Fix OpenSSL.fips_mode and OpenSSL::PKey.read in OpenSSL 3 FIPS.
This commit was cherry-picked from Fedora rawhide
<1f35109c5e
>.
Resolves: RHEL-12724
This commit is contained in:
parent
b1838b763e
commit
6ad0d16f8a
32
ruby-3.3.0-openssl-3.2.0-fips-enable-tests.patch
Normal file
32
ruby-3.3.0-openssl-3.2.0-fips-enable-tests.patch
Normal file
@ -0,0 +1,32 @@
|
|||||||
|
From f0b254f1f6610294821bbfc06b414d2af452db5b Mon Sep 17 00:00:00 2001
|
||||||
|
From: Jun Aruga <jaruga@redhat.com>
|
||||||
|
Date: Thu, 13 Apr 2023 17:28:27 +0200
|
||||||
|
Subject: [PATCH] [ruby/openssl] Drop a common logic disabling the FIPS mode in
|
||||||
|
the tests.
|
||||||
|
|
||||||
|
We want to run the unit tests in the FIPS mode too.
|
||||||
|
|
||||||
|
https://github.com/ruby/openssl/commit/ab92baff34
|
||||||
|
---
|
||||||
|
test/openssl/utils.rb | 5 -----
|
||||||
|
1 file changed, 5 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/test/openssl/utils.rb b/test/openssl/utils.rb
|
||||||
|
index 4ebcb9837b..8a0be0d154 100644
|
||||||
|
--- a/test/openssl/utils.rb
|
||||||
|
+++ b/test/openssl/utils.rb
|
||||||
|
@@ -1,11 +1,6 @@
|
||||||
|
# frozen_string_literal: true
|
||||||
|
begin
|
||||||
|
require "openssl"
|
||||||
|
-
|
||||||
|
- # Disable FIPS mode for tests for installations
|
||||||
|
- # where FIPS mode would be enabled by default.
|
||||||
|
- # Has no effect on all other installations.
|
||||||
|
- OpenSSL.fips_mode=false
|
||||||
|
rescue LoadError
|
||||||
|
end
|
||||||
|
|
||||||
|
--
|
||||||
|
2.41.0
|
||||||
|
|
160
ruby-3.3.0-openssl-3.2.0-fips-fix-pkey-read-in-openssl-3.patch
Normal file
160
ruby-3.3.0-openssl-3.2.0-fips-fix-pkey-read-in-openssl-3.patch
Normal file
@ -0,0 +1,160 @@
|
|||||||
|
From 40451afa279c52ce7a508f8a9ec553cfe7a76a10 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Jun Aruga <jaruga@redhat.com>
|
||||||
|
Date: Wed, 12 Apr 2023 17:15:21 +0200
|
||||||
|
Subject: [PATCH] Fix OpenSSL::PKey.read in OpenSSL 3 FIPS module.
|
||||||
|
|
||||||
|
This is a combination of the following 2 commits. Because the combined patch is
|
||||||
|
easy to merge.
|
||||||
|
|
||||||
|
This is the 1st commit message:
|
||||||
|
|
||||||
|
[ruby/openssl] Workaround: Fix OpenSSL::PKey.read that cannot parse PKey in the FIPS mode.
|
||||||
|
|
||||||
|
This commit is a workaround to avoid the error below that the
|
||||||
|
`OpenSSL::PKey.read` fails with the OpenSSL 3.0 FIPS mode.
|
||||||
|
|
||||||
|
```
|
||||||
|
$ openssl genrsa -out key.pem 4096
|
||||||
|
|
||||||
|
$ ruby -e "require 'openssl'; OpenSSL::PKey.read(File.read('key.pem'))"
|
||||||
|
-e:1:in `read': Could not parse PKey (OpenSSL::PKey::PKeyError)
|
||||||
|
from -e:1:in `<main>'
|
||||||
|
```
|
||||||
|
|
||||||
|
The root cause is on the OpenSSL side. The `OSSL_DECODER_CTX_set_selection`
|
||||||
|
doesn't apply the selection value properly if there are multiple providers, and
|
||||||
|
a provider (e.g. "base" provider) handles the decoder implementation, and
|
||||||
|
another provider (e.g. "fips" provider) handles the keys.
|
||||||
|
|
||||||
|
The workaround is to create `OSSL_DECODER_CTX` variable each time without using
|
||||||
|
the `OSSL_DECODER_CTX_set_selection`.
|
||||||
|
|
||||||
|
https://github.com/ruby/openssl/commit/5ff4a31621
|
||||||
|
|
||||||
|
This is the commit message #2:
|
||||||
|
|
||||||
|
[ruby/openssl] ossl_pkey.c: Workaround: Decode with non-zero selections.
|
||||||
|
|
||||||
|
This is a workaround for the decoding issue in ossl_pkey_read_generic().
|
||||||
|
The issue happens in the case that a key management provider is different from
|
||||||
|
a decoding provider.
|
||||||
|
|
||||||
|
Try all the non-zero selections in order, instead of selection 0 for OpenSSL 3
|
||||||
|
to avoid the issue.
|
||||||
|
|
||||||
|
https://github.com/ruby/openssl/commit/db688fa739
|
||||||
|
---
|
||||||
|
ext/openssl/ossl_pkey.c | 78 ++++++++++++++++++++++++++++++++++++++---
|
||||||
|
1 file changed, 73 insertions(+), 5 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/ext/openssl/ossl_pkey.c b/ext/openssl/ossl_pkey.c
|
||||||
|
index 24d0da4683..15854aeca1 100644
|
||||||
|
--- a/ext/openssl/ossl_pkey.c
|
||||||
|
+++ b/ext/openssl/ossl_pkey.c
|
||||||
|
@@ -81,18 +81,20 @@ ossl_pkey_new(EVP_PKEY *pkey)
|
||||||
|
#if OSSL_OPENSSL_PREREQ(3, 0, 0)
|
||||||
|
# include <openssl/decoder.h>
|
||||||
|
|
||||||
|
-EVP_PKEY *
|
||||||
|
-ossl_pkey_read_generic(BIO *bio, VALUE pass)
|
||||||
|
+static EVP_PKEY *
|
||||||
|
+ossl_pkey_read(BIO *bio, const char *input_type, int selection, VALUE pass)
|
||||||
|
{
|
||||||
|
void *ppass = (void *)pass;
|
||||||
|
OSSL_DECODER_CTX *dctx;
|
||||||
|
EVP_PKEY *pkey = NULL;
|
||||||
|
int pos = 0, pos2;
|
||||||
|
|
||||||
|
- dctx = OSSL_DECODER_CTX_new_for_pkey(&pkey, "DER", NULL, NULL, 0, NULL, NULL);
|
||||||
|
+ dctx = OSSL_DECODER_CTX_new_for_pkey(&pkey, input_type, NULL, NULL,
|
||||||
|
+ selection, NULL, NULL);
|
||||||
|
if (!dctx)
|
||||||
|
goto out;
|
||||||
|
- if (OSSL_DECODER_CTX_set_pem_password_cb(dctx, ossl_pem_passwd_cb, ppass) != 1)
|
||||||
|
+ if (OSSL_DECODER_CTX_set_pem_password_cb(dctx, ossl_pem_passwd_cb,
|
||||||
|
+ ppass) != 1)
|
||||||
|
goto out;
|
||||||
|
|
||||||
|
/* First check DER */
|
||||||
|
@@ -111,11 +113,77 @@ ossl_pkey_read_generic(BIO *bio, VALUE pass)
|
||||||
|
goto out;
|
||||||
|
pos = pos2;
|
||||||
|
}
|
||||||
|
-
|
||||||
|
out:
|
||||||
|
+ OSSL_BIO_reset(bio);
|
||||||
|
OSSL_DECODER_CTX_free(dctx);
|
||||||
|
return pkey;
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+EVP_PKEY *
|
||||||
|
+ossl_pkey_read_generic(BIO *bio, VALUE pass)
|
||||||
|
+{
|
||||||
|
+ EVP_PKEY *pkey = NULL;
|
||||||
|
+ /* First check DER, then check PEM. */
|
||||||
|
+ const char *input_types[] = {"DER", "PEM"};
|
||||||
|
+ int input_type_num = (int)(sizeof(input_types) / sizeof(char *));
|
||||||
|
+ /*
|
||||||
|
+ * Non-zero selections to try to decode.
|
||||||
|
+ *
|
||||||
|
+ * See EVP_PKEY_fromdata(3) - Selections to see all the selections.
|
||||||
|
+ *
|
||||||
|
+ * This is a workaround for the decoder failing to decode or returning
|
||||||
|
+ * bogus keys with selection 0, if a key management provider is different
|
||||||
|
+ * from a decoder provider. The workaround is to avoid using selection 0.
|
||||||
|
+ *
|
||||||
|
+ * Affected OpenSSL versions: >= 3.1.0, <= 3.1.2, or >= 3.0.0, <= 3.0.10
|
||||||
|
+ * Fixed OpenSSL versions: 3.2, next release of the 3.1.z and 3.0.z
|
||||||
|
+ *
|
||||||
|
+ * See https://github.com/openssl/openssl/pull/21519 for details.
|
||||||
|
+ *
|
||||||
|
+ * First check for private key formats (EVP_PKEY_KEYPAIR). This is to keep
|
||||||
|
+ * compatibility with ruby/openssl < 3.0 which decoded the following as a
|
||||||
|
+ * private key.
|
||||||
|
+ *
|
||||||
|
+ * $ openssl ecparam -name prime256v1 -genkey -outform PEM
|
||||||
|
+ * -----BEGIN EC PARAMETERS-----
|
||||||
|
+ * BggqhkjOPQMBBw==
|
||||||
|
+ * -----END EC PARAMETERS-----
|
||||||
|
+ * -----BEGIN EC PRIVATE KEY-----
|
||||||
|
+ * MHcCAQEEIAG8ugBbA5MHkqnZ9ujQF93OyUfL9tk8sxqM5Wv5tKg5oAoGCCqGSM49
|
||||||
|
+ * AwEHoUQDQgAEVcjhJfkwqh5C7kGuhAf8XaAjVuG5ADwb5ayg/cJijCgs+GcXeedj
|
||||||
|
+ * 86avKpGH84DXUlB23C/kPt+6fXYlitUmXQ==
|
||||||
|
+ * -----END EC PRIVATE KEY-----
|
||||||
|
+ *
|
||||||
|
+ * While the first PEM block is a proper encoding of ECParameters, thus
|
||||||
|
+ * OSSL_DECODER_from_bio() would pick it up, ruby/openssl used to return
|
||||||
|
+ * the latter instead. Existing applications expect this behavior.
|
||||||
|
+ *
|
||||||
|
+ * Note that normally, the input is supposed to contain a single decodable
|
||||||
|
+ * PEM block only, so this special handling should not create a new problem.
|
||||||
|
+ *
|
||||||
|
+ * Note that we need to create the OSSL_DECODER_CTX variable each time when
|
||||||
|
+ * we use the different selection as a workaround.
|
||||||
|
+ * See https://github.com/openssl/openssl/issues/20657 for details.
|
||||||
|
+ */
|
||||||
|
+ int selections[] = {
|
||||||
|
+ EVP_PKEY_KEYPAIR,
|
||||||
|
+ EVP_PKEY_KEY_PARAMETERS,
|
||||||
|
+ EVP_PKEY_PUBLIC_KEY
|
||||||
|
+ };
|
||||||
|
+ int selection_num = (int)(sizeof(selections) / sizeof(int));
|
||||||
|
+ int i, j;
|
||||||
|
+
|
||||||
|
+ for (i = 0; i < input_type_num; i++) {
|
||||||
|
+ for (j = 0; j < selection_num; j++) {
|
||||||
|
+ pkey = ossl_pkey_read(bio, input_types[i], selections[j], pass);
|
||||||
|
+ if (pkey) {
|
||||||
|
+ goto out;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ out:
|
||||||
|
+ return pkey;
|
||||||
|
+}
|
||||||
|
#else
|
||||||
|
EVP_PKEY *
|
||||||
|
ossl_pkey_read_generic(BIO *bio, VALUE pass)
|
||||||
|
--
|
||||||
|
2.41.0
|
||||||
|
|
142
ruby-3.3.0-openssl-3.2.0-fix-fips-get-set-in-openssl-3.patch
Normal file
142
ruby-3.3.0-openssl-3.2.0-fix-fips-get-set-in-openssl-3.patch
Normal file
@ -0,0 +1,142 @@
|
|||||||
|
From 29920ec109751459a65c6478525f2e59c644891f Mon Sep 17 00:00:00 2001
|
||||||
|
From: Jun Aruga <jaruga@redhat.com>
|
||||||
|
Date: Thu, 16 Mar 2023 21:36:43 +0100
|
||||||
|
Subject: [PATCH] [ruby/openssl] Implement FIPS functions on OpenSSL 3.
|
||||||
|
|
||||||
|
This commit is to implement the `OpenSSL::OPENSSL_FIPS`, `ossl_fips_mode_get`
|
||||||
|
and `ossl_fips_mode_set` to pass the test `test/openssl/test_fips.rb`.
|
||||||
|
|
||||||
|
It seems that the `OPENSSL_FIPS` macro is not used on the FIPS mode case any
|
||||||
|
more, and some FIPS related APIs also were removed in OpenSSL 3.
|
||||||
|
|
||||||
|
See the document <https://github.com/openssl/openssl/blob/master/doc/man7/migration_guide.pod#removed-fips_mode-and-fips_mode_set>
|
||||||
|
the section OPENSSL 3.0 > Main Changes from OpenSSL 1.1.1 >
|
||||||
|
Other notable deprecations and changes - Removed FIPS_mode() and FIPS_mode_set() .
|
||||||
|
|
||||||
|
The `OpenSSL::OPENSSL_FIPS` returns always true in OpenSSL 3 because the used
|
||||||
|
functions `EVP_default_properties_enable_fips` and `EVP_default_properties_is_fips_enabled`
|
||||||
|
works with the OpenSSL installed without FIPS option.
|
||||||
|
|
||||||
|
The `TEST_RUBY_OPENSSL_FIPS_ENABLED` is set on the FIPS mode case on the CI.
|
||||||
|
Because I want to test that the `OpenSSL.fips_mode` returns the `true` or
|
||||||
|
'false' surely in the CI. You can test the FIPS mode case by setting
|
||||||
|
`TEST_RUBY_OPENSSL_FIPS_ENABLED` on local too. Right now I don't find a better
|
||||||
|
way to get the status of the FIPS mode enabled or disabled for this purpose. I
|
||||||
|
am afraid of the possibility that the FIPS test case is unintentionally skipped.
|
||||||
|
|
||||||
|
I also replaced the ambiguous "returns" with "should return" in the tests.
|
||||||
|
|
||||||
|
https://github.com/ruby/openssl/commit/c5b2bc1268
|
||||||
|
---
|
||||||
|
ext/openssl/ossl.c | 25 +++++++++++++++++++++----
|
||||||
|
test/openssl/test_fips.rb | 32 ++++++++++++++++++++++++++++----
|
||||||
|
2 files changed, 49 insertions(+), 8 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/ext/openssl/ossl.c b/ext/openssl/ossl.c
|
||||||
|
index 6c532aca94..fcf3744c65 100644
|
||||||
|
--- a/ext/openssl/ossl.c
|
||||||
|
+++ b/ext/openssl/ossl.c
|
||||||
|
@@ -405,7 +405,11 @@ static VALUE
|
||||||
|
ossl_fips_mode_get(VALUE self)
|
||||||
|
{
|
||||||
|
|
||||||
|
-#ifdef OPENSSL_FIPS
|
||||||
|
+#if OSSL_OPENSSL_PREREQ(3, 0, 0)
|
||||||
|
+ VALUE enabled;
|
||||||
|
+ enabled = EVP_default_properties_is_fips_enabled(NULL) ? Qtrue : Qfalse;
|
||||||
|
+ return enabled;
|
||||||
|
+#elif OPENSSL_FIPS
|
||||||
|
VALUE enabled;
|
||||||
|
enabled = FIPS_mode() ? Qtrue : Qfalse;
|
||||||
|
return enabled;
|
||||||
|
@@ -429,8 +433,18 @@ ossl_fips_mode_get(VALUE self)
|
||||||
|
static VALUE
|
||||||
|
ossl_fips_mode_set(VALUE self, VALUE enabled)
|
||||||
|
{
|
||||||
|
-
|
||||||
|
-#ifdef OPENSSL_FIPS
|
||||||
|
+#if OSSL_OPENSSL_PREREQ(3, 0, 0)
|
||||||
|
+ if (RTEST(enabled)) {
|
||||||
|
+ if (!EVP_default_properties_enable_fips(NULL, 1)) {
|
||||||
|
+ ossl_raise(eOSSLError, "Turning on FIPS mode failed");
|
||||||
|
+ }
|
||||||
|
+ } else {
|
||||||
|
+ if (!EVP_default_properties_enable_fips(NULL, 0)) {
|
||||||
|
+ ossl_raise(eOSSLError, "Turning off FIPS mode failed");
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ return enabled;
|
||||||
|
+#elif OPENSSL_FIPS
|
||||||
|
if (RTEST(enabled)) {
|
||||||
|
int mode = FIPS_mode();
|
||||||
|
if(!mode && !FIPS_mode_set(1)) /* turning on twice leads to an error */
|
||||||
|
@@ -1185,7 +1199,10 @@ Init_openssl(void)
|
||||||
|
* Boolean indicating whether OpenSSL is FIPS-capable or not
|
||||||
|
*/
|
||||||
|
rb_define_const(mOSSL, "OPENSSL_FIPS",
|
||||||
|
-#ifdef OPENSSL_FIPS
|
||||||
|
+/* OpenSSL 3 is FIPS-capable even when it is installed without fips option */
|
||||||
|
+#if OSSL_OPENSSL_PREREQ(3, 0, 0)
|
||||||
|
+ Qtrue
|
||||||
|
+#elif OPENSSL_FIPS
|
||||||
|
Qtrue
|
||||||
|
#else
|
||||||
|
Qfalse
|
||||||
|
diff --git a/test/openssl/test_fips.rb b/test/openssl/test_fips.rb
|
||||||
|
index 8cd474f9a3..56a12a94ce 100644
|
||||||
|
--- a/test/openssl/test_fips.rb
|
||||||
|
+++ b/test/openssl/test_fips.rb
|
||||||
|
@@ -4,22 +4,46 @@
|
||||||
|
if defined?(OpenSSL)
|
||||||
|
|
||||||
|
class OpenSSL::TestFIPS < OpenSSL::TestCase
|
||||||
|
+ def test_fips_mode_get_is_true_on_fips_mode_enabled
|
||||||
|
+ unless ENV["TEST_RUBY_OPENSSL_FIPS_ENABLED"]
|
||||||
|
+ omit "Only for FIPS mode environment"
|
||||||
|
+ end
|
||||||
|
+
|
||||||
|
+ assert_separately([{ "OSSL_MDEBUG" => nil }, "-ropenssl"], <<~"end;")
|
||||||
|
+ assert OpenSSL.fips_mode == true, ".fips_mode should return true on FIPS mode enabled"
|
||||||
|
+ end;
|
||||||
|
+ end
|
||||||
|
+
|
||||||
|
+ def test_fips_mode_get_is_false_on_fips_mode_disabled
|
||||||
|
+ if ENV["TEST_RUBY_OPENSSL_FIPS_ENABLED"]
|
||||||
|
+ omit "Only for non-FIPS mode environment"
|
||||||
|
+ end
|
||||||
|
+
|
||||||
|
+ assert_separately([{ "OSSL_MDEBUG" => nil }, "-ropenssl"], <<~"end;")
|
||||||
|
+ message = ".fips_mode should return false on FIPS mode disabled. " \
|
||||||
|
+ "If you run the test on FIPS mode, please set " \
|
||||||
|
+ "TEST_RUBY_OPENSSL_FIPS_ENABLED=true"
|
||||||
|
+ assert OpenSSL.fips_mode == false, message
|
||||||
|
+ end;
|
||||||
|
+ end
|
||||||
|
+
|
||||||
|
def test_fips_mode_is_reentrant
|
||||||
|
OpenSSL.fips_mode = false
|
||||||
|
OpenSSL.fips_mode = false
|
||||||
|
end
|
||||||
|
|
||||||
|
- def test_fips_mode_get
|
||||||
|
- return unless OpenSSL::OPENSSL_FIPS
|
||||||
|
+ def test_fips_mode_get_with_fips_mode_set
|
||||||
|
+ omit('OpenSSL is not FIPS-capable') unless OpenSSL::OPENSSL_FIPS
|
||||||
|
+
|
||||||
|
assert_separately([{ "OSSL_MDEBUG" => nil }, "-ropenssl"], <<~"end;")
|
||||||
|
require #{__FILE__.dump}
|
||||||
|
|
||||||
|
begin
|
||||||
|
OpenSSL.fips_mode = true
|
||||||
|
- assert OpenSSL.fips_mode == true, ".fips_mode returns true when .fips_mode=true"
|
||||||
|
+ assert OpenSSL.fips_mode == true, ".fips_mode should return true when .fips_mode=true"
|
||||||
|
|
||||||
|
OpenSSL.fips_mode = false
|
||||||
|
- assert OpenSSL.fips_mode == false, ".fips_mode returns false when .fips_mode=false"
|
||||||
|
+ assert OpenSSL.fips_mode == false, ".fips_mode should return false when .fips_mode=false"
|
||||||
|
rescue OpenSSL::OpenSSLError
|
||||||
|
pend "Could not set FIPS mode (OpenSSL::OpenSSLError: \#$!); skipping"
|
||||||
|
end
|
||||||
|
--
|
||||||
|
2.41.0
|
||||||
|
|
31
ruby.spec
31
ruby.spec
@ -22,7 +22,7 @@
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
|
|
||||||
%global release 160
|
%global release 161
|
||||||
%{!?release_string:%define release_string %{?development_release:0.}%{release}%{?development_release:.%{development_release}}%{?dist}}
|
%{!?release_string:%define release_string %{?development_release:0.}%{release}%{?development_release:.%{development_release}}%{?dist}}
|
||||||
|
|
||||||
# The RubyGems library has to stay out of Ruby directory tree, since the
|
# The RubyGems library has to stay out of Ruby directory tree, since the
|
||||||
@ -106,6 +106,8 @@ Source11: rubygems.con
|
|||||||
Source13: test_abrt.rb
|
Source13: test_abrt.rb
|
||||||
# SystemTap tests.
|
# SystemTap tests.
|
||||||
Source14: test_systemtap.rb
|
Source14: test_systemtap.rb
|
||||||
|
# Ruby OpenSSL FIPS tests.
|
||||||
|
Source15: test_openssl_fips.rb
|
||||||
|
|
||||||
# The load directive is supported since RPM 4.12, i.e. F21+. The build process
|
# The load directive is supported since RPM 4.12, i.e. F21+. The build process
|
||||||
# fails on older Fedoras.
|
# fails on older Fedoras.
|
||||||
@ -274,6 +276,21 @@ Patch63: ruby-3.1.3-Fix-for-tzdata-2022g.patch
|
|||||||
# Fix File.utime test.
|
# Fix File.utime test.
|
||||||
# https://github.com/ruby/ruby/commit/8d1109c03bacc952b6218af2e4ae9b74c9855273
|
# https://github.com/ruby/ruby/commit/8d1109c03bacc952b6218af2e4ae9b74c9855273
|
||||||
Patch64: ruby-3.3.0-test-file-utime.patch
|
Patch64: ruby-3.3.0-test-file-utime.patch
|
||||||
|
# Fix OpenSSL.fips_mode in OpenSSL 3 FIPS.
|
||||||
|
# https://github.com/ruby/openssl/pull/608
|
||||||
|
# https://github.com/ruby/ruby/commit/678d41bc51fe31834eec0b653ba0e47de5420aa0
|
||||||
|
Patch65: ruby-3.3.0-openssl-3.2.0-fix-fips-get-set-in-openssl-3.patch
|
||||||
|
# Fix OpenSSL::PKey.read in OpenSSL 3 FIPS.
|
||||||
|
# The patch is a combination of the following 2 commits to simplify the patch.
|
||||||
|
# https://github.com/ruby/openssl/pull/615
|
||||||
|
# https://github.com/ruby/ruby/commit/2a4834057b30a26c38ece3961b370c0b2ee59380
|
||||||
|
# https://github.com/ruby/openssl/pull/669
|
||||||
|
# https://github.com/ruby/ruby/commit/b0ec1db8a72c530460abd9462ac75845362886bd
|
||||||
|
Patch66: ruby-3.3.0-openssl-3.2.0-fips-fix-pkey-read-in-openssl-3.patch
|
||||||
|
# Enable tests in OpenSSL FIPS.
|
||||||
|
# https://github.com/ruby/openssl/pull/615
|
||||||
|
# https://github.com/ruby/ruby/commit/920bc71284f417f9044b0dc1822b1d29a8fc61e5
|
||||||
|
Patch67: ruby-3.3.0-openssl-3.2.0-fips-enable-tests.patch
|
||||||
|
|
||||||
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
|
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
|
||||||
Suggests: rubypick
|
Suggests: rubypick
|
||||||
@ -743,6 +760,9 @@ rm -rf ext/fiddle/libffi*
|
|||||||
%patch62 -p1
|
%patch62 -p1
|
||||||
%patch63 -p1
|
%patch63 -p1
|
||||||
%patch64 -p1
|
%patch64 -p1
|
||||||
|
%patch65 -p1
|
||||||
|
%patch66 -p1
|
||||||
|
%patch67 -p1
|
||||||
|
|
||||||
# Provide an example of usage of the tapset:
|
# Provide an example of usage of the tapset:
|
||||||
cp -a %{SOURCE3} .
|
cp -a %{SOURCE3} .
|
||||||
@ -1034,6 +1054,11 @@ OPENSSL_ENABLE_SHA1_SIGNATURES=1 \
|
|||||||
%{?test_timeout_scale:RUBY_TEST_TIMEOUT_SCALE="%{test_timeout_scale}"} \
|
%{?test_timeout_scale:RUBY_TEST_TIMEOUT_SCALE="%{test_timeout_scale}"} \
|
||||||
make check TESTS="-v $DISABLE_TESTS" MSPECOPT="-fs $MSPECOPTS"
|
make check TESTS="-v $DISABLE_TESTS" MSPECOPT="-fs $MSPECOPTS"
|
||||||
|
|
||||||
|
# Run Ruby OpenSSL tests in OpenSSL FIPS.
|
||||||
|
make runruby TESTRUN_SCRIPT=" \
|
||||||
|
-I%{_builddir}/%{buildsubdir}/tool/lib --enable-gems \
|
||||||
|
%{SOURCE15} %{_builddir}/%{buildsubdir} --verbose"
|
||||||
|
|
||||||
%files
|
%files
|
||||||
%license BSDL
|
%license BSDL
|
||||||
%license COPYING
|
%license COPYING
|
||||||
@ -1506,6 +1531,10 @@ OPENSSL_ENABLE_SHA1_SIGNATURES=1 \
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Oct 09 2023 Jun Aruga <jaruga@redhat.com> - 3.0.4-161
|
||||||
|
- Fix OpenSSL.fips_mode and OpenSSL::PKey.read in OpenSSL 3 FIPS.
|
||||||
|
Resolves: RHEL-12724
|
||||||
|
|
||||||
* Wed Jun 28 2023 Jun Aruga <jaruga@redhat.com> - 3.0.4-160
|
* Wed Jun 28 2023 Jun Aruga <jaruga@redhat.com> - 3.0.4-160
|
||||||
- Bypass git submodule test failure on Git >= 2.38.1.
|
- Bypass git submodule test failure on Git >= 2.38.1.
|
||||||
- Fix tests with Europe/Amsterdam pre-1970 time on tzdata version 2022b.
|
- Fix tests with Europe/Amsterdam pre-1970 time on tzdata version 2022b.
|
||||||
|
34
test_openssl_fips.rb
Normal file
34
test_openssl_fips.rb
Normal file
@ -0,0 +1,34 @@
|
|||||||
|
require 'openssl'
|
||||||
|
|
||||||
|
# Run openssl tests in OpenSSL FIPS. See the link below for how to test.
|
||||||
|
# https://github.com/ruby/openssl/blob/master/.github/workflows/test.yml
|
||||||
|
# - step name: test on fips module
|
||||||
|
|
||||||
|
# Listing the testing files by an array explicitly rather than the `Dir.glob`
|
||||||
|
# to prevent the test files from not loading unintentionally.
|
||||||
|
TEST_FILES = %w[
|
||||||
|
test/openssl/test_fips.rb
|
||||||
|
test/openssl/test_pkey.rb
|
||||||
|
].freeze
|
||||||
|
|
||||||
|
if ARGV.empty?
|
||||||
|
puts 'ERROR: Argument base_dir required.'
|
||||||
|
puts "Usage: #{__FILE__} base_dir [options]"
|
||||||
|
exit false
|
||||||
|
end
|
||||||
|
BASE_DIR = ARGV[0]
|
||||||
|
abs_test_files = TEST_FILES.map { |file| File.join(BASE_DIR, file) }
|
||||||
|
|
||||||
|
# Set Fedora/RHEL downstream OpenSSL downstream environment variable to enable
|
||||||
|
# FIPS module in non-FIPS OS environment. It is available in Fedora 38 or later
|
||||||
|
# versions.
|
||||||
|
# https://src.fedoraproject.org/rpms/openssl/blob/rawhide/f/0009-Add-Kernel-FIPS-mode-flag-support.patch
|
||||||
|
ENV['OPENSSL_FORCE_FIPS_MODE'] = '1'
|
||||||
|
# A flag to tell the tests the current environment is FIPS enabled.
|
||||||
|
# https://github.com/ruby/openssl/blob/master/test/openssl/test_fips.rb
|
||||||
|
ENV['TEST_RUBY_OPENSSL_FIPS_ENABLED'] = 'true'
|
||||||
|
|
||||||
|
abs_test_files.each do |file|
|
||||||
|
puts "INFO: Loading #{file}."
|
||||||
|
require file
|
||||||
|
end
|
Loading…
Reference in New Issue
Block a user