Dan Burkert has posted comments on this change. Change subject: KUDU-1964. security: avoid calling ERR_clear_error() defensively ......................................................................
Patch Set 1: (3 comments) http://gerrit.cloudera.org:8080/#/c/6552/1//COMMIT_MSG Commit Message: PS1, Line 19: apparently : improved in OpenSSL 1.1, but that's not available on current OSes > seems like extra complexity because then we have two different code paths t Yah, this seems like a good change to make regardless of OpenSSL version (btw, we wouldn't support 1.1 even if it were in a released OS; see KUDU-1889). I knew preemptively clearing the error was a bit of a hack way back when this was introduced, in that it obfuscates openssl callsites that aren't checking and clearing the error. http://gerrit.cloudera.org:8080/#/c/6552/1/src/kudu/security/openssl_util.cc File src/kudu/security/openssl_util.cc: Line 110: ERR_clear_error(); Should this be moved into the if block? http://gerrit.cloudera.org:8080/#/c/6552/1/src/kudu/security/openssl_util.h File src/kudu/security/openssl_util.h: Line 41: CHECK_GT((call), 0) Perhaps we should assert that the error stack is empty here, before making the call? (and likewise in the other helper macros). -- To view, visit http://gerrit.cloudera.org:8080/6552 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-MessageType: comment Gerrit-Change-Id: I3b4421f4aae4d0e5a2d938881f9eea4e07ff2b10 Gerrit-PatchSet: 1 Gerrit-Project: kudu Gerrit-Branch: master Gerrit-Owner: Todd Lipcon <[email protected]> Gerrit-Reviewer: Adar Dembo <[email protected]> Gerrit-Reviewer: Alexey Serbin <[email protected]> Gerrit-Reviewer: Dan Burkert <[email protected]> Gerrit-Reviewer: Henry Robinson <[email protected]> Gerrit-Reviewer: Kudu Jenkins Gerrit-Reviewer: Tidy Bot Gerrit-Reviewer: Todd Lipcon <[email protected]> Gerrit-HasComments: Yes
