MDEV-14343 Server crash on FIPS with openssl-1.0.2k

don't use internal undocumented OpenSSL functionality
MariaDB · Jan 30, 2018 · ad0013c · ad0013c
1 parent fb24eb8
commit ad0013c
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 21 deletions.
diff --git a/mysys_ssl/my_crypt.cc b/mysys_ssl/my_crypt.cc
@@ -26,6 +26,7 @@
 #include <openssl/evp.h>
 #include <openssl/aes.h>
 #include <openssl/err.h>
+#include <openssl/rand.h>
 
 #ifdef HAVE_ERR_remove_thread_state
 #define ERR_remove_state(X) ERR_remove_thread_state(NULL)
@@ -292,31 +293,11 @@ unsigned int my_aes_ctx_size(enum my_aes_mode)
  return MY_AES_CTX_SIZE;
 }
 
-#ifdef HAVE_YASSL
-#include <random.hpp>
-int my_random_bytes(uchar* buf, int num)
-{
- TaoCrypt::RandomNumberGenerator rand;
- rand.GenerateBlock((TaoCrypt::byte*) buf, num);
- return MY_AES_OK;
-}
-#else
-#include <openssl/rand.h>
-
 int my_random_bytes(uchar *buf, int num)
 {
- /*
- Unfortunately RAND_bytes manual page does not provide any guarantees
- in relation to blocking behavior. Here we explicitly use SSLeay random
- instead of whatever random engine is currently set in OpenSSL. That way
- we are guaranteed to have a non-blocking random.
- */
- RAND_METHOD *rand = RAND_SSLeay();
- if (rand == NULL || rand->bytes(buf, num) != 1)
+ if (RAND_bytes(buf, num) != 1)
  return MY_AES_OPENSSL_ERROR;
  return MY_AES_OK;
 }
-#endif
 
 }
-
diff --git a/mysys_ssl/yassl.cc b/mysys_ssl/yassl.cc
@@ -26,6 +26,7 @@
 #include "aes.hpp"
 
 using yaSSL::yaERR_remove_state;
+using yaSSL::yaRAND_bytes;
 
 #define EVP_CIPH_ECB_MODE 0x1
 #define EVP_CIPH_CBC_MODE 0x2