An interpreter of object-oriented scripting language
e0deda71a3
This commit fixes the following failures in OpenSSL FIPS using the `OPENSSL_FORCE_FIPS_MODE=1` in CentOS stream 9 non-FIPS OS environment. ``` $ cat /etc/redhat-release CentOS Stream release 9 $ rpm -q openssl openssl-3.0.7-24.el9.x86_64 $ pwd /builddir/build/BUILD/ruby-3.1.2 $ make runruby 'TESTRUN_SCRIPT= \ -I/builddir/build/BUILD/ruby-3.1.2/tool/lib --enable-gems \ /builddir/build/SOURCES/test_openssl_fips.rb /builddir/build/BUILD/ruby-3.1.2 --verbose' ... 1) Failure: OpenSSL::TestFIPS#test_fips_mode_get_with_fips_mode_set [/builddir/build/BUILD/ruby-3.1.2/test/openssl/test_fips.rb:38]: assert_separately failed with error message pid 2043890 exit 1 | /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/pkey.rb:132:in `initialize': could not parse pkey (OpenSSL::PKey::DHError) | from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/pkey.rb:132:in `new' | from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/pkey.rb:132:in `new' | from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/ssl.rb:34:in `<class:SSLContext>' | from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/ssl.rb:20:in `<module:SSL>' | from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/ssl.rb:19:in `<module:OpenSSL>' | from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/ssl.rb:18:in `<top (required)>' | from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl.rb:21:in `require_relative' | from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl.rb:21:in `<top (required)>' | from -:in `require' 2) Failure: OpenSSL::TestFIPS#test_fips_mode_get_is_true_on_fips_mode_enabled [/builddir/build/BUILD/ruby-3.1.2/test/openssl/test_fips.rb:12]: assert_separately failed with error message pid 2043891 exit 1 | /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/pkey.rb:132:in `initialize': could not parse pkey (OpenSSL::PKey::DHError) | from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/pkey.rb:132:in `new' | from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/pkey.rb:132:in `new' | from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/ssl.rb:34:in `<class:SSLContext>' | from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/ssl.rb:20:in `<module:SSL>' | from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/ssl.rb:19:in `<module:OpenSSL>' | from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/ssl.rb:18:in `<top (required)>' | from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl.rb:21:in `require_relative' | from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl.rb:21:in `<top (required)>' | from -:in `require' Finished tests in 0.154373s, 77.7337 tests/s, 369.2351 assertions/s. 12 tests, 57 assertions, 2 failures, 0 errors, 1 skips ruby -v: ruby 3.1.2p20 (2022-04-12 revision 4491bb740a) [x86_64-linux] make: *** [uncommon.mk:1249: runruby] Error 2 ``` Note that we obverved the issue in RHEL 9.4 Beta non-FIPS OS environment too. The error happened by applying the patch ruby-3.3.0-openssl-3.2.0-fips-fix-pkey-read-in-openssl-3.patch rewriting the `ossl_pkey_read_generic` properly. The error didn't happen without the patch. ``` $ cat /etc/redhat-release Red Hat Enterprise Linux release 9.4 Beta (Plow) $ OPENSSL_FORCE_FIPS_MODE=1 bundle exec ruby -I./lib -e "require 'openssl'" /builddir/work/ruby/openssl/lib/openssl/pkey.rb:132:in `initialize': could not parse pkey (OpenSSL::PKey::DHError) from /builddir/work/ruby/openssl/lib/openssl/pkey.rb:132:in `new' from /builddir/work/ruby/openssl/lib/openssl/pkey.rb:132:in `new' from /builddir/work/ruby/openssl/lib/openssl/ssl.rb:34:in `<class:SSLContext>' from /builddir/work/ruby/openssl/lib/openssl/ssl.rb:20:in `<module:SSL>' from /builddir/work/ruby/openssl/lib/openssl/ssl.rb:19:in `<module:OpenSSL>' from /builddir/work/ruby/openssl/lib/openssl/ssl.rb:18:in `<top (required)>' from /builddir/work/ruby/openssl/lib/openssl.rb:21:in `require_relative' from /builddir/work/ruby/openssl/lib/openssl.rb:21:in `<top (required)>' from -e:1:in `require' from -e:1:in `<main>' ``` Related: RHEL-12724 |
||
|---|---|---|
| .gitlab/merge_request_templates | ||
| .gitignore | ||
| gating.yaml | ||
| libruby.stp | ||
| macros.ruby | ||
| macros.rubygems | ||
| operating_system.rb | ||
| ruby-1.9.3-mkmf-verbose.patch | ||
| ruby-2.1.0-always-use-i386.patch | ||
| ruby-2.1.0-custom-rubygems-location.patch | ||
| ruby-2.1.0-Enable-configuration-of-archlibdir.patch | ||
| ruby-2.1.0-Prevent-duplicated-paths-when-empty-version-string-i.patch | ||
| ruby-2.3.0-ruby_version.patch | ||
| ruby-2.7.0-Initialize-ABRT-hook.patch | ||
| ruby-2.7.1-Timeout-the-test_bug_reporter_add-witout-raising-err.patch | ||
| ruby-3.0.3-ext-openssl-extconf.rb-require-OpenSSL-version-1.0.1.patch | ||
| ruby-3.1.0-Add-more-support-for-generic-pkey-types.patch | ||
| ruby-3.1.0-addr2line-DW_FORM_ref_addr.patch | ||
| ruby-3.1.0-Allocate-EVP_PKEY-on-initialize.patch | ||
| ruby-3.1.0-Allow-setting-algorithm-specific-options-in-sign-and-verify.patch | ||
| ruby-3.1.0-Deprecate-PKey-set_-and-PKey-DH-EC-generate_key.patch | ||
| ruby-3.1.0-Disable-test_no_private_exp-on-OpenSSL-3.0.patch | ||
| ruby-3.1.0-Don-t-query-RubyVM-FrozenCore-for-class-path.patch | ||
| ruby-3.1.0-Get-rid-of-type-punning-pointer-casts.patch | ||
| ruby-3.1.0-Ignore-DW_FORM_ref_addr.patch | ||
| ruby-3.1.0-Implement-PKey-encrypt-decrypt-sign_raw-verify_raw-and-verify_recover.patch | ||
| ruby-3.1.0-Migrate-from-the-low-level-HMAC-API-to-the-EVP-API.patch | ||
| ruby-3.1.0-Miscellaneous-changes-for-OpenSSL-3.0-support-part-2.patch | ||
| ruby-3.1.0-Miscellaneous-changes-for-OpenSSL-3.0-support.patch | ||
| ruby-3.1.0-Properly-exclude-test-cases.patch | ||
| ruby-3.1.0-Refactor-PEM-DER-serialization-code.patch | ||
| ruby-3.1.0-Support-GCCs-DWARF-5.patch | ||
| ruby-3.1.0-test-openssl-test_digest-do-not-test-constants-for-l.patch | ||
| ruby-3.1.0-test-openssl-test_pkcs12-fix-test-failures-with-Open.patch | ||
| ruby-3.1.0-test-openssl-test_pkey-use-EC-keys-for-PKey.generate.patch | ||
| ruby-3.1.0-test-openssl-test_ssl-relax-regex-to-match-OpenSSL-s.patch | ||
| ruby-3.1.0-test-openssl-utils-remove-dup_public-helper-method.patch | ||
| ruby-3.1.0-Use-EVP-API-in-more-places.patch | ||
| ruby-3.1.0-Use-high-level-EVP-interface-to-generate-parameters-and-keys.patch | ||
| ruby-3.1.0-Use-mmap-for-allocating-heap-pages-in-the-GC.patch | ||
| ruby-3.1.0-Use-OSSL_DECODER-to-load-encrypted-PEM-on-OpenSSL-3.0.patch | ||
| ruby-3.1.1-ossl_ocsp-use-null.patch | ||
| ruby-3.1.2-ossl-tests-replace-sha1.patch | ||
| ruby-3.1.3-Fix-for-tzdata-2022g.patch | ||
| ruby-3.2.0-git-2.38.1-fix-rubygems-test.patch | ||
| ruby-3.3.0-openssl-3.2.0-fips-enable-tests.patch | ||
| ruby-3.3.0-openssl-3.2.0-fips-fix-pkey-dh-require-openssl.patch | ||
| ruby-3.3.0-openssl-3.2.0-fips-fix-pkey-read-in-openssl-3.patch | ||
| ruby-3.3.0-openssl-3.2.0-fix-fips-get-set-in-openssl-3.patch | ||
| ruby-3.3.0-test-file-utime.patch | ||
| ruby-exercise.stp | ||
| ruby-spec-Fix-tests-on-tzdata-2022b.patch | ||
| ruby.rpmlintrc | ||
| ruby.spec | ||
| rubygems-3.2.30-Provide-distinguished-name-which-will-be-correctly-p.patch | ||
| rubygems-3.2.33-Fix-loading-operating_system-rb-customizations-too-late.patch | ||
| rubygems-3.3.1-Fix-compatibility-with-OpenSSL3.0.patch | ||
| rubygems.attr | ||
| rubygems.con | ||
| rubygems.prov | ||
| rubygems.req | ||
| sources | ||
| test_abrt.rb | ||
| test_openssl_fips.rb | ||
| test_systemtap.rb | ||