(spark) branch master updated: [SPARK-47841][BUILD] Upgrade `postgresql` to 42.7.3

2024-04-13 Thread dongjoon
This is an automated email from the ASF dual-hosted git repository.

dongjoon pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/spark.git


The following commit(s) were added to refs/heads/master by this push:
 new 85c4f053f25a [SPARK-47841][BUILD] Upgrade `postgresql` to 42.7.3
85c4f053f25a is described below

commit 85c4f053f25a7f20546600e179a7303a4409834f
Author: panbingkun 
AuthorDate: Sat Apr 13 17:36:17 2024 -0700

[SPARK-47841][BUILD] Upgrade `postgresql` to 42.7.3

### What changes were proposed in this pull request?
The PR aims to upgrade `postgresql` from `42.7.2` to `42.7.3`.

### Why are the changes needed?
The version `42.7.3` full release notes:
https://jdbc.postgresql.org/changelogs/2024-03-14-42.7.3-release/
- fix: boolean types not handled in SimpleQuery mode [PR #3146](https://github.com/pgjdbc/pgjdbc/pull/3146)
  * make sure we handle boolean types in simple query mode
  * support uuid as well
  * handle all well known types in text mode and change else if to switch
- fix: released new versions of 42.2.29, 42.3.10, 42.4.5, 42.5.6, 42.6.2 to deal with NoSuchMethodError on ByteBuffer#position when running on Java 8

### Does this PR introduce _any_ user-facing change?
No.

### How was this patch tested?
Pass GA.

### Was this patch authored or co-authored using generative AI tooling?
No.

Closes #46038 from panbingkun/postgresql_upgrade.

Authored-by: panbingkun 
Signed-off-by: Dongjoon Hyun 
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index 95ed02d412a9..560a6c037282 100644
--- a/pom.xml
+++ b/pom.xml
@@ -320,7 +320,7 @@
 
 2.7.12
 8.3.0
-42.7.2
+42.7.3
 11.5.9.0
 9.4.1.jre8
 23.3.0.23.09
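Review bot: the version line (42.7.2 to 42.7.3) is the only change in the commit, while the description answers the user-facing question with a bare "No" and lists testing as "Pass GA". Since the cited upstream fix changes how boolean and uuid types are handled in SimpleQuery mode, the description should say whether any Spark code path uses that mode, or note that the driver is only exercised in tests if that is the case.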


-
To unsubscribe, e-mail: commits-unsubscr...@spark.apache.org
For additional commands, e-mail: commits-h...@spark.apache.org



(spark) branch branch-3.5 updated: [SPARK-47318][CORE][3.5] Adds HKDF round to AuthEngine key derivation to follow standard KEX practices

2024-04-13 Thread dongjoon
This is an automated email from the ASF dual-hosted git repository.

dongjoon pushed a commit to branch branch-3.5
in repository https://gitbox.apache.org/repos/asf/spark.git


The following commit(s) were added to refs/heads/branch-3.5 by this push:
 new b8e2498007a0 [SPARK-47318][CORE][3.5] Adds HKDF round to AuthEngine 
key derivation to follow standard KEX practices
b8e2498007a0 is described below

commit b8e2498007a0b4e9a8790ce8a3511427093fa6a7
Author: Dongjoon Hyun 
AuthorDate: Sat Apr 13 16:54:20 2024 -0700

[SPARK-47318][CORE][3.5] Adds HKDF round to AuthEngine key derivation to 
follow standard KEX practices

### What changes were proposed in this pull request?

Backport of SPARK-47318 to v3.5.0

This change adds an additional pass through a key derivation function (KDF) 
to the key exchange protocol in `AuthEngine`. Currently, it uses the shared 
secret from a bespoke key negotiation protocol directly. This is an encoded X 
coordinate on the X25519 curve. It is atypical and not recommended to use that 
coordinate directly as a key, but rather to pass it to a KDF.

Note, Spark now supports TLS for RPC calls. It is preferable to use that 
rather than the bespoke AES RPC encryption implemented by `AuthEngine` and 
`TransportCipher`.

### Why are the changes needed?

This follows best practices of key negotiation protocols. The encoded X 
coordinate is not guaranteed to be uniformly distributed over the 32-byte key 
space. Rather, we pass it through an HKDF function to map it uniformly to a 
16-byte key space.

### Does this PR introduce _any_ user-facing change?

No.

### How was this patch tested?

Existing tests under:
`build/sbt "network-common/test:testOnly"`

Specifically:
`build/sbt "network-common/test:testOnly org.apache.spark.network.crypto.AuthEngineSuite"`
`build/sbt "network-common/test:testOnly org.apache.spark.network.crypto.AuthIntegrationSuite"`

### Was this patch authored or co-authored using generative AI tooling?

No.

Closes #46014 from sweisdb/SPARK-47318-v3.5.0.

Lead-authored-by: Dongjoon Hyun 
Co-authored-by: Steve Weis 
Signed-off-by: Dongjoon Hyun 
---
 .../apache/spark/network/crypto/AuthEngine.java| 15 +-
 .../java/org/apache/spark/network/crypto/README.md | 17 ++-
 .../apache/spark/network/util/TransportConf.java   |  9 ++
 .../spark/network/crypto/AuthEngineSuite.java  | 34 --
 docs/security.md   | 12 
 5 files changed, 82 insertions(+), 5 deletions(-)

diff --git 
a/common/network-common/src/main/java/org/apache/spark/network/crypto/AuthEngine.java
 
b/common/network-common/src/main/java/org/apache/spark/network/crypto/AuthEngine.java
index 078d9ceb317b..14f0c23fd05f 100644
--- 
a/common/network-common/src/main/java/org/apache/spark/network/crypto/AuthEngine.java
+++ 
b/common/network-common/src/main/java/org/apache/spark/network/crypto/AuthEngine.java
@@ -41,16 +41,19 @@ import org.apache.spark.network.util.TransportConf;
  * Exchange, using a pre-shared key to derive an AES-GCM key encrypting key.
  */
 class AuthEngine implements Closeable {
+  public static final byte[] DERIVED_KEY_INFO = "derivedKey".getBytes(UTF_8);
   public static final byte[] INPUT_IV_INFO = "inputIv".getBytes(UTF_8);
   public static final byte[] OUTPUT_IV_INFO = "outputIv".getBytes(UTF_8);
   private static final String MAC_ALGORITHM = "HMACSHA256";
   private static final int AES_GCM_KEY_SIZE_BYTES = 16;
   private static final byte[] EMPTY_TRANSCRIPT = new byte[0];
+  private static final int UNSAFE_SKIP_HKDF_VERSION = 1;
 
   private final String appId;
   private final byte[] preSharedSecret;
   private final TransportConf conf;
   private final Properties cryptoConf;
+  private final boolean unsafeSkipFinalHkdf;
 
   private byte[] clientPrivateKey;
   private TransportCipher sessionCipher;
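Review bot: `UNSAFE_SKIP_HKDF_VERSION = 1` is declared without a comment, and the only explanation of what version 1 means sits in the constructor. A short comment at the declaration, saying that version 1 is the legacy protocol that uses the shared secret directly as the key, would make the constant self-describing and tell readers which value of `authEngineVersion()` gets the final HKDF round.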
@@ -62,6 +65,9 @@ class AuthEngine implements Closeable {
 this.preSharedSecret = preSharedSecret.getBytes(UTF_8);
 this.conf = conf;
 this.cryptoConf = conf.cryptoConf();
+// This is for backward compatibility with version 1.0 of this protocol,
+// which did not perform a final HKDF round.
+this.unsafeSkipFinalHkdf = conf.authEngineVersion() == 
UNSAFE_SKIP_HKDF_VERSION;
   }
 
   @VisibleForTesting
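Review bot: in the constructor, `conf.authEngineVersion() == UNSAFE_SKIP_HKDF_VERSION` treats every value other than 1 as the new protocol, so a mistyped or unsupported version silently selects the HKDF path instead of failing. Consider rejecting unknown versions here and logging a warning when the unsafe legacy mode is chosen, since two peers configured with different versions would derive different keys and the resulting failure would not point at the cause.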
@@ -201,6 +207,13 @@ class AuthEngine implements Closeable {
   byte[] sharedSecret,
   boolean isClient,
   byte[] transcript) throws GeneralSecurityException {
+byte[] derivedKey = unsafeSkipFinalHkdf ? sharedSecret :  // This is for 
backwards compatibility
+  Hkdf.computeHkdf(
+MAC_ALGORITHM,
+sharedSecret,
+transcript,
+DERIVED_KEY_INFO,
+AES_GCM_KEY_SIZE_BYTES);
 byte[] clientIv = Hkdf.computeHkdf(
 MAC_ALGORITHM,
 sharedSecret,
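Review bot: in the `derivedKey` ternary, the legacy branch returns `sharedSecret` unchanged while the HKDF branch returns `AES_GCM_KEY_SIZE_BYTES` (16) bytes, so the two modes yield keys of different length; per the commit message the shared secret lives in a 32-byte space. A test asserting the key length in each mode would pin that down. The inline `// This is for backwards compatibility` comment after the `:` is also easy to misread as describing the HKDF branch; moving it above the statement would help.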
@@ -213,7 +226,7 @@ class 
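
The final HKDF round described in the SPARK-47318 commit message above, written out with only `javax.crypto` as an added example (not Spark's code, and not the `Hkdf` helper the patch calls). It assumes the patch's call passes the shared secret as input key material and the transcript as salt; the secret, the transcript and the 16-byte IV length are constructed for the demo.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Arrays;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class HkdfRoundExample {
  private static final String HMAC = "HmacSHA256";

  // RFC 5869 HKDF: extract a PRK from (salt, ikm), then expand it under an info label.
  static byte[] hkdf(byte[] ikm, byte[] salt, byte[] info, int size)
      throws GeneralSecurityException {
    Mac mac = Mac.getInstance(HMAC);
    int hashLen = mac.getMacLength();
    if (size < 1 || size > 255 * hashLen) {
      throw new GeneralSecurityException("invalid output size: " + size);
    }
    // RFC 5869 replaces an absent salt with hashLen zero bytes; SecretKeySpec
    // also rejects an empty key, so an empty transcript must take this path.
    byte[] extractKey = salt.length == 0 ? new byte[hashLen] : salt;
    mac.init(new SecretKeySpec(extractKey, HMAC));
    byte[] prk = mac.doFinal(ikm);

    mac.init(new SecretKeySpec(prk, HMAC));
    byte[] okm = new byte[size];
    byte[] block = new byte[0];
    for (int pos = 0, counter = 1; pos < size; counter++) {
      mac.update(block);          // T(n-1), empty for the first block
      mac.update(info);
      mac.update((byte) counter);
      block = mac.doFinal();      // T(n); doFinal resets the Mac for the next round
      int n = Math.min(hashLen, size - pos);
      System.arraycopy(block, 0, okm, pos, n);
      pos += n;
    }
    return okm;
  }

  public static void main(String[] args) throws GeneralSecurityException {
    // Constructed stand-ins for the X25519 output and the handshake transcript;
    // the 16-byte IV length is an assumption made for this demo.
    byte[] sharedSecret = new byte[32];
    Arrays.fill(sharedSecret, (byte) 0x42);
    byte[] transcript = "constructed transcript".getBytes(StandardCharsets.UTF_8);
    byte[] key = hkdf(sharedSecret, transcript, "derivedKey".getBytes(StandardCharsets.UTF_8), 16);
    byte[] iv = hkdf(sharedSecret, transcript, "inputIv".getBytes(StandardCharsets.UTF_8), 16);
    System.out.println("derived key bytes: " + key.length);
    System.out.println("key differs from iv output: " + !Arrays.equals(key, iv));
  }
}
```

The distinct info labels are what keep the key and IV outputs independent even though both start from the same shared secret and transcript.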

(spark) branch branch-3.4 updated (d0fd730839d8 -> 6736024f298e)

2024-04-13 Thread dongjoon
This is an automated email from the ASF dual-hosted git repository.

dongjoon pushed a change to branch branch-3.4
in repository https://gitbox.apache.org/repos/asf/spark.git


from d0fd730839d8 [SPARK-47824][PS] Fix nondeterminism in 
pyspark.pandas.series.asof
 add 6736024f298e [SPARK-47318][CORE][3.4] Adds HKDF round to AuthEngine 
key derivation to follow standard KEX practices

No new revisions were added by this update.

Summary of changes:
 .../apache/spark/network/crypto/AuthEngine.java| 15 +-
 .../java/org/apache/spark/network/crypto/README.md | 17 ++-
 .../apache/spark/network/util/TransportConf.java   |  9 ++
 .../spark/network/crypto/AuthEngineSuite.java  | 34 --
 docs/security.md   | 12 
 5 files changed, 82 insertions(+), 5 deletions(-)

