src: add proper mutexes for accessing FIPS state#42278
Merged
Uh oh!
There was an error while loading. Please reload this page.
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters
The FIPS state handling and OpenSSL initialization code makes accesses to global OpenSSL state without any protection against parallel modifications from multiple threads. This commit adds such protections.
Collaborator
nodejs-github-bot commented Mar 10, 2022
Review requested:
|
nodejs-github-bot added c++ 
addaleax commented Mar 10, 2022
src/crypto/crypto_util.cc Outdated
Comment on lines 222 to 223
| // TODO: This should not be possible to set from worker threads. | ||
| // CHECK(env->owns_process_state()); |
MemberAuthor
There was a problem hiding this comment.
Left out because this could be seen as a semver-major change. If we don’t think it’s semver-major, I’m happy to add this as well.
Member
There was a problem hiding this comment.
Is it worth doing this for Node.js 18 as a semver-major anyway?
MemberAuthor
There was a problem hiding this comment.
Yeah, sure. It’s just not quite as important and I didn’t want to make this PR one that wouldn’t be backported.
addaleax added request-ci 
github-actionsbot removed the request-ci This comment was marked as outdated.
This comment was marked as outdated.
| // Protect accesses to FIPS state with a mutex. This should potentially | ||
| // be part of a larger mutex for global OpenSSL state. | ||
| static Mutex fips_mutex; |
Member
There was a problem hiding this comment.
This makes sense for semantic reasons, but is my understanding correct that this is technically not required since per_process::cli_options_mutex will already guarantee mutually exclusive access whenever fips_mutex is used?
MemberAuthor
There was a problem hiding this comment.
Yes, that is correct as far as the current state of this PR is concerned. 👍
tniessen approved these changes Mar 10, 2022
Member
tniessen left a comment
tniessen left a comment There was a problem hiding this comment.
LGTM with or without fips_mutex.
richardlau approved these changes Mar 10, 2022
tniessen added the author ready This comment was marked as outdated.
This comment was marked as outdated.
jasnell approved these changes Mar 10, 2022
16 tasks
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
15 tasks
This comment was marked as outdated.
This comment was marked as outdated.
Member
tniessen commented Mar 12, 2022
I have no idea what's going on with arm CI... |
17 tasks
This comment was marked as outdated.
This comment was marked as outdated.
RaisinTen approved these changes Mar 13, 2022
28 tasks
8 tasks
github-actionsbot removed the request-ci Collaborator
nodejs-github-bot commented Apr 3, 2022
Collaborator
nodejs-github-bot commented Apr 3, 2022
Collaborator
nodejs-github-bot commented Apr 3, 2022
richardlau added the commit-queue nodejs-github-bot removed the commit-queue Collaborator
nodejs-github-bot commented Apr 3, 2022
Landed in 1c69dfe |
9 tasks
Member
richardlau commented Apr 4, 2022
|
13 tasks
juanarbol pushed a commit to juanarbol/node that referenced this pull request Apr 5, 2022
The FIPS state handling and OpenSSL initialization code makes accesses to global OpenSSL state without any protection against parallel modifications from multiple threads. This commit adds such protections. PR-URL: nodejs#42278 Reviewed-By: Tobias Nießen <[email protected]> Reviewed-By: Richard Lau <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Darshan Sen <[email protected]>
11 tasks
juanarbol pushed a commit that referenced this pull request Apr 6, 2022
The FIPS state handling and OpenSSL initialization code makes accesses to global OpenSSL state without any protection against parallel modifications from multiple threads. This commit adds such protections. PR-URL: #42278 Reviewed-By: Tobias Nießen <[email protected]> Reviewed-By: Richard Lau <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Darshan Sen <[email protected]>
17 tasks
xtx1130 pushed a commit to xtx1130/node that referenced this pull request Apr 25, 2022
The FIPS state handling and OpenSSL initialization code makes accesses to global OpenSSL state without any protection against parallel modifications from multiple threads. This commit adds such protections. PR-URL: nodejs#42278 Reviewed-By: Tobias Nießen <[email protected]> Reviewed-By: Richard Lau <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Darshan Sen <[email protected]>
juanarbol pushed a commit that referenced this pull request May 31, 2022
The FIPS state handling and OpenSSL initialization code makes accesses to global OpenSSL state without any protection against parallel modifications from multiple threads. This commit adds such protections. PR-URL: #42278 Reviewed-By: Tobias Nießen <[email protected]> Reviewed-By: Richard Lau <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Darshan Sen <[email protected]>
danielleadams pushed a commit that referenced this pull request Jun 27, 2022
The FIPS state handling and OpenSSL initialization code makes accesses to global OpenSSL state without any protection against parallel modifications from multiple threads. This commit adds such protections. PR-URL: #42278 Reviewed-By: Tobias Nießen <[email protected]> Reviewed-By: Richard Lau <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Darshan Sen <[email protected]>
targos pushed a commit that referenced this pull request Jul 11, 2022
The FIPS state handling and OpenSSL initialization code makes accesses to global OpenSSL state without any protection against parallel modifications from multiple threads. This commit adds such protections. PR-URL: #42278 Reviewed-By: Tobias Nießen <[email protected]> Reviewed-By: Richard Lau <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Darshan Sen <[email protected]>
guangwong pushed a commit to noslate-project/node that referenced this pull request Oct 10, 2022
The FIPS state handling and OpenSSL initialization code makes accesses to global OpenSSL state without any protection against parallel modifications from multiple threads. This commit adds such protections. PR-URL: nodejs/node#42278 Reviewed-By: Tobias Nießen <[email protected]> Reviewed-By: Richard Lau <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Darshan Sen <[email protected]>
Sign up for freeto join this conversation on GitHub. Already have an account? Sign in to comment
7 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The FIPS state handling and OpenSSL initialization code makes
accesses to global OpenSSL state without any protection against
parallel modifications from multiple threads.
This commit adds such protections.