     new 43b97a72e ZOOKEEPER-4889: Fallback to DIGEST-MD5 auth mech should be 
disabled in Fips mode (branch-3.8)

commit 43b97a72ed502401b4b7f28bf6d4820b6c592bc4
Author: Andor Molnár <an...@apache.org>
AuthorDate: Tue Nov 26 09:55:30 2024 -0600

    ZOOKEEPER-4889: Fallback to DIGEST-MD5 auth mech should be disabled in Fips 
mode (branch-3.8)
    
    Reviewers: kezhuw, symat
    Author: anmolnar
    Closes #2215 from anmolnar/ZOOKEEPER-4889_38
---
 zookeeper-docs/src/main/resources/markdown/zookeeperAdmin.md | 12 ++++++++----
 .../org/apache/zookeeper/client/ZooKeeperSaslClient.java     |  2 +-
 .../src/main/java/org/apache/zookeeper/common/X509Util.java  |  5 +++--
 .../zookeeper/server/auth/X509AuthenticationProvider.java    |  2 +-
 .../zookeeper/server/quorum/auth/SaslQuorumAuthLearner.java  |  1 +
 .../main/java/org/apache/zookeeper/util/SecurityUtils.java   |  8 ++++++++
 6 files changed, 22 insertions(+), 8 deletions(-)

diff --git a/zookeeper-docs/src/main/resources/markdown/zookeeperAdmin.md 
b/zookeeper-docs/src/main/resources/markdown/zookeeperAdmin.md
index 8ae003029..29276e5bc 100644
--- a/zookeeper-docs/src/main/resources/markdown/zookeeperAdmin.md
+++ b/zookeeper-docs/src/main/resources/markdown/zookeeperAdmin.md
@@ -1810,10 +1810,14 @@ and [SASL authentication for 
ZooKeeper](https://cwiki.apache.org/confluence/disp
 * *fips-mode* :
     (Java system property: **zookeeper.fips-mode**)
     **New in 3.8.2:**
-    Enable FIPS compatibility mode in ZooKeeper. If enabled, the custom trust 
manager (`ZKTrustManager`) that is used for 
-    hostname verification will be disabled in order to comply with FIPS 
requirements. As a consequence, hostname verification is not
-    available in the Quorum protocol, but still can be set in client-server 
communication. Default: **true** (3.9.0+), 
-    **false** (3.8.x)
+    Enable FIPS compatibility mode in ZooKeeper. If enabled, the following 
things will be changed in order to comply 
+    with FIPS requirements:
+    * Custom trust manager (`ZKTrustManager`) that is used for hostname 
verification will be disabled. As a consequence, 
+      hostname verification is not available in the Quorum protocol, but still 
can be set in client-server communication. 
+    * DIGEST-MD5 Sasl auth mechanism will be disabled in Quorum and ZooKeeper 
Sasl clients. Only GSSAPI (Kerberos)
+      can be used.
+    
+    Default: **true** (3.9.0+), **false** (3.8.x)
 
 <a name="Experimental+Options%2FFeatures"></a>
 
diff --git 
a/zookeeper-server/src/main/java/org/apache/zookeeper/client/ZooKeeperSaslClient.java
 
b/zookeeper-server/src/main/java/org/apache/zookeeper/client/ZooKeeperSaslClient.java
index cafa66610..87e26cdf7 100644
--- 
a/zookeeper-server/src/main/java/org/apache/zookeeper/client/ZooKeeperSaslClient.java
+++ 
b/zookeeper-server/src/main/java/org/apache/zookeeper/client/ZooKeeperSaslClient.java
@@ -247,7 +247,7 @@ public class ZooKeeperSaslClient {
                     l.startThreadIfNeeded();
                 }
             }
-            return SecurityUtils.createSaslClient(loginRef.get().getSubject(),
+            return SecurityUtils.createSaslClient(clientConfig, 
loginRef.get().getSubject(),
                 servicePrincipal, "zookeeper", "zk-sasl-md5", LOG, "Client");
         } catch (LoginException e) {
             // We throw LoginExceptions...
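Review bot: The `return` on the changed line now hands back whatever `SecurityUtils.createSaslClient` yields, and per that method's hunk in this same commit the result is `null` when FIPS mode is on and the login subject has no principals. The enclosing method begins before this hunk, so the caller that stores the value is not visible; please confirm it null-checks the client and moves SASL into a terminal failed state rather than dereferencing it or quietly continuing without authentication. A FIPS misconfiguration should fail closed with a clear message, e.g. after the call in the caller: `if (saslClient == null) { LOG.error("SASL client could not be created (DIGEST-MD5 disabled in FIPS mode); refusing to authenticate"); }` followed by the existing failure path. Note the `catch (LoginException e)` directly below means a thrown `LoginException` inside this `try` would be swallowed into that branch, so the check belongs at the call site, not here.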
diff --git 
a/zookeeper-server/src/main/java/org/apache/zookeeper/common/X509Util.java 
b/zookeeper-server/src/main/java/org/apache/zookeeper/common/X509Util.java
index ce185e137..b53800cda 100644
--- a/zookeeper-server/src/main/java/org/apache/zookeeper/common/X509Util.java
+++ b/zookeeper-server/src/main/java/org/apache/zookeeper/common/X509Util.java
@@ -69,6 +69,7 @@ public abstract class X509Util implements Closeable, 
AutoCloseable {
 
     private static final String REJECT_CLIENT_RENEGOTIATION_PROPERTY = 
"jdk.tls.rejectClientInitiatedRenegotiation";
     private static final String FIPS_MODE_PROPERTY = "zookeeper.fips-mode";
+    private static final boolean FIPS_MODE_DEFAULT = false;
 
     static {
         // Client-initiated renegotiation in TLS is unsafe and
@@ -259,8 +260,8 @@ public abstract class X509Util implements Closeable, 
AutoCloseable {
         return FIPS_MODE_PROPERTY;
     }
 
-    public boolean getFipsMode(ZKConfig config) {
-        return config.getBoolean(FIPS_MODE_PROPERTY, false);
+    public static boolean getFipsMode(ZKConfig config) {
+        return config.getBoolean(FIPS_MODE_PROPERTY, FIPS_MODE_DEFAULT);
     }
 
     public boolean isServerHostnameVerificationEnabled(ZKConfig config) {
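Review bot: `getFipsMode` is now a public static entry point that this commit also calls from `SecurityUtils` to decide which SASL mechanism is allowed, yet it carries no Javadoc, and it dereferences `config` unconditionally so a null argument surfaces as a `NullPointerException` far from the misconfigured caller. Suggest documenting it as `/** Returns whether FIPS compatibility mode ({@code zookeeper.fips-mode}) is enabled in {@code config}; defaults to {@value #FIPS_MODE_DEFAULT} on this branch. Callers in FIPS mode must not rely on DIGEST-MD5 or the custom trust manager. */`. Making the method static keeps existing `x509Util.getFipsMode(config)` call sites compiling, so the change is source-compatible; the doc string is the only thing missing.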
diff --git 
a/zookeeper-server/src/main/java/org/apache/zookeeper/server/auth/X509AuthenticationProvider.java
 
b/zookeeper-server/src/main/java/org/apache/zookeeper/server/auth/X509AuthenticationProvider.java
index 52eb7a7a9..3c29b5f08 100644
--- 
a/zookeeper-server/src/main/java/org/apache/zookeeper/server/auth/X509AuthenticationProvider.java
+++ 
b/zookeeper-server/src/main/java/org/apache/zookeeper/server/auth/X509AuthenticationProvider.java
@@ -98,7 +98,7 @@ public class X509AuthenticationProvider implements 
AuthenticationProvider {
                     x509Util.getSslTruststorePasswdProperty(),
                     x509Util.getSslTruststorePasswdPathProperty());
             String trustStoreTypeProp = 
config.getProperty(x509Util.getSslTruststoreTypeProperty());
-            boolean fipsMode = x509Util.getFipsMode(config);
+            boolean fipsMode = X509Util.getFipsMode(config);
 
             if (trustStoreLocation.isEmpty()) {
                 LOG.warn("Truststore not specified for client connection");
diff --git 
a/zookeeper-server/src/main/java/org/apache/zookeeper/server/quorum/auth/SaslQuorumAuthLearner.java
 
b/zookeeper-server/src/main/java/org/apache/zookeeper/server/quorum/auth/SaslQuorumAuthLearner.java
index 12cec788a..9ed986ac9 100644
--- 
a/zookeeper-server/src/main/java/org/apache/zookeeper/server/quorum/auth/SaslQuorumAuthLearner.java
+++ 
b/zookeeper-server/src/main/java/org/apache/zookeeper/server/quorum/auth/SaslQuorumAuthLearner.java
@@ -88,6 +88,7 @@ public class SaslQuorumAuthLearner implements 
QuorumAuthLearner {
             DataInputStream din = new DataInputStream(sock.getInputStream());
             byte[] responseToken = new byte[0];
             sc = SecurityUtils.createSaslClient(
+                new ZKConfig(),
                 learnerLogin.getSubject(),
                 principalConfig,
                 QuorumAuth.QUORUM_SERVER_PROTOCOL_NAME,
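Review bot: `createSaslClient` can now return `null` (the FIPS branch added in `SecurityUtils` in this commit), and the statement after this hunk — not visible here — presumably uses `sc` straight away; unless there is a null check, FIPS mode turns a configuration problem into a `NullPointerException` inside `authenticate`. Add a guard immediately after the assignment: `if (sc == null) { throw new SaslException("DIGEST-MD5 is disabled in FIPS mode; quorum SASL requires GSSAPI (Kerberos)"); }` so the learner fails with an actionable error. Separately, `new ZKConfig()` is built on every authentication attempt only to read one boolean; if `ZKConfig`'s no-arg constructor reads system properties (it appears to, but confirm), a single instance kept in a field or the peer's existing config would avoid the repeated construction and make it explicit which configuration source governs FIPS mode for the quorum.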
diff --git 
a/zookeeper-server/src/main/java/org/apache/zookeeper/util/SecurityUtils.java 
b/zookeeper-server/src/main/java/org/apache/zookeeper/util/SecurityUtils.java
index 6ac3fff2a..5c44f2116 100644
--- 
a/zookeeper-server/src/main/java/org/apache/zookeeper/util/SecurityUtils.java
+++ 
b/zookeeper-server/src/main/java/org/apache/zookeeper/util/SecurityUtils.java
@@ -28,6 +28,8 @@ import javax.security.sasl.SaslClient;
 import javax.security.sasl.SaslException;
 import javax.security.sasl.SaslServer;
 import org.apache.zookeeper.SaslClientCallbackHandler;
+import org.apache.zookeeper.common.X509Util;
+import org.apache.zookeeper.common.ZKConfig;
 import org.apache.zookeeper.server.auth.KerberosName;
 import org.ietf.jgss.GSSContext;
 import org.ietf.jgss.GSSCredential;
@@ -55,6 +57,7 @@ public final class SecurityUtils {
      * @throws SaslException
      */
     public static SaslClient createSaslClient(
+        ZKConfig config,
         final Subject subject,
         final String servicePrincipal,
         final String protocol,
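Review bot: The new leading `config` parameter is not described in the Javadoc that this hunk sits inside (only the trailing `@throws SaslException` tag is visible; the `@param` list is above the hunk), and the method's contract has changed in a way the doc must state: it can now return `null`. Add `@param config configuration consulted for {@code zookeeper.fips-mode}; when FIPS mode is enabled no DIGEST-MD5 client is created` alongside the other `@param` tags, and extend the `@return` text with `, or {@code null} when the subject has no principals and FIPS mode forbids DIGEST-MD5`. Since this is a public static API, every existing external caller now has to know about that null.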
@@ -67,6 +70,11 @@ public final class SecurityUtils {
         if (subject.getPrincipals().isEmpty()) {
             // no principals: must not be GSSAPI: use DIGEST-MD5 mechanism
             // instead.
+            // FIPS-mode: don't try DIGEST-MD5, just return error
+            if (X509Util.getFipsMode(config)) {
+                LOG.warn("{} will not use DIGEST-MD5 as SASL mechanism, 
because FIPS mode is enabled.", entity);
+                return null;
+            }
             LOG.info("{} will use DIGEST-MD5 as SASL mechanism.", entity);
             String[] mechs = {"DIGEST-MD5"};
             String username = (String) 
(subject.getPublicCredentials().toArray()[0]);
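Review bot: Returning `null` from the FIPS branch pushes a fresh null-handling obligation onto every caller of a method already declared `throws SaslException`, and the added comment says "just return error" while the code returns a non-error value that callers can easily dereference. Throwing is both clearer and fail-closed: `throw new SaslException(entity + " cannot use DIGEST-MD5 as SASL mechanism because FIPS mode is enabled; configure GSSAPI (Kerberos) instead");` — it reuses the existing checked exception and cannot be silently ignored. If returning `null` is kept on purpose for compatibility, the Javadoc above must say so and the log should arguably be at ERROR, since the outcome is that no SASL client exists at all. The `X509Util.getFipsMode(config)` call also NPEs on a null `config`; a `Objects.requireNonNull(config, "config")` at the top of the method would give the caller a precise message.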
