[ https://issues.apache.org/jira/browse/KUDU-3210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17233245#comment-17233245 ]

ASF subversion and git services commented on KUDU-3210:
-------------------------------------------------------

Commit d1285eb3855ca1125dab4aac318e8acaf3edf58a in kudu's branch 
refs/heads/master from Attila Bukor
[ https://gitbox.apache.org/repos/asf?p=kudu.git;h=d1285eb ]

KUDU-3210 Add thread ID callback to OpenSSL init

It seems the race condition bug we worked around in
f9f3189a6dbe0636d578d80b1d8e60cf7b2e6686 was caused by using the default
thread ID callback.

It seems it's not a bug in SafeLogic after all, but this is likely
reproducible in upstream OpenSSL as well. We didn't find this before as
we always tested in older OpenSSL versions, while the commit[1]
responsible for this behavior was included only in OpenSSL 1.0.2i[2].

The threads(3) man page claims that "If the application does not
register such a callback using CRYPTO_THREADID_set_callback(), then a
default implementation is used - on Windows and BeOS this uses the
system's default thread identifying APIs, and on all other platforms it
uses the address of errno. The latter is satisfactory for thread-safety
if and only if the platform has a thread-local error number facility."

This seems to be no longer true in 1.0.2i and later.

Redefining the thread ID callback seems to fix the problem without any
additional locking and f9f3189a6dbe0636d578d80b1d8e60cf7b2e6686 can be
reverted safely. I tested these changes on the host where I discovered
the race condition.

[1] https://github.com/openssl/openssl/commit/a43cfd7bb1fc681d563e5efa75cc926d7e8e5c36
[2] https://mta.openssl.org/pipermail/openssl-commits/2016-September/010743.html

Change-Id: Icec6da3a9380206fe6ba4a31ea8fb4dcbc34dd00
Reviewed-on: http://gerrit.cloudera.org:8080/16730
Reviewed-by: Grant Henke <granthe...@apache.org>
Reviewed-by: Alexey Serbin <aser...@cloudera.com>
Tested-by: Kudu Jenkins


> Support FIPS approved mode
> --------------------------
>
>                 Key: KUDU-3210
>                 URL: https://issues.apache.org/jira/browse/KUDU-3210
>             Project: Kudu
>          Issue Type: Improvement
>            Reporter: Attila Bukor
>            Assignee: Attila Bukor
>            Priority: Major
>
> FIPS 140-2 is a standard used to approve cryptographic modules. Some versions 
> of OpenSSL support a "FIPS mode" where only approved algorithms and key sizes 
> are enabled. Kudu should be able to run when FIPS mode is enabled and should 
> provide a way for admins to require that FIPS mode is enabled.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
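
The commit message above describes replacing OpenSSL's default thread ID with an explicitly registered callback. The following is an added example, not Kudu's code: it registers such a callback through the OpenSSL 1.0.x `CRYPTO_THREADID_*` API and checks that the ID source is stable and distinct across concurrently live threads. The function names and the `WITH_OPENSSL_1_0_2` build flag are hypothetical, and `pthread_t` is assumed to be an integer or pointer type.

```c
#include <pthread.h>
#include <stdint.h>
#define NTHREADS 8                       /* constructed test size */
/* Numeric ID, stable and distinct for every live thread. Assumes pthread_t
 * is an integer or pointer type (true on Linux/glibc). */
static unsigned long current_thread_id(void) {
    return (unsigned long)(uintptr_t)pthread_self();
}

#ifdef WITH_OPENSSL_1_0_2   /* hypothetical build flag; link with -lcrypto */
#include <openssl/crypto.h>
static void threadid_cb(CRYPTO_THREADID *id) {
    CRYPTO_THREADID_set_numeric(id, current_thread_id());
}
/* Call once during init, before other threads enter OpenSSL. */
int install_threadid_callback(void) {
    return CRYPTO_THREADID_set_callback(threadid_cb);
}
#endif

struct slot { unsigned long first, second; };
static pthread_mutex_t gate = PTHREAD_MUTEX_INITIALIZER;
static void *worker(void *arg) {
    struct slot *s = arg;
    s->first = current_thread_id();
    s->second = current_thread_id();
    pthread_mutex_lock(&gate);   /* stay alive so no ID can be recycled */
    pthread_mutex_unlock(&gate);
    return NULL;
}
/* 0 if all concurrently live threads report stable, distinct IDs; else -1. */
int check_thread_ids(void) {
    pthread_t th[NTHREADS];
    struct slot slots[NTHREADS];
    int i, j, started = 0, rc = 0;
    pthread_mutex_lock(&gate);
    while (started < NTHREADS &&
           pthread_create(&th[started], NULL, worker, &slots[started]) == 0)
        started++;
    pthread_mutex_unlock(&gate);
    for (i = 0; i < started; i++) pthread_join(th[i], NULL);
    for (i = 0; i < started; i++) {
        if (slots[i].first != slots[i].second) rc = -1;
        for (j = i + 1; j < started; j++)
            if (slots[i].first == slots[j].first) rc = -1;
    }
    return (started == NTHREADS) ? rc : -1;
}
int main(void) { return check_thread_ids() == 0 ? 0 : 1; }
```

In OpenSSL 1.1.0 and later the `CRYPTO_THREADID_*` calls are no-op compatibility macros, so the registration only matters for 1.0.x builds.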
