X-Git-Url: http://git.ipfire.org/?a=blobdiff_plain;f=scheduler%2Fcert.c;h=2ac8ed72002abc31750a2482e3b89abe3ff99106;hb=8072030b3c862315c367c73663b27f0427325919;hp=d7ece80fac5498c3040617ab0e17497676fa75fb;hpb=b9faaae17cfc7cd8dfd6e82cf607c05b2f4def68;p=thirdparty%2Fcups.git

diff --git a/scheduler/cert.c b/scheduler/cert.c
index d7ece80fa..2ac8ed720 100644
--- a/scheduler/cert.c
+++ b/scheduler/cert.c
@@ -1,26 +1,14 @@
 /*
- * "$Id: cert.c 7673 2008-06-18 22:31:26Z mike $"
+ * Authentication certificate routines for the CUPS scheduler.
  *
- *   Authentication certificate routines for the Common UNIX
- *   Printing System (CUPS).
+ * Copyright 2007-2015 by Apple Inc.
+ * Copyright 1997-2006 by Easy Software Products.
  *
- *   Copyright 2007-2009 by Apple Inc.
- *   Copyright 1997-2006 by Easy Software Products.
- *
- *   These coded instructions, statements, and computer programs are the
- *   property of Apple Inc. and are protected by Federal copyright
- *   law.  Distribution and use rights are outlined in the file "LICENSE.txt"
- *   which should have been included with this file.  If this file is
- *   file is missing or damaged, see the license at "http://www.cups.org/".
- *
- * Contents:
- *
- *   cupsdAddCert()        - Add a certificate.
- *   cupsdDeleteCert()     - Delete a single certificate.
- *   cupsdDeleteAllCerts() - Delete all certificates...
- *   cupsdFindCert()       - Find a certificate.
- *   cupsdInitCerts()      - Initialize the certificate "system" and root
- *                           certificate.
+ * These coded instructions, statements, and computer programs are the
+ * property of Apple Inc. and are protected by Federal copyright
+ * law.  Distribution and use rights are outlined in the file "LICENSE.txt"
+ * which should have been included with this file.  If this file is
+ * file is missing or damaged, see the license at "http://www.cups.org/".
  */
 
 /*
@@ -36,6 +24,13 @@
 #endif /* HAVE_ACL_INIT */
 
 
+/*
+ * Local functions...
+ */
+
+static int	ctcompare(const char *a, const char *b);
+
+
 /*
  * 'cupsdAddCert()' - Add a certificate.
  */
@@ -43,7 +38,7 @@
 void
 cupsdAddCert(int        pid,		/* I - Process ID */
              const char *username,	/* I - Username */
-             void       *ccache)	/* I - Kerberos credentials or NULL */
+             int        type)		/* I - AuthType for username */
 {
   int		i;			/* Looping var */
   cupsd_cert_t	*cert;			/* Current certificate */
@@ -53,8 +48,7 @@ cupsdAddCert(int        pid,		/* I - Process ID */
 					/* Hex constants... */
 
 
-  cupsdLogMessage(CUPSD_LOG_DEBUG2,
-                  "cupsdAddCert: Adding certificate for PID %d", pid);
+  cupsdLogMessage(CUPSD_LOG_DEBUG, "cupsdAddCert: Adding certificate for PID %d", pid);
 
  /*
   * Allocate memory for the certificate...
@@ -67,11 +61,12 @@ cupsdAddCert(int        pid,		/* I - Process ID */
   * Fill in the certificate information...
   */
 
-  cert->pid = pid;
+  cert->pid  = pid;
+  cert->type = type;
   strlcpy(cert->username, username, sizeof(cert->username));
 
   for (i = 0; i < 32; i ++)
-    cert->certificate[i] = hex[random() & 15];
+    cert->certificate[i] = hex[CUPS_RAND() & 15];
 
  /*
   * Save the certificate to a file readable only by the User and Group
@@ -111,8 +106,7 @@ cupsdAddCert(int        pid,		/* I - Process ID */
     fchmod(fd, 0440);
     fchown(fd, RunUser, SystemGroupIDs[0]);
 
-    cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdAddCert: NumSystemGroups=%d",
-                    NumSystemGroups);
+    cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdAddCert: NumSystemGroups=%d", NumSystemGroups);
 
 #ifdef HAVE_ACL_INIT
     if (NumSystemGroups > 1)
@@ -122,9 +116,11 @@ cupsdAddCert(int        pid,		/* I - Process ID */
       * groups can access it...
       */
 
+      int	j;			/* Looping var */
+
 #  ifdef HAVE_MBR_UID_TO_UUID
      /*
-      * On MacOS X, ACLs use UUIDs instead of GIDs...
+      * On MacmacOS, ACLs use UUIDs instead of GIDs...
       */
 
       acl = acl_init(NumSystemGroups - 1);
@@ -135,6 +131,13 @@ cupsdAddCert(int        pid,		/* I - Process ID */
         * Add each group ID to the ACL...
 	*/
 
+        for (j = 0; j < i; j ++)
+	  if (SystemGroupIDs[j] == SystemGroupIDs[i])
+            break;
+
+        if (j < i)
+          continue;			/* Skip duplicate groups */
+
         acl_create_entry(&acl, &entry);
 	acl_get_permset(entry, &permset);
 	acl_add_perm(permset, ACL_READ_DATA);
@@ -143,6 +146,7 @@ cupsdAddCert(int        pid,		/* I - Process ID */
 	acl_set_qualifier(entry, &group);
 	acl_set_permset(entry, permset);
       }
+
 #  else
      /*
       * POSIX ACLs need permissions for owner, group, other, and mask
@@ -185,6 +189,13 @@ cupsdAddCert(int        pid,		/* I - Process ID */
         * Add each group ID to the ACL...
 	*/
 
+        for (j = 0; j < i; j ++)
+	  if (SystemGroupIDs[j] == SystemGroupIDs[i])
+            break;
+
+        if (j < i)
+          continue;			/* Skip duplicate groups */
+
         acl_create_entry(&acl, &entry);
 	acl_get_permset(entry, &permset);
 	acl_add_perm(permset, ACL_READ);
@@ -197,7 +208,6 @@ cupsdAddCert(int        pid,		/* I - Process ID */
       {
         char *text, *textptr;		/* Temporary string */
 
-
         cupsdLogMessage(CUPSD_LOG_ERROR, "ACL did not validate: %s",
 	                strerror(errno));
         text = acl_to_text(acl, NULL);
@@ -207,7 +217,7 @@ cupsdAddCert(int        pid,		/* I - Process ID */
 	  *textptr = ',';
 
 	cupsdLogMessage(CUPSD_LOG_ERROR, "ACL: %s", text);
-	free(text);
+	acl_free(text);
       }
 #  endif /* HAVE_MBR_UID_TO_UUID */
 
@@ -244,16 +254,6 @@ cupsdAddCert(int        pid,		/* I - Process ID */
   write(fd, cert->certificate, strlen(cert->certificate));
   close(fd);
 
- /*
-  * Add Kerberos credentials as needed...
-  */
-
-#ifdef HAVE_GSSAPI
-  cert->ccache = (krb5_ccache)ccache;
-#else
-  (void)ccache;
-#endif /* HAVE_GSSAPI */
-
  /*
   * Insert the certificate at the front of the list...
   */
@@ -282,8 +282,7 @@ cupsdDeleteCert(int pid)		/* I - Process ID */
       * Remove this certificate from the list...
       */
 
-      cupsdLogMessage(CUPSD_LOG_DEBUG2,
-                      "cupsdDeleteCert: Removing certificate for PID %d", pid);
+      cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdDeleteCert: Removing certificate for PID %d.", pid);
 
       DEBUG_printf(("DELETE pid=%d, username=%s, cert=%s\n", cert->pid,
                     cert->username, cert->certificate));
@@ -293,15 +292,6 @@ cupsdDeleteCert(int pid)		/* I - Process ID */
       else
         prev->next = cert->next;
 
-#ifdef HAVE_GSSAPI
-     /*
-      * Release Kerberos credentials as needed...
-      */
-
-      if (cert->ccache)
-	krb5_cc_destroy(KerberosContext, cert->ccache);
-#endif /* HAVE_GSSAPI */
-
       free(cert);
 
      /*
@@ -366,17 +356,15 @@ cupsdFindCert(const char *certificate)	/* I - Certificate */
   cupsd_cert_t	*cert;			/* Current certificate */
 
 
-  cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdFindCert(certificate=%s)",
-                  certificate);
+  cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdFindCert(certificate=%s)", certificate);
   for (cert = Certs; cert != NULL; cert = cert->next)
-    if (!strcasecmp(certificate, cert->certificate))
+    if (!ctcompare(certificate, cert->certificate))
     {
-      cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdFindCert: Returning %s...",
-                      cert->username);
+      cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdFindCert: Returning \"%s\".", cert->username);
       return (cert);
     }
 
-  cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdFindCert: Certificate not found!");
+  cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdFindCert: Certificate not found.");
 
   return (NULL);
 }
@@ -390,9 +378,8 @@ cupsdFindCert(const char *certificate)	/* I - Certificate */
 void
 cupsdInitCerts(void)
 {
+#ifndef HAVE_ARC4RANDOM
   cups_file_t	*fp;			/* /dev/random file */
-  unsigned	seed;			/* Seed for random number generator */
-  struct timeval tod;			/* Time of day */
 
 
  /*
@@ -402,40 +389,60 @@ cupsdInitCerts(void)
 
   if ((fp = cupsFileOpen("/dev/urandom", "rb")) == NULL)
   {
+    struct timeval tod;			/* Time of day */
+
    /*
     * Get the time in usecs and use it as the initial seed...
     */
 
     gettimeofday(&tod, NULL);
 
-    seed = (unsigned)(tod.tv_sec + tod.tv_usec);
+    CUPS_SRAND((unsigned)(tod.tv_sec + tod.tv_usec));
   }
   else
   {
+    unsigned	seed;			/* Seed for random number generator */
+
    /*
     * Read 4 random characters from the random device and use
     * them as the seed...
     */
 
-    seed = cupsFileGetChar(fp);
-    seed = (seed << 8) | cupsFileGetChar(fp);
-    seed = (seed << 8) | cupsFileGetChar(fp);
-    seed = (seed << 8) | cupsFileGetChar(fp);
+    seed = (unsigned)cupsFileGetChar(fp);
+    seed = (seed << 8) | (unsigned)cupsFileGetChar(fp);
+    seed = (seed << 8) | (unsigned)cupsFileGetChar(fp);
+    CUPS_SRAND((seed << 8) | (unsigned)cupsFileGetChar(fp));
 
     cupsFileClose(fp);
   }
-
-  srandom(seed);
+#endif /* !HAVE_ARC4RANDOM */
 
  /*
   * Create a root certificate and return...
   */
 
   if (!RunUser)
-    cupsdAddCert(0, "root", NULL);
+    cupsdAddCert(0, "root", cupsdDefaultAuthType());
 }
 
 
 /*
- * End of "$Id: cert.c 7673 2008-06-18 22:31:26Z mike $".
+ * 'ctcompare()' - Compare two strings in constant time.
  */
+
+static int				/* O - 0 on match, non-zero on non-match */
+ctcompare(const char *a,		/* I - First string */
+          const char *b)		/* I - Second string */
+{
+  int	result = 0;			/* Result */
+
+
+  while (*a && *b)
+  {
+    result |= *a ^ *b;
+    a ++;
+    b ++;
+  }
+
+  return (result);
+}