FIPS again... #750

Open
cwjenkins opened this issue Jul 19, 2022 · 0 comments

Summary

If the decision to switch to SHA256 was over FIPS then the other caveat that often gets overlooked is the use of ruby's Digest class.
When ruby is built against openssl, the Digest class no longer uses the internal implementation, but rather openssl's old API. When using the old openssl API with FIPS enabled (OpenSSL.fips_mode -> true), openssl will panic/abort with...

sha256.c(34): OpenSSL internal error, assertion failed: Low level API call to digest SHA256 forbidden in FIPS mode!

even though you are using a FIPS supported algorithm. This is due to the fact that the piece of code that has been validated by NIST doesn't leverage the old API.

Using OpenSSL::Digest class however uses the new API (EVP interface) which allows crypto in a FIPS environment.

Note, rhemium has since pulled the openssl bindings from digest in ruby 3 due to the inconvenience it causes
ruby/ruby@2e601c2

Potential Solution

# some place in digest_utils
if defined?(::OpenSSL) && OpenSSL.fips_mode
  digest_mod = ::OpenSSL::Digest
else
  digest_mod = ::Digest
end

# rewrite explicit references to ::Digest

Last related issue

#725
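
A runnable version of the selection proposed above, added here as an example and not taken from the issue or the project. The module name `FipsAwareDigest`, its method names and the `fips:` override are assumptions; the override exists only so both backends can be exercised and compared on a machine that is not in FIPS mode.

```ruby
require "digest"

begin
  require "openssl"
rescue LoadError
  # Ruby built without the openssl extension: only ::Digest is usable.
end

# FipsAwareDigest is a hypothetical name used for this example only.
module FipsAwareDigest
  module_function

  # True only if the openssl extension is loaded and reports FIPS mode.
  def fips_mode?
    return false unless defined?(::OpenSSL)
    ::OpenSSL.fips_mode ? true : false
  end

  # Namespace to resolve SHA256 from. OpenSSL::Digest goes through the
  # EVP interface, which is the path the issue says FIPS mode permits.
  def digest_namespace(fips: fips_mode?)
    fips ? ::OpenSSL::Digest : ::Digest
  end

  # One-shot hashing: both namespaces expose SHA256.hexdigest(data).
  def sha256_hex(data, fips: fips_mode?)
    digest_namespace(fips: fips)::SHA256.hexdigest(data)
  end

  # Incremental hashing: both backends accept << and hexdigest,
  # so callers that stream data need no other changes.
  def sha256_hex_chunks(chunks, fips: fips_mode?)
    digest = digest_namespace(fips: fips)::SHA256.new
    chunks.each { |chunk| digest << chunk }
    digest.hexdigest
  end
end

# Constructed sample input, not data from the issue.
CONSTRUCTED_INPUT = "abc"
FipsAwareDigest.sha256_hex(CONSTRUCTED_INPUT)
```

Because both namespaces produce identical output for the same input, switching backends under FIPS does not change any stored or compared digest values.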
