-rw-r--r--extra/yassl/include/openssl/crypto.h1
-rw-r--r--extra/yassl/include/openssl/des_old.h1
-rw-r--r--extra/yassl/include/openssl/evp.h10
-rw-r--r--extra/yassl/include/openssl/hmac.h1
-rw-r--r--extra/yassl/include/openssl/objects.h1
-rw-r--r--extra/yassl/include/openssl/prefix_ssl.h3
-rw-r--r--extra/yassl/include/openssl/sha.h1
-rw-r--r--extra/yassl/include/openssl/ssl.h3
-rw-r--r--extra/yassl/include/yassl_int.hpp2
-rw-r--r--extra/yassl/src/handshake.cpp4
-rw-r--r--extra/yassl/src/socket_wrapper.cpp4
-rw-r--r--extra/yassl/src/ssl.cpp6
-rw-r--r--extra/yassl/src/yassl_int.cpp1
-rw-r--r--extra/yassl/taocrypt/src/coding.cpp5
-rw-r--r--extra/yassl/taocrypt/src/crypto.cpp5
-rw-r--r--mysql-test/suite/rpl/t/rpl_ssl.test15
-rw-r--r--vio/viossl.c142
17 files changed, 101 insertions, 104 deletions
diff --git a/extra/yassl/include/openssl/crypto.h b/extra/yassl/include/openssl/crypto.h
index 288990e1318..f53e5231027 100644
--- a/extra/yassl/include/openssl/crypto.h
+++ b/extra/yassl/include/openssl/crypto.h
@@ -9,6 +9,7 @@
const char* SSLeay_version(int type);
+#define SSLEAY_NUMBER_DEFINED
#define SSLEAY_VERSION 0x0900L
#define SSLEAY_VERSION_NUMBER SSLEAY_VERSION
diff --git a/extra/yassl/include/openssl/des_old.h b/extra/yassl/include/openssl/des_old.h
new file mode 100644
index 00000000000..40e8fbc02af
--- /dev/null
+++ b/extra/yassl/include/openssl/des_old.h
@@ -0,0 +1 @@
+/* des_old.h for openvn */
diff --git a/extra/yassl/include/openssl/evp.h b/extra/yassl/include/openssl/evp.h
new file mode 100644
index 00000000000..1d66b08df46
--- /dev/null
+++ b/extra/yassl/include/openssl/evp.h
@@ -0,0 +1,10 @@
+/* evp.h for openSSL */
+
+#ifndef SSLEAY_NUMBER_DEFINED
+#define SSLEAY_NUMBER_DEFINED
+
+/* for OpenVPN */
+#define SSLEAY_VERSION_NUMBER 0x0090700f
+
+
+#endif /* SSLEAY_NUMBER_DEFINED */
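Review bot: The value this header gives SSLEAY_VERSION_NUMBER (0x0090700f, L52) disagrees with the one crypto.h defines unconditionally via SSLEAY_VERSION (0x0900L, L31-L32), and crypto.h's new `#define SSLEAY_NUMBER_DEFINED` (L30) is not itself wrapped in an `#ifndef`, so a translation unit that includes both headers gets a macro-redefinition warning and sees whichever value came last. Either settle on one encoding for both headers, or make crypto.h's three lines conditional on the same guard, `#ifndef SSLEAY_NUMBER_DEFINED` ... `#endif`, so the first definition wins deterministically. If OpenVPN genuinely needs the 0.9.7-style number, a comment in crypto.h saying that the two values are intentionally different would stop the next reader from "fixing" it.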
diff --git a/extra/yassl/include/openssl/hmac.h b/extra/yassl/include/openssl/hmac.h
new file mode 100644
index 00000000000..a2eae4c08c1
--- /dev/null
+++ b/extra/yassl/include/openssl/hmac.h
@@ -0,0 +1 @@
+/* hmac.h for openvpn */
diff --git a/extra/yassl/include/openssl/objects.h b/extra/yassl/include/openssl/objects.h
new file mode 100644
index 00000000000..99f2326e51b
--- /dev/null
+++ b/extra/yassl/include/openssl/objects.h
@@ -0,0 +1 @@
+/* objects.h for openvpn */
diff --git a/extra/yassl/include/openssl/prefix_ssl.h b/extra/yassl/include/openssl/prefix_ssl.h
index dc6e3ef81f0..3a3a8c26c9c 100644
--- a/extra/yassl/include/openssl/prefix_ssl.h
+++ b/extra/yassl/include/openssl/prefix_ssl.h
@@ -30,6 +30,7 @@
#define SSL_CTX_new yaSSL_CTX_new
#define SSL_new yaSSL_new
#define SSL_set_fd yaSSL_set_fd
+#define SSL_get_fd yaSSL_get_fd
#define SSL_connect yaSSL_connect
#define SSL_write yaSSL_write
#define SSL_read yaSSL_read
@@ -91,6 +92,8 @@
#define SSL_set_rfd yaSSL_set_rfd
#define SSL_set_wfd yaSSL_set_wfd
#define SSL_set_shutdown yaSSL_set_shutdown
+#define SSL_set_quiet_shutdown yaSSL_set_quiet_shutdown
+#define SSL_get_quiet_shutdown yaSSL_get_quiet_shutdown
#define SSL_want_read yaSSL_want_read
#define SSL_want_write yaSSL_want_write
#define SSL_pending yaSSL_pending
diff --git a/extra/yassl/include/openssl/sha.h b/extra/yassl/include/openssl/sha.h
new file mode 100644
index 00000000000..bb487c05c2e
--- /dev/null
+++ b/extra/yassl/include/openssl/sha.h
@@ -0,0 +1 @@
+/* sha.h for openvpn */
diff --git a/extra/yassl/include/openssl/ssl.h b/extra/yassl/include/openssl/ssl.h
index efd0dec75b6..c0b87f804ad 100644
--- a/extra/yassl/include/openssl/ssl.h
+++ b/extra/yassl/include/openssl/ssl.h
@@ -34,7 +34,7 @@
#include "rsa.h"
-#define YASSL_VERSION "1.6.5"
+#define YASSL_VERSION "1.7.2"
#if defined(__cplusplus)
@@ -201,6 +201,7 @@ typedef int YASSL_SOCKET_T;
SSL_CTX* SSL_CTX_new(SSL_METHOD*);
SSL* SSL_new(SSL_CTX*);
int SSL_set_fd (SSL*, YASSL_SOCKET_T);
+YASSL_SOCKET_T SSL_get_fd(const SSL*);
int SSL_connect(SSL*);
int SSL_write(SSL*, const void*, int);
int SSL_read(SSL*, void*, int);
diff --git a/extra/yassl/include/yassl_int.hpp b/extra/yassl/include/yassl_int.hpp
index b7bd35f5fa2..b207f0bffbd 100644
--- a/extra/yassl/include/yassl_int.hpp
+++ b/extra/yassl/include/yassl_int.hpp
@@ -584,7 +584,7 @@ class SSL {
Socket socket_; // socket wrapper
Buffers buffers_; // buffered handshakes and data
Log log_; // logger
- bool quietShutdown_; // shutdown without handshakes
+ bool quietShutdown_;
// optimization variables
bool has_data_; // buffered data ready?
diff --git a/extra/yassl/src/handshake.cpp b/extra/yassl/src/handshake.cpp
index 0cd0dfe9c7c..1d5a95820bb 100644
--- a/extra/yassl/src/handshake.cpp
+++ b/extra/yassl/src/handshake.cpp
@@ -719,6 +719,10 @@ int DoProcessReply(SSL& ssl)
// add new data
uint read = ssl.useSocket().receive(buffer.get_buffer() + buffSz, ready);
+ if (read == static_cast<uint>(-1)) {
+ ssl.SetError(receive_error);
+ return 0;
+ }
buffer.add_size(read);
uint offset = 0;
const MessageFactory& mf = ssl.getFactory().getMessage();
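Review bot: The check added at L134 depends on Socket::receive() handing back the raw recv() failure value converted to uint, a convention that is only implicit in socket_wrapper.cpp (`int recvd = ::recv(...)` feeding a uint return) and is not stated here, so I'd document the sentinel at the call site: `// receive() returns uint(-1) when the underlying recv() failed; 0 is a clean close`. Note that a return of 0 (peer closed) or a would-block condition, if receive() reports it as 0, still reaches `buffer.add_size(read)` and the parse loop below with no new data; DoProcessReply continues past the hunk, so I can't see whether that loop makes progress or spins, and that is the case worth a second look. Naming the sentinel once in Socket (e.g. a static constant) rather than repeating `static_cast<uint>(-1)` at each caller would also keep the two sides from drifting.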
diff --git a/extra/yassl/src/socket_wrapper.cpp b/extra/yassl/src/socket_wrapper.cpp
index d53a109d70e..eee5d47377f 100644
--- a/extra/yassl/src/socket_wrapper.cpp
+++ b/extra/yassl/src/socket_wrapper.cpp
@@ -114,8 +114,6 @@ uint Socket::send(const byte* buf, unsigned int sz, int flags) const
const byte* pos = buf;
const byte* end = pos + sz;
- assert(socket_ != INVALID_SOCKET);
-
while (pos != end) {
int sent = ::send(socket_, reinterpret_cast<const char *>(pos),
static_cast<int>(end - pos), flags);
@@ -132,7 +130,6 @@ uint Socket::send(const byte* buf, unsigned int sz, int flags) const
uint Socket::receive(byte* buf, unsigned int sz, int flags)
{
- assert(socket_ != INVALID_SOCKET);
wouldBlock_ = false;
int recvd = ::recv(socket_, reinterpret_cast<char *>(buf), sz, flags);
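Review bot: Dropping `assert(socket_ != INVALID_SOCKET)` here turns a programming error into a silent runtime failure: the assert was already absent in release builds, but now a receive() on an unset socket reaches ::recv() with INVALID_SOCKET in debug builds too, and surfaces only as the -1 that handshake.cpp newly tests for. If the intent is to make "no socket" an ordinary error rather than a crash, state that and return it explicitly instead of relying on the OS: `if (socket_ == INVALID_SOCKET) return static_cast<uint>(-1);` before the ::recv() call. The same applies to send() and shutDown() in the neighbouring hunks, where callers of send() may not inspect the return at all; Socket::receive() continues past the end of the hunk, so I can't see how a negative recvd is mapped to the return value.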
@@ -163,7 +160,6 @@ bool Socket::wait()
void Socket::shutDown(int how)
{
- assert(socket_ != INVALID_SOCKET);
shutdown(socket_, how);
}
diff --git a/extra/yassl/src/ssl.cpp b/extra/yassl/src/ssl.cpp
index c3d580a93ab..f09a43be56e 100644
--- a/extra/yassl/src/ssl.cpp
+++ b/extra/yassl/src/ssl.cpp
@@ -239,6 +239,12 @@ int SSL_set_fd(SSL* ssl, YASSL_SOCKET_T fd)
}
+YASSL_SOCKET_T SSL_get_fd(const SSL* ssl)
+{
+ return ssl->getSocket().get_fd();
+}
+
+
int SSL_connect(SSL* ssl)
{
if (ssl->GetError() == YasslError(SSL_ERROR_WANT_READ))
diff --git a/extra/yassl/src/yassl_int.cpp b/extra/yassl/src/yassl_int.cpp
index f5ab2f200a5..0b6cb89e77e 100644
--- a/extra/yassl/src/yassl_int.cpp
+++ b/extra/yassl/src/yassl_int.cpp
@@ -773,6 +773,7 @@ void SSL::SetError(YasslError ye)
// TODO: add string here
}
+
// set the quiet shutdown mode (close_nofiy not sent or received on shutdown)
void SSL::SetQuietShutdown(bool mode)
{
diff --git a/extra/yassl/taocrypt/src/coding.cpp b/extra/yassl/taocrypt/src/coding.cpp
index 55fe31831e3..7a9d50aaac9 100644
--- a/extra/yassl/taocrypt/src/coding.cpp
+++ b/extra/yassl/taocrypt/src/coding.cpp
@@ -107,11 +107,12 @@ void HexDecoder::Decode()
// sanity checks
assert( b < sizeof(hexDecode)/sizeof(hexDecode[0]) );
assert( b2 < sizeof(hexDecode)/sizeof(hexDecode[0]) );
- assert( b != bad && b2 != bad );
b = hexDecode[b];
b2 = hexDecode[b2];
+ assert( b != bad && b2 != bad );
+
decoded_[i++] = (b << 4) | b2;
bytes -= 2;
}
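Review bot: Moving the `b != bad` assert after the table lookup (L202) makes it meaningful, but an assert is still the only validation: with NDEBUG the bounds asserts at L197-L198 and this one compile to nothing, so a non-hex byte either indexes hexDecode out of range or is folded into the output as `(bad << 4) | b2` with no error reported. If this decoder can see input from outside the process, a release-build check is needed; I'd set the decoder's error state (whatever HexDecoder::Decode uses for that — its body starts before the hunk) and stop, e.g. `if (b == bad || b2 == bad) { /* record error, stop decoding */ }`, keeping the asserts as debugging aids only.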
@@ -184,7 +185,7 @@ void Base64Decoder::Decode()
{
word32 bytes = coded_.size();
word32 plainSz = bytes - ((bytes + (pemLineSz - 1)) / pemLineSz);
- plainSz = ((plainSz * 3) / 4) + 3;
+ plainSz = (plainSz * 3 + 3) / 4;
decoded_.New(plainSz);
word32 i = 0;
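Review bot: The new size at L212 is the exact ceiling of plainSz*3/4, whereas the old expression over-allocated by up to three bytes, so the change is only safe if the decode loop below (it continues past the hunk) never writes beyond the last complete 4-character group and the line-break estimate at L210 is exact. That estimate assumes exactly one separator every pemLineSz characters; input with CRLF endings or with no line breaks at all makes plainSz smaller than the real number of base64 characters, and the removed slack was what absorbed a small miscount. If the loop bounds its writes by decoded_.size() this is fine and deserves a comment, e.g. `// exact: every 4 coded chars yield 3 bytes; the loop never writes past decoded_.size()`; otherwise keep the +3.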
diff --git a/extra/yassl/taocrypt/src/crypto.cpp b/extra/yassl/taocrypt/src/crypto.cpp
index 82d3b853084..90d406bf0c2 100644
--- a/extra/yassl/taocrypt/src/crypto.cpp
+++ b/extra/yassl/taocrypt/src/crypto.cpp
@@ -26,6 +26,11 @@ extern "C" {
// locking handled internally by library
char CRYPTO_lock() { return 0;}
char CRYPTO_add_lock() { return 0;}
+
+
+ // for openvpn, test are the signatures they use
+ char EVP_CIPHER_CTX_init() { return 0; }
+ char CRYPTO_mem_ctrl() { return 0; }
} // extern "C"
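Review bot: The two stubs at L226-L227 are declared `char name()` with no parameters, which does not match what OpenVPN will call them with if it uses OpenSSL's signatures (`void EVP_CIPHER_CTX_init(EVP_CIPHER_CTX*)`, `int CRYPTO_mem_ctrl(int)`); since yaSSL's evp.h provides no prototypes, callers would be relying on implicit declarations and the C calling convention to tolerate the mismatch. The comment also reads `test are the signatures they use` and presumably means `these are the signatures they use`. If these are link-only placeholders, say so explicitly — `// link-only stubs for OpenVPN: EVP_CIPHER_CTX_init initialises nothing, the context must not be used` — so nobody later assumes the EVP context they pass in has been zeroed.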
diff --git a/mysql-test/suite/rpl/t/rpl_ssl.test b/mysql-test/suite/rpl/t/rpl_ssl.test
index 4bc07ee0622..c1b7bc2097b 100644
--- a/mysql-test/suite/rpl/t/rpl_ssl.test
+++ b/mysql-test/suite/rpl/t/rpl_ssl.test
@@ -41,28 +41,43 @@ select * from t1;
# Do the same thing a number of times
disable_query_log;
+disable_result_log;
let $i= 100;
while ($i)
{
start slave;
connection master;
insert into t1 values (NULL);
+ select * from t1; # Some variance
connection slave;
+ select * from t1; # Some variance
stop slave;
dec $i;
}
start slave;
enable_query_log;
+enable_result_log;
connection master;
# INSERT one more record to make sure
# the sync has something to do
insert into t1 values (NULL);
+let $master_count= `select count(*) from t1`;
+
sync_slave_with_master;
--source include/wait_for_slave_to_start.inc
--replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR $MASTER_MYPORT MASTER_MYPORT
--replace_column 1 # 7 # 8 # 9 # 22 # 23 # 33 # 35 # 36 #
query_vertical show slave status;
+let $slave_count= `select count(*) from t1`;
+
+if (`select $slave_count != $master_count`)
+{
+ echo master and slave differed in number of rows;
+ echo master: $master_count;
+ echo slave: $slave_count;
+}
+
connection master;
drop user replssl@localhost;
drop table t1;
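Review bot: The row-count comparison at L265-L270 only echoes a message when master and slave differ, so the test fails indirectly through the result-file mismatch rather than stating why; if this mysqltest supports it, `die master and slave differed in number of rows` after the echoes makes the failure explicit and stops before the cleanup below discards the state. The `select * from t1` statements added at L243/L245 run with the result log disabled, so they add load but never affect the expected output; if the aim is to vary the timing of start/stop slave, a clearer comment than `# Some variance` would help, e.g. `# extra reads to vary the timing of start/stop slave`.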
diff --git a/vio/viossl.c b/vio/viossl.c
index 2c74efb1bef..24bb18b9c68 100644
--- a/vio/viossl.c
+++ b/vio/viossl.c
@@ -172,78 +172,10 @@ void vio_ssl_delete(Vio *vio)
vio_delete(vio);
}
-
int sslaccept(struct st_VioSSLFd *ptr, Vio *vio, long timeout)
{
- SSL *ssl;
- my_bool unused;
- my_bool net_blocking;
- enum enum_vio_type old_type;
DBUG_ENTER("sslaccept");
- DBUG_PRINT("enter", ("sd: %d ptr: 0x%lx, timeout: %ld",
- vio->sd, (long) ptr, timeout));
-
- old_type= vio->type;
- net_blocking= vio_is_blocking(vio);
- vio_blocking(vio, 1, &unused); /* Must be called before reset */
- vio_reset(vio, VIO_TYPE_SSL, vio->sd, 0, FALSE);
-
- if (!(ssl= SSL_new(ptr->ssl_context)))
- {
- DBUG_PRINT("error", ("SSL_new failure"));
- report_errors(ssl);
- vio_reset(vio, old_type,vio->sd,0,FALSE);
- vio_blocking(vio, net_blocking, &unused);
- DBUG_RETURN(1);
- }
- vio->ssl_arg= (void*)ssl;
- DBUG_PRINT("info", ("ssl: 0x%lx timeout: %ld", (long) ssl, timeout));
- SSL_clear(ssl);
- SSL_SESSION_set_timeout(SSL_get_session(ssl), timeout);
- SSL_set_fd(ssl, vio->sd);
- if (SSL_accept(ssl) < 1)
- {
- DBUG_PRINT("error", ("SSL_accept failure"));
- report_errors(ssl);
- SSL_free(ssl);
- vio->ssl_arg= 0;
- vio_reset(vio, old_type,vio->sd,0,FALSE);
- vio_blocking(vio, net_blocking, &unused);
- DBUG_RETURN(1);
- }
-
-#ifndef DBUG_OFF
- {
- char buf[1024];
- X509 *client_cert;
- DBUG_PRINT("info",("cipher_name= '%s'", SSL_get_cipher_name(ssl)));
-
- if ((client_cert= SSL_get_peer_certificate (ssl)))
- {
- DBUG_PRINT("info",("Client certificate:"));
- X509_NAME_oneline (X509_get_subject_name (client_cert),
- buf, sizeof(buf));
- DBUG_PRINT("info",("\t subject: %s", buf));
-
- X509_NAME_oneline (X509_get_issuer_name (client_cert),
- buf, sizeof(buf));
- DBUG_PRINT("info",("\t issuer: %s", buf));
-
- X509_free (client_cert);
- }
- else
- DBUG_PRINT("info",("Client does not have certificate."));
-
- if (SSL_get_shared_ciphers(ssl, buf, sizeof(buf)))
- {
- DBUG_PRINT("info",("shared_ciphers: '%s'", buf));
- }
- else
- DBUG_PRINT("info",("no shared ciphers!"));
- }
-#endif
-
- DBUG_RETURN(0);
+ DBUG_RETURN(sslconnect(ptr, vio, timeout));
}
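Review bot: After this change sslaccept() has no way to tell sslconnect() which side of the handshake it is; the role now comes entirely from how ptr->ssl_context was created, because SSL_do_handshake() (L395 in the next hunk) picks accept or connect from the SSL object's state. With OpenSSL that means the context must have been built with a server- or client-specific method, or the state set with SSL_set_accept_state()/SSL_set_connect_state(); a generic method leaves the connection type unset and SSL_do_handshake() fails. That precondition is invisible here, so either document it on both functions, e.g. `/* Handshake side is determined by ptr->ssl_context's method; see sslconnect() */`, or keep the role explicit by having sslaccept() and sslconnect() call a shared helper with a flag that selects SSL_set_accept_state() or SSL_set_connect_state() before the handshake.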
@@ -251,57 +183,75 @@ int sslconnect(struct st_VioSSLFd *ptr, Vio *vio, long timeout)
{
SSL *ssl;
my_bool unused;
- my_bool net_blocking;
- enum enum_vio_type old_type;
+ my_bool was_blocking;
DBUG_ENTER("sslconnect");
- DBUG_PRINT("enter", ("sd: %d ptr: 0x%lx ctx: 0x%lx",
- vio->sd, (long) ptr, (long) ptr->ssl_context));
+ DBUG_PRINT("enter", ("ptr: 0x%lx, sd: %d ctx: 0x%lx",
+ (long) ptr, vio->sd, (long) ptr->ssl_context));
+
+ /* Set socket to blocking if not already set */
+ vio_blocking(vio, 1, &was_blocking);
- old_type= vio->type;
- net_blocking= vio_is_blocking(vio);
- vio_blocking(vio, 1, &unused); /* Must be called before reset */
- vio_reset(vio, VIO_TYPE_SSL, vio->sd, 0, FALSE);
if (!(ssl= SSL_new(ptr->ssl_context)))
{
DBUG_PRINT("error", ("SSL_new failure"));
report_errors(ssl);
- vio_reset(vio, old_type, vio->sd, 0, FALSE);
- vio_blocking(vio, net_blocking, &unused);
+ vio_blocking(vio, was_blocking, &unused);
DBUG_RETURN(1);
}
- vio->ssl_arg= (void*)ssl;
DBUG_PRINT("info", ("ssl: 0x%lx timeout: %ld", (long) ssl, timeout));
SSL_clear(ssl);
SSL_SESSION_set_timeout(SSL_get_session(ssl), timeout);
SSL_set_fd(ssl, vio->sd);
- if (SSL_connect(ssl) < 1)
+
+ /*
+ SSL_do_handshake will select between SSL_connect
+ or SSL_accept depending on server or client side
+ */
+ if (SSL_do_handshake(ssl) < 1)
{
- DBUG_PRINT("error", ("SSL_connect failure"));
+ DBUG_PRINT("error", ("SSL_do_handshake failure"));
report_errors(ssl);
SSL_free(ssl);
- vio->ssl_arg= 0;
- vio_reset(vio, old_type, vio->sd, 0, FALSE);
- vio_blocking(vio, net_blocking, &unused);
+ vio_blocking(vio, was_blocking, &unused);
DBUG_RETURN(1);
}
+
+ /*
+ Connection succeeded. Install new function handlers,
+ change type, set sd to the fd used when connecting
+ and set pointer to the SSL structure
+ */
+ vio_reset(vio, VIO_TYPE_SSL, SSL_get_fd(ssl), 0, 0);
+ vio->ssl_arg= (void*)ssl;
+
#ifndef DBUG_OFF
{
- X509 *server_cert;
- DBUG_PRINT("info",("cipher_name: '%s'" , SSL_get_cipher_name(ssl)));
+ /* Print some info about the peer */
+ X509 *cert;
+ char buf[512];
+
+ DBUG_PRINT("info",("SSL connection succeeded"));
+ DBUG_PRINT("info",("Using cipher: '%s'" , SSL_get_cipher_name(ssl)));
- if ((server_cert= SSL_get_peer_certificate (ssl)))
+ if ((cert= SSL_get_peer_certificate (ssl)))
{
- char buf[256];
- DBUG_PRINT("info",("Server certificate:"));
- X509_NAME_oneline(X509_get_subject_name(server_cert), buf, sizeof(buf));
- DBUG_PRINT("info",("\t subject: %s", buf));
- X509_NAME_oneline (X509_get_issuer_name(server_cert), buf, sizeof(buf));
- DBUG_PRINT("info",("\t issuer: %s", buf));
- X509_free (server_cert);
+ DBUG_PRINT("info",("Peer certificate:"));
+ X509_NAME_oneline(X509_get_subject_name(cert), buf, sizeof(buf));
+ DBUG_PRINT("info",("\t subject: '%s'", buf));
+ X509_NAME_oneline(X509_get_issuer_name(cert), buf, sizeof(buf));
+ DBUG_PRINT("info",("\t issuer: '%s'", buf));
+ X509_free(cert);
}
else
- DBUG_PRINT("info",("Server does not have certificate."));
+ DBUG_PRINT("info",("Peer does not have certificate."));
+
+ if (SSL_get_shared_ciphers(ssl, buf, sizeof(buf)))
+ {
+ DBUG_PRINT("info",("shared_ciphers: '%s'", buf));
+ }
+ else
+ DBUG_PRINT("info",("no shared ciphers!"));
}
#endif
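Review bot: The debug block now shared by both sides calls SSL_get_shared_ciphers() at L447 unconditionally, but in OpenSSL that list is only populated on the accepting side, so every successful client-side handshake will log `no shared ciphers!` and mislead whoever reads the trace. Either print it only when this vio is accepting, or reword the fallback to something like `DBUG_PRINT("info",("no shared cipher list (client side or none)"));`. I'd also drop the `timeout` from the DBUG_PRINT at L366-L367 only if it is printed elsewhere; the old enter line included it and the later `ssl:` line at L385 still does, so this is fine as long as that line stays.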