diff --git a/databases/mysql80-server/files/patch-include_dh__ecdh__config.h b/databases/mysql80-server/files/patch-include_dh__ecdh__config.h
new file mode 100644
--- /dev/null
+++ b/databases/mysql80-server/files/patch-include_dh__ecdh__config.h
@@ -0,0 +1,63 @@
+--- include/dh_ecdh_config.h.orig 2023-12-03 10:42:56 UTC
++++ include/dh_ecdh_config.h
+@@ -38,7 +38,7 @@
+ #endif /* OPENSSL_VERSION_NUMBER < 0x10002000L */
+
+ namespace {
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ /* Following primes are from https://www.rfc-editor.org/rfc/rfc7919#appendix-A
+ */
+
+@@ -257,6 +257,7 @@ bool set_dh(SSL_CTX *ctx) {
+
+ DH *dh = nullptr;
+ #if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if !defined(LIBRESSL_VERSION_NUMBER)
+ switch (security_level) {
+ case 1:
+ [[fallthrough]];
+@@ -275,6 +276,43 @@ bool set_dh(SSL_CTX *ctx) {
+ default:
+ break;
+ };
++#else
++ dh = DH_new();
++ if (!dh) return true;
++
++ BIGNUM *dhp = nullptr;
++ BIGNUM *dhg = nullptr;
++ switch (security_level) {
++ case 1:
++ [[fallthrough]];
++ case 2:
++ dhp =
++ BN_bin2bn(rfc7919_ffdhe2048_p, sizeof(rfc7919_ffdhe2048_p), nullptr);
++ break;
++ case 3:
++ dhp =
++ BN_bin2bn(rfc7919_ffdhe3072_p, sizeof(rfc7919_ffdhe3072_p), nullptr);
++ break;
++ case 4:
++ dhp =
++ BN_bin2bn(rfc7919_ffdhe8192_p, sizeof(rfc7919_ffdhe8192_p), nullptr);
++ break;
++ case 5:
++ /* There is no RFC7919 approved prime for sec level 5 */
++ [[fallthrough]];
++ default:
++ DH_free(dh);
++ return true;
++ };
++
++ dhg = BN_bin2bn(rfc7919_g, sizeof(rfc7919_g), nullptr);
++ if (!dhp || !dhg || !DH_set0_pqg(dh, dhp, nullptr, dhg)) {
++ DH_free(dh);
++ BN_free(dhg);
++ BN_free(dhp);
++ return true;
++ }
++#endif /* !defined(LIBRESSL_VERSION_NUMBER) */
+ #else /* OPENSSL_VERSION_NUMBER >= 0x10100000L */
+ dh = DH_new();
+ if (!dh) return true;
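Review bot: The new LibreSSL branch of set_dh (between `++#else` and `++#endif /* !defined(LIBRESSL_VERSION_NUMBER) */`) carries no comment explaining why LibreSSL can share neither the OpenSSL >= 1.1.0 switch above it nor the pre-1.1.0 `#else` branch that the hunk's tail shows opening with the identical `dh = DH_new(); if (!dh) return true;` lines, so the next maintainer cannot tell whether this third copy is still needed once LibreSSL grows the missing API. Suggest a comment directly above the new `dh = DH_new();`, along the lines of `/* LibreSSL: opaque DH API as in OpenSSL >= 1.1.0, but without the helpers the switch above relies on, so build the RFC 7919 group from the raw primes via DH_set0_pqg. */`, with the wording adjusted to whatever that OpenSSL switch body (outside this hunk) actually uses. The cleanup path itself looks sound: `DH_set0_pqg` is only reached once both BIGNUMs are non-null, and as far as both OpenSSL's and LibreSSL's implementations go its failure check precedes the ownership transfer, so the `BN_free` calls after a failure do not double-free; the primes are the RFC 7919 FFDHE groups named in the comment at the top of the hunk, so the fallback does not weaken the parameter choice. set_dh continues past the end of the hunk, so whether `dh` is released after it is installed on the context cannot be checked here.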
diff --git a/databases/mysql80-server/files/patch-vio_viossl.cc b/databases/mysql80-server/files/patch-vio_viossl.cc
deleted file mode 100644
--- a/databases/mysql80-server/files/patch-vio_viossl.cc
+++ /dev/null
@@ -1,30 +0,0 @@
---- vio/viossl.cc.orig 2021-12-17 16:07:27 UTC
-+++ vio/viossl.cc
-@@ -45,7 +45,8 @@
- BIO_set_callback_ex was added in openSSL 1.1.1
- For older openSSL, use the deprecated BIO_set_callback.
- */
--#if OPENSSL_VERSION_NUMBER >= 0x10101000L
-+#if OPENSSL_VERSION_NUMBER >= 0x10101000L && \
-+ !defined(LIBRESSL_VERSION_NUMBER)
- #define HAVE_BIO_SET_CALLBACK_EX
- #endif
-
-@@ -640,7 +641,7 @@ static int ssl_do(struct st_VioSSLFd *ptr, Vio *vio, l
- #if !defined(NDEBUG)
- {
- STACK_OF(SSL_COMP) *ssl_comp_methods = nullptr;
-- ssl_comp_methods = SSL_COMP_get_compression_methods();
-+ ssl_comp_methods = (STACK_OF(SSL_COMP) *)SSL_COMP_get_compression_methods();
- n = sk_SSL_COMP_num(ssl_comp_methods);
- DBUG_PRINT("info", ("Available compression methods:\n"));
- if (n == 0)
-@@ -648,7 +649,7 @@ static int ssl_do(struct st_VioSSLFd *ptr, Vio *vio, l
- else
- for (j = 0; j < n; j++) {
- SSL_COMP *c = sk_SSL_COMP_value(ssl_comp_methods, j);
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- DBUG_PRINT("info", (" %d: %s\n", c->id, c->name));
- #else /* OPENSSL_VERSION_NUMBER < 0x10100000L */
- DBUG_PRINT("info",
diff --git a/databases/mysql80-server/files/patch-vio_viosslfactories.cc b/databases/mysql80-server/files/patch-vio_viosslfactories.cc
deleted file mode 100644
--- a/databases/mysql80-server/files/patch-vio_viosslfactories.cc
+++ /dev/null
@@ -1,46 +0,0 @@
---- vio/viosslfactories.cc.orig 2023-11-18 20:56:37.098235000 +0100
-+++ vio/viosslfactories.cc 2023-11-19 09:20:02.284708000 +0100
-@@ -43,6 +43,7 @@
- #include
-
- #include "my_openssl_fips.h"
-+#include "openssl/crypto.h"
- #define TLS_VERSION_OPTION_SIZE 256
-
- /*
-@@ -417,7 +418,7 @@ long process_tls_version(const char *tls_version) {
- const char *separator = ",";
- char *token, *lasts = nullptr;
-
--#ifdef HAVE_TLSv13
-+#if defined(HAVE_TLSv13) && !defined(LIBRESSL_VERSION_NUMBER)
- const char *tls_version_name_list[] = {"TLSv1.2", "TLSv1.3"};
- const char ctx_flag_default[] = "TLSv1.2,TLSv1.3";
- const long tls_ctx_list[] = {SSL_OP_NO_TLSv1_2, SSL_OP_NO_TLSv1_3};
-@@ -489,7 +490,7 @@ static struct st_VioSSLFd *new_VioSSLFd(
- ssl_ctx_options = (ssl_ctx_options | ssl_ctx_flags) &
- (SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 |
- SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2
--#ifdef HAVE_TLSv13
-+#if defined(HAVE_TLSv13) && !defined(LIBRESSL_VERSION_NUMBER)
- | SSL_OP_NO_TLSv1_3
- #endif /* HAVE_TLSv13 */
- | SSL_OP_NO_TICKET);
-@@ -498,7 +499,7 @@ static struct st_VioSSLFd *new_VioSSLFd(
- return nullptr;
-
- if (!(ssl_fd->ssl_context = SSL_CTX_new(is_client ?
--#ifdef HAVE_TLSv13
-+#if defined(HAVE_TLSv13) && !defined(LIBRESSL_VERSION_NUMBER)
- TLS_client_method()
- : TLS_server_method()
- #else /* HAVE_TLSv13 */
-@@ -513,7 +514,7 @@ static struct st_VioSSLFd *new_VioSSLFd(
- return nullptr;
- }
-
--#ifdef HAVE_TLSv13
-+#if defined(HAVE_TLSv13) && !defined(LIBRESSL_VERSION_NUMBER)
- /*
- Set OpenSSL TLS v1.3 ciphersuites.
- Note that an empty list is permissible.