Bug #70489 Crash when using AES_ENCRYPT on empty string
Submitted: 2 Oct 2013 12:13
Modified: 2 Dec 2013 17:20
Reporter: Sergei Glushchenko
Status: Unsupported
Category: MySQL Server
Severity: S2 (Serious)
Version: 5.6.12
OS: Linux (CentOS 5)
Assigned to:
CPU Architecture: Any
Tags: crash, openssl

[2 Oct 2013 12:13] Sergei Glushchenko
Description:
Older versions of OpenSSL don't allow passing an empty input buffer to EVP_EncryptUpdate, which leads to a server crash with the error

evp_enc.c(146): OpenSSL internal error, assertion failed: inl > 0

Originally reported as https://bugs.launchpad.net/percona-server/+bug/1201033.

How to repeat:
1. Build MySQL 5.6 on CentOS 5 with -DWITH_SSL=system
2. Execute SELECT AES_ENCRYPT('','6b2d440b57b3bae74e3cf71e415b3965');

Suggested fix:
Do not call EVP_EncryptUpdate for an empty string.

[2 Oct 2013 15:04] MySQL Verification Team
I couldn't repeat with the source tree on CentOS 6.4:

[miguel@TikalVM 5.6]$ bin/mysql -uroot
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 1
Server version: 5.6.15-debug Source distribution

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> SELECT AES_ENCRYPT('','6b2d440b57b3bae74e3cf71e415b3965');
+----------------------------------------------------+
| AES_ENCRYPT('','6b2d440b57b3bae74e3cf71e415b3965') |
+----------------------------------------------------+
| �Z�q�� �Jy��                                           |
+----------------------------------------------------+
1 row in set (0.00 sec)

mysql>

Please try with the most recent version. Thanks.

[2 Oct 2013 17:59] Sergei Glushchenko
You should try the same with binaries built with system OpenSSL on CentOS 5. The OpenSSL version is important.

[3 Oct 2013 7:38] MySQL Verification Team
At the same time we have this, which would indicate that an old version of OpenSSL shouldn't be used!

Bug 14167227 - CMAKE SHOULD REJECT -DWITH_SSL=SYSTEM IF OPENSSL IS OLDER THAN 1.0.0

[11 Oct 2013 17:17] Sveta Smirnova
Thank you for the report.

Which exact version of OpenSSL do you use?

[12 Oct 2013 16:43] Sergei Glushchenko
[root@localhost ~]# openssl version
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008

It is the default on CentOS 5.

[root@localhost ~]# cat /etc/redhat-release
CentOS release 5.8 (Final)

[2 Dec 2013 17:20] Sveta Smirnova
Thank you for the feedback.

After the fix of bug #14167227 (in 5.6.7), this configuration is not supported anymore.
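
Added example, not part of the thread and not MySQL's CMake check: a build preflight in shell that applies the "older than 1.0.0" rule from Bug 14167227 to an `openssl version` banner such as the one posted above. The function names and exit codes are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not MySQL's CMake logic). The 1.0.0 floor is the one quoted
# in the thread; function names are hypothetical.
MIN_MAJOR=1 MIN_MINOR=0 MIN_PATCH=0

# Print "major minor patch" from an `openssl version` banner; fail if unparseable.
parse_openssl_version() {
    case $1 in
        "OpenSSL "*) ;;
        *) return 1 ;;               # other products use other numbering
    esac
    ver=${1#"OpenSSL "}              # "0.9.8e-fips-rhel5 01 Jul 2008"
    ver=${ver%% *}                   # "0.9.8e-fips-rhel5"
    ver=${ver%%[!0-9.]*}             # "0.9.8" (drops patch letter and vendor tag)
    case $ver in
        *.*.*) ;;
        *) return 1 ;;               # fewer than three components
    esac
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    for part in "$major" "$minor" "$patch"; do
        case $part in
            ''|*[!0-9]*) return 1 ;; # empty field or a fourth component
        esac
    done
    printf '%s %s %s\n' "$major" "$minor" "$patch"
}

# Exit status: 0 = at or above the floor, 1 = older, 2 = banner not understood.
openssl_supported() {
    parsed=$(parse_openssl_version "$1") || return 2
    set -- $parsed
    [ "$1" -gt "$MIN_MAJOR" ] && return 0
    [ "$1" -lt "$MIN_MAJOR" ] && return 1
    [ "$2" -gt "$MIN_MINOR" ] && return 0
    [ "$2" -lt "$MIN_MINOR" ] && return 1
    [ "$3" -ge "$MIN_PATCH" ]
}

# Constructed sample banners; the first is the one posted in the thread.
for banner in "OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008" \
              "OpenSSL 1.0.1e-fips 11 Feb 2013" "not a banner"; do
    rc=0; openssl_supported "$banner" || rc=$?
    echo "rc=$rc  $banner"
done
```

In a real build wrapper the argument would be `"$(openssl version)"`, and any nonzero status would stop the build before `-DWITH_SSL=system` is used.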