From cb767615cc4459245433e7b5e211a7c19511f79b Mon Sep 17 00:00:00 2001 From: eabdullin Date: Thu, 28 Mar 2024 14:22:39 +0000 Subject: [PATCH] import CS ruby-3.1.2-142.module_el9+787+b20bfeee --- SOURCES/ruby-3.1.3-Fix-for-tzdata-2022g.patch | 70 +++++++ ...y-3.2.0-git-2.38.1-fix-rubygems-test.patch | 27 +++ ....3.0-openssl-3.2.0-fips-enable-tests.patch | 32 ++++ ...2.0-fips-fix-pkey-dh-require-openssl.patch | 73 ++++++++ ....2.0-fips-fix-pkey-read-in-openssl-3.patch | 177 ++++++++++++++++++ ...-3.2.0-fix-fips-get-set-in-openssl-3.patch | 142 ++++++++++++++ .../ruby-spec-Fix-tests-on-tzdata-2022b.patch | 40 ++++ SOURCES/test_openssl_fips.rb | 34 ++++ SPECS/ruby.spec | 59 +++++- 9 files changed, 653 insertions(+), 1 deletion(-) create mode 100644 SOURCES/ruby-3.1.3-Fix-for-tzdata-2022g.patch create mode 100644 SOURCES/ruby-3.2.0-git-2.38.1-fix-rubygems-test.patch create mode 100644 SOURCES/ruby-3.3.0-openssl-3.2.0-fips-enable-tests.patch create mode 100644 SOURCES/ruby-3.3.0-openssl-3.2.0-fips-fix-pkey-dh-require-openssl.patch create mode 100644 SOURCES/ruby-3.3.0-openssl-3.2.0-fips-fix-pkey-read-in-openssl-3.patch create mode 100644 SOURCES/ruby-3.3.0-openssl-3.2.0-fix-fips-get-set-in-openssl-3.patch create mode 100644 SOURCES/ruby-spec-Fix-tests-on-tzdata-2022b.patch create mode 100644 SOURCES/test_openssl_fips.rb diff --git a/SOURCES/ruby-3.1.3-Fix-for-tzdata-2022g.patch b/SOURCES/ruby-3.1.3-Fix-for-tzdata-2022g.patch new file mode 100644 index 0000000..a8a1605 --- /dev/null +++ b/SOURCES/ruby-3.1.3-Fix-for-tzdata-2022g.patch 
@@ -0,0 +1,70 @@ +From a1124dc162810f86cb0bff58cde24064cfc561bc Mon Sep 17 00:00:00 2001 +From: nagachika +Date: Fri, 9 Dec 2022 21:11:47 +0900 +Subject: [PATCH] merge revision(s) 58cc3c9f387dcf8f820b43e043b540fa06248da3: + [Backport #19187] + + [Bug #19187] Fix for tzdata-2022g + + --- + test/ruby/test_time_tz.rb | 21 +++++++++++++++------ + 1 file changed, 15 insertions(+), 6 deletions(-) +--- + test/ruby/test_time_tz.rb | 21 +++++++++++++++------ + 1 files changed, 15 insertions(+), 6 deletions(-) + +diff --git a/test/ruby/test_time_tz.rb b/test/ruby/test_time_tz.rb +index b6785f336028d..939f218ed4d10 100644 +--- a/test/ruby/test_time_tz.rb ++++ b/test/ruby/test_time_tz.rb +@@ -7,9 +7,9 @@ class TestTimeTZ < Test::Unit::TestCase + has_lisbon_tz = true + force_tz_test = ENV["RUBY_FORCE_TIME_TZ_TEST"] == "yes" + case RUBY_PLATFORM +- when /linux/ ++ when /darwin|linux/ + force_tz_test = true +- when /darwin|freebsd|openbsd/ ++ when /freebsd|openbsd/ + has_lisbon_tz = false + force_tz_test = true + end +@@ -95,6 +95,9 @@ def group_by(e, &block) + CORRECT_KIRITIMATI_SKIP_1994 = with_tz("Pacific/Kiritimati") { + Time.local(1994, 12, 31, 0, 0, 0).year == 1995 + } ++ CORRECT_SINGAPORE_1982 = with_tz("Asia/Singapore") { ++ "2022g" if Time.local(1981, 12, 31, 23, 59, 59).utc_offset == 8*3600 ++ } + + def time_to_s(t) + t.to_s +@@ -140,9 +143,12 @@ def test_america_managua + + def test_asia_singapore + with_tz(tz="Asia/Singapore") { +- assert_time_constructor(tz, "1981-12-31 23:59:59 +0730", :local, [1981,12,31,23,59,59]) +- assert_time_constructor(tz, "1982-01-01 00:30:00 +0800", :local, [1982,1,1,0,0,0]) +- assert_time_constructor(tz, "1982-01-01 00:59:59 +0800", :local, [1982,1,1,0,29,59]) ++ assert_time_constructor(tz, "1981-12-31 23:29:59 +0730", :local, [1981,12,31,23,29,59]) ++ if CORRECT_SINGAPORE_1982 ++ assert_time_constructor(tz, "1982-01-01 00:00:00 +0800", :local, [1981,12,31,23,30,00]) ++ assert_time_constructor(tz, "1982-01-01 00:00:00 +0800", :local, 
[1982,1,1,0,0,0]) ++ assert_time_constructor(tz, "1982-01-01 00:29:59 +0800", :local, [1982,1,1,0,29,59]) ++ end + assert_time_constructor(tz, "1982-01-01 00:30:00 +0800", :local, [1982,1,1,0,30,0]) + } + end +@@ -450,8 +456,11 @@ def self.gen_zdump_test(data) + America/Managua Wed Jan 1 04:59:59 1997 UTC = Tue Dec 31 23:59:59 1996 EST isdst=0 gmtoff=-18000 + America/Managua Wed Jan 1 05:00:00 1997 UTC = Tue Dec 31 23:00:00 1996 CST isdst=0 gmtoff=-21600 + Asia/Singapore Sun Aug 8 16:30:00 1965 UTC = Mon Aug 9 00:00:00 1965 SGT isdst=0 gmtoff=27000 +-Asia/Singapore Thu Dec 31 16:29:59 1981 UTC = Thu Dec 31 23:59:59 1981 SGT isdst=0 gmtoff=27000 ++Asia/Singapore Thu Dec 31 15:59:59 1981 UTC = Thu Dec 31 23:29:59 1981 SGT isdst=0 gmtoff=27000 + Asia/Singapore Thu Dec 31 16:30:00 1981 UTC = Fri Jan 1 00:30:00 1982 SGT isdst=0 gmtoff=28800 ++End ++ gen_zdump_test <<'End' if CORRECT_SINGAPORE_1982 ++Asia/Singapore Thu Dec 31 16:00:00 1981 UTC = Fri Jan 1 00:00:00 1982 SGT isdst=0 gmtoff=28800 + End + gen_zdump_test CORRECT_TOKYO_DST_1951 ? <<'End' + (CORRECT_TOKYO_DST_1951 < "2018f" ? <<'2018e' : <<'2018f') : <<'End' + Asia/Tokyo Sat May 5 14:59:59 1951 UTC = Sat May 5 23:59:59 1951 JST isdst=0 gmtoff=32400 diff --git a/SOURCES/ruby-3.2.0-git-2.38.1-fix-rubygems-test.patch b/SOURCES/ruby-3.2.0-git-2.38.1-fix-rubygems-test.patch new file mode 100644 index 0000000..73f9a02 --- /dev/null +++ b/SOURCES/ruby-3.2.0-git-2.38.1-fix-rubygems-test.patch 
@@ -0,0 +1,27 @@ +From dae843f6b7502f921a7e66f39e3714a39d860181 Mon Sep 17 00:00:00 2001 +From: Hiroshi SHIBATA +Date: Wed, 19 Oct 2022 19:40:00 +0900 +Subject: [PATCH] Bypass git submodule add/update with git config + protocol.file.allow=always option. + +Co-authored-by: Nobuyoshi Nakada +--- + test/rubygems/test_gem_source_git.rb | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/test/rubygems/test_gem_source_git.rb b/test/rubygems/test_gem_source_git.rb +index 5702da05974b6..c3b324771fa4d 100644 +--- a/test/rubygems/test_gem_source_git.rb ++++ b/test/rubygems/test_gem_source_git.rb +@@ -63,6 +63,11 @@ def test_checkout_local_cached + end + + def test_checkout_submodules ++ # We need to allow to checkout submodules with file:// protocol ++ # CVE-2022-39253 ++ # https://lore.kernel.org/lkml/xmqq4jw1uku5.fsf@gitster.g/ ++ system(@git, *%W"config --global protocol.file.allow always") ++ + source = Gem::Source::Git.new @name, @repository, 'master', true + + git_gem 'b' diff --git a/SOURCES/ruby-3.3.0-openssl-3.2.0-fips-enable-tests.patch b/SOURCES/ruby-3.3.0-openssl-3.2.0-fips-enable-tests.patch new file mode 100644 index 0000000..7f66fa1 --- /dev/null +++ b/SOURCES/ruby-3.3.0-openssl-3.2.0-fips-enable-tests.patch 
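Review bot: `system(@git, *%W"config --global protocol.file.allow always")` in test_checkout_submodules writes to the running user's global git config, so the CVE-2022-39253 hardening stays switched off for every later git invocation by that user, not just for this test, and nothing restores it afterwards. That is harmless in a throwaway build chroot, but the same test file runs on developer machines. Scoping the override to the test process keeps the effect local, e.g. setting `ENV["GIT_CONFIG_COUNT"] = "1"`, `ENV["GIT_CONFIG_KEY_0"] = "protocol.file.allow"`, `ENV["GIT_CONFIG_VALUE_0"] = "always"` for the duration of the test and restoring the previous values in a teardown; the git processes spawned by Gem::Source::Git inherit them without any config file being touched, and Git has honoured these variables since 2.31, so the Git >= 2.38.1 target is covered. The body of test_checkout_submodules continues outside the hunk.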
@@ -0,0 +1,32 @@ +From f0b254f1f6610294821bbfc06b414d2af452db5b Mon Sep 17 00:00:00 2001 +From: Jun Aruga +Date: Thu, 13 Apr 2023 17:28:27 +0200 +Subject: [PATCH] [ruby/openssl] Drop a common logic disabling the FIPS mode in + the tests. + +We want to run the unit tests in the FIPS mode too. + +https://github.com/ruby/openssl/commit/ab92baff34 +--- + test/openssl/utils.rb | 5 ----- + 1 file changed, 5 deletions(-) + +diff --git a/test/openssl/utils.rb b/test/openssl/utils.rb +index 4ebcb9837b..8a0be0d154 100644 +--- a/test/openssl/utils.rb ++++ b/test/openssl/utils.rb +@@ -1,11 +1,6 @@ + # frozen_string_literal: true + begin + require "openssl" +- +- # Disable FIPS mode for tests for installations +- # where FIPS mode would be enabled by default. +- # Has no effect on all other installations. +- OpenSSL.fips_mode=false + rescue LoadError + end + +-- +2.41.0 + diff --git a/SOURCES/ruby-3.3.0-openssl-3.2.0-fips-fix-pkey-dh-require-openssl.patch b/SOURCES/ruby-3.3.0-openssl-3.2.0-fips-fix-pkey-dh-require-openssl.patch new file mode 100644 index 0000000..156cf88 --- /dev/null +++ b/SOURCES/ruby-3.3.0-openssl-3.2.0-fips-fix-pkey-dh-require-openssl.patch 
@@ -0,0 +1,73 @@ +From b6d7cdc2bad0eadbca73f3486917f0ec7a475814 Mon Sep 17 00:00:00 2001 +From: Kazuki Yamaguchi +Date: Tue, 29 Aug 2023 19:46:02 +0900 +Subject: [PATCH] [ruby/openssl] ssl: use ffdhe2048 from RFC 7919 as the + default DH group parameters + +In TLS 1.2 or before, if DH group parameters for DHE are not supplied +with SSLContext#tmp_dh= or #tmp_dh_callback=, we currently use the +self-generated parameters added in commit https://github.com/ruby/openssl/commit/bb3399a61c03 ("support 2048 +bit length DH-key", 2016-01-15) as the fallback. + +While there is no known weakness in the current parameters, it would be +a good idea to switch to pre-defined, more well audited parameters. + +This also allows the fallback to work in the FIPS mode. + +The PEM encoding was derived with: + + # RFC 7919 Appendix A.1. ffdhe2048 + print OpenSSL::PKey.read(OpenSSL::ASN1::Sequence([OpenSSL::ASN1::Integer((<<-END).split.join.to_i(16)), OpenSSL::ASN1::Integer(2)]).to_der).to_pem + FFFFFFFF FFFFFFFF ADF85458 A2BB4A9A AFDC5620 273D3CF1 + D8B9C583 CE2D3695 A9E13641 146433FB CC939DCE 249B3EF9 + 7D2FE363 630C75D8 F681B202 AEC4617A D3DF1ED5 D5FD6561 + 2433F51F 5F066ED0 85636555 3DED1AF3 B557135E 7F57C935 + 984F0C70 E0E68B77 E2A689DA F3EFE872 1DF158A1 36ADE735 + 30ACCA4F 483A797A BC0AB182 B324FB61 D108A94B B2C8E3FB + B96ADAB7 60D7F468 1D4F42A3 DE394DF4 AE56EDE7 6372BB19 + 0B07A7C8 EE0A6D70 9E02FCE1 CDF7E2EC C03404CD 28342F61 + 9172FE9C E98583FF 8E4F1232 EEF28183 C3FE3B1B 4C6FAD73 + 3BB5FCBC 2EC22005 C58EF183 7D1683B2 C6F34A26 C1B2EFFA + 886B4238 61285C97 FFFFFFFF FFFFFFFF + END + +https://github.com/ruby/openssl/commit/a5527cb4f4 +--- + ext/openssl/lib/openssl/ssl.rb | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/ext/openssl/lib/openssl/ssl.rb b/ext/openssl/lib/openssl/ssl.rb +index ea8bb2a18e533..94be6ba80b894 100644 +--- a/ext/openssl/lib/openssl/ssl.rb ++++ b/ext/openssl/lib/openssl/ssl.rb +@@ -31,21 +31,21 @@ class SSLContext + } + + 
if defined?(OpenSSL::PKey::DH) +- DEFAULT_2048 = OpenSSL::PKey::DH.new <<-_end_of_pem_ ++ DH_ffdhe2048 = OpenSSL::PKey::DH.new <<-_end_of_pem_ + -----BEGIN DH PARAMETERS----- +-MIIBCAKCAQEA7E6kBrYiyvmKAMzQ7i8WvwVk9Y/+f8S7sCTN712KkK3cqd1jhJDY +-JbrYeNV3kUIKhPxWHhObHKpD1R84UpL+s2b55+iMd6GmL7OYmNIT/FccKhTcveab +-VBmZT86BZKYyf45hUF9FOuUM9xPzuK3Vd8oJQvfYMCd7LPC0taAEljQLR4Edf8E6 +-YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3 +-1bNveX5wInh5GDx1FGhKBZ+s1H+aedudCm7sCgRwv8lKWYGiHzObSma8A86KG+MD +-7Lo5JquQ3DlBodj3IDyPrxIv96lvRPFtAwIBAg== ++MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz +++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a ++87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7 ++YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi ++7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD ++ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg== + -----END DH PARAMETERS----- + _end_of_pem_ +- private_constant :DEFAULT_2048 ++ private_constant :DH_ffdhe2048 + + DEFAULT_TMP_DH_CALLBACK = lambda { |ctx, is_export, keylen| # :nodoc: + warn "using default DH parameters." if $VERBOSE +- DEFAULT_2048 ++ DH_ffdhe2048 + } + end + diff --git a/SOURCES/ruby-3.3.0-openssl-3.2.0-fips-fix-pkey-read-in-openssl-3.patch b/SOURCES/ruby-3.3.0-openssl-3.2.0-fips-fix-pkey-read-in-openssl-3.patch new file mode 100644 index 0000000..cac2418 --- /dev/null +++ b/SOURCES/ruby-3.3.0-openssl-3.2.0-fips-fix-pkey-read-in-openssl-3.patch 
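Review bot: Nothing in the change pins `DH_ffdhe2048` to the RFC 7919 group it claims to be; the PEM blob was transcribed by hand (the derivation lives only in the commit message) and a single wrong base64 character would silently yield a different, unaudited group that every default-DHE handshake without `tmp_dh=` then uses. A test that decodes the constant and compares `dh.p.to_s(16)` against the ffdhe2048 hex from RFC 7919 Appendix A.1 (and `dh.g` against 2) would make the claim checkable, and test_pkey.rb, which this commit already runs in FIPS mode, is a natural home for it. The `DEFAULT_TMP_DH_CALLBACK` lambda and the enclosing SSLContext class continue outside the hunk.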
@@ -0,0 +1,177 @@ +From 40451afa279c52ce7a508f8a9ec553cfe7a76a10 Mon Sep 17 00:00:00 2001 +From: Jun Aruga +Date: Wed, 12 Apr 2023 17:15:21 +0200 +Subject: [PATCH] Fix OpenSSL::PKey.read in OpenSSL 3 FIPS module. + +This is a combination of the following 2 commits. Because the combined patch is +easy to merge. + +This is the 1st commit message: + +[ruby/openssl] Workaround: Fix OpenSSL::PKey.read that cannot parse PKey in the FIPS mode. + +This commit is a workaround to avoid the error below that the +`OpenSSL::PKey.read` fails with the OpenSSL 3.0 FIPS mode. + +``` +$ openssl genrsa -out key.pem 4096 + +$ ruby -e "require 'openssl'; OpenSSL::PKey.read(File.read('key.pem'))" +-e:1:in `read': Could not parse PKey (OpenSSL::PKey::PKeyError) + from -e:1:in `
' +``` + +The root cause is on the OpenSSL side. The `OSSL_DECODER_CTX_set_selection` +doesn't apply the selection value properly if there are multiple providers, and +a provider (e.g. "base" provider) handles the decoder implementation, and +another provider (e.g. "fips" provider) handles the keys. + +The workaround is to create `OSSL_DECODER_CTX` variable each time without using +the `OSSL_DECODER_CTX_set_selection`. + +https://github.com/ruby/openssl/commit/5ff4a31621 + +This is the commit message #2: + +[ruby/openssl] ossl_pkey.c: Workaround: Decode with non-zero selections. + +This is a workaround for the decoding issue in ossl_pkey_read_generic(). +The issue happens in the case that a key management provider is different from +a decoding provider. + +Try all the non-zero selections in order, instead of selection 0 for OpenSSL 3 +to avoid the issue. + +https://github.com/ruby/openssl/commit/db688fa739 +--- + ext/openssl/ossl_pkey.c | 96 +++++++++++++++++++++++++++++++++-------- + 1 file changed, 79 insertions(+), 17 deletions(-) + +diff --git a/ext/openssl/ossl_pkey.c b/ext/openssl/ossl_pkey.c +index 24d0da4683..15854aeca1 100644 +--- a/ext/openssl/ossl_pkey.c ++++ b/ext/openssl/ossl_pkey.c +@@ -82,41 +82,103 @@ ossl_pkey_new(EVP_PKEY *pkey) + #if OSSL_OPENSSL_PREREQ(3, 0, 0) + # include + +-EVP_PKEY * +-ossl_pkey_read_generic(BIO *bio, VALUE pass) ++static EVP_PKEY * ++ossl_pkey_read(BIO *bio, const char *input_type, int selection, VALUE pass) + { + void *ppass = (void *)pass; + OSSL_DECODER_CTX *dctx; + EVP_PKEY *pkey = NULL; + int pos = 0, pos2; + +- dctx = OSSL_DECODER_CTX_new_for_pkey(&pkey, "DER", NULL, NULL, 0, NULL, NULL); ++ dctx = OSSL_DECODER_CTX_new_for_pkey(&pkey, input_type, NULL, NULL, ++ selection, NULL, NULL); + if (!dctx) + goto out; +- if (OSSL_DECODER_CTX_set_pem_password_cb(dctx, ossl_pem_passwd_cb, ppass) != 1) ++ if (OSSL_DECODER_CTX_set_pem_password_cb(dctx, ossl_pem_passwd_cb, ++ ppass) != 1) + goto out; +- +- /* First check DER */ +- 
if (OSSL_DECODER_from_bio(dctx, bio) == 1) +- goto out; +- +- /* Then check PEM; multiple OSSL_DECODER_from_bio() calls may be needed */ +- OSSL_BIO_reset(bio); +- if (OSSL_DECODER_CTX_set_input_type(dctx, "PEM") != 1) +- goto out; +- while (OSSL_DECODER_from_bio(dctx, bio) != 1) { +- if (BIO_eof(bio)) ++ while (1) { ++ if (OSSL_DECODER_from_bio(dctx, bio) == 1) + goto out; ++ if (BIO_eof(bio)) ++ break; + pos2 = BIO_tell(bio); + if (pos2 < 0 || pos2 <= pos) +- goto out; ++ break; ++ ossl_clear_error(); + pos = pos2; + } +- + out: ++ OSSL_BIO_reset(bio); + OSSL_DECODER_CTX_free(dctx); + return pkey; + } ++ ++EVP_PKEY * ++ossl_pkey_read_generic(BIO *bio, VALUE pass) ++{ ++ EVP_PKEY *pkey = NULL; ++ /* First check DER, then check PEM. */ ++ const char *input_types[] = {"DER", "PEM"}; ++ int input_type_num = (int)(sizeof(input_types) / sizeof(char *)); ++ /* ++ * Non-zero selections to try to decode. ++ * ++ * See EVP_PKEY_fromdata(3) - Selections to see all the selections. ++ * ++ * This is a workaround for the decoder failing to decode or returning ++ * bogus keys with selection 0, if a key management provider is different ++ * from a decoder provider. The workaround is to avoid using selection 0. ++ * ++ * Affected OpenSSL versions: >= 3.1.0, <= 3.1.2, or >= 3.0.0, <= 3.0.10 ++ * Fixed OpenSSL versions: 3.2, next release of the 3.1.z and 3.0.z ++ * ++ * See https://github.com/openssl/openssl/pull/21519 for details. ++ * ++ * First check for private key formats (EVP_PKEY_KEYPAIR). This is to keep ++ * compatibility with ruby/openssl < 3.0 which decoded the following as a ++ * private key. 
++ * ++ * $ openssl ecparam -name prime256v1 -genkey -outform PEM ++ * -----BEGIN EC PARAMETERS----- ++ * BggqhkjOPQMBBw== ++ * -----END EC PARAMETERS----- ++ * -----BEGIN EC PRIVATE KEY----- ++ * MHcCAQEEIAG8ugBbA5MHkqnZ9ujQF93OyUfL9tk8sxqM5Wv5tKg5oAoGCCqGSM49 ++ * AwEHoUQDQgAEVcjhJfkwqh5C7kGuhAf8XaAjVuG5ADwb5ayg/cJijCgs+GcXeedj ++ * 86avKpGH84DXUlB23C/kPt+6fXYlitUmXQ== ++ * -----END EC PRIVATE KEY----- ++ * ++ * While the first PEM block is a proper encoding of ECParameters, thus ++ * OSSL_DECODER_from_bio() would pick it up, ruby/openssl used to return ++ * the latter instead. Existing applications expect this behavior. ++ * ++ * Note that normally, the input is supposed to contain a single decodable ++ * PEM block only, so this special handling should not create a new problem. ++ * ++ * Note that we need to create the OSSL_DECODER_CTX variable each time when ++ * we use the different selection as a workaround. ++ * See https://github.com/openssl/openssl/issues/20657 for details. ++ */ ++ int selections[] = { ++ EVP_PKEY_KEYPAIR, ++ EVP_PKEY_KEY_PARAMETERS, ++ EVP_PKEY_PUBLIC_KEY ++ }; ++ int selection_num = (int)(sizeof(selections) / sizeof(int)); ++ int i, j; ++ ++ for (i = 0; i < input_type_num; i++) { ++ for (j = 0; j < selection_num; j++) { ++ pkey = ossl_pkey_read(bio, input_types[i], selections[j], pass); ++ if (pkey) { ++ goto out; ++ } ++ } ++ } ++ out: ++ return pkey; ++} + #else + EVP_PKEY * + ossl_pkey_read_generic(BIO *bio, VALUE pass) +-- +2.41.0 + diff --git a/SOURCES/ruby-3.3.0-openssl-3.2.0-fix-fips-get-set-in-openssl-3.patch b/SOURCES/ruby-3.3.0-openssl-3.2.0-fix-fips-get-set-in-openssl-3.patch new file mode 100644 index 0000000..ab6a777 --- /dev/null +++ b/SOURCES/ruby-3.3.0-openssl-3.2.0-fix-fips-get-set-in-openssl-3.patch 
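Review bot: `ossl_pkey_read_generic` now calls `ossl_pkey_read` up to six times (two input types times three selections), and every call installs `ossl_pem_passwd_cb` on a fresh `OSSL_DECODER_CTX`, so for an encrypted PEM with a wrong or absent passphrase the callback fires once per attempt instead of once; if the nil-`pass` path of that callback prompts on the terminal (it appears to, please confirm) the user is asked repeatedly before the final `Could not parse PKey`. Consider leaving the selection loop as soon as an attempt fails for a reason other than "not this format", e.g. by inspecting the error queue in `ossl_pkey_read` before `ossl_clear_error()` discards it, or at least stating the repeated-callback behaviour in the large comment so callers of `OpenSSL::PKey.read` are not surprised. The comment's version window (`>= 3.0.0, <= 3.0.10`, `>= 3.1.0, <= 3.1.2`) is also the right place for a `TODO` to drop the non-zero-selection workaround once the minimum supported OpenSSL carries the fix referenced there. The `#else` branch of `ossl_pkey_read_generic` continues outside the hunk.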
@@ -0,0 +1,142 @@ +From 29920ec109751459a65c6478525f2e59c644891f Mon Sep 17 00:00:00 2001 +From: Jun Aruga +Date: Thu, 16 Mar 2023 21:36:43 +0100 +Subject: [PATCH] [ruby/openssl] Implement FIPS functions on OpenSSL 3. + +This commit is to implement the `OpenSSL::OPENSSL_FIPS`, `ossl_fips_mode_get` +and `ossl_fips_mode_set` to pass the test `test/openssl/test_fips.rb`. + +It seems that the `OPENSSL_FIPS` macro is not used on the FIPS mode case any +more, and some FIPS related APIs also were removed in OpenSSL 3. + +See the document +the section OPENSSL 3.0 > Main Changes from OpenSSL 1.1.1 > +Other notable deprecations and changes - Removed FIPS_mode() and FIPS_mode_set() . + +The `OpenSSL::OPENSSL_FIPS` returns always true in OpenSSL 3 because the used +functions `EVP_default_properties_enable_fips` and `EVP_default_properties_is_fips_enabled` +works with the OpenSSL installed without FIPS option. + +The `TEST_RUBY_OPENSSL_FIPS_ENABLED` is set on the FIPS mode case on the CI. +Because I want to test that the `OpenSSL.fips_mode` returns the `true` or +'false' surely in the CI. You can test the FIPS mode case by setting +`TEST_RUBY_OPENSSL_FIPS_ENABLED` on local too. Right now I don't find a better +way to get the status of the FIPS mode enabled or disabled for this purpose. I +am afraid of the possibility that the FIPS test case is unintentionally skipped. + +I also replaced the ambiguous "returns" with "should return" in the tests. 
+ +https://github.com/ruby/openssl/commit/c5b2bc1268 +--- + ext/openssl/ossl.c | 25 +++++++++++++++++++++---- + test/openssl/test_fips.rb | 32 ++++++++++++++++++++++++++++---- + 2 files changed, 49 insertions(+), 8 deletions(-) + +diff --git a/ext/openssl/ossl.c b/ext/openssl/ossl.c +index 6c532aca94..fcf3744c65 100644 +--- a/ext/openssl/ossl.c ++++ b/ext/openssl/ossl.c +@@ -418,7 +418,11 @@ static VALUE + ossl_fips_mode_get(VALUE self) + { + +-#ifdef OPENSSL_FIPS ++#if OSSL_OPENSSL_PREREQ(3, 0, 0) ++ VALUE enabled; ++ enabled = EVP_default_properties_is_fips_enabled(NULL) ? Qtrue : Qfalse; ++ return enabled; ++#elif OPENSSL_FIPS + VALUE enabled; + enabled = FIPS_mode() ? Qtrue : Qfalse; + return enabled; +@@ -442,8 +446,18 @@ ossl_fips_mode_get(VALUE self) + static VALUE + ossl_fips_mode_set(VALUE self, VALUE enabled) + { +- +-#ifdef OPENSSL_FIPS ++#if OSSL_OPENSSL_PREREQ(3, 0, 0) ++ if (RTEST(enabled)) { ++ if (!EVP_default_properties_enable_fips(NULL, 1)) { ++ ossl_raise(eOSSLError, "Turning on FIPS mode failed"); ++ } ++ } else { ++ if (!EVP_default_properties_enable_fips(NULL, 0)) { ++ ossl_raise(eOSSLError, "Turning off FIPS mode failed"); ++ } ++ } ++ return enabled; ++#elif OPENSSL_FIPS + if (RTEST(enabled)) { + int mode = FIPS_mode(); + if(!mode && !FIPS_mode_set(1)) /* turning on twice leads to an error */ +@@ -1198,7 +1212,10 @@ Init_openssl(void) + * Boolean indicating whether OpenSSL is FIPS-capable or not + */ + rb_define_const(mOSSL, "OPENSSL_FIPS", +-#ifdef OPENSSL_FIPS ++/* OpenSSL 3 is FIPS-capable even when it is installed without fips option */ ++#if OSSL_OPENSSL_PREREQ(3, 0, 0) ++ Qtrue ++#elif OPENSSL_FIPS + Qtrue + #else + Qfalse +diff --git a/test/openssl/test_fips.rb b/test/openssl/test_fips.rb +index 8cd474f9a3..56a12a94ce 100644 +--- a/test/openssl/test_fips.rb ++++ b/test/openssl/test_fips.rb +@@ -4,22 +4,46 @@ + if defined?(OpenSSL) + + class OpenSSL::TestFIPS < OpenSSL::TestCase ++ def test_fips_mode_get_is_true_on_fips_mode_enabled ++ 
unless ENV["TEST_RUBY_OPENSSL_FIPS_ENABLED"] ++ omit "Only for FIPS mode environment" ++ end ++ ++ assert_separately([{ "OSSL_MDEBUG" => nil }, "-ropenssl"], <<~"end;") ++ assert OpenSSL.fips_mode == true, ".fips_mode should return true on FIPS mode enabled" ++ end; ++ end ++ ++ def test_fips_mode_get_is_false_on_fips_mode_disabled ++ if ENV["TEST_RUBY_OPENSSL_FIPS_ENABLED"] ++ omit "Only for non-FIPS mode environment" ++ end ++ ++ assert_separately([{ "OSSL_MDEBUG" => nil }, "-ropenssl"], <<~"end;") ++ message = ".fips_mode should return false on FIPS mode disabled. " \ ++ "If you run the test on FIPS mode, please set " \ ++ "TEST_RUBY_OPENSSL_FIPS_ENABLED=true" ++ assert OpenSSL.fips_mode == false, message ++ end; ++ end ++ + def test_fips_mode_is_reentrant + OpenSSL.fips_mode = false + OpenSSL.fips_mode = false + end + +- def test_fips_mode_get +- return unless OpenSSL::OPENSSL_FIPS ++ def test_fips_mode_get_with_fips_mode_set ++ omit('OpenSSL is not FIPS-capable') unless OpenSSL::OPENSSL_FIPS ++ + assert_separately([{ "OSSL_MDEBUG" => nil }, "-ropenssl"], <<~"end;") + require #{__FILE__.dump} + + begin + OpenSSL.fips_mode = true +- assert OpenSSL.fips_mode == true, ".fips_mode returns true when .fips_mode=true" ++ assert OpenSSL.fips_mode == true, ".fips_mode should return true when .fips_mode=true" + + OpenSSL.fips_mode = false +- assert OpenSSL.fips_mode == false, ".fips_mode returns false when .fips_mode=false" ++ assert OpenSSL.fips_mode == false, ".fips_mode should return false when .fips_mode=false" + rescue OpenSSL::OpenSSLError + pend "Could not set FIPS mode (OpenSSL::OpenSSLError: \#$!); skipping" + end +-- +2.41.0 + diff --git a/SOURCES/ruby-spec-Fix-tests-on-tzdata-2022b.patch b/SOURCES/ruby-spec-Fix-tests-on-tzdata-2022b.patch new file mode 100644 index 0000000..19386d9 --- /dev/null +++ b/SOURCES/ruby-spec-Fix-tests-on-tzdata-2022b.patch 
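Review bot: In `ossl_fips_mode_set`, `EVP_default_properties_enable_fips(NULL, 1)` succeeding only means the default property query is now `fips=yes`; it neither loads nor checks the FIPS provider, so on an OpenSSL 3 build without that provider `OpenSSL.fips_mode = true` returns without error and `OpenSSL.fips_mode` then reports `true` although no validated module is in use and every later algorithm fetch will fail. With `OPENSSL_FIPS` now unconditionally `Qtrue` on OpenSSL 3, `test_fips_mode_get_with_fips_mode_set` no longer omits on such builds and passes vacuously. Checking that the provider is actually present before flipping the property, `if (!OSSL_PROVIDER_available(NULL, "fips")) ossl_raise(eOSSLError, "FIPS provider is not available");`, makes `fips_mode=` fail loudly in that case and gives the test's existing `rescue OpenSSL::OpenSSLError` branch something real to catch. The `#elif OPENSSL_FIPS` branch of `ossl_fips_mode_set` continues outside the hunk.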
@@ -0,0 +1,40 @@ +From 7e9ec8a20b0f7469b415283d2ec0c22087f8eb2b Mon Sep 17 00:00:00 2001 +From: Jun Aruga +Date: Wed, 24 Aug 2022 12:02:56 +0200 +Subject: [PATCH] Fix tests with Europe/Amsterdam pre-1970 time on tzdata + version 2022b. + +The Time Zone Database (tzdata) changed the pre-1970 timestamps in some zones +including Europe/Amsterdam on tzdata version 2022b or later. +See . + +The tzdata RPM package maintainer on Fedora project suggested changing the Ruby +test, because the change is intentional. +See . + +We use post-1970 time test data to simplify the test. +--- + core/time/shared/local.rb | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/spec/ruby/core/time/shared/local.rb b/spec/ruby/core/time/shared/local.rb +index 43f331c4c..c4aa7a7ea 100644 +--- a/spec/ruby/core/time/shared/local.rb ++++ b/spec/ruby/core/time/shared/local.rb +@@ -8,10 +8,10 @@ describe :time_local, shared: true do + + platform_is_not :windows do + describe "timezone changes" do +- it "correctly adjusts the timezone change to 'CEST' on 'Europe/Amsterdam'" do ++ it "correctly adjusts the timezone change to 'CET' on 'Europe/Amsterdam'" do + with_timezone("Europe/Amsterdam") do +- Time.send(@method, 1940, 5, 16).to_a.should == +- [0, 40, 1, 16, 5, 1940, 4, 137, true, "CEST"] ++ Time.send(@method, 1970, 5, 16).to_a.should == ++ [0, 0, 0, 16, 5, 1970, 6, 136, false, "CET"] + end + end + end +-- +2.36.1 + diff --git a/SOURCES/test_openssl_fips.rb b/SOURCES/test_openssl_fips.rb new file mode 100644 index 0000000..ffc7883 --- /dev/null +++ b/SOURCES/test_openssl_fips.rb 
@@ -0,0 +1,34 @@
+require 'openssl'
+
+# Run openssl tests in OpenSSL FIPS. See the link below for how to test.
+# https://github.com/ruby/openssl/blob/master/.github/workflows/test.yml
+# - step name: test on fips module
+
+# Listing the testing files by an array explicitly rather than the `Dir.glob`
+# to prevent the test files from not loading unintentionally.
+TEST_FILES = %w[
+ test/openssl/test_fips.rb
+ test/openssl/test_pkey.rb
+].freeze
+
+if ARGV.empty?
+ puts 'ERROR: Argument base_dir required.'
+ puts "Usage: #{__FILE__} base_dir [options]"
+ exit false
+end
+BASE_DIR = ARGV[0]
+abs_test_files = TEST_FILES.map { |file| File.join(BASE_DIR, file) }
+
+# Set Fedora/RHEL downstream OpenSSL downstream environment variable to enable
+# FIPS module in non-FIPS OS environment. It is available in Fedora 38 or later
+# versions.
+# https://src.fedoraproject.org/rpms/openssl/blob/rawhide/f/0009-Add-Kernel-FIPS-mode-flag-support.patch
+ENV['OPENSSL_FORCE_FIPS_MODE'] = '1'
+# A flag to tell the tests the current environment is FIPS enabled.
+# https://github.com/ruby/openssl/blob/master/test/openssl/test_fips.rb
+ENV['TEST_RUBY_OPENSSL_FIPS_ENABLED'] = 'true'
+
+abs_test_files.each do |file|
+ puts "INFO: Loading #{file}."
+ require file
+end
diff --git a/SPECS/ruby.spec b/SPECS/ruby.spec
index 339cfe7..b5638a6 100644
--- a/SPECS/ruby.spec
+++ b/SPECS/ruby.spec
@@ -22,7 +22,7 @@
 %endif
-%global release 141
+%global release 142
 %{!?release_string:%define release_string %{?development_release:0.}%{release}%{?development_release:.%{development_release}}%{?dist}}
 # The RubyGems library has to stay out of Ruby directory tree, since the
@@ -118,6 +118,8 @@ Source11: rubygems.con
 Source13: test_abrt.rb
 # SystemTap tests.
 Source14: test_systemtap.rb
+# Ruby OpenSSL FIPS tests.
+Source15: test_openssl_fips.rb
 # The load directive is supported since RPM 4.12, i.e. F21+. The build process
 # fails on older Fedoras.
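Review bot: `require 'openssl'` on the first line initialises libcrypto before `ENV['OPENSSL_FORCE_FIPS_MODE'] = '1'` is assigned, so if the downstream openssl patch this variable belongs to reads it during library initialisation (its name, a kernel-FIPS-flag override, suggests it does; confirm against that patch) the in-process run of test_pkey.rb is not actually in FIPS mode and only the `assert_separately` subprocesses in test_fips.rb inherit the flag. Moving the two `ENV[...]` assignments above `require 'openssl'`, or exporting them on the spec's `make runruby` line, keeps the whole process consistent. `ARGV[0]` is read but not removed, so the base_dir string is also handed to the test runner's own option parsing once the files are required; `BASE_DIR = ARGV.shift` avoids that.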
@@ -196,6 +198,35 @@ Patch25: ruby-3.2.0-define-unsupported-gc-compaction-methods_generated-files.pat
 # https://github.com/ruby/ruby/pull/6019
 # https://github.com/ruby/ruby/commit/2c190863239bee3f54cfb74b16bb6ea4cae6ed20
 Patch26: ruby-3.2.0-Detect-compaction-support-during-runtime.patch
+# Bypass git submodule test failure on Git >= 2.38.1.
+# https://github.com/ruby/ruby/pull/6587
+Patch27: ruby-3.2.0-git-2.38.1-fix-rubygems-test.patch
+# Fix tests with Europe/Amsterdam pre-1970 time on tzdata version 2022b.
+# https://github.com/ruby/spec/pull/939
+Patch28: ruby-spec-Fix-tests-on-tzdata-2022b.patch
+# Fix Time Zone Database 2022g.
+# https://bugs.ruby-lang.org/issues/19187
+# https://github.com/ruby/ruby/commit/a1124dc162810f86cb0bff58cde24064cfc561bc
+Patch29: ruby-3.1.3-Fix-for-tzdata-2022g.patch
+# Fix OpenSSL.fips_mode in OpenSSL 3 FIPS.
+# https://github.com/ruby/openssl/pull/608
+# https://github.com/ruby/ruby/commit/678d41bc51fe31834eec0b653ba0e47de5420aa0
+Patch30: ruby-3.3.0-openssl-3.2.0-fix-fips-get-set-in-openssl-3.patch
+# Fix OpenSSL::PKey.read in OpenSSL 3 FIPS.
+# The patch is a combination of the following 2 commits to simplify the patch.
+# https://github.com/ruby/openssl/pull/615
+# https://github.com/ruby/ruby/commit/2a4834057b30a26c38ece3961b370c0b2ee59380
+# https://github.com/ruby/openssl/pull/669
+# https://github.com/ruby/ruby/commit/b0ec1db8a72c530460abd9462ac75845362886bd
+Patch31: ruby-3.3.0-openssl-3.2.0-fips-fix-pkey-read-in-openssl-3.patch
+# Enable tests in OpenSSL FIPS.
+# https://github.com/ruby/openssl/pull/615
+# https://github.com/ruby/ruby/commit/920bc71284f417f9044b0dc1822b1d29a8fc61e5
+Patch32: ruby-3.3.0-openssl-3.2.0-fips-enable-tests.patch
+# ssl: use ffdhe2048 from RFC 7919 as the default DH group parameters
+# https://github.com/ruby/openssl/pull/674
+# https://github.com/ruby/ruby/commit/b6d7cdc2bad0eadbca73f3486917f0ec7a475814
+Patch33: ruby-3.3.0-openssl-3.2.0-fips-fix-pkey-dh-require-openssl.patch
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 Suggests: rubypick
@@ -663,6 +694,13 @@ find .bundle/gems -name '*-[0-9]*.gemspec' -exec cp -t .bundle/specifications/ {
 %patch24 -p1
 %patch25 -p1
 %patch26 -p1
+%patch27 -p1
+%patch28 -p1
+%patch29 -p1
+%patch30 -p1
+%patch31 -p1
+%patch32 -p1
+%patch33 -p1
 # Provide an example of usage of the tapset:
 cp -a %{SOURCE3} .
@@ -976,12 +1014,20 @@ DISABLE_TESTS="$DISABLE_TESTS \
 # other components are fixed.
 # https://bugzilla.redhat.com/show_bug.cgi?id=2040380
 mv test/fiddle/test_import.rb{,.disable}
+mv test/fiddle/test_closure.rb{,.disable}
+DISABLE_TESTS="$DISABLE_TESTS -n !/Fiddle::TestFunc#test_qsort1/"
+DISABLE_TESTS="$DISABLE_TESTS -n !/Fiddle::TestFunction#test_argument_count/"
 # Give an option to increase the timeout in tests.
 # https://bugs.ruby-lang.org/issues/16921
 %{?test_timeout_scale:RUBY_TEST_TIMEOUT_SCALE="%{test_timeout_scale}"} \
 make check TESTS="-v $DISABLE_TESTS" MSPECOPT="-fs $MSPECOPTS"
+# Run Ruby OpenSSL tests in OpenSSL FIPS.
+make runruby TESTRUN_SCRIPT=" \
+ -I%{_builddir}/%{buildsubdir}/tool/lib --enable-gems \
+ %{SOURCE15} %{_builddir}/%{buildsubdir} --verbose"
+
 %{?with_bundler_tests:make test-bundler-parallel}
 %files
@@ -1531,6 +1577,17 @@ mv test/fiddle/test_import.rb{,.disable}
 %changelog
+* Sun Dec 03 2023 Jun Aruga - 3.1.2-142
+- Bypass git submodule test failure on Git >= 2.38.1.
+- Fix tests with Europe/Amsterdam pre-1970 time on tzdata version 2022b.
+- Fix for tzdata-2022g.
+- Fix OpenSSL.fips_mode and OpenSSL::PKey.read in OpenSSL 3 FIPS.
+ Resolves: RHEL-5590
+- ssl: use ffdhe2048 from RFC 7919 as the default DH group parameters
+ Related: RHEL-5590
+- Disable fiddle tests that use FFI closures.
+ Related: RHEL-5590
+
 * Fri Jun 03 2022 Jarek Prokop - 3.1.2-141
 - Upgrade to Ruby 3.1.2 by merging Fedora Rawhide branch (commit: b7b5473).
 Resolves: rhbz#2063773