fix certificate verification for GnuTLS

* don't verify trust unless requested
* don't error about host of untrusted certificates
* auto-verification replaces both TRUST and HOST

Author: vuvova

libmariadb/ma_tls.c

@@ -175,9 +175,9 @@ int ma_pvio_tls_verify_server_cert(MARIADB_TLS *ctls, unsigned int flags)
         ER(CR_SSL_CONNECTION_ERROR),
         "Peer certificate is not trusted");
   }
-  /* Save original validation, since we might unset trust flag in 
-     my_auth */
+  /* Save original validation */
   mysql->extension->tls_validation= mysql->net.tls_verify_status;
+  mysql->net.tls_verify_status&= flags;
   return rc;
 }
 

libmariadb/secure/gnutls.c

@@ -1459,7 +1459,7 @@ int ma_tls_verify_server_cert(MARIADB_TLS *ctls, unsigned int flags)
       mysql->net.tls_verify_status|= MARIADB_TLS_VERIFY_PERIOD;
   }
 
-  if ((flags & MARIADB_TLS_VERIFY_HOST))
+  if (flags & MARIADB_TLS_VERIFY_HOST)
   {
     gnutls_x509_crt_t cert= ma_get_cert(ctls);
     int rc;
@@ -1478,14 +1478,15 @@ int ma_tls_verify_server_cert(MARIADB_TLS *ctls, unsigned int flags)
 
     if (!rc)
     {
-      my_set_error(mysql, CR_SSL_CONNECTION_ERROR, SQLSTATE_UNKNOWN,
-                   ER(CR_SSL_CONNECTION_ERROR), 
-                   "Certificate subject name doesn't match specified hostname");
+      if (!(mysql->net.tls_verify_status & MARIADB_TLS_VERIFY_TRUST))
+        my_set_error(mysql, CR_SSL_CONNECTION_ERROR, SQLSTATE_UNKNOWN,
+                     ER(CR_SSL_CONNECTION_ERROR),
+                     "Certificate subject name doesn't match specified hostname");
       mysql->net.tls_verify_status|= MARIADB_TLS_VERIFY_HOST;
     }    
   }
 end:
-  return (mysql->net.tls_verify_status > 0);
+  return mysql->net.tls_verify_status & flags;
 }
 
 const char *ma_tls_get_cipher(MARIADB_TLS *ctls)

plugins/auth/my_auth.c

@@ -267,6 +267,8 @@ static int send_change_user_packet(MCPVIO_EXT *mpvio,
   return res;
 }
 
+#define MARIADB_TLS_VERIFY_AUTO (MARIADB_TLS_VERIFY_HOST | MARIADB_TLS_VERIFY_TRUST)
+
 static int send_client_reply_packet(MCPVIO_EXT *mpvio,
                                     const uchar *data, int data_len)
 {
@@ -437,14 +439,14 @@ static int send_client_reply_packet(MCPVIO_EXT *mpvio,
 
     if (mysql->options.extension->tls_verification_callback(mysql->net.pvio->ctls, verify_flags))
     {
-      if (mysql->net.tls_verify_status > MARIADB_TLS_VERIFY_TRUST ||
+      if (mysql->net.tls_verify_status > MARIADB_TLS_VERIFY_AUTO ||
           (mysql->options.ssl_ca || mysql->options.ssl_capath))
         goto error;
 
       if (is_local_connection(mysql->net.pvio))
       {
         CLEAR_CLIENT_ERROR(mysql);
-        mysql->net.tls_verify_status&= ~MARIADB_TLS_VERIFY_TRUST;
+        mysql->net.tls_verify_status&= ~MARIADB_TLS_VERIFY_AUTO;
       }
       else if (!password_and_hashing(mysql, mpvio->plugin))
         goto error;