An interpreter of object-oriented scripting language
59242d8ce8
This commit fixes the following failures in OpenSSL FIPS using the `OPENSSL_FORCE_FIPS_MODE=1` in CentOS stream 9 non-FIPS OS environment. ``` $ cat /etc/redhat-release CentOS Stream release 9 $ rpm -q openssl openssl-3.0.7-24.el9.x86_64 $ pwd /builddir/build/BUILD/ruby-3.1.2 $ make runruby 'TESTRUN_SCRIPT= \ -I/builddir/build/BUILD/ruby-3.1.2/tool/lib --enable-gems \ /builddir/build/SOURCES/test_openssl_fips.rb /builddir/build/BUILD/ruby-3.1.2 --verbose' ... 1) Failure: OpenSSL::TestFIPS#test_fips_mode_get_with_fips_mode_set [/builddir/build/BUILD/ruby-3.1.2/test/openssl/test_fips.rb:38]: assert_separately failed with error message pid 2043890 exit 1 | /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/pkey.rb:132:in `initialize': could not parse pkey (OpenSSL::PKey::DHError) | from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/pkey.rb:132:in `new' | from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/pkey.rb:132:in `new' | from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/ssl.rb:34:in `<class:SSLContext>' | from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/ssl.rb:20:in `<module:SSL>' | from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/ssl.rb:19:in `<module:OpenSSL>' | from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/ssl.rb:18:in `<top (required)>' | from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl.rb:21:in `require_relative' | from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl.rb:21:in `<top (required)>' | from -:in `require' 2) Failure: OpenSSL::TestFIPS#test_fips_mode_get_is_true_on_fips_mode_enabled [/builddir/build/BUILD/ruby-3.1.2/test/openssl/test_fips.rb:12]: assert_separately failed with error message pid 2043891 exit 1 | /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/pkey.rb:132:in `initialize': could not parse pkey (OpenSSL::PKey::DHError) | from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/pkey.rb:132:in `new' | from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/pkey.rb:132:in `new' | from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/ssl.rb:34:in `<class:SSLContext>' | from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/ssl.rb:20:in `<module:SSL>' | from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/ssl.rb:19:in `<module:OpenSSL>' | from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/ssl.rb:18:in `<top (required)>' | from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl.rb:21:in `require_relative' | from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl.rb:21:in `<top (required)>' | from -:in `require' Finished tests in 0.154373s, 77.7337 tests/s, 369.2351 assertions/s. 12 tests, 57 assertions, 2 failures, 0 errors, 1 skips ruby -v: ruby 3.1.2p20 (2022-04-12 revision 4491bb740a) [x86_64-linux] make: *** [uncommon.mk:1249: runruby] Error 2 ``` Note that we obverved the issue in RHEL 9.4 Beta non-FIPS OS environment too. The error happened by applying the patch ruby-3.3.0-openssl-3.2.0-fips-fix-pkey-read-in-openssl-3.patch rewriting the `ossl_pkey_read_generic` properly. The error didn't happen without the patch. ``` $ cat /etc/redhat-release Red Hat Enterprise Linux release 9.4 Beta (Plow) $ OPENSSL_FORCE_FIPS_MODE=1 bundle exec ruby -I./lib -e "require 'openssl'" /builddir/work/ruby/openssl/lib/openssl/pkey.rb:132:in `initialize': could not parse pkey (OpenSSL::PKey::DHError) from /builddir/work/ruby/openssl/lib/openssl/pkey.rb:132:in `new' from /builddir/work/ruby/openssl/lib/openssl/pkey.rb:132:in `new' from /builddir/work/ruby/openssl/lib/openssl/ssl.rb:34:in `<class:SSLContext>' from /builddir/work/ruby/openssl/lib/openssl/ssl.rb:20:in `<module:SSL>' from /builddir/work/ruby/openssl/lib/openssl/ssl.rb:19:in `<module:OpenSSL>' from /builddir/work/ruby/openssl/lib/openssl/ssl.rb:18:in `<top (required)>' from /builddir/work/ruby/openssl/lib/openssl.rb:21:in `require_relative' from /builddir/work/ruby/openssl/lib/openssl.rb:21:in `<top (required)>' from -e:1:in `require' from -e:1:in `<main>' ``` Related: RHEL-5590 |
||
|---|---|---|
| .gitignore | ||
| libruby.stp | ||
| macros.ruby | ||
| macros.rubygems | ||
| operating_system.rb | ||
| ruby-1.9.3-mkmf-verbose.patch | ||
| ruby-2.1.0-always-use-i386.patch | ||
| ruby-2.1.0-custom-rubygems-location.patch | ||
| ruby-2.1.0-Enable-configuration-of-archlibdir.patch | ||
| ruby-2.1.0-Prevent-duplicated-paths-when-empty-version-string-i.patch | ||
| ruby-2.3.0-ruby_version.patch | ||
| ruby-2.7.0-Initialize-ABRT-hook.patch | ||
| ruby-2.7.1-Timeout-the-test_bug_reporter_add-witout-raising-err.patch | ||
| ruby-3.1.0-Don-t-query-RubyVM-FrozenCore-for-class-path.patch | ||
| ruby-3.1.1-ossl_ocsp-use-null.patch | ||
| ruby-3.1.2-ossl-tests-replace-sha1.patch | ||
| ruby-3.1.3-Fix-for-tzdata-2022g.patch | ||
| ruby-3.2.0-Build-extension-libraries-in-bundled-gems.patch | ||
| ruby-3.2.0-define-unsupported-gc-compaction-methods_generated-files.patch | ||
| ruby-3.2.0-define-unsupported-gc-compaction-methods-as-rb_f_notimplement.patch | ||
| ruby-3.2.0-Detect-compaction-support-during-runtime.patch | ||
| ruby-3.2.0-git-2.38.1-fix-rubygems-test.patch | ||
| ruby-3.3.0-openssl-3.2.0-fips-enable-tests.patch | ||
| ruby-3.3.0-openssl-3.2.0-fips-fix-pkey-dh-require-openssl.patch | ||
| ruby-3.3.0-openssl-3.2.0-fips-fix-pkey-read-in-openssl-3.patch | ||
| ruby-3.3.0-openssl-3.2.0-fix-fips-get-set-in-openssl-3.patch | ||
| ruby-bundler-2.4.0-bundle-update-bundler-test-in-ruby.patch | ||
| ruby-exercise.stp | ||
| ruby-spec-Fix-tests-on-tzdata-2022b.patch | ||
| ruby.rpmlintrc | ||
| ruby.spec | ||
| rubygems.attr | ||
| rubygems.con | ||
| rubygems.prov | ||
| rubygems.req | ||
| sources | ||
| test_abrt.rb | ||
| test_openssl_fips.rb | ||
| test_systemtap.rb | ||