data race in OPENSSL_sk_num

[CheSema]

I faced a sanitazer report in the CI

full report: https://s3.amazonaws.com/clickhouse-test-reports/PRs/79963/1cde959f33ad5a23e68a0f52365000c2da5455df//integration_tests_tsan_2_6/integration_run_parallel4_0.log
read write stack: https://pastila.nl/?001166e3/2c2a085d64d5295b50a2d12dcf1fc1a5#h0aJA5qyZg7fiZkrXJC2EQ==

As I read here openssl/openssl#24480
openssl/openssl#24480 (comment)

An SSL_CTX object should not be changed after it is used to create any SSL objects or from multiple threads concurrently, since the implementation does not provide serialization of access for these cases.

And the load operations mutate the SSL_CTX object, by adding certificate location to an internal list.
The appropriate approach here is to call all the mutation functions for the SSL_CTX objects prior to passing to threads for use, so that the shared object can be used in an immutable fashion.

I'm not sure that Clickhouse follows this rule.
May be we need to reorganize our Storages initialization. Now, the one storage is adding certs, other is already firing the requests over ssl.

[rschu1ze]

@thevar1able Another race in OpenSSL 😢

[thevar1able]

Most likely same with #80175, caused by legacy HMAC usage (probably uses global context) and lazy provider initialization. I don't think SSL_CTX is related as both of these are working on global context.

[CheSema]

Aws::InitAPI(aws_options); method inits some SSL_CTX at the first run.
I bet that Azure does the same.

Moreover we also do it in CertificateReloader. We update Poco::Net::SSLManager::instance().defaultClientContext() here.

It seems like defult init inside Aws and Azure work on the same instance SSL_CTX.
I do not know if it is the same instance as in CertificateReloader. I assume it is different one.

As a result it is possible to have wrong credentials until CertificateReloader is done.

[thevar1able]

legacy HMAC usage

I'm wrong, this is okay usage. But the one in AWS SDK is legacy.
https://docs.openssl.org/master/man3/HMAC/#synopsis

[thevar1able]

It seems like defult init inside Aws and Azure work on the same instance SSL_CTX.

I don't see how any of SSL_CTXs managed by ClickHouse are getting to either Azure or AWS SDK init, so the issue is probably not there.

[thevar1able]

Most likely related ClickHouse/openssl@5d81fa7...ee2bb85#diff-cfc719d40d91b89c912183e165bc9c4110b758cf18248d7f5c853544275e60c9

[thevar1able]

This is a race between ossl_method_store_add and ossl_method_store_do_all.

We write to impl stack here https://github.com/openssl/openssl/blob/dca67c0aa17010f2315bc5bf1915ad4509ff8e52/crypto/property/property.c#L410, holding the lock on the store.

Here we're copying algs, releasing the lock, and iterating through a copy, although alg->impl stack points to the same data as original, and we're trying to enumerate it without a lock.
https://github.com/openssl/openssl/blob/dca67c0aa17010f2315bc5bf1915ad4509ff8e52/crypto/property/property.c#L586-L590

[thevar1able]

Was caused by an unrelated memory issue.