From 44f3846727d35ab17be3f779caa4a33548cdc152 Mon Sep 17 00:00:00 2001
From: Daniel Silverstone <dsilvers@digital-scurf.org>
Date: Wed, 14 Aug 2019 20:11:11 +0100
Subject: SSL Error: Enable OpenSSL hostname verification

Since OpenSSL 1.0.2 there has been hostname verification support
which cURL doesn't turn on for some reason.  Turn it on so that
we get better hostname verification handling.

Signed-off-by: Daniel Silverstone <dsilvers@digital-scurf.org>
---
 content/fetchers/curl.c     | 35 +++++++++++++++++++----------------
 include/netsurf/ssl_certs.h |  2 +-
 resources/FatMessages       |  2 +-
 utils/messages.c            |  4 ++--
 4 files changed, 23 insertions(+), 20 deletions(-)

diff --git a/content/fetchers/curl.c b/content/fetchers/curl.c
index db41b32cb..50c5d6473 100644
--- a/content/fetchers/curl.c
+++ b/content/fetchers/curl.c
@@ -39,6 +39,7 @@
 #include <time.h>
 #include <sys/stat.h>
 #include <openssl/ssl.h>
+#include <openssl/x509v3.h>
 
 #include <libwapcaplet/libwapcaplet.h>
 #include <nsutils/time.h>
@@ -594,6 +595,9 @@ fetch_curl_report_certs_upstream(struct curl_fetch_info *f)
 		case X509_V_ERR_CERT_REVOKED:
 			ssl_certs[depth].err = SSL_CERT_ERR_REVOKED;
 			break;
+		case X509_V_ERR_HOSTNAME_MISMATCH:
+			ssl_certs[depth].err = SSL_CERT_ERR_HOSTNAME_MISMATCH;
+			break;
 		default:
 			ssl_certs[depth].err = SSL_CERT_ERR_UNKNOWN;
 			break;
@@ -689,9 +693,20 @@ static int fetch_curl_cert_verify_callback(X509_STORE_CTX *x509_ctx, void *parm)
 {
 	struct curl_fetch_info *f = (struct curl_fetch_info *) parm;
 	int ok;
+	X509_VERIFY_PARAM *vparam;
+
+	/* Configure the verification parameters to include hostname */
+	vparam = X509_STORE_CTX_get0_param(x509_ctx);
+	X509_VERIFY_PARAM_set_hostflags(vparam, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
+
+	ok = X509_VERIFY_PARAM_set1_host(vparam,
+					 lwc_string_data(f->host),
+					 lwc_string_length(f->host));
 
 	/* Store fetch struct in context for verify callback */
-	ok = X509_STORE_CTX_set_app_data(x509_ctx, parm);
+	if (ok) {
+		ok = X509_STORE_CTX_set_app_data(x509_ctx, parm);
+	}
 
 	/* verify the certificate chain using standard call */
 	if (ok) {
@@ -1181,21 +1196,9 @@ static void fetch_curl_done(CURL *curl_handle, CURLcode result)
 		;
 	} else if (result == CURLE_SSL_PEER_CERTIFICATE ||
 		   result == CURLE_SSL_CACERT) {
-		/*
-		 * curl in 7.63.0 (https://github.com/curl/curl/pull/3291)
-		 *   unified *all* SSL errors into the single
-		 *   CURLE_PEER_FAILED_VERIFICATION depricating
-		 *   CURLE_SSL_PEER_CERTIFICATE and CURLE_SSL_CACERT
-		 *
-		 * This change complete removed the ability to
-		 *   distinguish between certificate errors, host
-		 *   verification errors or any other failure reason
-		 *   using the curl result code.
-		 *
-		 * The result is when certificate error message is
-		 *   sent there is currently no way of informing the
-		 *   llcache about host verification faliures as the
-		 *   certificate chain has no error codes set.
+		/* Some kind of failure has occurred.  If we don't know
+		 * what happened, we'll have reported unknown errors up
+		 * to the user already via the certificate chain error fields.
 		 */
 		cert = true;
 	} else {
diff --git a/include/netsurf/ssl_certs.h b/include/netsurf/ssl_certs.h
index c77c2996d..7e933b10c 100644
--- a/include/netsurf/ssl_certs.h
+++ b/include/netsurf/ssl_certs.h
@@ -38,7 +38,7 @@ typedef enum {
 	SSL_CERT_ERR_SELF_SIGNED, /**< This certificate (or the chain) is self signed */
 	SSL_CERT_ERR_CHAIN_SELF_SIGNED, /**< This certificate chain is self signed */
 	SSL_CERT_ERR_REVOKED,	/**< This certificate has been revoked */
-	SSL_CERT_ERR_COMMON_NAME, /**< This certificate host did not match teh server */
+	SSL_CERT_ERR_HOSTNAME_MISMATCH, /**< This certificate host did not match the server */
 } ssl_cert_err;
 
 /**
diff --git a/resources/FatMessages b/resources/FatMessages
index 7dd39700b..54c69b8a5 100644
--- a/resources/FatMessages
+++ b/resources/FatMessages
@@ -1076,7 +1076,7 @@ en.all.SSLCertErrTooOld:The certificate has expired.
 en.all.SSLCertErrSelfSigned:The certificate is self signed.
 en.all.SSLCertErrChainSelfSigned:The certificate chain is self signed.
 en.all.SSLCertErrRevoked:The certificate has been revoked by the issuer.
-en.all.SSLCertErrCommonName:The certificate is for a different host than the server
+en.all.SSLCertErrHostnameMismatch:The certificate is for a different host than the server
 
 
 # SSL certificate viewer
diff --git a/utils/messages.c b/utils/messages.c
index c4a7959cf..0d2085c08 100644
--- a/utils/messages.c
+++ b/utils/messages.c
@@ -383,9 +383,9 @@ const char *messages_get_sslcode(ssl_cert_err code)
 		/* This certificate has been revoked */
 		return messages_get_ctx("SSLCertErrRevoked", messages_hash);
 
-	case SSL_CERT_ERR_COMMON_NAME:
+	case SSL_CERT_ERR_HOSTNAME_MISMATCH:
 		/* Common name is invalid */
-		return messages_get_ctx("SSLCertErrCommonName", messages_hash);
+		return messages_get_ctx("SSLCertErrHostnameMismatch", messages_hash);
 
 	}
 
-- 
cgit v1.2.3