ruby-core

Issue #13681 has been updated by rinzler (Colton Jenkins).


rhenium (Kazuki Yamaguchi) wrote:
> rinzler (Colton Jenkins) wrote:
> > > > ```diff
> > > > +    rb_raise(rb_eRuntimeError, error_message); \
> > > > +  } \
> > > > +  *ctx = *(upper_name##_CTX*)md_ctx->md_data; \
> > > 
> > > This won't compile with OpenSSL 1.1.x since `EVP_MD_CTX` was made opaque.
> > 
> > Hasn't it always been opaque? They just moved the struct def from evp.h -> evp_locl.h, but the typedef is still in ossl_typ.h
> 
> crypto/evp/evp_locl.h is not a public header file. -> operator can't be
> used against md_ctx.

Ah ok, do you know what will happen to openssl::digest then given it uses the same? Curious if that plans to be refactored upon 1.1.x I could do the same with this. If not then this doesn't make much sense.
> 
> > > 
> > > Also I suspect this approach breaks if an external OpenSSL engine
> > > replaces the default implementation for the algorithm. I think we have
> > > to completely rewrite to use the EVP API only.
> > 
> > Not sure I follow. Passing NULL for engine skips it? But using EVP api would be ideal.
> 
> Passing NULL as the third argument tells OpenSSL to use the 'default
> implementation', which can be changed at runtime by an
> ENGINE_set_default*() function call by another C extension (such as
> openssl).

It is beginning to sound like this shouldn't be used and decoupling digest from openssl is a better way forward?
I'll probably continue to use this patch locally given our customers are desiring FIPS and rewriting all gems is a very large undertaking, but curious of your thoughts?


----------------------------------------
Feature #13681: Ruby digest init fails in FIPS mode when built against OpenSSL ~> 1.0.1
https://bugs.ruby-lang.org/issues/13681#change-65505

* Author: rinzler (Colton Jenkins)
* Status: Open
* Priority: Normal
* Assignee: 
* Target version: 
----------------------------------------
When FIPS (https://en.wikipedia.org/wiki/FIPS_140-2) is enabled attempting to initialize any digest will kill the process due to https://github.com/openssl/openssl/commit/65300dcfb04bae643ea7b8f42ff8c8f1b1210a9e

Example,

~~~
> require 'digest'
> Digest::MD5.new
md5_dgst.c(75): OpenSSL internal error, assertion failed: Low level API call to digest MD5 forbidden in FIPS mode!

> require 'digest'
> Digest::SHA1.new
sha_locl.h(128): OpenSSL internal error, assertion failed: Low level API call to digest SHA1 forbidden in FIPS mode!
~~~

This patch will redefine alg##_Init to use the EVP interface. This allows the digest initialization to never die, but will fail when using a non FIPS algorithm (MD5).

Example,

~~~
irb(main):002:0> Digest::MD5.new
RuntimeError: disabled for fips
	from (irb):2:in `new'
	from (irb):2
	from /usr/local/bin/irb:11:in `<main>'
irb(main):003:0> Digest::SHA1.new
=> #<Digest::SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709>
~~~

---Files--------------------------------
add_evp_init_to_digests.patch (3.77 KB)


-- 
https://bugs.ruby-lang.org/

Unsubscribe: <mailto:ruby-core-request@ruby-lang.org?subject=unsubscribe>
<http://lists.ruby-lang.org/cgi-bin/mailman/options/ruby-core>