diff --git a/cups/http.c b/cups/http.c index 3bed7a79e..140dcff95 100644 --- a/cups/http.c +++ b/cups/http.c @@ -442,6 +442,7 @@ httpConnectAgain(http_t *http, // I - HTTP connection int *cancel) // I - Pointer to "cancel" variable { http_addrlist_t *addr; // Connected address + char *orig_creds; // Original peer credentials #ifdef DEBUG http_addrlist_t *current; // Current address char temp[256]; // Temporary address string @@ -456,6 +457,8 @@ httpConnectAgain(http_t *http, // I - HTTP connection return (false); } + orig_creds = httpCopyPeerCredentials(http); + if (http->tls) { DEBUG_puts("1httpConnectAgain: Shutting down TLS..."); @@ -502,6 +505,8 @@ httpConnectAgain(http_t *http, // I - HTTP connection DEBUG_printf("1httpConnectAgain: httpAddrConnect failed: %s", strerror(http->error)); + free(orig_creds); + return (false); } @@ -521,14 +526,42 @@ httpConnectAgain(http_t *http, // I - HTTP connection httpAddrClose(NULL, http->fd); http->fd = -1; + free(orig_creds); + return (false); } } else if (http->encryption == HTTP_ENCRYPTION_REQUIRED && !http->tls_upgrade) - return (http_tls_upgrade(http)); + { + if (!http_tls_upgrade(http)) + { + free(orig_creds); + + return (false); + } + } DEBUG_printf("1httpConnectAgain: Connected to %s:%d...", httpAddrGetString(http->hostaddr, temp, sizeof(temp)), httpAddrGetPort(http->hostaddr)); + if (orig_creds) + { + char *new_creds = httpCopyPeerCredentials(http); + // New peer credentials + + if (!new_creds || (strcmp(orig_creds, new_creds) && cupsGetCredentialsTrust(/*path*/NULL, http->hostname, new_creds, /*require_ca*/true) != HTTP_TRUST_OK)) + { + // New and old credentials don't match and the new cert doesn't validate... + _httpDisconnect(http); + + free(orig_creds); + free(new_creds); + + return (false); + } + } + + free(orig_creds); + return (true); }