authorDaniel Stenberg <daniel@haxx.se>2021-12-23 10:24:31 +0100
committerDaniel Stenberg <daniel@haxx.se>2021-12-28 23:34:23 +0100
commitc148f0f551f9bea0e3d08f5747b3fe58b811a011 (patch)
tree285501c4a1f53c3f6b34e5221eebbf4bf1de2f36 /lib/vtls
parent1914465cf180d32b3dfff9c4da15c19363075082 (diff)
downloadcurl-c148f0f551f9bea0e3d08f5747b3fe58b811a011.tar.gz
ngtcp2: verify the server cert on connect (quictls)
Make ngtcp2+quictls correctly acknowledge `CURLOPT_SSL_VERIFYPEER` and `CURLOPT_SSL_VERIFYHOST`. The name check now uses a function from lib/vtls/openssl.c which will need attention for when TLS is not done by OpenSSL or is disabled while QUIC is enabled. Possibly the servercert() function in openssl.c should be adjusted to be able to use for both regular TLS and QUIC. Ref: #8173 Closes #8178
Diffstat (limited to 'lib/vtls')
-rw-r--r--lib/vtls/openssl.c7
-rw-r--r--lib/vtls/openssl.h8
2 files changed, 10 insertions, 5 deletions
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 8fce068e4..e508d4813 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -1673,9 +1673,10 @@ static bool subj_alt_hostcheck(struct Curl_easy *data,
hostname. In this case, the iPAddress subjectAltName must be present
in the certificate and must exactly match the IP in the URI.
+ This function is now used from ngtcp2 (QUIC) as well.
*/
-static CURLcode verifyhost(struct Curl_easy *data, struct connectdata *conn,
- X509 *server_cert)
+CURLcode Curl_ossl_verifyhost(struct Curl_easy *data, struct connectdata *conn,
+ X509 *server_cert)
{
bool matched = FALSE;
int target = GEN_DNS; /* target type, GEN_DNS or GEN_IPADD */
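Review bot: The line added to the function's doc block, `This function is now used from ngtcp2 (QUIC) as well.`, is a changelog note rather than documentation: it names the new caller but says nothing about what a second caller has to keep to, and the "now" will read oddly once the QUIC path is the established user. Since the function has just gone from static to exported, the comment should state the contract instead, modelled on how servercert() in openssl.c uses it, e.g. `Exported so the QUIC (ngtcp2) code path can share it with servercert(). Callers must invoke it only when verifyhost is enabled for the connection, and must abort the connection on any result other than CURLE_OK; this checks the name only, it does not verify the chain.` That the chain is verified separately is my inference from the function's purpose and the surrounding comment, so confirm it before wording the comment that way. The body of Curl_ossl_verifyhost continues beyond the end of this hunk.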
@@ -3923,7 +3924,7 @@ static CURLcode servercert(struct Curl_easy *data,
BIO_free(mem);
if(SSL_CONN_CONFIG(verifyhost)) {
- result = verifyhost(data, conn, backend->server_cert);
+ result = Curl_ossl_verifyhost(data, conn, backend->server_cert);
if(result) {
X509_free(backend->server_cert);
backend->server_cert = NULL;
diff --git a/lib/vtls/openssl.h b/lib/vtls/openssl.h
index 2f6e1b2db..28058453c 100644
--- a/lib/vtls/openssl.h
+++ b/lib/vtls/openssl.h
@@ -7,7 +7,7 @@
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
- * Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
@@ -26,11 +26,15 @@
#ifdef USE_OPENSSL
/*
- * This header should only be needed to get included by vtls.c and openssl.c
+ * This header should only be needed to get included by vtls.c, openssl.c
+ * and ngtcp2.c
*/
+#include <openssl/x509v3.h>
#include "urldata.h"
+CURLcode Curl_ossl_verifyhost(struct Curl_easy *data, struct connectdata *conn,
+ X509 *server_cert);
extern const struct Curl_ssl Curl_ssl_openssl;
#endif /* USE_OPENSSL */
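Review bot: The new prototype for Curl_ossl_verifyhost is declared without any description of its contract, and since this header is what ngtcp2.c will compile against, it is where the QUIC caller will look for one. I would put a comment above the declaration along the lines of `Check that server_cert matches the hostname of conn (subjectAltName first, per the rules documented in openssl.c). Returns CURLE_OK on a match; any other CURLcode is a verification failure the caller must treat as fatal for the connection. Only call when verifyhost is enabled.` A smaller point: the declaration needs only the `X509` type, which `<openssl/x509.h>` already provides, so `<openssl/x509v3.h>` is a heavier include than this header requires unless ngtcp2.c is relying on getting the v3 extension API transitively through it.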