[#81492] [Ruby trunk Feature#13618] [PATCH] auto fiber schedule for rb_wait_for_single_fd and rb_waitpid — normalperson@...
Issue #13618 has been reported by normalperson (Eric Wong).
12 messages
2017/06/01
[#88695] Re: [Ruby trunk Feature#13618] [PATCH] auto fiber schedule for rb_wait_for_single_fd and rb_waitpid
— Eric Wong <normalperson@...>
2018/08/27
> https://bugs.ruby-lang.org/issues/13618
[#81569] [Ruby trunk Feature#12589] VM performance improvement proposal — vmakarov@...
Issue #12589 has been updated by vmakarov (Vladimir Makarov).
3 messages
2017/06/04
[#81581] [Ruby trunk Bug#13632] Not processable interrupt queue for a thread after it's notified that FD is closed in some other thread. — sir.nickolas@...
Issue #13632 has been reported by nvashchenko (Nikolay Vashchenko).
4 messages
2017/06/05
[#81590] Re: [ruby-cvs:66197] ko1:r59023 (trunk): revert r59020 because it may fail some tests sometimes on some environment (http://ci.rvm.jp/). This revert is to check the reason of failures. — Eric Wong <normalperson@...>
ko1@ruby-lang.org wrote:
5 messages
2017/06/06
[#81591] Re: [ruby-cvs:66197] ko1:r59023 (trunk): revert r59020 because it may fail some tests sometimes on some environment (http://ci.rvm.jp/). This revert is to check the reason of failures.
— Eric Wong <normalperson@...>
2017/06/06
Eric Wong <normalperson@yhbt.net> wrote:
[#81596] Re: [ruby-cvs:66203] Re: Re: ko1:r59023 (trunk): revert r59020 because it may fail some tests sometimes on some environment (http://ci.rvm.jp/). This revert is to check the reason of failures.
— Eric Wong <normalperson@...>
2017/06/06
Eric Wong <normalperson@yhbt.net> wrote:
[#81825] [Ruby trunk Feature#13697] [PATCH]: futex based thread primitives — normalperson@...
Issue #13697 has been reported by normalperson (Eric Wong).
3 messages
2017/06/29
[ruby-core:81782] [Ruby trunk Feature#13681] Ruby digest init fails in FIPS mode when built against OpenSSL ~> 1.0.1
From:
k@...
Date:
2017-06-27 06:47:52 UTC
List:
ruby-core #81782
Issue #13681 has been updated by rhenium (Kazuki Yamaguchi).
> diff -Nurp old/ext/digest/digest.h new/ext/digest/digest.h
> --- old/ext/digest/digest.h 2017-06-21 12:56:09.007011362 -0400
> +++ new/ext/digest/digest.h 2017-06-21 12:56:32.458975554 -0400
> @@ -31,6 +31,26 @@ typedef struct {
> rb_digest_hash_finish_func_t finish_func;
> } rb_digest_metadata_t;
>
> +#define DEFINE_INIT_FUNC_FOR_EVP(upper_name, lower_name) \
> +int \
> +rb_digest_##upper_name##_evp_init(upper_name##_CTX* ctx) \
> +{ \
> + SSL_load_error_strings(); \
> + EVP_MD_CTX *md_ctx = EVP_MD_CTX_create(); \
> + \
> + if(!EVP_DigestInit_ex(md_ctx, EVP_##lower_name(), NULL)) { \
> + const char *error_message; \
> + EVP_MD_CTX_destroy(md_ctx); \
> + \
> + error_message = ERR_reason_error_string(ERR_peek_last_error()); \
The OpenSSL error queue must be cleared by ERR_clear_error().
> + rb_raise(rb_eRuntimeError, error_message); \
> + } \
> + *ctx = *(upper_name##_CTX*)md_ctx->md_data; \
This won't compile with OpenSSL 1.1.x since EVP_MD_CTX was made opaque.
Also I suspect this approach breaks if an external OpenSSL engine
replaces the default implementation for the algorithm. I think we have
to completely rewrite to use the EVP API only.
> + EVP_MD_CTX_destroy(md_ctx); \
> + \
> + return 1; \
> +}
> +
> #define DEFINE_UPDATE_FUNC_FOR_UINT(name) \
> void \
> rb_digest_##name##_update(void *ctx, unsigned char *ptr, size_t size) \
Another idea: I wonder if it would be possible or desirable to rip out
the OpenSSL backend entirely instead. There would be some performance
degradation, though, people could switch to OpenSSL::Digest of the
'openssl' extension if they really care about. It uses the EVP API and
works as a drop-in replacement (in fact it inherits from Digest::Base).
----------------------------------------
Feature #13681: Ruby digest init fails in FIPS mode when built against OpenSSL ~> 1.0.1
https://bugs.ruby-lang.org/issues/13681#change-65477
* Author: rinzler (Colton Jenkins)
* Status: Open
* Priority: Normal
* Assignee:
* Target version:
----------------------------------------
When FIPS (https://en.wikipedia.org/wiki/FIPS_140-2) is enabled attempting to initialize any digest will kill the process due to https://github.com/openssl/openssl/commit/65300dcfb04bae643ea7b8f42ff8c8f1b1210a9e
Example,
~~~
> require 'digest'
> Digest::MD5.new
md5_dgst.c(75): OpenSSL internal error, assertion failed: Low level API call to digest MD5 forbidden in FIPS mode!
> require 'digest'
> Digest::SHA1.new
sha_locl.h(128): OpenSSL internal error, assertion failed: Low level API call to digest SHA1 forbidden in FIPS mode!
~~~
This patch will redefine alg##_Init to use the EVP interface. This allows the digest initialization to never die, but will fail when using a non FIPS algorithm (MD5).
Example,
~~~
irb(main):002:0> Digest::MD5.new
RuntimeError: disabled for fips
from (irb):2:in `new'
from (irb):2
from /usr/local/bin/irb:11:in `<main>'
irb(main):003:0> Digest::SHA1.new
=> #<Digest::SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709>
~~~
---Files--------------------------------
add_evp_init_to_digests.patch (3.77 KB)
--
https://bugs.ruby-lang.org/
Unsubscribe: <mailto:ruby-core-request@ruby-lang.org?subject=unsubscribe>
<http://lists.ruby-lang.org/cgi-bin/mailman/options/ruby-core>