Bug #13115401: -SSL-KEY VALUE IS NOT VALIDATED AND IT ALLOWS INSECURE

CONNECTIONS IF SPE Problem description: -ssl-key value is not validated, you can assign any bogus text to --ssl-key and it is not verified that it exists, and more importantly, it allows the client to connect to mysqld. Fix: Added proper validations checks for --ssl-key. Note: 1) Documentation changes require for 5.1, 5.5, 5.6 and trunk in the sections listed below and the details are : http://dev.mysql.com/doc/refman/5.6/en/ssl-options.html#option_general_ssl and REQUIRE SSL section of http://dev.mysql.com/doc/refman/5.6/en/grant.html 2) Client having with option '--ssl', should able to get ssl connection. This will be implemented as part of separate fix in 5.6 and trunk.

Bug #13115401: -SSL-KEY VALUE IS NOT VALIDATED AND IT ALLOWS INSECURE
CONNECTIONS IF SPE Problem description: -ssl-key value is not validated, you can assign any bogus text to --ssl-key and it is not verified that it exists, and more importantly, it allows the client to connect to mysqld. Fix: Added proper validations checks for --ssl-key. Note: 1) Documentation changes require for 5.1, 5.5, 5.6 and trunk in the sections listed below and the details are : http://dev.mysql.com/doc/refman/5.6/en/ssl-options.html#option_general_ssl and REQUIRE SSL section of http://dev.mysql.com/doc/refman/5.6/en/grant.html 2) Client having with option '--ssl', should able to get ssl connection. This will be implemented as part of separate fix in 5.6 and trunk.
18087b04 · Venkata Sidagam · 2f30b340 · 18087b04 · 18087b04 · 18087b04
Commit 18087b04 authored Aug 11, 2012 by Venkata Sidagam
4 changed files
--- a/extra/yassl/src/ssl.cpp
+++ b/extra/yassl/src/ssl.cpp
@@ -747,7 +747,7 @@ void SSL_CTX_set_verify(SSL_CTX* ctx, int mode, VerifyCallback vc)
 int SSL_CTX_load_verify_locations(SSL_CTX* ctx, const char* file,
                                  const char* path)
 {
-    int       ret = SSL_SUCCESS;
+    int       ret = SSL_FAILURE;
    const int HALF_PATH = 128;

    if (file) ret = read_file(ctx, file, SSL_FILETYPE_PEM, CA);

--- a/mysql-test/r/openssl_1.result
+++ b/mysql-test/r/openssl_1.result
@@ -44,9 +44,9 @@ ERROR 42000: DELETE command denied to user 'ssl_user4'@'localhost' for table 't1
 drop user ssl_user1@localhost, ssl_user2@localhost,
 ssl_user3@localhost, ssl_user4@localhost, ssl_user5@localhost;
 drop table t1;
-mysqltest: Could not open connection 'default': 2026 SSL connection error
-mysqltest: Could not open connection 'default': 2026 SSL connection error
-mysqltest: Could not open connection 'default': 2026 SSL connection error
+mysqltest: Could not open connection 'default': 2026 SSL connection error: xxxx
+mysqltest: Could not open connection 'default': 2026 SSL connection error: xxxx
+mysqltest: Could not open connection 'default': 2026 SSL connection error: xxxx
 SSL error: Unable to get private key from ''
 mysqltest: Could not open connection 'default': 2026 SSL connection error
 SSL error: Unable to get certificate from ''

--- a/mysql-test/t/openssl_1.test
+++ b/mysql-test/t/openssl_1.test
@@ -73,22 +73,28 @@ drop table t1;
 # a different cacert
 #
 --exec echo "this query should not execute;" > $MYSQLTEST_VARDIR/tmp/test.sql
+--replace_regex /2026 SSL connection error.*/2026 SSL connection error: xxxx/
 --error 1
 --exec $MYSQL_TEST --ssl-ca=$MYSQL_TEST_DIR/std_data/untrusted-cacert.pem --max-connect-retries=1 < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1
+--echo

 #
 # Test that we can't open connection to server if we are using
 # a blank ca
 #
+--replace_regex /2026 SSL connection error.*/2026 SSL connection error: xxxx/
 --error 1
 --exec $MYSQL_TEST --ssl-ca= --max-connect-retries=1 < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1
+--echo

 #
 # Test that we can't open connection to server if we are using
 # a nonexistent ca file
 #
+--replace_regex /2026 SSL connection error.*/2026 SSL connection error: xxxx/
 --error 1
 --exec $MYSQL_TEST --ssl-ca=nonexisting_file.pem --max-connect-retries=1 < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1
+--echo

 #
 # Test that we can't open connection to server if we are using

--- a/vio/viosslfactories.c
+++ b/vio/viosslfactories.c
@@ -101,47 +101,51 @@ vio_set_cert_stuff(SSL_CTX *ctx, const char *cert_file, const char *key_file,
  DBUG_ENTER("vio_set_cert_stuff");
  DBUG_PRINT("enter", ("ctx: 0x%lx  cert_file: %s  key_file: %s",
 		       (long) ctx, cert_file, key_file));
-  if (cert_file)
-  {
-    if (SSL_CTX_use_certificate_file(ctx, cert_file, SSL_FILETYPE_PEM) <= 0)
-    {
-      *error= SSL_INITERR_CERT;
-      DBUG_PRINT("error",("%s from file '%s'", sslGetErrString(*error), cert_file));
-      DBUG_EXECUTE("error", ERR_print_errors_fp(DBUG_FILE););
-      fprintf(stderr, "SSL error: %s from '%s'\n", sslGetErrString(*error),
-              cert_file);
-      fflush(stderr);
-      DBUG_RETURN(1);
-    }

-    if (!key_file)
-      key_file= cert_file;
+  if (!cert_file &&  key_file)
+    cert_file= key_file;
+  
+  if (!key_file &&  cert_file)
+    key_file= cert_file;

-    if (SSL_CTX_use_PrivateKey_file(ctx, key_file, SSL_FILETYPE_PEM) <= 0)
-    {
-      *error= SSL_INITERR_KEY;
-      DBUG_PRINT("error", ("%s from file '%s'", sslGetErrString(*error), key_file));
-      DBUG_EXECUTE("error", ERR_print_errors_fp(DBUG_FILE););
-      fprintf(stderr, "SSL error: %s from '%s'\n", sslGetErrString(*error),
-              key_file);
-      fflush(stderr);
-      DBUG_RETURN(1);
-    }
+  if (cert_file &&
+      SSL_CTX_use_certificate_file(ctx, cert_file, SSL_FILETYPE_PEM) <= 0)
+  {
+    *error= SSL_INITERR_CERT;
+    DBUG_PRINT("error",("%s from file '%s'", sslGetErrString(*error), cert_file));
+    DBUG_EXECUTE("error", ERR_print_errors_fp(DBUG_FILE););
+    fprintf(stderr, "SSL error: %s from '%s'\n", sslGetErrString(*error),
+            cert_file);
+    fflush(stderr);
+    DBUG_RETURN(1);
+  }

-    /*
-      If we are using DSA, we can copy the parameters from the private key
-      Now we know that a key and cert have been set against the SSL context
-    */
-    if (!SSL_CTX_check_private_key(ctx))
-    {
-      *error= SSL_INITERR_NOMATCH;
-      DBUG_PRINT("error", ("%s",sslGetErrString(*error)));
-      DBUG_EXECUTE("error", ERR_print_errors_fp(DBUG_FILE););
-      fprintf(stderr, "SSL error: %s\n", sslGetErrString(*error));
-      fflush(stderr);
-      DBUG_RETURN(1);
-    }
+  if (key_file &&
+      SSL_CTX_use_PrivateKey_file(ctx, key_file, SSL_FILETYPE_PEM) <= 0)
+  {
+    *error= SSL_INITERR_KEY;
+    DBUG_PRINT("error", ("%s from file '%s'", sslGetErrString(*error), key_file));
+    DBUG_EXECUTE("error", ERR_print_errors_fp(DBUG_FILE););
+    fprintf(stderr, "SSL error: %s from '%s'\n", sslGetErrString(*error),
+            key_file);
+    fflush(stderr);
+    DBUG_RETURN(1);
+  }
+
+  /*
+    If we are using DSA, we can copy the parameters from the private key
+    Now we know that a key and cert have been set against the SSL context
+  */
+  if (cert_file && !SSL_CTX_check_private_key(ctx))
+  {
+    *error= SSL_INITERR_NOMATCH;
+    DBUG_PRINT("error", ("%s",sslGetErrString(*error)));
+    DBUG_EXECUTE("error", ERR_print_errors_fp(DBUG_FILE););
+    fprintf(stderr, "SSL error: %s\n", sslGetErrString(*error));
+    fflush(stderr);
+    DBUG_RETURN(1);
  }
+
  DBUG_RETURN(0);
 }

@@ -253,6 +257,20 @@ new_VioSSLFd(const char *key_file, const char *cert_file,
  if (SSL_CTX_load_verify_locations(ssl_fd->ssl_context, ca_file, ca_path) == 0)
  {
    DBUG_PRINT("warning", ("SSL_CTX_load_verify_locations failed"));
+    if (ca_file || ca_path)
+    {
+      /* fail only if ca file or ca path were supplied and looking into 
+         them fails. */
+      *error= SSL_INITERR_BAD_PATHS;
+      DBUG_PRINT("error", ("SSL_CTX_load_verify_locations failed : %s", 
+                 sslGetErrString(*error)));
+      report_errors();
+      SSL_CTX_free(ssl_fd->ssl_context);
+      my_free((void*)ssl_fd,MYF(0));
+      DBUG_RETURN(0);
+    }
+
+    /* otherwise go use the defaults */
    if (SSL_CTX_set_default_verify_paths(ssl_fd->ssl_context) == 0)
    {
      *error= SSL_INITERR_BAD_PATHS;