impala-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From tarmstr...@apache.org
Subject [05/11] impala git commit: IMPALA-6418: Find a reliable way to detect supported TLS versions
Date Thu, 25 Jan 2018 21:46:23 GMT
IMPALA-6418: Find a reliable way to detect supported TLS versions

Due to a RHEL bug, finding the version of the dynamically linked
OpenSSL is unreliable on certain RHEL platforms. This means that
if Impala is built against OpenSSL 1.0.0 and run against OpenSSL
1.0.1, due to the bug, Impala will not be able to access the
capabilities of OpenSSL 1.0.1. The most significant drawback of
this is that in this scenario, Impala cannot use TLSv1.2, even though
it is available.

The RHEL bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1497859

This patch imitates Kudu's way of determining what TLS versions are
supported via this patch:
https://github.com/apache/kudu/commit/b88117415a02699c12a6eacbf065c4140ee0963c

This is tested and works on all supported platforms of Impala.

Change-Id: Idd40219b7be5889b3c24457acdb79a28bdcd9bfb
Reviewed-on: http://gerrit.cloudera.org:8080/9060
Reviewed-by: Sailesh Mukil <sailesh@cloudera.com>
Tested-by: Impala Public Jenkins


Project: http://git-wip-us.apache.org/repos/asf/impala/repo
Commit: http://git-wip-us.apache.org/repos/asf/impala/commit/e32b2305
Tree: http://git-wip-us.apache.org/repos/asf/impala/tree/e32b2305
Diff: http://git-wip-us.apache.org/repos/asf/impala/diff/e32b2305

Branch: refs/heads/2.x
Commit: e32b230545800b7cc6c1672224969a38ae017838
Parents: 2a27b4f
Author: Sailesh Mukil <sailesh@cloudera.com>
Authored: Thu Jan 18 11:00:32 2018 -0800
Committer: Philip Zeyliger <philip@cloudera.com>
Committed: Wed Jan 24 10:17:56 2018 -0800

----------------------------------------------------------------------
 be/src/rpc/thrift-client.cc |  5 +++--
 be/src/rpc/thrift-server.cc | 25 ++++++++++++++++---------
 be/src/util/openssl-util.cc |  4 ++++
 be/src/util/openssl-util.h  | 25 +++++++++++++++++++++++--
 4 files changed, 46 insertions(+), 13 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/impala/blob/e32b2305/be/src/rpc/thrift-client.cc
----------------------------------------------------------------------
diff --git a/be/src/rpc/thrift-client.cc b/be/src/rpc/thrift-client.cc
index 085e92e..1f8d99e 100644
--- a/be/src/rpc/thrift-client.cc
+++ b/be/src/rpc/thrift-client.cc
@@ -24,6 +24,7 @@
 #include <gutil/strings/substitute.h>
 
 #include "util/network-util.h"
+#include "util/openssl-util.h"
 #include "util/time.h"
 
 #include "common/names.h"
@@ -46,8 +47,8 @@ ThriftClientImpl::ThriftClientImpl(const std::string& ipaddress, int
port, bool
         SSLProtoVersions::StringToProtocol(FLAGS_ssl_minimum_version, &version);
     if (init_status_.ok() && !SSLProtoVersions::IsSupported(version)) {
       string err =
-          Substitute("TLS ($0) version not supported (linked OpenSSL version is $1)",
-              version, SSLeay());
+          Substitute("TLS ($0) version not supported (maximum supported version is $1)",
+              version, MaxSupportedTlsVersion());
       init_status_ = Status(err);
     }
     if (!init_status_.ok()) return;

http://git-wip-us.apache.org/repos/asf/impala/blob/e32b2305/be/src/rpc/thrift-server.cc
----------------------------------------------------------------------
diff --git a/be/src/rpc/thrift-server.cc b/be/src/rpc/thrift-server.cc
index eaca699..75ad424 100644
--- a/be/src/rpc/thrift-server.cc
+++ b/be/src/rpc/thrift-server.cc
@@ -40,6 +40,7 @@
 #include "util/debug-util.h"
 #include "util/metrics.h"
 #include "util/network-util.h"
+#include "util/openssl-util.h"
 #include "util/os-util.h"
 #include "util/uid-util.h"
 
@@ -86,14 +87,20 @@ Status SSLProtoVersions::StringToProtocol(const string& in, SSLProtocol*
protoco
   return Status(Substitute("Unknown TLS version: '$0'", in));
 }
 
-#define OPENSSL_MIN_VERSION_WITH_TLS_1_1 0x10001000L
-
 bool SSLProtoVersions::IsSupported(const SSLProtocol& protocol) {
-  bool is_openssl_1_0_0_or_lower = (SSLeay() < OPENSSL_MIN_VERSION_WITH_TLS_1_1);
-  if (is_openssl_1_0_0_or_lower) return (protocol == TLSv1_0_plus);
-
-  // All other versions supported by OpenSSL 1.0.1 and later.
-  return true;
+  DCHECK_LE(protocol, TLSv1_2_plus);
+  int max_supported_tls_version = MaxSupportedTlsVersion();
+  DCHECK_GE(max_supported_tls_version, TLS1_VERSION);
+
+  switch (max_supported_tls_version) {
+    case TLS1_VERSION:
+      return protocol == TLSv1_0_plus || protocol == TLSv1_0;
+    case TLS1_1_VERSION:
+      return protocol != TLSv1_2_plus && protocol != TLSv1_2;
+    default:
+      DCHECK_GE(max_supported_tls_version, TLS1_2_VERSION);
+      return true;
+  }
 }
 
 bool EnableInternalSslConnections() {
@@ -376,8 +383,8 @@ Status ThriftServer::CreateSocket(boost::shared_ptr<TServerTransport>*
socket) {
   if (ssl_enabled()) {
     if (!SSLProtoVersions::IsSupported(version_)) {
       return Status(TErrorCode::SSL_SOCKET_CREATION_FAILED,
-          Substitute("TLS ($0) version not supported (linked OpenSSL version is $1)",
-                        version_, SSLeay()));
+          Substitute("TLS ($0) version not supported (maximum supported version is $1)",
+                        version_, MaxSupportedTlsVersion()));
     }
     try {
       // This 'factory' is only called once, since CreateSocket() is only called from

http://git-wip-us.apache.org/repos/asf/impala/blob/e32b2305/be/src/util/openssl-util.cc
----------------------------------------------------------------------
diff --git a/be/src/util/openssl-util.cc b/be/src/util/openssl-util.cc
index a8ec976..264a49a 100644
--- a/be/src/util/openssl-util.cc
+++ b/be/src/util/openssl-util.cc
@@ -43,6 +43,10 @@ static const int RNG_RESEED_INTERVAL = 128;
 // Number of bytes of entropy to add at RNG_RESEED_INTERVAL.
 static const int RNG_RESEED_BYTES = 512;
 
+int MaxSupportedTlsVersion() {
+  return SSLv23_method()->version;
+}
+
 // Callback used by OpenSSLErr() - write the error given to us through buf to the
 // stringstream that's passed in through ctx.
 static int OpenSSLErrCallback(const char* buf, size_t len, void* ctx) {

http://git-wip-us.apache.org/repos/asf/impala/blob/e32b2305/be/src/util/openssl-util.h
----------------------------------------------------------------------
diff --git a/be/src/util/openssl-util.h b/be/src/util/openssl-util.h
index 22f8235..67d014d 100644
--- a/be/src/util/openssl-util.h
+++ b/be/src/util/openssl-util.h
@@ -21,12 +21,31 @@
 #include <openssl/aes.h>
 #include <openssl/evp.h>
 #include <openssl/sha.h>
+#include <openssl/ssl.h>
 
 #include "common/status.h"
 
 namespace impala {
 
-#define OPENSSL_VERSION_1_0_1 0x1000100L
+// From https://github.com/apache/kudu/commit/b88117415a02699c12a6eacbf065c4140ee0963c
+//
+// Hard code OpenSSL flag values from OpenSSL 1.0.1e[1][2] when compiling
+// against OpenSSL 1.0.0 and below. We detect when running against a too-old
+// version of OpenSSL using these definitions at runtime so that Kudu has full
+// functionality when run against a new OpenSSL version, even if it's compiled
+// against an older version.
+//
+// [1]: https://github.com/openssl/openssl/blob/OpenSSL_1_0_1e/ssl/ssl.h#L605-L609
+// [2]: https://github.com/openssl/openssl/blob/OpenSSL_1_0_1e/ssl/tls1.h#L166-L172
+#ifndef TLS1_1_VERSION
+#define TLS1_1_VERSION 0x0302
+#endif
+#ifndef TLS1_2_VERSION
+#define TLS1_2_VERSION 0x0303
+#endif
+
+/// Returns the maximum supported TLS version available in the linked OpenSSL library.
+int MaxSupportedTlsVersion();
 
 /// Add entropy from the system RNG to OpenSSL's global RNG. Called at system startup
 /// and again periodically to add new entropy.
@@ -67,7 +86,9 @@ class IntegrityHash {
 class EncryptionKey {
  public:
   EncryptionKey() : initialized_(false) {
-    mode_ = SSLeay() < OPENSSL_VERSION_1_0_1 ? AES_256_CFB : AES_256_CTR;
+    // If TLS1.2 is supported, then we're on a verison of OpenSSL that supports
+    // AES-256-CTR.
+    mode_ = MaxSupportedTlsVersion() < TLS1_2_VERSION ? AES_256_CFB : AES_256_CTR;
   }
 
   /// Initialize a key for temporary use with randomly generated data. Reinitializes with


Mime
View raw message