Return-Path: <hdfs-issues-return-170705-archive-asf-public=cust-asf.ponee.io@hadoop.apache.org>
X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io
Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io
Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183])
	by cust-asf2.ponee.io (Postfix) with ESMTP id CA2B2200B96
	for <archive-asf-public-internal@cust-asf2.ponee.io>; Thu,  6 Oct 2016 20:33:22 +0200 (CEST)
Received: by cust-asf.ponee.io (Postfix)
	id C8E8D160AC5; Thu,  6 Oct 2016 18:33:22 +0000 (UTC)
Delivered-To: archive-asf-public@cust-asf.ponee.io
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by cust-asf.ponee.io (Postfix) with SMTP id 12858160AED
	for <archive-asf-public@cust-asf.ponee.io>; Thu,  6 Oct 2016 20:33:21 +0200 (CEST)
Received: (qmail 92349 invoked by uid 500); 6 Oct 2016 18:33:20 -0000
Mailing-List: contact hdfs-issues-help@hadoop.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:hdfs-issues-help@hadoop.apache.org>
List-Unsubscribe: <mailto:hdfs-issues-unsubscribe@hadoop.apache.org>
List-Post: <mailto:hdfs-issues@hadoop.apache.org>
List-Id: <hdfs-issues.hadoop.apache.org>
Delivered-To: mailing list hdfs-issues@hadoop.apache.org
Received: (qmail 91995 invoked by uid 99); 6 Oct 2016 18:33:20 -0000
Received: from arcas.apache.org (HELO arcas) (140.211.11.28)
    by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 06 Oct 2016 18:33:20 +0000
Received: from arcas.apache.org (localhost [127.0.0.1])
	by arcas (Postfix) with ESMTP id 93B5E2C2A6B
	for <hdfs-issues@hadoop.apache.org>; Thu,  6 Oct 2016 18:33:20 +0000 (UTC)
Date: Thu, 6 Oct 2016 18:33:20 +0000 (UTC)
From: "Xiao Chen (JIRA)" <jira@apache.org>
To: hdfs-issues@hadoop.apache.org
Message-ID: <JIRA.12945706.1456796938000.755732.1475778800602@Atlassian.JIRA>
In-Reply-To: <JIRA.12945706.1456796938000@Atlassian.JIRA>
References: <JIRA.12945706.1456796938000@Atlassian.JIRA> <JIRA.12945706.1456796938120@arcas>
Subject: [jira] [Updated] (HDFS-9878) Data transfer encryption with AES 192:
 Invalid key length.
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394
archived-at: Thu, 06 Oct 2016 18:33:22 -0000


     [ https://issues.apache.org/jira/browse/HDFS-9878?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Xiao Chen updated HDFS-9878:
----------------------------
    Assignee: Harsh J

> Data transfer encryption with AES 192: Invalid key length.
> ----------------------------------------------------------
>
>                 Key: HDFS-9878
>                 URL: https://issues.apache.org/jira/browse/HDFS-9878
>             Project: Hadoop HDFS
>          Issue Type: Bug
>          Components: datanode, hdfs-client
>    Affects Versions: 2.7.2
>         Environment: OS: Ubuntu 14.04
> /hadoop-2.7.2/bin$ uname -a
> Linux wkstn-kpalaniappan 3.13.0-79-generic #123-Ubuntu SMP Fri Feb 19 14:27:58 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
> /hadoop-2.7.2/bin$ java -version
> java version "1.7.0_95"
> OpenJDK Runtime Environment (IcedTea 2.6.4) (7u95-2.6.4-0ubuntu0.14.04.1)
> OpenJDK 64-Bit Server VM (build 24.95-b01, mixed mode)
> Hadoop version: 2.7.2
>            Reporter: Karthik Palaniappan
>            Assignee: Harsh J
>
> Configuring aes 128 or aes 256 encryption (dfs.encrypt.data.transfer.cipher.key.bitlength = [128, 256]) works perfectly fine. Trying to use AES 192 generates this exception on the datanode:
> 16/02/29 17:34:10 ERROR datanode.DataNode: wkstn-kpalaniappan:50010:DataXceiver error processing unknown operation  src: /127.0.0.1:57237 dst: /127.0.0.1:50010
> java.lang.IllegalArgumentException: Invalid key length.
> 	at org.apache.hadoop.crypto.OpensslCipher.init(Native Method)
> 	at org.apache.hadoop.crypto.OpensslCipher.init(OpensslCipher.java:176)
> 	at org.apache.hadoop.crypto.OpensslAesCtrCryptoCodec$OpensslAesCtrCipher.init(OpensslAesCtrCryptoCodec.java:116)
> 	at org.apache.hadoop.crypto.CryptoInputStream.updateDecryptor(CryptoInputStream.java:290)
> 	at org.apache.hadoop.crypto.CryptoInputStream.resetStreamOffset(CryptoInputStream.java:303)
> 	at org.apache.hadoop.crypto.CryptoInputStream.<init>(CryptoInputStream.java:128)
> 	at org.apache.hadoop.crypto.CryptoInputStream.<init>(CryptoInputStream.java:109)
> 	at org.apache.hadoop.crypto.CryptoInputStream.<init>(CryptoInputStream.java:133)
> 	at org.apache.hadoop.hdfs.protocol.datatransfer.sasl.DataTransferSaslUtil.createStreamPair(DataTransferSaslUtil.java:345)
> 	at org.apache.hadoop.hdfs.protocol.datatransfer.sasl.SaslDataTransferServer.doSaslHandshake(SaslDataTransferServer.java:396)
> 	at org.apache.hadoop.hdfs.protocol.datatransfer.sasl.SaslDataTransferServer.getEncryptedStreams(SaslDataTransferServer.java:178)
> 	at org.apache.hadoop.hdfs.protocol.datatransfer.sasl.SaslDataTransferServer.receive(SaslDataTransferServer.java:110)
> 	at org.apache.hadoop.hdfs.server.datanode.DataXceiver.run(DataXceiver.java:193)
> 	at java.lang.Thread.run(Thread.java:745)
> And this exception on the client:
> /hadoop-2.7.2/bin$ ./hdfs dfs -copyFromLocal ~/.vimrc /vimrc
> 16/02/29 17:34:10 WARN hdfs.DFSClient: DataStreamer Exception
> java.lang.IllegalArgumentException: Invalid key length.
> 	at org.apache.hadoop.crypto.OpensslCipher.init(Native Method)
> 	at org.apache.hadoop.crypto.OpensslCipher.init(OpensslCipher.java:176)
> 	at org.apache.hadoop.crypto.OpensslAesCtrCryptoCodec$OpensslAesCtrCipher.init(OpensslAesCtrCryptoCodec.java:116)
> 	at org.apache.hadoop.crypto.CryptoInputStream.updateDecryptor(CryptoInputStream.java:290)
> 	at org.apache.hadoop.crypto.CryptoInputStream.resetStreamOffset(CryptoInputStream.java:303)
> 	at org.apache.hadoop.crypto.CryptoInputStream.<init>(CryptoInputStream.java:128)
> 	at org.apache.hadoop.crypto.CryptoInputStream.<init>(CryptoInputStream.java:109)
> 	at org.apache.hadoop.crypto.CryptoInputStream.<init>(CryptoInputStream.java:133)
> 	at org.apache.hadoop.hdfs.protocol.datatransfer.sasl.DataTransferSaslUtil.createStreamPair(DataTransferSaslUtil.java:345)
> 	at org.apache.hadoop.hdfs.protocol.datatransfer.sasl.SaslDataTransferClient.doSaslHandshake(SaslDataTransferClient.java:490)
> 	at org.apache.hadoop.hdfs.protocol.datatransfer.sasl.SaslDataTransferClient.getEncryptedStreams(SaslDataTransferClient.java:299)
> 	at org.apache.hadoop.hdfs.protocol.datatransfer.sasl.SaslDataTransferClient.send(SaslDataTransferClient.java:242)
> 	at org.apache.hadoop.hdfs.protocol.datatransfer.sasl.SaslDataTransferClient.checkTrustAndSend(SaslDataTransferClient.java:211)
> 	at org.apache.hadoop.hdfs.protocol.datatransfer.sasl.SaslDataTransferClient.socketSend(SaslDataTransferClient.java:183)
> 	at org.apache.hadoop.hdfs.DFSOutputStream$DataStreamer.createBlockOutputStream(DFSOutputStream.java:1318)
> 	at org.apache.hadoop.hdfs.DFSOutputStream$DataStreamer.nextBlockOutputStream(DFSOutputStream.java:1266)
> 	at org.apache.hadoop.hdfs.DFSOutputStream$DataStreamer.run(DFSOutputStream.java:449)
> copyFromLocal: DataStreamer Exception: 
> The issue is in the openssl c code: https://github.com/apache/hadoop/blob/trunk/hadoop-common-project/hadoop-common/src/main/native/src/org/apache/hadoop/crypto/OpensslCipher.c#L204.
> It asserts that the key length is 128 or 256 bits, but does not allow 192.
> Multiple hadoop documents say that dfs.encrypt.data.transfer.cipher.key.bitlength can be set to 128, 192, or 256: https://hadoop.apache.org/docs/r2.6.0/hadoop-project-dist/hadoop-common/SecureMode.html, https://hadoop.apache.org/docs/r2.7.2/hadoop-project-dist/hadoop-hdfs/hdfs-default.xml. Are these documents wrong? Or is it an environment-specific issue?



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: hdfs-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-help@hadoop.apache.org