mirror of
https://github.com/libgit2/libgit2.git
synced 2026-01-25 02:56:17 +00:00
7f7dfe71cc
Usage of the deprecated 'SHA256_*' OpenSSL API in a FIPS compliant environment results in OpenSSL's assertion failure with the following description: "OpenSSL internal error, assertion failed: Low level API call to digest SHA256 forbidden in FIPS mode!" This commit adds a possibility to use the OpenSSL's 'EVP_MD*' API instead of the deprecated 'SHA256_*' API, by extending the optional CMake flag 'USE_SHA256' with the new option called 'OpenSSL-FIPS'. The new option is used to choose a hashing backend used by libgit2 to calculate SHA256 hashes, in a similar way that currently existing options like 'OpenSSL', 'OpenSSL-Dynamic', 'mbedTLS' etc do. 'OpenSSL-FIPS' is a fully opt-in option which is purposely not interfering with the existing options, because, after running some benchmarks, it's been discovered that using the 'EVP_MD*' API causes hashing to be a bit slower in comparison to using the deprecated 'SHA256_*' API. Another change introduced in this commit is the enhancement of the Nightly workflow (nightly.yml) which will cause libgit2 to be automatically built with '-DUSE_SHA256="OpenSSL-FIPS"' CMake flag, on Linux, macOS and Windows.