From d9323ed72dcbd13fdaa0b8b671c97b94170e446b Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Tue, 11 Jan 2022 12:58:07 -0500
Subject: [PATCH] import mariadb-10.5.12-4.el9
---
SOURCES/mariadb-openssl3.patch | 539 ++++++++++++++++++++++-----------
SPECS/mariadb.spec | 6 +-
2 files changed, 372 insertions(+), 173 deletions(-)
diff --git a/SOURCES/mariadb-openssl3.patch b/SOURCES/mariadb-openssl3.patch
index 8c6694a..0b69969 100644
--- a/SOURCES/mariadb-openssl3.patch
+++ b/SOURCES/mariadb-openssl3.patch
@@ -1,183 +1,378 @@
-diff -rup mariadb-10.5.9-orig/mysql-test/main/tls_version1.opt mariadb-10.5.9/mysql-test/main/tls_version1.opt
---- mariadb-10.5.9-orig/mysql-test/main/tls_version1.opt 2021-05-19 18:52:49.627469097 +0200
-+++ mariadb-10.5.9/mysql-test/main/tls_version1.opt 2021-05-21 22:34:44.131913619 +0200
-@@ -1 +1 @@
----tls_version=TLSv1.0
-+--tls_version=TLSv1.2
-diff -rup mariadb-10.5.9-orig/mysql-test/main/tls_version1.result mariadb-10.5.9/mysql-test/main/tls_version1.result
---- mariadb-10.5.9-orig/mysql-test/main/tls_version1.result 2021-05-19 18:52:49.592468722 +0200
-+++ mariadb-10.5.9/mysql-test/main/tls_version1.result 2021-05-21 22:34:44.131913619 +0200
-@@ -1,6 +1,6 @@
- Variable_name Value
--Ssl_version TLSv1
-+Ssl_version TLSv1.2
- Variable_name Value
--Ssl_version TLSv1
-+Ssl_version TLSv1.2
- @@tls_version
--TLSv1.0
-+TLSv1.2
-diff -rup mariadb-10.5.9-orig/mysql-test/main/tls_version1.test mariadb-10.5.9/mysql-test/main/tls_version1.test
---- mariadb-10.5.9-orig/mysql-test/main/tls_version1.test 2021-05-19 18:52:49.577468561 +0200
-+++ mariadb-10.5.9/mysql-test/main/tls_version1.test 2021-05-21 22:34:44.131913619 +0200
-@@ -3,10 +3,10 @@
+From c80991c79f701dac42c630af4bd39593b0c7efb4 Mon Sep 17 00:00:00 2001
+From: Vladislav Vaintroub <wlad@mariadb.com>
+Date: Mon, 8 Nov 2021 18:48:19 +0100
+Subject: [PATCH] MDEV-25785 Add support for OpenSSL 3.0
+
+Summary of changes
+
+- MD_CTX_SIZE is increased
+
+- EVP_CIPHER_CTX_buf_noconst(ctx) does not work anymore, points
+ to nobody knows where. The assumption made previously was that
+ (since the function does not seem to be documented)
+ was that it points to the last partial source block.
+ Add own partial block buffer for NOPAD encryption instead
+
+- SECLEVEL in CipherString in openssl.cnf
+ had been downgraded to 0, from 1, to make TLSv1.0 and TLSv1.1 possible
+
+- Workaround Ssl_cipher_list issue, it now returns TLSv1.3 ciphers,
+ in addition to what was set in --ssl-cipher
+
+- ctx_buf buffer now must be aligned to 16 bytes with openssl(
+ previously with WolfSSL only), ot crashes will happen
+
+- updated aes-t , to be better debuggable
+ using function, rather than a huge multiline macro
+ added test that does "nopad" encryption piece-wise, to test
+ replacement of EVP_CIPHER_CTX_buf_noconst
+---
+ cmake/ssl.cmake | 19 ++++-
+ include/ssl_compat.h | 3 +-
+ mysql-test/lib/openssl.cnf | 2 +-
+ mysql-test/main/ssl_cipher.result | 6 +-
+ mysql-test/main/ssl_cipher.test | 2 +-
+ mysys_ssl/my_crypt.cc | 46 +++++++-----
+ unittest/mysys/aes-t.c | 121 ++++++++++++++++++++++--------
+ 7 files changed, 141 insertions(+), 58 deletions(-)
+
+
+diff -up mariadb-10.5.12-downstream_modified/cmake/ssl.cmake.patch16 mariadb-10.5.12-downstream_modified/cmake/ssl.cmake
+--- mariadb-10.5.12-downstream_modified/cmake/ssl.cmake.patch16 2021-08-03 10:29:07.000000000 +0200
++++ mariadb-10.5.12-downstream_modified/cmake/ssl.cmake 2021-11-18 16:58:41.552440737 +0100
+@@ -139,9 +139,20 @@ MACRO (MYSQL_CHECK_SSL)
+ SET(SSL_INTERNAL_INCLUDE_DIRS "")
+ SET(SSL_DEFINES "-DHAVE_OPENSSL")
- -- source include/have_ssl_communication.inc
- --exec $MYSQL --host=localhost --ssl -e "show status like 'ssl_version';"
----error 1
- --exec $MYSQL --host=localhost --ssl --tls_version=TLSv1.2 -e "show status like 'ssl_version';"
- --error 1
- --exec $MYSQL --host=localhost --ssl --tls_version=TLSv1.1 -e "show status like 'ssl_version';"
-+--error 1
- --exec $MYSQL --host=localhost --ssl --tls_version=TLSv1.0 -e "show status like 'ssl_version';"
- --exec $MYSQL --host=localhost --ssl -e "select @@tls_version;"
++ FOREACH(x INCLUDES LIBRARIES DEFINITIONS)
++ SET(SAVE_CMAKE_REQUIRED_${x} ${CMAKE_REQUIRED_${x}})
++ ENDFOREACH()
++
++ # Silence "deprecated in OpenSSL 3.0"
++ IF((NOT OPENSSL_VERSION) # 3.0 not determined by older cmake
++ OR NOT(OPENSSL_VERSION VERSION_LESS "3.0.0"))
++ SET(SSL_DEFINES "${SSL_DEFINES} -DOPENSSL_API_COMPAT=0x10100000L")
++ SET(CMAKE_REQUIRED_DEFINITIONS -DOPENSSL_API_COMPAT=0x10100000L)
++ ENDIF()
++
+ SET(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
+ SET(CMAKE_REQUIRED_LIBRARIES ${SSL_LIBRARIES})
+- SET(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
++
+ CHECK_SYMBOL_EXISTS(ERR_remove_thread_state "openssl/err.h"
+ HAVE_ERR_remove_thread_state)
+ CHECK_SYMBOL_EXISTS(EVP_aes_128_ctr "openssl/evp.h"
+@@ -150,8 +161,10 @@ MACRO (MYSQL_CHECK_SSL)
+ HAVE_EncryptAes128Gcm)
+ CHECK_SYMBOL_EXISTS(X509_check_host "openssl/x509v3.h"
+ HAVE_X509_check_host)
+- SET(CMAKE_REQUIRED_INCLUDES)
+- SET(CMAKE_REQUIRED_LIBRARIES)
++
++ FOREACH(x INCLUDES LIBRARIES DEFINITIONS)
++ SET(CMAKE_REQUIRED_${x} ${SAVE_CMAKE_REQUIRED_${x}})
++ ENDFOREACH()
+ ELSE()
+ IF(WITH_SSL STREQUAL "system")
+ MESSAGE(FATAL_ERROR "Cannot find appropriate system libraries for SSL. Use WITH_SSL=bundled to enable SSL support")
+diff -up mariadb-10.5.12-downstream_modified/include/ssl_compat.h.patch16 mariadb-10.5.12-downstream_modified/include/ssl_compat.h
+--- mariadb-10.5.12-downstream_modified/include/ssl_compat.h.patch16 2021-08-03 10:29:07.000000000 +0200
++++ mariadb-10.5.12-downstream_modified/include/ssl_compat.h 2021-11-18 16:58:41.552440737 +0100
+@@ -24,7 +24,7 @@
+ #define SSL_LIBRARY OpenSSL_version(OPENSSL_VERSION)
+ #define ERR_remove_state(X) ERR_clear_error()
+ #define EVP_CIPHER_CTX_SIZE 176
+-#define EVP_MD_CTX_SIZE 48
++#define EVP_MD_CTX_SIZE 72
+ #undef EVP_MD_CTX_init
+ #define EVP_MD_CTX_init(X) do { memset((X), 0, EVP_MD_CTX_SIZE); EVP_MD_CTX_reset(X); } while(0)
+ #undef EVP_CIPHER_CTX_init
+@@ -74,7 +74,6 @@
+ #endif
+
+ #define DH_set0_pqg(D,P,Q,G) ((D)->p= (P), (D)->g= (G))
+-#define EVP_CIPHER_CTX_buf_noconst(ctx) ((ctx)->buf)
+ #define EVP_CIPHER_CTX_encrypting(ctx) ((ctx)->encrypt)
+ #define EVP_CIPHER_CTX_SIZE sizeof(EVP_CIPHER_CTX)
+
+diff -up mariadb-10.5.12-downstream_modified/mysql-test/lib/openssl.cnf.patch16 mariadb-10.5.12-downstream_modified/mysql-test/lib/openssl.cnf
+--- mariadb-10.5.12-downstream_modified/mysql-test/lib/openssl.cnf.patch16 2021-08-03 10:29:07.000000000 +0200
++++ mariadb-10.5.12-downstream_modified/mysql-test/lib/openssl.cnf 2021-11-18 16:58:41.552440737 +0100
+@@ -9,4 +9,4 @@ ssl_conf = ssl_section
+ system_default = system_default_section
+
+ [system_default_section]
+-CipherString = ALL:@SECLEVEL=1
++CipherString = ALL:@SECLEVEL=0
+diff -up mariadb-10.5.12-downstream_modified/mysql-test/main/ssl_cipher.result.patch16 mariadb-10.5.12-downstream_modified/mysql-test/main/ssl_cipher.result
+--- mariadb-10.5.12-downstream_modified/mysql-test/main/ssl_cipher.result.patch16 2021-08-03 10:29:08.000000000 +0200
++++ mariadb-10.5.12-downstream_modified/mysql-test/main/ssl_cipher.result 2021-11-18 16:58:41.552440737 +0100
+@@ -61,8 +61,8 @@ connect ssl_con,localhost,root,,,,,SSL;
+ SHOW STATUS LIKE 'Ssl_cipher';
+ Variable_name Value
+ Ssl_cipher AES128-SHA
+-SHOW STATUS LIKE 'Ssl_cipher_list';
+-Variable_name Value
+-Ssl_cipher_list AES128-SHA
++SELECT VARIABLE_VALUE like '%AES128-SHA%' FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher_list';
++VARIABLE_VALUE like '%AES128-SHA%'
++1
+ disconnect ssl_con;
+ connection default;
+diff -up mariadb-10.5.12-downstream_modified/mysql-test/main/ssl_cipher.test.patch16 mariadb-10.5.12-downstream_modified/mysql-test/main/ssl_cipher.test
+--- mariadb-10.5.12-downstream_modified/mysql-test/main/ssl_cipher.test.patch16 2021-11-18 16:58:41.552440737 +0100
++++ mariadb-10.5.12-downstream_modified/mysql-test/main/ssl_cipher.test 2021-11-18 17:00:47.753839711 +0100
+@@ -100,6 +100,6 @@ connect (ssl_con,localhost,root,,,,,SSL)
+ --replace_regex /TLS_AES_.*/AES128-SHA/
+ SHOW STATUS LIKE 'Ssl_cipher';
+ --replace_regex /TLS_AES_.*/AES128-SHA/
+-SHOW STATUS LIKE 'Ssl_cipher_list';
++SELECT VARIABLE_VALUE like '%AES128-SHA%' FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher_list';
+ disconnect ssl_con;
+ connection default;
+diff -up mariadb-10.5.12-downstream_modified/mysys_ssl/my_crypt.cc.patch16 mariadb-10.5.12-downstream_modified/mysys_ssl/my_crypt.cc
+--- mariadb-10.5.12-downstream_modified/mysys_ssl/my_crypt.cc.patch16 2021-08-03 10:29:08.000000000 +0200
++++ mariadb-10.5.12-downstream_modified/mysys_ssl/my_crypt.cc 2021-11-18 16:58:41.552440737 +0100
+@@ -29,11 +29,7 @@
+ #include <ssl_compat.h>
+ #include <cstdint>
+
+-#ifdef HAVE_WOLFSSL
+ #define CTX_ALIGN 16
+-#else
+-#define CTX_ALIGN 0
+-#endif
-diff -rup mariadb-10.5.9-orig/mysys_ssl/my_crypt.cc mariadb-10.5.9/mysys_ssl/my_crypt.cc
---- mariadb-10.5.9-orig/mysys_ssl/my_crypt.cc 2021-05-19 18:52:49.167464162 +0200
-+++ mariadb-10.5.9/mysys_ssl/my_crypt.cc 2021-05-21 22:34:44.132913630 +0200
-@@ -38,22 +38,14 @@
class MyCTX
{
+@@ -100,8 +96,9 @@ class MyCTX_nopad : public MyCTX
+ {
public:
-- char ctx_buf[EVP_CIPHER_CTX_SIZE + CTX_ALIGN];
-- EVP_CIPHER_CTX* ctx;
-+ EVP_CIPHER_CTX* ctx= NULL;
- MyCTX()
+ const uchar *key;
+- uint klen, buf_len;
++ uint klen, source_tail_len;
+ uchar oiv[MY_AES_BLOCK_SIZE];
++ uchar source_tail[MY_AES_BLOCK_SIZE];
+
+ MyCTX_nopad() : MyCTX() { }
+ ~MyCTX_nopad() { }
+@@ -112,7 +109,7 @@ public:
+ compile_time_assert(MY_AES_CTX_SIZE >= sizeof(MyCTX_nopad));
+ this->key= key;
+ this->klen= klen;
+- this->buf_len= 0;
++ this->source_tail_len= 0;
+ if (ivlen)
+ memcpy(oiv, iv, ivlen);
+ DBUG_ASSERT(ivlen == 0 || ivlen == sizeof(oiv));
+@@ -123,26 +120,41 @@ public:
+ return res;
+ }
+
++ /** Update last partial source block, stored in source_tail array. */
++ void update_source_tail(const uchar* src, uint slen)
++ {
++ if (!slen)
++ return;
++ uint new_tail_len= (source_tail_len + slen) % MY_AES_BLOCK_SIZE;
++ if (new_tail_len)
++ {
++ if (slen + source_tail_len < MY_AES_BLOCK_SIZE)
++ {
++ memcpy(source_tail + source_tail_len, src, slen);
++ }
++ else
++ {
++ DBUG_ASSERT(slen > new_tail_len);
++ memcpy(source_tail, src + slen - new_tail_len, new_tail_len);
++ }
++ }
++ source_tail_len= new_tail_len;
++ }
++
+ int update(const uchar *src, uint slen, uchar *dst, uint *dlen)
{
--#if CTX_ALIGN > 0
-- uintptr_t p= ((uintptr_t)ctx_buf + (CTX_ALIGN - 1)) & ~(CTX_ALIGN - 1);
-- ctx = reinterpret_cast<EVP_CIPHER_CTX*>(p);
--#else
-- ctx = (EVP_CIPHER_CTX*)ctx_buf;
--#endif
+- buf_len+= slen;
++ update_source_tail(src, slen);
+ return MyCTX::update(src, slen, dst, dlen);
+ }
+
+ int finish(uchar *dst, uint *dlen)
+ {
+- buf_len %= MY_AES_BLOCK_SIZE;
+- if (buf_len)
++ if (source_tail_len)
+ {
+- uchar *buf= EVP_CIPHER_CTX_buf_noconst(ctx);
+ /*
+ Not much we can do, block ciphers cannot encrypt data that aren't
+ a multiple of the block length. At least not without padding.
+ Let's do something CTR-like for the last partial block.
-
-- EVP_CIPHER_CTX_init(ctx);
-+ ctx = EVP_CIPHER_CTX_new();
+- NOTE this assumes that there are only buf_len bytes in the buf.
+- If OpenSSL will change that, we'll need to change the implementation
+- of this class too.
+ */
+ uchar mask[MY_AES_BLOCK_SIZE];
+ uint mlen;
+@@ -154,10 +166,10 @@ public:
+ return rc;
+ DBUG_ASSERT(mlen == sizeof(mask));
+
+- for (uint i=0; i < buf_len; i++)
+- dst[i]= buf[i] ^ mask[i];
++ for (uint i=0; i < source_tail_len; i++)
++ dst[i]= source_tail[i] ^ mask[i];
+ }
+- *dlen= buf_len;
++ *dlen= source_tail_len;
+ return MY_AES_OK;
}
- virtual ~MyCTX()
- {
-- EVP_CIPHER_CTX_reset(ctx);
-+ EVP_CIPHER_CTX_free(ctx);
- ERR_remove_state(0);
+ };
+diff -up mariadb-10.5.12-downstream_modified/unittest/mysys/aes-t.c.patch16 mariadb-10.5.12-downstream_modified/unittest/mysys/aes-t.c
+--- mariadb-10.5.12-downstream_modified/unittest/mysys/aes-t.c.patch16 2021-08-03 10:29:10.000000000 +0200
++++ mariadb-10.5.12-downstream_modified/unittest/mysys/aes-t.c 2021-11-18 16:58:41.553440740 +0100
+@@ -21,27 +21,96 @@
+ #include <string.h>
+ #include <ctype.h>
+
+-#define DO_TEST(mode, nopad, slen, fill, dlen, hash) \
+- SKIP_BLOCK_IF(mode == 0xDEADBEAF, nopad ? 4 : 5, #mode " not supported") \
+- { \
+- memset(src, fill, src_len= slen); \
+- ok(my_aes_crypt(mode, nopad | ENCRYPTION_FLAG_ENCRYPT, \
+- src, src_len, dst, &dst_len, \
+- key, sizeof(key), iv, sizeof(iv)) == MY_AES_OK, \
+- "encrypt " #mode " %u %s", src_len, nopad ? "nopad" : "pad"); \
+- if (!nopad) \
+- ok (dst_len == my_aes_get_size(mode, src_len), "my_aes_get_size");\
+- my_md5(md5, (char*)dst, dst_len); \
+- ok(dst_len == dlen && memcmp(md5, hash, sizeof(md5)) == 0, "md5"); \
+- ok(my_aes_crypt(mode, nopad | ENCRYPTION_FLAG_DECRYPT, \
+- dst, dst_len, ddst, &ddst_len, \
+- key, sizeof(key), iv, sizeof(iv)) == MY_AES_OK, \
+- "decrypt " #mode " %u", dst_len); \
+- ok(ddst_len == src_len && memcmp(src, ddst, src_len) == 0, "memcmp"); \
++
++/** Test streaming encryption, bytewise update.*/
++static int aes_crypt_bytewise(enum my_aes_mode mode, int flags, const unsigned char *src,
++ unsigned int slen, unsigned char *dst, unsigned int *dlen,
++ const unsigned char *key, unsigned int klen,
++ const unsigned char *iv, unsigned int ivlen)
++{
++ /* Allocate context on odd address on stack, in order to
++ catch misalignment errors.*/
++ void *ctx= (char *)alloca(MY_AES_CTX_SIZE+1)+1;
++
++ int res1, res2;
++ uint d1= 0, d2;
++ uint i;
++
++ if ((res1= my_aes_crypt_init(ctx, mode, flags, key, klen, iv, ivlen)))
++ return res1;
++ for (i= 0; i < slen; i++)
++ {
++ uint tmp_d1=0;
++ res1= my_aes_crypt_update(ctx, src+i,1, dst, &tmp_d1);
++ if (res1)
++ return res1;
++ d1+= tmp_d1;
++ dst+= tmp_d1;
++ }
++ res2= my_aes_crypt_finish(ctx, dst, &d2);
++ *dlen= d1 + d2;
++ return res1 ? res1 : res2;
++}
++
++
++#ifndef HAVE_EncryptAes128Ctr
++const uint MY_AES_CTR=0xDEADBEAF;
++#endif
++#ifndef HAVE_EncryptAes128Gcm
++const uint MY_AES_GCM=0xDEADBEAF;
++#endif
++
++#define MY_AES_UNSUPPORTED(x) (x == 0xDEADBEAF)
++
++static void do_test(uint mode, const char *mode_str, int nopad, uint slen,
++ char fill, size_t dlen, const char *hash)
++{
++ uchar key[16]= {1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 5, 6};
++ uchar iv[16]= {2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 5, 6, 7};
++ uchar src[1000], dst[1100], dst2[1100], ddst[1000];
++ uchar md5[MY_MD5_HASH_SIZE];
++ uint src_len, dst_len, dst_len2, ddst_len;
++ int result;
++
++ if (MY_AES_UNSUPPORTED(mode))
++ {
++ skip(nopad?7:6, "%s not supported", mode_str);
++ return;
++ }
++ memset(src, fill, src_len= slen);
++ result= my_aes_crypt(mode, nopad | ENCRYPTION_FLAG_ENCRYPT, src, src_len,
++ dst, &dst_len, key, sizeof(key), iv, sizeof(iv));
++ ok(result == MY_AES_OK, "encrypt %s %u %s", mode_str, src_len,
++ nopad ? "nopad" : "pad");
++
++ if (nopad)
++ {
++ result= aes_crypt_bytewise(mode, nopad | ENCRYPTION_FLAG_ENCRYPT, src,
++ src_len, dst2, &dst_len2, key, sizeof(key),
++ iv, sizeof(iv));
++ ok(result == MY_AES_OK, "encrypt bytewise %s %u", mode_str, src_len);
++ /* Compare with non-bytewise encryption result*/
++ ok(dst_len == dst_len2 && memcmp(dst, dst2, dst_len) == 0,
++ "memcmp bytewise %s %u", mode_str, src_len);
}
-
-diff -rup mariadb-10.5.9-orig/mysys_ssl/my_md5.cc mariadb-10.5.9/mysys_ssl/my_md5.cc
---- mariadb-10.5.9-orig/mysys_ssl/my_md5.cc 2021-05-19 18:52:49.167464162 +0200
-+++ mariadb-10.5.9/mysys_ssl/my_md5.cc 2021-05-24 15:25:11.365769072 +0200
-@@ -52,12 +52,13 @@ static void md5_result(EVP_MD_CTX *conte
-
- static void md5_init(EVP_MD_CTX *context)
- {
-- EVP_MD_CTX_init(context);
-+ const EVP_MD *md;
- #ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
- /* Ok to ignore FIPS: MD5 is not used for crypto here */
- EVP_MD_CTX_set_flags(context, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
- #endif
-- EVP_DigestInit_ex(context, EVP_md5(), NULL);
-+ md = EVP_get_digestbyname("MD5");
-+ EVP_DigestInit_ex(context, md, NULL);
- }
-
- static void md5_input(EVP_MD_CTX *context, const uchar *buf, unsigned len)
-@@ -68,7 +69,6 @@ static void md5_input(EVP_MD_CTX *contex
- static void md5_result(EVP_MD_CTX *context, uchar digest[MD5_HASH_SIZE])
- {
- EVP_DigestFinal_ex(context, digest, NULL);
-- EVP_MD_CTX_reset(context);
- }
-
- #endif /* HAVE_WOLFSSL */
-@@ -84,11 +84,13 @@ static void md5_result(EVP_MD_CTX *conte
- */
- void my_md5(uchar *digest, const char *buf, size_t len)
- {
-- char ctx_buf[EVP_MD_CTX_SIZE];
-- EVP_MD_CTX * const ctx= (EVP_MD_CTX*)ctx_buf;
-+ EVP_MD_CTX * const ctx= EVP_MD_CTX_new();
++ else
++ {
++ int dst_len_real= my_aes_get_size(mode, src_len);
++ ok(dst_len_real= dst_len, "my_aes_get_size");
++ }
++ my_md5(md5, (char *) dst, dst_len);
++ ok(dst_len == dlen, "md5 len");
++ ok(memcmp(md5, hash, sizeof(md5)) == 0, "md5");
++ result= my_aes_crypt(mode, nopad | ENCRYPTION_FLAG_DECRYPT,
++ dst, dst_len, ddst, &ddst_len, key, sizeof(key), iv,
++ sizeof(iv));
+
- md5_init(ctx);
- md5_input(ctx, (const uchar *)buf, (uint) len);
- md5_result(ctx, digest);
++ ok(result == MY_AES_OK, "decrypt %s %u", mode_str, dst_len);
++ ok(ddst_len == src_len && memcmp(src, ddst, src_len) == 0, "memcmp");
++}
+
+-#define DO_TEST_P(M,S,F,D,H) DO_TEST(M,0,S,F,D,H)
+-#define DO_TEST_N(M,S,F,D,H) DO_TEST(M,ENCRYPTION_FLAG_NOPAD,S,F,D,H)
++#define DO_TEST_P(M, S, F, D, H) do_test(M, #M, 0, S, F, D, H)
++#define DO_TEST_N(M, S, F, D, H) do_test(M, #M, ENCRYPTION_FLAG_NOPAD, S, F, D, H)
+
+ /* useful macro for debugging */
+ #define PRINT_MD5() \
+@@ -53,25 +122,15 @@
+ printf("\"\n"); \
+ } while(0);
+
+-#ifndef HAVE_EncryptAes128Ctr
+-const uint MY_AES_CTR=0xDEADBEAF;
+-#endif
+-#ifndef HAVE_EncryptAes128Gcm
+-const uint MY_AES_GCM=0xDEADBEAF;
+-#endif
+
+ int
+ main(int argc __attribute__((unused)),char *argv[])
+ {
+- uchar key[16]= {1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6};
+- uchar iv[16]= {2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7};
+- uchar src[1000], dst[1100], ddst[1000];
+- uchar md5[MY_MD5_HASH_SIZE];
+- uint src_len, dst_len, ddst_len;
+
+ MY_INIT(argv[0]);
+
+- plan(87);
++ plan(122);
+
-+ EVP_MD_CTX_free(ctx);
- }
-
-
-@@ -108,8 +110,7 @@ void my_md5_multi(uchar *digest, ...)
- {
- va_list args;
- const uchar *str;
-- char ctx_buf[EVP_MD_CTX_SIZE];
-- EVP_MD_CTX * const ctx= (EVP_MD_CTX*)ctx_buf;
-+ EVP_MD_CTX * const ctx= EVP_MD_CTX_new();
- va_start(args, digest);
-
- md5_init(ctx);
-@@ -118,6 +119,7 @@ void my_md5_multi(uchar *digest, ...)
-
- md5_result(ctx, digest);
- va_end(args);
-+ EVP_MD_CTX_free(ctx);
- }
-
- size_t my_md5_context_size()
-Only in mariadb-10.5.9-orig/mysys_ssl: my_md5.cc.patchmd5
-diff -rup mariadb-10.5.9-orig/mysys_ssl/my_sha.ic mariadb-10.5.9/mysys_ssl/my_sha.ic
---- mariadb-10.5.9-orig/mysys_ssl/my_sha.ic 2021-05-19 18:52:49.167464162 +0200
-+++ mariadb-10.5.9/mysys_ssl/my_sha.ic 2021-05-21 22:34:44.132913630 +0200
-@@ -146,11 +146,11 @@ static void sha_result(CONTEXT *context,
- */
- void my_sha(uchar *digest, const char *buf, size_t len)
- {
-- CONTEXT context;
-+ CONTEXT *context= (CONTEXT *)alloca(sizeof(CONTEXT));
-
-- sha_init_fast(&context);
-- sha_input(&context, (const uchar *)buf, (unsigned int)len);
-- sha_result(&context, digest);
-+ sha_init_fast(context);
-+ sha_input(context, (const uchar *)buf, (unsigned int)len);
-+ sha_result(context, digest);
- }
-
-
-@@ -171,14 +171,14 @@ void my_sha_multi(uchar *digest, ...)
- va_list args;
- va_start(args, digest);
-
-- CONTEXT context;
-+ CONTEXT *context= (CONTEXT *)alloca(sizeof(CONTEXT));
- const uchar *str;
-
-- sha_init_fast(&context);
-+ sha_init_fast(context);
- for (str= va_arg(args, const uchar*); str; str= va_arg(args, const uchar*))
-- sha_input(&context, str, (uint) va_arg(args, size_t));
-+ sha_input(context, str, (uint) va_arg(args, size_t));
-
-- sha_result(&context, digest);
-+ sha_result(context, digest);
- va_end(args);
- }
-
-diff -up mariadb-10.5.10-downstream_modified/storage/innobase/handler/ha_innodb.cc.md5galera mariadb-10.5.10-downstream_modified/storage/innobase/handler/ha_innodb.cc
---- mariadb-10.5.10-downstream_modified/storage/innobase/handler/ha_innodb.cc.md5galera 2021-07-26 17:32:23.649932748 +0200
-+++ mariadb-10.5.10-downstream_modified/storage/innobase/handler/ha_innodb.cc 2021-07-27 09:14:46.413734421 +0200
-@@ -8279,7 +8279,7 @@ wsrep_calc_row_hash(
- dictionary */
- row_prebuilt_t* prebuilt) /*!< in: InnoDB prebuilt struct */
- {
-- void *ctx = alloca(my_md5_context_size());
-+ void * const ctx= (void *)EVP_MD_CTX_new();
- my_md5_init(ctx);
-
- for (uint i = 0; i < table->s->fields; i++) {
-@@ -8335,6 +8335,7 @@ wsrep_calc_row_hash(
- }
-
- my_md5_result(ctx, digest);
-+ EVP_MD_CTX_free((EVP_MD_CTX *)ctx);
-
- return(0);
- }
+ DO_TEST_P(MY_AES_ECB, 200, '.', 208, "\xd8\x73\x8e\x3a\xbc\x66\x99\x13\x7f\x90\x23\x52\xee\x97\x6f\x9a");
+ DO_TEST_P(MY_AES_ECB, 128, '?', 144, "\x19\x58\x33\x85\x4c\xaa\x7f\x06\xd1\xb2\xec\xd7\xb7\x6a\xa9\x5b");
+ DO_TEST_P(MY_AES_CBC, 159, '%', 160, "\x4b\x03\x18\x3d\xf1\xa7\xcd\xa1\x46\xb3\xc6\x8a\x92\xc0\x0f\xc9");
diff --git a/SPECS/mariadb.spec b/SPECS/mariadb.spec
index bea684a..2973cd2 100644
--- a/SPECS/mariadb.spec
+++ b/SPECS/mariadb.spec
@@ -154,7 +154,7 @@
Name: mariadb
Version: 10.5.12
-Release: 3%{?with_debug:.debug}%{?dist}
+Release: 4%{?with_debug:.debug}%{?dist}
Epoch: 3
Summary: A very fast and robust SQL database server
@@ -1648,6 +1648,10 @@ fi
%endif
%changelog
+* Thu Nov 18 2021 Honza Horak <hhorak@redhat.com> - 3:10.5.12-4
+- Use OpenSSL 3.0.0 patch from upstream
+ Related: #1991498
+
* Mon Oct 11 2021 Michal Schorm <mschorm@redhat.com> - 3:10.5.12-3
- Add wsrep_sst_rsync_tunnel script