From 11991352d94cc31d42bb5e782ad0823f35c82943 Mon Sep 17 00:00:00 2001
From: Michael R Sweet
Date: Wed, 26 Feb 2025 14:40:38 -0500
Subject: [PATCH] Use TLS common name by default, fallback to resolved name.

---
 cups/tls-gnutls.c | 60 ++++++++++++++++++++++------------------
 cups/tls-openssl.c | 68 +++++++++++++++++++++++++---------------------
 2 files changed, 70 insertions(+), 58 deletions(-)

diff --git a/cups/tls-gnutls.c b/cups/tls-gnutls.c
index 2652add3de..753327ffac 100644
--- a/cups/tls-gnutls.c
+++ b/cups/tls-gnutls.c
@@ -1684,48 +1684,54 @@ _httpTLSStart(http_t *http) // I - Connection to server // Server: get certificate and private key... char crtfile[1024], // Certificate file keyfile[1024]; // Private key file - const char *cn, // Common name to lookup + const char *cn = NULL, // Common name to lookup *cnptr; // Pointer into common name bool have_creds = false; // Have credentials? - if (http->fields[HTTP_FIELD_HOST]) + if (!tls_common_name) { - // Use hostname for TLS upgrade... - cupsCopyString(hostname, http->fields[HTTP_FIELD_HOST], sizeof(hostname)); - } - else - { - // Resolve hostname from connection address... - http_addr_t addr; // Connection address - socklen_t addrlen; // Length of address - - addrlen = sizeof(addr); - if (getsockname(http->fd, (struct sockaddr *)&addr, &addrlen)) - { - DEBUG_printf("4_httpTLSStart: Unable to get socket address: %s", strerror(errno)); - hostname[0] = '\0'; - } - else if (httpAddrIsLocalhost(&addr)) + if (http->fields[HTTP_FIELD_HOST]) { - hostname[0] = '\0'; + // Use hostname for TLS upgrade... + cupsCopyString(hostname, http->fields[HTTP_FIELD_HOST], sizeof(hostname)); } else { - httpAddrLookup(&addr, hostname, sizeof(hostname)); - DEBUG_printf("4_httpTLSStart: Resolved socket address to \"%s\".", hostname); + // Resolve hostname from connection address... 
+ http_addr_t addr; // Connection address + socklen_t addrlen; // Length of address + + addrlen = sizeof(addr); + if (getsockname(http->fd, (struct sockaddr *)&addr, &addrlen)) + { + DEBUG_printf("4_httpTLSStart: Unable to get socket address: %s", strerror(errno)); + hostname[0] = '\0'; + } + else if (httpAddrIsLocalhost(&addr)) + { + hostname[0] = '\0'; + } + else + { + httpAddrLookup(&addr, hostname, sizeof(hostname)); + DEBUG_printf("4_httpTLSStart: Resolved socket address to \"%s\".", hostname); + } } - } - if (isdigit(hostname[0] & 255) || hostname[0] == '[') - hostname[0] = '\0'; // Don't allow numeric addresses + if (isdigit(hostname[0] & 255) || hostname[0] == '[') + hostname[0] = '\0'; // Don't allow numeric addresses + + if (hostname[0]) + cn = hostname; + } cupsMutexLock(&tls_mutex); - if (hostname[0]) - cn = hostname; - else + if (!cn) cn = tls_common_name; + DEBUG_printf("4_httpTLSStart: Using common name \"%s\"...", cn); + if (cn) { // First look in the CUPS keystore... diff --git a/cups/tls-openssl.c b/cups/tls-openssl.c index 8a5c5a4cc3..ba2bac37b7 100644 --- a/cups/tls-openssl.c +++ b/cups/tls-openssl.c @@ -3,7 +3,7 @@ // // Note: This file is included from tls.c // -// Copyright © 2020-2024 by OpenPrinting +// Copyright © 2020-2025 by OpenPrinting // Copyright © 2007-2019 by Apple Inc. // Copyright © 1997-2007 by Easy Software Products, all rights reserved. // 
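Review bot: The added `DEBUG_printf("4_httpTLSStart: Using common name \"%s\"...", cn);` runs before the `if (cn)` guard, so `cn` is still NULL on that line whenever tls_common_name is unset and neither the Host header nor the resolved socket address produced a usable name; passing NULL for `%s` is undefined behavior (glibc prints "(null)", other C libraries may crash), so write `DEBUG_printf("4_httpTLSStart: Using common name \"%s\"...", cn ? cn : "(none)");` or move the line inside the `if (cn)` block. The identical hunk in cups/tls-openssl.c has the same issue. Separately, `if (!tls_common_name)` now reads the shared global before `cupsMutexLock(&tls_mutex)` while the later `cn = tls_common_name` read stays under the lock; if the setter updates it under tls_mutex (not visible here) the early read is racy and a name set concurrently can lose to the resolved hostname, so either snapshot the global once under the lock or, if the unlocked read is deliberate (e.g. to keep address resolution out of the critical section), say so in a one-line comment. Note also that when tls_common_name is unset, `cn` is still the client-supplied Host header with only numeric forms rejected, so the keystore lookup that follows (outside the hunk, presumably filling crtfile/keyfile) must keep validating it. The body of _httpTLSStart continues outside the hunk on both sides.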
@@ -1651,54 +1651,60 @@ _httpTLSStart(http_t *http) // I - Connection to server // Negotiate a TLS connection as a server char crtfile[1024], // Certificate file keyfile[1024]; // Private key file - const char *cn, // Common name to lookup + const char *cn = NULL, // Common name to lookup *cnptr; // Pointer into common name bool have_creds = false; // Have credentials? context = SSL_CTX_new(TLS_server_method()); // Find the TLS certificate... - if (http->fields[HTTP_FIELD_HOST]) + if (!tls_common_name) { - // Use hostname for TLS upgrade... - cupsCopyString(hostname, http->fields[HTTP_FIELD_HOST], sizeof(hostname)); - } - else - { - // Resolve hostname from connection address... - http_addr_t addr; // Connection address - socklen_t addrlen; // Length of address - - addrlen = sizeof(addr); - if (getsockname(http->fd, (struct sockaddr *)&addr, &addrlen)) - { - // Unable to get local socket address so use default... - DEBUG_printf("4_httpTLSStart: Unable to get socket address: %s", strerror(errno)); - hostname[0] = '\0'; - } - else if (httpAddrIsLocalhost(&addr)) + if (http->fields[HTTP_FIELD_HOST]) { - // Local access top use default... - hostname[0] = '\0'; + // Use hostname for TLS upgrade... + cupsCopyString(hostname, http->fields[HTTP_FIELD_HOST], sizeof(hostname)); } else { - // Lookup the socket address... - httpAddrLookup(&addr, hostname, sizeof(hostname)); - DEBUG_printf("4_httpTLSStart: Resolved socket address to \"%s\".", hostname); + // Resolve hostname from connection address... + http_addr_t addr; // Connection address + socklen_t addrlen; // Length of address + + addrlen = sizeof(addr); + if (getsockname(http->fd, (struct sockaddr *)&addr, &addrlen)) + { + // Unable to get local socket address so use default... + DEBUG_printf("4_httpTLSStart: Unable to get socket address: %s", strerror(errno)); + hostname[0] = '\0'; + } + else if (httpAddrIsLocalhost(&addr)) + { + // Local access top use default... 
+ hostname[0] = '\0'; + } + else + { + // Lookup the socket address... + httpAddrLookup(&addr, hostname, sizeof(hostname)); + DEBUG_printf("4_httpTLSStart: Resolved socket address to \"%s\".", hostname); + } } - } - if (isdigit(hostname[0] & 255) || hostname[0] == '[') - hostname[0] = '\0'; // Don't allow numeric addresses + if (isdigit(hostname[0] & 255) || hostname[0] == '[') + hostname[0] = '\0'; // Don't allow numeric addresses + + if (hostname[0]) + cn = hostname; + } cupsMutexLock(&tls_mutex); - if (hostname[0]) - cn = hostname; - else + if (!cn) cn = tls_common_name; + DEBUG_printf("4_httpTLSStart: Using common name \"%s\"...", cn); + if (cn) { // First look in the CUPS keystore... -- 2.47.2