Feature #13681

Ruby digest init fails in FIPS mode when built against OpenSSL ~> 1.0.1

Added by rinzler (Colton Jenkins) over 4 years ago. Updated over 4 years ago.

Status: Open
Priority: Normal
Assignee: -
Target version: -
[ruby-core:81776]

Description

When FIPS (https://en.wikipedia.org/wiki/FIPS_140-2) is enabled, attempting to initialize any digest will kill the process due to https://github.com/openssl/openssl/commit/65300dcfb04bae643ea7b8f42ff8c8f1b1210a9e

Example:

> require 'digest'
> Digest::MD5.new
md5_dgst.c(75): OpenSSL internal error, assertion failed: Low level API call to digest MD5 forbidden in FIPS mode!

> require 'digest'
> Digest::SHA1.new
sha_locl.h(128): OpenSSL internal error, assertion failed: Low level API call to digest SHA1 forbidden in FIPS mode!

This patch will redefine alg##_Init to use the EVP interface. This allows the digest initialization to never die, but it will fail when using a non-FIPS algorithm (MD5).

Example:

irb(main):002:0> Digest::MD5.new
RuntimeError: disabled for fips
    from (irb):2:in `new'
    from (irb):2
    from /usr/local/bin/irb:11:in `<main>'
irb(main):003:0> Digest::SHA1.new
=> #<Digest::SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709>

Files

add_evp_init_to_digests.patch (3.77 KB), rinzler (Colton Jenkins), 06/27/2017 02:26 AM
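
Added example, not part of the original report or the attached patch: since an unpatched build kills the whole process on `Digest::MD5.new`, a caller can probe each digest in a child interpreter and classify the outcome before using it. The names `CANDIDATES`, `CHILD_SCRIPT`, `classify`, `probe_digest` and `usable_digests` are hypothetical, and the `:aborted` case assumes the OpenSSL assertion failure ends the child with a signal.

```ruby
require 'open3'
require 'rbconfig'

# Fixed allow-list of digest classes to probe, so no arbitrary constant is resolved.
CANDIDATES = %w[MD5 SHA1 SHA256].freeze

# Script run in the child: resolve Digest::<name> and instantiate it, nothing else.
CHILD_SCRIPT = 'Digest.const_get(ARGV.fetch(0)).new'

# Map the child's exit state to an outcome.
#   :ok            - the digest initialized
#   :aborted       - the child was killed by a signal (assumed result of the
#                    "Low level API call ... forbidden in FIPS mode!" assertion)
#   :fips_rejected - the child raised the "disabled for fips" error shown in the report
#   :error         - any other failure
def classify(success, signaled, output)
  return :ok if success
  return :aborted if signaled
  output.include?('disabled for fips') ? :fips_rejected : :error
end

# Initialize one digest in a separate interpreter so that an abort cannot
# take down the calling process.
def probe_digest(name)
  raise ArgumentError, "unknown digest #{name}" unless CANDIDATES.include?(name)

  output, status = Open3.capture2e(RbConfig.ruby, '-rdigest', '-e', CHILD_SCRIPT, name)
  classify(status.success?, status.signaled?, output)
end

# Digests that are safe to instantiate in the current process.
def usable_digests
  CANDIDATES.select { |name| probe_digest(name) == :ok }
end

if __FILE__ == $PROGRAM_NAME
  CANDIDATES.each { |name| puts "#{name}: #{probe_digest(name)}" }
end
```
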