MDEV-10332 support for OpenSSL 1.1 and LibreSSL

post-review fixes:
* move all ssl implementation related ifdefs/defines to one file
  (ssl_compat.h)
* work around OpenSSL-1.1 desire to malloc every EVP context by
  run-time checking that context allocated on the stack is big enough
  (openssl.c)
* use newer version of the AWS SDK for OpenSSL 1.1
* use get_dh2048() function as generated by openssl 1.1
  (viosslfactories.c)

include/my_crypt.h

@@ -21,19 +21,4 @@
 #include <my_config.h> /* HAVE_EncryptAes128{Ctr,Gcm} */
 #include <mysql/service_my_crypt.h>
 
-/* OpenSSL version specific definitions */
-#if !defined(HAVE_YASSL) && defined(OPENSSL_VERSION_NUMBER)
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
-#define ERR_remove_state(X)
-#else
-#define EVP_CIPHER_CTX_reset(X) EVP_CIPHER_CTX_cleanup(X)
-#define RAND_OpenSSL() RAND_SSLeay();
-#if defined(HAVE_ERR_remove_thread_state)
-#define ERR_remove_state(X) ERR_remove_thread_state(NULL)
-#endif
-#endif
-#elif defined(HAVE_YASSL)
-#define EVP_CIPHER_CTX_reset(X) EVP_CIPHER_CTX_cleanup(X)
-#endif /* !defined(HAVE_YASSL) */
-
 #endif /* MY_CRYPT_INCLUDED */

include/ssl_compat.h

@@ -0,0 +1,75 @@
+/*
+ Copyright (c) 2016, 2017 MariaDB Corporation
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; version 2 of the License.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301  USA */
+
+#include <openssl/opensslv.h>
+
+/* OpenSSL version specific definitions */
+#if !defined(HAVE_YASSL) && defined(OPENSSL_VERSION_NUMBER)
+
+#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
+#define HAVE_X509_check_host 1
+#endif
+
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+#define HAVE_OPENSSL11 1
+#define ERR_remove_state(X) ERR_clear_error()
+#define EVP_MD_CTX_cleanup(X) EVP_MD_CTX_reset(X)
+#define EVP_CIPHER_CTX_SIZE 168
+#define EVP_MD_CTX_SIZE 48
+#undef EVP_MD_CTX_init
+#define EVP_MD_CTX_init(X) do { bzero((X), EVP_MD_CTX_SIZE); EVP_MD_CTX_reset(X); } while(0)
+#undef EVP_CIPHER_CTX_init
+#define EVP_CIPHER_CTX_init(X) do { bzero((X), EVP_CIPHER_CTX_SIZE); EVP_CIPHER_CTX_reset(X); } while(0)
+
+#else
+#define HAVE_OPENSSL10 1
+/*
+  Unfortunately RAND_bytes manual page does not provide any guarantees
+  in relation to blocking behavior. Here we explicitly use SSLeay random
+  instead of whatever random engine is currently set in OpenSSL. That way
+  we are guaranteed to have a non-blocking random.
+*/
+#define RAND_OpenSSL() RAND_SSLeay()
+
+#ifdef HAVE_ERR_remove_thread_state
+#define ERR_remove_state(X) ERR_remove_thread_state(NULL)
+#endif /* HAVE_ERR_remove_thread_state */
+
+#endif /* HAVE_OPENSSL11 */
+
+#elif defined(HAVE_YASSL)
+#define BN_free(X) do { } while(0)
+#endif /* !defined(HAVE_YASSL) */
+
+#ifndef HAVE_OPENSSL11
+#define ASN1_STRING_get0_data(X)        ASN1_STRING_data(X)
+#define OPENSSL_init_ssl(X,Y)           SSL_library_init()
+#define DH_set0_pqg(D,P,Q,G)            ((D)->p= (P), (D)->g= (G))
+#define EVP_CIPHER_CTX_buf_noconst(ctx) ((ctx)->buf)
+#define EVP_CIPHER_CTX_encrypting(ctx)  ((ctx)->encrypt)
+#define EVP_CIPHER_CTX_SIZE             sizeof(EVP_CIPHER_CTX)
+#define EVP_MD_CTX_SIZE                 sizeof(EVP_MD_CTX)
+#endif
+
+#ifdef	__cplusplus
+extern "C" {
+#endif /* __cplusplus */
+
+int check_openssl_compatibility();
+
+#ifdef	__cplusplus
+}
+#endif

include/violite.h

@@ -123,13 +123,6 @@ int vio_getnameinfo(const struct sockaddr *sa,
                     int flags);
 
 #ifdef HAVE_OPENSSL
-#include <openssl/opensslv.h>
-#if OPENSSL_VERSION_NUMBER < 0x0090700f
-#define DES_cblock des_cblock
-#define DES_key_schedule des_key_schedule
-#define DES_set_key_unchecked(k,ks) des_set_key_unchecked((k),*(ks))
-#define DES_ede3_cbc_encrypt(i,o,l,k1,k2,k3,iv,e) des_ede3_cbc_encrypt((i),(o),(l),*(k1),*(k2),*(k3),(iv),(e))
-#endif
 /* apple deprecated openssl in MacOSX Lion */
 #ifdef __APPLE__
 #pragma GCC diagnostic ignored "-Wdeprecated-declarations"
@@ -146,11 +139,6 @@ typedef my_socket YASSL_SOCKET_T;
 #include <openssl/ssl.h>
 #include <openssl/err.h>
 
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
-#define ERR_remove_state(X)
-#elif defined(HAVE_ERR_remove_thread_state)
-#define ERR_remove_state(X) ERR_remove_thread_state(NULL)
-#endif
 enum enum_ssl_init_error
 {
   SSL_INITERR_NOERROR= 0, SSL_INITERR_CERT, SSL_INITERR_KEY,

mysql-test/mysql-test-run.pl

@@ -2279,7 +2279,7 @@ sub environment_setup {
   $ENV{'MYSQL_PLUGIN'}=             $exe_mysql_plugin;
   $ENV{'MYSQL_EMBEDDED'}=           $exe_mysql_embedded;
 
-  my $client_config_exe= 
+  my $client_config_exe=
     native_path("$bindir/libmariadb/mariadb_config$opt_vs_config/mariadb_config");
   my $tls_info= `$client_config_exe --tlsinfo`;
   ($ENV{CLIENT_TLS_LIBRARY},$ENV{CLIENT_TLS_LIBRARY_VERSION})=

mysql-test/t/openssl_6975.test

@@ -19,9 +19,8 @@ let $mysql=$MYSQL --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$
 disable_abort_on_error;
 echo TLS1.2 ciphers: user is ok with any cipher;
 exec $mysql                  --ssl-cipher=AES128-SHA256;
---replace_result DHE-RSA-CHACHA20-POLY1305 DHE-RSA-AES256-GCM-SHA384
---replace_result ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384
-exec $mysql                  --ssl-cipher=TLSv1.2
+--replace_result DHE-RSA-CHACHA20-POLY1305 DHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384
+exec $mysql                  --ssl-cipher=TLSv1.2;
 echo TLS1.2 ciphers: user requires SSLv3 cipher AES128-SHA;
 exec $mysql --user ssl_sslv3 --ssl-cipher=AES128-SHA256;
 exec $mysql --user ssl_sslv3 --ssl-cipher=TLSv1.2;
@@ -31,7 +30,7 @@ exec $mysql --user ssl_tls12 --ssl-cipher=TLSv1.2;
 
 echo SSLv3 ciphers: user is ok with any cipher;
 exec $mysql                  --ssl-cipher=AES256-SHA;
-exec $mysql                  --ssl-cipher=DHE-RSA-AES256-SHA
+exec $mysql                  --ssl-cipher=SSLv3;
 echo SSLv3 ciphers: user requires SSLv3 cipher AES128-SHA;
 exec $mysql --user ssl_sslv3 --ssl-cipher=AES128-SHA;
 exec $mysql --user ssl_sslv3 --ssl-cipher=SSLv3;

mysql-test/t/ssl_8k_key.test

@@ -1,6 +1,5 @@
-# This test should work in embedded server after we fix mysqltest
--- source include/require_openssl_client.inc
--- source include/not_embedded.inc
+# schannel does not support keys longer than 4k
+-- source include/not_windows.inc
 
 -- source include/have_ssl_communication.inc
 #

mysys_ssl/CMakeLists.txt

@@ -28,6 +28,7 @@ SET(MYSYS_SSL_HIDDEN_SOURCES
     my_sha384.cc
     my_sha512.cc
     my_md5.cc
+    openssl.c
    )
 
 SET(MYSYS_SSL_SOURCES

mysys_ssl/my_crypt.cc

@@ -1,6 +1,6 @@
 /*
  Copyright (c) 2014 Google Inc.
- Copyright (c) 2014, 2015 MariaDB Corporation
+ Copyright (c) 2014, 2017 MariaDB Corporation
 
  This program is free software; you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by
@@ -21,30 +21,31 @@
 #ifdef HAVE_YASSL
 #include "yassl.cc"
 #else
-
 #include <openssl/evp.h>
 #include <openssl/aes.h>
 #include <openssl/err.h>
 #include <openssl/rand.h>
-
 #endif
-#include <my_crypt.h>
 
-#define MY_CIPHER_CTX_SIZE 384
+#include <my_crypt.h>
+#include <ssl_compat.h>
 
 class MyCTX
 {
 public:
+  char ctx_buf[EVP_CIPHER_CTX_SIZE];
   EVP_CIPHER_CTX *ctx;
-  const uchar *key;
-  unsigned int klen;
-  MyCTX() {
-            ctx= EVP_CIPHER_CTX_new();
-          }
-  virtual ~MyCTX() {
-                     EVP_CIPHER_CTX_free(ctx);
-                     ERR_remove_state(0);
-                    }
+
+  MyCTX()
+  {
+    ctx= (EVP_CIPHER_CTX *)ctx_buf;
+    EVP_CIPHER_CTX_init(ctx);
+  }
+  virtual ~MyCTX()
+  {
+    EVP_CIPHER_CTX_cleanup(ctx);
+    ERR_remove_state(0);
+  }
 
   virtual int init(const EVP_CIPHER *cipher, int encrypt, const uchar *key,
                    uint klen, const uchar *iv, uint ivlen)
@@ -78,9 +79,12 @@ class MyCTX
 class MyCTX_nopad : public MyCTX
 {
 public:
+  const uchar *key;
+  uint klen, buf_len;
+  uchar oiv[MY_AES_BLOCK_SIZE];
+
   MyCTX_nopad() : MyCTX() { }
   ~MyCTX_nopad() { }
-  unsigned int buf_len;
 
   int init(const EVP_CIPHER *cipher, int encrypt, const uchar *key, uint klen,
            const uchar *iv, uint ivlen)
@@ -89,19 +93,8 @@ class MyCTX_nopad : public MyCTX
     this->key= key;
     this->klen= klen;
     this->buf_len= 0;
-    /* FIX-ME:
-       For the sake of backward compatibility we do some strange hack here:
-       Since ECB doesn't need an IV (and therefore is considered kind of
-       insecure) we need to store the specified iv.
-       The last nonpadding block will be encrypted with an additional
-       expensive crypt_call in ctr mode instead
-       of encrypting the entire plain text in ctr-mode */
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
-    const unsigned char *oiv= EVP_CIPHER_CTX_original_iv(ctx);
-#else
-    const unsigned char *oiv= ctx->oiv;
-#endif
-    memcpy((char *)oiv, iv, ivlen);
+    memcpy(oiv, iv, ivlen);
+    DBUG_ASSERT(ivlen == 0 || ivlen == sizeof(oiv));
 
     int res= MyCTX::init(cipher, encrypt, key, klen, iv, ivlen);
 
@@ -111,34 +104,30 @@ class MyCTX_nopad : public MyCTX
 
   int update(const uchar *src, uint slen, uchar *dst, uint *dlen)
   {
-    buf_len= slen % MY_AES_BLOCK_SIZE;
+    buf_len+= slen;
     return MyCTX::update(src, slen, dst, dlen);
   }
 
   int finish(uchar *dst, uint *dlen)
   {
+    buf_len %= MY_AES_BLOCK_SIZE;
     if (buf_len)
     {
-      const uchar *org_iv;
-      unsigned char *buf;
+      uchar *buf= EVP_CIPHER_CTX_buf_noconst(ctx);
       /*
         Not much we can do, block ciphers cannot encrypt data that aren't
         a multiple of the block length. At least not without padding.
         Let's do something CTR-like for the last partial block.
+
+        NOTE this assumes that there are only buf_len bytes in the buf.
+        If OpenSSL will change that, we'll need to change the implementation
+        of this class too.
       */
       uchar mask[MY_AES_BLOCK_SIZE];
       uint mlen;
 
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
-      org_iv= EVP_CIPHER_CTX_original_iv(ctx);
-      buf= EVP_CIPHER_CTX_buf_noconst(ctx);
-#else
-      org_iv= ctx->oiv;
-      buf= ctx->buf;
-#endif
-
       my_aes_crypt(MY_AES_ECB, ENCRYPTION_FLAG_ENCRYPT | ENCRYPTION_FLAG_NOPAD,
-                   org_iv, sizeof(mask), mask, &mlen, key, klen, 0, 0);
+                   oiv, sizeof(mask), mask, &mlen, key, klen, 0, 0);
       DBUG_ASSERT(mlen == sizeof(mask));
 
       for (uint i=0; i < buf_len; i++)
@@ -178,9 +167,8 @@ make_aes_dispatcher(gcm)
 class MyCTX_gcm : public MyCTX
 {
 public:
-  const uchar *aad= NULL;
+  const uchar *aad;
   int aadlen;
-  my_bool encrypt;
   MyCTX_gcm() : MyCTX() { }
   ~MyCTX_gcm() { }
 
@@ -192,7 +180,6 @@ class MyCTX_gcm : public MyCTX
     int real_ivlen= EVP_CIPHER_CTX_iv_length(ctx);
     aad= iv + real_ivlen;
     aadlen= ivlen - real_ivlen;
-    this->encrypt= encrypt;
     return res;
   }
 
@@ -204,7 +191,7 @@ class MyCTX_gcm : public MyCTX
       before decrypting the data. it can encrypt data piecewise, like, first
       half, then the second half, but it must decrypt all at once
     */
-    if (!this->encrypt)
+    if (!EVP_CIPHER_CTX_encrypting(ctx))
     {
       /* encrypted string must contain authenticaton tag (see MDEV-11174) */
       if (slen < MY_AES_BLOCK_SIZE)
@@ -214,7 +201,7 @@ class MyCTX_gcm : public MyCTX
                               (void*)(src + slen)))
         return MY_AES_OPENSSL_ERROR;
     }
-    int unused= 0;
+    int unused;
     if (aadlen && !EVP_CipherUpdate(ctx, NULL, &unused, aad, aadlen))
       return MY_AES_OPENSSL_ERROR;
     aadlen= 0;
@@ -223,12 +210,12 @@ class MyCTX_gcm : public MyCTX
 
   int finish(uchar *dst, uint *dlen)
   {
-    int fin= 0;
+    int fin;
     if (!EVP_CipherFinal_ex(ctx, dst, &fin))
       return MY_AES_BAD_DATA;
     DBUG_ASSERT(fin == 0);
 
-    if (this->encrypt)
+    if (EVP_CIPHER_CTX_encrypting(ctx))
     {
       if(!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, MY_AES_BLOCK_SIZE, dst))
         return MY_AES_OPENSSL_ERROR;
@@ -298,20 +285,15 @@ int my_aes_crypt(enum my_aes_mode mode, int flags,
 {
   void *ctx= alloca(MY_AES_CTX_SIZE);
   int res1, res2;
-  uint d1= 0, d2= 0;
+  uint d1= 0, d2;
   if ((res1= my_aes_crypt_init(ctx, mode, flags, key, klen, iv, ivlen)))
     return res1;
   res1= my_aes_crypt_update(ctx, src, slen, dst, &d1);
   res2= my_aes_crypt_finish(ctx, dst + d1, &d2);
-  *dlen= d1 + d2;
-  /* in case of failure clear error queue */
-#ifndef HAVE_YASSL
-  /* since we don't check the crypto error messages we need to
-     clear the error queue - otherwise subsequent crypto or tls/ssl
-     calls will fail */
-  if (!*dlen)
-    ERR_clear_error();
-#endif
+  if (res1 || res2)
+    ERR_remove_state(0); /* in case of failure clear error queue */
+  else
+    *dlen= d1 + d2;
   return res1 ? res1 : res2;
 }
 
@@ -353,12 +335,6 @@ int my_random_bytes(uchar* buf, int num)
 
 int my_random_bytes(uchar *buf, int num)
 {
-  /*
-    Unfortunately RAND_bytes manual page does not provide any guarantees
-    in relation to blocking behavior. Here we explicitly use SSLeay random
-    instead of whatever random engine is currently set in OpenSSL. That way
-    we are guaranteed to have a non-blocking random.
-  */
   RAND_METHOD *rand = RAND_OpenSSL();
   if (rand == NULL || rand->bytes(buf, num) != 1)
     return MY_AES_OPENSSL_ERROR;