[arch-commits] Commit in mariadb/trunk (0001-openssl-1-1-0.patch PKGBUILD)
Date: Friday, November 2, 2018 @ 09:24:57 Author: eworm Revision: 337728 upgpkg: mariadb 10.1.37-1 new upstream release Modified: mariadb/trunk/0001-openssl-1-1-0.patch mariadb/trunk/PKGBUILD --+ 0001-openssl-1-1-0.patch | 13 + PKGBUILD |6 +++--- 2 files changed, 16 insertions(+), 3 deletions(-) Modified: 0001-openssl-1-1-0.patch === --- 0001-openssl-1-1-0.patch2018-11-02 06:51:23 UTC (rev 337727) +++ 0001-openssl-1-1-0.patch2018-11-02 09:24:57 UTC (rev 337728) @@ -1,3 +1,16 @@ +diff --git a/cmake/ssl.cmake b/cmake/ssl.cmake +index 24e18600402..6fac749fd13 100644 +--- a/cmake/ssl.cmake b/cmake/ssl.cmake +@@ -182,7 +182,7 @@ MACRO (MYSQL_CHECK_SSL) + HAVE_SHA512_DIGEST_LENGTH) + SET(CMAKE_REQUIRED_INCLUDES) + IF(OPENSSL_INCLUDE_DIR AND OPENSSL_LIBRARIES AND +- OPENSSL_MAJOR_VERSION STRLESS "101" AND ++ OPENSSL_MAJOR_VERSION STRLESS "102" AND +CRYPTO_LIBRARY AND HAVE_SHA512_DIGEST_LENGTH) + + SET(SSL_SOURCES "") diff --git a/include/ssl_compat.h b/include/ssl_compat.h new file mode 100644 index 000..b0e3ed4 Modified: PKGBUILD === --- PKGBUILD2018-11-02 06:51:23 UTC (rev 337727) +++ PKGBUILD2018-11-02 09:24:57 UTC (rev 337728) @@ -3,7 +3,7 @@ pkgbase=mariadb pkgname=('libmariadbclient' 'mariadb-clients' 'mytop' 'mariadb') -pkgver=10.1.36 +pkgver=10.1.37 pkgrel=1 arch=('x86_64') license=('GPL') @@ -13,9 +13,9 @@ validpgpkeys=('199369E5404BD5FC7D2FE43BCBCB082A1BB943DB') # MariaDB Package Signing Key source=("https://mirrors.n-ix.net/mariadb/mariadb-$pkgver/source/mariadb-$pkgver.tar.gz"{,.asc} '0001-openssl-1-1-0.patch') -sha256sums=('ad742e8cf02b9294259cc8b0c888f7ba2e105e76554e4183603d275bcd91aa58' +sha256sums=('8cd516b0a7f7aa36a7c1d6e687dbbad8c0b08c92d5fd60c6e691b19a6cab4d46' 'SKIP' -'229d556748119757f36be1e9956834be28db0f5a35cdacce53f6c640784fca77') +'fe26d22f0150e7460daa83d71d35735b3031cfc97e99bfbb8d6d74c11a28ccea') prepare() { cd $pkgbase-$pkgver/
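Review bot: The cmake/ssl.cmake hunk added to 0001-openssl-1-1-0.patch raises the bound in `OPENSSL_MAJOR_VERSION STRLESS "101"` to `"102"` without recording why, and the commit message says only "new upstream release". This condition sits in the `IF(OPENSSL_INCLUDE_DIR AND OPENSSL_LIBRARIES AND …)` test of MYSQL_CHECK_SSL, so loosening it presumably overrides a limit upstream placed on which system OpenSSL this branch accepts. A header line in the patch such as `# Arch: allow system OpenSSL 1.1.x here (bound raised from "101" to "102")` would keep that decision visible at the next upgrade. STRLESS compares strings lexicographically, so the test orders versions correctly only while OPENSSL_MAJOR_VERSION stays a fixed-width digit string, which is worth a comment too. The macro body continues outside the hunk.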
[arch-commits] Commit in mariadb/trunk (0001-openssl-1-1-0.patch PKGBUILD)
Date: Tuesday, March 27, 2018 @ 07:45:51 Author: eworm Revision: 320366 upgpkg: mariadb 10.1.32-1 new upstream release Modified: mariadb/trunk/0001-openssl-1-1-0.patch mariadb/trunk/PKGBUILD --+ 0001-openssl-1-1-0.patch | 23 +-- PKGBUILD |6 +++--- 2 files changed, 4 insertions(+), 25 deletions(-) Modified: 0001-openssl-1-1-0.patch === --- 0001-openssl-1-1-0.patch2018-03-26 21:31:50 UTC (rev 320365) +++ 0001-openssl-1-1-0.patch2018-03-27 07:45:51 UTC (rev 320366) @@ -1,24 +1,3 @@ -diff --git a/extra/yassl/src/handshake.cpp b/extra/yassl/src/handshake.cpp -index 407e409..6e181a9 100644 a/extra/yassl/src/handshake.cpp -+++ b/extra/yassl/src/handshake.cpp -@@ -788,6 +788,16 @@ int DoProcessReply(SSL& ssl) - needHdr = true; - else { - buffer >> hdr; -+/* -+ According to RFC 4346 (see "7.4.1.3. Server Hello"), the Server Hello -+ packet needs to specify the highest supported TLS version, but not -+ higher than what client requests. YaSSL highest supported version is -+ TLSv1.1 (=3.2) - if the client requests a higher version, downgrade it -+ here to 3.2. -+ See also Appendix E of RFC 5246 (TLS 1.2) -+*/ -+if (hdr.version_.major_ == 3 && hdr.version_.minor_ > 2) -+ hdr.version_.minor_ = 2; - ssl.verifyState(hdr); - } - diff --git a/include/ssl_compat.h b/include/ssl_compat.h new file mode 100644 index 000..b0e3ed4 @@ -150,7 +129,7 @@ index eaec51b..1b28469 100755 --- a/mysql-test/mysql-test-run.pl +++ b/mysql-test/mysql-test-run.pl -@@ -2301,6 +2301,11 @@ sub environment_setup { +@@ -2307,6 +2307,11 @@ sub environment_setup { $ENV{'MYSQL_PLUGIN'}= $exe_mysql_plugin; $ENV{'MYSQL_EMBEDDED'}= $exe_mysql_embedded; Modified: PKGBUILD === --- PKGBUILD2018-03-26 21:31:50 UTC (rev 320365) +++ PKGBUILD2018-03-27 07:45:51 UTC (rev 320366) @@ -4,7 +4,7 @@ pkgbase=mariadb pkgname=('libmariadbclient' 'mariadb-clients' 'mytop' 'mariadb') -pkgver=10.1.31 +pkgver=10.1.32 pkgrel=1 arch=('x86_64') license=('GPL') 
@@ -15,9 +15,9 @@ source=("https://ftp.heanet.ie/mirrors/mariadb/mariadb-$pkgver/source/mariadb-$pkgver.tar.gz"{,.asc} '0001-openssl-1-1-0.patch' '0002-mroonga-after-merge-CMakeLists.txt-fixes.patch') -sha256sums=('ab7641c2fe4e5289da6141766a9c3350e013def56fafd6f1377080bc8048b2e6' +sha256sums=('0e2aae6a6a190d07c8e36e87dd43377057fa82651ca3c583462563f3e9369096' 'SKIP' -'c209c939e5b27582df16fe7cef8fd31c2c574165dddce15d157bfcf9a1a38b2f' +'229d556748119757f36be1e9956834be28db0f5a35cdacce53f6c640784fca77' '98736aefef21e575e450f8066685ba82771264409412e33491ab0a54e4407ba7') prepare() {
[arch-commits] Commit in mariadb/trunk (0001-openssl-1-1-0.patch PKGBUILD)
Date: Tuesday, February 6, 2018 @ 10:16:52 Author: eworm Revision: 315951 upgpkg: mariadb 10.1.31-1 * new upstream release * clean up dependencies Modified: mariadb/trunk/0001-openssl-1-1-0.patch mariadb/trunk/PKGBUILD --+ 0001-openssl-1-1-0.patch | 77 - PKGBUILD | 17 - 2 files changed, 36 insertions(+), 58 deletions(-) Modified: 0001-openssl-1-1-0.patch === --- 0001-openssl-1-1-0.patch2018-02-06 09:12:23 UTC (rev 315950) +++ 0001-openssl-1-1-0.patch2018-02-06 10:16:52 UTC (rev 315951) @@ -147,10 +147,10 @@ + } +} diff --git a/mysql-test/mysql-test-run.pl b/mysql-test/mysql-test-run.pl -index 2cd5d2a..22bcaba 100755 +index eaec51b..1b28469 100755 --- a/mysql-test/mysql-test-run.pl +++ b/mysql-test/mysql-test-run.pl -@@ -2300,6 +2300,11 @@ sub environment_setup { +@@ -2301,6 +2301,11 @@ sub environment_setup { $ENV{'MYSQL_PLUGIN'}= $exe_mysql_plugin; $ENV{'MYSQL_EMBEDDED'}= $exe_mysql_embedded; @@ -231,7 +231,7 @@ SET(MYSYS_SSL_SOURCES diff --git a/mysys_ssl/my_crypt.cc b/mysys_ssl/my_crypt.cc -index a0937a8..ed1c82d 100644 +index 4393394..da60a10 100644 --- a/mysys_ssl/my_crypt.cc +++ b/mysys_ssl/my_crypt.cc @@ -1,6 +1,6 @@ @@ -242,7 +242,7 @@ This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by -@@ -17,52 +17,60 @@ +@@ -17,7 +17,6 @@ #include #include @@ -250,12 +250,10 @@ #ifdef HAVE_YASSL #include "yassl.cc" - #else -- - #include - #include +@@ -28,42 +27,53 @@ #include -- + #include + -#ifdef HAVE_ERR_remove_thread_state -#define ERR_remove_state(X) ERR_remove_thread_state(NULL) +#include @@ -317,7 +315,7 @@ return MY_AES_BAD_DATA; return MY_AES_OK; } -@@ -72,7 +80,8 @@ class MyCTX_nopad : public MyCTX +@@ -73,7 +83,8 @@ class MyCTX_nopad : public MyCTX { public: const uchar *key; 
@@ -327,7 +325,7 @@ MyCTX_nopad() : MyCTX() { } ~MyCTX_nopad() { } -@@ -83,32 +92,48 @@ class MyCTX_nopad : public MyCTX +@@ -84,32 +95,48 @@ class MyCTX_nopad : public MyCTX compile_time_assert(MY_AES_CTX_SIZE >= sizeof(MyCTX_nopad)); this->key= key; this->klen= klen; @@ -383,7 +381,7 @@ return MY_AES_OK; } }; -@@ -152,7 +177,7 @@ class MyCTX_gcm : public MyCTX +@@ -153,7 +180,7 @@ class MyCTX_gcm : public MyCTX { compile_time_assert(MY_AES_CTX_SIZE >= sizeof(MyCTX_gcm)); int res= MyCTX::init(cipher, encrypt, key, klen, iv, ivlen); @@ -392,7 +390,7 @@ aad= iv + real_ivlen; aadlen= ivlen - real_ivlen; return res; -@@ -166,15 +191,15 @@ class MyCTX_gcm : public MyCTX +@@ -167,15 +194,15 @@ class MyCTX_gcm : public MyCTX before decrypting the data. it can encrypt data piecewise, like, first half, then the second half, but it must decrypt all at once */ @@ -411,7 +409,7 @@ return MY_AES_OPENSSL_ERROR; aadlen= 0; return MyCTX::update(src, slen, dst, dlen); -@@ -183,13 +208,13 @@ class MyCTX_gcm : public MyCTX +@@ -184,13 +211,13 @@ class MyCTX_gcm : public MyCTX int finish(uchar *dst, uint *dlen) { int fin; @@ -428,7 +426,7 @@ return MY_AES_OPENSSL_ERROR; *dlen= MY_AES_BLOCK_SIZE; } -@@ -257,12 +282,15 @@ int my_aes_crypt(enum my_aes_mode mode, int flags, +@@ -258,12 +285,15 @@ int my_aes_crypt(enum my_aes_mode mode, int flags, { void *ctx= alloca(MY_AES_CTX_SIZE); int res1, res2; 
@@ -446,25 +444,6 @@ return res1 ? res1 : res2; } -@@ -301,17 +329,10 @@ int my_random_bytes(uchar* buf, int num) - return MY_AES_OK; - } - #else --#include - - int my_random_bytes(uchar *buf, int num) - { -- /* --Unfortunately RAND_bytes manual page does not provide any guarantees --in relation to blocking behavior. Here we explicitly use SSLeay random --instead of whatever random engine is currently set in OpenSSL. That way --we are guaranteed to have a non-blocking random. -- */ -- RAND_METHOD *rand = RAND_SSLeay(); -+ RAND_METHOD *rand = RAND_OpenSSL(); - if (rand == NULL || rand->bytes(buf, num) != 1) - return MY_AES_OPENSSL_ERROR; - return MY_AES_OK; diff --git a/mysys_ssl/my_md5.cc b/mysys_ssl/my_md5.cc index 7139ea9..0105082 100644 --- a/mysys_ssl/my_md5.cc @@ -698,10 +677,10 @@ +} +#endif diff --git a/mysys_ssl/yassl.cc b/mysys_ssl/yassl.cc -index 9717870..aa5631f 100644 +index e9f8e65..268589d 100644 --- a/mysys_ssl/yassl.cc +++ b/mysys_ssl/yassl.cc -@@ -44,7 +44,6 @@ typedef struct +@@ -45,7 +45,6 @@ typedef struct int buf_len; int final_used; uchar tao_buf[sizeof(TaoCrypt::AES)]; // TaoCrypt::AES object @@ -709,7 +688,7 @@ uchar buf[TaoCrypt::AES::BLOCK_SIZE]; // last partial input block uchar final[TaoCrypt::AES::BLOCK_SIZE]; //
[arch-commits] Commit in mariadb/trunk (0001-openssl-1-1-0.patch PKGBUILD)
Date: Thursday, August 10, 2017 @ 10:46:06 Author: eworm Revision: 301838 upgpkg: mariadb 10.1.26-1 Modified: mariadb/trunk/0001-openssl-1-1-0.patch mariadb/trunk/PKGBUILD --+ 0001-openssl-1-1-0.patch | 1605 +++-- PKGBUILD |6 2 files changed, 270 insertions(+), 1341 deletions(-) Modified: 0001-openssl-1-1-0.patch === --- 0001-openssl-1-1-0.patch2017-08-10 10:44:25 UTC (rev 301837) +++ 0001-openssl-1-1-0.patch2017-08-10 10:46:06 UTC (rev 301838) @@ -1,43 +1,5 @@ -From fb57acd98f96b3d2684cd29c126b4904db81f84c Mon Sep 17 00:00:00 2001 -From: Georg Richter-Date: Wed, 8 Mar 2017 17:39:47 +0100 -Subject: [PATCH 1/2] MDEV-10332 support for OpenSSL 1.1 and LibreSSL - -Initial support - -tested against OpenSSL 1.0.1, 1.0.2, 1.1.0, Yassl and LibreSSL -not working on Windows with native SChannel support, due to wrong cipher -mapping: Latter one requires push of CONC-241 fixes. -Please note that OpenSSL 0.9.8 and OpenSSL 1.1.0 will not work: Even if -the build succeeds, test cases will fail with various errors, especially -when using different tls libraries or versions for client and server. - -Upstream commit: f8866f8f665ac26beb31842fef48ecee5feb346e - extra/yassl/src/handshake.cpp | 10 +++ - include/my_crypt.h| 15 - include/violite.h | 9 +- - mysql-test/include/require_openssl_client.inc | 5 ++ - mysql-test/mysql-test-run.pl | 5 ++ - mysql-test/r/openssl_1.result | 2 +- - mysql-test/r/openssl_6975,tlsv10.result | 18 ++-- - mysql-test/r/openssl_6975,tlsv12.result | 14 ++-- - mysql-test/t/openssl_1.test | 4 +- - mysql-test/t/openssl_6975.test| 19 +++-- - mysql-test/t/ssl_7937.test| 1 + - mysql-test/t/ssl_8k_key.test | 1 + - mysys_ssl/my_crypt.cc | 115 ++ - mysys_ssl/my_md5.cc | 39 ++--- - mysys_ssl/yassl.cc| 15 - sql-common/client.c | 6 +- - sql/mysqld.cc | 14 +++- - sql/slave.cc | 13 +++ - vio/viosslfactories.c | 54 - 19 files changed, 263 insertions(+), 96 deletions(-) - create mode 100644 mysql-test/include/require_openssl_client.inc - 
diff --git a/extra/yassl/src/handshake.cpp b/extra/yassl/src/handshake.cpp -index 407e4092ccc..6e181a997bd 100644 +index 407e409..6e181a9 100644 --- a/extra/yassl/src/handshake.cpp +++ b/extra/yassl/src/handshake.cpp @@ -788,6 +788,16 @@ int DoProcessReply(SSL& ssl) 
@@ -57,44 +19,112 @@ ssl.verifyState(hdr); } -diff --git a/include/my_crypt.h b/include/my_crypt.h -index 719e349bfb9..e7dd9d80100 100644 a/include/my_crypt.h -+++ b/include/my_crypt.h -@@ -21,4 +21,19 @@ - #include /* HAVE_EncryptAes128{Ctr,Gcm} */ - #include - +diff --git a/include/ssl_compat.h b/include/ssl_compat.h +new file mode 100644 +index 000..b0e3ed4 +--- /dev/null b/include/ssl_compat.h +@@ -0,0 +1,75 @@ ++/* ++ Copyright (c) 2016, 2017 MariaDB Corporation ++ ++ This program is free software; you can redistribute it and/or modify ++ it under the terms of the GNU General Public License as published by ++ the Free Software Foundation; version 2 of the License. ++ ++ This program is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ GNU General Public License for more details. ++ ++ You should have received a copy of the GNU General Public License ++ along with this program; if not, write to the Free Software ++ Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */ ++ ++#include ++ +/* OpenSSL version specific definitions */ +#if !defined(HAVE_YASSL) && defined(OPENSSL_VERSION_NUMBER) ++ ++#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER) ++#define HAVE_X509_check_host 1 ++#endif ++ +#if OPENSSL_VERSION_NUMBER >= 0x1010L && !defined(LIBRESSL_VERSION_NUMBER) -+#define ERR_remove_state(X) ++#define HAVE_OPENSSL11 1 ++#define ERR_remove_state(X) ERR_clear_error() ++#define EVP_MD_CTX_cleanup(X) EVP_MD_CTX_reset(X) ++#define EVP_CIPHER_CTX_SIZE 168 ++#define EVP_MD_CTX_SIZE 48 ++#undef EVP_MD_CTX_init ++#define EVP_MD_CTX_init(X) do { bzero((X), EVP_MD_CTX_SIZE); EVP_MD_CTX_reset(X); } while(0) ++#undef EVP_CIPHER_CTX_init ++#define EVP_CIPHER_CTX_init(X) do { bzero((X), EVP_CIPHER_CTX_SIZE); EVP_CIPHER_CTX_reset(X); } while(0) ++ +#else -+#define EVP_CIPHER_CTX_reset(X) 
EVP_CIPHER_CTX_cleanup(X) -+#define RAND_OpenSSL()
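Review bot: `EVP_CIPHER_CTX_SIZE 168` and `EVP_MD_CTX_SIZE 48` in the new include/ssl_compat.h hard-code the sizes of structures that OpenSSL 1.1 keeps opaque, and the redefined `EVP_MD_CTX_init` and `EVP_CIPHER_CTX_init` macros `bzero` exactly that many bytes of caller-provided storage before calling the reset function. If the linked libcrypto lays these contexts out larger than the constants (another version, build option or architecture), the library would write past the caller's buffer, and nothing in the visible lines checks the numbers against the library actually loaded. At minimum the defines need a comment such as `/* sizes measured on OpenSSL <version>, <arch>; re-verify on every OpenSSL update */`; a startup check that refuses to run on a mismatch would be stronger. The hunk is cut off on this page after `#define RAND_OpenSSL()`, so the rest of the header could not be reviewed.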
[arch-commits] Commit in mariadb/trunk (0001-openssl-1-1-0.patch PKGBUILD)
Date: Wednesday, May 31, 2017 @ 11:02:26 Author: eworm Revision: 296927 upgpkg: mariadb 10.1.24-1 * new upstream release * minor changes (mariadb.pc and mysql.m4 moved to libmariadbclient, ...) Added: mariadb/trunk/0001-openssl-1-1-0.patch Modified: mariadb/trunk/PKGBUILD --+ 0001-openssl-1-1-0.patch | 2108 + PKGBUILD | 56 - 2 files changed, 2127 insertions(+), 37 deletions(-) Added: 0001-openssl-1-1-0.patch === --- 0001-openssl-1-1-0.patch(rev 0) +++ 0001-openssl-1-1-0.patch2017-05-31 11:02:26 UTC (rev 296927) 
@@ -0,0 +1,2108 @@ +From fb57acd98f96b3d2684cd29c126b4904db81f84c Mon Sep 17 00:00:00 2001 +From: Georg Richter+Date: Wed, 8 Mar 2017 17:39:47 +0100 +Subject: [PATCH 1/2] MDEV-10332 support for OpenSSL 1.1 and LibreSSL + +Initial support + +tested against OpenSSL 1.0.1, 1.0.2, 1.1.0, Yassl and LibreSSL +not working on Windows with native SChannel support, due to wrong cipher +mapping: Latter one requires push of CONC-241 fixes. +Please note that OpenSSL 0.9.8 and OpenSSL 1.1.0 will not work: Even if +the build succeeds, test cases will fail with various errors, especially +when using different tls libraries or versions for client and server. + +Upstream commit: f8866f8f665ac26beb31842fef48ecee5feb346e +--- + extra/yassl/src/handshake.cpp | 10 +++ + include/my_crypt.h| 15 + include/violite.h | 9 +- + mysql-test/include/require_openssl_client.inc | 5 ++ + mysql-test/mysql-test-run.pl | 5 ++ + mysql-test/r/openssl_1.result | 2 +- + mysql-test/r/openssl_6975,tlsv10.result | 18 ++-- + mysql-test/r/openssl_6975,tlsv12.result | 14 ++-- + mysql-test/t/openssl_1.test | 4 +- + mysql-test/t/openssl_6975.test| 19 +++-- + mysql-test/t/ssl_7937.test| 1 + + mysql-test/t/ssl_8k_key.test | 1 + + mysys_ssl/my_crypt.cc | 115 ++ + mysys_ssl/my_md5.cc | 39 ++--- + mysys_ssl/yassl.cc| 15 + sql-common/client.c | 6 +- + sql/mysqld.cc | 14 +++- + sql/slave.cc | 13 +++ + vio/viosslfactories.c | 54 + 19 files changed, 263 insertions(+), 96 deletions(-) + create mode 100644 mysql-test/include/require_openssl_client.inc + +diff --git a/extra/yassl/src/handshake.cpp b/extra/yassl/src/handshake.cpp +index 407e4092ccc..6e181a997bd 100644 +--- a/extra/yassl/src/handshake.cpp b/extra/yassl/src/handshake.cpp +@@ -788,6 +788,16 @@ int DoProcessReply(SSL& ssl) + needHdr = true; + else { + buffer >> hdr; ++/* ++ According to RFC 4346 (see "7.4.1.3. Server Hello"), the Server Hello ++ packet needs to specify the highest supported TLS version, but not ++ higher than what client requests. 
YaSSL highest supported version is ++ TLSv1.1 (=3.2) - if the client requests a higher version, downgrade it ++ here to 3.2. ++ See also Appendix E of RFC 5246 (TLS 1.2) ++*/ ++if (hdr.version_.major_ == 3 && hdr.version_.minor_ > 2) ++ hdr.version_.minor_ = 2; + ssl.verifyState(hdr); + } + +diff --git a/include/my_crypt.h b/include/my_crypt.h +index 719e349bfb9..e7dd9d80100 100644 +--- a/include/my_crypt.h b/include/my_crypt.h +@@ -21,4 +21,19 @@ + #include /* HAVE_EncryptAes128{Ctr,Gcm} */ + #include + ++/* OpenSSL version specific definitions */ ++#if !defined(HAVE_YASSL) && defined(OPENSSL_VERSION_NUMBER) ++#if OPENSSL_VERSION_NUMBER >= 0x1010L && !defined(LIBRESSL_VERSION_NUMBER) ++#define ERR_remove_state(X) ++#else ++#define EVP_CIPHER_CTX_reset(X) EVP_CIPHER_CTX_cleanup(X) ++#define RAND_OpenSSL() RAND_SSLeay(); ++#if defined(HAVE_ERR_remove_thread_state) ++#define ERR_remove_state(X) ERR_remove_thread_state(NULL) ++#endif ++#endif ++#elif defined(HAVE_YASSL) ++#define EVP_CIPHER_CTX_reset(X) EVP_CIPHER_CTX_cleanup(X) ++#endif /* !defined(HAVE_YASSL) */ ++ + #endif /* MY_CRYPT_INCLUDED */ +diff --git a/include/violite.h b/include/violite.h +index a7165ca91a9..23800696e5a 100644 +--- a/include/violite.h b/include/violite.h +@@ -146,14 +146,15 @@ typedef my_socket YASSL_SOCKET_T; + #include + #include + +-#ifdef HAVE_ERR_remove_thread_state ++#if OPENSSL_VERSION_NUMBER >= 0x1010L && !defined(LIBRESSL_VERSION_NUMBER) ++#define ERR_remove_state(X) ++#elif defined(HAVE_ERR_remove_thread_state) + #define ERR_remove_state(X) ERR_remove_thread_state(NULL) + #endif +- + enum
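Review bot: `#define RAND_OpenSSL() RAND_SSLeay();` in the include/my_crypt.h part of the added patch ends in a semicolon, so the macro only works where it forms a whole statement. Used inside an expression, such as a condition or a function argument, the stray `;` breaks the build or ends the statement early. It should read `#define RAND_OpenSSL() RAND_SSLeay()`. The same line is present in the copy of this patch added in revision 296001 further down the page. The patch is cut off on this page inside include/violite.h, so the later files were not reviewed.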
[arch-commits] Commit in mariadb/trunk (0001-openssl-1-1-0.patch PKGBUILD)
Date: Thursday, May 25, 2017 @ 13:58:42 Author: eworm Revision: 296571 prepare for mariadb 10.2.6 Modified: mariadb/trunk/PKGBUILD Deleted: mariadb/trunk/0001-openssl-1-1-0.patch --+ 0001-openssl-1-1-0.patch | 2129 - PKGBUILD | 76 - 2 files changed, 36 insertions(+), 2169 deletions(-) Deleted: 0001-openssl-1-1-0.patch === --- 0001-openssl-1-1-0.patch2017-05-25 11:35:31 UTC (rev 296570) +++ 0001-openssl-1-1-0.patch2017-05-25 13:58:42 UTC (rev 296571) 
@@ -1,2129 +0,0 @@ -From fb57acd98f96b3d2684cd29c126b4904db81f84c Mon Sep 17 00:00:00 2001 -From: Georg Richter-Date: Wed, 8 Mar 2017 17:39:47 +0100 -Subject: [PATCH 1/2] MDEV-10332 support for OpenSSL 1.1 and LibreSSL - -Initial support - -tested against OpenSSL 1.0.1, 1.0.2, 1.1.0, Yassl and LibreSSL -not working on Windows with native SChannel support, due to wrong cipher -mapping: Latter one requires push of CONC-241 fixes. -Please note that OpenSSL 0.9.8 and OpenSSL 1.1.0 will not work: Even if -the build succeeds, test cases will fail with various errors, especially -when using different tls libraries or versions for client and server. - -Upstream commit: f8866f8f665ac26beb31842fef48ecee5feb346e - extra/yassl/src/handshake.cpp | 10 +++ - include/my_crypt.h| 15 - include/violite.h | 9 +- - mysql-test/include/require_openssl_client.inc | 5 ++ - mysql-test/mysql-test-run.pl | 5 ++ - mysql-test/r/openssl_1.result | 2 +- - mysql-test/r/openssl_6975,tlsv10.result | 18 ++-- - mysql-test/r/openssl_6975,tlsv12.result | 14 ++-- - mysql-test/t/openssl_1.test | 4 +- - mysql-test/t/openssl_6975.test| 19 +++-- - mysql-test/t/ssl_7937.test| 1 + - mysql-test/t/ssl_8k_key.test | 1 + - mysys_ssl/my_crypt.cc | 115 ++ - mysys_ssl/my_md5.cc | 39 ++--- - mysys_ssl/yassl.cc| 15 - sql-common/client.c | 6 +- - sql/mysqld.cc | 14 +++- - sql/slave.cc | 13 +++ - vio/viosslfactories.c | 54 - 19 files changed, 263 insertions(+), 96 deletions(-) - create mode 100644 mysql-test/include/require_openssl_client.inc - -diff --git a/extra/yassl/src/handshake.cpp b/extra/yassl/src/handshake.cpp -index 407e4092ccc..6e181a997bd 100644 a/extra/yassl/src/handshake.cpp -+++ b/extra/yassl/src/handshake.cpp -@@ -788,6 +788,16 @@ int DoProcessReply(SSL& ssl) - needHdr = true; - else { - buffer >> hdr; -+/* -+ According to RFC 4346 (see "7.4.1.3. Server Hello"), the Server Hello -+ packet needs to specify the highest supported TLS version, but not -+ higher than what client requests. 
YaSSL highest supported version is -+ TLSv1.1 (=3.2) - if the client requests a higher version, downgrade it -+ here to 3.2. -+ See also Appendix E of RFC 5246 (TLS 1.2) -+*/ -+if (hdr.version_.major_ == 3 && hdr.version_.minor_ > 2) -+ hdr.version_.minor_ = 2; - ssl.verifyState(hdr); - } - -diff --git a/include/my_crypt.h b/include/my_crypt.h -index 719e349bfb9..e7dd9d80100 100644 a/include/my_crypt.h -+++ b/include/my_crypt.h -@@ -21,4 +21,19 @@ - #include /* HAVE_EncryptAes128{Ctr,Gcm} */ - #include - -+/* OpenSSL version specific definitions */ -+#if !defined(HAVE_YASSL) && defined(OPENSSL_VERSION_NUMBER) -+#if OPENSSL_VERSION_NUMBER >= 0x1010L && !defined(LIBRESSL_VERSION_NUMBER) -+#define ERR_remove_state(X) -+#else -+#define EVP_CIPHER_CTX_reset(X) EVP_CIPHER_CTX_cleanup(X) -+#define RAND_OpenSSL() RAND_SSLeay(); -+#if defined(HAVE_ERR_remove_thread_state) -+#define ERR_remove_state(X) ERR_remove_thread_state(NULL) -+#endif -+#endif -+#elif defined(HAVE_YASSL) -+#define EVP_CIPHER_CTX_reset(X) EVP_CIPHER_CTX_cleanup(X) -+#endif /* !defined(HAVE_YASSL) */ -+ - #endif /* MY_CRYPT_INCLUDED */ -diff --git a/include/violite.h b/include/violite.h -index a7165ca91a9..23800696e5a 100644 a/include/violite.h -+++ b/include/violite.h -@@ -146,14 +146,15 @@ typedef my_socket YASSL_SOCKET_T; - #include - #include - --#ifdef HAVE_ERR_remove_thread_state -+#if OPENSSL_VERSION_NUMBER >= 0x1010L && !defined(LIBRESSL_VERSION_NUMBER) -+#define ERR_remove_state(X) -+#elif defined(HAVE_ERR_remove_thread_state) - #define ERR_remove_state(X) ERR_remove_thread_state(NULL) - #endif -- - enum enum_ssl_init_error - { -- SSL_INITERR_NOERROR= 0, SSL_INITERR_CERT, SSL_INITERR_KEY, --
[arch-commits] Commit in mariadb/trunk (0001-openssl-1-1-0.patch PKGBUILD)
Date: Sunday, May 14, 2017 @ 21:36:51 Author: eworm Revision: 296001 upgpkg: mariadb 10.1.23-2 back to system ssl with openssl 1.1.0 Added: mariadb/trunk/0001-openssl-1-1-0.patch Modified: mariadb/trunk/PKGBUILD --+ 0001-openssl-1-1-0.patch | 2129 + PKGBUILD | 27 2 files changed, 2143 insertions(+), 13 deletions(-) Added: 0001-openssl-1-1-0.patch === --- 0001-openssl-1-1-0.patch(rev 0) +++ 0001-openssl-1-1-0.patch2017-05-14 21:36:51 UTC (rev 296001) 
@@ -0,0 +1,2129 @@ +From fb57acd98f96b3d2684cd29c126b4904db81f84c Mon Sep 17 00:00:00 2001 +From: Georg Richter+Date: Wed, 8 Mar 2017 17:39:47 +0100 +Subject: [PATCH 1/2] MDEV-10332 support for OpenSSL 1.1 and LibreSSL + +Initial support + +tested against OpenSSL 1.0.1, 1.0.2, 1.1.0, Yassl and LibreSSL +not working on Windows with native SChannel support, due to wrong cipher +mapping: Latter one requires push of CONC-241 fixes. +Please note that OpenSSL 0.9.8 and OpenSSL 1.1.0 will not work: Even if +the build succeeds, test cases will fail with various errors, especially +when using different tls libraries or versions for client and server. + +Upstream commit: f8866f8f665ac26beb31842fef48ecee5feb346e +--- + extra/yassl/src/handshake.cpp | 10 +++ + include/my_crypt.h| 15 + include/violite.h | 9 +- + mysql-test/include/require_openssl_client.inc | 5 ++ + mysql-test/mysql-test-run.pl | 5 ++ + mysql-test/r/openssl_1.result | 2 +- + mysql-test/r/openssl_6975,tlsv10.result | 18 ++-- + mysql-test/r/openssl_6975,tlsv12.result | 14 ++-- + mysql-test/t/openssl_1.test | 4 +- + mysql-test/t/openssl_6975.test| 19 +++-- + mysql-test/t/ssl_7937.test| 1 + + mysql-test/t/ssl_8k_key.test | 1 + + mysys_ssl/my_crypt.cc | 115 ++ + mysys_ssl/my_md5.cc | 39 ++--- + mysys_ssl/yassl.cc| 15 + sql-common/client.c | 6 +- + sql/mysqld.cc | 14 +++- + sql/slave.cc | 13 +++ + vio/viosslfactories.c | 54 + 19 files changed, 263 insertions(+), 96 deletions(-) + create mode 100644 mysql-test/include/require_openssl_client.inc + +diff --git a/extra/yassl/src/handshake.cpp b/extra/yassl/src/handshake.cpp +index 407e4092ccc..6e181a997bd 100644 +--- a/extra/yassl/src/handshake.cpp b/extra/yassl/src/handshake.cpp +@@ -788,6 +788,16 @@ int DoProcessReply(SSL& ssl) + needHdr = true; + else { + buffer >> hdr; ++/* ++ According to RFC 4346 (see "7.4.1.3. Server Hello"), the Server Hello ++ packet needs to specify the highest supported TLS version, but not ++ higher than what client requests. 
YaSSL highest supported version is ++ TLSv1.1 (=3.2) - if the client requests a higher version, downgrade it ++ here to 3.2. ++ See also Appendix E of RFC 5246 (TLS 1.2) ++*/ ++if (hdr.version_.major_ == 3 && hdr.version_.minor_ > 2) ++ hdr.version_.minor_ = 2; + ssl.verifyState(hdr); + } + +diff --git a/include/my_crypt.h b/include/my_crypt.h +index 719e349bfb9..e7dd9d80100 100644 +--- a/include/my_crypt.h b/include/my_crypt.h +@@ -21,4 +21,19 @@ + #include /* HAVE_EncryptAes128{Ctr,Gcm} */ + #include + ++/* OpenSSL version specific definitions */ ++#if !defined(HAVE_YASSL) && defined(OPENSSL_VERSION_NUMBER) ++#if OPENSSL_VERSION_NUMBER >= 0x1010L && !defined(LIBRESSL_VERSION_NUMBER) ++#define ERR_remove_state(X) ++#else ++#define EVP_CIPHER_CTX_reset(X) EVP_CIPHER_CTX_cleanup(X) ++#define RAND_OpenSSL() RAND_SSLeay(); ++#if defined(HAVE_ERR_remove_thread_state) ++#define ERR_remove_state(X) ERR_remove_thread_state(NULL) ++#endif ++#endif ++#elif defined(HAVE_YASSL) ++#define EVP_CIPHER_CTX_reset(X) EVP_CIPHER_CTX_cleanup(X) ++#endif /* !defined(HAVE_YASSL) */ ++ + #endif /* MY_CRYPT_INCLUDED */ +diff --git a/include/violite.h b/include/violite.h +index a7165ca91a9..23800696e5a 100644 +--- a/include/violite.h b/include/violite.h +@@ -146,14 +146,15 @@ typedef my_socket YASSL_SOCKET_T; + #include + #include + +-#ifdef HAVE_ERR_remove_thread_state ++#if OPENSSL_VERSION_NUMBER >= 0x1010L && !defined(LIBRESSL_VERSION_NUMBER) ++#define ERR_remove_state(X) ++#elif defined(HAVE_ERR_remove_thread_state) + #define ERR_remove_state(X) ERR_remove_thread_state(NULL) + #endif +- + enum enum_ssl_init_error + { +- SSL_INITERR_NOERROR= 0,
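Review bot: The `#if OPENSSL_VERSION_NUMBER >= … && !defined(LIBRESSL_VERSION_NUMBER)` gate that defines `ERR_remove_state(X)` is written out twice, once in include/my_crypt.h and once in include/violite.h. Two copies of a TLS-library version gate can drift apart at the next OpenSSL or LibreSSL change, and a translation unit that includes both headers would then see conflicting definitions. Keeping these compatibility macros in a single header that both files include avoids that; failing that, add `/* keep in sync with include/violite.h */` beside the block in my_crypt.h and the mirror comment in violite.h. In the first branch the macro expands to nothing, which deserves a one-line comment stating that the cleanup call is deliberately a no-op there. The patch is cut off on this page inside include/violite.h.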