winhttp: Set error and fail if a secure connections certificate couldn't be verified.
This commit is contained in:
parent
1308c4287f
commit
888d1a2323
|
@ -94,6 +94,7 @@ static void *libcrypto_handle;
|
||||||
static SSL_METHOD *method;
|
static SSL_METHOD *method;
|
||||||
static SSL_CTX *ctx;
|
static SSL_CTX *ctx;
|
||||||
static int hostname_idx;
|
static int hostname_idx;
|
||||||
|
static int error_idx;
|
||||||
|
|
||||||
#define MAKE_FUNCPTR(f) static typeof(f) * p##f
|
#define MAKE_FUNCPTR(f) static typeof(f) * p##f
|
||||||
|
|
||||||
|
@ -364,7 +365,7 @@ static int netconn_secure_verify( int preverify_ok, X509_STORE_CTX *ctx )
|
||||||
|
|
||||||
if (err)
|
if (err)
|
||||||
{
|
{
|
||||||
set_last_error( err );
|
pSSL_set_ex_data( ssl, error_idx, (void *)err );
|
||||||
ret = FALSE;
|
ret = FALSE;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -476,6 +477,14 @@ BOOL netconn_init( netconn_t *conn, BOOL secure )
|
||||||
LeaveCriticalSection( &init_ssl_cs );
|
LeaveCriticalSection( &init_ssl_cs );
|
||||||
return FALSE;
|
return FALSE;
|
||||||
}
|
}
|
||||||
|
error_idx = pSSL_get_ex_new_index( 0, (void *)"error index", NULL, NULL, NULL );
|
||||||
|
if (error_idx == -1)
|
||||||
|
{
|
||||||
|
ERR("SSL_get_ex_new_index failed: %s\n", pERR_error_string( pERR_get_error(), 0 ));
|
||||||
|
set_last_error( ERROR_OUTOFMEMORY );
|
||||||
|
LeaveCriticalSection( &init_ssl_cs );
|
||||||
|
return FALSE;
|
||||||
|
}
|
||||||
pSSL_CTX_set_verify( ctx, SSL_VERIFY_PEER, netconn_secure_verify );
|
pSSL_CTX_set_verify( ctx, SSL_VERIFY_PEER, netconn_secure_verify );
|
||||||
|
|
||||||
pCRYPTO_set_id_callback(ssl_thread_id);
|
pCRYPTO_set_id_callback(ssl_thread_id);
|
||||||
|
@ -610,8 +619,6 @@ BOOL netconn_connect( netconn_t *conn, const struct sockaddr *sockaddr, unsigned
|
||||||
BOOL netconn_secure_connect( netconn_t *conn, WCHAR *hostname )
|
BOOL netconn_secure_connect( netconn_t *conn, WCHAR *hostname )
|
||||||
{
|
{
|
||||||
#ifdef SONAME_LIBSSL
|
#ifdef SONAME_LIBSSL
|
||||||
long res;
|
|
||||||
|
|
||||||
if (!(conn->ssl_conn = pSSL_new( ctx )))
|
if (!(conn->ssl_conn = pSSL_new( ctx )))
|
||||||
{
|
{
|
||||||
ERR("SSL_new failed: %s\n", pERR_error_string( pERR_get_error(), 0 ));
|
ERR("SSL_new failed: %s\n", pERR_error_string( pERR_get_error(), 0 ));
|
||||||
|
@ -632,15 +639,14 @@ BOOL netconn_secure_connect( netconn_t *conn, WCHAR *hostname )
|
||||||
}
|
}
|
||||||
if (pSSL_connect( conn->ssl_conn ) <= 0)
|
if (pSSL_connect( conn->ssl_conn ) <= 0)
|
||||||
{
|
{
|
||||||
ERR("SSL_connect failed: %s\n", pERR_error_string( pERR_get_error(), 0 ));
|
DWORD err;
|
||||||
set_last_error( ERROR_WINHTTP_SECURE_CHANNEL_ERROR );
|
|
||||||
|
err = (DWORD)pSSL_get_ex_data( conn->ssl_conn, error_idx );
|
||||||
|
if (!err) err = ERROR_WINHTTP_SECURE_CHANNEL_ERROR;
|
||||||
|
ERR("couldn't verify server certificate (%d)\n", err);
|
||||||
|
set_last_error( err );
|
||||||
goto fail;
|
goto fail;
|
||||||
}
|
}
|
||||||
if ((res = pSSL_get_verify_result( conn->ssl_conn )) != X509_V_OK)
|
|
||||||
{
|
|
||||||
/* FIXME: we should set an error and return, but we only print an error at the moment */
|
|
||||||
ERR("couldn't verify server certificate (%ld)\n", res);
|
|
||||||
}
|
|
||||||
TRACE("established SSL connection\n");
|
TRACE("established SSL connection\n");
|
||||||
conn->secure = TRUE;
|
conn->secure = TRUE;
|
||||||
return TRUE;
|
return TRUE;
|
||||||
|
|
Loading…
Reference in New Issue