    ssl: use ffdhe2048 from RFC 7919 as the default DH group parameter · e0deda71
    Jun Aruga authored
    This commit fixes the following failures in OpenSSL FIPS mode, using
    `OPENSSL_FORCE_FIPS_MODE=1`, in a CentOS Stream 9 non-FIPS OS environment.
    
    ```
    $ cat /etc/redhat-release
    CentOS Stream release 9
    
    $ rpm -q openssl
    openssl-3.0.7-24.el9.x86_64
    
    $ pwd
    /builddir/build/BUILD/ruby-3.1.2
    
    $ make runruby 'TESTRUN_SCRIPT= \
       -I/builddir/build/BUILD/ruby-3.1.2/tool/lib --enable-gems \
       /builddir/build/SOURCES/test_openssl_fips.rb /builddir/build/BUILD/ruby-3.1.2 --verbose'
    ...
      1) Failure:
    OpenSSL::TestFIPS#test_fips_mode_get_with_fips_mode_set [/builddir/build/BUILD/ruby-3.1.2/test/openssl/test_fips.rb:38]:
    assert_separately failed with error message
    pid 2043890 exit 1
    | /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/pkey.rb:132:in `initialize': could not parse pkey (OpenSSL::PKey::DHError)
    | 	from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/pkey.rb:132:in `new'
    | 	from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/pkey.rb:132:in `new'
    | 	from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/ssl.rb:34:in `<class:SSLContext>'
    | 	from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/ssl.rb:20:in `<module:SSL>'
    | 	from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/ssl.rb:19:in `<module:OpenSSL>'
    | 	from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/ssl.rb:18:in `<top (required)>'
    | 	from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl.rb:21:in `require_relative'
    | 	from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl.rb:21:in `<top (required)>'
    | 	from -:in `require'
      2) Failure:
    OpenSSL::TestFIPS#test_fips_mode_get_is_true_on_fips_mode_enabled [/builddir/build/BUILD/ruby-3.1.2/test/openssl/test_fips.rb:12]:
    assert_separately failed with error message
    pid 2043891 exit 1
    | /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/pkey.rb:132:in `initialize': could not parse pkey (OpenSSL::PKey::DHError)
    | 	from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/pkey.rb:132:in `new'
    | 	from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/pkey.rb:132:in `new'
    | 	from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/ssl.rb:34:in `<class:SSLContext>'
    | 	from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/ssl.rb:20:in `<module:SSL>'
    | 	from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/ssl.rb:19:in `<module:OpenSSL>'
    | 	from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/ssl.rb:18:in `<top (required)>'
    | 	from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl.rb:21:in `require_relative'
    | 	from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl.rb:21:in `<top (required)>'
    | 	from -:in `require'
    
    Finished tests in 0.154373s, 77.7337 tests/s, 369.2351 assertions/s.
    12 tests, 57 assertions, 2 failures, 0 errors, 1 skips
    
    ruby -v: ruby 3.1.2p20 (2022-04-12 revision 4491bb740a) [x86_64-linux]
    make: *** [uncommon.mk:1249: runruby] Error 2
    ```
    
    Note that we observed the issue in a RHEL 9.4 Beta non-FIPS OS environment too.
    The error happened when applying the patch
    ruby-3.3.0-openssl-3.2.0-fips-fix-pkey-read-in-openssl-3.patch,
    which rewrites `ossl_pkey_read_generic` properly.
    The error didn't happen without the patch.
    
    ```
    $ cat /etc/redhat-release
    Red Hat Enterprise Linux release 9.4 Beta (Plow)
    
    $ OPENSSL_FORCE_FIPS_MODE=1 bundle exec ruby -I./lib -e "require 'openssl'"
    /builddir/work/ruby/openssl/lib/openssl/pkey.rb:132:in `initialize': could not parse pkey (OpenSSL::PKey::DHError)
      from /builddir/work/ruby/openssl/lib/openssl/pkey.rb:132:in `new'
      from /builddir/work/ruby/openssl/lib/openssl/pkey.rb:132:in `new'
      from /builddir/work/ruby/openssl/lib/openssl/ssl.rb:34:in `<class:SSLContext>'
      from /builddir/work/ruby/openssl/lib/openssl/ssl.rb:20:in `<module:SSL>'
      from /builddir/work/ruby/openssl/lib/openssl/ssl.rb:19:in `<module:OpenSSL>'
      from /builddir/work/ruby/openssl/lib/openssl/ssl.rb:18:in `<top (required)>'
      from /builddir/work/ruby/openssl/lib/openssl.rb:21:in `require_relative'
      from /builddir/work/ruby/openssl/lib/openssl.rb:21:in `<top (required)>'
      from -e:1:in `require'
      from -e:1:in `<main>'
    ```
    
    Related: RHEL-12724
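Added example (not part of this commit or of the ruby/openssl code base): a Ruby script that loads the RFC 7919 ffdhe2048 group this commit switches the default to, reports the properties a reviewer would want confirmed for a shared default TLS DH group, and runs a key exchange over it. Assumptions: the PEM below is the standard ffdhe2048 encoding (check it against RFC 7919 Appendix A.1 before copying it elsewhere; the script confirms a 2048-bit safe-prime group with g = 2, not byte-for-byte identity with the RFC constant), and the function names `dh_param_report` and `dh_shared_secret` are mine. The script does not reproduce the FIPS failure in the log above; it only shows what the replacement group looks like once it parses. As I understand it, OpenSSL 3's FIPS provider loads DH parameters only for the named safe-prime groups, which is why a locally generated default group fails with "could not parse pkey" under `OPENSSL_FORCE_FIPS_MODE=1` while the RFC 7919 group does not; that reading is mine and is not stated in the commit message.

```ruby
require "openssl"

# RFC 7919 ffdhe2048 group, PEM-encoded DH parameters (p and g only).
# Constant reproduced here for the example; verify against RFC 7919 A.1.
FFDHE2048_PEM = <<~PEM
  -----BEGIN DH PARAMETERS-----
  MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
  +8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
  87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
  YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
  7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
  ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
  -----END DH PARAMETERS-----
PEM

# Parse a DH parameter PEM the same way OpenSSL::SSL::SSLContext does
# (OpenSSL::PKey::DH.new raises OpenSSL::PKey::DHError on failure, which is
# the exception seen in the FIPS log) and report what matters for a default
# TLS group: modulus size, generator, p being a safe prime (p = 2q + 1 with
# q prime), and the object carrying parameters only, no private key.
def dh_param_report(pem)
  dh = OpenSSL::PKey::DH.new(pem)
  p = dh.p
  q = (p - OpenSSL::BN.new(1)) >> 1      # OpenSSL::BN right shift
  {
    bits: p.num_bits,
    generator: dh.g.to_i,
    safe_prime: p.prime? && q.prime?,    # Miller-Rabin, probabilistic
    params_only: !dh.private?,
  }
end

# Run a DH exchange over the group to show the parameters are usable end to
# end. Uses the openssl gem >= 3.0 API (OpenSSL::PKey.generate_key / #derive),
# with a fallback to the gem 2.x API where that is not available.
def dh_shared_secret(params)
  if OpenSSL::PKey.respond_to?(:generate_key)
    alice = OpenSSL::PKey.generate_key(params)
    bob   = OpenSSL::PKey.generate_key(params)
    [alice.derive(bob), bob.derive(alice)]
  else
    alice = params.dup.generate_key!
    bob   = params.dup.generate_key!
    [alice.compute_key(bob.pub_key), bob.compute_key(alice.pub_key)]
  end
end

if $PROGRAM_NAME == __FILE__
  puts "#{OpenSSL::OPENSSL_LIBRARY_VERSION}, fips_mode=#{OpenSSL.fips_mode}"
  puts dh_param_report(FFDHE2048_PEM).inspect
  a, b = dh_shared_secret(OpenSSL::PKey::DH.new(FFDHE2048_PEM))
  puts "shared secrets match: #{a == b} (#{a.bytesize} bytes)"
end
```

Run it as `ruby dh_default_group.rb`; on a RHEL or CentOS Stream build, prefix it with `OPENSSL_FORCE_FIPS_MODE=1` as in the commit message to see `fips_mode=true` and confirm that the named group still parses there. The safe-prime check is the part worth keeping in a test suite: a group that fails it should never be a library default, whatever its size.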