accept proxy protocol header from client connections.
The new server variable 'proxy_protocol_networks' contains list
of networks from which proxy header is accepted.
post-review fixes:
* move all ssl implementation related ifdefs/defines to one file
(ssl_compat.h)
* work around OpenSSL-1.1 desire to malloc every EVP context by
run-time checking that context allocated on the stack is big enough
(openssl.c)
* use newer version of the AWS SDK for OpenSSL 1.1
* use get_dh2048() function as generated by openssl 1.1
(viosslfactories.c)
Initial support
tested against OpenSSL 1.0.1, 1.0.2, 1.1.0, Yassl and LibreSSL
not working on Windows with native SChannel support, due to wrong cipher
mapping: Latter one requires push of CONC-241 fixes.
Please note that OpenSSL 0.9.8 and OpenSSL 1.1.0 will not work: Even if
the build succeeds, test cases will fail with various errors, especially
when using different tls libraries or versions for client and server.
Define my_thread_id as an unsigned type, to avoid mismatch with
ulonglong. Change some parameters to this type.
Use size_t in a few more places.
Declare many flag constants as unsigned to avoid sign mismatch
when shifting bits or applying the unary ~ operator.
When applying the unary ~ operator to enum constants, explictly
cast the result to an unsigned type, because enum constants can
be treated as signed.
In InnoDB, change the source code line number parameters from
ulint to unsigned type. Also, make some InnoDB functions return
a narrower type (unsigned or uint32_t instead of ulint;
bool instead of ibool).
Fix test whether process is alive in mysqltest.
Also fix SHUT_RD definition on Windows to be SD_RECEIVE.
SD_BOTH was used instead prior to this patch, and this would
occasionally make mysql_shutdown() fail - when the socket for the current connection
is not able send the COM_SHUTDOWN response anymore.
-Change my_rnd() slightly to make it safer if two threads use it at the same time.
-Avoid some sprintf and strmov in vio.
-Changed thread_count to be automically incremented (instead of under LOCK_thread_count).
-Thread cache now uses LOCK_thread_cache instead of LOCK_thread_count.
-Moved delete thd out from LOCK_thread_count.
-Save some mysql_cond_broadcast(&COND_thread_count) calls.
-Removed call to getsockname() during connect.
-Initialize random generator without locks.
Other things:
-Added thread_safe_decrement32() and thread_safe_increment32()
-Removed sql_rnd_with_mutex() and get_thread_running()
Thanks to Yoshinori Matsunobu for the benchmark of connection speed and to
Domas Mituzas for the inspiration for many of the fixes.
include/violite.h:
Change desc to a string pointer
mysql-test/suite/perfschema/r/all_instances.result:
Added new mutex
mysys/my_rnd.c:
Change my_rnd() slightly to make it safer if two threads use it at the same time.
sql/event_scheduler.cc:
Changed thread_count to be automically incremented
Moved some safe things out from LOCK_thread_count.
Simplify deleting of THD for running thread.
sql/mysqld.cc:
Changed thread_count to be automically incremented
Thread cache now uses LOCK_thread_cache instead of LOCK_thread_count
Added delete_running_thd()
Moved delete thd out from LOCK_thread_count
More DBUG_ENTER
Only call mysql_cond_broadcast(&COND_thread_count) if thread_count is 0
Removed call to getsockname() (old not anymore needed check)
sql/mysqld.h:
Removed sql_rnd_with_mutex() (not needed anymore)
Removed not used function get_thread_running()
Added thread_safe_decrement32() and thread_safe_increment32()
Simplified dec_thread_running() and inc_thread_running()
sql/sql_class.cc:
Removed thd_lock_thread_count() and thd_unlock_thread_count()
Initialize random generator without locks
sql/sql_insert.cc:
Changed thread_count to be automically incremented
sql/sql_parse.cc:
Changed thread_count to be automically incremented
vio/vio.c:
Don't generate 'desc' with sprintf/strmov. Assign a pointer instead.
(Good enough as this is just for debugging)
Fix mismerged code from 5.6 (named-pipe related). viopipe.c, which was introduced in 5.6 is now copied almost identically into 10.0
The unused vio::pipe_overlapped is removed.
Use post_kill_notification in for one_thread_per_connection scheduler,
the same as already used in threadpool, to reliably wake a thread stuck in
read() or in different poll() variations.
On shutdown(), Windows can drop traffic still queued for sending even if that
wasn't specifically requested. As a result, fatal errors (those after
signaling which the server will drop the connection) were sometimes only
seen as "connection lost" on the client side, because the server-side
shutdown() erraneously discarded the correct error message before sending
it.
If on Windows, we now use the Windows API to access the (non-broken) equivalent
of shutdown().
Backport from trunk
On shutdown(), Windows can drop traffic still queued for sending even if that
wasn't specifically requested. As a result, fatal errors (those after
signaling which the server will drop the connection) were sometimes only
seen as "connection lost" on the client side, because the server-side
shutdown() erraneously discarded the correct error message before sending
it.
If on Windows, we now use the Windows API to access the (non-broken) equivalent
of shutdown().
Backport from trunk
include/violite.h:
export mysql_socket_shutdown(). It lives in vio in the backport.
sql/mysqld.cc:
Go through our own shutdown() rather than straight to the POSIX one.
vio/viosocket.c:
Define mysql_socket_shutdown(). On UNIXoid systems, it's just a wrapper for shutdown(), but
on Window, it uses DisconnectEx, which is magic.
VIO has SSL in embedded server anyway, so we do not win anything by excluding it.
This was actually already done in this changeset:
revision-id: kostja@sun.com-20100413150445-8x23keoxdiufgq76
"... Also, he removed the (probable) bug of embedded server never using SSL-dependent functions..."
But was apparenly lost by a mis-merge of WL#5030.
All client functions that can block on I/O have alternate _start() and
_cont() versions that do not block but return control back to the
application, which can then issue I/O wait in its own fashion and later
call back into the library to continue the operation.
Works behind the scenes by spawning a co-routine/fiber to run the
blocking operation and suspend it while waiting for I/O. This
co-routine/fiber use is invisible to applications.
For i368/x86_64 on GCC, uses very fast assembler co-routine support. On
Windows uses native Win32 Fibers. Falls back to POSIX ucontext on other
platforms. Assembler routines for more platforms are relatively easy to
add by extending mysys/my_context.c, eg. similar to the Lua lcoco
library.
For testing, mysqltest and mysql_client_test are extended with the
option --non-blocking-api. This causes the programs to use the
non-blocking API for database access. mysql-test-run.pl has a similar
option --non-blocking-api that uses this, as well as additional
testcases.
An example program tests/async_queries.c is included that uses the new
non-blocking API with libevent to show how, in a single-threaded
program, to issue many queries in parallel against a database.
client/async_example.c:
Fix const warning
******
Fix bug with wrong timeout value for poll().
include/Makefile.am:
Fix missing include for `make dist`
include/mysql.h:
Add prototypes for all non-blocking API calls.
include/mysql.h.pp:
Add prototypes for all non-blocking API calls.
mysys/my_context.c:
Fix type warning for makecontext() function pointer argument.
sql-common/mysql_async.c:
Fix crashes in the non-blocking API for functions that can take MYSQL argument
that is NULL.
tests/Makefile.am:
Add header file to `make dist`
tests/mysql_client_test.c:
Replace blocking calls with wrappers around the non-blocking calls, used in
mysql_client_test to test the new non-blocking API.
tests/nonblock-wrappers.h:
Replace blocking calls with wrappers around the non-blocking calls, used in
mysql_client_test to test the new non-blocking API.
SSL errors on client and now more specific to aid end-user
with debugging. Also restructures error handling for
compliance with SSL docs.
include/violite.h:
new_VioSSLConnectorFd/sslaccept/sslconnect return more elaborate status
libmysql/errmsg.c:
SSL errors now extended, more specific
mysql-test/r/openssl_1.result:
SSL errors now extended, more specific
sql-common/client.c:
Do more detailed error reporting for setup, connect, and
server cert verifying phases.
sql/sql_acl.cc:
sslaccept() signature has changed
vio/viossl.c:
Save the error code and return it to callers of sslaccept
and sslconnect.
vio/viosslfactories.c:
new_VioSSLConnectorFd(): return error code to caller
IF NO DNS-SERVER AVAILABLE.
The thing is that on Windows XP getnameinfo() returns WSANO_DATA
when hostname-lookup is not available. The problem was that
this error code was treated as serious error and the client
connection got rejected.
The fix is to treat all errors from getnameinfo() as not ciritical,
but add IP-address to the host cache only for EAI_NONAME (or WSANO_DATA).
In order to allow thread schedulers to be dynamically loaded,
it is necessary to make the following changes to the server:
- Two new service interfaces
- Modifications to InnoDB to inform the thread scheduler of state changes.
- Changes to the VIO subsystem for checking if data is available on a socket.
- Elimination of remains of the old thread pool implementation.
The two new service interfaces introduces are:
my_thread_scheduler
A service interface to register a thread
scheduler.
thd_wait
A service interface to inform thread scheduler
that the thread is about to start waiting.
In addition, the patch adds code that:
- Add a call to thd_wait for table locks in mysys
thd_lock.c by introducing a set function that
can be used to set a callback to be used when
waiting on a lock and resuming from waiting.
- Calling the mysys set function from the server
to set the callbacks correctly.
ChangeSet@1.2703, 2007-12-07 09:35:28-05:00, cmiller@zippy.cornsilk.net +40 -0
Bug#13174: SHA2 function
Patch contributed from Bill Karwin, paper unnumbered CLA in Seattle
Implement SHA2 functions.
Chad added code to make it work with YaSSL. Also, he removed the
(probable) bug of embedded server never using SSL-dependent
functions. (libmysqld/Makefile.am didn't read ANY autoconf defs.)
Function specification:
SHA2( string cleartext, integer hash_length )
-> string hash, or NULL
where hash_length is one of 224, 256, 384, or 512. If either is
NULL or a length is unsupported, then the result is NULL. The
resulting string is always the length of the hash_length parameter
or is NULL.
Include the canonical hash examples from the NIST in the test
results.
---
Polish and address concerns of reviewers.
.bzrignore:
Added libmysqld/sha2.cc to the ignore list.
client/mysql.cc:
Add condition to remove code for embedded server.
client/mysqltest.cc:
Add condition to remove code for embedded server.
include/Makefile.am:
New header file to header list.
include/mysql_embed.h:
Embedded servers can use SSL-library functions too!
include/sha2.h:
Compatibility layer to make YaSSL behave like OpenSSL.
include/sslopt-case.h:
Remove SSL-communication parameters from command lines.
include/sslopt-longopts.h:
Remove SSL-communication parameters from command lines.
include/sslopt-vars.h:
Don't declare variables that are only used in SSL communication, if
we are compiling the embedded server.
include/violite.h:
Don't even compile the SSL-communication function if we're in the
embedded server.
---
Remove CPP condition indentation.
libmysqld/CMakeLists.txt:
Add new file to source list.
libmysqld/Makefile.am:
Include standard DEFS in embedded compilation. It's an undiscovered
but that it's not there.
Add new file to source list.
libmysqld/examples/Makefile.am:
Include autoconf DEFS.
libmysqld/lib_sql.cc:
Initialize SSL-related variables in embedded server.
mysql-test/include/have_ssl_crypto_functs.inc:
Distinguish between communication and crypto.
Use the tristate value of "have_ssl" variable to know whether to
test or not for SSL-provided crypto functions.
mysql-test/r/func_digest.result:
Test against the sample test vectors in the NIST Secure
Hash Standard (http://csrc.nist.gov/cryptval/shs.htm)
mysql-test/r/func_encrypt_nossl.result:
Update results to the new error message text.
mysql-test/r/have_ssl_is_yes_or_disabled_only.require:
Distinguish between communication and crypto.
Use the tristate value of "have_ssl" variable to know whether to
test or not for SSL-provided crypto functions.
mysql-test/suite/rpl/t/rpl_ssl.test:
Distinguish between communication and crypto.
mysql-test/suite/rpl/t/rpl_ssl1.test:
Distinguish between communication and crypto.
mysql-test/t/func_des_encrypt.test:
Distinguish between communication and crypto.
mysql-test/t/func_digest.test:
Test against the sample test vectors in the NIST Secure
Hash Standard (http://csrc.nist.gov/cryptval/shs.htm)
Also, test that various parameters (legal and illegal)
do what we expect.
---
Distinguish between communication and crypto.
mysql-test/t/func_encrypt.test:
Distinguish between communication and crypto.
mysql-test/t/openssl_1.test:
Don't test SSL communication if we're in the embedded server.
---
Distinguish between communication and crypto.
mysql-test/t/ssl-big.test:
Don't test SSL communication if we're in the embedded server.
---
Distinguish between communication and crypto.
mysql-test/t/ssl.test:
Don't test SSL communication if we're in the embedded server.
---
Distinguish between communication and crypto.
mysql-test/t/ssl_8k_key.test:
Don't test SSL communication if we're in the embedded server.
---
Distinguish between communication and crypto.
mysql-test/t/ssl_compress.test:
Don't test SSL communication if we're in the embedded server.
---
Distinguish between communication and crypto.
mysql-test/t/ssl_connect.test:
Don't test SSL communication if we're in the embedded server.
---
Distinguish between communication and crypto.
sql-common/client.c:
SSL is useful for more functionality than just connecting. Test
for whether we are not embedded server also.
sql/CMakeLists.txt:
Add new source file to source list so that we have access to SHA2
functions.
sql/Makefile.am:
Add new source file to source list so that we have access to SHA2
functions.
sql/item_create.cc:
Bootstrap the SHA2 function into the server.
sql/item_strfunc.cc:
Add new SHA2 Item class methods.
Clean up two minor problems.
---
Remove extraneous debugging.
---
We must check nullness of a parameter only /after/ computing its
value.
sql/item_strfunc.h:
Declare new SHA2 Item class.
sql/mysqld.cc:
For embedded server, don't refer to SSL-communications variables
or values.
---
Remove CPP condition indentation.
sql/sha2.cc:
Compatibility layer to make YaSSL behave like OpenSSL.
---
Add comment for generated functions.
sql/sql_acl.cc:
For embedded server, don't refer to SSL-communications variables
or values.
sql/sql_connect.cc:
SSL is useful for more functionality than just connecting. Test
for whether we are not embedded server also.
sql/sys_vars.cc:
For embedded server, don't refer to SSL-communications variables
or values.
This patch:
- Moves all definitions from the mysql_priv.h file into
header files for the component where the variable is
defined
- Creates header files if the component lacks one
- Eliminates all include directives from mysql_priv.h
- Eliminates all circular include cycles
- Rename time.cc to sql_time.cc
- Rename mysql_priv.h to sql_priv.h
Fixed bug in Yassle to get correct error messages in case of errors
Provide better error messages in case of ssl connect failure
Updated out-of-date ssl certificates to fix failing mysql-test-system (certificates now active for 10 years)
Fixed bug in query_cache that could cause asserts and hangs in DEBUG builds.
Fixed bug where one connection did not see changes done by another connection.
configure.in:
Changed version number from RC to stable
extra/yassl/src/yassl_error.cpp:
Fixed bug in Yassle to get correct error messages in case of errors
- 'error' is an enum that hold more error numbers than the enum was defined for
include/violite.h:
Added error output string for sslaccept() and sslconnect() to get reason for connect failure
mysql-test/mysql-test-run.pl:
Write failed test cases if mysql-test-run fails because of too many errors
mysql-test/r/grant.result:
Update results to reflect new certificates
mysql-test/r/openssl_1.result:
Update results to reflect new certificates
mysql-test/std_data/cacert.pem:
Update ssl certificate
mysql-test/std_data/client-cert.pem:
Update ssl certificate
mysql-test/std_data/client-key.pem:
Update ssl certificate
mysql-test/std_data/server-cert.pem:
Update ssl certificate
mysql-test/std_data/server-key.pem:
Update ssl certificate
mysql-test/t/grant.test:
Update test to reflect new certificates
mysql-test/t/openssl_1.test:
Update test to reflect new certificates
mysql-test/t/query_cache_debug.test:
Remove 'big_test' as test is now fast
sql-common/client.c:
Give a better error message if ssl connect fails
sql/net_serv.cc:
Fixed compiler warnings
sql/slave.cc:
Give a better error message in logs if ssl connect fails
sql/sql_cache.cc:
debug_wait_for_kill() now removes the set watch variable after kill signal
This is needed as invalidate_table() may be called twice for one query.
Ensure that net->query_cache_query is reset after query. This fixes assert in
query_cache_end_of_result() if query_cache_query holds results from previous query.
Removed DBUG_ASSERT(0), as this code can be run by query_cache_debug.test
sql/sql_connect.cc:
Give a better error message if ssl connect fails
sql/sql_parse.cc:
Fixed bug where one connection did not see changes done by another connection.
For statements that changes tables, close_thread_tables() MUST be called before
sending OK as a table handler may not make the changes available for other connections
before unlock_tables().
vio/viossl.c:
Give a better error message if ssl connect fails
- Marked a couple of tests with --big
- Fixed xtradb/handler/ha_innodb.cc to call explain_filename()
storage/xtradb/handler/ha_innodb.cc:
Call explain_filename() to get proper names for partitioned tables
Original changeset:
------------------------------------------------------------
revno: 2626
committer: davi@mysql.com/endora.local
timestamp: Wed 2008-04-23 09:33:25 -0300
message:
Fix for main.ssl and main.ssl_compress test case failures under pool-of-threads.
The problem is that the SSL layer has a read buffer and might read
more data than requested by the VIO layer. The SSL layer empties the
socket buffer which causes the socket to not be signaled for IO if
the client is waiting for a command which is sitting in the read
buffer.
The solution is to retrieve from the transport layer the number of
bytes waiting in the read buffer. The data in the read buffer needs
to be processed before waiting for more data.
implement Davi's review suggestions (post-push fixes)
include/violite.h:
Use official abbreviation for milliseconds (ms)
sql/mysqld.cc:
Fix formatting
Add error handling for the case of CreateEvent error
vio/vio.c:
Use official abbreviation for milliseconds(ms)
Remove superfluous memset
Fix formatting
vio/viosocket.c:
Use official abbreviation for milliseconds (ms)
Use size_t datatype instead of int in pipe_complete_io
- Moved some code from innodb_plugin to xtradb, to ensure that all tests runs
- Did changes in pbxt and maria storage engines becasue of changes in thd->query
- Reverted wrong code in sql_table.cc for how ROW_FORMAT is used.
This is a re-commit of Monty's merge to eliminate an extra commit from
MySQL-5.1.42 that was accidentally included in the merge.
This is a merge of the MySQL 5.1.41 clone-off (clone-5.1.41-build). In
case there are any extra changes done before final MySQL 5.1.41
release, these will need to be merged later before MariaDB 5.1.41
release.
------------------------------------------------------------
revno: 3317
revision-id: davi.arnaut@sun.com-20090522170916-fzc5ca3tjs9roy1t
parent: patrick.crews@sun.com-20090522152933-ole8s3suy4zqyvku
committer: Davi Arnaut <Davi.Arnaut@Sun.COM>
branch nick: 41860-6.0
timestamp: Fri 2009-05-22 14:09:16 -0300
message:
Bug#41860: Without Windows named pipe
The problem was that the patch for Bug#10374 broke named pipe
and shared memory transports on Windows due to a failure to
implement a dummy poll method for transports other than BSD
sockets. Another problem was that mysqltest lacked support
for named pipe and shared memory connections, which lead to
misleading test cases that were supposed run common queries
over both transports.
The solution is to properly implement, at the VIO layer, the
poll and is_connected methods. The is_connected method is
implemented for every suppported transport and the poll one
only where it makes sense. Furthermore, support for named pipe
and shared memory connections is added to mysqltest as to
enable testing of both transports using the test suite.
client/mysqltest.cc:
Add support for named pipe and shared memory connections.
include/violite.h:
Move private functions to vio/vio_priv.h
Add poll_read and is_connected methods.
mysql-test/t/named_pipe.test:
Run tests over a named pipe connection.
mysql-test/t/shm.test:
Run tests over a shared memory connection.
sql/item_func.cc:
Rename method.
sql/sql_class.cc:
Remove higher-level vio_is_connected implementation.
sql/sql_class.h:
Rename vio_is_connected to not conflict with the vio one.
Verify that there is a valid vio.
vio/vio.c:
Add poll_read and is_connected methods.
vio/vio_priv.h:
Add private functions.
vio/viosocket.c:
Implement the is_connected method for the various transports.
------------------------------------------------------------
revno: 2597.37.3
revision-id: sp1r-davi@mysql.com/endora.local-20080328123626-16430
parent: sp1r-anozdrin/alik@quad.opbmk-20080327125300-11290
committer: davi@mysql.com/endora.local
timestamp: Fri 2008-03-28 09:36:26 -0300
message:
Bug#10374 GET_LOCK does not let connection to close on the server side if it's aborted
The problem is that the server doesn't detect aborted connections which
are waiting on a lock or sleeping (user sleep), wasting system resources
for a connection that is already dead.
The solution is to peek at the connection every five seconds to verify if
the connection is not aborted. A aborted connection is detect by polling
the connection socket for available data to be read or end of file and in
case of eof, the wait is aborted and the connection killed.
include/violite.h:
Export vio_peek_read function.
mysql-test/r/dirty_close.result:
Add test case result for Bug#10374
mysql-test/t/dirty_close.test:
Add test case for Bug#10374
sql/item_func.cc:
While waiting for a condition to be signaled, check if the connection
is not broken every INTERRUPT_INTERVAL seconds.
sql/sql_class.cc:
Add function which checks if the client connection was aborted.
sql/sql_class.h:
Add function prototype.
vio/viosocket.c:
Add poll and peek functions for Windows and Unix.
Bug#31621: Windows server hanging during shutdown using named pipes
and idle connection
Problem: when idle pipe connection is forcefully closed with KILL
statement or when the server goes down, thread that is closing connection
would hang infinitely in CloseHandle(). The reason for the hang is that
named pipe operations are performed synchronously. In this mode all IOs
on pipe are serialized, that is CloseHandle() will not abort ReadFile()
in another thread, but wait for ReadFile() to complete.
The fix implements asynchrnous mode for named pipes, where operation of file
are not synchronized. Read/Write operation would fire an async IO and wait for
either IO completion or timeout.
Note, that with this patch timeouts are properly handled for named pipes.
Post-review: Win32 timeout code has been fixed for named pipes and shared
memory. We do not store pointer to NET in vio structure, only the read and
write timeouts.
include/violite.h:
Add pipe_overlapped to Vio structure for async IO for named pipes.
sql-common/client.c:
Use asynchronous pipe IO.
sql/mysqld.cc:
Use asynchronous pipe IO.
vio/vio.c:
-Refactor timeouts for win32 protocols: shared memory and named pipes.
Store read/write timeout in VIO structure, instead of storing pointer
to NET. New function vio_win32_timeout called indirectly via
vio_timeout changes these values.
vio/vio_priv.h:
Remove vio_ignore_timeout.
Add vio_win32_timeout to be used for named pipes and shared memory.
vio/viosocket.c:
Use async IO for named pipes.
After issuing IO, wait for either IO completion, pipe_close_event
or timeout.
Refactor timeouts for named pipe and shared memory.
* Finished Monty and Jani's merge
* Some InnoDB tests still fail (because it's old xtradb code run against
newer testsuite). They are expected to go after mergning with the latest
xtradb.
not logged
Errors encountered during initialization of the SSL subsystem
are printed to stderr, rather than to the error log.
This patch adds a parameter to several SSL init functions to
report the error (if any) out to the caller. The function
init_ssl() in mysqld.cc is moved after the initialization of
the log subsystem, so that any error messages can be logged to
the error log. Printing of messages to stderr has been
retained to get diagnostic output in a client context.
include/violite.h:
Adding an enumeration for the various errors that can
occur during initialization of the SSL module.
sql/mysqld.cc:
Adding more logging of SSL init errors, and moving
init_ssl() till after initialization of logging
subsystem.
vio/viosslfactories.c:
Define error strings, provide an access method for these
strings, and maintain an error parameter in several funcs
to return the error (if any) to the caller.
