From 3bd8537f1e21d8717758121cd1b3232be4ddbdb1 Mon Sep 17 00:00:00 2001
From: Michael R Sweet
Date: Wed, 26 Feb 2025 14:36:38 -0500
Subject: [PATCH] Use TLS common name by default, fallback to resolved name.
---
 cups/tls-gnutls.c | 62 +++++++++++++++++++++-------------------
 cups/tls-openssl.c | 70 +++++++++++++++++++++++++---------------------
 2 files changed, 72 insertions(+), 60 deletions(-)
diff --git a/cups/tls-gnutls.c b/cups/tls-gnutls.c
index a1929a3be..4cd6f8ac0 100644
--- a/cups/tls-gnutls.c
+++ b/cups/tls-gnutls.c
@@ -3,7 +3,7 @@
 //
 // Note: This file is included from tls.c
 //
-// Copyright © 2020-2024 by OpenPrinting
+// Copyright © 2020-2025 by OpenPrinting
 // Copyright © 2007-2019 by Apple Inc.
 // Copyright © 1997-2007 by Easy Software Products, all rights reserved.
 //
@@ -1682,48 +1682,54 @@ _httpTLSStart(http_t *http) // I - Connection to server // Server: get certificate and private key... char crtfile[1024], // Certificate file keyfile[1024]; // Private key file - const char *cn, // Common name to lookup + const char *cn = NULL, // Common name to lookup *cnptr; // Pointer into common name bool have_creds = false; // Have credentials? - if (http->fields[HTTP_FIELD_HOST]) + if (!tls_common_name) { - // Use hostname for TLS upgrade... - cupsCopyString(hostname, http->fields[HTTP_FIELD_HOST], sizeof(hostname)); - } - else - { - // Resolve hostname from connection address... - http_addr_t addr; // Connection address - socklen_t addrlen; // Length of address - - addrlen = sizeof(addr); - if (getsockname(http->fd, (struct sockaddr *)&addr, &addrlen)) - { - DEBUG_printf("4_httpTLSStart: Unable to get socket address: %s", strerror(errno)); - hostname[0] = '\0'; - } - else if (httpAddrIsLocalhost(&addr)) + if (http->fields[HTTP_FIELD_HOST]) { - hostname[0] = '\0'; + // Use hostname for TLS upgrade... + cupsCopyString(hostname, http->fields[HTTP_FIELD_HOST], sizeof(hostname)); } else { - httpAddrLookup(&addr, hostname, sizeof(hostname)); - DEBUG_printf("4_httpTLSStart: Resolved socket address to \"%s\".", hostname); + // Resolve hostname from connection address... 
+ http_addr_t addr; // Connection address + socklen_t addrlen; // Length of address + + addrlen = sizeof(addr); + if (getsockname(http->fd, (struct sockaddr *)&addr, &addrlen)) + { + DEBUG_printf("4_httpTLSStart: Unable to get socket address: %s", strerror(errno)); + hostname[0] = '\0'; + } + else if (httpAddrIsLocalhost(&addr)) + { + hostname[0] = '\0'; + } + else + { + httpAddrLookup(&addr, hostname, sizeof(hostname)); + DEBUG_printf("4_httpTLSStart: Resolved socket address to \"%s\".", hostname); + } } - } - if (isdigit(hostname[0] & 255) || hostname[0] == '[') - hostname[0] = '\0'; // Don't allow numeric addresses + if (isdigit(hostname[0] & 255) || hostname[0] == '[') + hostname[0] = '\0'; // Don't allow numeric addresses + + if (hostname[0]) + cn = hostname; + } cupsMutexLock(&tls_mutex); - if (hostname[0]) - cn = hostname; - else + if (!cn) cn = tls_common_name; + DEBUG_printf("4_httpTLSStart: Using common name \"%s\"...", cn); + if (cn) { // First look in the CUPS keystore... diff --git a/cups/tls-openssl.c b/cups/tls-openssl.c index 20661954a..0e7b0b1d5 100644 --- a/cups/tls-openssl.c +++ b/cups/tls-openssl.c @@ -3,7 +3,7 @@ // // Note: This file is included from tls.c // -// Copyright © 2020-2024 by OpenPrinting +// Copyright © 2020-2025 by OpenPrinting // Copyright © 2007-2019 by Apple Inc. // Copyright © 1997-2007 by Easy Software Products, all rights reserved. // 
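Review bot: `tls_common_name` is read unlocked in the new `if (!tls_common_name)` guard but re-read under `cupsMutexLock(&tls_mutex)` a few lines later, so if that mutex is what guards the global (as the locked read suggests) the early check is a racy read that can disagree with the later `cn = tls_common_name`; taking the lock before the guard, or snapshotting the pointer once under the lock before doing the hostname resolution, keeps one locking discipline. The new `DEBUG_printf("4_httpTLSStart: Using common name \"%s\"...", cn);` runs before the `if (cn)` test, so `cn` can be NULL there and passing NULL for `%s` is undefined behaviour; write `cn ? cn : "(none)"` instead. On the `tls_common_name` path `hostname` is now never written in this block; `_httpTLSStart` begins before and continues past the hunk, so if `hostname` is read later it should be cleared here, e.g. `hostname[0] = '\0';` before the guard. The corresponding hunk in cups/tls-openssl.c has the same three points.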
@@ -1734,54 +1734,60 @@ _httpTLSStart(http_t *http) // I - Connection to server // Negotiate a TLS connection as a server char crtfile[1024], // Certificate file keyfile[1024]; // Private key file - const char *cn, // Common name to lookup + const char *cn = NULL, // Common name to lookup *cnptr; // Pointer into common name bool have_creds = false; // Have credentials? context = SSL_CTX_new(TLS_server_method()); - // Find the TLS certificate... - if (http->fields[HTTP_FIELD_HOST]) + if (!tls_common_name) { - // Use hostname for TLS upgrade... - cupsCopyString(hostname, http->fields[HTTP_FIELD_HOST], sizeof(hostname)); - } - else - { - // Resolve hostname from connection address... - http_addr_t addr; // Connection address - socklen_t addrlen; // Length of address - - addrlen = sizeof(addr); - if (getsockname(http->fd, (struct sockaddr *)&addr, &addrlen)) - { - // Unable to get local socket address so use default... - DEBUG_printf("4_httpTLSStart: Unable to get socket address: %s", strerror(errno)); - hostname[0] = '\0'; - } - else if (httpAddrIsLocalhost(&addr)) + // Find the TLS certificate... + if (http->fields[HTTP_FIELD_HOST]) { - // Local access top use default... - hostname[0] = '\0'; + // Use hostname for TLS upgrade... + cupsCopyString(hostname, http->fields[HTTP_FIELD_HOST], sizeof(hostname)); } else { - // Lookup the socket address... - httpAddrLookup(&addr, hostname, sizeof(hostname)); - DEBUG_printf("4_httpTLSStart: Resolved socket address to \"%s\".", hostname); + // Resolve hostname from connection address... + http_addr_t addr; // Connection address + socklen_t addrlen; // Length of address + + addrlen = sizeof(addr); + if (getsockname(http->fd, (struct sockaddr *)&addr, &addrlen)) + { + // Unable to get local socket address so use default... + DEBUG_printf("4_httpTLSStart: Unable to get socket address: %s", strerror(errno)); + hostname[0] = '\0'; + } + else if (httpAddrIsLocalhost(&addr)) + { + // Local access top use default... 
+ hostname[0] = '\0'; + } + else + { + // Lookup the socket address... + httpAddrLookup(&addr, hostname, sizeof(hostname)); + DEBUG_printf("4_httpTLSStart: Resolved socket address to \"%s\".", hostname); + } } - } - if (isdigit(hostname[0] & 255) || hostname[0] == '[') - hostname[0] = '\0'; // Don't allow numeric addresses + if (isdigit(hostname[0] & 255) || hostname[0] == '[') + hostname[0] = '\0'; // Don't allow numeric addresses + + if (hostname[0]) + cn = hostname; + } cupsMutexLock(&tls_mutex); - if (hostname[0]) - cn = hostname; - else + if (!cn) cn = tls_common_name; + DEBUG_printf("4_httpTLSStart: Using common name \"%s\"...", cn); + if (cn) { // First look in the CUPS keystore...