BUG#25575605: SETTING --SSL-MODE=REQUIRED SENDS CREDENTIALS BEFORE VERIFYING SSL CONNECTION

MYSQL_OPT_SSL_MODE option introduced.
It is set in case of --ssl-mode=REQUIRED and permits only SSL connection.

(cherry picked from commit f91b941842d240b8a62645e507f5554e8be76aec)

Author: Ramil Kalimullin

client/client_priv.h

@@ -1,5 +1,5 @@
 /*
-   Copyright (c) 2001, 2016, Oracle and/or its affiliates. All rights reserved.
+   Copyright (c) 2001, 2017, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -127,22 +127,38 @@ enum options_client
 /**
   Wrapper for mysql_real_connect() that checks if SSL connection is establised.
 
-  The function calls mysql_real_connect() first, then if given ssl_required==TRUE
-  argument (i.e. --ssl-mode=REQUIRED option used) checks current SSL chiper to
-  ensure that SSL is used for current connection.
-  Otherwise it returns NULL and sets errno to CR_SSL_CONNECTION_ERROR.
+  The function calls mysql_real_connect() first. Then, if the ssl_required
+  argument is TRUE (i.e., the --ssl-mode=REQUIRED option was specified), it
+  checks the current SSL cipher to ensure that SSL is used for the current
+  connection. Otherwise, it returns NULL and sets errno to
+  CR_SSL_CONNECTION_ERROR.
 
-  All clients (except mysqlbinlog which disregards SSL options) use this function
-  instead of mysql_real_connect() to handle --ssl-mode=REQUIRED option.
+  All clients (except mysqlbinlog, which disregards SSL options) use this
+  function instead of mysql_real_connect() to handle the --ssl-mode=REQUIRED
+  option.
 */
 MYSQL *mysql_connect_ssl_check(MYSQL *mysql_arg, const char *host,
                                const char *user, const char *passwd,
                                const char *db, uint port,
                                const char *unix_socket, ulong client_flag,
                                my_bool ssl_required MY_ATTRIBUTE((unused)))
 {
-  MYSQL *mysql= mysql_real_connect(mysql_arg, host, user, passwd, db, port,
-                                   unix_socket, client_flag);
+  MYSQL *mysql;
+
+#if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY)
+  enum mysql_ssl_mode opt_ssl_mode= SSL_MODE_REQUIRED;
+  if (ssl_required &&
+      mysql_options(mysql_arg, MYSQL_OPT_SSL_MODE, (char *) &opt_ssl_mode))
+  {
+    NET *net= &mysql_arg->net;
+    net->last_errno= CR_SSL_CONNECTION_ERROR;
+    strmov(net->last_error, "Client library doesn't support MYSQL_SSL_REQUIRED option");
+    strmov(net->sqlstate, "HY000");
+    return NULL;
+  }
+#endif
+  mysql= mysql_real_connect(mysql_arg, host, user, passwd, db, port,
+                            unix_socket, client_flag);
 #if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY)
   if (mysql &&                                   /* connection established. */
       ssl_required &&                            /* --ssl-mode=REQUIRED. */

client/mysql.cc

@@ -1488,7 +1488,8 @@ sig_handler handle_kill_signal(int sig)
                  "program_name", "mysql");
   if (!mysql_connect_ssl_check(kill_mysql, current_host, current_user,
                                opt_password, "", opt_mysql_port,
-                               opt_mysql_unix_port, 0, opt_ssl_required))
+                               opt_mysql_unix_port, 0,
+                               opt_ssl_mode == SSL_MODE_REQUIRED))
   {
     tee_fprintf(stdout, "%s -- sorry, cannot connect to server to kill query, giving up ...\n", reason);
     goto err;
@@ -4819,7 +4820,7 @@ sql_real_connect(char *host,char *database,char *user,char *password,
   if (!mysql_connect_ssl_check(&mysql, host, user, password,
                                database, opt_mysql_port, opt_mysql_unix_port,
                                connect_flag | CLIENT_MULTI_STATEMENTS,
-                               opt_ssl_required))
+                               opt_ssl_mode == SSL_MODE_REQUIRED))
   {
     if (!silent ||
 	(mysql_errno(&mysql) != CR_CONN_HOST_ERROR &&

client/mysql_upgrade.c

@@ -1,5 +1,5 @@
 /*
-   Copyright (c) 2006, 2016, Oracle and/or its affiliates. All rights reserved.
+   Copyright (c) 2006, 2017, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -401,9 +401,11 @@ static int run_tool(char *tool_path, DYNAMIC_STRING *ds_res, ...)
 
   va_end(args);
 
+#if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY)
   /* If given --ssl-mode=REQUIRED propagate it to the tool. */
-  if (opt_ssl_required)
+  if (opt_ssl_mode == SSL_MODE_REQUIRED)
     dynstr_append(&ds_cmdline, "--ssl-mode=REQUIRED");
+#endif
 
 #ifdef __WIN__
   dynstr_append(&ds_cmdline, "\"");

client/mysqladmin.cc

@@ -1,5 +1,5 @@
 /*
-   Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
+   Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -552,8 +552,8 @@ static my_bool sql_connect(MYSQL *mysql, uint wait)
   for (;;)
   {
     if (mysql_connect_ssl_check(mysql, host, user, opt_password, NullS,
-                                tcp_port, unix_port,
-                                CLIENT_REMEMBER_OPTIONS, opt_ssl_required))
+                                tcp_port, unix_port, CLIENT_REMEMBER_OPTIONS,
+                                opt_ssl_mode == SSL_MODE_REQUIRED))
     {
       mysql->reconnect= 1;
       if (info)

client/mysqlcheck.c

@@ -1,5 +1,5 @@
 /*
-   Copyright (c) 2001, 2016, Oracle and/or its affiliates. All rights reserved.
+   Copyright (c) 2001, 2017, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -937,7 +937,7 @@ static int dbConnect(char *host, char *user, char *passwd)
   if (!(sock = mysql_connect_ssl_check(&mysql_connection, host, user, passwd,
                                        NULL, opt_mysql_port,
                                        opt_mysql_unix_port, 0,
-                                       opt_ssl_required)))
+                                       opt_ssl_mode == SSL_MODE_REQUIRED)))
   {
     DBerror(&mysql_connection, "when trying to connect");
     DBUG_RETURN(1);

client/mysqldump.c

@@ -1,5 +1,5 @@
 /*
-   Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
+   Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -1556,7 +1556,7 @@ static int connect_to_db(char *host, char *user,char *passwd)
   if (!(mysql= mysql_connect_ssl_check(&mysql_connection, host, user,
                                        passwd, NULL, opt_mysql_port,
                                        opt_mysql_unix_port, 0,
-                                       opt_ssl_required)))
+                                       opt_ssl_mode == SSL_MODE_REQUIRED)))
   {
     DB_error(&mysql_connection, "when trying to connect");
     DBUG_RETURN(1);

client/mysqlimport.c

@@ -1,5 +1,5 @@
 /*
-   Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
+   Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -482,7 +482,7 @@ static MYSQL *db_connect(char *host, char *database,
                  "program_name", "mysqlimport");
   if (!(mysql_connect_ssl_check(mysql, host, user, passwd, database,
                                 opt_mysql_port, opt_mysql_unix_port,
-                                0, opt_ssl_required)))
+                                0, opt_ssl_mode == SSL_MODE_REQUIRED)))
   {
     ignore_errors=0;	  /* NO RETURN FROM db_error */
     db_error(mysql);

client/mysqlshow.c

@@ -1,5 +1,5 @@
 /*
-   Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
+   Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -159,7 +159,7 @@ int main(int argc, char **argv)
   if (!(mysql_connect_ssl_check(&mysql, host, user, opt_password,
                                 (first_argument_uses_wildcards) ? "" :
                                 argv[0], opt_mysql_port, opt_mysql_unix_port,
-                                0, opt_ssl_required)))
+                                0, opt_ssl_mode == SSL_MODE_REQUIRED)))
   {
     fprintf(stderr,"%s: %s\n",my_progname,mysql_error(&mysql));
     exit(1);

client/mysqlslap.c

@@ -1,5 +1,5 @@
 /*
-   Copyright (c) 2005, 2016, Oracle and/or its affiliates. All rights reserved.
+   Copyright (c) 2005, 2017, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -371,7 +371,8 @@ int main(int argc, char **argv)
   {
     if (!(mysql_connect_ssl_check(&mysql, host, user, opt_password,
                                   NULL, opt_mysql_port, opt_mysql_unix_port,
-                                  connect_flags, opt_ssl_required)))
+                                  connect_flags,
+                                  opt_ssl_mode == SSL_MODE_REQUIRED)))
     {
       fprintf(stderr,"%s: Error when connecting to server: %s\n",
               my_progname,mysql_error(&mysql));

client/mysqltest.cc

@@ -5323,7 +5323,7 @@ void safe_connect(MYSQL* mysql, const char *name, const char *host,
                 &can_handle_expired_passwords);
   while(!mysql_connect_ssl_check(mysql, host,user, pass, db, port, sock,
                                  CLIENT_MULTI_STATEMENTS | CLIENT_REMEMBER_OPTIONS,
-                                 opt_ssl_required))
+                                 opt_ssl_mode == SSL_MODE_REQUIRED))
   {
     /*
       Connect failed
@@ -5429,7 +5429,7 @@ int connect_n_handle_errors(struct st_command *command,
                 &can_handle_expired_passwords);
   while (!mysql_connect_ssl_check(con, host, user, pass, db, port,
                                   sock ? sock: 0, CLIENT_MULTI_STATEMENTS,
-                                  opt_ssl_required))
+                                  opt_ssl_mode == SSL_MODE_REQUIRED))
   {
     /*
       If we have used up all our connections check whether this

include/mysql.h

@@ -1,4 +1,4 @@
-/* Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -175,7 +175,8 @@ enum mysql_option
   MYSQL_OPT_CONNECT_ATTR_DELETE,
   MYSQL_SERVER_PUBLIC_KEY,
   MYSQL_ENABLE_CLEARTEXT_PLUGIN,
-  MYSQL_OPT_CAN_HANDLE_EXPIRED_PASSWORDS
+  MYSQL_OPT_CAN_HANDLE_EXPIRED_PASSWORDS,
+  MYSQL_OPT_SSL_MODE
 };
 
 /**
@@ -245,6 +246,11 @@ enum mysql_protocol_type
   MYSQL_PROTOCOL_PIPE, MYSQL_PROTOCOL_MEMORY
 };
 
+enum mysql_ssl_mode
+{
+  SSL_MODE_REQUIRED= 3
+};
+
 typedef struct character_set
 {
   unsigned int      number;     /* character set number              */

include/mysql.h.pp

@@ -272,7 +272,8 @@
   MYSQL_OPT_CONNECT_ATTR_DELETE,
   MYSQL_SERVER_PUBLIC_KEY,
   MYSQL_ENABLE_CLEARTEXT_PLUGIN,
-  MYSQL_OPT_CAN_HANDLE_EXPIRED_PASSWORDS
+  MYSQL_OPT_CAN_HANDLE_EXPIRED_PASSWORDS,
+  MYSQL_OPT_SSL_MODE
 };
 struct st_mysql_options_extention;
 struct st_mysql_options {
@@ -319,6 +320,10 @@
   MYSQL_PROTOCOL_DEFAULT, MYSQL_PROTOCOL_TCP, MYSQL_PROTOCOL_SOCKET,
   MYSQL_PROTOCOL_PIPE, MYSQL_PROTOCOL_MEMORY
 };
+enum mysql_ssl_mode
+{
+  SSL_MODE_REQUIRED= 3
+};
 typedef struct character_set
 {
   unsigned int number;

include/sql_common.h

@@ -1,7 +1,7 @@
 #ifndef SQL_COMMON_INCLUDED
 #define SQL_COMMON_INCLUDED
 
-/* Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2003, 2017, Oracle and/or its affiliates. All rights reserved.
    
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -38,6 +38,7 @@ struct st_mysql_options_extention {
   char *server_public_key_path;
   size_t connection_attributes_length;
   my_bool enable_cleartext_plugin;
+  unsigned int ssl_mode;
 };
 
 typedef struct st_mysql_methods

include/sslopt-case.h

@@ -1,7 +1,7 @@
 #ifndef SSLOPT_CASE_INCLUDED
 #define SSLOPT_CASE_INCLUDED
 
-/* Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -45,7 +45,7 @@
         exit(1);
       }
       else
-        opt_ssl_required= 1;
+        opt_ssl_mode= SSL_MODE_REQUIRED;
       break;
 #endif /* MYSQL_CLIENT */
 #endif

include/sslopt-vars.h

@@ -1,7 +1,7 @@
 #ifndef SSLOPT_VARS_INCLUDED
 #define SSLOPT_VARS_INCLUDED
 
-/* Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -33,10 +33,10 @@ SSL_STATIC char *opt_ssl_crlpath = 0;
 
 #ifdef MYSQL_CLIENT
 SSL_STATIC my_bool opt_ssl_verify_server_cert= 0;
-SSL_STATIC my_bool opt_ssl_required= 0;
+SSL_STATIC uint opt_ssl_mode= 0;
 #endif /* MYSQL_CLIENT */
 #else /* HAVE_OPENSSL */
-#define opt_ssl_required 0
+#define opt_ssl_mode 0
 #endif /* HAVE_OPENSSL */
 
 #endif /* SSLOPT_VARS_INCLUDED */

mysql-test/r/ssl_mode.result

@@ -38,8 +38,8 @@ DROP TABLE t1;
 # mysql
 Unknown value to --ssl-mode: ''. Use --ssl-mode=REQUIRED
 Unknown value to --ssl-mode: 'DERIUQER'. Use --ssl-mode=REQUIRED
-ERROR 2026 (HY000): --ssl-mode=REQUIRED option forbids non SSL connections
-ERROR 2026 (HY000): --ssl-mode=REQUIRED option forbids non SSL connections
-ERROR 2026 (HY000): --ssl-mode=REQUIRED option forbids non SSL connections
+ERROR 2026 (HY000): SSL connection error: Client is not configured to use SSL
+ERROR 2026 (HY000): SSL connection error: Client is not configured to use SSL
+ERROR 2026 (HY000): SSL connection error: Client is not configured to use SSL
 
 End of tests

mysql-test/r/ssl_mode_no_ssl.result

@@ -1,23 +1,23 @@
 # negative client tests
 # mysql
-ERROR 2026 (HY000): --ssl-mode=REQUIRED option forbids non SSL connections
-ERROR 2026 (HY000): --ssl-mode=REQUIRED option forbids non SSL connections
-ERROR 2026 (HY000): --ssl-mode=REQUIRED option forbids non SSL connections
-ERROR 2026 (HY000): --ssl-mode=REQUIRED option forbids non SSL connections
+ERROR 2026 (HY000): SSL connection error: Server doesn't support SSL
+ERROR 2026 (HY000): SSL connection error: Server doesn't support SSL
+ERROR 2026 (HY000): SSL connection error: Server doesn't support SSL
+ERROR 2026 (HY000): SSL connection error: Server doesn't support SSL
 # mysqldump
-mysqldump: Got error: 2026: --ssl-mode=REQUIRED option forbids non SSL connections when trying to connect
+mysqldump: Got error: 2026: SSL connection error: Server doesn't support SSL when trying to connect
 # mysqladmin
 Warning: Using a password on the command line interface can be insecure.
-mysqladmin: error: '--ssl-mode=REQUIRED option forbids non SSL connections'
+mysqladmin: error: 'SSL connection error: Server doesn't support SSL'
 # mysqlcheck
-mysqlcheck: Got error: 2026: --ssl-mode=REQUIRED option forbids non SSL connections when trying to connect
+mysqlcheck: Got error: 2026: SSL connection error: Server doesn't support SSL when trying to connect
 # mysqlimport
-mysqlimport: Error: 2026 --ssl-mode=REQUIRED option forbids non SSL connections
+mysqlimport: Error: 2026 SSL connection error: Server doesn't support SSL
 # mysqlshow
-mysqlshow: --ssl-mode=REQUIRED option forbids non SSL connections
+mysqlshow: SSL connection error: Server doesn't support SSL
 # mysqlslap
-mysqlslap: Error when connecting to server: --ssl-mode=REQUIRED option forbids non SSL connections
+mysqlslap: Error when connecting to server: SSL connection error: Server doesn't support SSL
 # mysqltest
-mysqltest: Could not open connection 'default': 2026 --ssl-mode=REQUIRED option forbids non SSL connections
+mysqltest: Could not open connection 'default': 2026 SSL connection error: Server doesn't support SSL
 
 End of tests