VirtualBox

source: vbox/trunk/src/libs/curl-7.87.0/lib/hsts.c@ 98341

最後變更 在這個檔案從98341是 98326,由 vboxsync 提交於 2 年 前

curl-7.87.0: Applied and adjusted our curl changes to 7.83.1. bugref:10356
  • 屬性 svn:eol-style 設為 native
檔案大小: 13.9 KB
 
1/***************************************************************************
2 * _ _ ____ _
3 * Project ___| | | | _ \| |
4 * / __| | | | |_) | |
5 * | (__| |_| | _ <| |___
6 * \___|\___/|_| \_\_____|
7 *
8 * Copyright (C) 2020 - 2022, Daniel Stenberg, <[email protected]>, et al.
9 *
10 * This software is licensed as described in the file COPYING, which
11 * you should have received as part of this distribution. The terms
12 * are also available at https://curl.se/docs/copyright.html.
13 *
14 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
15 * copies of the Software, and permit persons to whom the Software is
16 * furnished to do so, under the terms of the COPYING file.
17 *
18 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
19 * KIND, either express or implied.
20 *
21 * SPDX-License-Identifier: curl
22 *
23 ***************************************************************************/
24/*
25 * The Strict-Transport-Security header is defined in RFC 6797:
26 * https://datatracker.ietf.org/doc/html/rfc6797
27 */
28#include "curl_setup.h"
29
30#if !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_HSTS)
31#include <curl/curl.h>
32#include "urldata.h"
33#include "llist.h"
34#include "hsts.h"
35#include "curl_get_line.h"
36#include "strcase.h"
37#include "sendf.h"
38#include "strtoofft.h"
39#include "parsedate.h"
40#include "fopen.h"
41#include "rename.h"
42
43/* The last 3 #include files should be in this order */
44#include "curl_printf.h"
45#include "curl_memory.h"
46#include "memdebug.h"
47
48#define MAX_HSTS_LINE 4095
49#define MAX_HSTS_HOSTLEN 256
50#define MAX_HSTS_HOSTLENSTR "256"
51#define MAX_HSTS_DATELEN 64
52#define MAX_HSTS_DATELENSTR "64"
53#define UNLIMITED "unlimited"
54
55#ifdef DEBUGBUILD
56/* to play well with debug builds, we can *set* a fixed time this will
57 return */
58time_t deltatime; /* allow for "adjustments" for unit test purposes */
59static time_t debugtime(void *unused)
60{
61 char *timestr = getenv("CURL_TIME");
62 (void)unused;
63 if(timestr) {
64 curl_off_t val;
65 (void)curlx_strtoofft(timestr, NULL, 10, &val);
66
67 val += (curl_off_t)deltatime;
68 return (time_t)val;
69 }
70 return time(NULL);
71}
72#define time(x) debugtime(x)
73#endif
74
75struct hsts *Curl_hsts_init(void)
76{
77 struct hsts *h = calloc(sizeof(struct hsts), 1);
78 if(h) {
79 Curl_llist_init(&h->list, NULL);
80 }
81 return h;
82}
83
84static void hsts_free(struct stsentry *e)
85{
86 free((char *)e->host);
87 free(e);
88}
89
90void Curl_hsts_cleanup(struct hsts **hp)
91{
92 struct hsts *h = *hp;
93 if(h) {
94 struct Curl_llist_element *e;
95 struct Curl_llist_element *n;
96 for(e = h->list.head; e; e = n) {
97 struct stsentry *sts = e->ptr;
98 n = e->next;
99 hsts_free(sts);
100 }
101 free(h->filename);
102 free(h);
103 *hp = NULL;
104 }
105}
106
107static struct stsentry *hsts_entry(void)
108{
109 return calloc(sizeof(struct stsentry), 1);
110}
111
112static CURLcode hsts_create(struct hsts *h,
113 const char *hostname,
114 bool subdomains,
115 curl_off_t expires)
116{
117 struct stsentry *sts = hsts_entry();
118 char *duphost;
119 size_t hlen;
120 if(!sts)
121 return CURLE_OUT_OF_MEMORY;
122
123 duphost = strdup(hostname);
124 if(!duphost) {
125 free(sts);
126 return CURLE_OUT_OF_MEMORY;
127 }
128
129 hlen = strlen(duphost);
130 if(duphost[hlen - 1] == '.')
131 /* strip off trailing any dot */
132 duphost[--hlen] = 0;
133
134 sts->host = duphost;
135 sts->expires = expires;
136 sts->includeSubDomains = subdomains;
137 Curl_llist_insert_next(&h->list, h->list.tail, sts, &sts->node);
138 return CURLE_OK;
139}
140
141CURLcode Curl_hsts_parse(struct hsts *h, const char *hostname,
142 const char *header)
143{
144 const char *p = header;
145 curl_off_t expires = 0;
146 bool gotma = FALSE;
147 bool gotinc = FALSE;
148 bool subdomains = FALSE;
149 struct stsentry *sts;
150 time_t now = time(NULL);
151
152 if(Curl_host_is_ipnum(hostname))
153 /* "explicit IP address identification of all forms is excluded."
154 / RFC 6797 */
155 return CURLE_OK;
156
157 do {
158 while(*p && ISBLANK(*p))
159 p++;
160 if(strncasecompare("max-age=", p, 8)) {
161 bool quoted = FALSE;
162 CURLofft offt;
163 char *endp;
164
165 if(gotma)
166 return CURLE_BAD_FUNCTION_ARGUMENT;
167
168 p += 8;
169 while(*p && ISBLANK(*p))
170 p++;
171 if(*p == '\"') {
172 p++;
173 quoted = TRUE;
174 }
175 offt = curlx_strtoofft(p, &endp, 10, &expires);
176 if(offt == CURL_OFFT_FLOW)
177 expires = CURL_OFF_T_MAX;
178 else if(offt)
179 /* invalid max-age */
180 return CURLE_BAD_FUNCTION_ARGUMENT;
181 p = endp;
182 if(quoted) {
183 if(*p != '\"')
184 return CURLE_BAD_FUNCTION_ARGUMENT;
185 p++;
186 }
187 gotma = TRUE;
188 }
189 else if(strncasecompare("includesubdomains", p, 17)) {
190 if(gotinc)
191 return CURLE_BAD_FUNCTION_ARGUMENT;
192 subdomains = TRUE;
193 p += 17;
194 gotinc = TRUE;
195 }
196 else {
197 /* unknown directive, do a lame attempt to skip */
198 while(*p && (*p != ';'))
199 p++;
200 }
201
202 while(*p && ISBLANK(*p))
203 p++;
204 if(*p == ';')
205 p++;
206 } while (*p);
207
208 if(!gotma)
209 /* max-age is mandatory */
210 return CURLE_BAD_FUNCTION_ARGUMENT;
211
212 if(!expires) {
213 /* remove the entry if present verbatim (without subdomain match) */
214 sts = Curl_hsts(h, hostname, FALSE);
215 if(sts) {
216 Curl_llist_remove(&h->list, &sts->node, NULL);
217 hsts_free(sts);
218 }
219 return CURLE_OK;
220 }
221
222 if(CURL_OFF_T_MAX - now < expires)
223 /* would overflow, use maximum value */
224 expires = CURL_OFF_T_MAX;
225 else
226 expires += now;
227
228 /* check if it already exists */
229 sts = Curl_hsts(h, hostname, FALSE);
230 if(sts) {
231 /* just update these fields */
232 sts->expires = expires;
233 sts->includeSubDomains = subdomains;
234 }
235 else
236 return hsts_create(h, hostname, subdomains, expires);
237
238 return CURLE_OK;
239}
240
241/*
242 * Return TRUE if the given host name is currently an HSTS one.
243 *
244 * The 'subdomain' argument tells the function if subdomain matching should be
245 * attempted.
246 */
247struct stsentry *Curl_hsts(struct hsts *h, const char *hostname,
248 bool subdomain)
249{
250 if(h) {
251 char buffer[MAX_HSTS_HOSTLEN + 1];
252 time_t now = time(NULL);
253 size_t hlen = strlen(hostname);
254 struct Curl_llist_element *e;
255 struct Curl_llist_element *n;
256
257 if((hlen > MAX_HSTS_HOSTLEN) || !hlen)
258 return NULL;
259 memcpy(buffer, hostname, hlen);
260 if(hostname[hlen-1] == '.')
261 /* remove the trailing dot */
262 --hlen;
263 buffer[hlen] = 0;
264 hostname = buffer;
265
266 for(e = h->list.head; e; e = n) {
267 struct stsentry *sts = e->ptr;
268 n = e->next;
269 if(sts->expires <= now) {
270 /* remove expired entries */
271 Curl_llist_remove(&h->list, &sts->node, NULL);
272 hsts_free(sts);
273 continue;
274 }
275 if(subdomain && sts->includeSubDomains) {
276 size_t ntail = strlen(sts->host);
277 if(ntail < hlen) {
278 size_t offs = hlen - ntail;
279 if((hostname[offs-1] == '.') &&
280 strncasecompare(&hostname[offs], sts->host, ntail))
281 return sts;
282 }
283 }
284 if(strcasecompare(hostname, sts->host))
285 return sts;
286 }
287 }
288 return NULL; /* no match */
289}
290
291/*
292 * Send this HSTS entry to the write callback.
293 */
294static CURLcode hsts_push(struct Curl_easy *data,
295 struct curl_index *i,
296 struct stsentry *sts,
297 bool *stop)
298{
299 struct curl_hstsentry e;
300 CURLSTScode sc;
301 struct tm stamp;
302 CURLcode result;
303
304 e.name = (char *)sts->host;
305 e.namelen = strlen(sts->host);
306 e.includeSubDomains = sts->includeSubDomains;
307
308 if(sts->expires != TIME_T_MAX) {
309 result = Curl_gmtime((time_t)sts->expires, &stamp);
310 if(result)
311 return result;
312
313 msnprintf(e.expire, sizeof(e.expire), "%d%02d%02d %02d:%02d:%02d",
314 stamp.tm_year + 1900, stamp.tm_mon + 1, stamp.tm_mday,
315 stamp.tm_hour, stamp.tm_min, stamp.tm_sec);
316 }
317 else
318 strcpy(e.expire, UNLIMITED);
319
320 sc = data->set.hsts_write(data, &e, i,
321 data->set.hsts_write_userp);
322 *stop = (sc != CURLSTS_OK);
323 return sc == CURLSTS_FAIL ? CURLE_BAD_FUNCTION_ARGUMENT : CURLE_OK;
324}
325
326/*
327 * Write this single hsts entry to a single output line
328 */
329static CURLcode hsts_out(struct stsentry *sts, FILE *fp)
330{
331 struct tm stamp;
332 if(sts->expires != TIME_T_MAX) {
333 CURLcode result = Curl_gmtime((time_t)sts->expires, &stamp);
334 if(result)
335 return result;
336 fprintf(fp, "%s%s \"%d%02d%02d %02d:%02d:%02d\"\n",
337 sts->includeSubDomains ? ".": "", sts->host,
338 stamp.tm_year + 1900, stamp.tm_mon + 1, stamp.tm_mday,
339 stamp.tm_hour, stamp.tm_min, stamp.tm_sec);
340 }
341 else
342 fprintf(fp, "%s%s \"%s\"\n",
343 sts->includeSubDomains ? ".": "", sts->host, UNLIMITED);
344 return CURLE_OK;
345}
346
347
348/*
349 * Curl_https_save() writes the HSTS cache to file and callback.
350 */
351CURLcode Curl_hsts_save(struct Curl_easy *data, struct hsts *h,
352 const char *file)
353{
354 struct Curl_llist_element *e;
355 struct Curl_llist_element *n;
356 CURLcode result = CURLE_OK;
357 FILE *out;
358 char *tempstore = NULL;
359
360 if(!h)
361 /* no cache activated */
362 return CURLE_OK;
363
364 /* if no new name is given, use the one we stored from the load */
365 if(!file && h->filename)
366 file = h->filename;
367
368 if((h->flags & CURLHSTS_READONLYFILE) || !file || !file[0])
369 /* marked as read-only, no file or zero length file name */
370 goto skipsave;
371
372 result = Curl_fopen(data, file, &out, &tempstore);
373 if(!result) {
374 fputs("# Your HSTS cache. https://curl.se/docs/hsts.html\n"
375 "# This file was generated by libcurl! Edit at your own risk.\n",
376 out);
377 for(e = h->list.head; e; e = n) {
378 struct stsentry *sts = e->ptr;
379 n = e->next;
380 result = hsts_out(sts, out);
381 if(result)
382 break;
383 }
384 fclose(out);
385 if(!result && tempstore && Curl_rename(tempstore, file))
386 result = CURLE_WRITE_ERROR;
387
388 if(result && tempstore)
389 unlink(tempstore);
390 }
391 free(tempstore);
392 skipsave:
393 if(data->set.hsts_write) {
394 /* if there's a write callback */
395 struct curl_index i; /* count */
396 i.total = h->list.size;
397 i.index = 0;
398 for(e = h->list.head; e; e = n) {
399 struct stsentry *sts = e->ptr;
400 bool stop;
401 n = e->next;
402 result = hsts_push(data, &i, sts, &stop);
403 if(result || stop)
404 break;
405 i.index++;
406 }
407 }
408 return result;
409}
410
411/* only returns SERIOUS errors */
412static CURLcode hsts_add(struct hsts *h, char *line)
413{
414 /* Example lines:
415 example.com "20191231 10:00:00"
416 .example.net "20191231 10:00:00"
417 */
418 char host[MAX_HSTS_HOSTLEN + 1];
419 char date[MAX_HSTS_DATELEN + 1];
420 int rc;
421
422 rc = sscanf(line,
423 "%" MAX_HSTS_HOSTLENSTR "s \"%" MAX_HSTS_DATELENSTR "[^\"]\"",
424 host, date);
425 if(2 == rc) {
426 time_t expires = strcmp(date, UNLIMITED) ? Curl_getdate_capped(date) :
427 TIME_T_MAX;
428 CURLcode result;
429 char *p = host;
430 bool subdomain = FALSE;
431 if(p[0] == '.') {
432 p++;
433 subdomain = TRUE;
434 }
435 result = hsts_create(h, p, subdomain, expires);
436 if(result)
437 return result;
438 }
439
440 return CURLE_OK;
441}
442
443/*
444 * Load HSTS data from callback.
445 *
446 */
447static CURLcode hsts_pull(struct Curl_easy *data, struct hsts *h)
448{
449 /* if the HSTS read callback is set, use it */
450 if(data->set.hsts_read) {
451 CURLSTScode sc;
452 DEBUGASSERT(h);
453 do {
454 char buffer[MAX_HSTS_HOSTLEN + 1];
455 struct curl_hstsentry e;
456 e.name = buffer;
457 e.namelen = sizeof(buffer)-1;
458 e.includeSubDomains = FALSE; /* default */
459 e.expire[0] = 0;
460 e.name[0] = 0; /* just to make it clean */
461 sc = data->set.hsts_read(data, &e, data->set.hsts_read_userp);
462 if(sc == CURLSTS_OK) {
463 time_t expires;
464 CURLcode result;
465 if(!e.name[0])
466 /* bail out if no name was stored */
467 return CURLE_BAD_FUNCTION_ARGUMENT;
468 if(e.expire[0])
469 expires = Curl_getdate_capped(e.expire);
470 else
471 expires = TIME_T_MAX; /* the end of time */
472 result = hsts_create(h, e.name,
473 /* bitfield to bool conversion: */
474 e.includeSubDomains ? TRUE : FALSE,
475 expires);
476 if(result)
477 return result;
478 }
479 else if(sc == CURLSTS_FAIL)
480 return CURLE_ABORTED_BY_CALLBACK;
481 } while(sc == CURLSTS_OK);
482 }
483 return CURLE_OK;
484}
485
486/*
487 * Load the HSTS cache from the given file. The text based line-oriented file
488 * format is documented here: https://curl.se/docs/hsts.html
489 *
490 * This function only returns error on major problems that prevent hsts
491 * handling to work completely. It will ignore individual syntactical errors
492 * etc.
493 */
494static CURLcode hsts_load(struct hsts *h, const char *file)
495{
496 CURLcode result = CURLE_OK;
497 char *line = NULL;
498 FILE *fp;
499
500 /* we need a private copy of the file name so that the hsts cache file
501 name survives an easy handle reset */
502 free(h->filename);
503 h->filename = strdup(file);
504 if(!h->filename)
505 return CURLE_OUT_OF_MEMORY;
506
507 fp = fopen(file, FOPEN_READTEXT);
508 if(fp) {
509 line = malloc(MAX_HSTS_LINE);
510 if(!line)
511 goto fail;
512 while(Curl_get_line(line, MAX_HSTS_LINE, fp)) {
513 char *lineptr = line;
514 while(*lineptr && ISBLANK(*lineptr))
515 lineptr++;
516 if(*lineptr == '#')
517 /* skip commented lines */
518 continue;
519
520 hsts_add(h, lineptr);
521 }
522 free(line); /* free the line buffer */
523 fclose(fp);
524 }
525 return result;
526
527 fail:
528 Curl_safefree(h->filename);
529 fclose(fp);
530 return CURLE_OUT_OF_MEMORY;
531}
532
533/*
534 * Curl_hsts_loadfile() loads HSTS from file
535 */
536CURLcode Curl_hsts_loadfile(struct Curl_easy *data,
537 struct hsts *h, const char *file)
538{
539 DEBUGASSERT(h);
540 (void)data;
541 return hsts_load(h, file);
542}
543
544/*
545 * Curl_hsts_loadcb() loads HSTS from callback
546 */
547CURLcode Curl_hsts_loadcb(struct Curl_easy *data, struct hsts *h)
548{
549 if(h)
550 return hsts_pull(data, h);
551 return CURLE_OK;
552}
553
554#endif /* CURL_DISABLE_HTTP || CURL_DISABLE_HSTS */
注意: 瀏覽 TracBrowser 來幫助您使用儲存庫瀏覽器

© 2025 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette