diff --git a/.gitignore b/.gitignore index a915dc1..1d5fa3c 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/ruby-3.0.4.tar.xz +SOURCES/ruby-3.0.7.tar.xz diff --git a/.ruby.metadata b/.ruby.metadata index 34cda36..07be9c4 100644 --- a/.ruby.metadata +++ b/.ruby.metadata @@ -1 +1 @@ -14461adca874d42a06a11851029dec877d9d28de SOURCES/ruby-3.0.4.tar.xz +efc97e609868a19f89653068c4915c162117b721 SOURCES/ruby-3.0.7.tar.xz diff --git a/SOURCES/ruby-2.1.0-Enable-configuration-of-archlibdir.patch b/SOURCES/ruby-2.1.0-Enable-configuration-of-archlibdir.patch index 32806da..f38bd9a 100644 --- a/SOURCES/ruby-2.1.0-Enable-configuration-of-archlibdir.patch +++ b/SOURCES/ruby-2.1.0-Enable-configuration-of-archlibdir.patch @@ -11,7 +11,7 @@ diff --git a/configure.ac b/configure.ac index d261ea57b5..3c13076b82 100644 --- a/configure.ac +++ b/configure.ac -@@ -3240,6 +3240,11 @@ AS_IF([test ${multiarch+set}], [ +@@ -3267,6 +3267,11 @@ AS_IF([test ${multiarch+set}], [ ]) archlibdir='${libdir}/${arch}' diff --git a/SOURCES/ruby-2.1.0-Prevent-duplicated-paths-when-empty-version-string-i.patch b/SOURCES/ruby-2.1.0-Prevent-duplicated-paths-when-empty-version-string-i.patch index 118203c..22b6f27 100644 --- a/SOURCES/ruby-2.1.0-Prevent-duplicated-paths-when-empty-version-string-i.patch +++ b/SOURCES/ruby-2.1.0-Prevent-duplicated-paths-when-empty-version-string-i.patch @@ -14,7 +14,7 @@ diff --git a/configure.ac b/configure.ac index c42436c23d..d261ea57b5 100644 --- a/configure.ac +++ b/configure.ac -@@ -3881,7 +3881,8 @@ AS_CASE(["$ruby_version_dir_name"], +@@ -3913,7 +3913,8 @@ AS_CASE(["$ruby_version_dir_name"], ruby_version_dir=/'${ruby_version_dir_name}' if test -z "${ruby_version_dir_name}"; then diff --git a/SOURCES/ruby-2.1.0-always-use-i386.patch b/SOURCES/ruby-2.1.0-always-use-i386.patch index de58295..a9b5b70 100644 --- a/SOURCES/ruby-2.1.0-always-use-i386.patch +++ b/SOURCES/ruby-2.1.0-always-use-i386.patch @@ -11,7 +11,7 @@ 
diff --git a/configure.ac b/configure.ac index 3c13076b82..93af30321d 100644 --- a/configure.ac +++ b/configure.ac -@@ -3945,6 +3945,8 @@ AC_SUBST(vendorarchdir)dnl +@@ -3977,6 +3977,8 @@ AC_SUBST(vendorarchdir)dnl AC_SUBST(CONFIGURE, "`echo $0 | sed 's|.*/||'`")dnl AC_SUBST(configure_args, "`echo "${ac_configure_args}" | sed 's/\\$/$$/g'`")dnl diff --git a/SOURCES/ruby-2.1.0-custom-rubygems-location.patch b/SOURCES/ruby-2.1.0-custom-rubygems-location.patch index f7862fa..1d523e2 100644 --- a/SOURCES/ruby-2.1.0-custom-rubygems-location.patch +++ b/SOURCES/ruby-2.1.0-custom-rubygems-location.patch @@ -15,7 +15,7 @@ diff --git a/configure.ac b/configure.ac index 93af30321d..bc13397e0e 100644 --- a/configure.ac +++ b/configure.ac -@@ -3917,6 +3917,10 @@ AC_ARG_WITH(vendorarchdir, +@@ -3949,6 +3949,10 @@ AC_ARG_WITH(vendorarchdir, [vendorarchdir=$withval], [vendorarchdir=${multiarch+'${rubysitearchprefix}/vendor_ruby'${ruby_version_dir}}${multiarch-'${vendorlibdir}/${sitearch}'}]) @@ -26,7 +26,7 @@ index 93af30321d..bc13397e0e 100644 AS_IF([test "${LOAD_RELATIVE+set}"], [ AC_DEFINE_UNQUOTED(LOAD_RELATIVE, $LOAD_RELATIVE) RUBY_EXEC_PREFIX='' -@@ -3941,6 +3945,7 @@ AC_SUBST(sitearchdir)dnl +@@ -3973,6 +3977,7 @@ AC_SUBST(sitearchdir)dnl AC_SUBST(vendordir)dnl AC_SUBST(vendorlibdir)dnl AC_SUBST(vendorarchdir)dnl diff --git a/SOURCES/ruby-2.3.0-ruby_version.patch b/SOURCES/ruby-2.3.0-ruby_version.patch index b0a73a9..24e8101 100644 --- a/SOURCES/ruby-2.3.0-ruby_version.patch +++ b/SOURCES/ruby-2.3.0-ruby_version.patch @@ -20,7 +20,7 @@ diff --git a/configure.ac b/configure.ac index 80b137e380..63cd3b4f8b 100644 --- a/configure.ac +++ b/configure.ac -@@ -3832,9 +3832,6 @@ AS_CASE(["$target_os"], +@@ -3864,9 +3864,6 @@ AS_CASE(["$target_os"], rubyw_install_name='$(RUBYW_INSTALL_NAME)' ]) 
@@ -30,7 +30,7 @@ index 80b137e380..63cd3b4f8b 100644 rubyarchprefix=${multiarch+'${archlibdir}/${RUBY_BASE_NAME}'}${multiarch-'${rubylibprefix}/${arch}'} AC_ARG_WITH(rubyarchprefix, AS_HELP_STRING([--with-rubyarchprefix=DIR], -@@ -3857,56 +3854,62 @@ AC_ARG_WITH(ridir, +@@ -3889,56 +3886,62 @@ AC_ARG_WITH(ridir, AC_SUBST(ridir) AC_SUBST(RI_BASE_NAME) @@ -120,7 +120,7 @@ index 80b137e380..63cd3b4f8b 100644 AS_IF([test "${LOAD_RELATIVE+set}"], [ AC_DEFINE_UNQUOTED(LOAD_RELATIVE, $LOAD_RELATIVE) -@@ -3923,6 +3926,7 @@ AC_SUBST(sitearchincludedir)dnl +@@ -3955,6 +3958,7 @@ AC_SUBST(sitearchincludedir)dnl AC_SUBST(arch)dnl AC_SUBST(sitearch)dnl AC_SUBST(ruby_version)dnl diff --git a/SOURCES/ruby-2.7.0-Initialize-ABRT-hook.patch b/SOURCES/ruby-2.7.0-Initialize-ABRT-hook.patch index 2b90d9e..975f55e 100644 --- a/SOURCES/ruby-2.7.0-Initialize-ABRT-hook.patch +++ b/SOURCES/ruby-2.7.0-Initialize-ABRT-hook.patch @@ -57,7 +57,7 @@ diff --git a/ruby.c b/ruby.c index 60c57d6259..1eec16f2c8 100644 --- a/ruby.c +++ b/ruby.c -@@ -1489,10 +1489,14 @@ proc_options(long argc, char **argv, ruby_cmdline_options_t *opt, int envopt) +@@ -1501,10 +1501,14 @@ proc_options(long argc, char **argv, ruby_cmdline_options_t *opt, int envopt) void Init_builtin_features(void); diff --git a/SOURCES/ruby-3.0.3-ext-openssl-extconf.rb-require-OpenSSL-version-1.0.1.patch b/SOURCES/ruby-3.0.3-ext-openssl-extconf.rb-require-OpenSSL-version-1.0.1.patch deleted file mode 100644 index 4b8e9ab..0000000 --- a/SOURCES/ruby-3.0.3-ext-openssl-extconf.rb-require-OpenSSL-version-1.0.1.patch +++ /dev/null 
@@ -1,84 +0,0 @@
-From 202ff1372a40a8adf9aac74bfe8a39141b0c57e5 Mon Sep 17 00:00:00 2001
-From: Kazuki Yamaguchi
-Date: Mon, 27 Sep 2021 00:38:38 +0900
-Subject: [PATCH] ext/openssl/extconf.rb: require OpenSSL version >= 1.0.1, < 3
-
-Ruby/OpenSSL 2.1.x and 2.2.x will not support OpenSSL 3.0 API. Let's
-make extconf.rb explicitly check the version number to be within the
-acceptable range, since it will not compile anyway.
-
-Reference: https://bugs.ruby-lang.org/issues/18192
----
- ext/openssl/extconf.rb | 43 ++++++++++++++++++++++++------------------
- 1 file changed, 25 insertions(+), 18 deletions(-)
-
-diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb
-index 264130bb..7e817ae2 100644
---- a/ext/openssl/extconf.rb
-+++ b/ext/openssl/extconf.rb
-@@ -33,9 +33,6 @@
- have_library("ws2_32")
- end
-
--Logging::message "=== Checking for required stuff... ===\n"
--result = pkg_config("openssl") && have_header("openssl/ssl.h")
--
- if $mingw
- append_cflags '-D_FORTIFY_SOURCE=2'
- append_ldflags '-fstack-protector'
-@@ -92,19 +89,33 @@ def find_openssl_library
- return false
- end
-
--unless result
-- unless find_openssl_library
-- Logging::message "=== Checking for required stuff failed. ===\n"
-- Logging::message "Makefile wasn't created. Fix the errors above.\n"
-- raise "OpenSSL library could not be found. You might want to use " \
-- "--with-openssl-dir= option to specify the prefix where OpenSSL " \
-- "is installed."
-- end
-+Logging::message "=== Checking for required stuff... ===\n"
-+pkg_config_found = pkg_config("openssl") && have_header("openssl/ssl.h")
-+
-+if !pkg_config_found && !find_openssl_library
-+ Logging::message "=== Checking for required stuff failed. ===\n"
-+ Logging::message "Makefile wasn't created. Fix the errors above.\n"
-+ raise "OpenSSL library could not be found. You might want to use " \
-+ "--with-openssl-dir= option to specify the prefix where OpenSSL " \
-+ "is installed."
- end
-
--unless checking_for("OpenSSL version is 1.0.1 or later") {
-- try_static_assert("OPENSSL_VERSION_NUMBER >= 0x10001000L", "openssl/opensslv.h") }
-- raise "OpenSSL >= 1.0.1 or LibreSSL is required"
-+version_ok = if have_macro("LIBRESSL_VERSION_NUMBER", "openssl/opensslv.h")
-+ is_libressl = true
-+ checking_for("LibreSSL version >= 2.5.0") {
-+ try_static_assert("LIBRESSL_VERSION_NUMBER >= 0x20500000L", "openssl/opensslv.h") }
-+else
-+ checking_for("OpenSSL version >= 1.0.1 and < 3.0.0") {
-+ try_static_assert("OPENSSL_VERSION_NUMBER >= 0x10001000L", "openssl/opensslv.h") &&
-+ !try_static_assert("OPENSSL_VERSION_MAJOR >= 3", "openssl/opensslv.h") }
-+end
-+unless version_ok
-+ raise "OpenSSL >= 1.0.1, < 3.0.0 or LibreSSL >= 2.5.0 is required"
-+end
-+
-+# Prevent wincrypt.h from being included, which defines conflicting macro with openssl/x509.h
-+if is_libressl && ($mswin || $mingw)
-+ $defs.push("-DNOCRYPT")
- end
-
- Logging::message "=== Checking for OpenSSL features... ===\n"
-@@ -116,10 +127,6 @@ def find_openssl_library
- have_func("ENGINE_load_#{name}()", "openssl/engine.h")
- }
-
--if ($mswin || $mingw) && have_macro("LIBRESSL_VERSION_NUMBER", "openssl/opensslv.h")
-- $defs.push("-DNOCRYPT")
--end
--
- # added in 1.0.2
- have_func("EC_curve_nist2nid")
- have_func("X509_REVOKED_dup")
diff --git a/SOURCES/ruby-3.1.0-Get-rid-of-type-punning-pointer-casts.patch b/SOURCES/ruby-3.1.0-Get-rid-of-type-punning-pointer-casts.patch
index ae8f722..ce92ce6 100644
--- a/SOURCES/ruby-3.1.0-Get-rid-of-type-punning-pointer-casts.patch
+++ b/SOURCES/ruby-3.1.0-Get-rid-of-type-punning-pointer-casts.patch
@@ -123,7 +123,7 @@ index 016dba1dbb18..1fd0bd57f7ca 100644 RB_DEBUG_COUNTER_INC(cc_invalidate_negative); } -@@ -1023,6 +1025,7 @@ prepare_callable_method_entry(VALUE defined_class, ID id, const rb_method_entry_ +@@ -1030,6 +1032,7 @@ prepare_callable_method_entry(VALUE defined_class, ID id, const rb_method_entry_ { struct rb_id_table *mtbl; const rb_callable_method_entry_t *cme; @@ -131,7 +131,7 @@ index 016dba1dbb18..1fd0bd57f7ca 100644 if (me) { if (me->defined_class == 0) { -@@ -1032,7 +1035,8 @@ prepare_callable_method_entry(VALUE defined_class, ID id, const rb_method_entry_ +@@ -1039,7 +1042,8 @@ prepare_callable_method_entry(VALUE defined_class, ID id, const rb_method_entry_ mtbl = RCLASS_CALLABLE_M_TBL(defined_class); @@ -141,7 +141,7 @@ index 016dba1dbb18..1fd0bd57f7ca 100644 RB_DEBUG_COUNTER_INC(mc_cme_complement_hit); VM_ASSERT(callable_method_entry_p(cme)); VM_ASSERT(!METHOD_ENTRY_INVALIDATED(cme)); -@@ -1076,9 +1080,10 @@ cached_callable_method_entry(VALUE klass, ID mid) +@@ -1083,9 +1087,10 @@ cached_callable_method_entry(VALUE klass, ID mid) ASSERT_vm_locking(); struct rb_id_table *cc_tbl = RCLASS_CC_TBL(klass); @@ -154,7 +154,7 @@ index 016dba1dbb18..1fd0bd57f7ca 100644 VM_ASSERT(vm_ccs_p(ccs)); if (LIKELY(!METHOD_ENTRY_INVALIDATED(ccs->cme))) { -@@ -1104,12 +1109,14 @@ cache_callable_method_entry(VALUE klass, ID mid, const rb_callable_method_entry_ +@@ -1111,12 +1116,14 @@ cache_callable_method_entry(VALUE klass, ID mid, const rb_callable_method_entry_ struct rb_id_table *cc_tbl = RCLASS_CC_TBL(klass); struct rb_class_cc_entries *ccs; @@ -170,7 +170,7 @@ index 016dba1dbb18..1fd0bd57f7ca 100644 VM_ASSERT(ccs->cme == cme); } else { -@@ -1123,8 +1130,12 @@ negative_cme(ID mid) +@@ -1130,8 +1137,12 @@ negative_cme(ID mid) { rb_vm_t *vm = GET_VM(); const rb_callable_method_entry_t *cme; 
diff --git a/SOURCES/ruby-3.1.0-Migrate-from-the-low-level-HMAC-API-to-the-EVP-API.patch b/SOURCES/ruby-3.1.0-Migrate-from-the-low-level-HMAC-API-to-the-EVP-API.patch index d25cae9..a8765f4 100644 --- a/SOURCES/ruby-3.1.0-Migrate-from-the-low-level-HMAC-API-to-the-EVP-API.patch +++ b/SOURCES/ruby-3.1.0-Migrate-from-the-low-level-HMAC-API-to-the-EVP-API.patch @@ -52,7 +52,7 @@ diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb index 693e55cd9..063498a76 100644 --- a/ext/openssl/extconf.rb +++ b/ext/openssl/extconf.rb -@@ -141,8 +141,7 @@ def find_openssl_library +@@ -148,8 +148,7 @@ def find_openssl_library have_func("BN_GENCB_get_arg") have_func("EVP_MD_CTX_new") have_func("EVP_MD_CTX_free") diff --git a/SOURCES/ruby-3.1.0-Miscellaneous-changes-for-OpenSSL-3.0-support.patch b/SOURCES/ruby-3.1.0-Miscellaneous-changes-for-OpenSSL-3.0-support.patch index a780108..bc11eb4 100644 --- a/SOURCES/ruby-3.1.0-Miscellaneous-changes-for-OpenSSL-3.0-support.patch +++ b/SOURCES/ruby-3.1.0-Miscellaneous-changes-for-OpenSSL-3.0-support.patch @@ -58,7 +58,7 @@ diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb index 17d93443fc..09cae05b72 100644 --- a/ext/openssl/extconf.rb +++ b/ext/openssl/extconf.rb -@@ -165,7 +165,7 @@ def find_openssl_library +@@ -172,7 +172,7 @@ def find_openssl_library have_func("TS_STATUS_INFO_get0_status") have_func("TS_STATUS_INFO_get0_text") have_func("TS_STATUS_INFO_get0_failure_info") @@ -67,7 +67,7 @@ index 17d93443fc..09cae05b72 100644 have_func("TS_VERIFY_CTX_set_store") have_func("TS_VERIFY_CTX_add_flags") have_func("TS_RESP_CTX_set_time_cb") -@@ -174,6 +174,9 @@ def find_openssl_library +@@ -181,6 +181,9 @@ def find_openssl_library # added in 1.1.1 have_func("EVP_PKEY_check") @@ -164,7 +164,7 @@ diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb index 98f96afe..842b7f5b 100644 --- a/ext/openssl/extconf.rb 
+++ b/ext/openssl/extconf.rb -@@ -177,6 +177,7 @@ def find_openssl_library +@@ -184,6 +184,7 @@ def find_openssl_library # added in 3.0.0 have_func("TS_VERIFY_CTX_set_certs(NULL, NULL)", "openssl/ts.h") @@ -249,7 +249,7 @@ diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb index 842b7f5b..d9d34b7c 100644 --- a/ext/openssl/extconf.rb +++ b/ext/openssl/extconf.rb -@@ -178,6 +178,7 @@ def find_openssl_library +@@ -185,6 +185,7 @@ def find_openssl_library # added in 3.0.0 have_func("TS_VERIFY_CTX_set_certs(NULL, NULL)", "openssl/ts.h") have_func("EVP_MD_CTX_get0_md") diff --git a/SOURCES/ruby-3.1.0-Use-EVP-API-in-more-places.patch b/SOURCES/ruby-3.1.0-Use-EVP-API-in-more-places.patch index f9c4580..b43aadc 100644 --- a/SOURCES/ruby-3.1.0-Use-EVP-API-in-more-places.patch +++ b/SOURCES/ruby-3.1.0-Use-EVP-API-in-more-places.patch @@ -698,7 +698,7 @@ diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb index b3c6647faf..17d93443fc 100644 --- a/ext/openssl/extconf.rb +++ b/ext/openssl/extconf.rb -@@ -172,6 +172,9 @@ def find_openssl_library +@@ -179,6 +179,9 @@ def find_openssl_library have_func("EVP_PBE_scrypt") have_func("SSL_CTX_set_post_handshake_auth") diff --git a/SOURCES/ruby-3.1.0-Use-high-level-EVP-interface-to-generate-parameters-and-keys.patch b/SOURCES/ruby-3.1.0-Use-high-level-EVP-interface-to-generate-parameters-and-keys.patch index d02ce45..f3298f3 100644 --- a/SOURCES/ruby-3.1.0-Use-high-level-EVP-interface-to-generate-parameters-and-keys.patch +++ b/SOURCES/ruby-3.1.0-Use-high-level-EVP-interface-to-generate-parameters-and-keys.patch @@ -965,7 +965,7 @@ diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb index 693e55cd97..b3c6647faf 100644 --- a/ext/openssl/extconf.rb +++ b/ext/openssl/extconf.rb -@@ -136,9 +136,6 @@ def find_openssl_library +@@ -143,9 +143,6 @@ def find_openssl_library $defs.push("-DHAVE_OPAQUE_OPENSSL") end have_func("CRYPTO_lock") || $defs.push("-DHAVE_OPENSSL_110_THREADING_API") 
diff --git a/SOURCES/ruby-3.1.0-Use-mmap-for-allocating-heap-pages-in-the-GC.patch b/SOURCES/ruby-3.1.0-Use-mmap-for-allocating-heap-pages-in-the-GC.patch index 512be18..96aa059 100644 --- a/SOURCES/ruby-3.1.0-Use-mmap-for-allocating-heap-pages-in-the-GC.patch +++ b/SOURCES/ruby-3.1.0-Use-mmap-for-allocating-heap-pages-in-the-GC.patch @@ -13,7 +13,7 @@ diff --git a/configure.ac b/configure.ac index 2dcebdde9f..b1b190004d 100644 --- a/configure.ac +++ b/configure.ac -@@ -1944,6 +1944,7 @@ AC_CHECK_FUNCS(memmem) +@@ -1952,6 +1952,7 @@ AC_CHECK_FUNCS(memmem) AC_CHECK_FUNCS(mkfifo) AC_CHECK_FUNCS(mknod) AC_CHECK_FUNCS(mktime) @@ -21,7 +21,7 @@ index 2dcebdde9f..b1b190004d 100644 AC_CHECK_FUNCS(openat) AC_CHECK_FUNCS(pipe2) AC_CHECK_FUNCS(poll) -@@ -2666,6 +2667,21 @@ main(int argc, char *argv[]) +@@ -2674,6 +2675,21 @@ main(int argc, char *argv[]) rb_cv_fork_with_pthread=yes)]) test x$rb_cv_fork_with_pthread = xyes || AC_DEFINE(CANNOT_FORK_WITH_PTHREAD) ]) diff --git a/SOURCES/ruby-3.1.2-ossl-tests-replace-sha1.patch b/SOURCES/ruby-3.1.2-ossl-tests-replace-sha1.patch index 176101c..34fa99a 100644 --- a/SOURCES/ruby-3.1.2-ossl-tests-replace-sha1.patch +++ b/SOURCES/ruby-3.1.2-ossl-tests-replace-sha1.patch @@ -2,7 +2,7 @@ diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb index fedcb93..53ad621 100644 --- a/ext/openssl/extconf.rb +++ b/ext/openssl/extconf.rb -@@ -174,6 +174,7 @@ have_func("SSL_CTX_set_post_handshake_auth") +@@ -181,6 +181,7 @@ have_func("SSL_CTX_set_post_handshake_auth") # added in 1.1.1 have_func("EVP_PKEY_check") diff --git a/SOURCES/ruby-3.3.0-openssl-3.2.0-fips-enable-tests.patch b/SOURCES/ruby-3.3.0-openssl-3.2.0-fips-enable-tests.patch new file mode 100644 index 0000000..7f66fa1 --- /dev/null +++ b/SOURCES/ruby-3.3.0-openssl-3.2.0-fips-enable-tests.patch 
@@ -0,0 +1,32 @@
+From f0b254f1f6610294821bbfc06b414d2af452db5b Mon Sep 17 00:00:00 2001
+From: Jun Aruga
+Date: Thu, 13 Apr 2023 17:28:27 +0200
+Subject: [PATCH] [ruby/openssl] Drop a common logic disabling the FIPS mode in
+ the tests.
+
+We want to run the unit tests in the FIPS mode too.
+
+https://github.com/ruby/openssl/commit/ab92baff34
+---
+ test/openssl/utils.rb | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/test/openssl/utils.rb b/test/openssl/utils.rb
+index 4ebcb9837b..8a0be0d154 100644
+--- a/test/openssl/utils.rb
++++ b/test/openssl/utils.rb
+@@ -1,11 +1,6 @@
+ # frozen_string_literal: true
+ begin
+ require "openssl"
+-
+- # Disable FIPS mode for tests for installations
+- # where FIPS mode would be enabled by default.
+- # Has no effect on all other installations.
+- OpenSSL.fips_mode=false
+ rescue LoadError
+ end
+
+--
+2.41.0
+
diff --git a/SOURCES/ruby-3.3.0-openssl-3.2.0-fips-fix-pkey-dh-require-openssl.patch b/SOURCES/ruby-3.3.0-openssl-3.2.0-fips-fix-pkey-dh-require-openssl.patch
new file mode 100644
index 0000000..156cf88
--- /dev/null
+++ b/SOURCES/ruby-3.3.0-openssl-3.2.0-fips-fix-pkey-dh-require-openssl.patch
@@ -0,0 +1,73 @@
+From b6d7cdc2bad0eadbca73f3486917f0ec7a475814 Mon Sep 17 00:00:00 2001
+From: Kazuki Yamaguchi
+Date: Tue, 29 Aug 2023 19:46:02 +0900
+Subject: [PATCH] [ruby/openssl] ssl: use ffdhe2048 from RFC 7919 as the
+ default DH group parameters
+
+In TLS 1.2 or before, if DH group parameters for DHE are not supplied
+with SSLContext#tmp_dh= or #tmp_dh_callback=, we currently use the
+self-generated parameters added in commit https://github.com/ruby/openssl/commit/bb3399a61c03 ("support 2048
+bit length DH-key", 2016-01-15) as the fallback.
+
+While there is no known weakness in the current parameters, it would be
+a good idea to switch to pre-defined, more well audited parameters.
+
+This also allows the fallback to work in the FIPS mode.
+
+The PEM encoding was derived with:
+
+ # RFC 7919 Appendix A.1. ffdhe2048
+ print OpenSSL::PKey.read(OpenSSL::ASN1::Sequence([OpenSSL::ASN1::Integer((<<-END).split.join.to_i(16)), OpenSSL::ASN1::Integer(2)]).to_der).to_pem
+ FFFFFFFF FFFFFFFF ADF85458 A2BB4A9A AFDC5620 273D3CF1
+ D8B9C583 CE2D3695 A9E13641 146433FB CC939DCE 249B3EF9
+ 7D2FE363 630C75D8 F681B202 AEC4617A D3DF1ED5 D5FD6561
+ 2433F51F 5F066ED0 85636555 3DED1AF3 B557135E 7F57C935
+ 984F0C70 E0E68B77 E2A689DA F3EFE872 1DF158A1 36ADE735
+ 30ACCA4F 483A797A BC0AB182 B324FB61 D108A94B B2C8E3FB
+ B96ADAB7 60D7F468 1D4F42A3 DE394DF4 AE56EDE7 6372BB19
+ 0B07A7C8 EE0A6D70 9E02FCE1 CDF7E2EC C03404CD 28342F61
+ 9172FE9C E98583FF 8E4F1232 EEF28183 C3FE3B1B 4C6FAD73
+ 3BB5FCBC 2EC22005 C58EF183 7D1683B2 C6F34A26 C1B2EFFA
+ 886B4238 61285C97 FFFFFFFF FFFFFFFF
+ END
+
+https://github.com/ruby/openssl/commit/a5527cb4f4
+---
+ ext/openssl/lib/openssl/ssl.rb | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/ext/openssl/lib/openssl/ssl.rb b/ext/openssl/lib/openssl/ssl.rb
+index ea8bb2a18e533..94be6ba80b894 100644
+--- a/ext/openssl/lib/openssl/ssl.rb
++++ b/ext/openssl/lib/openssl/ssl.rb
+@@ -31,21 +31,21 @@ class SSLContext
+ }
+
+ if defined?(OpenSSL::PKey::DH)
+- DEFAULT_2048 = OpenSSL::PKey::DH.new <<-_end_of_pem_
++ DH_ffdhe2048 = OpenSSL::PKey::DH.new <<-_end_of_pem_
+ -----BEGIN DH PARAMETERS-----
+-MIIBCAKCAQEA7E6kBrYiyvmKAMzQ7i8WvwVk9Y/+f8S7sCTN712KkK3cqd1jhJDY
+-JbrYeNV3kUIKhPxWHhObHKpD1R84UpL+s2b55+iMd6GmL7OYmNIT/FccKhTcveab
+-VBmZT86BZKYyf45hUF9FOuUM9xPzuK3Vd8oJQvfYMCd7LPC0taAEljQLR4Edf8E6
+-YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3
+-1bNveX5wInh5GDx1FGhKBZ+s1H+aedudCm7sCgRwv8lKWYGiHzObSma8A86KG+MD
+-7Lo5JquQ3DlBodj3IDyPrxIv96lvRPFtAwIBAg==
++MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
+++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
++87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
++YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
++7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
++ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
+ -----END DH PARAMETERS-----
+ _end_of_pem_
+- private_constant :DEFAULT_2048
++ private_constant :DH_ffdhe2048
+
+ DEFAULT_TMP_DH_CALLBACK = lambda { |ctx, is_export, keylen| # :nodoc:
+ warn "using default DH parameters." if $VERBOSE
+- DEFAULT_2048
++ DH_ffdhe2048
+ }
+ end
+
diff --git a/SOURCES/ruby-3.3.0-openssl-3.2.0-fips-fix-pkey-read-in-openssl-3.patch b/SOURCES/ruby-3.3.0-openssl-3.2.0-fips-fix-pkey-read-in-openssl-3.patch
new file mode 100644
index 0000000..f0c9da2
--- /dev/null
+++ b/SOURCES/ruby-3.3.0-openssl-3.2.0-fips-fix-pkey-read-in-openssl-3.patch
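Review bot: The new `DH_ffdhe2048` constant in ext/openssl/lib/openssl/ssl.rb says nothing in the source about where its PEM comes from; the provenance (RFC 7919 Appendix A.1) and the derivation snippet exist only in the commit message. A comment directly above the heredoc, for example `# ffdhe2048 group from RFC 7919, Appendix A.1 (p and g only; no private material)`, would let a later reader check the embedded parameters against the RFC without digging through history. The enclosing `class SSLContext` body starts and ends outside the hunk.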
@@ -0,0 +1,160 @@
+From 40451afa279c52ce7a508f8a9ec553cfe7a76a10 Mon Sep 17 00:00:00 2001
+From: Jun Aruga
+Date: Wed, 12 Apr 2023 17:15:21 +0200
+Subject: [PATCH] Fix OpenSSL::PKey.read in OpenSSL 3 FIPS module.
+
+This is a combination of the following 2 commits. Because the combined patch is
+easy to merge.
+
+This is the 1st commit message:
+
+[ruby/openssl] Workaround: Fix OpenSSL::PKey.read that cannot parse PKey in the FIPS mode.
+
+This commit is a workaround to avoid the error below that the
+`OpenSSL::PKey.read` fails with the OpenSSL 3.0 FIPS mode.
+
+```
+$ openssl genrsa -out key.pem 4096
+
+$ ruby -e "require 'openssl'; OpenSSL::PKey.read(File.read('key.pem'))"
+-e:1:in `read': Could not parse PKey (OpenSSL::PKey::PKeyError)
+ from -e:1:in `'
+```
+
+The root cause is on the OpenSSL side. The `OSSL_DECODER_CTX_set_selection`
+doesn't apply the selection value properly if there are multiple providers, and
+a provider (e.g. "base" provider) handles the decoder implementation, and
+another provider (e.g. "fips" provider) handles the keys.
+
+The workaround is to create `OSSL_DECODER_CTX` variable each time without using
+the `OSSL_DECODER_CTX_set_selection`.
+
+https://github.com/ruby/openssl/commit/5ff4a31621
+
+This is the commit message #2:
+
+[ruby/openssl] ossl_pkey.c: Workaround: Decode with non-zero selections.
+
+This is a workaround for the decoding issue in ossl_pkey_read_generic().
+The issue happens in the case that a key management provider is different from
+a decoding provider.
+
+Try all the non-zero selections in order, instead of selection 0 for OpenSSL 3
+to avoid the issue.
+
+https://github.com/ruby/openssl/commit/db688fa739
+---
+ ext/openssl/ossl_pkey.c | 78 ++++++++++++++++++++++++++++++++++++++---
+ 1 file changed, 73 insertions(+), 5 deletions(-)
+
+diff --git a/ext/openssl/ossl_pkey.c b/ext/openssl/ossl_pkey.c
+index 24d0da4683..15854aeca1 100644
+--- a/ext/openssl/ossl_pkey.c
++++ b/ext/openssl/ossl_pkey.c
+@@ -81,18 +81,20 @@ ossl_pkey_new(EVP_PKEY *pkey)
+ #if OSSL_OPENSSL_PREREQ(3, 0, 0)
+ # include
+
+-EVP_PKEY *
+-ossl_pkey_read_generic(BIO *bio, VALUE pass)
++static EVP_PKEY *
++ossl_pkey_read(BIO *bio, const char *input_type, int selection, VALUE pass)
+ {
+ void *ppass = (void *)pass;
+ OSSL_DECODER_CTX *dctx;
+ EVP_PKEY *pkey = NULL;
+ int pos = 0, pos2;
+
+- dctx = OSSL_DECODER_CTX_new_for_pkey(&pkey, "DER", NULL, NULL, 0, NULL, NULL);
++ dctx = OSSL_DECODER_CTX_new_for_pkey(&pkey, input_type, NULL, NULL,
++ selection, NULL, NULL);
+ if (!dctx)
+ goto out;
+- if (OSSL_DECODER_CTX_set_pem_password_cb(dctx, ossl_pem_passwd_cb, ppass) != 1)
++ if (OSSL_DECODER_CTX_set_pem_password_cb(dctx, ossl_pem_passwd_cb,
++ ppass) != 1)
+ goto out;
+
+ /* First check DER */
+@@ -111,11 +113,77 @@ ossl_pkey_read_generic(BIO *bio, VALUE pass)
+ goto out;
+ pos = pos2;
+ }
+-
+ out:
++ OSSL_BIO_reset(bio);
+ OSSL_DECODER_CTX_free(dctx);
+ return pkey;
+ }
++
++EVP_PKEY *
++ossl_pkey_read_generic(BIO *bio, VALUE pass)
++{
++ EVP_PKEY *pkey = NULL;
++ /* First check DER, then check PEM. */
++ const char *input_types[] = {"DER", "PEM"};
++ int input_type_num = (int)(sizeof(input_types) / sizeof(char *));
++ /*
++ * Non-zero selections to try to decode.
++ *
++ * See EVP_PKEY_fromdata(3) - Selections to see all the selections.
++ *
++ * This is a workaround for the decoder failing to decode or returning
++ * bogus keys with selection 0, if a key management provider is different
++ * from a decoder provider. The workaround is to avoid using selection 0.
++ *
++ * Affected OpenSSL versions: >= 3.1.0, <= 3.1.2, or >= 3.0.0, <= 3.0.10
++ * Fixed OpenSSL versions: 3.2, next release of the 3.1.z and 3.0.z
++ *
++ * See https://github.com/openssl/openssl/pull/21519 for details.
++ *
++ * First check for private key formats (EVP_PKEY_KEYPAIR). This is to keep
++ * compatibility with ruby/openssl < 3.0 which decoded the following as a
++ * private key.
++ *
++ * $ openssl ecparam -name prime256v1 -genkey -outform PEM
++ * -----BEGIN EC PARAMETERS-----
++ * BggqhkjOPQMBBw==
++ * -----END EC PARAMETERS-----
++ * -----BEGIN EC PRIVATE KEY-----
++ * MHcCAQEEIAG8ugBbA5MHkqnZ9ujQF93OyUfL9tk8sxqM5Wv5tKg5oAoGCCqGSM49
++ * AwEHoUQDQgAEVcjhJfkwqh5C7kGuhAf8XaAjVuG5ADwb5ayg/cJijCgs+GcXeedj
++ * 86avKpGH84DXUlB23C/kPt+6fXYlitUmXQ==
++ * -----END EC PRIVATE KEY-----
++ *
++ * While the first PEM block is a proper encoding of ECParameters, thus
++ * OSSL_DECODER_from_bio() would pick it up, ruby/openssl used to return
++ * the latter instead. Existing applications expect this behavior.
++ *
++ * Note that normally, the input is supposed to contain a single decodable
++ * PEM block only, so this special handling should not create a new problem.
++ *
++ * Note that we need to create the OSSL_DECODER_CTX variable each time when
++ * we use the different selection as a workaround.
++ * See https://github.com/openssl/openssl/issues/20657 for details.
++ */
++ int selections[] = {
++ EVP_PKEY_KEYPAIR,
++ EVP_PKEY_KEY_PARAMETERS,
++ EVP_PKEY_PUBLIC_KEY
++ };
++ int selection_num = (int)(sizeof(selections) / sizeof(int));
++ int i, j;
++
++ for (i = 0; i < input_type_num; i++) {
++ for (j = 0; j < selection_num; j++) {
++ pkey = ossl_pkey_read(bio, input_types[i], selections[j], pass);
++ if (pkey) {
++ goto out;
++ }
++ }
++ }
++ out:
++ return pkey;
++}
+ #else
+ EVP_PKEY *
+ ossl_pkey_read_generic(BIO *bio, VALUE pass)
+--
+2.41.0
+
diff --git a/SOURCES/ruby-3.3.0-openssl-3.2.0-fix-fips-get-set-in-openssl-3.patch b/SOURCES/ruby-3.3.0-openssl-3.2.0-fix-fips-get-set-in-openssl-3.patch
new file mode 100644
index 0000000..3e9e084
--- /dev/null
+++ b/SOURCES/ruby-3.3.0-openssl-3.2.0-fix-fips-get-set-in-openssl-3.patch
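Review bot: The new `ossl_pkey_read_generic()` in ext/openssl/ossl_pkey.c retries on every NULL result, not only when a format or selection simply does not apply: its nested loop calls `ossl_pkey_read()` up to six times (two input types by three selections), and each call registers `ossl_pem_passwd_cb` on a fresh decoder context. For an encrypted key with a wrong or declined passphrase this probably means the passphrase callback can run again on later iterations, and the error finally surfaced is whatever the last attempt left behind rather than the first real failure. The decode loop of `ossl_pkey_read()` sits between the two inner hunks and is not visible here, so confirm against the full function; if it holds, stop iterating once an attempt fails for a reason other than an unsupported input, and add a comment stating that rule next to the loop. Minor: `sizeof(input_types) / sizeof(input_types[0])` is safer than dividing by `sizeof(char *)`.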
@@ -0,0 +1,142 @@
+From 29920ec109751459a65c6478525f2e59c644891f Mon Sep 17 00:00:00 2001
+From: Jun Aruga
+Date: Thu, 16 Mar 2023 21:36:43 +0100
+Subject: [PATCH] [ruby/openssl] Implement FIPS functions on OpenSSL 3.
+
+This commit is to implement the `OpenSSL::OPENSSL_FIPS`, `ossl_fips_mode_get`
+and `ossl_fips_mode_set` to pass the test `test/openssl/test_fips.rb`.
+
+It seems that the `OPENSSL_FIPS` macro is not used on the FIPS mode case any
+more, and some FIPS related APIs also were removed in OpenSSL 3.
+
+See the document
+the section OPENSSL 3.0 > Main Changes from OpenSSL 1.1.1 >
+Other notable deprecations and changes - Removed FIPS_mode() and FIPS_mode_set() .
+
+The `OpenSSL::OPENSSL_FIPS` returns always true in OpenSSL 3 because the used
+functions `EVP_default_properties_enable_fips` and `EVP_default_properties_is_fips_enabled`
+works with the OpenSSL installed without FIPS option.
+
+The `TEST_RUBY_OPENSSL_FIPS_ENABLED` is set on the FIPS mode case on the CI.
+Because I want to test that the `OpenSSL.fips_mode` returns the `true` or
+'false' surely in the CI. You can test the FIPS mode case by setting
+`TEST_RUBY_OPENSSL_FIPS_ENABLED` on local too. Right now I don't find a better
+way to get the status of the FIPS mode enabled or disabled for this purpose. I
+am afraid of the possibility that the FIPS test case is unintentionally skipped.
+
+I also replaced the ambiguous "returns" with "should return" in the tests.
+
+https://github.com/ruby/openssl/commit/c5b2bc1268
+---
+ ext/openssl/ossl.c | 25 +++++++++++++++++++++----
+ test/openssl/test_fips.rb | 32 ++++++++++++++++++++++++++++----
+ 2 files changed, 49 insertions(+), 8 deletions(-)
+
+diff --git a/ext/openssl/ossl.c b/ext/openssl/ossl.c
+index 6c532aca94..fcf3744c65 100644
+--- a/ext/openssl/ossl.c
++++ b/ext/openssl/ossl.c
+@@ -405,7 +405,11 @@ static VALUE
+ ossl_fips_mode_get(VALUE self)
+ {
+
+-#ifdef OPENSSL_FIPS
++#if OSSL_OPENSSL_PREREQ(3, 0, 0)
++ VALUE enabled;
++ enabled = EVP_default_properties_is_fips_enabled(NULL) ? Qtrue : Qfalse;
++ return enabled;
++#elif OPENSSL_FIPS
+ VALUE enabled;
+ enabled = FIPS_mode() ? Qtrue : Qfalse;
+ return enabled;
+@@ -429,8 +433,18 @@ ossl_fips_mode_get(VALUE self)
+ static VALUE
+ ossl_fips_mode_set(VALUE self, VALUE enabled)
+ {
+-
+-#ifdef OPENSSL_FIPS
++#if OSSL_OPENSSL_PREREQ(3, 0, 0)
++ if (RTEST(enabled)) {
++ if (!EVP_default_properties_enable_fips(NULL, 1)) {
++ ossl_raise(eOSSLError, "Turning on FIPS mode failed");
++ }
++ } else {
++ if (!EVP_default_properties_enable_fips(NULL, 0)) {
++ ossl_raise(eOSSLError, "Turning off FIPS mode failed");
++ }
++ }
++ return enabled;
++#elif OPENSSL_FIPS
+ if (RTEST(enabled)) {
+ int mode = FIPS_mode();
+ if(!mode && !FIPS_mode_set(1)) /* turning on twice leads to an error */
+@@ -1185,7 +1199,10 @@ Init_openssl(void)
+ * Boolean indicating whether OpenSSL is FIPS-capable or not
+ */
+ rb_define_const(mOSSL, "OPENSSL_FIPS",
+-#ifdef OPENSSL_FIPS
++/* OpenSSL 3 is FIPS-capable even when it is installed without fips option */
++#if OSSL_OPENSSL_PREREQ(3, 0, 0)
++ Qtrue
++#elif OPENSSL_FIPS
+ Qtrue
+ #else
+ Qfalse
+diff --git a/test/openssl/test_fips.rb b/test/openssl/test_fips.rb
+index 8cd474f9a3..56a12a94ce 100644
+--- a/test/openssl/test_fips.rb
++++ b/test/openssl/test_fips.rb
+@@ -4,22 +4,46 @@
+ if defined?(OpenSSL)
+
+ class OpenSSL::TestFIPS < OpenSSL::TestCase
++ def test_fips_mode_get_is_true_on_fips_mode_enabled
++ unless ENV["TEST_RUBY_OPENSSL_FIPS_ENABLED"]
++ omit "Only for FIPS mode environment"
++ end
++
++ assert_separately([{ "OSSL_MDEBUG" => nil }, "-ropenssl"], <<~"end;")
++ assert OpenSSL.fips_mode == true, ".fips_mode should return true on FIPS mode enabled"
++ end;
++ end
++
++ def test_fips_mode_get_is_false_on_fips_mode_disabled
++ if ENV["TEST_RUBY_OPENSSL_FIPS_ENABLED"]
++ omit "Only for non-FIPS mode environment"
++ end
++
++ assert_separately([{ "OSSL_MDEBUG" => nil }, "-ropenssl"], <<~"end;")
++ message = ".fips_mode should return false on FIPS mode disabled. " \
++ "If you run the test on FIPS mode, please set " \
++ "TEST_RUBY_OPENSSL_FIPS_ENABLED=true"
++ assert OpenSSL.fips_mode == false, message
++ end;
++ end
++
+ def test_fips_mode_is_reentrant
+ OpenSSL.fips_mode = false
+ OpenSSL.fips_mode = false
+ end
+
+- def test_fips_mode_get
+- return unless OpenSSL::OPENSSL_FIPS
++ def test_fips_mode_get_with_fips_mode_set
++ omit('OpenSSL is not FIPS-capable') unless OpenSSL::OPENSSL_FIPS
++
+ assert_separately([{ "OSSL_MDEBUG" => nil }, "-ropenssl"], <<~"end;")
+ require #{__FILE__.dump}
+
+ begin
+ OpenSSL.fips_mode = true
+- assert OpenSSL.fips_mode == true, ".fips_mode returns true when .fips_mode=true"
++ assert OpenSSL.fips_mode == true, ".fips_mode should return true when .fips_mode=true"
+
+ OpenSSL.fips_mode = false
+- assert OpenSSL.fips_mode == false, ".fips_mode returns false when .fips_mode=false"
++ assert OpenSSL.fips_mode == false, ".fips_mode should return false when .fips_mode=false"
+ rescue OpenSSL::OpenSSLError
+ pend "Could not set FIPS mode (OpenSSL::OpenSSLError: \#$!); skipping"
+ end
+--
+2.41.0
+
diff --git a/SOURCES/ruby-3.3.0-test-file-utime.patch b/SOURCES/ruby-3.3.0-test-file-utime.patch
new file mode 100644
index 0000000..c2701f3
--- /dev/null
+++ b/SOURCES/ruby-3.3.0-test-file-utime.patch
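Review bot: The three `#elif OPENSSL_FIPS` lines added to ext/openssl/ossl.c (in `ossl_fips_mode_get`, `ossl_fips_mode_set` and the `OPENSSL_FIPS` constant in `Init_openssl`) turn what was a definedness test, `#ifdef OPENSSL_FIPS`, into a value test. On a pre-3.0 OpenSSL build this warns under `-Wundef` when the macro is absent and fails to preprocess if the macro is defined with an empty value, so the legacy FIPS branch can be lost or break the build for reasons unrelated to FIPS support. `#elif defined(OPENSSL_FIPS)` keeps the original meaning in all three places. The bodies of all three functions continue outside the inner hunks.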
@@ -0,0 +1,36 @@
+From 8d1109c03bacc952b6218af2e4ae9b74c9855273 Mon Sep 17 00:00:00 2001
+From: Hiroshi SHIBATA
+Date: Wed, 22 Mar 2023 16:10:06 +0900
+Subject: [PATCH] Added assertion values for Amazon Linux 2023
+
+---
+ spec/ruby/core/file/utime_spec.rb | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/spec/ruby/core/file/utime_spec.rb b/spec/ruby/core/file/utime_spec.rb
+index a191e2924037c..0b0e4f979c935 100644
+--- a/spec/ruby/core/file/utime_spec.rb
++++ b/spec/ruby/core/file/utime_spec.rb
+@@ -72,17 +72,19 @@
+
+ platform_is :linux do
+ platform_is wordsize: 64 do
+- it "allows Time instances in the far future to set mtime and atime (but some filesystems limit it up to 2446-05-10 or 2038-01-19)" do
++ it "allows Time instances in the far future to set mtime and atime (but some filesystems limit it up to 2446-05-10 or 2038-01-19 or 2486-07-02)" do
+ # https://ext4.wiki.kernel.org/index.php/Ext4_Disk_Layout#Inode_Timestamps
+ # "Therefore, timestamps should not overflow until May 2446."
+ # https://lwn.net/Articles/804382/
+ # "On-disk timestamps hitting the y2038 limit..."
+ # The problem seems to be being improved, but currently it actually fails on XFS on RHEL8
+ # https://rubyci.org/logs/rubyci.s3.amazonaws.com/rhel8/ruby-master/log/20201112T123004Z.fail.html.gz
++ # Amazon Linux 2023 returns 2486-07-02 in this example
++ # http://rubyci.s3.amazonaws.com/amazon2023/ruby-master/log/20230322T063004Z.fail.html.gz
+ time = Time.at(1<<44)
+ File.utime(time, time, @file1)
+- [559444, 2446, 2038].should.include? File.atime(@file1).year
+- [559444, 2446, 2038].should.include? File.mtime(@file1).year
++ [559444, 2486, 2446, 2038].should.include? File.atime(@file1).year
++ [559444, 2486, 2446, 2038].should.include? File.mtime(@file1).year
+ end
+ end
+ end
diff --git a/SOURCES/ruby-3.3.1-Fix-test-session-reuse-but-expire.patch b/SOURCES/ruby-3.3.1-Fix-test-session-reuse-but-expire.patch
new file mode 100644
index 0000000..d1ebe30
--- /dev/null
+++ b/SOURCES/ruby-3.3.1-Fix-test-session-reuse-but-expire.patch
@@ -0,0 +1,28 @@
+From 1816c142a4d66a75c23ccf6fd89a06cbe422e34f Mon Sep 17 00:00:00 2001
+From: "NARUSE, Yui"
+Date: Sat, 3 Feb 2024 22:35:44 +0900
+Subject: [PATCH] Fix test session reuse but expire (#9824)
+
+* OpenSSL 3.2.1 30 Jan 2024 is also broken
+
+Import 45064610725ddd81a5ea3775da35aa46985bc789 from ruby_3_3 branch
+tentatively.
+---
+ test/net/http/test_https.rb | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/test/net/http/test_https.rb b/test/net/http/test_https.rb
+index 7b97e39586..aef748dfa0 100644
+--- a/test/net/http/test_https.rb
++++ b/test/net/http/test_https.rb
+@@ -178,6 +178,7 @@ def test_session_reuse
+ def test_session_reuse_but_expire
+ # FIXME: The new_session_cb is known broken for clients in OpenSSL 1.1.0h.
+ skip if OpenSSL::OPENSSL_LIBRARY_VERSION =~ /OpenSSL 1.1.0h/
++ omit if OpenSSL::OPENSSL_LIBRARY_VERSION.include?('OpenSSL 3.2.')
+
+ http = Net::HTTP.new("localhost", config("port"))
+ http.use_ssl = true
+--
+2.44.0
+
diff --git a/SOURCES/ruby-3.4.0-ruby-net-http-Renew-test-certificates.patch b/SOURCES/ruby-3.4.0-ruby-net-http-Renew-test-certificates.patch
new file mode 100644
index 0000000..34a18e0
--- /dev/null
+++ b/SOURCES/ruby-3.4.0-ruby-net-http-Renew-test-certificates.patch
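Review bot: The added `omit if OpenSSL::OPENSSL_LIBRARY_VERSION.include?('OpenSSL 3.2.')` in test_session_reuse_but_expire gives no reason and matches every 3.2.x release, while the commit message names only 3.2.1 as broken, so the session-expiry check stays skipped with no record of why, even after a fixed library ships. The `skip` line above it has a FIXME explaining the 1.1.0h case; the new line should get the same treatment plus a reason string, e.g. `omit 'known broken with OpenSSL 3.2.x' if OpenSSL::OPENSSL_LIBRARY_VERSION.include?('OpenSSL 3.2.')`. The body of the test continues outside the hunk.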
@@ -0,0 +1,256 @@ +From d3933fc753187a055a4904af82f5f3794c88c416 Mon Sep 17 00:00:00 2001 +From: Sorah Fukumori +Date: Mon, 1 Jan 2024 20:45:54 +0900 +Subject: [PATCH] [ruby/net-http] Renew test certificates + +The private key is replaced with a public known test key published at +[RFC 9500]. + +Also lifetime has been extended to 10 years from 4 years. + +[RFC 9500]: https://www.rfc-editor.org/rfc/rfc9500.html + +https://github.com/ruby/net-http/commit/4ab6c4a500 +--- + test/net/fixtures/Makefile | 6 +-- + test/net/fixtures/cacert.pem | 44 ++++++++-------- + test/net/fixtures/server.crt | 99 +++++++----------------------------- + test/net/fixtures/server.key | 55 ++++++++++---------- + 4 files changed, 71 insertions(+), 133 deletions(-) + +diff --git a/test/net/fixtures/Makefile b/test/net/fixtures/Makefile +index b2bc9c7368ee2..88c232e3b6c16 100644 +--- a/test/net/fixtures/Makefile ++++ b/test/net/fixtures/Makefile +@@ -5,11 +5,11 @@ regen_certs: + make server.crt + + cacert.pem: server.key +- openssl req -new -x509 -days 1825 -key server.key -out cacert.pem -text -subj "/C=JP/ST=Shimane/L=Matz-e city/O=Ruby Core Team/CN=Ruby Test CA/emailAddress=security@ruby-lang.org" ++ openssl req -new -x509 -days 3650 -key server.key -out cacert.pem -subj "/C=JP/ST=Shimane/L=Matz-e city/O=Ruby Core Team/CN=Ruby Test CA/emailAddress=security@ruby-lang.org" + + server.csr: +- openssl req -new -key server.key -out server.csr -text -subj "/C=JP/ST=Shimane/O=Ruby Core Team/OU=Ruby Test/CN=localhost" ++ openssl req -new -key server.key -out server.csr -subj "/C=JP/ST=Shimane/O=Ruby Core Team/OU=Ruby Test/CN=localhost" + + server.crt: server.csr cacert.pem +- openssl x509 -days 1825 -CA cacert.pem -CAkey server.key -set_serial 00 -in server.csr -req -text -out server.crt ++ openssl x509 -days 3650 -CA cacert.pem -CAkey server.key -set_serial 00 -in server.csr -req -out server.crt + rm server.csr +diff --git a/test/net/fixtures/cacert.pem b/test/net/fixtures/cacert.pem +index 
f623bd62ed375..24c83f1c65225 100644 +--- a/test/net/fixtures/cacert.pem ++++ b/test/net/fixtures/cacert.pem +@@ -1,24 +1,24 @@ + -----BEGIN CERTIFICATE----- +-MIID7TCCAtWgAwIBAgIJAIltvxrFAuSnMA0GCSqGSIb3DQEBCwUAMIGMMQswCQYD +-VQQGEwJKUDEQMA4GA1UECAwHU2hpbWFuZTEUMBIGA1UEBwwLTWF0ei1lIGNpdHkx +-FzAVBgNVBAoMDlJ1YnkgQ29yZSBUZWFtMRUwEwYDVQQDDAxSdWJ5IFRlc3QgQ0Ex +-JTAjBgkqhkiG9w0BCQEWFnNlY3VyaXR5QHJ1YnktbGFuZy5vcmcwHhcNMTkwMTAy +-MDI1ODI4WhcNMjQwMTAxMDI1ODI4WjCBjDELMAkGA1UEBhMCSlAxEDAOBgNVBAgM +-B1NoaW1hbmUxFDASBgNVBAcMC01hdHotZSBjaXR5MRcwFQYDVQQKDA5SdWJ5IENv +-cmUgVGVhbTEVMBMGA1UEAwwMUnVieSBUZXN0IENBMSUwIwYJKoZIhvcNAQkBFhZz +-ZWN1cml0eUBydWJ5LWxhbmcub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB +-CgKCAQEAznlbjRVhz1NlutHVrhcGnK8W0qug2ujKXv1njSC4U6nJF6py7I9EeehV +-SaKePyv+I9z3K1LnfUHOtUbdwdKC77yN66A6q2aqzu5q09/NSykcZGOIF0GuItYI +-3nvW3IqBddff2ffsyR+9pBjfb5AIPP08WowF9q4s1eGULwZc4w2B8PFhtxYANd7d +-BvGLXFlcufv9tDtzyRi4t7eqxCRJkZQIZNZ6DHHIJrNxejOILfHLarI12yk8VK6L +-2LG4WgGqyeePiRyd1o1MbuiAFYqAwpXNUbRKg5NaZGwBHZk8UZ+uFKt1QMBURO5R +-WFy1c349jbWszTqFyL4Lnbg9HhAowQIDAQABo1AwTjAdBgNVHQ4EFgQU9tEiKdU9 +-I9derQyc5nWPnc34nVMwHwYDVR0jBBgwFoAU9tEiKdU9I9derQyc5nWPnc34nVMw +-DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAxj7F/u3C3fgq24N7hGRA +-of7ClFQxGmo/IGT0AISzW3HiVYiFaikKhbO1NwD9aBpD8Zwe62sCqMh8jGV/b0+q +-aOORnWYNy2R6r9FkASAglmdF6xn3bhgGD5ls4pCvcG9FynGnGc24g6MrjFNrBYUS +-2iIZsg36i0IJswo/Dy6HLphCms2BMCD3DeWtfjePUiTmQHJo6HsQIKP/u4N4Fvee +-uMBInei2M4VU74fLXbmKl1F9AEX7JDP3BKSZG19Ch5pnUo4uXM1uNTGsi07P4Y0s +-K44+SKBC0bYEFbDK0eQWMrX3kIhkPxyIWhxdq9/NqPYjShuSEAhA6CSpmRg0pqc+ +-mA== ++MIID+zCCAuOgAwIBAgIUGMvHl3EhtKPKcgc3NQSAYfFuC+8wDQYJKoZIhvcNAQEL ++BQAwgYwxCzAJBgNVBAYTAkpQMRAwDgYDVQQIDAdTaGltYW5lMRQwEgYDVQQHDAtN ++YXR6LWUgY2l0eTEXMBUGA1UECgwOUnVieSBDb3JlIFRlYW0xFTATBgNVBAMMDFJ1 ++YnkgVGVzdCBDQTElMCMGCSqGSIb3DQEJARYWc2VjdXJpdHlAcnVieS1sYW5nLm9y ++ZzAeFw0yNDAxMDExMTQ3MjNaFw0zMzEyMjkxMTQ3MjNaMIGMMQswCQYDVQQGEwJK ++UDEQMA4GA1UECAwHU2hpbWFuZTEUMBIGA1UEBwwLTWF0ei1lIGNpdHkxFzAVBgNV 
++BAoMDlJ1YnkgQ29yZSBUZWFtMRUwEwYDVQQDDAxSdWJ5IFRlc3QgQ0ExJTAjBgkq ++hkiG9w0BCQEWFnNlY3VyaXR5QHJ1YnktbGFuZy5vcmcwggEiMA0GCSqGSIb3DQEB ++AQUAA4IBDwAwggEKAoIBAQCw+egZQ6eumJKq3hfKfED4dE/tL4FI5sjqont9ABVI +++1GSqyi1bFBgsRjM0THllIdMbKmJtWwnKW8J+5OgNN8y6Xxv8JmM/Y5vQt2lis0f ++qXmG8UTz0VTWdlAXXmhUs6lSADvAaIe4RVrCsZ97L3ZQTryY7JRVcbB4khUN3Gp0 ++yg+801SXzoFTTa+UGIRLE66jH51aa5VXu99hnv1OiH8tQrjdi8mH6uG/icq4XuIe ++NWMF32wHqIOOPvQcWV3M5D2vxJEj702Ku6k9OQXkAo17qRSEonWW4HtLbtmS8He1 ++JNPc/n3dVUm+fM6NoDXPoLP7j55G9zKyqGtGAWXAj1MTAgMBAAGjUzBRMB0GA1Ud ++DgQWBBSJGVleDvFp9cu9R+E0/OKYzGkwkTAfBgNVHSMEGDAWgBSJGVleDvFp9cu9 ++R+E0/OKYzGkwkTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBl ++8GLB8skAWlkSw/FwbUmEV3zyqu+p7PNP5YIYoZs0D74e7yVulGQ6PKMZH5hrZmHo ++orFSQU+VUUirG8nDGj7Rzce8WeWBxsaDGC8CE2dq6nC6LuUwtbdMnBrH0LRWAz48 ++jGFF3jHtVz8VsGfoZTZCjukWqNXvU6hETT9GsfU+PZqbqcTVRPH52+XgYayKdIbD ++r97RM4X3+aXBHcUW0b76eyyi65RR/Xtvn8ioZt2AdX7T2tZzJyXJN3Hupp77s6Ui ++AZR35SToHCZeTZD12YBvLBdaTPLZN7O/Q/aAO9ZiJaZ7SbFOjz813B2hxXab4Fob ++2uJX6eMWTVxYK5D4M9lm + -----END CERTIFICATE----- +diff --git a/test/net/fixtures/server.crt b/test/net/fixtures/server.crt +index 5ca78a6d146a0..5d2923795dabc 100644 +--- a/test/net/fixtures/server.crt ++++ b/test/net/fixtures/server.crt +@@ -1,82 +1,21 @@ +-Certificate: +- Data: +- Version: 3 (0x2) +- Serial Number: 2 (0x2) +- Signature Algorithm: sha256WithRSAEncryption +- Issuer: C=JP, ST=Shimane, L=Matz-e city, O=Ruby Core Team, CN=Ruby Test CA/emailAddress=security@ruby-lang.org +- Validity +- Not Before: Jan 2 03:27:13 2019 GMT +- Not After : Jan 1 03:27:13 2024 GMT +- Subject: C=JP, ST=Shimane, O=Ruby Core Team, OU=Ruby Test, CN=localhost +- Subject Public Key Info: +- Public Key Algorithm: rsaEncryption +- Public-Key: (2048 bit) +- Modulus: +- 00:e8:da:9c:01:2e:2b:10:ec:49:cd:5e:07:13:07: +- 9c:70:9e:c6:74:bc:13:c2:e1:6f:c6:82:fd:e3:48: +- e0:2c:a5:68:c7:9e:42:de:60:54:65:e6:6a:14:57: +- 7a:30:d0:cc:b5:b6:d9:c3:d2:df:c9:25:97:54:67: +- 
cf:f6:be:5e:cb:8b:ee:03:c5:e1:e2:f9:e7:f7:d1: +- 0c:47:f0:b8:da:33:5a:ad:41:ad:e7:b5:a2:7b:b7: +- bf:30:da:60:f8:e3:54:a2:bc:3a:fd:1b:74:d9:dc: +- 74:42:e9:29:be:df:ac:b4:4f:eb:32:f4:06:f1:e1: +- 8c:4b:a8:8b:fb:29:e7:b1:bf:1d:01:ee:73:0f:f9: +- 40:dc:d5:15:79:d9:c6:73:d0:c0:dd:cb:e4:da:19: +- 47:80:c6:14:04:72:fd:9a:7c:8f:11:82:76:49:04: +- 79:cc:f2:5c:31:22:95:13:3e:5d:40:a6:4d:e0:a3: +- 02:26:7d:52:3b:bb:ed:65:a1:0f:ed:6b:b0:3c:d4: +- de:61:15:5e:d3:dd:68:09:9f:4a:57:a5:c2:a9:6d: +- 86:92:c5:f4:a4:d4:b7:13:3b:52:63:24:05:e2:cc: +- e3:8a:3c:d4:35:34:2b:10:bb:58:72:e7:e1:8d:1d: +- 74:8c:61:16:20:3d:d0:1c:4e:8f:6e:fd:fe:64:10: +- 4f:41 +- Exponent: 65537 (0x10001) +- X509v3 extensions: +- X509v3 Basic Constraints: +- CA:FALSE +- Netscape Comment: +- OpenSSL Generated Certificate +- X509v3 Subject Key Identifier: +- ED:28:C2:7E:AB:4B:C8:E8:FE:55:6D:66:95:31:1C:2D:60:F9:02:36 +- X509v3 Authority Key Identifier: +- keyid:F6:D1:22:29:D5:3D:23:D7:5E:AD:0C:9C:E6:75:8F:9D:CD:F8:9D:53 +- +- Signature Algorithm: sha256WithRSAEncryption +- 1d:b8:c5:8b:72:41:20:65:ad:27:6f:15:63:06:26:12:8d:9c: +- ad:ca:f4:db:97:b4:90:cb:ff:35:94:bb:2a:a7:a1:ab:1e:35: +- 2d:a5:3f:c9:24:b0:1a:58:89:75:3e:81:0a:2c:4f:98:f9:51: +- fb:c0:a3:09:d0:0a:9b:e7:a2:b7:c3:60:40:c8:f4:6d:b2:6a: +- 56:12:17:4c:00:24:31:df:9c:60:ae:b1:68:54:a9:e6:b5:4a: +- 04:e6:92:05:86:d9:5a:dc:96:30:a5:58:de:14:99:0f:e5:15: +- 89:3e:9b:eb:80:e3:bd:83:c3:ea:33:35:4b:3e:2f:d3:0d:64: +- 93:67:7f:8d:f5:3f:0c:27:bc:37:5a:cc:d6:47:16:af:5a:62: +- d2:da:51:f8:74:06:6b:24:ad:28:68:08:98:37:7d:ed:0e:ab: +- 1e:82:61:05:d0:ba:75:a0:ab:21:b0:9a:fd:2b:54:86:1d:0d: +- 1f:c2:d4:77:1f:72:26:5e:ad:8a:9f:09:36:6d:44:be:74:c2: +- 5a:3e:ff:5c:9d:75:d6:38:7b:c5:39:f9:44:6e:a1:d1:8e:ff: +- 63:db:c4:bb:c6:91:92:ca:5c:60:9b:1d:eb:0a:de:08:ee:bf: +- da:76:03:65:62:29:8b:f8:7f:c7:86:73:1e:f6:1f:2d:89:69: +- fd:be:bd:6e + -----BEGIN CERTIFICATE----- +-MIID4zCCAsugAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBjDELMAkGA1UEBhMCSlAx 
+-EDAOBgNVBAgMB1NoaW1hbmUxFDASBgNVBAcMC01hdHotZSBjaXR5MRcwFQYDVQQK +-DA5SdWJ5IENvcmUgVGVhbTEVMBMGA1UEAwwMUnVieSBUZXN0IENBMSUwIwYJKoZI +-hvcNAQkBFhZzZWN1cml0eUBydWJ5LWxhbmcub3JnMB4XDTE5MDEwMjAzMjcxM1oX +-DTI0MDEwMTAzMjcxM1owYDELMAkGA1UEBhMCSlAxEDAOBgNVBAgMB1NoaW1hbmUx +-FzAVBgNVBAoMDlJ1YnkgQ29yZSBUZWFtMRIwEAYDVQQLDAlSdWJ5IFRlc3QxEjAQ +-BgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +-AOjanAEuKxDsSc1eBxMHnHCexnS8E8Lhb8aC/eNI4CylaMeeQt5gVGXmahRXejDQ +-zLW22cPS38kll1Rnz/a+XsuL7gPF4eL55/fRDEfwuNozWq1Bree1onu3vzDaYPjj +-VKK8Ov0bdNncdELpKb7frLRP6zL0BvHhjEuoi/sp57G/HQHucw/5QNzVFXnZxnPQ +-wN3L5NoZR4DGFARy/Zp8jxGCdkkEeczyXDEilRM+XUCmTeCjAiZ9Uju77WWhD+1r +-sDzU3mEVXtPdaAmfSlelwqlthpLF9KTUtxM7UmMkBeLM44o81DU0KxC7WHLn4Y0d +-dIxhFiA90BxOj279/mQQT0ECAwEAAaN7MHkwCQYDVR0TBAIwADAsBglghkgBhvhC +-AQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFO0o +-wn6rS8jo/lVtZpUxHC1g+QI2MB8GA1UdIwQYMBaAFPbRIinVPSPXXq0MnOZ1j53N +-+J1TMA0GCSqGSIb3DQEBCwUAA4IBAQAduMWLckEgZa0nbxVjBiYSjZytyvTbl7SQ +-y/81lLsqp6GrHjUtpT/JJLAaWIl1PoEKLE+Y+VH7wKMJ0Aqb56K3w2BAyPRtsmpW +-EhdMACQx35xgrrFoVKnmtUoE5pIFhtla3JYwpVjeFJkP5RWJPpvrgOO9g8PqMzVL +-Pi/TDWSTZ3+N9T8MJ7w3WszWRxavWmLS2lH4dAZrJK0oaAiYN33tDqsegmEF0Lp1 +-oKshsJr9K1SGHQ0fwtR3H3ImXq2Knwk2bUS+dMJaPv9cnXXWOHvFOflEbqHRjv9j +-28S7xpGSylxgmx3rCt4I7r/adgNlYimL+H/HhnMe9h8tiWn9vr1u ++MIIDYTCCAkkCAQAwDQYJKoZIhvcNAQELBQAwgYwxCzAJBgNVBAYTAkpQMRAwDgYD ++VQQIDAdTaGltYW5lMRQwEgYDVQQHDAtNYXR6LWUgY2l0eTEXMBUGA1UECgwOUnVi ++eSBDb3JlIFRlYW0xFTATBgNVBAMMDFJ1YnkgVGVzdCBDQTElMCMGCSqGSIb3DQEJ ++ARYWc2VjdXJpdHlAcnVieS1sYW5nLm9yZzAeFw0yNDAxMDExMTQ3MjNaFw0zMzEy ++MjkxMTQ3MjNaMGAxCzAJBgNVBAYTAkpQMRAwDgYDVQQIDAdTaGltYW5lMRcwFQYD ++VQQKDA5SdWJ5IENvcmUgVGVhbTESMBAGA1UECwwJUnVieSBUZXN0MRIwEAYDVQQD ++DAlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCw+egZ ++Q6eumJKq3hfKfED4dE/tL4FI5sjqont9ABVI+1GSqyi1bFBgsRjM0THllIdMbKmJ ++tWwnKW8J+5OgNN8y6Xxv8JmM/Y5vQt2lis0fqXmG8UTz0VTWdlAXXmhUs6lSADvA ++aIe4RVrCsZ97L3ZQTryY7JRVcbB4khUN3Gp0yg+801SXzoFTTa+UGIRLE66jH51a 
++a5VXu99hnv1OiH8tQrjdi8mH6uG/icq4XuIeNWMF32wHqIOOPvQcWV3M5D2vxJEj ++702Ku6k9OQXkAo17qRSEonWW4HtLbtmS8He1JNPc/n3dVUm+fM6NoDXPoLP7j55G ++9zKyqGtGAWXAj1MTAgMBAAEwDQYJKoZIhvcNAQELBQADggEBACtGNdj5TEtnJBYp ++M+LhBeU3oNteldfycEm993gJp6ghWZFg23oX8fVmyEeJr/3Ca9bAgDqg0t9a0npN ++oWKEY6wVKqcHgu3gSvThF5c9KhGbeDDmlTSVVNQmXWX0K2d4lS2cwZHH8mCm2mrY ++PDqlEkSc7k4qSiqigdS8i80Yk+lDXWsm8CjsiC93qaRM7DnS0WPQR0c16S95oM6G ++VklFKUSDAuFjw9aVWA/nahOucjn0w5fVW6lyIlkBslC1ChlaDgJmvhz+Ol3iMsE0 ++kAmFNu2KKPVrpMWaBID49QwQTDyhetNLaVVFM88iUdA9JDoVMEuP1mm39JqyzHTu ++uBrdP4Q= + -----END CERTIFICATE----- +diff --git a/test/net/fixtures/server.key b/test/net/fixtures/server.key +index 7f2380e71e637..6a83d5bcf4a52 100644 +--- a/test/net/fixtures/server.key ++++ b/test/net/fixtures/server.key +@@ -1,28 +1,27 @@ +------BEGIN PRIVATE KEY----- +-MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDo2pwBLisQ7EnN +-XgcTB5xwnsZ0vBPC4W/Ggv3jSOAspWjHnkLeYFRl5moUV3ow0My1ttnD0t/JJZdU +-Z8/2vl7Li+4DxeHi+ef30QxH8LjaM1qtQa3ntaJ7t78w2mD441SivDr9G3TZ3HRC +-6Sm+36y0T+sy9Abx4YxLqIv7Keexvx0B7nMP+UDc1RV52cZz0MDdy+TaGUeAxhQE +-cv2afI8RgnZJBHnM8lwxIpUTPl1Apk3gowImfVI7u+1loQ/ta7A81N5hFV7T3WgJ +-n0pXpcKpbYaSxfSk1LcTO1JjJAXizOOKPNQ1NCsQu1hy5+GNHXSMYRYgPdAcTo9u +-/f5kEE9BAgMBAAECggEBAOHkwhc7DLh8IhTDNSW26oMu5OP2WU1jmiYAigDmf+OQ +-DBgrZj+JQBci8qINQxL8XLukSZn5hvQCLc7Kbyu1/wyEEUFDxSGGwwzclodr9kho +-LX2LDASPZrOSzD2+fPi2wTKmXKuS6Uc44OjQfZkYMNkz9r4Vkm8xGgOD3VipjIYX +-QXlhhdqkXZcNABsihCV52GKkDFSVm8jv95YJc5xhoYCy/3a4/qPdF0aT2R7oYUej +-hKrxVDskyooe8Zg/JTydZNV5GQEDmW01/K3r6XGT26oPi1AqMU1gtv/jkW56CRQQ +-1got8smnqM+AV7Slf9R6DauIPdQJ2S8wsr/o8ISBsOECgYEA9YrqEP2gAYSGFXRt +-liw0WI2Ant8BqXS6yvq1jLo/qWhLw/ph4Di73OQ2mpycVTpgfGr2wFPQR1XJ+0Fd +-U+Ir/C3Q7FK4VIGHK7B0zNvZr5tEjlFfeRezo2JMVw5YWeSagIFcSwK+KqCTH9qc +-pw/Eb8nB/4XNcpTZu7Fg0Wc+ooUCgYEA8sVaicn1Wxkpb45a4qfrA6wOr5xdJ4cC +-A5qs7vjX2OdPIQOmoQhdI7bCWFXZzF33wA4YCws6j5wRaySLIJqdms8Gl9QnODy1 +-ZlA5gwKToBC/jqPmWAXSKb8EH7cHilaxU9OKnQ7CfwlGLHqjMtjrhR7KHlt3CVRs 
+-oRmvsjZVXI0CgYAmPedslAO6mMhFSSfULrhMXmV82OCqYrrA6EEkVNGbcdnzAOkD +-gfKIWabDd8bFY10po4Mguy0CHzNhBXIioWQWV5BlbhC1YKMLw+S9DzSdLAKGY9gJ +-xQ4+UQ3wtRQ/k+IYR413RUsW2oFvgZ3KSyNeAb9MK6uuv84VdG/OzVSs/QKBgQDn +-kap//l2EbObiWyaERunckdVcW0lcN+KK75J/TGwPoOwQsLvTpPe65kxRGGrtDsEQ +-uCDk/+v3KkZPLgdrrTAih9FhJ+PVN8tMcb+6IM4SA4fFFr/UPJEwct0LJ3oQ0grJ +-y+HPWFHb/Uurh7t99/4H98uR02sjQh1wOeEmm78mzQKBgQDm+LzGH0se6CXQ6cdZ +-g1JRZeXkDEsrW3hfAsW62xJQmXcWxBoblP9OamMY+A06rM5og3JbDk5Zm6JsOaA8 +-wS2gw4ilp46jors4eQey8ux7kB9LzdBoDBBElnsbjLO8oBNZlVcYXg+6BOl/CUi7 +-2whRF0FEjKA8ehrNhAq+VFfFNw== +------END PRIVATE KEY----- ++-----BEGIN RSA PRIVATE KEY----- ++MIIEowIBAAKCAQEAsPnoGUOnrpiSqt4XynxA+HRP7S+BSObI6qJ7fQAVSPtRkqso ++tWxQYLEYzNEx5ZSHTGypibVsJylvCfuToDTfMul8b/CZjP2Ob0LdpYrNH6l5hvFE ++89FU1nZQF15oVLOpUgA7wGiHuEVawrGfey92UE68mOyUVXGweJIVDdxqdMoPvNNU ++l86BU02vlBiESxOuox+dWmuVV7vfYZ79Toh/LUK43YvJh+rhv4nKuF7iHjVjBd9s ++B6iDjj70HFldzOQ9r8SRI+9NirupPTkF5AKNe6kUhKJ1luB7S27ZkvB3tSTT3P59 ++3VVJvnzOjaA1z6Cz+4+eRvcysqhrRgFlwI9TEwIDAQABAoIBAEEYiyDP29vCzx/+ ++dS3LqnI5BjUuJhXUnc6AWX/PCgVAO+8A+gZRgvct7PtZb0sM6P9ZcLrweomlGezI ++FrL0/6xQaa8bBr/ve/a8155OgcjFo6fZEw3Dz7ra5fbSiPmu4/b/kvrg+Br1l77J ++aun6uUAs1f5B9wW+vbR7tzbT/mxaUeDiBzKpe15GwcvbJtdIVMa2YErtRjc1/5B2 ++BGVXyvlJv0SIlcIEMsHgnAFOp1ZgQ08aDzvilLq8XVMOahAhP1O2A3X8hKdXPyrx ++IVWE9bS9ptTo+eF6eNl+d7htpKGEZHUxinoQpWEBTv+iOoHsVunkEJ3vjLP3lyI/ ++fY0NQ1ECgYEA3RBXAjgvIys2gfU3keImF8e/TprLge1I2vbWmV2j6rZCg5r/AS0u ++pii5CvJ5/T5vfJPNgPBy8B/yRDs+6PJO1GmnlhOkG9JAIPkv0RBZvR0PMBtbp6nT ++Y3yo1lwamBVBfY6rc0sLTzosZh2aGoLzrHNMQFMGaauORzBFpY5lU50CgYEAzPHl ++u5DI6Xgep1vr8QvCUuEesCOgJg8Yh1UqVoY/SmQh6MYAv1I9bLGwrb3WW/7kqIoD ++fj0aQV5buVZI2loMomtU9KY5SFIsPV+JuUpy7/+VE01ZQM5FdY8wiYCQiVZYju9X ++Wz5LxMNoz+gT7pwlLCsC4N+R8aoBk404aF1gum8CgYAJ7VTq7Zj4TFV7Soa/T1eE ++k9y8a+kdoYk3BASpCHJ29M5R2KEA7YV9wrBklHTz8VzSTFTbKHEQ5W5csAhoL5Fo ++qoHzFFi3Qx7MHESQb9qHyolHEMNx6QdsHUn7rlEnaTTyrXh3ifQtD6C0yTmFXUIS ++CW9wKApOrnyKJ9nI0HcuZQKBgQCMtoV6e9VGX4AEfpuHvAAnMYQFgeBiYTkBKltQ 
++XwozhH63uMMomUmtSG87Sz1TmrXadjAhy8gsG6I0pWaN7QgBuFnzQ/HOkwTm+qKw ++AsrZt4zeXNwsH7QXHEJCFnCmqw9QzEoZTrNtHJHpNboBuVnYcoueZEJrP8OnUG3r ++UjmopwKBgAqB2KYYMUqAOvYcBnEfLDmyZv9BTVNHbR2lKkMYqv5LlvDaBxVfilE0 ++2riO4p6BaAdvzXjKeRrGNEKoHNBpOSfYCOM16NjL8hIZB1CaV3WbT5oY+jp7Mzd5 ++7d56RZOE+ERK2uz/7JX9VSsM/LbH9pJibd4e8mikDS9ntciqOH/3 ++-----END RSA PRIVATE KEY----- diff --git a/SOURCES/ruby-ext-openssl-extconf.rb-ignore-OpenSSL-version-check.patch b/SOURCES/ruby-ext-openssl-extconf.rb-ignore-OpenSSL-version-check.patch new file mode 100644 index 0000000..0306a94 --- /dev/null +++ b/SOURCES/ruby-ext-openssl-extconf.rb-ignore-OpenSSL-version-check.patch @@ -0,0 +1,25 @@ +From 58ebf0f84a1dcb148f21aa589693d49d4e3be7de Mon Sep 17 00:00:00 2001 +From: Jun Aruga +Date: Thu, 2 May 2024 17:23:09 +0200 +Subject: [PATCH] Allow OpenSSL 3 in Ruby OpenSSL 2.x. + +--- + ext/openssl/extconf.rb | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb +index 0dc1a5eb43..51de0d6e39 100644 +--- a/ext/openssl/extconf.rb ++++ b/ext/openssl/extconf.rb +@@ -110,7 +110,7 @@ def find_openssl_library + !try_static_assert("OPENSSL_VERSION_MAJOR >= 3", "openssl/opensslv.h") } + end + unless version_ok +- raise "OpenSSL >= 1.0.1, < 3.0.0 or LibreSSL >= 2.5.0 is required" ++ # raise "OpenSSL >= 1.0.1, < 3.0.0 or LibreSSL >= 2.5.0 is required" + end + + # Prevent wincrypt.h from being included, which defines conflicting macro with openssl/x509.h +-- +2.44.0 + diff --git a/SOURCES/ruby-spec-Fix-tests-on-tzdata-2022b.patch b/SOURCES/ruby-spec-Fix-tests-on-tzdata-2022b.patch new file mode 100644 index 0000000..ad42fbd --- /dev/null +++ b/SOURCES/ruby-spec-Fix-tests-on-tzdata-2022b.patch 
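Review bot: The Makefile rules in this patch sign both cacert.pem and server.crt with server.key (`-key server.key`, `-CAkey server.key`), and the commit message says that key is now the publicly known RFC 9500 test key, so any party can issue certificates that chain to this CA. That is acceptable for loopback tests, but nothing in the fixtures themselves says so. I would add a comment above the `cacert.pem:` rule such as `# server.key is the public RFC 9500 test key; these certificates authenticate nothing and must never be added to a trust store`. The validity also goes from 1825 to 3650 days, which makes it more important that the fixtures are not packaged or reused outside the test suite.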
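Review bot: Commenting out the `raise` under `unless version_ok` leaves an empty conditional and switches off the whole version check, so the lower bounds named in the message (OpenSSL >= 1.0.1, LibreSSL >= 2.5.0) are no longer enforced either, although the patch subject only asks to allow OpenSSL 3. If the intent is only to lift the `< 3.0.0` cap, a narrower change would keep the floor; failing that, replace the dead block with a visible notice, e.g. `warn "OpenSSL version check bypassed by downstream patch" unless version_ok`, so build logs record that the guard did not pass. The computation of `version_ok` starts outside the hunk, so the narrower form is not written out here.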
@@ -0,0 +1,48 @@
+From 7e9ec8a20b0f7469b415283d2ec0c22087f8eb2b Mon Sep 17 00:00:00 2001
+From: Jun Aruga
+Date: Wed, 24 Aug 2022 12:02:56 +0200
+Subject: [PATCH] Fix tests with Europe/Amsterdam pre-1970 time on tzdata
+ version 2022b.
+
+The Time Zone Database (tzdata) changed the pre-1970 timestamps in some zones
+including Europe/Amsterdam on tzdata version 2022b or later.
+See .
+
+The tzdata RPM package maintainer on Fedora project suggested changing the Ruby
+test, because the change is intentional.
+See .
+
+We use post-1970 time test data to simplify the test.
+---
+ spec/ruby/core/time/shared/local.rb | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/spec/ruby/core/time/shared/local.rb b/spec/ruby/core/time/shared/local.rb
+index 997b7186f1..c4aa7a7ea9 100644
+--- a/spec/ruby/core/time/shared/local.rb
++++ b/spec/ruby/core/time/shared/local.rb
+@@ -6,18 +6,16 @@
+ end
+ end
+
+-=begin
+ platform_is_not :windows do
+ describe "timezone changes" do
+- it "correctly adjusts the timezone change to 'CEST' on 'Europe/Amsterdam'" do
++ it "correctly adjusts the timezone change to 'CET' on 'Europe/Amsterdam'" do
+ with_timezone("Europe/Amsterdam") do
+- Time.send(@method, 1940, 5, 16).to_a.should ==
+- [0, 40, 1, 16, 5, 1940, 4, 137, true, "CEST"]
++ Time.send(@method, 1970, 5, 16).to_a.should ==
++ [0, 0, 0, 16, 5, 1970, 6, 136, false, "CET"]
+ end
+ end
+ end
+ end
+-=end
+ end
+
+ describe :time_local_10_arg, shared: true do
+--
+2.36.1
+
diff --git a/SOURCES/test_openssl_fips.rb b/SOURCES/test_openssl_fips.rb
new file mode 100644
index 0000000..ffc7883
--- /dev/null
+++ b/SOURCES/test_openssl_fips.rb
@@ -0,0 +1,34 @@ +require 'openssl' + +# Run openssl tests in OpenSSL FIPS. See the link below for how to test. +# https://github.com/ruby/openssl/blob/master/.github/workflows/test.yml +# - step name: test on fips module + +# Listing the testing files by an array explicitly rather than the `Dir.glob` +# to prevent the test files from not loading unintentionally. +TEST_FILES = %w[ + test/openssl/test_fips.rb + test/openssl/test_pkey.rb +].freeze + +if ARGV.empty? + puts 'ERROR: Argument base_dir required.' + puts "Usage: #{__FILE__} base_dir [options]" + exit false +end +BASE_DIR = ARGV[0] +abs_test_files = TEST_FILES.map { |file| File.join(BASE_DIR, file) } + +# Set Fedora/RHEL downstream OpenSSL downstream environment variable to enable +# FIPS module in non-FIPS OS environment. It is available in Fedora 38 or later +# versions. +# https://src.fedoraproject.org/rpms/openssl/blob/rawhide/f/0009-Add-Kernel-FIPS-mode-flag-support.patch +ENV['OPENSSL_FORCE_FIPS_MODE'] = '1' +# A flag to tell the tests the current environment is FIPS enabled. +# https://github.com/ruby/openssl/blob/master/test/openssl/test_fips.rb +ENV['TEST_RUBY_OPENSSL_FIPS_ENABLED'] = 'true' + +abs_test_files.each do |file| + puts "INFO: Loading #{file}." + require file +end diff --git a/SPECS/ruby.spec b/SPECS/ruby.spec index 7bd2e57..ed0f144 100644 --- a/SPECS/ruby.spec +++ b/SPECS/ruby.spec @@ -1,6 +1,6 @@ %global major_version 3 %global minor_version 0 -%global teeny_version 4 +%global teeny_version 7 %global major_minor_version %{major_version}.%{minor_version} %global ruby_version %{major_minor_version}.%{teeny_version} @@ -22,7 +22,7 @@ %endif -%global release 160 +%global release 162 %{!?release_string:%define release_string %{?development_release:0.}%{release}%{?development_release:.%{development_release}}%{?dist}} # The RubyGems library has to stay out of Ruby directory tree, since the 
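Review bot: `ENV['OPENSSL_FORCE_FIPS_MODE'] = '1'` is assigned after `require 'openssl'` on the script's first line, and test/openssl/test_pkey.rb is then loaded into this same process, so whether those tests really run with the FIPS module active depends on when the library reads the variable, which this page does not show. If it is read at load time, the in-process tests would exercise non-FIPS code paths while the job reports a FIPS run. I would move the two `ENV[...]` assignments above the `require`, and fail closed before the load loop with `abort 'ERROR: FIPS mode is not enabled.' unless OpenSSL.fips_mode`.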
@@ -41,7 +41,7 @@ %global bundler_net_http_persistent_version 4.0.0 %global bundler_thor_version 1.1.0 %global bundler_tmpdir_version 0.1.0 -%global bundler_uri_version 0.10.0 +%global bundler_uri_version 0.10.0.3 %global bigdecimal_version 3.0.0 %global did_you_mean_version 1.5.0 @@ -49,14 +49,14 @@ %global io_console_version 0.5.7 %global irb_version 1.3.5 %global json_version 2.5.1 -%global openssl_version 2.2.1 +%global openssl_version 2.2.2 %global psych_version 3.3.2 %global racc_version 1.5.2 -%global rdoc_version 6.3.3 +%global rdoc_version 6.3.4.1 # Bundled gems. %global minitest_version 5.14.2 -%global power_assert_version 1.2.0 +%global power_assert_version 1.2.1 %global rake_version 13.0.3 %global rbs_version 1.4.0 %global test_unit_version 3.3.7 @@ -106,6 +106,8 @@ Source11: rubygems.con Source13: test_abrt.rb # SystemTap tests. Source14: test_systemtap.rb +# Ruby OpenSSL FIPS tests. +Source15: test_openssl_fips.rb # The load directive is supported since RPM 4.12, i.e. F21+. The build process # fails on older Fedoras. @@ -181,9 +183,9 @@ Patch22: rubygems-3.2.33-Fix-loading-operating_system-rb-customizations-too-late # OpenSSL 3.0 compatibility patches -# Revert OpenSSL < 3.x enforcement. -# https://github.com/ruby/openssl/commit/202ff1372a40a8adf9aac74bfe8a39141b0c57e5 -Patch30: ruby-3.0.3-ext-openssl-extconf.rb-require-OpenSSL-version-1.0.1.patch +# Ignore OpenSSL version check to allow OpenSSL 3 in Ruby OpenSSL 2.x. +# https://github.com/ruby/openssl?tab=readme-ov-file#compatibility-and-maintenance-policy +Patch30: ruby-ext-openssl-extconf.rb-ignore-OpenSSL-version-check.patch # Fix test broken by wrongly formatted distinguished name submitted to # `OpenSSL::X509::Name.parse`. 
@@ -261,6 +263,40 @@ Patch59: ruby-3.1.1-ossl_ocsp-use-null.patch # Replace SHA1 usage in tests. # https://github.com/ruby/openssl/pull/511 Patch60: ruby-3.1.2-ossl-tests-replace-sha1.patch +# Fix tests with Europe/Amsterdam pre-1970 time on tzdata version 2022b. +# https://github.com/ruby/spec/pull/939 +Patch62: ruby-spec-Fix-tests-on-tzdata-2022b.patch +# Fix File.utime test. +# https://github.com/ruby/ruby/commit/8d1109c03bacc952b6218af2e4ae9b74c9855273 +Patch64: ruby-3.3.0-test-file-utime.patch +# Fix OpenSSL.fips_mode in OpenSSL 3 FIPS. +# https://github.com/ruby/openssl/pull/608 +# https://github.com/ruby/ruby/commit/678d41bc51fe31834eec0b653ba0e47de5420aa0 +Patch65: ruby-3.3.0-openssl-3.2.0-fix-fips-get-set-in-openssl-3.patch +# Fix OpenSSL::PKey.read in OpenSSL 3 FIPS. +# The patch is a combination of the following 2 commits to simplify the patch. +# https://github.com/ruby/openssl/pull/615 +# https://github.com/ruby/ruby/commit/2a4834057b30a26c38ece3961b370c0b2ee59380 +# https://github.com/ruby/openssl/pull/669 +# https://github.com/ruby/ruby/commit/b0ec1db8a72c530460abd9462ac75845362886bd +Patch66: ruby-3.3.0-openssl-3.2.0-fips-fix-pkey-read-in-openssl-3.patch +# Enable tests in OpenSSL FIPS. 
+# https://github.com/ruby/openssl/pull/615 +# https://github.com/ruby/ruby/commit/920bc71284f417f9044b0dc1822b1d29a8fc61e5 +Patch67: ruby-3.3.0-openssl-3.2.0-fips-enable-tests.patch +# ssl: use ffdhe2048 from RFC 7919 as the default DH group parameters +# https://github.com/ruby/openssl/pull/674 +# https://github.com/ruby/ruby/commit/b6d7cdc2bad0eadbca73f3486917f0ec7a475814 +Patch68: ruby-3.3.0-openssl-3.2.0-fips-fix-pkey-dh-require-openssl.patch + +# Fix net-http test errors due to expired certificate +# https://github.com/ruby/ruby/commit/d3933fc753187a055a4904af82f5f3794c88c416 +# https://bugs.ruby-lang.org/issues/20106 +Patch69: ruby-3.4.0-ruby-net-http-Renew-test-certificates.patch +# Fix `TestNetHTTPS#test_session_reuse_but_expire` test failure cause by +# to OpenSSL 3.2 +# https://github.com/ruby/ruby/commit/64b6a018a38f200c957fdbbe7d0cbe0e64781c9f +Patch70: ruby-3.3.1-Fix-test-session-reuse-but-expire.patch Requires: %{name}-libs%{?_isa} = %{version}-%{release} Suggests: rubypick @@ -703,7 +739,7 @@ rm -rf ext/fiddle/libffi* %patch20 -p1 %patch21 -p1 %patch22 -p1 -%patch30 -p1 -R +%patch30 -p1 %patch31 -p1 %patch40 -p1 %patch41 -p1 @@ -726,6 +762,14 @@ rm -rf ext/fiddle/libffi* %patch58 -p1 %patch59 %patch60 -p1 +%patch62 -p1 +%patch64 -p1 +%patch65 -p1 +%patch66 -p1 +%patch67 -p1 +%patch68 -p1 +%patch69 -p1 +%patch70 -p1 # Provide an example of usage of the tapset: cp -a %{SOURCE3} . 
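Review bot: The comment above `Patch70` cites commit 64b6a018a38f200c957fdbbe7d0cbe0e64781c9f, but the patch file added in this same change carries `From 1816c142a4d66a75c23ccf6fd89a06cbe422e34f` and says it imports 45064610725ddd81a5ea3775da35aa46985bc789 from the ruby_3_3 branch, so a reader cannot match the shipped patch to the cited upstream commit from the spec alone. I would cite the commit the patch was actually generated from, or list the related hashes with a word on how they relate, so the provenance of each downstream patch can be checked. The same comment also reads "cause by to OpenSSL 3.2", which should be "caused by OpenSSL 3.2".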
@@ -998,6 +1042,13 @@ MSPECOPTS="" # Avoid `hostname' dependency. %{!?with_hostname:MSPECOPTS="-P 'Socket.gethostname returns the host name'"} +# Some infra allows DNS resolution but then does not allow +# connection to proceed, let's ignore it altogether for now. +# Our expectation is that there is no network connectivity outside +# available loopback interface. That is not the reality currently. +# https://issues.redhat.com/browse/CS-1959 +DISABLE_TESTS="$DISABLE_TESTS -n !/TestBundledCA/" + # Several test broken by libffi-3.4.2. There should be fix in libffi, once # other components are fixed. # https://bugzilla.redhat.com/show_bug.cgi?id=2040380 @@ -1017,6 +1068,11 @@ OPENSSL_ENABLE_SHA1_SIGNATURES=1 \ %{?test_timeout_scale:RUBY_TEST_TIMEOUT_SCALE="%{test_timeout_scale}"} \ make check TESTS="-v $DISABLE_TESTS" MSPECOPT="-fs $MSPECOPTS" +# Run Ruby OpenSSL tests in OpenSSL FIPS. +make runruby TESTRUN_SCRIPT=" \ + -I%{_builddir}/%{buildsubdir}/tool/lib --enable-gems \ + %{SOURCE15} %{_builddir}/%{buildsubdir} --verbose" + %files %license BSDL %license COPYING @@ -1272,7 +1328,7 @@ OPENSSL_ENABLE_SHA1_SIGNATURES=1 \ %{gem_dir}/specifications/default/abbrev-0.1.0.gemspec %{gem_dir}/specifications/default/base64-0.1.0.gemspec %{gem_dir}/specifications/default/benchmark-0.1.1.gemspec -%{gem_dir}/specifications/default/cgi-0.2.1.gemspec +%{gem_dir}/specifications/default/cgi-0.2.2.gemspec %{gem_dir}/specifications/default/csv-3.1.9.gemspec %{gem_dir}/specifications/default/date-3.1.3.gemspec %{gem_dir}/specifications/default/dbm-1.1.0.gemspec 
@@ -1326,17 +1382,17 @@ OPENSSL_ENABLE_SHA1_SIGNATURES=1 \ %{gem_dir}/specifications/default/set-1.0.1.gemspec %{gem_dir}/specifications/default/shellwords-0.1.0.gemspec %{gem_dir}/specifications/default/singleton-0.1.1.gemspec -%{gem_dir}/specifications/default/stringio-3.0.1.gemspec +%{gem_dir}/specifications/default/stringio-3.0.1.1.gemspec %{gem_dir}/specifications/default/strscan-3.0.1.gemspec %{gem_dir}/specifications/default/syslog-0.1.0.gemspec %{gem_dir}/specifications/default/tempfile-0.1.1.gemspec -%{gem_dir}/specifications/default/time-0.1.0.gemspec +%{gem_dir}/specifications/default/time-0.1.1.gemspec %{gem_dir}/specifications/default/timeout-0.1.1.gemspec %{gem_dir}/specifications/default/tmpdir-0.1.2.gemspec %{gem_dir}/specifications/default/tsort-0.1.0.gemspec %{gem_dir}/specifications/default/tracer-0.1.1.gemspec %{gem_dir}/specifications/default/un-0.1.0.gemspec -%{gem_dir}/specifications/default/uri-0.10.1.gemspec +%{gem_dir}/specifications/default/uri-0.10.3.gemspec %{gem_dir}/specifications/default/weakref-0.1.1.gemspec #%%{gem_dir}/specifications/default/win32ole-1.8.8.gemspec %{gem_dir}/specifications/default/yaml-0.1.1.gemspec 
@@ -1489,14 +1545,42 @@ OPENSSL_ENABLE_SHA1_SIGNATURES=1 \ %changelog +* Tue Apr 30 2024 Jun Aruga - 3.0.7-162 +- Upgrade to Ruby 3.0.7. + Resolves: RHEL-35740 +- Fix HTTP response splitting in CGI. + Resolves: RHEL-35741 +- Fix ReDoS vulnerability in URI. + Resolves: RHEL-35742 +- Fix ReDoS vulnerability in Time. + Resolves: RHEL-35743 +- Fix buffer overread vulnerability in StringIO. + Resolves: RHEL-35744 +- Fix RCE vulnerability with .rdoc_options in RDoc. + Resolves: RHEL-35746 +- Fix arbitrary memory address read vulnerability with Regex search. + Resolves: RHEL-35747 + +* Mon Oct 09 2023 Jun Aruga - 3.0.4-161 +- Fix OpenSSL.fips_mode and OpenSSL::PKey.read in OpenSSL 3 FIPS. + Resolves: RHEL-12724 +- ssl: use ffdhe2048 from RFC 7919 as the default DH group parameters + Related: RHEL-12724 + +* Wed Jun 28 2023 Jun Aruga - 3.0.4-160 +- Bypass git submodule test failure on Git >= 2.38.1. +- Fix tests with Europe/Amsterdam pre-1970 time on tzdata version 2022b. +- Fix for tzdata-2022g. +- Fix File.utime test. + * Wed Mar 15 2023 MSVSphere Packaging Team - 3.0.4-160 - Rebuilt for MSVSphere 9.1. * Fri Jul 08 2022 Jarek Prokop - 3.0.4-160 - Upgrade to Ruby 3.0.4. - Resolves: rhbz#2109428 + Resolves: rhbz#2096347 - OpenSSL test suite fixes due to disabled SHA1. - Related: rbhz#2109428 + Resolves: rbhz#2107696 - Fix double free in Regexp compilation. Resolves: CVE-2022-28738 - Fix buffer overrun in String-to-Float conversion.