BUG#25575605: SETTING --SSL-MODE=REQUIRED SENDS CREDENTIALS BEFORE VERIFYING SSL CONNECTION

MYSQL_OPT_SSL_MODE option introduced.
It is set in case of --ssl-mode=REQUIRED and permits only SSL connection.

(cherry picked from commit 3b2d28578c526f347f5cfe763681eff365731f99)

client/client_priv.h

@@ -1,5 +1,5 @@
 /*
-   Copyright (c) 2001, 2016, Oracle and/or its affiliates. All rights reserved.
+   Copyright (c) 2001, 2017, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -115,13 +115,15 @@ enum options_client
 /**
   Wrapper for mysql_real_connect() that checks if SSL connection is establised.
 
-  The function calls mysql_real_connect() first, then if given ssl_required==TRUE
+  The function calls mysql_real_connect() first. Then, if the ssl_required
-  argument (i.e. --ssl-mode=REQUIRED option used) checks current SSL chiper to
+  argument is TRUE (i.e., the --ssl-mode=REQUIRED option was specified), it
-  ensure that SSL is used for current connection.
+  checks the current SSL cipher to ensure that SSL is used for the current
-  Otherwise it returns NULL and sets errno to CR_SSL_CONNECTION_ERROR.
+  connection. Otherwise, it returns NULL and sets errno to
+  CR_SSL_CONNECTION_ERROR.
 
-  All clients (except mysqlbinlog which disregards SSL options) use this function
+  All clients (except mysqlbinlog, which disregards SSL options) use this
-  instead of mysql_real_connect() to handle --ssl-mode=REQUIRED option.
+  function instead of mysql_real_connect() to handle the --ssl-mode=REQUIRED
+  option.
 */
 MYSQL *mysql_connect_ssl_check(MYSQL *mysql_arg, const char *host,
                                const char *user, const char *passwd,
@@ -129,8 +131,22 @@ MYSQL *mysql_connect_ssl_check(MYSQL *mysql_arg, const char *host,
                                const char *unix_socket, ulong client_flag,
                                my_bool ssl_required __attribute__((unused)))
 {
-  MYSQL *mysql= mysql_real_connect(mysql_arg, host, user, passwd, db, port,
+  MYSQL *mysql;
-                                   unix_socket, client_flag);
+
+#if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY)
+  enum mysql_ssl_mode opt_ssl_mode= SSL_MODE_REQUIRED;
+  if (ssl_required &&
+      mysql_options(mysql_arg, MYSQL_OPT_SSL_MODE, (char *) &opt_ssl_mode))
+  {
+    NET *net= &mysql_arg->net;
+    net->last_errno= CR_SSL_CONNECTION_ERROR;
+    strmov(net->last_error, "Client library doesn't support MYSQL_SSL_REQUIRED option");
+    strmov(net->sqlstate, "HY000");
+    return NULL;
+  }
+#endif
+  mysql= mysql_real_connect(mysql_arg, host, user, passwd, db, port,
+                            unix_socket, client_flag);
 #if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY)
   if (mysql &&                                   /* connection established. */
       ssl_required &&                            /* --ssl-mode=REQUIRED. */

client/mysql.cc

@@ -1,5 +1,5 @@
 /*
-   Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
+   Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -1318,7 +1318,7 @@ sig_handler handle_sigint(int sig)
   kill_mysql= mysql_init(kill_mysql);
   if (!mysql_connect_ssl_check(kill_mysql, current_host, current_user, opt_password,
                                "", opt_mysql_port, opt_mysql_unix_port, 0,
-                               opt_ssl_required))
+                               opt_ssl_mode == SSL_MODE_REQUIRED))
   {
     tee_fprintf(stdout, "Ctrl-C -- sorry, cannot connect to server to kill query, giving up ...\n");
     goto err;
@@ -4461,7 +4461,7 @@ sql_real_connect(char *host,char *database,char *user,char *password,
   if (!mysql_connect_ssl_check(&mysql, host, user, password,
                                database, opt_mysql_port, opt_mysql_unix_port,
                                connect_flag | CLIENT_MULTI_STATEMENTS,
-                               opt_ssl_required))
+                               opt_ssl_mode == SSL_MODE_REQUIRED))
   {
     if (!silent ||
 	(mysql_errno(&mysql) != CR_CONN_HOST_ERROR &&

client/mysql_upgrade.c

@@ -1,5 +1,5 @@
 /*
-   Copyright (c) 2006, 2016, Oracle and/or its affiliates. All rights reserved.
+   Copyright (c) 2006, 2017, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -387,9 +387,11 @@ static int run_tool(char *tool_path, DYNAMIC_STRING *ds_res, ...)
 
   va_end(args);
 
+#if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY)
   /* If given --ssl-mode=REQUIRED propagate it to the tool. */
-  if (opt_ssl_required)
+  if (opt_ssl_mode == SSL_MODE_REQUIRED)
     dynstr_append(&ds_cmdline, "--ssl-mode=REQUIRED");
+#endif
 
 #ifdef __WIN__
   dynstr_append(&ds_cmdline, "\"");

client/mysqladmin.cc

@@ -1,5 +1,5 @@
 /*
-   Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
+   Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -519,8 +519,8 @@ static my_bool sql_connect(MYSQL *mysql, uint wait)
   for (;;)
   {
     if (mysql_connect_ssl_check(mysql, host, user, opt_password, NullS,
-                                tcp_port, unix_port,
+                                tcp_port, unix_port, CLIENT_REMEMBER_OPTIONS,
-                                CLIENT_REMEMBER_OPTIONS, opt_ssl_required))
+                                opt_ssl_mode == SSL_MODE_REQUIRED))
     {
       mysql->reconnect= 1;
       if (info)

client/mysqlcheck.c

@@ -1,5 +1,5 @@
 /*
-   Copyright (c) 2001, 2016, Oracle and/or its affiliates. All rights reserved.
+   Copyright (c) 2001, 2017, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -907,7 +907,7 @@ static int dbConnect(char *host, char *user, char *passwd)
   if (!(sock = mysql_connect_ssl_check(&mysql_connection, host, user, passwd,
                                        NULL, opt_mysql_port,
                                        opt_mysql_unix_port, 0,
-                                       opt_ssl_required)))
+                                       opt_ssl_mode == SSL_MODE_REQUIRED)))
   {
     DBerror(&mysql_connection, "when trying to connect");
     return 1;

client/mysqldump.c

@@ -1,5 +1,5 @@
 /*
-   Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
+   Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -1501,7 +1501,7 @@ static int connect_to_db(char *host, char *user,char *passwd)
   if (!(mysql= mysql_connect_ssl_check(&mysql_connection, host, user,
                                        passwd, NULL, opt_mysql_port,
                                        opt_mysql_unix_port, 0,
-                                       opt_ssl_required)))
+                                       opt_ssl_mode == SSL_MODE_REQUIRED)))
   {
     DB_error(&mysql_connection, "when trying to connect");
     DBUG_RETURN(1);

client/mysqlimport.c

@@ -1,5 +1,5 @@
 /*
-   Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
+   Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -463,7 +463,7 @@ static MYSQL *db_connect(char *host, char *database,
   mysql_options(mysql, MYSQL_SET_CHARSET_NAME, default_charset);
   if (!(mysql_connect_ssl_check(mysql, host, user, passwd, database,
                                 opt_mysql_port, opt_mysql_unix_port,
-                                0, opt_ssl_required)))
+                                0, opt_ssl_mode == SSL_MODE_REQUIRED)))
   {
     ignore_errors=0;	  /* NO RETURN FROM db_error */
     db_error(mysql);

client/mysqlshow.c

@@ -1,5 +1,5 @@
 /*
-   Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
+   Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -142,7 +142,7 @@ int main(int argc, char **argv)
   if (!(mysql_connect_ssl_check(&mysql, host, user, opt_password,
 			        (first_argument_uses_wildcards) ? "" :
                                 argv[0], opt_mysql_port, opt_mysql_unix_port,
-			        0, opt_ssl_required)))
+			        0, opt_ssl_mode == SSL_MODE_REQUIRED)))
   {
     fprintf(stderr,"%s: %s\n",my_progname,mysql_error(&mysql));
     exit(1);

client/mysqlslap.c

@@ -1,5 +1,5 @@
 /*
-   Copyright (c) 2005, 2016, Oracle and/or its affiliates. All rights reserved.
+   Copyright (c) 2005, 2017, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -357,7 +357,8 @@ int main(int argc, char **argv)
   {
     if (!(mysql_connect_ssl_check(&mysql, host, user, opt_password,
                                   NULL, opt_mysql_port, opt_mysql_unix_port,
-                                  connect_flags, opt_ssl_required)))
+                                  connect_flags,
+                                  opt_ssl_mode == SSL_MODE_REQUIRED)))
     {
       fprintf(stderr,"%s: Error when connecting to server: %s\n",
               my_progname,mysql_error(&mysql));

client/mysqltest.cc

@@ -1,4 +1,4 @@
-/* Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -5283,7 +5283,7 @@ void safe_connect(MYSQL* mysql, const char *name, const char *host,
               host, port, sock, user, name, failed_attempts);
   while(!mysql_connect_ssl_check(mysql, host,user, pass, db, port, sock,
                                  CLIENT_MULTI_STATEMENTS | CLIENT_REMEMBER_OPTIONS,
-                                 opt_ssl_required))
+                                 opt_ssl_mode == SSL_MODE_REQUIRED))
   {
     /*
       Connect failed
@@ -5385,7 +5385,7 @@ int connect_n_handle_errors(struct st_command *command,
   
   while (!mysql_connect_ssl_check(con, host, user, pass, db, port,
                                   sock ? sock: 0, CLIENT_MULTI_STATEMENTS,
-                                  opt_ssl_required))
+                                  opt_ssl_mode == SSL_MODE_REQUIRED))
   {
     /*
       If we have used up all our connections check whether this

include/mysql.h

@@ -1,4 +1,4 @@
-/* Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -167,7 +167,7 @@ enum mysql_option
   MYSQL_OPT_GUESS_CONNECTION, MYSQL_SET_CLIENT_IP, MYSQL_SECURE_AUTH,
   MYSQL_REPORT_DATA_TRUNCATION, MYSQL_OPT_RECONNECT,
   MYSQL_OPT_SSL_VERIFY_SERVER_CERT, MYSQL_PLUGIN_DIR, MYSQL_DEFAULT_AUTH,
-  MYSQL_ENABLE_CLEARTEXT_PLUGIN
+  MYSQL_ENABLE_CLEARTEXT_PLUGIN, MYSQL_OPT_SSL_MODE
 };
 
 /**
@@ -224,6 +224,11 @@ enum mysql_protocol_type
   MYSQL_PROTOCOL_PIPE, MYSQL_PROTOCOL_MEMORY
 };
 
+enum mysql_ssl_mode
+{
+  SSL_MODE_REQUIRED= 3
+};
+
 typedef struct character_set
 {
   unsigned int      number;     /* character set number              */

include/mysql.h.pp

@@ -263,7 +263,7 @@ enum mysql_option
   MYSQL_OPT_GUESS_CONNECTION, MYSQL_SET_CLIENT_IP, MYSQL_SECURE_AUTH,
   MYSQL_REPORT_DATA_TRUNCATION, MYSQL_OPT_RECONNECT,
   MYSQL_OPT_SSL_VERIFY_SERVER_CERT, MYSQL_PLUGIN_DIR, MYSQL_DEFAULT_AUTH,
-  MYSQL_ENABLE_CLEARTEXT_PLUGIN
+  MYSQL_ENABLE_CLEARTEXT_PLUGIN, MYSQL_OPT_SSL_MODE
 };
 struct st_mysql_options_extention;
 struct st_mysql_options {
@@ -307,6 +307,10 @@ enum mysql_protocol_type
   MYSQL_PROTOCOL_DEFAULT, MYSQL_PROTOCOL_TCP, MYSQL_PROTOCOL_SOCKET,
   MYSQL_PROTOCOL_PIPE, MYSQL_PROTOCOL_MEMORY
 };
+enum mysql_ssl_mode
+{
+  SSL_MODE_REQUIRED= 3
+};
 typedef struct character_set
 {
   unsigned int number;

include/sql_common.h

@@ -1,7 +1,7 @@
 #ifndef SQL_COMMON_INCLUDED
 #define SQL_COMMON_INCLUDED
 
-/* Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2003, 2017, Oracle and/or its affiliates. All rights reserved.
    
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -32,6 +32,7 @@ struct st_mysql_options_extention {
   char *plugin_dir;
   char *default_auth;
   my_bool enable_cleartext_plugin;
+  unsigned int ssl_mode;
 };
 
 typedef struct st_mysql_methods

include/sslopt-case.h

@@ -1,7 +1,7 @@
 #ifndef SSLOPT_CASE_INCLUDED
 #define SSLOPT_CASE_INCLUDED
 
-/* Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -38,7 +38,7 @@
         exit(1);
       }
       else
-        opt_ssl_required= 1;
+        opt_ssl_mode= SSL_MODE_REQUIRED;
       break;
 #endif /* MYSQL_CLIENT */
 #endif

include/sslopt-vars.h

@@ -1,7 +1,7 @@
 #ifndef SSLOPT_VARS_INCLUDED
 #define SSLOPT_VARS_INCLUDED
 
-/* Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -31,11 +31,11 @@ SSL_STATIC char *opt_ssl_key    = 0;
 
 #ifdef MYSQL_CLIENT
 SSL_STATIC my_bool opt_ssl_verify_server_cert= 0;
-SSL_STATIC my_bool opt_ssl_required= 0;
+SSL_STATIC uint opt_ssl_mode= 0;
 #endif /* MYSQL_CLIENT */
 
 #else /* HAVE_OPENSSL */
-#define opt_ssl_required 0
+#define opt_ssl_mode 0
 #endif /* HAVE_OPENSSL */
 
 #endif /* SSLOPT_VARS_INCLUDED */

mysql-test/r/ssl_mode.result

@@ -37,8 +37,8 @@ DROP TABLE t1;
 # mysql
 Unknown value to --ssl-mode: ''. Use --ssl-mode=REQUIRED
 Unknown value to --ssl-mode: 'DERIUQER'. Use --ssl-mode=REQUIRED
-ERROR 2026 (HY000): --ssl-mode=REQUIRED option forbids non SSL connections
+ERROR 2026 (HY000): SSL connection error: Client is not configured to use SSL
-ERROR 2026 (HY000): --ssl-mode=REQUIRED option forbids non SSL connections
+ERROR 2026 (HY000): SSL connection error: Client is not configured to use SSL
-ERROR 2026 (HY000): --ssl-mode=REQUIRED option forbids non SSL connections
+ERROR 2026 (HY000): SSL connection error: Client is not configured to use SSL
 
 End of tests

mysql-test/r/ssl_mode_no_ssl.result

@@ -1,22 +1,22 @@
 # negative client tests
 # mysql
-ERROR 2026 (HY000): --ssl-mode=REQUIRED option forbids non SSL connections
+ERROR 2026 (HY000): SSL connection error: Server doesn't support SSL
-ERROR 2026 (HY000): --ssl-mode=REQUIRED option forbids non SSL connections
+ERROR 2026 (HY000): SSL connection error: Server doesn't support SSL
-ERROR 2026 (HY000): --ssl-mode=REQUIRED option forbids non SSL connections
+ERROR 2026 (HY000): SSL connection error: Server doesn't support SSL
-ERROR 2026 (HY000): --ssl-mode=REQUIRED option forbids non SSL connections
+ERROR 2026 (HY000): SSL connection error: Server doesn't support SSL
 # mysqldump
-mysqldump: Got error: 2026: --ssl-mode=REQUIRED option forbids non SSL connections when trying to connect
+mysqldump: Got error: 2026: SSL connection error: Server doesn't support SSL when trying to connect
 # mysqladmin
-mysqladmin: error: '--ssl-mode=REQUIRED option forbids non SSL connections'
+mysqladmin: error: 'SSL connection error: Server doesn't support SSL'
 # mysqlcheck
-mysqlcheck: Got error: 2026: --ssl-mode=REQUIRED option forbids non SSL connections when trying to connect
+mysqlcheck: Got error: 2026: SSL connection error: Server doesn't support SSL when trying to connect
 # mysqlimport
-mysqlimport: Error: 2026 --ssl-mode=REQUIRED option forbids non SSL connections
+mysqlimport: Error: 2026 SSL connection error: Server doesn't support SSL
 # mysqlshow
-mysqlshow: --ssl-mode=REQUIRED option forbids non SSL connections
+mysqlshow: SSL connection error: Server doesn't support SSL
 # mysqlslap
-mysqlslap: Error when connecting to server: --ssl-mode=REQUIRED option forbids non SSL connections
+mysqlslap: Error when connecting to server: SSL connection error: Server doesn't support SSL
 # mysqltest
-mysqltest: Could not open connection 'default': 2026 --ssl-mode=REQUIRED option forbids non SSL connections
+mysqltest: Could not open connection 'default': 2026 SSL connection error: Server doesn't support SSL
 
 End of tests

sql-common/client.c

@@ -1137,7 +1137,7 @@ static const char *default_options[]=
   "ssl-cipher", "max-allowed-packet", "protocol", "shared-memory-base-name",
   "multi-results", "multi-statements", "multi-queries", "secure-auth",
   "report-data-truncation", "plugin-dir", "default-auth", 
-  "enable-cleartext-plugin",
+  "enable-cleartext-plugin", "ssl-mode",
   NullS
 };
 enum option_id {
@@ -1149,7 +1149,7 @@ enum option_id {
   OPT_ssl_cipher, OPT_max_allowed_packet, OPT_protocol, OPT_shared_memory_base_name, 
   OPT_multi_results, OPT_multi_statements, OPT_multi_queries, OPT_secure_auth, 
   OPT_report_data_truncation, OPT_plugin_dir, OPT_default_auth, 
-  OPT_enable_cleartext_plugin,
+  OPT_enable_cleartext_plugin, OPT_ssl_mode,
   OPT_keep_this_one_last
 };
 
@@ -1338,12 +1338,26 @@ void mysql_read_default_options(struct st_mysql_options *options,
           my_free(options->ssl_cipher);
           options->ssl_cipher= my_strdup(opt_arg, MYF(MY_WME));
           break;
+        case OPT_ssl_mode:
+          if (opt_arg &&
+              !my_strcasecmp(&my_charset_latin1, opt_arg, "required"))
+          {
+            ENSURE_EXTENSIONS_PRESENT(options);
+            options->extension->ssl_mode= SSL_MODE_REQUIRED;
+          }
+          else
+          {
+            fprintf(stderr, "Unknown option to ssl-mode: %s\n", opt_arg);
+            exit(1);
+          }
+          break;
 #else
 	case OPT_ssl_key:
 	case OPT_ssl_cert:
 	case OPT_ssl_ca:
 	case OPT_ssl_capath:
         case OPT_ssl_cipher:
+        case OPT_ssl_mode:
 	  break;
 #endif /* HAVE_OPENSSL && !EMBEDDED_LIBRARY */
 	case OPT_character_sets_dir:
@@ -1850,6 +1864,10 @@ mysql_ssl_free(MYSQL *mysql __attribute__((unused)))
   mysql->options.ssl_capath = 0;
   mysql->options.ssl_cipher= 0;
   mysql->options.use_ssl = FALSE;
+  if (mysql->options.extension)
+  {
+    mysql->options.extension->ssl_mode= 0;
+  }
   mysql->connector_fd = 0;
   DBUG_VOID_RETURN;
 }
@@ -2596,6 +2614,31 @@ static int send_client_reply_packet(MCPVIO_EXT *mpvio,
     end= buff+5;
   }
 #ifdef HAVE_OPENSSL
+  /*
+    If SSL connection is required we'll:
+      1. check if the server supports SSL;
+      2. check if the client is properly configured;
+      3. try to use SSL no matter the other options given.
+  */
+  if (mysql->options.extension &&
+      mysql->options.extension->ssl_mode == SSL_MODE_REQUIRED)
+  {
+    if (!(mysql->server_capabilities & CLIENT_SSL))
+    {
+      set_mysql_extended_error(mysql, CR_SSL_CONNECTION_ERROR, unknown_sqlstate,
+                               ER(CR_SSL_CONNECTION_ERROR),
+                               "Server doesn't support SSL");
+      goto error;
+    }
+    if (!mysql->options.use_ssl)
+    {
+      set_mysql_extended_error(mysql, CR_SSL_CONNECTION_ERROR, unknown_sqlstate,
+                               ER(CR_SSL_CONNECTION_ERROR),
+                               "Client is not configured to use SSL");
+      goto error;
+    }
+    mysql->client_flag|= CLIENT_SSL;
+  }
   if (mysql->client_flag & CLIENT_SSL)
   {
     /* Do the SSL layering. */
@@ -4242,6 +4285,13 @@ mysql_options(MYSQL *mysql,enum mysql_option option, const void *arg)
     mysql->options.extension->enable_cleartext_plugin= 
       (*(my_bool*) arg) ? TRUE : FALSE;
     break;
+  case MYSQL_OPT_SSL_MODE:
+    if (*(uint *) arg == SSL_MODE_REQUIRED)
+    {
+      ENSURE_EXTENSIONS_PRESENT(&mysql->options);
+      mysql->options.extension->ssl_mode= SSL_MODE_REQUIRED;
+    }
+    break;
   default:
     DBUG_RETURN(1);
   }