Use OpenSSL 3.0.0 patch from upstream

Resolves: #1991498

Upstream patch: c80991c79f
Upstream JIRA ticket: https://jira.mariadb.org/browse/MDEV-25785
Honza Horak 2021-11-18 21:15:33 +01:00 committed by Lukas Javorsky
parent 5de93c78f5
commit 295ecfc23a
2 changed files with 372 additions and 173 deletions


@ -1,183 +1,378 @@
diff -rup mariadb-10.5.9-orig/mysql-test/main/tls_version1.opt mariadb-10.5.9/mysql-test/main/tls_version1.opt From c80991c79f701dac42c630af4bd39593b0c7efb4 Mon Sep 17 00:00:00 2001
--- mariadb-10.5.9-orig/mysql-test/main/tls_version1.opt 2021-05-19 18:52:49.627469097 +0200 From: Vladislav Vaintroub <wlad@mariadb.com>
+++ mariadb-10.5.9/mysql-test/main/tls_version1.opt 2021-05-21 22:34:44.131913619 +0200 Date: Mon, 8 Nov 2021 18:48:19 +0100
@@ -1 +1 @@ Subject: [PATCH] MDEV-25785 Add support for OpenSSL 3.0
---tls_version=TLSv1.0
+--tls_version=TLSv1.2 Summary of changes
diff -rup mariadb-10.5.9-orig/mysql-test/main/tls_version1.result mariadb-10.5.9/mysql-test/main/tls_version1.result
--- mariadb-10.5.9-orig/mysql-test/main/tls_version1.result 2021-05-19 18:52:49.592468722 +0200 - MD_CTX_SIZE is increased
+++ mariadb-10.5.9/mysql-test/main/tls_version1.result 2021-05-21 22:34:44.131913619 +0200
@@ -1,6 +1,6 @@ - EVP_CIPHER_CTX_buf_noconst(ctx) does not work anymore, points
Variable_name Value to nobody knows where. The assumption made previously was that
-Ssl_version TLSv1 (since the function does not seem to be documented)
+Ssl_version TLSv1.2 was that it points to the last partial source block.
Variable_name Value Add own partial block buffer for NOPAD encryption instead
-Ssl_version TLSv1
+Ssl_version TLSv1.2 - SECLEVEL in CipherString in openssl.cnf
@@tls_version had been downgraded to 0, from 1, to make TLSv1.0 and TLSv1.1 possible
-TLSv1.0
+TLSv1.2 - Workaround Ssl_cipher_list issue, it now returns TLSv1.3 ciphers,
diff -rup mariadb-10.5.9-orig/mysql-test/main/tls_version1.test mariadb-10.5.9/mysql-test/main/tls_version1.test in addition to what was set in --ssl-cipher
--- mariadb-10.5.9-orig/mysql-test/main/tls_version1.test 2021-05-19 18:52:49.577468561 +0200
+++ mariadb-10.5.9/mysql-test/main/tls_version1.test 2021-05-21 22:34:44.131913619 +0200 - ctx_buf buffer now must be aligned to 16 bytes with openssl(
@@ -3,10 +3,10 @@ previously with WolfSSL only), ot crashes will happen
- updated aes-t , to be better debuggable
using function, rather than a huge multiline macro
added test that does "nopad" encryption piece-wise, to test
replacement of EVP_CIPHER_CTX_buf_noconst
---
cmake/ssl.cmake | 19 ++++-
include/ssl_compat.h | 3 +-
mysql-test/lib/openssl.cnf | 2 +-
mysql-test/main/ssl_cipher.result | 6 +-
mysql-test/main/ssl_cipher.test | 2 +-
mysys_ssl/my_crypt.cc | 46 +++++++-----
unittest/mysys/aes-t.c | 121 ++++++++++++++++++++++--------
7 files changed, 141 insertions(+), 58 deletions(-)
diff -up mariadb-10.5.12-downstream_modified/cmake/ssl.cmake.patch16 mariadb-10.5.12-downstream_modified/cmake/ssl.cmake
--- mariadb-10.5.12-downstream_modified/cmake/ssl.cmake.patch16 2021-08-03 10:29:07.000000000 +0200
+++ mariadb-10.5.12-downstream_modified/cmake/ssl.cmake 2021-11-18 16:58:41.552440737 +0100
@@ -139,9 +139,20 @@ MACRO (MYSQL_CHECK_SSL)
SET(SSL_INTERNAL_INCLUDE_DIRS "")
SET(SSL_DEFINES "-DHAVE_OPENSSL")
-- source include/have_ssl_communication.inc + FOREACH(x INCLUDES LIBRARIES DEFINITIONS)
--exec $MYSQL --host=localhost --ssl -e "show status like 'ssl_version';" + SET(SAVE_CMAKE_REQUIRED_${x} ${CMAKE_REQUIRED_${x}})
---error 1 + ENDFOREACH()
--exec $MYSQL --host=localhost --ssl --tls_version=TLSv1.2 -e "show status like 'ssl_version';" +
--error 1 + # Silence "deprecated in OpenSSL 3.0"
--exec $MYSQL --host=localhost --ssl --tls_version=TLSv1.1 -e "show status like 'ssl_version';" + IF((NOT OPENSSL_VERSION) # 3.0 not determined by older cmake
+--error 1 + OR NOT(OPENSSL_VERSION VERSION_LESS "3.0.0"))
--exec $MYSQL --host=localhost --ssl --tls_version=TLSv1.0 -e "show status like 'ssl_version';" + SET(SSL_DEFINES "${SSL_DEFINES} -DOPENSSL_API_COMPAT=0x10100000L")
--exec $MYSQL --host=localhost --ssl -e "select @@tls_version;" + SET(CMAKE_REQUIRED_DEFINITIONS -DOPENSSL_API_COMPAT=0x10100000L)
+ ENDIF()
+
SET(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
SET(CMAKE_REQUIRED_LIBRARIES ${SSL_LIBRARIES})
- SET(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
+
CHECK_SYMBOL_EXISTS(ERR_remove_thread_state "openssl/err.h"
HAVE_ERR_remove_thread_state)
CHECK_SYMBOL_EXISTS(EVP_aes_128_ctr "openssl/evp.h"
@@ -150,8 +161,10 @@ MACRO (MYSQL_CHECK_SSL)
HAVE_EncryptAes128Gcm)
CHECK_SYMBOL_EXISTS(X509_check_host "openssl/x509v3.h"
HAVE_X509_check_host)
- SET(CMAKE_REQUIRED_INCLUDES)
- SET(CMAKE_REQUIRED_LIBRARIES)
+
+ FOREACH(x INCLUDES LIBRARIES DEFINITIONS)
+ SET(CMAKE_REQUIRED_${x} ${SAVE_CMAKE_REQUIRED_${x}})
+ ENDFOREACH()
ELSE()
IF(WITH_SSL STREQUAL "system")
MESSAGE(FATAL_ERROR "Cannot find appropriate system libraries for SSL. Use WITH_SSL=bundled to enable SSL support")
diff -up mariadb-10.5.12-downstream_modified/include/ssl_compat.h.patch16 mariadb-10.5.12-downstream_modified/include/ssl_compat.h
--- mariadb-10.5.12-downstream_modified/include/ssl_compat.h.patch16 2021-08-03 10:29:07.000000000 +0200
+++ mariadb-10.5.12-downstream_modified/include/ssl_compat.h 2021-11-18 16:58:41.552440737 +0100
@@ -24,7 +24,7 @@
#define SSL_LIBRARY OpenSSL_version(OPENSSL_VERSION)
#define ERR_remove_state(X) ERR_clear_error()
#define EVP_CIPHER_CTX_SIZE 176
-#define EVP_MD_CTX_SIZE 48
+#define EVP_MD_CTX_SIZE 72
#undef EVP_MD_CTX_init
#define EVP_MD_CTX_init(X) do { memset((X), 0, EVP_MD_CTX_SIZE); EVP_MD_CTX_reset(X); } while(0)
#undef EVP_CIPHER_CTX_init
@@ -74,7 +74,6 @@
#endif
#define DH_set0_pqg(D,P,Q,G) ((D)->p= (P), (D)->g= (G))
-#define EVP_CIPHER_CTX_buf_noconst(ctx) ((ctx)->buf)
#define EVP_CIPHER_CTX_encrypting(ctx) ((ctx)->encrypt)
#define EVP_CIPHER_CTX_SIZE sizeof(EVP_CIPHER_CTX)
diff -up mariadb-10.5.12-downstream_modified/mysql-test/lib/openssl.cnf.patch16 mariadb-10.5.12-downstream_modified/mysql-test/lib/openssl.cnf
--- mariadb-10.5.12-downstream_modified/mysql-test/lib/openssl.cnf.patch16 2021-08-03 10:29:07.000000000 +0200
+++ mariadb-10.5.12-downstream_modified/mysql-test/lib/openssl.cnf 2021-11-18 16:58:41.552440737 +0100
@@ -9,4 +9,4 @@ ssl_conf = ssl_section
system_default = system_default_section
[system_default_section]
-CipherString = ALL:@SECLEVEL=1
+CipherString = ALL:@SECLEVEL=0
diff -up mariadb-10.5.12-downstream_modified/mysql-test/main/ssl_cipher.result.patch16 mariadb-10.5.12-downstream_modified/mysql-test/main/ssl_cipher.result
--- mariadb-10.5.12-downstream_modified/mysql-test/main/ssl_cipher.result.patch16 2021-08-03 10:29:08.000000000 +0200
+++ mariadb-10.5.12-downstream_modified/mysql-test/main/ssl_cipher.result 2021-11-18 16:58:41.552440737 +0100
@@ -61,8 +61,8 @@ connect ssl_con,localhost,root,,,,,SSL;
SHOW STATUS LIKE 'Ssl_cipher';
Variable_name Value
Ssl_cipher AES128-SHA
-SHOW STATUS LIKE 'Ssl_cipher_list';
-Variable_name Value
-Ssl_cipher_list AES128-SHA
+SELECT VARIABLE_VALUE like '%AES128-SHA%' FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher_list';
+VARIABLE_VALUE like '%AES128-SHA%'
+1
disconnect ssl_con;
connection default;
diff -up mariadb-10.5.12-downstream_modified/mysql-test/main/ssl_cipher.test.patch16 mariadb-10.5.12-downstream_modified/mysql-test/main/ssl_cipher.test
--- mariadb-10.5.12-downstream_modified/mysql-test/main/ssl_cipher.test.patch16 2021-11-18 16:58:41.552440737 +0100
+++ mariadb-10.5.12-downstream_modified/mysql-test/main/ssl_cipher.test 2021-11-18 17:00:47.753839711 +0100
@@ -100,6 +100,6 @@ connect (ssl_con,localhost,root,,,,,SSL)
--replace_regex /TLS_AES_.*/AES128-SHA/
SHOW STATUS LIKE 'Ssl_cipher';
--replace_regex /TLS_AES_.*/AES128-SHA/
-SHOW STATUS LIKE 'Ssl_cipher_list';
+SELECT VARIABLE_VALUE like '%AES128-SHA%' FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher_list';
disconnect ssl_con;
connection default;
diff -up mariadb-10.5.12-downstream_modified/mysys_ssl/my_crypt.cc.patch16 mariadb-10.5.12-downstream_modified/mysys_ssl/my_crypt.cc
--- mariadb-10.5.12-downstream_modified/mysys_ssl/my_crypt.cc.patch16 2021-08-03 10:29:08.000000000 +0200
+++ mariadb-10.5.12-downstream_modified/mysys_ssl/my_crypt.cc 2021-11-18 16:58:41.552440737 +0100
@@ -29,11 +29,7 @@
#include <ssl_compat.h>
#include <cstdint>
-#ifdef HAVE_WOLFSSL
#define CTX_ALIGN 16
-#else
-#define CTX_ALIGN 0
-#endif
diff -rup mariadb-10.5.9-orig/mysys_ssl/my_crypt.cc mariadb-10.5.9/mysys_ssl/my_crypt.cc
--- mariadb-10.5.9-orig/mysys_ssl/my_crypt.cc 2021-05-19 18:52:49.167464162 +0200
+++ mariadb-10.5.9/mysys_ssl/my_crypt.cc 2021-05-21 22:34:44.132913630 +0200
@@ -38,22 +38,14 @@
class MyCTX class MyCTX
{ {
@@ -100,8 +96,9 @@ class MyCTX_nopad : public MyCTX
{
public: public:
- char ctx_buf[EVP_CIPHER_CTX_SIZE + CTX_ALIGN]; const uchar *key;
- EVP_CIPHER_CTX* ctx; - uint klen, buf_len;
+ EVP_CIPHER_CTX* ctx= NULL; + uint klen, source_tail_len;
MyCTX() uchar oiv[MY_AES_BLOCK_SIZE];
+ uchar source_tail[MY_AES_BLOCK_SIZE];
MyCTX_nopad() : MyCTX() { }
~MyCTX_nopad() { }
@@ -112,7 +109,7 @@ public:
compile_time_assert(MY_AES_CTX_SIZE >= sizeof(MyCTX_nopad));
this->key= key;
this->klen= klen;
- this->buf_len= 0;
+ this->source_tail_len= 0;
if (ivlen)
memcpy(oiv, iv, ivlen);
DBUG_ASSERT(ivlen == 0 || ivlen == sizeof(oiv));
@@ -123,26 +120,41 @@ public:
return res;
}
+ /** Update last partial source block, stored in source_tail array. */
+ void update_source_tail(const uchar* src, uint slen)
+ {
+ if (!slen)
+ return;
+ uint new_tail_len= (source_tail_len + slen) % MY_AES_BLOCK_SIZE;
+ if (new_tail_len)
+ {
+ if (slen + source_tail_len < MY_AES_BLOCK_SIZE)
+ {
+ memcpy(source_tail + source_tail_len, src, slen);
+ }
+ else
+ {
+ DBUG_ASSERT(slen > new_tail_len);
+ memcpy(source_tail, src + slen - new_tail_len, new_tail_len);
+ }
+ }
+ source_tail_len= new_tail_len;
+ }
+
int update(const uchar *src, uint slen, uchar *dst, uint *dlen)
{ {
-#if CTX_ALIGN > 0 - buf_len+= slen;
- uintptr_t p= ((uintptr_t)ctx_buf + (CTX_ALIGN - 1)) & ~(CTX_ALIGN - 1); + update_source_tail(src, slen);
- ctx = reinterpret_cast<EVP_CIPHER_CTX*>(p); return MyCTX::update(src, slen, dst, dlen);
-#else }
- ctx = (EVP_CIPHER_CTX*)ctx_buf;
-#endif int finish(uchar *dst, uint *dlen)
{
- buf_len %= MY_AES_BLOCK_SIZE;
- if (buf_len)
+ if (source_tail_len)
{
- uchar *buf= EVP_CIPHER_CTX_buf_noconst(ctx);
/*
Not much we can do, block ciphers cannot encrypt data that aren't
a multiple of the block length. At least not without padding.
Let's do something CTR-like for the last partial block.
- -
- EVP_CIPHER_CTX_init(ctx); - NOTE this assumes that there are only buf_len bytes in the buf.
+ ctx = EVP_CIPHER_CTX_new(); - If OpenSSL will change that, we'll need to change the implementation
- of this class too.
*/
uchar mask[MY_AES_BLOCK_SIZE];
uint mlen;
@@ -154,10 +166,10 @@ public:
return rc;
DBUG_ASSERT(mlen == sizeof(mask));
- for (uint i=0; i < buf_len; i++)
- dst[i]= buf[i] ^ mask[i];
+ for (uint i=0; i < source_tail_len; i++)
+ dst[i]= source_tail[i] ^ mask[i];
}
- *dlen= buf_len;
+ *dlen= source_tail_len;
return MY_AES_OK;
} }
virtual ~MyCTX() };
{ diff -up mariadb-10.5.12-downstream_modified/unittest/mysys/aes-t.c.patch16 mariadb-10.5.12-downstream_modified/unittest/mysys/aes-t.c
- EVP_CIPHER_CTX_reset(ctx); --- mariadb-10.5.12-downstream_modified/unittest/mysys/aes-t.c.patch16 2021-08-03 10:29:10.000000000 +0200
+ EVP_CIPHER_CTX_free(ctx); +++ mariadb-10.5.12-downstream_modified/unittest/mysys/aes-t.c 2021-11-18 16:58:41.553440740 +0100
ERR_remove_state(0); @@ -21,27 +21,96 @@
#include <string.h>
#include <ctype.h>
-#define DO_TEST(mode, nopad, slen, fill, dlen, hash) \
- SKIP_BLOCK_IF(mode == 0xDEADBEAF, nopad ? 4 : 5, #mode " not supported") \
- { \
- memset(src, fill, src_len= slen); \
- ok(my_aes_crypt(mode, nopad | ENCRYPTION_FLAG_ENCRYPT, \
- src, src_len, dst, &dst_len, \
- key, sizeof(key), iv, sizeof(iv)) == MY_AES_OK, \
- "encrypt " #mode " %u %s", src_len, nopad ? "nopad" : "pad"); \
- if (!nopad) \
- ok (dst_len == my_aes_get_size(mode, src_len), "my_aes_get_size");\
- my_md5(md5, (char*)dst, dst_len); \
- ok(dst_len == dlen && memcmp(md5, hash, sizeof(md5)) == 0, "md5"); \
- ok(my_aes_crypt(mode, nopad | ENCRYPTION_FLAG_DECRYPT, \
- dst, dst_len, ddst, &ddst_len, \
- key, sizeof(key), iv, sizeof(iv)) == MY_AES_OK, \
- "decrypt " #mode " %u", dst_len); \
- ok(ddst_len == src_len && memcmp(src, ddst, src_len) == 0, "memcmp"); \
+
+/** Test streaming encryption, bytewise update.*/
+static int aes_crypt_bytewise(enum my_aes_mode mode, int flags, const unsigned char *src,
+ unsigned int slen, unsigned char *dst, unsigned int *dlen,
+ const unsigned char *key, unsigned int klen,
+ const unsigned char *iv, unsigned int ivlen)
+{
+ /* Allocate context on odd address on stack, in order to
+ catch misalignment errors.*/
+ void *ctx= (char *)alloca(MY_AES_CTX_SIZE+1)+1;
+
+ int res1, res2;
+ uint d1= 0, d2;
+ uint i;
+
+ if ((res1= my_aes_crypt_init(ctx, mode, flags, key, klen, iv, ivlen)))
+ return res1;
+ for (i= 0; i < slen; i++)
+ {
+ uint tmp_d1=0;
+ res1= my_aes_crypt_update(ctx, src+i,1, dst, &tmp_d1);
+ if (res1)
+ return res1;
+ d1+= tmp_d1;
+ dst+= tmp_d1;
+ }
+ res2= my_aes_crypt_finish(ctx, dst, &d2);
+ *dlen= d1 + d2;
+ return res1 ? res1 : res2;
+}
+
+
+#ifndef HAVE_EncryptAes128Ctr
+const uint MY_AES_CTR=0xDEADBEAF;
+#endif
+#ifndef HAVE_EncryptAes128Gcm
+const uint MY_AES_GCM=0xDEADBEAF;
+#endif
+
+#define MY_AES_UNSUPPORTED(x) (x == 0xDEADBEAF)
+
+static void do_test(uint mode, const char *mode_str, int nopad, uint slen,
+ char fill, size_t dlen, const char *hash)
+{
+ uchar key[16]= {1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 5, 6};
+ uchar iv[16]= {2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 5, 6, 7};
+ uchar src[1000], dst[1100], dst2[1100], ddst[1000];
+ uchar md5[MY_MD5_HASH_SIZE];
+ uint src_len, dst_len, dst_len2, ddst_len;
+ int result;
+
+ if (MY_AES_UNSUPPORTED(mode))
+ {
+ skip(nopad?7:6, "%s not supported", mode_str);
+ return;
+ }
+ memset(src, fill, src_len= slen);
+ result= my_aes_crypt(mode, nopad | ENCRYPTION_FLAG_ENCRYPT, src, src_len,
+ dst, &dst_len, key, sizeof(key), iv, sizeof(iv));
+ ok(result == MY_AES_OK, "encrypt %s %u %s", mode_str, src_len,
+ nopad ? "nopad" : "pad");
+
+ if (nopad)
+ {
+ result= aes_crypt_bytewise(mode, nopad | ENCRYPTION_FLAG_ENCRYPT, src,
+ src_len, dst2, &dst_len2, key, sizeof(key),
+ iv, sizeof(iv));
+ ok(result == MY_AES_OK, "encrypt bytewise %s %u", mode_str, src_len);
+ /* Compare with non-bytewise encryption result*/
+ ok(dst_len == dst_len2 && memcmp(dst, dst2, dst_len) == 0,
+ "memcmp bytewise %s %u", mode_str, src_len);
} }
+ else
diff -rup mariadb-10.5.9-orig/mysys_ssl/my_md5.cc mariadb-10.5.9/mysys_ssl/my_md5.cc + {
--- mariadb-10.5.9-orig/mysys_ssl/my_md5.cc 2021-05-19 18:52:49.167464162 +0200 + int dst_len_real= my_aes_get_size(mode, src_len);
+++ mariadb-10.5.9/mysys_ssl/my_md5.cc 2021-05-24 15:25:11.365769072 +0200 + ok(dst_len_real= dst_len, "my_aes_get_size");
@@ -52,12 +52,13 @@ static void md5_result(EVP_MD_CTX *conte + }
+ my_md5(md5, (char *) dst, dst_len);
static void md5_init(EVP_MD_CTX *context) + ok(dst_len == dlen, "md5 len");
{ + ok(memcmp(md5, hash, sizeof(md5)) == 0, "md5");
- EVP_MD_CTX_init(context); + result= my_aes_crypt(mode, nopad | ENCRYPTION_FLAG_DECRYPT,
+ const EVP_MD *md; + dst, dst_len, ddst, &ddst_len, key, sizeof(key), iv,
#ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW + sizeof(iv));
/* Ok to ignore FIPS: MD5 is not used for crypto here */
EVP_MD_CTX_set_flags(context, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
#endif
- EVP_DigestInit_ex(context, EVP_md5(), NULL);
+ md = EVP_get_digestbyname("MD5");
+ EVP_DigestInit_ex(context, md, NULL);
}
static void md5_input(EVP_MD_CTX *context, const uchar *buf, unsigned len)
@@ -68,7 +69,6 @@ static void md5_input(EVP_MD_CTX *contex
static void md5_result(EVP_MD_CTX *context, uchar digest[MD5_HASH_SIZE])
{
EVP_DigestFinal_ex(context, digest, NULL);
- EVP_MD_CTX_reset(context);
}
#endif /* HAVE_WOLFSSL */
@@ -84,11 +84,13 @@ static void md5_result(EVP_MD_CTX *conte
*/
void my_md5(uchar *digest, const char *buf, size_t len)
{
- char ctx_buf[EVP_MD_CTX_SIZE];
- EVP_MD_CTX * const ctx= (EVP_MD_CTX*)ctx_buf;
+ EVP_MD_CTX * const ctx= EVP_MD_CTX_new();
+ +
md5_init(ctx); + ok(result == MY_AES_OK, "decrypt %s %u", mode_str, dst_len);
md5_input(ctx, (const uchar *)buf, (uint) len); + ok(ddst_len == src_len && memcmp(src, ddst, src_len) == 0, "memcmp");
md5_result(ctx, digest); +}
-#define DO_TEST_P(M,S,F,D,H) DO_TEST(M,0,S,F,D,H)
-#define DO_TEST_N(M,S,F,D,H) DO_TEST(M,ENCRYPTION_FLAG_NOPAD,S,F,D,H)
+#define DO_TEST_P(M, S, F, D, H) do_test(M, #M, 0, S, F, D, H)
+#define DO_TEST_N(M, S, F, D, H) do_test(M, #M, ENCRYPTION_FLAG_NOPAD, S, F, D, H)
/* useful macro for debugging */
#define PRINT_MD5() \
@@ -53,25 +122,15 @@
printf("\"\n"); \
} while(0);
-#ifndef HAVE_EncryptAes128Ctr
-const uint MY_AES_CTR=0xDEADBEAF;
-#endif
-#ifndef HAVE_EncryptAes128Gcm
-const uint MY_AES_GCM=0xDEADBEAF;
-#endif
int
main(int argc __attribute__((unused)),char *argv[])
{
- uchar key[16]= {1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6};
- uchar iv[16]= {2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7};
- uchar src[1000], dst[1100], ddst[1000];
- uchar md5[MY_MD5_HASH_SIZE];
- uint src_len, dst_len, ddst_len;
MY_INIT(argv[0]);
- plan(87);
+ plan(122);
+ +
+ EVP_MD_CTX_free(ctx); DO_TEST_P(MY_AES_ECB, 200, '.', 208, "\xd8\x73\x8e\x3a\xbc\x66\x99\x13\x7f\x90\x23\x52\xee\x97\x6f\x9a");
} DO_TEST_P(MY_AES_ECB, 128, '?', 144, "\x19\x58\x33\x85\x4c\xaa\x7f\x06\xd1\xb2\xec\xd7\xb7\x6a\xa9\x5b");
DO_TEST_P(MY_AES_CBC, 159, '%', 160, "\x4b\x03\x18\x3d\xf1\xa7\xcd\xa1\x46\xb3\xc6\x8a\x92\xc0\x0f\xc9");
@@ -108,8 +110,7 @@ void my_md5_multi(uchar *digest, ...)
{
va_list args;
const uchar *str;
- char ctx_buf[EVP_MD_CTX_SIZE];
- EVP_MD_CTX * const ctx= (EVP_MD_CTX*)ctx_buf;
+ EVP_MD_CTX * const ctx= EVP_MD_CTX_new();
va_start(args, digest);
md5_init(ctx);
@@ -118,6 +119,7 @@ void my_md5_multi(uchar *digest, ...)
md5_result(ctx, digest);
va_end(args);
+ EVP_MD_CTX_free(ctx);
}
size_t my_md5_context_size()
Only in mariadb-10.5.9-orig/mysys_ssl: my_md5.cc.patchmd5
diff -rup mariadb-10.5.9-orig/mysys_ssl/my_sha.ic mariadb-10.5.9/mysys_ssl/my_sha.ic
--- mariadb-10.5.9-orig/mysys_ssl/my_sha.ic 2021-05-19 18:52:49.167464162 +0200
+++ mariadb-10.5.9/mysys_ssl/my_sha.ic 2021-05-21 22:34:44.132913630 +0200
@@ -146,11 +146,11 @@ static void sha_result(CONTEXT *context,
*/
void my_sha(uchar *digest, const char *buf, size_t len)
{
- CONTEXT context;
+ CONTEXT *context= (CONTEXT *)alloca(sizeof(CONTEXT));
- sha_init_fast(&context);
- sha_input(&context, (const uchar *)buf, (unsigned int)len);
- sha_result(&context, digest);
+ sha_init_fast(context);
+ sha_input(context, (const uchar *)buf, (unsigned int)len);
+ sha_result(context, digest);
}
@@ -171,14 +171,14 @@ void my_sha_multi(uchar *digest, ...)
va_list args;
va_start(args, digest);
- CONTEXT context;
+ CONTEXT *context= (CONTEXT *)alloca(sizeof(CONTEXT));
const uchar *str;
- sha_init_fast(&context);
+ sha_init_fast(context);
for (str= va_arg(args, const uchar*); str; str= va_arg(args, const uchar*))
- sha_input(&context, str, (uint) va_arg(args, size_t));
+ sha_input(context, str, (uint) va_arg(args, size_t));
- sha_result(&context, digest);
+ sha_result(context, digest);
va_end(args);
}
diff -up mariadb-10.5.10-downstream_modified/storage/innobase/handler/ha_innodb.cc.md5galera mariadb-10.5.10-downstream_modified/storage/innobase/handler/ha_innodb.cc
--- mariadb-10.5.10-downstream_modified/storage/innobase/handler/ha_innodb.cc.md5galera 2021-07-26 17:32:23.649932748 +0200
+++ mariadb-10.5.10-downstream_modified/storage/innobase/handler/ha_innodb.cc 2021-07-27 09:14:46.413734421 +0200
@@ -8279,7 +8279,7 @@ wsrep_calc_row_hash(
dictionary */
row_prebuilt_t* prebuilt) /*!< in: InnoDB prebuilt struct */
{
- void *ctx = alloca(my_md5_context_size());
+ void * const ctx= (void *)EVP_MD_CTX_new();
my_md5_init(ctx);
for (uint i = 0; i < table->s->fields; i++) {
@@ -8335,6 +8335,7 @@ wsrep_calc_row_hash(
}
my_md5_result(ctx, digest);
+ EVP_MD_CTX_free((EVP_MD_CTX *)ctx);
return(0);
}
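Review bot: In the new `do_test()` in unittest/mysys/aes-t.c, the padded-mode branch calls `ok(dst_len_real= dst_len, "my_aes_get_size")`, which assigns instead of comparing, so the check passes for any non-zero `dst_len` and no longer verifies the size reported by `my_aes_get_size()`. The macro it replaces compared the two values; writing it as `ok(dst_len == my_aes_get_size(mode, src_len), "my_aes_get_size");` restores the ciphertext-length check. Separately, include/ssl_compat.h now hard-codes `#define EVP_MD_CTX_SIZE 72` for a caller-provided context that `EVP_MD_CTX_init` memsets and then resets. No check of that constant against the linked OpenSSL is visible in this patch, so it is worth confirming one exists elsewhere, because a larger library-side struct would presumably overrun the buffer.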


@ -154,7 +154,7 @@
Name: mariadb Name: mariadb
Version: 10.5.12 Version: 10.5.12
Release: 3%{?with_debug:.debug}%{?dist} Release: 4%{?with_debug:.debug}%{?dist}
Epoch: 3 Epoch: 3
Summary: A very fast and robust SQL database server Summary: A very fast and robust SQL database server
@ -1648,6 +1648,10 @@ fi
%endif %endif
%changelog %changelog
* Thu Nov 18 2021 Honza Horak <hhorak@redhat.com> - 3:10.5.12-4
- Use OpenSSL 3.0.0 patch from upstream
Related: #1991498
* Mon Oct 11 2021 Michal Schorm <mschorm@redhat.com> - 3:10.5.12-3 * Mon Oct 11 2021 Michal Schorm <mschorm@redhat.com> - 3:10.5.12-3
- Add wsrep_sst_rsync_tunnel script - Add wsrep_sst_rsync_tunnel script