Alexey Serbin has submitted this change and it was merged. ( http://gerrit.cloudera.org:8080/23429 )
Change subject: OpenSSL 3.x compatibility adaptation
......................................................................

OpenSSL 3.x compatibility adaptation

Adopt EVP/RAII, update TLS methods, and protect old paths.

Follow the OpenSSL 3.0 migration guide [1], replace deprecated APIs, prefer EVP-level interfaces, and improve memory safety through RAII. For OpenSSL versions below 3.0, retain source compatible paths and set up clear version protection mechanisms.

Key changes:

* security/crypto.cc
  For OpenSSL 3.0 and above: switch RSA key generation to EVP_PKEY_CTX_new_from_name + EVP_PKEY_keygen_init + EVP_PKEY_CTX_set_rsa_keygen_bits + EVP_PKEY_keygen. Add explicit return code/null value checks where applicable and use RAII to wrap OpenSSL pointers. Replace EVP_MD_CTX_create with EVP_MD_CTX_new (under appropriate version protection mechanisms).

* util/jwt-util.cc
  For OpenSSL 3.0 and above: Build RSA/EC public keys from JWKs using EVP_PKEY_fromdata and OSSL_PARAM_BLD/OSSL_PARAM; serialize via generic EVP_PKEY writers (PEM_write_bio_PUBKEY, i2d_PUBKEY_bio). Preserve legacy RSA_set0_key / EC_KEY paths from older OpenSSL versions and place them after the version protection mechanism. Use RAII functions for ctx/param builder/params; unify ToString with EvpPublicKeyTraits.

* util/openssl_util.h
  Centralize SslTypeTraits for EVP_PKEY_CTX, OSSL_PARAM_BLD, and OSSL_PARAM (OpenSSL 3.x) and place required headers after the version protection mechanism.

* security/tls_context.cc, util/openssl_util.cc
  Replace the deprecated SSLv23_method() with TLS_method() when OpenSSL 1.1.0 and above are available, maintaining compatibility with older versions.

This patch does not change provider/FIPS management semantics; existing detection/enforcement logic remains unchanged. The scope of the changes is limited to API modernization; no behavioral changes will occur in non-3.x releases.

[1] https://docs.openssl.org/3.0/man7/migration_guide/

Change-Id: Ic587a85e6b9088ffd353f9119b75431f1ec60b5c
Reviewed-on: http://gerrit.cloudera.org:8080/23429
Reviewed-by: Alexey Serbin <[email protected]>
Tested-by: Alexey Serbin <[email protected]>
---
M src/kudu/security/ca/cert_management.cc
M src/kudu/security/ca/cert_management.h
M src/kudu/security/crypto.cc
M src/kudu/security/crypto.h
M src/kudu/security/tls_context.cc
M src/kudu/util/jwt-util.cc
M src/kudu/util/openssl_util.cc
M src/kudu/util/openssl_util.h
8 files changed, 263 insertions(+), 32 deletions(-)

Approvals:
  Alexey Serbin: Looks good to me, approved; Verified

--
To view, visit http://gerrit.cloudera.org:8080/23429
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: merged
Gerrit-Change-Id: Ic587a85e6b9088ffd353f9119b75431f1ec60b5c
Gerrit-Change-Number: 23429
Gerrit-PatchSet: 21
Gerrit-Owner: Yan-Daojiang <[email protected]>
Gerrit-Reviewer: Alexey Serbin <[email protected]>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Yan-Daojiang <[email protected]>
