/*
- * "$Id: auth.c 7830 2008-08-04 20:38:50Z mike $"
+ * "$Id$"
*
- * Authorization routines for the CUPS scheduler.
+ * Authorization routines for the CUPS scheduler.
*
- * Copyright 2007-2012 by Apple Inc.
- * Copyright 1997-2007 by Easy Software Products, all rights reserved.
+ * Copyright 2007-2013 by Apple Inc.
+ * Copyright 1997-2007 by Easy Software Products, all rights reserved.
*
- * This file contains Kerberos support code, copyright 2006 by
- * Jelmer Vernooij.
+ * This file contains Kerberos support code, copyright 2006 by
+ * Jelmer Vernooij.
*
- * These coded instructions, statements, and computer programs are the
- * property of Apple Inc. and are protected by Federal copyright
- * law. Distribution and use rights are outlined in the file "LICENSE.txt"
- * which should have been included with this file. If this file is
- * file is missing or damaged, see the license at "http://www.cups.org/".
- *
- * Contents:
- *
- * cupsdAddIPMask() - Add an IP address authorization mask.
- * cupsdAddLocation() - Add a location for authorization.
- * cupsdAddName() - Add a name to a location...
- * cupsdAddNameMask() - Add a host or interface name authorization
- * mask.
- * cupsdAuthorize() - Validate any authorization credentials.
- * cupsdCheckAccess() - Check whether the given address is allowed to
- * access a location.
- * cupsdCheckAuth() - Check authorization masks.
- * cupsdCheckGroup() - Check for a user's group membership.
- * cupsdCopyLocation() - Make a copy of a location...
- * cupsdDeleteAllLocations() - Free all memory used for location
- * authorization.
- * cupsdFindBest() - Find the location entry that best matches the
- * resource.
- * cupsdFindLocation() - Find the named location.
- * cupsdFreeLocation() - Free all memory used by a location.
- * cupsdIsAuthorized() - Check to see if the user is authorized...
- * cupsdNewLocation() - Create a new location for authorization.
- * check_authref() - Check if an authorization services reference
- * has the supplied right.
- * compare_locations() - Compare two locations.
- * copy_authmask() - Copy function for auth masks.
- * cups_crypt() - Encrypt the password using the DES or MD5
- * algorithms, as needed.
- * free_authmask() - Free function for auth masks.
- * get_md5_password() - Get an MD5 password.
- * pam_func() - PAM conversation function.
- * to64() - Base64-encode an integer value...
+ * These coded instructions, statements, and computer programs are the
+ * property of Apple Inc. and are protected by Federal copyright
+ * law. Distribution and use rights are outlined in the file "LICENSE.txt"
+ * which should have been included with this file. If this file is
+ * file is missing or damaged, see the license at "http://www.cups.org/".
*/
/*
# include <security/pam_appl.h>
# endif /* HAVE_PAM_PAM_APPL_H */
#endif /* HAVE_LIBPAM */
-#ifdef HAVE_USERSEC_H
-# include <usersec.h>
-#endif /* HAVE_USERSEC_H */
#ifdef HAVE_MEMBERSHIP_H
# include <membership.h>
#endif /* HAVE_MEMBERSHIP_H */
static int compare_locations(cupsd_location_t *a,
cupsd_location_t *b);
static cupsd_authmask_t *copy_authmask(cupsd_authmask_t *am, void *data);
-#if !HAVE_LIBPAM && !defined(HAVE_USERSEC_H)
+#if !HAVE_LIBPAM
static char *cups_crypt(const char *pw, const char *salt);
-#endif /* !HAVE_LIBPAM && !HAVE_USERSEC_H */
+#endif /* !HAVE_LIBPAM */
static void free_authmask(cupsd_authmask_t *am, void *data);
static char *get_md5_password(const char *username,
const char *group, char passwd[33]);
#if HAVE_LIBPAM
static int pam_func(int, const struct pam_message **,
struct pam_response **, void *);
-#elif !defined(HAVE_USERSEC_H)
+#else
static void to64(char *s, unsigned long v, int n);
#endif /* HAVE_LIBPAM */
#endif /* HAVE_LIBPAM */
-/*
- * Local globals...
- */
-
-#if defined(__hpux) && HAVE_LIBPAM
-static cupsd_authdata_t *auth_data; /* Current client being authenticated */
-#endif /* __hpux && HAVE_LIBPAM */
-
-
/*
* 'cupsdAddIPMask()' - Add an IP address authorization mask.
*/
* authentication to expect...
*/
- con->best = cupsdFindBest(con->uri, con->http.state);
+ con->best = cupsdFindBest(con->uri, httpGetState(con->http));
con->type = CUPSD_AUTH_NONE;
cupsdLogMessage(CUPSD_LOG_DEBUG2,
"[Client %d] con->uri=\"%s\", con->best=%p(%s)",
- con->http.fd, con->uri, con->best,
+ con->number, con->uri, con->best,
con->best ? con->best->location : "");
if (con->best && con->best->type != CUPSD_AUTH_NONE)
* Decode the Authorization string...
*/
- authorization = httpGetField(&con->http, HTTP_FIELD_AUTHORIZATION);
+ authorization = httpGetField(con->http, HTTP_FIELD_AUTHORIZATION);
cupsdLogMessage(CUPSD_LOG_DEBUG2, "[Client %d] Authorization=\"%s\"",
- con->http.fd, authorization);
+ con->number, authorization);
username[0] = '\0';
password[0] = '\0';
cupsdLogMessage(CUPSD_LOG_DEBUG,
"[Client %d] No authentication data provided.",
- con->http.fd);
+ con->number);
return;
}
#ifdef HAVE_AUTHORIZATION_H
else if (!strncmp(authorization, "AuthRef ", 8) &&
- !_cups_strcasecmp(con->http.hostname, "localhost"))
+ httpAddrLocalhost(httpGetAddress(con->http)))
{
OSStatus status; /* Status */
int authlen; /* Auth string length */
{
cupsdLogMessage(CUPSD_LOG_ERROR,
"[Client %d] External Authorization reference size is "
- "incorrect.", con->http.fd);
+ "incorrect.", con->number);
return;
}
{
cupsdLogMessage(CUPSD_LOG_ERROR,
"[Client %d] AuthorizationCreateFromExternalForm "
- "returned %d (%s)", con->http.fd, (int)status,
+ "returned %d (%s)", con->number, (int)status,
cssmErrorString(status));
return;
}
cupsdLogMessage(CUPSD_LOG_DEBUG,
"[Client %d] Authorized as \"%s\" using AuthRef",
- con->http.fd, username);
+ con->number, username);
}
AuthorizationFreeItemSet(authinfo);
peersize = sizeof(peercred);
- if (getsockopt(con->http.fd, 0, LOCAL_PEERCRED, &peercred, &peersize))
+ if (getsockopt(httpGetFd(con->http), 0, LOCAL_PEERCRED, &peercred, &peersize))
{
cupsdLogMessage(CUPSD_LOG_ERROR,
"[Client %d] Unable to get peer credentials - %s",
- con->http.fd, strerror(errno));
+ con->number, strerror(errno));
return;
}
{
cupsdLogMessage(CUPSD_LOG_ERROR,
"[Client %d] Unable to find UID %d for peer "
- "credentials.", con->http.fd,
+ "credentials.", con->number,
(int)CUPSD_UCRED_UID(peercred));
return;
}
cupsdLogMessage(CUPSD_LOG_DEBUG,
"[Client %d] Authorized as \"%s\" using "
- "AuthRef + PeerCred", con->http.fd, username);
+ "AuthRef + PeerCred", con->number, username);
}
con->type = CUPSD_AUTH_BASIC;
#endif /* HAVE_AUTHORIZATION_H */
#if defined(SO_PEERCRED) && defined(AF_LOCAL)
else if (!strncmp(authorization, "PeerCred ", 9) &&
- con->http.hostaddr->addr.sa_family == AF_LOCAL)
+ con->http->hostaddr->addr.sa_family == AF_LOCAL)
{
/*
* Use peer credentials from domain socket connection...
{
cupsdLogMessage(CUPSD_LOG_ERROR,
"[Client %d] PeerCred authentication not allowed for "
- "resource per AUTHKEY policy.", con->http.fd);
+ "resource per AUTHKEY policy.", con->number);
return;
}
#endif /* HAVE_AUTHORIZATION_H */
if ((pwd = getpwnam(authorization + 9)) == NULL)
{
cupsdLogMessage(CUPSD_LOG_ERROR,
- "[Client %d] User \"%s\" does not exist.", con->http.fd,
+ "[Client %d] User \"%s\" does not exist.", con->number,
authorization + 9);
return;
}
peersize = sizeof(peercred);
# ifdef __APPLE__
- if (getsockopt(con->http.fd, 0, LOCAL_PEERCRED, &peercred, &peersize))
+ if (getsockopt(httpGetFd(con->http), 0, LOCAL_PEERCRED, &peercred, &peersize))
# else
- if (getsockopt(con->http.fd, SOL_SOCKET, SO_PEERCRED, &peercred, &peersize))
+ if (getsockopt(httpGetFd(con->http), SOL_SOCKET, SO_PEERCRED, &peercred, &peersize))
# endif /* __APPLE__ */
{
cupsdLogMessage(CUPSD_LOG_ERROR,
"[Client %d] Unable to get peer credentials - %s",
- con->http.fd, strerror(errno));
+ con->number, strerror(errno));
return;
}
{
cupsdLogMessage(CUPSD_LOG_ERROR,
"[Client %d] Invalid peer credentials for \"%s\" - got "
- "%d, expected %d!", con->http.fd, authorization + 9,
+ "%d, expected %d!", con->number, authorization + 9,
CUPSD_UCRED_UID(peercred), pwd->pw_uid);
# ifdef HAVE_SYS_UCRED_H
cupsdLogMessage(CUPSD_LOG_DEBUG, "[Client %d] cr_version=%d",
- con->http.fd, peercred.cr_version);
+ con->number, peercred.cr_version);
cupsdLogMessage(CUPSD_LOG_DEBUG, "[Client %d] cr_uid=%d",
- con->http.fd, peercred.cr_uid);
+ con->number, peercred.cr_uid);
cupsdLogMessage(CUPSD_LOG_DEBUG, "[Client %d] cr_ngroups=%d",
- con->http.fd, peercred.cr_ngroups);
+ con->number, peercred.cr_ngroups);
cupsdLogMessage(CUPSD_LOG_DEBUG, "[Client %d] cr_groups[0]=%d",
- con->http.fd, peercred.cr_groups[0]);
+ con->number, peercred.cr_groups[0]);
# endif /* HAVE_SYS_UCRED_H */
return;
}
# endif /* HAVE_GSSAPI */
cupsdLogMessage(CUPSD_LOG_DEBUG,
- "[Client %d] Authorized as %s using PeerCred", con->http.fd,
+ "[Client %d] Authorized as %s using PeerCred", con->number,
username);
con->type = CUPSD_AUTH_BASIC;
}
#endif /* SO_PEERCRED && AF_LOCAL */
else if (!strncmp(authorization, "Local", 5) &&
- !_cups_strcasecmp(con->http.hostname, "localhost"))
+ httpAddrLocalhost(httpGetAddress(con->http)))
{
/*
* Get Local certificate authentication data...
{
cupsdLogMessage(CUPSD_LOG_ERROR,
"[Client %d] Local authentication certificate not found.",
- con->http.fd);
+ con->number);
return;
}
con->type = localuser->type;
cupsdLogMessage(CUPSD_LOG_DEBUG,
- "[Client %d] Authorized as %s using Local", con->http.fd,
+ "[Client %d] Authorized as %s using Local", con->number,
username);
}
else if (!strncmp(authorization, "Basic", 5))
if ((ptr = strchr(username, ':')) == NULL)
{
cupsdLogMessage(CUPSD_LOG_ERROR, "[Client %d] Missing Basic password.",
- con->http.fd);
+ con->number);
return;
}
*/
cupsdLogMessage(CUPSD_LOG_ERROR, "[Client %d] Empty Basic username.",
- con->http.fd);
+ con->number);
return;
}
*/
cupsdLogMessage(CUPSD_LOG_ERROR, "[Client %d] Empty Basic password.",
- con->http.fd);
+ con->number);
return;
}
strlcpy(data.username, username, sizeof(data.username));
strlcpy(data.password, password, sizeof(data.password));
-# if defined(__sun) || defined(__hpux)
+# ifdef __sun
pamdata.conv = (int (*)(int, struct pam_message **,
struct pam_response **,
void *))pam_func;
# else
pamdata.conv = pam_func;
-# endif /* __sun || __hpux */
+# endif /* __sun */
pamdata.appdata_ptr = &data;
-# ifdef __hpux
- /*
- * Workaround for HP-UX bug in pam_unix; see pam_func() below for
- * more info...
- */
-
- auth_data = &data;
-# endif /* __hpux */
-
pamerr = pam_start("cups", username, &pamdata, &pamh);
if (pamerr != PAM_SUCCESS)
{
cupsdLogMessage(CUPSD_LOG_ERROR,
"[Client %d] pam_start() returned %d (%s)",
- con->http.fd, pamerr, pam_strerror(pamh, pamerr));
+ con->number, pamerr, pam_strerror(pamh, pamerr));
return;
}
# ifdef HAVE_PAM_SET_ITEM
# ifdef PAM_RHOST
- pamerr = pam_set_item(pamh, PAM_RHOST, con->http.hostname);
+ pamerr = pam_set_item(pamh, PAM_RHOST, con->http->hostname);
if (pamerr != PAM_SUCCESS)
cupsdLogMessage(CUPSD_LOG_WARN,
"[Client %d] pam_set_item(PAM_RHOST) "
- "returned %d (%s)", con->http.fd, pamerr,
+ "returned %d (%s)", con->number, pamerr,
pam_strerror(pamh, pamerr));
# endif /* PAM_RHOST */
if (pamerr != PAM_SUCCESS)
cupsdLogMessage(CUPSD_LOG_WARN,
"[Client %d] pam_set_item(PAM_TTY) "
- "returned %d (%s)!", con->http.fd, pamerr,
+ "returned %d (%s)!", con->number, pamerr,
pam_strerror(pamh, pamerr));
# endif /* PAM_TTY */
# endif /* HAVE_PAM_SET_ITEM */
{
cupsdLogMessage(CUPSD_LOG_ERROR,
"[Client %d] pam_authenticate() returned %d (%s)",
- con->http.fd, pamerr, pam_strerror(pamh, pamerr));
+ con->number, pamerr, pam_strerror(pamh, pamerr));
pam_end(pamh, 0);
return;
}
if (pamerr != PAM_SUCCESS)
cupsdLogMessage(CUPSD_LOG_WARN,
"[Client %d] pam_setcred() returned %d (%s)",
- con->http.fd, pamerr,
+ con->number, pamerr,
pam_strerror(pamh, pamerr));
# endif /* HAVE_PAM_SETCRED */
{
cupsdLogMessage(CUPSD_LOG_ERROR,
"[Client %d] pam_acct_mgmt() returned %d (%s)",
- con->http.fd, pamerr, pam_strerror(pamh, pamerr));
+ con->number, pamerr, pam_strerror(pamh, pamerr));
pam_end(pamh, 0);
return;
}
pam_end(pamh, PAM_SUCCESS);
-#elif defined(HAVE_USERSEC_H)
- /*
- * Use AIX authentication interface...
- */
-
- char *authmsg; /* Authentication message */
- int reenter; /* ??? */
-
-
- cupsdLogMessage(CUPSD_LOG_DEBUG,
- "[Client %d] AIX authenticate of username \"%s\"",
- con->http.fd, username);
-
- reenter = 1;
- if (authenticate(username, password, &reenter, &authmsg) != 0)
- {
- cupsdLogMessage(CUPSD_LOG_DEBUG,
- "[Client %d] Unable to authenticate username "
- "\"%s\": %s", con->http.fd, username,
- strerror(errno));
- return;
- }
-
#else
/*
* Use normal UNIX password file-based authentication...
cupsdLogMessage(CUPSD_LOG_ERROR,
"[Client %d] Unknown username \"%s\".",
- con->http.fd, username);
+ con->number, username);
return;
}
cupsdLogMessage(CUPSD_LOG_ERROR,
"[Client %d] Username \"%s\" has no shadow "
- "password.", con->http.fd, username);
+ "password.", con->number, username);
return;
}
cupsdLogMessage(CUPSD_LOG_ERROR,
"[Client %d] Username \"%s\" has no password.",
- con->http.fd, username);
+ con->number, username);
return;
}
cupsdLogMessage(CUPSD_LOG_DEBUG2,
"[Client %d] pw_passwd=\"%s\", crypt=\"%s\"",
- con->http.fd, pw->pw_passwd, pass);
+ con->number, pw->pw_passwd, pass);
if (!pass || strcmp(pw->pw_passwd, pass))
{
cupsdLogMessage(CUPSD_LOG_DEBUG2,
"[Client %d] sp_pwdp=\"%s\", crypt=\"%s\"",
- con->http.fd, spw->sp_pwdp, pass);
+ con->number, spw->sp_pwdp, pass);
if (pass == NULL || strcmp(spw->sp_pwdp, pass))
{
cupsdLogMessage(CUPSD_LOG_ERROR,
"[Client %d] Authentication failed for user "
- "\"%s\".", con->http.fd, username);
+ "\"%s\".", con->number, username);
return;
}
}
{
cupsdLogMessage(CUPSD_LOG_ERROR,
"[Client %d] Authentication failed for user "
- "\"%s\".", con->http.fd, username);
+ "\"%s\".", con->number, username);
return;
}
}
cupsdLogMessage(CUPSD_LOG_DEBUG,
"[Client %d] Authorized as %s using Basic",
- con->http.fd, username);
+ con->number, username);
break;
case CUPSD_AUTH_BASICDIGEST :
{
cupsdLogMessage(CUPSD_LOG_ERROR,
"[Client %d] Unknown MD5 username \"%s\".",
- con->http.fd, username);
+ con->number, username);
return;
}
{
cupsdLogMessage(CUPSD_LOG_ERROR,
"[Client %d] Authentication failed for \"%s\".",
- con->http.fd, username);
+ con->number, username);
return;
}
cupsdLogMessage(CUPSD_LOG_DEBUG,
"[Client %d] Authorized as %s using BasicDigest",
- con->http.fd, username);
+ con->number, username);
break;
}
* Get the username, password, and nonce from the Digest attributes...
*/
- if (!httpGetSubField2(&(con->http), HTTP_FIELD_AUTHORIZATION, "username",
+ if (!httpGetSubField2(con->http, HTTP_FIELD_AUTHORIZATION, "username",
username, sizeof(username)) || !username[0])
{
/*
cupsdLogMessage(CUPSD_LOG_ERROR,
"[Client %d] Empty or missing Digest username.",
- con->http.fd);
+ con->number);
return;
}
- if (!httpGetSubField2(&(con->http), HTTP_FIELD_AUTHORIZATION, "response",
+ if (!httpGetSubField2(con->http, HTTP_FIELD_AUTHORIZATION, "response",
password, sizeof(password)) || !password[0])
{
/*
cupsdLogMessage(CUPSD_LOG_ERROR,
"[Client %d] Empty or missing Digest password.",
- con->http.fd);
+ con->number);
return;
}
- if (!httpGetSubField(&(con->http), HTTP_FIELD_AUTHORIZATION, "nonce",
+ if (!httpGetSubField(con->http, HTTP_FIELD_AUTHORIZATION, "nonce",
nonce))
{
cupsdLogMessage(CUPSD_LOG_ERROR,
"[Client %d] No nonce value for Digest authentication.",
- con->http.fd);
+ con->number);
return;
}
- if (strcmp(con->http.hostname, nonce))
+ if (strcmp(con->http->hostname, nonce))
{
cupsdLogMessage(CUPSD_LOG_ERROR,
"[Client %d] Bad nonce value, expected \"%s\", "
- "got \"%s\".", con->http.fd, con->http.hostname, nonce);
+ "got \"%s\".", con->number, con->http->hostname, nonce);
return;
}
{
cupsdLogMessage(CUPSD_LOG_ERROR,
"[Client %d] Unknown MD5 username \"%s\".",
- con->http.fd, username);
+ con->number, username);
return;
}
- httpMD5Final(nonce, states[con->http.state], con->uri, md5);
+ httpMD5Final(nonce, states[httpGetState(con->http)], con->uri, md5);
if (strcmp(md5, password))
{
cupsdLogMessage(CUPSD_LOG_ERROR,
"[Client %d] Authentication failed for \"%s\".",
- con->http.fd, username);
+ con->number, username);
return;
}
cupsdLogMessage(CUPSD_LOG_DEBUG,
- "[Client %d] Authorized as %s using Digest", con->http.fd,
+ "[Client %d] Authorized as %s using Digest", con->number,
username);
con->type = CUPSD_AUTH_DIGEST;
cupsdLogMessage(CUPSD_LOG_WARN,
"[Client %d] GSSAPI/Kerberos authentication failed "
"because the Kerberos framework is not present.",
- con->http.fd);
+ con->number);
return;
}
# endif /* __APPLE__ */
{
cupsdLogMessage(CUPSD_LOG_DEBUG2,
"[Client %d] No authentication data specified.",
- con->http.fd);
+ con->number);
return;
}
{
cupsdLogGSSMessage(CUPSD_LOG_DEBUG, major_status, minor_status,
"[Client %d] Error accepting GSSAPI security context",
- con->http.fd);
+ con->number);
if (context != GSS_C_NO_CONTEXT)
gss_delete_sec_context(&minor_status, &context, GSS_C_NO_BUFFER);
if (major_status == GSS_S_CONTINUE_NEEDED)
cupsdLogGSSMessage(CUPSD_LOG_DEBUG, major_status, minor_status,
- "[Client %d] Credentials not complete", con->http.fd);
+ "[Client %d] Credentials not complete", con->number);
else if (major_status == GSS_S_COMPLETE)
{
major_status = gss_display_name(&minor_status, client_name,
if (GSS_ERROR(major_status))
{
cupsdLogGSSMessage(CUPSD_LOG_DEBUG, major_status, minor_status,
- "[Client %d] Error getting username", con->http.fd);
+ "[Client %d] Error getting username", con->number);
gss_release_name(&minor_status, &client_name);
gss_delete_sec_context(&minor_status, &context, GSS_C_NO_BUFFER);
return;
cupsdLogMessage(CUPSD_LOG_DEBUG,
"[Client %d] Authorized as %s using Negotiate",
- con->http.fd, username);
+ con->number, username);
gss_release_name(&minor_status, &client_name);
gss_release_buffer(&minor_status, &output_token);
* to run as the correct user to get Kerberos credentials of its own.
*/
- if (_httpAddrFamily(con->http.hostaddr) == AF_LOCAL)
+ if (httpAddrFamily(con->http->hostaddr) == AF_LOCAL)
{
cupsd_ucred_t peercred; /* Peer credentials */
socklen_t peersize; /* Size of peer credentials */
peersize = sizeof(peercred);
# ifdef __APPLE__
- if (getsockopt(con->http.fd, 0, LOCAL_PEERCRED, &peercred, &peersize))
+ if (getsockopt(httpGetFd(con->http), 0, LOCAL_PEERCRED, &peercred, &peersize))
# else
- if (getsockopt(con->http.fd, SOL_SOCKET, SO_PEERCRED, &peercred,
+ if (getsockopt(httpGetFd(con->http), SOL_SOCKET, SO_PEERCRED, &peercred,
&peersize))
# endif /* __APPLE__ */
{
cupsdLogMessage(CUPSD_LOG_ERROR,
"[Client %d] Unable to get peer credentials - %s",
- con->http.fd, strerror(errno));
+ con->number, strerror(errno));
}
else
{
cupsdLogMessage(CUPSD_LOG_DEBUG,
"[Client %d] Using credentials for UID %d.",
- con->http.fd, CUPSD_UCRED_UID(peercred));
+ con->number, CUPSD_UCRED_UID(peercred));
con->gss_uid = CUPSD_UCRED_UID(peercred);
}
}
cupsdLogMessage(CUPSD_LOG_ERROR,
"[Client %d] Bad authentication data \"%s ...\"",
- con->http.fd, scheme);
+ con->number, scheme);
return;
}
int /* O - 1 if allowed, 0 otherwise */
cupsdCheckAccess(
unsigned ip[4], /* I - Client address */
- char *name, /* I - Client hostname */
+ const char *name, /* I - Client hostname */
int namelen, /* I - Length of hostname */
cupsd_location_t *loc) /* I - Location to check */
{
int /* O - 1 if mask matches, 0 otherwise */
cupsdCheckAuth(unsigned ip[4], /* I - Client address */
- char *name, /* I - Client hostname */
+ const char *name, /* I - Client hostname */
int name_len, /* I - Length of hostname */
cups_array_t *masks) /* I - Masks */
{
int i, /* Looping vars */
auth, /* Authorization status */
type; /* Type of authentication */
+ http_addr_t *hostaddr = httpGetAddress(con->http);
+ /* Client address */
+ const char *hostname = httpGetHostname(con->http, NULL, 0);
+ /* Client hostname */
unsigned address[4]; /* Authorization address */
cupsd_location_t *best; /* Best match for location so far */
int hostlen; /* Length of hostname */
if (!con->best)
{
- if (!strcmp(con->http.hostname, "localhost") ||
- !strcmp(con->http.hostname, ServerName))
+ if (httpAddrLocalhost(httpGetAddress(con->http)) ||
+ !strcmp(hostname, ServerName) ||
+ cupsArrayFind(ServerAlias, (void *)hostname))
return (HTTP_OK);
else
return (HTTP_FORBIDDEN);
*/
#ifdef AF_INET6
- if (con->http.hostaddr->addr.sa_family == AF_INET6)
+ if (httpAddrFamily(hostaddr) == AF_INET6)
{
/*
* Copy IPv6 address...
*/
- address[0] = ntohl(con->http.hostaddr->ipv6.sin6_addr.s6_addr32[0]);
- address[1] = ntohl(con->http.hostaddr->ipv6.sin6_addr.s6_addr32[1]);
- address[2] = ntohl(con->http.hostaddr->ipv6.sin6_addr.s6_addr32[2]);
- address[3] = ntohl(con->http.hostaddr->ipv6.sin6_addr.s6_addr32[3]);
+ address[0] = ntohl(hostaddr->ipv6.sin6_addr.s6_addr32[0]);
+ address[1] = ntohl(hostaddr->ipv6.sin6_addr.s6_addr32[1]);
+ address[2] = ntohl(hostaddr->ipv6.sin6_addr.s6_addr32[2]);
+ address[3] = ntohl(hostaddr->ipv6.sin6_addr.s6_addr32[3]);
}
else
#endif /* AF_INET6 */
- if (con->http.hostaddr->addr.sa_family == AF_INET)
+ if (con->http->hostaddr->addr.sa_family == AF_INET)
{
/*
* Copy IPv4 address...
address[0] = 0;
address[1] = 0;
address[2] = 0;
- address[3] = ntohl(con->http.hostaddr->ipv4.sin_addr.s_addr);
+ address[3] = ntohl(hostaddr->ipv4.sin_addr.s_addr);
}
else
memset(address, 0, sizeof(address));
- hostlen = strlen(con->http.hostname);
+ hostlen = strlen(hostname);
- auth = cupsdCheckAccess(address, con->http.hostname, hostlen, best)
+ auth = cupsdCheckAccess(address, hostname, hostlen, best)
? CUPSD_AUTH_ALLOW : CUPSD_AUTH_DENY;
cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdIsAuthorized: auth=CUPSD_AUTH_%s...",
* See if encryption is required...
*/
- if ((best->encryption >= HTTP_ENCRYPT_REQUIRED && !con->http.tls &&
- _cups_strcasecmp(con->http.hostname, "localhost") &&
+ if ((best->encryption >= HTTP_ENCRYPT_REQUIRED && !con->http->tls &&
+ _cups_strcasecmp(hostname, "localhost") &&
+ !httpAddrLocalhost(hostaddr) &&
best->satisfy == CUPSD_AUTH_SATISFY_ALL) &&
!(type == CUPSD_AUTH_NEGOTIATE ||
(type == CUPSD_AUTH_NONE &&
}
-#if !HAVE_LIBPAM && !defined(HAVE_USERSEC_H)
+#if !HAVE_LIBPAM
/*
* 'cups_crypt()' - Encrypt the password using the DES or MD5 algorithms,
* as needed.
return (crypt(pw, salt));
}
}
-#endif /* !HAVE_LIBPAM && !HAVE_USERSEC_H */
+#endif /* !HAVE_LIBPAM */
/*
DEBUG_printf(("pam_func: appdata_ptr = %p\n", appdata_ptr));
-#ifdef __hpux
- /*
- * Apparently some versions of HP-UX 11 have a broken pam_unix security
- * module. This is a workaround...
- */
-
- data = auth_data;
- (void)appdata_ptr;
-#else
data = (cupsd_authdata_t *)appdata_ptr;
-#endif /* __hpux */
for (i = 0; i < num_msg; i ++)
{
return (PAM_SUCCESS);
}
-#elif !defined(HAVE_USERSEC_H)
+#else
/*
/*
- * End of "$Id: auth.c 7830 2008-08-04 20:38:50Z mike $".
+ * End of "$Id$".
*/