moparisthebest
/
curl
mirror of https://github.com/moparisthebest/curl
1
0
Fork 0
Code Issues Releases Wiki Activity

Revert: use Host: name for SNI and cert name checks 

This reverts commit b0fd03f5b8,
4b2fbe1e97, afecd1aa13, 68cde058f6
This commit is contained in:
Daniel Stenberg 2010-11-05 10:24:22 +01:00
parent 368f5a8547
commit 87374a47c9
4 changed files with 22 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
lib/http.c
View File

@ -2254,25 +2254,26 @@ CURLcode Curl_http(struct connectdata *conn, bool *done)
ptr = Curl_checkheaders(data, "Host:");
if(ptr && (!data->state.this_is_a_follow ||
Curl_raw_equal(data->state.first_host, conn->host.name))) {
#if !defined(CURL_DISABLE_COOKIES)
/* If we have a given custom Host: header, we extract the host name in
order to possibly use it for cookie reasons later on. We only allow the
custom Host: header if this is NOT a redirect, as setting Host: in the
redirected request is being out on thin ice. Except if the host name
is the same as the first one! */
char *chost = Curl_copy_header_value(ptr);
if (!chost)
char *cookiehost = Curl_copy_header_value(ptr);
if (!cookiehost)
return CURLE_OUT_OF_MEMORY;
if (!*chost)
if (!*cookiehost)
/* ignore empty data */
free(chost);
free(cookiehost);
else {
char *colon = strchr(chost, ':');
char *colon = strchr(cookiehost, ':');
if (colon)
*colon = 0; /* The host must not include an embedded port number */
Curl_safefree(conn->allocptr.customhost);
conn->allocptr.customhost = chost;
Curl_safefree(conn->allocptr.cookiehost);
conn->allocptr.cookiehost = cookiehost;
}
#endif
conn->allocptr.host = NULL;
}
@ -2596,8 +2597,8 @@ CURLcode Curl_http(struct connectdata *conn, bool *done)
if(data->cookies) {
Curl_share_lock(data, CURL_LOCK_DATA_COOKIE, CURL_LOCK_ACCESS_SINGLE);
co = Curl_cookie_getlist(data->cookies,
conn->allocptr.customhost?
conn->allocptr.customhost:host,
conn->allocptr.cookiehost?
conn->allocptr.cookiehost:host,
data->state.path,
(bool)(conn->protocol&PROT_HTTPS?TRUE:FALSE));
Curl_share_unlock(data, CURL_LOCK_DATA_COOKIE);
@ -3688,8 +3689,8 @@ CURLcode Curl_http_readwrite_headers(struct SessionHandle *data,
data->cookies, TRUE, k->p+11,
/* If there is a custom-set Host: name, use it
here, or else use real peer host name. */
conn->allocptr.customhost?
conn->allocptr.customhost:conn->host.name,
conn->allocptr.cookiehost?
conn->allocptr.cookiehost:conn->host.name,
data->state.path);
Curl_share_unlock(data, CURL_LOCK_DATA_COOKIE);
}

22
lib/ssluse.c
View File

@ -1125,20 +1125,16 @@ static CURLcode verifyhost(struct connectdata *conn,
struct in_addr addr;
#endif
CURLcode res = CURLE_OK;
char *hostname;
hostname = conn->allocptr.customhost?conn->allocptr.customhost:
conn->host.name;
#ifdef ENABLE_IPV6
if(conn->bits.ipv6_ip &&
Curl_inet_pton(AF_INET6, hostname, &addr)) {
Curl_inet_pton(AF_INET6, conn->host.name, &addr)) {
target = GEN_IPADD;
addrlen = sizeof(struct in6_addr);
}
else
#endif
if(Curl_inet_pton(AF_INET, hostname, &addr)) {
if(Curl_inet_pton(AF_INET, conn->host.name, &addr)) {
target = GEN_IPADD;
addrlen = sizeof(struct in_addr);
}
@ -1180,7 +1176,7 @@ static CURLcode verifyhost(struct connectdata *conn,
if((altlen == strlen(altptr)) &&
/* if this isn't true, there was an embedded zero in the name
string and we cannot match it. */
cert_hostcheck(altptr, hostname))
cert_hostcheck(altptr, conn->host.name))
matched = 1;
else
matched = 0;
@ -1282,7 +1278,7 @@ static CURLcode verifyhost(struct connectdata *conn,
"SSL: unable to obtain common name from peer certificate");
res = CURLE_PEER_FAILED_VERIFICATION;
}
else if(!cert_hostcheck((const char *)peer_CN, hostname)) {
else if(!cert_hostcheck((const char *)peer_CN, conn->host.name)) {
if(data->set.ssl.verifyhost > 1) {
failf(data, "SSL: certificate subject name '%s' does not match "
"target host name '%s'", peer_CN, conn->host.dispname);
@ -1433,7 +1429,6 @@ ossl_connect_step1(struct connectdata *conn,
curl_socket_t sockfd = conn->sock[sockindex];
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
const char *hostname;
bool sni;
#ifdef ENABLE_IPV6
struct in6_addr addr;
@ -1646,15 +1641,12 @@ ossl_connect_step1(struct connectdata *conn,
connssl->server_cert = 0x0;
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
hostname = conn->allocptr.customhost?conn->allocptr.customhost:
conn->host.name;
if ((0 == Curl_inet_pton(AF_INET, hostname, &addr)) &&
if ((0 == Curl_inet_pton(AF_INET, conn->host.name, &addr)) &&
#ifdef ENABLE_IPV6
(0 == Curl_inet_pton(AF_INET6, hostname, &addr)) &&
(0 == Curl_inet_pton(AF_INET6, conn->host.name, &addr)) &&
#endif
sni &&
!SSL_set_tlsext_host_name(connssl->handle, hostname))
!SSL_set_tlsext_host_name(connssl->handle, conn->host.name))
infof(data, "WARNING: failed to configure server name indication (SNI) "
"TLS extension\n");
#endif

2
lib/url.c
View File

@ -2534,7 +2534,7 @@ static void conn_free(struct connectdata *conn)
Curl_safefree(conn->allocptr.rangeline);
Curl_safefree(conn->allocptr.ref);
Curl_safefree(conn->allocptr.host);
Curl_safefree(conn->allocptr.customhost);
Curl_safefree(conn->allocptr.cookiehost);
Curl_safefree(conn->allocptr.rtsp_transport);
Curl_safefree(conn->trailer);
Curl_safefree(conn->host.rawalloc); /* host name buffer */

2
lib/urldata.h
View File

@ -796,7 +796,7 @@ struct connectdata {
char *rangeline; /* free later if not NULL! */
char *ref; /* free later if not NULL! */
char *host; /* free later if not NULL */
char *customhost; /* free later if not NULL */
char *cookiehost; /* free later if not NULL */
char *rtsp_transport; /* free later if not NULL */
} allocptr;