Posted to commits@kudu.apache.org by ab...@apache.org on 2020/11/03 22:37:40 UTC

[kudu] 01/02: KUDU-3210 Disable digest authn in FIPS mode

This is an automated email from the ASF dual-hosted git repository.

abukor pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/kudu.git

commit 46231c52f5f16c1613d92f3393724f3c4c15db22
Author: Attila Bukor <ab...@apache.org>
AuthorDate: Thu Oct 29 13:13:48 2020 +0100

    KUDU-3210 Disable digest authn in FIPS mode
    
    The webserver supports digest authentication, which is considered
    insecure as it's based on MD5. This doesn't comply with FIPS 140-2, so
    it needs to be disabled in FIPS approved mode.
    
    Squeasel also used to roll its own MD5 implementation instead of using
    OpenSSL's implementation. This commit also bumps the Squeasel version to
    the most recent commit that already removes the MD5 implementation in
    favor of OpenSSL's one. This is useful in case we need to catch some
    other non-FIPS-compliant usages in the future. This new version no
    longer supports PROPFIND and MKCOL methods, which we fortunately didn't
    use, but string matched the list of supported methods in tests.
    
    Change-Id: I4a446aa8d95a67658c727d3a6f85943d64c79ecf
    Reviewed-on: http://gerrit.cloudera.org:8080/16675
    Reviewed-by: Alexey Serbin <as...@cloudera.com>
    Tested-by: Attila Bukor <ab...@apache.org>
---
 src/kudu/server/webserver-test.cc | 37 ++++++++++++++++++++++++++++---------
 src/kudu/server/webserver.cc      |  5 +++++
 thirdparty/vars.sh                |  2 +-
 3 files changed, 34 insertions(+), 10 deletions(-)

diff --git a/src/kudu/server/webserver-test.cc b/src/kudu/server/webserver-test.cc
index f709a8b..652b9a6 100644
--- a/src/kudu/server/webserver-test.cc
+++ b/src/kudu/server/webserver-test.cc
@@ -17,6 +17,8 @@
 
 #include "kudu/server/webserver.h"
 
+#include <openssl/crypto.h>
+
 #include <cstdlib>
 #include <functional>
 #include <iosfwd>
@@ -100,14 +102,16 @@ class WebserverTest : public KuduTest {
     server_.reset(new Webserver(opts));
 
     AddDefaultPathHandlers(server_.get());
-    ASSERT_OK(server_->Start());
-
-    vector<Sockaddr> addrs;
-    ASSERT_OK(server_->GetBoundAddresses(&addrs));
-    ASSERT_EQ(addrs.size(), 1);
-    ASSERT_TRUE(addrs[0].IsWildcard());
-    ASSERT_OK(addr_.ParseString("127.0.0.1", addrs[0].port()));
-    url_ = Substitute("http://$0", addr_.ToString());
+    if (!use_htpasswd() || !FIPS_mode()) {
+      ASSERT_OK(server_->Start());
+
+      vector<Sockaddr> addrs;
+      ASSERT_OK(server_->GetBoundAddresses(&addrs));
+      ASSERT_EQ(addrs.size(), 1);
+      ASSERT_TRUE(addrs[0].IsWildcard());
+      ASSERT_OK(addr_.ParseString("127.0.0.1", addrs[0].port()));
+      url_ = Substitute("http://$0", addr_.ToString());
+    }
   }
 
   void RunTestOptions() {
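Review bot: The guard `if (!use_htpasswd() || !FIPS_mode())` in SetUp leaves `url_` and `addr_` unset when a password file is combined with FIPS mode, and nothing next to the code says so. A comment above the guard, e.g. `// With a password file in FIPS mode Start() is expected to fail; TestCrashInFIPSMode calls it directly.`, would explain why the server is not started here. It would also warn that fixture tests must not rely on `url_` in that configuration. SetUp begins outside the hunk.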
@@ -115,7 +119,7 @@ class WebserverTest : public KuduTest {
     curl_.set_return_headers(true);
     ASSERT_OK(curl_.FetchURL(url_, &buf_));
     ASSERT_STR_CONTAINS(buf_.ToString(),
-                        "Allow: GET, POST, HEAD, OPTIONS, PROPFIND, MKCOL");
+                        "Allow: GET, POST, HEAD, OPTIONS");
   }
 
  protected:
@@ -147,16 +151,31 @@ class PasswdWebserverTest : public WebserverTest {
 // Send a HTTP request with no username and password. It should reject
 // the request as the .htpasswd is presented to webserver.
 TEST_F(PasswdWebserverTest, TestPasswdMissing) {
+  if (FIPS_mode()) {
+    return;
+  }
   Status status = curl_.FetchURL(url_, &buf_);
   ASSERT_EQ("Remote error: HTTP 401", status.ToString());
 }
 
 TEST_F(PasswdWebserverTest, TestPasswdPresent) {
+  if (FIPS_mode()) {
+    return;
+  }
   ASSERT_OK(curl_.set_auth(CurlAuthType::DIGEST, security::kTestAuthUsername,
                            security::kTestAuthPassword));
   ASSERT_OK(curl_.FetchURL(addr_.ToString(), &buf_));
 }
 
+TEST_F(PasswdWebserverTest, TestCrashInFIPSMode) {
+  if (!FIPS_mode()) {
+    return;
+  }
+
+  Status s = server_->Start();
+  ASSERT_TRUE(s.IsIllegalState());
+  ASSERT_STR_CONTAINS("Digest authentication in FIPS approved mode", s.ToString());
+}
 
 class SpnegoWebserverTest : public WebserverTest {
  protected:
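Review bot: The arguments to `ASSERT_STR_CONTAINS` in TestCrashInFIPSMode look reversed. RunTestOptions earlier in this file passes the searched string first and the expected substring second, so this assertion would check whether the short literal contains the whole status text, and would presumably fail on a FIPS-enabled host. The line should read `ASSERT_STR_CONTAINS(s.ToString(), "Digest authentication in FIPS approved mode");`. Separately, all three tests bail out with a bare `return`, so they are reported as passed on hosts where they never ran; `GTEST_SKIP()` would make the skip visible if the bundled googletest provides it. The test name says "Crash" although the code asserts an `IllegalState` status from `Start()`.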
diff --git a/src/kudu/server/webserver.cc b/src/kudu/server/webserver.cc
index a903661..420984f 100644
--- a/src/kudu/server/webserver.cc
+++ b/src/kudu/server/webserver.cc
@@ -18,6 +18,7 @@
 #include "kudu/server/webserver.h"
 
 #include <netinet/in.h>
+#include <openssl/crypto.h>
 #include <sys/socket.h>
 
 #include <algorithm>
@@ -276,6 +277,10 @@ Status Webserver::Start() {
   }
 
   if (!opts_.password_file.empty()) {
+    if (FIPS_mode()) {
+      return Status::IllegalState(
+          "Webserver cannot be started with Digest authentication in FIPS approved mode");
+    }
     // Mongoose doesn't log anything if it can't stat the password file (but
     // will if it can't open it, which it tries to do during a request).
     if (!Env::Default()->FileExists(opts_.password_file)) {
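Review bot: The new `if (FIPS_mode())` check in Webserver::Start() has no comment giving the reason for the refusal. A line such as `// Digest authentication is MD5-based, which is not allowed in FIPS approved mode.` above it would keep the rationale next to the code rather than only in the commit message. The check also calls OpenSSL's `FIPS_mode()` directly, which was removed in OpenSSL 3.0. If the project is ever built against 3.x, this needs `EVP_default_properties_is_fips_enabled(nullptr)` or a small wrapper shared with the test file. Start() begins and continues outside the hunk.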
diff --git a/thirdparty/vars.sh b/thirdparty/vars.sh
index 95c2de8..c29e50a 100644
--- a/thirdparty/vars.sh
+++ b/thirdparty/vars.sh
@@ -96,7 +96,7 @@ RAPIDJSON_SOURCE=$TP_SOURCE_DIR/$RAPIDJSON_NAME
 #  export NAME=squeasel-$(git rev-parse HEAD)
 #  git archive HEAD --prefix=$NAME/ -o /tmp/$NAME.tar.gz
 #  s3cmd put -P /tmp/$NAME.tar.gz s3://cloudera-thirdparty-libs/$NAME.tar.gz
-SQUEASEL_VERSION=030ccce87359d892e22fb368c5fc5b75d9a2a5f7
+SQUEASEL_VERSION=d83cf6d9af0e2c98c16467a6a035ae0d7ca21cb1
 SQUEASEL_NAME=squeasel-$SQUEASEL_VERSION
 SQUEASEL_SOURCE=$TP_SOURCE_DIR/$SQUEASEL_NAME