Nobuyoshi Nakada wrote: > Is EVP API necessary? The EVP API has been recommended over the old digest-specific API for [almost fifteen years](http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=4facdbb5fa9d791fc72dc78b9c3512ea...jared.jennings.ctr (Jared Jennings)
Patch for 1.8.7 is at https://bugzilla.redhat.com/show_bug.cgi?id=802946#c4 (this won't be news to you, Vit, but any other readers of this issue may not know about https://bugzilla.redhat.com/show_bug.cgi?id=802946)jared.jennings.ctr (Jared Jennings)
I've just compared the Debian and CentOS OpenSSL sources, and it looks like large parts of the FIPS functionality in OpenSSL that I've taken for granted are provided in CentOS/RHEL-specific patches. So you may not be able to duplicate th...jared.jennings.ctr (Jared Jennings)
If any credit is given for finding this problem, it belongs to Joseph Yaworski; see https://tickets.puppetlabs.com/browse/PUP-1840.jared.jennings.ctr (Jared Jennings)
Attached are three cumulative patches against source:/trunk@45452. The first, 001-detect-digest-failure, changes the prototypes of digest initialization and finalization functions in the digest extension to return int instead of void;...jared.jennings.ctr (Jared Jennings)
I changed the `rb_digest_hash_init_func` typedef from a return type of `void` to `int`, so that the return value of `MD5_Init` could be checked. I changed digest.c to check the return value of `algo->init_func`, which at the time of the ...jared.jennings.ctr (Jared Jennings)
Now I see that `rb_digest_hash_init_func_t` (source:ext/digest/digest.h@43668#L20) is a typedef for a pointer to a function returning void. This complicates the patch: the typedef must be changed so init functions return an int, and the ...jared.jennings.ctr (Jared Jennings)
This is just like #4944, but in the `digest` extension instead of the `openssl` extension. On my host, which is configured for FIPS 140-2 compliance (this is a U.S. Government security standard), OpenSSL refuses to perform an MD5 chec...jared.jennings.ctr (Jared Jennings)
SHA-1 would work too - for a few years, until it's cryptographically broken enough to no longer be FIPS approved, like MD5 is. But if you could do it without hashing, that would quash the problem forever. Ah - here's why to hash it: h...jared.jennings.ctr (Jared Jennings)
=begin I've got a host configured to be compliant with ((<U.S. Federal Information Processing Standard 140-2|URL:http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf>)) (FIPS 140-2). On this host, the OpenSSL library refuses to...jared.jennings.ctr (Jared Jennings)