OpenSSL work

Docs/manual.texi

@@ -23299,6 +23299,7 @@ GRANT priv_type [(column_list)] [, priv_type [(column_list)] ...]
     ON @{tbl_name | * | *.* | db_name.*@}
     TO user_name [IDENTIFIED BY 'password']
         [, user_name [IDENTIFIED BY 'password'] ...]
+    [REQUIRE @{SSL|X509@} [ISSUER issuer] [SUBJECT subject]]
     [WITH GRANT OPTION]
 
 REVOKE priv_type [(column_list)] [, priv_type [(column_list)] ...]
@@ -29454,6 +29455,15 @@ The number of seconds the slave thread will sleep before retrying to
 connect to the master in case the master goes down or the connection is
 lost.  Default is 60.  (Example: @code{master-connect-retry=60})
 
+@item @code{master-ssl} @tab
+Turn SSL on (Example: @code{master-ssl})
+
+@item @code{master-ssl-key} @tab
+Master SSL keyfile name (Example: @code{master-ssl-key=SSL/master-key.pem})
+
+@item @code{master-ssl-cert} @tab
+Master SSL certificate file name (Example: @code{master-ssl-key=SSL/master-cert.pem})
+
 @item @code{master-info-file=filename} @tab
 The location of the file that remembers where we left off on the master
 during the replication process. The default is master.info in the data

SSL/run-client

@@ -5,5 +5,6 @@ cmd () {
 	$*
 }
 
-client/mysql --port=4407 --socket=/tmp/test.mysql.sock --ssl-ca=SSL/cacert.pem --ssl-cert=SSL/client-cert.pem --ssl-key=SSL/client-key.pem --debug='d:t:O,/tmp/client.trace' -h 127.0.0.1 --execute="select version()"
+client/mysql --port=4407 --socket=/tmp/test.mysql.sock --ssl-ca=SSL/cacert.pem --ssl-cert=SSL/client-cert.pem --ssl-key=SSL/client-key.pem --debug='d:t:O,/tmp/client.trace' -h 127.0.0.1 -u root
+#--execute="select version();show status"
 

SSL/run-server

@@ -5,5 +5,5 @@ cmd () {
 	$*
 }
 
-cmd sql/mysqld --port=4407 --socket=/tmp/test.mysql.sock --ssl-ca=SSL/cacert.pem --ssl-cert=SSL/server-cert.pem --ssl-key=SSL/server-key.pem --skip-grant --debug='d:t:O,/tmp/mysqld.trace' >& /tmp/mysqld.output
+cmd sql/mysqld --port=4407 --socket=/tmp/test.mysql.sock --ssl-ca=SSL/cacert.pem --ssl-cert=SSL/server-cert.pem --ssl-key=SSL/server-key.pem --debug='d:t:O,/tmp/mysqld.trace' -uroot >& /tmp/mysqld.output
 

readline/callback.c

@@ -29,6 +29,7 @@
 
 #if defined (READLINE_CALLBACKS)
 
+#include <stdlib.h>
 #include <sys/types.h>
 #include <stdio.h>
 

sql/mysqld.cc

@@ -704,10 +704,10 @@ void clean_up(bool print_message)
   end_raid();
 #endif
 #ifdef HAVE_OPENSSL
-  my_free(opt_ssl_key,MYF(0));
-  my_free(opt_ssl_cert,MYF(0));
-  my_free(opt_ssl_ca,MYF(0));
-  my_free(opt_ssl_capath,MYF(0));
+  my_free(opt_ssl_key,MYF(MY_ALLOW_ZERO_PTR));
+  my_free(opt_ssl_cert,MYF(MY_ALLOW_ZERO_PTR));
+  my_free(opt_ssl_ca,MYF(MY_ALLOW_ZERO_PTR));
+  my_free(opt_ssl_capath,MYF(MY_ALLOW_ZERO_PTR));
   opt_ssl_key=opt_ssl_cert=opt_ssl_ca=opt_ssl_capath=0;
 #endif /* HAVE_OPENSSL */
   free_defaults(defaults_argv);

sql/sql_acl.cc

@@ -61,6 +61,7 @@ public:
   uint hostname_length;
   char *user,*password;
   ulong salt[2];
+  char *ssl_type, *ssl_cipher, *ssl_issuer, *ssl_subject;
 };
 
 class ACL_DB :public ACL_ACCESS
@@ -199,6 +200,10 @@ int  acl_init(bool dont_read_acl_tables)
     update_hostname(&user.host,get_field(&mem, table,0));
     user.user=get_field(&mem, table,1);
     user.password=get_field(&mem, table,2);
+    user.ssl_type=get_field(&mem, table,17);
+    user.ssl_cipher=get_field(&mem, table,18);
+    user.ssl_issuer=get_field(&mem, table,19);
+    user.ssl_subject=get_field(&mem, table,20);
     if (user.password && (length=(uint) strlen(user.password)) == 8 &&
 	protocol_version == PROTOCOL_VERSION)
     {
@@ -2312,7 +2317,7 @@ uint get_column_grant(THD *thd, TABLE_LIST *table, Field *field)
 static const char *command_array[]=
 {"SELECT", "INSERT","UPDATE","DELETE","CREATE", "DROP","RELOAD","SHUTDOWN",
  "PROCESS","FILE","GRANT","REFERENCES","INDEX","ALTER"};
-static int command_lengths[]={6,6,6,6,6,4,6,8,7,4,5,9,5,5};
+static int command_lengths[]={6,6,6,6,6,4,6,8,7,4,5,10,5,5};
 
 int mysql_show_grants(THD *thd,LEX_USER *lex_user) 
 {
@@ -2320,7 +2325,7 @@ int mysql_show_grants(THD *thd,LEX_USER *lex_user)
   int  error = 0;
   ACL_USER *acl_user; ACL_DB *acl_db;
   char buff[1024];
-  DBUG_ENTER("mysql_grant");
+  DBUG_ENTER("mysql_show_grants");
 
   LINT_INIT(acl_user);
   if (!initialized)
@@ -2411,6 +2416,30 @@ int mysql_show_grants(THD *thd,LEX_USER *lex_user)
       global.append(passd_buff);
       global.append('\'');
     }
+/* SSL grant stuff */
+    DBUG_PRINT("info",("acl_user->ssl_type=%s",acl_user->ssl_type));
+    DBUG_PRINT("info",("acl_user->ssl_cipher=%s",acl_user->ssl_cipher));
+    DBUG_PRINT("info",("acl_user->ssl_subject=%s",acl_user->ssl_subject));
+    DBUG_PRINT("info",("acl_user->ssl_issuer=%s",acl_user->ssl_issuer));
+    if(acl_user->ssl_type) {
+      if(!strcmp(acl_user->ssl_type,"ssl"))
+        global.append(" REQUIRE SSL",12);
+      else if(!strcmp(acl_user->ssl_type,"x509"))       
+      {
+        global.append(" REQUIRE X509 ",14);
+	if(acl_user->ssl_issuer) {
+          global.append("SUBJECT \"",9);
+          global.append(acl_user->ssl_issuer,strlen(acl_user->ssl_issuer));
+          global.append("\"",1);
+	}
+	if(acl_user->ssl_subject) {
+          global.append("ISSUER \"",8);
+          global.append(acl_user->ssl_subject,strlen(acl_user->ssl_subject));
+          global.append("\"",1);
+	}
+      }
+    }
+
     if (want_access & GRANT_ACL)
       global.append(" WITH GRANT OPTION",18); 
     thd->packet.length(0);

vio/viosocket.c

@@ -143,6 +143,7 @@ int vio_blocking(Vio * vio, my_bool set_blocking_mode)
   DBUG_ENTER("vio_blocking");
   DBUG_PRINT("enter", ("set_blocking_mode: %d", (int) set_blocking_mode));
 
+#if !defined(HAVE_OPENSSL)
 #if !defined(___WIN__) && !defined(__EMX__)
 #if !defined(NO_FCNTL_NONBLOCK)
 
@@ -178,6 +179,8 @@ int vio_blocking(Vio * vio, my_bool set_blocking_mode)
       r = ioctlsocket(vio->sd,FIONBIO,(void*) &arg, sizeof(arg));
   }
 #endif /* !defined(__WIN__) && !defined(__EMX__) */
+#endif /* !defined (HAVE_OPENSSL) */ 
+  DBUG_PRINT("exit", ("return %d", r));
   DBUG_RETURN(r);
 }