This repository was archived by the owner on Mar 1, 2026. It is now read-only.

Commit a0132f5

committed
WL#14683: Support openssl 3.0
RB#27023
1 parent 80ca34d commit a0132f5

33 files changed

Lines changed: 955 additions & 257 deletions


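--- a/client/mysqltest.cc
+++ b/client/mysqltest.cc
@@ -86,6 +86,7 @@
 #include "my_dir.h"
 #include "my_inttypes.h"
 #include "my_macros.h"
+#include "my_openssl_fips.h"
 #include "my_pointer_arithmetic.h"
 #include "my_stacktrace.h"
 #include "my_systime.h" // my_sleep()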

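--- a/cmake/ssl.cmake
+++ b/cmake/ssl.cmake
@@ -65,6 +65,8 @@
 # pkg-config --cflags openssl11
 # -I/usr/include/openssl11
 
+SET(MIN_OPENSSL_VERSION_REQUIRED "1.0.0")
+
 SET(WITH_SSL_DOC "\nsystem (use the OS openssl library)")
 SET(WITH_SSL_DOC "\nopenssl[0-9]+ (use alternative system library)")
 STRING_APPEND(WITH_SSL_DOC "\nyes (synonym for system)")
@@ -108,28 +110,55 @@ MACRO(RESET_SSL_VARIABLES)
 UNSET(HAVE_SHA512_DIGEST_LENGTH CACHE)
 ENDMACRO(RESET_SSL_VARIABLES)
 
+# Fetch OpenSSL version number.
+# OpenSSL < 3:
+# #define OPENSSL_VERSION_NUMBER 0x1000103fL
+# Encoded as MNNFFPPS: major minor fix patch status
+#
+# OpenSSL 3:
+# #define OPENSSL_VERSION_NUMBER
+# ( (OPENSSL_VERSION_MAJOR<<28)
+# |(OPENSSL_VERSION_MINOR<<20)
+# |(OPENSSL_VERSION_PATCH<<4)
+# |_OPENSSL_VERSION_PRE_RELEASE )
 MACRO(FIND_OPENSSL_VERSION)
-# Verify version number. Version information looks like:
-# #define OPENSSL_VERSION_NUMBER 0x1000103fL
-# Encoded as MNNFFPPS: major minor fix patch status
-FILE(STRINGS "${OPENSSL_INCLUDE_DIR}/openssl/opensslv.h"
-OPENSSL_VERSION_NUMBER
-REGEX "^#[ ]*define[\t ]+OPENSSL_VERSION_NUMBER[\t ]+0x[0-9].*"
-)
-STRING(REGEX REPLACE
-"^.*OPENSSL_VERSION_NUMBER[\t ]+0x([0-9]).*$" "\\1"
-OPENSSL_MAJOR_VERSION "${OPENSSL_VERSION_NUMBER}"
-)
-STRING(REGEX REPLACE
-"^.*OPENSSL_VERSION_NUMBER[\t ]+0x[0-9]([0-9][0-9]).*$" "\\1"
-OPENSSL_MINOR_VERSION "${OPENSSL_VERSION_NUMBER}"
-)
-STRING(REGEX REPLACE
-"^.*OPENSSL_VERSION_NUMBER[\t ]+0x[0-9][0-9][0-9]([0-9][0-9]).*$" "\\1"
-OPENSSL_FIX_VERSION "${OPENSSL_VERSION_NUMBER}"
-)
-SET(OPENSSL_MAJOR_MINOR_FIX_VERSION "${OPENSSL_MAJOR_VERSION}")
-STRING_APPEND(OPENSSL_MAJOR_MINOR_FIX_VERSION ".${OPENSSL_MINOR_VERSION}")
+FOREACH(version_part
+OPENSSL_VERSION_MAJOR
+OPENSSL_VERSION_MINOR
+OPENSSL_VERSION_PATCH
+)
+FILE(STRINGS "${OPENSSL_INCLUDE_DIR}/openssl/opensslv.h" ${version_part}
+REGEX "^#[\t ]*define[\t ]+${version_part}[\t ]+([0-9]+).*")
+STRING(REGEX REPLACE
+"^.*${version_part}[\t ]+([0-9]+).*" "\\1"
+${version_part} "${${version_part}}")
+ENDFOREACH()
+IF(OPENSSL_VERSION_MAJOR VERSION_EQUAL 3)
+# OpenSSL 3
+SET(OPENSSL_FIX_VERSION "${OPENSSL_VERSION_PATCH}")
+ELSE()
+# Verify version number. Version information looks like:
+# #define OPENSSL_VERSION_NUMBER 0x1000103fL
+# Encoded as MNNFFPPS: major minor fix patch status
+FILE(STRINGS "${OPENSSL_INCLUDE_DIR}/openssl/opensslv.h"
+OPENSSL_VERSION_NUMBER
+REGEX "^#[ ]*define[\t ]+OPENSSL_VERSION_NUMBER[\t ]+0x[0-9].*"
+)
+STRING(REGEX REPLACE
+"^.*OPENSSL_VERSION_NUMBER[\t ]+0x([0-9]).*$" "\\1"
+OPENSSL_VERSION_MAJOR "${OPENSSL_VERSION_NUMBER}"
+)
+STRING(REGEX REPLACE
+"^.*OPENSSL_VERSION_NUMBER[\t ]+0x[0-9]([0-9][0-9]).*$" "\\1"
+OPENSSL_VERSION_MINOR "${OPENSSL_VERSION_NUMBER}"
+)
+STRING(REGEX REPLACE
+"^.*OPENSSL_VERSION_NUMBER[\t ]+0x[0-9][0-9][0-9]([0-9][0-9]).*$" "\\1"
+OPENSSL_FIX_VERSION "${OPENSSL_VERSION_NUMBER}"
+)
+ENDIF()
+SET(OPENSSL_MAJOR_MINOR_FIX_VERSION "${OPENSSL_VERSION_MAJOR}")
+STRING_APPEND(OPENSSL_MAJOR_MINOR_FIX_VERSION ".${OPENSSL_VERSION_MINOR}")
 STRING_APPEND(OPENSSL_MAJOR_MINOR_FIX_VERSION ".${OPENSSL_FIX_VERSION}")
 MESSAGE(STATUS
 "OPENSSL_VERSION (${WITH_SSL}) is ${OPENSSL_MAJOR_MINOR_FIX_VERSION}")
@@ -327,25 +356,37 @@ MACRO (MYSQL_CHECK_SSL)
 HINTS ${OPENSSL_ROOT_DIR}/include
 )
 MESSAGE(STATUS "OPENSSL_APPLINK_C ${OPENSSL_APPLINK_C}")
+IF(NOT OPENSSL_APPLINK_C)
+RESET_SSL_VARIABLES()
+FATAL_SSL_NOT_FOUND_ERROR(
+"Cannot find applink.c for WITH_SSL=${WITH_SSL}.")
+ENDIF()
 ENDIF()
 
 FIND_LIBRARY(OPENSSL_LIBRARY
 NAMES ssl libssl ssleay32 ssleay32MD
-HINTS ${OPENSSL_ROOT_DIR}/lib)
+HINTS ${OPENSSL_ROOT_DIR}/lib ${OPENSSL_ROOT_DIR}/lib64)
 FIND_LIBRARY(CRYPTO_LIBRARY
 NAMES crypto libcrypto libeay32
-HINTS ${OPENSSL_ROOT_DIR}/lib)
+HINTS ${OPENSSL_ROOT_DIR}/lib ${OPENSSL_ROOT_DIR}/lib64)
 
 IF(OPENSSL_INCLUDE_DIR)
 FIND_OPENSSL_VERSION()
 ENDIF()
+IF (OPENSSL_MAJOR_MINOR_FIX_VERSION VERSION_LESS
+${MIN_OPENSSL_VERSION_REQUIRED})
+RESET_SSL_VARIABLES()
+FATAL_SSL_NOT_FOUND_ERROR(
+"Not a supported openssl version in WITH_SSL=${WITH_SSL}.")
+ENDIF()
+
 IF("${OPENSSL_MAJOR_MINOR_FIX_VERSION}" VERSION_GREATER "1.1.0")
 ADD_DEFINITIONS(-DHAVE_TLSv13)
 ENDIF()
+
 IF(OPENSSL_INCLUDE_DIR AND
-OPENSSL_LIBRARY AND
-CRYPTO_LIBRARY AND
-OPENSSL_MAJOR_VERSION STREQUAL "1"
+OPENSSL_LIBRARY AND
+CRYPTO_LIBRARY
 )
 SET(OPENSSL_FOUND TRUE)
 IF(WITH_SSL_PATH)
@@ -412,8 +453,8 @@ MACRO (MYSQL_CHECK_SSL)
 MESSAGE(STATUS "OPENSSL_LIBRARY = ${OPENSSL_LIBRARY}")
 MESSAGE(STATUS "CRYPTO_LIBRARY = ${CRYPTO_LIBRARY}")
 MESSAGE(STATUS "OPENSSL_LIB_DIR = ${OPENSSL_LIB_DIR}")
-MESSAGE(STATUS "OPENSSL_MAJOR_VERSION = ${OPENSSL_MAJOR_VERSION}")
-MESSAGE(STATUS "OPENSSL_MINOR_VERSION = ${OPENSSL_MINOR_VERSION}")
+MESSAGE(STATUS "OPENSSL_VERSION_MAJOR = ${OPENSSL_VERSION_MAJOR}")
+MESSAGE(STATUS "OPENSSL_VERSION_MINOR = ${OPENSSL_VERSION_MINOR}")
 MESSAGE(STATUS "OPENSSL_FIX_VERSION = ${OPENSSL_FIX_VERSION}")
 
 INCLUDE(CheckSymbolExists)
@@ -669,15 +710,21 @@ MACRO(MYSQL_CHECK_SSL_DLLS)
 GET_FILENAME_COMPONENT(OPENSSL_NAME "${OPENSSL_LIBRARY}" NAME_WE)
 
 # Different naming scheme for the matching .dll as of SSL 1.1
+# OpenSSL 3.x Look for libcrypto-3-x64.dll or libcrypto-3.dll
+# OpenSSL 1.1 Look for libcrypto-1_1-x64.dll or libcrypto-1_1.dll
+# OpenSSL 1.0 Look for libeay32.dll
 SET(SSL_MSVC_VERSION_SUFFIX)
 SET(SSL_MSVC_ARCH_SUFFIX)
-IF(OPENSSL_MINOR_VERSION VERSION_EQUAL 1)
+IF(OPENSSL_VERSION_MAJOR VERSION_EQUAL 1 AND
+OPENSSL_VERSION_MINOR VERSION_EQUAL 1)
 SET(SSL_MSVC_VERSION_SUFFIX "-1_1")
 SET(SSL_MSVC_ARCH_SUFFIX "-x64")
 ENDIF()
+IF(OPENSSL_VERSION_MAJOR VERSION_EQUAL 3)
+SET(SSL_MSVC_VERSION_SUFFIX "-3")
+SET(SSL_MSVC_ARCH_SUFFIX "-x64")
+ENDIF()
 
-# OpenSSL 1.1 Look for libcrypto-1_1-x64.dll or libcrypto-1_1.dll
-# OpenSSL 1.0 Look for libeay32.dll
 FIND_FILE(HAVE_CRYPTO_DLL
 NAMES
 "${CRYPTO_NAME}${SSL_MSVC_VERSION_SUFFIX}${SSL_MSVC_ARCH_SUFFIX}.dll"
@@ -717,11 +764,25 @@ MACRO(MYSQL_CHECK_SSL_DLLS)
 ADD_DEPENDENCIES(${openssl_exe_target} copy_openssl_dlls)
 ELSE()
 MESSAGE(STATUS "Cannot find SSL dynamic libraries")
-IF(OPENSSL_MINOR_VERSION VERSION_EQUAL 1)
+IF(OPENSSL_VERSION_MAJOR VERSION_EQUAL 1 AND
+OPENSSL_VERSION_MINOR VERSION_EQUAL 1)
 SET(SSL_LIBRARIES ${SSL_LIBRARIES} crypt32.lib)
 MESSAGE(STATUS "SSL_LIBRARIES ${SSL_LIBRARIES}")
 ENDIF()
 ENDIF()
 ENDIF()
 ENDIF()
 ENDMACRO()
+
+# Downgrade OpenSSL 3 deprecation warnings.
+MACRO(DOWNGRADE_OPENSSL3_DEPRECATION_WARNINGS)
+IF(OPENSSL_VERSION_MAJOR VERSION_EQUAL 3)
+IF(MY_COMPILER_IS_GNU_OR_CLANG)
+ADD_COMPILE_FLAGS(${ARGV}
+COMPILE_FLAGS "-Wno-error=deprecated-declarations")
+ELSEIF(WIN32)
+ADD_COMPILE_FLAGS(${ARGV}
+COMPILE_FLAGS "/wd4996")
+ENDIF()
+ENDIF()
+ENDMACRO()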
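Review bot: The version gate in MYSQL_CHECK_SSL is now only a floor: the removed `OPENSSL_MAJOR_VERSION STREQUAL "1"` condition rejected every major other than 1, whereas the added `VERSION_LESS ${MIN_OPENSSL_VERSION_REQUIRED}` test lets anything at or above 1.0.0 reach `SET(OPENSSL_FOUND TRUE)`. A header whose OPENSSL_VERSION_NUMBER begins with `0x2` (some OpenSSL-compatible forks report that) would take the ELSE branch of FIND_OPENSSL_VERSION, parse as 2.00.00 and, as far as these hunks show, now be accepted, so the build could link a TLS library nobody tested against. I would keep an explicit allow-list beside the floor, `IF(NOT OPENSSL_VERSION_MAJOR VERSION_EQUAL 1 AND NOT OPENSSL_VERSION_MAJOR VERSION_EQUAL 3)` leading to the same `FATAL_SSL_NOT_FOUND_ERROR` call, and quote both operands of the floor comparison the way the following `VERSION_GREATER "1.1.0"` test already does. MYSQL_CHECK_SSL starts and ends outside the hunks shown.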

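--- a/extra/libfido2/libfido2-1.8.0/src/CMakeLists.txt
+++ b/extra/libfido2/libfido2-1.8.0/src/CMakeLists.txt
@@ -85,6 +85,52 @@ list(APPEND COMPAT_SOURCES
 ../openbsd-compat/timingsafe_bcmp.c
 )
 
+DOWNGRADE_OPENSSL3_DEPRECATION_WARNINGS(
+assert.c
+cbor.c
+cred.c
+es256.c
+rs256.c
+ecdh.c
+)
+
+IF(OPENSSL_VERSION_MAJOR VERSION_EQUAL 3)
+IF(MY_COMPILER_IS_GNU)
+# Downgrade to warning, for now.
+ADD_COMPILE_FLAGS(
+assert.c
+cbor.c
+cred.c
+es256.c
+rs256.c
+COMPILE_FLAGS "-Wno-error=discarded-qualifiers")
+ADD_COMPILE_FLAGS(
+ecdh.c
+COMPILE_FLAGS "-Wno-error=pointer-sign")
+ELSEIF(MY_COMPILER_IS_CLANG)
+# Downgrade to warning, for now.
+ADD_COMPILE_FLAGS(
+assert.c
+cbor.c
+cred.c
+es256.c
+rs256.c
+COMPILE_FLAGS
+"-Wno-incompatible-pointer-types-discards-qualifiers")
+ADD_COMPILE_FLAGS(
+ecdh.c
+COMPILE_FLAGS "-Wno-pointer-sign")
+ELSEIF(MSVC)
+ADD_COMPILE_FLAGS(
+assert.c
+cred.c
+COMPILE_FLAGS "/wd4090")
+ADD_COMPILE_FLAGS(
+ecdh.c
+COMPILE_FLAGS "/wd4057")
+ENDIF()
+ENDIF()
+
 
 # Windows wants only major.minor
 IF(WIN32)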
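Review bot: The Clang branch switches the diagnostics off rather than downgrading them, although its comment says "Downgrade to warning, for now.": `-Wno-incompatible-pointer-types-discards-qualifiers` and `-Wno-pointer-sign` suppress the warning outright, while the GNU branch uses the `-Wno-error=` form. Clang accepts the same form, so `COMPILE_FLAGS "-Wno-error=incompatible-pointer-types-discards-qualifiers"` and `COMPILE_FLAGS "-Wno-error=pointer-sign"` would keep const-discarding and signedness mismatches visible in the build log for these FIDO2 sources. The MSVC branch (`/wd4090`, `/wd4057`) also disables instead of downgrading and lists only assert.c and cred.c where the other compilers cover cbor.c, es256.c and rs256.c as well; a comment such as `# MSVC has no per-warning no-error switch; cbor.c/es256.c/rs256.c build clean here.` would record whether that is intentional, once confirmed.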

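--- a/include/my_openssl_fips.h
+++ b/include/my_openssl_fips.h
@@ -0,0 +1,41 @@
+/* Copyright (c) 2022, Oracle and/or its affiliates.
+
+This program is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License, version 2.0,
+as published by the Free Software Foundation.
+
+This program is also distributed with certain software (including
+but not limited to OpenSSL) that is licensed under separate terms,
+as designated in a particular file or component or in included license
+documentation. The authors of MySQL hereby grant you an additional
+permission to link the program and your derivative works with the
+separately licensed software that they have included with MySQL.
+
+Without limiting anything contained in the foregoing, this file,
+which is part of C Driver for MySQL (Connector/C), is also subject to the
+Universal FOSS Exception, version 1.0, a copy of which can be found at
+http://oss.oracle.com/licenses/universal-foss-exception.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License, version 2.0, for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program; if not, write to the Free Software
+Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */
+
+#ifndef my_openssl_fips_h_
+#define my_openssl_fips_h_
+
+constexpr int OPENSSL_ERROR_LENGTH{512}; /* Openssl error code max length */
+
+bool set_fips_mode(const int fips_mode, char err_string[OPENSSL_ERROR_LENGTH]);
+int get_fips_mode();
+
+int test_ssl_fips_mode(char err_string[OPENSSL_ERROR_LENGTH]);
+
+void fips_deinit();
+void fips_init();
+
+#endif /* ifndef my_openssl_fips_h_ */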
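Review bot: The `char err_string[OPENSSL_ERROR_LENGTH]` parameters of `set_fips_mode` and `test_ssl_fips_mode` decay to `char *`, so nothing checks that a caller's buffer really holds OPENSSL_ERROR_LENGTH bytes before the implementation (not shown here) presumably writes an error string into it. The header is already C++-only because it uses `constexpr`, so a reference to array would make the size part of the type: `bool set_fips_mode(const int fips_mode, char (&err_string)[OPENSSL_ERROR_LENGTH]);`, and likewise for `test_ssl_fips_mode`. The prototypes are also undocumented, and `set_fips_mode` changed from `int` to `bool` relative to the declaration this commit removes from violite.h; each one should get a short comment stating the accepted `fips_mode` values and which return value signals failure.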

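--- a/include/violite.h
+++ b/include/violite.h
@@ -140,7 +140,6 @@ enum enum_vio_io_event {
 #define VIO_LOCALHOST 1 /* a localhost connection */
 #define VIO_BUFFERED_READ 2 /* use buffered read */
 #define VIO_READ_BUFFER_SIZE 16384 /* size of read buffer */
-#define OPENSSL_ERROR_LENGTH 512 /* Openssl error code max length */
 
 MYSQL_VIO vio_new(my_socket sd, enum enum_vio_type type, uint flags);
 MYSQL_VIO mysql_socket_vio_new(MYSQL_SOCKET mysql_socket,
@@ -268,12 +267,6 @@ struct st_VioSSLFd *new_VioSSLConnectorFd(
 
 long process_tls_version(const char *tls_version);
 
-int set_fips_mode(const uint fips_mode, char *err_string);
-
-uint get_fips_mode();
-
-int test_ssl_fips_mode(char *err_string);
-
 struct st_VioSSLFd *new_VioSSLAcceptorFd(
 const char *key_file, const char *cert_file, const char *ca_file,
 const char *ca_path, const char *cipher, const char *ciphersuites,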

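--- a/libmysql/authentication_oci_client/CMakeLists.txt
+++ b/libmysql/authentication_oci_client/CMakeLists.txt
@@ -52,3 +52,7 @@ MYSQL_ADD_PLUGIN(
 CLIENT_ONLY
 MODULE_ONLY MODULE_OUTPUT_NAME "authentication_oci_client"
 )
+
+DOWNGRADE_OPENSSL3_DEPRECATION_WARNINGS(
+src/oci_iam/request/ssl.cc
+)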
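Review bot: On Windows this call turns C4996 off for ssl.cc altogether rather than downgrading it: the WIN32 branch of DOWNGRADE_OPENSSL3_DEPRECATION_WARNINGS, added to cmake/ssl.cmake in this commit, passes `/wd4996`, and MSVC reports its own CRT deprecations (the unsafe string and I/O functions) under the same number as OpenSSL's. If the aim is only to quiet OpenSSL 3's own deprecation attributes, defining `OPENSSL_SUPPRESS_DEPRECATED` for this one source would narrow the suppression to those declarations and leave the other C4996 reports intact. Either way the call deserves a comment that lets the exemption be retired, for example `# ssl.cc still calls OpenSSL APIs deprecated in 3.0; drop this once it is ported.`, assuming that is indeed the reason.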

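--- a/mysql-test/suite/auth_sec/r/openssl_without_fips.result
+++ b/mysql-test/suite/auth_sec/r/openssl_without_fips.result
@@ -17,7 +17,7 @@ c9f0f895fb98ab9159f51fd0297e236d
 # Bug #33082255: SERVER EXIT TRYING TO SET FIPS MODE
 #
 SET @@global.ssl_fips_mode = 'ON';
-ERROR HY000: SSL fips mode error: Openssl is not fips enabled
+ERROR HY000: SSL fips mode error: Openssl is not fips enabled: openssl error
 ##Test: Start the server with SSL FIPS mode ON, server will throw error and abort.
-Pattern "(FIPS_mode_set:fips mode not supported|FIPS_module_mode_set:fingerprint does not match)" found
+Pattern "(FIPS_mode_set:fips mode not supported|FIPS_module_mode_set:fingerprint does not match|SSL fips mode error:)" found
 Restart server with FIPS mode OFF.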

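--- a/mysql-test/suite/auth_sec/t/openssl_without_fips.test
+++ b/mysql-test/suite/auth_sec/t/openssl_without_fips.test
@@ -51,6 +51,7 @@ EOF
 --echo # Bug #33082255: SERVER EXIT TRYING TO SET FIPS MODE
 --echo #
 
+--replace_regex /SSL fips mode error: Openssl is not fips enabled.*/SSL fips mode error: Openssl is not fips enabled: openssl error/
 --error ER_DA_SSL_FIPS_MODE_ERROR
 SET @@global.ssl_fips_mode = 'ON';
 
@@ -65,7 +66,7 @@ let $restart_file = $MYSQLTEST_VARDIR/tmp/mysqld.1.expect;
 --source include/wait_until_disconnected.inc
 --error 1
 --exec $MYSQLD_CMD --loose-console --ssl-fips-mode=ON > $error_log 2>&1
-let SEARCH_PATTERN = (FIPS_mode_set:fips mode not supported|FIPS_module_mode_set:fingerprint does not match);
+let SEARCH_PATTERN = (FIPS_mode_set:fips mode not supported|FIPS_module_mode_set:fingerprint does not match|SSL fips mode error:);
 --source include/search_pattern.inc
 --remove_file $error_log
 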
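Review bot: The new `SSL fips mode error:` alternative in SEARCH_PATTERN is only the generic prefix of the message, so the startup check now passes for any FIPS-mode failure the server logs, not just the "not FIPS capable" case the two older alternatives pinned down. The added `--replace_regex` does the same for the interactive case by discarding everything after `Openssl is not fips enabled`. If the OpenSSL 3 text is stable enough, matching a narrower fragment of it would keep the test able to tell an unavailable FIPS provider from an unrelated error. At the least the masking should be explained above the directive, e.g. `# The OpenSSL error text differs between 1.x and 3.x; mask the tail.`, presuming that is the reason.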

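--- a/mysys/CMakeLists.txt
+++ b/mysys/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright (c) 2006, 2021, Oracle and/or its affiliates.
+# Copyright (c) 2006, 2022, Oracle and/or its affiliates.
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License, version 2.0,
@@ -119,6 +119,7 @@ SET(MYSYS_SOURCES
 my_sha2.cc
 my_md5.cc
 my_rnd.cc
+my_openssl_fips.cc
 )
 LIST(APPEND MYSYS_SOURCES my_aes_openssl.cc)
 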
