[arch-commits] Commit in mariadb/repos (5 files)
Date: Saturday, August 8, 2020 @ 22:10:33 Author: eworm Revision: 393330 archrelease: copy trunk to testing-x86_64 Added: mariadb/repos/testing-x86_64/ mariadb/repos/testing-x86_64/0001-arch-specific.patch (from rev 393329, mariadb/trunk/0001-arch-specific.patch) mariadb/repos/testing-x86_64/0004-MDEV-15526-systemd-unit-files-naming-and-installation.patch (from rev 393329, mariadb/trunk/0004-MDEV-15526-systemd-unit-files-naming-and-installation.patch) mariadb/repos/testing-x86_64/PKGBUILD (from rev 393329, mariadb/trunk/PKGBUILD) mariadb/repos/testing-x86_64/mariadb.install (from rev 393329, mariadb/trunk/mariadb.install) --+ 0001-arch-specific.patch | 94 0004-MDEV-15526-systemd-unit-files-naming-and-installation.patch | 28 + PKGBUILD | 227 ++ mariadb.install | 25 + 4 files changed, 374 insertions(+) Copied: mariadb/repos/testing-x86_64/0001-arch-specific.patch (from rev 393329, mariadb/trunk/0001-arch-specific.patch) === --- testing-x86_64/0001-arch-specific.patch (rev 0) +++ testing-x86_64/0001-arch-specific.patch 2020-08-08 22:10:33 UTC (rev 393330) 
@@ -0,0 +1,94 @@ +From bf66e7d610de0d7d3651742342c01ed9ff93f363 Mon Sep 17 00:00:00 2001 +From: Christian Hesse +Date: Wed, 19 Feb 2020 13:10:17 +0100 +Subject: [PATCH 1/3] enable PrivateTmp for a little bit more security +--- + support-files/mariadb.service.in | 2 +- + support-files/mari...@.service.in | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/support-files/mariadb.service.in b/support-files/mariadb.service.in +index e7665ed1219..a1fe69d61c4 100644 +--- a/support-files/mariadb.service.in b/support-files/mariadb.service.in +@@ -129,7 +129,7 @@ UMask=007 + + # If you don't use the /tmp directory for SELECT ... OUTFILE and + # LOAD DATA INFILE you can enable PrivateTmp=true for a little more security. +-PrivateTmp=false ++PrivateTmp=true + + # Set an explicit Start and Stop timeout of 900 seconds (15 minutes!) + # this is the same value as used in SysV init scripts in the past +diff --git a/support-files/mari...@.service.in b/support-files/mari...@.service.in +index ffefc2f22d8..f8b0b8aad8d 100644 +--- a/support-files/mari...@.service.in b/support-files/mari...@.service.in +@@ -241,7 +241,7 @@ UMask=007 + + # If you don't use the /tmp directory for SELECT ... OUTFILE and + # LOAD DATA INFILE you can enable PrivateTmp=true for a little more security. +-PrivateTmp=false ++PrivateTmp=true + + # Set an explicit Start and Stop timeout of 900 seconds (15 minutes!) 
+ # this is the same value as used in SysV init scripts in the past + +From 00aab78891a19a14a92039fcc6a73e391a3bb471 Mon Sep 17 00:00:00 2001 +From: Christian Hesse +Date: Wed, 19 Feb 2020 13:10:46 +0100 +Subject: [PATCH 2/3] force preloading jemalloc for memory management +--- + support-files/mariadb.service.in | 1 + + support-files/mari...@.service.in | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/support-files/mariadb.service.in b/support-files/mariadb.service.in +index a1fe69d61c4..9a2941ae917 100644 +--- a/support-files/mariadb.service.in b/support-files/mariadb.service.in +@@ -159,6 +159,7 @@ LimitNOFILE=16364 + # Library substitutions. previously [mysqld_safe] malloc-lib with explicit paths + # (in LD_LIBRARY_PATH) and library name (in LD_PRELOAD). + # Environment="LD_LIBRARY_PATH=/path1 /path2" "LD_PRELOAD= ++Environment="LD_PRELOAD=/usr/lib/libjemalloc.so" + + # Flush caches. previously [mysqld_safe] flush-caches=1 + # ExecStartPre=sync +diff --git a/support-files/mari...@.service.in b/support-files/mari...@.service.in +index f8b0b8aad8d..3309127330c 100644 +--- a/support-files/mari...@.service.in b/support-files/mari...@.service.in +@@ -282,6 +282,7 @@ LimitNOFILE=16364 + # Library substitutions. previously [mysqld_safe] malloc-lib with explicit paths + # (in LD_LIBRARY_PATH) and library name (in LD_PRELOAD). + # Environment="LD_LIBRARY_PATH=/path1 /path2" "LD_PRELOAD= ++Environment="LD_PRELOAD=/usr/lib/libjemalloc.so" + + # Flush caches. previously [mysqld_safe] flush-caches=1 + # ExecStartPre=sync + +From a78ff18c83a5eb2556d4f3716f13786dcd8395d2 Mon Sep 17 00:00:00 2001 +From: Christian Hesse +Date: Wed, 19 Feb 2020 13:11:31 +0100 +Subject: [PATCH 3/3] Make systemd-tmpfiles create MYSQL_DATADIR + +This is a no-op if the directory exists, but makes sure it is created by +systemd-tmpfiles with proper permissions otherwise. + +This solves packaging issues when the user MYSQLD_USER is created by +systemd-sysusers and uid is not known in advance. 
+ +Also this now sets the No_COW attribute. +--- + support-files/tmpfiles.conf.in | 2 + + 1 file changed, 2
[arch-commits] Commit in mariadb/repos (5 files)
Date: Tuesday, May 12, 2020 @ 06:26:51 Author: eworm Revision: 383261 archrelease: copy trunk to testing-x86_64 Added: mariadb/repos/testing-x86_64/ mariadb/repos/testing-x86_64/0001-arch-specific.patch (from rev 383260, mariadb/trunk/0001-arch-specific.patch) mariadb/repos/testing-x86_64/0004-MDEV-15526-systemd-unit-files-naming-and-installation.patch (from rev 383260, mariadb/trunk/0004-MDEV-15526-systemd-unit-files-naming-and-installation.patch) mariadb/repos/testing-x86_64/PKGBUILD (from rev 383260, mariadb/trunk/PKGBUILD) mariadb/repos/testing-x86_64/mariadb.install (from rev 383260, mariadb/trunk/mariadb.install) --+ 0001-arch-specific.patch | 91 0004-MDEV-15526-systemd-unit-files-naming-and-installation.patch | 28 + PKGBUILD | 227 ++ mariadb.install | 25 + 4 files changed, 371 insertions(+) Copied: mariadb/repos/testing-x86_64/0001-arch-specific.patch (from rev 383260, mariadb/trunk/0001-arch-specific.patch) === --- testing-x86_64/0001-arch-specific.patch (rev 0) +++ testing-x86_64/0001-arch-specific.patch 2020-05-12 06:26:51 UTC (rev 383261) 
@@ -0,0 +1,91 @@ +From bf66e7d610de0d7d3651742342c01ed9ff93f363 Mon Sep 17 00:00:00 2001 +From: Christian Hesse +Date: Wed, 19 Feb 2020 13:10:17 +0100 +Subject: [PATCH 1/3] enable PrivateTmp for a little bit more security +--- + support-files/mariadb.service.in | 2 +- + support-files/mari...@.service.in | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/support-files/mariadb.service.in b/support-files/mariadb.service.in +index e7665ed1219..a1fe69d61c4 100644 +--- a/support-files/mariadb.service.in b/support-files/mariadb.service.in +@@ -129,7 +129,7 @@ UMask=007 + + # If you don't use the /tmp directory for SELECT ... OUTFILE and + # LOAD DATA INFILE you can enable PrivateTmp=true for a little more security. +-PrivateTmp=false ++PrivateTmp=true + + # Set an explicit Start and Stop timeout of 900 seconds (15 minutes!) + # this is the same value as used in SysV init scripts in the past +diff --git a/support-files/mari...@.service.in b/support-files/mari...@.service.in +index ffefc2f22d8..f8b0b8aad8d 100644 +--- a/support-files/mari...@.service.in b/support-files/mari...@.service.in +@@ -241,7 +241,7 @@ UMask=007 + + # If you don't use the /tmp directory for SELECT ... OUTFILE and + # LOAD DATA INFILE you can enable PrivateTmp=true for a little more security. +-PrivateTmp=false ++PrivateTmp=true + + # Set an explicit Start and Stop timeout of 900 seconds (15 minutes!) 
+ # this is the same value as used in SysV init scripts in the past + +From 00aab78891a19a14a92039fcc6a73e391a3bb471 Mon Sep 17 00:00:00 2001 +From: Christian Hesse +Date: Wed, 19 Feb 2020 13:10:46 +0100 +Subject: [PATCH 2/3] force preloading jemalloc for memory management +--- + support-files/mariadb.service.in | 1 + + support-files/mari...@.service.in | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/support-files/mariadb.service.in b/support-files/mariadb.service.in +index a1fe69d61c4..9a2941ae917 100644 +--- a/support-files/mariadb.service.in b/support-files/mariadb.service.in +@@ -159,6 +159,7 @@ LimitNOFILE=16364 + # Library substitutions. previously [mysqld_safe] malloc-lib with explicit paths + # (in LD_LIBRARY_PATH) and library name (in LD_PRELOAD). + # Environment="LD_LIBRARY_PATH=/path1 /path2" "LD_PRELOAD= ++Environment="LD_PRELOAD=/usr/lib/libjemalloc.so" + + # Flush caches. previously [mysqld_safe] flush-caches=1 + # ExecStartPre=sync +diff --git a/support-files/mari...@.service.in b/support-files/mari...@.service.in +index f8b0b8aad8d..3309127330c 100644 +--- a/support-files/mari...@.service.in b/support-files/mari...@.service.in +@@ -282,6 +282,7 @@ LimitNOFILE=16364 + # Library substitutions. previously [mysqld_safe] malloc-lib with explicit paths + # (in LD_LIBRARY_PATH) and library name (in LD_PRELOAD). + # Environment="LD_LIBRARY_PATH=/path1 /path2" "LD_PRELOAD= ++Environment="LD_PRELOAD=/usr/lib/libjemalloc.so" + + # Flush caches. previously [mysqld_safe] flush-caches=1 + # ExecStartPre=sync + +From a78ff18c83a5eb2556d4f3716f13786dcd8395d2 Mon Sep 17 00:00:00 2001 +From: Christian Hesse +Date: Wed, 19 Feb 2020 13:11:31 +0100 +Subject: [PATCH 3/3] Make systemd-tmpfiles create MYSQL_DATADIR + +This is a no-op if the directory exists, but makes sure it is created by +systemd-tmpfiles with proper permissions otherwise. + +This solves packaging issues when the user MYSQLD_USER is created by +systemd-sysusers and uid is not known in advance. 
+--- + support-files/tmpfiles.conf.in | 1 + + 1 file changed, 1 insertion(+) + +diff --git
[arch-commits] Commit in mariadb/repos (5 files)
Date: Friday, January 25, 2019 @ 15:15:20 Author: eworm Revision: 344767 archrelease: copy trunk to testing-x86_64 Added: mariadb/repos/testing-x86_64/ mariadb/repos/testing-x86_64/0001-MDEV-18360-Prevent-set_max_open_files-from-allocating-too-many-files.patch (from rev 344766, mariadb/trunk/0001-MDEV-18360-Prevent-set_max_open_files-from-allocating-too-many-files.patch) mariadb/repos/testing-x86_64/0002-fix-galera_recovery-with-fs.protected_regular-enabled.patch (from rev 344766, mariadb/trunk/0002-fix-galera_recovery-with-fs.protected_regular-enabled.patch) mariadb/repos/testing-x86_64/PKGBUILD (from rev 344766, mariadb/trunk/PKGBUILD) mariadb/repos/testing-x86_64/mariadb.install (from rev 344766, mariadb/trunk/mariadb.install) -+ 0001-MDEV-18360-Prevent-set_max_open_files-from-allocating-too-many-files.patch | 31 + 0002-fix-galera_recovery-with-fs.protected_regular-enabled.patch | 32 + PKGBUILD | 240 ++ mariadb.install | 15 4 files changed, 318 insertions(+) Copied: mariadb/repos/testing-x86_64/0001-MDEV-18360-Prevent-set_max_open_files-from-allocating-too-many-files.patch (from rev 344766, mariadb/trunk/0001-MDEV-18360-Prevent-set_max_open_files-from-allocating-too-many-files.patch) === --- testing-x86_64/0001-MDEV-18360-Prevent-set_max_open_files-from-allocating-too-many-files.patch (rev 0) +++ testing-x86_64/0001-MDEV-18360-Prevent-set_max_open_files-from-allocating-too-many-files.patch 2019-01-25 15:15:20 UTC (rev 344767) 
@@ -0,0 +1,31 @@ +From 8b87e87252f7d0599a99f18cd5f51914d2611397 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Vicen=C8=9Biu=20Ciorbaru?= +Date: Thu, 24 Jan 2019 00:58:20 +0200 +Subject: MDEV-18360 Prevent set_max_open_files from allocating too many files + +If the rlimit.rlim_cur value returned by getrlimit is not the +RLIM_INFINITY magic constant, but a *very* large number, we can allocate +too many open files. Restrict set_max_open_files to only return at most +max_file_limit, as passed via its parameter. +--- + mysys/my_file.c | 7 +++ + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/mysys/my_file.c b/mysys/my_file.c +index 8d01285a94b..b3aef8494cb 100644 +--- a/mysys/my_file.c b/mysys/my_file.c +@@ -52,10 +52,9 @@ static uint set_max_open_files(uint max_file_limit) + DBUG_PRINT("info", ("rlim_cur: %u rlim_max: %u", + (uint) rlimit.rlim_cur, + (uint) rlimit.rlim_max)); +-if ((ulonglong) rlimit.rlim_cur == (ulonglong) RLIM_INFINITY) +- rlimit.rlim_cur = max_file_limit; +-if (rlimit.rlim_cur >= max_file_limit) +- DBUG_RETURN(rlimit.rlim_cur); /* purecov: inspected */ ++if ((ulonglong) rlimit.rlim_cur == (ulonglong) RLIM_INFINITY || ++rlimit.rlim_cur >= max_file_limit) ++ DBUG_RETURN(max_file_limit); + rlimit.rlim_cur= rlimit.rlim_max= max_file_limit; + if (setrlimit(RLIMIT_NOFILE, )) + max_file_limit= old_cur;/* Use original value */ Copied: mariadb/repos/testing-x86_64/0002-fix-galera_recovery-with-fs.protected_regular-enabled.patch (from rev 344766, mariadb/trunk/0002-fix-galera_recovery-with-fs.protected_regular-enabled.patch) === --- testing-x86_64/0002-fix-galera_recovery-with-fs.protected_regular-enabled.patch (rev 0) +++ testing-x86_64/0002-fix-galera_recovery-with-fs.protected_regular-enabled.patch 2019-01-25 15:15:20 UTC (rev 344767) 
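Review bot: The inner hunk's last context line is rendered as `if (setrlimit(RLIMIT_NOFILE, ))` with the second argument missing; this is presumably `&rlimit` lost in the mailing-list rendering (an `&` stripped as markup), but it is worth confirming that the committed patch file carries the argument, since a patch that applied with that line damaged would break the build of `mysys/my_file.c` rather than fail to apply. A second point on the same hunk: the `DBUG_PRINT` context lines cast `rlimit.rlim_cur` and `rlimit.rlim_max` to `(uint)` for `%u`, which truncates a 64-bit `rlim_t` in exactly the very-large-limit case this backport is about, so the debug trace would misreport the value that the new `DBUG_RETURN(max_file_limit)` clamps. Using `"rlim_cur: %llu rlim_max: %llu", (ulonglong) rlimit.rlim_cur, (ulonglong) rlimit.rlim_max` would keep the diagnostic consistent with the `(ulonglong)` comparison the patch itself introduces. `set_max_open_files` begins before the inner hunk and the rest of its body, including where `old_cur` is set and the fallback after a failed `setrlimit`, lies outside it.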
@@ -0,0 +1,32 @@ +From 5936f0be4a49eda7b05ea1591a3d72e4d7b9 Mon Sep 17 00:00:00 2001 +From: Christian Hesse +Date: Fri, 25 Jan 2019 14:50:53 +0100 +Subject: fix galera_recovery with fs.protected_regular enabled + +The fs.protected_regular sysctls was added in Linux 4.19 to make some +data spoofing attacks harder. With systemd v241 these will be enabled +by default. + +With this protection enabled galera_recovery fails with EPERM +(permission denied). This is caused by a wrong security measure: +The script changes ownership of $log_file to $user, though $user never +touches it. The shell redirection writes output to the file, not mysqld. +So just drop chown to fix this. +--- + scripts/galera_recovery.sh | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/scripts/galera_recovery.sh b/scripts/galera_recovery.sh +index c58f3d8f6b9..c70decc0005 100644 +--- a/scripts/galera_recovery.sh b/scripts/galera_recovery.sh +@@ -101,8 +101,7 @@ wsrep_recover_position() { + + # Safety checks + if [ -n "$log_file" -a -f "$log_file" ]; then +- [ "$euid" = "0" ] && chown $user
[arch-commits] Commit in mariadb/repos (5 files)
Date: Wednesday, May 9, 2018 @ 12:12:50 Author: eworm Revision: 323616 archrelease: copy trunk to testing-x86_64 Added: mariadb/repos/testing-x86_64/ mariadb/repos/testing-x86_64/0001-openssl-1-1-0.patch (from rev 323615, mariadb/trunk/0001-openssl-1-1-0.patch) mariadb/repos/testing-x86_64/0002-mroonga-after-merge-CMakeLists.txt-fixes.patch (from rev 323615, mariadb/trunk/0002-mroonga-after-merge-CMakeLists.txt-fixes.patch) mariadb/repos/testing-x86_64/PKGBUILD (from rev 323615, mariadb/trunk/PKGBUILD) mariadb/repos/testing-x86_64/mariadb.install (from rev 323615, mariadb/trunk/mariadb.install) -+ 0001-openssl-1-1-0.patch| 995 ++ 0002-mroonga-after-merge-CMakeLists.txt-fixes.patch | 53 PKGBUILD| 201 +++ mariadb.install | 11 4 files changed, 1260 insertions(+) Copied: mariadb/repos/testing-x86_64/0001-openssl-1-1-0.patch (from rev 323615, mariadb/trunk/0001-openssl-1-1-0.patch) === --- testing-x86_64/0001-openssl-1-1-0.patch (rev 0) +++ testing-x86_64/0001-openssl-1-1-0.patch 2018-05-09 12:12:50 UTC (rev 323616) 
@@ -0,0 +1,995 @@ +diff --git a/include/ssl_compat.h b/include/ssl_compat.h +new file mode 100644 +index 000..b0e3ed4 +--- /dev/null b/include/ssl_compat.h +@@ -0,0 +1,75 @@ ++/* ++ Copyright (c) 2016, 2017 MariaDB Corporation ++ ++ This program is free software; you can redistribute it and/or modify ++ it under the terms of the GNU General Public License as published by ++ the Free Software Foundation; version 2 of the License. ++ ++ This program is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ GNU General Public License for more details. ++ ++ You should have received a copy of the GNU General Public License ++ along with this program; if not, write to the Free Software ++ Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */ ++ ++#include ++ ++/* OpenSSL version specific definitions */ ++#if !defined(HAVE_YASSL) && defined(OPENSSL_VERSION_NUMBER) ++ ++#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER) ++#define HAVE_X509_check_host 1 ++#endif ++ ++#if OPENSSL_VERSION_NUMBER >= 0x1010L && !defined(LIBRESSL_VERSION_NUMBER) ++#define HAVE_OPENSSL11 1 ++#define ERR_remove_state(X) ERR_clear_error() ++#define EVP_MD_CTX_cleanup(X) EVP_MD_CTX_reset(X) ++#define EVP_CIPHER_CTX_SIZE 168 ++#define EVP_MD_CTX_SIZE 48 ++#undef EVP_MD_CTX_init ++#define EVP_MD_CTX_init(X) do { bzero((X), EVP_MD_CTX_SIZE); EVP_MD_CTX_reset(X); } while(0) ++#undef EVP_CIPHER_CTX_init ++#define EVP_CIPHER_CTX_init(X) do { bzero((X), EVP_CIPHER_CTX_SIZE); EVP_CIPHER_CTX_reset(X); } while(0) ++ ++#else ++#define HAVE_OPENSSL10 1 ++/* ++ Unfortunately RAND_bytes manual page does not provide any guarantees ++ in relation to blocking behavior. Here we explicitly use SSLeay random ++ instead of whatever random engine is currently set in OpenSSL. That way ++ we are guaranteed to have a non-blocking random. 
++*/ ++#define RAND_OpenSSL() RAND_SSLeay() ++ ++#ifdef HAVE_ERR_remove_thread_state ++#define ERR_remove_state(X) ERR_remove_thread_state(NULL) ++#endif /* HAVE_ERR_remove_thread_state */ ++ ++#endif /* HAVE_OPENSSL11 */ ++ ++#elif defined(HAVE_YASSL) ++#define BN_free(X) do { } while(0) ++#endif /* !defined(HAVE_YASSL) */ ++ ++#ifndef HAVE_OPENSSL11 ++#define ASN1_STRING_get0_data(X)ASN1_STRING_data(X) ++#define OPENSSL_init_ssl(X,Y) SSL_library_init() ++#define DH_set0_pqg(D,P,Q,G)((D)->p= (P), (D)->g= (G)) ++#define EVP_CIPHER_CTX_buf_noconst(ctx) ((ctx)->buf) ++#define EVP_CIPHER_CTX_encrypting(ctx) ((ctx)->encrypt) ++#define EVP_CIPHER_CTX_SIZE sizeof(EVP_CIPHER_CTX) ++#define EVP_MD_CTX_SIZE sizeof(EVP_MD_CTX) ++#endif ++ ++#ifdef__cplusplus ++extern "C" { ++#endif /* __cplusplus */ ++ ++int check_openssl_compatibility(); ++ ++#ifdef__cplusplus ++} ++#endif +diff --git a/include/violite.h b/include/violite.h +index a7165ca..572d474 100644 +--- a/include/violite.h b/include/violite.h +@@ -123,13 +123,6 @@ int vio_getnameinfo(const struct sockaddr *sa, + int flags); + + #ifdef HAVE_OPENSSL +-#include +-#if OPENSSL_VERSION_NUMBER < 0x0090700f +-#define DES_cblock des_cblock +-#define DES_key_schedule des_key_schedule +-#define DES_set_key_unchecked(k,ks) des_set_key_unchecked((k),*(ks)) +-#define DES_ede3_cbc_encrypt(i,o,l,k1,k2,k3,iv,e) des_ede3_cbc_encrypt((i),(o),(l),*(k1),*(k2),*(k3),(iv),(e)) +-#endif + /* apple deprecated openssl in MacOSX Lion */ + #ifdef __APPLE__ + #pragma GCC diagnostic ignored
[arch-commits] Commit in mariadb/repos (5 files)
Date: Tuesday, March 27, 2018 @ 07:45:57 Author: eworm Revision: 320367 archrelease: copy trunk to testing-x86_64 Added: mariadb/repos/testing-x86_64/ mariadb/repos/testing-x86_64/0001-openssl-1-1-0.patch (from rev 320366, mariadb/trunk/0001-openssl-1-1-0.patch) mariadb/repos/testing-x86_64/0002-mroonga-after-merge-CMakeLists.txt-fixes.patch (from rev 320366, mariadb/trunk/0002-mroonga-after-merge-CMakeLists.txt-fixes.patch) mariadb/repos/testing-x86_64/PKGBUILD (from rev 320366, mariadb/trunk/PKGBUILD) mariadb/repos/testing-x86_64/mariadb.install (from rev 320366, mariadb/trunk/mariadb.install) -+ 0001-openssl-1-1-0.patch| 995 ++ 0002-mroonga-after-merge-CMakeLists.txt-fixes.patch | 53 PKGBUILD| 201 +++ mariadb.install | 11 4 files changed, 1260 insertions(+) Copied: mariadb/repos/testing-x86_64/0001-openssl-1-1-0.patch (from rev 320366, mariadb/trunk/0001-openssl-1-1-0.patch) === --- testing-x86_64/0001-openssl-1-1-0.patch (rev 0) +++ testing-x86_64/0001-openssl-1-1-0.patch 2018-03-27 07:45:57 UTC (rev 320367) 
@@ -0,0 +1,995 @@ +diff --git a/include/ssl_compat.h b/include/ssl_compat.h +new file mode 100644 +index 000..b0e3ed4 +--- /dev/null b/include/ssl_compat.h +@@ -0,0 +1,75 @@ ++/* ++ Copyright (c) 2016, 2017 MariaDB Corporation ++ ++ This program is free software; you can redistribute it and/or modify ++ it under the terms of the GNU General Public License as published by ++ the Free Software Foundation; version 2 of the License. ++ ++ This program is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ GNU General Public License for more details. ++ ++ You should have received a copy of the GNU General Public License ++ along with this program; if not, write to the Free Software ++ Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */ ++ ++#include ++ ++/* OpenSSL version specific definitions */ ++#if !defined(HAVE_YASSL) && defined(OPENSSL_VERSION_NUMBER) ++ ++#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER) ++#define HAVE_X509_check_host 1 ++#endif ++ ++#if OPENSSL_VERSION_NUMBER >= 0x1010L && !defined(LIBRESSL_VERSION_NUMBER) ++#define HAVE_OPENSSL11 1 ++#define ERR_remove_state(X) ERR_clear_error() ++#define EVP_MD_CTX_cleanup(X) EVP_MD_CTX_reset(X) ++#define EVP_CIPHER_CTX_SIZE 168 ++#define EVP_MD_CTX_SIZE 48 ++#undef EVP_MD_CTX_init ++#define EVP_MD_CTX_init(X) do { bzero((X), EVP_MD_CTX_SIZE); EVP_MD_CTX_reset(X); } while(0) ++#undef EVP_CIPHER_CTX_init ++#define EVP_CIPHER_CTX_init(X) do { bzero((X), EVP_CIPHER_CTX_SIZE); EVP_CIPHER_CTX_reset(X); } while(0) ++ ++#else ++#define HAVE_OPENSSL10 1 ++/* ++ Unfortunately RAND_bytes manual page does not provide any guarantees ++ in relation to blocking behavior. Here we explicitly use SSLeay random ++ instead of whatever random engine is currently set in OpenSSL. That way ++ we are guaranteed to have a non-blocking random. 
++*/ ++#define RAND_OpenSSL() RAND_SSLeay() ++ ++#ifdef HAVE_ERR_remove_thread_state ++#define ERR_remove_state(X) ERR_remove_thread_state(NULL) ++#endif /* HAVE_ERR_remove_thread_state */ ++ ++#endif /* HAVE_OPENSSL11 */ ++ ++#elif defined(HAVE_YASSL) ++#define BN_free(X) do { } while(0) ++#endif /* !defined(HAVE_YASSL) */ ++ ++#ifndef HAVE_OPENSSL11 ++#define ASN1_STRING_get0_data(X)ASN1_STRING_data(X) ++#define OPENSSL_init_ssl(X,Y) SSL_library_init() ++#define DH_set0_pqg(D,P,Q,G)((D)->p= (P), (D)->g= (G)) ++#define EVP_CIPHER_CTX_buf_noconst(ctx) ((ctx)->buf) ++#define EVP_CIPHER_CTX_encrypting(ctx) ((ctx)->encrypt) ++#define EVP_CIPHER_CTX_SIZE sizeof(EVP_CIPHER_CTX) ++#define EVP_MD_CTX_SIZE sizeof(EVP_MD_CTX) ++#endif ++ ++#ifdef__cplusplus ++extern "C" { ++#endif /* __cplusplus */ ++ ++int check_openssl_compatibility(); ++ ++#ifdef__cplusplus ++} ++#endif +diff --git a/include/violite.h b/include/violite.h +index a7165ca..572d474 100644 +--- a/include/violite.h b/include/violite.h +@@ -123,13 +123,6 @@ int vio_getnameinfo(const struct sockaddr *sa, + int flags); + + #ifdef HAVE_OPENSSL +-#include +-#if OPENSSL_VERSION_NUMBER < 0x0090700f +-#define DES_cblock des_cblock +-#define DES_key_schedule des_key_schedule +-#define DES_set_key_unchecked(k,ks) des_set_key_unchecked((k),*(ks)) +-#define DES_ede3_cbc_encrypt(i,o,l,k1,k2,k3,iv,e) des_ede3_cbc_encrypt((i),(o),(l),*(k1),*(k2),*(k3),(iv),(e)) +-#endif + /* apple deprecated openssl in MacOSX Lion */ + #ifdef __APPLE__ + #pragma GCC diagnostic ignored
[arch-commits] Commit in mariadb/repos (5 files)
Date: Tuesday, February 6, 2018 @ 10:16:56 Author: eworm Revision: 315952 archrelease: copy trunk to testing-x86_64 Added: mariadb/repos/testing-x86_64/ mariadb/repos/testing-x86_64/0001-openssl-1-1-0.patch (from rev 315951, mariadb/trunk/0001-openssl-1-1-0.patch) mariadb/repos/testing-x86_64/0002-mroonga-after-merge-CMakeLists.txt-fixes.patch (from rev 315951, mariadb/trunk/0002-mroonga-after-merge-CMakeLists.txt-fixes.patch) mariadb/repos/testing-x86_64/PKGBUILD (from rev 315951, mariadb/trunk/PKGBUILD) mariadb/repos/testing-x86_64/mariadb.install (from rev 315951, mariadb/trunk/mariadb.install) -+ 0001-openssl-1-1-0.patch| 1016 ++ 0002-mroonga-after-merge-CMakeLists.txt-fixes.patch | 53 PKGBUILD| 201 +++ mariadb.install | 11 4 files changed, 1281 insertions(+) Copied: mariadb/repos/testing-x86_64/0001-openssl-1-1-0.patch (from rev 315951, mariadb/trunk/0001-openssl-1-1-0.patch) === --- testing-x86_64/0001-openssl-1-1-0.patch (rev 0) +++ testing-x86_64/0001-openssl-1-1-0.patch 2018-02-06 10:16:56 UTC (rev 315952) 
@@ -0,0 +1,1016 @@ +diff --git a/extra/yassl/src/handshake.cpp b/extra/yassl/src/handshake.cpp +index 407e409..6e181a9 100644 +--- a/extra/yassl/src/handshake.cpp b/extra/yassl/src/handshake.cpp +@@ -788,6 +788,16 @@ int DoProcessReply(SSL& ssl) + needHdr = true; + else { + buffer >> hdr; ++/* ++ According to RFC 4346 (see "7.4.1.3. Server Hello"), the Server Hello ++ packet needs to specify the highest supported TLS version, but not ++ higher than what client requests. YaSSL highest supported version is ++ TLSv1.1 (=3.2) - if the client requests a higher version, downgrade it ++ here to 3.2. ++ See also Appendix E of RFC 5246 (TLS 1.2) ++*/ ++if (hdr.version_.major_ == 3 && hdr.version_.minor_ > 2) ++ hdr.version_.minor_ = 2; + ssl.verifyState(hdr); + } + +diff --git a/include/ssl_compat.h b/include/ssl_compat.h +new file mode 100644 +index 000..b0e3ed4 +--- /dev/null b/include/ssl_compat.h +@@ -0,0 +1,75 @@ ++/* ++ Copyright (c) 2016, 2017 MariaDB Corporation ++ ++ This program is free software; you can redistribute it and/or modify ++ it under the terms of the GNU General Public License as published by ++ the Free Software Foundation; version 2 of the License. ++ ++ This program is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ GNU General Public License for more details. 
++ ++ You should have received a copy of the GNU General Public License ++ along with this program; if not, write to the Free Software ++ Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */ ++ ++#include ++ ++/* OpenSSL version specific definitions */ ++#if !defined(HAVE_YASSL) && defined(OPENSSL_VERSION_NUMBER) ++ ++#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER) ++#define HAVE_X509_check_host 1 ++#endif ++ ++#if OPENSSL_VERSION_NUMBER >= 0x1010L && !defined(LIBRESSL_VERSION_NUMBER) ++#define HAVE_OPENSSL11 1 ++#define ERR_remove_state(X) ERR_clear_error() ++#define EVP_MD_CTX_cleanup(X) EVP_MD_CTX_reset(X) ++#define EVP_CIPHER_CTX_SIZE 168 ++#define EVP_MD_CTX_SIZE 48 ++#undef EVP_MD_CTX_init ++#define EVP_MD_CTX_init(X) do { bzero((X), EVP_MD_CTX_SIZE); EVP_MD_CTX_reset(X); } while(0) ++#undef EVP_CIPHER_CTX_init ++#define EVP_CIPHER_CTX_init(X) do { bzero((X), EVP_CIPHER_CTX_SIZE); EVP_CIPHER_CTX_reset(X); } while(0) ++ ++#else ++#define HAVE_OPENSSL10 1 ++/* ++ Unfortunately RAND_bytes manual page does not provide any guarantees ++ in relation to blocking behavior. Here we explicitly use SSLeay random ++ instead of whatever random engine is currently set in OpenSSL. That way ++ we are guaranteed to have a non-blocking random. ++*/ ++#define RAND_OpenSSL() RAND_SSLeay() ++ ++#ifdef HAVE_ERR_remove_thread_state ++#define ERR_remove_state(X) ERR_remove_thread_state(NULL) ++#endif /* HAVE_ERR_remove_thread_state */ ++ ++#endif /* HAVE_OPENSSL11 */ ++ ++#elif defined(HAVE_YASSL) ++#define BN_free(X) do { } while(0) ++#endif /* !defined(HAVE_YASSL) */ ++ ++#ifndef HAVE_OPENSSL11 ++#define ASN1_STRING_get0_data(X)ASN1_STRING_data(X) ++#define OPENSSL_init_ssl(X,Y) SSL_library_init() ++#define DH_set0_pqg(D,P,Q,G)((D)->p= (P), (D)->g= (G)) ++#define EVP_CIPHER_CTX_buf_noconst(ctx) ((ctx)->buf) ++#define EVP_CIPHER_CTX_encrypting(ctx) ((ctx)->encrypt) ++#define EVP_CIPHER_CTX_SIZE
[arch-commits] Commit in mariadb/repos (5 files)
Date: Saturday, December 23, 2017 @ 22:30:03 Author: eworm Revision: 313573 archrelease: copy trunk to testing-x86_64 Added: mariadb/repos/testing-x86_64/ mariadb/repos/testing-x86_64/0001-openssl-1-1-0.patch (from rev 313572, mariadb/trunk/0001-openssl-1-1-0.patch) mariadb/repos/testing-x86_64/0002-mroonga-after-merge-CMakeLists.txt-fixes.patch (from rev 313572, mariadb/trunk/0002-mroonga-after-merge-CMakeLists.txt-fixes.patch) mariadb/repos/testing-x86_64/PKGBUILD (from rev 313572, mariadb/trunk/PKGBUILD) mariadb/repos/testing-x86_64/mariadb.install (from rev 313572, mariadb/trunk/mariadb.install) -+ 0001-openssl-1-1-0.patch| 1037 ++ 0002-mroonga-after-merge-CMakeLists.txt-fixes.patch | 53 PKGBUILD| 202 +++ mariadb.install | 11 4 files changed, 1303 insertions(+) Copied: mariadb/repos/testing-x86_64/0001-openssl-1-1-0.patch (from rev 313572, mariadb/trunk/0001-openssl-1-1-0.patch) === --- testing-x86_64/0001-openssl-1-1-0.patch (rev 0) +++ testing-x86_64/0001-openssl-1-1-0.patch 2017-12-23 22:30:03 UTC (rev 313573) 
@@ -0,0 +1,1037 @@ +diff --git a/extra/yassl/src/handshake.cpp b/extra/yassl/src/handshake.cpp +index 407e409..6e181a9 100644 +--- a/extra/yassl/src/handshake.cpp b/extra/yassl/src/handshake.cpp +@@ -788,6 +788,16 @@ int DoProcessReply(SSL& ssl) + needHdr = true; + else { + buffer >> hdr; ++/* ++ According to RFC 4346 (see "7.4.1.3. Server Hello"), the Server Hello ++ packet needs to specify the highest supported TLS version, but not ++ higher than what client requests. YaSSL highest supported version is ++ TLSv1.1 (=3.2) - if the client requests a higher version, downgrade it ++ here to 3.2. ++ See also Appendix E of RFC 5246 (TLS 1.2) ++*/ ++if (hdr.version_.major_ == 3 && hdr.version_.minor_ > 2) ++ hdr.version_.minor_ = 2; + ssl.verifyState(hdr); + } + +diff --git a/include/ssl_compat.h b/include/ssl_compat.h +new file mode 100644 +index 000..b0e3ed4 +--- /dev/null b/include/ssl_compat.h +@@ -0,0 +1,75 @@ ++/* ++ Copyright (c) 2016, 2017 MariaDB Corporation ++ ++ This program is free software; you can redistribute it and/or modify ++ it under the terms of the GNU General Public License as published by ++ the Free Software Foundation; version 2 of the License. ++ ++ This program is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ GNU General Public License for more details. 
++ ++ You should have received a copy of the GNU General Public License ++ along with this program; if not, write to the Free Software ++ Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */ ++ ++#include ++ ++/* OpenSSL version specific definitions */ ++#if !defined(HAVE_YASSL) && defined(OPENSSL_VERSION_NUMBER) ++ ++#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER) ++#define HAVE_X509_check_host 1 ++#endif ++ ++#if OPENSSL_VERSION_NUMBER >= 0x1010L && !defined(LIBRESSL_VERSION_NUMBER) ++#define HAVE_OPENSSL11 1 ++#define ERR_remove_state(X) ERR_clear_error() ++#define EVP_MD_CTX_cleanup(X) EVP_MD_CTX_reset(X) ++#define EVP_CIPHER_CTX_SIZE 168 ++#define EVP_MD_CTX_SIZE 48 ++#undef EVP_MD_CTX_init ++#define EVP_MD_CTX_init(X) do { bzero((X), EVP_MD_CTX_SIZE); EVP_MD_CTX_reset(X); } while(0) ++#undef EVP_CIPHER_CTX_init ++#define EVP_CIPHER_CTX_init(X) do { bzero((X), EVP_CIPHER_CTX_SIZE); EVP_CIPHER_CTX_reset(X); } while(0) ++ ++#else ++#define HAVE_OPENSSL10 1 ++/* ++ Unfortunately RAND_bytes manual page does not provide any guarantees ++ in relation to blocking behavior. Here we explicitly use SSLeay random ++ instead of whatever random engine is currently set in OpenSSL. That way ++ we are guaranteed to have a non-blocking random. ++*/ ++#define RAND_OpenSSL() RAND_SSLeay() ++ ++#ifdef HAVE_ERR_remove_thread_state ++#define ERR_remove_state(X) ERR_remove_thread_state(NULL) ++#endif /* HAVE_ERR_remove_thread_state */ ++ ++#endif /* HAVE_OPENSSL11 */ ++ ++#elif defined(HAVE_YASSL) ++#define BN_free(X) do { } while(0) ++#endif /* !defined(HAVE_YASSL) */ ++ ++#ifndef HAVE_OPENSSL11 ++#define ASN1_STRING_get0_data(X)ASN1_STRING_data(X) ++#define OPENSSL_init_ssl(X,Y) SSL_library_init() ++#define DH_set0_pqg(D,P,Q,G)((D)->p= (P), (D)->g= (G)) ++#define EVP_CIPHER_CTX_buf_noconst(ctx) ((ctx)->buf) ++#define EVP_CIPHER_CTX_encrypting(ctx) ((ctx)->encrypt) ++#define EVP_CIPHER_CTX_SIZE