[kudu-CR] [security] make sure OpenSSL initialized as expected

Fri, 08 Aug 2025 10:36:44 -0700 

Abhishek Chennaka has submitted this change and it was merged. ( 
http://gerrit.cloudera.org:8080/23268 )

Change subject: [security] make sure OpenSSL initialized as expected
......................................................................

[security] make sure OpenSSL initialized as expected

Per OpenSSL's documentation [1][2], numerous internal OpenSSL functions
call OPENSSL_init_{crypto,ssl}().  Therefore, in order to perform
nondefault initialisation which Kudu does since addressing KUDU-3635,
OPENSSL_init_{crypto,ssl}() MUST be called by application code prior
to any other OpenSSL function calls.  And this is also applicable to
ERR_peek_error() which calls OPENSSL_init_crypt with the
OPENSSL_INIT_BASE_ONLY option, at least in OpenSSL 1.1.1.  Meanwhile,
ERR_peek_error() is called in the constructor and the destructor
of the underlying object in the SCOPED_OPENSSL_NO_PENDING_ERRORS macro.

Even if Kudu adds a non-default OPENSSL_INIT_NO_ATEXIT flag only when
initializing the OpenSSL library early in the process start-up phase,
it makes sense to address this to avoid unexpected surprises if any
extra flag is added.  Also, placing SCOPED_OPENSSL_NO_PENDING_ERRORS
before InitializeOpenSSL() was an apparent typo, so it needs to be fixed
anyway.

This is a follow-up 5f1ca4f3948a61b22946255e4ada895c77bc6adf.

[1] https://docs.openssl.org/1.1.1/man3/OPENSSL_init_crypto/
[2] https://docs.openssl.org/1.1.1/man3/OPENSSL_init_ssl/

Change-Id: If56b5d23e1f974aa2ab5677458b125cb011a36dc
Reviewed-on: http://gerrit.cloudera.org:8080/23268
Tested-by: Alexey Serbin <[email protected]>
Reviewed-by: Abhishek Chennaka <[email protected]>
---
M src/kudu/security/ca/cert_management.cc
M src/kudu/security/crypto.cc
2 files changed, 3 insertions(+), 3 deletions(-)

Approvals:
  Alexey Serbin: Verified
  Abhishek Chennaka: Looks good to me, approved

--
To view, visit http://gerrit.cloudera.org:8080/23268
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: merged
Gerrit-Change-Id: If56b5d23e1f974aa2ab5677458b125cb011a36dc
Gerrit-Change-Number: 23268
Gerrit-PatchSet: 2
Gerrit-Owner: Alexey Serbin <[email protected]>
Gerrit-Reviewer: Abhishek Chennaka <[email protected]>
Gerrit-Reviewer: Alexey Serbin <[email protected]>
Gerrit-Reviewer: Attila Bukor <[email protected]>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Marton Greber <[email protected]>

Reply via email to