schannel: verify hostname independent of verify cert

Prior to this change when CURLOPT_SSL_VERIFYPEER (verifypeer) was off and CURLOPT_SSL_VERIFYHOST (verifyhost) was on we did not verify the hostname in schannel code. This fixes KNOWN_BUG 2.8 "Schannel disable CURLOPT_SSL_VERIFYPEER and verify hostname". We discussed a fix several years ago in curl#3285 but it went stale. Assisted-by: Daniel Stenberg Bug: https://curl.haxx.se/mail/lib-2018-10/0113.html Reported-by: Martin Galvan Ref: https://github.com/curl/curl/blob/curl-7_86_0/docs/KNOWN_BUGS#L304-L308 Ref: curl#3285 Fixes curl#3284 Closes #xxxx
jay · Dec 8, 2022 · 454aca8 · 454aca8
1 parent ae99ac6
commit 454aca8
Show file tree

Hide file tree

Showing 4 changed files with 266 additions and 243 deletions.
diff --git a/docs/KNOWN_BUGS b/docs/KNOWN_BUGS
@@ -24,7 +24,6 @@ problems may have been fixed or changed somewhat since this was written.
  2.5 Client cert handling with Issuer DN differs between backends
  2.6 CURL_GLOBAL_SSL
  2.7 Client cert (MTLS) issues with Schannel
- 2.8 Schannel disable CURLOPT_SSL_VERIFYPEER and verify hostname
  2.9 TLS session cache does not work with TFO
  2.10 Store TLS context per transfer instead of per connection
  2.11 Schannel TLS 1.2 handshake bug in old Windows versions
@@ -253,12 +252,6 @@ problems may have been fixed or changed somewhat since this was written.
 
  See https://github.com/curl/curl/issues/3145
 
-2.8 Schannel disable CURLOPT_SSL_VERIFYPEER and verify hostname
-
- This seems to be a limitation in the underlying Schannel API.
-
- https://github.com/curl/curl/issues/3284
-
 2.9 TLS session cache does not work with TFO
 
  See https://github.com/curl/curl/issues/4301

diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c
@@ -1609,10 +1609,16 @@ schannel_connect_step2(struct Curl_cfilter *cf, struct Curl_easy *data)
 
 #ifdef HAS_MANUAL_VERIFY_API
   if(conn_config->verifypeer && backend->use_manual_cred_validation) {
+    /* Certificate verification also verifies the hostname if verifyhost */
     return Curl_verify_certificate(cf, data);
   }
 #endif
 
+  /* Verify the hostname manually when certificate verification is disabled,
+     because in that case Schannel won't verify it. */
+  if(!conn_config->verifypeer && conn_config->verifyhost)
+    return Curl_verify_host(cf, data);
+
   return CURLE_OK;
 }
 

diff --git a/lib/vtls/schannel.h b/lib/vtls/schannel.h
@@ -78,6 +78,9 @@
 
 extern const struct Curl_ssl Curl_ssl_schannel;
 
+CURLcode Curl_verify_host(struct Curl_cfilter *cf,
+                          struct Curl_easy *data);
+
 CURLcode Curl_verify_certificate(struct Curl_cfilter *cf,
                                  struct Curl_easy *data);