From dde33ef7af6c89e0711f504c07d355e2a80f86ad Mon Sep 17 00:00:00 2001
From: Michael R Sweet <msweet@msweet.org>
Date: Sat, 12 Oct 2024 12:08:05 -0400
Subject: [PATCH] Updated  to re-validate the server's X.509 certificate (Issue
 #1061)

---
 cups/http.c | 35 ++++++++++++++++++++++++++++++++++-
 1 file changed, 34 insertions(+), 1 deletion(-)

diff --git a/cups/http.c b/cups/http.c
index 3bed7a79e..140dcff95 100644
--- a/cups/http.c
+++ b/cups/http.c
@@ -442,6 +442,7 @@ httpConnectAgain(http_t *http,		// I - HTTP connection
 	         int    *cancel)	// I - Pointer to "cancel" variable
 {
   http_addrlist_t	*addr;		// Connected address
+  char			*orig_creds;	// Original peer credentials
 #ifdef DEBUG
   http_addrlist_t	*current;	// Current address
   char			temp[256];	// Temporary address string
@@ -456,6 +457,8 @@ httpConnectAgain(http_t *http,		// I - HTTP connection
     return (false);
   }
 
+  orig_creds = httpCopyPeerCredentials(http);
+
   if (http->tls)
   {
     DEBUG_puts("1httpConnectAgain: Shutting down TLS...");
@@ -502,6 +505,8 @@ httpConnectAgain(http_t *http,		// I - HTTP connection
 
     DEBUG_printf("1httpConnectAgain: httpAddrConnect failed: %s", strerror(http->error));
 
+    free(orig_creds);
+
     return (false);
   }
 
@@ -521,14 +526,42 @@ httpConnectAgain(http_t *http,		// I - HTTP connection
       httpAddrClose(NULL, http->fd);
       http->fd = -1;
 
+      free(orig_creds);
+
       return (false);
     }
   }
   else if (http->encryption == HTTP_ENCRYPTION_REQUIRED && !http->tls_upgrade)
-    return (http_tls_upgrade(http));
+  {
+    if (!http_tls_upgrade(http))
+    {
+      free(orig_creds);
+
+      return (false);
+    }
+  }
 
   DEBUG_printf("1httpConnectAgain: Connected to %s:%d...", httpAddrGetString(http->hostaddr, temp, sizeof(temp)), httpAddrGetPort(http->hostaddr));
 
+  if (orig_creds)
+  {
+    char *new_creds = httpCopyPeerCredentials(http);
+					// New peer credentials
+
+    if (!new_creds || (strcmp(orig_creds, new_creds) && cupsGetCredentialsTrust(/*path*/NULL, http->hostname, new_creds, /*require_ca*/true) != HTTP_TRUST_OK))
+    {
+      // New and old credentials don't match and the new cert doesn't validate...
+      _httpDisconnect(http);
+
+      free(orig_creds);
+      free(new_creds);
+
+      return (false);
+    }
+  }
+
+  free(orig_creds);
+
   return (true);
 }