Merge tag 'clone-5.7.40-build' into mysql-5.7-cluster-7.5

Change-Id: Ia175a68bca48a2b15e522958dff00131566ae151

Author: arnabray21

LICENSE

@@ -10,7 +10,7 @@ Introduction
    third-party software which may be included in this distribution of
    MySQL NDB Cluster 7.5.16 (and later).
 
-   Last updated: May 2022
+   Last updated: August 2022
 
 Licensing Information
 

VERSION

@@ -1,4 +1,4 @@
 MYSQL_VERSION_MAJOR=5
 MYSQL_VERSION_MINOR=7
-MYSQL_VERSION_PATCH=39
+MYSQL_VERSION_PATCH=40
 MYSQL_VERSION_EXTRA=-ndb-7.5.28

config.h.cmake

@@ -187,6 +187,7 @@
 #cmakedefine HAVE_ULONG 1
 #cmakedefine HAVE_U_INT32_T 1
 #cmakedefine HAVE_STRUCT_TIMESPEC
+#cmakedefine HAVE_TM_GMTOFF 1
 
 /* Support for tagging symbols with __attribute__((visibility("hidden"))) */
 #cmakedefine HAVE_VISIBILITY_HIDDEN 1

configure.cmake

@@ -446,6 +446,9 @@ CHECK_TYPE_SIZE("off_t"     SIZEOF_OFF_T)
 CHECK_TYPE_SIZE("time_t"    SIZEOF_TIME_T)
 CHECK_TYPE_SIZE("struct timespec" STRUCT_TIMESPEC)
 
+CHECK_STRUCT_HAS_MEMBER("struct tm"
+ tm_gmtoff "time.h" HAVE_TM_GMTOFF)
+
 # If finds the size of a type, set SIZEOF_<type> and HAVE_<type>
 FUNCTION(MY_CHECK_TYPE_SIZE type defbase)
   CHECK_TYPE_SIZE("${type}" SIZEOF_${defbase})

include/my_aes.h

@@ -27,6 +27,12 @@
 /* Header file for my_aes.c */
 /* Wrapper to give simple interface for MySQL to AES standard encryption */
 
+#include <string>
+#include <vector>
+
+using std::string;
+using std::vector;
+
 C_MODE_START
 
 /** AES IV size is 16 bytes for all supported ciphers except ECB */
@@ -79,14 +85,16 @@ extern const char *my_aes_opmode_names[];
   @param mode           [in]  encryption mode
   @param iv             [in]  16 bytes initialization vector if needed. Otherwise NULL
   @param padding        [in]  if padding needed.
+  @param kdf_options    [in]  KDF options
   @return              size of encrypted data, or negative in case of error
 */
 
 int my_aes_encrypt(const unsigned char *source, uint32 source_length,
                    unsigned char *dest,
-		   const unsigned char *key, uint32 key_length,
+                   const unsigned char *key, uint32 key_length,
                    enum my_aes_opmode mode, const unsigned char *iv,
-                   bool padding = true);
+                   bool padding = true,
+                   vector<string> *kdf_options = NULL);
 
 /**
   Decrypt an AES encrypted buffer
@@ -99,6 +107,7 @@ int my_aes_encrypt(const unsigned char *source, uint32 source_length,
   @param mode           encryption mode
   @param iv             16 bytes initialization vector if needed. Otherwise NULL
   @param padding        if padding needed.
+  @param kdf_options    [in]  KDF options
   @return size of original data.
 */
 
@@ -107,7 +116,8 @@ int my_aes_decrypt(const unsigned char *source, uint32 source_length,
                    unsigned char *dest,
                    const unsigned char *key, uint32 key_length,
                    enum my_aes_opmode mode, const unsigned char *iv,
-                   bool padding = true);
+                   bool padding = true,
+                   vector<string> *kdf_options = NULL);
 
 /**
   Calculate the size of a buffer large enough for encrypted data

mysql-test/include/have_openssl_version_1.1.0.inc

@@ -0,0 +1,56 @@
+--disable_query_log
+--disable_result_log
+
+let OPENSSL_VERSION_INFO= $MYSQLTEST_VARDIR/log/openssl_version_info.txt;
+let OPENSSL_CONFIG_INC= $MYSQLTEST_VARDIR/log/openssl_binary_config.inc;
+
+--error 0,1
+--remove_file $OPENSSL_VERSION_INFO
+--error 0,1
+--remove_file $OPENSSL_CONFIG_INC
+
+--error 0,1, 127
+--exec openssl version > $OPENSSL_VERSION_INFO
+
+perl;
+ use strict;
+ my $search_file= $ENV{'OPENSSL_VERSION_INFO'};
+ my $search_pattern_1= "0.9.*";
+ my $search_pattern_2= "1.0.0.*";
+ my $search_pattern_3= "1.0.1.*";
+ my $search_pattern_4= "1.0.2.*";
+ my $content= "";
+ my $dir= $ENV{'MYSQLTEST_VARDIR'};
+ open(CONFIG_INC, ">$dir/log/openssl_binary_config.inc");
+ open(FILE, "$search_file") or die("Unable to open '$search_file' : $!\n");
+ read(FILE, $content, 100, 0);
+ close(FILE);
+
+ if ( ($content =~ m{$search_pattern_1}) || ($content =~ m{$search_pattern_2}) ||
+      ($content =~ m{$search_pattern_3}) || ($content =~ m{$search_pattern_4})) {
+    print CONFIG_INC "let \$STATUS_VAR = 1;\n";
+ }
+ else {
+    print CONFIG_INC "let \$STATUS_VAR = 0;\n";
+ }
+ close(CONFIG_INC);
+EOF
+
+--source $OPENSSL_CONFIG_INC
+
+if ($STATUS_VAR)
+{
+ --error 0,1
+ --remove_file $OPENSSL_VERSION_INFO
+ --error 0,1
+ --remove_file $OPENSSL_CONFIG_INC
+ --skip Test requires openssl version to be 1.1.0+
+}
+
+--error 0,1
+--remove_file $OPENSSL_VERSION_INFO
+--error 0,1
+--remove_file $OPENSSL_CONFIG_INC
+
+--enable_query_log
+--enable_result_log

mysql-test/r/func_aes.result

@@ -100,6 +100,8 @@ AES_ENCRYPT('a', 'a') = AES_ENCRYPT(REPEAT('a',1000), 'a')
 SELECT AES_ENCRYPT('a', 'a') = AES_ENCRYPT('a', REPEAT('a',1000));
 AES_ENCRYPT('a', 'a') = AES_ENCRYPT('a', REPEAT('a',1000))
 0
+Warnings:
+Warning	3237	AES key size should be 16 bytes length or secure KDF methods hkdf or pbkdf2_hmac should be used, please provide exact AES key size or use KDF methods for better security.
 #### persistense
 CREATE TABLE t1 (a BINARY(16) PRIMARY KEY);
 # must pass without a warning

mysql-test/r/func_aes_kdf_hkdf.result

@@ -0,0 +1,65 @@
+# Tests of the AES KDF hkdf functionality
+#### AES_ENCRYPT return type
+# must work and return a string
+SELECT TO_BASE64(AES_ENCRYPT('my_text', 'my_key_string', '', 'hkdf'));
+TO_BASE64(AES_ENCRYPT('my_text', 'my_key_string', '', 'hkdf'))
+9UwMLA5qdPChE0NbqnTYGw==
+# must return 16
+SELECT LENGTH(AES_ENCRYPT('my_text', 'my_key_string', '', 'hkdf'));
+LENGTH(AES_ENCRYPT('my_text', 'my_key_string', '', 'hkdf'))
+16
+# must return binary
+SELECT CHARSET(AES_ENCRYPT('my_text', 'my_key_string', '', 'hkdf'));
+CHARSET(AES_ENCRYPT('my_text', 'my_key_string', '', 'hkdf'))
+binary
+# must be equal
+SELECT AES_ENCRYPT('my_text', 'my_key_string', '', 'hkdf') = AES_ENCRYPT('my_text', 'my_key_string', '', 'hkdf');
+AES_ENCRYPT('my_text', 'my_key_string', '', 'hkdf') = AES_ENCRYPT('my_text', 'my_key_string', '', 'hkdf')
+1
+# Tests of AES strong key generation
+# Strong key generation with KDF, should not be equal keys
+SELECT AES_ENCRYPT('my_text', repeat("x",32), '', 'hkdf') = AES_ENCRYPT('my_text', repeat("y",32), '', 'hkdf');
+AES_ENCRYPT('my_text', repeat("x",32), '', 'hkdf') = AES_ENCRYPT('my_text', repeat("y",32), '', 'hkdf')
+0
+# Strong key generation with KDF, should not be equal keys
+SELECT AES_ENCRYPT('my_text', repeat("x",32), '', 'hkdf') = AES_ENCRYPT('my_text', '\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0', '', 'hkdf');
+AES_ENCRYPT('my_text', repeat("x",32), '', 'hkdf') = AES_ENCRYPT('my_text', '\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0', '', 'hkdf')
+0
+#### AES_ENCRYPT KDF hkdf parameters
+select TO_BASE64(AES_ENCRYPT('my_text','my_key_string', '', 'hkdf'));
+TO_BASE64(AES_ENCRYPT('my_text','my_key_string', '', 'hkdf'))
+9UwMLA5qdPChE0NbqnTYGw==
+select TO_BASE64(AES_ENCRYPT('my_text','my_key_string', '', 'hkdf', 'salt'));
+TO_BASE64(AES_ENCRYPT('my_text','my_key_string', '', 'hkdf', 'salt'))
+nmOEqhC+wjUalOcakrMOQw==
+select TO_BASE64(AES_ENCRYPT('my_text','my_key_string', '', 'hkdf', 'salt', 'info'));
+TO_BASE64(AES_ENCRYPT('my_text','my_key_string', '', 'hkdf', 'salt', 'info'))
+QzgVeH3yZT7XefHW7G36nQ==
+SELECT 'my_text' = AES_DECRYPT(AES_ENCRYPT('my_text', 'my_key_string', '', 'hkdf'), 'my_key_string', '', 'hkdf');
+'my_text' = AES_DECRYPT(AES_ENCRYPT('my_text', 'my_key_string', '', 'hkdf'), 'my_key_string', '', 'hkdf')
+1
+#### AES_ENCRYPT KDF hkdf parameters with incorrect data types
+SELECT 'my_text' = AES_DECRYPT(AES_ENCRYPT('my_text','my_key_string', '', 'hkdf', 10001), 'my_key_string', '', 'hkdf', 10001);
+'my_text' = AES_DECRYPT(AES_ENCRYPT('my_text','my_key_string', '', 'hkdf', 10001), 'my_key_string', '', 'hkdf', 10001)
+1
+SELECT 'my_text' = AES_DECRYPT(AES_ENCRYPT('my_text','my_key_string', '', 'hkdf', 10001, 2000), 'my_key_string', '', 'hkdf', 10001, 2000);
+'my_text' = AES_DECRYPT(AES_ENCRYPT('my_text','my_key_string', '', 'hkdf', 10001, 2000), 'my_key_string', '', 'hkdf', 10001, 2000)
+1
+# KDF function name different case.
+select aes_encrypt("foo",repeat("x",16),NULL,'hKdF');
+ERROR HY000: KDF method name is not valid. Please use hkdf or pbkdf2_hmac method name
+#### AES_ENCRYPT KDF hkdf parameters with initialization vector
+SET @IV=REPEAT('a', 16);
+#### aes-128-cbc
+SELECT @@session.block_encryption_mode INTO @save_block_encryption_mode;
+SET SESSION block_encryption_mode="aes-128-cbc";
+SELECT 'my_text' = AES_DECRYPT(AES_ENCRYPT('my_text', 'my_key_string', @IV, 'hkdf'), 'my_key_string', @IV, 'hkdf');
+'my_text' = AES_DECRYPT(AES_ENCRYPT('my_text', 'my_key_string', @IV, 'hkdf'), 'my_key_string', @IV, 'hkdf')
+1
+SELECT 'my_text' = AES_DECRYPT(AES_ENCRYPT('my_text', 'my_key_string', @IV, 'hkdf', 'salt'), 'my_key_string', @IV, 'hkdf', 'salt');
+'my_text' = AES_DECRYPT(AES_ENCRYPT('my_text', 'my_key_string', @IV, 'hkdf', 'salt'), 'my_key_string', @IV, 'hkdf', 'salt')
+1
+SELECT 'my_text' = AES_DECRYPT(AES_ENCRYPT('my_text', 'my_key_string', @IV, 'hkdf', 'salt', 'info'), 'my_key_string', @IV, 'hkdf', 'salt', 'info');
+'my_text' = AES_DECRYPT(AES_ENCRYPT('my_text', 'my_key_string', @IV, 'hkdf', 'salt', 'info'), 'my_key_string', @IV, 'hkdf', 'salt', 'info')
+1
+SET SESSION block_encryption_mode=@save_block_encryption_mode;

mysql-test/r/func_aes_kdf_pbkdf2_hmac.result

@@ -0,0 +1,103 @@
+# Tests of the AES KDF functionality
+#### AES_ENCRYPT return type
+# must work and return a string
+SELECT TO_BASE64(AES_ENCRYPT('my_text', 'my_key_string', '', 'pbkdf2_hmac'));
+TO_BASE64(AES_ENCRYPT('my_text', 'my_key_string', '', 'pbkdf2_hmac'))
+44uRAyA9td7Ih/8XyI4paA==
+# must return 16
+SELECT LENGTH(AES_ENCRYPT('my_text', 'my_key_string', '', 'pbkdf2_hmac'));
+LENGTH(AES_ENCRYPT('my_text', 'my_key_string', '', 'pbkdf2_hmac'))
+16
+# must return binary
+SELECT CHARSET(AES_ENCRYPT('my_text', 'my_key_string', '', 'pbkdf2_hmac'));
+CHARSET(AES_ENCRYPT('my_text', 'my_key_string', '', 'pbkdf2_hmac'))
+binary
+# must be equal
+SELECT AES_ENCRYPT('my_text', 'my_key_string', '', 'pbkdf2_hmac') = AES_ENCRYPT('my_text', 'my_key_string', '', 'pbkdf2_hmac');
+AES_ENCRYPT('my_text', 'my_key_string', '', 'pbkdf2_hmac') = AES_ENCRYPT('my_text', 'my_key_string', '', 'pbkdf2_hmac')
+1
+#### AES_ENCRYPT KDF pbkdf2_hmac parameters
+select TO_BASE64(AES_ENCRYPT('my_text','my_key_string', '', 'pbkdf2_hmac'));
+TO_BASE64(AES_ENCRYPT('my_text','my_key_string', '', 'pbkdf2_hmac'))
+44uRAyA9td7Ih/8XyI4paA==
+select TO_BASE64(AES_ENCRYPT('my_text','my_key_string', '', 'pbkdf2_hmac', 'salt'));
+TO_BASE64(AES_ENCRYPT('my_text','my_key_string', '', 'pbkdf2_hmac', 'salt'))
+gmnbJutgker3Oftr8Bwejg==
+select TO_BASE64(AES_ENCRYPT('my_text','my_key_string', '', 'pbkdf2_hmac', 'salt', '10001'));
+TO_BASE64(AES_ENCRYPT('my_text','my_key_string', '', 'pbkdf2_hmac', 'salt', '10001'))
+XoWbOI01+edhv7XX2+BKew==
+SELECT 'my_text' = AES_DECRYPT(AES_ENCRYPT('my_text', 'my_key_string', '', 'pbkdf2_hmac'), 'my_key_string', '', 'pbkdf2_hmac');
+'my_text' = AES_DECRYPT(AES_ENCRYPT('my_text', 'my_key_string', '', 'pbkdf2_hmac'), 'my_key_string', '', 'pbkdf2_hmac')
+1
+# Tests of AES strong key generation
+# Weak key generation without KDF, should be equal output
+SELECT AES_ENCRYPT('my_text', repeat("x",32), '') = AES_ENCRYPT('my_text', repeat("y",32), '');
+AES_ENCRYPT('my_text', repeat("x",32), '') = AES_ENCRYPT('my_text', repeat("y",32), '')
+1
+Warnings:
+Warning	1618	<IV> option ignored
+Warning	3237	AES key size should be 16 bytes length or secure KDF methods hkdf or pbkdf2_hmac should be used, please provide exact AES key size or use KDF methods for better security.
+Warning	1618	<IV> option ignored
+Warning	3237	AES key size should be 16 bytes length or secure KDF methods hkdf or pbkdf2_hmac should be used, please provide exact AES key size or use KDF methods for better security.
+# Strong key generation with KDF, should not be equal output
+SELECT AES_ENCRYPT('my_text', repeat("x",32), '', 'pbkdf2_hmac') = AES_ENCRYPT('my_text', repeat("y",32), '', 'pbkdf2_hmac');
+AES_ENCRYPT('my_text', repeat("x",32), '', 'pbkdf2_hmac') = AES_ENCRYPT('my_text', repeat("y",32), '', 'pbkdf2_hmac')
+0
+# Strong key generation with KDF, should not be equal output
+SELECT AES_ENCRYPT('my_text', repeat("x",32), '', 'pbkdf2_hmac') = AES_ENCRYPT('my_text', '\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0', '', 'pbkdf2_hmac');
+AES_ENCRYPT('my_text', repeat("x",32), '', 'pbkdf2_hmac') = AES_ENCRYPT('my_text', '\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0', '', 'pbkdf2_hmac')
+0
+#### AES_ENCRYPT KDF pbkdf2_hmac parameters with incorrect data types
+SELECT 'my_text' = AES_DECRYPT(AES_ENCRYPT('my_text', 'my_key_string', '', 'pbkdf2_hmac', 4000, '10001'), 'my_key_string', '', 'pbkdf2_hmac',4000, '10001');
+'my_text' = AES_DECRYPT(AES_ENCRYPT('my_text', 'my_key_string', '', 'pbkdf2_hmac', 4000, '10001'), 'my_key_string', '', 'pbkdf2_hmac',4000, '10001')
+1
+SELECT 'my_text' = AES_DECRYPT(AES_ENCRYPT('my_text', 'my_key_string', '', 'pbkdf2_hmac', 4000, 10001), 'my_key_string', '', 'pbkdf2_hmac',4000, 10001);
+'my_text' = AES_DECRYPT(AES_ENCRYPT('my_text', 'my_key_string', '', 'pbkdf2_hmac', 4000, 10001), 'my_key_string', '', 'pbkdf2_hmac',4000, 10001)
+1
+#### AES_ENCRYPT KDF error conditions
+# Invalid KDF method
+select AES_ENCRYPT('my_text','my_key_string', '', 'invalid');
+ERROR HY000: KDF method name is not valid. Please use hkdf or pbkdf2_hmac method name
+# Warning for big AES key and empty KDF method
+select AES_ENCRYPT('my_text', repeat("x",32));
+AES_ENCRYPT('my_text', repeat("x",32))
+�'���lD5H�����
+Warnings:
+Warning	3237	AES key size should be 16 bytes length or secure KDF methods hkdf or pbkdf2_hmac should be used, please provide exact AES key size or use KDF methods for better security.
+# No warning for smaller key
+select AES_ENCRYPT('my_text', 'my_key');
+AES_ENCRYPT('my_text', 'my_key')
+~�Zk,Za���=Z�
+# KDF pbkdf2_hmac iterations less then 1000 error.
+select AES_ENCRYPT('my_text','my_key_string', '', 'pbkdf2_hmac', 'salt', '100');
+ERROR HY000: For KDF method pbkdf2_hmac iterations value less than 1000 or more than 65535 is not allowed due to security reasons. Please provide iterations >= 1000 and iterations < 65535
+# KDF pbkdf2_hmac iterations as text
+select AES_ENCRYPT('my_text','my_key_string', '', 'pbkdf2_hmac', 'salt', 'aa');
+ERROR HY000: For KDF method pbkdf2_hmac iterations value less than 1000 or more than 65535 is not allowed due to security reasons. Please provide iterations >= 1000 and iterations < 65535
+# KDF function name very large.
+select aes_encrypt("foo",repeat("x",16),NULL,repeat("1",10000000000));
+ERROR HY000: KDF option size is invalid, please provide valid size < 256 bytes and not NULL
+# KDF function name large
+select aes_encrypt("foo",repeat("x",16),NULL,repeat("1",300));
+ERROR HY000: KDF option size is invalid, please provide valid size < 256 bytes and not NULL
+# KDF function name different case.
+select aes_encrypt("foo",repeat("x",16),NULL,'pbkdf2_HMac');
+ERROR HY000: KDF method name is not valid. Please use hkdf or pbkdf2_hmac method name
+# Extra IV
+select aes_encrypt("foo",repeat("x",16),NULL,'pbkdf2_HMac');
+ERROR HY000: KDF method name is not valid. Please use hkdf or pbkdf2_hmac method name
+#### AES_ENCRYPT KDF pbkdf2_hmac parameters with initialization vector
+SET @IV=REPEAT('a', 16);
+#### aes-128-cbc
+SELECT @@session.block_encryption_mode INTO @save_block_encryption_mode;
+SET SESSION block_encryption_mode="aes-128-cbc";
+SELECT 'my_text' = AES_DECRYPT(AES_ENCRYPT('my_text', 'my_key_string', @IV, 'pbkdf2_hmac'), 'my_key_string', @IV, 'pbkdf2_hmac');
+'my_text' = AES_DECRYPT(AES_ENCRYPT('my_text', 'my_key_string', @IV, 'pbkdf2_hmac'), 'my_key_string', @IV, 'pbkdf2_hmac')
+1
+SELECT 'my_text' = AES_DECRYPT(AES_ENCRYPT('my_text', 'my_key_string', @IV, 'pbkdf2_hmac', 'salt'), 'my_key_string', @IV, 'pbkdf2_hmac', 'salt');
+'my_text' = AES_DECRYPT(AES_ENCRYPT('my_text', 'my_key_string', @IV, 'pbkdf2_hmac', 'salt'), 'my_key_string', @IV, 'pbkdf2_hmac', 'salt')
+1
+SELECT 'my_text' = AES_DECRYPT(AES_ENCRYPT('my_text', 'my_key_string', @IV, 'pbkdf2_hmac', 'salt', '10001'), 'my_key_string', @IV, 'pbkdf2_hmac', 'salt', '10001');
+'my_text' = AES_DECRYPT(AES_ENCRYPT('my_text', 'my_key_string', @IV, 'pbkdf2_hmac', 'salt', '10001'), 'my_key_string', @IV, 'pbkdf2_hmac', 'salt', '10001')
+1
+SET SESSION block_encryption_mode=@save_block_encryption_mode;

mysql-test/r/func_aes_misc.result

@@ -206,6 +206,7 @@ CREATE TABLE t1(f1 varchar(256));
 INSERT INTO t1 values(AES_ENCRYPT(@ENCSTR, @KEYS, @IV));
 Warnings:
 Warning	1618	<IV> option ignored
+Warning	3237	AES key size should be 16 bytes length or secure KDF methods hkdf or pbkdf2_hmac should be used, please provide exact AES key size or use KDF methods for better security.
 Combination1..............
 SET @@session.block_encryption_mode = 'aes-192-ecb';
 should return NULL