Merge branch 'mysql-5.6' into mysql-5.7

Author: Arun Kuruvila

mysql-test/r/ssl_ca.result

@@ -0,0 +1,24 @@
+#
+# Bug#21920657: SSL-CA FAILS SILENTLY IF THE PATH CANNOT BE FOUND
+#
+# try to connect with wrong '--ssl-ca' path : should fail
+ERROR 2026 (HY000): SSL connection error: SSL_CTX_set_default_verify_paths failed
+# try to connect with correct '--ssl-ca' path : should connect
+Variable_name	Value
+Ssl_cipher	SSL_CIPHER
+#
+# Bug#21920678: SSL-CA DOES NOT ACCEPT ~USER TILDE HOME DIRECTORY
+#               PATH SUBSTITUTION
+#
+# try to connect with '--ssl-ca' option using tilde home directoy
+# path substitution : should connect
+Variable_name	Value
+Ssl_cipher	SSL_CIPHER
+# try to connect with '--ssl-key' option using tilde home directoy
+# path substitution : should connect
+Variable_name	Value
+Ssl_cipher	SSL_CIPHER
+# try to connect with '--ssl-cert' option using tilde home directoy
+# path substitution : should connect
+Variable_name	Value
+Ssl_cipher	SSL_CIPHER

mysql-test/r/ssl_crl.result

@@ -21,3 +21,15 @@ ssl_crl	MYSQL_TEST_DIR/std_data/crl-client-revoked.crl
 ssl_crlpath	
 ssl_key	MYSQL_TEST_DIR/std_data/crl-server-key.pem
 # try logging in with a certificate in the server's --ssl-crl : should fail
+#
+# Bug#21920678: SSL-CA DOES NOT ACCEPT ~USER TILDE HOME DIRECTORY
+#               PATH SUBSTITUTION
+#
+# try to connect with '--ssl-crl' option using tilde home directoy
+# path substitution : should connect
+Variable_name	Value
+Ssl_cipher	DHE-RSA-AES128-GCM-SHA256
+# try to connect with '--ssl-crlpath' option using tilde home directoy
+# path substitution : should connect
+Variable_name	Value
+Ssl_cipher	DHE-RSA-AES128-GCM-SHA256

mysql-test/t/ssl_ca-master.opt

@@ -0,0 +1,3 @@
+--ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem
+--ssl-key=$MYSQL_TEST_DIR/std_data/crl-server-key.pem
+--ssl-cert=$MYSQL_TEST_DIR/std_data/crl-server-cert.pem

mysql-test/t/ssl_ca.test

@@ -0,0 +1,36 @@
+--source include/have_ssl.inc
+--source include/not_embedded.inc
+
+--echo #
+--echo # Bug#21920657: SSL-CA FAILS SILENTLY IF THE PATH CANNOT BE FOUND
+--echo #
+
+--echo # try to connect with wrong '--ssl-ca' path : should fail
+--error 1
+--exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/wrong-crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-cert.pem test -e "SHOW STATUS LIKE 'Ssl_cipher'" 2>&1
+
+--echo # try to connect with correct '--ssl-ca' path : should connect
+--replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+--exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-cert.pem test -e "SHOW STATUS LIKE 'Ssl_cipher'"
+
+--echo #
+--echo # Bug#21920678: SSL-CA DOES NOT ACCEPT ~USER TILDE HOME DIRECTORY
+--echo #               PATH SUBSTITUTION
+--echo #
+
+--let $mysql_test_dir_path= `SELECT REPLACE('$MYSQL_TEST_DIR', '$HOME', '~')`
+
+--echo # try to connect with '--ssl-ca' option using tilde home directoy
+--echo # path substitution : should connect
+--replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+--exec $MYSQL --ssl-ca=$mysql_test_dir_path/std_data/crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-cert.pem test -e "SHOW STATUS LIKE 'Ssl_cipher'"
+
+--echo # try to connect with '--ssl-key' option using tilde home directoy
+--echo # path substitution : should connect
+--replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+--exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ssl-key=$mysql_test_dir_path/std_data/crl-client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-cert.pem test -e "SHOW STATUS LIKE 'Ssl_cipher'"
+
+--echo # try to connect with '--ssl-cert' option using tilde home directoy
+--echo # path substitution : should connect
+--replace_result DHE-RSA-AES128-GCM-SHA256 SSL_CIPHER DHE-RSA-AES256-SHA SSL_CIPHER
+--exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-key.pem --ssl-cert=$mysql_test_dir_path/std_data/crl-client-cert.pem test -e "SHOW STATUS LIKE 'Ssl_cipher'"

mysql-test/t/ssl_crl.test

@@ -21,3 +21,20 @@ if (!$crllen)
 --replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR
 --error 1
 --exec $MYSQL --ssl-mode=VERIFY_CA --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-revoked-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-revoked-cert.pem test -e "SHOW VARIABLES like '%ssl%';"
+
+--echo #
+--echo # Bug#21920678: SSL-CA DOES NOT ACCEPT ~USER TILDE HOME DIRECTORY
+--echo #               PATH SUBSTITUTION
+--echo #
+
+--let $mysql_test_dir_path= `SELECT REPLACE('$MYSQL_TEST_DIR', '$HOME', '~')`
+
+--echo # try to connect with '--ssl-crl' option using tilde home directoy
+--echo # path substitution : should connect
+--replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR
+--exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-cert.pem test --ssl-crl=$mysql_test_dir_path/std_data/crl-client-revoked.crl -e "SHOW STATUS LIKE 'Ssl_cipher'"
+
+--echo # try to connect with '--ssl-crlpath' option using tilde home directoy
+--echo # path substitution : should connect
+--replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR
+--exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-cert.pem --ssl-crlpath=$mysql_test_dir_path/std_data/crldir test -e "SHOW STATUS LIKE 'Ssl_cipher'"

sql-common/client.c

@@ -1744,6 +1744,24 @@ static int add_init_command(struct st_mysql_options *options, const char *cmd)
     } while(0)
 #endif
 
+static char *set_ssl_option_unpack_path(struct st_mysql_options *options,
+                                        const char *arg, unsigned int mode)
+{
+  char *opt_var= NULL;
+  if (arg)
+  {
+    char *buff= (char *)my_malloc(key_memory_mysql_options, FN_REFLEN + 1,
+                                  MYF(MY_WME));
+    unpack_filename(buff, (char *)arg);
+    opt_var= my_strdup(key_memory_mysql_options, buff, MYF(MY_WME));
+    ENSURE_EXTENSIONS_PRESENT(options);
+    options->extension->ssl_mode= mode;
+    my_free(buff);
+  }
+  return opt_var;
+}
+
+
 void mysql_read_default_options(struct st_mysql_options *options,
 				const char *filename,const char *group)
 {
@@ -5485,27 +5503,49 @@ mysql_options(MYSQL *mysql,enum mysql_option option, const void *arg)
     EXTENSION_SET_STRING(&mysql->options, default_auth, arg);
     break;
   case MYSQL_OPT_SSL_KEY:
-    SET_SSL_OPTION(ssl_key, arg, SSL_MODE_PREFERRED);
+    if (mysql->options.ssl_key)
+      my_free(mysql->options.ssl_key);
+    mysql->options.ssl_key= set_ssl_option_unpack_path(&mysql->options, arg,
+                                                       SSL_MODE_PREFERRED);
     break;
   case MYSQL_OPT_SSL_CERT:
-    SET_SSL_OPTION(ssl_cert, arg, SSL_MODE_PREFERRED);
+    if (mysql->options.ssl_cert)
+      my_free(mysql->options.ssl_cert);
+    mysql->options.ssl_cert= set_ssl_option_unpack_path(&mysql->options, arg,
+                                                        SSL_MODE_PREFERRED);
     break;
   case MYSQL_OPT_SSL_CA:
-    SET_SSL_OPTION(ssl_ca, arg, SSL_MODE_VERIFY_CA);
+    if (mysql->options.ssl_ca)
+      my_free(mysql->options.ssl_ca);
+    mysql->options.ssl_ca= set_ssl_option_unpack_path(&mysql->options, arg,
+                                                      SSL_MODE_VERIFY_CA);
     break;
   case MYSQL_OPT_SSL_CAPATH:
-    SET_SSL_OPTION(ssl_capath, arg, SSL_MODE_VERIFY_CA);
+    if (mysql->options.ssl_capath)
+      my_free(mysql->options.ssl_capath);
+    mysql->options.ssl_capath= set_ssl_option_unpack_path(&mysql->options, arg,
+                                                          SSL_MODE_VERIFY_CA);
     break;
   case MYSQL_OPT_SSL_CIPHER:
     SET_SSL_OPTION(ssl_cipher, arg, SSL_MODE_PREFERRED);
     break;
   case MYSQL_OPT_SSL_CRL:
-    EXTENSION_SET_SSL_STRING(&mysql->options, ssl_crl, arg,
-                             SSL_MODE_PREFERRED);
+    if (mysql->options.extension)
+      my_free(mysql->options.extension->ssl_crl);
+    else
+      ALLOCATE_EXTENSIONS(&mysql->options);
+    mysql->options.extension->ssl_crl=
+                   set_ssl_option_unpack_path(&mysql->options, arg,
+                                              SSL_MODE_PREFERRED);
     break;
   case MYSQL_OPT_SSL_CRLPATH:
-    EXTENSION_SET_SSL_STRING(&mysql->options, ssl_crlpath, arg,
-                             SSL_MODE_PREFERRED);
+    if (mysql->options.extension)
+      my_free(mysql->options.extension->ssl_crlpath);
+    else
+      ALLOCATE_EXTENSIONS(&mysql->options);
+    mysql->options.extension->ssl_crlpath=
+                   set_ssl_option_unpack_path(&mysql->options, arg,
+                                              SSL_MODE_PREFERRED);
     break;
   case MYSQL_OPT_TLS_VERSION:
 #if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY)

vio/viosslfactories.c

@@ -1,4 +1,4 @@
-/* Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -564,7 +564,7 @@ new_VioSSLFd(const char *key_file, const char *cert_file,
   }
 
   /* Load certs from the trusted ca */
-  if (SSL_CTX_load_verify_locations(ssl_fd->ssl_context, ca_file, ca_path) == 0)
+  if (SSL_CTX_load_verify_locations(ssl_fd->ssl_context, ca_file, ca_path) <= 0)
   {
     DBUG_PRINT("warning", ("SSL_CTX_load_verify_locations failed"));
     if (ca_file || ca_path)