Hello Alexey Serbin, Kudu Jenkins, Andrew Wong, Grant Henke,

I'd like you to reexamine a change. Please visit

    http://gerrit.cloudera.org:8080/16631

to look at the new patch set (#2).

Change subject: Fix order of clearing openssl error and printing it
......................................................................

Fix order of clearing openssl error and printing it

When verifying the certificate chain fails with an error other than
self-signed certificate, we try to get the subject and issuer to print
in the error message. Unfortunately X509NameToString(), the method doing
the conversion, also checks that there are no leftover OpenSSL errors,
so it fails immediately on call. This commit changes the behavior to
clear the errors *before* calling X509NameToString().

I ran into this problem while debugging test failures on a host where
the OpenSSL was provided by CryptoComply SafeLogic:

F1020 12:06:13.327023 25579 openssl_util.h:210] Check failed: ERR_peek_error() 
== 0 (67567722 vs. 0) Expected no pending OpenSSL errors on std::string 
kudu::security::X509NameToString(X509_NAME*) entry, but had: error:0407006A:rsa 
routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:102 
error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check 
failed:rsa_eay.c:786 error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP 
lib:a_verify.c:218

Unfortunately, I couldn't reproduce it in other OpenSSL versions and
distributions, so I can't add a regression test, at least for now.

Change-Id: I3f78bdedce7a976a6e8117bb8683032dd917c626
---
A src/kudu/security/tls_context-test.cc
M src/kudu/security/tls_context.cc
2 files changed, 58 insertions(+), 3 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/31/16631/2
--
To view, visit http://gerrit.cloudera.org:8080/16631
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I3f78bdedce7a976a6e8117bb8683032dd917c626
Gerrit-Change-Number: 16631
Gerrit-PatchSet: 2
Gerrit-Owner: Attila Bukor <[email protected]>
Gerrit-Reviewer: Alexey Serbin <[email protected]>
Gerrit-Reviewer: Andrew Wong <[email protected]>
Gerrit-Reviewer: Grant Henke <[email protected]>
Gerrit-Reviewer: Kudu Jenkins (120)
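
The ordering problem the commit message describes, as an added example that is not part of the original message and is not Kudu's code. It is a self-contained C++ model: the queue, `DrainErrors`, `NameToString`, `VerifyChain` and both `Report*` functions are hypothetical stand-ins for OpenSSL's error queue and the helpers involved, and the queued error strings are constructed.

```cpp
// Model of the ordering bug. Every name here is a hypothetical stand-in,
// not OpenSSL's API and not Kudu's code; the error strings are constructed.
#include <iostream>
#include <stdexcept>
#include <string>
#include <vector>

// Stand-in for OpenSSL's per-thread error queue.
thread_local std::vector<std::string> g_err_queue;

// Returns all queued errors as one string and empties the queue.
std::string DrainErrors() {
  std::string out;
  for (const auto& e : g_err_queue) out += (out.empty() ? "" : " ") + e;
  g_err_queue.clear();
  return out;
}

// Stand-in for a name-to-string helper that requires an empty queue on entry.
// The helper in the commit message CHECK-fails here; this model throws instead.
std::string NameToString(const std::string& name) {
  if (!g_err_queue.empty()) throw std::logic_error("pending errors on entry");
  return name;
}

// Stand-in for a chain verification that fails and leaves errors queued.
bool VerifyChain() {
  g_err_queue.push_back("rsa routines: padding check failed");
  g_err_queue.push_back("asn1 encoding routines: EVP lib");
  return false;
}

// Before: formats the names while the errors are still queued.
std::string ReportBefore(const std::string& subj, const std::string& iss) {
  if (VerifyChain()) return "OK";
  std::string names = "subject=" + NameToString(subj) + " issuer=" + NameToString(iss);
  return names + ": " + DrainErrors();
}

// After: captures and clears the queued errors first, then formats the names.
std::string ReportAfter(const std::string& subj, const std::string& iss) {
  if (VerifyChain()) return "OK";
  std::string errors = DrainErrors();
  return "subject=" + NameToString(subj) + " issuer=" + NameToString(iss) + ": " + errors;
}

int main() {
  std::cout << ReportAfter("CN=leaf", "CN=ca") << "\n";
}
```

Draining into a local string before clearing keeps the original failure reason in the final message, so nothing is lost by clearing early.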
