[gentoo-commits] proj/mysql-extras:master commit in: / - gentoo-commits

From:	Thomas Deutschmann <whissi@g.o>
To:	gentoo-commits@l.g.o
Subject:	[gentoo-commits] proj/mysql-extras:master commit in: /
Date:	Wed, 22 Jan 2020 18:27:24
Message-Id:	`1579717629.ac8332f5611918465f0d7325d6a33388c9947629.whissi@gentoo`

1

commit:     ac8332f5611918465f0d7325d6a33388c9947629

2

Author:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>

3

AuthorDate: Wed Jan 22 18:27:09 2020 +0000

4

Commit:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>

5

CommitDate: Wed Jan 22 18:27:09 2020 +0000

6

URL:        https://gitweb.gentoo.org/proj/mysql-extras.git/commit/?id=ac8332f5

7

8

Add 20018_all_percona-server-8.0.18-fix-libressl-support.patch

9

10

Signed-off-by: Thomas Deutschmann <whissi <AT> gentoo.org>

11

12

 ...ercona-server-8.0.18-fix-libressl-support.patch | 310 +++++++++++++++++++++

13

 1 file changed, 310 insertions(+)

14

15

diff --git a/20018_all_percona-server-8.0.18-fix-libressl-support.patch b/20018_all_percona-server-8.0.18-fix-libressl-support.patch

16

new file mode 100644

17

index 0000000..3006c23

18

--- /dev/null

19

+++ b/20018_all_percona-server-8.0.18-fix-libressl-support.patch

20

@@ -0,0 +1,310 @@

21

+--- a/cmake/ssl.cmake

22

++++ b/cmake/ssl.cmake

23

+@@ -214,7 +214,8 @@ MACRO (MYSQL_CHECK_SSL)

24

+         OPENSSL_FIX_VERSION "${OPENSSL_VERSION_NUMBER}"

25

+         )

26

+     ENDIF()

27

+-    IF("${OPENSSL_MAJOR_VERSION}.${OPENSSL_MINOR_VERSION}.${OPENSSL_FIX_VERSION}" VERSION_GREATER "1.1.0")

28

++    CHECK_SYMBOL_EXISTS(TLS1_3_VERSION "openssl/tls1.h" HAVE_TLS1_3_VERSION)

29

++    IF(HAVE_TLS1_3_VERSION)

30

+        ADD_DEFINITIONS(-DHAVE_TLSv13)

31

+     ENDIF()

32

+     IF(OPENSSL_INCLUDE_DIR AND

33

+--- a/mysys/my_crypt.cc

34

++++ b/mysys/my_crypt.cc

35

+@@ -27,7 +27,7 @@

36

+

37

+ #include "my_dbug.h"

38

+

39

+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L

40

++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)

41

+ #define ERR_remove_state(X) ERR_clear_error()

42

+ #else

43

+ #define EVP_CIPHER_CTX_buf_noconst(ctx) ((ctx)->buf)

44

+@@ -86,7 +86,7 @@ class MyEncryptionCTX : private boost::noncopyable {

45

+ };

46

+

47

+ MyEncryptionCTX::MyEncryptionCTX() {

48

+-#if OPENSSL_VERSION_NUMBER < 0x10100000L

49

++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)

50

+   ctx = new EVP_CIPHER_CTX();

51

+   EVP_CIPHER_CTX_init(ctx);

52

+ #else

53

+@@ -95,7 +95,8 @@ MyEncryptionCTX::MyEncryptionCTX() {

54

+ }

55

+

56

+ MyEncryptionCTX::~MyEncryptionCTX() {

57

+-#if OPENSSL_VERSION_NUMBER < 0x10100000L

58

++#if OPENSSL_VERSION_NUMBER < 0x10100000L || \

59

++    (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x02090000fL)

60

+   EVP_CIPHER_CTX_cleanup(ctx);

61

+   delete ctx;

62

+ #else

63

+--- a/mysys/my_md5.cc

64

++++ b/mysys/my_md5.cc

65

+@@ -56,7 +56,9 @@ static void my_md5_hash(unsigned char *digest, unsigned const char *buf,

66

+ int compute_md5_hash(char *digest, const char *buf, int len) {

67

+   int retval = 0;

68

+   int fips_mode = 0;

69

++#ifndef LIBRESSL_VERSION_NUMBER

70

+   fips_mode = FIPS_mode();

71

++#endif

72

+   /* If fips mode is ON/STRICT restricted method calls will result into abort,

73

+    * skipping call. */

74

+   if (fips_mode == 0) {

75

+--- a/plugin/group_replication/libmysqlgcs/src/bindings/xcom/xcom/xcom_ssl_transport.c

76

++++ b/plugin/group_replication/libmysqlgcs/src/bindings/xcom/xcom/xcom_ssl_transport.c

77

+@@ -329,6 +329,7 @@ error:

78

+   return 1;

79

+ }

80

+

81

++#ifndef LIBRESSL_VERSION_NUMBER

82

+ #define OPENSSL_ERROR_LENGTH 512

83

+ static int configure_ssl_fips_mode(const uint fips_mode) {

84

+   int rc = -1;

85

+@@ -352,6 +353,7 @@ static int configure_ssl_fips_mode(const uint fips_mode) {

86

+ EXIT:

87

+   return rc;

88

+ }

89

++#endif

90

+

91

+ static int configure_ssl_ca(SSL_CTX *ssl_ctx, const char *ca_file,

92

+                             const char *ca_path) {

93

+@@ -555,10 +557,12 @@ int xcom_init_ssl(const char *server_key_file, const char *server_cert_file,

94

+   int verify_server = SSL_VERIFY_NONE;

95

+   int verify_client = SSL_VERIFY_NONE;

96

+

97

++#ifndef LIBRESSL_VERSION_NUMBER

98

+   if (configure_ssl_fips_mode(ssl_fips_mode) != 1) {

99

+     G_ERROR("Error setting the ssl fips mode");

100

+     goto error;

101

+   }

102

++#endif

103

+

104

+   SSL_library_init();

105

+   SSL_load_error_strings();

106

+@@ -622,7 +626,7 @@ error:

107

+ void xcom_cleanup_ssl() {

108

+   if (!xcom_use_ssl()) return;

109

+

110

+-#if OPENSSL_VERSION_NUMBER < 0x10100000L

111

++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)

112

+   ERR_remove_thread_state(0);

113

+ #endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */

114

+ }

115

+--- a/plugin/x/client/xconnection_impl.cc

116

++++ b/plugin/x/client/xconnection_impl.cc

117

+@@ -521,6 +521,7 @@ XError Connection_impl::get_ssl_error(const int error_id) {

118

+   return XError(CR_SSL_CONNECTION_ERROR, buffer);

119

+ }

120

+

121

++#ifndef LIBRESSL_VERSION_NUMBER

122

+ /**

123

+   Set fips mode in openssl library,

124

+   When we set fips mode ON/STRICT, it will perform following operations:

125

+@@ -559,6 +560,7 @@ int set_fips_mode(const uint fips_mode, char err_string[OPENSSL_ERROR_LENGTH]) {

126

+ EXIT:

127

+   return rc;

128

+ }

129

++#endif

130

+

131

+ XError Connection_impl::activate_tls() {

132

+   if (nullptr == m_vio) return get_socket_error(SOCKET_ECONNRESET);

133

+@@ -569,11 +571,13 @@ XError Connection_impl::activate_tls() {

134

+   if (!m_context->m_ssl_config.is_configured())

135

+     return XError{CR_SSL_CONNECTION_ERROR, ER_TEXT_TLS_NOT_CONFIGURATED, true};

136

+

137

++#ifndef LIBRESSL_VERSION_NUMBER

138

+   char err_string[OPENSSL_ERROR_LENGTH] = {'\0'};

139

+   if (set_fips_mode(static_cast<int>(m_context->m_ssl_config.m_ssl_fips_mode),

140

+                     err_string) != 1) {

141

+     return XError{CR_SSL_CONNECTION_ERROR, err_string, true};

142

+   }

143

++#endif

144

+   auto ssl_ctx_flags = process_tls_version(

145

+       details::null_when_empty(m_context->m_ssl_config.m_tls_version));

146

+

147

+--- a/router/src/http/src/tls_client_context.cc

148

++++ b/router/src/http/src/tls_client_context.cc

149

+@@ -54,7 +54,7 @@ void TlsClientContext::verify(TlsVerify verify) {

150

+

151

+ void TlsClientContext::cipher_suites(const std::string &ciphers) {

152

+ // TLSv1.3 ciphers are controlled via SSL_CTX_set_ciphersuites()

153

+-#if OPENSSL_VERSION_NUMBER >= ROUTER_OPENSSL_VERSION(1, 1, 1)

154

++#ifdef TLS1_3_VERSION

155

+   if (1 != SSL_CTX_set_ciphersuites(ssl_ctx_.get(), ciphers.c_str())) {

156

+     throw TlsError("set-cipher-suites");

157

+   }

158

+--- a/router/src/http/src/tls_context.cc

159

++++ b/router/src/http/src/tls_context.cc

160

+@@ -91,7 +91,7 @@ static int o11x_version(TlsVersion version) {

161

+       return TLS1_1_VERSION;

162

+     case TlsVersion::TLS_1_2:

163

+       return TLS1_2_VERSION;

164

+-#if OPENSSL_VERSION_NUMBER >= ROUTER_OPENSSL_VERSION(1, 1, 1)

165

++#ifdef TLS1_3_VERSION

166

+     case TlsVersion::TLS_1_3:

167

+       return TLS1_3_VERSION;

168

+ #endif

169

+@@ -120,9 +120,11 @@ void TlsContext::version_range(TlsVersion min_version, TlsVersion max_version) {

170

+   switch (min_version) {

171

+     default:

172

+       // unknown, leave all disabled

173

++#ifdef TLS1_3_VERSION

174

+       // fallthrough

175

+     case TlsVersion::TLS_1_3:

176

+       opts |= SSL_OP_NO_TLSv1_2;

177

++#endif

178

+       // fallthrough

179

+     case TlsVersion::TLS_1_2:

180

+       opts |= SSL_OP_NO_TLSv1_1;

181

+@@ -170,8 +172,10 @@ TlsVersion TlsContext::min_version() const {

182

+       return TlsVersion::TLS_1_1;

183

+     case TLS1_2_VERSION:

184

+       return TlsVersion::TLS_1_2;

185

++#ifdef TLS1_3_VERSION

186

+     case TLS1_3_VERSION:

187

+       return TlsVersion::TLS_1_3;

188

++#endif

189

+     case 0:

190

+       return TlsVersion::AUTO;

191

+     default:

192

+@@ -230,7 +234,8 @@ TlsContext::InfoCallback TlsContext::info_callback() const {

193

+ }

194

+

195

+ int TlsContext::security_level() const {

196

+-#if OPENSSL_VERSION_NUMBER >= ROUTER_OPENSSL_VERSION(1, 1, 0)

197

++#if OPENSSL_VERSION_NUMBER >= ROUTER_OPENSSL_VERSION(1, 1, 0) && \

198

++    !defined(LIBRESSL_VERSION_NUMBER)

199

+   return SSL_CTX_get_security_level(ssl_ctx_.get());

200

+ #else

201

+   return 0;

202

+--- a/router/src/http/src/tls_server_context.cc

203

++++ b/router/src/http/src/tls_server_context.cc

204

+@@ -166,7 +166,8 @@ void TlsServerContext::init_tmp_dh(const std::string &dh_params) {

205

+     }

206

+

207

+   } else {

208

+-#if OPENSSL_VERSION_NUMBER >= ROUTER_OPENSSL_VERSION(1, 1, 0)

209

++#if OPENSSL_VERSION_NUMBER >= ROUTER_OPENSSL_VERSION(1, 1, 0) && \

210

++    !defined(LIBRESSL_VERSION_NUMBER)

211

+     dh2048.reset(DH_get_2048_256());

212

+ #else

213

+     /*

214

+--- a/sql-common/client.cc

215

++++ b/sql-common/client.cc

216

+@@ -7881,7 +7881,7 @@ int STDCALL mysql_options(MYSQL *mysql, enum mysql_option option,

217

+ #endif

218

+       break;

219

+     case MYSQL_OPT_SSL_FIPS_MODE: {

220

+-#if defined(HAVE_OPENSSL)

221

++#if defined(HAVE_OPENSSL) && !defined(LIBRESSL_VERSION_NUMBER)

222

+       char ssl_err_string[OPENSSL_ERROR_LENGTH] = {'\0'};

223

+       ENSURE_EXTENSIONS_PRESENT(&mysql->options);

224

+       mysql->options.extension->ssl_fips_mode = *static_cast<const uint *>(arg);

225

+--- a/sql/mysqld.cc

226

++++ b/sql/mysqld.cc

227

+@@ -5047,7 +5047,7 @@ static int init_thread_environment() {

228

+

229

+ static PSI_memory_key key_memory_openssl = PSI_NOT_INSTRUMENTED;

230

+

231

+-#if OPENSSL_VERSION_NUMBER < 0x10100000L

232

++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)

233

+ #define FILE_LINE_ARGS

234

+ #else

235

+ #define FILE_LINE_ARGS , const char *, int

236

+@@ -5083,12 +5083,14 @@ static void init_ssl() {

237

+ }

238

+

239

+ static int init_ssl_communication() {

240

++#ifndef LIBRESSL_VERSION_NUMBER

241

+   char ssl_err_string[OPENSSL_ERROR_LENGTH] = {'\0'};

242

+   int ret_fips_mode = set_fips_mode(opt_ssl_fips_mode, ssl_err_string);

243

+   if (ret_fips_mode != 1) {

244

+     LogErr(ERROR_LEVEL, ER_SSL_FIPS_MODE_ERROR, ssl_err_string);

245

+     return 1;

246

+   }

247

++#endif

248

+   if (SslAcceptorContext::singleton_init(opt_use_ssl)) return 1;

249

+

250

+ #if OPENSSL_VERSION_NUMBER < 0x10100000L

251

+--- a/sql/sys_vars.cc

252

++++ b/sql/sys_vars.cc

253

+@@ -4540,6 +4540,7 @@ static Sys_var_ulong Sys_max_execution_time(

254

+     HINT_UPDATEABLE SESSION_VAR(max_execution_time), CMD_LINE(REQUIRED_ARG),

255

+     VALID_RANGE(0, ULONG_MAX), DEFAULT(0), BLOCK_SIZE(1));

256

+

257

++#ifndef LIBRESSL_VERSION_NUMBER

258

+ static bool update_fips_mode(sys_var *, THD *, enum_var_type) {

259

+   char ssl_err_string[OPENSSL_ERROR_LENGTH] = {'\0'};

260

+   if (set_fips_mode(opt_ssl_fips_mode, ssl_err_string) != 1) {

261

+@@ -4550,15 +4551,30 @@ static bool update_fips_mode(sys_var *, THD *, enum_var_type) {

262

+     return false;

263

+   }

264

+ }

265

++#endif

266

+

267

++#if defined(LIBRESSL_VERSION_NUMBER)

268

++static const char *ssl_fips_mode_names[] = {"OFF", 0};

269

++#else

270

+ static const char *ssl_fips_mode_names[] = {"OFF", "ON", "STRICT", 0};

271

++#endif

272

+ static Sys_var_enum Sys_ssl_fips_mode(

273

+     "ssl_fips_mode",

274

+     "SSL FIPS mode (applies only for OpenSSL); "

275

++#ifndef LIBRESSL_VERSION_NUMBER

276

+     "permitted values are: OFF, ON, STRICT",

277

++#else

278

++    "permitted values are: OFF",

279

++#endif

280

+     GLOBAL_VAR(opt_ssl_fips_mode), CMD_LINE(REQUIRED_ARG, OPT_SSL_FIPS_MODE),

281

+     ssl_fips_mode_names, DEFAULT(0), NO_MUTEX_GUARD, NOT_IN_BINLOG,

282

+-    ON_CHECK(NULL), ON_UPDATE(update_fips_mode), NULL);

283

++    ON_CHECK(NULL),

284

++#ifndef LIBRESSL_VERSION_NUMBER

285

++    ON_UPDATE(update_fips_mode),

286

++#else

287

++    ON_UPDATE(NULL),

288

++#endif

289

++    NULL);

290

+

291

+ #if defined(HAVE_OPENSSL)

292

+ static Sys_var_bool Sys_auto_generate_certs(

293

+--- a/vio/viossl.cc

294

++++ b/vio/viossl.cc

295

+@@ -490,7 +490,7 @@ static int ssl_do(struct st_VioSSLFd *ptr, Vio *vio, long timeout,

296

+ #if !defined(DBUG_OFF)

297

+     {

298

+       STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;

299

+-      ssl_comp_methods = SSL_COMP_get_compression_methods();

300

++      ssl_comp_methods = (STACK_OF(SSL_COMP) *)SSL_COMP_get_compression_methods();

301

+       n = sk_SSL_COMP_num(ssl_comp_methods);

302

+       DBUG_PRINT("info", ("Available compression methods:\n"));

303

+       if (n == 0)

304

+@@ -498,7 +498,7 @@ static int ssl_do(struct st_VioSSLFd *ptr, Vio *vio, long timeout,

305

+       else

306

+         for (j = 0; j < n; j++) {

307

+           SSL_COMP *c = sk_SSL_COMP_value(ssl_comp_methods, j);

308

+-#if OPENSSL_VERSION_NUMBER < 0x10100000L

309

++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)

310

+           DBUG_PRINT("info", ("  %d: %s\n", c->id, c->name));

311

+ #else  /* OPENSSL_VERSION_NUMBER < 0x10100000L */

312

+           DBUG_PRINT("info",

313

+--- a/vio/viosslfactories.cc

314

++++ b/vio/viosslfactories.cc

315

+@@ -420,6 +420,7 @@ void ssl_start() {

316

+   }

317

+ }

318

+

319

++#ifndef LIBRESSL_VERSION_NUMBER

320

+ /**

321

+   Set fips mode in openssl library,

322

+   When we set fips mode ON/STRICT, it will perform following operations:

323

+@@ -473,6 +474,7 @@ EXIT:

324

+   @returns openssl current fips mode

325

+ */

326

+ uint get_fips_mode() { return FIPS_mode(); }

327

++#endif

328

+

329

+ long process_tls_version(const char *tls_version) {

330

+   const char *separator = ",";

1	commit: ac8332f5611918465f0d7325d6a33388c9947629
2	Author: Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
3	AuthorDate: Wed Jan 22 18:27:09 2020 +0000
4	Commit: Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
5	CommitDate: Wed Jan 22 18:27:09 2020 +0000
6	URL: https://gitweb.gentoo.org/proj/mysql-extras.git/commit/?id=ac8332f5
7
8	Add 20018_all_percona-server-8.0.18-fix-libressl-support.patch
9
10	Signed-off-by: Thomas Deutschmann <whissi <AT> gentoo.org>
11
12	...ercona-server-8.0.18-fix-libressl-support.patch \| 310 +++++++++++++++++++++
13	1 file changed, 310 insertions(+)
14
15	diff --git a/20018_all_percona-server-8.0.18-fix-libressl-support.patch b/20018_all_percona-server-8.0.18-fix-libressl-support.patch
16	new file mode 100644
17	index 0000000..3006c23
18	--- /dev/null
19	+++ b/20018_all_percona-server-8.0.18-fix-libressl-support.patch
20	@@ -0,0 +1,310 @@
21	+--- a/cmake/ssl.cmake
22	++++ b/cmake/ssl.cmake
23	+@@ -214,7 +214,8 @@ MACRO (MYSQL_CHECK_SSL)
24	+ OPENSSL_FIX_VERSION "${OPENSSL_VERSION_NUMBER}"
25	+ )
26	+ ENDIF()
27	+- IF("${OPENSSL_MAJOR_VERSION}.${OPENSSL_MINOR_VERSION}.${OPENSSL_FIX_VERSION}" VERSION_GREATER "1.1.0")
28	++ CHECK_SYMBOL_EXISTS(TLS1_3_VERSION "openssl/tls1.h" HAVE_TLS1_3_VERSION)
29	++ IF(HAVE_TLS1_3_VERSION)
30	+ ADD_DEFINITIONS(-DHAVE_TLSv13)
31	+ ENDIF()
32	+ IF(OPENSSL_INCLUDE_DIR AND
33	+--- a/mysys/my_crypt.cc
34	++++ b/mysys/my_crypt.cc
35	+@@ -27,7 +27,7 @@
36	+
37	+ #include "my_dbug.h"
38	+
39	+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
40	++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
41	+ #define ERR_remove_state(X) ERR_clear_error()
42	+ #else
43	+ #define EVP_CIPHER_CTX_buf_noconst(ctx) ((ctx)->buf)
44	+@@ -86,7 +86,7 @@ class MyEncryptionCTX : private boost::noncopyable {
45	+ };
46	+
47	+ MyEncryptionCTX::MyEncryptionCTX() {
48	+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
49	++#if OPENSSL_VERSION_NUMBER < 0x10100000L \|\| defined(LIBRESSL_VERSION_NUMBER)
50	+ ctx = new EVP_CIPHER_CTX();
51	+ EVP_CIPHER_CTX_init(ctx);
52	+ #else
53	+@@ -95,7 +95,8 @@ MyEncryptionCTX::MyEncryptionCTX() {
54	+ }
55	+
56	+ MyEncryptionCTX::~MyEncryptionCTX() {
57	+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
58	++#if OPENSSL_VERSION_NUMBER < 0x10100000L \|\| \
59	++ (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x02090000fL)
60	+ EVP_CIPHER_CTX_cleanup(ctx);
61	+ delete ctx;
62	+ #else
63	+--- a/mysys/my_md5.cc
64	++++ b/mysys/my_md5.cc
65	+@@ -56,7 +56,9 @@ static void my_md5_hash(unsigned char digest, unsigned const char buf,
66	+ int compute_md5_hash(char digest, const char buf, int len) {
67	+ int retval = 0;
68	+ int fips_mode = 0;
69	++#ifndef LIBRESSL_VERSION_NUMBER
70	+ fips_mode = FIPS_mode();
71	++#endif
72	+ /* If fips mode is ON/STRICT restricted method calls will result into abort,
73	+ * skipping call. */
74	+ if (fips_mode == 0) {
75	+--- a/plugin/group_replication/libmysqlgcs/src/bindings/xcom/xcom/xcom_ssl_transport.c
76	++++ b/plugin/group_replication/libmysqlgcs/src/bindings/xcom/xcom/xcom_ssl_transport.c
77	+@@ -329,6 +329,7 @@ error:
78	+ return 1;
79	+ }
80	+
81	++#ifndef LIBRESSL_VERSION_NUMBER
82	+ #define OPENSSL_ERROR_LENGTH 512
83	+ static int configure_ssl_fips_mode(const uint fips_mode) {
84	+ int rc = -1;
85	+@@ -352,6 +353,7 @@ static int configure_ssl_fips_mode(const uint fips_mode) {
86	+ EXIT:
87	+ return rc;
88	+ }
89	++#endif
90	+
91	+ static int configure_ssl_ca(SSL_CTX ssl_ctx, const char ca_file,
92	+ const char *ca_path) {
93	+@@ -555,10 +557,12 @@ int xcom_init_ssl(const char server_key_file, const char server_cert_file,
94	+ int verify_server = SSL_VERIFY_NONE;
95	+ int verify_client = SSL_VERIFY_NONE;
96	+
97	++#ifndef LIBRESSL_VERSION_NUMBER
98	+ if (configure_ssl_fips_mode(ssl_fips_mode) != 1) {
99	+ G_ERROR("Error setting the ssl fips mode");
100	+ goto error;
101	+ }
102	++#endif
103	+
104	+ SSL_library_init();
105	+ SSL_load_error_strings();
106	+@@ -622,7 +626,7 @@ error:
107	+ void xcom_cleanup_ssl() {
108	+ if (!xcom_use_ssl()) return;
109	+
110	+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
111	++#if OPENSSL_VERSION_NUMBER < 0x10100000L \|\| defined(LIBRESSL_VERSION_NUMBER)
112	+ ERR_remove_thread_state(0);
113	+ #endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
114	+ }
115	+--- a/plugin/x/client/xconnection_impl.cc
116	++++ b/plugin/x/client/xconnection_impl.cc
117	+@@ -521,6 +521,7 @@ XError Connection_impl::get_ssl_error(const int error_id) {
118	+ return XError(CR_SSL_CONNECTION_ERROR, buffer);
119	+ }
120	+
121	++#ifndef LIBRESSL_VERSION_NUMBER
122	+ /**
123	+ Set fips mode in openssl library,
124	+ When we set fips mode ON/STRICT, it will perform following operations:
125	+@@ -559,6 +560,7 @@ int set_fips_mode(const uint fips_mode, char err_string[OPENSSL_ERROR_LENGTH]) {
126	+ EXIT:
127	+ return rc;
128	+ }
129	++#endif
130	+
131	+ XError Connection_impl::activate_tls() {
132	+ if (nullptr == m_vio) return get_socket_error(SOCKET_ECONNRESET);
133	+@@ -569,11 +571,13 @@ XError Connection_impl::activate_tls() {
134	+ if (!m_context->m_ssl_config.is_configured())
135	+ return XError{CR_SSL_CONNECTION_ERROR, ER_TEXT_TLS_NOT_CONFIGURATED, true};
136	+
137	++#ifndef LIBRESSL_VERSION_NUMBER
138	+ char err_string[OPENSSL_ERROR_LENGTH] = {'\0'};
139	+ if (set_fips_mode(static_cast<int>(m_context->m_ssl_config.m_ssl_fips_mode),
140	+ err_string) != 1) {
141	+ return XError{CR_SSL_CONNECTION_ERROR, err_string, true};
142	+ }
143	++#endif
144	+ auto ssl_ctx_flags = process_tls_version(
145	+ details::null_when_empty(m_context->m_ssl_config.m_tls_version));
146	+
147	+--- a/router/src/http/src/tls_client_context.cc
148	++++ b/router/src/http/src/tls_client_context.cc
149	+@@ -54,7 +54,7 @@ void TlsClientContext::verify(TlsVerify verify) {
150	+
151	+ void TlsClientContext::cipher_suites(const std::string &ciphers) {
152	+ // TLSv1.3 ciphers are controlled via SSL_CTX_set_ciphersuites()
153	+-#if OPENSSL_VERSION_NUMBER >= ROUTER_OPENSSL_VERSION(1, 1, 1)
154	++#ifdef TLS1_3_VERSION
155	+ if (1 != SSL_CTX_set_ciphersuites(ssl_ctx_.get(), ciphers.c_str())) {
156	+ throw TlsError("set-cipher-suites");
157	+ }
158	+--- a/router/src/http/src/tls_context.cc
159	++++ b/router/src/http/src/tls_context.cc
160	+@@ -91,7 +91,7 @@ static int o11x_version(TlsVersion version) {
161	+ return TLS1_1_VERSION;
162	+ case TlsVersion::TLS_1_2:
163	+ return TLS1_2_VERSION;
164	+-#if OPENSSL_VERSION_NUMBER >= ROUTER_OPENSSL_VERSION(1, 1, 1)
165	++#ifdef TLS1_3_VERSION
166	+ case TlsVersion::TLS_1_3:
167	+ return TLS1_3_VERSION;
168	+ #endif
169	+@@ -120,9 +120,11 @@ void TlsContext::version_range(TlsVersion min_version, TlsVersion max_version) {
170	+ switch (min_version) {
171	+ default:
172	+ // unknown, leave all disabled
173	++#ifdef TLS1_3_VERSION
174	+ // fallthrough
175	+ case TlsVersion::TLS_1_3:
176	+ opts \|= SSL_OP_NO_TLSv1_2;
177	++#endif
178	+ // fallthrough
179	+ case TlsVersion::TLS_1_2:
180	+ opts \|= SSL_OP_NO_TLSv1_1;
181	+@@ -170,8 +172,10 @@ TlsVersion TlsContext::min_version() const {
182	+ return TlsVersion::TLS_1_1;
183	+ case TLS1_2_VERSION:
184	+ return TlsVersion::TLS_1_2;
185	++#ifdef TLS1_3_VERSION
186	+ case TLS1_3_VERSION:
187	+ return TlsVersion::TLS_1_3;
188	++#endif
189	+ case 0:
190	+ return TlsVersion::AUTO;
191	+ default:
192	+@@ -230,7 +234,8 @@ TlsContext::InfoCallback TlsContext::info_callback() const {
193	+ }
194	+
195	+ int TlsContext::security_level() const {
196	+-#if OPENSSL_VERSION_NUMBER >= ROUTER_OPENSSL_VERSION(1, 1, 0)
197	++#if OPENSSL_VERSION_NUMBER >= ROUTER_OPENSSL_VERSION(1, 1, 0) && \
198	++ !defined(LIBRESSL_VERSION_NUMBER)
199	+ return SSL_CTX_get_security_level(ssl_ctx_.get());
200	+ #else
201	+ return 0;
202	+--- a/router/src/http/src/tls_server_context.cc
203	++++ b/router/src/http/src/tls_server_context.cc
204	+@@ -166,7 +166,8 @@ void TlsServerContext::init_tmp_dh(const std::string &dh_params) {
205	+ }
206	+
207	+ } else {
208	+-#if OPENSSL_VERSION_NUMBER >= ROUTER_OPENSSL_VERSION(1, 1, 0)
209	++#if OPENSSL_VERSION_NUMBER >= ROUTER_OPENSSL_VERSION(1, 1, 0) && \
210	++ !defined(LIBRESSL_VERSION_NUMBER)
211	+ dh2048.reset(DH_get_2048_256());
212	+ #else
213	+ /*
214	+--- a/sql-common/client.cc
215	++++ b/sql-common/client.cc
216	+@@ -7881,7 +7881,7 @@ int STDCALL mysql_options(MYSQL *mysql, enum mysql_option option,
217	+ #endif
218	+ break;
219	+ case MYSQL_OPT_SSL_FIPS_MODE: {
220	+-#if defined(HAVE_OPENSSL)
221	++#if defined(HAVE_OPENSSL) && !defined(LIBRESSL_VERSION_NUMBER)
222	+ char ssl_err_string[OPENSSL_ERROR_LENGTH] = {'\0'};
223	+ ENSURE_EXTENSIONS_PRESENT(&mysql->options);
224	+ mysql->options.extension->ssl_fips_mode = static_cast<const uint >(arg);
225	+--- a/sql/mysqld.cc
226	++++ b/sql/mysqld.cc
227	+@@ -5047,7 +5047,7 @@ static int init_thread_environment() {
228	+
229	+ static PSI_memory_key key_memory_openssl = PSI_NOT_INSTRUMENTED;
230	+
231	+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
232	++#if OPENSSL_VERSION_NUMBER < 0x10100000L \|\| defined(LIBRESSL_VERSION_NUMBER)
233	+ #define FILE_LINE_ARGS
234	+ #else
235	+ #define FILE_LINE_ARGS , const char *, int
236	+@@ -5083,12 +5083,14 @@ static void init_ssl() {
237	+ }
238	+
239	+ static int init_ssl_communication() {
240	++#ifndef LIBRESSL_VERSION_NUMBER
241	+ char ssl_err_string[OPENSSL_ERROR_LENGTH] = {'\0'};
242	+ int ret_fips_mode = set_fips_mode(opt_ssl_fips_mode, ssl_err_string);
243	+ if (ret_fips_mode != 1) {
244	+ LogErr(ERROR_LEVEL, ER_SSL_FIPS_MODE_ERROR, ssl_err_string);
245	+ return 1;
246	+ }
247	++#endif
248	+ if (SslAcceptorContext::singleton_init(opt_use_ssl)) return 1;
249	+
250	+ #if OPENSSL_VERSION_NUMBER < 0x10100000L
251	+--- a/sql/sys_vars.cc
252	++++ b/sql/sys_vars.cc
253	+@@ -4540,6 +4540,7 @@ static Sys_var_ulong Sys_max_execution_time(
254	+ HINT_UPDATEABLE SESSION_VAR(max_execution_time), CMD_LINE(REQUIRED_ARG),
255	+ VALID_RANGE(0, ULONG_MAX), DEFAULT(0), BLOCK_SIZE(1));
256	+
257	++#ifndef LIBRESSL_VERSION_NUMBER
258	+ static bool update_fips_mode(sys_var , THD , enum_var_type) {
259	+ char ssl_err_string[OPENSSL_ERROR_LENGTH] = {'\0'};
260	+ if (set_fips_mode(opt_ssl_fips_mode, ssl_err_string) != 1) {
261	+@@ -4550,15 +4551,30 @@ static bool update_fips_mode(sys_var , THD , enum_var_type) {
262	+ return false;
263	+ }
264	+ }
265	++#endif
266	+
267	++#if defined(LIBRESSL_VERSION_NUMBER)
268	++static const char *ssl_fips_mode_names[] = {"OFF", 0};
269	++#else
270	+ static const char *ssl_fips_mode_names[] = {"OFF", "ON", "STRICT", 0};
271	++#endif
272	+ static Sys_var_enum Sys_ssl_fips_mode(
273	+ "ssl_fips_mode",
274	+ "SSL FIPS mode (applies only for OpenSSL); "
275	++#ifndef LIBRESSL_VERSION_NUMBER
276	+ "permitted values are: OFF, ON, STRICT",
277	++#else
278	++ "permitted values are: OFF",
279	++#endif
280	+ GLOBAL_VAR(opt_ssl_fips_mode), CMD_LINE(REQUIRED_ARG, OPT_SSL_FIPS_MODE),
281	+ ssl_fips_mode_names, DEFAULT(0), NO_MUTEX_GUARD, NOT_IN_BINLOG,
282	+- ON_CHECK(NULL), ON_UPDATE(update_fips_mode), NULL);
283	++ ON_CHECK(NULL),
284	++#ifndef LIBRESSL_VERSION_NUMBER
285	++ ON_UPDATE(update_fips_mode),
286	++#else
287	++ ON_UPDATE(NULL),
288	++#endif
289	++ NULL);
290	+
291	+ #if defined(HAVE_OPENSSL)
292	+ static Sys_var_bool Sys_auto_generate_certs(
293	+--- a/vio/viossl.cc
294	++++ b/vio/viossl.cc
295	+@@ -490,7 +490,7 @@ static int ssl_do(struct st_VioSSLFd ptr, Vio vio, long timeout,
296	+ #if !defined(DBUG_OFF)
297	+ {
298	+ STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;
299	+- ssl_comp_methods = SSL_COMP_get_compression_methods();
300	++ ssl_comp_methods = (STACK_OF(SSL_COMP) *)SSL_COMP_get_compression_methods();
301	+ n = sk_SSL_COMP_num(ssl_comp_methods);
302	+ DBUG_PRINT("info", ("Available compression methods:\n"));
303	+ if (n == 0)
304	+@@ -498,7 +498,7 @@ static int ssl_do(struct st_VioSSLFd ptr, Vio vio, long timeout,
305	+ else
306	+ for (j = 0; j < n; j++) {
307	+ SSL_COMP *c = sk_SSL_COMP_value(ssl_comp_methods, j);
308	+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
309	++#if OPENSSL_VERSION_NUMBER < 0x10100000L \|\| defined(LIBRESSL_VERSION_NUMBER)
310	+ DBUG_PRINT("info", (" %d: %s\n", c->id, c->name));
311	+ #else /* OPENSSL_VERSION_NUMBER < 0x10100000L */
312	+ DBUG_PRINT("info",
313	+--- a/vio/viosslfactories.cc
314	++++ b/vio/viosslfactories.cc
315	+@@ -420,6 +420,7 @@ void ssl_start() {
316	+ }
317	+ }
318	+
319	++#ifndef LIBRESSL_VERSION_NUMBER
320	+ /**
321	+ Set fips mode in openssl library,
322	+ When we set fips mode ON/STRICT, it will perform following operations:
323	+@@ -473,6 +474,7 @@ EXIT:
324	+ @returns openssl current fips mode
325	+ */
326	+ uint get_fips_mode() { return FIPS_mode(); }
327	++#endif
328	+
329	+ long process_tls_version(const char *tls_version) {
330	+ const char *separator = ",";

Gentoo Archives: gentoo-commits