Fix bug in ssl_get_verify_result()
diff --git a/ChangeLog b/ChangeLog
index d9716df..b43a5d8 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -50,6 +50,8 @@
* Fix unchecked return code in x509_crt_parse_path() on Windows (found by
Peter Vaskovic).
* Fix assembly selection for MIPS64 (thanks to James Cowgill).
+ * ssl_get_verify_result() now works even if the handshake was aborted due
+ to a failed verification (found by Fredrik Axelsson).
Changes
* Use deterministic nonces for AEAD ciphers in TLS by default (possible to
diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h
index efeece5..189af05 100644
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@@ -1710,11 +1710,11 @@
*
* \param ssl SSL context
*
- * \return 0 if successful, or a combination of:
- * BADCERT_EXPIRED
- * BADCERT_REVOKED
- * BADCERT_CN_MISMATCH
- * BADCERT_NOT_TRUSTED
+ * \return 0 if successful,
+ * -1 if result is not available (eg because the handshake was
+ * aborted too early), or
+ * a combination of BADCERT_xxx and BADCRL_xxx flags, see
+ * x509.h
*/
int ssl_get_verify_result( const ssl_context *ssl );
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index fceb9b8..7383e1c 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -4336,7 +4336,13 @@
int ssl_get_verify_result( const ssl_context *ssl )
{
- return( ssl->session->verify_result );
+ if( ssl->session != NULL )
+ return( ssl->session->verify_result );
+
+ if( ssl->session_negotiate != NULL )
+ return( ssl->session_negotiate->verify_result );
+
+ return( -1 );
}
const char *ssl_get_ciphersuite( const ssl_context *ssl )
