Issue #13681 has been updated by rhenium (Kazuki Yamaguchi).


rinzler (Colton Jenkins) wrote:
> > > ```diff
> > > +    rb_raise(rb_eRuntimeError, error_message); \
> > > +  } \
> > > +  *ctx = *(upper_name##_CTX*)md_ctx->md_data; \
> > 
> > This won't compile with OpenSSL 1.1.x since `EVP_MD_CTX` was made opaque.
> 
> Hasn't it always been opaque? They just moved the struct def from evp.h -> evp_locl.h, but the typedef is still in ossl_typ.h

crypto/evp/evp_locl.h is not a public header file. -> operator can't be
used against md_ctx.

> > 
> > Also I suspect this approach breaks if an external OpenSSL engine
> > replaces the default implementation for the algorithm. I think we have
> > to completely rewrite to use the EVP API only.
> 
> Not sure I follow. Passing NULL for engine skips it? But using EVP api would be ideal.

Passing NULL as the third argument tells OpenSSL to use the 'default
implementation', which can be changed at runtime by an
ENGINE_set_default*() function call by another C extension (such as
openssl).


----------------------------------------
Feature #13681: Ruby digest init fails in FIPS mode when built against OpenSSL ~> 1.0.1
https://bugs.ruby-lang.org/issues/13681#change-65483

* Author: rinzler (Colton Jenkins)
* Status: Open
* Priority: Normal
* Assignee: 
* Target version: 
----------------------------------------
When FIPS (https://en.wikipedia.org/wiki/FIPS_140-2) is enabled attempting to initialize any digest will kill the process due to https://github.com/openssl/openssl/commit/65300dcfb04bae643ea7b8f42ff8c8f1b1210a9e

Example,

~~~
> require 'digest'
> Digest::MD5.new
md5_dgst.c(75): OpenSSL internal error, assertion failed: Low level API call to digest MD5 forbidden in FIPS mode!

> require 'digest'
> Digest::SHA1.new
sha_locl.h(128): OpenSSL internal error, assertion failed: Low level API call to digest SHA1 forbidden in FIPS mode!
~~~

This patch will redefine alg##_Init to use the EVP interface. This allows the digest initialization to never die, but will fail when using a non FIPS algorithm (MD5).

Example,

~~~
irb(main):002:0> Digest::MD5.new
RuntimeError: disabled for fips
	from (irb):2:in `new'
	from (irb):2
	from /usr/local/bin/irb:11:in `<main>'
irb(main):003:0> Digest::SHA1.new
=> #<Digest::SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709>
~~~

---Files--------------------------------
add_evp_init_to_digests.patch (3.77 KB)


-- 
https://bugs.ruby-lang.org/

Unsubscribe: <mailto:ruby-core-request / ruby-lang.org?subject=unsubscribe>
<http://lists.ruby-lang.org/cgi-bin/mailman/options/ruby-core>