]> git.ipfire.org Git - thirdparty/cups.git/blob - scheduler/auth.c
projects / thirdparty / cups.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge CUPS 1.4svn-r7319.
[thirdparty/cups.git] / scheduler / auth.c
1 /*
2 * "$Id: auth.c 6947 2007-09-12 21:09:49Z mike $"
3 *
4 * Authorization routines for the Common UNIX Printing System (CUPS).
5 *
6 * Copyright 2007-2008 by Apple Inc.
7 * Copyright 1997-2007 by Easy Software Products, all rights reserved.
8 *
9 * This file contains Kerberos support code, copyright 2006 by
10 * Jelmer Vernooij.
11 *
12 * These coded instructions, statements, and computer programs are the
13 * property of Apple Inc. and are protected by Federal copyright
14 * law. Distribution and use rights are outlined in the file "LICENSE.txt"
15 * which should have been included with this file. If this file is
16 * file is missing or damaged, see the license at "http://www.cups.org/".
17 *
18 * Contents:
19 *
20 * cupsdAddLocation() - Add a location for authorization.
21 * cupsdAddName() - Add a name to a location...
22 * cupsdAllowHost() - Add a host name that is allowed to access the
23 * location.
24 * cupsdAllowIP() - Add an IP address or network that is allowed to
25 * access the location.
26 * cupsdAuthorize() - Validate any authorization credentials.
27 * cupsdCheckAccess() - Check whether the given address is allowed to
28 * access a location.
29 * cupsdCheckAuth() - Check authorization masks.
30 * cupsdCheckGroup() - Check for a user's group membership.
31 * cupsdCopyLocation() - Make a copy of a location...
32 * cupsdDeleteAllLocations() - Free all memory used for location
33 * authorization.
34 * cupsdDeleteLocation() - Free all memory used by a location.
35 * cupsdDenyHost() - Add a host name that is not allowed to access
36 * the location.
37 * cupsdDenyIP() - Add an IP address or network that is not
38 * allowed to access the location.
39 * cupsdFindBest() - Find the location entry that best matches the
40 * resource.
41 * cupsdFindLocation() - Find the named location.
42 * cupsdIsAuthorized() - Check to see if the user is authorized...
43 * add_allow() - Add an allow mask to the location.
44 * add_deny() - Add a deny mask to the location.
45 * check_authref() - Check if an authorization services reference
46 * has the supplied right.
47 * compare_locations() - Compare two locations.
48 * cups_crypt() - Encrypt the password using the DES or MD5
49 * algorithms, as needed.
50 * get_gss_creds() - Obtain GSS credentials.
51 * get_md5_password() - Get an MD5 password.
52 * pam_func() - PAM conversation function.
53 * to64() - Base64-encode an integer value...
54 */
55
56 /*
57 * Include necessary headers...
58 */
59
60 #include "cupsd.h"
61 #include <grp.h>
62 #ifdef HAVE_SHADOW_H
63 # include <shadow.h>
64 #endif /* HAVE_SHADOW_H */
65 #ifdef HAVE_CRYPT_H
66 # include <crypt.h>
67 #endif /* HAVE_CRYPT_H */
68 #if HAVE_LIBPAM
69 # ifdef HAVE_PAM_PAM_APPL_H
70 # include <pam/pam_appl.h>
71 # else
72 # include <security/pam_appl.h>
73 # endif /* HAVE_PAM_PAM_APPL_H */
74 #endif /* HAVE_LIBPAM */
75 #ifdef HAVE_USERSEC_H
76 # include <usersec.h>
77 #endif /* HAVE_USERSEC_H */
78 #ifdef HAVE_MEMBERSHIP_H
79 # include <membership.h>
80 #endif /* HAVE_MEMBERSHIP_H */
81 #ifdef HAVE_AUTHORIZATION_H
82 # include <Security/AuthorizationTags.h>
83 # ifdef HAVE_SECBASEPRIV_H
84 # include <Security/SecBasePriv.h>
85 # else
86 extern const char *cssmErrorString(int error);
87 # endif /* HAVE_SECBASEPRIV_H */
88 #endif /* HAVE_AUTHORIZATION_H */
89 #ifdef HAVE_SYS_PARAM_H
90 # include <sys/param.h>
91 #endif /* HAVE_SYS_PARAM_H */
92 #ifdef HAVE_SYS_UCRED_H
93 # include <sys/ucred.h>
94 typedef struct xucred cupsd_ucred_t;
95 # define CUPSD_UCRED_UID(c) (c).cr_uid
96 #else
97 typedef struct ucred cupsd_ucred_t;
98 # define CUPSD_UCRED_UID(c) (c).uid
99 #endif /* HAVE_SYS_UCRED_H */
100
101
102 /*
103 * Local functions...
104 */
105
106 static cupsd_authmask_t *add_allow(cupsd_location_t *loc);
107 static cupsd_authmask_t *add_deny(cupsd_location_t *loc);
108 #ifdef HAVE_AUTHORIZATION_H
109 static int check_authref(cupsd_client_t *con, const char *right);
110 #endif /* HAVE_AUTHORIZATION_H */
111 static int compare_locations(cupsd_location_t *a,
112 cupsd_location_t *b);
113 #if !HAVE_LIBPAM && !defined(HAVE_USERSEC_H)
114 static char *cups_crypt(const char *pw, const char *salt);
115 #endif /* !HAVE_LIBPAM && !HAVE_USERSEC_H */
116 #ifdef HAVE_GSSAPI
117 static gss_cred_id_t get_gss_creds(const char *service_name);
118 #endif /* HAVE_GSSAPI */
119 static char *get_md5_password(const char *username,
120 const char *group, char passwd[33]);
121 #if HAVE_LIBPAM
122 static int pam_func(int, const struct pam_message **,
123 struct pam_response **, void *);
124 #elif !defined(HAVE_USERSEC_H)
125 static void to64(char *s, unsigned long v, int n);
126 #endif /* HAVE_LIBPAM */
127
128
129 /*
130 * Local structures...
131 */
132
133 #if HAVE_LIBPAM
134 typedef struct cupsd_authdata_s /**** Authentication data ****/
135 {
136 char username[33], /* Username string */
137 password[33]; /* Password string */
138 } cupsd_authdata_t;
139 #endif /* HAVE_LIBPAM */
140
141
142 /*
143 * Local globals...
144 */
145
146 #if defined(__hpux) && HAVE_LIBPAM
147 static cupsd_authdata_t *auth_data; /* Current client being authenticated */
148 #endif /* __hpux && HAVE_LIBPAM */
149
150
151 /*
152 * 'cupsdAddLocation()' - Add a location for authorization.
153 */
154
155 cupsd_location_t * /* O - Pointer to new location record */
156 cupsdAddLocation(const char *location) /* I - Location path */
157 {
158 cupsd_location_t *temp; /* New location */
159
160
161 /*
162 * Make sure the locations array is created...
163 */
164
165 if (!Locations)
166 Locations = cupsArrayNew((cups_array_func_t)compare_locations, NULL);
167
168 if (!Locations)
169 return (NULL);
170
171 /*
172 * Try to allocate memory for the new location.
173 */
174
175 if ((temp = calloc(1, sizeof(cupsd_location_t))) == NULL)
176 return (NULL);
177
178 /*
179 * Initialize the record and copy the name over...
180 */
181
182 if ((temp->location = strdup(location)) == NULL)
183 {
184 free(temp);
185 return (NULL);
186 }
187
188 temp->length = strlen(temp->location);
189
190 cupsArrayAdd(Locations, temp);
191
192 cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdAddLocation: added location \'%s\'",
193 location);
194
195 /*
196 * Return the new record...
197 */
198
199 return (temp);
200 }
201
202
203 /*
204 * 'cupsdAddName()' - Add a name to a location...
205 */
206
207 void
208 cupsdAddName(cupsd_location_t *loc, /* I - Location to add to */
209 char *name) /* I - Name to add */
210 {
211 char **temp; /* Pointer to names array */
212
213
214 cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdAddName(loc=%p, name=\"%s\")",
215 loc, name);
216
217 if (loc->num_names == 0)
218 temp = malloc(sizeof(char *));
219 else
220 temp = realloc(loc->names, (loc->num_names + 1) * sizeof(char *));
221
222 if (temp == NULL)
223 {
224 cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to add name to location %s: %s",
225 loc->location ? loc->location : "nil", strerror(errno));
226 return;
227 }
228
229 loc->names = temp;
230
231 if ((temp[loc->num_names] = strdup(name)) == NULL)
232 {
233 cupsdLogMessage(CUPSD_LOG_ERROR,
234 "Unable to duplicate name for location %s: %s",
235 loc->location ? loc->location : "nil", strerror(errno));
236 return;
237 }
238
239 loc->num_names ++;
240 }
241
242
243 /*
244 * 'cupsdAllowHost()' - Add a host name that is allowed to access the location.
245 */
246
247 void
248 cupsdAllowHost(cupsd_location_t *loc, /* I - Location to add to */
249 char *name) /* I - Name of host or domain to add */
250 {
251 cupsd_authmask_t *temp; /* New host/domain mask */
252 char ifname[32], /* Interface name */
253 *ifptr; /* Pointer to end of name */
254
255
256 cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdAllowHost(loc=%p(%s), name=\"%s\")",
257 loc, loc->location ? loc->location : "nil", name);
258
259 if ((temp = add_allow(loc)) == NULL)
260 return;
261
262 if (!strcasecmp(name, "@LOCAL"))
263 {
264 /*
265 * Allow *interface*...
266 */
267
268 temp->type = CUPSD_AUTH_INTERFACE;
269 temp->mask.name.name = strdup("*");
270 temp->mask.name.length = 1;
271 }
272 else if (!strncasecmp(name, "@IF(", 4))
273 {
274 /*
275 * Allow *interface*...
276 */
277
278 strlcpy(ifname, name + 4, sizeof(ifname));
279
280 ifptr = ifname + strlen(ifname);
281
282 if (ifptr[-1] == ')')
283 {
284 ifptr --;
285 *ifptr = '\0';
286 }
287
288 temp->type = CUPSD_AUTH_INTERFACE;
289 temp->mask.name.name = strdup(ifname);
290 temp->mask.name.length = ifptr - ifname;
291 }
292 else
293 {
294 /*
295 * Allow name...
296 */
297
298 temp->type = CUPSD_AUTH_NAME;
299 temp->mask.name.name = strdup(name);
300 temp->mask.name.length = strlen(name);
301 }
302 }
303
304
305 /*
306 * 'cupsdAllowIP()' - Add an IP address or network that is allowed to access
307 * the location.
308 */
309
310 void
311 cupsdAllowIP(
312 cupsd_location_t *loc, /* I - Location to add to */
313 const unsigned address[4], /* I - IP address to add */
314 const unsigned netmask[4]) /* I - Netmask of address */
315 {
316 cupsd_authmask_t *temp; /* New host/domain mask */
317
318
319 cupsdLogMessage(CUPSD_LOG_DEBUG2,
320 "cupsdAllowIP(loc=%p(%s), address=%x:%x:%x:%x, netmask=%x:%x:%x:%x)",
321 loc, loc->location ? loc->location : "nil",
322 address[0], address[1], address[2], address[3],
323 netmask[0], netmask[1], netmask[2], netmask[3]);
324
325 if ((temp = add_allow(loc)) == NULL)
326 return;
327
328 temp->type = CUPSD_AUTH_IP;
329 memcpy(temp->mask.ip.address, address, sizeof(temp->mask.ip.address));
330 memcpy(temp->mask.ip.netmask, netmask, sizeof(temp->mask.ip.netmask));
331 }
332
333
334 /*
335 * 'cupsdAuthorize()' - Validate any authorization credentials.
336 */
337
338 void
339 cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */
340 {
341 int type; /* Authentication type */
342 const char *authorization; /* Pointer into Authorization string */
343 char *ptr, /* Pointer into string */
344 username[256], /* Username string */
345 password[33]; /* Password string */
346 const char *localuser; /* Certificate username */
347 char nonce[HTTP_MAX_VALUE], /* Nonce value from client */
348 md5[33], /* MD5 password */
349 basicmd5[33]; /* MD5 of Basic password */
350 static const char * const states[] = /* HTTP client states... */
351 {
352 "WAITING",
353 "OPTIONS",
354 "GET",
355 "GET",
356 "HEAD",
357 "POST",
358 "POST",
359 "POST",
360 "PUT",
361 "PUT",
362 "DELETE",
363 "TRACE",
364 "CLOSE",
365 "STATUS"
366 };
367
368
369 /*
370 * Locate the best matching location so we know what kind of
371 * authentication to expect...
372 */
373
374 con->best = cupsdFindBest(con->uri, con->http.state);
375 con->type = CUPSD_AUTH_NONE;
376
377 cupsdLogMessage(CUPSD_LOG_DEBUG2,
378 "cupsdAuthorize: con->uri=\"%s\", con->best=%p(%s)",
379 con->uri, con->best, con->best ? con->best->location : "");
380
381 if (con->best && con->best->type != CUPSD_AUTH_NONE)
382 {
383 if (con->best->type == CUPSD_AUTH_DEFAULT)
384 type = DefaultAuthType;
385 else
386 type = con->best->type;
387 }
388 else
389 type = DefaultAuthType;
390
391 /*
392 * Decode the Authorization string...
393 */
394
395 authorization = httpGetField(&con->http, HTTP_FIELD_AUTHORIZATION);
396
397 cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdAuthorize: Authorization=\"%s\"",
398 authorization);
399
400 username[0] = '\0';
401 password[0] = '\0';
402
403 #ifdef HAVE_AUTHORIZATION_H
404 if (con->authref)
405 {
406 AuthorizationFree(con->authref, kAuthorizationFlagDefaults);
407 con->authref = NULL;
408 }
409 #endif /* HAVE_AUTHORIZATION_H */
410
411 if (!*authorization)
412 {
413 /*
414 * No authorization data provided, return early...
415 */
416
417 cupsdLogMessage(CUPSD_LOG_DEBUG,
418 "cupsdAuthorize: No authentication data provided.");
419 return;
420 }
421 #ifdef HAVE_AUTHORIZATION_H
422 else if (!strncmp(authorization, "AuthRef", 6) &&
423 !strcasecmp(con->http.hostname, "localhost"))
424 {
425 OSStatus status; /* Status */
426 int authlen; /* Auth string length */
427 AuthorizationItemSet *authinfo; /* Authorization item set */
428
429 /*
430 * Get the Authorization Services data...
431 */
432
433 authorization += 7;
434 while (isspace(*authorization & 255))
435 authorization ++;
436
437 authlen = sizeof(nonce);
438 httpDecode64_2(nonce, &authlen, authorization);
439
440 if (authlen != kAuthorizationExternalFormLength)
441 {
442 cupsdLogMessage(CUPSD_LOG_ERROR,
443 "External Authorization reference size is incorrect!");
444 return;
445 }
446
447 if ((status = AuthorizationCreateFromExternalForm(
448 (AuthorizationExternalForm *)nonce, &con->authref)) != 0)
449 {
450 cupsdLogMessage(CUPSD_LOG_ERROR,
451 "AuthorizationCreateFromExternalForm returned %d (%s)",
452 (int)status, cssmErrorString(status));
453 return;
454 }
455
456 if ((status = AuthorizationCopyInfo(con->authref,
457 kAuthorizationEnvironmentUsername,
458 &authinfo)) != 0)
459 {
460 cupsdLogMessage(CUPSD_LOG_ERROR,
461 "AuthorizationCopyInfo returned %d (%s)",
462 (int)status, cssmErrorString(status));
463 return;
464 }
465
466 if (authinfo->count == 1)
467 strlcpy(username, authinfo->items[0].value, sizeof(username));
468
469 cupsdLogMessage(CUPSD_LOG_DEBUG,
470 "cupsdAuthorize: Authorized as %s using AuthRef",
471 username);
472
473 AuthorizationFreeItemSet(authinfo);
474
475 con->type = CUPSD_AUTH_BASIC;
476 }
477 #endif /* HAVE_AUTHORIZATION_H */
478 #if defined(SO_PEERCRED) && defined(AF_LOCAL)
479 else if (!strncmp(authorization, "PeerCred ", 9) &&
480 con->http.hostaddr->addr.sa_family == AF_LOCAL)
481 {
482 /*
483 * Use peer credentials from domain socket connection...
484 */
485
486 struct passwd *pwd; /* Password entry for this user */
487 cupsd_ucred_t peercred; /* Peer credentials */
488 socklen_t peersize; /* Size of peer credentials */
489
490
491 if ((pwd = getpwnam(authorization + 9)) == NULL)
492 {
493 cupsdLogMessage(CUPSD_LOG_ERROR, "User \"%s\" does not exist!",
494 authorization + 9);
495 return;
496 }
497
498 peersize = sizeof(peercred);
499
500 if (getsockopt(con->http.fd, SOL_SOCKET, SO_PEERCRED, &peercred, &peersize))
501 {
502 cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to get peer credentials - %s",
503 strerror(errno));
504 return;
505 }
506
507 if (pwd->pw_uid != CUPSD_UCRED_UID(peercred))
508 {
509 cupsdLogMessage(CUPSD_LOG_ERROR,
510 "Invalid peer credentials for \"%s\" - got %d, "
511 "expected %d!", authorization + 9,
512 CUPSD_UCRED_UID(peercred), pwd->pw_uid);
513 # ifdef HAVE_SYS_UCRED_H
514 cupsdLogMessage(CUPSD_LOG_DEBUG, "cupsdAuthorize: cr_version=%d",
515 peercred.cr_version);
516 cupsdLogMessage(CUPSD_LOG_DEBUG, "cupsdAuthorize: cr_uid=%d",
517 peercred.cr_uid);
518 cupsdLogMessage(CUPSD_LOG_DEBUG, "cupsdAuthorize: cr_ngroups=%d",
519 peercred.cr_ngroups);
520 cupsdLogMessage(CUPSD_LOG_DEBUG, "cupsdAuthorize: cr_groups[0]=%d",
521 peercred.cr_groups[0]);
522 # endif /* HAVE_SYS_UCRED_H */
523 return;
524 }
525
526 strlcpy(username, authorization + 9, sizeof(username));
527
528 cupsdLogMessage(CUPSD_LOG_DEBUG,
529 "cupsdAuthorize: Authorized as %s using PeerCred",
530 username);
531
532 con->type = CUPSD_AUTH_BASIC;
533 }
534 #endif /* SO_PEERCRED && AF_LOCAL */
535 else if (!strncmp(authorization, "Local", 5) &&
536 !strcasecmp(con->http.hostname, "localhost"))
537 {
538 /*
539 * Get Local certificate authentication data...
540 */
541
542 authorization += 5;
543 while (isspace(*authorization & 255))
544 authorization ++;
545
546 if ((localuser = cupsdFindCert(authorization)) != NULL)
547 {
548 strlcpy(username, localuser, sizeof(username));
549
550 cupsdLogMessage(CUPSD_LOG_DEBUG,
551 "cupsdAuthorize: Authorized as %s using Local",
552 username);
553 }
554 else
555 {
556 cupsdLogMessage(CUPSD_LOG_ERROR,
557 "cupsdAuthorize: Local authentication certificate not "
558 "found!");
559 return;
560 }
561
562 con->type = CUPSD_AUTH_BASIC;
563 }
564 else if (!strncmp(authorization, "Basic", 5))
565 {
566 /*
567 * Get the Basic authentication data...
568 */
569
570 int userlen; /* Username:password length */
571
572
573 authorization += 5;
574 while (isspace(*authorization & 255))
575 authorization ++;
576
577 userlen = sizeof(username);
578 httpDecode64_2(username, &userlen, authorization);
579
580 /*
581 * Pull the username and password out...
582 */
583
584 if ((ptr = strchr(username, ':')) == NULL)
585 {
586 cupsdLogMessage(CUPSD_LOG_ERROR,
587 "cupsdAuthorize: Missing Basic password!");
588 return;
589 }
590
591 *ptr++ = '\0';
592
593 if (!username[0])
594 {
595 /*
596 * Username must not be empty...
597 */
598
599 cupsdLogMessage(CUPSD_LOG_ERROR,
600 "cupsdAuthorize: Empty Basic username!");
601 return;
602 }
603
604 if (!*ptr)
605 {
606 /*
607 * Password must not be empty...
608 */
609
610 cupsdLogMessage(CUPSD_LOG_ERROR,
611 "cupsdAuthorize: Empty Basic password!");
612 return;
613 }
614
615 strlcpy(password, ptr, sizeof(password));
616
617 /*
618 * Validate the username and password...
619 */
620
621 switch (type)
622 {
623 default :
624 case CUPSD_AUTH_BASIC :
625 {
626 #if HAVE_LIBPAM
627 /*
628 * Only use PAM to do authentication. This supports MD5
629 * passwords, among other things...
630 */
631
632 pam_handle_t *pamh; /* PAM authentication handle */
633 int pamerr; /* PAM error code */
634 struct pam_conv pamdata;/* PAM conversation data */
635 cupsd_authdata_t data; /* Authentication data */
636
637
638 strlcpy(data.username, username, sizeof(data.username));
639 strlcpy(data.password, password, sizeof(data.password));
640
641 # if defined(__sun) || defined(__hpux)
642 pamdata.conv = (int (*)(int, struct pam_message **,
643 struct pam_response **,
644 void *))pam_func;
645 # else
646 pamdata.conv = pam_func;
647 # endif /* __sun || __hpux */
648 pamdata.appdata_ptr = &data;
649
650 # ifdef __hpux
651 /*
652 * Workaround for HP-UX bug in pam_unix; see pam_func() below for
653 * more info...
654 */
655
656 auth_data = &data;
657 # endif /* __hpux */
658
659 pamerr = pam_start("cups", username, &pamdata, &pamh);
660 if (pamerr != PAM_SUCCESS)
661 {
662 cupsdLogMessage(CUPSD_LOG_ERROR,
663 "cupsdAuthorize: pam_start() returned %d (%s)!\n",
664 pamerr, pam_strerror(pamh, pamerr));
665 pam_end(pamh, 0);
666 return;
667 }
668
669 # if defined(HAVE_PAM_SET_ITEM) && defined(PAM_RHOST)
670 pamerr = pam_set_item(pamh, PAM_RHOST, con->http.hostname);
671 if (pamerr != PAM_SUCCESS)
672 cupsdLogMessage(CUPSD_LOG_WARN,
673 "cupsdAuthorize: pam_set_item() returned %d "
674 "(%s)!\n", pamerr, pam_strerror(pamh, pamerr));
675 # endif /* HAVE_PAM_SET_ITEM && PAM_RHOST */
676
677 pamerr = pam_authenticate(pamh, PAM_SILENT);
678 if (pamerr != PAM_SUCCESS)
679 {
680 cupsdLogMessage(CUPSD_LOG_ERROR,
681 "cupsdAuthorize: pam_authenticate() returned %d "
682 "(%s)!\n",
683 pamerr, pam_strerror(pamh, pamerr));
684 pam_end(pamh, 0);
685 return;
686 }
687
688 pamerr = pam_acct_mgmt(pamh, PAM_SILENT);
689 if (pamerr != PAM_SUCCESS)
690 {
691 cupsdLogMessage(CUPSD_LOG_ERROR,
692 "cupsdAuthorize: pam_acct_mgmt() returned %d "
693 "(%s)!\n",
694 pamerr, pam_strerror(pamh, pamerr));
695 pam_end(pamh, 0);
696 return;
697 }
698
699 pam_end(pamh, PAM_SUCCESS);
700
701 #elif defined(HAVE_USERSEC_H)
702 /*
703 * Use AIX authentication interface...
704 */
705
706 char *authmsg; /* Authentication message */
707 int reenter; /* ??? */
708
709
710 cupsdLogMessage(CUPSD_LOG_DEBUG,
711 "cupsdAuthorize: AIX authenticate of username \"%s\"",
712 username);
713
714 reenter = 1;
715 if (authenticate(username, password, &reenter, &authmsg) != 0)
716 {
717 cupsdLogMessage(CUPSD_LOG_DEBUG,
718 "cupsdAuthorize: Unable to authenticate username "
719 "\"%s\": %s",
720 username, strerror(errno));
721 return;
722 }
723
724 #else
725 /*
726 * Use normal UNIX password file-based authentication...
727 */
728
729 char *pass; /* Encrypted password */
730 struct passwd *pw; /* User password data */
731 # ifdef HAVE_SHADOW_H
732 struct spwd *spw; /* Shadow password data */
733 # endif /* HAVE_SHADOW_H */
734
735
736 pw = getpwnam(username); /* Get the current password */
737 endpwent(); /* Close the password file */
738
739 if (!pw)
740 {
741 /*
742 * No such user...
743 */
744
745 cupsdLogMessage(CUPSD_LOG_ERROR,
746 "cupsdAuthorize: Unknown username \"%s\"!",
747 username);
748 return;
749 }
750
751 # ifdef HAVE_SHADOW_H
752 spw = getspnam(username);
753 endspent();
754
755 if (!spw && !strcmp(pw->pw_passwd, "x"))
756 {
757 /*
758 * Don't allow blank passwords!
759 */
760
761 cupsdLogMessage(CUPSD_LOG_ERROR,
762 "cupsdAuthorize: Username \"%s\" has no shadow "
763 "password!", username);
764 return;
765 }
766
767 if (spw && !spw->sp_pwdp[0] && !pw->pw_passwd[0])
768 # else
769 if (!pw->pw_passwd[0])
770 # endif /* HAVE_SHADOW_H */
771 {
772 /*
773 * Don't allow blank passwords!
774 */
775
776 cupsdLogMessage(CUPSD_LOG_ERROR,
777 "cupsdAuthorize: Username \"%s\" has no password!",
778 username);
779 return;
780 }
781
782 /*
783 * OK, the password isn't blank, so compare with what came from the
784 * client...
785 */
786
787 pass = cups_crypt(password, pw->pw_passwd);
788
789 cupsdLogMessage(CUPSD_LOG_DEBUG2,
790 "cupsdAuthorize: pw_passwd=\"%s\", crypt=\"%s\"",
791 pw->pw_passwd, pass);
792
793 if (!pass || strcmp(pw->pw_passwd, pass))
794 {
795 # ifdef HAVE_SHADOW_H
796 if (spw)
797 {
798 pass = cups_crypt(password, spw->sp_pwdp);
799
800 cupsdLogMessage(CUPSD_LOG_DEBUG2,
801 "cupsdAuthorize: sp_pwdp=\"%s\", crypt=\"%s\"",
802 spw->sp_pwdp, pass);
803
804 if (pass == NULL || strcmp(spw->sp_pwdp, pass))
805 {
806 cupsdLogMessage(CUPSD_LOG_ERROR,
807 "cupsdAuthorize: Authentication failed for "
808 "user \"%s\"!",
809 username);
810 return;
811 }
812 }
813 else
814 # endif /* HAVE_SHADOW_H */
815 {
816 cupsdLogMessage(CUPSD_LOG_ERROR,
817 "cupsdAuthorize: Authentication failed for "
818 "user \"%s\"!",
819 username);
820 return;
821 }
822 }
823 #endif /* HAVE_LIBPAM */
824 }
825
826 cupsdLogMessage(CUPSD_LOG_DEBUG,
827 "cupsdAuthorize: Authorized as %s using Basic",
828 username);
829 break;
830
831 case CUPSD_AUTH_BASICDIGEST :
832 /*
833 * Do Basic authentication with the Digest password file...
834 */
835
836 if (!get_md5_password(username, NULL, md5))
837 {
838 cupsdLogMessage(CUPSD_LOG_ERROR,
839 "cupsdAuthorize: Unknown MD5 username \"%s\"!",
840 username);
841 return;
842 }
843
844 httpMD5(username, "CUPS", password, basicmd5);
845
846 if (strcmp(md5, basicmd5))
847 {
848 cupsdLogMessage(CUPSD_LOG_ERROR,
849 "cupsdAuthorize: Authentication failed for \"%s\"!",
850 username);
851 return;
852 }
853
854 cupsdLogMessage(CUPSD_LOG_DEBUG,
855 "cupsdAuthorize: Authorized as %s using BasicDigest",
856 username);
857 break;
858 }
859
860 con->type = type;
861 }
862 else if (!strncmp(authorization, "Digest", 6))
863 {
864 /*
865 * Get the username, password, and nonce from the Digest attributes...
866 */
867
868 if (!httpGetSubField2(&(con->http), HTTP_FIELD_AUTHORIZATION, "username",
869 username, sizeof(username)) || !username[0])
870 {
871 /*
872 * Username must not be empty...
873 */
874
875 cupsdLogMessage(CUPSD_LOG_ERROR,
876 "cupsdAuthorize: Empty or missing Digest username!");
877 return;
878 }
879
880 if (!httpGetSubField2(&(con->http), HTTP_FIELD_AUTHORIZATION, "response",
881 password, sizeof(password)) || !password[0])
882 {
883 /*
884 * Password must not be empty...
885 */
886
887 cupsdLogMessage(CUPSD_LOG_ERROR,
888 "cupsdAuthorize: Empty or missing Digest password!");
889 return;
890 }
891
892 if (!httpGetSubField(&(con->http), HTTP_FIELD_AUTHORIZATION, "nonce",
893 nonce))
894 {
895 cupsdLogMessage(CUPSD_LOG_ERROR,
896 "cupsdAuthorize: No nonce value for Digest "
897 "authentication!");
898 return;
899 }
900
901 if (strcmp(con->http.hostname, nonce))
902 {
903 cupsdLogMessage(CUPSD_LOG_ERROR,
904 "cupsdAuthorize: Bad nonce value, expected \"%s\", "
905 "got \"%s\"!", con->http.hostname, nonce);
906 return;
907 }
908
909 /*
910 * Validate the username and password...
911 */
912
913 if (!get_md5_password(username, NULL, md5))
914 {
915 cupsdLogMessage(CUPSD_LOG_ERROR,
916 "cupsdAuthorize: Unknown MD5 username \"%s\"!",
917 username);
918 return;
919 }
920
921 httpMD5Final(nonce, states[con->http.state], con->uri, md5);
922
923 if (strcmp(md5, password))
924 {
925 cupsdLogMessage(CUPSD_LOG_ERROR,
926 "cupsdAuthorize: Authentication failed for \"%s\"!",
927 username);
928 return;
929 }
930
931 cupsdLogMessage(CUPSD_LOG_DEBUG,
932 "cupsdAuthorize: Authorized as %s using Digest",
933 username);
934
935 con->type = CUPSD_AUTH_DIGEST;
936 }
937 #ifdef HAVE_GSSAPI
938 else if (!strncmp(authorization, "Negotiate", 9))
939 {
940 int len; /* Length of authorization string */
941 gss_cred_id_t server_creds; /* Server credentials */
942 gss_ctx_id_t context; /* Authorization context */
943 OM_uint32 major_status, /* Major status code */
944 minor_status; /* Minor status code */
945 gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER,
946 /* Input token from string */
947 output_token = GSS_C_EMPTY_BUFFER;
948 /* Output token for username */
949 gss_name_t client_name; /* Client name */
950 unsigned int ret_flags; /* Credential flags */
951
952
953 # ifdef __APPLE__
954 /*
955 * If the weak-linked GSSAPI/Kerberos library is not present, don't try
956 * to use it...
957 */
958
959 if (gss_init_sec_context == NULL)
960 {
961 cupsdLogMessage(CUPSD_LOG_WARN,
962 "GSSAPI/Kerberos authentication failed because the "
963 "Kerberos framework is not present.");
964 return;
965 }
966 # endif /* __APPLE__ */
967
968 con->gss_output_token.length = 0;
969
970 /*
971 * Find the start of the Kerberos input token...
972 */
973
974 authorization += 9;
975 while (isspace(*authorization & 255))
976 authorization ++;
977
978 if (!*authorization)
979 {
980 cupsdLogMessage(CUPSD_LOG_DEBUG2,
981 "cupsdAuthorize: No authentication data specified.");
982 return;
983 }
984
985 /*
986 * Get the server credentials...
987 */
988
989 if ((server_creds = get_gss_creds(GSSServiceName)) == NULL)
990 return;
991
992 /*
993 * Decode the authorization string to get the input token...
994 */
995
996 len = strlen(authorization);
997 input_token.value = malloc(len);
998 input_token.value = httpDecode64_2(input_token.value, &len,
999 authorization);
1000 input_token.length = len;
1001
1002 /*
1003 * Accept the input token to get the authorization info...
1004 */
1005
1006 context = GSS_C_NO_CONTEXT;
1007 client_name = GSS_C_NO_NAME;
1008 major_status = gss_accept_sec_context(&minor_status,
1009 &context,
1010 server_creds,
1011 &input_token,
1012 GSS_C_NO_CHANNEL_BINDINGS,
1013 &client_name,
1014 NULL,
1015 &con->gss_output_token,
1016 &ret_flags,
1017 NULL,
1018 &con->gss_delegated_cred);
1019
1020 if (GSS_ERROR(major_status))
1021 {
1022 cupsdLogGSSMessage(CUPSD_LOG_DEBUG, major_status, minor_status,
1023 "cupsdAuthorize: Error accepting GSSAPI security "
1024 "context");
1025
1026 if (context != GSS_C_NO_CONTEXT)
1027 gss_delete_sec_context(&minor_status, &context, GSS_C_NO_BUFFER);
1028
1029 gss_release_cred(&minor_status, &server_creds);
1030 return;
1031 }
1032
1033 /*
1034 * Release our credentials...
1035 */
1036
1037 gss_release_cred(&minor_status, &server_creds);
1038
1039 /*
1040 * Get the username associated with the client's credentials...
1041 */
1042
1043 if (!con->gss_delegated_cred)
1044 cupsdLogMessage(CUPSD_LOG_DEBUG,
1045 "cupsdAuthorize: No delegated credentials!");
1046
1047 if (major_status == GSS_S_CONTINUE_NEEDED)
1048 cupsdLogGSSMessage(CUPSD_LOG_DEBUG, major_status, minor_status,
1049 "cupsdAuthorize: Credentials not complete");
1050 else if (major_status == GSS_S_COMPLETE)
1051 {
1052 major_status = gss_display_name(&minor_status, client_name,
1053 &output_token, NULL);
1054
1055 if (GSS_ERROR(major_status))
1056 {
1057 cupsdLogGSSMessage(CUPSD_LOG_DEBUG, major_status, minor_status,
1058 "cupsdAuthorize: Error getting username");
1059 gss_release_name(&minor_status, &client_name);
1060 gss_delete_sec_context(&minor_status, &context, GSS_C_NO_BUFFER);
1061 return;
1062 }
1063
1064 gss_release_name(&minor_status, &client_name);
1065 strlcpy(username, output_token.value, sizeof(username));
1066
1067 cupsdLogMessage(CUPSD_LOG_DEBUG,
1068 "cupsdAuthorize: Authorized as %s using Negotiate",
1069 username);
1070
1071 gss_release_buffer(&minor_status, &output_token);
1072 gss_delete_sec_context(&minor_status, &context, GSS_C_NO_BUFFER);
1073
1074 con->gss_have_creds = 1;
1075
1076 con->type = CUPSD_AUTH_NEGOTIATE;
1077 }
1078 else
1079 gss_release_name(&minor_status, &client_name);
1080 }
1081 #endif /* HAVE_GSSAPI */
1082 else
1083 {
1084 char scheme[256]; /* Auth scheme... */
1085
1086
1087 if (sscanf(authorization, "%255s", scheme) != 1)
1088 strcpy(scheme, "UNKNOWN");
1089
1090 cupsdLogMessage(CUPSD_LOG_ERROR, "Bad authentication data \"%s ...\"",
1091 scheme);
1092 return;
1093 }
1094
1095 /*
1096 * If we get here, then we were able to validate the username and
1097 * password - copy the validated username and password to the client
1098 * data and return...
1099 */
1100
1101 strlcpy(con->username, username, sizeof(con->username));
1102 strlcpy(con->password, password, sizeof(con->password));
1103 }
1104
1105
1106 /*
1107 * 'cupsdCheckAccess()' - Check whether the given address is allowed to
1108 * access a location.
1109 */
1110
1111 int /* O - 1 if allowed, 0 otherwise */
1112 cupsdCheckAccess(
1113 unsigned ip[4], /* I - Client address */
1114 char *name, /* I - Client hostname */
1115 int namelen, /* I - Length of hostname */
1116 cupsd_location_t *loc) /* I - Location to check */
1117 {
1118 int allow; /* 1 if allowed, 0 otherwise */
1119
1120
1121 if (!strcasecmp(name, "localhost"))
1122 {
1123 /*
1124 * Access from localhost (127.0.0.1 or ::1) is always allowed...
1125 */
1126
1127 return (1);
1128 }
1129 else
1130 {
1131 /*
1132 * Do authorization checks on the domain/address...
1133 */
1134
1135 switch (loc->order_type)
1136 {
1137 default :
1138 allow = 0; /* anti-compiler-warning-code */
1139 break;
1140
1141 case CUPSD_AUTH_ALLOW : /* Order Deny,Allow */
1142 allow = 1;
1143
1144 if (cupsdCheckAuth(ip, name, namelen, loc->num_deny, loc->deny))
1145 allow = 0;
1146
1147 if (cupsdCheckAuth(ip, name, namelen, loc->num_allow, loc->allow))
1148 allow = 1;
1149 break;
1150
1151 case CUPSD_AUTH_DENY : /* Order Allow,Deny */
1152 allow = 0;
1153
1154 if (cupsdCheckAuth(ip, name, namelen, loc->num_allow, loc->allow))
1155 allow = 1;
1156
1157 if (cupsdCheckAuth(ip, name, namelen, loc->num_deny, loc->deny))
1158 allow = 0;
1159 break;
1160 }
1161 }
1162
1163 return (allow);
1164 }
1165
1166
1167 /*
1168 * 'cupsdCheckAuth()' - Check authorization masks.
1169 */
1170
1171 int /* O - 1 if mask matches, 0 otherwise */
1172 cupsdCheckAuth(
1173 unsigned ip[4], /* I - Client address */
1174 char *name, /* I - Client hostname */
1175 int name_len, /* I - Length of hostname */
1176 int num_masks, /* I - Number of masks */
1177 cupsd_authmask_t *masks) /* I - Masks */
1178 {
1179 int i; /* Looping var */
1180 cupsd_netif_t *iface; /* Network interface */
1181 unsigned netip4; /* IPv4 network address */
1182 #ifdef AF_INET6
1183 unsigned netip6[4]; /* IPv6 network address */
1184 #endif /* AF_INET6 */
1185
1186 while (num_masks > 0)
1187 {
1188 switch (masks->type)
1189 {
1190 case CUPSD_AUTH_INTERFACE :
1191 /*
1192 * Check for a match with a network interface...
1193 */
1194
1195 netip4 = htonl(ip[3]);
1196
1197 #ifdef AF_INET6
1198 netip6[0] = htonl(ip[0]);
1199 netip6[1] = htonl(ip[1]);
1200 netip6[2] = htonl(ip[2]);
1201 netip6[3] = htonl(ip[3]);
1202 #endif /* AF_INET6 */
1203
1204 if (!strcmp(masks->mask.name.name, "*"))
1205 {
1206 /*
1207 * Check against all local interfaces...
1208 */
1209
1210 cupsdNetIFUpdate();
1211
1212 for (iface = (cupsd_netif_t *)cupsArrayFirst(NetIFList);
1213 iface;
1214 iface = (cupsd_netif_t *)cupsArrayNext(NetIFList))
1215 {
1216 /*
1217 * Only check local interfaces...
1218 */
1219
1220 if (!iface->is_local)
1221 continue;
1222
1223 if (iface->address.addr.sa_family == AF_INET)
1224 {
1225 /*
1226 * Check IPv4 address...
1227 */
1228
1229 if ((netip4 & iface->mask.ipv4.sin_addr.s_addr) ==
1230 (iface->address.ipv4.sin_addr.s_addr &
1231 iface->mask.ipv4.sin_addr.s_addr))
1232 return (1);
1233 }
1234 #ifdef AF_INET6
1235 else
1236 {
1237 /*
1238 * Check IPv6 address...
1239 */
1240
1241 for (i = 0; i < 4; i ++)
1242 if ((netip6[i] & iface->mask.ipv6.sin6_addr.s6_addr32[i]) !=
1243 (iface->address.ipv6.sin6_addr.s6_addr32[i] &
1244 iface->mask.ipv6.sin6_addr.s6_addr32[i]))
1245 break;
1246
1247 if (i == 4)
1248 return (1);
1249 }
1250 #endif /* AF_INET6 */
1251 }
1252 }
1253 else
1254 {
1255 /*
1256 * Check the named interface...
1257 */
1258
1259 for (iface = (cupsd_netif_t *)cupsArrayFirst(NetIFList);
1260 iface;
1261 iface = (cupsd_netif_t *)cupsArrayNext(NetIFList))
1262 {
1263 if (strcmp(masks->mask.name.name, iface->name))
1264 continue;
1265
1266 if (iface->address.addr.sa_family == AF_INET)
1267 {
1268 /*
1269 * Check IPv4 address...
1270 */
1271
1272 if ((netip4 & iface->mask.ipv4.sin_addr.s_addr) ==
1273 (iface->address.ipv4.sin_addr.s_addr &
1274 iface->mask.ipv4.sin_addr.s_addr))
1275 return (1);
1276 }
1277 #ifdef AF_INET6
1278 else
1279 {
1280 /*
1281 * Check IPv6 address...
1282 */
1283
1284 for (i = 0; i < 4; i ++)
1285 if ((netip6[i] & iface->mask.ipv6.sin6_addr.s6_addr32[i]) !=
1286 (iface->address.ipv6.sin6_addr.s6_addr32[i] &
1287 iface->mask.ipv6.sin6_addr.s6_addr32[i]))
1288 break;
1289
1290 if (i == 4)
1291 return (1);
1292 }
1293 #endif /* AF_INET6 */
1294 }
1295 }
1296 break;
1297
1298 case CUPSD_AUTH_NAME :
1299 /*
1300 * Check for exact name match...
1301 */
1302
1303 if (!strcasecmp(name, masks->mask.name.name))
1304 return (1);
1305
1306 /*
1307 * Check for domain match...
1308 */
1309
1310 if (name_len >= masks->mask.name.length &&
1311 masks->mask.name.name[0] == '.' &&
1312 !strcasecmp(name + name_len - masks->mask.name.length,
1313 masks->mask.name.name))
1314 return (1);
1315 break;
1316
1317 case CUPSD_AUTH_IP :
1318 /*
1319 * Check for IP/network address match...
1320 */
1321
1322 for (i = 0; i < 4; i ++)
1323 if ((ip[i] & masks->mask.ip.netmask[i]) !=
1324 masks->mask.ip.address[i])
1325 break;
1326
1327 if (i == 4)
1328 return (1);
1329 break;
1330 }
1331
1332 masks ++;
1333 num_masks --;
1334 }
1335
1336 return (0);
1337 }
1338
1339
1340 /*
1341 * 'cupsdCheckGroup()' - Check for a user's group membership.
1342 */
1343
1344 int /* O - 1 if user is a member, 0 otherwise */
1345 cupsdCheckGroup(
1346 const char *username, /* I - User name */
1347 struct passwd *user, /* I - System user info */
1348 const char *groupname) /* I - Group name */
1349 {
1350 int i; /* Looping var */
1351 struct group *group; /* System group info */
1352 char junk[33]; /* MD5 password (not used) */
1353 #ifdef HAVE_MBR_UID_TO_UUID
1354 uuid_t useruuid, /* UUID for username */
1355 groupuuid; /* UUID for groupname */
1356 int is_member; /* True if user is a member of group */
1357 #endif /* HAVE_MBR_UID_TO_UUID */
1358
1359
1360 cupsdLogMessage(CUPSD_LOG_DEBUG2,
1361 "cupsdCheckGroup(username=\"%s\", user=%p, groupname=\"%s\")",
1362 username, user, groupname);
1363
1364 /*
1365 * Validate input...
1366 */
1367
1368 if (!username || !groupname)
1369 return (0);
1370
1371 /*
1372 * Check to see if the user is a member of the named group...
1373 */
1374
1375 group = getgrnam(groupname);
1376 endgrent();
1377
1378 if (group != NULL)
1379 {
1380 /*
1381 * Group exists, check it...
1382 */
1383
1384 for (i = 0; group->gr_mem[i]; i ++)
1385 if (!strcasecmp(username, group->gr_mem[i]))
1386 return (1);
1387 }
1388
1389 /*
1390 * Group doesn't exist or user not in group list, check the group ID
1391 * against the user's group ID...
1392 */
1393
1394 if (user && group && group->gr_gid == user->pw_gid)
1395 return (1);
1396
1397 #ifdef HAVE_MBR_UID_TO_UUID
1398 /*
1399 * Check group membership through MacOS X membership API...
1400 */
1401
1402 if (user && group)
1403 if (!mbr_uid_to_uuid(user->pw_uid, useruuid))
1404 if (!mbr_gid_to_uuid(group->gr_gid, groupuuid))
1405 if (!mbr_check_membership(useruuid, groupuuid, &is_member))
1406 if (is_member)
1407 return (1);
1408 #endif /* HAVE_MBR_UID_TO_UUID */
1409
1410 /*
1411 * Username not found, group not found, or user is not part of the
1412 * system group... Check for a user and group in the MD5 password
1413 * file...
1414 */
1415
1416 if (get_md5_password(username, groupname, junk) != NULL)
1417 return (1);
1418
1419 /*
1420 * If we get this far, then the user isn't part of the named group...
1421 */
1422
1423 return (0);
1424 }
1425
1426
1427 /*
1428 * 'cupsdCopyLocation()' - Make a copy of a location...
1429 */
1430
1431 cupsd_location_t * /* O - New location */
1432 cupsdCopyLocation(
1433 cupsd_location_t **loc) /* IO - Original location */
1434 {
1435 int i; /* Looping var */
1436 cupsd_location_t *temp; /* New location */
1437 char location[HTTP_MAX_URI];
1438 /* Location of resource */
1439
1440
1441 /*
1442 * Use a local copy of location because cupsdAddLocation may cause
1443 * this memory to be moved...
1444 */
1445
1446 strlcpy(location, (*loc)->location, sizeof(location));
1447
1448 if ((temp = cupsdAddLocation(location)) == NULL)
1449 return (NULL);
1450
1451 /*
1452 * Copy the information from the original location to the new one.
1453 */
1454
1455 temp->limit = (*loc)->limit;
1456 temp->order_type = (*loc)->order_type;
1457 temp->type = (*loc)->type;
1458 temp->level = (*loc)->level;
1459 temp->satisfy = (*loc)->satisfy;
1460 temp->encryption = (*loc)->encryption;
1461
1462 if ((temp->num_names = (*loc)->num_names) > 0)
1463 {
1464 /*
1465 * Copy the names array...
1466 */
1467
1468 if ((temp->names = calloc(temp->num_names, sizeof(char *))) == NULL)
1469 {
1470 cupsdLogMessage(CUPSD_LOG_ERROR,
1471 "cupsdCopyLocation: Unable to allocate memory for %d names: %s",
1472 temp->num_names, strerror(errno));
1473
1474 cupsdDeleteLocation(temp);
1475 return (NULL);
1476 }
1477
1478 for (i = 0; i < temp->num_names; i ++)
1479 if ((temp->names[i] = strdup((*loc)->names[i])) == NULL)
1480 {
1481 cupsdLogMessage(CUPSD_LOG_ERROR,
1482 "cupsdCopyLocation: Unable to copy name \"%s\": %s",
1483 (*loc)->names[i], strerror(errno));
1484
1485 cupsdDeleteLocation(temp);
1486 return (NULL);
1487 }
1488 }
1489
1490 if ((temp->num_allow = (*loc)->num_allow) > 0)
1491 {
1492 /*
1493 * Copy allow rules...
1494 */
1495
1496 if ((temp->allow = calloc(temp->num_allow, sizeof(cupsd_authmask_t))) == NULL)
1497 {
1498 cupsdLogMessage(CUPSD_LOG_ERROR,
1499 "cupsdCopyLocation: Unable to allocate memory for %d allow rules: %s",
1500 temp->num_allow, strerror(errno));
1501 cupsdDeleteLocation(temp);
1502 return (NULL);
1503 }
1504
1505 for (i = 0; i < temp->num_allow; i ++)
1506 switch (temp->allow[i].type = (*loc)->allow[i].type)
1507 {
1508 case CUPSD_AUTH_NAME :
1509 temp->allow[i].mask.name.length = (*loc)->allow[i].mask.name.length;
1510 temp->allow[i].mask.name.name = strdup((*loc)->allow[i].mask.name.name);
1511
1512 if (temp->allow[i].mask.name.name == NULL)
1513 {
1514 cupsdLogMessage(CUPSD_LOG_ERROR,
1515 "cupsdCopyLocation: Unable to copy allow name \"%s\": %s",
1516 (*loc)->allow[i].mask.name.name, strerror(errno));
1517 cupsdDeleteLocation(temp);
1518 return (NULL);
1519 }
1520 break;
1521 case CUPSD_AUTH_IP :
1522 memcpy(&(temp->allow[i].mask.ip), &((*loc)->allow[i].mask.ip),
1523 sizeof(cupsd_ipmask_t));
1524 break;
1525 }
1526 }
1527
1528 if ((temp->num_deny = (*loc)->num_deny) > 0)
1529 {
1530 /*
1531 * Copy deny rules...
1532 */
1533
1534 if ((temp->deny = calloc(temp->num_deny, sizeof(cupsd_authmask_t))) == NULL)
1535 {
1536 cupsdLogMessage(CUPSD_LOG_ERROR,
1537 "cupsdCopyLocation: Unable to allocate memory for %d deny rules: %s",
1538 temp->num_deny, strerror(errno));
1539 cupsdDeleteLocation(temp);
1540 return (NULL);
1541 }
1542
1543 for (i = 0; i < temp->num_deny; i ++)
1544 switch (temp->deny[i].type = (*loc)->deny[i].type)
1545 {
1546 case CUPSD_AUTH_NAME :
1547 temp->deny[i].mask.name.length = (*loc)->deny[i].mask.name.length;
1548 temp->deny[i].mask.name.name = strdup((*loc)->deny[i].mask.name.name);
1549
1550 if (temp->deny[i].mask.name.name == NULL)
1551 {
1552 cupsdLogMessage(CUPSD_LOG_ERROR,
1553 "cupsdCopyLocation: Unable to copy deny name \"%s\": %s",
1554 (*loc)->deny[i].mask.name.name, strerror(errno));
1555 cupsdDeleteLocation(temp);
1556 return (NULL);
1557 }
1558 break;
1559 case CUPSD_AUTH_IP :
1560 memcpy(&(temp->deny[i].mask.ip), &((*loc)->deny[i].mask.ip),
1561 sizeof(cupsd_ipmask_t));
1562 break;
1563 }
1564 }
1565
1566 return (temp);
1567 }
1568
1569
1570 /*
1571 * 'cupsdDeleteAllLocations()' - Free all memory used for location authorization.
1572 */
1573
1574 void
1575 cupsdDeleteAllLocations(void)
1576 {
1577 cupsd_location_t *loc; /* Current location */
1578
1579
1580 /*
1581 * Free all of the allow/deny records first...
1582 */
1583
1584 for (loc = (cupsd_location_t *)cupsArrayFirst(Locations);
1585 loc;
1586 loc = (cupsd_location_t *)cupsArrayNext(Locations))
1587 cupsdDeleteLocation(loc);
1588
1589 /*
1590 * Then free the location array...
1591 */
1592
1593 cupsArrayDelete(Locations);
1594 Locations = NULL;
1595 }
1596
1597
1598 /*
1599 * 'cupsdDeleteLocation()' - Free all memory used by a location.
1600 */
1601
1602 void
1603 cupsdDeleteLocation(
1604 cupsd_location_t *loc) /* I - Location to delete */
1605 {
1606 int i; /* Looping var */
1607 cupsd_authmask_t *mask; /* Current mask */
1608
1609
1610 cupsArrayRemove(Locations, loc);
1611
1612 for (i = loc->num_names - 1; i >= 0; i --)
1613 free(loc->names[i]);
1614
1615 if (loc->num_names > 0)
1616 free(loc->names);
1617
1618 for (i = loc->num_allow, mask = loc->allow; i > 0; i --, mask ++)
1619 if (mask->type == CUPSD_AUTH_NAME || mask->type == CUPSD_AUTH_INTERFACE)
1620 free(mask->mask.name.name);
1621
1622 if (loc->num_allow > 0)
1623 free(loc->allow);
1624
1625 for (i = loc->num_deny, mask = loc->deny; i > 0; i --, mask ++)
1626 if (mask->type == CUPSD_AUTH_NAME || mask->type == CUPSD_AUTH_INTERFACE)
1627 free(mask->mask.name.name);
1628
1629 if (loc->num_deny > 0)
1630 free(loc->deny);
1631
1632 free(loc->location);
1633 free(loc);
1634 }
1635
1636
1637 /*
1638 * 'cupsdDenyHost()' - Add a host name that is not allowed to access the
1639 * location.
1640 */
1641
1642 void
1643 cupsdDenyHost(cupsd_location_t *loc, /* I - Location to add to */
1644 char *name) /* I - Name of host or domain to add */
1645 {
1646 cupsd_authmask_t *temp; /* New host/domain mask */
1647 char ifname[32], /* Interface name */
1648 *ifptr; /* Pointer to end of name */
1649
1650
1651 cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdDenyHost(loc=%p(%s), name=\"%s\")",
1652 loc, loc->location ? loc->location : "nil", name);
1653
1654 if ((temp = add_deny(loc)) == NULL)
1655 return;
1656
1657 if (!strcasecmp(name, "@LOCAL"))
1658 {
1659 /*
1660 * Deny *interface*...
1661 */
1662
1663 temp->type = CUPSD_AUTH_INTERFACE;
1664 temp->mask.name.name = strdup("*");
1665 temp->mask.name.length = 1;
1666 }
1667 else if (!strncasecmp(name, "@IF(", 4))
1668 {
1669 /*
1670 * Deny *interface*...
1671 */
1672
1673 strlcpy(ifname, name + 4, sizeof(ifname));
1674
1675 ifptr = ifname + strlen(ifname);
1676
1677 if (ifptr[-1] == ')')
1678 {
1679 ifptr --;
1680 *ifptr = '\0';
1681 }
1682
1683 temp->type = CUPSD_AUTH_INTERFACE;
1684 temp->mask.name.name = strdup(ifname);
1685 temp->mask.name.length = ifptr - ifname;
1686 }
1687 else
1688 {
1689 /*
1690 * Deny name...
1691 */
1692
1693 temp->type = CUPSD_AUTH_NAME;
1694 temp->mask.name.name = strdup(name);
1695 temp->mask.name.length = strlen(name);
1696 }
1697 }
1698
1699
1700 /*
1701 * 'cupsdDenyIP()' - Add an IP address or network that is not allowed to
1702 * access the location.
1703 */
1704
1705 void
1706 cupsdDenyIP(cupsd_location_t *loc, /* I - Location to add to */
1707 const unsigned address[4],/* I - IP address to add */
1708 const unsigned netmask[4])/* I - Netmask of address */
1709 {
1710 cupsd_authmask_t *temp; /* New host/domain mask */
1711
1712
1713 cupsdLogMessage(CUPSD_LOG_DEBUG,
1714 "cupsdDenyIP(loc=%p(%s), address=%x:%x:%x:%x, netmask=%x:%x:%x:%x)",
1715 loc, loc->location ? loc->location : "nil",
1716 address[0], address[1], address[2], address[3],
1717 netmask[0], netmask[1], netmask[2], netmask[3]);
1718
1719 if ((temp = add_deny(loc)) == NULL)
1720 return;
1721
1722 temp->type = CUPSD_AUTH_IP;
1723 memcpy(temp->mask.ip.address, address, sizeof(temp->mask.ip.address));
1724 memcpy(temp->mask.ip.netmask, netmask, sizeof(temp->mask.ip.netmask));
1725 }
1726
1727
1728 /*
1729 * 'cupsdFindBest()' - Find the location entry that best matches the resource.
1730 */
1731
1732 cupsd_location_t * /* O - Location that matches */
1733 cupsdFindBest(const char *path, /* I - Resource path */
1734 http_state_t state) /* I - HTTP state/request */
1735 {
1736 char uri[HTTP_MAX_URI],
1737 /* URI in request... */
1738 *uriptr; /* Pointer into URI */
1739 cupsd_location_t *loc, /* Current location */
1740 *best; /* Best match for location so far */
1741 int bestlen; /* Length of best match */
1742 int limit; /* Limit field */
1743 static const int limits[] = /* Map http_status_t to CUPSD_AUTH_LIMIT_xyz */
1744 {
1745 CUPSD_AUTH_LIMIT_ALL,
1746 CUPSD_AUTH_LIMIT_OPTIONS,
1747 CUPSD_AUTH_LIMIT_GET,
1748 CUPSD_AUTH_LIMIT_GET,
1749 CUPSD_AUTH_LIMIT_HEAD,
1750 CUPSD_AUTH_LIMIT_POST,
1751 CUPSD_AUTH_LIMIT_POST,
1752 CUPSD_AUTH_LIMIT_POST,
1753 CUPSD_AUTH_LIMIT_PUT,
1754 CUPSD_AUTH_LIMIT_PUT,
1755 CUPSD_AUTH_LIMIT_DELETE,
1756 CUPSD_AUTH_LIMIT_TRACE,
1757 CUPSD_AUTH_LIMIT_ALL,
1758 CUPSD_AUTH_LIMIT_ALL
1759 };
1760
1761
1762 /*
1763 * First copy the connection URI to a local string so we have drop
1764 * any .ppd extension from the pathname in /printers or /classes
1765 * URIs...
1766 */
1767
1768 strlcpy(uri, path, sizeof(uri));
1769
1770 if (!strncmp(uri, "/printers/", 10) ||
1771 !strncmp(uri, "/classes/", 9))
1772 {
1773 /*
1774 * Check if the URI has .ppd on the end...
1775 */
1776
1777 uriptr = uri + strlen(uri) - 4; /* len > 4 if we get here... */
1778
1779 if (!strcmp(uriptr, ".ppd"))
1780 *uriptr = '\0';
1781 }
1782
1783 cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdFindBest: uri = \"%s\"...", uri);
1784
1785 /*
1786 * Loop through the list of locations to find a match...
1787 */
1788
1789 limit = limits[state];
1790 best = NULL;
1791 bestlen = 0;
1792
1793 for (loc = (cupsd_location_t *)cupsArrayFirst(Locations);
1794 loc;
1795 loc = (cupsd_location_t *)cupsArrayNext(Locations))
1796 {
1797 cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdFindBest: Location %s Limit %x",
1798 loc->location ? loc->location : "nil", loc->limit);
1799
1800 if (!strncmp(uri, "/printers/", 10) || !strncmp(uri, "/classes/", 9))
1801 {
1802 /*
1803 * Use case-insensitive comparison for queue names...
1804 */
1805
1806 if (loc->length > bestlen && loc->location &&
1807 !strncasecmp(uri, loc->location, loc->length) &&
1808 loc->location[0] == '/' &&
1809 (limit & loc->limit) != 0)
1810 {
1811 best = loc;
1812 bestlen = loc->length;
1813 }
1814 }
1815 else
1816 {
1817 /*
1818 * Use case-sensitive comparison for other URIs...
1819 */
1820
1821 if (loc->length > bestlen && loc->location &&
1822 !strncmp(uri, loc->location, loc->length) &&
1823 loc->location[0] == '/' &&
1824 (limit & loc->limit) != 0)
1825 {
1826 best = loc;
1827 bestlen = loc->length;
1828 }
1829 }
1830 }
1831
1832 /*
1833 * Return the match, if any...
1834 */
1835
1836 cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdFindBest: best = %s",
1837 best ? best->location : "NONE");
1838
1839 return (best);
1840 }
1841
1842
1843 /*
1844 * 'cupsdFindLocation()' - Find the named location.
1845 */
1846
1847 cupsd_location_t * /* O - Location that matches */
1848 cupsdFindLocation(const char *location) /* I - Connection */
1849 {
1850 cupsd_location_t key; /* Search key */
1851
1852
1853 key.location = (char *)location;
1854
1855 return ((cupsd_location_t *)cupsArrayFind(Locations, &key));
1856 }
1857
1858
1859 /*
1860 * 'cupsdIsAuthorized()' - Check to see if the user is authorized...
1861 */
1862
1863 http_status_t /* O - HTTP_OK if authorized or error code */
1864 cupsdIsAuthorized(cupsd_client_t *con, /* I - Connection */
1865 const char *owner)/* I - Owner of object */
1866 {
1867 int i, j, /* Looping vars */
1868 auth, /* Authorization status */
1869 type; /* Type of authentication */
1870 unsigned address[4]; /* Authorization address */
1871 cupsd_location_t *best; /* Best match for location so far */
1872 int hostlen; /* Length of hostname */
1873 char username[256], /* Username to authorize */
1874 ownername[256], /* Owner name to authorize */
1875 *ptr; /* Pointer into username */
1876 struct passwd *pw; /* User password data */
1877 static const char * const levels[] = /* Auth levels */
1878 {
1879 "ANON",
1880 "USER",
1881 "GROUP"
1882 };
1883 static const char * const types[] = /* Auth types */
1884 {
1885 "None",
1886 "Basic",
1887 "Digest",
1888 "BasicDigest",
1889 "Negotiate"
1890 };
1891
1892
1893 cupsdLogMessage(CUPSD_LOG_DEBUG2,
1894 "cupsdIsAuthorized: con->uri=\"%s\", con->best=%p(%s)",
1895 con->uri, con->best, con->best ? con->best->location ?
1896 con->best->location : "(null)" : "");
1897 if (owner)
1898 cupsdLogMessage(CUPSD_LOG_DEBUG2,
1899 "cupsdIsAuthorized: owner=\"%s\"", owner);
1900
1901 /*
1902 * If there is no "best" authentication rule for this request, then
1903 * access is allowed from the local system and denied from other
1904 * addresses...
1905 */
1906
1907 if (!con->best)
1908 {
1909 if (!strcmp(con->http.hostname, "localhost") ||
1910 !strcmp(con->http.hostname, ServerName))
1911 return (HTTP_OK);
1912 else
1913 return (HTTP_FORBIDDEN);
1914 }
1915
1916 best = con->best;
1917
1918 if ((type = best->type) == CUPSD_AUTH_DEFAULT)
1919 type = DefaultAuthType;
1920
1921 cupsdLogMessage(CUPSD_LOG_DEBUG2,
1922 "cupsdIsAuthorized: level=CUPSD_AUTH_%s, type=%s, "
1923 "satisfy=CUPSD_AUTH_SATISFY_%s, num_names=%d",
1924 levels[best->level], types[type],
1925 best->satisfy ? "ANY" : "ALL", best->num_names);
1926
1927 if (best->limit == CUPSD_AUTH_LIMIT_IPP)
1928 cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdIsAuthorized: op=%x(%s)",
1929 best->op, ippOpString(best->op));
1930
1931 /*
1932 * Check host/ip-based accesses...
1933 */
1934
1935 #ifdef AF_INET6
1936 if (con->http.hostaddr->addr.sa_family == AF_INET6)
1937 {
1938 /*
1939 * Copy IPv6 address...
1940 */
1941
1942 address[0] = ntohl(con->http.hostaddr->ipv6.sin6_addr.s6_addr32[0]);
1943 address[1] = ntohl(con->http.hostaddr->ipv6.sin6_addr.s6_addr32[1]);
1944 address[2] = ntohl(con->http.hostaddr->ipv6.sin6_addr.s6_addr32[2]);
1945 address[3] = ntohl(con->http.hostaddr->ipv6.sin6_addr.s6_addr32[3]);
1946 }
1947 else
1948 #endif /* AF_INET6 */
1949 if (con->http.hostaddr->addr.sa_family == AF_INET)
1950 {
1951 /*
1952 * Copy IPv4 address...
1953 */
1954
1955 address[0] = 0;
1956 address[1] = 0;
1957 address[2] = 0;
1958 address[3] = ntohl(con->http.hostaddr->ipv4.sin_addr.s_addr);
1959 }
1960 else
1961 memset(address, 0, sizeof(address));
1962
1963 hostlen = strlen(con->http.hostname);
1964
1965 auth = cupsdCheckAccess(address, con->http.hostname, hostlen, best)
1966 ? CUPSD_AUTH_ALLOW : CUPSD_AUTH_DENY;
1967
1968 cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdIsAuthorized: auth=CUPSD_AUTH_%s...",
1969 auth ? "DENY" : "ALLOW");
1970
1971 if (auth == CUPSD_AUTH_DENY && best->satisfy == CUPSD_AUTH_SATISFY_ALL)
1972 return (HTTP_FORBIDDEN);
1973
1974 #ifdef HAVE_SSL
1975 /*
1976 * See if encryption is required...
1977 */
1978
1979 if ((best->encryption >= HTTP_ENCRYPT_REQUIRED && !con->http.tls &&
1980 strcasecmp(con->http.hostname, "localhost") &&
1981 best->satisfy == CUPSD_AUTH_SATISFY_ALL) &&
1982 !(type == CUPSD_AUTH_NEGOTIATE ||
1983 (type == CUPSD_AUTH_NONE && DefaultAuthType == CUPSD_AUTH_NEGOTIATE)))
1984 {
1985 cupsdLogMessage(CUPSD_LOG_DEBUG,
1986 "cupsdIsAuthorized: Need upgrade to TLS...");
1987 return (HTTP_UPGRADE_REQUIRED);
1988 }
1989 #endif /* HAVE_SSL */
1990
1991 /*
1992 * Now see what access level is required...
1993 */
1994
1995 if (best->level == CUPSD_AUTH_ANON || /* Anonymous access - allow it */
1996 (type == CUPSD_AUTH_NONE && best->num_names == 0))
1997 return (HTTP_OK);
1998
1999 if (!con->username[0] && type == CUPSD_AUTH_NONE &&
2000 best->limit == CUPSD_AUTH_LIMIT_IPP)
2001 {
2002 /*
2003 * Check for unauthenticated username...
2004 */
2005
2006 ipp_attribute_t *attr; /* requesting-user-name attribute */
2007
2008
2009 attr = ippFindAttribute(con->request, "requesting-user-name", IPP_TAG_NAME);
2010 if (attr)
2011 {
2012 cupsdLogMessage(CUPSD_LOG_DEBUG,
2013 "cupsdIsAuthorized: requesting-user-name=\"%s\"",
2014 attr->values[0].string.text);
2015 strlcpy(username, attr->values[0].string.text, sizeof(username));
2016 }
2017 else if (best->satisfy == CUPSD_AUTH_SATISFY_ALL || auth == CUPSD_AUTH_DENY)
2018 return (HTTP_UNAUTHORIZED); /* Non-anonymous needs user/pass */
2019 else
2020 return (HTTP_OK); /* unless overridden with Satisfy */
2021 }
2022 else
2023 {
2024 cupsdLogMessage(CUPSD_LOG_DEBUG, "cupsdIsAuthorized: username=\"%s\"",
2025 con->username);
2026
2027 #ifdef HAVE_AUTHORIZATION_H
2028 if (!con->username[0] && !con->authref)
2029 #else
2030 if (!con->username[0])
2031 #endif /* HAVE_AUTHORIZATION_H */
2032 {
2033 if (best->satisfy == CUPSD_AUTH_SATISFY_ALL || auth == CUPSD_AUTH_DENY)
2034 return (HTTP_UNAUTHORIZED); /* Non-anonymous needs user/pass */
2035 else
2036 return (HTTP_OK); /* unless overridden with Satisfy */
2037 }
2038
2039 if (con->type != type && type != CUPSD_AUTH_NONE &&
2040 (con->type != CUPSD_AUTH_BASIC || type != CUPSD_AUTH_BASICDIGEST))
2041 {
2042 cupsdLogMessage(CUPSD_LOG_ERROR, "Authorized using %s, expected %s!",
2043 types[con->type], types[type]);
2044
2045 return (HTTP_UNAUTHORIZED);
2046 }
2047
2048 strlcpy(username, con->username, sizeof(username));
2049 }
2050
2051 /*
2052 * OK, got a username. See if we need normal user access, or group
2053 * access... (root always matches)
2054 */
2055
2056 if (!strcmp(username, "root"))
2057 return (HTTP_OK);
2058
2059 /*
2060 * Strip any @domain or @KDC from the username and owner...
2061 */
2062
2063 if ((ptr = strchr(username, '@')) != NULL)
2064 *ptr = '\0';
2065
2066 if (owner)
2067 {
2068 strlcpy(ownername, owner, sizeof(ownername));
2069
2070 if ((ptr = strchr(ownername, '@')) != NULL)
2071 *ptr = '\0';
2072 }
2073 else
2074 ownername[0] = '\0';
2075
2076 /*
2077 * Get the user info...
2078 */
2079
2080 if (username[0])
2081 {
2082 pw = getpwnam(username);
2083 endpwent();
2084 }
2085 else
2086 pw = NULL;
2087
2088 if (best->level == CUPSD_AUTH_USER)
2089 {
2090 /*
2091 * If there are no names associated with this location, then
2092 * any valid user is OK...
2093 */
2094
2095 if (best->num_names == 0)
2096 return (HTTP_OK);
2097
2098 /*
2099 * Otherwise check the user list and return OK if this user is
2100 * allowed...
2101 */
2102
2103 cupsdLogMessage(CUPSD_LOG_DEBUG2,
2104 "cupsdIsAuthorized: Checking user membership...");
2105
2106 #ifdef HAVE_AUTHORIZATION_H
2107 /*
2108 * If an authorization reference was supplied it must match a right name...
2109 */
2110
2111 if (con->authref)
2112 {
2113 for (i = 0; i < best->num_names; i ++)
2114 {
2115 if (!strncasecmp(best->names[i], "@AUTHKEY(", 9) &&
2116 check_authref(con, best->names[i] + 9))
2117 return (HTTP_OK);
2118 else if (!strcasecmp(best->names[i], "@SYSTEM") &&
2119 SystemGroupAuthKey &&
2120 check_authref(con, SystemGroupAuthKey))
2121 return (HTTP_OK);
2122 }
2123
2124 return (HTTP_UNAUTHORIZED);
2125 }
2126 #endif /* HAVE_AUTHORIZATION_H */
2127
2128 for (i = 0; i < best->num_names; i ++)
2129 {
2130 if (!strcasecmp(best->names[i], "@OWNER") && owner &&
2131 !strcasecmp(username, ownername))
2132 return (HTTP_OK);
2133 else if (!strcasecmp(best->names[i], "@SYSTEM"))
2134 {
2135 for (j = 0; j < NumSystemGroups; j ++)
2136 if (cupsdCheckGroup(username, pw, SystemGroups[j]))
2137 return (HTTP_OK);
2138 }
2139 else if (best->names[i][0] == '@')
2140 {
2141 if (cupsdCheckGroup(username, pw, best->names[i] + 1))
2142 return (HTTP_OK);
2143 }
2144 else if (!strcasecmp(username, best->names[i]))
2145 return (HTTP_OK);
2146 }
2147
2148 return (HTTP_UNAUTHORIZED);
2149 }
2150
2151 /*
2152 * Check to see if this user is in any of the named groups...
2153 */
2154
2155 cupsdLogMessage(CUPSD_LOG_DEBUG2,
2156 "cupsdIsAuthorized: Checking group membership...");
2157
2158 /*
2159 * Check to see if this user is in any of the named groups...
2160 */
2161
2162 for (i = 0; i < best->num_names; i ++)
2163 {
2164 cupsdLogMessage(CUPSD_LOG_DEBUG2,
2165 "cupsdIsAuthorized: Checking group \"%s\" membership...",
2166 best->names[i]);
2167
2168 if (!strcasecmp(best->names[i], "@SYSTEM"))
2169 {
2170 for (j = 0; j < NumSystemGroups; j ++)
2171 if (cupsdCheckGroup(username, pw, SystemGroups[j]))
2172 return (HTTP_OK);
2173 }
2174 else if (cupsdCheckGroup(username, pw, best->names[i]))
2175 return (HTTP_OK);
2176 }
2177
2178 /*
2179 * The user isn't part of the specified group, so deny access...
2180 */
2181
2182 cupsdLogMessage(CUPSD_LOG_DEBUG,
2183 "cupsdIsAuthorized: User not in group(s)!");
2184
2185 return (HTTP_UNAUTHORIZED);
2186 }
2187
2188
2189 /*
2190 * 'add_allow()' - Add an allow mask to the location.
2191 */
2192
2193 static cupsd_authmask_t * /* O - New mask record */
2194 add_allow(cupsd_location_t *loc) /* I - Location to add to */
2195 {
2196 cupsd_authmask_t *temp; /* New mask record */
2197
2198
2199 /*
2200 * Range-check...
2201 */
2202
2203 if (loc == NULL)
2204 return (NULL);
2205
2206 /*
2207 * Try to allocate memory for the record...
2208 */
2209
2210 if (loc->num_allow == 0)
2211 temp = malloc(sizeof(cupsd_authmask_t));
2212 else
2213 temp = realloc(loc->allow, sizeof(cupsd_authmask_t) * (loc->num_allow + 1));
2214
2215 if (temp == NULL)
2216 return (NULL);
2217
2218 loc->allow = temp;
2219 temp += loc->num_allow;
2220 loc->num_allow ++;
2221
2222 /*
2223 * Clear the mask record and return...
2224 */
2225
2226 memset(temp, 0, sizeof(cupsd_authmask_t));
2227 return (temp);
2228 }
2229
2230
2231 /*
2232 * 'add_deny()' - Add a deny mask to the location.
2233 */
2234
2235 static cupsd_authmask_t * /* O - New mask record */
2236 add_deny(cupsd_location_t *loc) /* I - Location to add to */
2237 {
2238 cupsd_authmask_t *temp; /* New mask record */
2239
2240
2241 /*
2242 * Range-check...
2243 */
2244
2245 if (loc == NULL)
2246 return (NULL);
2247
2248 /*
2249 * Try to allocate memory for the record...
2250 */
2251
2252 if (loc->num_deny == 0)
2253 temp = malloc(sizeof(cupsd_authmask_t));
2254 else
2255 temp = realloc(loc->deny, sizeof(cupsd_authmask_t) * (loc->num_deny + 1));
2256
2257 if (temp == NULL)
2258 return (NULL);
2259
2260 loc->deny = temp;
2261 temp += loc->num_deny;
2262 loc->num_deny ++;
2263
2264 /*
2265 * Clear the mask record and return...
2266 */
2267
2268 memset(temp, 0, sizeof(cupsd_authmask_t));
2269 return (temp);
2270 }
2271
2272
2273 #ifdef HAVE_AUTHORIZATION_H
2274 /*
2275 * 'check_authref()' - Check if an authorization services reference has the
2276 * supplied right.
2277 */
2278
2279 static int /* O - 1 if right is valid, 0 otherwise */
2280 check_authref(cupsd_client_t *con, /* I - Connection */
2281 const char *right) /* I - Right name */
2282 {
2283 OSStatus status; /* OS Status */
2284 AuthorizationItem authright; /* Authorization right */
2285 AuthorizationRights authrights; /* Authorization rights */
2286 AuthorizationFlags authflags; /* Authorization flags */
2287
2288
2289 /*
2290 * Check to see if the user is allowed to perform the task...
2291 */
2292
2293 if (!con->authref)
2294 return (0);
2295
2296 authright.name = right;
2297 authright.valueLength = 0;
2298 authright.value = NULL;
2299 authright.flags = 0;
2300
2301 authrights.count = 1;
2302 authrights.items = &authright;
2303
2304 authflags = kAuthorizationFlagDefaults |
2305 kAuthorizationFlagExtendRights;
2306
2307 if ((status = AuthorizationCopyRights(con->authref, &authrights,
2308 kAuthorizationEmptyEnvironment,
2309 authflags, NULL)) != 0)
2310 {
2311 cupsdLogMessage(CUPSD_LOG_ERROR,
2312 "AuthorizationCopyRights(\"%s\") returned %d (%s)",
2313 authright.name, (int)status, cssmErrorString(status));
2314 return (0);
2315 }
2316
2317 cupsdLogMessage(CUPSD_LOG_DEBUG2,
2318 "AuthorizationCopyRights(\"%s\") succeeded!",
2319 authright.name);
2320
2321 return (1);
2322 }
2323 #endif /* HAVE_AUTHORIZATION_H */
2324
2325
2326 /*
2327 * 'compare_locations()' - Compare two locations.
2328 */
2329
2330 static int /* O - Result of comparison */
2331 compare_locations(cupsd_location_t *a, /* I - First location */
2332 cupsd_location_t *b) /* I - Second location */
2333 {
2334 return (strcmp(b->location, a->location));
2335 }
2336
2337
2338 #if !HAVE_LIBPAM && !defined(HAVE_USERSEC_H)
2339 /*
2340 * 'cups_crypt()' - Encrypt the password using the DES or MD5 algorithms,
2341 * as needed.
2342 */
2343
2344 static char * /* O - Encrypted password */
2345 cups_crypt(const char *pw, /* I - Password string */
2346 const char *salt) /* I - Salt (key) string */
2347 {
2348 if (!strncmp(salt, "$1$", 3))
2349 {
2350 /*
2351 * Use MD5 passwords without the benefit of PAM; this is for
2352 * Slackware Linux, and the algorithm was taken from the
2353 * old shadow-19990827/lib/md5crypt.c source code... :(
2354 */
2355
2356 int i; /* Looping var */
2357 unsigned long n; /* Output number */
2358 int pwlen; /* Length of password string */
2359 const char *salt_end; /* End of "salt" data for MD5 */
2360 char *ptr; /* Pointer into result string */
2361 _cups_md5_state_t state; /* Primary MD5 state info */
2362 _cups_md5_state_t state2; /* Secondary MD5 state info */
2363 unsigned char digest[16]; /* MD5 digest result */
2364 static char result[120]; /* Final password string */
2365
2366
2367 /*
2368 * Get the salt data between dollar signs, e.g. $1$saltdata$md5.
2369 * Get a maximum of 8 characters of salt data after $1$...
2370 */
2371
2372 for (salt_end = salt + 3; *salt_end && (salt_end - salt) < 11; salt_end ++)
2373 if (*salt_end == '$')
2374 break;
2375
2376 /*
2377 * Compute the MD5 sum we need...
2378 */
2379
2380 pwlen = strlen(pw);
2381
2382 _cupsMD5Init(&state);
2383 _cupsMD5Append(&state, (unsigned char *)pw, pwlen);
2384 _cupsMD5Append(&state, (unsigned char *)salt, salt_end - salt);
2385
2386 _cupsMD5Init(&state2);
2387 _cupsMD5Append(&state2, (unsigned char *)pw, pwlen);
2388 _cupsMD5Append(&state2, (unsigned char *)salt + 3, salt_end - salt - 3);
2389 _cupsMD5Append(&state2, (unsigned char *)pw, pwlen);
2390 _cupsMD5Finish(&state2, digest);
2391
2392 for (i = pwlen; i > 0; i -= 16)
2393 _cupsMD5Append(&state, digest, i > 16 ? 16 : i);
2394
2395 for (i = pwlen; i > 0; i >>= 1)
2396 _cupsMD5Append(&state, (unsigned char *)((i & 1) ? "" : pw), 1);
2397
2398 _cupsMD5Finish(&state, digest);
2399
2400 for (i = 0; i < 1000; i ++)
2401 {
2402 _cupsMD5Init(&state);
2403
2404 if (i & 1)
2405 _cupsMD5Append(&state, (unsigned char *)pw, pwlen);
2406 else
2407 _cupsMD5Append(&state, digest, 16);
2408
2409 if (i % 3)
2410 _cupsMD5Append(&state, (unsigned char *)salt + 3, salt_end - salt - 3);
2411
2412 if (i % 7)
2413 _cupsMD5Append(&state, (unsigned char *)pw, pwlen);
2414
2415 if (i & 1)
2416 _cupsMD5Append(&state, digest, 16);
2417 else
2418 _cupsMD5Append(&state, (unsigned char *)pw, pwlen);
2419
2420 _cupsMD5Finish(&state, digest);
2421 }
2422
2423 /*
2424 * Copy the final sum to the result string and return...
2425 */
2426
2427 memcpy(result, salt, salt_end - salt);
2428 ptr = result + (salt_end - salt);
2429 *ptr++ = '$';
2430
2431 for (i = 0; i < 5; i ++, ptr += 4)
2432 {
2433 n = (((digest[i] << 8) | digest[i + 6]) << 8);
2434
2435 if (i < 4)
2436 n |= digest[i + 12];
2437 else
2438 n |= digest[5];
2439
2440 to64(ptr, n, 4);
2441 }
2442
2443 to64(ptr, digest[11], 2);
2444 ptr += 2;
2445 *ptr = '\0';
2446
2447 return (result);
2448 }
2449 else
2450 {
2451 /*
2452 * Use the standard crypt() function...
2453 */
2454
2455 return (crypt(pw, salt));
2456 }
2457 }
2458 #endif /* !HAVE_LIBPAM && !HAVE_USERSEC_H */
2459
2460
2461 #ifdef HAVE_GSSAPI
2462 /*
2463 * 'get_gss_creds()' - Obtain GSS credentials.
2464 */
2465
2466 static gss_cred_id_t /* O - Server credentials */
2467 get_gss_creds(const char *service_name) /* I - Service name */
2468 {
2469 OM_uint32 major_status, /* Major status code */
2470 minor_status; /* Minor status code */
2471 gss_name_t server_name; /* Server name */
2472 gss_cred_id_t server_creds; /* Server credentials */
2473 gss_buffer_desc token = GSS_C_EMPTY_BUFFER;
2474 /* Service name token */
2475 char buf[1024], /* Service name buffer */
2476 fqdn[HTTP_MAX_URI]; /* Hostname of server */
2477
2478
2479 snprintf(buf, sizeof(buf), "%s@%s", service_name,
2480 httpGetHostname(NULL, fqdn, sizeof(fqdn)));
2481
2482 token.value = buf;
2483 token.length = strlen(buf);
2484 server_name = GSS_C_NO_NAME;
2485 major_status = gss_import_name(&minor_status, &token,
2486 GSS_C_NT_HOSTBASED_SERVICE,
2487 &server_name);
2488
2489 memset(&token, 0, sizeof(token));
2490
2491 if (GSS_ERROR(major_status))
2492 {
2493 cupsdLogGSSMessage(CUPSD_LOG_WARN, major_status, minor_status,
2494 "gss_import_name() failed");
2495 return (NULL);
2496 }
2497
2498 major_status = gss_display_name(&minor_status, server_name, &token, NULL);
2499
2500 if (GSS_ERROR(major_status))
2501 {
2502 cupsdLogGSSMessage(CUPSD_LOG_WARN, major_status, minor_status,
2503 "gss_display_name() failed");
2504 return (NULL);
2505 }
2506
2507 cupsdLogMessage(CUPSD_LOG_DEBUG,
2508 "get_gss_creds: Attempting to acquire credentials for %s...",
2509 (char *)token.value);
2510
2511 server_creds = GSS_C_NO_CREDENTIAL;
2512 major_status = gss_acquire_cred(&minor_status, server_name, GSS_C_INDEFINITE,
2513 GSS_C_NO_OID_SET, GSS_C_ACCEPT,
2514 &server_creds, NULL, NULL);
2515 if (GSS_ERROR(major_status))
2516 {
2517 cupsdLogGSSMessage(CUPSD_LOG_WARN, major_status, minor_status,
2518 "gss_acquire_cred() failed");
2519 gss_release_name(&minor_status, &server_name);
2520 gss_release_buffer(&minor_status, &token);
2521 return (NULL);
2522 }
2523
2524 cupsdLogMessage(CUPSD_LOG_DEBUG,
2525 "get_gss_creds: Credentials acquired successfully for %s.",
2526 (char *)token.value);
2527
2528 gss_release_name(&minor_status, &server_name);
2529 gss_release_buffer(&minor_status, &token);
2530
2531 return (server_creds);
2532 }
2533 #endif /* HAVE_GSSAPI */
2534
2535
2536 /*
2537 * 'get_md5_password()' - Get an MD5 password.
2538 */
2539
2540 static char * /* O - MD5 password string */
2541 get_md5_password(const char *username, /* I - Username */
2542 const char *group, /* I - Group */
2543 char passwd[33]) /* O - MD5 password string */
2544 {
2545 cups_file_t *fp; /* passwd.md5 file */
2546 char filename[1024], /* passwd.md5 filename */
2547 line[256], /* Line from file */
2548 tempuser[33], /* User from file */
2549 tempgroup[33]; /* Group from file */
2550
2551
2552 cupsdLogMessage(CUPSD_LOG_DEBUG2,
2553 "get_md5_password(username=\"%s\", group=\"%s\", passwd=%p)",
2554 username, group ? group : "(null)", passwd);
2555
2556 snprintf(filename, sizeof(filename), "%s/passwd.md5", ServerRoot);
2557 if ((fp = cupsFileOpen(filename, "r")) == NULL)
2558 {
2559 if (errno != ENOENT)
2560 cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to open %s - %s", filename,
2561 strerror(errno));
2562
2563 return (NULL);
2564 }
2565
2566 while (cupsFileGets(fp, line, sizeof(line)) != NULL)
2567 {
2568 if (sscanf(line, "%32[^:]:%32[^:]:%32s", tempuser, tempgroup, passwd) != 3)
2569 {
2570 cupsdLogMessage(CUPSD_LOG_ERROR, "Bad MD5 password line: %s", line);
2571 continue;
2572 }
2573
2574 if (!strcmp(username, tempuser) &&
2575 (group == NULL || !strcmp(group, tempgroup)))
2576 {
2577 /*
2578 * Found the password entry!
2579 */
2580
2581 cupsdLogMessage(CUPSD_LOG_DEBUG2, "Found MD5 user %s, group %s...",
2582 username, tempgroup);
2583
2584 cupsFileClose(fp);
2585 return (passwd);
2586 }
2587 }
2588
2589 /*
2590 * Didn't find a password entry - return NULL!
2591 */
2592
2593 cupsFileClose(fp);
2594 return (NULL);
2595 }
2596
2597
2598 #if HAVE_LIBPAM
2599 /*
2600 * 'pam_func()' - PAM conversation function.
2601 */
2602
2603 static int /* O - Success or failure */
2604 pam_func(
2605 int num_msg, /* I - Number of messages */
2606 const struct pam_message **msg, /* I - Messages */
2607 struct pam_response **resp, /* O - Responses */
2608 void *appdata_ptr)
2609 /* I - Pointer to connection */
2610 {
2611 int i; /* Looping var */
2612 struct pam_response *replies; /* Replies */
2613 cupsd_authdata_t *data; /* Pointer to auth data */
2614
2615
2616 /*
2617 * Allocate memory for the responses...
2618 */
2619
2620 if ((replies = malloc(sizeof(struct pam_response) * num_msg)) == NULL)
2621 return (PAM_CONV_ERR);
2622
2623 /*
2624 * Answer all of the messages...
2625 */
2626
2627 DEBUG_printf(("pam_func: appdata_ptr = %p\n", appdata_ptr));
2628
2629 #ifdef __hpux
2630 /*
2631 * Apparently some versions of HP-UX 11 have a broken pam_unix security
2632 * module. This is a workaround...
2633 */
2634
2635 data = auth_data;
2636 (void)appdata_ptr;
2637 #else
2638 data = (cupsd_authdata_t *)appdata_ptr;
2639 #endif /* __hpux */
2640
2641 for (i = 0; i < num_msg; i ++)
2642 {
2643 DEBUG_printf(("pam_func: Message = \"%s\"\n", msg[i]->msg));
2644
2645 switch (msg[i]->msg_style)
2646 {
2647 case PAM_PROMPT_ECHO_ON:
2648 DEBUG_printf(("pam_func: PAM_PROMPT_ECHO_ON, returning \"%s\"...\n",
2649 data->username));
2650 replies[i].resp_retcode = PAM_SUCCESS;
2651 replies[i].resp = strdup(data->username);
2652 break;
2653
2654 case PAM_PROMPT_ECHO_OFF:
2655 DEBUG_printf(("pam_func: PAM_PROMPT_ECHO_OFF, returning \"%s\"...\n",
2656 data->password));
2657 replies[i].resp_retcode = PAM_SUCCESS;
2658 replies[i].resp = strdup(data->password);
2659 break;
2660
2661 case PAM_TEXT_INFO:
2662 DEBUG_puts("pam_func: PAM_TEXT_INFO...");
2663 replies[i].resp_retcode = PAM_SUCCESS;
2664 replies[i].resp = NULL;
2665 break;
2666
2667 case PAM_ERROR_MSG:
2668 DEBUG_puts("pam_func: PAM_ERROR_MSG...");
2669 replies[i].resp_retcode = PAM_SUCCESS;
2670 replies[i].resp = NULL;
2671 break;
2672
2673 default:
2674 DEBUG_printf(("pam_func: Unknown PAM message %d...\n",
2675 msg[i]->msg_style));
2676 free(replies);
2677 return (PAM_CONV_ERR);
2678 }
2679 }
2680
2681 /*
2682 * Return the responses back to PAM...
2683 */
2684
2685 *resp = replies;
2686
2687 return (PAM_SUCCESS);
2688 }
2689 #elif !defined(HAVE_USERSEC_H)
2690
2691
2692 /*
2693 * 'to64()' - Base64-encode an integer value...
2694 */
2695
2696 static void
2697 to64(char *s, /* O - Output string */
2698 unsigned long v, /* I - Value to encode */
2699 int n) /* I - Number of digits */
2700 {
2701 const char *itoa64 = "./0123456789"
2702 "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
2703 "abcdefghijklmnopqrstuvwxyz";
2704
2705
2706 for (; n > 0; n --, v >>= 6)
2707 *s++ = itoa64[v & 0x3f];
2708 }
2709 #endif /* HAVE_LIBPAM */
2710
2711
2712 /*
2713 * End of "$Id: auth.c 6947 2007-09-12 21:09:49Z mike $".
2714 */
Unnamed repository; edit this file 'description' to name the repository.