ngtcp2+quictls: fix cert-status use

icing · bagder · commit 185a05e9431f · 2024-06-28T14:34:51.000+02:00
- add test for --cert-status on all http versions

Reported-by: Dexter Gerig
Fixes #14049
Closes #14050
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
@@ -2285,9 +2285,9 @@ CURLcode Curl_ossl_verifyhost(struct Curl_easy *data, struct connectdata *conn,
 #if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \
   !defined(OPENSSL_NO_OCSP)
 static CURLcode verifystatus(struct Curl_cfilter *cf,
-                             struct Curl_easy *data)
+                             struct Curl_easy *data,
+                             struct ossl_ctx *octx)
 {
-  struct ssl_connect_data *connssl = cf->ctx;
   int i, ocsp_status;
 #if defined(OPENSSL_IS_AWSLC)
   const uint8_t *status;
@@ -2300,14 +2300,14 @@ static CURLcode verifystatus(struct Curl_cfilter *cf,
   OCSP_BASICRESP *br = NULL;
   X509_STORE     *st = NULL;
   STACK_OF(X509) *ch = NULL;
-  struct ossl_ctx *octx = (struct ossl_ctx *)connssl->backend;
   X509 *cert;
   OCSP_CERTID *id = NULL;
   int cert_status, crl_reason;
   ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
   int ret;
   long len;
 
+  (void)cf;
   DEBUGASSERT(octx);
 
   len = (long)SSL_get_tlsext_status_ocsp_resp(octx->ssl, &status);
@@ -4657,7 +4657,7 @@ CURLcode Curl_oss_check_peer_cert(struct Curl_cfilter *cf,
   !defined(OPENSSL_NO_OCSP)
   if(conn_config->verifystatus && !octx->reused_session) {
     /* don't do this after Session ID reuse */
-    result = verifystatus(cf, data);
+    result = verifystatus(cf, data, octx);
     if(result) {
       /* when verifystatus failed, remove the session id from the cache again
          if present */
diff --git a/tests/http/test_17_ssl_use.py b/tests/http/test_17_ssl_use.py
@@ -240,3 +240,20 @@ def test_17_07_ssl_ciphers(self, env: Env, httpd, nghttpx, ciphers, succeed, rep
             assert r.json['SSL_CIPHER'] in cipher_names, f'{r.json}'
         else:
             assert r.exit_code != 0, f'{r}'
+
+    @pytest.mark.parametrize("proto", ['http/1.1', 'h2', 'h3'])
+    def test_17_08_cert_status(self, env: Env, httpd, nghttpx, repeat, proto):
+        if proto == 'h3' and not env.have_h3():
+            pytest.skip("h3 not supported")
+        if not env.curl_uses_lib('openssl') and \
+            not env.curl_uses_lib('gnutls') and \
+            not env.curl_uses_lib('quictls'):
+            pytest.skip("tls library does not support --cert-status")
+        curl = CurlClient(env=env)
+        domain = f'localhost'
+        url = f'https://{env.authority_for(domain, proto)}/'
+        r = curl.http_get(url=url, alpn_proto=proto, extra_args=[
+            '--cert-status'
+        ])
+        # CURLE_SSL_INVALIDCERTSTATUS, our certs have no OCSP info
+        assert r.exit_code == 91, f'{r}'
