
Commit 8bec278

palichoroba
authored andcommitted
Do not accept SSL connection parameters when SSL is disabled
1 parent a005081 commit 8bec278


2 files changed

+37
-7
lines changed


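--- a/dbdimp.c
+++ b/dbdimp.c
@@ -1679,6 +1679,17 @@ static bool mariadb_dr_connect(
 HV* processed = newHV();
 HE* he;
 SV** svp;
+size_t i;
+
+const char * const mariadb_ssl_attributes[] = {
+"mariadb_ssl_optional",
+"mariadb_ssl_verify_server_cert",
+"mariadb_ssl_client_key",
+"mariadb_ssl_client_cert",
+"mariadb_ssl_ca_file",
+"mariadb_ssl_ca_path",
+"mariadb_ssl_cipher",
+};
 
 sv_2mortal(newRV_noinc((SV *)processed)); /* Automatically free HV processed */
 
@@ -2054,13 +2065,8 @@ static bool mariadb_dr_connect(
 imp_dbh->disable_fallback_for_server_prepare ? 1 : 0);
 
 (void)hv_stores(processed, "mariadb_ssl", &PL_sv_yes);
-(void)hv_stores(processed, "mariadb_ssl_optional", &PL_sv_yes);
-(void)hv_stores(processed, "mariadb_ssl_verify_server_cert", &PL_sv_yes);
-(void)hv_stores(processed, "mariadb_ssl_client_key", &PL_sv_yes);
-(void)hv_stores(processed, "mariadb_ssl_client_cert", &PL_sv_yes);
-(void)hv_stores(processed, "mariadb_ssl_ca_file", &PL_sv_yes);
-(void)hv_stores(processed, "mariadb_ssl_ca_path", &PL_sv_yes);
-(void)hv_stores(processed, "mariadb_ssl_cipher", &PL_sv_yes);
+for (i = 0; i < sizeof(mariadb_ssl_attributes)/sizeof(*mariadb_ssl_attributes); i++)
+(void)hv_store(processed, mariadb_ssl_attributes[i], strlen(mariadb_ssl_attributes[i]), &PL_sv_yes, 0);
 if ((svp = hv_fetchs(hv, "mariadb_ssl", FALSE)) && *svp && SvTRUE(*svp))
 {
 char *client_key = NULL;
@@ -2254,6 +2260,16 @@ static bool mariadb_dr_connect(
 }
 else
 {
+for (i = 0; i < sizeof(mariadb_ssl_attributes)/sizeof(*mariadb_ssl_attributes); i++)
+{
+if ((svp = hv_fetch(hv, mariadb_ssl_attributes[i], strlen(mariadb_ssl_attributes[i]), FALSE)) && *svp)
+{
+mariadb_dr_do_error(dbh, CR_SSL_CONNECTION_ERROR, SvPVX(sv_2mortal(newSVpvf("SSL connection error: SSL attribute %s was specified but SSL encryption was not enabled via mariadb_ssl=1", mariadb_ssl_attributes[i]))), "HY000");
+mariadb_db_disconnect(dbh, imp_dbh);
+return FALSE;
+}
+}
+
 #ifdef HAVE_SSL_MODE
 unsigned int ssl_mode = SSL_MODE_DISABLED;
 mysql_options(sock, MYSQL_OPT_SSL_MODE, &ssl_mode);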
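Review bot: The new rejection loop in the `else` branch (new lines 2263–2271) tests only `hv_fetch(...) && *svp`, so an attribute that is present with a false or undefined value, for example `mariadb_ssl_verify_server_cert=0`, is refused just like a true one, and nothing in the code says this is deliberate. Failing closed looks right here, since the branch goes on to set `SSL_MODE_DISABLED` and a caller who passed any SSL attribute presumably expected an encrypted connection, but a comment would keep the test from being relaxed to `SvTRUE(*svp)` later: `/* Presence alone is an error: SSL attributes without mariadb_ssl=1 must not fall through to a plaintext connection */`. The table could also be declared `static const char * const mariadb_ssl_attributes[]` so it is not rebuilt on every connect. `mariadb_dr_connect` starts and ends outside the hunks, so whether `mariadb_db_disconnect` is safe to call at this point cannot be confirmed from here.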

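--- a/lib/DBD/MariaDB.pod
+++ b/lib/DBD/MariaDB.pod
@@ -294,6 +294,8 @@ When set MariaDB or MySQL server certificate is checked that it is signed by
 some CA certificate in the list. I<Common Name> value is not verified unless
 L<I<mariadb_ssl_verify_server_cert>|/mariadb_ssl_verify_server_cert> is enabled.
 
+Requires L<C<mariadb_ssl=1>|/mariadb_ssl>.
+
 =item mariadb_ssl_ca_path
 
 The path to a directory that contains trusted SSL certificate authority
@@ -306,6 +308,8 @@ L<I<mariadb_ssl_verify_server_cert>|/mariadb_ssl_verify_server_cert> is enabled.
 Please note that this option is supported only if your MariaDB or MySQL client
 was compiled with OpenSSL library, and not with default yaSSL library.
 
+Requires L<C<mariadb_ssl=1>|/mariadb_ssl>.
+
 =item mariadb_ssl_verify_server_cert
 
 Checks the server's I<Common Name> value in the certificate that the server
@@ -316,16 +320,22 @@ attacks.
 
 Verification of the host name is disabled by default.
 
+Requires L<C<mariadb_ssl=1>|/mariadb_ssl>.
+
 =item mariadb_ssl_client_key
 
 The name of the SSL key file in PEM format to use for establishing a secure
 connection.
 
+Requires L<C<mariadb_ssl=1>|/mariadb_ssl>.
+
 =item mariadb_ssl_client_cert
 
 The name of the SSL certificate file in PEM format to use for establishing a
 secure connection.
 
+Requires L<C<mariadb_ssl=1>|/mariadb_ssl>.
+
 =item mariadb_ssl_cipher
 
 A list of permissible ciphers to use for connection encryption. If no cipher in
@@ -334,6 +344,8 @@ the list is supported, encrypted connections will not work.
 mariadb_ssl_cipher=AES128-SHA
 mariadb_ssl_cipher=DHE-RSA-AES256-SHA:AES128-SHA
 
+Requires L<C<mariadb_ssl=1>|/mariadb_ssl>.
+
 =item mariadb_ssl_optional
 
 Setting I<mariadb_ssl_optional> to true disables strict SSL enforcement and
@@ -350,6 +362,8 @@ could refuse connection to MariaDB or MySQL server if underlying libmariadb or
 libmysqlclient library is vulnerable. Option I<mariadb_ssl_optional> can be used
 to make SSL connection vulnerable.
 
+Requires L<C<mariadb_ssl=1>|/mariadb_ssl>.
+
 =item mariadb_local_infile
 
 The C<LOCAL> capability for C<LOAD DATA> may be disabled in the MariaDB or MySQL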
