winhttp: Set error and fail if a secure connections certificate couldn't be verified.

888d1a23 · Juan Lang · Alexandre Julliard · 1308c428 · 888d1a23
Commit 888d1a23 authored Dec 14, 2009 by Juan Lang Committed by Alexandre Julliard Dec 15, 2009
Hide whitespace changes
Inline Side-by-side

Showing with 16 additions and 10 deletions

net.c dlls/winhttp/net.c +16 -10

No files found.
--- a/dlls/winhttp/net.c
+++ b/dlls/winhttp/net.c
@@ -94,6 +94,7 @@ static void *libcrypto_handle;
 static SSL_METHOD *method;
 static SSL_CTX *ctx;
 static int hostname_idx;
+static int error_idx;

 #define MAKE_FUNCPTR(f) static typeof(f) * p##f

@@ -364,7 +365,7 @@ static int netconn_secure_verify( int preverify_ok, X509_STORE_CTX *ctx )

                if (err)
                {
-                    set_last_error( err );
+                    pSSL_set_ex_data( ssl, error_idx, (void *)err );
                    ret = FALSE;
                }
            }
@@ -476,6 +477,14 @@ BOOL netconn_init( netconn_t *conn, BOOL secure )
        LeaveCriticalSection( &init_ssl_cs );
        return FALSE;
    }
+    error_idx = pSSL_get_ex_new_index( 0, (void *)"error index", NULL, NULL, NULL );
+    if (error_idx == -1)
+    {
+        ERR("SSL_get_ex_new_index failed: %s\n", pERR_error_string( pERR_get_error(), 0 ));
+        set_last_error( ERROR_OUTOFMEMORY );
+        LeaveCriticalSection( &init_ssl_cs );
+        return FALSE;
+    }
    pSSL_CTX_set_verify( ctx, SSL_VERIFY_PEER, netconn_secure_verify );

    pCRYPTO_set_id_callback(ssl_thread_id);
@@ -610,8 +619,6 @@ BOOL netconn_connect( netconn_t *conn, const struct sockaddr *sockaddr, unsigned
 BOOL netconn_secure_connect( netconn_t *conn, WCHAR *hostname )
 {
 #ifdef SONAME_LIBSSL
-    long res;
-
    if (!(conn->ssl_conn = pSSL_new( ctx )))
    {
        ERR("SSL_new failed: %s\n", pERR_error_string( pERR_get_error(), 0 ));
@@ -632,15 +639,14 @@ BOOL netconn_secure_connect( netconn_t *conn, WCHAR *hostname )
    }
    if (pSSL_connect( conn->ssl_conn ) <= 0)
    {
-        ERR("SSL_connect failed: %s\n", pERR_error_string( pERR_get_error(), 0 ));
-        set_last_error( ERROR_WINHTTP_SECURE_CHANNEL_ERROR );
+        DWORD err;
+
+        err = (DWORD)pSSL_get_ex_data( conn->ssl_conn, error_idx );
+        if (!err) err = ERROR_WINHTTP_SECURE_CHANNEL_ERROR;
+        ERR("couldn't verify server certificate (%d)\n", err);
+        set_last_error( err );
        goto fail;
    }
-    if ((res = pSSL_get_verify_result( conn->ssl_conn )) != X509_V_OK)
-    {
-        /* FIXME: we should set an error and return, but we only print an error at the moment */
-        ERR("couldn't verify server certificate (%ld)\n", res);
-    }
    TRACE("established SSL connection\n");
    conn->secure = TRUE;
    return TRUE;