diff --git a/include/maxscale/encryption.h b/include/maxscale/encryption.h new file mode 100644 index 000000000..dfbb3407a --- /dev/null +++ b/include/maxscale/encryption.h @@ -0,0 +1,25 @@ +#pragma once +/* + * Copyright (c) 2016 MariaDB Corporation Ab + * + * Use of this software is governed by the Business Source License included + * in the LICENSE.TXT file and at www.mariadb.com/bsl11. + * + * Change Date: 2020-01-01 + * + * On the date above, in accordance with the Business Source License, use + * of this software will be governed by version 2 or later of the General + * Public License. + */ + +#include + +#include + +MXS_BEGIN_DECLS + + +EVP_CIPHER_CTX* mxs_evp_cipher_ctx_alloc(); +void mxs_evp_cipher_ctx_free(EVP_CIPHER_CTX* ctx); + +MXS_END_DECLS diff --git a/server/core/CMakeLists.txt b/server/core/CMakeLists.txt index 79761cdc8..2f2bcadc2 100644 --- a/server/core/CMakeLists.txt +++ b/server/core/CMakeLists.txt @@ -1,4 +1,4 @@ -add_library(maxscale-common SHARED adminusers.c alloc.c authenticator.c atomic.c buffer.c config.c config_runtime.c dcb.c filter.c filter.cc externcmd.c paths.c hashtable.c hint.c housekeeper.c load_utils.c log_manager.cc maxscale_pcre2.c misc.c mlist.c modutil.c monitor.c queuemanager.c query_classifier.cc poll.c random_jkiss.c resultset.c secrets.c server.c service.c session.c spinlock.c thread.c users.c utils.c skygw_utils.cc statistics.c listener.c ssl.c mysql_utils.c mysql_binlog.c modulecmd.c) +add_library(maxscale-common SHARED adminusers.c alloc.c authenticator.c atomic.c buffer.c config.c config_runtime.c dcb.c filter.c filter.cc externcmd.c paths.c hashtable.c hint.c housekeeper.c load_utils.c log_manager.cc maxscale_pcre2.c misc.c mlist.c modutil.c monitor.c queuemanager.c query_classifier.cc poll.c random_jkiss.c resultset.c secrets.c server.c service.c session.c spinlock.c thread.c users.c utils.c skygw_utils.cc statistics.c listener.c ssl.c mysql_utils.c mysql_binlog.c modulecmd.c encryption.c) if(WITH_JEMALLOC) target_link_libraries(maxscale-common ${JEMALLOC_LIBRARIES}) diff --git a/server/core/encryption.c b/server/core/encryption.c new file mode 100644 index 000000000..219cd8916 --- /dev/null +++ b/server/core/encryption.c @@ -0,0 +1,37 @@ +/* + * Copyright (c) 2016 MariaDB Corporation Ab + * + * Use of this software is governed by the Business Source License included + * in the LICENSE.TXT file and at www.mariadb.com/bsl11. + * + * Change Date: 2020-01-01 + * + * On the date above, in accordance with the Business Source License, use + * of this software will be governed by version 2 or later of the General + * Public License. + */ + +#include + +#include +#include + +EVP_CIPHER_CTX* mxs_evp_cipher_ctx_alloc() +{ +#ifdef OPENSSL_1_1 + return EVP_CIPHER_CTX_new(); +#else + EVP_CIPHER_CTX* rval = (EVP_CIPHER_CTX*)MXS_MALLOC(sizeof(*rval)); + EVP_CIPHER_CTX_init(rval); + return rval; +#endif +} + +void mxs_evp_cipher_ctx_free(EVP_CIPHER_CTX* ctx) +{ +#ifdef OPENSSL_1_1 + EVP_CIPHER_CTX_free(ctx); +#else + MXS_FREE(ctx); +#endif +} diff --git a/server/modules/routing/binlogrouter/blr_file.c b/server/modules/routing/binlogrouter/blr_file.c index 34ea645f7..033d0c328 100644 --- a/server/modules/routing/binlogrouter/blr_file.c +++ b/server/modules/routing/binlogrouter/blr_file.c @@ -72,6 +72,7 @@ #include #include #include +#include /** * AES_CTR handling @@ -2796,7 +2797,6 @@ static GWBUF *blr_aes_crypt(ROUTER_INSTANCE *router, uint8_t *iv, int action) { - EVP_CIPHER_CTX ctx; uint8_t *key = router->encryption.key_value; unsigned int key_len = router->encryption.key_len; int outlen; @@ -2819,10 +2819,10 @@ static GWBUF *blr_aes_crypt(ROUTER_INSTANCE *router, out_ptr = GWBUF_DATA(outbuf); - EVP_CIPHER_CTX_init(&ctx); + EVP_CIPHER_CTX *ctx = mxs_evp_cipher_ctx_alloc(); /* Set the encryption algorithm accordingly to key_len and encryption mode */ - if (!EVP_CipherInit_ex(&ctx, + if (!EVP_CipherInit_ex(ctx, ciphers[router->encryption.encryption_algorithm](router->encryption.key_len), NULL, key, @@ -2830,23 +2830,23 @@ static GWBUF *blr_aes_crypt(ROUTER_INSTANCE *router, action)) { MXS_ERROR("Error in EVP_CipherInit_ex for algo %d", router->encryption.encryption_algorithm); - EVP_CIPHER_CTX_cleanup(&ctx); + mxs_evp_cipher_ctx_free(ctx); MXS_FREE(outbuf); return NULL; } /* Set no padding */ - EVP_CIPHER_CTX_set_padding(&ctx, 0); + EVP_CIPHER_CTX_set_padding(ctx, 0); /* Encryt/Decrypt the input data */ - if (!EVP_CipherUpdate(&ctx, + if (!EVP_CipherUpdate(ctx, out_ptr + 4, &outlen, buffer, size)) { MXS_ERROR("Error in EVP_CipherUpdate"); - EVP_CIPHER_CTX_cleanup(&ctx); + mxs_evp_cipher_ctx_free(ctx); MXS_FREE(outbuf); return NULL; } @@ -2857,7 +2857,7 @@ static GWBUF *blr_aes_crypt(ROUTER_INSTANCE *router, if (router->encryption.encryption_algorithm != BLR_AES_CBC) { /* Call Final_ex */ - if (!EVP_CipherFinal_ex(&ctx, + if (!EVP_CipherFinal_ex(ctx, (out_ptr + 4 + outlen), (int*)&flen)) { @@ -2871,12 +2871,12 @@ static GWBUF *blr_aes_crypt(ROUTER_INSTANCE *router, * If some bytes (ctx.buf_len) are still available in ctx.buf * handle them with ECB and XOR */ - if (ctx.buf_len) + if (size - outlen > 0) { if (!blr_aes_create_tail_for_cbc(out_ptr + 4 + outlen, - ctx.buf, - ctx.buf_len, - ctx.oiv, + buffer + outlen, + size - outlen, + iv, router->encryption.key_value, router->encryption.key_len)) { @@ -2892,7 +2892,7 @@ static GWBUF *blr_aes_crypt(ROUTER_INSTANCE *router, outbuf = NULL; } - EVP_CIPHER_CTX_cleanup(&ctx); + mxs_evp_cipher_ctx_free(ctx); return outbuf; } @@ -3070,14 +3070,13 @@ static int blr_aes_create_tail_for_cbc(uint8_t *output, uint8_t *key, unsigned int key_len) { - EVP_CIPHER_CTX t_ctx; uint8_t mask[AES_BLOCK_SIZE]; int mlen = 0; - EVP_CIPHER_CTX_init(&t_ctx); + EVP_CIPHER_CTX* t_ctx = mxs_evp_cipher_ctx_alloc(); /* Initialise with AES_ECB and NULL iv */ - if (!EVP_CipherInit_ex(&t_ctx, + if (!EVP_CipherInit_ex(t_ctx, ciphers[BLR_AES_ECB](key_len), NULL, key, @@ -3085,22 +3084,22 @@ static int blr_aes_create_tail_for_cbc(uint8_t *output, BINLOG_FLAG_ENCRYPT)) { MXS_ERROR("Error in EVP_CipherInit_ex CBC for last block (ECB)"); - EVP_CIPHER_CTX_cleanup(&t_ctx); + mxs_evp_cipher_ctx_free(t_ctx); return 0; } /* Set no padding */ - EVP_CIPHER_CTX_set_padding(&t_ctx, 0); + EVP_CIPHER_CTX_set_padding(t_ctx, 0); /* Do the enc/dec of the IV (the one from previous stage) */ - if (!EVP_CipherUpdate(&t_ctx, + if (!EVP_CipherUpdate(t_ctx, mask, &mlen, iv, sizeof(mask))) { MXS_ERROR("Error in EVP_CipherUpdate ECB"); - EVP_CIPHER_CTX_cleanup(&t_ctx); + mxs_evp_cipher_ctx_free(t_ctx); return 0; } @@ -3115,7 +3114,7 @@ static int blr_aes_create_tail_for_cbc(uint8_t *output, output[i] = input[i] ^ mask[i]; } - EVP_CIPHER_CTX_cleanup(&t_ctx); + mxs_evp_cipher_ctx_free(t_ctx); return 1; }