git: 81d71f93c329 - main - databases/mysql80-server: Fix build with libressl

From: Felix Palmen <zirias_at_FreeBSD.org>
Date: Wed, 13 Dec 2023 10:57:19 UTC
The branch main has been updated by zirias:

URL: https://cgit.FreeBSD.org/ports/commit/?id=81d71f93c329a6d328dc7dddc5db2eb3cd51e1b8

commit 81d71f93c329a6d328dc7dddc5db2eb3cd51e1b8
Author:     Felix Palmen <zirias@FreeBSD.org>
AuthorDate: 2023-12-04 06:50:03 +0000
Commit:     Felix Palmen <zirias@FreeBSD.org>
CommitDate: 2023-12-13 10:56:43 +0000

    databases/mysql80-server: Fix build with libressl
    
    Upstream commit d737d2a [1] introduced three code paths for OpenSSL
    <1.1, >=3.0 and between, none of which currently works with LibreSSL.
    3.x APIs are not yet supported, and the code path for <1.1 directly
    accesses struct members that were made opaque in LibreSSL as well.
    Finally, the code path for >=1.1 uses DH_new_by_nid() which is missing
    from LibreSSL.
    
    Therefore add a patch introducing a fourth code path, doing essentially
    the same as the version for OpenSSL <1.1, but using the accessor methods
    instead of directly accessing struct members.
    
    Also remove patches for viossl[factories].cc, which aren't needed any
    more for current LibreSSL.
    
    [1] https://github.com/mysql/mysql-server/commit/d737d2a3ef6fc82d933a2345769835e8c2e4f700
    
    Approved by:            joneum (maintainer, via private mail)
    Differential Revision:  https://reviews.freebsd.org/D42922
---
 .../files/patch-include_dh__ecdh__config.h         | 63 ++++++++++++++++++++++
 databases/mysql80-server/files/patch-vio_viossl.cc | 30 -----------
 .../files/patch-vio_viosslfactories.cc             | 46 ----------------
 3 files changed, 63 insertions(+), 76 deletions(-)

diff --git a/databases/mysql80-server/files/patch-include_dh__ecdh__config.h b/databases/mysql80-server/files/patch-include_dh__ecdh__config.h
new file mode 100644
index 000000000000..a33067bbd562
--- /dev/null
+++ b/databases/mysql80-server/files/patch-include_dh__ecdh__config.h
@@ -0,0 +1,63 @@
+--- include/dh_ecdh_config.h.orig	2023-12-03 10:42:56 UTC
++++ include/dh_ecdh_config.h
+@@ -38,7 +38,7 @@
+ #endif /* OPENSSL_VERSION_NUMBER < 0x10002000L */
+ 
+ namespace {
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ /* Following primes are from https://www.rfc-editor.org/rfc/rfc7919#appendix-A
+  */
+ 
+@@ -257,6 +257,7 @@ bool set_dh(SSL_CTX *ctx) {
+ 
+   DH *dh = nullptr;
+ #if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if !defined(LIBRESSL_VERSION_NUMBER)
+   switch (security_level) {
+     case 1:
+       [[fallthrough]];
+@@ -275,6 +276,43 @@ bool set_dh(SSL_CTX *ctx) {
+     default:
+       break;
+   };
++#else
++  dh = DH_new();
++  if (!dh) return true;
++
++  BIGNUM *dhp = nullptr;
++  BIGNUM *dhg = nullptr;
++  switch (security_level) {
++    case 1:
++      [[fallthrough]];
++    case 2:
++      dhp =
++          BN_bin2bn(rfc7919_ffdhe2048_p, sizeof(rfc7919_ffdhe2048_p), nullptr);
++      break;
++    case 3:
++      dhp =
++          BN_bin2bn(rfc7919_ffdhe3072_p, sizeof(rfc7919_ffdhe3072_p), nullptr);
++      break;
++    case 4:
++      dhp =
++          BN_bin2bn(rfc7919_ffdhe8192_p, sizeof(rfc7919_ffdhe8192_p), nullptr);
++      break;
++    case 5:
++      /* There is no RFC7919 approved prime for sec level 5 */
++      [[fallthrough]];
++    default:
++      DH_free(dh);
++      return true;
++  };
++
++  dhg = BN_bin2bn(rfc7919_g, sizeof(rfc7919_g), nullptr);
++  if (!dhp || !dhg || !DH_set0_pqg(dh, dhp, nullptr, dhg)) {
++    DH_free(dh);
++    BN_free(dhg);
++    BN_free(dhp);
++    return true;
++  }
++#endif /* !defined(LIBRESSL_VERSION_NUMBER) */
+ #else  /* OPENSSL_VERSION_NUMBER >= 0x10100000L */
+   dh = DH_new();
+   if (!dh) return true;
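Review bot: In the new LibreSSL arm, `case 5`/`default` fail hard (`DH_free(dh); return true;`) where the adjacent OpenSSL ≥1.1 arm at the same point only `break`s and leaves `dh` null; whether the two behave the same depends on how set_dh treats a null `dh` after `#endif`, which lies outside the hunk (set_dh begins before and continues after it). If that trailing code tolerates a null `dh` as "no DH group configured", the LibreSSL path turns security level 5 into a context-setup error rather than matching it, so the intent deserves a one-line comment on the `default:` arm either way. The branch also carries no explanation of why it exists; I would put `/* LibreSSL: no DH_new_by_nid() and DH is opaque, so build the RFC 7919 group from the tables above via DH_set0_pqg(). */` directly above `dh = DH_new();` after the `#else`. The cleanup on the error path looks right as far as I know: DH_set0_pqg() takes ownership of p and g only when it succeeds, so freeing both after a failed call is correct and `BN_free(nullptr)` is a no-op.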
diff --git a/databases/mysql80-server/files/patch-vio_viossl.cc b/databases/mysql80-server/files/patch-vio_viossl.cc
deleted file mode 100644
index 8fe78ce89f2a..000000000000
--- a/databases/mysql80-server/files/patch-vio_viossl.cc
+++ /dev/null
@@ -1,30 +0,0 @@
---- vio/viossl.cc.orig	2021-12-17 16:07:27 UTC
-+++ vio/viossl.cc
-@@ -45,7 +45,8 @@
-   BIO_set_callback_ex was added in openSSL 1.1.1
-   For older openSSL, use the deprecated BIO_set_callback.
- */
--#if OPENSSL_VERSION_NUMBER >= 0x10101000L
-+#if OPENSSL_VERSION_NUMBER >= 0x10101000L && \
-+    !defined(LIBRESSL_VERSION_NUMBER)
- #define HAVE_BIO_SET_CALLBACK_EX
- #endif
- 
-@@ -640,7 +641,7 @@ static int ssl_do(struct st_VioSSLFd *ptr, Vio *vio, l
- #if !defined(NDEBUG)
-     {
-       STACK_OF(SSL_COMP) *ssl_comp_methods = nullptr;
--      ssl_comp_methods = SSL_COMP_get_compression_methods();
-+      ssl_comp_methods = (STACK_OF(SSL_COMP) *)SSL_COMP_get_compression_methods();
-       n = sk_SSL_COMP_num(ssl_comp_methods);
-       DBUG_PRINT("info", ("Available compression methods:\n"));
-       if (n == 0)
-@@ -648,7 +649,7 @@ static int ssl_do(struct st_VioSSLFd *ptr, Vio *vio, l
-       else
-         for (j = 0; j < n; j++) {
-           SSL_COMP *c = sk_SSL_COMP_value(ssl_comp_methods, j);
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
-           DBUG_PRINT("info", ("  %d: %s\n", c->id, c->name));
- #else  /* OPENSSL_VERSION_NUMBER < 0x10100000L */
-           DBUG_PRINT("info",
diff --git a/databases/mysql80-server/files/patch-vio_viosslfactories.cc b/databases/mysql80-server/files/patch-vio_viosslfactories.cc
deleted file mode 100644
index 4951cc995df3..000000000000
--- a/databases/mysql80-server/files/patch-vio_viosslfactories.cc
+++ /dev/null
@@ -1,46 +0,0 @@
---- vio/viosslfactories.cc.orig	2023-11-18 20:56:37.098235000 +0100
-+++ vio/viosslfactories.cc	2023-11-19 09:20:02.284708000 +0100
-@@ -43,6 +43,7 @@
- #include <dh_ecdh_config.h>
- 
- #include "my_openssl_fips.h"
-+#include "openssl/crypto.h"
- #define TLS_VERSION_OPTION_SIZE 256
- 
- /*
-@@ -417,7 +418,7 @@ long process_tls_version(const char *tls_version) {
-   const char *separator = ",";
-   char *token, *lasts = nullptr;
- 
--#ifdef HAVE_TLSv13
-+#if defined(HAVE_TLSv13) && !defined(LIBRESSL_VERSION_NUMBER)
-   const char *tls_version_name_list[] = {"TLSv1.2", "TLSv1.3"};
-   const char ctx_flag_default[] = "TLSv1.2,TLSv1.3";
-   const long tls_ctx_list[] = {SSL_OP_NO_TLSv1_2, SSL_OP_NO_TLSv1_3};
-@@ -489,7 +490,7 @@ static struct st_VioSSLFd *new_VioSSLFd(
-   ssl_ctx_options = (ssl_ctx_options | ssl_ctx_flags) &
-                     (SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 |
-                      SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2
--#ifdef HAVE_TLSv13
-+#if defined(HAVE_TLSv13) && !defined(LIBRESSL_VERSION_NUMBER)
-                      | SSL_OP_NO_TLSv1_3
- #endif /* HAVE_TLSv13 */
-                      | SSL_OP_NO_TICKET);
-@@ -498,7 +499,7 @@ static struct st_VioSSLFd *new_VioSSLFd(
-     return nullptr;
- 
-   if (!(ssl_fd->ssl_context = SSL_CTX_new(is_client ?
--#ifdef HAVE_TLSv13
-+#if defined(HAVE_TLSv13) && !defined(LIBRESSL_VERSION_NUMBER)
-                                                     TLS_client_method()
-                                                     : TLS_server_method()
- #else  /* HAVE_TLSv13 */
-@@ -513,7 +514,7 @@ static struct st_VioSSLFd *new_VioSSLFd(
-     return nullptr;
-   }
- 
--#ifdef HAVE_TLSv13
-+#if defined(HAVE_TLSv13) && !defined(LIBRESSL_VERSION_NUMBER)
-   /*
-     Set OpenSSL TLS v1.3 ciphersuites.
-     Note that an empty list is permissible.