Openssl test

BitKeeper/etc/logging_ok

@@ -15,6 +15,7 @@ bell@sanja.is.com.ua
 bk@admin.bk
 davida@isil.mysql.com
 gluh@gluh.(none)
+gluh@gluh.mysql.r18.ru
 greg@mysql.com
 gweir@work.mysql.com
 heikki@donna.mysql.fi

client/mysqltest.c

@@ -91,7 +91,9 @@
 
 
 enum {OPT_MANAGER_USER=256,OPT_MANAGER_HOST,OPT_MANAGER_PASSWD,
-      OPT_MANAGER_PORT,OPT_MANAGER_WAIT_TIMEOUT, OPT_SKIP_SAFEMALLOC};
+      OPT_MANAGER_PORT,OPT_MANAGER_WAIT_TIMEOUT, OPT_SKIP_SAFEMALLOC,
+      OPT_SSL_SSL, OPT_SSL_KEY, OPT_SSL_CERT, OPT_SSL_CA, OPT_SSL_CAPATH,
+      OPT_SSL_CIPHER};
 
 static int record = 0, opt_sleep=0;
 static char *db = 0, *pass=0;
@@ -123,6 +125,8 @@ static int block_stack[BLOCK_STACK_DEPTH];
 static int block_ok_stack[BLOCK_STACK_DEPTH];
 static uint global_expected_errno[MAX_EXPECTED_ERRORS], global_expected_errors;
 
+#include "sslopt-vars.h"
+
 DYNAMIC_ARRAY q_lines;
 
 typedef struct
@@ -1442,6 +1446,11 @@ int do_connect(struct st_query* q)
     mysql_options(&next_con->mysql,MYSQL_OPT_COMPRESS,NullS);
   mysql_options(&next_con->mysql, MYSQL_OPT_LOCAL_INFILE, 0);
 
+#ifdef HAVE_OPENSSL
+  if (opt_use_ssl)
+    mysql_ssl_set(&next_con->mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca,
+		  opt_ssl_capath, opt_ssl_cipher);
+#endif
   if (con_sock && !free_con_sock && *con_sock && *con_sock != FN_LIBCHAR)
     con_sock=fn_format(buff, con_sock, TMPDIR, "",0);
   if (!con_db[0])
@@ -1840,6 +1849,7 @@ static struct my_option my_long_options[] =
   {"socket", 'S', "Socket file to use for connection.",
    (gptr*) &unix_sock, (gptr*) &unix_sock, 0, GET_STR, REQUIRED_ARG, 0, 0, 0,
    0, 0, 0},
+#include "sslopt-longopts.h"
   {"test-file", 'x', "Read test from/in this file (default stdin).",
    0, 0, 0, GET_STR, REQUIRED_ARG, 0, 0, 0, 0, 0, 0},
   {"tmpdir", 't', "Temporary directory where sockets are put",
@@ -1914,6 +1924,7 @@ get_one_option(int optid, const struct my_option *opt __attribute__((unused)),
     else
       tty_password= 1;
     break;
+#include <sslopt-case.h>
   case 't':
     strnmov(TMPDIR, argument, sizeof(TMPDIR));
     break;
@@ -2361,6 +2372,11 @@ int main(int argc, char** argv)
   if (opt_compress)
     mysql_options(&cur_con->mysql,MYSQL_OPT_COMPRESS,NullS);
   mysql_options(&cur_con->mysql, MYSQL_OPT_LOCAL_INFILE, 0);
+#ifdef HAVE_OPENSSL
+  if (opt_use_ssl)
+    mysql_ssl_set(&cur_con->mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca,
+		  opt_ssl_capath, opt_ssl_cipher);
+#endif
 
   cur_con->name = my_strdup("default", MYF(MY_WME));
   if (!cur_con->name)

mysql-test/include/have_openssl_1.inc

@@ -1,4 +1,4 @@
 -- require r/have_openssl_1.require
 disable_query_log;
-show variables like "have_openssl";
+SHOW STATUS LIKE 'Ssl_cipher';
 enable_query_log;

mysql-test/mysql-test-run.sh

@@ -207,6 +207,7 @@ CHARACTER_SET=latin1
 DBUSER=""
 START_WAIT_TIMEOUT=10
 STOP_WAIT_TIMEOUT=10
+MYSQL_TEST_SSL_OPTS=""
 
 while test $# -gt 0; do
   case "$1" in
@@ -237,7 +238,10 @@ while test $# -gt 0; do
      EXTRA_SLAVE_MYSQLD_OPT="$EXTRA_SLAVE_MYSQLD_OPT \
      --ssl-ca=$BASEDIR/SSL/cacert.pem \
      --ssl-cert=$BASEDIR/SSL/server-cert.pem \
-     --ssl-key=$BASEDIR/SSL/server-key.pem" ;;
+     --ssl-key=$BASEDIR/SSL/server-key.pem"
+     MYSQL_TEST_SSL_OPTS="--ssl-ca=$BASEDIR/SSL/cacert.pem \
+     --ssl-cert=$BASEDIR/SSL/client-cert.pem \
+     --ssl-key=$BASEDIR/SSL/client-key.pem" ;;
     --no-manager | --skip-manager) USE_MANAGER=0 ;;
     --manager)
      USE_MANAGER=1
@@ -489,7 +493,7 @@ fi
 
 MYSQL_TEST_ARGS="--no-defaults --socket=$MASTER_MYSOCK --database=$DB \
  --user=$DBUSER --password=$DBPASSWD --silent -v --skip-safemalloc \
- --tmpdir=$MYSQL_TMP_DIR --port=$MASTER_MYPORT"
+ --tmpdir=$MYSQL_TMP_DIR --port=$MASTER_MYPORT $MYSQL_TEST_SSL_OPTS"
 MYSQL_TEST_BIN=$MYSQL_TEST
 MYSQL_TEST="$MYSQL_TEST $MYSQL_TEST_ARGS"
 GDB_CLIENT_INIT=$MYSQL_TMP_DIR/gdbinit.client

mysql-test/r/have_openssl_1.require

@@ -1,2 +1,2 @@
 Variable_name	Value
-have_openssl	YES
+Ssl_cipher	EDH-RSA-DES-CBC3-SHA

mysql-test/r/openssl_1.result

@@ -1,2 +1,32 @@
-SHOW STATUS LIKE 'SSL%';
+drop table if exists t1;
-Variable_name	Value
+create table t1(f1 int);
+insert into t1 values (5);
+grant select on test.* to ssl_user1@localhost require SSL;
+grant select on test.* to ssl_user2@localhost require cipher "EDH-RSA-DES-CBC3-SHA";
+grant select on test.* to ssl_user3@localhost require cipher "EDH-RSA-DES-CBC3-SHA" AND SUBJECT "/C=RU/L=orenburg/O=MySQL AB/OU=client/CN=walrus/Email=walrus@mysql.com";
+grant select on test.* to ssl_user4@localhost require cipher "EDH-RSA-DES-CBC3-SHA" AND SUBJECT "/C=RU/L=orenburg/O=MySQL AB/OU=client/CN=walrus/Email=walrus@mysql.com" ISSUER "/C=RU/ST=Some-State/L=Orenburg/O=MySQL AB/CN=Walrus/Email=walrus@mysql.com";
+flush privileges;
+select * from t1;
+f1
+5
+delete from t1;
+Access denied for user: 'ssl_user1@localhost' to database 'test'
+select * from t1;
+f1
+5
+delete from t1;
+Access denied for user: 'ssl_user2@localhost' to database 'test'
+select * from t1;
+f1
+5
+delete from t1;
+Access denied for user: 'ssl_user3@localhost' to database 'test'
+select * from t1;
+f1
+5
+delete from t1;
+Access denied for user: 'ssl_user4@localhost' to database 'test'
+delete from mysql.user where user='ssl_user%';
+delete from mysql.db where user='ssl_user%';
+flush privileges;
+drop table t1;

mysql-test/t/openssl_1.test

@@ -1,6 +1,43 @@
-# We test openssl. Result set is optimized to be compiled with --with-openssl but 
+# We test openssl. Result set is optimized to be compiled with --with-openssl.
-# SSL is swithced off in some reason
+# Use mysql-test-run with --with-openssl option.
--- source include/have_openssl_2.inc
+-- source include/have_openssl_1.inc
 
-SHOW STATUS LIKE 'SSL%';
+drop table if exists t1;
+create table t1(f1 int);
+insert into t1 values (5);
 
+grant select on test.* to ssl_user1@localhost require SSL;
+grant select on test.* to ssl_user2@localhost require cipher "EDH-RSA-DES-CBC3-SHA";
+grant select on test.* to ssl_user3@localhost require cipher "EDH-RSA-DES-CBC3-SHA" AND SUBJECT "/C=RU/L=orenburg/O=MySQL AB/OU=client/CN=walrus/Email=walrus@mysql.com";
+grant select on test.* to ssl_user4@localhost require cipher "EDH-RSA-DES-CBC3-SHA" AND SUBJECT "/C=RU/L=orenburg/O=MySQL AB/OU=client/CN=walrus/Email=walrus@mysql.com" ISSUER "/C=RU/ST=Some-State/L=Orenburg/O=MySQL AB/CN=Walrus/Email=walrus@mysql.com";
+flush privileges;
+connect (con1,localhost,ssl_user1,,);
+connect (con2,localhost,ssl_user2,,);
+connect (con3,localhost,ssl_user3,,);
+connect (con4,localhost,ssl_user4,,);
+
+connection con1;
+select * from t1;
+--error 1044;
+delete from t1;
+
+connection con2;
+select * from t1;
+--error 1044;
+delete from t1;
+
+connection con3;
+select * from t1;
+--error 1044;
+delete from t1;
+
+connection con4;
+select * from t1;
+--error 1044;
+delete from t1;
+
+connection default;
+delete from mysql.user where user='ssl_user%';
+delete from mysql.db where user='ssl_user%';
+flush privileges;
+drop table t1;