From eda35e8a52a304239c1ed27a5df5bd491eb132c3 Mon Sep 17 00:00:00 2001
From: vadim
Date: Wed, 30 Dec 2020 09:52:21 +0300
Subject: [PATCH 1/3] Openssl v3 support

---
 cmake/ssl.cmake | 63 ++++++++++++++++++++++++++++++------------
 mysys/my_md5.cc | 8 ++++++
 vio/viosslfactories.cc | 26 ++++++++++++++++-
 3 files changed, 78 insertions(+), 19 deletions(-)

diff --git a/cmake/ssl.cmake b/cmake/ssl.cmake
index 52feadeaa3e..56fe80102d4 100644
--- a/cmake/ssl.cmake
+++ b/cmake/ssl.cmake
@@ -202,25 +202,52 @@ MACRO (MYSQL_CHECK_SSL) HINTS ${OPENSSL_ROOT_DIR}/lib) IF(OPENSSL_INCLUDE_DIR) - # Verify version number. Version information looks like: - # #define OPENSSL_VERSION_NUMBER 0x1000103fL - # Encoded as MNNFFPPS: major minor fix patch status FILE(STRINGS "${OPENSSL_INCLUDE_DIR}/openssl/opensslv.h" - OPENSSL_VERSION_NUMBER - REGEX "^#[ ]*define[\t ]+OPENSSL_VERSION_NUMBER[\t ]+0x[0-9].*" - ) - STRING(REGEX REPLACE - "^.*OPENSSL_VERSION_NUMBER[\t ]+0x([0-9]).*$" "\\1" - OPENSSL_MAJOR_VERSION "${OPENSSL_VERSION_NUMBER}" - ) - STRING(REGEX REPLACE - "^.*OPENSSL_VERSION_NUMBER[\t ]+0x[0-9]([0-9][0-9]).*$" "\\1" - OPENSSL_MINOR_VERSION "${OPENSSL_VERSION_NUMBER}" - ) - STRING(REGEX REPLACE - "^.*OPENSSL_VERSION_NUMBER[\t ]+0x[0-9][0-9][0-9]([0-9][0-9]).*$" "\\1" - OPENSSL_FIX_VERSION "${OPENSSL_VERSION_NUMBER}" + OPENSSL_MAJOR_VERSION + REGEX "^#[ ]*define[\t ]+OPENSSL_VERSION_MAJOR[\t ]+[0-9].*" ) + IF(OPENSSL_MAJOR_VERSION STREQUAL "") + # Verify version number. Version information looks like: + # #define OPENSSL_VERSION_NUMBER 0x1000103fL + # Encoded as MNNFFPPS: major minor fix patch status + FILE(STRINGS "${OPENSSL_INCLUDE_DIR}/openssl/opensslv.h" + OPENSSL_VERSION_NUMBER + REGEX "^#[ ]*define[\t ]+OPENSSL_VERSION_NUMBER[\t ]+0x[0-9].*" + ) + STRING(REGEX REPLACE + "^.*OPENSSL_VERSION_NUMBER[\t ]+0x([0-9]).*$" "\\1" + OPENSSL_MAJOR_VERSION "${OPENSSL_VERSION_NUMBER}" + ) + STRING(REGEX REPLACE + "^.*OPENSSL_VERSION_NUMBER[\t ]+0x[0-9]([0-9][0-9]).*$" "\\1" + OPENSSL_MINOR_VERSION "${OPENSSL_VERSION_NUMBER}" + ) + STRING(REGEX REPLACE + "^.*OPENSSL_VERSION_NUMBER[\t ]+0x[0-9][0-9][0-9]([0-9][0-9]).*$" "\\1" + OPENSSL_FIX_VERSION "${OPENSSL_VERSION_NUMBER}" + ) + ELSE() + STRING(REGEX REPLACE + "^.*OPENSSL_VERSION_MAJOR[\t ]+([0-9]).*$" "\\1" + OPENSSL_MAJOR_VERSION "${OPENSSL_MAJOR_VERSION}" + ) + FILE(STRINGS "${OPENSSL_INCLUDE_DIR}/openssl/opensslv.h" + OPENSSL_MINOR_VERSION + REGEX "^#[ ]*define[\t ]+OPENSSL_VERSION_MINOR[\t ]+[0-9].*" + ) + 
STRING(REGEX REPLACE + "^.*OPENSSL_VERSION_MINOR[\t ]+([0-9]).*$" "\\1" + OPENSSL_MINOR_VERSION "${OPENSSL_VERSION_MINOR}" + ) + FILE(STRINGS "${OPENSSL_INCLUDE_DIR}/openssl/opensslv.h" + OPENSSL_FIX_VERSION + REGEX "^#[ ]*define[\t ]+OPENSSL_VERSION_PATCH[\t ]+[0-9].*" + ) + STRING(REGEX REPLACE + "^.*OPENSSL_VERSION_PATCH[\t ]+([0-9]).*$" "\\1" + OPENSSL_FIX_VERSION "${OPENSSL_VERSION_PATCH}" + ) + ENDIF() ENDIF() IF("${OPENSSL_MAJOR_VERSION}.${OPENSSL_MINOR_VERSION}.${OPENSSL_FIX_VERSION}" VERSION_GREATER "1.1.0") ADD_DEFINITIONS(-DHAVE_TLSv13) @@ -228,7 +255,7 @@ MACRO (MYSQL_CHECK_SSL) IF(OPENSSL_INCLUDE_DIR AND OPENSSL_LIBRARY AND CRYPTO_LIBRARY AND - OPENSSL_MAJOR_VERSION STREQUAL "1" + (OPENSSL_MAJOR_VERSION STREQUAL "1" OR OPENSSL_MAJOR_VERSION STREQUAL "3") ) SET(OPENSSL_FOUND TRUE) FIND_PROGRAM(OPENSSL_EXECUTABLE openssl diff --git a/mysys/my_md5.cc b/mysys/my_md5.cc index dea997b252c..f1cb6eed135 100644 --- a/mysys/my_md5.cc +++ b/mysys/my_md5.cc @@ -34,6 +34,10 @@ #include #include +#if OPENSSL_VERSION_NUMBER >= 0x30000000L +#include +#include +#endif static void my_md5_hash(unsigned char *digest, unsigned const char *buf, int len) { @@ -56,7 +60,11 @@ static void my_md5_hash(unsigned char *digest, unsigned const char *buf, int compute_md5_hash(char *digest, const char *buf, int len) { int retval = 0; int fips_mode = 0; +#if OPENSSL_VERSION_NUMBER >= 0x30000000L + fips_mode = EVP_default_properties_is_fips_enabled(NULL) && OSSL_PROVIDER_available(NULL, "fips"); +#else fips_mode = FIPS_mode(); +#endif /* If fips mode is ON/STRICT restricted method calls will result into abort, * skipping call. */ if (fips_mode == 0) { diff --git a/vio/viosslfactories.cc b/vio/viosslfactories.cc index 21c3510da8a..0dc2e93088c 100644 --- a/vio/viosslfactories.cc +++ b/vio/viosslfactories.cc 
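Review bot: In the new `ELSE()` branch the minor and patch captures `([0-9])` take a single digit, so a header declaring e.g. `OPENSSL_VERSION_PATCH 13` yields OPENSSL_FIX_VERSION `1`, while the legacy branch just above deliberately captures two digits with `([0-9][0-9])`; any later `VERSION_GREATER`/`VERSION_LESS` gate on the fix or minor component then compares a truncated number. Use an unbounded capture in the two `STRING(REGEX REPLACE` calls: `"^.*OPENSSL_VERSION_MINOR[\t ]+([0-9]+).*$" "\\1"` and `"^.*OPENSSL_VERSION_PATCH[\t ]+([0-9]+).*$" "\\1"` (the major capture can take the same form). The test `IF(OPENSSL_MAJOR_VERSION STREQUAL "")` would also read more safely with the left operand quoted, `IF("${OPENSSL_MAJOR_VERSION}" STREQUAL "")`, since an unquoted name whose value is itself a variable name is dereferenced again. Patches 2/3 of this series only fix the `${OPENSSL_VERSION_MINOR}`/`${OPENSSL_VERSION_PATCH}` references; the capture width is not touched there, and the hunk's first context line is not visible in this copy.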
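Review bot: The OpenSSL 3 branch of compute_md5_hash decides whether MD5 may be called from `EVP_default_properties_is_fips_enabled(NULL) && OSSL_PROVIDER_available(NULL, "fips")`, which reconstructs the library's own rule indirectly: under 3.x an algorithm is unusable whenever no loaded provider offers it for the effective property query, and the comment kept above the call ("restricted method calls will result into abort") describes the 1.x FIPS module, not 3.x, where a fetch simply fails. A more direct guard, assuming <openssl/evp.h> is among the (stripped) includes, is to fetch the digest and skip when it is absent: `EVP_MD *md = EVP_MD_fetch(NULL, "MD5", NULL);` then `if (md != NULL) { /* existing hashing call */ EVP_MD_free(md); }`, leaving the 1.x `FIPS_mode()` path as it is. If the property-based check is kept instead, extend the comment so it states that under OpenSSL 3 `NULL` is the default library context and that a skipped hash results from a failed fetch rather than an abort. The remainder of compute_md5_hash, including what the caller receives when the hash is skipped, lies outside the hunk.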
@@ -45,6 +45,11 @@ #include #endif /* OPENSSL_VERSION_NUMBER < 0x10002000L */ +#if OPENSSL_VERSION_NUMBER >= 0x30000000L +#include +#include +#endif + #define TLS_VERSION_OPTION_SIZE 256 /* @@ -497,12 +502,20 @@ int set_fips_mode(const uint fips_mode, char err_string[OPENSSL_ERROR_LENGTH]) { if (fips_mode > 2) { goto EXIT; } +#if OPENSSL_VERSION_NUMBER >= 0x30000000L + fips_mode_old = EVP_default_properties_is_fips_enabled(NULL); +#else fips_mode_old = FIPS_mode(); +#endif if (fips_mode_old == fips_mode) { rc = 1; goto EXIT; } +#if OPENSSL_VERSION_NUMBER >= 0x30000000L + if (!(rc = EVP_default_properties_enable_fips(NULL, fips_mode))) { +#else if (!(rc = FIPS_mode_set(fips_mode))) { +#endif /* If OS doesn't have FIPS enabled openssl library and user sets FIPS mode ON, It fails with proper error. But in the same time it doesn't allow to @@ -510,7 +523,11 @@ int set_fips_mode(const uint fips_mode, char err_string[OPENSSL_ERROR_LENGTH]) { error, setting old working FIPS mode value in the OpenSSL library. It will allow successful cryptographic operation and will not abort the server. */ +#if OPENSSL_VERSION_NUMBER >= 0x30000000L + EVP_default_properties_enable_fips(NULL, fips_mode_old); +#else FIPS_mode_set(fips_mode_old); +#endif err_library = ERR_get_error(); ERR_error_string_n(err_library, err_string, OPENSSL_ERROR_LENGTH - 1); err_string[OPENSSL_ERROR_LENGTH - 1] = '\0'; @@ -524,7 +541,14 @@ int set_fips_mode(const uint fips_mode, char err_string[OPENSSL_ERROR_LENGTH]) { @returns openssl current fips mode */ -uint get_fips_mode() { return FIPS_mode(); } +uint get_fips_mode() +{ +#if OPENSSL_VERSION_NUMBER >= 0x30000000L + return EVP_default_properties_is_fips_enabled(NULL); +#else + return FIPS_mode(); +#endif +} long process_tls_version(const char *tls_version) { const char *separator = ","; From 6e71a70b29d7b52055f5905dcfa3f4a0652db906 Mon Sep 17 00:00:00 2001 
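Review bot: In the 3.x branch of set_fips_mode, `EVP_default_properties_enable_fips(NULL, fips_mode)` as far as I can tell only rewrites the default property query to `fips=yes`; it succeeds whether or not a FIPS provider is loaded, so the failure path in the following hunk (restore `fips_mode_old`, copy `ERR_get_error()` into err_string) is effectively never taken under 3.x and a server started with FIPS requested but no FIPS provider fails at its first algorithm fetch instead of here. Check the provider before enabling and report through err_string, so the 1.x contract of refusing to enter FIPS mode when the library cannot provide it is kept. Two smaller points: `fips_mode_old` is derived from the property alone while patch 3's `get_fips_mode()` also requires `OSSL_PROVIDER_available`, so getter and setter disagree on the current mode and should share one helper; and `fips_mode` 2 (STRICT) collapses to plain `fips=yes` here, which deserves a comment because the `fips_mode_old == fips_mode` comparison can then never match it. set_fips_mode's declarations and EXIT label are outside the hunk, and the snprintf below assumes <cstdio> is already available in this file.
```cpp
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
  /* fips=yes only filters later fetches; with no FIPS provider loaded every
     EVP fetch would then fail, so refuse here rather than at first use. */
  if (fips_mode != 0 && !OSSL_PROVIDER_available(NULL, "fips")) {
    rc = 0;
    snprintf(err_string, OPENSSL_ERROR_LENGTH, "FIPS provider is not available");
    goto EXIT;
  }
  if (!(rc = EVP_default_properties_enable_fips(NULL, fips_mode))) {
#else
  if (!(rc = FIPS_mode_set(fips_mode))) {
#endif
    // … unchanged: restore fips_mode_old and fill err_string from ERR_get_error() …
```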
From: vadim
Date: Wed, 30 Dec 2020 09:56:49 +0300
Subject: [PATCH 2/3] Openssl v3 support

---
 cmake/ssl.cmake | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/cmake/ssl.cmake b/cmake/ssl.cmake
index 56fe80102d4..b3303a956b6 100644
--- a/cmake/ssl.cmake
+++ b/cmake/ssl.cmake
@@ -237,7 +237,7 @@ MACRO (MYSQL_CHECK_SSL)
       )
       STRING(REGEX REPLACE
         "^.*OPENSSL_VERSION_MINOR[\t ]+([0-9]).*$" "\\1"
-        OPENSSL_MINOR_VERSION "${OPENSSL_VERSION_MINOR}"
+        OPENSSL_MINOR_VERSION "${OPENSSL_MINOR_VERSION}"
       )
       FILE(STRINGS "${OPENSSL_INCLUDE_DIR}/openssl/opensslv.h"
         OPENSSL_FIX_VERSION
@@ -245,7 +245,7 @@ MACRO (MYSQL_CHECK_SSL)
       )
       STRING(REGEX REPLACE
         "^.*OPENSSL_VERSION_PATCH[\t ]+([0-9]).*$" "\\1"
-        OPENSSL_FIX_VERSION "${OPENSSL_VERSION_PATCH}"
+        OPENSSL_FIX_VERSION "${OPENSSL_FIX_VERSION}"
       )
     ENDIF()
   ENDIF()

From a18c13ef1fb702a31888c2ce53159fda281fb384 Mon Sep 17 00:00:00 2001
From: vadim
Date: Wed, 30 Dec 2020 10:05:13 +0300
Subject: [PATCH 3/3] Openssl v3 support

---
 vio/viosslfactories.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/vio/viosslfactories.cc b/vio/viosslfactories.cc
index 0dc2e93088c..db3de255e9d 100644
--- a/vio/viosslfactories.cc
+++ b/vio/viosslfactories.cc
@@ -544,7 +544,7 @@ int set_fips_mode(const uint fips_mode, char err_string[OPENSSL_ERROR_LENGTH]) {
 uint get_fips_mode()
 {
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
-  return EVP_default_properties_is_fips_enabled(NULL);
+  return EVP_default_properties_is_fips_enabled(NULL) && OSSL_PROVIDER_available(NULL, "fips");
 #else
   return FIPS_mode();
 #endif
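Review bot: The new `return` in get_fips_mode() reports ON only when `fips=yes` is set and the "fips" provider is loaded, but set_fips_mode() from patch 1 (outside this hunk) still derives `fips_mode_old` from `EVP_default_properties_is_fips_enabled(NULL)` alone, so the getter and setter can disagree: with the property set and no provider, `set_fips_mode(1)` returns early with `rc = 1` as "already on" while `get_fips_mode()` reports off. Factor the 3.x check into one helper, e.g. `static bool ossl3_fips_active() { return EVP_default_properties_is_fips_enabled(NULL) && OSSL_PROVIDER_available(NULL, "fips"); }`, and call it from both functions. Because the value is now a `&&` result, STRICT (2) can no longer be reported under 3.x; state that in the function's doc comment, e.g. `@returns 0 or 1 with OpenSSL 3; STRICT is indistinguishable from ON`. The `#else` branch keeps `FIPS_mode()` unchanged.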