From: Stefan Eissing
Date: Fri, 28 Jun 2024 10:10:42 +0000 (+0200)
Subject: ngtcp2+quictls: fix cert-status use
X-Git-Tag: curl-8_9_0~160
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=185a05e9431f918cad50492bb18cd7a2bad017f6;p=thirdparty%2Fcurl.git
ngtcp2+quictls: fix cert-status use
- add test for --cert-status on all http versions
Reported-by: Dexter Gerig
Fixes #14049
Closes #14050
---
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index e96ee73ccc..9e55cc6412 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -2285,9 +2285,9 @@ CURLcode Curl_ossl_verifyhost(struct Curl_easy *data, struct connectdata *conn,
 #if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \
   !defined(OPENSSL_NO_OCSP)
 static CURLcode verifystatus(struct Curl_cfilter *cf,
-                             struct Curl_easy *data)
+                             struct Curl_easy *data,
+                             struct ossl_ctx *octx)
 {
-  struct ssl_connect_data *connssl = cf->ctx;
   int i, ocsp_status;
 #if defined(OPENSSL_IS_AWSLC)
   const uint8_t *status;
@@ -2300,7 +2300,6 @@ static CURLcode verifystatus(struct Curl_cfilter *cf,
   OCSP_BASICRESP *br = NULL;
   X509_STORE *st = NULL;
   STACK_OF(X509) *ch = NULL;
-  struct ossl_ctx *octx = (struct ossl_ctx *)connssl->backend;
   X509 *cert;
   OCSP_CERTID *id = NULL;
   int cert_status, crl_reason;
@@ -2308,6 +2307,7 @@ static CURLcode verifystatus(struct Curl_cfilter *cf,
   int ret;
   long len;
 
+  (void)cf;
   DEBUGASSERT(octx);
 
   len = (long)SSL_get_tlsext_status_ocsp_resp(octx->ssl, &status);
@@ -4657,7 +4657,7 @@ CURLcode Curl_oss_check_peer_cert(struct Curl_cfilter *cf,
   !defined(OPENSSL_NO_OCSP)
   if(conn_config->verifystatus && !octx->reused_session) {
     /* don't do this after Session ID reuse */
-    result = verifystatus(cf, data);
+    result = verifystatus(cf, data, octx);
     if(result) {
       /* when verifystatus failed, remove the session id from the cache again
          if present */
diff --git a/tests/http/test_17_ssl_use.py b/tests/http/test_17_ssl_use.py
index 143b4bb8b7..42d5a9c835 100644
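Review bot: `verifystatus` keeps `cf` in its signature although the body no longer reads it — the new `(void)cf;` in the third hunk is its only remaining use — so the parameter is now a leftover; either drop it from the signature and from the caller in the fourth hunk, or add a comment above the function recording why `octx` is passed explicitly. Something like `/* octx is passed by the caller: cf->ctx is not an ssl_connect_data for every filter that uses this code, so it must not be derived from cf */` would preserve the reason the old `connssl->backend` cast was wrong, which I infer from the commit title rather than from the hunk itself. The body of verifystatus continues past the hunk, and the second hunk is the same fix seen from the other side.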
--- a/tests/http/test_17_ssl_use.py
+++ b/tests/http/test_17_ssl_use.py
@@ -240,3 +240,20 @@ class TestSSLUse:
             assert r.json['SSL_CIPHER'] in cipher_names, f'{r.json}'
         else:
             assert r.exit_code != 0, f'{r}'
+
+    @pytest.mark.parametrize("proto", ['http/1.1', 'h2', 'h3'])
+    def test_17_08_cert_status(self, env: Env, httpd, nghttpx, repeat, proto):
+        if proto == 'h3' and not env.have_h3():
+            pytest.skip("h3 not supported")
+        if not env.curl_uses_lib('openssl') and \
+           not env.curl_uses_lib('gnutls') and \
+           not env.curl_uses_lib('quictls'):
+            pytest.skip("tls library does not support --cert-status")
+        curl = CurlClient(env=env)
+        domain = f'localhost'
+        url = f'https://{env.authority_for(domain, proto)}/'
+        r = curl.http_get(url=url, alpn_proto=proto, extra_args=[
+            '--cert-status'
+        ])
+        # CURLE_SSL_INVALIDCERTSTATUS, our certs have no OCSP info
+        assert r.exit_code == 91, f'{r}'
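Review bot: `test_17_08_cert_status` pins only the failure path — exit code 91 because the test certificates carry no OCSP information — so it cannot tell a correct "no stapled response, reject" from a regression in which verifystatus() rejects every stapled response; if the test httpd can be made to staple a response for one of the protocols, a companion case asserting `r.exit_code == 0` would close that gap, and until then the comment could say explicitly that the positive path is untested. `domain = f'localhost'` is an f-string with no placeholders and should read `domain = 'localhost'`. The skip condition also admits `gnutls` although the fix is in the OpenSSL backend, which is presumably intentional because --cert-status is supported there too. The enclosing class TestSSLUse starts before the hunk.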