MDEV-12763 10.2 uses deprecated openssl 1.0 apis even with 1.1

Use OpenSSL 1.1 when applicable. Create compatibility macros for OpenSSL 1.0- and YaSSL.

MDEV-12763 10.2 uses deprecated openssl 1.0 apis even with 1.1
Use OpenSSL 1.1 when applicable. Create compatibility macros for OpenSSL 1.0- and YaSSL.
bba169b9 · Sergei Golubchik · 031a0404 · bba169b9 · bba169b9 · bba169b9
Commit bba169b9 authored Sep 11, 2017 by Sergei Golubchik
7 changed files
--- a/extra/yassl/include/openssl/ssl.h
+++ b/extra/yassl/include/openssl/ssl.h
@@ -540,7 +540,7 @@ void MD5_Final(unsigned char*, MD5_CTX*);
 /* yaSSL extensions */
 int SSL_set_compression(SSL*);   /* turn on yaSSL zlib compression */
-char *yaSSL_ASN1_TIME_to_string(ASN1_TIME *time, char *buf, size_t len);
+char *yaSSL_ASN1_TIME_to_string(const ASN1_TIME *time, char *buf, size_t len);
 #include "transport_types.h"

--- a/extra/yassl/src/ssl.cpp
+++ b/extra/yassl/src/ssl.cpp
@@ -1736,7 +1736,7 @@ unsigned long ERR_get_error()
    // end stunnel needs
-    char *yaSSL_ASN1_TIME_to_string(ASN1_TIME *time, char *buf, size_t len)
+    char *yaSSL_ASN1_TIME_to_string(const ASN1_TIME *time, char *buf, size_t len)
    {
      tm t;
      static const char *month_names[12]=

--- a/include/ssl_compat.h
+++ b/include/ssl_compat.h
@@ -25,8 +25,8 @@
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
 #define HAVE_OPENSSL11 1
+#define SSL_LIBRARY OpenSSL_version(OPENSSL_VERSION)
 #define ERR_remove_state(X) ERR_clear_error()
-#define EVP_MD_CTX_cleanup(X) EVP_MD_CTX_reset(X)
 #define EVP_CIPHER_CTX_SIZE 168
 #define EVP_MD_CTX_SIZE 48
 #undef EVP_MD_CTX_init
@@ -34,8 +34,23 @@
 #undef EVP_CIPHER_CTX_init
 #define EVP_CIPHER_CTX_init(X) do { bzero((X), EVP_CIPHER_CTX_SIZE); EVP_CIPHER_CTX_reset(X); } while(0)
+/*
+  Macros below are deprecated. OpenSSL 1.1 may define them or not,
+  depending on how it was built.
+*/
+#undef ERR_free_strings
+#define ERR_free_strings()
+#undef EVP_cleanup
+#define EVP_cleanup()
+#undef CRYPTO_cleanup_all_ex_data
+#define CRYPTO_cleanup_all_ex_data()
+#undef SSL_load_error_strings
+#define SSL_load_error_strings()
 #else
 #define HAVE_OPENSSL10 1
+#define SSL_LIBRARY SSLeay_version(SSLEAY_VERSION)
 /*
  Unfortunately RAND_bytes manual page does not provide any guarantees
  in relation to blocking behavior. Here we explicitly use SSLeay random
@@ -51,6 +66,7 @@
 #endif /* HAVE_OPENSSL11 */
 #elif defined(HAVE_YASSL)
+#define SSL_LIBRARY "YaSSL " YASSL_VERSION
 #define BN_free(X) do { } while(0)
 #endif /* !defined(HAVE_YASSL) */
@@ -62,6 +78,11 @@
 #define EVP_CIPHER_CTX_encrypting(ctx)  ((ctx)->encrypt)
 #define EVP_CIPHER_CTX_SIZE             sizeof(EVP_CIPHER_CTX)
 #define EVP_MD_CTX_SIZE                 sizeof(EVP_MD_CTX)
+#define EVP_MD_CTX_reset(X) EVP_MD_CTX_cleanup(X)
+#define EVP_CIPHER_CTX_reset(X) EVP_CIPHER_CTX_cleanup(X)
+#define X509_get0_notBefore(X) X509_get_notBefore(X)
+#define X509_get0_notAfter(X) X509_get_notAfter(X)
 #endif
 #ifdef	__cplusplus

--- a/mysys_ssl/my_crypt.cc
+++ b/mysys_ssl/my_crypt.cc
@@ -43,7 +43,7 @@ class MyCTX
  }
  virtual ~MyCTX()
  {
-    EVP_CIPHER_CTX_cleanup(ctx);
+    EVP_CIPHER_CTX_reset(ctx);
    ERR_remove_state(0);
  }

--- a/mysys_ssl/my_md5.cc
+++ b/mysys_ssl/my_md5.cc
@@ -71,7 +71,7 @@ static void md5_input(EVP_MD_CTX *context, const uchar *buf, unsigned len)
 static void md5_result(EVP_MD_CTX *context, uchar digest[MD5_HASH_SIZE])
 {
  EVP_DigestFinal_ex(context, digest, NULL);
-  EVP_MD_CTX_cleanup(context);
+  EVP_MD_CTX_reset(context);
 }
 #endif /* HAVE_YASSL */

--- a/sql/mysqld.cc
+++ b/sql/mysqld.cc
@@ -8150,7 +8150,7 @@ static int show_ssl_get_cipher_list(THD *thd, SHOW_VAR *var, char *buff,
 #ifdef HAVE_YASSL
 static char *
-my_asn1_time_to_string(ASN1_TIME *time, char *buf, size_t len)
+my_asn1_time_to_string(const ASN1_TIME *time, char *buf, size_t len)
 {
  return yaSSL_ASN1_TIME_to_string(time, buf, len);
 }
@@ -8158,7 +8158,7 @@ my_asn1_time_to_string(ASN1_TIME *time, char *buf, size_t len)
 #else /* openssl */
 static char *
-my_asn1_time_to_string(ASN1_TIME *time, char *buf, size_t len)
+my_asn1_time_to_string(const ASN1_TIME *time, char *buf, size_t len)
 {
  int n_read;
  char *res= NULL;
@@ -8206,7 +8206,7 @@ show_ssl_get_server_not_before(THD *thd, SHOW_VAR *var, char *buff,
  {
    SSL *ssl= (SSL*) thd->net.vio->ssl_arg;
    X509 *cert= SSL_get_certificate(ssl);
-    ASN1_TIME *not_before= X509_get_notBefore(cert);
+    const ASN1_TIME *not_before= X509_get0_notBefore(cert);
    var->value= my_asn1_time_to_string(not_before, buff,
                                       SHOW_VAR_FUNC_BUFF_SIZE);
@@ -8240,7 +8240,7 @@ show_ssl_get_server_not_after(THD *thd, SHOW_VAR *var, char *buff,
  {
    SSL *ssl= (SSL*) thd->net.vio->ssl_arg;
    X509 *cert= SSL_get_certificate(ssl);
-    ASN1_TIME *not_after= X509_get_notAfter(cert);
+    const ASN1_TIME *not_after= X509_get0_notAfter(cert);
    var->value= my_asn1_time_to_string(not_after, buff,
                                       SHOW_VAR_FUNC_BUFF_SIZE);

--- a/sql/sys_vars.cc
+++ b/sql/sys_vars.cc
@@ -62,6 +62,7 @@
 #include "sql_repl.h"
 #include "opt_range.h"
 #include "rpl_parallel.h"
+#include <ssl_compat.h>
 /*
  The rule for this file: everything should be 'static'. When a sys_var
@@ -3528,16 +3529,6 @@ static Sys_var_charptr Sys_malloc_library(
       READ_ONLY GLOBAL_VAR(malloc_library), CMD_LINE_HELP_ONLY,
       IN_SYSTEM_CHARSET, DEFAULT(guess_malloc_library()));
-#ifdef HAVE_YASSL
-#include <openssl/ssl.h>
-#define SSL_LIBRARY "YaSSL " YASSL_VERSION
-#elif HAVE_OPENSSL
-#include <openssl/crypto.h>
-#define SSL_LIBRARY SSLeay_version(SSLEAY_VERSION)
-#else
-#error No SSL?
-#endif
 static char *ssl_library;
 static Sys_var_charptr Sys_ssl_library(
       "version_ssl_library", "Version of the used SSL library",