diff --git a/community-mysql-cmake.patch b/community-mysql-cmake.patch
new file mode 100644
index 0000000..1653627
--- /dev/null
+++ b/community-mysql-cmake.patch
@@ -0,0 +1,13 @@
+Include the library with function ADD_COMPILE_FLAGS()
+
+--- mysql-5.7.23/regex/CMakeLists.txt 2018-08-23 02:02:38.971432914 +0200
++++ mysql-5.7.23/regex/CMakeLists.txt_patched 2018-08-23 02:02:29.711608104 +0200
+@@ -15,6 +15,8 @@
+
+ INCLUDE_DIRECTORIES(${CMAKE_SOURCE_DIR}/include)
+
++INCLUDE(${MYSQL_CMAKE_SCRIPT_DIR}/compile_flags.cmake)
++
+ MY_CHECK_C_COMPILER_FLAG("-Wstringop-truncation" HAVE_STRINGOP_TRUNCATION)
+ IF(HAVE_STRINGOP_TRUNCATION)
+ ADD_COMPILE_FLAGS(
diff --git a/community-mysql-openssl11.patch b/community-mysql-openssl11.patch
deleted file mode 100644
index a3c29b7..0000000
--- a/community-mysql-openssl11.patch
+++ /dev/null
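Review bot: The inner patch's `+++` header names `mysql-5.7.23/regex/CMakeLists.txt_patched`, which is not a file in the source tree, so `%patch74 -p1` presumably applies only because patch(1) falls back to the existing name on the `---` line; regenerating the patch so both headers name `regex/CMakeLists.txt` removes that reliance on the tool's file-selection behaviour. The one-line description also does not say what breaks without the include or where the problem is tracked; I would extend it to something like `regex/CMakeLists.txt calls ADD_COMPILE_FLAGS() without including compile_flags.cmake; upstream report: <bug URL>`. The added `INCLUDE` depends on `MYSQL_CMAKE_SCRIPT_DIR` being set before `regex/` is processed, which is not visible in this hunk. The inner hunk ends inside the open `ADD_COMPILE_FLAGS(` call.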
@@ -1,517 +0,0 @@ -Add OpenSSL 1.1 compatibility - -Based on patches in upstream tracker (bellow), and patches from MariaDB for the same feature. - -Upstream tracker: https://bugs.mysql.com/bug.php?id=83814 - -diff -rup mysql-5.7.20-sslbak/mysql-test/suite/auth_sec/t/mysql_ssl_connection.test mysql-5.7.20/mysql-test/suite/auth_sec/t/mysql_ssl_connection.test ---- mysql-5.7.20-sslbak/mysql-test/suite/auth_sec/t/mysql_ssl_connection.test 2017-12-08 09:00:52.578760787 +0100 -+++ mysql-5.7.20/mysql-test/suite/auth_sec/t/mysql_ssl_connection.test 2017-12-08 22:19:40.033870734 +0100 -@@ -7,7 +7,7 @@ - connection default; - CREATE USER u_20693153@localhost IDENTIFIED BY 'abcd'; - ----replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER -+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER - --exec $MYSQL --protocol=TCP -uu_20693153 -pabcd --ssl-ca=$MYSQL_TEST_DIR/std_data/cacert.pem -e "SHOW STATUS LIKE 'Ssl_cipher';" - - DROP USER u_20693153@localhost; -diff -rup mysql-5.7.20-sslbak/mysql-test/suite/auth_sec/t/openssl_cert_generation.test mysql-5.7.20/mysql-test/suite/auth_sec/t/openssl_cert_generation.test ---- mysql-5.7.20-sslbak/mysql-test/suite/auth_sec/t/openssl_cert_generation.test 2017-12-08 09:00:52.579760795 +0100 -+++ mysql-5.7.20/mysql-test/suite/auth_sec/t/openssl_cert_generation.test 2017-12-08 22:19:40.033870734 +0100 -@@ -183,7 +183,7 @@ let SEARCH_PATTERN= Auto generated SSL c - --file_exists $MYSQLTEST_VARDIR/mysqld.1/data/public_key.pem - - --echo # Ensure that server is ssl enabled ----replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER -+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER - --exec $MYSQL -uroot --ssl-mode=REQUIRED -e "show status like 'Ssl_cipher'" - #----------------------------------------------------------------------------- - -@@ 
-285,7 +285,7 @@ grant usage on *.* to wl7699_sha256 iden - - # Using SSL certificates - --echo # Should be able to connect to server using generated SSL certificates. ----replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER -+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER - --exec $MYSQL -uwl7699_sha256 -pabcd --ssl-mode=REQUIRED -e "show status like 'Ssl_cipher'" - # Using RSA key pair - --echo # Should be able to connect to server using RSA key pair. -@@ -351,7 +351,7 @@ show variables like 'sha256%'; - - --echo # 6.3 : SSL connection - --echo # Should be able to connect to server using generated SSL certificates. ----replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER -+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER - --exec $MYSQL -uroot --ssl-mode=REQUIRED -e "show status like 'Ssl_cipher'" - - -@@ -362,7 +362,7 @@ grant usage on *.* to wl7699_sha256 iden - - # Using SSL certificates - --echo # Should be able to connect to server using generated SSL certificates. ----replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER -+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER - --exec $MYSQL -uwl7699_sha256 -pabcd --ssl-mode=REQUIRED -e "show status like 'Ssl_cipher'" - # Using RSA key pair - --echo # Should be able to connect to server using RSA key pair. 
-diff -rup mysql-5.7.20-sslbak/mysql-test/suite/auth_sec/t/ssl_auto_detect.test mysql-5.7.20/mysql-test/suite/auth_sec/t/ssl_auto_detect.test ---- mysql-5.7.20-sslbak/mysql-test/suite/auth_sec/t/ssl_auto_detect.test 2017-12-08 09:00:52.583760826 +0100 -+++ mysql-5.7.20/mysql-test/suite/auth_sec/t/ssl_auto_detect.test 2017-12-08 22:19:40.034870741 +0100 -@@ -54,7 +54,7 @@ let SEARCH_PATTERN= CA certificate .* is - - --echo # Try to establish SSL connection : This must succeed. - connect (ssl_root_1,localhost,root,,,,,SSL); ----replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER -+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER - SHOW STATUS LIKE 'Ssl_cipher'; - SHOW VARIABLES LIKE 'have_ssl'; - -@@ -68,7 +68,7 @@ connection default; - disconnect ssl_root_1; - - --echo # Connect using mysql client : This must succeed. ----replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER -+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER - --exec $MYSQL -uroot --ssl-mode=REQUIRED -e "show status like 'Ssl_cipher';" - - -@@ -140,7 +140,7 @@ let SEARCH_PATTERN= CA certificate .* is - --source include/search_pattern_in_file.inc - - --echo # Try creating SSL connection ----replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER -+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER - --exec $MYSQL -uroot --ssl-mode=REQUIRED -e "show status like 'Ssl_cipher';" - - -diff -rup mysql-5.7.20-sslbak/mysql-test/suite/auth_sec/t/tls.test mysql-5.7.20/mysql-test/suite/auth_sec/t/tls.test ---- mysql-5.7.20-sslbak/mysql-test/suite/auth_sec/t/tls.test 2017-12-08 09:00:52.584760834 +0100 -+++ mysql-5.7.20/mysql-test/suite/auth_sec/t/tls.test 2017-12-08 22:56:42.786710772 +0100 -@@ -36,7 +36,7 @@ let 
$cipher_default= DHE-RSA-AES256-SHA; - let $tls_default= TLSv1.1; - let $openssl= query_get_value("SHOW STATUS LIKE 'Rsa_public_key'", Variable_name, 1); - if ($openssl == 'Rsa_public_key'){ -- let $cipher_default= DHE-RSA-AES128-GCM-SHA256; -+ let $cipher_default= ECDHE-RSA-AES128-GCM-SHA256; - let $tls_default= TLSv1.2; - } - --echo #T1: Default TLS connection -diff -rup mysql-5.7.20-sslbak/mysql-test/t/mysql_ssl_default.test mysql-5.7.20/mysql-test/t/mysql_ssl_default.test ---- mysql-5.7.20-sslbak/mysql-test/t/mysql_ssl_default.test 2017-12-08 09:00:55.717784968 +0100 -+++ mysql-5.7.20/mysql-test/t/mysql_ssl_default.test 2017-12-08 22:19:40.035870748 +0100 -@@ -14,15 +14,15 @@ - - --echo # verify that mysql default connect with ssl channel when using TCP/IP - --echo # connection ----replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER -+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER - --exec $MYSQL --host=127.0.0.1 -P $MASTER_MYPORT -e "SHOW STATUS like 'Ssl_cipher'" - - --echo # verify that mysql --ssl=0 connect with unencrypted channel ----replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER -+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER - --exec $MYSQL --host=127.0.0.1 -P $MASTER_MYPORT -e "SHOW STATUS like 'Ssl_cipher'" --ssl-mode=DISABLED - - --echo # verify that mysql --ssl=1 connect with ssl channel ----replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER -+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER - --exec $MYSQL --host=127.0.0.1 -P $MASTER_MYPORT -e "SHOW STATUS like 'Ssl_cipher'" --ssl-mode=REQUIRED - - CREATE USER u1@localhost IDENTIFIED BY 'secret' REQUIRE SSL; -diff -rup mysql-5.7.20-sslbak/mysql-test/t/openssl_1.test 
mysql-5.7.20/mysql-test/t/openssl_1.test ---- mysql-5.7.20-sslbak/mysql-test/t/openssl_1.test 2017-12-08 09:00:55.729785060 +0100 -+++ mysql-5.7.20/mysql-test/t/openssl_1.test 2017-12-08 22:19:40.035870748 +0100 -@@ -19,17 +19,17 @@ insert into t1 values (5); - let $cipher_val= "DHE-RSA-AES256-SHA"; - let $shavars= query_get_value("SHOW STATUS LIKE 'Rsa_public_key'", Variable_name, 1); - if ($shavars == 'Rsa_public_key'){ -- let $cipher_val= "DHE-RSA-AES128-GCM-SHA256"; -+ let $cipher_val= "ECDHE-RSA-AES128-GCM-SHA256"; - } - - grant select on test.* to ssl_user1@localhost require SSL; ----replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER -+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER - -- eval grant select on test.* to ssl_user2@localhost require cipher $cipher_val ----replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER -+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER - -- eval grant select on test.* to ssl_user3@localhost require cipher $cipher_val AND SUBJECT "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=Client" ----replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER -+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER - -- eval grant select on test.* to ssl_user4@localhost require cipher $cipher_val AND SUBJECT "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=Client" ISSUER "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=CA" ----replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER -+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER - -- eval grant select on test.* to ssl_user5@localhost require cipher $cipher_val AND SUBJECT "xxx" - 
flush privileges; - -@@ -43,7 +43,7 @@ connect (con5,localhost,ssl_user5,,,,,SS - - connection con1; - # Check ssl turned on ----replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER -+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER - SHOW STATUS LIKE 'Ssl_cipher'; - select * from t1; - --error ER_TABLEACCESS_DENIED_ERROR -@@ -51,7 +51,7 @@ delete from t1; - - connection con2; - # Check ssl turned on ----replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER -+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER - SHOW STATUS LIKE 'Ssl_cipher'; - select * from t1; - --error ER_TABLEACCESS_DENIED_ERROR -@@ -59,7 +59,7 @@ delete from t1; - - connection con3; - # Check ssl turned on ----replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER -+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER - SHOW STATUS LIKE 'Ssl_cipher'; - select * from t1; - --error ER_TABLEACCESS_DENIED_ERROR -@@ -67,7 +67,7 @@ delete from t1; - - connection con4; - # Check ssl turned on ----replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER -+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER - SHOW STATUS LIKE 'Ssl_cipher'; - select * from t1; - --error ER_TABLEACCESS_DENIED_ERROR -@@ -142,7 +142,7 @@ drop table t1; - # verification of servers certificate by setting both ca certificate - # and ca path to NULL - # ----replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER -+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER - --exec $MYSQL --ssl-mode=REQUIRED 
--ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem -e "SHOW STATUS LIKE 'ssl_Cipher'" 2>&1 - --echo End of 5.0 tests - -@@ -269,7 +269,7 @@ select 'is still running; no cipher requ - GRANT SELECT ON test.* TO bug42158@localhost REQUIRE X509; - FLUSH PRIVILEGES; - connect(con1,localhost,bug42158,,,,,SSL); ----replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER -+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER - SHOW STATUS LIKE 'Ssl_cipher'; - disconnect con1; - connection default; -diff -rup mysql-5.7.20-sslbak/mysql-test/t/plugin_auth_sha256_tls.test mysql-5.7.20/mysql-test/t/plugin_auth_sha256_tls.test ---- mysql-5.7.20-sslbak/mysql-test/t/plugin_auth_sha256_tls.test 2017-12-08 09:00:55.747785199 +0100 -+++ mysql-5.7.20/mysql-test/t/plugin_auth_sha256_tls.test 2017-12-08 22:19:40.035870748 +0100 -@@ -2,7 +2,7 @@ - --source include/have_ssl.inc - - connect (ssl_con,localhost,root,,,,,SSL); ----replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER -+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER - SHOW STATUS LIKE 'Ssl_cipher'; - - CREATE USER 'kristofer' IDENTIFIED WITH 'sha256_password'; -diff -rup mysql-5.7.20-sslbak/mysql-test/t/ssl_8k_key.test mysql-5.7.20/mysql-test/t/ssl_8k_key.test ---- mysql-5.7.20-sslbak/mysql-test/t/ssl_8k_key.test 2017-12-08 09:00:55.772785392 +0100 -+++ mysql-5.7.20/mysql-test/t/ssl_8k_key.test 2017-12-08 22:19:40.036870755 +0100 -@@ -4,7 +4,7 @@ - # - # Bug#29784 YaSSL assertion failure when reading 8k key. 
- # ----replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER -+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER - --exec $MYSQL --ssl-mode=REQUIRED --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem -e "SHOW STATUS LIKE 'ssl_Cipher'" 2>&1 - - ## This test file is for testing encrypted communication only, not other -diff -rup mysql-5.7.20-sslbak/mysql-test/t/ssl_ca.test mysql-5.7.20/mysql-test/t/ssl_ca.test ---- mysql-5.7.20-sslbak/mysql-test/t/ssl_ca.test 2017-12-08 09:00:55.773785399 +0100 -+++ mysql-5.7.20/mysql-test/t/ssl_ca.test 2017-12-08 22:19:40.036870755 +0100 -@@ -10,7 +10,7 @@ - --exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/wrong-crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-cert.pem test -e "SHOW STATUS LIKE 'Ssl_cipher'" 2>&1 - - --echo # try to connect with correct '--ssl-ca' path : should connect ----replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER -+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER - --exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-cert.pem test -e "SHOW STATUS LIKE 'Ssl_cipher'" - - --echo # -@@ -22,15 +22,15 @@ - - --echo # try to connect with '--ssl-ca' option using tilde home directoy - --echo # path substitution : should connect ----replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER -+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER - --exec $MYSQL --ssl-ca=$mysql_test_dir_path/std_data/crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-key.pem 
--ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-cert.pem test -e "SHOW STATUS LIKE 'Ssl_cipher'" - - --echo # try to connect with '--ssl-key' option using tilde home directoy - --echo # path substitution : should connect ----replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER -+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER - --exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ssl-key=$mysql_test_dir_path/std_data/crl-client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-cert.pem test -e "SHOW STATUS LIKE 'Ssl_cipher'" - - --echo # try to connect with '--ssl-cert' option using tilde home directoy - --echo # path substitution : should connect ----replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER -+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER - --exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-key.pem --ssl-cert=$mysql_test_dir_path/std_data/crl-client-cert.pem test -e "SHOW STATUS LIKE 'Ssl_cipher'" -diff -rup mysql-5.7.20-sslbak/mysql-test/t/ssl_compress.test mysql-5.7.20/mysql-test/t/ssl_compress.test ---- mysql-5.7.20-sslbak/mysql-test/t/ssl_compress.test 2017-12-08 09:00:55.774785407 +0100 -+++ mysql-5.7.20/mysql-test/t/ssl_compress.test 2017-12-08 22:19:40.036870755 +0100 -@@ -17,7 +17,7 @@ - connect (ssl_compress_con,localhost,root,,,,,SSL COMPRESS); - - # Check ssl turned on ----replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER -+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER - SHOW STATUS LIKE 'Ssl_cipher'; - - # Check compression turned on -@@ -27,7 +27,7 @@ SHOW STATUS LIKE 'Compression'; - -- source include/common-tests.inc - - # Check ssl turned on 
----replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER -+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER - SHOW STATUS LIKE 'Ssl_cipher'; - - # Check compression turned on -diff -rup mysql-5.7.20-sslbak/mysql-test/t/ssl_crl.test mysql-5.7.20/mysql-test/t/ssl_crl.test ---- mysql-5.7.20-sslbak/mysql-test/t/ssl_crl.test 2017-12-08 09:00:55.774785407 +0100 -+++ mysql-5.7.20/mysql-test/t/ssl_crl.test 2017-12-08 22:19:40.037870762 +0100 -@@ -32,9 +32,11 @@ if (!$crllen) - --echo # try to connect with '--ssl-crl' option using tilde home directoy - --echo # path substitution : should connect - --replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR -+--replace_result ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256 - --exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-cert.pem test --ssl-crl=$mysql_test_dir_path/std_data/crl-client-revoked.crl -e "SHOW STATUS LIKE 'Ssl_cipher'" - - --echo # try to connect with '--ssl-crlpath' option using tilde home directoy - --echo # path substitution : should connect - --replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR -+--replace_result ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256 - --exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-cert.pem --ssl-crlpath=$mysql_test_dir_path/std_data/crldir test -e "SHOW STATUS LIKE 'Ssl_cipher'" -diff -rup mysql-5.7.20-sslbak/mysql-test/t/ssl.test mysql-5.7.20/mysql-test/t/ssl.test ---- mysql-5.7.20-sslbak/mysql-test/t/ssl.test 2017-12-08 09:00:55.772785392 +0100 -+++ mysql-5.7.20/mysql-test/t/ssl.test 2017-12-08 22:19:40.037870762 +0100 -@@ -16,7 +16,7 @@ - connect (ssl_con,localhost,root,,,,,SSL); - - # Check ssl turned on ----replace_result DHE-RSA-AES128-GCM-SHA256 
SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER -+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER - SHOW STATUS LIKE 'Ssl_cipher'; - - # Check ssl expiration -@@ -27,7 +27,7 @@ SHOW STATUS LIKE 'Ssl_server_not_after'; - -- source include/common-tests.inc - - # Check ssl turned on ----replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER -+--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER - SHOW STATUS LIKE 'Ssl_cipher'; - - connection default; -diff -rup mysql-5.7.20-sslbak/mysys_ssl/my_aes_openssl.cc mysql-5.7.20/mysys_ssl/my_aes_openssl.cc ---- mysql-5.7.20-sslbak/mysys_ssl/my_aes_openssl.cc 2017-12-08 09:00:55.851786000 +0100 -+++ mysql-5.7.20/mysys_ssl/my_aes_openssl.cc 2017-12-08 22:19:40.037870762 +0100 -@@ -122,7 +122,7 @@ int my_aes_encrypt(const unsigned char * - enum my_aes_opmode mode, const unsigned char *iv, - bool padding) - { -- EVP_CIPHER_CTX ctx; -+ EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new(); - const EVP_CIPHER *cipher= aes_evp_type(mode); - int u_len, f_len; - /* The real key to be used for encryption */ -@@ -132,23 +132,23 @@ int my_aes_encrypt(const unsigned char * - if (!cipher || (EVP_CIPHER_iv_length(cipher) > 0 && !iv)) - return MY_AES_BAD_DATA; - -- if (!EVP_EncryptInit(&ctx, cipher, rkey, iv)) -+ if (!EVP_EncryptInit(ctx, cipher, rkey, iv)) - goto aes_error; /* Error */ -- if (!EVP_CIPHER_CTX_set_padding(&ctx, padding)) -+ if (!EVP_CIPHER_CTX_set_padding(ctx, padding)) - goto aes_error; /* Error */ -- if (!EVP_EncryptUpdate(&ctx, dest, &u_len, source, source_length)) -+ if (!EVP_EncryptUpdate(ctx, dest, &u_len, source, source_length)) - goto aes_error; /* Error */ - -- if (!EVP_EncryptFinal(&ctx, dest + u_len, &f_len)) -+ if (!EVP_EncryptFinal(ctx, dest + u_len, &f_len)) - goto aes_error; /* Error */ - -- EVP_CIPHER_CTX_cleanup(&ctx); -+ EVP_CIPHER_CTX_free(ctx); - return 
u_len + f_len; - - aes_error: - /* need to explicitly clean up the error if we want to ignore it */ - ERR_clear_error(); -- EVP_CIPHER_CTX_cleanup(&ctx); -+ EVP_CIPHER_CTX_free(ctx); - return MY_AES_BAD_DATA; - } - -@@ -159,7 +159,7 @@ int my_aes_decrypt(const unsigned char * - bool padding) - { - -- EVP_CIPHER_CTX ctx; -+ EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new(); - const EVP_CIPHER *cipher= aes_evp_type(mode); - int u_len, f_len; - -@@ -170,24 +170,22 @@ int my_aes_decrypt(const unsigned char * - if (!cipher || (EVP_CIPHER_iv_length(cipher) > 0 && !iv)) - return MY_AES_BAD_DATA; - -- EVP_CIPHER_CTX_init(&ctx); -- -- if (!EVP_DecryptInit(&ctx, aes_evp_type(mode), rkey, iv)) -+ if (!EVP_DecryptInit(ctx, aes_evp_type(mode), rkey, iv)) - goto aes_error; /* Error */ -- if (!EVP_CIPHER_CTX_set_padding(&ctx, padding)) -+ if (!EVP_CIPHER_CTX_set_padding(ctx, padding)) - goto aes_error; /* Error */ -- if (!EVP_DecryptUpdate(&ctx, dest, &u_len, source, source_length)) -+ if (!EVP_DecryptUpdate(ctx, dest, &u_len, source, source_length)) - goto aes_error; /* Error */ -- if (!EVP_DecryptFinal_ex(&ctx, dest + u_len, &f_len)) -+ if (!EVP_DecryptFinal_ex(ctx, dest + u_len, &f_len)) - goto aes_error; /* Error */ - -- EVP_CIPHER_CTX_cleanup(&ctx); -+ EVP_CIPHER_CTX_free(ctx); - return u_len + f_len; - - aes_error: - /* need to explicitly clean up the error if we want to ignore it */ - ERR_clear_error(); -- EVP_CIPHER_CTX_cleanup(&ctx); -+ EVP_CIPHER_CTX_free(ctx); - return MY_AES_BAD_DATA; - } - -diff -rup mysql-5.7.20-sslbak/rapid/plugin/group_replication/libmysqlgcs/src/bindings/xcom/xcom/xcom_ssl_transport.c mysql-5.7.20/rapid/plugin/group_replication/libmysqlgcs/src/bindings/xcom/xcom/xcom_ssl_transport.c ---- mysql-5.7.20-sslbak/rapid/plugin/group_replication/libmysqlgcs/src/bindings/xcom/xcom/xcom_ssl_transport.c 2017-12-08 09:00:55.975786955 +0100 -+++ mysql-5.7.20/rapid/plugin/group_replication/libmysqlgcs/src/bindings/xcom/xcom/xcom_ssl_transport.c 2017-12-08 
22:19:40.037870762 +0100 -@@ -104,7 +104,7 @@ static const char* tls_cipher_blocked= " - mjxx/bg6bOOjpgZapvB6ABWlWmRmAAWFtwIBBQ== - -----END DH PARAMETERS----- - */ --static unsigned char dh2048_p[]= -+static unsigned char dhp_2048[]= - { - 0x8A, 0x5D, 0xFA, 0xC0, 0x66, 0x76, 0x4E, 0x61, 0xFA, 0xCA, 0xC0, 0x37, - 0x57, 0x5C, 0x6D, 0x3F, 0x83, 0x0A, 0xA1, 0xF5, 0xF1, 0xE6, 0x7F, 0x3C, -@@ -131,20 +131,24 @@ static unsigned char dh2048_p[]= - }; - - --static unsigned char dh2048_g[]={ -+static unsigned char dhg_2048[]={ - 0x05, - }; - - static DH *get_dh2048(void) - { -- DH *dh; -- if ((dh=DH_new())) -+ DH *dh = DH_new(); -+ BIGNUM *dhp_bn, *dhg_bn; -+ if (dh != NULL) - { -- dh->p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL); -- dh->g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL); -- if (! dh->p || ! dh->g) -+ dhp_bn = BN_bin2bn(dhp_2048, sizeof (dhp_2048), NULL); -+ dhg_bn = BN_bin2bn(dhg_2048, sizeof (dhg_2048), NULL); -+ if (dhp_bn == NULL || dhg_bn == NULL -+ || !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) - { - DH_free(dh); -+ BN_free(dhp_bn); -+ BN_free(dhg_bn); - dh=0; - } - } -diff -rup mysql-5.7.20-sslbak/sql/mysqld.cc mysql-5.7.20/sql/mysqld.cc ---- mysql-5.7.20-sslbak/sql/mysqld.cc 2017-12-08 09:00:56.309789528 +0100 -+++ mysql-5.7.20/sql/mysqld.cc 2017-12-08 22:19:40.039870776 +0100 -@@ -3376,7 +3376,7 @@ static int init_ssl() - { - #ifdef HAVE_OPENSSL - #ifndef HAVE_YASSL -- CRYPTO_malloc_init(); -+ OPENSSL_malloc_init(); - #endif - ssl_start(); - #ifndef EMBEDDED_LIBRARY -diff -rup mysql-5.7.20-sslbak/sql-common/client.c mysql-5.7.20/sql-common/client.c ---- mysql-5.7.20-sslbak/sql-common/client.c 2017-12-08 09:00:56.245789035 +0100 -+++ mysql-5.7.20/sql-common/client.c 2017-12-08 22:19:40.040870783 +0100 -@@ -2741,7 +2741,7 @@ static int ssl_verify_server_cert(Vio *v - goto error; - } - -- cn= (char *) ASN1_STRING_data(cn_asn1); -+ cn= (char *) ASN1_STRING_get0_data(cn_asn1); - - // There should not be any NULL embedded in the CN - if 
((size_t)ASN1_STRING_length(cn_asn1) != strlen(cn))
-diff -rup mysql-5.7.20-sslbak/vio/viosslfactories.c mysql-5.7.20/vio/viosslfactories.c
---- mysql-5.7.20-sslbak/vio/viosslfactories.c 2017-12-08 09:00:56.807793365 +0100
-+++ mysql-5.7.20/vio/viosslfactories.c 2017-12-08 22:19:40.040870783 +0100
-@@ -86,7 +86,7 @@ static my_bool ssl_initialized
- mjxx/bg6bOOjpgZapvB6ABWlWmRmAAWFtwIBBQ==
- -----END DH PARAMETERS-----
- */
--static unsigned char dh2048_p[]=
-+static unsigned char dhp_2048[]=
- {
- 0x8A, 0x5D, 0xFA, 0xC0, 0x66, 0x76, 0x4E, 0x61, 0xFA, 0xCA, 0xC0, 0x37,
- 0x57, 0x5C, 0x6D, 0x3F, 0x83, 0x0A, 0xA1, 0xF5, 0xF1, 0xE6, 0x7F, 0x3C,
-@@ -112,20 +112,25 @@ static unsigned char dh2048_p[]=
- 0x00, 0x05, 0x85, 0xB7,
- };
-
--static unsigned char dh2048_g[]={
-+static unsigned char dhg_2048[]={
- 0x05,
- };
-
- static DH *get_dh2048(void)
- {
-- DH *dh;
-- if ((dh=DH_new()))
-+ DH *dh = DH_new();
-+ BIGNUM *dhp_bn, *dhg_bn;
-+
-+ if (dh != NULL)
- {
-- dh->p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL);
-- dh->g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL);
-- if (! dh->p || ! dh->g)
-+ dhp_bn = BN_bin2bn(dhp_2048, sizeof (dhp_2048), NULL);
-+ dhg_bn = BN_bin2bn(dhg_2048, sizeof (dhg_2048), NULL);
-+ if (dhp_bn == NULL || dhg_bn == NULL
-+ || !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn))
- {
- DH_free(dh);
-+ BN_free(dhp_bn);
-+ BN_free(dhg_bn);
- dh=0;
- }
- }
-@@ -419,9 +424,7 @@ void ssl_start()
- {
- ssl_initialized= TRUE;
-
-- SSL_library_init();
-- OpenSSL_add_all_algorithms();
-- SSL_load_error_strings();
-+ OPENSSL_init_ssl(0, NULL);
-
- #ifndef HAVE_YASSL
- init_ssl_locks();
diff --git a/community-mysql.spec b/community-mysql.spec
index 647bd37..57e64e0 100644
--- a/community-mysql.spec
+++ b/community-mysql.spec
@@ -89,7 +89,7 @@
 %global sameevr %{?epoch:%{epoch}:}%{version}-%{release}
 Name: community-mysql
-Version: 5.7.22
+Version: 5.7.23
 Release: 1%{?with_debug:.debug}%{?dist}
 Summary: MySQL client programs and shared libraries
 URL: http://www.mysql.com
@@ -132,10 +132,12 @@ Patch7: %{pkgnamepatch}-md5_fips.patch
 Patch51: %{pkgnamepatch}-chain-certs.patch
 Patch52: %{pkgnamepatch}-sharedir.patch
 Patch70: %{pkgnamepatch}-5.7.9-major.patch
-Patch71: %{pkgnamepatch}-openssl11.patch
 %if 0%{?fedora} >= 28 || 0%{?rhel} > 7
 Patch73: %{pkgnamepatch}-libxcrypt.patch
 %endif
+# Bug in 5.7.23
+Patch74: %{pkgnamepatch}-cmake.patch
+
 # Patches taken from boost 1.59
 Patch115: boost-1.58.0-pool.patch
@@ -409,10 +411,10 @@ the MySQL sources.
 %if %{with_shared_lib_major_hack}
 %patch70 -p1
 %endif
-%patch71 -p1
 %if 0%{?fedora} >= 28 || 0%{?rhel} > 7
 %patch73 -p1
 %endif
+%patch74 -p1
 # Patch Boost
 pushd boost/boost_1_59_0
@@ -434,6 +436,10 @@ add_test () {
 touch %{skiplist}
+# Fails everywhere since 5.7.23
+add_test main.myisam :
+add_test main.variables :
+
 # these tests fail on arm32
 %ifarch %arm
 # FTS; still apply for 5.7.21
@@ -705,8 +711,9 @@ export MTR_BUILD_THREAD=%{__isa_bits}
 --mysqld=--binlog-format=mixed \
 --suite-timeout=720 --testcase-timeout=30 \
 --report-unstable-tests --clean-vardir \
+ --max-test-fail=5 \
 %if %{check_testsuite}
- --max-test-fail=0 || :
+ --max-test-fail=9999 || :
 %else
 --skip-test-list=%{skiplist}
 %endif
@@ -984,6 +991,16 @@ fi
 %endif
 %changelog
+* Thu Aug 23 2018 Michal Schorm - 5.7.23-1
+- Rebase to 5.7.23 version
+- OpenSSL 1.1 patch removed; fixed by upstream
+- CVE fixes: #1564967
+ CVE-2018-2767
+- CVE fixes: #1602383
+ CVE-2018-3056 CVE-2018-3058 CVE-2018-3060 CVE-2018-3061 CVE-2018-3062
+ CVE-2018-3064 CVE-2018-3065 CVE-2018-3066 CVE-2018-3070 CVE-2018-3071
+ CVE-2018-3077 CVE-2018-3081
+
 * Thu Apr 19 2018 Michal Schorm - 5.7.22-1
 - Rebase to 5.7.22 version
 - CVE fixes: #1568963
diff --git a/sources b/sources
index 7c10f37..548b284 100644
--- a/sources
+++ b/sources
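Review bot: The two new skip-list entries, `add_test main.myisam :` and `add_test main.variables :`, disable the tests on every architecture with nothing after the colon and no tracker reference. This is the rebase that carries the CVE fixes listed in the changelog, so a globally skipped test should say why it fails and where that is followed up, otherwise the skip is likely to outlive the problem. I would write them as `add_test main.myisam : <failure summary, tracker id>` and likewise for `main.variables`. The `add_test` helper is defined above the hunk, so the reason-field format is inferred from the trailing colon only.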
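Review bot: `--max-test-fail` is passed twice when `%{check_testsuite}` is true, first as the new unconditional `--max-test-fail=5 \` and then as `--max-test-fail=9999 || :`, so the effective limit presumably depends on mysql-test-run honouring the last occurrence. Putting the limit in the `%else` branch instead, `--max-test-fail=5 --skip-test-list=%{skiplist}`, leaves exactly one value per branch and makes the intent readable. The `|| :` kept on the `%if` branch still discards the test run's exit status, so a build with that macro set succeeds whatever the suite reports; that behaviour predates this change but is worth a comment next to it. The mysql-test-run command line begins above the hunk.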
@@ -1 +1 @@
-SHA512 (mysql-boost-5.7.22.tar.gz) = 186c9e9735114e312c65531c70e6b0b9b48b0fe14384b7a6ebfac2c1f91c3f4ac223d06e27a424fc75f57e0aaf2f74d6a8411a8ab9c6fed45c499068d0f1dc2a
+SHA512 (mysql-boost-5.7.23.tar.gz) = e4317f89d108a68652cd95e41ffd670c37b6663aabd6af3985d18052fb7e8d8879b5822399caf9091cecc0a949ec588c121c87cfd60d69941f68d0ecbedd0953