Commit 888d1a23 authored by Juan Lang's avatar Juan Lang Committed by Alexandre Julliard

winhttp: Set error and fail if a secure connections certificate couldn't be verified.

parent 1308c428
...@@ -94,6 +94,7 @@ static void *libcrypto_handle; ...@@ -94,6 +94,7 @@ static void *libcrypto_handle;
static SSL_METHOD *method; static SSL_METHOD *method;
static SSL_CTX *ctx; static SSL_CTX *ctx;
static int hostname_idx; static int hostname_idx;
static int error_idx;
#define MAKE_FUNCPTR(f) static typeof(f) * p##f #define MAKE_FUNCPTR(f) static typeof(f) * p##f
...@@ -364,7 +365,7 @@ static int netconn_secure_verify( int preverify_ok, X509_STORE_CTX *ctx ) ...@@ -364,7 +365,7 @@ static int netconn_secure_verify( int preverify_ok, X509_STORE_CTX *ctx )
if (err) if (err)
{ {
set_last_error( err ); pSSL_set_ex_data( ssl, error_idx, (void *)err );
ret = FALSE; ret = FALSE;
} }
} }
...@@ -476,6 +477,14 @@ BOOL netconn_init( netconn_t *conn, BOOL secure ) ...@@ -476,6 +477,14 @@ BOOL netconn_init( netconn_t *conn, BOOL secure )
LeaveCriticalSection( &init_ssl_cs ); LeaveCriticalSection( &init_ssl_cs );
return FALSE; return FALSE;
} }
error_idx = pSSL_get_ex_new_index( 0, (void *)"error index", NULL, NULL, NULL );
if (error_idx == -1)
{
ERR("SSL_get_ex_new_index failed: %s\n", pERR_error_string( pERR_get_error(), 0 ));
set_last_error( ERROR_OUTOFMEMORY );
LeaveCriticalSection( &init_ssl_cs );
return FALSE;
}
pSSL_CTX_set_verify( ctx, SSL_VERIFY_PEER, netconn_secure_verify ); pSSL_CTX_set_verify( ctx, SSL_VERIFY_PEER, netconn_secure_verify );
pCRYPTO_set_id_callback(ssl_thread_id); pCRYPTO_set_id_callback(ssl_thread_id);
...@@ -610,8 +619,6 @@ BOOL netconn_connect( netconn_t *conn, const struct sockaddr *sockaddr, unsigned ...@@ -610,8 +619,6 @@ BOOL netconn_connect( netconn_t *conn, const struct sockaddr *sockaddr, unsigned
BOOL netconn_secure_connect( netconn_t *conn, WCHAR *hostname ) BOOL netconn_secure_connect( netconn_t *conn, WCHAR *hostname )
{ {
#ifdef SONAME_LIBSSL #ifdef SONAME_LIBSSL
long res;
if (!(conn->ssl_conn = pSSL_new( ctx ))) if (!(conn->ssl_conn = pSSL_new( ctx )))
{ {
ERR("SSL_new failed: %s\n", pERR_error_string( pERR_get_error(), 0 )); ERR("SSL_new failed: %s\n", pERR_error_string( pERR_get_error(), 0 ));
...@@ -632,15 +639,14 @@ BOOL netconn_secure_connect( netconn_t *conn, WCHAR *hostname ) ...@@ -632,15 +639,14 @@ BOOL netconn_secure_connect( netconn_t *conn, WCHAR *hostname )
} }
if (pSSL_connect( conn->ssl_conn ) <= 0) if (pSSL_connect( conn->ssl_conn ) <= 0)
{ {
ERR("SSL_connect failed: %s\n", pERR_error_string( pERR_get_error(), 0 )); DWORD err;
set_last_error( ERROR_WINHTTP_SECURE_CHANNEL_ERROR );
err = (DWORD)pSSL_get_ex_data( conn->ssl_conn, error_idx );
if (!err) err = ERROR_WINHTTP_SECURE_CHANNEL_ERROR;
ERR("couldn't verify server certificate (%d)\n", err);
set_last_error( err );
goto fail; goto fail;
} }
if ((res = pSSL_get_verify_result( conn->ssl_conn )) != X509_V_OK)
{
/* FIXME: we should set an error and return, but we only print an error at the moment */
ERR("couldn't verify server certificate (%ld)\n", res);
}
TRACE("established SSL connection\n"); TRACE("established SSL connection\n");
conn->secure = TRUE; conn->secure = TRUE;
return TRUE; return TRUE;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment