From dd46f0a7a01a9ae9d6b9a5d9ab81b6d17fa769a6 Mon Sep 17 00:00:00 2001 From: Michal Schorm Date: Tue, 2 Jan 2018 14:52:58 +0100 Subject: [PATCH 1/7] Provide subackage with a client static library needed by mysql-connector-odbc package Remove Group tag as it shouldn't be used anymore --- community-mysql.spec | 36 ++++++++++++++++++++++++------------ 1 file changed, 24 insertions(+), 12 deletions(-) diff --git a/community-mysql.spec b/community-mysql.spec index 1daa0eb..687d9db 100644 --- a/community-mysql.spec +++ b/community-mysql.spec @@ -84,9 +84,8 @@ Name: community-mysql Version: 5.7.20 -Release: 1%{?with_debug:.debug}%{?dist} +Release: 2%{?with_debug:.debug}%{?dist} Summary: MySQL client programs and shared libraries -Group: Applications/Databases URL: http://www.mysql.com # Exceptions allow client libraries to be linked with most open source SW, @@ -216,7 +215,6 @@ contains the standard MySQL client programs and generic MySQL files. %if %{with clibrary} %package libs Summary: The shared libraries required for MySQL clients -Group: Applications/Databases Requires: %{name}-common%{?_isa} = %{sameevr} %if %{with mysql_names} Provides: mysql-libs = %{sameevr} @@ -234,7 +232,6 @@ MySQL server. %if %{with config} %package config Summary: The config files required by server and client -Group: Applications/Databases %description config The package provides the config file my.cnf and my.cnf.d directory used by any @@ -247,7 +244,6 @@ package itself. %if %{with common} %package common Summary: The shared files required for MySQL server and client -Group: Applications/Databases Requires: %{_sysconfdir}/my.cnf %description common @@ -260,7 +256,6 @@ MySQL package. %if %{with errmsg} %package errmsg Summary: The error messages files required by server and embedded -Group: Applications/Databases Requires: %{name}-common%{?_isa} = %{sameevr} %description errmsg 
@@ -272,7 +267,6 @@ MySQL packages. %package server Summary: The MySQL server and related files -Group: Applications/Databases # Require any mysql client, but prefer community-mysql client for community-mysql server Suggests: %{name}%{?_isa} = %{sameevr} @@ -315,7 +309,6 @@ the MySQL server and some accompanying files and directories. %if %{with devel} %package devel Summary: Files for development of MySQL applications -Group: Applications/Databases %{?with_clibrary:Requires: %{name}-libs%{?_isa} = %{sameevr}} Requires: pkgconfig(openssl) Requires: zlib-devel @@ -331,7 +324,6 @@ developing MySQL client applications. %if %{with embedded} %package embedded Summary: MySQL as an embeddable library -Group: Applications/Databases Requires: %{name}-common%{?_isa} = %{sameevr} Requires: %{name}-errmsg%{?_isa} = %{sameevr} %if %{with mysql_names} @@ -347,7 +339,6 @@ into a client application instead of running as a separate process. %package embedded-devel Summary: Development files for MySQL as an embeddable library -Group: Applications/Databases Requires: %{name}-embedded%{?_isa} = %{sameevr} Requires: %{name}-devel%{?_isa} = %{sameevr} Requires: libaio-devel @@ -365,7 +356,6 @@ the embedded version of the MySQL server. %if %{with test} %package test Summary: The test suite distributed with MySQL -Group: Applications/Databases Requires: %{name}%{?_isa} = %{sameevr} Requires: %{name}-common%{?_isa} = %{sameevr} Requires: %{name}-server%{?_isa} = %{sameevr} @@ -396,6 +386,17 @@ the MySQL sources. %endif +%package static +Summary: Static mysql client library +Suggests: %{name}-devel%{?_isa} = %{sameevr} + +%description static +MySQL is a multi-user, multi-threaded SQL database server. +This package contains the static client library "libmysqlclient.a", that is +required by mysql-connector-odbc package. This package should not be required +by any other package than mysql-connector-odbc. + + %prep %setup -q -n mysql-%{version} %patch1 -p1 
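Review bot: The new `%package static` pulls in the headers only through `Suggests: %{name}-devel%{?_isa} = %{sameevr}`, a weak dependency, so a build that installs the static subpackage can end up with `libmysqlclient.a` and no matching headers; `Requires: %{name}-devel%{?_isa} = %{sameevr}` would tie the two together. The subpackage is also declared unconditionally, while `devel` and the other subpackages visible here sit inside `%if %{with ...}` guards, so it is worth confirming that the spec still builds with `devel` or `clibrary` switched off. Anything linked against the archive carries its own copy of the client code, so a comment above the package such as `# consumers must be rebuilt after every client-library security update` would record the maintenance cost that the description only hints at.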
@@ -585,9 +586,12 @@ install -D -p -m 0644 scripts/server.cnf %{buildroot}%{_sysconfdir}/my.cnf.d/%{p mv %{buildroot}%{_datadir}/mysql-test/lib/My/SafeProcess/my_safe_process %{buildroot}%{_bindir} ln -s ../../../../../bin/my_safe_process %{buildroot}%{_datadir}/mysql-test/lib/My/SafeProcess/my_safe_process +# Do not pack those libraries +rm %{buildroot}%{_libdir}/mysql/libmysqld.a +rm %{buildroot}%{_libdir}/mysql/libmysqlservices.a + # not needed in rpm package rm %{buildroot}%{_bindir}/mysql_embedded -rm %{buildroot}%{_libdir}/mysql/*.a rm %{buildroot}%{_datadir}/%{pkg_name}/magic rm %{buildroot}%{_datadir}/%{pkg_name}/mysql.server rm %{buildroot}%{_datadir}/%{pkg_name}/mysqld_multi.server @@ -791,6 +795,9 @@ fi %config(noreplace) %{_sysconfdir}/ld.so.conf.d/* %endif +%files static +%{_libdir}/mysql/libmysqlclient.a + %if %{with config} %files config # although the default my.cnf contains only server settings, we put it in the @@ -968,6 +975,11 @@ fi %endif %changelog +* Tue Jan 02 2018 Michal Schorm - 5.7.20-2 +- Provide subackage with a client static library + Needed by mysql-connector-odbc package +- Remove Group tag as it shouldn't be used anymore + * Wed Oct 25 2017 Michal Schorm - 5.7.20-1 - Fix owner and perms on log file in post script Related: #1497694 From 358de6797b7c631105c2885933aaeee377a87ab9 Mon Sep 17 00:00:00 2001 From: Michal Schorm Date: Tue, 2 Jan 2018 15:34:57 +0100 Subject: [PATCH 2/7] Exclude failing test --- community-mysql.spec | 2 ++ 1 file changed, 2 insertions(+) diff --git a/community-mysql.spec b/community-mysql.spec index 687d9db..8f052bc 100644 --- a/community-mysql.spec +++ b/community-mysql.spec @@ -432,6 +432,8 @@ add_test () { touch %{skiplist} +add_test auth_sec.openssl_cert_validity : 2018 new year issue + # these tests fail on arm32 %ifarch %arm # FTS From 9d42ca2a37c7c9860369bddd0cd0fb927be1d544 Mon Sep 17 00:00:00 2001 
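Review bot: The added `add_test auth_sec.openssl_cert_validity : 2018 new year issue` skips the test on every architecture and gives no bug reference or condition for turning it back on. Judging by its name, the test exercises certificate validity handling, so a permanent skip can hide a later regression in that area. A comment above the line, for example `# skipped until the date-dependent failure is fixed upstream, see <UPSTREAM_BUG_URL>; re-enable on the next rebase`, would make the skip traceable.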
From: Honza Horak Date: Fri, 8 Dec 2017 15:55:22 +0100 Subject: [PATCH 3/7] Port for OpenSSL 1.1 Change few SSL calls Fix tests that expect some particular ciphers --- community-mysql-openssl11.patch | 517 ++++++++++++++++++++++++++++++++ community-mysql.spec | 14 +- 2 files changed, 525 insertions(+), 6 deletions(-) create mode 100644 community-mysql-openssl11.patch diff --git a/community-mysql-openssl11.patch b/community-mysql-openssl11.patch new file mode 100644 index 0000000..a3c29b7 --- /dev/null +++ b/community-mysql-openssl11.patch 
@@ -0,0 +1,517 @@ +Add OpenSSL 1.1 compatibility + +Based on patches in upstream tracker (bellow), and patches from MariaDB for the same feature. + +Upstream tracker: https://bugs.mysql.com/bug.php?id=83814 + +diff -rup mysql-5.7.20-sslbak/mysql-test/suite/auth_sec/t/mysql_ssl_connection.test mysql-5.7.20/mysql-test/suite/auth_sec/t/mysql_ssl_connection.test +--- mysql-5.7.20-sslbak/mysql-test/suite/auth_sec/t/mysql_ssl_connection.test 2017-12-08 09:00:52.578760787 +0100 ++++ mysql-5.7.20/mysql-test/suite/auth_sec/t/mysql_ssl_connection.test 2017-12-08 22:19:40.033870734 +0100 +@@ -7,7 +7,7 @@ + connection default; + CREATE USER u_20693153@localhost IDENTIFIED BY 'abcd'; + +---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER ++--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER + --exec $MYSQL --protocol=TCP -uu_20693153 -pabcd --ssl-ca=$MYSQL_TEST_DIR/std_data/cacert.pem -e "SHOW STATUS LIKE 'Ssl_cipher';" + + DROP USER u_20693153@localhost; +diff -rup mysql-5.7.20-sslbak/mysql-test/suite/auth_sec/t/openssl_cert_generation.test mysql-5.7.20/mysql-test/suite/auth_sec/t/openssl_cert_generation.test +--- mysql-5.7.20-sslbak/mysql-test/suite/auth_sec/t/openssl_cert_generation.test 2017-12-08 09:00:52.579760795 +0100 ++++ mysql-5.7.20/mysql-test/suite/auth_sec/t/openssl_cert_generation.test 2017-12-08 22:19:40.033870734 +0100 +@@ -183,7 +183,7 @@ let SEARCH_PATTERN= Auto generated SSL c + --file_exists $MYSQLTEST_VARDIR/mysqld.1/data/public_key.pem + + --echo # Ensure that server is ssl enabled +---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER ++--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER + --exec $MYSQL -uroot --ssl-mode=REQUIRED -e "show status like 'Ssl_cipher'" + #----------------------------------------------------------------------------- + +@@ 
-285,7 +285,7 @@ grant usage on *.* to wl7699_sha256 iden + + # Using SSL certificates + --echo # Should be able to connect to server using generated SSL certificates. +---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER ++--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER + --exec $MYSQL -uwl7699_sha256 -pabcd --ssl-mode=REQUIRED -e "show status like 'Ssl_cipher'" + # Using RSA key pair + --echo # Should be able to connect to server using RSA key pair. +@@ -351,7 +351,7 @@ show variables like 'sha256%'; + + --echo # 6.3 : SSL connection + --echo # Should be able to connect to server using generated SSL certificates. +---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER ++--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER + --exec $MYSQL -uroot --ssl-mode=REQUIRED -e "show status like 'Ssl_cipher'" + + +@@ -362,7 +362,7 @@ grant usage on *.* to wl7699_sha256 iden + + # Using SSL certificates + --echo # Should be able to connect to server using generated SSL certificates. +---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER ++--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER + --exec $MYSQL -uwl7699_sha256 -pabcd --ssl-mode=REQUIRED -e "show status like 'Ssl_cipher'" + # Using RSA key pair + --echo # Should be able to connect to server using RSA key pair. 
+diff -rup mysql-5.7.20-sslbak/mysql-test/suite/auth_sec/t/ssl_auto_detect.test mysql-5.7.20/mysql-test/suite/auth_sec/t/ssl_auto_detect.test +--- mysql-5.7.20-sslbak/mysql-test/suite/auth_sec/t/ssl_auto_detect.test 2017-12-08 09:00:52.583760826 +0100 ++++ mysql-5.7.20/mysql-test/suite/auth_sec/t/ssl_auto_detect.test 2017-12-08 22:19:40.034870741 +0100 +@@ -54,7 +54,7 @@ let SEARCH_PATTERN= CA certificate .* is + + --echo # Try to establish SSL connection : This must succeed. + connect (ssl_root_1,localhost,root,,,,,SSL); +---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER ++--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER + SHOW STATUS LIKE 'Ssl_cipher'; + SHOW VARIABLES LIKE 'have_ssl'; + +@@ -68,7 +68,7 @@ connection default; + disconnect ssl_root_1; + + --echo # Connect using mysql client : This must succeed. +---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER ++--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER + --exec $MYSQL -uroot --ssl-mode=REQUIRED -e "show status like 'Ssl_cipher';" + + +@@ -140,7 +140,7 @@ let SEARCH_PATTERN= CA certificate .* is + --source include/search_pattern_in_file.inc + + --echo # Try creating SSL connection +---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER ++--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER + --exec $MYSQL -uroot --ssl-mode=REQUIRED -e "show status like 'Ssl_cipher';" + + +diff -rup mysql-5.7.20-sslbak/mysql-test/suite/auth_sec/t/tls.test mysql-5.7.20/mysql-test/suite/auth_sec/t/tls.test +--- mysql-5.7.20-sslbak/mysql-test/suite/auth_sec/t/tls.test 2017-12-08 09:00:52.584760834 +0100 ++++ mysql-5.7.20/mysql-test/suite/auth_sec/t/tls.test 2017-12-08 22:56:42.786710772 +0100 +@@ -36,7 +36,7 @@ let 
$cipher_default= DHE-RSA-AES256-SHA; + let $tls_default= TLSv1.1; + let $openssl= query_get_value("SHOW STATUS LIKE 'Rsa_public_key'", Variable_name, 1); + if ($openssl == 'Rsa_public_key'){ +- let $cipher_default= DHE-RSA-AES128-GCM-SHA256; ++ let $cipher_default= ECDHE-RSA-AES128-GCM-SHA256; + let $tls_default= TLSv1.2; + } + --echo #T1: Default TLS connection +diff -rup mysql-5.7.20-sslbak/mysql-test/t/mysql_ssl_default.test mysql-5.7.20/mysql-test/t/mysql_ssl_default.test +--- mysql-5.7.20-sslbak/mysql-test/t/mysql_ssl_default.test 2017-12-08 09:00:55.717784968 +0100 ++++ mysql-5.7.20/mysql-test/t/mysql_ssl_default.test 2017-12-08 22:19:40.035870748 +0100 +@@ -14,15 +14,15 @@ + + --echo # verify that mysql default connect with ssl channel when using TCP/IP + --echo # connection +---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER ++--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER + --exec $MYSQL --host=127.0.0.1 -P $MASTER_MYPORT -e "SHOW STATUS like 'Ssl_cipher'" + + --echo # verify that mysql --ssl=0 connect with unencrypted channel +---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER ++--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER + --exec $MYSQL --host=127.0.0.1 -P $MASTER_MYPORT -e "SHOW STATUS like 'Ssl_cipher'" --ssl-mode=DISABLED + + --echo # verify that mysql --ssl=1 connect with ssl channel +---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER ++--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER + --exec $MYSQL --host=127.0.0.1 -P $MASTER_MYPORT -e "SHOW STATUS like 'Ssl_cipher'" --ssl-mode=REQUIRED + + CREATE USER u1@localhost IDENTIFIED BY 'secret' REQUIRE SSL; +diff -rup mysql-5.7.20-sslbak/mysql-test/t/openssl_1.test 
mysql-5.7.20/mysql-test/t/openssl_1.test +--- mysql-5.7.20-sslbak/mysql-test/t/openssl_1.test 2017-12-08 09:00:55.729785060 +0100 ++++ mysql-5.7.20/mysql-test/t/openssl_1.test 2017-12-08 22:19:40.035870748 +0100 +@@ -19,17 +19,17 @@ insert into t1 values (5); + let $cipher_val= "DHE-RSA-AES256-SHA"; + let $shavars= query_get_value("SHOW STATUS LIKE 'Rsa_public_key'", Variable_name, 1); + if ($shavars == 'Rsa_public_key'){ +- let $cipher_val= "DHE-RSA-AES128-GCM-SHA256"; ++ let $cipher_val= "ECDHE-RSA-AES128-GCM-SHA256"; + } + + grant select on test.* to ssl_user1@localhost require SSL; +---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER ++--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER + -- eval grant select on test.* to ssl_user2@localhost require cipher $cipher_val +---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER ++--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER + -- eval grant select on test.* to ssl_user3@localhost require cipher $cipher_val AND SUBJECT "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=Client" +---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER ++--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER + -- eval grant select on test.* to ssl_user4@localhost require cipher $cipher_val AND SUBJECT "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=Client" ISSUER "/C=SE/ST=Stockholm/L=Stockholm/O=Oracle/OU=MySQL/CN=CA" +---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER ++--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER + -- eval grant select on test.* to ssl_user5@localhost require cipher $cipher_val AND SUBJECT "xxx" + 
flush privileges; + +@@ -43,7 +43,7 @@ connect (con5,localhost,ssl_user5,,,,,SS + + connection con1; + # Check ssl turned on +---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER ++--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER + SHOW STATUS LIKE 'Ssl_cipher'; + select * from t1; + --error ER_TABLEACCESS_DENIED_ERROR +@@ -51,7 +51,7 @@ delete from t1; + + connection con2; + # Check ssl turned on +---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER ++--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER + SHOW STATUS LIKE 'Ssl_cipher'; + select * from t1; + --error ER_TABLEACCESS_DENIED_ERROR +@@ -59,7 +59,7 @@ delete from t1; + + connection con3; + # Check ssl turned on +---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER ++--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER + SHOW STATUS LIKE 'Ssl_cipher'; + select * from t1; + --error ER_TABLEACCESS_DENIED_ERROR +@@ -67,7 +67,7 @@ delete from t1; + + connection con4; + # Check ssl turned on +---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER ++--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER + SHOW STATUS LIKE 'Ssl_cipher'; + select * from t1; + --error ER_TABLEACCESS_DENIED_ERROR +@@ -142,7 +142,7 @@ drop table t1; + # verification of servers certificate by setting both ca certificate + # and ca path to NULL + # +---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER ++--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER + --exec $MYSQL --ssl-mode=REQUIRED 
--ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem -e "SHOW STATUS LIKE 'ssl_Cipher'" 2>&1 + --echo End of 5.0 tests + +@@ -269,7 +269,7 @@ select 'is still running; no cipher requ + GRANT SELECT ON test.* TO bug42158@localhost REQUIRE X509; + FLUSH PRIVILEGES; + connect(con1,localhost,bug42158,,,,,SSL); +---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER ++--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER + SHOW STATUS LIKE 'Ssl_cipher'; + disconnect con1; + connection default; +diff -rup mysql-5.7.20-sslbak/mysql-test/t/plugin_auth_sha256_tls.test mysql-5.7.20/mysql-test/t/plugin_auth_sha256_tls.test +--- mysql-5.7.20-sslbak/mysql-test/t/plugin_auth_sha256_tls.test 2017-12-08 09:00:55.747785199 +0100 ++++ mysql-5.7.20/mysql-test/t/plugin_auth_sha256_tls.test 2017-12-08 22:19:40.035870748 +0100 +@@ -2,7 +2,7 @@ + --source include/have_ssl.inc + + connect (ssl_con,localhost,root,,,,,SSL); +---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER ++--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER + SHOW STATUS LIKE 'Ssl_cipher'; + + CREATE USER 'kristofer' IDENTIFIED WITH 'sha256_password'; +diff -rup mysql-5.7.20-sslbak/mysql-test/t/ssl_8k_key.test mysql-5.7.20/mysql-test/t/ssl_8k_key.test +--- mysql-5.7.20-sslbak/mysql-test/t/ssl_8k_key.test 2017-12-08 09:00:55.772785392 +0100 ++++ mysql-5.7.20/mysql-test/t/ssl_8k_key.test 2017-12-08 22:19:40.036870755 +0100 +@@ -4,7 +4,7 @@ + # + # Bug#29784 YaSSL assertion failure when reading 8k key. 
+ # +---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER ++--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER + --exec $MYSQL --ssl-mode=REQUIRED --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem -e "SHOW STATUS LIKE 'ssl_Cipher'" 2>&1 + + ## This test file is for testing encrypted communication only, not other +diff -rup mysql-5.7.20-sslbak/mysql-test/t/ssl_ca.test mysql-5.7.20/mysql-test/t/ssl_ca.test +--- mysql-5.7.20-sslbak/mysql-test/t/ssl_ca.test 2017-12-08 09:00:55.773785399 +0100 ++++ mysql-5.7.20/mysql-test/t/ssl_ca.test 2017-12-08 22:19:40.036870755 +0100 +@@ -10,7 +10,7 @@ + --exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/wrong-crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-cert.pem test -e "SHOW STATUS LIKE 'Ssl_cipher'" 2>&1 + + --echo # try to connect with correct '--ssl-ca' path : should connect +---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER ++--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER + --exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-cert.pem test -e "SHOW STATUS LIKE 'Ssl_cipher'" + + --echo # +@@ -22,15 +22,15 @@ + + --echo # try to connect with '--ssl-ca' option using tilde home directoy + --echo # path substitution : should connect +---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER ++--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER + --exec $MYSQL --ssl-ca=$mysql_test_dir_path/std_data/crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-key.pem 
--ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-cert.pem test -e "SHOW STATUS LIKE 'Ssl_cipher'" + + --echo # try to connect with '--ssl-key' option using tilde home directoy + --echo # path substitution : should connect +---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER ++--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER + --exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ssl-key=$mysql_test_dir_path/std_data/crl-client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-cert.pem test -e "SHOW STATUS LIKE 'Ssl_cipher'" + + --echo # try to connect with '--ssl-cert' option using tilde home directoy + --echo # path substitution : should connect +---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER ++--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER + --exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-key.pem --ssl-cert=$mysql_test_dir_path/std_data/crl-client-cert.pem test -e "SHOW STATUS LIKE 'Ssl_cipher'" +diff -rup mysql-5.7.20-sslbak/mysql-test/t/ssl_compress.test mysql-5.7.20/mysql-test/t/ssl_compress.test +--- mysql-5.7.20-sslbak/mysql-test/t/ssl_compress.test 2017-12-08 09:00:55.774785407 +0100 ++++ mysql-5.7.20/mysql-test/t/ssl_compress.test 2017-12-08 22:19:40.036870755 +0100 +@@ -17,7 +17,7 @@ + connect (ssl_compress_con,localhost,root,,,,,SSL COMPRESS); + + # Check ssl turned on +---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER ++--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER + SHOW STATUS LIKE 'Ssl_cipher'; + + # Check compression turned on +@@ -27,7 +27,7 @@ SHOW STATUS LIKE 'Compression'; + -- source include/common-tests.inc + + # Check ssl turned on 
+---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER ++--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER + SHOW STATUS LIKE 'Ssl_cipher'; + + # Check compression turned on +diff -rup mysql-5.7.20-sslbak/mysql-test/t/ssl_crl.test mysql-5.7.20/mysql-test/t/ssl_crl.test +--- mysql-5.7.20-sslbak/mysql-test/t/ssl_crl.test 2017-12-08 09:00:55.774785407 +0100 ++++ mysql-5.7.20/mysql-test/t/ssl_crl.test 2017-12-08 22:19:40.037870762 +0100 +@@ -32,9 +32,11 @@ if (!$crllen) + --echo # try to connect with '--ssl-crl' option using tilde home directoy + --echo # path substitution : should connect + --replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR ++--replace_result ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256 + --exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-cert.pem test --ssl-crl=$mysql_test_dir_path/std_data/crl-client-revoked.crl -e "SHOW STATUS LIKE 'Ssl_cipher'" + + --echo # try to connect with '--ssl-crlpath' option using tilde home directoy + --echo # path substitution : should connect + --replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR ++--replace_result ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256 + --exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-cert.pem --ssl-crlpath=$mysql_test_dir_path/std_data/crldir test -e "SHOW STATUS LIKE 'Ssl_cipher'" +diff -rup mysql-5.7.20-sslbak/mysql-test/t/ssl.test mysql-5.7.20/mysql-test/t/ssl.test +--- mysql-5.7.20-sslbak/mysql-test/t/ssl.test 2017-12-08 09:00:55.772785392 +0100 ++++ mysql-5.7.20/mysql-test/t/ssl.test 2017-12-08 22:19:40.037870762 +0100 +@@ -16,7 +16,7 @@ + connect (ssl_con,localhost,root,,,,,SSL); + + # Check ssl turned on +---replace_result DHE-RSA-AES128-GCM-SHA256 
SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER ++--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER + SHOW STATUS LIKE 'Ssl_cipher'; + + # Check ssl expiration +@@ -27,7 +27,7 @@ SHOW STATUS LIKE 'Ssl_server_not_after'; + -- source include/common-tests.inc + + # Check ssl turned on +---replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER ++--replace_result ECDHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER + SHOW STATUS LIKE 'Ssl_cipher'; + + connection default; +diff -rup mysql-5.7.20-sslbak/mysys_ssl/my_aes_openssl.cc mysql-5.7.20/mysys_ssl/my_aes_openssl.cc +--- mysql-5.7.20-sslbak/mysys_ssl/my_aes_openssl.cc 2017-12-08 09:00:55.851786000 +0100 ++++ mysql-5.7.20/mysys_ssl/my_aes_openssl.cc 2017-12-08 22:19:40.037870762 +0100 +@@ -122,7 +122,7 @@ int my_aes_encrypt(const unsigned char * + enum my_aes_opmode mode, const unsigned char *iv, + bool padding) + { +- EVP_CIPHER_CTX ctx; ++ EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new(); + const EVP_CIPHER *cipher= aes_evp_type(mode); + int u_len, f_len; + /* The real key to be used for encryption */ +@@ -132,23 +132,23 @@ int my_aes_encrypt(const unsigned char * + if (!cipher || (EVP_CIPHER_iv_length(cipher) > 0 && !iv)) + return MY_AES_BAD_DATA; + +- if (!EVP_EncryptInit(&ctx, cipher, rkey, iv)) ++ if (!EVP_EncryptInit(ctx, cipher, rkey, iv)) + goto aes_error; /* Error */ +- if (!EVP_CIPHER_CTX_set_padding(&ctx, padding)) ++ if (!EVP_CIPHER_CTX_set_padding(ctx, padding)) + goto aes_error; /* Error */ +- if (!EVP_EncryptUpdate(&ctx, dest, &u_len, source, source_length)) ++ if (!EVP_EncryptUpdate(ctx, dest, &u_len, source, source_length)) + goto aes_error; /* Error */ + +- if (!EVP_EncryptFinal(&ctx, dest + u_len, &f_len)) ++ if (!EVP_EncryptFinal(ctx, dest + u_len, &f_len)) + goto aes_error; /* Error */ + +- EVP_CIPHER_CTX_cleanup(&ctx); ++ EVP_CIPHER_CTX_free(ctx); + return 
u_len + f_len; + + aes_error: + /* need to explicitly clean up the error if we want to ignore it */ + ERR_clear_error(); +- EVP_CIPHER_CTX_cleanup(&ctx); ++ EVP_CIPHER_CTX_free(ctx); + return MY_AES_BAD_DATA; + } + +@@ -159,7 +159,7 @@ int my_aes_decrypt(const unsigned char * + bool padding) + { + +- EVP_CIPHER_CTX ctx; ++ EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new(); + const EVP_CIPHER *cipher= aes_evp_type(mode); + int u_len, f_len; + +@@ -170,24 +170,22 @@ int my_aes_decrypt(const unsigned char * + if (!cipher || (EVP_CIPHER_iv_length(cipher) > 0 && !iv)) + return MY_AES_BAD_DATA; + +- EVP_CIPHER_CTX_init(&ctx); +- +- if (!EVP_DecryptInit(&ctx, aes_evp_type(mode), rkey, iv)) ++ if (!EVP_DecryptInit(ctx, aes_evp_type(mode), rkey, iv)) + goto aes_error; /* Error */ +- if (!EVP_CIPHER_CTX_set_padding(&ctx, padding)) ++ if (!EVP_CIPHER_CTX_set_padding(ctx, padding)) + goto aes_error; /* Error */ +- if (!EVP_DecryptUpdate(&ctx, dest, &u_len, source, source_length)) ++ if (!EVP_DecryptUpdate(ctx, dest, &u_len, source, source_length)) + goto aes_error; /* Error */ +- if (!EVP_DecryptFinal_ex(&ctx, dest + u_len, &f_len)) ++ if (!EVP_DecryptFinal_ex(ctx, dest + u_len, &f_len)) + goto aes_error; /* Error */ + +- EVP_CIPHER_CTX_cleanup(&ctx); ++ EVP_CIPHER_CTX_free(ctx); + return u_len + f_len; + + aes_error: + /* need to explicitly clean up the error if we want to ignore it */ + ERR_clear_error(); +- EVP_CIPHER_CTX_cleanup(&ctx); ++ EVP_CIPHER_CTX_free(ctx); + return MY_AES_BAD_DATA; + } + +diff -rup mysql-5.7.20-sslbak/rapid/plugin/group_replication/libmysqlgcs/src/bindings/xcom/xcom/xcom_ssl_transport.c mysql-5.7.20/rapid/plugin/group_replication/libmysqlgcs/src/bindings/xcom/xcom/xcom_ssl_transport.c +--- mysql-5.7.20-sslbak/rapid/plugin/group_replication/libmysqlgcs/src/bindings/xcom/xcom/xcom_ssl_transport.c 2017-12-08 09:00:55.975786955 +0100 ++++ mysql-5.7.20/rapid/plugin/group_replication/libmysqlgcs/src/bindings/xcom/xcom/xcom_ssl_transport.c 2017-12-08 
22:19:40.037870762 +0100 +@@ -104,7 +104,7 @@ static const char* tls_cipher_blocked= " + mjxx/bg6bOOjpgZapvB6ABWlWmRmAAWFtwIBBQ== + -----END DH PARAMETERS----- + */ +-static unsigned char dh2048_p[]= ++static unsigned char dhp_2048[]= + { + 0x8A, 0x5D, 0xFA, 0xC0, 0x66, 0x76, 0x4E, 0x61, 0xFA, 0xCA, 0xC0, 0x37, + 0x57, 0x5C, 0x6D, 0x3F, 0x83, 0x0A, 0xA1, 0xF5, 0xF1, 0xE6, 0x7F, 0x3C, +@@ -131,20 +131,24 @@ static unsigned char dh2048_p[]= + }; + + +-static unsigned char dh2048_g[]={ ++static unsigned char dhg_2048[]={ + 0x05, + }; + + static DH *get_dh2048(void) + { +- DH *dh; +- if ((dh=DH_new())) ++ DH *dh = DH_new(); ++ BIGNUM *dhp_bn, *dhg_bn; ++ if (dh != NULL) + { +- dh->p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL); +- dh->g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL); +- if (! dh->p || ! dh->g) ++ dhp_bn = BN_bin2bn(dhp_2048, sizeof (dhp_2048), NULL); ++ dhg_bn = BN_bin2bn(dhg_2048, sizeof (dhg_2048), NULL); ++ if (dhp_bn == NULL || dhg_bn == NULL ++ || !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) + { + DH_free(dh); ++ BN_free(dhp_bn); ++ BN_free(dhg_bn); + dh=0; + } + } +diff -rup mysql-5.7.20-sslbak/sql/mysqld.cc mysql-5.7.20/sql/mysqld.cc +--- mysql-5.7.20-sslbak/sql/mysqld.cc 2017-12-08 09:00:56.309789528 +0100 ++++ mysql-5.7.20/sql/mysqld.cc 2017-12-08 22:19:40.039870776 +0100 +@@ -3376,7 +3376,7 @@ static int init_ssl() + { + #ifdef HAVE_OPENSSL + #ifndef HAVE_YASSL +- CRYPTO_malloc_init(); ++ OPENSSL_malloc_init(); + #endif + ssl_start(); + #ifndef EMBEDDED_LIBRARY +diff -rup mysql-5.7.20-sslbak/sql-common/client.c mysql-5.7.20/sql-common/client.c +--- mysql-5.7.20-sslbak/sql-common/client.c 2017-12-08 09:00:56.245789035 +0100 ++++ mysql-5.7.20/sql-common/client.c 2017-12-08 22:19:40.040870783 +0100 +@@ -2741,7 +2741,7 @@ static int ssl_verify_server_cert(Vio *v + goto error; + } + +- cn= (char *) ASN1_STRING_data(cn_asn1); ++ cn= (char *) ASN1_STRING_get0_data(cn_asn1); + + // There should not be any NULL embedded in the CN + if 
((size_t)ASN1_STRING_length(cn_asn1) != strlen(cn)) +diff -rup mysql-5.7.20-sslbak/vio/viosslfactories.c mysql-5.7.20/vio/viosslfactories.c +--- mysql-5.7.20-sslbak/vio/viosslfactories.c 2017-12-08 09:00:56.807793365 +0100 ++++ mysql-5.7.20/vio/viosslfactories.c 2017-12-08 22:19:40.040870783 +0100 +@@ -86,7 +86,7 @@ static my_bool ssl_initialized + mjxx/bg6bOOjpgZapvB6ABWlWmRmAAWFtwIBBQ== + -----END DH PARAMETERS----- + */ +-static unsigned char dh2048_p[]= ++static unsigned char dhp_2048[]= + { + 0x8A, 0x5D, 0xFA, 0xC0, 0x66, 0x76, 0x4E, 0x61, 0xFA, 0xCA, 0xC0, 0x37, + 0x57, 0x5C, 0x6D, 0x3F, 0x83, 0x0A, 0xA1, 0xF5, 0xF1, 0xE6, 0x7F, 0x3C, +@@ -112,20 +112,25 @@ static unsigned char dh2048_p[]= + 0x00, 0x05, 0x85, 0xB7, + }; + +-static unsigned char dh2048_g[]={ ++static unsigned char dhg_2048[]={ + 0x05, + }; + + static DH *get_dh2048(void) + { +- DH *dh; +- if ((dh=DH_new())) ++ DH *dh = DH_new(); ++ BIGNUM *dhp_bn, *dhg_bn; ++ ++ if (dh != NULL) + { +- dh->p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL); +- dh->g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL); +- if (! dh->p || ! dh->g) ++ dhp_bn = BN_bin2bn(dhp_2048, sizeof (dhp_2048), NULL); ++ dhg_bn = BN_bin2bn(dhg_2048, sizeof (dhg_2048), NULL); ++ if (dhp_bn == NULL || dhg_bn == NULL ++ || !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) + { + DH_free(dh); ++ BN_free(dhp_bn); ++ BN_free(dhg_bn); + dh=0; + } + } +@@ -419,9 +424,7 @@ void ssl_start() + { + ssl_initialized= TRUE; + +- SSL_library_init(); +- OpenSSL_add_all_algorithms(); +- SSL_load_error_strings(); ++ OPENSSL_init_ssl(0, NULL); + + #ifndef HAVE_YASSL + init_ssl_locks(); diff --git a/community-mysql.spec b/community-mysql.spec index 8f052bc..ec308b3 100644 --- a/community-mysql.spec +++ b/community-mysql.spec @@ -84,7 +84,7 @@ Name: community-mysql Version: 5.7.20 -Release: 2%{?with_debug:.debug}%{?dist} +Release: 3%{?with_debug:.debug}%{?dist} Summary: MySQL client programs and shared libraries URL: http://www.mysql.com 
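Review bot: In the `my_aes_openssl.cc` part of the added patch, `my_aes_encrypt` and `my_aes_decrypt` now allocate the context in the declaration, `EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();`, but the result is never checked for NULL, and the existing early `return MY_AES_BAD_DATA;` (no cipher, or a missing IV) leaves without freeing it. Each rejected call therefore leaks a context, and an allocation failure would reach `EVP_EncryptInit`/`EVP_DecryptInit` with a NULL pointer. Routing the early exit through the cleanup label covers both: `if (!ctx || !cipher || (EVP_CIPHER_iv_length(cipher) > 0 && !iv)) goto aes_error;`. Only parts of both functions are visible in the patch, so check that no initialised declaration sits between that test and the label. Separately, `ssl_start()` in `viosslfactories.c` ignores the return value of `OPENSSL_init_ssl(0, NULL)`.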
@@ -126,6 +126,7 @@ Patch7: %{pkgnamepatch}-md5_fips.patch Patch51: %{pkgnamepatch}-chain-certs.patch Patch52: %{pkgnamepatch}-sharedir.patch Patch70: %{pkgnamepatch}-5.7.9-major.patch +Patch71: %{pkgnamepatch}-openssl11.patch # Patches taken from boost 1.59 Patch115: boost-1.58.0-pool.patch @@ -145,11 +146,7 @@ BuildRequires: mecab-devel %ifnarch aarch64 %{arm} s390 s390x BuildRequires: numactl-devel %endif -%if 0%{?fedora} < 26 BuildRequires: openssl-devel -%else -BuildRequires: compat-openssl10-devel -%endif %if 0%{?fedora} > 24 || 0%{?rhel} > 7 BuildRequires: perl-interpreter BuildRequires: perl-generators @@ -411,6 +408,7 @@ by any other package than mysql-connector-odbc. %if %{with_shared_lib_major_hack} %patch70 -p1 %endif +%patch71 -p1 # Patch Boost pushd boost/boost_1_59_0 @@ -471,7 +469,7 @@ cp %{SOURCE2} %{SOURCE3} %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} \ %endif # build out of source -mkdir build && pushd build +mkdir -p build && pushd build # The INSTALL_xxx macros have to be specified relative to CMAKE_INSTALL_PREFIX # so we can't use %%{_datadir} and so forth here. @@ -977,6 +975,10 @@ fi %endif %changelog +* Mon Jan 08 2018 Michal Schorm - 5.7.20-3 +- Port for OpenSSL 1.1 + Fix tests that expect some particular ciphers + * Tue Jan 02 2018 Michal Schorm - 5.7.20-2 - Provide subackage with a client static library Needed by mysql-connector-odbc package From 7e1736baba53fa6d027c81dbb0ed91407922966a Mon Sep 17 00:00:00 2001 From: Michal Schorm Date: Sun, 21 Jan 2018 04:21:00 +0100 Subject: [PATCH 4/7] Update to MySQL 5.7.21 --- community-mysql-tirpc.patch | 88 +++++++++++++++++++++++++++++++++++++ community-mysql.spec | 18 +++++++- sources | 2 +- 3 files changed, 105 insertions(+), 3 deletions(-) create mode 100644 community-mysql-tirpc.patch diff --git a/community-mysql-tirpc.patch b/community-mysql-tirpc.patch new file mode 100644 index 0000000..1ddff40 --- /dev/null +++ b/community-mysql-tirpc.patch 
@@ -0,0 +1,88 @@ +diff --git a/rapid/plugin/group_replication/rpcgen.cmake b/rapid/plugin/group_replication/rpcgen.cmake +index b9c5895..f4569cd 100644 +--- a/rapid/plugin/group_replication/rpcgen.cmake ++++ b/rapid/plugin/group_replication/rpcgen.cmake +@@ -87,6 +87,12 @@ FOREACH(X xcom_vp) + ${XCOM_BASEDIR}/xcom_proto_enum.h + ${XCOM_BASEDIR}/xcom_limits.h) + ELSE() ++ FIND_PROGRAM(RPCGEN_EXECUTABLE rpcgen DOC "path to the rpcgen executable") ++ MARK_AS_ADVANCED(RPCGEN_EXECUTABLE) ++ IF(NOT RPCGEN_EXECUTABLE) ++ MESSAGE(FATAL_ERROR "Could not find rpcgen") ++ ENDIF() ++ + # on unix systems try to generate them if needed + ADD_CUSTOM_COMMAND(OUTPUT ${x_gen_h} ${x_gen_c} ${x_tmp_plat_h} + COMMAND ${CMAKE_COMMAND} -E copy_if_different +@@ -103,10 +109,10 @@ FOREACH(X xcom_vp) + + # generate the sources + COMMAND ${CMAKE_COMMAND} -E remove -f ${x_gen_h} +- COMMAND rpcgen -C -h -o ++ COMMAND ${RPCGEN_EXECUTABLE} -C -h -o + ${x_gen_h} ${x_tmp_x_canonical_name} + COMMAND ${CMAKE_COMMAND} -E remove -f ${x_gen_c} +- COMMAND rpcgen -C -c -o ++ COMMAND ${RPCGEN_EXECUTABLE} -C -c -o + ${x_gen_c} ${x_tmp_x_canonical_name} + WORKING_DIRECTORY ${gen_xdr_dir} + DEPENDS + +diff --git a/rapid/plugin/group_replication/CMakeLists.txt b/rapid/plugin/group_replication/CMakeLists.txt +index 5bcaa8b..bce9de4 100644 +--- a/rapid/plugin/group_replication/CMakeLists.txt ++++ b/rapid/plugin/group_replication/CMakeLists.txt +@@ -218,6 +218,7 @@ MYSQL_ADD_PLUGIN(group_replication + LINK_LIBRARIES + ${LZ4_LIBRARY} + ${SSL_LIBRARIES} ++ ${TIRPC_LIBRARY} + MODULE_ONLY MODULE_OUTPUT_NAME "group_replication") + + ### INSTALLATION ### +diff --git a/rapid/plugin/group_replication/libmysqlgcs/src/bindings/xcom/xcom/xcom_transport.c b/rapid/plugin/group_replication/libmysqlgcs/src/bindings/xcom/xcom/xcom_transport.c +index 245dda0..210e124 100644 +--- a/rapid/plugin/group_replication/libmysqlgcs/src/bindings/xcom/xcom/xcom_transport.c ++++ 
b/rapid/plugin/group_replication/libmysqlgcs/src/bindings/xcom/xcom/xcom_transport.c +@@ -417,7 +417,11 @@ x_putbytes (XDR *xdrs, const char *bp MY_ATTRIBUTE((unused)), u_int len) + + + static u_int ++#if defined(__APPLE__) || defined(__FreeBSD__) || defined(HAVE_TIRPC) ++x_getpostn(XDR *xdrs) ++#else + x_getpostn (const XDR *xdrs) ++#endif + { + #ifdef OLD_XDR + return (u_int)(xdrs->x_handy); +diff --git a/rapid/plugin/group_replication/rpcgen.cmake b/rapid/plugin/group_replication/rpcgen.cmake +index f4569cd..cccb1c3 100644 +--- a/rapid/plugin/group_replication/rpcgen.cmake ++++ b/rapid/plugin/group_replication/rpcgen.cmake +@@ -93,6 +93,24 @@ FOREACH(X xcom_vp) + MESSAGE(FATAL_ERROR "Could not find rpcgen") + ENDIF() + ++ # First look for tirpc, then the old Sun RPC ++ FIND_PATH(RPC_INCLUDE_DIR ++ NAMES rpc/rpc.h ++ HINTS /usr/include/tirpc ++ NO_DEFAULT_PATH ++ ) ++ FIND_PATH(RPC_INCLUDE_DIR NAMES rpc/rpc.h) ++ IF(NOT RPC_INCLUDE_DIR) ++ MESSAGE(FATAL_ERROR ++ "Could not find rpc/rpc.h in /usr/include or /usr/include/tirpc") ++ ENDIF() ++ MESSAGE(STATUS "RPC_INCLUDE_DIR ${RPC_INCLUDE_DIR}") ++ IF(RPC_INCLUDE_DIR STREQUAL "/usr/include/tirpc") ++ INCLUDE_DIRECTORIES(SYSTEM /usr/include/tirpc) ++ ADD_DEFINITIONS(-DHAVE_TIRPC) ++ SET(TIRPC_LIBRARY tirpc) ++ ENDIF() ++ + # on unix systems try to generate them if needed + ADD_CUSTOM_COMMAND(OUTPUT ${x_gen_h} ${x_gen_c} ${x_tmp_plat_h} + COMMAND ${CMAKE_COMMAND} -E copy_if_different diff --git a/community-mysql.spec b/community-mysql.spec index ec308b3..731536b 100644 --- a/community-mysql.spec +++ b/community-mysql.spec @@ -83,8 +83,8 @@ %global sameevr %{?epoch:%{epoch}:}%{version}-%{release} Name: community-mysql -Version: 5.7.20 -Release: 3%{?with_debug:.debug}%{?dist} +Version: 5.7.21 +Release: 1%{?with_debug:.debug}%{?dist} Summary: MySQL client programs and shared libraries URL: http://www.mysql.com 
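Review bot: `SET(TIRPC_LIBRARY tirpc)` in rpcgen.cmake hands the linker a bare library name once the tirpc headers are found, so a system with the headers but no libtirpc is only caught at link time. `FIND_LIBRARY(TIRPC_LIBRARY NAMES tirpc)` followed by a `FATAL_ERROR` when it is not found would fail at configure time, like the rpcgen and rpc/rpc.h checks added next to it. The variable is set in rpcgen.cmake but consumed by `${TIRPC_LIBRARY}` in CMakeLists.txt; that works only if rpcgen.cmake is included in the same scope before `MYSQL_ADD_PLUGIN`, which is not visible here. The `STREQUAL "/usr/include/tirpc"` test also ties detection to that exact path.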
@@ -127,6 +127,7 @@ Patch51: %{pkgnamepatch}-chain-certs.patch Patch52: %{pkgnamepatch}-sharedir.patch Patch70: %{pkgnamepatch}-5.7.9-major.patch Patch71: %{pkgnamepatch}-openssl11.patch +Patch72: %{pkgnamepatch}-tirpc.patch # Patches taken from boost 1.59 Patch115: boost-1.58.0-pool.patch @@ -151,6 +152,10 @@ BuildRequires: openssl-devel BuildRequires: perl-interpreter BuildRequires: perl-generators %endif +%if 0%{?fedora} > 27 || 0%{?rhel} > 7 +BuildRequires: rpcgen +BuildRequires: libtirpc-devel +%endif BuildRequires: systemtap-sdt-devel BuildRequires: zlib-devel BuildRequires: multilib-rpm-config @@ -409,6 +414,7 @@ by any other package than mysql-connector-odbc. %patch70 -p1 %endif %patch71 -p1 +%patch72 -p1 # Patch Boost pushd boost/boost_1_59_0 @@ -975,6 +981,14 @@ fi %endif %changelog +* Sun Jan 21 2018 Norvald H. Ryeng - 5.7.21-1 +- Update to MySQL 5.7.21, for various fixes described at + https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-21.html +- Add rpcgen to buildrep +- Add support for libtirpc +- Fix for various CVEs listed on + http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html + * Mon Jan 08 2018 Michal Schorm - 5.7.20-3 - Port for OpenSSL 1.1 Fix tests that expect some particular ciphers diff --git a/sources b/sources index adb2e3a..0a7bb27 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (mysql-boost-5.7.20.tar.gz) = 4b80e66ee634d965ea54e815b875150beb19c6bd172d94795d4874df51a93925af48d2cd41cdac5dff1f506ad363418793bcecffa35cd50ee6b8b0d389e54729 +SHA512 (mysql-boost-5.7.21.tar.gz) = 29a1bfa1f5d5e354b66ca8c9fdaf7ee88de3d57bee3c6368861b46ab6d992affb7604577c06f241df542b96ab088c055473fd76584376dd149956ae1dd8726f3 From 5cf21671c578b0136fe8ba7131b5f84a9cd53fab Mon Sep 17 00:00:00 2001 From: Michal Schorm Date: Tue, 30 Jan 2018 12:29:31 +0100 Subject: [PATCH 5/7] Fix ldconfig scriptlets --- community-mysql.spec | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) 
diff --git a/community-mysql.spec b/community-mysql.spec index 731536b..7fb41c7 100644 --- a/community-mysql.spec +++ b/community-mysql.spec @@ -716,11 +716,13 @@ popd -c "MySQL Server" -u 27 mysql >/dev/null 2>&1 || : %if %{with clibrary} -%post libs -p /sbin/ldconfig +# Can be dropped on F27 EOL +%ldconfig_post libs %endif %if %{with embedded} -%post embedded -p /sbin/ldconfig +# Can be dropped on F27 EOL +%ldconfig_post embedded %endif %post server @@ -749,11 +751,13 @@ fi %endif %if %{with clibrary} -%postun libs -p /sbin/ldconfig +# Can be dropped on F27 EOL +%ldconfig_postun libs %endif %if %{with embedded} -%postun embedded -p /sbin/ldconfig +# Can be dropped on F27 EOL +%ldconfig_postun embedded %endif %postun server From 74f555580084bc4425baa80726a9ff20e0ef2b09 Mon Sep 17 00:00:00 2001 From: Michal Schorm Date: Sat, 17 Feb 2018 14:05:48 +0100 Subject: [PATCH 6/7] Remove 'static' library subpackage. mysql-connector-odbc now supports dynamic linking again. --- community-mysql.spec | 22 ++++------------------ 1 file changed, 4 insertions(+), 18 deletions(-) diff --git a/community-mysql.spec b/community-mysql.spec index 7fb41c7..282686a 100644 --- a/community-mysql.spec +++ b/community-mysql.spec @@ -388,17 +388,6 @@ the MySQL sources. %endif -%package static -Summary: Static mysql client library -Suggests: %{name}-devel%{?_isa} = %{sameevr} - -%description static -MySQL is a multi-user, multi-threaded SQL database server. -This package contains the static client library "libmysqlclient.a", that is -required by mysql-connector-odbc package. This package should not be required -by any other package than mysql-connector-odbc. - - %prep %setup -q -n mysql-%{version} %patch1 -p1 
@@ -592,12 +581,9 @@ install -D -p -m 0644 scripts/server.cnf %{buildroot}%{_sysconfdir}/my.cnf.d/%{p mv %{buildroot}%{_datadir}/mysql-test/lib/My/SafeProcess/my_safe_process %{buildroot}%{_bindir} ln -s ../../../../../bin/my_safe_process %{buildroot}%{_datadir}/mysql-test/lib/My/SafeProcess/my_safe_process -# Do not pack those libraries -rm %{buildroot}%{_libdir}/mysql/libmysqld.a -rm %{buildroot}%{_libdir}/mysql/libmysqlservices.a - # not needed in rpm package rm %{buildroot}%{_bindir}/mysql_embedded +rm %{buildroot}%{_libdir}/mysql/*.a rm %{buildroot}%{_datadir}/%{pkg_name}/magic rm %{buildroot}%{_datadir}/%{pkg_name}/mysql.server rm %{buildroot}%{_datadir}/%{pkg_name}/mysqld_multi.server @@ -805,9 +791,6 @@ fi %config(noreplace) %{_sysconfdir}/ld.so.conf.d/* %endif -%files static -%{_libdir}/mysql/libmysqlclient.a - %if %{with config} %files config # although the default my.cnf contains only server settings, we put it in the @@ -985,6 +968,9 @@ fi %endif %changelog +* Sat Feb 17 2018 Michal Schorm - 5.7.21-1 +- Removed 'static' library subpackage + * Sun Jan 21 2018 Norvald H. Ryeng - 5.7.21-1 - Update to MySQL 5.7.21, for various fixes described at https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-21.html From 2328bf1b187574ee29fc86937d93e09a57283e99 Mon Sep 17 00:00:00 2001 From: Michal Schorm Date: Mon, 19 Feb 2018 02:54:01 +0100 Subject: [PATCH 7/7] Move my_print_defaults binary to the server package to resolve conflict with mariadb --- community-mysql.spec | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/community-mysql.spec b/community-mysql.spec index 282686a..a826bc6 100644 --- a/community-mysql.spec +++ b/community-mysql.spec @@ -84,7 +84,7 @@ Name: community-mysql Version: 5.7.21 -Release: 1%{?with_debug:.debug}%{?dist} +Release: 3%{?with_debug:.debug}%{?dist} Summary: MySQL client programs and shared libraries URL: http://www.mysql.com 
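Review bot: `rm %{buildroot}%{_libdir}/mysql/*.a` replaces two named removals with a glob, so the spec no longer says which static archives the build is expected to produce, and any archive added upstream later is dropped silently. A comment above the line would keep that record, for example `# drop all static archives (libmysqld.a, libmysqlservices.a, libmysqlclient.a); none are packaged`. Keeping the three explicit `rm` lines is the alternative if a missing or new archive should fail the build.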
@@ -769,7 +769,6 @@ fi %{_bindir}/mysqlpump %{_bindir}/mysqlshow %{_bindir}/mysqlslap -%{_bindir}/my_print_defaults %{_mandir}/man1/mysql.1* %{_mandir}/man1/mysql_config_editor.1* @@ -782,7 +781,6 @@ fi %{_mandir}/man1/mysqlpump.1* %{_mandir}/man1/mysqlshow.1* %{_mandir}/man1/mysqlslap.1* -%{_mandir}/man1/my_print_defaults.1* %endif %if %{with clibrary} @@ -842,6 +840,7 @@ fi %{_bindir}/myisam_ftdump %{_bindir}/myisamlog %{_bindir}/myisampack +%{_bindir}/my_print_defaults %{_bindir}/mysql_install_db %{_bindir}/mysql_secure_installation %{_bindir}/mysql_ssl_rsa_setup @@ -879,6 +878,7 @@ fi %{_mandir}/man1/myisampack.1* %{_mandir}/man1/myisam_ftdump.1* %{_mandir}/man1/mysql.server.1* +%{_mandir}/man1/my_print_defaults.1* %{_mandir}/man1/mysql_install_db.1* %{_mandir}/man1/mysql_secure_installation.1* %{_mandir}/man1/mysql_ssl_rsa_setup.1* @@ -968,6 +968,9 @@ fi %endif %changelog +* Mon Feb 19 2018 Michal Schorm - 5.7.21-3 +- Move my_print_defaults binary to the server package to resolve conflict with mariadb + * Sat Feb 17 2018 Michal Schorm - 5.7.21-1 - Removed 'static' library subpackage
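Review bot: `%{_bindir}/my_print_defaults` and its man page move from the client `%files` list to the server one, but these hunks add nothing that tells rpm about the ownership change. The server subpackage only `Suggests` a client of the same version, so a 5.7.21-3 server installed next to an older client would presumably hit a file conflict on both paths. The usual remedy is a versioned conflict on the server subpackage, `Conflicts: %{name} < 5.7.21-3`, unless an existing dependency outside these hunks already forces both to update together.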