Contents of /trunk/mariadb/patches/mariadb-10.1.34-openssl-1.1.patch
Parent Directory | Revision Log
Revision 3156 -
(show annotations)
(download)
Fri Jul 13 11:25:13 2018 UTC (6 years, 2 months ago) by niro
File size: 33709 byte(s)
Fri Jul 13 11:25:13 2018 UTC (6 years, 2 months ago) by niro
File size: 33709 byte(s)
-re-diffed for 10.1.34
1 | diff --git a/include/ssl_compat.h b/include/ssl_compat.h |
2 | new file mode 100644 |
3 | index 0000000..b0e3ed4 |
4 | --- /dev/null |
5 | +++ b/include/ssl_compat.h |
6 | @@ -0,0 +1,75 @@ |
7 | +/* |
8 | + Copyright (c) 2016, 2017 MariaDB Corporation |
9 | + |
10 | + This program is free software; you can redistribute it and/or modify |
11 | + it under the terms of the GNU General Public License as published by |
12 | + the Free Software Foundation; version 2 of the License. |
13 | + |
14 | + This program is distributed in the hope that it will be useful, |
15 | + but WITHOUT ANY WARRANTY; without even the implied warranty of |
16 | + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
17 | + GNU General Public License for more details. |
18 | + |
19 | + You should have received a copy of the GNU General Public License |
20 | + along with this program; if not, write to the Free Software |
21 | + Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */ |
22 | + |
23 | +#include <openssl/opensslv.h> |
24 | + |
25 | +/* OpenSSL version specific definitions */ |
26 | +#if !defined(HAVE_YASSL) && defined(OPENSSL_VERSION_NUMBER) |
27 | + |
28 | +#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER) |
29 | +#define HAVE_X509_check_host 1 |
30 | +#endif |
31 | + |
32 | +#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) |
33 | +#define HAVE_OPENSSL11 1 |
34 | +#define ERR_remove_state(X) ERR_clear_error() |
35 | +#define EVP_MD_CTX_cleanup(X) EVP_MD_CTX_reset(X) |
36 | +#define EVP_CIPHER_CTX_SIZE 168 |
37 | +#define EVP_MD_CTX_SIZE 48 |
38 | +#undef EVP_MD_CTX_init |
39 | +#define EVP_MD_CTX_init(X) do { bzero((X), EVP_MD_CTX_SIZE); EVP_MD_CTX_reset(X); } while(0) |
40 | +#undef EVP_CIPHER_CTX_init |
41 | +#define EVP_CIPHER_CTX_init(X) do { bzero((X), EVP_CIPHER_CTX_SIZE); EVP_CIPHER_CTX_reset(X); } while(0) |
42 | + |
43 | +#else |
44 | +#define HAVE_OPENSSL10 1 |
45 | +/* |
46 | + Unfortunately RAND_bytes manual page does not provide any guarantees |
47 | + in relation to blocking behavior. Here we explicitly use SSLeay random |
48 | + instead of whatever random engine is currently set in OpenSSL. That way |
49 | + we are guaranteed to have a non-blocking random. |
50 | +*/ |
51 | +#define RAND_OpenSSL() RAND_SSLeay() |
52 | + |
53 | +#ifdef HAVE_ERR_remove_thread_state |
54 | +#define ERR_remove_state(X) ERR_remove_thread_state(NULL) |
55 | +#endif /* HAVE_ERR_remove_thread_state */ |
56 | + |
57 | +#endif /* HAVE_OPENSSL11 */ |
58 | + |
59 | +#elif defined(HAVE_YASSL) |
60 | +#define BN_free(X) do { } while(0) |
61 | +#endif /* !defined(HAVE_YASSL) */ |
62 | + |
63 | +#ifndef HAVE_OPENSSL11 |
64 | +#define ASN1_STRING_get0_data(X) ASN1_STRING_data(X) |
65 | +#define OPENSSL_init_ssl(X,Y) SSL_library_init() |
66 | +#define DH_set0_pqg(D,P,Q,G) ((D)->p= (P), (D)->g= (G)) |
67 | +#define EVP_CIPHER_CTX_buf_noconst(ctx) ((ctx)->buf) |
68 | +#define EVP_CIPHER_CTX_encrypting(ctx) ((ctx)->encrypt) |
69 | +#define EVP_CIPHER_CTX_SIZE sizeof(EVP_CIPHER_CTX) |
70 | +#define EVP_MD_CTX_SIZE sizeof(EVP_MD_CTX) |
71 | +#endif |
72 | + |
73 | +#ifdef __cplusplus |
74 | +extern "C" { |
75 | +#endif /* __cplusplus */ |
76 | + |
77 | +int check_openssl_compatibility(); |
78 | + |
79 | +#ifdef __cplusplus |
80 | +} |
81 | +#endif |
82 | diff --git a/include/violite.h b/include/violite.h |
83 | index a7165ca..572d474 100644 |
84 | --- a/include/violite.h |
85 | +++ b/include/violite.h |
86 | @@ -123,13 +123,6 @@ int vio_getnameinfo(const struct sockaddr *sa, |
87 | int flags); |
88 | |
89 | #ifdef HAVE_OPENSSL |
90 | -#include <openssl/opensslv.h> |
91 | -#if OPENSSL_VERSION_NUMBER < 0x0090700f |
92 | -#define DES_cblock des_cblock |
93 | -#define DES_key_schedule des_key_schedule |
94 | -#define DES_set_key_unchecked(k,ks) des_set_key_unchecked((k),*(ks)) |
95 | -#define DES_ede3_cbc_encrypt(i,o,l,k1,k2,k3,iv,e) des_ede3_cbc_encrypt((i),(o),(l),*(k1),*(k2),*(k3),(iv),(e)) |
96 | -#endif |
97 | /* apple deprecated openssl in MacOSX Lion */ |
98 | #ifdef __APPLE__ |
99 | #pragma GCC diagnostic ignored "-Wdeprecated-declarations" |
100 | @@ -146,14 +139,10 @@ typedef my_socket YASSL_SOCKET_T; |
101 | #include <openssl/ssl.h> |
102 | #include <openssl/err.h> |
103 | |
104 | -#ifdef HAVE_ERR_remove_thread_state |
105 | -#define ERR_remove_state(X) ERR_remove_thread_state(NULL) |
106 | -#endif |
107 | - |
108 | enum enum_ssl_init_error |
109 | { |
110 | - SSL_INITERR_NOERROR= 0, SSL_INITERR_CERT, SSL_INITERR_KEY, |
111 | - SSL_INITERR_NOMATCH, SSL_INITERR_BAD_PATHS, SSL_INITERR_CIPHERS, |
112 | + SSL_INITERR_NOERROR= 0, SSL_INITERR_CERT, SSL_INITERR_KEY, |
113 | + SSL_INITERR_NOMATCH, SSL_INITERR_BAD_PATHS, SSL_INITERR_CIPHERS, |
114 | SSL_INITERR_MEMFAIL, SSL_INITERR_DH, SSL_INITERR_LASTERR |
115 | }; |
116 | const char* sslGetErrString(enum enum_ssl_init_error err); |
117 | diff --git a/mysql-test/include/require_openssl_client.inc b/mysql-test/include/require_openssl_client.inc |
118 | new file mode 100644 |
119 | index 0000000..9b19960 |
120 | --- /dev/null |
121 | +++ b/mysql-test/include/require_openssl_client.inc |
122 | @@ -0,0 +1,5 @@ |
123 | +if ($CLIENT_TLS_LIBRARY != "OpenSSL") { |
124 | + if ($CLIENT_TLS_LIBRARY != "LibreSSL") { |
125 | + skip "Test requires Connector/C with OpenSSL library"; |
126 | + } |
127 | +} |
128 | diff --git a/mysql-test/mysql-test-run.pl b/mysql-test/mysql-test-run.pl |
129 | index eaec51b..1b28469 100755 |
130 | --- a/mysql-test/mysql-test-run.pl |
131 | +++ b/mysql-test/mysql-test-run.pl |
132 | @@ -2307,6 +2307,11 @@ sub environment_setup { |
133 | $ENV{'MYSQL_PLUGIN'}= $exe_mysql_plugin; |
134 | $ENV{'MYSQL_EMBEDDED'}= $exe_mysql_embedded; |
135 | |
136 | + my $client_config_exe= |
137 | + native_path("$bindir/libmariadb/mariadb_config$opt_vs_config/mariadb_config"); |
138 | + my $tls_info= `$client_config_exe --tlsinfo`; |
139 | + ($ENV{CLIENT_TLS_LIBRARY},$ENV{CLIENT_TLS_LIBRARY_VERSION})= |
140 | + split(/ /, $tls_info, 2); |
141 | my $exe_mysqld= find_mysqld($basedir); |
142 | $ENV{'MYSQLD'}= $exe_mysqld; |
143 | my $extra_opts= join (" ", @opt_extra_mysqld_opt); |
144 | diff --git a/mysql-test/r/openssl_6975,tlsv10.result b/mysql-test/r/openssl_6975,tlsv10.result |
145 | index 7a4465f..202e7f4 100644 |
146 | --- a/mysql-test/r/openssl_6975,tlsv10.result |
147 | +++ b/mysql-test/r/openssl_6975,tlsv10.result |
148 | @@ -3,11 +3,11 @@ grant select on test.* to ssl_sslv3@localhost require cipher "AES128-SHA"; |
149 | create user ssl_tls12@localhost; |
150 | grant select on test.* to ssl_tls12@localhost require cipher "AES128-SHA256"; |
151 | TLS1.2 ciphers: user is ok with any cipher |
152 | -ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure |
153 | -ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure |
154 | +ERROR 2026 (HY000): SSL connection error: sslv3 alert handshake failure |
155 | +ERROR 2026 (HY000): SSL connection error: sslv3 alert handshake failure |
156 | TLS1.2 ciphers: user requires SSLv3 cipher AES128-SHA |
157 | -ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure |
158 | -ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure |
159 | +ERROR 2026 (HY000): SSL connection error: sslv3 alert handshake failure |
160 | +ERROR 2026 (HY000): SSL connection error: sslv3 alert handshake failure |
161 | TLS1.2 ciphers: user requires TLSv1.2 cipher AES128-SHA256 |
162 | ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure |
163 | ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure |
164 | diff --git a/mysql-test/t/openssl_6975.test b/mysql-test/t/openssl_6975.test |
165 | index 49889a3..6a82d01 100644 |
166 | --- a/mysql-test/t/openssl_6975.test |
167 | +++ b/mysql-test/t/openssl_6975.test |
168 | @@ -4,6 +4,7 @@ |
169 | # test SSLv3 and TLSv1.2 ciphers when OpenSSL is restricted to SSLv3 or TLSv1.2 |
170 | # |
171 | source include/have_ssl_communication.inc; |
172 | +source include/require_openssl_client.inc; |
173 | |
174 | # this is OpenSSL test. |
175 | |
176 | diff --git a/mysql-test/t/ssl_7937.test b/mysql-test/t/ssl_7937.test |
177 | index d593b9d..a764579 100644 |
178 | --- a/mysql-test/t/ssl_7937.test |
179 | +++ b/mysql-test/t/ssl_7937.test |
180 | @@ -26,6 +26,7 @@ create procedure have_ssl() |
181 | # we fake the test result for yassl |
182 | let yassl=`select variable_value='Unknown' from information_schema.session_status where variable_name='Ssl_session_cache_mode'`; |
183 | if (!$yassl) { |
184 | + --replace_result "self signed certificate in certificate chain" "Failed to verify the server certificate" "Error in the certificate." "Failed to verify the server certificate" |
185 | --exec $MYSQL --ssl --ssl-verify-server-cert -e "call test.have_ssl()" 2>&1 |
186 | } |
187 | if ($yassl) { |
188 | diff --git a/mysql-test/t/ssl_8k_key.test b/mysql-test/t/ssl_8k_key.test |
189 | index 27cffdc..9d5b382 100644 |
190 | --- a/mysql-test/t/ssl_8k_key.test |
191 | +++ b/mysql-test/t/ssl_8k_key.test |
192 | @@ -1,5 +1,5 @@ |
193 | -# This test should work in embedded server after we fix mysqltest |
194 | --- source include/not_embedded.inc |
195 | +# schannel does not support keys longer than 4k |
196 | +-- source include/not_windows.inc |
197 | |
198 | -- source include/have_ssl_communication.inc |
199 | # |
200 | diff --git a/mysys_ssl/CMakeLists.txt b/mysys_ssl/CMakeLists.txt |
201 | index 4f6f745..f8a767e 100644 |
202 | --- a/mysys_ssl/CMakeLists.txt |
203 | +++ b/mysys_ssl/CMakeLists.txt |
204 | @@ -28,6 +28,7 @@ SET(MYSYS_SSL_HIDDEN_SOURCES |
205 | my_sha384.cc |
206 | my_sha512.cc |
207 | my_md5.cc |
208 | + openssl.c |
209 | ) |
210 | |
211 | SET(MYSYS_SSL_SOURCES |
212 | diff --git a/mysys_ssl/my_crypt.cc b/mysys_ssl/my_crypt.cc |
213 | index 4393394..da60a10 100644 |
214 | --- a/mysys_ssl/my_crypt.cc |
215 | +++ b/mysys_ssl/my_crypt.cc |
216 | @@ -1,6 +1,6 @@ |
217 | /* |
218 | Copyright (c) 2014 Google Inc. |
219 | - Copyright (c) 2014, 2015 MariaDB Corporation |
220 | + Copyright (c) 2014, 2017 MariaDB Corporation |
221 | |
222 | This program is free software; you can redistribute it and/or modify |
223 | it under the terms of the GNU General Public License as published by |
224 | @@ -17,7 +17,6 @@ |
225 | |
226 | #include <my_global.h> |
227 | #include <string.h> |
228 | -#include <my_crypt.h> |
229 | |
230 | #ifdef HAVE_YASSL |
231 | #include "yassl.cc" |
232 | @@ -28,42 +27,53 @@ |
233 | #include <openssl/err.h> |
234 | #include <openssl/rand.h> |
235 | |
236 | -#ifdef HAVE_ERR_remove_thread_state |
237 | -#define ERR_remove_state(X) ERR_remove_thread_state(NULL) |
238 | +#include <openssl/rand.h> |
239 | #endif |
240 | |
241 | -#endif |
242 | +#include <my_crypt.h> |
243 | +#include <ssl_compat.h> |
244 | |
245 | class MyCTX |
246 | { |
247 | public: |
248 | - EVP_CIPHER_CTX ctx; |
249 | - MyCTX() { EVP_CIPHER_CTX_init(&ctx); } |
250 | - virtual ~MyCTX() { EVP_CIPHER_CTX_cleanup(&ctx); ERR_remove_state(0); } |
251 | + char ctx_buf[EVP_CIPHER_CTX_SIZE]; |
252 | + EVP_CIPHER_CTX *ctx; |
253 | + |
254 | + MyCTX() |
255 | + { |
256 | + ctx= (EVP_CIPHER_CTX *)ctx_buf; |
257 | + EVP_CIPHER_CTX_init(ctx); |
258 | + } |
259 | + virtual ~MyCTX() |
260 | + { |
261 | + EVP_CIPHER_CTX_cleanup(ctx); |
262 | + ERR_remove_state(0); |
263 | + } |
264 | |
265 | virtual int init(const EVP_CIPHER *cipher, int encrypt, const uchar *key, |
266 | uint klen, const uchar *iv, uint ivlen) |
267 | { |
268 | + compile_time_assert(MY_AES_CTX_SIZE >= sizeof(MyCTX)); |
269 | if (unlikely(!cipher)) |
270 | return MY_AES_BAD_KEYSIZE; |
271 | |
272 | - if (!EVP_CipherInit_ex(&ctx, cipher, NULL, key, iv, encrypt)) |
273 | + if (!EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, encrypt)) |
274 | return MY_AES_OPENSSL_ERROR; |
275 | |
276 | - DBUG_ASSERT(EVP_CIPHER_CTX_key_length(&ctx) == (int)klen); |
277 | - DBUG_ASSERT(EVP_CIPHER_CTX_iv_length(&ctx) <= (int)ivlen); |
278 | + DBUG_ASSERT(EVP_CIPHER_CTX_key_length(ctx) == (int)klen); |
279 | + DBUG_ASSERT(EVP_CIPHER_CTX_iv_length(ctx) <= (int)ivlen); |
280 | |
281 | return MY_AES_OK; |
282 | } |
283 | virtual int update(const uchar *src, uint slen, uchar *dst, uint *dlen) |
284 | { |
285 | - if (!EVP_CipherUpdate(&ctx, dst, (int*)dlen, src, slen)) |
286 | + if (!EVP_CipherUpdate(ctx, dst, (int*)dlen, src, slen)) |
287 | return MY_AES_OPENSSL_ERROR; |
288 | return MY_AES_OK; |
289 | } |
290 | virtual int finish(uchar *dst, uint *dlen) |
291 | { |
292 | - if (!EVP_CipherFinal_ex(&ctx, dst, (int*)dlen)) |
293 | + if (!EVP_CipherFinal_ex(ctx, dst, (int*)dlen)) |
294 | return MY_AES_BAD_DATA; |
295 | return MY_AES_OK; |
296 | } |
297 | @@ -73,7 +83,8 @@ class MyCTX_nopad : public MyCTX |
298 | { |
299 | public: |
300 | const uchar *key; |
301 | - int klen; |
302 | + uint klen, buf_len; |
303 | + uchar oiv[MY_AES_BLOCK_SIZE]; |
304 | |
305 | MyCTX_nopad() : MyCTX() { } |
306 | ~MyCTX_nopad() { } |
307 | @@ -84,32 +95,48 @@ class MyCTX_nopad : public MyCTX |
308 | compile_time_assert(MY_AES_CTX_SIZE >= sizeof(MyCTX_nopad)); |
309 | this->key= key; |
310 | this->klen= klen; |
311 | + this->buf_len= 0; |
312 | + memcpy(oiv, iv, ivlen); |
313 | + DBUG_ASSERT(ivlen == 0 || ivlen == sizeof(oiv)); |
314 | + |
315 | int res= MyCTX::init(cipher, encrypt, key, klen, iv, ivlen); |
316 | - memcpy(ctx.oiv, iv, ivlen); // in ECB mode OpenSSL doesn't do that itself |
317 | - EVP_CIPHER_CTX_set_padding(&ctx, 0); |
318 | + |
319 | + EVP_CIPHER_CTX_set_padding(ctx, 0); |
320 | return res; |
321 | } |
322 | |
323 | + int update(const uchar *src, uint slen, uchar *dst, uint *dlen) |
324 | + { |
325 | + buf_len+= slen; |
326 | + return MyCTX::update(src, slen, dst, dlen); |
327 | + } |
328 | + |
329 | int finish(uchar *dst, uint *dlen) |
330 | { |
331 | - if (ctx.buf_len) |
332 | + buf_len %= MY_AES_BLOCK_SIZE; |
333 | + if (buf_len) |
334 | { |
335 | + uchar *buf= EVP_CIPHER_CTX_buf_noconst(ctx); |
336 | /* |
337 | Not much we can do, block ciphers cannot encrypt data that aren't |
338 | a multiple of the block length. At least not without padding. |
339 | Let's do something CTR-like for the last partial block. |
340 | + |
341 | + NOTE this assumes that there are only buf_len bytes in the buf. |
342 | + If OpenSSL will change that, we'll need to change the implementation |
343 | + of this class too. |
344 | */ |
345 | uchar mask[MY_AES_BLOCK_SIZE]; |
346 | uint mlen; |
347 | |
348 | my_aes_crypt(MY_AES_ECB, ENCRYPTION_FLAG_ENCRYPT | ENCRYPTION_FLAG_NOPAD, |
349 | - ctx.oiv, sizeof(mask), mask, &mlen, key, klen, 0, 0); |
350 | + oiv, sizeof(mask), mask, &mlen, key, klen, 0, 0); |
351 | DBUG_ASSERT(mlen == sizeof(mask)); |
352 | |
353 | - for (int i=0; i < ctx.buf_len; i++) |
354 | - dst[i]= ctx.buf[i] ^ mask[i]; |
355 | + for (uint i=0; i < buf_len; i++) |
356 | + dst[i]= buf[i] ^ mask[i]; |
357 | } |
358 | - *dlen= ctx.buf_len; |
359 | + *dlen= buf_len; |
360 | return MY_AES_OK; |
361 | } |
362 | }; |
363 | @@ -153,7 +180,7 @@ class MyCTX_gcm : public MyCTX |
364 | { |
365 | compile_time_assert(MY_AES_CTX_SIZE >= sizeof(MyCTX_gcm)); |
366 | int res= MyCTX::init(cipher, encrypt, key, klen, iv, ivlen); |
367 | - int real_ivlen= EVP_CIPHER_CTX_iv_length(&ctx); |
368 | + int real_ivlen= EVP_CIPHER_CTX_iv_length(ctx); |
369 | aad= iv + real_ivlen; |
370 | aadlen= ivlen - real_ivlen; |
371 | return res; |
372 | @@ -167,15 +194,15 @@ class MyCTX_gcm : public MyCTX |
373 | before decrypting the data. it can encrypt data piecewise, like, first |
374 | half, then the second half, but it must decrypt all at once |
375 | */ |
376 | - if (!ctx.encrypt) |
377 | + if (!EVP_CIPHER_CTX_encrypting(ctx)) |
378 | { |
379 | slen-= MY_AES_BLOCK_SIZE; |
380 | - if(!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_TAG, MY_AES_BLOCK_SIZE, |
381 | + if(!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, MY_AES_BLOCK_SIZE, |
382 | (void*)(src + slen))) |
383 | return MY_AES_OPENSSL_ERROR; |
384 | } |
385 | int unused; |
386 | - if (aadlen && !EVP_CipherUpdate(&ctx, NULL, &unused, aad, aadlen)) |
387 | + if (aadlen && !EVP_CipherUpdate(ctx, NULL, &unused, aad, aadlen)) |
388 | return MY_AES_OPENSSL_ERROR; |
389 | aadlen= 0; |
390 | return MyCTX::update(src, slen, dst, dlen); |
391 | @@ -184,13 +211,13 @@ class MyCTX_gcm : public MyCTX |
392 | int finish(uchar *dst, uint *dlen) |
393 | { |
394 | int fin; |
395 | - if (!EVP_CipherFinal_ex(&ctx, dst, &fin)) |
396 | + if (!EVP_CipherFinal_ex(ctx, dst, &fin)) |
397 | return MY_AES_BAD_DATA; |
398 | DBUG_ASSERT(fin == 0); |
399 | |
400 | - if (ctx.encrypt) |
401 | + if (EVP_CIPHER_CTX_encrypting(ctx)) |
402 | { |
403 | - if(!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_GET_TAG, MY_AES_BLOCK_SIZE, dst)) |
404 | + if(!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, MY_AES_BLOCK_SIZE, dst)) |
405 | return MY_AES_OPENSSL_ERROR; |
406 | *dlen= MY_AES_BLOCK_SIZE; |
407 | } |
408 | @@ -258,12 +285,15 @@ int my_aes_crypt(enum my_aes_mode mode, int flags, |
409 | { |
410 | void *ctx= alloca(MY_AES_CTX_SIZE); |
411 | int res1, res2; |
412 | - uint d1, d2; |
413 | + uint d1= 0, d2; |
414 | if ((res1= my_aes_crypt_init(ctx, mode, flags, key, klen, iv, ivlen))) |
415 | return res1; |
416 | res1= my_aes_crypt_update(ctx, src, slen, dst, &d1); |
417 | res2= my_aes_crypt_finish(ctx, dst + d1, &d2); |
418 | - *dlen= d1 + d2; |
419 | + if (res1 || res2) |
420 | + ERR_remove_state(0); /* in case of failure clear error queue */ |
421 | + else |
422 | + *dlen= d1 + d2; |
423 | return res1 ? res1 : res2; |
424 | } |
425 | |
426 | diff --git a/mysys_ssl/my_md5.cc b/mysys_ssl/my_md5.cc |
427 | index 7139ea9..0105082 100644 |
428 | --- a/mysys_ssl/my_md5.cc |
429 | +++ b/mysys_ssl/my_md5.cc |
430 | @@ -1,5 +1,5 @@ |
431 | /* Copyright (c) 2012, Oracle and/or its affiliates. |
432 | - Copyright (c) 2014, SkySQL Ab. |
433 | + Copyright (c) 2017, MariaDB Corporation |
434 | |
435 | This program is free software; you can redistribute it and/or modify |
436 | it under the terms of the GNU General Public License as published by |
437 | @@ -29,38 +29,31 @@ |
438 | |
439 | #if defined(HAVE_YASSL) |
440 | #include "md5.hpp" |
441 | +#include <ssl_compat.h> |
442 | |
443 | -typedef TaoCrypt::MD5 MD5_CONTEXT; |
444 | +typedef TaoCrypt::MD5 EVP_MD_CTX; |
445 | |
446 | -static void md5_init(MD5_CONTEXT *context) |
447 | +static void md5_init(EVP_MD_CTX *context) |
448 | { |
449 | - context= new(context) MD5_CONTEXT; |
450 | + context= new(context) EVP_MD_CTX; |
451 | context->Init(); |
452 | } |
453 | |
454 | -/* |
455 | - this is a variant of md5_init to be used in this file only. |
456 | - does nothing for yassl, because the context's constructor was called automatically. |
457 | -*/ |
458 | -static void md5_init_fast(MD5_CONTEXT *context) |
459 | -{ |
460 | -} |
461 | - |
462 | -static void md5_input(MD5_CONTEXT *context, const uchar *buf, unsigned len) |
463 | +static void md5_input(EVP_MD_CTX *context, const uchar *buf, unsigned len) |
464 | { |
465 | context->Update((const TaoCrypt::byte *) buf, len); |
466 | } |
467 | |
468 | -static void md5_result(MD5_CONTEXT *context, uchar digest[MD5_HASH_SIZE]) |
469 | +static void md5_result(EVP_MD_CTX *context, uchar digest[MD5_HASH_SIZE]) |
470 | { |
471 | context->Final((TaoCrypt::byte *) digest); |
472 | } |
473 | |
474 | #elif defined(HAVE_OPENSSL) |
475 | #include <openssl/evp.h> |
476 | -typedef EVP_MD_CTX MD5_CONTEXT; |
477 | +#include <ssl_compat.h> |
478 | |
479 | -static void md5_init(MD5_CONTEXT *context) |
480 | +static void md5_init(EVP_MD_CTX *context) |
481 | { |
482 | EVP_MD_CTX_init(context); |
483 | #ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW |
484 | @@ -70,17 +63,12 @@ static void md5_init(MD5_CONTEXT *context) |
485 | EVP_DigestInit_ex(context, EVP_md5(), NULL); |
486 | } |
487 | |
488 | -static void md5_init_fast(MD5_CONTEXT *context) |
489 | -{ |
490 | - md5_init(context); |
491 | -} |
492 | - |
493 | -static void md5_input(MD5_CONTEXT *context, const uchar *buf, unsigned len) |
494 | +static void md5_input(EVP_MD_CTX *context, const uchar *buf, unsigned len) |
495 | { |
496 | EVP_DigestUpdate(context, buf, len); |
497 | } |
498 | |
499 | -static void md5_result(MD5_CONTEXT *context, uchar digest[MD5_HASH_SIZE]) |
500 | +static void md5_result(EVP_MD_CTX *context, uchar digest[MD5_HASH_SIZE]) |
501 | { |
502 | EVP_DigestFinal_ex(context, digest, NULL); |
503 | EVP_MD_CTX_cleanup(context); |
504 | @@ -99,58 +87,58 @@ static void md5_result(MD5_CONTEXT *context, uchar digest[MD5_HASH_SIZE]) |
505 | */ |
506 | void my_md5(uchar *digest, const char *buf, size_t len) |
507 | { |
508 | - MD5_CONTEXT md5_context; |
509 | - |
510 | - md5_init_fast(&md5_context); |
511 | - md5_input(&md5_context, (const uchar *)buf, len); |
512 | - md5_result(&md5_context, digest); |
513 | + char ctx_buf[EVP_MD_CTX_SIZE]; |
514 | + EVP_MD_CTX * const ctx= (EVP_MD_CTX*)ctx_buf; |
515 | + md5_init(ctx); |
516 | + md5_input(ctx, (const uchar *)buf, len); |
517 | + md5_result(ctx, digest); |
518 | } |
519 | |
520 | |
521 | /** |
522 | Wrapper function to compute MD5 message digest for |
523 | - two messages in order to emulate md5(msg1, msg2). |
524 | + many messages, concatenated. |
525 | |
526 | @param digest [out] Computed MD5 digest |
527 | @param buf1 [in] First message |
528 | @param len1 [in] Length of first message |
529 | - @param buf2 [in] Second message |
530 | - @param len2 [in] Length of second message |
531 | + ... |
532 | + @param bufN [in] NULL terminates the list of buf,len pairs. |
533 | |
534 | @return void |
535 | */ |
536 | void my_md5_multi(uchar *digest, ...) |
537 | { |
538 | va_list args; |
539 | - va_start(args, digest); |
540 | - |
541 | - MD5_CONTEXT md5_context; |
542 | const uchar *str; |
543 | + char ctx_buf[EVP_MD_CTX_SIZE]; |
544 | + EVP_MD_CTX * const ctx= (EVP_MD_CTX*)ctx_buf; |
545 | + va_start(args, digest); |
546 | |
547 | - md5_init_fast(&md5_context); |
548 | + md5_init(ctx); |
549 | for (str= va_arg(args, const uchar*); str; str= va_arg(args, const uchar*)) |
550 | - md5_input(&md5_context, str, va_arg(args, size_t)); |
551 | + md5_input(ctx, str, va_arg(args, size_t)); |
552 | |
553 | - md5_result(&md5_context, digest); |
554 | + md5_result(ctx, digest); |
555 | va_end(args); |
556 | } |
557 | |
558 | size_t my_md5_context_size() |
559 | { |
560 | - return sizeof(MD5_CONTEXT); |
561 | + return EVP_MD_CTX_SIZE; |
562 | } |
563 | |
564 | void my_md5_init(void *context) |
565 | { |
566 | - md5_init((MD5_CONTEXT *)context); |
567 | + md5_init((EVP_MD_CTX *)context); |
568 | } |
569 | |
570 | void my_md5_input(void *context, const uchar *buf, size_t len) |
571 | { |
572 | - md5_input((MD5_CONTEXT *)context, buf, len); |
573 | + md5_input((EVP_MD_CTX *)context, buf, len); |
574 | } |
575 | |
576 | void my_md5_result(void *context, uchar *digest) |
577 | { |
578 | - md5_result((MD5_CONTEXT *)context, digest); |
579 | + md5_result((EVP_MD_CTX *)context, digest); |
580 | } |
581 | diff --git a/mysys_ssl/openssl.c b/mysys_ssl/openssl.c |
582 | new file mode 100644 |
583 | index 0000000..a3f1ca2 |
584 | --- /dev/null |
585 | +++ b/mysys_ssl/openssl.c |
586 | @@ -0,0 +1,71 @@ |
587 | +/* |
588 | + Copyright (c) 2017, MariaDB Corporation. |
589 | + |
590 | + This program is free software; you can redistribute it and/or modify |
591 | + it under the terms of the GNU General Public License as published by |
592 | + the Free Software Foundation; version 2 of the License. |
593 | + |
594 | + This program is distributed in the hope that it will be useful, |
595 | + but WITHOUT ANY WARRANTY; without even the implied warranty of |
596 | + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
597 | + GNU General Public License for more details. |
598 | + |
599 | + You should have received a copy of the GNU General Public License |
600 | + along with this program; if not, write to the Free Software |
601 | + Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */ |
602 | + |
603 | +#include <my_global.h> |
604 | +#include <ssl_compat.h> |
605 | + |
606 | +#ifdef HAVE_YASSL |
607 | + |
608 | +int check_openssl_compatibility() |
609 | +{ |
610 | + return 0; |
611 | +} |
612 | +#else |
613 | +#include <openssl/evp.h> |
614 | + |
615 | +#ifdef HAVE_OPENSSL11 |
616 | +typedef void *(*CRYPTO_malloc_t)(size_t, const char *, int); |
617 | +#endif |
618 | + |
619 | +#ifdef HAVE_OPENSSL10 |
620 | +typedef void *(*CRYPTO_malloc_t)(size_t); |
621 | +#define CRYPTO_malloc malloc |
622 | +#define CRYPTO_realloc realloc |
623 | +#define CRYPTO_free free |
624 | +#endif |
625 | + |
626 | +static uint allocated_size, allocated_count; |
627 | + |
628 | +static void *coc_malloc(size_t size) |
629 | +{ |
630 | + allocated_size+= size; |
631 | + allocated_count++; |
632 | + return malloc(size); |
633 | +} |
634 | + |
635 | +int check_openssl_compatibility() |
636 | +{ |
637 | + EVP_CIPHER_CTX *evp_ctx; |
638 | + EVP_MD_CTX *md5_ctx; |
639 | + |
640 | + CRYPTO_set_mem_functions((CRYPTO_malloc_t)coc_malloc, CRYPTO_realloc, CRYPTO_free); |
641 | + |
642 | + allocated_size= allocated_count= 0; |
643 | + evp_ctx= EVP_CIPHER_CTX_new(); |
644 | + EVP_CIPHER_CTX_free(evp_ctx); |
645 | + if (allocated_count != 1 || allocated_size > EVP_CIPHER_CTX_SIZE) |
646 | + return 1; |
647 | + |
648 | + allocated_size= allocated_count= 0; |
649 | + md5_ctx= EVP_MD_CTX_create(); |
650 | + EVP_MD_CTX_destroy(md5_ctx); |
651 | + if (allocated_count != 1 || allocated_size > EVP_MD_CTX_SIZE) |
652 | + return 1; |
653 | + |
654 | + CRYPTO_set_mem_functions(CRYPTO_malloc, CRYPTO_realloc, CRYPTO_free); |
655 | + return 0; |
656 | +} |
657 | +#endif |
658 | diff --git a/mysys_ssl/yassl.cc b/mysys_ssl/yassl.cc |
659 | index e9f8e65..268589d 100644 |
660 | --- a/mysys_ssl/yassl.cc |
661 | +++ b/mysys_ssl/yassl.cc |
662 | @@ -45,7 +45,6 @@ typedef struct |
663 | int buf_len; |
664 | int final_used; |
665 | uchar tao_buf[sizeof(TaoCrypt::AES)]; // TaoCrypt::AES object |
666 | - uchar oiv[TaoCrypt::AES::BLOCK_SIZE]; // original IV |
667 | uchar buf[TaoCrypt::AES::BLOCK_SIZE]; // last partial input block |
668 | uchar final[TaoCrypt::AES::BLOCK_SIZE]; // last decrypted (output) block |
669 | } EVP_CIPHER_CTX; |
670 | @@ -98,10 +97,7 @@ static int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, |
671 | : TaoCrypt::DECRYPTION, cipher->mode); |
672 | TAO(ctx)->SetKey(key, cipher->key_len); |
673 | if (iv) |
674 | - { |
675 | TAO(ctx)->SetIV(iv); |
676 | - memcpy(ctx->oiv, iv, TaoCrypt::AES::BLOCK_SIZE); |
677 | - } |
678 | ctx->encrypt= enc; |
679 | ctx->key_len= cipher->key_len; |
680 | ctx->flags|= cipher->mode == TaoCrypt::CBC ? EVP_CIPH_CBC_MODE : EVP_CIPH_ECB_MODE; |
681 | diff --git a/sql-common/client.c b/sql-common/client.c |
682 | index da18a0f..e3280a1 100644 |
683 | --- a/sql-common/client.c |
684 | +++ b/sql-common/client.c |
685 | @@ -105,6 +105,7 @@ my_bool net_flush(NET *net); |
686 | #endif |
687 | |
688 | #include "client_settings.h" |
689 | +#include <ssl_compat.h> |
690 | #include <sql_common.h> |
691 | #include <mysql/client_plugin.h> |
692 | #include <my_context.h> |
693 | @@ -1770,9 +1771,8 @@ mysql_get_ssl_cipher(MYSQL *mysql __attribute__((unused))) |
694 | |
695 | #if defined(HAVE_OPENSSL) |
696 | |
697 | -#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(HAVE_YASSL) |
698 | +#ifdef HAVE_X509_check_host |
699 | #include <openssl/x509v3.h> |
700 | -#define HAVE_X509_check_host |
701 | #endif |
702 | |
703 | static int ssl_verify_server_cert(Vio *vio, const char* server_hostname, const char **errptr) |
704 | @@ -1844,7 +1844,7 @@ static int ssl_verify_server_cert(Vio *vio, const char* server_hostname, const c |
705 | goto error; |
706 | } |
707 | |
708 | - cn= (char *) ASN1_STRING_data(cn_asn1); |
709 | + cn= (char *) ASN1_STRING_get0_data(cn_asn1); |
710 | |
711 | if ((size_t)ASN1_STRING_length(cn_asn1) != strlen(cn)) |
712 | { |
713 | diff --git a/sql/mysqld.cc b/sql/mysqld.cc |
714 | index 0de9d7a..3a92192 100644 |
715 | --- a/sql/mysqld.cc |
716 | +++ b/sql/mysqld.cc |
717 | @@ -338,9 +338,13 @@ static PSI_thread_key key_thread_handle_con_sockets; |
718 | static PSI_thread_key key_thread_handle_shutdown; |
719 | #endif /* __WIN__ */ |
720 | |
721 | -#if defined (HAVE_OPENSSL) && !defined(HAVE_YASSL) |
722 | +#ifdef HAVE_OPENSSL |
723 | +#include <ssl_compat.h> |
724 | + |
725 | +#ifdef HAVE_OPENSSL10 |
726 | static PSI_rwlock_key key_rwlock_openssl; |
727 | #endif |
728 | +#endif |
729 | #endif /* HAVE_PSI_INTERFACE */ |
730 | |
731 | #ifdef HAVE_NPTL |
732 | @@ -987,7 +991,7 @@ PSI_rwlock_key key_rwlock_LOCK_grant, key_rwlock_LOCK_logger, |
733 | |
734 | static PSI_rwlock_info all_server_rwlocks[]= |
735 | { |
736 | -#if defined (HAVE_OPENSSL) && !defined(HAVE_YASSL) |
737 | +#ifdef HAVE_OPENSSL10 |
738 | { &key_rwlock_openssl, "CRYPTO_dynlock_value::lock", 0}, |
739 | #endif |
740 | { &key_rwlock_LOCK_grant, "LOCK_grant", PSI_FLAG_GLOBAL}, |
741 | @@ -1457,7 +1461,7 @@ scheduler_functions *thread_scheduler= &thread_scheduler_struct, |
742 | |
743 | #ifdef HAVE_OPENSSL |
744 | #include <openssl/crypto.h> |
745 | -#ifndef HAVE_YASSL |
746 | +#ifdef HAVE_OPENSSL10 |
747 | typedef struct CRYPTO_dynlock_value |
748 | { |
749 | mysql_rwlock_t lock; |
750 | @@ -1468,7 +1472,7 @@ static openssl_lock_t *openssl_dynlock_create(const char *, int); |
751 | static void openssl_dynlock_destroy(openssl_lock_t *, const char *, int); |
752 | static void openssl_lock_function(int, int, const char *, int); |
753 | static void openssl_lock(int, openssl_lock_t *, const char *, int); |
754 | -#endif |
755 | +#endif /* HAVE_OPENSSL10 */ |
756 | char *des_key_file; |
757 | #ifndef EMBEDDED_LIBRARY |
758 | struct st_VioSSLFd *ssl_acceptor_fd; |
759 | @@ -2244,11 +2248,11 @@ static void clean_up_mutexes() |
760 | mysql_mutex_destroy(&LOCK_global_index_stats); |
761 | #ifdef HAVE_OPENSSL |
762 | mysql_mutex_destroy(&LOCK_des_key_file); |
763 | -#ifndef HAVE_YASSL |
764 | +#ifdef HAVE_OPENSSL10 |
765 | for (int i= 0; i < CRYPTO_num_locks(); ++i) |
766 | mysql_rwlock_destroy(&openssl_stdlocks[i].lock); |
767 | OPENSSL_free(openssl_stdlocks); |
768 | -#endif /* HAVE_YASSL */ |
769 | +#endif /* HAVE_OPENSSL10 */ |
770 | #endif /* HAVE_OPENSSL */ |
771 | #ifdef HAVE_REPLICATION |
772 | mysql_mutex_destroy(&LOCK_rpl_status); |
773 | @@ -4038,6 +4042,14 @@ static int init_common_variables() |
774 | return 1; |
775 | } |
776 | |
777 | +#ifdef HAVE_OPENSSL |
778 | + if (check_openssl_compatibility()) |
779 | + { |
780 | + sql_print_error("Incompatible OpenSSL version. Cannot continue..."); |
781 | + return 1; |
782 | + } |
783 | +#endif |
784 | + |
785 | if (init_thread_environment() || |
786 | mysql_init_variables()) |
787 | return 1; |
788 | @@ -4584,7 +4596,7 @@ static int init_thread_environment() |
789 | #ifdef HAVE_OPENSSL |
790 | mysql_mutex_init(key_LOCK_des_key_file, |
791 | &LOCK_des_key_file, MY_MUTEX_INIT_FAST); |
792 | -#ifndef HAVE_YASSL |
793 | +#ifdef HAVE_OPENSSL10 |
794 | openssl_stdlocks= (openssl_lock_t*) OPENSSL_malloc(CRYPTO_num_locks() * |
795 | sizeof(openssl_lock_t)); |
796 | for (int i= 0; i < CRYPTO_num_locks(); ++i) |
797 | @@ -4593,8 +4605,8 @@ static int init_thread_environment() |
798 | CRYPTO_set_dynlock_destroy_callback(openssl_dynlock_destroy); |
799 | CRYPTO_set_dynlock_lock_callback(openssl_lock); |
800 | CRYPTO_set_locking_callback(openssl_lock_function); |
801 | -#endif |
802 | -#endif |
803 | +#endif /* HAVE_OPENSSL10 */ |
804 | +#endif /* HAVE_OPENSSL */ |
805 | mysql_rwlock_init(key_rwlock_LOCK_sys_init_connect, &LOCK_sys_init_connect); |
806 | mysql_rwlock_init(key_rwlock_LOCK_sys_init_slave, &LOCK_sys_init_slave); |
807 | mysql_rwlock_init(key_rwlock_LOCK_grant, &LOCK_grant); |
808 | @@ -4627,7 +4639,7 @@ static int init_thread_environment() |
809 | } |
810 | |
811 | |
812 | -#if defined(HAVE_OPENSSL) && !defined(HAVE_YASSL) |
813 | +#ifdef HAVE_OPENSSL10 |
814 | static openssl_lock_t *openssl_dynlock_create(const char *file, int line) |
815 | { |
816 | openssl_lock_t *lock= new openssl_lock_t; |
817 | @@ -4687,8 +4699,7 @@ static void openssl_lock(int mode, openssl_lock_t *lock, const char *file, |
818 | abort(); |
819 | } |
820 | } |
821 | -#endif /* HAVE_OPENSSL */ |
822 | - |
823 | +#endif /* HAVE_OPENSSL10 */ |
824 | |
825 | static void init_ssl() |
826 | { |
827 | diff --git a/sql/slave.cc b/sql/slave.cc |
828 | index da394ff..2096ed1 100644 |
829 | --- a/sql/slave.cc |
830 | +++ b/sql/slave.cc |
831 | @@ -40,6 +40,7 @@ |
832 | #include <my_dir.h> |
833 | #include <sql_common.h> |
834 | #include <errmsg.h> |
835 | +#include <ssl_compat.h> |
836 | #include <mysqld_error.h> |
837 | #include <mysys_err.h> |
838 | #include "rpl_handler.h" |
839 | @@ -60,7 +61,6 @@ |
840 | #include "debug_sync.h" |
841 | #include "rpl_parallel.h" |
842 | |
843 | - |
844 | #define FLAGSTR(V,F) ((V)&(F)?#F" ":"") |
845 | |
846 | #define MAX_SLAVE_RETRY_PAUSE 5 |
847 | @@ -4506,9 +4506,7 @@ log space"); |
848 | |
849 | DBUG_LEAVE; // Must match DBUG_ENTER() |
850 | my_thread_end(); |
851 | -#ifdef HAVE_OPENSSL |
852 | ERR_remove_state(0); |
853 | -#endif |
854 | pthread_exit(0); |
855 | return 0; // Avoid compiler warnings |
856 | } |
857 | @@ -5167,9 +5165,7 @@ pthread_handler_t handle_slave_sql(void *arg) |
858 | |
859 | DBUG_LEAVE; // Must match DBUG_ENTER() |
860 | my_thread_end(); |
861 | -#ifdef HAVE_OPENSSL |
862 | ERR_remove_state(0); |
863 | -#endif |
864 | pthread_exit(0); |
865 | return 0; // Avoid compiler warnings |
866 | } |
867 | diff --git a/vio/vio.c b/vio/vio.c |
868 | index e3bc8ca..44d0609 100644 |
869 | --- a/vio/vio.c |
870 | +++ b/vio/vio.c |
871 | @@ -22,6 +22,7 @@ |
872 | */ |
873 | |
874 | #include "vio_priv.h" |
875 | +#include "ssl_compat.h" |
876 | |
877 | #ifdef _WIN32 |
878 | |
879 | diff --git a/vio/viosslfactories.c b/vio/viosslfactories.c |
880 | index 52b624d..71ef287 100644 |
881 | --- a/vio/viosslfactories.c |
882 | +++ b/vio/viosslfactories.c |
883 | @@ -15,6 +15,7 @@ |
884 | Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */ |
885 | |
886 | #include "vio_priv.h" |
887 | +#include <ssl_compat.h> |
888 | |
889 | #ifdef HAVE_OPENSSL |
890 | #ifndef HAVE_YASSL |
891 | @@ -26,49 +27,56 @@ static my_bool ssl_algorithms_added = FALSE; |
892 | static my_bool ssl_error_strings_loaded= FALSE; |
893 | |
894 | /* the function below was generated with "openssl dhparam -2 -C 2048" */ |
895 | + |
896 | static |
897 | DH *get_dh2048() |
898 | { |
899 | - static unsigned char dh2048_p[]={ |
900 | - 0xA1,0xBB,0x7C,0x20,0xC5,0x5B,0xC0,0x7B,0x21,0x8B,0xD6,0xA8, |
901 | - 0x15,0xFC,0x3B,0xBA,0xAB,0x9F,0xDF,0x68,0xC4,0x79,0x78,0x0D, |
902 | - 0xC1,0x12,0x64,0xE4,0x15,0xC9,0x66,0xDB,0xF6,0xCB,0xB3,0x39, |
903 | - 0x02,0x5B,0x78,0x62,0xFB,0x09,0xAE,0x09,0x6B,0xDD,0xD4,0x5D, |
904 | - 0x97,0xBC,0xDC,0x7F,0xE6,0xD6,0xF1,0xCB,0xF5,0xEB,0xDA,0xA7, |
905 | - 0x2E,0x5A,0x43,0x2B,0xE9,0x40,0xE2,0x85,0x00,0x1C,0xC0,0x0A, |
906 | - 0x98,0x77,0xA9,0x31,0xDE,0x0B,0x75,0x4D,0x1E,0x1F,0x16,0x83, |
907 | - 0xCA,0xDE,0xBD,0x21,0xFC,0xC1,0x82,0x37,0x36,0x33,0x0B,0x66, |
908 | - 0x06,0x3C,0xF3,0xAF,0x21,0x57,0x57,0x80,0xF6,0x94,0x1B,0xA9, |
909 | - 0xD4,0xF6,0x8F,0x18,0x62,0x0E,0xC4,0x22,0xF9,0x5B,0x62,0xCC, |
910 | - 0x3F,0x19,0x95,0xCF,0x4B,0x00,0xA6,0x6C,0x0B,0xAF,0x9F,0xD5, |
911 | - 0xFA,0x3D,0x6D,0xDA,0x30,0x83,0x07,0x91,0xAC,0x15,0xFF,0x8F, |
912 | - 0x59,0x54,0xEA,0x25,0xBC,0x4E,0xEB,0x6A,0x54,0xDF,0x75,0x09, |
913 | - 0x72,0x0F,0xEF,0x23,0x70,0xE0,0xA8,0x04,0xEA,0xFF,0x90,0x54, |
914 | - 0xCD,0x84,0x18,0xC0,0x75,0x91,0x99,0x0F,0xA1,0x78,0x0C,0x07, |
915 | - 0xB7,0xC5,0xDE,0x55,0x06,0x7B,0x95,0x68,0x2C,0x33,0x39,0xBC, |
916 | - 0x2C,0xD0,0x6D,0xDD,0xFA,0xDC,0xB5,0x8F,0x82,0x39,0xF8,0x67, |
917 | - 0x44,0xF1,0xD8,0xF7,0x78,0x11,0x9A,0x77,0x9B,0x53,0x47,0xD6, |
918 | - 0x2B,0x5D,0x67,0xB8,0xB7,0xBC,0xC1,0xD7,0x79,0x62,0x15,0xC2, |
919 | - 0xC5,0x83,0x97,0xA7,0xF8,0xB4,0x9C,0xF6,0x8F,0x9A,0xC7,0xDA, |
920 | - 0x1B,0xBB,0x87,0x07,0xA7,0x71,0xAD,0xB2,0x8A,0x50,0xF8,0x26, |
921 | - 0x12,0xB7,0x3E,0x0B, |
922 | - }; |
923 | - static unsigned char dh2048_g[]={ |
924 | - 0x02, |
925 | - }; |
926 | - DH *dh; |
927 | - |
928 | - if ((dh=DH_new()) == NULL) return(NULL); |
929 | - dh->p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL); |
930 | - dh->g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL); |
931 | - if ((dh->p == NULL) || (dh->g == NULL)) |
932 | - { DH_free(dh); return(NULL); } |
933 | - return(dh); |
934 | + static unsigned char dhp_2048[] = { |
935 | + 0xA1,0xBB,0x7C,0x20,0xC5,0x5B,0xC0,0x7B,0x21,0x8B,0xD6,0xA8, |
936 | + 0x15,0xFC,0x3B,0xBA,0xAB,0x9F,0xDF,0x68,0xC4,0x79,0x78,0x0D, |
937 | + 0xC1,0x12,0x64,0xE4,0x15,0xC9,0x66,0xDB,0xF6,0xCB,0xB3,0x39, |
938 | + 0x02,0x5B,0x78,0x62,0xFB,0x09,0xAE,0x09,0x6B,0xDD,0xD4,0x5D, |
939 | + 0x97,0xBC,0xDC,0x7F,0xE6,0xD6,0xF1,0xCB,0xF5,0xEB,0xDA,0xA7, |
940 | + 0x2E,0x5A,0x43,0x2B,0xE9,0x40,0xE2,0x85,0x00,0x1C,0xC0,0x0A, |
941 | + 0x98,0x77,0xA9,0x31,0xDE,0x0B,0x75,0x4D,0x1E,0x1F,0x16,0x83, |
942 | + 0xCA,0xDE,0xBD,0x21,0xFC,0xC1,0x82,0x37,0x36,0x33,0x0B,0x66, |
943 | + 0x06,0x3C,0xF3,0xAF,0x21,0x57,0x57,0x80,0xF6,0x94,0x1B,0xA9, |
944 | + 0xD4,0xF6,0x8F,0x18,0x62,0x0E,0xC4,0x22,0xF9,0x5B,0x62,0xCC, |
945 | + 0x3F,0x19,0x95,0xCF,0x4B,0x00,0xA6,0x6C,0x0B,0xAF,0x9F,0xD5, |
946 | + 0xFA,0x3D,0x6D,0xDA,0x30,0x83,0x07,0x91,0xAC,0x15,0xFF,0x8F, |
947 | + 0x59,0x54,0xEA,0x25,0xBC,0x4E,0xEB,0x6A,0x54,0xDF,0x75,0x09, |
948 | + 0x72,0x0F,0xEF,0x23,0x70,0xE0,0xA8,0x04,0xEA,0xFF,0x90,0x54, |
949 | + 0xCD,0x84,0x18,0xC0,0x75,0x91,0x99,0x0F,0xA1,0x78,0x0C,0x07, |
950 | + 0xB7,0xC5,0xDE,0x55,0x06,0x7B,0x95,0x68,0x2C,0x33,0x39,0xBC, |
951 | + 0x2C,0xD0,0x6D,0xDD,0xFA,0xDC,0xB5,0x8F,0x82,0x39,0xF8,0x67, |
952 | + 0x44,0xF1,0xD8,0xF7,0x78,0x11,0x9A,0x77,0x9B,0x53,0x47,0xD6, |
953 | + 0x2B,0x5D,0x67,0xB8,0xB7,0xBC,0xC1,0xD7,0x79,0x62,0x15,0xC2, |
954 | + 0xC5,0x83,0x97,0xA7,0xF8,0xB4,0x9C,0xF6,0x8F,0x9A,0xC7,0xDA, |
955 | + 0x1B,0xBB,0x87,0x07,0xA7,0x71,0xAD,0xB2,0x8A,0x50,0xF8,0x26, |
956 | + 0x12,0xB7,0x3E,0x0B, |
957 | + }; |
958 | + static unsigned char dhg_2048[] = { |
959 | + 0x02 |
960 | + }; |
961 | + DH *dh = DH_new(); |
962 | + BIGNUM *dhp_bn, *dhg_bn; |
963 | + |
964 | + if (dh == NULL) |
965 | + return NULL; |
966 | + dhp_bn = BN_bin2bn(dhp_2048, sizeof (dhp_2048), NULL); |
967 | + dhg_bn = BN_bin2bn(dhg_2048, sizeof (dhg_2048), NULL); |
968 | + if (dhp_bn == NULL || dhg_bn == NULL |
969 | + || !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) { |
970 | + DH_free(dh); |
971 | + BN_free(dhp_bn); |
972 | + BN_free(dhg_bn); |
973 | + return NULL; |
974 | + } |
975 | + return dh; |
976 | } |
977 | |
978 | - |
979 | static const char* |
980 | -ssl_error_string[] = |
981 | +ssl_error_string[] = |
982 | { |
983 | "No error", |
984 | "Unable to get certificate", |
985 | @@ -148,9 +156,7 @@ static void check_ssl_init() |
986 | if (!ssl_algorithms_added) |
987 | { |
988 | ssl_algorithms_added= TRUE; |
989 | - SSL_library_init(); |
990 | - OpenSSL_add_all_algorithms(); |
991 | - |
992 | + OPENSSL_init_ssl(0, NULL); |
993 | } |
994 | |
995 | if (!ssl_error_strings_loaded) |