From f366bff4b55f4edabefe7f500d58adbaf9118e93 Mon Sep 17 00:00:00 2001 From: unknown Date: Fri, 10 Mar 2006 16:41:14 +0100 Subject: Cleanup SSL implementation Remove duplicate code Merge common functions Enforce MySQL coding standard include/violite.h: Cleanup SSL implementation sql-common/client.c: Cleanup SSL implementation sql/mysql_priv.h: Cleanup SSL implementation sql/mysqld.cc: Cleanup SSL implementation sql/sql_acl.cc: Cleanup SSL implementation vio/vio.c: Cleanup SSL implementation vio/vio_priv.h: Cleanup SSL implementation vio/viossl.c: Cleanup SSL implementation vio/viosslfactories.c: Cleanup SSL implementation --- include/violite.h | 21 +--- sql-common/client.c | 106 +++++++++++++--- sql/mysql_priv.h | 2 +- sql/mysqld.cc | 7 +- sql/sql_acl.cc | 4 +- vio/vio.c | 16 +-- vio/vio_priv.h | 22 +--- vio/viossl.c | 336 ++++++++++++++------------------------------------ vio/viosslfactories.c | 301 +++++++++++++++++++------------------------- 9 files changed, 331 insertions(+), 484 deletions(-) diff --git a/include/violite.h b/include/violite.h index b48f3724f5b..b2a5f1640a5 100644 --- a/include/violite.h +++ b/include/violite.h 
@@ -105,33 +105,22 @@ void vio_timeout(Vio *vio,uint which, uint timeout); #include #include -struct st_VioSSLAcceptorFd +struct st_VioSSLFd { SSL_CTX *ssl_context; - SSL_METHOD *ssl_method; - struct st_VioSSLAcceptorFd *session_id_context; }; -/* One copy for client */ -struct st_VioSSLConnectorFd -{ - SSL_CTX *ssl_context; - /* function pointers which are only once for SSL client */ - SSL_METHOD *ssl_method; -}; - -int sslaccept(struct st_VioSSLAcceptorFd*, Vio *, long timeout); -int sslconnect(struct st_VioSSLConnectorFd*, Vio *, long timeout); +int sslaccept(struct st_VioSSLFd*, Vio *, long timeout); +int sslconnect(struct st_VioSSLFd*, Vio *, long timeout); -struct st_VioSSLConnectorFd +struct st_VioSSLFd *new_VioSSLConnectorFd(const char *key_file, const char *cert_file, const char *ca_file, const char *ca_path, const char *cipher); -struct st_VioSSLAcceptorFd +struct st_VioSSLFd *new_VioSSLAcceptorFd(const char *key_file, const char *cert_file, const char *ca_file,const char *ca_path, const char *cipher); -Vio *new_VioSSL(struct st_VioSSLAcceptorFd *fd, Vio *sd, int state); #endif /* HAVE_OPENSSL */ #ifdef HAVE_SMEM diff --git a/sql-common/client.c b/sql-common/client.c index 2d826df0662..21eb58adf01 100644 --- a/sql-common/client.c +++ b/sql-common/client.c @@ -1514,8 +1514,7 @@ mysql_ssl_set(MYSQL *mysql __attribute__((unused)) , static void mysql_ssl_free(MYSQL *mysql __attribute__((unused))) { - struct st_VioSSLConnectorFd *st= - (struct st_VioSSLConnectorFd*) mysql->connector_fd; + struct st_VioSSLFd *ssl_fd= (struct st_VioSSLFd*) mysql->connector_fd; DBUG_ENTER("mysql_ssl_free"); my_free(mysql->options.ssl_key, MYF(MY_ALLOW_ZERO_PTR)); 
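Review bot: The merged `struct st_VioSSLFd` is declared with no note on who owns `ssl_context`, yet both callers in this series (`mysql_ssl_free` in sql-common/client.c and `clean_up` in sql/mysqld.cc) now call `SSL_CTX_free` on it themselves before `my_free`. A one-line comment on the member, `/* Owned by this struct; callers SSL_CTX_free() it before freeing the struct */`, would pin that contract in the header where both sides read it. The `sslaccept`/`sslconnect` prototypes also drop the parameter names for the first two arguments, unlike the `new_VioSSL*Fd` prototypes beside them; `int sslaccept(struct st_VioSSLFd *ssl_fd, Vio *vio, long timeout);` reads better.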
@@ -1523,8 +1522,8 @@ mysql_ssl_free(MYSQL *mysql __attribute__((unused))) my_free(mysql->options.ssl_ca, MYF(MY_ALLOW_ZERO_PTR)); my_free(mysql->options.ssl_capath, MYF(MY_ALLOW_ZERO_PTR)); my_free(mysql->options.ssl_cipher, MYF(MY_ALLOW_ZERO_PTR)); - if (st) - SSL_CTX_free(st->ssl_context); + if (ssl_fd) + SSL_CTX_free(ssl_fd->ssl_context); my_free(mysql->connector_fd,MYF(MY_ALLOW_ZERO_PTR)); mysql->options.ssl_key = 0; mysql->options.ssl_cert = 0; 
@@ -1568,6 +1567,63 @@ static MYSQL_METHODS client_methods= #endif }; +int ssl_verify_server_cert(Vio *vio, const char* server_host) +{ + SSL *ssl; + X509 *server_cert; + char *cp1, *cp2; + char buf[256]; + DBUG_ENTER("ssl_verify_server_cert"); + DBUG_PRINT("enter", ("server_host: %s", server_host)); + + if (!(ssl= (SSL*)vio->ssl_arg)) + { + DBUG_PRINT("error", ("No SSL pointer found")); + return 1; + } + + if (!server_host) + { + DBUG_PRINT("error", ("No server hostname supplied")); + return 1; + } + + if (!(server_cert= SSL_get_peer_certificate(ssl))) + { + DBUG_PRINT("error", ("Could not get server certificate")); + return 1; + } + + /* + We already know that the certificate exchanged was valid; the SSL library + handled that. Now we need to verify that the contents of the certificate + are what we expect. + */ + + X509_NAME_oneline(X509_get_subject_name(server_cert), buf, sizeof(buf)); + X509_free (server_cert); + +// X509_NAME_get_text_by_NID(x509_get_subject_name(server_cert), NID_commonName, buf, sizeof(buf));... does the same thing + + DBUG_PRINT("info", ("hostname in cert: %s", buf)); + cp1 = strstr(buf, "/CN="); + if (cp1) + { + cp1 += 4; // Skip the "/CN=" that we found + cp2 = strchr(cp1, '/'); + if (cp2) + *cp2 = '\0'; + DBUG_PRINT("info", ("Server hostname in cert: ", cp1)); + if (!strcmp(cp1, server_host)) + { + /* Success */ + DBUG_RETURN(0); + } + } + DBUG_PRINT("error", ("SSL certificate validation failure")); + DBUG_RETURN(1); +} + MYSQL * CLI_MYSQL_REAL_CONNECT(MYSQL *mysql,const char *host, const char *user, 
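Review bot: The hostname check in `ssl_verify_server_cert` locates the common name with `strstr(buf, "/CN=")` on the one-line subject, so it matches the first `/CN=` anywhere in that string, including inside another attribute's value, and the fixed 256-byte `buf` may already have been truncated by `X509_NAME_oneline`; `X509_NAME_get_text_by_NID(..., NID_commonName, ...)`, which the commented-out line already mentions, avoids both problems. `DBUG_PRINT("info", ("Server hostname in cert: ", cp1))` has no `%s`, so `cp1` is never printed. The three early `return 1` statements after `DBUG_ENTER` bypass `DBUG_RETURN` and unbalance the debug stack; each should read `DBUG_RETURN(1);`. The second patch in this series removes the function again, so these apply to the version that is re-added.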
@@ -2013,37 +2069,53 @@ CLI_MYSQL_REAL_CONNECT(MYSQL *mysql,const char *host, const char *user, mysql->client_flag=client_flag; #ifdef HAVE_OPENSSL - /* - Oops.. are we careful enough to not send ANY information without - encryption? - */ if (client_flag & CLIENT_SSL) { + /* Do the SSL layering. */ struct st_mysql_options *options= &mysql->options; + struct st_VioSSLFd *ssl_fd; + + /* + Send client_flag, max_packet_size - unencrypted otherwise + the server does not know we want to do SSL + */ if (my_net_write(net,buff,(uint) (end-buff)) || net_flush(net)) { set_mysql_error(mysql, CR_SERVER_LOST, unknown_sqlstate); goto error; } - /* Do the SSL layering. */ - if (!(mysql->connector_fd= - (gptr) new_VioSSLConnectorFd(options->ssl_key, - options->ssl_cert, - options->ssl_ca, - options->ssl_capath, - options->ssl_cipher))) + + /* Create the VioSSLConnectorFd - init SSL and load certs */ + if (!(ssl_fd= new_VioSSLConnectorFd(options->ssl_key, + options->ssl_cert, + options->ssl_ca, + options->ssl_capath, + options->ssl_cipher))) { set_mysql_error(mysql, CR_SSL_CONNECTION_ERROR, unknown_sqlstate); goto error; } + mysql->connector_fd= (void*)ssl_fd; + + /* Connect to the server */ DBUG_PRINT("info", ("IO layer change in progress...")); - if (sslconnect((struct st_VioSSLConnectorFd*)(mysql->connector_fd), - mysql->net.vio, (long) (mysql->options.connect_timeout))) + if (sslconnect(ssl_fd, mysql->net.vio, + (long) (mysql->options.connect_timeout))) { set_mysql_error(mysql, CR_SSL_CONNECTION_ERROR, unknown_sqlstate); goto error; } DBUG_PRINT("info", ("IO layer change done!")); + +#if 0 + /* Verify server cert */ + if (mysql->options.ssl_verify_cert && + ssl_verify_server_cert(mysql->net.vio, mysql->host)) + { + set_mysql_error(mysql, CR_SSL_CONNECTION_ERROR, unknown_sqlstate); + goto error; + } +#endif } #endif /* HAVE_OPENSSL */ diff --git a/sql/mysql_priv.h b/sql/mysql_priv.h index 2c817ae54c2..dfb5d6d22cc 100644 --- a/sql/mysql_priv.h +++ b/sql/mysql_priv.h 
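Review bot: With the server-certificate check wrapped in `#if 0` at the end of the `CLIENT_SSL` branch, and the connector context created by `new_VioSSLConnectorFd` with `SSL_VERIFY_NONE` (vio/viosslfactories.c hunk of this patch), the client completes `sslconnect` without any check of the peer, so a failed chain verification against `ssl_ca`/`ssl_capath` does not abort the connection on the client side. The second patch in this series only replaces the block with `/* TODO Verify server cert */`, so the gap remains on the new side. Until that verification lands, a comment on the `sslconnect` call such as `/* NOTE: the server certificate is not verified here; CLIENT_SSL gives encryption only */` would keep callers from assuming authentication. `CLI_MYSQL_REAL_CONNECT` continues past the hunk.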
@@ -1258,7 +1258,7 @@ extern pthread_t signal_thread; #endif #ifdef HAVE_OPENSSL -extern struct st_VioSSLAcceptorFd * ssl_acceptor_fd; +extern struct st_VioSSLFd * ssl_acceptor_fd; #endif /* HAVE_OPENSSL */ MYSQL_LOCK *mysql_lock_tables(THD *thd, TABLE **table, uint count, diff --git a/sql/mysqld.cc b/sql/mysqld.cc index 37a135fa063..e0be383a9ad 100644 --- a/sql/mysqld.cc +++ b/sql/mysqld.cc @@ -599,7 +599,7 @@ static void openssl_lock(int, openssl_lock_t *, const char *, int); static unsigned long openssl_id_function(); #endif char *des_key_file; -struct st_VioSSLAcceptorFd *ssl_acceptor_fd; +struct st_VioSSLFd *ssl_acceptor_fd; #endif /* HAVE_OPENSSL */ @@ -1110,7 +1110,10 @@ void clean_up(bool print_message) #endif #ifdef HAVE_OPENSSL if (ssl_acceptor_fd) - my_free((gptr) ssl_acceptor_fd, MYF(MY_ALLOW_ZERO_PTR)); + { + SSL_CTX_free(ssl_acceptor_fd->ssl_context); + my_free((gptr) ssl_acceptor_fd, MYF(0)); + } #endif /* HAVE_OPENSSL */ #ifdef USE_REGEX my_regex_end(); diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc index 88c3c86aacb..28d9fe0c532 100644 --- a/sql/sql_acl.cc +++ b/sql/sql_acl.cc @@ -858,8 +858,8 @@ int acl_getroot(THD *thd, USER_RESOURCES *mqh, if (acl_user->x509_issuer) { DBUG_PRINT("info",("checkpoint 3")); - char *ptr = X509_NAME_oneline(X509_get_issuer_name(cert), 0, 0); - DBUG_PRINT("info",("comparing issuers: '%s' and '%s'", + char *ptr = X509_NAME_oneline(X509_get_issuer_name(cert), 0, 0); + DBUG_PRINT("info",("comparing issuers: '%s' and '%s'", acl_user->x509_issuer, ptr)); if (strcmp(acl_user->x509_issuer, ptr)) { diff --git a/vio/vio.c b/vio/vio.c index bc286b2d2bb..21a824a4016 100644 --- a/vio/vio.c +++ b/vio/vio.c 
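Review bot: `clean_up` in sql/mysqld.cc now releases `ssl_acceptor_fd` with `SSL_CTX_free` and `my_free` but leaves the global pointing at freed memory; adding `ssl_acceptor_fd= 0;` inside the new block keeps any later `if (ssl_acceptor_fd)` check elsewhere in the file from dereferencing it. The rest of `clean_up` is outside the hunk.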
@@ -88,19 +88,19 @@ static void vio_init(Vio* vio, enum enum_vio_type type, if (type == VIO_TYPE_SSL) { vio->viodelete =vio_delete; - vio->vioerrno =vio_ssl_errno; + vio->vioerrno =vio_errno; vio->read =vio_ssl_read; vio->write =vio_ssl_write; - vio->fastsend =vio_ssl_fastsend; - vio->viokeepalive =vio_ssl_keepalive; - vio->should_retry =vio_ssl_should_retry; - vio->was_interrupted=vio_ssl_was_interrupted; + vio->fastsend =vio_fastsend; + vio->viokeepalive =vio_keepalive; + vio->should_retry =vio_should_retry; + vio->was_interrupted=vio_was_interrupted; vio->vioclose =vio_ssl_close; - vio->peer_addr =vio_ssl_peer_addr; - vio->in_addr =vio_ssl_in_addr; + vio->peer_addr =vio_peer_addr; + vio->in_addr =vio_in_addr; vio->vioblocking =vio_ssl_blocking; vio->is_blocking =vio_is_blocking; - vio->timeout =vio_ssl_timeout; + vio->timeout =vio_timeout; } else /* default is VIO_TYPE_TCPIP */ #endif /* HAVE_OPENSSL */ diff --git a/vio/vio_priv.h b/vio/vio_priv.h index eb495025ddd..db331abdea8 100644 --- a/vio/vio_priv.h +++ b/vio/vio_priv.h 
@@ -30,28 +30,10 @@ void vio_ignore_timeout(Vio *vio, uint which, uint timeout); int vio_ssl_read(Vio *vio,gptr buf, int size); int vio_ssl_write(Vio *vio,const gptr buf,int size); -void vio_ssl_timeout(Vio *vio, uint which, uint timeout); - -/* setsockopt TCP_NODELAY at IPPROTO_TCP level, when possible. */ -int vio_ssl_fastsend(Vio *vio); -/* setsockopt SO_KEEPALIVE at SOL_SOCKET level, when possible. */ -int vio_ssl_keepalive(Vio *vio, my_bool onoff); -/* Whenever we should retry the last read/write operation. */ -my_bool vio_ssl_should_retry(Vio *vio); -/* Check that operation was timed out */ -my_bool vio_ssl_was_interrupted(Vio *vio); + /* When the workday is over... */ int vio_ssl_close(Vio *vio); -/* Return last error number */ -int vio_ssl_errno(Vio *vio); -my_bool vio_ssl_peer_addr(Vio *vio, char *buf, uint16 *port); -void vio_ssl_in_addr(Vio *vio, struct in_addr *in); + int vio_ssl_blocking(Vio *vio, my_bool set_blocking_mode, my_bool *old_mode); -/* Single copy for server */ -enum vio_ssl_acceptorfd_state -{ - state_connect = 1, - state_accept = 2 -}; #endif /* HAVE_OPENSSL */ diff --git a/vio/viossl.c b/vio/viossl.c index 1273814c551..33b8f716b9e 100644 --- a/vio/viossl.c +++ b/vio/viossl.c @@ -70,12 +70,6 @@ report_errors() } -int vio_ssl_errno(Vio *vio __attribute__((unused))) -{ - return socket_errno; /* On Win32 this mapped to WSAGetLastError() */ -} - - int vio_ssl_read(Vio * vio, gptr buf, int size) { int r; 
@@ -107,183 +101,51 @@ int vio_ssl_write(Vio * vio, const gptr buf, int size) } -int vio_ssl_fastsend(Vio * vio __attribute__((unused))) -{ - int r=0; - DBUG_ENTER("vio_ssl_fastsend"); - -#if defined(IPTOS_THROUGHPUT) && !defined(__EMX__) - { - int tos= IPTOS_THROUGHPUT; - r= setsockopt(vio->sd, IPPROTO_IP, IP_TOS, (void *) &tos, sizeof(tos)); - } -#endif /* IPTOS_THROUGHPUT && !__EMX__ */ - if (!r) - { -#ifdef __WIN__ - BOOL nodelay= 1; - r= setsockopt(vio->sd, IPPROTO_TCP, TCP_NODELAY, (const char*) &nodelay, - sizeof(nodelay)); -#else - int nodelay= 1; - r= setsockopt(vio->sd, IPPROTO_TCP, TCP_NODELAY, (void*) &nodelay, - sizeof(nodelay)); -#endif /* __WIN__ */ - } - if (r) - { - DBUG_PRINT("warning", ("Couldn't set socket option for fast send")); - r= -1; - } - DBUG_PRINT("exit", ("%d", r)); - DBUG_RETURN(r); -} - - -int vio_ssl_keepalive(Vio* vio, my_bool set_keep_alive) -{ - int r=0; - DBUG_ENTER("vio_ssl_keepalive"); - DBUG_PRINT("enter", ("sd: %d, set_keep_alive: %d", vio->sd, (int) - set_keep_alive)); - if (vio->type != VIO_TYPE_NAMEDPIPE) - { - uint opt = (set_keep_alive) ? 
1 : 0; - r= setsockopt(vio->sd, SOL_SOCKET, SO_KEEPALIVE, (char *) &opt, - sizeof(opt)); - } - DBUG_RETURN(r); -} - - -my_bool -vio_ssl_should_retry(Vio * vio __attribute__((unused))) -{ - int en = socket_errno; - return (en == SOCKET_EAGAIN || en == SOCKET_EINTR || - en == SOCKET_EWOULDBLOCK); -} - - -my_bool -vio_ssl_was_interrupted(Vio *vio __attribute__((unused))) -{ - int en= socket_errno; - return (en == SOCKET_EAGAIN || en == SOCKET_EINTR || - en == SOCKET_EWOULDBLOCK || en == SOCKET_ETIMEDOUT); -} - - int vio_ssl_close(Vio * vio) { - int r; + int r= 0; + SSL* ssl= (SSL*)vio->ssl_arg; DBUG_ENTER("vio_ssl_close"); - r=0; - if ((SSL*) vio->ssl_arg) - { - r = SSL_shutdown((SSL*) vio->ssl_arg); - SSL_free((SSL*) vio->ssl_arg); - vio->ssl_arg= 0; - } - if (vio->sd >= 0) - { - if (shutdown(vio->sd, 2)) - r= -1; - if (closesocket(vio->sd)) - r= -1; - } - if (r) - { - DBUG_PRINT("error", ("close() failed, error: %d",socket_errno)); - report_errors(); - /* FIXME: error handling (not critical for MySQL) */ - } - vio->type= VIO_CLOSED; - vio->sd= -1; - DBUG_RETURN(r); -} - - -const char *vio_ssl_description(Vio * vio) -{ - return vio->desc; -} - -enum enum_vio_type vio_ssl_type(Vio* vio) -{ - return vio->type; -} - -my_socket vio_ssl_fd(Vio* vio) -{ - return vio->sd; -} - -my_bool vio_ssl_peer_addr(Vio * vio, char *buf, uint16 *port) -{ - DBUG_ENTER("vio_ssl_peer_addr"); - DBUG_PRINT("enter", ("sd: %d", vio->sd)); - if (vio->localhost) - { - strmov(buf,"127.0.0.1"); - *port=0; - } - else + if (ssl) { - size_socket addrLen = sizeof(struct sockaddr); - if (getpeername(vio->sd, (struct sockaddr *) (& (vio->remote)), - &addrLen) != 0) + switch ((r= SSL_shutdown(ssl))) { - DBUG_PRINT("exit", ("getpeername, error: %d", socket_errno)); - DBUG_RETURN(1); + case 1: /* Shutdown successful */ + break; + case 0: /* Shutdown not yet finished, call it again */ + if ((r= SSL_shutdown(ssl) >= 0)) + break; + /* Fallthrough */ + default: /* Shutdown failed */ + DBUG_PRINT("vio_error", 
("SSL_shutdown() failed, error: %s", + SSL_get_error(ssl, r))); + break; } -#ifdef TO_BE_FIXED - my_inet_ntoa(vio->remote.sin_addr,buf); - *port= 0; -#else - strmov(buf, "unknown"); - *port= 0; -#endif + SSL_free(ssl); + vio->ssl_arg= 0; } - DBUG_PRINT("exit", ("addr: %s", buf)); - DBUG_RETURN(0); -} - - -void vio_ssl_in_addr(Vio *vio, struct in_addr *in) -{ - DBUG_ENTER("vio_ssl_in_addr"); - if (vio->localhost) - bzero((char*) in, sizeof(*in)); - else - *in=vio->remote.sin_addr; - DBUG_VOID_RETURN; + DBUG_RETURN(vio_close(vio)); } -/* - TODO: Add documentation -*/ - -int sslaccept(struct st_VioSSLAcceptorFd* ptr, Vio* vio, long timeout) +int sslaccept(struct st_VioSSLFd* ptr, Vio* vio, long timeout) { - char *str; - char buf[1024]; + SSL *ssl; X509* client_cert; my_bool unused; my_bool net_blocking; enum enum_vio_type old_type; DBUG_ENTER("sslaccept"); - DBUG_PRINT("enter", ("sd: %d ptr: Ox%p, timeout: %d", + DBUG_PRINT("enter", ("sd: %d ptr: %p, timeout: %d", vio->sd, ptr, timeout)); old_type= vio->type; - net_blocking = vio_is_blocking(vio); + net_blocking= vio_is_blocking(vio); vio_blocking(vio, 1, &unused); /* Must be called before reset */ - vio_reset(vio,VIO_TYPE_SSL,vio->sd,0,FALSE); - vio->ssl_arg= 0; - if (!(vio->ssl_arg= (void*) SSL_new(ptr->ssl_context))) + vio_reset(vio, VIO_TYPE_SSL, vio->sd, 0, FALSE); + + if (!(ssl= SSL_new(ptr->ssl_context))) { DBUG_PRINT("error", ("SSL_new failure")); report_errors(); 
@@ -291,121 +153,114 @@ int sslaccept(struct st_VioSSLAcceptorFd* ptr, Vio* vio, long timeout) vio_blocking(vio, net_blocking, &unused); DBUG_RETURN(1); } - DBUG_PRINT("info", ("ssl_: Ox%p timeout: %ld", - (SSL*) vio->ssl_arg, timeout)); - SSL_clear((SSL*) vio->ssl_arg); - SSL_SESSION_set_timeout(SSL_get_session((SSL*) vio->ssl_arg), timeout); - SSL_set_fd((SSL*) vio->ssl_arg,vio->sd); - SSL_set_accept_state((SSL*) vio->ssl_arg); - if (SSL_do_handshake((SSL*) vio->ssl_arg) < 1) + vio->ssl_arg= (void*)ssl; + DBUG_PRINT("info", ("ssl_: %p timeout: %ld", ssl, timeout)); + SSL_clear(ssl); + SSL_SESSION_set_timeout(SSL_get_session(ssl), timeout); + SSL_set_fd(ssl, vio->sd); + SSL_set_accept_state(ssl); + if (SSL_do_handshake(ssl) < 1) { DBUG_PRINT("error", ("SSL_do_handshake failure")); report_errors(); - SSL_free((SSL*) vio->ssl_arg); + SSL_free(ssl); vio->ssl_arg= 0; vio_reset(vio, old_type,vio->sd,0,FALSE); vio_blocking(vio, net_blocking, &unused); DBUG_RETURN(1); } + #ifndef DBUG_OFF - DBUG_PRINT("info",("SSL_get_cipher_name() = '%s'" - ,SSL_get_cipher_name((SSL*) vio->ssl_arg))); - client_cert = SSL_get_peer_certificate ((SSL*) vio->ssl_arg); - if (client_cert != NULL) { - DBUG_PRINT("info",("Client certificate:")); - str = X509_NAME_oneline (X509_get_subject_name (client_cert), 0, 0); - DBUG_PRINT("info",("\t subject: %s", str)); - free (str); + char buf[1024]; + DBUG_PRINT("info",("cipher_name= '%s'", SSL_get_cipher_name(ssl))); - str = X509_NAME_oneline (X509_get_issuer_name (client_cert), 0, 0); - DBUG_PRINT("info",("\t issuer: %s", str)); - free (str); + if ((client_cert= SSL_get_peer_certificate (ssl))) + { + DBUG_PRINT("info",("Client certificate:")); + X509_NAME_oneline (X509_get_subject_name (client_cert), + buf, sizeof(buf)); + DBUG_PRINT("info",("\t subject: %s", buf)); - X509_free (client_cert); - } - else - DBUG_PRINT("info",("Client does not have certificate.")); + X509_NAME_oneline (X509_get_issuer_name (client_cert), + buf, sizeof(buf)); + 
DBUG_PRINT("info",("\t issuer: %s", buf)); - str=SSL_get_shared_ciphers((SSL*) vio->ssl_arg, buf, sizeof(buf)); - if (str) - { - DBUG_PRINT("info",("SSL_get_shared_ciphers() returned '%s'",str)); - } - else - { - DBUG_PRINT("info",("no shared ciphers!")); - } + X509_free (client_cert); + } + else + DBUG_PRINT("info",("Client does not have certificate.")); + if (SSL_get_shared_ciphers(ssl, buf, sizeof(buf))) + { + DBUG_PRINT("info",("shared_ciphers: '%s'", buf)); + } + else + DBUG_PRINT("info",("no shared ciphers!")); + } #endif + DBUG_RETURN(0); } -int sslconnect(struct st_VioSSLConnectorFd* ptr, Vio* vio, long timeout) +int sslconnect(struct st_VioSSLFd* ptr, Vio* vio, long timeout) { - char *str; - X509* server_cert; + SSL *ssl; + X509 *server_cert; my_bool unused; my_bool net_blocking; - enum enum_vio_type old_type; + enum enum_vio_type old_type; + DBUG_ENTER("sslconnect"); - DBUG_PRINT("enter", ("sd: %d ptr: 0x%p ctx: 0x%p", - vio->sd,ptr,ptr->ssl_context)); + DBUG_PRINT("enter", ("sd: %d, ptr: %p, ctx: %p", + vio->sd, ptr, ptr->ssl_context)); old_type= vio->type; - net_blocking = vio_is_blocking(vio); + net_blocking= vio_is_blocking(vio); vio_blocking(vio, 1, &unused); /* Must be called before reset */ - vio_reset(vio,VIO_TYPE_SSL,vio->sd,0,FALSE); - vio->ssl_arg= 0; - if (!(vio->ssl_arg = SSL_new(ptr->ssl_context))) + vio_reset(vio, VIO_TYPE_SSL, vio->sd, 0, FALSE); + if (!(ssl= SSL_new(ptr->ssl_context))) { DBUG_PRINT("error", ("SSL_new failure")); report_errors(); - vio_reset(vio, old_type,vio->sd,0,FALSE); - vio_blocking(vio, net_blocking, &unused); + vio_reset(vio, old_type, vio->sd, 0, FALSE); + vio_blocking(vio, net_blocking, &unused); DBUG_RETURN(1); } - DBUG_PRINT("info", ("ssl_: 0x%p timeout: %ld", - (SSL*) vio->ssl_arg, timeout)); - SSL_clear((SSL*) vio->ssl_arg); - SSL_SESSION_set_timeout(SSL_get_session((SSL*) vio->ssl_arg), timeout); - SSL_set_fd ((SSL*) vio->ssl_arg, vio_ssl_fd(vio)); - SSL_set_connect_state((SSL*) vio->ssl_arg); - if 
(SSL_do_handshake((SSL*) vio->ssl_arg) < 1) + vio->ssl_arg= (void*)ssl; + DBUG_PRINT("info", ("ssl: %p, timeout: %ld", ssl, timeout)); + SSL_clear(ssl); + SSL_SESSION_set_timeout(SSL_get_session(ssl), timeout); + SSL_set_fd(ssl, vio->sd); + SSL_set_connect_state(ssl); + if (SSL_do_handshake(ssl) < 1) { DBUG_PRINT("error", ("SSL_do_handshake failure")); report_errors(); - SSL_free((SSL*) vio->ssl_arg); + SSL_free(ssl); vio->ssl_arg= 0; - vio_reset(vio, old_type,vio->sd,0,FALSE); + vio_reset(vio, old_type, vio->sd, 0, FALSE); vio_blocking(vio, net_blocking, &unused); DBUG_RETURN(1); - } + } #ifndef DBUG_OFF - DBUG_PRINT("info",("SSL_get_cipher_name() = '%s'" - ,SSL_get_cipher_name((SSL*) vio->ssl_arg))); - server_cert = SSL_get_peer_certificate ((SSL*) vio->ssl_arg); - if (server_cert != NULL) + DBUG_PRINT("info",("cipher_name: '%s'" , SSL_get_cipher_name(ssl))); + + if ((server_cert= SSL_get_peer_certificate (ssl))) { + char buf[256]; DBUG_PRINT("info",("Server certificate:")); - str = X509_NAME_oneline (X509_get_subject_name (server_cert), 0, 0); - DBUG_PRINT("info",("\t subject: %s", str)); - free(str); - - str = X509_NAME_oneline (X509_get_issuer_name (server_cert), 0, 0); - DBUG_PRINT("info",("\t issuer: %s", str)); - free(str); - - /* - We could do all sorts of certificate verification stuff here before - deallocating the certificate. - */ + X509_NAME_oneline(X509_get_subject_name(server_cert), buf, sizeof(buf)); + DBUG_PRINT("info",("\t subject: %s", buf)); + X509_NAME_oneline (X509_get_issuer_name(server_cert), buf, sizeof(buf)); + DBUG_PRINT("info",("\t issuer: %s", buf)); X509_free (server_cert); } else DBUG_PRINT("info",("Server does not have certificate.")); #endif + DBUG_RETURN(0); } 
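Review bot: In both `sslaccept` and `sslconnect`, `SSL_SESSION_set_timeout(SSL_get_session(ssl), timeout)` runs right after `SSL_new`/`SSL_clear` and before any handshake; if `SSL_get_session` returns NULL at that point because no session is attached yet, the call is a silent no-op and `timeout` is never applied, so either check its return value or move the call after `SSL_do_handshake`. Both functions also stop zeroing `vio->ssl_arg` before `SSL_new`, so on the `SSL_new` failure path the field keeps whatever it held before unless `vio_reset` clears it — `vio_reset` is not in this hunk, so worth confirming. Minor: `sslaccept`'s enter trace prints the `long` `timeout` with `%d`; `%ld` as in the later info trace.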
@@ -414,21 +269,10 @@ int vio_ssl_blocking(Vio * vio __attribute__((unused)), my_bool set_blocking_mode, my_bool *old_mode) { + /* Mode is always blocking */ + *old_mode= 1; /* Return error if we try to change to non_blocking mode */ - *old_mode=1; /* Mode is always blocking */ - return set_blocking_mode ? 0 : 1; + return (set_blocking_mode ? 0 : 1); } - -void vio_ssl_timeout(Vio *vio __attribute__((unused)), - uint which __attribute__((unused)), - uint timeout __attribute__((unused))) -{ -#ifdef __WIN__ - ulong wait_timeout= (ulong) timeout * 1000; - (void) setsockopt(vio->sd, SOL_SOCKET, - which ? SO_SNDTIMEO : SO_RCVTIMEO, (char*) &wait_timeout, - sizeof(wait_timeout)); -#endif /* __WIN__ */ -} #endif /* HAVE_OPENSSL */ diff --git a/vio/viosslfactories.c b/vio/viosslfactories.c index 4ee27f1e491..c58fa449374 100644 --- a/vio/viosslfactories.c +++ b/vio/viosslfactories.c @@ -21,7 +21,6 @@ static bool ssl_algorithms_added = FALSE; static bool ssl_error_strings_loaded= FALSE; static int verify_depth = 0; -static int verify_error = X509_V_OK; static unsigned char dh512_p[]= { 
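Review bot: In `vio_ssl_blocking` the comment `/* Return error if we try to change to non_blocking mode */` now sits on the `*old_mode= 1;` line, which it does not describe, while the `return` it explains carries no comment; moving it to the line above `return (set_blocking_mode ? 0 : 1);` restores the pairing. The removal of `vio_ssl_timeout` is consistent with vio.c routing SSL vios to `vio_timeout` in this patch.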
@@ -82,30 +81,31 @@ vio_set_cert_stuff(SSL_CTX *ctx, const char *cert_file, const char *key_file) DBUG_ENTER("vio_set_cert_stuff"); DBUG_PRINT("enter", ("ctx: %p, cert_file: %s, key_file: %s", ctx, cert_file, key_file)); - if (cert_file != NULL) + if (cert_file) { - if (SSL_CTX_use_certificate_file(ctx,cert_file,SSL_FILETYPE_PEM) <= 0) + if (SSL_CTX_use_certificate_file(ctx, cert_file, SSL_FILETYPE_PEM) <= 0) { - DBUG_PRINT("error",("unable to get certificate from '%s'\n",cert_file)); + DBUG_PRINT("error",("unable to get certificate from '%s'\n", cert_file)); /* FIX stderr */ fprintf(stderr,"Error when connection to server using SSL:"); ERR_print_errors_fp(stderr); fprintf(stderr,"Unable to get certificate from '%s'\n", cert_file); fflush(stderr); - DBUG_RETURN(0); + DBUG_RETURN(1); } - if (key_file == NULL) - key_file = cert_file; - if (SSL_CTX_use_PrivateKey_file(ctx,key_file, - SSL_FILETYPE_PEM) <= 0) + + if (!key_file) + key_file= cert_file; + + if (SSL_CTX_use_PrivateKey_file(ctx, key_file, SSL_FILETYPE_PEM) <= 0) { - DBUG_PRINT("error", ("unable to get private key from '%s'\n",key_file)); + DBUG_PRINT("error", ("unable to get private key from '%s'\n", key_file)); /* FIX stderr */ fprintf(stderr,"Error when connection to server using SSL:"); ERR_print_errors_fp(stderr); fprintf(stderr,"Unable to get private key from '%s'\n", cert_file); - fflush(stderr); - DBUG_RETURN(0); + fflush(stderr); + DBUG_RETURN(1); } /* 
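Review bot: The private-key failure path in `vio_set_cert_stuff` still reports `fprintf(stderr,"Unable to get private key from '%s'\n", cert_file);` although the file that failed to load is `key_file`, which differs from `cert_file` whenever both are supplied; the line should print `key_file`. The flip of the return convention to 0 on success and 1 on failure is applied consistently within this hunk, so the `DBUG_RETURN(1)` changes look right; the function's closing lines are in the next hunk.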
@@ -116,45 +116,45 @@ vio_set_cert_stuff(SSL_CTX *ctx, const char *cert_file, const char *key_file) { DBUG_PRINT("error", ("Private key does not match the certificate public key\n")); - DBUG_RETURN(0); + DBUG_RETURN(1); } } - DBUG_RETURN(1); + DBUG_RETURN(0); } static int vio_verify_callback(int ok, X509_STORE_CTX *ctx) { - char buf[256]; - X509* err_cert; - int err,depth; + char buf[256]; + X509 *err_cert; DBUG_ENTER("vio_verify_callback"); - DBUG_PRINT("enter", ("ok: %d, ctx: 0x%p", ok, ctx)); - err_cert=X509_STORE_CTX_get_current_cert(ctx); - err= X509_STORE_CTX_get_error(ctx); - depth= X509_STORE_CTX_get_error_depth(ctx); + DBUG_PRINT("enter", ("ok: %d, ctx: %p", ok, ctx)); - X509_NAME_oneline(X509_get_subject_name(err_cert),buf,sizeof(buf)); + err_cert= X509_STORE_CTX_get_current_cert(ctx); + X509_NAME_oneline(X509_get_subject_name(err_cert), buf, sizeof(buf)); + DBUG_PRINT("info", ("cert: %s", buf)); if (!ok) { - DBUG_PRINT("error",("verify error: num: %d : '%s'\n",err, + int err, depth; + err= X509_STORE_CTX_get_error(ctx); + depth= X509_STORE_CTX_get_error_depth(ctx); + + DBUG_PRINT("error",("verify error: %d, '%s'",err, X509_verify_cert_error_string(err))); + /* + Approve cert if depth is greater then "verify_depth", currently + verify_depth is always 0 and there is no way to increase it. + */ if (verify_depth >= depth) - { - ok=1; - verify_error=X509_V_OK; - } - else - { - verify_error=X509_V_ERR_CERT_CHAIN_TOO_LONG; - } + ok= 1; } - switch (ctx->error) { + switch (ctx->error) + { case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: - X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert),buf,256); - DBUG_PRINT("info",("issuer= %s\n",buf)); + X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert), buf, 256); + DBUG_PRINT("info",("issuer= %s\n", buf)); break; case X509_V_ERR_CERT_NOT_YET_VALID: case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: 
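Review bot: The new comment in `vio_verify_callback` says a certificate is approved when its depth is greater than `verify_depth`, but the condition `if (verify_depth >= depth) ok= 1;` approves when the depth is less than or equal, and with `verify_depth` fixed at 0 that is exactly depth 0, the peer's own certificate: any verification error reported for the peer certificate itself is overridden while errors on its issuers are not. Either the comment or the condition is wrong; the usual OpenSSL depth check only forces a failure for `depth > verify_depth` and never forces an approval, so `ok` should be left untouched here rather than set to 1. The function continues past the hunk, so I cannot see what is finally returned.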
@@ -198,193 +198,150 @@ static void netware_ssl_init() #endif /* __NETWARE__ */ -/************************ VioSSLConnectorFd **********************************/ -/* - TODO: - Add option --verify to mysql to be able to change verification mode -*/ - -struct st_VioSSLConnectorFd * -new_VioSSLConnectorFd(const char* key_file, - const char* cert_file, - const char* ca_file, - const char* ca_path, - const char* cipher) +static void check_ssl_init() { - int verify = SSL_VERIFY_NONE; - struct st_VioSSLConnectorFd* ptr; - int result; - DH *dh; - DBUG_ENTER("new_VioSSLConnectorFd"); - - if (!(ptr=((struct st_VioSSLConnectorFd*) - my_malloc(sizeof(struct st_VioSSLConnectorFd),MYF(0))))) - DBUG_RETURN(0); - - ptr->ssl_context= 0; - ptr->ssl_method= 0; - /* FIXME: constants! */ - if (!ssl_algorithms_added) { - DBUG_PRINT("info", ("todo: OpenSSL_add_all_algorithms()")); - ssl_algorithms_added = TRUE; + ssl_algorithms_added= TRUE; SSL_library_init(); OpenSSL_add_all_algorithms(); + } + #ifdef __NETWARE__ + /* MASV, should it be done everytime? 
*/ netware_ssl_init(); #endif if (!ssl_error_strings_loaded) { - DBUG_PRINT("info", ("todo:SSL_load_error_strings()")); - ssl_error_strings_loaded = TRUE; + ssl_error_strings_loaded= TRUE; SSL_load_error_strings(); } - ptr->ssl_method = TLSv1_client_method(); - ptr->ssl_context = SSL_CTX_new(ptr->ssl_method); - DBUG_PRINT("info", ("ssl_context: %p",ptr->ssl_context)); - if (ptr->ssl_context == 0) +} + +/************************ VioSSLFd **********************************/ +struct st_VioSSLFd * +new_VioSSLFd(const char *key_file, const char *cert_file, + const char *ca_file, const char *ca_path, + const char *cipher, SSL_METHOD *method) +{ + DH *dh; + struct st_VioSSLFd *ssl_fd; + DBUG_ENTER("new_VioSSLFd"); + + check_ssl_init(); + + if (!(ssl_fd= ((struct st_VioSSLFd*) + my_malloc(sizeof(struct st_VioSSLFd),MYF(0))))) + DBUG_RETURN(0); + + if (!(ssl_fd->ssl_context= SSL_CTX_new(method))) { DBUG_PRINT("error", ("SSL_CTX_new failed")); report_errors(); - goto ctor_failure; + my_free((void*)ssl_fd,MYF(0)); + DBUG_RETURN(0); } - /* - SSL_CTX_set_options - SSL_CTX_set_info_callback - */ - if (cipher) + + /* Set the ciphers that can be used */ + if (cipher && SSL_CTX_set_cipher_list(ssl_fd->ssl_context, cipher)) { - result=SSL_CTX_set_cipher_list(ptr->ssl_context, cipher); - DBUG_PRINT("info",("SSL_set_cipher_list() returned %d",result)); + DBUG_PRINT("error", ("failed to set ciphers to use")); + report_errors(); + my_free((void*)ssl_fd,MYF(0)); + DBUG_RETURN(0); } - SSL_CTX_set_verify(ptr->ssl_context, verify, vio_verify_callback); - if (vio_set_cert_stuff(ptr->ssl_context, cert_file, key_file) == -1) + + if (vio_set_cert_stuff(ssl_fd->ssl_context, cert_file, key_file)) { DBUG_PRINT("error", ("vio_set_cert_stuff failed")); report_errors(); - goto ctor_failure; + my_free((void*)ssl_fd,MYF(0)); + DBUG_RETURN(0); } - if (SSL_CTX_load_verify_locations( ptr->ssl_context, ca_file,ca_path) == 0) + + if (SSL_CTX_load_verify_locations(ssl_fd->ssl_context, ca_file, ca_path) == 0) 
{ DBUG_PRINT("warning", ("SSL_CTX_load_verify_locations failed")); - if (SSL_CTX_set_default_verify_paths(ptr->ssl_context) == 0) + if (SSL_CTX_set_default_verify_paths(ssl_fd->ssl_context) == 0) { DBUG_PRINT("error", ("SSL_CTX_set_default_verify_paths failed")); report_errors(); - goto ctor_failure; + my_free((void*)ssl_fd,MYF(0)); + DBUG_RETURN(0); } - } + } /* DH stuff */ dh=get_dh512(); - SSL_CTX_set_tmp_dh(ptr->ssl_context,dh); + SSL_CTX_set_tmp_dh(ssl_fd->ssl_context, dh); DH_free(dh); - DBUG_RETURN(ptr); -ctor_failure: - DBUG_PRINT("exit", ("there was an error")); - my_free((gptr)ptr,MYF(0)); - DBUG_RETURN(0); + DBUG_PRINT("exit", ("OK 1")); + + DBUG_RETURN(ssl_fd); } -/************************ VioSSLAcceptorFd **********************************/ -/* - TODO: - Add option --verify to mysqld to be able to change verification mode -*/ -struct st_VioSSLAcceptorFd* -new_VioSSLAcceptorFd(const char *key_file, - const char *cert_file, - const char *ca_file, - const char *ca_path, - const char *cipher) +/************************ VioSSLConnectorFd **********************************/ +struct st_VioSSLFd * +new_VioSSLConnectorFd(const char *key_file, const char *cert_file, + const char *ca_file, const char *ca_path, + const char *cipher) { - int verify = (SSL_VERIFY_PEER | - SSL_VERIFY_CLIENT_ONCE); - struct st_VioSSLAcceptorFd* ptr; - int result; - DH *dh; - DBUG_ENTER("new_VioSSLAcceptorFd"); + struct st_VioSSLFd *ssl_fd; + int verify= SSL_VERIFY_NONE; + if (!(ssl_fd= new_VioSSLFd(key_file, cert_file, ca_file, + ca_path, cipher, TLSv1_client_method()))) + { + return 0; + } + /* Init the the VioSSLFd as a "connector" ie. the client side */ - ptr= ((struct st_VioSSLAcceptorFd*) - my_malloc(sizeof(struct st_VioSSLAcceptorFd),MYF(0))); - ptr->ssl_context=0; - ptr->ssl_method=0; - /* FIXME: constants! */ - ptr->session_id_context= ptr; + /* + The verify_callback function is used to control the behaviour + when the SSL_VERIFY_PEER flag is set. 
Here it is SSL_VERIFY_NONE + and thus callback is set to NULL + */ + SSL_CTX_set_verify(ssl_fd->ssl_context, verify, NULL); - if (!ssl_algorithms_added) - { - DBUG_PRINT("info", ("todo: OpenSSL_add_all_algorithms()")); - ssl_algorithms_added = TRUE; - SSL_library_init(); - OpenSSL_add_all_algorithms(); + return ssl_fd; +} - } -#ifdef __NETWARE__ - netware_ssl_init(); -#endif - if (!ssl_error_strings_loaded) - { - DBUG_PRINT("info", ("todo: SSL_load_error_strings()")); - ssl_error_strings_loaded = TRUE; - SSL_load_error_strings(); - } - ptr->ssl_method= TLSv1_server_method(); - ptr->ssl_context= SSL_CTX_new(ptr->ssl_method); - if (ptr->ssl_context == 0) - { - DBUG_PRINT("error", ("SSL_CTX_new failed")); - report_errors(); - goto ctor_failure; - } - if (cipher) +/************************ VioSSLAcceptorFd **********************************/ +struct st_VioSSLFd* +new_VioSSLAcceptorFd(const char *key_file, const char *cert_file, + const char *ca_file, const char *ca_path, + const char *cipher) +{ + struct st_VioSSLFd *ssl_fd; + int verify= SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE; + if (!(ssl_fd= new_VioSSLFd(key_file, cert_file, ca_file, + ca_path, cipher, TLSv1_server_method()))) { - result=SSL_CTX_set_cipher_list(ptr->ssl_context, cipher); - DBUG_PRINT("info",("SSL_set_cipher_list() returned %d",result)); + return 0; } - /* SSL_CTX_set_quiet_shutdown(ctx,1); */ - SSL_CTX_sess_set_cache_size(ptr->ssl_context,128); + /* Init the the VioSSLFd as a "acceptor" ie. the server side */ - /* DH? 
*/ - SSL_CTX_set_verify(ptr->ssl_context, verify, vio_verify_callback); - SSL_CTX_set_session_id_context(ptr->ssl_context, - (const uchar*) &(ptr->session_id_context), - sizeof(ptr->session_id_context)); + /* Set max number of cached sessions, returns the previous size */ + SSL_CTX_sess_set_cache_size(ssl_fd->ssl_context, 128); /* - SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file(CAfile)); + The verify_callback function is used to control the behaviour + when the SSL_VERIFY_PEER flag is set. */ - if (vio_set_cert_stuff(ptr->ssl_context, cert_file, key_file) == -1) - { - DBUG_PRINT("error", ("vio_set_cert_stuff failed")); - report_errors(); - goto ctor_failure; - } - if (SSL_CTX_load_verify_locations( ptr->ssl_context, ca_file, ca_path) == 0) - { - DBUG_PRINT("warning", ("SSL_CTX_load_verify_locations failed")); - if (SSL_CTX_set_default_verify_paths(ptr->ssl_context)==0) - { - DBUG_PRINT("error", ("SSL_CTX_set_default_verify_paths failed")); - report_errors(); - goto ctor_failure; - } - } - /* DH stuff */ - dh=get_dh512(); - SSL_CTX_set_tmp_dh(ptr->ssl_context,dh); - DH_free(dh); - DBUG_RETURN(ptr); + SSL_CTX_set_verify(ssl_fd->ssl_context, verify, vio_verify_callback); -ctor_failure: - DBUG_PRINT("exit", ("there was an error")); - my_free((gptr) ptr,MYF(0)); - DBUG_RETURN(0); + /* + Set session_id - an identifier for this server session + Use the ssl_fd pointer + */ + SSL_CTX_set_session_id_context(ssl_fd->ssl_context, + ssl_fd, + sizeof(ssl_fd)); + + return ssl_fd; } #endif /* HAVE_OPENSSL */ -- cgit v1.2.1 From 90ef6fcaa5e6c9ce31e89c2ff0d8d02378e0ee5d Mon Sep 17 00:00:00 2001 
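Review bot: `if (cipher && SSL_CTX_set_cipher_list(ssl_fd->ssl_context, cipher))` in `new_VioSSLFd` treats success as failure: `SSL_CTX_set_cipher_list` returns 1 when at least one cipher was selected and 0 on failure, so any valid cipher list makes the constructor bail out; the test should be `if (cipher && !SSL_CTX_set_cipher_list(ssl_fd->ssl_context, cipher))`. The three failure paths after `SSL_CTX_new` succeeds (cipher list, `vio_set_cert_stuff`, `SSL_CTX_set_default_verify_paths`) call `my_free` on `ssl_fd` without `SSL_CTX_free(ssl_fd->ssl_context)`, leaking the context; a shared error label that frees both would fix all three at once. In `new_VioSSLAcceptorFd` the comment says the session id context uses the `ssl_fd` pointer, but `SSL_CTX_set_session_id_context(ssl_fd->ssl_context, ssl_fd, sizeof(ssl_fd))` passes the first `sizeof(ssl_fd)` bytes of the struct (the `ssl_context` value), not the pointer; `(const unsigned char*) &ssl_fd` would match the comment, or the comment should say what is actually used.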
From: unknown Date: Wed, 12 Apr 2006 14:06:05 +0200 Subject: Fix up patch sql-common/client.c: Remove the ssl_verify_server_cert will be added in separate patch vio/viossl.c: Fix coding standard vio/viosslfactories.c: Remove comment --- sql-common/client.c | 68 +-------------------------------------------------- vio/viossl.c | 24 +++++++++--------- vio/viosslfactories.c | 1 - 3 files changed, 13 insertions(+), 80 deletions(-) diff --git a/sql-common/client.c b/sql-common/client.c index da38d022c4d..b24b92014d6 100644 --- a/sql-common/client.c +++ b/sql-common/client.c 
@@ -1567,64 +1567,6 @@ static MYSQL_METHODS client_methods= #endif }; -int ssl_verify_server_cert(Vio *vio, const char* server_host) -{ - SSL *ssl; - X509 *server_cert; - char *cp1, *cp2; - char buf[256]; - DBUG_ENTER("ssl_verify_server_cert"); - DBUG_PRINT("enter", ("server_host: %s", server_host)); - - if (!(ssl= (SSL*)vio->ssl_arg)) - { - DBUG_PRINT("error", ("No SSL pointer found")); - return 1; - } - - if (!server_host) - { - DBUG_PRINT("error", ("No server hostname supplied")); - return 1; - } - - if (!(server_cert= SSL_get_peer_certificate(ssl))) - { - DBUG_PRINT("error", ("Could not get server certificate")); - return 1; - } - - /* - We already know that the certificate exchanged was valid; the SSL library - handled that. Now we need to verify that the contents of the certificate - are what we expect. - */ - - X509_NAME_oneline(X509_get_subject_name(server_cert), buf, sizeof(buf)); - X509_free (server_cert); - -// X509_NAME_get_text_by_NID(x509_get_subject_name(server_cert), NID_commonName, buf, sizeof(buf));... does the same thing - - DBUG_PRINT("info", ("hostname in cert: %s", buf)); - cp1 = strstr(buf, "/CN="); - if (cp1) - { - cp1 += 4; // Skip the "/CN=" that we found - cp2 = strchr(cp1, '/'); - if (cp2) - *cp2 = '\0'; - DBUG_PRINT("info", ("Server hostname in cert: ", cp1)); - if (!strcmp(cp1, server_host)) - { - /* Success */ - DBUG_RETURN(0); - } - } - DBUG_PRINT("error", ("SSL certificate validation failure")); - DBUG_RETURN(1); -} - - MYSQL * CLI_MYSQL_REAL_CONNECT(MYSQL *mysql,const char *host, const char *user, const char *passwd, const char *db, 
@@ -2107,15 +2049,7 @@ CLI_MYSQL_REAL_CONNECT(MYSQL *mysql,const char *host, const char *user, } DBUG_PRINT("info", ("IO layer change done!")); -#if 0 - /* Verify server cert */ - if (mysql->options.ssl_verify_cert && - ssl_verify_server_cert(mysql->net.vio, mysql->host)) - { - set_mysql_error(mysql, CR_SSL_CONNECTION_ERROR, unknown_sqlstate); - goto error; - } -#endif + /* TODO Verify server cert */ } #endif /* HAVE_OPENSSL */ diff --git a/vio/viossl.c b/vio/viossl.c index 33b8f716b9e..aa4cdda9f01 100644 --- a/vio/viossl.c +++ b/vio/viossl.c @@ -54,12 +54,12 @@ static void report_errors() { unsigned long l; - const char* file; - const char* data; - int line,flags; + const char *file; + const char *data; + int line,flags; DBUG_ENTER("report_errors"); - while ((l=ERR_get_error_line_data(&file,&line,&data,&flags))) + while ((l= ERR_get_error_line_data(&file,&line,&data,&flags))) { char buf[512]; DBUG_PRINT("error", ("OpenSSL: %s:%s:%d:%s\n", ERR_error_string(l,buf), @@ -70,7 +70,7 @@ report_errors() } -int vio_ssl_read(Vio * vio, gptr buf, int size) +int vio_ssl_read(Vio *vio, gptr buf, int size) { int r; DBUG_ENTER("vio_ssl_read"); @@ -88,7 +88,7 @@ int vio_ssl_read(Vio * vio, gptr buf, int size) } -int vio_ssl_write(Vio * vio, const gptr buf, int size) +int vio_ssl_write(Vio *vio, const gptr buf, int size) { int r; DBUG_ENTER("vio_ssl_write"); @@ -101,10 +101,10 @@ int vio_ssl_write(Vio * vio, const gptr buf, int size) } -int vio_ssl_close(Vio * vio) +int vio_ssl_close(Vio *vio) { int r= 0; - SSL* ssl= (SSL*)vio->ssl_arg; + SSL *ssl= (SSL*)vio->ssl_arg; DBUG_ENTER("vio_ssl_close"); if (ssl) @@ -129,10 +129,10 @@ int vio_ssl_close(Vio * vio) } -int sslaccept(struct st_VioSSLFd* ptr, Vio* vio, long timeout) +int sslaccept(struct st_VioSSLFd *ptr, Vio *vio, long timeout) { SSL *ssl; - X509* client_cert; + X509 *client_cert; my_bool unused; my_bool net_blocking; enum enum_vio_type old_type; 
@@ -204,7 +204,7 @@ int sslaccept(struct st_VioSSLFd* ptr, Vio* vio, long timeout) } -int sslconnect(struct st_VioSSLFd* ptr, Vio* vio, long timeout) +int sslconnect(struct st_VioSSLFd *ptr, Vio *vio, long timeout) { SSL *ssl; X509 *server_cert; @@ -265,7 +265,7 @@ int sslconnect(struct st_VioSSLFd* ptr, Vio* vio, long timeout) } -int vio_ssl_blocking(Vio * vio __attribute__((unused)), +int vio_ssl_blocking(Vio *vio __attribute__((unused)), my_bool set_blocking_mode, my_bool *old_mode) { diff --git a/vio/viosslfactories.c b/vio/viosslfactories.c index c58fa449374..d6356f1adca 100644 --- a/vio/viosslfactories.c +++ b/vio/viosslfactories.c @@ -209,7 +209,6 @@ static void check_ssl_init() } #ifdef __NETWARE__ - /* MASV, should it be done everytime? */ netware_ssl_init(); #endif -- cgit v1.2.1 From edfc0149d0167560a98eacc7f222e4ff2caa5714 Mon Sep 17 00:00:00 2001 
From: unknown Date: Tue, 18 Apr 2006 17:58:27 +0200 Subject: Bug#17208 SSL: client does not verify server certificate - Add new function 'ssl_verify_server_cert' which is used if we are connecting to the server with SSL. It will compare the hostname in the server's cert against the hostname that we used when connecting to the server. Will reject the connection if hostname does not match. - Add new option "OPT_SSL_VERIFY_SERVER_CERT" to be passed to mysql_options which will turn on checking of servers cert. - Add new argument "ssl-verify-server-cert" to all mysql* clients which will activate the above option. - Generate a new server cert with 1024 bits that has "localhost" as the server name. SSL/server-cert.pem: Generate a new server cert that has "localhost" as CN, so that we can test to verify the hostname we connected against with the hostname in the cert client/client_priv.h: Add OPT_SSL_VERIFY_CERT client/mysql.cc: Pass the variable "opt_ssl_verify_server_cert" to the mysql_options function. It's processed/included by include/sslopt*.h files client/mysqladmin.cc: Pass the variable "opt_ssl_verify_server_cert" to the mysql_options function. It's processed/included by include/sslopt*.h files client/mysqldump.c: Pass the variable "opt_ssl_verify_server_cert" to the mysql_options function. It's processed/included by include/sslopt*.h files client/mysqlimport.c: Pass the variable "opt_ssl_verify_server_cert" to the mysql_options function. It's processed/included by include/sslopt*.h files client/mysqlshow.c: Pass the variable "opt_ssl_verify_server_cert" to the mysql_options function. It's processed/included by include/sslopt*.h files client/mysqltest.c: Always set opt_ssl_verify_server_cert on in mysqltest if we are using SSL include/mysql.h: Add variable ssl_verify_cerver_cert include/sslopt-longopts.h: Add ssl-verify-server-cert options to all clients. include/sslopt-vars.h: Add opt_ssl_varify_server_cert to all clients. 
sql-common/client.c: Add ssl_vertify_server_cert function which is executed if user has set the option ssl_verify_cerver_cert vio/viosslfactories.c: Ask the SSL library to verify servers cert by setting the SSL_VERIFY_PEER flag --- SSL/server-cert.pem | 78 +++++++++++++++++++++--------------------- client/client_priv.h | 2 +- client/mysql.cc | 2 ++ client/mysqladmin.cc | 2 ++ client/mysqldump.c | 2 ++ client/mysqlimport.c | 2 ++ client/mysqlshow.c | 2 ++ client/mysqltest.c | 11 +++++- include/mysql.h | 4 ++- include/sslopt-longopts.h | 7 +++- include/sslopt-vars.h | 3 ++ sql-common/client.c | 86 +++++++++++++++++++++++++++++++++++++++++++++-- vio/viosslfactories.c | 8 ++--- 13 files changed, 159 insertions(+), 50 deletions(-) diff --git a/SSL/server-cert.pem b/SSL/server-cert.pem index debf7026e3c..4ef70ed5095 100644 --- a/SSL/server-cert.pem +++ b/SSL/server-cert.pem @@ -1,13 +1,14 @@ Certificate: Data: Version: 3 (0x2) - Serial Number: 2 (0x2) + Serial Number: + e9:07:d1:01:94:ee:66:ca Signature Algorithm: md5WithRSAEncryption - Issuer: C=SE, L=Uppsala, O=MySQL AB, CN=Abstract MySQL Developer/Email=abstract.mysql.developer@mysql.com + Issuer: C=SE, ST=Uppsala, L=Uppsala, O=MySQL AB, CN=localhost/emailAddress=abstract.mysql.developer@mysql.com Validity - Not Before: Sep 12 16:22:06 2003 GMT - Not After : Sep 9 16:22:06 2013 GMT - Subject: C=SE, L=Uppsala, O=MySQL AB, CN=MySQL Server/Email=abstract.mysql.developer@mysql.com + Not Before: Apr 18 15:35:37 2006 GMT + Not After : Jan 12 15:35:37 2009 GMT + Subject: C=SE, ST=Uppsala, L=Uppsala, O=MySQL AB, CN=localhost/emailAddress=abstract.mysql.developer@mysql.com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) 
@@ -23,45 +24,42 @@ Certificate: 3d:0e:4d:2a:a8:b8:ca:99:8d Exponent: 65537 (0x10001) X509v3 extensions: - X509v3 Basic Constraints: - CA:FALSE - Netscape Comment: - OpenSSL Generated Certificate X509v3 Subject Key Identifier: 6E:E4:9B:6A:C5:EA:E4:E6:C7:EF:D7:1E:C8:63:45:60:2B:1B:D4:D4 X509v3 Authority Key Identifier: - keyid:88:98:65:D9:F3:F2:8B:03:1D:66:60:61:23:FA:AD:73:6D:D3:68:92 - DirName:/C=SE/L=Uppsala/O=MySQL AB/CN=Abstract MySQL Developer/Email=abstract.mysql.developer@mysql.com - serial:00 + keyid:6E:E4:9B:6A:C5:EA:E4:E6:C7:EF:D7:1E:C8:63:45:60:2B:1B:D4:D4 + DirName:/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB/CN=localhost/emailAddress=abstract.mysql.developer@mysql.com + serial:E9:07:D1:01:94:EE:66:CA + X509v3 Basic Constraints: + CA:TRUE Signature Algorithm: md5WithRSAEncryption - 31:77:69:b9:bd:ab:29:f3:fc:5a:09:16:6f:5d:42:ea:ba:01: - 55:69:e3:75:cf:b8:d1:b7:b9:bf:da:63:85:8c:48:92:06:60: - 76:97:e0:00:78:4b:ad:da:ab:6a:90:6d:8b:03:a8:b1:e9:09: - 78:e1:29:98:56:12:60:6b:42:fe:e8:a7:c4:f8:d6:15:07:e8: - 2b:c2:d8:8a:e5:1b:2e:51:08:9b:56:e3:b3:7a:4c:3e:e5:be: - 4a:4d:f8:65:7b:a8:21:e0:ca:fe:8b:ab:d7:ec:f2:2d:f7:d0: - bf:d7:c5:23:1c:08:d8:aa:57:c7:f3:5f:ba:33:3f:78:d1:f4: - 8e:5e + 1f:03:59:6e:ff:1f:9d:c7:19:9e:8e:b2:1a:c0:0b:9e:ee:94: + 35:77:2a:93:04:ea:d5:a8:fc:36:5a:5b:e3:1c:02:b8:cf:04: + 6e:21:b0:27:f6:96:6e:d6:8f:cd:02:cf:23:f3:e7:ff:6a:ee: + a9:09:c5:c9:07:81:b6:d2:bc:bd:13:47:0d:7b:76:f6:8a:c4: + 76:24:f8:4c:4e:26:fc:d8:c0:1f:3d:40:19:43:8e:41:ab:99: + 3a:99:9b:24:7c:ae:78:f3:df:2f:a2:ed:8f:27:0a:0a:0b:04: + bf:25:74:88:87:96:c8:68:d5:bc:5b:a0:ef:14:aa:53:6e:c4: + a3:e3 -----BEGIN CERTIFICATE----- -MIIDkTCCAvqgAwIBAgIBAjANBgkqhkiG9w0BAQQFADCBiDELMAkGA1UEBhMCU0Ux -EDAOBgNVBAcTB1VwcHNhbGExETAPBgNVBAoTCE15U1FMIEFCMSEwHwYDVQQDExhB -YnN0cmFjdCBNeVNRTCBEZXZlbG9wZXIxMTAvBgkqhkiG9w0BCQEWImFic3RyYWN0 -Lm15c3FsLmRldmVsb3BlckBteXNxbC5jb20wHhcNMDMwOTEyMTYyMjA2WhcNMTMw -OTA5MTYyMjA2WjB8MQswCQYDVQQGEwJTRTEQMA4GA1UEBxMHVXBwc2FsYTERMA8G 
-A1UEChMITXlTUUwgQUIxFTATBgNVBAMTDE15U1FMIFNlcnZlcjExMC8GCSqGSIb3 -DQEJARYiYWJzdHJhY3QubXlzcWwuZGV2ZWxvcGVyQG15c3FsLmNvbTCBnzANBgkq -hkiG9w0BAQEFAAOBjQAwgYkCgYEA6YZ6VYSITL6k+JJzMBJJC3qFhzk0OQ19C40Y -wheVE1LSP1UQV8g/WvWy+ovQZ0nMqoL8n84AtHPzNtI608KwDhTD1LIhdKHwMYFg -h5hzXBDBsRpN8fOwmD/w15ebK/3VIXmyL+tkFcmbnfyeLdT4BFvqqXVLQsM9Dk0q -qLjKmY0CAwEAAaOCARQwggEQMAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9w -ZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBRu5Jtqxerk5sfv -1x7IY0VgKxvU1DCBtQYDVR0jBIGtMIGqgBSImGXZ8/KLAx1mYGEj+q1zbdNokqGB -jqSBizCBiDELMAkGA1UEBhMCU0UxEDAOBgNVBAcTB1VwcHNhbGExETAPBgNVBAoT -CE15U1FMIEFCMSEwHwYDVQQDExhBYnN0cmFjdCBNeVNRTCBEZXZlbG9wZXIxMTAv -BgkqhkiG9w0BCQEWImFic3RyYWN0Lm15c3FsLmRldmVsb3BlckBteXNxbC5jb22C -AQAwDQYJKoZIhvcNAQEEBQADgYEAMXdpub2rKfP8WgkWb11C6roBVWnjdc+40be5 -v9pjhYxIkgZgdpfgAHhLrdqrapBtiwOosekJeOEpmFYSYGtC/uinxPjWFQfoK8LY -iuUbLlEIm1bjs3pMPuW+Sk34ZXuoIeDK/our1+zyLffQv9fFIxwI2KpXx/NfujM/ -eNH0jl4= +MIIDijCCAvOgAwIBAgIJAOkH0QGU7mbKMA0GCSqGSIb3DQEBBAUAMIGLMQswCQYD +VQQGEwJTRTEQMA4GA1UECBMHVXBwc2FsYTEQMA4GA1UEBxMHVXBwc2FsYTERMA8G +A1UEChMITXlTUUwgQUIxEjAQBgNVBAMTCWxvY2FsaG9zdDExMC8GCSqGSIb3DQEJ +ARYiYWJzdHJhY3QubXlzcWwuZGV2ZWxvcGVyQG15c3FsLmNvbTAeFw0wNjA0MTgx +NTM1MzdaFw0wOTAxMTIxNTM1MzdaMIGLMQswCQYDVQQGEwJTRTEQMA4GA1UECBMH +VXBwc2FsYTEQMA4GA1UEBxMHVXBwc2FsYTERMA8GA1UEChMITXlTUUwgQUIxEjAQ +BgNVBAMTCWxvY2FsaG9zdDExMC8GCSqGSIb3DQEJARYiYWJzdHJhY3QubXlzcWwu +ZGV2ZWxvcGVyQG15c3FsLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA +6YZ6VYSITL6k+JJzMBJJC3qFhzk0OQ19C40YwheVE1LSP1UQV8g/WvWy+ovQZ0nM +qoL8n84AtHPzNtI608KwDhTD1LIhdKHwMYFgh5hzXBDBsRpN8fOwmD/w15ebK/3V +IXmyL+tkFcmbnfyeLdT4BFvqqXVLQsM9Dk0qqLjKmY0CAwEAAaOB8zCB8DAdBgNV +HQ4EFgQUbuSbasXq5ObH79ceyGNFYCsb1NQwgcAGA1UdIwSBuDCBtYAUbuSbasXq +5ObH79ceyGNFYCsb1NShgZGkgY4wgYsxCzAJBgNVBAYTAlNFMRAwDgYDVQQIEwdV +cHBzYWxhMRAwDgYDVQQHEwdVcHBzYWxhMREwDwYDVQQKEwhNeVNRTCBBQjESMBAG +A1UEAxMJbG9jYWxob3N0MTEwLwYJKoZIhvcNAQkBFiJhYnN0cmFjdC5teXNxbC5k +ZXZlbG9wZXJAbXlzcWwuY29tggkA6QfRAZTuZsowDAYDVR0TBAUwAwEB/zANBgkq 
+hkiG9w0BAQQFAAOBgQAfA1lu/x+dxxmejrIawAue7pQ1dyqTBOrVqPw2WlvjHAK4 +zwRuIbAn9pZu1o/NAs8j8+f/au6pCcXJB4G20ry9E0cNe3b2isR2JPhMTib82MAf +PUAZQ45Bq5k6mZskfK54898vou2PJwoKCwS/JXSIh5bIaNW8W6DvFKpTbsSj4w== -----END CERTIFICATE----- diff --git a/client/client_priv.h b/client/client_priv.h index a9d5364df49..9e011144836 100644 --- a/client/client_priv.h +++ b/client/client_priv.h @@ -51,5 +51,5 @@ enum options_client #endif OPT_TRIGGERS, OPT_IGNORE_TABLE,OPT_INSERT_IGNORE,OPT_SHOW_WARNINGS,OPT_DROP_DATABASE, - OPT_TZ_UTC, OPT_AUTO_CLOSE + OPT_TZ_UTC, OPT_AUTO_CLOSE, OPT_SSL_VERIFY_SERVER_CERT }; diff --git a/client/mysql.cc b/client/mysql.cc index cd4cbf49918..7c1e70cfda2 100644 --- a/client/mysql.cc +++ b/client/mysql.cc @@ -3123,6 +3123,8 @@ sql_real_connect(char *host,char *database,char *user,char *password, if (opt_use_ssl) mysql_ssl_set(&mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca, opt_ssl_capath, opt_ssl_cipher); + mysql_options(&mysql,MYSQL_OPT_SSL_VERIFY_SERVER_CERT, + (char*)&opt_ssl_verify_server_cert); #endif if (opt_protocol) mysql_options(&mysql,MYSQL_OPT_PROTOCOL,(char*)&opt_protocol); diff --git a/client/mysqladmin.cc b/client/mysqladmin.cc index 5b52d524f8e..57ab4e071fb 100644 --- a/client/mysqladmin.cc +++ b/client/mysqladmin.cc @@ -340,6 +340,8 @@ int main(int argc,char *argv[]) if (opt_use_ssl) mysql_ssl_set(&mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca, opt_ssl_capath, opt_ssl_cipher); + mysql_options(&mysql,MYSQL_OPT_SSL_VERIFY_SERVER_CERT, + (char*)&opt_ssl_verify_server_cert); #endif if (opt_protocol) mysql_options(&mysql,MYSQL_OPT_PROTOCOL,(char*)&opt_protocol); diff --git a/client/mysqldump.c b/client/mysqldump.c index 78f12593f46..ee6d7b9d12b 100644 --- a/client/mysqldump.c +++ b/client/mysqldump.c 
@@ -905,6 +905,8 @@ static int dbConnect(char *host, char *user,char *passwd) if (opt_use_ssl) mysql_ssl_set(&mysql_connection, opt_ssl_key, opt_ssl_cert, opt_ssl_ca, opt_ssl_capath, opt_ssl_cipher); + mysql_options(&mysql_connection,MYSQL_OPT_SSL_VERIFY_SERVER_CERT, + (char*)&opt_ssl_verify_server_cert); #endif if (opt_protocol) mysql_options(&mysql_connection,MYSQL_OPT_PROTOCOL,(char*)&opt_protocol); diff --git a/client/mysqlimport.c b/client/mysqlimport.c index 8694093f06b..1f9b96f91be 100644 --- a/client/mysqlimport.c +++ b/client/mysqlimport.c @@ -384,6 +384,8 @@ static MYSQL *db_connect(char *host, char *database, char *user, char *passwd) if (opt_use_ssl) mysql_ssl_set(&mysql_connection, opt_ssl_key, opt_ssl_cert, opt_ssl_ca, opt_ssl_capath, opt_ssl_cipher); + mysql_options(&mysql_connection,MYSQL_OPT_SSL_VERIFY_SERVER_CERT, + (char*)&opt_ssl_verify_server_cert); #endif if (opt_protocol) mysql_options(&mysql_connection,MYSQL_OPT_PROTOCOL,(char*)&opt_protocol); diff --git a/client/mysqlshow.c b/client/mysqlshow.c index 504f0d9844b..d090495ff81 100644 --- a/client/mysqlshow.c +++ b/client/mysqlshow.c @@ -109,6 +109,8 @@ int main(int argc, char **argv) if (opt_use_ssl) mysql_ssl_set(&mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca, opt_ssl_capath, opt_ssl_cipher); + mysql_options(&mysql,MYSQL_OPT_SSL_VERIFY_SERVER_CERT, + (char*)&opt_ssl_verify_server_cert); #endif if (opt_protocol) mysql_options(&mysql,MYSQL_OPT_PROTOCOL,(char*)&opt_protocol); diff --git a/client/mysqltest.c b/client/mysqltest.c index e51d83270b5..7257958311f 100644 --- a/client/mysqltest.c +++ b/client/mysqltest.c 
@@ -108,7 +108,7 @@ enum {OPT_MANAGER_USER=256,OPT_MANAGER_HOST,OPT_MANAGER_PASSWD, OPT_MANAGER_PORT,OPT_MANAGER_WAIT_TIMEOUT, OPT_SKIP_SAFEMALLOC, OPT_SSL_SSL, OPT_SSL_KEY, OPT_SSL_CERT, OPT_SSL_CA, OPT_SSL_CAPATH, OPT_SSL_CIPHER,OPT_PS_PROTOCOL,OPT_SP_PROTOCOL,OPT_CURSOR_PROTOCOL, - OPT_VIEW_PROTOCOL}; + OPT_VIEW_PROTOCOL, OPT_SSL_VERIFY_SERVER_CERT}; /* ************************************************************************ */ /* @@ -2378,8 +2378,12 @@ int do_connect(struct st_query *q) #ifdef HAVE_OPENSSL if (opt_use_ssl || con_ssl) + { mysql_ssl_set(&next_con->mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca, opt_ssl_capath, opt_ssl_cipher); + mysql_options(&next_con->mysql, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, + &opt_ssl_verify_server_cert); + } #endif if (con_sock && !free_con_sock && *con_sock && *con_sock != FN_LIBCHAR) con_sock=fn_format(buff, con_sock, TMPDIR, "",0); @@ -4604,9 +4608,14 @@ int main(int argc, char **argv) mysql_options(&cur_con->mysql, MYSQL_SET_CHARSET_NAME, charset_name); #ifdef HAVE_OPENSSL + opt_ssl_verify_server_cert= TRUE; /* Always on in mysqltest */ if (opt_use_ssl) + { mysql_ssl_set(&cur_con->mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca, opt_ssl_capath, opt_ssl_cipher); + mysql_options(&cur_con->mysql, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, + &opt_ssl_verify_server_cert); + } #endif if (!(cur_con->name = my_strdup("default", MYF(MY_WME)))) diff --git a/include/mysql.h b/include/mysql.h index 925a4525378..7149224dcdd 100644 --- a/include/mysql.h +++ b/include/mysql.h @@ -149,7 +149,8 @@ enum mysql_option MYSQL_OPT_WRITE_TIMEOUT, MYSQL_OPT_USE_RESULT, MYSQL_OPT_USE_REMOTE_CONNECTION, MYSQL_OPT_USE_EMBEDDED_CONNECTION, MYSQL_OPT_GUESS_CONNECTION, MYSQL_SET_CLIENT_IP, MYSQL_SECURE_AUTH, - MYSQL_REPORT_DATA_TRUNCATION, MYSQL_OPT_RECONNECT + MYSQL_REPORT_DATA_TRUNCATION, MYSQL_OPT_RECONNECT, + MYSQL_OPT_SSL_VERIFY_SERVER_CERT }; struct st_mysql_options { 
@@ -164,6 +165,7 @@ struct st_mysql_options { char *ssl_ca; /* PEM CA file */ char *ssl_capath; /* PEM directory of CA-s? */ char *ssl_cipher; /* cipher to use */ + my_bool ssl_verify_server_cert; /* if to verify server cert */ char *shared_memory_base_name; unsigned long max_allowed_packet; my_bool use_ssl; /* if to use SSL or not */ diff --git a/include/sslopt-longopts.h b/include/sslopt-longopts.h index dc3b0922327..f444a7eb7ce 100644 --- a/include/sslopt-longopts.h +++ b/include/sslopt-longopts.h @@ -37,5 +37,10 @@ {"ssl-cipher", OPT_SSL_CIPHER, "SSL cipher to use (implies --ssl).", (gptr*) &opt_ssl_cipher, (gptr*) &opt_ssl_cipher, 0, GET_STR, REQUIRED_ARG, 0, 0, 0, 0, 0, 0}, - +#ifdef MYSQL_CLIENT + {"ssl-verify-server-cert", OPT_SSL_VERIFY_SERVER_CERT, + "Verify servers \"Common Name\" in it's cert against hostname used when connecting. This option is disabled by default.", + (gptr*) &opt_ssl_verify_server_cert, (gptr*) &opt_ssl_verify_server_cert, + 0, GET_BOOL, NO_ARG, 0, 0, 0, 0, 0, 0}, +#endif #endif /* HAVE_OPENSSL */ diff --git a/include/sslopt-vars.h b/include/sslopt-vars.h index 164cf541381..8e5f3434396 100644 --- a/include/sslopt-vars.h +++ b/include/sslopt-vars.h @@ -21,4 +21,7 @@ static char *opt_ssl_cert = 0; static char *opt_ssl_ca = 0; static char *opt_ssl_capath = 0; static char *opt_ssl_cipher = 0; +#ifdef MYSQL_CLIENT +static my_bool opt_ssl_verify_server_cert= 0; +#endif #endif diff --git a/sql-common/client.c b/sql-common/client.c index b24b92014d6..13a816b05b9 100644 --- a/sql-common/client.c +++ b/sql-common/client.c @@ -1500,6 +1500,7 @@ mysql_ssl_set(MYSQL *mysql __attribute__((unused)) , mysql->options.ssl_ca= strdup_if_not_null(ca); mysql->options.ssl_capath= strdup_if_not_null(capath); mysql->options.ssl_cipher= strdup_if_not_null(cipher); + mysql->options.ssl_verify_server_cert= FALSE; /* Off by default */ #endif /* HAVE_OPENSSL */ DBUG_RETURN(0); } 
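Review bot: The help text added for `ssl-verify-server-cert` has a grammar slip ("it's cert" should be "its cert") and is awkward; `"Verify server's \"Common Name\" in its cert against hostname used when connecting. This option is disabled by default."` reads cleanly. Since this is a user-visible string that will end up in documentation and --help output, it is worth fixing before it propagates.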
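Review bot: `mysql->options.ssl_verify_server_cert= FALSE; /* Off by default */` inside mysql_ssl_set() overwrites whatever a caller already set through mysql_options(MYSQL_OPT_SSL_VERIFY_SERVER_CERT), so the two calls become order-dependent: mysql_options() before mysql_ssl_set() silently leaves the server certificate unverified. The clients in this patch happen to call mysql_ssl_set() first, but library users have no such guarantee, and the failure mode is a security check that looks enabled yet is not. Drop this line and give the flag its default where the other options are initialised (presumably mysql_init(); if st_mysql_options is zeroed there, FALSE already follows), so that mysql_ssl_set() only configures the key/cert/CA fields. mysql_ssl_set's body starts outside the hunk.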
@@ -1521,7 +1522,7 @@ mysql_ssl_free(MYSQL *mysql __attribute__((unused))) my_free(mysql->options.ssl_cert, MYF(MY_ALLOW_ZERO_PTR)); my_free(mysql->options.ssl_ca, MYF(MY_ALLOW_ZERO_PTR)); my_free(mysql->options.ssl_capath, MYF(MY_ALLOW_ZERO_PTR)); - my_free(mysql->options.ssl_cipher, MYF(MY_ALLOW_ZERO_PTR)); + my_free(mysql->options.ssl_cipher, MYF(MY_ALLOW_ZERO_PTR)); if (ssl_fd) SSL_CTX_free(ssl_fd->ssl_context); my_free(mysql->connector_fd,MYF(MY_ALLOW_ZERO_PTR)); 
@@ -1534,6 +1535,77 @@ mysql_ssl_free(MYSQL *mysql __attribute__((unused)))
 mysql->connector_fd = 0;
 DBUG_VOID_RETURN;
 }
+
+/*
+ Check the server's (subject) Common Name against the
+ hostname we connected to
+
+ SYNOPSIS
+ ssl_verify_server_cert()
+ vio pointer to a SSL connected vio
+ server_hostname name of the server that we connected to
+
+ RETURN VALUES
+ 0 Success
+ 1 Failed to validate server
+
+ */
+static int ssl_verify_server_cert(Vio *vio, const char* server_hostname)
+{
+ SSL *ssl;
+ X509 *server_cert;
+ char *cp1, *cp2;
+ char buf[256];
+ DBUG_ENTER("ssl_verify_server_cert");
+ DBUG_PRINT("enter", ("server_hostname: %s", server_hostname));
+
+ if (!(ssl= (SSL*)vio->ssl_arg))
+ {
+ DBUG_PRINT("error", ("No SSL pointer found"));
+ DBUG_RETURN(1);
+ }
+
+ if (!server_hostname)
+ {
+ DBUG_PRINT("error", ("No server hostname supplied"));
+ DBUG_RETURN(1);
+ }
+
+ if (!(server_cert= SSL_get_peer_certificate(ssl)))
+ {
+ DBUG_PRINT("error", ("Could not get server certificate"));
+ DBUG_RETURN(1);
+ }
+
+ /*
+ We already know that the certificate exchanged was valid; the SSL library
+ handled that. Now we need to verify that the contents of the certificate
+ are what we expect.
+ */
+
+ X509_NAME_oneline(X509_get_subject_name(server_cert), buf, sizeof(buf));
+ X509_free (server_cert);
+
+ DBUG_PRINT("info", ("hostname in cert: %s", buf));
+ cp1 = strstr(buf, "/CN=");
+ if (cp1)
+ {
+ cp1 += 4; // Skip the "/CN=" that we found
+ // Search for next / which might be the delimiter for email
+ cp2 = strchr(cp1, '/');
+ if (cp2)
+ *cp2 = '\0';
+ DBUG_PRINT("info", ("Server hostname in cert: %s", cp1));
+ if (!strcmp(cp1, server_hostname))
+ {
+ /* Success */
+ DBUG_RETURN(0);
+ }
+ }
+ DBUG_PRINT("error", ("SSL certificate validation failure"));
+ DBUG_RETURN(1);
+}
+
 #endif /* HAVE_OPENSSL */
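Review bot: The Common Name is recovered by text-parsing the X509_NAME_oneline() rendering of the whole subject (`cp1 = strstr(buf, "/CN=")` and the following strchr), which is fragile: the rendering is truncated to the 256-byte buf, the return value is never checked, and the delimiter scan stops at the first '/' so any attribute value that itself contains '/' or the text "/CN=" shifts what is compared against the hostname. Reading the attribute directly with X509_NAME_get_text_by_NID(..., NID_commonName, ...) — which the comment deleted in the earlier "Fix up patch" commit already pointed at — removes the re-parse and the cp1/cp2 locals; a rewrite of that section is below. Independently, the comment "We already know that the certificate exchanged was valid" holds only if vio_verify_callback (not in this patch) rejects chain failures, so a defensive `SSL_get_verify_result(ssl) != X509_V_OK` check before comparing names makes this function self-contained. Note also that the match is an exact, case-sensitive strcmp and subjectAltName is not consulted; the fence keeps the strcmp so that behaviour is unchanged, but a case-insensitive compare is worth a follow-up.
```c
  /* … unchanged: ssl / server_hostname / SSL_get_peer_certificate checks … */

  /* Do not trust the certificate contents unless the chain itself verified */
  if (SSL_get_verify_result(ssl) != X509_V_OK)
  {
    DBUG_PRINT("error", ("Server certificate failed chain verification"));
    X509_free(server_cert);
    DBUG_RETURN(1);
  }

  /* Read the CN attribute directly instead of re-parsing the oneline form */
  if (X509_NAME_get_text_by_NID(X509_get_subject_name(server_cert),
                                NID_commonName, buf, sizeof(buf)) <= 0)
  {
    DBUG_PRINT("error", ("No Common Name in server certificate"));
    X509_free(server_cert);
    DBUG_RETURN(1);
  }
  X509_free(server_cert);

  DBUG_PRINT("info", ("Server hostname in cert: %s", buf));
  if (!strcmp(buf, server_hostname))
  {
    /* Success */
    DBUG_RETURN(0);
  }
  /* … unchanged: failure DBUG_PRINT and DBUG_RETURN(1) … */
```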
@@ -2049,7 +2121,14 @@ CLI_MYSQL_REAL_CONNECT(MYSQL *mysql,const char *host, const char *user, } DBUG_PRINT("info", ("IO layer change done!")); - /* TODO Verify server cert */ + /* Verify server cert */ + if (mysql->options.ssl_verify_server_cert && + ssl_verify_server_cert(mysql->net.vio, mysql->host)) + { + set_mysql_error(mysql, CR_SSL_CONNECTION_ERROR, unknown_sqlstate); + goto error; + } + } #endif /* HAVE_OPENSSL */ @@ -2789,6 +2868,9 @@ mysql_options(MYSQL *mysql,enum mysql_option option, const char *arg) case MYSQL_OPT_RECONNECT: mysql->reconnect= *(my_bool *) arg; break; + case MYSQL_OPT_SSL_VERIFY_SERVER_CERT: + mysql->options.ssl_verify_server_cert= *(my_bool *) arg; + break; default: DBUG_RETURN(1); } diff --git a/vio/viosslfactories.c b/vio/viosslfactories.c index d6356f1adca..2b3e80a98e4 100644 --- a/vio/viosslfactories.c +++ b/vio/viosslfactories.c @@ -290,20 +290,20 @@ new_VioSSLConnectorFd(const char *key_file, const char *cert_file, const char *cipher) { struct st_VioSSLFd *ssl_fd; - int verify= SSL_VERIFY_NONE; + int verify= SSL_VERIFY_PEER; if (!(ssl_fd= new_VioSSLFd(key_file, cert_file, ca_file, ca_path, cipher, TLSv1_client_method()))) { return 0; } + /* Init the the VioSSLFd as a "connector" ie. the client side */ /* The verify_callback function is used to control the behaviour - when the SSL_VERIFY_PEER flag is set. Here it is SSL_VERIFY_NONE - and thus callback is set to NULL + when the SSL_VERIFY_PEER flag is set. */ - SSL_CTX_set_verify(ssl_fd->ssl_context, verify, NULL); + SSL_CTX_set_verify(ssl_fd->ssl_context, verify, vio_verify_callback); return ssl_fd; } -- cgit v1.2.1 From 4449047d0eac62db679300da661b97f11ab574cb Mon Sep 17 00:00:00 2001 
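Review bot: Switching the connector to `int verify= SSL_VERIFY_PEER;` only enforces anything if vio_verify_callback (presumably defined elsewhere in viosslfactories.c, outside this hunk) returns its preverify_ok argument rather than an unconditional 1; with a permissive callback OpenSSL completes the handshake on a bad chain, and the new client-side hostname check then compares a name taken from an unverified certificate. Please confirm that and record it in the comment, e.g. `/* vio_verify_callback must propagate preverify_ok; SSL_VERIFY_PEER aborts the handshake only when the callback returns 0 */`. This is also a behaviour change for every SSL client: without a usable ca_file/ca_path the chain check fails and connections that previously succeeded under SSL_VERIFY_NONE are refused, which is the right default but deserves a line in the commit message. The added comment has a doubled word: `/* Init the VioSSLFd as a "connector" ie. the client side */`.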
From: unknown Date: Wed, 26 Apr 2006 15:29:52 +0200 Subject: Import from upstream yassl extra/yassl/mySTL/helpers.hpp: Import patch yassl.diff extra/yassl/taocrypt/include/asn.hpp: Import patch yassl.diff extra/yassl/taocrypt/src/asn.cpp: Import patch yassl.diff extra/yassl/taocrypt/src/make.bat: Import patch yassl.diff extra/yassl/taocrypt/src/template_instnt.cpp: Import patch yassl.diff extra/yassl/testsuite/test.hpp: Import patch yassl.diff --- extra/yassl/mySTL/helpers.hpp | 5 +++ extra/yassl/taocrypt/include/asn.hpp | 19 ++++++--- extra/yassl/taocrypt/src/asn.cpp | 64 ++++++++++++++++++++++------ extra/yassl/taocrypt/src/make.bat | 2 +- extra/yassl/taocrypt/src/template_instnt.cpp | 1 - extra/yassl/testsuite/test.hpp | 4 +- 6 files changed, 73 insertions(+), 22 deletions(-) diff --git a/extra/yassl/mySTL/helpers.hpp b/extra/yassl/mySTL/helpers.hpp index 5aa14d838b1..df79025197a 100644 --- a/extra/yassl/mySTL/helpers.hpp +++ b/extra/yassl/mySTL/helpers.hpp @@ -44,6 +44,11 @@ return static_cast(d); } + // for compilers that want matching delete + inline void operator delete(void* ptr, Dummy* d) + { + } + typedef Dummy* yassl_pointer; namespace mySTL { diff --git a/extra/yassl/taocrypt/include/asn.hpp b/extra/yassl/taocrypt/include/asn.hpp index 6a1163fbb1c..7dc349e00db 100644 --- a/extra/yassl/taocrypt/include/asn.hpp +++ b/extra/yassl/taocrypt/include/asn.hpp @@ -79,7 +79,13 @@ enum ASNIdFlag enum DNTags { - COMMON_NAME = 0x03 + COMMON_NAME = 0x03, // CN + SUR_NAME = 0x04, // SN + COUNTRY_NAME = 0x06, // C + LOCALITY_NAME = 0x07, // L + STATE_NAME = 0x08, // ST + ORG_NAME = 0x0a, // O + ORGUNIT_NAME = 0x0b // OU }; @@ -92,7 +98,8 @@ enum Constants MAX_SEQ_SZ = 5, // enum(seq|con) + length(4) MAX_ALGO_SIZE = 9, MAX_DIGEST_SZ = 25, // SHA + enum(Bit or Octet) + length(4) - DSA_SIG_SZ = 40 + DSA_SIG_SZ = 40, + NAME_MAX = 512 // max total of all included names }; 
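Review bot: `NAME_MAX = 512` in enum Constants reuses the name of the POSIX macro for the maximum filename length from <limits.h>; in any translation unit that includes that header (directly or via a system header) before asn.hpp, the preprocessor rewrites the enumerator and every later use, either breaking the build or silently changing the bound that the new fixed-size name buffers rely on. Use a project-prefixed enumerator such as `ASN_NAME_MAX = 512 // max total of all included names`; the name is new in this commit, so the rename stays within asn.hpp and asn.cpp.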
@@ -205,14 +212,14 @@ enum { SHA_SIZE = 20 }; // A Signing Authority class Signer { PublicKey key_; - char* name_; + char name_[NAME_MAX]; byte hash_[SHA_SIZE]; public: Signer(const byte* k, word32 kSz, const char* n, const byte* h); ~Signer(); const PublicKey& GetPublicKey() const { return key_; } - const char* GetCommonName() const { return name_; } + const char* GetName() const { return name_; } const byte* GetHash() const { return hash_; } private: @@ -257,8 +264,8 @@ private: byte subjectHash_[SHA_SIZE]; // hash of all Names byte issuerHash_[SHA_SIZE]; // hash of all Names byte* signature_; - char* issuer_; // CommonName - char* subject_; // CommonName + char issuer_[NAME_MAX]; // Names + char subject_[NAME_MAX]; // Names bool verify_; // Default to yes, but could be off void ReadHeader(); diff --git a/extra/yassl/taocrypt/src/asn.cpp b/extra/yassl/taocrypt/src/asn.cpp index 3efc26ab168..824d1a2056d 100644 --- a/extra/yassl/taocrypt/src/asn.cpp +++ b/extra/yassl/taocrypt/src/asn.cpp @@ -213,21 +213,17 @@ void PublicKey::AddToEnd(const byte* data, word32 len) Signer::Signer(const byte* k, word32 kSz, const char* n, const byte* h) - : key_(k, kSz), name_(0) + : key_(k, kSz) { - if (n) { int sz = strlen(n); - name_ = NEW_TC char[sz + 1]; memcpy(name_, n, sz); name_[sz] = 0; - } memcpy(hash_, h, SHA::DIGEST_SIZE); } Signer::~Signer() { - tcArrayDelete(name_); } @@ -424,17 +420,19 @@ void DH_Decoder::Decode(DH& key) CertDecoder::CertDecoder(Source& s, bool decode, SignerList* signers, bool noVerify, CertType ct) : BER_Decoder(s), certBegin_(0), sigIndex_(0), sigLength_(0), - signature_(0), issuer_(0), subject_(0), verify_(!noVerify) + signature_(0), verify_(!noVerify) { + issuer_[0] = 0; + subject_[0] = 0; + if (decode) Decode(signers, ct); + } CertDecoder::~CertDecoder() { - tcArrayDelete(subject_); - tcArrayDelete(issuer_); tcArrayDelete(signature_); } 
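Review bot: Signer::Signer now copies into the fixed `name_[NAME_MAX]` array with `memcpy(name_, n, sz);` and no bound, and the `if (n)` guard was removed, so a NULL or over-long name (the heap version it replaces sized the buffer from strlen) becomes an out-of-bounds read or write. Clamp before copying, keeping the existing memcpy/terminator lines: `int sz = n ? (int) strlen(n) : 0;` followed by `if (sz >= NAME_MAX) sz = NAME_MAX - 1;`. The same unbounded-copy pattern appears in the CertDecoder::GetName hunks that follow.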
@@ -672,8 +670,12 @@ void CertDecoder::GetName(NameType nt) SHA sha; word32 length = GetSequence(); // length of all distinguished names + assert (length < NAME_MAX); length += source_.get_index(); + char* ptr = (nt == ISSUER) ? issuer_ : subject_; + word32 idx = 0; + while (source_.get_index() < length) { GetSet(); GetSequence(); @@ -694,13 +696,49 @@ void CertDecoder::GetName(NameType nt) byte id = source_.next(); b = source_.next(); // strType word32 strLen = GetLength(source_); + bool copy = false; if (id == COMMON_NAME) { - char*& ptr = (nt == ISSUER) ? issuer_ : subject_; - ptr = NEW_TC char[strLen + 1]; - memcpy(ptr, source_.get_current(), strLen); - ptr[strLen] = 0; + memcpy(&ptr[idx], "/CN=", 4); + idx += 4; + copy = true; + } + else if (id == SUR_NAME) { + memcpy(&ptr[idx], "/SN=", 4); + idx += 4; + copy = true; + } + else if (id == COUNTRY_NAME) { + memcpy(&ptr[idx], "/C=", 3); + idx += 3; + copy = true; + } + else if (id == LOCALITY_NAME) { + memcpy(&ptr[idx], "/L=", 3); + idx += 3; + copy = true; } + else if (id == STATE_NAME) { + memcpy(&ptr[idx], "/ST=", 4); + idx += 4; + copy = true; + } + else if (id == ORG_NAME) { + memcpy(&ptr[idx], "/O=", 3); + idx += 3; + copy = true; + } + else if (id == ORGUNIT_NAME) { + memcpy(&ptr[idx], "/OU=", 4); + idx += 4; + copy = true; + } + + if (copy) { + memcpy(&ptr[idx], source_.get_current(), strLen); + idx += strLen; + } + sha.Update(source_.get_current(), strLen); source_.advance(strLen); } @@ -711,6 +749,8 @@ void CertDecoder::GetName(NameType nt) source_.advance(length); } } + ptr[idx++] = 0; + if (nt == ISSUER) sha.Final(issuerHash_); else diff --git a/extra/yassl/taocrypt/src/make.bat b/extra/yassl/taocrypt/src/make.bat index 5a2ae580b76..3acd50fc875 100644 --- a/extra/yassl/taocrypt/src/make.bat +++ b/extra/yassl/taocrypt/src/make.bat 
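Review bot: `assert (length < NAME_MAX);` is the only bound protecting the later `memcpy(&ptr[idx], ...)` copies into the fixed issuer_/subject_ arrays, and it is compiled out under NDEBUG, so a release build parsing a certificate whose name sequence exceeds NAME_MAX writes past the buffer. Even with the assert active the write size is sum(strLen) plus up to 4 prefix bytes per attribute plus the terminator, which stays under the DER `length` only because each attribute carries more encoding overhead than its prefix — that reasoning should be stated in a comment rather than left implicit. Replace the assert with a runtime check that fails the decode the way the rest of CertDecoder reports errors (not visible here), and guard each copy with `if (idx + 4 + strLen >= NAME_MAX) { /* report error and stop */ }` before the prefix and value memcpy. GetName's body starts outside the hunk.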
@@ -1,4 +1,4 @@ -# quick and dirty build file for testing different MSDEVs +REM quick and dirty build file for testing different MSDEVs setlocal set myFLAGS= /I../include /I../../mySTL /c /W3 /G6 /O2 diff --git a/extra/yassl/taocrypt/src/template_instnt.cpp b/extra/yassl/taocrypt/src/template_instnt.cpp index 12bcd8238f2..18a884364fa 100644 --- a/extra/yassl/taocrypt/src/template_instnt.cpp +++ b/extra/yassl/taocrypt/src/template_instnt.cpp @@ -30,7 +30,6 @@ #include "sha.hpp" #include "md5.hpp" #include "hmac.hpp" -#include "ripemd.hpp" #include "pwdbased.hpp" #include "algebra.hpp" #include "vector.hpp" diff --git a/extra/yassl/testsuite/test.hpp b/extra/yassl/testsuite/test.hpp index 79d02b63558..7fe8656f6d2 100644 --- a/extra/yassl/testsuite/test.hpp +++ b/extra/yassl/testsuite/test.hpp @@ -305,8 +305,8 @@ inline void showPeer(SSL* ssl) char* subject = X509_NAME_oneline(X509_get_subject_name(peer), 0, 0); printf("peer's cert info:\n"); - printf("issuer is: %s\n", issuer); - printf("subject is: %s\n", subject); + printf("issuer : %s\n", issuer); + printf("subject: %s\n", subject); free(subject); free(issuer); -- cgit v1.2.1 From a11b9051dfc2d8440a3914af02199295215ad04a Mon Sep 17 00:00:00 2001 From: unknown Date: Wed, 26 Apr 2006 18:10:14 +0200 Subject: Move inclusion of "ripemd.hpp" from yassl to taocrypt --- extra/yassl/src/template_instnt.cpp | 1 - extra/yassl/taocrypt/src/template_instnt.cpp | 1 + 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/extra/yassl/src/template_instnt.cpp b/extra/yassl/src/template_instnt.cpp index 5782df213ea..d4a1650b8e2 100644 --- a/extra/yassl/src/template_instnt.cpp +++ b/extra/yassl/src/template_instnt.cpp @@ -31,7 +31,6 @@ #include "hmac.hpp" #include "md5.hpp" #include "sha.hpp" -#include "ripemd.hpp" #include "openssl/ssl.h" #ifdef HAVE_EXPLICIT_TEMPLATE_INSTANTIATION diff --git a/extra/yassl/taocrypt/src/template_instnt.cpp b/extra/yassl/taocrypt/src/template_instnt.cpp index 18a884364fa..5efd2d32a10 100644 
--- a/extra/yassl/taocrypt/src/template_instnt.cpp +++ b/extra/yassl/taocrypt/src/template_instnt.cpp @@ -34,6 +34,7 @@ #include "algebra.hpp" #include "vector.hpp" #include "hash.hpp" +#include "ripemd.hpp" #ifdef HAVE_EXPLICIT_TEMPLATE_INSTANTIATION namespace TaoCrypt { -- cgit v1.2.1 From 283cf514fd6cb5cf6ebabbdf7c0cfbf5cb018950 Mon Sep 17 00:00:00 2001 From: unknown Date: Fri, 28 Apr 2006 11:37:20 +0200 Subject: Fix small bug in udf_example.cc, it was processing one char too much and thus returning junk Add more DBUG_PRINT's in udf_handler::val_str Enable udf.test mysql-test/t/disabled.def: Enable udf.test sql/item_func.cc: Add DBUG_ printouts for easier debugging of installed udf's sql/udf_example.cc: Bug fix, break for loop when "n < n_end" --- mysql-test/t/disabled.def | 1 - sql/item_func.cc | 15 ++++++++++----- sql/udf_example.cc | 2 +- 3 files changed, 11 insertions(+), 7 deletions(-) diff --git a/mysql-test/t/disabled.def b/mysql-test/t/disabled.def index 1b587eea40f..007847fab37 100644 --- a/mysql-test/t/disabled.def +++ b/mysql-test/t/disabled.def @@ -11,4 +11,3 @@ ############################################################################## ndb_load : Bug#17233 -udf : Not yet diff --git a/sql/item_func.cc b/sql/item_func.cc index 0447ab115ec..f2f2cd9b4ed 100644 --- a/sql/item_func.cc +++ b/sql/item_func.cc @@ -2734,9 +2734,10 @@ String *udf_handler::val_str(String *str,String *save_str) { uchar is_null_tmp=0; ulong res_length; + DBUG_ENTER("udf_handler::val_str"); if (get_arguments()) - return 0; + DBUG_RETURN(0); char * (*func)(UDF_INIT *, UDF_ARGS *, char *, ulong *, uchar *, uchar *)= (char* (*)(UDF_INIT *, UDF_ARGS *, char *, ulong *, uchar *, uchar *)) u_d->func; 
@@ -2746,22 +2747,26 @@ String *udf_handler::val_str(String *str,String *save_str) if (str->alloc(MAX_FIELD_WIDTH)) { error=1; - return 0; + DBUG_RETURN(0); } } char *res=func(&initid, &f_args, (char*) str->ptr(), &res_length, &is_null_tmp, &error); + DBUG_PRINT("info", ("udf func returned, res_length: %lu", res_length)); if (is_null_tmp || !res || error) // The !res is for safety { - return 0; + DBUG_PRINT("info", ("Null or error")); + DBUG_RETURN(0); } if (res == str->ptr()) { str->length(res_length); - return str; + DBUG_PRINT("exit", ("str: %s", str->ptr())); + DBUG_RETURN(str); } save_str->set(res, res_length, str->charset()); - return save_str; + DBUG_PRINT("exit", ("save_str: %s", save_str->ptr())); + DBUG_RETURN(save_str); } diff --git a/sql/udf_example.cc b/sql/udf_example.cc index f4f936f34ef..6ad066eacc2 100644 --- a/sql/udf_example.cc +++ b/sql/udf_example.cc @@ -344,7 +344,7 @@ char *metaphon(UDF_INIT *initid, UDF_ARGS *args, char *result, KSflag = 0; /* state flag for KS translation */ for (metaph_end = result + MAXMETAPH, n_start = n; - n <= n_end && result < metaph_end; n++ ) + n < n_end && result < metaph_end; n++ ) { if ( KSflag ) -- cgit v1.2.1 From f1a1bd482f2c1bf1eb93195b8bb5769dfccb7e15 Mon Sep 17 00:00:00 2001 From: unknown Date: Tue, 2 May 2006 14:46:18 +0200 Subject: Use libtool --mode=execute when starting the mysqld as well. Add $exe_libtool to be used throughout the script --- mysql-test/mysql-test-run.pl | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/mysql-test/mysql-test-run.pl b/mysql-test/mysql-test-run.pl index 3b29aff2892..08b9ade72a1 100755 --- a/mysql-test/mysql-test-run.pl +++ b/mysql-test/mysql-test-run.pl @@ -189,6 +189,7 @@ our $exe_slave_mysqld; our $exe_im; our $exe_my_print_defaults; our $lib_udf_example; +our $exe_libtool; our $opt_bench= 0; our $opt_small_bench= 0; 
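Review bot: The two new `DBUG_PRINT("exit", ...)` lines format `str->ptr()` and `save_str->ptr()` with `%s`, but nothing in the hunk shows either buffer is NUL-terminated: the UDF is handed `(char*) str->ptr()` and reports its result size through `res_length`, and the code records that size explicitly via `str->length(res_length)` and `save_str->set(res, res_length, ...)`, so a UDF that returns an unterminated string makes the debug print read past the data. Bounding the print by the recorded length avoids that: `DBUG_PRINT("exit", ("str: %.*s", (int) res_length, str->ptr()));` and `DBUG_PRINT("exit", ("save_str: %.*s", (int) res_length, save_str->ptr()));`. This only fires in debug builds, but a UDF under development is exactly where an unterminated result is likely, and an over-read in the debug path would be misattributed to the UDF. The body of udf_handler::val_str starts in the previous hunk.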
@@ -448,6 +449,7 @@ sub initial_setup () { { $glob_use_libtool= 0; } + $exe_libtool= "../libtool"; # We require that we are in the "mysql-test" directory # to run mysql-test-run @@ -2624,6 +2626,15 @@ sub mysqld_start ($$$$$) { $exe= undef; } + if ($glob_use_libtool and $opt_valgrind) + { + # Add "libtool --mode-execute" + # if running in valgrind(to avoid valgrinding bash) + unshift(@$args, "--mode=execute", $exe); + $exe= $exe_libtool; + } + + if ( $type eq 'master' ) { if ( ! defined $exe or @@ -3126,7 +3137,7 @@ sub run_mysqltest ($) { # Add "libtool --mode-execute" before the test to execute # if running in valgrind(to avoid valgrinding bash) unshift(@$args, "--mode=execute", $exe); - $exe= "libtool"; + $exe= $exe_libtool; } if ( $opt_check_testcases ) @@ -3198,7 +3209,7 @@ sub gdb_arguments { if ( $glob_use_libtool ) { - mtr_add_arg($$args, "libtool"); + mtr_add_arg($$args, $exe_libtool); mtr_add_arg($$args, "--mode=execute"); } @@ -3261,7 +3272,7 @@ sub ddd_arguments { $$args= []; if ( $glob_use_libtool ) { - $$exe= "libtool"; + $$exe= $exe_libtool; mtr_add_arg($$args, "--mode=execute"); mtr_add_arg($$args, "ddd"); } @@ -3282,6 +3293,8 @@ sub debugger_arguments { my $exe= shift; my $debugger= $opt_debugger || $opt_client_debugger; + # FIXME Need to change the below "eq"'s to + # "case unsensitive string contains" if ( $debugger eq "vcexpress" or $debugger eq "vc") { # vc[express] /debugexe exe arg1 .. argn -- cgit v1.2.1 From 24651ae90c6d50b843602a0cd542595efeac752a Mon Sep 17 00:00:00 2001 
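Review bot: The new libtool wrapping in mysqld_start is placed after a context line that reads `$exe= undef;` and before the `$type eq 'master'` branch that checks `! defined $exe`, so on whatever path leaves `$exe` undefined the block appears to `unshift` an undefined value into `@$args` and then assign `$exe= $exe_libtool`, which makes the later `! defined $exe` check pass and hands libtool nothing to execute. Guarding the block keeps the existing error path intact: `if ($glob_use_libtool and $opt_valgrind and defined $exe)`. The comment above the block also still says "--mode-execute" while the code passes `--mode=execute`; worth correcting so a reader grepping for the flag finds it. The enclosing sub mysqld_start starts and ends outside the hunk.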
From: unknown Date: Wed, 3 May 2006 11:31:23 +0200 Subject: Generate new ca, client and server cert. Set CN in the server cert to localhost so that we can test --ssl-verify-server-cert SSL/cacert.pem: Generate new CA cert to get the CA's private key SSL/client-cert.pem: Generate new client cert since we have a new CA cert SSL/client-key.pem: Generate new client cert since we have a new CA cert SSL/client-req.pem: Generate new client cert since we have a new CA cert SSL/server-cert.pem: Generate new server cert since we have a new CA cert and set it's CN to localhost so that we can test --ssl-verify-server-cert SSL/server-key.pem: Generate new server cert since we have a new CA cert and set it's CN to localhost so that we can test --ssl-verify-server-cert SSL/server-req.pem: Generate new server cert since we have a new CA cert and set it's CN to localhost so that we can test --ssl-verify-server-cert --- SSL/cacert.pem | 34 +++++++++----------- SSL/client-cert.pem | 87 +++++++++++++++++++-------------------------------- SSL/client-key.pem | 20 +++++------- SSL/client-req.pem | 17 +++++----- SSL/server-cert.pem | 89 +++++++++++++++++++---------------------------------- SSL/server-key.pem | 20 +++++------- SSL/server-req.pem | 17 +++++----- 7 files changed, 106 insertions(+), 178 deletions(-) diff --git a/SSL/cacert.pem b/SSL/cacert.pem index a63dae57767..b445e77d7c4 100644 --- a/SSL/cacert.pem +++ b/SSL/cacert.pem 
@@ -1,21 +1,17 @@ -----BEGIN CERTIFICATE----- -MIIDcTCCAtqgAwIBAgIBADANBgkqhkiG9w0BAQQFADCBiDELMAkGA1UEBhMCU0Ux -EDAOBgNVBAcTB1VwcHNhbGExETAPBgNVBAoTCE15U1FMIEFCMSEwHwYDVQQDExhB -YnN0cmFjdCBNeVNRTCBEZXZlbG9wZXIxMTAvBgkqhkiG9w0BCQEWImFic3RyYWN0 -Lm15c3FsLmRldmVsb3BlckBteXNxbC5jb20wHhcNMDMwOTEyMTYxNDE2WhcNMTMw -OTA5MTYxNDE2WjCBiDELMAkGA1UEBhMCU0UxEDAOBgNVBAcTB1VwcHNhbGExETAP -BgNVBAoTCE15U1FMIEFCMSEwHwYDVQQDExhBYnN0cmFjdCBNeVNRTCBEZXZlbG9w -ZXIxMTAvBgkqhkiG9w0BCQEWImFic3RyYWN0Lm15c3FsLmRldmVsb3BlckBteXNx -bC5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKrT7zp5tp5djXp+TEQs -5ZEds1XUglp/EQUQ1FMMb1Xe6gqJsQ62O+jsUe0nrUjXBrUCUy49k6mcnmQtZREj -l1pWKmzx1fgcYpxTwxaY7IKB2jik5IWprhVPmSQ+AWss43oolXMZWR+csKehqm3j -+YNZc9NsR4ydE71l0VEtJEQvAgMBAAGjgegwgeUwHQYDVR0OBBYEFIiYZdnz8osD -HWZgYSP6rXNt02iSMIG1BgNVHSMEga0wgaqAFIiYZdnz8osDHWZgYSP6rXNt02iS -oYGOpIGLMIGIMQswCQYDVQQGEwJTRTEQMA4GA1UEBxMHVXBwc2FsYTERMA8GA1UE -ChMITXlTUUwgQUIxITAfBgNVBAMTGEFic3RyYWN0IE15U1FMIERldmVsb3BlcjEx -MC8GCSqGSIb3DQEJARYiYWJzdHJhY3QubXlzcWwuZGV2ZWxvcGVyQG15c3FsLmNv -bYIBADAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBAUAA4GBAGIL22MCIU/0sKDp -pZIhoabvNVDTfuhtene+WBCrzCzGXPZjB4+b/KAJJNvOR4zi43Kk7euu+PENs9M7 -nKpInMdhvT1RcCnUHJ3jBCvDDzXab2msqn3rxhwetWWbfE0OeEn/PoQcwiZCe7x5 -h+Zz+oUbvsEe4DjtDVgG4UH9nSSS +MIICrTCCAhagAwIBAgIJAIAO/Ybiptv1MA0GCSqGSIb3DQEBBAUAMEQxCzAJBgNV +BAYTAlNFMRAwDgYDVQQIEwdVcHBzYWxhMRAwDgYDVQQHEwdVcHBzYWxhMREwDwYD +VQQKEwhNeVNRTCBBQjAeFw0wNjA1MDMwODQ4NTRaFw0wOTAxMjcwODQ4NTRaMEQx +CzAJBgNVBAYTAlNFMRAwDgYDVQQIEwdVcHBzYWxhMRAwDgYDVQQHEwdVcHBzYWxh +MREwDwYDVQQKEwhNeVNRTCBBQjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA ++C46EQl1u7tQ6gb9eqc8V079gr8YmDPCEqtjO8bCIbchpjOpDITx0WZz36Sn9E72 +GPJwNip4FxLaPRIA3xNQHM5cE5U53qznlRx1Fc4O3hcWCvyCqNDl/vzPAh3pI6Bl +Ku9hfHXpp93W812smVPe9haShEXGgbEPYGzvOfVdu/MCAwEAAaOBpjCBozAdBgNV +HQ4EFgQUjIy/6OCTmqtPHBFha6/qzVk3yTcwdAYDVR0jBG0wa4AUjIy/6OCTmqtP +HBFha6/qzVk3yTehSKRGMEQxCzAJBgNVBAYTAlNFMRAwDgYDVQQIEwdVcHBzYWxh +MRAwDgYDVQQHEwdVcHBzYWxhMREwDwYDVQQKEwhNeVNRTCBBQoIJAIAO/Ybiptv1 
+MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEA8lD9zyB820Oq1aj7ZafX +De/hbdt9RIl2tzgw2K3r1KZGdXJVL0vSt5fZ51Nq9lg7OPJy3iXf+caBJEp0IJpB +uf4Gfr6zfXw+UlY6ZthRtHQHoXKcbskECjH5/ps/Uaa+dpVQ9O+Ii1rPzmgo6ztM +s+xZ46ESBt4WiHXm8kwbU9Y= -----END CERTIFICATE----- diff --git a/SSL/client-cert.pem b/SSL/client-cert.pem index 4c81162c911..fdd5c86a23f 100644 --- a/SSL/client-cert.pem +++ b/SSL/client-cert.pem 
@@ -1,67 +1,42 @@ Certificate: Data: - Version: 3 (0x2) + Version: 1 (0x0) Serial Number: 1 (0x1) Signature Algorithm: md5WithRSAEncryption - Issuer: C=SE, L=Uppsala, O=MySQL AB, CN=Abstract MySQL Developer/Email=abstract.mysql.developer@mysql.com + Issuer: C=SE, ST=Uppsala, L=Uppsala, O=MySQL AB Validity - Not Before: Sep 12 16:21:19 2003 GMT - Not After : Sep 9 16:21:19 2013 GMT - Subject: C=SE, L=Uppsala, O=MySQL AB, CN=MySQL Client/Email=abstract.mysql.developer@mysql.com + Not Before: May 3 08:55:39 2006 GMT + Not After : Jan 27 08:55:39 2009 GMT + Subject: C=SE, ST=Uppsala, L=Uppsala, O=MySQL AB/emailAddress=abstract.mysql.developer@mysql.com Subject Public Key Info: Public Key Algorithm: rsaEncryption - RSA Public Key: (1024 bit) - Modulus (1024 bit): - 00:c4:03:0a:ee:e3:b1:12:fc:ee:b4:19:f4:e1:60: - 1d:e0:28:c3:96:2d:df:82:69:cd:74:7c:54:58:d0: - ae:b3:59:3f:0c:19:1c:99:10:a6:12:c9:cf:3a:64: - 05:43:8e:bf:d2:65:36:80:91:0b:65:b0:27:26:38: - c9:23:d8:36:a2:4a:f0:f7:c0:2f:68:38:70:01:27: - 29:ff:b2:c5:52:e1:6b:f1:c8:d7:c3:5c:ee:f0:37: - 6c:2a:9b:96:1a:05:9e:eb:33:a2:39:5a:77:66:62: - 27:75:1f:2f:6f:38:da:e5:9f:78:af:ca:6b:22:3f: - 57:2b:bc:a6:8f:47:d1:99:6f + RSA Public Key: (512 bit) + Modulus (512 bit): + 00:d8:db:68:28:49:84:4d:d6:0f:5c:bc:3d:9a:ab: + 70:d5:3e:f5:b5:17:ba:ef:e1:f8:87:54:30:22:1f: + 81:07:bf:f9:24:7f:8a:54:10:e9:5f:e6:99:50:04: + d4:3b:55:a9:f1:52:ad:12:2b:5a:da:5c:be:8c:3e: + 5b:9e:b0:5a:19 Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Basic Constraints: - CA:FALSE - Netscape Comment: - OpenSSL Generated Certificate - X509v3 Subject Key Identifier: - 80:81:A9:22:EB:AB:D6:CA:7E:3F:8D:BB:D1:AC:2A:F4:87:9D:13:29 - X509v3 Authority Key Identifier: - keyid:88:98:65:D9:F3:F2:8B:03:1D:66:60:61:23:FA:AD:73:6D:D3:68:92 - DirName:/C=SE/L=Uppsala/O=MySQL AB/CN=Abstract MySQL Developer/Email=abstract.mysql.developer@mysql.com - serial:00 - Signature Algorithm: md5WithRSAEncryption - 86:17:1c:f3:9f:10:1b:75:47:03:ca:54:ea:ef:f7:15:54:8d: - 
8f:58:c9:64:7d:de:2e:bf:ea:a6:5d:72:56:c9:81:be:bb:1c: - 78:a5:91:d6:f8:77:df:9d:d2:cb:94:d9:06:61:4f:05:21:22: - 2a:ea:9e:c3:8b:4d:fe:94:c7:98:61:cd:7e:88:19:c9:92:01: - 1f:10:5b:c6:16:95:99:9b:32:01:3a:89:df:fa:0a:89:ac:fa: - b5:40:55:7a:ca:0a:bd:5d:8b:06:d8:7e:e1:44:8c:70:c8:63: - c7:77:6a:37:3d:a4:ac:57:dc:00:c1:c1:f3:72:17:5b:50:95: - ee:b7 + 07:57:bf:07:92:c2:8e:86:24:6b:0a:bf:e5:31:21:44:c3:60: + 02:a6:ac:9e:f7:db:7a:6e:fc:4f:d4:7b:54:18:80:47:d2:4a: + 63:0e:e3:f8:af:6e:58:e3:97:5a:2b:82:5d:76:20:d1:33:a0: + f5:43:a1:d1:51:f4:ca:c8:b3:1a:66:4e:0e:55:df:d2:e8:fa: + 83:18:42:f5:ec:66:40:f0:39:e8:f9:d7:cf:f6:dd:e4:7b:69: + dd:0c:92:d8:52:95:43:6f:29:3d:f0:8d:4c:dd:52:ea:6b:a0: + 39:0f:dc:59:a7:5c:37:6b:8b:05:44:b7:69:ea:a3:58:e0:4e: + ce:d6 -----BEGIN CERTIFICATE----- -MIIDkTCCAvqgAwIBAgIBATANBgkqhkiG9w0BAQQFADCBiDELMAkGA1UEBhMCU0Ux -EDAOBgNVBAcTB1VwcHNhbGExETAPBgNVBAoTCE15U1FMIEFCMSEwHwYDVQQDExhB -YnN0cmFjdCBNeVNRTCBEZXZlbG9wZXIxMTAvBgkqhkiG9w0BCQEWImFic3RyYWN0 -Lm15c3FsLmRldmVsb3BlckBteXNxbC5jb20wHhcNMDMwOTEyMTYyMTE5WhcNMTMw -OTA5MTYyMTE5WjB8MQswCQYDVQQGEwJTRTEQMA4GA1UEBxMHVXBwc2FsYTERMA8G -A1UEChMITXlTUUwgQUIxFTATBgNVBAMTDE15U1FMIENsaWVudDExMC8GCSqGSIb3 -DQEJARYiYWJzdHJhY3QubXlzcWwuZGV2ZWxvcGVyQG15c3FsLmNvbTCBnzANBgkq -hkiG9w0BAQEFAAOBjQAwgYkCgYEAxAMK7uOxEvzutBn04WAd4CjDli3fgmnNdHxU -WNCus1k/DBkcmRCmEsnPOmQFQ46/0mU2gJELZbAnJjjJI9g2okrw98AvaDhwAScp -/7LFUuFr8cjXw1zu8DdsKpuWGgWe6zOiOVp3ZmIndR8vbzja5Z94r8prIj9XK7ym -j0fRmW8CAwEAAaOCARQwggEQMAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9w -ZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBSAgaki66vWyn4/ -jbvRrCr0h50TKTCBtQYDVR0jBIGtMIGqgBSImGXZ8/KLAx1mYGEj+q1zbdNokqGB -jqSBizCBiDELMAkGA1UEBhMCU0UxEDAOBgNVBAcTB1VwcHNhbGExETAPBgNVBAoT -CE15U1FMIEFCMSEwHwYDVQQDExhBYnN0cmFjdCBNeVNRTCBEZXZlbG9wZXIxMTAv -BgkqhkiG9w0BCQEWImFic3RyYWN0Lm15c3FsLmRldmVsb3BlckBteXNxbC5jb22C -AQAwDQYJKoZIhvcNAQEEBQADgYEAhhcc858QG3VHA8pU6u/3FVSNj1jJZH3eLr/q -pl1yVsmBvrsceKWR1vh3353Sy5TZBmFPBSEiKuqew4tN/pTHmGHNfogZyZIBHxBb 
-xhaVmZsyATqJ3/oKiaz6tUBVesoKvV2LBth+4USMcMhjx3dqNz2krFfcAMHB83IX -W1CV7rc= +MIIB5jCCAU8CAQEwDQYJKoZIhvcNAQEEBQAwRDELMAkGA1UEBhMCU0UxEDAOBgNV +BAgTB1VwcHNhbGExEDAOBgNVBAcTB1VwcHNhbGExETAPBgNVBAoTCE15U1FMIEFC +MB4XDTA2MDUwMzA4NTUzOVoXDTA5MDEyNzA4NTUzOVowdzELMAkGA1UEBhMCU0Ux +EDAOBgNVBAgTB1VwcHNhbGExEDAOBgNVBAcTB1VwcHNhbGExETAPBgNVBAoTCE15 +U1FMIEFCMTEwLwYJKoZIhvcNAQkBFiJhYnN0cmFjdC5teXNxbC5kZXZlbG9wZXJA +bXlzcWwuY29tMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANjbaChJhE3WD1y8PZqr +cNU+9bUXuu/h+IdUMCIfgQe/+SR/ilQQ6V/mmVAE1DtVqfFSrRIrWtpcvow+W56w +WhkCAwEAATANBgkqhkiG9w0BAQQFAAOBgQAHV78HksKOhiRrCr/lMSFEw2ACpqye +99t6bvxP1HtUGIBH0kpjDuP4r25Y45daK4JddiDRM6D1Q6HRUfTKyLMaZk4OVd/S +6PqDGEL17GZA8Dno+dfP9t3ke2ndDJLYUpVDbyk98I1M3VLqa6A5D9xZp1w3a4sF +RLdp6qNY4E7O1g== -----END CERTIFICATE----- diff --git a/SSL/client-key.pem b/SSL/client-key.pem index 58fa805e620..22f8e23ab2a 100644 --- a/SSL/client-key.pem +++ b/SSL/client-key.pem 
@@ -1,15 +1,9 @@ -----BEGIN RSA PRIVATE KEY----- -MIICXQIBAAKBgQDEAwru47ES/O60GfThYB3gKMOWLd+Cac10fFRY0K6zWT8MGRyZ -EKYSyc86ZAVDjr/SZTaAkQtlsCcmOMkj2DaiSvD3wC9oOHABJyn/ssVS4WvxyNfD -XO7wN2wqm5YaBZ7rM6I5WndmYid1Hy9vONrln3ivymsiP1crvKaPR9GZbwIDAQAB -AoGAcR7IaoGhKbIrGGl6d67+zuT3q24h9aOV3Mn7653TlNHGnvbHGFcRYPpyy+H5 -X7m8XnHm+F+80hzNGzPecP9Q12oPOyoZgeQn6bTK73OFkNcX7FAkNdyH4xVhf2aK -YOzTcQfq3gRCqXtVIg4qBShTMjJLE31R8H430Or62XmJgFECQQDjP+Kz+ecQwuTB -HADLm+GQgceIB1kLgdQoZ3deUxGvqtVImuDRViSM0F2srfJ4GfkEDhc27UI5f6ir -ZTOw4ww7AkEA3M9wCPgWNtbOXbYjaNA0IzHcjMDxQDVvJAmb3EiZlKQp4EfrESxR -ly/u08TyfwrK6q5WS7xE0ad8+95G1af4XQJBAI9+3ME20SB1YItMCniHYwSj3oHX -2fN5NKWax/Zoz+c0IV+qZMHq+kNso2oRoOUTyXk1CJWndcTnBnPMALr2c9cCQQCZ -VL7Cq6uZVx6kemcqUHH0AprZbt3YLYLI7pc5p3xmeHzPzoEQQstBhjp8+aU+zPrN -blRkcQ8E2x5yNA7SLLrNAkAhzkA+EK8hc0f9W3ncy+py0Rn0i5Ay0N3T715vkThf -CfOHE3L91dLlmYpL5xVqOpugY/2sHyxwctv97DgS6tHZ +MIIBOgIBAAJBANjbaChJhE3WD1y8PZqrcNU+9bUXuu/h+IdUMCIfgQe/+SR/ilQQ +6V/mmVAE1DtVqfFSrRIrWtpcvow+W56wWhkCAwEAAQJAK27WT6tZylUjQomZNQ89 +TBiOEbUtBbqWklQ0R8FTkH9uKV+8KYQ+k+tMkoAEGFfChB0YfofNQ2KZYWWw4yOB +WQIhAPXXDQt73aou10s+cmKM3C3WzLmIZtrvm9wNBXWDGxgTAiEA4dG4cXrZfa1M +TTbjzNU1/Jf50/M8SvZDWMPQWxJ8oqMCIH6zBpYUkHlVCsBMvsbrsc4uFfTIx7mu +I7WVQGr/1sbhAiBf4uFirjtztgZUMx5/d3k5DH80lG/hlLf8FQl/4lWx6QIhAPHw +CXfPUbUFl4r/i9Br5+exGol50qX4F3aP5Sh5EnZT -----END RSA PRIVATE KEY----- diff --git a/SSL/client-req.pem b/SSL/client-req.pem index b3667fb5ec6..16ef777b677 100644 --- a/SSL/client-req.pem +++ b/SSL/client-req.pem 
@@ -1,12 +1,9 @@ -----BEGIN CERTIFICATE REQUEST----- -MIIBvDCCASUCAQAwfDELMAkGA1UEBhMCU0UxEDAOBgNVBAcTB1VwcHNhbGExETAP -BgNVBAoTCE15U1FMIEFCMRUwEwYDVQQDEwxNeVNRTCBDbGllbnQxMTAvBgkqhkiG -9w0BCQEWImFic3RyYWN0Lm15c3FsLmRldmVsb3BlckBteXNxbC5jb20wgZ8wDQYJ -KoZIhvcNAQEBBQADgY0AMIGJAoGBAMQDCu7jsRL87rQZ9OFgHeAow5Yt34JpzXR8 -VFjQrrNZPwwZHJkQphLJzzpkBUOOv9JlNoCRC2WwJyY4ySPYNqJK8PfAL2g4cAEn -Kf+yxVLha/HI18Nc7vA3bCqblhoFnuszojlad2ZiJ3UfL2842uWfeK/KayI/Vyu8 -po9H0ZlvAgMBAAGgADANBgkqhkiG9w0BAQQFAAOBgQAnKdk68dGJXvlj/GXwBUWN -oXWF7hq4fDmwyhmcFUqk8qZKPKFUxkcER0GLzYeUgvD2URSfaS3/YW0d7K7kXGwP -rB5edb+suaYf6mjm/w37xw/EJI9rdSKcB/3SSu8mALds7sUHDAO+MO0WkA/9d7t0 -LOsUqcDvMkKpZuYwNILwLw== +MIIBMTCB3AIBADB3MQswCQYDVQQGEwJTRTEQMA4GA1UECBMHVXBwc2FsYTEQMA4G +A1UEBxMHVXBwc2FsYTERMA8GA1UEChMITXlTUUwgQUIxMTAvBgkqhkiG9w0BCQEW +ImFic3RyYWN0Lm15c3FsLmRldmVsb3BlckBteXNxbC5jb20wXDANBgkqhkiG9w0B +AQEFAANLADBIAkEA2NtoKEmETdYPXLw9mqtw1T71tRe67+H4h1QwIh+BB7/5JH+K +VBDpX+aZUATUO1Wp8VKtEita2ly+jD5bnrBaGQIDAQABoAAwDQYJKoZIhvcNAQEE +BQADQQB/86MEaTPxaMR80nZevJS/FLFkt+zlp45x3glUZyaOnYb970YNimytZBrz +iS2s/0dNeSRwKbEMzKc/Qhe/GVJt -----END CERTIFICATE REQUEST----- diff --git a/SSL/server-cert.pem b/SSL/server-cert.pem index debf7026e3c..f420b4f3124 100644 --- a/SSL/server-cert.pem +++ b/SSL/server-cert.pem 
@@ -1,67 +1,42 @@ Certificate: Data: - Version: 3 (0x2) - Serial Number: 2 (0x2) + Version: 1 (0x0) + Serial Number: 1 (0x1) Signature Algorithm: md5WithRSAEncryption - Issuer: C=SE, L=Uppsala, O=MySQL AB, CN=Abstract MySQL Developer/Email=abstract.mysql.developer@mysql.com + Issuer: C=SE, ST=Uppsala, L=Uppsala, O=MySQL AB Validity - Not Before: Sep 12 16:22:06 2003 GMT - Not After : Sep 9 16:22:06 2013 GMT - Subject: C=SE, L=Uppsala, O=MySQL AB, CN=MySQL Server/Email=abstract.mysql.developer@mysql.com + Not Before: May 3 08:54:13 2006 GMT + Not After : Jan 27 08:54:13 2009 GMT + Subject: C=SE, ST=Uppsala, L=Uppsala, O=MySQL AB, CN=localhost/emailAddress=abstract.mysql.developer@mysql.com Subject Public Key Info: Public Key Algorithm: rsaEncryption - RSA Public Key: (1024 bit) - Modulus (1024 bit): - 00:e9:86:7a:55:84:88:4c:be:a4:f8:92:73:30:12: - 49:0b:7a:85:87:39:34:39:0d:7d:0b:8d:18:c2:17: - 95:13:52:d2:3f:55:10:57:c8:3f:5a:f5:b2:fa:8b: - d0:67:49:cc:aa:82:fc:9f:ce:00:b4:73:f3:36:d2: - 3a:d3:c2:b0:0e:14:c3:d4:b2:21:74:a1:f0:31:81: - 60:87:98:73:5c:10:c1:b1:1a:4d:f1:f3:b0:98:3f: - f0:d7:97:9b:2b:fd:d5:21:79:b2:2f:eb:64:15:c9: - 9b:9d:fc:9e:2d:d4:f8:04:5b:ea:a9:75:4b:42:c3: - 3d:0e:4d:2a:a8:b8:ca:99:8d + RSA Public Key: (512 bit) + Modulus (512 bit): + 00:d9:fd:da:b3:fb:7c:e0:b0:03:be:97:c6:a4:36: + ac:71:af:bb:2d:e5:84:ed:f3:8f:2b:eb:11:e5:aa: + 66:ed:bf:62:6b:e3:ce:fa:80:ed:90:ff:b9:4a:39: + 20:40:b6:f2:99:bf:2f:33:b5:f2:ec:3a:90:60:1d: + 9e:94:7e:a4:1b Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Basic Constraints: - CA:FALSE - Netscape Comment: - OpenSSL Generated Certificate - X509v3 Subject Key Identifier: - 6E:E4:9B:6A:C5:EA:E4:E6:C7:EF:D7:1E:C8:63:45:60:2B:1B:D4:D4 - X509v3 Authority Key Identifier: - keyid:88:98:65:D9:F3:F2:8B:03:1D:66:60:61:23:FA:AD:73:6D:D3:68:92 - DirName:/C=SE/L=Uppsala/O=MySQL AB/CN=Abstract MySQL Developer/Email=abstract.mysql.developer@mysql.com - serial:00 - Signature Algorithm: md5WithRSAEncryption - 
31:77:69:b9:bd:ab:29:f3:fc:5a:09:16:6f:5d:42:ea:ba:01: - 55:69:e3:75:cf:b8:d1:b7:b9:bf:da:63:85:8c:48:92:06:60: - 76:97:e0:00:78:4b:ad:da:ab:6a:90:6d:8b:03:a8:b1:e9:09: - 78:e1:29:98:56:12:60:6b:42:fe:e8:a7:c4:f8:d6:15:07:e8: - 2b:c2:d8:8a:e5:1b:2e:51:08:9b:56:e3:b3:7a:4c:3e:e5:be: - 4a:4d:f8:65:7b:a8:21:e0:ca:fe:8b:ab:d7:ec:f2:2d:f7:d0: - bf:d7:c5:23:1c:08:d8:aa:57:c7:f3:5f:ba:33:3f:78:d1:f4: - 8e:5e + de:5e:35:cd:7b:11:e6:7c:c5:7c:d6:27:4e:72:12:49:42:eb: + 6f:2c:96:f3:f4:00:78:a7:4f:9f:2d:7b:d7:30:39:af:49:4d: + df:b1:55:0d:30:be:23:6f:06:67:fd:dd:ba:98:66:36:c6:32: + b7:ed:63:fc:aa:49:cd:4f:72:98:3b:13:0e:f6:28:d7:d4:eb: + 04:6b:dc:e8:c7:04:80:92:e4:04:86:0b:ed:32:25:76:1d:a9: + 5c:a9:2c:18:2c:bd:bc:15:ed:e1:76:96:4d:bb:0d:41:44:06: + 2c:ad:45:bb:db:61:ad:17:11:cb:49:70:67:eb:c6:27:d3:91: + c8:f2 -----BEGIN CERTIFICATE----- -MIIDkTCCAvqgAwIBAgIBAjANBgkqhkiG9w0BAQQFADCBiDELMAkGA1UEBhMCU0Ux -EDAOBgNVBAcTB1VwcHNhbGExETAPBgNVBAoTCE15U1FMIEFCMSEwHwYDVQQDExhB -YnN0cmFjdCBNeVNRTCBEZXZlbG9wZXIxMTAvBgkqhkiG9w0BCQEWImFic3RyYWN0 -Lm15c3FsLmRldmVsb3BlckBteXNxbC5jb20wHhcNMDMwOTEyMTYyMjA2WhcNMTMw -OTA5MTYyMjA2WjB8MQswCQYDVQQGEwJTRTEQMA4GA1UEBxMHVXBwc2FsYTERMA8G -A1UEChMITXlTUUwgQUIxFTATBgNVBAMTDE15U1FMIFNlcnZlcjExMC8GCSqGSIb3 -DQEJARYiYWJzdHJhY3QubXlzcWwuZGV2ZWxvcGVyQG15c3FsLmNvbTCBnzANBgkq -hkiG9w0BAQEFAAOBjQAwgYkCgYEA6YZ6VYSITL6k+JJzMBJJC3qFhzk0OQ19C40Y -wheVE1LSP1UQV8g/WvWy+ovQZ0nMqoL8n84AtHPzNtI608KwDhTD1LIhdKHwMYFg -h5hzXBDBsRpN8fOwmD/w15ebK/3VIXmyL+tkFcmbnfyeLdT4BFvqqXVLQsM9Dk0q -qLjKmY0CAwEAAaOCARQwggEQMAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9w -ZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBRu5Jtqxerk5sfv -1x7IY0VgKxvU1DCBtQYDVR0jBIGtMIGqgBSImGXZ8/KLAx1mYGEj+q1zbdNokqGB -jqSBizCBiDELMAkGA1UEBhMCU0UxEDAOBgNVBAcTB1VwcHNhbGExETAPBgNVBAoT -CE15U1FMIEFCMSEwHwYDVQQDExhBYnN0cmFjdCBNeVNRTCBEZXZlbG9wZXIxMTAv -BgkqhkiG9w0BCQEWImFic3RyYWN0Lm15c3FsLmRldmVsb3BlckBteXNxbC5jb22C -AQAwDQYJKoZIhvcNAQEEBQADgYEAMXdpub2rKfP8WgkWb11C6roBVWnjdc+40be5 
-v9pjhYxIkgZgdpfgAHhLrdqrapBtiwOosekJeOEpmFYSYGtC/uinxPjWFQfoK8LY -iuUbLlEIm1bjs3pMPuW+Sk34ZXuoIeDK/our1+zyLffQv9fFIxwI2KpXx/NfujM/ -eNH0jl4= +MIIB+zCCAWQCAQEwDQYJKoZIhvcNAQEEBQAwRDELMAkGA1UEBhMCU0UxEDAOBgNV +BAgTB1VwcHNhbGExEDAOBgNVBAcTB1VwcHNhbGExETAPBgNVBAoTCE15U1FMIEFC +MB4XDTA2MDUwMzA4NTQxM1oXDTA5MDEyNzA4NTQxM1owgYsxCzAJBgNVBAYTAlNF +MRAwDgYDVQQIEwdVcHBzYWxhMRAwDgYDVQQHEwdVcHBzYWxhMREwDwYDVQQKEwhN +eVNRTCBBQjESMBAGA1UEAxMJbG9jYWxob3N0MTEwLwYJKoZIhvcNAQkBFiJhYnN0 +cmFjdC5teXNxbC5kZXZlbG9wZXJAbXlzcWwuY29tMFwwDQYJKoZIhvcNAQEBBQAD +SwAwSAJBANn92rP7fOCwA76XxqQ2rHGvuy3lhO3zjyvrEeWqZu2/YmvjzvqA7ZD/ +uUo5IEC28pm/LzO18uw6kGAdnpR+pBsCAwEAATANBgkqhkiG9w0BAQQFAAOBgQDe +XjXNexHmfMV81idOchJJQutvLJbz9AB4p0+fLXvXMDmvSU3fsVUNML4jbwZn/d26 +mGY2xjK37WP8qknNT3KYOxMO9ijX1OsEa9zoxwSAkuQEhgvtMiV2HalcqSwYLL28 +Fe3hdpZNuw1BRAYsrUW722GtFxHLSXBn68Yn05HI8g== -----END CERTIFICATE----- diff --git a/SSL/server-key.pem b/SSL/server-key.pem index 4292dc79929..a4842624c0c 100644 --- a/SSL/server-key.pem +++ b/SSL/server-key.pem 
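Review bot: The regenerated server certificate is a 512-bit RSA key signed with MD5 and issued as a v1 certificate with no extensions (the text dump at the top of the hunk shows `RSA Public Key: (512 bit)`, `Signature Algorithm: md5WithRSAEncryption` and `Version: 1 (0x0)`), whereas the certificate it replaces was 1024-bit, v3 and carried `CA:FALSE`; that is a downgrade on every axis, and since 512-bit RSA is factorable and MD5 signatures are not trustworthy these files must be treated as test fixtures only, with the generation recipe moved to at least 1024-bit keys and a SHA-based signature. The validity window also shrinks from ten years to under three (`Not After : Jan 27 08:54:13 2009 GMT`), so the SSL tests will start failing on that date unless the certificates are regenerated first; recording the expiry date next to the regeneration instructions would make that failure predictable. Because the matching private keys are checked in beside the certificates, a prominent note that they are test-only and must never be deployed is worth adding as well.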
@@ -1,15 +1,9 @@ -----BEGIN RSA PRIVATE KEY----- -MIICXgIBAAKBgQDphnpVhIhMvqT4knMwEkkLeoWHOTQ5DX0LjRjCF5UTUtI/VRBX -yD9a9bL6i9BnScyqgvyfzgC0c/M20jrTwrAOFMPUsiF0ofAxgWCHmHNcEMGxGk3x -87CYP/DXl5sr/dUhebIv62QVyZud/J4t1PgEW+qpdUtCwz0OTSqouMqZjQIDAQAB -AoGBALTq11nrjIEQbdSZ+R1z/R0kddB2U+wjdA3/6P9tr7PBxVsFdtzbKaI5mcib -iwCKX0J2qmrP+SHUdsexBZxLR4KV/Z55v9Pym99Dy+DxDA95zURyCMKRBIzlU5uN -F7USEQoltLUCsmZwNWdit0gfxSWdddkHNuI0uxTzHwuDcUlNAkEA/76zVremngNL -DlekM9NPn/8E/TXBHN1b1jdUKd7WymSJykdcm3viU98dFNZFWF8B0jiTcuBKXgpR -vTShNab/swJBAOnCGp554BLhioTyyk8qjRLt3xEsjsDljJULHVLYWcUqIkMf97GL -VLBhl6ZEI9i0WduqvgZ+Bacd0uHqIHz1Yb8CQQDm1CjqTDiGxlIoT9JVNJTZxEOs -h6gVdXY+kxHT+N3FL5luiZp8fAR7zxVgiUVtzdLG+2madfapiobcT3RyCJkhAkBI -64AaR7KasTjg2Ew7/e4cJZAcb2XozrLYG6t+GHeIhehCQEqoW+qDSy5fc4orI7eU -SuMUa2OgCjGqv7p6wKFJAkEAznmum/MbVOBpC4FsdnIGkxyFKIbh2OLY2aUb2KkK -Ouf4S8Y5Ldgszi0fnDPRaxWJzewwZKvcff2zj+mYZeAXbA== +MIIBOgIBAAJBANn92rP7fOCwA76XxqQ2rHGvuy3lhO3zjyvrEeWqZu2/YmvjzvqA +7ZD/uUo5IEC28pm/LzO18uw6kGAdnpR+pBsCAwEAAQJBAMieYdpmRoUaODf9wqh6 +ULXH/sG8i1vaXRcUHcJ50oRVfVK8/tGGvUuTDu6MeINTdahNDlYfjwOjKWVXys1w +h6ECIQDs6s7DfczK2bKCLt0zqg24mZL3rOpGmDU+TatwN1yVgwIhAOuMzdVTX39p +328+5WxJvBOFfxmSmqdDhIFpnRMvgguJAiByvKjT/km+970+1OllyvaIL0AA2OpA +tBgdC0p6tyUMdwIgKuHAWzTJbu28UolVxQgLaFZmVCZ/ZzIAfnrWsLZ2a1kCIBq/ +ywJ2cpyFlgazu8AH6KCQa0ok9s70ElaB6FEC85Al -----END RSA PRIVATE KEY----- diff --git a/SSL/server-req.pem b/SSL/server-req.pem index 7c3db0660ad..f9a6d8940c2 100644 --- a/SSL/server-req.pem +++ b/SSL/server-req.pem 
@@ -1,12 +1,9 @@ -----BEGIN CERTIFICATE REQUEST----- -MIIBvDCCASUCAQAwfDELMAkGA1UEBhMCU0UxEDAOBgNVBAcTB1VwcHNhbGExETAP -BgNVBAoTCE15U1FMIEFCMRUwEwYDVQQDEwxNeVNRTCBTZXJ2ZXIxMTAvBgkqhkiG -9w0BCQEWImFic3RyYWN0Lm15c3FsLmRldmVsb3BlckBteXNxbC5jb20wgZ8wDQYJ -KoZIhvcNAQEBBQADgY0AMIGJAoGBAOmGelWEiEy+pPiSczASSQt6hYc5NDkNfQuN -GMIXlRNS0j9VEFfIP1r1svqL0GdJzKqC/J/OALRz8zbSOtPCsA4Uw9SyIXSh8DGB -YIeYc1wQwbEaTfHzsJg/8NeXmyv91SF5si/rZBXJm538ni3U+ARb6ql1S0LDPQ5N -Kqi4ypmNAgMBAAGgADANBgkqhkiG9w0BAQQFAAOBgQCagJxGHBC+G5aSh3OguFn6 -z+qAC7u3B181kPBgNv20zMgLeq7YiAh3iNx4XO2+QXRGzMznFKx1tFr/mavCpgLs -p3+dCvQt5FHEFFK1D1pDeXy4146X07hOTtC9jc/jSWeVnH4ujuX5gMtZqisOyYWV -/gpw6dBtkTYlhS+y86kM/Q== +MIIBRjCB8QIBADCBizELMAkGA1UEBhMCU0UxEDAOBgNVBAgTB1VwcHNhbGExEDAO +BgNVBAcTB1VwcHNhbGExETAPBgNVBAoTCE15U1FMIEFCMRIwEAYDVQQDEwlsb2Nh +bGhvc3QxMTAvBgkqhkiG9w0BCQEWImFic3RyYWN0Lm15c3FsLmRldmVsb3BlckBt +eXNxbC5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEA2f3as/t84LADvpfGpDas +ca+7LeWE7fOPK+sR5apm7b9ia+PO+oDtkP+5SjkgQLbymb8vM7Xy7DqQYB2elH6k +GwIDAQABoAAwDQYJKoZIhvcNAQEEBQADQQAJH+9fYD3tmUS8p3f2HlN1lfRM/Jt/ +OtVAsnJ1qcHOhAA24FOARs8ZtxwvDQP57/rLkf43kbFbpDWFRtSyUXa6 -----END CERTIFICATE REQUEST----- -- cgit v1.2.1 From 286624ecfa0c0662d4c7a29ea08a30dcd6834e51 Mon Sep 17 00:00:00 2001 From: unknown Date: Wed, 3 May 2006 11:50:45 +0200 Subject: Update NOTES with information how we generate new keys --- SSL/NOTES | 62 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 62 insertions(+) diff --git a/SSL/NOTES b/SSL/NOTES index 413c724c583..a1109db8c80 100644 --- a/SSL/NOTES +++ b/SSL/NOTES 
@@ -40,7 +40,69 @@ openssl s_server -port 1111 -cert ../SSL/server-cert.pem -key ../SSL/server-key. +------------------------------------------- +How to generate new keys: +First we need the private key of the CA cert. Since we always throw +away the old private key for the CA, we need to generate a totally new +CA cert. Our CA cert is self signed and we will use that to sign the +server and client keys. As long as we distibute the cacert.pem they can +b oth be validated against that. + + +1) openssl genrsa 512 > cecert.pem + +2) openssl req -new -x509 -nodes -md5 -days 1000 -key cacert.pem > cacert.pem + +We now have a cacert.pem which is the public key and a cakey.pem which is the +private key of the CA. + +Steps to generate the server key. + +3) openssl req -newkey rsa:512 -md5 -days 1000 -nodes -keyout server-key.pem > server-req.pem + +4) copy ca-key.pem ca-cert.srl + +5) openssl x509 -req -in server-req.pem -days 1000 -md5 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem + + +-- adding metadata to beginning + +6) openssl x509 -in server-cert.pem -text > tmp.pem + +7) mv tmp.pem server-cert.pem + +-- And almost the same for the client. + +8) openssl req -newkey rsa:512 -md5 -days 1000 -nodes -keyout client-key.pem > client-req.pem + +9) openssl x509 -req -in client-req.pem -days 1000 -md5 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > client-cert.pem + + +-- adding metadata to beginning + +10) openssl x509 -in client-cert.pem -text > tmp.pem + +11) mv tmp.pem client-cert.pem + +The new certs are now generated. They can be verified against the cacert to test they are ok. This is actually what is done in the MySQL client and server. 
+ +12) openssl verify -CAfile cacert.pem server-cert.pem +server-cert.pem: OK +13) openssl verify -CAfile cacert.pem client-cert.pm +client-cert.pem: OK + + +The files we add to our repository and thus distribute are +* cacert.pem - CA's public key, used to verify the client/servers pblic keys +* server-key.pem - servers private key +* server-cert.pem - servers public key +* client-key.pem - clients private key +* client-cert.pem - clients public key + + + +== OLD NOTES below == -------------------------------------------- CA stuff: -- cgit v1.2.1 From e4326a1f1e3cbad5720abe3c89053408eddc120e Mon Sep 17 00:00:00 2001 From: unknown Date: Wed, 3 May 2006 11:53:16 +0200 Subject: Remove client-req-pem and server-req.pem BitKeeper/deleted/.del-server-req.pem~16301893cacf1be4: Delete: SSL/server-req.pem BitKeeper/deleted/.del-client-req.pem~efd482e1d290d4d8: Delete: SSL/client-req.pem --- SSL/Makefile.am | 4 ++-- SSL/client-req.pem | 9 --------- SSL/server-req.pem | 9 --------- 3 files changed, 2 insertions(+), 20 deletions(-) delete mode 100644 SSL/client-req.pem delete mode 100644 SSL/server-req.pem diff --git a/SSL/Makefile.am b/SSL/Makefile.am index bd3aad1e3b2..6edc6146a29 100644 --- a/SSL/Makefile.am +++ b/SSL/Makefile.am @@ -17,8 +17,8 @@ ## Process this file with automake to create Makefile.in EXTRA_DIST= NOTES cacert.pem client-cert.pem client-key.pem \ - client-req.pem run-client run-server server-cert.pem \ - server-key.pem server-req.pem + run-client run-server server-cert.pem \ + server-key.pem # Don't update the files from bitkeeper %::SCCS/s.% diff --git a/SSL/client-req.pem b/SSL/client-req.pem deleted file mode 100644 index 16ef777b677..00000000000 --- a/SSL/client-req.pem +++ /dev/null 
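Review bot: The key-generation recipe as written cannot produce a usable CA: step 1 writes the private key to `cecert.pem`, while step 2 reads `-key cacert.pem` and redirects its output to the same `cacert.pem`, so the shell truncates the file before openssl reads it; the intended commands are `openssl genrsa 512 > cakey.pem` followed by `openssl req -new -x509 -nodes -md5 -days 1000 -key cakey.pem > cacert.pem`, matching the `cakey.pem` the next paragraph refers to. Steps 4, 5 and 9 then use `ca-cert.pem`/`ca-key.pem`, which are not the file names produced by steps 1–2, and step 4 copies the CA private key into the serial file `ca-cert.srl`, which is neither needed (the signing steps pass `-set_serial`) nor a place a private key should be copied. The text should also state explicitly that the CA private key is discarded after signing and that these 512-bit/MD5 certificates are test fixtures only, and fix the typos `client-cert.pm`, `b oth`, `distibute` and `pblic`.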
@@ -1,9 +0,0 @@ ------BEGIN CERTIFICATE REQUEST----- -MIIBMTCB3AIBADB3MQswCQYDVQQGEwJTRTEQMA4GA1UECBMHVXBwc2FsYTEQMA4G -A1UEBxMHVXBwc2FsYTERMA8GA1UEChMITXlTUUwgQUIxMTAvBgkqhkiG9w0BCQEW -ImFic3RyYWN0Lm15c3FsLmRldmVsb3BlckBteXNxbC5jb20wXDANBgkqhkiG9w0B -AQEFAANLADBIAkEA2NtoKEmETdYPXLw9mqtw1T71tRe67+H4h1QwIh+BB7/5JH+K -VBDpX+aZUATUO1Wp8VKtEita2ly+jD5bnrBaGQIDAQABoAAwDQYJKoZIhvcNAQEE -BQADQQB/86MEaTPxaMR80nZevJS/FLFkt+zlp45x3glUZyaOnYb970YNimytZBrz -iS2s/0dNeSRwKbEMzKc/Qhe/GVJt ------END CERTIFICATE REQUEST----- diff --git a/SSL/server-req.pem b/SSL/server-req.pem deleted file mode 100644 index f9a6d8940c2..00000000000 --- a/SSL/server-req.pem +++ /dev/null @@ -1,9 +0,0 @@ ------BEGIN CERTIFICATE REQUEST----- -MIIBRjCB8QIBADCBizELMAkGA1UEBhMCU0UxEDAOBgNVBAgTB1VwcHNhbGExEDAO -BgNVBAcTB1VwcHNhbGExETAPBgNVBAoTCE15U1FMIEFCMRIwEAYDVQQDEwlsb2Nh -bGhvc3QxMTAvBgkqhkiG9w0BCQEWImFic3RyYWN0Lm15c3FsLmRldmVsb3BlckBt -eXNxbC5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEA2f3as/t84LADvpfGpDas -ca+7LeWE7fOPK+sR5apm7b9ia+PO+oDtkP+5SjkgQLbymb8vM7Xy7DqQYB2elH6k -GwIDAQABoAAwDQYJKoZIhvcNAQEEBQADQQAJH+9fYD3tmUS8p3f2HlN1lfRM/Jt/ -OtVAsnJ1qcHOhAA24FOARs8ZtxwvDQP57/rLkf43kbFbpDWFRtSyUXa6 ------END CERTIFICATE REQUEST----- -- cgit v1.2.1 From 1f8591b443d912c427adb5286f1c74c428bb0da5 Mon Sep 17 00:00:00 2001 From: unknown Date: Wed, 3 May 2006 12:05:04 +0200 Subject: Make cert's in std_data that we cpoy from SSL/ depend on the cert's in SSL/ --- mysql-test/Makefile.am | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/mysql-test/Makefile.am b/mysql-test/Makefile.am index 33598748397..73074397086 100644 --- a/mysql-test/Makefile.am +++ b/mysql-test/Makefile.am 
@@ -100,15 +100,15 @@ install-data-local: uninstall-local: @RM@ -f -r $(DESTDIR)$(testdir) -std_data/client-key.pem: +std_data/client-key.pem: $(top_srcdir)/SSL/$(@F) @CP@ $(top_srcdir)/SSL/$(@F) $(srcdir)/std_data -std_data/client-cert.pem: +std_data/client-cert.pem: $(top_srcdir)/SSL/$(@F) @CP@ $(top_srcdir)/SSL/$(@F) $(srcdir)/std_data -std_data/cacert.pem: +std_data/cacert.pem: $(top_srcdir)/SSL/$(@F) @CP@ $(top_srcdir)/SSL/$(@F) $(srcdir)/std_data -std_data/server-cert.pem: +std_data/server-cert.pem: $(top_srcdir)/SSL/$(@F) @CP@ $(top_srcdir)/SSL/$(@F) $(srcdir)/std_data -std_data/server-key.pem: +std_data/server-key.pem: $(top_srcdir)/SSL/$(@F) @CP@ $(top_srcdir)/SSL/$(@F) $(srcdir)/std_data SUFFIXES = .sh -- cgit v1.2.1 From 3e5686626423349a3f829b39c8e1c1627388d1f6 Mon Sep 17 00:00:00 2001 
From: unknown Date: Wed, 3 May 2006 13:08:24 +0200 Subject: Update yaSSL to version 1.3.0 extra/yassl/README: Import patch yassl.diff extra/yassl/examples/client/client.cpp: Import patch yassl.diff extra/yassl/include/openssl/err.h: Import patch yassl.diff extra/yassl/include/openssl/md5.h: Import patch yassl.diff extra/yassl/include/openssl/ssl.h: Import patch yassl.diff extra/yassl/include/yassl_int.hpp: Import patch yassl.diff extra/yassl/mySTL/helpers.hpp: Import patch yassl.diff extra/yassl/src/cert_wrapper.cpp: Import patch yassl.diff extra/yassl/src/ssl.cpp: Import patch yassl.diff extra/yassl/src/template_instnt.cpp: Import patch yassl.diff extra/yassl/src/yassl_int.cpp: Import patch yassl.diff extra/yassl/taocrypt/include/asn.hpp: Import patch yassl.diff extra/yassl/taocrypt/src/asn.cpp: Import patch yassl.diff extra/yassl/taocrypt/src/integer.cpp: Import patch yassl.diff extra/yassl/taocrypt/src/make.bat: Import patch yassl.diff extra/yassl/taocrypt/src/misc.cpp: Import patch yassl.diff extra/yassl/taocrypt/taocrypt.dsp: Import patch yassl.diff extra/yassl/testsuite/test.hpp: Import patch yassl.diff extra/yassl/testsuite/testsuite.cpp: Import patch yassl.diff extra/yassl/testsuite/testsuite.dsp: Import patch yassl.diff extra/yassl/include/openssl/md4.h: Import patch yassl.diff extra/yassl/include/openssl/pem.h: Import patch yassl.diff extra/yassl/include/openssl/x509.h: Import patch yassl.diff extra/yassl/include/openssl/x509v3.h: Import patch yassl.diff extra/yassl/lib/dummy: Import patch yassl.diff extra/yassl/certs/ca-cert.pem: New BitKeeper file ``extra/yassl/certs/ca-cert.pem'' extra/yassl/certs/client-cert.pem: New BitKeeper file ``extra/yassl/certs/client-cert.pem'' extra/yassl/certs/client-key.pem: New BitKeeper file ``extra/yassl/certs/client-key.pem'' extra/yassl/certs/dsa-cert.pem: New BitKeeper file ``extra/yassl/certs/dsa-cert.pem'' extra/yassl/certs/dsa512.pem: New BitKeeper file ``extra/yassl/certs/dsa512.pem'' 
extra/yassl/certs/server-cert.pem: New BitKeeper file ``extra/yassl/certs/server-cert.pem'' extra/yassl/certs/server-key.pem: New BitKeeper file ``extra/yassl/certs/server-key.pem'' extra/yassl/certs/taoCert.txt: New BitKeeper file ``extra/yassl/certs/taoCert.txt'' --- extra/yassl/README | 35 +++- extra/yassl/certs/ca-cert.pem | 53 ++++++ extra/yassl/certs/client-cert.pem | 52 ++++++ extra/yassl/certs/client-key.pem | 9 + extra/yassl/certs/dsa-cert.pem | 68 ++++++++ extra/yassl/certs/dsa512.pem | 8 + extra/yassl/certs/server-cert.pem | 38 +++++ extra/yassl/certs/server-key.pem | 9 + extra/yassl/certs/taoCert.txt | 50 ++++++ extra/yassl/examples/client/client.cpp | 6 +- extra/yassl/include/openssl/err.h | 2 +- extra/yassl/include/openssl/md4.h | 1 + extra/yassl/include/openssl/md5.h | 3 + extra/yassl/include/openssl/pem.h | 1 + extra/yassl/include/openssl/ssl.h | 112 ++++++++++++- extra/yassl/include/openssl/x509.h | 1 + extra/yassl/include/openssl/x509v3.h | 1 + extra/yassl/include/yassl_int.hpp | 41 ++++- extra/yassl/lib/dummy | 1 + extra/yassl/mySTL/helpers.hpp | 5 + extra/yassl/src/cert_wrapper.cpp | 9 +- extra/yassl/src/ssl.cpp | 290 ++++++++++++++++++++++++++++++++- extra/yassl/src/template_instnt.cpp | 5 + extra/yassl/src/yassl_int.cpp | 103 +++++++++++- extra/yassl/taocrypt/include/asn.hpp | 25 ++- extra/yassl/taocrypt/src/asn.cpp | 74 +++++++-- extra/yassl/taocrypt/src/integer.cpp | 6 +- extra/yassl/taocrypt/src/make.bat | 2 +- extra/yassl/taocrypt/src/misc.cpp | 9 + extra/yassl/taocrypt/taocrypt.dsp | 3 +- extra/yassl/testsuite/test.hpp | 4 +- extra/yassl/testsuite/testsuite.cpp | 6 +- extra/yassl/testsuite/testsuite.dsp | 4 +- 33 files changed, 979 insertions(+), 57 deletions(-) create mode 100644 extra/yassl/certs/ca-cert.pem create mode 100644 extra/yassl/certs/client-cert.pem create mode 100644 extra/yassl/certs/client-key.pem create mode 100644 extra/yassl/certs/dsa-cert.pem create mode 100644 extra/yassl/certs/dsa512.pem create mode 100644 
extra/yassl/certs/server-cert.pem create mode 100644 extra/yassl/certs/server-key.pem create mode 100644 extra/yassl/certs/taoCert.txt create mode 100644 extra/yassl/include/openssl/md4.h create mode 100644 extra/yassl/include/openssl/pem.h create mode 100644 extra/yassl/include/openssl/x509.h create mode 100644 extra/yassl/include/openssl/x509v3.h create mode 100644 extra/yassl/lib/dummy diff --git a/extra/yassl/README b/extra/yassl/README index ad59fe3965e..62209723f66 100644 --- a/extra/yassl/README +++ b/extra/yassl/README @@ -1,4 +1,37 @@ -yaSSL Release notes, version 1.2.2 (03/27/06) +yaSSL Release notes, version 1.3.0 (04/26/06) + + + This release of yaSSL contains minor bug fixes, portability enhancements, + and libcurl support. + +See normal build instructions below under 1.0.6. + + +--To build for libcurl on Linux, Solaris, *BSD, Mac OS X, or Cygwin: + + To build for libcurl the library needs to be built without C++ globals since + the linker will be called in a C context, also libcurl configure will expect + OpenSSL library names so some symbolic links are created. + + ./configure --enable-pure-c + make + make openssl-links + + (then go to your libcurl home and tell libcurl about yaSSL) + ./configure --with-ssl=/yaSSL-HomeDir + make + + +--To build for libcurl on Win32: + + Simply add the yaSSL project as a dependency to libcurl, add + yaSSL-Home\include and yaSSL-Home\include\openssl to the include list, and + define USE_SSLEAY and USE_OPENSSL + + please email todd@yassl.com if you have any questions. + + +*******************yaSSL Release notes, version 1.2.2 (03/27/06) This release of yaSSL contains minor bug fixes and portability enhancements. diff --git a/extra/yassl/certs/ca-cert.pem b/extra/yassl/certs/ca-cert.pem new file mode 100644 index 00000000000..981dd004fc6 --- /dev/null +++ b/extra/yassl/certs/ca-cert.pem 
@@ -0,0 +1,53 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 0 (0x0) + Signature Algorithm: md5WithRSAEncryption + Issuer: C=US, ST=Oregon, L=Portland, O=sawtooth, CN=www.sawtooth-consulting.com/emailAddress=info@yassl.com + Validity + Not Before: Jan 18 20:12:32 2005 GMT + Not After : Oct 15 20:12:32 2007 GMT + Subject: C=US, ST=Oregon, L=Portland, O=sawtooth, CN=www.sawtooth-consulting.com/emailAddress=info@yassl.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (512 bit) + Modulus (512 bit): + 00:cf:2b:14:00:b0:3c:df:6f:9e:91:40:ec:c8:f6: + 90:b2:5b:b4:70:80:a5:a4:0a:73:c7:44:f3:2a:26: + c4:2f:f1:3a:f1:c3:c4:ac:fc:c3:d2:c3:bf:f5:d7: + 6a:38:42:ad:22:ab:c8:c4:4b:4c:1d:16:af:05:34: + 7d:79:97:5e:e1 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + CB:0F:1F:E9:A2:76:71:C9:E6:E8:23:A6:C1:18:B7:CC:44:CF:B9:84 + X509v3 Authority Key Identifier: + keyid:CB:0F:1F:E9:A2:76:71:C9:E6:E8:23:A6:C1:18:B7:CC:44:CF:B9:84 + DirName:/C=US/ST=Oregon/L=Portland/O=sawtooth/CN=www.sawtooth-consulting.com/emailAddress=info@yassl.com + serial:00 + + X509v3 Basic Constraints: + CA:TRUE + Signature Algorithm: md5WithRSAEncryption + 27:f7:3d:fb:39:6f:73:a4:86:f3:a0:48:22:60:84:e9:5c:3d: + 28:36:05:16:44:98:07:87:e1:5d:b5:f3:a7:bc:33:5f:f4:29: + a9:5f:87:33:df:e6:8e:bd:e2:f3:0a:c8:00:69:ae:3d:41:47: + 03:ea:0b:4c:67:45:4b:ab:f3:39 +-----BEGIN CERTIFICATE----- +MIIC7zCCApmgAwIBAgIBADANBgkqhkiG9w0BAQQFADCBiTELMAkGA1UEBhMCVVMx +DzANBgNVBAgTBk9yZWdvbjERMA8GA1UEBxMIUG9ydGxhbmQxETAPBgNVBAoTCHNh +d3Rvb3RoMSQwIgYDVQQDExt3d3cuc2F3dG9vdGgtY29uc3VsdGluZy5jb20xHTAb +BgkqhkiG9w0BCQEWDmluZm9AeWFzc2wuY29tMB4XDTA1MDExODIwMTIzMloXDTA3 +MTAxNTIwMTIzMlowgYkxCzAJBgNVBAYTAlVTMQ8wDQYDVQQIEwZPcmVnb24xETAP +BgNVBAcTCFBvcnRsYW5kMREwDwYDVQQKEwhzYXd0b290aDEkMCIGA1UEAxMbd3d3 +LnNhd3Rvb3RoLWNvbnN1bHRpbmcuY29tMR0wGwYJKoZIhvcNAQkBFg5pbmZvQHlh +c3NsLmNvbTBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDPKxQAsDzfb56RQOzI9pCy 
+W7RwgKWkCnPHRPMqJsQv8Trxw8Ss/MPSw7/112o4Qq0iq8jES0wdFq8FNH15l17h +AgMBAAGjgekwgeYwHQYDVR0OBBYEFMsPH+midnHJ5ugjpsEYt8xEz7mEMIG2BgNV +HSMEga4wgauAFMsPH+midnHJ5ugjpsEYt8xEz7mEoYGPpIGMMIGJMQswCQYDVQQG +EwJVUzEPMA0GA1UECBMGT3JlZ29uMREwDwYDVQQHEwhQb3J0bGFuZDERMA8GA1UE +ChMIc2F3dG9vdGgxJDAiBgNVBAMTG3d3dy5zYXd0b290aC1jb25zdWx0aW5nLmNv +bTEdMBsGCSqGSIb3DQEJARYOaW5mb0B5YXNzbC5jb22CAQAwDAYDVR0TBAUwAwEB +/zANBgkqhkiG9w0BAQQFAANBACf3Pfs5b3OkhvOgSCJghOlcPSg2BRZEmAeH4V21 +86e8M1/0KalfhzPf5o694vMKyABprj1BRwPqC0xnRUur8zk= +-----END CERTIFICATE----- diff --git a/extra/yassl/certs/client-cert.pem b/extra/yassl/certs/client-cert.pem new file mode 100644 index 00000000000..81110f17252 --- /dev/null +++ b/extra/yassl/certs/client-cert.pem 
@@ -0,0 +1,52 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 0 (0x0) + Signature Algorithm: md5WithRSAEncryption + Issuer: C=US, ST=Oregon, L=Portland, O=yaSSL, CN=www.yassl.com/emailAddress=info@yassl.com + Validity + Not Before: Jan 18 19:33:15 2005 GMT + Not After : Oct 15 19:33:15 2007 GMT + Subject: C=US, ST=Oregon, L=Portland, O=yaSSL, CN=www.yassl.com/emailAddress=info@yassl.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (512 bit) + Modulus (512 bit): + 00:cd:1f:78:47:f8:b8:d6:08:bf:bd:7c:23:61:86: + 36:28:ac:ee:3c:a8:9a:94:e6:d5:26:e8:71:50:b2: + 26:8b:1c:1e:3f:75:b2:d3:b3:67:95:0c:fd:76:28: + 65:d5:ce:12:82:9e:06:00:a2:09:dd:ce:3a:26:dd: + 46:2a:a0:45:71 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + AE:25:5E:FA:4D:A3:5B:2B:87:DE:F1:2A:F5:42:C0:FF:CE:B5:B4:AD + X509v3 Authority Key Identifier: + keyid:AE:25:5E:FA:4D:A3:5B:2B:87:DE:F1:2A:F5:42:C0:FF:CE:B5:B4:AD + DirName:/C=US/ST=Oregon/L=Portland/O=yaSSL/CN=www.yassl.com/emailAddress=info@yassl.com + serial:00 + + X509v3 Basic Constraints: + CA:TRUE + Signature Algorithm: md5WithRSAEncryption + c5:82:26:0c:1f:61:01:14:b0:ce:18:99:64:91:0e:f1:f8:90: + 3e:a3:0e:be:38:7c:97:ba:05:c9:2a:dc:dd:62:2d:12:61:79: + 7a:86:b1:97:5d:1e:e8:f7:e8:32:34:f7:8f:b1:08:3d:13:71: + a6:3c:15:91:85:12:35:6e:78:87 +-----BEGIN CERTIFICATE----- +MIICtzCCAmGgAwIBAgIBADANBgkqhkiG9w0BAQQFADB4MQswCQYDVQQGEwJVUzEP +MA0GA1UECBMGT3JlZ29uMREwDwYDVQQHEwhQb3J0bGFuZDEOMAwGA1UEChMFeWFT +U0wxFjAUBgNVBAMTDXd3dy55YXNzbC5jb20xHTAbBgkqhkiG9w0BCQEWDmluZm9A +eWFzc2wuY29tMB4XDTA1MDExODE5MzMxNVoXDTA3MTAxNTE5MzMxNVoweDELMAkG +A1UEBhMCVVMxDzANBgNVBAgTBk9yZWdvbjERMA8GA1UEBxMIUG9ydGxhbmQxDjAM +BgNVBAoTBXlhU1NMMRYwFAYDVQQDEw13d3cueWFzc2wuY29tMR0wGwYJKoZIhvcN +AQkBFg5pbmZvQHlhc3NsLmNvbTBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDNH3hH ++LjWCL+9fCNhhjYorO48qJqU5tUm6HFQsiaLHB4/dbLTs2eVDP12KGXVzhKCngYA +ogndzjom3UYqoEVxAgMBAAGjgdUwgdIwHQYDVR0OBBYEFK4lXvpNo1srh97xKvVC 
+wP/OtbStMIGiBgNVHSMEgZowgZeAFK4lXvpNo1srh97xKvVCwP/OtbStoXykejB4 +MQswCQYDVQQGEwJVUzEPMA0GA1UECBMGT3JlZ29uMREwDwYDVQQHEwhQb3J0bGFu +ZDEOMAwGA1UEChMFeWFTU0wxFjAUBgNVBAMTDXd3dy55YXNzbC5jb20xHTAbBgkq +hkiG9w0BCQEWDmluZm9AeWFzc2wuY29tggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZI +hvcNAQEEBQADQQDFgiYMH2EBFLDOGJlkkQ7x+JA+ow6+OHyXugXJKtzdYi0SYXl6 +hrGXXR7o9+gyNPePsQg9E3GmPBWRhRI1bniH +-----END CERTIFICATE----- diff --git a/extra/yassl/certs/client-key.pem b/extra/yassl/certs/client-key.pem new file mode 100644 index 00000000000..6898b2796fa --- /dev/null +++ b/extra/yassl/certs/client-key.pem @@ -0,0 +1,9 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIBOgIBAAJBAM0feEf4uNYIv718I2GGNiis7jyompTm1SbocVCyJoscHj91stOz +Z5UM/XYoZdXOEoKeBgCiCd3OOibdRiqgRXECAwEAAQJAXwa6OVVvg7Bv63+MAI0l +n/hlMfLGEj9R9gFvJXwywPSEQhijOZmedpHALufFPNHtwba9dmbqMkBAw9JDaAgg +QQIhAO+mBaSmoG5AYVKYQZiASe/2wMZjaQSN+zFLyF97OX8ZAiEA2x5iRmXUkbOT +8Td/vx8R9mq9W5CJu+cN+SWGwTYhPBkCIGZFM6NQeKaUUvQshdHO7b66Twpa4jZP +YSNoc9pLe/4BAiB+jIvBkKo2A/rbg2waG32qTXdTXKTPiuA9Fnk/OV30cQIhANuA +uMdo+T+rYcNGJ1hCYKDe9JWBpNfSQ+H/A7sWuW8L +-----END RSA PRIVATE KEY----- diff --git a/extra/yassl/certs/dsa-cert.pem b/extra/yassl/certs/dsa-cert.pem new file mode 100644 index 00000000000..ecca18dae82 --- /dev/null +++ b/extra/yassl/certs/dsa-cert.pem 
@@ -0,0 +1,68 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 0 (0x0) + Signature Algorithm: dsaWithSHA1 + Issuer: C=US, ST=Oregon, L=Portland, O=yaSSL DSA, CN=yaSSL DSA/emailAddress=info@yassl.com + Validity + Not Before: Jan 23 22:54:51 2005 GMT + Not After : Oct 20 22:54:51 2007 GMT + Subject: C=US, ST=Oregon, L=Portland, O=yaSSL DSA, CN=yaSSL DSA/emailAddress=info@yassl.com + Subject Public Key Info: + Public Key Algorithm: dsaEncryption + DSA Public Key: + pub: + 04:84:a0:26:31:72:0c:e8:4f:5d:53:17:62:b1:80: + ca:c0:16:5f:c3:1e:ea:c5:d9:98:38:f9:be:56:53: + 47:68:ce:08:22:57:1c:bb:0d:77:91:cf:5b:36:ed: + f3:24:82:90:8a:cd:90:7c:db:77:f9:17:2d:73:73: + ef:bb:b9:82 + P: + 00:99:29:69:80:c9:3c:98:68:45:a9:82:fe:67:eb: + 95:88:c5:b4:0c:d6:26:45:95:19:2c:a0:20:5b:7e: + df:69:e9:dc:c3:0f:f3:61:0a:25:9b:f2:21:01:6a: + cd:aa:8c:37:e7:ca:66:db:56:f4:0f:7d:7a:d1:18: + b9:42:fd:1b:11 + Q: + 00:ad:25:29:ab:0a:9f:09:1c:c1:ad:03:20:76:7f: + a6:b7:dd:4d:03:09 + G: + 12:88:99:da:e7:d0:0b:93:9b:e6:ee:3c:21:7f:9c: + b3:b4:8d:a5:8c:e2:37:80:3f:17:d1:81:4f:bd:f0: + 71:b6:32:08:54:dd:bf:01:e2:b3:77:06:64:75:8a: + 04:d6:79:39:b1:02:03:03:c6:06:74:e5:90:05:0a: + 10:46:19:31 + X509v3 extensions: + X509v3 Subject Key Identifier: + BE:F9:8C:5D:D6:1C:B4:EE:81:DD:36:56:0A:21:E4:61:44:73:E9:E2 + X509v3 Authority Key Identifier: + keyid:BE:F9:8C:5D:D6:1C:B4:EE:81:DD:36:56:0A:21:E4:61:44:73:E9:E2 + DirName:/C=US/ST=Oregon/L=Portland/O=yaSSL DSA/CN=yaSSL DSA/emailAddress=info@yassl.com + serial:00 + + X509v3 Basic Constraints: + CA:TRUE + Signature Algorithm: dsaWithSHA1 + 30:2b:02:14:74:46:9f:91:7b:24:17:3b:ee:0f:10:e3:76:62: + f4:dc:81:e6:fd:fe:02:13:08:f4:87:0a:ab:ba:9c:de:3a:69: + 72:59:b8:ec:e9:57:f4:bf:37 +-----BEGIN CERTIFICATE----- +MIIDMTCCAvKgAwIBAgIBADAJBgcqhkjOOAQDMHgxCzAJBgNVBAYTAlVTMQ8wDQYD +VQQIEwZPcmVnb24xETAPBgNVBAcTCFBvcnRsYW5kMRIwEAYDVQQKEwl5YVNTTCBE +U0ExEjAQBgNVBAMTCXlhU1NMIERTQTEdMBsGCSqGSIb3DQEJARYOaW5mb0B5YXNz 
+bC5jb20wHhcNMDUwMTIzMjI1NDUxWhcNMDcxMDIwMjI1NDUxWjB4MQswCQYDVQQG +EwJVUzEPMA0GA1UECBMGT3JlZ29uMREwDwYDVQQHEwhQb3J0bGFuZDESMBAGA1UE +ChMJeWFTU0wgRFNBMRIwEAYDVQQDEwl5YVNTTCBEU0ExHTAbBgkqhkiG9w0BCQEW +DmluZm9AeWFzc2wuY29tMIHwMIGoBgcqhkjOOAQBMIGcAkEAmSlpgMk8mGhFqYL+ +Z+uViMW0DNYmRZUZLKAgW37faencww/zYQolm/IhAWrNqow358pm21b0D3160Ri5 +Qv0bEQIVAK0lKasKnwkcwa0DIHZ/prfdTQMJAkASiJna59ALk5vm7jwhf5yztI2l +jOI3gD8X0YFPvfBxtjIIVN2/AeKzdwZkdYoE1nk5sQIDA8YGdOWQBQoQRhkxA0MA +AkAEhKAmMXIM6E9dUxdisYDKwBZfwx7qxdmYOPm+VlNHaM4IIlccuw13kc9bNu3z +JIKQis2QfNt3+Rctc3Pvu7mCo4HVMIHSMB0GA1UdDgQWBBS++Yxd1hy07oHdNlYK +IeRhRHPp4jCBogYDVR0jBIGaMIGXgBS++Yxd1hy07oHdNlYKIeRhRHPp4qF8pHow +eDELMAkGA1UEBhMCVVMxDzANBgNVBAgTBk9yZWdvbjERMA8GA1UEBxMIUG9ydGxh +bmQxEjAQBgNVBAoTCXlhU1NMIERTQTESMBAGA1UEAxMJeWFTU0wgRFNBMR0wGwYJ +KoZIhvcNAQkBFg5pbmZvQHlhc3NsLmNvbYIBADAMBgNVHRMEBTADAQH/MAkGByqG +SM44BAMDLgAwKwIUdEafkXskFzvuDxDjdmL03IHm/f4CEwj0hwqrupzeOmlyWbjs +6Vf0vzc= +-----END CERTIFICATE----- diff --git a/extra/yassl/certs/dsa512.pem b/extra/yassl/certs/dsa512.pem new file mode 100644 index 00000000000..04a3dd94a77 --- /dev/null +++ b/extra/yassl/certs/dsa512.pem @@ -0,0 +1,8 @@ +-----BEGIN DSA PRIVATE KEY----- +MIH3AgEAAkEAmSlpgMk8mGhFqYL+Z+uViMW0DNYmRZUZLKAgW37faencww/zYQol +m/IhAWrNqow358pm21b0D3160Ri5Qv0bEQIVAK0lKasKnwkcwa0DIHZ/prfdTQMJ +AkASiJna59ALk5vm7jwhf5yztI2ljOI3gD8X0YFPvfBxtjIIVN2/AeKzdwZkdYoE +1nk5sQIDA8YGdOWQBQoQRhkxAkAEhKAmMXIM6E9dUxdisYDKwBZfwx7qxdmYOPm+ +VlNHaM4IIlccuw13kc9bNu3zJIKQis2QfNt3+Rctc3Pvu7mCAhQjg+e+aqykxwwc +E2V27tjDFY02uA== +-----END DSA PRIVATE KEY----- diff --git a/extra/yassl/certs/server-cert.pem b/extra/yassl/certs/server-cert.pem new file mode 100644 index 00000000000..403dabdf5fa --- /dev/null +++ b/extra/yassl/certs/server-cert.pem 
@@ -0,0 +1,38 @@ +Certificate: + Data: + Version: 1 (0x0) + Serial Number: 1 (0x1) + Signature Algorithm: md5WithRSAEncryption + Issuer: C=US, ST=Oregon, L=Portland, O=sawtooth, CN=www.sawtooth-consulting.com/emailAddress=info@yassl.com + Validity + Not Before: Jan 18 20:50:59 2005 GMT + Not After : Oct 15 20:50:59 2007 GMT + Subject: C=US, ST=Oregon, L=Portland, O=taoSoftDev, CN=www.taosoftdev.com/emailAddress=info@yassl.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (512 bit) + Modulus (512 bit): + 00:a4:68:bb:bc:b7:27:5f:3c:f5:78:c6:1a:af:b9: + 95:fc:7e:61:1f:a8:81:0a:ca:43:88:9a:03:e0:d0: + a6:79:70:16:34:b9:7c:75:54:ca:70:19:66:38:be: + 6e:28:7e:a5:ff:6b:3c:83:2f:39:42:c3:15:f3:bd: + f2:25:93:22:e7 + Exponent: 65537 (0x10001) + Signature Algorithm: md5WithRSAEncryption + 08:36:07:8c:3a:7f:f9:91:0a:82:d1:6a:c1:34:be:bc:2d:b2: + 20:98:dc:45:50:53:9c:66:e6:26:71:bd:fa:d2:b4:91:d3:53: + c0:20:05:c0:b6:84:9a:5f:3f:61:75:f5:fd:c6:ec:e2:f6:9f: + a2:13:17:a9:b7:83:60:cc:cb:eb +-----BEGIN CERTIFICATE----- +MIIB9zCCAaECAQEwDQYJKoZIhvcNAQEEBQAwgYkxCzAJBgNVBAYTAlVTMQ8wDQYD +VQQIEwZPcmVnb24xETAPBgNVBAcTCFBvcnRsYW5kMREwDwYDVQQKEwhzYXd0b290 +aDEkMCIGA1UEAxMbd3d3LnNhd3Rvb3RoLWNvbnN1bHRpbmcuY29tMR0wGwYJKoZI +hvcNAQkBFg5pbmZvQHlhc3NsLmNvbTAeFw0wNTAxMTgyMDUwNTlaFw0wNzEwMTUy +MDUwNTlaMIGCMQswCQYDVQQGEwJVUzEPMA0GA1UECBMGT3JlZ29uMREwDwYDVQQH +EwhQb3J0bGFuZDETMBEGA1UEChMKdGFvU29mdERldjEbMBkGA1UEAxMSd3d3LnRh +b3NvZnRkZXYuY29tMR0wGwYJKoZIhvcNAQkBFg5pbmZvQHlhc3NsLmNvbTBcMA0G +CSqGSIb3DQEBAQUAA0sAMEgCQQCkaLu8tydfPPV4xhqvuZX8fmEfqIEKykOImgPg +0KZ5cBY0uXx1VMpwGWY4vm4ofqX/azyDLzlCwxXzvfIlkyLnAgMBAAEwDQYJKoZI +hvcNAQEEBQADQQAINgeMOn/5kQqC0WrBNL68LbIgmNxFUFOcZuYmcb360rSR01PA +IAXAtoSaXz9hdfX9xuzi9p+iExept4NgzMvr +-----END CERTIFICATE----- diff --git a/extra/yassl/certs/server-key.pem b/extra/yassl/certs/server-key.pem new file mode 100644 index 00000000000..d6055c4cfd8 --- /dev/null +++ b/extra/yassl/certs/server-key.pem 
@@ -0,0 +1,9 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIBOQIBAAJBAKRou7y3J1889XjGGq+5lfx+YR+ogQrKQ4iaA+DQpnlwFjS5fHVU +ynAZZji+bih+pf9rPIMvOULDFfO98iWTIucCAwEAAQJABLVvMw931DV1vljGKORC +1HF2LKbx0zJJzt7CX6z6J54vcE79K3NYXdU6o7/j1WTtfD47tFG+4ljGvSYPmrCI +2QIhANfiY6is6JUJGGgeMxyWeQRPXfaE9Yrk6OhxHhpYf5CTAiEAwvWraeLPy/NE +B+0w80mh8tCv2tpuKaYMOG53XpYX3N0CIDy/Bj3rUZLGOWjqvoUXzjupPY5lgVYw +7Vyin87YAiUjAiAgM8X5em5KSMc+6+2+8bWfTtsNMjEqDfRMyepLpE0SvQIgTSYL +WWfcZoRUPDM9GEuQ40nifVNjobzvjTW4aYyHCEI= +-----END RSA PRIVATE KEY----- diff --git a/extra/yassl/certs/taoCert.txt b/extra/yassl/certs/taoCert.txt new file mode 100644 index 00000000000..585293e4f2b --- /dev/null +++ b/extra/yassl/certs/taoCert.txt @@ -0,0 +1,50 @@ + +***** Create a self signed cert ************ + +1) openssl genrsa 512 > client-key.pem + +2) openssl req -new -x509 -nodes -md5 -days 1000 -key client-key.pem > client-cert.pem + +-- adding metadata to beginning + +3) openssl x509 -in client-cert.pem -text > tmp.pem + +4) mv tmp.pem client-cert.pem + + +***** Create a CA, signing authority ********** + +same as self signed, use ca prefix instead of client + + +***** Create a cert signed by CA ************** + +1) openssl req -newkey rsa:512 -md5 -days 1000 -nodes -keyout server-key.pem > server-req.pem + +2) copy ca-key.pem ca-cert.srl (why ????) + +3) openssl x509 -req -in server-req.pem -days 1000 -md5 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem + + + +***** To create a dsa cert ******************** + +1) openssl dsaparam 512 > dsa512.param # creates group params + +2) openssl gendsa dsa512.param > dsa512.pem # creates private key + +3) openssl req -new -x509 -nodes -days 1000 -key dsa512.pem > dsa-cert.pem + + + + +***** To convert from PEM to DER ************** + +a) openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER + +to convert rsa private PEM to DER : + +b) openssl rsa -in key.pem -outform DER -out key.der + + + 
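Review bot: server-key.pem is an unencrypted RSA private key committed next to its certificate, as are client-key.pem and dsa512.pem earlier in this patch, and nothing in the tree marks them as test fixtures. A one-line header in taoCert.txt (or the README entry for this release) stating that these keys are public test material for the yaSSL testsuite and must never be deployed would prevent accidental reuse. The matching certificates also stop being valid in October 2007 (`Not After : Oct 15 20:50:59 2007 GMT` on server-cert.pem), so validity checks in the testsuite will start failing then; recording that date alongside the regeneration steps taoCert.txt already sketches would help whoever has to refresh them.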
diff --git a/extra/yassl/examples/client/client.cpp b/extra/yassl/examples/client/client.cpp index 704a8e76637..3acd091baad 100644 --- a/extra/yassl/examples/client/client.cpp +++ b/extra/yassl/examples/client/client.cpp @@ -33,10 +33,10 @@ void client_test(void* args) const char* cipher = 0; int index = 0; char list[1024]; - strcpy(list, "cipherlist"); + strncpy(list, "cipherlist", 11); while ( (cipher = SSL_get_cipher_list(ssl, index++)) ) { - strcat(list, ":"); - strcat(list, cipher); + strncat(list, ":", 2); + strncat(list, cipher, strlen(cipher) + 1); } printf("%s\n", list); printf("Using Cipher Suite %s\n", SSL_get_cipher(ssl)); diff --git a/extra/yassl/include/openssl/err.h b/extra/yassl/include/openssl/err.h index 054d0940509..45ac1ca2469 100644 --- a/extra/yassl/include/openssl/err.h +++ b/extra/yassl/include/openssl/err.h @@ -1,6 +1,6 @@ /* err.h for openssl */ -#ifndef ysSSL_err_h__ +#ifndef yaSSL_err_h__ #define yaSSL_err_h__ diff --git a/extra/yassl/include/openssl/md4.h b/extra/yassl/include/openssl/md4.h new file mode 100644 index 00000000000..2e99f977fca --- /dev/null +++ b/extra/yassl/include/openssl/md4.h @@ -0,0 +1 @@ +/* md4.h for libcurl */ diff --git a/extra/yassl/include/openssl/md5.h b/extra/yassl/include/openssl/md5.h index a1025b92782..dfaf9799c44 100644 --- a/extra/yassl/include/openssl/md5.h +++ b/extra/yassl/include/openssl/md5.h @@ -1 +1,4 @@ /* md5.h for openssl */ + +#include "ssl.h" /* in there for now */ + diff --git a/extra/yassl/include/openssl/pem.h b/extra/yassl/include/openssl/pem.h new file mode 100644 index 00000000000..b4c63d56a4d --- /dev/null +++ b/extra/yassl/include/openssl/pem.h @@ -0,0 +1 @@ +/* pem.h for libcurl */ diff --git a/extra/yassl/include/openssl/ssl.h b/extra/yassl/include/openssl/ssl.h index b6840d006df..03a0cfad15b 100644 --- a/extra/yassl/include/openssl/ssl.h +++ b/extra/yassl/include/openssl/ssl.h 
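Review bot: The `strncat` bounds in client_test are the source lengths (`2` and `strlen(cipher) + 1`), not the space remaining in `list`, so the rewrite behaves exactly like the `strcat` calls it replaces and `list[1024]` can still overflow on a long cipher list. Bound by the destination instead: `strncat(list, ":", sizeof(list) - strlen(list) - 1);` and `strncat(list, cipher, sizeof(list) - strlen(list) - 1);`. The `strncpy(list, "cipherlist", 11)` line is correct only because the literal is exactly ten characters; `snprintf(list, sizeof(list), "cipherlist")` states the intent without the magic number. client_test begins before the hunk and continues after it.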
@@ -29,6 +29,7 @@ #define yaSSL_openssl_h__ #include /* ERR_print fp */ +#include "opensslv.h" /* for version number */ #include "rsa.h" #if defined(__cplusplus) && !defined(YASSL_MYSQL_COMPATIBLE) @@ -102,7 +103,6 @@ void X509_free(X509*); typedef struct BIO BIO; /* ASN stuff */ -typedef struct ASN1_TIME ASN1_TIME; @@ -345,8 +345,8 @@ long SSL_CTX_sess_set_cache_size(SSL_CTX*, long); long SSL_CTX_set_tmp_dh(SSL_CTX*, DH*); void OpenSSL_add_all_algorithms(void); -void SSL_library_init(); -void SSLeay_add_ssl_algorithms(void); +int SSL_library_init(); +int SSLeay_add_ssl_algorithms(void); SSL_CIPHER* SSL_get_current_cipher(SSL*); @@ -371,6 +371,10 @@ typedef unsigned char DES_cblock[8]; typedef const DES_cblock const_DES_cblock; typedef DES_cblock DES_key_schedule; +enum { + DES_ENCRYPT = 1, + DES_DECRYPT = 0 +}; const EVP_MD* EVP_md5(void); const EVP_CIPHER* EVP_des_ede3_cbc(void); 
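Review bot: `int SSL_library_init();` in the `@@ -345` hunk is declared with empty parentheses, which in C is an old-style non-prototype declaration, while the neighbouring `SSLeay_add_ssl_algorithms(void)` carries a proper prototype; since this header is consumed from C code (libcurl, the MySQL client), write `int SSL_library_init(void);` and match the definition in ssl.cpp's `@@ -723` hunk. The change of return type to `int` follows OpenSSL, but the implementation visible later in this patch only ever returns 1, so a comment such as `/* always returns 1; yaSSL needs no explicit initialisation */` next to the prototype would stop callers from looking for failure modes that cannot occur.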
@@ -392,6 +396,108 @@ int RAND_write_file(const char*); int RAND_load_file(const char*, long); +/* for libcurl */ +int RAND_status(void); + +int DES_set_key(const_DES_cblock*, DES_key_schedule*); +void DES_set_odd_parity(DES_cblock*); +void DES_ecb_encrypt(DES_cblock*, DES_cblock*, DES_key_schedule*, int); + +void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX*, void* userdata); +void SSL_SESSION_free(SSL_SESSION* session); + +X509* SSL_get_certificate(SSL* ssl); +EVP_PKEY* SSL_get_privatekey(SSL* ssl); +EVP_PKEY* X509_get_pubkey(X509* x); + +int EVP_PKEY_copy_parameters(EVP_PKEY* to, const EVP_PKEY* from); +void EVP_PKEY_free(EVP_PKEY* pkey); +void ERR_error_string_n(unsigned long e, char *buf, size_t len); +void ERR_free_strings(void); +void EVP_cleanup(void); + +void* X509_get_ext_d2i(X509* x, int nid, int* crit, int* idx); + +#define GEN_IPADD 7 +#define NID_subject_alt_name 85 +#define STACK_OF(x) x + + +/* defined here because libcurl dereferences */ +typedef struct ASN1_STRING { + int type; + int length; + unsigned char* data; +} ASN1_STRING; + + +typedef struct GENERAL_NAME { + int type; + union { + ASN1_STRING* ia5; + } d; +} GENERAL_NAME; + +void GENERAL_NAMES_free(STACK_OF(GENERAL_NAME) *x); + +int sk_GENERAL_NAME_num(STACK_OF(GENERAL_NAME) *x); +GENERAL_NAME* sk_GENERAL_NAME_value(STACK_OF(GENERAL_NAME) *x, int i); + + +unsigned char* ASN1_STRING_data(ASN1_STRING* x); +int ASN1_STRING_length(ASN1_STRING* x); +int ASN1_STRING_type(ASN1_STRING *x); + +typedef ASN1_STRING X509_NAME_ENTRY; + +int X509_NAME_get_index_by_NID(X509_NAME* name,int nid, int lastpos); + +ASN1_STRING* X509_NAME_ENTRY_get_data(X509_NAME_ENTRY* ne); +X509_NAME_ENTRY* X509_NAME_get_entry(X509_NAME* name, int loc); + +#define OPENSSL_malloc(x) malloc(x) +#define OPENSSL_free(x) free(x) + +int ASN1_STRING_to_UTF8(unsigned char** out, ASN1_STRING* in); + +SSL_METHOD* SSLv23_client_method(void); /* doesn't actually roll back */ +SSL_METHOD* SSLv2_client_method(void); /* will never work, 
no v 2 */ + + +SSL_SESSION* SSL_get1_session(SSL* ssl); /* what's ref count */ + + +#define CRYPTO_free(x) free(x) +#define ASN1_TIME ASN1_STRING + +ASN1_TIME* X509_get_notBefore(X509* x); +ASN1_TIME* X509_get_notAfter(X509* x); + + +#define ASN1_UTCTIME ASN1_STRING +#define NID_commonName 13 +#define V_ASN1_UTF8STRING 12 +#define GEN_DNS 2 + + +typedef struct MD4_CTX { + void* ptr; +} MD4_CTX; + +void MD4_Init(MD4_CTX*); +void MD4_Update(MD4_CTX*, const void*, unsigned long); +void MD4_Final(unsigned char*, MD4_CTX*); + + +typedef struct MD5_CTX { + int buffer[32]; /* big enough to hold, check size in Init */ +} MD5_CTX; + +void MD5_Init(MD5_CTX*); +void MD5_Update(MD5_CTX*, const void*, unsigned long); +void MD5_Final(unsigned char*, MD5_CTX*); + + #define SSL_DEFAULT_CIPHER_LIST "" /* default all */ diff --git a/extra/yassl/include/openssl/x509.h b/extra/yassl/include/openssl/x509.h new file mode 100644 index 00000000000..dcd847c0337 --- /dev/null +++ b/extra/yassl/include/openssl/x509.h @@ -0,0 +1 @@ +/* x509.h for libcurl */ diff --git a/extra/yassl/include/openssl/x509v3.h b/extra/yassl/include/openssl/x509v3.h new file mode 100644 index 00000000000..adf94af8f48 --- /dev/null +++ b/extra/yassl/include/openssl/x509v3.h @@ -0,0 +1 @@ +/* x509v3.h for libcurl */ diff --git a/extra/yassl/include/yassl_int.hpp b/extra/yassl/include/yassl_int.hpp index 935bae582ea..97ae468d2f9 100644 --- a/extra/yassl/include/yassl_int.hpp +++ b/extra/yassl/include/yassl_int.hpp @@ -34,6 +34,7 @@ #include "cert_wrapper.hpp" #include "log.hpp" #include "lock.hpp" +#include "openssl/ssl.h" // ASN1_STRING and DH namespace yaSSL { 
@@ -126,32 +127,70 @@ private: }; +// hold add crypt references provided to callers +class CryptProvider { + mySTL::list digestList_; + mySTL::list cipherList_; + CryptProvider() {} // only GetCryptProvider creates +public: + ~CryptProvider(); + + Digest* NewMd5(); + BulkCipher* NewDesEde(); + + friend CryptProvider& GetCryptProvider(); +private: + CryptProvider(const CryptProvider&); // hide copy + CryptProvider& operator=(const CryptProvider&); // and assign +}; + +CryptProvider& GetCryptProvider(); + #undef X509_NAME // wincrypt.h clash // openSSL X509 names class X509_NAME { char* name_; + size_t sz_; + ASN1_STRING entry_; public: X509_NAME(const char*, size_t sz); ~X509_NAME(); char* GetName(); + ASN1_STRING* GetEntry(int i); private: X509_NAME(const X509_NAME&); // hide copy X509_NAME& operator=(const X509_NAME&); // and assign }; +class StringHolder { + ASN1_STRING asnString_; +public: + StringHolder(const char* str, int sz); + ~StringHolder(); + + ASN1_STRING* GetString(); +}; + + // openSSL X509 class X509 { X509_NAME issuer_; X509_NAME subject_; + StringHolder beforeDate_; // not valid before + StringHolder afterDate_; // not valid after public: - X509(const char* i, size_t, const char* s, size_t); + X509(const char* i, size_t, const char* s, size_t, + const char* b, int, const char* a, int); ~X509() {} X509_NAME* GetIssuer(); X509_NAME* GetSubject(); + + ASN1_STRING* GetBefore(); + ASN1_STRING* GetAfter(); private: X509(const X509&); // hide copy X509& operator=(const X509&); // and assign diff --git a/extra/yassl/lib/dummy b/extra/yassl/lib/dummy new file mode 100644 index 00000000000..85c1efd587f --- /dev/null +++ b/extra/yassl/lib/dummy @@ -0,0 +1 @@ +// this is a dummy file diff --git a/extra/yassl/mySTL/helpers.hpp b/extra/yassl/mySTL/helpers.hpp index 5aa14d838b1..df79025197a 100644 --- a/extra/yassl/mySTL/helpers.hpp +++ b/extra/yassl/mySTL/helpers.hpp 
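Review bot: `ASN1_STRING* GetEntry(int i)` on X509_NAME hands back a pointer into the single `entry_` member, so the result is owned by the X509_NAME and its `data` buffer is freed and replaced by the next GetEntry() call on the same object; that contract is not stated, and a caller holding two entries at once (a loop over X509_NAME_get_entry would) silently ends up with the second one twice. Document it on the declaration, e.g. `// returns pointer to internal storage; invalidated by the next GetEntry() call`. The class comment `// hold add crypt references provided to callers` reads as a typo for `// holds crypt objects handed to callers so CleanUp() can free them`, and NewMd5/NewDesEde deserve a one-line note that the returned object remains owned by the provider and must not be deleted by the caller.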
@@ -44,6 +44,11 @@ return static_cast(d); } + // for compilers that want matching delete + inline void operator delete(void* ptr, Dummy* d) + { + } + typedef Dummy* yassl_pointer; namespace mySTL { diff --git a/extra/yassl/src/cert_wrapper.cpp b/extra/yassl/src/cert_wrapper.cpp index b98c7faf1d0..ae609b510ba 100644 --- a/extra/yassl/src/cert_wrapper.cpp +++ b/extra/yassl/src/cert_wrapper.cpp @@ -271,10 +271,13 @@ int CertManager::Validate() else peerKeyType_ = dsa_sa_algo; - int iSz = cert.GetIssuer() ? strlen(cert.GetIssuer()) + 1 : 0; - int sSz = cert.GetCommonName() ? strlen(cert.GetCommonName()) + 1 : 0; + int iSz = strlen(cert.GetIssuer()) + 1; + int sSz = strlen(cert.GetCommonName()) + 1; + int bSz = strlen(cert.GetBeforeDate()) + 1; + int aSz = strlen(cert.GetAfterDate()) + 1; peerX509_ = NEW_YS X509(cert.GetIssuer(), iSz, cert.GetCommonName(), - sSz); + sSz, cert.GetBeforeDate(), bSz, + cert.GetAfterDate(), aSz); } return 0; } diff --git a/extra/yassl/src/ssl.cpp b/extra/yassl/src/ssl.cpp index 1aab14009d3..97e0e9a1717 100644 --- a/extra/yassl/src/ssl.cpp +++ b/extra/yassl/src/ssl.cpp @@ -1,4 +1,4 @@ -/* ssl.cpp + /* ssl.cpp * * Copyright (C) 2003 Sawtooth Consulting Ltd. * @@ -36,6 +36,7 @@ #include "openssl/ssl.h" #include "handshake.hpp" #include "yassl_int.hpp" +#include "md5.hpp" // for TaoCrypt MD5 size assert #include #ifdef _WIN32 @@ -723,8 +724,10 @@ void OpenSSL_add_all_algorithms() // compatibility only {} -void SSL_library_init() // compatiblity only -{} +int SSL_library_init() // compatiblity only +{ + return 1; +} DH* DH_new(void) @@ -804,15 +807,13 @@ const char* X509_verify_cert_error_string(long /* error */) const EVP_MD* EVP_md5(void) { - // TODO: FIX add to some list for destruction - return NEW_YS MD5; + return GetCryptProvider().NewMd5(); } const EVP_CIPHER* EVP_des_ede3_cbc(void) { - // TODO: FIX add to some list for destruction - return NEW_YS DES_EDE; + return GetCryptProvider().NewDesEde(); } 
@@ -897,6 +898,275 @@ void DES_ede3_cbc_encrypt(const byte* input, byte* output, long sz, } +// functions for libcurl +int RAND_status() +{ + return 1; /* TaoCrypt provides enough seed */ +} + + +int DES_set_key(const_DES_cblock* key, DES_key_schedule* schedule) +{ + memcpy(schedule, key, sizeof(const_DES_cblock)); + return 1; +} + + +void DES_set_odd_parity(DES_cblock* key) +{ + // not needed now for TaoCrypt +} + + +void DES_ecb_encrypt(DES_cblock* input, DES_cblock* output, + DES_key_schedule* key, int enc) +{ + DES des; + + if (enc) { + des.set_encryptKey(*key, 0); + des.encrypt(*output, *input, DES_BLOCK); + } + else { + des.set_decryptKey(*key, 0); + des.decrypt(*output, *input, DES_BLOCK); + } +} + + +void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX*, void* userdata) +{ + // yaSSL doesn't support yet, unencrypt your PEM file with userdata + // before handing off to yaSSL +} + + +X509* SSL_get_certificate(SSL* ssl) +{ + // only used to pass to get_privatekey which isn't used + return 0; +} + + +EVP_PKEY* SSL_get_privatekey(SSL* ssl) +{ + // only called, not used + return 0; +} + + +void SSL_SESSION_free(SSL_SESSION* session) +{ + // managed by singleton +} + + + +EVP_PKEY* X509_get_pubkey(X509* x) +{ + // called, not used though + return 0; +} + + +int EVP_PKEY_copy_parameters(EVP_PKEY* to, const EVP_PKEY* from) +{ + // called, not used though + return 0; +} + + +void EVP_PKEY_free(EVP_PKEY* pkey) +{ + // never allocated from above +} + + +void ERR_error_string_n(unsigned long e, char *buf, size_t len) +{ + if (len) ERR_error_string(e, buf); +} + + +void ERR_free_strings(void) +{ + // handled internally +} + + +void EVP_cleanup(void) +{ + // nothing to do yet +} + + +ASN1_TIME* X509_get_notBefore(X509* x) +{ + if (x) return x->GetBefore(); + return 0; +} + + +ASN1_TIME* X509_get_notAfter(X509* x) +{ + if (x) return x->GetAfter(); + return 0; +} + + +SSL_METHOD* SSLv23_client_method(void) /* doesn't actually roll back */ +{ + return SSLv3_client_method(); 
+} + + +SSL_METHOD* SSLv2_client_method(void) /* will never work, no v 2 */ +{ + return 0; +} + + +SSL_SESSION* SSL_get1_session(SSL* ssl) /* what's ref count */ +{ + return SSL_get_session(ssl); +} + + +void GENERAL_NAMES_free(STACK_OF(GENERAL_NAME) *x) +{ + // no extension names supported yet +} + + +int sk_GENERAL_NAME_num(STACK_OF(GENERAL_NAME) *x) +{ + // no extension names supported yet + return 0; +} + + +GENERAL_NAME* sk_GENERAL_NAME_value(STACK_OF(GENERAL_NAME) *x, int i) +{ + // no extension names supported yet + return 0; +} + + +unsigned char* ASN1_STRING_data(ASN1_STRING* x) +{ + if (x) return x->data; + return 0; +} + + +int ASN1_STRING_length(ASN1_STRING* x) +{ + if (x) return x->length; + return 0; +} + + +int ASN1_STRING_type(ASN1_STRING *x) +{ + if (x) return x->type; + return 0; +} + + +int X509_NAME_get_index_by_NID(X509_NAME* name,int nid, int lastpos) +{ + int idx = -1; // not found + const char* start = &name->GetName()[lastpos + 1]; + + switch (nid) { + case NID_commonName: + char* found = strstr(start, "/CN="); + if (found) { + found += 4; // advance to str + idx = found - start + lastpos + 1; + } + break; + } + + return idx; +} + + +ASN1_STRING* X509_NAME_ENTRY_get_data(X509_NAME_ENTRY* ne) +{ + // the same in yaSSL + return ne; +} + + +X509_NAME_ENTRY* X509_NAME_get_entry(X509_NAME* name, int loc) +{ + return name->GetEntry(loc); +} + + +// already formatted, caller responsible for freeing *out +int ASN1_STRING_to_UTF8(unsigned char** out, ASN1_STRING* in) +{ + if (!in) return 0; + + *out = (unsigned char*)malloc(in->length + 1); + if (*out) { + memcpy(*out, in->data, in->length); + (*out)[in->length] = 0; + } + return in->length; +} + + +void* X509_get_ext_d2i(X509* x, int nid, int* crit, int* idx) +{ + // no extensions supported yet + return 0; +} + + +void MD4_Init(MD4_CTX* md4) +{ + assert(0); // not yet supported, build compat. 
only +} + + +void MD4_Update(MD4_CTX* md4, const void* data, unsigned long sz) +{ +} + + +void MD4_Final(unsigned char* hash, MD4_CTX* md4) +{ +} + + +void MD5_Init(MD5_CTX* md5) +{ + // make sure we have a big enough buffer + typedef char ok[sizeof(md5->buffer) >= sizeof(TaoCrypt::MD5) ? 1 : -1]; + (void) sizeof(ok); + + // using TaoCrypt since no dynamic memory allocated + // and no destructor will be called + new (reinterpret_cast(md5->buffer)) TaoCrypt::MD5(); +} + + +void MD5_Update(MD5_CTX* md5, const void* data, unsigned long sz) +{ + reinterpret_cast(md5->buffer)->Update( + static_cast(data), static_cast(sz)); +} + + +void MD5_Final(unsigned char* hash, MD5_CTX* md5) +{ + reinterpret_cast(md5->buffer)->Final(hash); +} + + // functions for stunnel void RAND_screen() @@ -1098,8 +1368,10 @@ void DES_ede3_cbc_encrypt(const byte* input, byte* output, long sz, } - void SSLeay_add_ssl_algorithms() // compatibility only - {} + int SSLeay_add_ssl_algorithms() // compatibility only + { + return 1; + } void ERR_remove_state(unsigned long) diff --git a/extra/yassl/src/template_instnt.cpp b/extra/yassl/src/template_instnt.cpp index 5782df213ea..134deb00c75 100644 --- a/extra/yassl/src/template_instnt.cpp +++ b/extra/yassl/src/template_instnt.cpp 
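Review bot: `ERR_error_string_n` ignores `len` beyond checking that it is non-zero and passes `buf` straight to `ERR_error_string`, so a caller supplying a short buffer, which is the only reason to use the `_n` variant, gets an unbounded write. Format into a local buffer sized for ERR_error_string and copy at most `len - 1` bytes plus a terminator, as below. `MD4_Init` relies on `assert(0)`, which is compiled out under NDEBUG, leaving MD4_Init/Update/Final as silent no-ops that return an untouched `hash`; if MD4 is unsupported, fail unconditionally or state at the prototype that no digest is computed. `ASN1_STRING_to_UTF8` returns `in->length` even when `malloc` fails and `*out` is null; callers following the OpenSSL contract expect a negative value there, so `if (!*out) return -1;` is needed. This hunk also leaves `X509_NAME_get_index_by_NID` without a `default:` case and with a declaration (`char* found`) directly under a `case` label, which is worth braces for readability.
```cpp
void ERR_error_string_n(unsigned long e, char *buf, size_t len)
{
    if (len == 0) return;

    char tmp[ERR_STRING_BUF_SZ];   // placeholder: the size ERR_error_string() needs -- confirm
    ERR_error_string(e, tmp);

    size_t n = strlen(tmp);
    if (n > len - 1) n = len - 1;  // truncate to the caller's buffer
    memcpy(buf, tmp, n);
    buf[n] = 0;
}
```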
@@ -51,12 +51,16 @@ template class list; template class list; template class list; template class list; +template class list; +template class list; template void destroy*>(mySTL::pair*, mySTL::pair*); template yaSSL::del_ptr_zero for_each::iterator, yaSSL::del_ptr_zero>(mySTL::list::iterator, mySTL::list::iterator, yaSSL::del_ptr_zero); template yaSSL::del_ptr_zero for_each::iterator, yaSSL::del_ptr_zero>(mySTL::list::iterator, mySTL::list::iterator, yaSSL::del_ptr_zero); template yaSSL::del_ptr_zero for_each::iterator, yaSSL::del_ptr_zero>(mySTL::list::iterator, mySTL::list::iterator, yaSSL::del_ptr_zero); template yaSSL::del_ptr_zero for_each::iterator, yaSSL::del_ptr_zero>(mySTL::list::iterator, mySTL::list::iterator, yaSSL::del_ptr_zero); template yaSSL::del_ptr_zero for_each::iterator, yaSSL::del_ptr_zero>(mySTL::list::iterator, mySTL::list::iterator, yaSSL::del_ptr_zero); +template yaSSL::del_ptr_zero for_each::iterator, yaSSL::del_ptr_zero>(mySTL::list::iterator, mySTL::list::iterator, yaSSL::del_ptr_zero); +template yaSSL::del_ptr_zero for_each::iterator, yaSSL::del_ptr_zero>(mySTL::list::iterator, mySTL::list::iterator, yaSSL::del_ptr_zero); } namespace yaSSL { @@ -82,6 +86,7 @@ template void ysDelete(X509*); template void ysDelete(Message*); template void ysDelete(sslFactory*); template void ysDelete(Sessions*); +template void ysDelete(CryptProvider*); template void ysArrayDelete(unsigned char*); template void ysArrayDelete(char*); } diff --git a/extra/yassl/src/yassl_int.cpp b/extra/yassl/src/yassl_int.cpp index 396461a6ed5..2847217b417 100644 --- a/extra/yassl/src/yassl_int.cpp +++ b/extra/yassl/src/yassl_int.cpp @@ -28,7 +28,6 @@ #include "yassl_int.hpp" #include "handshake.hpp" #include "timer.hpp" -#include "openssl/ssl.h" // for DH #ifdef YASSL_PURE_C 
@@ -1375,16 +1374,51 @@ Sessions& GetSessions() static sslFactory* sslFactoryInstance = 0; -sslFactory& GetSSL_Factory(){ +sslFactory& GetSSL_Factory() +{ if (!sslFactoryInstance) sslFactoryInstance = NEW_YS sslFactory; return *sslFactoryInstance; } +static CryptProvider* cryptProviderInstance = 0; + +CryptProvider& GetCryptProvider() +{ + if (!cryptProviderInstance) + cryptProviderInstance = NEW_YS CryptProvider; + return *cryptProviderInstance; +} + + +CryptProvider::~CryptProvider() +{ + mySTL::for_each(digestList_.begin(), digestList_.end(), del_ptr_zero()); + mySTL::for_each(cipherList_.begin(), cipherList_.end(), del_ptr_zero()); +} + + +Digest* CryptProvider::NewMd5() +{ + Digest* ptr = NEW_YS MD5(); + digestList_.push_back(ptr); + return ptr; +} + + +BulkCipher* CryptProvider::NewDesEde() +{ + BulkCipher* ptr = NEW_YS DES_EDE(); + cipherList_.push_back(ptr); + return ptr; +} + + void CleanUp() { TaoCrypt::CleanUp(); + ysDelete(cryptProviderInstance); ysDelete(sslFactoryInstance); ysDelete(sessionsInstance); } @@ -1978,18 +2012,20 @@ void Security::set_resuming(bool b) X509_NAME::X509_NAME(const char* n, size_t sz) - : name_(0) + : name_(0), sz_(sz) { if (sz) { name_ = NEW_YS char[sz]; memcpy(name_, n, sz); } + entry_.data = 0; } X509_NAME::~X509_NAME() { ysArrayDelete(name_); + ysArrayDelete(entry_.data); } @@ -1999,8 +2035,10 @@ char* X509_NAME::GetName() } -X509::X509(const char* i, size_t iSz, const char* s, size_t sSz) - : issuer_(i, iSz), subject_(s, sSz) +X509::X509(const char* i, size_t iSz, const char* s, size_t sSz, + const char* b, int bSz, const char* a, int aSz) + : issuer_(i, iSz), subject_(s, sSz), + beforeDate_(b, bSz), afterDate_(a, aSz) {} 
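Review bot: `CryptProvider::NewMd5` and `NewDesEde` allocate and append on every call and only `~CryptProvider`, reached through CleanUp(), frees, so code that calls `EVP_md5()` or `EVP_des_ede3_cbc()` once per operation, which is the OpenSSL idiom because those return statics there, grows `digestList_`/`cipherList_` for the life of the process. Either hand out one cached instance per type if the objects can be shared safely, or document on the accessors that each call allocates and the memory is held until CleanUp(). `GetCryptProvider()` copies the unguarded lazy-init pattern of `GetSSL_Factory()` directly above it, so two threads racing on first use can create two providers; a comment `// not thread safe: first use must precede thread start` would at least match the existing factory. In the `@@ -1978` hunk on this line, X509_NAME's constructor sets only `entry_.data = 0`; initialise `entry_.length` and `entry_.type` as well so the struct is never partly indeterminate.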
@@ -2016,6 +2054,61 @@ X509_NAME* X509::GetSubject() } +ASN1_STRING* X509::GetBefore() +{ + return beforeDate_.GetString(); +} + + +ASN1_STRING* X509::GetAfter() +{ + return afterDate_.GetString(); +} + + +ASN1_STRING* X509_NAME::GetEntry(int i) +{ + if (i < 0 || i >= int(sz_)) + return 0; + + if (entry_.data) + ysArrayDelete(entry_.data); + entry_.data = NEW_YS byte[sz_]; // max size; + + memcpy(entry_.data, &name_[i], sz_ - i); + if (entry_.data[sz_ -i - 1]) { + entry_.data[sz_ - i] = 0; + entry_.length = sz_ - i; + } + else + entry_.length = sz_ - i - 1; + entry_.type = 0; + + return &entry_; +} + + +StringHolder::StringHolder(const char* str, int sz) +{ + asnString_.length = sz; + asnString_.data = NEW_YS byte[sz + 1]; + memcpy(asnString_.data, str, sz); + asnString_.type = 0; // not used for now +} + + +StringHolder::~StringHolder() +{ + ysArrayDelete(asnString_.data); +} + + +ASN1_STRING* StringHolder::GetString() +{ + return &asnString_; +} + + } // namespace diff --git a/extra/yassl/taocrypt/include/asn.hpp b/extra/yassl/taocrypt/include/asn.hpp index 6a1163fbb1c..da4c0ce1349 100644 --- a/extra/yassl/taocrypt/include/asn.hpp +++ b/extra/yassl/taocrypt/include/asn.hpp @@ -79,20 +79,27 @@ enum ASNIdFlag enum DNTags { - COMMON_NAME = 0x03 + COMMON_NAME = 0x03, // CN + SUR_NAME = 0x04, // SN + COUNTRY_NAME = 0x06, // C + LOCALITY_NAME = 0x07, // L + STATE_NAME = 0x08, // ST + ORG_NAME = 0x0a, // O + ORGUNIT_NAME = 0x0b // OU }; enum Constants { MIN_DATE_SZ = 13, - MAX_DATE_SZ = 15, + MAX_DATE_SZ = 16, MAX_ALGO_SZ = 16, MAX_LENGTH_SZ = 5, MAX_SEQ_SZ = 5, // enum(seq|con) + length(4) MAX_ALGO_SIZE = 9, MAX_DIGEST_SZ = 25, // SHA + enum(Bit or Octet) + length(4) - DSA_SIG_SZ = 40 + DSA_SIG_SZ = 40, + NAME_MAX = 512 // max total of all included names }; 
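Review bot: X509_NAME::GetEntry allocates `entry_.data` as `NEW_YS byte[sz_]` but, when the copied tail is not already NUL-terminated, writes `entry_.data[sz_ - i] = 0`, which for `i == 0` is index `sz_`, one past the allocation. Allocate one extra byte, `entry_.data = NEW_YS byte[sz_ + 1]; // max size + terminator`, so the terminator always fits whatever `i` is. The same "length + 1" rule is already followed by StringHolder a few lines below, so this brings the two in line.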
@@ -205,14 +212,14 @@ enum { SHA_SIZE = 20 }; // A Signing Authority class Signer { PublicKey key_; - char* name_; + char name_[NAME_MAX]; byte hash_[SHA_SIZE]; public: Signer(const byte* k, word32 kSz, const char* n, const byte* h); ~Signer(); const PublicKey& GetPublicKey() const { return key_; } - const char* GetCommonName() const { return name_; } + const char* GetName() const { return name_; } const byte* GetHash() const { return hash_; } private: @@ -245,6 +252,8 @@ public: const char* GetIssuer() const { return issuer_; } const char* GetCommonName() const { return subject_; } const byte* GetHash() const { return subjectHash_; } + const char* GetBeforeDate() const { return beforeDate_; } + const char* GetAfterDate() const { return afterDate_; } void DecodeToKey(); private: @@ -257,8 +266,10 @@ private: byte subjectHash_[SHA_SIZE]; // hash of all Names byte issuerHash_[SHA_SIZE]; // hash of all Names byte* signature_; - char* issuer_; // CommonName - char* subject_; // CommonName + char issuer_[NAME_MAX]; // Names + char subject_[NAME_MAX]; // Names + char beforeDate_[MAX_DATE_SZ]; // valid before date + char afterDate_[MAX_DATE_SZ]; // valid after date bool verify_; // Default to yes, but could be off void ReadHeader(); diff --git a/extra/yassl/taocrypt/src/asn.cpp b/extra/yassl/taocrypt/src/asn.cpp index 3efc26ab168..383fe65dea6 100644 --- a/extra/yassl/taocrypt/src/asn.cpp +++ b/extra/yassl/taocrypt/src/asn.cpp @@ -213,21 +213,17 @@ void PublicKey::AddToEnd(const byte* data, word32 len) Signer::Signer(const byte* k, word32 kSz, const char* n, const byte* h) - : key_(k, kSz), name_(0) + : key_(k, kSz) { - if (n) { int sz = strlen(n); - name_ = NEW_TC char[sz + 1]; memcpy(name_, n, sz); name_[sz] = 0; - } memcpy(hash_, h, SHA::DIGEST_SIZE); } Signer::~Signer() { - tcArrayDelete(name_); } 
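Review bot: Signer::Signer in asn.cpp now copies `strlen(n)` bytes into the fixed `name_[NAME_MAX]` without bounding the length, and the previous `if (n)` guard is gone, so a null or over-long name either dereferences null or overruns the array. Restore the guard and clamp the copy, e.g. `if (n) { size_t sz = strlen(n); if (sz >= NAME_MAX) sz = NAME_MAX - 1;` ahead of the memcpy, and set `name_[0] = 0` in the else branch. Names produced by CertDecoder::GetName are presumably meant to stay under NAME_MAX, but the constructor is public and the bound belongs here as well.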
@@ -424,17 +420,19 @@ void DH_Decoder::Decode(DH& key) CertDecoder::CertDecoder(Source& s, bool decode, SignerList* signers, bool noVerify, CertType ct) : BER_Decoder(s), certBegin_(0), sigIndex_(0), sigLength_(0), - signature_(0), issuer_(0), subject_(0), verify_(!noVerify) + signature_(0), verify_(!noVerify) { + issuer_[0] = 0; + subject_[0] = 0; + if (decode) Decode(signers, ct); + } CertDecoder::~CertDecoder() { - tcArrayDelete(subject_); - tcArrayDelete(issuer_); tcArrayDelete(signature_); } @@ -672,8 +670,12 @@ void CertDecoder::GetName(NameType nt) SHA sha; word32 length = GetSequence(); // length of all distinguished names + assert (length < NAME_MAX); length += source_.get_index(); + char* ptr = (nt == ISSUER) ? issuer_ : subject_; + word32 idx = 0; + while (source_.get_index() < length) { GetSet(); GetSequence(); @@ -694,13 +696,49 @@ void CertDecoder::GetName(NameType nt) byte id = source_.next(); b = source_.next(); // strType word32 strLen = GetLength(source_); + bool copy = false; if (id == COMMON_NAME) { - char*& ptr = (nt == ISSUER) ? issuer_ : subject_; - ptr = NEW_TC char[strLen + 1]; - memcpy(ptr, source_.get_current(), strLen); - ptr[strLen] = 0; + memcpy(&ptr[idx], "/CN=", 4); + idx += 4; + copy = true; + } + else if (id == SUR_NAME) { + memcpy(&ptr[idx], "/SN=", 4); + idx += 4; + copy = true; + } + else if (id == COUNTRY_NAME) { + memcpy(&ptr[idx], "/C=", 3); + idx += 3; + copy = true; + } + else if (id == LOCALITY_NAME) { + memcpy(&ptr[idx], "/L=", 3); + idx += 3; + copy = true; + } + else if (id == STATE_NAME) { + memcpy(&ptr[idx], "/ST=", 4); + idx += 4; + copy = true; } + else if (id == ORG_NAME) { + memcpy(&ptr[idx], "/O=", 3); + idx += 3; + copy = true; + } + else if (id == ORGUNIT_NAME) { + memcpy(&ptr[idx], "/OU=", 4); + idx += 4; + copy = true; + } + + if (copy) { + memcpy(&ptr[idx], source_.get_current(), strLen); + idx += strLen; + } + sha.Update(source_.get_current(), strLen); source_.advance(strLen); } 
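Review bot: The `assert (length < NAME_MAX)` added in the GetName hunk is the only bound on the name buffer, and it disappears under NDEBUG, so in a release build the `memcpy(&ptr[idx], ...)` calls copy into the fixed `issuer_`/`subject_` arrays with no runtime limit. Inside the loop nothing checks `strLen`, which comes from the certificate's own length field, against the bytes left in the sequence or the room left in `ptr`, so a malformed certificate can push `idx` past NAME_MAX before the terminator written in the following hunk. Replace the assert with a `source_.SetError(...)` and return, and check the remaining room before every prefix-plus-value copy; folding the seven prefix branches into one lookup puts that check in a single place. GetName's body continues past the end of this hunk.
```cpp
    word32 length = GetSequence();       // length of all distinguished names
    if (length >= NAME_MAX) {            // runtime bound, kept in release builds
        source_.SetError(/* TODO: existing malformed-certificate error code */);
        return;
    }
    length += source_.get_index();
    // … unchanged: ptr / idx setup, loop over SET and SEQUENCE, OID check …
        const char* prefix = 0;
        switch (id) {
        case COMMON_NAME:   prefix = "/CN="; break;
        case SUR_NAME:      prefix = "/SN="; break;
        case COUNTRY_NAME:  prefix = "/C=";  break;
        case LOCALITY_NAME: prefix = "/L=";  break;
        case STATE_NAME:    prefix = "/ST="; break;
        case ORG_NAME:      prefix = "/O=";  break;
        case ORGUNIT_NAME:  prefix = "/OU="; break;
        default: break;                  // unknown attribute: hashed below, not copied
        }
        if (prefix) {
            word32 pSz = strlen(prefix);
            if (strLen > length - source_.get_index() ||
                idx + pSz + strLen + 1 > NAME_MAX) {       // +1 for the terminator
                source_.SetError(/* TODO: existing malformed-certificate error code */);
                return;
            }
            memcpy(&ptr[idx], prefix, pSz);                   idx += pSz;
            memcpy(&ptr[idx], source_.get_current(), strLen); idx += strLen;
        }
        // … unchanged: sha.Update / source_.advance(strLen) …
```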
@@ -711,6 +749,8 @@ void CertDecoder::GetName(NameType nt) source_.advance(length); } } + ptr[idx++] = 0; + if (nt == ISSUER) sha.Final(issuerHash_); else @@ -744,6 +784,16 @@ void CertDecoder::GetDate(DateType dt) source_.SetError(BEFORE_DATE_E); else source_.SetError(AFTER_DATE_E); + + // save for later use + if (dt == BEFORE) { + memcpy(beforeDate_, date, length); + beforeDate_[length] = 0; + } + else { // after + memcpy(afterDate_, date, length); + afterDate_[length] = 0; + } } diff --git a/extra/yassl/taocrypt/src/integer.cpp b/extra/yassl/taocrypt/src/integer.cpp index 82a248ff7da..885ddfbf630 100644 --- a/extra/yassl/taocrypt/src/integer.cpp +++ b/extra/yassl/taocrypt/src/integer.cpp @@ -2428,7 +2428,7 @@ void PositiveMultiply(Integer& product, const Integer& a, const Integer& b) product.reg_.CleanNew(RoundupSize(aSize + bSize)); product.sign_ = Integer::POSITIVE; - WordBlock workspace(aSize + bSize); + AlignedWordBlock workspace(aSize + bSize); AsymmetricMultiply(product.reg_.get_buffer(), workspace.get_buffer(), a.reg_.get_buffer(), aSize, b.reg_.get_buffer(), bSize); } @@ -3375,7 +3375,7 @@ void PositiveDivide(Integer& remainder, Integer& quotient, quotient.reg_.CleanNew(RoundupSize(aSize-bSize+2)); quotient.sign_ = Integer::POSITIVE; - WordBlock T(aSize+2*bSize+4); + AlignedWordBlock T(aSize+2*bSize+4); Divide(remainder.reg_.get_buffer(), quotient.reg_.get_buffer(), T.get_buffer(), a.reg_.get_buffer(), aSize, b.reg_.get_buffer(), bSize); @@ -3595,7 +3595,7 @@ Integer Integer::InverseMod(const Integer &m) const return !u ? Zero() : (m*(*this-u)+1)/(*this); } - WordBlock T(m.reg_.size() * 4); + AlignedWordBlock T(m.reg_.size() * 4); Integer r((word)0, m.reg_.size()); unsigned k = AlmostInverse(r.reg_.get_buffer(), T.get_buffer(), reg_.get_buffer(), reg_.size(), diff --git a/extra/yassl/taocrypt/src/make.bat b/extra/yassl/taocrypt/src/make.bat index 5a2ae580b76..3acd50fc875 100644 --- a/extra/yassl/taocrypt/src/make.bat 
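Review bot: In the GetDate hunk, `beforeDate_[length] = 0` and `afterDate_[length] = 0` index members declared `char beforeDate_[MAX_DATE_SZ]` in asn.hpp; if the length check earlier in GetDate (outside this hunk) admits `length == MAX_DATE_SZ`, the terminator lands one past the end of the array. Either declare the two members `[MAX_DATE_SZ + 1]` or reject `length >= MAX_DATE_SZ` before the copy. The save runs even after `SetError(BEFORE_DATE_E)`/`SetError(AFTER_DATE_E)` has been recorded, presumably so the dates can still be reported; a one-line comment saying so would make that intent explicit. GetDate starts before this hunk.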
+++ b/extra/yassl/taocrypt/src/make.bat @@ -1,4 +1,4 @@ -# quick and dirty build file for testing different MSDEVs +REM quick and dirty build file for testing different MSDEVs setlocal set myFLAGS= /I../include /I../../mySTL /c /W3 /G6 /O2 diff --git a/extra/yassl/taocrypt/src/misc.cpp b/extra/yassl/taocrypt/src/misc.cpp index 3d0539187a7..4ef163a7f5d 100644 --- a/extra/yassl/taocrypt/src/misc.cpp +++ b/extra/yassl/taocrypt/src/misc.cpp @@ -25,6 +25,15 @@ #include "runtime.hpp" #include "misc.hpp" + +extern "C" { + + // for libcurl configure test, these are the signatures they use + // locking handled internally by library + char CRYPTO_lock() { return 0;} + char CRYPTO_add_lock() { return 0;} +} // extern "C" + #ifdef YASSL_PURE_C void* operator new(size_t sz, TaoCrypt::new_t) diff --git a/extra/yassl/taocrypt/taocrypt.dsp b/extra/yassl/taocrypt/taocrypt.dsp index 13b9a07419b..b741cef0096 100644 --- a/extra/yassl/taocrypt/taocrypt.dsp +++ b/extra/yassl/taocrypt/taocrypt.dsp @@ -64,7 +64,8 @@ LIB32=link.exe -lib # PROP Intermediate_Dir "Debug" # PROP Target_Dir "" # ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_MBCS" /D "_LIB" /YX /FD /GZ /c -# ADD CPP /nologo /MTd /W3 /Gm /ZI /Od /I "include" /I "..\mySTL" /D "WIN32" /D "_DEBUG" /D "_MBCS" /D "_LIB" /FR /YX /FD /GZ /c +# ADD CPP /nologo /MTd /W3 /Gm /ZI /Od /I "include" /I "..\mySTL" /D "WIN32" /D "_DEBUG" /D "_MBCS" /D "_LIB" /YX /FD /GZ /c +# SUBTRACT CPP /Fr # ADD BASE RSC /l 0x409 /d "_DEBUG" # ADD RSC /l 0x409 /d "_DEBUG" BSC32=bscmake.exe diff --git a/extra/yassl/testsuite/test.hpp b/extra/yassl/testsuite/test.hpp index 79d02b63558..7fe8656f6d2 100644 --- a/extra/yassl/testsuite/test.hpp +++ b/extra/yassl/testsuite/test.hpp 
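Review bot: The `CRYPTO_lock()` and `CRYPTO_add_lock()` stubs added to misc.cpp are exported with C linkage under the same names OpenSSL uses, but with signatures that do not match OpenSSL's; if a program ever links this library together with libcrypto, the two definitions collide and whichever the linker resolves first wins. If they exist only to satisfy a configure probe, guarding them with a dedicated build macro (or giving them hidden visibility) keeps them out of normal builds. At minimum the comment should say they are not functional lock implementations, e.g. `// stub: never call; present only so a configure link test succeeds`.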
@@ -305,8 +305,8 @@ inline void showPeer(SSL* ssl) char* subject = X509_NAME_oneline(X509_get_subject_name(peer), 0, 0); printf("peer's cert info:\n"); - printf("issuer is: %s\n", issuer); - printf("subject is: %s\n", subject); + printf("issuer : %s\n", issuer); + printf("subject: %s\n", subject); free(subject); free(issuer); diff --git a/extra/yassl/testsuite/testsuite.cpp b/extra/yassl/testsuite/testsuite.cpp index af988432a86..f8bbf698c70 100644 --- a/extra/yassl/testsuite/testsuite.cpp +++ b/extra/yassl/testsuite/testsuite.cpp @@ -146,10 +146,10 @@ int test_openSSL_des() (byte*)key, iv); byte cipher[16]; - DES_ede3_cbc_encrypt((byte*)data, cipher, dataSz, &key[0], &key[8], - &key[16], &iv, true); + DES_ede3_cbc_encrypt((byte*)data, cipher, dataSz, &key[0], &key[1], + &key[2], &iv, true); byte plain[16]; - DES_ede3_cbc_encrypt(cipher, plain, 16, &key[0], &key[8], &key[16], + DES_ede3_cbc_encrypt(cipher, plain, 16, &key[0], &key[1], &key[2], &iv, false); return 0; } diff --git a/extra/yassl/testsuite/testsuite.dsp b/extra/yassl/testsuite/testsuite.dsp index f896aa7f020..24c325fa878 100644 --- a/extra/yassl/testsuite/testsuite.dsp +++ b/extra/yassl/testsuite/testsuite.dsp @@ -42,7 +42,7 @@ RSC=rc.exe # PROP Ignore_Export_Lib 0 # PROP Target_Dir "" # ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c -# ADD CPP /nologo /MT /W3 /GX- /O2 /I "../taocrypt/include" /I "../include" /I "../mySTL" /D "NDEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "NO_MAIN_DRIVER" /YX /FD /c +# ADD CPP /nologo /MT /W3 /O2 /I "../taocrypt/include" /I "../include" /I "../mySTL" /D "NDEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "NO_MAIN_DRIVER" /YX /FD /c # ADD BASE RSC /l 0x409 /d "NDEBUG" # ADD RSC /l 0x409 /d "NDEBUG" BSC32=bscmake.exe 
@@ -67,7 +67,7 @@ LINK32=link.exe # PROP Ignore_Export_Lib 0 # PROP Target_Dir "" # ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c -# ADD CPP /nologo /MTd /W3 /Gm /GX- /ZI /Od /I "../taocrypt/include" /I "../include" /I "../mySTL" /D "_DEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "NO_MAIN_DRIVER" /FR /YX /FD /GZ /c +# ADD CPP /nologo /MTd /W3 /Gm /ZI /Od /I "../taocrypt/include" /I "../include" /I "../mySTL" /D "_DEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "NO_MAIN_DRIVER" /FR /YX /FD /GZ /c # ADD BASE RSC /l 0x409 /d "_DEBUG" # ADD RSC /l 0x409 /d "_DEBUG" BSC32=bscmake.exe -- cgit v1.2.1 From a6930c508275dc5f984209dc928c3f15619ec01d Mon Sep 17 00:00:00 2001 From: unknown Date: Wed, 3 May 2006 13:11:04 +0200 Subject: Add certs/ file extra/yassl/certs/client-cert.der: New BitKeeper file ``extra/yassl/certs/client-cert.der'' extra/yassl/certs/client-key.der: New BitKeeper file ``extra/yassl/certs/client-key.der'' extra/yassl/certs/dh1024.dat: New BitKeeper file ``extra/yassl/certs/dh1024.dat'' extra/yassl/certs/dsa512.der: New BitKeeper file ``extra/yassl/certs/dsa512.der'' --- extra/yassl/certs/client-cert.der | Bin 0 -> 701 bytes extra/yassl/certs/client-key.der | Bin 0 -> 320 bytes extra/yassl/certs/dh1024.dat | 2 ++ extra/yassl/certs/dsa512.der | Bin 0 -> 252 bytes 4 files changed, 2 insertions(+) create mode 100644 extra/yassl/certs/client-cert.der create mode 100644 extra/yassl/certs/client-key.der create mode 100644 extra/yassl/certs/dh1024.dat create mode 100644 extra/yassl/certs/dsa512.der diff --git a/extra/yassl/certs/client-cert.der b/extra/yassl/certs/client-cert.der new file mode 100644 index 00000000000..0127ead34a5 Binary files /dev/null and b/extra/yassl/certs/client-cert.der differ diff --git a/extra/yassl/certs/client-key.der b/extra/yassl/certs/client-key.der new file mode 100644 index 00000000000..8021a40c28e Binary files /dev/null and b/extra/yassl/certs/client-key.der differ 
diff --git a/extra/yassl/certs/dh1024.dat b/extra/yassl/certs/dh1024.dat new file mode 100644 index 00000000000..2db8fa78fe3 --- /dev/null +++ b/extra/yassl/certs/dh1024.dat @@ -0,0 +1,2 @@ +30818702818100DA9A18547FF03B385CC16508C173A7EF4EB61CB40EF8FEF3B31F145051676166BCDC3FE6B799FC394D08C26385F9413F896E09117E46209D6923602683CEA100924A6EE695281775C619DAA94EA8CB3691B4275B0183F1D39639EBC92995FE645D6C1BC28D409E585549BBD2C5DCDD6C208B04EADD8B7A6D997F72CBAD88390F020102 + diff --git a/extra/yassl/certs/dsa512.der b/extra/yassl/certs/dsa512.der new file mode 100644 index 00000000000..3cfc20dd0e9 Binary files /dev/null and b/extra/yassl/certs/dsa512.der differ -- cgit v1.2.1 From aa3c6eee12f5d5f373d86aa368c919d8fc22458e Mon Sep 17 00:00:00 2001 From: unknown Date: Wed, 3 May 2006 13:20:51 +0200 Subject: Add original unmodified certs file BitKeeper/deleted/.del-dh1024.dat~eb7af7494ea8ec62: Delete: extra/yassl/certs/dh1024.dat extra/yassl/certs/client-cert.der: Add original unmodified file extra/yassl/certs/client-key.der: Add original unmodified file extra/yassl/certs/dsa512.der: Add original unmodified file --- extra/yassl/certs/client-cert.der | Bin 701 -> 699 bytes extra/yassl/certs/client-key.der | Bin 320 -> 318 bytes extra/yassl/certs/dh1024.dat | 3 +-- extra/yassl/certs/dsa512.der | Bin 252 -> 250 bytes 4 files changed, 1 insertion(+), 2 deletions(-) diff --git a/extra/yassl/certs/client-cert.der b/extra/yassl/certs/client-cert.der index 0127ead34a5..b28e2753376 100644 Binary files a/extra/yassl/certs/client-cert.der and b/extra/yassl/certs/client-cert.der differ diff --git a/extra/yassl/certs/client-key.der b/extra/yassl/certs/client-key.der index 8021a40c28e..6e8b432a07c 100644 Binary files a/extra/yassl/certs/client-key.der and b/extra/yassl/certs/client-key.der differ diff --git a/extra/yassl/certs/dh1024.dat b/extra/yassl/certs/dh1024.dat index 2db8fa78fe3..86a95518278 100644 --- a/extra/yassl/certs/dh1024.dat +++ b/extra/yassl/certs/dh1024.dat 
@@ -1,2 +1 @@ -30818702818100DA9A18547FF03B385CC16508C173A7EF4EB61CB40EF8FEF3B31F145051676166BCDC3FE6B799FC394D08C26385F9413F896E09117E46209D6923602683CEA100924A6EE695281775C619DAA94EA8CB3691B4275B0183F1D39639EBC92995FE645D6C1BC28D409E585549BBD2C5DCDD6C208B04EADD8B7A6D997F72CBAD88390F020102 - +30818702818100DA9A18547FF03B385CC16508C173A7EF4EB61CB40EF8FEF3B31F145051676166BCDC3FE6B799FC394D08C26385F9413F896E09117E46209D6923602683CEA100924A6EE695281775C619DAA94EA8CB3691B4275B0183F1D39639EBC92995FE645D6C1BC28D409E585549BBD2C5DCDD6C208B04EADD8B7A6D997F72CBAD88390F020102 \ No newline at end of file diff --git a/extra/yassl/certs/dsa512.der b/extra/yassl/certs/dsa512.der index 3cfc20dd0e9..fe79ccb612b 100644 Binary files a/extra/yassl/certs/dsa512.der and b/extra/yassl/certs/dsa512.der differ -- cgit v1.2.1 From 0d717ccb7d8eab61e653ac1aec776bf8b34c4510 Mon Sep 17 00:00:00 2001 From: unknown Date: Wed, 3 May 2006 14:04:54 +0200 Subject: Add support for specifyihng the number of reconnec retries oin the command line --- client/mysqltest.c | 33 +++++++++++++++++++-------------- 1 file changed, 19 insertions(+), 14 deletions(-) diff --git a/client/mysqltest.c b/client/mysqltest.c index 7257958311f..828845f1dcd 100644 --- a/client/mysqltest.c +++ b/client/mysqltest.c @@ -87,14 +87,6 @@ #endif #define MAX_SERVER_ARGS 64 -/* - Sometimes in a test the client starts before - the server - to solve the problem, we try again - after some sleep if connection fails the first - time -*/ -#define CON_RETRY_SLEEP 2 -#define MAX_CON_TRIES 5 #define SLAVE_POLL_INTERVAL 300000 /* 0.3 of a sec */ #define DEFAULT_DELIMITER ";" 
@@ -108,7 +100,7 @@ enum {OPT_MANAGER_USER=256,OPT_MANAGER_HOST,OPT_MANAGER_PASSWD, OPT_MANAGER_PORT,OPT_MANAGER_WAIT_TIMEOUT, OPT_SKIP_SAFEMALLOC, OPT_SSL_SSL, OPT_SSL_KEY, OPT_SSL_CERT, OPT_SSL_CA, OPT_SSL_CAPATH, OPT_SSL_CIPHER,OPT_PS_PROTOCOL,OPT_SP_PROTOCOL,OPT_CURSOR_PROTOCOL, - OPT_VIEW_PROTOCOL, OPT_SSL_VERIFY_SERVER_CERT}; + OPT_VIEW_PROTOCOL, OPT_SSL_VERIFY_SERVER_CERT, OPT_MAX_CONNECT_RETRIES}; /* ************************************************************************ */ /* @@ -157,6 +149,7 @@ static int record = 0, opt_sleep=0; static char *db = 0, *pass=0; const char *user = 0, *host = 0, *unix_sock = 0, *opt_basedir="./"; static int port = 0; +static int opt_max_connect_retries; static my_bool opt_big_test= 0, opt_compress= 0, silent= 0, verbose = 0; static my_bool tty_password= 0; static my_bool ps_protocol= 0, ps_protocol_enabled= 0; @@ -2125,9 +2118,16 @@ void init_manager() db, port, sock NOTE - This function will try to connect to the given server MAX_CON_TRIES - times and sleep CON_RETRY_SLEEP seconds between attempts before - finally giving up. This helps in situation when the client starts + + Sometimes in a test the client starts before + the server - to solve the problem, we try again + after some sleep if connection fails the first + time + + This function will try to connect to the given server + "opt_max_connect_retries" times and sleep "connection_retry_sleep" + seconds between attempts before finally giving up. + This helps in situation when the client starts before the server (which happens sometimes). It will ignore any errors during these retries. One should use connect_n_handle_errors() if he expects a connection error and wants 
@@ -2142,8 +2142,9 @@ int safe_connect(MYSQL* mysql, const char *host, const char *user, { int con_error= 1; my_bool reconnect= 1; + static int connection_retry_sleep= 2; /* Seconds */ int i; - for (i= 0; i < MAX_CON_TRIES; ++i) + for (i= 0; i < opt_max_connect_retries; i++) { if (mysql_real_connect(mysql, host,user, pass, db, port, sock, CLIENT_MULTI_STATEMENTS | CLIENT_REMEMBER_OPTIONS)) @@ -2151,7 +2152,7 @@ int safe_connect(MYSQL* mysql, const char *host, const char *user, con_error= 0; break; } - sleep(CON_RETRY_SLEEP); + sleep(connection_retry_sleep); } /* TODO: change this to 0 in future versions, but the 'kill' test relies on @@ -2887,6 +2888,10 @@ static struct my_option my_long_options[] = {"compress", 'C', "Use the compressed server/client protocol.", (gptr*) &opt_compress, (gptr*) &opt_compress, 0, GET_BOOL, NO_ARG, 0, 0, 0, 0, 0, 0}, + {"max-connect-retries", OPT_MAX_CONNECT_RETRIES, + "Max number of connection attempts when connecting to server", + (gptr*) &opt_max_connect_retries, (gptr*) &opt_max_connect_retries, 0, + GET_INT, REQUIRED_ARG, 5, 1, 10, 0, 0, 0}, {"cursor-protocol", OPT_CURSOR_PROTOCOL, "Use cursors for prepared statements.", (gptr*) &cursor_protocol, (gptr*) &cursor_protocol, 0, GET_BOOL, NO_ARG, 0, 0, 0, 0, 0, 0}, -- cgit v1.2.1 From a3ea780839392f883b23625d2dcd4be6d1fa35f3 Mon Sep 17 00:00:00 2001 From: unknown Date: Wed, 3 May 2006 14:06:34 +0200 Subject: Add tests for connecting to server with invalid and blank certs. --- mysql-test/r/openssl_1.result | 11 +++++++++-- mysql-test/t/openssl_1.test | 42 ++++++++++++++++++++++++++++++++++++++++-- 2 files changed, 49 insertions(+), 4 deletions(-) diff --git a/mysql-test/r/openssl_1.result b/mysql-test/r/openssl_1.result index 91382619b6c..1fcfb11525e 100644 --- a/mysql-test/r/openssl_1.result +++ b/mysql-test/r/openssl_1.result 
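Review bot: `opt_max_connect_retries` is declared without an initializer in the earlier hunk (`static int opt_max_connect_retries;`), so it is 0 until option parsing has run; if safe_connect() can be reached before that, the new `for (i= 0; i < opt_max_connect_retries; i++)` loop makes zero attempts and reports a connection error. Initialising it to the option's default, `static int opt_max_connect_retries= 5;`, keeps the declaration and the my_long_options entry in step. `static int connection_retry_sleep= 2;` is a never-modified function-local with static storage; `const int connection_retry_sleep= 2; /* Seconds */` says what is meant. safe_connect's body continues past the end of this hunk.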
@@ -3,8 +3,8 @@ create table t1(f1 int); insert into t1 values (5); grant select on test.* to ssl_user1@localhost require SSL; grant select on test.* to ssl_user2@localhost require cipher "DHE-RSA-AES256-SHA"; -grant select on test.* to ssl_user3@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "/C=SE/L=Uppsala/O=MySQL AB/CN=MySQL Client/Email=abstract.mysql.developer@mysql.com"; -grant select on test.* to ssl_user4@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "/C=SE/L=Uppsala/O=MySQL AB/CN=MySQL Client/Email=abstract.mysql.developer@mysql.com" ISSUER "/C=SE/L=Uppsala/O=MySQL AB/CN=Abstract MySQL Developer/Email=abstract.mysql.developer@mysql.com"; +grant select on test.* to ssl_user3@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "/C=SE/L=Uppsala/O=MySQL AB/CN=MySQL Client/emailAddress=abstract.mysql.developer@mysql.com"; +grant select on test.* to ssl_user4@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "/C=SE/L=Uppsala/O=MySQL AB/CN=MySQL Client/emailAddress=abstract.mysql.developer@mysql.com" ISSUER "/C=SE/L=Uppsala/O=MySQL AB/CN=Abstract MySQL Developer/emailAddress=abstract.mysql.developer@mysql.com"; flush privileges; SHOW STATUS LIKE 'Ssl_cipher'; Variable_name Value @@ -41,3 +41,10 @@ ERROR 42000: DELETE command denied to user 'ssl_user4'@'localhost' for table 't1 drop user ssl_user1@localhost, ssl_user2@localhost, ssl_user3@localhost, ssl_user4@localhost; drop table t1; +mysqltest: Could not open connection 'default': 2026 SSL connection error +mysqltest: Could not open connection 'default': 2026 SSL connection error +mysqltest: Could not open connection 'default': 2026 SSL connection error +Error when connection to server using SSL:Unable to get private key from '' +mysqltest: Could not open connection 'default': 2026 SSL connection error +Error when connection to server using SSL:Unable to get certificate from '' +mysqltest: Could not open connection 'default': 2026 SSL connection error 
diff --git a/mysql-test/t/openssl_1.test b/mysql-test/t/openssl_1.test index 4cc9113048f..afee381f5b7 100644 --- a/mysql-test/t/openssl_1.test +++ b/mysql-test/t/openssl_1.test @@ -10,8 +10,8 @@ insert into t1 values (5); grant select on test.* to ssl_user1@localhost require SSL; grant select on test.* to ssl_user2@localhost require cipher "DHE-RSA-AES256-SHA"; -grant select on test.* to ssl_user3@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "/C=SE/L=Uppsala/O=MySQL AB/CN=MySQL Client/Email=abstract.mysql.developer@mysql.com"; -grant select on test.* to ssl_user4@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "/C=SE/L=Uppsala/O=MySQL AB/CN=MySQL Client/Email=abstract.mysql.developer@mysql.com" ISSUER "/C=SE/L=Uppsala/O=MySQL AB/CN=Abstract MySQL Developer/Email=abstract.mysql.developer@mysql.com"; +grant select on test.* to ssl_user3@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "/C=SE/L=Uppsala/O=MySQL AB/CN=MySQL Client/emailAddress=abstract.mysql.developer@mysql.com"; +grant select on test.* to ssl_user4@localhost require cipher "DHE-RSA-AES256-SHA" AND SUBJECT "/C=SE/L=Uppsala/O=MySQL AB/CN=MySQL Client/emailAddress=abstract.mysql.developer@mysql.com" ISSUER "/C=SE/L=Uppsala/O=MySQL AB/CN=Abstract MySQL Developer/emailAddress=abstract.mysql.developer@mysql.com"; flush privileges; connect (con1,localhost,ssl_user1,,,,,SSL); 
@@ -54,3 +54,41 @@ ssl_user3@localhost, ssl_user4@localhost; drop table t1; # End of 4.1 tests + +# +# Test that we can't open connection to server if we are using +# a different cacert +# +--exec echo "this query should not execute;" > $MYSQLTEST_VARDIR/tmp/test.sql +--error 1 +--exec $MYSQL_TEST --ssl-ca=$MYSQL_TEST_DIR/std_data/untrusted-cacert.pem --max-connect-retries=1 < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1 + +# +# Test that we can't open connection to server if we are using +# a blank ca +# +--error 1 +--exec $MYSQL_TEST --ssl-ca= --max-connect-retries=1 < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1 + +# +# Test that we can't open connection to server if we are using +# a nonexistent ca file +# +--error 1 +--exec $MYSQL_TEST --ssl-ca=nonexisting_file.pem --max-connect-retries=1 < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1 + +# +# Test that we can't open connection to server if we are using +# a blank client-key +# +--error 1 +--exec $MYSQL_TEST --ssl-key= --max-connect-retries=1 < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1 + +# +# Test that we can't open connection to server if we are using +# a blank client-cert +# +--error 1 +--exec $MYSQL_TEST --ssl-cert= --max-connect-retries=1 < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1 + + -- cgit v1.2.1 From 2030ef48c9f48c57b7bc409984ab3b22a3a0d2c7 Mon Sep 17 00:00:00 2001 From: unknown Date: Wed, 3 May 2006 14:09:08 +0200 Subject: Load CA certs before setting local certs. Make it possible to get the yaSSL error message printed in the DBUG log file. vio/viossl.c: Add possibility to print out the error from yaSSL. vio/viosslfactories.c: Load the CA certs before loading the certs for this client or server. Improved comments. --- vio/viossl.c | 26 ++++++++++++++++++-------- vio/viosslfactories.c | 21 +++++++++++---------- 2 files changed, 29 insertions(+), 18 deletions(-) diff --git a/vio/viossl.c b/vio/viossl.c index aa4cdda9f01..38654f05521 100644 --- a/vio/viossl.c +++ b/vio/viossl.c 
@@ -51,20 +51,30 @@ static int SSL_set_fd_bsd(SSL *s, int fd) static void -report_errors() +report_errors(SSL* ssl) { unsigned long l; const char *file; const char *data; int line,flags; + char buf[512]; + DBUG_ENTER("report_errors"); while ((l= ERR_get_error_line_data(&file,&line,&data,&flags))) { - char buf[512]; DBUG_PRINT("error", ("OpenSSL: %s:%s:%d:%s\n", ERR_error_string(l,buf), file,line,(flags&ERR_TXT_STRING)?data:"")) ; } + +#ifdef HAVE_YASSL + /* + The above calls to ERR_* doesn't return any messages when we + are using yaSSL since error is stored in the SSL object we used. + */ + if (ssl) + DBUG_PRINT("error", ("yaSSL: %s", ERR_error_string(SSL_get_error(ssl, l), buf))); +#endif DBUG_PRINT("info", ("errno: %d", socket_errno)); DBUG_VOID_RETURN; } @@ -81,7 +91,7 @@ int vio_ssl_read(Vio *vio, gptr buf, int size) { int err= SSL_get_error((SSL*) vio->ssl_arg, r); DBUG_PRINT("error",("SSL_read(): %d SSL_get_error(): %d", r, err)); - report_errors(); + report_errors((SSL*) vio->ssl_arg); } DBUG_PRINT("exit", ("%d", r)); DBUG_RETURN(r); @@ -95,7 +105,7 @@ int vio_ssl_write(Vio *vio, const gptr buf, int size) DBUG_PRINT("enter", ("sd: %d, buf: 0x%p, size: %d", vio->sd, buf, size)); if ((r= SSL_write((SSL*) vio->ssl_arg, buf, size)) < 0) - report_errors(); + report_errors((SSL*) vio->ssl_arg); DBUG_PRINT("exit", ("%d", r)); DBUG_RETURN(r); } @@ -148,7 +158,7 @@ int sslaccept(struct st_VioSSLFd *ptr, Vio *vio, long timeout) if (!(ssl= SSL_new(ptr->ssl_context))) { DBUG_PRINT("error", ("SSL_new failure")); - report_errors(); + report_errors(ssl); vio_reset(vio, old_type,vio->sd,0,FALSE); vio_blocking(vio, net_blocking, &unused); DBUG_RETURN(1); @@ -162,7 +172,7 @@ int sslaccept(struct st_VioSSLFd *ptr, Vio *vio, long timeout) if (SSL_do_handshake(ssl) < 1) { DBUG_PRINT("error", ("SSL_do_handshake failure")); - report_errors(); + report_errors(ssl); SSL_free(ssl); vio->ssl_arg= 0; vio_reset(vio, old_type,vio->sd,0,FALSE); 
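Review bot: In report_errors the yaSSL branch calls `SSL_get_error(ssl, l)` after the `while` loop, where `l` is necessarily 0 (that is the loop's exit condition), so the yaSSL message is always derived from a zero return code rather than from the call that failed. If the intent is the error for that call, pass its return value in, e.g. `report_errors(SSL *ssl, int ret)` with `SSL_get_error(ssl, ret)`, and have the six call sites in this file hand over `r` or the handshake result. Passing a null `ssl` from the `SSL_new` failure paths is safe because of the `if (ssl)` guard, but a comment at those call sites would make that deliberate.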
@@ -223,7 +233,7 @@ int sslconnect(struct st_VioSSLFd *ptr, Vio *vio, long timeout) if (!(ssl= SSL_new(ptr->ssl_context))) { DBUG_PRINT("error", ("SSL_new failure")); - report_errors(); + report_errors(ssl); vio_reset(vio, old_type, vio->sd, 0, FALSE); vio_blocking(vio, net_blocking, &unused); DBUG_RETURN(1); @@ -237,7 +247,7 @@ int sslconnect(struct st_VioSSLFd *ptr, Vio *vio, long timeout) if (SSL_do_handshake(ssl) < 1) { DBUG_PRINT("error", ("SSL_do_handshake failure")); - report_errors(); + report_errors(ssl); SSL_free(ssl); vio->ssl_arg= 0; vio_reset(vio, old_type, vio->sd, 0, FALSE); diff --git a/vio/viosslfactories.c b/vio/viosslfactories.c index 2b3e80a98e4..f1d2b077367 100644 --- a/vio/viosslfactories.c +++ b/vio/viosslfactories.c @@ -103,7 +103,7 @@ vio_set_cert_stuff(SSL_CTX *ctx, const char *cert_file, const char *key_file) /* FIX stderr */ fprintf(stderr,"Error when connection to server using SSL:"); ERR_print_errors_fp(stderr); - fprintf(stderr,"Unable to get private key from '%s'\n", cert_file); + fprintf(stderr,"Unable to get private key from '%s'\n", key_file); fflush(stderr); DBUG_RETURN(1); } @@ -252,14 +252,7 @@ new_VioSSLFd(const char *key_file, const char *cert_file, DBUG_RETURN(0); } - if (vio_set_cert_stuff(ssl_fd->ssl_context, cert_file, key_file)) - { - DBUG_PRINT("error", ("vio_set_cert_stuff failed")); - report_errors(); - my_free((void*)ssl_fd,MYF(0)); - DBUG_RETURN(0); - } - + /* Load certs from the trusted ca */ if (SSL_CTX_load_verify_locations(ssl_fd->ssl_context, ca_file, ca_path) == 0) { DBUG_PRINT("warning", ("SSL_CTX_load_verify_locations failed")); @@ -272,6 +265,14 @@ new_VioSSLFd(const char *key_file, const char *cert_file, } } + if (vio_set_cert_stuff(ssl_fd->ssl_context, cert_file, key_file)) + { + DBUG_PRINT("error", ("vio_set_cert_stuff failed")); + report_errors(); + my_free((void*)ssl_fd,MYF(0)); + DBUG_RETURN(0); + } + /* DH stuff */ dh=get_dh512(); SSL_CTX_set_tmp_dh(ssl_fd->ssl_context, dh); 
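Review bot: The relocated `vio_set_cert_stuff` failure path frees `ssl_fd` but not `ssl_fd->ssl_context`, which was created earlier in new_VioSSLFd, so every failed certificate or key load leaks an SSL_CTX; add `SSL_CTX_free(ssl_fd->ssl_context);` before `my_free((void*)ssl_fd,MYF(0));`. The `SSL_CTX_load_verify_locations` failure branch just above is only partly visible, so check whether it has the same gap. new_VioSSLFd starts before this hunk.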
@@ -297,7 +298,7 @@ new_VioSSLConnectorFd(const char *key_file, const char *cert_file, return 0; } - /* Init the the VioSSLFd as a "connector" ie. the client side */ + /* Init the VioSSLFd as a "connector" ie. the client side */ /* The verify_callback function is used to control the behaviour -- cgit v1.2.1 From c99da1ea9b52ea842d0e83dfac5ca91d004e21a4 Mon Sep 17 00:00:00 2001 From: unknown Date: Wed, 3 May 2006 14:10:22 +0200 Subject: Add an untrusted cacert used when testing --- mysql-test/std_data/untrusted-cacert.pem | 53 ++++++++++++++++++++++++++++++++ 1 file changed, 53 insertions(+) create mode 100644 mysql-test/std_data/untrusted-cacert.pem diff --git a/mysql-test/std_data/untrusted-cacert.pem b/mysql-test/std_data/untrusted-cacert.pem new file mode 100644 index 00000000000..981dd004fc6 --- /dev/null +++ b/mysql-test/std_data/untrusted-cacert.pem 
@@ -0,0 +1,53 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 0 (0x0) + Signature Algorithm: md5WithRSAEncryption + Issuer: C=US, ST=Oregon, L=Portland, O=sawtooth, CN=www.sawtooth-consulting.com/emailAddress=info@yassl.com + Validity + Not Before: Jan 18 20:12:32 2005 GMT + Not After : Oct 15 20:12:32 2007 GMT + Subject: C=US, ST=Oregon, L=Portland, O=sawtooth, CN=www.sawtooth-consulting.com/emailAddress=info@yassl.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (512 bit) + Modulus (512 bit): + 00:cf:2b:14:00:b0:3c:df:6f:9e:91:40:ec:c8:f6: + 90:b2:5b:b4:70:80:a5:a4:0a:73:c7:44:f3:2a:26: + c4:2f:f1:3a:f1:c3:c4:ac:fc:c3:d2:c3:bf:f5:d7: + 6a:38:42:ad:22:ab:c8:c4:4b:4c:1d:16:af:05:34: + 7d:79:97:5e:e1 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + CB:0F:1F:E9:A2:76:71:C9:E6:E8:23:A6:C1:18:B7:CC:44:CF:B9:84 + X509v3 Authority Key Identifier: + keyid:CB:0F:1F:E9:A2:76:71:C9:E6:E8:23:A6:C1:18:B7:CC:44:CF:B9:84 + DirName:/C=US/ST=Oregon/L=Portland/O=sawtooth/CN=www.sawtooth-consulting.com/emailAddress=info@yassl.com + serial:00 + + X509v3 Basic Constraints: + CA:TRUE + Signature Algorithm: md5WithRSAEncryption + 27:f7:3d:fb:39:6f:73:a4:86:f3:a0:48:22:60:84:e9:5c:3d: + 28:36:05:16:44:98:07:87:e1:5d:b5:f3:a7:bc:33:5f:f4:29: + a9:5f:87:33:df:e6:8e:bd:e2:f3:0a:c8:00:69:ae:3d:41:47: + 03:ea:0b:4c:67:45:4b:ab:f3:39 +-----BEGIN CERTIFICATE----- +MIIC7zCCApmgAwIBAgIBADANBgkqhkiG9w0BAQQFADCBiTELMAkGA1UEBhMCVVMx +DzANBgNVBAgTBk9yZWdvbjERMA8GA1UEBxMIUG9ydGxhbmQxETAPBgNVBAoTCHNh +d3Rvb3RoMSQwIgYDVQQDExt3d3cuc2F3dG9vdGgtY29uc3VsdGluZy5jb20xHTAb +BgkqhkiG9w0BCQEWDmluZm9AeWFzc2wuY29tMB4XDTA1MDExODIwMTIzMloXDTA3 +MTAxNTIwMTIzMlowgYkxCzAJBgNVBAYTAlVTMQ8wDQYDVQQIEwZPcmVnb24xETAP +BgNVBAcTCFBvcnRsYW5kMREwDwYDVQQKEwhzYXd0b290aDEkMCIGA1UEAxMbd3d3 +LnNhd3Rvb3RoLWNvbnN1bHRpbmcuY29tMR0wGwYJKoZIhvcNAQkBFg5pbmZvQHlh +c3NsLmNvbTBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDPKxQAsDzfb56RQOzI9pCy 
+W7RwgKWkCnPHRPMqJsQv8Trxw8Ss/MPSw7/112o4Qq0iq8jES0wdFq8FNH15l17h +AgMBAAGjgekwgeYwHQYDVR0OBBYEFMsPH+midnHJ5ugjpsEYt8xEz7mEMIG2BgNV +HSMEga4wgauAFMsPH+midnHJ5ugjpsEYt8xEz7mEoYGPpIGMMIGJMQswCQYDVQQG +EwJVUzEPMA0GA1UECBMGT3JlZ29uMREwDwYDVQQHEwhQb3J0bGFuZDERMA8GA1UE +ChMIc2F3dG9vdGgxJDAiBgNVBAMTG3d3dy5zYXd0b290aC1jb25zdWx0aW5nLmNv +bTEdMBsGCSqGSIb3DQEJARYOaW5mb0B5YXNzbC5jb22CAQAwDAYDVR0TBAUwAwEB +/zANBgkqhkiG9w0BAQQFAANBACf3Pfs5b3OkhvOgSCJghOlcPSg2BRZEmAeH4V21 +86e8M1/0KalfhzPf5o694vMKyABprj1BRwPqC0xnRUur8zk= +-----END CERTIFICATE----- -- cgit v1.2.1 From f28dce2cc62bc0ba5ebf8e06911a9fd197c30634 Mon Sep 17 00:00:00 2001 From: unknown Date: Wed, 3 May 2006 15:53:59 +0200 Subject: Move "max-connect-retries" option to get alpabetichal order --- client/mysqltest.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/client/mysqltest.c b/client/mysqltest.c index 828845f1dcd..daaf378028e 100644 --- a/client/mysqltest.c +++ b/client/mysqltest.c @@ -2888,10 +2888,6 @@ static struct my_option my_long_options[] = {"compress", 'C', "Use the compressed server/client protocol.", (gptr*) &opt_compress, (gptr*) &opt_compress, 0, GET_BOOL, NO_ARG, 0, 0, 0, 0, 0, 0}, - {"max-connect-retries", OPT_MAX_CONNECT_RETRIES, - "Max number of connection attempts when connecting to server", - (gptr*) &opt_max_connect_retries, (gptr*) &opt_max_connect_retries, 0, - GET_INT, REQUIRED_ARG, 5, 1, 10, 0, 0, 0}, {"cursor-protocol", OPT_CURSOR_PROTOCOL, "Use cursors for prepared statements.", (gptr*) &cursor_protocol, (gptr*) &cursor_protocol, 0, GET_BOOL, NO_ARG, 0, 0, 0, 0, 0, 0}, 
@@ -2920,6 +2916,10 @@ static struct my_option my_long_options[] = {"manager-wait-timeout", OPT_MANAGER_WAIT_TIMEOUT, "Undocumented: Used for debugging.", (gptr*) &manager_wait_timeout, (gptr*) &manager_wait_timeout, 0, GET_INT, REQUIRED_ARG, 3, 0, 0, 0, 0, 0}, + {"max-connect-retries", OPT_MAX_CONNECT_RETRIES, + "Max number of connection attempts when connecting to server", + (gptr*) &opt_max_connect_retries, (gptr*) &opt_max_connect_retries, 0, + GET_INT, REQUIRED_ARG, 5, 1, 10, 0, 0, 0}, {"password", 'p', "Password to use when connecting to server.", 0, 0, 0, GET_STR, OPT_ARG, 0, 0, 0, 0, 0, 0}, {"port", 'P', "Port number to use for connection.", (gptr*) &port, -- cgit v1.2.1 From 7625dfc7fe5a709b7bf6d95c993657dadfb2dbb2 Mon Sep 17 00:00:00 2001 From: unknown Date: Wed, 3 May 2006 16:59:02 +0200 Subject: Remove C++ comments Formatting --- sql-common/client.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/sql-common/client.c b/sql-common/client.c index 9f445c02df9..26ebc9cc6b0 100644 --- a/sql-common/client.c +++ b/sql-common/client.c @@ -1608,14 +1608,14 @@ static int ssl_verify_server_cert(Vio *vio, const char* server_hostname) X509_free (server_cert); DBUG_PRINT("info", ("hostname in cert: %s", buf)); - cp1 = strstr(buf, "/CN="); + cp1= strstr(buf, "/CN="); if (cp1) { - cp1 += 4; // Skip the "/CN=" that we found - // Search for next / which might be the delimiter for email - cp2 = strchr(cp1, '/'); + cp1+= 4; /* Skip the "/CN=" that we found */ + /* Search for next / which might be the delimiter for email */ + cp2= strchr(cp1, '/'); if (cp2) - *cp2 = '\0'; + *cp2= '\0'; DBUG_PRINT("info", ("Server hostname in cert: %s", cp1)); if (!strcmp(cp1, server_hostname)) { -- cgit v1.2.1 From 0e192fb47c51411bec2c767bc1c2a6a9b3b272be Mon Sep 17 00:00:00 2001 
From: unknown Date: Wed, 3 May 2006 17:55:30 +0200 Subject: Use "const char*" for variable found, forte complains "Cannot use const char* to initialize char*" otherwise --- extra/yassl/src/ssl.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/extra/yassl/src/ssl.cpp b/extra/yassl/src/ssl.cpp index 97e0e9a1717..e80df5a5e48 100644 --- a/extra/yassl/src/ssl.cpp +++ b/extra/yassl/src/ssl.cpp @@ -1080,7 +1080,7 @@ int X509_NAME_get_index_by_NID(X509_NAME* name,int nid, int lastpos) switch (nid) { case NID_commonName: - char* found = strstr(start, "/CN="); + const char* found = strstr(start, "/CN="); if (found) { found += 4; // advance to str idx = found - start + lastpos + 1; -- cgit v1.2.1 From 643708afe4a7efbcd2fba63d0c007645237ddd1e Mon Sep 17 00:00:00 2001 From: unknown Date: Wed, 3 May 2006 20:04:57 +0200 Subject: Check if "../libtool" is available and use it only when it is. --- mysql-test/mysql-test-run.pl | 31 +++++++++++++++++++------------ 1 file changed, 19 insertions(+), 12 deletions(-) diff --git a/mysql-test/mysql-test-run.pl b/mysql-test/mysql-test-run.pl index 08b9ade72a1..78a665d4f00 100755 --- a/mysql-test/mysql-test-run.pl +++ b/mysql-test/mysql-test-run.pl @@ -134,7 +134,6 @@ our $glob_win32= 0; # OS and native Win32 executables our $glob_win32_perl= 0; # ActiveState Win32 Perl our $glob_cygwin_perl= 0; # Cygwin Perl our $glob_cygwin_shell= undef; -our $glob_use_libtool= 1; our $glob_mysql_test_dir= undef; our $glob_mysql_bench_dir= undef; our $glob_hostname= undef; @@ -444,13 +443,6 @@ sub initial_setup () { $glob_cygwin_perl= ($^O eq "cygwin"); $glob_win32= ($glob_win32_perl or $glob_cygwin_perl); - # Use libtool on all platforms except windows - if ( $glob_win32 ) - { - $glob_use_libtool= 0; - } - $exe_libtool= "../libtool"; - # We require that we are in the "mysql-test" directory # to run mysql-test-run 
@@ -1001,6 +993,21 @@ sub snapshot_setup () { sub executable_setup () { + # + # Check if libtool is available in this distribution/clone + # we need it when valgrinding or debugging non installed binary + # Otherwise valgrind will valgrind the libtool wrapper or bash + # and gdb will not find the real executable to debug + # + if ( -x "../libtool") + { + $exe_libtool= "../libtool"; + if ($opt_valgrind or $glob_debugger) + { + mtr_report("Using \"$exe_libtool\" when running valgrind or debugger"); + } + } + if ( $opt_source_dist ) { if ( $glob_win32 ) @@ -2626,7 +2633,7 @@ sub mysqld_start ($$$$$) { $exe= undef; } - if ($glob_use_libtool and $opt_valgrind) + if ($exe_libtool and $opt_valgrind) { # Add "libtool --mode-execute" # if running in valgrind(to avoid valgrinding bash) @@ -3132,7 +3139,7 @@ sub run_mysqltest ($) { debugger_arguments(\$args, \$exe, "client"); } - if ($glob_use_libtool and $opt_valgrind) + if ($exe_libtool and $opt_valgrind) { # Add "libtool --mode-execute" before the test to execute # if running in valgrind(to avoid valgrinding bash) @@ -3207,7 +3214,7 @@ sub gdb_arguments { mtr_add_arg($$args, "$type"); mtr_add_arg($$args, "-e"); - if ( $glob_use_libtool ) + if ( $exe_libtool ) { mtr_add_arg($$args, $exe_libtool); mtr_add_arg($$args, "--mode=execute"); @@ -3270,7 +3277,7 @@ sub ddd_arguments { my $save_exe= $$exe; $$args= []; - if ( $glob_use_libtool ) + if ( $exe_libtool ) { $$exe= $exe_libtool; mtr_add_arg($$args, "--mode=execute"); -- cgit v1.2.1 From 27acdd7ae6107e4acadf824c7c473ba91bb9c164 Mon Sep 17 00:00:00 2001 From: unknown Date: Thu, 4 May 2006 10:28:49 +0200 Subject: Put the "test_running_as_root.txt" file in the vardir to avoid that two mysql-test-run's running in parallel uses the same file --- mysql-test/mysql-test-run.pl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mysql-test/mysql-test-run.pl b/mysql-test/mysql-test-run.pl index 78a665d4f00..f3060b8f19f 100755 --- a/mysql-test/mysql-test-run.pl 
+++ b/mysql-test/mysql-test-run.pl @@ -1344,7 +1344,7 @@ sub kill_and_cleanup () { sub check_running_as_root () { # Check if running as root # i.e a file can be read regardless what mode we set it to - my $test_file= "test_running_as_root.txt"; + my $test_file= "$opt_vardir/test_running_as_root.txt"; mtr_tofile($test_file, "MySQL"); chmod(oct("0000"), $test_file); -- cgit v1.2.1 From 7a02710197e4271108492367890a6d216a7ac39a Mon Sep 17 00:00:00 2001 From: unknown Date: Thu, 4 May 2006 10:30:08 +0200 Subject: Fix warnings vio/viossl.c: Remove warnings about unused variables vio/viosslfactories.c: Remove warning about wrong cast --- vio/viossl.c | 60 ++++++++++++++++++++++++++------------------------- vio/viosslfactories.c | 2 +- 2 files changed, 32 insertions(+), 30 deletions(-) diff --git a/vio/viossl.c b/vio/viossl.c index 38654f05521..e869493c604 100644 --- a/vio/viossl.c +++ b/vio/viossl.c @@ -56,8 +56,10 @@ report_errors(SSL* ssl) unsigned long l; const char *file; const char *data; - int line,flags; + int line, flags; +#ifndef DBUG_OFF char buf[512]; +#endif DBUG_ENTER("report_errors"); @@ -67,15 +69,11 @@ report_errors(SSL* ssl) file,line,(flags&ERR_TXT_STRING)?data:"")) ; } -#ifdef HAVE_YASSL - /* - The above calls to ERR_* doesn't return any messages when we - are using yaSSL since error is stored in the SSL object we used. - */ if (ssl) - DBUG_PRINT("error", ("yaSSL: %s", ERR_error_string(SSL_get_error(ssl, l), buf))); -#endif - DBUG_PRINT("info", ("errno: %d", socket_errno)); + DBUG_PRINT("error", ("error: %s", + ERR_error_string(SSL_get_error(ssl, l), buf))); + + DBUG_PRINT("info", ("socket_errno: %d", socket_errno)); DBUG_VOID_RETURN; } 
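Review bot: `ERR_error_string(SSL_get_error(ssl, l), buf)` on the new error line in report_errors passes the wrong value: SSL_get_error() expects the return code of the failed SSL_read/SSL_write/SSL_do_handshake call, whereas `l` is the last code obtained from the `ERR_get_error_line_data` loop, which is 0 once that loop has drained the queue. For OpenSSL the printed text is therefore not the error that actually occurred; the removed version was guarded by HAVE_YASSL, presumably because only yaSSL's SSL_get_error tolerates this, and dropping the guard extends the misleading output to OpenSSL builds. Consider printing `ERR_error_string(l, buf)` inside the loop while `l` still holds a real code, or passing the failing call's return value into report_errors. report_errors begins before this hunk.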
@@ -87,12 +85,11 @@ int vio_ssl_read(Vio *vio, gptr buf, int size) DBUG_PRINT("enter", ("sd: %d, buf: 0x%p, size: %d, ssl_: 0x%p", vio->sd, buf, size, vio->ssl_arg)); - if ((r= SSL_read((SSL*) vio->ssl_arg, buf, size)) < 0) - { - int err= SSL_get_error((SSL*) vio->ssl_arg, r); - DBUG_PRINT("error",("SSL_read(): %d SSL_get_error(): %d", r, err)); + r= SSL_read((SSL*) vio->ssl_arg, buf, size); +#ifndef DBUG_OFF + if (r < 0) report_errors((SSL*) vio->ssl_arg); - } +#endif DBUG_PRINT("exit", ("%d", r)); DBUG_RETURN(r); } @@ -104,8 +101,11 @@ int vio_ssl_write(Vio *vio, const gptr buf, int size) DBUG_ENTER("vio_ssl_write"); DBUG_PRINT("enter", ("sd: %d, buf: 0x%p, size: %d", vio->sd, buf, size)); - if ((r= SSL_write((SSL*) vio->ssl_arg, buf, size)) < 0) + r= SSL_write((SSL*) vio->ssl_arg, buf, size); +#ifndef DBUG_OFF + if (r < 0) report_errors((SSL*) vio->ssl_arg); +#endif DBUG_PRINT("exit", ("%d", r)); DBUG_RETURN(r); } @@ -142,7 +142,6 @@ int vio_ssl_close(Vio *vio) int sslaccept(struct st_VioSSLFd *ptr, Vio *vio, long timeout) { SSL *ssl; - X509 *client_cert; my_bool unused; my_bool net_blocking; enum enum_vio_type old_type; @@ -183,6 +182,7 @@ int sslaccept(struct st_VioSSLFd *ptr, Vio *vio, long timeout) #ifndef DBUG_OFF { char buf[1024]; + X509 *client_cert; DBUG_PRINT("info",("cipher_name= '%s'", SSL_get_cipher_name(ssl))); if ((client_cert= SSL_get_peer_certificate (ssl))) @@ -217,7 +217,6 @@ int sslaccept(struct st_VioSSLFd *ptr, Vio *vio, long timeout) int sslconnect(struct st_VioSSLFd *ptr, Vio *vio, long timeout) { SSL *ssl; - X509 *server_cert; my_bool unused; my_bool net_blocking; enum enum_vio_type old_type; 
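Review bot: Wrapping the `report_errors()` call in `#ifndef DBUG_OFF` in vio_ssl_read, and identically in vio_ssl_write in the next hunk, makes error-queue handling differ between debug and release builds: report_errors drains the OpenSSL error queue through ERR_get_error_line_data, so a release build now leaves entries on the thread's queue after a failed read or write, and a later SSL_get_error() on the same thread can classify an unrelated call as SSL_ERROR_SSL. The removed code also logged `SSL_get_error(ssl, r)`, which is the correct way to distinguish WANT_READ/WANT_WRITE from a real failure, and that classification is lost. Suggest calling `ERR_clear_error()` (or report_errors itself) unconditionally on the `r < 0` path in both functions, independent of DBUG_OFF, and keeping `SSL_get_error(ssl, r)` in the debug print.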
@@ -255,20 +254,23 @@ int sslconnect(struct st_VioSSLFd *ptr, Vio *vio, long timeout) DBUG_RETURN(1); } #ifndef DBUG_OFF - DBUG_PRINT("info",("cipher_name: '%s'" , SSL_get_cipher_name(ssl))); - - if ((server_cert= SSL_get_peer_certificate (ssl))) { - char buf[256]; - DBUG_PRINT("info",("Server certificate:")); - X509_NAME_oneline(X509_get_subject_name(server_cert), buf, sizeof(buf)); - DBUG_PRINT("info",("\t subject: %s", buf)); - X509_NAME_oneline (X509_get_issuer_name(server_cert), buf, sizeof(buf)); - DBUG_PRINT("info",("\t issuer: %s", buf)); - X509_free (server_cert); + X509 *server_cert; + DBUG_PRINT("info",("cipher_name: '%s'" , SSL_get_cipher_name(ssl))); + + if ((server_cert= SSL_get_peer_certificate (ssl))) + { + char buf[256]; + DBUG_PRINT("info",("Server certificate:")); + X509_NAME_oneline(X509_get_subject_name(server_cert), buf, sizeof(buf)); + DBUG_PRINT("info",("\t subject: %s", buf)); + X509_NAME_oneline (X509_get_issuer_name(server_cert), buf, sizeof(buf)); + DBUG_PRINT("info",("\t issuer: %s", buf)); + X509_free (server_cert); + } + else + DBUG_PRINT("info",("Server does not have certificate.")); } - else - DBUG_PRINT("info",("Server does not have certificate.")); #endif DBUG_RETURN(0); diff --git a/vio/viosslfactories.c b/vio/viosslfactories.c index f1d2b077367..058a19dfa0c 100644 --- a/vio/viosslfactories.c +++ b/vio/viosslfactories.c @@ -339,7 +339,7 @@ new_VioSSLAcceptorFd(const char *key_file, const char *cert_file, Use the ssl_fd pointer */ SSL_CTX_set_session_id_context(ssl_fd->ssl_context, - ssl_fd, + (const unsigned char *)ssl_fd, sizeof(ssl_fd)); return ssl_fd; -- cgit v1.2.1 From 7efb003f06bbe028da4fc7305ad14e4df356d717 Mon Sep 17 00:00:00 2001 From: unknown Date: Thu, 4 May 2006 17:44:09 +0200 Subject: Move "check_running_as_root" to after var directory has been created --- mysql-test/mysql-test-run.pl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/mysql-test/mysql-test-run.pl b/mysql-test/mysql-test-run.pl index f3060b8f19f..90155aee9d9 100755 --- a/mysql-test/mysql-test-run.pl +++ b/mysql-test/mysql-test-run.pl @@ -376,7 +376,6 @@ sub main () { check_ndbcluster_support(); # We check whether to actually use it later check_ssl_support(); - check_running_as_root(); environment_setup(); signal_setup(); @@ -1661,6 +1660,7 @@ sub initialize_servers () { save_installed_db(); } } + check_running_as_root(); } } -- cgit v1.2.1 From dd1eeaed8ce1f9e642f9e8c1df42618f1829e798 Mon Sep 17 00:00:00 2001 From: unknown Date: Thu, 4 May 2006 17:47:25 +0200 Subject: Bug#18474 Unlistable directories yield no info from information_schema, part2 - Move "chmod" part of information_schema test to separate file mysql-test/r/information_schema.result: Move "chmod" part of information_schema test to separate file mysql-test/t/information_schema.test: Move "chmod" part of information_schema test to separate file mysql-test/r/information_schema_chmod.result: Move "chmod" part of information_schema test to separate file mysql-test/t/information_schema_chmod.test: Move "chmod" part of information_schema test to separate file --- mysql-test/r/information_schema.result | 5 ----- mysql-test/r/information_schema_chmod.result | 5 +++++ mysql-test/t/information_schema.test | 9 --------- mysql-test/t/information_schema_chmod.test | 20 ++++++++++++++++++++ 4 files changed, 25 insertions(+), 14 deletions(-) create mode 100644 mysql-test/r/information_schema_chmod.result create mode 100644 mysql-test/t/information_schema_chmod.test diff --git a/mysql-test/r/information_schema.result b/mysql-test/r/information_schema.result index d5fb046d319..5224971890a 100644 --- a/mysql-test/r/information_schema.result +++ b/mysql-test/r/information_schema.result 
@@ -1083,11 +1083,6 @@ DROP TABLE t1; DROP VIEW v1; DROP FUNCTION func1; DROP FUNCTION func2; -create database mysqltest; -create table mysqltest.t1(a int); -select table_schema from information_schema.tables where table_schema='mysqltest'; -table_schema -drop database mysqltest; select column_type, group_concat(table_schema, '.', table_name), count(*) as num from information_schema.columns where table_schema='information_schema' and diff --git a/mysql-test/r/information_schema_chmod.result b/mysql-test/r/information_schema_chmod.result new file mode 100644 index 00000000000..36124559439 --- /dev/null +++ b/mysql-test/r/information_schema_chmod.result @@ -0,0 +1,5 @@ +create database mysqltest; +create table mysqltest.t1(a int); +select table_schema from information_schema.tables where table_schema='mysqltest'; +table_schema +drop database mysqltest; diff --git a/mysql-test/t/information_schema.test b/mysql-test/t/information_schema.test index 90b0fd95eee..11178adbc9b 100644 --- a/mysql-test/t/information_schema.test +++ b/mysql-test/t/information_schema.test @@ -793,15 +793,6 @@ DROP VIEW v1; DROP FUNCTION func1; DROP FUNCTION func2; -# -# Bug #15851 Unlistable directories yield no info from information_schema -# -create database mysqltest; -create table mysqltest.t1(a int); ---exec chmod -r $MYSQLTEST_VARDIR/master-data/mysqltest -select table_schema from information_schema.tables where table_schema='mysqltest'; ---exec chmod +r $MYSQLTEST_VARDIR/master-data/mysqltest -drop database mysqltest; # # Bug#15307 GROUP_CONCAT() with ORDER BY returns empty set on information_schema diff --git a/mysql-test/t/information_schema_chmod.test b/mysql-test/t/information_schema_chmod.test new file mode 100644 index 00000000000..fb850b8e38d --- /dev/null +++ b/mysql-test/t/information_schema_chmod.test 
@@ -0,0 +1,20 @@ +# +# Due to "Bug#18474 Unlistable directories yield no info from +# information_schema, part2" this test can't be run on Window with our +# current test framework. When "chmod -r" is done within cygwin the +# MySQL Server can still read the directory. +# Manual testing shows the functionalty to skip unlistable directories +# works on windows +# +--source include/not_windows.inc + + +# +# Bug #15851 Unlistable directories yield no info from information_schema +# +create database mysqltest; +create table mysqltest.t1(a int); +--exec chmod -r $MYSQLTEST_VARDIR/master-data/mysqltest +select table_schema from information_schema.tables where table_schema='mysqltest'; +--exec chmod +r $MYSQLTEST_VARDIR/master-data/mysqltest +drop database mysqltest; -- cgit v1.2.1 From 184bd0c4dd3a5f1e04f1ea3786918bbcfa0b1a18 Mon Sep 17 00:00:00 2001 
From: unknown Date: Fri, 5 May 2006 10:33:04 +0200 Subject: Import from yaSSL extra/yassl/examples/client/client.cpp: Import patch yassl.diff extra/yassl/examples/echoclient/echoclient.cpp: Import patch yassl.diff extra/yassl/examples/echoserver/echoserver.cpp: Import patch yassl.diff extra/yassl/examples/server/server.cpp: Import patch yassl.diff extra/yassl/include/openssl/ssl.h: Import patch yassl.diff extra/yassl/include/yassl_types.hpp: Import patch yassl.diff extra/yassl/src/make.bat: Import patch yassl.diff extra/yassl/src/ssl.cpp: Import patch yassl.diff extra/yassl/src/yassl_imp.cpp: Import patch yassl.diff extra/yassl/src/yassl_int.cpp: Import patch yassl.diff extra/yassl/taocrypt/benchmark/make.bat: Import patch yassl.diff extra/yassl/taocrypt/src/make.bat: Import patch yassl.diff extra/yassl/taocrypt/test/make.bat: Import patch yassl.diff extra/yassl/testsuite/make.bat: Import patch yassl.diff extra/yassl/testsuite/testsuite.cpp: Import patch yassl.diff --- extra/yassl/examples/client/client.cpp | 2 + extra/yassl/examples/echoclient/echoclient.cpp | 1 + extra/yassl/examples/echoserver/echoserver.cpp | 2 + extra/yassl/examples/server/server.cpp | 2 + extra/yassl/include/openssl/ssl.h | 6 ++ extra/yassl/include/yassl_types.hpp | 4 -- extra/yassl/src/make.bat | 2 +- extra/yassl/src/ssl.cpp | 94 ++++++++++++++------------ extra/yassl/src/yassl_imp.cpp | 4 +- extra/yassl/src/yassl_int.cpp | 2 +- extra/yassl/taocrypt/benchmark/make.bat | 5 +- extra/yassl/taocrypt/src/make.bat | 1 - extra/yassl/taocrypt/test/make.bat | 2 +- extra/yassl/testsuite/make.bat | 2 +- extra/yassl/testsuite/testsuite.cpp | 1 + 15 files changed, 72 insertions(+), 58 deletions(-) diff --git a/extra/yassl/examples/client/client.cpp b/extra/yassl/examples/client/client.cpp index 3acd091baad..94bf753210b 100644 --- a/extra/yassl/examples/client/client.cpp +++ b/extra/yassl/examples/client/client.cpp 
@@ -89,6 +89,8 @@ void client_test(void* args) args.argv = argv; client_test(&args); + yaSSL_CleanUp(); + return args.return_code; } diff --git a/extra/yassl/examples/echoclient/echoclient.cpp b/extra/yassl/examples/echoclient/echoclient.cpp index ca557cca8af..fd3f7dd48a3 100644 --- a/extra/yassl/examples/echoclient/echoclient.cpp +++ b/extra/yassl/examples/echoclient/echoclient.cpp @@ -82,6 +82,7 @@ void echoclient_test(void* args) args.argv = argv; echoclient_test(&args); + yaSSL_CleanUp(); return args.return_code; } diff --git a/extra/yassl/examples/echoserver/echoserver.cpp b/extra/yassl/examples/echoserver/echoserver.cpp index 14a37a7e175..3243cc21a7c 100644 --- a/extra/yassl/examples/echoserver/echoserver.cpp +++ b/extra/yassl/examples/echoserver/echoserver.cpp @@ -15,6 +15,8 @@ args.argv = argv; echoserver_test(&args); + yaSSL_CleanUp(); + return args.return_code; } diff --git a/extra/yassl/examples/server/server.cpp b/extra/yassl/examples/server/server.cpp index 4d3f121cf2c..73cff19e371 100644 --- a/extra/yassl/examples/server/server.cpp +++ b/extra/yassl/examples/server/server.cpp @@ -67,6 +67,8 @@ THREAD_RETURN YASSL_API server_test(void* args) args.argv = argv; server_test(&args); + yaSSL_CleanUp(); + return args.return_code; } diff --git a/extra/yassl/include/openssl/ssl.h b/extra/yassl/include/openssl/ssl.h index 03a0cfad15b..08075a8df5b 100644 --- a/extra/yassl/include/openssl/ssl.h +++ b/extra/yassl/include/openssl/ssl.h @@ -32,6 +32,12 @@ #include "opensslv.h" /* for version number */ #include "rsa.h" + +extern "C" void yaSSL_CleanUp(); /* call once at end of application use to + free static singleton memory holders, + not a leak per se, but helpful when + looking for them */ + #if defined(__cplusplus) && !defined(YASSL_MYSQL_COMPATIBLE) namespace yaSSL { extern "C" { diff --git a/extra/yassl/include/yassl_types.hpp b/extra/yassl/include/yassl_types.hpp index bfb6467182b..76c807cd05f 100644 --- a/extra/yassl/include/yassl_types.hpp 
+++ b/extra/yassl/include/yassl_types.hpp @@ -35,10 +35,6 @@ namespace yaSSL { -// Delete static singleton memory holders -void CleanUp(); - - #ifdef YASSL_PURE_C // library allocation diff --git a/extra/yassl/src/make.bat b/extra/yassl/src/make.bat index 4c79a9c6406..148427a6f41 100644 --- a/extra/yassl/src/make.bat +++ b/extra/yassl/src/make.bat @@ -1,4 +1,4 @@ -# quick and dirty build file for testing different MSDEVs +REM quick and dirty build file for testing different MSDEVs setlocal set myFLAGS= /I../include /I../mySTL /I../taocrypt/include /W3 /c /ZI diff --git a/extra/yassl/src/ssl.cpp b/extra/yassl/src/ssl.cpp index 97e0e9a1717..66196514a87 100644 --- a/extra/yassl/src/ssl.cpp +++ b/extra/yassl/src/ssl.cpp @@ -53,6 +53,53 @@ namespace yaSSL { using mySTL::min; +int read_file(SSL_CTX* ctx, const char* file, int format, CertType type) +{ + if (format != SSL_FILETYPE_ASN1 && format != SSL_FILETYPE_PEM) + return SSL_BAD_FILETYPE; + + FILE* input = fopen(file, "rb"); + if (!input) + return SSL_BAD_FILE; + + if (type == CA) { + x509* ptr = PemToDer(file, Cert); + if (!ptr) { + fclose(input); + return SSL_BAD_FILE; + } + ctx->AddCA(ptr); // takes ownership + } + else { + x509*& x = (type == Cert) ? ctx->certificate_ : ctx->privateKey_; + + if (format == SSL_FILETYPE_ASN1) { + fseek(input, 0, SEEK_END); + long sz = ftell(input); + rewind(input); + x = NEW_YS x509(sz); // takes ownership + size_t bytes = fread(x->use_buffer(), sz, 1, input); + if (bytes != 1) { + fclose(input); + return SSL_BAD_FILE; + } + } + else { + x = PemToDer(file, type); + if (!x) { + fclose(input); + return SSL_BAD_FILE; + } + } + } + fclose(input); + return SSL_SUCCESS; +} + + +extern "C" { + + SSL_METHOD* SSLv3_method() { return SSLv3_client_method(); 
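Review bot: In read_file, moved here into the `extern "C"` block, the ASN1 branch uses `long sz = ftell(input);` without checking for -1, so a failed ftell becomes a negative x509 size and, after conversion, an enormous `fread` length; add `if (sz < 0) { fclose(input); return SSL_BAD_FILE; }` before `rewind(input)`. Because `x` is a reference to `ctx->certificate_` or `ctx->privateKey_`, the `NEW_YS x509(sz)` object is attached to the context before `fread` is validated, so a short or failed read returns SSL_BAD_FILE while the context keeps a partially filled certificate or key; allocate into a local and assign it to `x` only after the read succeeds. Whether callers treat a non-SSL_SUCCESS return as fatal is outside this hunk.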
@@ -449,50 +496,6 @@ long SSL_CTX_set_tmp_dh(SSL_CTX* ctx, DH* dh) } -int read_file(SSL_CTX* ctx, const char* file, int format, CertType type) -{ - if (format != SSL_FILETYPE_ASN1 && format != SSL_FILETYPE_PEM) - return SSL_BAD_FILETYPE; - - FILE* input = fopen(file, "rb"); - if (!input) - return SSL_BAD_FILE; - - if (type == CA) { - x509* ptr = PemToDer(file, Cert); - if (!ptr) { - fclose(input); - return SSL_BAD_FILE; - } - ctx->AddCA(ptr); // takes ownership - } - else { - x509*& x = (type == Cert) ? ctx->certificate_ : ctx->privateKey_; - - if (format == SSL_FILETYPE_ASN1) { - fseek(input, 0, SEEK_END); - long sz = ftell(input); - rewind(input); - x = NEW_YS x509(sz); // takes ownership - size_t bytes = fread(x->use_buffer(), sz, 1, input); - if (bytes != 1) { - fclose(input); - return SSL_BAD_FILE; - } - } - else { - x = PemToDer(file, type); - if (!x) { - fclose(input); - return SSL_BAD_FILE; - } - } - } - fclose(input); - return SSL_SUCCESS; -} - - int SSL_CTX_use_certificate_file(SSL_CTX* ctx, const char* file, int format) { return read_file(ctx, file, format, Cert); @@ -1080,7 +1083,7 @@ int X509_NAME_get_index_by_NID(X509_NAME* name,int nid, int lastpos) switch (nid) { case NID_commonName: - char* found = strstr(start, "/CN="); + const char* found = strstr(start, "/CN="); if (found) { found += 4; // advance to str idx = found - start + lastpos + 1; @@ -1401,4 +1404,5 @@ void MD5_Final(unsigned char* hash, MD5_CTX* md5) // end stunnel needs +} // extern "C" } // namespace diff --git a/extra/yassl/src/yassl_imp.cpp b/extra/yassl/src/yassl_imp.cpp index 1d2d5396ea0..4d6d1fc7aff 100644 --- a/extra/yassl/src/yassl_imp.cpp +++ b/extra/yassl/src/yassl_imp.cpp 
@@ -1975,7 +1975,9 @@ Connection::Connection(ProtocolVersion v, RandomPool& ran) : pre_master_secret_(0), sequence_number_(0), peer_sequence_number_(0), pre_secret_len_(0), send_server_key_(false), master_clean_(false), TLS_(v.major_ >= 3 && v.minor_ >= 1), version_(v), random_(ran) -{} +{ + memset(sessionID_, 0, sizeof(sessionID_)); +} Connection::~Connection() diff --git a/extra/yassl/src/yassl_int.cpp b/extra/yassl/src/yassl_int.cpp index 2847217b417..f7fb1abfa3f 100644 --- a/extra/yassl/src/yassl_int.cpp +++ b/extra/yassl/src/yassl_int.cpp @@ -1415,7 +1415,7 @@ BulkCipher* CryptProvider::NewDesEde() } -void CleanUp() +extern "C" void yaSSL_CleanUp() { TaoCrypt::CleanUp(); ysDelete(cryptProviderInstance); diff --git a/extra/yassl/taocrypt/benchmark/make.bat b/extra/yassl/taocrypt/benchmark/make.bat index 63391578cfa..4ebe4b32417 100644 --- a/extra/yassl/taocrypt/benchmark/make.bat +++ b/extra/yassl/taocrypt/benchmark/make.bat @@ -1,10 +1,9 @@ -# quick and dirty build file for testing different MSDEVs +REM quick and dirty build file for testing different MSDEVs setlocal set myFLAGS= /I../include /I../../mySTL /c /W3 /G6 /O2 -#set myFLAGS= /I../include /I../../mySTL /c /W3 cl %myFLAGS% benchmark.cpp -link.exe /out:benchmark.exe ../src/taocrypt.lib benchmark.obj +link.exe /out:benchmark.exe ../src/taocrypt.lib benchmark.obj advapi32.lib diff --git a/extra/yassl/taocrypt/src/make.bat b/extra/yassl/taocrypt/src/make.bat index 3acd50fc875..ecf7e8f8469 100644 --- a/extra/yassl/taocrypt/src/make.bat +++ b/extra/yassl/taocrypt/src/make.bat @@ -2,7 +2,6 @@ REM quick and dirty build file for testing different MSDEVs setlocal set myFLAGS= /I../include /I../../mySTL /c /W3 /G6 /O2 -#set myFLAGS= /I../include /I../../mySTL /c /W3 /O1 cl %myFLAGS% aes.cpp cl %myFLAGS% aestables.cpp diff --git a/extra/yassl/taocrypt/test/make.bat b/extra/yassl/taocrypt/test/make.bat index e1a4cbce7cd..5f01db68d0d 100644 --- a/extra/yassl/taocrypt/test/make.bat 
+++ b/extra/yassl/taocrypt/test/make.bat @@ -1,4 +1,4 @@ -# quick and dirty build file for testing different MSDEVs +REM quick and dirty build file for testing different MSDEVs setlocal set myFLAGS= /I../include /I../../mySTL /c /W3 /G6 /O2 diff --git a/extra/yassl/testsuite/make.bat b/extra/yassl/testsuite/make.bat index d8a55b0d3af..1bc7ce0513d 100644 --- a/extra/yassl/testsuite/make.bat +++ b/extra/yassl/testsuite/make.bat @@ -1,4 +1,4 @@ -# quick and dirty build file for testing different MSDEVs +REM quick and dirty build file for testing different MSDEVs setlocal set myFLAGS= /I../include /I../taocrypt/include /I../mySTL /c /W3 /G6 /O2 /MT /D"WIN32" /D"NO_MAIN_DRIVER" diff --git a/extra/yassl/testsuite/testsuite.cpp b/extra/yassl/testsuite/testsuite.cpp index f8bbf698c70..1cf6a78ebe7 100644 --- a/extra/yassl/testsuite/testsuite.cpp +++ b/extra/yassl/testsuite/testsuite.cpp @@ -91,6 +91,7 @@ int main(int argc, char** argv) assert(memcmp(input, output, sizeof(input)) == 0); printf("\nAll tests passed!\n"); + yaSSL_CleanUp(); return 0; } -- cgit v1.2.1 From 0fff03fbcc301dfaef84830be56697d1d6661cf8 Mon Sep 17 00:00:00 2001 From: unknown Date: Fri, 5 May 2006 10:35:12 +0200 Subject: Import from yaSSL extra/yassl/include/openssl/ssl.h: Import patch yassl.diff extra/yassl/testsuite/test.hpp: Import patch yassl.diff --- extra/yassl/include/openssl/ssl.h | 9 ++++++++- extra/yassl/testsuite/test.hpp | 2 +- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/extra/yassl/include/openssl/ssl.h b/extra/yassl/include/openssl/ssl.h index 08075a8df5b..a7eca9138a2 100644 --- a/extra/yassl/include/openssl/ssl.h +++ b/extra/yassl/include/openssl/ssl.h 
@@ -32,12 +32,19 @@ #include "opensslv.h" /* for version number */ #include "rsa.h" +#if defined(__cplusplus) +extern "C" { +#endif -extern "C" void yaSSL_CleanUp(); /* call once at end of application use to + void yaSSL_CleanUp(); /* call once at end of application use to free static singleton memory holders, not a leak per se, but helpful when looking for them */ +#if defined(__cplusplus) +} // extern +#endif + #if defined(__cplusplus) && !defined(YASSL_MYSQL_COMPATIBLE) namespace yaSSL { extern "C" { diff --git a/extra/yassl/testsuite/test.hpp b/extra/yassl/testsuite/test.hpp index 7fe8656f6d2..259975fba0b 100644 --- a/extra/yassl/testsuite/test.hpp +++ b/extra/yassl/testsuite/test.hpp @@ -27,7 +27,7 @@ #endif /* _WIN32 */ -#if defined(__MACH__) || defined(_WIN32) +#if !defined(_SOCKLEN_T) && (defined(__MACH__) || defined(_WIN32)) typedef int socklen_t; #endif -- cgit v1.2.1 From 808df3bd61a343cb6b585dd399ffedca458cfcbe Mon Sep 17 00:00:00 2001 From: unknown Date: Mon, 8 May 2006 17:14:06 +0200 Subject: Remove valgrind and compiler warnings Add function 'vio_end' that will cleanup resources allocated by vio and the components it uses. include/violite.h: Import patch warnings.patch libmysql/libmysql.c: Import patch warnings.patch sql/mysqld.cc: Import patch warnings.patch vio/test-ssl.c: Import patch warnings.patch vio/test-sslclient.c: Import patch warnings.patch vio/test-sslserver.c: Import patch warnings.patch vio/vio.c: Import patch warnings.patch vio/viosslfactories.c: Import patch warnings.patch --- include/violite.h | 4 ++++ libmysql/libmysql.c | 1 + sql/mysqld.cc | 2 ++ vio/test-ssl.c | 4 ++-- vio/test-sslclient.c | 2 +- vio/test-sslserver.c | 4 ++-- vio/vio.c | 13 +++++++++++++ vio/viosslfactories.c | 2 +- 8 files changed, 26 insertions(+), 6 deletions(-) diff --git a/include/violite.h b/include/violite.h index b2a5f1640a5..fd870177c68 100644 --- a/include/violite.h +++ b/include/violite.h 
@@ -129,6 +129,8 @@ int vio_write_shared_memory(Vio *vio, const gptr buf, int size); int vio_close_shared_memory(Vio * vio); #endif +void vio_end(void); + #ifdef __cplusplus } #endif @@ -193,7 +195,9 @@ struct st_vio my_bool (*was_interrupted)(Vio*); int (*vioclose)(Vio*); void (*timeout)(Vio*, unsigned int which, unsigned int timeout); +#ifdef HAVE_OPENSSL void *ssl_arg; +#endif #ifdef HAVE_SMEM HANDLE handle_file_map; char *handle_map; diff --git a/libmysql/libmysql.c b/libmysql/libmysql.c index bfec476fde3..7713fd8dd4d 100644 --- a/libmysql/libmysql.c +++ b/libmysql/libmysql.c @@ -188,6 +188,7 @@ void STDCALL mysql_server_end() mysql_thread_end(); finish_client_errs(); free_charsets(); + vio_end(); mysql_client_init= org_my_init_done= 0; #ifdef EMBEDDED_SERVER if (stderror_file) diff --git a/sql/mysqld.cc b/sql/mysqld.cc index 49efc24d15c..ef2f52a33df 100644 --- a/sql/mysqld.cc +++ b/sql/mysqld.cc @@ -1136,6 +1136,8 @@ void clean_up(bool print_message) my_free((gptr) ssl_acceptor_fd, MYF(0)); } #endif /* HAVE_OPENSSL */ + vio_end(); + #ifdef USE_REGEX my_regex_end(); #endif diff --git a/vio/test-ssl.c b/vio/test-ssl.c index a94eb1a21ff..f8172426e38 100644 --- a/vio/test-ssl.c +++ b/vio/test-ssl.c @@ -57,8 +57,8 @@ main(int argc, char** argv) char* cipher=0; int child_pid,sv[2]; my_bool unused; - struct st_VioSSLAcceptorFd* ssl_acceptor=0; - struct st_VioSSLConnectorFd* ssl_connector=0; + struct st_VioSSLFd* ssl_acceptor= 0; + struct st_VioSSLFd* ssl_connector= 0; Vio* client_vio=0, *server_vio=0; MY_INIT(argv[0]); DBUG_PROCESS(argv[0]); diff --git a/vio/test-sslclient.c b/vio/test-sslclient.c index 3811ba0fb6a..49d6768c884 100644 --- a/vio/test-sslclient.c +++ b/vio/test-sslclient.c 
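Review bot: Making `void *ssl_arg` in struct st_vio conditional on HAVE_OPENSSL (the -193 hunk) changes the size and field offsets of a struct declared in the public violite.h, so code compiled with a different HAVE_OPENSSL setting than the library would disagree about the layout of every Vio, including the `handle_file_map` fields that follow under HAVE_SMEM. If the goal is only to silence an unused-field warning, keeping the field unconditional with a comment such as `/* Only set when SSL is in use; kept unconditionally for a stable layout */` is the safer fix. Whether st_vio is part of the installed client ABI is not visible here, so please confirm before keeping the #ifdef.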
@@ -46,7 +46,7 @@ main( int argc __attribute__((unused)), { char client_key[] = "../SSL/client-key.pem", client_cert[] = "../SSL/client-cert.pem"; char ca_file[] = "../SSL/cacert.pem", *ca_path = 0, *cipher=0; - struct st_VioSSLConnectorFd* ssl_connector=0; + struct st_VioSSLFd* ssl_connector= 0; struct sockaddr_in sa; Vio* client_vio=0; int err; diff --git a/vio/test-sslserver.c b/vio/test-sslserver.c index e4d32a75264..daec3a6e6f9 100644 --- a/vio/test-sslserver.c +++ b/vio/test-sslserver.c @@ -44,7 +44,7 @@ fatal_error( const char* r) typedef struct { int sd; - struct st_VioSSLAcceptorFd* ssl_acceptor; + struct st_VioSSLFd* ssl_acceptor; } TH_ARGS; static void @@ -82,7 +82,7 @@ main(int argc __attribute__((unused)), char** argv) char ca_file[] = "../SSL/cacert.pem", *ca_path = 0, *cipher = 0; - struct st_VioSSLAcceptorFd* ssl_acceptor; + struct st_VioSSLFd* ssl_acceptor; pthread_t th; TH_ARGS th_args; diff --git a/vio/vio.c b/vio/vio.c index 21a824a4016..2b0a7f0d79b 100644 --- a/vio/vio.c +++ b/vio/vio.c @@ -233,3 +233,16 @@ void vio_delete(Vio* vio) my_free((gptr) vio,MYF(0)); } } + + +/* + Cleanup memory allocated by vio or the + components below it when application finish + +*/ +void vio_end(void) +{ +#ifdef HAVE_YASSL + yaSSL_CleanUp(); +#endif +} diff --git a/vio/viosslfactories.c b/vio/viosslfactories.c index 058a19dfa0c..2c528e9a2fc 100644 --- a/vio/viosslfactories.c +++ b/vio/viosslfactories.c @@ -220,7 +220,7 @@ static void check_ssl_init() } /************************ VioSSLFd **********************************/ -struct st_VioSSLFd * +static struct st_VioSSLFd * new_VioSSLFd(const char *key_file, const char *cert_file, const char *ca_file, const char *ca_path, const char *cipher, SSL_METHOD *method) -- cgit v1.2.1
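Review bot: vio_end's header comment promises to clean up "memory allocated by vio or the components below it", but the body only calls `yaSSL_CleanUp()` under HAVE_YASSL; in an OpenSSL build the function does nothing, so the valgrind noise this commit targets will remain there unless OpenSSL's own library-level teardown is invoked elsewhere. Either make the comment say so, e.g. `/* Release library-level resources held by the SSL backend; currently only yaSSL provides a cleanup hook here */`, or add the OpenSSL equivalent under `#ifdef HAVE_OPENSSL`. The wording should also be fixed while here: `components below it when the application finishes`.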