From 060b1eadf4913f7066484ea34ec62feead1bca44 Mon Sep 17 00:00:00 2001 From: Ramil Kalimullin Date: Fri, 10 Mar 2017 01:19:50 +0400 Subject: BUG#25575605: SETTING --SSL-MODE=REQUIRED SENDS CREDENTIALS BEFORE VERIFYING SSL CONNECTION MYSQL_OPT_SSL_MODE option introduced. It is set in case of --ssl-mode=REQUIRED and permits only SSL connection. (cherry picked from commit 3b2d28578c526f347f5cfe763681eff365731f99) --- client/client_priv.h | 34 +++++++++++++++++++++++++--------- client/mysql.cc | 6 +++--- client/mysql_upgrade.c | 6 ++++-- client/mysqladmin.cc | 6 +++--- client/mysqlcheck.c | 4 ++-- client/mysqldump.c | 4 ++-- client/mysqlimport.c | 4 ++-- client/mysqlshow.c | 4 ++-- client/mysqlslap.c | 5 +++-- client/mysqltest.cc | 6 +++--- 10 files changed, 49 insertions(+), 30 deletions(-) (limited to 'client') diff --git a/client/client_priv.h b/client/client_priv.h index e53ced7e790..fb83ce9cc8b 100644 --- a/client/client_priv.h +++ b/client/client_priv.h @@ -1,5 +1,5 @@ /* - Copyright (c) 2001, 2016, Oracle and/or its affiliates. All rights reserved. + Copyright (c) 2001, 2017, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by 
@@ -115,13 +115,15 @@ enum options_client /** Wrapper for mysql_real_connect() that checks if SSL connection is establised. - The function calls mysql_real_connect() first, then if given ssl_required==TRUE - argument (i.e. --ssl-mode=REQUIRED option used) checks current SSL chiper to - ensure that SSL is used for current connection. - Otherwise it returns NULL and sets errno to CR_SSL_CONNECTION_ERROR. + The function calls mysql_real_connect() first. Then, if the ssl_required + argument is TRUE (i.e., the --ssl-mode=REQUIRED option was specified), it + checks the current SSL cipher to ensure that SSL is used for the current + connection. Otherwise, it returns NULL and sets errno to + CR_SSL_CONNECTION_ERROR. - All clients (except mysqlbinlog which disregards SSL options) use this function - instead of mysql_real_connect() to handle --ssl-mode=REQUIRED option. + All clients (except mysqlbinlog, which disregards SSL options) use this + function instead of mysql_real_connect() to handle the --ssl-mode=REQUIRED + option. */ MYSQL *mysql_connect_ssl_check(MYSQL *mysql_arg, const char *host, const char *user, const char *passwd, 
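Review bot: In the rewritten comment, "Otherwise, it returns NULL and sets errno to CR_SSL_CONNECTION_ERROR" now reads as the alternative to ssl_required being TRUE, i.e. as if a connect without --ssl-mode=REQUIRED returned NULL, whereas the condition meant is the cipher check failing; and what gets set is the connection's last_errno (what mysql_errno() reports), not the C errno. Suggest `If no SSL cipher is in use on the resulting connection, it returns NULL with the connection error set to CR_SSL_CONNECTION_ERROR.` The comment also still documents only the post-connect check, while the code hunk that follows makes the function set MYSQL_OPT_SSL_MODE to SSL_MODE_REQUIRED before mysql_real_connect() on OpenSSL builds, which is what stops credentials from being sent over a plaintext handshake (the bug in the title); one sentence to that effect here would keep the contract accurate. The unchanged context line above still spells "establised", worth fixing while this block is being edited.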
@@ -129,8 +131,22 @@ MYSQL *mysql_connect_ssl_check(MYSQL *mysql_arg, const char *host,
 const char *unix_socket, ulong client_flag,
 my_bool ssl_required __attribute__((unused)))
 {
- MYSQL *mysql= mysql_real_connect(mysql_arg, host, user, passwd, db, port,
- unix_socket, client_flag);
+ MYSQL *mysql;
+
+#if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY)
+ enum mysql_ssl_mode opt_ssl_mode= SSL_MODE_REQUIRED;
+ if (ssl_required &&
+ mysql_options(mysql_arg, MYSQL_OPT_SSL_MODE, (char *) &opt_ssl_mode))
+ {
+ NET *net= &mysql_arg->net;
+ net->last_errno= CR_SSL_CONNECTION_ERROR;
+ strmov(net->last_error, "Client library doesn't support MYSQL_SSL_REQUIRED option");
+ strmov(net->sqlstate, "HY000");
+ return NULL;
+ }
+#endif
+ mysql= mysql_real_connect(mysql_arg, host, user, passwd, db, port,
+ unix_socket, client_flag);
 #if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY)
 if (mysql && /* connection established. */
 ssl_required && /* --ssl-mode=REQUIRED. */
diff --git a/client/mysql.cc b/client/mysql.cc
index cdc2ab0d6e0..2269563814c 100644
--- a/client/mysql.cc
+++ b/client/mysql.cc
@@ -1,5 +1,5 @@
 /*
- Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
+ Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
 
 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
@@ -1318,7 +1318,7 @@ sig_handler handle_sigint(int sig)
 kill_mysql= mysql_init(kill_mysql);
 if (!mysql_connect_ssl_check(kill_mysql, current_host, current_user,
 opt_password, "", opt_mysql_port, opt_mysql_unix_port, 0,
- opt_ssl_required))
+ opt_ssl_mode == SSL_MODE_REQUIRED))
 {
 tee_fprintf(stdout, "Ctrl-C -- sorry, cannot connect to server to kill query, giving up ...\n");
 goto err;
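Review bot: The error text in the new failure branch, `"Client library doesn't support MYSQL_SSL_REQUIRED option"`, names an identifier that is neither the option being set (MYSQL_OPT_SSL_MODE) nor its value (SSL_MODE_REQUIRED); suggest `strmov(net->last_error, "Client library doesn't support MYSQL_OPT_SSL_MODE option");` so the message can be matched against the library header. Failing closed when mysql_options() rejects the option is the right call: linked against an older libmysqlclient the tools now refuse to connect instead of relying on the post-connect cipher check, which cannot recall credentials that were already sent in the handshake. The hand-rolled error path writes net->last_errno/last_error/sqlstate with strmov; the literal is well under the buffer size, but if a set_mysql_error()-style helper is in scope for the client tools it would be preferable to poking NET fields directly — not visible from here. The retained post-connect cipher check now deserves a why-comment, e.g. `/* Defence in depth: MYSQL_OPT_SSL_MODE above should already have refused a plaintext link. */`, so the next reader does not remove one of the two checks as redundant. Without HAVE_OPENSSL both the option and the cipher check compile away and ssl_required is silently ignored — whether --ssl-mode is accepted at all in such a build cannot be seen in this hunk, and the function body continues past the hunk's end.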
@@ -4461,7 +4461,7 @@ sql_real_connect(char *host,char *database,char *user,char *password, if (!mysql_connect_ssl_check(&mysql, host, user, password, database, opt_mysql_port, opt_mysql_unix_port, connect_flag | CLIENT_MULTI_STATEMENTS, - opt_ssl_required)) + opt_ssl_mode == SSL_MODE_REQUIRED)) { if (!silent || (mysql_errno(&mysql) != CR_CONN_HOST_ERROR && diff --git a/client/mysql_upgrade.c b/client/mysql_upgrade.c index 507df6f7843..be0af089027 100644 --- a/client/mysql_upgrade.c +++ b/client/mysql_upgrade.c @@ -1,5 +1,5 @@ /* - Copyright (c) 2006, 2016, Oracle and/or its affiliates. All rights reserved. + Copyright (c) 2006, 2017, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -387,9 +387,11 @@ static int run_tool(char *tool_path, DYNAMIC_STRING *ds_res, ...) va_end(args); +#if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY) /* If given --ssl-mode=REQUIRED propagate it to the tool. */ - if (opt_ssl_required) + if (opt_ssl_mode == SSL_MODE_REQUIRED) dynstr_append(&ds_cmdline, "--ssl-mode=REQUIRED"); +#endif #ifdef __WIN__ dynstr_append(&ds_cmdline, "\""); diff --git a/client/mysqladmin.cc b/client/mysqladmin.cc index c03b37ab165..ae9db85b917 100644 --- a/client/mysqladmin.cc +++ b/client/mysqladmin.cc @@ -1,5 +1,5 @@ /* - Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved. + Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by 
@@ -519,8 +519,8 @@ static my_bool sql_connect(MYSQL *mysql, uint wait) for (;;) { if (mysql_connect_ssl_check(mysql, host, user, opt_password, NullS, - tcp_port, unix_port, - CLIENT_REMEMBER_OPTIONS, opt_ssl_required)) + tcp_port, unix_port, CLIENT_REMEMBER_OPTIONS, + opt_ssl_mode == SSL_MODE_REQUIRED)) { mysql->reconnect= 1; if (info) diff --git a/client/mysqlcheck.c b/client/mysqlcheck.c index 55b941e7f1a..7822460e341 100644 --- a/client/mysqlcheck.c +++ b/client/mysqlcheck.c @@ -1,5 +1,5 @@ /* - Copyright (c) 2001, 2016, Oracle and/or its affiliates. All rights reserved. + Copyright (c) 2001, 2017, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -907,7 +907,7 @@ static int dbConnect(char *host, char *user, char *passwd) if (!(sock = mysql_connect_ssl_check(&mysql_connection, host, user, passwd, NULL, opt_mysql_port, opt_mysql_unix_port, 0, - opt_ssl_required))) + opt_ssl_mode == SSL_MODE_REQUIRED))) { DBerror(&mysql_connection, "when trying to connect"); return 1; diff --git a/client/mysqldump.c b/client/mysqldump.c index 00265def489..fcd29e26fe3 100644 --- a/client/mysqldump.c +++ b/client/mysqldump.c @@ -1,5 +1,5 @@ /* - Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved. + Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -1501,7 +1501,7 @@ static int connect_to_db(char *host, char *user,char *passwd) if (!(mysql= mysql_connect_ssl_check(&mysql_connection, host, user, passwd, NULL, opt_mysql_port, opt_mysql_unix_port, 0, - opt_ssl_required))) + opt_ssl_mode == SSL_MODE_REQUIRED))) { DB_error(&mysql_connection, "when trying to connect"); DBUG_RETURN(1); 
diff --git a/client/mysqlimport.c b/client/mysqlimport.c index 5841c0b855a..bab43356bc7 100644 --- a/client/mysqlimport.c +++ b/client/mysqlimport.c @@ -1,5 +1,5 @@ /* - Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved. + Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -463,7 +463,7 @@ static MYSQL *db_connect(char *host, char *database, mysql_options(mysql, MYSQL_SET_CHARSET_NAME, default_charset); if (!(mysql_connect_ssl_check(mysql, host, user, passwd, database, opt_mysql_port, opt_mysql_unix_port, - 0, opt_ssl_required))) + 0, opt_ssl_mode == SSL_MODE_REQUIRED))) { ignore_errors=0; /* NO RETURN FROM db_error */ db_error(mysql); diff --git a/client/mysqlshow.c b/client/mysqlshow.c index d0390ec443b..bd7a37f93b4 100644 --- a/client/mysqlshow.c +++ b/client/mysqlshow.c @@ -1,5 +1,5 @@ /* - Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved. + Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -142,7 +142,7 @@ int main(int argc, char **argv) if (!(mysql_connect_ssl_check(&mysql, host, user, opt_password, (first_argument_uses_wildcards) ? "" : argv[0], opt_mysql_port, opt_mysql_unix_port, - 0, opt_ssl_required))) + 0, opt_ssl_mode == SSL_MODE_REQUIRED))) { fprintf(stderr,"%s: %s\n",my_progname,mysql_error(&mysql)); exit(1); diff --git a/client/mysqlslap.c b/client/mysqlslap.c index eb2b577948c..aa312339e87 100644 --- a/client/mysqlslap.c +++ b/client/mysqlslap.c 
@@ -1,5 +1,5 @@ /* - Copyright (c) 2005, 2016, Oracle and/or its affiliates. All rights reserved. + Copyright (c) 2005, 2017, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -357,7 +357,8 @@ int main(int argc, char **argv) { if (!(mysql_connect_ssl_check(&mysql, host, user, opt_password, NULL, opt_mysql_port, opt_mysql_unix_port, - connect_flags, opt_ssl_required))) + connect_flags, + opt_ssl_mode == SSL_MODE_REQUIRED))) { fprintf(stderr,"%s: Error when connecting to server: %s\n", my_progname,mysql_error(&mysql)); diff --git a/client/mysqltest.cc b/client/mysqltest.cc index 79d448cf811..e5f9b11fe76 100644 --- a/client/mysqltest.cc +++ b/client/mysqltest.cc @@ -1,4 +1,4 @@ -/* Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved. +/* Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -5283,7 +5283,7 @@ void safe_connect(MYSQL* mysql, const char *name, const char *host, host, port, sock, user, name, failed_attempts); while(!mysql_connect_ssl_check(mysql, host,user, pass, db, port, sock, CLIENT_MULTI_STATEMENTS | CLIENT_REMEMBER_OPTIONS, - opt_ssl_required)) + opt_ssl_mode == SSL_MODE_REQUIRED)) { /* Connect failed @@ -5385,7 +5385,7 @@ int connect_n_handle_errors(struct st_command *command, while (!mysql_connect_ssl_check(con, host, user, pass, db, port, sock ? sock: 0, CLIENT_MULTI_STATEMENTS, - opt_ssl_required)) + opt_ssl_mode == SSL_MODE_REQUIRED)) { /* If we have used up all our connections check whether this -- cgit v1.2.1