Bug #19127636 MYSQL_SECURE_INSTALLATION FAILS TO RUN IF

              THE ROOT PLUGIN IS SHA256_PASSWORD

Problem: When the root user uses sha256_password,
         mysql_secure_installation fails to connect to the
         server after reading the password from mysql_secret
         file.

Solution: mysql_secure_installation initially tries to
          connect with a blank password and then reads
          mysql_secret file to fetch the password. If the
          login fails with blank password, all the options
          in mysql handle are reset and hence the ssl
          options too.

          A step is added in this patch to set the
          connection options in mysql handle after the login
          fails with blank password.

Author: Vamsikrishna Bhagi

client/mysql_secure_installation.cc

@@ -604,6 +604,7 @@ int get_root_password()
         the temporary password file.
       */
       char *temp_pass;
+      init_connection_options(&mysql);
       if (find_temporary_password(&temp_pass) == TRUE)
       {
         my_free(password);

mysql-test/suite/interactive_utilities/r/mysql_secure_installation_ssl.result

@@ -0,0 +1,117 @@
+SET old_passwords=2;
+SELECT plugin into @plugin from mysql.user where user= 'root' and host='localhost';
+SELECT password_last_changed into @plc from mysql.user where user= 'root' and host='localhost';
+SELECT password into @pwd from mysql.user where user= 'root' and host='localhost';
+SELECT authentication_string into @auth_str from mysql.user where user= 'root' and host='localhost';
+update mysql.user set plugin= 'sha256_password', authentication_string= PASSWORD('123') where user='root' and host='localhost';
+FLUSH PRIVILEGES;
+call mtr.add_suppression("Dictionary file not specified");
+mysql_secure_installation: [Warning] Using a password on the command line interface can be insecure.
+
+Securing the MySQL server deployment.
+
+
+VALIDATE PASSWORD PLUGIN can be used to test passwords
+and improve security. It checks the strength of password
+and allows the users to set only those passwords which are
+secure enough. Would you like to setup VALIDATE PASSWORD plugin?
+
+Press y|Y for Yes, any other key for No: Using existing root password.
+Change the root password? (Press y|Y for Yes, any other key for No) : 
+ ... skipping.
+By default, a MySQL installation has an anonymous user,
+allowing anyone to log into MySQL without having to have
+a user account created for them. This is intended only for
+testing, and to make the installation go a bit smoother.
+You should remove them before moving into a production
+environment.
+
+Remove anonymous users? (Press y|Y for Yes, any other key for No) : 
+ ... skipping.
+
+
+Normally, root should only be allowed to connect from
+'localhost'. This ensures that someone cannot guess at
+the root password from the network.
+
+Disallow root login remotely? (Press y|Y for Yes, any other key for No) : 
+ ... skipping.
+By default, MySQL comes with a database named 'test' that
+anyone can access. This is also intended only for testing,
+and should be removed before moving into a production
+environment.
+
+
+Remove test database and access to it? (Press y|Y for Yes, any other key for No) : 
+ ... skipping.
+Reloading the privilege tables will ensure that all changes
+made so far will take effect immediately.
+
+Reload privilege tables now? (Press y|Y for Yes, any other key for No) : Execution number 1 was successful
+mysql_secure_installation: [Warning] Using a password on the command line interface can be insecure.
+
+Securing the MySQL server deployment.
+
+
+VALIDATE PASSWORD PLUGIN can be used to test passwords
+and improve security. It checks the strength of password
+and allows the users to set only those passwords which are
+secure enough. Would you like to setup VALIDATE PASSWORD plugin?
+
+Press y|Y for Yes, any other key for No: 
+There are three levels of password validation policy:
+
+LOW    Length >= 8
+MEDIUM Length >= 8, numeric, mixed case, and special characters
+STRONG Length >= 8, numeric, mixed case, special characters and dictionary                  file
+
+Please enter 0 = LOW, 1 = MEDIUM and 2 = STRONG: Using existing root password.
+
+Estimated strength of the password: 0 
+Change the root password? (Press y|Y for Yes, any other key for No) : 
+New password: 
+
+Re-enter new password: 
+
+Estimated strength of the password: 100 
+Do you wish to continue with the password provided?(Press y|Y for Yes, any other key for No) : By default, a MySQL installation has an anonymous user,
+allowing anyone to log into MySQL without having to have
+a user account created for them. This is intended only for
+testing, and to make the installation go a bit smoother.
+You should remove them before moving into a production
+environment.
+
+Remove anonymous users? (Press y|Y for Yes, any other key for No) : Success.
+
+
+Normally, root should only be allowed to connect from
+'localhost'. This ensures that someone cannot guess at
+the root password from the network.
+
+Disallow root login remotely? (Press y|Y for Yes, any other key for No) : Success.
+
+By default, MySQL comes with a database named 'test' that
+anyone can access. This is also intended only for testing,
+and should be removed before moving into a production
+environment.
+
+
+Remove test database and access to it? (Press y|Y for Yes, any other key for No) :  - Dropping test database...
+Success.
+
+ - Removing privileges on test database...
+Success.
+
+Reloading the privilege tables will ensure that all changes
+made so far will take effect immediately.
+
+Reload privilege tables now? (Press y|Y for Yes, any other key for No) : INSERT INTO mysql.user SELECT LOWER(@@hostname),'root','','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','',0,0,0,0,'mysql_native_password','','N',@password,NULL;
+REPLACE INTO mysql.user VALUES ('localhost','root','','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','',0,0,0,0,'mysql_native_password','','N',@password,NULL);
+REPLACE INTO mysql.user VALUES ('127.0.0.1','root','','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','',0,0,0,0,'mysql_native_password','','N',@password,NULL);
+REPLACE INTO mysql.user VALUES ('::1','root','','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','',0,0,0,0,'mysql_native_password','','N',@password,NULL);
+INSERT INTO mysql.db VALUES ('%','test','','Y','Y','Y','Y','Y','Y','N','Y','Y','Y','Y','Y','Y','Y','Y','N','N','Y','Y');
+INSERT INTO mysql.db VALUES ('%','test\_%','','Y','Y','Y','Y','Y','Y','N','Y','Y','Y','Y','Y','Y','Y','Y','N','N','Y','Y');
+UNINSTALL PLUGIN validate_password;
+UPDATE mysql.user SET password=@pwd, password_last_changed=@plc, authentication_string=@auth_str, plugin= @plugin;
+FLUSH PRIVILEGES;
+CREATE DATABASE test;

mysql-test/suite/interactive_utilities/t/mysql_secure_installation_ssl-master.opt

@@ -0,0 +1,4 @@
+$VALIDATE_PASSWORD_OPT
+--sha256_password_private_key_path=$MYSQL_TEST_DIR/std_data/rsa_private_key.pem
+--sha256_password_public_key_path=$MYSQL_TEST_DIR/std_data/rsa_public_key.pem
+--default_authentication_plugin=sha256_password

mysql-test/suite/interactive_utilities/t/mysql_secure_installation_ssl.test

@@ -0,0 +1,98 @@
+#
+# Copyright (c) 2014, Oracle and/or its affiliates. All rights reserved.
+#
+
+--source include/have_ssl_communication.inc
+--source include/have_openssl.inc
+
+SET old_passwords=2;
+SELECT plugin into @plugin from mysql.user where user= 'root' and host='localhost';
+SELECT password_last_changed into @plc from mysql.user where user= 'root' and host='localhost';
+SELECT password into @pwd from mysql.user where user= 'root' and host='localhost';
+SELECT authentication_string into @auth_str from mysql.user where user= 'root' and host='localhost';
+update mysql.user set plugin= 'sha256_password', authentication_string= PASSWORD('123') where user='root' and host='localhost';
+FLUSH PRIVILEGES;
+call mtr.add_suppression("Dictionary file not specified");
+--perl
+
+# Checking if perl Expect module is installed on the system.
+# If not, the test will be skipped.
+die "Please install the Expect module ." unless(eval{require Expect});
+
+use strict;
+require Expect;
+
+my @texp;
+my $i;
+
+# Aggregating the commands which are executed post the password is input to 
+# mysql_secure_installation into a function with the values no. 
+sub after_commands()
+{
+   $texp[$i]->expect(1,' -re ',[ 'any other key for No' => sub {
+$texp[$i]->send("n\n");}]);
+   $texp[$i]->expect(1,' -re ',[ 'any other key for No' => sub {
+$texp[$i]->send("n\n");}]);
+   $texp[$i]->expect(1,' -re ',[ 'anonymous users' => sub {
+$texp[$i]->send("n\n");}]);
+   $texp[$i]->expect(1,' -re ',[ 'root login' => sub {
+$texp[$i]->send("n\n");}]);
+   $texp[$i]->expect(1,' -re ',[ 'test database' => sub {
+$texp[$i]->send("n\n");}]);
+   $texp[$i]->expect(1,' -re ',[ 'Reload' => sub { $texp[$i]->send("n\n");}]);
+   print "Execution number $i was successful\n";
+}
+
+# Defining a new Expect object and invoking mysql_secure_installation
+sub initial_commands()
+{
+   $texp[$i] = new Expect();
+   $texp[$i]->raw_pty(1);
+   $texp[$i]->spawn("$ENV{MYSQL_SECURE_INSTALLATION}  -S $ENV{MASTER_MYSOCK} --password='123' ");
+}
+
+# Aggregating the commands which are executed post the password is input to 
+# mysql_secure_installation into a function with the values yes.
+sub after_effects()
+{
+   $texp[$i]->expect(1,' -re ',[ 'any other key for No' => sub {
+$texp[$i]->send("y\n");}]);
+   $texp[$i]->expect(1,' -re ',[ 'MEDIUM and 2 = STRONG' => sub {
+$texp[$i]->send("2\n");}]);
+   $texp[$i]->expect(1,' -re ',[ 'any other key for No' => sub {
+$texp[$i]->send("y\n");}]);
+   $texp[$i]->expect(1,' -re ',[ 'password' => sub {
+$texp[$i]->send("Vamsi#1234#\n");}]);
+   $texp[$i]->expect(1,' -re ',[ 'password' => sub {
+$texp[$i]->send("Vamsi#1234#\n");}]);
+   $texp[$i]->expect(1,' -re ',[ 'any other key for No' => sub {
+$texp[$i]->send("y\n");}]);
+   $texp[$i]->expect(1,' -re ',[ 'anonymous users' => sub {
+$texp[$i]->send("y\n");}]);
+   $texp[$i]->expect(1,' -re ',[ 'root login' => sub {
+$texp[$i]->send("y\n");}]);
+   $texp[$i]->expect(1,' -re ',[ 'test database' => sub {
+$texp[$i]->send("y\n");}]);
+   $texp[$i]->expect(1,' -re ',[ 'Reload' => sub { $texp[$i]->send("y\n");}]);
+}
+
+$i = 1;
+initial_commands();
+after_commands();
+$i++;
+
+initial_commands();
+after_effects();
+$i++;
+
+EOF
+INSERT INTO mysql.user SELECT LOWER(@@hostname),'root','','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','',0,0,0,0,'mysql_native_password','','N',@password,NULL;
+REPLACE INTO mysql.user VALUES ('localhost','root','','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','',0,0,0,0,'mysql_native_password','','N',@password,NULL);
+REPLACE INTO mysql.user VALUES ('127.0.0.1','root','','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','',0,0,0,0,'mysql_native_password','','N',@password,NULL);
+REPLACE INTO mysql.user VALUES ('::1','root','','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','',0,0,0,0,'mysql_native_password','','N',@password,NULL);
+INSERT INTO mysql.db VALUES ('%','test','','Y','Y','Y','Y','Y','Y','N','Y','Y','Y','Y','Y','Y','Y','Y','N','N','Y','Y');
+INSERT INTO mysql.db VALUES ('%','test\_%','','Y','Y','Y','Y','Y','Y','N','Y','Y','Y','Y','Y','Y','Y','Y','N','N','Y','Y');
+UNINSTALL PLUGIN validate_password;
+UPDATE mysql.user SET password=@pwd, password_last_changed=@plc, authentication_string=@auth_str, plugin= @plugin;
+FLUSH PRIVILEGES;
+CREATE DATABASE test;