From 647f31feaf8a3fb6bf251b39fae4828ffb275512 Mon Sep 17 00:00:00 2001
From: Billy Lynch
Date: Thu, 17 Oct 2024 15:22:51 -0400
Subject: [PATCH 1/4] ambex: Remove usage of md5
When trying to run emissary in crypto-restricted environments (e.g. FIPS), usage of md5 can be problematic:
```
time="2024-10-17 19:20:29.7063" level=error msg="shut down with error error: PANIC: openssl: MD5 failed" func=github.com/emissary-ingress/emissary/v3/pkg/busy.Main file="github.com/emissary-ingress/emissary/v3/pkg/busy/busy.go:87" CMD=entrypoint PID=1
```
This replaces the usage with xxhash, which should avoid usage of unsupport crypto libraries, but keep the deterministic behavior.
Signed-off-by: Billy Lynch
(cherry picked from commit f1b539c92c901a50e662bb0c2392cfaab214b810)
---
 CHANGELOG.md | 2 ++
 go.mod | 2 +-
 pkg/ambex/transforms.go | 11 ++++++-----
 pkg/ambex/transforms_test.go | 2 +-
 4 files changed, 10 insertions(+), 7 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3b5388391d..3c33c9c4f9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -107,6 +107,8 @@ it will be removed; but as it won't be user-visible this isn't considered a brea instead of the Mapping name, which could reduce the cache's effectiveness. This has been fixed so that the correct key is used. ([Incorrect Cache Key for Mapping]) +- Change: Changed Ambex suffix hashing algorithm to use xxhash64 instead of md5. + [Incorrect Cache Key for Mapping]: https://github.com/emissary-ingress/emissary/issues/5714 ## [3.9.0] November 13, 2023
diff --git a/go.mod b/go.mod
index aff5f28791..2337d11267 100644
--- a/go.mod
+++ b/go.mod
@@ -83,6 +83,7 @@ require (
 github.com/Masterminds/sprig v2.22.0+incompatible
 github.com/cenkalti/backoff/v4 v4.2.1
 github.com/census-instrumentation/opencensus-proto v0.4.1
+ github.com/cespare/xxhash/v2 v2.2.0
 github.com/cncf/xds/go v0.0.0-20230607035331-e9ce68804cb4
 github.com/datawire/dlib v1.3.1
 github.com/datawire/dtest v0.0.0-20210928162311-722b199c4c2f
@@ -146,7 +147,6 @@ require (
 github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
 github.com/beorn7/perks v1.0.1 // indirect
 github.com/blang/semver/v4 v4.0.0 // indirect
- github.com/cespare/xxhash/v2 v2.2.0 // indirect
 github.com/chai2010/gettext-go v1.0.2 // indirect
 github.com/cloudflare/circl v1.3.7 // indirect
 github.com/cyphar/filepath-securejoin v0.2.4 // indirect
diff --git a/pkg/ambex/transforms.go b/pkg/ambex/transforms.go
index cb1e0bf943..76eef6298e 100644
--- a/pkg/ambex/transforms.go
+++ b/pkg/ambex/transforms.go
@@ -3,12 +3,12 @@ package ambex
 import (
 // standard library
 "context"
- "crypto/md5"
- "encoding/hex"
 "encoding/json"
 "fmt"
+ "strconv"
 // third-party libraries
+ "github.com/cespare/xxhash/v2"
 "google.golang.org/protobuf/proto"
 "google.golang.org/protobuf/types/known/anypb"
@@ -146,9 +146,10 @@ func V3ListenerToRdsListener(lnr *v3listener.Listener) (*v3listener.Listener, []
 // associated with a given listener.
 filterChainMatch, _ := json.Marshal(fc.GetFilterChainMatch())
- // Use MD5 because it's decently fast and cryptographic security isn't needed.
- matchHash := md5.Sum(filterChainMatch)
- matchKey := hex.EncodeToString(matchHash[:])
+ // Use xxhash64 because it's decently fast and cryptographic security isn't needed.
+ h := xxhash.New()
+ h.Write(filterChainMatch)
+ matchKey := strconv.FormatUint(h.Sum64(), 16)
 rc.Name = fmt.Sprintf("%s-routeconfig-%s-%d", l.Name, matchKey, matchKeyIndex[matchKey])
diff --git a/pkg/ambex/transforms_test.go b/pkg/ambex/transforms_test.go
index 2048496a52..3a55cd65bc 100644
--- a/pkg/ambex/transforms_test.go
+++ b/pkg/ambex/transforms_test.go
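Review bot: The three new lines `h := xxhash.New()` / `h.Write(filterChainMatch)` / `matchKey := strconv.FormatUint(h.Sum64(), 16)` can be a single expression, `matchKey := fmt.Sprintf("%016x", xxhash.Sum64(filterChainMatch))`, which avoids the unchecked `Write` return and keeps the suffix at a fixed 16 hex digits. As written, `strconv.FormatUint(.., 16)` drops leading zeros, so a digest below 2^60 yields a shorter name than the 16-character `29865f40cbcf32dc` pinned in the test, and route config names stop being uniformly sized the way the 32-character md5 hex was. The replaced comment would also be more useful if it said why a non-cryptographic 64-bit hash is acceptable here: two distinct matches that collide still get distinct names only through the `-%d` suffix, which presumably relies on `matchKeyIndex[matchKey]` being advanced after each use outside the hunk — worth confirming. The enclosing V3ListenerToRdsListener starts and ends outside the hunk.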
@@ -78,7 +78,7 @@ func TestV3ListenerToRdsListener(t *testing.T) {
 for i, rc := range routes {
 // Confirm that the route name was transformed to the hashed version
- assert.Equal(t, fmt.Sprintf("emissary-ingress-listener-8080-routeconfig-8c82e45fa3f94ab4e879543e0a1a30ac-%d", i), rc.GetName())
+ assert.Equal(t, fmt.Sprintf("emissary-ingress-listener-8080-routeconfig-29865f40cbcf32dc-%d", i), rc.GetName())
 // Make sure the virtual hosts are unmodified
 virtualHosts := rc.GetVirtualHosts()
From 7d3f7a905a00925ff3256e0de8f1da18d26dacd9 Mon Sep 17 00:00:00 2001
From: Alice Wasko
Date: Sun, 20 Oct 2024 15:02:10 -0700
Subject: [PATCH 2/4] update release notes
Signed-off-by: Alice Wasko
---
 CHANGELOG.md | 3 ++-
 docs/releaseNotes.yml | 8 ++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3c33c9c4f9..29edef7773 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -107,9 +107,10 @@ it will be removed; but as it won't be user-visible this isn't considered a brea instead of the Mapping name, which could reduce the cache's effectiveness. This has been fixed so that the correct key is used. ([Incorrect Cache Key for Mapping]) -- Change: Changed Ambex suffix hashing algorithm to use xxhash64 instead of md5. +- Change: Ambex now uses xxhash64 instead of md5 for hashing. ([ambex: Remove usage of md5]) [Incorrect Cache Key for Mapping]: https://github.com/emissary-ingress/emissary/issues/5714 +[ambex: Remove usage of md5]: https://github.com/emissary-ingress/emissary/pull/5794 ## [3.9.0] November 13, 2023 [3.9.0]: https://github.com/emissary-ingress/emissary/compare/v3.8.0...v3.9.0
diff --git a/docs/releaseNotes.yml b/docs/releaseNotes.yml
index 98172ee72f..3e852a4d24 100644
--- a/docs/releaseNotes.yml
+++ b/docs/releaseNotes.yml
@@ -68,6 +68,14 @@ items: - title: "Incorrect Cache Key for Mapping" link: https://github.com/emissary-ingress/emissary/issues/5714 + - title: Changed Ambex suffix hashing algorithm + type: change + body: >- + Ambex now uses xxhash64 instead of md5 for hashing. + github: + - title: "ambex: Remove usage of md5" + link: https://github.com/emissary-ingress/emissary/pull/5794 + - version: 3.9.0 prevVersion: 3.8.0 date: '2023-11-13' From 88cf6986b5e44da9900fc750ada0600b4286e941 Mon Sep 17 00:00:00 2001 From: Alice Wasko Date: Sun, 20 Oct 2024 15:02:51 -0700 Subject: [PATCH 3/4] update dependencies Signed-off-by: Alice Wasko --- DEPENDENCIES.md | 62 +++++++++++++++---------------- tools/src/py-mkopensource/main.go | 4 +- 2 files changed, 33 insertions(+), 33 deletions(-) diff --git a/DEPENDENCIES.md b/DEPENDENCIES.md index 009922d291..334fdbff28 100644 --- a/DEPENDENCIES.md +++ b/DEPENDENCIES.md 
@@ -180,34 +180,34 @@ following Free and Open Source software: The Emissary-ingress Python code makes use of the following Free and Open Source libraries: - Name Version License(s) - ---- ------- ---------- - Cython 0.29.37 Apache License 2.0 - Flask 3.0.3 3-clause BSD license - Jinja2 3.1.4 3-clause BSD license - MarkupSafe 2.1.5 3-clause BSD license - PyYAML 6.0.1 MIT license - Werkzeug 3.0.3 3-clause BSD license - blinker 1.8.2 MIT license - build 1.2.1 MIT license - certifi 2024.2.2 Mozilla Public License 2.0 - charset-normalizer 3.3.2 MIT license - click 8.1.7 3-clause BSD license - durationpy 0.6 MIT license - expiringdict 1.2.2 Apache License 2.0 - gunicorn 22.0.0 MIT license - idna 3.7 3-clause BSD license - itsdangerous 2.2.0 3-clause BSD license - jsonpatch 1.33 3-clause BSD license - jsonpointer 2.4 3-clause BSD license - orjson 3.10.3 Apache License 2.0, MIT license - packaging 23.1 2-clause BSD license, Apache License 2.0 - pip-tools 7.3.0 3-clause BSD license - prometheus_client 0.20.0 Apache License 2.0 - pyparsing 3.0.9 MIT license - pyproject_hooks 1.1.0 MIT license - python-json-logger 2.0.7 2-clause BSD license - requests 2.31.0 Apache License 2.0 - semantic-version 2.10.0 2-clause BSD license - typing_extensions 4.11.0 Python Software Foundation license - urllib3 2.2.1 MIT license + Name Version License(s) + ---- ------- ---------- + Cython 0.29.37 Apache License 2.0 + Flask 3.0.3 3-clause BSD license + Jinja2 3.1.4 3-clause BSD license + MarkupSafe 2.1.5 3-clause BSD license + PyYAML 6.0.1 MIT license + Werkzeug 3.0.3 3-clause BSD license + blinker 1.8.2 MIT license + build 1.2.2.post1 MIT license + certifi 2024.2.2 Mozilla Public License 2.0 + charset-normalizer 3.3.2 MIT license + click 8.1.7 3-clause BSD license + durationpy 0.6 MIT license + expiringdict 1.2.2 Apache License 2.0 + gunicorn 22.0.0 MIT license + idna 3.7 3-clause BSD license + itsdangerous 2.2.0 3-clause BSD license + jsonpatch 1.33 3-clause BSD license + jsonpointer 2.4 
3-clause BSD license + orjson 3.10.3 Apache License 2.0, MIT license + packaging 23.1 2-clause BSD license, Apache License 2.0 + pip-tools 7.3.0 3-clause BSD license + prometheus_client 0.20.0 Apache License 2.0 + pyparsing 3.0.9 MIT license + pyproject_hooks 1.2.0 MIT license + python-json-logger 2.0.7 2-clause BSD license + requests 2.31.0 Apache License 2.0 + semantic-version 2.10.0 2-clause BSD license + typing_extensions 4.11.0 Python Software Foundation license + urllib3 2.2.1 MIT license diff --git a/tools/src/py-mkopensource/main.go b/tools/src/py-mkopensource/main.go index f323b8ab64..dc7cdd4958 100644 --- a/tools/src/py-mkopensource/main.go +++ b/tools/src/py-mkopensource/main.go @@ -34,7 +34,7 @@ func parseLicenses(name, version, license string) map[License]struct{} { // that a human has to go make sure that the license didn't // change when upgrading. {"blinker", "1.8.2", ""}: {MIT}, - {"build", "1.2.1", ""}: {MIT}, + {"build", "1.2.2.post1", ""}: {MIT}, {"CacheControl", "0.12.6", "UNKNOWN"}: {Apache2}, {"CacheControl", "0.12.10", "UNKNOWN"}: {Apache2}, {"Click", "7.0", "BSD"}: {BSD3}, @@ -62,7 +62,7 @@ func parseLicenses(name, version, license string) map[License]struct{} { {"pyasn1-modules", "0.3.0", "BSD"}: {BSD2}, {"pycparser", "2.20", "BSD"}: {BSD3}, {"pyparsing", "3.0.9", ""}: {MIT}, - {"pyproject_hooks", "1.1.0", ""}: {MIT}, + {"pyproject_hooks", "1.2.0", ""}: {MIT}, {"python-dateutil", "2.8.1", "Dual License"}: {BSD3, Apache2}, {"python-dateutil", "2.8.2", "Dual License"}: {BSD3, Apache2}, {"python-json-logger", "2.0.7", "BSD"}: {BSD2}, From 803ee3bff7b457258e8390266b2c522760ad45e3 Mon Sep 17 00:00:00 2001 From: Alice Wasko Date: Sun, 20 Oct 2024 15:10:41 -0700 Subject: [PATCH 4/4] fix linting errors Signed-off-by: Alice Wasko --- pkg/ambex/transforms.go | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/pkg/ambex/transforms.go b/pkg/ambex/transforms.go index 76eef6298e..bdd225f2c7 100644 --- a/pkg/ambex/transforms.go 
+++ b/pkg/ambex/transforms.go
@@ -148,7 +149,9 @@ func V3ListenerToRdsListener(lnr *v3listener.Listener) (*v3listener.Listener, []
 // Use xxhash64 because it's decently fast and cryptographic security isn't needed.
 h := xxhash.New()
- h.Write(filterChainMatch)
+ if _, err := h.Write(filterChainMatch); err != nil {
+ return nil, nil, fmt.Errorf("xxhash write error: %w", err)
+ }
 matchKey := strconv.FormatUint(h.Sum64(), 16)
 rc.Name = fmt.Sprintf("%s-routeconfig-%s-%d", l.Name, matchKey, matchKeyIndex[matchKey])
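Review bot: The added error branch around `h.Write(filterChainMatch)` is unreachable: `xxhash.Digest.Write` is documented to always return `len(b), nil`, so the check only satisfies the linter and adds a return path the function can never take. The one-call form `matchKey := strconv.FormatUint(xxhash.Sum64(filterChainMatch), 16)` keeps the linter quiet without the dead branch and lets the `h := xxhash.New()` line go. If the explicit check is kept, the wrapped message should say what this layer was doing rather than name the library, e.g. `fmt.Errorf("hashing filter chain match for listener %q: %w", l.Name, err)`. V3ListenerToRdsListener's body continues outside the hunk on both sides.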