PR#103: [WIP] Fix OpenSSL 3.0 compatibility. - rpms/ruby

rpms / ruby

#103 [WIP] Fix OpenSSL 3.0 compatibility.

Merged 2 years ago by vondruch. Opened 2 years ago by vondruch.

rpms/ vondruch/ruby openssl3-compat into rawhide

Fix OpenSSL 3.0 compatibility.

Vít Ondruch • 2 years ago

c4f8814

ruby-3.1.0-Add-more-support-for-generic-pkey-types.patch

file added

+1004

The added file is too large to be shown here, see it at: ruby-3.1.0-Add-more-support-for-generic-pkey-types.patch

ruby-3.1.0-Allow-setting-algorithm-specific-options-in-sign-and-verify.patch

file added

+358

		`@@ -0,0 +1,358 @@`
		`+ From f2cf3afc6fa1e13e960f732c0bc658ad408ee219 Mon Sep 17 00:00:00 2001`
		`+ From: Kazuki Yamaguchi <k@rhe.jp>`
		`+ Date: Fri, 12 Jun 2020 14:12:59 +0900`
		`+ Subject: [PATCH 1/3] pkey: fix potential memory leak in PKey#sign`
		`+`
		`+ Fix potential leak of EVP_MD_CTX object in an error path. This path is`
		`+ normally unreachable, since the size of a signature generated by any`
		`+ supported algorithms would not be larger than LONG_MAX.`
		`+ ---`
		`+ ext/openssl/ossl_pkey.c \| 8 ++++++--`
		`+ 1 file changed, 6 insertions(+), 2 deletions(-)`
		`+`
		`+ diff --git a/ext/openssl/ossl_pkey.c b/ext/openssl/ossl_pkey.c`
		`+ index df8b425a0f..7488190e0e 100644`
		`+ --- a/ext/openssl/ossl_pkey.c`
		`+ +++ b/ext/openssl/ossl_pkey.c`
		`+ @@ -777,8 +777,10 @@ ossl_pkey_sign(VALUE self, VALUE digest, VALUE data)`
		`+ EVP_MD_CTX_free(ctx);`
		`+ ossl_raise(ePKeyError, "EVP_DigestSign");`
		`+ }`
		`+ - if (siglen > LONG_MAX)`
		`+ + if (siglen > LONG_MAX) {`
		`+ + EVP_MD_CTX_free(ctx);`
		`+ rb_raise(ePKeyError, "signature would be too large");`
		`+ + }`
		`+ sig = ossl_str_new(NULL, (long)siglen, &state);`
		`+ if (state) {`
		`+ EVP_MD_CTX_free(ctx);`
		`+ @@ -799,8 +801,10 @@ ossl_pkey_sign(VALUE self, VALUE digest, VALUE data)`
		`+ EVP_MD_CTX_free(ctx);`
		`+ ossl_raise(ePKeyError, "EVP_DigestSignFinal");`
		`+ }`
		`+ - if (siglen > LONG_MAX)`
		`+ + if (siglen > LONG_MAX) {`
		`+ + EVP_MD_CTX_free(ctx);`
		`+ rb_raise(ePKeyError, "signature would be too large");`
		`+ + }`
		`+ sig = ossl_str_new(NULL, (long)siglen, &state);`
		`+ if (state) {`
		`+ EVP_MD_CTX_free(ctx);`
		`+ --`
		`+ 2.32.0`
		`+`
		`+`
		`+ From 8b30ce20eb9e03180c28288e29a96308e594f860 Mon Sep 17 00:00:00 2001`
		`+ From: Kazuki Yamaguchi <k@rhe.jp>`
		`+ Date: Fri, 2 Apr 2021 23:58:48 +0900`
		`+ Subject: [PATCH 2/3] pkey: prepare pkey_ctx_apply_options() for usage by other`
		`+ operations`
		`+`
		`+ The routine to apply Hash to EVP_PKEY_CTX_ctrl_str() is currently used`
		`+ by key generation, but it is useful for other operations too. Let's`
		`+ change it to a slightly more generic name.`
		`+ ---`
		`+ ext/openssl/ossl_pkey.c \| 22 ++++++++++++++--------`
		`+ 1 file changed, 14 insertions(+), 8 deletions(-)`
		`+`
		`+ diff --git a/ext/openssl/ossl_pkey.c b/ext/openssl/ossl_pkey.c`
		`+ index 7488190e0e..fed4a2b81f 100644`
		`+ --- a/ext/openssl/ossl_pkey.c`
		`+ +++ b/ext/openssl/ossl_pkey.c`
		`+ @@ -198,7 +198,7 @@ ossl_pkey_new_from_data(int argc, VALUE *argv, VALUE self)`
		`+ }`
		`+`
		`+ static VALUE`
		`+ -pkey_gen_apply_options_i(RB_BLOCK_CALL_FUNC_ARGLIST(i, ctx_v))`
		`+ +pkey_ctx_apply_options_i(RB_BLOCK_CALL_FUNC_ARGLIST(i, ctx_v))`
		`+ {`
		`+ VALUE key = rb_ary_entry(i, 0), value = rb_ary_entry(i, 1);`
		`+ EVP_PKEY_CTX ctx = (EVP_PKEY_CTX )ctx_v;`
		`+ @@ -214,15 +214,25 @@ pkey_gen_apply_options_i(RB_BLOCK_CALL_FUNC_ARGLIST(i, ctx_v))`
		`+ }`
		`+`
		`+ static VALUE`
		`+ -pkey_gen_apply_options0(VALUE args_v)`
		`+ +pkey_ctx_apply_options0(VALUE args_v)`
		`+ {`
		`+ VALUE args = (VALUE )args_v;`
		`+`
		`+ rb_block_call(args[1], rb_intern("each"), 0, NULL,`
		`+ - pkey_gen_apply_options_i, args[0]);`
		`+ + pkey_ctx_apply_options_i, args[0]);`
		`+ return Qnil;`
		`+ }`
		`+`
		`+ +static void`
		`+ +pkey_ctx_apply_options(EVP_PKEY_CTX ctx, VALUE options, int state)`
		`+ +{`
		`+ + VALUE args[2];`
		`+ + args[0] = (VALUE)ctx;`
		`+ + args[1] = options;`
		`+ +`
		`+ + rb_protect(pkey_ctx_apply_options0, (VALUE)args, state);`
		`+ +}`
		`+ +`
		`+ struct pkey_blocking_generate_arg {`
		`+ EVP_PKEY_CTX *ctx;`
		`+ EVP_PKEY *pkey;`
		`+ @@ -330,11 +340,7 @@ pkey_generate(int argc, VALUE *argv, VALUE self, int genparam)`
		`+ }`
		`+`
		`+ if (!NIL_P(options)) {`
		`+ - VALUE args[2];`
		`+ -`
		`+ - args[0] = (VALUE)ctx;`
		`+ - args[1] = options;`
		`+ - rb_protect(pkey_gen_apply_options0, (VALUE)args, &state);`
		`+ + pkey_ctx_apply_options(ctx, options, &state);`
		`+ if (state) {`
		`+ EVP_PKEY_CTX_free(ctx);`
		`+ rb_jump_tag(state);`
		`+ --`
		`+ 2.32.0`
		`+`
		`+`
		`+ From 4c7b0f91da666961d11908b94520db4e09ce4e67 Mon Sep 17 00:00:00 2001`
		`+ From: Kazuki Yamaguchi <k@rhe.jp>`
		`+ Date: Sat, 18 Jul 2020 20:40:39 +0900`
		`+ Subject: [PATCH 3/3] pkey: allow setting algorithm-specific options in #sign`
		`+ and #verify`
		`+`
		`+ Similarly to OpenSSL::PKey.generate_key and .generate_parameters, let`
		`+ OpenSSL::PKey::PKey#sign and #verify take an optional parameter for`
		`+ specifying control strings for EVP_PKEY_CTX_ctrl_str().`
		`+ ---`
		`+ ext/openssl/ossl_pkey.c \| 113 ++++++++++++++++++++++------------`
		`+ test/openssl/test_pkey_rsa.rb \| 34 +++++-----`
		`+ 2 files changed, 89 insertions(+), 58 deletions(-)`
		`+`
		`+ diff --git a/ext/openssl/ossl_pkey.c b/ext/openssl/ossl_pkey.c`
		`+ index fed4a2b81f..22e9f19982 100644`
		`+ --- a/ext/openssl/ossl_pkey.c`
		`+ +++ b/ext/openssl/ossl_pkey.c`
		`+ @@ -739,33 +739,51 @@ ossl_pkey_public_to_pem(VALUE self)`
		`+ }`
		`+`
		`+ /*`
		`+ - * call-seq:`
		`+ - * pkey.sign(digest, data) -> String`
		`+ + * call-seq:`
		`+ + * pkey.sign(digest, data [, options]) -> string`
		`+ *`
		`+ - * To sign the String _data_, _digest_, an instance of OpenSSL::Digest, must`
		`+ - * be provided. The return value is again a String containing the signature.`
		`+ - * A PKeyError is raised should errors occur.`
		`+ - * Any previous state of the Digest instance is irrelevant to the signature`
		`+ - * outcome, the digest instance is reset to its initial state during the`
		`+ - * operation.`
		`+ + * Hashes and signs the +data+ using a message digest algorithm +digest+ and`
		`+ + * a private key +pkey+.`
		`+ *`
		`+ - * == Example`
		`+ - * data = 'Sign me!'`
		`+ - * digest = OpenSSL::Digest.new('SHA256')`
		`+ - * pkey = OpenSSL::PKey::RSA.new(2048)`
		`+ - * signature = pkey.sign(digest, data)`
		`+ + * See #verify for the verification operation.`
		`+ + *`
		`+ + * See also the man page EVP_DigestSign(3).`
		`+ + *`
		`+ + * +digest+::`
		`+ + * A String that represents the message digest algorithm name, or +nil+`
		`+ + * if the PKey type requires no digest algorithm.`
		`+ + * For backwards compatibility, this can be an instance of OpenSSL::Digest.`
		`+ + * Its state will not affect the signature.`
		`+ + * +data+::`
		`+ + * A String. The data to be hashed and signed.`
		`+ + * +options+::`
		`+ + * A Hash that contains algorithm specific control operations to \OpenSSL.`
		`+ + * See OpenSSL's man page EVP_PKEY_CTX_ctrl_str(3) for details.`
		`+ + * +options+ parameter was added in version 2.3.`
		`+ + *`
		`+ + * Example:`
		`+ + * data = "Sign me!"`
		`+ + * pkey = OpenSSL::PKey.generate_key("RSA", rsa_keygen_bits: 2048)`
		`+ + * signopts = { rsa_padding_mode: "pss" }`
		`+ + * signature = pkey.sign("SHA256", data, signopts)`
		`+ + *`
		`+ + * # Creates a copy of the RSA key pkey, but without the private components`
		`+ + * pub_key = pkey.public_key`
		`+ + * puts pub_key.verify("SHA256", signature, data, signopts) # => true`
		`+ */`
		`+ static VALUE`
		`+ -ossl_pkey_sign(VALUE self, VALUE digest, VALUE data)`
		`+ +ossl_pkey_sign(int argc, VALUE *argv, VALUE self)`
		`+ {`
		`+ EVP_PKEY *pkey;`
		`+ + VALUE digest, data, options, sig;`
		`+ const EVP_MD *md = NULL;`
		`+ EVP_MD_CTX *ctx;`
		`+ + EVP_PKEY_CTX *pctx;`
		`+ size_t siglen;`
		`+ int state;`
		`+ - VALUE sig;`
		`+`
		`+ pkey = GetPrivPKeyPtr(self);`
		`+ + rb_scan_args(argc, argv, "21", &digest, &data, &options);`
		`+ if (!NIL_P(digest))`
		`+ md = ossl_evp_get_digestbyname(digest);`
		`+ StringValue(data);`
		`+ @@ -773,10 +791,17 @@ ossl_pkey_sign(VALUE self, VALUE digest, VALUE data)`
		`+ ctx = EVP_MD_CTX_new();`
		`+ if (!ctx)`
		`+ ossl_raise(ePKeyError, "EVP_MD_CTX_new");`
		`+ - if (EVP_DigestSignInit(ctx, NULL, md, /* engine */NULL, pkey) < 1) {`
		`+ + if (EVP_DigestSignInit(ctx, &pctx, md, /* engine */NULL, pkey) < 1) {`
		`+ EVP_MD_CTX_free(ctx);`
		`+ ossl_raise(ePKeyError, "EVP_DigestSignInit");`
		`+ }`
		`+ + if (!NIL_P(options)) {`
		`+ + pkey_ctx_apply_options(pctx, options, &state);`
		`+ + if (state) {`
		`+ + EVP_MD_CTX_free(ctx);`
		`+ + rb_jump_tag(state);`
		`+ + }`
		`+ + }`
		`+ #if OPENSSL_VERSION_NUMBER >= 0x10101000 && !defined(LIBRESSL_VERSION_NUMBER)`
		`+ if (EVP_DigestSign(ctx, NULL, &siglen, (unsigned char *)RSTRING_PTR(data),`
		`+ RSTRING_LEN(data)) < 1) {`
		`+ @@ -828,35 +853,40 @@ ossl_pkey_sign(VALUE self, VALUE digest, VALUE data)`
		`+ }`
		`+`
		`+ /*`
		`+ - * call-seq:`
		`+ - * pkey.verify(digest, signature, data) -> String`
		`+ + * call-seq:`
		`+ + * pkey.verify(digest, signature, data [, options]) -> true or false`
		`+ *`
		`+ - * To verify the String _signature_, _digest_, an instance of`
		`+ - * OpenSSL::Digest, must be provided to re-compute the message digest of the`
		`+ - * original _data_, also a String. The return value is +true+ if the`
		`+ - * signature is valid, +false+ otherwise. A PKeyError is raised should errors`
		`+ - * occur.`
		`+ - * Any previous state of the Digest instance is irrelevant to the validation`
		`+ - * outcome, the digest instance is reset to its initial state during the`
		`+ - * operation.`
		`+ + * Verifies the +signature+ for the +data+ using a message digest algorithm`
		`+ + * +digest+ and a public key +pkey+.`
		`+ *`
		`+ - * == Example`
		`+ - * data = 'Sign me!'`
		`+ - * digest = OpenSSL::Digest.new('SHA256')`
		`+ - * pkey = OpenSSL::PKey::RSA.new(2048)`
		`+ - * signature = pkey.sign(digest, data)`
		`+ - * pub_key = pkey.public_key`
		`+ - * puts pub_key.verify(digest, signature, data) # => true`
		`+ + * Returns +true+ if the signature is successfully verified, +false+ otherwise.`
		`+ + * The caller must check the return value.`
		`+ + *`
		`+ + * See #sign for the signing operation and an example.`
		`+ + *`
		`+ + * See also the man page EVP_DigestVerify(3).`
		`+ + *`
		`+ + * +digest+::`
		`+ + * See #sign.`
		`+ + * +signature+::`
		`+ + * A String containing the signature to be verified.`
		`+ + * +data+::`
		`+ + * See #sign.`
		`+ + * +options+::`
		`+ + * See #sign. +options+ parameter was added in version 2.3.`
		`+ */`
		`+ static VALUE`
		`+ -ossl_pkey_verify(VALUE self, VALUE digest, VALUE sig, VALUE data)`
		`+ +ossl_pkey_verify(int argc, VALUE *argv, VALUE self)`
		`+ {`
		`+ EVP_PKEY *pkey;`
		`+ + VALUE digest, sig, data, options;`
		`+ const EVP_MD *md = NULL;`
		`+ EVP_MD_CTX *ctx;`
		`+ - int ret;`
		`+ + EVP_PKEY_CTX *pctx;`
		`+ + int state, ret;`
		`+`
		`+ GetPKey(self, pkey);`
		`+ + rb_scan_args(argc, argv, "31", &digest, &sig, &data, &options);`
		`+ ossl_pkey_check_public_key(pkey);`
		`+ if (!NIL_P(digest))`
		`+ md = ossl_evp_get_digestbyname(digest);`
		`+ @@ -866,10 +896,17 @@ ossl_pkey_verify(VALUE self, VALUE digest, VALUE sig, VALUE data)`
		`+ ctx = EVP_MD_CTX_new();`
		`+ if (!ctx)`
		`+ ossl_raise(ePKeyError, "EVP_MD_CTX_new");`
		`+ - if (EVP_DigestVerifyInit(ctx, NULL, md, /* engine */NULL, pkey) < 1) {`
		`+ + if (EVP_DigestVerifyInit(ctx, &pctx, md, /* engine */NULL, pkey) < 1) {`
		`+ EVP_MD_CTX_free(ctx);`
		`+ ossl_raise(ePKeyError, "EVP_DigestVerifyInit");`
		`+ }`
		`+ + if (!NIL_P(options)) {`
		`+ + pkey_ctx_apply_options(pctx, options, &state);`
		`+ + if (state) {`
		`+ + EVP_MD_CTX_free(ctx);`
		`+ + rb_jump_tag(state);`
		`+ + }`
		`+ + }`
		`+ #if OPENSSL_VERSION_NUMBER >= 0x10101000 && !defined(LIBRESSL_VERSION_NUMBER)`
		`+ ret = EVP_DigestVerify(ctx, (unsigned char *)RSTRING_PTR(sig),`
		`+ RSTRING_LEN(sig), (unsigned char *)RSTRING_PTR(data),`
		`+ @@ -1042,8 +1079,8 @@ Init_ossl_pkey(void)`
		`+ rb_define_method(cPKey, "public_to_der", ossl_pkey_public_to_der, 0);`
		`+ rb_define_method(cPKey, "public_to_pem", ossl_pkey_public_to_pem, 0);`
		`+`
		`+ - rb_define_method(cPKey, "sign", ossl_pkey_sign, 2);`
		`+ - rb_define_method(cPKey, "verify", ossl_pkey_verify, 3);`
		`+ + rb_define_method(cPKey, "sign", ossl_pkey_sign, -1);`
		`+ + rb_define_method(cPKey, "verify", ossl_pkey_verify, -1);`
		`+ rb_define_method(cPKey, "derive", ossl_pkey_derive, -1);`
		`+`
		`+ id_private_q = rb_intern("private?");`
		`+ diff --git a/test/openssl/test_pkey_rsa.rb b/test/openssl/test_pkey_rsa.rb`
		`+ index 88164c3b52..d1e68dbc9f 100644`
		`+ --- a/test/openssl/test_pkey_rsa.rb`
		`+ +++ b/test/openssl/test_pkey_rsa.rb`
		`+ @@ -117,27 +117,21 @@ def test_sign_verify`
		`+ assert_equal false, rsa1024.verify("SHA256", signature1, data)`
		`+ end`
		`+`
		`+ - def test_digest_state_irrelevant_sign`
		`+ + def test_sign_verify_options`
		`+ key = Fixtures.pkey("rsa1024")`
		`+ - digest1 = OpenSSL::Digest.new('SHA1')`
		`+ - digest2 = OpenSSL::Digest.new('SHA1')`
		`+ - data = 'Sign me!'`
		`+ - digest1 << 'Change state of digest1'`
		`+ - sig1 = key.sign(digest1, data)`
		`+ - sig2 = key.sign(digest2, data)`
		`+ - assert_equal(sig1, sig2)`
		`+ - end`
		`+ -`
		`+ - def test_digest_state_irrelevant_verify`
		`+ - key = Fixtures.pkey("rsa1024")`
		`+ - digest1 = OpenSSL::Digest.new('SHA1')`
		`+ - digest2 = OpenSSL::Digest.new('SHA1')`
		`+ - data = 'Sign me!'`
		`+ - sig = key.sign(digest1, data)`
		`+ - digest1.reset`
		`+ - digest1 << 'Change state of digest1'`
		`+ - assert(key.verify(digest1, sig, data))`
		`+ - assert(key.verify(digest2, sig, data))`
		`+ + data = "Sign me!"`
		`+ + pssopts = {`
		`+ + "rsa_padding_mode" => "pss",`
		`+ + "rsa_pss_saltlen" => 20,`
		`+ + "rsa_mgf1_md" => "SHA1"`
		`+ + }`
		`+ + sig_pss = key.sign("SHA256", data, pssopts)`
		`+ + assert_equal 128, sig_pss.bytesize`
		`+ + assert_equal true, key.verify("SHA256", sig_pss, data, pssopts)`
		`+ + assert_equal true, key.verify_pss("SHA256", sig_pss, data,`
		`+ + salt_length: 20, mgf1_hash: "SHA1")`
		`+ + # Defaults to PKCS #1 v1.5 padding => verification failure`
		`+ + assert_equal false, key.verify("SHA256", sig_pss, data)`
		`+ end`
		`+`
		`+ def test_verify_empty_rsa`
		`+ --`
		`+ 2.32.0`
		`+`

ruby-3.1.0-Implement-PKey-encrypt-decrypt-sign_raw-verify_raw-and-verify_recover.patch

file added

+1319

The added file is too large to be shown here, see it at: ruby-3.1.0-Implement-PKey-encrypt-decrypt-sign_raw-verify_raw-and-verify_recover.patch

ruby-3.1.0-Miscellaneous-changes-for-OpenSSL-3.0-support.patch

file added

+142

		`@@ -0,0 +1,142 @@`
		`+ From 8f948ed68a4ed6c05ff66d822711e3b70ae4bb3f Mon Sep 17 00:00:00 2001`
		`+ From: Kazuki Yamaguchi <k@rhe.jp>`
		`+ Date: Mon, 27 Sep 2021 13:32:03 +0900`
		`+ Subject: [PATCH 1/3] ext/openssl/ossl.h: add helper macros for`
		`+ OpenSSL/LibreSSL versions`
		`+`
		`+ Add following convenient macros:`
		`+`
		`+ - OSSL_IS_LIBRESSL`
		`+ - OSSL_OPENSSL_PREREQ(maj, min, pat)`
		`+ - OSSL_LIBRESSL_PREREQ(maj, min, pat)`
		`+ ---`
		`+ ext/openssl/ossl.h \| 12 ++++++++++++`
		`+ 1 file changed, 12 insertions(+)`
		`+`
		`+ diff --git a/ext/openssl/ossl.h b/ext/openssl/ossl.h`
		`+ index c20f506bda..a0cef29d74 100644`
		`+ --- a/ext/openssl/ossl.h`
		`+ +++ b/ext/openssl/ossl.h`
		`+ @@ -43,6 +43,18 @@`
		`+ #include <openssl/evp.h>`
		`+ #include <openssl/dh.h>`
		`+`
		`+ +#ifndef LIBRESSL_VERSION_NUMBER`
		`+ +# define OSSL_IS_LIBRESSL 0`
		`+ +# define OSSL_OPENSSL_PREREQ(maj, min, pat) \`
		`+ + (OPENSSL_VERSION_NUMBER >= (maj << 28) \| (min << 20) \| (pat << 12))`
		`+ +# define OSSL_LIBRESSL_PREREQ(maj, min, pat) 0`
		`+ +#else`
		`+ +# define OSSL_IS_LIBRESSL 1`
		`+ +# define OSSL_OPENSSL_PREREQ(maj, min, pat) 0`
		`+ +# define OSSL_LIBRESSL_PREREQ(maj, min, pat) \`
		`+ + (LIBRESSL_VERSION_NUMBER >= (maj << 28) \| (min << 20) \| (pat << 12))`
		`+ +#endif`
		`+ +`
		`+ /*`
		`+ * Common Module`
		`+ */`
		`+ --`
		`+ 2.32.0`
		`+`
		`+`
		`+ From bbf235091e49807ece8f3a3df95bbfcc9d3ab43d Mon Sep 17 00:00:00 2001`
		`+ From: Kazuki Yamaguchi <k@rhe.jp>`
		`+ Date: Sat, 22 Feb 2020 05:37:01 +0900`
		`+ Subject: [PATCH 2/3] ts: use TS_VERIFY_CTX_set_certs instead of`
		`+ TS_VERIFY_CTS_set_certs`
		`+`
		`+ OpenSSL 3.0 fixed the typo in the function name and replaced the`
		`+ current 'CTS' version with a macro.`
		`+ ---`
		`+ ext/openssl/extconf.rb \| 5 ++++-`
		`+ ext/openssl/openssl_missing.h \| 5 +++++`
		`+ ext/openssl/ossl_ts.c \| 2 +-`
		`+ 3 files changed, 10 insertions(+), 2 deletions(-)`
		`+`
		`+ diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb`
		`+ index 17d93443fc..09cae05b72 100644`
		`+ --- a/ext/openssl/extconf.rb`
		`+ +++ b/ext/openssl/extconf.rb`
		`+ @@ -166,7 +166,7 @@ def find_openssl_library`
		`+ have_func("TS_STATUS_INFO_get0_status")`
		`+ have_func("TS_STATUS_INFO_get0_text")`
		`+ have_func("TS_STATUS_INFO_get0_failure_info")`
		`+ -have_func("TS_VERIFY_CTS_set_certs")`
		`+ +have_func("TS_VERIFY_CTS_set_certs(NULL, NULL)", "openssl/ts.h")`
		`+ have_func("TS_VERIFY_CTX_set_store")`
		`+ have_func("TS_VERIFY_CTX_add_flags")`
		`+ have_func("TS_RESP_CTX_set_time_cb")`
		`+ @@ -175,6 +175,9 @@ def find_openssl_library`
		`+`
		`+ # added in 1.1.1`
		`+ have_func("EVP_PKEY_check")`
		`+ +`
		`+ +# added in 3.0.0`
		`+ +have_func("TS_VERIFY_CTX_set_certs(NULL, NULL)", "openssl/ts.h")`
		`+`
		`+ Logging::message "=== Checking done. ===\n"`
		`+`
		`+ diff --git a/ext/openssl/openssl_missing.h b/ext/openssl/openssl_missing.h`
		`+ index e575415f49..fe486bcfcf 100644`
		`+ --- a/ext/openssl/openssl_missing.h`
		`+ +++ b/ext/openssl/openssl_missing.h`
		`+ @@ -242,4 +242,9 @@ IMPL_PKEY_GETTER(EC_KEY, ec)`
		`+ } while (0)`
		`+ #endif`
		`+`
		`+ +/* added in 3.0.0 */`
		`+ +#if !defined(HAVE_TS_VERIFY_CTX_SET_CERTS)`
		`+ +# define TS_VERIFY_CTX_set_certs(ctx, crts) TS_VERIFY_CTS_set_certs(ctx, crts)`
		`+ +#endif`
		`+ +`
		`+ #endif /* _OSSL_OPENSSL_MISSING_H_ */`
		`+ diff --git a/ext/openssl/ossl_ts.c b/ext/openssl/ossl_ts.c`
		`+ index 692c0d620f..f1da7c1947 100644`
		`+ --- a/ext/openssl/ossl_ts.c`
		`+ +++ b/ext/openssl/ossl_ts.c`
		`+ @@ -816,7 +816,7 @@ ossl_ts_resp_verify(int argc, VALUE *argv, VALUE self)`
		`+ X509_up_ref(cert);`
		`+ }`
		`+`
		`+ - TS_VERIFY_CTS_set_certs(ctx, x509inter);`
		`+ + TS_VERIFY_CTX_set_certs(ctx, x509inter);`
		`+ TS_VERIFY_CTX_add_flags(ctx, TS_VFY_SIGNATURE);`
		`+ TS_VERIFY_CTX_set_store(ctx, x509st);`
		`+`
		`+ --`
		`+ 2.32.0`
		`+`
		`+`
		`+ From 5fba3bc1df93ab6abc3ea53be3393480f36ea259 Mon Sep 17 00:00:00 2001`
		`+ From: Kazuki Yamaguchi <k@rhe.jp>`
		`+ Date: Fri, 19 Mar 2021 19:18:25 +0900`
		`+ Subject: [PATCH 3/3] ssl: use SSL_get_rbio() to check if SSL is started or not`
		`+`
		`+ Use SSL_get_rbio() instead of SSL_get_fd(). SSL_get_fd() internally`
		`+ calls SSL_get_rbio() and it's enough for our purpose.`
		`+`
		`+ In OpenSSL 3.0, SSL_get_fd() leaves an entry in the OpenSSL error queue`
		`+ if BIO has not been set up yet, and we would have to clean it up.`
		`+ ---`
		`+ ext/openssl/ossl_ssl.c \| 4 ++--`
		`+ 1 file changed, 2 insertions(+), 2 deletions(-)`
		`+`
		`+ diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c`
		`+ index 4b7efa39f5..ec430bfb0c 100644`
		`+ --- a/ext/openssl/ossl_ssl.c`
		`+ +++ b/ext/openssl/ossl_ssl.c`
		`+ @@ -1522,8 +1522,8 @@ ossl_sslctx_flush_sessions(int argc, VALUE *argv, VALUE self)`
		`+ static inline int`
		`+ ssl_started(SSL *ssl)`
		`+ {`
		`+ - /* the FD is set in ossl_ssl_setup(), called by #connect or #accept */`
		`+ - return SSL_get_fd(ssl) >= 0;`
		`+ + /* BIO is created through ossl_ssl_setup(), called by #connect or #accept */`
		`+ + return SSL_get_rbio(ssl) != NULL;`
		`+ }`
		`+`
		`+ static void`
		`+ --`
		`+ 2.32.0`
		`+`

ruby-3.1.0-Properly-exclude-test-cases.patch

file added

+93

		`@@ -0,0 +1,93 @@`
		`+ From 96684439e96aa92e10376b5be45f006772028295 Mon Sep 17 00:00:00 2001`
		`+ From: =?UTF-8?q?V=C3=ADt=20Ondruch?= <vondruch@redhat.com>`
		`+ Date: Thu, 21 Oct 2021 13:02:38 +0200`
		`+ Subject: [PATCH] Properly exclude test cases.`
		`+`
		`+ Lets consider the following scenario:`
		`+`
		`+ ~~~`
		`+ irb(#<Test::Unit::AutoRunner::Runner:0x0000560f68afc3c8>):001:0> p suite`
		`+ OpenSSL::TestEC`
		`+ => OpenSSL::TestEC`
		`+`
		`+ irb(#<Test::Unit::AutoRunner::Runner:0x0000560f68afc3c8>):002:0> p all_test_methods`
		`+ ["test_ECPrivateKey", "test_ECPrivateKey_encrypted", "test_PUBKEY", "test_check_key", "test_derive_key", "test_dh_compute_key", "test_dsa_sign_asn1_FIPS186_3", "test_ec_group", "test_ec_key", "test_ec_point", "test_ec_point_add", "test_ec_point_mul", "test_generate", "test_marshal", "test_sign_verify", "test_sign_verify_raw"]`
		`+ =>`
		`+ ["test_ECPrivateKey",`
		`+ "test_ECPrivateKey_encrypted",`
		`+ "test_PUBKEY",`
		`+ "test_check_key",`
		`+ "test_derive_key",`
		`+ "test_dh_compute_key",`
		`+ "test_dsa_sign_asn1_FIPS186_3",`
		`+ "test_ec_group",`
		`+ "test_ec_key",`
		`+ "test_ec_point",`
		`+ "test_ec_point_add",`
		`+ "test_ec_point_mul",`
		`+ "test_generate",`
		`+ "test_marshal",`
		`+ "test_sign_verify",`
		`+ "test_sign_verify_raw"]`
		`+`
		`+ irb(#<Test::Unit::AutoRunner::Runner:0x0000560f68afc3c8>):003:0> p filter`
		`+ /\A(?=.)(?!.(?-mix:(?-mix:memory_leak)\|(?-mix:OpenSSL::TestEC.test_check_key)))/`
		`+ => /\A(?=.)(?!.(?-mix:(?-mix:memory_leak)\|(?-mix:OpenSSL::TestEC.test_check_key)))/`
		`+`
		`+ irb(#<Test::Unit::AutoRunner::Runner:0x0000560f68afc3c8>):004:0> method = "test_check_key"`
		`+ => "test_check_key"`
		`+ ~~~`
		`+`
		+ The intention here is to exclude the `test_check_key` test case.
		`+ Unfortunately this does not work as expected, because the negative filter`
		`+ is never checked:`
		`+`
		`+ ~~~`
		`+`
		`+ irb(#<Test::Unit::AutoRunner::Runner:0x0000560f68afc3c8>):005:0> filter === method`
		`+ => true`
		`+`
		`+ irb(#<Test::Unit::AutoRunner::Runner:0x0000560f68afc3c8>):006:0> filter === "#{suite}##{method}"`
		`+ => false`
		`+`
		`+ irb(#<Test::Unit::AutoRunner::Runner:0x0000560f68afc3c8>):007:0> filter === method \|\| filter === "#{suite}##{method}"`
		`+ => true`
		`+ ~~~`
		`+`
		`+ Therefore always filter against the fully qualified method name`
		+ `#{suite}##{method}`, which should provide the expected result.
		`+`
		`+ However, if plain string filter is used, keep checking also only the`
		`+ method name.`
		`+`
		`+ This resolves [Bug #16936].`
		`+ ---`
		`+ tool/lib/minitest/unit.rb \| 12 +++++++++---`
		`+ 1 file changed, 9 insertion(+), 3 deletion(-)`
		`+`
		`+ diff --git a/tool/lib/minitest/unit.rb b/tool/lib/minitest/unit.rb`
		`+ index c58a609bfa..d5af6cb906 100644`
		`+ --- a/tool/lib/minitest/unit.rb`
		`+ +++ b/tool/lib/minitest/unit.rb`
		`+ @@ -956,9 +956,15 @@ def _run_suite suite, type`
		`+`
		`+ all_test_methods = suite.send "#{type}_methods"`
		`+`
		`+ - filtered_test_methods = all_test_methods.find_all { \|m\|`
		`+ - filter === m \|\| filter === "#{suite}##{m}"`
		`+ - }`
		`+ + filtered_test_methods = if Regexp === filter`
		`+ + all_test_methods.find_all { \|m\|`
		`+ + filter === "#{suite}##{m}"`
		`+ + }`
		`+ + else`
		`+ + all_test_methods.find_all {\|m\|`
		`+ + filter === m \|\| filter === "#{suite}##{m}"`
		`+ + }`
		`+ + end`
		`+`
		`+ leakchecker = LeakChecker.new`
		`+`
		`+ --`
		`+ 2.32.0`
		`+`

ruby-3.1.0-Refactor-PEM-DER-serialization-code.patch

file added

+1450

The added file is too large to be shown here, see it at: ruby-3.1.0-Refactor-PEM-DER-serialization-code.patch

ruby-3.1.0-SSL_read-EOF-handling.patch

file added

+16

		`@@ -0,0 +1,16 @@`
		`+ diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c`
		`+ index 3b425ca..40e748c 100644`
		`+ --- a/ext/openssl/ossl_ssl.c`
		`+ +++ b/ext/openssl/ossl_ssl.c`
		`+ @@ -1844,6 +1844,11 @@ ossl_ssl_read_internal(int argc, VALUE *argv, VALUE self, int nonblock)`
		`+ return str;`
		`+`
		`+ GetSSL(self, ssl);`
		`+ +`
		`+ +#ifdef SSL_OP_IGNORE_UNEXPECTED_EOF`
		`+ + SSL_set_options(ssl, SSL_OP_IGNORE_UNEXPECTED_EOF);`
		`+ +#endif`
		`+ +`
		`+ io = rb_attr_get(self, id_i_io);`
		`+ GetOpenFile(io, fptr);`
		`+ if (ssl_started(ssl)) {`

ruby-3.1.0-Support-OpenSSL-3.0.patch

file added

+1101

The added file is too large to be shown here, see it at: ruby-3.1.0-Support-OpenSSL-3.0.patch

ruby-3.1.0-Use-EVP-API-in-more-places.patch

file added

+831

		`@@ -0,0 +1,831 @@`
		`+ From cf070378020088cd7e69b1cb08be68152ab8a078 Mon Sep 17 00:00:00 2001`
		`+ From: Kazuki Yamaguchi <k@rhe.jp>`
		`+ Date: Sun, 17 May 2020 18:25:38 +0900`
		`+ Subject: [PATCH 1/3] pkey: implement #to_text using EVP API`
		`+`
		`+ Use EVP_PKEY_print_private() instead of the low-level API *_print()`
		`+ functions, such as RSA_print().`
		`+`
		`+ EVP_PKEY_print_*() family was added in OpenSSL 1.0.0.`
		`+`
		`+ Note that it falls back to EVP_PKEY_print_public() and`
		`+ EVP_PKEY_print_params() as necessary. This is required for EVP_PKEY_DH`
		`+ type for which _private() fails if the private component is not set in`
		`+ the pkey object.`
		`+`
		`+ Since the new API works in the same way for all key types, we now`
		`+ implement #to_text in the base class OpenSSL::PKey::PKey rather than in`
		`+ each subclass.`
		`+ ---`
		`+ ext/openssl/ossl_pkey.c \| 38 +++++++++++++++++++++++++++++++++++++`
		`+ ext/openssl/ossl_pkey_dh.c \| 29 ----------------------------`
		`+ ext/openssl/ossl_pkey_dsa.c \| 29 ----------------------------`
		`+ ext/openssl/ossl_pkey_ec.c \| 27 --------------------------`
		`+ ext/openssl/ossl_pkey_rsa.c \| 31 ------------------------------`
		`+ test/openssl/test_pkey.rb \| 5 +++++`
		`+ 6 files changed, 43 insertions(+), 116 deletions(-)`
		`+`
		`+ diff --git a/ext/openssl/ossl_pkey.c b/ext/openssl/ossl_pkey.c`
		`+ index f9282b9417..21cd4b2cda 100644`
		`+ --- a/ext/openssl/ossl_pkey.c`
		`+ +++ b/ext/openssl/ossl_pkey.c`
		`+ @@ -539,6 +539,43 @@ ossl_pkey_inspect(VALUE self)`
		`+ OBJ_nid2sn(nid));`
		`+ }`
		`+`
		`+ +/*`
		`+ + * call-seq:`
		`+ + * pkey.to_text -> string`
		`+ + *`
		`+ + * Dumps key parameters, public key, and private key components contained in`
		`+ + * the key into a human-readable text.`
		`+ + *`
		`+ + * This is intended for debugging purpose.`
		`+ + *`
		`+ + * See also the man page EVP_PKEY_print_private(3).`
		`+ + */`
		`+ +static VALUE`
		`+ +ossl_pkey_to_text(VALUE self)`
		`+ +{`
		`+ + EVP_PKEY *pkey;`
		`+ + BIO *bio;`
		`+ +`
		`+ + GetPKey(self, pkey);`
		`+ + if (!(bio = BIO_new(BIO_s_mem())))`
		`+ + ossl_raise(ePKeyError, "BIO_new");`
		`+ +`
		`+ + if (EVP_PKEY_print_private(bio, pkey, 0, NULL) == 1)`
		`+ + goto out;`
		`+ + OSSL_BIO_reset(bio);`
		`+ + if (EVP_PKEY_print_public(bio, pkey, 0, NULL) == 1)`
		`+ + goto out;`
		`+ + OSSL_BIO_reset(bio);`
		`+ + if (EVP_PKEY_print_params(bio, pkey, 0, NULL) == 1)`
		`+ + goto out;`
		`+ +`
		`+ + BIO_free(bio);`
		`+ + ossl_raise(ePKeyError, "EVP_PKEY_print_params");`
		`+ +`
		`+ + out:`
		`+ + return ossl_membio2str(bio);`
		`+ +}`
		`+ +`
		`+ VALUE`
		`+ ossl_pkey_export_traditional(int argc, VALUE *argv, VALUE self, int to_der)`
		`+ {`
		`+ @@ -1039,6 +1076,7 @@ Init_ossl_pkey(void)`
		`+ rb_define_method(cPKey, "initialize", ossl_pkey_initialize, 0);`
		`+ rb_define_method(cPKey, "oid", ossl_pkey_oid, 0);`
		`+ rb_define_method(cPKey, "inspect", ossl_pkey_inspect, 0);`
		`+ + rb_define_method(cPKey, "to_text", ossl_pkey_to_text, 0);`
		`+ rb_define_method(cPKey, "private_to_der", ossl_pkey_private_to_der, -1);`
		`+ rb_define_method(cPKey, "private_to_pem", ossl_pkey_private_to_pem, -1);`
		`+ rb_define_method(cPKey, "public_to_der", ossl_pkey_public_to_der, 0);`
		`+ diff --git a/ext/openssl/ossl_pkey_dh.c b/ext/openssl/ossl_pkey_dh.c`
		`+ index 6b477b077c..acd3bf474e 100644`
		`+ --- a/ext/openssl/ossl_pkey_dh.c`
		`+ +++ b/ext/openssl/ossl_pkey_dh.c`
		`+ @@ -266,34 +266,6 @@ ossl_dh_get_params(VALUE self)`
		`+ return hash;`
		`+ }`
		`+`
		`+ -/*`
		`+ - * call-seq:`
		`+ - * dh.to_text -> aString`
		`+ - *`
		`+ - * Prints all parameters of key to buffer`
		`+ - * INSECURE: PRIVATE INFORMATIONS CAN LEAK OUT!!!`
		`+ - * Don't use :-)) (I's up to you)`
		`+ - */`
		`+ -static VALUE`
		`+ -ossl_dh_to_text(VALUE self)`
		`+ -{`
		`+ - DH *dh;`
		`+ - BIO *out;`
		`+ - VALUE str;`
		`+ -`
		`+ - GetDH(self, dh);`
		`+ - if (!(out = BIO_new(BIO_s_mem()))) {`
		`+ - ossl_raise(eDHError, NULL);`
		`+ - }`
		`+ - if (!DHparams_print(out, dh)) {`
		`+ - BIO_free(out);`
		`+ - ossl_raise(eDHError, NULL);`
		`+ - }`
		`+ - str = ossl_membio2str(out);`
		`+ -`
		`+ - return str;`
		`+ -}`
		`+ -`
		`+ /*`
		`+ * call-seq:`
		`+ * dh.public_key -> aDH`
		`+ @@ -426,7 +398,6 @@ Init_ossl_dh(void)`
		`+ rb_define_method(cDH, "initialize_copy", ossl_dh_initialize_copy, 1);`
		`+ rb_define_method(cDH, "public?", ossl_dh_is_public, 0);`
		`+ rb_define_method(cDH, "private?", ossl_dh_is_private, 0);`
		`+ - rb_define_method(cDH, "to_text", ossl_dh_to_text, 0);`
		`+ rb_define_method(cDH, "export", ossl_dh_export, 0);`
		`+ rb_define_alias(cDH, "to_pem", "export");`
		`+ rb_define_alias(cDH, "to_s", "export");`
		`+ diff --git a/ext/openssl/ossl_pkey_dsa.c b/ext/openssl/ossl_pkey_dsa.c`
		`+ index 1c5a8a737e..f017cceb4a 100644`
		`+ --- a/ext/openssl/ossl_pkey_dsa.c`
		`+ +++ b/ext/openssl/ossl_pkey_dsa.c`
		`+ @@ -264,34 +264,6 @@ ossl_dsa_get_params(VALUE self)`
		`+ return hash;`
		`+ }`
		`+`
		`+ -/*`
		`+ - * call-seq:`
		`+ - * dsa.to_text -> aString`
		`+ - *`
		`+ - * Prints all parameters of key to buffer`
		`+ - * INSECURE: PRIVATE INFORMATIONS CAN LEAK OUT!!!`
		`+ - * Don't use :-)) (I's up to you)`
		`+ - */`
		`+ -static VALUE`
		`+ -ossl_dsa_to_text(VALUE self)`
		`+ -{`
		`+ - DSA *dsa;`
		`+ - BIO *out;`
		`+ - VALUE str;`
		`+ -`
		`+ - GetDSA(self, dsa);`
		`+ - if (!(out = BIO_new(BIO_s_mem()))) {`
		`+ - ossl_raise(eDSAError, NULL);`
		`+ - }`
		`+ - if (!DSA_print(out, dsa, 0)) { /* offset = 0 */`
		`+ - BIO_free(out);`
		`+ - ossl_raise(eDSAError, NULL);`
		`+ - }`
		`+ - str = ossl_membio2str(out);`
		`+ -`
		`+ - return str;`
		`+ -}`
		`+ -`
		`+ /*`
		`+ * call-seq:`
		`+ * dsa.public_key -> aDSA`
		`+ @@ -469,7 +441,6 @@ Init_ossl_dsa(void)`
		`+`
		`+ rb_define_method(cDSA, "public?", ossl_dsa_is_public, 0);`
		`+ rb_define_method(cDSA, "private?", ossl_dsa_is_private, 0);`
		`+ - rb_define_method(cDSA, "to_text", ossl_dsa_to_text, 0);`
		`+ rb_define_method(cDSA, "export", ossl_dsa_export, -1);`
		`+ rb_define_alias(cDSA, "to_pem", "export");`
		`+ rb_define_alias(cDSA, "to_s", "export");`
		`+ diff --git a/ext/openssl/ossl_pkey_ec.c b/ext/openssl/ossl_pkey_ec.c`
		`+ index c2534251c3..ecb8305184 100644`
		`+ --- a/ext/openssl/ossl_pkey_ec.c`
		`+ +++ b/ext/openssl/ossl_pkey_ec.c`
		`+ @@ -417,32 +417,6 @@ ossl_ec_key_to_der(VALUE self)`
		`+ else`
		`+ return ossl_pkey_export_spki(self, 1);`
		`+ }`
		`+ -`
		`+ -/*`
		`+ - * call-seq:`
		`+ - * key.to_text => String`
		`+ - *`
		`+ - * See the OpenSSL documentation for EC_KEY_print()`
		`+ - */`
		`+ -static VALUE ossl_ec_key_to_text(VALUE self)`
		`+ -{`
		`+ - EC_KEY *ec;`
		`+ - BIO *out;`
		`+ - VALUE str;`
		`+ -`
		`+ - GetEC(self, ec);`
		`+ - if (!(out = BIO_new(BIO_s_mem()))) {`
		`+ - ossl_raise(eECError, "BIO_new(BIO_s_mem())");`
		`+ - }`
		`+ - if (!EC_KEY_print(out, ec, 0)) {`
		`+ - BIO_free(out);`
		`+ - ossl_raise(eECError, "EC_KEY_print");`
		`+ - }`
		`+ - str = ossl_membio2str(out);`
		`+ -`
		`+ - return str;`
		`+ -}`
		`+ -`
		`+ /*`
		`+ * call-seq:`
		`+ * key.generate_key! => self`
		`+ @@ -1633,7 +1607,6 @@ void Init_ossl_ec(void)`
		`+ rb_define_method(cEC, "export", ossl_ec_key_export, -1);`
		`+ rb_define_alias(cEC, "to_pem", "export");`
		`+ rb_define_method(cEC, "to_der", ossl_ec_key_to_der, 0);`
		`+ - rb_define_method(cEC, "to_text", ossl_ec_key_to_text, 0);`
		`+`
		`+`
		`+ rb_define_alloc_func(cEC_GROUP, ossl_ec_group_alloc);`
		`+ diff --git a/ext/openssl/ossl_pkey_rsa.c b/ext/openssl/ossl_pkey_rsa.c`
		`+ index 43f82cb29e..7a7e66dbda 100644`
		`+ --- a/ext/openssl/ossl_pkey_rsa.c`
		`+ +++ b/ext/openssl/ossl_pkey_rsa.c`
		`+ @@ -587,36 +587,6 @@ ossl_rsa_get_params(VALUE self)`
		`+ return hash;`
		`+ }`
		`+`
		`+ -/*`
		`+ - * call-seq:`
		`+ - * rsa.to_text => String`
		`+ - *`
		`+ - * THIS METHOD IS INSECURE, PRIVATE INFORMATION CAN LEAK OUT!!!`
		`+ - *`
		`+ - * Dumps all parameters of a keypair to a String`
		`+ - *`
		`+ - * Don't use :-)) (It's up to you)`
		`+ - */`
		`+ -static VALUE`
		`+ -ossl_rsa_to_text(VALUE self)`
		`+ -{`
		`+ - RSA *rsa;`
		`+ - BIO *out;`
		`+ - VALUE str;`
		`+ -`
		`+ - GetRSA(self, rsa);`
		`+ - if (!(out = BIO_new(BIO_s_mem()))) {`
		`+ - ossl_raise(eRSAError, NULL);`
		`+ - }`
		`+ - if (!RSA_print(out, rsa, 0)) { /* offset = 0 */`
		`+ - BIO_free(out);`
		`+ - ossl_raise(eRSAError, NULL);`
		`+ - }`
		`+ - str = ossl_membio2str(out);`
		`+ -`
		`+ - return str;`
		`+ -}`
		`+ -`
		`+ /*`
		`+ * call-seq:`
		`+ * rsa.public_key -> RSA`
		`+ @@ -738,7 +708,6 @@ Init_ossl_rsa(void)`
		`+`
		`+ rb_define_method(cRSA, "public?", ossl_rsa_is_public, 0);`
		`+ rb_define_method(cRSA, "private?", ossl_rsa_is_private, 0);`
		`+ - rb_define_method(cRSA, "to_text", ossl_rsa_to_text, 0);`
		`+ rb_define_method(cRSA, "export", ossl_rsa_export, -1);`
		`+ rb_define_alias(cRSA, "to_pem", "export");`
		`+ rb_define_alias(cRSA, "to_s", "export");`
		`+ diff --git a/test/openssl/test_pkey.rb b/test/openssl/test_pkey.rb`
		`+ index 5307fe5b08..3630458b3c 100644`
		`+ --- a/test/openssl/test_pkey.rb`
		`+ +++ b/test/openssl/test_pkey.rb`
		`+ @@ -151,4 +151,9 @@ def test_x25519`
		`+ assert_equal bob_pem, bob.public_to_pem`
		`+ assert_equal [shared_secret].pack("H*"), alice.derive(bob)`
		`+ end`
		`+ +`
		`+ + def test_to_text`
		`+ + rsa = Fixtures.pkey("rsa1024")`
		`+ + assert_include rsa.to_text, "publicExponent"`
		`+ + end`
		`+ end`
		`+ --`
		`+ 2.32.0`
		`+`
		`+`
		`+ From 0c45b22e485bfa62f4d704b08e3704e6444118c4 Mon Sep 17 00:00:00 2001`
		`+ From: Kazuki Yamaguchi <k@rhe.jp>`
		`+ Date: Thu, 15 Apr 2021 19:11:32 +0900`
		`+ Subject: [PATCH 2/3] pkey: implement {DH,DSA,RSA}#public_key in Ruby`
		`+`
		`+ The low-level API that is used to implement #public_key is deprecated`
		`+ in OpenSSL 3.0. It is actually very simple to implement in another way,`
		`+ using existing methods only, in much shorter code. Let's do it.`
		`+`
		`+ While we are at it, the documentation is updated to recommend against`
		`+ using #public_key. Now that OpenSSL::PKey::PKey implements public_to_der`
		`+ method, there is no real use case for #public_key in newly written Ruby`
		`+ programs.`
		`+ ---`
		`+ ext/openssl/lib/openssl/pkey.rb \| 55 ++++++++++++++++++++++++++++`
		`+ ext/openssl/ossl_pkey_dh.c \| 63 +++++++--------------------------`
		`+ ext/openssl/ossl_pkey_dsa.c \| 42 ----------------------`
		`+ ext/openssl/ossl_pkey_rsa.c \| 58 +-----------------------------`
		`+ test/openssl/test_pkey_rsa.rb \| 37 ++++++++++---------`
		`+ 5 files changed, 87 insertions(+), 168 deletions(-)`
		`+`
		`+ diff --git a/ext/openssl/lib/openssl/pkey.rb b/ext/openssl/lib/openssl/pkey.rb`
		`+ index 53ee52f98b..569559e1ce 100644`
		`+ --- a/ext/openssl/lib/openssl/pkey.rb`
		`+ +++ b/ext/openssl/lib/openssl/pkey.rb`
		`+ @@ -10,6 +10,30 @@ module OpenSSL::PKey`
		`+ class DH`
		`+ include OpenSSL::Marshal`
		`+`
		`+ + # :call-seq:`
		`+ + # dh.public_key -> dhnew`
		`+ + #`
		`+ + # Returns a new DH instance that carries just the \DH parameters.`
		`+ + #`
		`+ + # Contrary to the method name, the returned DH object contains only`
		`+ + # parameters and not the public key.`
		`+ + #`
		`+ + # This method is provided for backwards compatibility. In most cases, there`
		`+ + # is no need to call this method.`
		`+ + #`
		`+ + # For the purpose of re-generating the key pair while keeping the`
		`+ + # parameters, check OpenSSL::PKey.generate_key.`
		`+ + #`
		`+ + # Example:`
		`+ + # # OpenSSL::PKey::DH.generate by default generates a random key pair`
		`+ + # dh1 = OpenSSL::PKey::DH.generate(2048)`
		`+ + # p dh1.priv_key #=> #<OpenSSL::BN 1288347...>`
		`+ + # dhcopy = dh1.public_key`
		`+ + # p dhcopy.priv_key #=> nil`
		`+ + def public_key`
		`+ + DH.new(to_der)`
		`+ + end`
		`+ +`
		`+ # :call-seq:`
		`+ # dh.compute_key(pub_bn) -> string`
		`+ #`
		`+ @@ -89,6 +113,22 @@ def new(*args, &blk) # :nodoc:`
		`+ class DSA`
		`+ include OpenSSL::Marshal`
		`+`
		`+ + # :call-seq:`
		`+ + # dsa.public_key -> dsanew`
		`+ + #`
		`+ + # Returns a new DSA instance that carries just the \DSA parameters and the`
		`+ + # public key.`
		`+ + #`
		`+ + # This method is provided for backwards compatibility. In most cases, there`
		`+ + # is no need to call this method.`
		`+ + #`
		`+ + # For the purpose of serializing the public key, to PEM or DER encoding of`
		`+ + # X.509 SubjectPublicKeyInfo format, check PKey#public_to_pem and`
		`+ + # PKey#public_to_der.`
		`+ + def public_key`
		`+ + OpenSSL::PKey.read(public_to_der)`
		`+ + end`
		`+ +`
		`+ class << self`
		`+ # :call-seq:`
		`+ # DSA.generate(size) -> dsa`
		`+ @@ -159,6 +199,21 @@ def to_bn(conversion_form = group.point_conversion_form)`
		`+ class RSA`
		`+ include OpenSSL::Marshal`
		`+`
		`+ + # :call-seq:`
		`+ + # rsa.public_key -> rsanew`
		`+ + #`
		`+ + # Returns a new RSA instance that carries just the public key components.`
		`+ + #`
		`+ + # This method is provided for backwards compatibility. In most cases, there`
		`+ + # is no need to call this method.`
		`+ + #`
		`+ + # For the purpose of serializing the public key, to PEM or DER encoding of`
		`+ + # X.509 SubjectPublicKeyInfo format, check PKey#public_to_pem and`
		`+ + # PKey#public_to_der.`
		`+ + def public_key`
		`+ + OpenSSL::PKey.read(public_to_der)`
		`+ + end`
		`+ +`
		`+ class << self`
		`+ # :call-seq:`
		`+ # RSA.generate(size, exponent = 65537) -> RSA`
		`+ diff --git a/ext/openssl/ossl_pkey_dh.c b/ext/openssl/ossl_pkey_dh.c`
		`+ index acd3bf474e..a512b209d3 100644`
		`+ --- a/ext/openssl/ossl_pkey_dh.c`
		`+ +++ b/ext/openssl/ossl_pkey_dh.c`
		`+ @@ -266,48 +266,6 @@ ossl_dh_get_params(VALUE self)`
		`+ return hash;`
		`+ }`
		`+`
		`+ -/*`
		`+ - * call-seq:`
		`+ - * dh.public_key -> aDH`
		`+ - *`
		`+ - * Returns a new DH instance that carries just the public information, i.e.`
		`+ - * the prime _p_ and the generator _g_, but no public/private key yet. Such`
		`+ - * a pair may be generated using DH#generate_key!. The "public key" needed`
		`+ - * for a key exchange with DH#compute_key is considered as per-session`
		`+ - * information and may be retrieved with DH#pub_key once a key pair has`
		`+ - * been generated.`
		`+ - * If the current instance already contains private information (and thus a`
		`+ - * valid public/private key pair), this information will no longer be present`
		`+ - * in the new instance generated by DH#public_key. This feature is helpful for`
		`+ - * publishing the Diffie-Hellman parameters without leaking any of the private`
		`+ - * per-session information.`
		`+ - *`
		`+ - * === Example`
		`+ - * dh = OpenSSL::PKey::DH.new(2048) # has public and private key set`
		`+ - * public_key = dh.public_key # contains only prime and generator`
		`+ - * parameters = public_key.to_der # it's safe to publish this`
		`+ - */`
		`+ -static VALUE`
		`+ -ossl_dh_to_public_key(VALUE self)`
		`+ -{`
		`+ - EVP_PKEY *pkey;`
		`+ - DH orig_dh, dh;`
		`+ - VALUE obj;`
		`+ -`
		`+ - obj = rb_obj_alloc(rb_obj_class(self));`
		`+ - GetPKey(obj, pkey);`
		`+ -`
		`+ - GetDH(self, orig_dh);`
		`+ - dh = DHparams_dup(orig_dh);`
		`+ - if (!dh)`
		`+ - ossl_raise(eDHError, "DHparams_dup");`
		`+ - if (!EVP_PKEY_assign_DH(pkey, dh)) {`
		`+ - DH_free(dh);`
		`+ - ossl_raise(eDHError, "EVP_PKEY_assign_DH");`
		`+ - }`
		`+ - return obj;`
		`+ -}`
		`+ -`
		`+ /*`
		`+ * call-seq:`
		`+ * dh.params_ok? -> true \| false`
		`+ @@ -384,14 +342,20 @@ Init_ossl_dh(void)`
		`+ * The per-session private key, an OpenSSL::BN.`
		`+ *`
		`+ * === Example of a key exchange`
		`+ - * dh1 = OpenSSL::PKey::DH.new(2048)`
		`+ - * der = dh1.public_key.to_der #you may send this publicly to the participating party`
		`+ - * dh2 = OpenSSL::PKey::DH.new(der)`
		`+ - * dh2.generate_key! #generate the per-session key pair`
		`+ - * symm_key1 = dh1.compute_key(dh2.pub_key)`
		`+ - * symm_key2 = dh2.compute_key(dh1.pub_key)`
		`+ + * # you may send the parameters (der) and own public key (pub1) publicly`
		`+ + * # to the participating party`
		`+ + * dh1 = OpenSSL::PKey::DH.new(2048)`
		`+ + * der = dh1.to_der`
		`+ + * pub1 = dh1.pub_key`
		`+ + *`
		`+ + * # the other party generates its per-session key pair`
		`+ + * dhparams = OpenSSL::PKey::DH.new(der)`
		`+ + * dh2 = OpenSSL::PKey.generate_key(dhparams)`
		`+ + * pub2 = dh2.pub_key`
		`+ *`
		`+ - * puts symm_key1 == symm_key2 # => true`
		`+ + * symm_key1 = dh1.compute_key(pub2)`
		`+ + * symm_key2 = dh2.compute_key(pub1)`
		`+ + * puts symm_key1 == symm_key2 # => true`
		`+ */`
		`+ cDH = rb_define_class_under(mPKey, "DH", cPKey);`
		`+ rb_define_method(cDH, "initialize", ossl_dh_initialize, -1);`
		`+ @@ -402,7 +366,6 @@ Init_ossl_dh(void)`
		`+ rb_define_alias(cDH, "to_pem", "export");`
		`+ rb_define_alias(cDH, "to_s", "export");`
		`+ rb_define_method(cDH, "to_der", ossl_dh_to_der, 0);`
		`+ - rb_define_method(cDH, "public_key", ossl_dh_to_public_key, 0);`
		`+ rb_define_method(cDH, "params_ok?", ossl_dh_check_params, 0);`
		`+`
		`+ DEF_OSSL_PKEY_BN(cDH, dh, p);`
		`+ diff --git a/ext/openssl/ossl_pkey_dsa.c b/ext/openssl/ossl_pkey_dsa.c`
		`+ index f017cceb4a..ab9ac781e8 100644`
		`+ --- a/ext/openssl/ossl_pkey_dsa.c`
		`+ +++ b/ext/openssl/ossl_pkey_dsa.c`
		`+ @@ -264,47 +264,6 @@ ossl_dsa_get_params(VALUE self)`
		`+ return hash;`
		`+ }`
		`+`
		`+ -/*`
		`+ - * call-seq:`
		`+ - * dsa.public_key -> aDSA`
		`+ - *`
		`+ - * Returns a new DSA instance that carries just the public key information.`
		`+ - * If the current instance has also private key information, this will no`
		`+ - * longer be present in the new instance. This feature is helpful for`
		`+ - * publishing the public key information without leaking any of the private`
		`+ - * information.`
		`+ - *`
		`+ - * === Example`
		`+ - * dsa = OpenSSL::PKey::DSA.new(2048) # has public and private information`
		`+ - * pub_key = dsa.public_key # has only the public part available`
		`+ - * pub_key_der = pub_key.to_der # it's safe to publish this`
		`+ - *`
		`+ - *`
		`+ - */`
		`+ -static VALUE`
		`+ -ossl_dsa_to_public_key(VALUE self)`
		`+ -{`
		`+ - EVP_PKEY pkey, pkey_new;`
		`+ - DSA *dsa;`
		`+ - VALUE obj;`
		`+ -`
		`+ - GetPKeyDSA(self, pkey);`
		`+ - obj = rb_obj_alloc(rb_obj_class(self));`
		`+ - GetPKey(obj, pkey_new);`
		`+ -`
		`+ -#define DSAPublicKey_dup(dsa) (DSA *)ASN1_dup( \`
		`+ - (i2d_of_void )i2d_DSAPublicKey, (d2i_of_void )d2i_DSAPublicKey, (char *)(dsa))`
		`+ - dsa = DSAPublicKey_dup(EVP_PKEY_get0_DSA(pkey));`
		`+ -#undef DSAPublicKey_dup`
		`+ - if (!dsa)`
		`+ - ossl_raise(eDSAError, "DSAPublicKey_dup");`
		`+ - if (!EVP_PKEY_assign_DSA(pkey_new, dsa)) {`
		`+ - DSA_free(dsa);`
		`+ - ossl_raise(eDSAError, "EVP_PKEY_assign_DSA");`
		`+ - }`
		`+ - return obj;`
		`+ -}`
		`+ -`
		`+ /*`
		`+ * call-seq:`
		`+ * dsa.syssign(string) -> aString`
		`+ @@ -445,7 +404,6 @@ Init_ossl_dsa(void)`
		`+ rb_define_alias(cDSA, "to_pem", "export");`
		`+ rb_define_alias(cDSA, "to_s", "export");`
		`+ rb_define_method(cDSA, "to_der", ossl_dsa_to_der, 0);`
		`+ - rb_define_method(cDSA, "public_key", ossl_dsa_to_public_key, 0);`
		`+ rb_define_method(cDSA, "syssign", ossl_dsa_sign, 1);`
		`+ rb_define_method(cDSA, "sysverify", ossl_dsa_verify, 2);`
		`+`
		`+ diff --git a/ext/openssl/ossl_pkey_rsa.c b/ext/openssl/ossl_pkey_rsa.c`
		`+ index 7a7e66dbda..1c5476cdcd 100644`
		`+ --- a/ext/openssl/ossl_pkey_rsa.c`
		`+ +++ b/ext/openssl/ossl_pkey_rsa.c`
		`+ @@ -390,7 +390,7 @@ ossl_rsa_private_decrypt(int argc, VALUE *argv, VALUE self)`
		`+ * data = "Sign me!"`
		`+ * pkey = OpenSSL::PKey::RSA.new(2048)`
		`+ * signature = pkey.sign_pss("SHA256", data, salt_length: :max, mgf1_hash: "SHA256")`
		`+ - * pub_key = pkey.public_key`
		`+ + * pub_key = OpenSSL::PKey.read(pkey.public_to_der)`
		`+ * puts pub_key.verify_pss("SHA256", signature, data,`
		`+ * salt_length: :auto, mgf1_hash: "SHA256") # => true`
		`+ */`
		`+ @@ -587,61 +587,6 @@ ossl_rsa_get_params(VALUE self)`
		`+ return hash;`
		`+ }`
		`+`
		`+ -/*`
		`+ - * call-seq:`
		`+ - * rsa.public_key -> RSA`
		`+ - *`
		`+ - * Makes new RSA instance containing the public key from the private key.`
		`+ - */`
		`+ -static VALUE`
		`+ -ossl_rsa_to_public_key(VALUE self)`
		`+ -{`
		`+ - EVP_PKEY pkey, pkey_new;`
		`+ - RSA *rsa;`
		`+ - VALUE obj;`
		`+ -`
		`+ - GetPKeyRSA(self, pkey);`
		`+ - obj = rb_obj_alloc(rb_obj_class(self));`
		`+ - GetPKey(obj, pkey_new);`
		`+ -`
		`+ - rsa = RSAPublicKey_dup(EVP_PKEY_get0_RSA(pkey));`
		`+ - if (!rsa)`
		`+ - ossl_raise(eRSAError, "RSAPublicKey_dup");`
		`+ - if (!EVP_PKEY_assign_RSA(pkey_new, rsa)) {`
		`+ - RSA_free(rsa);`
		`+ - ossl_raise(eRSAError, "EVP_PKEY_assign_RSA");`
		`+ - }`
		`+ - return obj;`
		`+ -}`
		`+ -`
		`+ -/*`
		`+ - * TODO: Test me`
		`+ -`
		`+ -static VALUE`
		`+ -ossl_rsa_blinding_on(VALUE self)`
		`+ -{`
		`+ - RSA *rsa;`
		`+ -`
		`+ - GetRSA(self, rsa);`
		`+ -`
		`+ - if (RSA_blinding_on(rsa, ossl_bn_ctx) != 1) {`
		`+ - ossl_raise(eRSAError, NULL);`
		`+ - }`
		`+ - return self;`
		`+ -}`
		`+ -`
		`+ -static VALUE`
		`+ -ossl_rsa_blinding_off(VALUE self)`
		`+ -{`
		`+ - RSA *rsa;`
		`+ -`
		`+ - GetRSA(self, rsa);`
		`+ - RSA_blinding_off(rsa);`
		`+ -`
		`+ - return self;`
		`+ -}`
		`+ - */`
		`+ -`
		`+ /*`
		`+ * Document-method: OpenSSL::PKey::RSA#set_key`
		`+ * call-seq:`
		`+ @@ -712,7 +657,6 @@ Init_ossl_rsa(void)`
		`+ rb_define_alias(cRSA, "to_pem", "export");`
		`+ rb_define_alias(cRSA, "to_s", "export");`
		`+ rb_define_method(cRSA, "to_der", ossl_rsa_to_der, 0);`
		`+ - rb_define_method(cRSA, "public_key", ossl_rsa_to_public_key, 0);`
		`+ rb_define_method(cRSA, "public_encrypt", ossl_rsa_public_encrypt, -1);`
		`+ rb_define_method(cRSA, "public_decrypt", ossl_rsa_public_decrypt, -1);`
		`+ rb_define_method(cRSA, "private_encrypt", ossl_rsa_private_encrypt, -1);`
		`+ diff --git a/test/openssl/test_pkey_rsa.rb b/test/openssl/test_pkey_rsa.rb`
		`+ index d1e68dbc9f..5f8d04e754 100644`
		`+ --- a/test/openssl/test_pkey_rsa.rb`
		`+ +++ b/test/openssl/test_pkey_rsa.rb`
		`+ @@ -69,29 +69,28 @@ def test_private`
		`+ end`
		`+`
		`+ def test_new`
		`+ - key = OpenSSL::PKey::RSA.new 512`
		`+ - pem = key.public_key.to_pem`
		`+ - OpenSSL::PKey::RSA.new pem`
		`+ - assert_equal([], OpenSSL.errors)`
		`+ - end`
		`+ + key = OpenSSL::PKey::RSA.new(512)`
		`+ + assert_equal 512, key.n.num_bits`
		`+ + assert_equal 65537, key.e`
		`+ + assert_not_nil key.d`
		`+`
		`+ - def test_new_exponent_default`
		`+ - assert_equal(65537, OpenSSL::PKey::RSA.new(512).e)`
		`+ + # Specify public exponent`
		`+ + key2 = OpenSSL::PKey::RSA.new(512, 3)`
		`+ + assert_equal 512, key2.n.num_bits`
		`+ + assert_equal 3, key2.e`
		`+ + assert_not_nil key2.d`
		`+ end`
		`+`
		`+ - def test_new_with_exponent`
		`+ - 1.upto(30) do \|idx\|`
		`+ - e = (2 ** idx) + 1`
		`+ - key = OpenSSL::PKey::RSA.new(512, e)`
		`+ - assert_equal(e, key.e)`
		`+ - end`
		`+ - end`
		`+ + def test_s_generate`
		`+ + key1 = OpenSSL::PKey::RSA.generate(512)`
		`+ + assert_equal 512, key1.n.num_bits`
		`+ + assert_equal 65537, key1.e`
		`+`
		`+ - def test_generate`
		`+ - key = OpenSSL::PKey::RSA.generate(512, 17)`
		`+ - assert_equal 512, key.n.num_bits`
		`+ - assert_equal 17, key.e`
		`+ - assert_not_nil key.d`
		`+ + # Specify public exponent`
		`+ + key2 = OpenSSL::PKey::RSA.generate(512, 3)`
		`+ + assert_equal 512, key2.n.num_bits`
		`+ + assert_equal 3, key2.e`
		`+ + assert_not_nil key2.d`
		`+ end`
		`+`
		`+ def test_new_break`
		`+ --`
		`+ 2.32.0`
		`+`
		`+`
		`+ From 2150af0e55b2a25c24f62006e27e0aec3dc81b57 Mon Sep 17 00:00:00 2001`
		`+ From: Kazuki Yamaguchi <k@rhe.jp>`
		`+ Date: Fri, 10 Jul 2020 14:34:51 +0900`
		`+ Subject: [PATCH 3/3] pkey/dh, pkey/ec: use EVP_PKEY_check() family`
		`+`
		`+ Use EVP_PKEY_param_check() instead of DH_check() if available. Also,`
		`+ use EVP_PKEY_public_check() instead of EC_KEY_check_key().`
		`+`
		`+ EVP_PKEY_*check() is part of the EVP API and is meant to replace those`
		`+ low-level functions. They were added by OpenSSL 1.1.1. It is currently`
		`+ not provided by LibreSSL.`
		`+ ---`
		`+ ext/openssl/extconf.rb \| 3 +++`
		`+ ext/openssl/ossl_pkey_dh.c \| 27 +++++++++++++++++++++++----`
		`+ ext/openssl/ossl_pkey_ec.c \| 23 +++++++++++++++++++----`
		`+ test/openssl/test_pkey_dh.rb \| 16 ++++++++++++++++`
		`+ 4 files changed, 61 insertions(+), 8 deletions(-)`
		`+`
		`+ diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb`
		`+ index b3c6647faf..17d93443fc 100644`
		`+ --- a/ext/openssl/extconf.rb`
		`+ +++ b/ext/openssl/extconf.rb`
		`+ @@ -173,6 +173,9 @@ def find_openssl_library`
		`+ have_func("EVP_PBE_scrypt")`
		`+ have_func("SSL_CTX_set_post_handshake_auth")`
		`+`
		`+ +# added in 1.1.1`
		`+ +have_func("EVP_PKEY_check")`
		`+ +`
		`+ Logging::message "=== Checking done. ===\n"`
		`+`
		`+ create_header`
		`+ diff --git a/ext/openssl/ossl_pkey_dh.c b/ext/openssl/ossl_pkey_dh.c`
		`+ index a512b209d3..ca782bbe59 100644`
		`+ --- a/ext/openssl/ossl_pkey_dh.c`
		`+ +++ b/ext/openssl/ossl_pkey_dh.c`
		`+ @@ -273,19 +273,38 @@ ossl_dh_get_params(VALUE self)`
		`+ * Validates the Diffie-Hellman parameters associated with this instance.`
		`+ * It checks whether a safe prime and a suitable generator are used. If this`
		`+ * is not the case, +false+ is returned.`
		`+ + *`
		`+ + * See also the man page EVP_PKEY_param_check(3).`
		`+ */`
		`+ static VALUE`
		`+ ossl_dh_check_params(VALUE self)`
		`+ {`
		`+ + int ret;`
		`+ +#ifdef HAVE_EVP_PKEY_CHECK`
		`+ + EVP_PKEY *pkey;`
		`+ + EVP_PKEY_CTX *pctx;`
		`+ +`
		`+ + GetPKey(self, pkey);`
		`+ + pctx = EVP_PKEY_CTX_new(pkey, /* engine */NULL);`
		`+ + if (!pctx)`
		`+ + ossl_raise(eDHError, "EVP_PKEY_CTX_new");`
		`+ + ret = EVP_PKEY_param_check(pctx);`
		`+ + EVP_PKEY_CTX_free(pctx);`
		`+ +#else`
		`+ DH *dh;`
		`+ int codes;`
		`+`
		`+ GetDH(self, dh);`
		`+ - if (!DH_check(dh, &codes)) {`
		`+ - return Qfalse;`
		`+ - }`
		`+ + ret = DH_check(dh, &codes) == 1 && codes == 0;`
		`+ +#endif`
		`+`
		`+ - return codes == 0 ? Qtrue : Qfalse;`
		`+ + if (ret == 1)`
		`+ + return Qtrue;`
		`+ + else {`
		`+ + /* DH_check_ex() will put error entry on failure */`
		`+ + ossl_clear_error();`
		`+ + return Qfalse;`
		`+ + }`
		`+ }`
		`+`
		`+ /*`
		`+ diff --git a/ext/openssl/ossl_pkey_ec.c b/ext/openssl/ossl_pkey_ec.c`
		`+ index ecb8305184..829529d4b9 100644`
		`+ --- a/ext/openssl/ossl_pkey_ec.c`
		`+ +++ b/ext/openssl/ossl_pkey_ec.c`
		`+ @@ -443,20 +443,35 @@ static VALUE ossl_ec_key_generate_key(VALUE self)`
		`+ }`
		`+`
		`+ /*`
		`+ - * call-seq:`
		`+ - * key.check_key => true`
		`+ + * call-seq:`
		`+ + * key.check_key => true`
		`+ *`
		`+ - * Raises an exception if the key is invalid.`
		`+ + * Raises an exception if the key is invalid.`
		`+ *`
		`+ - * See the OpenSSL documentation for EC_KEY_check_key()`
		`+ + * See also the man page EVP_PKEY_public_check(3).`
		`+ */`
		`+ static VALUE ossl_ec_key_check_key(VALUE self)`
		`+ {`
		`+ +#ifdef HAVE_EVP_PKEY_CHECK`
		`+ + EVP_PKEY *pkey;`
		`+ + EVP_PKEY_CTX *pctx;`
		`+ + int ret;`
		`+ +`
		`+ + GetPKey(self, pkey);`
		`+ + pctx = EVP_PKEY_CTX_new(pkey, /* engine */NULL);`
		`+ + if (!pctx)`
		`+ + ossl_raise(eDHError, "EVP_PKEY_CTX_new");`
		`+ + ret = EVP_PKEY_public_check(pctx);`
		`+ + EVP_PKEY_CTX_free(pctx);`
		`+ + if (ret != 1)`
		`+ + ossl_raise(eECError, "EVP_PKEY_public_check");`
		`+ +#else`
		`+ EC_KEY *ec;`
		`+`
		`+ GetEC(self, ec);`
		`+ if (EC_KEY_check_key(ec) != 1)`
		`+ ossl_raise(eECError, "EC_KEY_check_key");`
		`+ +#endif`
		`+`
		`+ return Qtrue;`
		`+ }`
		`+ diff --git a/test/openssl/test_pkey_dh.rb b/test/openssl/test_pkey_dh.rb`
		`+ index 279ce1984c..f80af8f841 100644`
		`+ --- a/test/openssl/test_pkey_dh.rb`
		`+ +++ b/test/openssl/test_pkey_dh.rb`
		`+ @@ -86,6 +86,22 @@ def test_key_exchange`
		`+ assert_equal(dh.compute_key(dh2.pub_key), dh2.compute_key(dh.pub_key))`
		`+ end`
		`+`
		`+ + def test_params_ok?`
		`+ + dh0 = Fixtures.pkey("dh1024")`
		`+ +`
		`+ + dh1 = OpenSSL::PKey::DH.new(OpenSSL::ASN1::Sequence([`
		`+ + OpenSSL::ASN1::Integer(dh0.p),`
		`+ + OpenSSL::ASN1::Integer(dh0.g)`
		`+ + ]))`
		`+ + assert_equal(true, dh1.params_ok?)`
		`+ +`
		`+ + dh2 = OpenSSL::PKey::DH.new(OpenSSL::ASN1::Sequence([`
		`+ + OpenSSL::ASN1::Integer(dh0.p + 1),`
		`+ + OpenSSL::ASN1::Integer(dh0.g)`
		`+ + ]))`
		`+ + assert_equal(false, dh2.params_ok?)`
		`+ + end`
		`+ +`
		`+ def test_dup`
		`+ dh = Fixtures.pkey("dh1024")`
		`+ dh2 = dh.dup`
		`+ --`
		`+ 2.32.0`
		`+`

ruby-3.1.0-Use-high-level-EVP-interface-to-generate-parameters-and-keys.patch

file added

+1113

The added file is too large to be shown here, see it at: ruby-3.1.0-Use-high-level-EVP-interface-to-generate-parameters-and-keys.patch

ruby-3.1.0-test-openssl-test_digest-do-not-test-constants-for-l.patch

file added

+29

		`@@ -0,0 +1,29 @@`
		`+ From b4b5eab2a5fd0e9ac62c01102dd26d0a433c5683 Mon Sep 17 00:00:00 2001`
		`+ From: Kazuki Yamaguchi <k@rhe.jp>`
		`+ Date: Mon, 18 May 2020 02:17:28 +0900`
		`+ Subject: [PATCH] test/openssl/test_digest: do not test constants for legacy`
		`+ algorithms`
		`+`
		`+ Remove availability test for MD4 and RIPEMD160 as they are considered`
		`+ legacy and may be missing depending on the compile-time options of`
		`+ OpenSSL. OpenSSL 3.0 by default disables them.`
		`+ ---`
		`+ test/openssl/test_digest.rb \| 2 +-`
		`+ 1 file changed, 1 insertion(+), 1 deletion(-)`
		`+`
		`+ diff --git a/test/openssl/test_digest.rb b/test/openssl/test_digest.rb`
		`+ index 8d7046e831..84c128c12f 100644`
		`+ --- a/test/openssl/test_digest.rb`
		`+ +++ b/test/openssl/test_digest.rb`
		`+ @@ -54,7 +54,7 @@ def test_reset`
		`+ end`
		`+`
		`+ def test_digest_constants`
		`+ - %w{MD4 MD5 RIPEMD160 SHA1 SHA224 SHA256 SHA384 SHA512}.each do \|name\|`
		`+ + %w{MD5 SHA1 SHA224 SHA256 SHA384 SHA512}.each do \|name\|`
		`+ assert_not_nil(OpenSSL::Digest.new(name))`
		`+ klass = OpenSSL::Digest.const_get(name.tr('-', '_'))`
		`+ assert_not_nil(klass.new)`
		`+ --`
		`+ 2.32.0`
		`+`

ruby-3.1.0-test-openssl-test_pkcs12-fix-test-failures-with-Open.patch

file added

+439

		`@@ -0,0 +1,439 @@`
		`+ From 9596788bdd2d061bef042485af14262e9fc4020c Mon Sep 17 00:00:00 2001`
		`+ From: Kazuki Yamaguchi <k@rhe.jp>`
		`+ Date: Thu, 13 Aug 2020 23:20:55 +0900`
		`+ Subject: [PATCH] test/openssl/test_pkcs12: fix test failures with OpenSSL 3.0`
		`+`
		`+ OpenSSL's PKCS12_create() by default uses pbewithSHAAnd40BitRC2-CBC for`
		`+ encryption of the certificates. However, in OpenSSL 3.0, the algorithm`
		`+ is part of the legacy provider and is not enabled by default.`
		`+`
		`+ Specify another algorithm that is still in the default provider for`
		`+ these test cases.`
		`+ ---`
		`+ test/openssl/test_pkcs12.rb \| 297 ++++++++++++++++++------------------`
		`+ 1 file changed, 149 insertions(+), 148 deletions(-)`
		`+`
		`+ diff --git a/test/openssl/test_pkcs12.rb b/test/openssl/test_pkcs12.rb`
		`+ index fdbe753b17..ec676743bc 100644`
		`+ --- a/test/openssl/test_pkcs12.rb`
		`+ +++ b/test/openssl/test_pkcs12.rb`
		`+ @@ -5,6 +5,9 @@`
		`+`
		`+ module OpenSSL`
		`+ class TestPKCS12 < OpenSSL::TestCase`
		`+ + DEFAULT_PBE_PKEYS = "PBE-SHA1-3DES"`
		`+ + DEFAULT_PBE_CERTS = "PBE-SHA1-3DES"`
		`+ +`
		`+ def setup`
		`+ super`
		`+ ca = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=CA")`
		`+ @@ -14,47 +17,41 @@ def setup`
		`+ ["subjectKeyIdentifier","hash",false],`
		`+ ["authorityKeyIdentifier","keyid:always",false],`
		`+ ]`
		`+ - @cacert = issue_cert(ca, Fixtures.pkey("rsa2048"), 1, ca_exts, nil, nil)`
		`+ + ca_key = Fixtures.pkey("rsa-1")`
		`+ + @cacert = issue_cert(ca, ca_key, 1, ca_exts, nil, nil)`
		`+`
		`+ inter_ca = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=Intermediate CA")`
		`+ - inter_ca_key = OpenSSL::PKey.read <<-_EOS_`
		`+ ------BEGIN RSA PRIVATE KEY-----`
		`+ -MIICXAIBAAKBgQDp7hIG0SFMG/VWv1dBUWziAPrNmkMXJgTCAoB7jffzRtyyN04K`
		`+ -oq/89HAszTMStZoMigQURfokzKsjpUp8OYCAEsBtt9d5zPndWMz/gHN73GrXk3LT`
		`+ -ZsxEn7Xv5Da+Y9F/Hx2QZUHarV5cdZixq2NbzWGwrToogOQMh2pxN3Z/0wIDAQAB`
		`+ -AoGBAJysUyx3olpsGzv3OMRJeahASbmsSKTXVLZvoIefxOINosBFpCIhZccAG6UV`
		`+ -5c/xCvS89xBw8aD15uUfziw3AuT8QPEtHCgfSjeT7aWzBfYswEgOW4XPuWr7EeI9`
		`+ -iNHGD6z+hCN/IQr7FiEBgTp6A+i/hffcSdR83fHWKyb4M7TRAkEA+y4BNd668HmC`
		`+ -G5MPRx25n6LixuBxrNp1umfjEI6UZgEFVpYOg4agNuimN6NqM253kcTR94QNTUs5`
		`+ -Kj3EhG1YWwJBAO5rUjiOyCNVX2WUQrOMYK/c1lU7fvrkdygXkvIGkhsPoNRzLPeA`
		`+ -HGJszKtrKD8bNihWpWNIyqKRHfKVD7yXT+kCQGCAhVCIGTRoypcDghwljHqLnysf`
		`+ -ci0h5ZdPcIqc7ODfxYhFsJ/Rql5ONgYsT5Ig/+lOQAkjf+TRYM4c2xKx2/8CQBvG`
		`+ -jv6dy70qDgIUgqzONtlmHeYyFzn9cdBO5sShdVYHvRHjFSMEXsosqK9zvW2UqvuK`
		`+ -FJx7d3f29gkzynCLJDkCQGQZlEZJC4vWmWJGRKJ24P6MyQn3VsPfErSKOg4lvyM3`
		`+ -Li8JsX5yIiuVYaBg/6ha3tOg4TCa5K/3r3tVliRZ2Es=`
		`+ ------END RSA PRIVATE KEY-----`
		`+ - _EOS_`
		`+ - @inter_cacert = issue_cert(inter_ca, inter_ca_key, 2, ca_exts, @cacert, Fixtures.pkey("rsa2048"))`
		`+ + inter_ca_key = Fixtures.pkey("rsa-2")`
		`+ + @inter_cacert = issue_cert(inter_ca, inter_ca_key, 2, ca_exts, @cacert, ca_key)`
		`+`
		`+ exts = [`
		`+ ["keyUsage","digitalSignature",true],`
		`+ ["subjectKeyIdentifier","hash",false],`
		`+ ]`
		`+ ee = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=Ruby PKCS12 Test Certificate")`
		`+ - @mykey = Fixtures.pkey("rsa1024")`
		`+ + @mykey = Fixtures.pkey("rsa-3")`
		`+ @mycert = issue_cert(ee, @mykey, 3, exts, @inter_cacert, inter_ca_key)`
		`+ end`
		`+`
		`+ - def test_create`
		`+ + def test_create_single_key_single_cert`
		`+ pkcs12 = OpenSSL::PKCS12.create(`
		`+ "omg",`
		`+ "hello",`
		`+ @mykey,`
		`+ - @mycert`
		`+ + @mycert,`
		`+ + nil,`
		`+ + DEFAULT_PBE_PKEYS,`
		`+ + DEFAULT_PBE_CERTS,`
		`+ )`
		`+ - assert_equal @mycert.to_der, pkcs12.certificate.to_der`
		`+ + assert_equal @mycert, pkcs12.certificate`
		`+ assert_equal @mykey.to_der, pkcs12.key.to_der`
		`+ assert_nil pkcs12.ca_certs`
		`+ +`
		`+ + der = pkcs12.to_der`
		`+ + decoded = OpenSSL::PKCS12.new(der, "omg")`
		`+ + assert_equal @mykey.to_der, decoded.key.to_der`
		`+ + assert_equal @mycert, decoded.certificate`
		`+ + assert_equal [], Array(decoded.ca_certs)`
		`+ end`
		`+`
		`+ def test_create_no_pass`
		`+ @@ -62,14 +59,17 @@ def test_create_no_pass`
		`+ nil,`
		`+ "hello",`
		`+ @mykey,`
		`+ - @mycert`
		`+ + @mycert,`
		`+ + nil,`
		`+ + DEFAULT_PBE_PKEYS,`
		`+ + DEFAULT_PBE_CERTS,`
		`+ )`
		`+ - assert_equal @mycert.to_der, pkcs12.certificate.to_der`
		`+ + assert_equal @mycert, pkcs12.certificate`
		`+ assert_equal @mykey.to_der, pkcs12.key.to_der`
		`+ assert_nil pkcs12.ca_certs`
		`+`
		`+ decoded = OpenSSL::PKCS12.new(pkcs12.to_der)`
		`+ - assert_cert @mycert, decoded.certificate`
		`+ + assert_equal @mycert, decoded.certificate`
		`+ end`
		`+`
		`+ def test_create_with_chain`
		`+ @@ -80,7 +80,9 @@ def test_create_with_chain`
		`+ "hello",`
		`+ @mykey,`
		`+ @mycert,`
		`+ - chain`
		`+ + chain,`
		`+ + DEFAULT_PBE_PKEYS,`
		`+ + DEFAULT_PBE_CERTS,`
		`+ )`
		`+ assert_equal chain, pkcs12.ca_certs`
		`+ end`
		`+ @@ -95,14 +97,16 @@ def test_create_with_chain_decode`
		`+ "hello",`
		`+ @mykey,`
		`+ @mycert,`
		`+ - chain`
		`+ + chain,`
		`+ + DEFAULT_PBE_PKEYS,`
		`+ + DEFAULT_PBE_CERTS,`
		`+ )`
		`+`
		`+ decoded = OpenSSL::PKCS12.new(pkcs12.to_der, passwd)`
		`+ assert_equal chain.size, decoded.ca_certs.size`
		`+ - assert_include_cert @cacert, decoded.ca_certs`
		`+ - assert_include_cert @inter_cacert, decoded.ca_certs`
		`+ - assert_cert @mycert, decoded.certificate`
		`+ + assert_include decoded.ca_certs, @cacert`
		`+ + assert_include decoded.ca_certs, @inter_cacert`
		`+ + assert_equal @mycert, decoded.certificate`
		`+ assert_equal @mykey.to_der, decoded.key.to_der`
		`+ end`
		`+`
		`+ @@ -126,8 +130,8 @@ def test_create_with_itr`
		`+ @mykey,`
		`+ @mycert,`
		`+ [],`
		`+ - nil,`
		`+ - nil,`
		`+ + DEFAULT_PBE_PKEYS,`
		`+ + DEFAULT_PBE_CERTS,`
		`+ 2048`
		`+ )`
		`+`
		`+ @@ -138,8 +142,8 @@ def test_create_with_itr`
		`+ @mykey,`
		`+ @mycert,`
		`+ [],`
		`+ - nil,`
		`+ - nil,`
		`+ + DEFAULT_PBE_PKEYS,`
		`+ + DEFAULT_PBE_CERTS,`
		`+ "omg"`
		`+ )`
		`+ end`
		`+ @@ -152,7 +156,8 @@ def test_create_with_mac_itr`
		`+ @mykey,`
		`+ @mycert,`
		`+ [],`
		`+ - nil,`
		`+ + DEFAULT_PBE_PKEYS,`
		`+ + DEFAULT_PBE_CERTS,`
		`+ nil,`
		`+ nil,`
		`+ 2048`
		`+ @@ -165,148 +170,144 @@ def test_create_with_mac_itr`
		`+ @mykey,`
		`+ @mycert,`
		`+ [],`
		`+ - nil,`
		`+ - nil,`
		`+ + DEFAULT_PBE_PKEYS,`
		`+ + DEFAULT_PBE_CERTS,`
		`+ nil,`
		`+ "omg"`
		`+ )`
		`+ end`
		`+ end`
		`+`
		`+ - def test_new_with_one_key_and_one_cert`
		`+ - # generated with:`
		`+ - # openssl version #=> OpenSSL 1.0.2h 3 May 2016`
		`+ - # openssl pkcs12 -in <@mycert> -inkey <RSA1024> -export -out <out>`
		`+ - str = <<~EOF.unpack("m").first`
		`+ -MIIGQQIBAzCCBgcGCSqGSIb3DQEHAaCCBfgEggX0MIIF8DCCAu8GCSqGSIb3DQEH`
		`+ -BqCCAuAwggLcAgEAMIIC1QYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQYwDgQIeZPM`
		`+ -Rh6KiXgCAggAgIICqL6O+LCZmBzdIg6mozPF3FpY0hVbWHvTNMiDHieW3CrAanhN`
		`+ -YCH2/wHqH8WpFpEWwF0qEEXAWjHsIlYB4Cfqo6b7XpuZe5eVESsjNTOTMF1JCUJj`
		`+ -A6iNefXmCFLync1JK5LUodRDhTlKLU1WPK20X9X4vuEwHn8wt5RUb8P0E+Xh6rpS`
		`+ -XC4LkZKT45zF3cJa/n5+dW65ohVGNVnF9D1bCNEKHMOllK1V9omutQ9slW88hpga`
		`+ -LGiFsJoFOb/ESGb78KO+bd6zbX1MdKdBV+WD6t1uF/cgU65y+2A4nXs1urda+MJ7`
		`+ -7iVqiB7Vnc9cANTbAkTSGNyoUDVM/NZde782/8IvddLAzUZ2EftoRDke6PvuBOVL`
		`+ -ljBhNWmdamrtBqzuzVZCRdWq44KZkF2Xoc9asepwIkdVmntzQF7f1Z+Ta5yg6HFp`
		`+ -xnr7CuM+MlHEShXkMgYtHnwAq10fDMSXIvjhi/AA5XUAusDO3D+hbtcRDcJ4uUes`
		`+ -dm5dhQE2qJ02Ysn4aH3o1F3RYNOzrxejHJwl0D2TCE8Ww2X342xib57+z9u03ufj`
		`+ -jswhiMKxy67f1LhUMq3XrT3uV6kCVXk/KUOUPcXPlPVNA5JmZeFhMp6GrtB5xJJ9`
		`+ -wwBZD8UL5A2U2Mxi2OZsdUBv8eo3jnjZ284aFpt+mCjIHrLW5O0jwY8OCwSlYUoY`
		`+ -IY00wlabX0s82kBcIQNZbC1RSV2267ro/7A0MClc8YQ/zWN0FKY6apgtUkHJI1cL`
		`+ -1dc77mhnjETjwW94iLMDFy4zQfVu7IfCBqOBzygRNnqqUG66UhTs1xFnWM0mWXl/`
		`+ -Zh9+AMpbRLIPaKCktIjl5juzzm+KEgkhD+707XRCFIGUYGP5bSHzGaz8PK9hj0u1`
		`+ -E2SpZHUvYOcawmxtA7pmpSxl5uQjMIIC+QYJKoZIhvcNAQcBoIIC6gSCAuYwggLi`
		`+ -MIIC3gYLKoZIhvcNAQwKAQKgggKmMIICojAcBgoqhkiG9w0BDAEDMA4ECKB338m8`
		`+ -qSzHAgIIAASCAoACFhJeqA3xx+s1qIH6udNQYY5hAL6oz7SXoGwFhDiceSyJjmAD`
		`+ -Dby9XWM0bPl1Gj5nqdsuI/lAM++fJeoETk+rxw8q6Ofk2zUaRRE39qgpwBwSk44o`
		`+ -0SAFJ6bzHpc5CFh6sZmDaUX5Lm9GtjnGFmmsPTSJT5an5JuJ9WczGBEd0nSBQhJq`
		`+ -xHbTGZiN8i3SXcIH531Sub+CBIFWy5lyCKgDYh/kgJFGQAaWUOjLI+7dCEESonXn`
		`+ -F3Jh2uPbnDF9MGJyAFoNgWFhgSpi1cf6AUi87GY4Oyur88ddJ1o0D0Kz2uw8/bpG`
		`+ -s3O4PYnIW5naZ8mozzbnYByEFk7PoTwM7VhoFBfYNtBoAI8+hBnPY/Y71YUojEXf`
		`+ -SeX6QbtkIANfzS1XuFNKElShC3DPQIHpKzaatEsfxHfP+8VOav6zcn4mioao7NHA`
		`+ -x7Dp6R1enFGoQOq4UNjBT8YjnkG5vW8zQHW2dAHLTJBq6x2Fzm/4Pjo/8vM1FiGl`
		`+ -BQdW5vfDeJ/l6NgQm3xR9ka2E2HaDqIcj1zWbN8jy/bHPFJYuF/HH8MBV/ngMIXE`
		`+ -vFEW/ToYv8eif0+EpUtzBsCKD4a7qYYYh87RmEVoQU96q6m+UbhpD2WztYfAPkfo`
		`+ -OSL9j2QHhVczhL7OAgqNeM95pOsjA9YMe7exTeqK31LYnTX8oH8WJD1xGbRSJYgu`
		`+ -SY6PQbumcJkc/TFPn0GeVUpiDdf83SeG50lo/i7UKQi2l1hi5Y51fQhnBnyMr68D`
		`+ -llSZEvSWqfDxBJkBpeg6PIYvkTpEwKRJpVQoM3uYvdqVSSnW6rydqIb+snfOrlhd`
		`+ -f+xCtq9xr+kHeTSqLIDRRAnMfgFRhY3IBlj6MSUwIwYJKoZIhvcNAQkVMRYEFBdb`
		`+ -8XGWehZ6oPj56Pf/uId46M9AMDEwITAJBgUrDgMCGgUABBRvSCB04/f8f13pp2PF`
		`+ -vyl2WuMdEwQIMWFFphPkIUICAggA`
		`+ - EOF`
		`+ - p12 = OpenSSL::PKCS12.new(str, "abc123")`
		`+ -`
		`+ - assert_equal @mykey.to_der, p12.key.to_der`
		`+ - assert_equal @mycert.subject.to_der, p12.certificate.subject.to_der`
		`+ - assert_equal [], Array(p12.ca_certs)`
		`+ - end`
		`+ -`
		`+ def test_new_with_no_keys`
		`+ # generated with:`
		`+ - # openssl pkcs12 -in <@mycert> -nokeys -export -out <out>`
		`+ + # openssl pkcs12 -certpbe PBE-SHA1-3DES -in <@mycert> -nokeys -export`
		`+ str = <<~EOF.unpack("m").first`
		`+ -MIIDHAIBAzCCAuIGCSqGSIb3DQEHAaCCAtMEggLPMIICyzCCAscGCSqGSIb3DQEH`
		`+ -BqCCArgwggK0AgEAMIICrQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQYwDgQIX4+W`
		`+ -irqwH40CAggAgIICgOaCyo+5+6IOVoGCCL80c50bkkzAwqdXxvkKExJSdcJz2uMU`
		`+ -0gRrKnZEjL5wrUsN8RwZu8DvgQTEhNEkKsUgM7AWainmN/EnwohIdHZAHpm6WD67`
		`+ -I9kLGp0/DHrqZrV9P2dLfhXLUSQE8PI0tqZPZ8UEABhizkViw4eISTkrOUN7pGbN`
		`+ -Qtx/oqgitXDuX2polbxYYDwt9vfHZhykHoKgew26SeJyZfeMs/WZ6olEI4cQUAFr`
		`+ -mvYGuC1AxEGTo9ERmU8Pm16j9Hr9PFk50WYe+rnk9oX3wJogQ7XUWS5kYf7XRycd`
		`+ -NDkNiwV/ts94bbuaGZp1YA6I48FXpIc8b5fX7t9tY0umGaWy0bARe1L7o0Y89EPe`
		`+ -lMg25rOM7j3uPtFG8whbSfdETSy57UxzzTcJ6UwexeaK6wb2jqEmj5AOoPLWeaX0`
		`+ -LyOAszR3v7OPAcjIDYZGdrbb3MZ2f2vo2pdQfu9698BrWhXuM7Odh73RLhJVreNI`
		`+ -aezNOAtPyBlvGiBQBGTzRIYHSLL5Y5aVj2vWLAa7hjm5qTL5C5mFdDIo6TkEMr6I`
		`+ -OsexNQofEGs19kr8nARXDlcbEimk2VsPj4efQC2CEXZNzURsKca82pa62MJ8WosB`
		`+ -DTFd8X06zZZ4nED50vLopZvyW4fyW60lELwOyThAdG8UchoAaz2baqP0K4de44yM`
		`+ -Y5/yPFDu4+GoimipJfbiYviRwbzkBxYW8+958ILh0RtagLbvIGxbpaym9PqGjOzx`
		`+ -ShNXjLK2aAFZsEizQ8kd09quJHU/ogq2cUXdqqhmOqPnUWrJVi/VCoRB3Pv1/lE4`
		`+ -mrUgr2YZ11rYvBw6g5XvNvFcSc53OKyV7SLn0dwwMTAhMAkGBSsOAwIaBQAEFEWP`
		`+ -1WRQykaoD4uJCpTx/wv0SLLBBAiDKI26LJK7xgICCAA=`
		`+ +MIIGJAIBAzCCBeoGCSqGSIb3DQEHAaCCBdsEggXXMIIF0zCCBc8GCSqGSIb3`
		`+ +DQEHBqCCBcAwggW8AgEAMIIFtQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQMw`
		`+ +DgQIjv5c3OHvnBgCAggAgIIFiMJa8Z/w7errRvCQPXh9dGQz3eJaFq3S2gXD`
		`+ +rh6oiwsgIRJZvYAWgU6ll9NV7N5SgvS2DDNVuc3tsP8TPWjp+bIxzS9qmGUV`
		`+ +kYWuURWLMKhpF12ZRDab8jcIwBgKoSGiDJk8xHjx6L613/XcRM6ln3VeQK+C`
		`+ +hlW5kXniNAUAgTft25Fn61Xa8xnhmsz/fk1ycGnyGjKCnr7Mgy7KV0C1vs23`
		`+ +18n8+b1ktDWLZPYgpmXuMFVh0o+HJTV3O86mkIhJonMcnOMgKZ+i8KeXaocN`
		`+ +JQlAPBG4+HOip7FbQT/h6reXv8/J+hgjLfqAb5aV3m03rUX9mXx66nR1tQU0`
		`+ +Jq+XPfDh5+V4akIczLlMyyo/xZjI1/qupcMjr+giOGnGd8BA3cuXW+ueLQiA`
		`+ +PpTp+DQLVHRfz9XTZbyqOReNEtEXvO9gOlKSEY5lp65ItXVEs2Oqyf9PfU9y`
		`+ +DUltN6fCMilwPyyrsIBKXCu2ZLM5h65KVCXAYEX9lNqj9zrQ7vTqvCNN8RhS`
		`+ +ScYouTX2Eqa4Z+gTZWLHa8RCQFoyP6hd+97/Tg2Gv2UTH0myQxIVcnpdi1wy`
		`+ +cqb+er7tyKbcO96uSlUjpj/JvjlodtjJcX+oinEqGb/caj4UepbBwiG3vv70`
		`+ +63bS3jTsOLNjDRsR9if3LxIhLa6DW8zOJiGC+EvMD1o4dzHcGVpQ/pZWCHZC`
		`+ ++YiNJpQOBApiZluE+UZ0m3XrtHFQYk7xblTrh+FJF91wBsok0rZXLAKd8m4p`
		`+ +OJsc7quCq3cuHRRTzJQ4nSe01uqbwGDAYwLvi6VWy3svU5qa05eDRmgzEFTG`
		`+ +e84Gp/1LQCtpQFr4txkjFchO2whWS80KoQKqmLPyGm1D9Lv53Q4ZsKMgNihs`
		`+ +rEepuaOZMKHl4yMAYFoOXZCAYzfbhN6b2phcFAHjMUHUw9e3F0QuDk9D0tsr`
		`+ +riYTrkocqlOKfK4QTomx27O0ON2J6f1rtEojGgfl9RNykN7iKGzjS3914QjW`
		`+ +W6gGiZejxHsDPEAa4gUp0WiSUSXtD5WJgoyAzLydR2dKWsQ4WlaUXi01CuGy`
		`+ ++xvncSn2nO3bbot8VD5H6XU1CjREVtnIfbeRYO/uofyLUP3olK5RqN6ne6Xo`
		`+ +eXnJ/bjYphA8NGuuuvuW1SCITmINkZDLC9cGlER9+K65RR/DR3TigkexXMeN`
		`+ +aJ70ivZYAl0OuhZt3TGIlAzS64TIoyORe3z7Ta1Pp9PZQarYJpF9BBIZIFor`
		`+ +757PHHuQKRuugiRkp8B7v4eq1BQ+VeAxCKpyZ7XrgEtbY/AWDiaKcGPKPjc3`
		`+ +AqQraVeQm7kMBT163wFmZArCphzkDOI3bz2oEO8YArMgLq2Vto9jAZlqKyWr`
		`+ +pi2bSJxuoP1aoD58CHcWMrf8/j1LVdQhKgHQXSik2ID0H2Wc/XnglhzlVFuJ`
		`+ +JsNIW/EGJlZh/5WDez9U0bXqnBlu3uasPEOezdoKlcCmQlmTO5+uLHYLEtNA`
		`+ +EH9MtnGZebi9XS5meTuS6z5LILt8O9IHZxmT3JRPHYj287FEzotlLdcJ4Ee5`
		`+ +enW41UHjLrfv4OaITO1hVuoLRGdzjESx/fHMWmxroZ1nVClxECOdT42zvIYJ`
		`+ +J3xBZ0gppzQ5fjoYiKjJpxTflRxUuxshk3ih6VUoKtqj/W18tBQ3g5SOlkgT`
		`+ +yCW8r74yZlfYmNrPyDMUQYpLUPWj2n71GF0KyPfTU5yOatRgvheh262w5BG3`
		`+ +omFY7mb3tCv8/U2jdMIoukRKacpZiagofz3SxojOJq52cHnCri+gTHBMX0cO`
		`+ +j58ygfntHWRzst0pV7Ze2X3fdCAJ4DokH6bNJNthcgmolFJ/y3V1tJjgsdtQ`
		`+ +7Pjn/vE6xUV0HXE2x4yoVYNirbAMIvkN/X+atxrN0dA4AchN+zGp8TAxMCEw`
		`+ +CQYFKw4DAhoFAAQUQ+6XXkyhf6uYgtbibILN2IjKnOAECLiqoY45MPCrAgII`
		`+ +AA==`
		`+ EOF`
		`+ p12 = OpenSSL::PKCS12.new(str, "abc123")`
		`+`
		`+ assert_equal nil, p12.key`
		`+ assert_equal nil, p12.certificate`
		`+ assert_equal 1, p12.ca_certs.size`
		`+ - assert_equal @mycert.subject.to_der, p12.ca_certs[0].subject.to_der`
		`+ + assert_equal @mycert.subject, p12.ca_certs[0].subject`
		`+ end`
		`+`
		`+ def test_new_with_no_certs`
		`+ # generated with:`
		`+ - # openssl pkcs12 -inkey <RSA1024> -nocerts -export -out <out>`
		`+ + # openssl pkcs12 -inkey fixtures/openssl/pkey/rsa-1.pem -nocerts -export`
		`+ str = <<~EOF.unpack("m").first`
		`+ -MIIDJwIBAzCCAu0GCSqGSIb3DQEHAaCCAt4EggLaMIIC1jCCAtIGCSqGSIb3DQEH`
		`+ -AaCCAsMEggK/MIICuzCCArcGCyqGSIb3DQEMCgECoIICpjCCAqIwHAYKKoZIhvcN`
		`+ -AQwBAzAOBAg6AaYnJs84SwICCAAEggKAQzZH+fWSpcQYD1J7PsGSune85A++fLCQ`
		`+ -V7tacp2iv95GJkxwYmfTP176pJdgs00mceB9UJ/u9EX5nD0djdjjQjwo6sgKjY0q`
		`+ -cpVhZw8CMxw7kBD2dhtui0zT8z5hy03LePxsjEKsGiSbeVeeGbSfw/I6AAYbv+Uh`
		`+ -O/YPBGumeHj/D2WKnfsHJLQ9GAV3H6dv5VKYNxjciK7f/JEyZCuUQGIN64QFHDhJ`
		`+ -7fzLqd/ul3FZzJZO6a+dwvcgux09SKVXDRSeFmRCEX4b486iWhJJVspCo9P2KNne`
		`+ -ORrpybr3ZSwxyoICmjyo8gj0OSnEfdx9790Ej1takPqSA1wIdSdBLekbZqB0RBQg`
		`+ -DEuPOsXNo3QFi8ji1vu0WBRJZZSNC2hr5NL6lNR+DKxG8yzDll2j4W4BBIp22mAE`
		`+ -7QRX7kVxu17QJXQhOUac4Dd1qXmzebP8t6xkAxD9L7BWEN5OdiXWwSWGjVjMBneX`
		`+ -nYObi/3UT/aVc5WHMHK2BhCI1bwH51E6yZh06d5m0TQpYGUTWDJdWGBSrp3A+8jN`
		`+ -N2PMQkWBFrXP3smHoTEN4oZC4FWiPsIEyAkQsfKRhcV9lGKl2Xgq54ROTFLnwKoj`
		`+ -Z3zJScnq9qmNzvVZSMmDLkjLyDq0pxRxGKBvgouKkWY7VFFIwwBIJM39iDJ5NbBY`
		`+ -i1AQFTRsRSsZrNVPasCXrIq7bhMoJZb/YZOGBLNyJVqKUoYXhtwsajzSq54VlWft`
		`+ -JxsPayEd4Vi6O9EU1ahnj6qFEZiKFzsicgK2J1Rb8cYagrp0XWjHW0SBn5GVUWCg`
		`+ -GUokSFG/0JTdeYTo/sQuG4qNgJkOolRjpeI48Fciq5VUWLvVdKioXzAxMCEwCQYF`
		`+ -Kw4DAhoFAAQUYAuwVtGD1TdgbFK4Yal2XBgwUR4ECEawsN3rNaa6AgIIAA==`
		`+ +MIIJ7wIBAzCCCbUGCSqGSIb3DQEHAaCCCaYEggmiMIIJnjCCCZoGCSqGSIb3`
		`+ +DQEHAaCCCYsEggmHMIIJgzCCCX8GCyqGSIb3DQEMCgECoIIJbjCCCWowHAYK`
		`+ +KoZIhvcNAQwBAzAOBAjX5nN8jyRKwQICCAAEgglIBIRLHfiY1mNHpl3FdX6+`
		`+ +72L+ZOVXnlZ1MY9HSeg0RMkCJcm0mJ2UD7INUOGXvwpK9fr6WJUZM1IqTihQ`
		`+ +1dM0crRC2m23aP7KtAlXh2DYD3otseDtwoN/NE19RsiJzeIiy5TSW1d47weU`
		`+ ++D4Ig/9FYVFPTDgMzdCxXujhvO/MTbZIjqtcS+IOyF+91KkXrHkfkGjZC7KS`
		`+ +WRmYw9BBuIPQEewdTI35sAJcxT8rK7JIiL/9mewbSE+Z28Wq1WXwmjL3oZm9`
		`+ +lw6+f515b197GYEGomr6LQqJJamSYpwQbTGHonku6Tf3ylB4NLFqOnRCKE4K`
		`+ +zRSSYIqJBlKHmQ4pDm5awoupHYxMZLZKZvXNYyYN3kV8r1iiNVlY7KBR4CsX`
		`+ +rqUkXehRmcPnuqEMW8aOpuYe/HWf8PYI93oiDZjcEZMwW2IZFFrgBbqUeNCM`
		`+ +CQTkjAYxi5FyoaoTnHrj/aRtdLOg1xIJe4KKcmOXAVMmVM9QEPNfUwiXJrE7`
		`+ +n42gl4NyzcZpxqwWBT++9TnQGZ/lEpwR6dzkZwICNQLdQ+elsdT7mumywP+1`
		`+ +WaFqg9kpurimaiBu515vJNp9Iqv1Nmke6R8Lk6WVRKPg4Akw0fkuy6HS+LyN`
		`+ +ofdCfVUkPGN6zkjAxGZP9ZBwvXUbLRC5W3N5qZuAy5WcsS75z+oVeX9ePV63`
		`+ +cue23sClu8JSJcw3HFgPaAE4sfkQ4MoihPY5kezgT7F7Lw/j86S0ebrDNp4N`
		`+ +Y685ec81NRHJ80CAM55f3kGCOEhoifD4VZrvr1TdHZY9Gm3b1RYaJCit2huF`
		`+ +nlOfzeimdcv/tkjb6UsbpXx3JKkF2NFFip0yEBERRCdWRYMUpBRcl3ad6XHy`
		`+ +w0pVTgIjTxGlbbtOCi3siqMOK0GNt6UgjoEFc1xqjsgLwU0Ta2quRu7RFPGM`
		`+ +GoEwoC6VH23p9Hr4uTFOL0uHfkKWKunNN+7YPi6LT6IKmTQwrp+fTO61N6Xh`
		`+ +KlqTpwESKsIJB2iMnc8wBkjXJtmG/e2n5oTqfhICIrxYmEb7zKDyK3eqeTj3`
		`+ +FhQh2t7cUIiqcT52AckUqniPmlE6hf82yBjhaQUPfi/ExTBtTDSmFfRPUzq+`
		`+ +Rlla4OHllPRzUXJExyansgCxZbPqlw46AtygSWRGcWoYAKUKwwoYjerqIV5g`
		`+ +JoZICV9BOU9TXco1dHXZQTs/nnTwoRmYiL/Ly5XpvUAnQOhYeCPjBeFnPSBR`
		`+ +R/hRNqrDH2MOV57v5KQIH2+mvy26tRG+tVGHmLMaOJeQkjLdxx+az8RfXIrH`
		`+ +7hpAsoBb+g9jUDY1mUVavPk1T45GMpQH8u3kkzRvChfOst6533GyIZhE7FhN`
		`+ +KanC6ACabVFDUs6P9pK9RPQMp1qJfpA0XJFx5TCbVbPkvnkZd8K5Tl/tzNM1`
		`+ +n32eRao4MKr9KDwoDL93S1yJgYTlYjy1XW/ewdedtX+B4koAoz/wSXDYO+GQ`
		`+ +Zu6ZSpKSEHTRPhchsJ4oICvpriVaJkn0/Z7H3YjNMB9U5RR9+GiIg1wY1Oa1`
		`+ +S3WfuwrrI6eqfbQwj6PDNu3IKy6srEgvJwaofQALNBPSYWbauM2brc8qsD+t`
		`+ +n8jC/aD1aMcy00+9t3H/RVCjEOb3yKfUpAldIkEA2NTTnZpoDQDXeNYU2F/W`
		`+ +yhmFjJy8A0O4QOk2xnZK9kcxSRs0v8vI8HivvgWENoVPscsDC4742SSIe6SL`
		`+ +f/T08reIX11f0K70rMtLhtFMQdHdYOTNl6JzhkHPLr/f9MEZsBEQx52depnF`
		`+ +ARb3gXGbCt7BAi0OeCEBSbLr2yWuW4r55N0wRZSOBtgqgjsiHP7CDQSkbL6p`
		`+ +FPlQS1do9gBSHiNYvsmN1LN5bG+mhcVb0UjZub4mL0EqGadjDfDdRJmWqlX0`
		`+ +r5dyMcOWQVy4O2cPqYFlcP9lk8buc5otcyVI2isrAFdlvBK29oK6jc52Aq5Q`
		`+ +0b2ESDlgX8WRgiOPPxK8dySKEeuIwngCtJyNTecP9Ug06TDsu0znZGCXJ+3P`
		`+ +8JOpykgA8EQdOZOYHbo76ZfB2SkklI5KeRA5IBjGs9G3TZ4PHLy2DIwsbWzS`
		`+ +H1g01o1x264nx1cJ+eEgUN/KIiGFIib42RS8Af4D5e+Vj54Rt3axq+ag3kI+`
		`+ +53p8uotyu+SpvvXUP7Kv4xpQ/L6k41VM0rfrd9+DrlDVvSfxP2uh6I1TKF7A`
		`+ +CT5n8zguMbng4PGjxvyPBM5k62t6hN5fuw6Af0aZFexh+IjB/5wFQ6onSz23`
		`+ +fBzMW4St7RgSs8fDg3lrM+5rwXiey1jxY1ddaxOoUsWRMvvdd7rZxRZQoN5v`
		`+ +AcI5iMkK/vvpQgC/sfzhtXtrJ2XOPZ+GVgi7VcuDLKSkdFMcPbGzO8SdxUnS`
		`+ +SLV5XTKqKND+Lrfx7DAoKi5wbDFHu5496/MHK5qP4tBe6sJ5bZc+KDJIH46e`
		`+ +wTV1oWtB5tV4q46hOb5WRcn/Wjz3HSKaGZgx5QbK1MfKTzD5CTUn+ArMockX`
		`+ +2wJhPnFK85U4rgv8iBuh9bRjyw+YaKf7Z3loXRiE1eRG6RzuPF0ZecFiDumk`
		`+ +AC/VUXynJhzePBLqzrQj0exanACdullN+pSfHiRWBxR2VFUkjoFP5X45GK3z`
		`+ +OstSH6FOkMVU4afqEmjsIwozDFIyin5EyWTtdhJe3szdJSGY23Tut+9hUatx`
		`+ +9FDFLESOd8z3tyQSNiLk/Hib+e/lbjxqbXBG/p/oyvP3N999PLUPtpKqtYkV`
		`+ +H0+18sNh9CVfojiJl44fzxe8yCnuefBjut2PxEN0EFRBPv9P2wWlmOxkPKUq`
		`+ +NrCJP0rDj5aONLrNZPrR8bZNdIShkZ/rKkoTuA0WMZ+xUlDRxAupdMkWAlrz`
		`+ +8IcwNcdDjPnkGObpN5Ctm3vK7UGSBmPeNqkXOYf3QTJ9gStJEd0F6+DzTN5C`
		`+ +KGt1IyuGwZqL2Yk51FDIIkr9ykEnBMaA39LS7GFHEDNGlW+fKC7AzA0zfoOr`
		`+ +fXZlHMBuqHtXqk3zrsHRqGGoocigg4ctrhD1UREYKj+eIj1TBiRdf7c6+COf`
		`+ +NIOmej8pX3FmZ4ui+dDA8r2ctgsWHrb4A6iiH+v1DRA61GtoaA/tNRggewXW`
		`+ +VXCZCGWyyTuyHGOqq5ozrv5MlzZLWD/KV/uDsAWmy20RAed1C4AzcXlpX25O`
		`+ +M4SNl47g5VRNJRtMqokc8j6TjZrzMDEwITAJBgUrDgMCGgUABBRrkIRuS5qg`
		`+ +BC8fv38mue8LZVcbHQQIUNrWKEnskCoCAggA`
		`+ EOF`
		`+ p12 = OpenSSL::PKCS12.new(str, "abc123")`
		`+`
		`+ - assert_equal @mykey.to_der, p12.key.to_der`
		`+ + assert_equal Fixtures.pkey("rsa-1").to_der, p12.key.to_der`
		`+ assert_equal nil, p12.certificate`
		`+ assert_equal [], Array(p12.ca_certs)`
		`+ end`
		`+`
		`+ def test_dup`
		`+ - p12 = OpenSSL::PKCS12.create("pass", "name", @mykey, @mycert)`
		`+ + p12 = OpenSSL::PKCS12.create(`
		`+ + "pass",`
		`+ + "name",`
		`+ + @mykey,`
		`+ + @mycert,`
		`+ + nil,`
		`+ + DEFAULT_PBE_PKEYS,`
		`+ + DEFAULT_PBE_CERTS,`
		`+ + )`
		`+ assert_equal p12.to_der, p12.dup.to_der`
		`+ end`
		`+ -`
		`+ - private`
		`+ - def assert_cert expected, actual`
		`+ - [`
		`+ - :subject,`
		`+ - :issuer,`
		`+ - :serial,`
		`+ - :not_before,`
		`+ - :not_after,`
		`+ - ].each do \|attribute\|`
		`+ - assert_equal expected.send(attribute), actual.send(attribute)`
		`+ - end`
		`+ - assert_equal expected.to_der, actual.to_der`
		`+ - end`
		`+ -`
		`+ - def assert_include_cert cert, ary`
		`+ - der = cert.to_der`
		`+ - ary.each do \|candidate\|`
		`+ - if candidate.to_der == der`
		`+ - return true`
		`+ - end`
		`+ - end`
		`+ - false`
		`+ - end`
		`+ end`
		`+ end`
		`+`
		`+ --`
		`+ 2.32.0`
		`+`

ruby-3.1.0-test-openssl-test_pkey-use-EC-keys-for-PKey.generate.patch

file added

+67

		`@@ -0,0 +1,67 @@`
		`+ From 10d2216b2f35a31777a099d9f765b0b6ea34a63e Mon Sep 17 00:00:00 2001`
		`+ From: Kazuki Yamaguchi <k@rhe.jp>`
		`+ Date: Mon, 18 May 2020 02:35:35 +0900`
		`+ Subject: [PATCH] test/openssl/test_pkey: use EC keys for`
		`+ PKey.generate_parameters tests`
		`+`
		`+ OpenSSL 3.0 refuses to generate DSA parameters shorter than 2048 bits,`
		`+ but generating 2048 bits parameters takes very long time. Let's use EC`
		`+ in these test cases instead.`
		`+ ---`
		`+ test/openssl/test_pkey.rb \| 27 +++++++++++----------------`
		`+ 1 file changed, 11 insertions(+), 16 deletions(-)`
		`+`
		`+ diff --git a/test/openssl/test_pkey.rb b/test/openssl/test_pkey.rb`
		`+ index 3630458b3c..88a6e04581 100644`
		`+ --- a/test/openssl/test_pkey.rb`
		`+ +++ b/test/openssl/test_pkey.rb`
		`+ @@ -27,20 +27,16 @@ def test_generic_oid_inspect`
		`+ end`
		`+`
		`+ def test_s_generate_parameters`
		`+ - # 512 is non-default; 1024 is used if 'dsa_paramgen_bits' is not specified`
		`+ - # with OpenSSL 1.1.0.`
		`+ - pkey = OpenSSL::PKey.generate_parameters("DSA", {`
		`+ - "dsa_paramgen_bits" => 512,`
		`+ - "dsa_paramgen_q_bits" => 256,`
		`+ + pkey = OpenSSL::PKey.generate_parameters("EC", {`
		`+ + "ec_paramgen_curve" => "secp384r1",`
		`+ })`
		`+ - assert_instance_of OpenSSL::PKey::DSA, pkey`
		`+ - assert_equal 512, pkey.p.num_bits`
		`+ - assert_equal 256, pkey.q.num_bits`
		`+ - assert_equal nil, pkey.priv_key`
		`+ + assert_instance_of OpenSSL::PKey::EC, pkey`
		`+ + assert_equal "secp384r1", pkey.group.curve_name`
		`+ + assert_equal nil, pkey.private_key`
		`+`
		`+ # Invalid options are checked`
		`+ assert_raise(OpenSSL::PKey::PKeyError) {`
		`+ - OpenSSL::PKey.generate_parameters("DSA", "invalid" => "option")`
		`+ + OpenSSL::PKey.generate_parameters("EC", "invalid" => "option")`
		`+ }`
		`+`
		`+ # Parameter generation callback is called`
		`+ @@ -59,14 +55,13 @@ def test_s_generate_key`
		`+ # DSA key pair cannot be generated without parameters`
		`+ OpenSSL::PKey.generate_key("DSA")`
		`+ }`
		`+ - pkey_params = OpenSSL::PKey.generate_parameters("DSA", {`
		`+ - "dsa_paramgen_bits" => 512,`
		`+ - "dsa_paramgen_q_bits" => 256,`
		`+ + pkey_params = OpenSSL::PKey.generate_parameters("EC", {`
		`+ + "ec_paramgen_curve" => "secp384r1",`
		`+ })`
		`+ pkey = OpenSSL::PKey.generate_key(pkey_params)`
		`+ - assert_instance_of OpenSSL::PKey::DSA, pkey`
		`+ - assert_equal 512, pkey.p.num_bits`
		`+ - assert_not_equal nil, pkey.priv_key`
		`+ + assert_instance_of OpenSSL::PKey::EC, pkey`
		`+ + assert_equal "secp384r1", pkey.group.curve_name`
		`+ + assert_not_equal nil, pkey.private_key`
		`+ end`
		`+`
		`+ def test_hmac_sign_verify`
		`+ --`
		`+ 2.32.0`
		`+`

ruby-3.1.0-test-openssl-test_ssl-relax-regex-to-match-OpenSSL-s.patch

file added

+31

		`@@ -0,0 +1,31 @@`
		`+ From 05fd14aea7eff2a6911a6f529f1237276482c6e7 Mon Sep 17 00:00:00 2001`
		`+ From: Kazuki Yamaguchi <k@rhe.jp>`
		`+ Date: Fri, 10 Jul 2020 13:56:38 +0900`
		`+ Subject: [PATCH] test/openssl/test_ssl: relax regex to match OpenSSL's error`
		`+ message`
		`+`
		`+ OpenSSL 3.0 slightly changed the error message for a certificate`
		`+ verification failure when an untrusted self-signed certificate is found`
		`+ in the chain.`
		`+ ---`
		`+ test/openssl/test_ssl.rb \| 4 +++-`
		`+ 1 file changed, 3 insertions(+), 1 deletion(-)`
		`+`
		`+ diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb`
		`+ index 6095d545b5..9e9b8b9b69 100644`
		`+ --- a/test/openssl/test_ssl.rb`
		`+ +++ b/test/openssl/test_ssl.rb`
		`+ @@ -955,7 +955,9 @@ def test_connect_certificate_verify_failed_exception_message`
		`+ start_server(ignore_listener_error: true) { \|port\|`
		`+ ctx = OpenSSL::SSL::SSLContext.new`
		`+ ctx.set_params`
		`+ - assert_raise_with_message(OpenSSL::SSL::SSLError, /self signed/) {`
		`+ + # OpenSSL <= 1.1.0: "self signed certificate in certificate chain"`
		`+ + # OpenSSL >= 3.0.0: "self-signed certificate in certificate chain"`
		`+ + assert_raise_with_message(OpenSSL::SSL::SSLError, /self.signed/) {`
		`+ server_connect(port, ctx)`
		`+ }`
		`+ }`
		`+ --`
		`+ 2.32.0`
		`+`

ruby-3.1.0-test-openssl-utils-remove-dup_public-helper-method.patch

file added

+265

		`@@ -0,0 +1,265 @@`
		`+ From 2c6797bc97d7c92284dc3c0ed27f97ace4e5cfb9 Mon Sep 17 00:00:00 2001`
		`+ From: Kazuki Yamaguchi <k@rhe.jp>`
		`+ Date: Mon, 31 May 2021 11:44:05 +0900`
		`+ Subject: [PATCH] test/openssl/utils: remove dup_public helper method`
		`+`
		`+ It uses deprecated PKey::{RSA,DSA,DH}#set_* methods, which will not`
		`+ work with OpenSSL 3.0. The same can easily be achieved using`
		`+ PKey#public_to_der regardless of the key kind.`
		`+ ---`
		`+ test/openssl/test_pkey_dh.rb \| 8 +++++---`
		`+ test/openssl/test_pkey_dsa.rb \| 15 +++++++++++----`
		`+ test/openssl/test_pkey_ec.rb \| 15 +++++++++++----`
		`+ test/openssl/test_pkey_rsa.rb \| 31 +++++++++++++++++--------------`
		`+ test/openssl/utils.rb \| 26 --------------------------`
		`+ 5 files changed, 44 insertions(+), 51 deletions(-)`
		`+`
		`+ diff --git a/test/openssl/test_pkey_dh.rb b/test/openssl/test_pkey_dh.rb`
		`+ index f80af8f841..757704caf6 100644`
		`+ --- a/test/openssl/test_pkey_dh.rb`
		`+ +++ b/test/openssl/test_pkey_dh.rb`
		`+ @@ -40,12 +40,14 @@ def test_derive_key`
		`+`
		`+ def test_DHparams`
		`+ dh1024 = Fixtures.pkey("dh1024")`
		`+ + dh1024params = dh1024.public_key`
		`+ +`
		`+ asn1 = OpenSSL::ASN1::Sequence([`
		`+ OpenSSL::ASN1::Integer(dh1024.p),`
		`+ OpenSSL::ASN1::Integer(dh1024.g)`
		`+ ])`
		`+ key = OpenSSL::PKey::DH.new(asn1.to_der)`
		`+ - assert_same_dh dup_public(dh1024), key`
		`+ + assert_same_dh dh1024params, key`
		`+`
		`+ pem = <<~EOF`
		`+ -----BEGIN DH PARAMETERS-----`
		`+ @@ -55,9 +57,9 @@ def test_DHparams`
		`+ -----END DH PARAMETERS-----`
		`+ EOF`
		`+ key = OpenSSL::PKey::DH.new(pem)`
		`+ - assert_same_dh dup_public(dh1024), key`
		`+ + assert_same_dh dh1024params, key`
		`+ key = OpenSSL::PKey.read(pem)`
		`+ - assert_same_dh dup_public(dh1024), key`
		`+ + assert_same_dh dh1024params, key`
		`+`
		`+ assert_equal asn1.to_der, dh1024.to_der`
		`+ assert_equal pem, dh1024.export`
		`+ diff --git a/test/openssl/test_pkey_dsa.rb b/test/openssl/test_pkey_dsa.rb`
		`+ index 147e50176b..0994607f21 100644`
		`+ --- a/test/openssl/test_pkey_dsa.rb`
		`+ +++ b/test/openssl/test_pkey_dsa.rb`
		`+ @@ -138,6 +138,8 @@ def test_DSAPrivateKey_encrypted`
		`+`
		`+ def test_PUBKEY`
		`+ dsa512 = Fixtures.pkey("dsa512")`
		`+ + dsa512pub = OpenSSL::PKey::DSA.new(dsa512.public_to_der)`
		`+ +`
		`+ asn1 = OpenSSL::ASN1::Sequence([`
		`+ OpenSSL::ASN1::Sequence([`
		`+ OpenSSL::ASN1::ObjectId("DSA"),`
		`+ @@ -153,7 +155,7 @@ def test_PUBKEY`
		`+ ])`
		`+ key = OpenSSL::PKey::DSA.new(asn1.to_der)`
		`+ assert_not_predicate key, :private?`
		`+ - assert_same_dsa dup_public(dsa512), key`
		`+ + assert_same_dsa dsa512pub, key`
		`+`
		`+ pem = <<~EOF`
		`+ -----BEGIN PUBLIC KEY-----`
		`+ @@ -166,10 +168,15 @@ def test_PUBKEY`
		`+ -----END PUBLIC KEY-----`
		`+ EOF`
		`+ key = OpenSSL::PKey::DSA.new(pem)`
		`+ - assert_same_dsa dup_public(dsa512), key`
		`+ + assert_same_dsa dsa512pub, key`
		`+ +`
		`+ + assert_equal asn1.to_der, key.to_der`
		`+ + assert_equal pem, key.export`
		`+`
		`+ - assert_equal asn1.to_der, dup_public(dsa512).to_der`
		`+ - assert_equal pem, dup_public(dsa512).export`
		`+ + assert_equal asn1.to_der, dsa512.public_to_der`
		`+ + assert_equal asn1.to_der, key.public_to_der`
		`+ + assert_equal pem, dsa512.public_to_pem`
		`+ + assert_equal pem, key.public_to_pem`
		`+ end`
		`+`
		`+ def test_read_DSAPublicKey_pem`
		`+ diff --git a/test/openssl/test_pkey_ec.rb b/test/openssl/test_pkey_ec.rb`
		`+ index 4b6df0290f..d62f1b5eb8 100644`
		`+ --- a/test/openssl/test_pkey_ec.rb`
		`+ +++ b/test/openssl/test_pkey_ec.rb`
		`+ @@ -210,6 +210,8 @@ def test_ECPrivateKey_encrypted`
		`+`
		`+ def test_PUBKEY`
		`+ p256 = Fixtures.pkey("p256")`
		`+ + p256pub = OpenSSL::PKey::EC.new(p256.public_to_der)`
		`+ +`
		`+ asn1 = OpenSSL::ASN1::Sequence([`
		`+ OpenSSL::ASN1::Sequence([`
		`+ OpenSSL::ASN1::ObjectId("id-ecPublicKey"),`
		`+ @@ -221,7 +223,7 @@ def test_PUBKEY`
		`+ ])`
		`+ key = OpenSSL::PKey::EC.new(asn1.to_der)`
		`+ assert_not_predicate key, :private?`
		`+ - assert_same_ec dup_public(p256), key`
		`+ + assert_same_ec p256pub, key`
		`+`
		`+ pem = <<~EOF`
		`+ -----BEGIN PUBLIC KEY-----`
		`+ @@ -230,10 +232,15 @@ def test_PUBKEY`
		`+ -----END PUBLIC KEY-----`
		`+ EOF`
		`+ key = OpenSSL::PKey::EC.new(pem)`
		`+ - assert_same_ec dup_public(p256), key`
		`+ + assert_same_ec p256pub, key`
		`+ +`
		`+ + assert_equal asn1.to_der, key.to_der`
		`+ + assert_equal pem, key.export`
		`+`
		`+ - assert_equal asn1.to_der, dup_public(p256).to_der`
		`+ - assert_equal pem, dup_public(p256).export`
		`+ + assert_equal asn1.to_der, p256.public_to_der`
		`+ + assert_equal asn1.to_der, key.public_to_der`
		`+ + assert_equal pem, p256.public_to_pem`
		`+ + assert_equal pem, key.public_to_pem`
		`+ end`
		`+`
		`+ def test_ec_group`
		`+ diff --git a/test/openssl/test_pkey_rsa.rb b/test/openssl/test_pkey_rsa.rb`
		`+ index 5e127f5407..4548bdb2cf 100644`
		`+ --- a/test/openssl/test_pkey_rsa.rb`
		`+ +++ b/test/openssl/test_pkey_rsa.rb`
		`+ @@ -201,7 +201,7 @@ def test_sign_verify_pss`
		`+`
		`+ def test_encrypt_decrypt`
		`+ rsapriv = Fixtures.pkey("rsa-1")`
		`+ - rsapub = dup_public(rsapriv)`
		`+ + rsapub = OpenSSL::PKey.read(rsapriv.public_to_der)`
		`+`
		`+ # Defaults to PKCS #1 v1.5`
		`+ raw = "data"`
		`+ @@ -216,7 +216,7 @@ def test_encrypt_decrypt`
		`+`
		`+ def test_encrypt_decrypt_legacy`
		`+ rsapriv = Fixtures.pkey("rsa-1")`
		`+ - rsapub = dup_public(rsapriv)`
		`+ + rsapub = OpenSSL::PKey.read(rsapriv.public_to_der)`
		`+`
		`+ # Defaults to PKCS #1 v1.5`
		`+ raw = "data"`
		`+ @@ -346,13 +346,15 @@ def test_RSAPrivateKey_encrypted`
		`+`
		`+ def test_RSAPublicKey`
		`+ rsa1024 = Fixtures.pkey("rsa1024")`
		`+ + rsa1024pub = OpenSSL::PKey::RSA.new(rsa1024.public_to_der)`
		`+ +`
		`+ asn1 = OpenSSL::ASN1::Sequence([`
		`+ OpenSSL::ASN1::Integer(rsa1024.n),`
		`+ OpenSSL::ASN1::Integer(rsa1024.e)`
		`+ ])`
		`+ key = OpenSSL::PKey::RSA.new(asn1.to_der)`
		`+ assert_not_predicate key, :private?`
		`+ - assert_same_rsa dup_public(rsa1024), key`
		`+ + assert_same_rsa rsa1024pub, key`
		`+`
		`+ pem = <<~EOF`
		`+ -----BEGIN RSA PUBLIC KEY-----`
		`+ @@ -362,11 +364,13 @@ def test_RSAPublicKey`
		`+ -----END RSA PUBLIC KEY-----`
		`+ EOF`
		`+ key = OpenSSL::PKey::RSA.new(pem)`
		`+ - assert_same_rsa dup_public(rsa1024), key`
		`+ + assert_same_rsa rsa1024pub, key`
		`+ end`
		`+`
		`+ def test_PUBKEY`
		`+ rsa1024 = Fixtures.pkey("rsa1024")`
		`+ + rsa1024pub = OpenSSL::PKey::RSA.new(rsa1024.public_to_der)`
		`+ +`
		`+ asn1 = OpenSSL::ASN1::Sequence([`
		`+ OpenSSL::ASN1::Sequence([`
		`+ OpenSSL::ASN1::ObjectId("rsaEncryption"),`
		`+ @@ -381,7 +385,7 @@ def test_PUBKEY`
		`+ ])`
		`+ key = OpenSSL::PKey::RSA.new(asn1.to_der)`
		`+ assert_not_predicate key, :private?`
		`+ - assert_same_rsa dup_public(rsa1024), key`
		`+ + assert_same_rsa rsa1024pub, key`
		`+`
		`+ pem = <<~EOF`
		`+ -----BEGIN PUBLIC KEY-----`
		`+ @@ -392,10 +396,15 @@ def test_PUBKEY`
		`+ -----END PUBLIC KEY-----`
		`+ EOF`
		`+ key = OpenSSL::PKey::RSA.new(pem)`
		`+ - assert_same_rsa dup_public(rsa1024), key`
		`+ + assert_same_rsa rsa1024pub, key`
		`+ +`
		`+ + assert_equal asn1.to_der, key.to_der`
		`+ + assert_equal pem, key.export`
		`+`
		`+ - assert_equal asn1.to_der, dup_public(rsa1024).to_der`
		`+ - assert_equal pem, dup_public(rsa1024).export`
		`+ + assert_equal asn1.to_der, rsa1024.public_to_der`
		`+ + assert_equal asn1.to_der, key.public_to_der`
		`+ + assert_equal pem, rsa1024.public_to_pem`
		`+ + assert_equal pem, key.public_to_pem`
		`+ end`
		`+`
		`+ def test_pem_passwd`
		`+ @@ -482,12 +491,6 @@ def test_private_encoding_encrypted`
		`+ assert_same_rsa rsa1024, OpenSSL::PKey.read(pem, "abcdef")`
		`+ end`
		`+`
		`+ - def test_public_encoding`
		`+ - rsa1024 = Fixtures.pkey("rsa1024")`
		`+ - assert_equal dup_public(rsa1024).to_der, rsa1024.public_to_der`
		`+ - assert_equal dup_public(rsa1024).to_pem, rsa1024.public_to_pem`
		`+ - end`
		`+ -`
		`+ def test_dup`
		`+ key = Fixtures.pkey("rsa1024")`
		`+ key2 = key.dup`
		`+ diff --git a/test/openssl/utils.rb b/test/openssl/utils.rb`
		`+ index c1d737b2ab..f664bd3074 100644`
		`+ --- a/test/openssl/utils.rb`
		`+ +++ b/test/openssl/utils.rb`
		`+ @@ -305,32 +305,6 @@ def check_component(base, test, keys)`
		`+ assert_equal base.send(comp), test.send(comp)`
		`+ }`
		`+ end`
		`+ -`
		`+ - def dup_public(key)`
		`+ - case key`
		`+ - when OpenSSL::PKey::RSA`
		`+ - rsa = OpenSSL::PKey::RSA.new`
		`+ - rsa.set_key(key.n, key.e, nil)`
		`+ - rsa`
		`+ - when OpenSSL::PKey::DSA`
		`+ - dsa = OpenSSL::PKey::DSA.new`
		`+ - dsa.set_pqg(key.p, key.q, key.g)`
		`+ - dsa.set_key(key.pub_key, nil)`
		`+ - dsa`
		`+ - when OpenSSL::PKey::DH`
		`+ - dh = OpenSSL::PKey::DH.new`
		`+ - dh.set_pqg(key.p, nil, key.g)`
		`+ - dh`
		`+ - else`
		`+ - if defined?(OpenSSL::PKey::EC) && OpenSSL::PKey::EC === key`
		`+ - ec = OpenSSL::PKey::EC.new(key.group)`
		`+ - ec.public_key = key.public_key`
		`+ - ec`
		`+ - else`
		`+ - raise "unknown key type"`
		`+ - end`
		`+ - end`
		`+ - end`
		`+ end`
		`+`
		`+ module OpenSSL::Certs`
		`+ --`
		`+ 2.32.0`
		`+`

ruby.spec

file modified

+94

		`@@ -167,6 +167,71 @@`
		`# Add AC_PROG_CC to make C++ compiler dependency optional on autoconf >= 2.70.`
		`# https://github.com/ruby/ruby/commit/912a8dcfc5369d840dcd6bf0f88ee0bac7d902d6`
		`Patch20: ruby-3.1.0-autoconf-2.70-add-ac-prog-cc.patch`
		`+ # Allow to exclude test with fully qualified name.`
		`+ # https://bugs.ruby-lang.org/issues/16936`
		`+ # https://github.com/ruby/ruby/pull/5026`
		`+ Patch21: ruby-3.1.0-Properly-exclude-test-cases.patch`
		`+`
		`+`
		`+ # OpenSSL 3.0 compatibility patches`
		`+`
		`+ # Switch from legacy DES-CBC to AES-256-CBC.`
		`+ # https://github.com/rubygems/rubygems/pull/4986`
		`+ Patch30: rubygems-3.2.30-Switch-from-DES-CBC-to-AES-256-CBC.patch`
		`+ # Fix test broken by wrongly formatted distinguished name submitted to`
		+ # `OpenSSL::X509::Name.parse`.
		`+ # https://github.com/ruby/openssl/issues/470`
		`+ # https://github.com/rubygems/rubygems/pull/5030`
		`+ Patch31: rubygems-3.2.30-Provide-distinguished-name-which-will-be-correctly-p.patch`
		`+ # Fix TestGemRequest#test_verify_certificate_extra_message compatibility`
		`+ # with OpenSSL 3.x.`
		`+ # https://github.com/rubygems/rubygems/pull/5040`
		`+ Patch32: rubygems-3.2.30-Use-OpenSSL-constants-for-error-codes.patch`
		`+`
		`+ # Refactor PEM/DER serialization code.`
		`+ # https://github.com/ruby/openssl/pull/328`
		`+ Patch40: ruby-3.1.0-Refactor-PEM-DER-serialization-code.patch`
		`+ # Implement more 'generic' operations using the EVP API.`
		`+ # https://github.com/ruby/openssl/pull/329`
		`+ Patch41: ruby-3.1.0-Add-more-support-for-generic-pkey-types.patch`
		`+ # Allow setting algorithm-specific options in #sign and #verify.`
		`+ # https://github.com/ruby/openssl/pull/374`
		`+ Patch42: ruby-3.1.0-Allow-setting-algorithm-specific-options-in-sign-and-verify.patch`
		`+ # Use high level EVP interface to generate parameters and keys.`
		`+ # https://github.com/ruby/openssl/pull/397`
		`+ Patch43: ruby-3.1.0-Use-high-level-EVP-interface-to-generate-parameters-and-keys.patch`
		`+ # Use EVP API in more places.`
		`+ # https://github.com/ruby/openssl/pull/436`
		`+ Patch44: ruby-3.1.0-Use-EVP-API-in-more-places.patch`
		`+ # Implement PKey#{encrypt,decrypt,sign_raw,verify_{raw,verify_recover}}.`
		`+ # https://github.com/ruby/openssl/pull/382`
		`+ Patch45: ruby-3.1.0-Implement-PKey-encrypt-decrypt-sign_raw-verify_raw-and-verify_recover.patch`
		+ # Fix `OpenSSL::TestSSL#test_dup` test failure.
		`+ # https://github.com/ruby/openssl/commit/7b66eaa2dbabb6570dbbbdfac24c4dcdcc6793d7`
		`+ Patch46: ruby-3.1.0-test-openssl-utils-remove-dup_public-helper-method.patch`
		+ # Fix `OpenSSL::TestDigest#test_digest_constants` test case.
		`+ # https://github.com/ruby/openssl/commit/a3e59f4c2e200c76ef1d93945ff8737a05715e17`
		`+ Patch47: ruby-3.1.0-test-openssl-test_digest-do-not-test-constants-for-l.patch`
		+ # Fix `OpenSSL::TestSSL#test_connect_certificate_verify_failed_exception_message`
		`+ # test case.`
		`+ # https://github.com/ruby/openssl/commit/b5a0a198505452c7457b192da2e5cd5dda04f23d`
		`+ Patch48: ruby-3.1.0-test-openssl-test_ssl-relax-regex-to-match-OpenSSL-s.patch`
		+ # Fix `OpenSSL::TestPKCS12#test_{new_with_no_keys,new_with_one_key_and_one_cert}`
		`+ # test failures.`
		`+ # https://github.com/ruby/openssl/commit/998406d18f2acf73090e9fd9d92a7b4227ac593b`
		`+ Patch49: ruby-3.1.0-test-openssl-test_pkcs12-fix-test-failures-with-Open.patch`
		+ # Fix `OpenSSL::TestPKey#test_s_generate_key` test case.
		`+ # https://github.com/ruby/openssl/commit/c732387ee5aaa8c5a9717e8b3ffebb3d7430e99a`
		`+ Patch50: ruby-3.1.0-test-openssl-test_pkey-use-EC-keys-for-PKey.generate.patch`
		`+ # Miscellaneous changes for OpenSSL 3.0 support.`
		`+ # https://github.com/ruby/openssl/pull/468`
		`+ Patch51: ruby-3.1.0-Miscellaneous-changes-for-OpenSSL-3.0-support.patch`
		`+ # Support OpenSSL 3.0.`
		`+ # https://github.com/ruby/openssl/pull/399`
		`+ Patch52: ruby-3.1.0-Support-OpenSSL-3.0.patch`
		+ # Fix `TestPumaControlCli#test_control_ssl` testcase in Puma.
		`+ # https://github.com/ruby/openssl/pull/399#issuecomment-966239736`
		`+ Patch53: ruby-3.1.0-SSL_read-EOF-handling.patch`

		`Requires: %{name}-libs%{?_isa} = %{version}-%{release}`
		`Suggests: rubypick`
		`@@ -618,6 +683,24 @@`
		`%patch18 -p1`
		`%patch19 -p1`
		`%patch20 -p1`
		`+ %patch21 -p1`
		`+ %patch30 -p1`
		`+ %patch31 -p1`
		`+ %patch32 -p1`
		`+ %patch40 -p1`
		`+ %patch41 -p1`
		`+ %patch42 -p1`
		`+ %patch43 -p1`
		`+ %patch44 -p1`
		`+ %patch45 -p1`
		`+ %patch46 -p1`
		`+ %patch47 -p1`
		`+ %patch48 -p1`
		`+ %patch49 -p1`
		`+ %patch50 -p1`
		`+ %patch51 -p1`
		`+ %patch52 -p1`
		`+ %patch53 -p1`

		`# Provide an example of usage of the tapset:`
		`cp -a %{SOURCE3} .`
		`@@ -896,6 +979,13 @@`
		# Avoid `hostname' dependency.
		`%{!?with_hostname:MSPECOPTS="-P 'Socket.gethostname returns the host name'"}`

		`+ # Some tests are failing upstream due to OpenSSL 3.x compatibility.`
		`+ # https://github.com/ruby/openssl/pull/399/checks?check_run_id=3716152870`
		`+ DISABLE_TESTS="$DISABLE_TESTS -n !/OpenSSL::TestEC#test_check_key/"`
		`+ DISABLE_TESTS="$DISABLE_TESTS -n !/OpenSSL::TestPKeyDH#test_derive_key/"`
		`+ DISABLE_TESTS="$DISABLE_TESTS -n !/OpenSSL::TestPKeyDH#test_key_exchange/"`
		`+ DISABLE_TESTS="$DISABLE_TESTS -n !/OpenSSL::TestCipher#test_ciphers/"`
		`+`
		`# Give an option to increase the timeout in tests.`
		`# https://bugs.ruby-lang.org/issues/16921`
		`%{?test_timeout_scale:RUBY_TEST_TIMEOUT_SCALE="%{test_timeout_scale}"} \`
		`@@ -1374,6 +1464,10 @@`


		`%changelog`
		`+ * Fri Nov 05 2021 Vít Ondruch <vondruch@redhat.com> - 3.0.2-153`
		`+ - Fix OpenSSL 3.0 compatibility.`
		`+ Resolves: rhbz#2021922`
		`+`
		`* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com>`
		`- Rebuilt with OpenSSL 3.0.0`

rubygems-3.2.30-Provide-distinguished-name-which-will-be-correctly-p.patch

file added

+44

		`@@ -0,0 +1,44 @@`
		`+ From bb0f57aeb4de36a3b2b8b8cb01d25b32af0357d3 Mon Sep 17 00:00:00 2001`
		`+ From: =?UTF-8?q?V=C3=ADt=20Ondruch?= <vondruch@redhat.com>`
		`+ Date: Wed, 27 Oct 2021 16:28:24 +0200`
		`+ Subject: [PATCH] Provide distinguished name which will be correctly parsed.`
		`+`
		`+ It seems that since ruby openssl 2.1.0 [[1]], the distinguished name`
		+ submitted to `OpenSSL::X509::Name.parse` is not correctly parsed if it
		`+ does not contain the first slash:`
		`+`
		`+ ~~~`
		`+ $ ruby -v`
		`+ ruby 3.0.2p107 (2021-07-07 revision 0db68f0233) [x86_64-linux]`
		`+`
		`+ $ gem list \| grep openssl`
		`+ openssl (default: 2.2.0)`
		`+`
		`+ $ irb -r openssl`
		`+ irb(main):001:0> OpenSSL::X509::Name.parse("CN=nobody/DC=example").to_s(OpenSSL::X509::Name::ONELINE)`
		`+ => "CN = nobody/DC=example"`
		`+ irb(main):002:0> OpenSSL::X509::Name.parse("/CN=nobody/DC=example").to_s(OpenSSL::X509::Name::ONELINE)`
		`+ => "CN = nobody, DC = example"`
		`+ ~~~`
		`+`
		`+ [1]: https://github.com/ruby/openssl/commit/19c67cd10c57f3ab7b13966c36431ebc3fdd653b`
		`+ ---`
		`+ lib/rubygems/security.rb \| 2 +-`
		`+ 1 file changed, 1 insertion(+), 1 deletion(-)`
		`+`
		`+ diff --git a/lib/rubygems/security.rb b/lib/rubygems/security.rb`
		`+ index c80639af6d..12de141f36 100644`
		`+ --- a/lib/rubygems/security.rb`
		`+ +++ b/lib/rubygems/security.rb`
		`+ @@ -476,7 +476,7 @@ def self.email_to_name(email_address)`
		`+`
		`+ dcs = dcs.split '.'`
		`+`
		`+ - name = "CN=#{cn}/#{dcs.map {\|dc\| "DC=#{dc}" }.join '/'}"`
		`+ + name = "/CN=#{cn}/#{dcs.map {\|dc\| "DC=#{dc}" }.join '/'}"`
		`+`
		`+ OpenSSL::X509::Name.parse name`
		`+ end`
		`+ --`
		`+ 2.32.0`
		`+`

rubygems-3.2.30-Switch-from-DES-CBC-to-AES-256-CBC.patch

file added

+106

		`@@ -0,0 +1,106 @@`
		`+ From 467be1c90bda755710943e9e2a42a42262dde909 Mon Sep 17 00:00:00 2001`
		`+ From: =?UTF-8?q?V=C3=ADt=20Ondruch?= <vondruch@redhat.com>`
		`+ Date: Thu, 14 Oct 2021 09:46:03 +0200`
		`+ Subject: [PATCH] Switch from DES-CBC to AES-256-CBC.`
		`+`
		`+ DES-CBS is considered legacy and disabled in OpenSSL 3.x+ [[1], [2]].`
		`+ This cause causes Ruby test failures:`
		`+`
		`+ ~~~`
		`+ ruby -v: ruby 3.0.2p107 (2021-07-07 revision 0db68f0233) [x86_64-linux]`
		+ /builddir/build/BUILD/ruby-3.0.2/lib/rubygems/test_case.rb:1542:in `initialize': Neither PUB key nor PRIV key (OpenSSL::PKey::RSAError)
		+ from /builddir/build/BUILD/ruby-3.0.2/lib/rubygems/test_case.rb:1542:in `new'
		+ from /builddir/build/BUILD/ruby-3.0.2/lib/rubygems/test_case.rb:1542:in `load_key'
		+ from /builddir/build/BUILD/ruby-3.0.2/lib/rubygems/test_case.rb:1562:in `<class:TestCase>'
		+ from /builddir/build/BUILD/ruby-3.0.2/lib/rubygems/test_case.rb:105:in `<top (required)>'
		+ from <internal:/builddir/build/BUILD/ruby-3.0.2/lib/rubygems/core_ext/kernel_require.rb>:85:in `require'
		+ from <internal:/builddir/build/BUILD/ruby-3.0.2/lib/rubygems/core_ext/kernel_require.rb>:85:in `require'
		+ from /builddir/build/BUILD/ruby-3.0.2/test/rdoc/test_rdoc_rubygems_hook.rb:2:in `<top (required)>'
		+ from <internal:/builddir/build/BUILD/ruby-3.0.2/lib/rubygems/core_ext/kernel_require.rb>:85:in `require'
		+ from <internal:/builddir/build/BUILD/ruby-3.0.2/lib/rubygems/core_ext/kernel_require.rb>:85:in `require'
		+ from /builddir/build/BUILD/ruby-3.0.2/tool/lib/test/unit.rb:1049:in `block in non_options'
		+ from /builddir/build/BUILD/ruby-3.0.2/tool/lib/test/unit.rb:1043:in `each'
		+ from /builddir/build/BUILD/ruby-3.0.2/tool/lib/test/unit.rb:1043:in `non_options'
		+ from /builddir/build/BUILD/ruby-3.0.2/tool/lib/test/unit.rb:65:in `process_args'
		+ from /builddir/build/BUILD/ruby-3.0.2/tool/lib/test/unit.rb:143:in `process_args'
		+ from /builddir/build/BUILD/ruby-3.0.2/tool/lib/test/unit.rb:1237:in `process_args'
		+ from /builddir/build/BUILD/ruby-3.0.2/tool/lib/test/unit.rb:1242:in `run'
		+ from /builddir/build/BUILD/ruby-3.0.2/tool/lib/test/unit.rb:1249:in `run'
		+ from /builddir/build/BUILD/ruby-3.0.2/tool/test/runner.rb:23:in `<top (required)>'
		+ from ./test/runner.rb:11:in `require_relative'
		+ from ./test/runner.rb:11:in `<main>'
		`+ ~~~`
		`+`
		`+ Therefore use AES-256-CBC instead. This is essentially revert of`
		`+ ca228b76b, which was fixing https://github.com/jruby/jruby/issues/919`
		`+`
		`+ [1]: https://github.com/openssl/openssl/blob/master/doc/man7/migration_guide.pod#legacy-algorithms`
		`+ [2]: https://github.com/openssl/openssl/blob/master/doc/man7/OSSL_PROVIDER-legacy.pod`
		`+ ---`
		`+ test/rubygems/encrypted_private_key.pem \| 52 ++++++++++++-------------`
		`+ 1 file changed, 26 insertions(+), 26 deletions(-)`
		`+`
		`+ diff --git a/test/rubygems/encrypted_private_key.pem b/test/rubygems/encrypted_private_key.pem`
		`+ index 868f332b7c..d9667689a6 100644`
		`+ --- a/test/rubygems/encrypted_private_key.pem`
		`+ +++ b/test/rubygems/encrypted_private_key.pem`
		`+ @@ -1,30 +1,30 @@`
		`+ -----BEGIN RSA PRIVATE KEY-----`
		`+ Proc-Type: 4,ENCRYPTED`
		`+ -DEK-Info: DES-CBC,4E38D58B5A059DB6`
		`+ +DEK-Info: AES-256-CBC,CB6FD0B173EF450C6EE21A01DD785C1D`
		`+`
		`+ -IgWLfnHVnkErKkhysrUMoE0ubkRDtJXZv9KR02jGGFk/kGqWyTqPk08uzhwVNM+l`
		`+ -eOk0qfPykkJM3KZgqTsD6xfA1D5WqFp5mLoFXVVTn9I3acSZsqOY0FweCipwdVpI`
		`+ -x+9Fl+v62kIW06dOjyWLE1abed9hHiXesGGsD87/RJSywy4OBxOcrhR1fJLK4ElR`
		`+ -ya0UzI7rWnmZMChjaZBssfzT1DR79/dARXhon2m5EiIJDjMpc8BKGYlQy5RHCHwA`
		`+ -cnrhUTTvsggZbQtmLZ/yVx8FSJ273XpYR0pmwbw4j1R+zeXQRK5MroBnCfOGcYa7`
		`+ -rmpERmDW3VAuxXR20SUAGdo1XOMTDe1uLbaotn6e56pXghIaYROTPS+HsuOkAZGY`
		`+ -OYWEkUoyog4l4n+h/C1umFfTFGvKNATLgDugONFvTw/PLbjvl+sWMy2QfqH0MlNB`
		`+ -DIUPxhEVCFD9oB4nfB86WDAmPp1DH9/IBet/21kbQ2eTIzakTdG3XiC+xzAQRu68`
		`+ -EOCTbasFWGxlCix66gt4xWMLksEg8UhWSpjS3/HsifrKyNMB8sfUFYmZmOYMW4mf`
		`+ -NuEtpBL3AdHNObN8nQ75HfehukzNpbYVRsLzWrVgtxvXHVpnvoCCpCvQBMHeRZxK`
		`+ -6m028mhH1m6yYE/uGFiRKLrN7BKAttbUiqnGgVIg/lQQilFWwylxQ6aXqJGmNgxa`
		`+ -oihzWZRlXivIhhrM7VMnLoKAF/YfmWpP3zahGpBQGfObtPtm44R0ezXPdtsivnyu`
		`+ -CmFOPGzRNMKZtH/lwVhuIIK3AFIGDsRRP9ySN4YfjQZnTdu2sRlxBnANP9m8W9T2`
		`+ -p+C4zVkDYAbsuWq2HpHwsdL8gqIiXeptsHLqkNw+ulSSLyeBCgM9fpV3RsNGjwqu`
		`+ -k8QLb1CYp2VX46CE8UKvOd/nyFnEsD+EAc3WangEwA41m2IaXcbs9Au7xsG9oacZ`
		`+ -DrxlJVNxlxO9YyP9dNOTfP0fHIiygKQQY2aU3y3oRneu7ogYES5V2mUNH7cYUWVL`
		`+ -CHPXAoUXJErvDQ/opW2DroA9Eqv9sST6WqBf6LXRcWU0ntfzcFUbEqgmCmB7Cbu2`
		`+ -8udEn6iWilQahLyDoAShLkU7+Tk78Z1c6RuqjyY4VboZPzxrTYK8YIXzwX+jj9bG`
		`+ -KIIGS5eghK185+AjlwtzJ7MBdoL323YIik6uOZluhnJHLaxjxUXGa1VqDgsyqGi7`
		`+ -ISRMTpVTrbR+UtoEi4ZhMjobtFUr7lGkt24VkXwBKdoyryj4RPHGdp7Tf6XDJufQ`
		`+ -+KKhqt8QrpOTPiMskFN2disOSF5/YZCmtT84nkhU7Hf1lkQ2kfx1zfNk0GqYYXOW`
		`+ -zHOAczy8gWBRetDMnhRYohDzQGWn//b+2Wr2n1RD8D9kyjMRhpFMYfQGfRcuPGjW`
		`+ -91k/T0XFcjcjeZPL9s+HITmrh7zg5WxbCfTEp91j3Oy1bns196SY77TE0BzUsqR2`
		`+ -geJggcUMEfyvHiiCMtijmSSD9nf8tNIxLVL8Jaf1coA6e1CrlHnYAu2f/Q3GIcvU`
		`+ -EEEmw+cZRwsk4fffYzh5psxxGdXKBv1KcQ/CeBhZL0WJsCp2y5oxwg==`
		`+ +KqHn2Df8hSuwNE+W+60MnGtc6xpoXmF3iN25iVwcN67krYn+N6cBhjFeXwXccYwJ`
		`+ +2gHSu4iEK9Qe32vK0yuv8N9h/fmsabZl0TotnEem/pqO5T8W4LxyK+Rw0s6RB30S`
		`+ +C+mUisRADTanAxyBxsNU8xR8OAUNMAAxV1me6It0W2lfNE3t5jg/Kr0NWMoRUNRx`
		`+ +dkE6WlD5D8jBeC3QdZ6OuE7QXOCEAWAjcFMc0d1WJq2t2r3TrLVfTH7EOoRyvL1H`
		`+ +rrFRx/dEW1UJfM6P11wB5R0nhg3rDXF7oDFszjwO/3tzARke0NZuN37l301lYRl1`
		`+ +aolO6sShJLa0Ml/TgNcJw0S6rc6a1Z52gTfQKztKcL1UX4HLZg75zKmn6qfatMBC`
		`+ +iXn+pQRYNsOPQ5h4r7lBBqvuV+gBw+rN768tYpZ2/YVDaygxETHcZAFCdAw/JNbP`
		`+ +d0XPIbP79NRrCgzSo58LKQGuOQf3Hh0vp1YS+MilMtm/eogoj1enSPM+ymStHRwG`
		`+ +i+D00xCQ6blSOZ2eUUBJXt11YzP22GYnv+XTR/5kGKkTIvoRMfd+39bQyR32IEv2`
		`+ +Z+yweAGQInD94eifT9ObbIayJ47y01KP0+Vj6hz4RCFsmJKsYiai5JiKlmf7lV9w`
		`+ +7zH3TtCOx/xSyomesXVRkqvFkdyeguU72kXc5tiMPaDXGCOeV0GWyR1GU1DUX9/K`
		`+ +60E7ym0Wx77WGMKk2fkirZzBdOeliyCRUXd7ccN2rBCjTwtjAUIk27lwzdUaTUv7`
		`+ +EmjauDvSMFtir58c+zjlLmBaSQOzKcj0KXMp0Oucls9bD85WGGbGyzGhTa0AZ+/+`
		`+ +cCEJt7RAwW0kTEO/uO+BAZe/zBoi9ek+QBn54FK3E7CXfS4Oi9Qbc3fwlVyTlVmz`
		`+ +ZGrCncO0TIVGErFWK24Z7lX8rBnk8enfnamrPfKtwn4LG9aDfhSj8DtisjlRUVT5`
		`+ +chDQ+CCi9rh3wXh28lyS+nXJ3yFidCzRgcsc3PpN/c4DNRggZc+C/KDw+J2FW+8Y`
		`+ +p65OliBQHQcG0PnCa2xRyCGevytPG0rfNDgyaY33dPEo90mBLVcwLbzGiSGBHgFl`
		`+ +pr8A/rqbnFpRO39NYbACeRFCqPpzyzfARCCcjcDoFrENdIaJui0fjlBkoV3B/KiK`
		`+ +EVjDcgwt1HAtz8bV2YJ+OpQbhD7E90e2vTRMuXAH21Ygo32VOS0LRlCRc9ZyZW4z`
		`+ +PTyO/6a+FbXZ1zhVJxu/0bmBERZ14WVmWq56oxQav8knpxYeYPgpEmIZnrHnJ1Ko`
		`+ +UoXcc8Hy4NKtaBmDcaF8TCobNsRZTxO/htqpdyNsOrBSsnX2kP5D/O1l1vuVYi1/`
		`+ +RYfUqL9dvGzvfsFuuDDjDlQ/fIA6pFzJV3fy4KJHlF1r33qaE/lNMdpKljBwvUII`
		`+ +Vog4cGmzxssqK5q9kuogcuyeOuFODjBNW4qt0WylSi9bwwy3ZwaZLRqhngz6+tCV`
		`+ +Jp45Gk881XiVe3aVU0l+4DmJJ9/5vwqjH5Vo/GJqFU6gzB+Zv/0plYeNkuE0Xo2z`
		`+ +ecdxnGKVPl42q44lvczjDw2KX0ahxQrfrbcl48//zR295u9POzCL97d6zpioI2NR`
		`+ -----END RSA PRIVATE KEY-----`
		`+ --`
		`+ 2.32.0`
		`+`

rubygems-3.2.30-Use-OpenSSL-constants-for-error-codes.patch

file added

+75

		`@@ -0,0 +1,75 @@`
		`+ From 8acf8e95dcaebe227f779271b8213c15eceb846f Mon Sep 17 00:00:00 2001`
		`+ From: =?UTF-8?q?V=C3=ADt=20Ondruch?= <vondruch@redhat.com>`
		`+ Date: Mon, 1 Nov 2021 18:40:06 +0100`
		`+ Subject: [PATCH] Use OpenSSL constants for error codes.`
		`+`
		`+ This fixes the following test error testing against OpenSSL 3.x:`
		`+`
		`+ ~~~`
		`+ 2) Failure:`
		`+ TestGemRequest#test_verify_certificate_extra_message [/builddir/build/BUILD/ruby-3.0.2/test/rubygems/test_gem_request.rb:358]:`
		`+ <"ERROR: SSL verification error at depth 0: invalid CA certificate (24)\n" +`
		`+ "ERROR: Certificate is an invalid CA certificate\n"> expected but was`
		`+ <"ERROR: SSL verification error at depth 0: invalid CA certificate (79)\n" +`
		`+ "ERROR: Certificate is an invalid CA certificate\n">.`
		`+ ~~~`
		`+`
		`+ Where the root cause is this OpenSSL commit:`
		`+`
		`+ https://github.com/openssl/openssl/commit/1e41dadfa7b9f792ed0f4714a3d3d36f070cf30e`
		`+`
		`+ It seems that OpenSSL upstream considers the constant value just an`
		`+ implementation detail and therefore this changes the test case to`
		`+ follow the suite.`
		`+ ---`
		`+ test/rubygems/test_gem_request.rb \| 14 ++++++++++----`
		`+ 1 file changed, 10 insertions(+), 4 deletions(-)`
		`+`
		`+ diff --git a/test/rubygems/test_gem_request.rb b/test/rubygems/test_gem_request.rb`
		`+ index 66477be7bc..47654f6fa4 100644`
		`+ --- a/test/rubygems/test_gem_request.rb`
		`+ +++ b/test/rubygems/test_gem_request.rb`
		`+ @@ -328,30 +328,36 @@ def test_user_agent_revision_missing`
		`+`
		`+ def test_verify_certificate`
		`+ pend if Gem.java_platform?`
		`+ +`
		`+ + error_number = OpenSSL::X509::V_ERR_OUT_OF_MEM`
		`+ +`
		`+ store = OpenSSL::X509::Store.new`
		`+ context = OpenSSL::X509::StoreContext.new store`
		`+ - context.error = OpenSSL::X509::V_ERR_OUT_OF_MEM`
		`+ + context.error = error_number`
		`+`
		`+ use_ui @ui do`
		`+ Gem::Request.verify_certificate context`
		`+ end`
		`+`
		`+ - assert_equal "ERROR: SSL verification error at depth 0: out of memory (17)\n",`
		`+ + assert_equal "ERROR: SSL verification error at depth 0: out of memory (#{error_number})\n",`
		`+ @ui.error`
		`+ end`
		`+`
		`+ def test_verify_certificate_extra_message`
		`+ pend if Gem.java_platform?`
		`+ +`
		`+ + error_number = OpenSSL::X509::V_ERR_INVALID_CA`
		`+ +`
		`+ store = OpenSSL::X509::Store.new`
		`+ context = OpenSSL::X509::StoreContext.new store`
		`+ - context.error = OpenSSL::X509::V_ERR_INVALID_CA`
		`+ + context.error = error_number`
		`+`
		`+ use_ui @ui do`
		`+ Gem::Request.verify_certificate context`
		`+ end`
		`+`
		`+ expected = <<-ERROR`
		`+ -ERROR: SSL verification error at depth 0: invalid CA certificate (24)`
		`+ +ERROR: SSL verification error at depth 0: invalid CA certificate (#{error_number})`
		`+ ERROR: Certificate is an invalid CA certificate`
		`+ ERROR`
		`+`
		`+ --`
		`+ 2.32.0`
		`+`

vondruch commented 2 years ago

This is first draft of Ruby supporting OpenSSL 3.0. The build is passing, but I have not tested much beyond that. It also needs additional polish.

zuul commented 2 years ago

Build failed. More information on how to proceed and troubleshoot errors available at https://fedoraproject.org/wiki/Zuul-based-ci

check-for-arches : SUCCESS in 1m 15s
rpm-scratch-build : SUCCESS in 32m 44s
rpm-scratch-build-s390x : SKIPPED (non-voting)
rpm-scratch-build-ppc64le : SKIPPED (non-voting)
rpm-scratch-build-i686 : SKIPPED (non-voting)
rpm-scratch-build-armv7hl : SKIPPED (non-voting)
rpm-scratch-build-aarch64 : SKIPPED (non-voting)
rpm-linter : FAILURE in 7m 25s
rpm-rpminspect : FAILURE in 14m 20s (non-voting)
check-for-tests : SUCCESS in 46s
check-for-fmf-tests : SUCCESS in 44s
rpm-install-test : SUCCESS in 4m 23s
rpm-test : SKIPPED
rpm-tmt-test : SKIPPED

pvalena commented 2 years ago

I've built it in my testing COPR:
https://copr.fedorainfracloud.org/coprs/pvalena/ruby-testing/build/2934888/

I've also run gems rebuilds of dependent packages in an accompanying COPR:
https://copr.fedorainfracloud.org/coprs/pvalena/rubygems-testing/builds/
(starting with 2934971)

There're multiple buildroots, so to if the build failed, you need to be check for rawhide buildroot specifically(I'll fix this next time). I'll check for any errors with my automation.

1 new commit added

Polish

2 years ago

zuul commented 2 years ago

Build failed. More information on how to proceed and troubleshoot errors available at https://fedoraproject.org/wiki/Zuul-based-ci

check-for-arches : SUCCESS in 1m 16s
rpm-scratch-build : SUCCESS in 38m 33s
rpm-scratch-build-s390x : SKIPPED (non-voting)
rpm-scratch-build-ppc64le : SKIPPED (non-voting)
rpm-scratch-build-i686 : SKIPPED (non-voting)
rpm-scratch-build-armv7hl : SKIPPED (non-voting)
rpm-scratch-build-aarch64 : SKIPPED (non-voting)
rpm-linter : FAILURE in 5m 46s
rpm-rpminspect : FAILURE in 19m 41s (non-voting)
check-for-tests : SUCCESS in 2m 31s
check-for-fmf-tests : SUCCESS in 2m 31s
rpm-install-test : SUCCESS in 5m 56s
rpm-test : SKIPPED
rpm-tmt-test : SKIPPED

vondruch commented 2 years ago

There seems to be some random issue. My scratch build succeeded:

https://koji.fedoraproject.org/koji/taskinfo?taskID=78530923

While the "Fedora CI" failed with following error:

  1) Failure:
OpenSSL::TestPKey#test_s_generate_parameters [/builddir/build/BUILD/ruby-3.0.2/test/openssl/test_pkey.rb:44]:
RuntimeError expected but nothing was raised.

I have noted this in the upstream ticket

pvalena commented 2 years ago

3 failures:

Puma

TestPumaControlCli#test_control_ssl [/builddir/build/BUILD/puma-4.3.6/usr/share/gems/gems/>
Expected /Command\ stop\ sent\ success/ to match "SSL_read: unexpected eof while reading\n>
https://copr.fedorainfracloud.org/coprs/build/2935470

Eventmachine

(Timeout; retrying for 10th time now ; locally it succeeds)
https://koji.fedoraproject.org/koji/taskinfo?taskID=78622246
https://copr.fedorainfracloud.org/coprs/build/2943854

Interestingly, there's:
Omission: TLSv1_3 is unavailable [test_tlsext_sni_hostname_1_3(TestSslExtensions)]
/builddir/build/BUILD/eventmachine-1.2.7/usr/share/gems/gems/eventmachine-1.2.7/tests/test_ssl_extensions.rb:54:in `test_tlsext_sni_hostname_1_3'

gio2

(checking if the error occurs with regular build)
Segmentation fault
https://copr.fedorainfracloud.org/coprs/build/2943815

Edited 2 years ago by pvalena

pvalena commented 2 years ago

I can confirm the gio2 gem error occurs with regular Scratch build as well:
https://koji.fedoraproject.org/koji/taskinfo?taskID=78623645

vondruch commented 2 years ago

I can confirm the gio2 gem error occurs with regular Scratch build as well:
https://koji.fedoraproject.org/koji/taskinfo?taskID=78623645

This does not look even remotely related to OpenSSL

vondruch commented 2 years ago

Eventmachine

(Timeout; retrying for 10th time now ; locally it succeeds)
https://koji.fedoraproject.org/koji/taskinfo?taskID=78622246
https://copr.fedorainfracloud.org/coprs/build/2943854

Interestingly, there's:
Omission: TLSv1_3 is unavailable [test_tlsext_sni_hostname_1_3(TestSslExtensions)]
/builddir/build/BUILD/eventmachine-1.2.7/usr/share/gems/gems/eventmachine-1.2.7/tests/test_ssl_extensions.rb:54:in `test_tlsext_sni_hostname_1_3'

I have compared the messages with old build and they don't differ, while this is interesting message indeed.

vondruch commented 2 years ago

I have compared the messages with old build and they don't differ, while this is interesting message indeed.

https://github.com/eventmachine/eventmachine/commit/0904385936ef4ecae4519f4f7b8f829a3608afcd

:question:

vondruch commented 2 years ago

Puma

TestPumaControlCli#test_control_ssl [/builddir/build/BUILD/puma-4.3.6/usr/share/gems/gems/>
Expected /Command\ stop\ sent\ success/ to match "SSL_read: unexpected eof while reading\n>
https://copr.fedorainfracloud.org/coprs/build/2935470

This seems to be legitimate issue in Ruby:

https://github.com/ruby/openssl/pull/399#issuecomment-966103794

1 new commit added

Additional fix for Puma.

2 years ago

vondruch commented 2 years ago

Added naive patch fixing the Puma issue.

zuul commented 2 years ago

Build failed. More information on how to proceed and troubleshoot errors available at https://fedoraproject.org/wiki/Zuul-based-ci

check-for-arches : SUCCESS in 1m 31s
rpm-scratch-build : SUCCESS in 42m 57s
rpm-scratch-build-s390x : SKIPPED (non-voting)
rpm-scratch-build-ppc64le : SKIPPED (non-voting)
rpm-scratch-build-i686 : SKIPPED (non-voting)
rpm-scratch-build-armv7hl : SKIPPED (non-voting)
rpm-scratch-build-aarch64 : SKIPPED (non-voting)
rpm-linter : FAILURE in 6m 19s
rpm-rpminspect : FAILURE in 22m 24s (non-voting)
check-for-tests : SUCCESS in 2m 42s
check-for-fmf-tests : SUCCESS in 2m 42s
rpm-install-test : SUCCESS in 6m 44s
rpm-test : SKIPPED
rpm-tmt-test : SKIPPED

pvalena commented 2 years ago

I've been trying this (for other Fedora work) found some offsets:

DEBUG: + echo 'Patch #32 (rubygems-3.2.30-Use-OpenSSL-constants-for-error-codes.patch):'
DEBUG: + /usr/bin/patch --no-backup-if-mismatch -f -p1 --fuzz=0
DEBUG: patching file test/rubygems/test_gem_request.rb
DEBUG: Hunk #1 succeeded at 328 (offset -26 lines).

and

DEBUG: + echo 'Patch #53 (ruby-3.1.0-SSL_read-EOF-handling.patch):'
DEBUG: + /usr/bin/patch --no-backup-if-mismatch -f -p1 --fuzz=0
DEBUG: patching file ext/openssl/ossl_ssl.c
DEBUG: Hunk #1 succeeded at 1844 (offset 32 lines).

pvalena commented 2 years ago

Also, I can confirm Puma builds with this:

https://copr.fedorainfracloud.org/coprs/build/2961025

rebased onto c4f8814

2 years ago

vondruch commented 2 years ago