This is an automated email from the ASF dual-hosted git repository. stigahuang pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/impala.git
commit ddcdfc2200c7d605b07d443ba911f89c48ecee39 Author: Zoltan Borok-Nagy <[email protected]> AuthorDate: Tue Aug 8 16:07:29 2023 +0200 IMPALA-11195: Disable SSL renegotiations for OpenSSL 1.0.2. When OpenSSL 1.0.2 was being used Impala didn't disable SSL renegotiations correctly. It wasn't enough setting the flag SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS right after SSL_new() as due to an OpenSSL bug the SSL flags are getting reset in SSL_accept(). See https://github.com/openssl/openssl/discussions/21666 With this patch the followings happen depending on the OpenSSL versions: * OpenSSL 1.0.2: we set the SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS flag in a callback function the same way as it is being set in various open source projects * OpenSSL 1.1.0h+: we set the SSL_OP_NO_RENEGOTIATION option in the SSL_CTX object * OpenSSL versions between the above two: we raise either compile-time error (when compiled with such version) or runtime warning (when Impala is running with such version) This patch also upgrades the native toolchain version to have a Thrift that is fixed the same way. Testing: * manually tested on CentOS 7.9 with >openssl s_client -connect <host>:<port> >R Initially it outputs that "Secure Renegotiation IS supported" because we can only set the SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS flag after the handshake, but then prompting "R" doesn't do the renegotiation. Without these changes "R" renegotiates. Change-Id: I6fd6a8dedcbca8f50a16dbe68ebd8303e3e5aed1 Reviewed-on: http://gerrit.cloudera.org:8080/20360 Reviewed-by: Impala Public Jenkins <[email protected]> Tested-by: Impala Public Jenkins <[email protected]> --- be/src/rpc/authentication.cc | 8 ++++++++ be/src/thirdparty/squeasel/squeasel.c | 28 +++++++++++++++++++++------- bin/impala-config.sh | 2 +- 3 files changed, 30 insertions(+), 8 deletions(-) diff --git a/be/src/rpc/authentication.cc b/be/src/rpc/authentication.cc index 16bf5acf7..5dadd8e3a 100644 --- a/be/src/rpc/authentication.cc +++ b/be/src/rpc/authentication.cc @@ -1495,6 +1495,14 @@ Status AuthManager::Init() { TSSLSocketFactory::setManualOpenSSLInitialization(true); kudu::security::InitializeOpenSSL(); LOG(INFO) << "Initialized " << OPENSSL_VERSION_TEXT; + LOG(INFO) << "Runtime OpenSSL version " << SSLeay_version(SSLEAY_VERSION); + unsigned long openssl_version = SSLeay(); + // Check if we are running against an OpenSSL version that is vulnerable to + // CVE-2009-3555 + if (openssl_version >= 0x10100000L && openssl_version <= 0x1010007fL) { + LOG(WARNING) << + "OpenSSL runtime version detected that is vulnerable to CVE-2009-3555"; + } // Could use any other requiered flag for SAML bool use_saml = !FLAGS_saml2_sp_callback_url.empty(); diff --git a/be/src/thirdparty/squeasel/squeasel.c b/be/src/thirdparty/squeasel/squeasel.c index 1ba9aa8bd..a3934fa22 100644 --- a/be/src/thirdparty/squeasel/squeasel.c +++ b/be/src/thirdparty/squeasel/squeasel.c @@ -3792,15 +3792,21 @@ static int set_uid_option(struct sq_context *ctx) { static pthread_mutex_t *ssl_mutexes; -static int sslize(struct sq_connection *conn, SSL_CTX *s, int (*func)(SSL *)) { - return (conn->ssl = SSL_new(s)) != NULL && #if OPENSSL_VERSION_NUMBER < 0x10100000L - // IMPALA-11195: disable TLS/SSL renegotiation. In version 1.0.2 and prior it's - // possible to use the undocumented SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS flag. - // For more context, see a note on the SSL_OP_NO_RENEGOTIATION option in the - // $OPENSSL_ROOT/CHANGES and https://github.com/openssl/openssl/issues/4739. - (conn->ssl->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) && +// IMPALA-11195: disable TLS/SSL renegotiation. In version 1.0.2 and prior it's +// possible to use the undocumented SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS flag. +static void ssl_disable_renegotiation_cb(const SSL *ssl, int where, int ret) +{ + (void)ret; + if ((where & SSL_CB_HANDSHAKE_DONE) != 0) { + // disable renegotiation (CVE-2009-3555) + ssl->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS; + } +} #endif + +static int sslize(struct sq_connection *conn, SSL_CTX *s, int (*func)(SSL *)) { + return (conn->ssl = SSL_new(s)) != NULL && SSL_set_fd(conn->ssl, conn->client.sock) == 1 && func(conn->ssl) == 1; } @@ -3928,6 +3934,14 @@ static int set_ssl_option(struct sq_context *ctx) { // will be accepted but nothing will happen, i.e. renegotiation will // not be prevented. options |= SSL_OP_NO_RENEGOTIATION; +#elif OPENSSL_VERSION_NUMBER < 0x10100000L + // IMPALA-11195: disable TLS/SSL renegotiation. In version 1.0.2 and prior it's + // possible to use the undocumented SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS flag. + // We need to set the flag in the callback 'ssl_disable_renegotiation_cb' after + // handshake is done, otherwise the flag would get reset in SSL_accept(). + SSL_CTX_set_info_callback(ctx_, ssl_disable_renegotiation_cb); +#else + static_error(false, "Found SSL version that is vulnerable to CVE-2009-3555."); #endif if ((SSL_CTX_set_options(ctx->ssl_ctx, options) & options) != options) { diff --git a/bin/impala-config.sh b/bin/impala-config.sh index b10541439..7afa739f4 100755 --- a/bin/impala-config.sh +++ b/bin/impala-config.sh @@ -85,7 +85,7 @@ export USE_AVRO_CPP=${USE_AVRO_CPP:=false} # moving to a different build of the toolchain, e.g. when a version is bumped or a # compile option is changed. The build id can be found in the output of the toolchain # build jobs, it is constructed from the build number and toolchain git hash prefix. -export IMPALA_TOOLCHAIN_BUILD_ID=324-bb64c6ed91 +export IMPALA_TOOLCHAIN_BUILD_ID=351-c240088ecb # Versions of toolchain dependencies. # ----------------------------------- if $USE_AVRO_CPP; then
