-rw-r--r--Docs/manual.texi10
-rwxr-xr-xSSL/run-client3
-rwxr-xr-xSSL/run-server2
-rw-r--r--readline/callback.c1
-rw-r--r--sql/mysqld.cc8
-rw-r--r--sql/sql_acl.cc33
-rw-r--r--vio/viosocket.c3
7 files changed, 52 insertions, 8 deletions
diff --git a/Docs/manual.texi b/Docs/manual.texi
index e5569264ddc..f341dd9a289 100644
--- a/Docs/manual.texi
+++ b/Docs/manual.texi
@@ -23299,6 +23299,7 @@ GRANT priv_type [(column_list)] [, priv_type [(column_list)] ...]
ON @{tbl_name | * | *.* | db_name.*@}
TO user_name [IDENTIFIED BY 'password']
[, user_name [IDENTIFIED BY 'password'] ...]
+ [REQUIRE @{SSL|X509@} [ISSUER issuer] [SUBJECT subject]]
[WITH GRANT OPTION]
REVOKE priv_type [(column_list)] [, priv_type [(column_list)] ...]
@@ -29454,6 +29455,15 @@ The number of seconds the slave thread will sleep before retrying to
connect to the master in case the master goes down or the connection is
lost. Default is 60. (Example: @code{master-connect-retry=60})
+@item @code{master-ssl} @tab
+Turn SSL on (Example: @code{master-ssl})
+
+@item @code{master-ssl-key} @tab
+Master SSL keyfile name (Example: @code{master-ssl-key=SSL/master-key.pem})
+
+@item @code{master-ssl-cert} @tab
+Master SSL certificate file name (Example: @code{master-ssl-key=SSL/master-cert.pem})
+
@item @code{master-info-file=filename} @tab
The location of the file that remembers where we left off on the master
during the replication process. The default is master.info in the data
diff --git a/SSL/run-client b/SSL/run-client
index c8065f30030..f3b29eb273b 100755
--- a/SSL/run-client
+++ b/SSL/run-client
@@ -5,5 +5,6 @@ cmd () {
$*
}
-client/mysql --port=4407 --socket=/tmp/test.mysql.sock --ssl-ca=SSL/cacert.pem --ssl-cert=SSL/client-cert.pem --ssl-key=SSL/client-key.pem --debug='d:t:O,/tmp/client.trace' -h 127.0.0.1 --execute="select version()"
+client/mysql --port=4407 --socket=/tmp/test.mysql.sock --ssl-ca=SSL/cacert.pem --ssl-cert=SSL/client-cert.pem --ssl-key=SSL/client-key.pem --debug='d:t:O,/tmp/client.trace' -h 127.0.0.1 -u root
+#--execute="select version();show status"
diff --git a/SSL/run-server b/SSL/run-server
index a77e671a18e..e90a7644b83 100755
--- a/SSL/run-server
+++ b/SSL/run-server
@@ -5,5 +5,5 @@ cmd () {
$*
}
-cmd sql/mysqld --port=4407 --socket=/tmp/test.mysql.sock --ssl-ca=SSL/cacert.pem --ssl-cert=SSL/server-cert.pem --ssl-key=SSL/server-key.pem --skip-grant --debug='d:t:O,/tmp/mysqld.trace' >& /tmp/mysqld.output
+cmd sql/mysqld --port=4407 --socket=/tmp/test.mysql.sock --ssl-ca=SSL/cacert.pem --ssl-cert=SSL/server-cert.pem --ssl-key=SSL/server-key.pem --debug='d:t:O,/tmp/mysqld.trace' -uroot >& /tmp/mysqld.output
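Review bot: The added `-uroot` (assuming it is mysqld's run-as-user option) starts the test server as root while the unchanged arguments still send its debug trace and output to fixed names in the world-writable /tmp (`/tmp/mysqld.trace`, `/tmp/mysqld.output`, `/tmp/test.mysql.sock`). On a shared machine another local user can pre-create those names, and a root-owned process will then follow them. Run the test server as an unprivileged account and keep its files in a directory the script creates itself, for example `tmpdir=$(mktemp -d) || exit 1` followed by `--socket=$tmpdir/mysql.sock`. Dropping `--skip-grant` looks right, since the new REQUIRE clauses can only be exercised with the grant tables loaded.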
diff --git a/readline/callback.c b/readline/callback.c
index 6915be483a4..200f3cc37f9 100644
--- a/readline/callback.c
+++ b/readline/callback.c
@@ -29,6 +29,7 @@
#if defined (READLINE_CALLBACKS)
+#include <stdlib.h>
#include <sys/types.h>
#include <stdio.h>
diff --git a/sql/mysqld.cc b/sql/mysqld.cc
index 4019046b87c..df3d30adfce 100644
--- a/sql/mysqld.cc
+++ b/sql/mysqld.cc
@@ -704,10 +704,10 @@ void clean_up(bool print_message)
end_raid();
#endif
#ifdef HAVE_OPENSSL
- my_free(opt_ssl_key,MYF(0));
- my_free(opt_ssl_cert,MYF(0));
- my_free(opt_ssl_ca,MYF(0));
- my_free(opt_ssl_capath,MYF(0));
+ my_free(opt_ssl_key,MYF(MY_ALLOW_ZERO_PTR));
+ my_free(opt_ssl_cert,MYF(MY_ALLOW_ZERO_PTR));
+ my_free(opt_ssl_ca,MYF(MY_ALLOW_ZERO_PTR));
+ my_free(opt_ssl_capath,MYF(MY_ALLOW_ZERO_PTR));
opt_ssl_key=opt_ssl_cert=opt_ssl_ca=opt_ssl_capath=0;
#endif /* HAVE_OPENSSL */
free_defaults(defaults_argv);
diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc
index 4adc93b7aa4..3d8304675a5 100644
--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
@@ -61,6 +61,7 @@ public:
uint hostname_length;
char *user,*password;
ulong salt[2];
+ char *ssl_type, *ssl_cipher, *ssl_issuer, *ssl_subject;
};
class ACL_DB :public ACL_ACCESS
@@ -199,6 +200,10 @@ int acl_init(bool dont_read_acl_tables)
update_hostname(&user.host,get_field(&mem, table,0));
user.user=get_field(&mem, table,1);
user.password=get_field(&mem, table,2);
+ user.ssl_type=get_field(&mem, table,17);
+ user.ssl_cipher=get_field(&mem, table,18);
+ user.ssl_issuer=get_field(&mem, table,19);
+ user.ssl_subject=get_field(&mem, table,20);
if (user.password && (length=(uint) strlen(user.password)) == 8 &&
protocol_version == PROTOCOL_VERSION)
{
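Review bot: The four added `get_field(&mem, table,17)` to `get_field(&mem, table,20)` calls read the user table by fixed column position, and nothing visible in this hunk checks that the table actually has 21 columns. A server started against a `mysql.user` table created before the SSL columns existed would presumably index past the end of the field array; how get_field treats an out-of-range index is not shown here, so this needs confirming. Guard the reads on the column count, for example `if (table->fields >= 21)` (if that is the field-count member in this tree), and set the four pointers to 0 in the else branch so later code sees "no SSL requirement" rather than garbage. Named constants for 17 to 20 would also make the dependency on the table layout explicit. acl_init's body starts and ends outside the hunk.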
@@ -2312,7 +2317,7 @@ uint get_column_grant(THD *thd, TABLE_LIST *table, Field *field)
static const char *command_array[]=
{"SELECT", "INSERT","UPDATE","DELETE","CREATE", "DROP","RELOAD","SHUTDOWN",
"PROCESS","FILE","GRANT","REFERENCES","INDEX","ALTER"};
-static int command_lengths[]={6,6,6,6,6,4,6,8,7,4,5,9,5,5};
+static int command_lengths[]={6,6,6,6,6,4,6,8,7,4,5,10,5,5};
int mysql_show_grants(THD *thd,LEX_USER *lex_user)
{
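Review bot: `command_lengths[]` is a hand-counted copy of the string lengths in `command_array[]`, and the 9 to 10 correction for "REFERENCES" shows how easily the two drift apart. If these lengths are passed to an append call alongside the literal (not visible in this hunk), a value that is too large would read past the end of the string constant. Deriving the length at the point of use, or adding a comment such as `/* must equal strlen(command_array[i]) for every i */` with a debug-build assertion over the table, removes the need to keep the two arrays in step by hand.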
@@ -2320,7 +2325,7 @@ int mysql_show_grants(THD *thd,LEX_USER *lex_user)
int error = 0;
ACL_USER *acl_user; ACL_DB *acl_db;
char buff[1024];
- DBUG_ENTER("mysql_grant");
+ DBUG_ENTER("mysql_show_grants");
LINT_INIT(acl_user);
if (!initialized)
@@ -2411,6 +2416,30 @@ int mysql_show_grants(THD *thd,LEX_USER *lex_user)
global.append(passd_buff);
global.append('\'');
}
+/* SSL grant stuff */
+ DBUG_PRINT("info",("acl_user->ssl_type=%s",acl_user->ssl_type));
+ DBUG_PRINT("info",("acl_user->ssl_cipher=%s",acl_user->ssl_cipher));
+ DBUG_PRINT("info",("acl_user->ssl_subject=%s",acl_user->ssl_subject));
+ DBUG_PRINT("info",("acl_user->ssl_issuer=%s",acl_user->ssl_issuer));
+ if(acl_user->ssl_type) {
+ if(!strcmp(acl_user->ssl_type,"ssl"))
+ global.append(" REQUIRE SSL",12);
+ else if(!strcmp(acl_user->ssl_type,"x509"))
+ {
+ global.append(" REQUIRE X509 ",14);
+ if(acl_user->ssl_issuer) {
+ global.append("SUBJECT \"",9);
+ global.append(acl_user->ssl_issuer,strlen(acl_user->ssl_issuer));
+ global.append("\"",1);
+ }
+ if(acl_user->ssl_subject) {
+ global.append("ISSUER \"",8);
+ global.append(acl_user->ssl_subject,strlen(acl_user->ssl_subject));
+ global.append("\"",1);
+ }
+ }
+ }
+
if (want_access & GRANT_ACL)
global.append(" WITH GRANT OPTION",18);
thd->packet.length(0);
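Review bot: In the added x509 branch the labels are crossed: `acl_user->ssl_issuer` is written after `SUBJECT "` and `acl_user->ssl_subject` after `ISSUER "`. SHOW GRANTS would therefore print a statement that, if replayed, pins the wrong certificate field. Nothing separates the two clauses either, so the output reads `SUBJECT "..."ISSUER "..."`, and the order differs from the `[ISSUER issuer] [SUBJECT subject]` syntax this commit adds to the manual. The four `DBUG_PRINT` lines pass the pointers to `%s` before the `if(acl_user->ssl_type)` null check, so debug builds may format a null pointer. The values are also appended without escaping an embedded `"`, which a distinguished name can contain; if the output is meant to be re-executable, that needs the same quoting used elsewhere in this function. mysql_show_grants starts and ends outside the hunk.

```cpp
// … unchanged: DBUG_PRINT lines, but pass (ptr ? ptr : "NULL") for each %s …
    else if(!strcmp(acl_user->ssl_type,"x509"))
    {
      global.append(" REQUIRE X509",13);
      if(acl_user->ssl_issuer) {
        global.append(" ISSUER \"",9);
        global.append(acl_user->ssl_issuer,strlen(acl_user->ssl_issuer));
        global.append("\"",1);
      }
      if(acl_user->ssl_subject) {
        global.append(" SUBJECT \"",10);
        global.append(acl_user->ssl_subject,strlen(acl_user->ssl_subject));
        global.append("\"",1);
      }
    }
// … unchanged: closing brace of if(acl_user->ssl_type), WITH GRANT OPTION …
```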
diff --git a/vio/viosocket.c b/vio/viosocket.c
index bf151c19928..d5573cdfa64 100644
--- a/vio/viosocket.c
+++ b/vio/viosocket.c
@@ -143,6 +143,7 @@ int vio_blocking(Vio * vio, my_bool set_blocking_mode)
DBUG_ENTER("vio_blocking");
DBUG_PRINT("enter", ("set_blocking_mode: %d", (int) set_blocking_mode));
+#if !defined(HAVE_OPENSSL)
#if !defined(___WIN__) && !defined(__EMX__)
#if !defined(NO_FCNTL_NONBLOCK)
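Review bot: With `HAVE_OPENSSL` defined, the `#if !defined(HAVE_OPENSSL)` added here (closed by the `#endif` in the next hunk) compiles out every statement that changes the socket mode or assigns `r`, so vio_blocking does nothing and returns whatever `r` held at declaration. The declaration of `r` is outside both hunks. If it has no initializer, the added `DBUG_PRINT("exit", ("return %d", r))` and `DBUG_RETURN(r)` read an indeterminate value, so it should be set explicitly, for example `int r=0; /* OpenSSL build: blocking mode is left unchanged */`. The guard is also compile-time, so plain non-SSL connections in an OpenSSL-enabled build lose mode switching too; a run-time test on the connection type would confine the change to SSL sockets. Separately, the context line `#if !defined(___WIN__)` has three underscores while its `#endif` comment says `__WIN__`, which is worth confirming.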
@@ -178,6 +179,8 @@ int vio_blocking(Vio * vio, my_bool set_blocking_mode)
r = ioctlsocket(vio->sd,FIONBIO,(void*) &arg, sizeof(arg));
}
#endif /* !defined(__WIN__) && !defined(__EMX__) */
+#endif /* !defined (HAVE_OPENSSL) */
+ DBUG_PRINT("exit", ("return %d", r));
DBUG_RETURN(r);
}