The OpenSSL engine of Digest uses the low-level API of OpenSSL, whose
use has been discouraged for years for multiple reasons.

A long-standing issue on a FIPS-enabled system is that using ::Digest
results in crashing the Ruby process, because the low-level API lacks
the mechanism to report an error (the policy violation) and thus kills
the process as a last resort[1][2]. Also, the upcoming OpenSSL 3.0 will
deprecate it for future removal[3]. Compiling with
-Wdeprecated-declarations will start to emit warnings.

A proper fix for this is to make it use the EVP API instead. This is
non-trivial work as it requires backwards-incompatible changes to the
framework interface of Digest::Base and rb_digest_metadata_t.

It has been more than 15 years since the openssl library became part of
the standard library. It has implemented exactly the same functionality
as OpenSSL::Digest, in fact, as a subclass of Digest::Class. There is not
much point in having identical code in the digest library. Let's
just get rid of OpenSSL within digest. This leaves the C implementations
and the CommonCrypto engine for Apple systems.

A patch is being prepared for the openssl library to provide ::Digest
constants for better performance[4].

[1] https://bugs.ruby-lang.org/issues/6946
[2] https://bugs.ruby-lang.org/issues/13681
[3] https://www.openssl.org/docs/OpenSSL300Design.html
[4] https://github.com/ruby/openssl/pull/377

ext/openssl/deprecation.rb has been removed in ext/openssl upstream[1].
It was originally introduced to detect and prevent linking against
Apple's bundled (and very outdated) version of OpenSSL. It is long gone
and the header files do not exist in current versions of macOS.

The dependency in ext/digest was introduced by commit 26e258c807.
Note that the original issue[2] is resolved without this dependency.
The commit also added the pkg_config("openssl") call to match what
ext/openssl does.

[1] https://github.com/ruby/openssl/pull/333
[2] https://bugs.ruby-lang.org/issues/6379

* ext/digest/digest_conf.rb: Support searching various filenames of
OpenSSL/LibreSSL libraries.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@59362 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

* lib/mkmf.rb (create_makefile): store $headers in LOCAL_HDRS for
depend files.
* ext/digest/digest_conf.rb (digest_conf): add implementation
specific headers to $header.
* ext/digest/{md5,rmd160,sha1,sha2}/depend: add LOCAL_HDRS to the
dependencies.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55588 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

OpenSSL's SHA1 struct name is SHA_CTX (which is also used for SHA-0),
but the function name is SHA1_Transform.
http://openssl.org/docs/man0.9.8/crypto/SHA1.html
Also note that LibreSSL 2.3 removes the SHA-0 support but still supports SHA-1.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@52755 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

* ext/digest/digest_conf.rb (digest_conf): check for CommonDigest.
* ext/digest/*/*cc.h: for Apple CommonCrypto/CommonDigest.h.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@49565 b2dd03c8-39d4-4d8f-98ff-823fe69b080e