Merge changes from CUPS 1.4svn-r7282.
[thirdparty/cups.git] / cups / auth.c
index dd2d22c519d6f4e92ed4d58be515610f0a64ca1b..adc2436c90fc1d2d1da32e7f2769f2221ef7680b 100644 (file)
@@ -76,7 +76,7 @@ static int    cups_local_auth(http_t *http);
 /*
  * 'cupsDoAuthentication()' - Authenticate a request.
  *
- * This function should be called in response to a HTTP_UNAUTHORIZED
+ * This function should be called in response to a @code HTTP_UNAUTHORIZED@
  * status, prior to resubmitting your request.
  *
  * @since CUPS 1.1.20@
@@ -84,15 +84,14 @@ static int  cups_local_auth(http_t *http);
 
 int                                    /* O - 0 on success, -1 on error */
 cupsDoAuthentication(http_t     *http, /* I - HTTP connection to server */
-                     const char *method,/* I - Request method (GET, POST, PUT) */
+                     const char *method,/* I - Request method ("GET", "POST", "PUT") */
                     const char *resource)
                                        /* I - Resource path */
 {
   const char   *password;              /* Password string */
   char         prompt[1024],           /* Prompt for user */
                realm[HTTP_MAX_VALUE],  /* realm="xyz" string */
-               nonce[HTTP_MAX_VALUE],  /* nonce="xyz" string */
-               encode[4096];           /* Encoded username:password */
+               nonce[HTTP_MAX_VALUE];  /* nonce="xyz" string */
   int          localauth;              /* Local authentication result */
   _cups_globals_t *cg;                 /* Global data */
 
@@ -301,14 +300,40 @@ cupsDoAuthentication(http_t     *http,    /* I - HTTP connection to server */
     if (major_status == GSS_S_CONTINUE_NEEDED)
       DEBUG_gss_printf(major_status, minor_status, "Continuation needed!");
 
-    if (output_token.length)
+    if (output_token.length > 0 && output_token.length <= 65536)
     {
-      httpEncode64_2(encode, sizeof(encode), output_token.value,
+     /*
+      * Allocate the authorization string since Windows KDCs can have
+      * arbitrarily large credentials...
+      */
+
+      int authsize = 10 +                              /* "Negotiate " */
+                     output_token.length * 4 / 3 + 1 + /* Base64 */
+                    1;                                 /* nul */
+
+      httpSetAuthString(http, NULL, NULL);
+
+      if ((http->authstring = malloc(authsize)) == NULL)
+      {
+        http->authstring = http->_authstring;
+       authsize         = sizeof(http->_authstring);
+      }
+
+      strcpy(http->authstring, "Negotiate ");
+      httpEncode64_2(http->authstring + 10, authsize - 10, output_token.value,
                     output_token.length);
-      httpSetAuthString(http, "Negotiate", encode);
  
       major_status = gss_release_buffer(&minor_status, &output_token);
     }
+    else
+    {
+      DEBUG_printf(("cupsDoAuthentication: Kerberos credentials too large - "
+                    "%d bytes!\n", output_token.length));
+
+      major_status = gss_release_buffer(&minor_status, &output_token);
+
+      return (-1);
+    }
 #endif /* HAVE_GSSAPI */
   }
   else if (strncmp(http->fields[HTTP_FIELD_WWW_AUTHENTICATE], "Digest", 6))
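Review bot: The `authsize` computation at the top of the new `if` block undersizes the Base64 output: an encoding needs `(len + 2) / 3 * 4` characters, while `output_token.length * 4 / 3 + 1` comes up as much as two short when the length is not a multiple of 3. Since `authsize - 10` is passed as the output bound, `httpEncode64_2` will presumably cut the token short rather than overrun, and the server then receives a credential it cannot validate; I would write the middle term as `(output_token.length + 2) / 3 * 4 +`. The `malloc` failure fallback to `http->_authstring` has the same silent-truncation effect for large tokens, so releasing the buffer and returning -1 there seems safer. The new `else` also catches `output_token.length == 0`, which the old `if (output_token.length)` simply skipped, and reports it as "too large" with `%d` applied to a `size_t`; `else if (output_token.length > 65536)` with an `(int)` cast on the argument would keep the earlier behaviour. `cupsDoAuthentication` starts and ends outside this hunk.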
@@ -317,6 +342,9 @@ cupsDoAuthentication(http_t     *http,      /* I - HTTP connection to server */
     * Basic authentication...
     */
 
+    char       encode[256];            /* Base64 buffer */
+
+
     httpEncode64_2(encode, sizeof(encode), http->userpass,
                    (int)strlen(http->userpass));
     httpSetAuthString(http, "Basic", encode);
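Review bot: The new `encode[256]` in the Basic branch is too small for a full-length credential: 255 usable characters hold the Base64 of at most 189 input bytes, and the buffer it replaces was 4096 bytes. If `http->userpass` is sized like the other `HTTP_MAX_VALUE` buffers in this function (its declaration is not in the hunk), a long user:password pair would be cut at the `sizeof(encode)` bound and sent as a wrong credential with no error. Sizing from the input, e.g. `char encode[HTTP_MAX_VALUE * 4 / 3 + 4];`, avoids that. The surrounding function begins and ends outside this hunk.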
@@ -327,7 +355,8 @@ cupsDoAuthentication(http_t     *http,      /* I - HTTP connection to server */
     * Digest authentication...
     */
 
-    char digest[1024];                 /* Digest auth data */
+    char       encode[33],             /* MD5 buffer */
+               digest[1024];           /* Digest auth data */
 
 
     httpGetSubField(http, HTTP_FIELD_WWW_AUTHENTICATE, "realm", realm);