summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorHonza Horak <hhorak@redhat.com>2022-02-08 16:39:10 +0100
committerVladislav Vaintroub <wlad@mariadb.com>2022-05-23 15:28:19 +0200
commit78412ab028509f07a801c9bf1f3792ad77bcfac6 (patch)
treeed88a778e68f11e5da803e00b2fb8d1b5f413343
parent987d16a0b43c163264ab37d3e01795577f97d83b (diff)
downloadmariadb-git-78412ab028509f07a801c9bf1f3792ad77bcfac6.tar.gz
MDEV-27778 md5 in FIPS crashes with OpenSSL 3.0.0
OpenSSL 3.0.0+ does not support EVP_MD_CTX_FLAG_NON_FIPS_ALLOW any longer. In OpenSSL 1.1.1 the non FIPS allowed flag is context specific, while in 3.0.0+ it is a different EVP_MD provider. Fixes #2010 part of MDEV-28133
-rw-r--r--mysys_ssl/my_md5.cc11
1 files changed, 11 insertions, 0 deletions
diff --git a/mysys_ssl/my_md5.cc b/mysys_ssl/my_md5.cc
index 407dee3bc69..75995bccf90 100644
--- a/mysys_ssl/my_md5.cc
+++ b/mysys_ssl/my_md5.cc
@@ -52,12 +52,23 @@ static void md5_result(EVP_MD_CTX *context, uchar digest[MD5_HASH_SIZE])
static void md5_init(EVP_MD_CTX *context)
{
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ EVP_MD *md5;
+ EVP_MD_CTX_init(context);
+ /* Ok to ignore FIPS: MD5 is not used for crypto here */
+ /* In OpenSSL 3.0.0+ it is a different EVP_MD provider */
+ md5 = EVP_MD_fetch(NULL, "MD5", "fips=no");
+ EVP_DigestInit_ex(context, md5, NULL);
+ EVP_MD_free(md5);
+#else
EVP_MD_CTX_init(context);
#ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
/* Ok to ignore FIPS: MD5 is not used for crypto here */
+ /* In OpenSSL 1.1.1 the non FIPS allowed flag is context specific */
EVP_MD_CTX_set_flags(context, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
#endif
EVP_DigestInit_ex(context, EVP_md5(), NULL);
+#endif
}
static void md5_input(EVP_MD_CTX *context, const uchar *buf, unsigned len)