Bug #68340 aes_decrypt with bad data causes disconnect when using openssl
Submitted: 11 Feb 2013 21:25 Modified: 28 Mar 2013 16:19
Reporter: Andrew Garner Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server: Security: Privileges Severity:S3 (Non-critical)
Version:5.6.10 OS:Linux (Fedora release 17 (Beefy Miracle) )
Assigned to: CPU Architecture:Any

[11 Feb 2013 21:25] Andrew Garner
Description:
When mysql 5.6.10 is built with openssl and a connection is made with ssl, the connection is dropped immediately after running AES_DECRYPT(/* bad params*/).  This does not occur when built with YaSSL.  This does not seem to occur if a non-encrypted connection is made.  The server itself does not crash.

This was reproducible on Fedora 17 using openssl-1.0.0j.

How to repeat:
$ cmake . -DBUILD_CONFIG=mysql_release -DWITH_SSL=system

$ mysql --ssl-ca=cacert.pem -e "SELECT CONNECTION_ID(), AES_DECRYPT('', 'a');SELECT 1"
+-----------------+----------------------+
| CONNECTION_ID() | AES_DECRYPT('', 'a') |
+-----------------+----------------------+
|              93 | NULL                 |
+-----------------+----------------------+
ERROR 2006 (HY000) at line 1: MySQL server has gone away
[12 Feb 2013 10:55] Shane Bester
Verified as described.  Server starts up with hundreds of valgrind errors too.
Client handshake causes another few hundre valgrind warnings.
Although the "lost connection" is not really server crashing, it's just client losing the connection.  I'm not sure if the problem is mysqld or openssl. Let us let devs decide.

9 errors in context 963 of 1000:
Conditional jump or move depends on uninitialised value(s)
at: BN_div (bn_div.c:595)
by: BN_nnmod (bn_mod.c:132)
by: BN_mod_mul (bn_mod.c:194)
by: BN_BLINDING_convert_ex (bn_blind.c:247)
by: RSA_eay_private_encrypt (rsa_eay.c:466)
by: RSA_sign (rsa_sign.c:134)
by: ssl3_send_server_key_exchange (s3_srvr.c:1784)
by: ssl3_accept (s3_srvr.c:425)
by: ssl_handshake_loop (viossl.c:291)
by: ssl_do (viossl.c:345)
by: parse_client_handshake_packet(MPVIO_EXT*, unsigned char**, unsigned long) (sql_acl.cc:10063)
by: server_mpvio_read_packet(st_plugin_vio*, unsigned char**) (sql_acl.cc:10483)
by: native_password_authenticate(st_plugin_vio*, st_mysql_server_auth_info*) (sql_acl.cc:11130)
by: do_auth_once(THD*, st_mysql_lex_string*, MPVIO_EXT*) (sql_acl.cc:10653)
by: acl_authenticate(THD*, unsigned int) (sql_acl.cc:10795)
by: check_connection(THD*) (sql_connect.cc:672)
by: login_connection(THD*) (sql_connect.cc:741)
by: thd_prepare_connection(THD*) (sql_connect.cc:901)
by: do_handle_one_connection(THD*) (sql_connect.cc:970)
by: handle_one_connection (sql_connect.cc:893)
by: start_thread (pthread_create.c:309)
by: clone (clone.S:115)
[28 Mar 2013 16:19] Paul Dubois
Noted in 5.6.12, 5.7.2 changelogs.

If a function such as AES_DECRYPT() that requires SSL support failed,
the error could affect later calls to functions that require SSL
support.