authortron <tron>2015-07-19 17:58:43 +0000
committertron <tron>2015-07-19 17:58:43 +0000
commit69997e67bbd61056a84c3d013080a6ebb03b771a (patch)
tree1c74c8f73d3f73ea825b1e83afe207f666131106
parent0a6e7e2973ad3d9988199d97e0f3347f67077227 (diff)
downloadpkgsrc-69997e67bbd61056a84c3d013080a6ebb03b771a.tar.gz
Pullup ticket #4776 - requested by manu
databases/mysql56-client: bug fix patch databases/mysql56-server: bug fix patch Revisions pulled up: - databases/mysql56-client/Makefile 1.17 - databases/mysql56-client/distinfo 1.25 - databases/mysql56-client/patches/patch-include_violite.h 1.1 - databases/mysql56-client/patches/patch-vio_viosslfactories.c 1.1 - databases/mysql56-server/Makefile 1.25 --- Module Name: pkgsrc Committed By: manu Date: Tue Jul 14 12:09:24 UTC 2015 Modified Files: pkgsrc/databases/mysql56-client: Makefile distinfo Added Files: pkgsrc/databases/mysql56-client/patches: patch-include_violite.h patch-vio_viosslfactories.c Log Message: Restore SSL functionality with OpenSSL 1.0.1p With OpenSSL 1.0.1p upgrade, DH parameters below 1024 bits are now refused. MySQL hardcodes 512 bits DH parameters and will therefore fail to run SSL connexions with OpenSSL 1.0.1p Apply fix from upstream: https://github.com/mysql/mysql-server/commit/866b988a76e8e7e217017a7883a52a12ec5024b9 --- Module Name: pkgsrc Committed By: manu Date: Tue Jul 14 16:38:56 UTC 2015 Modified Files: pkgsrc/databases/mysql56-server: Makefile Log Message: Restore SSL functionality with OpenSSL 1.0.1p (revision bump) This change just bumps PKGREVISION after patches were added in mysql56-client/patches which impact mysql56-server. For the record, the commit log of those patches: > With OpenSSL 1.0.1p upgrade, DH parameters below 1024 bits are now > refused. MySQL hardcodes 512 bits DH parameters and will therefore > fail to run SSL connexions with OpenSSL 1.0.1p > > Apply fix from upstream: > https://github.com/mysql/mysql-server/commit/866b988a76e8e7e217017a7883a52a12ec5024b9
-rw-r--r--databases/mysql56-client/Makefile4
-rw-r--r--databases/mysql56-client/distinfo4
-rw-r--r--databases/mysql56-client/patches/patch-include_violite.h28
-rw-r--r--databases/mysql56-client/patches/patch-vio_viosslfactories.c123
-rw-r--r--databases/mysql56-server/Makefile3
5 files changed, 158 insertions, 4 deletions
diff --git a/databases/mysql56-client/Makefile b/databases/mysql56-client/Makefile
index 87a26d33e5a..b02cc30b811 100644
--- a/databases/mysql56-client/Makefile
+++ b/databases/mysql56-client/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.16 2015/06/12 10:48:36 wiz Exp $
+# $NetBSD: Makefile,v 1.16.2.1 2015/07/19 17:58:43 tron Exp $
PKGNAME= ${DISTNAME:S/-/-client-/}
-PKGREVISION= 1
+PKGREVISION= 2
COMMENT= MySQL 5, a free SQL database (client)
CONFLICTS= mysql3-client-[0-9]*
diff --git a/databases/mysql56-client/distinfo b/databases/mysql56-client/distinfo
index 67629af79e7..8bb5ef2f0c9 100644
--- a/databases/mysql56-client/distinfo
+++ b/databases/mysql56-client/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.24 2015/06/03 03:20:03 ryoon Exp $
+$NetBSD: distinfo,v 1.24.2.1 2015/07/19 17:58:43 tron Exp $
SHA1 (mysql-5.6.25.tar.gz) = ace53481400a4ad363ee0453a547b8ba07582fd2
RMD160 (mysql-5.6.25.tar.gz) = a65b1aa209cb2f08295db7cb7259a7ce294c0713
@@ -20,6 +20,7 @@ SHA1 (patch-include_my__global.h) = 843b9527faf880eee59cf02239ba601f5985ddfb
SHA1 (patch-include_my_compare.h) = f45bac4b488332a668b0005751856279b67401f5
SHA1 (patch-include_my_net.h) = b08aa36921efd023f9ecaac4cd3fb8a16d200abd
SHA1 (patch-include_my_pthread.h) = ff3bf1fddd04edd7804d810f79de64387464b5ca
+SHA1 (patch-include_violite.h) = 1a5f404da44e24d5deebf1d54418aa910f54fc02
SHA1 (patch-libmysql_CMakeLists.txt) = 229044de6d11b26ee99b25be99b628a9f146b795
SHA1 (patch-mysql-test_CMakeLists.txt) = b7dd562d55678b13ac487aa0ee59bf2551af1f9d
SHA1 (patch-mysys__ssl_CMakeLists.txt) = e50bad459520be78ea2d5c4d0699cda8c1141884
@@ -39,3 +40,4 @@ SHA1 (patch-storage_myisam_CMakeLists.txt) = 55897ae78208f78a396776d1082cb5f9863
SHA1 (patch-storage_myisammrg_CMakeLists.txt) = 0a56a16ccaff3fa9de996fec6ffc324af9855a4e
SHA1 (patch-storage_ndb_include_util_Parser.hpp) = 037fc153619bf79ee95cb03a5ac4a71c14952c3a
SHA1 (patch-strings_decimal.c) = 069c9d930c735f74510702baa9bef38aec425903
+SHA1 (patch-vio_viosslfactories.c) = ad3fa2152243c9d384c312d5554580e139c6398e
diff --git a/databases/mysql56-client/patches/patch-include_violite.h b/databases/mysql56-client/patches/patch-include_violite.h
new file mode 100644
index 00000000000..ca3d9aac272
--- /dev/null
+++ b/databases/mysql56-client/patches/patch-include_violite.h
@@ -0,0 +1,28 @@
+$NetBSD: patch-include_violite.h,v 1.1.2.2 2015/07/19 17:58:43 tron Exp $
+
+Backport from upstream to mysql 5.6.x:
+https://github.com/mysql/mysql-server/commit/866b988a76e8e7e217017a7883a52a12ec5024b9
+
+From 866b988a76e8e7e217017a7883a52a12ec5024b9 Mon Sep 17 00:00:00 2001
+From: Marek Szymczak <marek.szymczak@oracle.com>
+Date: Thu, 9 Oct 2014 16:39:43 +0200
+Subject: [PATCH] Bug#18367167 DH KEY LENGTH OF 1024 BITS TO MEET MINIMUM REQ
+ OF FIPS 140-2
+
+Perfect Forward Secrecy (PFS) requires Diffie-Hellman (DH) parameters to be set.
+ Current implementation uses DH key of 512 bit.
+
+--- include/violite.h.orig 2015-05-05 13:05:53.000000000 +0200
++++ include/violite.h 2015-07-14 05:20:18.000000000 +0200
+@@ -146,9 +146,10 @@
+ enum enum_ssl_init_error
+ {
+ SSL_INITERR_NOERROR= 0, SSL_INITERR_CERT, SSL_INITERR_KEY,
+ SSL_INITERR_NOMATCH, SSL_INITERR_BAD_PATHS, SSL_INITERR_CIPHERS,
+- SSL_INITERR_MEMFAIL, SSL_INITERR_LASTERR
++ SSL_INITERR_MEMFAIL, SSL_INITERR_NO_USABLE_CTX, SSL_INITERR_DHFAIL,
++ SSL_INITERR_LASTERR
+ };
+ const char* sslGetErrString(enum enum_ssl_init_error err);
+
+ struct st_VioSSLFd
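Review bot: The two enumerators inserted before `SSL_INITERR_LASTERR` carry no comment tying them to the error-message table in vio/viosslfactories.c, which this same commit extends by two strings in the matching order. The body of `sslGetErrString` is not visible here, but it presumably indexes that table by enum value, so a later insertion made in only one of the two places would return the wrong message or read past the end of the table. I would add a comment above the enum along the lines of `/* Keep in step with the message table in vio/viosslfactories.c: one string per value, same order. */`. Note also that only `SSL_INITERR_DHFAIL` is assigned in the hunks shown on this page; `SSL_INITERR_NO_USABLE_CTX` appears to be defined but unused in this backport.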
diff --git a/databases/mysql56-client/patches/patch-vio_viosslfactories.c b/databases/mysql56-client/patches/patch-vio_viosslfactories.c
new file mode 100644
index 00000000000..3c829dad258
--- /dev/null
+++ b/databases/mysql56-client/patches/patch-vio_viosslfactories.c
@@ -0,0 +1,123 @@
+$NetBSD: patch-vio_viosslfactories.c,v 1.1.2.2 2015/07/19 17:58:43 tron Exp $
+
+Backport from upstream to mysql 5.6.x:
+https://github.com/mysql/mysql-server/commit/866b988a76e8e7e217017a7883a52a12ec5024b9
+
+From 866b988a76e8e7e217017a7883a52a12ec5024b9 Mon Sep 17 00:00:00 2001
+From: Marek Szymczak <marek.szymczak@oracle.com>
+Date: Thu, 9 Oct 2014 16:39:43 +0200
+Subject: [PATCH] Bug#18367167 DH KEY LENGTH OF 1024 BITS TO MEET MINIMUM REQ
+ OF FIPS 140-2
+
+Perfect Forward Secrecy (PFS) requires Diffie-Hellman (DH) parameters to be set.
+ Current implementation uses DH key of 512 bit.
+
+--- vio/viosslfactories.c.orig 2015-05-05 13:05:53.000000000 +0200
++++ vio/viosslfactories.c 2015-07-14 05:22:11.000000000 +0200
+@@ -19,29 +19,58 @@
+
+ static my_bool ssl_algorithms_added = FALSE;
+ static my_bool ssl_error_strings_loaded= FALSE;
+
+-static unsigned char dh512_p[]=
+-{
+- 0xDA,0x58,0x3C,0x16,0xD9,0x85,0x22,0x89,0xD0,0xE4,0xAF,0x75,
+- 0x6F,0x4C,0xCA,0x92,0xDD,0x4B,0xE5,0x33,0xB8,0x04,0xFB,0x0F,
+- 0xED,0x94,0xEF,0x9C,0x8A,0x44,0x03,0xED,0x57,0x46,0x50,0xD3,
+- 0x69,0x99,0xDB,0x29,0xD7,0x76,0x27,0x6B,0xA2,0xD3,0xD4,0x12,
+- 0xE2,0x18,0xF4,0xDD,0x1E,0x08,0x4C,0xF6,0xD8,0x00,0x3E,0x7C,
+- 0x47,0x74,0xE8,0x33,
++/*
++ Diffie-Hellman key.
++ Generated using: >openssl dhparam -5 -C 2048
++
++ -----BEGIN DH PARAMETERS-----
++ MIIBCAKCAQEAil36wGZ2TmH6ysA3V1xtP4MKofXx5n88xq/aiybmGnReZMviCPEJ
++ 46+7VCktl/RZ5iaDH1XNG1dVQmznt9pu2G3usU+k1/VB4bQL4ZgW4u0Wzxh9PyXD
++ glm99I9Xyj4Z5PVE4MyAsxCRGA1kWQpD9/zKAegUBPLNqSo886Uqg9hmn8ksyU9E
++ BV5eAEciCuawh6V0O+Sj/C3cSfLhgA0GcXp3OqlmcDu6jS5gWjn3LdP1U0duVxMB
++ h/neTSCSvtce4CAMYMjKNVh9P1nu+2d9ZH2Od2xhRIqMTfAS1KTqF3VmSWzPFCjG
++ mjxx/bg6bOOjpgZapvB6ABWlWmRmAAWFtwIBBQ==
++ -----END DH PARAMETERS-----
++ */
++static unsigned char dh2048_p[]=
++{
++ 0x8A, 0x5D, 0xFA, 0xC0, 0x66, 0x76, 0x4E, 0x61, 0xFA, 0xCA, 0xC0, 0x37,
++ 0x57, 0x5C, 0x6D, 0x3F, 0x83, 0x0A, 0xA1, 0xF5, 0xF1, 0xE6, 0x7F, 0x3C,
++ 0xC6, 0xAF, 0xDA, 0x8B, 0x26, 0xE6, 0x1A, 0x74, 0x5E, 0x64, 0xCB, 0xE2,
++ 0x08, 0xF1, 0x09, 0xE3, 0xAF, 0xBB, 0x54, 0x29, 0x2D, 0x97, 0xF4, 0x59,
++ 0xE6, 0x26, 0x83, 0x1F, 0x55, 0xCD, 0x1B, 0x57, 0x55, 0x42, 0x6C, 0xE7,
++ 0xB7, 0xDA, 0x6E, 0xD8, 0x6D, 0xEE, 0xB1, 0x4F, 0xA4, 0xD7, 0xF5, 0x41,
++ 0xE1, 0xB4, 0x0B, 0xE1, 0x98, 0x16, 0xE2, 0xED, 0x16, 0xCF, 0x18, 0x7D,
++ 0x3F, 0x25, 0xC3, 0x82, 0x59, 0xBD, 0xF4, 0x8F, 0x57, 0xCA, 0x3E, 0x19,
++ 0xE4, 0xF5, 0x44, 0xE0, 0xCC, 0x80, 0xB3, 0x10, 0x91, 0x18, 0x0D, 0x64,
++ 0x59, 0x0A, 0x43, 0xF7, 0xFC, 0xCA, 0x01, 0xE8, 0x14, 0x04, 0xF2, 0xCD,
++ 0xA9, 0x2A, 0x3C, 0xF3, 0xA5, 0x2A, 0x83, 0xD8, 0x66, 0x9F, 0xC9, 0x2C,
++ 0xC9, 0x4F, 0x44, 0x05, 0x5E, 0x5E, 0x00, 0x47, 0x22, 0x0A, 0xE6, 0xB0,
++ 0x87, 0xA5, 0x74, 0x3B, 0xE4, 0xA3, 0xFC, 0x2D, 0xDC, 0x49, 0xF2, 0xE1,
++ 0x80, 0x0D, 0x06, 0x71, 0x7A, 0x77, 0x3A, 0xA9, 0x66, 0x70, 0x3B, 0xBA,
++ 0x8D, 0x2E, 0x60, 0x5A, 0x39, 0xF7, 0x2D, 0xD3, 0xF5, 0x53, 0x47, 0x6E,
++ 0x57, 0x13, 0x01, 0x87, 0xF9, 0xDE, 0x4D, 0x20, 0x92, 0xBE, 0xD7, 0x1E,
++ 0xE0, 0x20, 0x0C, 0x60, 0xC8, 0xCA, 0x35, 0x58, 0x7D, 0x3F, 0x59, 0xEE,
++ 0xFB, 0x67, 0x7D, 0x64, 0x7D, 0x8E, 0x77, 0x6C, 0x61, 0x44, 0x8A, 0x8C,
++ 0x4D, 0xF0, 0x12, 0xD4, 0xA4, 0xEA, 0x17, 0x75, 0x66, 0x49, 0x6C, 0xCF,
++ 0x14, 0x28, 0xC6, 0x9A, 0x3C, 0x71, 0xFD, 0xB8, 0x3A, 0x6C, 0xE3, 0xA3,
++ 0xA6, 0x06, 0x5A, 0xA6, 0xF0, 0x7A, 0x00, 0x15, 0xA5, 0x5A, 0x64, 0x66,
++ 0x00, 0x05, 0x85, 0xB7,
+ };
+
+-static unsigned char dh512_g[]={
+- 0x02,
++static unsigned char dh2048_g[]={
++ 0x05,
+ };
+
+-static DH *get_dh512(void)
++static DH *get_dh2048(void)
+ {
+ DH *dh;
+ if ((dh=DH_new()))
+ {
+- dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL);
+- dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL);
++ dh->p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL);
++ dh->g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL);
+ if (! dh->p || ! dh->g)
+ {
+ DH_free(dh);
+ dh=0;
+@@ -80,9 +109,11 @@
+ "Unable to get private key",
+ "Private key does not match the certificate public key",
+ "SSL_CTX_set_default_verify_paths failed",
+ "Failed to set ciphers to use",
+- "SSL_CTX_new failed"
++ "SSL_CTX_new failed",
++ "SSL context is not usable without certificate and private key",
++ "SSL_CTX_set_tmp_dh failed"
+ };
+
+ const char*
+ sslGetErrString(enum enum_ssl_init_error e)
+@@ -284,10 +315,19 @@
+ DBUG_RETURN(0);
+ }
+
+ /* DH stuff */
+- dh=get_dh512();
+- SSL_CTX_set_tmp_dh(ssl_fd->ssl_context, dh);
++ dh= get_dh2048();
++ if (SSL_CTX_set_tmp_dh(ssl_fd->ssl_context, dh) == 0)
++ {
++ *error= SSL_INITERR_DHFAIL;
++ DBUG_PRINT("error", ("%s", sslGetErrString(*error)));
++ report_errors();
++ DH_free(dh);
++ SSL_CTX_free(ssl_fd->ssl_context);
++ my_free(ssl_fd);
++ DBUG_RETURN(0);
++ }
+ DH_free(dh);
+
+ DBUG_PRINT("exit", ("OK 1"));
+
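Review bot: The result of `get_dh2048()` is handed to `SSL_CTX_set_tmp_dh()` without a NULL check, although the helper visibly sets `dh=0` when either `BN_bin2bn` call fails. The new error branch therefore relies on OpenSSL rejecting a NULL DH, and an allocation failure is reported as `SSL_INITERR_DHFAIL` rather than as a memory failure. Making the test explicit, `if (dh == NULL || SSL_CTX_set_tmp_dh(ssl_fd->ssl_context, dh) == 0)`, leaves the cleanup path as written, since `DH_free(NULL)` is a no-op. Separately, the comment above `dh2048_p` could state that this single 2048-bit group is compiled into every build, and that replacing it means regenerating the array with the quoted `openssl dhparam` command. The function containing the `/* DH stuff */` block starts and ends outside the hunk.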
diff --git a/databases/mysql56-server/Makefile b/databases/mysql56-server/Makefile
index 738e185b6f0..3d81206aa12 100644
--- a/databases/mysql56-server/Makefile
+++ b/databases/mysql56-server/Makefile
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.24 2015/04/08 10:38:48 adam Exp $
+# $NetBSD: Makefile,v 1.24.2.1 2015/07/19 17:58:43 tron Exp $
PKGNAME= ${DISTNAME:S/-/-server-/}
+PKGREVISION= 1
COMMENT= MySQL 5, a free SQL database (server)
CONFLICTS= mysql3-server-[0-9]*