authorRamil Kalimullin <ramil.kalimullin@oracle.com>2017-03-10 01:19:50 +0400
committerRamil Kalimullin <ramil.kalimullin@oracle.com>2017-03-10 01:19:50 +0400
commit2531c8dcd152bedeeebfe07d5e4a29bd84357c27 (patch)
tree25a818224d40ca50d38e8971c504b64475929d8b /client
parentec2a6b6035ed842e39bcecc2c62c39758bda02fb (diff)
downloadmariadb-git-2531c8dcd152bedeeebfe07d5e4a29bd84357c27.tar.gz
BUG#25575605: SETTING --SSL-MODE=REQUIRED SENDS CREDENTIALS BEFORE VERIFYING SSL CONNECTION
MYSQL_OPT_SSL_MODE option introduced. It is set when --ssl-mode=REQUIRED is given and permits only an SSL connection.
Diffstat (limited to 'client')
-rw-r--r--client/client_priv.h34
-rw-r--r--client/mysql.cc6
-rw-r--r--client/mysql_upgrade.c6
-rw-r--r--client/mysqladmin.cc6
-rw-r--r--client/mysqlcheck.c4
-rw-r--r--client/mysqldump.c4
-rw-r--r--client/mysqlimport.c4
-rw-r--r--client/mysqlshow.c4
-rw-r--r--client/mysqlslap.c5
-rw-r--r--client/mysqltest.cc6
10 files changed, 49 insertions, 30 deletions
diff --git a/client/client_priv.h b/client/client_priv.h
index e53ced7e790..fb83ce9cc8b 100644
--- a/client/client_priv.h
+++ b/client/client_priv.h
@@ -1,5 +1,5 @@
/*
- Copyright (c) 2001, 2016, Oracle and/or its affiliates. All rights reserved.
+ Copyright (c) 2001, 2017, Oracle and/or its affiliates. All rights reserved.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -115,13 +115,15 @@ enum options_client
/**
Wrapper for mysql_real_connect() that checks if SSL connection is establised.
- The function calls mysql_real_connect() first, then if given ssl_required==TRUE
- argument (i.e. --ssl-mode=REQUIRED option used) checks current SSL chiper to
- ensure that SSL is used for current connection.
- Otherwise it returns NULL and sets errno to CR_SSL_CONNECTION_ERROR.
+ The function calls mysql_real_connect() first. Then, if the ssl_required
+ argument is TRUE (i.e., the --ssl-mode=REQUIRED option was specified), it
+ checks the current SSL cipher to ensure that SSL is used for the current
+ connection. Otherwise, it returns NULL and sets errno to
+ CR_SSL_CONNECTION_ERROR.
- All clients (except mysqlbinlog which disregards SSL options) use this function
- instead of mysql_real_connect() to handle --ssl-mode=REQUIRED option.
+ All clients (except mysqlbinlog, which disregards SSL options) use this
+ function instead of mysql_real_connect() to handle the --ssl-mode=REQUIRED
+ option.
*/
MYSQL *mysql_connect_ssl_check(MYSQL *mysql_arg, const char *host,
const char *user, const char *passwd,
@@ -129,8 +131,22 @@ MYSQL *mysql_connect_ssl_check(MYSQL *mysql_arg, const char *host,
const char *unix_socket, ulong client_flag,
my_bool ssl_required __attribute__((unused)))
{
- MYSQL *mysql= mysql_real_connect(mysql_arg, host, user, passwd, db, port,
- unix_socket, client_flag);
+ MYSQL *mysql;
+
+#if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY)
+ enum mysql_ssl_mode opt_ssl_mode= SSL_MODE_REQUIRED;
+ if (ssl_required &&
+ mysql_options(mysql_arg, MYSQL_OPT_SSL_MODE, (char *) &opt_ssl_mode))
+ {
+ NET *net= &mysql_arg->net;
+ net->last_errno= CR_SSL_CONNECTION_ERROR;
+ strmov(net->last_error, "Client library doesn't support MYSQL_SSL_REQUIRED option");
+ strmov(net->sqlstate, "HY000");
+ return NULL;
+ }
+#endif
+ mysql= mysql_real_connect(mysql_arg, host, user, passwd, db, port,
+ unix_socket, client_flag);
#if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY)
if (mysql && /* connection established. */
ssl_required && /* --ssl-mode=REQUIRED. */
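Review bot: The error text set on the new failure path does not match the option that actually failed: `mysql_options()` is called with `MYSQL_OPT_SSL_MODE`, but `net->last_error` is filled with "Client library doesn't support MYSQL_SSL_REQUIRED option", which names an identifier that appears nowhere else in the hunk and will send a user debugging a library mismatch to the wrong place; change it to `strmov(net->last_error, "Client library doesn't support MYSQL_OPT_SSL_MODE option");`. The header comment rewritten in the previous hunk still describes only the post-connect cipher check ("The function calls mysql_real_connect() first ..."), while the essence of this fix is the new step before it; add a sentence along the lines of "Before connecting, when ssl_required is TRUE the function sets MYSQL_OPT_SSL_MODE to SSL_MODE_REQUIRED so the client library can refuse a non-SSL channel before the handshake sends credentials; the post-connect cipher check is kept as a second line of defence." The setting of `last_errno`/`last_error`/`sqlstate` by hand mirrors what the library does on its own failures, which seems reasonable, though whether `MYSQL_ERRMSG_SIZE` comfortably holds the literal should be confirmed against the struct definition. The body of `mysql_connect_ssl_check` continues past the end of the hunk, so the retained post-connect check could not be reviewed in full here.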
diff --git a/client/mysql.cc b/client/mysql.cc
index cdc2ab0d6e0..2269563814c 100644
--- a/client/mysql.cc
+++ b/client/mysql.cc
@@ -1,5 +1,5 @@
/*
- Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
+ Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -1318,7 +1318,7 @@ sig_handler handle_sigint(int sig)
kill_mysql= mysql_init(kill_mysql);
if (!mysql_connect_ssl_check(kill_mysql, current_host, current_user, opt_password,
"", opt_mysql_port, opt_mysql_unix_port, 0,
- opt_ssl_required))
+ opt_ssl_mode == SSL_MODE_REQUIRED))
{
tee_fprintf(stdout, "Ctrl-C -- sorry, cannot connect to server to kill query, giving up ...\n");
goto err;
@@ -4461,7 +4461,7 @@ sql_real_connect(char *host,char *database,char *user,char *password,
if (!mysql_connect_ssl_check(&mysql, host, user, password,
database, opt_mysql_port, opt_mysql_unix_port,
connect_flag | CLIENT_MULTI_STATEMENTS,
- opt_ssl_required))
+ opt_ssl_mode == SSL_MODE_REQUIRED))
{
if (!silent ||
(mysql_errno(&mysql) != CR_CONN_HOST_ERROR &&
diff --git a/client/mysql_upgrade.c b/client/mysql_upgrade.c
index 507df6f7843..be0af089027 100644
--- a/client/mysql_upgrade.c
+++ b/client/mysql_upgrade.c
@@ -1,5 +1,5 @@
/*
- Copyright (c) 2006, 2016, Oracle and/or its affiliates. All rights reserved.
+ Copyright (c) 2006, 2017, Oracle and/or its affiliates. All rights reserved.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -387,9 +387,11 @@ static int run_tool(char *tool_path, DYNAMIC_STRING *ds_res, ...)
va_end(args);
+#if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY)
/* If given --ssl-mode=REQUIRED propagate it to the tool. */
- if (opt_ssl_required)
+ if (opt_ssl_mode == SSL_MODE_REQUIRED)
dynstr_append(&ds_cmdline, "--ssl-mode=REQUIRED");
+#endif
#ifdef __WIN__
dynstr_append(&ds_cmdline, "\"");
diff --git a/client/mysqladmin.cc b/client/mysqladmin.cc
index c03b37ab165..ae9db85b917 100644
--- a/client/mysqladmin.cc
+++ b/client/mysqladmin.cc
@@ -1,5 +1,5 @@
/*
- Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
+ Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -519,8 +519,8 @@ static my_bool sql_connect(MYSQL *mysql, uint wait)
for (;;)
{
if (mysql_connect_ssl_check(mysql, host, user, opt_password, NullS,
- tcp_port, unix_port,
- CLIENT_REMEMBER_OPTIONS, opt_ssl_required))
+ tcp_port, unix_port, CLIENT_REMEMBER_OPTIONS,
+ opt_ssl_mode == SSL_MODE_REQUIRED))
{
mysql->reconnect= 1;
if (info)
diff --git a/client/mysqlcheck.c b/client/mysqlcheck.c
index 55b941e7f1a..7822460e341 100644
--- a/client/mysqlcheck.c
+++ b/client/mysqlcheck.c
@@ -1,5 +1,5 @@
/*
- Copyright (c) 2001, 2016, Oracle and/or its affiliates. All rights reserved.
+ Copyright (c) 2001, 2017, Oracle and/or its affiliates. All rights reserved.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -907,7 +907,7 @@ static int dbConnect(char *host, char *user, char *passwd)
if (!(sock = mysql_connect_ssl_check(&mysql_connection, host, user, passwd,
NULL, opt_mysql_port,
opt_mysql_unix_port, 0,
- opt_ssl_required)))
+ opt_ssl_mode == SSL_MODE_REQUIRED)))
{
DBerror(&mysql_connection, "when trying to connect");
return 1;
diff --git a/client/mysqldump.c b/client/mysqldump.c
index 00265def489..fcd29e26fe3 100644
--- a/client/mysqldump.c
+++ b/client/mysqldump.c
@@ -1,5 +1,5 @@
/*
- Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
+ Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -1501,7 +1501,7 @@ static int connect_to_db(char *host, char *user,char *passwd)
if (!(mysql= mysql_connect_ssl_check(&mysql_connection, host, user,
passwd, NULL, opt_mysql_port,
opt_mysql_unix_port, 0,
- opt_ssl_required)))
+ opt_ssl_mode == SSL_MODE_REQUIRED)))
{
DB_error(&mysql_connection, "when trying to connect");
DBUG_RETURN(1);
diff --git a/client/mysqlimport.c b/client/mysqlimport.c
index 5841c0b855a..bab43356bc7 100644
--- a/client/mysqlimport.c
+++ b/client/mysqlimport.c
@@ -1,5 +1,5 @@
/*
- Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
+ Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -463,7 +463,7 @@ static MYSQL *db_connect(char *host, char *database,
mysql_options(mysql, MYSQL_SET_CHARSET_NAME, default_charset);
if (!(mysql_connect_ssl_check(mysql, host, user, passwd, database,
opt_mysql_port, opt_mysql_unix_port,
- 0, opt_ssl_required)))
+ 0, opt_ssl_mode == SSL_MODE_REQUIRED)))
{
ignore_errors=0; /* NO RETURN FROM db_error */
db_error(mysql);
diff --git a/client/mysqlshow.c b/client/mysqlshow.c
index d0390ec443b..bd7a37f93b4 100644
--- a/client/mysqlshow.c
+++ b/client/mysqlshow.c
@@ -1,5 +1,5 @@
/*
- Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
+ Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -142,7 +142,7 @@ int main(int argc, char **argv)
if (!(mysql_connect_ssl_check(&mysql, host, user, opt_password,
(first_argument_uses_wildcards) ? "" :
argv[0], opt_mysql_port, opt_mysql_unix_port,
- 0, opt_ssl_required)))
+ 0, opt_ssl_mode == SSL_MODE_REQUIRED)))
{
fprintf(stderr,"%s: %s\n",my_progname,mysql_error(&mysql));
exit(1);
diff --git a/client/mysqlslap.c b/client/mysqlslap.c
index eb2b577948c..aa312339e87 100644
--- a/client/mysqlslap.c
+++ b/client/mysqlslap.c
@@ -1,5 +1,5 @@
/*
- Copyright (c) 2005, 2016, Oracle and/or its affiliates. All rights reserved.
+ Copyright (c) 2005, 2017, Oracle and/or its affiliates. All rights reserved.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -357,7 +357,8 @@ int main(int argc, char **argv)
{
if (!(mysql_connect_ssl_check(&mysql, host, user, opt_password,
NULL, opt_mysql_port, opt_mysql_unix_port,
- connect_flags, opt_ssl_required)))
+ connect_flags,
+ opt_ssl_mode == SSL_MODE_REQUIRED)))
{
fprintf(stderr,"%s: Error when connecting to server: %s\n",
my_progname,mysql_error(&mysql));
diff --git a/client/mysqltest.cc b/client/mysqltest.cc
index 79d448cf811..e5f9b11fe76 100644
--- a/client/mysqltest.cc
+++ b/client/mysqltest.cc
@@ -1,4 +1,4 @@
-/* Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -5283,7 +5283,7 @@ void safe_connect(MYSQL* mysql, const char *name, const char *host,
host, port, sock, user, name, failed_attempts);
while(!mysql_connect_ssl_check(mysql, host,user, pass, db, port, sock,
CLIENT_MULTI_STATEMENTS | CLIENT_REMEMBER_OPTIONS,
- opt_ssl_required))
+ opt_ssl_mode == SSL_MODE_REQUIRED))
{
/*
Connect failed
@@ -5385,7 +5385,7 @@ int connect_n_handle_errors(struct st_command *command,
while (!mysql_connect_ssl_check(con, host, user, pass, db, port,
sock ? sock: 0, CLIENT_MULTI_STATEMENTS,
- opt_ssl_required))
+ opt_ssl_mode == SSL_MODE_REQUIRED))
{
/*
If we have used up all our connections check whether this