Merge neptunus.(none):/home/msvensson/mysql/tmp_jimw_federated

into  neptunus.(none):/home/msvensson/mysql/mysql-5.0-maint

SSL/server-cert.pem

 Certificate:
     Data:
         Version: 3 (0x2)
-        Serial Number: 2 (0x2)
+        Serial Number:
+            e9:07:d1:01:94:ee:66:ca
         Signature Algorithm: md5WithRSAEncryption
-        Issuer: C=SE, L=Uppsala, O=MySQL AB, CN=Abstract MySQL Developer/Email=abstract.mysql.developer@mysql.com
+        Issuer: C=SE, ST=Uppsala, L=Uppsala, O=MySQL AB, CN=localhost/emailAddress=abstract.mysql.developer@mysql.com
         Validity
-            Not Before: Sep 12 16:22:06 2003 GMT
-            Not After : Sep  9 16:22:06 2013 GMT
-        Subject: C=SE, L=Uppsala, O=MySQL AB, CN=MySQL Server/Email=abstract.mysql.developer@mysql.com
+            Not Before: Apr 18 15:35:37 2006 GMT
+            Not After : Jan 12 15:35:37 2009 GMT
+        Subject: C=SE, ST=Uppsala, L=Uppsala, O=MySQL AB, CN=localhost/emailAddress=abstract.mysql.developer@mysql.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
             RSA Public Key: (1024 bit)
@@ -23,45 +24,42 @@ Certificate:
                     3d:0e:4d:2a:a8:b8:ca:99:8d
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
-            X509v3 Basic Constraints: 
-                CA:FALSE
-            Netscape Comment: 
-                OpenSSL Generated Certificate
             X509v3 Subject Key Identifier: 
                 6E:E4:9B:6A:C5:EA:E4:E6:C7:EF:D7:1E:C8:63:45:60:2B:1B:D4:D4
             X509v3 Authority Key Identifier: 
-                keyid:88:98:65:D9:F3:F2:8B:03:1D:66:60:61:23:FA:AD:73:6D:D3:68:92
-                DirName:/C=SE/L=Uppsala/O=MySQL AB/CN=Abstract MySQL Developer/Email=abstract.mysql.developer@mysql.com
-                serial:00
+                keyid:6E:E4:9B:6A:C5:EA:E4:E6:C7:EF:D7:1E:C8:63:45:60:2B:1B:D4:D4
+                DirName:/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB/CN=localhost/emailAddress=abstract.mysql.developer@mysql.com
+                serial:E9:07:D1:01:94:EE:66:CA
 
+            X509v3 Basic Constraints: 
+                CA:TRUE
     Signature Algorithm: md5WithRSAEncryption
-        31:77:69:b9:bd:ab:29:f3:fc:5a:09:16:6f:5d:42:ea:ba:01:
-        55:69:e3:75:cf:b8:d1:b7:b9:bf:da:63:85:8c:48:92:06:60:
-        76:97:e0:00:78:4b:ad:da:ab:6a:90:6d:8b:03:a8:b1:e9:09:
-        78:e1:29:98:56:12:60:6b:42:fe:e8:a7:c4:f8:d6:15:07:e8:
-        2b:c2:d8:8a:e5:1b:2e:51:08:9b:56:e3:b3:7a:4c:3e:e5:be:
-        4a:4d:f8:65:7b:a8:21:e0:ca:fe:8b:ab:d7:ec:f2:2d:f7:d0:
-        bf:d7:c5:23:1c:08:d8:aa:57:c7:f3:5f:ba:33:3f:78:d1:f4:
-        8e:5e
+        1f:03:59:6e:ff:1f:9d:c7:19:9e:8e:b2:1a:c0:0b:9e:ee:94:
+        35:77:2a:93:04:ea:d5:a8:fc:36:5a:5b:e3:1c:02:b8:cf:04:
+        6e:21:b0:27:f6:96:6e:d6:8f:cd:02:cf:23:f3:e7:ff:6a:ee:
+        a9:09:c5:c9:07:81:b6:d2:bc:bd:13:47:0d:7b:76:f6:8a:c4:
+        76:24:f8:4c:4e:26:fc:d8:c0:1f:3d:40:19:43:8e:41:ab:99:
+        3a:99:9b:24:7c:ae:78:f3:df:2f:a2:ed:8f:27:0a:0a:0b:04:
+        bf:25:74:88:87:96:c8:68:d5:bc:5b:a0:ef:14:aa:53:6e:c4:
+        a3:e3
 -----BEGIN CERTIFICATE-----
-MIIDkTCCAvqgAwIBAgIBAjANBgkqhkiG9w0BAQQFADCBiDELMAkGA1UEBhMCU0Ux
-EDAOBgNVBAcTB1VwcHNhbGExETAPBgNVBAoTCE15U1FMIEFCMSEwHwYDVQQDExhB
-YnN0cmFjdCBNeVNRTCBEZXZlbG9wZXIxMTAvBgkqhkiG9w0BCQEWImFic3RyYWN0
-Lm15c3FsLmRldmVsb3BlckBteXNxbC5jb20wHhcNMDMwOTEyMTYyMjA2WhcNMTMw
-OTA5MTYyMjA2WjB8MQswCQYDVQQGEwJTRTEQMA4GA1UEBxMHVXBwc2FsYTERMA8G
-A1UEChMITXlTUUwgQUIxFTATBgNVBAMTDE15U1FMIFNlcnZlcjExMC8GCSqGSIb3
-DQEJARYiYWJzdHJhY3QubXlzcWwuZGV2ZWxvcGVyQG15c3FsLmNvbTCBnzANBgkq
-hkiG9w0BAQEFAAOBjQAwgYkCgYEA6YZ6VYSITL6k+JJzMBJJC3qFhzk0OQ19C40Y
-wheVE1LSP1UQV8g/WvWy+ovQZ0nMqoL8n84AtHPzNtI608KwDhTD1LIhdKHwMYFg
-h5hzXBDBsRpN8fOwmD/w15ebK/3VIXmyL+tkFcmbnfyeLdT4BFvqqXVLQsM9Dk0q
-qLjKmY0CAwEAAaOCARQwggEQMAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9w
-ZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBRu5Jtqxerk5sfv
-1x7IY0VgKxvU1DCBtQYDVR0jBIGtMIGqgBSImGXZ8/KLAx1mYGEj+q1zbdNokqGB
-jqSBizCBiDELMAkGA1UEBhMCU0UxEDAOBgNVBAcTB1VwcHNhbGExETAPBgNVBAoT
-CE15U1FMIEFCMSEwHwYDVQQDExhBYnN0cmFjdCBNeVNRTCBEZXZlbG9wZXIxMTAv
-BgkqhkiG9w0BCQEWImFic3RyYWN0Lm15c3FsLmRldmVsb3BlckBteXNxbC5jb22C
-AQAwDQYJKoZIhvcNAQEEBQADgYEAMXdpub2rKfP8WgkWb11C6roBVWnjdc+40be5
-v9pjhYxIkgZgdpfgAHhLrdqrapBtiwOosekJeOEpmFYSYGtC/uinxPjWFQfoK8LY
-iuUbLlEIm1bjs3pMPuW+Sk34ZXuoIeDK/our1+zyLffQv9fFIxwI2KpXx/NfujM/
-eNH0jl4=
+MIIDijCCAvOgAwIBAgIJAOkH0QGU7mbKMA0GCSqGSIb3DQEBBAUAMIGLMQswCQYD
+VQQGEwJTRTEQMA4GA1UECBMHVXBwc2FsYTEQMA4GA1UEBxMHVXBwc2FsYTERMA8G
+A1UEChMITXlTUUwgQUIxEjAQBgNVBAMTCWxvY2FsaG9zdDExMC8GCSqGSIb3DQEJ
+ARYiYWJzdHJhY3QubXlzcWwuZGV2ZWxvcGVyQG15c3FsLmNvbTAeFw0wNjA0MTgx
+NTM1MzdaFw0wOTAxMTIxNTM1MzdaMIGLMQswCQYDVQQGEwJTRTEQMA4GA1UECBMH
+VXBwc2FsYTEQMA4GA1UEBxMHVXBwc2FsYTERMA8GA1UEChMITXlTUUwgQUIxEjAQ
+BgNVBAMTCWxvY2FsaG9zdDExMC8GCSqGSIb3DQEJARYiYWJzdHJhY3QubXlzcWwu
+ZGV2ZWxvcGVyQG15c3FsLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
+6YZ6VYSITL6k+JJzMBJJC3qFhzk0OQ19C40YwheVE1LSP1UQV8g/WvWy+ovQZ0nM
+qoL8n84AtHPzNtI608KwDhTD1LIhdKHwMYFgh5hzXBDBsRpN8fOwmD/w15ebK/3V
+IXmyL+tkFcmbnfyeLdT4BFvqqXVLQsM9Dk0qqLjKmY0CAwEAAaOB8zCB8DAdBgNV
+HQ4EFgQUbuSbasXq5ObH79ceyGNFYCsb1NQwgcAGA1UdIwSBuDCBtYAUbuSbasXq
+5ObH79ceyGNFYCsb1NShgZGkgY4wgYsxCzAJBgNVBAYTAlNFMRAwDgYDVQQIEwdV
+cHBzYWxhMRAwDgYDVQQHEwdVcHBzYWxhMREwDwYDVQQKEwhNeVNRTCBBQjESMBAG
+A1UEAxMJbG9jYWxob3N0MTEwLwYJKoZIhvcNAQkBFiJhYnN0cmFjdC5teXNxbC5k
+ZXZlbG9wZXJAbXlzcWwuY29tggkA6QfRAZTuZsowDAYDVR0TBAUwAwEB/zANBgkq
+hkiG9w0BAQQFAAOBgQAfA1lu/x+dxxmejrIawAue7pQ1dyqTBOrVqPw2WlvjHAK4
+zwRuIbAn9pZu1o/NAs8j8+f/au6pCcXJB4G20ry9E0cNe3b2isR2JPhMTib82MAf
+PUAZQ45Bq5k6mZskfK54898vou2PJwoKCwS/JXSIh5bIaNW8W6DvFKpTbsSj4w==
 -----END CERTIFICATE-----

client/client_priv.h

@@ -51,5 +51,5 @@ enum options_client
 #endif
   OPT_TRIGGERS,
   OPT_IGNORE_TABLE,OPT_INSERT_IGNORE,OPT_SHOW_WARNINGS,OPT_DROP_DATABASE,
-  OPT_TZ_UTC, OPT_AUTO_CLOSE
+  OPT_TZ_UTC, OPT_AUTO_CLOSE, OPT_SSL_VERIFY_SERVER_CERT
 };

client/mysql.cc

@@ -3118,6 +3118,8 @@ sql_real_connect(char *host,char *database,char *user,char *password,
   if (opt_use_ssl)
     mysql_ssl_set(&mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca,
 		  opt_ssl_capath, opt_ssl_cipher);
+  mysql_options(&mysql,MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
+                (char*)&opt_ssl_verify_server_cert);
 #endif
   if (opt_protocol)
     mysql_options(&mysql,MYSQL_OPT_PROTOCOL,(char*)&opt_protocol);

client/mysqladmin.cc

@@ -340,6 +340,8 @@ int main(int argc,char *argv[])
   if (opt_use_ssl)
     mysql_ssl_set(&mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca,
 		  opt_ssl_capath, opt_ssl_cipher);
+  mysql_options(&mysql,MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
+                (char*)&opt_ssl_verify_server_cert);
 #endif
   if (opt_protocol)
     mysql_options(&mysql,MYSQL_OPT_PROTOCOL,(char*)&opt_protocol);

client/mysqldump.c

@@ -905,6 +905,8 @@ static int dbConnect(char *host, char *user,char *passwd)
   if (opt_use_ssl)
     mysql_ssl_set(&mysql_connection, opt_ssl_key, opt_ssl_cert, opt_ssl_ca,
 		  opt_ssl_capath, opt_ssl_cipher);
+  mysql_options(&mysql_connection,MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
+                (char*)&opt_ssl_verify_server_cert);
 #endif
   if (opt_protocol)
     mysql_options(&mysql_connection,MYSQL_OPT_PROTOCOL,(char*)&opt_protocol);

client/mysqlimport.c

@@ -384,6 +384,8 @@ static MYSQL *db_connect(char *host, char *database, char *user, char *passwd)
   if (opt_use_ssl)
     mysql_ssl_set(&mysql_connection, opt_ssl_key, opt_ssl_cert, opt_ssl_ca,
 		  opt_ssl_capath, opt_ssl_cipher);
+  mysql_options(&mysql_connection,MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
+                (char*)&opt_ssl_verify_server_cert);
 #endif
   if (opt_protocol)
     mysql_options(&mysql_connection,MYSQL_OPT_PROTOCOL,(char*)&opt_protocol);

client/mysqlshow.c

@@ -109,6 +109,8 @@ int main(int argc, char **argv)
   if (opt_use_ssl)
     mysql_ssl_set(&mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca,
 		  opt_ssl_capath, opt_ssl_cipher);
+  mysql_options(&mysql,MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
+                (char*)&opt_ssl_verify_server_cert);
 #endif
   if (opt_protocol)
     mysql_options(&mysql,MYSQL_OPT_PROTOCOL,(char*)&opt_protocol);

client/mysqltest.c

@@ -108,7 +108,7 @@ enum {OPT_MANAGER_USER=256,OPT_MANAGER_HOST,OPT_MANAGER_PASSWD,
       OPT_MANAGER_PORT,OPT_MANAGER_WAIT_TIMEOUT, OPT_SKIP_SAFEMALLOC,
       OPT_SSL_SSL, OPT_SSL_KEY, OPT_SSL_CERT, OPT_SSL_CA, OPT_SSL_CAPATH,
       OPT_SSL_CIPHER,OPT_PS_PROTOCOL,OPT_SP_PROTOCOL,OPT_CURSOR_PROTOCOL,
-      OPT_VIEW_PROTOCOL};
+      OPT_VIEW_PROTOCOL, OPT_SSL_VERIFY_SERVER_CERT};
 
 /* ************************************************************************ */
 /*
@@ -2378,8 +2378,12 @@ int do_connect(struct st_query *q)
 
 #ifdef HAVE_OPENSSL
   if (opt_use_ssl || con_ssl)
+  {
     mysql_ssl_set(&next_con->mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca,
 		  opt_ssl_capath, opt_ssl_cipher);
+    mysql_options(&next_con->mysql, MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
+                  &opt_ssl_verify_server_cert);
+  }
 #endif
   if (con_sock && !free_con_sock && *con_sock && *con_sock != FN_LIBCHAR)
     con_sock=fn_format(buff, con_sock, TMPDIR, "",0);
@@ -4604,9 +4608,14 @@ int main(int argc, char **argv)
   mysql_options(&cur_con->mysql, MYSQL_SET_CHARSET_NAME, charset_name);
 
 #ifdef HAVE_OPENSSL
+  opt_ssl_verify_server_cert= TRUE; /* Always on in mysqltest */
   if (opt_use_ssl)
+  {
     mysql_ssl_set(&cur_con->mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca,
 		  opt_ssl_capath, opt_ssl_cipher);
+    mysql_options(&cur_con->mysql, MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
+                  &opt_ssl_verify_server_cert);
+  }
 #endif
 
   if (!(cur_con->name = my_strdup("default", MYF(MY_WME))))

extra/yassl/mySTL/helpers.hpp

@@ -44,6 +44,11 @@
         return static_cast<void*>(d);
     }
 
+    // for compilers that want matching delete
+    inline void operator delete(void* ptr, Dummy* d) 
+    { 
+    }
+
     typedef Dummy* yassl_pointer;
 
 namespace mySTL {

extra/yassl/src/template_instnt.cpp

@@ -31,7 +31,6 @@
 #include "hmac.hpp"
 #include "md5.hpp"
 #include "sha.hpp"
-#include "ripemd.hpp"
 #include "openssl/ssl.h"
 
 #ifdef HAVE_EXPLICIT_TEMPLATE_INSTANTIATION

extra/yassl/taocrypt/include/asn.hpp

@@ -79,7 +79,13 @@ enum ASNIdFlag
 
 enum DNTags
 {
-    COMMON_NAME         = 0x03
+    COMMON_NAME         = 0x03,  // CN
+    SUR_NAME            = 0x04,  // SN
+    COUNTRY_NAME        = 0x06,  // C
+    LOCALITY_NAME       = 0x07,  // L
+    STATE_NAME          = 0x08,  // ST
+    ORG_NAME            = 0x0a,  // O
+    ORGUNIT_NAME        = 0x0b   // OU
 };
 
 
@@ -92,7 +98,8 @@ enum Constants
     MAX_SEQ_SZ    =  5,    // enum(seq|con) + length(4)
     MAX_ALGO_SIZE =  9,
     MAX_DIGEST_SZ = 25,    // SHA + enum(Bit or Octet) + length(4)
-    DSA_SIG_SZ    = 40
+    DSA_SIG_SZ    = 40,
+    NAME_MAX      = 512    // max total of all included names
 };
 
 
@@ -205,14 +212,14 @@ enum { SHA_SIZE = 20 };
 // A Signing Authority
 class Signer {
     PublicKey key_;
-    char*     name_;
+    char      name_[NAME_MAX];
     byte      hash_[SHA_SIZE];
 public:
     Signer(const byte* k, word32 kSz, const char* n, const byte* h);
     ~Signer();
 
     const PublicKey& GetPublicKey()  const { return key_; }
-    const char*      GetCommonName() const { return name_; }
+    const char*      GetName()       const { return name_; }
     const byte*      GetHash()       const { return hash_; }
 
 private:
@@ -257,8 +264,8 @@ private:
     byte      subjectHash_[SHA_SIZE];   // hash of all Names
     byte      issuerHash_[SHA_SIZE];    // hash of all Names
     byte*     signature_;
-    char*     issuer_;                  // CommonName
-    char*     subject_;                 // CommonName
+    char      issuer_[NAME_MAX];        // Names
+    char      subject_[NAME_MAX];       // Names
     bool      verify_;                  // Default to yes, but could be off
 
     void   ReadHeader();

extra/yassl/taocrypt/src/asn.cpp

@@ -213,21 +213,17 @@ void PublicKey::AddToEnd(const byte* data, word32 len)
 
 
 Signer::Signer(const byte* k, word32 kSz, const char* n, const byte* h)
-    : key_(k, kSz), name_(0)
+    : key_(k, kSz)
 {
-    if (n) {
         int sz = strlen(n);
-        name_ = NEW_TC char[sz + 1];
         memcpy(name_, n, sz);
         name_[sz] = 0;
-    }
 
     memcpy(hash_, h, SHA::DIGEST_SIZE);
 }
 
 Signer::~Signer()
 {
-    tcArrayDelete(name_);
 }
 
 
@@ -424,17 +420,19 @@ void DH_Decoder::Decode(DH& key)
 CertDecoder::CertDecoder(Source& s, bool decode, SignerList* signers,
                          bool noVerify, CertType ct)
     : BER_Decoder(s), certBegin_(0), sigIndex_(0), sigLength_(0),
-      signature_(0), issuer_(0), subject_(0), verify_(!noVerify)
+      signature_(0), verify_(!noVerify)
 { 
+    issuer_[0] = 0;
+    subject_[0] = 0;
+
     if (decode)
         Decode(signers, ct); 
+
 }
 
 
 CertDecoder::~CertDecoder()
 {
-    tcArrayDelete(subject_);
-    tcArrayDelete(issuer_);
     tcArrayDelete(signature_);
 }
 
@@ -672,8 +670,12 @@ void CertDecoder::GetName(NameType nt)
 
     SHA    sha;
     word32 length = GetSequence();  // length of all distinguished names
+    assert (length < NAME_MAX);
     length += source_.get_index();
 
+    char*  ptr = (nt == ISSUER) ? issuer_ : subject_;
+    word32 idx = 0;
+
     while (source_.get_index() < length) {
         GetSet();
         GetSequence();
@@ -694,13 +696,49 @@ void CertDecoder::GetName(NameType nt)
             byte   id      = source_.next();  
             b              = source_.next();    // strType
             word32 strLen  = GetLength(source_);
+            bool   copy    = false;
 
             if (id == COMMON_NAME) {
-                char*& ptr = (nt == ISSUER) ? issuer_ : subject_;
-                ptr = NEW_TC char[strLen + 1];
-                memcpy(ptr, source_.get_current(), strLen);
-                ptr[strLen] = 0;
+                memcpy(&ptr[idx], "/CN=", 4);
+                idx += 4;
+                copy = true;
+            }
+            else if (id == SUR_NAME) {
+                memcpy(&ptr[idx], "/SN=", 4);
+                idx += 4;
+                copy = true;
+            }
+            else if (id == COUNTRY_NAME) {
+                memcpy(&ptr[idx], "/C=", 3);
+                idx += 3;
+                copy = true;
+            }
+            else if (id == LOCALITY_NAME) {
+                memcpy(&ptr[idx], "/L=", 3);
+                idx += 3;
+                copy = true;
             }
+            else if (id == STATE_NAME) {
+                memcpy(&ptr[idx], "/ST=", 4);
+                idx += 4;
+                copy = true;
+            }
+            else if (id == ORG_NAME) {
+                memcpy(&ptr[idx], "/O=", 3);
+                idx += 3;
+                copy = true;
+            }
+            else if (id == ORGUNIT_NAME) {
+                memcpy(&ptr[idx], "/OU=", 4);
+                idx += 4;
+                copy = true;
+            }
+
+            if (copy) {
+                memcpy(&ptr[idx], source_.get_current(), strLen);
+                idx += strLen;
+            }
+
             sha.Update(source_.get_current(), strLen);
             source_.advance(strLen);
         }
@@ -711,6 +749,8 @@ void CertDecoder::GetName(NameType nt)
             source_.advance(length);
         }
     }
+    ptr[idx++] = 0;
+
     if (nt == ISSUER)
         sha.Final(issuerHash_);
     else

extra/yassl/taocrypt/src/make.bat

-# quick and dirty build file for testing different MSDEVs
+REM quick and dirty build file for testing different MSDEVs
 setlocal 
 
 set myFLAGS= /I../include /I../../mySTL /c /W3 /G6 /O2 

extra/yassl/taocrypt/src/template_instnt.cpp

@@ -30,11 +30,11 @@
 #include "sha.hpp"
 #include "md5.hpp"
 #include "hmac.hpp"
-#include "ripemd.hpp"
 #include "pwdbased.hpp"
 #include "algebra.hpp"
 #include "vector.hpp"
 #include "hash.hpp"
+#include "ripemd.hpp"
 
 #ifdef HAVE_EXPLICIT_TEMPLATE_INSTANTIATION
 namespace TaoCrypt {

extra/yassl/testsuite/test.hpp

@@ -305,8 +305,8 @@ inline void showPeer(SSL* ssl)
         char* subject = X509_NAME_oneline(X509_get_subject_name(peer), 0, 0);
 
         printf("peer's cert info:\n");
-        printf("issuer  is: %s\n", issuer);
-        printf("subject is: %s\n", subject);
+        printf("issuer : %s\n", issuer);
+        printf("subject: %s\n", subject);
 
         free(subject);
         free(issuer);

include/mysql.h

@@ -149,7 +149,8 @@ enum mysql_option
   MYSQL_OPT_WRITE_TIMEOUT, MYSQL_OPT_USE_RESULT,
   MYSQL_OPT_USE_REMOTE_CONNECTION, MYSQL_OPT_USE_EMBEDDED_CONNECTION,
   MYSQL_OPT_GUESS_CONNECTION, MYSQL_SET_CLIENT_IP, MYSQL_SECURE_AUTH,
-  MYSQL_REPORT_DATA_TRUNCATION, MYSQL_OPT_RECONNECT
+  MYSQL_REPORT_DATA_TRUNCATION, MYSQL_OPT_RECONNECT,
+  MYSQL_OPT_SSL_VERIFY_SERVER_CERT
 };
 
 struct st_mysql_options {
@@ -164,6 +165,7 @@ struct st_mysql_options {
   char *ssl_ca;					/* PEM CA file */
   char *ssl_capath;				/* PEM directory of CA-s? */
   char *ssl_cipher;				/* cipher to use */
+  my_bool ssl_verify_server_cert;		/* if to verify server cert */
   char *shared_memory_base_name;
   unsigned long max_allowed_packet;
   my_bool use_ssl;				/* if to use SSL or not */

include/sslopt-longopts.h

@@ -37,5 +37,10 @@
   {"ssl-cipher", OPT_SSL_CIPHER, "SSL cipher to use (implies --ssl).",
    (gptr*) &opt_ssl_cipher, (gptr*) &opt_ssl_cipher, 0, GET_STR, REQUIRED_ARG,
    0, 0, 0, 0, 0, 0},
-
+#ifdef MYSQL_CLIENT
+  {"ssl-verify-server-cert", OPT_SSL_VERIFY_SERVER_CERT,
+   "Verify servers \"Common Name\" in it's cert against hostname used when connecting. This option is disabled by default.",
+   (gptr*) &opt_ssl_verify_server_cert, (gptr*) &opt_ssl_verify_server_cert,
+    0, GET_BOOL, NO_ARG, 0, 0, 0, 0, 0, 0},
+#endif
 #endif /* HAVE_OPENSSL */

include/sslopt-vars.h

@@ -21,4 +21,7 @@ static char *opt_ssl_cert   = 0;
 static char *opt_ssl_ca     = 0;
 static char *opt_ssl_capath = 0;
 static char *opt_ssl_cipher = 0;
+#ifdef MYSQL_CLIENT
+static my_bool opt_ssl_verify_server_cert= 0;
+#endif
 #endif

include/violite.h

@@ -105,33 +105,22 @@ void	vio_timeout(Vio *vio,uint which, uint timeout);
 #include <openssl/ssl.h>
 #include <openssl/err.h>
 
-struct st_VioSSLAcceptorFd 
+struct st_VioSSLFd
 {
   SSL_CTX *ssl_context;
-  SSL_METHOD *ssl_method;
-  struct st_VioSSLAcceptorFd *session_id_context;
 };
 
-/* One copy for client */
-struct st_VioSSLConnectorFd
-{
-  SSL_CTX *ssl_context;
-  /* function pointers which are only once for SSL client */ 
-  SSL_METHOD *ssl_method;
-};
-
-int sslaccept(struct st_VioSSLAcceptorFd*, Vio *, long timeout);
-int sslconnect(struct st_VioSSLConnectorFd*, Vio *, long timeout);
+int sslaccept(struct st_VioSSLFd*, Vio *, long timeout);
+int sslconnect(struct st_VioSSLFd*, Vio *, long timeout);
 
-struct st_VioSSLConnectorFd
+struct st_VioSSLFd
 *new_VioSSLConnectorFd(const char *key_file, const char *cert_file,
 		       const char *ca_file,  const char *ca_path,
 		       const char *cipher);
-struct st_VioSSLAcceptorFd
+struct st_VioSSLFd
 *new_VioSSLAcceptorFd(const char *key_file, const char *cert_file,
 		      const char *ca_file,const char *ca_path,
 		      const char *cipher);
-Vio *new_VioSSL(struct st_VioSSLAcceptorFd *fd, Vio *sd, int state);
 #endif /* HAVE_OPENSSL */
 
 #ifdef HAVE_SMEM

sql-common/client.c

@@ -1500,6 +1500,7 @@ mysql_ssl_set(MYSQL *mysql __attribute__((unused)) ,
   mysql->options.ssl_ca=     strdup_if_not_null(ca);
   mysql->options.ssl_capath= strdup_if_not_null(capath);
   mysql->options.ssl_cipher= strdup_if_not_null(cipher);
+  mysql->options.ssl_verify_server_cert= FALSE; /* Off by default */
 #endif /* HAVE_OPENSSL */
   DBUG_RETURN(0);
 }
@@ -1514,17 +1515,16 @@ mysql_ssl_set(MYSQL *mysql __attribute__((unused)) ,
 static void
 mysql_ssl_free(MYSQL *mysql __attribute__((unused)))
 {
-  struct st_VioSSLConnectorFd *st= 
-    (struct st_VioSSLConnectorFd*) mysql->connector_fd;
+  struct st_VioSSLFd *ssl_fd= (struct st_VioSSLFd*) mysql->connector_fd;
   DBUG_ENTER("mysql_ssl_free");
 
   my_free(mysql->options.ssl_key, MYF(MY_ALLOW_ZERO_PTR));
   my_free(mysql->options.ssl_cert, MYF(MY_ALLOW_ZERO_PTR));
   my_free(mysql->options.ssl_ca, MYF(MY_ALLOW_ZERO_PTR));
   my_free(mysql->options.ssl_capath, MYF(MY_ALLOW_ZERO_PTR));
-  my_free(mysql->options.ssl_cipher, MYF(MY_ALLOW_ZERO_PTR));  
-  if (st)
-    SSL_CTX_free(st->ssl_context);
+  my_free(mysql->options.ssl_cipher, MYF(MY_ALLOW_ZERO_PTR));
+  if (ssl_fd)
+    SSL_CTX_free(ssl_fd->ssl_context);
   my_free(mysql->connector_fd,MYF(MY_ALLOW_ZERO_PTR));
   mysql->options.ssl_key = 0;
   mysql->options.ssl_cert = 0;
@@ -1556,6 +1556,77 @@ mysql_get_ssl_cipher(MYSQL *mysql)
   DBUG_RETURN(NULL);
 }
 
+
+/*
+  Check the server's (subject) Common Name against the
+  hostname we connected to
+
+  SYNOPSIS
+  ssl_verify_server_cert()
+    vio              pointer to a SSL connected vio
+    server_hostname  name of the server that we connected to
+
+  RETURN VALUES
+   0 Success
+   1 Failed to validate server
+
+ */
+static int ssl_verify_server_cert(Vio *vio, const char* server_hostname)
+{
+  SSL *ssl;
+  X509 *server_cert;
+  char *cp1, *cp2;
+  char buf[256];
+  DBUG_ENTER("ssl_verify_server_cert");
+  DBUG_PRINT("enter", ("server_hostname: %s", server_hostname));
+
+  if (!(ssl= (SSL*)vio->ssl_arg))
+  {
+    DBUG_PRINT("error", ("No SSL pointer found"));
+    DBUG_RETURN(1);
+  }
+
+  if (!server_hostname)
+  {
+    DBUG_PRINT("error", ("No server hostname supplied"));
+    DBUG_RETURN(1);
+  }
+
+  if (!(server_cert= SSL_get_peer_certificate(ssl)))
+  {
+    DBUG_PRINT("error", ("Could not get server certificate"));
+    DBUG_RETURN(1);
+  }
+
+  /*
+    We already know that the certificate exchanged was valid; the SSL library
+    handled that. Now we need to verify that the contents of the certificate
+    are what we expect.
+  */
+
+  X509_NAME_oneline(X509_get_subject_name(server_cert), buf, sizeof(buf));
+  X509_free (server_cert);
+
+  DBUG_PRINT("info", ("hostname in cert: %s", buf));
+  cp1 = strstr(buf, "/CN=");
+  if (cp1)
+  {
+    cp1 += 4; // Skip the "/CN=" that we found
+    // Search for next / which might be the delimiter for email
+    cp2 = strchr(cp1, '/');
+    if (cp2)
+      *cp2 = '\0';
+    DBUG_PRINT("info", ("Server hostname in cert: %s", cp1));
+    if (!strcmp(cp1, server_hostname))
+    {
+      /* Success */
+      DBUG_RETURN(0);
+    }
+  }
+  DBUG_PRINT("error", ("SSL certificate validation failure"));
+  DBUG_RETURN(1);
+}
+
 #endif /* HAVE_OPENSSL */
 
 
@@ -1589,7 +1660,6 @@ static MYSQL_METHODS client_methods=
 #endif
 };
 
-
 MYSQL *
 CLI_MYSQL_REAL_CONNECT(MYSQL *mysql,const char *host, const char *user,
 		       const char *passwd, const char *db,
@@ -2034,37 +2104,52 @@ CLI_MYSQL_REAL_CONNECT(MYSQL *mysql,const char *host, const char *user,
   mysql->client_flag=client_flag;
 
 #ifdef HAVE_OPENSSL
-  /*
-    Oops.. are we careful enough to not send ANY information without
-    encryption?
-  */
   if (client_flag & CLIENT_SSL)
   {
+    /* Do the SSL layering. */
     struct st_mysql_options *options= &mysql->options;
+    struct st_VioSSLFd *ssl_fd;
+
+    /*
+      Send client_flag, max_packet_size - unencrypted otherwise
+      the server does not know we want to do SSL
+    */
     if (my_net_write(net,buff,(uint) (end-buff)) || net_flush(net))
     {
       set_mysql_error(mysql, CR_SERVER_LOST, unknown_sqlstate);
       goto error;
     }
-    /* Do the SSL layering. */
-    if (!(mysql->connector_fd=
-	  (gptr) new_VioSSLConnectorFd(options->ssl_key,
-				       options->ssl_cert,
-				       options->ssl_ca,
-				       options->ssl_capath,
-				       options->ssl_cipher)))
+
+    /* Create the VioSSLConnectorFd - init SSL and load certs */
+    if (!(ssl_fd= new_VioSSLConnectorFd(options->ssl_key,
+                                        options->ssl_cert,
+                                        options->ssl_ca,
+                                        options->ssl_capath,
+                                        options->ssl_cipher)))
     {
       set_mysql_error(mysql, CR_SSL_CONNECTION_ERROR, unknown_sqlstate);
       goto error;
     }
+    mysql->connector_fd= (void*)ssl_fd;
+
+    /* Connect to the server */
     DBUG_PRINT("info", ("IO layer change in progress..."));
-    if (sslconnect((struct st_VioSSLConnectorFd*)(mysql->connector_fd),
-		   mysql->net.vio, (long) (mysql->options.connect_timeout)))
+    if (sslconnect(ssl_fd, mysql->net.vio,
+                   (long) (mysql->options.connect_timeout)))
     {
       set_mysql_error(mysql, CR_SSL_CONNECTION_ERROR, unknown_sqlstate);
       goto error;
     }
     DBUG_PRINT("info", ("IO layer change done!"));
+
+    /* Verify server cert */
+    if (mysql->options.ssl_verify_server_cert &&
+        ssl_verify_server_cert(mysql->net.vio, mysql->host))
+    {
+      set_mysql_error(mysql, CR_SSL_CONNECTION_ERROR, unknown_sqlstate);
+      goto error;
+    }
+
   }
 #endif /* HAVE_OPENSSL */
 
@@ -2804,6 +2889,9 @@ mysql_options(MYSQL *mysql,enum mysql_option option, const char *arg)
   case MYSQL_OPT_RECONNECT:
     mysql->reconnect= *(my_bool *) arg;
     break;
+  case MYSQL_OPT_SSL_VERIFY_SERVER_CERT:
+    mysql->options.ssl_verify_server_cert= *(my_bool *) arg;
+    break;
   default:
     DBUG_RETURN(1);
   }

sql/mysql_priv.h

@@ -1310,7 +1310,7 @@ extern pthread_t signal_thread;
 #endif
 
 #ifdef HAVE_OPENSSL
-extern struct st_VioSSLAcceptorFd * ssl_acceptor_fd;
+extern struct st_VioSSLFd * ssl_acceptor_fd;
 #endif /* HAVE_OPENSSL */
 
 MYSQL_LOCK *mysql_lock_tables(THD *thd, TABLE **table, uint count,

sql/mysqld.cc

@@ -620,7 +620,7 @@ static void openssl_lock(int, openssl_lock_t *, const char *, int);
 static unsigned long openssl_id_function();
 #endif
 char *des_key_file;
-struct st_VioSSLAcceptorFd *ssl_acceptor_fd;
+struct st_VioSSLFd *ssl_acceptor_fd;
 #endif /* HAVE_OPENSSL */
 
 
@@ -1131,7 +1131,10 @@ void clean_up(bool print_message)
 #endif
 #ifdef HAVE_OPENSSL
   if (ssl_acceptor_fd)
-    my_free((gptr) ssl_acceptor_fd, MYF(MY_ALLOW_ZERO_PTR));
+  {
+    SSL_CTX_free(ssl_acceptor_fd->ssl_context);
+    my_free((gptr) ssl_acceptor_fd, MYF(0));
+  }
 #endif /* HAVE_OPENSSL */
 #ifdef USE_REGEX
   my_regex_end();

sql/sql_acl.cc

@@ -858,8 +858,8 @@ int acl_getroot(THD *thd, USER_RESOURCES  *mqh,
       if (acl_user->x509_issuer)
       {
         DBUG_PRINT("info",("checkpoint 3"));
-	char *ptr = X509_NAME_oneline(X509_get_issuer_name(cert), 0, 0);
-	DBUG_PRINT("info",("comparing issuers: '%s' and '%s'",
+        char *ptr = X509_NAME_oneline(X509_get_issuer_name(cert), 0, 0);
+        DBUG_PRINT("info",("comparing issuers: '%s' and '%s'",
 			   acl_user->x509_issuer, ptr));
         if (strcmp(acl_user->x509_issuer, ptr))
         {

vio/vio.c

@@ -88,19 +88,19 @@ static void vio_init(Vio* vio, enum enum_vio_type type,
   if (type == VIO_TYPE_SSL)
   {
     vio->viodelete	=vio_delete;
-    vio->vioerrno	=vio_ssl_errno;
+    vio->vioerrno	=vio_errno;
     vio->read		=vio_ssl_read;
     vio->write		=vio_ssl_write;
-    vio->fastsend	=vio_ssl_fastsend;
-    vio->viokeepalive	=vio_ssl_keepalive;
-    vio->should_retry	=vio_ssl_should_retry;
-    vio->was_interrupted=vio_ssl_was_interrupted;
+    vio->fastsend	=vio_fastsend;
+    vio->viokeepalive	=vio_keepalive;
+    vio->should_retry	=vio_should_retry;
+    vio->was_interrupted=vio_was_interrupted;
     vio->vioclose	=vio_ssl_close;
-    vio->peer_addr	=vio_ssl_peer_addr;
-    vio->in_addr	=vio_ssl_in_addr;
+    vio->peer_addr	=vio_peer_addr;
+    vio->in_addr	=vio_in_addr;
     vio->vioblocking	=vio_ssl_blocking;
     vio->is_blocking	=vio_is_blocking;
-    vio->timeout	=vio_ssl_timeout;
+    vio->timeout	=vio_timeout;
   }
   else					/* default is VIO_TYPE_TCPIP */
 #endif /* HAVE_OPENSSL */

vio/vio_priv.h

@@ -30,28 +30,10 @@ void	vio_ignore_timeout(Vio *vio, uint which, uint timeout);
 
 int	vio_ssl_read(Vio *vio,gptr buf,	int size);
 int	vio_ssl_write(Vio *vio,const gptr buf,int size);
-void	vio_ssl_timeout(Vio *vio, uint which, uint timeout);
-
-/* setsockopt TCP_NODELAY at IPPROTO_TCP level, when possible. */
-int vio_ssl_fastsend(Vio *vio);
-/* setsockopt SO_KEEPALIVE at SOL_SOCKET level, when possible. */
-int vio_ssl_keepalive(Vio *vio, my_bool onoff);
-/* Whenever we should retry the last read/write operation. */
-my_bool vio_ssl_should_retry(Vio *vio);
-/* Check that operation was timed out */
-my_bool	vio_ssl_was_interrupted(Vio *vio);
+
 /* When the workday is over... */
 int vio_ssl_close(Vio *vio);
-/* Return last error number */
-int vio_ssl_errno(Vio *vio);
-my_bool vio_ssl_peer_addr(Vio *vio, char *buf, uint16 *port);
-void vio_ssl_in_addr(Vio *vio, struct in_addr *in);
+
 int vio_ssl_blocking(Vio *vio, my_bool set_blocking_mode, my_bool *old_mode);
 
-/* Single copy for server */
-enum vio_ssl_acceptorfd_state
-{
-  state_connect       = 1,
-  state_accept        = 2
-};
 #endif /* HAVE_OPENSSL */