diff options
author | Kazuki Yamaguchi <k@rhe.jp> | 2020-05-28 00:53:41 +0900 |
---|---|---|
committer | Hiroshi SHIBATA <hsbt@ruby-lang.org> | 2020-12-02 11:09:12 +0900 |
commit | 2e601c284c9b61c286aa031d91e5198c17b44f00 (patch) | |
tree | 8e239b9e7972e6f04a8a4432ba7b59258b5607b7 /ext/digest/rmd160/rmd160init.c | |
parent | 95bb49d42568802e36b213a7139176dbf9f58672 (diff) | |
download | ruby-2e601c284c9b61c286aa031d91e5198c17b44f00.tar.gz |
digest: remove OpenSSL engine
The OpenSSL engine of Digest uses the low-level API of OpenSSL, whose
use has been discouraged for years for multiple reasons.
A long-standing issue on a FIPS-enabled system is that using ::Digest
results in crashing the Ruby process, because the low-level API lacks
the mechanism to report an error (the policy violation) and thus kills
the process as a last resort[1][2]. Also, the upcoming OpenSSL 3.0 will
deprecate it for future removal[3]. Compiling with
-Wdeprecated-declarations will start to emit warnings.
A proper fix for this is to make it use the EVP API instead. This is a
non-trivial work as it requires backwards-incompatible changes to the
framework interface of Digest::Base and rb_digest_metadata_t.
It is more than 15 years ago that the openssl library became part of the
standard library. It has implemented the exactly same functionality as
OpenSSL::Digest, in fact, as a subclass of Digest::Class. There is not
much point in having an identical code in the digest library. Let's
just get rid of OpenSSL within digest. This leaves the C implementations
and the CommonCrypto engine for Apple systems.
A patch is being prepared for the openssl library to provide ::Digest
constants for better performance[4].
[1] https://bugs.ruby-lang.org/issues/6946
[2] https://bugs.ruby-lang.org/issues/13681
[3] https://www.openssl.org/docs/OpenSSL300Design.html
[4] https://github.com/ruby/openssl/pull/377
Diffstat (limited to 'ext/digest/rmd160/rmd160init.c')
-rw-r--r-- | ext/digest/rmd160/rmd160init.c | 4 |
1 files changed, 0 insertions, 4 deletions
diff --git a/ext/digest/rmd160/rmd160init.c b/ext/digest/rmd160/rmd160init.c index a2c0a023c0..2c44d83df6 100644 --- a/ext/digest/rmd160/rmd160init.c +++ b/ext/digest/rmd160/rmd160init.c @@ -3,11 +3,7 @@ #include <ruby/ruby.h> #include "../digest.h" -#if defined(RMD160_USE_OPENSSL) -#include "rmd160ossl.h" -#else #include "rmd160.h" -#endif static const rb_digest_metadata_t rmd160 = { RUBY_DIGEST_API_VERSION, |