diff --git a/.gitignore b/.gitignore index 28c9453..13b39ff 100644 --- a/.gitignore +++ b/.gitignore @@ -25,3 +25,4 @@ DBD-mysql-4.017.tar.gz /DBD-mysql-4.041.tar.gz /DBD-mysql-4.042.tar.gz /DBD-mysql-4.043.tar.gz +/DBD-mysql-4.044.tar.gz diff --git a/DBD-mysql-4.043-Add-new-connection-attribute-mysql_ssl_optional.patch b/DBD-mysql-4.043-Add-new-connection-attribute-mysql_ssl_optional.patch deleted file mode 100644 index 46d2641..0000000 --- a/DBD-mysql-4.043-Add-new-connection-attribute-mysql_ssl_optional.patch +++ /dev/null @@ -1,125 +0,0 @@ -diff --git a/MANIFEST b/MANIFEST -index 577b029..fba58e0 100644 ---- a/MANIFEST -+++ b/MANIFEST -@@ -70,6 +70,7 @@ t/88async-multi-stmts.t - t/89async-method-check.t - t/90no-async.t - t/91errcheck.t -+t/92ssl_optional.t - t/92ssl_backronym_vulnerability.t - t/92ssl_riddle_vulnerability.t - t/99_bug_server_prepare_blob_null.t -diff --git a/dbdimp.c b/dbdimp.c -index 7a71677..4c510ca 100644 ---- a/dbdimp.c -+++ b/dbdimp.c -@@ -1930,6 +1930,9 @@ MYSQL *mysql_dr_connect( - #endif - } - -+ if ((svp = hv_fetch(hv, "mysql_ssl_optional", 18, FALSE)) && *svp) -+ ssl_enforce = !SvTRUE(*svp); -+ - if ((svp = hv_fetch(hv, "mysql_ssl_client_key", 20, FALSE)) && *svp) - client_key = SvPV(*svp, lna); - -@@ -1959,7 +1962,9 @@ MYSQL *mysql_dr_connect( - - #ifdef HAVE_SSL_MODE - -- if (ssl_verify) -+ if (!ssl_enforce) -+ ssl_mode = SSL_MODE_PREFERRED; -+ else if (ssl_verify) - ssl_mode = SSL_MODE_VERIFY_IDENTITY; - else if (ca_file || ca_path) - ssl_mode = SSL_MODE_VERIFY_CA; -@@ -1972,6 +1977,7 @@ MYSQL *mysql_dr_connect( - - #else - -+ if (ssl_enforce) { - #if defined(HAVE_SSL_MODE_ONLY_REQUIRED) - ssl_mode = SSL_MODE_REQUIRED; - if (mysql_options(sock, MYSQL_OPT_SSL_MODE, &ssl_mode) != 0) { -@@ -1997,9 +2003,17 @@ MYSQL *mysql_dr_connect( - set_ssl_error(sock, "Enforcing SSL encryption is not supported"); - return NULL; - #endif -+ } -+ -+ #ifdef HAVE_SSL_VERIFY -+ if (!ssl_enforce && ssl_verify && ssl_verify_also_enforce_ssl()) { -+ set_ssl_error(sock, "mysql_ssl_optional=1 with mysql_ssl_verify_server_cert=1 is not supported"); -+ return NULL; -+ } -+ #endif - - if (ssl_verify) { -- if (!ssl_verify_usable() && ssl_verify_set) { -+ if (!ssl_verify_usable() && ssl_enforce && ssl_verify_set) { - set_ssl_error(sock, "mysql_ssl_verify_server_cert=1 is broken by current version of MySQL client"); - return NULL; - } -diff --git a/lib/DBD/mysql.pm b/lib/DBD/mysql.pm -index 572c229..f49d408 100644 ---- a/lib/DBD/mysql.pm -+++ b/lib/DBD/mysql.pm -@@ -1223,6 +1223,22 @@ cipher in the list is supported, encrypted connections will not work. - mysql_ssl_cipher=AES128-SHA - mysql_ssl_cipher=DHE-RSA-AES256-SHA:AES128-SHA - -+=item mysql_ssl_optional -+ -+Setting C to true disables strict SSL enforcement -+and makes SSL connection optional. This option opens security hole -+for man-in-the-middle attacks. Default value is false which means -+that C set to true enforce SSL encryption. -+ -+This option was introduced in 4.043 version of DBD::mysql. Due to -+L and L -+vulnerabilities in libmysqlclient library, enforcement of SSL -+encryption was not possbile and therefore C -+was effectively set for all DBD::mysql versions prior to 4.043. -+Starting with 4.043, DBD::mysql with C could refuse -+connection to MySQL server if underlaying libmysqlclient library is -+vulnerable. Option C can be used to make SSL -+connection vulnerable. - - =item mysql_local_infile - -diff --git a/t/92ssl_optional.t b/t/92ssl_optional.t -new file mode 100644 -index 0000000..54790a3 ---- /dev/null -+++ b/t/92ssl_optional.t -@@ -0,0 +1,28 @@ -+use strict; -+use warnings; -+ -+use Test::More; -+use DBI; -+ -+use vars qw($test_dsn $test_user $test_password); -+use lib 't', '.'; -+require "lib.pl"; -+ -+my $dbh; -+eval {$dbh= DBI->connect($test_dsn, $test_user, $test_password, -+ { PrintError => 0, RaiseError => 1 });}; -+if (!$dbh) { -+ plan skip_all => "no database connection"; -+} -+ -+my $have_ssl = eval { $dbh->selectrow_hashref("SHOW VARIABLES WHERE Variable_name = 'have_ssl'") }; -+$dbh->disconnect(); -+plan skip_all => 'Server supports SSL connections, cannot test fallback to plain text' if $have_ssl and $have_ssl->{Value} eq 'YES'; -+ -+plan tests => 2; -+ -+$dbh = DBI->connect($test_dsn, $test_user, $test_password, { PrintError => 1, RaiseError => 0, mysql_ssl => 1, mysql_ssl_optional => 1 }); -+ok(defined $dbh, 'DBD::mysql supports mysql_ssl_optional=1 and connect via plain text protocol when SSL is not supported by server') or diag('Error code: ' . ($DBI::err || 'none') . "\n" . 'Error message: ' . ($DBI::errstr || 'unknown')); -+ -+$dbh = DBI->connect($test_dsn, $test_user, $test_password, { PrintError => 1, RaiseError => 0, mysql_ssl => 1, mysql_ssl_optional => 1, mysql_ssl_ca_file => "" }); -+ok(defined $dbh, 'DBD::mysql supports mysql_ssl_optional=1 and connect via plain text protocol when SSL is not supported by server even with mysql_ssl_ca_file') or diag('Error code: ' . ($DBI::err || 'none') . "\n" . 'Error message: ' . ($DBI::errstr || 'unknown')); diff --git a/DBD-mysql-4.043-Add-new-database-handle-attribute-mysql_ssl_cipher.patch b/DBD-mysql-4.043-Add-new-database-handle-attribute-mysql_ssl_cipher.patch deleted file mode 100644 index 36a9e07..0000000 --- a/DBD-mysql-4.043-Add-new-database-handle-attribute-mysql_ssl_cipher.patch +++ /dev/null @@ -1,124 +0,0 @@ -diff --git a/MANIFEST b/MANIFEST -index fba58e0..7d625f8 100644 ---- a/MANIFEST -+++ b/MANIFEST -@@ -70,6 +70,7 @@ t/88async-multi-stmts.t - t/89async-method-check.t - t/90no-async.t - t/91errcheck.t -+t/92ssl_connection.t - t/92ssl_optional.t - t/92ssl_backronym_vulnerability.t - t/92ssl_riddle_vulnerability.t -diff --git a/dbdimp.c b/dbdimp.c -index 4c510ca..608a433 100644 ---- a/dbdimp.c -+++ b/dbdimp.c -@@ -2785,6 +2785,14 @@ SV* dbd_db_FETCH_attrib(SV *dbh, imp_dbh_t *imp_dbh, SV *keysv) - result= serverinfo ? - sv_2mortal(newSVpvn(serverinfo, strlen(serverinfo))) : &PL_sv_undef; - } -+#if ((MYSQL_VERSION_ID >= 50023 && MYSQL_VERSION_ID < 50100) || MYSQL_VERSION_ID >= 50111) -+ else if (kl == 10 && strEQ(key, "ssl_cipher")) -+ { -+ const char* ssl_cipher = mysql_get_ssl_cipher(imp_dbh->pmysql); -+ result= ssl_cipher ? -+ sv_2mortal(newSVpvn(ssl_cipher, strlen(ssl_cipher))) : &PL_sv_undef; -+ } -+#endif - else if (kl == 13 && strEQ(key, "serverversion")) - result= sv_2mortal(my_ulonglong2str(aTHX_ mysql_get_server_version(imp_dbh->pmysql))); - else if (strEQ(key, "sock")) -diff --git a/lib/DBD/mysql.pm b/lib/DBD/mysql.pm -index f49d408..26d8c53 100644 ---- a/lib/DBD/mysql.pm -+++ b/lib/DBD/mysql.pm -@@ -1437,18 +1437,19 @@ handles (read only): - - $errno = $dbh->{'mysql_errno'}; - $error = $dbh->{'mysql_error'}; -- $info = $dbh->{'mysql_hostinfo'}; -+ $hostinfo = $dbh->{'mysql_hostinfo'}; - $info = $dbh->{'mysql_info'}; - $insertid = $dbh->{'mysql_insertid'}; -- $info = $dbh->{'mysql_protoinfo'}; -- $info = $dbh->{'mysql_serverinfo'}; -- $info = $dbh->{'mysql_stat'}; -- $threadId = $dbh->{'mysql_thread_id'}; -+ $protoinfo = $dbh->{'mysql_protoinfo'}; -+ $serverinfo = $dbh->{'mysql_serverinfo'}; -+ $ssl_cipher = $dbh->{'mysql_ssl_cipher'}; -+ $stat = $dbh->{'mysql_stat'}; -+ $thread_id = $dbh->{'mysql_thread_id'}; - - These correspond to mysql_errno(), mysql_error(), mysql_get_host_info(), - mysql_info(), mysql_insert_id(), mysql_get_proto_info(), --mysql_get_server_info(), mysql_stat() and mysql_thread_id(), --respectively. -+mysql_get_server_info(), mysql_stat(), mysql_get_ssl_cipher() -+and mysql_thread_id() respectively. - - =over 2 - -@@ -1473,6 +1474,19 @@ against: - - 50200 - -+=item mysql_ssl_cipher -+ -+Returns the SSL encryption cipher used for the given connection to -+the server. In case SSL encryption was not enabled with C -+or was not established returns undef. -+ -+ my $ssl_cipher = $dbh->{mysql_ssl_cipher}; -+ if (defined $ssl_cipher) { -+ print "Connection with server is encrypted with cipher: $ssl_cipher\n"; -+ } else { -+ print "Connection with server is not encrypted\n"; -+ } -+ - =item mysql_dbd_stats - - $info_hashref = $dhb->{mysql_dbd_stats}; -diff --git a/t/92ssl_connection.t b/t/92ssl_connection.t -new file mode 100644 -index 0000000..9819b3b ---- /dev/null -+++ b/t/92ssl_connection.t -@@ -0,0 +1,36 @@ -+use strict; -+use warnings; -+ -+use Test::More; -+use DBI; -+ -+use vars qw($test_dsn $test_user $test_password); -+use lib 't', '.'; -+require "lib.pl"; -+ -+my $dbh; -+eval {$dbh= DBI->connect($test_dsn, $test_user, $test_password, -+ { PrintError => 0, RaiseError => 1 });}; -+if (!$dbh) { -+ plan skip_all => "no database connection"; -+} -+ -+my $have_ssl = eval { $dbh->selectrow_hashref("SHOW VARIABLES WHERE Variable_name = 'have_ssl'") }; -+$dbh->disconnect(); -+plan skip_all => 'Server does not support SSL connections' unless $have_ssl and $have_ssl->{Value} eq 'YES'; -+ -+plan tests => 4; -+ -+$dbh = DBI->connect($test_dsn, $test_user, $test_password, { PrintError => 0, RaiseError => 0, mysql_ssl => 1, mysql_ssl_optional => 1 }); -+ok(defined $dbh, 'DBD::mysql supports mysql_ssl=1 with mysql_ssl_optional=1 and connect to server') or diag('Error code: ' . ($DBI::err || 'none') . "\n" . 'Error message: ' . ($DBI::errstr || 'unknown')); -+ -+ok(defined $dbh && defined $dbh->{mysql_ssl_cipher}, 'SSL connection was established') and diag("mysql_ssl_cipher is: ". $dbh->{mysql_ssl_cipher}); -+ -+$dbh = DBI->connect($test_dsn, $test_user, $test_password, { PrintError => 0, RaiseError => 0, mysql_ssl => 1 }); -+if (defined $dbh) { -+ pass('DBD::mysql supports mysql_ssl=1 without mysql_ssl_optional=1 and connect to server'); -+ ok(defined $dbh->{mysql_ssl_cipher}, 'SSL connection was established'); -+} else { -+ is($DBI::errstr, 'SSL connection error: Enforcing SSL encryption is not supported', 'DBD::mysql supports mysql_ssl=1 without mysql_ssl_optional=1 and fail because cannot enforce SSL encryption') or diag('Error message: ' . ($DBI::errstr || 'unknown')); -+ is($DBI::err, 2026, 'DBD::mysql error code is SSL related') or diag('Error code: ' . ($DBI::err || 'unknown')); -+} diff --git a/DBD-mysql-4.043-Describe-all-SSL-related-attributes-in-POD.patch b/DBD-mysql-4.043-Describe-all-SSL-related-attributes-in-POD.patch deleted file mode 100644 index 685d16f..0000000 --- a/DBD-mysql-4.043-Describe-all-SSL-related-attributes-in-POD.patch +++ /dev/null @@ -1,78 +0,0 @@ -diff --git a/lib/DBD/mysql.pm b/lib/DBD/mysql.pm -index ec107a6..dc5eb06 100644 ---- a/lib/DBD/mysql.pm -+++ b/lib/DBD/mysql.pm -@@ -1162,7 +1162,10 @@ location for the socket than that built into the client. - A true value turns on the CLIENT_SSL flag when connecting to the MySQL - database: - -- mysql_ssl=1 -+When enabling SSL encryption you should set also other SSL options, -+at least mysql_ssl_ca_file or mysql_ssl_ca_path. -+ -+ mysql_ssl=1 mysql_ssl_verify_server_cert=1 mysql_ssl_ca_file=/path/to/ca_cert.pem - - This means that your communication with the server will be encrypted. - -@@ -1170,21 +1173,54 @@ Please note that this can only work if you enabled SSL when compiling - DBD::mysql; this is the default starting version 4.034. - See L for more details. - --If you turn mysql_ssl on, you might also wish to use the following --flags: -+=item mysql_ssl_ca_file -+ -+The path to a file in PEM format that contains a list of trusted SSL -+certificate authorities. -+ -+When set MySQL server certificate is checked that it is signed by some -+CA certificate in the list. Common Name value is not verified unless -+C is enabled. -+ -+=item mysql_ssl_ca_path -+ -+The path to a directory that contains trusted SSL certificate authority -+certificates in PEM format. -+ -+When set MySQL server certificate is checked that it is signed by some -+CA certificate in the list. Common Name value is not verified unless -+C is enabled. -+ -+Please note that this option is supported only if your MySQL client was -+compiled with OpenSSL library, and not with default yaSSL library. -+ -+=item mysql_ssl_verify_server_cert -+ -+Checks the server's Common Name value in the certificate that the server -+sends to the client. The client verifies that name against the host name -+the client uses for connecting to the server, and the connection fails if -+there is a mismatch. For encrypted connections, this option helps prevent -+man-in-the-middle attacks. -+ -+Verification of the host name is disabled by default. - - =item mysql_ssl_client_key - --=item mysql_ssl_client_cert -+The name of the SSL key file in PEM format to use for establishing -+a secure connection. - --=item mysql_ssl_ca_file -+=item mysql_ssl_client_cert - --=item mysql_ssl_ca_path -+The name of the SSL certificate file in PEM format to use for -+establishing a secure connection. - - =item mysql_ssl_cipher - --These are used to specify the respective parameters of a call --to mysql_ssl_set, if mysql_ssl is turned on. -+A list of permissible ciphers to use for connection encryption. If no -+cipher in the list is supported, encrypted connections will not work. -+ -+ mysql_ssl_cipher=AES128-SHA -+ mysql_ssl_cipher=DHE-RSA-AES256-SHA:AES128-SHA - - - =item mysql_local_infile diff --git a/DBD-mysql-4.043-Enforce-SSL-encryption.patch b/DBD-mysql-4.043-Enforce-SSL-encryption.patch deleted file mode 100644 index 52db1d6..0000000 --- a/DBD-mysql-4.043-Enforce-SSL-encryption.patch +++ /dev/null @@ -1,324 +0,0 @@ -diff --git a/MANIFEST b/MANIFEST -index c4e16cc..577b029 100644 ---- a/MANIFEST -+++ b/MANIFEST -@@ -70,6 +70,8 @@ t/88async-multi-stmts.t - t/89async-method-check.t - t/90no-async.t - t/91errcheck.t -+t/92ssl_backronym_vulnerability.t -+t/92ssl_riddle_vulnerability.t - t/99_bug_server_prepare_blob_null.t - t/lib.pl - t/manifest.t -diff --git a/dbdimp.c b/dbdimp.c -index 97fa9c4..7a71677 100644 ---- a/dbdimp.c -+++ b/dbdimp.c -@@ -1506,6 +1506,12 @@ void do_warn(SV* h, int rc, char* what) - } \ - } - -+static void set_ssl_error(MYSQL *sock, const char *error) -+{ -+ sock->net.last_errno = CR_SSL_CONNECTION_ERROR; -+ strcpy(sock->net.sqlstate, "HY000"); -+ my_snprintf(sock->net.last_error, sizeof(sock->net.last_error)-1, "SSL connection error: %-.100s", error); -+} - - /*************************************************************************** - * -@@ -1898,28 +1904,32 @@ MYSQL *mysql_dr_connect( - } - #endif - -+ if ((svp = hv_fetch(hv, "mysql_ssl", 9, FALSE)) && *svp && SvTRUE(*svp)) -+ { - #if defined(DBD_MYSQL_WITH_SSL) && !defined(DBD_MYSQL_EMBEDDED) && \ - (defined(CLIENT_SSL) || (MYSQL_VERSION_ID >= 40000)) -- if ((svp = hv_fetch(hv, "mysql_ssl", 9, FALSE)) && *svp) -- { -- if (SvTRUE(*svp)) -- { - char *client_key = NULL; - char *client_cert = NULL; - char *ca_file = NULL; - char *ca_path = NULL; - char *cipher = NULL; - STRLEN lna; --#if MYSQL_VERSION_ID >= SSL_VERIFY_VERSION && MYSQL_VERSION_ID <= SSL_LAST_VERIFY_VERSION -- /* -- New code to utilise MySQLs new feature that verifies that the -- server's hostname that the client connects to matches that of -- the certificate -- */ -- my_bool ssl_verify_true = 0; -- if ((svp = hv_fetch(hv, "mysql_ssl_verify_server_cert", 28, FALSE)) && *svp) -- ssl_verify_true = SvTRUE(*svp); --#endif -+ unsigned int ssl_mode; -+ my_bool ssl_enforce = 1; -+ my_bool ssl_verify = 0; -+ my_bool ssl_verify_set = 0; -+ -+ /* Verify if the hostname we connect to matches the hostname in the certificate */ -+ if ((svp = hv_fetch(hv, "mysql_ssl_verify_server_cert", 28, FALSE)) && *svp) { -+ #if defined(HAVE_SSL_VERIFY) || defined(HAVE_SSL_MODE) -+ ssl_verify = SvTRUE(*svp); -+ ssl_verify_set = 1; -+ #else -+ set_ssl_error(sock, "mysql_ssl_verify_server_cert=1 is not supported"); -+ return NULL; -+ #endif -+ } -+ - if ((svp = hv_fetch(hv, "mysql_ssl_client_key", 20, FALSE)) && *svp) - client_key = SvPV(*svp, lna); - -@@ -1941,13 +1951,84 @@ MYSQL *mysql_dr_connect( - - mysql_ssl_set(sock, client_key, client_cert, ca_file, - ca_path, cipher); --#if MYSQL_VERSION_ID >= SSL_VERIFY_VERSION && MYSQL_VERSION_ID <= SSL_LAST_VERIFY_VERSION -- mysql_options(sock, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, &ssl_verify_true); --#endif -+ -+ if (ssl_verify && !(ca_file || ca_path)) { -+ set_ssl_error(sock, "mysql_ssl_verify_server_cert=1 is not supported without mysql_ssl_ca_file or mysql_ssl_ca_path"); -+ return NULL; -+ } -+ -+ #ifdef HAVE_SSL_MODE -+ -+ if (ssl_verify) -+ ssl_mode = SSL_MODE_VERIFY_IDENTITY; -+ else if (ca_file || ca_path) -+ ssl_mode = SSL_MODE_VERIFY_CA; -+ else -+ ssl_mode = SSL_MODE_REQUIRED; -+ if (mysql_options(sock, MYSQL_OPT_SSL_MODE, &ssl_mode) != 0) { -+ set_ssl_error(sock, "Enforcing SSL encryption is not supported"); -+ return NULL; -+ } -+ -+ #else -+ -+ #if defined(HAVE_SSL_MODE_ONLY_REQUIRED) -+ ssl_mode = SSL_MODE_REQUIRED; -+ if (mysql_options(sock, MYSQL_OPT_SSL_MODE, &ssl_mode) != 0) { -+ set_ssl_error(sock, "Enforcing SSL encryption is not supported"); -+ return NULL; -+ } -+ #elif defined(HAVE_SSL_ENFORCE) -+ if (mysql_options(sock, MYSQL_OPT_SSL_ENFORCE, &ssl_enforce) != 0) { -+ set_ssl_error(sock, "Enforcing SSL encryption is not supported"); -+ return NULL; -+ } -+ #elif defined(HAVE_SSL_VERIFY) -+ if (!ssl_verify_also_enforce_ssl()) { -+ set_ssl_error(sock, "Enforcing SSL encryption is not supported"); -+ return NULL; -+ } -+ if (ssl_verify_set && !ssl_verify) { -+ set_ssl_error(sock, "Enforcing SSL encryption is not supported without mysql_ssl_verify_server_cert=1"); -+ return NULL; -+ } -+ ssl_verify = 1; -+ #else -+ set_ssl_error(sock, "Enforcing SSL encryption is not supported"); -+ return NULL; -+ #endif -+ -+ if (ssl_verify) { -+ if (!ssl_verify_usable() && ssl_verify_set) { -+ set_ssl_error(sock, "mysql_ssl_verify_server_cert=1 is broken by current version of MySQL client"); -+ return NULL; -+ } -+ #ifdef HAVE_SSL_VERIFY -+ if (mysql_options(sock, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, &ssl_verify) != 0) { -+ set_ssl_error(sock, "mysql_ssl_verify_server_cert=1 is not supported"); -+ return NULL; -+ } -+ #else -+ set_ssl_error(sock, "mysql_ssl_verify_server_cert=1 is not supported"); -+ return NULL; -+ #endif -+ } -+ -+ #endif -+ - client_flag |= CLIENT_SSL; -+#else -+ set_ssl_error(sock, "mysql_ssl=1 is not supported"); -+ return NULL; -+#endif - } -- } -+ else -+ { -+#ifdef HAVE_SSL_MODE -+ unsigned int ssl_mode = SSL_MODE_DISABLED; -+ mysql_options(sock, MYSQL_OPT_SSL_MODE, &ssl_mode); - #endif -+ } - #if (MYSQL_VERSION_ID >= 32349) - /* - * MySQL 3.23.49 disables LOAD DATA LOCAL by default. Use -diff --git a/dbdimp.h b/dbdimp.h -index 545beda..8aed561 100644 ---- a/dbdimp.h -+++ b/dbdimp.h -@@ -48,8 +48,6 @@ - #define LIMIT_PLACEHOLDER_VERSION 50007 - #define GEO_DATATYPE_VERSION 50007 - #define NEW_DATATYPE_VERSION 50003 --#define SSL_VERIFY_VERSION 50023 --#define SSL_LAST_VERIFY_VERSION 50799 - #define MYSQL_VERSION_5_0 50001 - /* This is to avoid the ugly #ifdef mess in dbdimp.c */ - #if MYSQL_VERSION_ID < SQL_STATE_VERSION -@@ -79,6 +77,58 @@ - #define true 1 - #define false 0 - -+#if defined(MARIADB_BASE_VERSION) || defined(MARIADB_VERSION_ID) -+#define MARIADB_CLIENT -+#endif -+ -+/* -+ * Check which SSL settings are supported by API at compile time -+ */ -+ -+/* Use mysql_options with MYSQL_OPT_SSL_VERIFY_SERVER_CERT */ -+#if ((MYSQL_VERSION_ID >= 50023 && MYSQL_VERSION_ID < 50100) || MYSQL_VERSION_ID >= 50111) && (MYSQL_VERSION_ID < 80000 || defined(MARIADB_CLIENT)) -+#define HAVE_SSL_VERIFY -+#endif -+ -+/* Use mysql_options with MYSQL_OPT_SSL_ENFORCE */ -+#if !defined(MARIADB_CLIENT) && MYSQL_VERSION_ID >= 50703 && MYSQL_VERSION_ID < 80000 && MYSQL_VERSION_ID != 60000 -+#define HAVE_SSL_ENFORCE -+#endif -+ -+/* Use mysql_options with MYSQL_OPT_SSL_MODE */ -+#if !defined(MARIADB_CLIENT) && MYSQL_VERSION_ID >= 50711 && MYSQL_VERSION_ID != 60000 -+#define HAVE_SSL_MODE -+#endif -+ -+/* Use mysql_options with MYSQL_OPT_SSL_MODE, but only SSL_MODE_REQUIRED is supported */ -+#if !defined(MARIADB_CLIENT) && ((MYSQL_VERSION_ID >= 50636 && MYSQL_VERSION_ID < 50700) || (MYSQL_VERSION_ID >= 50555 && MYSQL_VERSION_ID < 50600)) -+#define HAVE_SSL_MODE_ONLY_REQUIRED -+#endif -+ -+/* -+ * Check which SSL settings are supported by API at runtime -+ */ -+ -+/* MYSQL_OPT_SSL_VERIFY_SERVER_CERT automatically enforce SSL mode */ -+PERL_STATIC_INLINE bool ssl_verify_also_enforce_ssl(void) { -+#ifdef MARIADB_CLIENT -+ my_ulonglong version = mysql_get_client_version(); -+ return ((version >= 50544 && version < 50600) || (version >= 100020 && version < 100100) || version >= 100106); -+#else -+ return false; -+#endif -+} -+ -+/* MYSQL_OPT_SSL_VERIFY_SERVER_CERT is not vulnerable (CVE-2016-2047) and can be used */ -+PERL_STATIC_INLINE bool ssl_verify_usable(void) { -+ my_ulonglong version = mysql_get_client_version(); -+#ifdef MARIADB_CLIENT -+ return ((version >= 50547 && version < 50600) || (version >= 100023 && version < 100100) || version >= 100110); -+#else -+ return ((version >= 50549 && version < 50600) || (version >= 50630 && version < 50700) || version >= 50712); -+#endif -+} -+ - /* - * The following are return codes passed in $h->err in case of - * errors by DBD::mysql. -diff --git a/lib/DBD/mysql.pm b/lib/DBD/mysql.pm -index dc5eb06..572c229 100644 ---- a/lib/DBD/mysql.pm -+++ b/lib/DBD/mysql.pm -@@ -1160,7 +1160,8 @@ location for the socket than that built into the client. - =item mysql_ssl - - A true value turns on the CLIENT_SSL flag when connecting to the MySQL --database: -+server and enforce SSL encryption. A false value (which is default) -+disable SSL encryption with the MySQL server. - - When enabling SSL encryption you should set also other SSL options, - at least mysql_ssl_ca_file or mysql_ssl_ca_path. -diff --git a/t/92ssl_backronym_vulnerability.t b/t/92ssl_backronym_vulnerability.t -new file mode 100644 -index 0000000..5237c6d ---- /dev/null -+++ b/t/92ssl_backronym_vulnerability.t -@@ -0,0 +1,30 @@ -+use strict; -+use warnings; -+ -+use Test::More; -+use DBI; -+ -+use vars qw($test_dsn $test_user $test_password); -+use lib 't', '.'; -+require "lib.pl"; -+ -+my $dbh; -+eval {$dbh= DBI->connect($test_dsn, $test_user, $test_password, -+ { PrintError => 0, RaiseError => 1 });}; -+if (!$dbh) { -+ plan skip_all => "no database connection"; -+} -+ -+my $have_ssl = eval { $dbh->selectrow_hashref("SHOW VARIABLES WHERE Variable_name = 'have_ssl'") }; -+$dbh->disconnect(); -+plan skip_all => 'Server supports SSL connections, cannot test false-positive enforcement' if $have_ssl and $have_ssl->{Value} eq 'YES'; -+ -+plan tests => 4; -+ -+$dbh = DBI->connect($test_dsn, $test_user, $test_password, { PrintError => 0, RaiseError => 0, mysql_ssl => 1 }); -+ok(!defined $dbh, 'DBD::mysql refused connection to non-SSL server with mysql_ssl=1 and correct user and password'); -+is($DBI::err, 2026, 'DBD::mysql error message is SSL related') or diag('Error message: ' . ($DBI::errstr || 'unknown')); -+ -+$dbh = DBI->connect($test_dsn, $test_user, $test_password, { PrintError => 0, RaiseError => 0, mysql_ssl => 1, mysql_ssl_verify_server_cert => 1, mysql_ssl_ca_file => "" }); -+ok(!defined $dbh, 'DBD::mysql refused connection to non-SSL server with mysql_ssl=1, mysql_ssl_verify_server_cert=1 and correct user and password'); -+is($DBI::err, 2026, 'DBD::mysql error message is SSL related') or diag('Error message: ' . ($DBI::errstr || 'unknown')); -diff --git a/t/92ssl_riddle_vulnerability.t b/t/92ssl_riddle_vulnerability.t -new file mode 100644 -index 0000000..2354a73 ---- /dev/null -+++ b/t/92ssl_riddle_vulnerability.t -@@ -0,0 +1,30 @@ -+use strict; -+use warnings; -+ -+use Test::More; -+use DBI; -+ -+use vars qw($test_dsn $test_user $test_password); -+use lib 't', '.'; -+require "lib.pl"; -+ -+my $dbh; -+eval {$dbh= DBI->connect($test_dsn, $test_user, $test_password, -+ { PrintError => 0, RaiseError => 1 });}; -+if (!$dbh) { -+ plan skip_all => "no database connection"; -+} -+ -+my $have_ssl = eval { $dbh->selectrow_hashref("SHOW VARIABLES WHERE Variable_name = 'have_ssl'") }; -+$dbh->disconnect(); -+plan skip_all => 'Server supports SSL connections, cannot test false-positive enforcement' if $have_ssl and $have_ssl->{Value} eq 'YES'; -+ -+plan tests => 4; -+ -+$dbh = DBI->connect($test_dsn, '4yZ73s9qeECdWi', '64heUGwAsVoNqo', { PrintError => 0, RaiseError => 0, mysql_ssl => 1 }); -+ok(!defined $dbh, 'DBD::mysql refused connection to non-SSL server with mysql_ssl=1 and incorrect user and password'); -+is($DBI::err, 2026, 'DBD::mysql error message is SSL related') or diag('Error message: ' . ($DBI::errstr || 'unknown')); -+ -+$dbh = DBI->connect($test_dsn, '4yZ73s9qeECdWi', '64heUGwAsVoNqo', { PrintError => 0, RaiseError => 0, mysql_ssl => 1, mysql_ssl_verify_server_cert => 1, mysql_ssl_ca_file => "" }); -+ok(!defined $dbh, 'DBD::mysql refused connection to non-SSL server with mysql_ssl=1, mysql_ssl_verify_server_cert=1 and incorrect user and password'); -+is($DBI::err, 2026, 'DBD::mysql error message is SSL related') or diag('Error message: ' . ($DBI::errstr || 'unknown')); diff --git a/DBD-mysql-4.043-Fix-build-failures-for-MariaDB-10.2.patch b/DBD-mysql-4.043-Fix-build-failures-for-MariaDB-10.2.patch index 571e357..6e882b8 100644 --- a/DBD-mysql-4.043-Fix-build-failures-for-MariaDB-10.2.patch +++ b/DBD-mysql-4.043-Fix-build-failures-for-MariaDB-10.2.patch @@ -21,7 +21,7 @@ diff --git a/dbdimp.c b/dbdimp.c index 71251da..97fa9c4 100644 --- a/dbdimp.c +++ b/dbdimp.c -@@ -1979,6 +1979,9 @@ MYSQL *mysql_dr_connect( +@@ -2104,6 +2104,9 @@ MYSQL *mysql_dr_connect( if (result) { @@ -31,7 +31,7 @@ index 71251da..97fa9c4 100644 #if MYSQL_VERSION_ID >=SERVER_PREPARE_VERSION /* connection succeeded. */ /* imp_dbh == NULL when mysql_dr_connect() is called from mysql.xs -@@ -1997,7 +2000,11 @@ MYSQL *mysql_dr_connect( +@@ -2122,7 +2125,11 @@ MYSQL *mysql_dr_connect( we turn off Mysql's auto reconnect and handle re-connecting ourselves so that we can keep track of when this happens. */ diff --git a/DBD-mysql-4.043-Fix-use-after-free-after-calling-mysql_stmt_close.patch.txt b/DBD-mysql-4.043-Fix-use-after-free-after-calling-mysql_stmt_close.patch.txt deleted file mode 100644 index 96e4f48..0000000 --- a/DBD-mysql-4.043-Fix-use-after-free-after-calling-mysql_stmt_close.patch.txt +++ /dev/null @@ -1,52 +0,0 @@ -From 9ce10cfae7138c37c3a0cb2ba2a1d682482943d0 Mon Sep 17 00:00:00 2001 -From: Pali -Date: Sun, 25 Jun 2017 10:07:39 +0200 -Subject: [PATCH] Fix use-after-free after calling mysql_stmt_close() - -Ignore return value from mysql_stmt_close() and also its error message -because it points to freed memory after mysql_stmt_close() was called. ---- - dbdimp.c | 8 ++------ - mysql.xs | 7 ++----- - 2 files changed, 4 insertions(+), 11 deletions(-) - -diff --git a/dbdimp.c b/dbdimp.c -index c60a5f6..a6410e5 100644 ---- a/dbdimp.c -+++ b/dbdimp.c -@@ -4894,12 +4894,8 @@ void dbd_st_destroy(SV *sth, imp_sth_t *imp_sth) { - - if (imp_sth->stmt) - { -- if (mysql_stmt_close(imp_sth->stmt)) -- { -- do_error(DBIc_PARENT_H(imp_sth), mysql_stmt_errno(imp_sth->stmt), -- mysql_stmt_error(imp_sth->stmt), -- mysql_stmt_sqlstate(imp_sth->stmt)); -- } -+ mysql_stmt_close(imp_sth->stmt); -+ imp_sth->stmt= NULL; - } - #endif - -diff --git a/mysql.xs b/mysql.xs -index 55376e1..affde59 100644 ---- a/mysql.xs -+++ b/mysql.xs -@@ -434,11 +434,8 @@ do(dbh, statement, attr=Nullsv, ...) - if (bind) - Safefree(bind); - -- if(mysql_stmt_close(stmt)) -- { -- fprintf(stderr, "\n failed while closing the statement"); -- fprintf(stderr, "\n %s", mysql_stmt_error(stmt)); -- } -+ mysql_stmt_close(stmt); -+ stmt= NULL; - - if (retval == -2) /* -2 means error */ - { --- -1.7.9.5 - diff --git a/perl-DBD-MySQL.spec b/perl-DBD-MySQL.spec index 14e98e4..dfa0a75 100644 --- a/perl-DBD-MySQL.spec +++ b/perl-DBD-MySQL.spec @@ -1,21 +1,13 @@ Name: perl-DBD-MySQL -Version: 4.043 -Release: 7%{?dist} +Version: 4.044 +Release: 1%{?dist} Summary: A MySQL interface for Perl Group: Development/Libraries License: GPL+ or Artistic URL: http://search.cpan.org/dist/DBD-mysql/ -Source0: http://www.cpan.org/authors/id/M/MI/MICHIELB/DBD-mysql-%{version}.tar.gz -# Fix for CVE-2017-10788 -Patch0: DBD-mysql-4.043-Fix-use-after-free-after-calling-mysql_stmt_close.patch.txt +Source0: http://www.cpan.org/authors/id/C/CA/CAPTTOFU/DBD-mysql-%{version}.tar.gz # Fix for new version of MariaDB 10.2 -Patch1: DBD-mysql-4.043-Fix-build-failures-for-MariaDB-10.2.patch -# Fix for CVE-2017-10789 -# Backport https://github.com/perl5-dbi/DBD-mysql/pull/114 -Patch2: DBD-mysql-4.043-Describe-all-SSL-related-attributes-in-POD.patch -Patch3: DBD-mysql-4.043-Enforce-SSL-encryption.patch -Patch4: DBD-mysql-4.043-Add-new-connection-attribute-mysql_ssl_optional.patch -Patch5: DBD-mysql-4.043-Add-new-database-handle-attribute-mysql_ssl_cipher.patch +Patch0: DBD-mysql-4.043-Fix-build-failures-for-MariaDB-10.2.patch BuildRequires: coreutils BuildRequires: findutils BuildRequires: mariadb-connector-c @@ -54,11 +46,6 @@ management system. %prep %setup -q -n DBD-mysql-%{version} %patch0 -p1 -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch4 -p1 -%patch5 -p1 # Correct file permissions find . -type f | xargs chmod -x @@ -86,6 +73,9 @@ find %{buildroot} -type f -name '*.bs' -empty -delete %{_mandir}/man3/*.3* %changelog +* Tue Jan 23 2018 Jitka Plesnikova - 4.044-1 +- 4.044 bump + * Tue Dec 19 2017 Petr Pisar - 4.043-7 - Fix building against mariadb-5.5.56 diff --git a/sources b/sources index 430338d..defe496 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (DBD-mysql-4.043.tar.gz) = ef845052caabba7060e2e21d81f0791003509ec56741d92ff3a82196b528f81245ce1562539d89bc6e12584769739012325046b5e1c4e56febef108a7d2ae9ba +SHA512 (DBD-mysql-4.044.tar.gz) = e3dd9482e8f78c19dc91baba07e39e266f113ce5a014cfe6c5989c96ed0f85723a17ba6a6e00b65a1ed3c62362400bd3779eb63ed282f73587b4757da249af02