Diffstat (limited to 'mysys_ssl')
-rw-r--r--mysys_ssl/my_aes.cc19
-rw-r--r--mysys_ssl/my_md5.cc18
2 files changed, 25 insertions, 12 deletions
diff --git a/mysys_ssl/my_aes.cc b/mysys_ssl/my_aes.cc
index 9327bc32a3b..05dbfdb4f0b 100644
--- a/mysys_ssl/my_aes.cc
+++ b/mysys_ssl/my_aes.cc
@@ -24,6 +24,7 @@
#elif defined(HAVE_OPENSSL)
#include <openssl/aes.h>
#include <openssl/evp.h>
+#include <openssl/err.h>
// Wrap C struct, to ensure resources are released.
struct MyCipherCtx
@@ -165,14 +166,17 @@ int my_aes_encrypt(const char* source, int source_length, char* dest,
#elif defined(HAVE_OPENSSL)
if (! EVP_EncryptInit(&ctx.ctx, EVP_aes_128_ecb(),
(const unsigned char *) rkey, NULL))
- return AES_BAD_DATA; /* Error */
+ goto err;
if (! EVP_EncryptUpdate(&ctx.ctx, (unsigned char *) dest, &u_len,
(unsigned const char *) source, source_length))
- return AES_BAD_DATA; /* Error */
+ goto err;
if (! EVP_EncryptFinal(&ctx.ctx, (unsigned char *) dest + u_len, &f_len))
- return AES_BAD_DATA; /* Error */
+ goto err;
return u_len + f_len;
+err:
+ ERR_remove_state(0);
+ return AES_BAD_DATA;
#endif
}
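Review bot: `ERR_remove_state(0)` on the new `err:` path frees the calling thread's entire OpenSSL error state, not only the entries queued by the three EVP calls above, so an error that other code on the same thread has not yet read is discarded too. It is also the deprecated spelling: OpenSSL 1.0.0 introduced `ERR_remove_thread_state` to replace it, and 1.1.0 turns it into a no-op. If the goal is only to keep a failed encrypt from leaving stale queue entries behind, `ERR_clear_error();` does that without tearing down per-thread state; if the goal is to avoid leaking that state, a short comment saying so would help, since that is normally done once at thread exit rather than per failure. The same applies to the `err:` label added in `my_aes_decrypt`. The body of `my_aes_encrypt` starts outside this hunk, so how `ctx` is released on this path is not visible here.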
@@ -248,13 +252,16 @@ int my_aes_decrypt(const char *source, int source_length, char *dest,
#elif defined(HAVE_OPENSSL)
if (! EVP_DecryptInit(&ctx.ctx, EVP_aes_128_ecb(),
(const unsigned char *) rkey, NULL))
- return AES_BAD_DATA; /* Error */
+ goto err;
if (! EVP_DecryptUpdate(&ctx.ctx, (unsigned char *) dest, &u_len,
(unsigned const char *) source, source_length))
- return AES_BAD_DATA; /* Error */
+ goto err;
if (! EVP_DecryptFinal(&ctx.ctx, (unsigned char *) dest + u_len, &f_len))
- return AES_BAD_DATA; /* Error */
+ goto err;
return u_len + f_len;
+err:
+ ERR_remove_state(0);
+ return AES_BAD_DATA;
#endif
}
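Review bot: When `EVP_DecryptFinal` fails, the `err:` path returns `AES_BAD_DATA` only after `EVP_DecryptUpdate` has already written `u_len` bytes into `dest`, so the caller's buffer holds partially decrypted output on failure. The function's header comment (outside this hunk) should state the contract, for example `/* On AES_BAD_DATA the contents of dest are unspecified and must not be used. */`. Because the cipher is `EVP_aes_128_ecb()`, this padding check is the only signal of a damaged ciphertext; a successful return does not show the data was unmodified, which is worth noting in the same comment. Which of the three calls failed cannot be told apart by the caller, which is fine as long as the error text is not surfaced to an untrusted peer.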
diff --git a/mysys_ssl/my_md5.cc b/mysys_ssl/my_md5.cc
index 4c14366a4e3..4e362e647a1 100644
--- a/mysys_ssl/my_md5.cc
+++ b/mysys_ssl/my_md5.cc
@@ -37,14 +37,20 @@ static void my_md5_hash(char *digest, const char *buf, int len)
}
#elif defined(HAVE_OPENSSL)
-#include <openssl/md5.h>
+#include <openssl/evp.h>
-static void my_md5_hash(unsigned char* digest, unsigned const char *buf, int len)
+static void my_md5_hash(uchar* digest, const uchar *buf, uint len)
{
- MD5_CTX ctx;
- MD5_Init (&ctx);
- MD5_Update (&ctx, buf, len);
- MD5_Final (digest, &ctx);
+ EVP_MD_CTX ctx;
+ EVP_MD_CTX_init(&ctx);
+#ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
+ /* Ok to ignore FIPS: MD5 is not used for crypto here */
+ EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+#endif
+ EVP_DigestInit_ex(&ctx, EVP_md5(), NULL);
+ EVP_DigestUpdate(&ctx, buf, len);
+ EVP_DigestFinal(&ctx, digest, &len);
+ EVP_MD_CTX_cleanup(&ctx);
}
#endif /* HAVE_YASSL */
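Review bot: The results of `EVP_DigestInit_ex`, `EVP_DigestUpdate` and `EVP_DigestFinal` are all discarded and `my_md5_hash` returns void, so a failed init leaves `digest` unwritten and the caller goes on to use whatever was in that buffer. That looks reachable in a FIPS-mode build whose headers lack `EVP_MD_CTX_FLAG_NON_FIPS_ALLOW`, where the `#ifdef` block is compiled out. At minimum, test the calls and put the output in a defined state or fail loudly, e.g. `if (!EVP_DigestInit_ex(&ctx, EVP_md5(), NULL) || !EVP_DigestUpdate(&ctx, buf, len)) { /* report; do not return an unset digest */ }`. Passing `&len`, the input-length parameter, as the output-length argument of `EVP_DigestFinal` is also confusing; a separate local such as `unsigned int digest_len;` would read better. The comment "MD5 is not used for crypto here" cannot be checked from this hunk, so naming what the callers use the hash for would make the FIPS exemption reviewable.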