1
0
mirror of https://github.com/MariaDB/server.git synced 2025-10-24 07:13:33 +03:00
Commit Graph

29 Commits

Author SHA1 Message Date
Marko Mäkelä
26a14ee130 Merge 10.1 into 10.2 2019-05-13 17:54:04 +03:00
Vicențiu Ciorbaru
cb248f8806 Merge branch '5.5' into 10.1 2019-05-11 22:19:05 +03:00
Marko Mäkelä
fc168c3a5e MDEV-15587 AES test fails, segfaults in EVP_CipherInit_ex
When HAVE_YASSL is defined (due to cmake -DWITH_SSL=bundled
or otherwise), mysys_ssl/my_crypt.cc will #include "yassl.cc"
from the same directory.

When MariaDB 10.2 or later is compiled with GCC 8 and optimizations
are enabled, then the check
  if (iv)
in EVP_CipherInit_ex() can be wrongly optimized away.
The reason appears to be that __attribute__((nonnull)) is attached
to the variable iv, because there is a (no-op) call
memcpy(oiv, iv, ivlen=0) earlier in the code path.

It is possible that this started failing after the code was
refactored in MDEV-10332 (MariaDB 10.2.6). In MariaDB 10.1,
there is a similar memcpy() call in MyCTX_nopad::init(),
but the code appears to work fine.
2019-03-29 11:38:45 +02:00
Sergei Golubchik
4771ae4b22 Merge branch 'github/10.1' into 10.2 2018-02-06 14:50:50 +01:00
Sergei Golubchik
ad0013c8e2 MDEV-14343 Server crash on FIPS with openssl-1.0.2k
don't use internal undocumented OpenSSL functionality
2018-01-30 21:28:16 +01:00
Sergei Golubchik
bba169b984 MDEV-12763 10.2 uses deprecated openssl 1.0 apis even with 1.1
Use OpenSSL 1.1 when applicable.
Create compatibility macros for OpenSSL 1.0- and YaSSL.
2017-09-18 10:12:23 +02:00
Sergei Golubchik
ccca4f43c9 MDEV-10332 support for OpenSSL 1.1 and LibreSSL
post-review fixes:
* move all ssl implementation related ifdefs/defines to one file
  (ssl_compat.h)
* work around OpenSSL-1.1 desire to malloc every EVP context by
  run-time checking that context allocated on the stack is big enough
  (openssl.c)
* use newer version of the AWS SDK for OpenSSL 1.1
* use get_dh2048() function as generated by openssl 1.1
  (viosslfactories.c)
2017-05-09 18:53:10 +02:00
Georg Richter
f8866f8f66 MDEV-10332 support for OpenSSL 1.1 and LibreSSL
Initial support

tested against OpenSSL 1.0.1, 1.0.2, 1.1.0, Yassl and LibreSSL
not working on Windows with native SChannel support, due to wrong cipher
mapping: Latter one requires push of CONC-241 fixes.
Please note that OpenSSL 0.9.8 and OpenSSL 1.1.0 will not work: Even if
the build succeeds, test cases will fail with various errors, especially
when using different tls libraries or versions for client and server.
2017-05-09 18:53:10 +02:00
Marko Mäkelä
14c6f00a9f Merge 10.1 into 10.2
Also, include fixes by Vladislav Vaintroub to the
aws_key_management plugin. The AWS C++ SDK specifically depends on
OPENSSL_LIBRARIES, not generic SSL_LIBRARIES (such as YaSSL).
2017-05-06 14:36:46 +03:00
Vladislav Vaintroub
db39107413 MDEV-11663 Create services for functionality used by plugins
Added service for
- encryption (AES)
- error reporting, e.g my_printf_error()
2017-04-27 19:12:38 +02:00
Georg Richter
23628d123b Fix for MDEV-11174:
A GCM encrypted ciphertext must contain an authentication tag with AES_BLOCK_SIZE length, so we need to check that the length of ciphertext is at least AES_BLOCK_SIZE.
2017-02-01 12:14:37 +01:00
Sergei Golubchik
a2bcee626d Merge branch '10.0' into 10.1 2015-12-21 21:24:22 +01:00
Sergei Golubchik
66b9a9409c New encryption API. Piece-wise encryption.
Instead of encrypt(src, dst, key, iv) that encrypts all
data in one go, now we have encrypt_init(key,iv),
encrypt_update(src,dst), and encrypt_finish(dst).

This also causes collateral changes in the internal my_crypt.cc
encryption functions and in the encryption service.

There are wrappers to provide the old all-at-once encryption
functionality. But binlog events are often written piecewise,
they'll need the new api.
2015-09-04 10:33:50 +02:00
Sergei Golubchik
e7620ce4ce MDEV-8281 aes_decrypt crashes in block_crypt()
fix aes_decrypt of yassl to support zero-length input
2015-06-27 09:40:54 +02:00
Sergei Golubchik
0f0092720f my_aes_encrypt_gcm() and my_aes_decrypt_gcm() 2015-06-02 19:00:23 +02:00
Sergei Golubchik
ebc5e00641 my_aes_get_size()
return unsigned, not signed.
return a value large enough for GCM
2015-06-02 19:00:23 +02:00
Sergei Golubchik
5091a4ba75 Merge tag 'mariadb-10.0.19' into 10.1 2015-06-01 15:51:25 +02:00
Sergei Golubchik
8827eb8325 MDEV-8162 func_str crashes on SELECT AES_DECRYPT(AES_ENCRYPT(...)) on line 107
encrypting 0 byte string *is* possible
2015-05-15 18:12:02 +02:00
Sergei Golubchik
acd992d4b7 MDEV-8022 Assertion `rc == 0' failed in ma_encrypt on dropping an encrypted Aria table
fix encryption of the last partial block

* now really encrypt it, using key and iv
* support the case of very short plaintext (less than one block)
* recommend aes_ctr over aes_cbc, because the former
  doesn't have problems with partial blocks
2015-05-13 14:27:17 +02:00
Sergei Golubchik
bea3f30d46 move AES_CTR to its own greatly simplified function
* don't use do_crypt() for stream cipher AES_CTR
* rename do_crypt to block_crypt to emphasize its specialization
2015-05-13 14:27:17 +02:00
Sergei Golubchik
4d40a7d133 remove now-empty my_aes.{h,cc}
move remaning defines to my_crypt, add MY_ namespace prefix
2015-04-09 18:42:44 +02:00
Sergei Golubchik
bb1b61b312 encryption plugin controls the encryption
* no --encryption-algorithm option anymore
* encrypt/decrypt methods in the encryption plugin
* ecnrypt/decrypt methods in the encryption_km service
* file_km plugin has --file-key-management-encryption-algorithm
* debug_km always uses aes_cbc
* example_km changes between aes_cbc and aes_ecb for different key versions
2015-04-09 18:42:43 +02:00
Sergei Golubchik
91f7363e4b yassl padding 2015-04-08 10:58:46 +02:00
Sergei Golubchik
f444d13a3b my_aes* functions: support for different key lengths
to: different key lengths
2015-04-08 10:58:29 +02:00
Sergei Golubchik
3bbe2057da yassl support 2015-04-05 13:14:38 +02:00
Sergei Golubchik
2f8d101f9e unify my_{en|de}crypt_{cbc|ecb|ctr}. no yassl support yet. 2015-04-05 13:14:37 +02:00
Sergei Golubchik
27cc252bb7 simplify my_crypt.cc, remove duplicate code 2015-04-05 13:14:37 +02:00
Sergei Golubchik
f3da18f635 cmake-time detection for EVP_aes_128_ctr()
because old openssl versions (e.g. on labrador) don't have it
2015-02-10 10:21:18 +01:00
Monty
d7d589dc01 Push for testing of encryption 2015-02-10 10:21:17 +01:00