[
https://issues.apache.org/jira/browse/IMPALA-14385?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18018485#comment-18018485
]
ASF subversion and git services commented on IMPALA-14385:
----------------------------------------------------------
Commit e486f3e3c38df373980fe928a9895b10c3c79a75 in impala's branch
refs/heads/master from Yida Wu
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=e486f3e3c ]
IMPALA-14385: Fix crashes using sha2() in FIPS CentOS 7

This commit fixes a crash in the sha2() function that occurs when
Impala is run on a FIPS-enabled OS, particularly CentOS 7. Running
sha2() with 384- or 512-bit lengths would cause the impalad
to crash with an OpenSSL assertion failure:
"Low level API call to digest SHA384 forbidden in FIPS mode!"

The root cause was the direct use of low-level OpenSSL API calls
like SHA384(), SHA512(). OpenSSL 1.0 (used in RHEL/CentOS 7) is
particularly strict and forbids these calls in FIPS mode, causing
the module to terminate the process.

This patch switches to the high-level, FIPS-compliant EVP_Digest
API to perform the hash in the sha2() function implementation.

Tests:
Ran sha2() in FIPS-enabled CentOS 7 after the change and succeeded.
Passed exhaustive tests.

Change-Id: I694532350285534fd935c92b7a78bed91ded3cb5
Reviewed-on: http://gerrit.cloudera.org:8080/23373
Reviewed-by: Impala Public Jenkins <[email protected]>
Tested-by: Impala Public Jenkins <[email protected]>

> Sha2() with 384/512 bit can fail in FIPS mode
> ---------------------------------------------
>
> Key: IMPALA-14385
> URL: https://issues.apache.org/jira/browse/IMPALA-14385
> Project: IMPALA
> Issue Type: Bug
> Reporter: Yida Wu
> Assignee: Yida Wu
> Priority: Major
>
> SHA2 with 384 or 512 bit length should work in FIPS mode; however, impalad
> could hit an assertion and crash when running the sha2() function in FIPS
> mode, with the following error message:
> {code:java}
> sha512.c(63): OpenSSL internal error, assertion failed: Low level API call to
> digest SHA384 forbidden in FIPS mode!
> {code}
> The issue can be reproduced on OS centos79fips with OpenSSL 1.0.2zd-fips, but
> it doesn’t occur on OS redhat810fips with OpenSSL 1.1.1k FIPS.
> Running the SQL statements below in impala shell can trigger the issue.
> {code:java}
> select sha2('test', 512);
> {code}
> or
> {code:java}
> select sha2('test', 384);
> {code}