WL#9072: Backport WL#8785 to 5.5

Ramil Kalimullin · Ramil Kalimullin · commit 074a15c7af6a · 2016-02-19T23:35:38.000+04:00
diff --git a/client/client_priv.h b/client/client_priv.h
@@ -1,5 +1,5 @@
 /*
-   Copyright (c) 2001, 2014, Oracle and/or its affiliates. All rights reserved.
+   Copyright (c) 2001, 2016, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -100,6 +100,7 @@ enum options_client
   OPT_SERVER_PUBLIC_KEY,
   OPT_ENABLE_CLEARTEXT_PLUGIN,
   OPT_CONNECTION_SERVER_ID,
+  OPT_SSL_MODE,
   OPT_MAX_CLIENT_OPTION
 };
 
@@ -123,3 +124,36 @@ enum options_client
 */
 #define PERFORMANCE_SCHEMA_DB_NAME "performance_schema"
 
+/**
+  Wrapper for mysql_real_connect() that checks if SSL connection is establised.
+
+  The function calls mysql_real_connect() first, then if given ssl_required==TRUE
+  argument (i.e. --ssl-mode=REQUIRED option used) checks current SSL chiper to
+  ensure that SSL is used for current connection.
+  Otherwise it returns NULL and sets errno to CR_SSL_CONNECTION_ERROR.
+
+  All clients (except mysqlbinlog which disregards SSL options) use this function
+  instead of mysql_real_connect() to handle --ssl-mode=REQUIRED option.
+*/
+MYSQL *mysql_connect_ssl_check(MYSQL *mysql_arg, const char *host,
+                               const char *user, const char *passwd,
+                               const char *db, uint port,
+                               const char *unix_socket, ulong client_flag,
+                               my_bool ssl_required __attribute__((unused)))
+{
+  MYSQL *mysql= mysql_real_connect(mysql_arg, host, user, passwd, db, port,
+                                   unix_socket, client_flag);
+#if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY)
+  if (mysql &&                                   /* connection established. */
+      ssl_required &&                            /* --ssl-mode=REQUIRED. */
+      !mysql_get_ssl_cipher(mysql))              /* non-SSL connection. */
+  {
+    NET *net= &mysql->net;
+    net->last_errno= CR_SSL_CONNECTION_ERROR;
+    strmov(net->last_error, "--ssl-mode=REQUIRED option forbids non SSL connections");
+    strmov(net->sqlstate, "HY000");
+    return NULL;
+  }
+#endif
+  return mysql;
+}
diff --git a/client/mysql.cc b/client/mysql.cc
@@ -1,5 +1,5 @@
 /*
-   Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.
+   Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -1486,8 +1486,9 @@ sig_handler handle_kill_signal(int sig)
   mysql_options(kill_mysql, MYSQL_OPT_CONNECT_ATTR_RESET, 0);
   mysql_options4(kill_mysql, MYSQL_OPT_CONNECT_ATTR_ADD,
                  "program_name", "mysql");
-  if (!mysql_real_connect(kill_mysql,current_host, current_user, opt_password,
-                          "", opt_mysql_port, opt_mysql_unix_port,0))
+  if (!mysql_connect_ssl_check(kill_mysql, current_host, current_user,
+                               opt_password, "", opt_mysql_port,
+                               opt_mysql_unix_port, 0, opt_ssl_required))
   {
     tee_fprintf(stdout, "%s -- sorry, cannot connect to server to kill query, giving up ...\n", reason);
     goto err;
@@ -4815,9 +4816,10 @@ sql_real_connect(char *host,char *database,char *user,char *password,
                  "program_name", "mysql");
   mysql_options(&mysql, MYSQL_OPT_CAN_HANDLE_EXPIRED_PASSWORDS, &handle_expired);
 
-  if (!mysql_real_connect(&mysql, host, user, password,
-                          database, opt_mysql_port, opt_mysql_unix_port,
-                          connect_flag | CLIENT_MULTI_STATEMENTS))
+  if (!mysql_connect_ssl_check(&mysql, host, user, password,
+                               database, opt_mysql_port, opt_mysql_unix_port,
+                               connect_flag | CLIENT_MULTI_STATEMENTS,
+                               opt_ssl_required))
   {
     if (!silent ||
 	(mysql_errno(&mysql) != CR_CONN_HOST_ERROR &&
diff --git a/client/mysql_upgrade.c b/client/mysql_upgrade.c
@@ -1,5 +1,5 @@
 /*
-   Copyright (c) 2006, 2015, Oracle and/or its affiliates. All rights reserved.
+   Copyright (c) 2006, 2016, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -310,6 +310,7 @@ get_one_option(int optid, const struct my_option *opt,
   case OPT_DEFAULT_AUTH:                        /* --default-auth */
     add_one_option(&conn_args, opt, argument);
     break;
+#include <sslopt-case.h>
   }
 
   if (add_option)
@@ -400,6 +401,10 @@ static int run_tool(char *tool_path, DYNAMIC_STRING *ds_res, ...)
 
   va_end(args);
 
+  /* If given --ssl-mode=REQUIRED propagate it to the tool. */
+  if (opt_ssl_required)
+    dynstr_append(&ds_cmdline, "--ssl-mode=REQUIRED");
+
 #ifdef __WIN__
   dynstr_append(&ds_cmdline, "\"");
 #endif
diff --git a/client/mysqladmin.cc b/client/mysqladmin.cc
@@ -1,5 +1,5 @@
 /*
-   Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
+   Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -551,8 +551,9 @@ static my_bool sql_connect(MYSQL *mysql, uint wait)
 
   for (;;)
   {
-    if (mysql_real_connect(mysql,host,user,opt_password,NullS,tcp_port,
-			   unix_port, CLIENT_REMEMBER_OPTIONS))
+    if (mysql_connect_ssl_check(mysql, host, user, opt_password, NullS,
+                                tcp_port, unix_port,
+                                CLIENT_REMEMBER_OPTIONS, opt_ssl_required))
     {
       mysql->reconnect= 1;
       if (info)
diff --git a/client/mysqlcheck.c b/client/mysqlcheck.c
@@ -1,5 +1,5 @@
 /*
-   Copyright (c) 2001, 2015, Oracle and/or its affiliates. All rights reserved.
+   Copyright (c) 2001, 2016, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -924,8 +924,10 @@ static int dbConnect(char *host, char *user, char *passwd)
   mysql_options(&mysql_connection, MYSQL_OPT_CONNECT_ATTR_RESET, 0);
   mysql_options4(&mysql_connection, MYSQL_OPT_CONNECT_ATTR_ADD,
                  "program_name", "mysqlcheck");
-  if (!(sock = mysql_real_connect(&mysql_connection, host, user, passwd,
-         NULL, opt_mysql_port, opt_mysql_unix_port, 0)))
+  if (!(sock = mysql_connect_ssl_check(&mysql_connection, host, user, passwd,
+                                       NULL, opt_mysql_port,
+                                       opt_mysql_unix_port, 0,
+                                       opt_ssl_required)))
   {
     DBerror(&mysql_connection, "when trying to connect");
     DBUG_RETURN(1);
diff --git a/client/mysqldump.c b/client/mysqldump.c
@@ -1,5 +1,5 @@
 /*
-   Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
+   Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -1553,9 +1553,10 @@ static int connect_to_db(char *host, char *user,char *passwd)
   mysql_options(&mysql_connection, MYSQL_OPT_CONNECT_ATTR_RESET, 0);
   mysql_options4(&mysql_connection, MYSQL_OPT_CONNECT_ATTR_ADD,
                  "program_name", "mysqldump");
-  if (!(mysql= mysql_real_connect(&mysql_connection,host,user,passwd,
-                                  NULL,opt_mysql_port,opt_mysql_unix_port,
-                                  0)))
+  if (!(mysql= mysql_connect_ssl_check(&mysql_connection, host, user,
+                                       passwd, NULL, opt_mysql_port,
+                                       opt_mysql_unix_port, 0,
+                                       opt_ssl_required)))
   {
     DB_error(&mysql_connection, "when trying to connect");
     DBUG_RETURN(1);
diff --git a/client/mysqlimport.c b/client/mysqlimport.c
@@ -1,5 +1,5 @@
 /*
-   Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
+   Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -468,9 +468,9 @@ static MYSQL *db_connect(char *host, char *database,
   mysql_options(mysql, MYSQL_OPT_CONNECT_ATTR_RESET, 0);
   mysql_options4(mysql, MYSQL_OPT_CONNECT_ATTR_ADD,
                  "program_name", "mysqlimport");
-  if (!(mysql_real_connect(mysql,host,user,passwd,
-                           database,opt_mysql_port,opt_mysql_unix_port,
-                           0)))
+  if (!(mysql_connect_ssl_check(mysql, host, user, passwd, database,
+                                opt_mysql_port, opt_mysql_unix_port,
+                                0, opt_ssl_required)))
   {
     ignore_errors=0;	  /* NO RETURN FROM db_error */
     db_error(mysql);
diff --git a/client/mysqlshow.c b/client/mysqlshow.c
@@ -1,5 +1,5 @@
 /*
-   Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
+   Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -156,10 +156,10 @@ int main(int argc, char **argv)
   mysql_options(&mysql, MYSQL_OPT_CONNECT_ATTR_RESET, 0);
   mysql_options4(&mysql, MYSQL_OPT_CONNECT_ATTR_ADD,
                  "program_name", "mysqlshow");
-  if (!(mysql_real_connect(&mysql,host,user,opt_password,
-			   (first_argument_uses_wildcards) ? "" :
-                           argv[0],opt_mysql_port,opt_mysql_unix_port,
-			   0)))
+  if (!(mysql_connect_ssl_check(&mysql, host, user, opt_password,
+                                (first_argument_uses_wildcards) ? "" :
+                                argv[0], opt_mysql_port, opt_mysql_unix_port,
+                                0, opt_ssl_required)))
   {
     fprintf(stderr,"%s: %s\n",my_progname,mysql_error(&mysql));
     exit(1);
diff --git a/client/mysqlslap.c b/client/mysqlslap.c
@@ -1,5 +1,5 @@
 /*
-   Copyright (c) 2005, 2015, Oracle and/or its affiliates. All rights reserved.
+   Copyright (c) 2005, 2016, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -369,9 +369,9 @@ int main(int argc, char **argv)
                   (char*) &opt_enable_cleartext_plugin);
   if (!opt_only_print) 
   {
-    if (!(mysql_real_connect(&mysql, host, user, opt_password,
-                             NULL, opt_mysql_port,
-                             opt_mysql_unix_port, connect_flags)))
+    if (!(mysql_connect_ssl_check(&mysql, host, user, opt_password,
+                                  NULL, opt_mysql_port, opt_mysql_unix_port,
+                                  connect_flags, opt_ssl_required)))
     {
       fprintf(stderr,"%s: Error when connecting to server: %s\n",
               my_progname,mysql_error(&mysql));
diff --git a/client/mysqltest.cc b/client/mysqltest.cc
@@ -5315,8 +5315,9 @@ void safe_connect(MYSQL* mysql, const char *name, const char *host,
                  "program_name", "mysqltest");
   mysql_options(mysql, MYSQL_OPT_CAN_HANDLE_EXPIRED_PASSWORDS,
                 &can_handle_expired_passwords);
-  while(!mysql_real_connect(mysql, host,user, pass, db, port, sock,
-                            CLIENT_MULTI_STATEMENTS | CLIENT_REMEMBER_OPTIONS))
+  while(!mysql_connect_ssl_check(mysql, host,user, pass, db, port, sock,
+                                 CLIENT_MULTI_STATEMENTS | CLIENT_REMEMBER_OPTIONS,
+                                 opt_ssl_required))
   {
     /*
       Connect failed
@@ -5420,8 +5421,9 @@ int connect_n_handle_errors(struct st_command *command,
   mysql_options4(con, MYSQL_OPT_CONNECT_ATTR_ADD, "program_name", "mysqltest");
   mysql_options(con, MYSQL_OPT_CAN_HANDLE_EXPIRED_PASSWORDS,
                 &can_handle_expired_passwords);
-  while (!mysql_real_connect(con, host, user, pass, db, port, sock ? sock: 0,
-                          CLIENT_MULTI_STATEMENTS))
+  while (!mysql_connect_ssl_check(con, host, user, pass, db, port,
+                                  sock ? sock: 0, CLIENT_MULTI_STATEMENTS,
+                                  opt_ssl_required))
   {
     /*
       If we have used up all our connections check whether this
diff --git a/include/sslopt-case.h b/include/sslopt-case.h
@@ -1,7 +1,7 @@
 #ifndef SSLOPT_CASE_INCLUDED
 #define SSLOPT_CASE_INCLUDED
 
-/* Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -35,5 +35,18 @@
       opt_ssl_crlpath= NULL;
 #endif
       break;
+#ifdef MYSQL_CLIENT
+    case OPT_SSL_MODE:
+      if (my_strcasecmp(&my_charset_latin1, argument, "required"))
+      {
+        fprintf(stderr,
+                "Unknown value to --ssl-mode: '%s'. Use --ssl-mode=REQUIRED\n",
+                argument);
+        exit(1);
+      }
+      else
+        opt_ssl_required= 1;
+      break;
+#endif /* MYSQL_CLIENT */
 #endif
 #endif /* SSLOPT_CASE_INCLUDED */
diff --git a/include/sslopt-longopts.h b/include/sslopt-longopts.h
@@ -1,7 +1,7 @@
 #ifndef SSLOPT_LONGOPTS_INCLUDED
 #define SSLOPT_LONGOPTS_INCLUDED
 
-/* Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -51,6 +51,9 @@
    "when connecting. This option is disabled by default.",
    &opt_ssl_verify_server_cert, &opt_ssl_verify_server_cert,
    0, GET_BOOL, OPT_ARG, 0, 0, 0, 0, 0, 0},
+  {"ssl-mode", OPT_SSL_MODE,
+   "SSL connection mode.",
+   0, 0, 0, GET_STR, REQUIRED_ARG, 0, 0, 0, 0, 0, 0},
 #endif
 #endif /* HAVE_OPENSSL */
 #endif /* SSLOPT_LONGOPTS_INCLUDED */
diff --git a/include/sslopt-vars.h b/include/sslopt-vars.h
@@ -1,7 +1,7 @@
 #ifndef SSLOPT_VARS_INCLUDED
 #define SSLOPT_VARS_INCLUDED
 
-/* Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -30,8 +30,13 @@ SSL_STATIC char *opt_ssl_cipher  = 0;
 SSL_STATIC char *opt_ssl_key     = 0;
 SSL_STATIC char *opt_ssl_crl     = 0;
 SSL_STATIC char *opt_ssl_crlpath = 0;
+
 #ifdef MYSQL_CLIENT
 SSL_STATIC my_bool opt_ssl_verify_server_cert= 0;
-#endif
-#endif
+SSL_STATIC my_bool opt_ssl_required= 0;
+#endif /* MYSQL_CLIENT */
+#else /* HAVE_OPENSSL */
+#define opt_ssl_required 0
+#endif /* HAVE_OPENSSL */
+
 #endif /* SSLOPT_VARS_INCLUDED */
diff --git a/mysql-test/r/ssl_mode.result b/mysql-test/r/ssl_mode.result
@@ -0,0 +1,45 @@
+# positive client tests
+# mysql
+Variable_name	Value
+Ssl_cipher	DHE-RSA-AES256-SHA
+Variable_name	Value
+Ssl_cipher	DHE-RSA-AES256-SHA
+CREATE TABLE t1(a INT);
+INSERT INTO t1 VALUES(0);
+# mysqldump
+/*!40101 SET @saved_cs_client     = @@character_set_client */;
+/*!40101 SET character_set_client = utf8 */;
+CREATE TABLE `t1` (
+  `a` int(11) DEFAULT NULL
+) ENGINE=MyISAM DEFAULT CHARSET=latin1;
+/*!40101 SET character_set_client = @saved_cs_client */;
+INSERT INTO `t1` VALUES (0);
+# mysqladmin
+Warning: Using a password on the command line interface can be insecure.
+mysqld is alive
+# mysqlcheck
+test.t1                                            OK
+# mysqlimport
+CREATE TABLE words(a VARCHAR(255));
+test.words: Records: 70  Deleted: 0  Skipped: 0  Warnings: 0
+DROP TABLE words;
+# mysqlshow
+Database: test
++--------+
+| Tables |
++--------+
+| t1     |
++--------+
+# mysqlslap
+# mysqltest
+Output from mysqltest-x.inc
+DROP TABLE t1;
+# negative client tests
+# mysql
+Unknown value to --ssl-mode: ''. Use --ssl-mode=REQUIRED
+Unknown value to --ssl-mode: 'DERIUQER'. Use --ssl-mode=REQUIRED
+ERROR 2026 (HY000): --ssl-mode=REQUIRED option forbids non SSL connections
+ERROR 2026 (HY000): --ssl-mode=REQUIRED option forbids non SSL connections
+ERROR 2026 (HY000): --ssl-mode=REQUIRED option forbids non SSL connections
+
+End of tests
diff --git a/mysql-test/r/ssl_mode_no_ssl.result b/mysql-test/r/ssl_mode_no_ssl.result
@@ -0,0 +1,23 @@
+# negative client tests
+# mysql
+ERROR 2026 (HY000): --ssl-mode=REQUIRED option forbids non SSL connections
+ERROR 2026 (HY000): --ssl-mode=REQUIRED option forbids non SSL connections
+ERROR 2026 (HY000): --ssl-mode=REQUIRED option forbids non SSL connections
+ERROR 2026 (HY000): --ssl-mode=REQUIRED option forbids non SSL connections
+# mysqldump
+mysqldump: Got error: 2026: --ssl-mode=REQUIRED option forbids non SSL connections when trying to connect
+# mysqladmin
+Warning: Using a password on the command line interface can be insecure.
+mysqladmin: error: '--ssl-mode=REQUIRED option forbids non SSL connections'
+# mysqlcheck
+mysqlcheck: Got error: 2026: --ssl-mode=REQUIRED option forbids non SSL connections when trying to connect
+# mysqlimport
+mysqlimport: Error: 2026 --ssl-mode=REQUIRED option forbids non SSL connections
+# mysqlshow
+mysqlshow: --ssl-mode=REQUIRED option forbids non SSL connections
+# mysqlslap
+mysqlslap: Error when connecting to server: --ssl-mode=REQUIRED option forbids non SSL connections
+# mysqltest
+mysqltest: Could not open connection 'default': 2026 --ssl-mode=REQUIRED option forbids non SSL connections
+
+End of tests
diff --git a/mysql-test/t/ssl_mode.test b/mysql-test/t/ssl_mode.test
diff --git a/mysql-test/t/ssl_mode_no_ssl-master.opt b/mysql-test/t/ssl_mode_no_ssl-master.opt
diff --git a/mysql-test/t/ssl_mode_no_ssl.test b/mysql-test/t/ssl_mode_no_ssl.test
