HPCC-33018 Expose chosen OpenSSL cryptography capabilities via a plugin

[jackdelv]

Type of change:

• This change is a bug fix (non-breaking change which fixes an issue).
• This change is a new feature (non-breaking change which adds functionality).
• This change improves the code (refactor or other change that does not change the functionality)
• This change fixes warnings (the fix does not alter the functionality or the generated code)
• This change is a breaking change (fix or feature that will cause existing behavior to change).
• This change alters the query API (existing queries will have to be recompiled)

Checklist:

• My code follows the code style of this project.
  • My code does not create any new warnings from compiler, build system, or lint.
• The commit message is properly formatted and free of typos.
  • The commit message title makes sense in a changelog, by itself.
  • The commit is signed.
• My change requires a change to the documentation.
  • I have updated the documentation accordingly, or...
  • I have created a JIRA ticket to update the documentation.
  • Any new interfaces or exported functions are appropriately commented.
• I have read the CONTRIBUTORS document.
• The change has been fully tested:
  • I have added tests to cover my changes.
  • All new and existing tests passed.
  • I have checked that this change does not introduce memory leaks.
  • I have used Valgrind or similar tools to check for potential issues.
• I have given due consideration to all of the following potential concerns:
  • Scalability
  • Performance
  • Security
  • Thread-safety
  • Cloud-compatibility
  • Premature optimization
  • Existing deployed queries will not be broken
  • This change fixes the problem, not just the symptom
  • The target branch of this pull request is appropriate for such a change.
• There are no similar instances of the same problem that should be addressed
  • I have addressed them here
  • I have raised JIRA issues to address them separately
• This is a user interface / front-end modification
  • I have tested my changes in multiple modern browsers
  • The component(s) render as expected

Smoketest:

• Send notifications about my Pull Request position in Smoketest queue.
• Test my draft Pull Request.

Testing:

[github-actions]

Jira Issue: https://hpccsystems.atlassian.net//browse/HPCC-33018

Jirabot Action Result:
Workflow Transition To: Merge Pending
Updated PR

[dcamper]

I stopped reviewing after I realized that there may be an issue with supporting passphrases for private keys.

Your RSA.Sign() test uses both the private key and a passphrase, and you indicate that it works. That implies that the key requires that passphrase. But, that key is used elsewhere without the passphrase, and it also appears to work. That isn't right; something should be failing.

Take a look at that, please.

[dcamper]

Make the ECL version of the arguments friendly: indata andhash_name (no leading underscores).

Thought: Would it be worthwhile to settle on an argument name of "algorithm_name" (or something, as long as it is consistent) everywhere that argument is used? Thinking of matching the "AvailableAlgorithms()" naming....

[jackdelv]

I think it is worthwhile to make the argument name consistent everywhere. I have set it to "algorithm_name."

[dcamper]

It looks like a 'replace all' event went wrong here.

[jackdelv]

Fixed.

[dcamper]

This function should permit passing a passphrase for the private key, like RSA.Sign().

[jackdelv]

Added passphrase parameter.

[dcamper]

This function should permit passing a passphrase for the private key, like RSA.Sign().

[jackdelv]

Added passphrase parameter.

[dcamper]

Public keys don't have passphrases.

[jackdelv]

Removed passphrase parameter from VerifySignature.

[dcamper]

Was RSA_PRIVATE_1 created with a non-empty passphrase? If not then I don't see how this could work.

[jackdelv]

It was accepting the passphrase parameter, but not doing anything with it. The passphrase is now used and I have added RSA_PRIVATE_2 that was created with a non-empty passphrase to test.

[dcamper]

Looking pretty good! Just a few changes for this round.

[dcamper]

Let's make algorithm_name default to 'sha256'. That is the most common hash algorithm for signing. Remember to adjust the @param doc accordingly.

[jackdelv]

Changed default to value to sha256.

[dcamper]

Same as with Sign(): Set the default value of algorithm_name to 'sha256' and adjust the @param doc.

[jackdelv]

Fixed.

[dcamper]

Question: Why not use the triple-apostrophe multi-line quote scheme for these big PEM keys? It's fine the way it is, just asking.

[jackdelv]

When using the triple-apostrophe syntax, the regression test would fail inside PEM_read_bio_PrivateKey with "Error: -1: Error within loading a pkey: error:1E08010C:DECODER routines::unsupported", but worked just fine using the other syntax.

[dcamper]

I've asked Gavin for recommendations on how to test this. Trapping rtlFail() can be difficult, if not impossible.

[dcamper]

It appears that it isn't possible to cleanly capture a failure that throws an exception. My advice is to leave the failure tests in the file, commented-out, along with a comment describing why they are commented-out.

[jackdelv]

Added an explanation to the test.

[dcamper]

I just realized that the MODULEs I defined need the best. Existing structure is:

OpenSSL
    Digest
        AvailableAlgorithms()
        Hash()
    Ciphers
        AvailableAlgorithms()
        IVSize()
        SaltSize()
        Encrypt()
        Decrypt()
    RSA
        Seal()
        Unseal()
        Encrypt()
        Decrypt()
        Sign()
        VerifySignature()

New structure should be:

OpenSSL
    Digest
        AvailableAlgorithms()
        Hash()
    Cipher *
        AvailableAlgorithms()
        IVSize()
        SaltSize()
        Encrypt()
        Decrypt()
    PublicKey *
        RSASeal() *
        RSAUnseal() *
        Encrypt()
        Decrypt()
        Sign()
        VerifySignature()

Asterisks indicate changes.

[jackdelv]

Fixed.

[dcamper]

This public key may not be RSA; it could be ECC. I think you should check for 'contains "PUBLIC KEY-----"' (not sure about the dashes).

[jackdelv]

Added a function isPublicKey to check the string for "PUBLIC KEY-----".

[dcamper]

The 'rsaSign' is a misnomer, because you can sign with other public key types. This may need alteration elsewhere in the code as well.

Technically, there is a subset of public key types that can be used for signing. We can let OpenSSL generate an error message if necessary; no need to explicitly check. For reference:

Only EVP_PKEY types that support signing can be used with these functions. This includes MAC algorithms where the MAC generation is considered as a form of "signing". Built-in EVP_PKEY types supported by these functions are CMAC, Poly1305, DSA, ECDSA, HMAC, RSA, SipHash, Ed25519 and Ed448.

[jackdelv]

Removed RSA naming from Sign and VerifySignature and changed the modulename to PublicKey

[dcamper]

Suggest renaming this function because it is not RSA-specific.

[jackdelv]

Changed to pkSign as part of the Public Key module.

[dcamper]

Suggest renaming this function because it is not RSA-specific.

[jackdelv]

Changed to pkVerifySignature

[dcamper]

Looks good. Approving, but I would ask that you make the trivial changes I noted.

[dcamper]

We did some renaming, so this Unseal() was changed to RSAUnseal(). Check all other @see functions as well.

[jackdelv]

Fixed the @see functions in the comments.

[dcamper]

Looks like you need a final linefeed in the file.

[jackdelv]

Added a linefeed.

[ghalliday]

Generally looks good. A comment about the name of the plugin, an object leak and a few scattered comments about style.

[ghalliday]

I suspect a different name would be better, otherwise it is confusing whether it means the real openssl library. sslservices?

[jackdelv]

Changed to sslservices. The toplevel std/OpenSSL.ecl file is still named OpenSSl. Should that be renamed as well e.g. SSL.ecl?

[ghalliday]

Is this needed? Do the regression tests work on windows?

[jackdelv]

I'm not sure if it is required. I added it to stay consistent with cryptolib and fileservices.

I also don't think it works on windows because it expects 'ecl' to be installed. I haven't tried doing a windows build though.

[ghalliday]

I think these will never be freed. Should this be using a unique_ptr in the tuple?

[jackdelv]

The algorithms and digests are allocated by OPENSSL_init_crypto, and generally, they are freed when the application exits. They can be explicitly freed by a call to OPENSSL_cleanup, but that is discouraged in the documentation. I think it is currently correct.

[ghalliday]

minor: ; not needed after a function definition (and in other places)

[jackdelv]

Fixed.

[ghalliday]

You can use unique_ptr to avoid having to explicitly delete the associated items. (Or create a wrapper class.)

[jackdelv]

Changed to use unique_ptr.

[ghalliday]

This may trigger warnings from scanning rules about private keys being exported in public repositories.... I'm not quite sure what the best solution idea is.

[jackdelv]

The TestCrypto_PKE.ecl Includes a private key the same way for testing. I'm not sure if there is a better way either.

[ghalliday]

minor: A general point, for free, delete and rtlFree it is legal to pass a null ptr, and it is defined to do nothing - so no need to check first.

[jackdelv]

Removed checks around rtlFree.

[ghalliday]

minor: You could use
enryptedKeys = new byte * [keyCount];
and
delete [] encryptedKeys;

rtlMalloc and rtlFree need to be used for allocated data that is returned from the function. The reason is to avoid conflicts between the debug and release versions of the c++ library.

[jackdelv]

Changed to use new/delete syntax instead of rtlMalloc/rtlFree.

[ghalliday]

general: Use size32_t for the sizes of objects that are never going to be ridiculously large, size_t for full compatibility. Same in various other places.

[jackdelv]

Changed to use size32_t instead of int in most places.

[ghalliday]

Should this be size32_t rather than size_t? All ecl structures are 32 bit lengths. Another alternative if it is not read from ecl, you could use appendPacked()

[jackdelv]

I think this should be size32_t.

[ghalliday]

Thanks jack, a few more comments.

[ghalliday]

I don't think this is used

[jackdelv]

Removed unused variable.

[ghalliday]

may need to cast passPhraseBufSize to size32_t to avoid complains about mixing signed and unsigned in a comparison

[jackdelv]

Added cast to size32_t for passPhraseBufSize.

[ghalliday]

this should be unsigned. size32_t is only used for numbers of bytes - not arbitrary counts.

[jackdelv]

Changed to unsigned.

[ghalliday]

same comment about unsigned here

[jackdelv]

Fixed. Also reverted the hash to an unsigned since it is not a number of bytes.

[ghalliday]

cleanup: you can use a typedef/using to declare a type for a unique Pkey, which simplifies the code when adding to the cache

[jackdelv]

Added typedef.

[ghalliday]

multi-threading: What happens if there are lots of calls to resolve items in the cache from other threads - so this item is evicted (and deleted) as soon as the function returns. May require a shared pointer.

[jackdelv]

I don't think that is an issue since the caches are initialized with a thread_local storage specifier. Should the caches be shared among multiple threads?

[ghalliday]

I think this needs to be clearly documented as a comment on the class. The cached results cannot be relied on if it is called from multiple threads.

[jackdelv]

Added note to caches.

[ghalliday]

Slightly too enthusiastic replacement of int!

[jackdelv]

Fixed.

[ghalliday]

This is a case where using int is probably correct - because that is the type required by the api you are calling. (technically the reinterpret cast is undefined behaviour.)

[jackdelv]

Changed cases where the type is required by the api to use that type.

[ghalliday]

You still need to iterate and delete the encryptedKeys

[jackdelv]

Fixed.

[ghalliday]

Only fixed in the catch{} block - it needs similar code here.

[jackdelv]

Fixed in try block.

[ghalliday]

same comment about int being correct for this call/instance

[jackdelv]

Fixed.

[jackdelv]

@ghalliday Fixed those issues and had one question about the storage class of the caches.

[jackdelv]

Removed unused variable.

[jackdelv]

Added cast to size32_t for passPhraseBufSize.

[jackdelv]

Changed to unsigned.

[jackdelv]

Fixed. Also reverted the hash to an unsigned since it is not a number of bytes.

[jackdelv]

Added typedef.

[jackdelv]

Fixed.

[jackdelv]

Changed cases where the type is required by the api to use that type.

[jackdelv]

Fixed.

[jackdelv]

Fixed.

[jackdelv]

I don't think that is an issue since the caches are initialized with a thread_local storage specifier. Should the caches be shared among multiple threads?

[ghalliday]

A few comments about the thread safety of the caches. Something to discuss with Dan whether it is best to have per thread caches, or one shared cache.
If they are per thread, then the initialisation all needs to happen in the constructor, and clean up in the destructor. If one shared, then the returned object's lifetime needs more thought.

[ghalliday]

Do these objects need cleaning up? I suspect not, but please confirm.

[jackdelv]

No, the lists of ciphers/digests are populated at initialization and cleaned up automatically by OpenSSL.

[ghalliday]

minor: Safer/cleaner to have default initialisers on the member variables. They should be initialised in the (implicit or explicit) constructor

[jackdelv]

Added default initializer to cache member variables.

[ghalliday]

If these are thread-local variables you cannot rely on calling init.

[jackdelv]

Removed init functions and moved logic to constructor and added default initializers.

[ghalliday]

This would be better logged as a metric, with text that is machine readable. Something along the lines of ...:

LOG(MCmonitorMetric, "{ \"type\": \"metric\", \"name\": \"sslServiceCache%s\", \"hits\": \"%u\", \"misses\": \"%u\" }", cacheName.c_str(), hits, misses);

There is only one other place that currently does this, but it would be good to switch all existing equivalents to a similar pattern. It would be worth rationalising the format.

[jackdelv]

Removed printStatistics functions and change to LOG call in the destructor.

[ghalliday]

Interesting, I didn't know you could do this...

[ghalliday]

Only fixed in the catch{} block - it needs similar code here.

[ghalliday]

same potential problem with large numbers of keys, and cache size.

[jackdelv]

I don't think this is the same issue because there is only a single key checked out from the cache to compare to the encrypted public keys stored in the _ciphertext.

[ghalliday]

Can you directly return from plaintext.detachOwn() and avoid a clone?

[jackdelv]

Fixed and removed clone MemoryBuffer.

[ghalliday]

I think this needs to be clearly documented as a comment on the class. The cached results cannot be relied on if it is called from multiple threads.

[ghalliday]

This is only going to work for hthor - because the caches are threaded local. Even then there are situations where it will display nothing.

[dcamper]

A few comments about the thread safety of the caches. Something to discuss with Dan whether it is best to have per thread caches, or one shared cache. If they are per thread, then the initialisation all needs to happen in the constructor, and clean up in the destructor. If one shared, then the returned object's lifetime needs more thought.

I had originally suggested that Jack implement thread-local caches. This is one of the (few) cases where I think the overhead of thread-safety via locks outweighs the savings of globally caching constructed objects. Considerations included: cached objects are usually quite small; there will typically be very few objects in any particular run (there won't be much switching between algorithms or keys during a job, for instance); and crypto calls will generally be applied en masse to large data in a TRANSFORM (as opposed to one-off calls at the top level of a BWR).

[jackdelv]

@ghalliday I had a couple questions that I left for you in the comments. Back to you.

[ghalliday]

@jackdelv looks good. Please can you squash ready for merging.

[ghalliday]

trivial: could now be deleted.

[github-actions]

Jira Issue: https://hpccsystems.atlassian.net//browse/HPCC-33018

Jirabot Action Result:
Workflow Transition To: Merge Pending

[jackdelv]

@ghalliday Squashed.

[github-actions]

Jirabot Action Result:
Added fix version: 9.10.0
Workflow Transition: 'Resolve issue'