quic: support hostname verification

Signed-off-by: James M Snell <jasnell@gmail.com>
PR-URL: #63483
Reviewed-By: Stephen Belanger <admin@stephenbelanger.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>

Author: jasnell

lib/internal/quic/quic.js

@@ -5133,6 +5133,11 @@ function processSessionOptions(options, config = kEmptyObject) {
       // client SSL_CTX. For 'auto' and 'manual' modes, the handshake
       // completes regardless and the result is handled in JS.
       verifyPeerStrict: verifyPeer === 'strict',
+      // Enable hostname verification for 'strict' and 'auto' modes.
+      // SSL_set1_host tells OpenSSL to verify the server certificate's
+      // SAN/CN matches the servername. Without this, a valid cert for
+      // any domain would be accepted.
+      verifyHostname: verifyPeer !== 'manual',
     },
     verifyPeer,
     qlog,

src/quic/bindingdata.h

@@ -169,6 +169,7 @@ class SessionManager;
   V(unacknowledged_packet_threshold, "unacknowledgedPacketThreshold")          \
   V(validate_address, "validateAddress")                                       \
   V(verify_client, "verifyClient")                                             \
+  V(verify_hostname, "verifyHostname")                                         \
   V(verify_peer_strict, "verifyPeerStrict")                                    \
   V(verify_private_key, "verifyPrivateKey")                                    \
   V(version, "version")

src/quic/session.cc

@@ -618,8 +618,7 @@ Maybe<Session::Options> Session::Options::From(Environment* env,
       !SET(keep_alive_timeout) || !SET(max_stream_window) || !SET(max_window) ||
       !SET(max_payload_size) || !SET(unacknowledged_packet_threshold) ||
       !SET(cc_algorithm) || !SET(draining_period_multiplier) ||
-      !SET(max_datagram_send_attempts) ||
-      !SET(stream_idle_timeout)) {
+      !SET(max_datagram_send_attempts) || !SET(stream_idle_timeout)) {
     return Nothing<Options>();
   }
 
@@ -2831,8 +2830,8 @@ void Session::ShutdownStream(stream_id id, QuicError error) {
 
 void Session::ShutdownStreamWrite(stream_id id, QuicError error) {
   DCHECK(!is_destroyed());
-  Debug(this, "Shutting down stream %" PRIi64 " write with error %s",
-        id, error);
+  Debug(
+      this, "Shutting down stream %" PRIi64 " write with error %s", id, error);
   SendPendingDataScope send_scope(this);
   error_code code;
   if (error.type() == QuicError::Type::APPLICATION) {
@@ -3058,17 +3057,15 @@ void Session::CheckStreamIdleTimeout(uint64_t now) {
 
     uint64_t last_activity = stream->last_activity_timestamp();
     if (last_activity > 0 && (now - last_activity) > timeout_ns) {
-      Debug(this,
-            "Stream %" PRId64 " idle timeout exceeded, destroying",
-            id);
+      Debug(this, "Stream %" PRId64 " idle timeout exceeded, destroying", id);
       // Notify the peer before destroying. ShutdownStream sends both
       // STOP_SENDING and RESET_STREAM as appropriate, using the
       // application's no-error code for non-APPLICATION errors (since
       // these frames carry application-level error codes per RFC 9000).
       // Without this, the peer's stream sits orphaned until the
       // session closes.
-      auto error = QuicError::ForTransport(NGTCP2_ERR_PROTO,
-                                           "stream idle timeout");
+      auto error =
+          QuicError::ForTransport(NGTCP2_ERR_PROTO, "stream idle timeout");
       ShutdownStream(id, error);
       stream->Destroy(error);
       STAT_INCREMENT(Stats, streams_idle_timed_out);

src/quic/streams.cc

@@ -1891,6 +1891,7 @@ void Stream::EmitClose(const QuicError& error) {
 }
 
 void Stream::EmitHeaders() {
+  STAT_RECORD_TIMESTAMP(Stats, received_at);
   // state()->wants_headers will be set from the javascript side if the
   // stream object has a handler for the headers event.
   if (!env()->can_call_into_js() || !state()->wants_headers) {

src/quic/tlscontext.cc

@@ -261,6 +261,18 @@ bool OSSLContext::set_hostname(std::string_view hostname) const {
                   const_cast<char*>(name.c_str())) == 1;
 }
 
+bool OSSLContext::set_verify_hostname(std::string_view hostname) const {
+  // SSL_set1_host tells OpenSSL to verify the peer certificate's
+  // subject name (SAN/CN) matches this hostname. This is separate
+  // from SSL_set_tlsext_host_name which only sets the SNI extension.
+  static const char* kDefaultHostname = "localhost";
+  if (hostname.empty()) {
+    return SSL_set1_host(*this, kDefaultHostname) == 1;
+  } else {
+    return SSL_set1_host(*this, hostname.data()) == 1;
+  }
+}
+
 bool OSSLContext::set_early_data_enabled() const {
   return SSL_set_quic_tls_early_data_enabled(*this, 1) == 1;
 }
@@ -714,12 +726,13 @@ Maybe<TLSContext::Options> TLSContext::Options::From(Environment* env,
       env, &options, params, state.name##_string())
 
   if (!SET(verify_client) || !SET(reject_unauthorized) ||
-      !SET(verify_peer_strict) || !SET(enable_early_data) ||
-      !SET(enable_tls_trace) || !SET(alpn) || !SET(servername) ||
-      !SET(ciphers) || !SET(groups) || !SET(verify_private_key) ||
-      !SET(keylog) || !SET(port) || !SET(authoritative) ||
-      !SET_VECTOR(crypto::KeyObjectData, keys) || !SET_VECTOR(Store, certs) ||
-      !SET_VECTOR(Store, ca) || !SET_VECTOR(Store, crl)) {
+      !SET(verify_hostname) || !SET(verify_peer_strict) ||
+      !SET(enable_early_data) || !SET(enable_tls_trace) || !SET(alpn) ||
+      !SET(servername) || !SET(ciphers) || !SET(groups) ||
+      !SET(verify_private_key) || !SET(keylog) || !SET(port) ||
+      !SET(authoritative) || !SET_VECTOR(crypto::KeyObjectData, keys) ||
+      !SET_VECTOR(Store, certs) || !SET_VECTOR(Store, ca) ||
+      !SET_VECTOR(Store, crl)) {
     return Nothing<Options>();
   }
 
@@ -854,6 +867,14 @@ void TLSSession::Initialize(
         return;
       }
 
+      if (options.verify_hostname) {
+        if (!ossl_context_.set_verify_hostname(options.servername)) {
+          validation_error_ = "Failed to set verify hostname";
+          ossl_context_.reset();
+          return;
+        }
+      }
+
       if (maybeSessionTicket.has_value()) {
         const auto& sessionTicket = *maybeSessionTicket;
         uv_buf_t buf = sessionTicket.ticket();

src/quic/tlscontext.h

@@ -51,6 +51,7 @@ class OSSLContext final {
 
   bool set_alpn_protocols(std::string_view protocols) const;
   bool set_hostname(std::string_view hostname) const;
+  bool set_verify_hostname(std::string_view hostname) const;
   bool set_early_data_enabled() const;
   bool set_transport_params(const ngtcp2_vec& tp) const;
 
@@ -215,6 +216,13 @@ class TLSContext final : public MemoryRetainer,
     // by the client side.
     bool verify_peer_strict = false;
 
+    // When true, OpenSSL verifies that the server's certificate matches
+    // the servername (hostname verification via SSL_set1_host). Should
+    // be true for 'strict' and 'auto' verifyPeer modes, false for
+    // 'manual'. Without this, a valid certificate for any domain would
+    // be accepted. This option is only used by the client side.
+    bool verify_hostname = false;
+
     // When true (the default), the server accepts 0-RTT early data
     // from clients with valid session tickets. When false, early data
     // is disabled and clients must complete a full handshake before