Re-validate server cert on re-connect (Issue #90)

michaelrsweet · michaelrsweet · commit 2a5a0a228277 · 2024-10-12T12:03:06.000-04:00
diff --git a/CHANGES.md b/CHANGES.md
@@ -4,6 +4,8 @@ Changes in libcups
 libcups v3.0.0 (YYYY-MM-DD)
 ---------------------------
 
+- Updated `httpConnectAgain` to re-validate the server's X.509 certificate
+  (Issue #90)
 - Fixed a compressed file error handling bug (Issue #91)
 - Fixed the default User-Agent string sent in requests.
 - Fixed a recursion issue in `ippReadIO`.
diff --git a/cups/http.c b/cups/http.c
@@ -352,10 +352,11 @@ httpConnect(
 
 bool					// O - `true` on success, `false` on failure
 httpConnectAgain(http_t *http,		// I - HTTP connection
-	      int    msec,		// I - Timeout in milliseconds
-	      int    *cancel)		// I - Pointer to "cancel" variable
+	         int    msec,		// I - Timeout in milliseconds
+	         int    *cancel)	// I - Pointer to "cancel" variable
 {
   http_addrlist_t	*addr;		// Connected address
+  char			*orig_creds;	// Original peer credentials
 #ifdef DEBUG
   http_addrlist_t	*current;	// Current address
   char			temp[256];	// Temporary address string
@@ -371,6 +372,8 @@ httpConnectAgain(http_t *http,		// I - HTTP connection
     return (false);
   }
 
+  orig_creds = httpCopyPeerCredentials(http);
+
   if (http->tls)
   {
     DEBUG_puts("2httpConnectAgain: Shutting down SSL/TLS...");
@@ -415,6 +418,8 @@ httpConnectAgain(http_t *http,		// I - HTTP connection
 
     DEBUG_printf("1httpConnectAgain: httpAddrConnect failed: %s", strerror(http->error));
 
+    free(orig_creds);
+
     return (false);
   }
 
@@ -434,16 +439,42 @@ httpConnectAgain(http_t *http,		// I - HTTP connection
       httpAddrClose(NULL, http->fd);
       http->fd = -1;
 
+      free(orig_creds);
+
       return (false);
     }
   }
   else if (http->encryption == HTTP_ENCRYPTION_REQUIRED && !http->tls_upgrade)
   {
-    return (http_tls_upgrade(http));
+    if (!http_tls_upgrade(http))
+    {
+      free(orig_creds);
+
+      return (false);
+    }
   }
 
   DEBUG_printf("1httpConnectAgain: Connected to %s:%d...", httpAddrGetString(http->hostaddr, temp, sizeof(temp)), httpAddrGetPort(http->hostaddr));
 
+  if (orig_creds)
+  {
+    char *new_creds = httpCopyPeerCredentials(http);
+					// New peer credentials
+
+    if (!new_creds || (strcmp(orig_creds, new_creds) && cupsGetCredentialsTrust(/*path*/NULL, http->hostname, new_creds, /*require_ca*/true) != HTTP_TRUST_OK))
+    {
+      // New and old credentials don't match and the new cert doesn't validate...
+      _httpDisconnect(http);
+
+      free(orig_creds);
+      free(new_creds);
+
+      return (false);
+    }
+  }
+
+  free(orig_creds);
+
   return (true);
 }
 
