From: Juliusz Sosinowicz Date: Thu, 16 May 2024 18:16:37 +0000 (+0200) Subject: vquic-tls: use correct cert name check API for wolfSSL X-Git-Tag: curl-8_8_0~29 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4c46e277b2a0c0489de0e0fcb91f315c62f0369c;p=thirdparty%2Fcurl.git vquic-tls: use correct cert name check API for wolfSSL wolfSSL_X509_check_host checks the peer name against the alt names and the common name. Fixes #13487 Closes #13680 --- diff --git a/docs/TODO b/docs/TODO index f5838afedf..e5bf092433 100644 --- a/docs/TODO +++ b/docs/TODO @@ -126,7 +126,6 @@ 13.13 Make sure we forbid TLS 1.3 post-handshake authentication 13.14 Support the clienthello extension 13.15 Select signature algorithms - 13.16 QUIC peer verification with wolfSSL 14. GnuTLS 14.2 check connection @@ -922,11 +921,6 @@ https://github.com/curl/curl/issues/12982 -13.16 QUIC peer verification with wolfSSL - - Peer certificate verification is missing in the QUIC (ngtcp2) implementation - using wolfSSL. - 14. GnuTLS 14.2 check connection diff --git a/lib/vquic/vquic-tls.c b/lib/vquic/vquic-tls.c index 90a5044b5c..aca18b4570 100644 --- a/lib/vquic/vquic-tls.c +++ b/lib/vquic/vquic-tls.c @@ -324,13 +324,15 @@ CURLcode Curl_vquic_tls_verify_peer(struct curl_tls_ctx *ctx, #elif defined(USE_WOLFSSL) (void)data; if(conn_config->verifyhost) { - /* TODO: this does not really verify the peer certificate. - * On TCP connection this works as it is wired into the wolfSSL - * connect() implementation and gives a special return code on - * such a fail. */ - if(peer->sni && - wolfSSL_check_domain_name(ctx->ssl, peer->sni) == SSL_FAILURE) - return CURLE_PEER_FAILED_VERIFICATION; + if(peer->sni) { + WOLFSSL_X509* cert = wolfSSL_get_peer_certificate(ctx->ssl); + if(wolfSSL_X509_check_host(cert, peer->sni, strlen(peer->sni), 0, NULL) + == WOLFSSL_FAILURE) { + result = CURLE_PEER_FAILED_VERIFICATION; + } + wolfSSL_X509_free(cert); + } + } #endif return result;
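Review bot: In the lib/vquic/vquic-tls.c hunk, the new `if(peer->sni)` branch leaves `result` untouched when no SNI name is available (for example an IP-literal host, for which no SNI is sent), so with `verifyhost` set the peer certificate is never matched against anything in that case and the function still returns success; either verify against the connection's address in that branch or fail closed instead of silently skipping the check. Two smaller points on the same lines: `wolfSSL_get_peer_certificate()` can return NULL when the peer presented no certificate, and unless wolfSSL is documented to treat a NULL certificate as a failed `wolfSSL_X509_check_host()` an explicit `if(!cert) { result = CURLE_PEER_FAILED_VERIFICATION; }` before the call makes the intent unambiguous; and `(void)data;` is kept although a `failf(data, ...)` on the failure path would give the user a diagnostic for why `CURLE_PEER_FAILED_VERIFICATION` was returned. The `strlen(peer->sni)`, flags `0` and NULL `peername` arguments, and the switch from `SSL_FAILURE` to `WOLFSSL_FAILURE` for the comparison, look correct.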