Upgrade to Ruby 3.1.0 (fdf3996349).

2021-12-22 14:55:03 +01:00 · 2021-12-22 14:55:03 +01:00 · 00ba817911
commit 00ba817911
parent 7e982d49d8
2 changed files with 113 additions and 8 deletions
--- a/ruby.spec
+++ b/ruby.spec
@ -10,7 +10,7 @@
 #%%global milestone rc1

 # Keep the revision enabled for pre-releases from GIT.
-%global revision cdb7d699d0
+%global revision fdf3996349

 %global ruby_archive %{name}-%{ruby_version}

@ -152,13 +152,12 @@ Patch6: ruby-2.7.0-Initialize-ABRT-hook.patch
 # Avoid possible timeout errors in TestBugReporter#test_bug_reporter_add.
 # https://bugs.ruby-lang.org/issues/16492
 Patch19: ruby-2.7.1-Timeout-the-test_bug_reporter_add-witout-raising-err.patch
-
-
-# OpenSSL 3.0 compatibility patches
-
 # Fix `TestPumaControlCli#test_control_ssl` testcase in Puma.
 # https://github.com/ruby/openssl/pull/399#issuecomment-966239736
-Patch53: ruby-3.1.0-SSL_read-EOF-handling.patch
+Patch20: ruby-3.1.0-SSL_read-EOF-handling.patch
+# Fix several RubyGems test failures due to OpenSSL 3.x.
+# https://github.com/rubygems/rubygems/pull/5196
+Patch21: rubygems-3.3.1-Fix-compatibility-with-OpenSSL-3.0.patch

 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 Suggests: rubypick
@ -616,7 +615,8 @@ rm -rf ext/fiddle/libffi*
 %patch5 -p1
 %patch6 -p1
 %patch19 -p1
-%patch53 -p1
+%patch20 -p1
+%patch21 -p1

 # Provide an example of usage of the tapset:
 cp -a %{SOURCE3} .
@ -1459,7 +1459,7 @@ DISABLE_TESTS="$DISABLE_TESTS -n !/TestReadline#test_interrupt_in_other_thread/"

 %changelog
 * Wed Dec 01 2021 Vít Ondruch <vondruch@redhat.com> - 3.1.0-1
- Upgrade to Ruby 3.1.0 (cdb7d699d0).
+- Upgrade to Ruby 3.1.0 (fdf3996349).

 * Thu Nov 25 2021 Vít Ondruch <vondruch@redhat.com> - 3.0.2-154
 - Upgrade to Ruby 3.0.3.
--- a/rubygems-3.3.1-Fix-compatibility-with-OpenSSL-3.0.patch
+++ b/rubygems-3.3.1-Fix-compatibility-with-OpenSSL-3.0.patch
@ -0,0 +1,105 @@
+From 558128594de16add5b453833fd5b043a24c1b7f5 Mon Sep 17 00:00:00 2001
+From: Kazuki Yamaguchi <k@rhe.jp>
+Date: Wed, 22 Dec 2021 01:38:47 +0900
+Subject: [PATCH 1/3] Use OpenSSL::PKey::EC.generate to generate ECC key pairs
+
+When Ruby/OpenSSL is built against OpenSSL 3.0, OpenSSL::PKey::PKey
+instances are immutable and OpenSSL::PKey::EC#generate_key cannot work
+because it modifies the receiver.
+
+OpenSSL::PKey::EC.generate is available on Ruby 2.4 (Ruby/OpenSSL 2.0)
+or later.
+---
+ lib/rubygems/security.rb | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/lib/rubygems/security.rb b/lib/rubygems/security.rb
+index 22759972070..2aa07381d69 100644
+--- a/lib/rubygems/security.rb
+++ b/lib/rubygems/security.rb
+@@ -490,9 +490,13 @@ def self.create_key(algorithm)
+       when 'rsa'
+         OpenSSL::PKey::RSA.new(RSA_DSA_KEY_LENGTH)
+       when 'ec'
+-        domain_key = OpenSSL::PKey::EC.new(EC_NAME)
+-        domain_key.generate_key
+-        domain_key
+        if RUBY_VERSION >= "2.4.0"
+          OpenSSL::PKey::EC.generate(EC_NAME)
+        else
+          domain_key = OpenSSL::PKey::EC.new(EC_NAME)
+          domain_key.generate_key
+          domain_key
+        end
+       else
+         raise Gem::Security::Exception,
+         "#{algorithm} algorithm not found. RSA, DSA, and EC algorithms are supported."
+
+From 60067d4f09b7fb9c23bed38e91acfde0293f29a0 Mon Sep 17 00:00:00 2001
+From: Kazuki Yamaguchi <k@rhe.jp>
+Date: Wed, 22 Dec 2021 01:49:05 +0900
+Subject: [PATCH 2/3] Use OpenSSL::X509::Certificate#check_private_key
+
+The method is for the exact purpose: to check that an instance of
+OpenSSL::PKey::PKey matches the public key in a certificate.
+---
+ lib/rubygems/security.rb        | 2 +-
+ lib/rubygems/security/policy.rb | 4 +---
+ 2 files changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/lib/rubygems/security.rb b/lib/rubygems/security.rb
+index 2aa07381d69..2906819bd34 100644
+--- a/lib/rubygems/security.rb
+++ b/lib/rubygems/security.rb
+@@ -531,7 +531,7 @@ def self.re_sign(expired_certificate, private_key, age = ONE_YEAR,
+     raise Gem::Security::Exception,
+           "incorrect signing key for re-signing " +
+           "#{expired_certificate.subject}" unless
+-      expired_certificate.public_key.to_pem == get_public_key(private_key).to_pem
+      expired_certificate.check_private_key(private_key)
+ 
+     unless expired_certificate.subject.to_s ==
+            expired_certificate.issuer.to_s
+diff --git a/lib/rubygems/security/policy.rb b/lib/rubygems/security/policy.rb
+index 3c3cb647ee3..06eae073f4a 100644
+--- a/lib/rubygems/security/policy.rb
+++ b/lib/rubygems/security/policy.rb
+@@ -115,11 +115,9 @@ def check_key(signer, key)
+       raise Gem::Security::Exception, 'missing key or signature'
+     end
+ 
+-    public_key = Gem::Security.get_public_key(key)
+-
+     raise Gem::Security::Exception,
+       "certificate #{signer.subject} does not match the signing key" unless
+-        signer.public_key.to_pem == public_key.to_pem
+        signer.check_private_key(key)
+ 
+     true
+   end
+
+From 6819e3d0fadc10ce8d10919402eedb730cf0e43f Mon Sep 17 00:00:00 2001
+From: Kazuki Yamaguchi <k@rhe.jp>
+Date: Wed, 22 Dec 2021 01:54:10 +0900
+Subject: [PATCH 3/3] Fix Gem::Security.get_public_key on OpenSSL 3.0
+
+Ruby/OpenSSL 2.2 added OpenSSL::PKey::PKey#public_to_der for serializing
+only the public key components contained in the instance. This works
+for all possible key types.
+---
+ lib/rubygems/security.rb | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/lib/rubygems/security.rb b/lib/rubygems/security.rb
+index 2906819bd34..f21c1756422 100644
+--- a/lib/rubygems/security.rb
+++ b/lib/rubygems/security.rb
+@@ -424,6 +424,8 @@ def self.create_cert(subject, key, age = ONE_YEAR, extensions = EXTENSIONS,
+   # Gets the right public key from a PKey instance
+ 
+   def self.get_public_key(key)
+    # Ruby 3.0 (Ruby/OpenSSL 2.2) or later
+    return OpenSSL::PKey.read(key.public_to_der) if key.respond_to?(:public_to_der)
+     return key.public_key unless key.is_a?(OpenSSL::PKey::EC)
+ 
+     ec_key = OpenSSL::PKey::EC.new(key.group.curve_name)