Use TLS common name by default, fall back to resolved name.
michaelrsweet committed Feb 26, 2025
1 parent c285d99 commit 3bd8537
Showing 2 changed files with 72 additions and 60 deletions.
62 changes: 34 additions & 28 deletions cups/tls-gnutls.c
Expand Up @@ -3,7 +3,7 @@
//
// Note: This file is included from tls.c
//
// Copyright © 2020-2024 by OpenPrinting
// Copyright © 2020-2025 by OpenPrinting
// Copyright © 2007-2019 by Apple Inc.
// Copyright © 1997-2007 by Easy Software Products, all rights reserved.
//
Expand Down Expand Up @@ -1682,48 +1682,54 @@ _httpTLSStart(http_t *http) // I - Connection to server
// Server: get certificate and private key...
char crtfile[1024], // Certificate file
keyfile[1024]; // Private key file
const char *cn, // Common name to lookup
const char *cn = NULL, // Common name to lookup
*cnptr; // Pointer into common name
bool have_creds = false; // Have credentials?

if (http->fields[HTTP_FIELD_HOST])
if (!tls_common_name)
{
// Use hostname for TLS upgrade...
cupsCopyString(hostname, http->fields[HTTP_FIELD_HOST], sizeof(hostname));
}
else
{
// Resolve hostname from connection address...
http_addr_t addr; // Connection address
socklen_t addrlen; // Length of address

addrlen = sizeof(addr);
if (getsockname(http->fd, (struct sockaddr *)&addr, &addrlen))
{
DEBUG_printf("4_httpTLSStart: Unable to get socket address: %s", strerror(errno));
hostname[0] = '\0';
}
else if (httpAddrIsLocalhost(&addr))
if (http->fields[HTTP_FIELD_HOST])
{
hostname[0] = '\0';
// Use hostname for TLS upgrade...
cupsCopyString(hostname, http->fields[HTTP_FIELD_HOST], sizeof(hostname));
}
else
{
httpAddrLookup(&addr, hostname, sizeof(hostname));
DEBUG_printf("4_httpTLSStart: Resolved socket address to \"%s\".", hostname);
// Resolve hostname from connection address...
http_addr_t addr; // Connection address
socklen_t addrlen; // Length of address

addrlen = sizeof(addr);
if (getsockname(http->fd, (struct sockaddr *)&addr, &addrlen))
{
DEBUG_printf("4_httpTLSStart: Unable to get socket address: %s", strerror(errno));
hostname[0] = '\0';
}
else if (httpAddrIsLocalhost(&addr))
{
hostname[0] = '\0';
}
else
{
httpAddrLookup(&addr, hostname, sizeof(hostname));
DEBUG_printf("4_httpTLSStart: Resolved socket address to \"%s\".", hostname);
}
}
}

if (isdigit(hostname[0] & 255) || hostname[0] == '[')
hostname[0] = '\0'; // Don't allow numeric addresses
if (isdigit(hostname[0] & 255) || hostname[0] == '[')
hostname[0] = '\0'; // Don't allow numeric addresses

if (hostname[0])
cn = hostname;
}

cupsMutexLock(&tls_mutex);

if (hostname[0])
cn = hostname;
else
if (!cn)
cn = tls_common_name;

DEBUG_printf("4_httpTLSStart: Using common name \"%s\"...", cn);

if (cn)
{
// First look in the CUPS keystore...
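Review bot: `tls_common_name` is now read without the lock at the new `if (!tls_common_name)` test, while the later `cn = tls_common_name` assignment still happens under `tls_mutex` (the removed code only read it under the lock); if another thread can change the common name, the two reads may disagree and the hostname branch can run or be skipped inconsistently. Consider taking one snapshot under the lock before the branch, `cupsMutexLock(&tls_mutex); cn = tls_common_name; cupsMutexUnlock(&tls_mutex);`, and testing `cn` instead, or hoisting the existing `cupsMutexLock(&tls_mutex);` above the branch if holding it across `getsockname`/`httpAddrLookup` is acceptable. Also, when `tls_common_name` is set, `hostname` is no longer written anywhere in this hunk and keeps whatever it held before; if it is read later in the function, clear it explicitly with `hostname[0] = '\0';` ahead of the branch so the value is defined on both paths. `_httpTLSStart` starts and ends outside this hunk, and the same two points apply to the matching hunk in cups/tls-openssl.c.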
70 changes: 38 additions & 32 deletions cups/tls-openssl.c
Expand Up @@ -3,7 +3,7 @@
//
// Note: This file is included from tls.c
//
// Copyright © 2020-2024 by OpenPrinting
// Copyright © 2020-2025 by OpenPrinting
// Copyright © 2007-2019 by Apple Inc.
// Copyright © 1997-2007 by Easy Software Products, all rights reserved.
//
Expand Down Expand Up @@ -1734,54 +1734,60 @@ _httpTLSStart(http_t *http) // I - Connection to server
// Negotiate a TLS connection as a server
char crtfile[1024], // Certificate file
keyfile[1024]; // Private key file
const char *cn, // Common name to lookup
const char *cn = NULL, // Common name to lookup
*cnptr; // Pointer into common name
bool have_creds = false; // Have credentials?

context = SSL_CTX_new(TLS_server_method());

// Find the TLS certificate...
if (http->fields[HTTP_FIELD_HOST])
if (!tls_common_name)
{
// Use hostname for TLS upgrade...
cupsCopyString(hostname, http->fields[HTTP_FIELD_HOST], sizeof(hostname));
}
else
{
// Resolve hostname from connection address...
http_addr_t addr; // Connection address
socklen_t addrlen; // Length of address

addrlen = sizeof(addr);
if (getsockname(http->fd, (struct sockaddr *)&addr, &addrlen))
{
// Unable to get local socket address so use default...
DEBUG_printf("4_httpTLSStart: Unable to get socket address: %s", strerror(errno));
hostname[0] = '\0';
}
else if (httpAddrIsLocalhost(&addr))
// Find the TLS certificate...
if (http->fields[HTTP_FIELD_HOST])
{
// Local access top use default...
hostname[0] = '\0';
// Use hostname for TLS upgrade...
cupsCopyString(hostname, http->fields[HTTP_FIELD_HOST], sizeof(hostname));
}
else
{
// Lookup the socket address...
httpAddrLookup(&addr, hostname, sizeof(hostname));
DEBUG_printf("4_httpTLSStart: Resolved socket address to \"%s\".", hostname);
// Resolve hostname from connection address...
http_addr_t addr; // Connection address
socklen_t addrlen; // Length of address

addrlen = sizeof(addr);
if (getsockname(http->fd, (struct sockaddr *)&addr, &addrlen))
{
// Unable to get local socket address so use default...
DEBUG_printf("4_httpTLSStart: Unable to get socket address: %s", strerror(errno));
hostname[0] = '\0';
}
else if (httpAddrIsLocalhost(&addr))
{
// Local access top use default...
hostname[0] = '\0';
}
else
{
// Lookup the socket address...
httpAddrLookup(&addr, hostname, sizeof(hostname));
DEBUG_printf("4_httpTLSStart: Resolved socket address to \"%s\".", hostname);
}
}
}

if (isdigit(hostname[0] & 255) || hostname[0] == '[')
hostname[0] = '\0'; // Don't allow numeric addresses
if (isdigit(hostname[0] & 255) || hostname[0] == '[')
hostname[0] = '\0'; // Don't allow numeric addresses

if (hostname[0])
cn = hostname;
}

cupsMutexLock(&tls_mutex);

if (hostname[0])
cn = hostname;
else
if (!cn)
cn = tls_common_name;

DEBUG_printf("4_httpTLSStart: Using common name \"%s\"...", cn);

if (cn)
{
// First look in the CUPS keystore...
