Posted to commits@impala.apache.org by jo...@apache.org on 2020/10/30 04:32:28 UTC

[impala] 02/04: IMPALA-10298: Change column mask hash as SHA512 in FIPS mode

This is an automated email from the ASF dual-hosted git repository.

joemcdonnell pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/impala.git

commit 1682afcda6e28571c83200a89f0e334a5ae49aa7
Author: wzhou-code <wz...@cloudera.com>
AuthorDate: Tue Oct 27 14:57:53 2020 -0700

    IMPALA-10298: Change column mask hash as SHA512 in FIPS mode
    
    The column masking API is called by Ranger during policy evaluation.
    The Ranger team requires the column mask hash to be changed to SHA-512
    in FIPS mode without changing the API.
    This patch changes MaskFunctions::MaskHash() for the string type
    to use SHA-512 in FIPS mode.
    
    Testing:
     - Passed exhaustive tests.
     - Manually test the API.
    
    Change-Id: I422d4b11b31c3e6eb7963260a1da730579c4ca74
    Reviewed-on: http://gerrit.cloudera.org:8080/16671
    Reviewed-by: Impala Public Jenkins <im...@cloudera.com>
    Tested-by: Impala Public Jenkins <im...@cloudera.com>
---
 be/src/exprs/expr-test.cc         | 26 ++++++++++++++++++++------
 be/src/exprs/mask-functions-ir.cc | 19 ++++++++++++++-----
 2 files changed, 34 insertions(+), 11 deletions(-)

diff --git a/be/src/exprs/expr-test.cc b/be/src/exprs/expr-test.cc
index 72e7aac..024799b 100644
--- a/be/src/exprs/expr-test.cc
+++ b/be/src/exprs/expr-test.cc
@@ -29,6 +29,8 @@
 #include <boost/scoped_ptr.hpp>
 #include <boost/unordered_map.hpp>
 
+#include <openssl/crypto.h>
+
 #include "codegen/llvm-codegen.h"
 #include "common/init.h"
 #include "common/object-pool.h"
@@ -10481,12 +10483,24 @@ TEST_P(ExprTest, MaskTest) {
 }
 
 TEST_P(ExprTest, MaskHashTest) {
-  TestStringValue("mask_hash('TestString-123')",
-      "8b44d559dc5d60e4453c9b4edf2a455fbce054bb8504cd3eb9b5f391bd239c90");
-  TestStringValue("mask_hash(cast('TestString-123' as varchar(24)))",
-      "8b44d559dc5d60e4453c9b4edf2a455fbce054bb8504cd3eb9b5f391bd239c90");
-  TestStringValue("mask_hash(cast('TestString-123' as char(24)))",
-      "30a88603135d3a6f7a66b4f9193da1ab4423aed45fb8fe736c2f2a08977f2bdd");
+  if (FIPS_mode()) {
+    TestStringValue("mask_hash('TestString-123')",
+        "f3a58111be6ecec11449ac44654e72376b7759883ea11723b6e51354d50436de"
+        "645bd061cb5c2b07b68e15b7a7c342cac41f69b9c4efe19e810bbd7abf639a1c");
+    TestStringValue("mask_hash(cast('TestString-123' as varchar(24)))",
+        "f3a58111be6ecec11449ac44654e72376b7759883ea11723b6e51354d50436de"
+        "645bd061cb5c2b07b68e15b7a7c342cac41f69b9c4efe19e810bbd7abf639a1c");
+    TestStringValue("mask_hash(cast('TestString-123' as char(24)))",
+        "8eb5cfb29df20ccb1142aab8700ef4649c3b26304c35263c9bbc7db0d20e1098"
+        "47a728afe0dccdfbbb3d876a5cb3ceb0bd34b5104dd62af1feb234d705bfb193");
+  } else {
+    TestStringValue("mask_hash('TestString-123')",
+        "8b44d559dc5d60e4453c9b4edf2a455fbce054bb8504cd3eb9b5f391bd239c90");
+    TestStringValue("mask_hash(cast('TestString-123' as varchar(24)))",
+        "8b44d559dc5d60e4453c9b4edf2a455fbce054bb8504cd3eb9b5f391bd239c90");
+    TestStringValue("mask_hash(cast('TestString-123' as char(24)))",
+        "30a88603135d3a6f7a66b4f9193da1ab4423aed45fb8fe736c2f2a08977f2bdd");
+  }
   TestIsNull("mask_hash(cast(123 as tinyint))", TYPE_BIGINT);
   TestIsNull("mask_hash(cast(12345 as smallint))", TYPE_BIGINT);
   TestIsNull("mask_hash(cast(12345 as int))", TYPE_BIGINT);
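Review bot: The SHA-512 expectations in MaskHashTest are guarded by the same `FIPS_mode()` call the implementation uses, so on a test host that is not in FIPS mode the new branch of MaskFunctions::MaskHash() never runs and these three vectors are never checked. The commit message mentions only a manual test of the API, so the test should say this, e.g. `// SHA-512 vectors are only verified when the test process runs with OpenSSL FIPS mode enabled.`, and a FIPS-enabled run of this test should be tracked. A short comment on why the char(24) digest differs from the other two would also help; presumably the value is padded to 24 characters before hashing, but that is not visible here. MaskHashTest continues past the end of the hunk.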
diff --git a/be/src/exprs/mask-functions-ir.cc b/be/src/exprs/mask-functions-ir.cc
index 15177bf..6034501 100644
--- a/be/src/exprs/mask-functions-ir.cc
+++ b/be/src/exprs/mask-functions-ir.cc
@@ -18,6 +18,7 @@
 #include "exprs/mask-functions.h"
 
 #include <gutil/strings/substitute.h>
+#include <openssl/crypto.h>
 #include <openssl/err.h>
 #include <openssl/sha.h>
 
@@ -702,11 +703,19 @@ BigIntVal MaskFunctions::Mask(FunctionContext* ctx, const BigIntVal& val,
 }
 
 StringVal MaskFunctions::MaskHash(FunctionContext* ctx, const StringVal& val) {
-  // Hive hash the value by sha256 and encoding it into a lower case hex string.
-  StringVal sha256_hash(ctx, SHA256_DIGEST_LENGTH);
-  if (UNLIKELY(sha256_hash.is_null)) return StringVal::null();
-  discard_result(SHA256(val.ptr, val.len, sha256_hash.ptr));
-  return StringFunctions::Lower(ctx, MathFunctions::HexString(ctx, sha256_hash));
+  // Hive hash the value by sha256 and encoding it into a lower case hex string in
+  // non FIPS mode. In FIPS enabled mode, it's required to use sha512 for mask hash.
+  if (FIPS_mode()) {
+    StringVal sha512_hash(ctx, SHA512_DIGEST_LENGTH);
+    if (UNLIKELY(sha512_hash.is_null)) return StringVal::null();
+    discard_result(SHA512(val.ptr, val.len, sha512_hash.ptr));
+    return StringFunctions::Lower(ctx, MathFunctions::HexString(ctx, sha512_hash));
+  } else {
+    StringVal sha256_hash(ctx, SHA256_DIGEST_LENGTH);
+    if (UNLIKELY(sha256_hash.is_null)) return StringVal::null();
+    discard_result(SHA256(val.ptr, val.len, sha256_hash.ptr));
+    return StringFunctions::Lower(ctx, MathFunctions::HexString(ctx, sha256_hash));
+  }
 }
 // For other types, the hash values are always NULL.
 BigIntVal MaskFunctions::MaskHash(FunctionContext* ctx, const BigIntVal& val) {
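Review bot: The digest in MaskHash(StringVal) is now chosen from process-local runtime state (`FIPS_mode()`) on every call, so the masked value for the same input grows from 64 to 128 hex characters once FIPS mode is enabled. It would also differ between daemons if a cluster ever mixed FIPS and non-FIPS hosts. Masked values that were stored, or that are joined or grouped on, will not match across that boundary, and the comment above the branch does not warn about it. I would extend that comment, e.g. `// NOTE: output length and value depend on the OpenSSL FIPS state of this process; all daemons must agree or masked values are not comparable.` Both digests are unsalted, so the mask on a low-entropy column can still be matched against hashes of candidate values; the patch does not change this, but the same comment should state it.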