path: root/ext/digest/rmd160/extconf.rb
diff options
authorKazuki Yamaguchi <>2020-05-28 00:53:41 +0900
committerHiroshi SHIBATA <>2020-12-02 11:09:12 +0900
commit2e601c284c9b61c286aa031d91e5198c17b44f00 (patch)
tree8e239b9e7972e6f04a8a4432ba7b59258b5607b7 /ext/digest/rmd160/extconf.rb
parent95bb49d42568802e36b213a7139176dbf9f58672 (diff)
digest: remove OpenSSL engine
The OpenSSL engine of Digest uses the low-level API of OpenSSL, whose use has been discouraged for years for multiple reasons. A long-standing issue on a FIPS-enabled system is that using ::Digest results in crashing the Ruby process, because the low-level API lacks the mechanism to report an error (the policy violation) and thus kills the process as a last resort[1][2]. Also, the upcoming OpenSSL 3.0 will deprecate it for future removal[3]. Compiling with -Wdeprecated-declarations will start to emit warnings. A proper fix for this is to make it use the EVP API instead. This is a non-trivial work as it requires backwards-incompatible changes to the framework interface of Digest::Base and rb_digest_metadata_t. It is more than 15 years ago that the openssl library became part of the standard library. It has implemented the exactly same functionality as OpenSSL::Digest, in fact, as a subclass of Digest::Class. There is not much point in having an identical code in the digest library. Let's just get rid of OpenSSL within digest. This leaves the C implementations and the CommonCrypto engine for Apple systems. A patch is being prepared for the openssl library to provide ::Digest constants for better performance[4]. [1] [2] [3] [4]
Notes: Merged:
Diffstat (limited to 'ext/digest/rmd160/extconf.rb')
1 files changed, 1 insertions, 1 deletions
diff --git a/ext/digest/rmd160/extconf.rb b/ext/digest/rmd160/extconf.rb
index a02ba56169..ffa70ee803 100644
--- a/ext/digest/rmd160/extconf.rb
+++ b/ext/digest/rmd160/extconf.rb
@@ -10,7 +10,7 @@ $defs << "-DNDEBUG" << "-DHAVE_CONFIG_H"
$objs = [ "rmd160init.#{$OBJEXT}" ]
-digest_conf("rmd160", "ripemd", "RIPEMD160")