Merge branch 'mysql-5.7-cluster-7.5' into mysql-5.7-cluster-7.6

Change-Id: I7f2274ed00eaa72a3a08262c0c6118073dc01ab2

Author: zmur

cmake/ssl.cmake

@@ -92,6 +92,62 @@ MACRO(RESET_SSL_VARIABLES)
   UNSET(HAVE_SHA512_DIGEST_LENGTH CACHE)
 ENDMACRO()
 
+# Fetch OpenSSL version number.
+# OpenSSL < 3:
+# #define OPENSSL_VERSION_NUMBER 0x1000103fL
+# Encoded as MNNFFPPS: major minor fix patch status
+#
+# OpenSSL 3:
+# #define OPENSSL_VERSION_NUMBER
+#   ( (OPENSSL_VERSION_MAJOR<<28)
+#     |(OPENSSL_VERSION_MINOR<<20)
+#     |(OPENSSL_VERSION_PATCH<<4)
+#     |_OPENSSL_VERSION_PRE_RELEASE )
+MACRO(FIND_OPENSSL_VERSION)
+  FOREACH(version_part
+      OPENSSL_VERSION_MAJOR
+      OPENSSL_VERSION_MINOR
+      OPENSSL_VERSION_PATCH
+      )
+    FILE(STRINGS "${OPENSSL_INCLUDE_DIR}/openssl/opensslv.h" ${version_part}
+      REGEX "^#[\t ]*define[\t ]+${version_part}[\t ]+([0-9]+).*")
+    STRING(REGEX REPLACE
+      "^.*${version_part}[\t ]+([0-9]+).*" "\\1"
+      ${version_part} "${${version_part}}")
+  ENDFOREACH()
+  IF(OPENSSL_VERSION_MAJOR VERSION_EQUAL 3)
+    # OpenSSL 3
+    SET(OPENSSL_MAJOR_VERSION "${OPENSSL_VERSION_MAJOR}")
+    SET(OPENSSL_MINOR_VERSION "${OPENSSL_VERSION_MINOR}")
+    SET(OPENSSL_FIX_VERSION "${OPENSSL_VERSION_PATCH}")
+  ELSE()
+    # Verify version number. Version information looks like:
+    #   #define OPENSSL_VERSION_NUMBER 0x1000103fL
+    # Encoded as MNNFFPPS: major minor fix patch status
+    FILE(STRINGS "${OPENSSL_INCLUDE_DIR}/openssl/opensslv.h"
+      OPENSSL_VERSION_NUMBER
+      REGEX "^#[ ]*define[\t ]+OPENSSL_VERSION_NUMBER[\t ]+0x[0-9].*"
+      )
+    STRING(REGEX REPLACE
+      "^.*OPENSSL_VERSION_NUMBER[\t ]+0x([0-9]).*$" "\\1"
+      OPENSSL_MAJOR_VERSION "${OPENSSL_VERSION_NUMBER}"
+      )
+    STRING(REGEX REPLACE
+      "^.*OPENSSL_VERSION_NUMBER[\t ]+0x[0-9]([0-9][0-9]).*$" "\\1"
+      OPENSSL_MINOR_VERSION "${OPENSSL_VERSION_NUMBER}"
+      )
+    STRING(REGEX REPLACE
+      "^.*OPENSSL_VERSION_NUMBER[\t ]+0x[0-9][0-9][0-9]([0-9][0-9]).*$" "\\1"
+      OPENSSL_FIX_VERSION "${OPENSSL_VERSION_NUMBER}"
+      )
+  ENDIF()
+  SET(OPENSSL_VERSION
+    "${OPENSSL_MAJOR_VERSION}.${OPENSSL_MINOR_VERSION}.${OPENSSL_FIX_VERSION}"
+    )
+  SET(OPENSSL_VERSION ${OPENSSL_VERSION} CACHE INTERNAL "")
+  MESSAGE(STATUS "OPENSSL_VERSION (${WITH_SSL}) is ${OPENSSL_VERSION}")
+ENDMACRO(FIND_OPENSSL_VERSION)
+
 # MYSQL_CHECK_SSL
 #
 # Provides the following configure options:
@@ -194,30 +250,8 @@ MACRO (MYSQL_CHECK_SSL)
     ENDIF()
 
     IF(OPENSSL_INCLUDE_DIR)
-      # Verify version number. Version information looks like:
-      #   #define OPENSSL_VERSION_NUMBER 0x1000103fL
-      # Encoded as MNNFFPPS: major minor fix patch status
-      FILE(STRINGS "${OPENSSL_INCLUDE_DIR}/openssl/opensslv.h"
-        OPENSSL_VERSION_NUMBER
-        REGEX "^#[ ]*define[\t ]+OPENSSL_VERSION_NUMBER[\t ]+0x[0-9].*"
-        )
-      STRING(REGEX REPLACE
-        "^.*OPENSSL_VERSION_NUMBER[\t ]+0x([0-9]).*$" "\\1"
-        OPENSSL_MAJOR_VERSION "${OPENSSL_VERSION_NUMBER}"
-        )
-      STRING(REGEX REPLACE
-        "^.*OPENSSL_VERSION_NUMBER[\t ]+0x[0-9]([0-9][0-9]).*$" "\\1"
-        OPENSSL_MINOR_VERSION "${OPENSSL_VERSION_NUMBER}"
-        )
-      STRING(REGEX REPLACE
-        "^.*OPENSSL_VERSION_NUMBER[\t ]+0x[0-9][0-9][0-9]([0-9][0-9]).*$" "\\1"
-        OPENSSL_FIX_VERSION "${OPENSSL_VERSION_NUMBER}"
-        )
+      FIND_OPENSSL_VERSION()
     ENDIF()
-    SET(OPENSSL_VERSION
-      "${OPENSSL_MAJOR_VERSION}.${OPENSSL_MINOR_VERSION}.${OPENSSL_FIX_VERSION}"
-      )
-    SET(OPENSSL_VERSION ${OPENSSL_VERSION} CACHE INTERNAL "")
 
     IF("${OPENSSL_VERSION}" VERSION_GREATER "1.1.0")
        ADD_DEFINITIONS(-DHAVE_TLSv13)
@@ -229,7 +263,8 @@ MACRO (MYSQL_CHECK_SSL)
     IF(OPENSSL_INCLUDE_DIR AND
        OPENSSL_LIBRARY   AND
        CRYPTO_LIBRARY      AND
-       OPENSSL_MAJOR_VERSION STREQUAL "1"
+       (OPENSSL_MAJOR_VERSION STREQUAL "1" OR
+        OPENSSL_MAJOR_VERSION STREQUAL "3")
       )
       SET(OPENSSL_FOUND TRUE)
     ELSE()
@@ -312,3 +347,16 @@ MACRO (MYSQL_CHECK_SSL)
       "Wrong option or path for WITH_SSL=${WITH_SSL}.")
   ENDIF()
 ENDMACRO()
+
+# Downgrade OpenSSL 3 deprecation warnings.
+MACRO(DOWNGRADE_OPENSSL3_DEPRECATION_WARNINGS)
+  IF(OPENSSL_MAJOR_VERSION VERSION_EQUAL 3)
+    IF(MY_COMPILER_IS_GNU_OR_CLANG)
+      ADD_COMPILE_FLAGS(${ARGV}
+        COMPILE_FLAGS "-Wno-error=deprecated-declarations")
+    ELSEIF(WIN32)
+      ADD_COMPILE_FLAGS(${ARGV}
+        COMPILE_FLAGS "/wd4996")
+    ENDIF()
+  ENDIF()
+ENDMACRO()

libmysql/CMakeLists.txt

@@ -197,6 +197,9 @@ SET(CLIENT_SOURCES
   ../sql/auth/sha2_password_common.cc
 )
 
+DOWNGRADE_OPENSSL3_DEPRECATION_WARNINGS(
+    ../sql-common/client_authentication.cc)
+
 IF (WIN32 AND OPENSSL_APPLINK_C)
   SET_SOURCE_FILES_PROPERTIES(
     ../sql-common/client_authentication.cc

mysql-test/include/openssl3_legacy_tls.cnf

@@ -0,0 +1,11 @@
+# Allow ciphers by default treated as unsecure in OpenSSL 3.0 to allow use of
+# legacy TLSv1.0 and TLSv1.1.
+# Configuration file should also work for OpenSSL 1.1.1 but will not work with
+# for example OpenSSL 1.0.
+openssl_conf = openssl_sect
+[ openssl_sect ]
+ssl_conf = ssl_sect
+[ssl_sect]
+system_default = system_default_sect
+[system_default_sect]
+CipherString = DEFAULT:@SECLEVEL=0

mysql-test/mysql-test-run.pl

@@ -3007,6 +3007,18 @@ sub environment_setup {
   my $pathsep= ":";
   $pathsep= ";" if IS_WINDOWS && ! IS_CYGWIN;
   $ENV{'PATH'}= "$ENV{'PATH'}".$pathsep.$perldir;
+
+  # ----------------------------------------------------
+  # openssl3 helper
+  # ----------------------------------------------------
+  # Provide path to openssl configuration file allowing old TLSv1.0 and TLSv1.1.
+  # In tests that need it add to test cnf-file:
+  #
+  #   [ENV]
+  #   [email protected]_LEGACY_TLS_CNF
+  #
+  $ENV{'OPENSSL3_LEGACY_TLS_CNF'}=
+    native_path(${glob_mysql_test_dir}."/include/openssl3_legacy_tls.cnf");
 }
 
 

mysql-test/suite/auth_sec/t/tls.cnf

@@ -0,0 +1,3 @@
+!include include/default_my.cnf
+[ENV]
+OPENSSL_CONF[email protected]_LEGACY_TLS_CNF

mysql-test/suite/auth_sec/t/tls12_tls1.cnf

@@ -0,0 +1,3 @@
+!include include/default_my.cnf
+[ENV]
+OPENSSL_CONF[email protected]_LEGACY_TLS_CNF

mysql-test/suite/rpl/t/rpl_ssl1.cnf

@@ -0,0 +1,3 @@
+!include ../my.cnf
+[ENV]
+OPENSSL_CONF[email protected]_LEGACY_TLS_CNF

mysql-test/t/ssl_deprecated_tls_versions.cnf

@@ -0,0 +1,3 @@
+!include include/default_my.cnf
+[ENV]
+OPENSSL_CONF[email protected]_LEGACY_TLS_CNF

mysys_ssl/CMakeLists.txt

@@ -31,6 +31,11 @@ IF(SSL_DEFINES)
 ADD_DEFINITIONS(${SSL_DEFINES})
 ENDIF()
 
+DOWNGRADE_OPENSSL3_DEPRECATION_WARNINGS(
+    crypt_genhash_impl.cc
+    my_md5.cc
+    my_sha1.cc)
+
 SET(MYSYS_AES_IMPLEMENTATION my_aes_openssl.cc)
 
 SET(MYSYS_SSL_SOURCES

rapid/plugin/group_replication/CMakeLists.txt

@@ -165,6 +165,8 @@ ADD_DEFINITIONS(${SSL_DEFINES})
 # add the definition to build XCom with SSL support
 ADD_DEFINITIONS(-DXCOM_HAVE_OPENSSL)
 
+DOWNGRADE_OPENSSL3_DEPRECATION_WARNINGS(
+    libmysqlgcs/src/bindings/xcom/xcom/xcom_ssl_transport.c)
 
 IF(WITH_UNIT_TESTS)
   ADD_CONVENIENCE_LIBRARY(gr_unit_test_resource

rapid/plugin/x/CMakeLists.txt

@@ -27,6 +27,9 @@ IF(SSL_DEFINES)
   ADD_DEFINITIONS(${SSL_DEFINES})
 ENDIF()
 
+DOWNGRADE_OPENSSL3_DEPRECATION_WARNINGS(
+    mysqlxtest_src/mysql41_hash.cc)
+
 # Note that no COMPONENTS option is to be used for header only components,
 # it would try to find a library
 SET(Boost_USE_STATIC_LIBS OFF)

rapid/plugin/x/tests/mtr/t/connection_expired_certs.cnf

@@ -0,0 +1,3 @@
+!include include/default_my.cnf
+[ENV]
+OPENSSL_CONF[email protected]_LEGACY_TLS_CNF

rapid/plugin/x/tests/mtr/t/connection_openssl.cnf

@@ -0,0 +1,3 @@
+!include include/default_my.cnf
+[ENV]
+OPENSSL_CONF[email protected]_LEGACY_TLS_CNF

rapid/plugin/x/tests/mtr/t/connection_tls_version.cnf

@@ -0,0 +1,3 @@
+!include include/default_my.cnf
+[ENV]
+OPENSSL_CONF[email protected]_LEGACY_TLS_CNF

rapid/plugin/x/tests/mtr/t/connection_tls_version.test

@@ -30,8 +30,8 @@ EOF
 --exec $MYSQLXTEST -uroot --file=$xtest_file 2>&1
 
 --let $XTESTPARAMS= -u user5_mysqlx --password='auth_string' --file=$xtest_file --ssl-cipher='DHE-RSA-AES256-SHA'
---let $ERROR1= /in main, line 0:ERROR: error:00000001:lib\(0\):func\(0\):reason\(1\)/Application terminated with expected error: protocol version mismatch/
---let $ERROR5= /in main, line 0:ERROR: error:00000005:lib\(0\):func\(0\):DH lib/Application terminated with expected error: socket layer receive error/ /in main, line 0:ERROR: error:00000001:lib\(0\):func\(0\):reason\(1\)/Application terminated with expected error: socket layer receive error/
+--let $ERROR1= /in main, line 0:ERROR: error:00000001:lib\(0\):.*:reason\(1\)/Application terminated with expected error: protocol version mismatch/
+--let $ERROR5= /in main, line 0:ERROR: error:00000005:lib\(0\):.*:DH lib/Application terminated with expected error: socket layer receive error/ /in main, line 0:ERROR: error:00000001:lib\(0\):.*:reason\(1\)/Application terminated with expected error: socket layer receive error/
 
 --exec $MYSQLXTEST                                     $XTESTPARAMS 2>&1
 --exec $MYSQLXTEST --tls-version=TLSv1,TLSv1.1,TLSv1.2 $XTESTPARAMS 2>&1

rapid/unittest/gunit/xplugin/CMakeLists.txt

@@ -40,6 +40,16 @@ MYSQLX_PROTOBUF_GENERATE_CPP_NAMES(protobuf_SRC ${PROTOBUF_MYSQLX_FILES})
 
 IF(MSVC)
   ADD_COMPILE_FLAGS(${protobuf_SRC} COMPILE_FLAGS "/wd4018")
+  DOWNGRADE_OPENSSL3_DEPRECATION_WARNINGS(
+    "${PROJECT_SOURCE_DIR}/rapid/plugin/x/mysqlxtest_src/mysql41_hash.cc")
+ELSE()
+  # DOWNGRADE_OPENSSL3_DEPRECATION_WARNINGS macro does not work in this
+  # directory when using GCC 4.4.7 compiler.
+  MY_CHECK_CXX_COMPILER_FLAG("-Wno-deprecated-declarations"
+    HAVE_NO_DEPRECATED_DECLARATIONS)
+  IF(HAVE_NO_DEPRECATED_DECLARATIONS)
+    SET(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -Wno-deprecated-declarations")
+  ENDIF()
 ENDIF(MSVC)
 
 # Turn off some warning flags when compiling GUnit and proto files.

sql/CMakeLists.txt

@@ -302,6 +302,14 @@ SET(SQL_SOURCE
   auth/sha2_password_common.cc
   )
 
+DOWNGRADE_OPENSSL3_DEPRECATION_WARNINGS(
+  ${CMAKE_SOURCE_DIR}/sql-common/client_authentication.cc
+  ${CMAKE_SOURCE_DIR}/sql/auth/auth_common.h
+  ${CMAKE_SOURCE_DIR}/sql/auth/sql_authentication.cc
+  ${CMAKE_SOURCE_DIR}/sql/auth/sql_authentication.h
+  ${CMAKE_SOURCE_DIR}/sql/des_key_file.cc
+  ${CMAKE_SOURCE_DIR}/sql/item_strfunc.cc)
+
 IF(NOT WIN32)
   LIST(APPEND SQL_SOURCE mysqld_daemon.cc)
 ENDIF()
@@ -557,9 +565,18 @@ IF(UNIX AND STATIC_SSL_LIBRARY)
       -Wl,-force_load ${OPENSSL_LIBRARY}
       )
   ELSE()
-    TARGET_LINK_LIBRARIES(mysqld
-      -Wl,--whole-archive ${SSL_LIBRARIES} -Wl,--no-whole-archive
-      )
+    # OpenSSL 3.0.8 has an issue with duplicate symbols between static crypto
+    # and ssl libraries. See https://github.com/openssl/openssl/issues/20238
+    IF("${OPENSSL_VERSION}" VERSION_EQUAL "3.0.8")
+      TARGET_LINK_LIBRARIES(mysqld
+        -Wl,--whole-archive,--allow-multiple-definition ${SSL_LIBRARIES}
+        -Wl,--no-whole-archive
+        )
+    ELSE()
+      TARGET_LINK_LIBRARIES(mysqld
+        -Wl,--whole-archive ${SSL_LIBRARIES} -Wl,--no-whole-archive
+        )
+    ENDIF()
   ENDIF()
 ENDIF()
 

vio/CMakeLists.txt

@@ -31,6 +31,10 @@ SET(VIO_SOURCES
   viosslfactories.c
 )
 
+DOWNGRADE_OPENSSL3_DEPRECATION_WARNINGS(
+  viossl.c
+  viosslfactories.c)
+
 IF(WIN32)
   LIST(APPEND VIO_SOURCES
     viopipe.c

vio/viossl.c

@@ -193,7 +193,7 @@ size_t vio_ssl_read(Vio *vio, uchar *buf, size_t size)
 
     ret= SSL_read(ssl, buf, (int)size);
 
-    if (ret >= 0)
+    if (ret > 0)
       break;
 
     /* Process the SSL I/O error. */
@@ -230,7 +230,7 @@ size_t vio_ssl_write(Vio *vio, const uchar *buf, size_t size)
 
     ret= SSL_write(ssl, buf, (int)size);
 
-    if (ret >= 0)
+    if (ret > 0)
       break;
 
     /* Process the SSL I/O error. */
@@ -277,6 +277,7 @@ int vio_ssl_shutdown(Vio *vio)
     default: /* Shutdown failed */
       DBUG_PRINT("vio_error", ("SSL_shutdown() failed, error: %d",
                                SSL_get_error(ssl, r)));
+      ERR_clear_error();
       break;
     }
   }
@@ -414,6 +415,7 @@ static int ssl_do(struct st_VioSSLFd *ptr, Vio *vio,
       }
   }
 #endif
+  ERR_clear_error();
 
   if ((r= ssl_handshake_loop(vio, ssl, func, ssl_errno_holder)) < 1)
   {