Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12:Update
perl-DBD-mysql.7188
perl-DBD-mysql-CVE-2017-10789.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File perl-DBD-mysql-CVE-2017-10789.patch of Package perl-DBD-mysql.7188
From a681e2c8a57161a333c7fed15e2b2e4e0c99d048 Mon Sep 17 00:00:00 2001 From: Pali <pali@cpan.org> Date: Sat, 15 Apr 2017 13:17:21 +0200 Subject: [PATCH] Enforce SSL encryption when mysql_ssl=1 is set This reflect changes between different versions of libmysqlclient.so and finally fix library usage to handle BACKRONYM and Riddle vulnerabilities. Due to fixing vulnerabilities, it changes also behavior of mysql_ssl=1 attribute from opportunistic mode to enforced mode of SSL. Now DBD::mysql with mysql_ssl=1 fails to connect to non-SSL server. --- .travis.yml | 34 +++++++++++ MANIFEST | 2 + dbdimp.c | 119 ++++++++++++++++++++++++++++---------- dbdimp.h | 58 +++++++++++++++---- lib/DBD/mysql.pm | 3 +- t/92ssl_backronym_vulnerability.t | 24 ++++++++ t/92ssl_riddle_vulnerability.t | 24 ++++++++ 7 files changed, 224 insertions(+), 40 deletions(-) create mode 100644 t/92ssl_backronym_vulnerability.t create mode 100644 t/92ssl_riddle_vulnerability.t Index: DBD-mysql-4.021/MANIFEST =================================================================== --- DBD-mysql-4.021.orig/MANIFEST +++ DBD-mysql-4.021/MANIFEST @@ -55,6 +55,8 @@ t/76multi_statement.t t/80procs.t t/85init_command.t t/86_bug_36972.t +t/92ssl_backronym_vulnerability.t +t/92ssl_riddle_vulnerability.t t/lib.pl t/mysql.dbtest t/mysql.mtest Index: DBD-mysql-4.021/dbdimp.c =================================================================== --- DBD-mysql-4.021.orig/dbdimp.c +++ DBD-mysql-4.021/dbdimp.c @@ -1489,6 +1489,12 @@ void do_warn(SV* h, int rc, char* what) } \ } +static void set_ssl_error(MYSQL *sock, const char *error) +{ + sock->net.last_errno = CR_SSL_CONNECTION_ERROR; + strcpy(sock->net.sqlstate, "HY000"); + my_snprintf(sock->net.last_error, sizeof(sock->net.last_error)-1, "SSL connection error: %-.100s", error); +} /*************************************************************************** * @@ -1815,28 +1821,30 @@ MYSQL *mysql_dr_connect( } #endif + if ((svp = hv_fetch(hv, "mysql_ssl", 9, FALSE)) && *svp && SvTRUE(*svp)) + { #if defined(DBD_MYSQL_WITH_SSL) && !defined(DBD_MYSQL_EMBEDDED) && \ (defined(CLIENT_SSL) || (MYSQL_VERSION_ID >= 40000)) - if ((svp = hv_fetch(hv, "mysql_ssl", 9, FALSE)) && *svp) - { - if (SvTRUE(*svp)) - { char *client_key = NULL; char *client_cert = NULL; char *ca_file = NULL; char *ca_path = NULL; char *cipher = NULL; STRLEN lna; -#if MYSQL_VERSION_ID >= SSL_VERIFY_VERSION - /* - New code to utilise MySQLs new feature that verifies that the - server's hostname that the client connects to matches that of - the certificate - */ - my_bool ssl_verify_true = 0; - if ((svp = hv_fetch(hv, "mysql_ssl_verify_server_cert", 28, FALSE)) && *svp) - ssl_verify_true = SvTRUE(*svp); + unsigned int ssl_mode; + my_bool ssl_enforce = 1; + my_bool ssl_verify = 0; + my_bool ssl_verify_set = 0; + + if ((svp = hv_fetch(hv, "mysql_ssl_verify_server_cert", 28, FALSE)) && *svp) { +#if defined(HAVE_SSL_VERIFY) || defined(HAVE_SSL_MODE) + ssl_verify = SvTRUE(*svp); + ssl_verify_set = 1; +#else + set_ssl_error(sock, "mysql_ssl_verify_server_cert=1 is not supported"); + return NULL; #endif + } if ((svp = hv_fetch(hv, "mysql_ssl_client_key", 20, FALSE)) && *svp) client_key = SvPV(*svp, lna); @@ -1858,13 +1866,85 @@ MYSQL *mysql_dr_connect( mysql_ssl_set(sock, client_key, client_cert, ca_file, ca_path, cipher); -#if MYSQL_VERSION_ID >= SSL_VERIFY_VERSION - mysql_options(sock, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, &ssl_verify_true); + + if (ssl_verify && !(ca_file || ca_path)) { + set_ssl_error(sock, "mysql_ssl_verify_server_cert=1 is not supported without mysql_ssl_ca_file or mysql_ssl_ca_path"); + return NULL; + } + +#ifdef HAVE_SSL_MODE + + if (ssl_verify) + ssl_mode = SSL_MODE_VERIFY_IDENTITY; + else if (ca_file || ca_path) + ssl_mode = SSL_MODE_VERIFY_CA; + else + ssl_mode = SSL_MODE_REQUIRED; + if (mysql_options(sock, MYSQL_OPT_SSL_MODE, &ssl_mode) != 0) { + set_ssl_error(sock, "Enforcing SSL encryption is not supported"); + return NULL; + } + +#else + +#if defined(HAVE_SSL_MODE_ONLY_REQUIRED) + ssl_mode = SSL_MODE_REQUIRED; + if (mysql_options(sock, MYSQL_OPT_SSL_MODE, &ssl_mode) != 0) { + set_ssl_error(sock, "Enforcing SSL encryption is not supported"); + return NULL; + } +#elif defined(HAVE_SSL_ENFORCE) + if (mysql_options(sock, MYSQL_OPT_SSL_ENFORCE, &ssl_enforce) != 0) { + set_ssl_error(sock, "Enforcing SSL encryption is not supported"); + return NULL; + } +#elif defined(HAVE_SSL_VERIFY) + if (!ssl_verify_also_enforce_ssl()) { + set_ssl_error(sock, "Enforcing SSL encryption is not supported"); + return NULL; + } + if (ssl_verify_set && !ssl_verify) { + set_ssl_error(sock, "Enforcing SSL encryption is not supported without mysql_ssl_verify_server_cert=1"); + return NULL; + } + ssl_verify = 1; +#else + set_ssl_error(sock, "Enforcing SSL encryption is not supported"); + return NULL; #endif - client_flag |= CLIENT_SSL; - } - } + + if (ssl_verify) { + if (!ssl_verify_usable() && ssl_verify_set) { + set_ssl_error(sock, "mysql_ssl_verify_server_cert=1 is broken by current version of MySQL client"); + return NULL; + } +#ifdef HAVE_SSL_VERIFY + if (mysql_options(sock, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, &ssl_verify) != 0) { + set_ssl_error(sock, "mysql_ssl_verify_server_cert=1 is not supported"); + return NULL; + } +#else + set_ssl_error(sock, "mysql_ssl_verify_server_cert=1 is not supported"); + return NULL; +#endif + } + +#endif + + client_flag |= CLIENT_SSL; +#else + set_ssl_error(sock, "mysql_ssl=1 is not supported"); + return NULL; +#endif + } + else + { +#ifdef HAVE_SSL_MODE + unsigned int ssl_mode = SSL_MODE_DISABLED; + mysql_options(sock, MYSQL_OPT_SSL_MODE, &ssl_mode); #endif + } + #if (MYSQL_VERSION_ID >= 32349) /* * MySQL 3.23.49 disables LOAD DATA LOCAL by default. Use Index: DBD-mysql-4.021/dbdimp.h =================================================================== --- DBD-mysql-4.021.orig/dbdimp.h +++ DBD-mysql-4.021/dbdimp.h @@ -49,7 +49,6 @@ #define LIMIT_PLACEHOLDER_VERSION 50100 #define GEO_DATATYPE_VERSION 50007 #define NEW_DATATYPE_VERSION 50003 -#define SSL_VERIFY_VERSION 50023 #define MYSQL_VERSION_5_0 50001 /* This is to avoid the ugly #ifdef mess in dbdimp.c */ #if MYSQL_VERSION_ID < SQL_STATE_VERSION @@ -65,6 +64,54 @@ #define false 0 /* + * Check which SSL settings are supported by API at compile time + */ + +/* Use mysql_options with MYSQL_OPT_SSL_VERIFY_SERVER_CERT */ +#if ((MYSQL_VERSION_ID >= 50023 && MYSQL_VERSION_ID < 50100) || MYSQL_VERSION_ID >= 50111) && (MYSQL_VERSION_ID < 80000 || defined(MARIADB_BASE_VERSION)) +#define HAVE_SSL_VERIFY +#endif + +/* Use mysql_options with MYSQL_OPT_SSL_ENFORCE */ +#if !defined(MARIADB_BASE_VERSION) && MYSQL_VERSION_ID >= 50703 && MYSQL_VERSION_ID < 80000 && MYSQL_VERSION_ID != 60000 +#define HAVE_SSL_ENFORCE +#endif + +/* Use mysql_options with MYSQL_OPT_SSL_MODE */ +#if !defined(MARIADB_BASE_VERSION) && MYSQL_VERSION_ID >= 50711 && MYSQL_VERSION_ID != 60000 +#define HAVE_SSL_MODE +#endif + +/* Use mysql_options with MYSQL_OPT_SSL_MODE, but only SSL_MODE_REQUIRED is supported */ +#if !defined(MARIADB_BASE_VERSION) && ((MYSQL_VERSION_ID >= 50636 && MYSQL_VERSION_ID < 50700) || (MYSQL_VERSION_ID >= 50555 && MYSQL_VERSION_ID < 50600)) +#define HAVE_SSL_MODE_ONLY_REQUIRED +#endif + +/* + * Check which SSL settings are supported by API at runtime + */ + +/* MYSQL_OPT_SSL_VERIFY_SERVER_CERT automatically enforce SSL mode */ +PERL_STATIC_INLINE bool ssl_verify_also_enforce_ssl(void) { +#ifdef MARIADB_BASE_VERSION + my_ulonglong version = mysql_get_client_version(); + return ((version >= 50544 && version < 50600) || (version >= 100020 && version < 100100) || version >= 100106); +#else + return false; +#endif +} + +/* MYSQL_OPT_SSL_VERIFY_SERVER_CERT is not vulnerable (CVE-2016-2047) and can be used */ +PERL_STATIC_INLINE bool ssl_verify_usable(void) { + my_ulonglong version = mysql_get_client_version(); +#ifdef MARIADB_BASE_VERSION + return ((version >= 50547 && version < 50600) || (version >= 100023 && version < 100100) || version >= 100110); +#else + return ((version >= 50549 && version < 50600) || (version >= 50630 && version < 50700) || version >= 50712); +#endif +} + +/* * The following are return codes passed in $h->err in case of * errors by DBD::mysql. */ Index: DBD-mysql-4.021/lib/DBD/mysql.pm =================================================================== --- DBD-mysql-4.021.orig/lib/DBD/mysql.pm +++ DBD-mysql-4.021/lib/DBD/mysql.pm @@ -1066,7 +1066,8 @@ location for the socket than that built =item mysql_ssl A true value turns on the CLIENT_SSL flag when connecting to the MySQL -database: +server and enforce SSL encryption. A false value (which is default) +disable SSL encryption with the MySQL server. mysql_ssl=1
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor