You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues-all@impala.apache.org by "ASF subversion and git services (Jira)" <ji...@apache.org> on 2023/06/15 16:24:00 UTC
[jira] [Commented] (IMPALA-12211) OpenSSL 3 doesn't provide FIPS_mode()
[ https://issues.apache.org/jira/browse/IMPALA-12211?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17733162#comment-17733162 ]
ASF subversion and git services commented on IMPALA-12211:
----------------------------------------------------------
Commit c5ec833aec58425d203fbc452058ea837ad2ae75 in impala's branch refs/heads/master from Joe McDonnell
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=c5ec833ae ]
IMPALA-12211: Adapt FIPS detection to handle OpenSSL 3
Various pieces of our code detect FIPS and enable/disable
code and tests accordingly (e.g. old hashing algorithms
like MD5 are not allowed). The detection logic currently
uses FIPS_mode(), but FIPS_mode() was removed in OpenSSL 3.
The OpenSSL 3 equivalent is EVP_default_properties_is_fips_enabled().
This adds a new IsFIPSMode() function in util/openssl-util.h
that uses OPENSSL_VERSION_NUMBER to dispatch to either
FIPS_mode() or EVP_default_properties_is_fips_enabled().
This also pulls in the Kudu changes to handle this for KRPC.
The original upstream Kudu commits were:
c24629083e : Follow-up on OpenSSL 3 FIPS_mode removal
acac73ecda : Fix OpenSSL3 FIPS_mode() issue on RHEL9.1
Testing:
- Built on Ubuntu 22 / Redhat 9 with OpenSSL 3
Change-Id: I78571c8086bea06bf7b355cfe86a16f190cde067
Reviewed-on: http://gerrit.cloudera.org:8080/20072
Reviewed-by: Michael Smith <mi...@cloudera.com>
Tested-by: Impala Public Jenkins <im...@cloudera.com>
Reviewed-by: Wenzhe Zhou <wz...@cloudera.com>
> OpenSSL 3 doesn't provide FIPS_mode()
> -------------------------------------
>
> Key: IMPALA-12211
> URL: https://issues.apache.org/jira/browse/IMPALA-12211
> Project: IMPALA
> Issue Type: Bug
> Components: Backend
> Affects Versions: Impala 4.3.0
> Reporter: Joe McDonnell
> Priority: Major
>
> OpenSSL 3 doesn't provide FIPS_mode(). Instead, it provides EVP_default_properties_is_fips_enabled(). To compile against OpenSSL 3 (needed for Ubuntu 22 and Redhat 9), the existing references to FIPS_mode() will need to handle this.
> Current FIPS_mode() references:
> {noformat}
> be/src/exprs/expr-test.cc: if (FIPS_mode()) {
> be/src/exprs/expr-test.cc: if (!FIPS_mode()) {
> be/src/exprs/expr-test.cc: if (FIPS_mode()) {
> be/src/exprs/expr-test.cc: if (FIPS_mode()) {
> be/src/exprs/mask-functions-ir.cc: if (FIPS_mode()) {
> be/src/exprs/utility-functions-ir.cc: if (FIPS_mode()) {
> be/src/exprs/utility-functions-ir.cc: if (FIPS_mode() && (bit_len.val == 224 || bit_len.val == 256)) {
> be/src/exprs/utility-functions-ir.cc: if (UNLIKELY(FIPS_mode())) {
> be/src/kudu/util/openssl_util.cc: auto fips_mode = FIPS_mode();
> be/src/util/webserver-test.cc: if (FIPS_mode()) {
> be/src/util/webserver-test.cc: if (FIPS_mode()) return;
> be/src/util/webserver.cc: if (FIPS_mode()) {{noformat}
> We also need to pull in these two Kudu fixes for the KRPC code:
> [https://github.com/apache/kudu/commit/c24629083e520614af50d0c4242e3d30f55689b6]
> [https://github.com/apache/kudu/commit/acac73ecda83ec2390b5990cc132ca6968bfefdf]
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-all-unsubscribe@impala.apache.org
For additional commands, e-mail: issues-all-help@impala.apache.org