Yan-Daojiang has posted comments on this change. ( http://gerrit.cloudera.org:8080/23429 )
Change subject: Adapting to OpenSSL 3.x
......................................................................


Patch Set 5:

(5 comments)

http://gerrit.cloudera.org:8080/#/c/23429/2/src/kudu/security/crypto.cc
File src/kudu/security/crypto.cc:

http://gerrit.cloudera.org:8080/#/c/23429/2/src/kudu/security/crypto.cc@334
PS2, Line 334: auto ctx = ssl_ma
> Use ssl_make_unique to wrap raw pointers, making the code more concise, les

Done. Wrapped EVP_PKEY_CTX with ssl_make_unique and added SslTypeTraits<EVP_PKEY_CTX>


http://gerrit.cloudera.org:8080/#/c/23429/2/src/kudu/security/crypto.cc@347
PS2, Line 347: urn Status::Run
> Isn't it necessary to call EVP_PKEY_keygen_init() prior to calling EVP_PKEY

Yes, EVP_PKEY_keygen_init() must be called before EVP_PKEY_keygen(). I’ve updated to make this explicit and verified the order:

- create ctx
- EVP_PKEY_keygen_init(ctx)
- EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, num_bits)
- EVP_PKEY_keygen(ctx, &gen)

In addition, I added explicit return-code checks for each step to make the failure modes clear.


http://gerrit.cloudera.org:8080/#/c/23429/2/src/kudu/security/crypto.cc@347
PS2, Line 347: re
> It seems error handling is missing here: what if EVP_PKEY_keygen() returns

Thanks for pointing this out. I added explicit return-code checks for each step in the keygen flow.


http://gerrit.cloudera.org:8080/#/c/23429/2/src/kudu/util/jwt-util.cc
File src/kudu/util/jwt-util.cc:

http://gerrit.cloudera.org:8080/#/c/23429/2/src/kudu/util/jwt-util.cc@471
PS2, Line 471: auto ctx = ssl_ma
> Wrap into ssl_make_unique?

Done. Wrapped EVP_PKEY_CTX, OSSL_PARAM_BLD, and OSSL_PARAM with ssl_make_unique; removed manual frees and use .get() for OpenSSL calls.


http://gerrit.cloudera.org:8080/#/c/23429/2/src/kudu/util/jwt-util.cc@649
PS2, Line 649: if (!bld) {
> Create a corresponding trait and wrap this into ssl_make_unique?

Done. Added traits for EVP_PKEY_CTX, OSSL_PARAM_BLD, and OSSL_PARAM; refactored EC path to use ssl_make_unique accordingly.

--
To view, visit http://gerrit.cloudera.org:8080/23429
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Ic587a85e6b9088ffd353f9119b75431f1ec60b5c
Gerrit-Change-Number: 23429
Gerrit-PatchSet: 5
Gerrit-Owner: Yan-Daojiang <[email protected]>
Gerrit-Reviewer: Alexey Serbin <[email protected]>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Yan-Daojiang <[email protected]>
Gerrit-Comment-Date: Wed, 17 Sep 2025 09:28:01 +0000
Gerrit-HasComments: Yes
