From 7385610d0c74c6a254fea5e4cd6e1d559d848c8c Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Mon, 2 Nov 2020 23:17:01 +0100
Subject: hsts: add support for Strict-Transport-Security

- enable in the build (configure)
- header parsing
- host name lookup
- unit tests for the above
- CI build
- CURL_VERSION_HSTS bit
- curl_version_info support
- curl -V output
- curl-config --features
- CURLOPT_HSTS_CTRL
- man page for CURLOPT_HSTS_CTRL
- curl --hsts (sets CURLOPT_HSTS_CTRL and works with --libcurl)
- man page for --hsts
- save cache to disk
- load cache from disk
- CURLOPT_HSTS
- man page for CURLOPT_HSTS
- added docs/HSTS.md
- fixed --version docs
- adjusted curl_easy_duphandle

Closes #5896
---
 lib/http.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
(limited to 'lib/http.c')

diff --git a/lib/http.c b/lib/http.c
index 3a0a32df4..4db1c9589 100644
--- a/lib/http.c
+++ b/lib/http.c
@@ -77,6 +77,7 @@
 #include "connect.h"
 #include "strdup.h"
 #include "altsvc.h"
+#include "hsts.h"
 
 /* The last 3 #include files should be in this order */
 #include "curl_printf.h"
@@ -3990,6 +3991,23 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data,
 }
 }
 }
+
+#ifdef USE_HSTS
+ /* If enabled, the header is incoming and this is over HTTPS */
+ else if(data->hsts && checkprefix("Strict-Transport-Security:", headp) &&
+ (conn->handler->flags & PROTOPT_SSL)) {
+ CURLcode check =
+ Curl_hsts_parse(data->hsts, data->state.up.hostname,
+ &headp[ sizeof("Strict-Transport-Security:") -1 ]);
+ if(check)
+ infof(data, "Illegal STS header skipped\n");
+#ifdef DEBUGBUILD
+ else
+ infof(data, "Parsed STS header fine (%d entries)\n",
+ data->hsts->list.size);
+#endif
+ }
+#endif
 #ifndef CURL_DISABLE_ALTSVC
 /* If enabled, the header is incoming and this is over HTTPS */
 else if(data->asi && checkprefix("Alt-Svc:", headp) &&
-- 
cgit v1.2.1
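Review bot: The debug trace `infof(data, "Parsed STS header fine (%d entries)\n", data->hsts->list.size);` prints `list.size` with `%d`; if that field is the `size_t` that curl's llist uses, the specifier does not match the argument and should be `%zu` (only reachable under DEBUGBUILD, but `-Wformat` would flag it). The guard `(conn->handler->flags & PROTOPT_SSL)` correctly limits the header to TLS connections as RFC 6797 requires, but nothing visible here ties it to a verified peer, so a transfer that disabled certificate verification would still let an unauthenticated server update the HSTS cache; consider gating on verification state or recording the decision in the comment above the branch, e.g. `/* STS is honoured over any TLS connection, including unverified ones */`. The enclosing function Curl_http_readwrite_headers starts and ends outside the hunk.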