/*
* HTTP support routines for CUPS.
*
- * Copyright 2007-2018 by Apple Inc.
+ * Copyright 2007-2019 by Apple Inc.
* Copyright 1997-2007 by Easy Software Products, all rights reserved.
*
* Licensed under Apache License v2.0. See the file "LICENSE" for more
*/
#include "cups-private.h"
+#include "debug-internal.h"
#ifdef HAVE_DNSSD
# include <dns_sd.h>
-# ifdef WIN32
+# ifdef _WIN32
# include <io.h>
# elif defined(HAVE_POLL)
# include <poll.h>
# else
# include <sys/select.h>
-# endif /* WIN32 */
+# endif /* _WIN32 */
#elif defined(HAVE_AVAHI)
# include <avahi-client/client.h>
# include <avahi-client/lookup.h>
}
-/*
- * '_httpDigest()' - Calculate a Digest authentication response using the
- * appropriate RFC 2068/2617/7616 algorithm.
- */
-
-char * /* O - Response string */
-_httpDigest(char *buffer, /* I - Response buffer */
- size_t bufsize, /* I - Size of response buffer */
- const char *algorithm, /* I - algorithm value or `NULL` */
- const char *username, /* I - username value */
- const char *realm, /* I - realm value */
- const char *password, /* I - password value */
- const char *nonce, /* I - nonce value */
- unsigned nc, /* I - nc value */
- const char *cnonce, /* I - cnonce value or `NULL` */
- const char *qop, /* I - qop value */
- const char *method, /* I - HTTP method */
- const char *resource) /* I - HTTP resource path */
-{
- char ha1[65], /* Hash of username:realm:password */
- ha2[65], /* Hash of method:request-uri */
- temp[1024]; /* Temporary string */
- unsigned char hash[32]; /* Hash buffer */
- const char *hashalg; /* Hashing algorithm */
- size_t hashsize; /* Size of hash */
-
-
- DEBUG_printf(("2_httpDigest(buffer=%p, bufsize=" CUPS_LLFMT ", algorithm=\%s\", username=\"%s\", realm=\"%s\", password=\"%d chars\", nonce=\"%s\", nc=%u, cnonce=\"%s\", qop=\"%s\", method=\"%s\", resource=\"%s\")", buffer, CUPS_LLCAST bufsize, algorithm, username, realm, (int)strlen(password), nonce, nc, cnonce, qop, method, resource));
-
- if (algorithm)
- {
- /*
- * Follow RFC 2617/7616...
- */
-
- if (!_cups_strcasecmp(algorithm, "MD5"))
- {
- /*
- * RFC 2617 Digest with MD5
- */
-
- hashalg = "md5";
- }
- else if (!_cups_strcasecmp(algorithm, "SHA-256"))
- {
- /*
- * RFC 7616 Digest with SHA-256
- */
-
- hashalg = "sha2-256";
- }
- else
- {
- /*
- * Some other algorithm we don't support, skip this one...
- */
-
- *buffer = '\0';
-
- return (NULL);
- }
-
- /*
- * Calculate digest value...
- */
-
- /* H(A1) = H(username:realm:password) */
- snprintf(temp, sizeof(temp), "%s:%s:%s", username, realm, password);
- hashsize = (size_t)cupsHashData(hashalg, (unsigned char *)temp, strlen(temp), hash, sizeof(hash));
- cupsHashString(hash, hashsize, ha1, sizeof(ha1));
-
- /* H(A2) = H(method:uri) */
- snprintf(temp, sizeof(temp), "%s:%s", method, resource);
- hashsize = (size_t)cupsHashData(hashalg, (unsigned char *)temp, strlen(temp), hash, sizeof(hash));
- cupsHashString(hash, hashsize, ha2, sizeof(ha2));
-
- /* KD = H(H(A1):nonce:nc:cnonce:qop:H(A2)) */
- snprintf(temp, sizeof(temp), "%s:%s:%08x:%s:%s:%s", ha1, nonce, nc, cnonce, qop, ha2);
- hashsize = (size_t)cupsHashData(hashalg, (unsigned char *)temp, strlen(temp), hash, sizeof(hash));
- cupsHashString(hash, hashsize, buffer, bufsize);
- }
- else
- {
- /*
- * Use old RFC 2069 Digest method...
- */
-
- /* H(A1) = H(username:realm:password) */
- snprintf(temp, sizeof(temp), "%s:%s:%s", username, realm, password);
- hashsize = (size_t)cupsHashData("md5", (unsigned char *)temp, strlen(temp), hash, sizeof(hash));
- cupsHashString(hash, hashsize, ha1, sizeof(ha1));
-
- /* H(A2) = H(method:uri) */
- snprintf(temp, sizeof(temp), "%s:%s", method, resource);
- hashsize = (size_t)cupsHashData("md5", (unsigned char *)temp, strlen(temp), hash, sizeof(hash));
- cupsHashString(hash, hashsize, ha2, sizeof(ha2));
-
- /* KD = H(H(A1):nonce:H(A2)) */
- snprintf(temp, sizeof(temp), "%s:%s:%s", ha1, nonce, ha2);
- hashsize = (size_t)cupsHashData("md5", (unsigned char *)temp, strlen(temp), hash, sizeof(hash));
- cupsHashString(hash, hashsize, buffer, bufsize);
- }
-
- return (buffer);
-}
-
-
/*
* 'httpEncode64()' - Base64-encode a string.
*
char *s, /* I - String buffer */
int slen) /* I - Size of string buffer */
{
- struct tm *tdate; /* UNIX date/time data */
+ struct tm tdate; /* UNIX date/time data */
- tdate = gmtime(&t);
- if (tdate)
- snprintf(s, (size_t)slen, "%s, %02d %s %d %02d:%02d:%02d GMT", http_days[tdate->tm_wday], tdate->tm_mday, http_months[tdate->tm_mon], tdate->tm_year + 1900, tdate->tm_hour, tdate->tm_min, tdate->tm_sec);
- else
- s[0] = '\0';
+ gmtime_r(&t, &tdate);
+
+ snprintf(s, (size_t)slen, "%s, %02d %s %d %02d:%02d:%02d GMT", http_days[tdate.tm_wday], tdate.tm_mday, http_months[tdate.tm_mon], tdate.tm_year + 1900, tdate.tm_hour, tdate.tm_min, tdate.tm_sec);
return (s);
}
DEBUG_printf(("4httpGetDateTime: day=%d, mon=\"%s\", year=%d, hour=%d, "
"min=%d, sec=%d", day, mon, year, hour, min, sec));
+ /*
+ * Check for invalid year (RFC 7231 says it's 4DIGIT)
+ */
+
+ if (year > 9999)
+ return (0);
+
/*
* Convert the month name to a number from 0 to 11.
*/
}
+/*
+ * '_httpSetDigestAuthString()' - Calculate a Digest authentication response
+ * using the appropriate RFC 2068/2617/7616
+ * algorithm.
+ */
+
+int /* O - 1 on success, 0 on failure */
+_httpSetDigestAuthString(
+ http_t *http, /* I - HTTP connection */
+ const char *nonce, /* I - Nonce value */
+ const char *method, /* I - HTTP method */
+ const char *resource) /* I - HTTP resource path */
+{
+ char kd[65], /* Final MD5/SHA-256 digest */
+ ha1[65], /* Hash of username:realm:password */
+ ha2[65], /* Hash of method:request-uri */
+ username[HTTP_MAX_VALUE],
+ /* username:password */
+ *password, /* Pointer to password */
+ temp[1024], /* Temporary string */
+ digest[1024]; /* Digest auth data */
+ unsigned char hash[32]; /* Hash buffer */
+ size_t hashsize; /* Size of hash */
+ _cups_globals_t *cg = _cupsGlobals(); /* Per-thread globals */
+
+
+ DEBUG_printf(("2_httpSetDigestAuthString(http=%p, nonce=\"%s\", method=\"%s\", resource=\"%s\")", (void *)http, nonce, method, resource));
+
+ if (nonce && *nonce && strcmp(nonce, http->nonce))
+ {
+ strlcpy(http->nonce, nonce, sizeof(http->nonce));
+
+ if (nonce == http->nextnonce)
+ http->nextnonce[0] = '\0';
+
+ http->nonce_count = 1;
+ }
+ else
+ http->nonce_count ++;
+
+ strlcpy(username, http->userpass, sizeof(username));
+ if ((password = strchr(username, ':')) != NULL)
+ *password++ = '\0';
+ else
+ return (0);
+
+ if (http->algorithm[0])
+ {
+ /*
+ * Follow RFC 2617/7616...
+ */
+
+ int i; /* Looping var */
+ char cnonce[65]; /* cnonce value */
+ const char *hashalg; /* Hashing algorithm */
+
+ for (i = 0; i < 64; i ++)
+ cnonce[i] = "0123456789ABCDEF"[CUPS_RAND() & 15];
+ cnonce[64] = '\0';
+
+ if (!_cups_strcasecmp(http->algorithm, "MD5"))
+ {
+ /*
+ * RFC 2617 Digest with MD5
+ */
+
+ if (cg->digestoptions == _CUPS_DIGESTOPTIONS_DENYMD5)
+ {
+ DEBUG_puts("3_httpSetDigestAuthString: MD5 Digest is disabled.");
+ return (0);
+ }
+
+ hashalg = "md5";
+ }
+ else if (!_cups_strcasecmp(http->algorithm, "SHA-256"))
+ {
+ /*
+ * RFC 7616 Digest with SHA-256
+ */
+
+ hashalg = "sha2-256";
+ }
+ else
+ {
+ /*
+ * Some other algorithm we don't support, skip this one...
+ */
+
+ return (0);
+ }
+
+ /*
+ * Calculate digest value...
+ */
+
+ /* H(A1) = H(username:realm:password) */
+ snprintf(temp, sizeof(temp), "%s:%s:%s", username, http->realm, password);
+ hashsize = (size_t)cupsHashData(hashalg, (unsigned char *)temp, strlen(temp), hash, sizeof(hash));
+ cupsHashString(hash, hashsize, ha1, sizeof(ha1));
+
+ /* H(A2) = H(method:uri) */
+ snprintf(temp, sizeof(temp), "%s:%s", method, resource);
+ hashsize = (size_t)cupsHashData(hashalg, (unsigned char *)temp, strlen(temp), hash, sizeof(hash));
+ cupsHashString(hash, hashsize, ha2, sizeof(ha2));
+
+ /* KD = H(H(A1):nonce:nc:cnonce:qop:H(A2)) */
+ snprintf(temp, sizeof(temp), "%s:%s:%08x:%s:%s:%s", ha1, http->nonce, http->nonce_count, cnonce, "auth", ha2);
+ hashsize = (size_t)cupsHashData(hashalg, (unsigned char *)temp, strlen(temp), hash, sizeof(hash));
+ cupsHashString(hash, hashsize, kd, sizeof(kd));
+
+ /*
+ * Pass the RFC 2617/7616 WWW-Authenticate header...
+ */
+
+ if (http->opaque[0])
+ snprintf(digest, sizeof(digest), "username=\"%s\", realm=\"%s\", nonce=\"%s\", algorithm=%s, qop=auth, opaque=\"%s\", cnonce=\"%s\", nc=%08x, uri=\"%s\", response=\"%s\"", cupsUser(), http->realm, http->nonce, http->algorithm, http->opaque, cnonce, http->nonce_count, resource, kd);
+ else
+ snprintf(digest, sizeof(digest), "username=\"%s\", realm=\"%s\", nonce=\"%s\", algorithm=%s, qop=auth, cnonce=\"%s\", nc=%08x, uri=\"%s\", response=\"%s\"", username, http->realm, http->nonce, http->algorithm, cnonce, http->nonce_count, resource, kd);
+ }
+ else
+ {
+ /*
+ * Use old RFC 2069 Digest method...
+ */
+
+ /* H(A1) = H(username:realm:password) */
+ snprintf(temp, sizeof(temp), "%s:%s:%s", username, http->realm, password);
+ hashsize = (size_t)cupsHashData("md5", (unsigned char *)temp, strlen(temp), hash, sizeof(hash));
+ cupsHashString(hash, hashsize, ha1, sizeof(ha1));
+
+ /* H(A2) = H(method:uri) */
+ snprintf(temp, sizeof(temp), "%s:%s", method, resource);
+ hashsize = (size_t)cupsHashData("md5", (unsigned char *)temp, strlen(temp), hash, sizeof(hash));
+ cupsHashString(hash, hashsize, ha2, sizeof(ha2));
+
+ /* KD = H(H(A1):nonce:H(A2)) */
+ snprintf(temp, sizeof(temp), "%s:%s:%s", ha1, http->nonce, ha2);
+ hashsize = (size_t)cupsHashData("md5", (unsigned char *)temp, strlen(temp), hash, sizeof(hash));
+ cupsHashString(hash, hashsize, kd, sizeof(kd));
+
+ /*
+ * Pass the old RFC 2069 WWW-Authenticate header...
+ */
+
+ snprintf(digest, sizeof(digest), "username=\"%s\", realm=\"%s\", nonce=\"%s\", uri=\"%s\", response=\"%s\"", username, http->realm, http->nonce, resource, kd);
+ }
+
+ httpSetAuthString(http, "Digest", digest);
+
+ return (1);
+}
+
+
/*
* 'httpStateString()' - Return the string describing a HTTP state value.
*
_http_uribuf_t uribuf; /* URI buffer */
int offline = 0; /* offline-report state set? */
# ifdef HAVE_DNSSD
-# ifdef WIN32
-# pragma comment(lib, "dnssd.lib")
-# endif /* WIN32 */
DNSServiceRef ref, /* DNS-SD master service reference */
domainref = NULL,/* DNS-SD service reference for domain */
ippref = NULL, /* DNS-SD service reference for network IPP */
FD_ZERO(&input_set);
FD_SET(DNSServiceRefSockFD(ref), &input_set);
-# ifdef WIN32
+# ifdef _WIN32
stimeout.tv_sec = (long)timeout;
# else
stimeout.tv_sec = timeout;
-# endif /* WIN32 */
+# endif /* _WIN32 */
stimeout.tv_usec = 0;
fds = select(DNSServiceRefSockFD(ref)+1, &input_set, NULL, NULL,