
github.com/nodejs/node.git - Unnamed repository; edit this file 'description' to name the repository.
authorAnna Henningsen <anna@addaleax.net>2022-04-03 15:00:27 +0300
committerGitHub <noreply@github.com>2022-04-03 15:00:27 +0300
commit1c69dfe47218ecbc9f080a9a303f9d99e0515e51 (patch)
tree495d4da4ab5f080bb12cd94b8a4f51378a60f916 /src
parent5d0eb10c80843badca677b82995c8decd401b08e (diff)
src: add proper mutexes for accessing FIPS state
The FIPS state handling and OpenSSL initialization code makes accesses to global OpenSSL state without any protection against parallel modifications from multiple threads. This commit adds such protections. PR-URL: https://github.com/nodejs/node/pull/42278 Reviewed-By: Tobias Nießen <tniessen@tnie.de> Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Darshan Sen <raisinten@gmail.com>
Diffstat (limited to 'src')
-rw-r--r--src/crypto/crypto_util.cc17
1 files changed, 17 insertions, 0 deletions
diff --git a/src/crypto/crypto_util.cc b/src/crypto/crypto_util.cc
index e93edd4b2fc..bbc86e6d889 100644
--- a/src/crypto/crypto_util.cc
+++ b/src/crypto/crypto_util.cc
@@ -136,7 +136,13 @@ bool InitCryptoOnce(Isolate* isolate) {
return true;
}
+// Protect accesses to FIPS state with a mutex. This should potentially
+// be part of a larger mutex for global OpenSSL state.
+static Mutex fips_mutex;
+
void InitCryptoOnce() {
+ Mutex::ScopedLock lock(per_process::cli_options_mutex);
+ Mutex::ScopedLock fips_lock(fips_mutex);
#ifndef OPENSSL_IS_BORINGSSL
OPENSSL_INIT_SETTINGS* settings = OPENSSL_INIT_new();
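Review bot: The comment added above `fips_mutex` does not record the lock order, although every function this commit touches takes `per_process::cli_options_mutex` first and `fips_mutex` second. A later caller that acquires them in the opposite order could deadlock against these paths, so the invariant belongs next to the declaration: `// Lock order: acquire per_process::cli_options_mutex before fips_mutex.` InitCryptoOnce() also holds both locks for its whole body, which continues outside this hunk, so the comment should say whether that is intended.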
@@ -196,6 +202,9 @@ void InitCryptoOnce() {
}
void GetFipsCrypto(const FunctionCallbackInfo<Value>& args) {
+ Mutex::ScopedLock lock(per_process::cli_options_mutex);
+ Mutex::ScopedLock fips_lock(fips_mutex);
+
#if OPENSSL_VERSION_MAJOR >= 3
args.GetReturnValue().Set(EVP_default_properties_is_fips_enabled(nullptr) ?
1 : 0);
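Review bot: Nothing in the visible lines of GetFipsCrypto() reads `per_process::cli_options`, yet the function takes `per_process::cli_options_mutex` before `fips_mutex`; the same holds for the lines added to TestFipsCrypto() in the last hunk. Both bodies continue outside their hunks, so this is inferred, but if neither touches the options then a read-only FIPS query contends with every other holder of the options lock for no visible reason. Either drop the first lock in these two functions or state why it is held, for example `// cli_options_mutex is held here only to keep the acquisition order identical to SetFipsCrypto().` if that is the reason.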
@@ -205,8 +214,13 @@ void GetFipsCrypto(const FunctionCallbackInfo<Value>& args) {
}
void SetFipsCrypto(const FunctionCallbackInfo<Value>& args) {
+ Mutex::ScopedLock lock(per_process::cli_options_mutex);
+ Mutex::ScopedLock fips_lock(fips_mutex);
+
CHECK(!per_process::cli_options->force_fips_crypto);
Environment* env = Environment::GetCurrent(args);
+ // TODO(addaleax): This should not be possible to set from worker threads.
+ // CHECK(env->owns_process_state());
bool enable = args[0]->BooleanValue(env->isolate());
#if OPENSSL_VERSION_MAJOR >= 3
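Review bot: The two locks serialize SetFipsCrypto() but do not restrict who may call it: as the added TODO itself says, a worker thread can still change the process-wide FIPS setting, and the guard is left as commented-out code. FIPS mode is a process-level policy, so it would be better to enforce the restriction here than to defer it. Enabling `CHECK(env->owns_process_state());` as written would abort the process on a call that appears reachable from JavaScript (the function takes `FunctionCallbackInfo`), so throwing an error and returning when `!env->owns_process_state()` looks like the safer form. If it has to stay deferred, point the TODO at a tracking issue and drop the commented-out line. The function body continues outside this hunk.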
@@ -227,6 +241,9 @@ void SetFipsCrypto(const FunctionCallbackInfo<Value>& args) {
}
void TestFipsCrypto(const v8::FunctionCallbackInfo<v8::Value>& args) {
+ Mutex::ScopedLock lock(per_process::cli_options_mutex);
+ Mutex::ScopedLock fips_lock(fips_mutex);
+
#ifdef OPENSSL_FIPS
#if OPENSSL_VERSION_MAJOR >= 3
OSSL_PROVIDER* fips_provider = nullptr;