1 /***************************************************************************
2  *                                  _   _ ____  _
3  *  Project                     ___| | | |  _ \| |
4  *                             / __| | | | |_) | |
5  *                            | (__| |_| |  _ <| |___
6  *                             \___|\___/|_| \_\_____|
7  *
8  * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
9  *
10  * This software is licensed as described in the file COPYING, which
11  * you should have received as part of this distribution. The terms
12  * are also available at https://curl.se/docs/copyright.html.
13  *
14  * You may opt to use, copy, modify, merge, publish, distribute and/or sell
15  * copies of the Software, and permit persons to whom the Software is
16  * furnished to do so, under the terms of the COPYING file.
17  *
18  * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
19  * KIND, either express or implied.
20  *
21  * SPDX-License-Identifier: curl
22  *
23  ***************************************************************************/
24 #include "curlcheck.h"
25 
26 #include "urldata.h"
27 #include "hsts.h"
28 
29 static CURLcode
unit_setup(void)30 unit_setup(void)
31 {
32   return CURLE_OK;
33 }
34 
35 static void
unit_stop(void)36 unit_stop(void)
37 {
38   curl_global_cleanup();
39 }
40 
41 #if defined(CURL_DISABLE_HTTP) || defined(CURL_DISABLE_HSTS)
42 UNITTEST_START
43 {
44   puts("nothing to do when HTTP or HSTS are disabled");
45 }
46 UNITTEST_STOP
47 #else
48 
49 struct testit {
50   const char *host;
51   const char *chost; /* if non-NULL, use to lookup with */
52   const char *hdr; /* if NULL, just do the lookup */
53   const CURLcode result; /* parse result */
54 };
55 
56 static const struct testit headers[] = {
57   /* two entries read from disk cache, verify first */
58   { "-", "readfrom.example", NULL, CURLE_OK},
59   { "-", "old.example", NULL, CURLE_OK},
60   /* delete the remaining one read from disk */
61   { "readfrom.example", NULL, "max-age=\"0\"", CURLE_OK},
62 
63   { "example.com", NULL, "max-age=\"31536000\"\r\n", CURLE_OK },
64   { "example.com", NULL, "max-age=\"21536000\"\r\n", CURLE_OK },
65   { "example.com", NULL, "max-age=\"21536000\"; \r\n", CURLE_OK },
66   { "example.com", NULL, "max-age=\"21536000\"; includeSubDomains\r\n",
67     CURLE_OK },
68   { "example.org", NULL, "max-age=\"31536000\"\r\n", CURLE_OK },
69   { "this.example", NULL, "max=\"31536\";", CURLE_BAD_FUNCTION_ARGUMENT },
70   { "this.example", NULL, "max-age=\"31536", CURLE_BAD_FUNCTION_ARGUMENT },
71   { "this.example", NULL, "max-age=31536\"", CURLE_OK },
72   /* max-age=0 removes the entry */
73   { "this.example", NULL, "max-age=0", CURLE_OK },
74   { "another.example", NULL, "includeSubDomains; ",
75     CURLE_BAD_FUNCTION_ARGUMENT },
76 
77   /* Two max-age is illegal */
78   { "example.com", NULL,
79     "max-age=\"21536000\"; includeSubDomains; max-age=\"3\";",
80     CURLE_BAD_FUNCTION_ARGUMENT },
81   /* Two includeSubDomains is illegal */
82   { "2.example.com", NULL,
83     "max-age=\"21536000\"; includeSubDomains; includeSubDomains;",
84     CURLE_BAD_FUNCTION_ARGUMENT },
85   /* use a unknown directive "include" that should be ignored */
86   { "3.example.com", NULL, "max-age=\"21536000\"; include; includeSubDomains;",
87     CURLE_OK },
88   /* remove the "3.example.com" one, should still match the example.com */
89   { "3.example.com", NULL, "max-age=\"0\"; includeSubDomains;",
90     CURLE_OK },
91   { "-", "foo.example.com", NULL, CURLE_OK},
92   { "-", "foo.xample.com", NULL, CURLE_OK},
93 
94   /* should not match */
95   { "example.net", "forexample.net", "max-age=\"31536000\"\r\n", CURLE_OK },
96 
97   /* should not match either, since forexample.net is not in the example.net
98      domain */
99   { "example.net", "forexample.net",
100     "max-age=\"31536000\"; includeSubDomains\r\n", CURLE_OK },
101   /* remove example.net again */
102   { "example.net", NULL, "max-age=\"0\"; includeSubDomains\r\n", CURLE_OK },
103 
104   /* make this live for 7 seconds */
105   { "expire.example", NULL, "max-age=\"7\"\r\n", CURLE_OK },
106   { NULL, NULL, NULL, CURLE_OK }
107 };
108 
109 static void showsts(struct stsentry *e, const char *chost)
110 {
111   if(!e)
112     printf("'%s' is not HSTS\n", chost);
113   else {
114     printf("%s [%s]: %" CURL_FORMAT_CURL_OFF_T "%s\n",
115            chost, e->host, e->expires,
116            e->includeSubDomains ? " includeSubDomains" : "");
117   }
118 }
119 
120 UNITTEST_START
121 {
122   CURLcode result;
123   struct stsentry *e;
124   struct hsts *h = Curl_hsts_init();
125   int i;
126   const char *chost;
127   CURL *easy;
128   char savename[256];
129 
130   abort_unless(h, "Curl_hsts_init()");
131 
132   curl_global_init(CURL_GLOBAL_ALL);
133   easy = curl_easy_init();
134   if(!easy) {
135     Curl_hsts_cleanup(&h);
136     curl_global_cleanup();
137     abort_unless(easy, "curl_easy_init()");
138   }
139 
140   Curl_hsts_loadfile(easy, h, arg);
141 
142   for(i = 0; headers[i].host ; i++) {
143     if(headers[i].hdr) {
144       result = Curl_hsts_parse(h, headers[i].host, headers[i].hdr);
145 
146       if(result != headers[i].result) {
147         fprintf(stderr, "Curl_hsts_parse(%s) failed: %d\n",
148                 headers[i].hdr, result);
149         unitfail++;
150         continue;
151       }
152       else if(result) {
153         printf("Input %u: error %d\n", i, (int) result);
154         continue;
155       }
156     }
157 
158     chost = headers[i].chost ? headers[i].chost : headers[i].host;
159     e = Curl_hsts(h, chost, strlen(chost), TRUE);
160     showsts(e, chost);
161   }
162 
163   printf("Number of entries: %zu\n", Curl_llist_count(&h->list));
164 
165   /* verify that it is exists for 7 seconds */
166   chost = "expire.example";
167   for(i = 100; i < 110; i++) {
168     e = Curl_hsts(h, chost, strlen(chost), TRUE);
169     showsts(e, chost);
170     deltatime++; /* another second passed */
171   }
172 
173   msnprintf(savename, sizeof(savename), "%s.save", arg);
174   (void)Curl_hsts_save(easy, h, savename);
175   Curl_hsts_cleanup(&h);
176   curl_easy_cleanup(easy);
177   curl_global_cleanup();
178 }
179 UNITTEST_STOP
180 #endif
181