Mirrors
/
mariadb
mirror of https://github.com/MariaDB/server
3
0
Fork 0
Code Releases Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
199616 Commits
3221 Branches
1092 Tags
1.3 GiB
Branch: 10.6
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '10.6'
${ noResults }
mariadb/mysys_ssl/my_crypt.cc

369 lines
10 KiB
Raw Permalink Normal View History

unify my_{en|de}crypt_{cbc|ecb|ctr}. no yassl support yet.
11 years ago
MDEV-15587 AES test fails, segfaults in EVP_CipherInit_ex When HAVE_YASSL is defined (due to cmake -DWITH_SSL=bundled or otherwise), mysys_ssl/my_crypt.cc will #include "yassl.cc" from the same directory. When MariaDB 10.2 or later is compiled with GCC 8 and optimizations are enabled, then the check if (iv) in EVP_CipherInit_ex() can be wrongly optimized away. The reason appears to be that __attribute__((nonnull)) is attached to the variable iv, because there is a (no-op) call memcpy(oiv, iv, ivlen=0) earlier in the code path. It is possible that this started failing after the code was refactored in MDEV-10332 (MariaDB 10.2.6). In MariaDB 10.1, there is a similar memcpy() call in MyCTX_nopad::init(), but the code appears to work fine.
7 years ago
unify my_{en|de}crypt_{cbc|ecb|ctr}. no yassl support yet.
11 years ago
Merge branch '5.5' into 10.1
6 years ago
unify my_{en|de}crypt_{cbc|ecb|ctr}. no yassl support yet.
11 years ago
Cleanup to be able to compile with YASSL. Temporary push as some tests still fails.
11 years ago
New encryption API. Piece-wise encryption. Instead of encrypt(src, dst, key, iv) that encrypts all data in one go, now we have encrypt_init(key,iv), encrypt_update(src,dst), and encrypt_finish(dst). This also causes collateral changes in the internal my_crypt.cc encryption functions and in the encryption service. There are wrappers to provide the old all-at-once encryption functionality. But binlog events are often written piecewise, they'll need the new api.
10 years ago
Cleanup to be able to compile with YASSL. Temporary push as some tests still fails.
11 years ago
WolfSSL fixes remove Timeval workaround (not needed anymore). add template workaround. comments.
5 years ago
Cleanup to be able to compile with YASSL. Temporary push as some tests still fails.
11 years ago
WolfSSL fixes remove Timeval workaround (not needed anymore). add template workaround. comments.
5 years ago
Cleanup to be able to compile with YASSL. Temporary push as some tests still fails.
11 years ago
Merge tag 'mariadb-10.0.19' into 10.1
10 years ago
MDEV-10332 support for OpenSSL 1.1 and LibreSSL Initial support tested against OpenSSL 1.0.1, 1.0.2, 1.1.0, Yassl and LibreSSL not working on Windows with native SChannel support, due to wrong cipher mapping: Latter one requires push of CONC-241 fixes. Please note that OpenSSL 0.9.8 and OpenSSL 1.1.0 will not work: Even if the build succeeds, test cases will fail with various errors, especially when using different tls libraries or versions for client and server.
9 years ago
Merge branch '10.0' into 10.1
10 years ago
MDEV-10332 support for OpenSSL 1.1 and LibreSSL post-review fixes: * move all ssl implementation related ifdefs/defines to one file (ssl_compat.h) * work around OpenSSL-1.1 desire to malloc every EVP context by run-time checking that context allocated on the stack is big enough (openssl.c) * use newer version of the AWS SDK for OpenSSL 1.1 * use get_dh2048() function as generated by openssl 1.1 (viosslfactories.c)
9 years ago
MDEV-19684 enable intel assembly (AESNI etc) and fastmath when compiling WolfSSL Using different recommended speedup options for WolfSSL. - Enable x64 assembly code on Intel. - in my_crypt.cc, align EVP_CIPHER_CTX buffer, since some members need alignment of 16 (for AESNI instructions), when assembler is enabled. - Adjust MY_AES_CTX_SIZE - Enable fastmath in wolfssl (large integer math).
6 years ago
Cleanup to be able to compile with YASSL. Temporary push as some tests still fails.
11 years ago
New encryption API. Piece-wise encryption. Instead of encrypt(src, dst, key, iv) that encrypts all data in one go, now we have encrypt_init(key,iv), encrypt_update(src,dst), and encrypt_finish(dst). This also causes collateral changes in the internal my_crypt.cc encryption functions and in the encryption service. There are wrappers to provide the old all-at-once encryption functionality. But binlog events are often written piecewise, they'll need the new api.
10 years ago
simplify my_crypt.cc, remove duplicate code
11 years ago
New encryption API. Piece-wise encryption. Instead of encrypt(src, dst, key, iv) that encrypts all data in one go, now we have encrypt_init(key,iv), encrypt_update(src,dst), and encrypt_finish(dst). This also causes collateral changes in the internal my_crypt.cc encryption functions and in the encryption service. There are wrappers to provide the old all-at-once encryption functionality. But binlog events are often written piecewise, they'll need the new api.
10 years ago
MDEV-19684 enable intel assembly (AESNI etc) and fastmath when compiling WolfSSL Using different recommended speedup options for WolfSSL. - Enable x64 assembly code on Intel. - in my_crypt.cc, align EVP_CIPHER_CTX buffer, since some members need alignment of 16 (for AESNI instructions), when assembler is enabled. - Adjust MY_AES_CTX_SIZE - Enable fastmath in wolfssl (large integer math).
6 years ago
MDEV-10332 support for OpenSSL 1.1 and LibreSSL post-review fixes: * move all ssl implementation related ifdefs/defines to one file (ssl_compat.h) * work around OpenSSL-1.1 desire to malloc every EVP context by run-time checking that context allocated on the stack is big enough (openssl.c) * use newer version of the AWS SDK for OpenSSL 1.1 * use get_dh2048() function as generated by openssl 1.1 (viosslfactories.c)
9 years ago
MDEV-19684 enable intel assembly (AESNI etc) and fastmath when compiling WolfSSL Using different recommended speedup options for WolfSSL. - Enable x64 assembly code on Intel. - in my_crypt.cc, align EVP_CIPHER_CTX buffer, since some members need alignment of 16 (for AESNI instructions), when assembler is enabled. - Adjust MY_AES_CTX_SIZE - Enable fastmath in wolfssl (large integer math).
6 years ago
MDEV-10332 support for OpenSSL 1.1 and LibreSSL post-review fixes: * move all ssl implementation related ifdefs/defines to one file (ssl_compat.h) * work around OpenSSL-1.1 desire to malloc every EVP context by run-time checking that context allocated on the stack is big enough (openssl.c) * use newer version of the AWS SDK for OpenSSL 1.1 * use get_dh2048() function as generated by openssl 1.1 (viosslfactories.c)
9 years ago
MDEV-12763 10.2 uses deprecated openssl 1.0 apis even with 1.1 Use OpenSSL 1.1 when applicable. Create compatibility macros for OpenSSL 1.0- and YaSSL.
8 years ago
MDEV-10332 support for OpenSSL 1.1 and LibreSSL post-review fixes: * move all ssl implementation related ifdefs/defines to one file (ssl_compat.h) * work around OpenSSL-1.1 desire to malloc every EVP context by run-time checking that context allocated on the stack is big enough (openssl.c) * use newer version of the AWS SDK for OpenSSL 1.1 * use get_dh2048() function as generated by openssl 1.1 (viosslfactories.c)
9 years ago
yassl support
11 years ago
New encryption API. Piece-wise encryption. Instead of encrypt(src, dst, key, iv) that encrypts all data in one go, now we have encrypt_init(key,iv), encrypt_update(src,dst), and encrypt_finish(dst). This also causes collateral changes in the internal my_crypt.cc encryption functions and in the encryption service. There are wrappers to provide the old all-at-once encryption functionality. But binlog events are often written piecewise, they'll need the new api.
10 years ago
yassl support
11 years ago
MDEV-10332 support for OpenSSL 1.1 and LibreSSL Initial support tested against OpenSSL 1.0.1, 1.0.2, 1.1.0, Yassl and LibreSSL not working on Windows with native SChannel support, due to wrong cipher mapping: Latter one requires push of CONC-241 fixes. Please note that OpenSSL 0.9.8 and OpenSSL 1.1.0 will not work: Even if the build succeeds, test cases will fail with various errors, especially when using different tls libraries or versions for client and server.
9 years ago
MDEV-8022 Assertion `rc == 0' failed in ma_encrypt on dropping an encrypted Aria table fix encryption of the last partial block * now really encrypt it, using key and iv * support the case of very short plaintext (less than one block) * recommend aes_ctr over aes_cbc, because the former doesn't have problems with partial blocks
11 years ago
my_aes* functions: support for different key lengths to: different key lengths
11 years ago
MDEV-18531 : Use WolfSSL instead of YaSSL as "bundled" SSL/encryption library - Add new submodule for WolfSSL - Build and use wolfssl and wolfcrypt instead of yassl/taocrypt - Use HAVE_WOLFSSL instead of HAVE_YASSL - Increase MY_AES_CTX_SIZE, to avoid compile time asserts in my_crypt.cc (sizeof(EVP_CIPHER_CTX) is larger on WolfSSL)
7 years ago
MDEV-8022 Assertion `rc == 0' failed in ma_encrypt on dropping an encrypted Aria table fix encryption of the last partial block * now really encrypt it, using key and iv * support the case of very short plaintext (less than one block) * recommend aes_ctr over aes_cbc, because the former doesn't have problems with partial blocks
11 years ago
unify my_{en|de}crypt_{cbc|ecb|ctr}. no yassl support yet.
11 years ago
MDEV-10332 support for OpenSSL 1.1 and LibreSSL Initial support tested against OpenSSL 1.0.1, 1.0.2, 1.1.0, Yassl and LibreSSL not working on Windows with native SChannel support, due to wrong cipher mapping: Latter one requires push of CONC-241 fixes. Please note that OpenSSL 0.9.8 and OpenSSL 1.1.0 will not work: Even if the build succeeds, test cases will fail with various errors, especially when using different tls libraries or versions for client and server.
9 years ago
unify my_{en|de}crypt_{cbc|ecb|ctr}. no yassl support yet.
11 years ago
New encryption API. Piece-wise encryption. Instead of encrypt(src, dst, key, iv) that encrypts all data in one go, now we have encrypt_init(key,iv), encrypt_update(src,dst), and encrypt_finish(dst). This also causes collateral changes in the internal my_crypt.cc encryption functions and in the encryption service. There are wrappers to provide the old all-at-once encryption functionality. But binlog events are often written piecewise, they'll need the new api.
10 years ago
MDEV-19617 Assertion `src' failed in MyCTX::update Apprently, sometimes there will be null pointers with 0 length passed to the MyCTX::update() function, and will need to return a valid buffer. So weaken the assertion, and use a valid pointer for src if it was NULL.
6 years ago
Fix compilation on Linux
6 years ago
MDEV-19617 Assertion `src' failed in MyCTX::update Apprently, sometimes there will be null pointers with 0 length passed to the MyCTX::update() function, and will need to return a valid buffer. So weaken the assertion, and use a valid pointer for src if it was NULL.
6 years ago
MDEV-18531 : Use WolfSSL instead of YaSSL as "bundled" SSL/encryption library - Add new submodule for WolfSSL - Build and use wolfssl and wolfcrypt instead of yassl/taocrypt - Use HAVE_WOLFSSL instead of HAVE_YASSL - Increase MY_AES_CTX_SIZE, to avoid compile time asserts in my_crypt.cc (sizeof(EVP_CIPHER_CTX) is larger on WolfSSL)
7 years ago
MDEV-8022 Assertion `rc == 0' failed in ma_encrypt on dropping an encrypted Aria table fix encryption of the last partial block * now really encrypt it, using key and iv * support the case of very short plaintext (less than one block) * recommend aes_ctr over aes_cbc, because the former doesn't have problems with partial blocks
11 years ago
New encryption API. Piece-wise encryption. Instead of encrypt(src, dst, key, iv) that encrypts all data in one go, now we have encrypt_init(key,iv), encrypt_update(src,dst), and encrypt_finish(dst). This also causes collateral changes in the internal my_crypt.cc encryption functions and in the encryption service. There are wrappers to provide the old all-at-once encryption functionality. But binlog events are often written piecewise, they'll need the new api.
10 years ago
MDEV-18531 : Use WolfSSL instead of YaSSL as "bundled" SSL/encryption library - Add new submodule for WolfSSL - Build and use wolfssl and wolfcrypt instead of yassl/taocrypt - Use HAVE_WOLFSSL instead of HAVE_YASSL - Increase MY_AES_CTX_SIZE, to avoid compile time asserts in my_crypt.cc (sizeof(EVP_CIPHER_CTX) is larger on WolfSSL)
7 years ago
MDEV-8022 Assertion `rc == 0' failed in ma_encrypt on dropping an encrypted Aria table fix encryption of the last partial block * now really encrypt it, using key and iv * support the case of very short plaintext (less than one block) * recommend aes_ctr over aes_cbc, because the former doesn't have problems with partial blocks
11 years ago
New encryption API. Piece-wise encryption. Instead of encrypt(src, dst, key, iv) that encrypts all data in one go, now we have encrypt_init(key,iv), encrypt_update(src,dst), and encrypt_finish(dst). This also causes collateral changes in the internal my_crypt.cc encryption functions and in the encryption service. There are wrappers to provide the old all-at-once encryption functionality. But binlog events are often written piecewise, they'll need the new api.
10 years ago
unify my_{en|de}crypt_{cbc|ecb|ctr}. no yassl support yet.
11 years ago
New encryption API. Piece-wise encryption. Instead of encrypt(src, dst, key, iv) that encrypts all data in one go, now we have encrypt_init(key,iv), encrypt_update(src,dst), and encrypt_finish(dst). This also causes collateral changes in the internal my_crypt.cc encryption functions and in the encryption service. There are wrappers to provide the old all-at-once encryption functionality. But binlog events are often written piecewise, they'll need the new api.
10 years ago
MDEV-10332 support for OpenSSL 1.1 and LibreSSL post-review fixes: * move all ssl implementation related ifdefs/defines to one file (ssl_compat.h) * work around OpenSSL-1.1 desire to malloc every EVP context by run-time checking that context allocated on the stack is big enough (openssl.c) * use newer version of the AWS SDK for OpenSSL 1.1 * use get_dh2048() function as generated by openssl 1.1 (viosslfactories.c)
9 years ago
MDEV-25785 Add support for OpenSSL 3.0 Summary of changes - MD_CTX_SIZE is increased - EVP_CIPHER_CTX_buf_noconst(ctx) does not work anymore, points to nobody knows where. The assumption made previously was that (since the function does not seem to be documented) was that it points to the last partial source block. Add own partial block buffer for NOPAD encryption instead - SECLEVEL in CipherString in openssl.cnf had been downgraded to 0, from 1, to make TLSv1.0 and TLSv1.1 possible (according to https://github.com/openssl/openssl/blob/openssl-3.0.0/NEWS.md even though the manual for SSL_CTX_get_security_level claims that it should not be necessary) - Workaround Ssl_cipher_list issue, it now returns TLSv1.3 ciphers, in addition to what was set in --ssl-cipher - ctx_buf buffer now must be aligned to 16 bytes with openssl( previously with WolfSSL only), ot crashes will happen - updated aes-t , to be better debuggable using function, rather than a huge multiline macro added test that does "nopad" encryption piece-wise, to test replacement of EVP_CIPHER_CTX_buf_noconst part of MDEV-29000
4 years ago
MDEV-10332 support for OpenSSL 1.1 and LibreSSL post-review fixes: * move all ssl implementation related ifdefs/defines to one file (ssl_compat.h) * work around OpenSSL-1.1 desire to malloc every EVP context by run-time checking that context allocated on the stack is big enough (openssl.c) * use newer version of the AWS SDK for OpenSSL 1.1 * use get_dh2048() function as generated by openssl 1.1 (viosslfactories.c)
9 years ago
MDEV-25785 Add support for OpenSSL 3.0 Summary of changes - MD_CTX_SIZE is increased - EVP_CIPHER_CTX_buf_noconst(ctx) does not work anymore, points to nobody knows where. The assumption made previously was that (since the function does not seem to be documented) was that it points to the last partial source block. Add own partial block buffer for NOPAD encryption instead - SECLEVEL in CipherString in openssl.cnf had been downgraded to 0, from 1, to make TLSv1.0 and TLSv1.1 possible (according to https://github.com/openssl/openssl/blob/openssl-3.0.0/NEWS.md even though the manual for SSL_CTX_get_security_level claims that it should not be necessary) - Workaround Ssl_cipher_list issue, it now returns TLSv1.3 ciphers, in addition to what was set in --ssl-cipher - ctx_buf buffer now must be aligned to 16 bytes with openssl( previously with WolfSSL only), ot crashes will happen - updated aes-t , to be better debuggable using function, rather than a huge multiline macro added test that does "nopad" encryption piece-wise, to test replacement of EVP_CIPHER_CTX_buf_noconst part of MDEV-29000
4 years ago
MDEV-10332 support for OpenSSL 1.1 and LibreSSL post-review fixes: * move all ssl implementation related ifdefs/defines to one file (ssl_compat.h) * work around OpenSSL-1.1 desire to malloc every EVP context by run-time checking that context allocated on the stack is big enough (openssl.c) * use newer version of the AWS SDK for OpenSSL 1.1 * use get_dh2048() function as generated by openssl 1.1 (viosslfactories.c)
9 years ago
New encryption API. Piece-wise encryption. Instead of encrypt(src, dst, key, iv) that encrypts all data in one go, now we have encrypt_init(key,iv), encrypt_update(src,dst), and encrypt_finish(dst). This also causes collateral changes in the internal my_crypt.cc encryption functions and in the encryption service. There are wrappers to provide the old all-at-once encryption functionality. But binlog events are often written piecewise, they'll need the new api.
10 years ago
MDEV-33746 Supply missing override markings Find and fix missing virtual override markings. Updates cmake maintainer flags to include -Wsuggest-override and -Winconsistent-missing-override.
1 year ago
New encryption API. Piece-wise encryption. Instead of encrypt(src, dst, key, iv) that encrypts all data in one go, now we have encrypt_init(key,iv), encrypt_update(src,dst), and encrypt_finish(dst). This also causes collateral changes in the internal my_crypt.cc encryption functions and in the encryption service. There are wrappers to provide the old all-at-once encryption functionality. But binlog events are often written piecewise, they'll need the new api.
10 years ago
MDEV-33746 Supply missing override markings Find and fix missing virtual override markings. Updates cmake maintainer flags to include -Wsuggest-override and -Winconsistent-missing-override.
1 year ago
New encryption API. Piece-wise encryption. Instead of encrypt(src, dst, key, iv) that encrypts all data in one go, now we have encrypt_init(key,iv), encrypt_update(src,dst), and encrypt_finish(dst). This also causes collateral changes in the internal my_crypt.cc encryption functions and in the encryption service. There are wrappers to provide the old all-at-once encryption functionality. But binlog events are often written piecewise, they'll need the new api.
10 years ago
MDEV-25785 Add support for OpenSSL 3.0 Summary of changes - MD_CTX_SIZE is increased - EVP_CIPHER_CTX_buf_noconst(ctx) does not work anymore, points to nobody knows where. The assumption made previously was that (since the function does not seem to be documented) was that it points to the last partial source block. Add own partial block buffer for NOPAD encryption instead - SECLEVEL in CipherString in openssl.cnf had been downgraded to 0, from 1, to make TLSv1.0 and TLSv1.1 possible (according to https://github.com/openssl/openssl/blob/openssl-3.0.0/NEWS.md even though the manual for SSL_CTX_get_security_level claims that it should not be necessary) - Workaround Ssl_cipher_list issue, it now returns TLSv1.3 ciphers, in addition to what was set in --ssl-cipher - ctx_buf buffer now must be aligned to 16 bytes with openssl( previously with WolfSSL only), ot crashes will happen - updated aes-t , to be better debuggable using function, rather than a huge multiline macro added test that does "nopad" encryption piece-wise, to test replacement of EVP_CIPHER_CTX_buf_noconst part of MDEV-29000
4 years ago
MDEV-15587 AES test fails, segfaults in EVP_CipherInit_ex When HAVE_YASSL is defined (due to cmake -DWITH_SSL=bundled or otherwise), mysys_ssl/my_crypt.cc will #include "yassl.cc" from the same directory. When MariaDB 10.2 or later is compiled with GCC 8 and optimizations are enabled, then the check if (iv) in EVP_CipherInit_ex() can be wrongly optimized away. The reason appears to be that __attribute__((nonnull)) is attached to the variable iv, because there is a (no-op) call memcpy(oiv, iv, ivlen=0) earlier in the code path. It is possible that this started failing after the code was refactored in MDEV-10332 (MariaDB 10.2.6). In MariaDB 10.1, there is a similar memcpy() call in MyCTX_nopad::init(), but the code appears to work fine.
7 years ago
MDEV-10332 support for OpenSSL 1.1 and LibreSSL post-review fixes: * move all ssl implementation related ifdefs/defines to one file (ssl_compat.h) * work around OpenSSL-1.1 desire to malloc every EVP context by run-time checking that context allocated on the stack is big enough (openssl.c) * use newer version of the AWS SDK for OpenSSL 1.1 * use get_dh2048() function as generated by openssl 1.1 (viosslfactories.c)
9 years ago
MDEV-10332 support for OpenSSL 1.1 and LibreSSL Initial support tested against OpenSSL 1.0.1, 1.0.2, 1.1.0, Yassl and LibreSSL not working on Windows with native SChannel support, due to wrong cipher mapping: Latter one requires push of CONC-241 fixes. Please note that OpenSSL 0.9.8 and OpenSSL 1.1.0 will not work: Even if the build succeeds, test cases will fail with various errors, especially when using different tls libraries or versions for client and server.
9 years ago
New encryption API. Piece-wise encryption. Instead of encrypt(src, dst, key, iv) that encrypts all data in one go, now we have encrypt_init(key,iv), encrypt_update(src,dst), and encrypt_finish(dst). This also causes collateral changes in the internal my_crypt.cc encryption functions and in the encryption service. There are wrappers to provide the old all-at-once encryption functionality. But binlog events are often written piecewise, they'll need the new api.
10 years ago
MDEV-10332 support for OpenSSL 1.1 and LibreSSL Initial support tested against OpenSSL 1.0.1, 1.0.2, 1.1.0, Yassl and LibreSSL not working on Windows with native SChannel support, due to wrong cipher mapping: Latter one requires push of CONC-241 fixes. Please note that OpenSSL 0.9.8 and OpenSSL 1.1.0 will not work: Even if the build succeeds, test cases will fail with various errors, especially when using different tls libraries or versions for client and server.
9 years ago
New encryption API. Piece-wise encryption. Instead of encrypt(src, dst, key, iv) that encrypts all data in one go, now we have encrypt_init(key,iv), encrypt_update(src,dst), and encrypt_finish(dst). This also causes collateral changes in the internal my_crypt.cc encryption functions and in the encryption service. There are wrappers to provide the old all-at-once encryption functionality. But binlog events are often written piecewise, they'll need the new api.
10 years ago
MDEV-8022 Assertion `rc == 0' failed in ma_encrypt on dropping an encrypted Aria table fix encryption of the last partial block * now really encrypt it, using key and iv * support the case of very short plaintext (less than one block) * recommend aes_ctr over aes_cbc, because the former doesn't have problems with partial blocks
11 years ago
yassl support
11 years ago
MDEV-25785 Add support for OpenSSL 3.0 Summary of changes - MD_CTX_SIZE is increased - EVP_CIPHER_CTX_buf_noconst(ctx) does not work anymore, points to nobody knows where. The assumption made previously was that (since the function does not seem to be documented) was that it points to the last partial source block. Add own partial block buffer for NOPAD encryption instead - SECLEVEL in CipherString in openssl.cnf had been downgraded to 0, from 1, to make TLSv1.0 and TLSv1.1 possible (according to https://github.com/openssl/openssl/blob/openssl-3.0.0/NEWS.md even though the manual for SSL_CTX_get_security_level claims that it should not be necessary) - Workaround Ssl_cipher_list issue, it now returns TLSv1.3 ciphers, in addition to what was set in --ssl-cipher - ctx_buf buffer now must be aligned to 16 bytes with openssl( previously with WolfSSL only), ot crashes will happen - updated aes-t , to be better debuggable using function, rather than a huge multiline macro added test that does "nopad" encryption piece-wise, to test replacement of EVP_CIPHER_CTX_buf_noconst part of MDEV-29000
4 years ago
MDEV-33746 Supply missing override markings Find and fix missing virtual override markings. Updates cmake maintainer flags to include -Wsuggest-override and -Winconsistent-missing-override.
1 year ago
MDEV-10332 support for OpenSSL 1.1 and LibreSSL Initial support tested against OpenSSL 1.0.1, 1.0.2, 1.1.0, Yassl and LibreSSL not working on Windows with native SChannel support, due to wrong cipher mapping: Latter one requires push of CONC-241 fixes. Please note that OpenSSL 0.9.8 and OpenSSL 1.1.0 will not work: Even if the build succeeds, test cases will fail with various errors, especially when using different tls libraries or versions for client and server.
9 years ago
MDEV-25785 Add support for OpenSSL 3.0 Summary of changes - MD_CTX_SIZE is increased - EVP_CIPHER_CTX_buf_noconst(ctx) does not work anymore, points to nobody knows where. The assumption made previously was that (since the function does not seem to be documented) was that it points to the last partial source block. Add own partial block buffer for NOPAD encryption instead - SECLEVEL in CipherString in openssl.cnf had been downgraded to 0, from 1, to make TLSv1.0 and TLSv1.1 possible (according to https://github.com/openssl/openssl/blob/openssl-3.0.0/NEWS.md even though the manual for SSL_CTX_get_security_level claims that it should not be necessary) - Workaround Ssl_cipher_list issue, it now returns TLSv1.3 ciphers, in addition to what was set in --ssl-cipher - ctx_buf buffer now must be aligned to 16 bytes with openssl( previously with WolfSSL only), ot crashes will happen - updated aes-t , to be better debuggable using function, rather than a huge multiline macro added test that does "nopad" encryption piece-wise, to test replacement of EVP_CIPHER_CTX_buf_noconst part of MDEV-29000
4 years ago
MDEV-10332 support for OpenSSL 1.1 and LibreSSL Initial support tested against OpenSSL 1.0.1, 1.0.2, 1.1.0, Yassl and LibreSSL not working on Windows with native SChannel support, due to wrong cipher mapping: Latter one requires push of CONC-241 fixes. Please note that OpenSSL 0.9.8 and OpenSSL 1.1.0 will not work: Even if the build succeeds, test cases will fail with various errors, especially when using different tls libraries or versions for client and server.
9 years ago
MDEV-33746 Supply missing override markings Find and fix missing virtual override markings. Updates cmake maintainer flags to include -Wsuggest-override and -Winconsistent-missing-override.
1 year ago
unify my_{en|de}crypt_{cbc|ecb|ctr}. no yassl support yet.
11 years ago
MDEV-25785 Add support for OpenSSL 3.0 Summary of changes - MD_CTX_SIZE is increased - EVP_CIPHER_CTX_buf_noconst(ctx) does not work anymore, points to nobody knows where. The assumption made previously was that (since the function does not seem to be documented) was that it points to the last partial source block. Add own partial block buffer for NOPAD encryption instead - SECLEVEL in CipherString in openssl.cnf had been downgraded to 0, from 1, to make TLSv1.0 and TLSv1.1 possible (according to https://github.com/openssl/openssl/blob/openssl-3.0.0/NEWS.md even though the manual for SSL_CTX_get_security_level claims that it should not be necessary) - Workaround Ssl_cipher_list issue, it now returns TLSv1.3 ciphers, in addition to what was set in --ssl-cipher - ctx_buf buffer now must be aligned to 16 bytes with openssl( previously with WolfSSL only), ot crashes will happen - updated aes-t , to be better debuggable using function, rather than a huge multiline macro added test that does "nopad" encryption piece-wise, to test replacement of EVP_CIPHER_CTX_buf_noconst part of MDEV-29000
4 years ago
MDEV-8162 func_str crashes on SELECT AES_DECRYPT(AES_ENCRYPT(...)) on line 107 encrypting 0 byte string *is* possible
11 years ago
MDEV-19684 enable intel assembly (AESNI etc) and fastmath when compiling WolfSSL Using different recommended speedup options for WolfSSL. - Enable x64 assembly code on Intel. - in my_crypt.cc, align EVP_CIPHER_CTX buffer, since some members need alignment of 16 (for AESNI instructions), when assembler is enabled. - Adjust MY_AES_CTX_SIZE - Enable fastmath in wolfssl (large integer math).
6 years ago
MDEV-10332 support for OpenSSL 1.1 and LibreSSL post-review fixes: * move all ssl implementation related ifdefs/defines to one file (ssl_compat.h) * work around OpenSSL-1.1 desire to malloc every EVP context by run-time checking that context allocated on the stack is big enough (openssl.c) * use newer version of the AWS SDK for OpenSSL 1.1 * use get_dh2048() function as generated by openssl 1.1 (viosslfactories.c)
9 years ago
MDEV-19684 enable intel assembly (AESNI etc) and fastmath when compiling WolfSSL Using different recommended speedup options for WolfSSL. - Enable x64 assembly code on Intel. - in my_crypt.cc, align EVP_CIPHER_CTX buffer, since some members need alignment of 16 (for AESNI instructions), when assembler is enabled. - Adjust MY_AES_CTX_SIZE - Enable fastmath in wolfssl (large integer math).
6 years ago
MDEV-8162 func_str crashes on SELECT AES_DECRYPT(AES_ENCRYPT(...)) on line 107 encrypting 0 byte string *is* possible
11 years ago
MDEV-25785 Add support for OpenSSL 3.0 Summary of changes - MD_CTX_SIZE is increased - EVP_CIPHER_CTX_buf_noconst(ctx) does not work anymore, points to nobody knows where. The assumption made previously was that (since the function does not seem to be documented) was that it points to the last partial source block. Add own partial block buffer for NOPAD encryption instead - SECLEVEL in CipherString in openssl.cnf had been downgraded to 0, from 1, to make TLSv1.0 and TLSv1.1 possible (according to https://github.com/openssl/openssl/blob/openssl-3.0.0/NEWS.md even though the manual for SSL_CTX_get_security_level claims that it should not be necessary) - Workaround Ssl_cipher_list issue, it now returns TLSv1.3 ciphers, in addition to what was set in --ssl-cipher - ctx_buf buffer now must be aligned to 16 bytes with openssl( previously with WolfSSL only), ot crashes will happen - updated aes-t , to be better debuggable using function, rather than a huge multiline macro added test that does "nopad" encryption piece-wise, to test replacement of EVP_CIPHER_CTX_buf_noconst part of MDEV-29000
4 years ago
MDEV-8162 func_str crashes on SELECT AES_DECRYPT(AES_ENCRYPT(...)) on line 107 encrypting 0 byte string *is* possible
11 years ago
MDEV-25785 Add support for OpenSSL 3.0 Summary of changes - MD_CTX_SIZE is increased - EVP_CIPHER_CTX_buf_noconst(ctx) does not work anymore, points to nobody knows where. The assumption made previously was that (since the function does not seem to be documented) was that it points to the last partial source block. Add own partial block buffer for NOPAD encryption instead - SECLEVEL in CipherString in openssl.cnf had been downgraded to 0, from 1, to make TLSv1.0 and TLSv1.1 possible (according to https://github.com/openssl/openssl/blob/openssl-3.0.0/NEWS.md even though the manual for SSL_CTX_get_security_level claims that it should not be necessary) - Workaround Ssl_cipher_list issue, it now returns TLSv1.3 ciphers, in addition to what was set in --ssl-cipher - ctx_buf buffer now must be aligned to 16 bytes with openssl( previously with WolfSSL only), ot crashes will happen - updated aes-t , to be better debuggable using function, rather than a huge multiline macro added test that does "nopad" encryption piece-wise, to test replacement of EVP_CIPHER_CTX_buf_noconst part of MDEV-29000
4 years ago
New encryption API. Piece-wise encryption. Instead of encrypt(src, dst, key, iv) that encrypts all data in one go, now we have encrypt_init(key,iv), encrypt_update(src,dst), and encrypt_finish(dst). This also causes collateral changes in the internal my_crypt.cc encryption functions and in the encryption service. There are wrappers to provide the old all-at-once encryption functionality. But binlog events are often written piecewise, they'll need the new api.
10 years ago
unify my_{en|de}crypt_{cbc|ecb|ctr}. no yassl support yet.
11 years ago
New encryption API. Piece-wise encryption. Instead of encrypt(src, dst, key, iv) that encrypts all data in one go, now we have encrypt_init(key,iv), encrypt_update(src,dst), and encrypt_finish(dst). This also causes collateral changes in the internal my_crypt.cc encryption functions and in the encryption service. There are wrappers to provide the old all-at-once encryption functionality. But binlog events are often written piecewise, they'll need the new api.
10 years ago
unify my_{en|de}crypt_{cbc|ecb|ctr}. no yassl support yet.
11 years ago
New encryption API. Piece-wise encryption. Instead of encrypt(src, dst, key, iv) that encrypts all data in one go, now we have encrypt_init(key,iv), encrypt_update(src,dst), and encrypt_finish(dst). This also causes collateral changes in the internal my_crypt.cc encryption functions and in the encryption service. There are wrappers to provide the old all-at-once encryption functionality. But binlog events are often written piecewise, they'll need the new api.
10 years ago
yassl support
11 years ago
New encryption API. Piece-wise encryption. Instead of encrypt(src, dst, key, iv) that encrypts all data in one go, now we have encrypt_init(key,iv), encrypt_update(src,dst), and encrypt_finish(dst). This also causes collateral changes in the internal my_crypt.cc encryption functions and in the encryption service. There are wrappers to provide the old all-at-once encryption functionality. But binlog events are often written piecewise, they'll need the new api.
10 years ago
yassl support
11 years ago
move AES_CTR to its own greatly simplified function * don't use do_crypt() for stream cipher AES_CTR * rename do_crypt to block_crypt to emphasize its specialization
11 years ago
yassl support
11 years ago
my_aes_encrypt_gcm() and my_aes_decrypt_gcm()
11 years ago
New encryption API. Piece-wise encryption. Instead of encrypt(src, dst, key, iv) that encrypts all data in one go, now we have encrypt_init(key,iv), encrypt_update(src,dst), and encrypt_finish(dst). This also causes collateral changes in the internal my_crypt.cc encryption functions and in the encryption service. There are wrappers to provide the old all-at-once encryption functionality. But binlog events are often written piecewise, they'll need the new api.
10 years ago
MDEV-10332 support for OpenSSL 1.1 and LibreSSL post-review fixes: * move all ssl implementation related ifdefs/defines to one file (ssl_compat.h) * work around OpenSSL-1.1 desire to malloc every EVP context by run-time checking that context allocated on the stack is big enough (openssl.c) * use newer version of the AWS SDK for OpenSSL 1.1 * use get_dh2048() function as generated by openssl 1.1 (viosslfactories.c)
9 years ago
New encryption API. Piece-wise encryption. Instead of encrypt(src, dst, key, iv) that encrypts all data in one go, now we have encrypt_init(key,iv), encrypt_update(src,dst), and encrypt_finish(dst). This also causes collateral changes in the internal my_crypt.cc encryption functions and in the encryption service. There are wrappers to provide the old all-at-once encryption functionality. But binlog events are often written piecewise, they'll need the new api.
10 years ago
MDEV-33746 Supply missing override markings Find and fix missing virtual override markings. Updates cmake maintainer flags to include -Wsuggest-override and -Winconsistent-missing-override.
1 year ago
New encryption API. Piece-wise encryption. Instead of encrypt(src, dst, key, iv) that encrypts all data in one go, now we have encrypt_init(key,iv), encrypt_update(src,dst), and encrypt_finish(dst). This also causes collateral changes in the internal my_crypt.cc encryption functions and in the encryption service. There are wrappers to provide the old all-at-once encryption functionality. But binlog events are often written piecewise, they'll need the new api.
10 years ago
MDEV-33746 Supply missing override markings Find and fix missing virtual override markings. Updates cmake maintainer flags to include -Wsuggest-override and -Winconsistent-missing-override.
1 year ago
my_aes_encrypt_gcm() and my_aes_decrypt_gcm()
11 years ago
New encryption API. Piece-wise encryption. Instead of encrypt(src, dst, key, iv) that encrypts all data in one go, now we have encrypt_init(key,iv), encrypt_update(src,dst), and encrypt_finish(dst). This also causes collateral changes in the internal my_crypt.cc encryption functions and in the encryption service. There are wrappers to provide the old all-at-once encryption functionality. But binlog events are often written piecewise, they'll need the new api.
10 years ago
MDEV-10332 support for OpenSSL 1.1 and LibreSSL Initial support tested against OpenSSL 1.0.1, 1.0.2, 1.1.0, Yassl and LibreSSL not working on Windows with native SChannel support, due to wrong cipher mapping: Latter one requires push of CONC-241 fixes. Please note that OpenSSL 0.9.8 and OpenSSL 1.1.0 will not work: Even if the build succeeds, test cases will fail with various errors, especially when using different tls libraries or versions for client and server.
9 years ago
New encryption API. Piece-wise encryption. Instead of encrypt(src, dst, key, iv) that encrypts all data in one go, now we have encrypt_init(key,iv), encrypt_update(src,dst), and encrypt_finish(dst). This also causes collateral changes in the internal my_crypt.cc encryption functions and in the encryption service. There are wrappers to provide the old all-at-once encryption functionality. But binlog events are often written piecewise, they'll need the new api.
10 years ago
my_aes_encrypt_gcm() and my_aes_decrypt_gcm()
11 years ago
MDEV-33746 Supply missing override markings Find and fix missing virtual override markings. Updates cmake maintainer flags to include -Wsuggest-override and -Winconsistent-missing-override.
1 year ago
my_aes_encrypt_gcm() and my_aes_decrypt_gcm()
11 years ago
New encryption API. Piece-wise encryption. Instead of encrypt(src, dst, key, iv) that encrypts all data in one go, now we have encrypt_init(key,iv), encrypt_update(src,dst), and encrypt_finish(dst). This also causes collateral changes in the internal my_crypt.cc encryption functions and in the encryption service. There are wrappers to provide the old all-at-once encryption functionality. But binlog events are often written piecewise, they'll need the new api.
10 years ago
MDEV-10332 support for OpenSSL 1.1 and LibreSSL post-review fixes: * move all ssl implementation related ifdefs/defines to one file (ssl_compat.h) * work around OpenSSL-1.1 desire to malloc every EVP context by run-time checking that context allocated on the stack is big enough (openssl.c) * use newer version of the AWS SDK for OpenSSL 1.1 * use get_dh2048() function as generated by openssl 1.1 (viosslfactories.c)
9 years ago
New encryption API. Piece-wise encryption. Instead of encrypt(src, dst, key, iv) that encrypts all data in one go, now we have encrypt_init(key,iv), encrypt_update(src,dst), and encrypt_finish(dst). This also causes collateral changes in the internal my_crypt.cc encryption functions and in the encryption service. There are wrappers to provide the old all-at-once encryption functionality. But binlog events are often written piecewise, they'll need the new api.
10 years ago
Fix for MDEV-11174: A GCM encrypted ciphertext must contain an authentication tag with AES_BLOCK_SIZE length, so we need to check that the length of ciphertext is at least AES_BLOCK_SIZE.
9 years ago
New encryption API. Piece-wise encryption. Instead of encrypt(src, dst, key, iv) that encrypts all data in one go, now we have encrypt_init(key,iv), encrypt_update(src,dst), and encrypt_finish(dst). This also causes collateral changes in the internal my_crypt.cc encryption functions and in the encryption service. There are wrappers to provide the old all-at-once encryption functionality. But binlog events are often written piecewise, they'll need the new api.
10 years ago
MDEV-10332 support for OpenSSL 1.1 and LibreSSL Initial support tested against OpenSSL 1.0.1, 1.0.2, 1.1.0, Yassl and LibreSSL not working on Windows with native SChannel support, due to wrong cipher mapping: Latter one requires push of CONC-241 fixes. Please note that OpenSSL 0.9.8 and OpenSSL 1.1.0 will not work: Even if the build succeeds, test cases will fail with various errors, especially when using different tls libraries or versions for client and server.
9 years ago
New encryption API. Piece-wise encryption. Instead of encrypt(src, dst, key, iv) that encrypts all data in one go, now we have encrypt_init(key,iv), encrypt_update(src,dst), and encrypt_finish(dst). This also causes collateral changes in the internal my_crypt.cc encryption functions and in the encryption service. There are wrappers to provide the old all-at-once encryption functionality. But binlog events are often written piecewise, they'll need the new api.
10 years ago
MDEV-10332 support for OpenSSL 1.1 and LibreSSL post-review fixes: * move all ssl implementation related ifdefs/defines to one file (ssl_compat.h) * work around OpenSSL-1.1 desire to malloc every EVP context by run-time checking that context allocated on the stack is big enough (openssl.c) * use newer version of the AWS SDK for OpenSSL 1.1 * use get_dh2048() function as generated by openssl 1.1 (viosslfactories.c)
9 years ago
MDEV-10332 support for OpenSSL 1.1 and LibreSSL Initial support tested against OpenSSL 1.0.1, 1.0.2, 1.1.0, Yassl and LibreSSL not working on Windows with native SChannel support, due to wrong cipher mapping: Latter one requires push of CONC-241 fixes. Please note that OpenSSL 0.9.8 and OpenSSL 1.1.0 will not work: Even if the build succeeds, test cases will fail with various errors, especially when using different tls libraries or versions for client and server.
9 years ago
my_aes_encrypt_gcm() and my_aes_decrypt_gcm()
11 years ago
New encryption API. Piece-wise encryption. Instead of encrypt(src, dst, key, iv) that encrypts all data in one go, now we have encrypt_init(key,iv), encrypt_update(src,dst), and encrypt_finish(dst). This also causes collateral changes in the internal my_crypt.cc encryption functions and in the encryption service. There are wrappers to provide the old all-at-once encryption functionality. But binlog events are often written piecewise, they'll need the new api.
10 years ago
my_aes_encrypt_gcm() and my_aes_decrypt_gcm()
11 years ago
MDEV-33746 Supply missing override markings Find and fix missing virtual override markings. Updates cmake maintainer flags to include -Wsuggest-override and -Winconsistent-missing-override.
1 year ago
my_aes_encrypt_gcm() and my_aes_decrypt_gcm()
11 years ago
MDEV-10332 support for OpenSSL 1.1 and LibreSSL post-review fixes: * move all ssl implementation related ifdefs/defines to one file (ssl_compat.h) * work around OpenSSL-1.1 desire to malloc every EVP context by run-time checking that context allocated on the stack is big enough (openssl.c) * use newer version of the AWS SDK for OpenSSL 1.1 * use get_dh2048() function as generated by openssl 1.1 (viosslfactories.c)
9 years ago
MDEV-10332 support for OpenSSL 1.1 and LibreSSL Initial support tested against OpenSSL 1.0.1, 1.0.2, 1.1.0, Yassl and LibreSSL not working on Windows with native SChannel support, due to wrong cipher mapping: Latter one requires push of CONC-241 fixes. Please note that OpenSSL 0.9.8 and OpenSSL 1.1.0 will not work: Even if the build succeeds, test cases will fail with various errors, especially when using different tls libraries or versions for client and server.
9 years ago
New encryption API. Piece-wise encryption. Instead of encrypt(src, dst, key, iv) that encrypts all data in one go, now we have encrypt_init(key,iv), encrypt_update(src,dst), and encrypt_finish(dst). This also causes collateral changes in the internal my_crypt.cc encryption functions and in the encryption service. There are wrappers to provide the old all-at-once encryption functionality. But binlog events are often written piecewise, they'll need the new api.
10 years ago
my_aes_encrypt_gcm() and my_aes_decrypt_gcm()
11 years ago
MDEV-10332 support for OpenSSL 1.1 and LibreSSL post-review fixes: * move all ssl implementation related ifdefs/defines to one file (ssl_compat.h) * work around OpenSSL-1.1 desire to malloc every EVP context by run-time checking that context allocated on the stack is big enough (openssl.c) * use newer version of the AWS SDK for OpenSSL 1.1 * use get_dh2048() function as generated by openssl 1.1 (viosslfactories.c)
9 years ago
New encryption API. Piece-wise encryption. Instead of encrypt(src, dst, key, iv) that encrypts all data in one go, now we have encrypt_init(key,iv), encrypt_update(src,dst), and encrypt_finish(dst). This also causes collateral changes in the internal my_crypt.cc encryption functions and in the encryption service. There are wrappers to provide the old all-at-once encryption functionality. But binlog events are often written piecewise, they'll need the new api.
10 years ago
MDEV-10332 support for OpenSSL 1.1 and LibreSSL Initial support tested against OpenSSL 1.0.1, 1.0.2, 1.1.0, Yassl and LibreSSL not working on Windows with native SChannel support, due to wrong cipher mapping: Latter one requires push of CONC-241 fixes. Please note that OpenSSL 0.9.8 and OpenSSL 1.1.0 will not work: Even if the build succeeds, test cases will fail with various errors, especially when using different tls libraries or versions for client and server.
9 years ago
New encryption API. Piece-wise encryption. Instead of encrypt(src, dst, key, iv) that encrypts all data in one go, now we have encrypt_init(key,iv), encrypt_update(src,dst), and encrypt_finish(dst). This also causes collateral changes in the internal my_crypt.cc encryption functions and in the encryption service. There are wrappers to provide the old all-at-once encryption functionality. But binlog events are often written piecewise, they'll need the new api.
10 years ago
my_aes_encrypt_gcm() and my_aes_decrypt_gcm()
11 years ago
New encryption API. Piece-wise encryption. Instead of encrypt(src, dst, key, iv) that encrypts all data in one go, now we have encrypt_init(key,iv), encrypt_update(src,dst), and encrypt_finish(dst). This also causes collateral changes in the internal my_crypt.cc encryption functions and in the encryption service. There are wrappers to provide the old all-at-once encryption functionality. But binlog events are often written piecewise, they'll need the new api.
10 years ago
my_aes_encrypt_gcm() and my_aes_decrypt_gcm()
11 years ago
New encryption API. Piece-wise encryption. Instead of encrypt(src, dst, key, iv) that encrypts all data in one go, now we have encrypt_init(key,iv), encrypt_update(src,dst), and encrypt_finish(dst). This also causes collateral changes in the internal my_crypt.cc encryption functions and in the encryption service. There are wrappers to provide the old all-at-once encryption functionality. But binlog events are often written piecewise, they'll need the new api.
10 years ago
my_aes_encrypt_gcm() and my_aes_decrypt_gcm()
11 years ago
New encryption API. Piece-wise encryption. Instead of encrypt(src, dst, key, iv) that encrypts all data in one go, now we have encrypt_init(key,iv), encrypt_update(src,dst), and encrypt_finish(dst). This also causes collateral changes in the internal my_crypt.cc encryption functions and in the encryption service. There are wrappers to provide the old all-at-once encryption functionality. But binlog events are often written piecewise, they'll need the new api.
10 years ago
my_aes_encrypt_gcm() and my_aes_decrypt_gcm()
11 years ago
New encryption API. Piece-wise encryption. Instead of encrypt(src, dst, key, iv) that encrypts all data in one go, now we have encrypt_init(key,iv), encrypt_update(src,dst), and encrypt_finish(dst). This also causes collateral changes in the internal my_crypt.cc encryption functions and in the encryption service. There are wrappers to provide the old all-at-once encryption functionality. But binlog events are often written piecewise, they'll need the new api.
10 years ago
Cleanup to be able to compile with YASSL. Temporary push as some tests still fails.
11 years ago
New encryption API. Piece-wise encryption. Instead of encrypt(src, dst, key, iv) that encrypts all data in one go, now we have encrypt_init(key,iv), encrypt_update(src,dst), and encrypt_finish(dst). This also causes collateral changes in the internal my_crypt.cc encryption functions and in the encryption service. There are wrappers to provide the old all-at-once encryption functionality. But binlog events are often written piecewise, they'll need the new api.
10 years ago
Cleanup to be able to compile with YASSL. Temporary push as some tests still fails.
11 years ago
New encryption API. Piece-wise encryption. Instead of encrypt(src, dst, key, iv) that encrypts all data in one go, now we have encrypt_init(key,iv), encrypt_update(src,dst), and encrypt_finish(dst). This also causes collateral changes in the internal my_crypt.cc encryption functions and in the encryption service. There are wrappers to provide the old all-at-once encryption functionality. But binlog events are often written piecewise, they'll need the new api.
10 years ago
Cleanup to be able to compile with YASSL. Temporary push as some tests still fails.
11 years ago
New encryption API. Piece-wise encryption. Instead of encrypt(src, dst, key, iv) that encrypts all data in one go, now we have encrypt_init(key,iv), encrypt_update(src,dst), and encrypt_finish(dst). This also causes collateral changes in the internal my_crypt.cc encryption functions and in the encryption service. There are wrappers to provide the old all-at-once encryption functionality. But binlog events are often written piecewise, they'll need the new api.
10 years ago
unify my_{en|de}crypt_{cbc|ecb|ctr}. no yassl support yet.
11 years ago
New encryption API. Piece-wise encryption. Instead of encrypt(src, dst, key, iv) that encrypts all data in one go, now we have encrypt_init(key,iv), encrypt_update(src,dst), and encrypt_finish(dst). This also causes collateral changes in the internal my_crypt.cc encryption functions and in the encryption service. There are wrappers to provide the old all-at-once encryption functionality. But binlog events are often written piecewise, they'll need the new api.
10 years ago
unify my_{en|de}crypt_{cbc|ecb|ctr}. no yassl support yet.
11 years ago
New encryption API. Piece-wise encryption. Instead of encrypt(src, dst, key, iv) that encrypts all data in one go, now we have encrypt_init(key,iv), encrypt_update(src,dst), and encrypt_finish(dst). This also causes collateral changes in the internal my_crypt.cc encryption functions and in the encryption service. There are wrappers to provide the old all-at-once encryption functionality. But binlog events are often written piecewise, they'll need the new api.
10 years ago
unify my_{en|de}crypt_{cbc|ecb|ctr}. no yassl support yet.
11 years ago
New encryption API. Piece-wise encryption. Instead of encrypt(src, dst, key, iv) that encrypts all data in one go, now we have encrypt_init(key,iv), encrypt_update(src,dst), and encrypt_finish(dst). This also causes collateral changes in the internal my_crypt.cc encryption functions and in the encryption service. There are wrappers to provide the old all-at-once encryption functionality. But binlog events are often written piecewise, they'll need the new api.
10 years ago
unify my_{en|de}crypt_{cbc|ecb|ctr}. no yassl support yet.
11 years ago
New encryption API. Piece-wise encryption. Instead of encrypt(src, dst, key, iv) that encrypts all data in one go, now we have encrypt_init(key,iv), encrypt_update(src,dst), and encrypt_finish(dst). This also causes collateral changes in the internal my_crypt.cc encryption functions and in the encryption service. There are wrappers to provide the old all-at-once encryption functionality. But binlog events are often written piecewise, they'll need the new api.
10 years ago
MDEV-10332 support for OpenSSL 1.1 and LibreSSL post-review fixes: * move all ssl implementation related ifdefs/defines to one file (ssl_compat.h) * work around OpenSSL-1.1 desire to malloc every EVP context by run-time checking that context allocated on the stack is big enough (openssl.c) * use newer version of the AWS SDK for OpenSSL 1.1 * use get_dh2048() function as generated by openssl 1.1 (viosslfactories.c)
9 years ago
New encryption API. Piece-wise encryption. Instead of encrypt(src, dst, key, iv) that encrypts all data in one go, now we have encrypt_init(key,iv), encrypt_update(src,dst), and encrypt_finish(dst). This also causes collateral changes in the internal my_crypt.cc encryption functions and in the encryption service. There are wrappers to provide the old all-at-once encryption functionality. But binlog events are often written piecewise, they'll need the new api.
10 years ago
MDEV-10332 support for OpenSSL 1.1 and LibreSSL post-review fixes: * move all ssl implementation related ifdefs/defines to one file (ssl_compat.h) * work around OpenSSL-1.1 desire to malloc every EVP context by run-time checking that context allocated on the stack is big enough (openssl.c) * use newer version of the AWS SDK for OpenSSL 1.1 * use get_dh2048() function as generated by openssl 1.1 (viosslfactories.c)
9 years ago
New encryption API. Piece-wise encryption. Instead of encrypt(src, dst, key, iv) that encrypts all data in one go, now we have encrypt_init(key,iv), encrypt_update(src,dst), and encrypt_finish(dst). This also causes collateral changes in the internal my_crypt.cc encryption functions and in the encryption service. There are wrappers to provide the old all-at-once encryption functionality. But binlog events are often written piecewise, they'll need the new api.
10 years ago
Cleanup to be able to compile with YASSL. Temporary push as some tests still fails.
11 years ago
MDEV-11663 Create services for functionality used by plugins Added service for - encryption (AES) - error reporting, e.g my_printf_error()
9 years ago
New encryption API. Piece-wise encryption. Instead of encrypt(src, dst, key, iv) that encrypts all data in one go, now we have encrypt_init(key,iv), encrypt_update(src,dst), and encrypt_finish(dst). This also causes collateral changes in the internal my_crypt.cc encryption functions and in the encryption service. There are wrappers to provide the old all-at-once encryption functionality. But binlog events are often written piecewise, they'll need the new api.
10 years ago
Cleanup to be able to compile with YASSL. Temporary push as some tests still fails.
11 years ago
MDEV-14343 Server crash on FIPS with openssl-1.0.2k don't use internal undocumented OpenSSL functionality
8 years ago
remove now-empty my_aes.{h,cc} move remaning defines to my_crypt, add MY_ namespace prefix
11 years ago
Cleanup to be able to compile with YASSL. Temporary push as some tests still fails.
11 years ago
remove now-empty my_aes.{h,cc} move remaning defines to my_crypt, add MY_ namespace prefix
11 years ago
  1. /*
  2. Copyright (c) 2014 Google Inc.
  3. Copyright (c) 2014, 2019, MariaDB Corporation.
  5. This program is free software; you can redistribute it and/or modify
  6. it under the terms of the GNU General Public License as published by
  7. the Free Software Foundation; version 2 of the License.
  9. This program is distributed in the hope that it will be useful,
  10. but WITHOUT ANY WARRANTY; without even the implied warranty of
  11. MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  12. GNU General Public License for more details.
  14. You should have received a copy of the GNU General Public License
  15. along with this program; if not, write to the Free Software
  16. Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1335 USA */
  18. #include <my_global.h>
  19. #include <string.h>
  21. #define template _template /* bug in WolfSSL 4.4.0, see also violite.h */
  22. #include <openssl/evp.h>
  23. #undef template
  24. #include <openssl/aes.h>
  25. #include <openssl/err.h>
  26. #include <openssl/rand.h>
  28. #include <my_crypt.h>
  29. #include <ssl_compat.h>
  30. #include <cstdint>
  32. #define CTX_ALIGN 16
  34. class MyCTX
  35. {
  36. public:
  37. char ctx_buf[EVP_CIPHER_CTX_SIZE + CTX_ALIGN];
  38. EVP_CIPHER_CTX* ctx;
  39. MyCTX()
  40. {
  41. #if CTX_ALIGN > 0
  42. uintptr_t p= ((uintptr_t)ctx_buf + (CTX_ALIGN - 1)) & ~(CTX_ALIGN - 1);
  43. ctx = reinterpret_cast<EVP_CIPHER_CTX*>(p);
  44. #else
  45. ctx = (EVP_CIPHER_CTX*)ctx_buf;
  46. #endif
  48. EVP_CIPHER_CTX_init(ctx);
  49. }
  50. virtual ~MyCTX()
  51. {
  52. EVP_CIPHER_CTX_reset(ctx);
  53. ERR_remove_state(0);
  54. }
  56. virtual int init(const EVP_CIPHER *cipher, int encrypt, const uchar *key,
  57. uint klen, const uchar *iv, uint ivlen)
  58. {
  59. compile_time_assert(MY_AES_CTX_SIZE >= sizeof(MyCTX));
  60. if (unlikely(!cipher))
  61. return MY_AES_BAD_KEYSIZE;
  63. if (EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, encrypt) != 1)
  64. return MY_AES_OPENSSL_ERROR;
  66. DBUG_ASSERT(EVP_CIPHER_CTX_key_length(ctx) == (int)klen);
  67. DBUG_ASSERT(EVP_CIPHER_CTX_iv_length(ctx) <= (int)ivlen);
  69. return MY_AES_OK;
  70. }
  71. virtual int update(const uchar *src, uint slen, uchar *dst, uint *dlen)
  72. {
  73. #ifdef HAVE_WOLFSSL
  74. // WolfSSL checks parameters and does not like NULL pointers to be passed to function below.
  75. if (!src)
  76. {
  77. static uchar dummy[MY_AES_BLOCK_SIZE];
  78. DBUG_ASSERT(!slen);
  79. src=dummy;
  80. }
  81. #endif
  83. if (EVP_CipherUpdate(ctx, dst, (int*)dlen, src, slen) != 1)
  84. return MY_AES_OPENSSL_ERROR;
  85. return MY_AES_OK;
  86. }
  87. virtual int finish(uchar *dst, uint *dlen)
  88. {
  89. if (EVP_CipherFinal_ex(ctx, dst, (int*)dlen) != 1)
  90. return MY_AES_BAD_DATA;
  91. return MY_AES_OK;
  92. }
  93. };
  95. class MyCTX_nopad : public MyCTX
  96. {
  97. public:
  98. const uchar *key;
  99. uint klen, source_tail_len;
  100. uchar oiv[MY_AES_BLOCK_SIZE];
  101. uchar source_tail[MY_AES_BLOCK_SIZE];
  103. MyCTX_nopad() : MyCTX() { }
  104. ~MyCTX_nopad() override = default;
  106. int init(const EVP_CIPHER *cipher, int encrypt, const uchar *key, uint klen,
  107. const uchar *iv, uint ivlen) override
  108. {
  109. compile_time_assert(MY_AES_CTX_SIZE >= sizeof(MyCTX_nopad));
  110. this->key= key;
  111. this->klen= klen;
  112. this->source_tail_len= 0;
  113. if (ivlen)
  114. memcpy(oiv, iv, ivlen);
  115. DBUG_ASSERT(ivlen == 0 || ivlen == sizeof(oiv));
  117. int res= MyCTX::init(cipher, encrypt, key, klen, iv, ivlen);
  119. EVP_CIPHER_CTX_set_padding(ctx, 0);
  120. return res;
  121. }
  123. /** Update last partial source block, stored in source_tail array. */
  124. void update_source_tail(const uchar* src, uint slen)
  125. {
  126. if (!slen)
  127. return;
  128. uint new_tail_len= (source_tail_len + slen) % MY_AES_BLOCK_SIZE;
  129. if (new_tail_len)
  130. {
  131. if (slen + source_tail_len < MY_AES_BLOCK_SIZE)
  132. {
  133. memcpy(source_tail + source_tail_len, src, slen);
  134. }
  135. else
  136. {
  137. DBUG_ASSERT(slen > new_tail_len);
  138. memcpy(source_tail, src + slen - new_tail_len, new_tail_len);
  139. }
  140. }
  141. source_tail_len= new_tail_len;
  142. }
  144. int update(const uchar *src, uint slen, uchar *dst, uint *dlen) override
  145. {
  146. update_source_tail(src, slen);
  147. return MyCTX::update(src, slen, dst, dlen);
  148. }
  150. int finish(uchar *dst, uint *dlen) override
  151. {
  152. if (source_tail_len)
  153. {
  154. /*
  155. Not much we can do, block ciphers cannot encrypt data that aren't
  156. a multiple of the block length. At least not without padding.
  157. Let's do something CTR-like for the last partial block.
  158. */
  159. uchar mask[MY_AES_BLOCK_SIZE];
  160. uint mlen;
  162. int rc= my_aes_crypt(MY_AES_ECB, ENCRYPTION_FLAG_ENCRYPT | ENCRYPTION_FLAG_NOPAD,
  163. oiv, sizeof(mask), mask, &mlen, key, klen, 0, 0);
  164. DBUG_ASSERT(rc == MY_AES_OK);
  165. if (rc)
  166. return rc;
  167. DBUG_ASSERT(mlen == sizeof(mask));
  169. for (uint i=0; i < source_tail_len; i++)
  170. dst[i]= source_tail[i] ^ mask[i];
  171. }
  172. *dlen= source_tail_len;
  173. return MY_AES_OK;
  174. }
  175. };
  177. #define make_aes_dispatcher(mode) \
  178. static inline const EVP_CIPHER *aes_ ## mode(uint klen) \
  179. { \
  180. switch (klen) { \
  181. case 16: return EVP_aes_128_ ## mode(); \
  182. case 24: return EVP_aes_192_ ## mode(); \
  183. case 32: return EVP_aes_256_ ## mode(); \
  184. default: return 0; \
  185. } \
  186. }
  188. make_aes_dispatcher(ecb)
  189. make_aes_dispatcher(cbc)
  190. #ifdef HAVE_EncryptAes128Ctr
  191. make_aes_dispatcher(ctr)
  192. #endif /* HAVE_EncryptAes128Ctr */
  193. #ifdef HAVE_EncryptAes128Gcm
  194. make_aes_dispatcher(gcm)
  196. /*
  197. special implementation for GCM; to fit OpenSSL AES-GCM into the
  198. existing my_aes_* API it does the following:
  199. - IV tail (over 12 bytes) goes to AAD
  200. - the tag is appended to the ciphertext
  201. */
  203. class MyCTX_gcm : public MyCTX
  204. {
  205. public:
  206. const uchar *aad;
  207. int aadlen;
  208. MyCTX_gcm() : MyCTX() { }
  209. ~MyCTX_gcm() override { }
  211. int init(const EVP_CIPHER *cipher, int encrypt, const uchar *key, uint klen,
  212. const uchar *iv, uint ivlen) override
  213. {
  214. compile_time_assert(MY_AES_CTX_SIZE >= sizeof(MyCTX_gcm));
  215. int res= MyCTX::init(cipher, encrypt, key, klen, iv, ivlen);
  216. int real_ivlen= EVP_CIPHER_CTX_iv_length(ctx);
  217. aad= iv + real_ivlen;
  218. aadlen= ivlen - real_ivlen;
  219. return res;
  220. }
  222. int update(const uchar *src, uint slen, uchar *dst, uint *dlen) override
  223. {
  224. /*
  225. note that this GCM class cannot do streaming decryption, because
  226. it needs the tag (which is located at the end of encrypted data)
  227. before decrypting the data. it can encrypt data piecewise, like, first
  228. half, then the second half, but it must decrypt all at once
  229. */
  230. if (!EVP_CIPHER_CTX_encrypting(ctx))
  231. {
  232. /* encrypted string must contain authenticaton tag (see MDEV-11174) */
  233. if (slen < MY_AES_BLOCK_SIZE)
  234. return MY_AES_BAD_DATA;
  235. slen-= MY_AES_BLOCK_SIZE;
  236. if(!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, MY_AES_BLOCK_SIZE,
  237. (void*)(src + slen)))
  238. return MY_AES_OPENSSL_ERROR;
  239. }
  240. int unused;
  241. if (aadlen && !EVP_CipherUpdate(ctx, NULL, &unused, aad, aadlen))
  242. return MY_AES_OPENSSL_ERROR;
  243. aadlen= 0;
  244. return MyCTX::update(src, slen, dst, dlen);
  245. }
  247. int finish(uchar *dst, uint *dlen) override
  248. {
  249. int fin;
  250. if (!EVP_CipherFinal_ex(ctx, dst, &fin))
  251. return MY_AES_BAD_DATA;
  252. DBUG_ASSERT(fin == 0);
  254. if (EVP_CIPHER_CTX_encrypting(ctx))
  255. {
  256. if(!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, MY_AES_BLOCK_SIZE, dst))
  257. return MY_AES_OPENSSL_ERROR;
  258. *dlen= MY_AES_BLOCK_SIZE;
  259. }
  260. else
  261. *dlen= 0;
  262. return MY_AES_OK;
  263. }
  264. };
  266. #endif
  268. const EVP_CIPHER *(*ciphers[])(uint)= {
  269. aes_ecb, aes_cbc
  270. #ifdef HAVE_EncryptAes128Ctr
  271. , aes_ctr
  272. #ifdef HAVE_EncryptAes128Gcm
  273. , aes_gcm
  274. #endif
  275. #endif
  276. };
  278. extern "C" {
  280. int my_aes_crypt_init(void *ctx, enum my_aes_mode mode, int flags,
  281. const unsigned char* key, unsigned int klen,
  282. const unsigned char* iv, unsigned int ivlen)
  283. {
  284. #ifdef HAVE_EncryptAes128Ctr
  285. #ifdef HAVE_EncryptAes128Gcm
  286. if (mode == MY_AES_GCM)
  287. if (flags & ENCRYPTION_FLAG_NOPAD)
  288. return MY_AES_OPENSSL_ERROR;
  289. else
  290. new (ctx) MyCTX_gcm();
  291. else
  292. #endif
  293. if (mode == MY_AES_CTR)
  294. new (ctx) MyCTX();
  295. else
  296. #endif
  297. if (flags & ENCRYPTION_FLAG_NOPAD)
  298. new (ctx) MyCTX_nopad();
  299. else
  300. new (ctx) MyCTX();
  301. return ((MyCTX*)ctx)->init(ciphers[mode](klen), flags & 1,
  302. key, klen, iv, ivlen);
  303. }
  305. int my_aes_crypt_update(void *ctx, const uchar *src, uint slen,
  306. uchar *dst, uint *dlen)
  307. {
  308. return ((MyCTX*)ctx)->update(src, slen, dst, dlen);
  309. }
  311. int my_aes_crypt_finish(void *ctx, uchar *dst, uint *dlen)
  312. {
  313. int res= ((MyCTX*)ctx)->finish(dst, dlen);
  314. ((MyCTX*)ctx)->~MyCTX();
  315. return res;
  316. }
  318. int my_aes_crypt(enum my_aes_mode mode, int flags,
  319. const uchar *src, uint slen, uchar *dst, uint *dlen,
  320. const uchar *key, uint klen, const uchar *iv, uint ivlen)
  321. {
  322. void *ctx= alloca(MY_AES_CTX_SIZE);
  323. int res1, res2;
  324. uint d1= 0, d2;
  325. if ((res1= my_aes_crypt_init(ctx, mode, flags, key, klen, iv, ivlen)))
  326. return res1;
  327. res1= my_aes_crypt_update(ctx, src, slen, dst, &d1);
  328. res2= my_aes_crypt_finish(ctx, dst + d1, &d2);
  329. if (res1 || res2)
  330. ERR_remove_state(0); /* in case of failure clear error queue */
  331. else
  332. *dlen= d1 + d2;
  333. return res1 ? res1 : res2;
  334. }
  337. /*
  338. calculate the length of the cyphertext from the length of the plaintext
  339. for different AES encryption modes with padding enabled.
  340. Without padding (ENCRYPTION_FLAG_NOPAD) cyphertext has the same length
  341. as the plaintext
  342. */
  343. unsigned int my_aes_get_size(enum my_aes_mode mode __attribute__((unused)), unsigned int source_length)
  344. {
  345. #ifdef HAVE_EncryptAes128Ctr
  346. if (mode == MY_AES_CTR)
  347. return source_length;
  348. #ifdef HAVE_EncryptAes128Gcm
  349. if (mode == MY_AES_GCM)
  350. return source_length + MY_AES_BLOCK_SIZE;
  351. #endif
  352. #endif
  353. return (source_length / MY_AES_BLOCK_SIZE + 1) * MY_AES_BLOCK_SIZE;
  354. }
  357. unsigned int my_aes_ctx_size(enum my_aes_mode)
  358. {
  359. return MY_AES_CTX_SIZE;
  360. }
  362. int my_random_bytes(uchar *buf, int num)
  363. {
  364. if (RAND_bytes(buf, num) != 1)
  365. return MY_AES_OPENSSL_ERROR;
  366. return MY_AES_OK;
  367. }
  369. }