Move Digest classes to OpenSSL #2236

Merged: 1 commit, Feb 23, 2021
@dbussink dbussink commented Jan 5, 2021

In older Ruby versions, Digest uses legacy OpenSSL APIs to implement the digest methods. These APIs break in some configurations such as FIPS mode enforcement. In the latest Ruby, this was removed (see ruby/ruby#3149), but that means Digest uses the non-OpenSSL implementations. In those same environments that want FIPS enforcement, that is not desired as all crypto operations should be using OpenSSL there.

Another consequence of that change is that the Digest implementations have a slower implementation as the OpenSSL version has hardware acceleration and optimized assembly where available.

In ruby/openssl#377, it is discussed to replace the constants when OpenSSL is loaded. But what is a limiting factor here is that OpenSSL doesn't have the equivalent of Digest::SHA2 (which really ends up computing a SHA256 digest).

So this removes the usage of Digest::SHA2 which is harder to wrap and also switches to use OpenSSL digest directly.
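The mapping described above, as an added example that is not part of the pull request or faker-ruby's code: `Digest::SHA2` is selected by bit length while `OpenSSL::Digest` is selected by algorithm name, so a migration has to translate one into the other and confirm the outputs match. The helper names (`openssl_sha2`, `same_digest?`, `openssl_hexdigest`) and the sample input are assumptions made for illustration.

```ruby
require "digest"
require "digest/sha2"
require "openssl"

# Hypothetical helpers for illustration; not taken from faker-ruby.
# Digest::SHA2 accepts a bit length (256 by default); OpenSSL::Digest wants
# an algorithm name, so the bit length is mapped to a name explicitly.
SHA2_BITLEN_TO_OPENSSL = { 256 => "SHA256", 384 => "SHA384", 512 => "SHA512" }.freeze

def openssl_sha2(bitlen = 256)
  name = SHA2_BITLEN_TO_OPENSSL.fetch(bitlen) do
    raise ArgumentError, "unsupported SHA-2 bit length: #{bitlen}"
  end
  OpenSSL::Digest.new(name)
end

# True when the Digest and OpenSSL implementations agree for this input.
def same_digest?(bitlen, data)
  Digest::SHA2.new(bitlen).hexdigest(data) == openssl_sha2(bitlen).hexdigest(data)
end

# Hash through OpenSSL and report a rejected algorithm instead of crashing,
# which is what a FIPS-enforcing build does for non-approved digests.
def openssl_hexdigest(name, data)
  OpenSSL::Digest.new(name).hexdigest(data)
rescue OpenSSL::OpenSSLError, RuntimeError => e
  "unavailable (#{e.class})"
end

if $PROGRAM_NAME == __FILE__
  sample = "constructed sample input"
  fips = OpenSSL.respond_to?(:fips_mode) ? OpenSSL.fips_mode : "unknown"
  puts "OpenSSL FIPS mode: #{fips}"
  SHA2_BITLEN_TO_OPENSSL.each_key do |bits|
    puts "SHA2(#{bits}) matches OpenSSL: #{same_digest?(bits, sample)}"
  end
  %w[SHA256 SHA1 MD5].each do |name|
    puts "#{name}: #{openssl_hexdigest(name, sample)}"
  end
end
```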

@dbussink
Contributor Author

@vbrazo Any feedback on this?

@koic koic merged commit e75aa3c into faker-ruby:master Feb 23, 2021
@koic
Member

koic commented Feb 23, 2021

Thanks @dbussink!

@vbrazo
Member

vbrazo commented Feb 28, 2021

Thanks @dbussink @koic 👍
