ngtcp2: verify the server certificate for the gnutls case

Closes #8178
This commit is contained in:
Daniel Stenberg 2021-12-25 16:14:53 +01:00
parent c148f0f551
commit 8fbd6feddf
No known key found for this signature in database
GPG Key ID: 5CC908FDB71E12C2
3 changed files with 24 additions and 17 deletions


@ -32,6 +32,7 @@
#include "vtls/openssl.h" #include "vtls/openssl.h"
#elif defined(USE_GNUTLS) #elif defined(USE_GNUTLS)
#include <ngtcp2/ngtcp2_crypto_gnutls.h> #include <ngtcp2/ngtcp2_crypto_gnutls.h>
#include "vtls/gtls.h"
#endif #endif
#include "urldata.h" #include "urldata.h"
#include "sendf.h" #include "sendf.h"
@ -1663,6 +1664,7 @@ static ssize_t ngh3_stream_send(struct Curl_easy *data,
static CURLcode ng_has_connected(struct Curl_easy *data, static CURLcode ng_has_connected(struct Curl_easy *data,
struct connectdata *conn, int tempindex) struct connectdata *conn, int tempindex)
{ {
CURLcode result = CURLE_OK;
conn->recv[FIRSTSOCKET] = ngh3_stream_recv; conn->recv[FIRSTSOCKET] = ngh3_stream_recv;
conn->send[FIRSTSOCKET] = ngh3_stream_send; conn->send[FIRSTSOCKET] = ngh3_stream_send;
conn->handler = &Curl_handler_http3; conn->handler = &Curl_handler_http3;
@ -1671,8 +1673,8 @@ static CURLcode ng_has_connected(struct Curl_easy *data,
conn->bundle->multiuse = BUNDLE_MULTIPLEX; conn->bundle->multiuse = BUNDLE_MULTIPLEX;
conn->quic = &conn->hequic[tempindex]; conn->quic = &conn->hequic[tempindex];
#ifdef USE_OPENSSL
if(conn->ssl_config.verifyhost) { if(conn->ssl_config.verifyhost) {
#ifdef USE_OPENSSL
X509 *server_cert; X509 *server_cert;
CURLcode result; CURLcode result;
server_cert = SSL_get_peer_certificate(conn->quic->ssl); server_cert = SSL_get_peer_certificate(conn->quic->ssl);
@ -1684,13 +1686,13 @@ static CURLcode ng_has_connected(struct Curl_easy *data,
if(result) if(result)
return result; return result;
infof(data, "Verified certificate just fine"); infof(data, "Verified certificate just fine");
#else
result = Curl_gtls_verifyserver(data, conn, conn->quic->ssl, FIRSTSOCKET);
#endif
} }
else else
infof(data, "Skipped certificate verification"); infof(data, "Skipped certificate verification");
#else return result;
(void)data;
#endif
return CURLE_OK;
} }
/* /*
@ -1714,8 +1716,9 @@ CURLcode Curl_quic_is_connected(struct Curl_easy *data,
goto error; goto error;
if(ngtcp2_conn_get_handshake_completed(qs->qconn)) { if(ngtcp2_conn_get_handshake_completed(qs->qconn)) {
*done = TRUE;
result = ng_has_connected(data, conn, sockindex); result = ng_has_connected(data, conn, sockindex);
if(!result)
*done = TRUE;
} }
return result; return result;
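Review bot: The new GnuTLS call `result = Curl_gtls_verifyserver(data, conn, conn->quic->ssl, FIRSTSOCKET);` sits under the pre-existing `if(conn->ssl_config.verifyhost)` guard, so an HTTP/3 transfer with host-name checking turned off but `verifypeer` left on gets no certificate verification at all and merely logs "Skipped certificate verification". Curl_gtls_verifyserver is the renamed gtls_connect_step3 that the regular TLS connect path runs unconditionally (see the gtls.c hunks), and it presumably honours verifypeer/verifyhost itself, so for the GnuTLS branch the guard could be widened to `if(conn->ssl_config.verifyhost || conn->ssl_config.verifypeer)` or dropped in favour of the callee's own checks — worth confirming which flags the callee reads before choosing. Separately, the OpenSSL branch keeps its own `CURLcode result;` (the unchanged line after `X509 *server_cert;`), which now shadows the `result` declared at the top of ng_has_connected; deleting that inner declaration avoids a -Wshadow warning without changing behaviour. ng_has_connected's body, and Curl_quic_is_connected in the last hunk, continue outside what is shown.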


@ -808,10 +808,11 @@ static CURLcode pkp_pin_peer_pubkey(struct Curl_easy *data,
static Curl_recv gtls_recv; static Curl_recv gtls_recv;
static Curl_send gtls_send; static Curl_send gtls_send;
static CURLcode CURLcode
gtls_connect_step3(struct Curl_easy *data, Curl_gtls_verifyserver(struct Curl_easy *data,
struct connectdata *conn, struct connectdata *conn,
int sockindex) gnutls_session_t session,
int sockindex)
{ {
unsigned int cert_list_size; unsigned int cert_list_size;
const gnutls_datum_t *chainp; const gnutls_datum_t *chainp;
@ -823,9 +824,6 @@ gtls_connect_step3(struct Curl_easy *data,
size_t size; size_t size;
time_t certclock; time_t certclock;
const char *ptr; const char *ptr;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
struct ssl_backend_data *backend = connssl->backend;
gnutls_session_t session = backend->session;
int rc; int rc;
gnutls_datum_t proto; gnutls_datum_t proto;
CURLcode result = CURLE_OK; CURLcode result = CURLE_OK;
@ -1269,8 +1267,6 @@ gtls_connect_step3(struct Curl_easy *data,
} }
conn->ssl[sockindex].state = ssl_connection_complete; conn->ssl[sockindex].state = ssl_connection_complete;
conn->recv[sockindex] = gtls_recv;
conn->send[sockindex] = gtls_send;
if(SSL_SET_OPTION(primary.sessionid)) { if(SSL_SET_OPTION(primary.sessionid)) {
/* we always unconditionally get the session id here, as even if we /* we always unconditionally get the session id here, as even if we
@ -1355,9 +1351,13 @@ gtls_connect_common(struct Curl_easy *data,
/* Finish connecting once the handshake is done */ /* Finish connecting once the handshake is done */
if(ssl_connect_1 == connssl->connecting_state) { if(ssl_connect_1 == connssl->connecting_state) {
rc = gtls_connect_step3(data, conn, sockindex); struct ssl_backend_data *backend = connssl->backend;
gnutls_session_t session = backend->session;
rc = Curl_gtls_verifyserver(data, conn, session, sockindex);
if(rc) if(rc)
return rc; return rc;
conn->recv[sockindex] = gtls_recv;
conn->send[sockindex] = gtls_send;
} }
*done = ssl_connect_1 == connssl->connecting_state; *done = ssl_connect_1 == connssl->connecting_state;
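Review bot: `conn->ssl[sockindex].state = ssl_connection_complete;` is left inside the renamed Curl_gtls_verifyserver (third hunk), so the new QUIC caller in ngtcp2.c now marks `conn->ssl[FIRSTSOCKET]` as a completed TLS connection even though that struct's backend was never set up for HTTP/3; any code that keys on that state (shutdown or close paths, for instance) could then treat the QUIC connection as owning a live GnuTLS backend, which I cannot confirm from the visible lines. The recv/send assignments were already moved out to gtls_connect_common in the last hunk, and the state write belongs with them: remove it from Curl_gtls_verifyserver and add `conn->ssl[sockindex].state = ssl_connection_complete;` directly before `conn->recv[sockindex] = gtls_recv;`. The session-id block that follows (`if(SSL_SET_OPTION(primary.sessionid))`) is likewise now reached from the QUIC path; whether that is safe depends on what it reads from `connssl->backend`, which is outside the hunk. Curl_gtls_verifyserver spans several hunks and its end is not shown.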


@ -7,7 +7,7 @@
* | (__| |_| | _ <| |___ * | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____| * \___|\___/|_| \_\_____|
* *
* Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al. * Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
* *
* This software is licensed as described in the file COPYING, which * This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms * you should have received as part of this distribution. The terms
@ -28,6 +28,10 @@
#include "urldata.h" #include "urldata.h"
CURLcode
Curl_gtls_verifyserver(struct Curl_easy *data, struct connectdata *conn,
gnutls_session_t session,
int sockindex);
extern const struct Curl_ssl Curl_ssl_gnutls; extern const struct Curl_ssl Curl_ssl_gnutls;
#endif /* USE_GNUTLS */ #endif /* USE_GNUTLS */
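Review bot: The new prototype `Curl_gtls_verifyserver` is now exported to a second translation unit (ngtcp2.c) without a comment stating its contract, in particular that it is the TLS connect path's post-handshake step and not a pure check. I would add above it a short comment along the lines of `/* Verify the server certificate of a handshake-completed GnuTLS session according to data's TLS settings. On success marks conn->ssl[sockindex].state as ssl_connection_complete. session is passed explicitly so a caller (QUIC) can verify a session not held in conn->ssl[sockindex].backend. */`. The state side effect is taken from the gtls.c hunk; if it is later moved out of the function, the comment should be trimmed to match.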