[
https://issues.apache.org/jira/browse/IMPALA-10206?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17223772#comment-17223772
]
ASF subversion and git services commented on IMPALA-10206:
----------------------------------------------------------
Commit f4ed07c8eb673fcd2d569ca6474f27ef70ac26b5 in impala's branch
refs/heads/master from wzhou-code
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=f4ed07c ]
IMPALA-10206: Avoid MD5 Digest Authorization in FIPS approved mode
To compliant with FIPS requirement, we should use OpenSSL libraries
for cryptographic hash functions, instead of own hash functions.
This patch replace MD5 and SHA1 functions in Squeasel Web server
with OpenSSL APIs. It also force to turn off Digest Authorization
for Web server in FIPS approved mode since Digest Authorization
use MD5 hash and it doesn't comply with FIPS 140-2.
Testing:
- Passed webserver-test.
- Passed exhaustive tests.
- Manually verified HTTP Digest Authorization could not be enabled
by setting webserver_password_file on a FIPS enabled cluster.
Change-Id: Ie075389b3ab65c612d64ba58e16a10b19bdf4d6f
Reviewed-on: http://gerrit.cloudera.org:8080/16630
Reviewed-by: Thomas Tauber-Marshall <[email protected]>
Tested-by: Impala Public Jenkins <[email protected]>
> Avoid MD5 Digest Authorization for debug Web Server in FIPS mode
> ----------------------------------------------------------------
>
> Key: IMPALA-10206
> URL: https://issues.apache.org/jira/browse/IMPALA-10206
> Project: IMPALA
> Issue Type: Improvement
> Components: Backend
> Affects Versions: Impala 4.0
> Reporter: Wenzhe Zhou
> Assignee: Wenzhe Zhou
> Priority: Major
> Labels: FIPS
> Fix For: Impala 4.0
>
>
> Class Webserver (be/src/util/webserver.h) is defined as a wrapper class for
> the third party web server library - Squeasel. Squeasel supports the HTTP
> Digest Access Authorization with MD5 hash algorithm (RFC 2069, RFC 2617).
> Since the MD5 algorithm is not allowed in FIPS, HTTP Digest Authentication
> will not work with FIPS-certified^^ crypto library. In 2015, [RFC
> 7616|https://tools.ietf.org/html/rfc7616] replaced [RFC
> 2617|https://tools.ietf.org/html/rfc2617] by adding 4 new algorithms:
> "SHA-256", "SHA-256-sess", "SHA-512/256" and "SHA-512/256-sess". The encoding
> is equivalent to "MD5" and "MD5-sess" algorithms, with [MD5 hashing
> function|https://en.wikipedia.org/wiki/MD5] replaced with
> [SHA-256|https://en.wikipedia.org/wiki/SHA-256] and
> [SHA-512/256|https://en.wikipedia.org/wiki/SHA-512].
> In FIPS mode, it's better to support SHA-256 hash algorithm for HTTP Digest
> Authentication in Squeasel.
> Squeasel also use SHA-1 hash algorithms for WebSocket hands off. Since SHA-1
> is soon to be deprecated, we should replace SHA-1 with SHA-512. Note that
> WebSocket is only available when Squeasel is compiled with DUSE_WEBSOCKET,
> but Impala integrate Squeasel without defining USE_WEBSOCKET so WebSocket is
> not supported now. It's not urgent to replace SHA-1 with SHA-512.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
