SSL Error: Enable OpenSSL hostname verification

Since OpenSSL 1.0.2 there has been hostname verification support
which cURL doesn't turn on for some reason.  Turn it on so that
we get better hostname verification handling.

Signed-off-by: Daniel Silverstone <dsilvers@digital-scurf.org>

content/fetchers/curl.c

@@ -39,6 +39,7 @@
 #include <time.h>
 #include <sys/stat.h>
 #include <openssl/ssl.h>
+#include <openssl/x509v3.h>
 
 #include <libwapcaplet/libwapcaplet.h>
 #include <nsutils/time.h>
@@ -594,6 +595,9 @@ fetch_curl_report_certs_upstream(struct curl_fetch_info *f)
 		case X509_V_ERR_CERT_REVOKED:
 			ssl_certs[depth].err = SSL_CERT_ERR_REVOKED;
 			break;
+		case X509_V_ERR_HOSTNAME_MISMATCH:
+			ssl_certs[depth].err = SSL_CERT_ERR_HOSTNAME_MISMATCH;
+			break;
 		default:
 			ssl_certs[depth].err = SSL_CERT_ERR_UNKNOWN;
 			break;
@@ -689,9 +693,20 @@ static int fetch_curl_cert_verify_callback(X509_STORE_CTX *x509_ctx, void *parm)
 {
 	struct curl_fetch_info *f = (struct curl_fetch_info *) parm;
 	int ok;
+	X509_VERIFY_PARAM *vparam;
+
+	/* Configure the verification parameters to include hostname */
+	vparam = X509_STORE_CTX_get0_param(x509_ctx);
+	X509_VERIFY_PARAM_set_hostflags(vparam, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
+
+	ok = X509_VERIFY_PARAM_set1_host(vparam,
+					 lwc_string_data(f->host),
+					 lwc_string_length(f->host));
 
 	/* Store fetch struct in context for verify callback */
-	ok = X509_STORE_CTX_set_app_data(x509_ctx, parm);
+	if (ok) {
+		ok = X509_STORE_CTX_set_app_data(x509_ctx, parm);
+	}
 
 	/* verify the certificate chain using standard call */
 	if (ok) {
@@ -1181,21 +1196,9 @@ static void fetch_curl_done(CURL *curl_handle, CURLcode result)
 		;
 	} else if (result == CURLE_SSL_PEER_CERTIFICATE ||
 		   result == CURLE_SSL_CACERT) {
-		/*
-		 * curl in 7.63.0 (https://github.com/curl/curl/pull/3291)
-		 *   unified *all* SSL errors into the single
-		 *   CURLE_PEER_FAILED_VERIFICATION depricating
-		 *   CURLE_SSL_PEER_CERTIFICATE and CURLE_SSL_CACERT
-		 *
-		 * This change complete removed the ability to
-		 *   distinguish between certificate errors, host
-		 *   verification errors or any other failure reason
-		 *   using the curl result code.
-		 *
-		 * The result is when certificate error message is
-		 *   sent there is currently no way of informing the
-		 *   llcache about host verification faliures as the
-		 *   certificate chain has no error codes set.
+		/* Some kind of failure has occurred.  If we don't know
+		 * what happened, we'll have reported unknown errors up
+		 * to the user already via the certificate chain error fields.
 		 */
 		cert = true;
 	} else {

include/netsurf/ssl_certs.h

@@ -38,7 +38,7 @@ typedef enum {
 	SSL_CERT_ERR_SELF_SIGNED, /**< This certificate (or the chain) is self signed */
 	SSL_CERT_ERR_CHAIN_SELF_SIGNED, /**< This certificate chain is self signed */
 	SSL_CERT_ERR_REVOKED,	/**< This certificate has been revoked */
-	SSL_CERT_ERR_COMMON_NAME, /**< This certificate host did not match teh server */
+	SSL_CERT_ERR_HOSTNAME_MISMATCH, /**< This certificate host did not match the server */
 } ssl_cert_err;
 
 /**

resources/FatMessages

@@ -1076,7 +1076,7 @@ en.all.SSLCertErrTooOld:The certificate has expired.
 en.all.SSLCertErrSelfSigned:The certificate is self signed.
 en.all.SSLCertErrChainSelfSigned:The certificate chain is self signed.
 en.all.SSLCertErrRevoked:The certificate has been revoked by the issuer.
-en.all.SSLCertErrCommonName:The certificate is for a different host than the server
+en.all.SSLCertErrHostnameMismatch:The certificate is for a different host than the server
 
 
 # SSL certificate viewer

utils/messages.c

@@ -383,9 +383,9 @@ const char *messages_get_sslcode(ssl_cert_err code)
 		/* This certificate has been revoked */
 		return messages_get_ctx("SSLCertErrRevoked", messages_hash);
 
-	case SSL_CERT_ERR_COMMON_NAME:
+	case SSL_CERT_ERR_HOSTNAME_MISMATCH:
 		/* Common name is invalid */
-		return messages_get_ctx("SSLCertErrCommonName", messages_hash);
+		return messages_get_ctx("SSLCertErrHostnameMismatch", messages_hash);
 
 	}