Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

src: add mutex to ManagedEVPPKey class #36825

Closed
wants to merge 1 commit into from

Commits on Feb 9, 2021

  1. src: add mutex to ManagedEVPPKey class

    This commit introduces a mutex field on the ManagedEVPPKey class
    intended to be used when multiple threads require access to an OpenSSL
    EVP_PKEY object. The motivation for this came from the work being done
    to upgrade Node.js to OpenSSL 3.0.
    
    OpenSSL objects, like EVP_PKEY, are not thread safe (see refs for
    details). In versions prior to OpenSSL 3.0 this was not noticeable and
    did not cause any issues (like incorrect logic or crashes), but with
    OpenSSL 3.0 this does cause issues if access to an EVP_PKEY instance is
    required from multiple threads without locking.
    
    In OpenSSL 3.0 when the evp_pkey_downgrade function is called, which
    downgrades an EVP_PKEY instance to a legacy version, it will clear all
    the fields of EVP_PKEY struct except the lock (nodejs#13374). But this also
    means that keymgmt and keydata will also be cleared, which other parts
    of the code base depends on, and those calls will either fail to export
    the key (returning null) or crash due to a segment fault.
    
    This same code works with OpenSSL 1.1.1 without locking and I think this
    is because there is no downgrade being done in OpenSSL 1.1.1. But even
    so, as far as I can tell there are no guarantees that these object are
    thread safe in 1.1.1 either and should be protected with a lock.
    
    Refs:
    openssl/openssl#13374
    openssl/openssl#2165)
    https://www.openssl.org/blog/blog/2017/02/21/threads
    danbev committed Feb 9, 2021
    Configuration menu
    Copy the full SHA
    c675689 View commit details
    Browse the repository at this point in the history