Lookup ciphers programatically. #304
Milestone
Comments
This is what OpenSSL::Digest.new("digest-algo-name") currently does. I agree with this idea in general. It's hard to maintain those constants for specific algorithms (as in lib/openssl/digest.rb) up to date, and I also think we should be agnostic on the algorithms. The same goes for OpenSSL::Cipher. |
|
I think this can be closed now #362 is merged? |
|
Yes, thanks for your work! |
This was referenced May 10, 2020
vipulnsward
added a commit
to vipulnsward/rails
that referenced
this issue
Jun 1, 2020
…tring.
Before:
Digest::UUID.uuid_from_hash(Digest::SHA1, Digest::UUID::OID_NAMESPACE, "1.2.3")
# => "42d5e23b-3a02-5135-85c6-52d1102f1f00"
After:
Digest::UUID.uuid_from_hash("SHA1", Digest::UUID::OID_NAMESPACE, "1.2.3")
# => "42d5e23b-3a02-5135-85c6-52d1102f1f00"
Related discussions:
ruby/openssl#362
ruby/openssl#304
rails#39410 (comment)
vipulnsward
added a commit
to vipulnsward/rails
that referenced
this issue
Jun 7, 2020
…cated in favour of String.
Before:
ActiveSupport::Digest.hash_digest_class = OpenSSL::Digest::SHA256
After:
ActiveSupport::Digest.hash_digest_class = "SHA256"
Related discussions:
ruby/openssl#362
ruby/openssl#304
rails#39410
Sibling PR: rails#39504
vipulnsward
added a commit
to vipulnsward/rails
that referenced
this issue
Jun 28, 2020
More information here: https://bugs.ruby-lang.org/issues/13681 openssl/openssl@65300dc From OpenSSL Changelog which is hard to link: h ttps://github.com/openssl/openssl/blob/ccb8f0c87eb28d55a6607504f2fbf1be94836c49/CHANGES.md#L5106 > Experimental multi-implementation support for FIPS capable OpenSSL. When in FIPS mode the approved implementations are used as normal, when not in FIPS mode the internal unapproved versions are used instead. This means that the FIPS capable OpenSSL isn't forced to use the (often lower performance) FIPS implementations outside FIPS mode. > Steve Henson So the issue is on Ruby's internal version we don't have a gradual fallback. But using the openssl version > 1.0.1l and 1.0.2, openssl uses internal implementation to maintain FIPS compat One concern to move to OpenSSL::Digest could be that top level ::Digest is ruby implementation and not OpenSLL, but given we use the OpenSSL versions all over, I think its save to move to use OpenSSL versions at remaining places Migrate all non-OpenSSL digest class references to OpenSSL versions Import openssl instead of digest variants on all files OpenSSL::Digest::SHA2 => OpenSSL::Digest::SHA256 Use the preferred ways of initializing Digest classes or use toplevel class methods instead of algorithm constants in Digest class Details: ruby/openssl#304 ruby/openssl#362
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
My advice would be to avoid specific support for any particular
digest algorithm. Instead, provide bindings to:
EVP_get_digestbyname(),EVP_MD_CTX_create(3),EVP_DigestInit_ex(3),EVP_DigestUpdate(3),EVP_DigestFinal_ex(3),EVP_MD_CTX_destroy(3)which can they use any available digest algorithm (by name).
The text was updated successfully, but these errors were encountered: