vquic-tls: use correct cert name check API for wolfSSL

wolfSSL_X509_check_host checks the peer name against the alt names and
the common name.

Fixes curl#13487
Closes curl#13680

Author: julek-wolfssl

docs/TODO

@@ -126,7 +126,6 @@
  13.13 Make sure we forbid TLS 1.3 post-handshake authentication
  13.14 Support the clienthello extension
  13.15 Select signature algorithms
- 13.16 QUIC peer verification with wolfSSL
 
  14. GnuTLS
  14.2 check connection
@@ -922,11 +921,6 @@
 
  https://github.com/curl/curl/issues/12982
 
-13.16 QUIC peer verification with wolfSSL
-
- Peer certificate verification is missing in the QUIC (ngtcp2) implementation
- using wolfSSL.
-
 14. GnuTLS
 
 14.2 check connection

lib/vquic/vquic-tls.c

@@ -324,13 +324,15 @@ CURLcode Curl_vquic_tls_verify_peer(struct curl_tls_ctx *ctx,
 #elif defined(USE_WOLFSSL)
   (void)data;
   if(conn_config->verifyhost) {
-    /* TODO: this does not really verify the peer certificate.
-     * On TCP connection this works as it is wired into the wolfSSL
-     * connect() implementation and gives a special return code on
-     * such a fail. */
-    if(peer->sni &&
-       wolfSSL_check_domain_name(ctx->ssl, peer->sni) == SSL_FAILURE)
-      return CURLE_PEER_FAILED_VERIFICATION;
+    if(peer->sni) {
+      WOLFSSL_X509* cert = wolfSSL_get_peer_certificate(ctx->ssl);
+      if(wolfSSL_X509_check_host(cert, peer->sni, strlen(peer->sni), 0, NULL)
+            == WOLFSSL_FAILURE) {
+        result = CURLE_PEER_FAILED_VERIFICATION;
+      }
+      wolfSSL_X509_free(cert);
+    }
+
   }
 #endif
   return result;