[
https://issues.apache.org/jira/browse/IMPALA-10227?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Wenzhe Zhou updated IMPALA-10227:
---------------------------------
Description:
md5 is blocked for “FIPS compliant” libraries, SHA-1 and SHA-256 will be soon
to be deprecated. We should avoid these hash algorithms in Impala code.
IMPALA-10205, IMPALA-10206, IMPALA-10207 track the FIPS blocking issues for the
upcoming release. This Jira tracks the remaining non-block issues for cleanup
in the future.
- Key Agreement and Authentication Algorithms in be/src/kudu/security
Kudu security code support SHA-256 for message digest and signing key
GetServerEndPointChannelBindings() in be/src/kudu/security/cert.cc
DigestType in be/src/kudu/security/crypto.h and crypto.cc
TokenSigningPrivateKey::Sign()and TokenSigningPublicKey::VerifySignature() in
be/src/kudu/security/token_signing_key.cc
- Encoding
{color:#000000}Hive use SHA-256 to hash value and encoding{color}
{color:#000000} {color}{color:#000000}MaskFunctions::MaskHash() in
be/src/exprs/mask-functions-ir.cc{color}
- RPC generate cookie
RPC generate cookie in SHA-256:
GenerateCookie() in be/src/rpc/cookie-util.cc
- Integrity and Authentication Hash
Openssl utility function generate integrity and authentication hash in SHA-256
IntegrityHash() and AuthenticationHash() in be/src/util/openssl-util.h
- Python script for dev/test environment
In Python script infra.deploy/deploy.py, it calls hashlib.md5() to generate
hash for hostId when generating role_name for service as below:
md5 = hashlib.md5()
md5.update(master_host.hostId)
new_role_name = "%s-%s-%s" % (new_name, rcg.roleType, md5.hexdigest())
We use md5 for non-security purposes and there is no dependency on the hash
value so we can change the hash algorithm. Except the md5 hash algorithm,
hashlib supports SHA1/SHA224/SHA256/SHA384/SHA512
([https://docs.python.org/2/library/hashlib.html]). We can change md5 to sha512.
- PostgreSQL configuration for dev/test environment
In Shell script bin/bootstrap_system.sh, it set the password authentication
methods of PostgreSQL as md5 to a{color:#000000}ccept md5-hashed passwords from
localhost. {color}
{color:#000000}According to PostgreSQL document
{color}[https://www.postgresql.org/docs/11/auth-password.html], it recommends
to upgrade md5 to scram-sha-256, but we have to ensure that the client
libraries are new enough to support SCRAM.
was:
md5 is blocked for “FIPS compliant” libraries, SHA-1 and SHA-256 will be soon
to be deprecated. We should avoid these hash algorithms in Impala code.
IMPALA-10205, IMPALA-10206, IMPALA-10207 track the FIPS blocking issues for the
upcoming release. This Jira tracks the remaining non-block issues for cleanup
in the future.
- Key Agreement and Authentication Algorithms in be/src/kudu/security
Kudu security code support SHA-256 for message digest and signing key
GetServerEndPointChannelBindings() in be/src/kudu/security/cert.cc
DigestType in be/src/kudu/security/crypto.h and crypto.cc
TokenSigningPrivateKey::Sign()and TokenSigningPublicKey::VerifySignature() in
be/src/kudu/security/token_signing_key.cc
- Encoding
{color:#000000}Hive use SHA-256 to hash value and encoding{color}
{color:#000000} {color}{color:#000000}MaskFunctions::MaskHash() in
be/src/exprs/mask-functions-ir.cc{color}
- RPC generate cookie
RPC generate cookie in SHA-256:
GenerateCookie() in be/src/rpc/cookie-util.cc
- Integrity and Authentication Hash
Openssl utility function generate integrity and authentication hash in SHA-256
IntegrityHash() and AuthenticationHash() in be/src/util/openssl-util.h
- Python script for dev/test environment
In Python script infra.deploy/deploy.py, it calls hashlib.md5() to generate
hash for hostId when generating role_name for service as below:
md5 = hashlib.md5()
md5.update(master_host.hostId)
new_role_name = "%s-%s-%s" % (new_name, rcg.roleType, md5.hexdigest())
We use md5 for non-security purposes and there is no dependency on the hash
value so we can change the hash algorithm. Except the md5 hash algorithm,
hashlib supports SHA1/SHA224/SHA256/SHA384/SHA512
([https://docs.python.org/2/library/hashlib.html]). We can change md5 to sha512.
- PostgreSQL configuration for dev/test environment
In Shell script bin/bootstrap_system.sh, it set the password authentication
methods of PostgreSQL as md5 to a{color:#000000}ccept md5-hashed passwords from
localhost. {color}
{color:#000000}According to PostgreSQL document
{color}[https://www.postgresql.org/docs/11/auth-password.html], it recommends
to upgrade md5 to scram-sha-256, but we have to ensure that the client
libraries are new enough to support SCRAM.
> Clean up hash functions for FIPS compliant build
> ------------------------------------------------
>
> Key: IMPALA-10227
> URL: https://issues.apache.org/jira/browse/IMPALA-10227
> Project: IMPALA
> Issue Type: Improvement
> Components: Backend, Infrastructure
> Affects Versions: Impala 4.0
> Reporter: Wenzhe Zhou
> Assignee: Wenzhe Zhou
> Priority: Minor
> Labels: FIPS
>
> md5 is blocked for “FIPS compliant” libraries, SHA-1 and SHA-256 will be soon
> to be deprecated. We should avoid these hash algorithms in Impala code.
> IMPALA-10205, IMPALA-10206, IMPALA-10207 track the FIPS blocking issues for
> the upcoming release. This Jira tracks the remaining non-block issues for
> cleanup in the future.
>
> - Key Agreement and Authentication Algorithms in be/src/kudu/security
> Kudu security code support SHA-256 for message digest and signing key
> GetServerEndPointChannelBindings() in be/src/kudu/security/cert.cc
> DigestType in be/src/kudu/security/crypto.h and crypto.cc
> TokenSigningPrivateKey::Sign()and TokenSigningPublicKey::VerifySignature()
> in be/src/kudu/security/token_signing_key.cc
>
> - Encoding
> {color:#000000}Hive use SHA-256 to hash value and encoding{color}
> {color:#000000} {color}{color:#000000}MaskFunctions::MaskHash() in
> be/src/exprs/mask-functions-ir.cc{color}
>
> - RPC generate cookie
> RPC generate cookie in SHA-256:
> GenerateCookie() in be/src/rpc/cookie-util.cc
>
> - Integrity and Authentication Hash
> Openssl utility function generate integrity and authentication hash in
> SHA-256
> IntegrityHash() and AuthenticationHash() in be/src/util/openssl-util.h
>
> - Python script for dev/test environment
> In Python script infra.deploy/deploy.py, it calls hashlib.md5() to generate
> hash for hostId when generating role_name for service as below:
> md5 = hashlib.md5()
> md5.update(master_host.hostId)
> new_role_name = "%s-%s-%s" % (new_name, rcg.roleType, md5.hexdigest())
> We use md5 for non-security purposes and there is no dependency on the hash
> value so we can change the hash algorithm. Except the md5 hash algorithm,
> hashlib supports SHA1/SHA224/SHA256/SHA384/SHA512
> ([https://docs.python.org/2/library/hashlib.html]). We can change md5 to
> sha512.
>
> - PostgreSQL configuration for dev/test environment
> In Shell script bin/bootstrap_system.sh, it set the password authentication
> methods of PostgreSQL as md5 to a{color:#000000}ccept md5-hashed passwords
> from localhost. {color}
> {color:#000000}According to PostgreSQL document
> {color}[https://www.postgresql.org/docs/11/auth-password.html], it recommends
> to upgrade md5 to scram-sha-256, but we have to ensure that the client
> libraries are new enough to support SCRAM.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
