diff --git a/include/maxscale/encryption.h b/include/maxscale/encryption.h
new file mode 100644
index 000000000..dfbb3407a
--- /dev/null
+++ b/include/maxscale/encryption.h
@@ -0,0 +1,25 @@
+#pragma once
+/*
+ * Copyright (c) 2016 MariaDB Corporation Ab
+ *
+ * Use of this software is governed by the Business Source License included
+ * in the LICENSE.TXT file and at www.mariadb.com/bsl11.
+ *
+ * Change Date: 2020-01-01
+ *
+ * On the date above, in accordance with the Business Source License, use
+ * of this software will be governed by version 2 or later of the General
+ * Public License.
+ */
+
+#include
+
+#include
+
+MXS_BEGIN_DECLS
+
+
+EVP_CIPHER_CTX* mxs_evp_cipher_ctx_alloc();
+void mxs_evp_cipher_ctx_free(EVP_CIPHER_CTX* ctx);
+
+MXS_END_DECLS
diff --git a/server/core/CMakeLists.txt b/server/core/CMakeLists.txt
index 371e550ec..93df3874f 100644
--- a/server/core/CMakeLists.txt
+++ b/server/core/CMakeLists.txt
@@ -9,6 +9,7 @@ add_library(maxscale-common SHARED
 config.cc
 config_runtime.cc
 dcb.cc
+ encryption.cc
 externcmd.cc
 filter.cc
 hashtable.cc
diff --git a/server/core/encryption.cc b/server/core/encryption.cc
new file mode 100644
index 000000000..99a1e63cf
--- /dev/null
+++ b/server/core/encryption.cc
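Review bot: `EVP_CIPHER_CTX* mxs_evp_cipher_ctx_alloc();` is declared with an empty parameter list inside MXS_BEGIN_DECLS, and this header is included from blr_file.c, which is C; there an empty list is an unprototyped declaration that accepts any arguments unchecked, so declare it as `EVP_CIPHER_CTX* mxs_evp_cipher_ctx_alloc(void);` and match the definition in encryption.cc. The two declarations also carry no contract: a short Doxygen block stating that the returned context is owned by the caller, may be NULL when allocation fails, and must be released with mxs_evp_cipher_ctx_free() would tell callers they have to check the pointer. MXS_BEGIN_DECLS presumably expands to the extern "C" guard, which I cannot see from this hunk.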
@@ -0,0 +1,37 @@
+/*
+ * Copyright (c) 2016 MariaDB Corporation Ab
+ *
+ * Use of this software is governed by the Business Source License included
+ * in the LICENSE.TXT file and at www.mariadb.com/bsl11.
+ *
+ * Change Date: 2020-01-01
+ *
+ * On the date above, in accordance with the Business Source License, use
+ * of this software will be governed by version 2 or later of the General
+ * Public License.
+ */
+
+#include
+
+#include
+#include
+
+EVP_CIPHER_CTX* mxs_evp_cipher_ctx_alloc()
+{
+#ifdef OPENSSL_1_1
+ return EVP_CIPHER_CTX_new();
+#else
+ EVP_CIPHER_CTX* rval = (EVP_CIPHER_CTX*)MXS_MALLOC(sizeof(*rval));
+ EVP_CIPHER_CTX_init(rval);
+ return rval;
+#endif
+}
+
+void mxs_evp_cipher_ctx_free(EVP_CIPHER_CTX* ctx)
+{
+#ifdef OPENSSL_1_1
+ EVP_CIPHER_CTX_free(ctx);
+#else
+ MXS_FREE(ctx);
+#endif
+}
diff --git a/server/modules/routing/binlogrouter/blr_file.c b/server/modules/routing/binlogrouter/blr_file.c
index 7137ba8d4..682aa1e9c 100644
--- a/server/modules/routing/binlogrouter/blr_file.c
+++ b/server/modules/routing/binlogrouter/blr_file.c
@@ -72,6 +72,7 @@
 #include
 #include
 #include
+#include
 /**
 * AES_CTR handling
@@ -3025,7 +3026,6 @@ static GWBUF *blr_aes_crypt(ROUTER_INSTANCE *router,
 uint8_t *iv,
 int action)
 {
- EVP_CIPHER_CTX ctx;
 uint8_t *key = router->encryption.key_value;
 unsigned int key_len = router->encryption.key_len;
 int outlen;
@@ -3048,10 +3048,10 @@ static GWBUF *blr_aes_crypt(ROUTER_INSTANCE *router,
 out_ptr = GWBUF_DATA(outbuf);
- EVP_CIPHER_CTX_init(&ctx);
+ EVP_CIPHER_CTX *ctx = mxs_evp_cipher_ctx_alloc();
 /* Set the encryption algorithm accordingly to key_len and encryption mode */
- if (!EVP_CipherInit_ex(&ctx,
+ if (!EVP_CipherInit_ex(ctx,
 ciphers[router->encryption.encryption_algorithm](router->encryption.key_len),
 NULL,
 key,
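Review bot: On the pre-1.1 branch, mxs_evp_cipher_ctx_free() calls MXS_FREE(ctx) without the EVP_CIPHER_CTX_cleanup(ctx) that the stack-context code it replaces in blr_file.c used to call; in OpenSSL 1.0 that cleanup releases the cipher data OpenSSL allocated inside the context and wipes it, so dropping it leaks that allocation on every blr_aes_crypt() call and returns memory holding the expanded AES key schedule to the heap unwiped. On the same branch mxs_evp_cipher_ctx_alloc() hands the MXS_MALLOC result straight to EVP_CIPHER_CTX_init() with no NULL check. Restore the cleanup before the free and guard the init; since EVP_CIPHER_CTX_free() on the 1.1 branch already tolerates NULL, the guard keeps both branches NULL-safe for callers.
```cpp
// … unchanged: license header, includes, OPENSSL_1_1 branch of mxs_evp_cipher_ctx_alloc …
#else
    EVP_CIPHER_CTX* rval = (EVP_CIPHER_CTX*)MXS_MALLOC(sizeof(*rval));
    if (rval)
    {
        EVP_CIPHER_CTX_init(rval);   // callers must still check for NULL
    }
    return rval;
#endif
}

void mxs_evp_cipher_ctx_free(EVP_CIPHER_CTX* ctx)
{
#ifdef OPENSSL_1_1
    EVP_CIPHER_CTX_free(ctx);   // NULL-safe in OpenSSL 1.1
#else
    if (ctx)
    {
        // Release and wipe the cipher data OpenSSL allocated inside the context
        EVP_CIPHER_CTX_cleanup(ctx);
        MXS_FREE(ctx);
    }
#endif
}
```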
@@ -3059,23 +3059,23 @@ static GWBUF *blr_aes_crypt(ROUTER_INSTANCE *router,
 action))
 {
 MXS_ERROR("Error in EVP_CipherInit_ex for algo %d", router->encryption.encryption_algorithm);
- EVP_CIPHER_CTX_cleanup(&ctx);
+ mxs_evp_cipher_ctx_free(ctx);
 MXS_FREE(outbuf);
 return NULL;
 }
 /* Set no padding */
- EVP_CIPHER_CTX_set_padding(&ctx, 0);
+ EVP_CIPHER_CTX_set_padding(ctx, 0);
 /* Encryt/Decrypt the input data */
- if (!EVP_CipherUpdate(&ctx,
+ if (!EVP_CipherUpdate(ctx,
 out_ptr + 4,
 &outlen,
 buffer,
 size))
 {
 MXS_ERROR("Error in EVP_CipherUpdate");
- EVP_CIPHER_CTX_cleanup(&ctx);
+ mxs_evp_cipher_ctx_free(ctx);
 MXS_FREE(outbuf);
 return NULL;
 }
@@ -3086,7 +3086,7 @@ static GWBUF *blr_aes_crypt(ROUTER_INSTANCE *router,
 if (router->encryption.encryption_algorithm != BLR_AES_CBC)
 {
 /* Call Final_ex */
- if (!EVP_CipherFinal_ex(&ctx,
+ if (!EVP_CipherFinal_ex(ctx,
 (out_ptr + 4 + outlen),
 (int*)&flen))
 {
@@ -3100,12 +3100,12 @@ static GWBUF *blr_aes_crypt(ROUTER_INSTANCE *router,
 * If some bytes (ctx.buf_len) are still available in ctx.buf
 * handle them with ECB and XOR
 */
- if (ctx.buf_len)
+ if (size - outlen > 0)
 {
 if (!blr_aes_create_tail_for_cbc(out_ptr + 4 + outlen,
- ctx.buf,
- ctx.buf_len,
- ctx.oiv,
+ buffer + outlen,
+ size - outlen,
+ iv,
 router->encryption.key_value,
 router->encryption.key_len))
 {
@@ -3121,7 +3121,7 @@ static GWBUF *blr_aes_crypt(ROUTER_INSTANCE *router,
 outbuf = NULL;
 }
- EVP_CIPHER_CTX_cleanup(&ctx);
+ mxs_evp_cipher_ctx_free(ctx);
 return outbuf;
 }
@@ -3299,14 +3299,13 @@ static int blr_aes_create_tail_for_cbc(uint8_t *output,
 uint8_t *key,
 unsigned int key_len)
 {
- EVP_CIPHER_CTX t_ctx;
 uint8_t mask[AES_BLOCK_SIZE];
 int mlen = 0;
- EVP_CIPHER_CTX_init(&t_ctx);
+ EVP_CIPHER_CTX* t_ctx = mxs_evp_cipher_ctx_alloc();
 /* Initialise with AES_ECB and NULL iv */
- if (!EVP_CipherInit_ex(&t_ctx,
+ if (!EVP_CipherInit_ex(t_ctx,
 ciphers[BLR_AES_ECB](key_len),
 NULL,
 key,
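Review bot: `EVP_CipherInit_ex(ctx,` at the top of this hunk dereferences the context returned by mxs_evp_cipher_ctx_alloc() in the previous hunk without a NULL check; EVP_CIPHER_CTX_new() can return NULL, and the pre-1.1 path in encryption.cc returns whatever MXS_MALLOC gives it, so an allocation failure now crashes inside OpenSSL instead of failing the crypt. Right after the allocation add `if (ctx == NULL) { MXS_FREE(outbuf); return NULL; }` so the error path matches the ones already in this hunk. The same unchecked use appears in blr_aes_create_tail_for_cbc (hunks at 3299 and 3313), where the guard after `t_ctx = mxs_evp_cipher_ctx_alloc();` would be `if (t_ctx == NULL) { return 0; }`. blr_aes_crypt starts before this hunk and ends after it.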
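Review bot: The context comment `* If some bytes (ctx.buf_len) are still available in ctx.buf` above the changed condition still describes the removed reads of the context's private fields, while the code now tests `size - outlen > 0` and passes `buffer + outlen` and the caller's `iv`. Update it to say, for example, "If EVP_CipherUpdate left a partial block (size - outlen bytes of the input) unprocessed, handle it with ECB and XOR against the original IV". Since the context is now opaque, it is also worth a one-line note that this relies on no-padding CBC consuming only whole blocks, so that outlen is a block multiple and the tail starts at buffer + outlen; that assumption, rather than a field read, is what the new condition depends on.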
@@ -3314,22 +3313,22 @@ static int blr_aes_create_tail_for_cbc(uint8_t *output,
 BINLOG_FLAG_ENCRYPT))
 {
 MXS_ERROR("Error in EVP_CipherInit_ex CBC for last block (ECB)");
- EVP_CIPHER_CTX_cleanup(&t_ctx);
+ mxs_evp_cipher_ctx_free(t_ctx);
 return 0;
 }
 /* Set no padding */
- EVP_CIPHER_CTX_set_padding(&t_ctx, 0);
+ EVP_CIPHER_CTX_set_padding(t_ctx, 0);
 /* Do the enc/dec of the IV (the one from previous stage) */
- if (!EVP_CipherUpdate(&t_ctx,
+ if (!EVP_CipherUpdate(t_ctx,
 mask,
 &mlen,
 iv,
 sizeof(mask)))
 {
 MXS_ERROR("Error in EVP_CipherUpdate ECB");
- EVP_CIPHER_CTX_cleanup(&t_ctx);
+ mxs_evp_cipher_ctx_free(t_ctx);
 return 0;
 }
@@ -3344,7 +3343,7 @@ static int blr_aes_create_tail_for_cbc(uint8_t *output,
 output[i] = input[i] ^ mask[i];
 }
- EVP_CIPHER_CTX_cleanup(&t_ctx);
+ mxs_evp_cipher_ctx_free(t_ctx);
 return 1;
 }