ngtcp2+quictls: fix cert-status use

- add test for --cert-status on all http versions Reported-by: Dexter Gerig Fixes #14049 Closes #14050
2025-02-23 15:10:03 +08:00 · 2024-06-28 12:10:42 +02:00 · 2024-06-28 12:10:42 +02:00 · 185a05e943
commit 185a05e943
parent 6e95e3f7af
2 changed files with 21 additions and 4 deletions
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@ -2285,9 +2285,9 @@ CURLcode Curl_ossl_verifyhost(struct Curl_easy *data, struct connectdata *conn,
 #if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \
  !defined(OPENSSL_NO_OCSP)
 static CURLcode verifystatus(struct Curl_cfilter *cf,
-                             struct Curl_easy *data)
+                             struct Curl_easy *data,
+                             struct ossl_ctx *octx)
 {
-  struct ssl_connect_data *connssl = cf->ctx;
  int i, ocsp_status;
 #if defined(OPENSSL_IS_AWSLC)
  const uint8_t *status;
@ -2300,7 +2300,6 @@ static CURLcode verifystatus(struct Curl_cfilter *cf,
  OCSP_BASICRESP *br = NULL;
  X509_STORE     *st = NULL;
  STACK_OF(X509) *ch = NULL;
-  struct ossl_ctx *octx = (struct ossl_ctx *)connssl->backend;
  X509 *cert;
  OCSP_CERTID *id = NULL;
  int cert_status, crl_reason;
@ -2308,6 +2307,7 @@ static CURLcode verifystatus(struct Curl_cfilter *cf,
  int ret;
  long len;

+  (void)cf;
  DEBUGASSERT(octx);

  len = (long)SSL_get_tlsext_status_ocsp_resp(octx->ssl, &status);
@ -4657,7 +4657,7 @@ CURLcode Curl_oss_check_peer_cert(struct Curl_cfilter *cf,
  !defined(OPENSSL_NO_OCSP)
  if(conn_config->verifystatus && !octx->reused_session) {
    /* don't do this after Session ID reuse */
-    result = verifystatus(cf, data);
+    result = verifystatus(cf, data, octx);
    if(result) {
      /* when verifystatus failed, remove the session id from the cache again
         if present */
--- a/tests/http/test_17_ssl_use.py
+++ b/tests/http/test_17_ssl_use.py
@ -240,3 +240,20 @@ class TestSSLUse:
            assert r.json['SSL_CIPHER'] in cipher_names, f'{r.json}'
        else:
            assert r.exit_code != 0, f'{r}'
+
+    @pytest.mark.parametrize("proto", ['http/1.1', 'h2', 'h3'])
+    def test_17_08_cert_status(self, env: Env, httpd, nghttpx, repeat, proto):
+        if proto == 'h3' and not env.have_h3():
+            pytest.skip("h3 not supported")
+        if not env.curl_uses_lib('openssl') and \
+            not env.curl_uses_lib('gnutls') and \
+            not env.curl_uses_lib('quictls'):
+            pytest.skip("tls library does not support --cert-status")
+        curl = CurlClient(env=env)
+        domain = f'localhost'
+        url = f'https://{env.authority_for(domain, proto)}/'
+        r = curl.http_get(url=url, alpn_proto=proto, extra_args=[
+            '--cert-status'
+        ])
+        # CURLE_SSL_INVALIDCERTSTATUS, our certs have no OCSP info
+        assert r.exit_code == 91, f'{r}'