Annotation of /trunk/mariadb/patches/mariadb-10.1.28-openssl-1.1.patch
Parent Directory | Revision Log
Revision 3016 -
(hide annotations)
(download)
Thu Oct 26 13:17:59 2017 UTC (6 years, 11 months ago) by niro
File size: 35281 byte(s)
Thu Oct 26 13:17:59 2017 UTC (6 years, 11 months ago) by niro
File size: 35281 byte(s)
-added openssl-1.1 patch
1 | niro | 3016 | diff --git a/extra/yassl/src/handshake.cpp b/extra/yassl/src/handshake.cpp |
2 | index 407e409..6e181a9 100644 | ||
3 | --- a/extra/yassl/src/handshake.cpp | ||
4 | +++ b/extra/yassl/src/handshake.cpp | ||
5 | @@ -788,6 +788,16 @@ int DoProcessReply(SSL& ssl) | ||
6 | needHdr = true; | ||
7 | else { | ||
8 | buffer >> hdr; | ||
9 | + /* | ||
10 | + According to RFC 4346 (see "7.4.1.3. Server Hello"), the Server Hello | ||
11 | + packet needs to specify the highest supported TLS version, but not | ||
12 | + higher than what client requests. YaSSL highest supported version is | ||
13 | + TLSv1.1 (=3.2) - if the client requests a higher version, downgrade it | ||
14 | + here to 3.2. | ||
15 | + See also Appendix E of RFC 5246 (TLS 1.2) | ||
16 | + */ | ||
17 | + if (hdr.version_.major_ == 3 && hdr.version_.minor_ > 2) | ||
18 | + hdr.version_.minor_ = 2; | ||
19 | ssl.verifyState(hdr); | ||
20 | } | ||
21 | |||
22 | diff --git a/include/ssl_compat.h b/include/ssl_compat.h | ||
23 | new file mode 100644 | ||
24 | index 0000000..b0e3ed4 | ||
25 | --- /dev/null | ||
26 | +++ b/include/ssl_compat.h | ||
27 | @@ -0,0 +1,75 @@ | ||
28 | +/* | ||
29 | + Copyright (c) 2016, 2017 MariaDB Corporation | ||
30 | + | ||
31 | + This program is free software; you can redistribute it and/or modify | ||
32 | + it under the terms of the GNU General Public License as published by | ||
33 | + the Free Software Foundation; version 2 of the License. | ||
34 | + | ||
35 | + This program is distributed in the hope that it will be useful, | ||
36 | + but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
37 | + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
38 | + GNU General Public License for more details. | ||
39 | + | ||
40 | + You should have received a copy of the GNU General Public License | ||
41 | + along with this program; if not, write to the Free Software | ||
42 | + Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */ | ||
43 | + | ||
44 | +#include <openssl/opensslv.h> | ||
45 | + | ||
46 | +/* OpenSSL version specific definitions */ | ||
47 | +#if !defined(HAVE_YASSL) && defined(OPENSSL_VERSION_NUMBER) | ||
48 | + | ||
49 | +#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER) | ||
50 | +#define HAVE_X509_check_host 1 | ||
51 | +#endif | ||
52 | + | ||
53 | +#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) | ||
54 | +#define HAVE_OPENSSL11 1 | ||
55 | +#define ERR_remove_state(X) ERR_clear_error() | ||
56 | +#define EVP_MD_CTX_cleanup(X) EVP_MD_CTX_reset(X) | ||
57 | +#define EVP_CIPHER_CTX_SIZE 168 | ||
58 | +#define EVP_MD_CTX_SIZE 48 | ||
59 | +#undef EVP_MD_CTX_init | ||
60 | +#define EVP_MD_CTX_init(X) do { bzero((X), EVP_MD_CTX_SIZE); EVP_MD_CTX_reset(X); } while(0) | ||
61 | +#undef EVP_CIPHER_CTX_init | ||
62 | +#define EVP_CIPHER_CTX_init(X) do { bzero((X), EVP_CIPHER_CTX_SIZE); EVP_CIPHER_CTX_reset(X); } while(0) | ||
63 | + | ||
64 | +#else | ||
65 | +#define HAVE_OPENSSL10 1 | ||
66 | +/* | ||
67 | + Unfortunately RAND_bytes manual page does not provide any guarantees | ||
68 | + in relation to blocking behavior. Here we explicitly use SSLeay random | ||
69 | + instead of whatever random engine is currently set in OpenSSL. That way | ||
70 | + we are guaranteed to have a non-blocking random. | ||
71 | +*/ | ||
72 | +#define RAND_OpenSSL() RAND_SSLeay() | ||
73 | + | ||
74 | +#ifdef HAVE_ERR_remove_thread_state | ||
75 | +#define ERR_remove_state(X) ERR_remove_thread_state(NULL) | ||
76 | +#endif /* HAVE_ERR_remove_thread_state */ | ||
77 | + | ||
78 | +#endif /* HAVE_OPENSSL11 */ | ||
79 | + | ||
80 | +#elif defined(HAVE_YASSL) | ||
81 | +#define BN_free(X) do { } while(0) | ||
82 | +#endif /* !defined(HAVE_YASSL) */ | ||
83 | + | ||
84 | +#ifndef HAVE_OPENSSL11 | ||
85 | +#define ASN1_STRING_get0_data(X) ASN1_STRING_data(X) | ||
86 | +#define OPENSSL_init_ssl(X,Y) SSL_library_init() | ||
87 | +#define DH_set0_pqg(D,P,Q,G) ((D)->p= (P), (D)->g= (G)) | ||
88 | +#define EVP_CIPHER_CTX_buf_noconst(ctx) ((ctx)->buf) | ||
89 | +#define EVP_CIPHER_CTX_encrypting(ctx) ((ctx)->encrypt) | ||
90 | +#define EVP_CIPHER_CTX_SIZE sizeof(EVP_CIPHER_CTX) | ||
91 | +#define EVP_MD_CTX_SIZE sizeof(EVP_MD_CTX) | ||
92 | +#endif | ||
93 | + | ||
94 | +#ifdef __cplusplus | ||
95 | +extern "C" { | ||
96 | +#endif /* __cplusplus */ | ||
97 | + | ||
98 | +int check_openssl_compatibility(); | ||
99 | + | ||
100 | +#ifdef __cplusplus | ||
101 | +} | ||
102 | +#endif | ||
103 | diff --git a/include/violite.h b/include/violite.h | ||
104 | index a7165ca..572d474 100644 | ||
105 | --- a/include/violite.h | ||
106 | +++ b/include/violite.h | ||
107 | @@ -123,13 +123,6 @@ int vio_getnameinfo(const struct sockaddr *sa, | ||
108 | int flags); | ||
109 | |||
110 | #ifdef HAVE_OPENSSL | ||
111 | -#include <openssl/opensslv.h> | ||
112 | -#if OPENSSL_VERSION_NUMBER < 0x0090700f | ||
113 | -#define DES_cblock des_cblock | ||
114 | -#define DES_key_schedule des_key_schedule | ||
115 | -#define DES_set_key_unchecked(k,ks) des_set_key_unchecked((k),*(ks)) | ||
116 | -#define DES_ede3_cbc_encrypt(i,o,l,k1,k2,k3,iv,e) des_ede3_cbc_encrypt((i),(o),(l),*(k1),*(k2),*(k3),(iv),(e)) | ||
117 | -#endif | ||
118 | /* apple deprecated openssl in MacOSX Lion */ | ||
119 | #ifdef __APPLE__ | ||
120 | #pragma GCC diagnostic ignored "-Wdeprecated-declarations" | ||
121 | @@ -146,14 +139,10 @@ typedef my_socket YASSL_SOCKET_T; | ||
122 | #include <openssl/ssl.h> | ||
123 | #include <openssl/err.h> | ||
124 | |||
125 | -#ifdef HAVE_ERR_remove_thread_state | ||
126 | -#define ERR_remove_state(X) ERR_remove_thread_state(NULL) | ||
127 | -#endif | ||
128 | - | ||
129 | enum enum_ssl_init_error | ||
130 | { | ||
131 | - SSL_INITERR_NOERROR= 0, SSL_INITERR_CERT, SSL_INITERR_KEY, | ||
132 | - SSL_INITERR_NOMATCH, SSL_INITERR_BAD_PATHS, SSL_INITERR_CIPHERS, | ||
133 | + SSL_INITERR_NOERROR= 0, SSL_INITERR_CERT, SSL_INITERR_KEY, | ||
134 | + SSL_INITERR_NOMATCH, SSL_INITERR_BAD_PATHS, SSL_INITERR_CIPHERS, | ||
135 | SSL_INITERR_MEMFAIL, SSL_INITERR_DH, SSL_INITERR_LASTERR | ||
136 | }; | ||
137 | const char* sslGetErrString(enum enum_ssl_init_error err); | ||
138 | diff --git a/mysql-test/include/require_openssl_client.inc b/mysql-test/include/require_openssl_client.inc | ||
139 | new file mode 100644 | ||
140 | index 0000000..9b19960 | ||
141 | --- /dev/null | ||
142 | +++ b/mysql-test/include/require_openssl_client.inc | ||
143 | @@ -0,0 +1,5 @@ | ||
144 | +if ($CLIENT_TLS_LIBRARY != "OpenSSL") { | ||
145 | + if ($CLIENT_TLS_LIBRARY != "LibreSSL") { | ||
146 | + skip "Test requires Connector/C with OpenSSL library"; | ||
147 | + } | ||
148 | +} | ||
149 | diff --git a/mysql-test/mysql-test-run.pl b/mysql-test/mysql-test-run.pl | ||
150 | index 2cd5d2a..22bcaba 100755 | ||
151 | --- a/mysql-test/mysql-test-run.pl | ||
152 | +++ b/mysql-test/mysql-test-run.pl | ||
153 | @@ -2300,6 +2300,11 @@ sub environment_setup { | ||
154 | $ENV{'MYSQL_PLUGIN'}= $exe_mysql_plugin; | ||
155 | $ENV{'MYSQL_EMBEDDED'}= $exe_mysql_embedded; | ||
156 | |||
157 | + my $client_config_exe= | ||
158 | + native_path("$bindir/libmariadb/mariadb_config$opt_vs_config/mariadb_config"); | ||
159 | + my $tls_info= `$client_config_exe --tlsinfo`; | ||
160 | + ($ENV{CLIENT_TLS_LIBRARY},$ENV{CLIENT_TLS_LIBRARY_VERSION})= | ||
161 | + split(/ /, $tls_info, 2); | ||
162 | my $exe_mysqld= find_mysqld($basedir); | ||
163 | $ENV{'MYSQLD'}= $exe_mysqld; | ||
164 | my $extra_opts= join (" ", @opt_extra_mysqld_opt); | ||
165 | diff --git a/mysql-test/r/openssl_6975,tlsv10.result b/mysql-test/r/openssl_6975,tlsv10.result | ||
166 | index 7a4465f..202e7f4 100644 | ||
167 | --- a/mysql-test/r/openssl_6975,tlsv10.result | ||
168 | +++ b/mysql-test/r/openssl_6975,tlsv10.result | ||
169 | @@ -3,11 +3,11 @@ grant select on test.* to ssl_sslv3@localhost require cipher "AES128-SHA"; | ||
170 | create user ssl_tls12@localhost; | ||
171 | grant select on test.* to ssl_tls12@localhost require cipher "AES128-SHA256"; | ||
172 | TLS1.2 ciphers: user is ok with any cipher | ||
173 | -ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure | ||
174 | -ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure | ||
175 | +ERROR 2026 (HY000): SSL connection error: sslv3 alert handshake failure | ||
176 | +ERROR 2026 (HY000): SSL connection error: sslv3 alert handshake failure | ||
177 | TLS1.2 ciphers: user requires SSLv3 cipher AES128-SHA | ||
178 | -ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure | ||
179 | -ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure | ||
180 | +ERROR 2026 (HY000): SSL connection error: sslv3 alert handshake failure | ||
181 | +ERROR 2026 (HY000): SSL connection error: sslv3 alert handshake failure | ||
182 | TLS1.2 ciphers: user requires TLSv1.2 cipher AES128-SHA256 | ||
183 | ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure | ||
184 | ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure | ||
185 | diff --git a/mysql-test/t/openssl_6975.test b/mysql-test/t/openssl_6975.test | ||
186 | index 49889a3..6a82d01 100644 | ||
187 | --- a/mysql-test/t/openssl_6975.test | ||
188 | +++ b/mysql-test/t/openssl_6975.test | ||
189 | @@ -4,6 +4,7 @@ | ||
190 | # test SSLv3 and TLSv1.2 ciphers when OpenSSL is restricted to SSLv3 or TLSv1.2 | ||
191 | # | ||
192 | source include/have_ssl_communication.inc; | ||
193 | +source include/require_openssl_client.inc; | ||
194 | |||
195 | # this is OpenSSL test. | ||
196 | |||
197 | diff --git a/mysql-test/t/ssl_7937.test b/mysql-test/t/ssl_7937.test | ||
198 | index d593b9d..a764579 100644 | ||
199 | --- a/mysql-test/t/ssl_7937.test | ||
200 | +++ b/mysql-test/t/ssl_7937.test | ||
201 | @@ -26,6 +26,7 @@ create procedure have_ssl() | ||
202 | # we fake the test result for yassl | ||
203 | let yassl=`select variable_value='Unknown' from information_schema.session_status where variable_name='Ssl_session_cache_mode'`; | ||
204 | if (!$yassl) { | ||
205 | + --replace_result "self signed certificate in certificate chain" "Failed to verify the server certificate" "Error in the certificate." "Failed to verify the server certificate" | ||
206 | --exec $MYSQL --ssl --ssl-verify-server-cert -e "call test.have_ssl()" 2>&1 | ||
207 | } | ||
208 | if ($yassl) { | ||
209 | diff --git a/mysql-test/t/ssl_8k_key.test b/mysql-test/t/ssl_8k_key.test | ||
210 | index 27cffdc..9d5b382 100644 | ||
211 | --- a/mysql-test/t/ssl_8k_key.test | ||
212 | +++ b/mysql-test/t/ssl_8k_key.test | ||
213 | @@ -1,5 +1,5 @@ | ||
214 | -# This test should work in embedded server after we fix mysqltest | ||
215 | --- source include/not_embedded.inc | ||
216 | +# schannel does not support keys longer than 4k | ||
217 | +-- source include/not_windows.inc | ||
218 | |||
219 | -- source include/have_ssl_communication.inc | ||
220 | # | ||
221 | diff --git a/mysys_ssl/CMakeLists.txt b/mysys_ssl/CMakeLists.txt | ||
222 | index 4f6f745..f8a767e 100644 | ||
223 | --- a/mysys_ssl/CMakeLists.txt | ||
224 | +++ b/mysys_ssl/CMakeLists.txt | ||
225 | @@ -28,6 +28,7 @@ SET(MYSYS_SSL_HIDDEN_SOURCES | ||
226 | my_sha384.cc | ||
227 | my_sha512.cc | ||
228 | my_md5.cc | ||
229 | + openssl.c | ||
230 | ) | ||
231 | |||
232 | SET(MYSYS_SSL_SOURCES | ||
233 | diff --git a/mysys_ssl/my_crypt.cc b/mysys_ssl/my_crypt.cc | ||
234 | index a0937a8..ed1c82d 100644 | ||
235 | --- a/mysys_ssl/my_crypt.cc | ||
236 | +++ b/mysys_ssl/my_crypt.cc | ||
237 | @@ -1,6 +1,6 @@ | ||
238 | /* | ||
239 | Copyright (c) 2014 Google Inc. | ||
240 | - Copyright (c) 2014, 2015 MariaDB Corporation | ||
241 | + Copyright (c) 2014, 2017 MariaDB Corporation | ||
242 | |||
243 | This program is free software; you can redistribute it and/or modify | ||
244 | it under the terms of the GNU General Public License as published by | ||
245 | @@ -17,52 +17,60 @@ | ||
246 | |||
247 | #include <my_global.h> | ||
248 | #include <string.h> | ||
249 | -#include <my_crypt.h> | ||
250 | |||
251 | #ifdef HAVE_YASSL | ||
252 | #include "yassl.cc" | ||
253 | #else | ||
254 | - | ||
255 | #include <openssl/evp.h> | ||
256 | #include <openssl/aes.h> | ||
257 | #include <openssl/err.h> | ||
258 | - | ||
259 | -#ifdef HAVE_ERR_remove_thread_state | ||
260 | -#define ERR_remove_state(X) ERR_remove_thread_state(NULL) | ||
261 | +#include <openssl/rand.h> | ||
262 | #endif | ||
263 | |||
264 | -#endif | ||
265 | +#include <my_crypt.h> | ||
266 | +#include <ssl_compat.h> | ||
267 | |||
268 | class MyCTX | ||
269 | { | ||
270 | public: | ||
271 | - EVP_CIPHER_CTX ctx; | ||
272 | - MyCTX() { EVP_CIPHER_CTX_init(&ctx); } | ||
273 | - virtual ~MyCTX() { EVP_CIPHER_CTX_cleanup(&ctx); ERR_remove_state(0); } | ||
274 | + char ctx_buf[EVP_CIPHER_CTX_SIZE]; | ||
275 | + EVP_CIPHER_CTX *ctx; | ||
276 | + | ||
277 | + MyCTX() | ||
278 | + { | ||
279 | + ctx= (EVP_CIPHER_CTX *)ctx_buf; | ||
280 | + EVP_CIPHER_CTX_init(ctx); | ||
281 | + } | ||
282 | + virtual ~MyCTX() | ||
283 | + { | ||
284 | + EVP_CIPHER_CTX_cleanup(ctx); | ||
285 | + ERR_remove_state(0); | ||
286 | + } | ||
287 | |||
288 | virtual int init(const EVP_CIPHER *cipher, int encrypt, const uchar *key, | ||
289 | uint klen, const uchar *iv, uint ivlen) | ||
290 | { | ||
291 | + compile_time_assert(MY_AES_CTX_SIZE >= sizeof(MyCTX)); | ||
292 | if (unlikely(!cipher)) | ||
293 | return MY_AES_BAD_KEYSIZE; | ||
294 | |||
295 | - if (!EVP_CipherInit_ex(&ctx, cipher, NULL, key, iv, encrypt)) | ||
296 | + if (!EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, encrypt)) | ||
297 | return MY_AES_OPENSSL_ERROR; | ||
298 | |||
299 | - DBUG_ASSERT(EVP_CIPHER_CTX_key_length(&ctx) == (int)klen); | ||
300 | - DBUG_ASSERT(EVP_CIPHER_CTX_iv_length(&ctx) <= (int)ivlen); | ||
301 | + DBUG_ASSERT(EVP_CIPHER_CTX_key_length(ctx) == (int)klen); | ||
302 | + DBUG_ASSERT(EVP_CIPHER_CTX_iv_length(ctx) <= (int)ivlen); | ||
303 | |||
304 | return MY_AES_OK; | ||
305 | } | ||
306 | virtual int update(const uchar *src, uint slen, uchar *dst, uint *dlen) | ||
307 | { | ||
308 | - if (!EVP_CipherUpdate(&ctx, dst, (int*)dlen, src, slen)) | ||
309 | + if (!EVP_CipherUpdate(ctx, dst, (int*)dlen, src, slen)) | ||
310 | return MY_AES_OPENSSL_ERROR; | ||
311 | return MY_AES_OK; | ||
312 | } | ||
313 | virtual int finish(uchar *dst, uint *dlen) | ||
314 | { | ||
315 | - if (!EVP_CipherFinal_ex(&ctx, dst, (int*)dlen)) | ||
316 | + if (!EVP_CipherFinal_ex(ctx, dst, (int*)dlen)) | ||
317 | return MY_AES_BAD_DATA; | ||
318 | return MY_AES_OK; | ||
319 | } | ||
320 | @@ -72,7 +80,8 @@ class MyCTX_nopad : public MyCTX | ||
321 | { | ||
322 | public: | ||
323 | const uchar *key; | ||
324 | - int klen; | ||
325 | + uint klen, buf_len; | ||
326 | + uchar oiv[MY_AES_BLOCK_SIZE]; | ||
327 | |||
328 | MyCTX_nopad() : MyCTX() { } | ||
329 | ~MyCTX_nopad() { } | ||
330 | @@ -83,32 +92,48 @@ class MyCTX_nopad : public MyCTX | ||
331 | compile_time_assert(MY_AES_CTX_SIZE >= sizeof(MyCTX_nopad)); | ||
332 | this->key= key; | ||
333 | this->klen= klen; | ||
334 | + this->buf_len= 0; | ||
335 | + memcpy(oiv, iv, ivlen); | ||
336 | + DBUG_ASSERT(ivlen == 0 || ivlen == sizeof(oiv)); | ||
337 | + | ||
338 | int res= MyCTX::init(cipher, encrypt, key, klen, iv, ivlen); | ||
339 | - memcpy(ctx.oiv, iv, ivlen); // in ECB mode OpenSSL doesn't do that itself | ||
340 | - EVP_CIPHER_CTX_set_padding(&ctx, 0); | ||
341 | + | ||
342 | + EVP_CIPHER_CTX_set_padding(ctx, 0); | ||
343 | return res; | ||
344 | } | ||
345 | |||
346 | + int update(const uchar *src, uint slen, uchar *dst, uint *dlen) | ||
347 | + { | ||
348 | + buf_len+= slen; | ||
349 | + return MyCTX::update(src, slen, dst, dlen); | ||
350 | + } | ||
351 | + | ||
352 | int finish(uchar *dst, uint *dlen) | ||
353 | { | ||
354 | - if (ctx.buf_len) | ||
355 | + buf_len %= MY_AES_BLOCK_SIZE; | ||
356 | + if (buf_len) | ||
357 | { | ||
358 | + uchar *buf= EVP_CIPHER_CTX_buf_noconst(ctx); | ||
359 | /* | ||
360 | Not much we can do, block ciphers cannot encrypt data that aren't | ||
361 | a multiple of the block length. At least not without padding. | ||
362 | Let's do something CTR-like for the last partial block. | ||
363 | + | ||
364 | + NOTE this assumes that there are only buf_len bytes in the buf. | ||
365 | + If OpenSSL will change that, we'll need to change the implementation | ||
366 | + of this class too. | ||
367 | */ | ||
368 | uchar mask[MY_AES_BLOCK_SIZE]; | ||
369 | uint mlen; | ||
370 | |||
371 | my_aes_crypt(MY_AES_ECB, ENCRYPTION_FLAG_ENCRYPT | ENCRYPTION_FLAG_NOPAD, | ||
372 | - ctx.oiv, sizeof(mask), mask, &mlen, key, klen, 0, 0); | ||
373 | + oiv, sizeof(mask), mask, &mlen, key, klen, 0, 0); | ||
374 | DBUG_ASSERT(mlen == sizeof(mask)); | ||
375 | |||
376 | - for (int i=0; i < ctx.buf_len; i++) | ||
377 | - dst[i]= ctx.buf[i] ^ mask[i]; | ||
378 | + for (uint i=0; i < buf_len; i++) | ||
379 | + dst[i]= buf[i] ^ mask[i]; | ||
380 | } | ||
381 | - *dlen= ctx.buf_len; | ||
382 | + *dlen= buf_len; | ||
383 | return MY_AES_OK; | ||
384 | } | ||
385 | }; | ||
386 | @@ -152,7 +177,7 @@ class MyCTX_gcm : public MyCTX | ||
387 | { | ||
388 | compile_time_assert(MY_AES_CTX_SIZE >= sizeof(MyCTX_gcm)); | ||
389 | int res= MyCTX::init(cipher, encrypt, key, klen, iv, ivlen); | ||
390 | - int real_ivlen= EVP_CIPHER_CTX_iv_length(&ctx); | ||
391 | + int real_ivlen= EVP_CIPHER_CTX_iv_length(ctx); | ||
392 | aad= iv + real_ivlen; | ||
393 | aadlen= ivlen - real_ivlen; | ||
394 | return res; | ||
395 | @@ -166,15 +191,15 @@ class MyCTX_gcm : public MyCTX | ||
396 | before decrypting the data. it can encrypt data piecewise, like, first | ||
397 | half, then the second half, but it must decrypt all at once | ||
398 | */ | ||
399 | - if (!ctx.encrypt) | ||
400 | + if (!EVP_CIPHER_CTX_encrypting(ctx)) | ||
401 | { | ||
402 | slen-= MY_AES_BLOCK_SIZE; | ||
403 | - if(!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_TAG, MY_AES_BLOCK_SIZE, | ||
404 | + if(!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, MY_AES_BLOCK_SIZE, | ||
405 | (void*)(src + slen))) | ||
406 | return MY_AES_OPENSSL_ERROR; | ||
407 | } | ||
408 | int unused; | ||
409 | - if (aadlen && !EVP_CipherUpdate(&ctx, NULL, &unused, aad, aadlen)) | ||
410 | + if (aadlen && !EVP_CipherUpdate(ctx, NULL, &unused, aad, aadlen)) | ||
411 | return MY_AES_OPENSSL_ERROR; | ||
412 | aadlen= 0; | ||
413 | return MyCTX::update(src, slen, dst, dlen); | ||
414 | @@ -183,13 +208,13 @@ class MyCTX_gcm : public MyCTX | ||
415 | int finish(uchar *dst, uint *dlen) | ||
416 | { | ||
417 | int fin; | ||
418 | - if (!EVP_CipherFinal_ex(&ctx, dst, &fin)) | ||
419 | + if (!EVP_CipherFinal_ex(ctx, dst, &fin)) | ||
420 | return MY_AES_BAD_DATA; | ||
421 | DBUG_ASSERT(fin == 0); | ||
422 | |||
423 | - if (ctx.encrypt) | ||
424 | + if (EVP_CIPHER_CTX_encrypting(ctx)) | ||
425 | { | ||
426 | - if(!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_GET_TAG, MY_AES_BLOCK_SIZE, dst)) | ||
427 | + if(!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, MY_AES_BLOCK_SIZE, dst)) | ||
428 | return MY_AES_OPENSSL_ERROR; | ||
429 | *dlen= MY_AES_BLOCK_SIZE; | ||
430 | } | ||
431 | @@ -257,12 +282,15 @@ int my_aes_crypt(enum my_aes_mode mode, int flags, | ||
432 | { | ||
433 | void *ctx= alloca(MY_AES_CTX_SIZE); | ||
434 | int res1, res2; | ||
435 | - uint d1, d2; | ||
436 | + uint d1= 0, d2; | ||
437 | if ((res1= my_aes_crypt_init(ctx, mode, flags, key, klen, iv, ivlen))) | ||
438 | return res1; | ||
439 | res1= my_aes_crypt_update(ctx, src, slen, dst, &d1); | ||
440 | res2= my_aes_crypt_finish(ctx, dst + d1, &d2); | ||
441 | - *dlen= d1 + d2; | ||
442 | + if (res1 || res2) | ||
443 | + ERR_remove_state(0); /* in case of failure clear error queue */ | ||
444 | + else | ||
445 | + *dlen= d1 + d2; | ||
446 | return res1 ? res1 : res2; | ||
447 | } | ||
448 | |||
449 | @@ -301,17 +329,10 @@ int my_random_bytes(uchar* buf, int num) | ||
450 | return MY_AES_OK; | ||
451 | } | ||
452 | #else | ||
453 | -#include <openssl/rand.h> | ||
454 | |||
455 | int my_random_bytes(uchar *buf, int num) | ||
456 | { | ||
457 | - /* | ||
458 | - Unfortunately RAND_bytes manual page does not provide any guarantees | ||
459 | - in relation to blocking behavior. Here we explicitly use SSLeay random | ||
460 | - instead of whatever random engine is currently set in OpenSSL. That way | ||
461 | - we are guaranteed to have a non-blocking random. | ||
462 | - */ | ||
463 | - RAND_METHOD *rand = RAND_SSLeay(); | ||
464 | + RAND_METHOD *rand = RAND_OpenSSL(); | ||
465 | if (rand == NULL || rand->bytes(buf, num) != 1) | ||
466 | return MY_AES_OPENSSL_ERROR; | ||
467 | return MY_AES_OK; | ||
468 | diff --git a/mysys_ssl/my_md5.cc b/mysys_ssl/my_md5.cc | ||
469 | index 7139ea9..0105082 100644 | ||
470 | --- a/mysys_ssl/my_md5.cc | ||
471 | +++ b/mysys_ssl/my_md5.cc | ||
472 | @@ -1,5 +1,5 @@ | ||
473 | /* Copyright (c) 2012, Oracle and/or its affiliates. | ||
474 | - Copyright (c) 2014, SkySQL Ab. | ||
475 | + Copyright (c) 2017, MariaDB Corporation | ||
476 | |||
477 | This program is free software; you can redistribute it and/or modify | ||
478 | it under the terms of the GNU General Public License as published by | ||
479 | @@ -29,38 +29,31 @@ | ||
480 | |||
481 | #if defined(HAVE_YASSL) | ||
482 | #include "md5.hpp" | ||
483 | +#include <ssl_compat.h> | ||
484 | |||
485 | -typedef TaoCrypt::MD5 MD5_CONTEXT; | ||
486 | +typedef TaoCrypt::MD5 EVP_MD_CTX; | ||
487 | |||
488 | -static void md5_init(MD5_CONTEXT *context) | ||
489 | +static void md5_init(EVP_MD_CTX *context) | ||
490 | { | ||
491 | - context= new(context) MD5_CONTEXT; | ||
492 | + context= new(context) EVP_MD_CTX; | ||
493 | context->Init(); | ||
494 | } | ||
495 | |||
496 | -/* | ||
497 | - this is a variant of md5_init to be used in this file only. | ||
498 | - does nothing for yassl, because the context's constructor was called automatically. | ||
499 | -*/ | ||
500 | -static void md5_init_fast(MD5_CONTEXT *context) | ||
501 | -{ | ||
502 | -} | ||
503 | - | ||
504 | -static void md5_input(MD5_CONTEXT *context, const uchar *buf, unsigned len) | ||
505 | +static void md5_input(EVP_MD_CTX *context, const uchar *buf, unsigned len) | ||
506 | { | ||
507 | context->Update((const TaoCrypt::byte *) buf, len); | ||
508 | } | ||
509 | |||
510 | -static void md5_result(MD5_CONTEXT *context, uchar digest[MD5_HASH_SIZE]) | ||
511 | +static void md5_result(EVP_MD_CTX *context, uchar digest[MD5_HASH_SIZE]) | ||
512 | { | ||
513 | context->Final((TaoCrypt::byte *) digest); | ||
514 | } | ||
515 | |||
516 | #elif defined(HAVE_OPENSSL) | ||
517 | #include <openssl/evp.h> | ||
518 | -typedef EVP_MD_CTX MD5_CONTEXT; | ||
519 | +#include <ssl_compat.h> | ||
520 | |||
521 | -static void md5_init(MD5_CONTEXT *context) | ||
522 | +static void md5_init(EVP_MD_CTX *context) | ||
523 | { | ||
524 | EVP_MD_CTX_init(context); | ||
525 | #ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW | ||
526 | @@ -70,17 +63,12 @@ static void md5_init(MD5_CONTEXT *context) | ||
527 | EVP_DigestInit_ex(context, EVP_md5(), NULL); | ||
528 | } | ||
529 | |||
530 | -static void md5_init_fast(MD5_CONTEXT *context) | ||
531 | -{ | ||
532 | - md5_init(context); | ||
533 | -} | ||
534 | - | ||
535 | -static void md5_input(MD5_CONTEXT *context, const uchar *buf, unsigned len) | ||
536 | +static void md5_input(EVP_MD_CTX *context, const uchar *buf, unsigned len) | ||
537 | { | ||
538 | EVP_DigestUpdate(context, buf, len); | ||
539 | } | ||
540 | |||
541 | -static void md5_result(MD5_CONTEXT *context, uchar digest[MD5_HASH_SIZE]) | ||
542 | +static void md5_result(EVP_MD_CTX *context, uchar digest[MD5_HASH_SIZE]) | ||
543 | { | ||
544 | EVP_DigestFinal_ex(context, digest, NULL); | ||
545 | EVP_MD_CTX_cleanup(context); | ||
546 | @@ -99,58 +87,58 @@ static void md5_result(MD5_CONTEXT *context, uchar digest[MD5_HASH_SIZE]) | ||
547 | */ | ||
548 | void my_md5(uchar *digest, const char *buf, size_t len) | ||
549 | { | ||
550 | - MD5_CONTEXT md5_context; | ||
551 | - | ||
552 | - md5_init_fast(&md5_context); | ||
553 | - md5_input(&md5_context, (const uchar *)buf, len); | ||
554 | - md5_result(&md5_context, digest); | ||
555 | + char ctx_buf[EVP_MD_CTX_SIZE]; | ||
556 | + EVP_MD_CTX * const ctx= (EVP_MD_CTX*)ctx_buf; | ||
557 | + md5_init(ctx); | ||
558 | + md5_input(ctx, (const uchar *)buf, len); | ||
559 | + md5_result(ctx, digest); | ||
560 | } | ||
561 | |||
562 | |||
563 | /** | ||
564 | Wrapper function to compute MD5 message digest for | ||
565 | - two messages in order to emulate md5(msg1, msg2). | ||
566 | + many messages, concatenated. | ||
567 | |||
568 | @param digest [out] Computed MD5 digest | ||
569 | @param buf1 [in] First message | ||
570 | @param len1 [in] Length of first message | ||
571 | - @param buf2 [in] Second message | ||
572 | - @param len2 [in] Length of second message | ||
573 | + ... | ||
574 | + @param bufN [in] NULL terminates the list of buf,len pairs. | ||
575 | |||
576 | @return void | ||
577 | */ | ||
578 | void my_md5_multi(uchar *digest, ...) | ||
579 | { | ||
580 | va_list args; | ||
581 | - va_start(args, digest); | ||
582 | - | ||
583 | - MD5_CONTEXT md5_context; | ||
584 | const uchar *str; | ||
585 | + char ctx_buf[EVP_MD_CTX_SIZE]; | ||
586 | + EVP_MD_CTX * const ctx= (EVP_MD_CTX*)ctx_buf; | ||
587 | + va_start(args, digest); | ||
588 | |||
589 | - md5_init_fast(&md5_context); | ||
590 | + md5_init(ctx); | ||
591 | for (str= va_arg(args, const uchar*); str; str= va_arg(args, const uchar*)) | ||
592 | - md5_input(&md5_context, str, va_arg(args, size_t)); | ||
593 | + md5_input(ctx, str, va_arg(args, size_t)); | ||
594 | |||
595 | - md5_result(&md5_context, digest); | ||
596 | + md5_result(ctx, digest); | ||
597 | va_end(args); | ||
598 | } | ||
599 | |||
600 | size_t my_md5_context_size() | ||
601 | { | ||
602 | - return sizeof(MD5_CONTEXT); | ||
603 | + return EVP_MD_CTX_SIZE; | ||
604 | } | ||
605 | |||
606 | void my_md5_init(void *context) | ||
607 | { | ||
608 | - md5_init((MD5_CONTEXT *)context); | ||
609 | + md5_init((EVP_MD_CTX *)context); | ||
610 | } | ||
611 | |||
612 | void my_md5_input(void *context, const uchar *buf, size_t len) | ||
613 | { | ||
614 | - md5_input((MD5_CONTEXT *)context, buf, len); | ||
615 | + md5_input((EVP_MD_CTX *)context, buf, len); | ||
616 | } | ||
617 | |||
618 | void my_md5_result(void *context, uchar *digest) | ||
619 | { | ||
620 | - md5_result((MD5_CONTEXT *)context, digest); | ||
621 | + md5_result((EVP_MD_CTX *)context, digest); | ||
622 | } | ||
623 | diff --git a/mysys_ssl/openssl.c b/mysys_ssl/openssl.c | ||
624 | new file mode 100644 | ||
625 | index 0000000..a3f1ca2 | ||
626 | --- /dev/null | ||
627 | +++ b/mysys_ssl/openssl.c | ||
628 | @@ -0,0 +1,71 @@ | ||
629 | +/* | ||
630 | + Copyright (c) 2017, MariaDB Corporation. | ||
631 | + | ||
632 | + This program is free software; you can redistribute it and/or modify | ||
633 | + it under the terms of the GNU General Public License as published by | ||
634 | + the Free Software Foundation; version 2 of the License. | ||
635 | + | ||
636 | + This program is distributed in the hope that it will be useful, | ||
637 | + but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
638 | + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
639 | + GNU General Public License for more details. | ||
640 | + | ||
641 | + You should have received a copy of the GNU General Public License | ||
642 | + along with this program; if not, write to the Free Software | ||
643 | + Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */ | ||
644 | + | ||
645 | +#include <my_global.h> | ||
646 | +#include <ssl_compat.h> | ||
647 | + | ||
648 | +#ifdef HAVE_YASSL | ||
649 | + | ||
650 | +int check_openssl_compatibility() | ||
651 | +{ | ||
652 | + return 0; | ||
653 | +} | ||
654 | +#else | ||
655 | +#include <openssl/evp.h> | ||
656 | + | ||
657 | +#ifdef HAVE_OPENSSL11 | ||
658 | +typedef void *(*CRYPTO_malloc_t)(size_t, const char *, int); | ||
659 | +#endif | ||
660 | + | ||
661 | +#ifdef HAVE_OPENSSL10 | ||
662 | +typedef void *(*CRYPTO_malloc_t)(size_t); | ||
663 | +#define CRYPTO_malloc malloc | ||
664 | +#define CRYPTO_realloc realloc | ||
665 | +#define CRYPTO_free free | ||
666 | +#endif | ||
667 | + | ||
668 | +static uint allocated_size, allocated_count; | ||
669 | + | ||
670 | +static void *coc_malloc(size_t size) | ||
671 | +{ | ||
672 | + allocated_size+= size; | ||
673 | + allocated_count++; | ||
674 | + return malloc(size); | ||
675 | +} | ||
676 | + | ||
677 | +int check_openssl_compatibility() | ||
678 | +{ | ||
679 | + EVP_CIPHER_CTX *evp_ctx; | ||
680 | + EVP_MD_CTX *md5_ctx; | ||
681 | + | ||
682 | + CRYPTO_set_mem_functions((CRYPTO_malloc_t)coc_malloc, CRYPTO_realloc, CRYPTO_free); | ||
683 | + | ||
684 | + allocated_size= allocated_count= 0; | ||
685 | + evp_ctx= EVP_CIPHER_CTX_new(); | ||
686 | + EVP_CIPHER_CTX_free(evp_ctx); | ||
687 | + if (allocated_count != 1 || allocated_size > EVP_CIPHER_CTX_SIZE) | ||
688 | + return 1; | ||
689 | + | ||
690 | + allocated_size= allocated_count= 0; | ||
691 | + md5_ctx= EVP_MD_CTX_create(); | ||
692 | + EVP_MD_CTX_destroy(md5_ctx); | ||
693 | + if (allocated_count != 1 || allocated_size > EVP_MD_CTX_SIZE) | ||
694 | + return 1; | ||
695 | + | ||
696 | + CRYPTO_set_mem_functions(CRYPTO_malloc, CRYPTO_realloc, CRYPTO_free); | ||
697 | + return 0; | ||
698 | +} | ||
699 | +#endif | ||
700 | diff --git a/mysys_ssl/yassl.cc b/mysys_ssl/yassl.cc | ||
701 | index 9717870..aa5631f 100644 | ||
702 | --- a/mysys_ssl/yassl.cc | ||
703 | +++ b/mysys_ssl/yassl.cc | ||
704 | @@ -44,7 +44,6 @@ typedef struct | ||
705 | int buf_len; | ||
706 | int final_used; | ||
707 | uchar tao_buf[sizeof(TaoCrypt::AES)]; // TaoCrypt::AES object | ||
708 | - uchar oiv[TaoCrypt::AES::BLOCK_SIZE]; // original IV | ||
709 | uchar buf[TaoCrypt::AES::BLOCK_SIZE]; // last partial input block | ||
710 | uchar final[TaoCrypt::AES::BLOCK_SIZE]; // last decrypted (output) block | ||
711 | } EVP_CIPHER_CTX; | ||
712 | @@ -97,10 +96,7 @@ static int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, | ||
713 | : TaoCrypt::DECRYPTION, cipher->mode); | ||
714 | TAO(ctx)->SetKey(key, cipher->key_len); | ||
715 | if (iv) | ||
716 | - { | ||
717 | TAO(ctx)->SetIV(iv); | ||
718 | - memcpy(ctx->oiv, iv, TaoCrypt::AES::BLOCK_SIZE); | ||
719 | - } | ||
720 | ctx->encrypt= enc; | ||
721 | ctx->key_len= cipher->key_len; | ||
722 | ctx->flags|= cipher->mode == TaoCrypt::CBC ? EVP_CIPH_CBC_MODE : EVP_CIPH_ECB_MODE; | ||
723 | diff --git a/sql-common/client.c b/sql-common/client.c | ||
724 | index b7796ce..2518f66 100644 | ||
725 | --- a/sql-common/client.c | ||
726 | +++ b/sql-common/client.c | ||
727 | @@ -105,6 +105,7 @@ my_bool net_flush(NET *net); | ||
728 | #endif | ||
729 | |||
730 | #include "client_settings.h" | ||
731 | +#include <ssl_compat.h> | ||
732 | #include <sql_common.h> | ||
733 | #include <mysql/client_plugin.h> | ||
734 | #include <my_context.h> | ||
735 | @@ -1769,9 +1770,8 @@ mysql_get_ssl_cipher(MYSQL *mysql __attribute__((unused))) | ||
736 | |||
737 | #if defined(HAVE_OPENSSL) | ||
738 | |||
739 | -#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(HAVE_YASSL) | ||
740 | +#ifdef HAVE_X509_check_host | ||
741 | #include <openssl/x509v3.h> | ||
742 | -#define HAVE_X509_check_host | ||
743 | #endif | ||
744 | |||
745 | static int ssl_verify_server_cert(Vio *vio, const char* server_hostname, const char **errptr) | ||
746 | @@ -1843,7 +1843,7 @@ static int ssl_verify_server_cert(Vio *vio, const char* server_hostname, const c | ||
747 | goto error; | ||
748 | } | ||
749 | |||
750 | - cn= (char *) ASN1_STRING_data(cn_asn1); | ||
751 | + cn= (char *) ASN1_STRING_get0_data(cn_asn1); | ||
752 | |||
753 | if ((size_t)ASN1_STRING_length(cn_asn1) != strlen(cn)) | ||
754 | { | ||
755 | diff --git a/sql/mysqld.cc b/sql/mysqld.cc | ||
756 | index 3af8750..cc64205 100644 | ||
757 | --- a/sql/mysqld.cc | ||
758 | +++ b/sql/mysqld.cc | ||
759 | @@ -338,9 +338,13 @@ static PSI_thread_key key_thread_handle_con_sockets; | ||
760 | static PSI_thread_key key_thread_handle_shutdown; | ||
761 | #endif /* __WIN__ */ | ||
762 | |||
763 | -#if defined (HAVE_OPENSSL) && !defined(HAVE_YASSL) | ||
764 | +#ifdef HAVE_OPENSSL | ||
765 | +#include <ssl_compat.h> | ||
766 | + | ||
767 | +#ifdef HAVE_OPENSSL10 | ||
768 | static PSI_rwlock_key key_rwlock_openssl; | ||
769 | #endif | ||
770 | +#endif | ||
771 | #endif /* HAVE_PSI_INTERFACE */ | ||
772 | |||
773 | #ifdef HAVE_NPTL | ||
774 | @@ -987,7 +991,7 @@ PSI_rwlock_key key_rwlock_LOCK_grant, key_rwlock_LOCK_logger, | ||
775 | |||
776 | static PSI_rwlock_info all_server_rwlocks[]= | ||
777 | { | ||
778 | -#if defined (HAVE_OPENSSL) && !defined(HAVE_YASSL) | ||
779 | +#ifdef HAVE_OPENSSL10 | ||
780 | { &key_rwlock_openssl, "CRYPTO_dynlock_value::lock", 0}, | ||
781 | #endif | ||
782 | { &key_rwlock_LOCK_grant, "LOCK_grant", PSI_FLAG_GLOBAL}, | ||
783 | @@ -1457,7 +1461,7 @@ scheduler_functions *thread_scheduler= &thread_scheduler_struct, | ||
784 | |||
785 | #ifdef HAVE_OPENSSL | ||
786 | #include <openssl/crypto.h> | ||
787 | -#ifndef HAVE_YASSL | ||
788 | +#ifdef HAVE_OPENSSL10 | ||
789 | typedef struct CRYPTO_dynlock_value | ||
790 | { | ||
791 | mysql_rwlock_t lock; | ||
792 | @@ -1468,7 +1472,7 @@ static openssl_lock_t *openssl_dynlock_create(const char *, int); | ||
793 | static void openssl_dynlock_destroy(openssl_lock_t *, const char *, int); | ||
794 | static void openssl_lock_function(int, int, const char *, int); | ||
795 | static void openssl_lock(int, openssl_lock_t *, const char *, int); | ||
796 | -#endif | ||
797 | +#endif /* HAVE_OPENSSL10 */ | ||
798 | char *des_key_file; | ||
799 | #ifndef EMBEDDED_LIBRARY | ||
800 | struct st_VioSSLFd *ssl_acceptor_fd; | ||
801 | @@ -2244,11 +2248,11 @@ static void clean_up_mutexes() | ||
802 | mysql_mutex_destroy(&LOCK_global_index_stats); | ||
803 | #ifdef HAVE_OPENSSL | ||
804 | mysql_mutex_destroy(&LOCK_des_key_file); | ||
805 | -#ifndef HAVE_YASSL | ||
806 | +#ifdef HAVE_OPENSSL10 | ||
807 | for (int i= 0; i < CRYPTO_num_locks(); ++i) | ||
808 | mysql_rwlock_destroy(&openssl_stdlocks[i].lock); | ||
809 | OPENSSL_free(openssl_stdlocks); | ||
810 | -#endif /* HAVE_YASSL */ | ||
811 | +#endif /* HAVE_OPENSSL10 */ | ||
812 | #endif /* HAVE_OPENSSL */ | ||
813 | #ifdef HAVE_REPLICATION | ||
814 | mysql_mutex_destroy(&LOCK_rpl_status); | ||
815 | @@ -4057,6 +4061,14 @@ static int init_common_variables() | ||
816 | return 1; | ||
817 | } | ||
818 | |||
819 | +#ifdef HAVE_OPENSSL | ||
820 | + if (check_openssl_compatibility()) | ||
821 | + { | ||
822 | + sql_print_error("Incompatible OpenSSL version. Cannot continue..."); | ||
823 | + return 1; | ||
824 | + } | ||
825 | +#endif | ||
826 | + | ||
827 | if (init_thread_environment() || | ||
828 | mysql_init_variables()) | ||
829 | return 1; | ||
830 | @@ -4603,7 +4615,7 @@ static int init_thread_environment() | ||
831 | #ifdef HAVE_OPENSSL | ||
832 | mysql_mutex_init(key_LOCK_des_key_file, | ||
833 | &LOCK_des_key_file, MY_MUTEX_INIT_FAST); | ||
834 | -#ifndef HAVE_YASSL | ||
835 | +#ifdef HAVE_OPENSSL10 | ||
836 | openssl_stdlocks= (openssl_lock_t*) OPENSSL_malloc(CRYPTO_num_locks() * | ||
837 | sizeof(openssl_lock_t)); | ||
838 | for (int i= 0; i < CRYPTO_num_locks(); ++i) | ||
839 | @@ -4612,8 +4624,8 @@ static int init_thread_environment() | ||
840 | CRYPTO_set_dynlock_destroy_callback(openssl_dynlock_destroy); | ||
841 | CRYPTO_set_dynlock_lock_callback(openssl_lock); | ||
842 | CRYPTO_set_locking_callback(openssl_lock_function); | ||
843 | -#endif | ||
844 | -#endif | ||
845 | +#endif /* HAVE_OPENSSL10 */ | ||
846 | +#endif /* HAVE_OPENSSL */ | ||
847 | mysql_rwlock_init(key_rwlock_LOCK_sys_init_connect, &LOCK_sys_init_connect); | ||
848 | mysql_rwlock_init(key_rwlock_LOCK_sys_init_slave, &LOCK_sys_init_slave); | ||
849 | mysql_rwlock_init(key_rwlock_LOCK_grant, &LOCK_grant); | ||
850 | @@ -4646,7 +4658,7 @@ static int init_thread_environment() | ||
851 | } | ||
852 | |||
853 | |||
854 | -#if defined(HAVE_OPENSSL) && !defined(HAVE_YASSL) | ||
855 | +#ifdef HAVE_OPENSSL10 | ||
856 | static openssl_lock_t *openssl_dynlock_create(const char *file, int line) | ||
857 | { | ||
858 | openssl_lock_t *lock= new openssl_lock_t; | ||
859 | @@ -4706,8 +4718,7 @@ static void openssl_lock(int mode, openssl_lock_t *lock, const char *file, | ||
860 | abort(); | ||
861 | } | ||
862 | } | ||
863 | -#endif /* HAVE_OPENSSL */ | ||
864 | - | ||
865 | +#endif /* HAVE_OPENSSL10 */ | ||
866 | |||
867 | static void init_ssl() | ||
868 | { | ||
869 | diff --git a/sql/slave.cc b/sql/slave.cc | ||
870 | index db1c330..aec5143 100644 | ||
871 | --- a/sql/slave.cc | ||
872 | +++ b/sql/slave.cc | ||
873 | @@ -40,6 +40,7 @@ | ||
874 | #include <my_dir.h> | ||
875 | #include <sql_common.h> | ||
876 | #include <errmsg.h> | ||
877 | +#include <ssl_compat.h> | ||
878 | #include <mysqld_error.h> | ||
879 | #include <mysys_err.h> | ||
880 | #include "rpl_handler.h" | ||
881 | @@ -60,7 +61,6 @@ | ||
882 | #include "debug_sync.h" | ||
883 | #include "rpl_parallel.h" | ||
884 | |||
885 | - | ||
886 | #define FLAGSTR(V,F) ((V)&(F)?#F" ":"") | ||
887 | |||
888 | #define MAX_SLAVE_RETRY_PAUSE 5 | ||
889 | @@ -4507,9 +4507,7 @@ log space"); | ||
890 | |||
891 | DBUG_LEAVE; // Must match DBUG_ENTER() | ||
892 | my_thread_end(); | ||
893 | -#ifdef HAVE_OPENSSL | ||
894 | ERR_remove_state(0); | ||
895 | -#endif | ||
896 | pthread_exit(0); | ||
897 | return 0; // Avoid compiler warnings | ||
898 | } | ||
899 | @@ -5168,9 +5166,7 @@ pthread_handler_t handle_slave_sql(void *arg) | ||
900 | |||
901 | DBUG_LEAVE; // Must match DBUG_ENTER() | ||
902 | my_thread_end(); | ||
903 | -#ifdef HAVE_OPENSSL | ||
904 | ERR_remove_state(0); | ||
905 | -#endif | ||
906 | pthread_exit(0); | ||
907 | return 0; // Avoid compiler warnings | ||
908 | } | ||
909 | diff --git a/vio/vio.c b/vio/vio.c | ||
910 | index e3bc8ca..44d0609 100644 | ||
911 | --- a/vio/vio.c | ||
912 | +++ b/vio/vio.c | ||
913 | @@ -22,6 +22,7 @@ | ||
914 | */ | ||
915 | |||
916 | #include "vio_priv.h" | ||
917 | +#include "ssl_compat.h" | ||
918 | |||
919 | #ifdef _WIN32 | ||
920 | |||
921 | diff --git a/vio/viosslfactories.c b/vio/viosslfactories.c | ||
922 | index 52b624d..71ef287 100644 | ||
923 | --- a/vio/viosslfactories.c | ||
924 | +++ b/vio/viosslfactories.c | ||
925 | @@ -15,6 +15,7 @@ | ||
926 | Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */ | ||
927 | |||
928 | #include "vio_priv.h" | ||
929 | +#include <ssl_compat.h> | ||
930 | |||
931 | #ifdef HAVE_OPENSSL | ||
932 | #ifndef HAVE_YASSL | ||
933 | @@ -26,49 +27,56 @@ static my_bool ssl_algorithms_added = FALSE; | ||
934 | static my_bool ssl_error_strings_loaded= FALSE; | ||
935 | |||
936 | /* the function below was generated with "openssl dhparam -2 -C 2048" */ | ||
937 | + | ||
938 | static | ||
939 | DH *get_dh2048() | ||
940 | { | ||
941 | - static unsigned char dh2048_p[]={ | ||
942 | - 0xA1,0xBB,0x7C,0x20,0xC5,0x5B,0xC0,0x7B,0x21,0x8B,0xD6,0xA8, | ||
943 | - 0x15,0xFC,0x3B,0xBA,0xAB,0x9F,0xDF,0x68,0xC4,0x79,0x78,0x0D, | ||
944 | - 0xC1,0x12,0x64,0xE4,0x15,0xC9,0x66,0xDB,0xF6,0xCB,0xB3,0x39, | ||
945 | - 0x02,0x5B,0x78,0x62,0xFB,0x09,0xAE,0x09,0x6B,0xDD,0xD4,0x5D, | ||
946 | - 0x97,0xBC,0xDC,0x7F,0xE6,0xD6,0xF1,0xCB,0xF5,0xEB,0xDA,0xA7, | ||
947 | - 0x2E,0x5A,0x43,0x2B,0xE9,0x40,0xE2,0x85,0x00,0x1C,0xC0,0x0A, | ||
948 | - 0x98,0x77,0xA9,0x31,0xDE,0x0B,0x75,0x4D,0x1E,0x1F,0x16,0x83, | ||
949 | - 0xCA,0xDE,0xBD,0x21,0xFC,0xC1,0x82,0x37,0x36,0x33,0x0B,0x66, | ||
950 | - 0x06,0x3C,0xF3,0xAF,0x21,0x57,0x57,0x80,0xF6,0x94,0x1B,0xA9, | ||
951 | - 0xD4,0xF6,0x8F,0x18,0x62,0x0E,0xC4,0x22,0xF9,0x5B,0x62,0xCC, | ||
952 | - 0x3F,0x19,0x95,0xCF,0x4B,0x00,0xA6,0x6C,0x0B,0xAF,0x9F,0xD5, | ||
953 | - 0xFA,0x3D,0x6D,0xDA,0x30,0x83,0x07,0x91,0xAC,0x15,0xFF,0x8F, | ||
954 | - 0x59,0x54,0xEA,0x25,0xBC,0x4E,0xEB,0x6A,0x54,0xDF,0x75,0x09, | ||
955 | - 0x72,0x0F,0xEF,0x23,0x70,0xE0,0xA8,0x04,0xEA,0xFF,0x90,0x54, | ||
956 | - 0xCD,0x84,0x18,0xC0,0x75,0x91,0x99,0x0F,0xA1,0x78,0x0C,0x07, | ||
957 | - 0xB7,0xC5,0xDE,0x55,0x06,0x7B,0x95,0x68,0x2C,0x33,0x39,0xBC, | ||
958 | - 0x2C,0xD0,0x6D,0xDD,0xFA,0xDC,0xB5,0x8F,0x82,0x39,0xF8,0x67, | ||
959 | - 0x44,0xF1,0xD8,0xF7,0x78,0x11,0x9A,0x77,0x9B,0x53,0x47,0xD6, | ||
960 | - 0x2B,0x5D,0x67,0xB8,0xB7,0xBC,0xC1,0xD7,0x79,0x62,0x15,0xC2, | ||
961 | - 0xC5,0x83,0x97,0xA7,0xF8,0xB4,0x9C,0xF6,0x8F,0x9A,0xC7,0xDA, | ||
962 | - 0x1B,0xBB,0x87,0x07,0xA7,0x71,0xAD,0xB2,0x8A,0x50,0xF8,0x26, | ||
963 | - 0x12,0xB7,0x3E,0x0B, | ||
964 | - }; | ||
965 | - static unsigned char dh2048_g[]={ | ||
966 | - 0x02, | ||
967 | - }; | ||
968 | - DH *dh; | ||
969 | - | ||
970 | - if ((dh=DH_new()) == NULL) return(NULL); | ||
971 | - dh->p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL); | ||
972 | - dh->g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL); | ||
973 | - if ((dh->p == NULL) || (dh->g == NULL)) | ||
974 | - { DH_free(dh); return(NULL); } | ||
975 | - return(dh); | ||
976 | + static unsigned char dhp_2048[] = { | ||
977 | + 0xA1,0xBB,0x7C,0x20,0xC5,0x5B,0xC0,0x7B,0x21,0x8B,0xD6,0xA8, | ||
978 | + 0x15,0xFC,0x3B,0xBA,0xAB,0x9F,0xDF,0x68,0xC4,0x79,0x78,0x0D, | ||
979 | + 0xC1,0x12,0x64,0xE4,0x15,0xC9,0x66,0xDB,0xF6,0xCB,0xB3,0x39, | ||
980 | + 0x02,0x5B,0x78,0x62,0xFB,0x09,0xAE,0x09,0x6B,0xDD,0xD4,0x5D, | ||
981 | + 0x97,0xBC,0xDC,0x7F,0xE6,0xD6,0xF1,0xCB,0xF5,0xEB,0xDA,0xA7, | ||
982 | + 0x2E,0x5A,0x43,0x2B,0xE9,0x40,0xE2,0x85,0x00,0x1C,0xC0,0x0A, | ||
983 | + 0x98,0x77,0xA9,0x31,0xDE,0x0B,0x75,0x4D,0x1E,0x1F,0x16,0x83, | ||
984 | + 0xCA,0xDE,0xBD,0x21,0xFC,0xC1,0x82,0x37,0x36,0x33,0x0B,0x66, | ||
985 | + 0x06,0x3C,0xF3,0xAF,0x21,0x57,0x57,0x80,0xF6,0x94,0x1B,0xA9, | ||
986 | + 0xD4,0xF6,0x8F,0x18,0x62,0x0E,0xC4,0x22,0xF9,0x5B,0x62,0xCC, | ||
987 | + 0x3F,0x19,0x95,0xCF,0x4B,0x00,0xA6,0x6C,0x0B,0xAF,0x9F,0xD5, | ||
988 | + 0xFA,0x3D,0x6D,0xDA,0x30,0x83,0x07,0x91,0xAC,0x15,0xFF,0x8F, | ||
989 | + 0x59,0x54,0xEA,0x25,0xBC,0x4E,0xEB,0x6A,0x54,0xDF,0x75,0x09, | ||
990 | + 0x72,0x0F,0xEF,0x23,0x70,0xE0,0xA8,0x04,0xEA,0xFF,0x90,0x54, | ||
991 | + 0xCD,0x84,0x18,0xC0,0x75,0x91,0x99,0x0F,0xA1,0x78,0x0C,0x07, | ||
992 | + 0xB7,0xC5,0xDE,0x55,0x06,0x7B,0x95,0x68,0x2C,0x33,0x39,0xBC, | ||
993 | + 0x2C,0xD0,0x6D,0xDD,0xFA,0xDC,0xB5,0x8F,0x82,0x39,0xF8,0x67, | ||
994 | + 0x44,0xF1,0xD8,0xF7,0x78,0x11,0x9A,0x77,0x9B,0x53,0x47,0xD6, | ||
995 | + 0x2B,0x5D,0x67,0xB8,0xB7,0xBC,0xC1,0xD7,0x79,0x62,0x15,0xC2, | ||
996 | + 0xC5,0x83,0x97,0xA7,0xF8,0xB4,0x9C,0xF6,0x8F,0x9A,0xC7,0xDA, | ||
997 | + 0x1B,0xBB,0x87,0x07,0xA7,0x71,0xAD,0xB2,0x8A,0x50,0xF8,0x26, | ||
998 | + 0x12,0xB7,0x3E,0x0B, | ||
999 | + }; | ||
1000 | + static unsigned char dhg_2048[] = { | ||
1001 | + 0x02 | ||
1002 | + }; | ||
1003 | + DH *dh = DH_new(); | ||
1004 | + BIGNUM *dhp_bn, *dhg_bn; | ||
1005 | + | ||
1006 | + if (dh == NULL) | ||
1007 | + return NULL; | ||
1008 | + dhp_bn = BN_bin2bn(dhp_2048, sizeof (dhp_2048), NULL); | ||
1009 | + dhg_bn = BN_bin2bn(dhg_2048, sizeof (dhg_2048), NULL); | ||
1010 | + if (dhp_bn == NULL || dhg_bn == NULL | ||
1011 | + || !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) { | ||
1012 | + DH_free(dh); | ||
1013 | + BN_free(dhp_bn); | ||
1014 | + BN_free(dhg_bn); | ||
1015 | + return NULL; | ||
1016 | + } | ||
1017 | + return dh; | ||
1018 | } | ||
1019 | |||
1020 | - | ||
1021 | static const char* | ||
1022 | -ssl_error_string[] = | ||
1023 | +ssl_error_string[] = | ||
1024 | { | ||
1025 | "No error", | ||
1026 | "Unable to get certificate", | ||
1027 | @@ -148,9 +156,7 @@ static void check_ssl_init() | ||
1028 | if (!ssl_algorithms_added) | ||
1029 | { | ||
1030 | ssl_algorithms_added= TRUE; | ||
1031 | - SSL_library_init(); | ||
1032 | - OpenSSL_add_all_algorithms(); | ||
1033 | - | ||
1034 | + OPENSSL_init_ssl(0, NULL); | ||
1035 | } | ||
1036 | |||
1037 | if (!ssl_error_strings_loaded) |