This commit fixes the following failures in OpenSSL FIPS using the
`OPENSSL_FORCE_FIPS_MODE=1` in CentOS stream 9 non-FIPS OS environment.
```
$ cat /etc/redhat-release
CentOS Stream release 9
$ rpm -q openssl
openssl-3.0.7-24.el9.x86_64
$ pwd
/builddir/build/BUILD/ruby-3.1.2
$ make runruby 'TESTRUN_SCRIPT= \
-I/builddir/build/BUILD/ruby-3.1.2/tool/lib --enable-gems \
/builddir/build/SOURCES/test_openssl_fips.rb /builddir/build/BUILD/ruby-3.1.2 --verbose'
...
1) Failure:
OpenSSL::TestFIPS#test_fips_mode_get_with_fips_mode_set [/builddir/build/BUILD/ruby-3.1.2/test/openssl/test_fips.rb:38]:
assert_separately failed with error message
pid 2043890 exit 1
| /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/pkey.rb:132:in `initialize': could not parse pkey (OpenSSL::PKey::DHError)
| from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/pkey.rb:132:in `new'
| from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/pkey.rb:132:in `new'
| from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/ssl.rb:34:in `<class:SSLContext>'
| from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/ssl.rb:20:in `<module:SSL>'
| from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/ssl.rb:19:in `<module:OpenSSL>'
| from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/ssl.rb:18:in `<top (required)>'
| from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl.rb:21:in `require_relative'
| from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl.rb:21:in `<top (required)>'
| from -:in `require'
2) Failure:
OpenSSL::TestFIPS#test_fips_mode_get_is_true_on_fips_mode_enabled [/builddir/build/BUILD/ruby-3.1.2/test/openssl/test_fips.rb:12]:
assert_separately failed with error message
pid 2043891 exit 1
| /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/pkey.rb:132:in `initialize': could not parse pkey (OpenSSL::PKey::DHError)
| from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/pkey.rb:132:in `new'
| from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/pkey.rb:132:in `new'
| from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/ssl.rb:34:in `<class:SSLContext>'
| from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/ssl.rb:20:in `<module:SSL>'
| from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/ssl.rb:19:in `<module:OpenSSL>'
| from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/ssl.rb:18:in `<top (required)>'
| from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl.rb:21:in `require_relative'
| from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl.rb:21:in `<top (required)>'
| from -:in `require'
Finished tests in 0.154373s, 77.7337 tests/s, 369.2351 assertions/s.
12 tests, 57 assertions, 2 failures, 0 errors, 1 skips
ruby -v: ruby 3.1.2p20 (2022-04-12 revision 4491bb740a) [x86_64-linux]
make: *** [uncommon.mk:1249: runruby] Error 2
```
Note that we obverved the issue in RHEL 9.4 Beta non-FIPS OS environment too.
The error happened by applying the patch
ruby-3.3.0-openssl-3.2.0-fips-fix-pkey-read-in-openssl-3.patch
rewriting the `ossl_pkey_read_generic` properly.
The error didn't happen without the patch.
```
$ cat /etc/redhat-release
Red Hat Enterprise Linux release 9.4 Beta (Plow)
$ OPENSSL_FORCE_FIPS_MODE=1 bundle exec ruby -I./lib -e "require 'openssl'"
/builddir/work/ruby/openssl/lib/openssl/pkey.rb:132:in `initialize': could not parse pkey (OpenSSL::PKey::DHError)
from /builddir/work/ruby/openssl/lib/openssl/pkey.rb:132:in `new'
from /builddir/work/ruby/openssl/lib/openssl/pkey.rb:132:in `new'
from /builddir/work/ruby/openssl/lib/openssl/ssl.rb:34:in `<class:SSLContext>'
from /builddir/work/ruby/openssl/lib/openssl/ssl.rb:20:in `<module:SSL>'
from /builddir/work/ruby/openssl/lib/openssl/ssl.rb:19:in `<module:OpenSSL>'
from /builddir/work/ruby/openssl/lib/openssl/ssl.rb:18:in `<top (required)>'
from /builddir/work/ruby/openssl/lib/openssl.rb:21:in `require_relative'
from /builddir/work/ruby/openssl/lib/openssl.rb:21:in `<top (required)>'
from -e:1:in `require'
from -e:1:in `<main>'
```
Related: RHEL-12724
This commit is to fix the following test failure on CentOS Stream Zuul CI
mock-build.
```
DEBUG: 1)
DEBUG: File.utime allows Time instances in the far future to set mtime and atime (but some filesystems limit it up to 2446-05-10 or 2038-01-19) FAILED
DEBUG: Expected [559444, 2446, 2038].include? 2486
DEBUG: to be truthy but was false
DEBUG: /builddir/build/BUILD/ruby-3.0.4/spec/ruby/core/file/utime_spec.rb:84:in `block (4 levels) in <top (required)>'
DEBUG: /builddir/build/BUILD/ruby-3.0.4/spec/ruby/core/file/utime_spec.rb:3:in `<top (required)>'
DEBUG: Finished in 77.102196 seconds
DEBUG: 3769 files, 30810 examples, 179414 expectations, 1 failure, 0 errors, 0 tagged
```
Related: rhbz#2173531
This commit was cherry-picked from Fedora rawhide
<f8ef5964d0>.
This fixes the test failures related to the Singapore time zone like below.
```
2) Failure:
TestTimeTZ#test_asia_singapore [/builddir/build/BUILD/ruby-3.0.4/test/ruby/test_time_tz.rb:143]:
TZ=Asia/Singapore Time.local(1981, 12, 31, 23, 59, 59).
<"1981-12-31 23:59:59 +0730"> expected but was
<"1982-01-01 00:29:59 +0800">.
```
Related: rhbz#2173531
This commit was cherry-picked from Fedora rawhide
<ad7f78b5c8>.
This fixes the test failures related to the Amsterdam time zone like below.
```
1)
Time.local timezone changes correctly adjusts the timezone change to 'CEST' on 'Europe/Amsterdam' FAILED
Expected [0, 0, 0, 16, 5, 1940, 4, 137, true, "WEST"] == [0, 40, 1, 16, 5, 1940, 4, 137, true, "CEST"]
to be truthy but was false
/builddir/build/BUILD/ruby-3.0.4/spec/ruby/core/time/shared/local.rb:13:in `block (5 levels) in <top (required)>'
/builddir/build/BUILD/ruby-3.0.4/spec/ruby/core/time/shared/local.rb:12:in `block (4 levels) in <top (required)>'
/builddir/build/BUILD/ruby-3.0.4/spec/ruby/core/time/local_spec.rb:5:in `<top (required)>'
```
Related: rhbz#2173531
This commit was cherry-picked from Fedora rawhide
<79d75fdcdd>.
This fixes the following test failure.
```
1) Failure:
TestGemSourceGit#test_checkout_submodules [/builddir/build/BUILD/ruby-3.0.4/test/rubygems/test_gem_source_git.rb:72]:
fatal: transport 'file' not allowed
fatal: clone of '/builddir/build/BUILD/ruby-3.0.4/tmp/test_rubygems_20230627-4031323-yppcjj/git/b' into submodule path '/builddir/build/BUILD/ruby-3.0.4/tmp/test_rubygems_20230627-4031323-yppcjj/git/a/b' failed
```
Resolves: rhbz#2173531
Backport OpenSSL test suite fixes from the C9S branch stream-ruby-3.1-rhel-9.1.0
Patches were backported from commit: 20188a8a3f .
Changes:
Firstly, replace SHA1 with SHA256 and higher in tests.
SHA1 is disabled by default on C9S and RHEL 9.
Secondly, apply ossl_ocsp-use-null patch.
C9S/RHEL9 have SHA1 disabled by default, so using the OCSP with
default arguments on a default C9S/RHEL9 installation will result in an
OpenSSL error. This patch, when OCSP does not receive a digest explicitly, will
let OpenSSL decide which digest to use instead of using a default, thus
preventing usage of disabled digests.
See <https://github.com/ruby/openssl/pull/507>.
OPENSSL_ENABLE_SHA1_SIGNATURES=1 enables SHA1 for
OpenSSL in order to enable tests using SHA1 certificates, at least running
the tests is preferable to not running them at all.
Resolves: rbhz#2107696
This is based on origina PR with official patches which landed in
[ruby/openssl](https://github.com/ruby/openssl) repository and should
reflect the state of OpenSSL 3 support in Ruby 3.1.
Resolves: rhbz#1952925
In Ruby 3.0.3, a new logic with the hard-coded "libc.so.6" to detect glibc
works on PPC, both Power 8 and 9.
See <https://bugs.ruby-lang.org/issues/12666#note-13>.
Note the logic also fixes the following error on a Power 9 environment where
the path is `/lib64/glibc-hwcaps/power9/libc-2.28.so`.
```
/builddir/build/BUILD/ruby-2.6.9/.ext/common/fiddle/import.rb:299:in `import_function': cannot find the function: strcpy() (Fiddle::DLError)
from /builddir/build/BUILD/ruby-2.6.9/.ext/common/fiddle/import.rb:172:in `extern'
from /builddir/build/BUILD/ruby-2.6.9/test/fiddle/test_import.rb:17:in `<module:LIBC>'
from /builddir/build/BUILD/ruby-2.6.9/test/fiddle/test_import.rb:10:in `<module:Fiddle>'
from /builddir/build/BUILD/ruby-2.6.9/test/fiddle/test_import.rb:9:in `<top (required)>'
from /builddir/build/BUILD/ruby-2.6.9/test/lib/test/unit.rb:958:in `require'
from /builddir/build/BUILD/ruby-2.6.9/test/lib/test/unit.rb:958:in `block in non_options'
from /builddir/build/BUILD/ruby-2.6.9/test/lib/test/unit.rb:952:in `each'
from /builddir/build/BUILD/ruby-2.6.9/test/lib/test/unit.rb:952:in `non_options'
from /builddir/build/BUILD/ruby-2.6.9/test/lib/test/unit.rb:64:in `process_args'
from /builddir/build/BUILD/ruby-2.6.9/test/lib/test/unit.rb:130:in `process_args'
from /builddir/build/BUILD/ruby-2.6.9/test/lib/test/unit.rb:1136:in `process_args'
from /builddir/build/BUILD/ruby-2.6.9/test/lib/test/unit.rb:1141:in `run'
from /builddir/build/BUILD/ruby-2.6.9/test/lib/test/unit.rb:1148:in `run'
from ./test/runner.rb:33:in `<main>'
```
Related: rhbz#2049693
- Fix command injection vulnerability in RDoc.
- Fix FTP PASV command response can cause Net::FTP to connect to arbitrary host.
- Fix StartTLS stripping vulnerability in Net::IMAP
- Fix dependencies of gems with explicit source installed from a
different source.
Resolves: CVE-2021-31810
Resolves: CVE-2021-32066
Resolves: CVE-2021-31799
Resolves: CVE-2020-36327
