
upgpkg: 10.1.26-1

author Christian Hesse
2017-08-10 10:46:06 UTC
committer Christian Hesse
2017-08-10 10:46:06 UTC
parent b3c1811865fe41e3ac7ba6f686892cfaeb12ed6a

upgpkg: 10.1.26-1

0001-openssl-1-1-0.patch +270 -1341
PKGBUILD +3 -3

diff --git a/0001-openssl-1-1-0.patch b/0001-openssl-1-1-0.patch
index 7b6d110..488aec2 100644
--- a/0001-openssl-1-1-0.patch
+++ b/0001-openssl-1-1-0.patch
@@ -1,43 +1,5 @@
-From fb57acd98f96b3d2684cd29c126b4904db81f84c Mon Sep 17 00:00:00 2001
-From: Georg Richter <georg@mariadb.com>
-Date: Wed, 8 Mar 2017 17:39:47 +0100
-Subject: [PATCH 1/2] MDEV-10332  support for OpenSSL 1.1 and LibreSSL
-
-Initial support
-
-tested against OpenSSL 1.0.1, 1.0.2, 1.1.0, Yassl and LibreSSL
-not working on Windows with native SChannel support, due to wrong cipher
-mapping: Latter one requires push of CONC-241 fixes.
-Please note that OpenSSL 0.9.8 and OpenSSL 1.1.0 will not work: Even if
-the build succeeds, test cases will fail with various errors, especially
-when using different tls libraries or versions for client and server.
-
-Upstream commit: f8866f8f665ac26beb31842fef48ecee5feb346e
----
- extra/yassl/src/handshake.cpp                 |  10 +++
- include/my_crypt.h                            |  15 ++++
- include/violite.h                             |   9 +-
- mysql-test/include/require_openssl_client.inc |   5 ++
- mysql-test/mysql-test-run.pl                  |   5 ++
- mysql-test/r/openssl_1.result                 |   2 +-
- mysql-test/r/openssl_6975,tlsv10.result       |  18 ++--
- mysql-test/r/openssl_6975,tlsv12.result       |  14 ++--
- mysql-test/t/openssl_1.test                   |   4 +-
- mysql-test/t/openssl_6975.test                |  19 +++--
- mysql-test/t/ssl_7937.test                    |   1 +
- mysql-test/t/ssl_8k_key.test                  |   1 +
- mysys_ssl/my_crypt.cc                         | 115 ++++++++++++++++++--------
- mysys_ssl/my_md5.cc                           |  39 ++++++---
- mysys_ssl/yassl.cc                            |  15 ++++
- sql-common/client.c                           |   6 +-
- sql/mysqld.cc                                 |  14 +++-
- sql/slave.cc                                  |  13 +++
- vio/viosslfactories.c                         |  54 ++++++++----
- 19 files changed, 263 insertions(+), 96 deletions(-)
- create mode 100644 mysql-test/include/require_openssl_client.inc
-
 diff --git a/extra/yassl/src/handshake.cpp b/extra/yassl/src/handshake.cpp
-index 407e4092ccc..6e181a997bd 100644
+index 407e409..6e181a9 100644
 --- a/extra/yassl/src/handshake.cpp
 +++ b/extra/yassl/src/handshake.cpp
 @@ -788,6 +788,16 @@ int DoProcessReply(SSL& ssl)
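Review bot: On the new side the patch file now starts directly at `diff --git a/extra/yassl/src/handshake.cpp`, so the provenance the removed preamble carried — the MDEV-10332 subject line and the `Upstream commit: f8866f8f665ac26beb31842fef48ecee5feb346e` reference — is no longer recorded anywhere in this repository. For a patch that rewrites TLS and cipher-context handling, that link is what lets a later reviewer check the remaining hunks against what upstream actually shipped. `git apply` and `patch` ignore free text ahead of the first `diff --git`, so a one-line header such as `Trimmed backport of MDEV-10332 (upstream f8866f8f665ac26beb31842fef48ecee5feb346e); hunks already present in 10.1.26 dropped` keeps the reference at no cost — the stated reason for the trim is my inference from the large deletion in the following hunk and should be confirmed against the 10.1.26 tree before it is written down.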
@@ -57,965 +19,9 @@ index 407e4092ccc..6e181a997bd 100644
              ssl.verifyState(hdr);
          }
  
-diff --git a/include/my_crypt.h b/include/my_crypt.h
-index 719e349bfb9..e7dd9d80100 100644
---- a/include/my_crypt.h
-+++ b/include/my_crypt.h
-@@ -21,4 +21,19 @@
- #include <my_config.h> /* HAVE_EncryptAes128{Ctr,Gcm} */
- #include <mysql/service_my_crypt.h>
- 
-+/* OpenSSL version specific definitions */
-+#if !defined(HAVE_YASSL) && defined(OPENSSL_VERSION_NUMBER)
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
-+#define ERR_remove_state(X)
-+#else
-+#define EVP_CIPHER_CTX_reset(X) EVP_CIPHER_CTX_cleanup(X)
-+#define RAND_OpenSSL() RAND_SSLeay();
-+#if defined(HAVE_ERR_remove_thread_state)
-+#define ERR_remove_state(X) ERR_remove_thread_state(NULL)
-+#endif
-+#endif
-+#elif defined(HAVE_YASSL)
-+#define EVP_CIPHER_CTX_reset(X) EVP_CIPHER_CTX_cleanup(X)
-+#endif /* !defined(HAVE_YASSL) */
-+
- #endif /* MY_CRYPT_INCLUDED */
-diff --git a/include/violite.h b/include/violite.h
-index a7165ca91a9..23800696e5a 100644
---- a/include/violite.h
-+++ b/include/violite.h
-@@ -146,14 +146,15 @@ typedef my_socket YASSL_SOCKET_T;
- #include <openssl/ssl.h>
- #include <openssl/err.h>
- 
--#ifdef HAVE_ERR_remove_thread_state
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
-+#define ERR_remove_state(X)
-+#elif defined(HAVE_ERR_remove_thread_state)
- #define ERR_remove_state(X) ERR_remove_thread_state(NULL)
- #endif
--
- enum enum_ssl_init_error
- {
--  SSL_INITERR_NOERROR= 0, SSL_INITERR_CERT, SSL_INITERR_KEY, 
--  SSL_INITERR_NOMATCH, SSL_INITERR_BAD_PATHS, SSL_INITERR_CIPHERS, 
-+  SSL_INITERR_NOERROR= 0, SSL_INITERR_CERT, SSL_INITERR_KEY,
-+  SSL_INITERR_NOMATCH, SSL_INITERR_BAD_PATHS, SSL_INITERR_CIPHERS,
-   SSL_INITERR_MEMFAIL, SSL_INITERR_DH, SSL_INITERR_LASTERR
- };
- const char* sslGetErrString(enum enum_ssl_init_error err);
-diff --git a/mysql-test/include/require_openssl_client.inc b/mysql-test/include/require_openssl_client.inc
-new file mode 100644
-index 00000000000..9b19960041b
---- /dev/null
-+++ b/mysql-test/include/require_openssl_client.inc
-@@ -0,0 +1,5 @@
-+if ($CLIENT_TLS_LIBRARY != "OpenSSL") {
-+  if ($CLIENT_TLS_LIBRARY != "LibreSSL") {
-+    skip "Test requires Connector/C with OpenSSL library";
-+  }
-+}
-diff --git a/mysql-test/mysql-test-run.pl b/mysql-test/mysql-test-run.pl
-index ef054fb2d3e..7241d2f2ea9 100755
---- a/mysql-test/mysql-test-run.pl
-+++ b/mysql-test/mysql-test-run.pl
-@@ -2304,6 +2304,11 @@ sub environment_setup {
-   $ENV{'MYSQL_PLUGIN'}=             $exe_mysql_plugin;
-   $ENV{'MYSQL_EMBEDDED'}=           $exe_mysql_embedded;
- 
-+  my $client_config_exe= 
-+    native_path("$bindir/libmariadb/mariadb_config$opt_vs_config/mariadb_config");
-+  my $tls_info= `$client_config_exe --tlsinfo`;
-+  ($ENV{CLIENT_TLS_LIBRARY},$ENV{CLIENT_TLS_LIBRARY_VERSION})=
-+    split(/ /, $tls_info, 2);
-   my $exe_mysqld= find_mysqld($basedir);
-   $ENV{'MYSQLD'}= $exe_mysqld;
-   my $extra_opts= join (" ", @opt_extra_mysqld_opt);
-diff --git a/mysql-test/r/openssl_1.result b/mysql-test/r/openssl_1.result
-index 294ddaf7884..9a9bc619377 100644
---- a/mysql-test/r/openssl_1.result
-+++ b/mysql-test/r/openssl_1.result
-@@ -198,7 +198,7 @@ DROP TABLE t1;
- Variable_name	Value
- Ssl_cipher	DHE-RSA-AES256-SHA
- Variable_name	Value
--Ssl_cipher	EDH-RSA-DES-CBC3-SHA
-+Ssl_cipher	AES128-SHA
- select 'is still running; no cipher request crashed the server' as result from dual;
- result
- is still running; no cipher request crashed the server
-diff --git a/mysql-test/r/openssl_6975,tlsv10.result b/mysql-test/r/openssl_6975,tlsv10.result
-index 6285faa0143..202e7f4268e 100644
---- a/mysql-test/r/openssl_6975,tlsv10.result
-+++ b/mysql-test/r/openssl_6975,tlsv10.result
-@@ -1,24 +1,24 @@
- create user ssl_sslv3@localhost;
--grant select on test.* to ssl_sslv3@localhost require cipher "RC4-SHA";
-+grant select on test.* to ssl_sslv3@localhost require cipher "AES128-SHA";
- create user ssl_tls12@localhost;
- grant select on test.* to ssl_tls12@localhost require cipher "AES128-SHA256";
- TLS1.2 ciphers: user is ok with any cipher
--ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
--ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
--TLS1.2 ciphers: user requires SSLv3 cipher RC4-SHA
--ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
--ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
-+ERROR 2026 (HY000): SSL connection error: sslv3 alert handshake failure
-+ERROR 2026 (HY000): SSL connection error: sslv3 alert handshake failure
-+TLS1.2 ciphers: user requires SSLv3 cipher AES128-SHA
-+ERROR 2026 (HY000): SSL connection error: sslv3 alert handshake failure
-+ERROR 2026 (HY000): SSL connection error: sslv3 alert handshake failure
- TLS1.2 ciphers: user requires TLSv1.2 cipher AES128-SHA256
- ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
- ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
- SSLv3 ciphers: user is ok with any cipher
- Variable_name	Value
--Ssl_cipher	RC4-SHA
-+Ssl_cipher	AES256-SHA
- Variable_name	Value
- Ssl_cipher	DHE-RSA-AES256-SHA
--SSLv3 ciphers: user requires SSLv3 cipher RC4-SHA
-+SSLv3 ciphers: user requires SSLv3 cipher AES128-SHA
- Variable_name	Value
--Ssl_cipher	RC4-SHA
-+Ssl_cipher	AES128-SHA
- ERROR 1045 (28000): Access denied for user 'ssl_sslv3'@'localhost' (using password: NO)
- SSLv3 ciphers: user requires TLSv1.2 cipher AES128-SHA256
- ERROR 1045 (28000): Access denied for user 'ssl_tls12'@'localhost' (using password: NO)
-diff --git a/mysql-test/r/openssl_6975,tlsv12.result b/mysql-test/r/openssl_6975,tlsv12.result
-index 31d2658c829..e2cc28cca70 100644
---- a/mysql-test/r/openssl_6975,tlsv12.result
-+++ b/mysql-test/r/openssl_6975,tlsv12.result
-@@ -1,5 +1,5 @@
- create user ssl_sslv3@localhost;
--grant select on test.* to ssl_sslv3@localhost require cipher "RC4-SHA";
-+grant select on test.* to ssl_sslv3@localhost require cipher "AES128-SHA";
- create user ssl_tls12@localhost;
- grant select on test.* to ssl_tls12@localhost require cipher "AES128-SHA256";
- TLS1.2 ciphers: user is ok with any cipher
-@@ -7,7 +7,7 @@ Variable_name	Value
- Ssl_cipher	AES128-SHA256
- Variable_name	Value
- Ssl_cipher	DHE-RSA-AES256-GCM-SHA384
--TLS1.2 ciphers: user requires SSLv3 cipher RC4-SHA
-+TLS1.2 ciphers: user requires SSLv3 cipher AES128-SHA
- ERROR 1045 (28000): Access denied for user 'ssl_sslv3'@'localhost' (using password: NO)
- ERROR 1045 (28000): Access denied for user 'ssl_sslv3'@'localhost' (using password: NO)
- TLS1.2 ciphers: user requires TLSv1.2 cipher AES128-SHA256
-@@ -15,11 +15,11 @@ Variable_name	Value
- Ssl_cipher	AES128-SHA256
- ERROR 1045 (28000): Access denied for user 'ssl_tls12'@'localhost' (using password: NO)
- SSLv3 ciphers: user is ok with any cipher
--ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
--ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
--SSLv3 ciphers: user requires SSLv3 cipher RC4-SHA
--ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
--ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
-+ERROR 2026 (HY000): SSL connection error: sslv3 alert handshake failure
-+ERROR 2026 (HY000): SSL connection error: sslv3 alert handshake failure
-+SSLv3 ciphers: user requires SSLv3 cipher AES128-SHA
-+ERROR 2026 (HY000): SSL connection error: sslv3 alert handshake failure
-+ERROR 2026 (HY000): SSL connection error: sslv3 alert handshake failure
- SSLv3 ciphers: user requires TLSv1.2 cipher AES128-SHA256
- ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
- ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
-diff --git a/mysql-test/t/openssl_1.test b/mysql-test/t/openssl_1.test
-index eea74b5b012..28f666263d2 100644
---- a/mysql-test/t/openssl_1.test
-+++ b/mysql-test/t/openssl_1.test
-@@ -221,8 +221,8 @@ DROP TABLE t1;
- #
- 
- # Common ciphers to openssl and yassl
----exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl_cipher';" --ssl-cipher=DHE-RSA-AES256-SHA
----exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl_cipher';" --ssl-cipher=EDH-RSA-DES-CBC3-SHA
-+--exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl_cipher';" --ssl-cipher=AES256-SHA
-+--exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl_cipher';" --ssl-cipher=AES128-SHA
- --disable_query_log
- --disable_result_log
- 
-diff --git a/mysql-test/t/openssl_6975.test b/mysql-test/t/openssl_6975.test
-index 6e8e03a0a89..6cf5d82cf54 100644
---- a/mysql-test/t/openssl_6975.test
-+++ b/mysql-test/t/openssl_6975.test
-@@ -4,11 +4,13 @@
- # test SSLv3 and TLSv1.2 ciphers when OpenSSL is restricted to SSLv3 or TLSv1.2
- #
- source include/have_ssl_communication.inc;
-+source include/require_openssl_client.inc;
- 
- # this is OpenSSL test.
- 
- create user ssl_sslv3@localhost;
--grant select on test.* to ssl_sslv3@localhost require cipher "RC4-SHA";
-+# grant select on test.* to ssl_sslv3@localhost require cipher "AES128-SHA";
-+grant select on test.* to ssl_sslv3@localhost require cipher "AES128-SHA";
- create user ssl_tls12@localhost;
- grant select on test.* to ssl_tls12@localhost require cipher "AES128-SHA256";
- 
-@@ -18,8 +20,9 @@ disable_abort_on_error;
- echo TLS1.2 ciphers: user is ok with any cipher;
- exec $mysql                  --ssl-cipher=AES128-SHA256;
- --replace_result DHE-RSA-CHACHA20-POLY1305 DHE-RSA-AES256-GCM-SHA384
--exec $mysql                  --ssl-cipher=TLSv1.2;
--echo TLS1.2 ciphers: user requires SSLv3 cipher RC4-SHA;
-+--replace_result ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384
-+exec $mysql                  --ssl-cipher=TLSv1.2
-+echo TLS1.2 ciphers: user requires SSLv3 cipher AES128-SHA;
- exec $mysql --user ssl_sslv3 --ssl-cipher=AES128-SHA256;
- exec $mysql --user ssl_sslv3 --ssl-cipher=TLSv1.2;
- echo TLS1.2 ciphers: user requires TLSv1.2 cipher AES128-SHA256;
-@@ -27,13 +30,13 @@ exec $mysql --user ssl_tls12 --ssl-cipher=AES128-SHA256;
- exec $mysql --user ssl_tls12 --ssl-cipher=TLSv1.2;
- 
- echo SSLv3 ciphers: user is ok with any cipher;
--exec $mysql                  --ssl-cipher=RC4-SHA;
--exec $mysql                  --ssl-cipher=SSLv3;
--echo SSLv3 ciphers: user requires SSLv3 cipher RC4-SHA;
--exec $mysql --user ssl_sslv3 --ssl-cipher=RC4-SHA;
-+exec $mysql                  --ssl-cipher=AES256-SHA;
-+exec $mysql                  --ssl-cipher=DHE-RSA-AES256-SHA
-+echo SSLv3 ciphers: user requires SSLv3 cipher AES128-SHA;
-+exec $mysql --user ssl_sslv3 --ssl-cipher=AES128-SHA;
- exec $mysql --user ssl_sslv3 --ssl-cipher=SSLv3;
- echo SSLv3 ciphers: user requires TLSv1.2 cipher AES128-SHA256;
--exec $mysql --user ssl_tls12 --ssl-cipher=RC4-SHA;
-+exec $mysql --user ssl_tls12 --ssl-cipher=AES128-SHA;
- exec $mysql --user ssl_tls12 --ssl-cipher=SSLv3;
- 
- drop user ssl_sslv3@localhost;
-diff --git a/mysql-test/t/ssl_7937.test b/mysql-test/t/ssl_7937.test
-index d593b9d936d..a76457906ec 100644
---- a/mysql-test/t/ssl_7937.test
-+++ b/mysql-test/t/ssl_7937.test
-@@ -26,6 +26,7 @@ create procedure have_ssl()
- # we fake the test result for yassl
- let yassl=`select variable_value='Unknown' from information_schema.session_status where variable_name='Ssl_session_cache_mode'`;
- if (!$yassl) {
-+  --replace_result "self signed certificate in certificate chain" "Failed to verify the server certificate" "Error in the certificate." "Failed to verify the server certificate"
-   --exec $MYSQL --ssl --ssl-verify-server-cert -e "call test.have_ssl()" 2>&1
- }
- if ($yassl) {
-diff --git a/mysql-test/t/ssl_8k_key.test b/mysql-test/t/ssl_8k_key.test
-index 27cffdce1f2..470d577edb8 100644
---- a/mysql-test/t/ssl_8k_key.test
-+++ b/mysql-test/t/ssl_8k_key.test
-@@ -1,4 +1,5 @@
- # This test should work in embedded server after we fix mysqltest
-+-- source include/require_openssl_client.inc
- -- source include/not_embedded.inc
- 
- -- source include/have_ssl_communication.inc
-diff --git a/mysys_ssl/my_crypt.cc b/mysys_ssl/my_crypt.cc
-index a0937a83e17..0ff49a2c427 100644
---- a/mysys_ssl/my_crypt.cc
-+++ b/mysys_ssl/my_crypt.cc
-@@ -17,7 +17,6 @@
- 
- #include <my_global.h>
- #include <string.h>
--#include <my_crypt.h>
- 
- #ifdef HAVE_YASSL
- #include "yassl.cc"
-@@ -26,43 +25,51 @@
- #include <openssl/evp.h>
- #include <openssl/aes.h>
- #include <openssl/err.h>
-+#include <openssl/rand.h>
- 
--#ifdef HAVE_ERR_remove_thread_state
--#define ERR_remove_state(X) ERR_remove_thread_state(NULL)
- #endif
-+#include <my_crypt.h>
- 
--#endif
-+#define MY_CIPHER_CTX_SIZE 384
- 
- class MyCTX
- {
- public:
--  EVP_CIPHER_CTX ctx;
--  MyCTX() { EVP_CIPHER_CTX_init(&ctx); }
--  virtual ~MyCTX() { EVP_CIPHER_CTX_cleanup(&ctx); ERR_remove_state(0); }
-+  EVP_CIPHER_CTX *ctx;
-+  const uchar *key;
-+  unsigned int klen;
-+  MyCTX() {
-+            ctx= EVP_CIPHER_CTX_new();
-+          }
-+  virtual ~MyCTX() {
-+                     EVP_CIPHER_CTX_free(ctx);
-+                     ERR_remove_state(0);
-+                    }
- 
-   virtual int init(const EVP_CIPHER *cipher, int encrypt, const uchar *key,
-                    uint klen, const uchar *iv, uint ivlen)
-   {
-+    compile_time_assert(MY_AES_CTX_SIZE >= sizeof(MyCTX));
-     if (unlikely(!cipher))
-       return MY_AES_BAD_KEYSIZE;
- 
--    if (!EVP_CipherInit_ex(&ctx, cipher, NULL, key, iv, encrypt))
-+    if (!EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, encrypt))
-       return MY_AES_OPENSSL_ERROR;
- 
--    DBUG_ASSERT(EVP_CIPHER_CTX_key_length(&ctx) == (int)klen);
--    DBUG_ASSERT(EVP_CIPHER_CTX_iv_length(&ctx) <= (int)ivlen);
-+    DBUG_ASSERT(EVP_CIPHER_CTX_key_length(ctx) == (int)klen);
-+    DBUG_ASSERT(EVP_CIPHER_CTX_iv_length(ctx) <= (int)ivlen);
- 
-     return MY_AES_OK;
-   }
-   virtual int update(const uchar *src, uint slen, uchar *dst, uint *dlen)
-   {
--    if (!EVP_CipherUpdate(&ctx, dst, (int*)dlen, src, slen))
-+    if (!EVP_CipherUpdate(ctx, dst, (int*)dlen, src, slen))
-       return MY_AES_OPENSSL_ERROR;
-     return MY_AES_OK;
-   }
-   virtual int finish(uchar *dst, uint *dlen)
-   {
--    if (!EVP_CipherFinal_ex(&ctx, dst, (int*)dlen))
-+    if (!EVP_CipherFinal_ex(ctx, dst, (int*)dlen))
-       return MY_AES_BAD_DATA;
-     return MY_AES_OK;
-   }
-@@ -71,11 +78,9 @@ class MyCTX
- class MyCTX_nopad : public MyCTX
- {
- public:
--  const uchar *key;
--  int klen;
--
-   MyCTX_nopad() : MyCTX() { }
-   ~MyCTX_nopad() { }
-+  unsigned int buf_len;
- 
-   int init(const EVP_CIPHER *cipher, int encrypt, const uchar *key, uint klen,
-            const uchar *iv, uint ivlen)
-@@ -83,16 +88,39 @@ class MyCTX_nopad : public MyCTX
-     compile_time_assert(MY_AES_CTX_SIZE >= sizeof(MyCTX_nopad));
-     this->key= key;
-     this->klen= klen;
-+    this->buf_len= 0;
-+    /* FIX-ME:
-+       For the sake of backward compatibility we do some strange hack here:
-+       Since ECB doesn't need an IV (and therefore is considered kind of
-+       insecure) we need to store the specified iv.
-+       The last nonpadding block will be encrypted with an additional
-+       expensive crypt_call in ctr mode instead
-+       of encrypting the entire plain text in ctr-mode */
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
-+    const unsigned char *oiv= EVP_CIPHER_CTX_original_iv(ctx);
-+#else
-+    const unsigned char *oiv= ctx->oiv;
-+#endif
-+    memcpy((char *)oiv, iv, ivlen);
-+
-     int res= MyCTX::init(cipher, encrypt, key, klen, iv, ivlen);
--    memcpy(ctx.oiv, iv, ivlen); // in ECB mode OpenSSL doesn't do that itself
--    EVP_CIPHER_CTX_set_padding(&ctx, 0);
-+
-+    EVP_CIPHER_CTX_set_padding(ctx, 0);
-     return res;
-   }
- 
-+  int update(const uchar *src, uint slen, uchar *dst, uint *dlen)
-+  {
-+    buf_len= slen % MY_AES_BLOCK_SIZE;
-+    return MyCTX::update(src, slen, dst, dlen);
-+  }
-+
-   int finish(uchar *dst, uint *dlen)
-   {
--    if (ctx.buf_len)
-+    if (buf_len)
-     {
-+      const uchar *org_iv;
-+      unsigned char *buf;
-       /*
-         Not much we can do, block ciphers cannot encrypt data that aren't
-         a multiple of the block length. At least not without padding.
-@@ -101,14 +129,22 @@ class MyCTX_nopad : public MyCTX
-       uchar mask[MY_AES_BLOCK_SIZE];
-       uint mlen;
- 
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
-+      org_iv= EVP_CIPHER_CTX_original_iv(ctx);
-+      buf= EVP_CIPHER_CTX_buf_noconst(ctx);
-+#else
-+      org_iv= ctx->oiv;
-+      buf= ctx->buf;
-+#endif
-+
-       my_aes_crypt(MY_AES_ECB, ENCRYPTION_FLAG_ENCRYPT | ENCRYPTION_FLAG_NOPAD,
--                   ctx.oiv, sizeof(mask), mask, &mlen, key, klen, 0, 0);
-+                   org_iv, sizeof(mask), mask, &mlen, key, klen, 0, 0);
-       DBUG_ASSERT(mlen == sizeof(mask));
- 
--      for (int i=0; i < ctx.buf_len; i++)
--        dst[i]= ctx.buf[i] ^ mask[i];
-+      for (uint i=0; i < buf_len; i++)
-+        dst[i]= buf[i] ^ mask[i];
-     }
--    *dlen= ctx.buf_len;
-+    *dlen= buf_len;
-     return MY_AES_OK;
-   }
- };
-@@ -142,8 +178,9 @@ make_aes_dispatcher(gcm)
- class MyCTX_gcm : public MyCTX
- {
- public:
--  const uchar *aad;
-+  const uchar *aad= NULL;
-   int aadlen;
-+  my_bool encrypt;
-   MyCTX_gcm() : MyCTX() { }
-   ~MyCTX_gcm() { }
- 
-@@ -152,9 +189,10 @@ class MyCTX_gcm : public MyCTX
-   {
-     compile_time_assert(MY_AES_CTX_SIZE >= sizeof(MyCTX_gcm));
-     int res= MyCTX::init(cipher, encrypt, key, klen, iv, ivlen);
--    int real_ivlen= EVP_CIPHER_CTX_iv_length(&ctx);
-+    int real_ivlen= EVP_CIPHER_CTX_iv_length(ctx);
-     aad= iv + real_ivlen;
-     aadlen= ivlen - real_ivlen;
-+    this->encrypt= encrypt;
-     return res;
-   }
- 
-@@ -166,15 +204,15 @@ class MyCTX_gcm : public MyCTX
-       before decrypting the data. it can encrypt data piecewise, like, first
-       half, then the second half, but it must decrypt all at once
-     */
--    if (!ctx.encrypt)
-+    if (!this->encrypt)
-     {
-       slen-= MY_AES_BLOCK_SIZE;
--      if(!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_TAG, MY_AES_BLOCK_SIZE,
-+      if(!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, MY_AES_BLOCK_SIZE,
-                               (void*)(src + slen)))
-         return MY_AES_OPENSSL_ERROR;
-     }
--    int unused;
--    if (aadlen && !EVP_CipherUpdate(&ctx, NULL, &unused, aad, aadlen))
-+    int unused= 0;
-+    if (aadlen && !EVP_CipherUpdate(ctx, NULL, &unused, aad, aadlen))
-       return MY_AES_OPENSSL_ERROR;
-     aadlen= 0;
-     return MyCTX::update(src, slen, dst, dlen);
-@@ -182,14 +220,14 @@ class MyCTX_gcm : public MyCTX
- 
-   int finish(uchar *dst, uint *dlen)
-   {
--    int fin;
--    if (!EVP_CipherFinal_ex(&ctx, dst, &fin))
-+    int fin= 0;
-+    if (!EVP_CipherFinal_ex(ctx, dst, &fin))
-       return MY_AES_BAD_DATA;
-     DBUG_ASSERT(fin == 0);
- 
--    if (ctx.encrypt)
-+    if (this->encrypt)
-     {
--      if(!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_GET_TAG, MY_AES_BLOCK_SIZE, dst))
-+      if(!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, MY_AES_BLOCK_SIZE, dst))
-         return MY_AES_OPENSSL_ERROR;
-       *dlen= MY_AES_BLOCK_SIZE;
-     }
-@@ -257,12 +295,20 @@ int my_aes_crypt(enum my_aes_mode mode, int flags,
- {
-   void *ctx= alloca(MY_AES_CTX_SIZE);
-   int res1, res2;
--  uint d1, d2;
-+  uint d1= 0, d2= 0;
-   if ((res1= my_aes_crypt_init(ctx, mode, flags, key, klen, iv, ivlen)))
-     return res1;
-   res1= my_aes_crypt_update(ctx, src, slen, dst, &d1);
-   res2= my_aes_crypt_finish(ctx, dst + d1, &d2);
-   *dlen= d1 + d2;
-+  /* in case of failure clear error queue */
-+#ifndef HAVE_YASSL
-+  /* since we don't check the crypto error messages we need to
-+     clear the error queue - otherwise subsequent crypto or tls/ssl
-+     calls will fail */
-+  if (!*dlen)
-+    ERR_clear_error();
-+#endif
-   return res1 ? res1 : res2;
- }
- 
-@@ -301,7 +347,6 @@ int my_random_bytes(uchar* buf, int num)
-   return MY_AES_OK;
- }
- #else
--#include <openssl/rand.h>
- 
- int my_random_bytes(uchar *buf, int num)
- {
-@@ -311,7 +356,7 @@ int my_random_bytes(uchar *buf, int num)
-     instead of whatever random engine is currently set in OpenSSL. That way
-     we are guaranteed to have a non-blocking random.
-   */
--  RAND_METHOD *rand = RAND_SSLeay();
-+  RAND_METHOD *rand = RAND_OpenSSL();
-   if (rand == NULL || rand->bytes(buf, num) != 1)
-     return MY_AES_OPENSSL_ERROR;
-   return MY_AES_OK;
-diff --git a/mysys_ssl/my_md5.cc b/mysys_ssl/my_md5.cc
-index 7139ea9b6ff..02c01dd7148 100644
---- a/mysys_ssl/my_md5.cc
-+++ b/mysys_ssl/my_md5.cc
-@@ -27,6 +27,8 @@
- #include <my_md5.h>
- #include <stdarg.h>
- 
-+#define MA_HASH_CTX_SIZE 512
-+
- #if defined(HAVE_YASSL)
- #include "md5.hpp"
- 
-@@ -57,11 +59,18 @@ static void md5_result(MD5_CONTEXT *context, uchar digest[MD5_HASH_SIZE])
- }
- 
- #elif defined(HAVE_OPENSSL)
-+
-+
- #include <openssl/evp.h>
-+
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
-+#define EVP_MD_CTX_reset(X) EVP_MD_CTX_cleanup(X)
-+#endif
- typedef EVP_MD_CTX MD5_CONTEXT;
- 
- static void md5_init(MD5_CONTEXT *context)
- {
-+  memset(context, 0, my_md5_context_size());
-   EVP_MD_CTX_init(context);
- #ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
-   /* Ok to ignore FIPS: MD5 is not used for crypto here */
-@@ -83,7 +92,7 @@ static void md5_input(MD5_CONTEXT *context, const uchar *buf, unsigned len)
- static void md5_result(MD5_CONTEXT *context, uchar digest[MD5_HASH_SIZE])
- {
-   EVP_DigestFinal_ex(context, digest, NULL);
--  EVP_MD_CTX_cleanup(context);
-+  EVP_MD_CTX_reset(context);
- }
- 
- #endif /* HAVE_YASSL */
-@@ -99,11 +108,14 @@ static void md5_result(MD5_CONTEXT *context, uchar digest[MD5_HASH_SIZE])
- */
- void my_md5(uchar *digest, const char *buf, size_t len)
- {
-+#ifdef HAVE_YASSL
-   MD5_CONTEXT md5_context;
--
--  md5_init_fast(&md5_context);
--  md5_input(&md5_context, (const uchar *)buf, len);
--  md5_result(&md5_context, digest);
-+#else
-+  unsigned char md5_context[MA_HASH_CTX_SIZE];
-+#endif
-+  md5_init_fast((MD5_CONTEXT *)&md5_context);
-+  md5_input((MD5_CONTEXT *)&md5_context, (const uchar *)buf, len);
-+  md5_result((MD5_CONTEXT *)&md5_context, digest);
- }
- 
- 
-@@ -122,22 +134,25 @@ void my_md5(uchar *digest, const char *buf, size_t len)
- void my_md5_multi(uchar *digest, ...)
- {
-   va_list args;
--  va_start(args, digest);
--
--  MD5_CONTEXT md5_context;
-   const uchar *str;
-+#ifdef HAVE_YASSL
-+  MD5_CONTEXT md5_context;
-+#else
-+  unsigned char md5_context[MA_HASH_CTX_SIZE];
-+#endif
-+  va_start(args, digest);
- 
--  md5_init_fast(&md5_context);
-+  md5_init_fast((MD5_CONTEXT *)&md5_context);
-   for (str= va_arg(args, const uchar*); str; str= va_arg(args, const uchar*))
--    md5_input(&md5_context, str, va_arg(args, size_t));
-+    md5_input((MD5_CONTEXT *)&md5_context, str, va_arg(args, size_t));
- 
--  md5_result(&md5_context, digest);
-+  md5_result((MD5_CONTEXT *)&md5_context, digest);
-   va_end(args);
- }
- 
- size_t my_md5_context_size()
- {
--  return sizeof(MD5_CONTEXT);
-+  return MA_HASH_CTX_SIZE;
- }
- 
- void my_md5_init(void *context)
-diff --git a/mysys_ssl/yassl.cc b/mysys_ssl/yassl.cc
-index 9717870fe26..9e6f90d8d77 100644
---- a/mysys_ssl/yassl.cc
-+++ b/mysys_ssl/yassl.cc
-@@ -24,6 +24,7 @@
- 
- #include <openssl/ssl.h>
- #include "aes.hpp"
-+#include <my_sys.h>
- 
- using yaSSL::yaERR_remove_state;
- 
-@@ -75,12 +76,26 @@ static void EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *ctx)
-   ctx->final_used= ctx->buf_len= ctx->flags= 0;
- }
- 
-+static EVP_CIPHER_CTX *EVP_CIPHER_CTX_new()
-+{
-+  EVP_CIPHER_CTX *ctx= (EVP_CIPHER_CTX *)my_malloc(sizeof(EVP_CIPHER_CTX), MYF(0));
-+  if (ctx)
-+    EVP_CIPHER_CTX_init(ctx);
-+  return ctx;
-+}
-+
- static int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *ctx)
- {
-   TAO(ctx)->~AES();
-   return 1;
- }
- 
-+static void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx)
-+{
-+  EVP_CIPHER_CTX_cleanup(ctx);
-+  my_free(ctx);
-+}
-+
- static int EVP_CIPHER_CTX_set_padding(EVP_CIPHER_CTX *ctx, int pad)
- {
-   if (pad)
-diff --git a/sql-common/client.c b/sql-common/client.c
-index a918060a848..d881080b55a 100644
---- a/sql-common/client.c
-+++ b/sql-common/client.c
-@@ -104,6 +104,10 @@ my_bool	net_flush(NET *net);
- #define CONNECT_TIMEOUT 0
- #endif
- 
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) || defined(HAVE_YASSL)
-+#define ASN1_STRING_get0_data(X) ASN1_STRING_data(X)
-+#endif
-+
- #include "client_settings.h"
- #include <sql_common.h>
- #include <mysql/client_plugin.h>
-@@ -1842,7 +1846,7 @@ static int ssl_verify_server_cert(Vio *vio, const char* server_hostname, const c
-     goto error;
-   }
- 
--  cn= (char *) ASN1_STRING_data(cn_asn1);
-+  cn= (char *) ASN1_STRING_get0_data(cn_asn1);
- 
-   if ((size_t)ASN1_STRING_length(cn_asn1) != strlen(cn))
-   {
-diff --git a/sql/mysqld.cc b/sql/mysqld.cc
-index 0bf57d9543b..d6a7c6b4931 100644
---- a/sql/mysqld.cc
-+++ b/sql/mysqld.cc
-@@ -111,6 +111,7 @@
- #endif
- 
- #include <my_systemd.h>
-+#include <my_crypt.h>
- 
- #define mysqld_charset &my_charset_latin1
- 
-@@ -120,6 +121,7 @@
- #define HAVE_CLOSE_SERVER_SOCK 1
- #endif
- 
-+
- extern "C" {					// Because of SCO 3.2V4.2
- #include <sys/stat.h>
- #ifndef __GNU_LIBRARY__
-@@ -1456,6 +1458,8 @@ scheduler_functions *thread_scheduler= &thread_scheduler_struct,
- #ifdef HAVE_OPENSSL
- #include <openssl/crypto.h>
- #ifndef HAVE_YASSL
-+
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- typedef struct CRYPTO_dynlock_value
- {
-   mysql_rwlock_t lock;
-@@ -1467,6 +1471,7 @@ static void openssl_dynlock_destroy(openssl_lock_t *, const char *, int);
- static void openssl_lock_function(int, int, const char *, int);
- static void openssl_lock(int, openssl_lock_t *, const char *, int);
- #endif
-+#endif
- char *des_key_file;
- #ifndef EMBEDDED_LIBRARY
- struct st_VioSSLFd *ssl_acceptor_fd;
-@@ -2243,9 +2248,11 @@ static void clean_up_mutexes()
- #ifdef HAVE_OPENSSL
-   mysql_mutex_destroy(&LOCK_des_key_file);
- #ifndef HAVE_YASSL
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
-   for (int i= 0; i < CRYPTO_num_locks(); ++i)
-     mysql_rwlock_destroy(&openssl_stdlocks[i].lock);
-   OPENSSL_free(openssl_stdlocks);
-+#endif
- #endif /* HAVE_YASSL */
- #endif /* HAVE_OPENSSL */
- #ifdef HAVE_REPLICATION
-@@ -4595,6 +4602,7 @@ static int init_thread_environment()
-   mysql_mutex_init(key_LOCK_des_key_file,
-                    &LOCK_des_key_file, MY_MUTEX_INIT_FAST);
- #ifndef HAVE_YASSL
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
-   openssl_stdlocks= (openssl_lock_t*) OPENSSL_malloc(CRYPTO_num_locks() *
-                                                      sizeof(openssl_lock_t));
-   for (int i= 0; i < CRYPTO_num_locks(); ++i)
-@@ -4605,6 +4613,7 @@ static int init_thread_environment()
-   CRYPTO_set_locking_callback(openssl_lock_function);
- #endif
- #endif
-+#endif
-   mysql_rwlock_init(key_rwlock_LOCK_sys_init_connect, &LOCK_sys_init_connect);
-   mysql_rwlock_init(key_rwlock_LOCK_sys_init_slave, &LOCK_sys_init_slave);
-   mysql_rwlock_init(key_rwlock_LOCK_grant, &LOCK_grant);
-@@ -4638,6 +4647,7 @@ static int init_thread_environment()
- 
- 
- #if defined(HAVE_OPENSSL) && !defined(HAVE_YASSL)
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- static openssl_lock_t *openssl_dynlock_create(const char *file, int line)
- {
-   openssl_lock_t *lock= new openssl_lock_t;
-@@ -4697,6 +4707,7 @@ static void openssl_lock(int mode, openssl_lock_t *lock, const char *file,
-     abort();
-   }
- }
-+#endif
- #endif /* HAVE_OPENSSL */
- 
- 
-@@ -4726,8 +4737,9 @@ static void init_ssl()
-       while ((err= ERR_get_error()))
-         sql_print_warning("SSL error: %s", ERR_error_string(err, NULL));
-     }
--    else
-+    else {
-       ERR_remove_state(0);
-+    }
-   }
-   else
-   {
-diff --git a/sql/slave.cc b/sql/slave.cc
-index f95dd60287b..636965c4619 100644
---- a/sql/slave.cc
-+++ b/sql/slave.cc
-@@ -60,6 +60,11 @@
- #include "debug_sync.h"
- #include "rpl_parallel.h"
- 
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+#define ERR_remove_state(X)
-+#elif defined(HAVE_ERR_remove_thread_state)
-+#define ERR_remove_state(X) ERR_remove_thread_state(NULL)
-+#endif
- 
- #define FLAGSTR(V,F) ((V)&(F)?#F" ":"")
- 
-@@ -4505,7 +4510,11 @@ log space");
-   DBUG_LEAVE;                                   // Must match DBUG_ENTER()
-   my_thread_end();
- #ifdef HAVE_OPENSSL
-+#if OPENSSL_VERSION_NUMBER < 0x10000000L
-   ERR_remove_state(0);
-+#elif OPENSSL_VERSION_NUMBER < 0x10100000L
-+  ERR_remove_thread_state(0);
-+#endif
- #endif
-   pthread_exit(0);
-   return 0;                                     // Avoid compiler warnings
-@@ -5166,7 +5175,11 @@ pthread_handler_t handle_slave_sql(void *arg)
-   DBUG_LEAVE;                                   // Must match DBUG_ENTER()
-   my_thread_end();
- #ifdef HAVE_OPENSSL
-+#if OPENSSL_VERSION_NUMBER < 0x10000000L
-   ERR_remove_state(0);
-+#elif OPENSSL_VERSION_NUMBER < 0x10100000L
-+  ERR_remove_thread_state(0);
-+#endif
- #endif
-   pthread_exit(0);
-   return 0;                                     // Avoid compiler warnings
-diff --git a/vio/viosslfactories.c b/vio/viosslfactories.c
-index 52b624d3376..497047cac72 100644
---- a/vio/viosslfactories.c
-+++ b/vio/viosslfactories.c
-@@ -17,17 +17,27 @@
- #include "vio_priv.h"
- 
- #ifdef HAVE_OPENSSL
--#ifndef HAVE_YASSL
-+#if defined(HAVE_YASSL) || defined(LIBRESSL_VERSION_NUMBER)
-+#define OPENSSL_init_ssl(X,Y) SSL_library_init()
-+#else
- #include <openssl/dh.h>
- #include <openssl/bn.h>
-+
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+#define ERR_remove_state(X)
-+#else
-+#define OPENSSL_init_ssl(X,Y) SSL_library_init()
-+#endif
-+
- #endif
- 
- static my_bool     ssl_algorithms_added    = FALSE;
- static my_bool     ssl_error_strings_loaded= FALSE;
- 
- /* the function below was generated with "openssl dhparam -2 -C 2048" */
--static
--DH *get_dh2048()
-+
-+/* {{{ get_dh_2048 */
-+static DH *get_dh_2048()
- {
-   static unsigned char dh2048_p[]={
-     0xA1,0xBB,0x7C,0x20,0xC5,0x5B,0xC0,0x7B,0x21,0x8B,0xD6,0xA8,
-@@ -57,18 +67,32 @@ DH *get_dh2048()
-     0x02,
-   };
-   DH *dh;
--
--  if ((dh=DH_new()) == NULL) return(NULL);
--  dh->p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL);
--  dh->g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL);
--  if ((dh->p == NULL) || (dh->g == NULL))
--  { DH_free(dh); return(NULL); }
--  return(dh);
-+  if ((dh=DH_new()) == NULL)
-+    return(NULL);
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
-+  (dh)->p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL);
-+  (dh)->g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL);
-+  if ((dh)->p == NULL || (dh)->g == NULL)
-+  { DH_free(dh); return NULL; }
-+#else
-+  {
-+    BIGNUM *dhp_bn= BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL),
-+           *dhg_bn= BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL);
-+    if (dhp_bn == NULL || dhg_bn == NULL ||
-+        !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn))
-+    {
-+      DH_free(dh);
-+      BN_free(dhp_bn);
-+      BN_free(dhg_bn);
-+      return NULL;
-+    }
-+  }
-+#endif
-+  return dh;
- }
- 
--
- static const char*
--ssl_error_string[] = 
-+ssl_error_string[] =
- {
-   "No error",
-   "Unable to get certificate",
-@@ -148,9 +172,7 @@ static void check_ssl_init()
-   if (!ssl_algorithms_added)
-   {
-     ssl_algorithms_added= TRUE;
--    SSL_library_init();
--    OpenSSL_add_all_algorithms();
--
-+    OPENSSL_init_ssl(0, NULL);
-   }
- 
-   if (!ssl_error_strings_loaded)
-@@ -265,7 +287,7 @@ new_VioSSLFd(const char *key_file, const char *cert_file,
-   /* DH stuff */
-   if (!is_client_method)
-   {
--    dh=get_dh2048();
-+    dh=get_dh_2048();
-     if (!SSL_CTX_set_tmp_dh(ssl_fd->ssl_context, dh))
-     {
-       *error= SSL_INITERR_DH;
-From 1e73c46c82f65ef59485f4789cc0642a03bb2494 Mon Sep 17 00:00:00 2001
-From: Sergei Golubchik <serg@mariadb.org>
-Date: Wed, 3 May 2017 21:22:59 +0200
-Subject: [PATCH 2/2] MDEV-10332  support for OpenSSL 1.1 and LibreSSL
-
-post-review fixes:
-* move all ssl implementation related ifdefs/defines to one file
-  (ssl_compat.h)
-* work around OpenSSL-1.1 desire to malloc every EVP context by
-  run-time checking that context allocated on the stack is big enough
-  (openssl.c)
-* use newer version of the AWS SDK for OpenSSL 1.1
-* use get_dh2048() function as generated by openssl 1.1
-  (viosslfactories.c)
-
-Upstream commit: ccca4f43c92916c347210a7f9a8126f2aa3f6c31
----
- include/my_crypt.h                       |  15 -----
- include/ssl_compat.h                     |  75 +++++++++++++++++++++
- include/violite.h                        |  12 ----
- mysql-test/mysql-test-run.pl             |   2 +-
- mysql-test/t/openssl_6975.test           |   7 +-
- mysql-test/t/ssl_8k_key.test             |   5 +-
- mysys_ssl/CMakeLists.txt                 |   1 +
- mysys_ssl/my_crypt.cc                    | 102 +++++++++++------------------
- mysys_ssl/my_md5.cc                      |  85 +++++++++---------------
- mysys_ssl/openssl.c                      |  71 ++++++++++++++++++++
- mysys_ssl/yassl.cc                       |  19 ------
- plugin/aws_key_management/CMakeLists.txt |  10 +++
- sql-common/client.c                      |   8 +--
- sql/mysqld.cc                            |  49 +++++++-------
- sql/slave.cc                             |  19 +-----
- vio/vio.c                                |   1 +
- vio/viosslfactories.c                    | 108 +++++++++++++------------------
- 17 files changed, 305 insertions(+), 284 deletions(-)
- create mode 100644 include/ssl_compat.h
- create mode 100644 mysys_ssl/openssl.c
-
-diff --git a/include/my_crypt.h b/include/my_crypt.h
-index e7dd9d80100..719e349bfb9 100644
---- a/include/my_crypt.h
-+++ b/include/my_crypt.h
-@@ -21,19 +21,4 @@
- #include <my_config.h> /* HAVE_EncryptAes128{Ctr,Gcm} */
- #include <mysql/service_my_crypt.h>
- 
--/* OpenSSL version specific definitions */
--#if !defined(HAVE_YASSL) && defined(OPENSSL_VERSION_NUMBER)
--#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
--#define ERR_remove_state(X)
--#else
--#define EVP_CIPHER_CTX_reset(X) EVP_CIPHER_CTX_cleanup(X)
--#define RAND_OpenSSL() RAND_SSLeay();
--#if defined(HAVE_ERR_remove_thread_state)
--#define ERR_remove_state(X) ERR_remove_thread_state(NULL)
--#endif
--#endif
--#elif defined(HAVE_YASSL)
--#define EVP_CIPHER_CTX_reset(X) EVP_CIPHER_CTX_cleanup(X)
--#endif /* !defined(HAVE_YASSL) */
--
- #endif /* MY_CRYPT_INCLUDED */
 diff --git a/include/ssl_compat.h b/include/ssl_compat.h
 new file mode 100644
-index 00000000000..b0e3ed497cd
+index 0000000..b0e3ed4
 --- /dev/null
 +++ b/include/ssl_compat.h
 @@ -0,0 +1,75 @@
@@ -1095,7 +101,7 @@ index 00000000000..b0e3ed497cd
 +}
 +#endif
 diff --git a/include/violite.h b/include/violite.h
-index 23800696e5a..572d4741c80 100644
+index a7165ca..572d474 100644
 --- a/include/violite.h
 +++ b/include/violite.h
 @@ -123,13 +123,6 @@ int vio_getnameinfo(const struct sockaddr *sa,
@@ -1112,63 +118,100 @@ index 23800696e5a..572d4741c80 100644
  /* apple deprecated openssl in MacOSX Lion */
  #ifdef __APPLE__
  #pragma GCC diagnostic ignored "-Wdeprecated-declarations"
-@@ -146,11 +139,6 @@ typedef my_socket YASSL_SOCKET_T;
+@@ -146,14 +139,10 @@ typedef my_socket YASSL_SOCKET_T;
  #include <openssl/ssl.h>
  #include <openssl/err.h>
  
--#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
--#define ERR_remove_state(X)
--#elif defined(HAVE_ERR_remove_thread_state)
+-#ifdef HAVE_ERR_remove_thread_state
 -#define ERR_remove_state(X) ERR_remove_thread_state(NULL)
 -#endif
+-
  enum enum_ssl_init_error
  {
-   SSL_INITERR_NOERROR= 0, SSL_INITERR_CERT, SSL_INITERR_KEY,
+-  SSL_INITERR_NOERROR= 0, SSL_INITERR_CERT, SSL_INITERR_KEY, 
+-  SSL_INITERR_NOMATCH, SSL_INITERR_BAD_PATHS, SSL_INITERR_CIPHERS, 
++  SSL_INITERR_NOERROR= 0, SSL_INITERR_CERT, SSL_INITERR_KEY,
++  SSL_INITERR_NOMATCH, SSL_INITERR_BAD_PATHS, SSL_INITERR_CIPHERS,
+   SSL_INITERR_MEMFAIL, SSL_INITERR_DH, SSL_INITERR_LASTERR
+ };
+ const char* sslGetErrString(enum enum_ssl_init_error err);
+diff --git a/mysql-test/include/require_openssl_client.inc b/mysql-test/include/require_openssl_client.inc
+new file mode 100644
+index 0000000..9b19960
+--- /dev/null
++++ b/mysql-test/include/require_openssl_client.inc
+@@ -0,0 +1,5 @@
++if ($CLIENT_TLS_LIBRARY != "OpenSSL") {
++  if ($CLIENT_TLS_LIBRARY != "LibreSSL") {
++    skip "Test requires Connector/C with OpenSSL library";
++  }
++}
 diff --git a/mysql-test/mysql-test-run.pl b/mysql-test/mysql-test-run.pl
-index 7241d2f2ea9..21dff82736e 100755
+index 2cd5d2a..22bcaba 100755
 --- a/mysql-test/mysql-test-run.pl
 +++ b/mysql-test/mysql-test-run.pl
-@@ -2304,7 +2304,7 @@ sub environment_setup {
+@@ -2300,6 +2300,11 @@ sub environment_setup {
    $ENV{'MYSQL_PLUGIN'}=             $exe_mysql_plugin;
    $ENV{'MYSQL_EMBEDDED'}=           $exe_mysql_embedded;
  
--  my $client_config_exe= 
 +  my $client_config_exe=
-     native_path("$bindir/libmariadb/mariadb_config$opt_vs_config/mariadb_config");
-   my $tls_info= `$client_config_exe --tlsinfo`;
-   ($ENV{CLIENT_TLS_LIBRARY},$ENV{CLIENT_TLS_LIBRARY_VERSION})=
++    native_path("$bindir/libmariadb/mariadb_config$opt_vs_config/mariadb_config");
++  my $tls_info= `$client_config_exe --tlsinfo`;
++  ($ENV{CLIENT_TLS_LIBRARY},$ENV{CLIENT_TLS_LIBRARY_VERSION})=
++    split(/ /, $tls_info, 2);
+   my $exe_mysqld= find_mysqld($basedir);
+   $ENV{'MYSQLD'}= $exe_mysqld;
+   my $extra_opts= join (" ", @opt_extra_mysqld_opt);
+diff --git a/mysql-test/r/openssl_6975,tlsv10.result b/mysql-test/r/openssl_6975,tlsv10.result
+index 7a4465f..202e7f4 100644
+--- a/mysql-test/r/openssl_6975,tlsv10.result
++++ b/mysql-test/r/openssl_6975,tlsv10.result
+@@ -3,11 +3,11 @@ grant select on test.* to ssl_sslv3@localhost require cipher "AES128-SHA";
+ create user ssl_tls12@localhost;
+ grant select on test.* to ssl_tls12@localhost require cipher "AES128-SHA256";
+ TLS1.2 ciphers: user is ok with any cipher
+-ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
+-ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
++ERROR 2026 (HY000): SSL connection error: sslv3 alert handshake failure
++ERROR 2026 (HY000): SSL connection error: sslv3 alert handshake failure
+ TLS1.2 ciphers: user requires SSLv3 cipher AES128-SHA
+-ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
+-ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
++ERROR 2026 (HY000): SSL connection error: sslv3 alert handshake failure
++ERROR 2026 (HY000): SSL connection error: sslv3 alert handshake failure
+ TLS1.2 ciphers: user requires TLSv1.2 cipher AES128-SHA256
+ ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
+ ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
 diff --git a/mysql-test/t/openssl_6975.test b/mysql-test/t/openssl_6975.test
-index 6cf5d82cf54..6a82d013fb6 100644
+index 49889a3..6a82d01 100644
 --- a/mysql-test/t/openssl_6975.test
 +++ b/mysql-test/t/openssl_6975.test
-@@ -19,9 +19,8 @@ let $mysql=$MYSQL --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$
- disable_abort_on_error;
- echo TLS1.2 ciphers: user is ok with any cipher;
- exec $mysql                  --ssl-cipher=AES128-SHA256;
----replace_result DHE-RSA-CHACHA20-POLY1305 DHE-RSA-AES256-GCM-SHA384
----replace_result ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384
--exec $mysql                  --ssl-cipher=TLSv1.2
-+--replace_result DHE-RSA-CHACHA20-POLY1305 DHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384
-+exec $mysql                  --ssl-cipher=TLSv1.2;
- echo TLS1.2 ciphers: user requires SSLv3 cipher AES128-SHA;
- exec $mysql --user ssl_sslv3 --ssl-cipher=AES128-SHA256;
- exec $mysql --user ssl_sslv3 --ssl-cipher=TLSv1.2;
-@@ -31,7 +30,7 @@ exec $mysql --user ssl_tls12 --ssl-cipher=TLSv1.2;
- 
- echo SSLv3 ciphers: user is ok with any cipher;
- exec $mysql                  --ssl-cipher=AES256-SHA;
--exec $mysql                  --ssl-cipher=DHE-RSA-AES256-SHA
-+exec $mysql                  --ssl-cipher=SSLv3;
- echo SSLv3 ciphers: user requires SSLv3 cipher AES128-SHA;
- exec $mysql --user ssl_sslv3 --ssl-cipher=AES128-SHA;
- exec $mysql --user ssl_sslv3 --ssl-cipher=SSLv3;
+@@ -4,6 +4,7 @@
+ # test SSLv3 and TLSv1.2 ciphers when OpenSSL is restricted to SSLv3 or TLSv1.2
+ #
+ source include/have_ssl_communication.inc;
++source include/require_openssl_client.inc;
+ 
+ # this is OpenSSL test.
+ 
+diff --git a/mysql-test/t/ssl_7937.test b/mysql-test/t/ssl_7937.test
+index d593b9d..a764579 100644
+--- a/mysql-test/t/ssl_7937.test
++++ b/mysql-test/t/ssl_7937.test
+@@ -26,6 +26,7 @@ create procedure have_ssl()
+ # we fake the test result for yassl
+ let yassl=`select variable_value='Unknown' from information_schema.session_status where variable_name='Ssl_session_cache_mode'`;
+ if (!$yassl) {
++  --replace_result "self signed certificate in certificate chain" "Failed to verify the server certificate" "Error in the certificate." "Failed to verify the server certificate"
+   --exec $MYSQL --ssl --ssl-verify-server-cert -e "call test.have_ssl()" 2>&1
+ }
+ if ($yassl) {
 diff --git a/mysql-test/t/ssl_8k_key.test b/mysql-test/t/ssl_8k_key.test
-index 470d577edb8..9d5b382726e 100644
+index 27cffdc..9d5b382 100644
 --- a/mysql-test/t/ssl_8k_key.test
 +++ b/mysql-test/t/ssl_8k_key.test
-@@ -1,6 +1,5 @@
+@@ -1,5 +1,5 @@
 -# This test should work in embedded server after we fix mysqltest
---- source include/require_openssl_client.inc
 --- source include/not_embedded.inc
 +# schannel does not support keys longer than 4k
 +-- source include/not_windows.inc
@@ -1176,7 +219,7 @@ index 470d577edb8..9d5b382726e 100644
  -- source include/have_ssl_communication.inc
  #
 diff --git a/mysys_ssl/CMakeLists.txt b/mysys_ssl/CMakeLists.txt
-index 4f6f7458c5b..f8a767ed6f3 100644
+index 4f6f745..f8a767e 100644
 --- a/mysys_ssl/CMakeLists.txt
 +++ b/mysys_ssl/CMakeLists.txt
 @@ -28,6 +28,7 @@ SET(MYSYS_SSL_HIDDEN_SOURCES
@@ -1188,7 +231,7 @@ index 4f6f7458c5b..f8a767ed6f3 100644
  
  SET(MYSYS_SSL_SOURCES
 diff --git a/mysys_ssl/my_crypt.cc b/mysys_ssl/my_crypt.cc
-index 0ff49a2c427..ed1c82dbac6 100644
+index a0937a8..ed1c82d 100644
 --- a/mysys_ssl/my_crypt.cc
 +++ b/mysys_ssl/my_crypt.cc
 @@ -1,6 +1,6 @@
@@ -1199,7 +242,12 @@ index 0ff49a2c427..ed1c82dbac6 100644
  
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
-@@ -21,30 +21,31 @@
+@@ -17,52 +17,60 @@
+ 
+ #include <my_global.h>
+ #include <string.h>
+-#include <my_crypt.h>
+ 
  #ifdef HAVE_YASSL
  #include "yassl.cc"
  #else
@@ -1207,29 +255,24 @@ index 0ff49a2c427..ed1c82dbac6 100644
  #include <openssl/evp.h>
  #include <openssl/aes.h>
  #include <openssl/err.h>
- #include <openssl/rand.h>
 -
+-#ifdef HAVE_ERR_remove_thread_state
+-#define ERR_remove_state(X) ERR_remove_thread_state(NULL)
++#include <openssl/rand.h>
  #endif
--#include <my_crypt.h>
  
--#define MY_CIPHER_CTX_SIZE 384
+-#endif
 +#include <my_crypt.h>
 +#include <ssl_compat.h>
  
  class MyCTX
  {
  public:
+-  EVP_CIPHER_CTX ctx;
+-  MyCTX() { EVP_CIPHER_CTX_init(&ctx); }
+-  virtual ~MyCTX() { EVP_CIPHER_CTX_cleanup(&ctx); ERR_remove_state(0); }
 +  char ctx_buf[EVP_CIPHER_CTX_SIZE];
-   EVP_CIPHER_CTX *ctx;
--  const uchar *key;
--  unsigned int klen;
--  MyCTX() {
--            ctx= EVP_CIPHER_CTX_new();
--          }
--  virtual ~MyCTX() {
--                     EVP_CIPHER_CTX_free(ctx);
--                     ERR_remove_state(0);
--                    }
++  EVP_CIPHER_CTX *ctx;
 +
 +  MyCTX()
 +  {
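Review bot: The new `char ctx_buf[EVP_CIPHER_CTX_SIZE];` member of MyCTX only guarantees byte alignment, yet next to it sits `EVP_CIPHER_CTX *ctx;`, which together with the fixed EVP_CIPHER_CTX_SIZE constant suggests the constructor (its body is outside this hunk) points ctx at that array so OpenSSL 1.1's otherwise heap-only context lives inline. If so, the library's pointer-sized fields are only correctly aligned because the array happens to follow the vptr; making the storage explicitly aligned removes that accident, e.g. `union { char ctx_buf[EVP_CIPHER_CTX_SIZE]; void *align_; };`. The member also deserves a comment naming where the run-time check that the linked library's real context size fits in EVP_CIPHER_CTX_SIZE lives (the commit message places it in openssl.c, not visible here), because a mismatch is a silent overwrite of whatever follows ctx_buf rather than a compile error.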
@@ -1244,58 +287,74 @@ index 0ff49a2c427..ed1c82dbac6 100644
  
    virtual int init(const EVP_CIPHER *cipher, int encrypt, const uchar *key,
                     uint klen, const uchar *iv, uint ivlen)
-@@ -78,9 +79,12 @@ class MyCTX
- class MyCTX_nopad : public MyCTX
+   {
++    compile_time_assert(MY_AES_CTX_SIZE >= sizeof(MyCTX));
+     if (unlikely(!cipher))
+       return MY_AES_BAD_KEYSIZE;
+ 
+-    if (!EVP_CipherInit_ex(&ctx, cipher, NULL, key, iv, encrypt))
++    if (!EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, encrypt))
+       return MY_AES_OPENSSL_ERROR;
+ 
+-    DBUG_ASSERT(EVP_CIPHER_CTX_key_length(&ctx) == (int)klen);
+-    DBUG_ASSERT(EVP_CIPHER_CTX_iv_length(&ctx) <= (int)ivlen);
++    DBUG_ASSERT(EVP_CIPHER_CTX_key_length(ctx) == (int)klen);
++    DBUG_ASSERT(EVP_CIPHER_CTX_iv_length(ctx) <= (int)ivlen);
+ 
+     return MY_AES_OK;
+   }
+   virtual int update(const uchar *src, uint slen, uchar *dst, uint *dlen)
+   {
+-    if (!EVP_CipherUpdate(&ctx, dst, (int*)dlen, src, slen))
++    if (!EVP_CipherUpdate(ctx, dst, (int*)dlen, src, slen))
+       return MY_AES_OPENSSL_ERROR;
+     return MY_AES_OK;
+   }
+   virtual int finish(uchar *dst, uint *dlen)
+   {
+-    if (!EVP_CipherFinal_ex(&ctx, dst, (int*)dlen))
++    if (!EVP_CipherFinal_ex(ctx, dst, (int*)dlen))
+       return MY_AES_BAD_DATA;
+     return MY_AES_OK;
+   }
+@@ -72,7 +80,8 @@ class MyCTX_nopad : public MyCTX
  {
  public:
-+  const uchar *key;
+   const uchar *key;
+-  int klen;
 +  uint klen, buf_len;
 +  uchar oiv[MY_AES_BLOCK_SIZE];
-+
+ 
    MyCTX_nopad() : MyCTX() { }
    ~MyCTX_nopad() { }
--  unsigned int buf_len;
- 
-   int init(const EVP_CIPHER *cipher, int encrypt, const uchar *key, uint klen,
-            const uchar *iv, uint ivlen)
-@@ -89,19 +93,8 @@ class MyCTX_nopad : public MyCTX
+@@ -83,32 +92,48 @@ class MyCTX_nopad : public MyCTX
+     compile_time_assert(MY_AES_CTX_SIZE >= sizeof(MyCTX_nopad));
      this->key= key;
      this->klen= klen;
-     this->buf_len= 0;
--    /* FIX-ME:
--       For the sake of backward compatibility we do some strange hack here:
--       Since ECB doesn't need an IV (and therefore is considered kind of
--       insecure) we need to store the specified iv.
--       The last nonpadding block will be encrypted with an additional
--       expensive crypt_call in ctr mode instead
--       of encrypting the entire plain text in ctr-mode */
--#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
--    const unsigned char *oiv= EVP_CIPHER_CTX_original_iv(ctx);
--#else
--    const unsigned char *oiv= ctx->oiv;
--#endif
--    memcpy((char *)oiv, iv, ivlen);
++    this->buf_len= 0;
 +    memcpy(oiv, iv, ivlen);
 +    DBUG_ASSERT(ivlen == 0 || ivlen == sizeof(oiv));
- 
++
      int res= MyCTX::init(cipher, encrypt, key, klen, iv, ivlen);
- 
-@@ -111,34 +104,30 @@ class MyCTX_nopad : public MyCTX
- 
-   int update(const uchar *src, uint slen, uchar *dst, uint *dlen)
-   {
--    buf_len= slen % MY_AES_BLOCK_SIZE;
-+    buf_len+= slen;
-     return MyCTX::update(src, slen, dst, dlen);
+-    memcpy(ctx.oiv, iv, ivlen); // in ECB mode OpenSSL doesn't do that itself
+-    EVP_CIPHER_CTX_set_padding(&ctx, 0);
++
++    EVP_CIPHER_CTX_set_padding(ctx, 0);
+     return res;
    }
  
++  int update(const uchar *src, uint slen, uchar *dst, uint *dlen)
++  {
++    buf_len+= slen;
++    return MyCTX::update(src, slen, dst, dlen);
++  }
++
    int finish(uchar *dst, uint *dlen)
    {
+-    if (ctx.buf_len)
 +    buf_len %= MY_AES_BLOCK_SIZE;
-     if (buf_len)
++    if (buf_len)
      {
--      const uchar *org_iv;
--      unsigned char *buf;
 +      uchar *buf= EVP_CIPHER_CTX_buf_noconst(ctx);
        /*
          Not much we can do, block ciphers cannot encrypt data that aren't
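Review bot: In MyCTX_nopad::init the new `memcpy(oiv, iv, ivlen);` copies ivlen caller-supplied bytes into the 16-byte `oiv[MY_AES_BLOCK_SIZE]` member, and the only bound on ivlen is the `DBUG_ASSERT(ivlen == 0 || ivlen == sizeof(oiv));` that follows, which is compiled out of release builds and in any case runs after the copy has already happened. An oversized ivlen therefore overwrites whatever follows oiv in the caller-provided context buffer, and when ivlen is 0 oiv stays uninitialized even though finish() later feeds it to AES-ECB to derive the mask for a trailing partial block. Check and zero before copying: `if (ivlen > sizeof(oiv)) return MY_AES_BAD_DATA;` then `memset(oiv, 0, sizeof(oiv)); memcpy(oiv, iv, ivlen);` (a dedicated bad-IV code would read better than MY_AES_BAD_DATA if the API has one). The init signature and the first lines of the function are outside this hunk.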
@@ -1309,90 +368,77 @@ index 0ff49a2c427..ed1c82dbac6 100644
        uchar mask[MY_AES_BLOCK_SIZE];
        uint mlen;
  
--#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
--      org_iv= EVP_CIPHER_CTX_original_iv(ctx);
--      buf= EVP_CIPHER_CTX_buf_noconst(ctx);
--#else
--      org_iv= ctx->oiv;
--      buf= ctx->buf;
--#endif
--
        my_aes_crypt(MY_AES_ECB, ENCRYPTION_FLAG_ENCRYPT | ENCRYPTION_FLAG_NOPAD,
--                   org_iv, sizeof(mask), mask, &mlen, key, klen, 0, 0);
+-                   ctx.oiv, sizeof(mask), mask, &mlen, key, klen, 0, 0);
 +                   oiv, sizeof(mask), mask, &mlen, key, klen, 0, 0);
        DBUG_ASSERT(mlen == sizeof(mask));
  
-       for (uint i=0; i < buf_len; i++)
-@@ -178,9 +167,8 @@ make_aes_dispatcher(gcm)
- class MyCTX_gcm : public MyCTX
- {
- public:
--  const uchar *aad= NULL;
-+  const uchar *aad;
-   int aadlen;
--  my_bool encrypt;
-   MyCTX_gcm() : MyCTX() { }
-   ~MyCTX_gcm() { }
- 
-@@ -192,7 +180,6 @@ class MyCTX_gcm : public MyCTX
-     int real_ivlen= EVP_CIPHER_CTX_iv_length(ctx);
+-      for (int i=0; i < ctx.buf_len; i++)
+-        dst[i]= ctx.buf[i] ^ mask[i];
++      for (uint i=0; i < buf_len; i++)
++        dst[i]= buf[i] ^ mask[i];
+     }
+-    *dlen= ctx.buf_len;
++    *dlen= buf_len;
+     return MY_AES_OK;
+   }
+ };
+@@ -152,7 +177,7 @@ class MyCTX_gcm : public MyCTX
+   {
+     compile_time_assert(MY_AES_CTX_SIZE >= sizeof(MyCTX_gcm));
+     int res= MyCTX::init(cipher, encrypt, key, klen, iv, ivlen);
+-    int real_ivlen= EVP_CIPHER_CTX_iv_length(&ctx);
++    int real_ivlen= EVP_CIPHER_CTX_iv_length(ctx);
      aad= iv + real_ivlen;
      aadlen= ivlen - real_ivlen;
--    this->encrypt= encrypt;
      return res;
-   }
- 
-@@ -204,14 +191,14 @@ class MyCTX_gcm : public MyCTX
+@@ -166,15 +191,15 @@ class MyCTX_gcm : public MyCTX
        before decrypting the data. it can encrypt data piecewise, like, first
        half, then the second half, but it must decrypt all at once
      */
--    if (!this->encrypt)
+-    if (!ctx.encrypt)
 +    if (!EVP_CIPHER_CTX_encrypting(ctx))
      {
        slen-= MY_AES_BLOCK_SIZE;
-       if(!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, MY_AES_BLOCK_SIZE,
+-      if(!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_TAG, MY_AES_BLOCK_SIZE,
++      if(!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, MY_AES_BLOCK_SIZE,
                                (void*)(src + slen)))
          return MY_AES_OPENSSL_ERROR;
      }
--    int unused= 0;
-+    int unused;
-     if (aadlen && !EVP_CipherUpdate(ctx, NULL, &unused, aad, aadlen))
+     int unused;
+-    if (aadlen && !EVP_CipherUpdate(&ctx, NULL, &unused, aad, aadlen))
++    if (aadlen && !EVP_CipherUpdate(ctx, NULL, &unused, aad, aadlen))
        return MY_AES_OPENSSL_ERROR;
      aadlen= 0;
-@@ -220,12 +207,12 @@ class MyCTX_gcm : public MyCTX
- 
+     return MyCTX::update(src, slen, dst, dlen);
+@@ -183,13 +208,13 @@ class MyCTX_gcm : public MyCTX
    int finish(uchar *dst, uint *dlen)
    {
--    int fin= 0;
-+    int fin;
-     if (!EVP_CipherFinal_ex(ctx, dst, &fin))
+     int fin;
+-    if (!EVP_CipherFinal_ex(&ctx, dst, &fin))
++    if (!EVP_CipherFinal_ex(ctx, dst, &fin))
        return MY_AES_BAD_DATA;
      DBUG_ASSERT(fin == 0);
  
--    if (this->encrypt)
+-    if (ctx.encrypt)
 +    if (EVP_CIPHER_CTX_encrypting(ctx))
      {
-       if(!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, MY_AES_BLOCK_SIZE, dst))
+-      if(!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_GET_TAG, MY_AES_BLOCK_SIZE, dst))
++      if(!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, MY_AES_BLOCK_SIZE, dst))
          return MY_AES_OPENSSL_ERROR;
-@@ -295,20 +282,15 @@ int my_aes_crypt(enum my_aes_mode mode, int flags,
+       *dlen= MY_AES_BLOCK_SIZE;
+     }
+@@ -257,12 +282,15 @@ int my_aes_crypt(enum my_aes_mode mode, int flags,
  {
    void *ctx= alloca(MY_AES_CTX_SIZE);
    int res1, res2;
--  uint d1= 0, d2= 0;
+-  uint d1, d2;
 +  uint d1= 0, d2;
    if ((res1= my_aes_crypt_init(ctx, mode, flags, key, klen, iv, ivlen)))
      return res1;
    res1= my_aes_crypt_update(ctx, src, slen, dst, &d1);
    res2= my_aes_crypt_finish(ctx, dst + d1, &d2);
 -  *dlen= d1 + d2;
--  /* in case of failure clear error queue */
--#ifndef HAVE_YASSL
--  /* since we don't check the crypto error messages we need to
--     clear the error queue - otherwise subsequent crypto or tls/ssl
--     calls will fail */
--  if (!*dlen)
--    ERR_clear_error();
--#endif
 +  if (res1 || res2)
 +    ERR_remove_state(0); /* in case of failure clear error queue */
 +  else
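Review bot: In MyCTX_gcm::update the decrypt branch does `slen-= MY_AES_BLOCK_SIZE;` and then reads the tag from `src + slen` without first checking that slen is at least MY_AES_BLOCK_SIZE; slen is an unsigned int, so unless every caller guarantees a tag-sized minimum a short ciphertext wraps it to ~4 GB, the tag pointer lands outside src and MyCTX::update is handed the wrapped length. Guard before the subtraction: `if (slen < MY_AES_BLOCK_SIZE) return MY_AES_BAD_DATA;`. Earlier in the same hunk the tail of MyCTX_nopad::finish ignores the return value of the `my_aes_crypt(MY_AES_ECB, ...)` call that derives `mask`; if that call fails, mask is uninitialized stack that gets XORed into dst, so it should be `if (my_aes_crypt(...) != MY_AES_OK) return MY_AES_OPENSSL_ERROR;` rather than relying on the DBUG_ASSERT on mlen. Both MyCTX_gcm::update and MyCTX_nopad::finish begin outside this hunk.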
@@ -1400,7 +446,11 @@ index 0ff49a2c427..ed1c82dbac6 100644
    return res1 ? res1 : res2;
  }
  
-@@ -350,12 +332,6 @@ int my_random_bytes(uchar* buf, int num)
+@@ -301,17 +329,10 @@ int my_random_bytes(uchar* buf, int num)
+   return MY_AES_OK;
+ }
+ #else
+-#include <openssl/rand.h>
  
  int my_random_bytes(uchar *buf, int num)
  {
@@ -1410,11 +460,13 @@ index 0ff49a2c427..ed1c82dbac6 100644
 -    instead of whatever random engine is currently set in OpenSSL. That way
 -    we are guaranteed to have a non-blocking random.
 -  */
-   RAND_METHOD *rand = RAND_OpenSSL();
+-  RAND_METHOD *rand = RAND_SSLeay();
++  RAND_METHOD *rand = RAND_OpenSSL();
    if (rand == NULL || rand->bytes(buf, num) != 1)
      return MY_AES_OPENSSL_ERROR;
+   return MY_AES_OK;
 diff --git a/mysys_ssl/my_md5.cc b/mysys_ssl/my_md5.cc
-index 02c01dd7148..0105082b7e1 100644
+index 7139ea9..0105082 100644
 --- a/mysys_ssl/my_md5.cc
 +++ b/mysys_ssl/my_md5.cc
 @@ -1,5 +1,5 @@
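Review bot: my_random_bytes loses the only explanation of why it calls the built-in RAND method directly instead of RAND_bytes(): the comment removed in this hunk said it bypasses whatever RAND engine is currently installed so the call is guaranteed non-blocking, and without it the next reader will "simplify" the `RAND_METHOD *rand = RAND_OpenSSL();` line to RAND_bytes(). Restore the rationale above the call, e.g. `/* Use OpenSSL's built-in RAND method directly, not RAND_bytes(): it is independent of any RAND engine installed in the process, which could block or be swapped out. */`. The `rand == NULL || rand->bytes(buf, num) != 1` check is the right one, since the method reports success only as 1; keeping the comment is what makes the deliberate bypass of the engine layer survive the next OpenSSL migration.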
@@ -1424,12 +476,8 @@ index 02c01dd7148..0105082b7e1 100644
  
     This program is free software; you can redistribute it and/or modify
     it under the terms of the GNU General Public License as published by
-@@ -27,50 +27,34 @@
- #include <my_md5.h>
- #include <stdarg.h>
+@@ -29,38 +29,31 @@
  
--#define MA_HASH_CTX_SIZE 512
--
  #if defined(HAVE_YASSL)
  #include "md5.hpp"
 +#include <ssl_compat.h>
@@ -1466,24 +514,16 @@ index 02c01dd7148..0105082b7e1 100644
  }
  
  #elif defined(HAVE_OPENSSL)
--
--
  #include <openssl/evp.h>
+-typedef EVP_MD_CTX MD5_CONTEXT;
 +#include <ssl_compat.h>
  
--#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
--#define EVP_MD_CTX_reset(X) EVP_MD_CTX_cleanup(X)
--#endif
--typedef EVP_MD_CTX MD5_CONTEXT;
--
 -static void md5_init(MD5_CONTEXT *context)
 +static void md5_init(EVP_MD_CTX *context)
  {
--  memset(context, 0, my_md5_context_size());
    EVP_MD_CTX_init(context);
  #ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
-   /* Ok to ignore FIPS: MD5 is not used for crypto here */
-@@ -79,20 +63,15 @@ static void md5_init(MD5_CONTEXT *context)
+@@ -70,17 +63,12 @@ static void md5_init(MD5_CONTEXT *context)
    EVP_DigestInit_ex(context, EVP_md5(), NULL);
  }
  
@@ -1502,23 +542,16 @@ index 02c01dd7148..0105082b7e1 100644
 +static void md5_result(EVP_MD_CTX *context, uchar digest[MD5_HASH_SIZE])
  {
    EVP_DigestFinal_ex(context, digest, NULL);
--  EVP_MD_CTX_reset(context);
-+  EVP_MD_CTX_cleanup(context);
- }
- 
- #endif /* HAVE_YASSL */
-@@ -108,26 +87,23 @@ static void md5_result(MD5_CONTEXT *context, uchar digest[MD5_HASH_SIZE])
+   EVP_MD_CTX_cleanup(context);
+@@ -99,58 +87,58 @@ static void md5_result(MD5_CONTEXT *context, uchar digest[MD5_HASH_SIZE])
  */
  void my_md5(uchar *digest, const char *buf, size_t len)
  {
--#ifdef HAVE_YASSL
 -  MD5_CONTEXT md5_context;
--#else
--  unsigned char md5_context[MA_HASH_CTX_SIZE];
--#endif
--  md5_init_fast((MD5_CONTEXT *)&md5_context);
--  md5_input((MD5_CONTEXT *)&md5_context, (const uchar *)buf, len);
--  md5_result((MD5_CONTEXT *)&md5_context, digest);
+-
+-  md5_init_fast(&md5_context);
+-  md5_input(&md5_context, (const uchar *)buf, len);
+-  md5_result(&md5_context, digest);
 +  char ctx_buf[EVP_MD_CTX_SIZE];
 +  EVP_MD_CTX * const ctx= (EVP_MD_CTX*)ctx_buf;
 +  md5_init(ctx);
@@ -1542,33 +575,31 @@ index 02c01dd7148..0105082b7e1 100644
  
    @return              void
  */
-@@ -135,37 +111,34 @@ void my_md5_multi(uchar *digest, ...)
+ void my_md5_multi(uchar *digest, ...)
  {
    va_list args;
-   const uchar *str;
--#ifdef HAVE_YASSL
+-  va_start(args, digest);
+-
 -  MD5_CONTEXT md5_context;
--#else
--  unsigned char md5_context[MA_HASH_CTX_SIZE];
--#endif
+   const uchar *str;
 +  char ctx_buf[EVP_MD_CTX_SIZE];
 +  EVP_MD_CTX * const ctx= (EVP_MD_CTX*)ctx_buf;
-   va_start(args, digest);
++  va_start(args, digest);
  
--  md5_init_fast((MD5_CONTEXT *)&md5_context);
+-  md5_init_fast(&md5_context);
 +  md5_init(ctx);
    for (str= va_arg(args, const uchar*); str; str= va_arg(args, const uchar*))
--    md5_input((MD5_CONTEXT *)&md5_context, str, va_arg(args, size_t));
+-    md5_input(&md5_context, str, va_arg(args, size_t));
 +    md5_input(ctx, str, va_arg(args, size_t));
  
--  md5_result((MD5_CONTEXT *)&md5_context, digest);
+-  md5_result(&md5_context, digest);
 +  md5_result(ctx, digest);
    va_end(args);
  }
  
  size_t my_md5_context_size()
  {
--  return MA_HASH_CTX_SIZE;
+-  return sizeof(MD5_CONTEXT);
 +  return EVP_MD_CTX_SIZE;
  }
  
@@ -1591,7 +622,7 @@ index 02c01dd7148..0105082b7e1 100644
  }
 diff --git a/mysys_ssl/openssl.c b/mysys_ssl/openssl.c
 new file mode 100644
-index 00000000000..a3f1ca29ec1
+index 0000000..a3f1ca2
 --- /dev/null
 +++ b/mysys_ssl/openssl.c
 @@ -0,0 +1,71 @@
@@ -1667,18 +698,10 @@ index 00000000000..a3f1ca29ec1
 +}
 +#endif
 diff --git a/mysys_ssl/yassl.cc b/mysys_ssl/yassl.cc
-index 9e6f90d8d77..aa5631f2ab8 100644
+index 9717870..aa5631f 100644
 --- a/mysys_ssl/yassl.cc
 +++ b/mysys_ssl/yassl.cc
-@@ -24,7 +24,6 @@
- 
- #include <openssl/ssl.h>
- #include "aes.hpp"
--#include <my_sys.h>
- 
- using yaSSL::yaERR_remove_state;
- 
-@@ -45,7 +44,6 @@ typedef struct
+@@ -44,7 +44,6 @@ typedef struct
    int buf_len;
    int final_used;
    uchar tao_buf[sizeof(TaoCrypt::AES)];   // TaoCrypt::AES object
@@ -1686,34 +709,7 @@ index 9e6f90d8d77..aa5631f2ab8 100644
    uchar buf[TaoCrypt::AES::BLOCK_SIZE];   // last partial input block
    uchar final[TaoCrypt::AES::BLOCK_SIZE]; // last decrypted (output) block
  } EVP_CIPHER_CTX;
-@@ -76,26 +74,12 @@ static void EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *ctx)
-   ctx->final_used= ctx->buf_len= ctx->flags= 0;
- }
- 
--static EVP_CIPHER_CTX *EVP_CIPHER_CTX_new()
--{
--  EVP_CIPHER_CTX *ctx= (EVP_CIPHER_CTX *)my_malloc(sizeof(EVP_CIPHER_CTX), MYF(0));
--  if (ctx)
--    EVP_CIPHER_CTX_init(ctx);
--  return ctx;
--}
--
- static int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *ctx)
- {
-   TAO(ctx)->~AES();
-   return 1;
- }
- 
--static void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx)
--{
--  EVP_CIPHER_CTX_cleanup(ctx);
--  my_free(ctx);
--}
--
- static int EVP_CIPHER_CTX_set_padding(EVP_CIPHER_CTX *ctx, int pad)
- {
-   if (pad)
-@@ -112,10 +96,7 @@ static int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
+@@ -97,10 +96,7 @@ static int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
                                         : TaoCrypt::DECRYPTION, cipher->mode);
    TAO(ctx)->SetKey(key, cipher->key_len);
    if (iv)
@@ -1725,23 +721,18 @@ index 9e6f90d8d77..aa5631f2ab8 100644
    ctx->key_len= cipher->key_len;
    ctx->flags|= cipher->mode == TaoCrypt::CBC ? EVP_CIPH_CBC_MODE : EVP_CIPH_ECB_MODE;
 diff --git a/sql-common/client.c b/sql-common/client.c
-index d881080b55a..eb2899410d4 100644
+index b7796ce..2518f66 100644
 --- a/sql-common/client.c
 +++ b/sql-common/client.c
-@@ -104,11 +104,8 @@ my_bool	net_flush(NET *net);
- #define CONNECT_TIMEOUT 0
+@@ -105,6 +105,7 @@ my_bool	net_flush(NET *net);
  #endif
  
--#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) || defined(HAVE_YASSL)
--#define ASN1_STRING_get0_data(X) ASN1_STRING_data(X)
--#endif
--
  #include "client_settings.h"
 +#include <ssl_compat.h>
  #include <sql_common.h>
  #include <mysql/client_plugin.h>
  #include <my_context.h>
-@@ -1772,9 +1769,8 @@ mysql_get_ssl_cipher(MYSQL *mysql __attribute__((unused)))
+@@ -1769,9 +1770,8 @@ mysql_get_ssl_cipher(MYSQL *mysql __attribute__((unused)))
  
  #if defined(HAVE_OPENSSL)
  
@@ -1752,27 +743,20 @@ index d881080b55a..eb2899410d4 100644
  #endif
  
  static int ssl_verify_server_cert(Vio *vio, const char* server_hostname, const char **errptr)
+@@ -1843,7 +1843,7 @@ static int ssl_verify_server_cert(Vio *vio, const char* server_hostname, const c
+     goto error;
+   }
+ 
+-  cn= (char *) ASN1_STRING_data(cn_asn1);
++  cn= (char *) ASN1_STRING_get0_data(cn_asn1);
+ 
+   if ((size_t)ASN1_STRING_length(cn_asn1) != strlen(cn))
+   {
 diff --git a/sql/mysqld.cc b/sql/mysqld.cc
-index d6a7c6b4931..904695d8742 100644
+index 3af8750..cc64205 100644
 --- a/sql/mysqld.cc
 +++ b/sql/mysqld.cc
-@@ -111,7 +111,6 @@
- #endif
- 
- #include <my_systemd.h>
--#include <my_crypt.h>
- 
- #define mysqld_charset &my_charset_latin1
- 
-@@ -121,7 +120,6 @@
- #define HAVE_CLOSE_SERVER_SOCK 1
- #endif
- 
--
- extern "C" {					// Because of SCO 3.2V4.2
- #include <sys/stat.h>
- #ifndef __GNU_LIBRARY__
-@@ -339,9 +337,13 @@ static PSI_thread_key key_thread_handle_con_sockets;
+@@ -338,9 +338,13 @@ static PSI_thread_key key_thread_handle_con_sockets;
  static PSI_thread_key key_thread_handle_shutdown;
  #endif /* __WIN__ */
  
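Review bot: The cast in `cn= (char *) ASN1_STRING_get0_data(cn_asn1);` discards the const of the `const unsigned char *` that ASN1_STRING_get0_data returns; on OpenSSL 1.1 that buffer belongs to the certificate and must not be written through, so `cn` should be `const char *` if its declaration (outside the hunk) allows it. The fallback `#define ASN1_STRING_get0_data(X) ASN1_STRING_data(X)` that the previous hunk removes from client.c is now expected to come from the newly included ssl_compat.h for OpenSSL before 1.1, LibreSSL and YaSSL; that header is not part of this diff, so confirm it still supplies the macro for all three backends. The `(size_t)ASN1_STRING_length(cn_asn1) != strlen(cn)` comparison that follows is the embedded-NUL defence and has to stay paired with the get0 call. ssl_verify_server_cert starts and ends outside the hunk.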
@@ -1787,7 +771,7 @@ index d6a7c6b4931..904695d8742 100644
  #endif /* HAVE_PSI_INTERFACE */
  
  #ifdef HAVE_NPTL
-@@ -987,7 +989,7 @@ PSI_rwlock_key key_rwlock_LOCK_grant, key_rwlock_LOCK_logger,
+@@ -987,7 +991,7 @@ PSI_rwlock_key key_rwlock_LOCK_grant, key_rwlock_LOCK_logger,
  
  static PSI_rwlock_info all_server_rwlocks[]=
  {
@@ -1796,44 +780,39 @@ index d6a7c6b4931..904695d8742 100644
    { &key_rwlock_openssl, "CRYPTO_dynlock_value::lock", 0},
  #endif
    { &key_rwlock_LOCK_grant, "LOCK_grant", PSI_FLAG_GLOBAL},
-@@ -1457,9 +1459,7 @@ scheduler_functions *thread_scheduler= &thread_scheduler_struct,
+@@ -1457,7 +1461,7 @@ scheduler_functions *thread_scheduler= &thread_scheduler_struct,
  
  #ifdef HAVE_OPENSSL
  #include <openssl/crypto.h>
 -#ifndef HAVE_YASSL
--
--#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 +#ifdef HAVE_OPENSSL10
  typedef struct CRYPTO_dynlock_value
  {
    mysql_rwlock_t lock;
-@@ -1470,8 +1470,7 @@ static openssl_lock_t *openssl_dynlock_create(const char *, int);
+@@ -1468,7 +1472,7 @@ static openssl_lock_t *openssl_dynlock_create(const char *, int);
  static void openssl_dynlock_destroy(openssl_lock_t *, const char *, int);
  static void openssl_lock_function(int, int, const char *, int);
  static void openssl_lock(int, openssl_lock_t *, const char *, int);
 -#endif
--#endif
 +#endif /* HAVE_OPENSSL10 */
  char *des_key_file;
  #ifndef EMBEDDED_LIBRARY
  struct st_VioSSLFd *ssl_acceptor_fd;
-@@ -2247,13 +2246,11 @@ static void clean_up_mutexes()
+@@ -2244,11 +2248,11 @@ static void clean_up_mutexes()
    mysql_mutex_destroy(&LOCK_global_index_stats);
  #ifdef HAVE_OPENSSL
    mysql_mutex_destroy(&LOCK_des_key_file);
 -#ifndef HAVE_YASSL
--#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 +#ifdef HAVE_OPENSSL10
    for (int i= 0; i < CRYPTO_num_locks(); ++i)
      mysql_rwlock_destroy(&openssl_stdlocks[i].lock);
    OPENSSL_free(openssl_stdlocks);
--#endif
 -#endif /* HAVE_YASSL */
 +#endif /* HAVE_OPENSSL10 */
  #endif /* HAVE_OPENSSL */
  #ifdef HAVE_REPLICATION
    mysql_mutex_destroy(&LOCK_rpl_status);
-@@ -4055,6 +4052,14 @@ static int init_common_variables()
+@@ -4057,6 +4061,14 @@ static int init_common_variables()
      return 1;
    }
  
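Review bot: The OpenSSL locking-callback setup in mysqld.cc is now gated solely on `#ifdef HAVE_OPENSSL10`, whereas the removed condition also covered `defined(LIBRESSL_VERSION_NUMBER)`; if ssl_compat.h (not in this diff) does not define HAVE_OPENSSL10 for LibreSSL, the dynlock and locking callbacks are silently never installed there and concurrent TLS use becomes a data race. The same gate is reused in the next hunk for init_thread_environment and the openssl_dynlock_* definitions, so a single wrong macro affects registration, cleanup and the callback bodies together. Making the assumption explicit at the first `#ifdef HAVE_OPENSSL10`, e.g. `#if defined(LIBRESSL_VERSION_NUMBER) && !defined(HAVE_OPENSSL10)` followed by `#error "LibreSSL needs the OpenSSL 1.0 locking callbacks"`, would turn a silent misconfiguration into a build failure. clean_up_mutexes and the surrounding declarations extend beyond this hunk.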
@@ -1848,62 +827,47 @@ index d6a7c6b4931..904695d8742 100644
    if (init_thread_environment() ||
        mysql_init_variables())
      return 1;
-@@ -4601,8 +4606,7 @@ static int init_thread_environment()
+@@ -4603,7 +4615,7 @@ static int init_thread_environment()
  #ifdef HAVE_OPENSSL
    mysql_mutex_init(key_LOCK_des_key_file,
                     &LOCK_des_key_file, MY_MUTEX_INIT_FAST);
 -#ifndef HAVE_YASSL
--#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 +#ifdef HAVE_OPENSSL10
    openssl_stdlocks= (openssl_lock_t*) OPENSSL_malloc(CRYPTO_num_locks() *
                                                       sizeof(openssl_lock_t));
    for (int i= 0; i < CRYPTO_num_locks(); ++i)
-@@ -4611,9 +4615,8 @@ static int init_thread_environment()
+@@ -4612,8 +4624,8 @@ static int init_thread_environment()
    CRYPTO_set_dynlock_destroy_callback(openssl_dynlock_destroy);
    CRYPTO_set_dynlock_lock_callback(openssl_lock);
    CRYPTO_set_locking_callback(openssl_lock_function);
 -#endif
 -#endif
--#endif
 +#endif /* HAVE_OPENSSL10 */
 +#endif /* HAVE_OPENSSL */
    mysql_rwlock_init(key_rwlock_LOCK_sys_init_connect, &LOCK_sys_init_connect);
    mysql_rwlock_init(key_rwlock_LOCK_sys_init_slave, &LOCK_sys_init_slave);
    mysql_rwlock_init(key_rwlock_LOCK_grant, &LOCK_grant);
-@@ -4646,8 +4649,7 @@ static int init_thread_environment()
+@@ -4646,7 +4658,7 @@ static int init_thread_environment()
  }
  
  
 -#if defined(HAVE_OPENSSL) && !defined(HAVE_YASSL)
--#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 +#ifdef HAVE_OPENSSL10
  static openssl_lock_t *openssl_dynlock_create(const char *file, int line)
  {
    openssl_lock_t *lock= new openssl_lock_t;
-@@ -4707,9 +4709,7 @@ static void openssl_lock(int mode, openssl_lock_t *lock, const char *file,
+@@ -4706,8 +4718,7 @@ static void openssl_lock(int mode, openssl_lock_t *lock, const char *file,
      abort();
    }
  }
--#endif
 -#endif /* HAVE_OPENSSL */
 -
 +#endif /* HAVE_OPENSSL10 */
  
  static void init_ssl()
  {
-@@ -4737,9 +4737,8 @@ static void init_ssl()
-       while ((err= ERR_get_error()))
-         sql_print_warning("SSL error: %s", ERR_error_string(err, NULL));
-     }
--    else {
-+    else
-       ERR_remove_state(0);
--    }
-   }
-   else
-   {
 diff --git a/sql/slave.cc b/sql/slave.cc
-index 636965c4619..6882156564c 100644
+index db1c330..aec5143 100644
 --- a/sql/slave.cc
 +++ b/sql/slave.cc
 @@ -40,6 +40,7 @@
@@ -1914,49 +878,36 @@ index 636965c4619..6882156564c 100644
  #include <mysqld_error.h>
  #include <mysys_err.h>
  #include "rpl_handler.h"
-@@ -60,12 +61,6 @@
+@@ -60,7 +61,6 @@
  #include "debug_sync.h"
  #include "rpl_parallel.h"
  
--#if OPENSSL_VERSION_NUMBER >= 0x10100000L
--#define ERR_remove_state(X)
--#elif defined(HAVE_ERR_remove_thread_state)
--#define ERR_remove_state(X) ERR_remove_thread_state(NULL)
--#endif
 -
  #define FLAGSTR(V,F) ((V)&(F)?#F" ":"")
  
  #define MAX_SLAVE_RETRY_PAUSE 5
-@@ -4509,13 +4504,7 @@ log space");
+@@ -4507,9 +4507,7 @@ log space");
  
    DBUG_LEAVE;                                   // Must match DBUG_ENTER()
    my_thread_end();
 -#ifdef HAVE_OPENSSL
--#if OPENSSL_VERSION_NUMBER < 0x10000000L
    ERR_remove_state(0);
--#elif OPENSSL_VERSION_NUMBER < 0x10100000L
--  ERR_remove_thread_state(0);
--#endif
 -#endif
    pthread_exit(0);
    return 0;                                     // Avoid compiler warnings
  }
-@@ -5174,13 +5163,7 @@ pthread_handler_t handle_slave_sql(void *arg)
+@@ -5168,9 +5166,7 @@ pthread_handler_t handle_slave_sql(void *arg)
  
    DBUG_LEAVE;                                   // Must match DBUG_ENTER()
    my_thread_end();
 -#ifdef HAVE_OPENSSL
--#if OPENSSL_VERSION_NUMBER < 0x10000000L
    ERR_remove_state(0);
--#elif OPENSSL_VERSION_NUMBER < 0x10100000L
--  ERR_remove_thread_state(0);
--#endif
 -#endif
    pthread_exit(0);
    return 0;                                     // Avoid compiler warnings
  }
 diff --git a/vio/vio.c b/vio/vio.c
-index e3bc8ca8ab8..44d06092184 100644
+index e3bc8ca..44d0609 100644
 --- a/vio/vio.c
 +++ b/vio/vio.c
 @@ -22,6 +22,7 @@
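Review bot: `ERR_remove_state(0);` in both slave-thread exit paths is now compiled unconditionally, because the patch drops the surrounding `#ifdef HAVE_OPENSSL` together with the file-local fallback macros; for builds without OpenSSL, with YaSSL, or against OpenSSL 1.1 where ERR_remove_state is gone, the symbol must come from the ssl_compat.h include added earlier in this file, which is not visible here. Confirm it expands to a no-op or an equivalent thread-state cleanup in every supported configuration, otherwise those builds fail to compile or link. A short comment at the first call site, `/* ERR_remove_state() is provided by ssl_compat.h for every TLS backend */`, would spare the next reader the search. Both enclosing thread functions begin outside the hunk.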
@@ -1968,40 +919,24 @@ index e3bc8ca8ab8..44d06092184 100644
  #ifdef _WIN32
  
 diff --git a/vio/viosslfactories.c b/vio/viosslfactories.c
-index 497047cac72..71ef2879464 100644
+index 52b624d..71ef287 100644
 --- a/vio/viosslfactories.c
 +++ b/vio/viosslfactories.c
-@@ -15,20 +15,12 @@
+@@ -15,6 +15,7 @@
     Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301  USA */
  
  #include "vio_priv.h"
 +#include <ssl_compat.h>
  
  #ifdef HAVE_OPENSSL
--#if defined(HAVE_YASSL) || defined(LIBRESSL_VERSION_NUMBER)
--#define OPENSSL_init_ssl(X,Y) SSL_library_init()
--#else
-+#ifndef HAVE_YASSL
- #include <openssl/dh.h>
- #include <openssl/bn.h>
--
--#if OPENSSL_VERSION_NUMBER >= 0x10100000L
--#define ERR_remove_state(X)
--#else
--#define OPENSSL_init_ssl(X,Y) SSL_library_init()
--#endif
--
- #endif
- 
- static my_bool     ssl_algorithms_added    = FALSE;
-@@ -36,59 +28,51 @@ static my_bool     ssl_error_strings_loaded= FALSE;
+ #ifndef HAVE_YASSL
+@@ -26,49 +27,56 @@ static my_bool     ssl_algorithms_added    = FALSE;
+ static my_bool     ssl_error_strings_loaded= FALSE;
  
  /* the function below was generated with "openssl dhparam -2 -C 2048" */
- 
--/* {{{ get_dh_2048 */
--static DH *get_dh_2048()
-+static
-+DH *get_dh2048()
++
+ static
+ DH *get_dh2048()
  {
 -  static unsigned char dh2048_p[]={
 -    0xA1,0xBB,0x7C,0x20,0xC5,0x5B,0xC0,0x7B,0x21,0x8B,0xD6,0xA8,
@@ -2031,24 +966,13 @@ index 497047cac72..71ef2879464 100644
 -    0x02,
 -  };
 -  DH *dh;
--  if ((dh=DH_new()) == NULL)
--    return(NULL);
--#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
--  (dh)->p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL);
--  (dh)->g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL);
--  if ((dh)->p == NULL || (dh)->g == NULL)
--  { DH_free(dh); return NULL; }
--#else
--  {
--    BIGNUM *dhp_bn= BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL),
--           *dhg_bn= BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL);
--    if (dhp_bn == NULL || dhg_bn == NULL ||
--        !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn))
--    {
--      DH_free(dh);
--      BN_free(dhp_bn);
--      BN_free(dhg_bn);
--      return NULL;
+-
+-  if ((dh=DH_new()) == NULL) return(NULL);
+-  dh->p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL);
+-  dh->g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL);
+-  if ((dh->p == NULL) || (dh->g == NULL))
+-  { DH_free(dh); return(NULL); }
+-  return(dh);
 +    static unsigned char dhp_2048[] = {
 +        0xA1,0xBB,0x7C,0x20,0xC5,0x5B,0xC0,0x7B,0x21,0x8B,0xD6,0xA8,
 +        0x15,0xFC,0x3B,0xBA,0xAB,0x9F,0xDF,0x68,0xC4,0x79,0x78,0x0D,
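Review bot: The DH parameter table introduced as `static unsigned char dhp_2048[] = {` (and presumably the matching generator array that follows) is writable static storage, although BN_bin2bn only reads it; declare it `static const unsigned char dhp_2048[] = {` so the hard-coded group lives in read-only data and cannot be altered at runtime by a stray write elsewhere in the process. The same qualifier applies to the second array wherever it is declared, since get_dh2048 begins in the previous hunk and its body continues past this one.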
@@ -2089,20 +1013,25 @@ index 497047cac72..71ef2879464 100644
 +        BN_free(dhp_bn);
 +        BN_free(dhg_bn);
 +        return NULL;
-     }
--  }
--#endif
--  return dh;
++    }
 +    return dh;
  }
  
+-
  static const char*
-@@ -287,7 +271,7 @@ new_VioSSLFd(const char *key_file, const char *cert_file,
-   /* DH stuff */
-   if (!is_client_method)
+-ssl_error_string[] = 
++ssl_error_string[] =
+ {
+   "No error",
+   "Unable to get certificate",
+@@ -148,9 +156,7 @@ static void check_ssl_init()
+   if (!ssl_algorithms_added)
    {
--    dh=get_dh_2048();
-+    dh=get_dh2048();
-     if (!SSL_CTX_set_tmp_dh(ssl_fd->ssl_context, dh))
-     {
-       *error= SSL_INITERR_DH;
+     ssl_algorithms_added= TRUE;
+-    SSL_library_init();
+-    OpenSSL_add_all_algorithms();
+-
++    OPENSSL_init_ssl(0, NULL);
+   }
+ 
+   if (!ssl_error_strings_loaded)
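Review bot: The return value of `OPENSSL_init_ssl(0, NULL);` in check_ssl_init is discarded, and `ssl_algorithms_added= TRUE;` is set on the line before the call, so on OpenSSL 1.1 (where the function returns 0 on failure) a failed library initialisation is neither reported nor retried. Since check_ssl_init is void, the least that fits here is to set the flag from the result, e.g. `ssl_algorithms_added= OPENSSL_init_ssl(0, NULL) != 0;`, so a later call can try again. On OpenSSL 1.0 the name presumably maps to `SSL_library_init()` through ssl_compat.h now that the in-file `#define OPENSSL_init_ssl(X,Y)` was removed earlier in this file; note that `OpenSSL_add_all_algorithms()` is no longer called on that path, so any code that looks ciphers or digests up by name rather than referencing them directly should be checked. check_ssl_init continues past the end of the hunk.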
diff --git a/PKGBUILD b/PKGBUILD
index 067bd33..7d67786 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -3,7 +3,7 @@
 
 pkgbase=mariadb
 pkgname=('libmariadbclient' 'mariadb-clients' 'mytop' 'mariadb')
-pkgver=10.1.25
+pkgver=10.1.26
 pkgrel=1
 arch=('i686' 'x86_64')
 license=('GPL')
@@ -15,9 +15,9 @@ source=("https://ftp.heanet.ie/mirrors/mariadb/mariadb-$pkgver/source/mariadb-$p
         '0001-openssl-1-1-0.patch'
         'mariadb-sysusers.conf'
         'mariadb-tmpfile.conf')
-sha256sums=('7205ecaa6f1bc16335ad88faa5c46be52b3ac628a5e795cb942a3f4335b2a0d6'
+sha256sums=('ba88b1cb9967dea2909938a34ba89373b162b0d83e5c98a0f1c94540156bf73d'
             'SKIP'
-            '41d80d3ff78251bd3e05ed5c40b63e4ac71153832a00c86443be5a111daad354'
+            '40d298ca77c0459ade4ef9fc68a3a7450273b098b9f7edfb0a5251c5db434cfc'
             'e1a22777c65854041f16fc0a2db3218d17b4d7e7ec7ab7a77cf49c71277c1515'
             '2af318c52ae0fe5428e8a9245d1b0fc3bc5ce153842d1563329ceb1edfa83ddd')