Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
slapos
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Analytics
Analytics
CI / CD
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Steven Gueguen
slapos
Commits
54eab2b3
Commit
54eab2b3
authored
Dec 14, 2023
by
Kazuhiko Shiozaki
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
component/mariadb: backport OpenSSL 3.0 support for MariaDB 10.4.
parent
da53b8f0
Changes
2
Hide whitespace changes
Inline
Side-by-side
Showing
2 changed files
with
334 additions
and
0 deletions
+334
-0
component/mariadb/buildout.cfg
component/mariadb/buildout.cfg
+1
-0
component/mariadb/mariadb-10.4.32-openssl-3.0.patch
component/mariadb/mariadb-10.4.32-openssl-3.0.patch
+333
-0
No files found.
component/mariadb/buildout.cfg
View file @
54eab2b3
...
@@ -101,6 +101,7 @@ pcre-location = ${pcre:location}
...
@@ -101,6 +101,7 @@ pcre-location = ${pcre:location}
patch-options = -p1
patch-options = -p1
patches =
patches =
https://sources.debian.org/data/main/m/mariadb-10.3/1:10.3.34-0+deb10u1/debian/patches/0024-Revert-to-using-system-pcre-library.patch#1c6a0f2634f5a56122299674b77b1131
https://sources.debian.org/data/main/m/mariadb-10.3/1:10.3.34-0+deb10u1/debian/patches/0024-Revert-to-using-system-pcre-library.patch#1c6a0f2634f5a56122299674b77b1131
${:_profile_base_location_}/mariadb-10.4.32-openssl-3.0.patch#3e10af43d23701f5c0eefc117c31f5ff
[mariadb-10.5]
[mariadb-10.5]
<= mariadb-common
<= mariadb-common
...
...
component/mariadb/mariadb-10.4.32-openssl-3.0.patch
0 → 100644
View file @
54eab2b3
Changes to support OpenSSL 3.0 based on the following commits :
* 8a9c1e9ccf227e5f8ee9a4716a9b64665a8489e3 MDEV-25785 Add support for OpenSSL 3.0
*
1dc09ce0fdcf556dfc57de3f012a455c6d54a951 Revert "don't build with OpenSSL 3.0, it doesn't work before MDEV-25785"
diff -ur mariadb-10.4.32.orig/cmake/ssl.cmake mariadb-10.4.32/cmake/ssl.cmake
--- mariadb-10.4.32.orig/cmake/ssl.cmake 2023-10-30 13:36:19.000000000 +0100
+++ mariadb-10.4.32/cmake/ssl.cmake 2023-12-14 22:10:13.397922000 +0100
@@ -118,7 +118,7 @@
ENDIF()
FIND_PACKAGE(OpenSSL)
SET_PACKAGE_PROPERTIES(OpenSSL PROPERTIES TYPE RECOMMENDED)
- IF(OPENSSL_FOUND AND OPENSSL_VERSION AND OPENSSL_VERSION VERSION_LESS "3.0.0")
+ IF(OPENSSL_FOUND)
SET(OPENSSL_LIBRARY ${OPENSSL_SSL_LIBRARY})
INCLUDE(CheckSymbolExists)
SET(SSL_SOURCES "")
@@ -139,6 +139,13 @@
SET(SSL_INTERNAL_INCLUDE_DIRS "")
SET(SSL_DEFINES "-DHAVE_OPENSSL")
+ # Silence "deprecated in OpenSSL 3.0"
+ IF((NOT OPENSSL_VERSION) # 3.0 not determined by older cmake
+ OR NOT(OPENSSL_VERSION VERSION_LESS "3.0.0"))
+ SET(SSL_DEFINES "${SSL_DEFINES} -DOPENSSL_API_COMPAT=0x10100000L")
+ SET(CMAKE_REQUIRED_DEFINITIONS -DOPENSSL_API_COMPAT=0x10100000L)
+ ENDIF()
+
SET(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
SET(CMAKE_REQUIRED_LIBRARIES ${SSL_LIBRARIES})
SET(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
@@ -152,6 +159,7 @@
HAVE_X509_check_host)
SET(CMAKE_REQUIRED_INCLUDES)
SET(CMAKE_REQUIRED_LIBRARIES)
+ SET(CMAKE_REQUIRED_DEFINITIONS)
ELSE()
IF(WITH_SSL STREQUAL "system")
MESSAGE(FATAL_ERROR "Cannot find appropriate system libraries for SSL. Use WITH_SSL=bundled to enable SSL support")
diff -ur mariadb-10.4.32.orig/include/ssl_compat.h mariadb-10.4.32/include/ssl_compat.h
--- mariadb-10.4.32.orig/include/ssl_compat.h 2023-10-30 13:36:19.000000000 +0100
+++ mariadb-10.4.32/include/ssl_compat.h 2023-12-14 22:00:26.607591689 +0100
@@ -78,7 +78,6 @@
#define DH_set0_pqg(D,P,Q,G) ((D)->p= (P), (D)->g= (G))
#endif
-#define EVP_CIPHER_CTX_buf_noconst(ctx) ((ctx)->buf)
#define EVP_CIPHER_CTX_encrypting(ctx) ((ctx)->encrypt)
#define EVP_CIPHER_CTX_SIZE sizeof(EVP_CIPHER_CTX)
diff -ur mariadb-10.4.32.orig/mysql-test/lib/openssl.cnf mariadb-10.4.32/mysql-test/lib/openssl.cnf
--- mariadb-10.4.32.orig/mysql-test/lib/openssl.cnf 2023-10-30 13:36:19.000000000 +0100
+++ mariadb-10.4.32/mysql-test/lib/openssl.cnf 2023-12-14 22:00:26.607591689 +0100
@@ -9,4 +9,4 @@
system_default = system_default_section
[system_default_section]
-CipherString = ALL:@SECLEVEL=1
+CipherString = ALL:@SECLEVEL=0
diff -ur mariadb-10.4.32.orig/mysql-test/main/ssl_cipher.result mariadb-10.4.32/mysql-test/main/ssl_cipher.result
--- mariadb-10.4.32.orig/mysql-test/main/ssl_cipher.result 2023-10-30 13:36:19.000000000 +0100
+++ mariadb-10.4.32/mysql-test/main/ssl_cipher.result 2023-12-14 22:00:26.607591689 +0100
@@ -61,9 +61,9 @@
SHOW STATUS LIKE 'Ssl_cipher';
Variable_name Value
Ssl_cipher AES128-SHA
-SHOW STATUS LIKE 'Ssl_cipher_list';
-Variable_name Value
-Ssl_cipher_list AES128-SHA
+SELECT VARIABLE_VALUE like '%AES128-SHA%' FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher_list';
+VARIABLE_VALUE like '%AES128-SHA%'
+1
disconnect ssl_con;
connection default;
call mtr.add_suppression("TLSv1.0 and TLSv1.1 are insecure");
diff -ur mariadb-10.4.32.orig/mysql-test/main/ssl_cipher.test mariadb-10.4.32/mysql-test/main/ssl_cipher.test
--- mariadb-10.4.32.orig/mysql-test/main/ssl_cipher.test 2023-10-30 13:36:19.000000000 +0100
+++ mariadb-10.4.32/mysql-test/main/ssl_cipher.test 2023-12-14 22:00:26.607591689 +0100
@@ -98,7 +98,7 @@
source include/restart_mysqld.inc;
connect (ssl_con,localhost,root,,,,,SSL);
SHOW STATUS LIKE 'Ssl_cipher';
-SHOW STATUS LIKE 'Ssl_cipher_list';
+SELECT VARIABLE_VALUE like '%AES128-SHA%' FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher_list';
disconnect ssl_con;
connection default;
diff -ur mariadb-10.4.32.orig/mysys_ssl/my_crypt.cc mariadb-10.4.32/mysys_ssl/my_crypt.cc
--- mariadb-10.4.32.orig/mysys_ssl/my_crypt.cc 2023-10-30 13:36:20.000000000 +0100
+++ mariadb-10.4.32/mysys_ssl/my_crypt.cc 2023-12-14 22:00:26.607591689 +0100
@@ -29,11 +29,7 @@
#include <ssl_compat.h>
#include <cstdint>
-#ifdef HAVE_WOLFSSL
#define CTX_ALIGN 16
-#else
-#define CTX_ALIGN 0
-#endif
class MyCTX
{
@@ -100,8 +96,9 @@
{
public:
const uchar *key;
- uint klen, buf_len;
+ uint klen, source_tail_len;
uchar oiv[MY_AES_BLOCK_SIZE];
+ uchar source_tail[MY_AES_BLOCK_SIZE];
MyCTX_nopad() : MyCTX() { }
~MyCTX_nopad() = default;
@@ -112,7 +109,7 @@
compile_time_assert(MY_AES_CTX_SIZE >= sizeof(MyCTX_nopad));
this->key= key;
this->klen= klen;
- this->buf_len= 0;
+ this->source_tail_len= 0;
if (ivlen)
memcpy(oiv, iv, ivlen);
DBUG_ASSERT(ivlen == 0 || ivlen == sizeof(oiv));
@@ -123,26 +120,41 @@
return res;
}
+ /** Update last partial source block, stored in source_tail array. */
+ void update_source_tail(const uchar* src, uint slen)
+ {
+ if (!slen)
+ return;
+ uint new_tail_len= (source_tail_len + slen) % MY_AES_BLOCK_SIZE;
+ if (new_tail_len)
+ {
+ if (slen + source_tail_len < MY_AES_BLOCK_SIZE)
+ {
+ memcpy(source_tail + source_tail_len, src, slen);
+ }
+ else
+ {
+ DBUG_ASSERT(slen > new_tail_len);
+ memcpy(source_tail, src + slen - new_tail_len, new_tail_len);
+ }
+ }
+ source_tail_len= new_tail_len;
+ }
+
int update(const uchar *src, uint slen, uchar *dst, uint *dlen)
{
- buf_len+= slen;
+ update_source_tail(src, slen);
return MyCTX::update(src, slen, dst, dlen);
}
int finish(uchar *dst, uint *dlen)
{
- buf_len %= MY_AES_BLOCK_SIZE;
- if (buf_len)
+ if (source_tail_len)
{
- uchar *buf= EVP_CIPHER_CTX_buf_noconst(ctx);
/*
Not much we can do, block ciphers cannot encrypt data that aren't
a multiple of the block length. At least not without padding.
Let's do something CTR-like for the last partial block.
-
- NOTE this assumes that there are only buf_len bytes in the buf.
- If OpenSSL will change that, we'll need to change the implementation
- of this class too.
*/
uchar mask[MY_AES_BLOCK_SIZE];
uint mlen;
@@ -154,10 +166,10 @@
return rc;
DBUG_ASSERT(mlen == sizeof(mask));
- for (uint i=0; i < buf_len; i++)
- dst[i]= buf[i] ^ mask[i];
+ for (uint i=0; i < source_tail_len; i++)
+ dst[i]= source_tail[i] ^ mask[i];
}
- *dlen= buf_len;
+ *dlen= source_tail_len;
return MY_AES_OK;
}
};
diff -ur mariadb-10.4.32.orig/unittest/mysys/aes-t.c mariadb-10.4.32/unittest/mysys/aes-t.c
--- mariadb-10.4.32.orig/unittest/mysys/aes-t.c 2023-10-30 13:36:22.000000000 +0100
+++ mariadb-10.4.32/unittest/mysys/aes-t.c 2023-12-14 22:00:26.607591689 +0100
@@ -21,27 +21,96 @@
#include <string.h>
#include <ctype.h>
-#define DO_TEST(mode, nopad, slen, fill, dlen, hash) \
- SKIP_BLOCK_IF(mode == 0xDEADBEAF, nopad ? 4 : 5, #mode " not supported") \
- { \
- memset(src, fill, src_len= slen); \
- ok(my_aes_crypt(mode, nopad | ENCRYPTION_FLAG_ENCRYPT, \
- src, src_len, dst, &dst_len, \
- key, sizeof(key), iv, sizeof(iv)) == MY_AES_OK, \
- "encrypt " #mode " %u %s", src_len, nopad ? "nopad" : "pad"); \
- if (!nopad) \
- ok (dst_len == my_aes_get_size(mode, src_len), "my_aes_get_size");\
- my_md5(md5, (char*)dst, dst_len); \
- ok(dst_len == dlen && memcmp(md5, hash, sizeof(md5)) == 0, "md5"); \
- ok(my_aes_crypt(mode, nopad | ENCRYPTION_FLAG_DECRYPT, \
- dst, dst_len, ddst, &ddst_len, \
- key, sizeof(key), iv, sizeof(iv)) == MY_AES_OK, \
- "decrypt " #mode " %u", dst_len); \
- ok(ddst_len == src_len && memcmp(src, ddst, src_len) == 0, "memcmp"); \
+
+/** Test streaming encryption, bytewise update.*/
+static int aes_crypt_bytewise(enum my_aes_mode mode, int flags, const unsigned char *src,
+ unsigned int slen, unsigned char *dst, unsigned int *dlen,
+ const unsigned char *key, unsigned int klen,
+ const unsigned char *iv, unsigned int ivlen)
+{
+ /* Allocate context on odd address on stack, in order to
+ catch misalignment errors.*/
+ void *ctx= (char *)alloca(MY_AES_CTX_SIZE+1)+1;
+
+ int res1, res2;
+ uint d1= 0, d2;
+ uint i;
+
+ if ((res1= my_aes_crypt_init(ctx, mode, flags, key, klen, iv, ivlen)))
+ return res1;
+ for (i= 0; i < slen; i++)
+ {
+ uint tmp_d1=0;
+ res1= my_aes_crypt_update(ctx, src+i,1, dst, &tmp_d1);
+ if (res1)
+ return res1;
+ d1+= tmp_d1;
+ dst+= tmp_d1;
+ }
+ res2= my_aes_crypt_finish(ctx, dst, &d2);
+ *dlen= d1 + d2;
+ return res1 ? res1 : res2;
+}
+
+
+#ifndef HAVE_EncryptAes128Ctr
+const uint MY_AES_CTR=0xDEADBEAF;
+#endif
+#ifndef HAVE_EncryptAes128Gcm
+const uint MY_AES_GCM=0xDEADBEAF;
+#endif
+
+#define MY_AES_UNSUPPORTED(x) (x == 0xDEADBEAF)
+
+static void do_test(uint mode, const char *mode_str, int nopad, uint slen,
+ char fill, size_t dlen, const char *hash)
+{
+ uchar key[16]= {1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 5, 6};
+ uchar iv[16]= {2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 5, 6, 7};
+ uchar src[1000], dst[1100], dst2[1100], ddst[1000];
+ uchar md5[MY_MD5_HASH_SIZE];
+ uint src_len, dst_len, dst_len2, ddst_len;
+ int result;
+
+ if (MY_AES_UNSUPPORTED(mode))
+ {
+ skip(nopad?7:6, "%s not supported", mode_str);
+ return;
+ }
+ memset(src, fill, src_len= slen);
+ result= my_aes_crypt(mode, nopad | ENCRYPTION_FLAG_ENCRYPT, src, src_len,
+ dst, &dst_len, key, sizeof(key), iv, sizeof(iv));
+ ok(result == MY_AES_OK, "encrypt %s %u %s", mode_str, src_len,
+ nopad ? "nopad" : "pad");
+
+ if (nopad)
+ {
+ result= aes_crypt_bytewise(mode, nopad | ENCRYPTION_FLAG_ENCRYPT, src,
+ src_len, dst2, &dst_len2, key, sizeof(key),
+ iv, sizeof(iv));
+ ok(result == MY_AES_OK, "encrypt bytewise %s %u", mode_str, src_len);
+ /* Compare with non-bytewise encryption result*/
+ ok(dst_len == dst_len2 && memcmp(dst, dst2, dst_len) == 0,
+ "memcmp bytewise %s %u", mode_str, src_len);
}
+ else
+ {
+ int dst_len_real= my_aes_get_size(mode, src_len);
+ ok(dst_len_real= dst_len, "my_aes_get_size");
+ }
+ my_md5(md5, (char *) dst, dst_len);
+ ok(dst_len == dlen, "md5 len");
+ ok(memcmp(md5, hash, sizeof(md5)) == 0, "md5");
+ result= my_aes_crypt(mode, nopad | ENCRYPTION_FLAG_DECRYPT,
+ dst, dst_len, ddst, &ddst_len, key, sizeof(key), iv,
+ sizeof(iv));
+
+ ok(result == MY_AES_OK, "decrypt %s %u", mode_str, dst_len);
+ ok(ddst_len == src_len && memcmp(src, ddst, src_len) == 0, "memcmp");
+}
-#define DO_TEST_P(M,S,F,D,H) DO_TEST(M,0,S,F,D,H)
-#define DO_TEST_N(M,S,F,D,H) DO_TEST(M,ENCRYPTION_FLAG_NOPAD,S,F,D,H)
+#define DO_TEST_P(M, S, F, D, H) do_test(M, #M, 0, S, F, D, H)
+#define DO_TEST_N(M, S, F, D, H) do_test(M, #M, ENCRYPTION_FLAG_NOPAD, S, F, D, H)
/* useful macro for debugging */
#define PRINT_MD5() \
@@ -53,25 +122,15 @@
printf("\"\n"); \
} while(0);
-#ifndef HAVE_EncryptAes128Ctr
-const uint MY_AES_CTR=0xDEADBEAF;
-#endif
-#ifndef HAVE_EncryptAes128Gcm
-const uint MY_AES_GCM=0xDEADBEAF;
-#endif
int
main(int argc __attribute__((unused)),char *argv[])
{
- uchar key[16]= {1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6};
- uchar iv[16]= {2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7};
- uchar src[1000], dst[1100], ddst[1000];
- uchar md5[MY_MD5_HASH_SIZE];
- uint src_len, dst_len, ddst_len;
MY_INIT(argv[0]);
- plan(87);
+ plan(122);
+
DO_TEST_P(MY_AES_ECB, 200, '.', 208, "\xd8\x73\x8e\x3a\xbc\x66\x99\x13\x7f\x90\x23\x52\xee\x97\x6f\x9a");
DO_TEST_P(MY_AES_ECB, 128, '?', 144, "\x19\x58\x33\x85\x4c\xaa\x7f\x06\xd1\xb2\xec\xd7\xb7\x6a\xa9\x5b");
DO_TEST_P(MY_AES_CBC, 159, '%', 160, "\x4b\x03\x18\x3d\xf1\xa7\xcd\xa1\x46\xb3\xc6\x8a\x92\xc0\x0f\xc9");
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment