WL#15801: Remove weak ciphers usage

Description:
- Added blocked cipher handling for following variables
  - ssl-cipher
  - admin-ssl-cipher
  - tls-ciphersuites
  - admin-tls-ciphersuites
- Updated tests to remove blocked ciphers
- Added new FIPS tests without using weak ciphers
- Added test to check blocked cipher handling

Change-Id: I91721e4cc0f3690e25d802493fa36313a479f641

include/tls_ciphers.h

@@ -116,18 +116,7 @@ const char blocked_tls12_ciphers[] = {
     "!RC2:"
     "!RC4:"
     "!PSK:"
-    "!DH-RSA-AES128-SHA256:"
-    "!DH-RSA-AES256-SHA256:"
-    "!DH-DSS-AES128-SHA256:"
-    "!DH-DSS-AES128-SHA:"
-    "!DH-DSS-AES256-SHA:"
-    "!DH-DSS-AES256-SHA256:"
-    "!DH-RSA-AES128-SHA:"
-    "!DH-RSA-AES256-SHA:"
-    "!DH-DSS-AES128-GCM-SHA256:"
-    "!DH-DSS-AES256-GCM-SHA384:"
-    "!DH-RSA-AES128-GCM-SHA256:"
-    "!DH-RSA-AES256-GCM-SHA384"};
+    "!kDH"};
 
 /*
   Following ciphers are added to the list of permissible ciphers

mysql-test/include/allowed_ciphers.inc

@@ -1,7 +1,7 @@
 #
-# List of allowed TLSv1.2 and TLSv1.3 ciphers which will be
+# List of TLSv1.2 and TLSv1.3 ciphers which will be
 # replaced with "SSL_CIPHER" in the result files.
 # Usage: --replace_regex $ALLOWED_CIPHERS_REGEX
 #
 
-LET $ALLOWED_CIPHERS_REGEX = /ECDHE-RSA-AES128-GCM-SHA256|DHE-RSA-AES128-GCM-SHA256|DHE-RSA-AES256-SHA|ECDHE-RSA-AES128-SHA256|TLS_AES_128_GCM_SHA256|TLS_AES_256_GCM_SHA384|TLS_CHACHA20_POLY1305_SHA256/SSL_CIPHER/;
+LET $ALLOWED_CIPHERS_REGEX = /ECDHE-RSA-AES128-GCM-SHA256|DHE-RSA-AES128-GCM-SHA256|DHE-RSA-AES256-SHA|ECDHE-RSA-AES128-SHA256|TLS_AES_128_GCM_SHA256|TLS_AES_256_GCM_SHA384|TLS_CHACHA20_POLY1305_SHA256|DHE-RSA-CHACHA20-POLY1305/SSL_CIPHER/;

mysql-test/r/ssl_dynamic.result

@@ -1,10 +1,3 @@
-call mtr.add_suppression("Failed to set up SSL because of the following SSL library error");
-call mtr.add_suppression("Failed to initialize TLS for channel: mysql_main");
-call mtr.add_suppression("CA certificate/certficates is invalid. Please check logs for more details.");
-call mtr.add_suppression("Failed to validate certificate .*");
-call mtr.add_suppression("Server certificate .* verification has failed. Check logs for more details");
-call mtr.add_suppression("Failed to set up TLS. Check logs for details");
-call mtr.add_suppression("Internal TLS error error.*");
 # Check if ssl is on
 SELECT LENGTH(VARIABLE_VALUE) > 0 FROM performance_schema.session_status
 WHERE VARIABLE_NAME='Ssl_cipher';
@@ -141,8 +134,11 @@ SET GLOBAL ssl_key = 'gizmo';
 SET GLOBAL ssl_capath = 'gizmo';
 SET GLOBAL ssl_crl = 'gizmo';
 SET GLOBAL ssl_crlpath = 'gizmo';
+# Must fail
 SET GLOBAL ssl_cipher = 'gizmo';
+ERROR 42000: Variable 'ssl_cipher' can't be set to the value of 'gizmo'
 SET GLOBAL tls_ciphersuites = 'gizmo';
+ERROR 42000: Variable 'tls_ciphersuites' can't be set to the value of 'gizmo'
 SET GLOBAL tls_version = 'gizmo';
 ERROR 42000: Variable 'tls_version' can't be set to the value of 'gizmo'
 # Must fail

mysql-test/suite/auth_sec/include/wl15800_cipher_test.inc → mysql-test/suite/auth_sec/include/ciphers_test.inc

@@ -4,11 +4,11 @@
 # --let $USER = user
 # --let $TLS_VERSION = "TLSv1.2" or "TLSv1.3"
 #
-# --source ../inc/cipher_test.inc
+# --source ../inc/ciphers_test.inc
 #
 
-# Usage:
-# --source ../inc/set_ciphers.inc
+--let SEARCH_FILE=$MYSQLTEST_VARDIR/log/mysqld.1.err
+
 --let $records = `SELECT JSON_LENGTH(ciphers) FROM $cipher_db.acceptable`
 if ($records != "") {
   --echo
@@ -41,39 +41,6 @@ if ($records != "") {
   --echo
 }
 
---let $records = `SELECT JSON_LENGTH(ciphers) FROM $cipher_db.deprecated`
-if ($records != "") {
-  --echo
-  --echo #-----------------------------------------------------------------------
-  --echo
-  --echo # Checking deprecated ciphers
-  --let $CIPHER_TABLE =deprecated
-  --let $BLOCKED_CIPHERS=0
-  --source set_ciphers.inc
-  --let $i = 0
-  while ($i < $records) {
-    --let $CIPHER_NAME = `SELECT JSON_UNQUOTE(JSON_EXTRACT(ciphers, '$[$i]')) FROM $cipher_db.deprecated`
-    --source search_cipher_deprecation.inc
-    if ($TLS_VERSION == "TLSv1.2") {
-      --echo # Expecting connection success with cipher: $CIPHER_NAME on main channel
-      --exec $MYSQL --protocol=TCP --host=127.0.0.1 -P $MASTER_MYPORT --ssl-mode=REQUIRED --tls-version=TLSv1.2 -u$USER --ssl-cipher=$CIPHER_NAME -e "SHOW STATUS LIKE 'Ssl_cipher'" 2>&1
-      --echo # Expecting connection success with cipher: $CIPHER_NAME on admin channel
-      --exec $MYSQL --protocol=TCP --host=127.0.0.1 -P $MASTER_ADMINPORT --ssl-mode=REQUIRED --tls-version=TLSv1.2 -u$USER --ssl-cipher=$CIPHER_NAME -e "SHOW STATUS LIKE 'Ssl_cipher'" 2>&1
-    }
-
-    if ($TLS_VERSION == "TLSv1.3") {
-      --echo # Expecting connection success with cipher: $CIPHER_NAME on main channel
-      --exec $MYSQL --protocol=TCP --host=127.0.0.1 -P $MASTER_MYPORT --ssl-mode=REQUIRED --tls-version=TLSv1.3 -u$USER --tls-ciphersuites=$CIPHER_NAME -e "SHOW STATUS LIKE 'Ssl_cipher'" 2>&1
-      --echo # Expecting connection success with cipher: $CIPHER_NAME on admin channel
-      --exec $MYSQL --protocol=TCP --host=127.0.0.1 -P $MASTER_ADMINPORT --ssl-mode=REQUIRED --tls-version=TLSv1.3 -u$USER --tls-ciphersuites=$CIPHER_NAME -e "SHOW STATUS LIKE 'Ssl_cipher'" 2>&1
-    }
-    --inc $i
-  }
-  --echo
-  --echo #-----------------------------------------------------------------------
-  --echo
-}
-
 --let $records = `SELECT JSON_LENGTH(ciphers) FROM $cipher_db.blocked`
 if ($records != "") {
   --echo
@@ -86,7 +53,7 @@ if ($records != "") {
   --let $i = 0
   while ($i < $records) {
     --let $CIPHER_NAME = `SELECT JSON_UNQUOTE(JSON_EXTRACT(ciphers, '$[$i]')) FROM $cipher_db.blocked`
-    --source search_cipher_deprecation.inc
+    --source search_cipher_blocked_error.inc
     if ($TLS_VERSION == "TLSv1.2") {
       --echo # Expecting connection failure wiith cipher: $CIPHER_NAME on main channel
       --replace_regex /SSL connection error:.*/SSL connection error: Failed to set ciphers to use/

mysql-test/suite/auth_sec/include/search_cipher_deprecation.inc → mysql-test/suite/auth_sec/include/search_cipher_blocked_error.inc

@@ -2,21 +2,20 @@
 # Usage:
 # --let $CIPHER_NAME=<cipher>
 # --let $TLS_VERSION = "TLSv1.2" or "TLSv1.3"
-# --source search_cipher_deprecation.inc
+# --let SEARCH_FILE=<file>
+# --source search_cipher_blocked_error.inc
 #
 
---let SEARCH_FILE=$MYSQLTEST_VARDIR/log/mysqld.1.err
-
 if ($TLS_VERSION == "TLSv1.2") {
-  --let SEARCH_PATTERN=Value for option 'ssl_cipher' contains cipher '$CIPHER_NAME' that is either blocked or deprecated
+  --let SEARCH_PATTERN=Value for option 'ssl_cipher' contains cipher '$CIPHER_NAME' that is blocked
   --source include/search_pattern.inc
-  --let SEARCH_PATTERN=Value for option 'admin_ssl_cipher' contains cipher '$CIPHER_NAME' that is either blocked or deprecated
+  --let SEARCH_PATTERN=Value for option 'admin_ssl_cipher' contains cipher '$CIPHER_NAME' that is blocked
   --source include/search_pattern.inc
 }
 
 if ($TLS_VERSION == "TLSv1.3") {
-  --let SEARCH_PATTERN=Value for option 'tls_ciphersuites' contains cipher '$CIPHER_NAME' that is either blocked or deprecated
+  --let SEARCH_PATTERN=Value for option 'tls_ciphersuites' contains cipher '$CIPHER_NAME' that is blocked
   --source include/search_pattern.inc
-  --let SEARCH_PATTERN=Value for option 'admin_tls_ciphersuites' contains cipher '$CIPHER_NAME' that is either blocked or deprecated
+  --let SEARCH_PATTERN=Value for option 'admin_tls_ciphersuites' contains cipher '$CIPHER_NAME' that is blocked
   --source include/search_pattern.inc
 }

mysql-test/suite/auth_sec/include/set_ciphers.inc

@@ -28,34 +28,34 @@ if ($records != "") {
   SELECT @@global.admin_tls_ciphersuites INTO @saved_admin_ciphersuites;
 
   if ($TLS_VERSION == "TLSv1.2") {
+    if ($BLOCKED_CIPHERS == 0) {
       SET GLOBAL ssl_cipher=@ciphers;
       SET GLOBAL admin_ssl_cipher=@ciphers;
+    }
+
+    if ($BLOCKED_CIPHERS == 1) {
+      --error ER_WRONG_VALUE_FOR_VAR
+      SET GLOBAL ssl_cipher=@ciphers;
+      --error ER_WRONG_VALUE_FOR_VAR
+      SET GLOBAL admin_ssl_cipher=@ciphers;
+    }
   }
 
   if ($TLS_VERSION == "TLSv1.3") {
+    if ($BLOCKED_CIPHERS == 0) {
       SET GLOBAL tls_ciphersuites=@ciphers;
       SET GLOBAL admin_tls_ciphersuites=@ciphers;
-  }
+    }
 
-  if ($BLOCKED_CIPHERS == 0) {
-    ALTER INSTANCE RELOAD TLS FOR CHANNEL mysql_main;
-    ALTER INSTANCE RELOAD TLS FOR CHANNEL mysql_admin;
+    if ($BLOCKED_CIPHERS == 1) {
+      --error ER_WRONG_VALUE_FOR_VAR
+      SET GLOBAL tls_ciphersuites=@ciphers;
+      --error ER_WRONG_VALUE_FOR_VAR
+      SET GLOBAL admin_tls_ciphersuites=@ciphers;
+    }
   }
-  if ($BLOCKED_CIPHERS == 1) {
-    --error ER_DA_SSL_LIBRARY_ERROR
-    ALTER INSTANCE RELOAD TLS FOR CHANNEL mysql_main;
-    --error ER_DA_SSL_LIBRARY_ERROR
-    ALTER INSTANCE RELOAD TLS FOR CHANNEL mysql_admin;
 
-    # Reset ciphers to last known good values
-    if ($TLS_VERSION == "TLSv1.2") {
-      SET GLOBAL ssl_cipher=@saved_ciphers;
-      SET GLOBAL admin_ssl_cipher=@saved_admin_ciphers;
-    }
-    if ($TLS_VERSION == "TLSv1.3") {
-      SET GLOBAL tls_ciphersuites=@saved_ciphersuites;
-      SET GLOBAL admin_tls_ciphersuites=@saved_admin_ciphersuites;
-    }
+  if ($BLOCKED_CIPHERS == 0) {
     ALTER INSTANCE RELOAD TLS FOR CHANNEL mysql_main;
     ALTER INSTANCE RELOAD TLS FOR CHANNEL mysql_admin;
   }

mysql-test/suite/auth_sec/include/wl15800_variables_test.inc → mysql-test/suite/auth_sec/include/variables_test.inc

@@ -1,9 +1,11 @@
 #
 # Usage:
 # --let $TLS_VERSION = TLSv1.2 or TLSv1.3
-# --source ../inc/wl15800_variables_test.inc
+# --source ../inc/variables_test.inc
 #
 
+--let SEARCH_FILE=$MYSQLTEST_VARDIR/log/mysqld.1.err
+
 --let $records = `SELECT JSON_LENGTH(ciphers) FROM cipher_db.ciphers_data`
 if ($records != "") {
   --echo
@@ -20,20 +22,24 @@ if ($records != "") {
   --let $CIPHERS = `SELECT @ciphers`
   --echo # Setting server ciphers: $CIPHERS
   if ($TLS_VERSION == "TLSv1.2") {
+    --error 0, ER_WRONG_VALUE_FOR_VAR
     --eval SET GLOBAL ssl_cipher='$CIPHERS'
+    --error 0, ER_WRONG_VALUE_FOR_VAR
     --eval SET GLOBAL admin_ssl_cipher='$CIPHERS'
   }
 
   if ($TLS_VERSION == "TLSv1.3") {
+    --error 0, ER_WRONG_VALUE_FOR_VAR
     --eval SET GLOBAL tls_ciphersuites='$CIPHERS'
+    --error 0, ER_WRONG_VALUE_FOR_VAR
     --eval SET GLOBAL admin_tls_ciphersuites='$CIPHERS'
   }
   --let $i = 0
   while ($i < $records) {
     --echo
     --let $CIPHER_NAME = `SELECT JSON_UNQUOTE(JSON_EXTRACT(ciphers, '$[$i]')) FROM cipher_db.ciphers_data`
-    --echo # Checking deprecation messages (if any) for $CIPHER_NAME
-    --source search_cipher_deprecation.inc
+    --echo # Checking error messages (if any) for $CIPHER_NAME
+    --source search_cipher_blocked_error.inc
     --echo
     --inc $i
   }

mysql-test/suite/auth_sec/r/admin_channel_tls.result

@@ -116,8 +116,11 @@ SET GLOBAL admin_ssl_key = 'gizmo';
 SET GLOBAL admin_ssl_capath = 'gizmo';
 SET GLOBAL admin_ssl_crl = 'gizmo';
 SET GLOBAL admin_ssl_crlpath = 'gizmo';
+# Must fail
 SET GLOBAL admin_ssl_cipher = 'gizmo';
+ERROR 42000: Variable 'admin_ssl_cipher' can't be set to the value of 'gizmo'
 SET GLOBAL admin_tls_ciphersuites = 'gizmo';
+ERROR 42000: Variable 'admin_tls_ciphersuites' can't be set to the value of 'gizmo'
 SET GLOBAL admin_tls_version = 'gizmo';
 ERROR 42000: Variable 'admin_tls_version' can't be set to the value of 'gizmo'
 # Must fail

mysql-test/suite/auth_sec/r/ciphers_configuration_at_startup.result

@@ -0,0 +1,51 @@
+CALL mtr.add_suppression("Value for option .* contains cipher .* that is blocked.");
+#
+# WL#15801: Remove weak ciphers usage
+#
+# Stop server
+# Server should fail to start: Invalid --ssl-cipher value
+# Must find error for ECDHE-RSA-AES128-SHA256 for ssl-cipher
+Pattern "Value for option 'ssl_cipher' contains cipher 'ECDHE-RSA-AES128-SHA256' that is blocked" found
+Pattern "Value for option 'admin_ssl_cipher' contains cipher 'ECDHE-RSA-AES128-SHA256' that is blocked" not found
+# Server should fail to start: Invalid --admin-ssl-cipher value
+# Must find error for ECDHE-RSA-AES128-SHA256 for admin-ssl-cipher
+Pattern "Value for option 'ssl_cipher' contains cipher 'ECDHE-RSA-AES128-SHA256' that is blocked" not found
+Pattern "Value for option 'admin_ssl_cipher' contains cipher 'ECDHE-RSA-AES128-SHA256' that is blocked" found
+# Server should fail to start: Valid and invalid --ssl-cipher values
+# Must not find error for ECDHE-RSA-AES128-GCM-SHA256
+Pattern "Value for option 'ssl_cipher' contains cipher 'ECDHE-RSA-AES128-GCM-SHA256' that is blocked" not found
+Pattern "Value for option 'admin_ssl_cipher' contains cipher 'ECDHE-RSA-AES128-GCM-SHA256' that is blocked" not found
+# Must find error for ECDHE-RSA-AES128-SHA256 for ssl-cipher
+Pattern "Value for option 'ssl_cipher' contains cipher 'ECDHE-RSA-AES128-SHA256' that is blocked" found
+Pattern "Value for option 'admin_ssl_cipher' contains cipher 'ECDHE-RSA-AES128-SHA256' that is blocked" not found
+# Server should fail to start: Valid and invalid --admin-ssl-cipher values
+# Must not find error for ECDHE-RSA-AES128-GCM-SHA256
+Pattern "Value for option 'ssl_cipher' contains cipher 'ECDHE-RSA-AES128-GCM-SHA256' that is blocked" not found
+Pattern "Value for option 'admin_ssl_cipher' contains cipher 'ECDHE-RSA-AES128-GCM-SHA256' that is blocked" not found
+# Must find error for ECDHE-RSA-AES128-SHA256 for admin-ssl-cipher
+Pattern "Value for option 'ssl_cipher' contains cipher 'ECDHE-RSA-AES128-SHA256' that is blocked" not found
+Pattern "Value for option 'admin_ssl_cipher' contains cipher 'ECDHE-RSA-AES128-SHA256' that is blocked" found
+# Server should fail to start: Invalid --tls-ciphersuites value
+# Must find error for TLS_AES_128_CCM_8_SHA256 for tls-ciphersuites
+Pattern "Value for option 'tls_ciphersuites' contains cipher 'TLS_AES_128_CCM_8_SHA256' that is blocked" found
+Pattern "Value for option 'admin_tls_ciphersuites' contains cipher 'TLS_AES_128_CCM_8_SHA256' that is blocked" not found
+# Server should fail to start: Invalid --admin-tls-ciphersuites value
+# Must find error for TLS_AES_128_CCM_8_SHA256 for admin-tls-ciphersuites
+Pattern "Value for option 'tls_ciphersuites' contains cipher 'TLS_AES_128_CCM_8_SHA256' that is blocked" not found
+Pattern "Value for option 'admin_tls_ciphersuites' contains cipher 'TLS_AES_128_CCM_8_SHA256' that is blocked" found
+# Server should fail to start: Valid and invalid --tls-ciphersuites values
+# Must not find error for TLS_AES_128_GCM_SHA256
+Pattern "Value for option 'tls_ciphersuites' contains cipher 'TLS_AES_128_GCM_SHA256' that is blocked" not found
+Pattern "Value for option 'admin_tls_ciphersuites' contains cipher 'TLS_AES_128_GCM_SHA256' that is blocked" not found
+# Must find error for TLS_AES_128_CCM_8_SHA256 for tls-ciphersuites
+Pattern "Value for option 'tls_ciphersuites' contains cipher 'TLS_AES_128_CCM_8_SHA256' that is blocked" found
+Pattern "Value for option 'admin_tls_ciphersuites' contains cipher 'TLS_AES_128_CCM_8_SHA256' that is blocked" not found
+# Server should fail to start: Valid and invalid --admin-tls-ciphersuites values
+# Must not find error for TLS_AES_128_GCM_SHA256
+Pattern "Value for option 'tls_ciphersuites' contains cipher 'TLS_AES_128_GCM_SHA256' that is blocked" not found
+Pattern "Value for option 'admin_tls_ciphersuites' contains cipher 'TLS_AES_128_GCM_SHA256' that is blocked" not found
+# Must find error for TLS_AES_128_CCM_8_SHA256 for admin-tls-ciphersuites
+Pattern "Value for option 'tls_ciphersuites' contains cipher 'TLS_AES_128_CCM_8_SHA256' that is blocked" not found
+Pattern "Value for option 'admin_tls_ciphersuites' contains cipher 'TLS_AES_128_CCM_8_SHA256' that is blocked" found
+# start server with all defaults
+# restart