The OpenSSL engine of Digest uses the low-level API of OpenSSL, whose
use has been discouraged for years for multiple reasons.
A long-standing issue on a FIPS-enabled system is that using ::Digest
results in crashing the Ruby process, because the low-level API lacks
the mechanism to report an error (the policy violation) and thus kills
the process as a last resort[1][2]. Also, the upcoming OpenSSL 3.0 will
deprecate it for future removal[3]. Compiling with
-Wdeprecated-declarations will start to emit warnings.
A proper fix for this is to make it use the EVP API instead. This is a
non-trivial work as it requires backwards-incompatible changes to the
framework interface of Digest::Base and rb_digest_metadata_t.
It is more than 15 years ago that the openssl library became part of the
standard library. It has implemented the exactly same functionality as
OpenSSL::Digest, in fact, as a subclass of Digest::Class. There is not
much point in having an identical code in the digest library. Let's
just get rid of OpenSSL within digest. This leaves the C implementations
and the CommonCrypto engine for Apple systems.
A patch is being prepared for the openssl library to provide ::Digest
constants for better performance[4].
[1] https://bugs.ruby-lang.org/issues/6946
[2] https://bugs.ruby-lang.org/issues/13681
[3] https://www.openssl.org/docs/OpenSSL300Design.html
[4] https://github.com/ruby/openssl/pull/377
* lib/mkmf.rb (create_makefile): store $headers in LOCAL_HDRS for
depend files.
* ext/digest/digest_conf.rb (digest_conf): add implementation
specific headers to $header.
* ext/digest/{md5,rmd160,sha1,sha2}/depend: add LOCAL_HDRS to the
dependencies.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55588 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
hash_final_func_t was inconsistent with others, change it and
rename to hash_finish_func_t to avoid confusion.
* ext/digest/digest.[ch]: Remove and eliminate the use of
hash_end_func_t. Implement hexdigest conversion in the base
class.
* ext/digest/md5/md5.c, ext/digest/md5/md5.h,
ext/digest/md5/md5init.c, ext/digest/md5/md5ossl.c,
ext/digest/md5/md5ossl.h: Remove MD5_End() and change
MD5_Final() to MD5_Finish().
* ext/digest/rmd160/depend, ext/digest/rmd160/extconf.rb,
ext/digest/rmd160/rmd160.c, ext/digest/rmd160/rmd160.h,
ext/digest/rmd160/rmd160hl.c, ext/digest/rmd160/rmd160init.c,
ext/digest/rmd160/rmd160ossl.c, ext/digest/rmd160/rmd160ossl.h:
Remove unused functions RMD160_End(), RMD160_File(),
RMD160_Data() and change RMD160_Final() to RMD160_Finish().
* ext/digest/sha1/extconf.rb, ext/digest/sha1/sha1.c,
ext/digest/sha1/sha1.h, ext/digest/sha1/sha1hl.c,
ext/digest/sha1/sha1init.c, ext/digest/sha1/sha1ossl.c,
ext/digest/sha1/sha1ossl.h: Likewise.
* ext/digest/sha2/extconf.rb, ext/digest/sha2/sha2.c,
ext/digest/sha2/sha2.h, ext/digest/sha2/sha2hl.c,
ext/digest/sha2/sha2init.c: Likewise.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@11086 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
is much faster than what we have now (rmd160.[ch]). Add a knob
(--with-bundled-rmd160) to extconf.rb which makes it use the
bundled one anyway.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@2894 b2dd03c8-39d4-4d8f-98ff-823fe69b080e