From: jenkinscolton7@... Date: 2017-06-30T15:43:53+00:00 Subject: [ruby-core:81876] [Ruby trunk Feature#13681] Ruby digest init fails in FIPS mode when built against OpenSSL ~> 1.0.1 Issue #13681 has been updated by rinzler (Colton Jenkins). rhenium (Kazuki Yamaguchi) wrote: > rinzler (Colton Jenkins) wrote: > > > > ```diff > > > > + rb_raise(rb_eRuntimeError, error_message); \ > > > > + } \ > > > > + *ctx = *(upper_name##_CTX*)md_ctx->md_data; \ > > > > > > This won't compile with OpenSSL 1.1.x since `EVP_MD_CTX` was made opaque. > > > > Hasn't it always been opaque? They just moved the struct def from evp.h -> evp_locl.h, but the typedef is still in ossl_typ.h > > crypto/evp/evp_locl.h is not a public header file. -> operator can't be > used against md_ctx. > > > > > > > Also I suspect this approach breaks if an external OpenSSL engine > > > replaces the default implementation for the algorithm. I think we have > > > to completely rewrite to use the EVP API only. > > > > Not sure I follow. Passing NULL for engine skips it? But using EVP api would be ideal. > > Passing NULL as the third argument tells OpenSSL to use the 'default > implementation', which can be changed at runtime by an > ENGINE_set_default*() function call by another C extension (such as > openssl). I think I'll move forward with adding in the above recommendations and place a condition for OPENSSL_VERSION < 1.1. Given FOM 3.0 is still up in the air (https://www.safelogic.com/openssl-1-1-update/) this would only be needed with 1.0.x anyhow. I'll update the patch. ---------------------------------------- Feature #13681: Ruby digest init fails in FIPS mode when built against OpenSSL ~> 1.0.1 https://bugs.ruby-lang.org/issues/13681#change-65605 * Author: rinzler (Colton Jenkins) * Status: Open * Priority: Normal * Assignee: * Target version: ---------------------------------------- When FIPS (https://en.wikipedia.org/wiki/FIPS_140-2) is enabled attempting to initialize any digest will kill the process due to https://github.com/openssl/openssl/commit/65300dcfb04bae643ea7b8f42ff8c8f1b1210a9e Example, ~~~ > require 'digest' > Digest::MD5.new md5_dgst.c(75): OpenSSL internal error, assertion failed: Low level API call to digest MD5 forbidden in FIPS mode! > require 'digest' > Digest::SHA1.new sha_locl.h(128): OpenSSL internal error, assertion failed: Low level API call to digest SHA1 forbidden in FIPS mode! ~~~ This patch will redefine alg##_Init to use the EVP interface. This allows the digest initialization to never die, but will fail when using a non FIPS algorithm (MD5). Example, ~~~ irb(main):002:0> Digest::MD5.new RuntimeError: disabled for fips from (irb):2:in `new' from (irb):2 from /usr/local/bin/irb:11:in `

' irb(main):003:0> Digest::SHA1.new => # ~~~ ---Files-------------------------------- add_evp_init_to_digests.patch (3.77 KB) -- https://bugs.ruby-lang.org/ Unsubscribe: