From 2e601c284c9b61c286aa031d91e5198c17b44f00 Mon Sep 17 00:00:00 2001
From: Kazuki Yamaguchi
Date: Thu, 28 May 2020 00:53:41 +0900
Subject: digest: remove OpenSSL engine

The OpenSSL engine of Digest uses the low-level API of OpenSSL, whose use has been discouraged for years for multiple reasons.

A long-standing issue on a FIPS-enabled system is that using ::Digest results in crashing the Ruby process, because the low-level API lacks the mechanism to report an error (the policy violation) and thus kills the process as a last resort[1][2].

Also, the upcoming OpenSSL 3.0 will deprecate it for future removal[3]. Compiling with -Wdeprecated-declarations will start to emit warnings.

A proper fix for this is to make it use the EVP API instead. This is non-trivial work as it requires backwards-incompatible changes to the framework interface of Digest::Base and rb_digest_metadata_t.

It has been more than 15 years since the openssl library became part of the standard library. It has implemented exactly the same functionality as OpenSSL::Digest, in fact, as a subclass of Digest::Class. There is not much point in having identical code in the digest library.

Let's just get rid of OpenSSL within digest. This leaves the C implementations and the CommonCrypto engine for Apple systems. A patch is being prepared for the openssl library to provide ::Digest constants for better performance[4].

[1] https://bugs.ruby-lang.org/issues/6946
[2] https://bugs.ruby-lang.org/issues/13681
[3] https://www.openssl.org/docs/OpenSSL300Design.html
[4] https://github.com/ruby/openssl/pull/377
---
 ext/digest/sha1/sha1ossl.h | 22 ----------------------
 1 file changed, 22 deletions(-)
 delete mode 100644 ext/digest/sha1/sha1ossl.h

(limited to 'ext/digest/sha1/sha1ossl.h')
diff --git a/ext/digest/sha1/sha1ossl.h b/ext/digest/sha1/sha1ossl.h deleted file mode 100644 index 599efe9a2f..0000000000 --- a/ext/digest/sha1/sha1ossl.h +++ /dev/null @@ -1,22 +0,0 @@ -/* $Id$ */ - -#ifndef SHA1OSSL_H_INCLUDED -#define SHA1OSSL_H_INCLUDED - -#include -#include - -#define SHA1_CTX SHA_CTX - -#ifdef SHA_BLOCK_LENGTH -#define SHA1_BLOCK_LENGTH SHA_BLOCK_LENGTH -#else -#define SHA1_BLOCK_LENGTH SHA_CBLOCK -#endif -#define SHA1_DIGEST_LENGTH SHA_DIGEST_LENGTH - -static DEFINE_FINISH_FUNC_FROM_FINAL(SHA1) -#undef SHA1_Finish -#define SHA1_Finish rb_digest_SHA1_finish - -#endif -- cgit v1.2.3
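Review bot: With the `#define SHA1_CTX SHA_CTX` mapping and the `SHA1_Finish` override deleted along with the rest of sha1ossl.h, nothing visible here shows the matching cleanup of whatever includes this header or selects it at build time. Because the view is limited to this one file, confirm that the same commit removes those references, so the build never looks for a header that no longer exists. The commit message also says this leaves the C implementations and the CommonCrypto engine, which means ::Digest SHA1 on a FIPS-enabled system will now be computed outside OpenSSL's policy enforcement rather than aborting the process. That behaviour change deserves a changelog or documentation line pointing users who need policy-compliant hashing to OpenSSL::Digest.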