From 7961393dd45e4ad1cdc7544b4bba2e98a5d2760c Mon Sep 17 00:00:00 2001 From: eroen Date: Fri, 20 Jan 2017 14:43:53 +0100 Subject: [PATCH] Don't use deprecated API with openssl 1.1 If openssl 1.1.0 is built with `--api=1.1 disable-deprecated`, using deprecated APIs causes build errors. X-Gentoo-Bug: 606600 X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=606600 --- mysys_ssl/my_aes_openssl.cc | 54 ++++++++++++++++++++++++++++++++------------- sql-common/client.c | 16 ++++++++++++-- vio/viossl.c | 8 +++++++ vio/viosslfactories.c | 23 +++++++++++++++++++ 4 files changed, 84 insertions(+), 17 deletions(-) diff --git a/mysys_ssl/my_aes_openssl.cc b/mysys_ssl/my_aes_openssl.cc index 261ba8a..59a95e3 100644 --- a/mysys_ssl/my_aes_openssl.cc +++ b/mysys_ssl/my_aes_openssl.cc @@ -22,6 +22,12 @@ Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */ #include #include #include +#include + +#if (defined LIBRESSL_VERSION_NUMBER && OPENSSL_VERSION_NUMBER == 0x20000000L) +#undef OPENSSL_VERSION_NUMBER +#define OPENSSL_VERSION_NUMBER 0x1000107fL +#endif /* xplugin needs BIO_new_bio_pair, but the server does not. @@ -122,7 +128,7 @@ int my_aes_encrypt(const unsigned char *source, uint32 source_length, enum my_aes_opmode mode, const unsigned char *iv, bool padding) { - EVP_CIPHER_CTX ctx; + EVP_CIPHER_CTX *ctx; const EVP_CIPHER *cipher= aes_evp_type(mode); int u_len, f_len; /* The real key to be used for encryption */ @@ -132,23 +138,31 @@ int my_aes_encrypt(const unsigned char *source, uint32 source_length, if (!cipher || (EVP_CIPHER_iv_length(cipher) > 0 && !iv)) return MY_AES_BAD_DATA; - if (!EVP_EncryptInit(&ctx, cipher, rkey, iv)) + if (!EVP_EncryptInit(ctx, cipher, rkey, iv)) goto aes_error; /* Error */ - if (!EVP_CIPHER_CTX_set_padding(&ctx, padding)) + if (!EVP_CIPHER_CTX_set_padding(ctx, padding)) goto aes_error; /* Error */ - if (!EVP_EncryptUpdate(&ctx, dest, &u_len, source, source_length)) + if (!EVP_EncryptUpdate(ctx, dest, &u_len, source, source_length)) goto aes_error; /* Error */ - if (!EVP_EncryptFinal(&ctx, dest + u_len, &f_len)) + if (!EVP_EncryptFinal(ctx, dest + u_len, &f_len)) goto aes_error; /* Error */ - EVP_CIPHER_CTX_cleanup(&ctx); +#if OPENSSL_VERSION_NUMBER < 0x10100000L + EVP_CIPHER_CTX_cleanup(ctx); +#else + EVP_CIPHER_CTX_free(ctx); +#endif return u_len + f_len; aes_error: /* need to explicitly clean up the error if we want to ignore it */ ERR_clear_error(); - EVP_CIPHER_CTX_cleanup(&ctx); +#if OPENSSL_VERSION_NUMBER < 0x10100000L + EVP_CIPHER_CTX_cleanup(ctx); +#else + EVP_CIPHER_CTX_free(ctx); +#endif return MY_AES_BAD_DATA; } @@ -159,7 +173,7 @@ int my_aes_decrypt(const unsigned char *source, uint32 source_length, bool padding) { - EVP_CIPHER_CTX ctx; + EVP_CIPHER_CTX *ctx; const EVP_CIPHER *cipher= aes_evp_type(mode); int u_len, f_len; @@ -170,24 +184,34 @@ int my_aes_decrypt(const unsigned char *source, uint32 source_length, if (!cipher || (EVP_CIPHER_iv_length(cipher) > 0 && !iv)) return MY_AES_BAD_DATA; - EVP_CIPHER_CTX_init(&ctx); +#if OPENSSL_VERSION_NUMBER < 0x10100000L + EVP_CIPHER_CTX_init(ctx); +#endif - if (!EVP_DecryptInit(&ctx, aes_evp_type(mode), rkey, iv)) + if (!EVP_DecryptInit(ctx, aes_evp_type(mode), rkey, iv)) goto aes_error; /* Error */ - if (!EVP_CIPHER_CTX_set_padding(&ctx, padding)) + if (!EVP_CIPHER_CTX_set_padding(ctx, padding)) goto aes_error; /* Error */ - if (!EVP_DecryptUpdate(&ctx, dest, &u_len, source, source_length)) + if (!EVP_DecryptUpdate(ctx, dest, &u_len, source, source_length)) goto aes_error; /* Error */ - if (!EVP_DecryptFinal_ex(&ctx, dest + u_len, &f_len)) + if (!EVP_DecryptFinal_ex(ctx, dest + u_len, &f_len)) goto aes_error; /* Error */ - EVP_CIPHER_CTX_cleanup(&ctx); +#if OPENSSL_VERSION_NUMBER < 0x10100000L + EVP_CIPHER_CTX_cleanup(ctx); +#else + EVP_CIPHER_CTX_free(ctx); +#endif return u_len + f_len; aes_error: /* need to explicitly clean up the error if we want to ignore it */ ERR_clear_error(); - EVP_CIPHER_CTX_cleanup(&ctx); +#if OPENSSL_VERSION_NUMBER < 0x10100000L + EVP_CIPHER_CTX_cleanup(ctx); +#else + EVP_CIPHER_CTX_free(ctx); +#endif return MY_AES_BAD_DATA; } diff --git a/sql-common/client.c b/sql-common/client.c index 9e88e9f..fe7daf7 100644 --- a/sql-common/client.c +++ b/sql-common/client.c @@ -86,6 +86,14 @@ my_bool net_flush(NET *net); # include #endif +#ifdef HAVE_OPENSSL +#include +#if (defined LIBRESSL_VERSION_NUMBER && OPENSSL_VERSION_NUMBER == 0x20000000L) +#undef OPENSSL_VERSION_NUMBER +#define OPENSSL_VERSION_NUMBER 0x1000107fL +#endif +#endif + #ifndef _WIN32 #include #define SOCKET_ERROR -1 @@ -2685,7 +2693,7 @@ static int ssl_verify_server_cert(Vio *vio, const char* server_hostname, const c { SSL *ssl; X509 *server_cert= NULL; - char *cn= NULL; + const char *cn= NULL; int cn_loc= -1; ASN1_STRING *cn_asn1= NULL; X509_NAME_ENTRY *cn_entry= NULL; @@ -2757,7 +2765,11 @@ static int ssl_verify_server_cert(Vio *vio, const char* server_hostname, const c goto error; } - cn= (char *) ASN1_STRING_data(cn_asn1); +#if OPENSSL_VERSION_NUMBER < 0x10100000L + cn= (const char *) ASN1_STRING_data(cn_asn1); +#else + cn= (const char *) ASN1_STRING_get0_data(cn_asn1); +#endif // There should not be any NULL embedded in the CN if ((size_t)ASN1_STRING_length(cn_asn1) != strlen(cn)) diff --git a/vio/viossl.c b/vio/viossl.c index 5622cb7..94b0f09 100644 --- a/vio/viossl.c +++ b/vio/viossl.c @@ -24,6 +24,12 @@ #ifdef HAVE_OPENSSL +#include +#if (defined LIBRESSL_VERSION_NUMBER && OPENSSL_VERSION_NUMBER == 0x20000000L) +#undef OPENSSL_VERSION_NUMBER +#define OPENSSL_VERSION_NUMBER 0x1000107fL +#endif + #ifndef DBUG_OFF static void @@ -310,8 +316,10 @@ void vio_ssl_delete(Vio *vio) } #ifndef HAVE_YASSL +#if OPENSSL_VERSION_NUMBER < 0x10100000L ERR_remove_thread_state(0); #endif +#endif vio_delete(vio); } @@ -427,7 +427,12 @@ for (j = 0; j < n; j++) { SSL_COMP *c = sk_SSL_COMP_value(ssl_comp_methods, j); +#if OPENSSL_VERSION_NUMBER < 0x10100000L DBUG_PRINT("info", (" %d: %s\n", c->id, c->name)); +#else /* OPENSSL_VERSION_NUMBER < 0x10100000L */ + DBUG_PRINT("info", + (" %d: %s\n", SSL_COMP_get_id(c), SSL_COMP_get0_name(c))); +#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */ } } #endif diff --git a/vio/viosslfactories.c b/vio/viosslfactories.c index da5449a..87b30c3 100644 --- a/vio/viosslfactories.c +++ b/vio/viosslfactories.c @@ -16,6 +16,14 @@ #include "vio_priv.h" #ifdef HAVE_OPENSSL +#include +#include +#include + +#if (defined LIBRESSL_VERSION_NUMBER && OPENSSL_VERSION_NUMBER == 0x20000000L) +#undef OPENSSL_VERSION_NUMBER +#define OPENSSL_VERSION_NUMBER 0x1000107fL +#endif #define TLS_VERSION_OPTION_SIZE 256 #define SSL_CIPHER_LIST_SIZE 4096 @@ -121,10 +129,18 @@ static DH *get_dh2048(void) DH *dh; if ((dh=DH_new())) { +#if OPENSSL_VERSION_NUMBER < 0x10100000L dh->p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL); dh->g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL); if (! dh->p || ! dh->g) { +#else + if (! DH_set0_pqg(dh, + BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL), + NULL, + BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL))) + { +#endif DH_free(dh); dh=0; } @@ -247,6 +263,8 @@ typedef struct CRYPTO_dynlock_value } openssl_lock_t; +#if OPENSSL_VERSION_NUMBER < 0x10100000L + /* Array of locks used by openssl internally for thread synchronization. The number of locks is equal to CRYPTO_num_locks. */ @@ -389,9 +407,11 @@ static void deinit_lock_callback_functions() { set_lock_callback_functions(FALSE); } +#endif void vio_ssl_end() { +#if OPENSSL_VERSION_NUMBER < 0x10100000L int i= 0; if (ssl_initialized) { @@ -409,6 +429,7 @@ void vio_ssl_end() ssl_initialized= FALSE; } +#endif } #endif //OpenSSL specific @@ -419,6 +440,7 @@ void ssl_start() { ssl_initialized= TRUE; +#if OPENSSL_VERSION_NUMBER < 0x10100000L SSL_library_init(); OpenSSL_add_all_algorithms(); SSL_load_error_strings(); @@ -427,6 +449,7 @@ void ssl_start() init_ssl_locks(); init_lock_callback_functions(); #endif +#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */ } } -- 2.11.0