From: nobu@... Date: 2017-06-27T07:15:52+00:00 Subject: [ruby-core:81783] [Ruby trunk Feature#13681] Ruby digest init fails in FIPS mode when built against OpenSSL ~> 1.0.1 Issue #13681 has been updated by nobu (Nobuyoshi Nakada). rhenium (Kazuki Yamaguchi) wrote: > > ```diff > > + error_message = ERR_reason_error_string(ERR_peek_last_error()); \ > > + rb_raise(rb_eRuntimeError, error_message); \ Just a note, this causes -Wformat-security "format string is not a string literal (potentially insecure)" warnings. And probably `EVP_MD_CTX_`* functions need to be checked in `ext/digest/digest_conf.rb`. ---------------------------------------- Feature #13681: Ruby digest init fails in FIPS mode when built against OpenSSL ~> 1.0.1 https://bugs.ruby-lang.org/issues/13681#change-65479 * Author: rinzler (Colton Jenkins) * Status: Open * Priority: Normal * Assignee: * Target version: ---------------------------------------- When FIPS (https://en.wikipedia.org/wiki/FIPS_140-2) is enabled attempting to initialize any digest will kill the process due to https://github.com/openssl/openssl/commit/65300dcfb04bae643ea7b8f42ff8c8f1b1210a9e Example, ~~~ > require 'digest' > Digest::MD5.new md5_dgst.c(75): OpenSSL internal error, assertion failed: Low level API call to digest MD5 forbidden in FIPS mode! > require 'digest' > Digest::SHA1.new sha_locl.h(128): OpenSSL internal error, assertion failed: Low level API call to digest SHA1 forbidden in FIPS mode! ~~~ This patch will redefine alg##_Init to use the EVP interface. This allows the digest initialization to never die, but will fail when using a non FIPS algorithm (MD5). Example, ~~~ irb(main):002:0> Digest::MD5.new RuntimeError: disabled for fips from (irb):2:in `new' from (irb):2 from /usr/local/bin/irb:11:in `
' irb(main):003:0> Digest::SHA1.new => # ~~~ ---Files-------------------------------- add_evp_init_to_digests.patch (3.77 KB) -- https://bugs.ruby-lang.org/ Unsubscribe: