authormanu <manu@pkgsrc.org>2015-08-03 14:51:29 +0000
committermanu <manu@pkgsrc.org>2015-08-03 14:51:29 +0000
commita1438b4dc9dc960d3ecbb887c59eee0e0f096186 (patch)
treea591b6be89024fac4ec2dee0847590eca356bae6 /databases
parent24aba5b777e5550deb607cdc85961b255fc604e3 (diff)
Restore SSL functionnality with OpenSSL 1.0.1p
With the OpenSSL 1.0.1p upgrade, DH parameters below 1024 bits are now refused. MariaDB 5.5.43 hardcodes 512-bit DH parameters and will therefore fail to establish SSL connections with OpenSSL 1.0.1p. Port of the fix from MySQL: https://github.com/mysql/mysql-server/commit/866b988a76e8e7e217017a7883a52a12ec5024b9
Diffstat (limited to 'databases')
-rw-r--r--databases/mariadb55-client/Makefile4
-rw-r--r--databases/mariadb55-client/distinfo5
-rw-r--r--databases/mariadb55-client/patches/patch-include_violite.h40
-rw-r--r--databases/mariadb55-client/patches/patch-vio_viosslfactories.c123
4 files changed, 163 insertions, 9 deletions
diff --git a/databases/mariadb55-client/Makefile b/databases/mariadb55-client/Makefile
index 176be7d7def..efd91367a94 100644
--- a/databases/mariadb55-client/Makefile
+++ b/databases/mariadb55-client/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.2 2015/06/12 10:48:36 wiz Exp $
+# $NetBSD: Makefile,v 1.3 2015/08/03 14:51:29 manu Exp $
PKGNAME= ${DISTNAME:S/-/-client-/}
-PKGREVISION= 1
+PKGREVISION= 2
COMMENT= MarisDB 5.5, a free SQL database (client)
CONFLICTS= mysql3-client-[0-9]*
diff --git a/databases/mariadb55-client/distinfo b/databases/mariadb55-client/distinfo
index da74106ab97..026c04a960a 100644
--- a/databases/mariadb55-client/distinfo
+++ b/databases/mariadb55-client/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.2 2015/05/07 12:45:28 fhajny Exp $
+$NetBSD: distinfo,v 1.3 2015/08/03 14:51:29 manu Exp $
SHA1 (mariadb-5.5.43.tar.gz) = 80223c91ecda64ec30a5056af225eee39a3782fd
RMD160 (mariadb-5.5.43.tar.gz) = 93296e8d9e14949d47d4d0195f566891ba83bc76
@@ -24,7 +24,7 @@ SHA1 (patch-include_my_compare.h) = 9d04f444d56d705f3a57add7ad5f8fc5c7ce8341
SHA1 (patch-include_my_net.h) = b6361a0871afdf66feabc82c5ad3559ff5b34c37
SHA1 (patch-include_my_pthread.h) = 6d4ec91f90e717b0a075133fea535ee62d64d3ef
SHA1 (patch-include_myisam.h) = 4cc8fd0bcba5ae8fdc4882048351b6225f00d2c5
-SHA1 (patch-include_violite.h) = 89c21f49751e06324fd32773e03561bd9cce33d7
+SHA1 (patch-include_violite.h) = 31555632c2f48ae2cf9670f94a8233bfcad25083
SHA1 (patch-libmysql_CMakeLists.txt) = bca5243b76ea783e5b39e619528b28095aa1392a
SHA1 (patch-mysys_my__getopt.c) = 76ed2ffb774a7171bb547b3098db148329cbe21d
SHA1 (patch-mysys_stacktrace.c) = 9f18875126208c30d41f896f0e6edc7000df0c73
@@ -54,3 +54,4 @@ SHA1 (patch-strings_decimal.c) = 4b22180d1766352673a648f76302780b1c06bca5
SHA1 (patch-strtoll.c) = 53a3c0172487ee68f621328b16aa1742af4ae737
SHA1 (patch-strtoull.c) = 7126be697036a588d29e21a6e1a472863d285f4a
SHA1 (patch-vio_viosocket.c) = bf6d57ee04db57b7ac508b18653b0955ef8a6a2b
+SHA1 (patch-vio_viosslfactories.c) = a2e38d211d6dfdbf83d729f195bf81b8c7620103
diff --git a/databases/mariadb55-client/patches/patch-include_violite.h b/databases/mariadb55-client/patches/patch-include_violite.h
index db3c745895e..c5d78e1845c 100644
--- a/databases/mariadb55-client/patches/patch-include_violite.h
+++ b/databases/mariadb55-client/patches/patch-include_violite.h
@@ -1,8 +1,35 @@
-$NetBSD: patch-include_violite.h,v 1.1 2015/04/16 20:20:15 ryoon Exp $
+$NetBSD: patch-include_violite.h,v 1.2 2015/08/03 14:51:30 manu Exp $
---- include/violite.h.orig 2015-02-13 12:07:01.000000000 +0000
-+++ include/violite.h
-@@ -212,8 +212,14 @@ struct st_vio
+1) SCO support
+
+2) Port from mysql to fix SSL connexions with OpenSSL >= 1.0.1p
+https://github.com/mysql/mysql-server/commit/866b988a76e8e7e217017a7883a52a12ec5024b9
+
+From 866b988a76e8e7e217017a7883a52a12ec5024b9 Mon Sep 17 00:00:00 2001
+From: Marek Szymczak <marek.szymczak@oracle.com>
+Date: Thu, 9 Oct 2014 16:39:43 +0200
+Subject: [PATCH] Bug#18367167 DH KEY LENGTH OF 1024 BITS TO MEET MINIMUM REQ
+ OF FIPS 140-2
+
+Perfect Forward Secrecy (PFS) requires Diffie-Hellman (DH) parameters to be set.
+ Current implementation uses DH key of 512 bit.
+
+--- include/violite.h.orig 2015-08-03 16:42:17.000000000 +0200
++++ include/violite.h 2015-08-03 16:42:06.000000000 +0200
+@@ -126,9 +126,10 @@
+ enum enum_ssl_init_error
+ {
+ SSL_INITERR_NOERROR= 0, SSL_INITERR_CERT, SSL_INITERR_KEY,
+ SSL_INITERR_NOMATCH, SSL_INITERR_BAD_PATHS, SSL_INITERR_CIPHERS,
+- SSL_INITERR_MEMFAIL, SSL_INITERR_LASTERR
++ SSL_INITERR_MEMFAIL, SSL_INITERR_NO_USABLE_CTX, SSL_INITERR_DHFAIL,
++ SSL_INITERR_LASTERR
+ };
+ const char* sslGetErrString(enum enum_ssl_init_error err);
+
+ struct st_VioSSLFd
+@@ -211,10 +212,16 @@
+ my_socket sd; /* my_socket - real or imaginary */
HANDLE hPipe;
my_bool localhost; /* Are we from localhost? */
int fcntl_mode; /* Buffered fcntl(sd,F_GETFL) */
@@ -17,7 +44,9 @@ $NetBSD: patch-include_violite.h,v 1.1 2015/04/16 20:20:15 ryoon Exp $
int addrLen; /* Length of remote address */
enum enum_vio_type type; /* Type of connection */
char desc[30]; /* String description */
-@@ -233,7 +239,12 @@ struct st_vio
+ char *read_buffer; /* buffer for vio_read_buff */
+@@ -232,9 +239,14 @@
+ my_bool (*is_blocking)(Vio*);
int (*viokeepalive)(Vio*, my_bool);
int (*fastsend)(Vio*);
my_bool (*peer_addr)(Vio*, char *, uint16*, size_t);
@@ -30,3 +59,4 @@ $NetBSD: patch-include_violite.h,v 1.1 2015/04/16 20:20:15 ryoon Exp $
my_bool (*should_retry)(Vio*);
my_bool (*was_interrupted)(Vio*);
int (*vioclose)(Vio*);
+ void (*timeout)(Vio*, unsigned int which, unsigned int timeout);
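Review bot: `SSL_INITERR_NO_USABLE_CTX` is added to `enum enum_ssl_init_error` in the first hunk, but no hunk in this commit ever assigns it; the only new value that is set is `SSL_INITERR_DHFAIL`, in the new `patch-vio_viosslfactories.c`. If the upstream check that reports it was deliberately left out of the port, a comment on that enum line, `/* not set by the pkgsrc port; kept so the error-string table stays aligned with upstream */`, would save a reader from hunting for a code path that does not exist. The enum also indexes the error-string table in vio/viosslfactories.c (the array that now ends with `"SSL_CTX_set_tmp_dh failed"`), so the two new values must stay in the same order as the two new strings; a comment above the enum, `/* keep in sync with the error-string table in vio/viosslfactories.c */`, would make that coupling visible at the definition. The enum is complete within the hunk, but `struct st_vio` in the later hunks starts and ends outside it.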
diff --git a/databases/mariadb55-client/patches/patch-vio_viosslfactories.c b/databases/mariadb55-client/patches/patch-vio_viosslfactories.c
new file mode 100644
index 00000000000..8e60f95c292
--- /dev/null
+++ b/databases/mariadb55-client/patches/patch-vio_viosslfactories.c
@@ -0,0 +1,123 @@
+$NetBSD: patch-vio_viosslfactories.c,v 1.1 2015/08/03 14:51:30 manu Exp $
+
+Port from mysql:
+https://github.com/mysql/mysql-server/commit/866b988a76e8e7e217017a7883a52a12ec5024b9
+
+From 866b988a76e8e7e217017a7883a52a12ec5024b9 Mon Sep 17 00:00:00 2001
+From: Marek Szymczak <marek.szymczak@oracle.com>
+Date: Thu, 9 Oct 2014 16:39:43 +0200
+Subject: [PATCH] Bug#18367167 DH KEY LENGTH OF 1024 BITS TO MEET MINIMUM REQ
+ OF FIPS 140-2
+
+Perfect Forward Secrecy (PFS) requires Diffie-Hellman (DH) parameters to be set.
+ Current implementation uses DH key of 512 bit.
+
+--- vio/viosslfactories.c.orig 2015-04-29 20:55:39.000000000 +0200
++++ vio/viosslfactories.c 2015-08-02 14:40:21.000000000 +0200
+@@ -20,29 +20,58 @@
+
+ static my_bool ssl_algorithms_added = FALSE;
+ static my_bool ssl_error_strings_loaded= FALSE;
+
+-static unsigned char dh512_p[]=
+-{
+- 0xDA,0x58,0x3C,0x16,0xD9,0x85,0x22,0x89,0xD0,0xE4,0xAF,0x75,
+- 0x6F,0x4C,0xCA,0x92,0xDD,0x4B,0xE5,0x33,0xB8,0x04,0xFB,0x0F,
+- 0xED,0x94,0xEF,0x9C,0x8A,0x44,0x03,0xED,0x57,0x46,0x50,0xD3,
+- 0x69,0x99,0xDB,0x29,0xD7,0x76,0x27,0x6B,0xA2,0xD3,0xD4,0x12,
+- 0xE2,0x18,0xF4,0xDD,0x1E,0x08,0x4C,0xF6,0xD8,0x00,0x3E,0x7C,
+- 0x47,0x74,0xE8,0x33,
++/*
++ Diffie-Hellman key.
++ Generated using: >openssl dhparam -5 -C 2048
++
++ -----BEGIN DH PARAMETERS-----
++ MIIBCAKCAQEAil36wGZ2TmH6ysA3V1xtP4MKofXx5n88xq/aiybmGnReZMviCPEJ
++ 46+7VCktl/RZ5iaDH1XNG1dVQmznt9pu2G3usU+k1/VB4bQL4ZgW4u0Wzxh9PyXD
++ glm99I9Xyj4Z5PVE4MyAsxCRGA1kWQpD9/zKAegUBPLNqSo886Uqg9hmn8ksyU9E
++ BV5eAEciCuawh6V0O+Sj/C3cSfLhgA0GcXp3OqlmcDu6jS5gWjn3LdP1U0duVxMB
++ h/neTSCSvtce4CAMYMjKNVh9P1nu+2d9ZH2Od2xhRIqMTfAS1KTqF3VmSWzPFCjG
++ mjxx/bg6bOOjpgZapvB6ABWlWmRmAAWFtwIBBQ==
++ -----END DH PARAMETERS-----
++ */
++static unsigned char dh2048_p[]=
++{
++ 0x8A, 0x5D, 0xFA, 0xC0, 0x66, 0x76, 0x4E, 0x61, 0xFA, 0xCA, 0xC0, 0x37,
++ 0x57, 0x5C, 0x6D, 0x3F, 0x83, 0x0A, 0xA1, 0xF5, 0xF1, 0xE6, 0x7F, 0x3C,
++ 0xC6, 0xAF, 0xDA, 0x8B, 0x26, 0xE6, 0x1A, 0x74, 0x5E, 0x64, 0xCB, 0xE2,
++ 0x08, 0xF1, 0x09, 0xE3, 0xAF, 0xBB, 0x54, 0x29, 0x2D, 0x97, 0xF4, 0x59,
++ 0xE6, 0x26, 0x83, 0x1F, 0x55, 0xCD, 0x1B, 0x57, 0x55, 0x42, 0x6C, 0xE7,
++ 0xB7, 0xDA, 0x6E, 0xD8, 0x6D, 0xEE, 0xB1, 0x4F, 0xA4, 0xD7, 0xF5, 0x41,
++ 0xE1, 0xB4, 0x0B, 0xE1, 0x98, 0x16, 0xE2, 0xED, 0x16, 0xCF, 0x18, 0x7D,
++ 0x3F, 0x25, 0xC3, 0x82, 0x59, 0xBD, 0xF4, 0x8F, 0x57, 0xCA, 0x3E, 0x19,
++ 0xE4, 0xF5, 0x44, 0xE0, 0xCC, 0x80, 0xB3, 0x10, 0x91, 0x18, 0x0D, 0x64,
++ 0x59, 0x0A, 0x43, 0xF7, 0xFC, 0xCA, 0x01, 0xE8, 0x14, 0x04, 0xF2, 0xCD,
++ 0xA9, 0x2A, 0x3C, 0xF3, 0xA5, 0x2A, 0x83, 0xD8, 0x66, 0x9F, 0xC9, 0x2C,
++ 0xC9, 0x4F, 0x44, 0x05, 0x5E, 0x5E, 0x00, 0x47, 0x22, 0x0A, 0xE6, 0xB0,
++ 0x87, 0xA5, 0x74, 0x3B, 0xE4, 0xA3, 0xFC, 0x2D, 0xDC, 0x49, 0xF2, 0xE1,
++ 0x80, 0x0D, 0x06, 0x71, 0x7A, 0x77, 0x3A, 0xA9, 0x66, 0x70, 0x3B, 0xBA,
++ 0x8D, 0x2E, 0x60, 0x5A, 0x39, 0xF7, 0x2D, 0xD3, 0xF5, 0x53, 0x47, 0x6E,
++ 0x57, 0x13, 0x01, 0x87, 0xF9, 0xDE, 0x4D, 0x20, 0x92, 0xBE, 0xD7, 0x1E,
++ 0xE0, 0x20, 0x0C, 0x60, 0xC8, 0xCA, 0x35, 0x58, 0x7D, 0x3F, 0x59, 0xEE,
++ 0xFB, 0x67, 0x7D, 0x64, 0x7D, 0x8E, 0x77, 0x6C, 0x61, 0x44, 0x8A, 0x8C,
++ 0x4D, 0xF0, 0x12, 0xD4, 0xA4, 0xEA, 0x17, 0x75, 0x66, 0x49, 0x6C, 0xCF,
++ 0x14, 0x28, 0xC6, 0x9A, 0x3C, 0x71, 0xFD, 0xB8, 0x3A, 0x6C, 0xE3, 0xA3,
++ 0xA6, 0x06, 0x5A, 0xA6, 0xF0, 0x7A, 0x00, 0x15, 0xA5, 0x5A, 0x64, 0x66,
++ 0x00, 0x05, 0x85, 0xB7,
+ };
+
+-static unsigned char dh512_g[]={
+- 0x02,
++static unsigned char dh2048_g[]={
++ 0x05,
+ };
+
+-static DH *get_dh512(void)
++static DH *get_dh2048(void)
+ {
+ DH *dh;
+ if ((dh=DH_new()))
+ {
+- dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL);
+- dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL);
++ dh->p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL);
++ dh->g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL);
+ if (! dh->p || ! dh->g)
+ {
+ DH_free(dh);
+ dh=0;
+@@ -81,9 +110,11 @@
+ "Unable to get private key",
+ "Private key does not match the certificate public key",
+ "SSL_CTX_set_default_verify_paths failed",
+ "Failed to set ciphers to use",
+- "SSL_CTX_new failed"
++ "SSL_CTX_new failed",
++ "SSL context is not usable without certificate and private key",
++ "SSL_CTX_set_tmp_dh failed"
+ };
+
+ const char*
+ sslGetErrString(enum enum_ssl_init_error e)
+@@ -258,10 +289,19 @@
+ DBUG_RETURN(0);
+ }
+
+ /* DH stuff */
+- dh=get_dh512();
+- SSL_CTX_set_tmp_dh(ssl_fd->ssl_context, dh);
++ dh= get_dh2048();
++ if (SSL_CTX_set_tmp_dh(ssl_fd->ssl_context, dh) == 0)
++ {
++ *error= SSL_INITERR_DHFAIL;
++ DBUG_PRINT("error", ("%s", sslGetErrString(*error)));
++ report_errors();
++ DH_free(dh);
++ SSL_CTX_free(ssl_fd->ssl_context);
++ my_free(ssl_fd);
++ DBUG_RETURN(0);
++ }
+ DH_free(dh);
+
+ DBUG_PRINT("exit", ("OK 1"));
+
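Review bot: The failure path added after `dh= get_dh2048();` only catches a NULL `dh` because `SSL_CTX_set_tmp_dh()` happens to return 0 for a NULL argument; `get_dh2048()` in the hunk above leaves `dh` at 0 when `DH_new()` fails or when either `BN_bin2bn()` call fails, so that case is real and deserves an explicit guard rather than reliance on library behaviour: `if (dh == NULL || SSL_CTX_set_tmp_dh(ssl_fd->ssl_context, dh) == 0)`. The rest of the new error block (free `dh`, free the context, free `ssl_fd`, `DBUG_RETURN(0)`) already mirrors the other error returns, so nothing else there needs to change. A one-line comment on the `DH_free(dh);` that follows the success path, `/* the context keeps its own copy of the parameters */`, would also explain why freeing right after a successful set is correct. The enclosing function starts and ends outside this hunk.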