authorunknown <tonu@x153.internalnet>2001-08-27 03:34:52 +0800
committerunknown <tonu@x153.internalnet>2001-08-27 03:34:52 +0800
commitb637188a43bead46e113351592f89ca85594808c (patch)
tree9788e564a1e5b119ac0c66775e373efcc18bfeca /sql
parent1c3f981bfb257a8de4a8e79531f6b3dca5aff87e (diff)
OpenSSL changes
BitKeeper/etc/ignore: Added vio/test-sslclient vio/test-sslserver to the ignore list client/mysql.cc: Let make mysql client tell user about cipher in use sql/mini_client.cc: Synced SSL stuff with libmysql code sql/mysqld.cc: Preparations to turn replication SSL on Stuff to output SSL variables with SHOW STATUS command sql/sql_show.cc: Stuff to output SSL variables with SHOW STATUS command sql/structs.h: Stuff to output SSL variables with SHOW STATUS command vio/viossl.c: Major modifications vio/viosslfactories.c: SSL fixes
Diffstat (limited to 'sql')
-rw-r--r--sql/mini_client.cc62
-rw-r--r--sql/mysqld.cc39
-rw-r--r--sql/sql_show.cc87
-rw-r--r--sql/structs.h13
4 files changed, 186 insertions, 15 deletions
diff --git a/sql/mini_client.cc b/sql/mini_client.cc
index d52dc40f6a8..31181ee2580 100644
--- a/sql/mini_client.cc
+++ b/sql/mini_client.cc
@@ -766,23 +766,36 @@ mc_mysql_connect(MYSQL *mysql,const char *host, const char *user,
mysql->client_flag=client_flag;
#ifdef HAVE_OPENSSL
+ if ((mysql->server_capabilities & CLIENT_SSL) &&
+ (mysql->options.use_ssl || (client_flag & CLIENT_SSL)))
+ {
+ DBUG_PRINT("info", ("Changing IO layer to SSL"));
+ client_flag |= CLIENT_SSL;
+ }
+ else
+ {
+ if (client_flag & CLIENT_SSL)
+ {
+ DBUG_PRINT("info", ("Leaving IO layer intact because server doesn't support SSL"));
+ }
+ client_flag &= ~CLIENT_SSL;
+ }
/* Oops.. are we careful enough to not send ANY information */
/* without encryption? */
-/* if (client_flag & CLIENT_SSL)
+ if (client_flag & CLIENT_SSL)
{
if (my_net_write(net,buff,(uint) (2)) || net_flush(net))
- goto error;*/
+ goto error;
/* Do the SSL layering. */
- /* DBUG_PRINT("info", ("IO layer change in progress..."));
- VioSSLConnectorFd* connector_fd = (VioSSLConnectorFd*)
- (mysql->connector_fd);
- VioSocket* vio_socket = (VioSocket*)(mysql->net.vio);
- VioSSL* vio_ssl = connector_fd->connect(vio_socket);
- mysql->net.vio = (NetVio*)(vio_ssl);
- }*/
+ DBUG_PRINT("info", ("IO layer change in progress..."));
+ DBUG_PRINT("info", ("IO context %p",((struct st_VioSSLConnectorFd*)mysql->connector_fd)->ssl_context_));
+ sslconnect((struct st_VioSSLConnectorFd*)(mysql->connector_fd),mysql->net.vio);
+ DBUG_PRINT("info", ("IO layer change done!"));
+ }
#endif /* HAVE_OPENSSL */
-
int3store(buff+2,max_allowed_packet);
+
+
if (user && user[0])
strmake(buff+5,user,32);
else
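Review bot: The `else` branch at the top of the hunk silently clears CLIENT_SSL and carries on in clear text when the server does not advertise CLIENT_SSL, even when the caller asked for encryption through `mysql->options.use_ssl`; the user name written by `strmake(buff+5,user,32)` and whatever follows then leaves the host unencrypted, which is exactly the downgrade the "Oops.." comment worries about. A client that explicitly requested SSL should refuse instead, `else if (mysql->options.use_ssl) goto error;`, or the intended plaintext fallback should be stated in a comment if it is deliberate for the replication slave. `sslconnect(...)` is also called as a bare statement, so if it reports a failed handshake (its return type is not visible here) the failure is ignored and the code keeps treating the vio as encrypted. The DBUG_PRINT before it dereferences `mysql->connector_fd` without a NULL check, and nothing in this hunk shows that the pointer is always set when CLIENT_SSL is on. mc_mysql_connect begins and ends outside this hunk.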
@@ -821,6 +834,32 @@ error:
DBUG_RETURN(0);
}
+
+#ifdef HAVE_OPENSSL
+/*
+**************************************************************************
+** Free strings in the SSL structure and clear 'use_ssl' flag.
+** NB! Errors are not reported until you do mysql_real_connect.
+**************************************************************************
+*/
+int STDCALL
+mysql_ssl_clear(MYSQL *mysql)
+{
+ my_free(mysql->options.ssl_key, MYF(MY_ALLOW_ZERO_PTR));
+ my_free(mysql->options.ssl_cert, MYF(MY_ALLOW_ZERO_PTR));
+ my_free(mysql->options.ssl_ca, MYF(MY_ALLOW_ZERO_PTR));
+ my_free(mysql->options.ssl_capath, MYF(MY_ALLOW_ZERO_PTR));
+ mysql->options.ssl_key = 0;
+ mysql->options.ssl_cert = 0;
+ mysql->options.ssl_ca = 0;
+ mysql->options.ssl_capath = 0;
+ mysql->options.use_ssl = FALSE;
+ my_free(mysql->connector_fd,MYF(MY_ALLOW_ZERO_PTR));
+ mysql->connector_fd = 0;
+ return 0;
+}
+#endif /* HAVE_OPENSSL */
+
/*************************************************************************
** Send a QUIT to the server and close the connection
** If handle is alloced by mysql connect free it.
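Review bot: The header comment of `mysql_ssl_clear` says errors are not reported until `mysql_real_connect`, but this file's connect entry point is `mc_mysql_connect`, so the comment reads as copied from libmysql; it should say `** NB! Errors are not reported until you do mc_mysql_connect.`. Every other function of mini_client.cc visible on this page carries the `mc_` prefix (`mc_mysql_connect`, `mc_mysql_close`), so an unprefixed `mysql_ssl_clear` with STDCALL linkage risks colliding with the libmysql symbol of the same name if both are ever linked into one binary; `mc_mysql_ssl_clear` would follow the file's convention. Freeing `mysql->connector_fd` with plain `my_free` releases the struct but not the `ssl_context_` it carries (dereferenced in the connect hunk above), so unless the SSL_CTX is released elsewhere each close leaks it; a comment stating who owns and frees the SSL_CTX would settle that.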
@@ -849,8 +888,7 @@ mc_mysql_close(MYSQL *mysql)
bzero((char*) &mysql->options,sizeof(mysql->options));
mysql->net.vio = 0;
#ifdef HAVE_OPENSSL
-/* ((VioConnectorFd*)(mysql->connector_fd))->delete();
- mysql->connector_fd = 0;*/
+ mysql_ssl_clear(mysql);
#endif /* HAVE_OPENSSL */
if (mysql->free_me)
my_free((gptr) mysql,MYF(0));
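Review bot: `mysql_ssl_clear(mysql)` runs after the `bzero((char*) &mysql->options,sizeof(mysql->options))` on the context line above it, so by the time it executes `options.ssl_key`, `ssl_cert`, `ssl_ca` and `ssl_capath` are already NULL and its `my_free` calls are no-ops; if those strings are heap-allocated, as the MY_ALLOW_ZERO_PTR frees in mysql_ssl_clear imply, they leak on every close. Move the call above the bzero: `mysql_ssl_clear(mysql);` immediately before `bzero((char*) &mysql->options,sizeof(mysql->options));` (the `connector_fd` free is unaffected either way since that field is outside `options`). mc_mysql_close starts outside this hunk.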
diff --git a/sql/mysqld.cc b/sql/mysqld.cc
index a036c885f4b..18de8c19c89 100644
--- a/sql/mysqld.cc
+++ b/sql/mysqld.cc
@@ -279,13 +279,14 @@ volatile ulong cached_thread_count=0;
// replication parameters, if master_host is not NULL, we are a slave
my_string master_user = (char*) "test", master_password = 0, master_host=0,
- master_info_file = (char*) "master.info";
+ master_info_file = (char*) "master.info", master_ssl_key=0, master_ssl_cert=0;
my_string report_user = 0, report_password = 0, report_host=0;
const char *localhost=LOCAL_HOST;
const char *delayed_user="DELAYED";
uint master_port = MYSQL_PORT, master_connect_retry = 60;
uint report_port = MYSQL_PORT;
+bool master_ssl = 0;
ulong max_tmp_tables,max_heap_table_size;
ulong bytes_sent = 0L, bytes_received = 0L;
@@ -707,7 +708,6 @@ void clean_up(bool print_message)
my_free(opt_ssl_cert,MYF(0));
my_free(opt_ssl_ca,MYF(0));
my_free(opt_ssl_capath,MYF(0));
-// my_free(ssl_acceptor_fd,MYF(0));
opt_ssl_key=opt_ssl_cert=opt_ssl_ca=opt_ssl_capath=0;
#endif /* HAVE_OPENSSL */
free_defaults(defaults_argv);
@@ -2495,6 +2495,10 @@ enum options {
OPT_MASTER_HOST, OPT_MASTER_USER,
OPT_MASTER_PASSWORD, OPT_MASTER_PORT,
OPT_MASTER_INFO_FILE, OPT_MASTER_CONNECT_RETRY,
+#ifdef HAVE_OPENSSL
+ OPT_MASTER_SSL, OPT_MASTER_SSL_KEY,
+ OPT_MASTER_SSL_CERT,
+#endif /* HAVE_OPESSSL*/
OPT_SQL_BIN_UPDATE_SAME, OPT_REPLICATE_DO_DB,
OPT_REPLICATE_IGNORE_DB, OPT_LOG_SLAVE_UPDATES,
OPT_BINLOG_DO_DB, OPT_BINLOG_IGNORE_DB,
@@ -2601,6 +2605,9 @@ static struct option long_options[] = {
{"master-port", required_argument, 0, (int) OPT_MASTER_PORT},
{"master-connect-retry", required_argument, 0, (int) OPT_MASTER_CONNECT_RETRY},
{"master-info-file", required_argument, 0, (int) OPT_MASTER_INFO_FILE},
+ {"master-ssl", optional_argument, 0, (int) OPT_MASTER_SSL},
+ {"master-ssl-key", optional_argument, 0, (int) OPT_MASTER_SSL_KEY},
+ {"master-ssl-cert", optional_argument, 0, (int) OPT_MASTER_SSL_CERT},
{"myisam-recover", optional_argument, 0, (int) OPT_MYISAM_RECOVER},
{"memlock", no_argument, 0, (int) OPT_MEMLOCK},
// needs to be available for the test case to pass in non-debugging mode
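Review bot: The three `master-ssl*` rows are added to `long_options[]` unconditionally, but `OPT_MASTER_SSL`, `OPT_MASTER_SSL_KEY` and `OPT_MASTER_SSL_CERT` are declared only inside `#ifdef HAVE_OPENSSL` in the `enum options` hunk above, so a build without OpenSSL no longer compiles; wrap these rows in the same `#ifdef HAVE_OPENSSL` / `#endif` (and fix the `/* HAVE_OPESSSL*/` typo on that enum's `#endif` while there). They are also declared `optional_argument`, while the handlers in the get_options hunk below do `master_ssl=atoi(optarg)` and `master_ssl_key=optarg` without testing `optarg`; under getopt_long semantics a bare `--master-ssl` leaves optarg NULL, so `atoi(NULL)` crashes the server at startup. Either make them `required_argument` or guard, e.g. `master_ssl= optarg ? atoi(optarg) : 1;`. The surrounding `long_options[]` table begins and ends outside this hunk.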
@@ -3017,6 +3024,23 @@ struct show_var_st status_vars[]= {
{"Sort_range", (char*) &filesort_range_count, SHOW_LONG},
{"Sort_rows", (char*) &filesort_rows, SHOW_LONG},
{"Sort_scan", (char*) &filesort_scan_count, SHOW_LONG},
+#ifdef HAVE_OPENSSL
+ {"SSL_CTX_sess_accept", (char*) 0, SHOW_SSL_CTX_SESS_ACCEPT},
+ {"SSL_CTX_sess_accept_good", (char*) 0, SHOW_SSL_CTX_SESS_ACCEPT_GOOD},
+ {"SSL_CTX_sess_accept_renegotiate", (char*) 0, SHOW_SSL_CTX_SESS_ACCEPT_RENEGOTIATE},
+ {"SSL_CTX_sess_cb_hits", (char*) 0, SHOW_SSL_CTX_SESS_CB_HITS},
+ {"SSL_CTX_sess_number", (char*) 0, SHOW_SSL_CTX_SESS_NUMBER},
+ {"SSL_CTX_get_session_cache_mode", (char*) 0, SHOW_SSL_CTX_GET_SESSION_CACHE_MODE},
+ {"SSL_CTX_sess_get_cache_size", (char*) 0, SHOW_SSL_CTX_SESS_GET_CACHE_SIZE},
+ {"SSL_CTX_get_verify_mode", (char*) 0, SHOW_SSL_CTX_GET_VERIFY_MODE},
+ {"SSL_CTX_get_verify_depth", (char*) 0, SHOW_SSL_CTX_GET_VERIFY_DEPTH},
+ {"SSL_get_verify_mode", (char*) 0, SHOW_SSL_GET_VERIFY_MODE},
+ {"SSL_get_verify_depth", (char*) 0, SHOW_SSL_GET_VERIFY_DEPTH},
+ {"SSL_session_reused", (char*) 0, SHOW_SSL_SESSION_REUSED},
+ {"SSL_get_version", (char*) 0, SHOW_SSL_GET_VERSION},
+ {"SSL_get_cipher", (char*) 0, SHOW_SSL_GET_CIPHER},
+ {"SSL_get_default_timeout", (char*) 0, SHOW_SSL_GET_DEFAULT_TIMEOUT},
+#endif /* HAVE_OPENSSL */
{"Table_locks_immediate", (char*) &locks_immediate, SHOW_LONG},
{"Table_locks_waited", (char*) &locks_waited, SHOW_LONG},
{"Threads_cached", (char*) &cached_thread_count, SHOW_LONG_CONST},
@@ -3855,6 +3879,17 @@ static void get_options(int argc,char **argv)
case OPT_MASTER_PORT:
master_port= atoi(optarg);
break;
+#ifdef HAVE_OPENSSL
+ case OPT_MASTER_SSL:
+ master_ssl=atoi(optarg);
+ break;
+ case OPT_MASTER_SSL_KEY:
+ master_ssl_key=optarg;
+ break;
+ case OPT_MASTER_SSL_CERT:
+ master_ssl_cert=optarg;
+ break;
+#endif /* HAVE_OPENSSL */
case OPT_REPORT_HOST:
report_host=optarg;
break;
diff --git a/sql/sql_show.cc b/sql/sql_show.cc
index 79a93da8c15..a6e0c8a01f4 100644
--- a/sql/sql_show.cc
+++ b/sql/sql_show.cc
@@ -17,6 +17,7 @@
/* Function with list databases, tables or fields */
+#include "global.h"
#include "mysql_priv.h"
#include "sql_select.h" // For select_describe
#include "sql_acl.h"
@@ -45,6 +46,8 @@ store_create_info(THD *thd, TABLE *table, String *packet);
static void
append_identifier(THD *thd, String *packet, const char *name);
+extern struct st_VioSSLAcceptorFd * ssl_acceptor_fd;
+
/****************************************************************************
** Send list of databases
** A database is a directory in the mysql_data_home directory
@@ -1151,6 +1154,90 @@ int mysqld_show(THD *thd, const char *wild, show_var_st *variables)
net_store_data(&packet2,convert, value ? value : "");
break;
}
+#ifdef HAVE_OPENSSL
+ case SHOW_SSL_CTX_SESS_ACCEPT:
+ net_store_data(&packet2,(uint32)
+ SSL_CTX_sess_accept(ssl_acceptor_fd->ssl_context_));
+ break;
+ case SHOW_SSL_CTX_SESS_ACCEPT_GOOD:
+ net_store_data(&packet2,(uint32)
+ SSL_CTX_sess_accept_good(ssl_acceptor_fd->ssl_context_));
+ break;
+ case SHOW_SSL_CTX_SESS_ACCEPT_RENEGOTIATE:
+ net_store_data(&packet2,(uint32)
+ SSL_CTX_sess_accept_renegotiate(ssl_acceptor_fd->ssl_context_));
+ break;
+ case SHOW_SSL_GET_VERSION:
+ net_store_data(&packet2,
+ SSL_get_version(thd->net.vio->ssl_));
+ break;
+ case SHOW_SSL_CTX_SESS_CB_HITS:
+ net_store_data(&packet2,(uint32)
+ SSL_CTX_sess_cb_hits(ssl_acceptor_fd->ssl_context_));
+ break;
+ case SHOW_SSL_CTX_SESS_NUMBER:
+ net_store_data(&packet2,(uint32)
+ SSL_CTX_sess_number(ssl_acceptor_fd->ssl_context_));
+ break;
+ case SHOW_SSL_SESSION_REUSED:
+ net_store_data(&packet2,(uint32)
+ SSL_session_reused(thd->net.vio->ssl_));
+ break;
+ case SHOW_SSL_GET_DEFAULT_TIMEOUT:
+ net_store_data(&packet2,(uint32)
+ SSL_get_default_timeout(thd->net.vio->ssl_));
+ break;
+ case SHOW_SSL_CTX_SESS_GET_CACHE_SIZE:
+ net_store_data(&packet2,(uint32)
+ SSL_CTX_sess_get_cache_size(ssl_acceptor_fd->ssl_context_));
+ break;
+ case SHOW_SSL_CTX_GET_VERIFY_MODE:
+ net_store_data(&packet2,(uint32)
+ SSL_CTX_get_verify_mode(ssl_acceptor_fd->ssl_context_));
+ break;
+ case SHOW_SSL_GET_VERIFY_MODE:
+ net_store_data(&packet2,(uint32)
+ SSL_get_verify_mode(thd->net.vio->ssl_));
+ break;
+ case SHOW_SSL_CTX_GET_VERIFY_DEPTH:
+ net_store_data(&packet2,(uint32)
+ SSL_CTX_get_verify_depth(ssl_acceptor_fd->ssl_context_));
+ break;
+ case SHOW_SSL_GET_VERIFY_DEPTH:
+ net_store_data(&packet2,(uint32)
+ SSL_get_verify_depth(thd->net.vio->ssl_));
+ break;
+ case SHOW_SSL_GET_CIPHER:
+ net_store_data(&packet2, SSL_get_cipher(thd->net.vio->ssl_));
+ break;
+ case SHOW_SSL_CTX_GET_SESSION_CACHE_MODE:
+ switch(SSL_CTX_get_session_cache_mode(ssl_acceptor_fd->ssl_context_))
+ {
+ case SSL_SESS_CACHE_OFF:
+ net_store_data(&packet2,"OFF" );
+ break;
+ case SSL_SESS_CACHE_CLIENT:
+ net_store_data(&packet2,"CLIENT" );
+ break;
+ case SSL_SESS_CACHE_SERVER:
+ net_store_data(&packet2,"SERVER" );
+ break;
+ case SSL_SESS_CACHE_BOTH:
+ net_store_data(&packet2,"BOTH" );
+ break;
+ case SSL_SESS_CACHE_NO_AUTO_CLEAR:
+ net_store_data(&packet2,"NO_AUTO_CLEAR" );
+ break;
+ case SSL_SESS_CACHE_NO_INTERNAL_LOOKUP:
+ net_store_data(&packet2,"NO_INTERNAL_LOOKUP" );
+ break;
+ default:
+ net_store_data(&packet2,"Unknown");
+ break;
+ }
+ break;
+
+#endif /* HAVE_OPENSSL */
}
if (my_net_write(&thd->net, (char*) packet2.ptr(),packet2.length()))
goto err; /* purecov: inspected */
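Review bot: The per-connection cases (`SHOW_SSL_GET_VERSION`, `SHOW_SSL_SESSION_REUSED`, `SHOW_SSL_GET_DEFAULT_TIMEOUT`, `SHOW_SSL_GET_VERIFY_MODE`, `SHOW_SSL_GET_VERIFY_DEPTH`, `SHOW_SSL_GET_CIPHER`) hand `thd->net.vio->ssl_` straight to OpenSSL; if that pointer is NULL on a non-SSL connection (the vio layout is not visible here, but nothing in the hunk checks it), a plain `SHOW STATUS` from any unencrypted client dereferences NULL inside OpenSSL and takes the server down. Guard each one, e.g. `net_store_data(&packet2, thd->net.vio->ssl_ ? SSL_get_version(thd->net.vio->ssl_) : "");`, and check `ssl_acceptor_fd` before the `SSL_CTX_*` calls in case the server was started without SSL material. `SSL_CTX_get_session_cache_mode` returns a bit mask — `SSL_SESS_CACHE_BOTH` is `CLIENT|SERVER` and `SSL_SESS_CACHE_NO_AUTO_CLEAR` / `SSL_SESS_CACHE_NO_INTERNAL_LOOKUP` are flags OR-ed onto it — so the exact-value switch answers "Unknown" for any combination such as `SERVER|NO_INTERNAL_LOOKUP`; switch on `mode & SSL_SESS_CACHE_BOTH` and report the two flags separately. The `(uint32)` casts on `SSL_get_default_timeout` and the `SSL_CTX_sess_*` counters truncate the `long` values OpenSSL returns. mysqld_show begins and ends outside this hunk.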
diff --git a/sql/structs.h b/sql/structs.h
index 594432134b2..12ba5004a2e 100644
--- a/sql/structs.h
+++ b/sql/structs.h
@@ -125,7 +125,18 @@ typedef struct {
enum SHOW_TYPE { SHOW_LONG,SHOW_CHAR,SHOW_INT,SHOW_CHAR_PTR,SHOW_BOOL,
SHOW_MY_BOOL,SHOW_OPENTABLES,SHOW_STARTTIME,SHOW_QUESTION,
- SHOW_LONG_CONST, SHOW_INT_CONST, SHOW_HAVE};
+ SHOW_LONG_CONST, SHOW_INT_CONST, SHOW_HAVE
+#ifdef HAVE_OPENSSL
+ ,SHOW_SSL_CTX_SESS_ACCEPT, SHOW_SSL_CTX_SESS_ACCEPT_GOOD
+ ,SHOW_SSL_GET_VERSION, SHOW_SSL_CTX_GET_SESSION_CACHE_MODE
+ ,SHOW_SSL_CTX_SESS_CB_HITS, SHOW_SSL_CTX_SESS_ACCEPT_RENEGOTIATE
+ ,SHOW_SSL_CTX_SESS_NUMBER, SHOW_SSL_SESSION_REUSED
+ ,SHOW_SSL_CTX_SESS_GET_CACHE_SIZE, SHOW_SSL_GET_CIPHER
+ ,SHOW_SSL_GET_DEFAULT_TIMEOUT, SHOW_SSL_GET_VERIFY_MODE
+ ,SHOW_SSL_CTX_GET_VERIFY_MODE, SHOW_SSL_GET_VERIFY_DEPTH
+ ,SHOW_SSL_CTX_GET_VERIFY_DEPTH
+#endif /* HAVE_OPENSSL */
+};
enum SHOW_COMP_OPTION { SHOW_OPTION_YES, SHOW_OPTION_NO, SHOW_OPTION_DISABLED};