WL#12361: Support TLS 1.3 in the server and libmysql

Author: Ramil Kalimullin

client/base/ssl_options.cc

@@ -1,5 +1,5 @@
 /*
-   Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
+   Copyright (c) 2015, 2019, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License, version 2.0,
@@ -56,6 +56,8 @@ void Mysql_connection_options::Ssl_options::create_options() {
                           "X509 cert in PEM format.");
   this->create_new_option(&::opt_ssl_cipher, "ssl-cipher",
                           "SSL cipher to use.");
+  this->create_new_option(&::opt_tls_ciphersuites, "tls-ciphersuites",
+                          "TLS v1.3 cipher to use.");
   this->create_new_option(&::opt_ssl_key, "ssl-key", "X509 key in PEM format.");
   this->create_new_option(&::opt_ssl_crl, "ssl-crl",
                           "Certificate revocation list.");

client/client_priv.h

@@ -1,5 +1,5 @@
 /*
-   Copyright (c) 2001, 2018, Oracle and/or its affiliates. All rights reserved.
+   Copyright (c) 2001, 2019, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License, version 2.0,
@@ -171,6 +171,7 @@ enum options_client {
   OPT_SSL_MODE,
   OPT_PRINT_TABLE_METADATA,
   OPT_SSL_FIPS_MODE,
+  OPT_TLS_CIPHERSUITES,
   /* Add new option above this */
   OPT_MAX_CLIENT_OPTION
 };

cmake/ssl.cmake

@@ -1,4 +1,4 @@
-# Copyright (c) 2009, 2018, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2009, 2019, Oracle and/or its affiliates. All rights reserved.
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License, version 2.0,
@@ -308,6 +308,13 @@ MACRO (MYSQL_CHECK_SSL)
         "^.*OPENSSL_VERSION_NUMBER[\t ]+0x[0-9]([0-9][0-9]).*$" "\\1"
         OPENSSL_MINOR_VERSION "${OPENSSL_VERSION_NUMBER}"
         )
+      STRING(REGEX REPLACE
+        "^.*OPENSSL_VERSION_NUMBER[\t ]+0x[0-9][0-9][0-9]([0-9][0-9]).*$" "\\1"
+        OPENSSL_FIX_VERSION "${OPENSSL_VERSION_NUMBER}"
+        )
+    ENDIF()
+    IF("${OPENSSL_MAJOR_VERSION}.${OPENSSL_MINOR_VERSION}.${OPENSSL_FIX_VERSION}" VERSION_GREATER "1.1.0")
+       ADD_DEFINITIONS(-DHAVE_TLSv13)
     ENDIF()
     IF(OPENSSL_INCLUDE_DIR AND
        OPENSSL_LIBRARY   AND
@@ -379,6 +386,7 @@ MACRO (MYSQL_CHECK_SSL)
     MESSAGE(STATUS "CRYPTO_LIBRARY = ${CRYPTO_LIBRARY}")
     MESSAGE(STATUS "OPENSSL_MAJOR_VERSION = ${OPENSSL_MAJOR_VERSION}")
     MESSAGE(STATUS "OPENSSL_MINOR_VERSION = ${OPENSSL_MINOR_VERSION}")
+    MESSAGE(STATUS "OPENSSL_FIX_VERSION = ${OPENSSL_FIX_VERSION}")
     # The server hangs in OpenSSL_add_all_algorithms() in ssl_start()
     IF(WIN32 AND OPENSSL_MINOR_VERSION VERSION_EQUAL 1)
       MESSAGE(WARNING "OpenSSL 1.1 is experimental on Windows")

include/mysql.h

@@ -1,4 +1,4 @@
-/* Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License, version 2.0,
@@ -207,7 +207,8 @@ enum mysql_option {
   MYSQL_OPT_GET_SERVER_PUBLIC_KEY,
   MYSQL_OPT_RETRY_COUNT,
   MYSQL_OPT_OPTIONAL_RESULTSET_METADATA,
-  MYSQL_OPT_SSL_FIPS_MODE
+  MYSQL_OPT_SSL_FIPS_MODE,
+  MYSQL_OPT_TLS_CIPHERSUITES
 };
 
 /**

include/mysql.h.pp

@@ -393,7 +393,8 @@
   MYSQL_OPT_GET_SERVER_PUBLIC_KEY,
   MYSQL_OPT_RETRY_COUNT,
   MYSQL_OPT_OPTIONAL_RESULTSET_METADATA,
-  MYSQL_OPT_SSL_FIPS_MODE
+  MYSQL_OPT_SSL_FIPS_MODE,
+  MYSQL_OPT_TLS_CIPHERSUITES
 };
 struct st_mysql_options_extention;
 struct st_mysql_options {

include/sql_common.h

@@ -1,7 +1,7 @@
 #ifndef SQL_COMMON_INCLUDED
 #define SQL_COMMON_INCLUDED
 
-/* Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2003, 2019, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License, version 2.0,
@@ -124,6 +124,7 @@ struct st_mysql_options_extention {
   unsigned int ssl_mode;
   unsigned int retry_count;
   unsigned int ssl_fips_mode; /* SSL fips mode for enforced encryption.*/
+  char *tls_ciphersuites;
 };
 
 struct MYSQL_METHODS {

include/sslopt-longopts.h

@@ -1,4 +1,4 @@
-/* Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License, version 2.0,
@@ -159,7 +159,7 @@
     {"tls-version",
      OPT_TLS_VERSION,
      "TLS version to use, "
-     "permitted values are: TLSv1, TLSv1.1, TLSv1.2",
+     "permitted values are: TLSv1, TLSv1.1, TLSv1.2, TLSv1.3",
      &opt_tls_version,
      &opt_tls_version,
      0,
@@ -190,4 +190,18 @@
      0,
      0,
      0},
+    {"tls-ciphersuites",
+     OPT_TLS_CIPHERSUITES,
+     "TLS v1.3 cipher to use.",
+     &opt_tls_ciphersuites,
+     &opt_tls_ciphersuites,
+     0,
+     GET_STR,
+     REQUIRED_ARG,
+     0,
+     0,
+     0,
+     0,
+     0,
+     0},
 #endif /* HAVE_OPENSSL */

include/sslopt-vars.h

@@ -1,4 +1,4 @@
-/* Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License, version 2.0,
@@ -70,6 +70,7 @@ static char *opt_ssl_ca = 0;
 static char *opt_ssl_capath = 0;
 static char *opt_ssl_cert = 0;
 static char *opt_ssl_cipher = 0;
+static char *opt_tls_ciphersuites = 0;
 static char *opt_ssl_key = 0;
 static char *opt_ssl_crl = 0;
 static char *opt_ssl_crlpath = 0;
@@ -102,6 +103,7 @@ static inline int set_client_ssl_options(MYSQL *mysql) {
   mysql_options(mysql, MYSQL_OPT_SSL_FIPS_MODE, &opt_ssl_fips_mode);
   if (opt_ssl_fips_mode > 0 && mysql_errno(mysql) == CR_SSL_FIPS_MODE_ERR)
     return 1;
+  mysql_options(mysql, MYSQL_OPT_TLS_CIPHERSUITES, opt_tls_ciphersuites);
 
   return 0;
 }

include/violite.h

@@ -1,4 +1,4 @@
-/* Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License, version 2.0,
@@ -262,8 +262,9 @@ int sslconnect(struct st_VioSSLFd *, MYSQL_VIO, long timeout,
 
 struct st_VioSSLFd *new_VioSSLConnectorFd(
     const char *key_file, const char *cert_file, const char *ca_file,
-    const char *ca_path, const char *cipher, enum enum_ssl_init_error *error,
-    const char *crl_file, const char *crl_path, const long ssl_ctx_flags);
+    const char *ca_path, const char *cipher, const char *ciphersuites,
+    enum enum_ssl_init_error *error, const char *crl_file, const char *crl_path,
+    const long ssl_ctx_flags);
 
 long process_tls_version(const char *tls_version);
 
@@ -273,8 +274,9 @@ uint get_fips_mode();
 
 struct st_VioSSLFd *new_VioSSLAcceptorFd(
     const char *key_file, const char *cert_file, const char *ca_file,
-    const char *ca_path, const char *cipher, enum enum_ssl_init_error *error,
-    const char *crl_file, const char *crl_path, const long ssl_ctx_flags);
+    const char *ca_path, const char *cipher, const char *ciphersuites,
+    enum enum_ssl_init_error *error, const char *crl_file, const char *crl_path,
+    const long ssl_ctx_flags);
 void free_vio_ssl_acceptor_fd(struct st_VioSSLFd *fd);
 
 void vio_ssl_end();

mysql-test/include/allowed_ciphers.inc

@@ -0,0 +1,7 @@
+#
+# List of allowed TLSv1.2 and TLSv1.3 ciphers which will be
+# replaced with "SSL_CIPHER" in the result files.
+# Usage: --replace_regex $ALLOWED_CIPHERS_REGEX
+#
+
+LET $ALLOWED_CIPHERS_REGEX = /ECDHE-RSA-AES128-GCM-SHA256|DHE-RSA-AES128-GCM-SHA256|DHE-RSA-AES256-SHA|ECDHE-RSA-AES128-SHA256|TLS_AES_128_GCM_SHA256|TLS_AES_256_GCM_SHA384|TLS_CHACHA20_POLY1305_SHA256/SSL_CIPHER/;

mysql-test/include/excludenoskip.list

@@ -106,6 +106,8 @@ have_ssl.inc
 have_ssl_crypto_functs.inc
 not_openssl.inc
 check_openssl_version.inc
+have_tlsv13.inc
+not_have_tlsv13.inc
 
 # 4.5 Reason for inclusion: Tests should run only with supported innodb page
 # sizes and skip on others. However, this can be handled using a custom

mysql-test/include/have_openssl.inc

@@ -3,3 +3,4 @@ let $shavars= query_get_value("SHOW STATUS LIKE 'Rsa_public_key'", Variable_name
 if ($shavars != 'Rsa_public_key'){
   skip Need OpenSSL support;
 }
+--source include/allowed_ciphers.inc

mysql-test/include/have_ssl.inc

@@ -3,3 +3,4 @@ if (!$have_ssl)
 {
   --skip Test requires 'have_ssl'
 }
+--source include/allowed_ciphers.inc

mysql-test/include/have_tlsv13.inc

@@ -0,0 +1,3 @@
+if (`SELECT @@GLOBAL.tls_version NOT LIKE '%TLSv1.3%'`) {
+  --skip Requires TLSv1.3
+}

mysql-test/include/not_have_tlsv13.inc

@@ -0,0 +1,3 @@
+if (`SELECT @@GLOBAL.tls_version LIKE '%TLSv1.3%'`) {
+  --skip Doesn't support TLSv1.3
+}

mysql-test/r/all_persisted_variables.result

@@ -43,17 +43,17 @@ include/assert.inc ['Expect 554 variables in the table. Due to open Bugs, we are
 
 # Test SET PERSIST
 
-include/assert.inc [Expect 374 persisted variables in the table. Due to open Bugs, we are checking for 369]
+include/assert.inc [Expect 375 persisted variables in the table. Due to open Bugs, we are checking for 370]
 
 ************************************************************
 * 3. Restart server, it must preserve the persisted variable
 *    settings. Verify persisted configuration.
 ************************************************************
 # restart
 
-include/assert.inc [Expect 369 persisted variables in persisted_variables table.]
-include/assert.inc [Expect 369 persisted variables shown as PERSISTED in variables_info table.]
-include/assert.inc [Expect 369 persisted variables with matching peristed and global values.]
+include/assert.inc [Expect 370 persisted variables in persisted_variables table.]
+include/assert.inc [Expect 370 persisted variables shown as PERSISTED in variables_info table.]
+include/assert.inc [Expect 370 persisted variables with matching peristed and global values.]
 
 ************************************************************
 * 4. Test RESET PERSIST IF EXISTS. Verify persisted variable

mysql-test/r/mysqld--help-notwin.result

@@ -1298,7 +1298,9 @@ The following options may be given as the first argument:
  Define threads usage for handling queries, one of
  one-thread-per-connection, no-threads, loaded-dynamically
  --thread-stack=#    The stack size for each thread
- --tls-version=name  TLS version, permitted values are TLSv1, TLSv1.1, TLSv1.2
+ --tls-ciphersuites=name 
+ --tls-version=name  TLS version, permitted values are TLSv1, TLSv1.1,
+ TLSv1.2, TLSv1.3
  --tmp-table-size=#  If an internal in-memory temporary table in the MEMORY
  storage engine exceeds this size, MySQL will
  automatically convert it to an on-disk table
@@ -1692,6 +1694,7 @@ temptable-use-mmap TRUE
 thread-cache-size 9
 thread-handling one-thread-per-connection
 thread-stack 262144
+tls-ciphersuites (No default value)
 tmp-table-size 16777216
 transaction-alloc-block-size 8192
 transaction-isolation REPEATABLE-READ

mysql-test/r/mysqld--help-win.result

@@ -1309,7 +1309,9 @@ The following options may be given as the first argument:
  Define threads usage for handling queries, one of
  one-thread-per-connection, no-threads, loaded-dynamically
  --thread-stack=#    The stack size for each thread
- --tls-version=name  TLS version, permitted values are TLSv1, TLSv1.1, TLSv1.2
+ --tls-ciphersuites=name 
+ --tls-version=name  TLS version, permitted values are TLSv1, TLSv1.1,
+ TLSv1.2, TLSv1.3
  --tmp-table-size=#  If an internal in-memory temporary table in the MEMORY
  storage engine exceeds this size, MySQL will
  automatically convert it to an on-disk table
@@ -1707,6 +1709,7 @@ temptable-use-mmap TRUE
 thread-cache-size 9
 thread-handling one-thread-per-connection
 thread-stack 262144
+tls-ciphersuites (No default value)
 tmp-table-size 16777216
 transaction-alloc-block-size 8192
 transaction-isolation REPEATABLE-READ

mysql-test/r/openssl_1.result

@@ -96,7 +96,7 @@ SHOW STATUS LIKE 'Ssl_cipher';
 Variable_name	Value
 Ssl_cipher	AES128-SHA
 WARNING: no verification of server certificate will be done. Use --ssl-mode=VERIFY_CA or VERIFY_IDENTITY.
-mysqltest: Could not open connection 'default': 2026 SSL connection error: Failed to set ciphers to use
+mysqltest: Could not open connection 'default': 2026 SSL connection error: xxxx
 CREATE TABLE t1(a int);
 INSERT INTO t1 VALUES (1), (2);
 

mysql-test/r/ssl_dynamic.result

@@ -22,6 +22,7 @@ present
 ################## FR 1.2: check if new sessions get the new vals
 # Save the defaults
 SET @orig_ssl_cipher = @@global.ssl_cipher;
+SET @orig_tls_version = @@global.tls_version;
 # in ssl_con
 # check if the session has the original values
 SHOW STATUS LIKE 'Ssl_cipher';
@@ -30,6 +31,7 @@ Ssl_cipher	orig_cipher
 # in default connection
 # setting new values for ssl_cipher
 SET GLOBAL ssl_cipher = "DHE-RSA-AES256-SHA256";
+SET GLOBAL tls_version = "TLSv1.2";
 ALTER INSTANCE RELOAD TLS;
 # in ssl_new_con
 # Save the new defaults
@@ -42,6 +44,7 @@ Ssl_cipher	orig_cipher;
 # cleanup
 # in default connection
 SET GLOBAL ssl_cipher = @orig_ssl_cipher;
+SET GLOBAL tls_version = @orig_tls_version;
 ALTER INSTANCE RELOAD TLS;
 ################## FR 1.5: new values effective only after RELOAD TLS
 # Save the defaults
@@ -123,6 +126,7 @@ SET @orig_ssl_capath= @@global.ssl_capath;
 SET @orig_ssl_crl= @@global.ssl_crl;
 SET @orig_ssl_crlpath= @@global.ssl_crlpath;
 SET @orig_ssl_cipher= @@global.ssl_cipher;
+SET @orig_tls_cipher= @@global.tls_ciphersuites;
 SET @orig_tls_version= @@global.tls_version;
 # Must pass
 SET GLOBAL ssl_ca = 'gizmo';
@@ -132,6 +136,7 @@ SET GLOBAL ssl_capath = 'gizmo';
 SET GLOBAL ssl_crl = 'gizmo';
 SET GLOBAL ssl_crlpath = 'gizmo';
 SET GLOBAL ssl_cipher = 'gizmo';
+SET GLOBAL tls_ciphersuites = 'gizmo';
 SET GLOBAL tls_version = 'gizmo';
 # Must fail
 SET SESSION ssl_ca = 'gizmo';
@@ -148,21 +153,24 @@ SET SESSION ssl_crlpath = 'gizmo';
 ERROR HY000: Variable 'ssl_crlpath' is a GLOBAL variable and should be set with SET GLOBAL
 SET SESSION ssl_cipher = 'gizmo';
 ERROR HY000: Variable 'ssl_cipher' is a GLOBAL variable and should be set with SET GLOBAL
+SET SESSION tls_ciphersuites = 'gizmo';
+ERROR HY000: Variable 'tls_ciphersuites' is a GLOBAL variable and should be set with SET GLOBAL
 SET SESSION tls_version = 'gizmo';
 ERROR HY000: Variable 'tls_version' is a GLOBAL variable and should be set with SET GLOBAL
-# FR6: Must return 8
+# FR6: Must return 9
 SELECT VARIABLE_NAME FROM performance_schema.session_status WHERE
 VARIABLE_NAME IN
 ('Current_tls_ca', 'Current_tls_capath', 'Current_tls_cert',
 'Current_tls_key', 'Current_tls_version', 'Current_tls_cipher',
-'Current_tls_crl', 'Current_tls_crlpath') AND
+'Current_tls_ciphersuites', 'Current_tls_crl', 'Current_tls_crlpath') AND
 VARIABLE_VALUE != 'gizmo'
   ORDER BY VARIABLE_NAME;
 VARIABLE_NAME
 Current_tls_ca
 Current_tls_capath
 Current_tls_cert
 Current_tls_cipher
+Current_tls_ciphersuites
 Current_tls_crl
 Current_tls_crlpath
 Current_tls_key
@@ -175,6 +183,7 @@ SET GLOBAL ssl_capath = @orig_ssl_capath;
 SET GLOBAL ssl_crl = @orig_ssl_crl;
 SET GLOBAL ssl_crlpath = @orig_ssl_crlpath;
 SET GLOBAL ssl_cipher = @orig_ssl_cipher;
+SET GLOBAL tls_ciphersuites = @orig_tls_ciphersuites;
 SET GLOBAL tls_version = @orig_tls_version;
 ################## FR8: X plugin do not follow
 # Save the defaults

mysql-test/suite/auth_sec/r/tls.result

@@ -9,7 +9,7 @@ Variable_name	Value
 Ssl_cipher	SSL_CIPHER
 #T3: Setting TLS version TLSv1.2 from the client
 Variable_name	Value
-Ssl_version	TLS_VERSION
+Ssl_version	TLSv1.2
 #T4: Setting TLS version TLSv1.1 from the client
 Variable_name	Value
 Ssl_version	TLSv1.1