Date: Thursday, May 25, 2017 @ 13:58:42 Author: eworm Revision: 296571
prepare for mariadb 10.2.6 Modified: mariadb/trunk/PKGBUILD Deleted: mariadb/trunk/0001-openssl-1-1-0.patch --------------------------+ 0001-openssl-1-1-0.patch | 2129 --------------------------------------------- PKGBUILD | 76 - 2 files changed, 36 insertions(+), 2169 deletions(-) Deleted: 0001-openssl-1-1-0.patch =================================================================== --- 0001-openssl-1-1-0.patch 2017-05-25 11:35:31 UTC (rev 296570) +++ 0001-openssl-1-1-0.patch 2017-05-25 13:58:42 UTC (rev 296571) @@ -1,2129 +0,0 @@ -From fb57acd98f96b3d2684cd29c126b4904db81f84c Mon Sep 17 00:00:00 2001 -From: Georg Richter <[email protected]> -Date: Wed, 8 Mar 2017 17:39:47 +0100 -Subject: [PATCH 1/2] MDEV-10332 support for OpenSSL 1.1 and LibreSSL - -Initial support - -tested against OpenSSL 1.0.1, 1.0.2, 1.1.0, Yassl and LibreSSL -not working on Windows with native SChannel support, due to wrong cipher -mapping: Latter one requires push of CONC-241 fixes. -Please note that OpenSSL 0.9.8 and OpenSSL 1.1.0 will not work: Even if -the build succeeds, test cases will fail with various errors, especially -when using different tls libraries or versions for client and server. - -Upstream commit: f8866f8f665ac26beb31842fef48ecee5feb346e ---- - extra/yassl/src/handshake.cpp | 10 +++ - include/my_crypt.h | 15 ++++ - include/violite.h | 9 +- - mysql-test/include/require_openssl_client.inc | 5 ++ - mysql-test/mysql-test-run.pl | 5 ++ - mysql-test/r/openssl_1.result | 2 +- - mysql-test/r/openssl_6975,tlsv10.result | 18 ++-- - mysql-test/r/openssl_6975,tlsv12.result | 14 ++-- - mysql-test/t/openssl_1.test | 4 +- - mysql-test/t/openssl_6975.test | 19 +++-- - mysql-test/t/ssl_7937.test | 1 + - mysql-test/t/ssl_8k_key.test | 1 + - mysys_ssl/my_crypt.cc | 115 ++++++++++++++++++-------- - mysys_ssl/my_md5.cc | 39 ++++++--- - mysys_ssl/yassl.cc | 15 ++++ - sql-common/client.c | 6 +- - sql/mysqld.cc | 14 +++- - sql/slave.cc | 13 +++ - vio/viosslfactories.c | 54 ++++++++---- - 19 files changed, 263 insertions(+), 96 deletions(-) - create mode 100644 mysql-test/include/require_openssl_client.inc - -diff --git a/extra/yassl/src/handshake.cpp b/extra/yassl/src/handshake.cpp -index 407e4092ccc..6e181a997bd 100644 ---- a/extra/yassl/src/handshake.cpp -+++ b/extra/yassl/src/handshake.cpp -@@ -788,6 +788,16 @@ int DoProcessReply(SSL& ssl) - needHdr = true; - else { - buffer >> hdr; -+ /* -+ According to RFC 4346 (see "7.4.1.3. Server Hello"), the Server Hello -+ packet needs to specify the highest supported TLS version, but not -+ higher than what client requests. YaSSL highest supported version is -+ TLSv1.1 (=3.2) - if the client requests a higher version, downgrade it -+ here to 3.2. -+ See also Appendix E of RFC 5246 (TLS 1.2) -+ */ -+ if (hdr.version_.major_ == 3 && hdr.version_.minor_ > 2) -+ hdr.version_.minor_ = 2; - ssl.verifyState(hdr); - } - -diff --git a/include/my_crypt.h b/include/my_crypt.h -index 719e349bfb9..e7dd9d80100 100644 ---- a/include/my_crypt.h -+++ b/include/my_crypt.h -@@ -21,4 +21,19 @@ - #include <my_config.h> /* HAVE_EncryptAes128{Ctr,Gcm} */ - #include <mysql/service_my_crypt.h> - -+/* OpenSSL version specific definitions */ -+#if !defined(HAVE_YASSL) && defined(OPENSSL_VERSION_NUMBER) -+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) -+#define ERR_remove_state(X) -+#else -+#define EVP_CIPHER_CTX_reset(X) EVP_CIPHER_CTX_cleanup(X) -+#define RAND_OpenSSL() RAND_SSLeay(); -+#if defined(HAVE_ERR_remove_thread_state) -+#define ERR_remove_state(X) ERR_remove_thread_state(NULL) -+#endif -+#endif -+#elif defined(HAVE_YASSL) -+#define EVP_CIPHER_CTX_reset(X) EVP_CIPHER_CTX_cleanup(X) -+#endif /* !defined(HAVE_YASSL) */ -+ - #endif /* MY_CRYPT_INCLUDED */ -diff --git a/include/violite.h b/include/violite.h -index a7165ca91a9..23800696e5a 100644 ---- a/include/violite.h -+++ b/include/violite.h -@@ -146,14 +146,15 @@ typedef my_socket YASSL_SOCKET_T; - #include <openssl/ssl.h> - #include <openssl/err.h> - --#ifdef HAVE_ERR_remove_thread_state -+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) -+#define ERR_remove_state(X) -+#elif defined(HAVE_ERR_remove_thread_state) - #define ERR_remove_state(X) ERR_remove_thread_state(NULL) - #endif -- - enum enum_ssl_init_error - { -- SSL_INITERR_NOERROR= 0, SSL_INITERR_CERT, SSL_INITERR_KEY, -- SSL_INITERR_NOMATCH, SSL_INITERR_BAD_PATHS, SSL_INITERR_CIPHERS, -+ SSL_INITERR_NOERROR= 0, SSL_INITERR_CERT, SSL_INITERR_KEY, -+ SSL_INITERR_NOMATCH, SSL_INITERR_BAD_PATHS, SSL_INITERR_CIPHERS, - SSL_INITERR_MEMFAIL, SSL_INITERR_DH, SSL_INITERR_LASTERR - }; - const char* sslGetErrString(enum enum_ssl_init_error err); -diff --git a/mysql-test/include/require_openssl_client.inc b/mysql-test/include/require_openssl_client.inc -new file mode 100644 -index 00000000000..9b19960041b ---- /dev/null -+++ b/mysql-test/include/require_openssl_client.inc -@@ -0,0 +1,5 @@ -+if ($CLIENT_TLS_LIBRARY != "OpenSSL") { -+ if ($CLIENT_TLS_LIBRARY != "LibreSSL") { -+ skip "Test requires Connector/C with OpenSSL library"; -+ } -+} -diff --git a/mysql-test/mysql-test-run.pl b/mysql-test/mysql-test-run.pl -index ef054fb2d3e..7241d2f2ea9 100755 ---- a/mysql-test/mysql-test-run.pl -+++ b/mysql-test/mysql-test-run.pl -@@ -2304,6 +2304,11 @@ sub environment_setup { - $ENV{'MYSQL_PLUGIN'}= $exe_mysql_plugin; - $ENV{'MYSQL_EMBEDDED'}= $exe_mysql_embedded; - -+ my $client_config_exe= -+ native_path("$bindir/libmariadb/mariadb_config$opt_vs_config/mariadb_config"); -+ my $tls_info= `$client_config_exe --tlsinfo`; -+ ($ENV{CLIENT_TLS_LIBRARY},$ENV{CLIENT_TLS_LIBRARY_VERSION})= -+ split(/ /, $tls_info, 2); - my $exe_mysqld= find_mysqld($basedir); - $ENV{'MYSQLD'}= $exe_mysqld; - my $extra_opts= join (" ", @opt_extra_mysqld_opt); -diff --git a/mysql-test/r/openssl_1.result b/mysql-test/r/openssl_1.result -index 294ddaf7884..9a9bc619377 100644 ---- a/mysql-test/r/openssl_1.result -+++ b/mysql-test/r/openssl_1.result -@@ -198,7 +198,7 @@ DROP TABLE t1; - Variable_name Value - Ssl_cipher DHE-RSA-AES256-SHA - Variable_name Value --Ssl_cipher EDH-RSA-DES-CBC3-SHA -+Ssl_cipher AES128-SHA - select 'is still running; no cipher request crashed the server' as result from dual; - result - is still running; no cipher request crashed the server -diff --git a/mysql-test/r/openssl_6975,tlsv10.result b/mysql-test/r/openssl_6975,tlsv10.result -index 6285faa0143..202e7f4268e 100644 ---- a/mysql-test/r/openssl_6975,tlsv10.result -+++ b/mysql-test/r/openssl_6975,tlsv10.result -@@ -1,24 +1,24 @@ - create user ssl_sslv3@localhost; --grant select on test.* to ssl_sslv3@localhost require cipher "RC4-SHA"; -+grant select on test.* to ssl_sslv3@localhost require cipher "AES128-SHA"; - create user ssl_tls12@localhost; - grant select on test.* to ssl_tls12@localhost require cipher "AES128-SHA256"; - TLS1.2 ciphers: user is ok with any cipher --ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure --ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure --TLS1.2 ciphers: user requires SSLv3 cipher RC4-SHA --ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure --ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure -+ERROR 2026 (HY000): SSL connection error: sslv3 alert handshake failure -+ERROR 2026 (HY000): SSL connection error: sslv3 alert handshake failure -+TLS1.2 ciphers: user requires SSLv3 cipher AES128-SHA -+ERROR 2026 (HY000): SSL connection error: sslv3 alert handshake failure -+ERROR 2026 (HY000): SSL connection error: sslv3 alert handshake failure - TLS1.2 ciphers: user requires TLSv1.2 cipher AES128-SHA256 - ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure - ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure - SSLv3 ciphers: user is ok with any cipher - Variable_name Value --Ssl_cipher RC4-SHA -+Ssl_cipher AES256-SHA - Variable_name Value - Ssl_cipher DHE-RSA-AES256-SHA --SSLv3 ciphers: user requires SSLv3 cipher RC4-SHA -+SSLv3 ciphers: user requires SSLv3 cipher AES128-SHA - Variable_name Value --Ssl_cipher RC4-SHA -+Ssl_cipher AES128-SHA - ERROR 1045 (28000): Access denied for user 'ssl_sslv3'@'localhost' (using password: NO) - SSLv3 ciphers: user requires TLSv1.2 cipher AES128-SHA256 - ERROR 1045 (28000): Access denied for user 'ssl_tls12'@'localhost' (using password: NO) -diff --git a/mysql-test/r/openssl_6975,tlsv12.result b/mysql-test/r/openssl_6975,tlsv12.result -index 31d2658c829..e2cc28cca70 100644 ---- a/mysql-test/r/openssl_6975,tlsv12.result -+++ b/mysql-test/r/openssl_6975,tlsv12.result -@@ -1,5 +1,5 @@ - create user ssl_sslv3@localhost; --grant select on test.* to ssl_sslv3@localhost require cipher "RC4-SHA"; -+grant select on test.* to ssl_sslv3@localhost require cipher "AES128-SHA"; - create user ssl_tls12@localhost; - grant select on test.* to ssl_tls12@localhost require cipher "AES128-SHA256"; - TLS1.2 ciphers: user is ok with any cipher -@@ -7,7 +7,7 @@ Variable_name Value - Ssl_cipher AES128-SHA256 - Variable_name Value - Ssl_cipher DHE-RSA-AES256-GCM-SHA384 --TLS1.2 ciphers: user requires SSLv3 cipher RC4-SHA -+TLS1.2 ciphers: user requires SSLv3 cipher AES128-SHA - ERROR 1045 (28000): Access denied for user 'ssl_sslv3'@'localhost' (using password: NO) - ERROR 1045 (28000): Access denied for user 'ssl_sslv3'@'localhost' (using password: NO) - TLS1.2 ciphers: user requires TLSv1.2 cipher AES128-SHA256 -@@ -15,11 +15,11 @@ Variable_name Value - Ssl_cipher AES128-SHA256 - ERROR 1045 (28000): Access denied for user 'ssl_tls12'@'localhost' (using password: NO) - SSLv3 ciphers: user is ok with any cipher --ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure --ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure --SSLv3 ciphers: user requires SSLv3 cipher RC4-SHA --ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure --ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure -+ERROR 2026 (HY000): SSL connection error: sslv3 alert handshake failure -+ERROR 2026 (HY000): SSL connection error: sslv3 alert handshake failure -+SSLv3 ciphers: user requires SSLv3 cipher AES128-SHA -+ERROR 2026 (HY000): SSL connection error: sslv3 alert handshake failure -+ERROR 2026 (HY000): SSL connection error: sslv3 alert handshake failure - SSLv3 ciphers: user requires TLSv1.2 cipher AES128-SHA256 - ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure - ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure -diff --git a/mysql-test/t/openssl_1.test b/mysql-test/t/openssl_1.test -index eea74b5b012..28f666263d2 100644 ---- a/mysql-test/t/openssl_1.test -+++ b/mysql-test/t/openssl_1.test -@@ -221,8 +221,8 @@ DROP TABLE t1; - # - - # Common ciphers to openssl and yassl ----exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl_cipher';" --ssl-cipher=DHE-RSA-AES256-SHA ----exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl_cipher';" --ssl-cipher=EDH-RSA-DES-CBC3-SHA -+--exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl_cipher';" --ssl-cipher=AES256-SHA -+--exec $MYSQL --host=localhost -e "SHOW STATUS LIKE 'Ssl_cipher';" --ssl-cipher=AES128-SHA - --disable_query_log - --disable_result_log - -diff --git a/mysql-test/t/openssl_6975.test b/mysql-test/t/openssl_6975.test -index 6e8e03a0a89..6cf5d82cf54 100644 ---- a/mysql-test/t/openssl_6975.test -+++ b/mysql-test/t/openssl_6975.test -@@ -4,11 +4,13 @@ - # test SSLv3 and TLSv1.2 ciphers when OpenSSL is restricted to SSLv3 or TLSv1.2 - # - source include/have_ssl_communication.inc; -+source include/require_openssl_client.inc; - - # this is OpenSSL test. - - create user ssl_sslv3@localhost; --grant select on test.* to ssl_sslv3@localhost require cipher "RC4-SHA"; -+# grant select on test.* to ssl_sslv3@localhost require cipher "AES128-SHA"; -+grant select on test.* to ssl_sslv3@localhost require cipher "AES128-SHA"; - create user ssl_tls12@localhost; - grant select on test.* to ssl_tls12@localhost require cipher "AES128-SHA256"; - -@@ -18,8 +20,9 @@ disable_abort_on_error; - echo TLS1.2 ciphers: user is ok with any cipher; - exec $mysql --ssl-cipher=AES128-SHA256; - --replace_result DHE-RSA-CHACHA20-POLY1305 DHE-RSA-AES256-GCM-SHA384 --exec $mysql --ssl-cipher=TLSv1.2; --echo TLS1.2 ciphers: user requires SSLv3 cipher RC4-SHA; -+--replace_result ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 -+exec $mysql --ssl-cipher=TLSv1.2 -+echo TLS1.2 ciphers: user requires SSLv3 cipher AES128-SHA; - exec $mysql --user ssl_sslv3 --ssl-cipher=AES128-SHA256; - exec $mysql --user ssl_sslv3 --ssl-cipher=TLSv1.2; - echo TLS1.2 ciphers: user requires TLSv1.2 cipher AES128-SHA256; -@@ -27,13 +30,13 @@ exec $mysql --user ssl_tls12 --ssl-cipher=AES128-SHA256; - exec $mysql --user ssl_tls12 --ssl-cipher=TLSv1.2; - - echo SSLv3 ciphers: user is ok with any cipher; --exec $mysql --ssl-cipher=RC4-SHA; --exec $mysql --ssl-cipher=SSLv3; --echo SSLv3 ciphers: user requires SSLv3 cipher RC4-SHA; --exec $mysql --user ssl_sslv3 --ssl-cipher=RC4-SHA; -+exec $mysql --ssl-cipher=AES256-SHA; -+exec $mysql --ssl-cipher=DHE-RSA-AES256-SHA -+echo SSLv3 ciphers: user requires SSLv3 cipher AES128-SHA; -+exec $mysql --user ssl_sslv3 --ssl-cipher=AES128-SHA; - exec $mysql --user ssl_sslv3 --ssl-cipher=SSLv3; - echo SSLv3 ciphers: user requires TLSv1.2 cipher AES128-SHA256; --exec $mysql --user ssl_tls12 --ssl-cipher=RC4-SHA; -+exec $mysql --user ssl_tls12 --ssl-cipher=AES128-SHA; - exec $mysql --user ssl_tls12 --ssl-cipher=SSLv3; - - drop user ssl_sslv3@localhost; -diff --git a/mysql-test/t/ssl_7937.test b/mysql-test/t/ssl_7937.test -index d593b9d936d..a76457906ec 100644 ---- a/mysql-test/t/ssl_7937.test -+++ b/mysql-test/t/ssl_7937.test -@@ -26,6 +26,7 @@ create procedure have_ssl() - # we fake the test result for yassl - let yassl=`select variable_value='Unknown' from information_schema.session_status where variable_name='Ssl_session_cache_mode'`; - if (!$yassl) { -+ --replace_result "self signed certificate in certificate chain" "Failed to verify the server certificate" "Error in the certificate." "Failed to verify the server certificate" - --exec $MYSQL --ssl --ssl-verify-server-cert -e "call test.have_ssl()" 2>&1 - } - if ($yassl) { -diff --git a/mysql-test/t/ssl_8k_key.test b/mysql-test/t/ssl_8k_key.test -index 27cffdce1f2..470d577edb8 100644 ---- a/mysql-test/t/ssl_8k_key.test -+++ b/mysql-test/t/ssl_8k_key.test -@@ -1,4 +1,5 @@ - # This test should work in embedded server after we fix mysqltest -+-- source include/require_openssl_client.inc - -- source include/not_embedded.inc - - -- source include/have_ssl_communication.inc -diff --git a/mysys_ssl/my_crypt.cc b/mysys_ssl/my_crypt.cc -index a0937a83e17..0ff49a2c427 100644 ---- a/mysys_ssl/my_crypt.cc -+++ b/mysys_ssl/my_crypt.cc -@@ -17,7 +17,6 @@ - - #include <my_global.h> - #include <string.h> --#include <my_crypt.h> - - #ifdef HAVE_YASSL - #include "yassl.cc" -@@ -26,43 +25,51 @@ - #include <openssl/evp.h> - #include <openssl/aes.h> - #include <openssl/err.h> -+#include <openssl/rand.h> - --#ifdef HAVE_ERR_remove_thread_state --#define ERR_remove_state(X) ERR_remove_thread_state(NULL) - #endif -+#include <my_crypt.h> - --#endif -+#define MY_CIPHER_CTX_SIZE 384 - - class MyCTX - { - public: -- EVP_CIPHER_CTX ctx; -- MyCTX() { EVP_CIPHER_CTX_init(&ctx); } -- virtual ~MyCTX() { EVP_CIPHER_CTX_cleanup(&ctx); ERR_remove_state(0); } -+ EVP_CIPHER_CTX *ctx; -+ const uchar *key; -+ unsigned int klen; -+ MyCTX() { -+ ctx= EVP_CIPHER_CTX_new(); -+ } -+ virtual ~MyCTX() { -+ EVP_CIPHER_CTX_free(ctx); -+ ERR_remove_state(0); -+ } - - virtual int init(const EVP_CIPHER *cipher, int encrypt, const uchar *key, - uint klen, const uchar *iv, uint ivlen) - { -+ compile_time_assert(MY_AES_CTX_SIZE >= sizeof(MyCTX)); - if (unlikely(!cipher)) - return MY_AES_BAD_KEYSIZE; - -- if (!EVP_CipherInit_ex(&ctx, cipher, NULL, key, iv, encrypt)) -+ if (!EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, encrypt)) - return MY_AES_OPENSSL_ERROR; - -- DBUG_ASSERT(EVP_CIPHER_CTX_key_length(&ctx) == (int)klen); -- DBUG_ASSERT(EVP_CIPHER_CTX_iv_length(&ctx) <= (int)ivlen); -+ DBUG_ASSERT(EVP_CIPHER_CTX_key_length(ctx) == (int)klen); -+ DBUG_ASSERT(EVP_CIPHER_CTX_iv_length(ctx) <= (int)ivlen); - - return MY_AES_OK; - } - virtual int update(const uchar *src, uint slen, uchar *dst, uint *dlen) - { -- if (!EVP_CipherUpdate(&ctx, dst, (int*)dlen, src, slen)) -+ if (!EVP_CipherUpdate(ctx, dst, (int*)dlen, src, slen)) - return MY_AES_OPENSSL_ERROR; - return MY_AES_OK; - } - virtual int finish(uchar *dst, uint *dlen) - { -- if (!EVP_CipherFinal_ex(&ctx, dst, (int*)dlen)) -+ if (!EVP_CipherFinal_ex(ctx, dst, (int*)dlen)) - return MY_AES_BAD_DATA; - return MY_AES_OK; - } -@@ -71,11 +78,9 @@ class MyCTX - class MyCTX_nopad : public MyCTX - { - public: -- const uchar *key; -- int klen; -- - MyCTX_nopad() : MyCTX() { } - ~MyCTX_nopad() { } -+ unsigned int buf_len; - - int init(const EVP_CIPHER *cipher, int encrypt, const uchar *key, uint klen, - const uchar *iv, uint ivlen) -@@ -83,16 +88,39 @@ class MyCTX_nopad : public MyCTX - compile_time_assert(MY_AES_CTX_SIZE >= sizeof(MyCTX_nopad)); - this->key= key; - this->klen= klen; -+ this->buf_len= 0; -+ /* FIX-ME: -+ For the sake of backward compatibility we do some strange hack here: -+ Since ECB doesn't need an IV (and therefore is considered kind of -+ insecure) we need to store the specified iv. -+ The last nonpadding block will be encrypted with an additional -+ expensive crypt_call in ctr mode instead -+ of encrypting the entire plain text in ctr-mode */ -+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) -+ const unsigned char *oiv= EVP_CIPHER_CTX_original_iv(ctx); -+#else -+ const unsigned char *oiv= ctx->oiv; -+#endif -+ memcpy((char *)oiv, iv, ivlen); -+ - int res= MyCTX::init(cipher, encrypt, key, klen, iv, ivlen); -- memcpy(ctx.oiv, iv, ivlen); // in ECB mode OpenSSL doesn't do that itself -- EVP_CIPHER_CTX_set_padding(&ctx, 0); -+ -+ EVP_CIPHER_CTX_set_padding(ctx, 0); - return res; - } - -+ int update(const uchar *src, uint slen, uchar *dst, uint *dlen) -+ { -+ buf_len= slen % MY_AES_BLOCK_SIZE; -+ return MyCTX::update(src, slen, dst, dlen); -+ } -+ - int finish(uchar *dst, uint *dlen) - { -- if (ctx.buf_len) -+ if (buf_len) - { -+ const uchar *org_iv; -+ unsigned char *buf; - /* - Not much we can do, block ciphers cannot encrypt data that aren't - a multiple of the block length. At least not without padding. -@@ -101,14 +129,22 @@ class MyCTX_nopad : public MyCTX - uchar mask[MY_AES_BLOCK_SIZE]; - uint mlen; - -+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) -+ org_iv= EVP_CIPHER_CTX_original_iv(ctx); -+ buf= EVP_CIPHER_CTX_buf_noconst(ctx); -+#else -+ org_iv= ctx->oiv; -+ buf= ctx->buf; -+#endif -+ - my_aes_crypt(MY_AES_ECB, ENCRYPTION_FLAG_ENCRYPT | ENCRYPTION_FLAG_NOPAD, -- ctx.oiv, sizeof(mask), mask, &mlen, key, klen, 0, 0); -+ org_iv, sizeof(mask), mask, &mlen, key, klen, 0, 0); - DBUG_ASSERT(mlen == sizeof(mask)); - -- for (int i=0; i < ctx.buf_len; i++) -- dst[i]= ctx.buf[i] ^ mask[i]; -+ for (uint i=0; i < buf_len; i++) -+ dst[i]= buf[i] ^ mask[i]; - } -- *dlen= ctx.buf_len; -+ *dlen= buf_len; - return MY_AES_OK; - } - }; -@@ -142,8 +178,9 @@ make_aes_dispatcher(gcm) - class MyCTX_gcm : public MyCTX - { - public: -- const uchar *aad; -+ const uchar *aad= NULL; - int aadlen; -+ my_bool encrypt; - MyCTX_gcm() : MyCTX() { } - ~MyCTX_gcm() { } - -@@ -152,9 +189,10 @@ class MyCTX_gcm : public MyCTX - { - compile_time_assert(MY_AES_CTX_SIZE >= sizeof(MyCTX_gcm)); - int res= MyCTX::init(cipher, encrypt, key, klen, iv, ivlen); -- int real_ivlen= EVP_CIPHER_CTX_iv_length(&ctx); -+ int real_ivlen= EVP_CIPHER_CTX_iv_length(ctx); - aad= iv + real_ivlen; - aadlen= ivlen - real_ivlen; -+ this->encrypt= encrypt; - return res; - } - -@@ -166,15 +204,15 @@ class MyCTX_gcm : public MyCTX - before decrypting the data. it can encrypt data piecewise, like, first - half, then the second half, but it must decrypt all at once - */ -- if (!ctx.encrypt) -+ if (!this->encrypt) - { - slen-= MY_AES_BLOCK_SIZE; -- if(!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_TAG, MY_AES_BLOCK_SIZE, -+ if(!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, MY_AES_BLOCK_SIZE, - (void*)(src + slen))) - return MY_AES_OPENSSL_ERROR; - } -- int unused; -- if (aadlen && !EVP_CipherUpdate(&ctx, NULL, &unused, aad, aadlen)) -+ int unused= 0; -+ if (aadlen && !EVP_CipherUpdate(ctx, NULL, &unused, aad, aadlen)) - return MY_AES_OPENSSL_ERROR; - aadlen= 0; - return MyCTX::update(src, slen, dst, dlen); -@@ -182,14 +220,14 @@ class MyCTX_gcm : public MyCTX - - int finish(uchar *dst, uint *dlen) - { -- int fin; -- if (!EVP_CipherFinal_ex(&ctx, dst, &fin)) -+ int fin= 0; -+ if (!EVP_CipherFinal_ex(ctx, dst, &fin)) - return MY_AES_BAD_DATA; - DBUG_ASSERT(fin == 0); - -- if (ctx.encrypt) -+ if (this->encrypt) - { -- if(!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_GET_TAG, MY_AES_BLOCK_SIZE, dst)) -+ if(!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, MY_AES_BLOCK_SIZE, dst)) - return MY_AES_OPENSSL_ERROR; - *dlen= MY_AES_BLOCK_SIZE; - } -@@ -257,12 +295,20 @@ int my_aes_crypt(enum my_aes_mode mode, int flags, - { - void *ctx= alloca(MY_AES_CTX_SIZE); - int res1, res2; -- uint d1, d2; -+ uint d1= 0, d2= 0; - if ((res1= my_aes_crypt_init(ctx, mode, flags, key, klen, iv, ivlen))) - return res1; - res1= my_aes_crypt_update(ctx, src, slen, dst, &d1); - res2= my_aes_crypt_finish(ctx, dst + d1, &d2); - *dlen= d1 + d2; -+ /* in case of failure clear error queue */ -+#ifndef HAVE_YASSL -+ /* since we don't check the crypto error messages we need to -+ clear the error queue - otherwise subsequent crypto or tls/ssl -+ calls will fail */ -+ if (!*dlen) -+ ERR_clear_error(); -+#endif - return res1 ? res1 : res2; - } - -@@ -301,7 +347,6 @@ int my_random_bytes(uchar* buf, int num) - return MY_AES_OK; - } - #else --#include <openssl/rand.h> - - int my_random_bytes(uchar *buf, int num) - { -@@ -311,7 +356,7 @@ int my_random_bytes(uchar *buf, int num) - instead of whatever random engine is currently set in OpenSSL. That way - we are guaranteed to have a non-blocking random. - */ -- RAND_METHOD *rand = RAND_SSLeay(); -+ RAND_METHOD *rand = RAND_OpenSSL(); - if (rand == NULL || rand->bytes(buf, num) != 1) - return MY_AES_OPENSSL_ERROR; - return MY_AES_OK; -diff --git a/mysys_ssl/my_md5.cc b/mysys_ssl/my_md5.cc -index 7139ea9b6ff..02c01dd7148 100644 ---- a/mysys_ssl/my_md5.cc -+++ b/mysys_ssl/my_md5.cc -@@ -27,6 +27,8 @@ - #include <my_md5.h> - #include <stdarg.h> - -+#define MA_HASH_CTX_SIZE 512 -+ - #if defined(HAVE_YASSL) - #include "md5.hpp" - -@@ -57,11 +59,18 @@ static void md5_result(MD5_CONTEXT *context, uchar digest[MD5_HASH_SIZE]) - } - - #elif defined(HAVE_OPENSSL) -+ -+ - #include <openssl/evp.h> -+ -+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) -+#define EVP_MD_CTX_reset(X) EVP_MD_CTX_cleanup(X) -+#endif - typedef EVP_MD_CTX MD5_CONTEXT; - - static void md5_init(MD5_CONTEXT *context) - { -+ memset(context, 0, my_md5_context_size()); - EVP_MD_CTX_init(context); - #ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW - /* Ok to ignore FIPS: MD5 is not used for crypto here */ -@@ -83,7 +92,7 @@ static void md5_input(MD5_CONTEXT *context, const uchar *buf, unsigned len) - static void md5_result(MD5_CONTEXT *context, uchar digest[MD5_HASH_SIZE]) - { - EVP_DigestFinal_ex(context, digest, NULL); -- EVP_MD_CTX_cleanup(context); -+ EVP_MD_CTX_reset(context); - } - - #endif /* HAVE_YASSL */ -@@ -99,11 +108,14 @@ static void md5_result(MD5_CONTEXT *context, uchar digest[MD5_HASH_SIZE]) - */ - void my_md5(uchar *digest, const char *buf, size_t len) - { -+#ifdef HAVE_YASSL - MD5_CONTEXT md5_context; -- -- md5_init_fast(&md5_context); -- md5_input(&md5_context, (const uchar *)buf, len); -- md5_result(&md5_context, digest); -+#else -+ unsigned char md5_context[MA_HASH_CTX_SIZE]; -+#endif -+ md5_init_fast((MD5_CONTEXT *)&md5_context); -+ md5_input((MD5_CONTEXT *)&md5_context, (const uchar *)buf, len); -+ md5_result((MD5_CONTEXT *)&md5_context, digest); - } - - -@@ -122,22 +134,25 @@ void my_md5(uchar *digest, const char *buf, size_t len) - void my_md5_multi(uchar *digest, ...) - { - va_list args; -- va_start(args, digest); -- -- MD5_CONTEXT md5_context; - const uchar *str; -+#ifdef HAVE_YASSL -+ MD5_CONTEXT md5_context; -+#else -+ unsigned char md5_context[MA_HASH_CTX_SIZE]; -+#endif -+ va_start(args, digest); - -- md5_init_fast(&md5_context); -+ md5_init_fast((MD5_CONTEXT *)&md5_context); - for (str= va_arg(args, const uchar*); str; str= va_arg(args, const uchar*)) -- md5_input(&md5_context, str, va_arg(args, size_t)); -+ md5_input((MD5_CONTEXT *)&md5_context, str, va_arg(args, size_t)); - -- md5_result(&md5_context, digest); -+ md5_result((MD5_CONTEXT *)&md5_context, digest); - va_end(args); - } - - size_t my_md5_context_size() - { -- return sizeof(MD5_CONTEXT); -+ return MA_HASH_CTX_SIZE; - } - - void my_md5_init(void *context) -diff --git a/mysys_ssl/yassl.cc b/mysys_ssl/yassl.cc -index 9717870fe26..9e6f90d8d77 100644 ---- a/mysys_ssl/yassl.cc -+++ b/mysys_ssl/yassl.cc -@@ -24,6 +24,7 @@ - - #include <openssl/ssl.h> - #include "aes.hpp" -+#include <my_sys.h> - - using yaSSL::yaERR_remove_state; - -@@ -75,12 +76,26 @@ static void EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *ctx) - ctx->final_used= ctx->buf_len= ctx->flags= 0; - } - -+static EVP_CIPHER_CTX *EVP_CIPHER_CTX_new() -+{ -+ EVP_CIPHER_CTX *ctx= (EVP_CIPHER_CTX *)my_malloc(sizeof(EVP_CIPHER_CTX), MYF(0)); -+ if (ctx) -+ EVP_CIPHER_CTX_init(ctx); -+ return ctx; -+} -+ - static int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *ctx) - { - TAO(ctx)->~AES(); - return 1; - } - -+static void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx) -+{ -+ EVP_CIPHER_CTX_cleanup(ctx); -+ my_free(ctx); -+} -+ - static int EVP_CIPHER_CTX_set_padding(EVP_CIPHER_CTX *ctx, int pad) - { - if (pad) -diff --git a/sql-common/client.c b/sql-common/client.c -index a918060a848..d881080b55a 100644 ---- a/sql-common/client.c -+++ b/sql-common/client.c -@@ -104,6 +104,10 @@ my_bool net_flush(NET *net); - #define CONNECT_TIMEOUT 0 - #endif - -+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) || defined(HAVE_YASSL) -+#define ASN1_STRING_get0_data(X) ASN1_STRING_data(X) -+#endif -+ - #include "client_settings.h" - #include <sql_common.h> - #include <mysql/client_plugin.h> -@@ -1842,7 +1846,7 @@ static int ssl_verify_server_cert(Vio *vio, const char* server_hostname, const c - goto error; - } - -- cn= (char *) ASN1_STRING_data(cn_asn1); -+ cn= (char *) ASN1_STRING_get0_data(cn_asn1); - - if ((size_t)ASN1_STRING_length(cn_asn1) != strlen(cn)) - { -diff --git a/sql/mysqld.cc b/sql/mysqld.cc -index 0bf57d9543b..d6a7c6b4931 100644 ---- a/sql/mysqld.cc -+++ b/sql/mysqld.cc -@@ -111,6 +111,7 @@ - #endif - - #include <my_systemd.h> -+#include <my_crypt.h> - - #define mysqld_charset &my_charset_latin1 - -@@ -120,6 +121,7 @@ - #define HAVE_CLOSE_SERVER_SOCK 1 - #endif - -+ - extern "C" { // Because of SCO 3.2V4.2 - #include <sys/stat.h> - #ifndef __GNU_LIBRARY__ -@@ -1456,6 +1458,8 @@ scheduler_functions *thread_scheduler= &thread_scheduler_struct, - #ifdef HAVE_OPENSSL - #include <openssl/crypto.h> - #ifndef HAVE_YASSL -+ -+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) - typedef struct CRYPTO_dynlock_value - { - mysql_rwlock_t lock; -@@ -1467,6 +1471,7 @@ static void openssl_dynlock_destroy(openssl_lock_t *, const char *, int); - static void openssl_lock_function(int, int, const char *, int); - static void openssl_lock(int, openssl_lock_t *, const char *, int); - #endif -+#endif - char *des_key_file; - #ifndef EMBEDDED_LIBRARY - struct st_VioSSLFd *ssl_acceptor_fd; -@@ -2243,9 +2248,11 @@ static void clean_up_mutexes() - #ifdef HAVE_OPENSSL - mysql_mutex_destroy(&LOCK_des_key_file); - #ifndef HAVE_YASSL -+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) - for (int i= 0; i < CRYPTO_num_locks(); ++i) - mysql_rwlock_destroy(&openssl_stdlocks[i].lock); - OPENSSL_free(openssl_stdlocks); -+#endif - #endif /* HAVE_YASSL */ - #endif /* HAVE_OPENSSL */ - #ifdef HAVE_REPLICATION -@@ -4595,6 +4602,7 @@ static int init_thread_environment() - mysql_mutex_init(key_LOCK_des_key_file, - &LOCK_des_key_file, MY_MUTEX_INIT_FAST); - #ifndef HAVE_YASSL -+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) - openssl_stdlocks= (openssl_lock_t*) OPENSSL_malloc(CRYPTO_num_locks() * - sizeof(openssl_lock_t)); - for (int i= 0; i < CRYPTO_num_locks(); ++i) -@@ -4605,6 +4613,7 @@ static int init_thread_environment() - CRYPTO_set_locking_callback(openssl_lock_function); - #endif - #endif -+#endif - mysql_rwlock_init(key_rwlock_LOCK_sys_init_connect, &LOCK_sys_init_connect); - mysql_rwlock_init(key_rwlock_LOCK_sys_init_slave, &LOCK_sys_init_slave); - mysql_rwlock_init(key_rwlock_LOCK_grant, &LOCK_grant); -@@ -4638,6 +4647,7 @@ static int init_thread_environment() - - - #if defined(HAVE_OPENSSL) && !defined(HAVE_YASSL) -+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) - static openssl_lock_t *openssl_dynlock_create(const char *file, int line) - { - openssl_lock_t *lock= new openssl_lock_t; -@@ -4697,6 +4707,7 @@ static void openssl_lock(int mode, openssl_lock_t *lock, const char *file, - abort(); - } - } -+#endif - #endif /* HAVE_OPENSSL */ - - -@@ -4726,8 +4737,9 @@ static void init_ssl() - while ((err= ERR_get_error())) - sql_print_warning("SSL error: %s", ERR_error_string(err, NULL)); - } -- else -+ else { - ERR_remove_state(0); -+ } - } - else - { -diff --git a/sql/slave.cc b/sql/slave.cc -index f95dd60287b..636965c4619 100644 ---- a/sql/slave.cc -+++ b/sql/slave.cc -@@ -60,6 +60,11 @@ - #include "debug_sync.h" - #include "rpl_parallel.h" - -+#if OPENSSL_VERSION_NUMBER >= 0x10100000L -+#define ERR_remove_state(X) -+#elif defined(HAVE_ERR_remove_thread_state) -+#define ERR_remove_state(X) ERR_remove_thread_state(NULL) -+#endif - - #define FLAGSTR(V,F) ((V)&(F)?#F" ":"") - -@@ -4505,7 +4510,11 @@ log space"); - DBUG_LEAVE; // Must match DBUG_ENTER() - my_thread_end(); - #ifdef HAVE_OPENSSL -+#if OPENSSL_VERSION_NUMBER < 0x10000000L - ERR_remove_state(0); -+#elif OPENSSL_VERSION_NUMBER < 0x10100000L -+ ERR_remove_thread_state(0); -+#endif - #endif - pthread_exit(0); - return 0; // Avoid compiler warnings -@@ -5166,7 +5175,11 @@ pthread_handler_t handle_slave_sql(void *arg) - DBUG_LEAVE; // Must match DBUG_ENTER() - my_thread_end(); - #ifdef HAVE_OPENSSL -+#if OPENSSL_VERSION_NUMBER < 0x10000000L - ERR_remove_state(0); -+#elif OPENSSL_VERSION_NUMBER < 0x10100000L -+ ERR_remove_thread_state(0); -+#endif - #endif - pthread_exit(0); - return 0; // Avoid compiler warnings -diff --git a/vio/viosslfactories.c b/vio/viosslfactories.c -index 52b624d3376..497047cac72 100644 ---- a/vio/viosslfactories.c -+++ b/vio/viosslfactories.c -@@ -17,17 +17,27 @@ - #include "vio_priv.h" - - #ifdef HAVE_OPENSSL --#ifndef HAVE_YASSL -+#if defined(HAVE_YASSL) || defined(LIBRESSL_VERSION_NUMBER) -+#define OPENSSL_init_ssl(X,Y) SSL_library_init() -+#else - #include <openssl/dh.h> - #include <openssl/bn.h> -+ -+#if OPENSSL_VERSION_NUMBER >= 0x10100000L -+#define ERR_remove_state(X) -+#else -+#define OPENSSL_init_ssl(X,Y) SSL_library_init() -+#endif -+ - #endif - - static my_bool ssl_algorithms_added = FALSE; - static my_bool ssl_error_strings_loaded= FALSE; - - /* the function below was generated with "openssl dhparam -2 -C 2048" */ --static --DH *get_dh2048() -+ -+/* {{{ get_dh_2048 */ -+static DH *get_dh_2048() - { - static unsigned char dh2048_p[]={ - 0xA1,0xBB,0x7C,0x20,0xC5,0x5B,0xC0,0x7B,0x21,0x8B,0xD6,0xA8, -@@ -57,18 +67,32 @@ DH *get_dh2048() - 0x02, - }; - DH *dh; -- -- if ((dh=DH_new()) == NULL) return(NULL); -- dh->p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL); -- dh->g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL); -- if ((dh->p == NULL) || (dh->g == NULL)) -- { DH_free(dh); return(NULL); } -- return(dh); -+ if ((dh=DH_new()) == NULL) -+ return(NULL); -+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) -+ (dh)->p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL); -+ (dh)->g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL); -+ if ((dh)->p == NULL || (dh)->g == NULL) -+ { DH_free(dh); return NULL; } -+#else -+ { -+ BIGNUM *dhp_bn= BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL), -+ *dhg_bn= BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL); -+ if (dhp_bn == NULL || dhg_bn == NULL || -+ !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) -+ { -+ DH_free(dh); -+ BN_free(dhp_bn); -+ BN_free(dhg_bn); -+ return NULL; -+ } -+ } -+#endif -+ return dh; - } - -- - static const char* --ssl_error_string[] = -+ssl_error_string[] = - { - "No error", - "Unable to get certificate", -@@ -148,9 +172,7 @@ static void check_ssl_init() - if (!ssl_algorithms_added) - { - ssl_algorithms_added= TRUE; -- SSL_library_init(); -- OpenSSL_add_all_algorithms(); -- -+ OPENSSL_init_ssl(0, NULL); - } - - if (!ssl_error_strings_loaded) -@@ -265,7 +287,7 @@ new_VioSSLFd(const char *key_file, const char *cert_file, - /* DH stuff */ - if (!is_client_method) - { -- dh=get_dh2048(); -+ dh=get_dh_2048(); - if (!SSL_CTX_set_tmp_dh(ssl_fd->ssl_context, dh)) - { - *error= SSL_INITERR_DH; -From 1e73c46c82f65ef59485f4789cc0642a03bb2494 Mon Sep 17 00:00:00 2001 -From: Sergei Golubchik <[email protected]> -Date: Wed, 3 May 2017 21:22:59 +0200 -Subject: [PATCH 2/2] MDEV-10332 support for OpenSSL 1.1 and LibreSSL - -post-review fixes: -* move all ssl implementation related ifdefs/defines to one file - (ssl_compat.h) -* work around OpenSSL-1.1 desire to malloc every EVP context by - run-time checking that context allocated on the stack is big enough - (openssl.c) -* use newer version of the AWS SDK for OpenSSL 1.1 -* use get_dh2048() function as generated by openssl 1.1 - (viosslfactories.c) - -Upstream commit: ccca4f43c92916c347210a7f9a8126f2aa3f6c31 ---- - include/my_crypt.h | 15 ----- - include/ssl_compat.h | 75 +++++++++++++++++++++ - include/violite.h | 12 ---- - mysql-test/mysql-test-run.pl | 2 +- - mysql-test/t/openssl_6975.test | 7 +- - mysql-test/t/ssl_8k_key.test | 5 +- - mysys_ssl/CMakeLists.txt | 1 + - mysys_ssl/my_crypt.cc | 102 +++++++++++------------------ - mysys_ssl/my_md5.cc | 85 +++++++++--------------- - mysys_ssl/openssl.c | 71 ++++++++++++++++++++ - mysys_ssl/yassl.cc | 19 ------ - plugin/aws_key_management/CMakeLists.txt | 10 +++ - sql-common/client.c | 8 +-- - sql/mysqld.cc | 49 +++++++------- - sql/slave.cc | 19 +----- - vio/vio.c | 1 + - vio/viosslfactories.c | 108 +++++++++++++------------------ - 17 files changed, 305 insertions(+), 284 deletions(-) - create mode 100644 include/ssl_compat.h - create mode 100644 mysys_ssl/openssl.c - -diff --git a/include/my_crypt.h b/include/my_crypt.h -index e7dd9d80100..719e349bfb9 100644 ---- a/include/my_crypt.h -+++ b/include/my_crypt.h -@@ -21,19 +21,4 @@ - #include <my_config.h> /* HAVE_EncryptAes128{Ctr,Gcm} */ - #include <mysql/service_my_crypt.h> - --/* OpenSSL version specific definitions */ --#if !defined(HAVE_YASSL) && defined(OPENSSL_VERSION_NUMBER) --#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) --#define ERR_remove_state(X) --#else --#define EVP_CIPHER_CTX_reset(X) EVP_CIPHER_CTX_cleanup(X) --#define RAND_OpenSSL() RAND_SSLeay(); --#if defined(HAVE_ERR_remove_thread_state) --#define ERR_remove_state(X) ERR_remove_thread_state(NULL) --#endif --#endif --#elif defined(HAVE_YASSL) --#define EVP_CIPHER_CTX_reset(X) EVP_CIPHER_CTX_cleanup(X) --#endif /* !defined(HAVE_YASSL) */ -- - #endif /* MY_CRYPT_INCLUDED */ -diff --git a/include/ssl_compat.h b/include/ssl_compat.h -new file mode 100644 -index 00000000000..b0e3ed497cd ---- /dev/null -+++ b/include/ssl_compat.h -@@ -0,0 +1,75 @@ -+/* -+ Copyright (c) 2016, 2017 MariaDB Corporation -+ -+ This program is free software; you can redistribute it and/or modify -+ it under the terms of the GNU General Public License as published by -+ the Free Software Foundation; version 2 of the License. -+ -+ This program is distributed in the hope that it will be useful, -+ but WITHOUT ANY WARRANTY; without even the implied warranty of -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ GNU General Public License for more details. -+ -+ You should have received a copy of the GNU General Public License -+ along with this program; if not, write to the Free Software -+ Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */ -+ -+#include <openssl/opensslv.h> -+ -+/* OpenSSL version specific definitions */ -+#if !defined(HAVE_YASSL) && defined(OPENSSL_VERSION_NUMBER) -+ -+#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER) -+#define HAVE_X509_check_host 1 -+#endif -+ -+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) -+#define HAVE_OPENSSL11 1 -+#define ERR_remove_state(X) ERR_clear_error() -+#define EVP_MD_CTX_cleanup(X) EVP_MD_CTX_reset(X) -+#define EVP_CIPHER_CTX_SIZE 168 -+#define EVP_MD_CTX_SIZE 48 -+#undef EVP_MD_CTX_init -+#define EVP_MD_CTX_init(X) do { bzero((X), EVP_MD_CTX_SIZE); EVP_MD_CTX_reset(X); } while(0) -+#undef EVP_CIPHER_CTX_init -+#define EVP_CIPHER_CTX_init(X) do { bzero((X), EVP_CIPHER_CTX_SIZE); EVP_CIPHER_CTX_reset(X); } while(0) -+ -+#else -+#define HAVE_OPENSSL10 1 -+/* -+ Unfortunately RAND_bytes manual page does not provide any guarantees -+ in relation to blocking behavior. Here we explicitly use SSLeay random -+ instead of whatever random engine is currently set in OpenSSL. That way -+ we are guaranteed to have a non-blocking random. -+*/ -+#define RAND_OpenSSL() RAND_SSLeay() -+ -+#ifdef HAVE_ERR_remove_thread_state -+#define ERR_remove_state(X) ERR_remove_thread_state(NULL) -+#endif /* HAVE_ERR_remove_thread_state */ -+ -+#endif /* HAVE_OPENSSL11 */ -+ -+#elif defined(HAVE_YASSL) -+#define BN_free(X) do { } while(0) -+#endif /* !defined(HAVE_YASSL) */ -+ -+#ifndef HAVE_OPENSSL11 -+#define ASN1_STRING_get0_data(X) ASN1_STRING_data(X) -+#define OPENSSL_init_ssl(X,Y) SSL_library_init() -+#define DH_set0_pqg(D,P,Q,G) ((D)->p= (P), (D)->g= (G)) -+#define EVP_CIPHER_CTX_buf_noconst(ctx) ((ctx)->buf) -+#define EVP_CIPHER_CTX_encrypting(ctx) ((ctx)->encrypt) -+#define EVP_CIPHER_CTX_SIZE sizeof(EVP_CIPHER_CTX) -+#define EVP_MD_CTX_SIZE sizeof(EVP_MD_CTX) -+#endif -+ -+#ifdef __cplusplus -+extern "C" { -+#endif /* __cplusplus */ -+ -+int check_openssl_compatibility(); -+ -+#ifdef __cplusplus -+} -+#endif -diff --git a/include/violite.h b/include/violite.h -index 23800696e5a..572d4741c80 100644 ---- a/include/violite.h -+++ b/include/violite.h -@@ -123,13 +123,6 @@ int vio_getnameinfo(const struct sockaddr *sa, - int flags); - - #ifdef HAVE_OPENSSL --#include <openssl/opensslv.h> --#if OPENSSL_VERSION_NUMBER < 0x0090700f --#define DES_cblock des_cblock --#define DES_key_schedule des_key_schedule --#define DES_set_key_unchecked(k,ks) des_set_key_unchecked((k),*(ks)) --#define DES_ede3_cbc_encrypt(i,o,l,k1,k2,k3,iv,e) des_ede3_cbc_encrypt((i),(o),(l),*(k1),*(k2),*(k3),(iv),(e)) --#endif - /* apple deprecated openssl in MacOSX Lion */ - #ifdef __APPLE__ - #pragma GCC diagnostic ignored "-Wdeprecated-declarations" -@@ -146,11 +139,6 @@ typedef my_socket YASSL_SOCKET_T; - #include <openssl/ssl.h> - #include <openssl/err.h> - --#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) --#define ERR_remove_state(X) --#elif defined(HAVE_ERR_remove_thread_state) --#define ERR_remove_state(X) ERR_remove_thread_state(NULL) --#endif - enum enum_ssl_init_error - { - SSL_INITERR_NOERROR= 0, SSL_INITERR_CERT, SSL_INITERR_KEY, -diff --git a/mysql-test/mysql-test-run.pl b/mysql-test/mysql-test-run.pl -index 7241d2f2ea9..21dff82736e 100755 ---- a/mysql-test/mysql-test-run.pl -+++ b/mysql-test/mysql-test-run.pl -@@ -2304,7 +2304,7 @@ sub environment_setup { - $ENV{'MYSQL_PLUGIN'}= $exe_mysql_plugin; - $ENV{'MYSQL_EMBEDDED'}= $exe_mysql_embedded; - -- my $client_config_exe= -+ my $client_config_exe= - native_path("$bindir/libmariadb/mariadb_config$opt_vs_config/mariadb_config"); - my $tls_info= `$client_config_exe --tlsinfo`; - ($ENV{CLIENT_TLS_LIBRARY},$ENV{CLIENT_TLS_LIBRARY_VERSION})= -diff --git a/mysql-test/t/openssl_6975.test b/mysql-test/t/openssl_6975.test -index 6cf5d82cf54..6a82d013fb6 100644 ---- a/mysql-test/t/openssl_6975.test -+++ b/mysql-test/t/openssl_6975.test -@@ -19,9 +19,8 @@ let $mysql=$MYSQL --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$ - disable_abort_on_error; - echo TLS1.2 ciphers: user is ok with any cipher; - exec $mysql --ssl-cipher=AES128-SHA256; ----replace_result DHE-RSA-CHACHA20-POLY1305 DHE-RSA-AES256-GCM-SHA384 ----replace_result ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 --exec $mysql --ssl-cipher=TLSv1.2 -+--replace_result DHE-RSA-CHACHA20-POLY1305 DHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 -+exec $mysql --ssl-cipher=TLSv1.2; - echo TLS1.2 ciphers: user requires SSLv3 cipher AES128-SHA; - exec $mysql --user ssl_sslv3 --ssl-cipher=AES128-SHA256; - exec $mysql --user ssl_sslv3 --ssl-cipher=TLSv1.2; -@@ -31,7 +30,7 @@ exec $mysql --user ssl_tls12 --ssl-cipher=TLSv1.2; - - echo SSLv3 ciphers: user is ok with any cipher; - exec $mysql --ssl-cipher=AES256-SHA; --exec $mysql --ssl-cipher=DHE-RSA-AES256-SHA -+exec $mysql --ssl-cipher=SSLv3; - echo SSLv3 ciphers: user requires SSLv3 cipher AES128-SHA; - exec $mysql --user ssl_sslv3 --ssl-cipher=AES128-SHA; - exec $mysql --user ssl_sslv3 --ssl-cipher=SSLv3; -diff --git a/mysql-test/t/ssl_8k_key.test b/mysql-test/t/ssl_8k_key.test -index 470d577edb8..9d5b382726e 100644 ---- a/mysql-test/t/ssl_8k_key.test -+++ b/mysql-test/t/ssl_8k_key.test -@@ -1,6 +1,5 @@ --# This test should work in embedded server after we fix mysqltest ---- source include/require_openssl_client.inc ---- source include/not_embedded.inc -+# schannel does not support keys longer than 4k -+-- source include/not_windows.inc - - -- source include/have_ssl_communication.inc - # -diff --git a/mysys_ssl/CMakeLists.txt b/mysys_ssl/CMakeLists.txt -index 4f6f7458c5b..f8a767ed6f3 100644 ---- a/mysys_ssl/CMakeLists.txt -+++ b/mysys_ssl/CMakeLists.txt -@@ -28,6 +28,7 @@ SET(MYSYS_SSL_HIDDEN_SOURCES - my_sha384.cc - my_sha512.cc - my_md5.cc -+ openssl.c - ) - - SET(MYSYS_SSL_SOURCES -diff --git a/mysys_ssl/my_crypt.cc b/mysys_ssl/my_crypt.cc -index 0ff49a2c427..ed1c82dbac6 100644 ---- a/mysys_ssl/my_crypt.cc -+++ b/mysys_ssl/my_crypt.cc -@@ -1,6 +1,6 @@ - /* - Copyright (c) 2014 Google Inc. -- Copyright (c) 2014, 2015 MariaDB Corporation -+ Copyright (c) 2014, 2017 MariaDB Corporation - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by -@@ -21,30 +21,31 @@ - #ifdef HAVE_YASSL - #include "yassl.cc" - #else -- - #include <openssl/evp.h> - #include <openssl/aes.h> - #include <openssl/err.h> - #include <openssl/rand.h> -- - #endif --#include <my_crypt.h> - --#define MY_CIPHER_CTX_SIZE 384 -+#include <my_crypt.h> -+#include <ssl_compat.h> - - class MyCTX - { - public: -+ char ctx_buf[EVP_CIPHER_CTX_SIZE]; - EVP_CIPHER_CTX *ctx; -- const uchar *key; -- unsigned int klen; -- MyCTX() { -- ctx= EVP_CIPHER_CTX_new(); -- } -- virtual ~MyCTX() { -- EVP_CIPHER_CTX_free(ctx); -- ERR_remove_state(0); -- } -+ -+ MyCTX() -+ { -+ ctx= (EVP_CIPHER_CTX *)ctx_buf; -+ EVP_CIPHER_CTX_init(ctx); -+ } -+ virtual ~MyCTX() -+ { -+ EVP_CIPHER_CTX_cleanup(ctx); -+ ERR_remove_state(0); -+ } - - virtual int init(const EVP_CIPHER *cipher, int encrypt, const uchar *key, - uint klen, const uchar *iv, uint ivlen) -@@ -78,9 +79,12 @@ class MyCTX - class MyCTX_nopad : public MyCTX - { - public: -+ const uchar *key; -+ uint klen, buf_len; -+ uchar oiv[MY_AES_BLOCK_SIZE]; -+ - MyCTX_nopad() : MyCTX() { } - ~MyCTX_nopad() { } -- unsigned int buf_len; - - int init(const EVP_CIPHER *cipher, int encrypt, const uchar *key, uint klen, - const uchar *iv, uint ivlen) -@@ -89,19 +93,8 @@ class MyCTX_nopad : public MyCTX - this->key= key; - this->klen= klen; - this->buf_len= 0; -- /* FIX-ME: -- For the sake of backward compatibility we do some strange hack here: -- Since ECB doesn't need an IV (and therefore is considered kind of -- insecure) we need to store the specified iv. -- The last nonpadding block will be encrypted with an additional -- expensive crypt_call in ctr mode instead -- of encrypting the entire plain text in ctr-mode */ --#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) -- const unsigned char *oiv= EVP_CIPHER_CTX_original_iv(ctx); --#else -- const unsigned char *oiv= ctx->oiv; --#endif -- memcpy((char *)oiv, iv, ivlen); -+ memcpy(oiv, iv, ivlen); -+ DBUG_ASSERT(ivlen == 0 || ivlen == sizeof(oiv)); - - int res= MyCTX::init(cipher, encrypt, key, klen, iv, ivlen); - -@@ -111,34 +104,30 @@ class MyCTX_nopad : public MyCTX - - int update(const uchar *src, uint slen, uchar *dst, uint *dlen) - { -- buf_len= slen % MY_AES_BLOCK_SIZE; -+ buf_len+= slen; - return MyCTX::update(src, slen, dst, dlen); - } - - int finish(uchar *dst, uint *dlen) - { -+ buf_len %= MY_AES_BLOCK_SIZE; - if (buf_len) - { -- const uchar *org_iv; -- unsigned char *buf; -+ uchar *buf= EVP_CIPHER_CTX_buf_noconst(ctx); - /* - Not much we can do, block ciphers cannot encrypt data that aren't - a multiple of the block length. At least not without padding. - Let's do something CTR-like for the last partial block. -+ -+ NOTE this assumes that there are only buf_len bytes in the buf. -+ If OpenSSL will change that, we'll need to change the implementation -+ of this class too. - */ - uchar mask[MY_AES_BLOCK_SIZE]; - uint mlen; - --#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) -- org_iv= EVP_CIPHER_CTX_original_iv(ctx); -- buf= EVP_CIPHER_CTX_buf_noconst(ctx); --#else -- org_iv= ctx->oiv; -- buf= ctx->buf; --#endif -- - my_aes_crypt(MY_AES_ECB, ENCRYPTION_FLAG_ENCRYPT | ENCRYPTION_FLAG_NOPAD, -- org_iv, sizeof(mask), mask, &mlen, key, klen, 0, 0); -+ oiv, sizeof(mask), mask, &mlen, key, klen, 0, 0); - DBUG_ASSERT(mlen == sizeof(mask)); - - for (uint i=0; i < buf_len; i++) -@@ -178,9 +167,8 @@ make_aes_dispatcher(gcm) - class MyCTX_gcm : public MyCTX - { - public: -- const uchar *aad= NULL; -+ const uchar *aad; - int aadlen; -- my_bool encrypt; - MyCTX_gcm() : MyCTX() { } - ~MyCTX_gcm() { } - -@@ -192,7 +180,6 @@ class MyCTX_gcm : public MyCTX - int real_ivlen= EVP_CIPHER_CTX_iv_length(ctx); - aad= iv + real_ivlen; - aadlen= ivlen - real_ivlen; -- this->encrypt= encrypt; - return res; - } - -@@ -204,14 +191,14 @@ class MyCTX_gcm : public MyCTX - before decrypting the data. it can encrypt data piecewise, like, first - half, then the second half, but it must decrypt all at once - */ -- if (!this->encrypt) -+ if (!EVP_CIPHER_CTX_encrypting(ctx)) - { - slen-= MY_AES_BLOCK_SIZE; - if(!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, MY_AES_BLOCK_SIZE, - (void*)(src + slen))) - return MY_AES_OPENSSL_ERROR; - } -- int unused= 0; -+ int unused; - if (aadlen && !EVP_CipherUpdate(ctx, NULL, &unused, aad, aadlen)) - return MY_AES_OPENSSL_ERROR; - aadlen= 0; -@@ -220,12 +207,12 @@ class MyCTX_gcm : public MyCTX - - int finish(uchar *dst, uint *dlen) - { -- int fin= 0; -+ int fin; - if (!EVP_CipherFinal_ex(ctx, dst, &fin)) - return MY_AES_BAD_DATA; - DBUG_ASSERT(fin == 0); - -- if (this->encrypt) -+ if (EVP_CIPHER_CTX_encrypting(ctx)) - { - if(!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, MY_AES_BLOCK_SIZE, dst)) - return MY_AES_OPENSSL_ERROR; -@@ -295,20 +282,15 @@ int my_aes_crypt(enum my_aes_mode mode, int flags, - { - void *ctx= alloca(MY_AES_CTX_SIZE); - int res1, res2; -- uint d1= 0, d2= 0; -+ uint d1= 0, d2; - if ((res1= my_aes_crypt_init(ctx, mode, flags, key, klen, iv, ivlen))) - return res1; - res1= my_aes_crypt_update(ctx, src, slen, dst, &d1); - res2= my_aes_crypt_finish(ctx, dst + d1, &d2); -- *dlen= d1 + d2; -- /* in case of failure clear error queue */ --#ifndef HAVE_YASSL -- /* since we don't check the crypto error messages we need to -- clear the error queue - otherwise subsequent crypto or tls/ssl -- calls will fail */ -- if (!*dlen) -- ERR_clear_error(); --#endif -+ if (res1 || res2) -+ ERR_remove_state(0); /* in case of failure clear error queue */ -+ else -+ *dlen= d1 + d2; - return res1 ? res1 : res2; - } - -@@ -350,12 +332,6 @@ int my_random_bytes(uchar* buf, int num) - - int my_random_bytes(uchar *buf, int num) - { -- /* -- Unfortunately RAND_bytes manual page does not provide any guarantees -- in relation to blocking behavior. Here we explicitly use SSLeay random -- instead of whatever random engine is currently set in OpenSSL. That way -- we are guaranteed to have a non-blocking random. -- */ - RAND_METHOD *rand = RAND_OpenSSL(); - if (rand == NULL || rand->bytes(buf, num) != 1) - return MY_AES_OPENSSL_ERROR; -diff --git a/mysys_ssl/my_md5.cc b/mysys_ssl/my_md5.cc -index 02c01dd7148..0105082b7e1 100644 ---- a/mysys_ssl/my_md5.cc -+++ b/mysys_ssl/my_md5.cc -@@ -1,5 +1,5 @@ - /* Copyright (c) 2012, Oracle and/or its affiliates. -- Copyright (c) 2014, SkySQL Ab. -+ Copyright (c) 2017, MariaDB Corporation - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by -@@ -27,50 +27,34 @@ - #include <my_md5.h> - #include <stdarg.h> - --#define MA_HASH_CTX_SIZE 512 -- - #if defined(HAVE_YASSL) - #include "md5.hpp" -+#include <ssl_compat.h> - --typedef TaoCrypt::MD5 MD5_CONTEXT; -+typedef TaoCrypt::MD5 EVP_MD_CTX; - --static void md5_init(MD5_CONTEXT *context) -+static void md5_init(EVP_MD_CTX *context) - { -- context= new(context) MD5_CONTEXT; -+ context= new(context) EVP_MD_CTX; - context->Init(); - } - --/* -- this is a variant of md5_init to be used in this file only. -- does nothing for yassl, because the context's constructor was called automatically. --*/ --static void md5_init_fast(MD5_CONTEXT *context) --{ --} -- --static void md5_input(MD5_CONTEXT *context, const uchar *buf, unsigned len) -+static void md5_input(EVP_MD_CTX *context, const uchar *buf, unsigned len) - { - context->Update((const TaoCrypt::byte *) buf, len); - } - --static void md5_result(MD5_CONTEXT *context, uchar digest[MD5_HASH_SIZE]) -+static void md5_result(EVP_MD_CTX *context, uchar digest[MD5_HASH_SIZE]) - { - context->Final((TaoCrypt::byte *) digest); - } - - #elif defined(HAVE_OPENSSL) -- -- - #include <openssl/evp.h> -+#include <ssl_compat.h> - --#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) --#define EVP_MD_CTX_reset(X) EVP_MD_CTX_cleanup(X) --#endif --typedef EVP_MD_CTX MD5_CONTEXT; -- --static void md5_init(MD5_CONTEXT *context) -+static void md5_init(EVP_MD_CTX *context) - { -- memset(context, 0, my_md5_context_size()); - EVP_MD_CTX_init(context); - #ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW - /* Ok to ignore FIPS: MD5 is not used for crypto here */ -@@ -79,20 +63,15 @@ static void md5_init(MD5_CONTEXT *context) - EVP_DigestInit_ex(context, EVP_md5(), NULL); - } - --static void md5_init_fast(MD5_CONTEXT *context) --{ -- md5_init(context); --} -- --static void md5_input(MD5_CONTEXT *context, const uchar *buf, unsigned len) -+static void md5_input(EVP_MD_CTX *context, const uchar *buf, unsigned len) - { - EVP_DigestUpdate(context, buf, len); - } - --static void md5_result(MD5_CONTEXT *context, uchar digest[MD5_HASH_SIZE]) -+static void md5_result(EVP_MD_CTX *context, uchar digest[MD5_HASH_SIZE]) - { - EVP_DigestFinal_ex(context, digest, NULL); -- EVP_MD_CTX_reset(context); -+ EVP_MD_CTX_cleanup(context); - } - - #endif /* HAVE_YASSL */ -@@ -108,26 +87,23 @@ static void md5_result(MD5_CONTEXT *context, uchar digest[MD5_HASH_SIZE]) - */ - void my_md5(uchar *digest, const char *buf, size_t len) - { --#ifdef HAVE_YASSL -- MD5_CONTEXT md5_context; --#else -- unsigned char md5_context[MA_HASH_CTX_SIZE]; --#endif -- md5_init_fast((MD5_CONTEXT *)&md5_context); -- md5_input((MD5_CONTEXT *)&md5_context, (const uchar *)buf, len); -- md5_result((MD5_CONTEXT *)&md5_context, digest); -+ char ctx_buf[EVP_MD_CTX_SIZE]; -+ EVP_MD_CTX * const ctx= (EVP_MD_CTX*)ctx_buf; -+ md5_init(ctx); -+ md5_input(ctx, (const uchar *)buf, len); -+ md5_result(ctx, digest); - } - - - /** - Wrapper function to compute MD5 message digest for -- two messages in order to emulate md5(msg1, msg2). -+ many messages, concatenated. - - @param digest [out] Computed MD5 digest - @param buf1 [in] First message - @param len1 [in] Length of first message -- @param buf2 [in] Second message -- @param len2 [in] Length of second message -+ ... -+ @param bufN [in] NULL terminates the list of buf,len pairs. - - @return void - */ -@@ -135,37 +111,34 @@ void my_md5_multi(uchar *digest, ...) - { - va_list args; - const uchar *str; --#ifdef HAVE_YASSL -- MD5_CONTEXT md5_context; --#else -- unsigned char md5_context[MA_HASH_CTX_SIZE]; --#endif -+ char ctx_buf[EVP_MD_CTX_SIZE]; -+ EVP_MD_CTX * const ctx= (EVP_MD_CTX*)ctx_buf; - va_start(args, digest); - -- md5_init_fast((MD5_CONTEXT *)&md5_context); -+ md5_init(ctx); - for (str= va_arg(args, const uchar*); str; str= va_arg(args, const uchar*)) -- md5_input((MD5_CONTEXT *)&md5_context, str, va_arg(args, size_t)); -+ md5_input(ctx, str, va_arg(args, size_t)); - -- md5_result((MD5_CONTEXT *)&md5_context, digest); -+ md5_result(ctx, digest); - va_end(args); - } - - size_t my_md5_context_size() - { -- return MA_HASH_CTX_SIZE; -+ return EVP_MD_CTX_SIZE; - } - - void my_md5_init(void *context) - { -- md5_init((MD5_CONTEXT *)context); -+ md5_init((EVP_MD_CTX *)context); - } - - void my_md5_input(void *context, const uchar *buf, size_t len) - { -- md5_input((MD5_CONTEXT *)context, buf, len); -+ md5_input((EVP_MD_CTX *)context, buf, len); - } - - void my_md5_result(void *context, uchar *digest) - { -- md5_result((MD5_CONTEXT *)context, digest); -+ md5_result((EVP_MD_CTX *)context, digest); - } -diff --git a/mysys_ssl/openssl.c b/mysys_ssl/openssl.c -new file mode 100644 -index 00000000000..a3f1ca29ec1 ---- /dev/null -+++ b/mysys_ssl/openssl.c -@@ -0,0 +1,71 @@ -+/* -+ Copyright (c) 2017, MariaDB Corporation. -+ -+ This program is free software; you can redistribute it and/or modify -+ it under the terms of the GNU General Public License as published by -+ the Free Software Foundation; version 2 of the License. -+ -+ This program is distributed in the hope that it will be useful, -+ but WITHOUT ANY WARRANTY; without even the implied warranty of -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ GNU General Public License for more details. -+ -+ You should have received a copy of the GNU General Public License -+ along with this program; if not, write to the Free Software -+ Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */ -+ -+#include <my_global.h> -+#include <ssl_compat.h> -+ -+#ifdef HAVE_YASSL -+ -+int check_openssl_compatibility() -+{ -+ return 0; -+} -+#else -+#include <openssl/evp.h> -+ -+#ifdef HAVE_OPENSSL11 -+typedef void *(*CRYPTO_malloc_t)(size_t, const char *, int); -+#endif -+ -+#ifdef HAVE_OPENSSL10 -+typedef void *(*CRYPTO_malloc_t)(size_t); -+#define CRYPTO_malloc malloc -+#define CRYPTO_realloc realloc -+#define CRYPTO_free free -+#endif -+ -+static uint allocated_size, allocated_count; -+ -+static void *coc_malloc(size_t size) -+{ -+ allocated_size+= size; -+ allocated_count++; -+ return malloc(size); -+} -+ -+int check_openssl_compatibility() -+{ -+ EVP_CIPHER_CTX *evp_ctx; -+ EVP_MD_CTX *md5_ctx; -+ -+ CRYPTO_set_mem_functions((CRYPTO_malloc_t)coc_malloc, CRYPTO_realloc, CRYPTO_free); -+ -+ allocated_size= allocated_count= 0; -+ evp_ctx= EVP_CIPHER_CTX_new(); -+ EVP_CIPHER_CTX_free(evp_ctx); -+ if (allocated_count != 1 || allocated_size > EVP_CIPHER_CTX_SIZE) -+ return 1; -+ -+ allocated_size= allocated_count= 0; -+ md5_ctx= EVP_MD_CTX_create(); -+ EVP_MD_CTX_destroy(md5_ctx); -+ if (allocated_count != 1 || allocated_size > EVP_MD_CTX_SIZE) -+ return 1; -+ -+ CRYPTO_set_mem_functions(CRYPTO_malloc, CRYPTO_realloc, CRYPTO_free); -+ return 0; -+} -+#endif -diff --git a/mysys_ssl/yassl.cc b/mysys_ssl/yassl.cc -index 9e6f90d8d77..aa5631f2ab8 100644 ---- a/mysys_ssl/yassl.cc -+++ b/mysys_ssl/yassl.cc -@@ -24,7 +24,6 @@ - - #include <openssl/ssl.h> - #include "aes.hpp" --#include <my_sys.h> - - using yaSSL::yaERR_remove_state; - -@@ -45,7 +44,6 @@ typedef struct - int buf_len; - int final_used; - uchar tao_buf[sizeof(TaoCrypt::AES)]; // TaoCrypt::AES object -- uchar oiv[TaoCrypt::AES::BLOCK_SIZE]; // original IV - uchar buf[TaoCrypt::AES::BLOCK_SIZE]; // last partial input block - uchar final[TaoCrypt::AES::BLOCK_SIZE]; // last decrypted (output) block - } EVP_CIPHER_CTX; -@@ -76,26 +74,12 @@ static void EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *ctx) - ctx->final_used= ctx->buf_len= ctx->flags= 0; - } - --static EVP_CIPHER_CTX *EVP_CIPHER_CTX_new() --{ -- EVP_CIPHER_CTX *ctx= (EVP_CIPHER_CTX *)my_malloc(sizeof(EVP_CIPHER_CTX), MYF(0)); -- if (ctx) -- EVP_CIPHER_CTX_init(ctx); -- return ctx; --} -- - static int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *ctx) - { - TAO(ctx)->~AES(); - return 1; - } - --static void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx) --{ -- EVP_CIPHER_CTX_cleanup(ctx); -- my_free(ctx); --} -- - static int EVP_CIPHER_CTX_set_padding(EVP_CIPHER_CTX *ctx, int pad) - { - if (pad) -@@ -112,10 +96,7 @@ static int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, - : TaoCrypt::DECRYPTION, cipher->mode); - TAO(ctx)->SetKey(key, cipher->key_len); - if (iv) -- { - TAO(ctx)->SetIV(iv); -- memcpy(ctx->oiv, iv, TaoCrypt::AES::BLOCK_SIZE); -- } - ctx->encrypt= enc; - ctx->key_len= cipher->key_len; - ctx->flags|= cipher->mode == TaoCrypt::CBC ? EVP_CIPH_CBC_MODE : EVP_CIPH_ECB_MODE; -diff --git a/plugin/aws_key_management/CMakeLists.txt b/plugin/aws_key_management/CMakeLists.txt -index 1ad96dd9f19..8ea0452fa6b 100644 ---- a/plugin/aws_key_management/CMakeLists.txt -+++ b/plugin/aws_key_management/CMakeLists.txt -@@ -113,6 +113,16 @@ ELSE() - SET_TARGET_PROPERTIES(${lib} PROPERTIES IMPORTED_LOCATION ${loc}) - ENDFOREACH() - -+ # To be compatible with older cmake, we use older version of the SDK -+ # We increase the version for macs however, so the newest mac could built it. -+ IF(APPLE) -+ SET(GIT_TAG "1.0.100") -+ ELSEIF(_OPENSSL_VERSION VERSION_EQUAL "1.1") -+ SET(GIT_TAG "1.0.114") -+ ELSE() -+ SET(GIT_TAG "1.0.8") -+ ENDIF() -+ - SET(AWS_SDK_PATCH_COMMAND ) - ExternalProject_Add( - aws_sdk_cpp -diff --git a/sql-common/client.c b/sql-common/client.c -index d881080b55a..eb2899410d4 100644 ---- a/sql-common/client.c -+++ b/sql-common/client.c -@@ -104,11 +104,8 @@ my_bool net_flush(NET *net); - #define CONNECT_TIMEOUT 0 - #endif - --#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) || defined(HAVE_YASSL) --#define ASN1_STRING_get0_data(X) ASN1_STRING_data(X) --#endif -- - #include "client_settings.h" -+#include <ssl_compat.h> - #include <sql_common.h> - #include <mysql/client_plugin.h> - #include <my_context.h> -@@ -1772,9 +1769,8 @@ mysql_get_ssl_cipher(MYSQL *mysql __attribute__((unused))) - - #if defined(HAVE_OPENSSL) - --#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(HAVE_YASSL) -+#ifdef HAVE_X509_check_host - #include <openssl/x509v3.h> --#define HAVE_X509_check_host - #endif - - static int ssl_verify_server_cert(Vio *vio, const char* server_hostname, const char **errptr) -diff --git a/sql/mysqld.cc b/sql/mysqld.cc -index d6a7c6b4931..904695d8742 100644 ---- a/sql/mysqld.cc -+++ b/sql/mysqld.cc -@@ -111,7 +111,6 @@ - #endif - - #include <my_systemd.h> --#include <my_crypt.h> - - #define mysqld_charset &my_charset_latin1 - -@@ -121,7 +120,6 @@ - #define HAVE_CLOSE_SERVER_SOCK 1 - #endif - -- - extern "C" { // Because of SCO 3.2V4.2 - #include <sys/stat.h> - #ifndef __GNU_LIBRARY__ -@@ -339,9 +337,13 @@ static PSI_thread_key key_thread_handle_con_sockets; - static PSI_thread_key key_thread_handle_shutdown; - #endif /* __WIN__ */ - --#if defined (HAVE_OPENSSL) && !defined(HAVE_YASSL) -+#ifdef HAVE_OPENSSL -+#include <ssl_compat.h> -+ -+#ifdef HAVE_OPENSSL10 - static PSI_rwlock_key key_rwlock_openssl; - #endif -+#endif - #endif /* HAVE_PSI_INTERFACE */ - - #ifdef HAVE_NPTL -@@ -987,7 +989,7 @@ PSI_rwlock_key key_rwlock_LOCK_grant, key_rwlock_LOCK_logger, - - static PSI_rwlock_info all_server_rwlocks[]= - { --#if defined (HAVE_OPENSSL) && !defined(HAVE_YASSL) -+#ifdef HAVE_OPENSSL10 - { &key_rwlock_openssl, "CRYPTO_dynlock_value::lock", 0}, - #endif - { &key_rwlock_LOCK_grant, "LOCK_grant", PSI_FLAG_GLOBAL}, -@@ -1457,9 +1459,7 @@ scheduler_functions *thread_scheduler= &thread_scheduler_struct, - - #ifdef HAVE_OPENSSL - #include <openssl/crypto.h> --#ifndef HAVE_YASSL -- --#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) -+#ifdef HAVE_OPENSSL10 - typedef struct CRYPTO_dynlock_value - { - mysql_rwlock_t lock; -@@ -1470,8 +1470,7 @@ static openssl_lock_t *openssl_dynlock_create(const char *, int); - static void openssl_dynlock_destroy(openssl_lock_t *, const char *, int); - static void openssl_lock_function(int, int, const char *, int); - static void openssl_lock(int, openssl_lock_t *, const char *, int); --#endif --#endif -+#endif /* HAVE_OPENSSL10 */ - char *des_key_file; - #ifndef EMBEDDED_LIBRARY - struct st_VioSSLFd *ssl_acceptor_fd; -@@ -2247,13 +2246,11 @@ static void clean_up_mutexes() - mysql_mutex_destroy(&LOCK_global_index_stats); - #ifdef HAVE_OPENSSL - mysql_mutex_destroy(&LOCK_des_key_file); --#ifndef HAVE_YASSL --#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) -+#ifdef HAVE_OPENSSL10 - for (int i= 0; i < CRYPTO_num_locks(); ++i) - mysql_rwlock_destroy(&openssl_stdlocks[i].lock); - OPENSSL_free(openssl_stdlocks); --#endif --#endif /* HAVE_YASSL */ -+#endif /* HAVE_OPENSSL10 */ - #endif /* HAVE_OPENSSL */ - #ifdef HAVE_REPLICATION - mysql_mutex_destroy(&LOCK_rpl_status); -@@ -4055,6 +4052,14 @@ static int init_common_variables() - return 1; - } - -+#ifdef HAVE_OPENSSL -+ if (check_openssl_compatibility()) -+ { -+ sql_print_error("Incompatible OpenSSL version. Cannot continue..."); -+ return 1; -+ } -+#endif -+ - if (init_thread_environment() || - mysql_init_variables()) - return 1; -@@ -4601,8 +4606,7 @@ static int init_thread_environment() - #ifdef HAVE_OPENSSL - mysql_mutex_init(key_LOCK_des_key_file, - &LOCK_des_key_file, MY_MUTEX_INIT_FAST); --#ifndef HAVE_YASSL --#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) -+#ifdef HAVE_OPENSSL10 - openssl_stdlocks= (openssl_lock_t*) OPENSSL_malloc(CRYPTO_num_locks() * - sizeof(openssl_lock_t)); - for (int i= 0; i < CRYPTO_num_locks(); ++i) -@@ -4611,9 +4615,8 @@ static int init_thread_environment() - CRYPTO_set_dynlock_destroy_callback(openssl_dynlock_destroy); - CRYPTO_set_dynlock_lock_callback(openssl_lock); - CRYPTO_set_locking_callback(openssl_lock_function); --#endif --#endif --#endif -+#endif /* HAVE_OPENSSL10 */ -+#endif /* HAVE_OPENSSL */ - mysql_rwlock_init(key_rwlock_LOCK_sys_init_connect, &LOCK_sys_init_connect); - mysql_rwlock_init(key_rwlock_LOCK_sys_init_slave, &LOCK_sys_init_slave); - mysql_rwlock_init(key_rwlock_LOCK_grant, &LOCK_grant); -@@ -4646,8 +4649,7 @@ static int init_thread_environment() - } - - --#if defined(HAVE_OPENSSL) && !defined(HAVE_YASSL) --#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) -+#ifdef HAVE_OPENSSL10 - static openssl_lock_t *openssl_dynlock_create(const char *file, int line) - { - openssl_lock_t *lock= new openssl_lock_t; -@@ -4707,9 +4709,7 @@ static void openssl_lock(int mode, openssl_lock_t *lock, const char *file, - abort(); - } - } --#endif --#endif /* HAVE_OPENSSL */ -- -+#endif /* HAVE_OPENSSL10 */ - - static void init_ssl() - { -@@ -4737,9 +4737,8 @@ static void init_ssl() - while ((err= ERR_get_error())) - sql_print_warning("SSL error: %s", ERR_error_string(err, NULL)); - } -- else { -+ else - ERR_remove_state(0); -- } - } - else - { -diff --git a/sql/slave.cc b/sql/slave.cc -index 636965c4619..6882156564c 100644 ---- a/sql/slave.cc -+++ b/sql/slave.cc -@@ -40,6 +40,7 @@ - #include <my_dir.h> - #include <sql_common.h> - #include <errmsg.h> -+#include <ssl_compat.h> - #include <mysqld_error.h> - #include <mysys_err.h> - #include "rpl_handler.h" -@@ -60,12 +61,6 @@ - #include "debug_sync.h" - #include "rpl_parallel.h" - --#if OPENSSL_VERSION_NUMBER >= 0x10100000L --#define ERR_remove_state(X) --#elif defined(HAVE_ERR_remove_thread_state) --#define ERR_remove_state(X) ERR_remove_thread_state(NULL) --#endif -- - #define FLAGSTR(V,F) ((V)&(F)?#F" ":"") - - #define MAX_SLAVE_RETRY_PAUSE 5 -@@ -4509,13 +4504,7 @@ log space"); - - DBUG_LEAVE; // Must match DBUG_ENTER() - my_thread_end(); --#ifdef HAVE_OPENSSL --#if OPENSSL_VERSION_NUMBER < 0x10000000L - ERR_remove_state(0); --#elif OPENSSL_VERSION_NUMBER < 0x10100000L -- ERR_remove_thread_state(0); --#endif --#endif - pthread_exit(0); - return 0; // Avoid compiler warnings - } -@@ -5174,13 +5163,7 @@ pthread_handler_t handle_slave_sql(void *arg) - - DBUG_LEAVE; // Must match DBUG_ENTER() - my_thread_end(); --#ifdef HAVE_OPENSSL --#if OPENSSL_VERSION_NUMBER < 0x10000000L - ERR_remove_state(0); --#elif OPENSSL_VERSION_NUMBER < 0x10100000L -- ERR_remove_thread_state(0); --#endif --#endif - pthread_exit(0); - return 0; // Avoid compiler warnings - } -diff --git a/vio/vio.c b/vio/vio.c -index e3bc8ca8ab8..44d06092184 100644 ---- a/vio/vio.c -+++ b/vio/vio.c -@@ -22,6 +22,7 @@ - */ - - #include "vio_priv.h" -+#include "ssl_compat.h" - - #ifdef _WIN32 - -diff --git a/vio/viosslfactories.c b/vio/viosslfactories.c -index 497047cac72..71ef2879464 100644 ---- a/vio/viosslfactories.c -+++ b/vio/viosslfactories.c -@@ -15,20 +15,12 @@ - Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */ - - #include "vio_priv.h" -+#include <ssl_compat.h> - - #ifdef HAVE_OPENSSL --#if defined(HAVE_YASSL) || defined(LIBRESSL_VERSION_NUMBER) --#define OPENSSL_init_ssl(X,Y) SSL_library_init() --#else -+#ifndef HAVE_YASSL - #include <openssl/dh.h> - #include <openssl/bn.h> -- --#if OPENSSL_VERSION_NUMBER >= 0x10100000L --#define ERR_remove_state(X) --#else --#define OPENSSL_init_ssl(X,Y) SSL_library_init() --#endif -- - #endif - - static my_bool ssl_algorithms_added = FALSE; -@@ -36,59 +28,51 @@ static my_bool ssl_error_strings_loaded= FALSE; - - /* the function below was generated with "openssl dhparam -2 -C 2048" */ - --/* {{{ get_dh_2048 */ --static DH *get_dh_2048() -+static -+DH *get_dh2048() - { -- static unsigned char dh2048_p[]={ -- 0xA1,0xBB,0x7C,0x20,0xC5,0x5B,0xC0,0x7B,0x21,0x8B,0xD6,0xA8, -- 0x15,0xFC,0x3B,0xBA,0xAB,0x9F,0xDF,0x68,0xC4,0x79,0x78,0x0D, -- 0xC1,0x12,0x64,0xE4,0x15,0xC9,0x66,0xDB,0xF6,0xCB,0xB3,0x39, -- 0x02,0x5B,0x78,0x62,0xFB,0x09,0xAE,0x09,0x6B,0xDD,0xD4,0x5D, -- 0x97,0xBC,0xDC,0x7F,0xE6,0xD6,0xF1,0xCB,0xF5,0xEB,0xDA,0xA7, -- 0x2E,0x5A,0x43,0x2B,0xE9,0x40,0xE2,0x85,0x00,0x1C,0xC0,0x0A, -- 0x98,0x77,0xA9,0x31,0xDE,0x0B,0x75,0x4D,0x1E,0x1F,0x16,0x83, -- 0xCA,0xDE,0xBD,0x21,0xFC,0xC1,0x82,0x37,0x36,0x33,0x0B,0x66, -- 0x06,0x3C,0xF3,0xAF,0x21,0x57,0x57,0x80,0xF6,0x94,0x1B,0xA9, -- 0xD4,0xF6,0x8F,0x18,0x62,0x0E,0xC4,0x22,0xF9,0x5B,0x62,0xCC, -- 0x3F,0x19,0x95,0xCF,0x4B,0x00,0xA6,0x6C,0x0B,0xAF,0x9F,0xD5, -- 0xFA,0x3D,0x6D,0xDA,0x30,0x83,0x07,0x91,0xAC,0x15,0xFF,0x8F, -- 0x59,0x54,0xEA,0x25,0xBC,0x4E,0xEB,0x6A,0x54,0xDF,0x75,0x09, -- 0x72,0x0F,0xEF,0x23,0x70,0xE0,0xA8,0x04,0xEA,0xFF,0x90,0x54, -- 0xCD,0x84,0x18,0xC0,0x75,0x91,0x99,0x0F,0xA1,0x78,0x0C,0x07, -- 0xB7,0xC5,0xDE,0x55,0x06,0x7B,0x95,0x68,0x2C,0x33,0x39,0xBC, -- 0x2C,0xD0,0x6D,0xDD,0xFA,0xDC,0xB5,0x8F,0x82,0x39,0xF8,0x67, -- 0x44,0xF1,0xD8,0xF7,0x78,0x11,0x9A,0x77,0x9B,0x53,0x47,0xD6, -- 0x2B,0x5D,0x67,0xB8,0xB7,0xBC,0xC1,0xD7,0x79,0x62,0x15,0xC2, -- 0xC5,0x83,0x97,0xA7,0xF8,0xB4,0x9C,0xF6,0x8F,0x9A,0xC7,0xDA, -- 0x1B,0xBB,0x87,0x07,0xA7,0x71,0xAD,0xB2,0x8A,0x50,0xF8,0x26, -- 0x12,0xB7,0x3E,0x0B, -- }; -- static unsigned char dh2048_g[]={ -- 0x02, -- }; -- DH *dh; -- if ((dh=DH_new()) == NULL) -- return(NULL); --#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) -- (dh)->p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL); -- (dh)->g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL); -- if ((dh)->p == NULL || (dh)->g == NULL) -- { DH_free(dh); return NULL; } --#else -- { -- BIGNUM *dhp_bn= BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL), -- *dhg_bn= BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL); -- if (dhp_bn == NULL || dhg_bn == NULL || -- !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) -- { -- DH_free(dh); -- BN_free(dhp_bn); -- BN_free(dhg_bn); -- return NULL; -+ static unsigned char dhp_2048[] = { -+ 0xA1,0xBB,0x7C,0x20,0xC5,0x5B,0xC0,0x7B,0x21,0x8B,0xD6,0xA8, -+ 0x15,0xFC,0x3B,0xBA,0xAB,0x9F,0xDF,0x68,0xC4,0x79,0x78,0x0D, -+ 0xC1,0x12,0x64,0xE4,0x15,0xC9,0x66,0xDB,0xF6,0xCB,0xB3,0x39, -+ 0x02,0x5B,0x78,0x62,0xFB,0x09,0xAE,0x09,0x6B,0xDD,0xD4,0x5D, -+ 0x97,0xBC,0xDC,0x7F,0xE6,0xD6,0xF1,0xCB,0xF5,0xEB,0xDA,0xA7, -+ 0x2E,0x5A,0x43,0x2B,0xE9,0x40,0xE2,0x85,0x00,0x1C,0xC0,0x0A, -+ 0x98,0x77,0xA9,0x31,0xDE,0x0B,0x75,0x4D,0x1E,0x1F,0x16,0x83, -+ 0xCA,0xDE,0xBD,0x21,0xFC,0xC1,0x82,0x37,0x36,0x33,0x0B,0x66, -+ 0x06,0x3C,0xF3,0xAF,0x21,0x57,0x57,0x80,0xF6,0x94,0x1B,0xA9, -+ 0xD4,0xF6,0x8F,0x18,0x62,0x0E,0xC4,0x22,0xF9,0x5B,0x62,0xCC, -+ 0x3F,0x19,0x95,0xCF,0x4B,0x00,0xA6,0x6C,0x0B,0xAF,0x9F,0xD5, -+ 0xFA,0x3D,0x6D,0xDA,0x30,0x83,0x07,0x91,0xAC,0x15,0xFF,0x8F, -+ 0x59,0x54,0xEA,0x25,0xBC,0x4E,0xEB,0x6A,0x54,0xDF,0x75,0x09, -+ 0x72,0x0F,0xEF,0x23,0x70,0xE0,0xA8,0x04,0xEA,0xFF,0x90,0x54, -+ 0xCD,0x84,0x18,0xC0,0x75,0x91,0x99,0x0F,0xA1,0x78,0x0C,0x07, -+ 0xB7,0xC5,0xDE,0x55,0x06,0x7B,0x95,0x68,0x2C,0x33,0x39,0xBC, -+ 0x2C,0xD0,0x6D,0xDD,0xFA,0xDC,0xB5,0x8F,0x82,0x39,0xF8,0x67, -+ 0x44,0xF1,0xD8,0xF7,0x78,0x11,0x9A,0x77,0x9B,0x53,0x47,0xD6, -+ 0x2B,0x5D,0x67,0xB8,0xB7,0xBC,0xC1,0xD7,0x79,0x62,0x15,0xC2, -+ 0xC5,0x83,0x97,0xA7,0xF8,0xB4,0x9C,0xF6,0x8F,0x9A,0xC7,0xDA, -+ 0x1B,0xBB,0x87,0x07,0xA7,0x71,0xAD,0xB2,0x8A,0x50,0xF8,0x26, -+ 0x12,0xB7,0x3E,0x0B, -+ }; -+ static unsigned char dhg_2048[] = { -+ 0x02 -+ }; -+ DH *dh = DH_new(); -+ BIGNUM *dhp_bn, *dhg_bn; -+ -+ if (dh == NULL) -+ return NULL; -+ dhp_bn = BN_bin2bn(dhp_2048, sizeof (dhp_2048), NULL); -+ dhg_bn = BN_bin2bn(dhg_2048, sizeof (dhg_2048), NULL); -+ if (dhp_bn == NULL || dhg_bn == NULL -+ || !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) { -+ DH_free(dh); -+ BN_free(dhp_bn); -+ BN_free(dhg_bn); -+ return NULL; - } -- } --#endif -- return dh; -+ return dh; - } - - static const char* -@@ -287,7 +271,7 @@ new_VioSSLFd(const char *key_file, const char *cert_file, - /* DH stuff */ - if (!is_client_method) - { -- dh=get_dh_2048(); -+ dh=get_dh2048(); - if (!SSL_CTX_set_tmp_dh(ssl_fd->ssl_context, dh)) - { - *error= SSL_INITERR_DH; Modified: PKGBUILD =================================================================== --- PKGBUILD 2017-05-25 11:35:31 UTC (rev 296570) +++ PKGBUILD 2017-05-25 13:58:42 UTC (rev 296571) @@ -3,10 +3,9 @@ # Maintainer: Christian Hesse <[email protected]> pkgbase=mariadb -pkgname=('libmariadbclient' 'mariadb-clients' 'mytop' 'mariadb') -pkgver=10.1.23 -_pkgver=${pkgver/.a/a} -pkgrel=2 +pkgname=('libmariadb' 'mariadb-clients' 'mytop' 'mariadb') +pkgver=10.2.6 +pkgrel=0 arch=('i686' 'x86_64') license=('GPL') url='http://mariadb.org/' @@ -14,17 +13,15 @@ 'lz4' 'boost' 'libevent' 'systemd') validpgpkeys=('199369E5404BD5FC7D2FE43BCBCB082A1BB943DB') # MariaDB Package Signing Key <[email protected]> source=("https://ftp.heanet.ie/mirrors/mariadb/mariadb-$pkgver/source/mariadb-$pkgver.tar.gz"{,.asc} - '0001-openssl-1-1-0.patch' 'mariadb-sysusers.conf' 'mariadb-tmpfile.conf') -sha256sums=('54d8114e24bfa5e3ebdc7d69e071ad1471912847ea481b227d204f9d644300bf' +sha256sums=('c385c76e40d6e5f0577eba021805da5f494a30c9ef51884baefe206d5658a2e5' 'SKIP' - 'f337505ce421aea82693ab95372ce93fde3ea0351e0b6b78c26c9e1154df174c' 'e1a22777c65854041f16fc0a2db3218d17b4d7e7ec7ab7a77cf49c71277c1515' '2af318c52ae0fe5428e8a9245d1b0fc3bc5ce153842d1563329ceb1edfa83ddd') prepare() { - cd $pkgbase-$_pkgver/ + cd $pkgbase-$pkgver/ # Changes to the upstream unit files: # * remove the alias from unit files, we install symlinks in package function @@ -32,9 +29,6 @@ sed -i -e '/^Alias/d' \ -e '/^PrivateTmp/c PrivateTmp=true' \ support-files/mariadb{,@}.service.in - - # openssl 1.1.0 - patch -Np1 < "${srcdir}"/0001-openssl-1-1-0.patch } build() { @@ -41,7 +35,7 @@ mkdir build cd build - cmake ../$pkgbase-$_pkgver \ + cmake ../$pkgbase-$pkgver \ -DCMAKE_AR=/usr/bin/gcc-ar \ -DCMAKE_RANLIB=/usr/bin/gcc-ranlib \ -DBUILD_CONFIG=mysql_release \ @@ -88,45 +82,44 @@ make } -package_libmariadbclient() { - pkgdesc='MariaDB client libraries' +package_libmariadb() { + pkgdesc='MariaDB libraries' depends=('openssl' 'libaio' 'zlib' 'pcre' 'lz4' 'lzo' 'xz') - conflicts=('libmysqlclient') - provides=("libmysqlclient=$pkgver") - options=('staticlibs') + conflicts=('libmysqlclient' 'libmariadbclient') + replaces=('libmariadbclient') cd build - for dir in include libmysql libmysqld libservices; do + + for dir in include libmariadb libmysqld libservices; do make -C $dir DESTDIR="$pkgdir" install done install -Dm0755 scripts/mysql_config "$pkgdir"/usr/bin/mysql_config - install -d "$pkgdir"/usr/share/man/man1 + for man in mysql_config mysql_client_test_embedded mysqltest_embedded; do - install -m0644 "$srcdir"/$pkgbase-$_pkgver/man/$man.1 "$pkgdir"/usr/share/man/man1/$man.1 + install -D -m0644 "$srcdir"/$pkgbase-$pkgver/man/$man.1 "$pkgdir"/usr/share/man/man1/$man.1 done - rm "$pkgdir"/usr/lib/libmysql{client,client_r,d}.a + install -D -m0644 support-files/mariadb.pc "$pkgdir"/usr/share/pkgconfig/mariadb.pc + install -D -m0644 "$srcdir"/$pkgbase-$pkgver/support-files/mysql.m4 "$pkgdir"/usr/share/aclocal/mysql.m4 + + # remove static libraries + rm "$pkgdir"/usr/lib/*.a } package_mariadb-clients() { pkgdesc='MariaDB client tools' - depends=("libmariadbclient=${pkgver}" 'zlib' 'openssl' 'jemalloc') + depends=("libmariadb=${pkgver}" 'zlib' 'openssl' 'jemalloc') conflicts=('mysql-clients') - provides=("mysql-clients=$pkgver") cd build + make -C client DESTDIR="$pkgdir" install # install man pages - install -d "$pkgdir"/usr/share/man/man1 - for man in mysql mysqladmin mysqlcheck mysqldump mysqlimport mysqlshow mysqlslap; do - install -m0644 "$srcdir"/$pkgbase-$_pkgver/man/$man.1 "$pkgdir"/usr/share/man/man1/$man.1 + for man in mysql mysql_plugin mysql_upgrade mysqladmin mysqlbinlog mysqlcheck mysqldump mysqlimport mysqlshow mysqlslap mysqltest; do + install -D -m0644 "$srcdir"/$pkgbase-$pkgver/man/$man.1 "$pkgdir"/usr/share/man/man1/$man.1 done - - # provided by mariadb - rm "$pkgdir"/usr/bin/{mysql_{plugin,upgrade},mysqlbinlog,mysqltest} - } package_mytop() { @@ -134,12 +127,14 @@ depends=('perl' 'perl-dbd-mysql' 'perl-term-readkey') cd build + install -Dm0755 scripts/mytop "$pkgdir"/usr/bin/mytop } package_mariadb() { pkgdesc='Fast SQL database server, drop-in replacement for MySQL' - backup=('etc/mysql/my.cnf') + backup=('etc/mysql/my.cnf' + 'etc/mysql/wsrep.cnf') install=mariadb.install depends=("mariadb-clients=${pkgver}" 'inetutils' 'libaio' 'libxml2' 'pcre' 'jemalloc' 'lz4' 'boost-libs' 'lzo' 'libevent' 'libsystemd') @@ -149,6 +144,7 @@ options=('emptydirs') cd build + make DESTDIR="$pkgdir" install cd "$pkgdir" @@ -158,6 +154,7 @@ # TOOD: Change to upstream file layout with version 10.2.x? rm -r etc/ install -Dm0644 usr/share/mysql/my-medium.cnf etc/mysql/my.cnf + install -Dm0644 usr/share/mysql/wsrep.cnf etc/mysql/wsrep.cnf install -Dm0644 "${srcdir}"/mariadb-tmpfile.conf usr/lib/tmpfiles.d/mariadb.conf install -Dm0644 "${srcdir}"/mariadb-sysusers.conf usr/lib/sysusers.d/mariadb.conf @@ -167,11 +164,6 @@ install -dm0700 var/lib/mysql chown -R 89:89 var/lib/mysql &>/dev/null - # move aclocal and pkgconfig files - install -D -m0644 usr/share/mysql/aclocal/mysql.m4 usr/share/aclocal/mysql.m4 - install -D -m0644 usr/share/mysql/pkgconfig/mariadb.pc usr/share/pkgconfig/mariadb.pc - rm -r usr/share/mysql/{aclocal,pkgconfig} - # move to proper licenses directories install -d usr/share/licenses/mariadb mv usr/share/doc/mariadb/COPYING* usr/share/licenses/mariadb/ @@ -179,15 +171,19 @@ # already installed to real systemd unit directory rm -r usr/share/mysql/systemd/ - # provided by libmariadbclient - rm usr/bin/{mysql_config,mysql_client_test_embedded,mysqltest_embedded} + # provided by libmariadb + rm usr/bin/{mariadb_config,mysql_config,mysql_client_test_embedded,mysqltest_embedded} + rm usr/lib/libmariadb* rm usr/lib/libmysql* + rm usr/lib/mysql/plugin/sha256_password.so rm -r usr/include/ rm usr/share/man/man1/{mysql_config,mysql_client_test_embedded,mysqltest_embedded}.1 + rm -r usr/share/mysql/{aclocal,pkgconfig} # provided by mariadb-clients - rm usr/bin/{mysql,mysqladmin,mysqlcheck,mysqldump,mysqlimport,mysqlshow,mysqlslap} - rm usr/share/man/man1/{mysql,mysqladmin,mysqlcheck,mysqldump,mysqlimport,mysqlshow,mysqlslap}.1 + rm usr/bin/{mysql,mysql_plugin,mysql_upgrade,mysqladmin,mysqlbinlog,mysqlcheck,mysqldump,mysqlimport,mysqlshow,mysqlslap,mysqltest} + rm usr/share/man/man1/{mysql,mysql_plugin,mysql_upgrade,mysqladmin,mysqlbinlog,mysqlcheck,mysqldump,mysqlimport,mysqlshow,mysqlslap,mysqltest}.1 + rm usr/lib/mysql/plugin/{auth_gssapi_client,dialog,libaurora,libreplication,mysql_clear_password,trace_example}.so # provided by mytop rm usr/bin/mytop
