2 files changed, 382 insertions, 0 deletions
diff --git a/meta-oe/recipes-dbs/mysql/mariadb.inc b/meta-oe/recipes-dbs/mysql/mariadb.inc
index 81a7859323..51e6ddbf71 100644
--- a/meta-oe/recipes-dbs/mysql/mariadb.inc
+++ b/meta-oe/recipes-dbs/mysql/mariadb.inc
@@ -20,6 +20,7 @@ SRC_URI = "https://archive.mariadb.org/${BP}/source/${BP}.tar.gz \
           file://ssize_t.patch \
           file://mm_malloc.patch \
           file://sys_futex.patch \
+           file://0001-MDEV-25785-Add-support-for-OpenSSL-3.0.patch \
          "
 SRC_URI:append:libc-musl = " file://ppc-remove-glibc-dep.patch"
diff --git a/meta-oe/recipes-dbs/mysql/mariadb/0001-MDEV-25785-Add-support-for-OpenSSL-3.0.patch b/meta-oe/recipes-dbs/mysql/mariadb/0001-MDEV-25785-Add-support-for-OpenSSL-3.0.patch
new file mode 100644
index 0000000000..ab6811c0f5
--- /dev/null
+++ b/meta-oe/recipes-dbs/mysql/mariadb/0001-MDEV-25785-Add-support-for-OpenSSL-3.0.patch
@@ -0,0 +1,381 @@
+From 1b238e343506b43825092941d4cd294d9b866bef Mon Sep 17 00:00:00 2001
+From: Vladislav Vaintroub <wlad@mariadb.com>
+Date: Mon, 8 Nov 2021 18:48:19 +0100
+Subject: [PATCH] MDEV-25785 Add support for OpenSSL 3.0
+Summary of changes
+- MD_CTX_SIZE is increased
+- EVP_CIPHER_CTX_buf_noconst(ctx) does not work anymore, points
+  to nobody knows where. The assumption made previously was that
+  (since the function does not seem to be documented)
+  was that it points to the last partial source block.
+  Add own partial block buffer for NOPAD encryption instead
+- SECLEVEL in CipherString in openssl.cnf
+  had been downgraded to 0, from 1, to make TLSv1.0 and TLSv1.1 possible
+   (according to https://github.com/openssl/openssl/blob/openssl-3.0.0/NEWS.md
+   even though the manual for SSL_CTX_get_security_level claims that it
+   should not be necessary)
+- Workaround Ssl_cipher_list issue, it now returns TLSv1.3 ciphers,
+  in addition to what was set in --ssl-cipher
+- ctx_buf buffer now must be aligned to 16 bytes with openssl(
+  previously with WolfSSL only), ot crashes will happen
+- updated aes-t , to be better debuggable
+  using function, rather than a huge multiline macro
+  added test that does "nopad" encryption piece-wise, to test
+  replacement of EVP_CIPHER_CTX_buf_noconst
+Upstream-Status: Backport [https://github.com/MariaDB/server/commit/1b238e343506b43825092941d4cd294d9b866bef]
+Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+---
+ cmake/ssl.cmake                   |   8 ++
+ include/ssl_compat.h              |   3 +-
+ mysql-test/lib/openssl.cnf        |   2 +-
+ mysql-test/main/ssl_cipher.result |   6 +-
+ mysql-test/main/ssl_cipher.test   |   2 +-
+ mysys_ssl/my_crypt.cc             |  46 +++++++-----
+ unittest/mysys/aes-t.c            | 121 ++++++++++++++++++++++--------
+ 7 files changed, 133 insertions(+), 55 deletions(-)
+diff --git a/cmake/ssl.cmake b/cmake/ssl.cmake
+index 7c2488be8bd..1bd46bc0f39 100644
+--- a/cmake/ssl.cmake
+++ b/cmake/ssl.cmake
+@@ -139,6 +139,13 @@ MACRO (MYSQL_CHECK_SSL)
+       SET(SSL_INTERNAL_INCLUDE_DIRS "")
+       SET(SSL_DEFINES "-DHAVE_OPENSSL")
+ 
+      # Silence "deprecated in OpenSSL 3.0"
+      IF((NOT OPENSSL_VERSION) # 3.0 not determined by older cmake
+         OR NOT(OPENSSL_VERSION VERSION_LESS "3.0.0"))
+        SET(SSL_DEFINES "${SSL_DEFINES} -DOPENSSL_API_COMPAT=0x10100000L")
+        SET(CMAKE_REQUIRED_DEFINITIONS -DOPENSSL_API_COMPAT=0x10100000L)
+      ENDIF()
+
+       SET(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
+       SET(CMAKE_REQUIRED_LIBRARIES ${SSL_LIBRARIES})
+       SET(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
+@@ -152,6 +159,7 @@ MACRO (MYSQL_CHECK_SSL)
+                           HAVE_X509_check_host)
+       SET(CMAKE_REQUIRED_INCLUDES)
+       SET(CMAKE_REQUIRED_LIBRARIES)
+      SET(CMAKE_REQUIRED_DEFINITIONS)
+     ELSE()
+       IF(WITH_SSL STREQUAL "system")
+         MESSAGE(FATAL_ERROR "Cannot find appropriate system libraries for SSL. Use WITH_SSL=bundled to enable SSL support")
+diff --git a/include/ssl_compat.h b/include/ssl_compat.h
+index 9f4b6be8d95..affa9f2a448 100644
+--- a/include/ssl_compat.h
+++ b/include/ssl_compat.h
+@@ -24,7 +24,7 @@
+ #define SSL_LIBRARY OpenSSL_version(OPENSSL_VERSION)
+ #define ERR_remove_state(X) ERR_clear_error()
+ #define EVP_CIPHER_CTX_SIZE 176
+-#define EVP_MD_CTX_SIZE 48
+#define EVP_MD_CTX_SIZE 72
+ #undef EVP_MD_CTX_init
+ #define EVP_MD_CTX_init(X) do { memset((X), 0, EVP_MD_CTX_SIZE); EVP_MD_CTX_reset(X); } while(0)
+ #undef EVP_CIPHER_CTX_init
+@@ -74,7 +74,6 @@
+ #endif
+ 
+ #define DH_set0_pqg(D,P,Q,G)            ((D)->p= (P), (D)->g= (G))
+-#define EVP_CIPHER_CTX_buf_noconst(ctx) ((ctx)->buf)
+ #define EVP_CIPHER_CTX_encrypting(ctx)  ((ctx)->encrypt)
+ #define EVP_CIPHER_CTX_SIZE             sizeof(EVP_CIPHER_CTX)
+ 
+diff --git a/mysql-test/lib/openssl.cnf b/mysql-test/lib/openssl.cnf
+index b9ab37ac3a1..7cd6f748af2 100644
+--- a/mysql-test/lib/openssl.cnf
+++ b/mysql-test/lib/openssl.cnf
+@@ -9,4 +9,4 @@ ssl_conf = ssl_section
+ system_default = system_default_section
+ 
+ [system_default_section]
+-CipherString = ALL:@SECLEVEL=1
+CipherString = ALL:@SECLEVEL=0
+diff --git a/mysql-test/main/ssl_cipher.result b/mysql-test/main/ssl_cipher.result
+index 930d384eda9..66d817b7b41 100644
+--- a/mysql-test/main/ssl_cipher.result
+++ b/mysql-test/main/ssl_cipher.result
+@@ -61,8 +61,8 @@ connect  ssl_con,localhost,root,,,,,SSL;
+ SHOW STATUS LIKE 'Ssl_cipher';
+ Variable_name  Value
+ Ssl_cipher     AES128-SHA
+-SHOW STATUS LIKE 'Ssl_cipher_list';
+-Variable_name  Value
+-Ssl_cipher_list        AES128-SHA
+SELECT VARIABLE_VALUE like '%AES128-SHA%' FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher_list';
+VARIABLE_VALUE like '%AES128-SHA%'
+1
+ disconnect ssl_con;
+ connection default;
+diff --git a/mysql-test/main/ssl_cipher.test b/mysql-test/main/ssl_cipher.test
+index 36549d76d02..d4cdcffb276 100644
+--- a/mysql-test/main/ssl_cipher.test
+++ b/mysql-test/main/ssl_cipher.test
+@@ -98,6 +98,6 @@ let $restart_parameters=--ssl-cipher=AES128-SHA;
+ source include/restart_mysqld.inc;
+ connect (ssl_con,localhost,root,,,,,SSL);
+ SHOW STATUS LIKE 'Ssl_cipher';
+-SHOW STATUS LIKE 'Ssl_cipher_list';
+SELECT VARIABLE_VALUE like '%AES128-SHA%' FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher_list';
+ disconnect ssl_con;
+ connection default;
+diff --git a/mysys_ssl/my_crypt.cc b/mysys_ssl/my_crypt.cc
+index e512eee9066..4d7ebc7bd27 100644
+--- a/mysys_ssl/my_crypt.cc
+++ b/mysys_ssl/my_crypt.cc
+@@ -29,11 +29,7 @@
+ #include <ssl_compat.h>
+ #include <cstdint>
+ 
+-#ifdef HAVE_WOLFSSL
+ #define CTX_ALIGN 16
+-#else
+-#define CTX_ALIGN 0
+-#endif
+ 
+ class MyCTX
+ {
+@@ -100,8 +96,9 @@ class MyCTX_nopad : public MyCTX
+ {
+ public:
+   const uchar *key;
+-  uint klen, buf_len;
+  uint klen, source_tail_len;
+   uchar oiv[MY_AES_BLOCK_SIZE];
+  uchar source_tail[MY_AES_BLOCK_SIZE];
+ 
+   MyCTX_nopad() : MyCTX() { }
+   ~MyCTX_nopad() { }
+@@ -112,7 +109,7 @@ class MyCTX_nopad : public MyCTX
+     compile_time_assert(MY_AES_CTX_SIZE >= sizeof(MyCTX_nopad));
+     this->key= key;
+     this->klen= klen;
+-    this->buf_len= 0;
+    this->source_tail_len= 0;
+     if (ivlen)
+       memcpy(oiv, iv, ivlen);
+     DBUG_ASSERT(ivlen == 0 || ivlen == sizeof(oiv));
+@@ -123,26 +120,41 @@ class MyCTX_nopad : public MyCTX
+     return res;
+   }
+ 
+  /** Update last partial source block, stored in source_tail array. */
+  void update_source_tail(const uchar* src, uint slen)
+  {
+    if (!slen)
+      return;
+    uint new_tail_len= (source_tail_len + slen) % MY_AES_BLOCK_SIZE;
+    if (new_tail_len)
+    {
+      if (slen + source_tail_len < MY_AES_BLOCK_SIZE)
+      {
+        memcpy(source_tail + source_tail_len, src, slen);
+      }
+      else
+      {
+        DBUG_ASSERT(slen > new_tail_len);
+        memcpy(source_tail, src + slen - new_tail_len, new_tail_len);
+      }
+    }
+    source_tail_len= new_tail_len;
+  }
+
+   int update(const uchar *src, uint slen, uchar *dst, uint *dlen)
+   {
+-    buf_len+= slen;
+    update_source_tail(src, slen);
+     return MyCTX::update(src, slen, dst, dlen);
+   }
+ 
+   int finish(uchar *dst, uint *dlen)
+   {
+-    buf_len %= MY_AES_BLOCK_SIZE;
+-    if (buf_len)
+    if (source_tail_len)
+     {
+-      uchar *buf= EVP_CIPHER_CTX_buf_noconst(ctx);
+       /*
+         Not much we can do, block ciphers cannot encrypt data that aren't
+         a multiple of the block length. At least not without padding.
+         Let's do something CTR-like for the last partial block.
+-
+-        NOTE this assumes that there are only buf_len bytes in the buf.
+-        If OpenSSL will change that, we'll need to change the implementation
+-        of this class too.
+       */
+       uchar mask[MY_AES_BLOCK_SIZE];
+       uint mlen;
+@@ -154,10 +166,10 @@ class MyCTX_nopad : public MyCTX
+         return rc;
+       DBUG_ASSERT(mlen == sizeof(mask));
+ 
+-      for (uint i=0; i < buf_len; i++)
+-        dst[i]= buf[i] ^ mask[i];
+      for (uint i=0; i < source_tail_len; i++)
+        dst[i]= source_tail[i] ^ mask[i];
+     }
+-    *dlen= buf_len;
+    *dlen= source_tail_len;
+     return MY_AES_OK;
+   }
+ };
+diff --git a/unittest/mysys/aes-t.c b/unittest/mysys/aes-t.c
+index 34704e06749..cbec2760941 100644
+--- a/unittest/mysys/aes-t.c
+++ b/unittest/mysys/aes-t.c
+@@ -21,27 +21,96 @@
+ #include <string.h>
+ #include <ctype.h>
+ 
+-#define DO_TEST(mode, nopad, slen, fill, dlen, hash)                    \
+-  SKIP_BLOCK_IF(mode == 0xDEADBEAF, nopad ? 4 : 5, #mode " not supported")     \
+-  {                                                                     \
+-    memset(src, fill, src_len= slen);                                   \
+-    ok(my_aes_crypt(mode, nopad | ENCRYPTION_FLAG_ENCRYPT,              \
+-                    src, src_len, dst, &dst_len,                        \
+-                    key, sizeof(key), iv, sizeof(iv)) == MY_AES_OK,     \
+-      "encrypt " #mode " %u %s", src_len, nopad ? "nopad" : "pad");     \
+-    if (!nopad)                                                         \
+-      ok (dst_len == my_aes_get_size(mode, src_len), "my_aes_get_size");\
+-    my_md5(md5, (char*)dst, dst_len);                                   \
+-    ok(dst_len == dlen && memcmp(md5, hash, sizeof(md5)) == 0, "md5");  \
+-    ok(my_aes_crypt(mode, nopad | ENCRYPTION_FLAG_DECRYPT,              \
+-                    dst, dst_len, ddst, &ddst_len,                      \
+-                    key, sizeof(key), iv, sizeof(iv)) == MY_AES_OK,     \
+-       "decrypt " #mode " %u", dst_len);                                \
+-    ok(ddst_len == src_len && memcmp(src, ddst, src_len) == 0, "memcmp"); \
+
+/** Test streaming encryption, bytewise update.*/
+static int aes_crypt_bytewise(enum my_aes_mode mode, int flags, const unsigned char *src,
+                 unsigned int slen, unsigned char *dst, unsigned int *dlen,
+                 const unsigned char *key, unsigned int klen,
+                 const unsigned char *iv, unsigned int ivlen)
+{
+  /* Allocate context on odd address on stack, in order to
+   catch misalignment errors.*/
+  void *ctx= (char *)alloca(MY_AES_CTX_SIZE+1)+1;
+
+  int res1, res2;
+  uint d1= 0, d2;
+  uint i;
+
+  if ((res1= my_aes_crypt_init(ctx, mode, flags, key, klen, iv, ivlen)))
+    return res1;
+  for (i= 0; i < slen; i++)
+  {
+    uint tmp_d1=0;
+    res1= my_aes_crypt_update(ctx, src+i,1, dst, &tmp_d1);
+    if (res1)
+      return res1;
+    d1+= tmp_d1;
+    dst+= tmp_d1;
+  }
+  res2= my_aes_crypt_finish(ctx, dst, &d2);
+  *dlen= d1 + d2;
+  return res1 ? res1 : res2;
+}
+
+
+#ifndef HAVE_EncryptAes128Ctr
+const uint MY_AES_CTR=0xDEADBEAF;
+#endif
+#ifndef HAVE_EncryptAes128Gcm
+const uint MY_AES_GCM=0xDEADBEAF;
+#endif
+
+#define MY_AES_UNSUPPORTED(x)  (x == 0xDEADBEAF)
+
+static void do_test(uint mode, const char *mode_str, int nopad, uint slen,
+                    char fill, size_t dlen, const char *hash)
+{
+  uchar key[16]= {1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 5, 6};
+  uchar iv[16]= {2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 5, 6, 7};
+  uchar src[1000], dst[1100], dst2[1100], ddst[1000];
+  uchar md5[MY_MD5_HASH_SIZE];
+  uint src_len, dst_len, dst_len2, ddst_len;
+  int result;
+
+  if (MY_AES_UNSUPPORTED(mode))
+  {
+    skip(nopad?7:6, "%s not supported", mode_str);
+    return;
+  }
+  memset(src, fill, src_len= slen);
+  result= my_aes_crypt(mode, nopad | ENCRYPTION_FLAG_ENCRYPT, src, src_len,
+                       dst, &dst_len, key, sizeof(key), iv, sizeof(iv));
+  ok(result == MY_AES_OK, "encrypt %s %u %s", mode_str, src_len,
+     nopad ? "nopad" : "pad");
+
+  if (nopad)
+  {
+    result= aes_crypt_bytewise(mode, nopad | ENCRYPTION_FLAG_ENCRYPT, src,
+                                src_len, dst2, &dst_len2, key, sizeof(key),
+                                iv, sizeof(iv));
+    ok(result == MY_AES_OK, "encrypt bytewise %s %u", mode_str, src_len);
+    /* Compare with non-bytewise encryption result*/
+    ok(dst_len == dst_len2 && memcmp(dst, dst2, dst_len) == 0,
+       "memcmp bytewise  %s %u", mode_str, src_len);
+  }
+  else
+  {
+    int dst_len_real= my_aes_get_size(mode, src_len);
+    ok(dst_len_real= dst_len, "my_aes_get_size");
+   }
+  my_md5(md5, (char *) dst, dst_len);
+  ok(dst_len == dlen, "md5 len");
+  ok(memcmp(md5, hash, sizeof(md5)) == 0, "md5");
+  result= my_aes_crypt(mode, nopad | ENCRYPTION_FLAG_DECRYPT,
+                       dst, dst_len, ddst, &ddst_len, key, sizeof(key), iv,
+                       sizeof(iv));
+
+  ok(result == MY_AES_OK, "decrypt %s %u", mode_str, dst_len);
+  ok(ddst_len == src_len && memcmp(src, ddst, src_len) == 0, "memcmp");
+}
+ 
+-#define DO_TEST_P(M,S,F,D,H) DO_TEST(M,0,S,F,D,H)
+-#define DO_TEST_N(M,S,F,D,H) DO_TEST(M,ENCRYPTION_FLAG_NOPAD,S,F,D,H)
+#define DO_TEST_P(M, S, F, D, H) do_test(M, #M, 0, S, F, D, H)
+#define DO_TEST_N(M, S, F, D, H) do_test(M, #M, ENCRYPTION_FLAG_NOPAD, S, F, D, H)
+ 
+ /* useful macro for debugging */
+ #define PRINT_MD5()                                     \
+@@ -53,25 +122,15 @@
+     printf("\"\n");                                     \
+   } while(0);
+ 
+-#ifndef HAVE_EncryptAes128Ctr
+-const uint MY_AES_CTR=0xDEADBEAF;
+-#endif
+-#ifndef HAVE_EncryptAes128Gcm
+-const uint MY_AES_GCM=0xDEADBEAF;
+-#endif
+ 
+ int
+ main(int argc __attribute__((unused)),char *argv[])
+ {
+-  uchar key[16]= {1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6};
+-  uchar iv[16]=  {2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7};
+-  uchar src[1000], dst[1100], ddst[1000];
+-  uchar md5[MY_MD5_HASH_SIZE];
+-  uint src_len, dst_len, ddst_len;
+ 
+   MY_INIT(argv[0]);
+ 
+-  plan(87);
+  plan(122);
+
+   DO_TEST_P(MY_AES_ECB, 200, '.', 208, "\xd8\x73\x8e\x3a\xbc\x66\x99\x13\x7f\x90\x23\x52\xee\x97\x6f\x9a");
+   DO_TEST_P(MY_AES_ECB, 128, '?', 144, "\x19\x58\x33\x85\x4c\xaa\x7f\x06\xd1\xb2\xec\xd7\xb7\x6a\xa9\x5b");
+   DO_TEST_P(MY_AES_CBC, 159, '%', 160, "\x4b\x03\x18\x3d\xf1\xa7\xcd\xa1\x46\xb3\xc6\x8a\x92\xc0\x0f\xc9");
+-- 
+2.17.1

diff --git a/meta-oe/recipes-dbs/mysql/mariadb.inc b/meta-oe/recipes-dbs/mysql/mariadb.inc index 81a7859323..51e6ddbf71 100644 --- a/meta-oe/recipes-dbs/mysql/mariadb.inc +++ b/meta-oe/recipes-dbs/mysql/mariadb.inc
@@ -20,6 +20,7 @@ SRC_URI = "https://archive.mariadb.org/${BP}/source/${BP}.tar.gz \
20	file://ssize_t.patch \	20	file://ssize_t.patch \
21	file://mm_malloc.patch \	21	file://mm_malloc.patch \
22	file://sys_futex.patch \	22	file://sys_futex.patch \
		23	file://0001-MDEV-25785-Add-support-for-OpenSSL-3.0.patch \
23	"	24	"
24	SRC_URI:append:libc-musl = " file://ppc-remove-glibc-dep.patch"	25	SRC_URI:append:libc-musl = " file://ppc-remove-glibc-dep.patch"
25		26


diff --git a/meta-oe/recipes-dbs/mysql/mariadb/0001-MDEV-25785-Add-support-for-OpenSSL-3.0.patch b/meta-oe/recipes-dbs/mysql/mariadb/0001-MDEV-25785-Add-support-for-OpenSSL-3.0.patch new file mode 100644 index 0000000000..ab6811c0f5 --- /dev/null +++ b/meta-oe/recipes-dbs/mysql/mariadb/0001-MDEV-25785-Add-support-for-OpenSSL-3.0.patch
@@ -0,0 +1,381 @@
		1	From 1b238e343506b43825092941d4cd294d9b866bef Mon Sep 17 00:00:00 2001
		2	From: Vladislav Vaintroub <wlad@mariadb.com>
		3	Date: Mon, 8 Nov 2021 18:48:19 +0100
		4	Subject: [PATCH] MDEV-25785 Add support for OpenSSL 3.0
		5
		6	Summary of changes
		7
		8	- MD_CTX_SIZE is increased
		9
		10	- EVP_CIPHER_CTX_buf_noconst(ctx) does not work anymore, points
		11	to nobody knows where. The assumption made previously was that
		12	(since the function does not seem to be documented)
		13	was that it points to the last partial source block.
		14	Add own partial block buffer for NOPAD encryption instead
		15
		16	- SECLEVEL in CipherString in openssl.cnf
		17	had been downgraded to 0, from 1, to make TLSv1.0 and TLSv1.1 possible
		18	(according to https://github.com/openssl/openssl/blob/openssl-3.0.0/NEWS.md
		19	even though the manual for SSL_CTX_get_security_level claims that it
		20	should not be necessary)
		21
		22	- Workaround Ssl_cipher_list issue, it now returns TLSv1.3 ciphers,
		23	in addition to what was set in --ssl-cipher
		24
		25	- ctx_buf buffer now must be aligned to 16 bytes with openssl(
		26	previously with WolfSSL only), ot crashes will happen
		27
		28	- updated aes-t , to be better debuggable
		29	using function, rather than a huge multiline macro
		30	added test that does "nopad" encryption piece-wise, to test
		31	replacement of EVP_CIPHER_CTX_buf_noconst
		32
		33	Upstream-Status: Backport [https://github.com/MariaDB/server/commit/1b238e343506b43825092941d4cd294d9b866bef]
		34
		35	Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
		36	---
		37	cmake/ssl.cmake \| 8 ++
		38	include/ssl_compat.h \| 3 +-
		39	mysql-test/lib/openssl.cnf \| 2 +-
		40	mysql-test/main/ssl_cipher.result \| 6 +-
		41	mysql-test/main/ssl_cipher.test \| 2 +-
		42	mysys_ssl/my_crypt.cc \| 46 +++++++-----
		43	unittest/mysys/aes-t.c \| 121 ++++++++++++++++++++++--------
		44	7 files changed, 133 insertions(+), 55 deletions(-)
		45
		46	diff --git a/cmake/ssl.cmake b/cmake/ssl.cmake
		47	index 7c2488be8bd..1bd46bc0f39 100644
		48	--- a/cmake/ssl.cmake
		49	+++ b/cmake/ssl.cmake
		50	@@ -139,6 +139,13 @@ MACRO (MYSQL_CHECK_SSL)
		51	SET(SSL_INTERNAL_INCLUDE_DIRS "")
		52	SET(SSL_DEFINES "-DHAVE_OPENSSL")
		53
		54	+ # Silence "deprecated in OpenSSL 3.0"
		55	+ IF((NOT OPENSSL_VERSION) # 3.0 not determined by older cmake
		56	+ OR NOT(OPENSSL_VERSION VERSION_LESS "3.0.0"))
		57	+ SET(SSL_DEFINES "${SSL_DEFINES} -DOPENSSL_API_COMPAT=0x10100000L")
		58	+ SET(CMAKE_REQUIRED_DEFINITIONS -DOPENSSL_API_COMPAT=0x10100000L)
		59	+ ENDIF()
		60	+
		61	SET(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
		62	SET(CMAKE_REQUIRED_LIBRARIES ${SSL_LIBRARIES})
		63	SET(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
		64	@@ -152,6 +159,7 @@ MACRO (MYSQL_CHECK_SSL)
		65	HAVE_X509_check_host)
		66	SET(CMAKE_REQUIRED_INCLUDES)
		67	SET(CMAKE_REQUIRED_LIBRARIES)
		68	+ SET(CMAKE_REQUIRED_DEFINITIONS)
		69	ELSE()
		70	IF(WITH_SSL STREQUAL "system")
		71	MESSAGE(FATAL_ERROR "Cannot find appropriate system libraries for SSL. Use WITH_SSL=bundled to enable SSL support")
		72	diff --git a/include/ssl_compat.h b/include/ssl_compat.h
		73	index 9f4b6be8d95..affa9f2a448 100644
		74	--- a/include/ssl_compat.h
		75	+++ b/include/ssl_compat.h
		76	@@ -24,7 +24,7 @@
		77	#define SSL_LIBRARY OpenSSL_version(OPENSSL_VERSION)
		78	#define ERR_remove_state(X) ERR_clear_error()
		79	#define EVP_CIPHER_CTX_SIZE 176
		80	-#define EVP_MD_CTX_SIZE 48
		81	+#define EVP_MD_CTX_SIZE 72
		82	#undef EVP_MD_CTX_init
		83	#define EVP_MD_CTX_init(X) do { memset((X), 0, EVP_MD_CTX_SIZE); EVP_MD_CTX_reset(X); } while(0)
		84	#undef EVP_CIPHER_CTX_init
		85	@@ -74,7 +74,6 @@
		86	#endif
		87
		88	#define DH_set0_pqg(D,P,Q,G) ((D)->p= (P), (D)->g= (G))
		89	-#define EVP_CIPHER_CTX_buf_noconst(ctx) ((ctx)->buf)
		90	#define EVP_CIPHER_CTX_encrypting(ctx) ((ctx)->encrypt)
		91	#define EVP_CIPHER_CTX_SIZE sizeof(EVP_CIPHER_CTX)
		92
		93	diff --git a/mysql-test/lib/openssl.cnf b/mysql-test/lib/openssl.cnf
		94	index b9ab37ac3a1..7cd6f748af2 100644
		95	--- a/mysql-test/lib/openssl.cnf
		96	+++ b/mysql-test/lib/openssl.cnf
		97	@@ -9,4 +9,4 @@ ssl_conf = ssl_section
		98	system_default = system_default_section
		99
		100	[system_default_section]
		101	-CipherString = ALL:@SECLEVEL=1
		102	+CipherString = ALL:@SECLEVEL=0
		103	diff --git a/mysql-test/main/ssl_cipher.result b/mysql-test/main/ssl_cipher.result
		104	index 930d384eda9..66d817b7b41 100644
		105	--- a/mysql-test/main/ssl_cipher.result
		106	+++ b/mysql-test/main/ssl_cipher.result
		107	@@ -61,8 +61,8 @@ connect ssl_con,localhost,root,,,,,SSL;
		108	SHOW STATUS LIKE 'Ssl_cipher';
		109	Variable_name Value
		110	Ssl_cipher AES128-SHA
		111	-SHOW STATUS LIKE 'Ssl_cipher_list';
		112	-Variable_name Value
		113	-Ssl_cipher_list AES128-SHA
		114	+SELECT VARIABLE_VALUE like '%AES128-SHA%' FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher_list';
		115	+VARIABLE_VALUE like '%AES128-SHA%'
		116	+1
		117	disconnect ssl_con;
		118	connection default;
		119	diff --git a/mysql-test/main/ssl_cipher.test b/mysql-test/main/ssl_cipher.test
		120	index 36549d76d02..d4cdcffb276 100644
		121	--- a/mysql-test/main/ssl_cipher.test
		122	+++ b/mysql-test/main/ssl_cipher.test
		123	@@ -98,6 +98,6 @@ let $restart_parameters=--ssl-cipher=AES128-SHA;
		124	source include/restart_mysqld.inc;
		125	connect (ssl_con,localhost,root,,,,,SSL);
		126	SHOW STATUS LIKE 'Ssl_cipher';
		127	-SHOW STATUS LIKE 'Ssl_cipher_list';
		128	+SELECT VARIABLE_VALUE like '%AES128-SHA%' FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher_list';
		129	disconnect ssl_con;
		130	connection default;
		131	diff --git a/mysys_ssl/my_crypt.cc b/mysys_ssl/my_crypt.cc
		132	index e512eee9066..4d7ebc7bd27 100644
		133	--- a/mysys_ssl/my_crypt.cc
		134	+++ b/mysys_ssl/my_crypt.cc
		135	@@ -29,11 +29,7 @@
		136	#include <ssl_compat.h>
		137	#include <cstdint>
		138
		139	-#ifdef HAVE_WOLFSSL
		140	#define CTX_ALIGN 16
		141	-#else
		142	-#define CTX_ALIGN 0
		143	-#endif
		144
		145	class MyCTX
		146	{
		147	@@ -100,8 +96,9 @@ class MyCTX_nopad : public MyCTX
		148	{
		149	public:
		150	const uchar *key;
		151	- uint klen, buf_len;
		152	+ uint klen, source_tail_len;
		153	uchar oiv[MY_AES_BLOCK_SIZE];
		154	+ uchar source_tail[MY_AES_BLOCK_SIZE];
		155
		156	MyCTX_nopad() : MyCTX() { }
		157	~MyCTX_nopad() { }
		158	@@ -112,7 +109,7 @@ class MyCTX_nopad : public MyCTX
		159	compile_time_assert(MY_AES_CTX_SIZE >= sizeof(MyCTX_nopad));
		160	this->key= key;
		161	this->klen= klen;
		162	- this->buf_len= 0;
		163	+ this->source_tail_len= 0;
		164	if (ivlen)
		165	memcpy(oiv, iv, ivlen);
		166	DBUG_ASSERT(ivlen == 0 \|\| ivlen == sizeof(oiv));
		167	@@ -123,26 +120,41 @@ class MyCTX_nopad : public MyCTX
		168	return res;
		169	}
		170
		171	+ /** Update last partial source block, stored in source_tail array. */
		172	+ void update_source_tail(const uchar* src, uint slen)
		173	+ {
		174	+ if (!slen)
		175	+ return;
		176	+ uint new_tail_len= (source_tail_len + slen) % MY_AES_BLOCK_SIZE;
		177	+ if (new_tail_len)
		178	+ {
		179	+ if (slen + source_tail_len < MY_AES_BLOCK_SIZE)
		180	+ {
		181	+ memcpy(source_tail + source_tail_len, src, slen);
		182	+ }
		183	+ else
		184	+ {
		185	+ DBUG_ASSERT(slen > new_tail_len);
		186	+ memcpy(source_tail, src + slen - new_tail_len, new_tail_len);
		187	+ }
		188	+ }
		189	+ source_tail_len= new_tail_len;
		190	+ }
		191	+
		192	int update(const uchar src, uint slen, uchar dst, uint *dlen)
		193	{
		194	- buf_len+= slen;
		195	+ update_source_tail(src, slen);
		196	return MyCTX::update(src, slen, dst, dlen);
		197	}
		198
		199	int finish(uchar dst, uint dlen)
		200	{
		201	- buf_len %= MY_AES_BLOCK_SIZE;
		202	- if (buf_len)
		203	+ if (source_tail_len)
		204	{
		205	- uchar *buf= EVP_CIPHER_CTX_buf_noconst(ctx);
		206	/*
		207	Not much we can do, block ciphers cannot encrypt data that aren't
		208	a multiple of the block length. At least not without padding.
		209	Let's do something CTR-like for the last partial block.
		210	-
		211	- NOTE this assumes that there are only buf_len bytes in the buf.
		212	- If OpenSSL will change that, we'll need to change the implementation
		213	- of this class too.
		214	*/
		215	uchar mask[MY_AES_BLOCK_SIZE];
		216	uint mlen;
		217	@@ -154,10 +166,10 @@ class MyCTX_nopad : public MyCTX
		218	return rc;
		219	DBUG_ASSERT(mlen == sizeof(mask));
		220
		221	- for (uint i=0; i < buf_len; i++)
		222	- dst[i]= buf[i] ^ mask[i];
		223	+ for (uint i=0; i < source_tail_len; i++)
		224	+ dst[i]= source_tail[i] ^ mask[i];
		225	}
		226	- *dlen= buf_len;
		227	+ *dlen= source_tail_len;
		228	return MY_AES_OK;
		229	}
		230	};
		231	diff --git a/unittest/mysys/aes-t.c b/unittest/mysys/aes-t.c
		232	index 34704e06749..cbec2760941 100644
		233	--- a/unittest/mysys/aes-t.c
		234	+++ b/unittest/mysys/aes-t.c
		235	@@ -21,27 +21,96 @@
		236	#include <string.h>
		237	#include <ctype.h>
		238
		239	-#define DO_TEST(mode, nopad, slen, fill, dlen, hash) \
		240	- SKIP_BLOCK_IF(mode == 0xDEADBEAF, nopad ? 4 : 5, #mode " not supported") \
		241	- { \
		242	- memset(src, fill, src_len= slen); \
		243	- ok(my_aes_crypt(mode, nopad \| ENCRYPTION_FLAG_ENCRYPT, \
		244	- src, src_len, dst, &dst_len, \
		245	- key, sizeof(key), iv, sizeof(iv)) == MY_AES_OK, \
		246	- "encrypt " #mode " %u %s", src_len, nopad ? "nopad" : "pad"); \
		247	- if (!nopad) \
		248	- ok (dst_len == my_aes_get_size(mode, src_len), "my_aes_get_size");\
		249	- my_md5(md5, (char*)dst, dst_len); \
		250	- ok(dst_len == dlen && memcmp(md5, hash, sizeof(md5)) == 0, "md5"); \
		251	- ok(my_aes_crypt(mode, nopad \| ENCRYPTION_FLAG_DECRYPT, \
		252	- dst, dst_len, ddst, &ddst_len, \
		253	- key, sizeof(key), iv, sizeof(iv)) == MY_AES_OK, \
		254	- "decrypt " #mode " %u", dst_len); \
		255	- ok(ddst_len == src_len && memcmp(src, ddst, src_len) == 0, "memcmp"); \
		256	+
		257	+/** Test streaming encryption, bytewise update.*/
		258	+static int aes_crypt_bytewise(enum my_aes_mode mode, int flags, const unsigned char *src,
		259	+ unsigned int slen, unsigned char dst, unsigned int dlen,
		260	+ const unsigned char *key, unsigned int klen,
		261	+ const unsigned char *iv, unsigned int ivlen)
		262	+{
		263	+ /* Allocate context on odd address on stack, in order to
		264	+ catch misalignment errors.*/
		265	+ void ctx= (char )alloca(MY_AES_CTX_SIZE+1)+1;
		266	+
		267	+ int res1, res2;
		268	+ uint d1= 0, d2;
		269	+ uint i;
		270	+
		271	+ if ((res1= my_aes_crypt_init(ctx, mode, flags, key, klen, iv, ivlen)))
		272	+ return res1;
		273	+ for (i= 0; i < slen; i++)
		274	+ {
		275	+ uint tmp_d1=0;
		276	+ res1= my_aes_crypt_update(ctx, src+i,1, dst, &tmp_d1);
		277	+ if (res1)
		278	+ return res1;
		279	+ d1+= tmp_d1;
		280	+ dst+= tmp_d1;
		281	+ }
		282	+ res2= my_aes_crypt_finish(ctx, dst, &d2);
		283	+ *dlen= d1 + d2;
		284	+ return res1 ? res1 : res2;
		285	+}
		286	+
		287	+
		288	+#ifndef HAVE_EncryptAes128Ctr
		289	+const uint MY_AES_CTR=0xDEADBEAF;
		290	+#endif
		291	+#ifndef HAVE_EncryptAes128Gcm
		292	+const uint MY_AES_GCM=0xDEADBEAF;
		293	+#endif
		294	+
		295	+#define MY_AES_UNSUPPORTED(x) (x == 0xDEADBEAF)
		296	+
		297	+static void do_test(uint mode, const char *mode_str, int nopad, uint slen,
		298	+ char fill, size_t dlen, const char *hash)
		299	+{
		300	+ uchar key[16]= {1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 5, 6};
		301	+ uchar iv[16]= {2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 5, 6, 7};
		302	+ uchar src[1000], dst[1100], dst2[1100], ddst[1000];
		303	+ uchar md5[MY_MD5_HASH_SIZE];
		304	+ uint src_len, dst_len, dst_len2, ddst_len;
		305	+ int result;
		306	+
		307	+ if (MY_AES_UNSUPPORTED(mode))
		308	+ {
		309	+ skip(nopad?7:6, "%s not supported", mode_str);
		310	+ return;
		311	+ }
		312	+ memset(src, fill, src_len= slen);
		313	+ result= my_aes_crypt(mode, nopad \| ENCRYPTION_FLAG_ENCRYPT, src, src_len,
		314	+ dst, &dst_len, key, sizeof(key), iv, sizeof(iv));
		315	+ ok(result == MY_AES_OK, "encrypt %s %u %s", mode_str, src_len,
		316	+ nopad ? "nopad" : "pad");
		317	+
		318	+ if (nopad)
		319	+ {
		320	+ result= aes_crypt_bytewise(mode, nopad \| ENCRYPTION_FLAG_ENCRYPT, src,
		321	+ src_len, dst2, &dst_len2, key, sizeof(key),
		322	+ iv, sizeof(iv));
		323	+ ok(result == MY_AES_OK, "encrypt bytewise %s %u", mode_str, src_len);
		324	+ /* Compare with non-bytewise encryption result*/
		325	+ ok(dst_len == dst_len2 && memcmp(dst, dst2, dst_len) == 0,
		326	+ "memcmp bytewise %s %u", mode_str, src_len);
		327	+ }
		328	+ else
		329	+ {
		330	+ int dst_len_real= my_aes_get_size(mode, src_len);
		331	+ ok(dst_len_real= dst_len, "my_aes_get_size");
		332	}
		333	+ my_md5(md5, (char *) dst, dst_len);
		334	+ ok(dst_len == dlen, "md5 len");
		335	+ ok(memcmp(md5, hash, sizeof(md5)) == 0, "md5");
		336	+ result= my_aes_crypt(mode, nopad \| ENCRYPTION_FLAG_DECRYPT,
		337	+ dst, dst_len, ddst, &ddst_len, key, sizeof(key), iv,
		338	+ sizeof(iv));
		339	+
		340	+ ok(result == MY_AES_OK, "decrypt %s %u", mode_str, dst_len);
		341	+ ok(ddst_len == src_len && memcmp(src, ddst, src_len) == 0, "memcmp");
		342	+}
		343
		344	-#define DO_TEST_P(M,S,F,D,H) DO_TEST(M,0,S,F,D,H)
		345	-#define DO_TEST_N(M,S,F,D,H) DO_TEST(M,ENCRYPTION_FLAG_NOPAD,S,F,D,H)
		346	+#define DO_TEST_P(M, S, F, D, H) do_test(M, #M, 0, S, F, D, H)
		347	+#define DO_TEST_N(M, S, F, D, H) do_test(M, #M, ENCRYPTION_FLAG_NOPAD, S, F, D, H)
		348
		349	/* useful macro for debugging */
		350	#define PRINT_MD5() \
		351	@@ -53,25 +122,15 @@
		352	printf("\"\n"); \
		353	} while(0);
		354
		355	-#ifndef HAVE_EncryptAes128Ctr
		356	-const uint MY_AES_CTR=0xDEADBEAF;
		357	-#endif
		358	-#ifndef HAVE_EncryptAes128Gcm
		359	-const uint MY_AES_GCM=0xDEADBEAF;
		360	-#endif
		361
		362	int
		363	main(int argc __attribute__((unused)),char *argv[])
		364	{
		365	- uchar key[16]= {1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6};
		366	- uchar iv[16]= {2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7};
		367	- uchar src[1000], dst[1100], ddst[1000];
		368	- uchar md5[MY_MD5_HASH_SIZE];
		369	- uint src_len, dst_len, ddst_len;
		370
		371	MY_INIT(argv[0]);
		372
		373	- plan(87);
		374	+ plan(122);
		375	+
		376	DO_TEST_P(MY_AES_ECB, 200, '.', 208, "\xd8\x73\x8e\x3a\xbc\x66\x99\x13\x7f\x90\x23\x52\xee\x97\x6f\x9a");
		377	DO_TEST_P(MY_AES_ECB, 128, '?', 144, "\x19\x58\x33\x85\x4c\xaa\x7f\x06\xd1\xb2\xec\xd7\xb7\x6a\xa9\x5b");
		378	DO_TEST_P(MY_AES_CBC, 159, '%', 160, "\x4b\x03\x18\x3d\xf1\xa7\xcd\xa1\x46\xb3\xc6\x8a\x92\xc0\x0f\xc9");
		379	--
		380	2.17.1
		381