summaryrefslogtreecommitdiff
path: root/ext/digest/sha1
diff options
context:
space:
mode:
authorKazuki Yamaguchi <k@rhe.jp>2020-05-28 00:53:41 +0900
committerHiroshi SHIBATA <hsbt@ruby-lang.org>2020-12-02 11:09:12 +0900
commit2e601c284c9b61c286aa031d91e5198c17b44f00 (patch)
tree8e239b9e7972e6f04a8a4432ba7b59258b5607b7 /ext/digest/sha1
parent95bb49d42568802e36b213a7139176dbf9f58672 (diff)
digest: remove OpenSSL engine
The OpenSSL engine of Digest uses the low-level API of OpenSSL, whose use has been discouraged for years for multiple reasons. A long-standing issue on a FIPS-enabled system is that using ::Digest results in crashing the Ruby process, because the low-level API lacks the mechanism to report an error (the policy violation) and thus kills the process as a last resort[1][2]. Also, the upcoming OpenSSL 3.0 will deprecate it for future removal[3]. Compiling with -Wdeprecated-declarations will start to emit warnings. A proper fix for this is to make it use the EVP API instead. This is a non-trivial work as it requires backwards-incompatible changes to the framework interface of Digest::Base and rb_digest_metadata_t. It is more than 15 years ago that the openssl library became part of the standard library. It has implemented the exactly same functionality as OpenSSL::Digest, in fact, as a subclass of Digest::Class. There is not much point in having an identical code in the digest library. Let's just get rid of OpenSSL within digest. This leaves the C implementations and the CommonCrypto engine for Apple systems. A patch is being prepared for the openssl library to provide ::Digest constants for better performance[4]. [1] https://bugs.ruby-lang.org/issues/6946 [2] https://bugs.ruby-lang.org/issues/13681 [3] https://www.openssl.org/docs/OpenSSL300Design.html [4] https://github.com/ruby/openssl/pull/377
Notes
Notes: Merged: https://github.com/ruby/ruby/pull/3149
Diffstat (limited to 'ext/digest/sha1')
-rw-r--r--ext/digest/sha1/depend1
-rw-r--r--ext/digest/sha1/extconf.rb2
-rw-r--r--ext/digest/sha1/sha1init.c4
-rw-r--r--ext/digest/sha1/sha1ossl.h22
4 files changed, 2 insertions, 27 deletions
diff --git a/ext/digest/sha1/depend b/ext/digest/sha1/depend
index f11e9e31f73..3daf84a1375 100644
--- a/ext/digest/sha1/depend
+++ b/ext/digest/sha1/depend
@@ -329,5 +329,4 @@ sha1init.o: $(srcdir)/../defs.h
sha1init.o: $(srcdir)/../digest.h
sha1init.o: sha1.h
sha1init.o: sha1init.c
-sha1init.o: sha1ossl.h
# AUTOGENERATED DEPENDENCIES END
diff --git a/ext/digest/sha1/extconf.rb b/ext/digest/sha1/extconf.rb
index 0ff4158bef3..1e94ba3ef92 100644
--- a/ext/digest/sha1/extconf.rb
+++ b/ext/digest/sha1/extconf.rb
@@ -10,7 +10,7 @@ $defs << "-DHAVE_CONFIG_H"
$objs = [ "sha1init.#{$OBJEXT}" ]
-digest_conf("sha1", "sha", nil, %w[SHA])
+digest_conf("sha1")
have_header("sys/cdefs.h")
diff --git a/ext/digest/sha1/sha1init.c b/ext/digest/sha1/sha1init.c
index 3adf424b1d1..1d201c51fca 100644
--- a/ext/digest/sha1/sha1init.c
+++ b/ext/digest/sha1/sha1init.c
@@ -3,9 +3,7 @@
#include <ruby/ruby.h>
#include "../digest.h"
-#if defined(SHA1_USE_OPENSSL)
-#include "sha1ossl.h"
-#elif defined(SHA1_USE_COMMONDIGEST)
+#if defined(SHA1_USE_COMMONDIGEST)
#include "sha1cc.h"
#else
#include "sha1.h"
diff --git a/ext/digest/sha1/sha1ossl.h b/ext/digest/sha1/sha1ossl.h
deleted file mode 100644
index 599efe9a2fa..00000000000
--- a/ext/digest/sha1/sha1ossl.h
+++ /dev/null
@@ -1,22 +0,0 @@
-/* $Id$ */
-
-#ifndef SHA1OSSL_H_INCLUDED
-#define SHA1OSSL_H_INCLUDED
-
-#include <stddef.h>
-#include <openssl/sha.h>
-
-#define SHA1_CTX SHA_CTX
-
-#ifdef SHA_BLOCK_LENGTH
-#define SHA1_BLOCK_LENGTH SHA_BLOCK_LENGTH
-#else
-#define SHA1_BLOCK_LENGTH SHA_CBLOCK
-#endif
-#define SHA1_DIGEST_LENGTH SHA_DIGEST_LENGTH
-
-static DEFINE_FINISH_FUNC_FROM_FINAL(SHA1)
-#undef SHA1_Finish
-#define SHA1_Finish rb_digest_SHA1_finish
-
-#endif