Sync up GNU TLS and Darwin TLS certificate validation code.
index 0dfe73a9556c2cd4d183f0bb9f03204eb94340be..fa33f8383a31b9d054051315544cc461d87c656d 100644 (file)
@@ -600,10 +600,16 @@ httpCredentialsGetTrust(
 
 
   if (!common_name)
+  {
+    _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("No common name specified."), 1);
     return (HTTP_TRUST_UNKNOWN);
+  }
 
   if ((secCert = http_cdsa_create_credential((http_credential_t *)cupsArrayFirst(credentials))) == NULL)
+  {
+    _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Unable to create credentials from array."), 1);
     return (HTTP_TRUST_UNKNOWN);
+  }
 
   if (cg->any_root < 0)
     _cupsSetDefaults();
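Review bot: The new error text at L16, "Unable to create credentials from array.", is also what a caller sees when `credentials` is empty, since `cupsArrayFirst()` then yields NULL and (presumably) http_cdsa_create_credential() returns NULL for it; whether it instead dereferences a NULL element cannot be told from this hunk and is worth confirming. Separating that case gives the caller a message that names the real problem: `if (cupsArrayCount(credentials) == 0) { _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("No credentials specified."), 1); return (HTTP_TRUST_UNKNOWN); }` placed before the create call. httpCredentialsGetTrust() begins above this hunk, so an earlier NULL check on `credentials` may already exist and would make only the empty-array case new.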
@@ -635,15 +641,28 @@ httpCredentialsGetTrust(
         * Do not trust certificates on first use...
        */
 
+        _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Trust on first use is disabled."), 1);
+
         trust = HTTP_TRUST_INVALID;
       }
-      else if (httpCredentialsGetExpiration(credentials) <= httpCredentialsGetExpiration(tcreds) || !httpCredentialsAreValidForName(credentials, common_name))
+      else if (httpCredentialsGetExpiration(credentials) <= httpCredentialsGetExpiration(tcreds))
       {
        /*
-        * Either the new credentials are not newly issued, or the common name
-       * does not match the issued certificate...
+        * The new credentials are not newly issued...
        */
 
+        _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("New credentials are older than stored credentials."), 1);
+
+        trust = HTTP_TRUST_INVALID;
+      }
+      else if (!httpCredentialsAreValidForName(credentials, common_name))
+      {
+       /*
+        * The common name does not match the issued certificate...
+       */
+
+        _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("New credentials are not valid for name."), 1);
+
         trust = HTTP_TRUST_INVALID;
       }
       else if (httpCredentialsGetExpiration(tcreds) < time(NULL))
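Review bot: The message added at L39, "New credentials are older than stored credentials.", does not match the condition at L31, which uses `<=` and so also rejects a replacement certificate whose expiration equals the stored one; a reissued certificate with the same notAfter is reported as "older". Either the text should say what is checked, `_("New credentials are not newer than stored credentials.")`, or, if equal expirations are meant to be accepted, the comparison should be `<`. Splitting the name check into its own branch at L43 is an improvement since the two failures now get distinct diagnostics. The enclosing if/else chain on `tcreds` starts above this hunk, so the branch that handles credentials identical to the stored ones is not visible here.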
@@ -661,14 +680,27 @@ httpCredentialsGetTrust(
     httpFreeCredentials(tcreds);
   }
   else if (cg->validate_certs && !httpCredentialsAreValidForName(credentials, common_name))
+  {
+    _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("No stored credentials, not valid for name."), 1);
     trust = HTTP_TRUST_INVALID;
+  }
+  else if (!cg->trust_first)
+  {
+    _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Trust on first use is disabled."), 1);
+    trust = HTTP_TRUST_INVALID;
+  }
 
-  if (!cg->expired_certs && !SecCertificateIsValid(secCert, CFAbsoluteTimeGetCurrent()))
+  if (trust == HTTP_TRUST_OK && !cg->expired_certs && !SecCertificateIsValid(secCert, CFAbsoluteTimeGetCurrent()))
+  {
+    _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Credentials have expired."), 1);
     trust = HTTP_TRUST_EXPIRED;
-  else if (!cg->any_root && cupsArrayCount(credentials) == 1)
-    trust = HTTP_TRUST_INVALID;
-  else if (!cg->trust_first)
+  }
+
+  if (trust == HTTP_TRUST_OK && !cg->any_root && cupsArrayCount(credentials) == 1)
+  {
+    _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Self-signed credentials are blocked."), 1);
     trust = HTTP_TRUST_INVALID;
+  }
 
   CFRelease(secCert);