cups/auth.c

   1 /*
   2  * "$Id: auth.c 4918 2006-01-12 05:14:40Z mike $"
   3  *
   4  *   Authentication functions for the Common UNIX Printing System (CUPS).
   5  *
   6  *   Copyright 1997-2006 by Easy Software Products.
   7  *
   8  *   These coded instructions, statements, and computer programs are the
   9  *   property of Easy Software Products and are protected by Federal
  10  *   copyright law.  Distribution and use rights are outlined in the file
  11  *   "LICENSE.txt" which should have been included with this file.  If this
  12  *   file is missing or damaged please contact Easy Software Products
  13  *   at:
  14  *
  15  *       Attn: CUPS Licensing Information
  16  *       Easy Software Products
  17  *       44141 Airport View Drive, Suite 204
  18  *       Hollywood, Maryland 20636 USA
  19  *
  20  *       Voice: (301) 373-9600
  21  *       EMail: cups-info@cups.org
  22  *         WWW: http://www.cups.org
  23  *
  24  *   This file is subject to the Apple OS-Developed Software exception.
  25  *
  26  * Contents:
  27  *
  28  *   cupsDoAuthentication() - Authenticate a request.
  29  *   cups_local_auth()      - Get the local authorization certificate if
  30  *                            available/applicable...
  31  */
  32
  33 /*
  34  * Include necessary headers...
  35  */
  36
  37 #include "globals.h"
  38 #include "debug.h"
  39 #include <stdlib.h>
  40 #include <ctype.h>
  41 #include <errno.h>
  42 #include <fcntl.h>
  43 #include <sys/stat.h>
  44 #if defined(WIN32) || defined(__EMX__)
  45 #  include <io.h>
  46 #else
  47 #  include <unistd.h>
  48 #endif /* WIN32 || __EMX__ */
  49
  50
  51 /*
  52  * Local functions...
  53  */
  54
  55 static int      cups_local_auth(http_t *http);
  56
  57
  58 /*
  59  * 'cupsDoAuthentication()' - Authenticate a request.
  60  *
  61  * This function should be called in response to a HTTP_UNAUTHORIZED
  62  * status, prior to resubmitting your request.
  63  *
  64  * @since CUPS 1.1.20@
  65  */
  66
  67 int                                     /* O - 0 on success, -1 on error */
  68 cupsDoAuthentication(http_t     *http,  /* I - HTTP connection to server */
  69                      const char *method,/* I - Request method (GET, POST, PUT) */
  70                      const char *resource)
  71                                         /* I - Resource path */
  72 {
  73   const char    *password;              /* Password string */
  74   char          prompt[1024],           /* Prompt for user */
  75                 realm[HTTP_MAX_VALUE],  /* realm="xyz" string */
  76                 nonce[HTTP_MAX_VALUE],  /* nonce="xyz" string */
  77                 encode[512];            /* Encoded username:password */
  78
  79
  80   DEBUG_printf(("cupsDoAuthentication(http=%p, method=\"%s\", resource=\"%s\")\n",
  81                 http, method, resource));
  82   DEBUG_printf(("cupsDoAuthentication: digest_tries=%d, userpass=\"%s\"\n",
  83                 http->digest_tries, http->userpass));
  84
  85  /*
  86   * Clear the current authentication string...
  87   */
  88
  89   http->authstring[0] = '\0';
  90
  91  /*
  92   * See if we can do local authentication...
  93   */
  94
  95   if (!cups_local_auth(http))
  96   {
  97     DEBUG_printf(("cupsDoAuthentication: authstring=\"%s\"\n", http->authstring));
  98     return (0);
  99   }
 100
 101  /*
 102   * Nope, see if we should retry the current username:password...
 103   */
 104
 105   if (http->digest_tries > 1 || !http->userpass[0])
 106   {
 107    /*
 108     * Nope - get a new password from the user...
 109     */
 110
 111     snprintf(prompt, sizeof(prompt), "Password for %s on %s? ", cupsUser(),
 112              http->hostname);
 113
 114     http->digest_tries  = strncasecmp(http->fields[HTTP_FIELD_WWW_AUTHENTICATE],
 115                                       "Digest", 5) != 0;
 116     http->userpass[0]   = '\0';
 117
 118     if ((password = cupsGetPassword(prompt)) == NULL)
 119       return (-1);
 120
 121     if (!password[0])
 122       return (-1);
 123
 124     snprintf(http->userpass, sizeof(http->userpass), "%s:%s", cupsUser(),
 125              password);
 126   }
 127   else if (http->status == HTTP_UNAUTHORIZED)
 128     http->digest_tries ++;
 129
 130  /*
 131   * Got a password; encode it for the server...
 132   */
 133
 134   if (strncmp(http->fields[HTTP_FIELD_WWW_AUTHENTICATE], "Digest", 6))
 135   {
 136    /*
 137     * Basic authentication...
 138     */
 139
 140     httpEncode64_2(encode, sizeof(encode), http->userpass,
 141                    strlen(http->userpass));
 142     snprintf(http->authstring, sizeof(http->authstring), "Basic %s", encode);
 143   }
 144   else
 145   {
 146    /*
 147     * Digest authentication...
 148     */
 149
 150     httpGetSubField(http, HTTP_FIELD_WWW_AUTHENTICATE, "realm", realm);
 151     httpGetSubField(http, HTTP_FIELD_WWW_AUTHENTICATE, "nonce", nonce);
 152
 153     httpMD5(cupsUser(), realm, strchr(http->userpass, ':') + 1, encode);
 154     httpMD5Final(nonce, method, resource, encode);
 155     snprintf(http->authstring, sizeof(http->authstring),
 156              "Digest username=\"%s\", realm=\"%s\", nonce=\"%s\", "
 157              "uri=\"%s\", response=\"%s\"", cupsUser(), realm, nonce,
 158              resource, encode);
 159   }
 160
 161   DEBUG_printf(("cupsDoAuthentication: authstring=\"%s\"\n", http->authstring));
 162
 163   return (0);
 164 }
 165
 166
 167 /*
 168  * 'cups_local_auth()' - Get the local authorization certificate if
 169  *                       available/applicable...
 170  */
 171
 172 static int                              /* O - 0 if available, -1 if not */
 173 cups_local_auth(http_t *http)           /* I - HTTP connection to server */
 174 {
 175 #if defined(WIN32) || defined(__EMX__)
 176  /*
 177   * Currently WIN32 and OS-2 do not support the CUPS server...
 178   */
 179
 180   return (-1);
 181 #else
 182   int           pid;                    /* Current process ID */
 183   FILE          *fp;                    /* Certificate file */
 184   char          filename[1024],         /* Certificate filename */
 185                 certificate[33];        /* Certificate string */
 186   _cups_globals_t *cg = _cupsGlobals(); /* Global data */
 187
 188
 189   DEBUG_printf(("cups_local_auth(http=%p) hostaddr=%s, hostname=\"%s\"\n",
 190                 http, httpAddrString(http->hostaddr, filename, sizeof(filename)), http->hostname));
 191
 192  /*
 193   * See if we are accessing localhost...
 194   */
 195
 196   if (!httpAddrLocalhost(http->hostaddr) &&
 197       strcasecmp(http->hostname, "localhost") != 0)
 198   {
 199     DEBUG_puts("cups_local_auth: Not a local connection!");
 200     return (-1);
 201   }
 202
 203  /*
 204   * Try opening a certificate file for this PID.  If that fails,
 205   * try the root certificate...
 206   */
 207
 208   pid = getpid();
 209   snprintf(filename, sizeof(filename), "%s/certs/%d", cg->cups_statedir, pid);
 210   if ((fp = fopen(filename, "r")) == NULL && pid > 0)
 211   {
 212     DEBUG_printf(("cups_local_auth: Unable to open file %s: %s\n",
 213                   filename, strerror(errno)));
 214
 215     snprintf(filename, sizeof(filename), "%s/certs/0", cg->cups_statedir);
 216     fp = fopen(filename, "r");
 217   }
 218
 219   if (fp == NULL)
 220   {
 221     DEBUG_printf(("cups_local_auth: Unable to open file %s: %s\n",
 222                   filename, strerror(errno)));
 223     return (-1);
 224   }
 225
 226  /*
 227   * Read the certificate from the file...
 228   */
 229
 230   fgets(certificate, sizeof(certificate), fp);
 231   fclose(fp);
 232
 233  /*
 234   * Set the authorization string and return...
 235   */
 236
 237   snprintf(http->authstring, sizeof(http->authstring), "Local %s", certificate);
 238
 239   DEBUG_printf(("cups_local_auth: Returning authstring = \"%s\"\n",
 240                 http->authstring));
 241
 242   return (0);
 243 #endif /* WIN32 || __EMX__ */
 244 }
 245
 246
 247 /*
 248  * End of "$Id: auth.c 4918 2006-01-12 05:14:40Z mike $".
 249  */