author | Daniel Stenberg <daniel@haxx.se> | 2021-12-25 16:14:53 +0100 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2021-12-25 21:53:51 +0100 |
commit | 08bcfd8b2d0b582b65b2669615139fe17fac05d4 (patch) | |
tree | b97ae1e3b46b871f1c7e57255c9be33be4f558f2 | |
parent | 7dae4f2b5a2c5de0ef39642a046bee80a1b9e8f1 (diff) | |
ngtcp2: verify the server certificate for the gnutls case
bagder/http3-ngtcp2-cacert
-rw-r--r-- | lib/vquic/ngtcp2.c | 15 | ||||
-rw-r--r-- | lib/vtls/gtls.c | 20 | ||||
-rw-r--r-- | lib/vtls/gtls.h | 6 |
3 files changed, 24 insertions, 17 deletions
diff --git a/lib/vquic/ngtcp2.c b/lib/vquic/ngtcp2.c
index b161a5061..1596049b7 100644
--- a/lib/vquic/ngtcp2.c
+++ b/lib/vquic/ngtcp2.c
@@ -32,6 +32,7 @@
 #include "vtls/openssl.h"
 #elif defined(USE_GNUTLS)
 #include <ngtcp2/ngtcp2_crypto_gnutls.h>
+#include "vtls/gtls.h"
 #endif
 #include "urldata.h"
 #include "sendf.h"
@@ -1663,6 +1664,7 @@ static ssize_t ngh3_stream_send(struct Curl_easy *data,
 static CURLcode ng_has_connected(struct Curl_easy *data,
                                  struct connectdata *conn, int tempindex)
 {
+  CURLcode result = CURLE_OK;
   conn->recv[FIRSTSOCKET] = ngh3_stream_recv;
   conn->send[FIRSTSOCKET] = ngh3_stream_send;
   conn->handler = &Curl_handler_http3;
@@ -1671,8 +1673,8 @@ static CURLcode ng_has_connected(struct Curl_easy *data,
   conn->bundle->multiuse = BUNDLE_MULTIPLEX;
   conn->quic = &conn->hequic[tempindex];
-#ifdef USE_OPENSSL
   if(conn->ssl_config.verifyhost) {
+#ifdef USE_OPENSSL
     X509 *server_cert;
     CURLcode result;
     server_cert = SSL_get_peer_certificate(conn->quic->ssl);
@@ -1684,13 +1686,13 @@ static CURLcode ng_has_connected(struct Curl_easy *data,
     if(result)
       return result;
     infof(data, "Verified certificate just fine");
+#else
+    result = Curl_gtls_verifyserver(data, conn, conn->quic->ssl, FIRSTSOCKET);
+#endif
   }
   else
     infof(data, "Skipped certificate verification");
-#else
-  (void)data;
-#endif
-  return CURLE_OK;
+  return result;
 }
 /*
@@ -1714,8 +1716,9 @@ CURLcode Curl_quic_is_connected(struct Curl_easy *data,
     goto error;
   if(ngtcp2_conn_get_handshake_completed(qs->qconn)) {
-    *done = TRUE;
     result = ng_has_connected(data, conn, sockindex);
+    if(!result)
+      *done = TRUE;
   }
   return result;
diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
index 2053fd439..1f95e0118 100644
--- a/lib/vtls/gtls.c
+++ b/lib/vtls/gtls.c
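Review bot: In the gnutls branch added to ng_has_connected, `Curl_gtls_verifyserver` is only reached inside `if(conn->ssl_config.verifyhost) {`, so a handle that has peer verification on but host-name verification off gets no certificate check at all on the QUIC path and logs "Skipped certificate verification"; if Curl_gtls_verifyserver consults the verifypeer/verifyhost options itself, as the gtls_connect_common caller appears to rely on, the call should be made unconditionally or gated on `if(conn->ssl_config.verifypeer || conn->ssl_config.verifyhost) {`. Separately, the `CURLcode result;` kept inside the USE_OPENSSL block now shadows the `result` declared at the top of the function; delete the inner declaration so both backends report through the same variable. ng_has_connected's body is split across the three middle hunks and its OpenSSL verification lines are not all shown.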
@@ -804,10 +804,11 @@ static CURLcode pkp_pin_peer_pubkey(struct Curl_easy *data,
 static Curl_recv gtls_recv;
 static Curl_send gtls_send;
-static CURLcode
-gtls_connect_step3(struct Curl_easy *data,
-                   struct connectdata *conn,
-                   int sockindex)
+CURLcode
+Curl_gtls_verifyserver(struct Curl_easy *data,
+                       struct connectdata *conn,
+                       gnutls_session_t session,
+                       int sockindex)
 {
   unsigned int cert_list_size;
   const gnutls_datum_t *chainp;
@@ -819,9 +820,6 @@ gtls_connect_step3(struct Curl_easy *data,
   size_t size;
   time_t certclock;
   const char *ptr;
-  struct ssl_connect_data *connssl = &conn->ssl[sockindex];
-  struct ssl_backend_data *backend = connssl->backend;
-  gnutls_session_t session = backend->session;
   int rc;
   gnutls_datum_t proto;
   CURLcode result = CURLE_OK;
@@ -1265,8 +1263,6 @@ gtls_connect_step3(struct Curl_easy *data,
   }
   conn->ssl[sockindex].state = ssl_connection_complete;
-  conn->recv[sockindex] = gtls_recv;
-  conn->send[sockindex] = gtls_send;
   if(SSL_SET_OPTION(primary.sessionid)) {
     /* we always unconditionally get the session id here, as even if we
@@ -1351,9 +1347,13 @@ gtls_connect_common(struct Curl_easy *data,
   /* Finish connecting once the handshake is done */
   if(ssl_connect_1 == connssl->connecting_state) {
-    rc = gtls_connect_step3(data, conn, sockindex);
+    struct ssl_backend_data *backend = connssl->backend;
+    gnutls_session_t session = backend->session;
+    rc = Curl_gtls_verifyserver(data, conn, session, sockindex);
     if(rc)
       return rc;
+    conn->recv[sockindex] = gtls_recv;
+    conn->send[sockindex] = gtls_send;
   }
   *done = ssl_connect_1 == connssl->connecting_state;
diff --git a/lib/vtls/gtls.h b/lib/vtls/gtls.h
index 1a146a3a9..226d3aebb 100644
--- a/lib/vtls/gtls.h
+++ b/lib/vtls/gtls.h
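Review bot: Curl_gtls_verifyserver still performs `conn->ssl[sockindex].state = ssl_connection_complete;` (hunk @@ -1265) although the recv/send wiring was moved out to gtls_connect_common; the new QUIC caller passes FIRSTSOCKET, so this presumably marks a conn->ssl[] slot complete that it never set up, and the gnutls session-id caching that follows is also run for the QUIC session. Consider moving that state assignment next to the relocated `conn->recv[sockindex] = gtls_recv;` line in gtls_connect_common, so the exported function only verifies and reports. The body of Curl_gtls_verifyserver between the second and third hunks is not shown here.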
@@ -7,7 +7,7 @@
  * | (__| |_| | _ <| |___
  * \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -28,6 +28,10 @@
 #include "urldata.h"
+CURLcode
+Curl_gtls_verifyserver(struct Curl_easy *data, struct connectdata *conn,
+                       gnutls_session_t session,
+                       int sockindex);
 extern const struct Curl_ssl Curl_ssl_gnutls;
 #endif /* USE_GNUTLS */
|
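Review bot: The newly exported `Curl_gtls_verifyserver` prototype carries no comment, and it is now called from outside vtls (lib/vquic/ngtcp2.c), where its contract is not obvious. Add a short header comment above it, e.g. `/* Verify the server certificate of a gnutls session whose handshake has completed, per the handle's TLS options; on success also marks conn->ssl[sockindex].state complete. Returns CURLE_OK or an error code. */`, and name that sockindex selects the conn->ssl[] slot it updates, since the QUIC caller passes FIRSTSOCKET.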