diff --git a/mariadb-fips.patch b/mariadb-fips.patch deleted file mode 100644 index 443af6f..0000000 --- a/mariadb-fips.patch +++ /dev/null @@ -1,28 +0,0 @@ -Fix md5 in FIPS mode - -OpenSSL 3.0.0+ does not support EVP_MD_CTX_FLAG_NON_FIPS_ALLOW any longer. -In OpenSSL 1.1.1 the non FIPS allowed flag is context specific, while -in 3.0.0+ it is a different EVP_MD provider. - -Resolves: rhbz#2050541 - -diff -up mariadb-10.5.13-downstream_modified/mysys_ssl/my_md5.cc.fips mariadb-10.5.13-downstream_modified/mysys_ssl/my_md5.cc ---- mariadb-10.5.13-downstream_modified/mysys_ssl/my_md5.cc.fips 2022-02-07 16:36:47.255131576 +0100 -+++ mariadb-10.5.13-downstream_modified/mysys_ssl/my_md5.cc 2022-02-07 22:57:32.391002916 +0100 -@@ -52,12 +52,15 @@ static void md5_result(EVP_MD_CTX *conte - - static void md5_init(EVP_MD_CTX *context) - { -+ EVP_MD *md5; -+ md5 = EVP_MD_fetch(NULL, "MD5", "fips=no"); - EVP_MD_CTX_init(context); - #ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW - /* Ok to ignore FIPS: MD5 is not used for crypto here */ - EVP_MD_CTX_set_flags(context, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); - #endif -- EVP_DigestInit_ex(context, EVP_md5(), NULL); -+ EVP_DigestInit_ex(context, md5, NULL); -+ EVP_MD_free(md5); - } - - static void md5_input(EVP_MD_CTX *context, const uchar *buf, unsigned len) diff --git a/mariadb-openssl3.patch b/mariadb-openssl3.patch deleted file mode 100644 index 9f5b660..0000000 --- a/mariadb-openssl3.patch +++ /dev/null @@ -1,401 +0,0 @@ -From c80991c79f701dac42c630af4bd39593b0c7efb4 Mon Sep 17 00:00:00 2001 -From: Vladislav Vaintroub -Date: Mon, 8 Nov 2021 18:48:19 +0100 -Subject: [PATCH] MDEV-25785 Add support for OpenSSL 3.0 - -Summary of changes - -- MD_CTX_SIZE is increased - -- EVP_CIPHER_CTX_buf_noconst(ctx) does not work anymore, points - to nobody knows where. The assumption made previously was that - (since the function does not seem to be documented) - was that it points to the last partial source block. - Add own partial block buffer for NOPAD encryption instead - -- SECLEVEL in CipherString in openssl.cnf - had been downgraded to 0, from 1, to make TLSv1.0 and TLSv1.1 possible - -- Workaround Ssl_cipher_list issue, it now returns TLSv1.3 ciphers, - in addition to what was set in --ssl-cipher - -- ctx_buf buffer now must be aligned to 16 bytes with openssl( - previously with WolfSSL only), ot crashes will happen - -- updated aes-t , to be better debuggable - using function, rather than a huge multiline macro - added test that does "nopad" encryption piece-wise, to test - replacement of EVP_CIPHER_CTX_buf_noconst ---- - cmake/ssl.cmake | 19 ++++- - include/ssl_compat.h | 3 +- - mysql-test/lib/openssl.cnf | 2 +- - mysql-test/main/ssl_cipher.result | 6 +- - mysql-test/main/ssl_cipher.test | 2 +- - mysys_ssl/my_crypt.cc | 46 +++++++----- - unittest/mysys/aes-t.c | 121 ++++++++++++++++++++++-------- - 7 files changed, 141 insertions(+), 58 deletions(-) - - -diff -up mariadb-10.5.12-downstream_modified/cmake/ssl.cmake.patch16 mariadb-10.5.12-downstream_modified/cmake/ssl.cmake ---- mariadb-10.5.12-downstream_modified/cmake/ssl.cmake.patch16 2021-08-03 10:29:07.000000000 +0200 -+++ mariadb-10.5.12-downstream_modified/cmake/ssl.cmake 2021-11-18 16:58:41.552440737 +0100 -@@ -139,9 +139,20 @@ MACRO (MYSQL_CHECK_SSL) - SET(SSL_INTERNAL_INCLUDE_DIRS "") - SET(SSL_DEFINES "-DHAVE_OPENSSL") - -+ FOREACH(x INCLUDES LIBRARIES DEFINITIONS) -+ SET(SAVE_CMAKE_REQUIRED_${x} ${CMAKE_REQUIRED_${x}}) -+ ENDFOREACH() -+ -+ # Silence "deprecated in OpenSSL 3.0" -+ IF((NOT OPENSSL_VERSION) # 3.0 not determined by older cmake -+ OR NOT(OPENSSL_VERSION VERSION_LESS "3.0.0")) -+ SET(SSL_DEFINES "${SSL_DEFINES} -DOPENSSL_API_COMPAT=0x10100000L") -+ SET(CMAKE_REQUIRED_DEFINITIONS -DOPENSSL_API_COMPAT=0x10100000L) -+ ENDIF() -+ - SET(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR}) - SET(CMAKE_REQUIRED_LIBRARIES ${SSL_LIBRARIES}) -- SET(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR}) -+ - CHECK_SYMBOL_EXISTS(ERR_remove_thread_state "openssl/err.h" - HAVE_ERR_remove_thread_state) - CHECK_SYMBOL_EXISTS(EVP_aes_128_ctr "openssl/evp.h" -@@ -150,8 +161,10 @@ MACRO (MYSQL_CHECK_SSL) - HAVE_EncryptAes128Gcm) - CHECK_SYMBOL_EXISTS(X509_check_host "openssl/x509v3.h" - HAVE_X509_check_host) -- SET(CMAKE_REQUIRED_INCLUDES) -- SET(CMAKE_REQUIRED_LIBRARIES) -+ -+ FOREACH(x INCLUDES LIBRARIES DEFINITIONS) -+ SET(CMAKE_REQUIRED_${x} ${SAVE_CMAKE_REQUIRED_${x}}) -+ ENDFOREACH() - ELSE() - IF(WITH_SSL STREQUAL "system") - MESSAGE(FATAL_ERROR "Cannot find appropriate system libraries for SSL. Use WITH_SSL=bundled to enable SSL support") -diff -up mariadb-10.5.12-downstream_modified/include/ssl_compat.h.patch16 mariadb-10.5.12-downstream_modified/include/ssl_compat.h ---- mariadb-10.5.12-downstream_modified/include/ssl_compat.h.patch16 2021-08-03 10:29:07.000000000 +0200 -+++ mariadb-10.5.12-downstream_modified/include/ssl_compat.h 2021-11-18 16:58:41.552440737 +0100 -@@ -24,7 +24,7 @@ - #define SSL_LIBRARY OpenSSL_version(OPENSSL_VERSION) - #define ERR_remove_state(X) ERR_clear_error() - #define EVP_CIPHER_CTX_SIZE 176 --#define EVP_MD_CTX_SIZE 48 -+#define EVP_MD_CTX_SIZE 72 - #undef EVP_MD_CTX_init - #define EVP_MD_CTX_init(X) do { memset((X), 0, EVP_MD_CTX_SIZE); EVP_MD_CTX_reset(X); } while(0) - #undef EVP_CIPHER_CTX_init -@@ -74,7 +74,6 @@ - #define DH_set0_pqg(D,P,Q,G) ((D)->p= (P), (D)->g= (G)) - #endif - --#define EVP_CIPHER_CTX_buf_noconst(ctx) ((ctx)->buf) - #define EVP_CIPHER_CTX_encrypting(ctx) ((ctx)->encrypt) - #define EVP_CIPHER_CTX_SIZE sizeof(EVP_CIPHER_CTX) - -diff -up mariadb-10.5.12-downstream_modified/mysql-test/lib/openssl.cnf.patch16 mariadb-10.5.12-downstream_modified/mysql-test/lib/openssl.cnf ---- mariadb-10.5.12-downstream_modified/mysql-test/lib/openssl.cnf.patch16 2021-08-03 10:29:07.000000000 +0200 -+++ mariadb-10.5.12-downstream_modified/mysql-test/lib/openssl.cnf 2021-11-18 16:58:41.552440737 +0100 -@@ -9,4 +9,4 @@ ssl_conf = ssl_section - system_default = system_default_section - - [system_default_section] --CipherString = ALL:@SECLEVEL=1 -+CipherString = ALL:@SECLEVEL=0 -diff -up mariadb-10.5.12-downstream_modified/mysql-test/main/ssl_cipher.result.patch16 mariadb-10.5.12-downstream_modified/mysql-test/main/ssl_cipher.result ---- mariadb-10.5.12-downstream_modified/mysql-test/main/ssl_cipher.result.patch16 2021-08-03 10:29:08.000000000 +0200 -+++ mariadb-10.5.12-downstream_modified/mysql-test/main/ssl_cipher.result 2021-11-18 16:58:41.552440737 +0100 -@@ -61,8 +61,8 @@ connect ssl_con,localhost,root,,,,,SSL; - SHOW STATUS LIKE 'Ssl_cipher'; - Variable_name Value - Ssl_cipher AES128-SHA --SHOW STATUS LIKE 'Ssl_cipher_list'; --Variable_name Value --Ssl_cipher_list AES128-SHA -+SELECT VARIABLE_VALUE like '%AES128-SHA%' FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher_list'; -+VARIABLE_VALUE like '%AES128-SHA%' -+1 - disconnect ssl_con; - connection default; -diff -up mariadb-10.5.12-downstream_modified/mysql-test/main/ssl_cipher.test.patch16 mariadb-10.5.12-downstream_modified/mysql-test/main/ssl_cipher.test ---- mariadb-10.5.12-downstream_modified/mysql-test/main/ssl_cipher.test.patch16 2021-11-18 16:58:41.552440737 +0100 -+++ mariadb-10.5.12-downstream_modified/mysql-test/main/ssl_cipher.test 2021-11-18 17:00:47.753839711 +0100 -@@ -100,6 +100,6 @@ connect (ssl_con,localhost,root,,,,,SSL) - --replace_regex /TLS_AES_.*/AES128-SHA/ - SHOW STATUS LIKE 'Ssl_cipher'; - --replace_regex /TLS_AES_.*/AES128-SHA/ --SHOW STATUS LIKE 'Ssl_cipher_list'; -+SELECT VARIABLE_VALUE like '%AES128-SHA%' FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher_list'; - disconnect ssl_con; - connection default; -diff -up mariadb-10.5.12-downstream_modified/mysys_ssl/my_crypt.cc.patch16 mariadb-10.5.12-downstream_modified/mysys_ssl/my_crypt.cc ---- mariadb-10.5.12-downstream_modified/mysys_ssl/my_crypt.cc.patch16 2021-08-03 10:29:08.000000000 +0200 -+++ mariadb-10.5.12-downstream_modified/mysys_ssl/my_crypt.cc 2021-11-18 16:58:41.552440737 +0100 -@@ -29,11 +29,7 @@ - #include - #include - --#ifdef HAVE_WOLFSSL - #define CTX_ALIGN 16 --#else --#define CTX_ALIGN 0 --#endif - - class MyCTX - { -@@ -100,8 +96,9 @@ class MyCTX_nopad : public MyCTX - { - public: - const uchar *key; -- uint klen, buf_len; -+ uint klen, source_tail_len; - uchar oiv[MY_AES_BLOCK_SIZE]; -+ uchar source_tail[MY_AES_BLOCK_SIZE]; - - MyCTX_nopad() : MyCTX() { } - ~MyCTX_nopad() { } -@@ -112,7 +109,7 @@ public: - compile_time_assert(MY_AES_CTX_SIZE >= sizeof(MyCTX_nopad)); - this->key= key; - this->klen= klen; -- this->buf_len= 0; -+ this->source_tail_len= 0; - if (ivlen) - memcpy(oiv, iv, ivlen); - DBUG_ASSERT(ivlen == 0 || ivlen == sizeof(oiv)); -@@ -123,26 +120,41 @@ public: - return res; - } - -+ /** Update last partial source block, stored in source_tail array. */ -+ void update_source_tail(const uchar* src, uint slen) -+ { -+ if (!slen) -+ return; -+ uint new_tail_len= (source_tail_len + slen) % MY_AES_BLOCK_SIZE; -+ if (new_tail_len) -+ { -+ if (slen + source_tail_len < MY_AES_BLOCK_SIZE) -+ { -+ memcpy(source_tail + source_tail_len, src, slen); -+ } -+ else -+ { -+ DBUG_ASSERT(slen > new_tail_len); -+ memcpy(source_tail, src + slen - new_tail_len, new_tail_len); -+ } -+ } -+ source_tail_len= new_tail_len; -+ } -+ - int update(const uchar *src, uint slen, uchar *dst, uint *dlen) - { -- buf_len+= slen; -+ update_source_tail(src, slen); - return MyCTX::update(src, slen, dst, dlen); - } - - int finish(uchar *dst, uint *dlen) - { -- buf_len %= MY_AES_BLOCK_SIZE; -- if (buf_len) -+ if (source_tail_len) - { -- uchar *buf= EVP_CIPHER_CTX_buf_noconst(ctx); - /* - Not much we can do, block ciphers cannot encrypt data that aren't - a multiple of the block length. At least not without padding. - Let's do something CTR-like for the last partial block. -- -- NOTE this assumes that there are only buf_len bytes in the buf. -- If OpenSSL will change that, we'll need to change the implementation -- of this class too. - */ - uchar mask[MY_AES_BLOCK_SIZE]; - uint mlen; -@@ -154,10 +166,10 @@ public: - return rc; - DBUG_ASSERT(mlen == sizeof(mask)); - -- for (uint i=0; i < buf_len; i++) -- dst[i]= buf[i] ^ mask[i]; -+ for (uint i=0; i < source_tail_len; i++) -+ dst[i]= source_tail[i] ^ mask[i]; - } -- *dlen= buf_len; -+ *dlen= source_tail_len; - return MY_AES_OK; - } - }; -diff -up mariadb-10.5.12-downstream_modified/unittest/mysys/aes-t.c.patch16 mariadb-10.5.12-downstream_modified/unittest/mysys/aes-t.c ---- mariadb-10.5.12-downstream_modified/unittest/mysys/aes-t.c.patch16 2021-08-03 10:29:10.000000000 +0200 -+++ mariadb-10.5.12-downstream_modified/unittest/mysys/aes-t.c 2021-11-18 16:58:41.553440740 +0100 -@@ -21,27 +21,96 @@ - #include - #include - --#define DO_TEST(mode, nopad, slen, fill, dlen, hash) \ -- SKIP_BLOCK_IF(mode == 0xDEADBEAF, nopad ? 4 : 5, #mode " not supported") \ -- { \ -- memset(src, fill, src_len= slen); \ -- ok(my_aes_crypt(mode, nopad | ENCRYPTION_FLAG_ENCRYPT, \ -- src, src_len, dst, &dst_len, \ -- key, sizeof(key), iv, sizeof(iv)) == MY_AES_OK, \ -- "encrypt " #mode " %u %s", src_len, nopad ? "nopad" : "pad"); \ -- if (!nopad) \ -- ok (dst_len == my_aes_get_size(mode, src_len), "my_aes_get_size");\ -- my_md5(md5, (char*)dst, dst_len); \ -- ok(dst_len == dlen && memcmp(md5, hash, sizeof(md5)) == 0, "md5"); \ -- ok(my_aes_crypt(mode, nopad | ENCRYPTION_FLAG_DECRYPT, \ -- dst, dst_len, ddst, &ddst_len, \ -- key, sizeof(key), iv, sizeof(iv)) == MY_AES_OK, \ -- "decrypt " #mode " %u", dst_len); \ -- ok(ddst_len == src_len && memcmp(src, ddst, src_len) == 0, "memcmp"); \ -+ -+/** Test streaming encryption, bytewise update.*/ -+static int aes_crypt_bytewise(enum my_aes_mode mode, int flags, const unsigned char *src, -+ unsigned int slen, unsigned char *dst, unsigned int *dlen, -+ const unsigned char *key, unsigned int klen, -+ const unsigned char *iv, unsigned int ivlen) -+{ -+ /* Allocate context on odd address on stack, in order to -+ catch misalignment errors.*/ -+ void *ctx= (char *)alloca(MY_AES_CTX_SIZE+1)+1; -+ -+ int res1, res2; -+ uint d1= 0, d2; -+ uint i; -+ -+ if ((res1= my_aes_crypt_init(ctx, mode, flags, key, klen, iv, ivlen))) -+ return res1; -+ for (i= 0; i < slen; i++) -+ { -+ uint tmp_d1=0; -+ res1= my_aes_crypt_update(ctx, src+i,1, dst, &tmp_d1); -+ if (res1) -+ return res1; -+ d1+= tmp_d1; -+ dst+= tmp_d1; -+ } -+ res2= my_aes_crypt_finish(ctx, dst, &d2); -+ *dlen= d1 + d2; -+ return res1 ? res1 : res2; -+} -+ -+ -+#ifndef HAVE_EncryptAes128Ctr -+const uint MY_AES_CTR=0xDEADBEAF; -+#endif -+#ifndef HAVE_EncryptAes128Gcm -+const uint MY_AES_GCM=0xDEADBEAF; -+#endif -+ -+#define MY_AES_UNSUPPORTED(x) (x == 0xDEADBEAF) -+ -+static void do_test(uint mode, const char *mode_str, int nopad, uint slen, -+ char fill, size_t dlen, const char *hash) -+{ -+ uchar key[16]= {1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 5, 6}; -+ uchar iv[16]= {2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 5, 6, 7}; -+ uchar src[1000], dst[1100], dst2[1100], ddst[1000]; -+ uchar md5[MY_MD5_HASH_SIZE]; -+ uint src_len, dst_len, dst_len2, ddst_len; -+ int result; -+ -+ if (MY_AES_UNSUPPORTED(mode)) -+ { -+ skip(nopad?7:6, "%s not supported", mode_str); -+ return; -+ } -+ memset(src, fill, src_len= slen); -+ result= my_aes_crypt(mode, nopad | ENCRYPTION_FLAG_ENCRYPT, src, src_len, -+ dst, &dst_len, key, sizeof(key), iv, sizeof(iv)); -+ ok(result == MY_AES_OK, "encrypt %s %u %s", mode_str, src_len, -+ nopad ? "nopad" : "pad"); -+ -+ if (nopad) -+ { -+ result= aes_crypt_bytewise(mode, nopad | ENCRYPTION_FLAG_ENCRYPT, src, -+ src_len, dst2, &dst_len2, key, sizeof(key), -+ iv, sizeof(iv)); -+ ok(result == MY_AES_OK, "encrypt bytewise %s %u", mode_str, src_len); -+ /* Compare with non-bytewise encryption result*/ -+ ok(dst_len == dst_len2 && memcmp(dst, dst2, dst_len) == 0, -+ "memcmp bytewise %s %u", mode_str, src_len); - } -+ else -+ { -+ int dst_len_real= my_aes_get_size(mode, src_len); -+ ok(dst_len_real= dst_len, "my_aes_get_size"); -+ } -+ my_md5(md5, (char *) dst, dst_len); -+ ok(dst_len == dlen, "md5 len"); -+ ok(memcmp(md5, hash, sizeof(md5)) == 0, "md5"); -+ result= my_aes_crypt(mode, nopad | ENCRYPTION_FLAG_DECRYPT, -+ dst, dst_len, ddst, &ddst_len, key, sizeof(key), iv, -+ sizeof(iv)); -+ -+ ok(result == MY_AES_OK, "decrypt %s %u", mode_str, dst_len); -+ ok(ddst_len == src_len && memcmp(src, ddst, src_len) == 0, "memcmp"); -+} - --#define DO_TEST_P(M,S,F,D,H) DO_TEST(M,0,S,F,D,H) --#define DO_TEST_N(M,S,F,D,H) DO_TEST(M,ENCRYPTION_FLAG_NOPAD,S,F,D,H) -+#define DO_TEST_P(M, S, F, D, H) do_test(M, #M, 0, S, F, D, H) -+#define DO_TEST_N(M, S, F, D, H) do_test(M, #M, ENCRYPTION_FLAG_NOPAD, S, F, D, H) - - /* useful macro for debugging */ - #define PRINT_MD5() \ -@@ -53,25 +122,15 @@ - printf("\"\n"); \ - } while(0); - --#ifndef HAVE_EncryptAes128Ctr --const uint MY_AES_CTR=0xDEADBEAF; --#endif --#ifndef HAVE_EncryptAes128Gcm --const uint MY_AES_GCM=0xDEADBEAF; --#endif - - int - main(int argc __attribute__((unused)),char *argv[]) - { -- uchar key[16]= {1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6}; -- uchar iv[16]= {2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7}; -- uchar src[1000], dst[1100], ddst[1000]; -- uchar md5[MY_MD5_HASH_SIZE]; -- uint src_len, dst_len, ddst_len; - - MY_INIT(argv[0]); - -- plan(87); -+ plan(122); -+ - DO_TEST_P(MY_AES_ECB, 200, '.', 208, "\xd8\x73\x8e\x3a\xbc\x66\x99\x13\x7f\x90\x23\x52\xee\x97\x6f\x9a"); - DO_TEST_P(MY_AES_ECB, 128, '?', 144, "\x19\x58\x33\x85\x4c\xaa\x7f\x06\xd1\xb2\xec\xd7\xb7\x6a\xa9\x5b"); - DO_TEST_P(MY_AES_CBC, 159, '%', 160, "\x4b\x03\x18\x3d\xf1\xa7\xcd\xa1\x46\xb3\xc6\x8a\x92\xc0\x0f\xc9"); - - - -MariaDB before 10.8 series does not contain the OpenSSL 3 patch on the upstream. -MariaDB upstream later added the following condition: -https://github.com/MariaDB/server/commit/c9beef4315 -limiting the OpenSSL that can be used to < 3. and reverted this commit for 10.8 and later: -https://github.com/MariaDB/server/commit/64e358821e - -Since we apply the OpenSSL 3 patch from MariaDB 10.8 series to earlier series, we need to revert this commit -on those earlier series too. - ---- mariadb-10.5.15-downstream_modified/cmake/ssl.cmake 2022-02-22 05:13:17.259097302 +0100 -+++ mariadb-10.5.15-downstream_modified/cmake/ssl.cmake_patched 2022-02-23 07:22:20.290082378 +0100 -@@ -118,7 +118,7 @@ MACRO (MYSQL_CHECK_SSL) - ENDIF() - FIND_PACKAGE(OpenSSL) - SET_PACKAGE_PROPERTIES(OpenSSL PROPERTIES TYPE RECOMMENDED) -- IF(OPENSSL_FOUND AND OPENSSL_VERSION AND OPENSSL_VERSION VERSION_LESS "3.0.0") -+ IF(OPENSSL_FOUND) - SET(OPENSSL_LIBRARY ${OPENSSL_SSL_LIBRARY}) - INCLUDE(CheckSymbolExists) - SET(SSL_SOURCES "") diff --git a/mariadb.spec b/mariadb.spec index 5e67618..ea3e2f2 100644 --- a/mariadb.spec +++ b/mariadb.spec @@ -11,7 +11,7 @@ # The last version on which the full testsuite has been run # In case of further rebuilds of that version, don't require full testsuite to be run # run only "main" suite -%global last_tested_version 10.5.16 +%global last_tested_version 10.5.18 # Set to 1 to force run the testsuite even if it was already tested in current version %global force_run_testsuite 0 @@ -149,8 +149,8 @@ %global sameevr %{epoch}:%{version}-%{release} Name: mariadb -Version: 10.5.16 -Release: 2%{?with_debug:.debug}%{?dist} +Version: 10.5.18 +Release: 1%{?with_debug:.debug}%{?dist} Epoch: 3 Summary: A very fast and robust SQL database server @@ -214,12 +214,6 @@ Patch7: %{pkgnamepatch}-scripts.patch Patch9: %{pkgnamepatch}-ownsetup.patch # Patch10: Fix cipher name in the SSL Cipher name test Patch10: %{pkgnamepatch}-ssl-cipher-tests.patch -# Patch12: OpenSSL 3 patch -# Picked from the upstream developement branch for MariaDB 10.8. -# https://jira.mariadb.org/browse/MDEV-25785 -Patch12: %{pkgnamepatch}-openssl3.patch -# Patch16: Fix MD5 in FIPS mode -Patch16: %{pkgnamepatch}-fips.patch BuildRequires: make BuildRequires: cmake gcc-c++ @@ -745,11 +739,12 @@ rm -r storage/rocksdb/ %patch4 -p1 %patch7 -p1 %patch9 -p1 -%patch10 -p1 -%if 0%{?fedora} >= 36 || 0%{?rhel} >= 9 -%patch12 -p1 -%patch16 -p1 -%endif +# The test in Patch 10 has been recently updated by upstream +# and the test was disabled in the testuite run +# main.ssl_cipher [ disabled ] MDEV-17184 - Failures with OpenSSL 1.1.1 +# Keeping the patch commented out, need to revisit +# once the test is re-enabled by upstream in some future release +#%%patch10 -p1 # generate a list of tests that fail, but are not disabled by upstream cat %{SOURCE50} | tee -a mysql-test/unstable-tests @@ -1654,6 +1649,10 @@ fi %endif %changelog +* Wed Nov 16 2022 Michal Schorm - 3:10.5.18-1 +- Rebase to 10.5.18 +- OpenSSL 3 patch upstreamed + * Mon Jun 13 2022 Michal Schorm - 3:10.5.16-2 - Release bump for rebuild diff --git a/rh-skipped-tests-base.list b/rh-skipped-tests-base.list index f164aba..96ef06f 100644 --- a/rh-skipped-tests-base.list +++ b/rh-skipped-tests-base.list @@ -72,3 +72,8 @@ oqgraph.regression_1213120 : # TLSv1.0 and TLSv1.1 are not allowed anymore # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/security_hardening/index main.tls_version1 : + +# Fails on all architectures since 10.5.18 +main.information_schema : +main.loadxml : +main.lock_kill : diff --git a/sources b/sources index 60a865a..a8f5f04 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (mariadb-10.5.16-downstream_modified.tar.gz) = c61457dcf4c2217b4432bee15094713e672f273a85f2f7a84326b619a0c51dd6f025d7bb94f5da35a2f4ac026c2b6fd32bd605985a5888101a06d62da8fdb02e +SHA512 (mariadb-10.5.18-downstream_modified.tar.gz) = 9a99d766fb05fec8d80f3c38d3ec2cbf8e5d456fe230b534aac3ebbf39e1743448c111a2fddf6592b456835f0d07baa0db7bf1821d567de2f615f0f0f01131d3