From 9f5961939dd859ff3c4567312d430656d602e320 Mon Sep 17 00:00:00 2001
From: Kazunori Kimura
Date: Tue, 30 Jan 2024 12:17:18 +0900
Subject: [PATCH] Allow patching Ruby, add patch for lib/securernadom.rb Backport: fix behavior of `SecureRandom.gen_random_openssl(n)` commit: https://github.com/ruby/ruby/commit/64e503eb62aff0952b655e9a86217e355f786146 This has been merged into the Ruby 3.3 release, but Ruby (at least) 3.0 and later are affected by the issues fixed by this commit.
---
 assets/build/install.sh | 4 ++
 .../0001-avoid-seeding_until-ruby3.3.0.patch | 45 +++++++++++++++++++
 2 files changed, 49 insertions(+)
 create mode 100644 assets/build/patches/ruby/0001-avoid-seeding_until-ruby3.3.0.patch
diff --git a/assets/build/install.sh b/assets/build/install.sh
index 37fb485b..31a23b69 100755
--- a/assets/build/install.sh
+++ b/assets/build/install.sh
@@ -47,6 +47,10 @@ mkdir /tmp/ruby && cd /tmp/ruby
 curl --remote-name -Ss "${RUBY_SRC_URL}"
 printf '%s ruby-%s.tar.gz' "${RUBY_SOURCE_SHA256SUM}" "${RUBY_VERSION}" | sha256sum -c -
 tar xzf ruby-"${RUBY_VERSION}".tar.gz && cd ruby-"${RUBY_VERSION}"
+find "${GITLAB_BUILD_DIR}/patches/ruby" -name "*.patch" | while read -r patch_file; do
+ echo "Applying patch ${patch_file}"
+ patch -p1 -i "${patch_file}"
+done
 ./configure --disable-install-rdoc --enable-shared
 make -j"$(nproc)"
 make install
diff --git a/assets/build/patches/ruby/0001-avoid-seeding_until-ruby3.3.0.patch b/assets/build/patches/ruby/0001-avoid-seeding_until-ruby3.3.0.patch
new file mode 100644
index 00000000..5fd7dcbe
--- /dev/null
+++ b/assets/build/patches/ruby/0001-avoid-seeding_until-ruby3.3.0.patch
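Review bot: `patch` inside the `while read` loop shares stdin with the `find` pipe, so if it ever prompts (for example on a reversed or already-applied patch once `RUBY_VERSION` is bumped to 3.3, where this backport is already upstream) the answer is read from the remaining file names and those patches are silently skipped; run it as `patch -p1 -i "${patch_file}" < /dev/null` and add `| sort` after `find` so the numbered patches apply in a deterministic order. The `_until-ruby3.3.0` bound encoded in the file name is not enforced anywhere in this hunk; either gate the loop on `RUBY_VERSION` or put a comment above it such as `# patches/ruby must be emptied when RUBY_VERSION is bumped past the range each patch targets`. Whether a failing `patch` aborts the build depends on the `set -e`/`pipefail` settings earlier in install.sh, which are outside this hunk.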
@@ -0,0 +1,45 @@
+From 64e503eb62aff0952b655e9a86217e355f786146 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=E5=8D=9C=E9=83=A8=E6=98=8C=E5=B9=B3?=
+
+Date: Thu, 13 Apr 2023 15:36:24 +0900
+Subject: [PATCH] avoid seeding
+
+OpenSSL's man page previously stated that "the application is
+responsible for seeding the PRNG by calling RAND_add" (see [1]).
+So we had this code. However things changed. They no longer
+say so, instead "manual (re-)seeding of the default OpenSSL
+random generator is not necessary" now (see [2]). It seems all
+OpenSSL versions that we support now already behaves like this.
+Let's follow that.
+
+[1]: https://www.openssl.org/docs/man1.0.2/man3/RAND_add.html
+[2]: https://www.openssl.org/docs/manmaster/man3/RAND_add.html
+---
+ lib/securerandom.rb | 11 -----------
+ 1 file changed, 11 deletions(-)
+
+diff --git a/lib/securerandom.rb b/lib/securerandom.rb
+index 07ae048634..c5be6ce734 100644
+--- a/lib/securerandom.rb
++++ b/lib/securerandom.rb
+@@ -47,17 +47,6 @@ def bytes(n)
+ private
+
+ def gen_random_openssl(n)
+- @pid = 0 unless defined?(@pid)
+- pid = $$
+- unless @pid == pid
+- now = Process.clock_gettime(Process::CLOCK_REALTIME, :nanosecond)
+- OpenSSL::Random.random_add([now, @pid, pid].join(""), 0.0)
+- seed = Random.urandom(16)
+- if (seed)
+- OpenSSL::Random.random_add(seed, 16)
+- end
+- @pid = pid
+- end
+ return OpenSSL::Random.random_bytes(n)
+ end
+
+--
+2.43.0.windows.1
+
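Review bot: The backported hunk drops the per-pid reseed (`Random.urandom(16)` fed through `OpenSSL::Random.random_add` when `$$` changes), so distinct output of `OpenSSL::Random.random_bytes(n)` across forked workers now rests entirely on the linked OpenSSL's own fork handling; that is the premise of the upstream message, but nothing in this commit states which OpenSSL the image links against, so add a sentence to the outer commit description (or a README beside the patch) naming the minimum OpenSSL version the build assumes. The `From:` header's continuation line (the bare `+` after the encoded author name) carries no address in this view, which may be a rendering artifact; confirm the stored file matches upstream commit 64e503eb byte for byte so provenance of the vendored patch stays checkable. The hunk offsets (`@@ -47,17 +47,6 @@`) target the 3.3-dev `lib/securerandom.rb`; confirm `patch` applies without fuzz against the pinned `RUBY_VERSION`, since a silently mis-placed hunk in a CSPRNG wrapper is worse than a failed build.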