From: Michael R Sweet Date: Tue, 19 Feb 2019 20:04:49 +0000 (-0500) Subject: Add subject alternate names for self-signed certificates (Issue #5525) X-Git-Tag: v2.2.11~14 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f7d8c89ecc5b3a99614ed210e6f801ee259fffef;p=thirdparty%2Fcups.git Add subject alternate names for self-signed certificates (Issue #5525) --- diff --git a/CHANGES.md b/CHANGES.md index 26f13b944d..5b5fbbcd40 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -22,6 +22,8 @@ Changes in CUPS v2.2.11 UTF-8 strings (Issue #5509) - Non-Kerberized printing to Windows via IPP was broken (Issue #5515) - Added a USB quirks rule for Xerox printers (Issue #5523) +- The scheduler's self-signed certificate did not include all of the alternate + names for the server when using GNU TLS (Issue #5525) - Fixed a potential crash bug in cups-driverd (rdar://46625579) - Fixed a performance regression with large PPDs (rdar://47040759) diff --git a/cups/tls-gnutls.c b/cups/tls-gnutls.c index ae4e4d24f6..4a626e7430 100644 --- a/cups/tls-gnutls.c +++ b/cups/tls-gnutls.c 
@@ -173,8 +173,31 @@ cupsMakeServerCredentials(
 gnutls_x509_crt_set_activation_time(crt, curtime);
 gnutls_x509_crt_set_expiration_time(crt, curtime + 10 * 365 * 86400);
 gnutls_x509_crt_set_ca_status(crt, 0);
+ gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_DNSNAME, common_name, (unsigned)strlen(common_name), GNUTLS_FSAN_SET);
+ if (!strchr(common_name, '.'))
+ {
+ /*
+ * Add common_name.local to the list, too...
+ */
+
+ char localname[256]; /* hostname.local */
+
+ snprintf(localname, sizeof(localname), "%s.local", common_name);
+ gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_DNSNAME, localname, (unsigned)strlen(localname), GNUTLS_FSAN_APPEND);
+ }
+ gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_DNSNAME, "localhost", 9, GNUTLS_FSAN_APPEND);
 if (num_alt_names > 0)
- gnutls_x509_crt_set_subject_alternative_name(crt, GNUTLS_SAN_DNSNAME, alt_names[0]);
+ {
+ int i; /* Looping var */
+
+ for (i = 0; i < num_alt_names; i ++)
+ {
+ if (strcmp(alt_names[i], "localhost"))
+ {
+ gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_DNSNAME, alt_names[i], (unsigned)strlen(alt_names[i]), GNUTLS_FSAN_APPEND);
+ }
+ }
+ }
 gnutls_x509_crt_set_key_purpose_oid(crt, GNUTLS_KP_TLS_WWW_SERVER, 0);
 gnutls_x509_crt_set_key_usage(crt, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT);
 gnutls_x509_crt_set_version(crt, 3);
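Review bot: The return values of every new gnutls_x509_crt_set_subject_alt_name() call are discarded, so a failing append (most plausibly inside the loop over alt_names) silently yields a certificate that lacks the name, which is the same symptom this commit sets out to fix; the surrounding context lines follow the same unchecked style, so this may be a deliberate convention, but checking the loop's result and at least logging a non-zero return would make such a failure visible. The `snprintf` into `localname[256]` also truncates silently once common_name exceeds 249 bytes, in which case a mangled name would be added as a SAN; guarding with `if (snprintf(localname, sizeof(localname), "%s.local", common_name) < (int)sizeof(localname))` before the append avoids that. The de-duplication against "localhost" is case-sensitive (`strcmp`) and does not cover an alt_names entry equal to common_name or localname, so duplicate SAN entries are possible — harmless to most verifiers, but worth a one-line comment stating that duplicates are tolerated. cupsMakeServerCredentials() begins and ends outside the hunk.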