Save the result of peer certificate verification

Since the MARIADB_TLS_VERIFY_TRUST flag might be cleared in my_auth, we store the original result of peer certificate verification in mysql->extension->tls_validation. This value can be obtained via mariadb_get_infov API function using option MARIADB_TLS_VERIFY_STATUS.
2025-08-08 14:02:17 +03:00 · 2024-08-31 07:53:46 +02:00
parent 4a157ffbb5
commit 57f38cf87f
4 changed files with 7 additions and 1 deletions
--- a/include/ma_common.h
+++ b/include/ma_common.h
@@ -117,6 +117,7 @@ struct st_mariadb_extension {
  unsigned long mariadb_client_flag; /* MariaDB specific client flags */
  unsigned long mariadb_server_capabilities; /* MariaDB specific server capabilities */
  my_bool auto_local_infile;
+  my_bool tls_validation;
 };

 #define OPT_EXT_VAL(a,key) \
--- a/libmariadb/mariadb_lib.c
+++ b/libmariadb/mariadb_lib.c
@@ -4552,7 +4552,7 @@ my_bool mariadb_get_infov(MYSQL *mysql, enum mariadb_value value, void *arg, ...
    *((MARIADB_X509_INFO **)arg)= NULL;
    break;
  case MARIADB_TLS_VERIFY_STATUS:
-    *((unsigned int *)arg)= (unsigned int)mysql->net.tls_verify_status;
+    *((unsigned int *)arg)= (unsigned int)mysql->extension->tls_validation;
    break;
 #endif
  case MARIADB_MAX_ALLOWED_PACKET:
--- a/libmariadb/secure/schannel.c
+++ b/libmariadb/secure/schannel.c
@@ -551,6 +551,7 @@ my_bool ma_tls_connect(MARIADB_TLS *ctls)
  my_bool rc= 1;
  SC_CTX *sctx;
  SECURITY_STATUS sRet;
+  client_cert_handle cert_handle= {0};
  DWORD protocol = 0;
  const CERT_CONTEXT* cert_context = NULL;

--- a/plugins/auth/my_auth.c
+++ b/plugins/auth/my_auth.c
@@ -433,6 +433,8 @@ static int send_client_reply_packet(MCPVIO_EXT *mpvio,

    if (ma_pvio_tls_verify_server_cert(mysql->net.pvio->ctls, verify_flags))
    {
+      /* Save original verification result */
+      mysql->extension->tls_validation= mysql->net.tls_verify_status;
      if (mysql->net.tls_verify_status > MARIADB_TLS_VERIFY_TRUST ||
          (mysql->options.ssl_ca || mysql->options.ssl_capath))
        goto error;
@@ -445,6 +447,8 @@ static int send_client_reply_packet(MCPVIO_EXT *mpvio,
      else if (!password_and_hashing(mysql, mpvio->plugin))
        goto error;
    }
+    else
+      mysql->extension->tls_validation= mysql->net.tls_verify_status;
  }
 #endif /* HAVE_TLS */