Fix bug in ssl_get_verify_result()

ChangeLog

@@ -50,6 +50,8 @@ Bugfix
    * Fix unchecked return code in x509_crt_parse_path() on Windows (found by
      Peter Vaskovic).
    * Fix assembly selection for MIPS64 (thanks to James Cowgill).
+   * ssl_get_verify_result() now works even if the handshake was aborted due
+     to a failed verification (found by Fredrik Axelsson).
 
 Changes
    * Use deterministic nonces for AEAD ciphers in TLS by default (possible to

include/polarssl/ssl.h

@@ -1710,11 +1710,11 @@ size_t ssl_get_bytes_avail( const ssl_context *ssl );
  *
  * \param ssl      SSL context
  *
- * \return         0 if successful, or a combination of:
- *                      BADCERT_EXPIRED
- *                      BADCERT_REVOKED
- *                      BADCERT_CN_MISMATCH
- *                      BADCERT_NOT_TRUSTED
+ * \return         0 if successful,
+ *                 -1 if result is not available (eg because the handshake was
+ *                 aborted too early), or
+ *                 a combination of BADCERT_xxx and BADCRL_xxx flags, see
+ *                 x509.h
  */
 int ssl_get_verify_result( const ssl_context *ssl );
 

library/ssl_tls.c

@@ -4336,7 +4336,13 @@ size_t ssl_get_bytes_avail( const ssl_context *ssl )
 
 int ssl_get_verify_result( const ssl_context *ssl )
 {
+    if( ssl->session != NULL )
         return( ssl->session->verify_result );
+
+    if( ssl->session_negotiate != NULL )
+        return( ssl->session_negotiate->verify_result );
+
+    return( -1 );
 }
 
 const char *ssl_get_ciphersuite( const ssl_context *ssl )