Rebase to 10.5.18
OpenSSL 3 patch upstreamed
This commit is contained in:
		
							parent
							
								
									ff7a95c651
								
							
						
					
					
						commit
						9f12d914a4
					
				| @ -1,28 +0,0 @@ | ||||
| Fix md5 in FIPS mode | ||||
| 
 | ||||
| OpenSSL 3.0.0+ does not support EVP_MD_CTX_FLAG_NON_FIPS_ALLOW any longer. | ||||
| In OpenSSL 1.1.1 the non FIPS allowed flag is context specific, while | ||||
| in 3.0.0+ it is a different EVP_MD provider. | ||||
| 
 | ||||
| Resolves: rhbz#2050541 | ||||
| 
 | ||||
| diff -up mariadb-10.5.13-downstream_modified/mysys_ssl/my_md5.cc.fips mariadb-10.5.13-downstream_modified/mysys_ssl/my_md5.cc
 | ||||
| --- mariadb-10.5.13-downstream_modified/mysys_ssl/my_md5.cc.fips	2022-02-07 16:36:47.255131576 +0100
 | ||||
| +++ mariadb-10.5.13-downstream_modified/mysys_ssl/my_md5.cc	2022-02-07 22:57:32.391002916 +0100
 | ||||
| @@ -52,12 +52,15 @@ static void md5_result(EVP_MD_CTX *conte
 | ||||
|   | ||||
|  static void md5_init(EVP_MD_CTX *context) | ||||
|  { | ||||
| +  EVP_MD *md5;
 | ||||
| +  md5 = EVP_MD_fetch(NULL, "MD5", "fips=no");
 | ||||
|    EVP_MD_CTX_init(context); | ||||
|  #ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW | ||||
|    /* Ok to ignore FIPS: MD5 is not used for crypto here */ | ||||
|    EVP_MD_CTX_set_flags(context, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); | ||||
|  #endif | ||||
| -  EVP_DigestInit_ex(context, EVP_md5(), NULL);
 | ||||
| +  EVP_DigestInit_ex(context, md5, NULL);
 | ||||
| +  EVP_MD_free(md5);
 | ||||
|  } | ||||
|   | ||||
|  static void md5_input(EVP_MD_CTX *context, const uchar *buf, unsigned len) | ||||
| @ -1,401 +0,0 @@ | ||||
| From c80991c79f701dac42c630af4bd39593b0c7efb4 Mon Sep 17 00:00:00 2001 | ||||
| From: Vladislav Vaintroub <wlad@mariadb.com> | ||||
| Date: Mon, 8 Nov 2021 18:48:19 +0100 | ||||
| Subject: [PATCH] MDEV-25785 Add support for OpenSSL 3.0 | ||||
| 
 | ||||
| Summary of changes | ||||
| 
 | ||||
| - MD_CTX_SIZE is increased
 | ||||
| 
 | ||||
| - EVP_CIPHER_CTX_buf_noconst(ctx) does not work anymore, points
 | ||||
|   to nobody knows where. The assumption made previously was that | ||||
|   (since the function does not seem to be documented) | ||||
|   was that it points to the last partial source block. | ||||
|   Add own partial block buffer for NOPAD encryption instead | ||||
| 
 | ||||
| - SECLEVEL in CipherString in openssl.cnf
 | ||||
|   had been downgraded to 0, from 1, to make TLSv1.0 and TLSv1.1 possible | ||||
| 
 | ||||
| - Workaround Ssl_cipher_list issue, it now returns TLSv1.3 ciphers,
 | ||||
|   in addition to what was set in --ssl-cipher | ||||
| 
 | ||||
| - ctx_buf buffer now must be aligned to 16 bytes with openssl(
 | ||||
|   previously with WolfSSL only), ot crashes will happen | ||||
| 
 | ||||
| - updated aes-t , to be better debuggable
 | ||||
|   using function, rather than a huge multiline macro | ||||
|   added test that does "nopad" encryption piece-wise, to test | ||||
|   replacement of EVP_CIPHER_CTX_buf_noconst | ||||
| ---
 | ||||
|  cmake/ssl.cmake                   |  19 ++++- | ||||
|  include/ssl_compat.h              |   3 +- | ||||
|  mysql-test/lib/openssl.cnf        |   2 +- | ||||
|  mysql-test/main/ssl_cipher.result |   6 +- | ||||
|  mysql-test/main/ssl_cipher.test   |   2 +- | ||||
|  mysys_ssl/my_crypt.cc             |  46 +++++++----- | ||||
|  unittest/mysys/aes-t.c            | 121 ++++++++++++++++++++++-------- | ||||
|  7 files changed, 141 insertions(+), 58 deletions(-) | ||||
| 
 | ||||
| 
 | ||||
| diff -up mariadb-10.5.12-downstream_modified/cmake/ssl.cmake.patch16 mariadb-10.5.12-downstream_modified/cmake/ssl.cmake
 | ||||
| --- mariadb-10.5.12-downstream_modified/cmake/ssl.cmake.patch16	2021-08-03 10:29:07.000000000 +0200
 | ||||
| +++ mariadb-10.5.12-downstream_modified/cmake/ssl.cmake	2021-11-18 16:58:41.552440737 +0100
 | ||||
| @@ -139,9 +139,20 @@ MACRO (MYSQL_CHECK_SSL)
 | ||||
|        SET(SSL_INTERNAL_INCLUDE_DIRS "") | ||||
|        SET(SSL_DEFINES "-DHAVE_OPENSSL") | ||||
|   | ||||
| +      FOREACH(x INCLUDES LIBRARIES DEFINITIONS)
 | ||||
| +        SET(SAVE_CMAKE_REQUIRED_${x} ${CMAKE_REQUIRED_${x}})
 | ||||
| +      ENDFOREACH()
 | ||||
| +
 | ||||
| +      # Silence "deprecated in OpenSSL 3.0"
 | ||||
| +      IF((NOT OPENSSL_VERSION) # 3.0 not determined by older cmake
 | ||||
| +         OR NOT(OPENSSL_VERSION VERSION_LESS "3.0.0"))
 | ||||
| +        SET(SSL_DEFINES "${SSL_DEFINES} -DOPENSSL_API_COMPAT=0x10100000L")
 | ||||
| +        SET(CMAKE_REQUIRED_DEFINITIONS -DOPENSSL_API_COMPAT=0x10100000L)
 | ||||
| +      ENDIF()
 | ||||
| +
 | ||||
|        SET(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR}) | ||||
|        SET(CMAKE_REQUIRED_LIBRARIES ${SSL_LIBRARIES}) | ||||
| -      SET(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
 | ||||
| +
 | ||||
|        CHECK_SYMBOL_EXISTS(ERR_remove_thread_state "openssl/err.h" | ||||
|                            HAVE_ERR_remove_thread_state) | ||||
|        CHECK_SYMBOL_EXISTS(EVP_aes_128_ctr "openssl/evp.h" | ||||
| @@ -150,8 +161,10 @@ MACRO (MYSQL_CHECK_SSL)
 | ||||
|                            HAVE_EncryptAes128Gcm) | ||||
|        CHECK_SYMBOL_EXISTS(X509_check_host "openssl/x509v3.h" | ||||
|                            HAVE_X509_check_host) | ||||
| -      SET(CMAKE_REQUIRED_INCLUDES)
 | ||||
| -      SET(CMAKE_REQUIRED_LIBRARIES)
 | ||||
| +
 | ||||
| +      FOREACH(x INCLUDES LIBRARIES DEFINITIONS)
 | ||||
| +        SET(CMAKE_REQUIRED_${x} ${SAVE_CMAKE_REQUIRED_${x}})
 | ||||
| +      ENDFOREACH()
 | ||||
|      ELSE() | ||||
|        IF(WITH_SSL STREQUAL "system") | ||||
|          MESSAGE(FATAL_ERROR "Cannot find appropriate system libraries for SSL. Use WITH_SSL=bundled to enable SSL support") | ||||
| diff -up mariadb-10.5.12-downstream_modified/include/ssl_compat.h.patch16 mariadb-10.5.12-downstream_modified/include/ssl_compat.h
 | ||||
| --- mariadb-10.5.12-downstream_modified/include/ssl_compat.h.patch16	2021-08-03 10:29:07.000000000 +0200
 | ||||
| +++ mariadb-10.5.12-downstream_modified/include/ssl_compat.h	2021-11-18 16:58:41.552440737 +0100
 | ||||
| @@ -24,7 +24,7 @@
 | ||||
|  #define SSL_LIBRARY OpenSSL_version(OPENSSL_VERSION) | ||||
|  #define ERR_remove_state(X) ERR_clear_error() | ||||
|  #define EVP_CIPHER_CTX_SIZE 176 | ||||
| -#define EVP_MD_CTX_SIZE 48
 | ||||
| +#define EVP_MD_CTX_SIZE 72
 | ||||
|  #undef EVP_MD_CTX_init | ||||
|  #define EVP_MD_CTX_init(X) do { memset((X), 0, EVP_MD_CTX_SIZE); EVP_MD_CTX_reset(X); } while(0) | ||||
|  #undef EVP_CIPHER_CTX_init | ||||
| @@ -74,7 +74,6 @@
 | ||||
|  #define DH_set0_pqg(D,P,Q,G)            ((D)->p= (P), (D)->g= (G)) | ||||
|  #endif | ||||
|   | ||||
| -#define EVP_CIPHER_CTX_buf_noconst(ctx) ((ctx)->buf)
 | ||||
|  #define EVP_CIPHER_CTX_encrypting(ctx)  ((ctx)->encrypt) | ||||
|  #define EVP_CIPHER_CTX_SIZE             sizeof(EVP_CIPHER_CTX) | ||||
|   | ||||
| diff -up mariadb-10.5.12-downstream_modified/mysql-test/lib/openssl.cnf.patch16 mariadb-10.5.12-downstream_modified/mysql-test/lib/openssl.cnf
 | ||||
| --- mariadb-10.5.12-downstream_modified/mysql-test/lib/openssl.cnf.patch16	2021-08-03 10:29:07.000000000 +0200
 | ||||
| +++ mariadb-10.5.12-downstream_modified/mysql-test/lib/openssl.cnf	2021-11-18 16:58:41.552440737 +0100
 | ||||
| @@ -9,4 +9,4 @@ ssl_conf = ssl_section
 | ||||
|  system_default = system_default_section | ||||
|   | ||||
|  [system_default_section] | ||||
| -CipherString = ALL:@SECLEVEL=1
 | ||||
| +CipherString = ALL:@SECLEVEL=0
 | ||||
| diff -up mariadb-10.5.12-downstream_modified/mysql-test/main/ssl_cipher.result.patch16 mariadb-10.5.12-downstream_modified/mysql-test/main/ssl_cipher.result
 | ||||
| --- mariadb-10.5.12-downstream_modified/mysql-test/main/ssl_cipher.result.patch16	2021-08-03 10:29:08.000000000 +0200
 | ||||
| +++ mariadb-10.5.12-downstream_modified/mysql-test/main/ssl_cipher.result	2021-11-18 16:58:41.552440737 +0100
 | ||||
| @@ -61,8 +61,8 @@ connect  ssl_con,localhost,root,,,,,SSL;
 | ||||
|  SHOW STATUS LIKE 'Ssl_cipher'; | ||||
|  Variable_name	Value | ||||
|  Ssl_cipher	AES128-SHA | ||||
| -SHOW STATUS LIKE 'Ssl_cipher_list';
 | ||||
| -Variable_name	Value
 | ||||
| -Ssl_cipher_list	AES128-SHA
 | ||||
| +SELECT VARIABLE_VALUE like '%AES128-SHA%' FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher_list';
 | ||||
| +VARIABLE_VALUE like '%AES128-SHA%'
 | ||||
| +1
 | ||||
|  disconnect ssl_con; | ||||
|  connection default; | ||||
| diff -up mariadb-10.5.12-downstream_modified/mysql-test/main/ssl_cipher.test.patch16 mariadb-10.5.12-downstream_modified/mysql-test/main/ssl_cipher.test
 | ||||
| --- mariadb-10.5.12-downstream_modified/mysql-test/main/ssl_cipher.test.patch16	2021-11-18 16:58:41.552440737 +0100
 | ||||
| +++ mariadb-10.5.12-downstream_modified/mysql-test/main/ssl_cipher.test	2021-11-18 17:00:47.753839711 +0100
 | ||||
| @@ -100,6 +100,6 @@ connect (ssl_con,localhost,root,,,,,SSL)
 | ||||
|  --replace_regex /TLS_AES_.*/AES128-SHA/ | ||||
|  SHOW STATUS LIKE 'Ssl_cipher'; | ||||
|  --replace_regex /TLS_AES_.*/AES128-SHA/ | ||||
| -SHOW STATUS LIKE 'Ssl_cipher_list';
 | ||||
| +SELECT VARIABLE_VALUE like '%AES128-SHA%' FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher_list';
 | ||||
|  disconnect ssl_con; | ||||
|  connection default; | ||||
| diff -up mariadb-10.5.12-downstream_modified/mysys_ssl/my_crypt.cc.patch16 mariadb-10.5.12-downstream_modified/mysys_ssl/my_crypt.cc
 | ||||
| --- mariadb-10.5.12-downstream_modified/mysys_ssl/my_crypt.cc.patch16	2021-08-03 10:29:08.000000000 +0200
 | ||||
| +++ mariadb-10.5.12-downstream_modified/mysys_ssl/my_crypt.cc	2021-11-18 16:58:41.552440737 +0100
 | ||||
| @@ -29,11 +29,7 @@
 | ||||
|  #include <ssl_compat.h> | ||||
|  #include <cstdint> | ||||
|   | ||||
| -#ifdef HAVE_WOLFSSL
 | ||||
|  #define CTX_ALIGN 16 | ||||
| -#else
 | ||||
| -#define CTX_ALIGN 0
 | ||||
| -#endif
 | ||||
|   | ||||
|  class MyCTX | ||||
|  { | ||||
| @@ -100,8 +96,9 @@ class MyCTX_nopad : public MyCTX
 | ||||
|  { | ||||
|  public: | ||||
|    const uchar *key; | ||||
| -  uint klen, buf_len;
 | ||||
| +  uint klen, source_tail_len;
 | ||||
|    uchar oiv[MY_AES_BLOCK_SIZE]; | ||||
| +  uchar source_tail[MY_AES_BLOCK_SIZE];
 | ||||
|   | ||||
|    MyCTX_nopad() : MyCTX() { } | ||||
|    ~MyCTX_nopad() { } | ||||
| @@ -112,7 +109,7 @@ public:
 | ||||
|      compile_time_assert(MY_AES_CTX_SIZE >= sizeof(MyCTX_nopad)); | ||||
|      this->key= key; | ||||
|      this->klen= klen; | ||||
| -    this->buf_len= 0;
 | ||||
| +    this->source_tail_len= 0;
 | ||||
|      if (ivlen) | ||||
|        memcpy(oiv, iv, ivlen); | ||||
|      DBUG_ASSERT(ivlen == 0 || ivlen == sizeof(oiv)); | ||||
| @@ -123,26 +120,41 @@ public:
 | ||||
|      return res; | ||||
|    } | ||||
|   | ||||
| +  /** Update last partial source block, stored in source_tail array. */
 | ||||
| +  void update_source_tail(const uchar* src, uint slen)
 | ||||
| +  {
 | ||||
| +    if (!slen)
 | ||||
| +      return;
 | ||||
| +    uint new_tail_len= (source_tail_len + slen) % MY_AES_BLOCK_SIZE;
 | ||||
| +    if (new_tail_len)
 | ||||
| +    {
 | ||||
| +      if (slen + source_tail_len < MY_AES_BLOCK_SIZE)
 | ||||
| +      {
 | ||||
| +        memcpy(source_tail + source_tail_len, src, slen);
 | ||||
| +      }
 | ||||
| +      else
 | ||||
| +      {
 | ||||
| +        DBUG_ASSERT(slen > new_tail_len);
 | ||||
| +        memcpy(source_tail, src + slen - new_tail_len, new_tail_len);
 | ||||
| +      }
 | ||||
| +    }
 | ||||
| +    source_tail_len= new_tail_len;
 | ||||
| +  }
 | ||||
| +
 | ||||
|    int update(const uchar *src, uint slen, uchar *dst, uint *dlen) | ||||
|    { | ||||
| -    buf_len+= slen;
 | ||||
| +    update_source_tail(src, slen);
 | ||||
|      return MyCTX::update(src, slen, dst, dlen); | ||||
|    } | ||||
|   | ||||
|    int finish(uchar *dst, uint *dlen) | ||||
|    { | ||||
| -    buf_len %= MY_AES_BLOCK_SIZE;
 | ||||
| -    if (buf_len)
 | ||||
| +    if (source_tail_len)
 | ||||
|      { | ||||
| -      uchar *buf= EVP_CIPHER_CTX_buf_noconst(ctx);
 | ||||
|        /* | ||||
|          Not much we can do, block ciphers cannot encrypt data that aren't | ||||
|          a multiple of the block length. At least not without padding. | ||||
|          Let's do something CTR-like for the last partial block. | ||||
| -
 | ||||
| -        NOTE this assumes that there are only buf_len bytes in the buf.
 | ||||
| -        If OpenSSL will change that, we'll need to change the implementation
 | ||||
| -        of this class too.
 | ||||
|        */ | ||||
|        uchar mask[MY_AES_BLOCK_SIZE]; | ||||
|        uint mlen; | ||||
| @@ -154,10 +166,10 @@ public:
 | ||||
|          return rc; | ||||
|        DBUG_ASSERT(mlen == sizeof(mask)); | ||||
|   | ||||
| -      for (uint i=0; i < buf_len; i++)
 | ||||
| -        dst[i]= buf[i] ^ mask[i];
 | ||||
| +      for (uint i=0; i < source_tail_len; i++)
 | ||||
| +        dst[i]= source_tail[i] ^ mask[i];
 | ||||
|      } | ||||
| -    *dlen= buf_len;
 | ||||
| +    *dlen= source_tail_len;
 | ||||
|      return MY_AES_OK; | ||||
|    } | ||||
|  }; | ||||
| diff -up mariadb-10.5.12-downstream_modified/unittest/mysys/aes-t.c.patch16 mariadb-10.5.12-downstream_modified/unittest/mysys/aes-t.c
 | ||||
| --- mariadb-10.5.12-downstream_modified/unittest/mysys/aes-t.c.patch16	2021-08-03 10:29:10.000000000 +0200
 | ||||
| +++ mariadb-10.5.12-downstream_modified/unittest/mysys/aes-t.c	2021-11-18 16:58:41.553440740 +0100
 | ||||
| @@ -21,27 +21,96 @@
 | ||||
|  #include <string.h> | ||||
|  #include <ctype.h> | ||||
|   | ||||
| -#define DO_TEST(mode, nopad, slen, fill, dlen, hash)                    \
 | ||||
| -  SKIP_BLOCK_IF(mode == 0xDEADBEAF, nopad ? 4 : 5, #mode " not supported")     \
 | ||||
| -  {                                                                     \
 | ||||
| -    memset(src, fill, src_len= slen);                                   \
 | ||||
| -    ok(my_aes_crypt(mode, nopad | ENCRYPTION_FLAG_ENCRYPT,              \
 | ||||
| -                    src, src_len, dst, &dst_len,                        \
 | ||||
| -                    key, sizeof(key), iv, sizeof(iv)) == MY_AES_OK,     \
 | ||||
| -      "encrypt " #mode " %u %s", src_len, nopad ? "nopad" : "pad");     \
 | ||||
| -    if (!nopad)                                                         \
 | ||||
| -      ok (dst_len == my_aes_get_size(mode, src_len), "my_aes_get_size");\
 | ||||
| -    my_md5(md5, (char*)dst, dst_len);                                   \
 | ||||
| -    ok(dst_len == dlen && memcmp(md5, hash, sizeof(md5)) == 0, "md5");  \
 | ||||
| -    ok(my_aes_crypt(mode, nopad | ENCRYPTION_FLAG_DECRYPT,              \
 | ||||
| -                    dst, dst_len, ddst, &ddst_len,                      \
 | ||||
| -                    key, sizeof(key), iv, sizeof(iv)) == MY_AES_OK,     \
 | ||||
| -       "decrypt " #mode " %u", dst_len);                                \
 | ||||
| -    ok(ddst_len == src_len && memcmp(src, ddst, src_len) == 0, "memcmp"); \
 | ||||
| +
 | ||||
| +/** Test streaming encryption, bytewise update.*/
 | ||||
| +static int aes_crypt_bytewise(enum my_aes_mode mode, int flags, const unsigned char *src,
 | ||||
| +                 unsigned int slen, unsigned char *dst, unsigned int *dlen,
 | ||||
| +                 const unsigned char *key, unsigned int klen,
 | ||||
| +                 const unsigned char *iv, unsigned int ivlen)
 | ||||
| +{
 | ||||
| +  /* Allocate context on odd address on stack, in order to
 | ||||
| +   catch misalignment errors.*/
 | ||||
| +  void *ctx= (char *)alloca(MY_AES_CTX_SIZE+1)+1;
 | ||||
| +
 | ||||
| +  int res1, res2;
 | ||||
| +  uint d1= 0, d2;
 | ||||
| +  uint i;
 | ||||
| +
 | ||||
| +  if ((res1= my_aes_crypt_init(ctx, mode, flags, key, klen, iv, ivlen)))
 | ||||
| +    return res1;
 | ||||
| +  for (i= 0; i < slen; i++)
 | ||||
| +  {
 | ||||
| +    uint tmp_d1=0;
 | ||||
| +    res1= my_aes_crypt_update(ctx, src+i,1, dst, &tmp_d1);
 | ||||
| +    if (res1)
 | ||||
| +      return res1;
 | ||||
| +    d1+= tmp_d1;
 | ||||
| +    dst+= tmp_d1;
 | ||||
| +  }
 | ||||
| +  res2= my_aes_crypt_finish(ctx, dst, &d2);
 | ||||
| +  *dlen= d1 + d2;
 | ||||
| +  return res1 ? res1 : res2;
 | ||||
| +}
 | ||||
| +
 | ||||
| +
 | ||||
| +#ifndef HAVE_EncryptAes128Ctr
 | ||||
| +const uint MY_AES_CTR=0xDEADBEAF;
 | ||||
| +#endif
 | ||||
| +#ifndef HAVE_EncryptAes128Gcm
 | ||||
| +const uint MY_AES_GCM=0xDEADBEAF;
 | ||||
| +#endif
 | ||||
| +
 | ||||
| +#define MY_AES_UNSUPPORTED(x)  (x == 0xDEADBEAF)
 | ||||
| +
 | ||||
| +static void do_test(uint mode, const char *mode_str, int nopad, uint slen,
 | ||||
| +                    char fill, size_t dlen, const char *hash)
 | ||||
| +{
 | ||||
| +  uchar key[16]= {1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 5, 6};
 | ||||
| +  uchar iv[16]= {2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 5, 6, 7};
 | ||||
| +  uchar src[1000], dst[1100], dst2[1100], ddst[1000];
 | ||||
| +  uchar md5[MY_MD5_HASH_SIZE];
 | ||||
| +  uint src_len, dst_len, dst_len2, ddst_len;
 | ||||
| +  int result;
 | ||||
| +
 | ||||
| +  if (MY_AES_UNSUPPORTED(mode))
 | ||||
| +  {
 | ||||
| +    skip(nopad?7:6, "%s not supported", mode_str);
 | ||||
| +    return;
 | ||||
| +  }
 | ||||
| +  memset(src, fill, src_len= slen);
 | ||||
| +  result= my_aes_crypt(mode, nopad | ENCRYPTION_FLAG_ENCRYPT, src, src_len,
 | ||||
| +                       dst, &dst_len, key, sizeof(key), iv, sizeof(iv));
 | ||||
| +  ok(result == MY_AES_OK, "encrypt %s %u %s", mode_str, src_len,
 | ||||
| +     nopad ? "nopad" : "pad");
 | ||||
| +
 | ||||
| +  if (nopad)
 | ||||
| +  {
 | ||||
| +    result= aes_crypt_bytewise(mode, nopad | ENCRYPTION_FLAG_ENCRYPT, src,
 | ||||
| +                                src_len, dst2, &dst_len2, key, sizeof(key),
 | ||||
| +                                iv, sizeof(iv));
 | ||||
| +    ok(result == MY_AES_OK, "encrypt bytewise %s %u", mode_str, src_len);
 | ||||
| +    /* Compare with non-bytewise encryption result*/
 | ||||
| +    ok(dst_len == dst_len2 && memcmp(dst, dst2, dst_len) == 0,
 | ||||
| +       "memcmp bytewise  %s %u", mode_str, src_len);
 | ||||
|    } | ||||
| +  else
 | ||||
| +  {
 | ||||
| +    int dst_len_real= my_aes_get_size(mode, src_len);
 | ||||
| +    ok(dst_len_real= dst_len, "my_aes_get_size");
 | ||||
| +  }
 | ||||
| +  my_md5(md5, (char *) dst, dst_len);
 | ||||
| +  ok(dst_len == dlen, "md5 len");
 | ||||
| +  ok(memcmp(md5, hash, sizeof(md5)) == 0, "md5");
 | ||||
| +  result= my_aes_crypt(mode, nopad | ENCRYPTION_FLAG_DECRYPT,
 | ||||
| +                       dst, dst_len, ddst, &ddst_len, key, sizeof(key), iv,
 | ||||
| +                       sizeof(iv));
 | ||||
| +
 | ||||
| +  ok(result == MY_AES_OK, "decrypt %s %u", mode_str, dst_len);
 | ||||
| +  ok(ddst_len == src_len && memcmp(src, ddst, src_len) == 0, "memcmp");
 | ||||
| +}
 | ||||
|   | ||||
| -#define DO_TEST_P(M,S,F,D,H) DO_TEST(M,0,S,F,D,H)
 | ||||
| -#define DO_TEST_N(M,S,F,D,H) DO_TEST(M,ENCRYPTION_FLAG_NOPAD,S,F,D,H)
 | ||||
| +#define DO_TEST_P(M, S, F, D, H) do_test(M, #M, 0, S, F, D, H)
 | ||||
| +#define DO_TEST_N(M, S, F, D, H) do_test(M, #M, ENCRYPTION_FLAG_NOPAD, S, F, D, H)
 | ||||
|   | ||||
|  /* useful macro for debugging */ | ||||
|  #define PRINT_MD5()                                     \ | ||||
| @@ -53,25 +122,15 @@
 | ||||
|      printf("\"\n");                                     \ | ||||
|    } while(0); | ||||
|   | ||||
| -#ifndef HAVE_EncryptAes128Ctr
 | ||||
| -const uint MY_AES_CTR=0xDEADBEAF;
 | ||||
| -#endif
 | ||||
| -#ifndef HAVE_EncryptAes128Gcm
 | ||||
| -const uint MY_AES_GCM=0xDEADBEAF;
 | ||||
| -#endif
 | ||||
|   | ||||
|  int | ||||
|  main(int argc __attribute__((unused)),char *argv[]) | ||||
|  { | ||||
| -  uchar key[16]= {1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6};
 | ||||
| -  uchar iv[16]=  {2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7};
 | ||||
| -  uchar src[1000], dst[1100], ddst[1000];
 | ||||
| -  uchar md5[MY_MD5_HASH_SIZE];
 | ||||
| -  uint src_len, dst_len, ddst_len;
 | ||||
|   | ||||
|    MY_INIT(argv[0]); | ||||
|   | ||||
| -  plan(87);
 | ||||
| +  plan(122);
 | ||||
| +
 | ||||
|    DO_TEST_P(MY_AES_ECB, 200, '.', 208, "\xd8\x73\x8e\x3a\xbc\x66\x99\x13\x7f\x90\x23\x52\xee\x97\x6f\x9a"); | ||||
|    DO_TEST_P(MY_AES_ECB, 128, '?', 144, "\x19\x58\x33\x85\x4c\xaa\x7f\x06\xd1\xb2\xec\xd7\xb7\x6a\xa9\x5b"); | ||||
|    DO_TEST_P(MY_AES_CBC, 159, '%', 160, "\x4b\x03\x18\x3d\xf1\xa7\xcd\xa1\x46\xb3\xc6\x8a\x92\xc0\x0f\xc9"); | ||||
| 
 | ||||
| 
 | ||||
| 
 | ||||
| MariaDB before 10.8 series does not contain the OpenSSL 3 patch on the upstream. | ||||
| MariaDB upstream later added the following condition: | ||||
| https://github.com/MariaDB/server/commit/c9beef4315 | ||||
| limiting the OpenSSL that can be used to < 3. and reverted this commit for 10.8 and later: | ||||
| https://github.com/MariaDB/server/commit/64e358821e | ||||
| 
 | ||||
| Since we apply the OpenSSL 3 patch from MariaDB 10.8 series to earlier series, we need to revert this commit | ||||
| on those earlier series too. | ||||
| 
 | ||||
| --- mariadb-10.5.15-downstream_modified/cmake/ssl.cmake	2022-02-22 05:13:17.259097302 +0100
 | ||||
| +++ mariadb-10.5.15-downstream_modified/cmake/ssl.cmake_patched	2022-02-23 07:22:20.290082378 +0100
 | ||||
| @@ -118,7 +118,7 @@ MACRO (MYSQL_CHECK_SSL)
 | ||||
|      ENDIF() | ||||
|      FIND_PACKAGE(OpenSSL) | ||||
|      SET_PACKAGE_PROPERTIES(OpenSSL PROPERTIES TYPE RECOMMENDED) | ||||
| -    IF(OPENSSL_FOUND AND OPENSSL_VERSION AND OPENSSL_VERSION VERSION_LESS "3.0.0")
 | ||||
| +    IF(OPENSSL_FOUND)
 | ||||
|        SET(OPENSSL_LIBRARY ${OPENSSL_SSL_LIBRARY}) | ||||
|        INCLUDE(CheckSymbolExists) | ||||
|        SET(SSL_SOURCES "") | ||||
							
								
								
									
										27
									
								
								mariadb.spec
									
									
									
									
									
								
							
							
						
						
									
										27
									
								
								mariadb.spec
									
									
									
									
									
								
							| @ -11,7 +11,7 @@ | ||||
| # The last version on which the full testsuite has been run | ||||
| # In case of further rebuilds of that version, don't require full testsuite to be run | ||||
| # run only "main" suite | ||||
| %global last_tested_version 10.5.16 | ||||
| %global last_tested_version 10.5.18 | ||||
| # Set to 1 to force run the testsuite even if it was already tested in current version | ||||
| %global force_run_testsuite 0 | ||||
| 
 | ||||
| @ -149,8 +149,8 @@ | ||||
| %global sameevr   %{epoch}:%{version}-%{release} | ||||
| 
 | ||||
| Name:             mariadb | ||||
| Version:          10.5.16 | ||||
| Release:          3%{?with_debug:.debug}%{?dist} | ||||
| Version:          10.5.18 | ||||
| Release:          1%{?with_debug:.debug}%{?dist} | ||||
| Epoch:            3 | ||||
| 
 | ||||
| Summary:          A very fast and robust SQL database server | ||||
| @ -209,12 +209,6 @@ Patch7:           %{pkgnamepatch}-scripts.patch | ||||
| Patch9:           %{pkgnamepatch}-ownsetup.patch | ||||
| #   Patch10: Fix cipher name in the SSL Cipher name test | ||||
| Patch10:          %{pkgnamepatch}-ssl-cipher-tests.patch | ||||
| #   Patch12: OpenSSL 3 patch | ||||
| #   Picked from the upstream developement branch for MariaDB 10.8. | ||||
| #   https://jira.mariadb.org/browse/MDEV-25785 | ||||
| Patch12:           %{pkgnamepatch}-openssl3.patch | ||||
| #   Patch16: Fix MD5 in FIPS mode | ||||
| Patch16:          %{pkgnamepatch}-fips.patch | ||||
| 
 | ||||
| BuildRequires:    make | ||||
| BuildRequires:    cmake gcc-c++ | ||||
| @ -740,11 +734,12 @@ rm -r storage/rocksdb/ | ||||
| %patch4 -p1 | ||||
| %patch7 -p1 | ||||
| %patch9 -p1 | ||||
| %patch10 -p1 | ||||
| %if 0%{?fedora} >= 36 || 0%{?rhel} >= 9 | ||||
| %patch12 -p1 | ||||
| %patch16 -p1 | ||||
| %endif | ||||
| # The test in Patch 10 has been recently updated by upstream | ||||
| # and the test was disabled in the testuite run | ||||
| #   main.ssl_cipher     [ disabled ]  MDEV-17184 - Failures with OpenSSL 1.1.1 | ||||
| # Keeping the patch commented out, need to revisit | ||||
| #  once the test is re-enabled by upstream  in some future release | ||||
| #%patch10 -p1 | ||||
| 
 | ||||
| # generate a list of tests that fail, but are not disabled by upstream | ||||
| cat %{SOURCE50} | tee -a mysql-test/unstable-tests | ||||
| @ -1644,6 +1639,10 @@ fi | ||||
| %endif | ||||
| 
 | ||||
| %changelog | ||||
| * Wed Nov 16 2022 Michal Schorm <mschorm@redhat.com> - 3:10.5.18-1 | ||||
| - Rebase to 10.5.18 | ||||
| - OpenSSL 3 patch upstreamed | ||||
| 
 | ||||
| * Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 3:10.5.16-3 | ||||
| - Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild | ||||
| 
 | ||||
|  | ||||
| @ -64,3 +64,8 @@ oqgraph.legacy_upgrade                       : | ||||
| oqgraph.regression_1133093                   : | ||||
| oqgraph.regression_1196036                   : | ||||
| oqgraph.regression_1213120                   : | ||||
| 
 | ||||
| # Fails on all architectures since 10.5.18 | ||||
| main.information_schema                      : | ||||
| main.loadxml                                 : | ||||
| main.lock_kill                               : | ||||
|  | ||||
		Loading…
	
		Reference in New Issue
	
	Block a user