/*
- * "$Id: auth.c 7830 2008-08-04 20:38:50Z mike $"
+ * "$Id: auth.c 12604 2015-05-06 01:43:05Z msweet $"
*
- * Authorization routines for the CUPS scheduler.
+ * Authorization routines for the CUPS scheduler.
*
- * Copyright 2007-2011 by Apple Inc.
- * Copyright 1997-2007 by Easy Software Products, all rights reserved.
+ * Copyright 2007-2015 by Apple Inc.
+ * Copyright 1997-2007 by Easy Software Products, all rights reserved.
*
- * This file contains Kerberos support code, copyright 2006 by
- * Jelmer Vernooij.
+ * This file contains Kerberos support code, copyright 2006 by
+ * Jelmer Vernooij.
*
- * These coded instructions, statements, and computer programs are the
- * property of Apple Inc. and are protected by Federal copyright
- * law. Distribution and use rights are outlined in the file "LICENSE.txt"
- * which should have been included with this file. If this file is
- * file is missing or damaged, see the license at "http://www.cups.org/".
- *
- * Contents:
- *
- * cupsdAddIPMask() - Add an IP address authorization mask.
- * cupsdAddLocation() - Add a location for authorization.
- * cupsdAddName() - Add a name to a location...
- * cupsdAddNameMask() - Add a host or interface name authorization
- * mask.
- * cupsdAuthorize() - Validate any authorization credentials.
- * cupsdCheckAccess() - Check whether the given address is allowed to
- * access a location.
- * cupsdCheckAuth() - Check authorization masks.
- * cupsdCheckGroup() - Check for a user's group membership.
- * cupsdCopyKrb5Creds() - Get a copy of the Kerberos credentials.
- * cupsdCopyLocation() - Make a copy of a location...
- * cupsdDeleteAllLocations() - Free all memory used for location
- * authorization.
- * cupsdFindBest() - Find the location entry that best matches the
- * resource.
- * cupsdFindLocation() - Find the named location.
- * cupsdFreeLocation() - Free all memory used by a location.
- * cupsdIsAuthorized() - Check to see if the user is authorized...
- * cupsdNewLocation() - Create a new location for authorization.
- * check_authref() - Check if an authorization services reference
- * has the supplied right.
- * compare_locations() - Compare two locations.
- * copy_authmask() - Copy function for auth masks.
- * cups_crypt() - Encrypt the password using the DES or MD5
- * algorithms, as needed.
- * free_authmask() - Free function for auth masks.
- * get_md5_password() - Get an MD5 password.
- * pam_func() - PAM conversation function.
- * to64() - Base64-encode an integer value...
+ * These coded instructions, statements, and computer programs are the
+ * property of Apple Inc. and are protected by Federal copyright
+ * law. Distribution and use rights are outlined in the file "LICENSE.txt"
+ * which should have been included with this file. If this file is
+ * file is missing or damaged, see the license at "http://www.cups.org/".
*/
/*
# include <security/pam_appl.h>
# endif /* HAVE_PAM_PAM_APPL_H */
#endif /* HAVE_LIBPAM */
-#ifdef HAVE_USERSEC_H
-# include <usersec.h>
-#endif /* HAVE_USERSEC_H */
#ifdef HAVE_MEMBERSHIP_H
# include <membership.h>
#endif /* HAVE_MEMBERSHIP_H */
typedef struct xucred cupsd_ucred_t;
# define CUPSD_UCRED_UID(c) (c).cr_uid
#else
+# ifndef __OpenBSD__
typedef struct ucred cupsd_ucred_t;
+# else
+typedef struct sockpeercred cupsd_ucred_t;
+# endif
# define CUPSD_UCRED_UID(c) (c).uid
#endif /* HAVE_SYS_UCRED_H */
-#ifdef HAVE_KRB5_IPC_CLIENT_SET_TARGET_UID
-/* Not in public headers... */
-extern void krb5_ipc_client_set_target_uid(uid_t);
-extern void krb5_ipc_client_clear_target(void);
-#endif /* HAVE_KRB5_IPC_CLIENT_SET_TARGET_UID */
/*
static int compare_locations(cupsd_location_t *a,
cupsd_location_t *b);
static cupsd_authmask_t *copy_authmask(cupsd_authmask_t *am, void *data);
-#if !HAVE_LIBPAM && !defined(HAVE_USERSEC_H)
+#if !HAVE_LIBPAM
static char *cups_crypt(const char *pw, const char *salt);
-#endif /* !HAVE_LIBPAM && !HAVE_USERSEC_H */
+#endif /* !HAVE_LIBPAM */
static void free_authmask(cupsd_authmask_t *am, void *data);
-static char *get_md5_password(const char *username,
- const char *group, char passwd[33]);
#if HAVE_LIBPAM
static int pam_func(int, const struct pam_message **,
struct pam_response **, void *);
-#elif !defined(HAVE_USERSEC_H)
+#else
static void to64(char *s, unsigned long v, int n);
#endif /* HAVE_LIBPAM */
#if HAVE_LIBPAM
typedef struct cupsd_authdata_s /**** Authentication data ****/
{
- char username[33], /* Username string */
- password[33]; /* Password string */
+ char username[HTTP_MAX_VALUE], /* Username string */
+ password[HTTP_MAX_VALUE]; /* Password string */
} cupsd_authdata_t;
#endif /* HAVE_LIBPAM */
-/*
- * Local globals...
- */
-
-#if defined(__hpux) && HAVE_LIBPAM
-static cupsd_authdata_t *auth_data; /* Current client being authenticated */
-#endif /* __hpux && HAVE_LIBPAM */
-
-
/*
* 'cupsdAddIPMask()' - Add an IP address authorization mask.
*/
"cupsdAddNameMask(masks=%p(%p), name=\"%s\")",
masks, *masks, name);
- if (!strcasecmp(name, "@LOCAL"))
+ if (!_cups_strcasecmp(name, "@LOCAL"))
{
/*
* Deny *interface*...
temp.type = CUPSD_AUTH_INTERFACE;
temp.mask.name.name = (char *)"*";
}
- else if (!strncasecmp(name, "@IF(", 4))
+ else if (!_cups_strncasecmp(name, "@IF(", 4))
{
/*
* Deny *interface*...
int type; /* Authentication type */
const char *authorization; /* Pointer into Authorization string */
char *ptr, /* Pointer into string */
- username[256], /* Username string */
- password[33]; /* Password string */
+ username[HTTP_MAX_VALUE],
+ /* Username string */
+ password[HTTP_MAX_VALUE];
+ /* Password string */
cupsd_cert_t *localuser; /* Certificate username */
- char nonce[HTTP_MAX_VALUE], /* Nonce value from client */
- md5[33], /* MD5 password */
- basicmd5[33]; /* MD5 of Basic password */
- static const char * const states[] = /* HTTP client states... */
- {
- "WAITING",
- "OPTIONS",
- "GET",
- "GET",
- "HEAD",
- "POST",
- "POST",
- "POST",
- "PUT",
- "PUT",
- "DELETE",
- "TRACE",
- "CLOSE",
- "STATUS"
- };
/*
* authentication to expect...
*/
- con->best = cupsdFindBest(con->uri, con->http.state);
+ con->best = cupsdFindBest(con->uri, httpGetState(con->http));
con->type = CUPSD_AUTH_NONE;
cupsdLogMessage(CUPSD_LOG_DEBUG2,
- "cupsdAuthorize: con->uri=\"%s\", con->best=%p(%s)",
- con->uri, con->best, con->best ? con->best->location : "");
+ "[Client %d] con->uri=\"%s\", con->best=%p(%s)",
+ con->number, con->uri, con->best,
+ con->best ? con->best->location : "");
if (con->best && con->best->type != CUPSD_AUTH_NONE)
{
if (con->best->type == CUPSD_AUTH_DEFAULT)
- type = DefaultAuthType;
+ type = cupsdDefaultAuthType();
else
type = con->best->type;
}
else
- type = DefaultAuthType;
+ type = cupsdDefaultAuthType();
/*
* Decode the Authorization string...
*/
- authorization = httpGetField(&con->http, HTTP_FIELD_AUTHORIZATION);
+ authorization = httpGetField(con->http, HTTP_FIELD_AUTHORIZATION);
- cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdAuthorize: Authorization=\"%s\"",
- authorization);
+ cupsdLogMessage(CUPSD_LOG_DEBUG2, "[Client %d] Authorization=\"%s\"",
+ con->number, authorization);
username[0] = '\0';
password[0] = '\0';
+#ifdef HAVE_GSSAPI
+ con->gss_uid = 0;
+#endif /* HAVE_GSSAPI */
+
#ifdef HAVE_AUTHORIZATION_H
if (con->authref)
{
*/
cupsdLogMessage(CUPSD_LOG_DEBUG,
- "cupsdAuthorize: No authentication data provided.");
+ "[Client %d] No authentication data provided.",
+ con->number);
return;
}
#ifdef HAVE_AUTHORIZATION_H
else if (!strncmp(authorization, "AuthRef ", 8) &&
- !strcasecmp(con->http.hostname, "localhost"))
+ httpAddrLocalhost(httpGetAddress(con->http)))
{
OSStatus status; /* Status */
+ char authdata[HTTP_MAX_VALUE];
+ /* Nonce value from client */
int authlen; /* Auth string length */
AuthorizationItemSet *authinfo; /* Authorization item set */
while (isspace(*authorization & 255))
authorization ++;
- authlen = sizeof(nonce);
- httpDecode64_2(nonce, &authlen, authorization);
+ authlen = sizeof(authdata);
+ httpDecode64_2(authdata, &authlen, authorization);
if (authlen != kAuthorizationExternalFormLength)
{
cupsdLogMessage(CUPSD_LOG_ERROR,
- "External Authorization reference size is incorrect!");
+ "[Client %d] External Authorization reference size is "
+ "incorrect.", con->number);
return;
}
- if ((status = AuthorizationCreateFromExternalForm(
- (AuthorizationExternalForm *)nonce, &con->authref)) != 0)
+ if ((status = AuthorizationCreateFromExternalForm((AuthorizationExternalForm *)authdata, &con->authref)) != 0)
{
cupsdLogMessage(CUPSD_LOG_ERROR,
- "AuthorizationCreateFromExternalForm returned %d (%s)",
- (int)status, cssmErrorString(status));
+ "[Client %d] AuthorizationCreateFromExternalForm "
+ "returned %d (%s)", con->number, (int)status,
+ cssmErrorString(status));
return;
}
strlcpy(username, authinfo->items[0].value, sizeof(username));
cupsdLogMessage(CUPSD_LOG_DEBUG,
- "cupsdAuthorize: Authorized as \"%s\" using AuthRef",
- username);
+ "[Client %d] Authorized as \"%s\" using AuthRef",
+ con->number, username);
}
AuthorizationFreeItemSet(authinfo);
peersize = sizeof(peercred);
- if (getsockopt(con->http.fd, 0, LOCAL_PEERCRED, &peercred, &peersize))
+ if (getsockopt(httpGetFd(con->http), 0, LOCAL_PEERCRED, &peercred, &peersize))
{
- cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to get peer credentials - %s",
- strerror(errno));
+ cupsdLogMessage(CUPSD_LOG_ERROR,
+ "[Client %d] Unable to get peer credentials - %s",
+ con->number, strerror(errno));
return;
}
if ((pwd = getpwuid(CUPSD_UCRED_UID(peercred))) == NULL)
{
cupsdLogMessage(CUPSD_LOG_ERROR,
- "Unable to find UID %d for peer credentials.",
+ "[Client %d] Unable to find UID %d for peer "
+ "credentials.", con->number,
(int)CUPSD_UCRED_UID(peercred));
return;
}
strlcpy(username, pwd->pw_name, sizeof(username));
cupsdLogMessage(CUPSD_LOG_DEBUG,
- "cupsdAuthorize: Authorized as \"%s\" using "
- "AuthRef + PeerCred", username);
+ "[Client %d] Authorized as \"%s\" using "
+ "AuthRef + PeerCred", con->number, username);
}
con->type = CUPSD_AUTH_BASIC;
#endif /* HAVE_AUTHORIZATION_H */
#if defined(SO_PEERCRED) && defined(AF_LOCAL)
else if (!strncmp(authorization, "PeerCred ", 9) &&
- con->http.hostaddr->addr.sa_family == AF_LOCAL)
+ con->http->hostaddr->addr.sa_family == AF_LOCAL && con->best)
{
/*
* Use peer credentials from domain socket connection...
struct passwd *pwd; /* Password entry for this user */
cupsd_ucred_t peercred; /* Peer credentials */
socklen_t peersize; /* Size of peer credentials */
+#ifdef HAVE_AUTHORIZATION_H
+ const char *name; /* Authorizing name */
+ int no_peer = 0; /* Don't allow peer credentials? */
+
+ /*
+ * See if we should allow peer credentials...
+ */
+
+ for (name = (char *)cupsArrayFirst(con->best->names);
+ name;
+ name = (char *)cupsArrayNext(con->best->names))
+ {
+ if (!_cups_strncasecmp(name, "@AUTHKEY(", 9) ||
+ !_cups_strcasecmp(name, "@SYSTEM"))
+ {
+ /* Normally don't want peer credentials if we need an auth key... */
+ no_peer = 1;
+ }
+ else if (!_cups_strcasecmp(name, "@OWNER"))
+ {
+ /* but if @OWNER is present then we allow it... */
+ no_peer = 0;
+ break;
+ }
+ }
+ if (no_peer)
+ {
+ cupsdLogMessage(CUPSD_LOG_ERROR,
+ "[Client %d] PeerCred authentication not allowed for "
+ "resource per AUTHKEY policy.", con->number);
+ return;
+ }
+#endif /* HAVE_AUTHORIZATION_H */
if ((pwd = getpwnam(authorization + 9)) == NULL)
{
- cupsdLogMessage(CUPSD_LOG_ERROR, "User \"%s\" does not exist!",
+ cupsdLogMessage(CUPSD_LOG_ERROR,
+ "[Client %d] User \"%s\" does not exist.", con->number,
authorization + 9);
return;
}
peersize = sizeof(peercred);
# ifdef __APPLE__
- if (getsockopt(con->http.fd, 0, LOCAL_PEERCRED, &peercred, &peersize))
+ if (getsockopt(httpGetFd(con->http), 0, LOCAL_PEERCRED, &peercred, &peersize))
# else
- if (getsockopt(con->http.fd, SOL_SOCKET, SO_PEERCRED, &peercred, &peersize))
+ if (getsockopt(httpGetFd(con->http), SOL_SOCKET, SO_PEERCRED, &peercred, &peersize))
# endif /* __APPLE__ */
{
- cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to get peer credentials - %s",
- strerror(errno));
+ cupsdLogMessage(CUPSD_LOG_ERROR,
+ "[Client %d] Unable to get peer credentials - %s",
+ con->number, strerror(errno));
return;
}
if (pwd->pw_uid != CUPSD_UCRED_UID(peercred))
{
cupsdLogMessage(CUPSD_LOG_ERROR,
- "Invalid peer credentials for \"%s\" - got %d, "
- "expected %d!", authorization + 9,
+ "[Client %d] Invalid peer credentials for \"%s\" - got "
+ "%d, expected %d!", con->number, authorization + 9,
CUPSD_UCRED_UID(peercred), pwd->pw_uid);
# ifdef HAVE_SYS_UCRED_H
- cupsdLogMessage(CUPSD_LOG_DEBUG, "cupsdAuthorize: cr_version=%d",
- peercred.cr_version);
- cupsdLogMessage(CUPSD_LOG_DEBUG, "cupsdAuthorize: cr_uid=%d",
- peercred.cr_uid);
- cupsdLogMessage(CUPSD_LOG_DEBUG, "cupsdAuthorize: cr_ngroups=%d",
- peercred.cr_ngroups);
- cupsdLogMessage(CUPSD_LOG_DEBUG, "cupsdAuthorize: cr_groups[0]=%d",
- peercred.cr_groups[0]);
+ cupsdLogMessage(CUPSD_LOG_DEBUG, "[Client %d] cr_version=%d",
+ con->number, peercred.cr_version);
+ cupsdLogMessage(CUPSD_LOG_DEBUG, "[Client %d] cr_uid=%d",
+ con->number, peercred.cr_uid);
+ cupsdLogMessage(CUPSD_LOG_DEBUG, "[Client %d] cr_ngroups=%d",
+ con->number, peercred.cr_ngroups);
+ cupsdLogMessage(CUPSD_LOG_DEBUG, "[Client %d] cr_groups[0]=%d",
+ con->number, peercred.cr_groups[0]);
# endif /* HAVE_SYS_UCRED_H */
return;
}
strlcpy(username, authorization + 9, sizeof(username));
+# ifdef HAVE_GSSAPI
+ con->gss_uid = CUPSD_UCRED_UID(peercred);
+# endif /* HAVE_GSSAPI */
+
cupsdLogMessage(CUPSD_LOG_DEBUG,
- "cupsdAuthorize: Authorized as %s using PeerCred",
+ "[Client %d] Authorized as %s using PeerCred", con->number,
username);
con->type = CUPSD_AUTH_BASIC;
}
#endif /* SO_PEERCRED && AF_LOCAL */
else if (!strncmp(authorization, "Local", 5) &&
- !strcasecmp(con->http.hostname, "localhost"))
+ httpAddrLocalhost(httpGetAddress(con->http)))
{
/*
* Get Local certificate authentication data...
while (isspace(*authorization & 255))
authorization ++;
- if ((localuser = cupsdFindCert(authorization)) != NULL)
- {
- strlcpy(username, localuser->username, sizeof(username));
-
- cupsdLogMessage(CUPSD_LOG_DEBUG,
- "cupsdAuthorize: Authorized as %s using Local",
- username);
- }
- else
+ if ((localuser = cupsdFindCert(authorization)) == NULL)
{
cupsdLogMessage(CUPSD_LOG_ERROR,
- "cupsdAuthorize: Local authentication certificate not "
- "found!");
+ "[Client %d] Local authentication certificate not found.",
+ con->number);
return;
}
-#ifdef HAVE_GSSAPI
- if (localuser->ccache)
- con->type = CUPSD_AUTH_NEGOTIATE;
- else
-#endif /* HAVE_GSSAPI */
- con->type = CUPSD_AUTH_BASIC;
+ strlcpy(username, localuser->username, sizeof(username));
+ con->type = localuser->type;
+
+ cupsdLogMessage(CUPSD_LOG_DEBUG,
+ "[Client %d] Authorized as %s using Local", con->number,
+ username);
}
else if (!strncmp(authorization, "Basic", 5))
{
if ((ptr = strchr(username, ':')) == NULL)
{
- cupsdLogMessage(CUPSD_LOG_ERROR,
- "cupsdAuthorize: Missing Basic password!");
+ cupsdLogMessage(CUPSD_LOG_ERROR, "[Client %d] Missing Basic password.",
+ con->number);
return;
}
* Username must not be empty...
*/
- cupsdLogMessage(CUPSD_LOG_ERROR,
- "cupsdAuthorize: Empty Basic username!");
+ cupsdLogMessage(CUPSD_LOG_ERROR, "[Client %d] Empty Basic username.",
+ con->number);
return;
}
* Password must not be empty...
*/
- cupsdLogMessage(CUPSD_LOG_ERROR,
- "cupsdAuthorize: Empty Basic password!");
+ cupsdLogMessage(CUPSD_LOG_ERROR, "[Client %d] Empty Basic password.",
+ con->number);
return;
}
strlcpy(data.username, username, sizeof(data.username));
strlcpy(data.password, password, sizeof(data.password));
-# if defined(__sun) || defined(__hpux)
+# ifdef __sun
pamdata.conv = (int (*)(int, struct pam_message **,
struct pam_response **,
void *))pam_func;
# else
pamdata.conv = pam_func;
-# endif /* __sun || __hpux */
+# endif /* __sun */
pamdata.appdata_ptr = &data;
-# ifdef __hpux
- /*
- * Workaround for HP-UX bug in pam_unix; see pam_func() below for
- * more info...
- */
-
- auth_data = &data;
-# endif /* __hpux */
-
pamerr = pam_start("cups", username, &pamdata, &pamh);
if (pamerr != PAM_SUCCESS)
{
cupsdLogMessage(CUPSD_LOG_ERROR,
- "cupsdAuthorize: pam_start() returned %d (%s)!",
- pamerr, pam_strerror(pamh, pamerr));
+ "[Client %d] pam_start() returned %d (%s)",
+ con->number, pamerr, pam_strerror(pamh, pamerr));
return;
}
# ifdef HAVE_PAM_SET_ITEM
# ifdef PAM_RHOST
- pamerr = pam_set_item(pamh, PAM_RHOST, con->http.hostname);
+ pamerr = pam_set_item(pamh, PAM_RHOST, con->http->hostname);
if (pamerr != PAM_SUCCESS)
cupsdLogMessage(CUPSD_LOG_WARN,
- "cupsdAuthorize: pam_set_item(PAM_RHOST) "
- "returned %d (%s)!", pamerr,
+ "[Client %d] pam_set_item(PAM_RHOST) "
+ "returned %d (%s)", con->number, pamerr,
pam_strerror(pamh, pamerr));
# endif /* PAM_RHOST */
pamerr = pam_set_item(pamh, PAM_TTY, "cups");
if (pamerr != PAM_SUCCESS)
cupsdLogMessage(CUPSD_LOG_WARN,
- "cupsdAuthorize: pam_set_item(PAM_TTY) "
- "returned %d (%s)!", pamerr,
+ "[Client %d] pam_set_item(PAM_TTY) "
+ "returned %d (%s)!", con->number, pamerr,
pam_strerror(pamh, pamerr));
# endif /* PAM_TTY */
# endif /* HAVE_PAM_SET_ITEM */
if (pamerr != PAM_SUCCESS)
{
cupsdLogMessage(CUPSD_LOG_ERROR,
- "cupsdAuthorize: pam_authenticate() returned %d "
- "(%s)!",
- pamerr, pam_strerror(pamh, pamerr));
+ "[Client %d] pam_authenticate() returned %d (%s)",
+ con->number, pamerr, pam_strerror(pamh, pamerr));
pam_end(pamh, 0);
return;
}
pamerr = pam_setcred(pamh, PAM_ESTABLISH_CRED | PAM_SILENT);
if (pamerr != PAM_SUCCESS)
cupsdLogMessage(CUPSD_LOG_WARN,
- "cupsdAuthorize: pam_setcred() "
- "returned %d (%s)!", pamerr,
+ "[Client %d] pam_setcred() returned %d (%s)",
+ con->number, pamerr,
pam_strerror(pamh, pamerr));
# endif /* HAVE_PAM_SETCRED */
if (pamerr != PAM_SUCCESS)
{
cupsdLogMessage(CUPSD_LOG_ERROR,
- "cupsdAuthorize: pam_acct_mgmt() returned %d "
- "(%s)!",
- pamerr, pam_strerror(pamh, pamerr));
+ "[Client %d] pam_acct_mgmt() returned %d (%s)",
+ con->number, pamerr, pam_strerror(pamh, pamerr));
pam_end(pamh, 0);
return;
}
pam_end(pamh, PAM_SUCCESS);
-#elif defined(HAVE_USERSEC_H)
- /*
- * Use AIX authentication interface...
- */
-
- char *authmsg; /* Authentication message */
- int reenter; /* ??? */
-
-
- cupsdLogMessage(CUPSD_LOG_DEBUG,
- "cupsdAuthorize: AIX authenticate of username "
- "\"%s\"", username);
-
- reenter = 1;
- if (authenticate(username, password, &reenter, &authmsg) != 0)
- {
- cupsdLogMessage(CUPSD_LOG_DEBUG,
- "cupsdAuthorize: Unable to authenticate username "
- "\"%s\": %s",
- username, strerror(errno));
- return;
- }
-
#else
/*
* Use normal UNIX password file-based authentication...
*/
cupsdLogMessage(CUPSD_LOG_ERROR,
- "cupsdAuthorize: Unknown username \"%s\"!",
- username);
+ "[Client %d] Unknown username \"%s\".",
+ con->number, username);
return;
}
*/
cupsdLogMessage(CUPSD_LOG_ERROR,
- "cupsdAuthorize: Username \"%s\" has no shadow "
- "password!", username);
+ "[Client %d] Username \"%s\" has no shadow "
+ "password.", con->number, username);
return;
}
*/
cupsdLogMessage(CUPSD_LOG_ERROR,
- "cupsdAuthorize: Username \"%s\" has no password!",
- username);
+ "[Client %d] Username \"%s\" has no password.",
+ con->number, username);
return;
}
pass = cups_crypt(password, pw->pw_passwd);
cupsdLogMessage(CUPSD_LOG_DEBUG2,
- "cupsdAuthorize: pw_passwd=\"%s\", crypt=\"%s\"",
- pw->pw_passwd, pass);
+ "[Client %d] pw_passwd=\"%s\", crypt=\"%s\"",
+ con->number, pw->pw_passwd, pass);
if (!pass || strcmp(pw->pw_passwd, pass))
{
pass = cups_crypt(password, spw->sp_pwdp);
cupsdLogMessage(CUPSD_LOG_DEBUG2,
- "cupsdAuthorize: sp_pwdp=\"%s\", crypt=\"%s\"",
- spw->sp_pwdp, pass);
+ "[Client %d] sp_pwdp=\"%s\", crypt=\"%s\"",
+ con->number, spw->sp_pwdp, pass);
if (pass == NULL || strcmp(spw->sp_pwdp, pass))
{
cupsdLogMessage(CUPSD_LOG_ERROR,
- "cupsdAuthorize: Authentication failed for "
- "user \"%s\"!",
- username);
+ "[Client %d] Authentication failed for user "
+ "\"%s\".", con->number, username);
return;
}
}
# endif /* HAVE_SHADOW_H */
{
cupsdLogMessage(CUPSD_LOG_ERROR,
- "cupsdAuthorize: Authentication failed for "
- "user \"%s\"!",
- username);
+ "[Client %d] Authentication failed for user "
+ "\"%s\".", con->number, username);
return;
}
}
}
cupsdLogMessage(CUPSD_LOG_DEBUG,
- "cupsdAuthorize: Authorized as %s using Basic",
- username);
+ "[Client %d] Authorized as %s using Basic",
+ con->number, username);
break;
-
- case CUPSD_AUTH_BASICDIGEST :
- /*
- * Do Basic authentication with the Digest password file...
- */
-
- if (!get_md5_password(username, NULL, md5))
- {
- cupsdLogMessage(CUPSD_LOG_ERROR,
- "cupsdAuthorize: Unknown MD5 username \"%s\"!",
- username);
- return;
- }
-
- httpMD5(username, "CUPS", password, basicmd5);
-
- if (strcmp(md5, basicmd5))
- {
- cupsdLogMessage(CUPSD_LOG_ERROR,
- "cupsdAuthorize: Authentication failed for \"%s\"!",
- username);
- return;
- }
-
- cupsdLogMessage(CUPSD_LOG_DEBUG,
- "cupsdAuthorize: Authorized as %s using BasicDigest",
- username);
- break;
}
con->type = type;
}
- else if (!strncmp(authorization, "Digest", 6))
- {
- /*
- * Get the username, password, and nonce from the Digest attributes...
- */
-
- if (!httpGetSubField2(&(con->http), HTTP_FIELD_AUTHORIZATION, "username",
- username, sizeof(username)) || !username[0])
- {
- /*
- * Username must not be empty...
- */
-
- cupsdLogMessage(CUPSD_LOG_ERROR,
- "cupsdAuthorize: Empty or missing Digest username!");
- return;
- }
-
- if (!httpGetSubField2(&(con->http), HTTP_FIELD_AUTHORIZATION, "response",
- password, sizeof(password)) || !password[0])
- {
- /*
- * Password must not be empty...
- */
-
- cupsdLogMessage(CUPSD_LOG_ERROR,
- "cupsdAuthorize: Empty or missing Digest password!");
- return;
- }
-
- if (!httpGetSubField(&(con->http), HTTP_FIELD_AUTHORIZATION, "nonce",
- nonce))
- {
- cupsdLogMessage(CUPSD_LOG_ERROR,
- "cupsdAuthorize: No nonce value for Digest "
- "authentication!");
- return;
- }
-
- if (strcmp(con->http.hostname, nonce))
- {
- cupsdLogMessage(CUPSD_LOG_ERROR,
- "cupsdAuthorize: Bad nonce value, expected \"%s\", "
- "got \"%s\"!", con->http.hostname, nonce);
- return;
- }
-
- /*
- * Validate the username and password...
- */
-
- if (!get_md5_password(username, NULL, md5))
- {
- cupsdLogMessage(CUPSD_LOG_ERROR,
- "cupsdAuthorize: Unknown MD5 username \"%s\"!",
- username);
- return;
- }
-
- httpMD5Final(nonce, states[con->http.state], con->uri, md5);
-
- if (strcmp(md5, password))
- {
- cupsdLogMessage(CUPSD_LOG_ERROR,
- "cupsdAuthorize: Authentication failed for \"%s\"!",
- username);
- return;
- }
-
- cupsdLogMessage(CUPSD_LOG_DEBUG,
- "cupsdAuthorize: Authorized as %s using Digest",
- username);
-
- con->type = CUPSD_AUTH_DIGEST;
- }
#ifdef HAVE_GSSAPI
-# ifdef HAVE_KRB5_IPC_CLIENT_SET_TARGET_UID
- else if (con->http.hostaddr->addr.sa_family == AF_LOCAL &&
- !strncmp(authorization, "Negotiate", 9))
- {
- /*
- * Pull the credentials directly from the user...
- */
-
- krb5_error_code error; /* Kerberos error code */
- cupsd_ucred_t peercred; /* Peer credentials */
- socklen_t peersize; /* Size of peer credentials */
- krb5_ccache peerccache; /* Peer Kerberos credentials */
- krb5_principal peerprncpl; /* Peer's default principal */
- char *peername; /* Peer username */
-
- peersize = sizeof(peercred);
-
-# ifdef __APPLE__
- if (getsockopt(con->http.fd, 0, LOCAL_PEERCRED, &peercred, &peersize))
-# else
- if (getsockopt(con->http.fd, SOL_SOCKET, SO_PEERCRED, &peercred, &peersize))
-# endif /* __APPLE__ */
- {
- cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to get peer credentials - %s",
- strerror(errno));
- return;
- }
-
- cupsdLogMessage(CUPSD_LOG_DEBUG,
- "cupsdAuthorize: Copying credentials for UID %d...",
- CUPSD_UCRED_UID(peercred));
-
- if (!KerberosInitialized)
- {
- /*
- * Setup a Kerberos context for the scheduler to use...
- */
-
- KerberosInitialized = 1;
-
- if (krb5_init_context(&KerberosContext))
- {
- KerberosContext = NULL;
-
- cupsdLogMessage(CUPSD_LOG_ERROR,
- "Unable to initialize Kerberos context");
- return;
- }
- }
-
- krb5_ipc_client_set_target_uid(CUPSD_UCRED_UID(peercred));
-
- if ((error = krb5_cc_default(KerberosContext, &peerccache)) != 0)
- {
- cupsdLogMessage(CUPSD_LOG_ERROR,
- "Unable to get credentials cache for UID %d (%d/%s)",
- (int)CUPSD_UCRED_UID(peercred), error, strerror(errno));
- krb5_ipc_client_clear_target();
- return;
- }
-
- if ((error = krb5_cc_get_principal(KerberosContext, peerccache,
- &peerprncpl)) != 0)
- {
- cupsdLogMessage(CUPSD_LOG_ERROR,
- "Unable to get Kerberos principal for UID %d",
- (int)CUPSD_UCRED_UID(peercred));
- krb5_cc_close(KerberosContext, peerccache);
- krb5_ipc_client_clear_target();
- return;
- }
-
- if ((error = krb5_unparse_name(KerberosContext, peerprncpl,
- &peername)) != 0)
- {
- cupsdLogMessage(CUPSD_LOG_ERROR,
- "Unable to get Kerberos name for UID %d",
- (int)CUPSD_UCRED_UID(peercred));
- krb5_cc_close(KerberosContext, peerccache);
- krb5_ipc_client_clear_target();
- return;
- }
-
- strlcpy(username, peername, sizeof(username));
-
- con->have_gss = 1;
- con->type = CUPSD_AUTH_NEGOTIATE;
-
- free(peername);
-
- cupsdLogMessage(CUPSD_LOG_DEBUG,
- "cupsdAuthorize: Authorized as %s using Negotiate",
- username);
-
- krb5_cc_close(KerberosContext, peerccache);
- krb5_ipc_client_clear_target();
- }
-# endif /* HAVE_KRB5_IPC_CLIENT_SET_TARGET_UID */
else if (!strncmp(authorization, "Negotiate", 9))
{
int len; /* Length of authorization string */
* to use it...
*/
- if (gss_init_sec_context == NULL)
+ if (&gss_init_sec_context == NULL)
{
cupsdLogMessage(CUPSD_LOG_WARN,
- "GSSAPI/Kerberos authentication failed because the "
- "Kerberos framework is not present.");
+ "[Client %d] GSSAPI/Kerberos authentication failed "
+ "because the Kerberos framework is not present.",
+ con->number);
return;
}
# endif /* __APPLE__ */
- con->gss_output_token.length = 0;
-
/*
* Find the start of the Kerberos input token...
*/
if (!*authorization)
{
cupsdLogMessage(CUPSD_LOG_DEBUG2,
- "cupsdAuthorize: No authentication data specified.");
+ "[Client %d] No authentication data specified.",
+ con->number);
return;
}
* Decode the authorization string to get the input token...
*/
- len = strlen(authorization);
- input_token.value = malloc(len);
+ len = (int)strlen(authorization);
+ input_token.value = malloc((size_t)len);
input_token.value = httpDecode64_2(input_token.value, &len,
authorization);
- input_token.length = len;
+ input_token.length = (size_t)len;
/*
* Accept the input token to get the authorization info...
client_name = GSS_C_NO_NAME;
major_status = gss_accept_sec_context(&minor_status,
&context,
- GSS_C_NO_CREDENTIAL,
+ ServerCreds,
&input_token,
GSS_C_NO_CHANNEL_BINDINGS,
&client_name,
NULL,
- &con->gss_output_token,
- &con->gss_flags,
+ &output_token,
+ NULL,
NULL,
- &con->gss_creds);
+ NULL);
+
+ if (output_token.length > 0)
+ gss_release_buffer(&minor_status, &output_token);
if (GSS_ERROR(major_status))
{
cupsdLogGSSMessage(CUPSD_LOG_DEBUG, major_status, minor_status,
- "cupsdAuthorize: Error accepting GSSAPI security "
- "context");
+ "[Client %d] Error accepting GSSAPI security context",
+ con->number);
if (context != GSS_C_NO_CONTEXT)
gss_delete_sec_context(&minor_status, &context, GSS_C_NO_BUFFER);
* Get the username associated with the client's credentials...
*/
- if (!con->gss_creds)
- cupsdLogMessage(CUPSD_LOG_DEBUG,
- "cupsdAuthorize: No delegated credentials!");
-
if (major_status == GSS_S_CONTINUE_NEEDED)
cupsdLogGSSMessage(CUPSD_LOG_DEBUG, major_status, minor_status,
- "cupsdAuthorize: Credentials not complete");
+ "[Client %d] Credentials not complete", con->number);
else if (major_status == GSS_S_COMPLETE)
{
major_status = gss_display_name(&minor_status, client_name,
if (GSS_ERROR(major_status))
{
cupsdLogGSSMessage(CUPSD_LOG_DEBUG, major_status, minor_status,
- "cupsdAuthorize: Error getting username");
- gss_release_cred(&minor_status, &con->gss_creds);
+ "[Client %d] Error getting username", con->number);
gss_release_name(&minor_status, &client_name);
gss_delete_sec_context(&minor_status, &context, GSS_C_NO_BUFFER);
return;
strlcpy(username, output_token.value, sizeof(username));
cupsdLogMessage(CUPSD_LOG_DEBUG,
- "cupsdAuthorize: Authorized as %s using Negotiate",
- username);
+ "[Client %d] Authorized as %s using Negotiate",
+ con->number, username);
gss_release_name(&minor_status, &client_name);
gss_release_buffer(&minor_status, &output_token);
con->type = CUPSD_AUTH_NEGOTIATE;
}
- else
- gss_release_cred(&minor_status, &con->gss_creds);
gss_delete_sec_context(&minor_status, &context, GSS_C_NO_BUFFER);
+
+# if defined(SO_PEERCRED) && defined(AF_LOCAL)
+ /*
+ * Get the client's UID if we are printing locally - that allows a backend
+ * to run as the correct user to get Kerberos credentials of its own.
+ */
+
+ if (httpAddrFamily(con->http->hostaddr) == AF_LOCAL)
+ {
+ cupsd_ucred_t peercred; /* Peer credentials */
+ socklen_t peersize; /* Size of peer credentials */
+
+ peersize = sizeof(peercred);
+
+# ifdef __APPLE__
+ if (getsockopt(httpGetFd(con->http), 0, LOCAL_PEERCRED, &peercred, &peersize))
+# else
+ if (getsockopt(httpGetFd(con->http), SOL_SOCKET, SO_PEERCRED, &peercred,
+ &peersize))
+# endif /* __APPLE__ */
+ {
+ cupsdLogMessage(CUPSD_LOG_ERROR,
+ "[Client %d] Unable to get peer credentials - %s",
+ con->number, strerror(errno));
+ }
+ else
+ {
+ cupsdLogMessage(CUPSD_LOG_DEBUG,
+ "[Client %d] Using credentials for UID %d.",
+ con->number, CUPSD_UCRED_UID(peercred));
+ con->gss_uid = CUPSD_UCRED_UID(peercred);
+ }
+ }
+# endif /* SO_PEERCRED && AF_LOCAL */
}
#endif /* HAVE_GSSAPI */
else
if (sscanf(authorization, "%255s", scheme) != 1)
- strcpy(scheme, "UNKNOWN");
+ strlcpy(scheme, "UNKNOWN", sizeof(scheme));
- cupsdLogMessage(CUPSD_LOG_ERROR, "Bad authentication data \"%s ...\"",
- scheme);
+ cupsdLogMessage(CUPSD_LOG_ERROR,
+ "[Client %d] Bad authentication data \"%s ...\"",
+ con->number, scheme);
return;
}
int /* O - 1 if allowed, 0 otherwise */
cupsdCheckAccess(
unsigned ip[4], /* I - Client address */
- char *name, /* I - Client hostname */
- int namelen, /* I - Length of hostname */
+ const char *name, /* I - Client hostname */
+ size_t namelen, /* I - Length of hostname */
cupsd_location_t *loc) /* I - Location to check */
{
int allow; /* 1 if allowed, 0 otherwise */
- if (!strcasecmp(name, "localhost"))
+ if (!_cups_strcasecmp(name, "localhost"))
{
/*
* Access from localhost (127.0.0.1 or ::1) is always allowed...
int /* O - 1 if mask matches, 0 otherwise */
cupsdCheckAuth(unsigned ip[4], /* I - Client address */
- char *name, /* I - Client hostname */
- int name_len, /* I - Length of hostname */
+ const char *name, /* I - Client hostname */
+ size_t name_len, /* I - Length of hostname */
cups_array_t *masks) /* I - Masks */
{
int i; /* Looping var */
netip6[3] = htonl(ip[3]);
#endif /* AF_INET6 */
+ cupsdNetIFUpdate();
+
if (!strcmp(mask->mask.name.name, "*"))
{
#ifdef __APPLE__
* Check against all local interfaces...
*/
- cupsdNetIFUpdate();
-
for (iface = (cupsd_netif_t *)cupsArrayFirst(NetIFList);
iface;
iface = (cupsd_netif_t *)cupsArrayNext(NetIFList))
* Check for exact name match...
*/
- if (!strcasecmp(name, mask->mask.name.name))
+ if (!_cups_strcasecmp(name, mask->mask.name.name))
return (1);
/*
if (name_len >= mask->mask.name.length &&
mask->mask.name.name[0] == '.' &&
- !strcasecmp(name + name_len - mask->mask.name.length,
+ !_cups_strcasecmp(name + name_len - mask->mask.name.length,
mask->mask.name.name))
return (1);
break;
{
int i; /* Looping var */
struct group *group; /* System group info */
- char junk[33]; /* MD5 password (not used) */
#ifdef HAVE_MBR_UID_TO_UUID
uuid_t useruuid, /* UUID for username */
groupuuid; /* UUID for groupname */
*/
for (i = 0; group->gr_mem[i]; i ++)
- if (!strcasecmp(username, group->gr_mem[i]))
+ if (!_cups_strcasecmp(username, group->gr_mem[i]))
return (1);
}
return (0);
#endif /* HAVE_MBR_UID_TO_UUID */
- /*
- * Username not found, group not found, or user is not part of the
- * system group... Check for a user and group in the MD5 password
- * file...
- */
-
- if (get_md5_password(username, groupname, junk) != NULL)
- return (1);
-
/*
* If we get this far, then the user isn't part of the named group...
*/
}
-#ifdef HAVE_GSSAPI
-/*
- * 'cupsdCopyKrb5Creds()' - Get a copy of the Kerberos credentials.
- */
-
-krb5_ccache /* O - Credentials or NULL */
-cupsdCopyKrb5Creds(cupsd_client_t *con) /* I - Client connection */
-{
-# if !defined(HAVE_KRB5_CC_NEW_UNIQUE) && !defined(HAVE_HEIMDAL)
- cupsdLogMessage(CUPSD_LOG_INFO,
- "Sorry, your version of Kerberos does not support delegated "
- "credentials!");
- return (NULL);
-
-# else
- krb5_ccache ccache = NULL; /* Credentials */
- krb5_error_code error; /* Kerberos error code */
- OM_uint32 major_status, /* Major status code */
- minor_status; /* Minor status code */
- krb5_principal principal; /* Kerberos principal */
-
-
-# ifdef __APPLE__
- /*
- * If the weak-linked GSSAPI/Kerberos library is not present, don't try
- * to use it...
- */
-
- if (krb5_init_context == NULL)
- return (NULL);
-# endif /* __APPLE__ */
-
- if (!KerberosInitialized)
- {
- /*
- * Setup a Kerberos context for the scheduler to use...
- */
-
- KerberosInitialized = 1;
-
- if (krb5_init_context(&KerberosContext))
- {
- KerberosContext = NULL;
-
- cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to initialize Kerberos context");
- return (NULL);
- }
- }
-
- /*
- * We MUST create a file-based cache because memory-based caches are
- * only valid for the current process/address space.
- *
- * Due to various bugs/features in different versions of Kerberos, we
- * need either the krb5_cc_new_unique() function or Heimdal's version
- * of krb5_cc_gen_new() to create a new FILE: credential cache that
- * can be passed to the backend. These functions create a temporary
- * file (typically in /tmp) containing the cached credentials, which
- * are removed when we have successfully printed a job.
- */
-
-# ifdef HAVE_KRB5_CC_NEW_UNIQUE
- if ((error = krb5_cc_new_unique(KerberosContext, "FILE", NULL, &ccache)) != 0)
-# else /* HAVE_HEIMDAL */
- if ((error = krb5_cc_gen_new(KerberosContext, &krb5_fcc_ops, &ccache)) != 0)
-# endif /* HAVE_KRB5_CC_NEW_UNIQUE */
- {
- cupsdLogMessage(CUPSD_LOG_ERROR,
- "Unable to create new credentials cache (%d/%s)",
- error, strerror(errno));
- return (NULL);
- }
-
- if ((error = krb5_parse_name(KerberosContext, con->username, &principal)) != 0)
- {
- cupsdLogMessage(CUPSD_LOG_ERROR,
- "Unable to parse kerberos username (%d/%s)", error,
- strerror(errno));
- krb5_cc_destroy(KerberosContext, ccache);
- return (NULL);
- }
-
- if ((error = krb5_cc_initialize(KerberosContext, ccache, principal)))
- {
- cupsdLogMessage(CUPSD_LOG_ERROR,
- "Unable to initialize credentials cache (%d/%s)", error,
- strerror(errno));
- krb5_cc_destroy(KerberosContext, ccache);
- krb5_free_principal(KerberosContext, principal);
- return (NULL);
- }
-
- krb5_free_principal(KerberosContext, principal);
-
- /*
- * Copy the user's credentials to the new cache file...
- */
-
-# ifdef HAVE_KRB5_IPC_CLIENT_SET_TARGET_UID
- if (con->http.hostaddr->addr.sa_family == AF_LOCAL &&
- !(con->gss_flags & GSS_C_DELEG_FLAG))
- {
- /*
- * Pull the credentials directly from the user...
- */
-
- cupsd_ucred_t peercred; /* Peer credentials */
- socklen_t peersize; /* Size of peer credentials */
- krb5_ccache peerccache; /* Peer Kerberos credentials */
-
- peersize = sizeof(peercred);
-
-# ifdef __APPLE__
- if (getsockopt(con->http.fd, 0, LOCAL_PEERCRED, &peercred, &peersize))
-# else
- if (getsockopt(con->http.fd, SOL_SOCKET, SO_PEERCRED, &peercred, &peersize))
-# endif /* __APPLE__ */
- {
- cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to get peer credentials - %s",
- strerror(errno));
- krb5_cc_destroy(KerberosContext, ccache);
- return (NULL);
- }
-
- cupsdLogMessage(CUPSD_LOG_DEBUG,
- "cupsdCopyKrb5Creds: Copying credentials for UID %d...",
- CUPSD_UCRED_UID(peercred));
-
- krb5_ipc_client_set_target_uid(CUPSD_UCRED_UID(peercred));
-
- if ((error = krb5_cc_default(KerberosContext, &peerccache)) != 0)
- {
- cupsdLogMessage(CUPSD_LOG_ERROR,
- "Unable to get credentials cache for UID %d (%d/%s)",
- (int)CUPSD_UCRED_UID(peercred), error, strerror(errno));
- krb5_cc_destroy(KerberosContext, ccache);
- return (NULL);
- }
-
- error = krb5_cc_copy_creds(KerberosContext, peerccache, ccache);
- krb5_cc_close(KerberosContext, peerccache);
- krb5_ipc_client_clear_target();
-
- if (error)
- {
- cupsdLogMessage(CUPSD_LOG_ERROR,
- "Unable to copy credentials cache for UID %d (%d/%s)",
- (int)CUPSD_UCRED_UID(peercred), error, strerror(errno));
- krb5_cc_destroy(KerberosContext, ccache);
- return (NULL);
- }
- }
- else
-# endif /* HAVE_KRB5_IPC_CLIENT_SET_TARGET_UID */
- {
- major_status = gss_krb5_copy_ccache(&minor_status, con->gss_creds, ccache);
-
- if (GSS_ERROR(major_status))
- {
- cupsdLogGSSMessage(CUPSD_LOG_ERROR, major_status, minor_status,
- "Unable to copy client credentials cache");
- krb5_cc_destroy(KerberosContext, ccache);
- return (NULL);
- }
- }
-
- return (ccache);
-# endif /* !HAVE_KRB5_CC_NEW_UNIQUE && !HAVE_HEIMDAL */
-}
-#endif /* HAVE_GSSAPI */
-
-
/*
* 'cupsdCopyLocation()' - Make a copy of a location...
*/
if (loc->location)
temp->location = _cupsStrAlloc(loc->location);
+ temp->length = loc->length;
temp->limit = loc->limit;
temp->order_type = loc->order_type;
temp->type = loc->type;
*uriptr; /* Pointer into URI */
cupsd_location_t *loc, /* Current location */
*best; /* Best match for location so far */
- int bestlen; /* Length of best match */
+ size_t bestlen; /* Length of best match */
int limit; /* Limit field */
static const int limits[] = /* Map http_status_t to CUPSD_AUTH_LIMIT_xyz */
{
CUPSD_AUTH_LIMIT_DELETE,
CUPSD_AUTH_LIMIT_TRACE,
CUPSD_AUTH_LIMIT_ALL,
+ CUPSD_AUTH_LIMIT_ALL,
+ CUPSD_AUTH_LIMIT_ALL,
CUPSD_AUTH_LIMIT_ALL
};
*uriptr = '\0';
}
- cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdFindBest: uri = \"%s\"...", uri);
+ if ((uriptr = strchr(uri, '?')) != NULL)
+ *uriptr = '\0'; /* Drop trailing query string */
+
+ if ((uriptr = uri + strlen(uri) - 1) > uri && *uriptr == '/')
+ *uriptr = '\0'; /* Remove trailing '/' */
/*
* Loop through the list of locations to find a match...
best = NULL;
bestlen = 0;
+ cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdFindBest: uri = \"%s\", limit=%x...", uri, limit);
+
+
for (loc = (cupsd_location_t *)cupsArrayFirst(Locations);
loc;
loc = (cupsd_location_t *)cupsArrayNext(Locations))
{
- cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdFindBest: Location %s Limit %x",
- loc->location ? loc->location : "nil", loc->limit);
+ cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdFindBest: Location %s(%d) Limit %x", loc->location ? loc->location : "(null)", (int)loc->length, loc->limit);
if (!strncmp(uri, "/printers/", 10) || !strncmp(uri, "/classes/", 9))
{
*/
if (loc->length > bestlen && loc->location &&
- !strncasecmp(uri, loc->location, loc->length) &&
+ !_cups_strncasecmp(uri, loc->location, loc->length) &&
loc->location[0] == '/' &&
(limit & loc->limit) != 0)
{
int i, /* Looping vars */
auth, /* Authorization status */
type; /* Type of authentication */
+ http_addr_t *hostaddr = httpGetAddress(con->http);
+ /* Client address */
+ const char *hostname = httpGetHostname(con->http, NULL, 0);
+ /* Client hostname */
unsigned address[4]; /* Authorization address */
cupsd_location_t *best; /* Best match for location so far */
- int hostlen; /* Length of hostname */
+ size_t hostlen; /* Length of hostname */
char *name, /* Current username */
username[256], /* Username to authorize */
ownername[256], /* Owner name to authorize */
{
"None",
"Basic",
- "Digest",
- "BasicDigest",
"Negotiate"
};
if (!con->best)
{
- if (!strcmp(con->http.hostname, "localhost") ||
- !strcmp(con->http.hostname, ServerName))
+ if (httpAddrLocalhost(httpGetAddress(con->http)) ||
+ !strcmp(hostname, ServerName) ||
+ cupsArrayFind(ServerAlias, (void *)hostname))
return (HTTP_OK);
else
return (HTTP_FORBIDDEN);
best = con->best;
if ((type = best->type) == CUPSD_AUTH_DEFAULT)
- type = DefaultAuthType;
+ type = cupsdDefaultAuthType();
cupsdLogMessage(CUPSD_LOG_DEBUG2,
"cupsdIsAuthorized: level=CUPSD_AUTH_%s, type=%s, "
*/
#ifdef AF_INET6
- if (con->http.hostaddr->addr.sa_family == AF_INET6)
+ if (httpAddrFamily(hostaddr) == AF_INET6)
{
/*
* Copy IPv6 address...
*/
- address[0] = ntohl(con->http.hostaddr->ipv6.sin6_addr.s6_addr32[0]);
- address[1] = ntohl(con->http.hostaddr->ipv6.sin6_addr.s6_addr32[1]);
- address[2] = ntohl(con->http.hostaddr->ipv6.sin6_addr.s6_addr32[2]);
- address[3] = ntohl(con->http.hostaddr->ipv6.sin6_addr.s6_addr32[3]);
+ address[0] = ntohl(hostaddr->ipv6.sin6_addr.s6_addr32[0]);
+ address[1] = ntohl(hostaddr->ipv6.sin6_addr.s6_addr32[1]);
+ address[2] = ntohl(hostaddr->ipv6.sin6_addr.s6_addr32[2]);
+ address[3] = ntohl(hostaddr->ipv6.sin6_addr.s6_addr32[3]);
}
else
#endif /* AF_INET6 */
- if (con->http.hostaddr->addr.sa_family == AF_INET)
+ if (con->http->hostaddr->addr.sa_family == AF_INET)
{
/*
* Copy IPv4 address...
address[0] = 0;
address[1] = 0;
address[2] = 0;
- address[3] = ntohl(con->http.hostaddr->ipv4.sin_addr.s_addr);
+ address[3] = ntohl(hostaddr->ipv4.sin_addr.s_addr);
}
else
memset(address, 0, sizeof(address));
- hostlen = strlen(con->http.hostname);
+ hostlen = strlen(hostname);
- auth = cupsdCheckAccess(address, con->http.hostname, hostlen, best)
+ auth = cupsdCheckAccess(address, hostname, hostlen, best)
? CUPSD_AUTH_ALLOW : CUPSD_AUTH_DENY;
cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdIsAuthorized: auth=CUPSD_AUTH_%s...",
* See if encryption is required...
*/
- if ((best->encryption >= HTTP_ENCRYPT_REQUIRED && !con->http.tls &&
- strcasecmp(con->http.hostname, "localhost") &&
+ if ((best->encryption >= HTTP_ENCRYPT_REQUIRED && !con->http->tls &&
+ _cups_strcasecmp(hostname, "localhost") &&
+ !httpAddrLocalhost(hostaddr) &&
best->satisfy == CUPSD_AUTH_SATISFY_ALL) &&
!(type == CUPSD_AUTH_NEGOTIATE ||
- (type == CUPSD_AUTH_NONE && DefaultAuthType == CUPSD_AUTH_NEGOTIATE)))
+ (type == CUPSD_AUTH_NONE &&
+ cupsdDefaultAuthType() == CUPSD_AUTH_NEGOTIATE)))
{
cupsdLogMessage(CUPSD_LOG_DEBUG,
"cupsdIsAuthorized: Need upgrade to TLS...");
return (HTTP_OK); /* unless overridden with Satisfy */
}
+
if (con->type != type && type != CUPSD_AUTH_NONE &&
- (con->type != CUPSD_AUTH_BASIC || type != CUPSD_AUTH_BASICDIGEST))
+#ifdef HAVE_GSSAPI
+ (type != CUPSD_AUTH_NEGOTIATE || con->gss_uid <= 0) &&
+#endif /* HAVE_GSSAPI */
+ con->type != CUPSD_AUTH_BASIC)
{
- cupsdLogMessage(CUPSD_LOG_ERROR, "Authorized using %s, expected %s!",
+ cupsdLogMessage(CUPSD_LOG_ERROR, "Authorized using %s, expected %s.",
types[con->type], types[type]);
return (HTTP_UNAUTHORIZED);
name;
name = (char *)cupsArrayNext(best->names))
{
- if (!strncasecmp(name, "@AUTHKEY(", 9) && check_authref(con, name + 9))
+ if (!_cups_strncasecmp(name, "@AUTHKEY(", 9) && check_authref(con, name + 9))
return (HTTP_OK);
- else if (!strcasecmp(name, "@SYSTEM") && SystemGroupAuthKey &&
+ else if (!_cups_strcasecmp(name, "@SYSTEM") && SystemGroupAuthKey &&
check_authref(con, SystemGroupAuthKey))
return (HTTP_OK);
}
name;
name = (char *)cupsArrayNext(best->names))
{
- if (!strcasecmp(name, "@OWNER") && owner &&
- !strcasecmp(username, ownername))
+ if (!_cups_strcasecmp(name, "@OWNER") && owner &&
+ !_cups_strcasecmp(username, ownername))
return (HTTP_OK);
- else if (!strcasecmp(name, "@SYSTEM"))
+ else if (!_cups_strcasecmp(name, "@SYSTEM"))
{
for (i = 0; i < NumSystemGroups; i ++)
if (cupsdCheckGroup(username, pw, SystemGroups[i]))
if (cupsdCheckGroup(username, pw, name + 1))
return (HTTP_OK);
}
- else if (!strcasecmp(username, name))
+ else if (!_cups_strcasecmp(username, name))
return (HTTP_OK);
}
- return (HTTP_FORBIDDEN);
+ return (con->username[0] ? HTTP_FORBIDDEN : HTTP_UNAUTHORIZED);
}
/*
"cupsdIsAuthorized: Checking group \"%s\" membership...",
name);
- if (!strcasecmp(name, "@SYSTEM"))
+ if (!_cups_strcasecmp(name, "@SYSTEM"))
{
for (i = 0; i < NumSystemGroups; i ++)
if (cupsdCheckGroup(username, pw, SystemGroups[i]))
cupsdLogMessage(CUPSD_LOG_DEBUG,
"cupsdIsAuthorized: User not in group(s)!");
- return (HTTP_FORBIDDEN);
+ return (con->username[0] ? HTTP_FORBIDDEN : HTTP_UNAUTHORIZED);
}
}
-#if !HAVE_LIBPAM && !defined(HAVE_USERSEC_H)
+#if !HAVE_LIBPAM
/*
* 'cups_crypt()' - Encrypt the password using the DES or MD5 algorithms,
* as needed.
* Copy the final sum to the result string and return...
*/
- memcpy(result, salt, salt_end - salt);
+ memcpy(result, salt, (size_t)(salt_end - salt));
ptr = result + (salt_end - salt);
*ptr++ = '$';
for (i = 0; i < 5; i ++, ptr += 4)
{
- n = (((digest[i] << 8) | digest[i + 6]) << 8);
+ n = ((((unsigned)digest[i] << 8) | (unsigned)digest[i + 6]) << 8);
if (i < 4)
- n |= digest[i + 12];
+ n |= (unsigned)digest[i + 12];
else
- n |= digest[5];
+ n |= (unsigned)digest[5];
to64(ptr, n, 4);
}
- to64(ptr, digest[11], 2);
+ to64(ptr, (unsigned)digest[11], 2);
ptr += 2;
*ptr = '\0';
return (crypt(pw, salt));
}
}
-#endif /* !HAVE_LIBPAM && !HAVE_USERSEC_H */
+#endif /* !HAVE_LIBPAM */
/*
}
-/*
- * 'get_md5_password()' - Get an MD5 password.
- */
-
-static char * /* O - MD5 password string */
-get_md5_password(const char *username, /* I - Username */
- const char *group, /* I - Group */
- char passwd[33]) /* O - MD5 password string */
-{
- cups_file_t *fp; /* passwd.md5 file */
- char filename[1024], /* passwd.md5 filename */
- line[256], /* Line from file */
- tempuser[33], /* User from file */
- tempgroup[33]; /* Group from file */
-
-
- cupsdLogMessage(CUPSD_LOG_DEBUG2,
- "get_md5_password(username=\"%s\", group=\"%s\", passwd=%p)",
- username, group ? group : "(null)", passwd);
-
- snprintf(filename, sizeof(filename), "%s/passwd.md5", ServerRoot);
- if ((fp = cupsFileOpen(filename, "r")) == NULL)
- {
- if (errno != ENOENT)
- cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to open %s - %s", filename,
- strerror(errno));
-
- return (NULL);
- }
-
- while (cupsFileGets(fp, line, sizeof(line)) != NULL)
- {
- if (sscanf(line, "%32[^:]:%32[^:]:%32s", tempuser, tempgroup, passwd) != 3)
- {
- cupsdLogMessage(CUPSD_LOG_ERROR, "Bad MD5 password line: %s", line);
- continue;
- }
-
- if (!strcmp(username, tempuser) &&
- (group == NULL || !strcmp(group, tempgroup)))
- {
- /*
- * Found the password entry!
- */
-
- cupsdLogMessage(CUPSD_LOG_DEBUG2, "Found MD5 user %s, group %s...",
- username, tempgroup);
-
- cupsFileClose(fp);
- return (passwd);
- }
- }
-
- /*
- * Didn't find a password entry - return NULL!
- */
-
- cupsFileClose(fp);
- return (NULL);
-}
-
-
#if HAVE_LIBPAM
/*
* 'pam_func()' - PAM conversation function.
* Allocate memory for the responses...
*/
- if ((replies = malloc(sizeof(struct pam_response) * num_msg)) == NULL)
+ if ((replies = malloc(sizeof(struct pam_response) * (size_t)num_msg)) == NULL)
return (PAM_CONV_ERR);
/*
DEBUG_printf(("pam_func: appdata_ptr = %p\n", appdata_ptr));
-#ifdef __hpux
- /*
- * Apparently some versions of HP-UX 11 have a broken pam_unix security
- * module. This is a workaround...
- */
-
- data = auth_data;
- (void)appdata_ptr;
-#else
data = (cupsd_authdata_t *)appdata_ptr;
-#endif /* __hpux */
for (i = 0; i < num_msg; i ++)
{
return (PAM_SUCCESS);
}
-#elif !defined(HAVE_USERSEC_H)
+#else
/*
/*
- * End of "$Id: auth.c 7830 2008-08-04 20:38:50Z mike $".
+ * End of "$Id: auth.c 12604 2015-05-06 01:43:05Z msweet $".
*/