From d5c562cd0dfdde2424632d779cb5ed37ce10c72e Mon Sep 17 00:00:00 2001
From: vvb2060
Date: Mon, 11 Sep 2023 03:50:10 +0800
Subject: [PATCH] quic: don't set SNI if hostname is an IP address

We already do this for TLS connections.

RFC 6066 says:
Literal IPv4 and IPv6 addresses are not permitted in "HostName".

Ref: https://www.rfc-editor.org/rfc/rfc6066#section-3

Fixes https://github.com/curl/curl/issues/11827
Closes https://github.com/curl/curl/pull/11828
---
 lib/vquic/curl_ngtcp2.c | 17 +++++++++++++++--
 lib/vquic/curl_quiche.c | 19 +++++++++++++++++--
 2 files changed, 32 insertions(+), 4 deletions(-)

diff --git a/lib/vquic/curl_ngtcp2.c b/lib/vquic/curl_ngtcp2.c
index ddd0992a64..85b2106a1d 100644
--- a/lib/vquic/curl_ngtcp2.c
+++ b/lib/vquic/curl_ngtcp2.c
@@ -58,6 +58,7 @@
 #include "dynbuf.h"
 #include "http1.h"
 #include "select.h"
+#include "inet_pton.h"
 #include "vquic.h"
 #include "vquic_int.h"
 #include "vtls/keylog.h"
@@ -511,8 +512,8 @@ static CURLcode quic_init_ssl(struct Curl_cfilter *cf,
   struct cf_ngtcp2_ctx *ctx = cf->ctx;
   const uint8_t *alpn = NULL;
   size_t alpnlen = 0;
+  unsigned char checkip[16];
 
-  (void)data;
   DEBUGASSERT(!ctx->ssl);
   ctx->ssl = SSL_new(ctx->sslctx);
 
@@ -526,7 +527,19 @@ static CURLcode quic_init_ssl(struct Curl_cfilter *cf,
   SSL_set_alpn_protos(ctx->ssl, alpn, (int)alpnlen);
 
   /* set SNI */
-  SSL_set_tlsext_host_name(ctx->ssl, cf->conn->host.name);
+  if((0 == Curl_inet_pton(AF_INET, cf->conn->host.name, checkip))
+#ifdef ENABLE_IPV6
+     && (0 == Curl_inet_pton(AF_INET6, cf->conn->host.name, checkip))
+#endif
+    ) {
+    char *snihost = Curl_ssl_snihost(data, cf->conn->host.name, NULL);
+    if(!snihost || !SSL_set_tlsext_host_name(ctx->ssl, snihost)) {
+      failf(data, "Failed set SNI");
+      SSL_free(ctx->ssl);
+      ctx->ssl = NULL;
+      return CURLE_QUIC_CONNECT_ERROR;
+    }
+  }
   return CURLE_OK;
 }
 #elif defined(USE_GNUTLS)
diff --git a/lib/vquic/curl_quiche.c b/lib/vquic/curl_quiche.c
index b65bea871c..3598de1c7a 100644
--- a/lib/vquic/curl_quiche.c
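Review bot: The IP-literal test and the whole SNI block added in the `@@ -526,7 +527,19 @@` hunk of curl_ngtcp2.c are repeated verbatim in the `@@ -199,7 +201,20 @@` hunk of curl_quiche.c, and the commit message says the TLS backends already carry the same logic, so there are now at least three copies that must be kept in step; a small shared helper in vtls (something like a function taking `data`, the `SSL *` and the host name and returning a CURLcode) would let both QUIC backends call one implementation. The failure branch also folds two different causes, `Curl_ssl_snihost` returning NULL and `SSL_set_tlsext_host_name` failing, into the single message `"Failed set SNI"`; at minimum the wording should read `failf(data, "Failed to set SNI");`, and distinguishing the two would make the log actionable. quic_init_ssl starts before this hunk, so the signature and the earlier use of `data` are not visible here.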
+++ b/lib/vquic/curl_quiche.c
@@ -45,8 +45,10 @@
 #include "vquic_int.h"
 #include "curl_quiche.h"
 #include "transfer.h"
+#include "inet_pton.h"
 #include "vtls/openssl.h"
 #include "vtls/keylog.h"
+#include "vtls/vtls.h"
 
 /* The last 3 #include files should be in this order */
 #include "curl_printf.h"
@@ -175,8 +177,8 @@ static CURLcode quic_x509_store_setup(struct Curl_cfilter *cf,
 static CURLcode quic_ssl_setup(struct Curl_cfilter *cf, struct Curl_easy *data)
 {
   struct cf_quiche_ctx *ctx = cf->ctx;
+  unsigned char checkip[16];
 
-  (void)data;
   DEBUGASSERT(!ctx->sslctx);
   ctx->sslctx = SSL_CTX_new(TLS_method());
   if(!ctx->sslctx)
@@ -199,7 +201,20 @@ static CURLcode quic_ssl_setup(struct Curl_cfilter *cf, struct Curl_easy *data)
     return CURLE_QUIC_CONNECT_ERROR;
 
   SSL_set_app_data(ctx->ssl, cf);
-  SSL_set_tlsext_host_name(ctx->ssl, cf->conn->host.name);
+
+  if((0 == Curl_inet_pton(AF_INET, cf->conn->host.name, checkip))
+#ifdef ENABLE_IPV6
+     && (0 == Curl_inet_pton(AF_INET6, cf->conn->host.name, checkip))
+#endif
+    ) {
+    char *snihost = Curl_ssl_snihost(data, cf->conn->host.name, NULL);
+    if(!snihost || !SSL_set_tlsext_host_name(ctx->ssl, snihost)) {
+      failf(data, "Failed set SNI");
+      SSL_free(ctx->ssl);
+      ctx->ssl = NULL;
+      return CURLE_QUIC_CONNECT_ERROR;
+    }
+  }
 
   return CURLE_OK;
 }
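Review bot: Nothing in the new code of the `@@ -199,7 +201,20 @@` hunk says why an IP literal makes quic_ssl_setup skip SNI; the RFC 6066 rationale lives only in the commit message, and unlike the curl_ngtcp2.c hunk this one does not even carry a `/* set SNI */` marker. A comment above the `if`, such as `/* RFC 6066 section 3 forbids literal IPv4/IPv6 addresses in the SNI host name, so only send SNI for a real host name */`, would stop the next reader from "fixing" the omission back. One further thing to be aware of: if `Curl_inet_pton` follows inet_pton and can return -1 for an unsupported family, that value compares unequal to 0 and is treated the same as "not an address", which is harmless for AF_INET but makes the `0 ==` comparison a little less obvious than `1 != ...` would be. The function's opening lines are in the earlier hunk and its SSL_new call is outside both hunks.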