Alexey Serbin has posted comments on this change. ( http://gerrit.cloudera.org:8080/16657 )

Change subject: Add option to enforce FIPS approved mode
......................................................................


Patch Set 4:

(1 comment)

http://gerrit.cloudera.org:8080/#/c/16657/4/src/kudu/security/openssl_util.cc
File src/kudu/security/openssl_util.cc:

http://gerrit.cloudera.org:8080/#/c/16657/4/src/kudu/security/openssl_util.cc@130
PS4, Line 130:   if (getenv("KUDU_REQUIRE_FIPS_MODE")) {
             :     CHECK(fips_mode) << ": FIPS mode require by environment 
variable "
             :                           "KUDU_REQUIRE_FIPS_MODE, but it is not 
enabled.";
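Review bot: the getenv("KUDU_REQUIRE_FIPS_MODE") test at line 130 only checks that the variable is present, so a value such as KUDU_REQUIRE_FIPS_MODE=0 or an empty string still triggers the CHECK. Either parse the value or document that presence alone turns enforcement on. The message text also has a typo: "FIPS mode require by" should read "FIPS mode required by".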
> That's what I'm not sure about. On one hand, it would make sense that it cr
I think there is a misunderstanding here.  The DisableOpenSSLInitialization() 
function doesn't have any semantics like 'Kudu should _trust_ that OpenSSL has 
been initialized properly before', no.  It simply means that Kudu should not 
try to init the library on its own because the initialization has already been 
done.  If you look around, you can see that Kudu doesn't particularly "trust" 
that the client initializes the library properly: there is a check in 
CheckOpenSSLInitialized() for properly installed locking callbacks: 
https://github.com/apache/kudu/blob/17d569b870e8fb3978a8c02bc1170057a42ca7cc/src/kudu/security/openssl_util.cc#L110-L112



--
To view, visit http://gerrit.cloudera.org:8080/16657

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I98a6a8b3330ea0b372b188690fadd4d312d8bf93
Gerrit-Change-Number: 16657
Gerrit-PatchSet: 4
Gerrit-Owner: Attila Bukor <[email protected]>
Gerrit-Reviewer: Alexey Serbin <[email protected]>
Gerrit-Reviewer: Andrew Wong <[email protected]>
Gerrit-Reviewer: Attila Bukor <[email protected]>
Gerrit-Reviewer: Grant Henke <[email protected]>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
Gerrit-Reviewer: Wenzhe Zhou <[email protected]>
Gerrit-Comment-Date: Wed, 28 Oct 2020 19:54:17 +0000
Gerrit-HasComments: Yes
