Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Simplify handling of IP literal addresses #142

Merged
merged 3 commits into from
Jan 29, 2024
Merged

Simplify handling of IP literal addresses #142

merged 3 commits into from
Jan 29, 2024

Commits on Jan 28, 2024

  1. Simplify handling of IP literal addresses; require that IPv6 literals 

    use the bracketed syntax; avoid name resolution for all literal
addresses.

* src/ne_session.h: Clarify host parameter must match RFC 3986 syntax.

* src/ne_private.h (struct host_info): Add literal field.

* src/ne_session.c (free_hostinfo): Free literal field.
  (set_hostinfo): Parse and store IP literals including bracketed
  IPv6-literal.
  (ne_session_create) Use literal field to determine TLS SNI mode.

* test/utils.c (session_server): Use bracketed IPv6 literals.

* test/request.c (ipv6_host_checker, serve_v6_check, ipv6_literal):
  Test for bracketed form of IPv6 literals.

* src/ne_request.c (do_connect): Update comment.
    @notroj
    notroj committed Jan 28, 2024
    Configuration menu
    Copy the full SHA
    a65f9a2 View commit details
    Browse the repository at this point in the history

  2. Fix status, status_chunked tests. 

    * test/utils.c (session_server): Store the hostname.
  (get_session_host): New function.

* test/request.c (status, status_chunked): Use get_session_host() to
  accurately create the expected status notifier output.
    @notroj
    notroj committed Jan 28, 2024
    Configuration menu
    Copy the full SHA
    3203d95 View commit details
    Browse the repository at this point in the history

  3. Update TLS identity checks to simplify literal address test, avoid 

    matching a DNS name against an IP address, and remove URI altname
support since this is not specified by RFC 9110/6125.

* src/ne_openssl.c (check_identity): Take the host_info rather than a
  URI; only test DNS names for a non-literal identifier, and only test
  IP addresses for a literal identifier.
  (check_certificate): Adjust accordingly.

* src/ne_gnutls.c (check_identity, check_certificate): Update
  similarly.

* src/ne_session.c (ne__ssl_match_hostname): Drop now unnecessary
  safety check for IP addresses here.

* test/ssl.c (uri_altname, fail_bad_urialtname): Removed tests.
  (fail_ssl_request_with_error2): Update to use
  fakeproxied_session_server.
  (cert_identities): Drop altname8.cert (URI altname).

* test/makekeys.sh, test/openssl.conf: Drop URI altname cert generation.
    @notroj
    notroj committed Jan 28, 2024
    Configuration menu
    Copy the full SHA
    9fbf570 View commit details
    Browse the repository at this point in the history