commit: 47f22161eb3177488ecdf04e7e15e979dc5dc25c |
Author: Sam James <sam <AT> gentoo <DOT> org> |
AuthorDate: Mon May 3 18:27:29 2021 +0000 |
Commit: Sam James <sam <AT> gentoo <DOT> org> |
CommitDate: Mon May 3 18:45:31 2021 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=47f22161 |
|
dev-db/mysql-connector-c: drop obsolete LibreSSL patches |
|
Signed-off-by: Sam James <sam <AT> gentoo.org> |
|
.../files/mysql-connector-c-8.0.21-libressl.patch | 356 --------------------- |
.../files/mysql-connector-c-8.0.23-libressl.patch | 356 --------------------- |
2 files changed, 712 deletions(-) |
|
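diff --git a/dev-db/mysql-connector-c/files/mysql-connector-c-8.0.21-libressl.patch b/dev-db/mysql-connector-c/files/mysql-connector-c-8.0.21-libressl.patch
deleted file mode 100644
index 78f3e78fd6d..00000000000
--- a/dev-db/mysql-connector-c/files/mysql-connector-c-8.0.21-libressl.patch
+++ /dev/null
@@ -1,356 +0,0 @@
-From 4aadff7b08f6a69160a44c1742d5a12fb5abc059 Mon Sep 17 00:00:00 2001
-From: Thomas Deutschmann <whissi@g.o>
-Date: Thu, 30 Apr 2020 20:01:48 +0200
-Subject: [PATCH 5/5] Add LibreSSL support
-
-Signed-off-by: Thomas Deutschmann <whissi@g.o>
---
- cmake/ssl.cmake | 5 +++--
- mysys/my_md5.cc | 2 ++
- .../bindings/xcom/xcom/xcom_ssl_transport.cc | 6 +++++-
- plugin/x/client/xconnection_impl.cc | 4 ++++
- router/src/http/src/tls_client_context.cc | 2 +-
- router/src/http/src/tls_context.cc | 9 ++++++--
- router/src/http/src/tls_server_context.cc | 3 ++-
- sql-common/client.cc | 2 ++
- sql/mysqld.cc | 4 +++-
- sql/sys_vars.cc | 21 +++++++++++++++++--
- vio/viossl.cc | 8 +++----
- vio/viosslfactories.cc | 2 ++
- 12 files changed, 54 insertions(+), 14 deletions(-)
-
-diff --git a/cmake/ssl.cmake b/cmake/ssl.cmake
-index 52feadeaa..3b8332695 100644
--- a/cmake/ssl.cmake
-+++ b/cmake/ssl.cmake
-@@ -222,13 +222,14 @@ MACRO (MYSQL_CHECK_SSL)
- OPENSSL_FIX_VERSION "${OPENSSL_VERSION_NUMBER}"
- )
- ENDIF()
-- IF("${OPENSSL_MAJOR_VERSION}.${OPENSSL_MINOR_VERSION}.${OPENSSL_FIX_VERSION}" VERSION_GREATER "1.1.0")
-+ CHECK_SYMBOL_EXISTS(TLS1_3_VERSION "openssl/tls1.h" HAVE_TLS1_3_VERSION)
-+ IF(HAVE_TLS1_3_VERSION)
- ADD_DEFINITIONS(-DHAVE_TLSv13)
- ENDIF()
- IF(OPENSSL_INCLUDE_DIR AND
- OPENSSL_LIBRARY AND
- CRYPTO_LIBRARY AND
-- OPENSSL_MAJOR_VERSION STREQUAL "1"
-+ OPENSSL_MAJOR_VERSION VERSION_GREATER_EQUAL "1"
- )
- SET(OPENSSL_FOUND TRUE)
- FIND_PROGRAM(OPENSSL_EXECUTABLE openssl
-diff --git a/mysys/my_md5.cc b/mysys/my_md5.cc
-index dea997b25..531696329 100644
--- a/mysys/my_md5.cc
-+++ b/mysys/my_md5.cc
-@@ -56,7 +56,9 @@ static void my_md5_hash(unsigned char *digest, unsigned const char *buf,
- int compute_md5_hash(char *digest, const char *buf, int len) {
- int retval = 0;
- int fips_mode = 0;
-+#ifndef LIBRESSL_VERSION_NUMBER
- fips_mode = FIPS_mode();
-+#endif
- /* If fips mode is ON/STRICT restricted method calls will result into abort,
- * skipping call. */
- if (fips_mode == 0) {
-diff --git a/plugin/group_replication/libmysqlgcs/src/bindings/xcom/xcom/xcom_ssl_transport.cc b/plugin/group_replication/libmysqlgcs/src/bindings/xcom/xcom/xcom_ssl_transport.cc
-index 8bf63ce14..02f91b44e 100644
--- a/plugin/group_replication/libmysqlgcs/src/bindings/xcom/xcom/xcom_ssl_transport.cc
-+++ b/plugin/group_replication/libmysqlgcs/src/bindings/xcom/xcom/xcom_ssl_transport.cc
-@@ -325,6 +325,7 @@ error:
- return 1;
- }
-
-+#ifndef LIBRESSL_VERSION_NUMBER
- #define OPENSSL_ERROR_LENGTH 512
- static int configure_ssl_fips_mode(const uint fips_mode) {
- int rc = -1;
-@@ -348,6 +349,7 @@ static int configure_ssl_fips_mode(const uint fips_mode) {
- EXIT:
- return rc;
- }
-+#endif
-
- static int configure_ssl_ca(SSL_CTX *ssl_ctx, const char *ca_file,
- const char *ca_path) {
-@@ -544,10 +546,12 @@ int xcom_init_ssl(const char *server_key_file, const char *server_cert_file,
- int verify_server = SSL_VERIFY_NONE;
- int verify_client = SSL_VERIFY_NONE;
-
-+#ifndef LIBRESSL_VERSION_NUMBER
- if (configure_ssl_fips_mode(ssl_fips_mode) != 1) {
- G_ERROR("Error setting the ssl fips mode");
- goto error;
- }
-+#endif
-
- SSL_library_init();
- SSL_load_error_strings();
-@@ -611,7 +615,7 @@ error:
- void xcom_cleanup_ssl() {
- if (!xcom_use_ssl()) return;
-
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- ERR_remove_thread_state(0);
- #endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
- }
-diff --git a/plugin/x/client/xconnection_impl.cc b/plugin/x/client/xconnection_impl.cc
-index 13bc6794e..5223169db 100644
--- a/plugin/x/client/xconnection_impl.cc
-+++ b/plugin/x/client/xconnection_impl.cc
-@@ -498,6 +498,7 @@ XError Connection_impl::get_ssl_error(const int error_id) {
- return XError(CR_SSL_CONNECTION_ERROR, buffer);
- }
-
-+#ifndef LIBRESSL_VERSION_NUMBER
- /**
- Set fips mode in openssl library,
- When we set fips mode ON/STRICT, it will perform following operations:
-@@ -537,6 +538,7 @@ int set_fips_mode(const uint32_t fips_mode,
- EXIT:
- return rc;
- }
-+#endif
-
- XError Connection_impl::activate_tls() {
- if (nullptr == m_vio) return get_socket_error(SOCKET_ECONNRESET);
-@@ -547,12 +549,14 @@ XError Connection_impl::activate_tls() {
- if (!m_context->m_ssl_config.is_configured())
- return XError{CR_SSL_CONNECTION_ERROR, ER_TEXT_TLS_NOT_CONFIGURATED, true};
-
-+#ifndef LIBRESSL_VERSION_NUMBER
- char err_string[OPENSSL_ERROR_LENGTH] = {'\0'};
- if (set_fips_mode(
- static_cast<uint32_t>(m_context->m_ssl_config.m_ssl_fips_mode),
- err_string) != 1) {
- return XError{CR_SSL_CONNECTION_ERROR, err_string, true};
- }
-+#endif
- auto ssl_ctx_flags = process_tls_version(
- details::null_when_empty(m_context->m_ssl_config.m_tls_version));
-
-diff --git a/router/src/http/src/tls_client_context.cc b/router/src/http/src/tls_client_context.cc
-index 297ceee30..7c1157289 100644
--- a/router/src/http/src/tls_client_context.cc
-+++ b/router/src/http/src/tls_client_context.cc
-@@ -54,7 +54,7 @@ void TlsClientContext::verify(TlsVerify verify) {
-
- void TlsClientContext::cipher_suites(const std::string &ciphers) {
- // TLSv1.3 ciphers are controlled via SSL_CTX_set_ciphersuites()
--#if OPENSSL_VERSION_NUMBER >= ROUTER_OPENSSL_VERSION(1, 1, 1)
-+#ifdef TLS1_3_VERSION
- if (1 != SSL_CTX_set_ciphersuites(ssl_ctx_.get(), ciphers.c_str())) {
- throw TlsError("set-cipher-suites");
- }
-diff --git a/router/src/http/src/tls_context.cc b/router/src/http/src/tls_context.cc
-index 60ed7e6ca..388ef8f28 100644
--- a/router/src/http/src/tls_context.cc
-+++ b/router/src/http/src/tls_context.cc
-@@ -91,7 +91,7 @@ static int o11x_version(TlsVersion version) {
- return TLS1_1_VERSION;
- case TlsVersion::TLS_1_2:
- return TLS1_2_VERSION;
--#if OPENSSL_VERSION_NUMBER >= ROUTER_OPENSSL_VERSION(1, 1, 1)
-+#ifdef TLS1_3_VERSION
- case TlsVersion::TLS_1_3:
- return TLS1_3_VERSION;
- #endif
-@@ -120,9 +120,11 @@ void TlsContext::version_range(TlsVersion min_version, TlsVersion max_version) {
- switch (min_version) {
- default:
- // unknown, leave all disabled
-+#ifdef TLS1_3_VERSION
- // fallthrough
- case TlsVersion::TLS_1_3:
- opts |= SSL_OP_NO_TLSv1_2;
-+#endif
- // fallthrough
- case TlsVersion::TLS_1_2:
- opts |= SSL_OP_NO_TLSv1_1;
-@@ -170,8 +172,10 @@ TlsVersion TlsContext::min_version() const {
- return TlsVersion::TLS_1_1;
- case TLS1_2_VERSION:
- return TlsVersion::TLS_1_2;
-+#ifdef TLS1_3_VERSION
- case TLS1_3_VERSION:
- return TlsVersion::TLS_1_3;
-+#endif
- case 0:
- return TlsVersion::AUTO;
- default:
-@@ -230,7 +234,8 @@ TlsContext::InfoCallback TlsContext::info_callback() const {
- }
-
- int TlsContext::security_level() const {
--#if OPENSSL_VERSION_NUMBER >= ROUTER_OPENSSL_VERSION(1, 1, 0)
-+#if OPENSSL_VERSION_NUMBER >= ROUTER_OPENSSL_VERSION(1, 1, 0) && \
-+ !defined(LIBRESSL_VERSION_NUMBER)
- return SSL_CTX_get_security_level(ssl_ctx_.get());
- #else
- return 0;
-diff --git a/router/src/http/src/tls_server_context.cc b/router/src/http/src/tls_server_context.cc
-index 0f4472419..707d7de86 100644
--- a/router/src/http/src/tls_server_context.cc
-+++ b/router/src/http/src/tls_server_context.cc
-@@ -167,7 +167,8 @@ void TlsServerContext::init_tmp_dh(const std::string &dh_params) {
- }
-
- } else {
--#if OPENSSL_VERSION_NUMBER >= ROUTER_OPENSSL_VERSION(1, 1, 0)
-+#if OPENSSL_VERSION_NUMBER >= ROUTER_OPENSSL_VERSION(1, 1, 0) && \
-+ !defined(LIBRESSL_VERSION_NUMBER)
- dh2048.reset(DH_get_2048_256());
- #else
- /*
-diff --git a/sql-common/client.cc b/sql-common/client.cc
-index ffb136b5b..8a0c7b834 100644
--- a/sql-common/client.cc
-+++ b/sql-common/client.cc
-@@ -7766,6 +7766,7 @@ int STDCALL mysql_options(MYSQL *mysql, enum mysql_option option,
- return 1;
- break;
- case MYSQL_OPT_SSL_FIPS_MODE: {
-+#if !defined(LIBRESSL_VERSION_NUMBER)
- char ssl_err_string[OPENSSL_ERROR_LENGTH] = {'\0'};
- ENSURE_EXTENSIONS_PRESENT(&mysql->options);
- mysql->options.extension->ssl_fips_mode = *static_cast<const uint *>(arg);
-@@ -7777,6 +7778,7 @@ int STDCALL mysql_options(MYSQL *mysql, enum mysql_option option,
- "Set Fips mode ON/STRICT failed, detail: '%s'.", ssl_err_string);
- return 1;
- }
-+#endif
- } break;
- case MYSQL_OPT_SSL_MODE:
- ENSURE_EXTENSIONS_PRESENT(&mysql->options);
-diff --git a/sql/mysqld.cc b/sql/mysqld.cc
-index 682e8d5ae..96a922d7a 100644
--- a/sql/mysqld.cc
-+++ b/sql/mysqld.cc
-@@ -5109,7 +5109,7 @@ static int init_thread_environment() {
-
- static PSI_memory_key key_memory_openssl = PSI_NOT_INSTRUMENTED;
-
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- #define FILE_LINE_ARGS
- #else
- #define FILE_LINE_ARGS , const char *, int
-@@ -5143,12 +5143,14 @@ static void init_ssl() {
- }
-
- static int init_ssl_communication() {
-+#ifndef LIBRESSL_VERSION_NUMBER
- char ssl_err_string[OPENSSL_ERROR_LENGTH] = {'\0'};
- int ret_fips_mode = set_fips_mode(opt_ssl_fips_mode, ssl_err_string);
- if (ret_fips_mode != 1) {
- LogErr(ERROR_LEVEL, ER_SSL_FIPS_MODE_ERROR, ssl_err_string);
- return 1;
- }
-+#endif
- if (TLS_channel::singleton_init(&mysql_main, mysql_main_channel, opt_use_ssl,
- &server_main_callback, opt_initialize))
- return 1;
-diff --git a/sql/sys_vars.cc b/sql/sys_vars.cc
-index 5b1a82d2f..4e2dff865 100644
--- a/sql/sys_vars.cc
-+++ b/sql/sys_vars.cc
-@@ -4474,6 +4474,7 @@ static Sys_var_ulong Sys_max_execution_time(
- HINT_UPDATEABLE SESSION_VAR(max_execution_time), CMD_LINE(REQUIRED_ARG),
- VALID_RANGE(0, ULONG_MAX), DEFAULT(0), BLOCK_SIZE(1));
-
-+#ifndef LIBRESSL_VERSION_NUMBER
- static bool update_fips_mode(sys_var *, THD *, enum_var_type) {
- char ssl_err_string[OPENSSL_ERROR_LENGTH] = {'\0'};
- if (set_fips_mode(opt_ssl_fips_mode, ssl_err_string) != 1) {
-@@ -4484,15 +4485,31 @@ static bool update_fips_mode(sys_var *, THD *, enum_var_type) {
- return false;
- }
- }
-+#endif
-+
-+#if defined(LIBRESSL_VERSION_NUMBER)
-+static const char *ssl_fips_mode_names[] = {"OFF", 0};
-+#else
-+static const char *ssl_fips_mode_names[] = {"OFF", "ON", "STRICT", 0};
-+#endif
-
--static const char *ssl_fips_mode_names[] = {"OFF", "ON", "STRICT", nullptr};
- static Sys_var_enum Sys_ssl_fips_mode(
- "ssl_fips_mode",
- "SSL FIPS mode (applies only for OpenSSL); "
-+#ifndef LIBRESSL_VERSION_NUMBER
- "permitted values are: OFF, ON, STRICT",
-+#else
-+ "permitted values are: OFF",
-+#endif
- GLOBAL_VAR(opt_ssl_fips_mode), CMD_LINE(REQUIRED_ARG, OPT_SSL_FIPS_MODE),
- ssl_fips_mode_names, DEFAULT(0), NO_MUTEX_GUARD, NOT_IN_BINLOG,
-- ON_CHECK(nullptr), ON_UPDATE(update_fips_mode), nullptr);
-+ ON_CHECK(NULL),
-+#ifndef LIBRESSL_VERSION_NUMBER
-+ ON_UPDATE(update_fips_mode),
-+#else
-+ ON_UPDATE(NULL),
-+#endif
-+ NULL);
-
- static Sys_var_bool Sys_auto_generate_certs(
- "auto_generate_certs",
-diff --git a/vio/viossl.cc b/vio/viossl.cc
-index 0e9594741..3a589c64b 100644
--- a/vio/viossl.cc
-+++ b/vio/viossl.cc
-@@ -45,7 +45,7 @@
- BIO_set_callback_ex was added in openSSL 1.1.1
- For older openSSL, use the deprecated BIO_set_callback.
- */
--#if OPENSSL_VERSION_NUMBER >= 0x10101000L
-+#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
- #define HAVE_BIO_SET_CALLBACK_EX
- #endif
-
-@@ -634,8 +634,8 @@ static int ssl_do(struct st_VioSSLFd *ptr, Vio *vio, long timeout,
-
- #if !defined(DBUG_OFF)
- {
-- STACK_OF(SSL_COMP) *ssl_comp_methods = nullptr;
-- ssl_comp_methods = SSL_COMP_get_compression_methods();
-+ STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;
-+ ssl_comp_methods = (STACK_OF(SSL_COMP) *)SSL_COMP_get_compression_methods();
- n = sk_SSL_COMP_num(ssl_comp_methods);
- DBUG_PRINT("info", ("Available compression methods:\n"));
- if (n == 0)
-@@ -643,7 +643,7 @@ static int ssl_do(struct st_VioSSLFd *ptr, Vio *vio, long timeout,
- else
- for (j = 0; j < n; j++) {
- SSL_COMP *c = sk_SSL_COMP_value(ssl_comp_methods, j);
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- DBUG_PRINT("info", (" %d: %s\n", c->id, c->name));
- #else /* OPENSSL_VERSION_NUMBER < 0x10100000L */
- DBUG_PRINT("info",
-diff --git a/vio/viosslfactories.cc b/vio/viosslfactories.cc
-index 6c04029cc..f27221463 100644
--- a/vio/viosslfactories.cc
-+++ b/vio/viosslfactories.cc
-@@ -473,6 +473,7 @@ void ssl_start() {
- }
- }
-
-+#ifndef LIBRESSL_VERSION_NUMBER
- /**
- Set fips mode in openssl library,
- When we set fips mode ON/STRICT, it will perform following operations:
-@@ -526,6 +527,7 @@ EXIT:
- @returns openssl current fips mode
- */
- uint get_fips_mode() { return FIPS_mode(); }
-+#endif
-
- long process_tls_version(const char *tls_version) {
- const char *separator = ",";
---
-2.27.0
-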
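diff --git a/dev-db/mysql-connector-c/files/mysql-connector-c-8.0.23-libressl.patch b/dev-db/mysql-connector-c/files/mysql-connector-c-8.0.23-libressl.patch
deleted file mode 100644
index 06681d940dd..00000000000
--- a/dev-db/mysql-connector-c/files/mysql-connector-c-8.0.23-libressl.patch
+++ /dev/null
@@ -1,356 +0,0 @@
-From 262f0b8bdc86a755041c19c11b6067afce28dae1 Mon Sep 17 00:00:00 2001
-From: Thomas Deutschmann <whissi@g.o>
-Date: Thu, 30 Apr 2020 20:01:48 +0200
-Subject: [PATCH 5/6] Add LibreSSL support
-
-Signed-off-by: Thomas Deutschmann <whissi@g.o>
---
- cmake/ssl.cmake | 5 +++--
- mysys/my_md5.cc | 2 ++
- .../bindings/xcom/xcom/xcom_ssl_transport.cc | 6 +++++-
- plugin/x/client/xconnection_impl.cc | 4 ++++
- router/src/harness/src/tls_client_context.cc | 2 +-
- router/src/harness/src/tls_context.cc | 9 ++++++--
- router/src/harness/src/tls_server_context.cc | 3 ++-
- sql-common/client.cc | 2 ++
- sql/mysqld.cc | 4 +++-
- sql/sys_vars.cc | 21 +++++++++++++++++--
- vio/viossl.cc | 8 +++----
- vio/viosslfactories.cc | 2 ++
- 12 files changed, 54 insertions(+), 14 deletions(-)
-
-diff --git a/cmake/ssl.cmake b/cmake/ssl.cmake
-index 52feadeaa..3b8332695 100644
--- a/cmake/ssl.cmake
-+++ b/cmake/ssl.cmake
-@@ -222,13 +222,14 @@ MACRO (MYSQL_CHECK_SSL)
- OPENSSL_FIX_VERSION "${OPENSSL_VERSION_NUMBER}"
- )
- ENDIF()
-- IF("${OPENSSL_MAJOR_VERSION}.${OPENSSL_MINOR_VERSION}.${OPENSSL_FIX_VERSION}" VERSION_GREATER "1.1.0")
-+ CHECK_SYMBOL_EXISTS(TLS1_3_VERSION "openssl/tls1.h" HAVE_TLS1_3_VERSION)
-+ IF(HAVE_TLS1_3_VERSION)
- ADD_DEFINITIONS(-DHAVE_TLSv13)
- ENDIF()
- IF(OPENSSL_INCLUDE_DIR AND
- OPENSSL_LIBRARY AND
- CRYPTO_LIBRARY AND
-- OPENSSL_MAJOR_VERSION STREQUAL "1"
-+ OPENSSL_MAJOR_VERSION VERSION_GREATER_EQUAL "1"
- )
- SET(OPENSSL_FOUND TRUE)
- FIND_PROGRAM(OPENSSL_EXECUTABLE openssl
-diff --git a/mysys/my_md5.cc b/mysys/my_md5.cc
-index dea997b25..531696329 100644
--- a/mysys/my_md5.cc
-+++ b/mysys/my_md5.cc
-@@ -56,7 +56,9 @@ static void my_md5_hash(unsigned char *digest, unsigned const char *buf,
- int compute_md5_hash(char *digest, const char *buf, int len) {
- int retval = 0;
- int fips_mode = 0;
-+#ifndef LIBRESSL_VERSION_NUMBER
- fips_mode = FIPS_mode();
-+#endif
- /* If fips mode is ON/STRICT restricted method calls will result into abort,
- * skipping call. */
- if (fips_mode == 0) {
-diff --git a/plugin/group_replication/libmysqlgcs/src/bindings/xcom/xcom/xcom_ssl_transport.cc b/plugin/group_replication/libmysqlgcs/src/bindings/xcom/xcom/xcom_ssl_transport.cc
-index 8bf63ce14..02f91b44e 100644
--- a/plugin/group_replication/libmysqlgcs/src/bindings/xcom/xcom/xcom_ssl_transport.cc
-+++ b/plugin/group_replication/libmysqlgcs/src/bindings/xcom/xcom/xcom_ssl_transport.cc
-@@ -325,6 +325,7 @@ error:
- return 1;
- }
-
-+#ifndef LIBRESSL_VERSION_NUMBER
- #define OPENSSL_ERROR_LENGTH 512
- static int configure_ssl_fips_mode(const uint fips_mode) {
- int rc = -1;
-@@ -348,6 +349,7 @@ static int configure_ssl_fips_mode(const uint fips_mode) {
- EXIT:
- return rc;
- }
-+#endif
-
- static int configure_ssl_ca(SSL_CTX *ssl_ctx, const char *ca_file,
- const char *ca_path) {
-@@ -544,10 +546,12 @@ int xcom_init_ssl(const char *server_key_file, const char *server_cert_file,
- int verify_server = SSL_VERIFY_NONE;
- int verify_client = SSL_VERIFY_NONE;
-
-+#ifndef LIBRESSL_VERSION_NUMBER
- if (configure_ssl_fips_mode(ssl_fips_mode) != 1) {
- G_ERROR("Error setting the ssl fips mode");
- goto error;
- }
-+#endif
-
- SSL_library_init();
- SSL_load_error_strings();
-@@ -611,7 +615,7 @@ error:
- void xcom_cleanup_ssl() {
- if (!xcom_use_ssl()) return;
-
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- ERR_remove_thread_state(0);
- #endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
- }
-diff --git a/plugin/x/client/xconnection_impl.cc b/plugin/x/client/xconnection_impl.cc
-index a78371098..9d3a7b436 100644
--- a/plugin/x/client/xconnection_impl.cc
-+++ b/plugin/x/client/xconnection_impl.cc
-@@ -498,6 +498,7 @@ XError Connection_impl::get_ssl_error(const int error_id) {
- return XError(CR_SSL_CONNECTION_ERROR, buffer);
- }
-
-+#ifndef LIBRESSL_VERSION_NUMBER
- /**
- Set fips mode in openssl library,
- When we set fips mode ON/STRICT, it will perform following operations:
-@@ -537,6 +538,7 @@ int set_fips_mode(const uint32_t fips_mode,
- EXIT:
- return rc;
- }
-+#endif
-
- XError Connection_impl::activate_tls() {
- if (nullptr == m_vio) return get_socket_error(SOCKET_ECONNRESET);
-@@ -547,12 +549,14 @@ XError Connection_impl::activate_tls() {
- if (!m_context->m_ssl_config.is_configured())
- return XError{CR_SSL_CONNECTION_ERROR, ER_TEXT_TLS_NOT_CONFIGURATED, true};
-
-+#ifndef LIBRESSL_VERSION_NUMBER
- char err_string[OPENSSL_ERROR_LENGTH] = {'\0'};
- if (set_fips_mode(
- static_cast<uint32_t>(m_context->m_ssl_config.m_ssl_fips_mode),
- err_string) != 1) {
- return XError{CR_SSL_CONNECTION_ERROR, err_string, true};
- }
-+#endif
- auto ssl_ctx_flags = process_tls_version(
- details::null_when_empty(m_context->m_ssl_config.m_tls_version));
-
-diff --git a/router/src/harness/src/tls_client_context.cc b/router/src/harness/src/tls_client_context.cc
-index c14b1cb18..81a9425ca 100644
--- a/router/src/harness/src/tls_client_context.cc
-+++ b/router/src/harness/src/tls_client_context.cc
-@@ -61,7 +61,7 @@ stdx::expected<void, std::error_code> TlsClientContext::verify(
- stdx::expected<void, std::error_code> TlsClientContext::cipher_suites(
- const std::string &ciphers) {
- // TLSv1.3 ciphers are controlled via SSL_CTX_set_ciphersuites()
--#if OPENSSL_VERSION_NUMBER >= ROUTER_OPENSSL_VERSION(1, 1, 1)
-+#ifdef TLS1_3_VERSION
- if (1 != SSL_CTX_set_ciphersuites(ssl_ctx_.get(), ciphers.c_str())) {
- return stdx::make_unexpected(make_tls_error());
- }
-diff --git a/router/src/harness/src/tls_context.cc b/router/src/harness/src/tls_context.cc
-index e0b97bf2d..8b64b1d01 100644
--- a/router/src/harness/src/tls_context.cc
-+++ b/router/src/harness/src/tls_context.cc
-@@ -115,7 +115,7 @@ static int o11x_version(TlsVersion version) {
- return TLS1_1_VERSION;
- case TlsVersion::TLS_1_2:
- return TLS1_2_VERSION;
--#if OPENSSL_VERSION_NUMBER >= ROUTER_OPENSSL_VERSION(1, 1, 1)
-+#ifdef TLS1_3_VERSION
- case TlsVersion::TLS_1_3:
- return TLS1_3_VERSION;
- #endif
-@@ -145,9 +145,11 @@ stdx::expected<void, std::error_code> TlsContext::version_range(
- switch (min_version) {
- default:
- // unknown, leave all disabled
-+#ifdef TLS1_3_VERSION
- // fallthrough
- case TlsVersion::TLS_1_3:
- opts |= SSL_OP_NO_TLSv1_2;
-+#endif
- // fallthrough
- case TlsVersion::TLS_1_2:
- opts |= SSL_OP_NO_TLSv1_1;
-@@ -197,8 +199,10 @@ TlsVersion TlsContext::min_version() const {
- return TlsVersion::TLS_1_1;
- case TLS1_2_VERSION:
- return TlsVersion::TLS_1_2;
-+#ifdef TLS1_3_VERSION
- case TLS1_3_VERSION:
- return TlsVersion::TLS_1_3;
-+#endif
- case 0:
- return TlsVersion::AUTO;
- default:
-@@ -257,7 +261,8 @@ TlsContext::InfoCallback TlsContext::info_callback() const {
- }
-
- int TlsContext::security_level() const {
--#if OPENSSL_VERSION_NUMBER >= ROUTER_OPENSSL_VERSION(1, 1, 0)
-+#if OPENSSL_VERSION_NUMBER >= ROUTER_OPENSSL_VERSION(1, 1, 0) && \
-+ !defined(LIBRESSL_VERSION_NUMBER)
- return SSL_CTX_get_security_level(ssl_ctx_.get());
- #else
- return 0;
-diff --git a/router/src/harness/src/tls_server_context.cc b/router/src/harness/src/tls_server_context.cc
-index c8fc2b5a0..76775e2a0 100644
--- a/router/src/harness/src/tls_server_context.cc
-+++ b/router/src/harness/src/tls_server_context.cc
-@@ -169,7 +169,8 @@ stdx::expected<void, std::error_code> TlsServerContext::init_tmp_dh(
- }
-
- } else {
--#if OPENSSL_VERSION_NUMBER >= ROUTER_OPENSSL_VERSION(1, 1, 0)
-+#if OPENSSL_VERSION_NUMBER >= ROUTER_OPENSSL_VERSION(1, 1, 0) && \
-+ !defined(LIBRESSL_VERSION_NUMBER)
- dh2048.reset(DH_get_2048_256());
- #else
- /*
-diff --git a/sql-common/client.cc b/sql-common/client.cc
-index 79f301fe6..b5e1d126c 100644
--- a/sql-common/client.cc
-+++ b/sql-common/client.cc
-@@ -7987,6 +7987,7 @@ int STDCALL mysql_options(MYSQL *mysql, enum mysql_option option,
- return 1;
- break;
- case MYSQL_OPT_SSL_FIPS_MODE: {
-+#if !defined(LIBRESSL_VERSION_NUMBER)
- char ssl_err_string[OPENSSL_ERROR_LENGTH] = {'\0'};
- ENSURE_EXTENSIONS_PRESENT(&mysql->options);
- mysql->options.extension->ssl_fips_mode = *static_cast<const uint *>(arg);
-@@ -7998,6 +7999,7 @@ int STDCALL mysql_options(MYSQL *mysql, enum mysql_option option,
- "Set Fips mode ON/STRICT failed, detail: '%s'.", ssl_err_string);
- return 1;
- }
-+#endif
- } break;
- case MYSQL_OPT_SSL_MODE:
- ENSURE_EXTENSIONS_PRESENT(&mysql->options);
-diff --git a/sql/mysqld.cc b/sql/mysqld.cc
-index cde636761..266a8c3bb 100644
--- a/sql/mysqld.cc
-+++ b/sql/mysqld.cc
-@@ -5035,7 +5035,7 @@ static int init_thread_environment() {
-
- static PSI_memory_key key_memory_openssl = PSI_NOT_INSTRUMENTED;
-
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- #define FILE_LINE_ARGS
- #else
- #define FILE_LINE_ARGS , const char *, int
-@@ -5069,12 +5069,14 @@ static void init_ssl() {
- }
-
- static int init_ssl_communication() {
-+#ifndef LIBRESSL_VERSION_NUMBER
- char ssl_err_string[OPENSSL_ERROR_LENGTH] = {'\0'};
- int ret_fips_mode = set_fips_mode(opt_ssl_fips_mode, ssl_err_string);
- if (ret_fips_mode != 1) {
- LogErr(ERROR_LEVEL, ER_SSL_FIPS_MODE_ERROR, ssl_err_string);
- return 1;
- }
-+#endif
- if (TLS_channel::singleton_init(&mysql_main, mysql_main_channel, opt_use_ssl,
- &server_main_callback, opt_initialize))
- return 1;
-diff --git a/sql/sys_vars.cc b/sql/sys_vars.cc
-index 2df3271ff..90942eef0 100644
--- a/sql/sys_vars.cc
-+++ b/sql/sys_vars.cc
-@@ -4614,6 +4614,7 @@ static Sys_var_ulong Sys_max_execution_time(
- HINT_UPDATEABLE SESSION_VAR(max_execution_time), CMD_LINE(REQUIRED_ARG),
- VALID_RANGE(0, ULONG_MAX), DEFAULT(0), BLOCK_SIZE(1));
-
-+#ifndef LIBRESSL_VERSION_NUMBER
- static bool update_fips_mode(sys_var *, THD *, enum_var_type) {
- char ssl_err_string[OPENSSL_ERROR_LENGTH] = {'\0'};
- if (set_fips_mode(opt_ssl_fips_mode, ssl_err_string) != 1) {
-@@ -4624,15 +4625,31 @@ static bool update_fips_mode(sys_var *, THD *, enum_var_type) {
- return false;
- }
- }
-+#endif
-+
-+#if defined(LIBRESSL_VERSION_NUMBER)
-+static const char *ssl_fips_mode_names[] = {"OFF", 0};
-+#else
-+static const char *ssl_fips_mode_names[] = {"OFF", "ON", "STRICT", 0};
-+#endif
-
--static const char *ssl_fips_mode_names[] = {"OFF", "ON", "STRICT", nullptr};
- static Sys_var_enum Sys_ssl_fips_mode(
- "ssl_fips_mode",
- "SSL FIPS mode (applies only for OpenSSL); "
-+#ifndef LIBRESSL_VERSION_NUMBER
- "permitted values are: OFF, ON, STRICT",
-+#else
-+ "permitted values are: OFF",
-+#endif
- GLOBAL_VAR(opt_ssl_fips_mode), CMD_LINE(REQUIRED_ARG, OPT_SSL_FIPS_MODE),
- ssl_fips_mode_names, DEFAULT(0), NO_MUTEX_GUARD, NOT_IN_BINLOG,
-- ON_CHECK(nullptr), ON_UPDATE(update_fips_mode), nullptr);
-+ ON_CHECK(NULL),
-+#ifndef LIBRESSL_VERSION_NUMBER
-+ ON_UPDATE(update_fips_mode),
-+#else
-+ ON_UPDATE(NULL),
-+#endif
-+ NULL);
-
- static Sys_var_bool Sys_auto_generate_certs(
- "auto_generate_certs",
-diff --git a/vio/viossl.cc b/vio/viossl.cc
-index 0e9594741..3a589c64b 100644
--- a/vio/viossl.cc
-+++ b/vio/viossl.cc
-@@ -45,7 +45,7 @@
- BIO_set_callback_ex was added in openSSL 1.1.1
- For older openSSL, use the deprecated BIO_set_callback.
- */
--#if OPENSSL_VERSION_NUMBER >= 0x10101000L
-+#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
- #define HAVE_BIO_SET_CALLBACK_EX
- #endif
-
-@@ -634,8 +634,8 @@ static int ssl_do(struct st_VioSSLFd *ptr, Vio *vio, long timeout,
-
- #if !defined(DBUG_OFF)
- {
-- STACK_OF(SSL_COMP) *ssl_comp_methods = nullptr;
-- ssl_comp_methods = SSL_COMP_get_compression_methods();
-+ STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;
-+ ssl_comp_methods = (STACK_OF(SSL_COMP) *)SSL_COMP_get_compression_methods();
- n = sk_SSL_COMP_num(ssl_comp_methods);
- DBUG_PRINT("info", ("Available compression methods:\n"));
- if (n == 0)
-@@ -643,7 +643,7 @@ static int ssl_do(struct st_VioSSLFd *ptr, Vio *vio, long timeout,
- else
- for (j = 0; j < n; j++) {
- SSL_COMP *c = sk_SSL_COMP_value(ssl_comp_methods, j);
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- DBUG_PRINT("info", (" %d: %s\n", c->id, c->name));
- #else /* OPENSSL_VERSION_NUMBER < 0x10100000L */
- DBUG_PRINT("info",
-diff --git a/vio/viosslfactories.cc b/vio/viosslfactories.cc
-index 21c3510da..70e7d8f8b 100644
--- a/vio/viosslfactories.cc
-+++ b/vio/viosslfactories.cc
-@@ -472,6 +472,7 @@ void ssl_start() {
- }
- }
-
-+#ifndef LIBRESSL_VERSION_NUMBER
- /**
- Set fips mode in openssl library,
- When we set fips mode ON/STRICT, it will perform following operations:
-@@ -525,6 +526,7 @@ EXIT:
- @returns openssl current fips mode
- */
- uint get_fips_mode() { return FIPS_mode(); }
-+#endif
-
- long process_tls_version(const char *tls_version) {
- const char *separator = ",";
---
-2.30.0
-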