Fixed CVE-2017-10789 (bug #1467600)

This commit is contained in:
Jitka Plesnikova 2017-12-04 16:37:35 +01:00
parent 1e4724db89
commit f9abbc81ab
5 changed files with 665 additions and 1 deletions

View File

@ -0,0 +1,125 @@
diff --git a/MANIFEST b/MANIFEST
index 577b029..fba58e0 100644
--- a/MANIFEST
+++ b/MANIFEST
@@ -70,6 +70,7 @@ t/88async-multi-stmts.t
t/89async-method-check.t
t/90no-async.t
t/91errcheck.t
+t/92ssl_optional.t
t/92ssl_backronym_vulnerability.t
t/92ssl_riddle_vulnerability.t
t/99_bug_server_prepare_blob_null.t
diff --git a/dbdimp.c b/dbdimp.c
index 7a71677..4c510ca 100644
--- a/dbdimp.c
+++ b/dbdimp.c
@@ -1930,6 +1930,9 @@ MYSQL *mysql_dr_connect(
#endif
}
+ if ((svp = hv_fetch(hv, "mysql_ssl_optional", 18, FALSE)) && *svp)
+ ssl_enforce = !SvTRUE(*svp);
+
if ((svp = hv_fetch(hv, "mysql_ssl_client_key", 20, FALSE)) && *svp)
client_key = SvPV(*svp, lna);
@@ -1959,7 +1962,9 @@ MYSQL *mysql_dr_connect(
#ifdef HAVE_SSL_MODE
- if (ssl_verify)
+ if (!ssl_enforce)
+ ssl_mode = SSL_MODE_PREFERRED;
+ else if (ssl_verify)
ssl_mode = SSL_MODE_VERIFY_IDENTITY;
else if (ca_file || ca_path)
ssl_mode = SSL_MODE_VERIFY_CA;
@@ -1972,6 +1977,7 @@ MYSQL *mysql_dr_connect(
#else
+ if (ssl_enforce) {
#if defined(HAVE_SSL_MODE_ONLY_REQUIRED)
ssl_mode = SSL_MODE_REQUIRED;
if (mysql_options(sock, MYSQL_OPT_SSL_MODE, &ssl_mode) != 0) {
@@ -1997,9 +2003,17 @@ MYSQL *mysql_dr_connect(
set_ssl_error(sock, "Enforcing SSL encryption is not supported");
return NULL;
#endif
+ }
+
+ #ifdef HAVE_SSL_VERIFY
+ if (!ssl_enforce && ssl_verify && ssl_verify_also_enforce_ssl()) {
+ set_ssl_error(sock, "mysql_ssl_optional=1 with mysql_ssl_verify_server_cert=1 is not supported");
+ return NULL;
+ }
+ #endif
if (ssl_verify) {
- if (!ssl_verify_usable() && ssl_verify_set) {
+ if (!ssl_verify_usable() && ssl_enforce && ssl_verify_set) {
set_ssl_error(sock, "mysql_ssl_verify_server_cert=1 is broken by current version of MySQL client");
return NULL;
}
diff --git a/lib/DBD/mysql.pm b/lib/DBD/mysql.pm
index 572c229..f49d408 100644
--- a/lib/DBD/mysql.pm
+++ b/lib/DBD/mysql.pm
@@ -1223,6 +1223,22 @@ cipher in the list is supported, encrypted connections will not work.
mysql_ssl_cipher=AES128-SHA
mysql_ssl_cipher=DHE-RSA-AES256-SHA:AES128-SHA
+=item mysql_ssl_optional
+
+Setting C<mysql_ssl_optional> to true disables strict SSL enforcement
+and makes SSL connection optional. This option opens security hole
+for man-in-the-middle attacks. Default value is false which means
+that C<mysql_ssl> set to true enforce SSL encryption.
+
+This option was introduced in 4.043 version of DBD::mysql. Due to
+L<The BACKRONYM|http://backronym.fail/> and L<The Riddle|http://riddle.link/>
+vulnerabilities in libmysqlclient library, enforcement of SSL
+encryption was not possbile and therefore C<mysql_ssl_optional=1>
+was effectively set for all DBD::mysql versions prior to 4.043.
+Starting with 4.043, DBD::mysql with C<mysql_ssl=1> could refuse
+connection to MySQL server if underlaying libmysqlclient library is
+vulnerable. Option C<mysql_ssl_optional> can be used to make SSL
+connection vulnerable.
=item mysql_local_infile
diff --git a/t/92ssl_optional.t b/t/92ssl_optional.t
new file mode 100644
index 0000000..54790a3
--- /dev/null
+++ b/t/92ssl_optional.t
@@ -0,0 +1,28 @@
+use strict;
+use warnings;
+
+use Test::More;
+use DBI;
+
+use vars qw($test_dsn $test_user $test_password);
+use lib 't', '.';
+require "lib.pl";
+
+my $dbh;
+eval {$dbh= DBI->connect($test_dsn, $test_user, $test_password,
+ { PrintError => 0, RaiseError => 1 });};
+if (!$dbh) {
+ plan skip_all => "no database connection";
+}
+
+my $have_ssl = eval { $dbh->selectrow_hashref("SHOW VARIABLES WHERE Variable_name = 'have_ssl'") };
+$dbh->disconnect();
+plan skip_all => 'Server supports SSL connections, cannot test fallback to plain text' if $have_ssl and $have_ssl->{Value} eq 'YES';
+
+plan tests => 2;
+
+$dbh = DBI->connect($test_dsn, $test_user, $test_password, { PrintError => 1, RaiseError => 0, mysql_ssl => 1, mysql_ssl_optional => 1 });
+ok(defined $dbh, 'DBD::mysql supports mysql_ssl_optional=1 and connect via plain text protocol when SSL is not supported by server') or diag('Error code: ' . ($DBI::err || 'none') . "\n" . 'Error message: ' . ($DBI::errstr || 'unknown'));
+
+$dbh = DBI->connect($test_dsn, $test_user, $test_password, { PrintError => 1, RaiseError => 0, mysql_ssl => 1, mysql_ssl_optional => 1, mysql_ssl_ca_file => "" });
+ok(defined $dbh, 'DBD::mysql supports mysql_ssl_optional=1 and connect via plain text protocol when SSL is not supported by server even with mysql_ssl_ca_file') or diag('Error code: ' . ($DBI::err || 'none') . "\n" . 'Error message: ' . ($DBI::errstr || 'unknown'));

View File

@ -0,0 +1,124 @@
diff --git a/MANIFEST b/MANIFEST
index fba58e0..7d625f8 100644
--- a/MANIFEST
+++ b/MANIFEST
@@ -70,6 +70,7 @@ t/88async-multi-stmts.t
t/89async-method-check.t
t/90no-async.t
t/91errcheck.t
+t/92ssl_connection.t
t/92ssl_optional.t
t/92ssl_backronym_vulnerability.t
t/92ssl_riddle_vulnerability.t
diff --git a/dbdimp.c b/dbdimp.c
index 4c510ca..608a433 100644
--- a/dbdimp.c
+++ b/dbdimp.c
@@ -2785,6 +2785,14 @@ SV* dbd_db_FETCH_attrib(SV *dbh, imp_dbh_t *imp_dbh, SV *keysv)
result= serverinfo ?
sv_2mortal(newSVpvn(serverinfo, strlen(serverinfo))) : &PL_sv_undef;
}
+#if ((MYSQL_VERSION_ID >= 50023 && MYSQL_VERSION_ID < 50100) || MYSQL_VERSION_ID >= 50111)
+ else if (kl == 10 && strEQ(key, "ssl_cipher"))
+ {
+ const char* ssl_cipher = mysql_get_ssl_cipher(imp_dbh->pmysql);
+ result= ssl_cipher ?
+ sv_2mortal(newSVpvn(ssl_cipher, strlen(ssl_cipher))) : &PL_sv_undef;
+ }
+#endif
else if (kl == 13 && strEQ(key, "serverversion"))
result= sv_2mortal(my_ulonglong2str(aTHX_ mysql_get_server_version(imp_dbh->pmysql)));
else if (strEQ(key, "sock"))
diff --git a/lib/DBD/mysql.pm b/lib/DBD/mysql.pm
index f49d408..26d8c53 100644
--- a/lib/DBD/mysql.pm
+++ b/lib/DBD/mysql.pm
@@ -1437,18 +1437,19 @@ handles (read only):
$errno = $dbh->{'mysql_errno'};
$error = $dbh->{'mysql_error'};
- $info = $dbh->{'mysql_hostinfo'};
+ $hostinfo = $dbh->{'mysql_hostinfo'};
$info = $dbh->{'mysql_info'};
$insertid = $dbh->{'mysql_insertid'};
- $info = $dbh->{'mysql_protoinfo'};
- $info = $dbh->{'mysql_serverinfo'};
- $info = $dbh->{'mysql_stat'};
- $threadId = $dbh->{'mysql_thread_id'};
+ $protoinfo = $dbh->{'mysql_protoinfo'};
+ $serverinfo = $dbh->{'mysql_serverinfo'};
+ $ssl_cipher = $dbh->{'mysql_ssl_cipher'};
+ $stat = $dbh->{'mysql_stat'};
+ $thread_id = $dbh->{'mysql_thread_id'};
These correspond to mysql_errno(), mysql_error(), mysql_get_host_info(),
mysql_info(), mysql_insert_id(), mysql_get_proto_info(),
-mysql_get_server_info(), mysql_stat() and mysql_thread_id(),
-respectively.
+mysql_get_server_info(), mysql_stat(), mysql_get_ssl_cipher()
+and mysql_thread_id() respectively.
=over 2
@@ -1473,6 +1474,19 @@ against:
50200
+=item mysql_ssl_cipher
+
+Returns the SSL encryption cipher used for the given connection to
+the server. In case SSL encryption was not enabled with C<mysql_ssl>
+or was not established returns undef.
+
+ my $ssl_cipher = $dbh->{mysql_ssl_cipher};
+ if (defined $ssl_cipher) {
+ print "Connection with server is encrypted with cipher: $ssl_cipher\n";
+ } else {
+ print "Connection with server is not encrypted\n";
+ }
+
=item mysql_dbd_stats
$info_hashref = $dhb->{mysql_dbd_stats};
diff --git a/t/92ssl_connection.t b/t/92ssl_connection.t
new file mode 100644
index 0000000..9819b3b
--- /dev/null
+++ b/t/92ssl_connection.t
@@ -0,0 +1,36 @@
+use strict;
+use warnings;
+
+use Test::More;
+use DBI;
+
+use vars qw($test_dsn $test_user $test_password);
+use lib 't', '.';
+require "lib.pl";
+
+my $dbh;
+eval {$dbh= DBI->connect($test_dsn, $test_user, $test_password,
+ { PrintError => 0, RaiseError => 1 });};
+if (!$dbh) {
+ plan skip_all => "no database connection";
+}
+
+my $have_ssl = eval { $dbh->selectrow_hashref("SHOW VARIABLES WHERE Variable_name = 'have_ssl'") };
+$dbh->disconnect();
+plan skip_all => 'Server does not support SSL connections' unless $have_ssl and $have_ssl->{Value} eq 'YES';
+
+plan tests => 4;
+
+$dbh = DBI->connect($test_dsn, $test_user, $test_password, { PrintError => 0, RaiseError => 0, mysql_ssl => 1, mysql_ssl_optional => 1 });
+ok(defined $dbh, 'DBD::mysql supports mysql_ssl=1 with mysql_ssl_optional=1 and connect to server') or diag('Error code: ' . ($DBI::err || 'none') . "\n" . 'Error message: ' . ($DBI::errstr || 'unknown'));
+
+ok(defined $dbh && defined $dbh->{mysql_ssl_cipher}, 'SSL connection was established') and diag("mysql_ssl_cipher is: ". $dbh->{mysql_ssl_cipher});
+
+$dbh = DBI->connect($test_dsn, $test_user, $test_password, { PrintError => 0, RaiseError => 0, mysql_ssl => 1 });
+if (defined $dbh) {
+ pass('DBD::mysql supports mysql_ssl=1 without mysql_ssl_optional=1 and connect to server');
+ ok(defined $dbh->{mysql_ssl_cipher}, 'SSL connection was established');
+} else {
+ is($DBI::errstr, 'SSL connection error: Enforcing SSL encryption is not supported', 'DBD::mysql supports mysql_ssl=1 without mysql_ssl_optional=1 and fail because cannot enforce SSL encryption') or diag('Error message: ' . ($DBI::errstr || 'unknown'));
+ is($DBI::err, 2026, 'DBD::mysql error code is SSL related') or diag('Error code: ' . ($DBI::err || 'unknown'));
+}

View File

@ -0,0 +1,78 @@
diff --git a/lib/DBD/mysql.pm b/lib/DBD/mysql.pm
index ec107a6..dc5eb06 100644
--- a/lib/DBD/mysql.pm
+++ b/lib/DBD/mysql.pm
@@ -1162,7 +1162,10 @@ location for the socket than that built into the client.
A true value turns on the CLIENT_SSL flag when connecting to the MySQL
database:
- mysql_ssl=1
+When enabling SSL encryption you should set also other SSL options,
+at least mysql_ssl_ca_file or mysql_ssl_ca_path.
+
+ mysql_ssl=1 mysql_ssl_verify_server_cert=1 mysql_ssl_ca_file=/path/to/ca_cert.pem
This means that your communication with the server will be encrypted.
@@ -1170,21 +1173,54 @@ Please note that this can only work if you enabled SSL when compiling
DBD::mysql; this is the default starting version 4.034.
See L<DBD::mysql::INSTALL> for more details.
-If you turn mysql_ssl on, you might also wish to use the following
-flags:
+=item mysql_ssl_ca_file
+
+The path to a file in PEM format that contains a list of trusted SSL
+certificate authorities.
+
+When set MySQL server certificate is checked that it is signed by some
+CA certificate in the list. Common Name value is not verified unless
+C<mysql_ssl_verify_server_cert> is enabled.
+
+=item mysql_ssl_ca_path
+
+The path to a directory that contains trusted SSL certificate authority
+certificates in PEM format.
+
+When set MySQL server certificate is checked that it is signed by some
+CA certificate in the list. Common Name value is not verified unless
+C<mysql_ssl_verify_server_cert> is enabled.
+
+Please note that this option is supported only if your MySQL client was
+compiled with OpenSSL library, and not with default yaSSL library.
+
+=item mysql_ssl_verify_server_cert
+
+Checks the server's Common Name value in the certificate that the server
+sends to the client. The client verifies that name against the host name
+the client uses for connecting to the server, and the connection fails if
+there is a mismatch. For encrypted connections, this option helps prevent
+man-in-the-middle attacks.
+
+Verification of the host name is disabled by default.
=item mysql_ssl_client_key
-=item mysql_ssl_client_cert
+The name of the SSL key file in PEM format to use for establishing
+a secure connection.
-=item mysql_ssl_ca_file
+=item mysql_ssl_client_cert
-=item mysql_ssl_ca_path
+The name of the SSL certificate file in PEM format to use for
+establishing a secure connection.
=item mysql_ssl_cipher
-These are used to specify the respective parameters of a call
-to mysql_ssl_set, if mysql_ssl is turned on.
+A list of permissible ciphers to use for connection encryption. If no
+cipher in the list is supported, encrypted connections will not work.
+
+ mysql_ssl_cipher=AES128-SHA
+ mysql_ssl_cipher=DHE-RSA-AES256-SHA:AES128-SHA
=item mysql_local_infile

View File

@ -0,0 +1,324 @@
diff --git a/MANIFEST b/MANIFEST
index c4e16cc..577b029 100644
--- a/MANIFEST
+++ b/MANIFEST
@@ -70,6 +70,8 @@ t/88async-multi-stmts.t
t/89async-method-check.t
t/90no-async.t
t/91errcheck.t
+t/92ssl_backronym_vulnerability.t
+t/92ssl_riddle_vulnerability.t
t/99_bug_server_prepare_blob_null.t
t/lib.pl
t/manifest.t
diff --git a/dbdimp.c b/dbdimp.c
index 97fa9c4..7a71677 100644
--- a/dbdimp.c
+++ b/dbdimp.c
@@ -1506,6 +1506,12 @@ void do_warn(SV* h, int rc, char* what)
} \
}
+static void set_ssl_error(MYSQL *sock, const char *error)
+{
+ sock->net.last_errno = CR_SSL_CONNECTION_ERROR;
+ strcpy(sock->net.sqlstate, "HY000");
+ my_snprintf(sock->net.last_error, sizeof(sock->net.last_error)-1, "SSL connection error: %-.100s", error);
+}
/***************************************************************************
*
@@ -1898,28 +1904,32 @@ MYSQL *mysql_dr_connect(
}
#endif
+ if ((svp = hv_fetch(hv, "mysql_ssl", 9, FALSE)) && *svp && SvTRUE(*svp))
+ {
#if defined(DBD_MYSQL_WITH_SSL) && !defined(DBD_MYSQL_EMBEDDED) && \
(defined(CLIENT_SSL) || (MYSQL_VERSION_ID >= 40000))
- if ((svp = hv_fetch(hv, "mysql_ssl", 9, FALSE)) && *svp)
- {
- if (SvTRUE(*svp))
- {
char *client_key = NULL;
char *client_cert = NULL;
char *ca_file = NULL;
char *ca_path = NULL;
char *cipher = NULL;
STRLEN lna;
-#if MYSQL_VERSION_ID >= SSL_VERIFY_VERSION && MYSQL_VERSION_ID <= SSL_LAST_VERIFY_VERSION
- /*
- New code to utilise MySQLs new feature that verifies that the
- server's hostname that the client connects to matches that of
- the certificate
- */
- my_bool ssl_verify_true = 0;
- if ((svp = hv_fetch(hv, "mysql_ssl_verify_server_cert", 28, FALSE)) && *svp)
- ssl_verify_true = SvTRUE(*svp);
-#endif
+ unsigned int ssl_mode;
+ my_bool ssl_enforce = 1;
+ my_bool ssl_verify = 0;
+ my_bool ssl_verify_set = 0;
+
+ /* Verify if the hostname we connect to matches the hostname in the certificate */
+ if ((svp = hv_fetch(hv, "mysql_ssl_verify_server_cert", 28, FALSE)) && *svp) {
+ #if defined(HAVE_SSL_VERIFY) || defined(HAVE_SSL_MODE)
+ ssl_verify = SvTRUE(*svp);
+ ssl_verify_set = 1;
+ #else
+ set_ssl_error(sock, "mysql_ssl_verify_server_cert=1 is not supported");
+ return NULL;
+ #endif
+ }
+
if ((svp = hv_fetch(hv, "mysql_ssl_client_key", 20, FALSE)) && *svp)
client_key = SvPV(*svp, lna);
@@ -1941,13 +1951,84 @@ MYSQL *mysql_dr_connect(
mysql_ssl_set(sock, client_key, client_cert, ca_file,
ca_path, cipher);
-#if MYSQL_VERSION_ID >= SSL_VERIFY_VERSION && MYSQL_VERSION_ID <= SSL_LAST_VERIFY_VERSION
- mysql_options(sock, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, &ssl_verify_true);
-#endif
+
+ if (ssl_verify && !(ca_file || ca_path)) {
+ set_ssl_error(sock, "mysql_ssl_verify_server_cert=1 is not supported without mysql_ssl_ca_file or mysql_ssl_ca_path");
+ return NULL;
+ }
+
+ #ifdef HAVE_SSL_MODE
+
+ if (ssl_verify)
+ ssl_mode = SSL_MODE_VERIFY_IDENTITY;
+ else if (ca_file || ca_path)
+ ssl_mode = SSL_MODE_VERIFY_CA;
+ else
+ ssl_mode = SSL_MODE_REQUIRED;
+ if (mysql_options(sock, MYSQL_OPT_SSL_MODE, &ssl_mode) != 0) {
+ set_ssl_error(sock, "Enforcing SSL encryption is not supported");
+ return NULL;
+ }
+
+ #else
+
+ #if defined(HAVE_SSL_MODE_ONLY_REQUIRED)
+ ssl_mode = SSL_MODE_REQUIRED;
+ if (mysql_options(sock, MYSQL_OPT_SSL_MODE, &ssl_mode) != 0) {
+ set_ssl_error(sock, "Enforcing SSL encryption is not supported");
+ return NULL;
+ }
+ #elif defined(HAVE_SSL_ENFORCE)
+ if (mysql_options(sock, MYSQL_OPT_SSL_ENFORCE, &ssl_enforce) != 0) {
+ set_ssl_error(sock, "Enforcing SSL encryption is not supported");
+ return NULL;
+ }
+ #elif defined(HAVE_SSL_VERIFY)
+ if (!ssl_verify_also_enforce_ssl()) {
+ set_ssl_error(sock, "Enforcing SSL encryption is not supported");
+ return NULL;
+ }
+ if (ssl_verify_set && !ssl_verify) {
+ set_ssl_error(sock, "Enforcing SSL encryption is not supported without mysql_ssl_verify_server_cert=1");
+ return NULL;
+ }
+ ssl_verify = 1;
+ #else
+ set_ssl_error(sock, "Enforcing SSL encryption is not supported");
+ return NULL;
+ #endif
+
+ if (ssl_verify) {
+ if (!ssl_verify_usable() && ssl_verify_set) {
+ set_ssl_error(sock, "mysql_ssl_verify_server_cert=1 is broken by current version of MySQL client");
+ return NULL;
+ }
+ #ifdef HAVE_SSL_VERIFY
+ if (mysql_options(sock, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, &ssl_verify) != 0) {
+ set_ssl_error(sock, "mysql_ssl_verify_server_cert=1 is not supported");
+ return NULL;
+ }
+ #else
+ set_ssl_error(sock, "mysql_ssl_verify_server_cert=1 is not supported");
+ return NULL;
+ #endif
+ }
+
+ #endif
+
client_flag |= CLIENT_SSL;
+#else
+ set_ssl_error(sock, "mysql_ssl=1 is not supported");
+ return NULL;
+#endif
}
- }
+ else
+ {
+#ifdef HAVE_SSL_MODE
+ unsigned int ssl_mode = SSL_MODE_DISABLED;
+ mysql_options(sock, MYSQL_OPT_SSL_MODE, &ssl_mode);
#endif
+ }
#if (MYSQL_VERSION_ID >= 32349)
/*
* MySQL 3.23.49 disables LOAD DATA LOCAL by default. Use
diff --git a/dbdimp.h b/dbdimp.h
index 545beda..8aed561 100644
--- a/dbdimp.h
+++ b/dbdimp.h
@@ -48,8 +48,6 @@
#define LIMIT_PLACEHOLDER_VERSION 50007
#define GEO_DATATYPE_VERSION 50007
#define NEW_DATATYPE_VERSION 50003
-#define SSL_VERIFY_VERSION 50023
-#define SSL_LAST_VERIFY_VERSION 50799
#define MYSQL_VERSION_5_0 50001
/* This is to avoid the ugly #ifdef mess in dbdimp.c */
#if MYSQL_VERSION_ID < SQL_STATE_VERSION
@@ -79,6 +77,58 @@
#define true 1
#define false 0
+#if defined(MARIADB_BASE_VERSION) || defined(MARIADB_VERSION_ID)
+#define MARIADB_CLIENT
+#endif
+
+/*
+ * Check which SSL settings are supported by API at compile time
+ */
+
+/* Use mysql_options with MYSQL_OPT_SSL_VERIFY_SERVER_CERT */
+#if ((MYSQL_VERSION_ID >= 50023 && MYSQL_VERSION_ID < 50100) || MYSQL_VERSION_ID >= 50111) && (MYSQL_VERSION_ID < 80000 || defined(MARIADB_CLIENT))
+#define HAVE_SSL_VERIFY
+#endif
+
+/* Use mysql_options with MYSQL_OPT_SSL_ENFORCE */
+#if !defined(MARIADB_CLIENT) && MYSQL_VERSION_ID >= 50703 && MYSQL_VERSION_ID < 80000 && MYSQL_VERSION_ID != 60000
+#define HAVE_SSL_ENFORCE
+#endif
+
+/* Use mysql_options with MYSQL_OPT_SSL_MODE */
+#if !defined(MARIADB_CLIENT) && MYSQL_VERSION_ID >= 50711 && MYSQL_VERSION_ID != 60000
+#define HAVE_SSL_MODE
+#endif
+
+/* Use mysql_options with MYSQL_OPT_SSL_MODE, but only SSL_MODE_REQUIRED is supported */
+#if !defined(MARIADB_CLIENT) && ((MYSQL_VERSION_ID >= 50636 && MYSQL_VERSION_ID < 50700) || (MYSQL_VERSION_ID >= 50555 && MYSQL_VERSION_ID < 50600))
+#define HAVE_SSL_MODE_ONLY_REQUIRED
+#endif
+
+/*
+ * Check which SSL settings are supported by API at runtime
+ */
+
+/* MYSQL_OPT_SSL_VERIFY_SERVER_CERT automatically enforce SSL mode */
+PERL_STATIC_INLINE bool ssl_verify_also_enforce_ssl(void) {
+#ifdef MARIADB_CLIENT
+ my_ulonglong version = mysql_get_client_version();
+ return ((version >= 50544 && version < 50600) || (version >= 100020 && version < 100100) || version >= 100106);
+#else
+ return false;
+#endif
+}
+
+/* MYSQL_OPT_SSL_VERIFY_SERVER_CERT is not vulnerable (CVE-2016-2047) and can be used */
+PERL_STATIC_INLINE bool ssl_verify_usable(void) {
+ my_ulonglong version = mysql_get_client_version();
+#ifdef MARIADB_CLIENT
+ return ((version >= 50547 && version < 50600) || (version >= 100023 && version < 100100) || version >= 100110);
+#else
+ return ((version >= 50549 && version < 50600) || (version >= 50630 && version < 50700) || version >= 50712);
+#endif
+}
+
/*
* The following are return codes passed in $h->err in case of
* errors by DBD::mysql.
diff --git a/lib/DBD/mysql.pm b/lib/DBD/mysql.pm
index dc5eb06..572c229 100644
--- a/lib/DBD/mysql.pm
+++ b/lib/DBD/mysql.pm
@@ -1160,7 +1160,8 @@ location for the socket than that built into the client.
=item mysql_ssl
A true value turns on the CLIENT_SSL flag when connecting to the MySQL
-database:
+server and enforce SSL encryption. A false value (which is default)
+disable SSL encryption with the MySQL server.
When enabling SSL encryption you should set also other SSL options,
at least mysql_ssl_ca_file or mysql_ssl_ca_path.
diff --git a/t/92ssl_backronym_vulnerability.t b/t/92ssl_backronym_vulnerability.t
new file mode 100644
index 0000000..5237c6d
--- /dev/null
+++ b/t/92ssl_backronym_vulnerability.t
@@ -0,0 +1,30 @@
+use strict;
+use warnings;
+
+use Test::More;
+use DBI;
+
+use vars qw($test_dsn $test_user $test_password);
+use lib 't', '.';
+require "lib.pl";
+
+my $dbh;
+eval {$dbh= DBI->connect($test_dsn, $test_user, $test_password,
+ { PrintError => 0, RaiseError => 1 });};
+if (!$dbh) {
+ plan skip_all => "no database connection";
+}
+
+my $have_ssl = eval { $dbh->selectrow_hashref("SHOW VARIABLES WHERE Variable_name = 'have_ssl'") };
+$dbh->disconnect();
+plan skip_all => 'Server supports SSL connections, cannot test false-positive enforcement' if $have_ssl and $have_ssl->{Value} eq 'YES';
+
+plan tests => 4;
+
+$dbh = DBI->connect($test_dsn, $test_user, $test_password, { PrintError => 0, RaiseError => 0, mysql_ssl => 1 });
+ok(!defined $dbh, 'DBD::mysql refused connection to non-SSL server with mysql_ssl=1 and correct user and password');
+is($DBI::err, 2026, 'DBD::mysql error message is SSL related') or diag('Error message: ' . ($DBI::errstr || 'unknown'));
+
+$dbh = DBI->connect($test_dsn, $test_user, $test_password, { PrintError => 0, RaiseError => 0, mysql_ssl => 1, mysql_ssl_verify_server_cert => 1, mysql_ssl_ca_file => "" });
+ok(!defined $dbh, 'DBD::mysql refused connection to non-SSL server with mysql_ssl=1, mysql_ssl_verify_server_cert=1 and correct user and password');
+is($DBI::err, 2026, 'DBD::mysql error message is SSL related') or diag('Error message: ' . ($DBI::errstr || 'unknown'));
diff --git a/t/92ssl_riddle_vulnerability.t b/t/92ssl_riddle_vulnerability.t
new file mode 100644
index 0000000..2354a73
--- /dev/null
+++ b/t/92ssl_riddle_vulnerability.t
@@ -0,0 +1,30 @@
+use strict;
+use warnings;
+
+use Test::More;
+use DBI;
+
+use vars qw($test_dsn $test_user $test_password);
+use lib 't', '.';
+require "lib.pl";
+
+my $dbh;
+eval {$dbh= DBI->connect($test_dsn, $test_user, $test_password,
+ { PrintError => 0, RaiseError => 1 });};
+if (!$dbh) {
+ plan skip_all => "no database connection";
+}
+
+my $have_ssl = eval { $dbh->selectrow_hashref("SHOW VARIABLES WHERE Variable_name = 'have_ssl'") };
+$dbh->disconnect();
+plan skip_all => 'Server supports SSL connections, cannot test false-positive enforcement' if $have_ssl and $have_ssl->{Value} eq 'YES';
+
+plan tests => 4;
+
+$dbh = DBI->connect($test_dsn, '4yZ73s9qeECdWi', '64heUGwAsVoNqo', { PrintError => 0, RaiseError => 0, mysql_ssl => 1 });
+ok(!defined $dbh, 'DBD::mysql refused connection to non-SSL server with mysql_ssl=1 and incorrect user and password');
+is($DBI::err, 2026, 'DBD::mysql error message is SSL related') or diag('Error message: ' . ($DBI::errstr || 'unknown'));
+
+$dbh = DBI->connect($test_dsn, '4yZ73s9qeECdWi', '64heUGwAsVoNqo', { PrintError => 0, RaiseError => 0, mysql_ssl => 1, mysql_ssl_verify_server_cert => 1, mysql_ssl_ca_file => "" });
+ok(!defined $dbh, 'DBD::mysql refused connection to non-SSL server with mysql_ssl=1, mysql_ssl_verify_server_cert=1 and incorrect user and password');
+is($DBI::err, 2026, 'DBD::mysql error message is SSL related') or diag('Error message: ' . ($DBI::errstr || 'unknown'));

View File

@ -1,6 +1,6 @@
Name: perl-DBD-MySQL Name: perl-DBD-MySQL
Version: 4.043 Version: 4.043
Release: 5%{?dist} Release: 6%{?dist}
Summary: A MySQL interface for Perl Summary: A MySQL interface for Perl
Group: Development/Libraries Group: Development/Libraries
License: GPL+ or Artistic License: GPL+ or Artistic
@ -10,6 +10,12 @@ Source0: http://www.cpan.org/authors/id/M/MI/MICHIELB/DBD-mysql-%{version
Patch0: DBD-mysql-4.043-Fix-use-after-free-after-calling-mysql_stmt_close.patch.txt Patch0: DBD-mysql-4.043-Fix-use-after-free-after-calling-mysql_stmt_close.patch.txt
# Fix for new version of MariaDB 10.2 # Fix for new version of MariaDB 10.2
Patch1: DBD-mysql-4.043-Fix-build-failures-for-MariaDB-10.2.patch Patch1: DBD-mysql-4.043-Fix-build-failures-for-MariaDB-10.2.patch
# Fix for CVE-2017-10789
# Backport https://github.com/perl5-dbi/DBD-mysql/pull/114
Patch2: DBD-mysql-4.043-Describe-all-SSL-related-attributes-in-POD.patch
Patch3: DBD-mysql-4.043-Enforce-SSL-encryption.patch
Patch4: DBD-mysql-4.043-Add-new-connection-attribute-mysql_ssl_optional.patch
Patch5: DBD-mysql-4.043-Add-new-database-handle-attribute-mysql_ssl_cipher.patch
BuildRequires: coreutils BuildRequires: coreutils
BuildRequires: findutils BuildRequires: findutils
BuildRequires: mariadb-connector-c BuildRequires: mariadb-connector-c
@ -49,6 +55,10 @@ management system.
%setup -q -n DBD-mysql-%{version} %setup -q -n DBD-mysql-%{version}
%patch0 -p1 %patch0 -p1
%patch1 -p1 %patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
# Correct file permissions # Correct file permissions
find . -type f | xargs chmod -x find . -type f | xargs chmod -x
@ -76,6 +86,9 @@ find %{buildroot} -type f -name '*.bs' -empty -delete
%{_mandir}/man3/*.3* %{_mandir}/man3/*.3*
%changelog %changelog
* Mon Dec 04 2017 Jitka Plesnikova <jplesnik@redhat.com> - 4.043-6
- Fixed CVE-2017-10789 (bug #1467600)
* Tue Sep 05 2017 Jitka Plesnikova <jplesnik@redhat.com> - 4.043-5 * Tue Sep 05 2017 Jitka Plesnikova <jplesnik@redhat.com> - 4.043-5
- Replace mariadb/-devel by mariadb-connector-c/-devel - Replace mariadb/-devel by mariadb-connector-c/-devel