MFH: r528272

This fix a Problem, when MySQL build with libressl

/var/ports/usr/ports/databases/mysql56-client/work/mysql-5.6.47/vio/viosslfactories.c:230:25: error: use of undeclared identifier 'SSL_OP_NO_TLSv1_3'
                        SSL_OP_NO_TLSv1_3 |
                        ^
/var/ports/usr/ports/databases/mysql56-client/work/mysql-5.6.47/vio/viosslfactories.c:275:12: warning: implicit declaration of function 'SSL_CTX_set_ciphersuites' is invalid in C99 [-Wimplicit-function-declaration]
  if (0 == SSL_CTX_set_ciphersuites(ssl_fd->ssl_context, ""))

Special thanks for his help to: fluffy

PR:		244320
Sponsored by:	Netzkommune GmbH

Approved by:	ports-secteam (joneum)

16 files changed, 426 insertions, 6 deletions

diff --git a/databases/mysql56-client/Makefile b/databases/mysql56-client/Makefile
index 2709982aa04f..b5a513930866 100644
--- a/databases/mysql56-client/Makefile
+++ b/databases/mysql56-client/Makefile
@@ -2,7 +2,7 @@
 # $FreeBSD$
 
 PORTNAME=	mysql
-PORTREVISION=	0
+PORTREVISION=	1
 PKGNAMESUFFIX=	56-client
 
 COMMENT=	Multithreaded SQL database (client)
diff --git a/databases/mysql56-client/files/patch-cmake_ssl.cmake b/databases/mysql56-client/files/patch-cmake_ssl.cmake
index faeed4517c4e..c2b31170ba4c 100644
--- a/databases/mysql56-client/files/patch-cmake_ssl.cmake
+++ b/databases/mysql56-client/files/patch-cmake_ssl.cmake
@@ -1,11 +1,25 @@
---- cmake/ssl.cmake.orig	2016-11-28 13:36:22 UTC
+--- cmake/ssl.cmake.orig	2019-11-26 16:53:45 UTC
 +++ cmake/ssl.cmake
-@@ -176,7 +176,7 @@ MACRO (MYSQL_CHECK_SSL)
+@@ -189,13 +189,20 @@ MACRO (MYSQL_CHECK_SSL)
+         OPENSSL_FIX_VERSION "${OPENSSL_VERSION_NUMBER}"
+         )
+     ENDIF()
+-    IF("${OPENSSL_MAJOR_VERSION}.${OPENSSL_MINOR_VERSION}.${OPENSSL_FIX_VERSION}" VERSION_GREATER "1.1.0")
++    CHECK_SYMBOL_EXISTS(TLS1_3_VERSION "openssl/tls1.h" HAVE_TLS1_3_VERSION)
++    IF(HAVE_TLS1_3_VERSION)
+        ADD_DEFINITIONS(-DHAVE_TLSv13)
+     ENDIF()
      IF(OPENSSL_INCLUDE_DIR AND
         OPENSSL_LIBRARY   AND
         CRYPTO_LIBRARY      AND
 -       OPENSSL_MAJOR_VERSION STREQUAL "1"
 +       OPENSSL_MAJOR_VERSION VERSION_GREATER_EQUAL "1"
++      )
++      SET(OPENSSL_FOUND TRUE)
++    ELSEIF(OPENSSL_INCLUDE_DIR AND
++       OPENSSL_LIBRARY   AND
++       CRYPTO_LIBRARY      AND
++       OPENSSL_MAJOR_VERSION STREQUAL "2"
        )
        SET(OPENSSL_FOUND TRUE)
      ELSE()
diff --git a/databases/mysql56-client/files/patch-mysys__ssl_my__aes__openssl.cc b/databases/mysql56-client/files/patch-mysys__ssl_my__aes__openssl.cc
new file mode 100644
index 000000000000..0d1dea6cf6cb
--- /dev/null
+++ b/databases/mysql56-client/files/patch-mysys__ssl_my__aes__openssl.cc
@@ -0,0 +1,74 @@
+--- mysys_ssl/my_aes_openssl.cc.orig	2019-11-26 16:53:45 UTC
++++ mysys_ssl/my_aes_openssl.cc
+@@ -120,7 +120,7 @@ int my_aes_encrypt(const unsigned char *source, uint32
+                    const unsigned char *key, uint32 key_length,
+                    enum my_aes_opmode mode, const unsigned char *iv)
+ {
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+   EVP_CIPHER_CTX stack_ctx;
+   EVP_CIPHER_CTX *ctx= &stack_ctx;
+ #else /* OPENSSL_VERSION_NUMBER < 0x10100000L */
+@@ -135,7 +135,7 @@ int my_aes_encrypt(const unsigned char *source, uint32
+   if (!ctx || !cipher || (EVP_CIPHER_iv_length(cipher) > 0 && !iv))
+     return MY_AES_BAD_DATA;
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+   EVP_CIPHER_CTX_init(ctx);
+ #endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
+ 
+@@ -148,7 +148,7 @@ int my_aes_encrypt(const unsigned char *source, uint32
+   if (!EVP_EncryptFinal(ctx, dest + u_len, &f_len))
+     goto aes_error;                             /* Error */
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+   EVP_CIPHER_CTX_cleanup(ctx);
+ #else /* OPENSSL_VERSION_NUMBER < 0x10100000L */
+   EVP_CIPHER_CTX_free(ctx);
+@@ -158,7 +158,7 @@ int my_aes_encrypt(const unsigned char *source, uint32
+ aes_error:
+   /* need to explicitly clean up the error if we want to ignore it */
+   ERR_clear_error();
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+   EVP_CIPHER_CTX_cleanup(ctx);
+ #else /* OPENSSL_VERSION_NUMBER < 0x10100000L */
+   EVP_CIPHER_CTX_free(ctx);
+@@ -172,7 +172,7 @@ int my_aes_decrypt(const unsigned char *source, uint32
+                    const unsigned char *key, uint32 key_length,
+                    enum my_aes_opmode mode, const unsigned char *iv)
+ {
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+   EVP_CIPHER_CTX stack_ctx;
+   EVP_CIPHER_CTX *ctx= &stack_ctx;
+ #else /* OPENSSL_VERSION_NUMBER < 0x10100000L */
+@@ -188,7 +188,7 @@ int my_aes_decrypt(const unsigned char *source, uint32
+   if (!ctx || !cipher || (EVP_CIPHER_iv_length(cipher) > 0 && !iv))
+     return MY_AES_BAD_DATA;
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+   EVP_CIPHER_CTX_init(ctx);
+ #endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
+ 
+@@ -201,7 +201,7 @@ int my_aes_decrypt(const unsigned char *source, uint32
+   if (!EVP_DecryptFinal_ex(ctx, dest + u_len, &f_len))
+     goto aes_error;                             /* Error */
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+   EVP_CIPHER_CTX_cleanup(ctx);
+ #else /* OPENSSL_VERSION_NUMBER < 0x10100000L */
+   EVP_CIPHER_CTX_free(ctx);
+@@ -211,7 +211,7 @@ int my_aes_decrypt(const unsigned char *source, uint32
+ aes_error:
+   /* need to explicitly clean up the error if we want to ignore it */
+   ERR_clear_error();
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+   EVP_CIPHER_CTX_cleanup(ctx);
+ #else /* OPENSSL_VERSION_NUMBER < 0x10100000L */
+   EVP_CIPHER_CTX_free(ctx);
diff --git a/databases/mysql56-client/files/patch-sql-common_client.c b/databases/mysql56-client/files/patch-sql-common_client.c
new file mode 100644
index 000000000000..cfc168b75a53
--- /dev/null
+++ b/databases/mysql56-client/files/patch-sql-common_client.c
@@ -0,0 +1,15 @@
+--- sql-common/client.c.orig	2019-11-26 16:53:45 UTC
++++ sql-common/client.c
+@@ -1980,7 +1980,11 @@ static int ssl_verify_server_cert(Vio *vio, const char
+     goto error;
+   }
+ 
+-  cn= (char *) ASN1_STRING_data(cn_asn1);
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
++  cn= (const char *) ASN1_STRING_data(cn_asn1);
++#else
++  cn= (const char *) ASN1_STRING_get0_data(cn_asn1);
++#endif
+ 
+   // There should not be any NULL embedded in the CN
+   if ((size_t)ASN1_STRING_length(cn_asn1) != strlen(cn))
diff --git a/databases/mysql56-client/files/patch-sql_mysqld.cc b/databases/mysql56-client/files/patch-sql_mysqld.cc
new file mode 100644
index 000000000000..debee80ea2ce
--- /dev/null
+++ b/databases/mysql56-client/files/patch-sql_mysqld.cc
@@ -0,0 +1,65 @@
+--- sql/mysqld.cc.orig	2019-11-26 16:53:45 UTC
++++ sql/mysqld.cc
+@@ -1258,7 +1258,7 @@ char *opt_ssl_ca= NULL, *opt_ssl_capath= NULL, *opt_ss
+      *opt_ssl_crlpath= NULL;
+ 
+ #ifdef HAVE_OPENSSL
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ #include <openssl/crypto.h>
+ typedef struct CRYPTO_dynlock_value
+ {
+@@ -2029,7 +2029,7 @@ static void clean_up_mutexes()
+   mysql_mutex_destroy(&LOCK_connection_count);
+ #ifdef HAVE_OPENSSL
+   mysql_mutex_destroy(&LOCK_des_key_file);
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+   for (int i= 0; i < CRYPTO_num_locks(); ++i)
+     mysql_rwlock_destroy(&openssl_stdlocks[i].lock);
+   OPENSSL_free(openssl_stdlocks);
+@@ -2768,7 +2768,7 @@ bool one_thread_per_connection_end(THD *thd, bool bloc
+ 
+   // Clean up errors now, before possibly waiting for a new connection.
+ #ifndef EMBEDDED_LIBRARY
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+   ERR_remove_thread_state(0);
+ #endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
+ #endif
+@@ -4252,7 +4252,7 @@ static int init_thread_environment()
+ #ifdef HAVE_OPENSSL
+   mysql_mutex_init(key_LOCK_des_key_file,
+                    &LOCK_des_key_file, MY_MUTEX_INIT_FAST);
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+   openssl_stdlocks= (openssl_lock_t*) OPENSSL_malloc(CRYPTO_num_locks() *
+                                                      sizeof(openssl_lock_t));
+   for (int i= 0; i < CRYPTO_num_locks(); ++i)
+@@ -4301,7 +4301,7 @@ static int init_thread_environment()
+   OpenSSL 1.1 supports native platform threads,
+   so we don't need the following callback functions.
+ */
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ 
+ static unsigned long openssl_id_function()
+ {
+@@ -4375,7 +4375,7 @@ static void openssl_lock(int mode, openssl_lock_t *loc
+ static int init_ssl()
+ {
+ #ifdef HAVE_OPENSSL
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+   CRYPTO_malloc_init();
+ #else /* OPENSSL_VERSION_NUMBER < 0x10100000L */
+   OPENSSL_malloc_init();
+@@ -4392,7 +4392,7 @@ static int init_ssl()
+ 					  opt_ssl_cipher, &error,
+                                           opt_ssl_crl, opt_ssl_crlpath);
+     DBUG_PRINT("info",("ssl_acceptor_fd: 0x%lx", (long) ssl_acceptor_fd));
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+     ERR_remove_thread_state(0);
+ #endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
+     if (!ssl_acceptor_fd)
diff --git a/databases/mysql56-client/files/patch-vio_vio.c b/databases/mysql56-client/files/patch-vio_vio.c
new file mode 100644
index 000000000000..042c4d65e8f2
--- /dev/null
+++ b/databases/mysql56-client/files/patch-vio_vio.c
@@ -0,0 +1,11 @@
+--- vio/vio.c.orig	2019-11-26 16:53:45 UTC
++++ vio/vio.c
+@@ -394,7 +394,7 @@ void vio_end(void)
+ {
+ #if defined(HAVE_OPENSSL)
+   // This one is needed on the client side
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+   ERR_remove_thread_state(0);
+ #endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
+   ERR_free_strings();
diff --git a/databases/mysql56-client/files/patch-vio_viossl.c b/databases/mysql56-client/files/patch-vio_viossl.c
new file mode 100644
index 000000000000..3180abbd7f0f
--- /dev/null
+++ b/databases/mysql56-client/files/patch-vio_viossl.c
@@ -0,0 +1,11 @@
+--- vio/viossl.c.orig	2019-11-26 16:53:45 UTC
++++ vio/viossl.c
+@@ -403,7 +403,7 @@ static int ssl_do(struct st_VioSSLFd *ptr, Vio *vio,
+       for (j = 0; j < n; j++)
+       {
+         SSL_COMP *c = sk_SSL_COMP_value(ssl_comp_methods, j);
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+         DBUG_PRINT("info", ("  %d: %s\n", c->id, c->name));
+ #else /* OPENSSL_VERSION_NUMBER < 0x10100000L */
+         DBUG_PRINT("info", ("  %d: %s\n", SSL_COMP_get_id(c), SSL_COMP_get0_name(c)));
diff --git a/databases/mysql56-client/files/patch-vio_viosslfactories.c b/databases/mysql56-client/files/patch-vio_viosslfactories.c
new file mode 100644
index 000000000000..d6a164910a0d
--- /dev/null
+++ b/databases/mysql56-client/files/patch-vio_viosslfactories.c
@@ -0,0 +1,20 @@
+--- vio/viosslfactories.c.orig	2019-11-26 16:53:45 UTC
++++ vio/viosslfactories.c
+@@ -91,7 +91,7 @@ static DH *get_dh2048(void)
+       DH_free(dh);
+       return NULL;
+     }
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+     dh->p= p;
+     dh->g= g;
+ #endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
+@@ -250,7 +250,7 @@ new_VioSSLFd(const char *key_file, const char *cert_fi
+     DBUG_RETURN(0);
+ 
+   if (!(ssl_fd->ssl_context= SSL_CTX_new(is_client ?
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+                                          SSLv23_client_method() :
+                                          SSLv23_server_method()
+ #else /* OPENSSL_VERSION_NUMBER < 0x10100000L */
diff --git a/databases/mysql56-server/Makefile b/databases/mysql56-server/Makefile
index a40b8357390a..fe5cd07dba1e 100644
--- a/databases/mysql56-server/Makefile
+++ b/databases/mysql56-server/Makefile
@@ -3,7 +3,7 @@
 
 PORTNAME?=	mysql
 PORTVERSION=	5.6.47
-PORTREVISION?=	0
+PORTREVISION?=	1
 CATEGORIES=	databases
 MASTER_SITES=	MYSQL/MySQL-5.6
 PKGNAMESUFFIX?=	56-server
diff --git a/databases/mysql56-server/files/patch-cmake_ssl.cmake b/databases/mysql56-server/files/patch-cmake_ssl.cmake
index faeed4517c4e..c2b31170ba4c 100644
--- a/databases/mysql56-server/files/patch-cmake_ssl.cmake
+++ b/databases/mysql56-server/files/patch-cmake_ssl.cmake
@@ -1,11 +1,25 @@
---- cmake/ssl.cmake.orig	2016-11-28 13:36:22 UTC
+--- cmake/ssl.cmake.orig	2019-11-26 16:53:45 UTC
 +++ cmake/ssl.cmake
-@@ -176,7 +176,7 @@ MACRO (MYSQL_CHECK_SSL)
+@@ -189,13 +189,20 @@ MACRO (MYSQL_CHECK_SSL)
+         OPENSSL_FIX_VERSION "${OPENSSL_VERSION_NUMBER}"
+         )
+     ENDIF()
+-    IF("${OPENSSL_MAJOR_VERSION}.${OPENSSL_MINOR_VERSION}.${OPENSSL_FIX_VERSION}" VERSION_GREATER "1.1.0")
++    CHECK_SYMBOL_EXISTS(TLS1_3_VERSION "openssl/tls1.h" HAVE_TLS1_3_VERSION)
++    IF(HAVE_TLS1_3_VERSION)
+        ADD_DEFINITIONS(-DHAVE_TLSv13)
+     ENDIF()
      IF(OPENSSL_INCLUDE_DIR AND
         OPENSSL_LIBRARY   AND
         CRYPTO_LIBRARY      AND
 -       OPENSSL_MAJOR_VERSION STREQUAL "1"
 +       OPENSSL_MAJOR_VERSION VERSION_GREATER_EQUAL "1"
++      )
++      SET(OPENSSL_FOUND TRUE)
++    ELSEIF(OPENSSL_INCLUDE_DIR AND
++       OPENSSL_LIBRARY   AND
++       CRYPTO_LIBRARY      AND
++       OPENSSL_MAJOR_VERSION STREQUAL "2"
        )
        SET(OPENSSL_FOUND TRUE)
      ELSE()
diff --git a/databases/mysql56-server/files/patch-mysys__ssl_my__aes__openssl.cc b/databases/mysql56-server/files/patch-mysys__ssl_my__aes__openssl.cc
new file mode 100644
index 000000000000..0d1dea6cf6cb
--- /dev/null
+++ b/databases/mysql56-server/files/patch-mysys__ssl_my__aes__openssl.cc
@@ -0,0 +1,74 @@
+--- mysys_ssl/my_aes_openssl.cc.orig	2019-11-26 16:53:45 UTC
++++ mysys_ssl/my_aes_openssl.cc
+@@ -120,7 +120,7 @@ int my_aes_encrypt(const unsigned char *source, uint32
+                    const unsigned char *key, uint32 key_length,
+                    enum my_aes_opmode mode, const unsigned char *iv)
+ {
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+   EVP_CIPHER_CTX stack_ctx;
+   EVP_CIPHER_CTX *ctx= &stack_ctx;
+ #else /* OPENSSL_VERSION_NUMBER < 0x10100000L */
+@@ -135,7 +135,7 @@ int my_aes_encrypt(const unsigned char *source, uint32
+   if (!ctx || !cipher || (EVP_CIPHER_iv_length(cipher) > 0 && !iv))
+     return MY_AES_BAD_DATA;
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+   EVP_CIPHER_CTX_init(ctx);
+ #endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
+ 
+@@ -148,7 +148,7 @@ int my_aes_encrypt(const unsigned char *source, uint32
+   if (!EVP_EncryptFinal(ctx, dest + u_len, &f_len))
+     goto aes_error;                             /* Error */
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+   EVP_CIPHER_CTX_cleanup(ctx);
+ #else /* OPENSSL_VERSION_NUMBER < 0x10100000L */
+   EVP_CIPHER_CTX_free(ctx);
+@@ -158,7 +158,7 @@ int my_aes_encrypt(const unsigned char *source, uint32
+ aes_error:
+   /* need to explicitly clean up the error if we want to ignore it */
+   ERR_clear_error();
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+   EVP_CIPHER_CTX_cleanup(ctx);
+ #else /* OPENSSL_VERSION_NUMBER < 0x10100000L */
+   EVP_CIPHER_CTX_free(ctx);
+@@ -172,7 +172,7 @@ int my_aes_decrypt(const unsigned char *source, uint32
+                    const unsigned char *key, uint32 key_length,
+                    enum my_aes_opmode mode, const unsigned char *iv)
+ {
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+   EVP_CIPHER_CTX stack_ctx;
+   EVP_CIPHER_CTX *ctx= &stack_ctx;
+ #else /* OPENSSL_VERSION_NUMBER < 0x10100000L */
+@@ -188,7 +188,7 @@ int my_aes_decrypt(const unsigned char *source, uint32
+   if (!ctx || !cipher || (EVP_CIPHER_iv_length(cipher) > 0 && !iv))
+     return MY_AES_BAD_DATA;
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+   EVP_CIPHER_CTX_init(ctx);
+ #endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
+ 
+@@ -201,7 +201,7 @@ int my_aes_decrypt(const unsigned char *source, uint32
+   if (!EVP_DecryptFinal_ex(ctx, dest + u_len, &f_len))
+     goto aes_error;                             /* Error */
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+   EVP_CIPHER_CTX_cleanup(ctx);
+ #else /* OPENSSL_VERSION_NUMBER < 0x10100000L */
+   EVP_CIPHER_CTX_free(ctx);
+@@ -211,7 +211,7 @@ int my_aes_decrypt(const unsigned char *source, uint32
+ aes_error:
+   /* need to explicitly clean up the error if we want to ignore it */
+   ERR_clear_error();
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+   EVP_CIPHER_CTX_cleanup(ctx);
+ #else /* OPENSSL_VERSION_NUMBER < 0x10100000L */
+   EVP_CIPHER_CTX_free(ctx);
diff --git a/databases/mysql56-server/files/patch-sql-common_client.c b/databases/mysql56-server/files/patch-sql-common_client.c
new file mode 100644
index 000000000000..cfc168b75a53
--- /dev/null
+++ b/databases/mysql56-server/files/patch-sql-common_client.c
@@ -0,0 +1,15 @@
+--- sql-common/client.c.orig	2019-11-26 16:53:45 UTC
++++ sql-common/client.c
+@@ -1980,7 +1980,11 @@ static int ssl_verify_server_cert(Vio *vio, const char
+     goto error;
+   }
+ 
+-  cn= (char *) ASN1_STRING_data(cn_asn1);
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
++  cn= (const char *) ASN1_STRING_data(cn_asn1);
++#else
++  cn= (const char *) ASN1_STRING_get0_data(cn_asn1);
++#endif
+ 
+   // There should not be any NULL embedded in the CN
+   if ((size_t)ASN1_STRING_length(cn_asn1) != strlen(cn))
diff --git a/databases/mysql56-server/files/patch-sql_mysqld.cc b/databases/mysql56-server/files/patch-sql_mysqld.cc
new file mode 100644
index 000000000000..debee80ea2ce
--- /dev/null
+++ b/databases/mysql56-server/files/patch-sql_mysqld.cc
@@ -0,0 +1,65 @@
+--- sql/mysqld.cc.orig	2019-11-26 16:53:45 UTC
++++ sql/mysqld.cc
+@@ -1258,7 +1258,7 @@ char *opt_ssl_ca= NULL, *opt_ssl_capath= NULL, *opt_ss
+      *opt_ssl_crlpath= NULL;
+ 
+ #ifdef HAVE_OPENSSL
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ #include <openssl/crypto.h>
+ typedef struct CRYPTO_dynlock_value
+ {
+@@ -2029,7 +2029,7 @@ static void clean_up_mutexes()
+   mysql_mutex_destroy(&LOCK_connection_count);
+ #ifdef HAVE_OPENSSL
+   mysql_mutex_destroy(&LOCK_des_key_file);
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+   for (int i= 0; i < CRYPTO_num_locks(); ++i)
+     mysql_rwlock_destroy(&openssl_stdlocks[i].lock);
+   OPENSSL_free(openssl_stdlocks);
+@@ -2768,7 +2768,7 @@ bool one_thread_per_connection_end(THD *thd, bool bloc
+ 
+   // Clean up errors now, before possibly waiting for a new connection.
+ #ifndef EMBEDDED_LIBRARY
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+   ERR_remove_thread_state(0);
+ #endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
+ #endif
+@@ -4252,7 +4252,7 @@ static int init_thread_environment()
+ #ifdef HAVE_OPENSSL
+   mysql_mutex_init(key_LOCK_des_key_file,
+                    &LOCK_des_key_file, MY_MUTEX_INIT_FAST);
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+   openssl_stdlocks= (openssl_lock_t*) OPENSSL_malloc(CRYPTO_num_locks() *
+                                                      sizeof(openssl_lock_t));
+   for (int i= 0; i < CRYPTO_num_locks(); ++i)
+@@ -4301,7 +4301,7 @@ static int init_thread_environment()
+   OpenSSL 1.1 supports native platform threads,
+   so we don't need the following callback functions.
+ */
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ 
+ static unsigned long openssl_id_function()
+ {
+@@ -4375,7 +4375,7 @@ static void openssl_lock(int mode, openssl_lock_t *loc
+ static int init_ssl()
+ {
+ #ifdef HAVE_OPENSSL
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+   CRYPTO_malloc_init();
+ #else /* OPENSSL_VERSION_NUMBER < 0x10100000L */
+   OPENSSL_malloc_init();
+@@ -4392,7 +4392,7 @@ static int init_ssl()
+ 					  opt_ssl_cipher, &error,
+                                           opt_ssl_crl, opt_ssl_crlpath);
+     DBUG_PRINT("info",("ssl_acceptor_fd: 0x%lx", (long) ssl_acceptor_fd));
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+     ERR_remove_thread_state(0);
+ #endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
+     if (!ssl_acceptor_fd)
diff --git a/databases/mysql56-server/files/patch-vio_vio.c b/databases/mysql56-server/files/patch-vio_vio.c
new file mode 100644
index 000000000000..042c4d65e8f2
--- /dev/null
+++ b/databases/mysql56-server/files/patch-vio_vio.c
@@ -0,0 +1,11 @@
+--- vio/vio.c.orig	2019-11-26 16:53:45 UTC
++++ vio/vio.c
+@@ -394,7 +394,7 @@ void vio_end(void)
+ {
+ #if defined(HAVE_OPENSSL)
+   // This one is needed on the client side
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+   ERR_remove_thread_state(0);
+ #endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
+   ERR_free_strings();
diff --git a/databases/mysql56-server/files/patch-vio_viossl.c b/databases/mysql56-server/files/patch-vio_viossl.c
new file mode 100644
index 000000000000..3180abbd7f0f
--- /dev/null
+++ b/databases/mysql56-server/files/patch-vio_viossl.c
@@ -0,0 +1,11 @@
+--- vio/viossl.c.orig	2019-11-26 16:53:45 UTC
++++ vio/viossl.c
+@@ -403,7 +403,7 @@ static int ssl_do(struct st_VioSSLFd *ptr, Vio *vio,
+       for (j = 0; j < n; j++)
+       {
+         SSL_COMP *c = sk_SSL_COMP_value(ssl_comp_methods, j);
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+         DBUG_PRINT("info", ("  %d: %s\n", c->id, c->name));
+ #else /* OPENSSL_VERSION_NUMBER < 0x10100000L */
+         DBUG_PRINT("info", ("  %d: %s\n", SSL_COMP_get_id(c), SSL_COMP_get0_name(c)));
diff --git a/databases/mysql56-server/files/patch-vio_viosslfactories.c b/databases/mysql56-server/files/patch-vio_viosslfactories.c
new file mode 100644
index 000000000000..d6a164910a0d
--- /dev/null
+++ b/databases/mysql56-server/files/patch-vio_viosslfactories.c
@@ -0,0 +1,20 @@
+--- vio/viosslfactories.c.orig	2019-11-26 16:53:45 UTC
++++ vio/viosslfactories.c
+@@ -91,7 +91,7 @@ static DH *get_dh2048(void)
+       DH_free(dh);
+       return NULL;
+     }
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+     dh->p= p;
+     dh->g= g;
+ #endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
+@@ -250,7 +250,7 @@ new_VioSSLFd(const char *key_file, const char *cert_fi
+     DBUG_RETURN(0);
+ 
+   if (!(ssl_fd->ssl_context= SSL_CTX_new(is_client ?
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+                                          SSLv23_client_method() :
+                                          SSLv23_server_method()
+ #else /* OPENSSL_VERSION_NUMBER < 0x10100000L */