1
0
mirror of https://github.com/moparisthebest/curl synced 2024-12-22 08:08:50 -05:00

Revert: use Host: name for SNI and cert name checks

This reverts commit b0fd03f5b8,
4b2fbe1e97, afecd1aa13, 68cde058f6
This commit is contained in:
Daniel Stenberg 2010-11-05 10:24:22 +01:00
parent 368f5a8547
commit 87374a47c9
4 changed files with 22 additions and 29 deletions

View File

@ -2254,25 +2254,26 @@ CURLcode Curl_http(struct connectdata *conn, bool *done)
ptr = Curl_checkheaders(data, "Host:"); ptr = Curl_checkheaders(data, "Host:");
if(ptr && (!data->state.this_is_a_follow || if(ptr && (!data->state.this_is_a_follow ||
Curl_raw_equal(data->state.first_host, conn->host.name))) { Curl_raw_equal(data->state.first_host, conn->host.name))) {
#if !defined(CURL_DISABLE_COOKIES)
/* If we have a given custom Host: header, we extract the host name in /* If we have a given custom Host: header, we extract the host name in
order to possibly use it for cookie reasons later on. We only allow the order to possibly use it for cookie reasons later on. We only allow the
custom Host: header if this is NOT a redirect, as setting Host: in the custom Host: header if this is NOT a redirect, as setting Host: in the
redirected request is being out on thin ice. Except if the host name redirected request is being out on thin ice. Except if the host name
is the same as the first one! */ is the same as the first one! */
char *chost = Curl_copy_header_value(ptr); char *cookiehost = Curl_copy_header_value(ptr);
if (!chost) if (!cookiehost)
return CURLE_OUT_OF_MEMORY; return CURLE_OUT_OF_MEMORY;
if (!*chost) if (!*cookiehost)
/* ignore empty data */ /* ignore empty data */
free(chost); free(cookiehost);
else { else {
char *colon = strchr(chost, ':'); char *colon = strchr(cookiehost, ':');
if (colon) if (colon)
*colon = 0; /* The host must not include an embedded port number */ *colon = 0; /* The host must not include an embedded port number */
Curl_safefree(conn->allocptr.customhost); Curl_safefree(conn->allocptr.cookiehost);
conn->allocptr.customhost = chost; conn->allocptr.cookiehost = cookiehost;
} }
#endif
conn->allocptr.host = NULL; conn->allocptr.host = NULL;
} }
@ -2596,8 +2597,8 @@ CURLcode Curl_http(struct connectdata *conn, bool *done)
if(data->cookies) { if(data->cookies) {
Curl_share_lock(data, CURL_LOCK_DATA_COOKIE, CURL_LOCK_ACCESS_SINGLE); Curl_share_lock(data, CURL_LOCK_DATA_COOKIE, CURL_LOCK_ACCESS_SINGLE);
co = Curl_cookie_getlist(data->cookies, co = Curl_cookie_getlist(data->cookies,
conn->allocptr.customhost? conn->allocptr.cookiehost?
conn->allocptr.customhost:host, conn->allocptr.cookiehost:host,
data->state.path, data->state.path,
(bool)(conn->protocol&PROT_HTTPS?TRUE:FALSE)); (bool)(conn->protocol&PROT_HTTPS?TRUE:FALSE));
Curl_share_unlock(data, CURL_LOCK_DATA_COOKIE); Curl_share_unlock(data, CURL_LOCK_DATA_COOKIE);
@ -3688,8 +3689,8 @@ CURLcode Curl_http_readwrite_headers(struct SessionHandle *data,
data->cookies, TRUE, k->p+11, data->cookies, TRUE, k->p+11,
/* If there is a custom-set Host: name, use it /* If there is a custom-set Host: name, use it
here, or else use real peer host name. */ here, or else use real peer host name. */
conn->allocptr.customhost? conn->allocptr.cookiehost?
conn->allocptr.customhost:conn->host.name, conn->allocptr.cookiehost:conn->host.name,
data->state.path); data->state.path);
Curl_share_unlock(data, CURL_LOCK_DATA_COOKIE); Curl_share_unlock(data, CURL_LOCK_DATA_COOKIE);
} }

View File

@ -1125,20 +1125,16 @@ static CURLcode verifyhost(struct connectdata *conn,
struct in_addr addr; struct in_addr addr;
#endif #endif
CURLcode res = CURLE_OK; CURLcode res = CURLE_OK;
char *hostname;
hostname = conn->allocptr.customhost?conn->allocptr.customhost:
conn->host.name;
#ifdef ENABLE_IPV6 #ifdef ENABLE_IPV6
if(conn->bits.ipv6_ip && if(conn->bits.ipv6_ip &&
Curl_inet_pton(AF_INET6, hostname, &addr)) { Curl_inet_pton(AF_INET6, conn->host.name, &addr)) {
target = GEN_IPADD; target = GEN_IPADD;
addrlen = sizeof(struct in6_addr); addrlen = sizeof(struct in6_addr);
} }
else else
#endif #endif
if(Curl_inet_pton(AF_INET, hostname, &addr)) { if(Curl_inet_pton(AF_INET, conn->host.name, &addr)) {
target = GEN_IPADD; target = GEN_IPADD;
addrlen = sizeof(struct in_addr); addrlen = sizeof(struct in_addr);
} }
@ -1180,7 +1176,7 @@ static CURLcode verifyhost(struct connectdata *conn,
if((altlen == strlen(altptr)) && if((altlen == strlen(altptr)) &&
/* if this isn't true, there was an embedded zero in the name /* if this isn't true, there was an embedded zero in the name
string and we cannot match it. */ string and we cannot match it. */
cert_hostcheck(altptr, hostname)) cert_hostcheck(altptr, conn->host.name))
matched = 1; matched = 1;
else else
matched = 0; matched = 0;
@ -1282,7 +1278,7 @@ static CURLcode verifyhost(struct connectdata *conn,
"SSL: unable to obtain common name from peer certificate"); "SSL: unable to obtain common name from peer certificate");
res = CURLE_PEER_FAILED_VERIFICATION; res = CURLE_PEER_FAILED_VERIFICATION;
} }
else if(!cert_hostcheck((const char *)peer_CN, hostname)) { else if(!cert_hostcheck((const char *)peer_CN, conn->host.name)) {
if(data->set.ssl.verifyhost > 1) { if(data->set.ssl.verifyhost > 1) {
failf(data, "SSL: certificate subject name '%s' does not match " failf(data, "SSL: certificate subject name '%s' does not match "
"target host name '%s'", peer_CN, conn->host.dispname); "target host name '%s'", peer_CN, conn->host.dispname);
@ -1433,7 +1429,6 @@ ossl_connect_step1(struct connectdata *conn,
curl_socket_t sockfd = conn->sock[sockindex]; curl_socket_t sockfd = conn->sock[sockindex];
struct ssl_connect_data *connssl = &conn->ssl[sockindex]; struct ssl_connect_data *connssl = &conn->ssl[sockindex];
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
const char *hostname;
bool sni; bool sni;
#ifdef ENABLE_IPV6 #ifdef ENABLE_IPV6
struct in6_addr addr; struct in6_addr addr;
@ -1646,15 +1641,12 @@ ossl_connect_step1(struct connectdata *conn,
connssl->server_cert = 0x0; connssl->server_cert = 0x0;
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
hostname = conn->allocptr.customhost?conn->allocptr.customhost: if ((0 == Curl_inet_pton(AF_INET, conn->host.name, &addr)) &&
conn->host.name;
if ((0 == Curl_inet_pton(AF_INET, hostname, &addr)) &&
#ifdef ENABLE_IPV6 #ifdef ENABLE_IPV6
(0 == Curl_inet_pton(AF_INET6, hostname, &addr)) && (0 == Curl_inet_pton(AF_INET6, conn->host.name, &addr)) &&
#endif #endif
sni && sni &&
!SSL_set_tlsext_host_name(connssl->handle, hostname)) !SSL_set_tlsext_host_name(connssl->handle, conn->host.name))
infof(data, "WARNING: failed to configure server name indication (SNI) " infof(data, "WARNING: failed to configure server name indication (SNI) "
"TLS extension\n"); "TLS extension\n");
#endif #endif

View File

@ -2534,7 +2534,7 @@ static void conn_free(struct connectdata *conn)
Curl_safefree(conn->allocptr.rangeline); Curl_safefree(conn->allocptr.rangeline);
Curl_safefree(conn->allocptr.ref); Curl_safefree(conn->allocptr.ref);
Curl_safefree(conn->allocptr.host); Curl_safefree(conn->allocptr.host);
Curl_safefree(conn->allocptr.customhost); Curl_safefree(conn->allocptr.cookiehost);
Curl_safefree(conn->allocptr.rtsp_transport); Curl_safefree(conn->allocptr.rtsp_transport);
Curl_safefree(conn->trailer); Curl_safefree(conn->trailer);
Curl_safefree(conn->host.rawalloc); /* host name buffer */ Curl_safefree(conn->host.rawalloc); /* host name buffer */

View File

@ -796,7 +796,7 @@ struct connectdata {
char *rangeline; /* free later if not NULL! */ char *rangeline; /* free later if not NULL! */
char *ref; /* free later if not NULL! */ char *ref; /* free later if not NULL! */
char *host; /* free later if not NULL */ char *host; /* free later if not NULL */
char *customhost; /* free later if not NULL */ char *cookiehost; /* free later if not NULL */
char *rtsp_transport; /* free later if not NULL */ char *rtsp_transport; /* free later if not NULL */
} allocptr; } allocptr;