openssl: add a more specific DES support detection

Improve detection for DES support in OpenSSL, to allow compilation
against system OpenSSL without DES.

Note that MariaDB needs to be compiled against OpenSSL-like library
that itself has DES support which cmake detected. Positive detection
is indicated with CMake variable HAVE_des 1.

Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@surgut.co.uk>

cmake/ssl.cmake

@@ -60,6 +60,7 @@ MACRO (MYSQL_USE_BUNDLED_SSL)
   SET(HAVE_EncryptAes128Ctr OFF CACHE INTERNAL "wolfssl does support AES-CTR, but differently from openssl")
   SET(HAVE_EncryptAes128Gcm OFF CACHE INTERNAL "wolfssl does not support AES-GCM")
   SET(HAVE_X509_check_host ON CACHE INTERNAL  "wolfssl does support X509_check_host")
+  SET(HAVE_des ON CACHE INTERNAL "wolfssl does support DES API")
   CHANGE_SSL_SETTINGS("bundled")
   ADD_SUBDIRECTORY(extra/wolfssl)
   MESSAGE_ONCE(SSL_LIBRARIES "SSL_LIBRARIES = ${SSL_LIBRARIES}")
@@ -158,6 +159,8 @@ MACRO (MYSQL_CHECK_SSL)
                           HAVE_EncryptAes128Gcm)
       CHECK_SYMBOL_EXISTS(X509_check_host "openssl/x509v3.h"
                           HAVE_X509_check_host)
+      CHECK_SYMBOL_EXISTS(DES_set_key_unchecked "openssl/des.h"
+                          HAVE_des)
       SET(CMAKE_REQUIRED_INCLUDES)
       SET(CMAKE_REQUIRED_LIBRARIES)
       SET(CMAKE_REQUIRED_DEFINITIONS)

config.h.cmake

@@ -498,6 +498,7 @@
 #cmakedefine HAVE_COMPRESS 1
 #cmakedefine HAVE_EncryptAes128Ctr 1
 #cmakedefine HAVE_EncryptAes128Gcm 1
+#cmakedefine HAVE_des 1
 
 /*
   Stuff that always need to be defined (compile breaks without it)

mysql-test/main/func_encrypt_nossl.result

@@ -2,83 +2,83 @@ select des_encrypt("test", 'akeystr');
 des_encrypt("test", 'akeystr')
 NULL
 Warnings:
-Warning	1289	The 'des_encrypt' feature is disabled; you need MariaDB built with '--with-ssl' to have it working
+Warning	1289	The 'des_encrypt' feature is disabled; you need MariaDB built with 'openssl des cipher (HAVE_des)' to have it working
 select des_encrypt("test", 1);
 des_encrypt("test", 1)
 NULL
 Warnings:
-Warning	1289	The 'des_encrypt' feature is disabled; you need MariaDB built with '--with-ssl' to have it working
+Warning	1289	The 'des_encrypt' feature is disabled; you need MariaDB built with 'openssl des cipher (HAVE_des)' to have it working
 select des_encrypt("test", 9);
 des_encrypt("test", 9)
 NULL
 Warnings:
-Warning	1289	The 'des_encrypt' feature is disabled; you need MariaDB built with '--with-ssl' to have it working
+Warning	1289	The 'des_encrypt' feature is disabled; you need MariaDB built with 'openssl des cipher (HAVE_des)' to have it working
 select des_encrypt("test", 100);
 des_encrypt("test", 100)
 NULL
 Warnings:
-Warning	1289	The 'des_encrypt' feature is disabled; you need MariaDB built with '--with-ssl' to have it working
+Warning	1289	The 'des_encrypt' feature is disabled; you need MariaDB built with 'openssl des cipher (HAVE_des)' to have it working
 select des_encrypt("test", NULL);
 des_encrypt("test", NULL)
 NULL
 Warnings:
-Warning	1289	The 'des_encrypt' feature is disabled; you need MariaDB built with '--with-ssl' to have it working
+Warning	1289	The 'des_encrypt' feature is disabled; you need MariaDB built with 'openssl des cipher (HAVE_des)' to have it working
 select des_encrypt(NULL, NULL);
 des_encrypt(NULL, NULL)
 NULL
 Warnings:
-Warning	1289	The 'des_encrypt' feature is disabled; you need MariaDB built with '--with-ssl' to have it working
+Warning	1289	The 'des_encrypt' feature is disabled; you need MariaDB built with 'openssl des cipher (HAVE_des)' to have it working
 select des_decrypt("test", 'anotherkeystr');
 des_decrypt("test", 'anotherkeystr')
 NULL
 Warnings:
-Warning	1289	The 'des_decrypt' feature is disabled; you need MariaDB built with '--with-ssl' to have it working
+Warning	1289	The 'des_decrypt' feature is disabled; you need MariaDB built with 'openssl des cipher (HAVE_des)' to have it working
 select des_decrypt(1, 1);
 des_decrypt(1, 1)
 NULL
 Warnings:
-Warning	1289	The 'des_decrypt' feature is disabled; you need MariaDB built with '--with-ssl' to have it working
+Warning	1289	The 'des_decrypt' feature is disabled; you need MariaDB built with 'openssl des cipher (HAVE_des)' to have it working
 select des_decrypt(des_encrypt("test", 'thekey'));
 des_decrypt(des_encrypt("test", 'thekey'))
 NULL
 Warnings:
-Warning	1289	The 'des_decrypt' feature is disabled; you need MariaDB built with '--with-ssl' to have it working
+Warning	1289	The 'des_decrypt' feature is disabled; you need MariaDB built with 'openssl des cipher (HAVE_des)' to have it working
 select hex(des_encrypt("hello")),des_decrypt(des_encrypt("hello"));
 hex(des_encrypt("hello"))	des_decrypt(des_encrypt("hello"))
 NULL	NULL
 Warnings:
-Warning	1289	The 'des_encrypt' feature is disabled; you need MariaDB built with '--with-ssl' to have it working
-Warning	1289	The 'des_decrypt' feature is disabled; you need MariaDB built with '--with-ssl' to have it working
+Warning	1289	The 'des_encrypt' feature is disabled; you need MariaDB built with 'openssl des cipher (HAVE_des)' to have it working
+Warning	1289	The 'des_decrypt' feature is disabled; you need MariaDB built with 'openssl des cipher (HAVE_des)' to have it working
 select des_decrypt(des_encrypt("hello",4));
 des_decrypt(des_encrypt("hello",4))
 NULL
 Warnings:
-Warning	1289	The 'des_decrypt' feature is disabled; you need MariaDB built with '--with-ssl' to have it working
+Warning	1289	The 'des_decrypt' feature is disabled; you need MariaDB built with 'openssl des cipher (HAVE_des)' to have it working
 select des_decrypt(des_encrypt("hello",'test'),'test');
 des_decrypt(des_encrypt("hello",'test'),'test')
 NULL
 Warnings:
-Warning	1289	The 'des_decrypt' feature is disabled; you need MariaDB built with '--with-ssl' to have it working
+Warning	1289	The 'des_decrypt' feature is disabled; you need MariaDB built with 'openssl des cipher (HAVE_des)' to have it working
 select hex(des_encrypt("hello")),hex(des_encrypt("hello",5)),hex(des_encrypt("hello",'default_password'));
 hex(des_encrypt("hello"))	hex(des_encrypt("hello",5))	hex(des_encrypt("hello",'default_password'))
 NULL	NULL	NULL
 Warnings:
-Warning	1289	The 'des_encrypt' feature is disabled; you need MariaDB built with '--with-ssl' to have it working
-Warning	1289	The 'des_encrypt' feature is disabled; you need MariaDB built with '--with-ssl' to have it working
-Warning	1289	The 'des_encrypt' feature is disabled; you need MariaDB built with '--with-ssl' to have it working
+Warning	1289	The 'des_encrypt' feature is disabled; you need MariaDB built with 'openssl des cipher (HAVE_des)' to have it working
+Warning	1289	The 'des_encrypt' feature is disabled; you need MariaDB built with 'openssl des cipher (HAVE_des)' to have it working
+Warning	1289	The 'des_encrypt' feature is disabled; you need MariaDB built with 'openssl des cipher (HAVE_des)' to have it working
 select des_decrypt(des_encrypt("hello"),'default_password');
 des_decrypt(des_encrypt("hello"),'default_password')
 NULL
 Warnings:
-Warning	1289	The 'des_decrypt' feature is disabled; you need MariaDB built with '--with-ssl' to have it working
+Warning	1289	The 'des_decrypt' feature is disabled; you need MariaDB built with 'openssl des cipher (HAVE_des)' to have it working
 select des_decrypt(des_encrypt("hello",4),'password4');
 des_decrypt(des_encrypt("hello",4),'password4')
 NULL
 Warnings:
-Warning	1289	The 'des_decrypt' feature is disabled; you need MariaDB built with '--with-ssl' to have it working
+Warning	1289	The 'des_decrypt' feature is disabled; you need MariaDB built with 'openssl des cipher (HAVE_des)' to have it working
 SET @a=des_decrypt(des_encrypt("hello"));
 Warnings:
-Warning	1289	The 'des_decrypt' feature is disabled; you need MariaDB built with '--with-ssl' to have it working
+Warning	1289	The 'des_decrypt' feature is disabled; you need MariaDB built with 'openssl des cipher (HAVE_des)' to have it working
 flush des_key_file;
 select @a = des_decrypt(des_encrypt("hello"));
 @a = des_decrypt(des_encrypt("hello"))
@@ -90,9 +90,9 @@ select hex(des_decrypt(des_encrypt("hello",4),'password2'));
 hex(des_decrypt(des_encrypt("hello",4),'password2'))
 NULL
 Warnings:
-Warning	1289	The 'des_decrypt' feature is disabled; you need MariaDB built with '--with-ssl' to have it working
+Warning	1289	The 'des_decrypt' feature is disabled; you need MariaDB built with 'openssl des cipher (HAVE_des)' to have it working
 select hex(des_decrypt(des_encrypt("hello","hidden")));
 hex(des_decrypt(des_encrypt("hello","hidden")))
 NULL
 Warnings:
-Warning	1289	The 'des_decrypt' feature is disabled; you need MariaDB built with '--with-ssl' to have it working
+Warning	1289	The 'des_decrypt' feature is disabled; you need MariaDB built with 'openssl des cipher (HAVE_des)' to have it working

mysql-test/main/ssl_and_innodb.test

@@ -1,5 +1,5 @@
 -- source include/have_innodb.inc
--- source include/have_ssl_crypto_functs.inc
+-- source include/have_des.inc
 
 CREATE TABLE t1(a int) engine=innodb;
 INSERT INTO t1 VALUES (1);

sql/des_key_file.cc

@@ -19,7 +19,7 @@
 #include "log.h"                // sql_print_error
 #include <m_ctype.h>
 
-#ifdef HAVE_OPENSSL
+#ifdef HAVE_des
 
 struct st_des_keyschedule des_keyschedule[10];
 uint   des_default_key;
@@ -103,4 +103,4 @@ error:
   mysql_mutex_unlock(&LOCK_des_key_file);
   DBUG_RETURN(result);
 }
-#endif /* HAVE_OPENSSL */
+#endif /* HAVE_des */

sql/des_key_file.h

@@ -16,7 +16,7 @@
 #ifndef DES_KEY_FILE_INCLUDED
 #define DES_KEY_FILE_INCLUDED
 
-#ifdef HAVE_OPENSSL
+#ifdef HAVE_des
 #include <openssl/des.h>
 
 #include "violite.h"                /* DES_cblock, DES_key_schedule */
@@ -35,6 +35,6 @@ extern struct st_des_keyschedule des_keyschedule[10];
 extern uint des_default_key;
 
 bool load_des_key_file(const char *file_name);
-#endif /* HAVE_OPENSSL */
+#endif /* HAVE_des */
 
 #endif /* DES_KEY_FILE_INCLUDED */

sql/item_strfunc.cc

@@ -722,7 +722,7 @@ bool Item_func_concat::fix_length_and_dec()
 String *Item_func_des_encrypt::val_str(String *str)
 {
   DBUG_ASSERT(fixed == 1);
-#if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY)
+#if defined(HAVE_des) && !defined(EMBEDDED_LIBRARY)
   uint code= ER_WRONG_PARAMETERS_TO_PROCEDURE;
   DES_cblock ivec;
   struct st_des_keyblock keyblock;
@@ -811,8 +811,8 @@ error:
   THD *thd= current_thd;
   push_warning_printf(thd, Sql_condition::WARN_LEVEL_WARN,
                       ER_FEATURE_DISABLED, ER_THD(thd, ER_FEATURE_DISABLED),
-                      "des_encrypt", "--with-ssl");
-#endif /* defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY) */
+                      "des_encrypt", "openssl des cipher (HAVE_des)");
+#endif /* defined(HAVE_des) && !defined(EMBEDDED_LIBRARY) */
   null_value=1;
   return 0;
 }
@@ -821,7 +821,7 @@ error:
 String *Item_func_des_decrypt::val_str(String *str)
 {
   DBUG_ASSERT(fixed == 1);
-#if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY)
+#if defined(HAVE_des) && !defined(EMBEDDED_LIBRARY)
   uint code= ER_WRONG_PARAMETERS_TO_PROCEDURE;
   DES_cblock ivec;
   struct st_des_keyblock keyblock;
@@ -896,9 +896,9 @@ wrong_key:
     THD *thd= current_thd;
     push_warning_printf(thd, Sql_condition::WARN_LEVEL_WARN,
                         ER_FEATURE_DISABLED, ER_THD(thd, ER_FEATURE_DISABLED),
-                        "des_decrypt", "--with-ssl");
+                        "des_decrypt", "openssl des cipher (HAVE_des)");
   }
-#endif /* defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY) */
+#endif /* defined(HAVE_des) && !defined(EMBEDDED_LIBRARY) */
   null_value=1;
   return 0;
 }

sql/mysqld.cc

@@ -706,9 +706,6 @@ mysql_mutex_t LOCK_thread_id;
   server may be fairly high, we need a dedicated lock.
 */
 mysql_mutex_t LOCK_prepared_stmt_count;
-#ifdef HAVE_OPENSSL
-mysql_mutex_t LOCK_des_key_file;
-#endif
 mysql_rwlock_t LOCK_grant, LOCK_sys_init_connect, LOCK_sys_init_slave;
 mysql_rwlock_t LOCK_ssl_refresh;
 mysql_rwlock_t LOCK_all_status_vars;
@@ -849,7 +846,7 @@ static struct my_option pfs_early_options[]=
 
 PSI_file_key key_file_binlog,  key_file_binlog_cache, key_file_binlog_index,
   key_file_binlog_index_cache, key_file_casetest,
-  key_file_dbopt, key_file_des_key_file, key_file_ERRMSG, key_select_to_file,
+  key_file_dbopt, key_file_ERRMSG, key_select_to_file,
   key_file_fileparser, key_file_frm, key_file_global_ddl_log, key_file_load,
   key_file_loadfile, key_file_log_event_data, key_file_log_event_info,
   key_file_master_info, key_file_misc, key_file_partition_ddl_log,
@@ -860,16 +857,19 @@ PSI_file_key key_file_relaylog, key_file_relaylog_index,
              key_file_relaylog_cache, key_file_relaylog_index_cache;
 PSI_file_key key_file_binlog_state;
 
+#ifdef HAVE_des
+char *des_key_file;
+PSI_file_key key_file_des_key_file;
+PSI_mutex_key key_LOCK_des_key_file;
+mysql_mutex_t LOCK_des_key_file;
+#endif /* HAVE_des */
+
 #ifdef HAVE_PSI_INTERFACE
 #ifdef HAVE_MMAP
 PSI_mutex_key key_PAGE_lock, key_LOCK_sync, key_LOCK_active, key_LOCK_pool,
   key_LOCK_pending_checkpoint;
 #endif /* HAVE_MMAP */
 
-#ifdef HAVE_OPENSSL
-PSI_mutex_key key_LOCK_des_key_file;
-#endif /* HAVE_OPENSSL */
-
 PSI_mutex_key key_BINLOG_LOCK_index, key_BINLOG_LOCK_xid_list,
   key_BINLOG_LOCK_binlog_background_thread,
   key_LOCK_binlog_end_pos,
@@ -924,9 +924,9 @@ static PSI_mutex_info all_server_mutexes[]=
   { &key_LOCK_pool, "TC_LOG_MMAP::LOCK_pending_checkpoint", 0},
 #endif /* HAVE_MMAP */
 
-#ifdef HAVE_OPENSSL
+#ifdef HAVE_des
   { &key_LOCK_des_key_file, "LOCK_des_key_file", PSI_FLAG_GLOBAL},
-#endif /* HAVE_OPENSSL */
+#endif /* HAVE_des */
 
   { &key_BINLOG_LOCK_index, "MYSQL_BIN_LOG::LOCK_index", 0},
   { &key_BINLOG_LOCK_xid_list, "MYSQL_BIN_LOG::LOCK_xid_list", 0},
@@ -1454,7 +1454,6 @@ static void openssl_dynlock_destroy(openssl_lock_t *, const char *, int);
 static void openssl_lock_function(int, int, const char *, int);
 static void openssl_lock(int, openssl_lock_t *, const char *, int);
 #endif /* HAVE_OPENSSL10 */
-char *des_key_file;
 #ifndef EMBEDDED_LIBRARY
 struct st_VioSSLFd *ssl_acceptor_fd;
 #endif
@@ -2137,7 +2136,9 @@ static void clean_up_mutexes()
   mysql_mutex_destroy(&LOCK_global_table_stats);
   mysql_mutex_destroy(&LOCK_global_index_stats);
 #ifdef HAVE_OPENSSL
+#ifdef HAVE_des
   mysql_mutex_destroy(&LOCK_des_key_file);
+#endif /* HAVE_des */
 #if defined(HAVE_OPENSSL10) && !defined(HAVE_WOLFSSL)
   for (int i= 0; i < CRYPTO_num_locks(); ++i)
     mysql_rwlock_destroy(&openssl_stdlocks[i].lock);
@@ -4260,8 +4261,10 @@ static int init_thread_environment()
                    MY_MUTEX_INIT_SLOW);
 
 #ifdef HAVE_OPENSSL
+#ifdef HAVE_des
   mysql_mutex_init(key_LOCK_des_key_file,
                    &LOCK_des_key_file, MY_MUTEX_INIT_FAST);
+#endif /* HAVE_des */
 #if defined(HAVE_OPENSSL10) && !defined(HAVE_WOLFSSL)
   openssl_stdlocks= (openssl_lock_t*) OPENSSL_malloc(CRYPTO_num_locks() *
                                                      sizeof(openssl_lock_t));
@@ -4479,8 +4482,10 @@ static void init_ssl()
   {
     have_ssl= SHOW_OPTION_DISABLED;
   }
+#ifdef HAVE_des
   if (des_key_file)
     load_des_key_file(des_key_file);
+#endif /* HAVE_des */
 #endif /* HAVE_OPENSSL && ! EMBEDDED_LIBRARY */
 }
 
@@ -6566,12 +6571,12 @@ struct my_option my_long_options[]=
    &opt_debug_sync_timeout, 0,
    0, GET_UINT, OPT_ARG, 0, 0, UINT_MAX, 0, 0, 0},
 #endif /* defined(ENABLED_DEBUG_SYNC) */
-#ifdef HAVE_OPENSSL
+#ifdef HAVE_des
   {"des-key-file", 0,
    "Load keys for des_encrypt() and des_encrypt from given file.",
    &des_key_file, &des_key_file, 0, GET_STR, REQUIRED_ARG,
    0, 0, 0, 0, 0, 0},
-#endif /* HAVE_OPENSSL */
+#endif /* HAVE_des */
 #ifdef HAVE_STACKTRACE
   {"stack-trace", 0 , "Print a symbolic stack trace on failure",
    &opt_stack_trace, &opt_stack_trace, 0, GET_BOOL, NO_ARG, 1, 0, 0, 0, 0, 0},
@@ -7917,7 +7922,9 @@ static int mysql_init_variables(void)
   libwrapName= NullS;
 #endif
 #ifdef HAVE_OPENSSL
+#ifdef HAVE_des
   des_key_file = 0;
+#endif /* HAVE_des */
 #ifndef EMBEDDED_LIBRARY
   ssl_acceptor_fd= 0;
 #endif /* ! EMBEDDED_LIBRARY */
@@ -9112,7 +9119,9 @@ static PSI_file_info all_server_files[]=
   { &key_file_io_cache, "io_cache", 0},
   { &key_file_casetest, "casetest", 0},
   { &key_file_dbopt, "dbopt", 0},
+#ifdef HAVE_des
   { &key_file_des_key_file, "des_key_file", 0},
+#endif
   { &key_file_ERRMSG, "ERRMSG", 0},
   { &key_select_to_file, "select_to_file", 0},
   { &key_file_fileparser, "file_parser", 0},

sql/mysqld.h

@@ -310,10 +310,6 @@ extern PSI_mutex_key key_PAGE_lock, key_LOCK_sync, key_LOCK_active,
        key_LOCK_pool, key_LOCK_pending_checkpoint;
 #endif /* HAVE_MMAP */
 
-#ifdef HAVE_OPENSSL
-extern PSI_mutex_key key_LOCK_des_key_file;
-#endif
-
 extern PSI_mutex_key key_BINLOG_LOCK_index, key_BINLOG_LOCK_xid_list,
   key_BINLOG_LOCK_binlog_background_thread,
   key_LOCK_binlog_end_pos,
@@ -390,7 +386,7 @@ extern PSI_thread_key key_thread_delayed_insert,
 
 extern PSI_file_key key_file_binlog, key_file_binlog_cache,
        key_file_binlog_index, key_file_binlog_index_cache, key_file_casetest,
-  key_file_dbopt, key_file_des_key_file, key_file_ERRMSG, key_select_to_file,
+  key_file_dbopt, key_file_ERRMSG, key_select_to_file,
   key_file_fileparser, key_file_frm, key_file_global_ddl_log, key_file_load,
   key_file_loadfile, key_file_log_event_data, key_file_log_event_info,
   key_file_master_info, key_file_misc, key_file_partition_ddl_log,
@@ -403,6 +399,13 @@ extern PSI_socket_key key_socket_tcpip, key_socket_unix,
   key_socket_client_connection;
 extern PSI_file_key key_file_binlog_state;
 
+#ifdef HAVE_des
+extern char* des_key_file;
+extern PSI_file_key key_file_des_key_file;
+extern PSI_mutex_key key_LOCK_des_key_file;
+extern mysql_mutex_t LOCK_des_key_file;
+#endif
+
 #ifdef HAVE_PSI_INTERFACE
 void init_server_psi_keys();
 #endif /* HAVE_PSI_INTERFACE */
@@ -746,10 +749,6 @@ extern mysql_mutex_t
 extern MYSQL_PLUGIN_IMPORT mysql_mutex_t LOCK_global_system_variables;
 extern mysql_rwlock_t LOCK_all_status_vars;
 extern mysql_mutex_t LOCK_start_thread;
-#ifdef HAVE_OPENSSL
-extern char* des_key_file;
-extern mysql_mutex_t LOCK_des_key_file;
-#endif
 extern MYSQL_PLUGIN_IMPORT mysql_mutex_t LOCK_server_started;
 extern MYSQL_PLUGIN_IMPORT mysql_cond_t COND_server_started;
 extern mysql_rwlock_t LOCK_grant, LOCK_sys_init_connect, LOCK_sys_init_slave;

sql/sql_reload.cc

@@ -392,7 +392,7 @@ bool reload_acl_and_cache(THD *thd, unsigned long long options,
     }
   }
 #endif
-#ifdef HAVE_OPENSSL
+#ifdef HAVE_des
    if (options & REFRESH_DES_KEY_FILE)
    {
      if (des_key_file && load_des_key_file(des_key_file))