File perl-DBD-mysql-CVE-2017-10789.patch of Package perl-DBD-mysql.7188

Overview Repositories Revisions Requests Users Attributes Meta

File perl-DBD-mysql-CVE-2017-10789.patch of Package perl-DBD-mysql.7188

From a681e2c8a57161a333c7fed15e2b2e4e0c99d048 Mon Sep 17 00:00:00 2001
From: Pali <pali@cpan.org>
Date: Sat, 15 Apr 2017 13:17:21 +0200
Subject: [PATCH] Enforce SSL encryption when mysql_ssl=1 is set

This reflect changes between different versions of libmysqlclient.so and
finally fix library usage to handle BACKRONYM and Riddle vulnerabilities.

Due to fixing vulnerabilities, it changes also behavior of mysql_ssl=1
attribute from opportunistic mode to enforced mode of SSL. Now DBD::mysql
with mysql_ssl=1 fails to connect to non-SSL server.
---
 .travis.yml                       |  34 +++++++++++
 MANIFEST                          |   2 +
 dbdimp.c                          | 119 ++++++++++++++++++++++++++++----------
 dbdimp.h                          |  58 +++++++++++++++----
 lib/DBD/mysql.pm                  |   3 +-
 t/92ssl_backronym_vulnerability.t |  24 ++++++++
 t/92ssl_riddle_vulnerability.t    |  24 ++++++++
 7 files changed, 224 insertions(+), 40 deletions(-)
 create mode 100644 t/92ssl_backronym_vulnerability.t
 create mode 100644 t/92ssl_riddle_vulnerability.t

Index: DBD-mysql-4.021/MANIFEST
===================================================================
--- DBD-mysql-4.021.orig/MANIFEST
+++ DBD-mysql-4.021/MANIFEST
@@ -55,6 +55,8 @@ t/76multi_statement.t
 t/80procs.t
 t/85init_command.t
 t/86_bug_36972.t
+t/92ssl_backronym_vulnerability.t
+t/92ssl_riddle_vulnerability.t
 t/lib.pl
 t/mysql.dbtest
 t/mysql.mtest
Index: DBD-mysql-4.021/dbdimp.c
===================================================================
--- DBD-mysql-4.021.orig/dbdimp.c
+++ DBD-mysql-4.021/dbdimp.c
@@ -1489,6 +1489,12 @@ void do_warn(SV* h, int rc, char* what)
     } \
   }
 
+static void set_ssl_error(MYSQL *sock, const char *error)
+{
+  sock->net.last_errno = CR_SSL_CONNECTION_ERROR;
+  strcpy(sock->net.sqlstate, "HY000");
+  my_snprintf(sock->net.last_error, sizeof(sock->net.last_error)-1, "SSL connection error: %-.100s", error);
+}
 
 /***************************************************************************
  *
@@ -1815,28 +1821,30 @@ MYSQL *mysql_dr_connect(
         }
 #endif
 
+	if ((svp = hv_fetch(hv, "mysql_ssl", 9, FALSE)) && *svp && SvTRUE(*svp))
+          {
 #if defined(DBD_MYSQL_WITH_SSL) && !defined(DBD_MYSQL_EMBEDDED) && \
     (defined(CLIENT_SSL) || (MYSQL_VERSION_ID >= 40000))
-	if ((svp = hv_fetch(hv, "mysql_ssl", 9, FALSE))  &&  *svp)
-        {
-	  if (SvTRUE(*svp))
-          {
 	    char *client_key = NULL;
 	    char *client_cert = NULL;
 	    char *ca_file = NULL;
 	    char *ca_path = NULL;
 	    char *cipher = NULL;
 	    STRLEN lna;
-#if MYSQL_VERSION_ID >= SSL_VERIFY_VERSION
-            /*
-              New code to utilise MySQLs new feature that verifies that the
-              server's hostname that the client connects to matches that of
-              the certificate
-            */
-	    my_bool ssl_verify_true = 0;
-	    if ((svp = hv_fetch(hv, "mysql_ssl_verify_server_cert", 28, FALSE))  &&  *svp)
-	      ssl_verify_true = SvTRUE(*svp);
+	    unsigned int ssl_mode;
+	    my_bool ssl_enforce = 1;
+	    my_bool ssl_verify = 0;
+	    my_bool ssl_verify_set = 0;
+
+	    if ((svp = hv_fetch(hv, "mysql_ssl_verify_server_cert", 28, FALSE)) && *svp) {
+#if defined(HAVE_SSL_VERIFY) || defined(HAVE_SSL_MODE)
+	      ssl_verify = SvTRUE(*svp);
+	      ssl_verify_set = 1;
+#else
+	      set_ssl_error(sock, "mysql_ssl_verify_server_cert=1 is not supported");
+	      return NULL;
 #endif
+	    }
 	    if ((svp = hv_fetch(hv, "mysql_ssl_client_key", 20, FALSE)) && *svp)
 	      client_key = SvPV(*svp, lna);
 
@@ -1858,13 +1866,85 @@ MYSQL *mysql_dr_connect(
 
 	    mysql_ssl_set(sock, client_key, client_cert, ca_file,
 			  ca_path, cipher);
-#if MYSQL_VERSION_ID >= SSL_VERIFY_VERSION
-	    mysql_options(sock, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, &ssl_verify_true);
+
+	    if (ssl_verify && !(ca_file || ca_path)) {
+	      set_ssl_error(sock, "mysql_ssl_verify_server_cert=1 is not supported without mysql_ssl_ca_file or mysql_ssl_ca_path");
+	      return NULL;
+	    }
+
+#ifdef HAVE_SSL_MODE
+
+        if (ssl_verify)
+  	         ssl_mode = SSL_MODE_VERIFY_IDENTITY;
+        else if (ca_file || ca_path)
+   	        ssl_mode = SSL_MODE_VERIFY_CA;
+        else
+            ssl_mode = SSL_MODE_REQUIRED;
+            if (mysql_options(sock, MYSQL_OPT_SSL_MODE, &ssl_mode) != 0) {
+              set_ssl_error(sock, "Enforcing SSL encryption is not supported");
+              return NULL;
+            }
+
+#else
+
+#if defined(HAVE_SSL_MODE_ONLY_REQUIRED)
+	      ssl_mode = SSL_MODE_REQUIRED;
+	      if (mysql_options(sock, MYSQL_OPT_SSL_MODE, &ssl_mode) != 0) {
+	        set_ssl_error(sock, "Enforcing SSL encryption is not supported");
+	        return NULL;
+	      }
+#elif defined(HAVE_SSL_ENFORCE)
+          if (mysql_options(sock, MYSQL_OPT_SSL_ENFORCE, &ssl_enforce) != 0) {
+	        set_ssl_error(sock, "Enforcing SSL encryption is not supported");
+	        return NULL;
+	      }
+#elif defined(HAVE_SSL_VERIFY)
+	      if (!ssl_verify_also_enforce_ssl()) {
+	        set_ssl_error(sock, "Enforcing SSL encryption is not supported");
+	        return NULL;
+	      }
+	      if (ssl_verify_set && !ssl_verify) {
+	        set_ssl_error(sock, "Enforcing SSL encryption is not supported without mysql_ssl_verify_server_cert=1");
+	        return NULL;
+	      }
+	      ssl_verify = 1;
+#else
+	      set_ssl_error(sock, "Enforcing SSL encryption is not supported");
+	      return NULL;
 #endif
-	    client_flag |= CLIENT_SSL;
-	  }
-	}
+
+        if (ssl_verify) {
+	      if (!ssl_verify_usable() && ssl_verify_set) {
+	        set_ssl_error(sock, "mysql_ssl_verify_server_cert=1 is broken by current version of MySQL client");
+	        return NULL;
+	      }
+#ifdef HAVE_SSL_VERIFY
+        if (mysql_options(sock, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, &ssl_verify) != 0) {
+	        set_ssl_error(sock, "mysql_ssl_verify_server_cert=1 is not supported");
+	        return NULL;
+	      }
+#else
+	      set_ssl_error(sock, "mysql_ssl_verify_server_cert=1 is not supported");
+	      return NULL;
+#endif
+	    }
+
+#endif
+
+        client_flag |= CLIENT_SSL;
+#else
+	    set_ssl_error(sock, "mysql_ssl=1 is not supported");
+	    return NULL;
+#endif
+   	  }
+	else
+   	  {
+#ifdef HAVE_SSL_MODE
+   	    unsigned int ssl_mode = SSL_MODE_DISABLED;
+   	    mysql_options(sock, MYSQL_OPT_SSL_MODE, &ssl_mode);
 #endif
+  	  }
+
 #if (MYSQL_VERSION_ID >= 32349)
 	/*
 	 * MySQL 3.23.49 disables LOAD DATA LOCAL by default. Use
Index: DBD-mysql-4.021/dbdimp.h
===================================================================
--- DBD-mysql-4.021.orig/dbdimp.h
+++ DBD-mysql-4.021/dbdimp.h
@@ -49,7 +49,6 @@
 #define LIMIT_PLACEHOLDER_VERSION 50100
 #define GEO_DATATYPE_VERSION 50007
 #define NEW_DATATYPE_VERSION 50003
-#define SSL_VERIFY_VERSION 50023
 #define MYSQL_VERSION_5_0 50001
 /* This is to avoid the ugly #ifdef mess in dbdimp.c */
 #if MYSQL_VERSION_ID < SQL_STATE_VERSION
@@ -65,6 +64,54 @@
 #define false 0
 
 /*
+ * Check which SSL settings are supported by API at compile time
+ */
+
+/* Use mysql_options with MYSQL_OPT_SSL_VERIFY_SERVER_CERT */
+#if ((MYSQL_VERSION_ID >= 50023 && MYSQL_VERSION_ID < 50100) || MYSQL_VERSION_ID >= 50111) && (MYSQL_VERSION_ID < 80000 || defined(MARIADB_BASE_VERSION))
+#define HAVE_SSL_VERIFY
+#endif
+
+/* Use mysql_options with MYSQL_OPT_SSL_ENFORCE */
+#if !defined(MARIADB_BASE_VERSION) && MYSQL_VERSION_ID >= 50703 && MYSQL_VERSION_ID < 80000 && MYSQL_VERSION_ID != 60000
+#define HAVE_SSL_ENFORCE
+#endif
+
+/* Use mysql_options with MYSQL_OPT_SSL_MODE */
+#if !defined(MARIADB_BASE_VERSION) && MYSQL_VERSION_ID >= 50711 && MYSQL_VERSION_ID != 60000
+#define HAVE_SSL_MODE
+#endif
+
+/* Use mysql_options with MYSQL_OPT_SSL_MODE, but only SSL_MODE_REQUIRED is supported */
+#if !defined(MARIADB_BASE_VERSION) && ((MYSQL_VERSION_ID >= 50636 && MYSQL_VERSION_ID < 50700) || (MYSQL_VERSION_ID >= 50555 && MYSQL_VERSION_ID < 50600))
+#define HAVE_SSL_MODE_ONLY_REQUIRED
+#endif
+
+/*
+ * Check which SSL settings are supported by API at runtime
+ */
+
+/* MYSQL_OPT_SSL_VERIFY_SERVER_CERT automatically enforce SSL mode */
+PERL_STATIC_INLINE bool ssl_verify_also_enforce_ssl(void) {
+#ifdef MARIADB_BASE_VERSION
+	my_ulonglong version = mysql_get_client_version();
+	return ((version >= 50544 && version < 50600) || (version >= 100020 && version < 100100) || version >= 100106);
+#else
+	return false;
+#endif
+}
+
+/* MYSQL_OPT_SSL_VERIFY_SERVER_CERT is not vulnerable (CVE-2016-2047) and can be used */
+PERL_STATIC_INLINE bool ssl_verify_usable(void) {
+	my_ulonglong version = mysql_get_client_version();
+#ifdef MARIADB_BASE_VERSION
+	return ((version >= 50547 && version < 50600) || (version >= 100023 && version < 100100) || version >= 100110);
+#else
+	return ((version >= 50549 && version < 50600) || (version >= 50630 && version < 50700) || version >= 50712);
+#endif
+}
+
+/*
  *  The following are return codes passed in $h->err in case of
  *  errors by DBD::mysql.
  */
Index: DBD-mysql-4.021/lib/DBD/mysql.pm
===================================================================
--- DBD-mysql-4.021.orig/lib/DBD/mysql.pm
+++ DBD-mysql-4.021/lib/DBD/mysql.pm
@@ -1066,7 +1066,8 @@ location for the socket than that built
 =item mysql_ssl
 
 A true value turns on the CLIENT_SSL flag when connecting to the MySQL
-database:
+server and enforce SSL encryption.  A false value (which is default)
+disable SSL encryption with the MySQL server.
 
   mysql_ssl=1

Places

File perl-DBD-mysql-CVE-2017-10789.patch of Package perl-DBD-mysql.7188

Places