[
https://issues.apache.org/jira/browse/IMPALA-10227?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Wenzhe Zhou closed IMPALA-10227.
--------------------------------
Resolution: Fixed
> Clean up hash functions for FIPS compliant build
> ------------------------------------------------
>
> Key: IMPALA-10227
> URL: https://issues.apache.org/jira/browse/IMPALA-10227
> Project: IMPALA
> Issue Type: Improvement
> Components: Backend, Infrastructure
> Affects Versions: Impala 4.0.0
> Reporter: Wenzhe Zhou
> Assignee: Wenzhe Zhou
> Priority: Minor
> Labels: FIPS
>
> md5 is blocked for “FIPS compliant” libraries, SHA-1 and SHA-256 will be soon
> to be deprecated. We should avoid these hash algorithms in Impala code.
> IMPALA-10205, IMPALA-10206, IMPALA-10207 , IMPALA-10298, IMPALA-10305 track
> the FIPS blocking issues for the upcoming release (7.1.5). This Jira tracks
> the remaining non-block issues for cleanup in the future.
>
> - Key Agreement and Authentication Algorithms in be/src/kudu/security
> Kudu security code support SHA-256 for message digest and signing key
> GetServerEndPointChannelBindings() in be/src/kudu/security/cert.cc
> DigestType in be/src/kudu/security/crypto.h and crypto.cc
> TokenSigningPrivateKey::Sign()and TokenSigningPublicKey::VerifySignature()
> in be/src/kudu/security/token_signing_key.cc
>
> - Integrity and Authentication Hash
> Openssl utility function generate integrity and authentication hash in
> SHA-256
> IntegrityHash() and AuthenticationHash() in be/src/util/openssl-util.h
>
> - RPC generate cookie
> RPC generate cookie in SHA-256:
> GenerateCookie() in be/src/rpc/authentication-util.cc
>
> - Python script for dev/test environment
> In Python script infra.deploy/deploy.py, it calls hashlib.md5() to generate
> hash for hostId when generating role_name for service as below:
> md5 = hashlib.md5()
> md5.update(master_host.hostId)
> new_role_name = "%s-%s-%s" % (new_name, rcg.roleType, md5.hexdigest())
> We use md5 for non-security purposes and there is no dependency on the hash
> value so we can change the hash algorithm. Except the md5 hash algorithm,
> hashlib supports SHA1/SHA224/SHA256/SHA384/SHA512
> ([https://docs.python.org/2/library/hashlib.html]). We can change md5 to
> sha512.
>
> - PostgreSQL configuration for dev/test environment
> In Shell script bin/bootstrap_system.sh, it set the password authentication
> methods of PostgreSQL as md5 to a{color:#000000}ccept md5-hashed passwords
> from localhost. {color}
> {color:#000000}According to PostgreSQL document
> {color}[https://www.postgresql.org/docs/11/auth-password.html], it recommends
> to upgrade md5 to scram-sha-256, but we have to ensure that the client
> libraries are new enough to support SCRAM.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
