From 3bf91fabf641f3f5114bf3893de40a31aae36e13 Mon Sep 17 00:00:00 2001 From: Thomas Deutschmann Date: Tue, 22 Jun 2021 23:56:54 +0200 Subject: [PATCH 5/5] Add OpenSSL 3.0.0 support Signed-off-by: Thomas Deutschmann --- cmake/ssl.cmake | 59 +++++++++++++------ mysys/my_md5.cc | 2 + .../bindings/xcom/xcom/xcom_ssl_transport.cc | 4 ++ plugin/x/client/xconnection_impl.cc | 4 ++ sql-common/client.cc | 2 + sql/mysqld.cc | 2 + sql/sys_vars.cc | 18 +++++- vio/viosslfactories.cc | 2 + 8 files changed, 74 insertions(+), 19 deletions(-) diff --git a/cmake/ssl.cmake b/cmake/ssl.cmake index 18c95dfac..dd2f7e657 100644 --- a/cmake/ssl.cmake +++ b/cmake/ssl.cmake @@ -201,34 +201,59 @@ MACRO (MYSQL_CHECK_SSL) NAMES crypto libcrypto libeay32 HINTS ${OPENSSL_ROOT_DIR}/lib) - IF(OPENSSL_INCLUDE_DIR) + IF(OPENSSL_INCLUDE_DIR AND EXISTS "${OPENSSL_INCLUDE_DIR}/openssl/opensslv.h") # Verify version number. Version information looks like: # #define OPENSSL_VERSION_NUMBER 0x1000103fL # Encoded as MNNFFPPS: major minor fix patch status FILE(STRINGS "${OPENSSL_INCLUDE_DIR}/openssl/opensslv.h" OPENSSL_VERSION_NUMBER - REGEX "^#[ ]*define[\t ]+OPENSSL_VERSION_NUMBER[\t ]+0x[0-9].*" - ) - STRING(REGEX REPLACE - "^.*OPENSSL_VERSION_NUMBER[\t ]+0x([0-9]).*$" "\\1" - OPENSSL_MAJOR_VERSION "${OPENSSL_VERSION_NUMBER}" - ) - STRING(REGEX REPLACE - "^.*OPENSSL_VERSION_NUMBER[\t ]+0x[0-9]([0-9][0-9]).*$" "\\1" - OPENSSL_MINOR_VERSION "${OPENSSL_VERSION_NUMBER}" - ) - STRING(REGEX REPLACE - "^.*OPENSSL_VERSION_NUMBER[\t ]+0x[0-9][0-9][0-9]([0-9][0-9]).*$" "\\1" - OPENSSL_FIX_VERSION "${OPENSSL_VERSION_NUMBER}" + REGEX "^#[\t ]*define[\t ]+OPENSSL_VERSION_NUMBER[\t ]+0x[0-9].*" ) + + IF(OPENSSL_VERSION_NUMBER) + STRING(REGEX REPLACE + "^.*OPENSSL_VERSION_NUMBER[\t ]+0x([0-9]).*$" "\\1" + OPENSSL_MAJOR_VERSION "${OPENSSL_VERSION_NUMBER}" + ) + STRING(REGEX REPLACE + "^.*OPENSSL_VERSION_NUMBER[\t ]+0x[0-9]([0-9][0-9]).*$" "\\1" + OPENSSL_MINOR_VERSION "${OPENSSL_VERSION_NUMBER}" + ) + STRING(REGEX REPLACE + "^.*OPENSSL_VERSION_NUMBER[\t ]+0x[0-9][0-9][0-9]([0-9][0-9]).*$" "\\1" + OPENSSL_FIX_VERSION "${OPENSSL_VERSION_NUMBER}" + ) + ELSE() + FILE(STRINGS "${OPENSSL_INCLUDE_DIR}/openssl/opensslv.h" + OPENSSL_VERSION_STR + REGEX "^#[\t ]*define[\t ]+OPENSSL_VERSION_STR[\t ]+\"([0-9])+\\.([0-9])+\\.([0-9])+\".*" + ) + + STRING(REGEX REPLACE + "^.*OPENSSL_VERSION_STR[\t ]+\"([0-9]+)\\.[0-9]+\\.[0-9]+\".*$" "\\1" + OPENSSL_MAJOR_VERSION "${OPENSSL_VERSION_STR}" + ) + STRING(REGEX REPLACE + "^.*OPENSSL_VERSION_STR[\t ]+\"[0-9]+\\.([0-9]+)\\.[0-9]+\".*$" "\\1" + OPENSSL_MINOR_VERSION "${OPENSSL_VERSION_STR}" + ) + STRING(REGEX REPLACE + "^.*OPENSSL_VERSION_STR[\t ]+\"[0-9]+\\.[0-9]+\\.([0-9]+)\".*$" "\\1" + OPENSSL_FIX_VERSION "${OPENSSL_VERSION_STR}" + ) + ENDIF() ENDIF() - IF("${OPENSSL_MAJOR_VERSION}.${OPENSSL_MINOR_VERSION}.${OPENSSL_FIX_VERSION}" VERSION_GREATER "1.1.0") + + INCLUDE(CheckSymbolExists) + + CHECK_SYMBOL_EXISTS(TLS1_3_VERSION "openssl/tls1.h" HAVE_TLS1_3_VERSION) + IF(HAVE_TLS1_3_VERSION) ADD_DEFINITIONS(-DHAVE_TLSv13) ENDIF() IF(OPENSSL_INCLUDE_DIR AND OPENSSL_LIBRARY AND CRYPTO_LIBRARY AND - OPENSSL_MAJOR_VERSION STREQUAL "1" + OPENSSL_MAJOR_VERSION VERSION_GREATER_EQUAL "1" ) SET(OPENSSL_FOUND TRUE) FIND_PROGRAM(OPENSSL_EXECUTABLE openssl @@ -292,8 +317,6 @@ MACRO (MYSQL_CHECK_SSL) MESSAGE(STATUS "OPENSSL_MINOR_VERSION = ${OPENSSL_MINOR_VERSION}") MESSAGE(STATUS "OPENSSL_FIX_VERSION = ${OPENSSL_FIX_VERSION}") - INCLUDE(CheckSymbolExists) - CMAKE_PUSH_CHECK_STATE() SET(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR}) CHECK_SYMBOL_EXISTS(SHA512_DIGEST_LENGTH "openssl/sha.h" diff --git a/mysys/my_md5.cc b/mysys/my_md5.cc index 86203619f..37ed3c8b2 100644 --- a/mysys/my_md5.cc +++ b/mysys/my_md5.cc @@ -56,7 +56,9 @@ static void my_md5_hash(unsigned char *digest, unsigned const char *buf, int compute_md5_hash(char *digest, const char *buf, int len) { int retval = 0; int fips_mode = 0; +#if defined(OPENSSL_FIPS) fips_mode = FIPS_mode(); +#endif /* If fips mode is ON/STRICT restricted method calls will result into abort, * skipping call. */ if (fips_mode == 0) { diff --git a/plugin/group_replication/libmysqlgcs/src/bindings/xcom/xcom/xcom_ssl_transport.cc b/plugin/group_replication/libmysqlgcs/src/bindings/xcom/xcom/xcom_ssl_transport.cc index 4ed9f9ac9..895443166 100644 --- a/plugin/group_replication/libmysqlgcs/src/bindings/xcom/xcom/xcom_ssl_transport.cc +++ b/plugin/group_replication/libmysqlgcs/src/bindings/xcom/xcom/xcom_ssl_transport.cc @@ -325,6 +325,7 @@ error: return 1; } +#if defined(OPENSSL_FIPS) #define OPENSSL_ERROR_LENGTH 512 static int configure_ssl_fips_mode(const uint fips_mode) { int rc = -1; @@ -348,6 +349,7 @@ static int configure_ssl_fips_mode(const uint fips_mode) { EXIT: return rc; } +#endif static int configure_ssl_ca(SSL_CTX *ssl_ctx, const char *ca_file, const char *ca_path) { @@ -544,10 +546,12 @@ int xcom_init_ssl(const char *server_key_file, const char *server_cert_file, int verify_server = SSL_VERIFY_NONE; int verify_client = SSL_VERIFY_NONE; +#if defined(OPENSSL_FIPS) if (configure_ssl_fips_mode(ssl_fips_mode) != 1) { G_ERROR("Error setting the ssl fips mode"); goto error; } +#endif SSL_library_init(); SSL_load_error_strings(); diff --git a/plugin/x/client/xconnection_impl.cc b/plugin/x/client/xconnection_impl.cc index c1686c6d5..3ae34fdfd 100644 --- a/plugin/x/client/xconnection_impl.cc +++ b/plugin/x/client/xconnection_impl.cc @@ -617,6 +617,7 @@ XError Connection_impl::get_ssl_error(const int error_id) { return XError(CR_SSL_CONNECTION_ERROR, buffer); } +#if defined(OPENSSL_FIPS) /** Set fips mode in openssl library, When we set fips mode ON/STRICT, it will perform following operations: @@ -656,6 +657,7 @@ int set_fips_mode(const uint32_t fips_mode, EXIT: return rc; } +#endif XError Connection_impl::activate_tls() { if (nullptr == m_vio) return get_socket_error(SOCKET_ECONNRESET); @@ -666,12 +668,14 @@ XError Connection_impl::activate_tls() { if (!m_context->m_ssl_config.is_configured()) return XError{CR_SSL_CONNECTION_ERROR, ER_TEXT_TLS_NOT_CONFIGURATED, true}; +#if defined(OPENSSL_FIPS) char err_string[OPENSSL_ERROR_LENGTH] = {'\0'}; if (set_fips_mode( static_cast(m_context->m_ssl_config.m_ssl_fips_mode), err_string) != 1) { return XError{CR_SSL_CONNECTION_ERROR, err_string, true}; } +#endif auto ssl_ctx_flags = process_tls_version( details::null_when_empty(m_context->m_ssl_config.m_tls_version)); diff --git a/sql-common/client.cc b/sql-common/client.cc index 1316d54a7..554970378 100644 --- a/sql-common/client.cc +++ b/sql-common/client.cc @@ -8019,6 +8019,7 @@ int STDCALL mysql_options(MYSQL *mysql, enum mysql_option option, return 1; break; case MYSQL_OPT_SSL_FIPS_MODE: { +#if defined(OPENSSL_FIPS) char ssl_err_string[OPENSSL_ERROR_LENGTH] = {'\0'}; ENSURE_EXTENSIONS_PRESENT(&mysql->options); mysql->options.extension->ssl_fips_mode = *static_cast(arg); @@ -8030,6 +8031,7 @@ int STDCALL mysql_options(MYSQL *mysql, enum mysql_option option, "Set Fips mode ON/STRICT failed, detail: '%s'.", ssl_err_string); return 1; } +#endif } break; case MYSQL_OPT_SSL_MODE: ENSURE_EXTENSIONS_PRESENT(&mysql->options); diff --git a/sql/mysqld.cc b/sql/mysqld.cc index 83643f76a..dfdc23ab7 100644 --- a/sql/mysqld.cc +++ b/sql/mysqld.cc @@ -5134,12 +5134,14 @@ static void init_ssl() { } static int init_ssl_communication() { +#if defined(OPENSSL_FIPS) char ssl_err_string[OPENSSL_ERROR_LENGTH] = {'\0'}; int ret_fips_mode = set_fips_mode(opt_ssl_fips_mode, ssl_err_string); if (ret_fips_mode != 1) { LogErr(ERROR_LEVEL, ER_SSL_FIPS_MODE_ERROR, ssl_err_string); return 1; } +#endif if (TLS_channel::singleton_init(&mysql_main, mysql_main_channel, opt_use_ssl, &server_main_callback, opt_initialize)) return 1; diff --git a/sql/sys_vars.cc b/sql/sys_vars.cc index 3b8473bd1..c22c38305 100644 --- a/sql/sys_vars.cc +++ b/sql/sys_vars.cc @@ -4614,6 +4614,7 @@ static Sys_var_ulong Sys_max_execution_time( HINT_UPDATEABLE SESSION_VAR(max_execution_time), CMD_LINE(REQUIRED_ARG), VALID_RANGE(0, ULONG_MAX), DEFAULT(0), BLOCK_SIZE(1)); +#if defined(OPENSSL_FIPS) static bool update_fips_mode(sys_var *, THD *, enum_var_type) { char ssl_err_string[OPENSSL_ERROR_LENGTH] = {'\0'}; if (set_fips_mode(opt_ssl_fips_mode, ssl_err_string) != 1) { @@ -4624,15 +4625,30 @@ static bool update_fips_mode(sys_var *, THD *, enum_var_type) { return false; } } +#endif +#if defined(OPENSSL_FIPS) static const char *ssl_fips_mode_names[] = {"OFF", "ON", "STRICT", nullptr}; +#else +static const char *ssl_fips_mode_names[] = {"OFF", 0}; +#endif static Sys_var_enum Sys_ssl_fips_mode( "ssl_fips_mode", "SSL FIPS mode (applies only for OpenSSL); " +#if defined(OPENSSL_FIPS) "permitted values are: OFF, ON, STRICT", +#else + "permitted values are: OFF", +#endif GLOBAL_VAR(opt_ssl_fips_mode), CMD_LINE(REQUIRED_ARG, OPT_SSL_FIPS_MODE), ssl_fips_mode_names, DEFAULT(0), NO_MUTEX_GUARD, NOT_IN_BINLOG, - ON_CHECK(nullptr), ON_UPDATE(update_fips_mode), nullptr); + ON_CHECK(NULL), +#if defined(OPENSSL_FIPS) + ON_UPDATE(update_fips_mode), +#else + ON_UPDATE(NULL), +#endif + NULL); static Sys_var_bool Sys_auto_generate_certs( "auto_generate_certs", diff --git a/vio/viosslfactories.cc b/vio/viosslfactories.cc index c25117bd0..11b466bcf 100644 --- a/vio/viosslfactories.cc +++ b/vio/viosslfactories.cc @@ -472,6 +472,7 @@ void ssl_start() { } } +#if defined(OPENSSL_FIPS) /** Set fips mode in openssl library, When we set fips mode ON/STRICT, it will perform following operations: @@ -525,6 +526,7 @@ EXIT: @returns openssl current fips mode */ uint get_fips_mode() { return FIPS_mode(); } +#endif long process_tls_version(const char *tls_version) { const char *separator = ","; -- 2.32.0