Alexey Serbin has posted comments on this change. ( http://gerrit.cloudera.org:8080/16659 )

Change subject: KUDU-3210 Add lock before verifying signature
......................................................................


Patch Set 6:

(2 comments)

http://gerrit.cloudera.org:8080/#/c/16659/6//COMMIT_MSG
Commit Message:

http://gerrit.cloudera.org:8080/#/c/16659/6//COMMIT_MSG@21
PS6, Line 21: OpenSSL locking callbacks are
            : properly registered too
> fips.h is not exposed as part of the public API so unfortunately, I can't c
I'm suggesting to try using the same locking callbacks for both FIPS and 
regular OpenSSL callbacks, basically switching to the CRYPTO_lock() function 
from OpenSSL instead of our own LockingCB().

I suspect that all those race-related issues happen because different locking 
callbacks are used where they are supposed to be the same.


http://gerrit.cloudera.org:8080/#/c/16659/3/src/kudu/security/tls_handshake.cc
File src/kudu/security/tls_handshake.cc:

http://gerrit.cloudera.org:8080/#/c/16659/3/src/kudu/security/tls_handshake.cc@101
PS3, Line 101:   DCHECK(n == recv.size() || (n == -1 && recv.empty()));
             :   DCHECK_EQ(BIO_ctrl_pending(rbio), recv.size());
             :
> BIO_write() and BIO_read() use a memory-based BIO. From what I gather, the
I guess BIO_write() and BIO_read() are an API to abstract the actual IO happening 
under the hood.  It might be memory-based, file-based, whatever.  This page 
https://www.openssl.org/docs/manmaster/man3/BIO_write.html explicitly discusses 
blocking and non-blocking sockets.  Yes, you are right: here they are used with 
memory-based IO.

However, the actual TLS/SSL handshake is performed by the SSL_do_handshake() 
function, and I guess it has access to all the sockets it needs: 
https://www.openssl.org/docs/manmaster/man3/SSL_do_handshake.html  Here you can 
see how TlsHandshake::Continue() is used to run the TLS handshake, and that 
involves actual network IO, I guess: 
https://github.com/apache/kudu/blob/ea1695885067dc5d39ad1f794a91a9d9e0540b1a/src/kudu/security/tls_handshake-test.cc#L90-L128

I'm not buying the tcpdump observations you mentioned, sorry.



--
To view, visit http://gerrit.cloudera.org:8080/16659
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Ifafc7dcf91db910123276b657515e410bb7f6fcd
Gerrit-Change-Number: 16659
Gerrit-PatchSet: 6
Gerrit-Owner: Attila Bukor <[email protected]>
Gerrit-Reviewer: Alexey Serbin <[email protected]>
Gerrit-Reviewer: Attila Bukor <[email protected]>
Gerrit-Reviewer: Grant Henke <[email protected]>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
Gerrit-Reviewer: Wenzhe Zhou <[email protected]>
Gerrit-Comment-Date: Thu, 29 Oct 2020 18:59:28 +0000
Gerrit-HasComments: Yes
