Fix potential TLS blocking issues (Issue #1128)

Author: michaelrsweet

CHANGES.md

@@ -13,6 +13,7 @@ Changes in CUPS v2.4.17 (YYYY-MM-DD)
   (Issue #1501)
 - Fixed an issue with the class/printer CGI name checking.
 - Fixed infinite loop in `http_write()` on busy print servers (Issue #827)
+- Fixed potential TLS blocking issues (Issue #1128)
 - Fixed notifier logging bug that would result in nul bytes getting into the
   log (Issue #1450)
 - Fixed possible use-after-free in `cupsdReadClient()` (Issue #1454)

cups/tls-gnutls.c

@@ -1370,50 +1370,58 @@ _httpTLSStart(http_t *http)		/* I - Connection to server */
 
     char	crtfile[1024],		/* Certificate file */
 		keyfile[1024];		/* Private key file */
-    const char	*cn,			// Common name to lookup
+    const char	*cn = NULL,		// Common name to lookup
 		*cnptr;			// Pointer into common name
     int		have_creds = 0;		/* Have credentials? */
 
-    if (http->fields[HTTP_FIELD_HOST])
-    {
-     /*
-      * Use hostname for TLS upgrade...
-      */
+    _cupsMutexLock(&tls_mutex);
 
-      strlcpy(hostname, http->fields[HTTP_FIELD_HOST], sizeof(hostname));
-    }
-    else
+    if (!tls_common_name)
     {
-     /*
-      * Resolve hostname from connection address...
-      */
-
-      http_addr_t	addr;		/* Connection address */
-      socklen_t		addrlen;	/* Length of address */
+      _cupsMutexUnlock(&tls_mutex);
 
-      addrlen = sizeof(addr);
-      if (getsockname(http->fd, (struct sockaddr *)&addr, &addrlen))
+      if (http->fields[HTTP_FIELD_HOST])
       {
-	DEBUG_printf(("4_httpTLSStart: Unable to get socket address: %s", strerror(errno)));
-	hostname[0] = '\0';
+       /*
+	* Use hostname for TLS upgrade...
+	*/
+
+	strlcpy(hostname, http->fields[HTTP_FIELD_HOST], sizeof(hostname));
       }
-      else if (httpAddrLocalhost(&addr))
-	hostname[0] = '\0';
       else
       {
-	httpAddrLookup(&addr, hostname, sizeof(hostname));
-        DEBUG_printf(("4_httpTLSStart: Resolved socket address to \"%s\".", hostname));
+       /*
+	* Resolve hostname from connection address...
+	*/
+
+	http_addr_t	addr;		/* Connection address */
+	socklen_t		addrlen;	/* Length of address */
+
+	addrlen = sizeof(addr);
+	if (getsockname(http->fd, (struct sockaddr *)&addr, &addrlen))
+	{
+	  DEBUG_printf(("4_httpTLSStart: Unable to get socket address: %s", strerror(errno)));
+	  hostname[0] = '\0';
+	}
+	else if (httpAddrLocalhost(&addr))
+	  hostname[0] = '\0';
+	else
+	{
+	  httpAddrLookup(&addr, hostname, sizeof(hostname));
+	  DEBUG_printf(("4_httpTLSStart: Resolved socket address to \"%s\".", hostname));
+	}
       }
-    }
 
-    if (isdigit(hostname[0] & 255) || hostname[0] == '[')
-      hostname[0] = '\0';		/* Don't allow numeric addresses */
+      if (isdigit(hostname[0] & 255) || hostname[0] == '[')
+	hostname[0] = '\0';		/* Don't allow numeric addresses */
 
-    _cupsMutexLock(&tls_mutex);
+      if (hostname[0])
+	cn = hostname;
 
-    if (hostname[0])
-      cn = hostname;
-    else
+      _cupsMutexLock(&tls_mutex);
+    }
+
+    if (!cn)
       cn = tls_common_name;
 
     if (cn)

cups/tls-openssl.c

@@ -1011,54 +1011,62 @@ _httpTLSStart(http_t *http)		// I - Connection to server
     // Negotiate a TLS connection as a server
     char	crtfile[1024],		// Certificate file
 		keyfile[1024];		// Private key file
-    const char	*cn,			// Common name to lookup
+    const char	*cn = NULL,		// Common name to lookup
 		*cnptr;			// Pointer into common name
     int		have_creds = 0;		// Have credentials?
     int		key_status, crt_status;	// Key and certificate load status
 
     context = SSL_CTX_new(TLS_server_method());
 
     // Find the TLS certificate...
-    if (http->fields[HTTP_FIELD_HOST])
-    {
-      // Use hostname for TLS upgrade...
-      strlcpy(hostname, http->fields[HTTP_FIELD_HOST], sizeof(hostname));
-    }
-    else
+    _cupsMutexLock(&tls_mutex);
+
+    if (!tls_common_name)
     {
-      // Resolve hostname from connection address...
-      http_addr_t	addr;		// Connection address
-      socklen_t		addrlen;	// Length of address
+      _cupsMutexUnlock(&tls_mutex);
 
-      addrlen = sizeof(addr);
-      if (getsockname(http->fd, (struct sockaddr *)&addr, &addrlen))
+      if (http->fields[HTTP_FIELD_HOST])
       {
-        // Unable to get local socket address so use default...
-	DEBUG_printf(("4_httpTLSStart: Unable to get socket address: %s", strerror(errno)));
-	hostname[0] = '\0';
-      }
-      else if (httpAddrLocalhost(&addr))
-      {
-        // Local access top use default...
-	hostname[0] = '\0';
+	// Use hostname for TLS upgrade...
+	strlcpy(hostname, http->fields[HTTP_FIELD_HOST], sizeof(hostname));
       }
       else
       {
-        // Lookup the socket address...
-	httpAddrLookup(&addr, hostname, sizeof(hostname));
-        DEBUG_printf(("4_httpTLSStart: Resolved socket address to \"%s\".", hostname));
+	// Resolve hostname from connection address...
+	http_addr_t	addr;		// Connection address
+	socklen_t	addrlen;	// Length of address
+
+	addrlen = sizeof(addr);
+	if (getsockname(http->fd, (struct sockaddr *)&addr, &addrlen))
+	{
+	  // Unable to get local socket address so use default...
+	  DEBUG_printf(("4_httpTLSStart: Unable to get socket address: %s", strerror(errno)));
+	  hostname[0] = '\0';
+	}
+	else if (httpAddrLocalhost(&addr))
+	{
+	  // Local access top use default...
+	  hostname[0] = '\0';
+	}
+	else
+	{
+	  // Lookup the socket address...
+	  httpAddrLookup(&addr, hostname, sizeof(hostname));
+	  DEBUG_printf(("4_httpTLSStart: Resolved socket address to \"%s\".", hostname));
+	}
       }
-    }
 
-    if (isdigit(hostname[0] & 255) || hostname[0] == '[')
-      hostname[0] = '\0';		// Don't allow numeric addresses
+      if (isdigit(hostname[0] & 255) || hostname[0] == '[')
+	hostname[0] = '\0';		// Don't allow numeric addresses
 
-    if (hostname[0])
-      cn = hostname;
-    else
-      cn = tls_common_name;
+      if (hostname[0])
+	cn = hostname;
 
-    _cupsMutexLock(&tls_mutex);
+      _cupsMutexLock(&tls_mutex);
+    }
+
+    if (!cn)
+      cn = tls_common_name;
 
     if (cn)
     {