WL#9072: Backport WL#8785 to 5.5

client/client_priv.h

@@ -1,5 +1,5 @@
 /*
-   Copyright (c) 2001, 2012, Oracle and/or its affiliates. All rights reserved.
+   Copyright (c) 2001, 2016, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -88,6 +88,7 @@ enum options_client
   OPT_DEFAULT_AUTH,
   OPT_DEFAULT_PLUGIN,
   OPT_ENABLE_CLEARTEXT_PLUGIN,
+  OPT_SSL_MODE,
   OPT_MAX_CLIENT_OPTION
 };
 
@@ -111,3 +112,36 @@ enum options_client
 */
 #define PERFORMANCE_SCHEMA_DB_NAME "performance_schema"
 
+/**
+  Wrapper for mysql_real_connect() that checks if SSL connection is establised.
+
+  The function calls mysql_real_connect() first, then if given ssl_required==TRUE
+  argument (i.e. --ssl-mode=REQUIRED option used) checks current SSL chiper to
+  ensure that SSL is used for current connection.
+  Otherwise it returns NULL and sets errno to CR_SSL_CONNECTION_ERROR.
+
+  All clients (except mysqlbinlog which disregards SSL options) use this function
+  instead of mysql_real_connect() to handle --ssl-mode=REQUIRED option.
+*/
+MYSQL *mysql_connect_ssl_check(MYSQL *mysql_arg, const char *host,
+                               const char *user, const char *passwd,
+                               const char *db, uint port,
+                               const char *unix_socket, ulong client_flag,
+                               my_bool ssl_required __attribute__((unused)))
+{
+  MYSQL *mysql= mysql_real_connect(mysql_arg, host, user, passwd, db, port,
+                                   unix_socket, client_flag);
+#if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY)
+  if (mysql &&                                   /* connection established. */
+      ssl_required &&                            /* --ssl-mode=REQUIRED. */
+      !mysql_get_ssl_cipher(mysql))              /* non-SSL connection. */
+  {
+    NET *net= &mysql->net;
+    net->last_errno= CR_SSL_CONNECTION_ERROR;
+    strmov(net->last_error, "--ssl-mode=REQUIRED option forbids non SSL connections");
+    strmov(net->sqlstate, "HY000");
+    return NULL;
+  }
+#endif
+  return mysql;
+}

client/mysql.cc

@@ -1,5 +1,5 @@
 /*
-   Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.
+   Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -1316,8 +1316,9 @@ sig_handler handle_sigint(int sig)
   }
 
   kill_mysql= mysql_init(kill_mysql);
-  if (!mysql_real_connect(kill_mysql,current_host, current_user, opt_password,
-                          "", opt_mysql_port, opt_mysql_unix_port,0))
+  if (!mysql_connect_ssl_check(kill_mysql, current_host, current_user, opt_password,
+                               "", opt_mysql_port, opt_mysql_unix_port, 0,
+                               opt_ssl_required))
   {
     tee_fprintf(stdout, "Ctrl-C -- sorry, cannot connect to server to kill query, giving up ...\n");
     goto err;
@@ -4457,9 +4458,10 @@ sql_real_connect(char *host,char *database,char *user,char *password,
     mysql_options(&mysql, MYSQL_ENABLE_CLEARTEXT_PLUGIN, 
                   (char*) &opt_enable_cleartext_plugin);
 
-  if (!mysql_real_connect(&mysql, host, user, password,
-                          database, opt_mysql_port, opt_mysql_unix_port,
-                          connect_flag | CLIENT_MULTI_STATEMENTS))
+  if (!mysql_connect_ssl_check(&mysql, host, user, password,
+                               database, opt_mysql_port, opt_mysql_unix_port,
+                               connect_flag | CLIENT_MULTI_STATEMENTS,
+                               opt_ssl_required))
   {
     if (!silent ||
 	(mysql_errno(&mysql) != CR_CONN_HOST_ERROR &&

client/mysql_upgrade.c

@@ -1,5 +1,5 @@
 /*
-   Copyright (c) 2006, 2015, Oracle and/or its affiliates. All rights reserved.
+   Copyright (c) 2006, 2016, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -307,6 +307,7 @@ get_one_option(int optid, const struct my_option *opt,
   case OPT_DEFAULT_AUTH:                        /* --default-auth */
     add_one_option(&conn_args, opt, argument);
     break;
+#include <sslopt-case.h>
   }
 
   if (add_option)
@@ -386,6 +387,10 @@ static int run_tool(char *tool_path, DYNAMIC_STRING *ds_res, ...)
 
   va_end(args);
 
+  /* If given --ssl-mode=REQUIRED propagate it to the tool. */
+  if (opt_ssl_required)
+    dynstr_append(&ds_cmdline, "--ssl-mode=REQUIRED");
+
 #ifdef __WIN__
   dynstr_append(&ds_cmdline, "\"");
 #endif

client/mysqladmin.cc

@@ -1,5 +1,5 @@
 /*
-   Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
+   Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -518,8 +518,9 @@ static my_bool sql_connect(MYSQL *mysql, uint wait)
 
   for (;;)
   {
-    if (mysql_real_connect(mysql,host,user,opt_password,NullS,tcp_port,
-			   unix_port, CLIENT_REMEMBER_OPTIONS))
+    if (mysql_connect_ssl_check(mysql, host, user, opt_password, NullS,
+                                tcp_port, unix_port,
+                                CLIENT_REMEMBER_OPTIONS, opt_ssl_required))
     {
       mysql->reconnect= 1;
       if (info)

client/mysqlcheck.c

@@ -1,5 +1,5 @@
 /*
-   Copyright (c) 2001, 2015, Oracle and/or its affiliates. All rights reserved.
+   Copyright (c) 2001, 2016, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -894,8 +894,10 @@ static int dbConnect(char *host, char *user, char *passwd)
                   (char *) &opt_enable_cleartext_plugin);
 
   mysql_options(&mysql_connection, MYSQL_SET_CHARSET_NAME, default_charset);
-  if (!(sock = mysql_real_connect(&mysql_connection, host, user, passwd,
-         NULL, opt_mysql_port, opt_mysql_unix_port, 0)))
+  if (!(sock = mysql_connect_ssl_check(&mysql_connection, host, user, passwd,
+                                       NULL, opt_mysql_port,
+                                       opt_mysql_unix_port, 0,
+                                       opt_ssl_required)))
   {
     DBerror(&mysql_connection, "when trying to connect");
     return 1;

client/mysqldump.c

@@ -1,5 +1,5 @@
 /*
-   Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
+   Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -1498,9 +1498,10 @@ static int connect_to_db(char *host, char *user,char *passwd)
     mysql_options(&mysql_connection, MYSQL_ENABLE_CLEARTEXT_PLUGIN,
                   (char *) &opt_enable_cleartext_plugin);
 
-  if (!(mysql= mysql_real_connect(&mysql_connection,host,user,passwd,
-                                  NULL,opt_mysql_port,opt_mysql_unix_port,
-                                  0)))
+  if (!(mysql= mysql_connect_ssl_check(&mysql_connection, host, user,
+                                       passwd, NULL, opt_mysql_port,
+                                       opt_mysql_unix_port, 0,
+                                       opt_ssl_required)))
   {
     DB_error(&mysql_connection, "when trying to connect");
     DBUG_RETURN(1);

client/mysqlimport.c

@@ -1,5 +1,5 @@
 /*
-   Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
+   Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -449,9 +449,9 @@ static MYSQL *db_connect(char *host, char *database,
                   (char*)&opt_enable_cleartext_plugin);
 
   mysql_options(mysql, MYSQL_SET_CHARSET_NAME, default_charset);
-  if (!(mysql_real_connect(mysql,host,user,passwd,
-                           database,opt_mysql_port,opt_mysql_unix_port,
-                           0)))
+  if (!(mysql_connect_ssl_check(mysql, host, user, passwd, database,
+                                opt_mysql_port, opt_mysql_unix_port,
+                                0, opt_ssl_required)))
   {
     ignore_errors=0;	  /* NO RETURN FROM db_error */
     db_error(mysql);

client/mysqlshow.c

@@ -1,5 +1,5 @@
 /*
-   Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
+   Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -139,10 +139,10 @@ int main(int argc, char **argv)
     mysql_options(&mysql, MYSQL_ENABLE_CLEARTEXT_PLUGIN,
                   (char*)&opt_enable_cleartext_plugin);
 
-  if (!(mysql_real_connect(&mysql,host,user,opt_password,
-			   (first_argument_uses_wildcards) ? "" :
-                           argv[0],opt_mysql_port,opt_mysql_unix_port,
-			   0)))
+  if (!(mysql_connect_ssl_check(&mysql, host, user, opt_password,
+			        (first_argument_uses_wildcards) ? "" :
+                                argv[0], opt_mysql_port, opt_mysql_unix_port,
+			        0, opt_ssl_required)))
   {
     fprintf(stderr,"%s: %s\n",my_progname,mysql_error(&mysql));
     exit(1);

client/mysqlslap.c

@@ -1,5 +1,5 @@
 /*
-   Copyright (c) 2005, 2015, Oracle and/or its affiliates. All rights reserved.
+   Copyright (c) 2005, 2016, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -355,9 +355,9 @@ int main(int argc, char **argv)
                   (char*) &opt_enable_cleartext_plugin);
   if (!opt_only_print) 
   {
-    if (!(mysql_real_connect(&mysql, host, user, opt_password,
-                             NULL, opt_mysql_port,
-                             opt_mysql_unix_port, connect_flags)))
+    if (!(mysql_connect_ssl_check(&mysql, host, user, opt_password,
+                                  NULL, opt_mysql_port, opt_mysql_unix_port,
+                                  connect_flags, opt_ssl_required)))
     {
       fprintf(stderr,"%s: Error when connecting to server: %s\n",
               my_progname,mysql_error(&mysql));

client/mysqltest.cc

@@ -1,4 +1,4 @@
-/* Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -5281,8 +5281,9 @@ void safe_connect(MYSQL* mysql, const char *name, const char *host,
   verbose_msg("Connecting to server %s:%d (socket %s) as '%s'"
               ", connection '%s', attempt %d ...", 
               host, port, sock, user, name, failed_attempts);
-  while(!mysql_real_connect(mysql, host,user, pass, db, port, sock,
-                            CLIENT_MULTI_STATEMENTS | CLIENT_REMEMBER_OPTIONS))
+  while(!mysql_connect_ssl_check(mysql, host,user, pass, db, port, sock,
+                                 CLIENT_MULTI_STATEMENTS | CLIENT_REMEMBER_OPTIONS,
+                                 opt_ssl_required))
   {
     /*
       Connect failed
@@ -5382,8 +5383,9 @@ int connect_n_handle_errors(struct st_command *command,
     dynstr_append_mem(ds, ";\n", 2);
   }
   
-  while (!mysql_real_connect(con, host, user, pass, db, port, sock ? sock: 0,
-                          CLIENT_MULTI_STATEMENTS))
+  while (!mysql_connect_ssl_check(con, host, user, pass, db, port,
+                                  sock ? sock: 0, CLIENT_MULTI_STATEMENTS,
+                                  opt_ssl_required))
   {
     /*
       If we have used up all our connections check whether this