[Impala-ASF-CR] IMPALA-10206: Avoid MD5 Digest Authorization in FIPS mode
Impala Public Jenkins has posted comments on this change. ( http://gerrit.cloudera.org:8080/16630 )

Change subject: IMPALA-10206: Avoid MD5 Digest Authorization in FIPS mode

Patch Set 5: Build Successful

https://jenkins.impala.io/job/gerrit-code-review-checks/7571/ : Initial code review checks passed. Use gerrit-verify-dryrun-external or gerrit-verify-dryrun to run full precommit tests.

--
To view, visit http://gerrit.cloudera.org:8080/16630
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Ie075389b3ab65c612d64ba58e16a10b19bdf4d6f
Gerrit-Change-Number: 16630
Gerrit-PatchSet: 5
Gerrit-Owner: Wenzhe Zhou
Gerrit-Reviewer: Impala Public Jenkins
Gerrit-Reviewer: Thomas Tauber-Marshall
Gerrit-Reviewer: Wenzhe Zhou
Gerrit-Comment-Date: Tue, 27 Oct 2020 23:14:12 +
Gerrit-HasComments: No
[Impala-ASF-CR] IMPALA-10206: Avoid MD5 Digest Authorization in FIPS mode
Wenzhe Zhou has uploaded a new patch set (#5). ( http://gerrit.cloudera.org:8080/16630 )

Change subject: IMPALA-10206: Avoid MD5 Digest Authorization in FIPS mode

IMPALA-10206: Avoid MD5 Digest Authorization in FIPS mode

To be compliant with FIPS requirements, we should use OpenSSL libraries for cryptographic hash functions instead of our own hash functions. This patch replaces the MD5 and SHA1 functions in the Squeasel Web server with OpenSSL APIs. It also forces Digest Authorization to be turned off for the Web server in FIPS mode, since Digest Authorization uses an MD5 hash.

Testing:
- Passed exhaustive tests.
- Manually verified HTTP Digest Authorization could not be enabled by setting webserver_password_file on a FIPS enabled cluster.

Change-Id: Ie075389b3ab65c612d64ba58e16a10b19bdf4d6f
---
M be/src/thirdparty/squeasel/squeasel.c
M be/src/util/webserver.cc
2 files changed, 28 insertions(+), 333 deletions(-)

git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/30/16630/5

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: Ie075389b3ab65c612d64ba58e16a10b19bdf4d6f
Gerrit-Change-Number: 16630
Gerrit-PatchSet: 5
Gerrit-Owner: Wenzhe Zhou
Gerrit-Reviewer: Impala Public Jenkins
Gerrit-Reviewer: Thomas Tauber-Marshall
Gerrit-Reviewer: Wenzhe Zhou
[Impala-ASF-CR] IMPALA-10206: Avoid MD5 Digest Authorization in FIPS mode
Thomas Tauber-Marshall has posted comments on this change. ( http://gerrit.cloudera.org:8080/16630 )

Change subject: IMPALA-10206: Avoid MD5 Digest Authorization in FIPS mode

Patch Set 4:

(3 comments)

http://gerrit.cloudera.org:8080/#/c/16630/4/be/src/thirdparty/squeasel/squeasel.c
File be/src/thirdparty/squeasel/squeasel.c:

http://gerrit.cloudera.org:8080/#/c/16630/4/be/src/thirdparty/squeasel/squeasel.c@1527
PS4, Line 1527: #ifndef USE_SQ_OWN_HASH_FUNCTIONS
Does FIPS have a requirement that non-openssl crypto functions have to be compiled out, or is it good enough that they don't get used? Seems like given your change in webserver.cc that prevents us from using password files in FIPS that these functions won't ever actually get used.

http://gerrit.cloudera.org:8080/#/c/16630/4/be/src/thirdparty/squeasel/squeasel.c@3247
PS4, Line 3247: #ifndef USE_SQ_OWN_HASH_FUNCTIONS
Like above, seems like these functions aren't actually getting used. And in fact, I think these are already getting compiled out due to the USE_WEBSOCKET above, which I don't think we set. If we really do still want to make this change, I might suggest just completely deleting the squeasel functions and leaving openssl as the only option.

http://gerrit.cloudera.org:8080/#/c/16630/4/be/src/util/webserver.cc
File be/src/util/webserver.cc:

http://gerrit.cloudera.org:8080/#/c/16630/4/be/src/util/webserver.cc@401
PS4, Line 401: Don't support HTTP Digest Authorization in FIPS mode.
nit: this is worded kind of strangely. Maybe "HTTP digest authorization is not supported in FIPS mode"

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Ie075389b3ab65c612d64ba58e16a10b19bdf4d6f
Gerrit-Change-Number: 16630
Gerrit-PatchSet: 4
Gerrit-Owner: Wenzhe Zhou
Gerrit-Reviewer: Impala Public Jenkins
Gerrit-Reviewer: Thomas Tauber-Marshall
Gerrit-Reviewer: Wenzhe Zhou
Gerrit-Comment-Date: Tue, 27 Oct 2020 20:28:25 +
Gerrit-HasComments: Yes
[Impala-ASF-CR] IMPALA-10206: Avoid MD5 Digest Authorization in FIPS mode
Impala Public Jenkins has posted comments on this change. ( http://gerrit.cloudera.org:8080/16630 )

Change subject: IMPALA-10206: Avoid MD5 Digest Authorization in FIPS mode

Patch Set 4: Build Successful

https://jenkins.impala.io/job/gerrit-code-review-checks/7562/ : Initial code review checks passed. Use gerrit-verify-dryrun-external or gerrit-verify-dryrun to run full precommit tests.

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Ie075389b3ab65c612d64ba58e16a10b19bdf4d6f
Gerrit-Change-Number: 16630
Gerrit-PatchSet: 4
Gerrit-Owner: Wenzhe Zhou
Gerrit-Reviewer: Impala Public Jenkins
Gerrit-Reviewer: Thomas Tauber-Marshall
Gerrit-Reviewer: Wenzhe Zhou
Gerrit-Comment-Date: Tue, 27 Oct 2020 04:55:32 +
Gerrit-HasComments: No
[Impala-ASF-CR] IMPALA-10206: Avoid MD5 Digest Authorization in FIPS mode
Wenzhe Zhou has uploaded a new patch set (#4). ( http://gerrit.cloudera.org:8080/16630 )

Change subject: IMPALA-10206: Avoid MD5 Digest Authorization in FIPS mode

IMPALA-10206: Avoid MD5 Digest Authorization in FIPS mode

To be compliant with FIPS requirements, we should use OpenSSL libraries for cryptographic hash functions instead of our own hash functions. This patch replaces the MD5 and SHA1 functions in the Squeasel Web server with OpenSSL APIs. It also forces Digest Authorization to be turned off for the Web server in FIPS mode, since Digest Authorization uses an MD5 hash.

Testing:
- Passed exhaustive tests.
- Manually verified HTTP Digest Authorization could not be enabled by setting webserver_password_file on a FIPS enabled cluster.

Change-Id: Ie075389b3ab65c612d64ba58e16a10b19bdf4d6f
---
M be/src/thirdparty/squeasel/squeasel.c
M be/src/util/webserver.cc
2 files changed, 38 insertions(+), 11 deletions(-)

git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/30/16630/4

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: Ie075389b3ab65c612d64ba58e16a10b19bdf4d6f
Gerrit-Change-Number: 16630
Gerrit-PatchSet: 4
Gerrit-Owner: Wenzhe Zhou
Gerrit-Reviewer: Impala Public Jenkins
Gerrit-Reviewer: Wenzhe Zhou
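
Added example, not part of the thread and not Impala's or Squeasel's code: a startup gate of the kind the commit message describes, which keeps digest authorization off when FIPS mode is on even though webserver_password_file is set. Assumptions: the function and enum names are hypothetical, the Linux kernel flag file /proc/sys/crypto/fips_enabled is used as the FIPS signal, and a refusal is reported to the caller as a distinct result.

```c
#include <ctype.h>
#include <stdio.h>

/* Outcome of resolving the web server's authentication settings. */
typedef enum {
  AUTH_NONE,           /* no password file configured */
  AUTH_DIGEST,         /* digest auth enabled (MD5-based) */
  AUTH_DIGEST_REFUSED  /* password file set, but FIPS mode rules out MD5 */
} auth_decision;

/* Returns 1 only when `text` is "1" followed by optional whitespace, so
 * values such as "10" or "1x" are not mistaken for an enabled flag. */
int parse_fips_flag(const char *text) {
  if (text == NULL || text[0] != '1') return 0;
  for (const char *p = text + 1; *p != '\0'; ++p) {
    if (!isspace((unsigned char)*p)) return 0;
  }
  return 1;
}

/* Assumption: the Linux kernel flag file is the FIPS signal.
 * A file that cannot be opened is treated as FIPS off (returns 0). */
int read_fips_flag(const char *path) {
  char buf[16];
  FILE *f = fopen(path, "r");
  if (f == NULL) return 0;
  size_t n = fread(buf, 1, sizeof(buf) - 1, f);
  fclose(f);
  buf[n] = '\0';
  return parse_fips_flag(buf);
}

/* `password_file` stands for the value of webserver_password_file. */
auth_decision resolve_web_auth(int fips_mode, const char *password_file) {
  if (password_file == NULL || password_file[0] == '\0') return AUTH_NONE;
  /* Digest auth hashes credentials with MD5, so never enable it under FIPS. */
  return fips_mode ? AUTH_DIGEST_REFUSED : AUTH_DIGEST;
}

int main(void) {
  int fips = read_fips_flag("/proc/sys/crypto/fips_enabled");
  /* Constructed path, for illustration only. */
  auth_decision d = resolve_web_auth(fips, "/constructed/path/htdigest");
  if (d == AUTH_DIGEST_REFUSED) {
    fprintf(stderr, "HTTP digest authorization is not supported in FIPS mode\n");
    return 1;
  }
  printf("fips=%d digest_auth=%s\n", fips, d == AUTH_DIGEST ? "on" : "off");
  return 0;
}
```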