src: add proper mutexes for accessing FIPS state
The FIPS state handling and OpenSSL initialization code makes
accesses to global OpenSSL state without any protection against
parallel modifications from multiple threads.

This commit adds such protections.

PR-URL: #42278
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Darshan Sen <raisinten@gmail.com>
addaleax authored and targos committed Jul 11, 2022
1 parent cbb253e commit 4ffc088
Showing 1 changed file with 17 additions and 0 deletions.
17 changes: 17 additions & 0 deletions src/crypto/crypto_util.cc
@@ -136,7 +136,13 @@ bool InitCryptoOnce(Isolate* isolate) {
return true;
}

// Protect accesses to FIPS state with a mutex. This should potentially
// be part of a larger mutex for global OpenSSL state.
static Mutex fips_mutex;

void InitCryptoOnce() {
Mutex::ScopedLock lock(per_process::cli_options_mutex);
Mutex::ScopedLock fips_lock(fips_mutex);
#ifndef OPENSSL_IS_BORINGSSL
OPENSSL_INIT_SETTINGS* settings = OPENSSL_INIT_new();

@@ -186,6 +192,9 @@ void InitCryptoOnce() {
}

void GetFipsCrypto(const FunctionCallbackInfo<Value>& args) {
Mutex::ScopedLock lock(per_process::cli_options_mutex);
Mutex::ScopedLock fips_lock(fips_mutex);

#if OPENSSL_VERSION_MAJOR >= 3
args.GetReturnValue().Set(EVP_default_properties_is_fips_enabled(nullptr) ?
1 : 0);
@@ -195,8 +204,13 @@ void GetFipsCrypto(const FunctionCallbackInfo<Value>& args) {
}

void SetFipsCrypto(const FunctionCallbackInfo<Value>& args) {
Mutex::ScopedLock lock(per_process::cli_options_mutex);
Mutex::ScopedLock fips_lock(fips_mutex);

CHECK(!per_process::cli_options->force_fips_crypto);
Environment* env = Environment::GetCurrent(args);
// TODO(addaleax): This should not be possible to set from worker threads.
// CHECK(env->owns_process_state());
bool enable = args[0]->BooleanValue(env->isolate());

#if OPENSSL_VERSION_MAJOR >= 3
@@ -217,6 +231,9 @@ void SetFipsCrypto(const FunctionCallbackInfo<Value>& args) {
}

void TestFipsCrypto(const v8::FunctionCallbackInfo<v8::Value>& args) {
Mutex::ScopedLock lock(per_process::cli_options_mutex);
Mutex::ScopedLock fips_lock(fips_mutex);

#ifdef OPENSSL_FIPS
#if OPENSSL_VERSION_MAJOR >= 3
OSSL_PROVIDER* fips_provider = nullptr;
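Review bot: In SetFipsCrypto the two new locks serialize the toggle but do not restrict who may perform it: the ownership check stays commented out as `// CHECK(env->owns_process_state());`, so a worker thread can presumably still change the FIPS setting for the whole process. Until that check (or an error returned to non-owning environments) is enabled, the TODO should state that the mutex only prevents concurrent modification and is not an access control. The declaration of fips_mutex would also benefit from recording the acquisition order that all four functions use, e.g. `// Lock order: per_process::cli_options_mutex first, then fips_mutex.`, so a later caller does not take them in reverse and deadlock. The bodies of all four functions continue outside the visible hunks, so code that reads FIPS state elsewhere could not be checked here.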