FIPS again... #750
Summary
If the decision to switch to SHA256 was over FIPS then the other caveat that often gets overlooked is the use of ruby's `Digest` class.

When ruby is built against openssl the `Digest` class no longer uses the internal implementation, but rather openssl's old API. When using the old openssl API with FIPS enabled (`OpenSSL.fips_mode -> true`) then openssl will panic/abort with...

`sha256.c(34): OpenSSL internal error, assertion failed: Low level API call to digest SHA256 forbidden in FIPS mode!`

even though you are using a FIPS supported algorithm. This is due to the fact that the piece of code that has been validated by NIST doesn't leverage the old API.

Using the `OpenSSL::Digest` class however uses the new API (EVP interface) which allows crypto in a FIPS environment.

Note, rhenium has since pulled the openssl bindings from digest in ruby 3 due to the inconvenience it causes: ruby/ruby@2e601c2
Potential Solution
Last related issue: #725
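
Added example, not part of the original issue or the project's code: a SHA-256 helper that goes through `OpenSSL::Digest` (the EVP interface named above) for both strings and streamed IO, and that only touches `Digest::SHA256` when `OpenSSL.fips_mode` is false. The module and method names (`EvpDigest`, `sha256_hex`, `sha256_hex_io`, `matches_legacy?`) are hypothetical.

```ruby
require "openssl"
require "digest"
require "stringio"

# Hypothetical helper module. The only library APIs used are
# OpenSSL::Digest, OpenSSL.fips_mode and Digest::SHA256.
module EvpDigest
  CHUNK = 64 * 1024 # bytes read per update call

  # Hash a String through the EVP-backed OpenSSL::Digest class.
  def self.sha256_hex(data)
    OpenSSL::Digest.new("SHA256").hexdigest(data)
  end

  # Hash any IO-like object in chunks so large files are never loaded whole.
  def self.sha256_hex_io(io)
    digest = OpenSSL::Digest.new("SHA256")
    buf = String.new
    digest.update(buf) while io.read(CHUNK, buf)
    digest.hexdigest
  end

  # Cross-check against Digest::SHA256, but only outside FIPS mode, since the
  # issue reports that call aborting the process on affected builds.
  # Returns nil (check skipped) when FIPS mode is on.
  def self.matches_legacy?(data)
    return nil if OpenSSL.fips_mode
    Digest::SHA256.hexdigest(data) == sha256_hex(data)
  end
end

if __FILE__ == $PROGRAM_NAME
  sample = "abc" # constructed sample input
  puts "fips_mode:  #{OpenSSL.fips_mode}"
  puts "string:     #{EvpDigest.sha256_hex(sample)}"
  puts "streamed:   #{EvpDigest.sha256_hex_io(StringIO.new(sample))}"
  puts "legacy eq?: #{EvpDigest.matches_legacy?(sample).inspect}"
end
```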