authorJuliusz Sosinowicz <juliusz@wolfssl.com>2024-05-16 20:16:37 +0200
committerDaniel Stenberg <daniel@haxx.se>2024-05-16 22:44:29 +0200
commit4c46e277b2a0c0489de0e0fcb91f315c62f0369c (patch)
tree6e4f0d117d426e1264fb43f76aa5feb40e6e333f
parent9e2bd56ec61c03868fb8d777bfd5fe3602f9ddf5 (diff)
downloadcurl-4c46e277b2a0c0489de0e0fcb91f315c62f0369c.tar.gz
vquic-tls: use correct cert name check API for wolfSSL
wolfSSL_X509_check_host checks the peer name against the alt names and the common name. Fixes #13487 Closes #13680
-rw-r--r--docs/TODO6
-rw-r--r--lib/vquic/vquic-tls.c16
2 files changed, 9 insertions, 13 deletions
diff --git a/docs/TODO b/docs/TODO
index f5838afed..e5bf09243 100644
--- a/docs/TODO
+++ b/docs/TODO
@@ -126,7 +126,6 @@
13.13 Make sure we forbid TLS 1.3 post-handshake authentication
13.14 Support the clienthello extension
13.15 Select signature algorithms
- 13.16 QUIC peer verification with wolfSSL
14. GnuTLS
14.2 check connection
@@ -922,11 +921,6 @@
https://github.com/curl/curl/issues/12982
-13.16 QUIC peer verification with wolfSSL
-
- Peer certificate verification is missing in the QUIC (ngtcp2) implementation
- using wolfSSL.
-
14. GnuTLS
14.2 check connection
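--- a/lib/vquic/vquic-tls.c
+++ b/lib/vquic/vquic-tls.c
@@ -324,13 +324,15 @@ CURLcode Curl_vquic_tls_verify_peer(struct curl_tls_ctx *ctx,
 #elif defined(USE_WOLFSSL)
 (void)data;
 if(conn_config->verifyhost) {
-/* TODO: this does not really verify the peer certificate.
-* On TCP connection this works as it is wired into the wolfSSL
-* connect() implementation and gives a special return code on
-* such a fail. */
-if(peer->sni &&
-wolfSSL_check_domain_name(ctx->ssl, peer->sni) == SSL_FAILURE)
-return CURLE_PEER_FAILED_VERIFICATION;
+if(peer->sni) {
+WOLFSSL_X509* cert = wolfSSL_get_peer_certificate(ctx->ssl);
+if(wolfSSL_X509_check_host(cert, peer->sni, strlen(peer->sni), 0, NULL)
+== WOLFSSL_FAILURE) {
+result = CURLE_PEER_FAILED_VERIFICATION;
+}
+wolfSSL_X509_free(cert);
+}
+
 }
 #endif
 return result;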
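Review bot: The new `== WOLFSSL_FAILURE` comparison on the wolfSSL_X509_check_host line fails open for any return value other than WOLFSSL_FAILURE, and `cert` from wolfSSL_get_peer_certificate is handed to the check without a NULL test, so the hunk depends on the library rejecting a NULL certificate internally rather than on a visible check at the call site. Testing for explicit success keeps the host-name verification fail-closed and makes the missing-certificate case obvious: `if(!cert || wolfSSL_X509_check_host(cert, peer->sni, strlen(peer->sni), 0, NULL) != WOLFSSL_SUCCESS) {`, with the `result = CURLE_PEER_FAILED_VERIFICATION;` assignment and the `wolfSSL_X509_free(cert);` call unchanged (free accepts NULL). The blank line added just before the closing brace of the `verifyhost` block looks unintentional. Curl_vquic_tls_verify_peer begins before the hunk, so the initialisation of `result` that the new code now relies on instead of an early return is not visible here.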