git-market/curl-curl
1
0
Fork 0
mirror of https://github.com/curl/curl.git synced 2026-04-11 12:01:42 +08:00
Code Issues Actions 14 Packages Projects Releases Wiki Activity
master
curl-curl/lib/vtls/hostcheck.c
Viktor Szakats 3058ed3df8
lib: use lib source directory as base include path 
Backtrack on previous change that aimed to solve the wrong `share.h`
being included. It turns out it did not fix this issue. At the same time
it introduced relative header filenames and the need to include the same
headers differently depending on the source files' location, reducing
readability and editability.

Replace this method by re-adding curl's lib source directory to the
header path and addressing headers by the their full, relative name to
that base directory. Aligning with this method already used in src and
tests.

With these advantages:
- makes includes easier to read, recognize, grep, sort, write, and copy
  between sources,
- syncs the way these headers are included across curl components,
- avoids the ambiguity between system `schannel.h`, `rustls.h` vs.
  local headers using the same names in `lib/vtls`,
- silences clang-tidy `readability-duplicate-include` checker, which
  detects the above issue,
  Ref: https://clang.llvm.org/extra/clang-tidy/checks/readability/duplicate-include.html
- possibly silences TIOBE coding standard warnings:
  `6.10.2.a: Don't use relative paths in #include statements.`
- long shot: it works well with concatenated test sources, for
  clang-tidy-friendly custom unity builds. Ref: #20667

Slight downside: it's not enforced.

If there happens to be a collision between a local `lib/*.h` header and
a system one, the solution is to rename (possibly with its `.c`
counterpart) into the `curl_` namespace. This is also the method used by
curl in the past.

Also:
- curlx/inet_pton: reduce scope of an include.
- toolx/tool_time: apply this to an include, and update VS project
  files accordingly. Also dropping unnecessary lib/curlx header path.
- clang-tidy: enable `readability-duplicate-include`.

Follow-up to 3887069c66 #19676
Follow-up to 625f2c1644 #16991 #16949

Closes #20623
2026-02-23 16:00:42 +01:00

129 lines
4.1 KiB
C
Raw Permalink Blame History

/***************************************************************************
* _ _ ____ _
* Project ___| | | | _ \| |
* / __| | | | |_) | |
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
* Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
* are also available at https://curl.se/docs/copyright.html.
*
* You may opt to use, copy, modify, merge, publish, distribute and/or sell
* copies of the Software, and permit persons to whom the Software is
* furnished to do so, under the terms of the COPYING file.
*
* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
* KIND, either express or implied.
*
* SPDX-License-Identifier: curl
*
***************************************************************************/
#include "curl_setup.h"
#if defined(USE_OPENSSL) || defined(USE_SCHANNEL)
/* these backends use functions from this file */
#ifdef HAVE_NETINET_IN_H
#include <netinet/in.h>
#endif
#ifdef HAVE_NETINET_IN6_H
#include <netinet/in6.h>
#endif
#include "curl_memrchr.h"
#include "vtls/hostcheck.h"
#include "hostip.h"
/* check the two input strings with given length, but do not
assume they end in nul-bytes */
static bool pmatch(const char *hostname, size_t hostlen,
const char *pattern, size_t patternlen)
{
if(hostlen != patternlen)
return FALSE;
return curl_strnequal(hostname, pattern, hostlen);
}
/*
* Match a hostname against a wildcard pattern.
* E.g.
* "foo.host.com" matches "*.host.com".
*
* We use the matching rule described in RFC6125, section 6.4.3.
* https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.3
*
* In addition: ignore trailing dots in the hostnames and wildcards, so that
* the names are used normalized. This is what the browsers do.
*
* Do not allow wildcard matching on IP numbers. There are apparently
* certificates being used with an IP address in the CN field, thus making no
* apparent distinction between a name and an IP. We need to detect the use of
* an IP address and not wildcard match on such names.
*
* Only match on "*" being used for the leftmost label, not "a*", "a*b" nor
* "*b".
*
* Return TRUE on a match. FALSE if not.
*
* @unittest: 1397
*/
static bool hostmatch(const char *hostname,
size_t hostlen,
const char *pattern,
size_t patternlen)
{
const char *pattern_label_end;
DEBUGASSERT(pattern);
DEBUGASSERT(patternlen);
DEBUGASSERT(hostname);
DEBUGASSERT(hostlen);
/* normalize pattern and hostname by stripping off trailing dots */
if(hostname[hostlen - 1] == '.')
hostlen--;
if(pattern[patternlen - 1] == '.')
patternlen--;
if(strncmp(pattern, "*.", 2))
return pmatch(hostname, hostlen, pattern, patternlen);
/* detect host as IP address or starting with a dot and fail if so */
else if(Curl_host_is_ipnum(hostname) || (hostname[0] == '.'))
return FALSE;
/* We require at least 2 dots in the pattern to avoid too wide wildcard
match. */
pattern_label_end = memchr(pattern, '.', patternlen);
if(!pattern_label_end ||
(memrchr(pattern, '.', patternlen) == pattern_label_end))
return pmatch(hostname, hostlen, pattern, patternlen);
else {
const char *hostname_label_end = memchr(hostname, '.', hostlen);
if(hostname_label_end) {
size_t skiphost = hostname_label_end - hostname;
size_t skiplen = pattern_label_end - pattern;
return pmatch(hostname_label_end, hostlen - skiphost,
pattern_label_end, patternlen - skiplen);
}
}
return FALSE;
}
/*
* Curl_cert_hostcheck() returns TRUE if a match and FALSE if not.
*/
bool Curl_cert_hostcheck(const char *match, size_t matchlen,
const char *hostname, size_t hostlen)
{
if(match && *match && hostname && *hostname)
return hostmatch(hostname, hostlen, match, matchlen);
return FALSE;
}
#endif /* USE_OPENSSL || USE_SCHANNEL */
Reference in New Issue View Git Blame Copy Permalink