Make use of MD5 checksum optional for REPLICATION daemon

Description

In order to provide an upgrade path for HAD users, We need to make the use of MD5 checksums for replication optional in the Stable release. We will add a knob HAD_FIPS_MODE , which will default to 0. When this knob evaluates to non-zero, the REPLICATION daemon will use SHA-2 (SHA256) instead of MD5 as a checksum for files that it transfers.

After upgrading to 8.8.13 and before upgrading to 8.9.12/9.0, users of HAD should configure HAD_FIPS_MODE=1 to insure that replication still work after one side of the transfer no longer has access to MD5.

Activity

Show:
Jaime Frey
January 8, 2021, 8:29 PM

Code Review

The additional changes look good. Approved.

John (TJ) Knoeller
January 8, 2021, 8:14 PM
  • I added a buffer size argument as well as a data size argument

  • actually adding support for SHA-2 hashes other than SHA256 is left to the future.

  • code was here was lifted from Condor_MD_MAC::addMDFile which has the same memset.

  • fixed

Jaime Frey
January 6, 2021, 8:27 PM

Code Review

  • The caller of encode_hex() must ensure the output buffer is large enough to hold the data to be placed in it, which isn’t called out in a comment. Having the output be a C++ string would be safer.

  • In utilSafePutFile(), the arrays hash and file_hash must have compatible sizes, but they are declared in different locations and one location has a comment about supporting different sizes.

  • What is the purpose of the memset() in the loop reading the file and calculating the SHA-256 hash?

  • The dprintf() message "utilSafePutFile unable to send MAC" is missing a newline.

Time remaining

0m

Assignee

John (TJ) Knoeller