import UBI ruby-3.0.4-161.el9

SOURCES/ruby-2.1.0-Prevent-duplicated-paths-when-empty-version-string-i.patch

@@ -14,7 +14,7 @@ diff --git a/configure.ac b/configure.ac
 index c42436c23d..d261ea57b5 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -3881,7 +3881,8 @@ AS_CASE(["$ruby_version_dir_name"],
+@@ -3886,7 +3886,8 @@ AS_CASE(["$ruby_version_dir_name"],
  ruby_version_dir=/'${ruby_version_dir_name}'
  
  if test -z "${ruby_version_dir_name}"; then

SOURCES/ruby-2.1.0-always-use-i386.patch

@@ -11,7 +11,7 @@ diff --git a/configure.ac b/configure.ac
 index 3c13076b82..93af30321d 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -3945,6 +3945,8 @@ AC_SUBST(vendorarchdir)dnl
+@@ -3950,6 +3950,8 @@ AC_SUBST(vendorarchdir)dnl
  AC_SUBST(CONFIGURE, "`echo $0 | sed 's|.*/||'`")dnl
  AC_SUBST(configure_args, "`echo "${ac_configure_args}" | sed 's/\\$/$$/g'`")dnl
  

SOURCES/ruby-2.1.0-custom-rubygems-location.patch

@@ -15,7 +15,7 @@ diff --git a/configure.ac b/configure.ac
 index 93af30321d..bc13397e0e 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -3917,6 +3917,10 @@ AC_ARG_WITH(vendorarchdir,
+@@ -3922,6 +3922,10 @@ AC_ARG_WITH(vendorarchdir,
              [vendorarchdir=$withval],
              [vendorarchdir=${multiarch+'${rubysitearchprefix}/vendor_ruby'${ruby_version_dir}}${multiarch-'${vendorlibdir}/${sitearch}'}])
  
@@ -26,7 +26,7 @@ index 93af30321d..bc13397e0e 100644
  AS_IF([test "${LOAD_RELATIVE+set}"], [
      AC_DEFINE_UNQUOTED(LOAD_RELATIVE, $LOAD_RELATIVE)
      RUBY_EXEC_PREFIX=''
-@@ -3941,6 +3945,7 @@ AC_SUBST(sitearchdir)dnl
+@@ -3946,6 +3950,7 @@ AC_SUBST(sitearchdir)dnl
  AC_SUBST(vendordir)dnl
  AC_SUBST(vendorlibdir)dnl
  AC_SUBST(vendorarchdir)dnl

SOURCES/ruby-2.3.0-ruby_version.patch

@@ -20,7 +20,7 @@ diff --git a/configure.ac b/configure.ac
 index 80b137e380..63cd3b4f8b 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -3832,9 +3832,6 @@ AS_CASE(["$target_os"],
+@@ -3837,9 +3837,6 @@ AS_CASE(["$target_os"],
      rubyw_install_name='$(RUBYW_INSTALL_NAME)'
      ])
  
@@ -30,7 +30,7 @@ index 80b137e380..63cd3b4f8b 100644
  rubyarchprefix=${multiarch+'${archlibdir}/${RUBY_BASE_NAME}'}${multiarch-'${rubylibprefix}/${arch}'}
  AC_ARG_WITH(rubyarchprefix,
  	    AS_HELP_STRING([--with-rubyarchprefix=DIR],
-@@ -3857,56 +3854,62 @@ AC_ARG_WITH(ridir,
+@@ -3862,56 +3859,62 @@ AC_ARG_WITH(ridir,
  AC_SUBST(ridir)
  AC_SUBST(RI_BASE_NAME)
  
@@ -120,7 +120,7 @@ index 80b137e380..63cd3b4f8b 100644
  
  AS_IF([test "${LOAD_RELATIVE+set}"], [
      AC_DEFINE_UNQUOTED(LOAD_RELATIVE, $LOAD_RELATIVE)
-@@ -3923,6 +3926,7 @@ AC_SUBST(sitearchincludedir)dnl
+@@ -3928,6 +3931,7 @@ AC_SUBST(sitearchincludedir)dnl
  AC_SUBST(arch)dnl
  AC_SUBST(sitearch)dnl
  AC_SUBST(ruby_version)dnl

SOURCES/ruby-3.1.0-Get-rid-of-type-punning-pointer-casts.patch

@@ -123,7 +123,7 @@ index 016dba1dbb18..1fd0bd57f7ca 100644
  
                  RB_DEBUG_COUNTER_INC(cc_invalidate_negative);
              }
-@@ -1023,6 +1025,7 @@ prepare_callable_method_entry(VALUE defined_class, ID id, const rb_method_entry_
+@@ -1030,6 +1032,7 @@ prepare_callable_method_entry(VALUE defined_class, ID id, const rb_method_entry_
  {
      struct rb_id_table *mtbl;
      const rb_callable_method_entry_t *cme;
@@ -131,7 +131,7 @@ index 016dba1dbb18..1fd0bd57f7ca 100644
  
      if (me) {
          if (me->defined_class == 0) {
-@@ -1032,7 +1035,8 @@ prepare_callable_method_entry(VALUE defined_class, ID id, const rb_method_entry_
+@@ -1039,7 +1042,8 @@ prepare_callable_method_entry(VALUE defined_class, ID id, const rb_method_entry_
  
              mtbl = RCLASS_CALLABLE_M_TBL(defined_class);
  
@@ -141,7 +141,7 @@ index 016dba1dbb18..1fd0bd57f7ca 100644
                  RB_DEBUG_COUNTER_INC(mc_cme_complement_hit);
                  VM_ASSERT(callable_method_entry_p(cme));
                  VM_ASSERT(!METHOD_ENTRY_INVALIDATED(cme));
-@@ -1076,9 +1080,10 @@ cached_callable_method_entry(VALUE klass, ID mid)
+@@ -1083,9 +1087,10 @@ cached_callable_method_entry(VALUE klass, ID mid)
      ASSERT_vm_locking();
  
      struct rb_id_table *cc_tbl = RCLASS_CC_TBL(klass);
@@ -154,7 +154,7 @@ index 016dba1dbb18..1fd0bd57f7ca 100644
          VM_ASSERT(vm_ccs_p(ccs));
  
          if (LIKELY(!METHOD_ENTRY_INVALIDATED(ccs->cme))) {
-@@ -1104,12 +1109,14 @@ cache_callable_method_entry(VALUE klass, ID mid, const rb_callable_method_entry_
+@@ -1111,12 +1116,14 @@ cache_callable_method_entry(VALUE klass, ID mid, const rb_callable_method_entry_
  
      struct rb_id_table *cc_tbl = RCLASS_CC_TBL(klass);
      struct rb_class_cc_entries *ccs;
@@ -170,7 +170,7 @@ index 016dba1dbb18..1fd0bd57f7ca 100644
          VM_ASSERT(ccs->cme == cme);
      }
      else {
-@@ -1123,8 +1130,12 @@ negative_cme(ID mid)
+@@ -1130,8 +1137,12 @@ negative_cme(ID mid)
  {
      rb_vm_t *vm = GET_VM();
      const rb_callable_method_entry_t *cme;

SOURCES/ruby-3.1.3-Fix-for-tzdata-2022g.patch

@@ -0,0 +1,70 @@
+From a1124dc162810f86cb0bff58cde24064cfc561bc Mon Sep 17 00:00:00 2001
+From: nagachika <nagachika@ruby-lang.org>
+Date: Fri, 9 Dec 2022 21:11:47 +0900
+Subject: [PATCH] merge revision(s) 58cc3c9f387dcf8f820b43e043b540fa06248da3:
+ [Backport #19187]
+
+	[Bug #19187] Fix for tzdata-2022g
+
+	---
+	 test/ruby/test_time_tz.rb | 21 +++++++++++++++------
+	 1 file changed, 15 insertions(+), 6 deletions(-)
+---
+ test/ruby/test_time_tz.rb | 21 +++++++++++++++------
+ 1 files changed, 15 insertions(+), 6 deletions(-)
+
+diff --git a/test/ruby/test_time_tz.rb b/test/ruby/test_time_tz.rb
+index b6785f336028d..939f218ed4d10 100644
+--- a/test/ruby/test_time_tz.rb
++++ b/test/ruby/test_time_tz.rb
+@@ -7,9 +7,9 @@ class TestTimeTZ < Test::Unit::TestCase
+   has_lisbon_tz = true
+   force_tz_test = ENV["RUBY_FORCE_TIME_TZ_TEST"] == "yes"
+   case RUBY_PLATFORM
+-  when /linux/
++  when /darwin|linux/
+     force_tz_test = true
+-  when /darwin|freebsd|openbsd/
++  when /freebsd|openbsd/
+     has_lisbon_tz = false
+     force_tz_test = true
+   end
+@@ -95,6 +95,9 @@ def group_by(e, &block)
+   CORRECT_KIRITIMATI_SKIP_1994 = with_tz("Pacific/Kiritimati") {
+     Time.local(1994, 12, 31, 0, 0, 0).year == 1995
+   }
++  CORRECT_SINGAPORE_1982 = with_tz("Asia/Singapore") {
++    "2022g" if Time.local(1981, 12, 31, 23, 59, 59).utc_offset == 8*3600
++  }
+ 
+   def time_to_s(t)
+     t.to_s
+@@ -140,9 +143,12 @@ def test_america_managua
+ 
+   def test_asia_singapore
+     with_tz(tz="Asia/Singapore") {
+-      assert_time_constructor(tz, "1981-12-31 23:59:59 +0730", :local, [1981,12,31,23,59,59])
+-      assert_time_constructor(tz, "1982-01-01 00:30:00 +0800", :local, [1982,1,1,0,0,0])
+-      assert_time_constructor(tz, "1982-01-01 00:59:59 +0800", :local, [1982,1,1,0,29,59])
++      assert_time_constructor(tz, "1981-12-31 23:29:59 +0730", :local, [1981,12,31,23,29,59])
++      if CORRECT_SINGAPORE_1982
++        assert_time_constructor(tz, "1982-01-01 00:00:00 +0800", :local, [1981,12,31,23,30,00])
++        assert_time_constructor(tz, "1982-01-01 00:00:00 +0800", :local, [1982,1,1,0,0,0])
++        assert_time_constructor(tz, "1982-01-01 00:29:59 +0800", :local, [1982,1,1,0,29,59])
++      end
+       assert_time_constructor(tz, "1982-01-01 00:30:00 +0800", :local, [1982,1,1,0,30,0])
+     }
+   end
+@@ -448,8 +454,11 @@ def self.gen_zdump_test(data)
+ America/Managua  Wed Jan  1 04:59:59 1997 UTC = Tue Dec 31 23:59:59 1996 EST isdst=0 gmtoff=-18000
+ America/Managua  Wed Jan  1 05:00:00 1997 UTC = Tue Dec 31 23:00:00 1996 CST isdst=0 gmtoff=-21600
+ Asia/Singapore  Sun Aug  8 16:30:00 1965 UTC = Mon Aug  9 00:00:00 1965 SGT isdst=0 gmtoff=27000
+-Asia/Singapore  Thu Dec 31 16:29:59 1981 UTC = Thu Dec 31 23:59:59 1981 SGT isdst=0 gmtoff=27000
++Asia/Singapore  Thu Dec 31 15:59:59 1981 UTC = Thu Dec 31 23:29:59 1981 SGT isdst=0 gmtoff=27000
+ Asia/Singapore  Thu Dec 31 16:30:00 1981 UTC = Fri Jan  1 00:30:00 1982 SGT isdst=0 gmtoff=28800
++End
++  gen_zdump_test <<'End' if CORRECT_SINGAPORE_1982
++Asia/Singapore  Thu Dec 31 16:00:00 1981 UTC = Fri Jan  1 00:00:00 1982 SGT isdst=0 gmtoff=28800
+ End
+   gen_zdump_test CORRECT_TOKYO_DST_1951 ? <<'End' + (CORRECT_TOKYO_DST_1951 < "2018f" ? <<'2018e' : <<'2018f') : <<'End'
+ Asia/Tokyo  Sat May  5 14:59:59 1951 UTC = Sat May  5 23:59:59 1951 JST isdst=0 gmtoff=32400

SOURCES/ruby-3.2.0-git-2.38.1-fix-rubygems-test.patch

@@ -0,0 +1,27 @@
+From dae843f6b7502f921a7e66f39e3714a39d860181 Mon Sep 17 00:00:00 2001
+From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
+Date: Wed, 19 Oct 2022 19:40:00 +0900
+Subject: [PATCH] Bypass git submodule add/update with git config
+ protocol.file.allow=always option.
+
+Co-authored-by: Nobuyoshi Nakada <nobu@ruby-lang.org>
+---
+ test/rubygems/test_gem_source_git.rb | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/test/rubygems/test_gem_source_git.rb b/test/rubygems/test_gem_source_git.rb
+index 5702da05974b6..c3b324771fa4d 100644
+--- a/test/rubygems/test_gem_source_git.rb
++++ b/test/rubygems/test_gem_source_git.rb
+@@ -63,6 +63,11 @@ def test_checkout_local_cached
+   end
+ 
+   def test_checkout_submodules
++    # We need to allow to checkout submodules with file:// protocol
++    # CVE-2022-39253
++    # https://lore.kernel.org/lkml/xmqq4jw1uku5.fsf@gitster.g/
++    system(@git, *%W"config --global protocol.file.allow always")
++
+     source = Gem::Source::Git.new @name, @repository, 'master', true
+ 
+     git_gem 'b'

SOURCES/ruby-3.3.0-openssl-3.2.0-fips-enable-tests.patch

@@ -0,0 +1,32 @@
+From f0b254f1f6610294821bbfc06b414d2af452db5b Mon Sep 17 00:00:00 2001
+From: Jun Aruga <jaruga@redhat.com>
+Date: Thu, 13 Apr 2023 17:28:27 +0200
+Subject: [PATCH] [ruby/openssl] Drop a common logic disabling the FIPS mode in
+ the tests.
+
+We want to run the unit tests in the FIPS mode too.
+
+https://github.com/ruby/openssl/commit/ab92baff34
+---
+ test/openssl/utils.rb | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/test/openssl/utils.rb b/test/openssl/utils.rb
+index 4ebcb9837b..8a0be0d154 100644
+--- a/test/openssl/utils.rb
++++ b/test/openssl/utils.rb
+@@ -1,11 +1,6 @@
+ # frozen_string_literal: true
+ begin
+   require "openssl"
+-
+-  # Disable FIPS mode for tests for installations
+-  # where FIPS mode would be enabled by default.
+-  # Has no effect on all other installations.
+-  OpenSSL.fips_mode=false
+ rescue LoadError
+ end
+ 
+-- 
+2.41.0
+

SOURCES/ruby-3.3.0-openssl-3.2.0-fips-fix-pkey-dh-require-openssl.patch

@@ -0,0 +1,73 @@
+From b6d7cdc2bad0eadbca73f3486917f0ec7a475814 Mon Sep 17 00:00:00 2001
+From: Kazuki Yamaguchi <k@rhe.jp>
+Date: Tue, 29 Aug 2023 19:46:02 +0900
+Subject: [PATCH] [ruby/openssl] ssl: use ffdhe2048 from RFC 7919 as the
+ default DH group parameters
+
+In TLS 1.2 or before, if DH group parameters for DHE are not supplied
+with SSLContext#tmp_dh= or #tmp_dh_callback=, we currently use the
+self-generated parameters added in commit https://github.com/ruby/openssl/commit/bb3399a61c03 ("support 2048
+bit length DH-key", 2016-01-15) as the fallback.
+
+While there is no known weakness in the current parameters, it would be
+a good idea to switch to pre-defined, more well audited parameters.
+
+This also allows the fallback to work in the FIPS mode.
+
+The PEM encoding was derived with:
+
+	# RFC 7919 Appendix A.1. ffdhe2048
+	print OpenSSL::PKey.read(OpenSSL::ASN1::Sequence([OpenSSL::ASN1::Integer((<<-END).split.join.to_i(16)), OpenSSL::ASN1::Integer(2)]).to_der).to_pem
+	    FFFFFFFF FFFFFFFF ADF85458 A2BB4A9A AFDC5620 273D3CF1
+	    D8B9C583 CE2D3695 A9E13641 146433FB CC939DCE 249B3EF9
+	    7D2FE363 630C75D8 F681B202 AEC4617A D3DF1ED5 D5FD6561
+	    2433F51F 5F066ED0 85636555 3DED1AF3 B557135E 7F57C935
+	    984F0C70 E0E68B77 E2A689DA F3EFE872 1DF158A1 36ADE735
+	    30ACCA4F 483A797A BC0AB182 B324FB61 D108A94B B2C8E3FB
+	    B96ADAB7 60D7F468 1D4F42A3 DE394DF4 AE56EDE7 6372BB19
+	    0B07A7C8 EE0A6D70 9E02FCE1 CDF7E2EC C03404CD 28342F61
+	    9172FE9C E98583FF 8E4F1232 EEF28183 C3FE3B1B 4C6FAD73
+	    3BB5FCBC 2EC22005 C58EF183 7D1683B2 C6F34A26 C1B2EFFA
+	    886B4238 61285C97 FFFFFFFF FFFFFFFF
+	END
+
+https://github.com/ruby/openssl/commit/a5527cb4f4
+---
+ ext/openssl/lib/openssl/ssl.rb | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/ext/openssl/lib/openssl/ssl.rb b/ext/openssl/lib/openssl/ssl.rb
+index ea8bb2a18e533..94be6ba80b894 100644
+--- a/ext/openssl/lib/openssl/ssl.rb
++++ b/ext/openssl/lib/openssl/ssl.rb
+@@ -31,21 +31,21 @@ class SSLContext
+       }
+ 
+       if defined?(OpenSSL::PKey::DH)
+-        DEFAULT_2048 = OpenSSL::PKey::DH.new <<-_end_of_pem_
++        DH_ffdhe2048 = OpenSSL::PKey::DH.new <<-_end_of_pem_
+ -----BEGIN DH PARAMETERS-----
+-MIIBCAKCAQEA7E6kBrYiyvmKAMzQ7i8WvwVk9Y/+f8S7sCTN712KkK3cqd1jhJDY
+-JbrYeNV3kUIKhPxWHhObHKpD1R84UpL+s2b55+iMd6GmL7OYmNIT/FccKhTcveab
+-VBmZT86BZKYyf45hUF9FOuUM9xPzuK3Vd8oJQvfYMCd7LPC0taAEljQLR4Edf8E6
+-YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3
+-1bNveX5wInh5GDx1FGhKBZ+s1H+aedudCm7sCgRwv8lKWYGiHzObSma8A86KG+MD
+-7Lo5JquQ3DlBodj3IDyPrxIv96lvRPFtAwIBAg==
++MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
+++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
++87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
++YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
++7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
++ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
+ -----END DH PARAMETERS-----
+         _end_of_pem_
+-        private_constant :DEFAULT_2048
++        private_constant :DH_ffdhe2048
+ 
+         DEFAULT_TMP_DH_CALLBACK = lambda { |ctx, is_export, keylen| # :nodoc:
+           warn "using default DH parameters." if $VERBOSE
+-          DEFAULT_2048
++          DH_ffdhe2048
+         }
+       end
+ 

SOURCES/ruby-3.3.0-openssl-3.2.0-fips-fix-pkey-read-in-openssl-3.patch

@@ -0,0 +1,160 @@
+From 40451afa279c52ce7a508f8a9ec553cfe7a76a10 Mon Sep 17 00:00:00 2001
+From: Jun Aruga <jaruga@redhat.com>
+Date: Wed, 12 Apr 2023 17:15:21 +0200
+Subject: [PATCH] Fix OpenSSL::PKey.read in OpenSSL 3 FIPS module.
+
+This is a combination of the following 2 commits. Because the combined patch is
+easy to merge.
+
+This is the 1st commit message:
+
+[ruby/openssl] Workaround: Fix OpenSSL::PKey.read that cannot parse PKey in the FIPS mode.
+
+This commit is a workaround to avoid the error below that the
+`OpenSSL::PKey.read` fails with the OpenSSL 3.0 FIPS mode.
+
+```
+$ openssl genrsa -out key.pem 4096
+
+$ ruby -e "require 'openssl'; OpenSSL::PKey.read(File.read('key.pem'))"
+-e:1:in `read': Could not parse PKey (OpenSSL::PKey::PKeyError)
+  from -e:1:in `<main>'
+```
+
+The root cause is on the OpenSSL side. The `OSSL_DECODER_CTX_set_selection`
+doesn't apply the selection value properly if there are multiple providers, and
+a provider (e.g.  "base" provider) handles the decoder implementation, and
+another provider (e.g. "fips" provider) handles the keys.
+
+The workaround is to create `OSSL_DECODER_CTX` variable each time without using
+the `OSSL_DECODER_CTX_set_selection`.
+
+https://github.com/ruby/openssl/commit/5ff4a31621
+
+This is the commit message #2:
+
+[ruby/openssl] ossl_pkey.c: Workaround: Decode with non-zero selections.
+
+This is a workaround for the decoding issue in ossl_pkey_read_generic().
+The issue happens in the case that a key management provider is different from
+a decoding provider.
+
+Try all the non-zero selections in order, instead of selection 0 for OpenSSL 3
+to avoid the issue.
+
+https://github.com/ruby/openssl/commit/db688fa739
+---
+ ext/openssl/ossl_pkey.c | 78 ++++++++++++++++++++++++++++++++++++++---
+ 1 file changed, 73 insertions(+), 5 deletions(-)
+
+diff --git a/ext/openssl/ossl_pkey.c b/ext/openssl/ossl_pkey.c
+index 24d0da4683..15854aeca1 100644
+--- a/ext/openssl/ossl_pkey.c
++++ b/ext/openssl/ossl_pkey.c
+@@ -81,18 +81,20 @@ ossl_pkey_new(EVP_PKEY *pkey)
+ #if OSSL_OPENSSL_PREREQ(3, 0, 0)
+ # include <openssl/decoder.h>
+ 
+-EVP_PKEY *
+-ossl_pkey_read_generic(BIO *bio, VALUE pass)
++static EVP_PKEY *
++ossl_pkey_read(BIO *bio, const char *input_type, int selection, VALUE pass)
+ {
+     void *ppass = (void *)pass;
+     OSSL_DECODER_CTX *dctx;
+     EVP_PKEY *pkey = NULL;
+     int pos = 0, pos2;
+ 
+-    dctx = OSSL_DECODER_CTX_new_for_pkey(&pkey, "DER", NULL, NULL, 0, NULL, NULL);
++    dctx = OSSL_DECODER_CTX_new_for_pkey(&pkey, input_type, NULL, NULL,
++                                         selection, NULL, NULL);
+     if (!dctx)
+         goto out;
+-    if (OSSL_DECODER_CTX_set_pem_password_cb(dctx, ossl_pem_passwd_cb, ppass) != 1)
++    if (OSSL_DECODER_CTX_set_pem_password_cb(dctx, ossl_pem_passwd_cb,
++                                             ppass) != 1)
+         goto out;
+ 
+     /* First check DER */
+@@ -111,11 +113,77 @@ ossl_pkey_read_generic(BIO *bio, VALUE pass)
+             goto out;
+         pos = pos2;
+     }
+-
+   out:
++    OSSL_BIO_reset(bio);
+     OSSL_DECODER_CTX_free(dctx);
+     return pkey;
+ }
++
++EVP_PKEY *
++ossl_pkey_read_generic(BIO *bio, VALUE pass)
++{
++    EVP_PKEY *pkey = NULL;
++    /* First check DER, then check PEM. */
++    const char *input_types[] = {"DER", "PEM"};
++    int input_type_num = (int)(sizeof(input_types) / sizeof(char *));
++    /*
++     * Non-zero selections to try to decode.
++     *
++     * See EVP_PKEY_fromdata(3) - Selections to see all the selections.
++     *
++     * This is a workaround for the decoder failing to decode or returning
++     * bogus keys with selection 0, if a key management provider is different
++     * from a decoder provider. The workaround is to avoid using selection 0.
++     *
++     * Affected OpenSSL versions: >= 3.1.0, <= 3.1.2, or >= 3.0.0, <= 3.0.10
++     * Fixed OpenSSL versions: 3.2, next release of the 3.1.z and 3.0.z
++     *
++     * See https://github.com/openssl/openssl/pull/21519 for details.
++     *
++     * First check for private key formats (EVP_PKEY_KEYPAIR). This is to keep
++     * compatibility with ruby/openssl < 3.0 which decoded the following as a
++     * private key.
++     *
++     *     $ openssl ecparam -name prime256v1 -genkey -outform PEM
++     *     -----BEGIN EC PARAMETERS-----
++     *     BggqhkjOPQMBBw==
++     *     -----END EC PARAMETERS-----
++     *     -----BEGIN EC PRIVATE KEY-----
++     *     MHcCAQEEIAG8ugBbA5MHkqnZ9ujQF93OyUfL9tk8sxqM5Wv5tKg5oAoGCCqGSM49
++     *     AwEHoUQDQgAEVcjhJfkwqh5C7kGuhAf8XaAjVuG5ADwb5ayg/cJijCgs+GcXeedj
++     *     86avKpGH84DXUlB23C/kPt+6fXYlitUmXQ==
++     *     -----END EC PRIVATE KEY-----
++     *
++     * While the first PEM block is a proper encoding of ECParameters, thus
++     * OSSL_DECODER_from_bio() would pick it up, ruby/openssl used to return
++     * the latter instead. Existing applications expect this behavior.
++     *
++     * Note that normally, the input is supposed to contain a single decodable
++     * PEM block only, so this special handling should not create a new problem.
++     *
++     * Note that we need to create the OSSL_DECODER_CTX variable each time when
++     * we use the different selection as a workaround.
++     * See https://github.com/openssl/openssl/issues/20657 for details.
++     */
++    int selections[] = {
++        EVP_PKEY_KEYPAIR,
++        EVP_PKEY_KEY_PARAMETERS,
++        EVP_PKEY_PUBLIC_KEY
++    };
++    int selection_num = (int)(sizeof(selections) / sizeof(int));
++    int i, j;
++
++    for (i = 0; i < input_type_num; i++) {
++        for (j = 0; j < selection_num; j++) {
++            pkey = ossl_pkey_read(bio, input_types[i], selections[j], pass);
++            if (pkey) {
++                goto out;
++            }
++        }
++    }
++  out:
++    return pkey;
++}
+ #else
+ EVP_PKEY *
+ ossl_pkey_read_generic(BIO *bio, VALUE pass)
+-- 
+2.41.0
+

SOURCES/ruby-3.3.0-openssl-3.2.0-fix-fips-get-set-in-openssl-3.patch

@@ -0,0 +1,142 @@
+From 29920ec109751459a65c6478525f2e59c644891f Mon Sep 17 00:00:00 2001
+From: Jun Aruga <jaruga@redhat.com>
+Date: Thu, 16 Mar 2023 21:36:43 +0100
+Subject: [PATCH] [ruby/openssl] Implement FIPS functions on OpenSSL 3.
+
+This commit is to implement the `OpenSSL::OPENSSL_FIPS`, `ossl_fips_mode_get`
+and `ossl_fips_mode_set` to pass the test `test/openssl/test_fips.rb`.
+
+It seems that the `OPENSSL_FIPS` macro is not used on the FIPS mode case any
+more, and some FIPS related APIs also were removed in OpenSSL 3.
+
+See the document <https://github.com/openssl/openssl/blob/master/doc/man7/migration_guide.pod#removed-fips_mode-and-fips_mode_set>
+the section OPENSSL 3.0 > Main Changes from OpenSSL 1.1.1 >
+Other notable deprecations and changes - Removed FIPS_mode() and FIPS_mode_set() .
+
+The `OpenSSL::OPENSSL_FIPS` returns always true in OpenSSL 3 because the used
+functions `EVP_default_properties_enable_fips` and `EVP_default_properties_is_fips_enabled`
+works with the OpenSSL installed without FIPS option.
+
+The `TEST_RUBY_OPENSSL_FIPS_ENABLED` is set on the FIPS mode case on the CI.
+Because I want to test that the `OpenSSL.fips_mode` returns the `true` or
+'false' surely in the CI. You can test the FIPS mode case by setting
+`TEST_RUBY_OPENSSL_FIPS_ENABLED` on local too. Right now I don't find a better
+way to get the status of the FIPS mode enabled or disabled for this purpose. I
+am afraid of the possibility that the FIPS test case is unintentionally skipped.
+
+I also replaced the ambiguous "returns" with "should return" in the tests.
+
+https://github.com/ruby/openssl/commit/c5b2bc1268
+---
+ ext/openssl/ossl.c        | 25 +++++++++++++++++++++----
+ test/openssl/test_fips.rb | 32 ++++++++++++++++++++++++++++----
+ 2 files changed, 49 insertions(+), 8 deletions(-)
+
+diff --git a/ext/openssl/ossl.c b/ext/openssl/ossl.c
+index 6c532aca94..fcf3744c65 100644
+--- a/ext/openssl/ossl.c
++++ b/ext/openssl/ossl.c
+@@ -405,7 +405,11 @@ static VALUE
+ ossl_fips_mode_get(VALUE self)
+ {
+ 
+-#ifdef OPENSSL_FIPS
++#if OSSL_OPENSSL_PREREQ(3, 0, 0)
++    VALUE enabled;
++    enabled = EVP_default_properties_is_fips_enabled(NULL) ? Qtrue : Qfalse;
++    return enabled;
++#elif OPENSSL_FIPS
+     VALUE enabled;
+     enabled = FIPS_mode() ? Qtrue : Qfalse;
+     return enabled;
+@@ -429,8 +433,18 @@ ossl_fips_mode_get(VALUE self)
+ static VALUE
+ ossl_fips_mode_set(VALUE self, VALUE enabled)
+ {
+-
+-#ifdef OPENSSL_FIPS
++#if OSSL_OPENSSL_PREREQ(3, 0, 0)
++    if (RTEST(enabled)) {
++        if (!EVP_default_properties_enable_fips(NULL, 1)) {
++            ossl_raise(eOSSLError, "Turning on FIPS mode failed");
++        }
++    } else {
++        if (!EVP_default_properties_enable_fips(NULL, 0)) {
++            ossl_raise(eOSSLError, "Turning off FIPS mode failed");
++        }
++    }
++    return enabled;
++#elif OPENSSL_FIPS
+     if (RTEST(enabled)) {
+ 	int mode = FIPS_mode();
+ 	if(!mode && !FIPS_mode_set(1)) /* turning on twice leads to an error */
+@@ -1185,7 +1199,10 @@ Init_openssl(void)
+      * Boolean indicating whether OpenSSL is FIPS-capable or not
+      */
+     rb_define_const(mOSSL, "OPENSSL_FIPS",
+-#ifdef OPENSSL_FIPS
++/* OpenSSL 3 is FIPS-capable even when it is installed without fips option */
++#if OSSL_OPENSSL_PREREQ(3, 0, 0)
++                    Qtrue
++#elif OPENSSL_FIPS
+ 		    Qtrue
+ #else
+ 		    Qfalse
+diff --git a/test/openssl/test_fips.rb b/test/openssl/test_fips.rb
+index 8cd474f9a3..56a12a94ce 100644
+--- a/test/openssl/test_fips.rb
++++ b/test/openssl/test_fips.rb
+@@ -4,22 +4,46 @@
+ if defined?(OpenSSL)
+ 
+ class OpenSSL::TestFIPS < OpenSSL::TestCase
++  def test_fips_mode_get_is_true_on_fips_mode_enabled
++    unless ENV["TEST_RUBY_OPENSSL_FIPS_ENABLED"]
++      omit "Only for FIPS mode environment"
++    end
++
++    assert_separately([{ "OSSL_MDEBUG" => nil }, "-ropenssl"], <<~"end;")
++      assert OpenSSL.fips_mode == true, ".fips_mode should return true on FIPS mode enabled"
++    end;
++  end
++
++  def test_fips_mode_get_is_false_on_fips_mode_disabled
++    if ENV["TEST_RUBY_OPENSSL_FIPS_ENABLED"]
++      omit "Only for non-FIPS mode environment"
++    end
++
++    assert_separately([{ "OSSL_MDEBUG" => nil }, "-ropenssl"], <<~"end;")
++      message = ".fips_mode should return false on FIPS mode disabled. " \
++                "If you run the test on FIPS mode, please set " \
++                "TEST_RUBY_OPENSSL_FIPS_ENABLED=true"
++      assert OpenSSL.fips_mode == false, message
++    end;
++  end
++
+   def test_fips_mode_is_reentrant
+     OpenSSL.fips_mode = false
+     OpenSSL.fips_mode = false
+   end
+ 
+-  def test_fips_mode_get
+-    return unless OpenSSL::OPENSSL_FIPS
++  def test_fips_mode_get_with_fips_mode_set
++    omit('OpenSSL is not FIPS-capable') unless OpenSSL::OPENSSL_FIPS
++
+     assert_separately([{ "OSSL_MDEBUG" => nil }, "-ropenssl"], <<~"end;")
+       require #{__FILE__.dump}
+ 
+       begin
+         OpenSSL.fips_mode = true
+-        assert OpenSSL.fips_mode == true, ".fips_mode returns true when .fips_mode=true"
++        assert OpenSSL.fips_mode == true, ".fips_mode should return true when .fips_mode=true"
+ 
+         OpenSSL.fips_mode = false
+-        assert OpenSSL.fips_mode == false, ".fips_mode returns false when .fips_mode=false"
++        assert OpenSSL.fips_mode == false, ".fips_mode should return false when .fips_mode=false"
+       rescue OpenSSL::OpenSSLError
+         pend "Could not set FIPS mode (OpenSSL::OpenSSLError: \#$!); skipping"
+       end
+-- 
+2.41.0
+

SOURCES/ruby-3.3.0-test-file-utime.patch

@@ -0,0 +1,36 @@
+From 8d1109c03bacc952b6218af2e4ae9b74c9855273 Mon Sep 17 00:00:00 2001
+From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
+Date: Wed, 22 Mar 2023 16:10:06 +0900
+Subject: [PATCH] Added assertion values for Amazon Linux 2023
+
+---
+ spec/ruby/core/file/utime_spec.rb | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/spec/ruby/core/file/utime_spec.rb b/spec/ruby/core/file/utime_spec.rb
+index a191e2924037c..0b0e4f979c935 100644
+--- a/spec/ruby/core/file/utime_spec.rb
++++ b/spec/ruby/core/file/utime_spec.rb
+@@ -72,17 +72,19 @@
+ 
+   platform_is :linux do
+     platform_is wordsize: 64 do
+-      it "allows Time instances in the far future to set mtime and atime (but some filesystems limit it up to 2446-05-10 or 2038-01-19)" do
++      it "allows Time instances in the far future to set mtime and atime (but some filesystems limit it up to 2446-05-10 or 2038-01-19 or 2486-07-02)" do
+         # https://ext4.wiki.kernel.org/index.php/Ext4_Disk_Layout#Inode_Timestamps
+         # "Therefore, timestamps should not overflow until May 2446."
+         # https://lwn.net/Articles/804382/
+         # "On-disk timestamps hitting the y2038 limit..."
+         # The problem seems to be being improved, but currently it actually fails on XFS on RHEL8
+         # https://rubyci.org/logs/rubyci.s3.amazonaws.com/rhel8/ruby-master/log/20201112T123004Z.fail.html.gz
++        # Amazon Linux 2023 returns 2486-07-02 in this example
++        # http://rubyci.s3.amazonaws.com/amazon2023/ruby-master/log/20230322T063004Z.fail.html.gz
+         time = Time.at(1<<44)
+         File.utime(time, time, @file1)
+-        [559444, 2446, 2038].should.include? File.atime(@file1).year
+-        [559444, 2446, 2038].should.include? File.mtime(@file1).year
++        [559444, 2486, 2446, 2038].should.include? File.atime(@file1).year
++        [559444, 2486, 2446, 2038].should.include? File.mtime(@file1).year
+       end
+     end
+   end

SOURCES/ruby-spec-Fix-tests-on-tzdata-2022b.patch

@@ -0,0 +1,40 @@
+From 7e9ec8a20b0f7469b415283d2ec0c22087f8eb2b Mon Sep 17 00:00:00 2001
+From: Jun Aruga <jaruga@redhat.com>
+Date: Wed, 24 Aug 2022 12:02:56 +0200
+Subject: [PATCH] Fix tests with Europe/Amsterdam pre-1970 time on tzdata
+ version 2022b.
+
+The Time Zone Database (tzdata) changed the pre-1970 timestamps in some zones
+including Europe/Amsterdam on tzdata version 2022b or later.
+See <https://github.com/eggert/tz/commit/35fa37fbbb152f5dbed4fd5edfdc968e3584fe12>.
+
+The tzdata RPM package maintainer on Fedora project suggested changing the Ruby
+test, because the change is intentional.
+See <https://bugzilla.redhat.com/show_bug.cgi?id=2118259#c1>.
+
+We use post-1970 time test data to simplify the test.
+---
+ core/time/shared/local.rb | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/spec/ruby/core/time/shared/local.rb b/spec/ruby/core/time/shared/local.rb
+index 43f331c4c..c4aa7a7ea 100644
+--- a/spec/ruby/core/time/shared/local.rb
++++ b/spec/ruby/core/time/shared/local.rb
+@@ -8,10 +8,10 @@ describe :time_local, shared: true do
+ 
+   platform_is_not :windows do
+     describe "timezone changes" do
+-      it "correctly adjusts the timezone change to 'CEST' on 'Europe/Amsterdam'" do
++      it "correctly adjusts the timezone change to 'CET' on 'Europe/Amsterdam'" do
+         with_timezone("Europe/Amsterdam") do
+-          Time.send(@method, 1940, 5, 16).to_a.should ==
+-            [0, 40, 1, 16, 5, 1940, 4, 137, true, "CEST"]
++          Time.send(@method, 1970, 5, 16).to_a.should ==
++            [0, 0, 0, 16, 5, 1970, 6, 136, false, "CET"]
+         end
+       end
+     end
+-- 
+2.36.1
+

SOURCES/test_openssl_fips.rb

@@ -0,0 +1,34 @@
+require 'openssl'
+
+# Run openssl tests in OpenSSL FIPS. See the link below for how to test.
+# https://github.com/ruby/openssl/blob/master/.github/workflows/test.yml
+# - step name: test on fips module
+
+# Listing the testing files by an array explicitly rather than the `Dir.glob`
+# to prevent the test files from not loading unintentionally.
+TEST_FILES = %w[
+  test/openssl/test_fips.rb
+  test/openssl/test_pkey.rb
+].freeze
+
+if ARGV.empty?
+  puts 'ERROR: Argument base_dir required.'
+  puts "Usage: #{__FILE__} base_dir [options]"
+  exit false
+end
+BASE_DIR = ARGV[0]
+abs_test_files = TEST_FILES.map { |file| File.join(BASE_DIR, file) }
+
+# Set Fedora/RHEL downstream OpenSSL downstream environment variable to enable
+# FIPS module in non-FIPS OS environment. It is available in Fedora 38 or later
+# versions.
+# https://src.fedoraproject.org/rpms/openssl/blob/rawhide/f/0009-Add-Kernel-FIPS-mode-flag-support.patch
+ENV['OPENSSL_FORCE_FIPS_MODE'] = '1'
+# A flag to tell the tests the current environment is FIPS enabled.
+# https://github.com/ruby/openssl/blob/master/test/openssl/test_fips.rb
+ENV['TEST_RUBY_OPENSSL_FIPS_ENABLED'] = 'true'
+
+abs_test_files.each do |file|
+  puts "INFO: Loading #{file}."
+  require file
+end

SPECS/ruby.spec

@@ -22,7 +22,7 @@
 %endif
 
 
-%global release 160
+%global release 161
 %{!?release_string:%define release_string %{?development_release:0.}%{release}%{?development_release:.%{development_release}}%{?dist}}
 
 # The RubyGems library has to stay out of Ruby directory tree, since the
@@ -106,6 +106,8 @@ Source11: rubygems.con
 Source13: test_abrt.rb
 # SystemTap tests.
 Source14: test_systemtap.rb
+# Ruby OpenSSL FIPS tests.
+Source15: test_openssl_fips.rb
 
 # The load directive is supported since RPM 4.12, i.e. F21+. The build process
 # fails on older Fedoras.
@@ -261,6 +263,38 @@ Patch59: ruby-3.1.1-ossl_ocsp-use-null.patch
 # Replace SHA1 usage in tests.
 # https://github.com/ruby/openssl/pull/511
 Patch60: ruby-3.1.2-ossl-tests-replace-sha1.patch
+# Bypass git submodule test failure on Git >= 2.38.1.
+# https://github.com/ruby/ruby/pull/6587
+Patch61: ruby-3.2.0-git-2.38.1-fix-rubygems-test.patch
+# Fix tests with Europe/Amsterdam pre-1970 time on tzdata version 2022b.
+# https://github.com/ruby/spec/pull/939
+Patch62: ruby-spec-Fix-tests-on-tzdata-2022b.patch
+# Fix Time Zone Database 2022g.
+# https://bugs.ruby-lang.org/issues/19187
+# https://github.com/ruby/ruby/commit/a1124dc162810f86cb0bff58cde24064cfc561bc
+Patch63: ruby-3.1.3-Fix-for-tzdata-2022g.patch
+# Fix File.utime test.
+# https://github.com/ruby/ruby/commit/8d1109c03bacc952b6218af2e4ae9b74c9855273
+Patch64: ruby-3.3.0-test-file-utime.patch
+# Fix OpenSSL.fips_mode in OpenSSL 3 FIPS.
+# https://github.com/ruby/openssl/pull/608
+# https://github.com/ruby/ruby/commit/678d41bc51fe31834eec0b653ba0e47de5420aa0
+Patch65: ruby-3.3.0-openssl-3.2.0-fix-fips-get-set-in-openssl-3.patch
+# Fix OpenSSL::PKey.read in OpenSSL 3 FIPS.
+# The patch is a combination of the following 2 commits to simplify the patch.
+# https://github.com/ruby/openssl/pull/615
+# https://github.com/ruby/ruby/commit/2a4834057b30a26c38ece3961b370c0b2ee59380
+# https://github.com/ruby/openssl/pull/669
+# https://github.com/ruby/ruby/commit/b0ec1db8a72c530460abd9462ac75845362886bd
+Patch66: ruby-3.3.0-openssl-3.2.0-fips-fix-pkey-read-in-openssl-3.patch
+# Enable tests in OpenSSL FIPS.
+# https://github.com/ruby/openssl/pull/615
+# https://github.com/ruby/ruby/commit/920bc71284f417f9044b0dc1822b1d29a8fc61e5
+Patch67: ruby-3.3.0-openssl-3.2.0-fips-enable-tests.patch
+# ssl: use ffdhe2048 from RFC 7919 as the default DH group parameters
+# https://github.com/ruby/openssl/pull/674
+# https://github.com/ruby/ruby/commit/b6d7cdc2bad0eadbca73f3486917f0ec7a475814
+Patch68: ruby-3.3.0-openssl-3.2.0-fips-fix-pkey-dh-require-openssl.patch
 
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 Suggests: rubypick
@@ -726,6 +760,14 @@ rm -rf ext/fiddle/libffi*
 %patch58 -p1
 %patch59
 %patch60 -p1
+%patch61 -p1
+%patch62 -p1
+%patch63 -p1
+%patch64 -p1
+%patch65 -p1
+%patch66 -p1
+%patch67 -p1
+%patch68 -p1
 
 # Provide an example of usage of the tapset:
 cp -a %{SOURCE3} .
@@ -1017,6 +1059,11 @@ OPENSSL_ENABLE_SHA1_SIGNATURES=1 \
 %{?test_timeout_scale:RUBY_TEST_TIMEOUT_SCALE="%{test_timeout_scale}"} \
   make check TESTS="-v $DISABLE_TESTS" MSPECOPT="-fs $MSPECOPTS"
 
+# Run Ruby OpenSSL tests in OpenSSL FIPS.
+make runruby TESTRUN_SCRIPT=" \
+  -I%{_builddir}/%{buildsubdir}/tool/lib --enable-gems \
+  %{SOURCE15} %{_builddir}/%{buildsubdir} --verbose"
+
 %files
 %license BSDL
 %license COPYING
@@ -1489,11 +1536,23 @@ OPENSSL_ENABLE_SHA1_SIGNATURES=1 \
 
 
 %changelog
+* Mon Oct 09 2023 Jun Aruga <jaruga@redhat.com> - 3.0.4-161
+- Fix OpenSSL.fips_mode and OpenSSL::PKey.read in OpenSSL 3 FIPS.
+  Resolves: RHEL-12724
+- ssl: use ffdhe2048 from RFC 7919 as the default DH group parameters
+  Related: RHEL-12724
+
+* Wed Jun 28 2023 Jun Aruga <jaruga@redhat.com> - 3.0.4-160
+- Bypass git submodule test failure on Git >= 2.38.1.
+- Fix tests with Europe/Amsterdam pre-1970 time on tzdata version 2022b.
+- Fix for tzdata-2022g.
+- Fix File.utime test.
+
 * Fri Jul 08 2022 Jarek Prokop <jprokop@redhat.com> - 3.0.4-160
 - Upgrade to Ruby 3.0.4.
-  Resolves: rhbz#2109428
+  Resolves: rhbz#2096347
 - OpenSSL test suite fixes due to disabled SHA1.
-  Related: rbhz#2109428
+  Resolves: rbhz#2107696
 - Fix double free in Regexp compilation.
   Resolves: CVE-2022-28738
 - Fix buffer overrun in String-to-Float conversion.