author | Juliusz Sosinowicz <juliusz@wolfssl.com> | 2024-05-16 20:16:37 +0200 |
committer | Daniel Stenberg <daniel@haxx.se> | 2024-05-16 22:44:29 +0200 |
commit | 4c46e277b2a0c0489de0e0fcb91f315c62f0369c (patch) | |
tree | 6e4f0d117d426e1264fb43f76aa5feb40e6e333f | |
parent | 9e2bd56ec61c03868fb8d777bfd5fe3602f9ddf5 (diff) | |
vquic-tls: use correct cert name check API for wolfSSL
wolfSSL_X509_check_host checks the peer name against the alt names and
the common name.
Fixes #13487
Closes #13680
-rw-r--r-- | docs/TODO | 6 | ||||
-rw-r--r-- | lib/vquic/vquic-tls.c | 16 |
2 files changed, 9 insertions, 13 deletions
@@ -126,7 +126,6 @@ 13.13 Make sure we forbid TLS 1.3 post-handshake authentication 13.14 Support the clienthello extension 13.15 Select signature algorithms - 13.16 QUIC peer verification with wolfSSL 14. GnuTLS 14.2 check connection
@@ -922,11 +921,6 @@ https://github.com/curl/curl/issues/12982 -13.16 QUIC peer verification with wolfSSL - - Peer certificate verification is missing in the QUIC (ngtcp2) implementation - using wolfSSL. - 14. GnuTLS 14.2 check connection
diff --git a/lib/vquic/vquic-tls.c b/lib/vquic/vquic-tls.c
index 90a5044b5..aca18b457 100644
--- a/lib/vquic/vquic-tls.c
+++ b/lib/vquic/vquic-tls.c
@@ -324,13 +324,15 @@ CURLcode Curl_vquic_tls_verify_peer(struct curl_tls_ctx *ctx,
 #elif defined(USE_WOLFSSL)
   (void)data;
   if(conn_config->verifyhost) {
-    /* TODO: this does not really verify the peer certificate.
-     * On TCP connection this works as it is wired into the wolfSSL
-     * connect() implementation and gives a special return code on
-     * such a fail. */
-    if(peer->sni &&
-       wolfSSL_check_domain_name(ctx->ssl, peer->sni) == SSL_FAILURE)
-      return CURLE_PEER_FAILED_VERIFICATION;
+    if(peer->sni) {
+      WOLFSSL_X509* cert = wolfSSL_get_peer_certificate(ctx->ssl);
+      if(wolfSSL_X509_check_host(cert, peer->sni, strlen(peer->sni), 0, NULL)
+         == WOLFSSL_FAILURE) {
+        result = CURLE_PEER_FAILED_VERIFICATION;
+      }
+      wolfSSL_X509_free(cert);
+    }
+
   }
 #endif
   return result;
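Review bot: `wolfSSL_get_peer_certificate` can return NULL when the peer presented no certificate, and the new code in the vquic-tls.c hunk passes that straight into `wolfSSL_X509_check_host` and `wolfSSL_X509_free`, so a missing certificate is rejected only if the library happens to treat a NULL argument as a mismatch. Fail closed explicitly and accept only the success code instead of testing for one failure value: `if(!cert || wolfSSL_X509_check_host(cert, peer->sni, strlen(peer->sni), 0, NULL) != WOLFSSL_SUCCESS) {`. Note also that with `verifyhost` set but `peer->sni` NULL (presumably an IP-literal target, if that is how sni is populated here) the block performs no name check at all and returns `result` unchanged; that was already true before this change, but a comment such as `/* no SNI: nothing to match the certificate against, peer is not name-checked here */` would make the gap visible to the next reader. `Curl_vquic_tls_verify_peer` begins before this hunk, so where `result` is initialised is not visible here.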