From 57f38cf87f9893f82d07c5062da46fa60359534b Mon Sep 17 00:00:00 2001
From: Georg Richter
Date: Sat, 31 Aug 2024 07:53:46 +0200
Subject: [PATCH] Save the result of peer certificate verification

Since the MARIADB_TLS_VERIFY_TRUST flag might be cleared in my_auth, we store the original result of peer certificate verification in mysql->extension->tls_validation. This value can be obtained via mariadb_get_infov API function using option MARIADB_TLS_VERIFY_STATUS.
---
 include/ma_common.h          | 1 +
 libmariadb/mariadb_lib.c     | 2 +-
 libmariadb/secure/schannel.c | 1 +
 plugins/auth/my_auth.c       | 4 ++++
 4 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/include/ma_common.h b/include/ma_common.h
index dc900b0d..980e6331 100644
--- a/include/ma_common.h
+++ b/include/ma_common.h
@@ -117,6 +117,7 @@ struct st_mariadb_extension {
   unsigned long mariadb_client_flag; /* MariaDB specific client flags */
   unsigned long mariadb_server_capabilities; /* MariaDB specific server capabilities */
   my_bool auto_local_infile;
+  my_bool tls_validation;
 };
 #define OPT_EXT_VAL(a,key) \
diff --git a/libmariadb/mariadb_lib.c b/libmariadb/mariadb_lib.c
index 78195d44..5252648d 100644
--- a/libmariadb/mariadb_lib.c
+++ b/libmariadb/mariadb_lib.c
@@ -4552,7 +4552,7 @@ my_bool mariadb_get_infov(MYSQL *mysql, enum mariadb_value value, void *arg, ...
       *((MARIADB_X509_INFO **)arg)= NULL;
     break;
   case MARIADB_TLS_VERIFY_STATUS:
-    *((unsigned int *)arg)= (unsigned int)mysql->net.tls_verify_status;
+    *((unsigned int *)arg)= (unsigned int)mysql->extension->tls_validation;
     break;
 #endif
   case MARIADB_MAX_ALLOWED_PACKET:
diff --git a/libmariadb/secure/schannel.c b/libmariadb/secure/schannel.c
index c2b9d674..098c0e4b 100644
--- a/libmariadb/secure/schannel.c
+++ b/libmariadb/secure/schannel.c
@@ -551,6 +551,7 @@ my_bool ma_tls_connect(MARIADB_TLS *ctls)
   my_bool rc= 1;
   SC_CTX *sctx;
   SECURITY_STATUS sRet;
+  client_cert_handle cert_handle= {0};
   DWORD protocol = 0;
   const CERT_CONTEXT* cert_context = NULL;
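Review bot: `my_bool tls_validation;` narrows a value that the other hunks treat as a numeric verification status rather than a boolean: mariadb_lib.c reads it back through `(unsigned int)` and my_auth.c compares the source value ordinally against MARIADB_TLS_VERIFY_TRUST. If my_bool is a char-sized type in this code base (confirm), any verification flag bit above the low byte is silently dropped in the snapshot, so a caller of MARIADB_TLS_VERIFY_STATUS could be shown a cleaner result than the handshake actually produced. Suggest matching the type of net.tls_verify_status, e.g. `unsigned int tls_validation; /* peer certificate verification result captured at handshake; kept because the TRUST flag may later be cleared from net.tls_verify_status */`. The allocation of st_mariadb_extension is not in the patch; if it is not zero-initialized, the field should be explicitly reset at the start of each connection attempt so a non-TLS or reused connection does not report a stale status.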
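Review bot: The new read `mysql->extension->tls_validation` dereferences `mysql->extension` unconditionally, whereas the replaced expression read a field embedded in MYSQL itself; the OPT_EXT_VAL macro visible in the ma_common.h hunk suggests the library normally goes through an accessor for that pointer, so this case should use the same accessor or check it for NULL. A second concern is that the field is only written on the TLS path in my_auth.c, so on a connection that never negotiated TLS, or one whose extension struct is reused across a reconnect, the caller receives whatever the field held before — if zero denotes a successful verification, a plaintext connection would be reported as verified. Rather than relying on a default, reset the field at the start of every connection attempt and document on the MARIADB_TLS_VERIFY_STATUS option that the value is only meaningful after a TLS handshake, e.g. `/* MARIADB_TLS_VERIFY_STATUS: verification result snapshot taken during the TLS handshake; undefined if no TLS handshake took place on this connection */`. mariadb_get_infov's body continues outside the hunk.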
diff --git a/plugins/auth/my_auth.c b/plugins/auth/my_auth.c
index a2fd519d..0aa6351e 100644
--- a/plugins/auth/my_auth.c
+++ b/plugins/auth/my_auth.c
@@ -433,6 +433,8 @@ static int send_client_reply_packet(MCPVIO_EXT *mpvio,
     if (ma_pvio_tls_verify_server_cert(mysql->net.pvio->ctls, verify_flags))
     {
+      /* Save original verification result */
+      mysql->extension->tls_validation= mysql->net.tls_verify_status;
       if (mysql->net.tls_verify_status > MARIADB_TLS_VERIFY_TRUST ||
           (mysql->options.ssl_ca || mysql->options.ssl_capath))
         goto error;
@@ -445,6 +447,8 @@ static int send_client_reply_packet(MCPVIO_EXT *mpvio,
       else if (!password_and_hashing(mysql, mpvio->plugin))
         goto error;
     }
+    else
+      mysql->extension->tls_validation= mysql->net.tls_verify_status;
   }
 #endif /* HAVE_TLS */
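Review bot: The snapshot `mysql->extension->tls_validation= mysql->net.tls_verify_status;` is written twice, at the top of the failure branch here and again in the `else` added by the second hunk (-445,6 +447,8), so both arms of the `if` begin with the same statement; capturing the return value of `ma_pvio_tls_verify_server_cert` in a local and storing the status once before the branch removes the duplication and makes it unconditional that the copy precedes any later modification of net.tls_verify_status: `int verify_rc= ma_pvio_tls_verify_server_cert(mysql->net.pvio->ctls, verify_flags);` / `mysql->extension->tls_validation= mysql->net.tls_verify_status;` / `if (verify_rc)`. The comment `/* Save original verification result */` would be more useful if it said why the copy exists — the commit message says the TRUST flag can be cleared from net.tls_verify_status later in this function, which is not visible in the hunk — e.g. `/* Snapshot the handshake result before the TRUST flag may be cleared below; mariadb_get_infov(MARIADB_TLS_VERIFY_STATUS) reports this copy */`. Note also that the value is stored into a my_bool field (see the ma_common.h hunk), which narrows a status that this very branch compares as an unsigned value against MARIADB_TLS_VERIFY_TRUST. send_client_reply_packet starts before and ends after this hunk.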