
WL#6791 : Redefine client --ssl option to imply enforced encryption

# Changed the meaning of the --ssl=1 option of all client binaries
to mean force ssl, not try ssl and fall back to unencrypted
# Added a new MYSQL_OPT_SSL_ENFORCE mysql_options()
option to specify that an ssl connection is required.
# Added a new macro SSL_SET_OPTIONS() to the client
SSL handling headers that sets all the relevant SSL options at 
once.
# Revamped all of the current native clients to use the new macro
# Removed some Windows line endings.
# Added proper handling of the new option into the ssl helper
headers.
# If SSL is mandatory assume that the media is secure enough 
for the sha256 plugin to do unencrypted password exchange even
before establishing a connection.
# Set the default ssl cipher to DHE-RSA-AES256-SHA if none is 
specified.
# updated test cases that require a non-default cipher to spawn 
a mysql command line tool binary since mysqltest has no support
for specifying ciphers.
# updated the replication slave connection code to always enforce
SSL if any of the SSL config options is present.
# test cases added and updated.
# added a mysql_get_option() API to return mysql_options() 
values. Used the new API inside the sha256 plugin.
# Fixed compilation warnings because of unused variables.
# Fixed test failures (mysql_ssl and bug13115401)
# Fixed whitespace issues.
# Fully implemented the mysql_get_option() function.
# Added a test case for mysql_get_option()
# fixed some trailing whitespace issues
# fixed some uint/int warnings in mysql_client_test.c
# removed shared memory option from non-windows get_options
 tests
# moved MYSQL_OPT_LOCAL_INFILE to the uint options
gkodinov committed Oct 31, 2013
1 parent 6958f5f commit 3bd5589e1a5a93f9c224badf983cd65c45215390
@@ -4953,17 +4953,7 @@ init_connection_options(MYSQL *mysql)
if (using_opt_local_infile)
mysql_options(mysql, MYSQL_OPT_LOCAL_INFILE, (char*) &opt_local_infile);
#if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY)
if (opt_use_ssl)
{
mysql_ssl_set(mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca,
opt_ssl_capath, opt_ssl_cipher);
mysql_options(mysql, MYSQL_OPT_SSL_CRL, opt_ssl_crl);
mysql_options(mysql, MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath);
}
mysql_options(mysql, MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
(char*) &opt_ssl_verify_server_cert);
#endif
SSL_SET_OPTIONS(mysql);
if (opt_protocol)
mysql_options(mysql, MYSQL_OPT_PROTOCOL, (char*) &opt_protocol);
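Review bot: The added `SSL_SET_OPTIONS(mysql);` sits outside the `#if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY)` guard that wrapped the code it replaces, so the macro must expand to an empty statement (and must not touch any opt_ssl_* variable) in non-OpenSSL and embedded builds; its definition is not in this diff, so that should be confirmed in the header that defines it. The call also hides which options are applied — presumably MYSQL_OPT_SSL_ENFORCE and MYSQL_OPT_SSL_VERIFY_SERVER_CERT among them — so a one-line comment at the call site would help readers of each tool: `/* apply the --ssl* options collected by sslopt-case.h, incl. --ssl enforcement */`. The same replacement appears in the hunks for the second init_connection_options, mysqladmin's main, safe_connect, dbConnect, connect_to_db, db_connect, the mysqlshow and mysqlslap main functions and mysqltest's main; this note applies to all of them. Two of the replaced blocks (dbConnect and the mysqlslap main) previously did not set MYSQL_OPT_SSL_VERIFY_SERVER_CERT at all, so if the macro sets it unconditionally those tools change behaviour and the commit message should say so. init_connection_options continues outside the hunk.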
@@ -158,17 +158,7 @@ my_arguments_get_one_option(int optid,
static void
init_connection_options(MYSQL *mysql)
{
#if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY)
if (opt_use_ssl)
{
mysql_ssl_set(mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca,
opt_ssl_capath, opt_ssl_cipher);
mysql_options(mysql, MYSQL_OPT_SSL_CRL, opt_ssl_crl);
mysql_options(mysql, MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath);
}
mysql_options(mysql, MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
(char*) &opt_ssl_verify_server_cert);
#endif
SSL_SET_OPTIONS(mysql);
if (opt_protocol)
mysql_options(mysql, MYSQL_OPT_PROTOCOL, (char*) &opt_protocol);
@@ -288,7 +288,7 @@ get_one_option(int optid, const struct my_option *opt,
case OPT_WRITE_BINLOG: /* --write-binlog */
add_option= FALSE;
break;
#include <sslopt-case.h>
case 'h': /* --host */
case 'W': /* --pipe */
case 'P': /* --port */
@@ -361,17 +361,7 @@ int main(int argc,char *argv[])
uint tmp=opt_connect_timeout;
mysql_options(&mysql,MYSQL_OPT_CONNECT_TIMEOUT, (char*) &tmp);
}
#ifdef HAVE_OPENSSL
if (opt_use_ssl)
{
mysql_ssl_set(&mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca,
opt_ssl_capath, opt_ssl_cipher);
mysql_options(&mysql, MYSQL_OPT_SSL_CRL, opt_ssl_crl);
mysql_options(&mysql, MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath);
}
mysql_options(&mysql,MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
(char*)&opt_ssl_verify_server_cert);
#endif
SSL_SET_OPTIONS(&mysql);
if (opt_protocol)
mysql_options(&mysql,MYSQL_OPT_PROTOCOL,(char*)&opt_protocol);
#if defined (_WIN32) && !defined (EMBEDDED_LIBRARY)
@@ -1885,17 +1885,7 @@ static Exit_status safe_connect()
return ERROR_STOP;
}
#ifdef HAVE_OPENSSL
if (opt_use_ssl)
{
mysql_ssl_set(mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca,
opt_ssl_capath, opt_ssl_cipher);
mysql_options(mysql, MYSQL_OPT_SSL_CRL, opt_ssl_crl);
mysql_options(mysql, MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath);
}
mysql_options(mysql, MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
(char*) &opt_ssl_verify_server_cert);
#endif
SSL_SET_OPTIONS(mysql);
if (opt_plugin_dir && *opt_plugin_dir)
mysql_options(mysql, MYSQL_PLUGIN_DIR, opt_plugin_dir);
@@ -881,15 +881,7 @@ static int dbConnect(char *host, char *user, char *passwd)
mysql_init(&mysql_connection);
if (opt_compress)
mysql_options(&mysql_connection, MYSQL_OPT_COMPRESS, NullS);
#ifdef HAVE_OPENSSL
if (opt_use_ssl)
{
mysql_ssl_set(&mysql_connection, opt_ssl_key, opt_ssl_cert, opt_ssl_ca,
opt_ssl_capath, opt_ssl_cipher);
mysql_options(&mysql_connection, MYSQL_OPT_SSL_CRL, opt_ssl_crl);
mysql_options(&mysql_connection, MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath);
}
#endif
SSL_SET_OPTIONS(&mysql_connection);
if (opt_protocol)
mysql_options(&mysql_connection,MYSQL_OPT_PROTOCOL,(char*)&opt_protocol);
if (opt_bind_addr)
@@ -1595,17 +1595,7 @@ static int connect_to_db(char *host, char *user,char *passwd)
mysql_init(&mysql_connection);
if (opt_compress)
mysql_options(&mysql_connection,MYSQL_OPT_COMPRESS,NullS);
#ifdef HAVE_OPENSSL
if (opt_use_ssl)
{
mysql_ssl_set(&mysql_connection, opt_ssl_key, opt_ssl_cert, opt_ssl_ca,
opt_ssl_capath, opt_ssl_cipher);
mysql_options(&mysql_connection, MYSQL_OPT_SSL_CRL, opt_ssl_crl);
mysql_options(&mysql_connection, MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath);
}
mysql_options(&mysql_connection,MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
(char*)&opt_ssl_verify_server_cert);
#endif
SSL_SET_OPTIONS(&mysql_connection);
if (opt_protocol)
mysql_options(&mysql_connection,MYSQL_OPT_PROTOCOL,(char*)&opt_protocol);
if (opt_bind_addr)
@@ -420,17 +420,7 @@ static MYSQL *db_connect(char *host, char *database,
if (opt_local_file)
mysql_options(mysql,MYSQL_OPT_LOCAL_INFILE,
(char*) &opt_local_file);
#ifdef HAVE_OPENSSL
if (opt_use_ssl)
{
mysql_ssl_set(mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca,
opt_ssl_capath, opt_ssl_cipher);
mysql_options(mysql, MYSQL_OPT_SSL_CRL, opt_ssl_crl);
mysql_options(mysql, MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath);
}
mysql_options(mysql,MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
(char*)&opt_ssl_verify_server_cert);
#endif
SSL_SET_OPTIONS(mysql);
if (opt_protocol)
mysql_options(mysql,MYSQL_OPT_PROTOCOL,(char*)&opt_protocol);
if (opt_bind_addr)
@@ -117,17 +117,7 @@ int main(int argc, char **argv)
mysql_init(&mysql);
if (opt_compress)
mysql_options(&mysql,MYSQL_OPT_COMPRESS,NullS);
#ifdef HAVE_OPENSSL
if (opt_use_ssl)
{
mysql_ssl_set(&mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca,
opt_ssl_capath, opt_ssl_cipher);
mysql_options(&mysql, MYSQL_OPT_SSL_CRL, opt_ssl_crl);
mysql_options(&mysql, MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath);
}
mysql_options(&mysql,MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
(char*)&opt_ssl_verify_server_cert);
#endif
SSL_SET_OPTIONS(&mysql);
if (opt_protocol)
mysql_options(&mysql,MYSQL_OPT_PROTOCOL,(char*)&opt_protocol);
if (opt_bind_addr)
@@ -144,8 +144,8 @@ static my_bool opt_compress= FALSE, tty_password= FALSE,
const char *auto_generate_sql_type= "mixed";
static unsigned long connect_flags= CLIENT_MULTI_RESULTS |
CLIENT_MULTI_STATEMENTS |
CLIENT_REMEMBER_OPTIONS;
CLIENT_MULTI_STATEMENTS |
CLIENT_REMEMBER_OPTIONS;
static int verbose, delimiter_length;
@@ -335,15 +335,7 @@ int main(int argc, char **argv)
mysql_init(&mysql);
if (opt_compress)
mysql_options(&mysql,MYSQL_OPT_COMPRESS,NullS);
#ifdef HAVE_OPENSSL
if (opt_use_ssl)
{
mysql_ssl_set(&mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca,
opt_ssl_capath, opt_ssl_cipher);
mysql_options(&mysql, MYSQL_OPT_SSL_CRL, opt_ssl_crl);
mysql_options(&mysql, MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath);
}
#endif
SSL_SET_OPTIONS(&mysql);
if (opt_protocol)
mysql_options(&mysql,MYSQL_OPT_PROTOCOL,(char*)&opt_protocol);
#if defined (_WIN32) && !defined (EMBEDDED_LIBRARY)
@@ -5507,6 +5507,9 @@ void do_connect(struct st_command *command)
my_bool con_pipe= 0, con_shm= 0, con_cleartext_enable= 0;
my_bool con_secure_auth= 1;
struct st_connection* con_slot;
#if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY)
my_bool save_opt_use_ssl= opt_use_ssl;
#endif
static DYNAMIC_STRING ds_connection_name;
static DYNAMIC_STRING ds_host;
@@ -5641,23 +5644,22 @@ void do_connect(struct st_command *command)
#if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY)
if (opt_use_ssl)
con_ssl= 1;
#endif
if (con_ssl)
opt_use_ssl= con_ssl;
if (opt_use_ssl)
{
#if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY)
mysql_ssl_set(&con_slot->mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca,
opt_ssl_capath, opt_ssl_cipher);
mysql_options(&con_slot->mysql, MYSQL_OPT_SSL_CRL, opt_ssl_crl);
mysql_options(&con_slot->mysql, MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath);
#if MYSQL_VERSION_ID >= 50000
/* Turn on ssl_verify_server_cert only if host is "localhost" */
opt_ssl_verify_server_cert= !strcmp(ds_host.str, "localhost");
mysql_options(&con_slot->mysql, MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
&opt_ssl_verify_server_cert);
}
#else
/* keep the compiler happy about con_ssl */
con_ssl = con_ssl ? TRUE : FALSE;
#endif
SSL_SET_OPTIONS(&con_slot->mysql);
#if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY)
opt_use_ssl= save_opt_use_ssl;
#endif
}
if (con_pipe)
{
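Review bot: The new code in do_connect overrides the global `opt_use_ssl` from the per-connection `con_ssl` flag and restores it from `save_opt_use_ssl` after `SSL_SET_OPTIONS(&con_slot->mysql)`, but `opt_ssl_enforce` is not overridden the same way, so a test `connect` that asks for SSL presumably inherits the process-wide enforce setting (the macro's definition is not in this diff); if so, a connection a test explicitly marked as SSL can be silently downgraded to plaintext whenever mysqltest itself runs without `--ssl`, which undermines tests meant to prove encryption. Consider mirroring the save/override/restore for the enforce flag: `my_bool save_opt_ssl_enforce= opt_ssl_enforce;` next to `save_opt_use_ssl`, `opt_ssl_enforce= con_ssl;` beside `opt_use_ssl= con_ssl;`, and `opt_ssl_enforce= save_opt_ssl_enforce;` after the macro. `opt_ssl_verify_server_cert` is also assigned from `ds_host.str` here and, unlike `opt_use_ssl`, is never restored; that looks pre-existing, but the asymmetry deserves a comment now that the save/restore pattern is explicit. do_connect starts before this hunk and continues after it.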
@@ -8764,22 +8766,16 @@ int main(int argc, char **argv)
mysql_options(&con->mysql,MYSQL_OPT_PROTOCOL,(char*)&opt_protocol);
#endif
#if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY)
#if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY)
if (opt_use_ssl)
{
mysql_ssl_set(&con->mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca,
opt_ssl_capath, opt_ssl_cipher);
mysql_options(&con->mysql, MYSQL_OPT_SSL_CRL, opt_ssl_crl);
mysql_options(&con->mysql, MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath);
#if MYSQL_VERSION_ID >= 50000
/* Turn on ssl_verify_server_cert only if host is "localhost" */
opt_ssl_verify_server_cert= opt_host && !strcmp(opt_host, "localhost");
mysql_options(&con->mysql, MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
&opt_ssl_verify_server_cert);
#endif
}
#endif
SSL_SET_OPTIONS(&con->mysql);
#if defined (_WIN32) && !defined (EMBEDDED_LIBRARY)
if (shared_memory_base_name)
@@ -18,7 +18,7 @@
#
SET(SHARED_LIB_MAJOR_VERSION "18")
SET(SHARED_LIB_MINOR_VERSION "1")
SET(SHARED_LIB_MINOR_VERSION "2")
SET(PROTOCOL_VERSION "10")
SET(DOT_FRM_VERSION "6")
@@ -159,7 +159,8 @@ enum mysql_option
MYSQL_OPT_CONNECT_ATTR_DELETE,
MYSQL_SERVER_PUBLIC_KEY,
MYSQL_ENABLE_CLEARTEXT_PLUGIN,
MYSQL_OPT_CAN_HANDLE_EXPIRED_PASSWORDS
MYSQL_OPT_CAN_HANDLE_EXPIRED_PASSWORDS,
MYSQL_OPT_SSL_ENFORCE
};
/**
@@ -451,6 +452,8 @@ int STDCALL mysql_options(MYSQL *mysql,enum mysql_option option,
const void *arg);
int STDCALL mysql_options4(MYSQL *mysql,enum mysql_option option,
const void *arg1, const void *arg2);
int STDCALL mysql_get_option(MYSQL *mysql, enum mysql_option option,
const void *arg);
void STDCALL mysql_free_result(MYSQL_RES *result);
void STDCALL mysql_data_seek(MYSQL_RES *result,
my_ulonglong offset);
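Review bot: `mysql_get_option` is declared with `const void *arg` although `arg` is the out-pointer that receives the option's value, so the prototype misstates the contract and forces the implementation to cast away const (undefined behaviour if a caller really passes a const object); `void *arg` would be accurate. Either way the header should say, per option, what the pointee must be — for MYSQL_OPT_SSL_ENFORCE presumably a `my_bool *`, matching the `ssl_enforce` field added in sql_common.h — because the void pointer gives the compiler nothing to check; a short Doxygen block above the declaration would do. The same prototype is repeated in the mysql.h.pp ABI-check hunk, so both must agree. Appending `MYSQL_OPT_SSL_ENFORCE` after `MYSQL_OPT_CAN_HANDLE_EXPIRED_PASSWORDS` keeps the existing enumerator values stable, which is consistent with the SHARED_LIB_MINOR_VERSION bump elsewhere in the commit.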
@@ -316,7 +316,8 @@
MYSQL_OPT_CONNECT_ATTR_DELETE,
MYSQL_SERVER_PUBLIC_KEY,
MYSQL_ENABLE_CLEARTEXT_PLUGIN,
MYSQL_OPT_CAN_HANDLE_EXPIRED_PASSWORDS
MYSQL_OPT_CAN_HANDLE_EXPIRED_PASSWORDS,
MYSQL_OPT_SSL_ENFORCE
};
struct st_mysql_options_extention;
struct st_mysql_options {
@@ -518,6 +519,8 @@
const void *arg);
int mysql_options4(MYSQL *mysql,enum mysql_option option,
const void *arg1, const void *arg2);
int mysql_get_option(MYSQL *mysql, enum mysql_option option,
const void *arg);
void mysql_free_result(MYSQL_RES *result);
void mysql_data_seek(MYSQL_RES *result,
my_ulonglong offset);
@@ -67,6 +67,8 @@ struct st_mysql_options_extention {
char *server_public_key_path;
size_t connection_attributes_length;
my_bool enable_cleartext_plugin;
/** false if it is possible to fall back on unencrypted connections */
my_bool ssl_enforce;
};
typedef struct st_mysql_methods
@@ -17,6 +17,17 @@
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */
#if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY)
#ifdef MYSQL_CLIENT
case OPT_SSL_SSL:
/*
A client side --ssl option handling.
--ssl=1 means enforce (use=1, enforce=1)
--ssl=0 means can't enforce (use=0, enforce=0)
no --ssl means default : no enforce (use=1), just try (enforce=1)
*/
opt_ssl_enforce= opt_use_ssl;
break;
#endif
case OPT_SSL_KEY:
case OPT_SSL_CERT:
case OPT_SSL_CA:
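Review bot: The last line of the new comment contradicts itself and the two lines above it: `no --ssl means default : no enforce (use=1), just try (enforce=1)` — the default is enforce=0, since the `opt_ssl_enforce= opt_use_ssl;` assignment is only reached when `--ssl` is given, so it should read `no --ssl means default: try SSL, fall back to plaintext (use=1, enforce=0)`. Spelling out the fall-back matters because the default is the only mode in which the connection can be downgraded, and that is exactly what a reader of this case label needs to know. The assignment itself is right for both `--ssl=1` and `--ssl=0`, but an `--ssl-*` option parsed after `--ssl=0` sets `opt_use_ssl= TRUE` again (second hunk) without touching enforce, so the order dependence the existing comment there describes now also decides whether SSL is merely attempted or required; the new comment could mention that.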
@@ -28,7 +39,7 @@
Enable use of SSL if we are using any ssl option
One can disable SSL later by using --skip-ssl or --ssl=0
*/
opt_use_ssl= 1;
opt_use_ssl= TRUE;
/* crl has no effect in yaSSL */
#ifdef HAVE_YASSL
opt_ssl_crl= NULL;
@@ -19,30 +19,32 @@
#if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY)
{"ssl", OPT_SSL_SSL,
"Enable SSL for connection (automatically enabled with other flags).",
"If set to ON, this option enforces that SSL is established before client "
"attempts to authenticate to the server. To disable client SSL capabilities "
"use --ssl=OFF.",
&opt_use_ssl, &opt_use_ssl, 0, GET_BOOL, OPT_ARG, 0, 0, 0, 0, 0, 0},
{"ssl-ca", OPT_SSL_CA,
"CA file in PEM format (check OpenSSL docs, implies --ssl).",
"CA file in PEM format.",
&opt_ssl_ca, &opt_ssl_ca, 0, GET_STR, REQUIRED_ARG,
0, 0, 0, 0, 0, 0},
{"ssl-capath", OPT_SSL_CAPATH,
"CA directory (check OpenSSL docs, implies --ssl).",
"CA directory.",
&opt_ssl_capath, &opt_ssl_capath, 0, GET_STR, REQUIRED_ARG,
0, 0, 0, 0, 0, 0},
{"ssl-cert", OPT_SSL_CERT, "X509 cert in PEM format (implies --ssl).",
{"ssl-cert", OPT_SSL_CERT, "X509 cert in PEM format.",
&opt_ssl_cert, &opt_ssl_cert, 0, GET_STR, REQUIRED_ARG,
0, 0, 0, 0, 0, 0},
{"ssl-cipher", OPT_SSL_CIPHER, "SSL cipher to use (implies --ssl).",
{"ssl-cipher", OPT_SSL_CIPHER, "SSL cipher to use.",
&opt_ssl_cipher, &opt_ssl_cipher, 0, GET_STR, REQUIRED_ARG,
0, 0, 0, 0, 0, 0},
{"ssl-key", OPT_SSL_KEY, "X509 key in PEM format (implies --ssl).",
{"ssl-key", OPT_SSL_KEY, "X509 key in PEM format.",
&opt_ssl_key, &opt_ssl_key, 0, GET_STR, REQUIRED_ARG,
0, 0, 0, 0, 0, 0},
{"ssl-crl", OPT_SSL_CRL, "Certificate revocation list (implies --ssl).",
{"ssl-crl", OPT_SSL_CRL, "Certificate revocation list.",
&opt_ssl_crl, &opt_ssl_crl, 0, GET_STR, REQUIRED_ARG,
0, 0, 0, 0, 0, 0},
{"ssl-crlpath", OPT_SSL_CRLPATH,
"Certificate revocation list path (implies --ssl).",
"Certificate revocation list path.",
&opt_ssl_crlpath, &opt_ssl_crlpath, 0, GET_STR, REQUIRED_ARG,
0, 0, 0, 0, 0, 0},
#ifdef MYSQL_CLIENT
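Review bot: The new `--ssl` help text describes only the ON case; the security-relevant default — no `--ssl` given: SSL is attempted and the client silently falls back to an unencrypted connection — is not mentioned, and that is the case users most need to understand. Suggest extending the string, e.g. `"... use --ssl=OFF. Without this option the client tries SSL and falls back to an unencrypted connection."`. Dropping `(implies --ssl)` from the `--ssl-ca`, `--ssl-capath`, `--ssl-cert`, `--ssl-cipher`, `--ssl-key`, `--ssl-crl` and `--ssl-crlpath` descriptions also loses information: sslopt-case.h still sets `opt_use_ssl= TRUE` for these options, so they still turn SSL on, just without enforcing it; `(enables SSL without enforcing it)` would state that accurately.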