Contents of /trunk/mariadb/patches/mariadb-10.1.37-openssl-1.1.patch
Parent Directory
| 
Revision Log
Revision 3318 -
(show annotations)
(download)
Tue Mar 12 14:08:59 2019 UTC (5 years, 1 month ago) by niro
File size: 34201 byte(s)
Tue Mar 12 14:08:59 2019 UTC (5 years, 1 month ago) by niro
File size: 34201 byte(s)
-updated openssl patch
| 1 | diff --git a/cmake/ssl.cmake b/cmake/ssl.cmake |
| 2 | index 24e18600402..6fac749fd13 100644 |
| 3 | --- a/cmake/ssl.cmake |
| 4 | +++ b/cmake/ssl.cmake |
| 5 | @@ -182,7 +182,7 @@ MACRO (MYSQL_CHECK_SSL) |
| 6 | HAVE_SHA512_DIGEST_LENGTH) |
| 7 | SET(CMAKE_REQUIRED_INCLUDES) |
| 8 | IF(OPENSSL_INCLUDE_DIR AND OPENSSL_LIBRARIES AND |
| 9 | - OPENSSL_MAJOR_VERSION STRLESS "101" AND |
| 10 | + OPENSSL_MAJOR_VERSION STRLESS "102" AND |
| 11 | CRYPTO_LIBRARY AND HAVE_SHA512_DIGEST_LENGTH) |
| 12 | |
| 13 | SET(SSL_SOURCES "") |
| 14 | diff --git a/include/ssl_compat.h b/include/ssl_compat.h |
| 15 | new file mode 100644 |
| 16 | index 0000000..b0e3ed4 |
| 17 | --- /dev/null |
| 18 | +++ b/include/ssl_compat.h |
| 19 | @@ -0,0 +1,75 @@ |
| 20 | +/* |
| 21 | + Copyright (c) 2016, 2017 MariaDB Corporation |
| 22 | + |
| 23 | + This program is free software; you can redistribute it and/or modify |
| 24 | + it under the terms of the GNU General Public License as published by |
| 25 | + the Free Software Foundation; version 2 of the License. |
| 26 | + |
| 27 | + This program is distributed in the hope that it will be useful, |
| 28 | + but WITHOUT ANY WARRANTY; without even the implied warranty of |
| 29 | + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| 30 | + GNU General Public License for more details. |
| 31 | + |
| 32 | + You should have received a copy of the GNU General Public License |
| 33 | + along with this program; if not, write to the Free Software |
| 34 | + Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */ |
| 35 | + |
| 36 | +#include <openssl/opensslv.h> |
| 37 | + |
| 38 | +/* OpenSSL version specific definitions */ |
| 39 | +#if !defined(HAVE_YASSL) && defined(OPENSSL_VERSION_NUMBER) |
| 40 | + |
| 41 | +#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER) |
| 42 | +#define HAVE_X509_check_host 1 |
| 43 | +#endif |
| 44 | + |
| 45 | +#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) |
| 46 | +#define HAVE_OPENSSL11 1 |
| 47 | +#define ERR_remove_state(X) ERR_clear_error() |
| 48 | +#define EVP_MD_CTX_cleanup(X) EVP_MD_CTX_reset(X) |
| 49 | +#define EVP_CIPHER_CTX_SIZE 168 |
| 50 | +#define EVP_MD_CTX_SIZE 48 |
| 51 | +#undef EVP_MD_CTX_init |
| 52 | +#define EVP_MD_CTX_init(X) do { bzero((X), EVP_MD_CTX_SIZE); EVP_MD_CTX_reset(X); } while(0) |
| 53 | +#undef EVP_CIPHER_CTX_init |
| 54 | +#define EVP_CIPHER_CTX_init(X) do { bzero((X), EVP_CIPHER_CTX_SIZE); EVP_CIPHER_CTX_reset(X); } while(0) |
| 55 | + |
| 56 | +#else |
| 57 | +#define HAVE_OPENSSL10 1 |
| 58 | +/* |
| 59 | + Unfortunately RAND_bytes manual page does not provide any guarantees |
| 60 | + in relation to blocking behavior. Here we explicitly use SSLeay random |
| 61 | + instead of whatever random engine is currently set in OpenSSL. That way |
| 62 | + we are guaranteed to have a non-blocking random. |
| 63 | +*/ |
| 64 | +#define RAND_OpenSSL() RAND_SSLeay() |
| 65 | + |
| 66 | +#ifdef HAVE_ERR_remove_thread_state |
| 67 | +#define ERR_remove_state(X) ERR_remove_thread_state(NULL) |
| 68 | +#endif /* HAVE_ERR_remove_thread_state */ |
| 69 | + |
| 70 | +#endif /* HAVE_OPENSSL11 */ |
| 71 | + |
| 72 | +#elif defined(HAVE_YASSL) |
| 73 | +#define BN_free(X) do { } while(0) |
| 74 | +#endif /* !defined(HAVE_YASSL) */ |
| 75 | + |
| 76 | +#ifndef HAVE_OPENSSL11 |
| 77 | +#define ASN1_STRING_get0_data(X) ASN1_STRING_data(X) |
| 78 | +#define OPENSSL_init_ssl(X,Y) SSL_library_init() |
| 79 | +#define DH_set0_pqg(D,P,Q,G) ((D)->p= (P), (D)->g= (G)) |
| 80 | +#define EVP_CIPHER_CTX_buf_noconst(ctx) ((ctx)->buf) |
| 81 | +#define EVP_CIPHER_CTX_encrypting(ctx) ((ctx)->encrypt) |
| 82 | +#define EVP_CIPHER_CTX_SIZE sizeof(EVP_CIPHER_CTX) |
| 83 | +#define EVP_MD_CTX_SIZE sizeof(EVP_MD_CTX) |
| 84 | +#endif |
| 85 | + |
| 86 | +#ifdef __cplusplus |
| 87 | +extern "C" { |
| 88 | +#endif /* __cplusplus */ |
| 89 | + |
| 90 | +int check_openssl_compatibility(); |
| 91 | + |
| 92 | +#ifdef __cplusplus |
| 93 | +} |
| 94 | +#endif |
| 95 | diff --git a/include/violite.h b/include/violite.h |
| 96 | index a7165ca..572d474 100644 |
| 97 | --- a/include/violite.h |
| 98 | +++ b/include/violite.h |
| 99 | @@ -123,13 +123,6 @@ int vio_getnameinfo(const struct sockaddr *sa, |
| 100 | int flags); |
| 101 | |
| 102 | #ifdef HAVE_OPENSSL |
| 103 | -#include <openssl/opensslv.h> |
| 104 | -#if OPENSSL_VERSION_NUMBER < 0x0090700f |
| 105 | -#define DES_cblock des_cblock |
| 106 | -#define DES_key_schedule des_key_schedule |
| 107 | -#define DES_set_key_unchecked(k,ks) des_set_key_unchecked((k),*(ks)) |
| 108 | -#define DES_ede3_cbc_encrypt(i,o,l,k1,k2,k3,iv,e) des_ede3_cbc_encrypt((i),(o),(l),*(k1),*(k2),*(k3),(iv),(e)) |
| 109 | -#endif |
| 110 | /* apple deprecated openssl in MacOSX Lion */ |
| 111 | #ifdef __APPLE__ |
| 112 | #pragma GCC diagnostic ignored "-Wdeprecated-declarations" |
| 113 | @@ -146,14 +139,10 @@ typedef my_socket YASSL_SOCKET_T; |
| 114 | #include <openssl/ssl.h> |
| 115 | #include <openssl/err.h> |
| 116 | |
| 117 | -#ifdef HAVE_ERR_remove_thread_state |
| 118 | -#define ERR_remove_state(X) ERR_remove_thread_state(NULL) |
| 119 | -#endif |
| 120 | - |
| 121 | enum enum_ssl_init_error |
| 122 | { |
| 123 | - SSL_INITERR_NOERROR= 0, SSL_INITERR_CERT, SSL_INITERR_KEY, |
| 124 | - SSL_INITERR_NOMATCH, SSL_INITERR_BAD_PATHS, SSL_INITERR_CIPHERS, |
| 125 | + SSL_INITERR_NOERROR= 0, SSL_INITERR_CERT, SSL_INITERR_KEY, |
| 126 | + SSL_INITERR_NOMATCH, SSL_INITERR_BAD_PATHS, SSL_INITERR_CIPHERS, |
| 127 | SSL_INITERR_MEMFAIL, SSL_INITERR_DH, SSL_INITERR_LASTERR |
| 128 | }; |
| 129 | const char* sslGetErrString(enum enum_ssl_init_error err); |
| 130 | diff --git a/mysql-test/include/require_openssl_client.inc b/mysql-test/include/require_openssl_client.inc |
| 131 | new file mode 100644 |
| 132 | index 0000000..9b19960 |
| 133 | --- /dev/null |
| 134 | +++ b/mysql-test/include/require_openssl_client.inc |
| 135 | @@ -0,0 +1,5 @@ |
| 136 | +if ($CLIENT_TLS_LIBRARY != "OpenSSL") { |
| 137 | + if ($CLIENT_TLS_LIBRARY != "LibreSSL") { |
| 138 | + skip "Test requires Connector/C with OpenSSL library"; |
| 139 | + } |
| 140 | +} |
| 141 | diff --git a/mysql-test/mysql-test-run.pl b/mysql-test/mysql-test-run.pl |
| 142 | index eaec51b..1b28469 100755 |
| 143 | --- a/mysql-test/mysql-test-run.pl |
| 144 | +++ b/mysql-test/mysql-test-run.pl |
| 145 | @@ -2307,6 +2307,11 @@ sub environment_setup { |
| 146 | $ENV{'MYSQL_PLUGIN'}= $exe_mysql_plugin; |
| 147 | $ENV{'MYSQL_EMBEDDED'}= $exe_mysql_embedded; |
| 148 | |
| 149 | + my $client_config_exe= |
| 150 | + native_path("$bindir/libmariadb/mariadb_config$opt_vs_config/mariadb_config"); |
| 151 | + my $tls_info= `$client_config_exe --tlsinfo`; |
| 152 | + ($ENV{CLIENT_TLS_LIBRARY},$ENV{CLIENT_TLS_LIBRARY_VERSION})= |
| 153 | + split(/ /, $tls_info, 2); |
| 154 | my $exe_mysqld= find_mysqld($basedir); |
| 155 | $ENV{'MYSQLD'}= $exe_mysqld; |
| 156 | my $extra_opts= join (" ", @opt_extra_mysqld_opt); |
| 157 | diff --git a/mysql-test/r/openssl_6975,tlsv10.result b/mysql-test/r/openssl_6975,tlsv10.result |
| 158 | index 7a4465f..202e7f4 100644 |
| 159 | --- a/mysql-test/r/openssl_6975,tlsv10.result |
| 160 | +++ b/mysql-test/r/openssl_6975,tlsv10.result |
| 161 | @@ -3,11 +3,11 @@ grant select on test.* to ssl_sslv3@localhost require cipher "AES128-SHA"; |
| 162 | create user ssl_tls12@localhost; |
| 163 | grant select on test.* to ssl_tls12@localhost require cipher "AES128-SHA256"; |
| 164 | TLS1.2 ciphers: user is ok with any cipher |
| 165 | -ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure |
| 166 | -ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure |
| 167 | +ERROR 2026 (HY000): SSL connection error: sslv3 alert handshake failure |
| 168 | +ERROR 2026 (HY000): SSL connection error: sslv3 alert handshake failure |
| 169 | TLS1.2 ciphers: user requires SSLv3 cipher AES128-SHA |
| 170 | -ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure |
| 171 | -ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure |
| 172 | +ERROR 2026 (HY000): SSL connection error: sslv3 alert handshake failure |
| 173 | +ERROR 2026 (HY000): SSL connection error: sslv3 alert handshake failure |
| 174 | TLS1.2 ciphers: user requires TLSv1.2 cipher AES128-SHA256 |
| 175 | ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure |
| 176 | ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure |
| 177 | diff --git a/mysql-test/t/openssl_6975.test b/mysql-test/t/openssl_6975.test |
| 178 | index 49889a3..6a82d01 100644 |
| 179 | --- a/mysql-test/t/openssl_6975.test |
| 180 | +++ b/mysql-test/t/openssl_6975.test |
| 181 | @@ -4,6 +4,7 @@ |
| 182 | # test SSLv3 and TLSv1.2 ciphers when OpenSSL is restricted to SSLv3 or TLSv1.2 |
| 183 | # |
| 184 | source include/have_ssl_communication.inc; |
| 185 | +source include/require_openssl_client.inc; |
| 186 | |
| 187 | # this is OpenSSL test. |
| 188 | |
| 189 | diff --git a/mysql-test/t/ssl_7937.test b/mysql-test/t/ssl_7937.test |
| 190 | index d593b9d..a764579 100644 |
| 191 | --- a/mysql-test/t/ssl_7937.test |
| 192 | +++ b/mysql-test/t/ssl_7937.test |
| 193 | @@ -26,6 +26,7 @@ create procedure have_ssl() |
| 194 | # we fake the test result for yassl |
| 195 | let yassl=`select variable_value='Unknown' from information_schema.session_status where variable_name='Ssl_session_cache_mode'`; |
| 196 | if (!$yassl) { |
| 197 | + --replace_result "self signed certificate in certificate chain" "Failed to verify the server certificate" "Error in the certificate." "Failed to verify the server certificate" |
| 198 | --exec $MYSQL --ssl --ssl-verify-server-cert -e "call test.have_ssl()" 2>&1 |
| 199 | } |
| 200 | if ($yassl) { |
| 201 | diff --git a/mysql-test/t/ssl_8k_key.test b/mysql-test/t/ssl_8k_key.test |
| 202 | index 27cffdc..9d5b382 100644 |
| 203 | --- a/mysql-test/t/ssl_8k_key.test |
| 204 | +++ b/mysql-test/t/ssl_8k_key.test |
| 205 | @@ -1,5 +1,5 @@ |
| 206 | -# This test should work in embedded server after we fix mysqltest |
| 207 | --- source include/not_embedded.inc |
| 208 | +# schannel does not support keys longer than 4k |
| 209 | +-- source include/not_windows.inc |
| 210 | |
| 211 | -- source include/have_ssl_communication.inc |
| 212 | # |
| 213 | diff --git a/mysys_ssl/CMakeLists.txt b/mysys_ssl/CMakeLists.txt |
| 214 | index 4f6f745..f8a767e 100644 |
| 215 | --- a/mysys_ssl/CMakeLists.txt |
| 216 | +++ b/mysys_ssl/CMakeLists.txt |
| 217 | @@ -28,6 +28,7 @@ SET(MYSYS_SSL_HIDDEN_SOURCES |
| 218 | my_sha384.cc |
| 219 | my_sha512.cc |
| 220 | my_md5.cc |
| 221 | + openssl.c |
| 222 | ) |
| 223 | |
| 224 | SET(MYSYS_SSL_SOURCES |
| 225 | diff --git a/mysys_ssl/my_crypt.cc b/mysys_ssl/my_crypt.cc |
| 226 | index 4393394..da60a10 100644 |
| 227 | --- a/mysys_ssl/my_crypt.cc |
| 228 | +++ b/mysys_ssl/my_crypt.cc |
| 229 | @@ -1,6 +1,6 @@ |
| 230 | /* |
| 231 | Copyright (c) 2014 Google Inc. |
| 232 | - Copyright (c) 2014, 2015 MariaDB Corporation |
| 233 | + Copyright (c) 2014, 2017 MariaDB Corporation |
| 234 | |
| 235 | This program is free software; you can redistribute it and/or modify |
| 236 | it under the terms of the GNU General Public License as published by |
| 237 | @@ -17,7 +17,6 @@ |
| 238 | |
| 239 | #include <my_global.h> |
| 240 | #include <string.h> |
| 241 | -#include <my_crypt.h> |
| 242 | |
| 243 | #ifdef HAVE_YASSL |
| 244 | #include "yassl.cc" |
| 245 | @@ -28,42 +27,53 @@ |
| 246 | #include <openssl/err.h> |
| 247 | #include <openssl/rand.h> |
| 248 | |
| 249 | -#ifdef HAVE_ERR_remove_thread_state |
| 250 | -#define ERR_remove_state(X) ERR_remove_thread_state(NULL) |
| 251 | +#include <openssl/rand.h> |
| 252 | #endif |
| 253 | |
| 254 | -#endif |
| 255 | +#include <my_crypt.h> |
| 256 | +#include <ssl_compat.h> |
| 257 | |
| 258 | class MyCTX |
| 259 | { |
| 260 | public: |
| 261 | - EVP_CIPHER_CTX ctx; |
| 262 | - MyCTX() { EVP_CIPHER_CTX_init(&ctx); } |
| 263 | - virtual ~MyCTX() { EVP_CIPHER_CTX_cleanup(&ctx); ERR_remove_state(0); } |
| 264 | + char ctx_buf[EVP_CIPHER_CTX_SIZE]; |
| 265 | + EVP_CIPHER_CTX *ctx; |
| 266 | + |
| 267 | + MyCTX() |
| 268 | + { |
| 269 | + ctx= (EVP_CIPHER_CTX *)ctx_buf; |
| 270 | + EVP_CIPHER_CTX_init(ctx); |
| 271 | + } |
| 272 | + virtual ~MyCTX() |
| 273 | + { |
| 274 | + EVP_CIPHER_CTX_cleanup(ctx); |
| 275 | + ERR_remove_state(0); |
| 276 | + } |
| 277 | |
| 278 | virtual int init(const EVP_CIPHER *cipher, int encrypt, const uchar *key, |
| 279 | uint klen, const uchar *iv, uint ivlen) |
| 280 | { |
| 281 | + compile_time_assert(MY_AES_CTX_SIZE >= sizeof(MyCTX)); |
| 282 | if (unlikely(!cipher)) |
| 283 | return MY_AES_BAD_KEYSIZE; |
| 284 | |
| 285 | - if (!EVP_CipherInit_ex(&ctx, cipher, NULL, key, iv, encrypt)) |
| 286 | + if (!EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, encrypt)) |
| 287 | return MY_AES_OPENSSL_ERROR; |
| 288 | |
| 289 | - DBUG_ASSERT(EVP_CIPHER_CTX_key_length(&ctx) == (int)klen); |
| 290 | - DBUG_ASSERT(EVP_CIPHER_CTX_iv_length(&ctx) <= (int)ivlen); |
| 291 | + DBUG_ASSERT(EVP_CIPHER_CTX_key_length(ctx) == (int)klen); |
| 292 | + DBUG_ASSERT(EVP_CIPHER_CTX_iv_length(ctx) <= (int)ivlen); |
| 293 | |
| 294 | return MY_AES_OK; |
| 295 | } |
| 296 | virtual int update(const uchar *src, uint slen, uchar *dst, uint *dlen) |
| 297 | { |
| 298 | - if (!EVP_CipherUpdate(&ctx, dst, (int*)dlen, src, slen)) |
| 299 | + if (!EVP_CipherUpdate(ctx, dst, (int*)dlen, src, slen)) |
| 300 | return MY_AES_OPENSSL_ERROR; |
| 301 | return MY_AES_OK; |
| 302 | } |
| 303 | virtual int finish(uchar *dst, uint *dlen) |
| 304 | { |
| 305 | - if (!EVP_CipherFinal_ex(&ctx, dst, (int*)dlen)) |
| 306 | + if (!EVP_CipherFinal_ex(ctx, dst, (int*)dlen)) |
| 307 | return MY_AES_BAD_DATA; |
| 308 | return MY_AES_OK; |
| 309 | } |
| 310 | @@ -73,7 +83,8 @@ class MyCTX_nopad : public MyCTX |
| 311 | { |
| 312 | public: |
| 313 | const uchar *key; |
| 314 | - int klen; |
| 315 | + uint klen, buf_len; |
| 316 | + uchar oiv[MY_AES_BLOCK_SIZE]; |
| 317 | |
| 318 | MyCTX_nopad() : MyCTX() { } |
| 319 | ~MyCTX_nopad() { } |
| 320 | @@ -84,32 +95,48 @@ class MyCTX_nopad : public MyCTX |
| 321 | compile_time_assert(MY_AES_CTX_SIZE >= sizeof(MyCTX_nopad)); |
| 322 | this->key= key; |
| 323 | this->klen= klen; |
| 324 | + this->buf_len= 0; |
| 325 | + memcpy(oiv, iv, ivlen); |
| 326 | + DBUG_ASSERT(ivlen == 0 || ivlen == sizeof(oiv)); |
| 327 | + |
| 328 | int res= MyCTX::init(cipher, encrypt, key, klen, iv, ivlen); |
| 329 | - memcpy(ctx.oiv, iv, ivlen); // in ECB mode OpenSSL doesn't do that itself |
| 330 | - EVP_CIPHER_CTX_set_padding(&ctx, 0); |
| 331 | + |
| 332 | + EVP_CIPHER_CTX_set_padding(ctx, 0); |
| 333 | return res; |
| 334 | } |
| 335 | |
| 336 | + int update(const uchar *src, uint slen, uchar *dst, uint *dlen) |
| 337 | + { |
| 338 | + buf_len+= slen; |
| 339 | + return MyCTX::update(src, slen, dst, dlen); |
| 340 | + } |
| 341 | + |
| 342 | int finish(uchar *dst, uint *dlen) |
| 343 | { |
| 344 | - if (ctx.buf_len) |
| 345 | + buf_len %= MY_AES_BLOCK_SIZE; |
| 346 | + if (buf_len) |
| 347 | { |
| 348 | + uchar *buf= EVP_CIPHER_CTX_buf_noconst(ctx); |
| 349 | /* |
| 350 | Not much we can do, block ciphers cannot encrypt data that aren't |
| 351 | a multiple of the block length. At least not without padding. |
| 352 | Let's do something CTR-like for the last partial block. |
| 353 | + |
| 354 | + NOTE this assumes that there are only buf_len bytes in the buf. |
| 355 | + If OpenSSL will change that, we'll need to change the implementation |
| 356 | + of this class too. |
| 357 | */ |
| 358 | uchar mask[MY_AES_BLOCK_SIZE]; |
| 359 | uint mlen; |
| 360 | |
| 361 | my_aes_crypt(MY_AES_ECB, ENCRYPTION_FLAG_ENCRYPT | ENCRYPTION_FLAG_NOPAD, |
| 362 | - ctx.oiv, sizeof(mask), mask, &mlen, key, klen, 0, 0); |
| 363 | + oiv, sizeof(mask), mask, &mlen, key, klen, 0, 0); |
| 364 | DBUG_ASSERT(mlen == sizeof(mask)); |
| 365 | |
| 366 | - for (int i=0; i < ctx.buf_len; i++) |
| 367 | - dst[i]= ctx.buf[i] ^ mask[i]; |
| 368 | + for (uint i=0; i < buf_len; i++) |
| 369 | + dst[i]= buf[i] ^ mask[i]; |
| 370 | } |
| 371 | - *dlen= ctx.buf_len; |
| 372 | + *dlen= buf_len; |
| 373 | return MY_AES_OK; |
| 374 | } |
| 375 | }; |
| 376 | @@ -153,7 +180,7 @@ class MyCTX_gcm : public MyCTX |
| 377 | { |
| 378 | compile_time_assert(MY_AES_CTX_SIZE >= sizeof(MyCTX_gcm)); |
| 379 | int res= MyCTX::init(cipher, encrypt, key, klen, iv, ivlen); |
| 380 | - int real_ivlen= EVP_CIPHER_CTX_iv_length(&ctx); |
| 381 | + int real_ivlen= EVP_CIPHER_CTX_iv_length(ctx); |
| 382 | aad= iv + real_ivlen; |
| 383 | aadlen= ivlen - real_ivlen; |
| 384 | return res; |
| 385 | @@ -167,15 +194,15 @@ class MyCTX_gcm : public MyCTX |
| 386 | before decrypting the data. it can encrypt data piecewise, like, first |
| 387 | half, then the second half, but it must decrypt all at once |
| 388 | */ |
| 389 | - if (!ctx.encrypt) |
| 390 | + if (!EVP_CIPHER_CTX_encrypting(ctx)) |
| 391 | { |
| 392 | slen-= MY_AES_BLOCK_SIZE; |
| 393 | - if(!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_TAG, MY_AES_BLOCK_SIZE, |
| 394 | + if(!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, MY_AES_BLOCK_SIZE, |
| 395 | (void*)(src + slen))) |
| 396 | return MY_AES_OPENSSL_ERROR; |
| 397 | } |
| 398 | int unused; |
| 399 | - if (aadlen && !EVP_CipherUpdate(&ctx, NULL, &unused, aad, aadlen)) |
| 400 | + if (aadlen && !EVP_CipherUpdate(ctx, NULL, &unused, aad, aadlen)) |
| 401 | return MY_AES_OPENSSL_ERROR; |
| 402 | aadlen= 0; |
| 403 | return MyCTX::update(src, slen, dst, dlen); |
| 404 | @@ -184,13 +211,13 @@ class MyCTX_gcm : public MyCTX |
| 405 | int finish(uchar *dst, uint *dlen) |
| 406 | { |
| 407 | int fin; |
| 408 | - if (!EVP_CipherFinal_ex(&ctx, dst, &fin)) |
| 409 | + if (!EVP_CipherFinal_ex(ctx, dst, &fin)) |
| 410 | return MY_AES_BAD_DATA; |
| 411 | DBUG_ASSERT(fin == 0); |
| 412 | |
| 413 | - if (ctx.encrypt) |
| 414 | + if (EVP_CIPHER_CTX_encrypting(ctx)) |
| 415 | { |
| 416 | - if(!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_GET_TAG, MY_AES_BLOCK_SIZE, dst)) |
| 417 | + if(!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, MY_AES_BLOCK_SIZE, dst)) |
| 418 | return MY_AES_OPENSSL_ERROR; |
| 419 | *dlen= MY_AES_BLOCK_SIZE; |
| 420 | } |
| 421 | @@ -258,12 +285,15 @@ int my_aes_crypt(enum my_aes_mode mode, int flags, |
| 422 | { |
| 423 | void *ctx= alloca(MY_AES_CTX_SIZE); |
| 424 | int res1, res2; |
| 425 | - uint d1, d2; |
| 426 | + uint d1= 0, d2; |
| 427 | if ((res1= my_aes_crypt_init(ctx, mode, flags, key, klen, iv, ivlen))) |
| 428 | return res1; |
| 429 | res1= my_aes_crypt_update(ctx, src, slen, dst, &d1); |
| 430 | res2= my_aes_crypt_finish(ctx, dst + d1, &d2); |
| 431 | - *dlen= d1 + d2; |
| 432 | + if (res1 || res2) |
| 433 | + ERR_remove_state(0); /* in case of failure clear error queue */ |
| 434 | + else |
| 435 | + *dlen= d1 + d2; |
| 436 | return res1 ? res1 : res2; |
| 437 | } |
| 438 | |
| 439 | diff --git a/mysys_ssl/my_md5.cc b/mysys_ssl/my_md5.cc |
| 440 | index 7139ea9..0105082 100644 |
| 441 | --- a/mysys_ssl/my_md5.cc |
| 442 | +++ b/mysys_ssl/my_md5.cc |
| 443 | @@ -1,5 +1,5 @@ |
| 444 | /* Copyright (c) 2012, Oracle and/or its affiliates. |
| 445 | - Copyright (c) 2014, SkySQL Ab. |
| 446 | + Copyright (c) 2017, MariaDB Corporation |
| 447 | |
| 448 | This program is free software; you can redistribute it and/or modify |
| 449 | it under the terms of the GNU General Public License as published by |
| 450 | @@ -29,38 +29,31 @@ |
| 451 | |
| 452 | #if defined(HAVE_YASSL) |
| 453 | #include "md5.hpp" |
| 454 | +#include <ssl_compat.h> |
| 455 | |
| 456 | -typedef TaoCrypt::MD5 MD5_CONTEXT; |
| 457 | +typedef TaoCrypt::MD5 EVP_MD_CTX; |
| 458 | |
| 459 | -static void md5_init(MD5_CONTEXT *context) |
| 460 | +static void md5_init(EVP_MD_CTX *context) |
| 461 | { |
| 462 | - context= new(context) MD5_CONTEXT; |
| 463 | + context= new(context) EVP_MD_CTX; |
| 464 | context->Init(); |
| 465 | } |
| 466 | |
| 467 | -/* |
| 468 | - this is a variant of md5_init to be used in this file only. |
| 469 | - does nothing for yassl, because the context's constructor was called automatically. |
| 470 | -*/ |
| 471 | -static void md5_init_fast(MD5_CONTEXT *context) |
| 472 | -{ |
| 473 | -} |
| 474 | - |
| 475 | -static void md5_input(MD5_CONTEXT *context, const uchar *buf, unsigned len) |
| 476 | +static void md5_input(EVP_MD_CTX *context, const uchar *buf, unsigned len) |
| 477 | { |
| 478 | context->Update((const TaoCrypt::byte *) buf, len); |
| 479 | } |
| 480 | |
| 481 | -static void md5_result(MD5_CONTEXT *context, uchar digest[MD5_HASH_SIZE]) |
| 482 | +static void md5_result(EVP_MD_CTX *context, uchar digest[MD5_HASH_SIZE]) |
| 483 | { |
| 484 | context->Final((TaoCrypt::byte *) digest); |
| 485 | } |
| 486 | |
| 487 | #elif defined(HAVE_OPENSSL) |
| 488 | #include <openssl/evp.h> |
| 489 | -typedef EVP_MD_CTX MD5_CONTEXT; |
| 490 | +#include <ssl_compat.h> |
| 491 | |
| 492 | -static void md5_init(MD5_CONTEXT *context) |
| 493 | +static void md5_init(EVP_MD_CTX *context) |
| 494 | { |
| 495 | EVP_MD_CTX_init(context); |
| 496 | #ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW |
| 497 | @@ -70,17 +63,12 @@ static void md5_init(MD5_CONTEXT *context) |
| 498 | EVP_DigestInit_ex(context, EVP_md5(), NULL); |
| 499 | } |
| 500 | |
| 501 | -static void md5_init_fast(MD5_CONTEXT *context) |
| 502 | -{ |
| 503 | - md5_init(context); |
| 504 | -} |
| 505 | - |
| 506 | -static void md5_input(MD5_CONTEXT *context, const uchar *buf, unsigned len) |
| 507 | +static void md5_input(EVP_MD_CTX *context, const uchar *buf, unsigned len) |
| 508 | { |
| 509 | EVP_DigestUpdate(context, buf, len); |
| 510 | } |
| 511 | |
| 512 | -static void md5_result(MD5_CONTEXT *context, uchar digest[MD5_HASH_SIZE]) |
| 513 | +static void md5_result(EVP_MD_CTX *context, uchar digest[MD5_HASH_SIZE]) |
| 514 | { |
| 515 | EVP_DigestFinal_ex(context, digest, NULL); |
| 516 | EVP_MD_CTX_cleanup(context); |
| 517 | @@ -99,58 +87,58 @@ static void md5_result(MD5_CONTEXT *context, uchar digest[MD5_HASH_SIZE]) |
| 518 | */ |
| 519 | void my_md5(uchar *digest, const char *buf, size_t len) |
| 520 | { |
| 521 | - MD5_CONTEXT md5_context; |
| 522 | - |
| 523 | - md5_init_fast(&md5_context); |
| 524 | - md5_input(&md5_context, (const uchar *)buf, len); |
| 525 | - md5_result(&md5_context, digest); |
| 526 | + char ctx_buf[EVP_MD_CTX_SIZE]; |
| 527 | + EVP_MD_CTX * const ctx= (EVP_MD_CTX*)ctx_buf; |
| 528 | + md5_init(ctx); |
| 529 | + md5_input(ctx, (const uchar *)buf, len); |
| 530 | + md5_result(ctx, digest); |
| 531 | } |
| 532 | |
| 533 | |
| 534 | /** |
| 535 | Wrapper function to compute MD5 message digest for |
| 536 | - two messages in order to emulate md5(msg1, msg2). |
| 537 | + many messages, concatenated. |
| 538 | |
| 539 | @param digest [out] Computed MD5 digest |
| 540 | @param buf1 [in] First message |
| 541 | @param len1 [in] Length of first message |
| 542 | - @param buf2 [in] Second message |
| 543 | - @param len2 [in] Length of second message |
| 544 | + ... |
| 545 | + @param bufN [in] NULL terminates the list of buf,len pairs. |
| 546 | |
| 547 | @return void |
| 548 | */ |
| 549 | void my_md5_multi(uchar *digest, ...) |
| 550 | { |
| 551 | va_list args; |
| 552 | - va_start(args, digest); |
| 553 | - |
| 554 | - MD5_CONTEXT md5_context; |
| 555 | const uchar *str; |
| 556 | + char ctx_buf[EVP_MD_CTX_SIZE]; |
| 557 | + EVP_MD_CTX * const ctx= (EVP_MD_CTX*)ctx_buf; |
| 558 | + va_start(args, digest); |
| 559 | |
| 560 | - md5_init_fast(&md5_context); |
| 561 | + md5_init(ctx); |
| 562 | for (str= va_arg(args, const uchar*); str; str= va_arg(args, const uchar*)) |
| 563 | - md5_input(&md5_context, str, va_arg(args, size_t)); |
| 564 | + md5_input(ctx, str, va_arg(args, size_t)); |
| 565 | |
| 566 | - md5_result(&md5_context, digest); |
| 567 | + md5_result(ctx, digest); |
| 568 | va_end(args); |
| 569 | } |
| 570 | |
| 571 | size_t my_md5_context_size() |
| 572 | { |
| 573 | - return sizeof(MD5_CONTEXT); |
| 574 | + return EVP_MD_CTX_SIZE; |
| 575 | } |
| 576 | |
| 577 | void my_md5_init(void *context) |
| 578 | { |
| 579 | - md5_init((MD5_CONTEXT *)context); |
| 580 | + md5_init((EVP_MD_CTX *)context); |
| 581 | } |
| 582 | |
| 583 | void my_md5_input(void *context, const uchar *buf, size_t len) |
| 584 | { |
| 585 | - md5_input((MD5_CONTEXT *)context, buf, len); |
| 586 | + md5_input((EVP_MD_CTX *)context, buf, len); |
| 587 | } |
| 588 | |
| 589 | void my_md5_result(void *context, uchar *digest) |
| 590 | { |
| 591 | - md5_result((MD5_CONTEXT *)context, digest); |
| 592 | + md5_result((EVP_MD_CTX *)context, digest); |
| 593 | } |
| 594 | diff --git a/mysys_ssl/openssl.c b/mysys_ssl/openssl.c |
| 595 | new file mode 100644 |
| 596 | index 0000000..a3f1ca2 |
| 597 | --- /dev/null |
| 598 | +++ b/mysys_ssl/openssl.c |
| 599 | @@ -0,0 +1,71 @@ |
| 600 | +/* |
| 601 | + Copyright (c) 2017, MariaDB Corporation. |
| 602 | + |
| 603 | + This program is free software; you can redistribute it and/or modify |
| 604 | + it under the terms of the GNU General Public License as published by |
| 605 | + the Free Software Foundation; version 2 of the License. |
| 606 | + |
| 607 | + This program is distributed in the hope that it will be useful, |
| 608 | + but WITHOUT ANY WARRANTY; without even the implied warranty of |
| 609 | + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| 610 | + GNU General Public License for more details. |
| 611 | + |
| 612 | + You should have received a copy of the GNU General Public License |
| 613 | + along with this program; if not, write to the Free Software |
| 614 | + Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */ |
| 615 | + |
| 616 | +#include <my_global.h> |
| 617 | +#include <ssl_compat.h> |
| 618 | + |
| 619 | +#ifdef HAVE_YASSL |
| 620 | + |
| 621 | +int check_openssl_compatibility() |
| 622 | +{ |
| 623 | + return 0; |
| 624 | +} |
| 625 | +#else |
| 626 | +#include <openssl/evp.h> |
| 627 | + |
| 628 | +#ifdef HAVE_OPENSSL11 |
| 629 | +typedef void *(*CRYPTO_malloc_t)(size_t, const char *, int); |
| 630 | +#endif |
| 631 | + |
| 632 | +#ifdef HAVE_OPENSSL10 |
| 633 | +typedef void *(*CRYPTO_malloc_t)(size_t); |
| 634 | +#define CRYPTO_malloc malloc |
| 635 | +#define CRYPTO_realloc realloc |
| 636 | +#define CRYPTO_free free |
| 637 | +#endif |
| 638 | + |
| 639 | +static uint allocated_size, allocated_count; |
| 640 | + |
| 641 | +static void *coc_malloc(size_t size) |
| 642 | +{ |
| 643 | + allocated_size+= size; |
| 644 | + allocated_count++; |
| 645 | + return malloc(size); |
| 646 | +} |
| 647 | + |
| 648 | +int check_openssl_compatibility() |
| 649 | +{ |
| 650 | + EVP_CIPHER_CTX *evp_ctx; |
| 651 | + EVP_MD_CTX *md5_ctx; |
| 652 | + |
| 653 | + CRYPTO_set_mem_functions((CRYPTO_malloc_t)coc_malloc, CRYPTO_realloc, CRYPTO_free); |
| 654 | + |
| 655 | + allocated_size= allocated_count= 0; |
| 656 | + evp_ctx= EVP_CIPHER_CTX_new(); |
| 657 | + EVP_CIPHER_CTX_free(evp_ctx); |
| 658 | + if (allocated_count != 1 || allocated_size > EVP_CIPHER_CTX_SIZE) |
| 659 | + return 1; |
| 660 | + |
| 661 | + allocated_size= allocated_count= 0; |
| 662 | + md5_ctx= EVP_MD_CTX_create(); |
| 663 | + EVP_MD_CTX_destroy(md5_ctx); |
| 664 | + if (allocated_count != 1 || allocated_size > EVP_MD_CTX_SIZE) |
| 665 | + return 1; |
| 666 | + |
| 667 | + CRYPTO_set_mem_functions(CRYPTO_malloc, CRYPTO_realloc, CRYPTO_free); |
| 668 | + return 0; |
| 669 | +} |
| 670 | +#endif |
| 671 | diff --git a/mysys_ssl/yassl.cc b/mysys_ssl/yassl.cc |
| 672 | index e9f8e65..268589d 100644 |
| 673 | --- a/mysys_ssl/yassl.cc |
| 674 | +++ b/mysys_ssl/yassl.cc |
| 675 | @@ -45,7 +45,6 @@ typedef struct |
| 676 | int buf_len; |
| 677 | int final_used; |
| 678 | uchar tao_buf[sizeof(TaoCrypt::AES)]; // TaoCrypt::AES object |
| 679 | - uchar oiv[TaoCrypt::AES::BLOCK_SIZE]; // original IV |
| 680 | uchar buf[TaoCrypt::AES::BLOCK_SIZE]; // last partial input block |
| 681 | uchar final[TaoCrypt::AES::BLOCK_SIZE]; // last decrypted (output) block |
| 682 | } EVP_CIPHER_CTX; |
| 683 | @@ -98,10 +97,7 @@ static int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, |
| 684 | : TaoCrypt::DECRYPTION, cipher->mode); |
| 685 | TAO(ctx)->SetKey(key, cipher->key_len); |
| 686 | if (iv) |
| 687 | - { |
| 688 | TAO(ctx)->SetIV(iv); |
| 689 | - memcpy(ctx->oiv, iv, TaoCrypt::AES::BLOCK_SIZE); |
| 690 | - } |
| 691 | ctx->encrypt= enc; |
| 692 | ctx->key_len= cipher->key_len; |
| 693 | ctx->flags|= cipher->mode == TaoCrypt::CBC ? EVP_CIPH_CBC_MODE : EVP_CIPH_ECB_MODE; |
| 694 | diff --git a/sql-common/client.c b/sql-common/client.c |
| 695 | index da18a0f..e3280a1 100644 |
| 696 | --- a/sql-common/client.c |
| 697 | +++ b/sql-common/client.c |
| 698 | @@ -105,6 +105,7 @@ my_bool net_flush(NET *net); |
| 699 | #endif |
| 700 | |
| 701 | #include "client_settings.h" |
| 702 | +#include <ssl_compat.h> |
| 703 | #include <sql_common.h> |
| 704 | #include <mysql/client_plugin.h> |
| 705 | #include <my_context.h> |
| 706 | @@ -1770,9 +1771,8 @@ mysql_get_ssl_cipher(MYSQL *mysql __attribute__((unused))) |
| 707 | |
| 708 | #if defined(HAVE_OPENSSL) |
| 709 | |
| 710 | -#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(HAVE_YASSL) |
| 711 | +#ifdef HAVE_X509_check_host |
| 712 | #include <openssl/x509v3.h> |
| 713 | -#define HAVE_X509_check_host |
| 714 | #endif |
| 715 | |
| 716 | static int ssl_verify_server_cert(Vio *vio, const char* server_hostname, const char **errptr) |
| 717 | @@ -1844,7 +1844,7 @@ static int ssl_verify_server_cert(Vio *vio, const char* server_hostname, const c |
| 718 | goto error; |
| 719 | } |
| 720 | |
| 721 | - cn= (char *) ASN1_STRING_data(cn_asn1); |
| 722 | + cn= (char *) ASN1_STRING_get0_data(cn_asn1); |
| 723 | |
| 724 | if ((size_t)ASN1_STRING_length(cn_asn1) != strlen(cn)) |
| 725 | { |
| 726 | diff --git a/sql/mysqld.cc b/sql/mysqld.cc |
| 727 | index 0de9d7a..3a92192 100644 |
| 728 | --- a/sql/mysqld.cc |
| 729 | +++ b/sql/mysqld.cc |
| 730 | @@ -338,9 +338,13 @@ static PSI_thread_key key_thread_handle_con_sockets; |
| 731 | static PSI_thread_key key_thread_handle_shutdown; |
| 732 | #endif /* __WIN__ */ |
| 733 | |
| 734 | -#if defined (HAVE_OPENSSL) && !defined(HAVE_YASSL) |
| 735 | +#ifdef HAVE_OPENSSL |
| 736 | +#include <ssl_compat.h> |
| 737 | + |
| 738 | +#ifdef HAVE_OPENSSL10 |
| 739 | static PSI_rwlock_key key_rwlock_openssl; |
| 740 | #endif |
| 741 | +#endif |
| 742 | #endif /* HAVE_PSI_INTERFACE */ |
| 743 | |
| 744 | #ifdef HAVE_NPTL |
| 745 | @@ -987,7 +991,7 @@ PSI_rwlock_key key_rwlock_LOCK_grant, key_rwlock_LOCK_logger, |
| 746 | |
| 747 | static PSI_rwlock_info all_server_rwlocks[]= |
| 748 | { |
| 749 | -#if defined (HAVE_OPENSSL) && !defined(HAVE_YASSL) |
| 750 | +#ifdef HAVE_OPENSSL10 |
| 751 | { &key_rwlock_openssl, "CRYPTO_dynlock_value::lock", 0}, |
| 752 | #endif |
| 753 | { &key_rwlock_LOCK_grant, "LOCK_grant", PSI_FLAG_GLOBAL}, |
| 754 | @@ -1457,7 +1461,7 @@ scheduler_functions *thread_scheduler= &thread_scheduler_struct, |
| 755 | |
| 756 | #ifdef HAVE_OPENSSL |
| 757 | #include <openssl/crypto.h> |
| 758 | -#ifndef HAVE_YASSL |
| 759 | +#ifdef HAVE_OPENSSL10 |
| 760 | typedef struct CRYPTO_dynlock_value |
| 761 | { |
| 762 | mysql_rwlock_t lock; |
| 763 | @@ -1468,7 +1472,7 @@ static openssl_lock_t *openssl_dynlock_create(const char *, int); |
| 764 | static void openssl_dynlock_destroy(openssl_lock_t *, const char *, int); |
| 765 | static void openssl_lock_function(int, int, const char *, int); |
| 766 | static void openssl_lock(int, openssl_lock_t *, const char *, int); |
| 767 | -#endif |
| 768 | +#endif /* HAVE_OPENSSL10 */ |
| 769 | char *des_key_file; |
| 770 | #ifndef EMBEDDED_LIBRARY |
| 771 | struct st_VioSSLFd *ssl_acceptor_fd; |
| 772 | @@ -2244,11 +2248,11 @@ static void clean_up_mutexes() |
| 773 | mysql_mutex_destroy(&LOCK_global_index_stats); |
| 774 | #ifdef HAVE_OPENSSL |
| 775 | mysql_mutex_destroy(&LOCK_des_key_file); |
| 776 | -#ifndef HAVE_YASSL |
| 777 | +#ifdef HAVE_OPENSSL10 |
| 778 | for (int i= 0; i < CRYPTO_num_locks(); ++i) |
| 779 | mysql_rwlock_destroy(&openssl_stdlocks[i].lock); |
| 780 | OPENSSL_free(openssl_stdlocks); |
| 781 | -#endif /* HAVE_YASSL */ |
| 782 | +#endif /* HAVE_OPENSSL10 */ |
| 783 | #endif /* HAVE_OPENSSL */ |
| 784 | #ifdef HAVE_REPLICATION |
| 785 | mysql_mutex_destroy(&LOCK_rpl_status); |
| 786 | @@ -4038,6 +4042,14 @@ static int init_common_variables() |
| 787 | return 1; |
| 788 | } |
| 789 | |
| 790 | +#ifdef HAVE_OPENSSL |
| 791 | + if (check_openssl_compatibility()) |
| 792 | + { |
| 793 | + sql_print_error("Incompatible OpenSSL version. Cannot continue..."); |
| 794 | + return 1; |
| 795 | + } |
| 796 | +#endif |
| 797 | + |
| 798 | if (init_thread_environment() || |
| 799 | mysql_init_variables()) |
| 800 | return 1; |
| 801 | @@ -4584,7 +4596,7 @@ static int init_thread_environment() |
| 802 | #ifdef HAVE_OPENSSL |
| 803 | mysql_mutex_init(key_LOCK_des_key_file, |
| 804 | &LOCK_des_key_file, MY_MUTEX_INIT_FAST); |
| 805 | -#ifndef HAVE_YASSL |
| 806 | +#ifdef HAVE_OPENSSL10 |
| 807 | openssl_stdlocks= (openssl_lock_t*) OPENSSL_malloc(CRYPTO_num_locks() * |
| 808 | sizeof(openssl_lock_t)); |
| 809 | for (int i= 0; i < CRYPTO_num_locks(); ++i) |
| 810 | @@ -4593,8 +4605,8 @@ static int init_thread_environment() |
| 811 | CRYPTO_set_dynlock_destroy_callback(openssl_dynlock_destroy); |
| 812 | CRYPTO_set_dynlock_lock_callback(openssl_lock); |
| 813 | CRYPTO_set_locking_callback(openssl_lock_function); |
| 814 | -#endif |
| 815 | -#endif |
| 816 | +#endif /* HAVE_OPENSSL10 */ |
| 817 | +#endif /* HAVE_OPENSSL */ |
| 818 | mysql_rwlock_init(key_rwlock_LOCK_sys_init_connect, &LOCK_sys_init_connect); |
| 819 | mysql_rwlock_init(key_rwlock_LOCK_sys_init_slave, &LOCK_sys_init_slave); |
| 820 | mysql_rwlock_init(key_rwlock_LOCK_grant, &LOCK_grant); |
| 821 | @@ -4627,7 +4639,7 @@ static int init_thread_environment() |
| 822 | } |
| 823 | |
| 824 | |
| 825 | -#if defined(HAVE_OPENSSL) && !defined(HAVE_YASSL) |
| 826 | +#ifdef HAVE_OPENSSL10 |
| 827 | static openssl_lock_t *openssl_dynlock_create(const char *file, int line) |
| 828 | { |
| 829 | openssl_lock_t *lock= new openssl_lock_t; |
| 830 | @@ -4687,8 +4699,7 @@ static void openssl_lock(int mode, openssl_lock_t *lock, const char *file, |
| 831 | abort(); |
| 832 | } |
| 833 | } |
| 834 | -#endif /* HAVE_OPENSSL */ |
| 835 | - |
| 836 | +#endif /* HAVE_OPENSSL10 */ |
| 837 | |
| 838 | static void init_ssl() |
| 839 | { |
| 840 | diff --git a/sql/slave.cc b/sql/slave.cc |
| 841 | index da394ff..2096ed1 100644 |
| 842 | --- a/sql/slave.cc |
| 843 | +++ b/sql/slave.cc |
| 844 | @@ -40,6 +40,7 @@ |
| 845 | #include <my_dir.h> |
| 846 | #include <sql_common.h> |
| 847 | #include <errmsg.h> |
| 848 | +#include <ssl_compat.h> |
| 849 | #include <mysqld_error.h> |
| 850 | #include <mysys_err.h> |
| 851 | #include "rpl_handler.h" |
| 852 | @@ -60,7 +61,6 @@ |
| 853 | #include "debug_sync.h" |
| 854 | #include "rpl_parallel.h" |
| 855 | |
| 856 | - |
| 857 | #define FLAGSTR(V,F) ((V)&(F)?#F" ":"") |
| 858 | |
| 859 | #define MAX_SLAVE_RETRY_PAUSE 5 |
| 860 | @@ -4506,9 +4506,7 @@ log space"); |
| 861 | |
| 862 | DBUG_LEAVE; // Must match DBUG_ENTER() |
| 863 | my_thread_end(); |
| 864 | -#ifdef HAVE_OPENSSL |
| 865 | ERR_remove_state(0); |
| 866 | -#endif |
| 867 | pthread_exit(0); |
| 868 | return 0; // Avoid compiler warnings |
| 869 | } |
| 870 | @@ -5167,9 +5165,7 @@ pthread_handler_t handle_slave_sql(void *arg) |
| 871 | |
| 872 | DBUG_LEAVE; // Must match DBUG_ENTER() |
| 873 | my_thread_end(); |
| 874 | -#ifdef HAVE_OPENSSL |
| 875 | ERR_remove_state(0); |
| 876 | -#endif |
| 877 | pthread_exit(0); |
| 878 | return 0; // Avoid compiler warnings |
| 879 | } |
| 880 | diff --git a/vio/vio.c b/vio/vio.c |
| 881 | index e3bc8ca..44d0609 100644 |
| 882 | --- a/vio/vio.c |
| 883 | +++ b/vio/vio.c |
| 884 | @@ -22,6 +22,7 @@ |
| 885 | */ |
| 886 | |
| 887 | #include "vio_priv.h" |
| 888 | +#include "ssl_compat.h" |
| 889 | |
| 890 | #ifdef _WIN32 |
| 891 | |
| 892 | diff --git a/vio/viosslfactories.c b/vio/viosslfactories.c |
| 893 | index 52b624d..71ef287 100644 |
| 894 | --- a/vio/viosslfactories.c |
| 895 | +++ b/vio/viosslfactories.c |
| 896 | @@ -15,6 +15,7 @@ |
| 897 | Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */ |
| 898 | |
| 899 | #include "vio_priv.h" |
| 900 | +#include <ssl_compat.h> |
| 901 | |
| 902 | #ifdef HAVE_OPENSSL |
| 903 | #ifndef HAVE_YASSL |
| 904 | @@ -26,49 +27,56 @@ static my_bool ssl_algorithms_added = FALSE; |
| 905 | static my_bool ssl_error_strings_loaded= FALSE; |
| 906 | |
| 907 | /* the function below was generated with "openssl dhparam -2 -C 2048" */ |
| 908 | + |
| 909 | static |
| 910 | DH *get_dh2048() |
| 911 | { |
| 912 | - static unsigned char dh2048_p[]={ |
| 913 | - 0xA1,0xBB,0x7C,0x20,0xC5,0x5B,0xC0,0x7B,0x21,0x8B,0xD6,0xA8, |
| 914 | - 0x15,0xFC,0x3B,0xBA,0xAB,0x9F,0xDF,0x68,0xC4,0x79,0x78,0x0D, |
| 915 | - 0xC1,0x12,0x64,0xE4,0x15,0xC9,0x66,0xDB,0xF6,0xCB,0xB3,0x39, |
| 916 | - 0x02,0x5B,0x78,0x62,0xFB,0x09,0xAE,0x09,0x6B,0xDD,0xD4,0x5D, |
| 917 | - 0x97,0xBC,0xDC,0x7F,0xE6,0xD6,0xF1,0xCB,0xF5,0xEB,0xDA,0xA7, |
| 918 | - 0x2E,0x5A,0x43,0x2B,0xE9,0x40,0xE2,0x85,0x00,0x1C,0xC0,0x0A, |
| 919 | - 0x98,0x77,0xA9,0x31,0xDE,0x0B,0x75,0x4D,0x1E,0x1F,0x16,0x83, |
| 920 | - 0xCA,0xDE,0xBD,0x21,0xFC,0xC1,0x82,0x37,0x36,0x33,0x0B,0x66, |
| 921 | - 0x06,0x3C,0xF3,0xAF,0x21,0x57,0x57,0x80,0xF6,0x94,0x1B,0xA9, |
| 922 | - 0xD4,0xF6,0x8F,0x18,0x62,0x0E,0xC4,0x22,0xF9,0x5B,0x62,0xCC, |
| 923 | - 0x3F,0x19,0x95,0xCF,0x4B,0x00,0xA6,0x6C,0x0B,0xAF,0x9F,0xD5, |
| 924 | - 0xFA,0x3D,0x6D,0xDA,0x30,0x83,0x07,0x91,0xAC,0x15,0xFF,0x8F, |
| 925 | - 0x59,0x54,0xEA,0x25,0xBC,0x4E,0xEB,0x6A,0x54,0xDF,0x75,0x09, |
| 926 | - 0x72,0x0F,0xEF,0x23,0x70,0xE0,0xA8,0x04,0xEA,0xFF,0x90,0x54, |
| 927 | - 0xCD,0x84,0x18,0xC0,0x75,0x91,0x99,0x0F,0xA1,0x78,0x0C,0x07, |
| 928 | - 0xB7,0xC5,0xDE,0x55,0x06,0x7B,0x95,0x68,0x2C,0x33,0x39,0xBC, |
| 929 | - 0x2C,0xD0,0x6D,0xDD,0xFA,0xDC,0xB5,0x8F,0x82,0x39,0xF8,0x67, |
| 930 | - 0x44,0xF1,0xD8,0xF7,0x78,0x11,0x9A,0x77,0x9B,0x53,0x47,0xD6, |
| 931 | - 0x2B,0x5D,0x67,0xB8,0xB7,0xBC,0xC1,0xD7,0x79,0x62,0x15,0xC2, |
| 932 | - 0xC5,0x83,0x97,0xA7,0xF8,0xB4,0x9C,0xF6,0x8F,0x9A,0xC7,0xDA, |
| 933 | - 0x1B,0xBB,0x87,0x07,0xA7,0x71,0xAD,0xB2,0x8A,0x50,0xF8,0x26, |
| 934 | - 0x12,0xB7,0x3E,0x0B, |
| 935 | - }; |
| 936 | - static unsigned char dh2048_g[]={ |
| 937 | - 0x02, |
| 938 | - }; |
| 939 | - DH *dh; |
| 940 | - |
| 941 | - if ((dh=DH_new()) == NULL) return(NULL); |
| 942 | - dh->p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL); |
| 943 | - dh->g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL); |
| 944 | - if ((dh->p == NULL) || (dh->g == NULL)) |
| 945 | - { DH_free(dh); return(NULL); } |
| 946 | - return(dh); |
| 947 | + static unsigned char dhp_2048[] = { |
| 948 | + 0xA1,0xBB,0x7C,0x20,0xC5,0x5B,0xC0,0x7B,0x21,0x8B,0xD6,0xA8, |
| 949 | + 0x15,0xFC,0x3B,0xBA,0xAB,0x9F,0xDF,0x68,0xC4,0x79,0x78,0x0D, |
| 950 | + 0xC1,0x12,0x64,0xE4,0x15,0xC9,0x66,0xDB,0xF6,0xCB,0xB3,0x39, |
| 951 | + 0x02,0x5B,0x78,0x62,0xFB,0x09,0xAE,0x09,0x6B,0xDD,0xD4,0x5D, |
| 952 | + 0x97,0xBC,0xDC,0x7F,0xE6,0xD6,0xF1,0xCB,0xF5,0xEB,0xDA,0xA7, |
| 953 | + 0x2E,0x5A,0x43,0x2B,0xE9,0x40,0xE2,0x85,0x00,0x1C,0xC0,0x0A, |
| 954 | + 0x98,0x77,0xA9,0x31,0xDE,0x0B,0x75,0x4D,0x1E,0x1F,0x16,0x83, |
| 955 | + 0xCA,0xDE,0xBD,0x21,0xFC,0xC1,0x82,0x37,0x36,0x33,0x0B,0x66, |
| 956 | + 0x06,0x3C,0xF3,0xAF,0x21,0x57,0x57,0x80,0xF6,0x94,0x1B,0xA9, |
| 957 | + 0xD4,0xF6,0x8F,0x18,0x62,0x0E,0xC4,0x22,0xF9,0x5B,0x62,0xCC, |
| 958 | + 0x3F,0x19,0x95,0xCF,0x4B,0x00,0xA6,0x6C,0x0B,0xAF,0x9F,0xD5, |
| 959 | + 0xFA,0x3D,0x6D,0xDA,0x30,0x83,0x07,0x91,0xAC,0x15,0xFF,0x8F, |
| 960 | + 0x59,0x54,0xEA,0x25,0xBC,0x4E,0xEB,0x6A,0x54,0xDF,0x75,0x09, |
| 961 | + 0x72,0x0F,0xEF,0x23,0x70,0xE0,0xA8,0x04,0xEA,0xFF,0x90,0x54, |
| 962 | + 0xCD,0x84,0x18,0xC0,0x75,0x91,0x99,0x0F,0xA1,0x78,0x0C,0x07, |
| 963 | + 0xB7,0xC5,0xDE,0x55,0x06,0x7B,0x95,0x68,0x2C,0x33,0x39,0xBC, |
| 964 | + 0x2C,0xD0,0x6D,0xDD,0xFA,0xDC,0xB5,0x8F,0x82,0x39,0xF8,0x67, |
| 965 | + 0x44,0xF1,0xD8,0xF7,0x78,0x11,0x9A,0x77,0x9B,0x53,0x47,0xD6, |
| 966 | + 0x2B,0x5D,0x67,0xB8,0xB7,0xBC,0xC1,0xD7,0x79,0x62,0x15,0xC2, |
| 967 | + 0xC5,0x83,0x97,0xA7,0xF8,0xB4,0x9C,0xF6,0x8F,0x9A,0xC7,0xDA, |
| 968 | + 0x1B,0xBB,0x87,0x07,0xA7,0x71,0xAD,0xB2,0x8A,0x50,0xF8,0x26, |
| 969 | + 0x12,0xB7,0x3E,0x0B, |
| 970 | + }; |
| 971 | + static unsigned char dhg_2048[] = { |
| 972 | + 0x02 |
| 973 | + }; |
| 974 | + DH *dh = DH_new(); |
| 975 | + BIGNUM *dhp_bn, *dhg_bn; |
| 976 | + |
| 977 | + if (dh == NULL) |
| 978 | + return NULL; |
| 979 | + dhp_bn = BN_bin2bn(dhp_2048, sizeof (dhp_2048), NULL); |
| 980 | + dhg_bn = BN_bin2bn(dhg_2048, sizeof (dhg_2048), NULL); |
| 981 | + if (dhp_bn == NULL || dhg_bn == NULL |
| 982 | + || !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) { |
| 983 | + DH_free(dh); |
| 984 | + BN_free(dhp_bn); |
| 985 | + BN_free(dhg_bn); |
| 986 | + return NULL; |
| 987 | + } |
| 988 | + return dh; |
| 989 | } |
| 990 | |
| 991 | - |
| 992 | static const char* |
| 993 | -ssl_error_string[] = |
| 994 | +ssl_error_string[] = |
| 995 | { |
| 996 | "No error", |
| 997 | "Unable to get certificate", |
| 998 | @@ -148,9 +156,7 @@ static void check_ssl_init() |
| 999 | if (!ssl_algorithms_added) |
| 1000 | { |
| 1001 | ssl_algorithms_added= TRUE; |
| 1002 | - SSL_library_init(); |
| 1003 | - OpenSSL_add_all_algorithms(); |
| 1004 | - |
| 1005 | + OPENSSL_init_ssl(0, NULL); |
| 1006 | } |
| 1007 | |
| 1008 | if (!ssl_error_strings_loaded) |