Commit 9b51cc82 by Carlos Martín Nieto Committed by GitHub

Merge pull request #4050 from ethomson/ethomson/winhttp_errmsgs

WinHTTP: set proper error messages when SSL fails
parents 11968073 1910a04a
...@@ -242,8 +242,12 @@ static int certificate_check(winhttp_stream *s, int valid) ...@@ -242,8 +242,12 @@ static int certificate_check(winhttp_stream *s, int valid)
git_cert_x509 cert; git_cert_x509 cert;
/* If there is no override, we should fail if WinHTTP doesn't think it's fine */ /* If there is no override, we should fail if WinHTTP doesn't think it's fine */
if (t->owner->certificate_check_cb == NULL && !valid) if (t->owner->certificate_check_cb == NULL && !valid) {
if (!giterr_last())
giterr_set(GITERR_NET, "unknown certificate check failure");
return GIT_ECERTIFICATE; return GIT_ECERTIFICATE;
}
if (t->owner->certificate_check_cb == NULL || !t->connection_data.use_ssl) if (t->owner->certificate_check_cb == NULL || !t->connection_data.use_ssl)
return 0; return 0;
...@@ -691,6 +695,38 @@ static int user_agent(git_buf *ua) ...@@ -691,6 +695,38 @@ static int user_agent(git_buf *ua)
return git_buf_putc(ua, ')'); return git_buf_putc(ua, ')');
} }
static void CALLBACK winhttp_status(
HINTERNET connection,
DWORD_PTR ctx,
DWORD code,
LPVOID info,
DWORD info_len)
{
DWORD status;
if (code != WINHTTP_CALLBACK_STATUS_SECURE_FAILURE)
return;
status = *((DWORD *)info);
if ((status & WINHTTP_CALLBACK_STATUS_FLAG_CERT_CN_INVALID))
giterr_set(GITERR_NET, "SSL certificate issued for different common name");
else if ((status & WINHTTP_CALLBACK_STATUS_FLAG_CERT_DATE_INVALID))
giterr_set(GITERR_NET, "SSL certificate has expired");
else if ((status & WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA))
giterr_set(GITERR_NET, "SSL certificate signed by unknown CA");
else if ((status & WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CERT))
giterr_set(GITERR_NET, "SSL certificate is invalid");
else if ((status & WINHTTP_CALLBACK_STATUS_FLAG_CERT_REV_FAILED))
giterr_set(GITERR_NET, "certificate revocation check failed");
else if ((status & WINHTTP_CALLBACK_STATUS_FLAG_CERT_REVOKED))
giterr_set(GITERR_NET, "SSL certificate was revoked");
else if ((status & WINHTTP_CALLBACK_STATUS_FLAG_SECURITY_CHANNEL_ERROR))
giterr_set(GITERR_NET, "security libraries could not be loaded");
else
giterr_set(GITERR_NET, "unknown security error %d", status);
}
static int winhttp_connect( static int winhttp_connect(
winhttp_subtransport *t) winhttp_subtransport *t)
{ {
...@@ -760,6 +796,11 @@ static int winhttp_connect( ...@@ -760,6 +796,11 @@ static int winhttp_connect(
goto on_error; goto on_error;
} }
if (WinHttpSetStatusCallback(t->connection, winhttp_status, WINHTTP_CALLBACK_FLAG_SECURE_FAILURE, 0) == WINHTTP_INVALID_STATUS_CALLBACK) {
giterr_set(GITERR_OS, "failed to set status callback");
goto on_error;
}
error = 0; error = 0;
on_error: on_error:
...@@ -798,16 +839,15 @@ static int send_request(winhttp_stream *s, size_t len, int ignore_length) ...@@ -798,16 +839,15 @@ static int send_request(winhttp_stream *s, size_t len, int ignore_length)
int request_failed = 0, cert_valid = 1, error = 0; int request_failed = 0, cert_valid = 1, error = 0;
DWORD ignore_flags; DWORD ignore_flags;
if ((error = do_send_request(s, len, ignore_length)) < 0) giterr_clear();
request_failed = 1; if ((error = do_send_request(s, len, ignore_length)) < 0) {
if (request_failed) {
if (GetLastError() != ERROR_WINHTTP_SECURE_FAILURE) { if (GetLastError() != ERROR_WINHTTP_SECURE_FAILURE) {
giterr_set(GITERR_OS, "failed to send request"); giterr_set(GITERR_OS, "failed to send request");
return -1; return -1;
} else {
cert_valid = 0;
} }
request_failed = 1;
cert_valid = 0;
} }
giterr_clear(); giterr_clear();
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment