From: Daniel Stenberg Date: Mon, 28 Sep 2020 06:30:25 +0000 (+0200) Subject: schannel: return CURLE_PEER_FAILED_VERIFICATION for untrusted root X-Git-Tag: curl-7_73_0~48 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=abeeffb11c996aed90ea465fa2128bfa564a1542;p=thirdparty%2Fcurl.git schannel: return CURLE_PEER_FAILED_VERIFICATION for untrusted root This matches what is returned in other TLS backends in the same situation. Reviewed-by: Jay Satiro Reviewed-by: Emil Engler Follow-up to 5a3efb1 Reported-by: iammrtau on github Fixes #6003 Closes #6018 --- diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c index 1fe9b7b8db..c7e4e793cc 100644 --- a/lib/vtls/schannel.c +++ b/lib/vtls/schannel.c @@ -1181,6 +1181,10 @@ schannel_connect_step2(struct connectdata *conn, int sockindex) failf(data, "schannel: SNI or certificate check failed: %s", Curl_sspi_strerror(sspi_status, buffer, sizeof(buffer))); return CURLE_PEER_FAILED_VERIFICATION; + case SEC_E_UNTRUSTED_ROOT: + failf(data, "schannel: %s", + Curl_sspi_strerror(sspi_status, buffer, sizeof(buffer))); + return CURLE_PEER_FAILED_VERIFICATION; /* case SEC_E_INVALID_HANDLE: case SEC_E_INVALID_TOKEN:
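Review bot: the failf() call in the new SEC_E_UNTRUSTED_ROOT case logs only "schannel: %s", so the message depends entirely on the Curl_sspi_strerror() text to say what went wrong, while the case directly above it adds the context "SNI or certificate check failed". Consider a prefix that names the untrusted root in the same style, so that the two paths returning CURLE_PEER_FAILED_VERIFICATION can be told apart in logs. The new case also repeats the Curl_sspi_strerror(sspi_status, buffer, sizeof(buffer)) call and the return from the case above; that is fine as written, but a short comment saying this status is mapped to match the other TLS backends would keep the reason from the commit message next to the code.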