You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@impala.apache.org by st...@apache.org on 2023/08/16 06:15:15 UTC
[impala] 03/03: IMPALA-11195: Disable SSL renegotiations for OpenSSL 1.0.2.
This is an automated email from the ASF dual-hosted git repository.
stigahuang pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/impala.git
commit ddcdfc2200c7d605b07d443ba911f89c48ecee39
Author: Zoltan Borok-Nagy <bo...@cloudera.com>
AuthorDate: Tue Aug 8 16:07:29 2023 +0200
IMPALA-11195: Disable SSL renegotiations for OpenSSL 1.0.2.
When OpenSSL 1.0.2 was being used Impala didn't disable SSL
renegotiations correctly. It wasn't enough setting the flag
SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS right after SSL_new() as
due to an OpenSSL bug the SSL flags are getting reset in SSL_accept().
See https://github.com/openssl/openssl/discussions/21666
With this patch the followings happen depending on the OpenSSL versions:
* OpenSSL 1.0.2: we set the SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS flag in
a callback function the same way as it is being set in various
open source projects
* OpenSSL 1.1.0h+: we set the SSL_OP_NO_RENEGOTIATION option in the
SSL_CTX object
* OpenSSL versions between the above two: we raise either compile-time
error (when compiled with such version) or runtime warning (when
Impala is running with such version)
This patch also upgrades the native toolchain version to have a Thrift
that is fixed the same way.
Testing:
* manually tested on CentOS 7.9 with
>openssl s_client -connect <host>:<port>
>R
Initially it outputs that "Secure Renegotiation IS supported" because
we can only set the SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS flag after the
handshake, but then prompting "R" doesn't do the renegotiation.
Without these changes "R" renegotiates.
Change-Id: I6fd6a8dedcbca8f50a16dbe68ebd8303e3e5aed1
Reviewed-on: http://gerrit.cloudera.org:8080/20360
Reviewed-by: Impala Public Jenkins <im...@cloudera.com>
Tested-by: Impala Public Jenkins <im...@cloudera.com>
---
be/src/rpc/authentication.cc | 8 ++++++++
be/src/thirdparty/squeasel/squeasel.c | 28 +++++++++++++++++++++-------
bin/impala-config.sh | 2 +-
3 files changed, 30 insertions(+), 8 deletions(-)
diff --git a/be/src/rpc/authentication.cc b/be/src/rpc/authentication.cc
index 16bf5acf7..5dadd8e3a 100644
--- a/be/src/rpc/authentication.cc
+++ b/be/src/rpc/authentication.cc
@@ -1495,6 +1495,14 @@ Status AuthManager::Init() {
TSSLSocketFactory::setManualOpenSSLInitialization(true);
kudu::security::InitializeOpenSSL();
LOG(INFO) << "Initialized " << OPENSSL_VERSION_TEXT;
+ LOG(INFO) << "Runtime OpenSSL version " << SSLeay_version(SSLEAY_VERSION);
+ unsigned long openssl_version = SSLeay();
+ // Check if we are running against an OpenSSL version that is vulnerable to
+ // CVE-2009-3555
+ if (openssl_version >= 0x10100000L && openssl_version <= 0x1010007fL) {
+ LOG(WARNING) <<
+ "OpenSSL runtime version detected that is vulnerable to CVE-2009-3555";
+ }
// Could use any other requiered flag for SAML
bool use_saml = !FLAGS_saml2_sp_callback_url.empty();
diff --git a/be/src/thirdparty/squeasel/squeasel.c b/be/src/thirdparty/squeasel/squeasel.c
index 1ba9aa8bd..a3934fa22 100644
--- a/be/src/thirdparty/squeasel/squeasel.c
+++ b/be/src/thirdparty/squeasel/squeasel.c
@@ -3792,15 +3792,21 @@ static int set_uid_option(struct sq_context *ctx) {
static pthread_mutex_t *ssl_mutexes;
-static int sslize(struct sq_connection *conn, SSL_CTX *s, int (*func)(SSL *)) {
- return (conn->ssl = SSL_new(s)) != NULL &&
#if OPENSSL_VERSION_NUMBER < 0x10100000L
- // IMPALA-11195: disable TLS/SSL renegotiation. In version 1.0.2 and prior it's
- // possible to use the undocumented SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS flag.
- // For more context, see a note on the SSL_OP_NO_RENEGOTIATION option in the
- // $OPENSSL_ROOT/CHANGES and https://github.com/openssl/openssl/issues/4739.
- (conn->ssl->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) &&
+// IMPALA-11195: disable TLS/SSL renegotiation. In version 1.0.2 and prior it's
+// possible to use the undocumented SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS flag.
+static void ssl_disable_renegotiation_cb(const SSL *ssl, int where, int ret)
+{
+ (void)ret;
+ if ((where & SSL_CB_HANDSHAKE_DONE) != 0) {
+ // disable renegotiation (CVE-2009-3555)
+ ssl->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
+ }
+}
#endif
+
+static int sslize(struct sq_connection *conn, SSL_CTX *s, int (*func)(SSL *)) {
+ return (conn->ssl = SSL_new(s)) != NULL &&
SSL_set_fd(conn->ssl, conn->client.sock) == 1 &&
func(conn->ssl) == 1;
}
@@ -3928,6 +3934,14 @@ static int set_ssl_option(struct sq_context *ctx) {
// will be accepted but nothing will happen, i.e. renegotiation will
// not be prevented.
options |= SSL_OP_NO_RENEGOTIATION;
+#elif OPENSSL_VERSION_NUMBER < 0x10100000L
+ // IMPALA-11195: disable TLS/SSL renegotiation. In version 1.0.2 and prior it's
+ // possible to use the undocumented SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS flag.
+ // We need to set the flag in the callback 'ssl_disable_renegotiation_cb' after
+ // handshake is done, otherwise the flag would get reset in SSL_accept().
+ SSL_CTX_set_info_callback(ctx_, ssl_disable_renegotiation_cb);
+#else
+ static_error(false, "Found SSL version that is vulnerable to CVE-2009-3555.");
#endif
if ((SSL_CTX_set_options(ctx->ssl_ctx, options) & options) != options) {
diff --git a/bin/impala-config.sh b/bin/impala-config.sh
index b10541439..7afa739f4 100755
--- a/bin/impala-config.sh
+++ b/bin/impala-config.sh
@@ -85,7 +85,7 @@ export USE_AVRO_CPP=${USE_AVRO_CPP:=false}
# moving to a different build of the toolchain, e.g. when a version is bumped or a
# compile option is changed. The build id can be found in the output of the toolchain
# build jobs, it is constructed from the build number and toolchain git hash prefix.
-export IMPALA_TOOLCHAIN_BUILD_ID=324-bb64c6ed91
+export IMPALA_TOOLCHAIN_BUILD_ID=351-c240088ecb
# Versions of toolchain dependencies.
# -----------------------------------
if $USE_AVRO_CPP; then