import CS ruby-3.1.2-142.module_el9+787+b20bfeee
This commit is contained in:
parent
4f1e5e9f48
commit
cb767615cc
70
SOURCES/ruby-3.1.3-Fix-for-tzdata-2022g.patch
Normal file
70
SOURCES/ruby-3.1.3-Fix-for-tzdata-2022g.patch
Normal file
@ -0,0 +1,70 @@
|
||||
From a1124dc162810f86cb0bff58cde24064cfc561bc Mon Sep 17 00:00:00 2001
|
||||
From: nagachika <nagachika@ruby-lang.org>
|
||||
Date: Fri, 9 Dec 2022 21:11:47 +0900
|
||||
Subject: [PATCH] merge revision(s) 58cc3c9f387dcf8f820b43e043b540fa06248da3:
|
||||
[Backport #19187]
|
||||
|
||||
[Bug #19187] Fix for tzdata-2022g
|
||||
|
||||
---
|
||||
test/ruby/test_time_tz.rb | 21 +++++++++++++++------
|
||||
1 file changed, 15 insertions(+), 6 deletions(-)
|
||||
---
|
||||
test/ruby/test_time_tz.rb | 21 +++++++++++++++------
|
||||
1 files changed, 15 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/test/ruby/test_time_tz.rb b/test/ruby/test_time_tz.rb
|
||||
index b6785f336028d..939f218ed4d10 100644
|
||||
--- a/test/ruby/test_time_tz.rb
|
||||
+++ b/test/ruby/test_time_tz.rb
|
||||
@@ -7,9 +7,9 @@ class TestTimeTZ < Test::Unit::TestCase
|
||||
has_lisbon_tz = true
|
||||
force_tz_test = ENV["RUBY_FORCE_TIME_TZ_TEST"] == "yes"
|
||||
case RUBY_PLATFORM
|
||||
- when /linux/
|
||||
+ when /darwin|linux/
|
||||
force_tz_test = true
|
||||
- when /darwin|freebsd|openbsd/
|
||||
+ when /freebsd|openbsd/
|
||||
has_lisbon_tz = false
|
||||
force_tz_test = true
|
||||
end
|
||||
@@ -95,6 +95,9 @@ def group_by(e, &block)
|
||||
CORRECT_KIRITIMATI_SKIP_1994 = with_tz("Pacific/Kiritimati") {
|
||||
Time.local(1994, 12, 31, 0, 0, 0).year == 1995
|
||||
}
|
||||
+ CORRECT_SINGAPORE_1982 = with_tz("Asia/Singapore") {
|
||||
+ "2022g" if Time.local(1981, 12, 31, 23, 59, 59).utc_offset == 8*3600
|
||||
+ }
|
||||
|
||||
def time_to_s(t)
|
||||
t.to_s
|
||||
@@ -140,9 +143,12 @@ def test_america_managua
|
||||
|
||||
def test_asia_singapore
|
||||
with_tz(tz="Asia/Singapore") {
|
||||
- assert_time_constructor(tz, "1981-12-31 23:59:59 +0730", :local, [1981,12,31,23,59,59])
|
||||
- assert_time_constructor(tz, "1982-01-01 00:30:00 +0800", :local, [1982,1,1,0,0,0])
|
||||
- assert_time_constructor(tz, "1982-01-01 00:59:59 +0800", :local, [1982,1,1,0,29,59])
|
||||
+ assert_time_constructor(tz, "1981-12-31 23:29:59 +0730", :local, [1981,12,31,23,29,59])
|
||||
+ if CORRECT_SINGAPORE_1982
|
||||
+ assert_time_constructor(tz, "1982-01-01 00:00:00 +0800", :local, [1981,12,31,23,30,00])
|
||||
+ assert_time_constructor(tz, "1982-01-01 00:00:00 +0800", :local, [1982,1,1,0,0,0])
|
||||
+ assert_time_constructor(tz, "1982-01-01 00:29:59 +0800", :local, [1982,1,1,0,29,59])
|
||||
+ end
|
||||
assert_time_constructor(tz, "1982-01-01 00:30:00 +0800", :local, [1982,1,1,0,30,0])
|
||||
}
|
||||
end
|
||||
@@ -450,8 +456,11 @@ def self.gen_zdump_test(data)
|
||||
America/Managua Wed Jan 1 04:59:59 1997 UTC = Tue Dec 31 23:59:59 1996 EST isdst=0 gmtoff=-18000
|
||||
America/Managua Wed Jan 1 05:00:00 1997 UTC = Tue Dec 31 23:00:00 1996 CST isdst=0 gmtoff=-21600
|
||||
Asia/Singapore Sun Aug 8 16:30:00 1965 UTC = Mon Aug 9 00:00:00 1965 SGT isdst=0 gmtoff=27000
|
||||
-Asia/Singapore Thu Dec 31 16:29:59 1981 UTC = Thu Dec 31 23:59:59 1981 SGT isdst=0 gmtoff=27000
|
||||
+Asia/Singapore Thu Dec 31 15:59:59 1981 UTC = Thu Dec 31 23:29:59 1981 SGT isdst=0 gmtoff=27000
|
||||
Asia/Singapore Thu Dec 31 16:30:00 1981 UTC = Fri Jan 1 00:30:00 1982 SGT isdst=0 gmtoff=28800
|
||||
+End
|
||||
+ gen_zdump_test <<'End' if CORRECT_SINGAPORE_1982
|
||||
+Asia/Singapore Thu Dec 31 16:00:00 1981 UTC = Fri Jan 1 00:00:00 1982 SGT isdst=0 gmtoff=28800
|
||||
End
|
||||
gen_zdump_test CORRECT_TOKYO_DST_1951 ? <<'End' + (CORRECT_TOKYO_DST_1951 < "2018f" ? <<'2018e' : <<'2018f') : <<'End'
|
||||
Asia/Tokyo Sat May 5 14:59:59 1951 UTC = Sat May 5 23:59:59 1951 JST isdst=0 gmtoff=32400
|
27
SOURCES/ruby-3.2.0-git-2.38.1-fix-rubygems-test.patch
Normal file
27
SOURCES/ruby-3.2.0-git-2.38.1-fix-rubygems-test.patch
Normal file
@ -0,0 +1,27 @@
|
||||
From dae843f6b7502f921a7e66f39e3714a39d860181 Mon Sep 17 00:00:00 2001
|
||||
From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
|
||||
Date: Wed, 19 Oct 2022 19:40:00 +0900
|
||||
Subject: [PATCH] Bypass git submodule add/update with git config
|
||||
protocol.file.allow=always option.
|
||||
|
||||
Co-authored-by: Nobuyoshi Nakada <nobu@ruby-lang.org>
|
||||
---
|
||||
test/rubygems/test_gem_source_git.rb | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/test/rubygems/test_gem_source_git.rb b/test/rubygems/test_gem_source_git.rb
|
||||
index 5702da05974b6..c3b324771fa4d 100644
|
||||
--- a/test/rubygems/test_gem_source_git.rb
|
||||
+++ b/test/rubygems/test_gem_source_git.rb
|
||||
@@ -63,6 +63,11 @@ def test_checkout_local_cached
|
||||
end
|
||||
|
||||
def test_checkout_submodules
|
||||
+ # We need to allow to checkout submodules with file:// protocol
|
||||
+ # CVE-2022-39253
|
||||
+ # https://lore.kernel.org/lkml/xmqq4jw1uku5.fsf@gitster.g/
|
||||
+ system(@git, *%W"config --global protocol.file.allow always")
|
||||
+
|
||||
source = Gem::Source::Git.new @name, @repository, 'master', true
|
||||
|
||||
git_gem 'b'
|
32
SOURCES/ruby-3.3.0-openssl-3.2.0-fips-enable-tests.patch
Normal file
32
SOURCES/ruby-3.3.0-openssl-3.2.0-fips-enable-tests.patch
Normal file
@ -0,0 +1,32 @@
|
||||
From f0b254f1f6610294821bbfc06b414d2af452db5b Mon Sep 17 00:00:00 2001
|
||||
From: Jun Aruga <jaruga@redhat.com>
|
||||
Date: Thu, 13 Apr 2023 17:28:27 +0200
|
||||
Subject: [PATCH] [ruby/openssl] Drop a common logic disabling the FIPS mode in
|
||||
the tests.
|
||||
|
||||
We want to run the unit tests in the FIPS mode too.
|
||||
|
||||
https://github.com/ruby/openssl/commit/ab92baff34
|
||||
---
|
||||
test/openssl/utils.rb | 5 -----
|
||||
1 file changed, 5 deletions(-)
|
||||
|
||||
diff --git a/test/openssl/utils.rb b/test/openssl/utils.rb
|
||||
index 4ebcb9837b..8a0be0d154 100644
|
||||
--- a/test/openssl/utils.rb
|
||||
+++ b/test/openssl/utils.rb
|
||||
@@ -1,11 +1,6 @@
|
||||
# frozen_string_literal: true
|
||||
begin
|
||||
require "openssl"
|
||||
-
|
||||
- # Disable FIPS mode for tests for installations
|
||||
- # where FIPS mode would be enabled by default.
|
||||
- # Has no effect on all other installations.
|
||||
- OpenSSL.fips_mode=false
|
||||
rescue LoadError
|
||||
end
|
||||
|
||||
--
|
||||
2.41.0
|
||||
|
@ -0,0 +1,73 @@
|
||||
From b6d7cdc2bad0eadbca73f3486917f0ec7a475814 Mon Sep 17 00:00:00 2001
|
||||
From: Kazuki Yamaguchi <k@rhe.jp>
|
||||
Date: Tue, 29 Aug 2023 19:46:02 +0900
|
||||
Subject: [PATCH] [ruby/openssl] ssl: use ffdhe2048 from RFC 7919 as the
|
||||
default DH group parameters
|
||||
|
||||
In TLS 1.2 or before, if DH group parameters for DHE are not supplied
|
||||
with SSLContext#tmp_dh= or #tmp_dh_callback=, we currently use the
|
||||
self-generated parameters added in commit https://github.com/ruby/openssl/commit/bb3399a61c03 ("support 2048
|
||||
bit length DH-key", 2016-01-15) as the fallback.
|
||||
|
||||
While there is no known weakness in the current parameters, it would be
|
||||
a good idea to switch to pre-defined, more well audited parameters.
|
||||
|
||||
This also allows the fallback to work in the FIPS mode.
|
||||
|
||||
The PEM encoding was derived with:
|
||||
|
||||
# RFC 7919 Appendix A.1. ffdhe2048
|
||||
print OpenSSL::PKey.read(OpenSSL::ASN1::Sequence([OpenSSL::ASN1::Integer((<<-END).split.join.to_i(16)), OpenSSL::ASN1::Integer(2)]).to_der).to_pem
|
||||
FFFFFFFF FFFFFFFF ADF85458 A2BB4A9A AFDC5620 273D3CF1
|
||||
D8B9C583 CE2D3695 A9E13641 146433FB CC939DCE 249B3EF9
|
||||
7D2FE363 630C75D8 F681B202 AEC4617A D3DF1ED5 D5FD6561
|
||||
2433F51F 5F066ED0 85636555 3DED1AF3 B557135E 7F57C935
|
||||
984F0C70 E0E68B77 E2A689DA F3EFE872 1DF158A1 36ADE735
|
||||
30ACCA4F 483A797A BC0AB182 B324FB61 D108A94B B2C8E3FB
|
||||
B96ADAB7 60D7F468 1D4F42A3 DE394DF4 AE56EDE7 6372BB19
|
||||
0B07A7C8 EE0A6D70 9E02FCE1 CDF7E2EC C03404CD 28342F61
|
||||
9172FE9C E98583FF 8E4F1232 EEF28183 C3FE3B1B 4C6FAD73
|
||||
3BB5FCBC 2EC22005 C58EF183 7D1683B2 C6F34A26 C1B2EFFA
|
||||
886B4238 61285C97 FFFFFFFF FFFFFFFF
|
||||
END
|
||||
|
||||
https://github.com/ruby/openssl/commit/a5527cb4f4
|
||||
---
|
||||
ext/openssl/lib/openssl/ssl.rb | 18 +++++++++---------
|
||||
1 file changed, 9 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/ext/openssl/lib/openssl/ssl.rb b/ext/openssl/lib/openssl/ssl.rb
|
||||
index ea8bb2a18e533..94be6ba80b894 100644
|
||||
--- a/ext/openssl/lib/openssl/ssl.rb
|
||||
+++ b/ext/openssl/lib/openssl/ssl.rb
|
||||
@@ -31,21 +31,21 @@ class SSLContext
|
||||
}
|
||||
|
||||
if defined?(OpenSSL::PKey::DH)
|
||||
- DEFAULT_2048 = OpenSSL::PKey::DH.new <<-_end_of_pem_
|
||||
+ DH_ffdhe2048 = OpenSSL::PKey::DH.new <<-_end_of_pem_
|
||||
-----BEGIN DH PARAMETERS-----
|
||||
-MIIBCAKCAQEA7E6kBrYiyvmKAMzQ7i8WvwVk9Y/+f8S7sCTN712KkK3cqd1jhJDY
|
||||
-JbrYeNV3kUIKhPxWHhObHKpD1R84UpL+s2b55+iMd6GmL7OYmNIT/FccKhTcveab
|
||||
-VBmZT86BZKYyf45hUF9FOuUM9xPzuK3Vd8oJQvfYMCd7LPC0taAEljQLR4Edf8E6
|
||||
-YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3
|
||||
-1bNveX5wInh5GDx1FGhKBZ+s1H+aedudCm7sCgRwv8lKWYGiHzObSma8A86KG+MD
|
||||
-7Lo5JquQ3DlBodj3IDyPrxIv96lvRPFtAwIBAg==
|
||||
+MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
|
||||
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
|
||||
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
|
||||
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
|
||||
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
|
||||
+ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
|
||||
-----END DH PARAMETERS-----
|
||||
_end_of_pem_
|
||||
- private_constant :DEFAULT_2048
|
||||
+ private_constant :DH_ffdhe2048
|
||||
|
||||
DEFAULT_TMP_DH_CALLBACK = lambda { |ctx, is_export, keylen| # :nodoc:
|
||||
warn "using default DH parameters." if $VERBOSE
|
||||
- DEFAULT_2048
|
||||
+ DH_ffdhe2048
|
||||
}
|
||||
end
|
||||
|
@ -0,0 +1,177 @@
|
||||
From 40451afa279c52ce7a508f8a9ec553cfe7a76a10 Mon Sep 17 00:00:00 2001
|
||||
From: Jun Aruga <jaruga@redhat.com>
|
||||
Date: Wed, 12 Apr 2023 17:15:21 +0200
|
||||
Subject: [PATCH] Fix OpenSSL::PKey.read in OpenSSL 3 FIPS module.
|
||||
|
||||
This is a combination of the following 2 commits. Because the combined patch is
|
||||
easy to merge.
|
||||
|
||||
This is the 1st commit message:
|
||||
|
||||
[ruby/openssl] Workaround: Fix OpenSSL::PKey.read that cannot parse PKey in the FIPS mode.
|
||||
|
||||
This commit is a workaround to avoid the error below that the
|
||||
`OpenSSL::PKey.read` fails with the OpenSSL 3.0 FIPS mode.
|
||||
|
||||
```
|
||||
$ openssl genrsa -out key.pem 4096
|
||||
|
||||
$ ruby -e "require 'openssl'; OpenSSL::PKey.read(File.read('key.pem'))"
|
||||
-e:1:in `read': Could not parse PKey (OpenSSL::PKey::PKeyError)
|
||||
from -e:1:in `<main>'
|
||||
```
|
||||
|
||||
The root cause is on the OpenSSL side. The `OSSL_DECODER_CTX_set_selection`
|
||||
doesn't apply the selection value properly if there are multiple providers, and
|
||||
a provider (e.g. "base" provider) handles the decoder implementation, and
|
||||
another provider (e.g. "fips" provider) handles the keys.
|
||||
|
||||
The workaround is to create `OSSL_DECODER_CTX` variable each time without using
|
||||
the `OSSL_DECODER_CTX_set_selection`.
|
||||
|
||||
https://github.com/ruby/openssl/commit/5ff4a31621
|
||||
|
||||
This is the commit message #2:
|
||||
|
||||
[ruby/openssl] ossl_pkey.c: Workaround: Decode with non-zero selections.
|
||||
|
||||
This is a workaround for the decoding issue in ossl_pkey_read_generic().
|
||||
The issue happens in the case that a key management provider is different from
|
||||
a decoding provider.
|
||||
|
||||
Try all the non-zero selections in order, instead of selection 0 for OpenSSL 3
|
||||
to avoid the issue.
|
||||
|
||||
https://github.com/ruby/openssl/commit/db688fa739
|
||||
---
|
||||
ext/openssl/ossl_pkey.c | 96 +++++++++++++++++++++++++++++++++--------
|
||||
1 file changed, 79 insertions(+), 17 deletions(-)
|
||||
|
||||
diff --git a/ext/openssl/ossl_pkey.c b/ext/openssl/ossl_pkey.c
|
||||
index 24d0da4683..15854aeca1 100644
|
||||
--- a/ext/openssl/ossl_pkey.c
|
||||
+++ b/ext/openssl/ossl_pkey.c
|
||||
@@ -82,41 +82,103 @@ ossl_pkey_new(EVP_PKEY *pkey)
|
||||
#if OSSL_OPENSSL_PREREQ(3, 0, 0)
|
||||
# include <openssl/decoder.h>
|
||||
|
||||
-EVP_PKEY *
|
||||
-ossl_pkey_read_generic(BIO *bio, VALUE pass)
|
||||
+static EVP_PKEY *
|
||||
+ossl_pkey_read(BIO *bio, const char *input_type, int selection, VALUE pass)
|
||||
{
|
||||
void *ppass = (void *)pass;
|
||||
OSSL_DECODER_CTX *dctx;
|
||||
EVP_PKEY *pkey = NULL;
|
||||
int pos = 0, pos2;
|
||||
|
||||
- dctx = OSSL_DECODER_CTX_new_for_pkey(&pkey, "DER", NULL, NULL, 0, NULL, NULL);
|
||||
+ dctx = OSSL_DECODER_CTX_new_for_pkey(&pkey, input_type, NULL, NULL,
|
||||
+ selection, NULL, NULL);
|
||||
if (!dctx)
|
||||
goto out;
|
||||
- if (OSSL_DECODER_CTX_set_pem_password_cb(dctx, ossl_pem_passwd_cb, ppass) != 1)
|
||||
+ if (OSSL_DECODER_CTX_set_pem_password_cb(dctx, ossl_pem_passwd_cb,
|
||||
+ ppass) != 1)
|
||||
goto out;
|
||||
-
|
||||
- /* First check DER */
|
||||
- if (OSSL_DECODER_from_bio(dctx, bio) == 1)
|
||||
- goto out;
|
||||
-
|
||||
- /* Then check PEM; multiple OSSL_DECODER_from_bio() calls may be needed */
|
||||
- OSSL_BIO_reset(bio);
|
||||
- if (OSSL_DECODER_CTX_set_input_type(dctx, "PEM") != 1)
|
||||
- goto out;
|
||||
- while (OSSL_DECODER_from_bio(dctx, bio) != 1) {
|
||||
- if (BIO_eof(bio))
|
||||
+ while (1) {
|
||||
+ if (OSSL_DECODER_from_bio(dctx, bio) == 1)
|
||||
goto out;
|
||||
+ if (BIO_eof(bio))
|
||||
+ break;
|
||||
pos2 = BIO_tell(bio);
|
||||
if (pos2 < 0 || pos2 <= pos)
|
||||
- goto out;
|
||||
+ break;
|
||||
+ ossl_clear_error();
|
||||
pos = pos2;
|
||||
}
|
||||
-
|
||||
out:
|
||||
+ OSSL_BIO_reset(bio);
|
||||
OSSL_DECODER_CTX_free(dctx);
|
||||
return pkey;
|
||||
}
|
||||
+
|
||||
+EVP_PKEY *
|
||||
+ossl_pkey_read_generic(BIO *bio, VALUE pass)
|
||||
+{
|
||||
+ EVP_PKEY *pkey = NULL;
|
||||
+ /* First check DER, then check PEM. */
|
||||
+ const char *input_types[] = {"DER", "PEM"};
|
||||
+ int input_type_num = (int)(sizeof(input_types) / sizeof(char *));
|
||||
+ /*
|
||||
+ * Non-zero selections to try to decode.
|
||||
+ *
|
||||
+ * See EVP_PKEY_fromdata(3) - Selections to see all the selections.
|
||||
+ *
|
||||
+ * This is a workaround for the decoder failing to decode or returning
|
||||
+ * bogus keys with selection 0, if a key management provider is different
|
||||
+ * from a decoder provider. The workaround is to avoid using selection 0.
|
||||
+ *
|
||||
+ * Affected OpenSSL versions: >= 3.1.0, <= 3.1.2, or >= 3.0.0, <= 3.0.10
|
||||
+ * Fixed OpenSSL versions: 3.2, next release of the 3.1.z and 3.0.z
|
||||
+ *
|
||||
+ * See https://github.com/openssl/openssl/pull/21519 for details.
|
||||
+ *
|
||||
+ * First check for private key formats (EVP_PKEY_KEYPAIR). This is to keep
|
||||
+ * compatibility with ruby/openssl < 3.0 which decoded the following as a
|
||||
+ * private key.
|
||||
+ *
|
||||
+ * $ openssl ecparam -name prime256v1 -genkey -outform PEM
|
||||
+ * -----BEGIN EC PARAMETERS-----
|
||||
+ * BggqhkjOPQMBBw==
|
||||
+ * -----END EC PARAMETERS-----
|
||||
+ * -----BEGIN EC PRIVATE KEY-----
|
||||
+ * MHcCAQEEIAG8ugBbA5MHkqnZ9ujQF93OyUfL9tk8sxqM5Wv5tKg5oAoGCCqGSM49
|
||||
+ * AwEHoUQDQgAEVcjhJfkwqh5C7kGuhAf8XaAjVuG5ADwb5ayg/cJijCgs+GcXeedj
|
||||
+ * 86avKpGH84DXUlB23C/kPt+6fXYlitUmXQ==
|
||||
+ * -----END EC PRIVATE KEY-----
|
||||
+ *
|
||||
+ * While the first PEM block is a proper encoding of ECParameters, thus
|
||||
+ * OSSL_DECODER_from_bio() would pick it up, ruby/openssl used to return
|
||||
+ * the latter instead. Existing applications expect this behavior.
|
||||
+ *
|
||||
+ * Note that normally, the input is supposed to contain a single decodable
|
||||
+ * PEM block only, so this special handling should not create a new problem.
|
||||
+ *
|
||||
+ * Note that we need to create the OSSL_DECODER_CTX variable each time when
|
||||
+ * we use the different selection as a workaround.
|
||||
+ * See https://github.com/openssl/openssl/issues/20657 for details.
|
||||
+ */
|
||||
+ int selections[] = {
|
||||
+ EVP_PKEY_KEYPAIR,
|
||||
+ EVP_PKEY_KEY_PARAMETERS,
|
||||
+ EVP_PKEY_PUBLIC_KEY
|
||||
+ };
|
||||
+ int selection_num = (int)(sizeof(selections) / sizeof(int));
|
||||
+ int i, j;
|
||||
+
|
||||
+ for (i = 0; i < input_type_num; i++) {
|
||||
+ for (j = 0; j < selection_num; j++) {
|
||||
+ pkey = ossl_pkey_read(bio, input_types[i], selections[j], pass);
|
||||
+ if (pkey) {
|
||||
+ goto out;
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+ out:
|
||||
+ return pkey;
|
||||
+}
|
||||
#else
|
||||
EVP_PKEY *
|
||||
ossl_pkey_read_generic(BIO *bio, VALUE pass)
|
||||
--
|
||||
2.41.0
|
||||
|
@ -0,0 +1,142 @@
|
||||
From 29920ec109751459a65c6478525f2e59c644891f Mon Sep 17 00:00:00 2001
|
||||
From: Jun Aruga <jaruga@redhat.com>
|
||||
Date: Thu, 16 Mar 2023 21:36:43 +0100
|
||||
Subject: [PATCH] [ruby/openssl] Implement FIPS functions on OpenSSL 3.
|
||||
|
||||
This commit is to implement the `OpenSSL::OPENSSL_FIPS`, `ossl_fips_mode_get`
|
||||
and `ossl_fips_mode_set` to pass the test `test/openssl/test_fips.rb`.
|
||||
|
||||
It seems that the `OPENSSL_FIPS` macro is not used on the FIPS mode case any
|
||||
more, and some FIPS related APIs also were removed in OpenSSL 3.
|
||||
|
||||
See the document <https://github.com/openssl/openssl/blob/master/doc/man7/migration_guide.pod#removed-fips_mode-and-fips_mode_set>
|
||||
the section OPENSSL 3.0 > Main Changes from OpenSSL 1.1.1 >
|
||||
Other notable deprecations and changes - Removed FIPS_mode() and FIPS_mode_set() .
|
||||
|
||||
The `OpenSSL::OPENSSL_FIPS` returns always true in OpenSSL 3 because the used
|
||||
functions `EVP_default_properties_enable_fips` and `EVP_default_properties_is_fips_enabled`
|
||||
works with the OpenSSL installed without FIPS option.
|
||||
|
||||
The `TEST_RUBY_OPENSSL_FIPS_ENABLED` is set on the FIPS mode case on the CI.
|
||||
Because I want to test that the `OpenSSL.fips_mode` returns the `true` or
|
||||
'false' surely in the CI. You can test the FIPS mode case by setting
|
||||
`TEST_RUBY_OPENSSL_FIPS_ENABLED` on local too. Right now I don't find a better
|
||||
way to get the status of the FIPS mode enabled or disabled for this purpose. I
|
||||
am afraid of the possibility that the FIPS test case is unintentionally skipped.
|
||||
|
||||
I also replaced the ambiguous "returns" with "should return" in the tests.
|
||||
|
||||
https://github.com/ruby/openssl/commit/c5b2bc1268
|
||||
---
|
||||
ext/openssl/ossl.c | 25 +++++++++++++++++++++----
|
||||
test/openssl/test_fips.rb | 32 ++++++++++++++++++++++++++++----
|
||||
2 files changed, 49 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/ext/openssl/ossl.c b/ext/openssl/ossl.c
|
||||
index 6c532aca94..fcf3744c65 100644
|
||||
--- a/ext/openssl/ossl.c
|
||||
+++ b/ext/openssl/ossl.c
|
||||
@@ -418,7 +418,11 @@ static VALUE
|
||||
ossl_fips_mode_get(VALUE self)
|
||||
{
|
||||
|
||||
-#ifdef OPENSSL_FIPS
|
||||
+#if OSSL_OPENSSL_PREREQ(3, 0, 0)
|
||||
+ VALUE enabled;
|
||||
+ enabled = EVP_default_properties_is_fips_enabled(NULL) ? Qtrue : Qfalse;
|
||||
+ return enabled;
|
||||
+#elif OPENSSL_FIPS
|
||||
VALUE enabled;
|
||||
enabled = FIPS_mode() ? Qtrue : Qfalse;
|
||||
return enabled;
|
||||
@@ -442,8 +446,18 @@ ossl_fips_mode_get(VALUE self)
|
||||
static VALUE
|
||||
ossl_fips_mode_set(VALUE self, VALUE enabled)
|
||||
{
|
||||
-
|
||||
-#ifdef OPENSSL_FIPS
|
||||
+#if OSSL_OPENSSL_PREREQ(3, 0, 0)
|
||||
+ if (RTEST(enabled)) {
|
||||
+ if (!EVP_default_properties_enable_fips(NULL, 1)) {
|
||||
+ ossl_raise(eOSSLError, "Turning on FIPS mode failed");
|
||||
+ }
|
||||
+ } else {
|
||||
+ if (!EVP_default_properties_enable_fips(NULL, 0)) {
|
||||
+ ossl_raise(eOSSLError, "Turning off FIPS mode failed");
|
||||
+ }
|
||||
+ }
|
||||
+ return enabled;
|
||||
+#elif OPENSSL_FIPS
|
||||
if (RTEST(enabled)) {
|
||||
int mode = FIPS_mode();
|
||||
if(!mode && !FIPS_mode_set(1)) /* turning on twice leads to an error */
|
||||
@@ -1198,7 +1212,10 @@ Init_openssl(void)
|
||||
* Boolean indicating whether OpenSSL is FIPS-capable or not
|
||||
*/
|
||||
rb_define_const(mOSSL, "OPENSSL_FIPS",
|
||||
-#ifdef OPENSSL_FIPS
|
||||
+/* OpenSSL 3 is FIPS-capable even when it is installed without fips option */
|
||||
+#if OSSL_OPENSSL_PREREQ(3, 0, 0)
|
||||
+ Qtrue
|
||||
+#elif OPENSSL_FIPS
|
||||
Qtrue
|
||||
#else
|
||||
Qfalse
|
||||
diff --git a/test/openssl/test_fips.rb b/test/openssl/test_fips.rb
|
||||
index 8cd474f9a3..56a12a94ce 100644
|
||||
--- a/test/openssl/test_fips.rb
|
||||
+++ b/test/openssl/test_fips.rb
|
||||
@@ -4,22 +4,46 @@
|
||||
if defined?(OpenSSL)
|
||||
|
||||
class OpenSSL::TestFIPS < OpenSSL::TestCase
|
||||
+ def test_fips_mode_get_is_true_on_fips_mode_enabled
|
||||
+ unless ENV["TEST_RUBY_OPENSSL_FIPS_ENABLED"]
|
||||
+ omit "Only for FIPS mode environment"
|
||||
+ end
|
||||
+
|
||||
+ assert_separately([{ "OSSL_MDEBUG" => nil }, "-ropenssl"], <<~"end;")
|
||||
+ assert OpenSSL.fips_mode == true, ".fips_mode should return true on FIPS mode enabled"
|
||||
+ end;
|
||||
+ end
|
||||
+
|
||||
+ def test_fips_mode_get_is_false_on_fips_mode_disabled
|
||||
+ if ENV["TEST_RUBY_OPENSSL_FIPS_ENABLED"]
|
||||
+ omit "Only for non-FIPS mode environment"
|
||||
+ end
|
||||
+
|
||||
+ assert_separately([{ "OSSL_MDEBUG" => nil }, "-ropenssl"], <<~"end;")
|
||||
+ message = ".fips_mode should return false on FIPS mode disabled. " \
|
||||
+ "If you run the test on FIPS mode, please set " \
|
||||
+ "TEST_RUBY_OPENSSL_FIPS_ENABLED=true"
|
||||
+ assert OpenSSL.fips_mode == false, message
|
||||
+ end;
|
||||
+ end
|
||||
+
|
||||
def test_fips_mode_is_reentrant
|
||||
OpenSSL.fips_mode = false
|
||||
OpenSSL.fips_mode = false
|
||||
end
|
||||
|
||||
- def test_fips_mode_get
|
||||
- return unless OpenSSL::OPENSSL_FIPS
|
||||
+ def test_fips_mode_get_with_fips_mode_set
|
||||
+ omit('OpenSSL is not FIPS-capable') unless OpenSSL::OPENSSL_FIPS
|
||||
+
|
||||
assert_separately([{ "OSSL_MDEBUG" => nil }, "-ropenssl"], <<~"end;")
|
||||
require #{__FILE__.dump}
|
||||
|
||||
begin
|
||||
OpenSSL.fips_mode = true
|
||||
- assert OpenSSL.fips_mode == true, ".fips_mode returns true when .fips_mode=true"
|
||||
+ assert OpenSSL.fips_mode == true, ".fips_mode should return true when .fips_mode=true"
|
||||
|
||||
OpenSSL.fips_mode = false
|
||||
- assert OpenSSL.fips_mode == false, ".fips_mode returns false when .fips_mode=false"
|
||||
+ assert OpenSSL.fips_mode == false, ".fips_mode should return false when .fips_mode=false"
|
||||
rescue OpenSSL::OpenSSLError
|
||||
pend "Could not set FIPS mode (OpenSSL::OpenSSLError: \#$!); skipping"
|
||||
end
|
||||
--
|
||||
2.41.0
|
||||
|
40
SOURCES/ruby-spec-Fix-tests-on-tzdata-2022b.patch
Normal file
40
SOURCES/ruby-spec-Fix-tests-on-tzdata-2022b.patch
Normal file
@ -0,0 +1,40 @@
|
||||
From 7e9ec8a20b0f7469b415283d2ec0c22087f8eb2b Mon Sep 17 00:00:00 2001
|
||||
From: Jun Aruga <jaruga@redhat.com>
|
||||
Date: Wed, 24 Aug 2022 12:02:56 +0200
|
||||
Subject: [PATCH] Fix tests with Europe/Amsterdam pre-1970 time on tzdata
|
||||
version 2022b.
|
||||
|
||||
The Time Zone Database (tzdata) changed the pre-1970 timestamps in some zones
|
||||
including Europe/Amsterdam on tzdata version 2022b or later.
|
||||
See <https://github.com/eggert/tz/commit/35fa37fbbb152f5dbed4fd5edfdc968e3584fe12>.
|
||||
|
||||
The tzdata RPM package maintainer on Fedora project suggested changing the Ruby
|
||||
test, because the change is intentional.
|
||||
See <https://bugzilla.redhat.com/show_bug.cgi?id=2118259#c1>.
|
||||
|
||||
We use post-1970 time test data to simplify the test.
|
||||
---
|
||||
core/time/shared/local.rb | 6 +++---
|
||||
1 file changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/spec/ruby/core/time/shared/local.rb b/spec/ruby/core/time/shared/local.rb
|
||||
index 43f331c4c..c4aa7a7ea 100644
|
||||
--- a/spec/ruby/core/time/shared/local.rb
|
||||
+++ b/spec/ruby/core/time/shared/local.rb
|
||||
@@ -8,10 +8,10 @@ describe :time_local, shared: true do
|
||||
|
||||
platform_is_not :windows do
|
||||
describe "timezone changes" do
|
||||
- it "correctly adjusts the timezone change to 'CEST' on 'Europe/Amsterdam'" do
|
||||
+ it "correctly adjusts the timezone change to 'CET' on 'Europe/Amsterdam'" do
|
||||
with_timezone("Europe/Amsterdam") do
|
||||
- Time.send(@method, 1940, 5, 16).to_a.should ==
|
||||
- [0, 40, 1, 16, 5, 1940, 4, 137, true, "CEST"]
|
||||
+ Time.send(@method, 1970, 5, 16).to_a.should ==
|
||||
+ [0, 0, 0, 16, 5, 1970, 6, 136, false, "CET"]
|
||||
end
|
||||
end
|
||||
end
|
||||
--
|
||||
2.36.1
|
||||
|
34
SOURCES/test_openssl_fips.rb
Normal file
34
SOURCES/test_openssl_fips.rb
Normal file
@ -0,0 +1,34 @@
|
||||
require 'openssl'
|
||||
|
||||
# Run openssl tests in OpenSSL FIPS. See the link below for how to test.
|
||||
# https://github.com/ruby/openssl/blob/master/.github/workflows/test.yml
|
||||
# - step name: test on fips module
|
||||
|
||||
# Listing the testing files by an array explicitly rather than the `Dir.glob`
|
||||
# to prevent the test files from not loading unintentionally.
|
||||
TEST_FILES = %w[
|
||||
test/openssl/test_fips.rb
|
||||
test/openssl/test_pkey.rb
|
||||
].freeze
|
||||
|
||||
if ARGV.empty?
|
||||
puts 'ERROR: Argument base_dir required.'
|
||||
puts "Usage: #{__FILE__} base_dir [options]"
|
||||
exit false
|
||||
end
|
||||
BASE_DIR = ARGV[0]
|
||||
abs_test_files = TEST_FILES.map { |file| File.join(BASE_DIR, file) }
|
||||
|
||||
# Set Fedora/RHEL downstream OpenSSL downstream environment variable to enable
|
||||
# FIPS module in non-FIPS OS environment. It is available in Fedora 38 or later
|
||||
# versions.
|
||||
# https://src.fedoraproject.org/rpms/openssl/blob/rawhide/f/0009-Add-Kernel-FIPS-mode-flag-support.patch
|
||||
ENV['OPENSSL_FORCE_FIPS_MODE'] = '1'
|
||||
# A flag to tell the tests the current environment is FIPS enabled.
|
||||
# https://github.com/ruby/openssl/blob/master/test/openssl/test_fips.rb
|
||||
ENV['TEST_RUBY_OPENSSL_FIPS_ENABLED'] = 'true'
|
||||
|
||||
abs_test_files.each do |file|
|
||||
puts "INFO: Loading #{file}."
|
||||
require file
|
||||
end
|
@ -22,7 +22,7 @@
|
||||
%endif
|
||||
|
||||
|
||||
%global release 141
|
||||
%global release 142
|
||||
%{!?release_string:%define release_string %{?development_release:0.}%{release}%{?development_release:.%{development_release}}%{?dist}}
|
||||
|
||||
# The RubyGems library has to stay out of Ruby directory tree, since the
|
||||
@ -118,6 +118,8 @@ Source11: rubygems.con
|
||||
Source13: test_abrt.rb
|
||||
# SystemTap tests.
|
||||
Source14: test_systemtap.rb
|
||||
# Ruby OpenSSL FIPS tests.
|
||||
Source15: test_openssl_fips.rb
|
||||
|
||||
# The load directive is supported since RPM 4.12, i.e. F21+. The build process
|
||||
# fails on older Fedoras.
|
||||
@ -196,6 +198,35 @@ Patch25: ruby-3.2.0-define-unsupported-gc-compaction-methods_generated-files.pat
|
||||
# https://github.com/ruby/ruby/pull/6019
|
||||
# https://github.com/ruby/ruby/commit/2c190863239bee3f54cfb74b16bb6ea4cae6ed20
|
||||
Patch26: ruby-3.2.0-Detect-compaction-support-during-runtime.patch
|
||||
# Bypass git submodule test failure on Git >= 2.38.1.
|
||||
# https://github.com/ruby/ruby/pull/6587
|
||||
Patch27: ruby-3.2.0-git-2.38.1-fix-rubygems-test.patch
|
||||
# Fix tests with Europe/Amsterdam pre-1970 time on tzdata version 2022b.
|
||||
# https://github.com/ruby/spec/pull/939
|
||||
Patch28: ruby-spec-Fix-tests-on-tzdata-2022b.patch
|
||||
# Fix Time Zone Database 2022g.
|
||||
# https://bugs.ruby-lang.org/issues/19187
|
||||
# https://github.com/ruby/ruby/commit/a1124dc162810f86cb0bff58cde24064cfc561bc
|
||||
Patch29: ruby-3.1.3-Fix-for-tzdata-2022g.patch
|
||||
# Fix OpenSSL.fips_mode in OpenSSL 3 FIPS.
|
||||
# https://github.com/ruby/openssl/pull/608
|
||||
# https://github.com/ruby/ruby/commit/678d41bc51fe31834eec0b653ba0e47de5420aa0
|
||||
Patch30: ruby-3.3.0-openssl-3.2.0-fix-fips-get-set-in-openssl-3.patch
|
||||
# Fix OpenSSL::PKey.read in OpenSSL 3 FIPS.
|
||||
# The patch is a combination of the following 2 commits to simplify the patch.
|
||||
# https://github.com/ruby/openssl/pull/615
|
||||
# https://github.com/ruby/ruby/commit/2a4834057b30a26c38ece3961b370c0b2ee59380
|
||||
# https://github.com/ruby/openssl/pull/669
|
||||
# https://github.com/ruby/ruby/commit/b0ec1db8a72c530460abd9462ac75845362886bd
|
||||
Patch31: ruby-3.3.0-openssl-3.2.0-fips-fix-pkey-read-in-openssl-3.patch
|
||||
# Enable tests in OpenSSL FIPS.
|
||||
# https://github.com/ruby/openssl/pull/615
|
||||
# https://github.com/ruby/ruby/commit/920bc71284f417f9044b0dc1822b1d29a8fc61e5
|
||||
Patch32: ruby-3.3.0-openssl-3.2.0-fips-enable-tests.patch
|
||||
# ssl: use ffdhe2048 from RFC 7919 as the default DH group parameters
|
||||
# https://github.com/ruby/openssl/pull/674
|
||||
# https://github.com/ruby/ruby/commit/b6d7cdc2bad0eadbca73f3486917f0ec7a475814
|
||||
Patch33: ruby-3.3.0-openssl-3.2.0-fips-fix-pkey-dh-require-openssl.patch
|
||||
|
||||
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
|
||||
Suggests: rubypick
|
||||
@ -663,6 +694,13 @@ find .bundle/gems -name '*-[0-9]*.gemspec' -exec cp -t .bundle/specifications/ {
|
||||
%patch24 -p1
|
||||
%patch25 -p1
|
||||
%patch26 -p1
|
||||
%patch27 -p1
|
||||
%patch28 -p1
|
||||
%patch29 -p1
|
||||
%patch30 -p1
|
||||
%patch31 -p1
|
||||
%patch32 -p1
|
||||
%patch33 -p1
|
||||
|
||||
# Provide an example of usage of the tapset:
|
||||
cp -a %{SOURCE3} .
|
||||
@ -976,12 +1014,20 @@ DISABLE_TESTS="$DISABLE_TESTS \
|
||||
# other components are fixed.
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2040380
|
||||
mv test/fiddle/test_import.rb{,.disable}
|
||||
mv test/fiddle/test_closure.rb{,.disable}
|
||||
DISABLE_TESTS="$DISABLE_TESTS -n !/Fiddle::TestFunc#test_qsort1/"
|
||||
DISABLE_TESTS="$DISABLE_TESTS -n !/Fiddle::TestFunction#test_argument_count/"
|
||||
|
||||
# Give an option to increase the timeout in tests.
|
||||
# https://bugs.ruby-lang.org/issues/16921
|
||||
%{?test_timeout_scale:RUBY_TEST_TIMEOUT_SCALE="%{test_timeout_scale}"} \
|
||||
make check TESTS="-v $DISABLE_TESTS" MSPECOPT="-fs $MSPECOPTS"
|
||||
|
||||
# Run Ruby OpenSSL tests in OpenSSL FIPS.
|
||||
make runruby TESTRUN_SCRIPT=" \
|
||||
-I%{_builddir}/%{buildsubdir}/tool/lib --enable-gems \
|
||||
%{SOURCE15} %{_builddir}/%{buildsubdir} --verbose"
|
||||
|
||||
%{?with_bundler_tests:make test-bundler-parallel}
|
||||
|
||||
%files
|
||||
@ -1531,6 +1577,17 @@ mv test/fiddle/test_import.rb{,.disable}
|
||||
|
||||
|
||||
%changelog
|
||||
* Sun Dec 03 2023 Jun Aruga <jaruga@redhat.com> - 3.1.2-142
|
||||
- Bypass git submodule test failure on Git >= 2.38.1.
|
||||
- Fix tests with Europe/Amsterdam pre-1970 time on tzdata version 2022b.
|
||||
- Fix for tzdata-2022g.
|
||||
- Fix OpenSSL.fips_mode and OpenSSL::PKey.read in OpenSSL 3 FIPS.
|
||||
Resolves: RHEL-5590
|
||||
- ssl: use ffdhe2048 from RFC 7919 as the default DH group parameters
|
||||
Related: RHEL-5590
|
||||
- Disable fiddle tests that use FFI closures.
|
||||
Related: RHEL-5590
|
||||
|
||||
* Fri Jun 03 2022 Jarek Prokop <jprokop@redhat.com> - 3.1.2-141
|
||||
- Upgrade to Ruby 3.1.2 by merging Fedora Rawhide branch (commit: b7b5473).
|
||||
Resolves: rhbz#2063773
|
||||
|
Loading…
Reference in New Issue
Block a user