Alexey Serbin has posted comments on this change. ( http://gerrit.cloudera.org:8080/16659 )

Change subject: Add lock before verifying signature
......................................................................


Patch Set 6:

(1 comment)

http://gerrit.cloudera.org:8080/#/c/16659/6//COMMIT_MSG
Commit Message:

http://gerrit.cloudera.org:8080/#/c/16659/6//COMMIT_MSG@21
PS6, Line 21: OpenSSL locking callbacks are
            : properly registered too
Since this issue happens so far only in a FIPS-enabled OpenSSL library build, I'm 
curious what the status is of the FIPS-related callbacks set by the functions 
FIPS_set_locking_callbacks() and FIPS_crypto_set_id_callback() in relation to 
our custom callbacks installed here: 
https://github.com/apache/kudu/blob/ea1695885067dc5d39ad1f794a91a9d9e0540b1a/src/kudu/security/openssl_util.cc#L191

As you can see in 
https://github.com/openssl/openssl/blob/12ad22dd16ffe47f8cde3cddb84a160e8cdb3e30/crypto/o_init.c#L73-L91,
 there is some work to be done in FIPS mode upon calling OPENSSL_init().  We 
don't call such a function directly but it seems FIPS_mode() calls 
OPENSSL_init() within (I guess some other internal OpenSSL functions might call 
OPENSSL_init() as well).

I guess there might be some issues if the FIPS mode locking and thread id callbacks 
don't match the callbacks installed by our code referenced above.  Did you 
happen to look deeper into this by any chance?



--
To view, visit http://gerrit.cloudera.org:8080/16659

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Ifafc7dcf91db910123276b657515e410bb7f6fcd
Gerrit-Change-Number: 16659
Gerrit-PatchSet: 6
Gerrit-Owner: Attila Bukor <[email protected]>
Gerrit-Reviewer: Alexey Serbin <[email protected]>
Gerrit-Reviewer: Attila Bukor <[email protected]>
Gerrit-Reviewer: Grant Henke <[email protected]>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
Gerrit-Reviewer: Wenzhe Zhou <[email protected]>
Gerrit-Comment-Date: Thu, 29 Oct 2020 04:15:03 +0000
Gerrit-HasComments: Yes
