[Impala-ASF-CR] IMPALA-10206: Avoid MD5 Digest Authorization in FIPS approved mode
Impala Public Jenkins has submitted this change and it was merged. ( http://gerrit.cloudera.org:8080/16630 ) Change subject: IMPALA-10206: Avoid MD5 Digest Authorization in FIPS approved mode .. IMPALA-10206: Avoid MD5 Digest Authorization in FIPS approved mode To compliant with FIPS requirement, we should use OpenSSL libraries for cryptographic hash functions, instead of own hash functions. This patch replace MD5 and SHA1 functions in Squeasel Web server with OpenSSL APIs. It also force to turn off Digest Authorization for Web server in FIPS approved mode since Digest Authorization use MD5 hash and it doesn't comply with FIPS 140-2. Testing: - Passed webserver-test. - Passed exhaustive tests. - Manually verified HTTP Digest Authorization could not be enabled by setting webserver_password_file on a FIPS enabled cluster. Change-Id: Ie075389b3ab65c612d64ba58e16a10b19bdf4d6f Reviewed-on: http://gerrit.cloudera.org:8080/16630 Reviewed-by: Thomas Tauber-Marshall Tested-by: Impala Public Jenkins --- M be/src/thirdparty/squeasel/squeasel.c M be/src/util/webserver-test.cc M be/src/util/webserver.cc 3 files changed, 38 insertions(+), 338 deletions(-) Approvals: Thomas Tauber-Marshall: Looks good to me, approved Impala Public Jenkins: Verified -- To view, visit http://gerrit.cloudera.org:8080/16630 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: merged Gerrit-Change-Id: Ie075389b3ab65c612d64ba58e16a10b19bdf4d6f Gerrit-Change-Number: 16630 Gerrit-PatchSet: 9 Gerrit-Owner: Wenzhe Zhou Gerrit-Reviewer: Impala Public Jenkins Gerrit-Reviewer: Thomas Tauber-Marshall Gerrit-Reviewer: Wenzhe Zhou
[Impala-ASF-CR] IMPALA-10206: Avoid MD5 Digest Authorization in FIPS approved mode
Impala Public Jenkins has posted comments on this change. ( http://gerrit.cloudera.org:8080/16630 ) Change subject: IMPALA-10206: Avoid MD5 Digest Authorization in FIPS approved mode .. Patch Set 8: Verified+1 -- To view, visit http://gerrit.cloudera.org:8080/16630 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: Ie075389b3ab65c612d64ba58e16a10b19bdf4d6f Gerrit-Change-Number: 16630 Gerrit-PatchSet: 8 Gerrit-Owner: Wenzhe Zhou Gerrit-Reviewer: Impala Public Jenkins Gerrit-Reviewer: Thomas Tauber-Marshall Gerrit-Reviewer: Wenzhe Zhou Gerrit-Comment-Date: Fri, 30 Oct 2020 04:33:09 + Gerrit-HasComments: No
[Impala-ASF-CR] IMPALA-10206: Avoid MD5 Digest Authorization in FIPS approved mode
Impala Public Jenkins has posted comments on this change. ( http://gerrit.cloudera.org:8080/16630 ) Change subject: IMPALA-10206: Avoid MD5 Digest Authorization in FIPS approved mode .. Patch Set 8: Build Successful https://jenkins.impala.io/job/gerrit-code-review-checks/7585/ : Initial code review checks passed. Use gerrit-verify-dryrun-external or gerrit-verify-dryrun to run full precommit tests. -- To view, visit http://gerrit.cloudera.org:8080/16630 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: Ie075389b3ab65c612d64ba58e16a10b19bdf4d6f Gerrit-Change-Number: 16630 Gerrit-PatchSet: 8 Gerrit-Owner: Wenzhe Zhou Gerrit-Reviewer: Impala Public Jenkins Gerrit-Reviewer: Thomas Tauber-Marshall Gerrit-Reviewer: Wenzhe Zhou Gerrit-Comment-Date: Thu, 29 Oct 2020 23:22:32 + Gerrit-HasComments: No
[Impala-ASF-CR] IMPALA-10206: Avoid MD5 Digest Authorization in FIPS approved mode
Impala Public Jenkins has posted comments on this change. ( http://gerrit.cloudera.org:8080/16630 ) Change subject: IMPALA-10206: Avoid MD5 Digest Authorization in FIPS approved mode .. Patch Set 8: Build started: https://jenkins.impala.io/job/gerrit-verify-dryrun/6622/ DRY_RUN=false -- To view, visit http://gerrit.cloudera.org:8080/16630 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: Ie075389b3ab65c612d64ba58e16a10b19bdf4d6f Gerrit-Change-Number: 16630 Gerrit-PatchSet: 8 Gerrit-Owner: Wenzhe Zhou Gerrit-Reviewer: Impala Public Jenkins Gerrit-Reviewer: Thomas Tauber-Marshall Gerrit-Reviewer: Wenzhe Zhou Gerrit-Comment-Date: Thu, 29 Oct 2020 23:09:25 + Gerrit-HasComments: No
[Impala-ASF-CR] IMPALA-10206: Avoid MD5 Digest Authorization in FIPS approved mode
Thomas Tauber-Marshall has posted comments on this change. ( http://gerrit.cloudera.org:8080/16630 ) Change subject: IMPALA-10206: Avoid MD5 Digest Authorization in FIPS approved mode .. Patch Set 8: Code-Review+2 -- To view, visit http://gerrit.cloudera.org:8080/16630 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: Ie075389b3ab65c612d64ba58e16a10b19bdf4d6f Gerrit-Change-Number: 16630 Gerrit-PatchSet: 8 Gerrit-Owner: Wenzhe Zhou Gerrit-Reviewer: Impala Public Jenkins Gerrit-Reviewer: Thomas Tauber-Marshall Gerrit-Reviewer: Wenzhe Zhou Gerrit-Comment-Date: Thu, 29 Oct 2020 23:09:07 + Gerrit-HasComments: No
[Impala-ASF-CR] IMPALA-10206: Avoid MD5 Digest Authorization in FIPS approved mode
Wenzhe Zhou has uploaded a new patch set (#8). ( http://gerrit.cloudera.org:8080/16630 ) Change subject: IMPALA-10206: Avoid MD5 Digest Authorization in FIPS approved mode .. IMPALA-10206: Avoid MD5 Digest Authorization in FIPS approved mode To compliant with FIPS requirement, we should use OpenSSL libraries for cryptographic hash functions, instead of own hash functions. This patch replace MD5 and SHA1 functions in Squeasel Web server with OpenSSL APIs. It also force to turn off Digest Authorization for Web server in FIPS approved mode since Digest Authorization use MD5 hash and it doesn't comply with FIPS 140-2. Testing: - Passed webserver-test. - Passed exhaustive tests. - Manually verified HTTP Digest Authorization could not be enabled by setting webserver_password_file on a FIPS enabled cluster. Change-Id: Ie075389b3ab65c612d64ba58e16a10b19bdf4d6f --- M be/src/thirdparty/squeasel/squeasel.c M be/src/util/webserver-test.cc M be/src/util/webserver.cc 3 files changed, 38 insertions(+), 338 deletions(-) git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/30/16630/8 -- To view, visit http://gerrit.cloudera.org:8080/16630 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: newpatchset Gerrit-Change-Id: Ie075389b3ab65c612d64ba58e16a10b19bdf4d6f Gerrit-Change-Number: 16630 Gerrit-PatchSet: 8 Gerrit-Owner: Wenzhe Zhou Gerrit-Reviewer: Impala Public Jenkins Gerrit-Reviewer: Thomas Tauber-Marshall Gerrit-Reviewer: Wenzhe Zhou
[Impala-ASF-CR] IMPALA-10206: Avoid MD5 Digest Authorization in FIPS approved mode
Wenzhe Zhou has posted comments on this change. ( http://gerrit.cloudera.org:8080/16630 ) Change subject: IMPALA-10206: Avoid MD5 Digest Authorization in FIPS approved mode .. Patch Set 7: (1 comment) http://gerrit.cloudera.org:8080/#/c/16630/7/be/src/util/webserver.cc File be/src/util/webserver.cc: http://gerrit.cloudera.org:8080/#/c/16630/7/be/src/util/webserver.cc@401 PS7, Line 401: stringstream ss; > This is unnecessary, you can just pass the string directly into the Status Right, fixed it. -- To view, visit http://gerrit.cloudera.org:8080/16630 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: Ie075389b3ab65c612d64ba58e16a10b19bdf4d6f Gerrit-Change-Number: 16630 Gerrit-PatchSet: 7 Gerrit-Owner: Wenzhe Zhou Gerrit-Reviewer: Impala Public Jenkins Gerrit-Reviewer: Thomas Tauber-Marshall Gerrit-Reviewer: Wenzhe Zhou Gerrit-Comment-Date: Thu, 29 Oct 2020 23:04:49 + Gerrit-HasComments: Yes
[Impala-ASF-CR] IMPALA-10206: Avoid MD5 Digest Authorization in FIPS approved mode
Thomas Tauber-Marshall has posted comments on this change. ( http://gerrit.cloudera.org:8080/16630 ) Change subject: IMPALA-10206: Avoid MD5 Digest Authorization in FIPS approved mode .. Patch Set 7: (1 comment) http://gerrit.cloudera.org:8080/#/c/16630/7/be/src/util/webserver.cc File be/src/util/webserver.cc: http://gerrit.cloudera.org:8080/#/c/16630/7/be/src/util/webserver.cc@401 PS7, Line 401: stringstream ss; This is unnecessary, you can just pass the string directly into the Status constructor. -- To view, visit http://gerrit.cloudera.org:8080/16630 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: Ie075389b3ab65c612d64ba58e16a10b19bdf4d6f Gerrit-Change-Number: 16630 Gerrit-PatchSet: 7 Gerrit-Owner: Wenzhe Zhou Gerrit-Reviewer: Impala Public Jenkins Gerrit-Reviewer: Thomas Tauber-Marshall Gerrit-Reviewer: Wenzhe Zhou Gerrit-Comment-Date: Thu, 29 Oct 2020 22:38:28 + Gerrit-HasComments: Yes
[Impala-ASF-CR] IMPALA-10206: Avoid MD5 Digest Authorization in FIPS approved mode
Impala Public Jenkins has posted comments on this change. ( http://gerrit.cloudera.org:8080/16630 ) Change subject: IMPALA-10206: Avoid MD5 Digest Authorization in FIPS approved mode .. Patch Set 7: Build Successful https://jenkins.impala.io/job/gerrit-code-review-checks/7584/ : Initial code review checks passed. Use gerrit-verify-dryrun-external or gerrit-verify-dryrun to run full precommit tests. -- To view, visit http://gerrit.cloudera.org:8080/16630 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: Ie075389b3ab65c612d64ba58e16a10b19bdf4d6f Gerrit-Change-Number: 16630 Gerrit-PatchSet: 7 Gerrit-Owner: Wenzhe Zhou Gerrit-Reviewer: Impala Public Jenkins Gerrit-Reviewer: Thomas Tauber-Marshall Gerrit-Reviewer: Wenzhe Zhou Gerrit-Comment-Date: Thu, 29 Oct 2020 22:15:48 + Gerrit-HasComments: No
[Impala-ASF-CR] IMPALA-10206: Avoid MD5 Digest Authorization in FIPS approved mode
Wenzhe Zhou has uploaded a new patch set (#7). ( http://gerrit.cloudera.org:8080/16630 ) Change subject: IMPALA-10206: Avoid MD5 Digest Authorization in FIPS approved mode .. IMPALA-10206: Avoid MD5 Digest Authorization in FIPS approved mode To compliant with FIPS requirement, we should use OpenSSL libraries for cryptographic hash functions, instead of own hash functions. This patch replace MD5 and SHA1 functions in Squeasel Web server with OpenSSL APIs. It also force to turn off Digest Authorization for Web server in FIPS approved mode since Digest Authorization use MD5 hash and it doesn't comply with FIPS 140-2. Testing: - Passed webserver-test. - Passed exhaustive tests. - Manually verified HTTP Digest Authorization could not be enabled by setting webserver_password_file on a FIPS enabled cluster. Change-Id: Ie075389b3ab65c612d64ba58e16a10b19bdf4d6f --- M be/src/thirdparty/squeasel/squeasel.c M be/src/util/webserver-test.cc M be/src/util/webserver.cc 3 files changed, 38 insertions(+), 336 deletions(-) git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/30/16630/7 -- To view, visit http://gerrit.cloudera.org:8080/16630 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: newpatchset Gerrit-Change-Id: Ie075389b3ab65c612d64ba58e16a10b19bdf4d6f Gerrit-Change-Number: 16630 Gerrit-PatchSet: 7 Gerrit-Owner: Wenzhe Zhou Gerrit-Reviewer: Impala Public Jenkins Gerrit-Reviewer: Thomas Tauber-Marshall Gerrit-Reviewer: Wenzhe Zhou
[Impala-ASF-CR] IMPALA-10206: Avoid MD5 Digest Authorization in FIPS approved mode
Thomas Tauber-Marshall has posted comments on this change. ( http://gerrit.cloudera.org:8080/16630 ) Change subject: IMPALA-10206: Avoid MD5 Digest Authorization in FIPS approved mode .. Patch Set 6: (2 comments) http://gerrit.cloudera.org:8080/#/c/16630/6/be/src/util/webserver-test.cc File be/src/util/webserver-test.cc: http://gerrit.cloudera.org:8080/#/c/16630/6/be/src/util/webserver-test.cc@439 PS6, Line 439: if (FIPS_mode()) return; Once we're returning an error status (per my other comment), lets have this test check for that, ie. do an if(FIPS_mode()) ASSERT_ERROR(webserver.Start()) http://gerrit.cloudera.org:8080/#/c/16630/6/be/src/util/webserver.cc File be/src/util/webserver.cc: http://gerrit.cloudera.org:8080/#/c/16630/6/be/src/util/webserver.cc@401 PS6, Line 401: LOG(WARNING) << "HTTP digest authorization is not supported in FIPS approved mode."; We should probably return an error status here, just to be sure people don't accidentally misconfigure this. -- To view, visit http://gerrit.cloudera.org:8080/16630 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: Ie075389b3ab65c612d64ba58e16a10b19bdf4d6f Gerrit-Change-Number: 16630 Gerrit-PatchSet: 6 Gerrit-Owner: Wenzhe Zhou Gerrit-Reviewer: Impala Public Jenkins Gerrit-Reviewer: Thomas Tauber-Marshall Gerrit-Reviewer: Wenzhe Zhou Gerrit-Comment-Date: Thu, 29 Oct 2020 20:47:49 + Gerrit-HasComments: Yes
[Impala-ASF-CR] IMPALA-10206: Avoid MD5 Digest Authorization in FIPS approved mode
Impala Public Jenkins has posted comments on this change. ( http://gerrit.cloudera.org:8080/16630 ) Change subject: IMPALA-10206: Avoid MD5 Digest Authorization in FIPS approved mode .. Patch Set 6: Build Successful https://jenkins.impala.io/job/gerrit-code-review-checks/7582/ : Initial code review checks passed. Use gerrit-verify-dryrun-external or gerrit-verify-dryrun to run full precommit tests. -- To view, visit http://gerrit.cloudera.org:8080/16630 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: Ie075389b3ab65c612d64ba58e16a10b19bdf4d6f Gerrit-Change-Number: 16630 Gerrit-PatchSet: 6 Gerrit-Owner: Wenzhe Zhou Gerrit-Reviewer: Impala Public Jenkins Gerrit-Reviewer: Thomas Tauber-Marshall Gerrit-Reviewer: Wenzhe Zhou Gerrit-Comment-Date: Thu, 29 Oct 2020 19:44:16 + Gerrit-HasComments: No
[Impala-ASF-CR] IMPALA-10206: Avoid MD5 Digest Authorization in FIPS approved mode
Wenzhe Zhou has uploaded a new patch set (#6). ( http://gerrit.cloudera.org:8080/16630 ) Change subject: IMPALA-10206: Avoid MD5 Digest Authorization in FIPS approved mode .. IMPALA-10206: Avoid MD5 Digest Authorization in FIPS approved mode To compliant with FIPS requirement, we should use OpenSSL libraries for cryptographic hash functions, instead of own hash functions. This patch replace MD5 and SHA1 functions in Squeasel Web server with OpenSSL APIs. It also force to turn off Digest Authorization for Web server in FIPS approved mode since Digest Authorization use MD5 hash and it doesn't comply with FIPS 140-2. Testing: - Passed exhaustive tests. - Manually verified HTTP Digest Authorization could not be enabled by setting webserver_password_file on a FIPS enabled cluster. Change-Id: Ie075389b3ab65c612d64ba58e16a10b19bdf4d6f --- M be/src/thirdparty/squeasel/squeasel.c M be/src/util/webserver-test.cc M be/src/util/webserver.cc 3 files changed, 31 insertions(+), 333 deletions(-) git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/30/16630/6 -- To view, visit http://gerrit.cloudera.org:8080/16630 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: newpatchset Gerrit-Change-Id: Ie075389b3ab65c612d64ba58e16a10b19bdf4d6f Gerrit-Change-Number: 16630 Gerrit-PatchSet: 6 Gerrit-Owner: Wenzhe Zhou Gerrit-Reviewer: Impala Public Jenkins Gerrit-Reviewer: Thomas Tauber-Marshall Gerrit-Reviewer: Wenzhe Zhou