ngtcp2: verify the server certificate for the gnutls case

Closes #8178
2025-04-12 16:20:35 +08:00 · 2021-12-25 16:14:53 +01:00 · 2021-12-25 16:14:53 +01:00 · 8fbd6feddf
commit 8fbd6feddf
parent c148f0f551
3 changed files with 24 additions and 17 deletions
--- a/lib/vquic/ngtcp2.c
+++ b/lib/vquic/ngtcp2.c
@ -32,6 +32,7 @@
 #include "vtls/openssl.h"
 #elif defined(USE_GNUTLS)
 #include <ngtcp2/ngtcp2_crypto_gnutls.h>
+#include "vtls/gtls.h"
 #endif
 #include "urldata.h"
 #include "sendf.h"
@ -1663,6 +1664,7 @@ static ssize_t ngh3_stream_send(struct Curl_easy *data,
 static CURLcode ng_has_connected(struct Curl_easy *data,
                                 struct connectdata *conn, int tempindex)
 {
+  CURLcode result = CURLE_OK;
  conn->recv[FIRSTSOCKET] = ngh3_stream_recv;
  conn->send[FIRSTSOCKET] = ngh3_stream_send;
  conn->handler = &Curl_handler_http3;
@ -1671,8 +1673,8 @@ static CURLcode ng_has_connected(struct Curl_easy *data,
  conn->bundle->multiuse = BUNDLE_MULTIPLEX;
  conn->quic = &conn->hequic[tempindex];

-#ifdef USE_OPENSSL
  if(conn->ssl_config.verifyhost) {
+#ifdef USE_OPENSSL
    X509 *server_cert;
    CURLcode result;
    server_cert = SSL_get_peer_certificate(conn->quic->ssl);
@ -1684,13 +1686,13 @@ static CURLcode ng_has_connected(struct Curl_easy *data,
    if(result)
      return result;
    infof(data, "Verified certificate just fine");
+#else
+    result = Curl_gtls_verifyserver(data, conn, conn->quic->ssl, FIRSTSOCKET);
+#endif
  }
  else
    infof(data, "Skipped certificate verification");
-#else
-  (void)data;
-#endif
-  return CURLE_OK;
+  return result;
 }

 /*
@ -1714,8 +1716,9 @@ CURLcode Curl_quic_is_connected(struct Curl_easy *data,
    goto error;

  if(ngtcp2_conn_get_handshake_completed(qs->qconn)) {
-    *done = TRUE;
    result = ng_has_connected(data, conn, sockindex);
+    if(!result)
+      *done = TRUE;
  }

  return result;
--- a/lib/vtls/gtls.c
+++ b/lib/vtls/gtls.c
@ -808,10 +808,11 @@ static CURLcode pkp_pin_peer_pubkey(struct Curl_easy *data,
 static Curl_recv gtls_recv;
 static Curl_send gtls_send;

-static CURLcode
-gtls_connect_step3(struct Curl_easy *data,
-                   struct connectdata *conn,
-                   int sockindex)
+CURLcode
+Curl_gtls_verifyserver(struct Curl_easy *data,
+                       struct connectdata *conn,
+                       gnutls_session_t session,
+                       int sockindex)
 {
  unsigned int cert_list_size;
  const gnutls_datum_t *chainp;
@ -823,9 +824,6 @@ gtls_connect_step3(struct Curl_easy *data,
  size_t size;
  time_t certclock;
  const char *ptr;
-  struct ssl_connect_data *connssl = &conn->ssl[sockindex];
-  struct ssl_backend_data *backend = connssl->backend;
-  gnutls_session_t session = backend->session;
  int rc;
  gnutls_datum_t proto;
  CURLcode result = CURLE_OK;
@ -1269,8 +1267,6 @@ gtls_connect_step3(struct Curl_easy *data,
  }

  conn->ssl[sockindex].state = ssl_connection_complete;
-  conn->recv[sockindex] = gtls_recv;
-  conn->send[sockindex] = gtls_send;

  if(SSL_SET_OPTION(primary.sessionid)) {
    /* we always unconditionally get the session id here, as even if we
@ -1355,9 +1351,13 @@ gtls_connect_common(struct Curl_easy *data,

  /* Finish connecting once the handshake is done */
  if(ssl_connect_1 == connssl->connecting_state) {
-    rc = gtls_connect_step3(data, conn, sockindex);
+    struct ssl_backend_data *backend = connssl->backend;
+    gnutls_session_t session = backend->session;
+    rc = Curl_gtls_verifyserver(data, conn, session, sockindex);
    if(rc)
      return rc;
+    conn->recv[sockindex] = gtls_recv;
+    conn->send[sockindex] = gtls_send;
  }

  *done = ssl_connect_1 == connssl->connecting_state;
--- a/lib/vtls/gtls.h
+++ b/lib/vtls/gtls.h
@ -7,7 +7,7 @@
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@ -28,6 +28,10 @@

 #include "urldata.h"

+CURLcode
+Curl_gtls_verifyserver(struct Curl_easy *data, struct connectdata *conn,
+                       gnutls_session_t session,
+                       int sockindex);
 extern const struct Curl_ssl Curl_ssl_gnutls;

 #endif /* USE_GNUTLS */