Implemented replication over SSL

 Added proper options to CHANGE MASTER TO, new fields to SHOW SLAVE STATUS,
 Honoring this parameters during connection to master.
 Introduced new format of master.info file


include/mysqld_error.h:
  Added error code for "slave without SSL ignored SSL params warning"
mysql-test/Makefile.am:
  Copy files required for rpl_openssl test during the make process
mysql-test/r/rpl000015.result:
  Added fields to SHOW SLAVE STATUS for replication over SSL
mysql-test/r/rpl_empty_master_crash.result:
  Added fields to SHOW SLAVE STATUS for replication over SSL
mysql-test/r/rpl_flush_log_loop.result:
  Added fields to SHOW SLAVE STATUS for replication over SSL
mysql-test/r/rpl_log.result:
  Added fields to SHOW SLAVE STATUS for replication over SSL
mysql-test/r/rpl_log_pos.result:
  Added fields to SHOW SLAVE STATUS for replication over SSL
mysql-test/r/rpl_redirect.result:
  Added fields to SHOW SLAVE STATUS for replication over SSL
mysql-test/r/rpl_replicate_do.result:
  Added fields to SHOW SLAVE STATUS for replication over SSL
mysql-test/r/rpl_rotate_logs.result:
  Added fields to SHOW SLAVE STATUS for replication over SSL
sql/lex.h:
  Added MASTER_SSL lexems for CHANGE MASTER
sql/mysqld.cc:
  Added --master-ssl-ca parameter. Fixed description of other master-ssl parameters
sql/repl_failsafe.cc:
  Added SSL support to connect_to_master()
sql/share/czech/errmsg.txt:
  Added "slave without SSL ignored SSL params" warning
sql/share/danish/errmsg.txt:
  Added "slave without SSL ignored SSL params" warning
sql/share/dutch/errmsg.txt:
  Added "slave without SSL ignored SSL params" warning
sql/share/english/errmsg.txt:
  Added "slave without SSL ignored SSL params" warning
sql/share/estonian/errmsg.txt:
  Added "slave without SSL ignored SSL params" warning
sql/share/french/errmsg.txt:
  Added "slave without SSL ignored SSL params" warning
sql/share/german/errmsg.txt:
  Added "slave without SSL ignored SSL params" warning
sql/share/greek/errmsg.txt:
  Added "slave without SSL ignored SSL params" warning
sql/share/hungarian/errmsg.txt:
  Added "slave without SSL ignored SSL params" warning
sql/share/italian/errmsg.txt:
  Added "slave without SSL ignored SSL params" warning
sql/share/japanese/errmsg.txt:
  Added "slave without SSL ignored SSL params" warning
sql/share/korean/errmsg.txt:
  Added "slave without SSL ignored SSL params" warning
sql/share/norwegian-ny/errmsg.txt:
  Added "slave without SSL ignored SSL params" warning
sql/share/norwegian/errmsg.txt:
  Added "slave without SSL ignored SSL params" warning
sql/share/polish/errmsg.txt:
  Added "slave without SSL ignored SSL params" warning
sql/share/portuguese/errmsg.txt:
  Added "slave without SSL ignored SSL params" warning
sql/share/romanian/errmsg.txt:
  Added "slave without SSL ignored SSL params" warning
sql/share/russian/errmsg.txt:
  Added "slave without SSL ignored SSL params" warning
sql/share/serbian/errmsg.txt:
  Added "slave without SSL ignored SSL params" warning
sql/share/slovak/errmsg.txt:
  Added "slave without SSL ignored SSL params" warning
sql/share/spanish/errmsg.txt:
  Added "slave without SSL ignored SSL params" warning
sql/share/swedish/errmsg.txt:
  Added "slave without SSL ignored SSL params" warning
sql/share/ukrainian/errmsg.txt:
  Added "slave without SSL ignored SSL params" warning
sql/slave.cc:
  Introduced new format of master.info file
  Added support of SSL params in master.info and SHOW SLAVE STATUS
  Added support of SSL connections
sql/slave.h:
  Added SSL parameters to MASTER_INFO
sql/sql_lex.h:
  Added SSL parameters for CHANGE MASTER TO
sql/sql_repl.cc:
  Added SSL parameters for CHANGE MASTER TO
sql/sql_yacc.yy:
  Added SSL parameters for CHANGE MASTER TO

1 files changed, 136 insertions, 12 deletions

diff --git a/sql/slave.cc b/sql/slave.cc
index 37979576b73..210d2c0c744 100644
--- a/sql/slave.cc
+++ b/sql/slave.cc
@@ -1409,6 +1409,7 @@ static int count_relay_log_space(RELAY_LOG_INFO* rli)
   DBUG_RETURN(0);
 }
 
+#define LINES_IN_MASTER_INFO_WITH_SSL 14
 
 int init_master_info(MASTER_INFO* mi, const char* master_info_fname,
 		     const char* slave_info_fname,
@@ -1462,6 +1463,18 @@ int init_master_info(MASTER_INFO* mi, const char* master_info_fname,
       strmake(mi->password, master_password, HASH_PASSWORD_LENGTH);
     mi->port = master_port;
     mi->connect_retry = master_connect_retry;
+  
+    mi->ssl= master_ssl;
+    if (master_ssl_ca)
+      strmake(mi->ssl_ca, master_ssl_ca, sizeof(mi->ssl_ca)-1);
+    if (master_ssl_capath)
+      strmake(mi->ssl_capath, master_ssl_capath, sizeof(mi->ssl_capath)-1);
+    if (master_ssl_cert)
+      strmake(mi->ssl_cert, master_ssl_cert, sizeof(mi->ssl_cert)-1);
+    if (master_ssl_cipher)
+      strmake(mi->ssl_cipher, master_ssl_cipher, sizeof(mi->ssl_cipher)-1);
+    if (master_ssl_key)
+      strmake(mi->ssl_key, master_ssl_key, sizeof(mi->ssl_key)-1);
   }
   else // file exists
   {
@@ -1473,12 +1486,50 @@ int init_master_info(MASTER_INFO* mi, const char* master_info_fname,
       goto err;
 
     mi->fd = fd;
-    int port, connect_retry, master_log_pos;
-
+    int port, connect_retry, master_log_pos, ssl= 0, lines;
+    char *first_non_digit;
+    
+    /*
+       Starting from 4.1.x master.info has new format. Now its
+       first line contains number of lines in file. By reading this 
+       number we will be always distinguish to which version our 
+       master.info corresponds to. We can't simply count lines in 
+       file since versions before 4.1.x could generate files with more
+       lines than needed.
+       If first line doesn't contain a number or contain number less than 
+       14 then such file is treated like file from pre 4.1.1 version.
+       There is no ambiguity when reading an old master.info, as before 
+       4.1.1, the first line contained the binlog's name, which is either
+       empty or has an extension (contains a '.'), so can't be confused 
+       with an integer.
+
+       So we're just reading first line and trying to figure which version 
+       is this.
+    */
+    
+    /* 
+       The first row is temporarily stored in mi->master_log_name, 
+       if it is line count and not binlog name (new format) it will be 
+       overwritten by the second row later.
+    */
     if (init_strvar_from_file(mi->master_log_name,
 			      sizeof(mi->master_log_name), &mi->file,
-			      "") ||
-	init_intvar_from_file(&master_log_pos, &mi->file, 4) ||
+			      ""))
+      goto errwithmsg;
+    
+    lines= strtoul(mi->master_log_name, &first_non_digit, 10);
+
+    if (mi->master_log_name[0]!='\0' && 
+        *first_non_digit=='\0' && lines >= LINES_IN_MASTER_INFO_WITH_SSL)
+    {                                          // Seems to be new format
+      if (init_strvar_from_file(mi->master_log_name,     
+            sizeof(mi->master_log_name), &mi->file, ""))
+        goto errwithmsg;
+    }
+    else
+      lines= 7;
+    
+    if (init_intvar_from_file(&master_log_pos, &mi->file, 4) ||
 	init_strvar_from_file(mi->host, sizeof(mi->host), &mi->file,
 			      master_host) ||
 	init_strvar_from_file(mi->user, sizeof(mi->user), &mi->file,
@@ -1488,10 +1539,34 @@ int init_master_info(MASTER_INFO* mi, const char* master_info_fname,
 	init_intvar_from_file(&port, &mi->file, master_port) ||
 	init_intvar_from_file(&connect_retry, &mi->file,
 			      master_connect_retry))
-    {
-      sql_print_error("Error reading master configuration");
-      goto err;
-    }
+      goto errwithmsg;
+
+    /* 
+       If file has ssl part use it even if we have server without 
+       SSL support. But these option will be ignored later when 
+       slave will try connect to master, so in this case warning 
+       is printed.
+     */
+    if (lines >= LINES_IN_MASTER_INFO_WITH_SSL && 
+        (init_intvar_from_file(&ssl, &mi->file, master_ssl) ||
+         init_strvar_from_file(mi->ssl_ca, sizeof(mi->ssl_ca), 
+                               &mi->file, master_ssl_ca) ||
+         init_strvar_from_file(mi->ssl_capath, sizeof(mi->ssl_capath), 
+                               &mi->file, master_ssl_capath) ||
+         init_strvar_from_file(mi->ssl_cert, sizeof(mi->ssl_cert),
+                               &mi->file, master_ssl_cert) ||
+         init_strvar_from_file(mi->ssl_cipher, sizeof(mi->ssl_cipher),
+                               &mi->file, master_ssl_cipher) ||
+         init_strvar_from_file(mi->ssl_key, sizeof(mi->ssl_key),
+                              &mi->file, master_ssl_key)))
+      goto errwithmsg;
+#ifndef HAVE_OPENSSL
+    if (ssl)
+      sql_print_error("SSL information in the master info file "
+                      "('%s') are ignored because this MySQL slave was compiled "
+                      "without SSL support.", fname);
+#endif /* HAVE_OPENSSL */
+    
     /*
       This has to be handled here as init_intvar_from_file can't handle
       my_off_t types
@@ -1499,6 +1574,7 @@ int init_master_info(MASTER_INFO* mi, const char* master_info_fname,
     mi->master_log_pos= (my_off_t) master_log_pos;
     mi->port= (uint) port;
     mi->connect_retry= (uint) connect_retry;
+    mi->ssl= (my_bool) ssl;
   }
   DBUG_PRINT("master_info",("log_file_name: %s  position: %ld",
 			    mi->master_log_name,
@@ -1514,7 +1590,10 @@ int init_master_info(MASTER_INFO* mi, const char* master_info_fname,
   error=test(flush_master_info(mi));
   pthread_mutex_unlock(&mi->data_lock);
   DBUG_RETURN(error);
-
+  
+errwithmsg:
+  sql_print_error("Error reading master configuration");
+  
 err:
   if (fd >= 0)
   {
@@ -1648,6 +1727,18 @@ int show_master_info(THD* thd, MASTER_INFO* mi)
 					   MYSQL_TYPE_LONGLONG));
   field_list.push_back(new Item_return_int("Relay_log_space", 10,
 					   MYSQL_TYPE_LONGLONG));
+  field_list.push_back(new Item_empty_string("Master_SSL_Allowed", 7));
+  field_list.push_back(new Item_empty_string("Master_SSL_CA_File",
+                                             sizeof(mi->ssl_ca)));
+  field_list.push_back(new Item_empty_string("Master_SSL_CA_Path", 
+                                             sizeof(mi->ssl_capath)));
+  field_list.push_back(new Item_empty_string("Master_SSL_Cert", 
+                                             sizeof(mi->ssl_cert)));
+  field_list.push_back(new Item_empty_string("Master_SSL_Cipher", 
+                                             sizeof(mi->ssl_cipher)));
+  field_list.push_back(new Item_empty_string("Master_SSL_Key", 
+                                             sizeof(mi->ssl_key)));
+  
   if (protocol->send_fields(&field_list, 1))
     DBUG_RETURN(-1);
 
@@ -1694,6 +1785,17 @@ int show_master_info(THD* thd, MASTER_INFO* mi)
     protocol->store((uint32) mi->rli.slave_skip_counter);
     protocol->store((ulonglong) mi->rli.group_master_log_pos);
     protocol->store((ulonglong) mi->rli.log_space_total);
+#ifdef HAVE_OPENSSL 
+    protocol->store(mi->ssl? "Yes":"No", &my_charset_bin);
+#else
+    protocol->store(mi->ssl? "Ignored":"No", &my_charset_bin);
+#endif
+    protocol->store(mi->ssl_ca, &my_charset_bin);
+    protocol->store(mi->ssl_capath, &my_charset_bin);
+    protocol->store(mi->ssl_cert, &my_charset_bin);
+    protocol->store(mi->ssl_cipher, &my_charset_bin);
+    protocol->store(mi->ssl_key, &my_charset_bin);
+    
     pthread_mutex_unlock(&mi->rli.data_lock);
     pthread_mutex_unlock(&mi->data_lock);
   
@@ -1712,11 +1814,22 @@ bool flush_master_info(MASTER_INFO* mi)
   DBUG_ENTER("flush_master_info");
   DBUG_PRINT("enter",("master_pos: %ld", (long) mi->master_log_pos));
 
+  /*
+     In certain cases this code may create master.info files that seems 
+     corrupted, because of extra lines filled with garbage in the end 
+     file (this happens if new contents take less space than previous 
+     contents of file). But because of number of lines in the first line 
+     of file we don't care about this garbage.
+  */
+  
   my_b_seek(file, 0L);
-  my_b_printf(file, "%s\n%s\n%s\n%s\n%s\n%d\n%d\n",
-	      mi->master_log_name, llstr(mi->master_log_pos, lbuf),
+  my_b_printf(file, "%u\n%s\n%s\n%s\n%s\n%s\n%d\n%d\n%d\n%s\n%s\n%s\n%s\n%s\n",
+	      LINES_IN_MASTER_INFO_WITH_SSL,
+              mi->master_log_name, llstr(mi->master_log_pos, lbuf),
 	      mi->host, mi->user,
-	      mi->password, mi->port, mi->connect_retry);
+	      mi->password, mi->port, mi->connect_retry,
+              (int)(mi->ssl), mi->ssl_ca, mi->ssl_capath, mi->ssl_cert,
+              mi->ssl_cipher, mi->ssl_key);
   flush_io_cache(file);
   DBUG_RETURN(0);
 }
@@ -3061,6 +3174,17 @@ static int connect_to_master(THD* thd, MYSQL* mysql, MASTER_INFO* mi,
 
   mysql_options(mysql, MYSQL_OPT_CONNECT_TIMEOUT, (char *) &slave_net_timeout);
   mysql_options(mysql, MYSQL_OPT_READ_TIMEOUT, (char *) &slave_net_timeout);
+ 
+#ifdef HAVE_OPENSSL
+  if (mi->ssl)
+    mysql_ssl_set(mysql, 
+                  mi->ssl_key[0]?mi->ssl_key:0,
+                  mi->ssl_cert[0]?mi->ssl_cert:0, 
+                  mi->ssl_ca[0]?mi->ssl_ca:0,
+                  mi->ssl_capath[0]?mi->ssl_capath:0,
+                  mi->ssl_cipher[0]?mi->ssl_cipher:0);
+#endif
+
   mysql_options(mysql, MYSQL_SET_CHARSET_NAME, default_charset_info->csname);
   /* This one is not strictly needed but we have it here for completeness */
   mysql_options(mysql, MYSQL_SET_CHARSET_DIR, (char *) charsets_dir);