This is an automated email from the ASF dual-hosted git repository.
laszlog pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/impala.git
The following commit(s) were added to refs/heads/master by this push:
new e486f3e3c IMPALA-14385: Fix crashes using sha2() in FIPS CentOS 7
e486f3e3c is described below
commit e486f3e3c38df373980fe928a9895b10c3c79a75
Author: Yida Wu <[email protected]>
AuthorDate: Tue Sep 2 13:06:47 2025 -0700
IMPALA-14385: Fix crashes using sha2() in FIPS CentOS 7
This commit fixes a crash in the sha2() function that occurs when
Impala is run on a FIPS enabled OS, particularly CentOS 7. Running
sha2() with 384 or 512-bit lengths would cause the impalad
to crash with an OpenSSL assertion failure:
"Low level API call to digest SHA384 forbidden in FIPS mode!"
The root cause was the direct use of low-level OpenSSL API calls
like SHA384(), SHA512(). OpenSSL 1.0 (used in RHEL/CentOS 7) is
particularly strict and forbids these calls in FIPS mode, causing
the module to terminate the process.
This patch changes to use the high-level, FIPS compliant EVP_Digest
API to perform the hash in sha2() function implementation.
Tests:
Ran sha2() in FIPS enabled CentOs 7 after the change and succeeded.
Passed exhaustive tests.
Change-Id: I694532350285534fd935c92b7a78bed91ded3cb5
Reviewed-on: http://gerrit.cloudera.org:8080/23373
Reviewed-by: Impala Public Jenkins <[email protected]>
Tested-by: Impala Public Jenkins <[email protected]>
---
be/src/exprs/utility-functions-ir.cc | 31 ++++++++++++++++++-------------
1 file changed, 18 insertions(+), 13 deletions(-)
diff --git a/be/src/exprs/utility-functions-ir.cc
b/be/src/exprs/utility-functions-ir.cc
index 470e84096..8e139ec66 100644
--- a/be/src/exprs/utility-functions-ir.cc
+++ b/be/src/exprs/utility-functions-ir.cc
@@ -287,28 +287,25 @@ StringVal UtilityFunctions::Sha2(FunctionContext* ctx,
const StringVal& input_st
return StringVal::null();
}
- StringVal sha_hash;
+ const EVP_MD* md_alg = nullptr;
+ int digest_length = 0;
switch(bit_len.val) {
case 224:
- sha_hash = StringVal(ctx, SHA224_DIGEST_LENGTH);
- if (UNLIKELY(sha_hash.is_null)) return StringVal::null();
- SHA224(input_str.ptr, input_str.len, sha_hash.ptr);
+ md_alg = EVP_sha224();
+ digest_length = SHA224_DIGEST_LENGTH;
break;
case 256:
- sha_hash = StringVal(ctx, SHA256_DIGEST_LENGTH);
- if (UNLIKELY(sha_hash.is_null)) return StringVal::null();
- SHA256(input_str.ptr, input_str.len, sha_hash.ptr);
+ md_alg = EVP_sha256();
+ digest_length = SHA256_DIGEST_LENGTH;
break;
case 384:
- sha_hash = StringVal(ctx, SHA384_DIGEST_LENGTH);
- if (UNLIKELY(sha_hash.is_null)) return StringVal::null();
- SHA384(input_str.ptr, input_str.len, sha_hash.ptr);
+ md_alg = EVP_sha384();
+ digest_length = SHA384_DIGEST_LENGTH;
break;
case 512:
- sha_hash = StringVal(ctx, SHA512_DIGEST_LENGTH);
- if (UNLIKELY(sha_hash.is_null)) return StringVal::null();
- SHA512(input_str.ptr, input_str.len, sha_hash.ptr);
+ md_alg = EVP_sha512();
+ digest_length = SHA512_DIGEST_LENGTH;
break;
default:
// Unsupported bit length.
@@ -316,6 +313,14 @@ StringVal UtilityFunctions::Sha2(FunctionContext* ctx,
const StringVal& input_st
return StringVal::null();
}
+ StringVal sha_hash(ctx, digest_length);
+ if (UNLIKELY(sha_hash.is_null)) return StringVal::null();
+
+ // Do not use low-level calls like SHA384(), which can be forbidden in FIPS
mode.
+ // This is the fips-compliant hashing implementation, which uses the
high-level
+ // EVP_Digest function.
+ EVP_Digest(input_str.ptr, input_str.len, sha_hash.ptr, nullptr, md_alg,
nullptr);
+
return StringFunctions::Lower(ctx, MathFunctions::HexString(ctx, sha_hash));
}
