From 87374a47c9d22521c8d31f1c4952db5fdb479903 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Fri, 5 Nov 2010 10:24:22 +0100 Subject: Revert: use Host: name for SNI and cert name checks This reverts commit b0fd03f5b8d4520dd232a9d13567d16bd0ad8951, 4b2fbe1e97891f, afecd1aa13b4f, 68cde058f66b3 --- lib/http.c | 25 +++++++++++++------------ lib/ssluse.c | 22 +++++++--------------- lib/url.c | 2 +- lib/urldata.h | 2 +- 4 files changed, 22 insertions(+), 29 deletions(-) diff --git a/lib/http.c b/lib/http.c index 0804ce050..ed0730c0a 100644 --- a/lib/http.c +++ b/lib/http.c @@ -2254,25 +2254,26 @@ CURLcode Curl_http(struct connectdata *conn, bool *done) ptr = Curl_checkheaders(data, "Host:"); if(ptr && (!data->state.this_is_a_follow || Curl_raw_equal(data->state.first_host, conn->host.name))) { - +#if !defined(CURL_DISABLE_COOKIES) /* If we have a given custom Host: header, we extract the host name in order to possibly use it for cookie reasons later on. We only allow the custom Host: header if this is NOT a redirect, as setting Host: in the redirected request is being out on thin ice. Except if the host name is the same as the first one! */ - char *chost = Curl_copy_header_value(ptr); - if (!chost) + char *cookiehost = Curl_copy_header_value(ptr); + if (!cookiehost) return CURLE_OUT_OF_MEMORY; - if (!*chost) + if (!*cookiehost) /* ignore empty data */ - free(chost); + free(cookiehost); else { - char *colon = strchr(chost, ':'); + char *colon = strchr(cookiehost, ':'); if (colon) *colon = 0; /* The host must not include an embedded port number */ - Curl_safefree(conn->allocptr.customhost); - conn->allocptr.customhost = chost; + Curl_safefree(conn->allocptr.cookiehost); + conn->allocptr.cookiehost = cookiehost; } +#endif conn->allocptr.host = NULL; } 
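Review bot: The port-stripping in the cookie branch, `char *colon = strchr(cookiehost, ':'); if (colon) *colon = 0;`, cuts a bracketed IPv6 literal such as `[2001:db8::1]:8080` down to `[2001`, so the cookie host derived from such a Host: header is wrong. Skip past the closing bracket before looking for the port, e.g. `char *colon = (*cookiehost == '[') ? strchr(cookiehost, ']') : cookiehost;` followed by `colon = colon ? strchr(colon, ':') : NULL;`, keeping the existing `if (colon) *colon = 0;`. Since this value comes from a caller-supplied header and is now used for cookie matching only, a short comment where it is stored, `/* cookie matching only: never used for SNI or certificate checks, those bind to conn->host.name */`, would record the intent of this revert in the code. Curl_http() starts and ends outside this hunk.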
@@ -2596,8 +2597,8 @@ CURLcode Curl_http(struct connectdata *conn, bool *done) if(data->cookies) { Curl_share_lock(data, CURL_LOCK_DATA_COOKIE, CURL_LOCK_ACCESS_SINGLE); co = Curl_cookie_getlist(data->cookies, - conn->allocptr.customhost? - conn->allocptr.customhost:host, + conn->allocptr.cookiehost? + conn->allocptr.cookiehost:host, data->state.path, (bool)(conn->protocol&PROT_HTTPS?TRUE:FALSE)); Curl_share_unlock(data, CURL_LOCK_DATA_COOKIE); @@ -3688,8 +3689,8 @@ CURLcode Curl_http_readwrite_headers(struct SessionHandle *data, data->cookies, TRUE, k->p+11, /* If there is a custom-set Host: name, use it here, or else use real peer host name. */ - conn->allocptr.customhost? - conn->allocptr.customhost:conn->host.name, + conn->allocptr.cookiehost? + conn->allocptr.cookiehost:conn->host.name, data->state.path); Curl_share_unlock(data, CURL_LOCK_DATA_COOKIE); } diff --git a/lib/ssluse.c b/lib/ssluse.c index 5a7294148..474bc9a33 100644 --- a/lib/ssluse.c +++ b/lib/ssluse.c @@ -1125,20 +1125,16 @@ static CURLcode verifyhost(struct connectdata *conn, struct in_addr addr; #endif CURLcode res = CURLE_OK; - char *hostname; - - hostname = conn->allocptr.customhost?conn->allocptr.customhost: - conn->host.name; #ifdef ENABLE_IPV6 if(conn->bits.ipv6_ip && - Curl_inet_pton(AF_INET6, hostname, &addr)) { + Curl_inet_pton(AF_INET6, conn->host.name, &addr)) { target = GEN_IPADD; addrlen = sizeof(struct in6_addr); } else #endif - if(Curl_inet_pton(AF_INET, hostname, &addr)) { + if(Curl_inet_pton(AF_INET, conn->host.name, &addr)) { target = GEN_IPADD; addrlen = sizeof(struct in_addr); } @@ -1180,7 +1176,7 @@ static CURLcode verifyhost(struct connectdata *conn, if((altlen == strlen(altptr)) && /* if this isn't true, there was an embedded zero in the name string and we cannot match it. */ - cert_hostcheck(altptr, hostname)) + cert_hostcheck(altptr, conn->host.name)) matched = 1; else matched = 0; 
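Review bot: verifyhost() now compares the certificate against conn->host.name alone, but nothing in the code says this is deliberate, so the removed `hostname = customhost ? customhost : host.name` pattern is easy to reintroduce by a later "fix". A comment at the first Curl_inet_pton() call, `/* verify against the URL host only: a custom Host: header is an HTTP-layer value and must not select which certificate name is accepted */`, would pin the contract for both this hunk and the cert_hostcheck() calls in the following @@ -1180 hunk. The two cookie hunks earlier on this line are consistent with that split, reading allocptr.cookiehost for cookie matching only. verifyhost() starts before this hunk and continues past it.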
@@ -1282,7 +1278,7 @@ static CURLcode verifyhost(struct connectdata *conn, "SSL: unable to obtain common name from peer certificate"); res = CURLE_PEER_FAILED_VERIFICATION; } - else if(!cert_hostcheck((const char *)peer_CN, hostname)) { + else if(!cert_hostcheck((const char *)peer_CN, conn->host.name)) { if(data->set.ssl.verifyhost > 1) { failf(data, "SSL: certificate subject name '%s' does not match " "target host name '%s'", peer_CN, conn->host.dispname); @@ -1433,7 +1429,6 @@ ossl_connect_step1(struct connectdata *conn, curl_socket_t sockfd = conn->sock[sockindex]; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME - const char *hostname; bool sni; #ifdef ENABLE_IPV6 struct in6_addr addr; @@ -1646,15 +1641,12 @@ ossl_connect_step1(struct connectdata *conn, connssl->server_cert = 0x0; #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME - hostname = conn->allocptr.customhost?conn->allocptr.customhost: - conn->host.name; - - if ((0 == Curl_inet_pton(AF_INET, hostname, &addr)) && + if ((0 == Curl_inet_pton(AF_INET, conn->host.name, &addr)) && #ifdef ENABLE_IPV6 - (0 == Curl_inet_pton(AF_INET6, hostname, &addr)) && + (0 == Curl_inet_pton(AF_INET6, conn->host.name, &addr)) && #endif sni && - !SSL_set_tlsext_host_name(connssl->handle, hostname)) + !SSL_set_tlsext_host_name(connssl->handle, conn->host.name)) infof(data, "WARNING: failed to configure server name indication (SNI) " "TLS extension\n"); #endif diff --git a/lib/url.c b/lib/url.c index ef02b4f31..b715e998f 100644 --- a/lib/url.c +++ b/lib/url.c @@ -2534,7 +2534,7 @@ static void conn_free(struct connectdata *conn) Curl_safefree(conn->allocptr.rangeline); Curl_safefree(conn->allocptr.ref); Curl_safefree(conn->allocptr.host); - Curl_safefree(conn->allocptr.customhost); + Curl_safefree(conn->allocptr.cookiehost); Curl_safefree(conn->allocptr.rtsp_transport); Curl_safefree(conn->trailer); Curl_safefree(conn->host.rawalloc); /* host name buffer */ 
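Review bot: In the @@ -1646 hunk a failed SSL_set_tlsext_host_name() only produces an infof() and the handshake proceeds without SNI, so on a server that selects its certificate by SNI the connection may later fail in verifyhost() with a name-mismatch error that does not point at the real cause. If best-effort SNI is the intended behaviour, say so on the infof line, e.g. `/* best effort: without SNI the server may present a default certificate, which verifyhost() then rejects as a name mismatch */`. The same condition probes AF_INET into `addr`, which the earlier @@ -1433 hunk shows is a struct in6_addr under ENABLE_IPV6; that works because in6_addr is the larger of the two, but it deserves a one-line comment. ossl_connect_step1() starts and ends outside this hunk.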
diff --git a/lib/urldata.h b/lib/urldata.h index 7b63b496b..4d6059152 100644 --- a/lib/urldata.h +++ b/lib/urldata.h @@ -796,7 +796,7 @@ struct connectdata { char *rangeline; /* free later if not NULL! */ char *ref; /* free later if not NULL! */ char *host; /* free later if not NULL */ - char *customhost; /* free later if not NULL */ + char *cookiehost; /* free later if not NULL */ char *rtsp_transport; /* free later if not NULL */ } allocptr; -- cgit v1.2.3