Hello Alexey Serbin, Kudu Jenkins,

I'd like you to reexamine a change. Please visit

    http://gerrit.cloudera.org:8080/23429

to look at the new patch set (#7).

Change subject: OpenSSL 3.x compatibility adaptation
......................................................................

OpenSSL 3.x compatibility adaptation

Adopt EVP/RAII, update TLS methods, and protect old paths.

Follow the OpenSSL 3.0 migration guide [1], replace deprecated APIs,
prefer EVP-level interfaces, and improve memory safety through RAII.
For OpenSSL versions below 3.0, retain source compatible paths and
set up clear version protection mechanisms.

Key changes:

* security/crypto.cc
For OpenSSL 3.0 and above: switch RSA key generation to
EVP_PKEY_CTX_new_from_name + EVP_PKEY_keygen_init +
EVP_PKEY_CTX_set_rsa_keygen_bits + EVP_PKEY_keygen.
Add explicit return code/null value checks where applicable and
use RAII to wrap OpenSSL pointers.
Replace EVP_MD_CTX_create with EVP_MD_CTX_new
(under appropriate version protection mechanisms).

* util/jwt-util.cc
For OpenSSL 3.0 and above: Build RSA/EC public keys from
JWKs using EVP_PKEY_fromdata and OSSL_PARAM_BLD/OSSL_PARAM;
serialize via generic EVP_PKEY writers
(PEM_write_bio_PUBKEY, i2d_PUBKEY_bio).

Preserve legacy RSA_set0_key / EC_KEY paths from older
OpenSSL versions and place them after the version protection mechanism.
Use RAII functions for ctx/param builder/params;
unify ToString with EvpPublicKeyTraits.

* util/openssl_util.h
Centralize SslTypeTraits for EVP_PKEY_CTX, OSSL_PARAM_BLD,
and OSSL_PARAM (OpenSSL 3.x) and place required headers after
the version protection mechanism.

* security/tls_context.cc, util/openssl_util.cc
Replace the deprecated SSLv23_method() with TLS_method()
when OpenSSL 1.1.0 and above are available,
maintaining compatibility with older versions.

This patch does not change provider/FIPS management semantics;
existing detection/enforcement logic remains unchanged.

The scope of the changes is limited to API modernization;
no behavioral changes will occur in non-3.x releases.

[1] https://docs.openssl.org/3.0/man7/migration_guide/

Change-Id: Ic587a85e6b9088ffd353f9119b75431f1ec60b5c
---
M src/kudu/security/ca/cert_management.cc
M src/kudu/security/ca/cert_management.h
M src/kudu/security/crypto.cc
M src/kudu/security/crypto.h
M src/kudu/security/tls_context.cc
M src/kudu/util/jwt-util.cc
M src/kudu/util/openssl_util.cc
M src/kudu/util/openssl_util.h
8 files changed, 242 insertions(+), 10 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/29/23429/7
--
To view, visit http://gerrit.cloudera.org:8080/23429
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: Ic587a85e6b9088ffd353f9119b75431f1ec60b5c
Gerrit-Change-Number: 23429
Gerrit-PatchSet: 7
Gerrit-Owner: Yan-Daojiang <[email protected]>
Gerrit-Reviewer: Alexey Serbin <[email protected]>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Yan-Daojiang <[email protected]>
