diff --git a/SOURCES/ruby-2.1.0-Prevent-duplicated-paths-when-empty-version-string-i.patch b/SOURCES/ruby-2.1.0-Prevent-duplicated-paths-when-empty-version-string-i.patch index 118203c..437d09f 100644 --- a/SOURCES/ruby-2.1.0-Prevent-duplicated-paths-when-empty-version-string-i.patch +++ b/SOURCES/ruby-2.1.0-Prevent-duplicated-paths-when-empty-version-string-i.patch @@ -14,7 +14,7 @@ diff --git a/configure.ac b/configure.ac index c42436c23d..d261ea57b5 100644 --- a/configure.ac +++ b/configure.ac -@@ -3881,7 +3881,8 @@ AS_CASE(["$ruby_version_dir_name"], +@@ -3886,7 +3886,8 @@ AS_CASE(["$ruby_version_dir_name"], ruby_version_dir=/'${ruby_version_dir_name}' if test -z "${ruby_version_dir_name}"; then diff --git a/SOURCES/ruby-2.1.0-always-use-i386.patch b/SOURCES/ruby-2.1.0-always-use-i386.patch index de58295..46584d7 100644 --- a/SOURCES/ruby-2.1.0-always-use-i386.patch +++ b/SOURCES/ruby-2.1.0-always-use-i386.patch @@ -11,7 +11,7 @@ diff --git a/configure.ac b/configure.ac index 3c13076b82..93af30321d 100644 --- a/configure.ac +++ b/configure.ac -@@ -3945,6 +3945,8 @@ AC_SUBST(vendorarchdir)dnl +@@ -3950,6 +3950,8 @@ AC_SUBST(vendorarchdir)dnl AC_SUBST(CONFIGURE, "`echo $0 | sed 's|.*/||'`")dnl AC_SUBST(configure_args, "`echo "${ac_configure_args}" | sed 's/\\$/$$/g'`")dnl diff --git a/SOURCES/ruby-2.1.0-custom-rubygems-location.patch b/SOURCES/ruby-2.1.0-custom-rubygems-location.patch index f7862fa..6946429 100644 --- a/SOURCES/ruby-2.1.0-custom-rubygems-location.patch +++ b/SOURCES/ruby-2.1.0-custom-rubygems-location.patch @@ -15,7 +15,7 @@ diff --git a/configure.ac b/configure.ac index 93af30321d..bc13397e0e 100644 --- a/configure.ac +++ b/configure.ac -@@ -3917,6 +3917,10 @@ AC_ARG_WITH(vendorarchdir, +@@ -3922,6 +3922,10 @@ AC_ARG_WITH(vendorarchdir, [vendorarchdir=$withval], [vendorarchdir=${multiarch+'${rubysitearchprefix}/vendor_ruby'${ruby_version_dir}}${multiarch-'${vendorlibdir}/${sitearch}'}]) @@ -26,7 +26,7 @@ index 93af30321d..bc13397e0e 100644 AS_IF([test "${LOAD_RELATIVE+set}"], [ AC_DEFINE_UNQUOTED(LOAD_RELATIVE, $LOAD_RELATIVE) RUBY_EXEC_PREFIX='' -@@ -3941,6 +3945,7 @@ AC_SUBST(sitearchdir)dnl +@@ -3946,6 +3950,7 @@ AC_SUBST(sitearchdir)dnl AC_SUBST(vendordir)dnl AC_SUBST(vendorlibdir)dnl AC_SUBST(vendorarchdir)dnl diff --git a/SOURCES/ruby-2.3.0-ruby_version.patch b/SOURCES/ruby-2.3.0-ruby_version.patch index b0a73a9..fd545e5 100644 --- a/SOURCES/ruby-2.3.0-ruby_version.patch +++ b/SOURCES/ruby-2.3.0-ruby_version.patch @@ -20,7 +20,7 @@ diff --git a/configure.ac b/configure.ac index 80b137e380..63cd3b4f8b 100644 --- a/configure.ac +++ b/configure.ac -@@ -3832,9 +3832,6 @@ AS_CASE(["$target_os"], +@@ -3837,9 +3837,6 @@ AS_CASE(["$target_os"], rubyw_install_name='$(RUBYW_INSTALL_NAME)' ]) @@ -30,7 +30,7 @@ index 80b137e380..63cd3b4f8b 100644 rubyarchprefix=${multiarch+'${archlibdir}/${RUBY_BASE_NAME}'}${multiarch-'${rubylibprefix}/${arch}'} AC_ARG_WITH(rubyarchprefix, AS_HELP_STRING([--with-rubyarchprefix=DIR], -@@ -3857,56 +3854,62 @@ AC_ARG_WITH(ridir, +@@ -3862,56 +3859,62 @@ AC_ARG_WITH(ridir, AC_SUBST(ridir) AC_SUBST(RI_BASE_NAME) @@ -120,7 +120,7 @@ index 80b137e380..63cd3b4f8b 100644 AS_IF([test "${LOAD_RELATIVE+set}"], [ AC_DEFINE_UNQUOTED(LOAD_RELATIVE, $LOAD_RELATIVE) -@@ -3923,6 +3926,7 @@ AC_SUBST(sitearchincludedir)dnl +@@ -3928,6 +3931,7 @@ AC_SUBST(sitearchincludedir)dnl AC_SUBST(arch)dnl AC_SUBST(sitearch)dnl AC_SUBST(ruby_version)dnl diff --git a/SOURCES/ruby-3.1.0-Get-rid-of-type-punning-pointer-casts.patch b/SOURCES/ruby-3.1.0-Get-rid-of-type-punning-pointer-casts.patch index ae8f722..ce92ce6 100644 --- a/SOURCES/ruby-3.1.0-Get-rid-of-type-punning-pointer-casts.patch +++ b/SOURCES/ruby-3.1.0-Get-rid-of-type-punning-pointer-casts.patch @@ -123,7 +123,7 @@ index 016dba1dbb18..1fd0bd57f7ca 100644 RB_DEBUG_COUNTER_INC(cc_invalidate_negative); } -@@ -1023,6 +1025,7 @@ prepare_callable_method_entry(VALUE defined_class, ID id, const rb_method_entry_ +@@ -1030,6 +1032,7 @@ prepare_callable_method_entry(VALUE defined_class, ID id, const rb_method_entry_ { struct rb_id_table *mtbl; const rb_callable_method_entry_t *cme; @@ -131,7 +131,7 @@ index 016dba1dbb18..1fd0bd57f7ca 100644 if (me) { if (me->defined_class == 0) { -@@ -1032,7 +1035,8 @@ prepare_callable_method_entry(VALUE defined_class, ID id, const rb_method_entry_ +@@ -1039,7 +1042,8 @@ prepare_callable_method_entry(VALUE defined_class, ID id, const rb_method_entry_ mtbl = RCLASS_CALLABLE_M_TBL(defined_class); @@ -141,7 +141,7 @@ index 016dba1dbb18..1fd0bd57f7ca 100644 RB_DEBUG_COUNTER_INC(mc_cme_complement_hit); VM_ASSERT(callable_method_entry_p(cme)); VM_ASSERT(!METHOD_ENTRY_INVALIDATED(cme)); -@@ -1076,9 +1080,10 @@ cached_callable_method_entry(VALUE klass, ID mid) +@@ -1083,9 +1087,10 @@ cached_callable_method_entry(VALUE klass, ID mid) ASSERT_vm_locking(); struct rb_id_table *cc_tbl = RCLASS_CC_TBL(klass); @@ -154,7 +154,7 @@ index 016dba1dbb18..1fd0bd57f7ca 100644 VM_ASSERT(vm_ccs_p(ccs)); if (LIKELY(!METHOD_ENTRY_INVALIDATED(ccs->cme))) { -@@ -1104,12 +1109,14 @@ cache_callable_method_entry(VALUE klass, ID mid, const rb_callable_method_entry_ +@@ -1111,12 +1116,14 @@ cache_callable_method_entry(VALUE klass, ID mid, const rb_callable_method_entry_ struct rb_id_table *cc_tbl = RCLASS_CC_TBL(klass); struct rb_class_cc_entries *ccs; @@ -170,7 +170,7 @@ index 016dba1dbb18..1fd0bd57f7ca 100644 VM_ASSERT(ccs->cme == cme); } else { -@@ -1123,8 +1130,12 @@ negative_cme(ID mid) +@@ -1130,8 +1137,12 @@ negative_cme(ID mid) { rb_vm_t *vm = GET_VM(); const rb_callable_method_entry_t *cme; diff --git a/SOURCES/ruby-3.1.3-Fix-for-tzdata-2022g.patch b/SOURCES/ruby-3.1.3-Fix-for-tzdata-2022g.patch new file mode 100644 index 0000000..6bbfd9f --- /dev/null +++ b/SOURCES/ruby-3.1.3-Fix-for-tzdata-2022g.patch @@ -0,0 +1,70 @@ +From a1124dc162810f86cb0bff58cde24064cfc561bc Mon Sep 17 00:00:00 2001 +From: nagachika +Date: Fri, 9 Dec 2022 21:11:47 +0900 +Subject: [PATCH] merge revision(s) 58cc3c9f387dcf8f820b43e043b540fa06248da3: + [Backport #19187] + + [Bug #19187] Fix for tzdata-2022g + + --- + test/ruby/test_time_tz.rb | 21 +++++++++++++++------ + 1 file changed, 15 insertions(+), 6 deletions(-) +--- + test/ruby/test_time_tz.rb | 21 +++++++++++++++------ + 1 files changed, 15 insertions(+), 6 deletions(-) + +diff --git a/test/ruby/test_time_tz.rb b/test/ruby/test_time_tz.rb +index b6785f336028d..939f218ed4d10 100644 +--- a/test/ruby/test_time_tz.rb ++++ b/test/ruby/test_time_tz.rb +@@ -7,9 +7,9 @@ class TestTimeTZ < Test::Unit::TestCase + has_lisbon_tz = true + force_tz_test = ENV["RUBY_FORCE_TIME_TZ_TEST"] == "yes" + case RUBY_PLATFORM +- when /linux/ ++ when /darwin|linux/ + force_tz_test = true +- when /darwin|freebsd|openbsd/ ++ when /freebsd|openbsd/ + has_lisbon_tz = false + force_tz_test = true + end +@@ -95,6 +95,9 @@ def group_by(e, &block) + CORRECT_KIRITIMATI_SKIP_1994 = with_tz("Pacific/Kiritimati") { + Time.local(1994, 12, 31, 0, 0, 0).year == 1995 + } ++ CORRECT_SINGAPORE_1982 = with_tz("Asia/Singapore") { ++ "2022g" if Time.local(1981, 12, 31, 23, 59, 59).utc_offset == 8*3600 ++ } + + def time_to_s(t) + t.to_s +@@ -140,9 +143,12 @@ def test_america_managua + + def test_asia_singapore + with_tz(tz="Asia/Singapore") { +- assert_time_constructor(tz, "1981-12-31 23:59:59 +0730", :local, [1981,12,31,23,59,59]) +- assert_time_constructor(tz, "1982-01-01 00:30:00 +0800", :local, [1982,1,1,0,0,0]) +- assert_time_constructor(tz, "1982-01-01 00:59:59 +0800", :local, [1982,1,1,0,29,59]) ++ assert_time_constructor(tz, "1981-12-31 23:29:59 +0730", :local, [1981,12,31,23,29,59]) ++ if CORRECT_SINGAPORE_1982 ++ assert_time_constructor(tz, "1982-01-01 00:00:00 +0800", :local, [1981,12,31,23,30,00]) ++ assert_time_constructor(tz, "1982-01-01 00:00:00 +0800", :local, [1982,1,1,0,0,0]) ++ assert_time_constructor(tz, "1982-01-01 00:29:59 +0800", :local, [1982,1,1,0,29,59]) ++ end + assert_time_constructor(tz, "1982-01-01 00:30:00 +0800", :local, [1982,1,1,0,30,0]) + } + end +@@ -448,8 +454,11 @@ def self.gen_zdump_test(data) + America/Managua Wed Jan 1 04:59:59 1997 UTC = Tue Dec 31 23:59:59 1996 EST isdst=0 gmtoff=-18000 + America/Managua Wed Jan 1 05:00:00 1997 UTC = Tue Dec 31 23:00:00 1996 CST isdst=0 gmtoff=-21600 + Asia/Singapore Sun Aug 8 16:30:00 1965 UTC = Mon Aug 9 00:00:00 1965 SGT isdst=0 gmtoff=27000 +-Asia/Singapore Thu Dec 31 16:29:59 1981 UTC = Thu Dec 31 23:59:59 1981 SGT isdst=0 gmtoff=27000 ++Asia/Singapore Thu Dec 31 15:59:59 1981 UTC = Thu Dec 31 23:29:59 1981 SGT isdst=0 gmtoff=27000 + Asia/Singapore Thu Dec 31 16:30:00 1981 UTC = Fri Jan 1 00:30:00 1982 SGT isdst=0 gmtoff=28800 ++End ++ gen_zdump_test <<'End' if CORRECT_SINGAPORE_1982 ++Asia/Singapore Thu Dec 31 16:00:00 1981 UTC = Fri Jan 1 00:00:00 1982 SGT isdst=0 gmtoff=28800 + End + gen_zdump_test CORRECT_TOKYO_DST_1951 ? <<'End' + (CORRECT_TOKYO_DST_1951 < "2018f" ? <<'2018e' : <<'2018f') : <<'End' + Asia/Tokyo Sat May 5 14:59:59 1951 UTC = Sat May 5 23:59:59 1951 JST isdst=0 gmtoff=32400 diff --git a/SOURCES/ruby-3.2.0-git-2.38.1-fix-rubygems-test.patch b/SOURCES/ruby-3.2.0-git-2.38.1-fix-rubygems-test.patch new file mode 100644 index 0000000..73f9a02 --- /dev/null +++ b/SOURCES/ruby-3.2.0-git-2.38.1-fix-rubygems-test.patch @@ -0,0 +1,27 @@ +From dae843f6b7502f921a7e66f39e3714a39d860181 Mon Sep 17 00:00:00 2001 +From: Hiroshi SHIBATA +Date: Wed, 19 Oct 2022 19:40:00 +0900 +Subject: [PATCH] Bypass git submodule add/update with git config + protocol.file.allow=always option. + +Co-authored-by: Nobuyoshi Nakada +--- + test/rubygems/test_gem_source_git.rb | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/test/rubygems/test_gem_source_git.rb b/test/rubygems/test_gem_source_git.rb +index 5702da05974b6..c3b324771fa4d 100644 +--- a/test/rubygems/test_gem_source_git.rb ++++ b/test/rubygems/test_gem_source_git.rb +@@ -63,6 +63,11 @@ def test_checkout_local_cached + end + + def test_checkout_submodules ++ # We need to allow to checkout submodules with file:// protocol ++ # CVE-2022-39253 ++ # https://lore.kernel.org/lkml/xmqq4jw1uku5.fsf@gitster.g/ ++ system(@git, *%W"config --global protocol.file.allow always") ++ + source = Gem::Source::Git.new @name, @repository, 'master', true + + git_gem 'b' diff --git a/SOURCES/ruby-3.3.0-openssl-3.2.0-fips-enable-tests.patch b/SOURCES/ruby-3.3.0-openssl-3.2.0-fips-enable-tests.patch new file mode 100644 index 0000000..7f66fa1 --- /dev/null +++ b/SOURCES/ruby-3.3.0-openssl-3.2.0-fips-enable-tests.patch @@ -0,0 +1,32 @@ +From f0b254f1f6610294821bbfc06b414d2af452db5b Mon Sep 17 00:00:00 2001 +From: Jun Aruga +Date: Thu, 13 Apr 2023 17:28:27 +0200 +Subject: [PATCH] [ruby/openssl] Drop a common logic disabling the FIPS mode in + the tests. + +We want to run the unit tests in the FIPS mode too. + +https://github.com/ruby/openssl/commit/ab92baff34 +--- + test/openssl/utils.rb | 5 ----- + 1 file changed, 5 deletions(-) + +diff --git a/test/openssl/utils.rb b/test/openssl/utils.rb +index 4ebcb9837b..8a0be0d154 100644 +--- a/test/openssl/utils.rb ++++ b/test/openssl/utils.rb +@@ -1,11 +1,6 @@ + # frozen_string_literal: true + begin + require "openssl" +- +- # Disable FIPS mode for tests for installations +- # where FIPS mode would be enabled by default. +- # Has no effect on all other installations. +- OpenSSL.fips_mode=false + rescue LoadError + end + +-- +2.41.0 + diff --git a/SOURCES/ruby-3.3.0-openssl-3.2.0-fips-fix-pkey-dh-require-openssl.patch b/SOURCES/ruby-3.3.0-openssl-3.2.0-fips-fix-pkey-dh-require-openssl.patch new file mode 100644 index 0000000..156cf88 --- /dev/null +++ b/SOURCES/ruby-3.3.0-openssl-3.2.0-fips-fix-pkey-dh-require-openssl.patch @@ -0,0 +1,73 @@ +From b6d7cdc2bad0eadbca73f3486917f0ec7a475814 Mon Sep 17 00:00:00 2001 +From: Kazuki Yamaguchi +Date: Tue, 29 Aug 2023 19:46:02 +0900 +Subject: [PATCH] [ruby/openssl] ssl: use ffdhe2048 from RFC 7919 as the + default DH group parameters + +In TLS 1.2 or before, if DH group parameters for DHE are not supplied +with SSLContext#tmp_dh= or #tmp_dh_callback=, we currently use the +self-generated parameters added in commit https://github.com/ruby/openssl/commit/bb3399a61c03 ("support 2048 +bit length DH-key", 2016-01-15) as the fallback. + +While there is no known weakness in the current parameters, it would be +a good idea to switch to pre-defined, more well audited parameters. + +This also allows the fallback to work in the FIPS mode. + +The PEM encoding was derived with: + + # RFC 7919 Appendix A.1. ffdhe2048 + print OpenSSL::PKey.read(OpenSSL::ASN1::Sequence([OpenSSL::ASN1::Integer((<<-END).split.join.to_i(16)), OpenSSL::ASN1::Integer(2)]).to_der).to_pem + FFFFFFFF FFFFFFFF ADF85458 A2BB4A9A AFDC5620 273D3CF1 + D8B9C583 CE2D3695 A9E13641 146433FB CC939DCE 249B3EF9 + 7D2FE363 630C75D8 F681B202 AEC4617A D3DF1ED5 D5FD6561 + 2433F51F 5F066ED0 85636555 3DED1AF3 B557135E 7F57C935 + 984F0C70 E0E68B77 E2A689DA F3EFE872 1DF158A1 36ADE735 + 30ACCA4F 483A797A BC0AB182 B324FB61 D108A94B B2C8E3FB + B96ADAB7 60D7F468 1D4F42A3 DE394DF4 AE56EDE7 6372BB19 + 0B07A7C8 EE0A6D70 9E02FCE1 CDF7E2EC C03404CD 28342F61 + 9172FE9C E98583FF 8E4F1232 EEF28183 C3FE3B1B 4C6FAD73 + 3BB5FCBC 2EC22005 C58EF183 7D1683B2 C6F34A26 C1B2EFFA + 886B4238 61285C97 FFFFFFFF FFFFFFFF + END + +https://github.com/ruby/openssl/commit/a5527cb4f4 +--- + ext/openssl/lib/openssl/ssl.rb | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/ext/openssl/lib/openssl/ssl.rb b/ext/openssl/lib/openssl/ssl.rb +index ea8bb2a18e533..94be6ba80b894 100644 +--- a/ext/openssl/lib/openssl/ssl.rb ++++ b/ext/openssl/lib/openssl/ssl.rb +@@ -31,21 +31,21 @@ class SSLContext + } + + if defined?(OpenSSL::PKey::DH) +- DEFAULT_2048 = OpenSSL::PKey::DH.new <<-_end_of_pem_ ++ DH_ffdhe2048 = OpenSSL::PKey::DH.new <<-_end_of_pem_ + -----BEGIN DH PARAMETERS----- +-MIIBCAKCAQEA7E6kBrYiyvmKAMzQ7i8WvwVk9Y/+f8S7sCTN712KkK3cqd1jhJDY +-JbrYeNV3kUIKhPxWHhObHKpD1R84UpL+s2b55+iMd6GmL7OYmNIT/FccKhTcveab +-VBmZT86BZKYyf45hUF9FOuUM9xPzuK3Vd8oJQvfYMCd7LPC0taAEljQLR4Edf8E6 +-YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3 +-1bNveX5wInh5GDx1FGhKBZ+s1H+aedudCm7sCgRwv8lKWYGiHzObSma8A86KG+MD +-7Lo5JquQ3DlBodj3IDyPrxIv96lvRPFtAwIBAg== ++MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz +++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a ++87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7 ++YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi ++7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD ++ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg== + -----END DH PARAMETERS----- + _end_of_pem_ +- private_constant :DEFAULT_2048 ++ private_constant :DH_ffdhe2048 + + DEFAULT_TMP_DH_CALLBACK = lambda { |ctx, is_export, keylen| # :nodoc: + warn "using default DH parameters." if $VERBOSE +- DEFAULT_2048 ++ DH_ffdhe2048 + } + end + diff --git a/SOURCES/ruby-3.3.0-openssl-3.2.0-fips-fix-pkey-read-in-openssl-3.patch b/SOURCES/ruby-3.3.0-openssl-3.2.0-fips-fix-pkey-read-in-openssl-3.patch new file mode 100644 index 0000000..f0c9da2 --- /dev/null +++ b/SOURCES/ruby-3.3.0-openssl-3.2.0-fips-fix-pkey-read-in-openssl-3.patch @@ -0,0 +1,160 @@ +From 40451afa279c52ce7a508f8a9ec553cfe7a76a10 Mon Sep 17 00:00:00 2001 +From: Jun Aruga +Date: Wed, 12 Apr 2023 17:15:21 +0200 +Subject: [PATCH] Fix OpenSSL::PKey.read in OpenSSL 3 FIPS module. + +This is a combination of the following 2 commits. Because the combined patch is +easy to merge. + +This is the 1st commit message: + +[ruby/openssl] Workaround: Fix OpenSSL::PKey.read that cannot parse PKey in the FIPS mode. + +This commit is a workaround to avoid the error below that the +`OpenSSL::PKey.read` fails with the OpenSSL 3.0 FIPS mode. + +``` +$ openssl genrsa -out key.pem 4096 + +$ ruby -e "require 'openssl'; OpenSSL::PKey.read(File.read('key.pem'))" +-e:1:in `read': Could not parse PKey (OpenSSL::PKey::PKeyError) + from -e:1:in `
' +``` + +The root cause is on the OpenSSL side. The `OSSL_DECODER_CTX_set_selection` +doesn't apply the selection value properly if there are multiple providers, and +a provider (e.g. "base" provider) handles the decoder implementation, and +another provider (e.g. "fips" provider) handles the keys. + +The workaround is to create `OSSL_DECODER_CTX` variable each time without using +the `OSSL_DECODER_CTX_set_selection`. + +https://github.com/ruby/openssl/commit/5ff4a31621 + +This is the commit message #2: + +[ruby/openssl] ossl_pkey.c: Workaround: Decode with non-zero selections. + +This is a workaround for the decoding issue in ossl_pkey_read_generic(). +The issue happens in the case that a key management provider is different from +a decoding provider. + +Try all the non-zero selections in order, instead of selection 0 for OpenSSL 3 +to avoid the issue. + +https://github.com/ruby/openssl/commit/db688fa739 +--- + ext/openssl/ossl_pkey.c | 78 ++++++++++++++++++++++++++++++++++++++--- + 1 file changed, 73 insertions(+), 5 deletions(-) + +diff --git a/ext/openssl/ossl_pkey.c b/ext/openssl/ossl_pkey.c +index 24d0da4683..15854aeca1 100644 +--- a/ext/openssl/ossl_pkey.c ++++ b/ext/openssl/ossl_pkey.c +@@ -81,18 +81,20 @@ ossl_pkey_new(EVP_PKEY *pkey) + #if OSSL_OPENSSL_PREREQ(3, 0, 0) + # include + +-EVP_PKEY * +-ossl_pkey_read_generic(BIO *bio, VALUE pass) ++static EVP_PKEY * ++ossl_pkey_read(BIO *bio, const char *input_type, int selection, VALUE pass) + { + void *ppass = (void *)pass; + OSSL_DECODER_CTX *dctx; + EVP_PKEY *pkey = NULL; + int pos = 0, pos2; + +- dctx = OSSL_DECODER_CTX_new_for_pkey(&pkey, "DER", NULL, NULL, 0, NULL, NULL); ++ dctx = OSSL_DECODER_CTX_new_for_pkey(&pkey, input_type, NULL, NULL, ++ selection, NULL, NULL); + if (!dctx) + goto out; +- if (OSSL_DECODER_CTX_set_pem_password_cb(dctx, ossl_pem_passwd_cb, ppass) != 1) ++ if (OSSL_DECODER_CTX_set_pem_password_cb(dctx, ossl_pem_passwd_cb, ++ ppass) != 1) + goto out; + + /* First check DER */ +@@ -111,11 +113,77 @@ ossl_pkey_read_generic(BIO *bio, VALUE pass) + goto out; + pos = pos2; + } +- + out: ++ OSSL_BIO_reset(bio); + OSSL_DECODER_CTX_free(dctx); + return pkey; + } ++ ++EVP_PKEY * ++ossl_pkey_read_generic(BIO *bio, VALUE pass) ++{ ++ EVP_PKEY *pkey = NULL; ++ /* First check DER, then check PEM. */ ++ const char *input_types[] = {"DER", "PEM"}; ++ int input_type_num = (int)(sizeof(input_types) / sizeof(char *)); ++ /* ++ * Non-zero selections to try to decode. ++ * ++ * See EVP_PKEY_fromdata(3) - Selections to see all the selections. ++ * ++ * This is a workaround for the decoder failing to decode or returning ++ * bogus keys with selection 0, if a key management provider is different ++ * from a decoder provider. The workaround is to avoid using selection 0. ++ * ++ * Affected OpenSSL versions: >= 3.1.0, <= 3.1.2, or >= 3.0.0, <= 3.0.10 ++ * Fixed OpenSSL versions: 3.2, next release of the 3.1.z and 3.0.z ++ * ++ * See https://github.com/openssl/openssl/pull/21519 for details. ++ * ++ * First check for private key formats (EVP_PKEY_KEYPAIR). This is to keep ++ * compatibility with ruby/openssl < 3.0 which decoded the following as a ++ * private key. ++ * ++ * $ openssl ecparam -name prime256v1 -genkey -outform PEM ++ * -----BEGIN EC PARAMETERS----- ++ * BggqhkjOPQMBBw== ++ * -----END EC PARAMETERS----- ++ * -----BEGIN EC PRIVATE KEY----- ++ * MHcCAQEEIAG8ugBbA5MHkqnZ9ujQF93OyUfL9tk8sxqM5Wv5tKg5oAoGCCqGSM49 ++ * AwEHoUQDQgAEVcjhJfkwqh5C7kGuhAf8XaAjVuG5ADwb5ayg/cJijCgs+GcXeedj ++ * 86avKpGH84DXUlB23C/kPt+6fXYlitUmXQ== ++ * -----END EC PRIVATE KEY----- ++ * ++ * While the first PEM block is a proper encoding of ECParameters, thus ++ * OSSL_DECODER_from_bio() would pick it up, ruby/openssl used to return ++ * the latter instead. Existing applications expect this behavior. ++ * ++ * Note that normally, the input is supposed to contain a single decodable ++ * PEM block only, so this special handling should not create a new problem. ++ * ++ * Note that we need to create the OSSL_DECODER_CTX variable each time when ++ * we use the different selection as a workaround. ++ * See https://github.com/openssl/openssl/issues/20657 for details. ++ */ ++ int selections[] = { ++ EVP_PKEY_KEYPAIR, ++ EVP_PKEY_KEY_PARAMETERS, ++ EVP_PKEY_PUBLIC_KEY ++ }; ++ int selection_num = (int)(sizeof(selections) / sizeof(int)); ++ int i, j; ++ ++ for (i = 0; i < input_type_num; i++) { ++ for (j = 0; j < selection_num; j++) { ++ pkey = ossl_pkey_read(bio, input_types[i], selections[j], pass); ++ if (pkey) { ++ goto out; ++ } ++ } ++ } ++ out: ++ return pkey; ++} + #else + EVP_PKEY * + ossl_pkey_read_generic(BIO *bio, VALUE pass) +-- +2.41.0 + diff --git a/SOURCES/ruby-3.3.0-openssl-3.2.0-fix-fips-get-set-in-openssl-3.patch b/SOURCES/ruby-3.3.0-openssl-3.2.0-fix-fips-get-set-in-openssl-3.patch new file mode 100644 index 0000000..3e9e084 --- /dev/null +++ b/SOURCES/ruby-3.3.0-openssl-3.2.0-fix-fips-get-set-in-openssl-3.patch @@ -0,0 +1,142 @@ +From 29920ec109751459a65c6478525f2e59c644891f Mon Sep 17 00:00:00 2001 +From: Jun Aruga +Date: Thu, 16 Mar 2023 21:36:43 +0100 +Subject: [PATCH] [ruby/openssl] Implement FIPS functions on OpenSSL 3. + +This commit is to implement the `OpenSSL::OPENSSL_FIPS`, `ossl_fips_mode_get` +and `ossl_fips_mode_set` to pass the test `test/openssl/test_fips.rb`. + +It seems that the `OPENSSL_FIPS` macro is not used on the FIPS mode case any +more, and some FIPS related APIs also were removed in OpenSSL 3. + +See the document +the section OPENSSL 3.0 > Main Changes from OpenSSL 1.1.1 > +Other notable deprecations and changes - Removed FIPS_mode() and FIPS_mode_set() . + +The `OpenSSL::OPENSSL_FIPS` returns always true in OpenSSL 3 because the used +functions `EVP_default_properties_enable_fips` and `EVP_default_properties_is_fips_enabled` +works with the OpenSSL installed without FIPS option. + +The `TEST_RUBY_OPENSSL_FIPS_ENABLED` is set on the FIPS mode case on the CI. +Because I want to test that the `OpenSSL.fips_mode` returns the `true` or +'false' surely in the CI. You can test the FIPS mode case by setting +`TEST_RUBY_OPENSSL_FIPS_ENABLED` on local too. Right now I don't find a better +way to get the status of the FIPS mode enabled or disabled for this purpose. I +am afraid of the possibility that the FIPS test case is unintentionally skipped. + +I also replaced the ambiguous "returns" with "should return" in the tests. + +https://github.com/ruby/openssl/commit/c5b2bc1268 +--- + ext/openssl/ossl.c | 25 +++++++++++++++++++++---- + test/openssl/test_fips.rb | 32 ++++++++++++++++++++++++++++---- + 2 files changed, 49 insertions(+), 8 deletions(-) + +diff --git a/ext/openssl/ossl.c b/ext/openssl/ossl.c +index 6c532aca94..fcf3744c65 100644 +--- a/ext/openssl/ossl.c ++++ b/ext/openssl/ossl.c +@@ -405,7 +405,11 @@ static VALUE + ossl_fips_mode_get(VALUE self) + { + +-#ifdef OPENSSL_FIPS ++#if OSSL_OPENSSL_PREREQ(3, 0, 0) ++ VALUE enabled; ++ enabled = EVP_default_properties_is_fips_enabled(NULL) ? Qtrue : Qfalse; ++ return enabled; ++#elif OPENSSL_FIPS + VALUE enabled; + enabled = FIPS_mode() ? Qtrue : Qfalse; + return enabled; +@@ -429,8 +433,18 @@ ossl_fips_mode_get(VALUE self) + static VALUE + ossl_fips_mode_set(VALUE self, VALUE enabled) + { +- +-#ifdef OPENSSL_FIPS ++#if OSSL_OPENSSL_PREREQ(3, 0, 0) ++ if (RTEST(enabled)) { ++ if (!EVP_default_properties_enable_fips(NULL, 1)) { ++ ossl_raise(eOSSLError, "Turning on FIPS mode failed"); ++ } ++ } else { ++ if (!EVP_default_properties_enable_fips(NULL, 0)) { ++ ossl_raise(eOSSLError, "Turning off FIPS mode failed"); ++ } ++ } ++ return enabled; ++#elif OPENSSL_FIPS + if (RTEST(enabled)) { + int mode = FIPS_mode(); + if(!mode && !FIPS_mode_set(1)) /* turning on twice leads to an error */ +@@ -1185,7 +1199,10 @@ Init_openssl(void) + * Boolean indicating whether OpenSSL is FIPS-capable or not + */ + rb_define_const(mOSSL, "OPENSSL_FIPS", +-#ifdef OPENSSL_FIPS ++/* OpenSSL 3 is FIPS-capable even when it is installed without fips option */ ++#if OSSL_OPENSSL_PREREQ(3, 0, 0) ++ Qtrue ++#elif OPENSSL_FIPS + Qtrue + #else + Qfalse +diff --git a/test/openssl/test_fips.rb b/test/openssl/test_fips.rb +index 8cd474f9a3..56a12a94ce 100644 +--- a/test/openssl/test_fips.rb ++++ b/test/openssl/test_fips.rb +@@ -4,22 +4,46 @@ + if defined?(OpenSSL) + + class OpenSSL::TestFIPS < OpenSSL::TestCase ++ def test_fips_mode_get_is_true_on_fips_mode_enabled ++ unless ENV["TEST_RUBY_OPENSSL_FIPS_ENABLED"] ++ omit "Only for FIPS mode environment" ++ end ++ ++ assert_separately([{ "OSSL_MDEBUG" => nil }, "-ropenssl"], <<~"end;") ++ assert OpenSSL.fips_mode == true, ".fips_mode should return true on FIPS mode enabled" ++ end; ++ end ++ ++ def test_fips_mode_get_is_false_on_fips_mode_disabled ++ if ENV["TEST_RUBY_OPENSSL_FIPS_ENABLED"] ++ omit "Only for non-FIPS mode environment" ++ end ++ ++ assert_separately([{ "OSSL_MDEBUG" => nil }, "-ropenssl"], <<~"end;") ++ message = ".fips_mode should return false on FIPS mode disabled. " \ ++ "If you run the test on FIPS mode, please set " \ ++ "TEST_RUBY_OPENSSL_FIPS_ENABLED=true" ++ assert OpenSSL.fips_mode == false, message ++ end; ++ end ++ + def test_fips_mode_is_reentrant + OpenSSL.fips_mode = false + OpenSSL.fips_mode = false + end + +- def test_fips_mode_get +- return unless OpenSSL::OPENSSL_FIPS ++ def test_fips_mode_get_with_fips_mode_set ++ omit('OpenSSL is not FIPS-capable') unless OpenSSL::OPENSSL_FIPS ++ + assert_separately([{ "OSSL_MDEBUG" => nil }, "-ropenssl"], <<~"end;") + require #{__FILE__.dump} + + begin + OpenSSL.fips_mode = true +- assert OpenSSL.fips_mode == true, ".fips_mode returns true when .fips_mode=true" ++ assert OpenSSL.fips_mode == true, ".fips_mode should return true when .fips_mode=true" + + OpenSSL.fips_mode = false +- assert OpenSSL.fips_mode == false, ".fips_mode returns false when .fips_mode=false" ++ assert OpenSSL.fips_mode == false, ".fips_mode should return false when .fips_mode=false" + rescue OpenSSL::OpenSSLError + pend "Could not set FIPS mode (OpenSSL::OpenSSLError: \#$!); skipping" + end +-- +2.41.0 + diff --git a/SOURCES/ruby-3.3.0-test-file-utime.patch b/SOURCES/ruby-3.3.0-test-file-utime.patch new file mode 100644 index 0000000..c2701f3 --- /dev/null +++ b/SOURCES/ruby-3.3.0-test-file-utime.patch @@ -0,0 +1,36 @@ +From 8d1109c03bacc952b6218af2e4ae9b74c9855273 Mon Sep 17 00:00:00 2001 +From: Hiroshi SHIBATA +Date: Wed, 22 Mar 2023 16:10:06 +0900 +Subject: [PATCH] Added assertion values for Amazon Linux 2023 + +--- + spec/ruby/core/file/utime_spec.rb | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/spec/ruby/core/file/utime_spec.rb b/spec/ruby/core/file/utime_spec.rb +index a191e2924037c..0b0e4f979c935 100644 +--- a/spec/ruby/core/file/utime_spec.rb ++++ b/spec/ruby/core/file/utime_spec.rb +@@ -72,17 +72,19 @@ + + platform_is :linux do + platform_is wordsize: 64 do +- it "allows Time instances in the far future to set mtime and atime (but some filesystems limit it up to 2446-05-10 or 2038-01-19)" do ++ it "allows Time instances in the far future to set mtime and atime (but some filesystems limit it up to 2446-05-10 or 2038-01-19 or 2486-07-02)" do + # https://ext4.wiki.kernel.org/index.php/Ext4_Disk_Layout#Inode_Timestamps + # "Therefore, timestamps should not overflow until May 2446." + # https://lwn.net/Articles/804382/ + # "On-disk timestamps hitting the y2038 limit..." + # The problem seems to be being improved, but currently it actually fails on XFS on RHEL8 + # https://rubyci.org/logs/rubyci.s3.amazonaws.com/rhel8/ruby-master/log/20201112T123004Z.fail.html.gz ++ # Amazon Linux 2023 returns 2486-07-02 in this example ++ # http://rubyci.s3.amazonaws.com/amazon2023/ruby-master/log/20230322T063004Z.fail.html.gz + time = Time.at(1<<44) + File.utime(time, time, @file1) +- [559444, 2446, 2038].should.include? File.atime(@file1).year +- [559444, 2446, 2038].should.include? File.mtime(@file1).year ++ [559444, 2486, 2446, 2038].should.include? File.atime(@file1).year ++ [559444, 2486, 2446, 2038].should.include? File.mtime(@file1).year + end + end + end diff --git a/SOURCES/ruby-spec-Fix-tests-on-tzdata-2022b.patch b/SOURCES/ruby-spec-Fix-tests-on-tzdata-2022b.patch new file mode 100644 index 0000000..19386d9 --- /dev/null +++ b/SOURCES/ruby-spec-Fix-tests-on-tzdata-2022b.patch @@ -0,0 +1,40 @@ +From 7e9ec8a20b0f7469b415283d2ec0c22087f8eb2b Mon Sep 17 00:00:00 2001 +From: Jun Aruga +Date: Wed, 24 Aug 2022 12:02:56 +0200 +Subject: [PATCH] Fix tests with Europe/Amsterdam pre-1970 time on tzdata + version 2022b. + +The Time Zone Database (tzdata) changed the pre-1970 timestamps in some zones +including Europe/Amsterdam on tzdata version 2022b or later. +See . + +The tzdata RPM package maintainer on Fedora project suggested changing the Ruby +test, because the change is intentional. +See . + +We use post-1970 time test data to simplify the test. +--- + core/time/shared/local.rb | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/spec/ruby/core/time/shared/local.rb b/spec/ruby/core/time/shared/local.rb +index 43f331c4c..c4aa7a7ea 100644 +--- a/spec/ruby/core/time/shared/local.rb ++++ b/spec/ruby/core/time/shared/local.rb +@@ -8,10 +8,10 @@ describe :time_local, shared: true do + + platform_is_not :windows do + describe "timezone changes" do +- it "correctly adjusts the timezone change to 'CEST' on 'Europe/Amsterdam'" do ++ it "correctly adjusts the timezone change to 'CET' on 'Europe/Amsterdam'" do + with_timezone("Europe/Amsterdam") do +- Time.send(@method, 1940, 5, 16).to_a.should == +- [0, 40, 1, 16, 5, 1940, 4, 137, true, "CEST"] ++ Time.send(@method, 1970, 5, 16).to_a.should == ++ [0, 0, 0, 16, 5, 1970, 6, 136, false, "CET"] + end + end + end +-- +2.36.1 + diff --git a/SOURCES/test_openssl_fips.rb b/SOURCES/test_openssl_fips.rb new file mode 100644 index 0000000..ffc7883 --- /dev/null +++ b/SOURCES/test_openssl_fips.rb @@ -0,0 +1,34 @@ +require 'openssl' + +# Run openssl tests in OpenSSL FIPS. See the link below for how to test. +# https://github.com/ruby/openssl/blob/master/.github/workflows/test.yml +# - step name: test on fips module + +# Listing the testing files by an array explicitly rather than the `Dir.glob` +# to prevent the test files from not loading unintentionally. +TEST_FILES = %w[ + test/openssl/test_fips.rb + test/openssl/test_pkey.rb +].freeze + +if ARGV.empty? + puts 'ERROR: Argument base_dir required.' + puts "Usage: #{__FILE__} base_dir [options]" + exit false +end +BASE_DIR = ARGV[0] +abs_test_files = TEST_FILES.map { |file| File.join(BASE_DIR, file) } + +# Set Fedora/RHEL downstream OpenSSL downstream environment variable to enable +# FIPS module in non-FIPS OS environment. It is available in Fedora 38 or later +# versions. +# https://src.fedoraproject.org/rpms/openssl/blob/rawhide/f/0009-Add-Kernel-FIPS-mode-flag-support.patch +ENV['OPENSSL_FORCE_FIPS_MODE'] = '1' +# A flag to tell the tests the current environment is FIPS enabled. +# https://github.com/ruby/openssl/blob/master/test/openssl/test_fips.rb +ENV['TEST_RUBY_OPENSSL_FIPS_ENABLED'] = 'true' + +abs_test_files.each do |file| + puts "INFO: Loading #{file}." + require file +end diff --git a/SPECS/ruby.spec b/SPECS/ruby.spec index ac94c1b..703f96d 100644 --- a/SPECS/ruby.spec +++ b/SPECS/ruby.spec @@ -22,7 +22,7 @@ %endif -%global release 160 +%global release 161 %{!?release_string:%define release_string %{?development_release:0.}%{release}%{?development_release:.%{development_release}}%{?dist}} # The RubyGems library has to stay out of Ruby directory tree, since the @@ -106,6 +106,8 @@ Source11: rubygems.con Source13: test_abrt.rb # SystemTap tests. Source14: test_systemtap.rb +# Ruby OpenSSL FIPS tests. +Source15: test_openssl_fips.rb # The load directive is supported since RPM 4.12, i.e. F21+. The build process # fails on older Fedoras. @@ -261,6 +263,38 @@ Patch59: ruby-3.1.1-ossl_ocsp-use-null.patch # Replace SHA1 usage in tests. # https://github.com/ruby/openssl/pull/511 Patch60: ruby-3.1.2-ossl-tests-replace-sha1.patch +# Bypass git submodule test failure on Git >= 2.38.1. +# https://github.com/ruby/ruby/pull/6587 +Patch61: ruby-3.2.0-git-2.38.1-fix-rubygems-test.patch +# Fix tests with Europe/Amsterdam pre-1970 time on tzdata version 2022b. +# https://github.com/ruby/spec/pull/939 +Patch62: ruby-spec-Fix-tests-on-tzdata-2022b.patch +# Fix Time Zone Database 2022g. +# https://bugs.ruby-lang.org/issues/19187 +# https://github.com/ruby/ruby/commit/a1124dc162810f86cb0bff58cde24064cfc561bc +Patch63: ruby-3.1.3-Fix-for-tzdata-2022g.patch +# Fix File.utime test. +# https://github.com/ruby/ruby/commit/8d1109c03bacc952b6218af2e4ae9b74c9855273 +Patch64: ruby-3.3.0-test-file-utime.patch +# Fix OpenSSL.fips_mode in OpenSSL 3 FIPS. +# https://github.com/ruby/openssl/pull/608 +# https://github.com/ruby/ruby/commit/678d41bc51fe31834eec0b653ba0e47de5420aa0 +Patch65: ruby-3.3.0-openssl-3.2.0-fix-fips-get-set-in-openssl-3.patch +# Fix OpenSSL::PKey.read in OpenSSL 3 FIPS. +# The patch is a combination of the following 2 commits to simplify the patch. +# https://github.com/ruby/openssl/pull/615 +# https://github.com/ruby/ruby/commit/2a4834057b30a26c38ece3961b370c0b2ee59380 +# https://github.com/ruby/openssl/pull/669 +# https://github.com/ruby/ruby/commit/b0ec1db8a72c530460abd9462ac75845362886bd +Patch66: ruby-3.3.0-openssl-3.2.0-fips-fix-pkey-read-in-openssl-3.patch +# Enable tests in OpenSSL FIPS. +# https://github.com/ruby/openssl/pull/615 +# https://github.com/ruby/ruby/commit/920bc71284f417f9044b0dc1822b1d29a8fc61e5 +Patch67: ruby-3.3.0-openssl-3.2.0-fips-enable-tests.patch +# ssl: use ffdhe2048 from RFC 7919 as the default DH group parameters +# https://github.com/ruby/openssl/pull/674 +# https://github.com/ruby/ruby/commit/b6d7cdc2bad0eadbca73f3486917f0ec7a475814 +Patch68: ruby-3.3.0-openssl-3.2.0-fips-fix-pkey-dh-require-openssl.patch Requires: %{name}-libs%{?_isa} = %{version}-%{release} Suggests: rubypick @@ -726,6 +760,14 @@ rm -rf ext/fiddle/libffi* %patch58 -p1 %patch59 %patch60 -p1 +%patch61 -p1 +%patch62 -p1 +%patch63 -p1 +%patch64 -p1 +%patch65 -p1 +%patch66 -p1 +%patch67 -p1 +%patch68 -p1 # Provide an example of usage of the tapset: cp -a %{SOURCE3} . @@ -1017,6 +1059,11 @@ OPENSSL_ENABLE_SHA1_SIGNATURES=1 \ %{?test_timeout_scale:RUBY_TEST_TIMEOUT_SCALE="%{test_timeout_scale}"} \ make check TESTS="-v $DISABLE_TESTS" MSPECOPT="-fs $MSPECOPTS" +# Run Ruby OpenSSL tests in OpenSSL FIPS. +make runruby TESTRUN_SCRIPT=" \ + -I%{_builddir}/%{buildsubdir}/tool/lib --enable-gems \ + %{SOURCE15} %{_builddir}/%{buildsubdir} --verbose" + %files %license BSDL %license COPYING @@ -1489,11 +1536,23 @@ OPENSSL_ENABLE_SHA1_SIGNATURES=1 \ %changelog +* Mon Oct 09 2023 Jun Aruga - 3.0.4-161 +- Fix OpenSSL.fips_mode and OpenSSL::PKey.read in OpenSSL 3 FIPS. + Resolves: RHEL-12724 +- ssl: use ffdhe2048 from RFC 7919 as the default DH group parameters + Related: RHEL-12724 + +* Wed Jun 28 2023 Jun Aruga - 3.0.4-160 +- Bypass git submodule test failure on Git >= 2.38.1. +- Fix tests with Europe/Amsterdam pre-1970 time on tzdata version 2022b. +- Fix for tzdata-2022g. +- Fix File.utime test. + * Fri Jul 08 2022 Jarek Prokop - 3.0.4-160 - Upgrade to Ruby 3.0.4. - Resolves: rhbz#2109428 + Resolves: rhbz#2096347 - OpenSSL test suite fixes due to disabled SHA1. - Related: rbhz#2109428 + Resolves: rbhz#2107696 - Fix double free in Regexp compilation. Resolves: CVE-2022-28738 - Fix buffer overrun in String-to-Float conversion.