mirror/curl
2
0
Fork 0
mirror of https://github.com/curl/curl.git synced 2025-01-18 14:04:30 +08:00
Code Issues Packages Projects Releases Wiki Activity

quic: set ciphers/curves the same way regular TLS does

Browse Source 
for OpenSSL/BoringSSL

Fixes #11796
Reported-by: Karthikdasari0423 on github
Assisted-by: Jay Satiro
Closes #11836
This commit is contained in:
Daniel Stenberg 2023-09-12 08:01:05 +02:00
parent 1bf2797ba2
commit aa9a6a1770
No known key found for this signature in database
GPG Key ID: 5CC908FDB71E12C2
2 changed files with 32 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
lib/vquic/curl_ngtcp2.c
View File

@ -421,24 +421,24 @@ static CURLcode quic_ssl_ctx(SSL_CTX **pssl_ctx,
SSL_CTX_set_default_verify_paths(ssl_ctx);
#ifdef OPENSSL_IS_BORINGSSL
if(SSL_CTX_set1_curves_list(ssl_ctx, QUIC_GROUPS) != 1) {
failf(data, "SSL_CTX_set1_curves_list failed");
goto out;
}
#else
if(SSL_CTX_set_ciphersuites(ssl_ctx, QUIC_CIPHERS) != 1) {
char error_buffer[256];
ERR_error_string_n(ERR_get_error(), error_buffer, sizeof(error_buffer));
failf(data, "SSL_CTX_set_ciphersuites: %s", error_buffer);
goto out;
{
const char *curves = conn->ssl_config.curves ?
conn->ssl_config.curves : QUIC_GROUPS;
if(!SSL_CTX_set1_curves_list(ssl_ctx, curves)) {
failf(data, "failed setting curves list for QUIC: '%s'", curves);
return CURLE_SSL_CIPHER;
}
}
if(SSL_CTX_set1_groups_list(ssl_ctx, QUIC_GROUPS) != 1) {
failf(data, "SSL_CTX_set1_groups_list failed");
goto out;
{
const char *ciphers13 = conn->ssl_config.cipher_list13 ?
conn->ssl_config.cipher_list13 : QUIC_CIPHERS;
if(SSL_CTX_set_ciphersuites(ssl_ctx, ciphers13) != 1) {
failf(data, "failed setting QUIC cipher suite: %s", ciphers13);
return CURLE_SSL_CIPHER;
}
infof(data, "QUIC cipher selection: %s", ciphers13);
}
#endif
/* Open the file if a TLS or QUIC backend has not done this before. */
Curl_tls_keylog_open();
@ -616,15 +616,19 @@ static CURLcode quic_ssl_ctx(WOLFSSL_CTX **pssl_ctx,
wolfSSL_CTX_set_default_verify_paths(ssl_ctx);
if(wolfSSL_CTX_set_cipher_list(ssl_ctx, QUIC_CIPHERS) != 1) {
if(wolfSSL_CTX_set_cipher_list(ssl_ctx, conn->ssl_config.cipher_list13 ?
conn->ssl_config.cipher_list13 :
QUIC_CIPHERS) != 1) {
char error_buffer[256];
ERR_error_string_n(ERR_get_error(), error_buffer, sizeof(error_buffer));
failf(data, "wolfSSL_CTX_set_cipher_list: %s", error_buffer);
failf(data, "wolfSSL failed to set ciphers: %s", error_buffer);
goto out;
}
if(wolfSSL_CTX_set1_groups_list(ssl_ctx, (char *)QUIC_GROUPS) != 1) {
failf(data, "SSL_CTX_set1_groups_list failed");
if(wolfSSL_CTX_set1_groups_list(ssl_ctx, conn->ssl_config.curves ?
conn->ssl_config.curves :
(char *)QUIC_GROUPS) != 1) {
failf(data, "wolfSSL failed to set curves");
goto out;
}

11
lib/vquic/curl_quiche.c
View File

@ -149,8 +149,8 @@ static CURLcode quic_x509_store_setup(struct Curl_cfilter *cf,
SSL_CTX_set_verify(ctx->sslctx, SSL_VERIFY_PEER, NULL);
/* tell OpenSSL where to find CA certificates that are used to verify
the server's certificate. */
if(!SSL_CTX_load_verify_locations(
ctx->sslctx, ssl_cafile, ssl_capath)) {
if(!SSL_CTX_load_verify_locations(ctx->sslctx, ssl_cafile,
ssl_capath)) {
/* Fail if we insist on successfully verifying the server. */
failf(data, "error setting certificate verify locations:"
" CAfile: %s CApath: %s",
@ -178,6 +178,8 @@ static CURLcode quic_ssl_setup(struct Curl_cfilter *cf, struct Curl_easy *data)
{
struct cf_quiche_ctx *ctx = cf->ctx;
unsigned char checkip[16];
struct connectdata *conn = data->conn;
const char *curves = conn->ssl_config.curves;
DEBUGASSERT(!ctx->sslctx);
ctx->sslctx = SSL_CTX_new(TLS_method());
@ -196,6 +198,11 @@ static CURLcode quic_ssl_setup(struct Curl_cfilter *cf, struct Curl_easy *data)
SSL_CTX_set_keylog_callback(ctx->sslctx, keylog_callback);
}
if(curves && !SSL_CTX_set1_curves_list(ctx->sslctx, curves)) {
failf(data, "failed setting curves list for QUIC: '%s'", curves);
return CURLE_SSL_CIPHER;
}
ctx->ssl = SSL_new(ctx->sslctx);
if(!ctx->ssl)
return CURLE_QUIC_CONNECT_ERROR;