You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues-all@impala.apache.org by "Wenzhe Zhou (Jira)" <ji...@apache.org> on 2020/11/10 18:37:00 UTC
[jira] [Updated] (IMPALA-10227) Clean up hash functions for FIPS
compliant build
[ https://issues.apache.org/jira/browse/IMPALA-10227?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Wenzhe Zhou updated IMPALA-10227:
---------------------------------
Description:
md5 is blocked for “FIPS compliant” libraries, SHA-1 and SHA-256 will be soon to be deprecated. We should avoid these hash algorithms in Impala code.
IMPALA-10205, IMPALA-10206, IMPALA-10207 , IMPALA-10298, IMPALA-10305 track the FIPS blocking issues for the upcoming release (7.1.5). This Jira tracks the remaining non-block issues for cleanup in the future.
- Key Agreement and Authentication Algorithms in be/src/kudu/security
Kudu security code support SHA-256 for message digest and signing key
GetServerEndPointChannelBindings() in be/src/kudu/security/cert.cc
DigestType in be/src/kudu/security/crypto.h and crypto.cc
TokenSigningPrivateKey::Sign()and TokenSigningPublicKey::VerifySignature() in be/src/kudu/security/token_signing_key.cc
- Integrity and Authentication Hash
Openssl utility function generate integrity and authentication hash in SHA-256
IntegrityHash() and AuthenticationHash() in be/src/util/openssl-util.h
- RPC generate cookie
RPC generate cookie in SHA-256:
GenerateCookie() in be/src/rpc/authentication-util.cc
- Python script for dev/test environment
In Python script infra.deploy/deploy.py, it calls hashlib.md5() to generate hash for hostId when generating role_name for service as below:
md5 = hashlib.md5()
md5.update(master_host.hostId)
new_role_name = "%s-%s-%s" % (new_name, rcg.roleType, md5.hexdigest())
We use md5 for non-security purposes and there is no dependency on the hash value so we can change the hash algorithm. Except the md5 hash algorithm, hashlib supports SHA1/SHA224/SHA256/SHA384/SHA512 ([https://docs.python.org/2/library/hashlib.html]). We can change md5 to sha512.
- PostgreSQL configuration for dev/test environment
In Shell script bin/bootstrap_system.sh, it set the password authentication methods of PostgreSQL as md5 to a{color:#000000}ccept md5-hashed passwords from localhost. {color}
{color:#000000}According to PostgreSQL document {color}[https://www.postgresql.org/docs/11/auth-password.html], it recommends to upgrade md5 to scram-sha-256, but we have to ensure that the client libraries are new enough to support SCRAM.
was:
md5 is blocked for “FIPS compliant” libraries, SHA-1 and SHA-256 will be soon to be deprecated. We should avoid these hash algorithms in Impala code.
IMPALA-10205, IMPALA-10206, IMPALA-10207 , IMPALA-10298 track the FIPS blocking issues for the upcoming release. This Jira tracks the remaining non-block issues for cleanup in the future.
- Key Agreement and Authentication Algorithms in be/src/kudu/security
Kudu security code support SHA-256 for message digest and signing key
GetServerEndPointChannelBindings() in be/src/kudu/security/cert.cc
DigestType in be/src/kudu/security/crypto.h and crypto.cc
TokenSigningPrivateKey::Sign()and TokenSigningPublicKey::VerifySignature() in be/src/kudu/security/token_signing_key.cc
- Encoding (IMPALA-10298)
{color:#000000}Hive use SHA-256 to hash value and encoding{color}
{color:#000000} {color}{color:#000000}MaskFunctions::MaskHash() in be/src/exprs/mask-functions-ir.cc{color}
- RPC generate cookie
RPC generate cookie in SHA-256:
GenerateCookie() in be/src/rpc/cookie-util.cc
- Integrity and Authentication Hash
Openssl utility function generate integrity and authentication hash in SHA-256
IntegrityHash() and AuthenticationHash() in be/src/util/openssl-util.h
- Python script for dev/test environment
In Python script infra.deploy/deploy.py, it calls hashlib.md5() to generate hash for hostId when generating role_name for service as below:
md5 = hashlib.md5()
md5.update(master_host.hostId)
new_role_name = "%s-%s-%s" % (new_name, rcg.roleType, md5.hexdigest())
We use md5 for non-security purposes and there is no dependency on the hash value so we can change the hash algorithm. Except the md5 hash algorithm, hashlib supports SHA1/SHA224/SHA256/SHA384/SHA512 ([https://docs.python.org/2/library/hashlib.html]). We can change md5 to sha512.
- PostgreSQL configuration for dev/test environment
In Shell script bin/bootstrap_system.sh, it set the password authentication methods of PostgreSQL as md5 to a{color:#000000}ccept md5-hashed passwords from localhost. {color}
{color:#000000}According to PostgreSQL document {color}[https://www.postgresql.org/docs/11/auth-password.html], it recommends to upgrade md5 to scram-sha-256, but we have to ensure that the client libraries are new enough to support SCRAM.
> Clean up hash functions for FIPS compliant build
> ------------------------------------------------
>
> Key: IMPALA-10227
> URL: https://issues.apache.org/jira/browse/IMPALA-10227
> Project: IMPALA
> Issue Type: Improvement
> Components: Backend, Infrastructure
> Affects Versions: Impala 4.0
> Reporter: Wenzhe Zhou
> Assignee: Wenzhe Zhou
> Priority: Minor
> Labels: FIPS
>
> md5 is blocked for “FIPS compliant” libraries, SHA-1 and SHA-256 will be soon to be deprecated. We should avoid these hash algorithms in Impala code.
> IMPALA-10205, IMPALA-10206, IMPALA-10207 , IMPALA-10298, IMPALA-10305 track the FIPS blocking issues for the upcoming release (7.1.5). This Jira tracks the remaining non-block issues for cleanup in the future.
>
> - Key Agreement and Authentication Algorithms in be/src/kudu/security
> Kudu security code support SHA-256 for message digest and signing key
> GetServerEndPointChannelBindings() in be/src/kudu/security/cert.cc
> DigestType in be/src/kudu/security/crypto.h and crypto.cc
> TokenSigningPrivateKey::Sign()and TokenSigningPublicKey::VerifySignature() in be/src/kudu/security/token_signing_key.cc
>
> - Integrity and Authentication Hash
> Openssl utility function generate integrity and authentication hash in SHA-256
> IntegrityHash() and AuthenticationHash() in be/src/util/openssl-util.h
>
> - RPC generate cookie
> RPC generate cookie in SHA-256:
> GenerateCookie() in be/src/rpc/authentication-util.cc
>
> - Python script for dev/test environment
> In Python script infra.deploy/deploy.py, it calls hashlib.md5() to generate hash for hostId when generating role_name for service as below:
> md5 = hashlib.md5()
> md5.update(master_host.hostId)
> new_role_name = "%s-%s-%s" % (new_name, rcg.roleType, md5.hexdigest())
> We use md5 for non-security purposes and there is no dependency on the hash value so we can change the hash algorithm. Except the md5 hash algorithm, hashlib supports SHA1/SHA224/SHA256/SHA384/SHA512 ([https://docs.python.org/2/library/hashlib.html]). We can change md5 to sha512.
>
> - PostgreSQL configuration for dev/test environment
> In Shell script bin/bootstrap_system.sh, it set the password authentication methods of PostgreSQL as md5 to a{color:#000000}ccept md5-hashed passwords from localhost. {color}
> {color:#000000}According to PostgreSQL document {color}[https://www.postgresql.org/docs/11/auth-password.html], it recommends to upgrade md5 to scram-sha-256, but we have to ensure that the client libraries are new enough to support SCRAM.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-all-unsubscribe@impala.apache.org
For additional commands, e-mail: issues-all-help@impala.apache.org