BUG27434751: Add a TLS/SSL option to verify server name

nmariz · nmariz · commit 069bc6737dd1 · 2018-11-28T10:30:19.000Z
To prevent man-in-the-middle attacks, MySQL clients should connect using TLS
and verify the server name against the server certificate's common name (CN)
and subject alternative names (SANs).

This patch adds a new connection option `ssl_verify_identity` to perform this
verification in the pure Python implementation, and also changes the behavior
of the C extension implementation, which previously was performing this
verification by default.

A test was added for regression.
diff --git a/lib/mysql/connector/abstracts.py b/lib/mysql/connector/abstracts.py
@@ -339,6 +339,9 @@ def config(self, **kwargs):
             if 'verify_cert' not in self._ssl:
                 self._ssl['verify_cert'] = \
                     DEFAULT_CONFIGURATION['ssl_verify_cert']
+            if 'verify_identity' not in self._ssl:
+                self._ssl['verify_identity'] = \
+                    DEFAULT_CONFIGURATION['ssl_verify_identity']
             # Make sure both ssl_key/ssl_cert are set, or neither (XOR)
             if 'ca' not in self._ssl or self._ssl['ca'] is None:
                 raise AttributeError(
diff --git a/lib/mysql/connector/connection.py b/lib/mysql/connector/connection.py
@@ -158,6 +158,8 @@ def _do_auth(self, username=None, password=None, database=None,
                                        ssl_options.get('cert'),
                                        ssl_options.get('key'),
                                        ssl_options.get('verify_cert') or False,
+                                       ssl_options.get('verify_identity') or
+                                       False,
                                        ssl_options.get('cipher'),
                                        ssl_options.get('version', None))
             self._ssl_active = True
diff --git a/lib/mysql/connector/connection_cext.py b/lib/mysql/connector/connection_cext.py
@@ -169,6 +169,8 @@ def _open_connection(self):
                 'ssl_cert': self._ssl.get('cert'),
                 'ssl_key': self._ssl.get('key'),
                 'ssl_verify_cert': self._ssl.get('verify_cert') or False,
+                'ssl_verify_identity':
+                    self._ssl.get('verify_identity') or False,
                 'ssl_disabled': self._ssl_disabled
             })
 
diff --git a/lib/mysql/connector/constants.py b/lib/mysql/connector/constants.py
@@ -61,6 +61,7 @@
     'ssl_cert': None,
     'ssl_key': None,
     'ssl_verify_cert': False,
+    'ssl_verify_identity': False,
     'ssl_cipher': None,
     'ssl_disabled': False,
     'ssl_version': None,
diff --git a/lib/mysql/connector/network.py b/lib/mysql/connector/network.py
@@ -410,9 +410,9 @@ def set_connection_timeout(self, timeout):
         """Set the connection timeout"""
         self._connection_timeout = timeout
 
-    # pylint: disable=C0103
-    def switch_to_ssl(self, ca, cert, key, verify_cert=False, cipher=None,
-                      ssl_version=None):
+    # pylint: disable=C0103,E1101
+    def switch_to_ssl(self, ca, cert, key, verify_cert=False,
+                      verify_identity=False, cipher=None, ssl_version=None):
         """Switch the socket to use SSL"""
         if not self.sock:
             raise errors.InterfaceError(errno=2048)
@@ -434,17 +434,21 @@ def switch_to_ssl(self, ca, cert, key, verify_cert=False, cipher=None,
                     cert_reqs=cert_reqs, do_handshake_on_connect=False,
                     ssl_version=ssl_version, ciphers=cipher)
             self.sock.do_handshake()
+            if verify_identity:
+                ssl.match_hostname(self.sock.getpeercert(), self.server_host)
         except NameError:
             raise errors.NotSupportedError(
                 "Python installation has no SSL support")
         except (ssl.SSLError, IOError) as err:
             raise errors.InterfaceError(
                 errno=2055, values=(self.get_address(), _strioerror(err)))
+        except ssl.CertificateError as err:
+            raise errors.InterfaceError(str(err))
         except NotImplementedError as err:
             raise errors.InterfaceError(str(err))
 
 
-# pylint: enable=C0103
+# pylint: enable=C0103,E1101
 
 
 class MySQLUnixSocket(BaseMySQLSocket):
diff --git a/src/mysql_capi.c b/src/mysql_capi.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2014, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2014, 2018, Oracle and/or its affiliates. All rights reserved.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License, version 2.0, as
@@ -1039,7 +1039,7 @@ MySQL_connect(MySQL *self, PyObject *args, PyObject *kwds)
 {
 	char *host= NULL, *user= NULL, *database= NULL, *unix_socket= NULL;
 	char *ssl_ca= NULL, *ssl_cert= NULL, *ssl_key= NULL;
-	PyObject *charset_name, *compress, *ssl_verify_cert, *password, *ssl_disabled;
+	PyObject *charset_name, *compress, *ssl_verify_cert, *ssl_verify_identity, *password, *ssl_disabled;
 	const char* auth_plugin;
 	unsigned long client_flags= 0;
 	unsigned int port= 3306, tmp_uint;
@@ -1060,21 +1060,22 @@ MySQL_connect(MySQL *self, PyObject *args, PyObject *kwds)
 	{
 	    "host", "user", "password", "database",
 		"port", "unix_socket", "client_flags",
-		"ssl_ca", "ssl_cert", "ssl_key", "ssl_verify_cert", "ssl_disabled",
+		"ssl_ca", "ssl_cert", "ssl_key", "ssl_verify_cert", "ssl_verify_identity", "ssl_disabled",
 		"compress",
 		NULL
     };
 
 #ifdef PY3
-    if (!PyArg_ParseTupleAndKeywords(args, kwds, "|zzzzkzkzzzO!O!O!", kwlist,
+    if (!PyArg_ParseTupleAndKeywords(args, kwds, "|zzzzkzkzzzO!O!O!O!", kwlist,
 #else
-    if (!PyArg_ParseTupleAndKeywords(args, kwds, "|zzOzkzkzzzO!O!O!", kwlist,
+    if (!PyArg_ParseTupleAndKeywords(args, kwds, "|zzOzkzkzzzO!O!O!O!", kwlist,
 #endif
                                      &host, &user, &password, &database,
                                      &port, &unix_socket,
                                      &client_flags,
                                      &ssl_ca, &ssl_cert, &ssl_key,
                                      &PyBool_Type, &ssl_verify_cert,
+                                     &PyBool_Type, &ssl_verify_identity,
                                      &PyBool_Type, &ssl_disabled,
                                      &PyBool_Type, &compress))
     {
@@ -1136,8 +1137,10 @@ MySQL_connect(MySQL *self, PyObject *args, PyObject *kwds)
         if (ssl_verify_cert && ssl_verify_cert == Py_True)
         {
 #if MYSQL_VERSION_ID >= 50711
-            ssl_mode= SSL_MODE_VERIFY_IDENTITY;
-            mysql_options(&self->session, MYSQL_OPT_SSL_MODE, &ssl_mode);
+            if (ssl_verify_identity && ssl_verify_identity == Py_True) {
+                ssl_mode= SSL_MODE_VERIFY_IDENTITY;
+                mysql_options(&self->session, MYSQL_OPT_SSL_MODE, &ssl_mode);
+            }
 #else
             abool= 1;
 #if MYSQL_VERSION_ID > 50703
@@ -1147,7 +1150,13 @@ MySQL_connect(MySQL *self, PyObject *args, PyObject *kwds)
                           MYSQL_OPT_SSL_VERIFY_SERVER_CERT, (char*)&abool);
 #endif
         } else {
-          ssl_ca= NULL;
+#if MYSQL_VERSION_ID >= 50711
+            if (ssl_verify_identity && ssl_verify_identity == Py_True) {
+                ssl_mode= SSL_MODE_VERIFY_IDENTITY;
+                mysql_options(&self->session, MYSQL_OPT_SSL_MODE, &ssl_mode);
+            }
+#endif
+            ssl_ca= NULL;
         }
         mysql_ssl_set(&self->session, ssl_key, ssl_cert, ssl_ca, NULL, NULL);
     } else {
diff --git a/tests/test_bugs.py b/tests/test_bugs.py
@@ -5511,3 +5511,50 @@ def test_utf8mb4_default_charset(self):
         cur.execute("DROP TABLE IF EXISTS {0}".format(tbl))
         cur.close()
         self.cnx.close()
+
+
+@unittest.skipIf(sys.version_info < (2, 7, 9),
+                 "Python 2.7.9+ is required for SSL")
+class BugOra27434751(tests.MySQLConnectorTests):
+    """BUG#27434751: MYSQL.CONNECTOR HAS NO TLS/SSL OPTION TO VERIFY SERVER NAME
+    """
+    def setUp(self):
+        ssl_ca = os.path.abspath(
+            os.path.join(tests.SSL_DIR, 'tests_CA_cert.pem'))
+        ssl_cert = os.path.abspath(
+            os.path.join(tests.SSL_DIR, 'tests_client_cert.pem'))
+        ssl_key = os.path.abspath(
+            os.path.join(tests.SSL_DIR, 'tests_client_key.pem'))
+        self.config = tests.get_mysql_config()
+        self.config.pop("unix_socket")
+        self.config["ssl_ca"] = ssl_ca
+        self.config["ssl_cert"] = ssl_cert
+        self.config["ssl_key"] = ssl_key
+        self.config["ssl_verify_cert"] = True
+
+    def _verify_server_name_cnx(self, use_pure=True):
+        config = self.config.copy()
+        config["use_pure"] = use_pure
+        # Setting an invalid host name against a server certificate
+        config["host"] = "127.0.0.1"
+
+        # Should connect with ssl_verify_identity=False
+        config["ssl_verify_identity"] = False
+        cnx = mysql.connector.connect(**config)
+        cnx.close()
+
+        # Should fail to connect with ssl_verify_identity=True
+        config["ssl_verify_identity"] = True
+        self.assertRaises(errors.InterfaceError, mysql.connector.connect,
+                          **config)
+
+        # Should connect with the correct host name and ssl_verify_identity=True
+        config["host"] = "localhost"
+        cnx = mysql.connector.connect(**config)
+        cnx.close()
+
+    def test_verify_server_name_cext_cnx(self):
+        self._verify_server_name_cnx(use_pure=False)
+
+    def test_verify_server_name_pure_cnx(self):
+        self._verify_server_name_cnx(use_pure=True)
diff --git a/tests/test_connection.py b/tests/test_connection.py
@@ -118,6 +118,7 @@ def test_DEFAULT_CONFIGURATION(self):
             'ssl_cert': None,
             'ssl_key': None,
             'ssl_verify_cert': False,
+            'ssl_verify_identity': False,
             'passwd': None,
             'db': None,
             'connect_timeout': None,
@@ -818,7 +819,8 @@ def test_caching_sha2_password(self):
         self.cnx._handshake['auth_plugin'] = 'caching_sha2_password'
         self.cnx._handshake['auth_data'] = b'h4i6oP!OLng9&PD@WrYH'
         self.cnx._socket.switch_to_ssl = \
-            lambda ca, cert, key, verify_cert, cipher, ssl_version: None
+            lambda ca, cert, key, verify_cert, verify_identity, cipher, \
+                ssl_version: None
 
         # Test perform_full_authentication
         # Exchange:
@@ -917,7 +919,8 @@ def test__do_auth_ssl(self):
                 ssl_enabled=True),
         ]
         self.cnx._socket.switch_to_ssl = \
-            lambda ca, cert, key, verify_cert, cipher, ssl_version: None
+            lambda ca, cert, key, verify_cert, verify_identity, cipher, \
+                ssl_version: None
         self.cnx._socket.sock.reset()
         self.cnx._socket.sock.add_packets([
             bytearray(b'\x07\x00\x00\x01\x00\x00\x00\x02\x00\x00\x00'),
@@ -947,7 +950,8 @@ def test_config(self):
             'ssl_ca': 'CACert',
             'ssl_cert': 'ServerCert',
             'ssl_key': 'ServerKey',
-            'ssl_verify_cert': False
+            'ssl_verify_cert': False,
+            'ssl_verify_identity': False
         })
         default_config['converter_class'] = MySQLConverter
         try:
@@ -1062,15 +1066,17 @@ def __init__(self, charset, unicode):
             'ca': 'CACert',
             'cert': 'ServerCert',
             'key': 'ServerKey',
-            'verify_cert': False
+            'verify_cert': False,
+            'verify_identity': False
         }
         cnx.config(ssl_ca=exp['ca'], ssl_cert=exp['cert'], ssl_key=exp['key'])
         self.assertEqual(exp, cnx._ssl)
 
         exp['verify_cert'] = True
 
         cnx.config(ssl_ca=exp['ca'], ssl_cert=exp['cert'],
-                   ssl_key=exp['key'], ssl_verify_cert=exp['verify_cert'])
+                   ssl_key=exp['key'], ssl_verify_cert=exp['verify_cert'],
+                   ssl_verify_identity=exp['verify_identity'])
         self.assertEqual(exp, cnx._ssl)
 
         # Missing SSL configuration should raise an AttributeError
