[
https://issues.apache.org/jira/browse/HBASE-22492?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16869957#comment-16869957
]
HBase QA commented on HBASE-22492:
----------------------------------
| (x) *-1 overall* |

|| Vote || Subsystem || Runtime || Comment ||
| 0 | reexec | 13m 53s | Docker mode activated. |
|| || || || Prechecks ||
| 0 | findbugs | 0m 1s | Findbugs executables are not available. |
| +1 | hbaseanti | 0m 0s | Patch does not have any anti-patterns. |
| +1 | @author | 0m 0s | The patch does not contain any @author tags. |
| -0 | test4tests | 0m 0s | The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch. |
|| || || || branch-1 Compile Tests ||
| +1 | mvninstall | 7m 59s | branch-1 passed |
| +1 | compile | 0m 42s | branch-1 passed with JDK v1.8.0_212 |
| +1 | compile | 0m 41s | branch-1 passed with JDK v1.7.0_222 |
| +1 | checkstyle | 1m 25s | branch-1 passed |
| +1 | shadedjars | 2m 50s | branch has no errors when building our shaded downstream artifacts. |
| +1 | javadoc | 0m 35s | branch-1 passed with JDK v1.8.0_212 |
| +1 | javadoc | 0m 36s | branch-1 passed with JDK v1.7.0_222 |
|| || || || Patch Compile Tests ||
| +1 | mvninstall | 1m 46s | the patch passed |
| +1 | compile | 0m 39s | the patch passed with JDK v1.8.0_212 |
| +1 | javac | 0m 39s | the patch passed |
| +1 | compile | 0m 42s | the patch passed with JDK v1.7.0_222 |
| +1 | javac | 0m 42s | the patch passed |
| -1 | checkstyle | 1m 18s | hbase-server: The patch generated 1 new + 76 unchanged - 0 fixed = 77 total (was 76) |
| +1 | whitespace | 0m 0s | The patch has no whitespace issues. |
| +1 | shadedjars | 2m 55s | patch has no errors when building our shaded downstream artifacts. |
| +1 | hadoopcheck | 4m 40s | Patch does not cause any errors with Hadoop 2.8.5 2.9.2. |
| +1 | javadoc | 0m 30s | the patch passed with JDK v1.8.0_212 |
| +1 | javadoc | 0m 38s | the patch passed with JDK v1.7.0_222 |
|| || || || Other Tests ||
| +1 | unit | 111m 5s | hbase-server in the patch passed. |
| +1 | asflicense | 0m 31s | The patch does not generate ASF License warnings. |
| | | 155m 32s | |

|| Subsystem || Report/Notes ||
| Docker | Client=17.05.0-ce Server=17.05.0-ce base: https://builds.apache.org/job/PreCommit-HBASE-Build/568/artifact/patchprocess/Dockerfile |
| JIRA Issue | HBASE-22492 |
| JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/12972477/HBASE-22492.003.branch-1.patch |
| Optional Tests | dupname asflicense javac javadoc unit findbugs shadedjars hadoopcheck hbaseanti checkstyle compile |
| uname | Linux 15745dcc2420 4.4.0-138-generic #164-Ubuntu SMP Tue Oct 2 17:16:02 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux |
| Build tool | maven |
| Personality | dev-support/hbase-personality.sh |
| git revision | branch-1 / 19cdd6d |
| maven | version: Apache Maven 3.0.5 |
| Default Java | 1.7.0_222 |
| Multi-JDK versions | /usr/lib/jvm/java-8-openjdk-amd64:1.8.0_212 /usr/lib/jvm/java-7-openjdk-amd64:1.7.0_222 |
| checkstyle | https://builds.apache.org/job/PreCommit-HBASE-Build/568/artifact/patchprocess/diff-checkstyle-hbase-server.txt |
| Test Results | https://builds.apache.org/job/PreCommit-HBASE-Build/568/testReport/ |
| Max. process+thread count | 4714 (vs. ulimit of 10000) |
| modules | C: hbase-server U: hbase-server |
| Console output | https://builds.apache.org/job/PreCommit-HBASE-Build/568/console |
| Powered by | Apache Yetus 0.9.0 http://yetus.apache.org |
This message was automatically generated.
> HBase server doesn't preserve SASL sequence number on the network
> -----------------------------------------------------------------
>
> Key: HBASE-22492
> URL: https://issues.apache.org/jira/browse/HBASE-22492
> Project: HBase
> Issue Type: Bug
> Components: regionserver
> Affects Versions: 1.1.2
> Environment: HDP 2.6.5.108-1
>
> Reporter: Sébastien BARNOUD
> Assignee: Sébastien BARNOUD
> Priority: Major
> Fix For: 1.5.0, 1.4.11
>
> Attachments: HBASE-22492.001.branch-1.patch,
> HBASE-22492.002.branch-1.patch, HBASE-22492.003.branch-1.patch
>
>
> When auth-conf is enabled on RPC, the server encrypts the response in setResponse()
> using saslServer. The generated cryptogram includes a sequence number managed
> by saslServer. But then, when the response is sent over the network, the
> sequence number order is not preserved.
> The client receives replies in the wrong order, leading to a log message from
> DigestMD5Base:
> {code:java}
> sasl:1481 - DIGEST41:Unmatched MACs
> {code}
> Then the message is discarded, leading the client to a timeout.
> I propose a fix here:
> [https://github.com/sbarnoud/hbase-release/commit/ce9894ffe0e4039deecd1ed51fa135f64b311d41]
> It seems that any HBase 1.x is affected.
> This part of the code has been fully rewritten in HBase 2.x, and I haven't done the
> analysis on HBase 2.x, which may be affected.
>
> Here is an extract of the client log that I added to help me understand:
> {code:java}
> …
> 2019-05-28 12:53:48,644 DEBUG [Default-IPC-NioEventLoopGroup-1-32]
> NettyRpcDuplexHandler:80 - callId: 5846 /192.163.201.65:58870 ->
> dtltstap004.fr.world.socgen/192.163.201.72:16020
> 2019-05-28 12:53:48,651 INFO [Default-IPC-NioEventLoopGroup-1-18]
> NioEventLoop:101 - SG: Channel ready to read 1315913615 unsafe 1493023957
> /192.163.201.65:44236 -> dtltstap008.fr.world.socgen/192.163.201.109:16020
> 2019-05-28 12:53:48,651 INFO [Default-IPC-NioEventLoopGroup-1-18]
> SaslUnwrapHandler:78 - SG: after unwrap:46 -> 29 for /192.163.201.65:44236
> -> dtltstap008.fr.world.socgen/192.163.201.109:16020 seqNum 150
> 2019-05-28 12:53:48,652 DEBUG [Default-IPC-NioEventLoopGroup-1-18]
> NettyRpcDuplexHandler:192 - callId: 5801 received totalSize:25 Message:20
> scannerSize:(null)/192.163.201.65:44236 ->
> dtltstap008.fr.world.socgen/192.163.201.109:16020
> 2019-05-28 12:53:48,652 INFO [Default-IPC-NioEventLoopGroup-1-18] sasl:1481
> - DIGEST41:Unmatched MACs
> 2019-05-28 12:53:48,652 WARN [Default-IPC-NioEventLoopGroup-1-18]
> SaslUnwrapHandler:70 - Sasl error (probably invalid MAC) detected for
> /192.163.201.65:44236 -> dtltstap008.fr.world.socgen/192.163.201.109:16020
> saslClient @4ac31121 ctx @14fb001d msg @140313192718406 len 118
> data:1c^G?^P?3??h?k??????"??x?$^_??^D;^]7^Es??Em?c?w^R^BL?????????x??omG?z?I???45}???dE?^\^S>D?^????/4f?^^??
> ?^E????d?????????D?kM^@^A^@^@^@? readerIndex 118 writerIndex 118 seqNum
> 152{code}
> We can see that the client unwraps the Sasl message with sequence number 152
> before sequence number 151 and fails with the unmatched MAC.
>
> I opened a case with Oracle because we should have had an error (and not the message
> ignored). That's because the JDK doesn't control integrity in the right way.
> [https://github.com/openjdk/jdk/blob/master/src/java.security.sasl/share/classes/com/sun/security/sasl/digest/DigestMD5Base.java]
> The actual JDK controls the HMac before the sequence number and hides the
> real error (bad sequence number) because SASL is stateful. The JDK should
> check FIRST the sequence number and THEN the HMac.
> When (and if) the JDK is patched, and according to
> [https://www.ietf.org/rfc/rfc2831.txt], we will get an exception in that case
> instead of having the message ignored.
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
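
A simplified model of the failure described in the issue above, added here as an illustration (it is not HBase or JDK code): replies sealed in the RFC 2831 layout with a stateful cipher, delivered with two of them swapped, and unsealed once with the MAC checked first and once with the sequence number checked first. RC4 as the cipher, the constructed keys, and the names `seal`, `Receiver` and `demo` are assumptions of this example.

```python
import hashlib, hmac, struct

def rc4(key):
    """RC4 keystream generator; its state persists across messages."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) % 256]

def seal(ks, ki, seq, msg):
    """CIPHER(Kc, msg || HMAC(Ki, seq || msg)[:10]) || 0x0001 || seq (seq in clear)."""
    seq_b = struct.pack(">I", seq)
    mac = hmac.new(ki, seq_b + msg, hashlib.md5).digest()[:10]
    return bytes(b ^ next(ks) for b in msg + mac) + b"\x00\x01" + seq_b

class Receiver:
    def __init__(self, kc, ki, seq_first):
        self.ks, self.ki, self.expected, self.seq_first = rc4(kc), ki, 0, seq_first
    def unseal(self, token):
        seq = struct.unpack(">I", token[-4:])[0]
        if self.seq_first and seq != self.expected:  # ordering proposed in the report
            raise ValueError(f"out of sequence: expected {self.expected}, got {seq}")
        plain = bytes(b ^ next(self.ks) for b in token[:-6])
        msg, mac = plain[:-10], plain[-10:]
        want = hmac.new(self.ki, token[-4:] + msg, hashlib.md5).digest()[:10]
        if not hmac.compare_digest(mac, want):
            return None  # MAC checked first: message dropped, real cause hidden
        if seq != self.expected:
            raise ValueError(f"out of sequence: expected {self.expected}, got {seq}")
        self.expected += 1
        return msg

def demo(seq_first):
    kc, ki = b"constructed-Kc", b"constructed-Ki"  # constructed keys, not derived per RFC
    ks = rc4(kc)
    sent = [seal(ks, ki, n, b"reply-%d" % n) for n in range(3)]
    rx, out = Receiver(kc, ki, seq_first), []
    try:
        for token in (sent[0], sent[2], sent[1]):  # replies 1 and 2 swapped on the wire
            out.append(rx.unseal(token))
    except ValueError as err:
        out.append(str(err))
    return out
```

With `demo(False)` the swapped replies are decrypted at the wrong keystream position and dropped as MAC mismatches; with `demo(True)` the cleartext sequence number is rejected before the cipher state is touched, so the ordering problem surfaces as an error.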