[kudu-CR] Follow-up on OpenSSL 3 FIPS mode removal
Alexey Serbin has submitted this change and it was merged. ( http://gerrit.cloudera.org:8080/19232 )

Change subject: Follow-up on OpenSSL 3 FIPS_mode removal

Follow-up on OpenSSL 3 FIPS_mode removal

According to OpenSSL documentation[1], FIPS is now part of OpenSSL and
checking should be done with
EVP_default_properties_is_fips_enabled(3)[2], but it's not a trivial
change.

[1] https://wiki.openssl.org/index.php/OpenSSL_3.0#Upgrading_from_the_OpenSSL_2.0_FIPS_Object_Module
[2] https://www.openssl.org/docs/man3.0/man7/migration_guide.html

Change-Id: Ib67d6e6c28085ca61456c26a759c89ecdffb0b4a
Reviewed-on: http://gerrit.cloudera.org:8080/19232
Tested-by: Kudu Jenkins
Reviewed-by: Zoltan Chovan
Reviewed-by: Alexey Serbin
---
M src/kudu/server/webserver-test.cc
M src/kudu/server/webserver.cc
M src/kudu/util/openssl_util.cc
3 files changed, 15 insertions(+), 2 deletions(-)

Approvals:
  Kudu Jenkins: Verified
  Zoltan Chovan: Looks good to me, but someone else must approve
  Alexey Serbin: Looks good to me, approved

--
To view, visit http://gerrit.cloudera.org:8080/19232
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: merged
Gerrit-Change-Id: Ib67d6e6c28085ca61456c26a759c89ecdffb0b4a
Gerrit-Change-Number: 19232
Gerrit-PatchSet: 6
Gerrit-Owner: Ádám Bakai
Gerrit-Reviewer: Alexey Serbin
Gerrit-Reviewer: Attila Bukor
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Zoltan Chovan
Gerrit-Reviewer: Ádám Bakai
[kudu-CR] Follow-up on OpenSSL 3 FIPS mode removal
Alexey Serbin has posted comments on this change. ( http://gerrit.cloudera.org:8080/19232 )

Change subject: Follow-up on OpenSSL 3 FIPS_mode removal

Patch Set 5: Code-Review+2

(1 comment)

http://gerrit.cloudera.org:8080/#/c/19232/5/src/kudu/server/webserver-test.cc
File src/kudu/server/webserver-test.cc:

http://gerrit.cloudera.org:8080/#/c/19232/5/src/kudu/server/webserver-test.cc@69
PS5, Line 69: // FIPS_mode is removed from OpenSSL3 for test purposes, a fake one is created and
            : // set to disabled.
            : #if OPENSSL_VERSION_NUMBER >= 0x3000L
            : int FIPS_mode() { return 0; }
            : #endif
> Yes they, do because in multiple tests in webserver-test.cc FIPS_mode funct
OK, thanks for clarifying on this: it seems I missed checking webserver-test.cc for the usage of FIPS_mode().

Yes, I'd rather vote for the approach you pointed at, but since it seems this patch is just a temporary fix before properly addressing the detection of FIPS mode in OpenSSL3, I guess it's good enough.

So, this looks good enough to me as is.

Gerrit-MessageType: comment
Gerrit-PatchSet: 5
Gerrit-Comment-Date: Fri, 18 Nov 2022 05:48:52 +
Gerrit-HasComments: Yes
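Review bot: The guard `#if OPENSSL_VERSION_NUMBER >= 0x3000L` at line 69 of webserver-test.cc compares against a constant that is far below any OpenSSL release value: OpenSSL 3.0.0 reports `OPENSSL_VERSION_NUMBER` as 0x30000000L, and the 1.x releases report values of the form 0x1xxxxxxxL, so the condition is true on every version and the stub `int FIPS_mode() { return 0; }` is also compiled when building against OpenSSL 1.x, where the library still provides the real function. Suggest `#if OPENSSL_VERSION_NUMBER >= 0x30000000L` (or `#if OPENSSL_VERSION_MAJOR >= 3`) so the fake is limited to OpenSSL 3. Separately, because the stub always returns 0, the tests that branch on `FIPS_mode()` take the non-FIPS path on OpenSSL 3 even when the FIPS provider is active; the comment above the stub should say so explicitly until detection is moved to `EVP_default_properties_is_fips_enabled()`.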
[kudu-CR] Follow-up on OpenSSL 3 FIPS mode removal
Ádám Bakai has posted comments on this change. ( http://gerrit.cloudera.org:8080/19232 )

Change subject: Follow-up on OpenSSL 3 FIPS_mode removal

Patch Set 5:

(1 comment)

http://gerrit.cloudera.org:8080/#/c/19232/5/src/kudu/server/webserver-test.cc
File src/kudu/server/webserver-test.cc:

http://gerrit.cloudera.org:8080/#/c/19232/5/src/kudu/server/webserver-test.cc@69
PS5, Line 69: // FIPS_mode is removed from OpenSSL3 for test purposes, a fake one is created and
            : // set to disabled.
            : #if OPENSSL_VERSION_NUMBER >= 0x3000L
            : int FIPS_mode() { return 0; }
            : #endif
> Is this still required after adding corresponding if-defs in src/kudu/serve
Yes, they do, because in multiple tests in webserver-test.cc the FIPS_mode function is still used (line 112, for example). One can argue that one function that wraps around FIPS_mode and is called everywhere would be a better solution. It would be a little bit bigger modification in terms of number of changed lines.

Gerrit-MessageType: comment
Gerrit-PatchSet: 5
Gerrit-Comment-Date: Thu, 17 Nov 2022 14:16:13 +
Gerrit-HasComments: Yes
[kudu-CR] Follow-up on OpenSSL 3 FIPS mode removal
Alexey Serbin has posted comments on this change. ( http://gerrit.cloudera.org:8080/19232 )

Change subject: Follow-up on OpenSSL 3 FIPS_mode removal

Patch Set 5:

(1 comment)

http://gerrit.cloudera.org:8080/#/c/19232/5/src/kudu/server/webserver-test.cc
File src/kudu/server/webserver-test.cc:

http://gerrit.cloudera.org:8080/#/c/19232/5/src/kudu/server/webserver-test.cc@69
PS5, Line 69: // FIPS_mode is removed from OpenSSL3 for test purposes, a fake one is created and
            : // set to disabled.
            : #if OPENSSL_VERSION_NUMBER >= 0x3000L
            : int FIPS_mode() { return 0; }
            : #endif
Is this still required after adding corresponding if-defs in src/kudu/server/webserver.cc and src/kudu/util/openssl_util.cc?

Gerrit-MessageType: comment
Gerrit-PatchSet: 5
Gerrit-Comment-Date: Tue, 15 Nov 2022 18:33:51 +
Gerrit-HasComments: Yes
[kudu-CR] Follow-up on OpenSSL 3 FIPS mode removal
Zoltan Chovan has posted comments on this change. ( http://gerrit.cloudera.org:8080/19232 )

Change subject: Follow-up on OpenSSL 3 FIPS_mode removal

Patch Set 5: Code-Review+1

Gerrit-MessageType: comment
Gerrit-PatchSet: 5
Gerrit-Comment-Date: Tue, 15 Nov 2022 16:08:56 +
Gerrit-HasComments: No
[kudu-CR] Follow-up on OpenSSL 3 FIPS mode removal
Hello Kudu Jenkins,

I'd like you to reexamine a change. Please visit

    http://gerrit.cloudera.org:8080/19232

to look at the new patch set (#5).

Change subject: Follow-up on OpenSSL 3 FIPS_mode removal

Follow-up on OpenSSL 3 FIPS_mode removal

According to OpenSSL documentation[1], FIPS is now part of OpenSSL and
checking should be done with
EVP_default_properties_is_fips_enabled(3)[2], but it's not a trivial
change.

[1] https://wiki.openssl.org/index.php/OpenSSL_3.0#Upgrading_from_the_OpenSSL_2.0_FIPS_Object_Module
[2] https://www.openssl.org/docs/man3.0/man7/migration_guide.html

Change-Id: Ib67d6e6c28085ca61456c26a759c89ecdffb0b4a
---
M src/kudu/server/webserver-test.cc
M src/kudu/server/webserver.cc
M src/kudu/util/openssl_util.cc
3 files changed, 15 insertions(+), 2 deletions(-)

  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/32/19232/5

Gerrit-MessageType: newpatchset
Gerrit-PatchSet: 5
[kudu-CR] Follow-up on OpenSSL 3 FIPS mode removal
Hello Kudu Jenkins,

I'd like you to reexamine a change. Please visit

    http://gerrit.cloudera.org:8080/19232

to look at the new patch set (#4).

Change subject: Follow-up on OpenSSL 3 FIPS_mode removal

Follow-up on OpenSSL 3 FIPS_mode removal

According to OpenSSL documentation[1], FIPS is now part of OpenSSL and
checking should be done with
EVP_default_properties_is_fips_enabled(3)[2], but it's not a trivial
change.

[1] https://wiki.openssl.org/index.php/OpenSSL_3.0#Upgrading_from_the_OpenSSL_2.0_FIPS_Object_Module
[2] https://www.openssl.org/docs/man3.0/man7/migration_guide.html

Change-Id: Ib67d6e6c28085ca61456c26a759c89ecdffb0b4a
---
M src/kudu/server/webserver-test.cc
M src/kudu/server/webserver.cc
M src/kudu/util/openssl_util.cc
3 files changed, 15 insertions(+), 2 deletions(-)

  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/32/19232/4

Gerrit-MessageType: newpatchset
Gerrit-PatchSet: 4
[kudu-CR] Follow-up on OpenSSL 3 FIPS mode removal
Hello Kudu Jenkins,

I'd like you to reexamine a change. Please visit

    http://gerrit.cloudera.org:8080/19232

to look at the new patch set (#3).

Change subject: Follow-up on OpenSSL 3 FIPS_mode removal

Follow-up on OpenSSL 3 FIPS_mode removal

According to OpenSSL documentation[1], FIPS is now part of OpenSSL and
checking should be done with
EVP_default_properties_is_fips_enabled(3)[2], but it's not a trivial
change.

[1] https://wiki.openssl.org/index.php/OpenSSL_3.0#Upgrading_from_the_OpenSSL_2.0_FIPS_Object_Module
[2] https://www.openssl.org/docs/man3.0/man7/migration_guide.html

Change-Id: Ib67d6e6c28085ca61456c26a759c89ecdffb0b4a
---
M src/kudu/server/webserver-test.cc
M src/kudu/server/webserver.cc
M src/kudu/util/openssl_util.cc
3 files changed, 15 insertions(+), 2 deletions(-)

  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/32/19232/3

Gerrit-MessageType: newpatchset
Gerrit-PatchSet: 3