|
 |
05db4b |
Make MySQL compile with openssl 3.x without FIPS properly implemented
|
|
|
05db4b |
|
|
|
05db4b |
This change takes some pieces from MariaDB, including compat_ssl.h and
|
|
|
05db4b |
changes in my_md5.cc.
|
|
|
05db4b |
|
|
|
05db4b |
MySQL utilizes FIPS_mode() and FIPS_mode_set() functions that are not
|
|
|
05db4b |
available in OpenSSL 3.x any more. This patch only mocks the call of
|
|
|
05db4b |
those functions, returning 0 every time, which effectively makes usage
|
|
|
05db4b |
of those functions non working. For making the MySQL build with
|
|
|
05db4b |
OpenSSL 3.x this seems to be enough though.
|
|
|
05db4b |
|
|
|
05db4b |
Resolves: #1952951
|
|
|
05db4b |
|
|
|
05db4b |
diff -rup mysql-8.0.22-orig/cmake/ssl.cmake mysql-8.0.22/cmake/ssl.cmake
|
|
|
05db4b |
--- mysql-8.0.22-orig/cmake/ssl.cmake 2021-05-19 21:36:33.161996422 +0200
|
|
|
05db4b |
+++ mysql-8.0.22/cmake/ssl.cmake 2021-05-19 23:06:54.211877057 +0200
|
|
|
05db4b |
@@ -227,8 +227,7 @@ MACRO (MYSQL_CHECK_SSL)
|
|
|
05db4b |
ENDIF()
|
|
|
05db4b |
IF(OPENSSL_INCLUDE_DIR AND
|
|
|
05db4b |
OPENSSL_LIBRARY AND
|
|
|
05db4b |
- CRYPTO_LIBRARY AND
|
|
|
05db4b |
- OPENSSL_MAJOR_VERSION STREQUAL "1"
|
|
|
05db4b |
+ CRYPTO_LIBRARY
|
|
|
05db4b |
)
|
|
|
05db4b |
SET(OPENSSL_FOUND TRUE)
|
|
|
05db4b |
FIND_PROGRAM(OPENSSL_EXECUTABLE openssl
|
|
|
05db4b |
diff -rup mysql-8.0.22-orig/include/ssl_compat.h mysql-8.0.22/include/ssl_compat.h
|
|
|
05db4b |
--- mysql-8.0.22-orig/include/ssl_compat.h 2021-05-19 23:19:36.152956356 +0200
|
|
|
05db4b |
+++ mysql-8.0.22/include/ssl_compat.h 2021-05-19 23:06:55.048885933 +0200
|
|
|
05db4b |
@@ -0,0 +1,105 @@
|
|
|
05db4b |
+/*
|
|
|
05db4b |
+ Copyright (c) 2016, 2021, MariaDB Corporation.
|
|
|
05db4b |
+
|
|
|
05db4b |
+ This program is free software; you can redistribute it and/or modify
|
|
|
05db4b |
+ it under the terms of the GNU General Public License as published by
|
|
|
05db4b |
+ the Free Software Foundation; version 2 of the License.
|
|
|
05db4b |
+
|
|
|
05db4b |
+ This program is distributed in the hope that it will be useful,
|
|
|
05db4b |
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
05db4b |
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
05db4b |
+ GNU General Public License for more details.
|
|
|
05db4b |
+
|
|
|
05db4b |
+ You should have received a copy of the GNU General Public License
|
|
|
05db4b |
+ along with this program; if not, write to the Free Software
|
|
|
05db4b |
+ Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */
|
|
|
05db4b |
+
|
|
|
05db4b |
+#include <openssl/opensslv.h>
|
|
|
05db4b |
+
|
|
|
05db4b |
+/* OpenSSL version specific definitions */
|
|
|
05db4b |
+#if defined(OPENSSL_VERSION_NUMBER)
|
|
|
05db4b |
+
|
|
|
05db4b |
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
|
|
|
05db4b |
+#define HAVE_OPENSSL11 1
|
|
|
05db4b |
+#define SSL_LIBRARY OpenSSL_version(OPENSSL_VERSION)
|
|
|
05db4b |
+#define ERR_remove_state(X) ERR_clear_error()
|
|
|
05db4b |
+#define EVP_CIPHER_CTX_SIZE 176
|
|
|
05db4b |
+#define EVP_MD_CTX_SIZE 48
|
|
|
05db4b |
+#undef EVP_MD_CTX_init
|
|
|
05db4b |
+#define EVP_MD_CTX_init(X) do { memset((X), 0, EVP_MD_CTX_SIZE); EVP_MD_CTX_reset(X); } while(0)
|
|
|
05db4b |
+#undef EVP_CIPHER_CTX_init
|
|
|
05db4b |
+#define EVP_CIPHER_CTX_init(X) do { memset((X), 0, EVP_CIPHER_CTX_SIZE); EVP_CIPHER_CTX_reset(X); } while(0)
|
|
|
05db4b |
+
|
|
|
05db4b |
+/*
|
|
|
05db4b |
+ Macros below are deprecated. OpenSSL 1.1 may define them or not,
|
|
|
05db4b |
+ depending on how it was built.
|
|
|
05db4b |
+*/
|
|
|
05db4b |
+#undef ERR_free_strings
|
|
|
05db4b |
+#define ERR_free_strings()
|
|
|
05db4b |
+#undef EVP_cleanup
|
|
|
05db4b |
+#define EVP_cleanup()
|
|
|
05db4b |
+#undef CRYPTO_cleanup_all_ex_data
|
|
|
05db4b |
+#define CRYPTO_cleanup_all_ex_data()
|
|
|
05db4b |
+#undef SSL_load_error_strings
|
|
|
05db4b |
+#define SSL_load_error_strings()
|
|
|
05db4b |
+
|
|
|
05db4b |
+#else
|
|
|
05db4b |
+#define HAVE_OPENSSL10 1
|
|
|
05db4b |
+#ifdef HAVE_WOLFSSL
|
|
|
05db4b |
+#define SSL_LIBRARY "WolfSSL " WOLFSSL_VERSION
|
|
|
05db4b |
+#else
|
|
|
05db4b |
+#define SSL_LIBRARY SSLeay_version(SSLEAY_VERSION)
|
|
|
05db4b |
+#endif
|
|
|
05db4b |
+
|
|
|
05db4b |
+#ifdef HAVE_WOLFSSL
|
|
|
05db4b |
+#undef ERR_remove_state
|
|
|
05db4b |
+#define ERR_remove_state(x) do {} while(0)
|
|
|
05db4b |
+#elif defined (HAVE_ERR_remove_thread_state)
|
|
|
05db4b |
+#define ERR_remove_state(X) ERR_remove_thread_state(NULL)
|
|
|
05db4b |
+#endif /* HAVE_ERR_remove_thread_state */
|
|
|
05db4b |
+
|
|
|
05db4b |
+#endif /* HAVE_OPENSSL11 */
|
|
|
05db4b |
+#endif
|
|
|
05db4b |
+
|
|
|
05db4b |
+#ifdef HAVE_WOLFSSL
|
|
|
05db4b |
+#define EVP_MD_CTX_SIZE sizeof(wc_Md5)
|
|
|
05db4b |
+#endif
|
|
|
05db4b |
+
|
|
|
05db4b |
+#ifndef HAVE_OPENSSL11
|
|
|
05db4b |
+#ifndef ASN1_STRING_get0_data
|
|
|
05db4b |
+#define ASN1_STRING_get0_data(X) ASN1_STRING_data(X)
|
|
|
05db4b |
+#endif
|
|
|
05db4b |
+#ifndef EVP_MD_CTX_SIZE
|
|
|
05db4b |
+#define EVP_MD_CTX_SIZE sizeof(EVP_MD_CTX)
|
|
|
05db4b |
+#endif
|
|
|
05db4b |
+
|
|
|
05db4b |
+#define DH_set0_pqg(D,P,Q,G) ((D)->p= (P), (D)->g= (G))
|
|
|
05db4b |
+#define EVP_CIPHER_CTX_buf_noconst(ctx) ((ctx)->buf)
|
|
|
05db4b |
+#define EVP_CIPHER_CTX_encrypting(ctx) ((ctx)->encrypt)
|
|
|
05db4b |
+#define EVP_CIPHER_CTX_SIZE sizeof(EVP_CIPHER_CTX)
|
|
|
05db4b |
+
|
|
|
05db4b |
+#ifndef HAVE_WOLFSSL
|
|
|
05db4b |
+#define OPENSSL_init_ssl(X,Y) SSL_library_init()
|
|
|
05db4b |
+#define EVP_MD_CTX_reset(X) EVP_MD_CTX_cleanup(X)
|
|
|
05db4b |
+#define EVP_CIPHER_CTX_reset(X) EVP_CIPHER_CTX_cleanup(X)
|
|
|
05db4b |
+#define X509_get0_notBefore(X) X509_get_notBefore(X)
|
|
|
05db4b |
+#define X509_get0_notAfter(X) X509_get_notAfter(X)
|
|
|
05db4b |
+#endif
|
|
|
05db4b |
+#endif
|
|
|
05db4b |
+
|
|
|
05db4b |
+#ifndef TLS1_3_VERSION
|
|
|
05db4b |
+//#define SSL_CTX_set_ciphersuites(X,Y) 0
|
|
|
05db4b |
+#endif
|
|
|
05db4b |
+
|
|
|
05db4b |
+#ifdef __cplusplus
|
|
|
05db4b |
+extern "C" {
|
|
|
05db4b |
+#endif /* __cplusplus */
|
|
|
05db4b |
+
|
|
|
05db4b |
+int check_openssl_compatibility();
|
|
|
05db4b |
+
|
|
|
05db4b |
+#define FIPS_mode_set(X) 0
|
|
|
05db4b |
+#define FIPS_mode() 0
|
|
|
05db4b |
+
|
|
|
05db4b |
+#ifdef __cplusplus
|
|
|
05db4b |
+}
|
|
|
05db4b |
+#endif
|
|
|
05db4b |
diff -rup mysql-8.0.22-orig/mysys/my_md5.cc mysql-8.0.22/mysys/my_md5.cc
|
|
|
05db4b |
--- mysql-8.0.22-orig/mysys/my_md5.cc 2021-05-19 21:36:31.738980913 +0200
|
|
|
05db4b |
+++ mysql-8.0.22/mysys/my_md5.cc 2021-05-19 23:13:41.380194493 +0200
|
|
|
05db4b |
@@ -34,13 +34,12 @@
|
|
|
05db4b |
|
|
|
05db4b |
#include <openssl/crypto.h>
|
|
|
05db4b |
#include <openssl/md5.h>
|
|
|
05db4b |
+#include <openssl/evp.h>
|
|
|
05db4b |
+#include <ssl_compat.h>
|
|
|
05db4b |
|
|
|
05db4b |
static void my_md5_hash(unsigned char *digest, unsigned const char *buf,
|
|
|
05db4b |
int len) {
|
|
|
05db4b |
- MD5_CTX ctx;
|
|
|
05db4b |
- MD5_Init(&ctx;;
|
|
|
05db4b |
- MD5_Update(&ctx, buf, len);
|
|
|
05db4b |
- MD5_Final(digest, &ctx;;
|
|
|
05db4b |
+ MD5(buf, len, digest);
|
|
|
05db4b |
}
|
|
|
05db4b |
|
|
|
05db4b |
/**
|
|
|
05db4b |
diff -Naurp mysql-8.0.27/plugin/group_replication/libmysqlgcs/src/bindings/xcom/xcom/network/xcom_network_provider_ssl_native_lib.cc*
|
|
|
05db4b |
--- mysql-8.0.27/plugin/group_replication/libmysqlgcs/src/bindings/xcom/xcom/network/xcom_network_provider_ssl_native_lib.cc 2021-09-28 13:46:34.000000000 +0200
|
|
|
05db4b |
+++ mysql-8.0.27/plugin/group_replication/libmysqlgcs/src/bindings/xcom/xcom/network/xcom_network_provider_ssl_native_lib.cc_patched 2021-10-31 10:57:37.865934624 +0100
|
|
|
05db4b |
@@ -30,6 +30,7 @@
|
|
|
05db4b |
#include <assert.h>
|
|
|
05db4b |
#include <stdlib.h>
|
|
|
05db4b |
|
|
|
05db4b |
+#include <openssl/crypto.h>
|
|
|
05db4b |
#include <openssl/dh.h>
|
|
|
05db4b |
#include <openssl/opensslv.h>
|
|
|
05db4b |
#include <openssl/x509v3.h>
|
|
|
05db4b |
@@ -39,6 +40,7 @@
|
|
|
05db4b |
#endif
|
|
|
05db4b |
|
|
|
05db4b |
#include "openssl/engine.h"
|
|
|
05db4b |
+#include <ssl_compat.h>
|
|
|
05db4b |
|
|
|
05db4b |
#include "xcom/task_debug.h"
|
|
|
05db4b |
#include "xcom/x_platform.h"
|
|
|
05db4b |
diff -rup mysql-8.0.22-orig/plugin/x/client/xconnection_impl.cc mysql-8.0.22/plugin/x/client/xconnection_impl.cc
|
|
|
05db4b |
--- mysql-8.0.22-orig/plugin/x/client/xconnection_impl.cc 2021-05-19 21:36:14.388791818 +0200
|
|
|
05db4b |
+++ mysql-8.0.22/plugin/x/client/xconnection_impl.cc 2021-05-19 23:06:55.049885943 +0200
|
|
|
05db4b |
@@ -31,6 +31,7 @@
|
|
|
05db4b |
#ifdef HAVE_NETINET_IN_H
|
|
|
05db4b |
#include <netinet/in.h>
|
|
|
05db4b |
#endif // HAVE_NETINET_IN_H
|
|
|
05db4b |
+#include <openssl/crypto.h>
|
|
|
05db4b |
#include <openssl/x509v3.h>
|
|
|
05db4b |
#include <cassert>
|
|
|
05db4b |
#include <chrono> // NOLINT(build/c++11)
|
|
|
05db4b |
@@ -38,6 +39,7 @@
|
|
|
05db4b |
#include <limits>
|
|
|
05db4b |
#include <sstream>
|
|
|
05db4b |
#include <string>
|
|
|
05db4b |
+#include <ssl_compat.h>
|
|
|
05db4b |
|
|
|
05db4b |
#include "errmsg.h" // NOLINT(build/include_subdir)
|
|
|
05db4b |
#include "my_config.h" // NOLINT(build/include_subdir)
|
|
|
05db4b |
diff -rup mysql-8.0.22-orig/vio/viosslfactories.cc mysql-8.0.22/vio/viosslfactories.cc
|
|
|
05db4b |
--- mysql-8.0.22-orig/vio/viosslfactories.cc 2021-05-19 21:36:33.310998046 +0200
|
|
|
05db4b |
+++ mysql-8.0.22/vio/viosslfactories.cc 2021-05-19 23:06:55.049885943 +0200
|
|
|
05db4b |
@@ -39,7 +39,9 @@
|
|
|
05db4b |
#include "mysys_err.h"
|
|
|
05db4b |
#include "vio/vio_priv.h"
|
|
|
05db4b |
|
|
|
05db4b |
+#include <openssl/crypto.h>
|
|
|
05db4b |
#include <openssl/dh.h>
|
|
|
05db4b |
+#include <ssl_compat.h>
|
|
|
05db4b |
|
|
|
05db4b |
#if OPENSSL_VERSION_NUMBER < 0x10002000L
|
|
|
05db4b |
#include <openssl/ec.h>
|