import CS ruby-3.0.4-161.el9
parent
bb9b841c84
commit
ad50867ca7
@ -14,7 +14,7 @@ diff --git a/configure.ac b/configure.ac
|
|||||||
index c42436c23d..d261ea57b5 100644
|
index c42436c23d..d261ea57b5 100644
|
||||||
--- a/configure.ac
|
--- a/configure.ac
|
||||||
+++ b/configure.ac
|
+++ b/configure.ac
|
||||||
@@ -3881,7 +3881,8 @@ AS_CASE(["$ruby_version_dir_name"],
|
@@ -3886,7 +3886,8 @@ AS_CASE(["$ruby_version_dir_name"],
|
||||||
ruby_version_dir=/'${ruby_version_dir_name}'
|
ruby_version_dir=/'${ruby_version_dir_name}'
|
||||||
|
|
||||||
if test -z "${ruby_version_dir_name}"; then
|
if test -z "${ruby_version_dir_name}"; then
|
||||||
|
@ -11,7 +11,7 @@ diff --git a/configure.ac b/configure.ac
|
|||||||
index 3c13076b82..93af30321d 100644
|
index 3c13076b82..93af30321d 100644
|
||||||
--- a/configure.ac
|
--- a/configure.ac
|
||||||
+++ b/configure.ac
|
+++ b/configure.ac
|
||||||
@@ -3945,6 +3945,8 @@ AC_SUBST(vendorarchdir)dnl
|
@@ -3950,6 +3950,8 @@ AC_SUBST(vendorarchdir)dnl
|
||||||
AC_SUBST(CONFIGURE, "`echo $0 | sed 's|.*/||'`")dnl
|
AC_SUBST(CONFIGURE, "`echo $0 | sed 's|.*/||'`")dnl
|
||||||
AC_SUBST(configure_args, "`echo "${ac_configure_args}" | sed 's/\\$/$$/g'`")dnl
|
AC_SUBST(configure_args, "`echo "${ac_configure_args}" | sed 's/\\$/$$/g'`")dnl
|
||||||
|
|
||||||
|
@ -15,7 +15,7 @@ diff --git a/configure.ac b/configure.ac
|
|||||||
index 93af30321d..bc13397e0e 100644
|
index 93af30321d..bc13397e0e 100644
|
||||||
--- a/configure.ac
|
--- a/configure.ac
|
||||||
+++ b/configure.ac
|
+++ b/configure.ac
|
||||||
@@ -3917,6 +3917,10 @@ AC_ARG_WITH(vendorarchdir,
|
@@ -3922,6 +3922,10 @@ AC_ARG_WITH(vendorarchdir,
|
||||||
[vendorarchdir=$withval],
|
[vendorarchdir=$withval],
|
||||||
[vendorarchdir=${multiarch+'${rubysitearchprefix}/vendor_ruby'${ruby_version_dir}}${multiarch-'${vendorlibdir}/${sitearch}'}])
|
[vendorarchdir=${multiarch+'${rubysitearchprefix}/vendor_ruby'${ruby_version_dir}}${multiarch-'${vendorlibdir}/${sitearch}'}])
|
||||||
|
|
||||||
@ -26,7 +26,7 @@ index 93af30321d..bc13397e0e 100644
|
|||||||
AS_IF([test "${LOAD_RELATIVE+set}"], [
|
AS_IF([test "${LOAD_RELATIVE+set}"], [
|
||||||
AC_DEFINE_UNQUOTED(LOAD_RELATIVE, $LOAD_RELATIVE)
|
AC_DEFINE_UNQUOTED(LOAD_RELATIVE, $LOAD_RELATIVE)
|
||||||
RUBY_EXEC_PREFIX=''
|
RUBY_EXEC_PREFIX=''
|
||||||
@@ -3941,6 +3945,7 @@ AC_SUBST(sitearchdir)dnl
|
@@ -3946,6 +3950,7 @@ AC_SUBST(sitearchdir)dnl
|
||||||
AC_SUBST(vendordir)dnl
|
AC_SUBST(vendordir)dnl
|
||||||
AC_SUBST(vendorlibdir)dnl
|
AC_SUBST(vendorlibdir)dnl
|
||||||
AC_SUBST(vendorarchdir)dnl
|
AC_SUBST(vendorarchdir)dnl
|
||||||
|
@ -20,7 +20,7 @@ diff --git a/configure.ac b/configure.ac
|
|||||||
index 80b137e380..63cd3b4f8b 100644
|
index 80b137e380..63cd3b4f8b 100644
|
||||||
--- a/configure.ac
|
--- a/configure.ac
|
||||||
+++ b/configure.ac
|
+++ b/configure.ac
|
||||||
@@ -3832,9 +3832,6 @@ AS_CASE(["$target_os"],
|
@@ -3837,9 +3837,6 @@ AS_CASE(["$target_os"],
|
||||||
rubyw_install_name='$(RUBYW_INSTALL_NAME)'
|
rubyw_install_name='$(RUBYW_INSTALL_NAME)'
|
||||||
])
|
])
|
||||||
|
|
||||||
@ -30,7 +30,7 @@ index 80b137e380..63cd3b4f8b 100644
|
|||||||
rubyarchprefix=${multiarch+'${archlibdir}/${RUBY_BASE_NAME}'}${multiarch-'${rubylibprefix}/${arch}'}
|
rubyarchprefix=${multiarch+'${archlibdir}/${RUBY_BASE_NAME}'}${multiarch-'${rubylibprefix}/${arch}'}
|
||||||
AC_ARG_WITH(rubyarchprefix,
|
AC_ARG_WITH(rubyarchprefix,
|
||||||
AS_HELP_STRING([--with-rubyarchprefix=DIR],
|
AS_HELP_STRING([--with-rubyarchprefix=DIR],
|
||||||
@@ -3857,56 +3854,62 @@ AC_ARG_WITH(ridir,
|
@@ -3862,56 +3859,62 @@ AC_ARG_WITH(ridir,
|
||||||
AC_SUBST(ridir)
|
AC_SUBST(ridir)
|
||||||
AC_SUBST(RI_BASE_NAME)
|
AC_SUBST(RI_BASE_NAME)
|
||||||
|
|
||||||
@ -120,7 +120,7 @@ index 80b137e380..63cd3b4f8b 100644
|
|||||||
|
|
||||||
AS_IF([test "${LOAD_RELATIVE+set}"], [
|
AS_IF([test "${LOAD_RELATIVE+set}"], [
|
||||||
AC_DEFINE_UNQUOTED(LOAD_RELATIVE, $LOAD_RELATIVE)
|
AC_DEFINE_UNQUOTED(LOAD_RELATIVE, $LOAD_RELATIVE)
|
||||||
@@ -3923,6 +3926,7 @@ AC_SUBST(sitearchincludedir)dnl
|
@@ -3928,6 +3931,7 @@ AC_SUBST(sitearchincludedir)dnl
|
||||||
AC_SUBST(arch)dnl
|
AC_SUBST(arch)dnl
|
||||||
AC_SUBST(sitearch)dnl
|
AC_SUBST(sitearch)dnl
|
||||||
AC_SUBST(ruby_version)dnl
|
AC_SUBST(ruby_version)dnl
|
||||||
|
@ -123,7 +123,7 @@ index 016dba1dbb18..1fd0bd57f7ca 100644
|
|||||||
|
|
||||||
RB_DEBUG_COUNTER_INC(cc_invalidate_negative);
|
RB_DEBUG_COUNTER_INC(cc_invalidate_negative);
|
||||||
}
|
}
|
||||||
@@ -1023,6 +1025,7 @@ prepare_callable_method_entry(VALUE defined_class, ID id, const rb_method_entry_
|
@@ -1030,6 +1032,7 @@ prepare_callable_method_entry(VALUE defined_class, ID id, const rb_method_entry_
|
||||||
{
|
{
|
||||||
struct rb_id_table *mtbl;
|
struct rb_id_table *mtbl;
|
||||||
const rb_callable_method_entry_t *cme;
|
const rb_callable_method_entry_t *cme;
|
||||||
@ -131,7 +131,7 @@ index 016dba1dbb18..1fd0bd57f7ca 100644
|
|||||||
|
|
||||||
if (me) {
|
if (me) {
|
||||||
if (me->defined_class == 0) {
|
if (me->defined_class == 0) {
|
||||||
@@ -1032,7 +1035,8 @@ prepare_callable_method_entry(VALUE defined_class, ID id, const rb_method_entry_
|
@@ -1039,7 +1042,8 @@ prepare_callable_method_entry(VALUE defined_class, ID id, const rb_method_entry_
|
||||||
|
|
||||||
mtbl = RCLASS_CALLABLE_M_TBL(defined_class);
|
mtbl = RCLASS_CALLABLE_M_TBL(defined_class);
|
||||||
|
|
||||||
@ -141,7 +141,7 @@ index 016dba1dbb18..1fd0bd57f7ca 100644
|
|||||||
RB_DEBUG_COUNTER_INC(mc_cme_complement_hit);
|
RB_DEBUG_COUNTER_INC(mc_cme_complement_hit);
|
||||||
VM_ASSERT(callable_method_entry_p(cme));
|
VM_ASSERT(callable_method_entry_p(cme));
|
||||||
VM_ASSERT(!METHOD_ENTRY_INVALIDATED(cme));
|
VM_ASSERT(!METHOD_ENTRY_INVALIDATED(cme));
|
||||||
@@ -1076,9 +1080,10 @@ cached_callable_method_entry(VALUE klass, ID mid)
|
@@ -1083,9 +1087,10 @@ cached_callable_method_entry(VALUE klass, ID mid)
|
||||||
ASSERT_vm_locking();
|
ASSERT_vm_locking();
|
||||||
|
|
||||||
struct rb_id_table *cc_tbl = RCLASS_CC_TBL(klass);
|
struct rb_id_table *cc_tbl = RCLASS_CC_TBL(klass);
|
||||||
@ -154,7 +154,7 @@ index 016dba1dbb18..1fd0bd57f7ca 100644
|
|||||||
VM_ASSERT(vm_ccs_p(ccs));
|
VM_ASSERT(vm_ccs_p(ccs));
|
||||||
|
|
||||||
if (LIKELY(!METHOD_ENTRY_INVALIDATED(ccs->cme))) {
|
if (LIKELY(!METHOD_ENTRY_INVALIDATED(ccs->cme))) {
|
||||||
@@ -1104,12 +1109,14 @@ cache_callable_method_entry(VALUE klass, ID mid, const rb_callable_method_entry_
|
@@ -1111,12 +1116,14 @@ cache_callable_method_entry(VALUE klass, ID mid, const rb_callable_method_entry_
|
||||||
|
|
||||||
struct rb_id_table *cc_tbl = RCLASS_CC_TBL(klass);
|
struct rb_id_table *cc_tbl = RCLASS_CC_TBL(klass);
|
||||||
struct rb_class_cc_entries *ccs;
|
struct rb_class_cc_entries *ccs;
|
||||||
@ -170,7 +170,7 @@ index 016dba1dbb18..1fd0bd57f7ca 100644
|
|||||||
VM_ASSERT(ccs->cme == cme);
|
VM_ASSERT(ccs->cme == cme);
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
@@ -1123,8 +1130,12 @@ negative_cme(ID mid)
|
@@ -1130,8 +1137,12 @@ negative_cme(ID mid)
|
||||||
{
|
{
|
||||||
rb_vm_t *vm = GET_VM();
|
rb_vm_t *vm = GET_VM();
|
||||||
const rb_callable_method_entry_t *cme;
|
const rb_callable_method_entry_t *cme;
|
||||||
|
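--- a/SOURCES/ruby-3.1.3-Fix-for-tzdata-2022g.patch
+++ b/SOURCES/ruby-3.1.3-Fix-for-tzdata-2022g.patch
@@ -0,0 +1,70 @@
+From a1124dc162810f86cb0bff58cde24064cfc561bc Mon Sep 17 00:00:00 2001
+From: nagachika <nagachika@ruby-lang.org>
+Date: Fri, 9 Dec 2022 21:11:47 +0900
+Subject: [PATCH] merge revision(s) 58cc3c9f387dcf8f820b43e043b540fa06248da3:
+[Backport #19187]
+
+[Bug #19187] Fix for tzdata-2022g
+
+---
+test/ruby/test_time_tz.rb | 21 +++++++++++++++------
+1 file changed, 15 insertions(+), 6 deletions(-)
+---
+test/ruby/test_time_tz.rb | 21 +++++++++++++++------
+1 files changed, 15 insertions(+), 6 deletions(-)
+
+diff --git a/test/ruby/test_time_tz.rb b/test/ruby/test_time_tz.rb
+index b6785f336028d..939f218ed4d10 100644
+--- a/test/ruby/test_time_tz.rb
++++ b/test/ruby/test_time_tz.rb
+@@ -7,9 +7,9 @@ class TestTimeTZ < Test::Unit::TestCase
+has_lisbon_tz = true
+force_tz_test = ENV["RUBY_FORCE_TIME_TZ_TEST"] == "yes"
+case RUBY_PLATFORM
+- when /linux/
++ when /darwin|linux/
+force_tz_test = true
+- when /darwin|freebsd|openbsd/
++ when /freebsd|openbsd/
+has_lisbon_tz = false
+force_tz_test = true
+end
+@@ -95,6 +95,9 @@ def group_by(e, &block)
+CORRECT_KIRITIMATI_SKIP_1994 = with_tz("Pacific/Kiritimati") {
+Time.local(1994, 12, 31, 0, 0, 0).year == 1995
+}
++ CORRECT_SINGAPORE_1982 = with_tz("Asia/Singapore") {
++ "2022g" if Time.local(1981, 12, 31, 23, 59, 59).utc_offset == 8*3600
++ }
+
+def time_to_s(t)
+t.to_s
+@@ -140,9 +143,12 @@ def test_america_managua
+
+def test_asia_singapore
+with_tz(tz="Asia/Singapore") {
+- assert_time_constructor(tz, "1981-12-31 23:59:59 +0730", :local, [1981,12,31,23,59,59])
+- assert_time_constructor(tz, "1982-01-01 00:30:00 +0800", :local, [1982,1,1,0,0,0])
+- assert_time_constructor(tz, "1982-01-01 00:59:59 +0800", :local, [1982,1,1,0,29,59])
++ assert_time_constructor(tz, "1981-12-31 23:29:59 +0730", :local, [1981,12,31,23,29,59])
++ if CORRECT_SINGAPORE_1982
++ assert_time_constructor(tz, "1982-01-01 00:00:00 +0800", :local, [1981,12,31,23,30,00])
++ assert_time_constructor(tz, "1982-01-01 00:00:00 +0800", :local, [1982,1,1,0,0,0])
++ assert_time_constructor(tz, "1982-01-01 00:29:59 +0800", :local, [1982,1,1,0,29,59])
++ end
+assert_time_constructor(tz, "1982-01-01 00:30:00 +0800", :local, [1982,1,1,0,30,0])
+}
+end
+@@ -448,8 +454,11 @@ def self.gen_zdump_test(data)
+America/Managua Wed Jan 1 04:59:59 1997 UTC = Tue Dec 31 23:59:59 1996 EST isdst=0 gmtoff=-18000
+America/Managua Wed Jan 1 05:00:00 1997 UTC = Tue Dec 31 23:00:00 1996 CST isdst=0 gmtoff=-21600
+Asia/Singapore Sun Aug 8 16:30:00 1965 UTC = Mon Aug 9 00:00:00 1965 SGT isdst=0 gmtoff=27000
+-Asia/Singapore Thu Dec 31 16:29:59 1981 UTC = Thu Dec 31 23:59:59 1981 SGT isdst=0 gmtoff=27000
++Asia/Singapore Thu Dec 31 15:59:59 1981 UTC = Thu Dec 31 23:29:59 1981 SGT isdst=0 gmtoff=27000
+Asia/Singapore Thu Dec 31 16:30:00 1981 UTC = Fri Jan 1 00:30:00 1982 SGT isdst=0 gmtoff=28800
++End
++ gen_zdump_test <<'End' if CORRECT_SINGAPORE_1982
++Asia/Singapore Thu Dec 31 16:00:00 1981 UTC = Fri Jan 1 00:00:00 1982 SGT isdst=0 gmtoff=28800
+End
+gen_zdump_test CORRECT_TOKYO_DST_1951 ? <<'End' + (CORRECT_TOKYO_DST_1951 < "2018f" ? <<'2018e' : <<'2018f') : <<'End'
+Asia/Tokyo Sat May 5 14:59:59 1951 UTC = Sat May 5 23:59:59 1951 JST isdst=0 gmtoff=32400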
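--- a/SOURCES/ruby-3.2.0-git-2.38.1-fix-rubygems-test.patch
+++ b/SOURCES/ruby-3.2.0-git-2.38.1-fix-rubygems-test.patch
@@ -0,0 +1,27 @@
+From dae843f6b7502f921a7e66f39e3714a39d860181 Mon Sep 17 00:00:00 2001
+From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
+Date: Wed, 19 Oct 2022 19:40:00 +0900
+Subject: [PATCH] Bypass git submodule add/update with git config
+protocol.file.allow=always option.
+
+Co-authored-by: Nobuyoshi Nakada <nobu@ruby-lang.org>
+---
+test/rubygems/test_gem_source_git.rb | 5 +++++
+1 file changed, 5 insertions(+)
+
+diff --git a/test/rubygems/test_gem_source_git.rb b/test/rubygems/test_gem_source_git.rb
+index 5702da05974b6..c3b324771fa4d 100644
+--- a/test/rubygems/test_gem_source_git.rb
++++ b/test/rubygems/test_gem_source_git.rb
+@@ -63,6 +63,11 @@ def test_checkout_local_cached
+end
+
+def test_checkout_submodules
++ # We need to allow to checkout submodules with file:// protocol
++ # CVE-2022-39253
++ # https://lore.kernel.org/lkml/xmqq4jw1uku5.fsf@gitster.g/
++ system(@git, *%W"config --global protocol.file.allow always")
++
+source = Gem::Source::Git.new @name, @repository, 'master', true
+
+git_gem 'b'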
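Review bot: The added `system(@git, *%W"config --global protocol.file.allow always")` in `test_checkout_submodules` writes to the global git configuration, so unless the test harness has pointed HOME at a throwaway directory (not visible in this hunk) it persistently lifts the file-transport restriction introduced for CVE-2022-39253 for the account running the suite. Scoping the setting to the temporary repository, or to the one git invocation that needs it, would keep the relaxation inside the test. The return value of `system` is also ignored, so a failed config write only surfaces later as an unrelated-looking submodule error; `assert system(@git, *%W"config --global protocol.file.allow always")` would catch it. If the global write stays, a comment such as `# safe only because the test HOME is a temp dir` should record the assumption. The body of the test continues past the end of the hunk.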
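--- a/SOURCES/ruby-3.3.0-openssl-3.2.0-fips-enable-tests.patch
+++ b/SOURCES/ruby-3.3.0-openssl-3.2.0-fips-enable-tests.patch
@@ -0,0 +1,32 @@
+From f0b254f1f6610294821bbfc06b414d2af452db5b Mon Sep 17 00:00:00 2001
+From: Jun Aruga <jaruga@redhat.com>
+Date: Thu, 13 Apr 2023 17:28:27 +0200
+Subject: [PATCH] [ruby/openssl] Drop a common logic disabling the FIPS mode in
+the tests.
+
+We want to run the unit tests in the FIPS mode too.
+
+https://github.com/ruby/openssl/commit/ab92baff34
+---
+test/openssl/utils.rb | 5 -----
+1 file changed, 5 deletions(-)
+
+diff --git a/test/openssl/utils.rb b/test/openssl/utils.rb
+index 4ebcb9837b..8a0be0d154 100644
+--- a/test/openssl/utils.rb
++++ b/test/openssl/utils.rb
+@@ -1,11 +1,6 @@
+# frozen_string_literal: true
+begin
+require "openssl"
+-
+- # Disable FIPS mode for tests for installations
+- # where FIPS mode would be enabled by default.
+- # Has no effect on all other installations.
+- OpenSSL.fips_mode=false
+rescue LoadError
+end
+
+--
+2.41.0
+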
@ -0,0 +1,73 @@
|
|||||||
|
From b6d7cdc2bad0eadbca73f3486917f0ec7a475814 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Kazuki Yamaguchi <k@rhe.jp>
|
||||||
|
Date: Tue, 29 Aug 2023 19:46:02 +0900
|
||||||
|
Subject: [PATCH] [ruby/openssl] ssl: use ffdhe2048 from RFC 7919 as the
|
||||||
|
default DH group parameters
|
||||||
|
|
||||||
|
In TLS 1.2 or before, if DH group parameters for DHE are not supplied
|
||||||
|
with SSLContext#tmp_dh= or #tmp_dh_callback=, we currently use the
|
||||||
|
self-generated parameters added in commit https://github.com/ruby/openssl/commit/bb3399a61c03 ("support 2048
|
||||||
|
bit length DH-key", 2016-01-15) as the fallback.
|
||||||
|
|
||||||
|
While there is no known weakness in the current parameters, it would be
|
||||||
|
a good idea to switch to pre-defined, more well audited parameters.
|
||||||
|
|
||||||
|
This also allows the fallback to work in the FIPS mode.
|
||||||
|
|
||||||
|
The PEM encoding was derived with:
|
||||||
|
|
||||||
|
# RFC 7919 Appendix A.1. ffdhe2048
|
||||||
|
print OpenSSL::PKey.read(OpenSSL::ASN1::Sequence([OpenSSL::ASN1::Integer((<<-END).split.join.to_i(16)), OpenSSL::ASN1::Integer(2)]).to_der).to_pem
|
||||||
|
FFFFFFFF FFFFFFFF ADF85458 A2BB4A9A AFDC5620 273D3CF1
|
||||||
|
D8B9C583 CE2D3695 A9E13641 146433FB CC939DCE 249B3EF9
|
||||||
|
7D2FE363 630C75D8 F681B202 AEC4617A D3DF1ED5 D5FD6561
|
||||||
|
2433F51F 5F066ED0 85636555 3DED1AF3 B557135E 7F57C935
|
||||||
|
984F0C70 E0E68B77 E2A689DA F3EFE872 1DF158A1 36ADE735
|
||||||
|
30ACCA4F 483A797A BC0AB182 B324FB61 D108A94B B2C8E3FB
|
||||||
|
B96ADAB7 60D7F468 1D4F42A3 DE394DF4 AE56EDE7 6372BB19
|
||||||
|
0B07A7C8 EE0A6D70 9E02FCE1 CDF7E2EC C03404CD 28342F61
|
||||||
|
9172FE9C E98583FF 8E4F1232 EEF28183 C3FE3B1B 4C6FAD73
|
||||||
|
3BB5FCBC 2EC22005 C58EF183 7D1683B2 C6F34A26 C1B2EFFA
|
||||||
|
886B4238 61285C97 FFFFFFFF FFFFFFFF
|
||||||
|
END
|
||||||
|
|
||||||
|
https://github.com/ruby/openssl/commit/a5527cb4f4
|
||||||
|
---
|
||||||
|
ext/openssl/lib/openssl/ssl.rb | 18 +++++++++---------
|
||||||
|
1 file changed, 9 insertions(+), 9 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/ext/openssl/lib/openssl/ssl.rb b/ext/openssl/lib/openssl/ssl.rb
|
||||||
|
index ea8bb2a18e533..94be6ba80b894 100644
|
||||||
|
--- a/ext/openssl/lib/openssl/ssl.rb
|
||||||
|
+++ b/ext/openssl/lib/openssl/ssl.rb
|
||||||
|
@@ -31,21 +31,21 @@ class SSLContext
|
||||||
|
}
|
||||||
|
|
||||||
|
if defined?(OpenSSL::PKey::DH)
|
||||||
|
- DEFAULT_2048 = OpenSSL::PKey::DH.new <<-_end_of_pem_
|
||||||
|
+ DH_ffdhe2048 = OpenSSL::PKey::DH.new <<-_end_of_pem_
|
||||||
|
-----BEGIN DH PARAMETERS-----
|
||||||
|
-MIIBCAKCAQEA7E6kBrYiyvmKAMzQ7i8WvwVk9Y/+f8S7sCTN712KkK3cqd1jhJDY
|
||||||
|
-JbrYeNV3kUIKhPxWHhObHKpD1R84UpL+s2b55+iMd6GmL7OYmNIT/FccKhTcveab
|
||||||
|
-VBmZT86BZKYyf45hUF9FOuUM9xPzuK3Vd8oJQvfYMCd7LPC0taAEljQLR4Edf8E6
|
||||||
|
-YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3
|
||||||
|
-1bNveX5wInh5GDx1FGhKBZ+s1H+aedudCm7sCgRwv8lKWYGiHzObSma8A86KG+MD
|
||||||
|
-7Lo5JquQ3DlBodj3IDyPrxIv96lvRPFtAwIBAg==
|
||||||
|
+MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
|
||||||
|
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
|
||||||
|
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
|
||||||
|
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
|
||||||
|
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
|
||||||
|
+ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
|
||||||
|
-----END DH PARAMETERS-----
|
||||||
|
_end_of_pem_
|
||||||
|
- private_constant :DEFAULT_2048
|
||||||
|
+ private_constant :DH_ffdhe2048
|
||||||
|
|
||||||
|
DEFAULT_TMP_DH_CALLBACK = lambda { |ctx, is_export, keylen| # :nodoc:
|
||||||
|
warn "using default DH parameters." if $VERBOSE
|
||||||
|
- DEFAULT_2048
|
||||||
|
+ DH_ffdhe2048
|
||||||
|
}
|
||||||
|
end
|
||||||
|
|
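Review bot: Nothing in this change checks that the new base64 body of `DH_ffdhe2048` really is the RFC 7919 ffdhe2048 group; the diffstat shows only `ssl.rb` touched, and the derivation snippet lives in the commit message where it will not be re-run. Because `DEFAULT_TMP_DH_CALLBACK` returns this constant whenever no parameters are supplied, a transcription slip in the PEM would go unnoticed. I would add a test that obtains the parameters through the callback and asserts `g == 2` and a 2048-bit `p` equal to the published value. A one-line comment above the heredoc, `# RFC 7919 Appendix A.1 ffdhe2048 (p as published, g = 2)`, would also record the provenance in the file itself.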
@ -0,0 +1,160 @@
|
|||||||
|
From 40451afa279c52ce7a508f8a9ec553cfe7a76a10 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Jun Aruga <jaruga@redhat.com>
|
||||||
|
Date: Wed, 12 Apr 2023 17:15:21 +0200
|
||||||
|
Subject: [PATCH] Fix OpenSSL::PKey.read in OpenSSL 3 FIPS module.
|
||||||
|
|
||||||
|
This is a combination of the following 2 commits. Because the combined patch is
|
||||||
|
easy to merge.
|
||||||
|
|
||||||
|
This is the 1st commit message:
|
||||||
|
|
||||||
|
[ruby/openssl] Workaround: Fix OpenSSL::PKey.read that cannot parse PKey in the FIPS mode.
|
||||||
|
|
||||||
|
This commit is a workaround to avoid the error below that the
|
||||||
|
`OpenSSL::PKey.read` fails with the OpenSSL 3.0 FIPS mode.
|
||||||
|
|
||||||
|
```
|
||||||
|
$ openssl genrsa -out key.pem 4096
|
||||||
|
|
||||||
|
$ ruby -e "require 'openssl'; OpenSSL::PKey.read(File.read('key.pem'))"
|
||||||
|
-e:1:in `read': Could not parse PKey (OpenSSL::PKey::PKeyError)
|
||||||
|
from -e:1:in `<main>'
|
||||||
|
```
|
||||||
|
|
||||||
|
The root cause is on the OpenSSL side. The `OSSL_DECODER_CTX_set_selection`
|
||||||
|
doesn't apply the selection value properly if there are multiple providers, and
|
||||||
|
a provider (e.g. "base" provider) handles the decoder implementation, and
|
||||||
|
another provider (e.g. "fips" provider) handles the keys.
|
||||||
|
|
||||||
|
The workaround is to create `OSSL_DECODER_CTX` variable each time without using
|
||||||
|
the `OSSL_DECODER_CTX_set_selection`.
|
||||||
|
|
||||||
|
https://github.com/ruby/openssl/commit/5ff4a31621
|
||||||
|
|
||||||
|
This is the commit message #2:
|
||||||
|
|
||||||
|
[ruby/openssl] ossl_pkey.c: Workaround: Decode with non-zero selections.
|
||||||
|
|
||||||
|
This is a workaround for the decoding issue in ossl_pkey_read_generic().
|
||||||
|
The issue happens in the case that a key management provider is different from
|
||||||
|
a decoding provider.
|
||||||
|
|
||||||
|
Try all the non-zero selections in order, instead of selection 0 for OpenSSL 3
|
||||||
|
to avoid the issue.
|
||||||
|
|
||||||
|
https://github.com/ruby/openssl/commit/db688fa739
|
||||||
|
---
|
||||||
|
ext/openssl/ossl_pkey.c | 78 ++++++++++++++++++++++++++++++++++++++---
|
||||||
|
1 file changed, 73 insertions(+), 5 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/ext/openssl/ossl_pkey.c b/ext/openssl/ossl_pkey.c
|
||||||
|
index 24d0da4683..15854aeca1 100644
|
||||||
|
--- a/ext/openssl/ossl_pkey.c
|
||||||
|
+++ b/ext/openssl/ossl_pkey.c
|
||||||
|
@@ -81,18 +81,20 @@ ossl_pkey_new(EVP_PKEY *pkey)
|
||||||
|
#if OSSL_OPENSSL_PREREQ(3, 0, 0)
|
||||||
|
# include <openssl/decoder.h>
|
||||||
|
|
||||||
|
-EVP_PKEY *
|
||||||
|
-ossl_pkey_read_generic(BIO *bio, VALUE pass)
|
||||||
|
+static EVP_PKEY *
|
||||||
|
+ossl_pkey_read(BIO *bio, const char *input_type, int selection, VALUE pass)
|
||||||
|
{
|
||||||
|
void *ppass = (void *)pass;
|
||||||
|
OSSL_DECODER_CTX *dctx;
|
||||||
|
EVP_PKEY *pkey = NULL;
|
||||||
|
int pos = 0, pos2;
|
||||||
|
|
||||||
|
- dctx = OSSL_DECODER_CTX_new_for_pkey(&pkey, "DER", NULL, NULL, 0, NULL, NULL);
|
||||||
|
+ dctx = OSSL_DECODER_CTX_new_for_pkey(&pkey, input_type, NULL, NULL,
|
||||||
|
+ selection, NULL, NULL);
|
||||||
|
if (!dctx)
|
||||||
|
goto out;
|
||||||
|
- if (OSSL_DECODER_CTX_set_pem_password_cb(dctx, ossl_pem_passwd_cb, ppass) != 1)
|
||||||
|
+ if (OSSL_DECODER_CTX_set_pem_password_cb(dctx, ossl_pem_passwd_cb,
|
||||||
|
+ ppass) != 1)
|
||||||
|
goto out;
|
||||||
|
|
||||||
|
/* First check DER */
|
||||||
|
@@ -111,11 +113,77 @@ ossl_pkey_read_generic(BIO *bio, VALUE pass)
|
||||||
|
goto out;
|
||||||
|
pos = pos2;
|
||||||
|
}
|
||||||
|
-
|
||||||
|
out:
|
||||||
|
+ OSSL_BIO_reset(bio);
|
||||||
|
OSSL_DECODER_CTX_free(dctx);
|
||||||
|
return pkey;
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+EVP_PKEY *
|
||||||
|
+ossl_pkey_read_generic(BIO *bio, VALUE pass)
|
||||||
|
+{
|
||||||
|
+ EVP_PKEY *pkey = NULL;
|
||||||
|
+ /* First check DER, then check PEM. */
|
||||||
|
+ const char *input_types[] = {"DER", "PEM"};
|
||||||
|
+ int input_type_num = (int)(sizeof(input_types) / sizeof(char *));
|
||||||
|
+ /*
|
||||||
|
+ * Non-zero selections to try to decode.
|
||||||
|
+ *
|
||||||
|
+ * See EVP_PKEY_fromdata(3) - Selections to see all the selections.
|
||||||
|
+ *
|
||||||
|
+ * This is a workaround for the decoder failing to decode or returning
|
||||||
|
+ * bogus keys with selection 0, if a key management provider is different
|
||||||
|
+ * from a decoder provider. The workaround is to avoid using selection 0.
|
||||||
|
+ *
|
||||||
|
+ * Affected OpenSSL versions: >= 3.1.0, <= 3.1.2, or >= 3.0.0, <= 3.0.10
|
||||||
|
+ * Fixed OpenSSL versions: 3.2, next release of the 3.1.z and 3.0.z
|
||||||
|
+ *
|
||||||
|
+ * See https://github.com/openssl/openssl/pull/21519 for details.
|
||||||
|
+ *
|
||||||
|
+ * First check for private key formats (EVP_PKEY_KEYPAIR). This is to keep
|
||||||
|
+ * compatibility with ruby/openssl < 3.0 which decoded the following as a
|
||||||
|
+ * private key.
|
||||||
|
+ *
|
||||||
|
+ * $ openssl ecparam -name prime256v1 -genkey -outform PEM
|
||||||
|
+ * -----BEGIN EC PARAMETERS-----
|
||||||
|
+ * BggqhkjOPQMBBw==
|
||||||
|
+ * -----END EC PARAMETERS-----
|
||||||
|
+ * -----BEGIN EC PRIVATE KEY-----
|
||||||
|
+ * MHcCAQEEIAG8ugBbA5MHkqnZ9ujQF93OyUfL9tk8sxqM5Wv5tKg5oAoGCCqGSM49
|
||||||
|
+ * AwEHoUQDQgAEVcjhJfkwqh5C7kGuhAf8XaAjVuG5ADwb5ayg/cJijCgs+GcXeedj
|
||||||
|
+ * 86avKpGH84DXUlB23C/kPt+6fXYlitUmXQ==
|
||||||
|
+ * -----END EC PRIVATE KEY-----
|
||||||
|
+ *
|
||||||
|
+ * While the first PEM block is a proper encoding of ECParameters, thus
|
||||||
|
+ * OSSL_DECODER_from_bio() would pick it up, ruby/openssl used to return
|
||||||
|
+ * the latter instead. Existing applications expect this behavior.
|
||||||
|
+ *
|
||||||
|
+ * Note that normally, the input is supposed to contain a single decodable
|
||||||
|
+ * PEM block only, so this special handling should not create a new problem.
|
||||||
|
+ *
|
||||||
|
+ * Note that we need to create the OSSL_DECODER_CTX variable each time when
|
||||||
|
+ * we use the different selection as a workaround.
|
||||||
|
+ * See https://github.com/openssl/openssl/issues/20657 for details.
|
||||||
|
+ */
|
||||||
|
+ int selections[] = {
|
||||||
|
+ EVP_PKEY_KEYPAIR,
|
||||||
|
+ EVP_PKEY_KEY_PARAMETERS,
|
||||||
|
+ EVP_PKEY_PUBLIC_KEY
|
||||||
|
+ };
|
||||||
|
+ int selection_num = (int)(sizeof(selections) / sizeof(int));
|
||||||
|
+ int i, j;
|
||||||
|
+
|
||||||
|
+ for (i = 0; i < input_type_num; i++) {
|
||||||
|
+ for (j = 0; j < selection_num; j++) {
|
||||||
|
+ pkey = ossl_pkey_read(bio, input_types[i], selections[j], pass);
|
||||||
|
+ if (pkey) {
|
||||||
|
+ goto out;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ out:
|
||||||
|
+ return pkey;
|
||||||
|
+}
|
||||||
|
#else
|
||||||
|
EVP_PKEY *
|
||||||
|
ossl_pkey_read_generic(BIO *bio, VALUE pass)
|
||||||
|
--
|
||||||
|
2.41.0
|
||||||
|
|
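Review bot: `ossl_pkey_read_generic` now calls `ossl_pkey_read` up to six times (two input types times three selections), and every call builds a fresh `OSSL_DECODER_CTX` with `ossl_pem_passwd_cb` registered, so for input that never decodes, such as a wrong passphrase or non-key data, the passphrase callback may presumably run on several attempts and each failure can leave entries on the OpenSSL error queue. The decode loop between the two hunks is not shown, so this needs confirming, but I would stop iterating once the callback itself has failed and clear the queue between attempts, e.g. `ossl_clear_error();` before the next `ossl_pkey_read` call. Two smaller points: the `/* First check DER */` comment left in `ossl_pkey_read` is stale now that the format arrives as `input_type`, and `sizeof(input_types) / sizeof(char *)` is safer written as `sizeof(input_types) / sizeof(input_types[0])`.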
@ -0,0 +1,142 @@
|
|||||||
|
From 29920ec109751459a65c6478525f2e59c644891f Mon Sep 17 00:00:00 2001
|
||||||
|
From: Jun Aruga <jaruga@redhat.com>
|
||||||
|
Date: Thu, 16 Mar 2023 21:36:43 +0100
|
||||||
|
Subject: [PATCH] [ruby/openssl] Implement FIPS functions on OpenSSL 3.
|
||||||
|
|
||||||
|
This commit is to implement the `OpenSSL::OPENSSL_FIPS`, `ossl_fips_mode_get`
|
||||||
|
and `ossl_fips_mode_set` to pass the test `test/openssl/test_fips.rb`.
|
||||||
|
|
||||||
|
It seems that the `OPENSSL_FIPS` macro is not used on the FIPS mode case any
|
||||||
|
more, and some FIPS related APIs also were removed in OpenSSL 3.
|
||||||
|
|
||||||
|
See the document <https://github.com/openssl/openssl/blob/master/doc/man7/migration_guide.pod#removed-fips_mode-and-fips_mode_set>
|
||||||
|
the section OPENSSL 3.0 > Main Changes from OpenSSL 1.1.1 >
|
||||||
|
Other notable deprecations and changes - Removed FIPS_mode() and FIPS_mode_set() .
|
||||||
|
|
||||||
|
The `OpenSSL::OPENSSL_FIPS` returns always true in OpenSSL 3 because the used
|
||||||
|
functions `EVP_default_properties_enable_fips` and `EVP_default_properties_is_fips_enabled`
|
||||||
|
works with the OpenSSL installed without FIPS option.
|
||||||
|
|
||||||
|
The `TEST_RUBY_OPENSSL_FIPS_ENABLED` is set on the FIPS mode case on the CI.
|
||||||
|
Because I want to test that the `OpenSSL.fips_mode` returns the `true` or
|
||||||
|
'false' surely in the CI. You can test the FIPS mode case by setting
|
||||||
|
`TEST_RUBY_OPENSSL_FIPS_ENABLED` on local too. Right now I don't find a better
|
||||||
|
way to get the status of the FIPS mode enabled or disabled for this purpose. I
|
||||||
|
am afraid of the possibility that the FIPS test case is unintentionally skipped.
|
||||||
|
|
||||||
|
I also replaced the ambiguous "returns" with "should return" in the tests.
|
||||||
|
|
||||||
|
https://github.com/ruby/openssl/commit/c5b2bc1268
|
||||||
|
---
|
||||||
|
ext/openssl/ossl.c | 25 +++++++++++++++++++++----
|
||||||
|
test/openssl/test_fips.rb | 32 ++++++++++++++++++++++++++++----
|
||||||
|
2 files changed, 49 insertions(+), 8 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/ext/openssl/ossl.c b/ext/openssl/ossl.c
|
||||||
|
index 6c532aca94..fcf3744c65 100644
|
||||||
|
--- a/ext/openssl/ossl.c
|
||||||
|
+++ b/ext/openssl/ossl.c
|
||||||
|
@@ -405,7 +405,11 @@ static VALUE
|
||||||
|
ossl_fips_mode_get(VALUE self)
|
||||||
|
{
|
||||||
|
|
||||||
|
-#ifdef OPENSSL_FIPS
|
||||||
|
+#if OSSL_OPENSSL_PREREQ(3, 0, 0)
|
||||||
|
+ VALUE enabled;
|
||||||
|
+ enabled = EVP_default_properties_is_fips_enabled(NULL) ? Qtrue : Qfalse;
|
||||||
|
+ return enabled;
|
||||||
|
+#elif OPENSSL_FIPS
|
||||||
|
VALUE enabled;
|
||||||
|
enabled = FIPS_mode() ? Qtrue : Qfalse;
|
||||||
|
return enabled;
|
||||||
|
@@ -429,8 +433,18 @@ ossl_fips_mode_get(VALUE self)
|
||||||
|
static VALUE
|
||||||
|
ossl_fips_mode_set(VALUE self, VALUE enabled)
|
||||||
|
{
|
||||||
|
-
|
||||||
|
-#ifdef OPENSSL_FIPS
|
||||||
|
+#if OSSL_OPENSSL_PREREQ(3, 0, 0)
|
||||||
|
+ if (RTEST(enabled)) {
|
||||||
|
+ if (!EVP_default_properties_enable_fips(NULL, 1)) {
|
||||||
|
+ ossl_raise(eOSSLError, "Turning on FIPS mode failed");
|
||||||
|
+ }
|
||||||
|
+ } else {
|
||||||
|
+ if (!EVP_default_properties_enable_fips(NULL, 0)) {
|
||||||
|
+ ossl_raise(eOSSLError, "Turning off FIPS mode failed");
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ return enabled;
|
||||||
|
+#elif OPENSSL_FIPS
|
||||||
|
if (RTEST(enabled)) {
|
||||||
|
int mode = FIPS_mode();
|
||||||
|
if(!mode && !FIPS_mode_set(1)) /* turning on twice leads to an error */
|
||||||
|
@@ -1185,7 +1199,10 @@ Init_openssl(void)
|
||||||
|
* Boolean indicating whether OpenSSL is FIPS-capable or not
|
||||||
|
*/
|
||||||
|
rb_define_const(mOSSL, "OPENSSL_FIPS",
|
||||||
|
-#ifdef OPENSSL_FIPS
|
||||||
|
+/* OpenSSL 3 is FIPS-capable even when it is installed without fips option */
|
||||||
|
+#if OSSL_OPENSSL_PREREQ(3, 0, 0)
|
||||||
|
+ Qtrue
|
||||||
|
+#elif OPENSSL_FIPS
|
||||||
|
Qtrue
|
||||||
|
#else
|
||||||
|
Qfalse
|
||||||
|
diff --git a/test/openssl/test_fips.rb b/test/openssl/test_fips.rb
|
||||||
|
index 8cd474f9a3..56a12a94ce 100644
|
||||||
|
--- a/test/openssl/test_fips.rb
|
||||||
|
+++ b/test/openssl/test_fips.rb
|
||||||
|
@@ -4,22 +4,46 @@
|
||||||
|
if defined?(OpenSSL)
|
||||||
|
|
||||||
|
class OpenSSL::TestFIPS < OpenSSL::TestCase
|
||||||
|
+ def test_fips_mode_get_is_true_on_fips_mode_enabled
|
||||||
|
+ unless ENV["TEST_RUBY_OPENSSL_FIPS_ENABLED"]
|
||||||
|
+ omit "Only for FIPS mode environment"
|
||||||
|
+ end
|
||||||
|
+
|
||||||
|
+ assert_separately([{ "OSSL_MDEBUG" => nil }, "-ropenssl"], <<~"end;")
|
||||||
|
+ assert OpenSSL.fips_mode == true, ".fips_mode should return true on FIPS mode enabled"
|
||||||
|
+ end;
|
||||||
|
+ end
|
||||||
|
+
|
||||||
|
+ def test_fips_mode_get_is_false_on_fips_mode_disabled
|
||||||
|
+ if ENV["TEST_RUBY_OPENSSL_FIPS_ENABLED"]
|
||||||
|
+ omit "Only for non-FIPS mode environment"
|
||||||
|
+ end
|
||||||
|
+
|
||||||
|
+ assert_separately([{ "OSSL_MDEBUG" => nil }, "-ropenssl"], <<~"end;")
|
||||||
|
+ message = ".fips_mode should return false on FIPS mode disabled. " \
|
||||||
|
+ "If you run the test on FIPS mode, please set " \
|
||||||
|
+ "TEST_RUBY_OPENSSL_FIPS_ENABLED=true"
|
||||||
|
+ assert OpenSSL.fips_mode == false, message
|
||||||
|
+ end;
|
||||||
|
+ end
|
||||||
|
+
|
||||||
|
def test_fips_mode_is_reentrant
|
||||||
|
OpenSSL.fips_mode = false
|
||||||
|
OpenSSL.fips_mode = false
|
||||||
|
end
|
||||||
|
|
||||||
|
- def test_fips_mode_get
|
||||||
|
- return unless OpenSSL::OPENSSL_FIPS
|
||||||
|
+ def test_fips_mode_get_with_fips_mode_set
|
||||||
|
+ omit('OpenSSL is not FIPS-capable') unless OpenSSL::OPENSSL_FIPS
|
||||||
|
+
|
||||||
|
assert_separately([{ "OSSL_MDEBUG" => nil }, "-ropenssl"], <<~"end;")
|
||||||
|
require #{__FILE__.dump}
|
||||||
|
|
||||||
|
begin
|
||||||
|
OpenSSL.fips_mode = true
|
||||||
|
- assert OpenSSL.fips_mode == true, ".fips_mode returns true when .fips_mode=true"
|
||||||
|
+ assert OpenSSL.fips_mode == true, ".fips_mode should return true when .fips_mode=true"
|
||||||
|
|
||||||
|
OpenSSL.fips_mode = false
|
||||||
|
- assert OpenSSL.fips_mode == false, ".fips_mode returns false when .fips_mode=false"
|
||||||
|
+ assert OpenSSL.fips_mode == false, ".fips_mode should return false when .fips_mode=false"
|
||||||
|
rescue OpenSSL::OpenSSLError
|
||||||
|
pend "Could not set FIPS mode (OpenSSL::OpenSSLError: \#$!); skipping"
|
||||||
|
end
|
||||||
|
--
|
||||||
|
2.41.0
|
||||||
|
|
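Review bot: The three `#elif OPENSSL_FIPS` lines (in `ossl_fips_mode_get`, `ossl_fips_mode_set` and the `OPENSSL_FIPS` constant in `Init_openssl`) replace an `#ifdef` with a value test, which is not equivalent: a pre-3.0 build where the macro is defined with no value fails to preprocess, and one where it is defined as 0 now takes the non-FIPS branch. `#elif defined(OPENSSL_FIPS)` keeps the old meaning. On the OpenSSL 3 branch, `EVP_default_properties_enable_fips(NULL, 1)` only changes the default property query, so `fips_mode = true` followed by `fips_mode` returning true does not by itself show that a FIPS provider is loaded. A comment next to the setter, e.g. `/* sets the default property query only; does not load or verify the fips provider */`, would keep callers from reading it as an attestation. All three functions extend beyond the hunks shown.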
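--- a/SOURCES/ruby-3.3.0-test-file-utime.patch
+++ b/SOURCES/ruby-3.3.0-test-file-utime.patch
@@ -0,0 +1,36 @@
+From 8d1109c03bacc952b6218af2e4ae9b74c9855273 Mon Sep 17 00:00:00 2001
+From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
+Date: Wed, 22 Mar 2023 16:10:06 +0900
+Subject: [PATCH] Added assertion values for Amazon Linux 2023
+
+---
+spec/ruby/core/file/utime_spec.rb | 8 +++++---
+1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/spec/ruby/core/file/utime_spec.rb b/spec/ruby/core/file/utime_spec.rb
+index a191e2924037c..0b0e4f979c935 100644
+--- a/spec/ruby/core/file/utime_spec.rb
++++ b/spec/ruby/core/file/utime_spec.rb
+@@ -72,17 +72,19 @@
+
+platform_is :linux do
+platform_is wordsize: 64 do
+- it "allows Time instances in the far future to set mtime and atime (but some filesystems limit it up to 2446-05-10 or 2038-01-19)" do
++ it "allows Time instances in the far future to set mtime and atime (but some filesystems limit it up to 2446-05-10 or 2038-01-19 or 2486-07-02)" do
+# https://ext4.wiki.kernel.org/index.php/Ext4_Disk_Layout#Inode_Timestamps
+# "Therefore, timestamps should not overflow until May 2446."
+# https://lwn.net/Articles/804382/
+# "On-disk timestamps hitting the y2038 limit..."
+# The problem seems to be being improved, but currently it actually fails on XFS on RHEL8
+# https://rubyci.org/logs/rubyci.s3.amazonaws.com/rhel8/ruby-master/log/20201112T123004Z.fail.html.gz
++ # Amazon Linux 2023 returns 2486-07-02 in this example
++ # http://rubyci.s3.amazonaws.com/amazon2023/ruby-master/log/20230322T063004Z.fail.html.gz
+time = Time.at(1<<44)
+File.utime(time, time, @file1)
+- [559444, 2446, 2038].should.include? File.atime(@file1).year
+- [559444, 2446, 2038].should.include? File.mtime(@file1).year
++ [559444, 2486, 2446, 2038].should.include? File.atime(@file1).year
++ [559444, 2486, 2446, 2038].should.include? File.mtime(@file1).year
+end
+end
+end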
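--- a/SOURCES/ruby-spec-Fix-tests-on-tzdata-2022b.patch
+++ b/SOURCES/ruby-spec-Fix-tests-on-tzdata-2022b.patch
@@ -0,0 +1,40 @@
+From 7e9ec8a20b0f7469b415283d2ec0c22087f8eb2b Mon Sep 17 00:00:00 2001
+From: Jun Aruga <jaruga@redhat.com>
+Date: Wed, 24 Aug 2022 12:02:56 +0200
+Subject: [PATCH] Fix tests with Europe/Amsterdam pre-1970 time on tzdata
+version 2022b.
+
+The Time Zone Database (tzdata) changed the pre-1970 timestamps in some zones
+including Europe/Amsterdam on tzdata version 2022b or later.
+See <https://github.com/eggert/tz/commit/35fa37fbbb152f5dbed4fd5edfdc968e3584fe12>.
+
+The tzdata RPM package maintainer on Fedora project suggested changing the Ruby
+test, because the change is intentional.
+See <https://bugzilla.redhat.com/show_bug.cgi?id=2118259#c1>.
+
+We use post-1970 time test data to simplify the test.
+---
+core/time/shared/local.rb | 6 +++---
+1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/spec/ruby/core/time/shared/local.rb b/spec/ruby/core/time/shared/local.rb
+index 43f331c4c..c4aa7a7ea 100644
+--- a/spec/ruby/core/time/shared/local.rb
++++ b/spec/ruby/core/time/shared/local.rb
+@@ -8,10 +8,10 @@ describe :time_local, shared: true do
+
+platform_is_not :windows do
+describe "timezone changes" do
+- it "correctly adjusts the timezone change to 'CEST' on 'Europe/Amsterdam'" do
++ it "correctly adjusts the timezone change to 'CET' on 'Europe/Amsterdam'" do
+with_timezone("Europe/Amsterdam") do
+- Time.send(@method, 1940, 5, 16).to_a.should ==
+- [0, 40, 1, 16, 5, 1940, 4, 137, true, "CEST"]
++ Time.send(@method, 1970, 5, 16).to_a.should ==
++ [0, 0, 0, 16, 5, 1970, 6, 136, false, "CET"]
+end
+end
+end
+--
+2.36.1
+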
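--- a/SOURCES/test_openssl_fips.rb
+++ b/SOURCES/test_openssl_fips.rb
@@ -0,0 +1,34 @@
+require 'openssl'
+
+# Run openssl tests in OpenSSL FIPS. See the link below for how to test.
+# https://github.com/ruby/openssl/blob/master/.github/workflows/test.yml
+# - step name: test on fips module
+
+# Listing the testing files by an array explicitly rather than the `Dir.glob`
+# to prevent the test files from not loading unintentionally.
+TEST_FILES = %w[
+test/openssl/test_fips.rb
+test/openssl/test_pkey.rb
+].freeze
+
+if ARGV.empty?
+puts 'ERROR: Argument base_dir required.'
+puts "Usage: #{__FILE__} base_dir [options]"
+exit false
+end
+BASE_DIR = ARGV[0]
+abs_test_files = TEST_FILES.map { |file| File.join(BASE_DIR, file) }
+
+# Set Fedora/RHEL downstream OpenSSL downstream environment variable to enable
+# FIPS module in non-FIPS OS environment. It is available in Fedora 38 or later
+# versions.
+# https://src.fedoraproject.org/rpms/openssl/blob/rawhide/f/0009-Add-Kernel-FIPS-mode-flag-support.patch
+ENV['OPENSSL_FORCE_FIPS_MODE'] = '1'
+# A flag to tell the tests the current environment is FIPS enabled.
+# https://github.com/ruby/openssl/blob/master/test/openssl/test_fips.rb
+ENV['TEST_RUBY_OPENSSL_FIPS_ENABLED'] = 'true'
+
+abs_test_files.each do |file|
+puts "INFO: Loading #{file}."
+require file
+end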
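Review bot: Nothing in test_openssl_fips.rb confirms that FIPS mode is actually active before the test files are loaded; the script only sets `OPENSSL_FORCE_FIPS_MODE` and `TEST_RUBY_OPENSSL_FIPS_ENABLED` and then requires the tests. `require 'openssl'` also runs on the first line, before the variable is set, so if the library reads it during initialisation the in-process tests could run without the FIPS provider while the flag tells them otherwise (whether it does is not visible here). A guard just before the `abs_test_files.each` loop, such as `abort 'ERROR: OpenSSL FIPS mode is not active.' unless OpenSSL.fips_mode`, would make the step fail closed instead of passing without FIPS coverage.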
@ -22,7 +22,7 @@
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
|
|
||||||
%global release 160
|
%global release 161
|
||||||
%{!?release_string:%define release_string %{?development_release:0.}%{release}%{?development_release:.%{development_release}}%{?dist}}
|
%{!?release_string:%define release_string %{?development_release:0.}%{release}%{?development_release:.%{development_release}}%{?dist}}
|
||||||
|
|
||||||
# The RubyGems library has to stay out of Ruby directory tree, since the
|
# The RubyGems library has to stay out of Ruby directory tree, since the
|
||||||
@ -106,6 +106,8 @@ Source11: rubygems.con
|
|||||||
Source13: test_abrt.rb
|
Source13: test_abrt.rb
|
||||||
# SystemTap tests.
|
# SystemTap tests.
|
||||||
Source14: test_systemtap.rb
|
Source14: test_systemtap.rb
|
||||||
|
# Ruby OpenSSL FIPS tests.
|
||||||
|
Source15: test_openssl_fips.rb
|
||||||
|
|
||||||
# The load directive is supported since RPM 4.12, i.e. F21+. The build process
|
# The load directive is supported since RPM 4.12, i.e. F21+. The build process
|
||||||
# fails on older Fedoras.
|
# fails on older Fedoras.
|
||||||
@ -261,6 +263,38 @@ Patch59: ruby-3.1.1-ossl_ocsp-use-null.patch
|
|||||||
# Replace SHA1 usage in tests.
|
# Replace SHA1 usage in tests.
|
||||||
# https://github.com/ruby/openssl/pull/511
|
# https://github.com/ruby/openssl/pull/511
|
||||||
Patch60: ruby-3.1.2-ossl-tests-replace-sha1.patch
|
Patch60: ruby-3.1.2-ossl-tests-replace-sha1.patch
|
||||||
|
# Bypass git submodule test failure on Git >= 2.38.1.
|
||||||
|
# https://github.com/ruby/ruby/pull/6587
|
||||||
|
Patch61: ruby-3.2.0-git-2.38.1-fix-rubygems-test.patch
|
||||||
|
# Fix tests with Europe/Amsterdam pre-1970 time on tzdata version 2022b.
|
||||||
|
# https://github.com/ruby/spec/pull/939
|
||||||
|
Patch62: ruby-spec-Fix-tests-on-tzdata-2022b.patch
|
||||||
|
# Fix Time Zone Database 2022g.
|
||||||
|
# https://bugs.ruby-lang.org/issues/19187
|
||||||
|
# https://github.com/ruby/ruby/commit/a1124dc162810f86cb0bff58cde24064cfc561bc
|
||||||
|
Patch63: ruby-3.1.3-Fix-for-tzdata-2022g.patch
|
||||||
|
# Fix File.utime test.
|
||||||
|
# https://github.com/ruby/ruby/commit/8d1109c03bacc952b6218af2e4ae9b74c9855273
|
||||||
|
Patch64: ruby-3.3.0-test-file-utime.patch
|
||||||
|
# Fix OpenSSL.fips_mode in OpenSSL 3 FIPS.
|
||||||
|
# https://github.com/ruby/openssl/pull/608
|
||||||
|
# https://github.com/ruby/ruby/commit/678d41bc51fe31834eec0b653ba0e47de5420aa0
|
||||||
|
Patch65: ruby-3.3.0-openssl-3.2.0-fix-fips-get-set-in-openssl-3.patch
|
||||||
|
# Fix OpenSSL::PKey.read in OpenSSL 3 FIPS.
|
||||||
|
# The patch is a combination of the following 2 commits to simplify the patch.
|
||||||
|
# https://github.com/ruby/openssl/pull/615
|
||||||
|
# https://github.com/ruby/ruby/commit/2a4834057b30a26c38ece3961b370c0b2ee59380
|
||||||
|
# https://github.com/ruby/openssl/pull/669
|
||||||
|
# https://github.com/ruby/ruby/commit/b0ec1db8a72c530460abd9462ac75845362886bd
|
||||||
|
Patch66: ruby-3.3.0-openssl-3.2.0-fips-fix-pkey-read-in-openssl-3.patch
|
||||||
|
# Enable tests in OpenSSL FIPS.
|
||||||
|
# https://github.com/ruby/openssl/pull/615
|
||||||
|
# https://github.com/ruby/ruby/commit/920bc71284f417f9044b0dc1822b1d29a8fc61e5
|
||||||
|
Patch67: ruby-3.3.0-openssl-3.2.0-fips-enable-tests.patch
|
||||||
|
# ssl: use ffdhe2048 from RFC 7919 as the default DH group parameters
|
||||||
|
# https://github.com/ruby/openssl/pull/674
|
||||||
|
# https://github.com/ruby/ruby/commit/b6d7cdc2bad0eadbca73f3486917f0ec7a475814
|
||||||
|
Patch68: ruby-3.3.0-openssl-3.2.0-fips-fix-pkey-dh-require-openssl.patch
|
||||||
|
|
||||||
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
|
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
|
||||||
Suggests: rubypick
|
Suggests: rubypick
|
||||||
@ -726,6 +760,14 @@ rm -rf ext/fiddle/libffi*
|
|||||||
%patch58 -p1
|
%patch58 -p1
|
||||||
%patch59
|
%patch59
|
||||||
%patch60 -p1
|
%patch60 -p1
|
||||||
|
%patch61 -p1
|
||||||
|
%patch62 -p1
|
||||||
|
%patch63 -p1
|
||||||
|
%patch64 -p1
|
||||||
|
%patch65 -p1
|
||||||
|
%patch66 -p1
|
||||||
|
%patch67 -p1
|
||||||
|
%patch68 -p1
|
||||||
|
|
||||||
# Provide an example of usage of the tapset:
|
# Provide an example of usage of the tapset:
|
||||||
cp -a %{SOURCE3} .
|
cp -a %{SOURCE3} .
|
||||||
@ -1017,6 +1059,11 @@ OPENSSL_ENABLE_SHA1_SIGNATURES=1 \
|
|||||||
%{?test_timeout_scale:RUBY_TEST_TIMEOUT_SCALE="%{test_timeout_scale}"} \
|
%{?test_timeout_scale:RUBY_TEST_TIMEOUT_SCALE="%{test_timeout_scale}"} \
|
||||||
make check TESTS="-v $DISABLE_TESTS" MSPECOPT="-fs $MSPECOPTS"
|
make check TESTS="-v $DISABLE_TESTS" MSPECOPT="-fs $MSPECOPTS"
|
||||||
|
|
||||||
|
# Run Ruby OpenSSL tests in OpenSSL FIPS.
|
||||||
|
make runruby TESTRUN_SCRIPT=" \
|
||||||
|
-I%{_builddir}/%{buildsubdir}/tool/lib --enable-gems \
|
||||||
|
%{SOURCE15} %{_builddir}/%{buildsubdir} --verbose"
|
||||||
|
|
||||||
%files
|
%files
|
||||||
%license BSDL
|
%license BSDL
|
||||||
%license COPYING
|
%license COPYING
|
||||||
@ -1489,11 +1536,23 @@ OPENSSL_ENABLE_SHA1_SIGNATURES=1 \
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Oct 09 2023 Jun Aruga <jaruga@redhat.com> - 3.0.4-161
|
||||||
|
- Fix OpenSSL.fips_mode and OpenSSL::PKey.read in OpenSSL 3 FIPS.
|
||||||
|
Resolves: RHEL-12724
|
||||||
|
- ssl: use ffdhe2048 from RFC 7919 as the default DH group parameters
|
||||||
|
Related: RHEL-12724
|
||||||
|
|
||||||
|
* Wed Jun 28 2023 Jun Aruga <jaruga@redhat.com> - 3.0.4-160
|
||||||
|
- Bypass git submodule test failure on Git >= 2.38.1.
|
||||||
|
- Fix tests with Europe/Amsterdam pre-1970 time on tzdata version 2022b.
|
||||||
|
- Fix for tzdata-2022g.
|
||||||
|
- Fix File.utime test.
|
||||||
|
|
||||||
* Fri Jul 08 2022 Jarek Prokop <jprokop@redhat.com> - 3.0.4-160
|
* Fri Jul 08 2022 Jarek Prokop <jprokop@redhat.com> - 3.0.4-160
|
||||||
- Upgrade to Ruby 3.0.4.
|
- Upgrade to Ruby 3.0.4.
|
||||||
Resolves: rhbz#2109428
|
Resolves: rhbz#2096347
|
||||||
- OpenSSL test suite fixes due to disabled SHA1.
|
- OpenSSL test suite fixes due to disabled SHA1.
|
||||||
Related: rbhz#2109428
|
Resolves: rbhz#2107696
|
||||||
- Fix double free in Regexp compilation.
|
- Fix double free in Regexp compilation.
|
||||||
Resolves: CVE-2022-28738
|
Resolves: CVE-2022-28738
|
||||||
- Fix buffer overrun in String-to-Float conversion.
|
- Fix buffer overrun in String-to-Float conversion.
|
||||||
|
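Review bot: The `make runruby TESTRUN_SCRIPT="... %{SOURCE15} ..."` step added after `make check` does not say what it needs from the build root. test_openssl_fips.rb switches FIPS on through `OPENSSL_FORCE_FIPS_MODE`, which its own comment describes as a Fedora/RHEL downstream OpenSSL feature. I would extend the comment above the step, e.g. `# Needs an OpenSSL build that honours OPENSSL_FORCE_FIPS_MODE; see test_openssl_fips.rb.`, so a failure here against a different OpenSSL is read as a missing prerequisite rather than a Ruby regression. The enclosing `%check` section starts outside this hunk.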