openssl: add a more specific DES support detection

Improve detection for DES support in OpenSSL, to allow compilation against system OpenSSL without DES. Note that MariaDB needs to be compiled against OpenSSL-like library that itself has DES support which cmake detected. Positive detection is indicated with CMake variable HAVE_des 1. Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@surgut.co.uk>

openssl: add a more specific DES support detection
Improve detection for DES support in OpenSSL, to allow compilation against system OpenSSL without DES. Note that MariaDB needs to be compiled against OpenSSL-like library that itself has DES support which cmake detected. Positive detection is indicated with CMake variable HAVE_des 1. Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@surgut.co.uk>
bf77f979 · Dimitri John Ledkov · Daniel Black · f9575495 · bf77f979 · bf77f979
Commit bf77f979 authored Apr 13, 2024 by Dimitri John Ledkov Committed by Daniel Black Apr 30, 2024
10 changed files
--- a/cmake/ssl.cmake
+++ b/cmake/ssl.cmake
@@ -60,6 +60,7 @@ MACRO (MYSQL_USE_BUNDLED_SSL)
  SET(HAVE_EncryptAes128Ctr OFF CACHE INTERNAL "wolfssl does support AES-CTR, but differently from openssl")
  SET(HAVE_EncryptAes128Gcm OFF CACHE INTERNAL "wolfssl does not support AES-GCM")
  SET(HAVE_X509_check_host ON CACHE INTERNAL  "wolfssl does support X509_check_host")
+  SET(HAVE_des ON CACHE INTERNAL "wolfssl does support DES API")
  CHANGE_SSL_SETTINGS("bundled")
  ADD_SUBDIRECTORY(extra/wolfssl)
  MESSAGE_ONCE(SSL_LIBRARIES "SSL_LIBRARIES = ${SSL_LIBRARIES}")
@@ -158,6 +159,8 @@ MACRO (MYSQL_CHECK_SSL)
                          HAVE_EncryptAes128Gcm)
      CHECK_SYMBOL_EXISTS(X509_check_host "openssl/x509v3.h"
                          HAVE_X509_check_host)
+      CHECK_SYMBOL_EXISTS(DES_set_key_unchecked "openssl/des.h"
+                          HAVE_des)
      SET(CMAKE_REQUIRED_INCLUDES)
      SET(CMAKE_REQUIRED_LIBRARIES)
      SET(CMAKE_REQUIRED_DEFINITIONS)

--- a/config.h.cmake
+++ b/config.h.cmake
@@ -498,6 +498,7 @@
 #cmakedefine HAVE_COMPRESS 1
 #cmakedefine HAVE_EncryptAes128Ctr 1
 #cmakedefine HAVE_EncryptAes128Gcm 1
+#cmakedefine HAVE_des 1
 /*
  Stuff that always need to be defined (compile breaks without it)

--- a/mysql-test/main/func_encrypt_nossl.result
+++ b/mysql-test/main/func_encrypt_nossl.result
@@ -2,83 +2,83 @@ select des_encrypt("test", 'akeystr');
 des_encrypt("test", 'akeystr')
 NULL
 Warnings:
-Warning	1289	The 'des_encrypt' feature is disabled; you need MariaDB built with '--with-ssl' to have it working
+Warning	1289	The 'des_encrypt' feature is disabled; you need MariaDB built with 'openssl des cipher (HAVE_des)' to have it working
 select des_encrypt("test", 1);
 des_encrypt("test", 1)
 NULL
 Warnings:
-Warning	1289	The 'des_encrypt' feature is disabled; you need MariaDB built with '--with-ssl' to have it working
+Warning	1289	The 'des_encrypt' feature is disabled; you need MariaDB built with 'openssl des cipher (HAVE_des)' to have it working
 select des_encrypt("test", 9);
 des_encrypt("test", 9)
 NULL
 Warnings:
-Warning	1289	The 'des_encrypt' feature is disabled; you need MariaDB built with '--with-ssl' to have it working
+Warning	1289	The 'des_encrypt' feature is disabled; you need MariaDB built with 'openssl des cipher (HAVE_des)' to have it working
 select des_encrypt("test", 100);
 des_encrypt("test", 100)
 NULL
 Warnings:
-Warning	1289	The 'des_encrypt' feature is disabled; you need MariaDB built with '--with-ssl' to have it working
+Warning	1289	The 'des_encrypt' feature is disabled; you need MariaDB built with 'openssl des cipher (HAVE_des)' to have it working
 select des_encrypt("test", NULL);
 des_encrypt("test", NULL)
 NULL
 Warnings:
-Warning	1289	The 'des_encrypt' feature is disabled; you need MariaDB built with '--with-ssl' to have it working
+Warning	1289	The 'des_encrypt' feature is disabled; you need MariaDB built with 'openssl des cipher (HAVE_des)' to have it working
 select des_encrypt(NULL, NULL);
 des_encrypt(NULL, NULL)
 NULL
 Warnings:
-Warning	1289	The 'des_encrypt' feature is disabled; you need MariaDB built with '--with-ssl' to have it working
+Warning	1289	The 'des_encrypt' feature is disabled; you need MariaDB built with 'openssl des cipher (HAVE_des)' to have it working
 select des_decrypt("test", 'anotherkeystr');
 des_decrypt("test", 'anotherkeystr')
 NULL
 Warnings:
-Warning	1289	The 'des_decrypt' feature is disabled; you need MariaDB built with '--with-ssl' to have it working
+Warning	1289	The 'des_decrypt' feature is disabled; you need MariaDB built with 'openssl des cipher (HAVE_des)' to have it working
 select des_decrypt(1, 1);
 des_decrypt(1, 1)
 NULL
 Warnings:
-Warning	1289	The 'des_decrypt' feature is disabled; you need MariaDB built with '--with-ssl' to have it working
+Warning	1289	The 'des_decrypt' feature is disabled; you need MariaDB built with 'openssl des cipher (HAVE_des)' to have it working
 select des_decrypt(des_encrypt("test", 'thekey'));
 des_decrypt(des_encrypt("test", 'thekey'))
 NULL
 Warnings:
-Warning	1289	The 'des_decrypt' feature is disabled; you need MariaDB built with '--with-ssl' to have it working
+Warning	1289	The 'des_decrypt' feature is disabled; you need MariaDB built with 'openssl des cipher (HAVE_des)' to have it working
 select hex(des_encrypt("hello")),des_decrypt(des_encrypt("hello"));
 hex(des_encrypt("hello"))	des_decrypt(des_encrypt("hello"))
 NULL	NULL
 Warnings:
-Warning	1289	The 'des_encrypt' feature is disabled; you need MariaDB built with '--with-ssl' to have it working
+Warning	1289	The 'des_encrypt' feature is disabled; you need MariaDB built with 'openssl des cipher (HAVE_des)' to have it working
-Warning	1289	The 'des_decrypt' feature is disabled; you need MariaDB built with '--with-ssl' to have it working
+Warning	1289	The 'des_decrypt' feature is disabled; you need MariaDB built with 'openssl des cipher (HAVE_des)' to have it working
 select des_decrypt(des_encrypt("hello",4));
 des_decrypt(des_encrypt("hello",4))
 NULL
 Warnings:
-Warning	1289	The 'des_decrypt' feature is disabled; you need MariaDB built with '--with-ssl' to have it working
+Warning	1289	The 'des_decrypt' feature is disabled; you need MariaDB built with 'openssl des cipher (HAVE_des)' to have it working
 select des_decrypt(des_encrypt("hello",'test'),'test');
 des_decrypt(des_encrypt("hello",'test'),'test')
 NULL
 Warnings:
-Warning	1289	The 'des_decrypt' feature is disabled; you need MariaDB built with '--with-ssl' to have it working
+Warning	1289	The 'des_decrypt' feature is disabled; you need MariaDB built with 'openssl des cipher (HAVE_des)' to have it working
 select hex(des_encrypt("hello")),hex(des_encrypt("hello",5)),hex(des_encrypt("hello",'default_password'));
 hex(des_encrypt("hello"))	hex(des_encrypt("hello",5))	hex(des_encrypt("hello",'default_password'))
 NULL	NULL	NULL
 Warnings:
-Warning	1289	The 'des_encrypt' feature is disabled; you need MariaDB built with '--with-ssl' to have it working
+Warning	1289	The 'des_encrypt' feature is disabled; you need MariaDB built with 'openssl des cipher (HAVE_des)' to have it working
-Warning	1289	The 'des_encrypt' feature is disabled; you need MariaDB built with '--with-ssl' to have it working
+Warning	1289	The 'des_encrypt' feature is disabled; you need MariaDB built with 'openssl des cipher (HAVE_des)' to have it working
-Warning	1289	The 'des_encrypt' feature is disabled; you need MariaDB built with '--with-ssl' to have it working
+Warning	1289	The 'des_encrypt' feature is disabled; you need MariaDB built with 'openssl des cipher (HAVE_des)' to have it working
 select des_decrypt(des_encrypt("hello"),'default_password');
 des_decrypt(des_encrypt("hello"),'default_password')
 NULL
 Warnings:
-Warning	1289	The 'des_decrypt' feature is disabled; you need MariaDB built with '--with-ssl' to have it working
+Warning	1289	The 'des_decrypt' feature is disabled; you need MariaDB built with 'openssl des cipher (HAVE_des)' to have it working
 select des_decrypt(des_encrypt("hello",4),'password4');
 des_decrypt(des_encrypt("hello",4),'password4')
 NULL
 Warnings:
-Warning	1289	The 'des_decrypt' feature is disabled; you need MariaDB built with '--with-ssl' to have it working
+Warning	1289	The 'des_decrypt' feature is disabled; you need MariaDB built with 'openssl des cipher (HAVE_des)' to have it working
 SET @a=des_decrypt(des_encrypt("hello"));
 Warnings:
-Warning	1289	The 'des_decrypt' feature is disabled; you need MariaDB built with '--with-ssl' to have it working
+Warning	1289	The 'des_decrypt' feature is disabled; you need MariaDB built with 'openssl des cipher (HAVE_des)' to have it working
 flush des_key_file;
 select @a = des_decrypt(des_encrypt("hello"));
 @a = des_decrypt(des_encrypt("hello"))
@@ -90,9 +90,9 @@ select hex(des_decrypt(des_encrypt("hello",4),'password2'));
 hex(des_decrypt(des_encrypt("hello",4),'password2'))
 NULL
 Warnings:
-Warning	1289	The 'des_decrypt' feature is disabled; you need MariaDB built with '--with-ssl' to have it working
+Warning	1289	The 'des_decrypt' feature is disabled; you need MariaDB built with 'openssl des cipher (HAVE_des)' to have it working
 select hex(des_decrypt(des_encrypt("hello","hidden")));
 hex(des_decrypt(des_encrypt("hello","hidden")))
 NULL
 Warnings:
-Warning	1289	The 'des_decrypt' feature is disabled; you need MariaDB built with '--with-ssl' to have it working
+Warning	1289	The 'des_decrypt' feature is disabled; you need MariaDB built with 'openssl des cipher (HAVE_des)' to have it working
--- a/mysql-test/main/ssl_and_innodb.test
+++ b/mysql-test/main/ssl_and_innodb.test
 -- source include/have_innodb.inc
-- source include/have_ssl_crypto_functs.inc
+-- source include/have_des.inc
 CREATE TABLE t1(a int) engine=innodb;
 INSERT INTO t1 VALUES (1);

--- a/sql/des_key_file.cc
+++ b/sql/des_key_file.cc
@@ -19,7 +19,7 @@
 #include "log.h"                // sql_print_error
 #include <m_ctype.h>
-#ifdef HAVE_OPENSSL
+#ifdef HAVE_des
 struct st_des_keyschedule des_keyschedule[10];
 uint   des_default_key;
@@ -103,4 +103,4 @@ load_des_key_file(const char *file_name)
  mysql_mutex_unlock(&LOCK_des_key_file);
  DBUG_RETURN(result);
 }
-#endif /* HAVE_OPENSSL */
+#endif /* HAVE_des */
--- a/sql/des_key_file.h
+++ b/sql/des_key_file.h
@@ -16,7 +16,7 @@
 #ifndef DES_KEY_FILE_INCLUDED
 #define DES_KEY_FILE_INCLUDED
-#ifdef HAVE_OPENSSL
+#ifdef HAVE_des
 #include <openssl/des.h>
 #include "violite.h"                /* DES_cblock, DES_key_schedule */
@@ -35,6 +35,6 @@ extern struct st_des_keyschedule des_keyschedule[10];
 extern uint des_default_key;
 bool load_des_key_file(const char *file_name);
-#endif /* HAVE_OPENSSL */
+#endif /* HAVE_des */
 #endif /* DES_KEY_FILE_INCLUDED */
--- a/sql/item_strfunc.cc
+++ b/sql/item_strfunc.cc
@@ -722,7 +722,7 @@ bool Item_func_concat::fix_length_and_dec()
 String *Item_func_des_encrypt::val_str(String *str)
 {
  DBUG_ASSERT(fixed == 1);
-#if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY)
+#if defined(HAVE_des) && !defined(EMBEDDED_LIBRARY)
  uint code= ER_WRONG_PARAMETERS_TO_PROCEDURE;
  DES_cblock ivec;
  struct st_des_keyblock keyblock;
@@ -811,8 +811,8 @@ String *Item_func_des_encrypt::val_str(String *str)
  THD *thd= current_thd;
  push_warning_printf(thd, Sql_condition::WARN_LEVEL_WARN,
                      ER_FEATURE_DISABLED, ER_THD(thd, ER_FEATURE_DISABLED),
-                      "des_encrypt", "--with-ssl");
+                      "des_encrypt", "openssl des cipher (HAVE_des)");
-#endif /* defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY) */
+#endif /* defined(HAVE_des) && !defined(EMBEDDED_LIBRARY) */
  null_value=1;
  return 0;
 }
@@ -821,7 +821,7 @@ String *Item_func_des_encrypt::val_str(String *str)
 String *Item_func_des_decrypt::val_str(String *str)
 {
  DBUG_ASSERT(fixed == 1);
-#if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY)
+#if defined(HAVE_des) && !defined(EMBEDDED_LIBRARY)
  uint code= ER_WRONG_PARAMETERS_TO_PROCEDURE;
  DES_cblock ivec;
  struct st_des_keyblock keyblock;
@@ -896,9 +896,9 @@ String *Item_func_des_decrypt::val_str(String *str)
    THD *thd= current_thd;
    push_warning_printf(thd, Sql_condition::WARN_LEVEL_WARN,
                        ER_FEATURE_DISABLED, ER_THD(thd, ER_FEATURE_DISABLED),
-                        "des_decrypt", "--with-ssl");
+                        "des_decrypt", "openssl des cipher (HAVE_des)");
  }
-#endif /* defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY) */
+#endif /* defined(HAVE_des) && !defined(EMBEDDED_LIBRARY) */
  null_value=1;
  return 0;
 }

--- a/sql/mysqld.cc
+++ b/sql/mysqld.cc
@@ -706,9 +706,6 @@ mysql_mutex_t LOCK_thread_id;
  server may be fairly high, we need a dedicated lock.
 */
 mysql_mutex_t LOCK_prepared_stmt_count;
-#ifdef HAVE_OPENSSL
-mysql_mutex_t LOCK_des_key_file;
-#endif
 mysql_rwlock_t LOCK_grant, LOCK_sys_init_connect, LOCK_sys_init_slave;
 mysql_rwlock_t LOCK_ssl_refresh;
 mysql_rwlock_t LOCK_all_status_vars;
@@ -849,7 +846,7 @@ static struct my_option pfs_early_options[]=
 PSI_file_key key_file_binlog,  key_file_binlog_cache, key_file_binlog_index,
  key_file_binlog_index_cache, key_file_casetest,
-  key_file_dbopt, key_file_des_key_file, key_file_ERRMSG, key_select_to_file,
+  key_file_dbopt, key_file_ERRMSG, key_select_to_file,
  key_file_fileparser, key_file_frm, key_file_global_ddl_log, key_file_load,
  key_file_loadfile, key_file_log_event_data, key_file_log_event_info,
  key_file_master_info, key_file_misc, key_file_partition_ddl_log,
@@ -860,16 +857,19 @@ PSI_file_key key_file_relaylog, key_file_relaylog_index,
             key_file_relaylog_cache, key_file_relaylog_index_cache;
 PSI_file_key key_file_binlog_state;
+#ifdef HAVE_des
+char *des_key_file;
+PSI_file_key key_file_des_key_file;
+PSI_mutex_key key_LOCK_des_key_file;
+mysql_mutex_t LOCK_des_key_file;
+#endif /* HAVE_des */
 #ifdef HAVE_PSI_INTERFACE
 #ifdef HAVE_MMAP
 PSI_mutex_key key_PAGE_lock, key_LOCK_sync, key_LOCK_active, key_LOCK_pool,
  key_LOCK_pending_checkpoint;
 #endif /* HAVE_MMAP */
-#ifdef HAVE_OPENSSL
-PSI_mutex_key key_LOCK_des_key_file;
-#endif /* HAVE_OPENSSL */
 PSI_mutex_key key_BINLOG_LOCK_index, key_BINLOG_LOCK_xid_list,
  key_BINLOG_LOCK_binlog_background_thread,
  key_LOCK_binlog_end_pos,
@@ -924,9 +924,9 @@ static PSI_mutex_info all_server_mutexes[]=
  { &key_LOCK_pool, "TC_LOG_MMAP::LOCK_pending_checkpoint", 0},
 #endif /* HAVE_MMAP */
-#ifdef HAVE_OPENSSL
+#ifdef HAVE_des
  { &key_LOCK_des_key_file, "LOCK_des_key_file", PSI_FLAG_GLOBAL},
-#endif /* HAVE_OPENSSL */
+#endif /* HAVE_des */
  { &key_BINLOG_LOCK_index, "MYSQL_BIN_LOG::LOCK_index", 0},
  { &key_BINLOG_LOCK_xid_list, "MYSQL_BIN_LOG::LOCK_xid_list", 0},
@@ -1454,7 +1454,6 @@ static void openssl_dynlock_destroy(openssl_lock_t *, const char *, int);
 static void openssl_lock_function(int, int, const char *, int);
 static void openssl_lock(int, openssl_lock_t *, const char *, int);
 #endif /* HAVE_OPENSSL10 */
-char *des_key_file;
 #ifndef EMBEDDED_LIBRARY
 struct st_VioSSLFd *ssl_acceptor_fd;
 #endif
@@ -2137,7 +2136,9 @@ static void clean_up_mutexes()
  mysql_mutex_destroy(&LOCK_global_table_stats);
  mysql_mutex_destroy(&LOCK_global_index_stats);
 #ifdef HAVE_OPENSSL
+#ifdef HAVE_des
  mysql_mutex_destroy(&LOCK_des_key_file);
+#endif /* HAVE_des */
 #if defined(HAVE_OPENSSL10) && !defined(HAVE_WOLFSSL)
  for (int i= 0; i < CRYPTO_num_locks(); ++i)
    mysql_rwlock_destroy(&openssl_stdlocks[i].lock);
@@ -4260,8 +4261,10 @@ static int init_thread_environment()
                   MY_MUTEX_INIT_SLOW);
 #ifdef HAVE_OPENSSL
+#ifdef HAVE_des
  mysql_mutex_init(key_LOCK_des_key_file,
                   &LOCK_des_key_file, MY_MUTEX_INIT_FAST);
+#endif /* HAVE_des */
 #if defined(HAVE_OPENSSL10) && !defined(HAVE_WOLFSSL)
  openssl_stdlocks= (openssl_lock_t*) OPENSSL_malloc(CRYPTO_num_locks() *
                                                     sizeof(openssl_lock_t));
@@ -4479,8 +4482,10 @@ static void init_ssl()
  {
    have_ssl= SHOW_OPTION_DISABLED;
  }
+#ifdef HAVE_des
  if (des_key_file)
    load_des_key_file(des_key_file);
+#endif /* HAVE_des */
 #endif /* HAVE_OPENSSL && ! EMBEDDED_LIBRARY */
 }
@@ -6566,12 +6571,12 @@ struct my_option my_long_options[]=
   &opt_debug_sync_timeout, 0,
   0, GET_UINT, OPT_ARG, 0, 0, UINT_MAX, 0, 0, 0},
 #endif /* defined(ENABLED_DEBUG_SYNC) */
-#ifdef HAVE_OPENSSL
+#ifdef HAVE_des
  {"des-key-file", 0,
   "Load keys for des_encrypt() and des_encrypt from given file.",
   &des_key_file, &des_key_file, 0, GET_STR, REQUIRED_ARG,
   0, 0, 0, 0, 0, 0},
-#endif /* HAVE_OPENSSL */
+#endif /* HAVE_des */
 #ifdef HAVE_STACKTRACE
  {"stack-trace", 0 , "Print a symbolic stack trace on failure",
   &opt_stack_trace, &opt_stack_trace, 0, GET_BOOL, NO_ARG, 1, 0, 0, 0, 0, 0},
@@ -7917,7 +7922,9 @@ static int mysql_init_variables(void)
  libwrapName= NullS;
 #endif
 #ifdef HAVE_OPENSSL
+#ifdef HAVE_des
  des_key_file = 0;
+#endif /* HAVE_des */
 #ifndef EMBEDDED_LIBRARY
  ssl_acceptor_fd= 0;
 #endif /* ! EMBEDDED_LIBRARY */
@@ -9112,7 +9119,9 @@ static PSI_file_info all_server_files[]=
  { &key_file_io_cache, "io_cache", 0},
  { &key_file_casetest, "casetest", 0},
  { &key_file_dbopt, "dbopt", 0},
+#ifdef HAVE_des
  { &key_file_des_key_file, "des_key_file", 0},
+#endif
  { &key_file_ERRMSG, "ERRMSG", 0},
  { &key_select_to_file, "select_to_file", 0},
  { &key_file_fileparser, "file_parser", 0},

--- a/sql/mysqld.h
+++ b/sql/mysqld.h
@@ -310,10 +310,6 @@ extern PSI_mutex_key key_PAGE_lock, key_LOCK_sync, key_LOCK_active,
       key_LOCK_pool, key_LOCK_pending_checkpoint;
 #endif /* HAVE_MMAP */
-#ifdef HAVE_OPENSSL
-extern PSI_mutex_key key_LOCK_des_key_file;
-#endif
 extern PSI_mutex_key key_BINLOG_LOCK_index, key_BINLOG_LOCK_xid_list,
  key_BINLOG_LOCK_binlog_background_thread,
  key_LOCK_binlog_end_pos,
@@ -390,7 +386,7 @@ extern PSI_thread_key key_thread_delayed_insert,
 extern PSI_file_key key_file_binlog, key_file_binlog_cache,
       key_file_binlog_index, key_file_binlog_index_cache, key_file_casetest,
-  key_file_dbopt, key_file_des_key_file, key_file_ERRMSG, key_select_to_file,
+  key_file_dbopt, key_file_ERRMSG, key_select_to_file,
  key_file_fileparser, key_file_frm, key_file_global_ddl_log, key_file_load,
  key_file_loadfile, key_file_log_event_data, key_file_log_event_info,
  key_file_master_info, key_file_misc, key_file_partition_ddl_log,
@@ -403,6 +399,13 @@ extern PSI_socket_key key_socket_tcpip, key_socket_unix,
  key_socket_client_connection;
 extern PSI_file_key key_file_binlog_state;
+#ifdef HAVE_des
+extern char* des_key_file;
+extern PSI_file_key key_file_des_key_file;
+extern PSI_mutex_key key_LOCK_des_key_file;
+extern mysql_mutex_t LOCK_des_key_file;
+#endif
 #ifdef HAVE_PSI_INTERFACE
 void init_server_psi_keys();
 #endif /* HAVE_PSI_INTERFACE */
@@ -746,10 +749,6 @@ extern mysql_mutex_t
 extern MYSQL_PLUGIN_IMPORT mysql_mutex_t LOCK_global_system_variables;
 extern mysql_rwlock_t LOCK_all_status_vars;
 extern mysql_mutex_t LOCK_start_thread;
-#ifdef HAVE_OPENSSL
-extern char* des_key_file;
-extern mysql_mutex_t LOCK_des_key_file;
-#endif
 extern MYSQL_PLUGIN_IMPORT mysql_mutex_t LOCK_server_started;
 extern MYSQL_PLUGIN_IMPORT mysql_cond_t COND_server_started;
 extern mysql_rwlock_t LOCK_grant, LOCK_sys_init_connect, LOCK_sys_init_slave;

--- a/sql/sql_reload.cc
+++ b/sql/sql_reload.cc
@@ -392,7 +392,7 @@ bool reload_acl_and_cache(THD *thd, unsigned long long options,
    }
  }
 #endif
-#ifdef HAVE_OPENSSL
+#ifdef HAVE_des
   if (options & REFRESH_DES_KEY_FILE)
   {
     if (des_key_file && load_des_key_file(des_key_file))