From: Tatsuhiro Tsujikawa
Date: Mon, 28 Feb 2022 12:21:06 +0000 (+0900)
Subject: ngtcp2: add client certificate authentication for OpenSSL
X-Git-Tag: curl-7_83_0~166
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c82b281e1797f639c9bb1fccfe5cef316357a7a2;p=thirdparty%2Fcurl.git
ngtcp2: add client certificate authentication for OpenSSL
Closes #8522
---
diff --git a/lib/vquic/ngtcp2.c b/lib/vquic/ngtcp2.c
index 30596042bc..330c3f4d7e 100644
--- a/lib/vquic/ngtcp2.c
+++ b/lib/vquic/ngtcp2.c
@@ -47,6 +47,7 @@
#include "vquic.h"
#include "h2h3.h"
#include "vtls/keylog.h"
+#include "vtls/vtls.h"
/* The last 3 #include files should be in this order */
#include "curl_printf.h"
@@ -314,6 +315,25 @@ static SSL_CTX *quic_ssl_ctx(struct Curl_easy *data)
return ssl_ctx;
}
+static CURLcode quic_set_client_cert(struct Curl_easy *data,
+ struct quicsocket *qs)
+{
+ struct connectdata *conn = data->conn;
+ SSL_CTX *ssl_ctx = qs->sslctx;
+ char *const ssl_cert = SSL_SET_OPTION(primary.clientcert);
+ const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob);
+ const char *const ssl_cert_type = SSL_SET_OPTION(cert_type);
+
+ if(ssl_cert || ssl_cert_blob || ssl_cert_type) {
+ return Curl_ossl_set_client_cert(
+ data, ssl_ctx, ssl_cert, ssl_cert_blob, ssl_cert_type,
+ SSL_SET_OPTION(key), SSL_SET_OPTION(key_blob),
+ SSL_SET_OPTION(key_type), SSL_SET_OPTION(key_passwd));
+ }
+
+ return CURLE_OK;
+}
+
/** SSL callbacks ***/
static int quic_init_ssl(struct quicsocket *qs)
@@ -786,6 +806,10 @@ CURLcode Curl_quic_connect(struct Curl_easy *data,
qs->sslctx = quic_ssl_ctx(data);
if(!qs->sslctx)
return CURLE_QUIC_CONNECT_ERROR;
+
+ result = quic_set_client_cert(data, qs);
+ if(result)
+ return result;
#endif
if(quic_init_ssl(qs))
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 4618beeb38..2e54ede86f 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
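Review bot: quic_set_client_cert is added without a header comment, and its first local, `struct connectdata *conn = data->conn;`, has no visible use in the body — it is presumably only read by the SSL_SET_OPTION() macro, whose definition lives in the newly included vtls.h rather than in this hunk, so a reader will otherwise take it for dead code. I would put `/* read by the SSL_SET_OPTION() macro below */` on that line and, above the function, a comment saying that it installs the user-configured client certificate and key (cert, cert blob, cert type, key, key blob, key type, key password) into qs->sslctx through the OpenSSL backend, returns CURLE_OK when no client cert is configured, and otherwise propagates the backend's CURLcode. The guard also fires on ssl_cert_type alone, so a configured cert type without a cert or blob still enters the backend call; whether cert_stuff tolerates that combination is outside this diff and worth confirming.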
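Review bot: The new `return result;` exits Curl_quic_connect with qs->sslctx already allocated by quic_ssl_ctx() three lines above and nothing in the hunk releasing it. The existing `if(quic_init_ssl(qs))` failure return just after the hunk has the same shape, so this matches current practice, but the disconnect path that is expected to free qs->sslctx is not visible here and should be confirmed, otherwise every connect that fails on a bad client certificate leaks an SSL_CTX. `result` is also assigned without a visible declaration; it presumably already exists in Curl_quic_connect, whose body starts before this hunk.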
@@ -1167,6 +1167,22 @@ int cert_stuff(struct Curl_easy *data,
return 1;
}
+CURLcode Curl_ossl_set_client_cert(struct Curl_easy *data, SSL_CTX *ctx,
+ char *cert_file,
+ const struct curl_blob *cert_blob,
+ const char *cert_type, char *key_file,
+ const struct curl_blob *key_blob,
+ const char *key_type, char *key_passwd)
+{
+ int rv = cert_stuff(data, ctx, cert_file, cert_blob, cert_type, key_file,
+ key_blob, key_type, key_passwd);
+ if(rv != 1) {
+ return CURLE_SSL_CERTPROBLEM;
+ }
+
+ return CURLE_OK;
+}
+
/* returns non-zero on failure */
static int x509_name_oneline(X509_NAME *a, char *buf, size_t size)
{
diff --git a/lib/vtls/openssl.h b/lib/vtls/openssl.h
index 7df642bc9a..0a7536ea3e 100644
--- a/lib/vtls/openssl.h
+++ b/lib/vtls/openssl.h
@@ -43,5 +43,13 @@ CURLcode Curl_ossl_verifyhost(struct Curl_easy *data, struct connectdata *conn,
struct x509_st *server_cert);
extern const struct Curl_ssl Curl_ssl_openssl;
+struct ssl_ctx_st;
+CURLcode Curl_ossl_set_client_cert(struct Curl_easy *data,
+ struct ssl_ctx_st *ctx, char *cert_file,
+ const struct curl_blob *cert_blob,
+ const char *cert_type, char *key_file,
+ const struct curl_blob *key_blob,
+ const char *key_type, char *key_passwd);
+
#endif /* USE_OPENSSL */
#endif /* HEADER_CURL_SSLUSE_H */
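Review bot: Curl_ossl_set_client_cert is a new non-static entry point with no header comment, and the `rv != 1` test only reads correctly to someone who already knows cert_stuff's success value, which this hunk shows only through the `return 1;` context line at its top. I would comment the function along the lines of `/* Load the configured client cert/key into ctx via cert_stuff(); returns CURLE_SSL_CERTPROBLEM on any failure, CURLE_OK otherwise. */` and name the convention on the test itself: `if(rv != 1) { /* cert_stuff() returns 1 on success */`. Whether every cert_stuff failure should collapse to CURLE_SSL_CERTPROBLEM rather than a more specific code is outside this hunk's view; the existing OpenSSL connect path presumably applies the same mapping, and the two should be kept consistent.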
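Review bot: The prototype spells the context as `struct ssl_ctx_st *ctx` while the definition in openssl.c uses `SSL_CTX *ctx`; that is only compatible because SSL_CTX is OpenSSL's typedef of struct ssl_ctx_st, and nothing in the header records it. A one-line comment on the forward declaration, `struct ssl_ctx_st; /* SSL_CTX; forward-declared like x509_st above so callers need not include OpenSSL headers */`, would explain the mismatch to the next reader and ties it to the existing `struct x509_st *server_cert` pattern visible in the context lines. A short comment on the declaration itself naming the parameters, the CURLE_SSL_CERTPROBLEM failure code and CURLE_OK on success would also help, since the ngtcp2 code in this commit is the first caller outside openssl.c.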