You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@bookkeeper.apache.org by "Sijie Guo (JIRA)" <ji...@apache.org> on 2016/08/01 06:05:20 UTC

[jira] [Resolved] (BOOKKEEPER-938) LedgerOpenOp should use digestType from metadata

     [ https://issues.apache.org/jira/browse/BOOKKEEPER-938?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sijie Guo resolved BOOKKEEPER-938.
----------------------------------
       Resolution: Fixed
    Fix Version/s: 4.5.0

Issue resolved by merging pull request 52
            [https://github.com/apache/bookkeeper/pull/52]

            {noformat}
            commit 64f596f4563436b3e4cfe0f57714fc3012778b4c
Author:     Andrey Yegorov <ay...@salesforce.com>
AuthorDate: Sun Jul 31 23:04:09 2016 -0700
Commit:     Sijie Guo <si...@apache.org>
CommitDate: Sun Jul 31 23:04:09 2016 -0700

    BOOKKEEPER-938 ledger digestType autodetection on open
    
    Currently digestType verification in LedgerOpenOp seems to be treated as part of security logic.
    Since it is checked after password and error explicitly states that digestType mismatched,
    all that evil hacker has to do is to change digest type to another one. There are only two of them after all.
    
    here is the scenario significantly affected by current behavior:
    
    1. user rolls out clients with digestType set to MAC and creates lots of ledgers.
    2. user notices that MAC is slower than CRC32 and decides to change digestType.
    3. more ledgers created with CRC32.
    4. user tries to read old and new ledgers
    -> now old ledgers cannot be read because of the digest type mismatch.
    
    Author: Andrey Yegorov <ay...@salesforce.com>
    
    Reviewers: Sijie Guo <si...@apache.org>
    
    Closes #52 from dlg99/fix/BOOKKEEPER-938-digest-autodetect

            {noformat}
            

> LedgerOpenOp should use digestType from metadata
> ------------------------------------------------
>
>                 Key: BOOKKEEPER-938
>                 URL: https://issues.apache.org/jira/browse/BOOKKEEPER-938
>             Project: Bookkeeper
>          Issue Type: Bug
>          Components: bookkeeper-client
>    Affects Versions: 4.5.0
>            Reporter: Andrey Yegorov
>            Priority: Minor
>             Fix For: 4.5.0
>
>
> Currently digestType verification in LedgerOpenOp seems to be treated as part of security logic. Since it is checked after password and error explicitly states that digestType mismatched, all that evil hacker has to do is to change digest type to another one. There are only two of them after all.
> here is the scenario significantly affected by current behavior:
> 1. user rolls out clients with digestType set to MAC and creates lots of ledgers.
> 2. user notices that MAC is slower than CRC32 and decides to change digestType.
> 3. more ledgers created with CRC32.
> 4. user tries to read old and new ledgers
> -> now old ledgers cannot be read because of the digest type mismatch.
> I'll send pull request for review.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)