From: Theo Buehler <tb@theobuehler.org>
Subject: mariadb: avoid openssl/libressl deprecated api
To: ports@openbsd.org
Cc: brad@comstyle.com
Date: Wed, 21 Jan 2026 08:31:01 +0100

CRYPTO_set_locking_callback() hasn't done anything since forever and
I'm going to remove it from libcrypto.

ASN1_STRING_data() has long been deprecated and has been removed from
OpenSSL after 3.6 and will be removed from LibreSSL. Use its const
correct non-deprecated spelling.

ssl_compat.h has a strange ASN1_STRING_get0_data define which falls back
to ASN1_STRING_data(). This is incorrectly guarded (ASN1_STRING_get0_data
was never a macro) and unused, so I didn't touch it.

Index: Makefile
===================================================================
RCS file: /cvs/ports/databases/mariadb/Makefile,v
diff -u -p -r1.159 Makefile
--- Makefile	19 Jan 2026 22:37:02 -0000	1.159
+++ Makefile	21 Jan 2026 07:13:13 -0000
@@ -8,6 +8,8 @@ VERSION=	11.4.9
 DISTNAME=	mariadb-${VERSION}
 PKGNAME-main=	mariadb-client-${VERSION}
 EPOCH=		1
+REVISION=	0
+
 CATEGORIES=	databases
 SITES=		https://archive.mariadb.org/${DISTNAME}/source/ \
 		https://ftp.osuosl.org/pub/mariadb/${DISTNAME}/source/
Index: patches/patch-libmariadb_libmariadb_secure_openssl_c
===================================================================
RCS file: patches/patch-libmariadb_libmariadb_secure_openssl_c
diff -N patches/patch-libmariadb_libmariadb_secure_openssl_c
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ patches/patch-libmariadb_libmariadb_secure_openssl_c	21 Jan 2026 07:16:29 -0000
@@ -0,0 +1,22 @@
+Avoid use of long-deprecated functions.
+
+Index: libmariadb/libmariadb/secure/openssl.c
+--- libmariadb/libmariadb/secure/openssl.c.orig
++++ libmariadb/libmariadb/secure/openssl.c
+@@ -285,7 +285,6 @@ void ma_tls_end()
+     {
+       int i;
+       CRYPTO_set_locking_callback(NULL);
+-      CRYPTO_THREADID_set_callback(NULL);
+ 
+       for (i=0; i < CRYPTO_num_locks(); i++)
+         pthread_mutex_destroy(&LOCK_crypto[i]);
+@@ -842,7 +841,7 @@ int ma_tls_verify_server_cert(MARIADB_TLS *ctls, unsig
+       goto error;
+     }
+ 
+-    cn_str = (char *)ASN1_STRING_data(cn_asn1);
++    cn_str = (char *)ASN1_STRING_get0_data(cn_asn1);
+ 
+     /* Make sure there is no embedded \0 in the CN */
+     if ((size_t)ASN1_STRING_length(cn_asn1) != strlen(cn_str))