193 lines
6.2 KiB
Diff
193 lines
6.2 KiB
Diff
From 199f2d440d8659b42670c1b796220792b01a97bf Mon Sep 17 00:00:00 2001
|
|
From: Daniel Stenberg <daniel@haxx.se>
|
|
Date: Mon, 24 Apr 2023 21:07:02 +0200
|
|
Subject: [PATCH] hostcheck: fix host name wildcard checking
|
|
|
|
The leftmost "label" of the host name can now only match against single
|
|
'*'. Like the browsers have worked for a long time.
|
|
|
|
- extended unit test 1397 for this
|
|
- move some SOURCE variables from unit/Makefile.am to unit/Makefile.inc
|
|
|
|
Reported-by: Hiroki Kurosawa
|
|
Closes #11018
|
|
---
|
|
tests/data/test1397 | 10 ++--
|
|
tests/unit/unit1397.c | 120 +++++++++++++++++++++++++++-------------
|
|
2 files changed, 85 insertions(+), 45 deletions(-)
|
|
|
|
diff --git a/tests/data/test1397 b/tests/data/test1397
|
|
index 84f962a..f31b2c2 100644
|
|
--- a/tests/data/test1397
|
|
+++ b/tests/data/test1397
|
|
@@ -2,8 +2,7 @@
|
|
<info>
|
|
<keywords>
|
|
unittest
|
|
-ssl
|
|
-wildcard
|
|
+Curl_cert_hostcheck
|
|
</keywords>
|
|
</info>
|
|
|
|
@@ -16,9 +15,8 @@ none
|
|
<features>
|
|
unittest
|
|
</features>
|
|
- <name>
|
|
-Check wildcard certificate matching function Curl_cert_hostcheck
|
|
- </name>
|
|
+<name>
|
|
+Curl_cert_hostcheck unit tests
|
|
+</name>
|
|
</client>
|
|
-
|
|
</testcase>
|
|
diff --git a/tests/unit/unit1397.c b/tests/unit/unit1397.c
|
|
index 508f41a..89ff957 100644
|
|
--- a/tests/unit/unit1397.c
|
|
+++ b/tests/unit/unit1397.c
|
|
@@ -21,8 +21,6 @@
|
|
***************************************************************************/
|
|
#include "curlcheck.h"
|
|
|
|
-#include "hostcheck.h" /* from the lib dir */
|
|
-
|
|
static CURLcode unit_setup(void)
|
|
{
|
|
return CURLE_OK;
|
|
@@ -30,50 +28,92 @@ static CURLcode unit_setup(void)
|
|
|
|
static void unit_stop(void)
|
|
{
|
|
- /* done before shutting down and exiting */
|
|
}
|
|
|
|
-UNITTEST_START
|
|
-
|
|
/* only these backends define the tested functions */
|
|
-#if defined(USE_OPENSSL) || defined(USE_GSKIT)
|
|
-
|
|
- /* here you start doing things and checking that the results are good */
|
|
+#if defined(USE_OPENSSL) || defined(USE_GSKIT) || defined(USE_SCHANNEL)
|
|
+#include "hostcheck.h"
|
|
+struct testcase {
|
|
+ const char *host;
|
|
+ const char *pattern;
|
|
+ bool match;
|
|
+};
|
|
|
|
-fail_unless(Curl_cert_hostcheck("www.example.com", "www.example.com"),
|
|
- "good 1");
|
|
-fail_unless(Curl_cert_hostcheck("*.example.com", "www.example.com"),
|
|
- "good 2");
|
|
-fail_unless(Curl_cert_hostcheck("xxx*.example.com", "xxxwww.example.com"),
|
|
- "good 3");
|
|
-fail_unless(Curl_cert_hostcheck("f*.example.com", "foo.example.com"),
|
|
- "good 4");
|
|
-fail_unless(Curl_cert_hostcheck("192.168.0.0", "192.168.0.0"),
|
|
- "good 5");
|
|
+static struct testcase tests[] = {
|
|
+ {"", "", FALSE},
|
|
+ {"a", "", FALSE},
|
|
+ {"", "b", FALSE},
|
|
+ {"a", "b", FALSE},
|
|
+ {"aa", "bb", FALSE},
|
|
+ {"\xff", "\xff", TRUE},
|
|
+ {"aa.aa.aa", "aa.aa.bb", FALSE},
|
|
+ {"aa.aa.aa", "aa.aa.aa", TRUE},
|
|
+ {"aa.aa.aa", "*.aa.bb", FALSE},
|
|
+ {"aa.aa.aa", "*.aa.aa", TRUE},
|
|
+ {"192.168.0.1", "192.168.0.1", TRUE},
|
|
+ {"192.168.0.1", "*.168.0.1", FALSE},
|
|
+ {"192.168.0.1", "*.0.1", FALSE},
|
|
+ {"h.ello", "*.ello", FALSE},
|
|
+ {"h.ello.", "*.ello", FALSE},
|
|
+ {"h.ello", "*.ello.", FALSE},
|
|
+ {"h.e.llo", "*.e.llo", TRUE},
|
|
+ {"h.e.llo", " *.e.llo", FALSE},
|
|
+ {" h.e.llo", "*.e.llo", TRUE},
|
|
+ {"h.e.llo.", "*.e.llo", TRUE},
|
|
+ {"*.e.llo.", "*.e.llo", TRUE},
|
|
+ {"************.e.llo.", "*.e.llo", TRUE},
|
|
+ {"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
|
|
+ "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"
|
|
+ "CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC"
|
|
+ "DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD"
|
|
+ "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
|
|
+ ".e.llo.", "*.e.llo", TRUE},
|
|
+ {"\xfe\xfe.e.llo.", "*.e.llo", TRUE},
|
|
+ {"h.e.llo.", "*.e.llo.", TRUE},
|
|
+ {"h.e.llo", "*.e.llo.", TRUE},
|
|
+ {".h.e.llo", "*.e.llo.", FALSE},
|
|
+ {"h.e.llo", "*.*.llo.", FALSE},
|
|
+ {"h.e.llo", "h.*.llo", FALSE},
|
|
+ {"h.e.llo", "h.e.*", FALSE},
|
|
+ {"hello", "*.ello", FALSE},
|
|
+ {"hello", "**llo", FALSE},
|
|
+ {"bar.foo.example.com", "*.example.com", FALSE},
|
|
+ {"foo.example.com", "*.example.com", TRUE},
|
|
+ {"baz.example.net", "b*z.example.net", FALSE},
|
|
+ {"foobaz.example.net", "*baz.example.net", FALSE},
|
|
+ {"xn--l8j.example.local", "x*.example.local", FALSE},
|
|
+ {"xn--l8j.example.net", "*.example.net", TRUE},
|
|
+ {"xn--l8j.example.net", "*j.example.net", FALSE},
|
|
+ {"xn--l8j.example.net", "xn--l8j.example.net", TRUE},
|
|
+ {"xn--l8j.example.net", "xn--l8j.*.net", FALSE},
|
|
+ {"xl8j.example.net", "*.example.net", TRUE},
|
|
+ {"fe80::3285:a9ff:fe46:b619", "*::3285:a9ff:fe46:b619", FALSE},
|
|
+ {"fe80::3285:a9ff:fe46:b619", "fe80::3285:a9ff:fe46:b619", TRUE},
|
|
+ {NULL, NULL, FALSE}
|
|
+};
|
|
|
|
-fail_if(Curl_cert_hostcheck("xxx.example.com", "www.example.com"), "bad 1");
|
|
-fail_if(Curl_cert_hostcheck("*", "www.example.com"), "bad 2");
|
|
-fail_if(Curl_cert_hostcheck("*.*.com", "www.example.com"), "bad 3");
|
|
-fail_if(Curl_cert_hostcheck("*.example.com", "baa.foo.example.com"), "bad 4");
|
|
-fail_if(Curl_cert_hostcheck("f*.example.com", "baa.example.com"), "bad 5");
|
|
-fail_if(Curl_cert_hostcheck("*.com", "example.com"), "bad 6");
|
|
-fail_if(Curl_cert_hostcheck("*fail.com", "example.com"), "bad 7");
|
|
-fail_if(Curl_cert_hostcheck("*.example.", "www.example."), "bad 8");
|
|
-fail_if(Curl_cert_hostcheck("*.example.", "www.example"), "bad 9");
|
|
-fail_if(Curl_cert_hostcheck("", "www"), "bad 10");
|
|
-fail_if(Curl_cert_hostcheck("*", "www"), "bad 11");
|
|
-fail_if(Curl_cert_hostcheck("*.168.0.0", "192.168.0.0"), "bad 12");
|
|
-fail_if(Curl_cert_hostcheck("www.example.com", "192.168.0.0"), "bad 13");
|
|
-
|
|
-#ifdef ENABLE_IPV6
|
|
-fail_if(Curl_cert_hostcheck("*::3285:a9ff:fe46:b619",
|
|
- "fe80::3285:a9ff:fe46:b619"), "bad 14");
|
|
-fail_unless(Curl_cert_hostcheck("fe80::3285:a9ff:fe46:b619",
|
|
- "fe80::3285:a9ff:fe46:b619"), "good 6");
|
|
-#endif
|
|
+UNITTEST_START
|
|
+{
|
|
+ int i;
|
|
+ for(i = 0; tests[i].host; i++) {
|
|
+ if(tests[i].match != Curl_cert_hostcheck(tests[i].pattern,
|
|
+ tests[i].host)) {
|
|
+ fprintf(stderr,
|
|
+ "HOST: %s\n"
|
|
+ "PTRN: %s\n"
|
|
+ "did %sMATCH\n",
|
|
+ tests[i].host,
|
|
+ tests[i].pattern,
|
|
+ tests[i].match ? "NOT ": "");
|
|
+ unitfail++;
|
|
+ }
|
|
+ }
|
|
+}
|
|
|
|
-#endif
|
|
+UNITTEST_STOP
|
|
+#else
|
|
|
|
- /* you end the test code like this: */
|
|
+UNITTEST_START
|
|
|
|
UNITTEST_STOP
|
|
+#endif
|
|
--
|
|
2.33.0
|
|
|