Switch to newer TLS and disable old SSL.
1 --- mysql-5.0.96/vio/viosslfactories.c~ 2019-09-17 11:52:59.000000000 +0200
2 +++ mysql-5.0.96/vio/viosslfactories.c  2019-09-17 12:14:48.223177024 +0200
3 @@ -48,12 +48,18 @@
4    DH *dh;
5    if ((dh=DH_new()))
6    {
7 -    dh->p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL);
8 -    dh->g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL);
9 +    BIGNUM* p= BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL);
10 +    BIGNUM* g= BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL);
11 +#if OPENSSL_VERSION_NUMBER < 0x10100000L
12 +    dh->p= p;
13 +    dh->g= g;
14      if (! dh->p || ! dh->g)
15 +#else
16 +      if (!DH_set0_pqg(dh, p, NULL, g))
17 +#endif
18      {
19        DH_free(dh);
20 -      dh=0;
21 +      dh=NULL;
22      }
23    }
24    return(dh);
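Review bot: In the `#else` branch a failed `DH_set0_pqg()` does not take ownership of `p` and `g`, so when only one of the two `BN_bin2bn()` calls fails the other BIGNUM is leaked; `DH_free(dh)` releases only what the DH object already owns. The pre-1.1.0 branch is not affected because both pointers are stored in `dh` before the check. For the 1.1.0+ build, free them on the failure path with `BN_free(p); BN_free(g);` before `DH_free(dh);`, under the same version guard (`BN_free(NULL)` is a no-op). The added `if (!DH_set0_pqg(...))` line is also indented two columns deeper than the `if` it stands in for. The enclosing function starts above the hunk.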
25 commit fe4c4ab914d82af1a1cb2e1bca78c8dcfbc57d4d
26 Author: Harin Vadodaria <harin.vadodaria@oracle.com>
27 Date:   Fri Jan 2 10:18:04 2015 +0530
28
29     Bug#19820550 : DISABLE SSL 3.0 SUPPORT IN OPENSSL
30     
31     Explicitly disable weaker SSL protocols.
32
33 diff --git a/vio/viosslfactories.c b/vio/viosslfactories.c
34 index cd6a6d68cb4..7e475683f9a 100644
35 --- a/vio/viosslfactories.c
36 +++ b/vio/viosslfactories.c
37 @@ -173,6 +173,7 @@ new_VioSSLFd(const char *key_file, const char *cert_file,
38  {
39    DH *dh;
40    struct st_VioSSLFd *ssl_fd;
41 +  long ssl_ctx_options= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
42    DBUG_ENTER("new_VioSSLFd");
43  
44    check_ssl_init();
45 @@ -200,6 +201,8 @@ new_VioSSLFd(const char *key_file, const char *cert_file,
46      DBUG_RETURN(0);
47    }
48  
49 +  SSL_CTX_set_options(ssl_fd->ssl_context, ssl_ctx_options);
50 +
51    /*
52      Set the ciphers that can be used
53      NOTE: SSL_CTX_set_cipher_list will return 0 if
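Review bot: The mask passed to `SSL_CTX_set_options()` here excludes only SSLv2 and SSLv3 (it is defined in the previous hunk as `SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3`), so once the later hunks switch to the version-flexible `TLS_*_method()` calls, the lowest protocol version that can be negotiated is left to the OpenSSL build and system configuration. If TLS 1.0/1.1 peers do not have to be supported, set the floor explicitly, for example `SSL_CTX_set_min_proto_version(ssl_fd->ssl_context, TLS1_2_VERSION);` on OpenSSL 1.1.0+, or add `SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1` to the mask. A one-line comment above the call naming the versions that are intentionally allowed would make the policy easy to audit. `new_VioSSLFd` continues past the end of the hunk.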
54 --- mysql-5.0.96/vio/viosslfactories.c~ 2022-10-18 09:53:29.000000000 +0200
55 +++ mysql-5.0.96/vio/viosslfactories.c  2022-10-18 10:39:06.402730218 +0200
56 @@ -338,7 +338,7 @@
57      verify= SSL_VERIFY_NONE;
58  
59    if (!(ssl_fd= new_VioSSLFd(key_file, cert_file, ca_file,
60 -                             ca_path, cipher, TLSv1_client_method(), &dummy)))
61 +                             ca_path, cipher, TLS_client_method(), &dummy)))
62    {
63      return 0;
64    }
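Review bot: `TLS_client_method()` is only available from OpenSSL 1.1.0, yet the DH hunk at the top of this patch still carries an `#if OPENSSL_VERSION_NUMBER < 0x10100000L` branch, so a build against an older library would compile there and fail here. Either drop pre-1.1.0 support throughout, or guard this call the same way and use `SSLv23_client_method()` in the old branch. The `TLS_server_method()` change in the next hunk needs the same treatment. The enclosing function starts and ends outside the hunk.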
65 @@ -360,7 +360,7 @@
66    struct st_VioSSLFd *ssl_fd;
67    int verify= SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE;
68    if (!(ssl_fd= new_VioSSLFd(key_file, cert_file, ca_file,
69 -                             ca_path, cipher, TLSv1_server_method(), error)))
70 +                             ca_path, cipher, TLS_server_method(), error)))
71    {
72      return 0;
73    }
This page took 0.055082 seconds and 3 git commands to generate.