From 7e3369a9b465214a08dc288293fc3c907c59154d Mon Sep 17 00:00:00 2001 From: Jun Aruga Date: Fri, 25 Apr 2025 09:59:52 +0200 Subject: [PATCH] Fix test_provider.rb test_openssl_provider_names. This commit fixes the following test failure of the test_openssl_provider_names in the test/openssl/test_provider.rb. ``` 159) Failure: OpenSSL::TestProvider#test_openssl_provider_names [/builddir/build/BUILD/ruby-3.3.8/test/openssl/test_provider.rb:65]: <2> expected but was <3>. ``` Because the test_openssl_provider_names assumes the total number of the providers calculating the number of the providers as a default status (1), adding the legacy provider (1) is 2 at the following line. https://github.com/ruby/ruby/blob/v3_3_8/test/openssl/test_provider.rb#L18 However, it is not the case on the current c10s. Because the number of the providers as a default status is not 1 but 2 according the following result on c10s mock environment. Therefore the total number of the providers adding the one provider should be 3. ``` sh-5.2# rpm -q openssl openssl-libs oqsprovider openssl-3.2.2-16.el10.x86_64 openssl-libs-3.2.2-16.el10.x86_64 oqsprovider-0.8.0-5.el10.x86_64 sh-5.2# openssl list -providers Providers: default name: OpenSSL Default Provider version: 3.2.2 status: active oqsprovider name: OpenSSL OQS Provider version: 0.8.0 status: active ``` The patch files fixes the test_openssl_provider_names, considering this case. Related: RHEL-87342
---
 ....0-openssl-fix-test-provider-in-fips.patch | 61 +++++++++++++++++++
 ...make-a-legacy-provider-test-optional.patch | 58 ++++++++++++++++++
 ruby.spec | 10 +++
 3 files changed, 129 insertions(+)
 create mode 100644 ruby-3.4.0-openssl-fix-test-provider-in-fips.patch
 create mode 100644 ruby-3.4.0-openssl-make-a-legacy-provider-test-optional.patch
diff --git a/ruby-3.4.0-openssl-fix-test-provider-in-fips.patch b/ruby-3.4.0-openssl-fix-test-provider-in-fips.patch
new file mode 100644
index 0000000..21abef1
--- /dev/null
+++ b/ruby-3.4.0-openssl-fix-test-provider-in-fips.patch 
@@ -0,0 +1,61 @@
+From 570582fb78bc4adaafba44f47465507f649fa9dc Mon Sep 17 00:00:00 2001
+From: Jun Aruga
+Date: Thu, 5 Sep 2024 20:06:37 +0200
+Subject: [PATCH] [ruby/openssl] Fix test_provider.rb in FIPS.
+
+https://github.com/ruby/openssl/commit/7bdbc52100
+---
+ test/openssl/test_provider.rb | 25 ++++++++++++++++++-------
+ 1 file changed, 18 insertions(+), 7 deletions(-)
+
+diff --git a/test/openssl/test_provider.rb b/test/openssl/test_provider.rb
+index 4e050b4bc2..e27968602a 100644
+--- a/test/openssl/test_provider.rb
++++ b/test/openssl/test_provider.rb
+@@ -1,6 +1,6 @@
+ # frozen_string_literal: true
+ require_relative 'utils'
+-if defined?(OpenSSL) && defined?(OpenSSL::Provider) && !OpenSSL.fips_mode
++if defined?(OpenSSL) && defined?(OpenSSL::Provider)
+
+ class OpenSSL::TestProvider < OpenSSL::TestCase
+ def test_openssl_provider_name_inspect
+@@ -13,14 +13,22 @@ def test_openssl_provider_name_inspect
+
+ def test_openssl_provider_names
+ omit 'not working on freebsd RubyCI' if ENV['RUBYCI_NICKNAME'] =~ /freebsd/
++ # We expect the following providers are loaded in the cases:
++ # * Non-FIPS: default
++ # * FIPS: fips, base
++ # Use the null provider to test the added provider.
++ # See provider(7) - OPENSSL PROVIDERS to see the list of providers, and
++ # OSSL_PROVIDER-null(7) to check the details of the null provider.
+ with_openssl <<-'end;'
+- base_provider = OpenSSL::Provider.load("base")
+- assert_equal(2, OpenSSL::Provider.provider_names.size)
+- assert_includes(OpenSSL::Provider.provider_names, "base")
++ num = OpenSSL::Provider.provider_names.size
+
+- assert_equal(true, base_provider.unload)
+- assert_equal(1, OpenSSL::Provider.provider_names.size)
+- assert_not_includes(OpenSSL::Provider.provider_names, "base")
++ added_provider = OpenSSL::Provider.load("null")
++ assert_equal(num + 1, OpenSSL::Provider.provider_names.size)
++ assert_includes(OpenSSL::Provider.provider_names, "null")
++
++ assert_equal(true, added_provider.unload)
++ assert_equal(num, OpenSSL::Provider.provider_names.size)
++ assert_not_includes(OpenSSL::Provider.provider_names, "null")
+ end;
+ end
+
+@@ -35,6 +43,9 @@ def test_unloaded_openssl_provider
+
+ def test_openssl_legacy_provider
+ omit 'not working on freebsd RubyCI' if ENV['RUBYCI_NICKNAME'] =~ /freebsd/
++ # The legacy provider is not supported on FIPS.
++ omit_on_fips
++
+ with_openssl(<<-'end;')
+ begin
+ OpenSSL::Provider.load("legacy")
diff --git a/ruby-3.4.0-openssl-make-a-legacy-provider-test-optional.patch b/ruby-3.4.0-openssl-make-a-legacy-provider-test-optional.patch
new file mode 100644
index 0000000..0dc2c7d
--- /dev/null
+++ b/ruby-3.4.0-openssl-make-a-legacy-provider-test-optional.patch
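Review bot: In ruby-3.4.0-openssl-fix-test-provider-in-fips.patch, the comment added above `with_openssl` in test_openssl_provider_names lists only `default` (non-FIPS) and `fips, base` (FIPS) as the expected providers, yet the build environment quoted in the commit message also has `oqsprovider` active, which is why the count is now taken relative to `num`. Since this file is an upstream backport, I would leave the test comment as is and record the local reason in ruby.spec above Patch15 instead, for example `# Needed where the system OpenSSL configuration activates extra providers such as oqsprovider (RHEL-87342).` The `num + 1` assertion also presumes that `null` is not already active in the system configuration; that looks safe here but is worth confirming. `omit_on_fips` is not defined in this hunk, so presumably it comes from test/openssl/utils.rb in the tree being patched; confirm the helper exists there.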
@@ -0,0 +1,58 @@
+From 02c40367d918d3bc42098e1fcfe0c822319f4d37 Mon Sep 17 00:00:00 2001
+From: Jun Aruga
+Date: Thu, 8 Feb 2024 18:53:32 +0100
+Subject: [PATCH] [ruby/openssl] test_provider.rb: Make a legacy provider test
+ optional.
+
+In some cases such as OpenSSL package in FreeBSD[1], the legacy provider is not
+installed intentionally. So, we omit a test depending the legacy provider if the
+legacy provider is not loadable.
+
+For the test_openssl_provider_names test, we use base provider[2] instead of
+legacy provider, because we would expect the base provider is always loadable
+in OpenSSL 3 for now.
+
+* [1] https://www.freshports.org/security/openssl/
+* [2] https://wiki.openssl.org/index.php/OpenSSL_3.0#Providers
+
+https://github.com/ruby/openssl/commit/7223da7730
+---
+ test/openssl/test_provider.rb | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/test/openssl/test_provider.rb b/test/openssl/test_provider.rb
+index 7361a0e250..4e050b4bc2 100644
+--- a/test/openssl/test_provider.rb
++++ b/test/openssl/test_provider.rb
+@@ -14,13 +14,13 @@ def test_openssl_provider_name_inspect
+ def test_openssl_provider_names
+ omit 'not working on freebsd RubyCI' if ENV['RUBYCI_NICKNAME'] =~ /freebsd/
+ with_openssl <<-'end;'
+- legacy_provider = OpenSSL::Provider.load("legacy")
++ base_provider = OpenSSL::Provider.load("base")
+ assert_equal(2, OpenSSL::Provider.provider_names.size)
+- assert_includes(OpenSSL::Provider.provider_names, "legacy")
++ assert_includes(OpenSSL::Provider.provider_names, "base")
+
+- assert_equal(true, legacy_provider.unload)
++ assert_equal(true, base_provider.unload)
+ assert_equal(1, OpenSSL::Provider.provider_names.size)
+- assert_not_includes(OpenSSL::Provider.provider_names, "legacy")
++ assert_not_includes(OpenSSL::Provider.provider_names, "base")
+ end;
+ end
+
+@@ -36,7 +36,12 @@ def test_unloaded_openssl_provider
+ def test_openssl_legacy_provider
+ omit 'not working on freebsd RubyCI' if ENV['RUBYCI_NICKNAME'] =~ /freebsd/
+ with_openssl(<<-'end;')
+- OpenSSL::Provider.load("legacy")
++ begin
++ OpenSSL::Provider.load("legacy")
++ rescue OpenSSL::Provider::ProviderError
++ omit "Only for OpenSSL with legacy provider"
++ end
++
+ algo = "RC4"
+ data = "a" * 1000
+ key = OpenSSL::Random.random_bytes(16)
diff --git a/ruby.spec b/ruby.spec
index 12e138e..0288f39 100644
--- a/ruby.spec
+++ b/ruby.spec
@@ -285,6 +285,14 @@ Patch12: ruby-3.4.0-Extract-hardening-CFLAGS-to-a-special-hardenflags-variable.p
 # https://github.com/ruby/openssl/pull/710
 # https://github.com/ruby/ruby/commit/6213ab1a51387fd9cdcb5e87908722f3bbdf78cb
 Patch13: ruby-3.4.0-openssl-respect-crypto-policies-tls-min.patch
+# test_provider.rb: Make a legacy provider test optional.
+# https://github.com/ruby/openssl/pull/721
+# https://github.com/ruby/ruby/commit/eb4082284aace391a16a389a70eeaf1e7db5c542
+Patch14: ruby-3.4.0-openssl-make-a-legacy-provider-test-optional.patch
+# Fix test_provider.rb in FIPS.
+# https://github.com/ruby/openssl/pull/794
+# https://github.com/ruby/ruby/commit/ad742de79bcce53290005429868f63c51cbeb0f2
+Patch15: ruby-3.4.0-openssl-fix-test-provider-in-fips.patch
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 %{?with_rubypick:Suggests: rubypick}
@@ -771,6 +779,8 @@ analysis result in RBS format, a standard type description format for Ruby
 %patch 9 -p1
 %patch 12 -p1
 %patch 13 -p1
+%patch 14 -p1
+%patch 15 -p1
 # Provide an example of usage of the tapset:
 cp -a %{SOURCE3} .
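Review bot: In ruby-3.4.0-openssl-make-a-legacy-provider-test-optional.patch, the new `rescue OpenSSL::Provider::ProviderError` in test_openssl_legacy_provider turns every failure to load `legacy` into an omit, so a build where the legacy provider is expected but cannot be loaded passes without the RC4 check ever running. Keeping the cause in the build log would make that visible: `rescue OpenSSL::Provider::ProviderError => e` followed by `omit "Only for OpenSSL with legacy provider: #{e.message}"`. The first hunk of this patch still asserts the fixed counts 2 and 1, which is the failure described in the commit message, so Patch14 only passes with Patch15 applied after it. The test body continues past the last line shown in the hunk.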