From c13941a25b42ec73772e396915b96294a51fd778 Mon Sep 17 00:00:00 2001 From: Thomas Deutschmann Date: Wed, 23 Jun 2021 01:44:33 +0200 Subject: dev-db/mysql-connector-c: add OpenSSL 3.0.0 support Closes: https://bugs.gentoo.org/797331 Package-Manager: Portage-3.0.20, Repoman-3.0.3 Signed-off-by: Thomas Deutschmann --- ...nector-c-8.0.25-add-OpenSSL-3.0.0-support.patch | 294 +++++++++++++++++++++ 1 file changed, 294 insertions(+) create mode 100644 dev-db/mysql-connector-c/files/mysql-connector-c-8.0.25-add-OpenSSL-3.0.0-support.patch (limited to 'dev-db/mysql-connector-c/files') diff --git a/dev-db/mysql-connector-c/files/mysql-connector-c-8.0.25-add-OpenSSL-3.0.0-support.patch b/dev-db/mysql-connector-c/files/mysql-connector-c-8.0.25-add-OpenSSL-3.0.0-support.patch new file mode 100644 index 000000000000..f566e0fba5b6 --- /dev/null +++ b/dev-db/mysql-connector-c/files/mysql-connector-c-8.0.25-add-OpenSSL-3.0.0-support.patch @@ -0,0 +1,294 @@ +From 3bf91fabf641f3f5114bf3893de40a31aae36e13 Mon Sep 17 00:00:00 2001 +From: Thomas Deutschmann +Date: Tue, 22 Jun 2021 23:56:54 +0200 +Subject: [PATCH 5/5] Add OpenSSL 3.0.0 support + +Signed-off-by: Thomas Deutschmann +--- + cmake/ssl.cmake | 59 +++++++++++++------ + mysys/my_md5.cc | 2 + + .../bindings/xcom/xcom/xcom_ssl_transport.cc | 4 ++ + plugin/x/client/xconnection_impl.cc | 4 ++ + sql-common/client.cc | 2 + + sql/mysqld.cc | 2 + + sql/sys_vars.cc | 18 +++++- + vio/viosslfactories.cc | 2 + + 8 files changed, 74 insertions(+), 19 deletions(-) + +diff --git a/cmake/ssl.cmake b/cmake/ssl.cmake +index 18c95dfac..dd2f7e657 100644 +--- a/cmake/ssl.cmake ++++ b/cmake/ssl.cmake +@@ -201,34 +201,59 @@ MACRO (MYSQL_CHECK_SSL) + NAMES crypto libcrypto libeay32 + HINTS ${OPENSSL_ROOT_DIR}/lib) + +- IF(OPENSSL_INCLUDE_DIR) ++ IF(OPENSSL_INCLUDE_DIR AND EXISTS "${OPENSSL_INCLUDE_DIR}/openssl/opensslv.h") + # Verify version number. Version information looks like: + # #define OPENSSL_VERSION_NUMBER 0x1000103fL + # Encoded as MNNFFPPS: major minor fix patch status + FILE(STRINGS "${OPENSSL_INCLUDE_DIR}/openssl/opensslv.h" + OPENSSL_VERSION_NUMBER +- REGEX "^#[ ]*define[\t ]+OPENSSL_VERSION_NUMBER[\t ]+0x[0-9].*" +- ) +- STRING(REGEX REPLACE +- "^.*OPENSSL_VERSION_NUMBER[\t ]+0x([0-9]).*$" "\\1" +- OPENSSL_MAJOR_VERSION "${OPENSSL_VERSION_NUMBER}" +- ) +- STRING(REGEX REPLACE +- "^.*OPENSSL_VERSION_NUMBER[\t ]+0x[0-9]([0-9][0-9]).*$" "\\1" +- OPENSSL_MINOR_VERSION "${OPENSSL_VERSION_NUMBER}" +- ) +- STRING(REGEX REPLACE +- "^.*OPENSSL_VERSION_NUMBER[\t ]+0x[0-9][0-9][0-9]([0-9][0-9]).*$" "\\1" +- OPENSSL_FIX_VERSION "${OPENSSL_VERSION_NUMBER}" ++ REGEX "^#[\t ]*define[\t ]+OPENSSL_VERSION_NUMBER[\t ]+0x[0-9].*" + ) ++ ++ IF(OPENSSL_VERSION_NUMBER) ++ STRING(REGEX REPLACE ++ "^.*OPENSSL_VERSION_NUMBER[\t ]+0x([0-9]).*$" "\\1" ++ OPENSSL_MAJOR_VERSION "${OPENSSL_VERSION_NUMBER}" ++ ) ++ STRING(REGEX REPLACE ++ "^.*OPENSSL_VERSION_NUMBER[\t ]+0x[0-9]([0-9][0-9]).*$" "\\1" ++ OPENSSL_MINOR_VERSION "${OPENSSL_VERSION_NUMBER}" ++ ) ++ STRING(REGEX REPLACE ++ "^.*OPENSSL_VERSION_NUMBER[\t ]+0x[0-9][0-9][0-9]([0-9][0-9]).*$" "\\1" ++ OPENSSL_FIX_VERSION "${OPENSSL_VERSION_NUMBER}" ++ ) ++ ELSE() ++ FILE(STRINGS "${OPENSSL_INCLUDE_DIR}/openssl/opensslv.h" ++ OPENSSL_VERSION_STR ++ REGEX "^#[\t ]*define[\t ]+OPENSSL_VERSION_STR[\t ]+\"([0-9])+\\.([0-9])+\\.([0-9])+\".*" ++ ) ++ ++ STRING(REGEX REPLACE ++ "^.*OPENSSL_VERSION_STR[\t ]+\"([0-9]+)\\.[0-9]+\\.[0-9]+\".*$" "\\1" ++ OPENSSL_MAJOR_VERSION "${OPENSSL_VERSION_STR}" ++ ) ++ STRING(REGEX REPLACE ++ "^.*OPENSSL_VERSION_STR[\t ]+\"[0-9]+\\.([0-9]+)\\.[0-9]+\".*$" "\\1" ++ OPENSSL_MINOR_VERSION "${OPENSSL_VERSION_STR}" ++ ) ++ STRING(REGEX REPLACE ++ "^.*OPENSSL_VERSION_STR[\t ]+\"[0-9]+\\.[0-9]+\\.([0-9]+)\".*$" "\\1" ++ OPENSSL_FIX_VERSION "${OPENSSL_VERSION_STR}" ++ ) ++ ENDIF() + ENDIF() +- IF("${OPENSSL_MAJOR_VERSION}.${OPENSSL_MINOR_VERSION}.${OPENSSL_FIX_VERSION}" VERSION_GREATER "1.1.0") ++ ++ INCLUDE(CheckSymbolExists) ++ ++ CHECK_SYMBOL_EXISTS(TLS1_3_VERSION "openssl/tls1.h" HAVE_TLS1_3_VERSION) ++ IF(HAVE_TLS1_3_VERSION) + ADD_DEFINITIONS(-DHAVE_TLSv13) + ENDIF() + IF(OPENSSL_INCLUDE_DIR AND + OPENSSL_LIBRARY AND + CRYPTO_LIBRARY AND +- OPENSSL_MAJOR_VERSION STREQUAL "1" ++ OPENSSL_MAJOR_VERSION VERSION_GREATER_EQUAL "1" + ) + SET(OPENSSL_FOUND TRUE) + FIND_PROGRAM(OPENSSL_EXECUTABLE openssl +@@ -292,8 +317,6 @@ MACRO (MYSQL_CHECK_SSL) + MESSAGE(STATUS "OPENSSL_MINOR_VERSION = ${OPENSSL_MINOR_VERSION}") + MESSAGE(STATUS "OPENSSL_FIX_VERSION = ${OPENSSL_FIX_VERSION}") + +- INCLUDE(CheckSymbolExists) +- + CMAKE_PUSH_CHECK_STATE() + SET(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR}) + CHECK_SYMBOL_EXISTS(SHA512_DIGEST_LENGTH "openssl/sha.h" +diff --git a/mysys/my_md5.cc b/mysys/my_md5.cc +index 86203619f..37ed3c8b2 100644 +--- a/mysys/my_md5.cc ++++ b/mysys/my_md5.cc +@@ -56,7 +56,9 @@ static void my_md5_hash(unsigned char *digest, unsigned const char *buf, + int compute_md5_hash(char *digest, const char *buf, int len) { + int retval = 0; + int fips_mode = 0; ++#if defined(OPENSSL_FIPS) + fips_mode = FIPS_mode(); ++#endif + /* If fips mode is ON/STRICT restricted method calls will result into abort, + * skipping call. */ + if (fips_mode == 0) { +diff --git a/plugin/group_replication/libmysqlgcs/src/bindings/xcom/xcom/xcom_ssl_transport.cc b/plugin/group_replication/libmysqlgcs/src/bindings/xcom/xcom/xcom_ssl_transport.cc +index 4ed9f9ac9..895443166 100644 +--- a/plugin/group_replication/libmysqlgcs/src/bindings/xcom/xcom/xcom_ssl_transport.cc ++++ b/plugin/group_replication/libmysqlgcs/src/bindings/xcom/xcom/xcom_ssl_transport.cc +@@ -325,6 +325,7 @@ error: + return 1; + } + ++#if defined(OPENSSL_FIPS) + #define OPENSSL_ERROR_LENGTH 512 + static int configure_ssl_fips_mode(const uint fips_mode) { + int rc = -1; +@@ -348,6 +349,7 @@ static int configure_ssl_fips_mode(const uint fips_mode) { + EXIT: + return rc; + } ++#endif + + static int configure_ssl_ca(SSL_CTX *ssl_ctx, const char *ca_file, + const char *ca_path) { +@@ -544,10 +546,12 @@ int xcom_init_ssl(const char *server_key_file, const char *server_cert_file, + int verify_server = SSL_VERIFY_NONE; + int verify_client = SSL_VERIFY_NONE; + ++#if defined(OPENSSL_FIPS) + if (configure_ssl_fips_mode(ssl_fips_mode) != 1) { + G_ERROR("Error setting the ssl fips mode"); + goto error; + } ++#endif + + SSL_library_init(); + SSL_load_error_strings(); +diff --git a/plugin/x/client/xconnection_impl.cc b/plugin/x/client/xconnection_impl.cc +index c1686c6d5..3ae34fdfd 100644 +--- a/plugin/x/client/xconnection_impl.cc ++++ b/plugin/x/client/xconnection_impl.cc +@@ -617,6 +617,7 @@ XError Connection_impl::get_ssl_error(const int error_id) { + return XError(CR_SSL_CONNECTION_ERROR, buffer); + } + ++#if defined(OPENSSL_FIPS) + /** + Set fips mode in openssl library, + When we set fips mode ON/STRICT, it will perform following operations: +@@ -656,6 +657,7 @@ int set_fips_mode(const uint32_t fips_mode, + EXIT: + return rc; + } ++#endif + + XError Connection_impl::activate_tls() { + if (nullptr == m_vio) return get_socket_error(SOCKET_ECONNRESET); +@@ -666,12 +668,14 @@ XError Connection_impl::activate_tls() { + if (!m_context->m_ssl_config.is_configured()) + return XError{CR_SSL_CONNECTION_ERROR, ER_TEXT_TLS_NOT_CONFIGURATED, true}; + ++#if defined(OPENSSL_FIPS) + char err_string[OPENSSL_ERROR_LENGTH] = {'\0'}; + if (set_fips_mode( + static_cast(m_context->m_ssl_config.m_ssl_fips_mode), + err_string) != 1) { + return XError{CR_SSL_CONNECTION_ERROR, err_string, true}; + } ++#endif + auto ssl_ctx_flags = process_tls_version( + details::null_when_empty(m_context->m_ssl_config.m_tls_version)); + +diff --git a/sql-common/client.cc b/sql-common/client.cc +index 1316d54a7..554970378 100644 +--- a/sql-common/client.cc ++++ b/sql-common/client.cc +@@ -8019,6 +8019,7 @@ int STDCALL mysql_options(MYSQL *mysql, enum mysql_option option, + return 1; + break; + case MYSQL_OPT_SSL_FIPS_MODE: { ++#if defined(OPENSSL_FIPS) + char ssl_err_string[OPENSSL_ERROR_LENGTH] = {'\0'}; + ENSURE_EXTENSIONS_PRESENT(&mysql->options); + mysql->options.extension->ssl_fips_mode = *static_cast(arg); +@@ -8030,6 +8031,7 @@ int STDCALL mysql_options(MYSQL *mysql, enum mysql_option option, + "Set Fips mode ON/STRICT failed, detail: '%s'.", ssl_err_string); + return 1; + } ++#endif + } break; + case MYSQL_OPT_SSL_MODE: + ENSURE_EXTENSIONS_PRESENT(&mysql->options); +diff --git a/sql/mysqld.cc b/sql/mysqld.cc +index 83643f76a..dfdc23ab7 100644 +--- a/sql/mysqld.cc ++++ b/sql/mysqld.cc +@@ -5134,12 +5134,14 @@ static void init_ssl() { + } + + static int init_ssl_communication() { ++#if defined(OPENSSL_FIPS) + char ssl_err_string[OPENSSL_ERROR_LENGTH] = {'\0'}; + int ret_fips_mode = set_fips_mode(opt_ssl_fips_mode, ssl_err_string); + if (ret_fips_mode != 1) { + LogErr(ERROR_LEVEL, ER_SSL_FIPS_MODE_ERROR, ssl_err_string); + return 1; + } ++#endif + if (TLS_channel::singleton_init(&mysql_main, mysql_main_channel, opt_use_ssl, + &server_main_callback, opt_initialize)) + return 1; +diff --git a/sql/sys_vars.cc b/sql/sys_vars.cc +index 3b8473bd1..c22c38305 100644 +--- a/sql/sys_vars.cc ++++ b/sql/sys_vars.cc +@@ -4614,6 +4614,7 @@ static Sys_var_ulong Sys_max_execution_time( + HINT_UPDATEABLE SESSION_VAR(max_execution_time), CMD_LINE(REQUIRED_ARG), + VALID_RANGE(0, ULONG_MAX), DEFAULT(0), BLOCK_SIZE(1)); + ++#if defined(OPENSSL_FIPS) + static bool update_fips_mode(sys_var *, THD *, enum_var_type) { + char ssl_err_string[OPENSSL_ERROR_LENGTH] = {'\0'}; + if (set_fips_mode(opt_ssl_fips_mode, ssl_err_string) != 1) { +@@ -4624,15 +4625,30 @@ static bool update_fips_mode(sys_var *, THD *, enum_var_type) { + return false; + } + } ++#endif + ++#if defined(OPENSSL_FIPS) + static const char *ssl_fips_mode_names[] = {"OFF", "ON", "STRICT", nullptr}; ++#else ++static const char *ssl_fips_mode_names[] = {"OFF", 0}; ++#endif + static Sys_var_enum Sys_ssl_fips_mode( + "ssl_fips_mode", + "SSL FIPS mode (applies only for OpenSSL); " ++#if defined(OPENSSL_FIPS) + "permitted values are: OFF, ON, STRICT", ++#else ++ "permitted values are: OFF", ++#endif + GLOBAL_VAR(opt_ssl_fips_mode), CMD_LINE(REQUIRED_ARG, OPT_SSL_FIPS_MODE), + ssl_fips_mode_names, DEFAULT(0), NO_MUTEX_GUARD, NOT_IN_BINLOG, +- ON_CHECK(nullptr), ON_UPDATE(update_fips_mode), nullptr); ++ ON_CHECK(NULL), ++#if defined(OPENSSL_FIPS) ++ ON_UPDATE(update_fips_mode), ++#else ++ ON_UPDATE(NULL), ++#endif ++ NULL); + + static Sys_var_bool Sys_auto_generate_certs( + "auto_generate_certs", +diff --git a/vio/viosslfactories.cc b/vio/viosslfactories.cc +index c25117bd0..11b466bcf 100644 +--- a/vio/viosslfactories.cc ++++ b/vio/viosslfactories.cc +@@ -472,6 +472,7 @@ void ssl_start() { + } + } + ++#if defined(OPENSSL_FIPS) + /** + Set fips mode in openssl library, + When we set fips mode ON/STRICT, it will perform following operations: +@@ -525,6 +526,7 @@ EXIT: + @returns openssl current fips mode + */ + uint get_fips_mode() { return FIPS_mode(); } ++#endif + + long process_tls_version(const char *tls_version) { + const char *separator = ","; +-- +2.32.0 + -- cgit v1.2.3-65-gdbad