MDEV-28133: Backport OpenSSL compatibility to 10.6 branch #2036
Conversation
Now that we have Ubuntu-22.04 builders I've retriggered the tarball builder which hopefully retests on all..
This reverts commit c9beef4, because we have OpenSSL 3.0 support here.
Summary of changes
- MD_CTX_SIZE is increased
- EVP_CIPHER_CTX_buf_noconst(ctx) does not work anymore, points to nobody knows where. The assumption made previously (since the function does not seem to be documented) was that it points to the last partial source block. Add own partial block buffer for NOPAD encryption instead
- SECLEVEL in CipherString in openssl.cnf had been downgraded to 0, from 1, to make TLSv1.0 and TLSv1.1 possible
- Workaround Ssl_cipher_list issue, it now returns TLSv1.3 ciphers, in addition to what was set in --ssl-cipher
- ctx_buf buffer now must be aligned to 16 bytes with openssl (previously with WolfSSL only), or crashes will happen
- updated aes-t, to be better debuggable using function, rather than a huge multiline macro
- added test that does "nopad" encryption piece-wise, to test replacement of EVP_CIPHER_CTX_buf_noconst
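The partial-block buffering that this commit describes as the replacement for EVP_CIPHER_CTX_buf_noconst, as an added example that is not part of the PR or of MariaDB's code: the caller keeps its own 16-byte-aligned partial block, only whole blocks go to the cipher, and a NOPAD final with a remainder is an error. The block cipher is a hypothetical CBC-chained XOR stand-in so the example runs without OpenSSL; nopad_ctx, nopad_update and nopad_final are invented names.

```c
#include <stdint.h>
#include <string.h>
#define BLK 16
/* Hypothetical stand-in for a block cipher (CBC-chained XOR with the key); NOT a real
   cipher, the point is the partial-block buffering OpenSSL 3.0 no longer exposes. */
typedef struct {
    uint8_t key[BLK];
    uint8_t iv[BLK];                    /* running CBC chain value */
    _Alignas(16) uint8_t partial[BLK];  /* own partial-block buffer, 16-byte aligned */
    size_t partial_len;
} nopad_ctx;

static void encrypt_block(nopad_ctx *c, const uint8_t *in, uint8_t *out) {
    for (int i = 0; i < BLK; i++) out[i] = in[i] ^ c->iv[i] ^ c->key[i];
    memcpy(c->iv, out, BLK);            /* chain into the next block */
}
void nopad_init(nopad_ctx *c, const uint8_t key[BLK], const uint8_t iv[BLK]) {
    memcpy(c->key, key, BLK); memcpy(c->iv, iv, BLK); c->partial_len = 0;
}
/* Consume len bytes, emit whole blocks only; returns bytes written to out. */
size_t nopad_update(nopad_ctx *c, const uint8_t *in, size_t len, uint8_t *out) {
    size_t written = 0;
    if (c->partial_len) {               /* first top up the buffered partial block */
        size_t take = BLK - c->partial_len; if (take > len) take = len;
        memcpy(c->partial + c->partial_len, in, take);
        c->partial_len += take; in += take; len -= take;
        if (c->partial_len < BLK) return 0;
        encrypt_block(c, c->partial, out); out += BLK; written = BLK; c->partial_len = 0;
    }
    for (; len >= BLK; in += BLK, out += BLK, len -= BLK, written += BLK) encrypt_block(c, in, out);
    memcpy(c->partial, in, len); c->partial_len = len;   /* stash the remainder */
    return written;
}
/* NOPAD mode: a trailing partial block is an error and nothing is emitted. */
int nopad_final(const nopad_ctx *c) { return c->partial_len == 0 ? 0 : -1; }

/* Constructed check: 48 bytes encrypted in one call vs. in chunks of 5, 7 and 36. */
int piecewise_matches_oneshot(void) {
    uint8_t key[BLK], iv[BLK], msg[48], one[48], pw[48];
    for (int i = 0; i < BLK; i++) { key[i] = (uint8_t)(i * 7); iv[i] = (uint8_t)(0xA0 + i); }
    for (int i = 0; i < 48; i++) msg[i] = (uint8_t)i;
    nopad_ctx a, b; nopad_init(&a, key, iv); nopad_init(&b, key, iv);
    size_t n = nopad_update(&a, msg, 48, one), m = nopad_update(&b, msg, 5, pw);
    m += nopad_update(&b, msg + 5, 7, pw + m); m += nopad_update(&b, msg + 12, 36, pw + m);
    return n == 48 && m == 48 && !nopad_final(&a) && !nopad_final(&b) && !memcmp(one, pw, 48);
}
/* Constructed check: 20 bytes leave a 4-byte remainder that NOPAD final must reject. */
int final_rejects_leftover(void) {
    uint8_t key[BLK] = {1}, iv[BLK] = {2}, msg[20] = {0}, out[32];
    nopad_ctx c; nopad_init(&c, key, iv);
    return nopad_update(&c, msg, 20, out) == 16 && nopad_final(&c) == -1;
}
```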
Rebased on latest 10.6. This has worked fine in Debian with zero build issues or bug reports for users.
Thanks for the idea. The corresponding commits (and 2 more, addressing FIPS compatibility, and issues with OpenSSL 3.0.3) are now backported to 10.9.
For the record and for the sake of keeping a paper trail of what happened, this PR was closed after @vaintroub merged into 10.6 the following commits on May 23rd: Hence the Fedora/Debian patches for MariaDB 10.6 can be dropped when importing MariaDB 10.6.9.
This issue came up for me again today, since Ubuntu 21.10 is already EOL and so its http://archive.ubuntu.com/ubuntu/pool/main/libu/liburing/liburing1_0.7-3ubuntu3_amd64.deb no longer exists for download. Therefore nowadays only the Ubuntu 22.04 upstream repo and its mariadb-server-10.6 can be installed under Ubuntu 22.04, but there is no 10.7+ installation option from the MariaDB repo. I understand that this ticket is closed, but is there any official release schedule for 10.6.9 and so on?
Very soon, listed for tomorrow. But do allow a few days as we do go for quality rather than 100% schedule accuracy. Or there are 10.7 (focal based - so no liburing) and 10.8 (jammy base image) containers now.
Thank you very much, but referring to https://jira.mariadb.org/browse/MDEV-28397?focusedCommentId=222217&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-222217, my current use case is looking for standard deb/rpm packages for use in an Ansible Role, so container-based options look unsuitable ;-)
If you have the opportunity to test https://ci.mariadb.org/27057/amd64-ubuntu-2204-deb-autobake/ as a repo line, that would be appreciated. I regret not examining/retesting MDEV-25633 today.
These will be in 10.6.9. See MariaDB/server#2036
Add .gitlab-ci.yml file to earliest supported branch to enable automated building and testing for all MariaDB major branches. OpenSSL 3.0 support was introduced in MariaDB 10.6 (see MariaDB#2036) so for 10.3/4/5 we need to use older Fedora image that still has OpenSSL 1.1. All new code of the whole pull request, including one or several files that are either new files or modified ones, are contributed under the BSD-new license. I am contributing on behalf of my employer Amazon Web Services, Inc.
Add .gitlab-ci.yml file to earliest supported branch to enable automated building and testing for all MariaDB major branches. For 10.3/4 we use the bundled SSL to build MariaDB when the platform does not have OpenSSL 1.1 available. This requires the installation of gnutls-devel as a dependency of MariaDB Connector/C. OpenSSL 3.0 support was backported to MariaDB 10.5 (see MariaDB#2036, f0fa40e, 8a9c1e9) All new code of the whole pull request, including one or several files that are either new files or modified ones, are contributed under the BSD-new license. I am contributing on behalf of my employer Amazon Web Services, Inc.
Add .gitlab-ci.yml file to earliest supported branch to enable automated building and testing for all MariaDB major branches. For 10.4 we use the bundled SSL to build MariaDB when the platform does not have OpenSSL 1.1 available. This requires the installation of gnutls-devel as a dependency of MariaDB Connector/C. OpenSSL 3.0 support was backported to MariaDB 10.5 (see MariaDB#2036, f0fa40e, 8a9c1e9) All new code of the whole pull request, including one or several files that are either new files or modified ones, are contributed under the BSD-new license. I am contributing on behalf of my employer Amazon Web Services, Inc.
Remove the OpenSSL 3.0 patches that all got merged upstream in MariaDB#2036. In addition to documenting CVEs for 10.6.9, also extend the list in 10.6.8 based on new known CVEs and indent the list correctly.
Description
Backport OpenSSL 3.0 compatibility changes to MariaDB 10.6. The commit is originally from c80991c but with minor changes used by CentOS in https://gitlab.com/redhat/centos-stream/rpms/mariadb/-/blob/c9s/mariadb-openssl3.patch and by Debian (and Ubuntu 22.04) in https://salsa.debian.org/mariadb-team/mariadb-server/-/commit/fb0e74d0ec197dd831f7608762234f71f96ffc89
Having this also applied upstream will make upstream aligned with the most important downstreams (Debian based distros and Red Hat based distros).
Basing the PR against the correct MariaDB version
Backward compatibility
This does not introduce any new build dependencies. For systems with an older libssl-dev, MariaDB will continue to compile and use the older OpenSSL. However, if the system has the new OpenSSL 3.0 library available, MariaDB will compile and use OpenSSL 3.0.