From ad0013c8e2b01acf2128580599aa6d54bf234b2d Mon Sep 17 00:00:00 2001
From: Sergei Golubchik <serg@mariadb.org>
Date: Mon, 29 Jan 2018 15:10:31 +0100
Subject: MDEV-14343 Server crash on FIPS with openssl-1.0.2k

don't use internal undocumented OpenSSL functionality
---
 mysys_ssl/my_crypt.cc | 23 ++---------------------
 mysys_ssl/yassl.cc    |  1 +
 2 files changed, 3 insertions(+), 21 deletions(-)

diff --git a/mysys_ssl/my_crypt.cc b/mysys_ssl/my_crypt.cc
index a0937a83e17..439339423cd 100644
--- a/mysys_ssl/my_crypt.cc
+++ b/mysys_ssl/my_crypt.cc
@@ -26,6 +26,7 @@
 #include <openssl/evp.h>
 #include <openssl/aes.h>
 #include <openssl/err.h>
+#include <openssl/rand.h>
 
 #ifdef HAVE_ERR_remove_thread_state
 #define ERR_remove_state(X) ERR_remove_thread_state(NULL)
@@ -292,31 +293,11 @@ unsigned int my_aes_ctx_size(enum my_aes_mode)
   return MY_AES_CTX_SIZE;
 }
 
-#ifdef HAVE_YASSL
-#include <random.hpp>
-int my_random_bytes(uchar* buf, int num)
-{
-  TaoCrypt::RandomNumberGenerator rand;
-  rand.GenerateBlock((TaoCrypt::byte*) buf, num);
-  return MY_AES_OK;
-}
-#else
-#include <openssl/rand.h>
-
 int my_random_bytes(uchar *buf, int num)
 {
-  /*
-    Unfortunately RAND_bytes manual page does not provide any guarantees
-    in relation to blocking behavior. Here we explicitly use SSLeay random
-    instead of whatever random engine is currently set in OpenSSL. That way
-    we are guaranteed to have a non-blocking random.
-  */
-  RAND_METHOD *rand = RAND_SSLeay();
-  if (rand == NULL || rand->bytes(buf, num) != 1)
+  if (RAND_bytes(buf, num) != 1)
     return MY_AES_OPENSSL_ERROR;
   return MY_AES_OK;
 }
-#endif
 
 }
-
diff --git a/mysys_ssl/yassl.cc b/mysys_ssl/yassl.cc
index 9717870fe26..e9f8e650347 100644
--- a/mysys_ssl/yassl.cc
+++ b/mysys_ssl/yassl.cc
@@ -26,6 +26,7 @@
 #include "aes.hpp"
 
 using yaSSL::yaERR_remove_state;
+using yaSSL::yaRAND_bytes;
 
 #define EVP_CIPH_ECB_MODE     0x1
 #define EVP_CIPH_CBC_MODE     0x2
-- 
cgit v1.2.1