mirror of
https://github.com/moparisthebest/curl
synced 2024-12-21 23:58:49 -05:00
Revert: use Host: name for SNI and cert name checks
This reverts commitb0fd03f5b8,4b2fbe1e97,afecd1aa13,68cde058f6
This commit is contained in:
Daniel Stenberg
parent
368f5a8547
commit
87374a47c9
25
lib/http.c
25
lib/http.c
@ -2254,25 +2254,26 @@ CURLcode Curl_http(struct connectdata *conn, bool *done)
|
|||||||
ptr = Curl_checkheaders(data, "Host:");
|
ptr = Curl_checkheaders(data, "Host:");
|
||||||
if(ptr && (!data->state.this_is_a_follow ||
|
if(ptr && (!data->state.this_is_a_follow ||
|
||||||
Curl_raw_equal(data->state.first_host, conn->host.name))) {
|
Curl_raw_equal(data->state.first_host, conn->host.name))) {
|
||||||
|
#if !defined(CURL_DISABLE_COOKIES)
|
||||||
/* If we have a given custom Host: header, we extract the host name in
|
/* If we have a given custom Host: header, we extract the host name in
|
||||||
order to possibly use it for cookie reasons later on. We only allow the
|
order to possibly use it for cookie reasons later on. We only allow the
|
||||||
custom Host: header if this is NOT a redirect, as setting Host: in the
|
custom Host: header if this is NOT a redirect, as setting Host: in the
|
||||||
redirected request is being out on thin ice. Except if the host name
|
redirected request is being out on thin ice. Except if the host name
|
||||||
is the same as the first one! */
|
is the same as the first one! */
|
||||||
char *chost = Curl_copy_header_value(ptr);
|
char *cookiehost = Curl_copy_header_value(ptr);
|
||||||
if (!chost)
|
if (!cookiehost)
|
||||||
return CURLE_OUT_OF_MEMORY;
|
return CURLE_OUT_OF_MEMORY;
|
||||||
if (!*chost)
|
if (!*cookiehost)
|
||||||
/* ignore empty data */
|
/* ignore empty data */
|
||||||
free(chost);
|
free(cookiehost);
|
||||||
else {
|
else {
|
||||||
char *colon = strchr(chost, ':');
|
char *colon = strchr(cookiehost, ':');
|
||||||
if (colon)
|
if (colon)
|
||||||
*colon = 0; /* The host must not include an embedded port number */
|
*colon = 0; /* The host must not include an embedded port number */
|
||||||
Curl_safefree(conn->allocptr.customhost);
|
Curl_safefree(conn->allocptr.cookiehost);
|
||||||
conn->allocptr.customhost = chost;
|
conn->allocptr.cookiehost = cookiehost;
|
||||||
}
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
conn->allocptr.host = NULL;
|
conn->allocptr.host = NULL;
|
||||||
}
|
}
|
||||||
@ -2596,8 +2597,8 @@ CURLcode Curl_http(struct connectdata *conn, bool *done)
|
|||||||
if(data->cookies) {
|
if(data->cookies) {
|
||||||
Curl_share_lock(data, CURL_LOCK_DATA_COOKIE, CURL_LOCK_ACCESS_SINGLE);
|
Curl_share_lock(data, CURL_LOCK_DATA_COOKIE, CURL_LOCK_ACCESS_SINGLE);
|
||||||
co = Curl_cookie_getlist(data->cookies,
|
co = Curl_cookie_getlist(data->cookies,
|
||||||
conn->allocptr.customhost?
|
conn->allocptr.cookiehost?
|
||||||
conn->allocptr.customhost:host,
|
conn->allocptr.cookiehost:host,
|
||||||
data->state.path,
|
data->state.path,
|
||||||
(bool)(conn->protocol&PROT_HTTPS?TRUE:FALSE));
|
(bool)(conn->protocol&PROT_HTTPS?TRUE:FALSE));
|
||||||
Curl_share_unlock(data, CURL_LOCK_DATA_COOKIE);
|
Curl_share_unlock(data, CURL_LOCK_DATA_COOKIE);
|
||||||
@ -3688,8 +3689,8 @@ CURLcode Curl_http_readwrite_headers(struct SessionHandle *data,
|
|||||||
data->cookies, TRUE, k->p+11,
|
data->cookies, TRUE, k->p+11,
|
||||||
/* If there is a custom-set Host: name, use it
|
/* If there is a custom-set Host: name, use it
|
||||||
here, or else use real peer host name. */
|
here, or else use real peer host name. */
|
||||||
conn->allocptr.customhost?
|
conn->allocptr.cookiehost?
|
||||||
conn->allocptr.customhost:conn->host.name,
|
conn->allocptr.cookiehost:conn->host.name,
|
||||||
data->state.path);
|
data->state.path);
|
||||||
Curl_share_unlock(data, CURL_LOCK_DATA_COOKIE);
|
Curl_share_unlock(data, CURL_LOCK_DATA_COOKIE);
|
||||||
}
|
}
|
||||||
|
|||||||
22
lib/ssluse.c
22
lib/ssluse.c
@ -1125,20 +1125,16 @@ static CURLcode verifyhost(struct connectdata *conn,
|
|||||||
struct in_addr addr;
|
struct in_addr addr;
|
||||||
#endif
|
#endif
|
||||||
CURLcode res = CURLE_OK;
|
CURLcode res = CURLE_OK;
|
||||||
char *hostname;
|
|
||||||
|
|
||||||
hostname = conn->allocptr.customhost?conn->allocptr.customhost:
|
|
||||||
conn->host.name;
|
|
||||||
|
|
||||||
#ifdef ENABLE_IPV6
|
#ifdef ENABLE_IPV6
|
||||||
if(conn->bits.ipv6_ip &&
|
if(conn->bits.ipv6_ip &&
|
||||||
Curl_inet_pton(AF_INET6, hostname, &addr)) {
|
Curl_inet_pton(AF_INET6, conn->host.name, &addr)) {
|
||||||
target = GEN_IPADD;
|
target = GEN_IPADD;
|
||||||
addrlen = sizeof(struct in6_addr);
|
addrlen = sizeof(struct in6_addr);
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
#endif
|
#endif
|
||||||
if(Curl_inet_pton(AF_INET, hostname, &addr)) {
|
if(Curl_inet_pton(AF_INET, conn->host.name, &addr)) {
|
||||||
target = GEN_IPADD;
|
target = GEN_IPADD;
|
||||||
addrlen = sizeof(struct in_addr);
|
addrlen = sizeof(struct in_addr);
|
||||||
}
|
}
|
||||||
@ -1180,7 +1176,7 @@ static CURLcode verifyhost(struct connectdata *conn,
|
|||||||
if((altlen == strlen(altptr)) &&
|
if((altlen == strlen(altptr)) &&
|
||||||
/* if this isn't true, there was an embedded zero in the name
|
/* if this isn't true, there was an embedded zero in the name
|
||||||
string and we cannot match it. */
|
string and we cannot match it. */
|
||||||
cert_hostcheck(altptr, hostname))
|
cert_hostcheck(altptr, conn->host.name))
|
||||||
matched = 1;
|
matched = 1;
|
||||||
else
|
else
|
||||||
matched = 0;
|
matched = 0;
|
||||||
@ -1282,7 +1278,7 @@ static CURLcode verifyhost(struct connectdata *conn,
|
|||||||
"SSL: unable to obtain common name from peer certificate");
|
"SSL: unable to obtain common name from peer certificate");
|
||||||
res = CURLE_PEER_FAILED_VERIFICATION;
|
res = CURLE_PEER_FAILED_VERIFICATION;
|
||||||
}
|
}
|
||||||
else if(!cert_hostcheck((const char *)peer_CN, hostname)) {
|
else if(!cert_hostcheck((const char *)peer_CN, conn->host.name)) {
|
||||||
if(data->set.ssl.verifyhost > 1) {
|
if(data->set.ssl.verifyhost > 1) {
|
||||||
failf(data, "SSL: certificate subject name '%s' does not match "
|
failf(data, "SSL: certificate subject name '%s' does not match "
|
||||||
"target host name '%s'", peer_CN, conn->host.dispname);
|
"target host name '%s'", peer_CN, conn->host.dispname);
|
||||||
@ -1433,7 +1429,6 @@ ossl_connect_step1(struct connectdata *conn,
|
|||||||
curl_socket_t sockfd = conn->sock[sockindex];
|
curl_socket_t sockfd = conn->sock[sockindex];
|
||||||
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
|
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
|
||||||
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
|
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
|
||||||
const char *hostname;
|
|
||||||
bool sni;
|
bool sni;
|
||||||
#ifdef ENABLE_IPV6
|
#ifdef ENABLE_IPV6
|
||||||
struct in6_addr addr;
|
struct in6_addr addr;
|
||||||
@ -1646,15 +1641,12 @@ ossl_connect_step1(struct connectdata *conn,
|
|||||||
connssl->server_cert = 0x0;
|
connssl->server_cert = 0x0;
|
||||||
|
|
||||||
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
|
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
|
||||||
hostname = conn->allocptr.customhost?conn->allocptr.customhost:
|
if ((0 == Curl_inet_pton(AF_INET, conn->host.name, &addr)) &&
|
||||||
conn->host.name;
|
|
||||||
|
|
||||||
if ((0 == Curl_inet_pton(AF_INET, hostname, &addr)) &&
|
|
||||||
#ifdef ENABLE_IPV6
|
#ifdef ENABLE_IPV6
|
||||||
(0 == Curl_inet_pton(AF_INET6, hostname, &addr)) &&
|
(0 == Curl_inet_pton(AF_INET6, conn->host.name, &addr)) &&
|
||||||
#endif
|
#endif
|
||||||
sni &&
|
sni &&
|
||||||
!SSL_set_tlsext_host_name(connssl->handle, hostname))
|
!SSL_set_tlsext_host_name(connssl->handle, conn->host.name))
|
||||||
infof(data, "WARNING: failed to configure server name indication (SNI) "
|
infof(data, "WARNING: failed to configure server name indication (SNI) "
|
||||||
"TLS extension\n");
|
"TLS extension\n");
|
||||||
#endif
|
#endif
|
||||||
|
|||||||
@ -2534,7 +2534,7 @@ static void conn_free(struct connectdata *conn)
|
|||||||
Curl_safefree(conn->allocptr.rangeline);
|
Curl_safefree(conn->allocptr.rangeline);
|
||||||
Curl_safefree(conn->allocptr.ref);
|
Curl_safefree(conn->allocptr.ref);
|
||||||
Curl_safefree(conn->allocptr.host);
|
Curl_safefree(conn->allocptr.host);
|
||||||
Curl_safefree(conn->allocptr.customhost);
|
Curl_safefree(conn->allocptr.cookiehost);
|
||||||
Curl_safefree(conn->allocptr.rtsp_transport);
|
Curl_safefree(conn->allocptr.rtsp_transport);
|
||||||
Curl_safefree(conn->trailer);
|
Curl_safefree(conn->trailer);
|
||||||
Curl_safefree(conn->host.rawalloc); /* host name buffer */
|
Curl_safefree(conn->host.rawalloc); /* host name buffer */
|
||||||
|
|||||||
@ -796,7 +796,7 @@ struct connectdata {
|
|||||||
char *rangeline; /* free later if not NULL! */
|
char *rangeline; /* free later if not NULL! */
|
||||||
char *ref; /* free later if not NULL! */
|
char *ref; /* free later if not NULL! */
|
||||||
char *host; /* free later if not NULL */
|
char *host; /* free later if not NULL */
|
||||||
char *customhost; /* free later if not NULL */
|
char *cookiehost; /* free later if not NULL */
|
||||||
char *rtsp_transport; /* free later if not NULL */
|
char *rtsp_transport; /* free later if not NULL */
|
||||||
} allocptr;
|
} allocptr;
|
||||||
|
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user