Skip to content

Commit

Permalink
Make "rake debug" protective for a Ruby OpenSSL loading error.
Browse files Browse the repository at this point in the history 
We experienced a FIPS case specific Ruby OpenSSL error in the loading process
of Ruby OpenSSL by calling the `ruby -ropenssl` (`require 'openssl'`) built
with OpenSSL master branch which includes the commit
<openssl/openssl@6d47e81>
but doesn't include the commit
<openssl/openssl@3c6e114>
fixing the issue.

The following error happened at `lib/openssl.rb:22` calling the
`lib/openssl/ssl.rb` with the OpenSSL commit
<14e46600c68ece74970462a60ad20703221747a1> which is between the above 2 commits.

```
$ OPENSSL_CONF=/home/jaruga/.local/openssl-3.4.0-dev-fips-debug-14e46600c6/ssl/openssl_fips.cnf \
  bundle exec rake debug
...
ruby 3.4.0dev (2024-07-22T08:33:07Z master 82aee1a946) [x86_64-linux]
/home/jaruga/var/git/ruby/openssl/lib/openssl/pkey.rb:132:in 'OpenSSL::PKey::DH#initialize': could not parse pkey (OpenSSL::PKey::DHError)
  from /home/jaruga/var/git/ruby/openssl/lib/openssl/pkey.rb:132:in 'Class#new'
  from /home/jaruga/var/git/ruby/openssl/lib/openssl/pkey.rb:132:in 'OpenSSL::PKey::DH.new'
  from /home/jaruga/var/git/ruby/openssl/lib/openssl/ssl.rb:36:in '<class:SSLContext>'
  from /home/jaruga/var/git/ruby/openssl/lib/openssl/ssl.rb:23:in '<module:SSL>'
  from /home/jaruga/var/git/ruby/openssl/lib/openssl/ssl.rb:22:in '<module:OpenSSL>'
  from /home/jaruga/var/git/ruby/openssl/lib/openssl/ssl.rb:21:in '<top (required)>'
  from /home/jaruga/var/git/ruby/openssl/lib/openssl.rb:22:in 'Kernel#require_relative'
  from /home/jaruga/var/git/ruby/openssl/lib/openssl.rb:22:in '<top (required)>'
  from /home/jaruga/.local/ruby-3.4.0dev-debug-82aee1a946/lib/ruby/3.4.0+0/bundled_gems.rb:71:in 'Kernel.require'
  from /home/jaruga/.local/ruby-3.4.0dev-debug-82aee1a946/lib/ruby/3.4.0+0/bundled_gems.rb:71:in 'block (2 levels) in Kernel#replace_require'
rake aborted!
```

This commit enables the `rake debug` still to print the debugging values in such
cases. In this case, the `rake debug` prints only the base provider without
fips provider. That was a bug of OpenSSL.

```
$ OPENSSL_CONF=/home/jaruga/.local/openssl-3.4.0-dev-fips-debug-14e46600c6/ssl/openssl_fips.cnf \
  bundle exec rake debug
...
ruby 3.4.0dev (2024-07-22T08:33:07Z master 82aee1a946) [x86_64-linux]
OpenSSL::OPENSSL_VERSION: OpenSSL 3.4.0-dev
OpenSSL::OPENSSL_LIBRARY_VERSION: OpenSSL 3.4.0-dev
OpenSSL::OPENSSL_VERSION_NUMBER: 30400000
OpenSSL::LIBRESSL_VERSION_NUMBER: undefined
FIPS enabled: true
Providers: base
```
  • Loading branch information
@junaruga
junaruga committed Jul 25, 2024
1 parent a1aff21 commit d5da6b3
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion Rakefile
View file
Original file line number Diff line number Diff line change
Expand Up @@ -72,7 +72,7 @@ task :debug do
Providers: #{providers_str}
MESSAGE
EOF
ruby %Q(-I./lib -ropenssl -ve'#{ruby_code}')
ruby %Q(-I./lib -ropenssl.so -ve'#{ruby_code}')
end

task :default => :test

0 comments on commit d5da6b3

Please sign in to comment.