[thirdparty/cups.git] / cups / auth.c

/*
 * "$Id: auth.c 177 2006-06-21 00:20:03Z jlovell $"
 *
 *   Authentication functions for the Common UNIX Printing System (CUPS).
 *
 *   Copyright 1997-2006 by Easy Software Products.
 *
 *   These coded instructions, statements, and computer programs are the
 *   property of Easy Software Products and are protected by Federal
 *   copyright law.  Distribution and use rights are outlined in the file
 *   "LICENSE.txt" which should have been included with this file.  If this
 *   file is missing or damaged please contact Easy Software Products
 *   at:
 *
 *       Attn: CUPS Licensing Information
 *       Easy Software Products
 *       44141 Airport View Drive, Suite 204
 *       Hollywood, Maryland 20636 USA
 *
 *       Voice: (301) 373-9600
 *       EMail: cups-info@cups.org
 *         WWW: http://www.cups.org
 *
 *   This file is subject to the Apple OS-Developed Software exception.
 *
 * Contents:
 *
 *   cupsDoAuthentication() - Authenticate a request.
 *   cups_local_auth()      - Get the local authorization certificate if
 *                            available/applicable...
 */

/*
 * Include necessary headers...
 */

#include "globals.h"
#include "debug.h"
#include <stdlib.h>
#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
#include <sys/stat.h>
#if defined(WIN32) || defined(__EMX__)
#  include <io.h>
#else
#  include <unistd.h>
#endif /* WIN32 || __EMX__ */


/*
 * Local functions...
 */

static int	cups_local_auth(http_t *http);


/*
 * 'cupsDoAuthentication()' - Authenticate a request.
 *
 * This function should be called in response to a HTTP_UNAUTHORIZED
 * status, prior to resubmitting your request.
 *
 * @since CUPS 1.1.20@
 */

int					/* O - 0 on success, -1 on error */
cupsDoAuthentication(http_t     *http,	/* I - HTTP connection to server */
                     const char *method,/* I - Request method (GET, POST, PUT) */
		     const char *resource)
					/* I - Resource path */
{
  const char	*password;		/* Password string */
  char		prompt[1024],		/* Prompt for user */
		realm[HTTP_MAX_VALUE],	/* realm="xyz" string */
		nonce[HTTP_MAX_VALUE],	/* nonce="xyz" string */
		encode[512];		/* Encoded username:password */


  DEBUG_printf(("cupsDoAuthentication(http=%p, method=\"%s\", resource=\"%s\")\n",
                http, method, resource));
  DEBUG_printf(("cupsDoAuthentication: digest_tries=%d, userpass=\"%s\"\n",
                http->digest_tries, http->userpass));

 /*
  * Clear the current authentication string...
  */

  http->authstring[0] = '\0';

 /*
  * See if we can do local authentication...
  */

  if (http->digest_tries < 3 && !cups_local_auth(http))
  {
    DEBUG_printf(("cupsDoAuthentication: authstring=\"%s\"\n", http->authstring));

    if (http->status == HTTP_UNAUTHORIZED)
      http->digest_tries ++;

    return (0);
  }

 /*
  * Nope, see if we should retry the current username:password...
  */

  if (http->digest_tries > 1 || !http->userpass[0])
  {
   /*
    * Nope - get a new password from the user...
    */

    snprintf(prompt, sizeof(prompt), _("Password for %s on %s? "), cupsUser(),
             http->hostname[0] == '/' ? "localhost" : http->hostname);

    http->digest_tries  = strncasecmp(http->fields[HTTP_FIELD_WWW_AUTHENTICATE],
                                      "Digest", 5) != 0;
    http->userpass[0]   = '\0';

    if ((password = cupsGetPassword(prompt)) == NULL)
      return (-1);

    if (!password[0])
      return (-1);

    snprintf(http->userpass, sizeof(http->userpass), "%s:%s", cupsUser(),
             password);
  }
  else if (http->status == HTTP_UNAUTHORIZED)
    http->digest_tries ++;

 /*
  * Got a password; encode it for the server...
  */

  if (strncmp(http->fields[HTTP_FIELD_WWW_AUTHENTICATE], "Digest", 6))
  {
   /*
    * Basic authentication...
    */

    httpEncode64_2(encode, sizeof(encode), http->userpass,
                   strlen(http->userpass));
    snprintf(http->authstring, sizeof(http->authstring), "Basic %s", encode);
  }
  else
  {
   /*
    * Digest authentication...
    */

    httpGetSubField(http, HTTP_FIELD_WWW_AUTHENTICATE, "realm", realm);
    httpGetSubField(http, HTTP_FIELD_WWW_AUTHENTICATE, "nonce", nonce);

    httpMD5(cupsUser(), realm, strchr(http->userpass, ':') + 1, encode);
    httpMD5Final(nonce, method, resource, encode);
    snprintf(http->authstring, sizeof(http->authstring),
	     "Digest username=\"%s\", realm=\"%s\", nonce=\"%s\", "
	     "uri=\"%s\", response=\"%s\"", cupsUser(), realm, nonce,
	     resource, encode);
  }

  DEBUG_printf(("cupsDoAuthentication: authstring=\"%s\"\n", http->authstring));

  return (0);
}


/*
 * 'cups_local_auth()' - Get the local authorization certificate if
 *                       available/applicable...
 */

static int				/* O - 0 if available, -1 if not */
cups_local_auth(http_t *http)		/* I - HTTP connection to server */
{
#if defined(WIN32) || defined(__EMX__)
 /*
  * Currently WIN32 and OS-2 do not support the CUPS server...
  */

  return (-1);
#else
  int		pid;			/* Current process ID */
  FILE		*fp;			/* Certificate file */
  char		filename[1024],		/* Certificate filename */
		certificate[33];	/* Certificate string */
  _cups_globals_t *cg = _cupsGlobals();	/* Global data */


  DEBUG_printf(("cups_local_auth(http=%p) hostaddr=%s, hostname=\"%s\"\n",
                http, httpAddrString(http->hostaddr, filename, sizeof(filename)), http->hostname));

 /*
  * See if we are accessing localhost...
  */

  if (!httpAddrLocalhost(http->hostaddr) &&
      strcasecmp(http->hostname, "localhost") != 0)
  {
    DEBUG_puts("cups_local_auth: Not a local connection!");
    return (-1);
  }

 /*
  * Try opening a certificate file for this PID.  If that fails,
  * try the root certificate...
  */

  pid = getpid();
  snprintf(filename, sizeof(filename), "%s/certs/%d", cg->cups_statedir, pid);
  if ((fp = fopen(filename, "r")) == NULL && pid > 0)
  {
    DEBUG_printf(("cups_local_auth: Unable to open file %s: %s\n",
                  filename, strerror(errno)));

    snprintf(filename, sizeof(filename), "%s/certs/0", cg->cups_statedir);
    fp = fopen(filename, "r");
  }

  if (fp == NULL)
  {
    DEBUG_printf(("cups_local_auth: Unable to open file %s: %s\n",
                  filename, strerror(errno)));
    return (-1);
  }

 /*
  * Read the certificate from the file...
  */

  fgets(certificate, sizeof(certificate), fp);
  fclose(fp);

 /*
  * Set the authorization string and return...
  */

  snprintf(http->authstring, sizeof(http->authstring), "Local %s", certificate);

  DEBUG_printf(("cups_local_auth: Returning authstring = \"%s\"\n",
                http->authstring));

  return (0);
#endif /* WIN32 || __EMX__ */
}


/*
 * End of "$Id: auth.c 177 2006-06-21 00:20:03Z jlovell $".
 */
Commit	Line	Data
ef416fc2	1	/*
c07d5b2d	2	* "$Id: auth.c 177 2006-06-21 00:20:03Z jlovell $"
ef416fc2	3	*
	4	* Authentication functions for the Common UNIX Printing System (CUPS).
	5	*
	6	* Copyright 1997-2006 by Easy Software Products.
	7	*
	8	* These coded instructions, statements, and computer programs are the
	9	* property of Easy Software Products and are protected by Federal
	10	* copyright law. Distribution and use rights are outlined in the file
	11	* "LICENSE.txt" which should have been included with this file. If this
	12	* file is missing or damaged please contact Easy Software Products
	13	* at:
	14	*
	15	* Attn: CUPS Licensing Information
	16	* Easy Software Products
	17	* 44141 Airport View Drive, Suite 204
	18	* Hollywood, Maryland 20636 USA
	19	*
	20	* Voice: (301) 373-9600
	21	* EMail: cups-info@cups.org
	22	* WWW: http://www.cups.org
	23	*
	24	* This file is subject to the Apple OS-Developed Software exception.
	25	*
	26	* Contents:
	27	*
	28	* cupsDoAuthentication() - Authenticate a request.
	29	* cups_local_auth() - Get the local authorization certificate if
	30	* available/applicable...
	31	*/
	32
	33	/*
	34	* Include necessary headers...
	35	*/
	36
	37	#include "globals.h"
	38	#include "debug.h"
	39	#include <stdlib.h>
	40	#include <ctype.h>
	41	#include <errno.h>
	42	#include <fcntl.h>
	43	#include <sys/stat.h>
	44	#if defined(WIN32) \|\| defined(__EMX__)
	45	# include <io.h>
	46	#else
	47	# include <unistd.h>
	48	#endif /* WIN32 \|\| __EMX__ */
	49
	50
	51	/*
	52	* Local functions...
	53	*/
	54
	55	static int cups_local_auth(http_t *http);
	56
	57
	58	/*
	59	* 'cupsDoAuthentication()' - Authenticate a request.
	60	*
	61	* This function should be called in response to a HTTP_UNAUTHORIZED
	62	* status, prior to resubmitting your request.
	63	*
	64	* @since CUPS 1.1.20@
	65	*/
	66
67	int /* O - 0 on success, -1 on error */
68	cupsDoAuthentication(http_t http, / I - HTTP connection to server */
69	const char method,/ I - Request method (GET, POST, PUT) */
70	const char *resource)
71	/* I - Resource path */
72	{
73	const char password; / Password string */
74	char prompt[1024], /* Prompt for user */
75	realm[HTTP_MAX_VALUE], /* realm="xyz" string */
76	nonce[HTTP_MAX_VALUE], /* nonce="xyz" string */
77	encode[512]; /* Encoded username:password */
78
79
80	DEBUG_printf(("cupsDoAuthentication(http=%p, method=\"%s\", resource=\"%s\")\n",
81	http, method, resource));
82	DEBUG_printf(("cupsDoAuthentication: digest_tries=%d, userpass=\"%s\"\n",
83	http->digest_tries, http->userpass));
84
85	/*
86	* Clear the current authentication string...
87	*/
88
89	http->authstring[0] = '\0';
90
91	/*
92	* See if we can do local authentication...
93	*/
94
d6ae789d	95	if (http->digest_tries < 3 && !cups_local_auth(http))
ef416fc2	96	{
ef416fc2	97	DEBUG_printf(("cupsDoAuthentication: authstring=\"%s\"\n", http->authstring));
d6ae789d	98
	99	if (http->status == HTTP_UNAUTHORIZED)
	100	http->digest_tries ++;
	101
ef416fc2	102	return (0);
	103	}
	104
	105	/*
	106	* Nope, see if we should retry the current username:password...
	107	*/
	108
	109	if (http->digest_tries > 1 \|\| !http->userpass[0])
	110	{
	111	/*
	112	* Nope - get a new password from the user...
	113	*/
	114
f301802f	115	snprintf(prompt, sizeof(prompt), _("Password for %s on %s? "), cupsUser(),
f301802f	116	http->hostname[0] == '/' ? "localhost" : http->hostname);
ef416fc2	117
	118	http->digest_tries = strncasecmp(http->fields[HTTP_FIELD_WWW_AUTHENTICATE],
	119	"Digest", 5) != 0;
	120	http->userpass[0] = '\0';
	121
	122	if ((password = cupsGetPassword(prompt)) == NULL)
	123	return (-1);
	124
	125	if (!password[0])
	126	return (-1);
	127
	128	snprintf(http->userpass, sizeof(http->userpass), "%s:%s", cupsUser(),
	129	password);
	130	}
	131	else if (http->status == HTTP_UNAUTHORIZED)
	132	http->digest_tries ++;
	133
	134	/*
	135	* Got a password; encode it for the server...
	136	*/
	137
	138	if (strncmp(http->fields[HTTP_FIELD_WWW_AUTHENTICATE], "Digest", 6))
	139	{
	140	/*
	141	* Basic authentication...
	142	*/
	143
	144	httpEncode64_2(encode, sizeof(encode), http->userpass,
	145	strlen(http->userpass));
	146	snprintf(http->authstring, sizeof(http->authstring), "Basic %s", encode);
	147	}
	148	else
	149	{
	150	/*
	151	* Digest authentication...
	152	*/
	153
	154	httpGetSubField(http, HTTP_FIELD_WWW_AUTHENTICATE, "realm", realm);
	155	httpGetSubField(http, HTTP_FIELD_WWW_AUTHENTICATE, "nonce", nonce);
	156
	157	httpMD5(cupsUser(), realm, strchr(http->userpass, ':') + 1, encode);
	158	httpMD5Final(nonce, method, resource, encode);
	159	snprintf(http->authstring, sizeof(http->authstring),
	160	"Digest username=\"%s\", realm=\"%s\", nonce=\"%s\", "
	161	"uri=\"%s\", response=\"%s\"", cupsUser(), realm, nonce,
	162	resource, encode);
	163	}
	164
	165	DEBUG_printf(("cupsDoAuthentication: authstring=\"%s\"\n", http->authstring));
	166
	167	return (0);
	168	}
	169
	170
	171	/*
	172	* 'cups_local_auth()' - Get the local authorization certificate if
	173	* available/applicable...
	174	*/
	175
	176	static int /* O - 0 if available, -1 if not */
	177	cups_local_auth(http_t http) / I - HTTP connection to server */
	178	{
	179	#if defined(WIN32) \|\| defined(__EMX__)
	180	/*
181	* Currently WIN32 and OS-2 do not support the CUPS server...
182	*/
183
184	return (-1);
185	#else
186	int pid; /* Current process ID */
187	FILE fp; / Certificate file */
188	char filename[1024], /* Certificate filename */
189	certificate[33]; /* Certificate string */
190	_cups_globals_t cg = _cupsGlobals(); / Global data */
191
192
193	DEBUG_printf(("cups_local_auth(http=%p) hostaddr=%s, hostname=\"%s\"\n",
194	http, httpAddrString(http->hostaddr, filename, sizeof(filename)), http->hostname));
195
196	/*
197	* See if we are accessing localhost...
198	*/
199
200	if (!httpAddrLocalhost(http->hostaddr) &&
201	strcasecmp(http->hostname, "localhost") != 0)
202	{
203	DEBUG_puts("cups_local_auth: Not a local connection!");
204	return (-1);
205	}
206
207	/*
208	* Try opening a certificate file for this PID. If that fails,
209	* try the root certificate...
210	*/
211
212	pid = getpid();
213	snprintf(filename, sizeof(filename), "%s/certs/%d", cg->cups_statedir, pid);
214	if ((fp = fopen(filename, "r")) == NULL && pid > 0)
215	{
216	DEBUG_printf(("cups_local_auth: Unable to open file %s: %s\n",
217	filename, strerror(errno)));
218
219	snprintf(filename, sizeof(filename), "%s/certs/0", cg->cups_statedir);
220	fp = fopen(filename, "r");
221	}
222
223	if (fp == NULL)
224	{
225	DEBUG_printf(("cups_local_auth: Unable to open file %s: %s\n",
226	filename, strerror(errno)));
227	return (-1);
228	}
229
230	/*
231	* Read the certificate from the file...
232	*/
233
234	fgets(certificate, sizeof(certificate), fp);
235	fclose(fp);
236
237	/*
238	* Set the authorization string and return...
239	*/
240
241	snprintf(http->authstring, sizeof(http->authstring), "Local %s", certificate);
242
243	DEBUG_printf(("cups_local_auth: Returning authstring = \"%s\"\n",
244	http->authstring));
245
246	return (0);
247	#endif /* WIN32 \|\| __EMX__ */
248	}
249
250
251	/*
c07d5b2d	252	* End of "$Id: auth.c 177 2006-06-21 00:20:03Z jlovell $".
ef416fc2	253	*/