From d851d5e70cf7ce2c1aacdf2119d7ecaacc8835d2 Mon Sep 17 00:00:00 2001
From: Sergei Golubchik
Date: Wed, 19 Nov 2014 18:54:02 +0100
Subject: [PATCH 1/3] MDEV-6975 Implement TLS protocol followup: * explicitly disable SSLv2 and SSLv3, keep other protocols enabled * fix a compiler warning * rename the test and combinations to avoid confusion vio/viossl.c: fix a compiler warning
---
 ...nssl-poodle_6975,sslv3.result => openssl_6975,tlsv10.result} | 0
 ...ssl-poodle_6975,tlsv12.result => openssl_6975,tlsv12.result} | 0
 ...enssl-poodle_6975.combinations => openssl_6975.combinations} | 2 +-
 mysql-test/t/{openssl-poodle_6975.test => openssl_6975.test} | 0
 vio/viossl.c | 2 +-
 vio/viosslfactories.c | 2 ++
 6 files changed, 4 insertions(+), 2 deletions(-)
 rename mysql-test/r/{openssl-poodle_6975,sslv3.result => openssl_6975,tlsv10.result} (100%)
 rename mysql-test/r/{openssl-poodle_6975,tlsv12.result => openssl_6975,tlsv12.result} (100%)
 rename mysql-test/t/{openssl-poodle_6975.combinations => openssl_6975.combinations} (86%)
 rename mysql-test/t/{openssl-poodle_6975.test => openssl_6975.test} (100%)
diff --git a/mysql-test/r/openssl-poodle_6975,sslv3.result b/mysql-test/r/openssl_6975,tlsv10.result
similarity index 100%
rename from mysql-test/r/openssl-poodle_6975,sslv3.result
rename to mysql-test/r/openssl_6975,tlsv10.result
diff --git a/mysql-test/r/openssl-poodle_6975,tlsv12.result b/mysql-test/r/openssl_6975,tlsv12.result
similarity index 100%
rename from mysql-test/r/openssl-poodle_6975,tlsv12.result
rename to mysql-test/r/openssl_6975,tlsv12.result
diff --git a/mysql-test/t/openssl-poodle_6975.combinations b/mysql-test/t/openssl_6975.combinations
similarity index 86%
rename from mysql-test/t/openssl-poodle_6975.combinations
rename to mysql-test/t/openssl_6975.combinations
index 3147de1cb63..17517b7d552 100644
--- a/mysql-test/t/openssl-poodle_6975.combinations
+++ b/mysql-test/t/openssl_6975.combinations
@@ -1,6 +1,6 @@
 [tlsv12]
 loose-ssl-cipher=TLSv1.2
-[sslv3]
+[tlsv10]
 loose-ssl-cipher=SSLv3
diff --git a/mysql-test/t/openssl-poodle_6975.test b/mysql-test/t/openssl_6975.test
similarity index 100%
rename from mysql-test/t/openssl-poodle_6975.test
rename to mysql-test/t/openssl_6975.test
diff --git a/vio/viossl.c b/vio/viossl.c
index fd5dfc51f17..5181f496768 100644
--- a/vio/viossl.c
+++ b/vio/viossl.c
@@ -144,7 +144,7 @@ int vio_ssl_close(Vio *vio)
 break;
 default: /* Shutdown failed */
 DBUG_PRINT("vio_error", ("SSL_shutdown() failed, error: %d",
- SSL_get_error(ssl, r)));
+ (int)SSL_get_error(ssl, r)));
 break;
 }
 }
diff --git a/vio/viosslfactories.c b/vio/viosslfactories.c
index c64bba338a4..22645b18b1b 100644
--- a/vio/viosslfactories.c
+++ b/vio/viosslfactories.c
@@ -200,6 +200,8 @@ new_VioSSLFd(const char *key_file, const char *cert_file,
 DBUG_RETURN(0);
 }
+ SSL_CTX_set_options(ssl_fd->ssl_context, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
+
 /*
 Set the ciphers that can be used
 NOTE: SSL_CTX_set_cipher_list will return 0 if
From ed2cc2a8cb6a657110f921931fafd999679b331c Mon Sep 17 00:00:00 2001
From: Sergei Golubchik
Date: Wed, 19 Nov 2014 22:04:51 +0100
Subject: [PATCH 2/3] Fix YaSSL on windows This came with the upgrade from yassl 2.3.0 to 2.3.4 - ssl tests started to hang on Windows. Comparing and removing changes I've got to this: void input_buffer::set_current(uint i) {
- if (i)
- check(i - 1, size_);
- current_ = i;
+ if (error_ == 0 && i && check(i - 1, size_) == 0)
+ current_ = i;
+ else
+ error_ = -1;
} in 2.3.0 i==0 was only used to avoid the check, in 2.3.4 it's an error. but there are places in the code that do set_current(0) and others that do, like, { before=get_current(); ...; set_current(before); } - and the initial value of current_ is 0. So, I suspect that set_current(0) should not be an error, but it should only skip the check().
---
 extra/yassl/src/buffer.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
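Review bot: The renamed `[tlsv10]` section still carries `loose-ssl-cipher=SSLv3`, so a reader who has just seen SSLv3 switched off in viosslfactories.c will read this combination as turning it back on. In OpenSSL cipher-list syntax `SSLv3` names the suites introduced with SSLv3, which TLS 1.0 also negotiates, rather than the protocol version, so the value is consistent with the new section name but only implicitly. A comment above the line would stop the next maintainer from "correcting" it, e.g. `# SSLv3 is an OpenSSL cipher-suite alias, not the protocol: with SSLv3 disabled these suites negotiate TLS 1.0`, assuming the combinations parser accepts `#` comments, which this diff does not show.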
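Review bot: The new `SSL_CTX_set_options` call in new_VioSSLFd carries no comment recording why exactly SSLv2 and SSLv3 are excluded while TLS 1.0 and later stay enabled; that rationale exists only in the commit message and will not be visible to whoever next edits the protocol settings. I would add `/* MDEV-6975 (POODLE): never negotiate SSLv2 or SSLv3; TLS 1.0 and later remain enabled */` directly above the call. Leaving the return value unchecked is fine here, since SSL_CTX_set_options returns the resulting option mask rather than a status. If this file is also compiled against the bundled yaSSL, it is worth confirming that those headers define both SSL_OP_NO_* flags, which the hunk cannot show. new_VioSSLFd begins and continues outside the hunk.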
diff --git a/extra/yassl/src/buffer.cpp b/extra/yassl/src/buffer.cpp
index b7a77f478f8..ee5e0cc0793 100644
--- a/extra/yassl/src/buffer.cpp
+++ b/extra/yassl/src/buffer.cpp
@@ -165,7 +165,7 @@ void input_buffer::set_error()
 void input_buffer::set_current(uint i)
 {
- if (error_ == 0 && i && check(i - 1, size_) == 0)
+ if (error_ == 0 && (i == 0 || check(i - 1, size_) == 0))
 current_ = i;
 else
 error_ = -1;
From 48f4961a12919405a719c951630a8b804e685997 Mon Sep 17 00:00:00 2001
From: Sergei Golubchik
Date: Thu, 20 Nov 2014 16:11:30 +0100
Subject: [PATCH 3/3] followup: disable openssl_6975.test as appropriate
---
 mysql-test/suite.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/mysql-test/suite.pm b/mysql-test/suite.pm
index 60d3c0b6d8d..d3285187607 100644
--- a/mysql-test/suite.pm
+++ b/mysql-test/suite.pm
@@ -39,7 +39,7 @@ sub skip_combinations {
 }
 $skip{'include/check_ipv6.inc'} = 'No IPv6' unless ipv6_ok();
- $skip{'t/openssl-poodle_6975.test'} = 'no or too old openssl'
+ $skip{'t/openssl_6975.test'} = 'no or too old openssl'
 unless ! IS_WINDOWS and ! system "openssl ciphers TLSv1.2 2>&1 >/dev/null";
 %skip;
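Review bot: The rewritten condition in input_buffer::set_current gives no hint why `i == 0` bypasses `check()`, and that special case is the entire fix; read cold, it looks like a loosened bounds check. The commit message explains it (0 is the initial value of current_ and is also what callers save and restore), so that belongs next to the code: `// 0 is the initial position and always valid; skipping check() also avoids i - 1 wrapping for the unsigned i`. A small test that set_current(0) leaves error_ untouched while an index past size_ still sets it would pin the behaviour that hung the Windows tests. The function's closing brace lies outside the hunk.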