Uploaded image for project: 'IMPALA'
  1. IMPALA
  2. IMPALA-10227

Clean up hash functions for FIPS compliant build

    XMLWordPrintableJSON

Details

    • Improvement
    • Status: Closed
    • Minor
    • Resolution: Fixed
    • Impala 4.0.0
    • None
    • Backend, Infrastructure
    • ghx-label-10

    Description

      md5 is blocked for “FIPS compliant” libraries, SHA-1 and SHA-256 will be soon to be deprecated. We should avoid these hash algorithms in Impala code.

      IMPALA-10205, IMPALA-10206, IMPALA-10207 , IMPALA-10298,  IMPALA-10305  track the FIPS blocking issues for the upcoming release (7.1.5). This Jira tracks the remaining non-block issues for cleanup in the future.
       

      • Key Agreement and Authentication Algorithms in be/src/kudu/security
        Kudu security code support SHA-256 for message digest and signing key
        GetServerEndPointChannelBindings() in be/src/kudu/security/cert.cc
        DigestType in be/src/kudu/security/crypto.h and crypto.cc
        TokenSigningPrivateKey::Sign()and TokenSigningPublicKey::VerifySignature() in be/src/kudu/security/token_signing_key.cc  
         
      • Integrity and Authentication Hash
        Openssl utility function generate integrity and authentication hash in SHA-256
        IntegrityHash() and AuthenticationHash() in be/src/util/openssl-util.h
         
      • RPC generate cookie
        RPC generate cookie in SHA-256:
        GenerateCookie() in be/src/rpc/authentication-util.cc
         
      • Python script for dev/test environment
        In Python script infra.deploy/deploy.py, it calls hashlib.md5() to generate hash for hostId when generating role_name for service as below:
           md5 = hashlib.md5()
           md5.update(master_host.hostId)
           new_role_name = "%s-%s-%s" % (new_name, rcg.roleType, md5.hexdigest())
        We use md5 for non-security purposes and there is no dependency on the hash value so we can change the hash algorithm. Except the md5 hash algorithm, hashlib supports SHA1/SHA224/SHA256/SHA384/SHA512 (https://docs.python.org/2/library/hashlib.html). We can change md5 to sha512.
         
        - PostgreSQL configuration for dev/test environment
        In Shell script bin/bootstrap_system.sh, it set the password authentication methods of PostgreSQL as md5 to accept md5-hashed passwords from localhost. 
        According to PostgreSQL document https://www.postgresql.org/docs/11/auth-password.html, it recommends to upgrade md5 to scram-sha-256, but we have to ensure that the client libraries are new enough to support SCRAM.

      Attachments

        Activity

          People

            wzhou Wenzhe Zhou
            wzhou Wenzhe Zhou
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: