author: Kazuki Yamaguchi, 2020-05-28 00:53:41 +0900
committer: Hiroshi SHIBATA, 2020-12-02 11:09:12 +0900
commit: 2e601c284c9b61c286aa031d91e5198c17b44f00
tree: 8e239b9e7972e6f04a8a4432ba7b59258b5607b7 /ext/digest/sha2/depend
parent: 95bb49d42568802e36b213a7139176dbf9f58672
digest: remove OpenSSL engine

The OpenSSL engine of Digest uses the low-level API of OpenSSL, whose use has been discouraged for years for multiple reasons.

A long-standing issue on a FIPS-enabled system is that using ::Digest results in crashing the Ruby process, because the low-level API lacks the mechanism to report an error (the policy violation) and thus kills the process as a last resort[1][2].

Also, the upcoming OpenSSL 3.0 will deprecate it for future removal[3]. Compiling with -Wdeprecated-declarations will start to emit warnings.

A proper fix for this is to make it use the EVP API instead. This is non-trivial work as it requires backwards-incompatible changes to the framework interface of Digest::Base and rb_digest_metadata_t.

It is more than 15 years ago that the openssl library became part of the standard library. It has implemented exactly the same functionality as OpenSSL::Digest, in fact, as a subclass of Digest::Class. There is not much point in having identical code in the digest library.

Let's just get rid of OpenSSL within digest. This leaves the C implementations and the CommonCrypto engine for Apple systems.

A patch is being prepared for the openssl library to provide ::Digest constants for better performance[4].

[1] [2] [3] [4]
Notes: Merged:
Diffstat (limited to 'ext/digest/sha2/depend')
1 files changed, 0 insertions, 1 deletions
diff --git a/ext/digest/sha2/depend b/ext/digest/sha2/depend
index 7aa445d8a7..d8d265c1ef 100644
--- a/ext/digest/sha2/depend
+++ b/ext/digest/sha2/depend
@@ -328,5 +328,4 @@ sha2init.o: $(hdrdir)/ruby/subst.h
sha2init.o: $(srcdir)/../digest.h
sha2init.o: sha2.h
sha2init.o: sha2init.c
-sha2init.o: sha2ossl.h
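
Review bot: Dropping the `sha2init.o: sha2ossl.h` prerequisite is only safe if sha2init.c no longer includes that header and the header is deleted in the same commit. This view is limited to ext/digest/sha2/depend, so neither can be confirmed from the lines shown. If any `#include "sha2ossl.h"` survives, perhaps behind a preprocessor conditional, make would stop tracking the header and a change to it would not rebuild sha2init.o. Please confirm the include and the header file are gone. Since the commit message says the OpenSSL engine is removed from the whole digest library, also confirm that the equivalent prerequisite lines in the other digest extensions' depend files are removed consistently. The remaining `sha2init.o: sha2.h` and `sha2init.o: $(srcdir)/../digest.h` entries look right for the C implementation that stays.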