Add some GNU TLS cleanup and debug code; still not working with Mac OS X (any
authormike <mike@7a7537e8-13f0-0310-91df-b6672ffda945>
Fri, 26 Aug 2011 18:13:09 +0000 (18:13 +0000)
committermike <mike@7a7537e8-13f0-0310-91df-b6672ffda945>
Fri, 26 Aug 2011 18:13:09 +0000 (18:13 +0000)
version)...

git-svn-id: svn+ssh://src.apple.com/svn/cups/cups.org/trunk@9923 7a7537e8-13f0-0310-91df-b6672ffda945

cups/http.c
scheduler/client.c

index 6f673808ac39e0915c9e5772f7beb058397d0087..cf9dc74c7a5a4e06421923587a244f4eea140241 100644 (file)
@@ -2186,7 +2186,10 @@ _httpReadGNUTLS(
     size_t               length)       /* I - Number of bytes to read */
 {
   http_t       *http;                  /* HTTP connection */
+  ssize_t      bytes;                  /* Bytes read */
+
 
+  DEBUG_printf(("6_httpReadGNUTLS(ptr=%p, data=%p, length=%d)", ptr, data, (int)length));
 
   http = (http_t *)ptr;
 
@@ -2206,7 +2209,9 @@ _httpReadGNUTLS(
     }
   }
 
-  return (recv(http->fd, data, length, 0));
+  bytes = recv(http->fd, data, length, 0);
+  DEBUG_printf(("6_httpReadGNUTLS: bytes=%d", (int)bytes));
+  return (bytes);
 }
 #endif /* HAVE_SSL && HAVE_GNUTLS */
 
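Review bot: The DEBUG_printf placed between recv() and the return can clobber errno on a failed read, and GnuTLS's pull-callback contract relies on errno (EAGAIN/EINTR) to tell a retryable read from a fatal one, so if DEBUG_printf expands to a real stdio call in debug builds a non-blocking socket can be treated as broken. Preserve it around the log call: `int saved_errno = errno;` before the DEBUG_printf and `errno = saved_errno;` after it (or hand it to GnuTLS explicitly with gnutls_transport_set_errno() before logging). The send() path in _httpWriteGNUTLS below has the same issue. _httpReadGNUTLS's declarations and the opening lines are in the previous hunk.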
@@ -3189,7 +3194,16 @@ _httpWriteGNUTLS(
     const void           *data,                /* I - Data buffer */
     size_t               length)       /* I - Number of bytes to write */
 {
-  return (send(((http_t *)ptr)->fd, data, length, 0));
+  ssize_t bytes;                       /* Bytes written */
+
+
+  DEBUG_printf(("6_httpWriteGNUTLS(ptr=%p, data=%p, length=%d)", ptr, data,
+                (int)length));
+  http_debug_hex("_httpWriteGNUTLS", data, (int)length);
+
+  bytes = send(((http_t *)ptr)->fd, data, length, 0);
+  DEBUG_printf(("_httpWriteGNUTLS: bytes=%d", (int)bytes));
+  return (bytes);
 }
 #endif /* HAVE_SSL && HAVE_GNUTLS */
 
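Review bot: The second debug message is missing the level digit that every other message in this commit carries: `DEBUG_printf(("6_httpWriteGNUTLS: bytes=%d", (int)bytes));` would match `"6_httpReadGNUTLS: bytes=%d"` in the read path, whereas the unprefixed string presumably gets whatever level the DEBUG_printf machinery assigns by default. http_debug_hex() also dumps every outgoing TLS record; that is fine while it is compiled out of release builds, but the `(int)length` cast is worth confirming against its parameter type so a large record is not reported with a truncated length.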
@@ -3866,6 +3880,7 @@ http_setup_ssl(http_t *http)              /* I - Connection to server */
 
   gnutls_init(&http->tls, GNUTLS_CLIENT);
   gnutls_set_default_priority(http->tls);
+  gnutls_server_name_set(http->tls, GNUTLS_NAME_DNS, http->hostname, strlen(http->hostname));
   gnutls_credentials_set(http->tls, GNUTLS_CRD_CERTIFICATE, *credentials);
   gnutls_transport_set_ptr(http->tls, (gnutls_transport_ptr)http);
   gnutls_transport_set_pull_function(http->tls, _httpReadGNUTLS);
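Review bot: gnutls_server_name_set() is called unconditionally with http->hostname and its return value is discarded. RFC 6066 does not allow an IP literal in the SNI HostName, and CUPS servers are commonly addressed by IP, so the call should be skipped when the hostname parses as an IPv4/IPv6 address and its result checked: `if (gnutls_server_name_set(http->tls, GNUTLS_NAME_DNS, http->hostname, strlen(http->hostname)) != GNUTLS_E_SUCCESS)` with at least a DEBUG_printf on failure. It also assumes http->hostname is non-NULL and non-empty here; presumably true for a TCP connection, but worth confirming for the domain-socket case. http_setup_ssl continues outside the hunk on both sides.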
index d5a51114dfadbbb8d48f919bb3b7c13d4527903e..710847e741e5225c48a7837aeebf19032ffe4392 100644 (file)
@@ -3179,9 +3179,10 @@ encrypt_client(cupsd_client_t *con)      /* I - Client to encrypt */
   return (1);
 
 #  elif defined(HAVE_GNUTLS)
-  int          error;                  /* Error code */
+  int          status;                 /* Error code */
   gnutls_certificate_server_credentials *credentials;
                                        /* TLS credentials */
+  const char   *priority;              /* Priority string */
 
 
   cupsdLogMessage(CUPSD_LOG_DEBUG2, "encrypt_client(con=%p(%d))", con,
@@ -3222,18 +3223,34 @@ encrypt_client(cupsd_client_t *con)     /* I - Client to encrypt */
 
   gnutls_init(&con->http.tls, GNUTLS_SERVER);
   gnutls_set_default_priority(con->http.tls);
+  status = gnutls_priority_set_direct(con->http.tls,
+                                      "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:"
+                                      "+VERS-SSL3.0:%COMPAT", &priority);
+  if (status != GNUTLS_E_SUCCESS)
+  {
+    cupsdLogMessage(CUPSD_LOG_ERROR,
+                    "Unable to encrypt connection from %s - %s (%s)",
+                    con->http.hostname, gnutls_strerror(status), priority);
+
+    gnutls_deinit(con->http.tls);
+    gnutls_certificate_free_credentials(*credentials);
+    con->http.tls = NULL;
+    free(credentials);
+    return (0);
+  }
+
   gnutls_credentials_set(con->http.tls, GNUTLS_CRD_CERTIFICATE, *credentials);
   gnutls_transport_set_ptr(con->http.tls, (gnutls_transport_ptr)HTTP(con));
   gnutls_transport_set_pull_function(con->http.tls, _httpReadGNUTLS);
   gnutls_transport_set_push_function(con->http.tls, _httpWriteGNUTLS);
 
-  while ((error = gnutls_handshake(con->http.tls)) != GNUTLS_E_SUCCESS)
+  while ((status = gnutls_handshake(con->http.tls)) != GNUTLS_E_SUCCESS)
   {
-    if (gnutls_error_is_fatal(error))
+    if (gnutls_error_is_fatal(status))
     {
       cupsdLogMessage(CUPSD_LOG_ERROR,
                       "Unable to encrypt connection from %s - %s",
-                      con->http.hostname, gnutls_strerror(error));
+                      con->http.hostname, gnutls_strerror(status));
 
       gnutls_deinit(con->http.tls);
       gnutls_certificate_free_credentials(*credentials);
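Review bot: The hard-coded priority string `"NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:+VERS-SSL3.0:%COMPAT"` disables TLS 1.1 and 1.2 and re-enables SSL 3.0 for every client, turning a workaround for one client into a server-wide protocol downgrade; if it has to stay, put it behind a cupsd.conf setting and default to something like `"NORMAL:%COMPAT"` so newer versions remain negotiable, and drop the now-overridden gnutls_set_default_priority() call just above it. In the error branch, GnuTLS only guarantees that `priority` points at the offending position for parse errors, and the variable is declared without an initializer in the previous hunk, so the trailing `%s` may read an uninitialized pointer on other failures; initialize it to NULL and log it conditionally. The teardown after the priority failure duplicates the one after a fatal handshake and would be cleaner as a single cleanup label reached by goto. The rest of encrypt_client continues past the end of the hunk.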