Improve detection for DES support in OpenSSL, to allow compilation
against system OpenSSL without DES.
Note that MariaDB needs to be compiled against OpenSSL-like library
that itself has DES support which cmake detected. Positive detection
is indicated with CMake variable HAVE_des 1.
Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@surgut.co.uk>
- Use "new" math library WOLFSSL_SP_MATH_ALL, which is now promoted by
WolfSSL for faster performance. "fastmath" we used previously is going
to be deprecated, it was not really always fast.
- Optimize common RSA math operations with WOLFSSL_HAVE_SP_RSA
- Incorporate assembly optimizations, currently for Intel x64 only
This patch significantly reduces execution time for SSL tests like
main.ssl-big and main.ssl_connect, which now run 2 to 3 times faster.
Notably, when this patch is applied to 11.4, server startup in with
ephemeral certificates becomes approximately 10x faster due to optimized
wolfSSL_EVP_PKEY_keygen().
Additionally, refactored WolfSSL by removing old workarounds and
consolidating wolfssl and wolfcrypt into a single library wolfssl, just
like it was done in WolfSSL's own CMake.
Summary of changes
- MD_CTX_SIZE is increased
- EVP_CIPHER_CTX_buf_noconst(ctx) does not work anymore, points
to nobody knows where. The assumption made previously was that
(since the function does not seem to be documented)
was that it points to the last partial source block.
Add own partial block buffer for NOPAD encryption instead
- SECLEVEL in CipherString in openssl.cnf
had been downgraded to 0, from 1, to make TLSv1.0 and TLSv1.1 possible
(according to https://github.com/openssl/openssl/blob/openssl-3.0.0/NEWS.md
even though the manual for SSL_CTX_get_security_level claims that it
should not be necessary)
- Workaround Ssl_cipher_list issue, it now returns TLSv1.3 ciphers,
in addition to what was set in --ssl-cipher
- ctx_buf buffer now must be aligned to 16 bytes with openssl(
previously with WolfSSL only), ot crashes will happen
- updated aes-t , to be better debuggable
using function, rather than a huge multiline macro
added test that does "nopad" encryption piece-wise, to test
replacement of EVP_CIPHER_CTX_buf_noconst
part of MDEV-29000
This gives a short overview over found/missing dependencies as well
as enabled/disabled features.
Initial author Heinz Wiesinger <heinz@m2mobi.com>
Additions by Vicențiu Ciorbaru <vicentiu@mariadb.org>
* Report all plugins enabled via MYSQL_ADD_PLUGIN
* Simplify code. Eliminate duplication by making use of WITH_xxx
variable values to set feature "ON" / "OFF" state.
Reviewed by: wlad@mariadb.com (code details) serg@mariadb.com (the idea)
documentation
Apparently, WolfSSL wants to have *exactly* the same defines for
the user of the library as the was when building library itself.
A lot of #defines have an impact on ABI (structure sizes, alignment etc)
In Wolfcrypt, output length after CTR encryption is not the same
as input length. This is different from openssl and this makes unit test
aes-t fail.
So disable CTR for now.
- Add new submodule for WolfSSL
- Build and use wolfssl and wolfcrypt instead of yassl/taocrypt
- Use HAVE_WOLFSSL instead of HAVE_YASSL
- Increase MY_AES_CTX_SIZE, to avoid compile time asserts in my_crypt.cc
(sizeof(EVP_CIPHER_CTX) is larger on WolfSSL)
main.derived_cond_pushdown: Move all 10.3 tests to the end,
trim trailing white space, and add an "End of 10.3 tests" marker.
Add --sorted_result to tests where the ordering is not deterministic.
main.win_percentile: Add --sorted_result to tests where the
ordering is no longer deterministic.
if -DWITH_SSL=yes and system ssl cannot be used,
bundled ssl should be auto-selected.
That's how it worked in 10.0, and it was unintentionally broken in 10.1.
Both libraries and includes are required to check for symbols correctly.
In addition, we don't use SHA512_DIGEST_LENGTH symbol so remove the
extraneous check.
this disables the check, added in d937916c06
Applications shouldn't police OpenSSL versions that users are using.
And 0.9.8 on Mac OS X seems to have new fixes, despite being "0.9.8"
Description: If libmysql is compiled with WITH_SSL=NO,
--ssl-* are not useful.
Solution: 1. Restricted WITH_SSL to values : bundled | yes | system
2. Made "bundled" as default value for WITH_SSL. Also,
not specifying WITH_SSL or even specifying WITH_SSL=no
will be treated as/converted to WITH_SSL=bundled.
Reviewed-By: Tor Didriksen <tor.didriksen@oracle.com>
Reviewed-By: Georgi Kodinov <georgi.kodinov@oracle.com>
make repeated cmake runs less verbose:
* remove few not very useful MESSAGE's
* only run pkg_check_modules() if there's no cached result
* only print QQGraph messages on the first run