An interpreter of object-oriented scripting language
Go to file
Jun Aruga 59242d8ce8 ssl: use ffdhe2048 from RFC 7919 as the default DH group parameter
This commit fixes the following failures in OpenSSL FIPS using the
`OPENSSL_FORCE_FIPS_MODE=1` in CentOS stream 9 non-FIPS OS environment.

```
$ cat /etc/redhat-release
CentOS Stream release 9

$ rpm -q openssl
openssl-3.0.7-24.el9.x86_64

$ pwd
/builddir/build/BUILD/ruby-3.1.2

$ make runruby 'TESTRUN_SCRIPT= \
   -I/builddir/build/BUILD/ruby-3.1.2/tool/lib --enable-gems \
   /builddir/build/SOURCES/test_openssl_fips.rb /builddir/build/BUILD/ruby-3.1.2 --verbose'
...
  1) Failure:
OpenSSL::TestFIPS#test_fips_mode_get_with_fips_mode_set [/builddir/build/BUILD/ruby-3.1.2/test/openssl/test_fips.rb:38]:
assert_separately failed with error message
pid 2043890 exit 1
| /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/pkey.rb:132:in `initialize': could not parse pkey (OpenSSL::PKey::DHError)
| 	from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/pkey.rb:132:in `new'
| 	from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/pkey.rb:132:in `new'
| 	from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/ssl.rb:34:in `<class:SSLContext>'
| 	from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/ssl.rb:20:in `<module:SSL>'
| 	from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/ssl.rb:19:in `<module:OpenSSL>'
| 	from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/ssl.rb:18:in `<top (required)>'
| 	from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl.rb:21:in `require_relative'
| 	from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl.rb:21:in `<top (required)>'
| 	from -:in `require'
  2) Failure:
OpenSSL::TestFIPS#test_fips_mode_get_is_true_on_fips_mode_enabled [/builddir/build/BUILD/ruby-3.1.2/test/openssl/test_fips.rb:12]:
assert_separately failed with error message
pid 2043891 exit 1
| /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/pkey.rb:132:in `initialize': could not parse pkey (OpenSSL::PKey::DHError)
| 	from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/pkey.rb:132:in `new'
| 	from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/pkey.rb:132:in `new'
| 	from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/ssl.rb:34:in `<class:SSLContext>'
| 	from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/ssl.rb:20:in `<module:SSL>'
| 	from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/ssl.rb:19:in `<module:OpenSSL>'
| 	from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/ssl.rb:18:in `<top (required)>'
| 	from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl.rb:21:in `require_relative'
| 	from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl.rb:21:in `<top (required)>'
| 	from -:in `require'

Finished tests in 0.154373s, 77.7337 tests/s, 369.2351 assertions/s.
12 tests, 57 assertions, 2 failures, 0 errors, 1 skips

ruby -v: ruby 3.1.2p20 (2022-04-12 revision 4491bb740a) [x86_64-linux]
make: *** [uncommon.mk:1249: runruby] Error 2
```

Note that we obverved the issue in RHEL 9.4 Beta non-FIPS OS environment too.
The error happened by applying the patch
ruby-3.3.0-openssl-3.2.0-fips-fix-pkey-read-in-openssl-3.patch
rewriting the `ossl_pkey_read_generic` properly.
The error didn't happen without the patch.

```
$ cat /etc/redhat-release
Red Hat Enterprise Linux release 9.4 Beta (Plow)

$ OPENSSL_FORCE_FIPS_MODE=1 bundle exec ruby -I./lib -e "require 'openssl'"
/builddir/work/ruby/openssl/lib/openssl/pkey.rb:132:in `initialize': could not parse pkey (OpenSSL::PKey::DHError)
  from /builddir/work/ruby/openssl/lib/openssl/pkey.rb:132:in `new'
  from /builddir/work/ruby/openssl/lib/openssl/pkey.rb:132:in `new'
  from /builddir/work/ruby/openssl/lib/openssl/ssl.rb:34:in `<class:SSLContext>'
  from /builddir/work/ruby/openssl/lib/openssl/ssl.rb:20:in `<module:SSL>'
  from /builddir/work/ruby/openssl/lib/openssl/ssl.rb:19:in `<module:OpenSSL>'
  from /builddir/work/ruby/openssl/lib/openssl/ssl.rb:18:in `<top (required)>'
  from /builddir/work/ruby/openssl/lib/openssl.rb:21:in `require_relative'
  from /builddir/work/ruby/openssl/lib/openssl.rb:21:in `<top (required)>'
  from -e:1:in `require'
  from -e:1:in `<main>'
```

Related: RHEL-5590
2023-10-11 19:20:25 +02:00
.gitignore Upgrade to Ruby 3.0.1. 2021-06-24 21:02:48 +02:00
libruby.stp Initial package 2016-02-17 19:05:04 +01:00
macros.ruby Merge Fedora master. 2018-03-12 17:55:43 +01:00
macros.rubygems Pass ldflags to gem install 2021-07-22 14:18:05 +02:00
operating_system.rb Update to Ruby 2.5.5. 2019-04-18 07:39:17 +02:00
ruby-1.9.3-mkmf-verbose.patch Upgrade to Ruby 3.1.2 by merging Fedora Rawhide branch (commit: b7b5473). 2022-06-22 20:36:32 +02:00
ruby-2.1.0-always-use-i386.patch Upgrade to Ruby 3.1.2 by merging Fedora Rawhide branch (commit: b7b5473). 2022-06-22 20:36:32 +02:00
ruby-2.1.0-custom-rubygems-location.patch Upgrade to Ruby 3.1.2 by merging Fedora Rawhide branch (commit: b7b5473). 2022-06-22 20:36:32 +02:00
ruby-2.1.0-Enable-configuration-of-archlibdir.patch Upgrade to Ruby 3.1.2 by merging Fedora Rawhide branch (commit: b7b5473). 2022-06-22 20:36:32 +02:00
ruby-2.1.0-Prevent-duplicated-paths-when-empty-version-string-i.patch Upgrade to Ruby 3.1.2 by merging Fedora Rawhide branch (commit: b7b5473). 2022-06-22 20:36:32 +02:00
ruby-2.3.0-ruby_version.patch Upgrade to Ruby 3.1.2 by merging Fedora Rawhide branch (commit: b7b5473). 2022-06-22 20:36:32 +02:00
ruby-2.7.0-Initialize-ABRT-hook.patch Upgrade to Ruby 3.1.2 by merging Fedora Rawhide branch (commit: b7b5473). 2022-06-22 20:36:32 +02:00
ruby-2.7.1-Timeout-the-test_bug_reporter_add-witout-raising-err.patch Upgrade to Ruby 3.1.2 by merging Fedora Rawhide branch (commit: b7b5473). 2022-06-22 20:36:32 +02:00
ruby-3.1.0-Don-t-query-RubyVM-FrozenCore-for-class-path.patch Upgrade to Ruby 3.1.2 by merging Fedora Rawhide branch (commit: b7b5473). 2022-06-22 20:36:32 +02:00
ruby-3.1.1-ossl_ocsp-use-null.patch Upgrade to Ruby 3.1.2 by merging Fedora Rawhide branch (commit: b7b5473). 2022-06-22 20:36:32 +02:00
ruby-3.1.2-ossl-tests-replace-sha1.patch Upgrade to Ruby 3.1.2 by merging Fedora Rawhide branch (commit: b7b5473). 2022-06-22 20:36:32 +02:00
ruby-3.1.3-Fix-for-tzdata-2022g.patch Fix for tzdata-2022g. 2023-10-11 19:16:22 +02:00
ruby-3.2.0-Build-extension-libraries-in-bundled-gems.patch Upgrade to Ruby 3.1.2 by merging Fedora Rawhide branch (commit: b7b5473). 2022-06-22 20:36:32 +02:00
ruby-3.2.0-define-unsupported-gc-compaction-methods_generated-files.patch Upgrade to Ruby 3.1.2 by merging Fedora Rawhide branch (commit: b7b5473). 2022-06-22 20:36:32 +02:00
ruby-3.2.0-define-unsupported-gc-compaction-methods-as-rb_f_notimplement.patch Upgrade to Ruby 3.1.2 by merging Fedora Rawhide branch (commit: b7b5473). 2022-06-22 20:36:32 +02:00
ruby-3.2.0-Detect-compaction-support-during-runtime.patch Upgrade to Ruby 3.1.2 by merging Fedora Rawhide branch (commit: b7b5473). 2022-06-22 20:36:32 +02:00
ruby-3.2.0-git-2.38.1-fix-rubygems-test.patch Bypass git submodule test failure on Git >= 2.38.1. 2023-10-11 19:15:58 +02:00
ruby-3.3.0-openssl-3.2.0-fips-enable-tests.patch Fix OpenSSL.fips_mode and OpenSSL::PKey.read in OpenSSL 3 FIPS. 2023-10-11 19:17:26 +02:00
ruby-3.3.0-openssl-3.2.0-fips-fix-pkey-dh-require-openssl.patch ssl: use ffdhe2048 from RFC 7919 as the default DH group parameter 2023-10-11 19:20:25 +02:00
ruby-3.3.0-openssl-3.2.0-fips-fix-pkey-read-in-openssl-3.patch Fix OpenSSL.fips_mode and OpenSSL::PKey.read in OpenSSL 3 FIPS. 2023-10-11 19:17:26 +02:00
ruby-3.3.0-openssl-3.2.0-fix-fips-get-set-in-openssl-3.patch Fix OpenSSL.fips_mode and OpenSSL::PKey.read in OpenSSL 3 FIPS. 2023-10-11 19:17:26 +02:00
ruby-bundler-2.4.0-bundle-update-bundler-test-in-ruby.patch Upgrade to Ruby 3.1.2 by merging Fedora Rawhide branch (commit: b7b5473). 2022-06-22 20:36:32 +02:00
ruby-exercise.stp Initial package 2016-02-17 19:05:04 +01:00
ruby-spec-Fix-tests-on-tzdata-2022b.patch Fix tests with Europe/Amsterdam pre-1970 time on tzdata version 2022b. 2023-10-11 19:16:17 +02:00
ruby.rpmlintrc Upgrade to Ruby 3.1.2 by merging Fedora Rawhide branch (commit: b7b5473). 2022-06-22 20:36:32 +02:00
ruby.spec ssl: use ffdhe2048 from RFC 7919 as the default DH group parameter 2023-10-11 19:20:25 +02:00
rubygems.attr Merge Fedora master. 2018-03-12 17:55:43 +01:00
rubygems.con Merge Fedora master. 2018-03-12 17:55:43 +01:00
rubygems.prov Update to Ruby 2.6.3 by merging Fedora master branch (commit: 1cc2a49) 2019-06-13 16:56:02 +02:00
rubygems.req Update to Ruby 2.6.3 by merging Fedora master branch (commit: 1cc2a49) 2019-06-13 16:56:02 +02:00
sources Upgrade to Ruby 3.1.2 by merging Fedora Rawhide branch (commit: b7b5473). 2022-06-22 20:36:32 +02:00
test_abrt.rb Initial package 2016-02-17 19:05:04 +01:00
test_openssl_fips.rb Fix OpenSSL.fips_mode and OpenSSL::PKey.read in OpenSSL 3 FIPS. 2023-10-11 19:17:26 +02:00
test_systemtap.rb Fix and enhance systemtap tests 2016-08-03 18:02:20 +02:00