[fix] security issues
SUMMARY
=======
1. upgrade openssl to version 1.1.0l
2. backport patches from upstream
shimengchu.smc authored and songleiwang committed Aug 18, 2022
1 parent c5b6a64 commit 5896b49
Showing 4,240 changed files with 487,850 additions and 493,130 deletions.
2 changes: 1 addition & 1 deletion VERSION
@@ -1,5 +1,5 @@
MYSQL_VERSION_MAJOR=8
MYSQL_VERSION_MINOR=0
MYSQL_VERSION_PATCH=18
MYSQL_VERSION_PATCH=30
MYSQL_VERSION_EXTRA=
MYSQL_CLUSTER_VERSION_EXTRA=-rc
19 changes: 15 additions & 4 deletions cmake/ssl.cmake
Expand Up @@ -94,8 +94,7 @@ MACRO(RESET_SSL_VARIABLES)
ENDMACRO()

MACRO (MYSQL_USE_BUNDLED_OPENSSL)
SET(SOURCE_DIR "${CMAKE_SOURCE_DIR}/extra/openssl")
#SET(BINARY_DIR "${CMAKE_BINARY_DIR}/${CMAKE_CFG_INTDIR}/extra/openssl")
SET(SOURCE_DIR "${CMAKE_SOURCE_DIR}/extra/openssl-1.1.0l")
SET(BINARY_DIR ${SOURCE_DIR})
SET(SSL_INCLUDE_DIRS ${SOURCE_DIR}/include)
INCLUDE_DIRECTORIES(SYSTEM ${SSL_INCLUDE_DIRS})
Expand All @@ -111,12 +110,18 @@ MACRO (MYSQL_USE_BUNDLED_OPENSSL)
SET(MAKE_COMMAND make)
ENDIF()

# Advance the configuration and compilation of header files to the phase of cmake.
EXECUTE_PROCESS(COMMAND ${SOURCE_DIR}/config ${OPENSSL_CONFIGURE_OPTS} WORKING_DIRECTORY ${SOURCE_DIR})
EXECUTE_PROCESS(COMMAND ${MAKE_COMMAND} build_all_generated WORKING_DIRECTORY ${SOURCE_DIR})
# IS need comipled openssl
EXECUTE_PROCESS(COMMAND cd ${SOURCE_DIR}/ && make -j)

ExternalProject_Add(openssl
PREFIX extra/openssl
PREFIX extra/openssl-1.1.0l
SOURCE_DIR ${SOURCE_DIR}
BINARY_DIR ${BINARY_DIR}
STAMP_DIR ${BINARY_DIR}
CONFIGURE_COMMAND "${SOURCE_DIR}/config" ${OPENSSL_CONFIGURE_OPTS}
CONFIGURE_COMMAND ${CMAKE_COMMAND} -E echo "Skip configuration step"
BUILD_COMMAND ${MAKE_COMMAND}
INSTALL_COMMAND ""
)
Expand All @@ -131,6 +136,12 @@ MACRO (MYSQL_USE_BUNDLED_OPENSSL)
SET_TARGET_PROPERTIES(libcrypto PROPERTIES IMPORTED_LOCATION "${MY_OPENSSL_LIBCRYPTO}")
ADD_DEPENDENCIES(libcrypto openssl)

# Compat some interfaces hidden in OpenSSL-1.1.0l.
ADD_DEFINITIONS(-DOPENSSL_API_COMPAT=0x00908000L)

# Add bundled ssl include patch to system path.
INCLUDE_DIRECTORIES(SYSTEM ${SSL_INCLUDE_DIRS})

SET(SSL_LIBRARIES libssl libcrypto)
IF(CMAKE_SYSTEM_NAME MATCHES "SunOS")
SET(SSL_LIBRARIES ${SSL_LIBRARIES} ${LIBSOCKET})
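Review bot: The third configure-time step, `EXECUTE_PROCESS(COMMAND cd ${SOURCE_DIR}/ && make -j)`, is not run through a shell, so `cd` is not an executable and `&&`, `make`, `-j` are passed as literal arguments; since none of the three EXECUTE_PROCESS calls sets RESULT_VARIABLE, that failure — or a failing `config` run — is silent and cmake proceeds with a half-configured bundled OpenSSL. The ExternalProject's CONFIGURE_COMMAND is now an echo, so nothing later re-runs `config` either, and a change to OPENSSL_CONFIGURE_OPTS will not be picked up without a manual clean. I would give each step a WORKING_DIRECTORY and fail the configure on a non-zero status, as below. MYSQL_USE_BUNDLED_OPENSSL starts before and ends after this hunk.
```cmake
EXECUTE_PROCESS(COMMAND ${SOURCE_DIR}/config ${OPENSSL_CONFIGURE_OPTS}
  WORKING_DIRECTORY ${SOURCE_DIR}
  RESULT_VARIABLE OPENSSL_CONFIG_RESULT)
IF(NOT OPENSSL_CONFIG_RESULT EQUAL 0)
  MESSAGE(FATAL_ERROR "Bundled OpenSSL config failed (${OPENSSL_CONFIG_RESULT})")
ENDIF()
EXECUTE_PROCESS(COMMAND ${MAKE_COMMAND} build_all_generated
  WORKING_DIRECTORY ${SOURCE_DIR}
  RESULT_VARIABLE OPENSSL_GEN_RESULT)
IF(NOT OPENSSL_GEN_RESULT EQUAL 0)
  MESSAGE(FATAL_ERROR "Bundled OpenSSL build_all_generated failed (${OPENSSL_GEN_RESULT})")
ENDIF()
# IS needs the compiled bundled OpenSSL already at configure time.
EXECUTE_PROCESS(COMMAND ${MAKE_COMMAND} -j
  WORKING_DIRECTORY ${SOURCE_DIR}
  RESULT_VARIABLE OPENSSL_BUILD_RESULT)
IF(NOT OPENSSL_BUILD_RESULT EQUAL 0)
  MESSAGE(FATAL_ERROR "Bundled OpenSSL build failed (${OPENSSL_BUILD_RESULT})")
ENDIF()
# … unchanged: ExternalProject_Add(openssl …) …
```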
12 changes: 6 additions & 6 deletions extra/IS/consensus/CMakeLists.txt
Expand Up @@ -109,19 +109,19 @@ IF (CMAKE_SYSTEM_PROCESSOR STREQUAL "aarch64")
add_custom_command (
OUTPUT ${LIBEASY_OUTPUT}
COMMAND [ -d output ] && mkdir output || echo "create output"
COMMAND cd ${CMAKE_CURRENT_SOURCE_DIR}/../dependency/easy/src && ([ -d
bu ] || (mkdir bu && cd bu && cmake -D
CMAKE_INSTALL_PREFIX=${CMAKE_INSTALL_PREFIX} .. && cd ..) ) && cd
COMMAND cd ${CMAKE_CURRENT_SOURCE_DIR}/../dependency/easy/src &&
(rm -fr bu && mkdir bu && cd bu && cmake -D
CMAKE_INSTALL_PREFIX=${CMAKE_INSTALL_PREFIX} .. && cd ..) && cd
bu && make -j && make install
COMMENT "building libmyeasy"
)
ELSE()
add_custom_command (
OUTPUT ${LIBEASY_OUTPUT}
COMMAND [ -d output ] && mkdir output || echo "create output"
COMMAND cd ${CMAKE_CURRENT_SOURCE_DIR}/../dependency/easy/src && ([ -d
bu ] || (mkdir bu && cd bu && cmake -D
CMAKE_INSTALL_PREFIX=${CMAKE_INSTALL_PREFIX} -DEASY_SPIN_USE_SYS=1 .. && cd ..) ) && cd
COMMAND cd ${CMAKE_CURRENT_SOURCE_DIR}/../dependency/easy/src &&
(rm -fr bu && mkdir bu && cd bu && cmake -D
CMAKE_INSTALL_PREFIX=${CMAKE_INSTALL_PREFIX} -DEASY_SPIN_USE_SYS=1 .. && cd ..) && cd
bu && make -j && make install
COMMENT "building libmyeasy"
)
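Review bot: `rm -fr bu && mkdir bu && … cmake …` in both branches discards the libmyeasy build directory every time this custom command runs, so any rebuild of ${LIBEASY_OUTPUT} reconfigures and recompiles libeasy from scratch inside the source tree, with an unbounded `make -j`. If the intent is to force the new OpenSSL include path to be picked up, a `DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/../dependency/easy/src/CMakeLists.txt` on the custom command would achieve that without the wipe, and the build directory would be better placed under ${CMAKE_CURRENT_BINARY_DIR}. The unchanged first COMMAND, `[ -d output ] && mkdir output || echo "create output"`, also looks inverted — it only attempts mkdir when output already exists. The IF/ELSE enclosing both add_custom_command blocks starts before and ends after this hunk.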
4 changes: 3 additions & 1 deletion extra/IS/dependency/easy/src/CMakeLists.txt
Expand Up @@ -64,9 +64,11 @@ ELSE()
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -g -D_GNU_SOURCE -D__STDC_LIMIT_MACROS -Wall -Werror -fPIC -fno-strict-aliasing -O0 -DEASY_SPIN_USE_SYS")
set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -D_GNU_SOURCE -D__STDC_LIMIT_MACROS -O0 -DEASY_SPIN_USE_SYS")
ENDIF()
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DOPENSSL_API_COMPAT=0x00908000L")
set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -DOPENSSL_API_COMPAT=0x00908000L")
INCLUDE_DIRECTORIES (include io packet thread util packet/http)

SET(SSL_INCLUDE_DIRS ${CMAKE_SOURCE_DIR}/../../../../openssl/include/)
SET(SSL_INCLUDE_DIRS ${CMAKE_SOURCE_DIR}/../../../../openssl-1.1.0l/include/)
INCLUDE_DIRECTORIES(SYSTEM ${SSL_INCLUDE_DIRS})

add_library (myeasy STATIC ${PRJ_SRC})
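Review bot: `-DOPENSSL_API_COMPAT=0x00908000L` appended to CMAKE_C_FLAGS and CMAKE_CXX_FLAGS asks the 1.1.0 headers to keep every interface deprecated since 0.9.8 visible, so the upgrade retires none of the deprecated surface this library uses (SSL_CTX_set_tmp_rsa / SSL_CTX_need_tmp_RSA in easy_ssl.c, for instance), and it applies to every target configured in this directory, not just myeasy. I would mark it as a transitional shim with a comment such as `# TODO: temporary until easy_ssl.c is ported off 0.9.8-era APIs; raise to 0x10100000L once done` and scope it as `target_compile_definitions(myeasy PRIVATE OPENSSL_API_COMPAT=0x00908000L)` after `add_library(myeasy …)`. The `../../../../openssl-1.1.0l/include/` path hardcodes the bundled version in a second place; since this CMakeLists appears to be configured by its own cmake invocation from the consensus build, passing the include path in as a cache variable would keep it from drifting from cmake/ssl.cmake.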
44 changes: 24 additions & 20 deletions extra/IS/dependency/easy/src/io/easy_ssl.c
@@ -1,5 +1,6 @@
#include <sys/types.h>
#include <sys/socket.h>
#include <openssl/ssl_xdb.h>
#include <pthread.h>
#include "easy_ssl.h"
#include "easy_log.h"
Expand Down Expand Up @@ -35,7 +36,7 @@ static int easy_ssl_pass_phrase_cb(char *buf, int size, int rwflag, void *conf);
/**
* 初始化ssl
*/
static unsigned long id_function(void)
/*static unsigned long id_function(void)
{
return ((unsigned long) pthread_self());
}
Expand All @@ -47,7 +48,7 @@ static void locking_function(int mode, int type, const char *file, int line)
} else {
easy_spin_unlock(&easy_ssl_lock_cs[type]);
}
}
}*/
int easy_ssl_init()
{
if (easy_ssl_connection_index == -1) {
Expand Down Expand Up @@ -81,11 +82,11 @@ int easy_ssl_cleanup()
ENGINE_cleanup();
EVP_cleanup();
CRYPTO_cleanup_all_ex_data();
ERR_remove_state(0);
//ERR_remove_state(0);
ERR_free_strings();
//SSL_COMP_free();
//sk_SSL_COMP_free (SSL_COMP_get_compression_methods());
CRYPTO_mem_leaks_fp(stderr);
//CRYPTO_mem_leaks_fp(stderr);
easy_free((char *)easy_ssl_lock_cs);

return EASY_OK;
Expand Down Expand Up @@ -292,9 +293,7 @@ static int easy_ssl_handshake(easy_connection_t *c)
c->read = easy_ssl_read;
c->write = easy_ssl_write;

if (c->sc->connection->s3) {
c->sc->connection->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
}
ored_ssl_s3_flags(c->sc->connection, SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS);

return EASY_OK;
}
Expand Down Expand Up @@ -415,7 +414,6 @@ static void easy_ssl_connection_error(easy_connection_t *c, int sslerr, int err,
if (n == SSL_R_BLOCK_CIPHER_PAD_IS_WRONG /* 129 */
|| n == SSL_R_DIGEST_CHECK_FAILED /* 149 */
|| n == SSL_R_LENGTH_MISMATCH /* 159 */
|| n == SSL_R_NO_CIPHERS_PASSED /* 182 */
|| n == SSL_R_NO_CIPHERS_SPECIFIED /* 183 */
|| n == SSL_R_NO_SHARED_CIPHER /* 193 */
|| n == SSL_R_RECORD_LENGTH_MISMATCH /* 213 */
Expand Down Expand Up @@ -1077,25 +1075,31 @@ static int easy_ssl_certificate(easy_ssl_ctx_t *ssl, char *cert, char *key)

static int easy_ssl_generate_rsa512_key(easy_ssl_ctx_t *ssl)
{
RSA *key;
RSA *rsa;
BIGNUM *bn;
int ret = EASY_ERROR;

if (SSL_CTX_need_tmp_RSA(ssl->ctx) == 0) {
return EASY_OK;
}

key = RSA_generate_key(512, RSA_F4, NULL, NULL);
bn = BN_new();
rsa = RSA_new();

if (key) {
SSL_CTX_set_tmp_rsa(ssl->ctx, key);
if (bn && rsa && BN_set_word(bn, RSA_F4) &&
RSA_generate_key_ex(rsa, 512, bn, NULL)) {
SSL_CTX_set_tmp_rsa(ssl->ctx, rsa);
ret = EASY_OK;
}

RSA_free(key);
if (bn) BN_free(bn);
if (rsa) RSA_free(rsa);

return EASY_OK;
if (ret != EASY_OK) {
easy_ssl_error(EASY_LOG_ERROR, "RSA_generate_key(512) failed");
}

easy_ssl_error(EASY_LOG_ERROR, "RSA_generate_key(512) failed");

return EASY_ERROR;
return ret;
}

static int easy_ssl_dhparam(easy_ssl_ctx_t *ssl, char *file)
Expand Down Expand Up @@ -1136,10 +1140,10 @@ static int easy_ssl_dhparam(easy_ssl_ctx_t *ssl, char *file)
return EASY_ERROR;
}

dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
dh->g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);
dh_set_p(dh, BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL));
dh_set_g(dh, BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL));

if (dh->p == NULL || dh->g == NULL) {
if (dh_get_p(dh) == NULL || dh_get_g(dh) == NULL) {
easy_ssl_error(EASY_LOG_ERROR, "BN_bin2bn() failed");
DH_free(dh);
return EASY_ERROR;
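Review bot: The rewritten easy_ssl_generate_rsa512_key still installs a 512-bit ephemeral RSA key through SSL_CTX_set_tmp_rsa, and 512-bit RSA is factorable with modest resources, so a commit labelled as a security fix is preserving export-grade key exchange. As far as I recall, in OpenSSL 1.1.0 SSL_CTX_need_tmp_RSA() and SSL_CTX_set_tmp_rsa() are compatibility macros expanding to constants (0 and 1) because RSA export ciphers were removed, which would make the whole generation path dead code under the new bundled library — worth confirming against the bundled ssl.h; if so the function should collapse to `return EASY_OK;` with a comment explaining why, and if older OpenSSL builds must remain supported the size should be at least 2048 rather than 512. Separately, with id_function/locking_function commented out in the earlier hunk, the `easy_free((char *)easy_ssl_lock_cs)` left in easy_ssl_cleanup presumably frees an array that may no longer be allocated; I cannot see the allocation from here, so confirm it still happens or remove the free.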
File renamed without changes.
21 changes: 21 additions & 0 deletions extra/openssl-1.1.0l/AUTHORS
@@ -0,0 +1,21 @@
Andy Polyakov
Ben Laurie
Bodo M�ller
Emilia K�sper
Eric Young
Geoff Thorpe
Holger Reif
Kurt Roeckx
Lutz J�nicke
Mark J. Cox
Matt Caswell
Nils Larsch
Paul C. Sutton
Ralf S. Engelschall
Rich Salz
Richard Levitte
Stephen Henson
Steve Marquess
Tim Hudson
Ulf M�ller
Viktor Dukhovni
