Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
slapos
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Labels
Merge Requests
104
Merge Requests
104
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Analytics
Analytics
CI / CD
Repository
Value Stream
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Jobs
Commits
Open sidebar
nexedi
slapos
Commits
9f210d7c
Commit
9f210d7c
authored
Dec 14, 2023
by
Kazuhiko Shiozaki
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
component/mariadb: backport OpenSSL 3.0 support for MariaDB 10.4.
parent
f12d6d77
Changes
2
Hide whitespace changes
Inline
Side-by-side
Showing
2 changed files
with
370 additions
and
0 deletions
+370
-0
component/mariadb/buildout.cfg
component/mariadb/buildout.cfg
+1
-0
component/mariadb/mariadb-10.4.32-openssl-3.0.patch
component/mariadb/mariadb-10.4.32-openssl-3.0.patch
+369
-0
No files found.
component/mariadb/buildout.cfg
View file @
9f210d7c
...
...
@@ -102,6 +102,7 @@ pcre-location = ${pcre:location}
patch-options = -p1
patches =
https://sources.debian.org/data/main/m/mariadb-10.3/1:10.3.34-0+deb10u1/debian/patches/0024-Revert-to-using-system-pcre-library.patch#1c6a0f2634f5a56122299674b77b1131
${:_profile_base_location_}/mariadb-10.4.32-openssl-3.0.patch#ec3e2b57eae5421e052ab89224b29b7e
[mariadb-10.5]
<= mariadb-common
...
...
component/mariadb/mariadb-10.4.32-openssl-3.0.patch
0 → 100644
View file @
9f210d7c
Changes to support OpenSSL 3.0 based on the following commits :
* 8a9c1e9ccf227e5f8ee9a4716a9b64665a8489e3 MDEV-25785 Add support for OpenSSL 3.0
*
1dc09ce0fdcf556dfc57de3f012a455c6d54a951 Revert "don't build with OpenSSL 3.0, it doesn't work before MDEV-25785"
*
ef655669816d73a1d92fbf459b768abcc7cac296 MDEV-27778 md5 in FIPS crashes with OpenSSL 3.0.0
diff --git a/cmake/ssl.cmake b/cmake/ssl.cmake
index a6793cf3c55..1bd46bc0f39 100644
--- a/cmake/ssl.cmake
+++ b/cmake/ssl.cmake
@@ -118,7 +118,7 @@
MACRO (MYSQL_CHECK_SSL)
ENDIF()
FIND_PACKAGE(OpenSSL)
SET_PACKAGE_PROPERTIES(OpenSSL PROPERTIES TYPE RECOMMENDED)
- IF(OPENSSL_FOUND AND OPENSSL_VERSION AND OPENSSL_VERSION VERSION_LESS "3.0.0")
+ IF(OPENSSL_FOUND)
SET(OPENSSL_LIBRARY ${OPENSSL_SSL_LIBRARY})
INCLUDE(CheckSymbolExists)
SET(SSL_SOURCES "")
@@ -139,6 +139,13 @@
MACRO (MYSQL_CHECK_SSL)
SET(SSL_INTERNAL_INCLUDE_DIRS "")
SET(SSL_DEFINES "-DHAVE_OPENSSL")
+ # Silence "deprecated in OpenSSL 3.0"
+ IF((NOT OPENSSL_VERSION) # 3.0 not determined by older cmake
+ OR NOT(OPENSSL_VERSION VERSION_LESS "3.0.0"))
+ SET(SSL_DEFINES "${SSL_DEFINES} -DOPENSSL_API_COMPAT=0x10100000L")
+ SET(CMAKE_REQUIRED_DEFINITIONS -DOPENSSL_API_COMPAT=0x10100000L)
+ ENDIF()
+
SET(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
SET(CMAKE_REQUIRED_LIBRARIES ${SSL_LIBRARIES})
SET(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
@@ -152,6 +159,7 @@
MACRO (MYSQL_CHECK_SSL)
HAVE_X509_check_host)
SET(CMAKE_REQUIRED_INCLUDES)
SET(CMAKE_REQUIRED_LIBRARIES)
+ SET(CMAKE_REQUIRED_DEFINITIONS)
ELSE()
IF(WITH_SSL STREQUAL "system")
MESSAGE(FATAL_ERROR "Cannot find appropriate system libraries for SSL. Use WITH_SSL=bundled to enable SSL support")
diff --git a/include/ssl_compat.h b/include/ssl_compat.h
index 7b4a828a4d9..7a652d46121 100644
--- a/include/ssl_compat.h
+++ b/include/ssl_compat.h
@@ -78,7 +78,6 @@
#define DH_set0_pqg(D,P,Q,G) ((D)->p= (P), (D)->g= (G))
#endif
-#define EVP_CIPHER_CTX_buf_noconst(ctx) ((ctx)->buf)
#define EVP_CIPHER_CTX_encrypting(ctx) ((ctx)->encrypt)
#define EVP_CIPHER_CTX_SIZE sizeof(EVP_CIPHER_CTX)
diff --git a/mysql-test/lib/openssl.cnf b/mysql-test/lib/openssl.cnf
index b9ab37ac3a1..7cd6f748af2 100644
--- a/mysql-test/lib/openssl.cnf
+++ b/mysql-test/lib/openssl.cnf
@@ -9,4 +9,4 @@
ssl_conf = ssl_section
system_default = system_default_section
[system_default_section]
-CipherString = ALL:@SECLEVEL=1
+CipherString = ALL:@SECLEVEL=0
diff --git a/mysql-test/main/ssl_cipher.result b/mysql-test/main/ssl_cipher.result
index 9308f0f9833..d549ec7d2b4 100644
--- a/mysql-test/main/ssl_cipher.result
+++ b/mysql-test/main/ssl_cipher.result
@@ -61,9 +61,9 @@
connect ssl_con,localhost,root,,,,,SSL;
SHOW STATUS LIKE 'Ssl_cipher';
Variable_name Value
Ssl_cipher AES128-SHA
-SHOW STATUS LIKE 'Ssl_cipher_list';
-Variable_name Value
-Ssl_cipher_list AES128-SHA
+SELECT VARIABLE_VALUE like '%AES128-SHA%' FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher_list';
+VARIABLE_VALUE like '%AES128-SHA%'
+1
disconnect ssl_con;
connection default;
call mtr.add_suppression("TLSv1.0 and TLSv1.1 are insecure");
diff --git a/mysql-test/main/ssl_cipher.test b/mysql-test/main/ssl_cipher.test
index 3a54aca5145..7150e19809e 100644
--- a/mysql-test/main/ssl_cipher.test
+++ b/mysql-test/main/ssl_cipher.test
@@ -98,7 +98,7 @@
let $restart_parameters=--ssl-cipher=AES128-SHA;
source include/restart_mysqld.inc;
connect (ssl_con,localhost,root,,,,,SSL);
SHOW STATUS LIKE 'Ssl_cipher';
-SHOW STATUS LIKE 'Ssl_cipher_list';
+SELECT VARIABLE_VALUE like '%AES128-SHA%' FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher_list';
disconnect ssl_con;
connection default;
diff --git a/mysys_ssl/my_crypt.cc b/mysys_ssl/my_crypt.cc
index a8643f6e5b6..00447e73d79 100644
--- a/mysys_ssl/my_crypt.cc
+++ b/mysys_ssl/my_crypt.cc
@@ -29,11 +29,7 @@
#include <ssl_compat.h>
#include <cstdint>
-#ifdef HAVE_WOLFSSL
#define CTX_ALIGN 16
-#else
-#define CTX_ALIGN 0
-#endif
class MyCTX
{
@@ -100,8 +96,9 @@
class MyCTX_nopad : public MyCTX
{
public:
const uchar *key;
- uint klen, buf_len;
+ uint klen, source_tail_len;
uchar oiv[MY_AES_BLOCK_SIZE];
+ uchar source_tail[MY_AES_BLOCK_SIZE];
MyCTX_nopad() : MyCTX() { }
~MyCTX_nopad() = default;
@@ -112,7 +109,7 @@
class MyCTX_nopad : public MyCTX
compile_time_assert(MY_AES_CTX_SIZE >= sizeof(MyCTX_nopad));
this->key= key;
this->klen= klen;
- this->buf_len= 0;
+ this->source_tail_len= 0;
if (ivlen)
memcpy(oiv, iv, ivlen);
DBUG_ASSERT(ivlen == 0 || ivlen == sizeof(oiv));
@@ -123,26 +120,41 @@
class MyCTX_nopad : public MyCTX
return res;
}
+ /** Update last partial source block, stored in source_tail array. */
+ void update_source_tail(const uchar* src, uint slen)
+ {
+ if (!slen)
+ return;
+ uint new_tail_len= (source_tail_len + slen) % MY_AES_BLOCK_SIZE;
+ if (new_tail_len)
+ {
+ if (slen + source_tail_len < MY_AES_BLOCK_SIZE)
+ {
+ memcpy(source_tail + source_tail_len, src, slen);
+ }
+ else
+ {
+ DBUG_ASSERT(slen > new_tail_len);
+ memcpy(source_tail, src + slen - new_tail_len, new_tail_len);
+ }
+ }
+ source_tail_len= new_tail_len;
+ }
+
int update(const uchar *src, uint slen, uchar *dst, uint *dlen)
{
- buf_len+= slen;
+ update_source_tail(src, slen);
return MyCTX::update(src, slen, dst, dlen);
}
int finish(uchar *dst, uint *dlen)
{
- buf_len %= MY_AES_BLOCK_SIZE;
- if (buf_len)
+ if (source_tail_len)
{
- uchar *buf= EVP_CIPHER_CTX_buf_noconst(ctx);
/*
Not much we can do, block ciphers cannot encrypt data that aren't
a multiple of the block length. At least not without padding.
Let's do something CTR-like for the last partial block.
-
- NOTE this assumes that there are only buf_len bytes in the buf.
- If OpenSSL will change that, we'll need to change the implementation
- of this class too.
*/
uchar mask[MY_AES_BLOCK_SIZE];
uint mlen;
@@ -154,10 +166,10 @@
class MyCTX_nopad : public MyCTX
return rc;
DBUG_ASSERT(mlen == sizeof(mask));
- for (uint i=0; i < buf_len; i++)
- dst[i]= buf[i] ^ mask[i];
+ for (uint i=0; i < source_tail_len; i++)
+ dst[i]= source_tail[i] ^ mask[i];
}
- *dlen= buf_len;
+ *dlen= source_tail_len;
return MY_AES_OK;
}
};
diff --git a/mysys_ssl/my_md5.cc b/mysys_ssl/my_md5.cc
index 407dee3bc69..75995bccf90 100644
--- a/mysys_ssl/my_md5.cc
+++ b/mysys_ssl/my_md5.cc
@@ -52,12 +52,23 @@
static void md5_result(EVP_MD_CTX *context, uchar digest[MD5_HASH_SIZE])
static void md5_init(EVP_MD_CTX *context)
{
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ EVP_MD *md5;
+ EVP_MD_CTX_init(context);
+ /* Ok to ignore FIPS: MD5 is not used for crypto here */
+ /* In OpenSSL 3.0.0+ it is a different EVP_MD provider */
+ md5 = EVP_MD_fetch(NULL, "MD5", "fips=no");
+ EVP_DigestInit_ex(context, md5, NULL);
+ EVP_MD_free(md5);
+#else
EVP_MD_CTX_init(context);
#ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
/* Ok to ignore FIPS: MD5 is not used for crypto here */
+ /* In OpenSSL 1.1.1 the non FIPS allowed flag is context specific */
EVP_MD_CTX_set_flags(context, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
#endif
EVP_DigestInit_ex(context, EVP_md5(), NULL);
+#endif
}
static void md5_input(EVP_MD_CTX *context, const uchar *buf, unsigned len)
diff --git a/unittest/mysys/aes-t.c b/unittest/mysys/aes-t.c
index 34704e06749..cbec2760941 100644
--- a/unittest/mysys/aes-t.c
+++ b/unittest/mysys/aes-t.c
@@ -21,27 +21,96 @@
#include <string.h>
#include <ctype.h>
-#define DO_TEST(mode, nopad, slen, fill, dlen, hash) \
- SKIP_BLOCK_IF(mode == 0xDEADBEAF, nopad ? 4 : 5, #mode " not supported") \
- { \
- memset(src, fill, src_len= slen); \
- ok(my_aes_crypt(mode, nopad | ENCRYPTION_FLAG_ENCRYPT, \
- src, src_len, dst, &dst_len, \
- key, sizeof(key), iv, sizeof(iv)) == MY_AES_OK, \
- "encrypt " #mode " %u %s", src_len, nopad ? "nopad" : "pad"); \
- if (!nopad) \
- ok (dst_len == my_aes_get_size(mode, src_len), "my_aes_get_size");\
- my_md5(md5, (char*)dst, dst_len); \
- ok(dst_len == dlen && memcmp(md5, hash, sizeof(md5)) == 0, "md5"); \
- ok(my_aes_crypt(mode, nopad | ENCRYPTION_FLAG_DECRYPT, \
- dst, dst_len, ddst, &ddst_len, \
- key, sizeof(key), iv, sizeof(iv)) == MY_AES_OK, \
- "decrypt " #mode " %u", dst_len); \
- ok(ddst_len == src_len && memcmp(src, ddst, src_len) == 0, "memcmp"); \
+
+/** Test streaming encryption, bytewise update.*/
+static int aes_crypt_bytewise(enum my_aes_mode mode, int flags, const unsigned char *src,
+ unsigned int slen, unsigned char *dst, unsigned int *dlen,
+ const unsigned char *key, unsigned int klen,
+ const unsigned char *iv, unsigned int ivlen)
+{
+ /* Allocate context on odd address on stack, in order to
+ catch misalignment errors.*/
+ void *ctx= (char *)alloca(MY_AES_CTX_SIZE+1)+1;
+
+ int res1, res2;
+ uint d1= 0, d2;
+ uint i;
+
+ if ((res1= my_aes_crypt_init(ctx, mode, flags, key, klen, iv, ivlen)))
+ return res1;
+ for (i= 0; i < slen; i++)
+ {
+ uint tmp_d1=0;
+ res1= my_aes_crypt_update(ctx, src+i,1, dst, &tmp_d1);
+ if (res1)
+ return res1;
+ d1+= tmp_d1;
+ dst+= tmp_d1;
+ }
+ res2= my_aes_crypt_finish(ctx, dst, &d2);
+ *dlen= d1 + d2;
+ return res1 ? res1 : res2;
+}
+
+
+#ifndef HAVE_EncryptAes128Ctr
+const uint MY_AES_CTR=0xDEADBEAF;
+#endif
+#ifndef HAVE_EncryptAes128Gcm
+const uint MY_AES_GCM=0xDEADBEAF;
+#endif
+
+#define MY_AES_UNSUPPORTED(x) (x == 0xDEADBEAF)
+
+static void do_test(uint mode, const char *mode_str, int nopad, uint slen,
+ char fill, size_t dlen, const char *hash)
+{
+ uchar key[16]= {1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 5, 6};
+ uchar iv[16]= {2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 5, 6, 7};
+ uchar src[1000], dst[1100], dst2[1100], ddst[1000];
+ uchar md5[MY_MD5_HASH_SIZE];
+ uint src_len, dst_len, dst_len2, ddst_len;
+ int result;
+
+ if (MY_AES_UNSUPPORTED(mode))
+ {
+ skip(nopad?7:6, "%s not supported", mode_str);
+ return;
+ }
+ memset(src, fill, src_len= slen);
+ result= my_aes_crypt(mode, nopad | ENCRYPTION_FLAG_ENCRYPT, src, src_len,
+ dst, &dst_len, key, sizeof(key), iv, sizeof(iv));
+ ok(result == MY_AES_OK, "encrypt %s %u %s", mode_str, src_len,
+ nopad ? "nopad" : "pad");
+
+ if (nopad)
+ {
+ result= aes_crypt_bytewise(mode, nopad | ENCRYPTION_FLAG_ENCRYPT, src,
+ src_len, dst2, &dst_len2, key, sizeof(key),
+ iv, sizeof(iv));
+ ok(result == MY_AES_OK, "encrypt bytewise %s %u", mode_str, src_len);
+ /* Compare with non-bytewise encryption result*/
+ ok(dst_len == dst_len2 && memcmp(dst, dst2, dst_len) == 0,
+ "memcmp bytewise %s %u", mode_str, src_len);
+ }
+ else
+ {
+ int dst_len_real= my_aes_get_size(mode, src_len);
+ ok(dst_len_real= dst_len, "my_aes_get_size");
}
+ my_md5(md5, (char *) dst, dst_len);
+ ok(dst_len == dlen, "md5 len");
+ ok(memcmp(md5, hash, sizeof(md5)) == 0, "md5");
+ result= my_aes_crypt(mode, nopad | ENCRYPTION_FLAG_DECRYPT,
+ dst, dst_len, ddst, &ddst_len, key, sizeof(key), iv,
+ sizeof(iv));
+
+ ok(result == MY_AES_OK, "decrypt %s %u", mode_str, dst_len);
+ ok(ddst_len == src_len && memcmp(src, ddst, src_len) == 0, "memcmp");
+}
-#define DO_TEST_P(M,S,F,D,H) DO_TEST(M,0,S,F,D,H)
-#define DO_TEST_N(M,S,F,D,H) DO_TEST(M,ENCRYPTION_FLAG_NOPAD,S,F,D,H)
+#define DO_TEST_P(M, S, F, D, H) do_test(M, #M, 0, S, F, D, H)
+#define DO_TEST_N(M, S, F, D, H) do_test(M, #M, ENCRYPTION_FLAG_NOPAD, S, F, D, H)
/* useful macro for debugging */
#define PRINT_MD5() \
@@ -53,25 +122,15 @@
printf("\"\n"); \
} while(0);
-#ifndef HAVE_EncryptAes128Ctr
-const uint MY_AES_CTR=0xDEADBEAF;
-#endif
-#ifndef HAVE_EncryptAes128Gcm
-const uint MY_AES_GCM=0xDEADBEAF;
-#endif
int
main(int argc __attribute__((unused)),char *argv[])
{
- uchar key[16]= {1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6};
- uchar iv[16]= {2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7};
- uchar src[1000], dst[1100], ddst[1000];
- uchar md5[MY_MD5_HASH_SIZE];
- uint src_len, dst_len, ddst_len;
MY_INIT(argv[0]);
- plan(87);
+ plan(122);
+
DO_TEST_P(MY_AES_ECB, 200, '.', 208, "\xd8\x73\x8e\x3a\xbc\x66\x99\x13\x7f\x90\x23\x52\xee\x97\x6f\x9a");
DO_TEST_P(MY_AES_ECB, 128, '?', 144, "\x19\x58\x33\x85\x4c\xaa\x7f\x06\xd1\xb2\xec\xd7\xb7\x6a\xa9\x5b");
DO_TEST_P(MY_AES_CBC, 159, '%', 160, "\x4b\x03\x18\x3d\xf1\xa7\xcd\xa1\x46\xb3\xc6\x8a\x92\xc0\x0f\xc9");
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment
