!84 Update to version 10.5.22

From: @fundawang Reviewed-by: @dillon_chen Signed-off-by: @dillon_chen
2023-08-21 06:08:23 +00:00 · 2023-08-21 06:08:23 +00:00 · 0e9ab85fbd
commit 0e9ab85fbd
parent 1f15420d78 211afe19f0
5 changed files with 16 additions and 450 deletions
--- a/mariadb-10.5.22.tar.gz
+++ b/mariadb-10.5.22.tar.gz
--- a/mariadb-fips.patch
+++ b/mariadb-fips.patch
@ -1,28 +0,0 @@
 Fix md5 in FIPS mode
 OpenSSL 3.0.0+ does not support EVP_MD_CTX_FLAG_NON_FIPS_ALLOW any longer.
 In OpenSSL 1.1.1 the non FIPS allowed flag is context specific, while
 in 3.0.0+ it is a different EVP_MD provider.
 Resolves: rhbz#2050541
 diff -up mariadb-10.5.13-downstream_modified/mysys_ssl/my_md5.cc.fips mariadb-10.5.13-downstream_modified/mysys_ssl/my_md5.cc
 --- mariadb-10.5.13-downstream_modified/mysys_ssl/my_md5.cc.fips	2022-02-07 16:36:47.255131576 +0100
 +++ mariadb-10.5.13-downstream_modified/mysys_ssl/my_md5.cc	2022-02-07 22:57:32.391002916 +0100
@@ -52,12 +52,15 @@ static void md5_result(EVP_MD_CTX *conte
 static void md5_init(EVP_MD_CTX *context)
 {
 +  EVP_MD *md5;
 +  md5 = EVP_MD_fetch(NULL, "MD5", "fips=no");
   EVP_MD_CTX_init(context);
 #ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
   /* Ok to ignore FIPS: MD5 is not used for crypto here */
   EVP_MD_CTX_set_flags(context, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
 #endif
 -  EVP_DigestInit_ex(context, EVP_md5(), NULL);
 +  EVP_DigestInit_ex(context, md5, NULL);
 +  EVP_MD_free(md5);
 }
 static void md5_input(EVP_MD_CTX *context, const uchar *buf, unsigned len)
--- a/mariadb-openssl3.patch
+++ b/mariadb-openssl3.patch
@ -1,401 +0,0 @@
 From c80991c79f701dac42c630af4bd39593b0c7efb4 Mon Sep 17 00:00:00 2001
 From: Vladislav Vaintroub <wlad@mariadb.com>
 Date: Mon, 8 Nov 2021 18:48:19 +0100
 Subject: [PATCH] MDEV-25785 Add support for OpenSSL 3.0
 Summary of changes
 - MD_CTX_SIZE is increased
 - EVP_CIPHER_CTX_buf_noconst(ctx) does not work anymore, points
  to nobody knows where. The assumption made previously was that
  (since the function does not seem to be documented)
  was that it points to the last partial source block.
  Add own partial block buffer for NOPAD encryption instead
 - SECLEVEL in CipherString in openssl.cnf
  had been downgraded to 0, from 1, to make TLSv1.0 and TLSv1.1 possible
 - Workaround Ssl_cipher_list issue, it now returns TLSv1.3 ciphers,
  in addition to what was set in --ssl-cipher
 - ctx_buf buffer now must be aligned to 16 bytes with openssl(
  previously with WolfSSL only), ot crashes will happen
 - updated aes-t , to be better debuggable
  using function, rather than a huge multiline macro
  added test that does "nopad" encryption piece-wise, to test
  replacement of EVP_CIPHER_CTX_buf_noconst
 ---
 cmake/ssl.cmake                   |  19 ++++-
 include/ssl_compat.h              |   3 +-
 mysql-test/lib/openssl.cnf        |   2 +-
 mysql-test/main/ssl_cipher.result |   6 +-
 mysql-test/main/ssl_cipher.test   |   2 +-
 mysys_ssl/my_crypt.cc             |  46 +++++++-----
 unittest/mysys/aes-t.c            | 121 ++++++++++++++++++++++--------
 7 files changed, 141 insertions(+), 58 deletions(-)
 diff -up mariadb-10.5.12-downstream_modified/cmake/ssl.cmake.patch16 mariadb-10.5.12-downstream_modified/cmake/ssl.cmake
 --- mariadb-10.5.12-downstream_modified/cmake/ssl.cmake.patch16	2021-08-03 10:29:07.000000000 +0200
 +++ mariadb-10.5.12-downstream_modified/cmake/ssl.cmake	2021-11-18 16:58:41.552440737 +0100
@@ -139,9 +139,20 @@ MACRO (MYSQL_CHECK_SSL)
       SET(SSL_INTERNAL_INCLUDE_DIRS "")
       SET(SSL_DEFINES "-DHAVE_OPENSSL")
 +      FOREACH(x INCLUDES LIBRARIES DEFINITIONS)
 +        SET(SAVE_CMAKE_REQUIRED_${x} ${CMAKE_REQUIRED_${x}})
 +      ENDFOREACH()
 +
 +      # Silence "deprecated in OpenSSL 3.0"
 +      IF((NOT OPENSSL_VERSION) # 3.0 not determined by older cmake
 +         OR NOT(OPENSSL_VERSION VERSION_LESS "3.0.0"))
 +        SET(SSL_DEFINES "${SSL_DEFINES} -DOPENSSL_API_COMPAT=0x10100000L")
 +        SET(CMAKE_REQUIRED_DEFINITIONS -DOPENSSL_API_COMPAT=0x10100000L)
 +      ENDIF()
 +
       SET(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
       SET(CMAKE_REQUIRED_LIBRARIES ${SSL_LIBRARIES})
 -      SET(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
 +
       CHECK_SYMBOL_EXISTS(ERR_remove_thread_state "openssl/err.h"
                           HAVE_ERR_remove_thread_state)
       CHECK_SYMBOL_EXISTS(EVP_aes_128_ctr "openssl/evp.h"
@@ -150,8 +161,10 @@ MACRO (MYSQL_CHECK_SSL)
                           HAVE_EncryptAes128Gcm)
       CHECK_SYMBOL_EXISTS(X509_check_host "openssl/x509v3.h"
                           HAVE_X509_check_host)
 -      SET(CMAKE_REQUIRED_INCLUDES)
 -      SET(CMAKE_REQUIRED_LIBRARIES)
 +
 +      FOREACH(x INCLUDES LIBRARIES DEFINITIONS)
 +        SET(CMAKE_REQUIRED_${x} ${SAVE_CMAKE_REQUIRED_${x}})
 +      ENDFOREACH()
     ELSE()
       IF(WITH_SSL STREQUAL "system")
         MESSAGE(FATAL_ERROR "Cannot find appropriate system libraries for SSL. Use WITH_SSL=bundled to enable SSL support")
 diff -up mariadb-10.5.12-downstream_modified/include/ssl_compat.h.patch16 mariadb-10.5.12-downstream_modified/include/ssl_compat.h
 --- mariadb-10.5.12-downstream_modified/include/ssl_compat.h.patch16	2021-08-03 10:29:07.000000000 +0200
 +++ mariadb-10.5.12-downstream_modified/include/ssl_compat.h	2021-11-18 16:58:41.552440737 +0100
@@ -24,7 +24,7 @@
 #define SSL_LIBRARY OpenSSL_version(OPENSSL_VERSION)
 #define ERR_remove_state(X) ERR_clear_error()
 #define EVP_CIPHER_CTX_SIZE 176
 -#define EVP_MD_CTX_SIZE 48
 +#define EVP_MD_CTX_SIZE 72
 #undef EVP_MD_CTX_init
 #define EVP_MD_CTX_init(X) do { memset((X), 0, EVP_MD_CTX_SIZE); EVP_MD_CTX_reset(X); } while(0)
 #undef EVP_CIPHER_CTX_init
@@ -74,7 +74,6 @@
 #define DH_set0_pqg(D,P,Q,G)            ((D)->p= (P), (D)->g= (G))
 #endif
 -#define EVP_CIPHER_CTX_buf_noconst(ctx) ((ctx)->buf)
 #define EVP_CIPHER_CTX_encrypting(ctx)  ((ctx)->encrypt)
 #define EVP_CIPHER_CTX_SIZE             sizeof(EVP_CIPHER_CTX)
 diff -up mariadb-10.5.12-downstream_modified/mysql-test/lib/openssl.cnf.patch16 mariadb-10.5.12-downstream_modified/mysql-test/lib/openssl.cnf
 --- mariadb-10.5.12-downstream_modified/mysql-test/lib/openssl.cnf.patch16	2021-08-03 10:29:07.000000000 +0200
 +++ mariadb-10.5.12-downstream_modified/mysql-test/lib/openssl.cnf	2021-11-18 16:58:41.552440737 +0100
@@ -9,4 +9,4 @@ ssl_conf = ssl_section
 system_default = system_default_section
 [system_default_section]
 -CipherString = ALL:@SECLEVEL=1
 +CipherString = ALL:@SECLEVEL=0
 diff -up mariadb-10.5.12-downstream_modified/mysql-test/main/ssl_cipher.result.patch16 mariadb-10.5.12-downstream_modified/mysql-test/main/ssl_cipher.result
 --- mariadb-10.5.12-downstream_modified/mysql-test/main/ssl_cipher.result.patch16	2021-08-03 10:29:08.000000000 +0200
 +++ mariadb-10.5.12-downstream_modified/mysql-test/main/ssl_cipher.result	2021-11-18 16:58:41.552440737 +0100
@@ -61,8 +61,8 @@ connect  ssl_con,localhost,root,,,,,SSL;
 SHOW STATUS LIKE 'Ssl_cipher';
 Variable_name	Value
 Ssl_cipher	AES128-SHA
 -SHOW STATUS LIKE 'Ssl_cipher_list';
 -Variable_name	Value
 -Ssl_cipher_list	AES128-SHA
 +SELECT VARIABLE_VALUE like '%AES128-SHA%' FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher_list';
 +VARIABLE_VALUE like '%AES128-SHA%'
 +1
 disconnect ssl_con;
 connection default;
 diff -up mariadb-10.5.12-downstream_modified/mysql-test/main/ssl_cipher.test.patch16 mariadb-10.5.12-downstream_modified/mysql-test/main/ssl_cipher.test
 --- mariadb-10.5.12-downstream_modified/mysql-test/main/ssl_cipher.test.patch16	2021-11-18 16:58:41.552440737 +0100
 +++ mariadb-10.5.12-downstream_modified/mysql-test/main/ssl_cipher.test	2021-11-18 17:00:47.753839711 +0100
@@ -100,6 +100,6 @@ connect (ssl_con,localhost,root,,,,,SSL)
 --replace_regex /TLS_AES_.*/AES128-SHA/
 SHOW STATUS LIKE 'Ssl_cipher';
 --replace_regex /TLS_AES_.*/AES128-SHA/
 -SHOW STATUS LIKE 'Ssl_cipher_list';
 +SELECT VARIABLE_VALUE like '%AES128-SHA%' FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher_list';
 disconnect ssl_con;
 connection default;
 diff -up mariadb-10.5.12-downstream_modified/mysys_ssl/my_crypt.cc.patch16 mariadb-10.5.12-downstream_modified/mysys_ssl/my_crypt.cc
 --- mariadb-10.5.12-downstream_modified/mysys_ssl/my_crypt.cc.patch16	2021-08-03 10:29:08.000000000 +0200
 +++ mariadb-10.5.12-downstream_modified/mysys_ssl/my_crypt.cc	2021-11-18 16:58:41.552440737 +0100
@@ -29,11 +29,7 @@
 #include <ssl_compat.h>
 #include <cstdint>
 -#ifdef HAVE_WOLFSSL
 #define CTX_ALIGN 16
 -#else
 -#define CTX_ALIGN 0
 -#endif
 class MyCTX
 {
@@ -100,8 +96,9 @@ class MyCTX_nopad : public MyCTX
 {
 public:
   const uchar *key;
 -  uint klen, buf_len;
 +  uint klen, source_tail_len;
   uchar oiv[MY_AES_BLOCK_SIZE];
 +  uchar source_tail[MY_AES_BLOCK_SIZE];
   MyCTX_nopad() : MyCTX() { }
   ~MyCTX_nopad() { }
@@ -112,7 +109,7 @@ public:
     compile_time_assert(MY_AES_CTX_SIZE >= sizeof(MyCTX_nopad));
     this->key= key;
     this->klen= klen;
 -    this->buf_len= 0;
 +    this->source_tail_len= 0;
     if (ivlen)
       memcpy(oiv, iv, ivlen);
     DBUG_ASSERT(ivlen == 0 || ivlen == sizeof(oiv));
@@ -123,26 +120,41 @@ public:
     return res;
   }
 +  /** Update last partial source block, stored in source_tail array. */
 +  void update_source_tail(const uchar* src, uint slen)
 +  {
 +    if (!slen)
 +      return;
 +    uint new_tail_len= (source_tail_len + slen) % MY_AES_BLOCK_SIZE;
 +    if (new_tail_len)
 +    {
 +      if (slen + source_tail_len < MY_AES_BLOCK_SIZE)
 +      {
 +        memcpy(source_tail + source_tail_len, src, slen);
 +      }
 +      else
 +      {
 +        DBUG_ASSERT(slen > new_tail_len);
 +        memcpy(source_tail, src + slen - new_tail_len, new_tail_len);
 +      }
 +    }
 +    source_tail_len= new_tail_len;
 +  }
 +
   int update(const uchar *src, uint slen, uchar *dst, uint *dlen)
   {
 -    buf_len+= slen;
 +    update_source_tail(src, slen);
     return MyCTX::update(src, slen, dst, dlen);
   }
   int finish(uchar *dst, uint *dlen)
   {
 -    buf_len %= MY_AES_BLOCK_SIZE;
 -    if (buf_len)
 +    if (source_tail_len)
     {
 -      uchar *buf= EVP_CIPHER_CTX_buf_noconst(ctx);
       /*
         Not much we can do, block ciphers cannot encrypt data that aren't
         a multiple of the block length. At least not without padding.
         Let's do something CTR-like for the last partial block.
 -
 -        NOTE this assumes that there are only buf_len bytes in the buf.
 -        If OpenSSL will change that, we'll need to change the implementation
 -        of this class too.
       */
       uchar mask[MY_AES_BLOCK_SIZE];
       uint mlen;
@@ -154,10 +166,10 @@ public:
         return rc;
       DBUG_ASSERT(mlen == sizeof(mask));
 -      for (uint i=0; i < buf_len; i++)
 -        dst[i]= buf[i] ^ mask[i];
 +      for (uint i=0; i < source_tail_len; i++)
 +        dst[i]= source_tail[i] ^ mask[i];
     }
 -    *dlen= buf_len;
 +    *dlen= source_tail_len;
     return MY_AES_OK;
   }
 };
 diff -up mariadb-10.5.12-downstream_modified/unittest/mysys/aes-t.c.patch16 mariadb-10.5.12-downstream_modified/unittest/mysys/aes-t.c
 --- mariadb-10.5.12-downstream_modified/unittest/mysys/aes-t.c.patch16	2021-08-03 10:29:10.000000000 +0200
 +++ mariadb-10.5.12-downstream_modified/unittest/mysys/aes-t.c	2021-11-18 16:58:41.553440740 +0100
@@ -21,27 +21,96 @@
 #include <string.h>
 #include <ctype.h>
 -#define DO_TEST(mode, nopad, slen, fill, dlen, hash)                    \
 -  SKIP_BLOCK_IF(mode == 0xDEADBEAF, nopad ? 4 : 5, #mode " not supported")     \
 -  {                                                                     \
 -    memset(src, fill, src_len= slen);                                   \
 -    ok(my_aes_crypt(mode, nopad | ENCRYPTION_FLAG_ENCRYPT,              \
 -                    src, src_len, dst, &dst_len,                        \
 -                    key, sizeof(key), iv, sizeof(iv)) == MY_AES_OK,     \
 -      "encrypt " #mode " %u %s", src_len, nopad ? "nopad" : "pad");     \
 -    if (!nopad)                                                         \
 -      ok (dst_len == my_aes_get_size(mode, src_len), "my_aes_get_size");\
 -    my_md5(md5, (char*)dst, dst_len);                                   \
 -    ok(dst_len == dlen && memcmp(md5, hash, sizeof(md5)) == 0, "md5");  \
 -    ok(my_aes_crypt(mode, nopad | ENCRYPTION_FLAG_DECRYPT,              \
 -                    dst, dst_len, ddst, &ddst_len,                      \
 -                    key, sizeof(key), iv, sizeof(iv)) == MY_AES_OK,     \
 -       "decrypt " #mode " %u", dst_len);                                \
 -    ok(ddst_len == src_len && memcmp(src, ddst, src_len) == 0, "memcmp"); \
 +
 +/** Test streaming encryption, bytewise update.*/
 +static int aes_crypt_bytewise(enum my_aes_mode mode, int flags, const unsigned char *src,
 +                 unsigned int slen, unsigned char *dst, unsigned int *dlen,
 +                 const unsigned char *key, unsigned int klen,
 +                 const unsigned char *iv, unsigned int ivlen)
 +{
 +  /* Allocate context on odd address on stack, in order to
 +   catch misalignment errors.*/
 +  void *ctx= (char *)alloca(MY_AES_CTX_SIZE+1)+1;
 +
 +  int res1, res2;
 +  uint d1= 0, d2;
 +  uint i;
 +
 +  if ((res1= my_aes_crypt_init(ctx, mode, flags, key, klen, iv, ivlen)))
 +    return res1;
 +  for (i= 0; i < slen; i++)
 +  {
 +    uint tmp_d1=0;
 +    res1= my_aes_crypt_update(ctx, src+i,1, dst, &tmp_d1);
 +    if (res1)
 +      return res1;
 +    d1+= tmp_d1;
 +    dst+= tmp_d1;
 +  }
 +  res2= my_aes_crypt_finish(ctx, dst, &d2);
 +  *dlen= d1 + d2;
 +  return res1 ? res1 : res2;
 +}
 +
 +
 +#ifndef HAVE_EncryptAes128Ctr
 +const uint MY_AES_CTR=0xDEADBEAF;
 +#endif
 +#ifndef HAVE_EncryptAes128Gcm
 +const uint MY_AES_GCM=0xDEADBEAF;
 +#endif
 +
 +#define MY_AES_UNSUPPORTED(x)  (x == 0xDEADBEAF)
 +
 +static void do_test(uint mode, const char *mode_str, int nopad, uint slen,
 +                    char fill, size_t dlen, const char *hash)
 +{
 +  uchar key[16]= {1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 5, 6};
 +  uchar iv[16]= {2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 5, 6, 7};
 +  uchar src[1000], dst[1100], dst2[1100], ddst[1000];
 +  uchar md5[MY_MD5_HASH_SIZE];
 +  uint src_len, dst_len, dst_len2, ddst_len;
 +  int result;
 +
 +  if (MY_AES_UNSUPPORTED(mode))
 +  {
 +    skip(nopad?7:6, "%s not supported", mode_str);
 +    return;
 +  }
 +  memset(src, fill, src_len= slen);
 +  result= my_aes_crypt(mode, nopad | ENCRYPTION_FLAG_ENCRYPT, src, src_len,
 +                       dst, &dst_len, key, sizeof(key), iv, sizeof(iv));
 +  ok(result == MY_AES_OK, "encrypt %s %u %s", mode_str, src_len,
 +     nopad ? "nopad" : "pad");
 +
 +  if (nopad)
 +  {
 +    result= aes_crypt_bytewise(mode, nopad | ENCRYPTION_FLAG_ENCRYPT, src,
 +                                src_len, dst2, &dst_len2, key, sizeof(key),
 +                                iv, sizeof(iv));
 +    ok(result == MY_AES_OK, "encrypt bytewise %s %u", mode_str, src_len);
 +    /* Compare with non-bytewise encryption result*/
 +    ok(dst_len == dst_len2 && memcmp(dst, dst2, dst_len) == 0,
 +       "memcmp bytewise  %s %u", mode_str, src_len);
   }
 +  else
 +  {
 +    int dst_len_real= my_aes_get_size(mode, src_len);
 +    ok(dst_len_real= dst_len, "my_aes_get_size");
 +  }
 +  my_md5(md5, (char *) dst, dst_len);
 +  ok(dst_len == dlen, "md5 len");
 +  ok(memcmp(md5, hash, sizeof(md5)) == 0, "md5");
 +  result= my_aes_crypt(mode, nopad | ENCRYPTION_FLAG_DECRYPT,
 +                       dst, dst_len, ddst, &ddst_len, key, sizeof(key), iv,
 +                       sizeof(iv));
 +
 +  ok(result == MY_AES_OK, "decrypt %s %u", mode_str, dst_len);
 +  ok(ddst_len == src_len && memcmp(src, ddst, src_len) == 0, "memcmp");
 +}
 -#define DO_TEST_P(M,S,F,D,H) DO_TEST(M,0,S,F,D,H)
 -#define DO_TEST_N(M,S,F,D,H) DO_TEST(M,ENCRYPTION_FLAG_NOPAD,S,F,D,H)
 +#define DO_TEST_P(M, S, F, D, H) do_test(M, #M, 0, S, F, D, H)
 +#define DO_TEST_N(M, S, F, D, H) do_test(M, #M, ENCRYPTION_FLAG_NOPAD, S, F, D, H)
 /* useful macro for debugging */
 #define PRINT_MD5()                                     \
@@ -53,25 +122,15 @@
     printf("\"\n");                                     \
   } while(0);
 -#ifndef HAVE_EncryptAes128Ctr
 -const uint MY_AES_CTR=0xDEADBEAF;
 -#endif
 -#ifndef HAVE_EncryptAes128Gcm
 -const uint MY_AES_GCM=0xDEADBEAF;
 -#endif
 int
 main(int argc __attribute__((unused)),char *argv[])
 {
 -  uchar key[16]= {1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6};
 -  uchar iv[16]=  {2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7};
 -  uchar src[1000], dst[1100], ddst[1000];
 -  uchar md5[MY_MD5_HASH_SIZE];
 -  uint src_len, dst_len, ddst_len;
   MY_INIT(argv[0]);
 -  plan(87);
 +  plan(122);
 +
   DO_TEST_P(MY_AES_ECB, 200, '.', 208, "\xd8\x73\x8e\x3a\xbc\x66\x99\x13\x7f\x90\x23\x52\xee\x97\x6f\x9a");
   DO_TEST_P(MY_AES_ECB, 128, '?', 144, "\x19\x58\x33\x85\x4c\xaa\x7f\x06\xd1\xb2\xec\xd7\xb7\x6a\xa9\x5b");
   DO_TEST_P(MY_AES_CBC, 159, '%', 160, "\x4b\x03\x18\x3d\xf1\xa7\xcd\xa1\x46\xb3\xc6\x8a\x92\xc0\x0f\xc9");
 MariaDB before 10.8 series does not contain the OpenSSL 3 patch on the upstream.
 MariaDB upstream later added the following condition:
 https://github.com/MariaDB/server/commit/c9beef4315
 limiting the OpenSSL that can be used to < 3. and reverted this commit for 10.8 and later:
 https://github.com/MariaDB/server/commit/64e358821e
 Since we apply the OpenSSL 3 patch from MariaDB 10.8 series to earlier series, we need to revert this commit
 on those earlier series too.
 --- mariadb-10.5.15-downstream_modified/cmake/ssl.cmake	2022-02-22 05:13:17.259097302 +0100
 +++ mariadb-10.5.15-downstream_modified/cmake/ssl.cmake_patched	2022-02-23 07:22:20.290082378 +0100
@@ -118,7 +118,7 @@ MACRO (MYSQL_CHECK_SSL)
     ENDIF()
     FIND_PACKAGE(OpenSSL)
     SET_PACKAGE_PROPERTIES(OpenSSL PROPERTIES TYPE RECOMMENDED)
 -    IF(OPENSSL_FOUND AND OPENSSL_VERSION AND OPENSSL_VERSION VERSION_LESS "3.0.0")
 +    IF(OPENSSL_FOUND)
       SET(OPENSSL_LIBRARY ${OPENSSL_SSL_LIBRARY})
       INCLUDE(CheckSymbolExists)
       SET(SSL_SOURCES "")
--- a/mariadb-ssl-cipher-tests.patch
+++ b/mariadb-ssl-cipher-tests.patch
@ -1,6 +1,6 @@
-diff -up mariadb-10.3.9/mysql-test/main/ssl_cipher.test.fixtest mariadb-10.3.9/mysql-test/main/ssl_cipher.test
+diff -up mariadb-10.5.22/mysql-test/main/ssl_cipher.test.fixtest mariadb-10.3.9/mysql-test/main/ssl_cipher.test
--- mariadb-10.3.13/mysql-test/main/ssl_cipher.test	2019-02-20 08:59:09.000000000 +0100
+--- mariadb-10.5.22/mysql-test/main/ssl_cipher.test	2019-02-20 08:59:09.000000000 +0100
-+++ mariadb-10.3.13/mysql-test/main/ssl_cipher.test_patched	2019-02-22 11:22:01.250256060 +0100
+++ mariadb-10.5.22/mysql-test/main/ssl_cipher.test_patched	2019-02-22 11:22:01.250256060 +0100
@@ -97,7 +97,9 @@ drop user mysqltest_1@localhost;
 let $restart_parameters=--ssl-cipher=AES128-SHA;
 source include/restart_mysqld.inc;
@ -8,6 +8,6 @@ diff -up mariadb-10.3.9/mysql-test/main/ssl_cipher.test.fixtest mariadb-10.3.9/m
 +--replace_regex /TLS_AES_.*/AES128-SHA/
 SHOW STATUS LIKE 'Ssl_cipher';
 +--replace_regex /TLS_AES_.*/AES128-SHA/
- SHOW STATUS LIKE 'Ssl_cipher_list';
+ SELECT VARIABLE_VALUE like '%AES128-SHA%' FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher_list';
 disconnect ssl_con;
 connection default;
--- a/mariadb.spec
+++ b/mariadb.spec
@ -73,8 +73,8 @@
 %global sameevr   %{epoch}:%{version}-%{release}
 Name:             mariadb
-Version:          10.5.16
+Version:          10.5.22
-Release:          3
+Release:          1
 Epoch:            4
 Summary:          A very fast and robust SQL database server
@ -112,12 +112,6 @@ Patch9:           %{pkgnamepatch}-ownsetup.patch
 Patch10:          %{pkgnamepatch}-ssl-cipher-tests.patch
 #   Patch11: Use PCDIR CMake option, if configured
 Patch11:          %{pkgnamepatch}-pcdir.patch
 #   Patch12: OpenSSL 3 patch
 #   Picked from the upstream developement branch for MariaDB 10.8.
 #   https://jira.mariadb.org/browse/MDEV-25785
 Patch12:           %{pkgnamepatch}-openssl3.patch
 #   Patch16: Fix MD5 in FIPS mode
 Patch16:          %{pkgnamepatch}-fips.patch
 BuildRequires:    make
 BuildRequires:    cmake gcc-c++
@ -624,13 +618,11 @@ sources.
 %prep
 %setup -q -n mariadb-%{version}
-%patch4 -p1
+%patch -P4 -p1
-%patch7 -p1
+%patch -P7 -p1
-%patch9 -p1
+%patch -P9 -p1
-%patch10 -p1
+%patch -P10 -p1
-%patch11 -p1
+%patch -P11 -p1
 %patch12 -p1
 %patch16 -p1
 # Remove JAR files that upstream puts into tarball
 find . -name "*.jar" -type f -exec rm --verbose -f {} \;
@ -1482,13 +1474,16 @@ fi
 %endif
 %changelog
 * Sun Aug 20 2023 Funda Wang <fundawang@yeah.net> - 4:10.5.22-1
 - update to 10.5.22
 * Tue Feb 14 2023 peijiankang <peijiankang@kylinos.cn> - 4:10.5.16-3
 - add mariadb-openssl3.patch and mariadb-fips.patch
 * Tue Feb 7 2023 dillon chen <dillon.chen@gmail.com> - 4:10.5.16-2
 - change openssl to compat-openssl11 because openSSL upgrade to 3.0
-* Thur May 26 2022 bzhaoop<bzhaojyathousandy@gmail.com> - 4:10.5.16-1
+* Thu May 26 2022 bzhaoop<bzhaojyathousandy@gmail.com> - 4:10.5.16-1
 - Bump to 10.5.16 for resolving CVEs below
 - CVE-2022-27385
 - CVE-2022-27382
@ -1521,7 +1516,7 @@ fi
 - Apply the patches from old branch.
 - Adaption the cmake version and integrate into the spec file.
-* Thur Mar 17 2022 bzhaoop<bzhaojyathousandy@gmail.com> -4:10.5.15-1
+* Thu Mar 17 2022 bzhaoop<bzhaojyathousandy@gmail.com> -4:10.5.15-1
 - Bump to 10.5.15
 - For resolving CVEs:
 - CVE-2022-24048