component/mariadb: backport OpenSSL 3.0 support for MariaDB 10.4.

54eab2b3 · Kazuhiko Shiozaki · da53b8f0 · 54eab2b3 · 54eab2b3
Commit 54eab2b3 authored Dec 14, 2023 by Kazuhiko Shiozaki
Showing with 334 additions and 0 deletions

component/mariadb/buildout.cfg component/mariadb/buildout.cfg +1 -0

component/mariadb/mariadb-10.4.32-openssl-3.0.patch component/mariadb/mariadb-10.4.32-openssl-3.0.patch +333 -0

No files found.
--- a/component/mariadb/buildout.cfg
+++ b/component/mariadb/buildout.cfg
@@ -101,6 +101,7 @@ pcre-location = ${pcre:location}
 patch-options = -p1
 patches =
  https://sources.debian.org/data/main/m/mariadb-10.3/1:10.3.34-0+deb10u1/debian/patches/0024-Revert-to-using-system-pcre-library.patch#1c6a0f2634f5a56122299674b77b1131
+  ${:_profile_base_location_}/mariadb-10.4.32-openssl-3.0.patch#3e10af43d23701f5c0eefc117c31f5ff

 [mariadb-10.5]
 <= mariadb-common

--- a/component/mariadb/mariadb-10.4.32-openssl-3.0.patch
+++ b/component/mariadb/mariadb-10.4.32-openssl-3.0.patch
+Changes to support OpenSSL 3.0 based on the following commits :
+
+* 8a9c1e9ccf227e5f8ee9a4716a9b64665a8489e3 MDEV-25785 Add support for OpenSSL 3.0
+* 1dc09ce0fdcf556dfc57de3f012a455c6d54a951 Revert "don't build with OpenSSL 3.0, it doesn't work before MDEV-25785"
+
+diff -ur mariadb-10.4.32.orig/cmake/ssl.cmake mariadb-10.4.32/cmake/ssl.cmake
+--- mariadb-10.4.32.orig/cmake/ssl.cmake	2023-10-30 13:36:19.000000000 +0100
+++ mariadb-10.4.32/cmake/ssl.cmake	2023-12-14 22:10:13.397922000 +0100
+@@ -118,7 +118,7 @@
+     ENDIF()
+     FIND_PACKAGE(OpenSSL)
+     SET_PACKAGE_PROPERTIES(OpenSSL PROPERTIES TYPE RECOMMENDED)
+-    IF(OPENSSL_FOUND AND OPENSSL_VERSION AND OPENSSL_VERSION VERSION_LESS "3.0.0")
+    IF(OPENSSL_FOUND)
+       SET(OPENSSL_LIBRARY ${OPENSSL_SSL_LIBRARY})
+       INCLUDE(CheckSymbolExists)
+       SET(SSL_SOURCES "")
+@@ -139,6 +139,13 @@
+       SET(SSL_INTERNAL_INCLUDE_DIRS "")
+       SET(SSL_DEFINES "-DHAVE_OPENSSL")
+ 
+      # Silence "deprecated in OpenSSL 3.0"
+      IF((NOT OPENSSL_VERSION) # 3.0 not determined by older cmake
+         OR NOT(OPENSSL_VERSION VERSION_LESS "3.0.0"))
+        SET(SSL_DEFINES "${SSL_DEFINES} -DOPENSSL_API_COMPAT=0x10100000L")
+        SET(CMAKE_REQUIRED_DEFINITIONS -DOPENSSL_API_COMPAT=0x10100000L)
+      ENDIF()
+
+       SET(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
+       SET(CMAKE_REQUIRED_LIBRARIES ${SSL_LIBRARIES})
+       SET(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
+@@ -152,6 +159,7 @@
+                           HAVE_X509_check_host)
+       SET(CMAKE_REQUIRED_INCLUDES)
+       SET(CMAKE_REQUIRED_LIBRARIES)
+      SET(CMAKE_REQUIRED_DEFINITIONS)
+     ELSE()
+       IF(WITH_SSL STREQUAL "system")
+         MESSAGE(FATAL_ERROR "Cannot find appropriate system libraries for SSL. Use WITH_SSL=bundled to enable SSL support")
+diff -ur mariadb-10.4.32.orig/include/ssl_compat.h mariadb-10.4.32/include/ssl_compat.h
+--- mariadb-10.4.32.orig/include/ssl_compat.h	2023-10-30 13:36:19.000000000 +0100
+++ mariadb-10.4.32/include/ssl_compat.h	2023-12-14 22:00:26.607591689 +0100
+@@ -78,7 +78,6 @@
+ #define DH_set0_pqg(D,P,Q,G)            ((D)->p= (P), (D)->g= (G))
+ #endif
+ 
+-#define EVP_CIPHER_CTX_buf_noconst(ctx) ((ctx)->buf)
+ #define EVP_CIPHER_CTX_encrypting(ctx)  ((ctx)->encrypt)
+ #define EVP_CIPHER_CTX_SIZE             sizeof(EVP_CIPHER_CTX)
+ 
+diff -ur mariadb-10.4.32.orig/mysql-test/lib/openssl.cnf mariadb-10.4.32/mysql-test/lib/openssl.cnf
+--- mariadb-10.4.32.orig/mysql-test/lib/openssl.cnf	2023-10-30 13:36:19.000000000 +0100
+++ mariadb-10.4.32/mysql-test/lib/openssl.cnf	2023-12-14 22:00:26.607591689 +0100
+@@ -9,4 +9,4 @@
+ system_default = system_default_section
+ 
+ [system_default_section]
+-CipherString = ALL:@SECLEVEL=1
+CipherString = ALL:@SECLEVEL=0
+diff -ur mariadb-10.4.32.orig/mysql-test/main/ssl_cipher.result mariadb-10.4.32/mysql-test/main/ssl_cipher.result
+--- mariadb-10.4.32.orig/mysql-test/main/ssl_cipher.result	2023-10-30 13:36:19.000000000 +0100
+++ mariadb-10.4.32/mysql-test/main/ssl_cipher.result	2023-12-14 22:00:26.607591689 +0100
+@@ -61,9 +61,9 @@
+ SHOW STATUS LIKE 'Ssl_cipher';
+ Variable_name	Value
+ Ssl_cipher	AES128-SHA
+-SHOW STATUS LIKE 'Ssl_cipher_list';
+-Variable_name	Value
+-Ssl_cipher_list	AES128-SHA
+SELECT VARIABLE_VALUE like '%AES128-SHA%' FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher_list';
+VARIABLE_VALUE like '%AES128-SHA%'
+1
+ disconnect ssl_con;
+ connection default;
+ call mtr.add_suppression("TLSv1.0 and TLSv1.1 are insecure");
+diff -ur mariadb-10.4.32.orig/mysql-test/main/ssl_cipher.test mariadb-10.4.32/mysql-test/main/ssl_cipher.test
+--- mariadb-10.4.32.orig/mysql-test/main/ssl_cipher.test	2023-10-30 13:36:19.000000000 +0100
+++ mariadb-10.4.32/mysql-test/main/ssl_cipher.test	2023-12-14 22:00:26.607591689 +0100
+@@ -98,7 +98,7 @@
+ source include/restart_mysqld.inc;
+ connect (ssl_con,localhost,root,,,,,SSL);
+ SHOW STATUS LIKE 'Ssl_cipher';
+-SHOW STATUS LIKE 'Ssl_cipher_list';
+SELECT VARIABLE_VALUE like '%AES128-SHA%' FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher_list';
+ disconnect ssl_con;
+ connection default;
+ 
+diff -ur mariadb-10.4.32.orig/mysys_ssl/my_crypt.cc mariadb-10.4.32/mysys_ssl/my_crypt.cc
+--- mariadb-10.4.32.orig/mysys_ssl/my_crypt.cc	2023-10-30 13:36:20.000000000 +0100
+++ mariadb-10.4.32/mysys_ssl/my_crypt.cc	2023-12-14 22:00:26.607591689 +0100
+@@ -29,11 +29,7 @@
+ #include <ssl_compat.h>
+ #include <cstdint>
+ 
+-#ifdef HAVE_WOLFSSL
+ #define CTX_ALIGN 16
+-#else
+-#define CTX_ALIGN 0
+-#endif
+ 
+ class MyCTX
+ {
+@@ -100,8 +96,9 @@
+ {
+ public:
+   const uchar *key;
+-  uint klen, buf_len;
+  uint klen, source_tail_len;
+   uchar oiv[MY_AES_BLOCK_SIZE];
+  uchar source_tail[MY_AES_BLOCK_SIZE];
+ 
+   MyCTX_nopad() : MyCTX() { }
+   ~MyCTX_nopad() = default;
+@@ -112,7 +109,7 @@
+     compile_time_assert(MY_AES_CTX_SIZE >= sizeof(MyCTX_nopad));
+     this->key= key;
+     this->klen= klen;
+-    this->buf_len= 0;
+    this->source_tail_len= 0;
+     if (ivlen)
+       memcpy(oiv, iv, ivlen);
+     DBUG_ASSERT(ivlen == 0 || ivlen == sizeof(oiv));
+@@ -123,26 +120,41 @@
+     return res;
+   }
+ 
+  /** Update last partial source block, stored in source_tail array. */
+  void update_source_tail(const uchar* src, uint slen)
+  {
+    if (!slen)
+      return;
+    uint new_tail_len= (source_tail_len + slen) % MY_AES_BLOCK_SIZE;
+    if (new_tail_len)
+    {
+      if (slen + source_tail_len < MY_AES_BLOCK_SIZE)
+      {
+        memcpy(source_tail + source_tail_len, src, slen);
+      }
+      else
+      {
+        DBUG_ASSERT(slen > new_tail_len);
+        memcpy(source_tail, src + slen - new_tail_len, new_tail_len);
+      }
+    }
+    source_tail_len= new_tail_len;
+  }
+
+   int update(const uchar *src, uint slen, uchar *dst, uint *dlen)
+   {
+-    buf_len+= slen;
+    update_source_tail(src, slen);
+     return MyCTX::update(src, slen, dst, dlen);
+   }
+ 
+   int finish(uchar *dst, uint *dlen)
+   {
+-    buf_len %= MY_AES_BLOCK_SIZE;
+-    if (buf_len)
+    if (source_tail_len)
+     {
+-      uchar *buf= EVP_CIPHER_CTX_buf_noconst(ctx);
+       /*
+         Not much we can do, block ciphers cannot encrypt data that aren't
+         a multiple of the block length. At least not without padding.
+         Let's do something CTR-like for the last partial block.
+-
+-        NOTE this assumes that there are only buf_len bytes in the buf.
+-        If OpenSSL will change that, we'll need to change the implementation
+-        of this class too.
+       */
+       uchar mask[MY_AES_BLOCK_SIZE];
+       uint mlen;
+@@ -154,10 +166,10 @@
+         return rc;
+       DBUG_ASSERT(mlen == sizeof(mask));
+ 
+-      for (uint i=0; i < buf_len; i++)
+-        dst[i]= buf[i] ^ mask[i];
+      for (uint i=0; i < source_tail_len; i++)
+        dst[i]= source_tail[i] ^ mask[i];
+     }
+-    *dlen= buf_len;
+    *dlen= source_tail_len;
+     return MY_AES_OK;
+   }
+ };
+diff -ur mariadb-10.4.32.orig/unittest/mysys/aes-t.c mariadb-10.4.32/unittest/mysys/aes-t.c
+--- mariadb-10.4.32.orig/unittest/mysys/aes-t.c	2023-10-30 13:36:22.000000000 +0100
+++ mariadb-10.4.32/unittest/mysys/aes-t.c	2023-12-14 22:00:26.607591689 +0100
+@@ -21,27 +21,96 @@
+ #include <string.h>
+ #include <ctype.h>
+ 
+-#define DO_TEST(mode, nopad, slen, fill, dlen, hash)                    \
+-  SKIP_BLOCK_IF(mode == 0xDEADBEAF, nopad ? 4 : 5, #mode " not supported")     \
+-  {                                                                     \
+-    memset(src, fill, src_len= slen);                                   \
+-    ok(my_aes_crypt(mode, nopad | ENCRYPTION_FLAG_ENCRYPT,              \
+-                    src, src_len, dst, &dst_len,                        \
+-                    key, sizeof(key), iv, sizeof(iv)) == MY_AES_OK,     \
+-      "encrypt " #mode " %u %s", src_len, nopad ? "nopad" : "pad");     \
+-    if (!nopad)                                                         \
+-      ok (dst_len == my_aes_get_size(mode, src_len), "my_aes_get_size");\
+-    my_md5(md5, (char*)dst, dst_len);                                   \
+-    ok(dst_len == dlen && memcmp(md5, hash, sizeof(md5)) == 0, "md5");  \
+-    ok(my_aes_crypt(mode, nopad | ENCRYPTION_FLAG_DECRYPT,              \
+-                    dst, dst_len, ddst, &ddst_len,                      \
+-                    key, sizeof(key), iv, sizeof(iv)) == MY_AES_OK,     \
+-       "decrypt " #mode " %u", dst_len);                                \
+-    ok(ddst_len == src_len && memcmp(src, ddst, src_len) == 0, "memcmp"); \
+
+/** Test streaming encryption, bytewise update.*/
+static int aes_crypt_bytewise(enum my_aes_mode mode, int flags, const unsigned char *src,
+                 unsigned int slen, unsigned char *dst, unsigned int *dlen,
+                 const unsigned char *key, unsigned int klen,
+                 const unsigned char *iv, unsigned int ivlen)
+{
+  /* Allocate context on odd address on stack, in order to
+   catch misalignment errors.*/
+  void *ctx= (char *)alloca(MY_AES_CTX_SIZE+1)+1;
+
+  int res1, res2;
+  uint d1= 0, d2;
+  uint i;
+
+  if ((res1= my_aes_crypt_init(ctx, mode, flags, key, klen, iv, ivlen)))
+    return res1;
+  for (i= 0; i < slen; i++)
+  {
+    uint tmp_d1=0;
+    res1= my_aes_crypt_update(ctx, src+i,1, dst, &tmp_d1);
+    if (res1)
+      return res1;
+    d1+= tmp_d1;
+    dst+= tmp_d1;
+  }
+  res2= my_aes_crypt_finish(ctx, dst, &d2);
+  *dlen= d1 + d2;
+  return res1 ? res1 : res2;
+}
+
+
+#ifndef HAVE_EncryptAes128Ctr
+const uint MY_AES_CTR=0xDEADBEAF;
+#endif
+#ifndef HAVE_EncryptAes128Gcm
+const uint MY_AES_GCM=0xDEADBEAF;
+#endif
+
+#define MY_AES_UNSUPPORTED(x)  (x == 0xDEADBEAF)
+
+static void do_test(uint mode, const char *mode_str, int nopad, uint slen,
+                    char fill, size_t dlen, const char *hash)
+{
+  uchar key[16]= {1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 5, 6};
+  uchar iv[16]= {2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 5, 6, 7};
+  uchar src[1000], dst[1100], dst2[1100], ddst[1000];
+  uchar md5[MY_MD5_HASH_SIZE];
+  uint src_len, dst_len, dst_len2, ddst_len;
+  int result;
+
+  if (MY_AES_UNSUPPORTED(mode))
+  {
+    skip(nopad?7:6, "%s not supported", mode_str);
+    return;
+  }
+  memset(src, fill, src_len= slen);
+  result= my_aes_crypt(mode, nopad | ENCRYPTION_FLAG_ENCRYPT, src, src_len,
+                       dst, &dst_len, key, sizeof(key), iv, sizeof(iv));
+  ok(result == MY_AES_OK, "encrypt %s %u %s", mode_str, src_len,
+     nopad ? "nopad" : "pad");
+
+  if (nopad)
+  {
+    result= aes_crypt_bytewise(mode, nopad | ENCRYPTION_FLAG_ENCRYPT, src,
+                                src_len, dst2, &dst_len2, key, sizeof(key),
+                                iv, sizeof(iv));
+    ok(result == MY_AES_OK, "encrypt bytewise %s %u", mode_str, src_len);
+    /* Compare with non-bytewise encryption result*/
+    ok(dst_len == dst_len2 && memcmp(dst, dst2, dst_len) == 0,
+       "memcmp bytewise  %s %u", mode_str, src_len);
+   }
+  else
+  {
+    int dst_len_real= my_aes_get_size(mode, src_len);
+    ok(dst_len_real= dst_len, "my_aes_get_size");
+  }
+  my_md5(md5, (char *) dst, dst_len);
+  ok(dst_len == dlen, "md5 len");
+  ok(memcmp(md5, hash, sizeof(md5)) == 0, "md5");
+  result= my_aes_crypt(mode, nopad | ENCRYPTION_FLAG_DECRYPT,
+                       dst, dst_len, ddst, &ddst_len, key, sizeof(key), iv,
+                       sizeof(iv));
+
+  ok(result == MY_AES_OK, "decrypt %s %u", mode_str, dst_len);
+  ok(ddst_len == src_len && memcmp(src, ddst, src_len) == 0, "memcmp");
+}
+ 
+-#define DO_TEST_P(M,S,F,D,H) DO_TEST(M,0,S,F,D,H)
+-#define DO_TEST_N(M,S,F,D,H) DO_TEST(M,ENCRYPTION_FLAG_NOPAD,S,F,D,H)
+#define DO_TEST_P(M, S, F, D, H) do_test(M, #M, 0, S, F, D, H)
+#define DO_TEST_N(M, S, F, D, H) do_test(M, #M, ENCRYPTION_FLAG_NOPAD, S, F, D, H)
+ 
+ /* useful macro for debugging */
+ #define PRINT_MD5()                                     \
+@@ -53,25 +122,15 @@
+     printf("\"\n");                                     \
+   } while(0);
+ 
+-#ifndef HAVE_EncryptAes128Ctr
+-const uint MY_AES_CTR=0xDEADBEAF;
+-#endif
+-#ifndef HAVE_EncryptAes128Gcm
+-const uint MY_AES_GCM=0xDEADBEAF;
+-#endif
+ 
+ int
+ main(int argc __attribute__((unused)),char *argv[])
+ {
+-  uchar key[16]= {1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6};
+-  uchar iv[16]=  {2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7};
+-  uchar src[1000], dst[1100], ddst[1000];
+-  uchar md5[MY_MD5_HASH_SIZE];
+-  uint src_len, dst_len, ddst_len;
+ 
+   MY_INIT(argv[0]);
+ 
+-  plan(87);
+  plan(122);
+
+   DO_TEST_P(MY_AES_ECB, 200, '.', 208, "\xd8\x73\x8e\x3a\xbc\x66\x99\x13\x7f\x90\x23\x52\xee\x97\x6f\x9a");
+   DO_TEST_P(MY_AES_ECB, 128, '?', 144, "\x19\x58\x33\x85\x4c\xaa\x7f\x06\xd1\xb2\xec\xd7\xb7\x6a\xa9\x5b");
+   DO_TEST_P(MY_AES_CBC, 159, '%', 160, "\x4b\x03\x18\x3d\xf1\xa7\xcd\xa1\x46\xb3\xc6\x8a\x92\xc0\x0f\xc9");