hsts: add support for Strict-Transport-Security

- enable in the build (configure)
- header parsing
- host name lookup
- unit tests for the above
- CI build
- CURL_VERSION_HSTS bit
- curl_version_info support
- curl -V output
- curl-config --features
- CURLOPT_HSTS_CTRL
- man page for CURLOPT_HSTS_CTRL
- curl --hsts (sets CURLOPT_HSTS_CTRL and works with --libcurl)
- man page for --hsts
- save cache to disk
- load cache from disk
- CURLOPT_HSTS
- man page for CURLOPT_HSTS
- added docs/HSTS.md
- fixed --version docs
- adjusted curl_easy_duphandle

Closes #5896

1 files changed, 172 insertions, 0 deletions

diff --git a/tests/unit/unit1660.c b/tests/unit/unit1660.c
new file mode 100644
index 000000000..1687cafa1
--- /dev/null
+++ b/tests/unit/unit1660.c
@@ -0,0 +1,172 @@
+/***************************************************************************
+ *                                  _   _ ____  _
+ *  Project                     ___| | | |  _ \| |
+ *                             / __| | | | |_) | |
+ *                            | (__| |_| |  _ <| |___
+ *                             \___|\___/|_| \_\_____|
+ *
+ * Copyright (C) 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+ * are also available at https://curl.haxx.se/docs/copyright.html.
+ *
+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
+ * copies of the Software, and permit persons to whom the Software is
+ * furnished to do so, under the terms of the COPYING file.
+ *
+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+ * KIND, either express or implied.
+ *
+ ***************************************************************************/
+#include "curlcheck.h"
+
+#include "urldata.h"
+#include "hsts.h"
+
+static CURLcode
+unit_setup(void)
+{
+  return CURLE_OK;
+}
+
+static void
+unit_stop(void)
+{
+  curl_global_cleanup();
+}
+
+#if defined(CURL_DISABLE_HTTP) || !defined(USE_HSTS)
+UNITTEST_START
+{
+  return 0; /* nothing to do when HTTP or HSTS are disabled */
+}
+UNITTEST_STOP
+#else
+
+struct testit {
+  const char *host;
+  const char *chost; /* if non-NULL, use to lookup with */
+  const char *hdr; /* if NULL, just do the lookup */
+  const CURLcode result; /* parse result */
+};
+
+static const struct testit headers[] = {
+  /* two entries read from disk cache, verify first */
+  { "-", "readfrom.example", NULL, CURLE_OK},
+  { "-", "old.example", NULL, CURLE_OK},
+  /* delete the remaining one read from disk */
+  { "readfrom.example", NULL, "max-age=\"0\"", CURLE_OK},
+
+  { "example.com", NULL, "max-age=\"31536000\"\r\n", CURLE_OK },
+  { "example.com", NULL, "max-age=\"21536000\"\r\n", CURLE_OK },
+  { "example.com", NULL, "max-age=\"21536000\"; \r\n", CURLE_OK },
+  { "example.com", NULL, "max-age=\"21536000\"; includeSubDomains\r\n",
+    CURLE_OK },
+  { "example.org", NULL, "max-age=\"31536000\"\r\n", CURLE_OK },
+  { "this.example", NULL, "max=\"31536\";", CURLE_BAD_FUNCTION_ARGUMENT },
+  { "this.example", NULL, "max-age=\"31536", CURLE_BAD_FUNCTION_ARGUMENT },
+  { "this.example", NULL, "max-age=31536\"", CURLE_OK },
+  /* max-age=0 removes the entry */
+  { "this.example", NULL, "max-age=0", CURLE_OK },
+  { "another.example", NULL, "includeSubDomains; ",
+    CURLE_BAD_FUNCTION_ARGUMENT },
+
+  /* Two max-age is illegal */
+  { "example.com", NULL,
+    "max-age=\"21536000\"; includeSubDomains; max-age=\"3\";",
+    CURLE_BAD_FUNCTION_ARGUMENT },
+  /* Two includeSubDomains is illegal */
+  { "2.example.com", NULL,
+    "max-age=\"21536000\"; includeSubDomains; includeSubDomains;",
+    CURLE_BAD_FUNCTION_ARGUMENT },
+  /* use a unknown directive "include" that should be ignored */
+  { "3.example.com", NULL, "max-age=\"21536000\"; include; includeSubDomains;",
+    CURLE_OK },
+  /* remove the "3.example.com" one, should still match the example.com */
+  { "3.example.com", NULL, "max-age=\"0\"; includeSubDomains;",
+    CURLE_OK },
+  { "-", "foo.example.com", NULL, CURLE_OK},
+  { "-", "foo.xample.com", NULL, CURLE_OK},
+
+  /* should not match */
+  { "example.net", "forexample.net", "max-age=\"31536000\"\r\n", CURLE_OK },
+
+  /* should not match either, since forexample.net is not in the example.net
+     domain */
+  { "example.net", "forexample.net",
+    "max-age=\"31536000\"; includeSubDomains\r\n", CURLE_OK },
+  /* remove example.net again */
+  { "example.net", NULL, "max-age=\"0\"; includeSubDomains\r\n", CURLE_OK },
+
+  /* make this live for 7 seconds */
+  { "expire.example", NULL, "max-age=\"7\"\r\n", CURLE_OK },
+  { NULL, NULL, NULL, 0 }
+};
+
+static void showsts(struct stsentry *e, const char *chost)
+{
+  if(!e)
+    printf("'%s' is not HSTS\n", chost);
+  else {
+    printf("%s [%s]: %" CURL_FORMAT_CURL_OFF_T "%s\n",
+           chost, e->host, e->expires,
+           e->includeSubDomains ? " includeSubDomains" : "");
+  }
+}
+
+UNITTEST_START
+{
+  CURLcode result;
+  struct stsentry *e;
+  struct hsts *h = Curl_hsts_init();
+  int i;
+  const char *chost;
+  CURL *easy;
+  if(!h)
+    return 1;
+
+  Curl_hsts_load(h, "log/input1660");
+
+  for(i = 0; headers[i].host ; i++) {
+    if(headers[i].hdr) {
+      result = Curl_hsts_parse(h, headers[i].host, headers[i].hdr);
+
+      if(result != headers[i].result) {
+        fprintf(stderr, "Curl_hsts_parse(%s) failed: %d\n",
+                headers[i].hdr, result);
+        unitfail++;
+        continue;
+      }
+      else if(result) {
+        printf("Input %u: error %d\n", i, (int) result);
+        continue;
+      }
+    }
+
+    chost = headers[i].chost ? headers[i].chost : headers[i].host;
+    e = Curl_hsts(h, chost, TRUE);
+    showsts(e, chost);
+  }
+
+  printf("Number of entries: %d\n", h->list.size);
+
+  /* verify that it is exists for 7 seconds */
+  chost = "expire.example";
+  for(i = 100; i < 110; i++) {
+    e = Curl_hsts(h, chost, TRUE);
+    showsts(e, chost);
+    deltatime++; /* another second passed */
+  }
+
+  easy = curl_easy_init();
+  if(easy) {
+    (void)Curl_hsts_save(easy, h, "log/hsts1660");
+    curl_easy_cleanup(easy);
+  }
+
+  Curl_hsts_cleanup(&h);
+  return unitfail;
+}
+UNITTEST_STOP
+#endif