/*
- * "$Id$"
- *
* TLS support code for CUPS on OS X.
*
- * Copyright 2007-2014 by Apple Inc.
+ * Copyright 2007-2016 by Apple Inc.
* Copyright 1997-2007 by Easy Software Products, all rights reserved.
*
* These coded instructions, statements, and computer programs are the
* This file is subject to the Apple OS-Developed Software exception.
*/
-/**** This file is included from http.c ****/
+/**** This file is included from tls.c ****/
/*
* Include necessary headers...
static _cups_mutex_t tls_mutex = _CUPS_MUTEX_INITIALIZER;
/* Mutex for keychain/certs */
#endif /* HAVE_SECKEYCHAINOPEN */
+static int tls_options = -1;/* Options for TLS connections */
/*
#ifdef HAVE_SECKEYCHAINOPEN
static CFArrayRef http_cdsa_copy_server(const char *common_name);
#endif /* HAVE_SECKEYCHAINOPEN */
+static SecCertificateRef http_cdsa_create_credential(http_credential_t *credential);
+static const char *http_cdsa_default_path(char *buffer, size_t bufsize);
static OSStatus http_cdsa_read(SSLConnectionRef connection, void *data, size_t *dataLength);
static int http_cdsa_set_credentials(http_t *http);
static OSStatus http_cdsa_write(SSLConnectionRef connection, const void *data, size_t *dataLength);
/*
* 'cupsMakeServerCredentials()' - Make a self-signed certificate and private key pair.
*
- * @since CUPS 2.0@
+ * @since CUPS 2.0/OS 10.10@
*/
int /* O - 1 on success, 0 on failure */
cupsMakeServerCredentials(
- const char *path, /* I - Path to keychain/directory */
+ const char *path, /* I - Keychain path or @code NULL@ for default */
const char *common_name, /* I - Common name */
int num_alt_names, /* I - Number of subject alternate names */
const char **alt_names, /* I - Subject Alternate Names */
time_t expiration_date) /* I - Expiration date */
{
#if defined(HAVE_SECGENERATESELFSIGNEDCERTIFICATE) && defined(HAVE_SECKEYCHAINOPEN)
+ char filename[1024]; /* Default keychain path */
int status = 0; /* Return status */
OSStatus err; /* Error code (if any) */
CFStringRef cfcommon_name = NULL;
/* Key generation parameters */
+ DEBUG_printf(("cupsMakeServerCredentials(path=\"%s\", common_name=\"%s\", num_alt_names=%d, alt_names=%p, expiration_date=%d)", path, common_name, num_alt_names, alt_names, (int)expiration_date));
+
(void)num_alt_names;
(void)alt_names;
(void)expiration_date;
- cfcommon_name = CFStringCreateWithCString(kCFAllocatorDefault, common_name,
- kCFStringEncodingUTF8);
+ if (!path)
+ path = http_cdsa_default_path(filename, sizeof(filename));
+
+ cfcommon_name = CFStringCreateWithCString(kCFAllocatorDefault, common_name, kCFStringEncodingUTF8);
if (!cfcommon_name)
goto cleanup;
* Create a public/private key pair...
*/
- keyParams = CFDictionaryCreateMutable(kCFAllocatorDefault, 0,
- &kCFTypeDictionaryKeyCallBacks,
- &kCFTypeDictionaryValueCallBacks);
+ keyParams = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
if (!keyParams)
goto cleanup;
- CFDictionaryAddValue(keyParams, kSecAttrKeyType, kSecAttrKeyTypeRSA);
+ CFDictionaryAddValue(keyParams, kSecAttrKeyType, kSecAttrKeyTypeECDSA);
CFDictionaryAddValue(keyParams, kSecAttrKeySizeInBits, CFSTR("2048"));
- CFDictionaryAddValue(keyParams, kSecAttrLabel,
- CFSTR("CUPS Self-Signed Certificate"));
+ CFDictionaryAddValue(keyParams, kSecAttrLabel, CFSTR("CUPS Self-Signed Certificate"));
err = SecKeyGeneratePair(keyParams, &publicKey, &privateKey);
if (err != noErr)
status, /* Status of command */
i; /* Looping var */
char command[1024], /* Command */
- *argv[4], /* Command-line arguments */
+ *argv[5], /* Command-line arguments */
*envp[1000], /* Environment variables */
days[32], /* CERTTOOL_EXPIRATION_DAYS env var */
keychain[1024], /* Keychain argument */
- infofile[1024]; /* Type-in information for cert */
+ infofile[1024], /* Type-in information for cert */
+ filename[1024]; /* Default keychain path */
cups_file_t *fp; /* Seed/info file */
+ DEBUG_printf(("cupsMakeServerCredentials(path=\"%s\", common_name=\"%s\", num_alt_names=%d, alt_names=%p, expiration_date=%d)", path, common_name, num_alt_names, (void *)alt_names, (int)expiration_date));
+
(void)num_alt_names;
(void)alt_names;
+ if (!path)
+ path = http_cdsa_default_path(filename, sizeof(filename));
+
/*
* Run the "certtool" command to generate a self-signed certificate...
*/
"CUPS Self-Signed Certificate\n"
/* Enter key and certificate label */
"r\n" /* Generate RSA key pair */
- "2048\n" /* Key size in bits */
+ "2048\n" /* 2048 bit encryption key */
"y\n" /* OK (y = yes) */
"b\n" /* Usage (b=signing/encryption) */
- "s\n" /* Sign with SHA1 */
+ "2\n" /* Sign with SHA256 */
"y\n" /* OK (y = yes) */
"%s\n" /* Common name */
"\n" /* Country (default) */
posix_spawn_file_actions_init(&actions);
posix_spawn_file_actions_addclose(&actions, 0);
posix_spawn_file_actions_addopen(&actions, 0, infofile, O_RDONLY, 0);
+ posix_spawn_file_actions_addclose(&actions, 1);
+ posix_spawn_file_actions_addopen(&actions, 1, "/dev/null", O_WRONLY, 0);
+ posix_spawn_file_actions_addclose(&actions, 2);
+ posix_spawn_file_actions_addopen(&actions, 2, "/dev/null", O_WRONLY, 0);
if (posix_spawn(&pid, command, &actions, NULL, argv, envp))
{
* Note: The server credentials are used by all threads in the running process.
* This function is threadsafe.
*
- * @since CUPS 2.0@
+ * @since CUPS 2.0/OS X 10.10@
*/
int /* O - 1 on success, 0 on failure */
cupsSetServerCredentials(
- const char *path, /* I - Path to keychain/directory */
+ const char *path, /* I - Keychain path or @code NULL@ for default */
const char *common_name, /* I - Default common name for server */
int auto_create) /* I - 1 = automatically create self-signed certificates */
{
DEBUG_printf(("cupsSetServerCredentials(path=\"%s\", common_name=\"%s\", auto_create=%d)", path, common_name, auto_create));
#ifdef HAVE_SECKEYCHAINOPEN
+ char filename[1024]; /* Filename for keychain */
SecKeychainRef keychain = NULL;/* Temporary keychain */
+ if (!path)
+ path = http_cdsa_default_path(filename, sizeof(filename));
+
if (SecKeychainOpen(path, &keychain) != noErr)
{
/* TODO: Set cups last error string */
int i; /* Looping var */
- DEBUG_printf(("httpCopyCredentials(http=%p, credentials=%p)", http, credentials));
+ DEBUG_printf(("httpCopyCredentials(http=%p, credentials=%p)", (void *)http, (void *)credentials));
if (credentials)
*credentials = NULL;
}
-/*
- * 'http_cdsa_create_credential()' - Create a single credential in the internal format.
- */
-
-static SecCertificateRef /* O - Certificate */
-http_cdsa_create_credential(
- http_credential_t *credential) /* I - Credential */
-{
- if (!credential)
- return (NULL);
-
- return (SecCertificateCreateWithBytes(kCFAllocatorDefault, credential->data, (CFIndex)credential->datalen));
-}
-
-
/*
* '_httpCreateCredentials()' - Create credentials in the internal format.
*/
/*
* 'httpCredentialsAreValidForName()' - Return whether the credentials are valid for the given name.
*
- * @since CUPS 2.0@
+ * @since CUPS 2.0/OS X 10.10@
*/
int /* O - 1 if valid, 0 otherwise */
/*
* 'httpCredentialsGetTrust()' - Return the trust of credentials.
*
- * @since CUPS 2.0@
+ * @since CUPS 2.0/OS X 10.10@
*/
http_trust_t /* O - Level of trust */
if ((secCert = http_cdsa_create_credential((http_credential_t *)cupsArrayFirst(credentials))) == NULL)
return (HTTP_TRUST_UNKNOWN);
+ if (cg->any_root < 0)
+ _cupsSetDefaults();
+
/*
* Look this common name up in the default keychains...
*/
httpFreeCredentials(tcreds);
}
- else if (!httpCredentialsAreValidForName(credentials, common_name))
+ else if (cg->validate_certs && !httpCredentialsAreValidForName(credentials, common_name))
trust = HTTP_TRUST_INVALID;
if (!cg->expired_certs && !SecCertificateIsValid(secCert, CFAbsoluteTimeGetCurrent()))
/*
* 'httpCredentialsGetExpiration()' - Return the expiration date of the credentials.
*
- * @since CUPS 2.0@
+ * @since CUPS 2.0/OS X 10.10@
*/
time_t /* O - Expiration date of credentials */
/*
* 'httpCredentialsString()' - Return a string representing the credentials.
*
- * @since CUPS 2.0@
+ * @since CUPS 2.0/OS X 10.10@
*/
size_t /* O - Total size of credentials string */
SecCertificateRef secCert; /* Certificate reference */
- DEBUG_printf(("httpCredentialsString(credentials=%p, buffer=%p, bufsize=" CUPS_LLFMT ")", credentials, buffer, CUPS_LLCAST bufsize));
+ DEBUG_printf(("httpCredentialsString(credentials=%p, buffer=%p, bufsize=" CUPS_LLFMT ")", (void *)credentials, (void *)buffer, CUPS_LLCAST bufsize));
if (!buffer)
return (0);
/*
* 'httpLoadCredentials()' - Load X.509 credentials from a keychain file.
*
- * @since CUPS 2.0@
+ * @since CUPS 2.0/OS 10.10@
*/
int /* O - 0 on success, -1 on error */
httpLoadCredentials(
- const char *path, /* I - Keychain/PKCS#12 path */
+ const char *path, /* I - Keychain path or @code NULL@ for default */
cups_array_t **credentials, /* IO - Credentials */
const char *common_name) /* I - Common name for credentials */
{
CFArrayRef list = NULL; /* Keychain list */
- DEBUG_printf(("httpLoadCredentials(path=\"%s\", credentials=%p, common_name=\"%s\")", path, credentials, common_name));
+ DEBUG_printf(("httpLoadCredentials(path=\"%s\", credentials=%p, common_name=\"%s\")", path, (void *)credentials, common_name));
if (!credentials)
return (-1);
*credentials = NULL;
if (!path)
- {
- const char *home = getenv("HOME"); /* HOME environment variable */
-
- if (getuid() && home)
- snprintf(filename, sizeof(filename), "%s/Library/Keychains/login.keychain", home);
- else
- strlcpy(filename, "/Library/Keychains/System.keychain", sizeof(filename));
-
- path = filename;
-
- DEBUG_printf(("1httpLoadCredentials: Using default path \"%s\".", path));
- }
-
+ path = http_cdsa_default_path(filename, sizeof(filename));
if ((err = SecKeychainOpen(path, &keychain)) != noErr)
goto cleanup;
(void)path;
(void)credentials;
(void)common_name;
- (void)alt_name;
return (-1);
#endif /* HAVE_SECKEYCHAINOPEN */
/*
* 'httpSaveCredentials()' - Save X.509 credentials to a keychain file.
*
- * @since CUPS 2.0@
+ * @since CUPS 2.0/OS 10.10@
*/
int /* O - -1 on error, 0 on success */
httpSaveCredentials(
- const char *path, /* I - Keychain/PKCS#12 path */
+ const char *path, /* I - Keychain path or @code NULL@ for default */
cups_array_t *credentials, /* I - Credentials */
const char *common_name) /* I - Common name for credentials */
{
CFArrayRef list = NULL; /* Keychain list */
- DEBUG_printf(("httpSaveCredentials(path=\"%s\", credentials=%p, common_name=\"%s\")", path, credentials, common_name));
+ DEBUG_printf(("httpSaveCredentials(path=\"%s\", credentials=%p, common_name=\"%s\")", path, (void *)credentials, common_name));
if (!credentials)
goto cleanup;
}
if (!path)
- {
- const char *home = getenv("HOME"); /* HOME environment variable */
-
- if (getuid() && home)
- snprintf(filename, sizeof(filename), "%s/Library/Keychains/login.keychain", home);
- else
- strlcpy(filename, "/Library/Keychains/System.keychain", sizeof(filename));
-
- path = filename;
-
- DEBUG_printf(("1httpSaveCredentials: Using default path \"%s\".", path));
- }
+ path = http_cdsa_default_path(filename, sizeof(filename));
if ((err = SecKeychainOpen(path, &keychain)) != noErr)
{
}
+/*
+ * '_httpTLSSetOptions()' - Set TLS protocol and cipher suite options.
+ */
+
+void
+_httpTLSSetOptions(int options) /* I - Options */
+{
+ tls_options = options;
+}
+
+
/*
* '_httpTLSStart()' - Set up SSL/TLS support on a connection.
*/
http_credential_t *credential; /* Credential data */
- DEBUG_printf(("7_httpTLSStart(http=%p)", http));
+ DEBUG_printf(("3_httpTLSStart(http=%p)", (void *)http));
+
+ if (tls_options < 0)
+ {
+ DEBUG_puts("4_httpTLSStart: Setting defaults.");
+ _cupsSetDefaults();
+ DEBUG_printf(("4_httpTLSStart: tls_options=%x", tls_options));
+ }
#ifdef HAVE_SECKEYCHAINOPEN
if (http->mode == _HTTP_MODE_SERVER && !tls_keychain)
{
error = SSLSetSessionOption(http->tls, kSSLSessionOptionBreakOnServerAuth,
true);
- DEBUG_printf(("4_httpTLSStart: SSLSetSessionOption, error=%d",
- (int)error));
+ DEBUG_printf(("4_httpTLSStart: SSLSetSessionOption, error=%d", (int)error));
}
+ if (!error)
+ {
+ SSLProtocol minProtocol;
+
+ if (tls_options & _HTTP_TLS_DENY_TLS10)
+ minProtocol = kTLSProtocol11;
+ else if (tls_options & _HTTP_TLS_ALLOW_SSL3)
+ minProtocol = kSSLProtocol3;
+ else
+ minProtocol = kTLSProtocol1;
+
+ error = SSLSetProtocolVersionMin(http->tls, minProtocol);
+ DEBUG_printf(("4_httpTLSStart: SSLSetProtocolVersionMin(%d), error=%d", minProtocol, (int)error));
+ }
+
+# if HAVE_SSLSETENABLEDCIPHERS
+ if (!error)
+ {
+ SSLCipherSuite supported[100]; /* Supported cipher suites */
+ size_t num_supported; /* Number of supported cipher suites */
+ SSLCipherSuite enabled[100]; /* Cipher suites to enable */
+ size_t num_enabled; /* Number of cipher suites to enable */
+
+ num_supported = sizeof(supported) / sizeof(supported[0]);
+ error = SSLGetSupportedCiphers(http->tls, supported, &num_supported);
+
+ if (!error)
+ {
+ DEBUG_printf(("4_httpTLSStart: %d cipher suites supported.", (int)num_supported));
+
+ for (i = 0, num_enabled = 0; i < (int)num_supported && num_enabled < (sizeof(enabled) / sizeof(enabled[0])); i ++)
+ {
+ switch (supported[i])
+ {
+ /* Obviously insecure cipher suites that we never want to use */
+ case SSL_NULL_WITH_NULL_NULL :
+ case SSL_RSA_WITH_NULL_MD5 :
+ case SSL_RSA_WITH_NULL_SHA :
+ case SSL_RSA_EXPORT_WITH_RC4_40_MD5 :
+ case SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 :
+ case SSL_RSA_EXPORT_WITH_DES40_CBC_SHA :
+ case SSL_RSA_WITH_DES_CBC_SHA :
+ case SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA :
+ case SSL_DH_DSS_WITH_DES_CBC_SHA :
+ case SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA :
+ case SSL_DH_RSA_WITH_DES_CBC_SHA :
+ case SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA :
+ case SSL_DHE_DSS_WITH_DES_CBC_SHA :
+ case SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA :
+ case SSL_DHE_RSA_WITH_DES_CBC_SHA :
+ case SSL_DH_anon_EXPORT_WITH_RC4_40_MD5 :
+ case SSL_DH_anon_WITH_RC4_128_MD5 :
+ case SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA :
+ case SSL_DH_anon_WITH_DES_CBC_SHA :
+ case SSL_DH_anon_WITH_3DES_EDE_CBC_SHA :
+ case SSL_FORTEZZA_DMS_WITH_NULL_SHA :
+ case TLS_DH_anon_WITH_AES_128_CBC_SHA :
+ case TLS_DH_anon_WITH_AES_256_CBC_SHA :
+ case TLS_ECDH_ECDSA_WITH_NULL_SHA :
+ case TLS_ECDHE_RSA_WITH_NULL_SHA :
+ case TLS_ECDH_anon_WITH_NULL_SHA :
+ case TLS_ECDH_anon_WITH_RC4_128_SHA :
+ case TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA :
+ case TLS_ECDH_anon_WITH_AES_128_CBC_SHA :
+ case TLS_ECDH_anon_WITH_AES_256_CBC_SHA :
+ case TLS_RSA_WITH_NULL_SHA256 :
+ case TLS_DH_anon_WITH_AES_128_CBC_SHA256 :
+ case TLS_DH_anon_WITH_AES_256_CBC_SHA256 :
+ case TLS_PSK_WITH_NULL_SHA :
+ case TLS_DHE_PSK_WITH_NULL_SHA :
+ case TLS_RSA_PSK_WITH_NULL_SHA :
+ case TLS_DH_anon_WITH_AES_128_GCM_SHA256 :
+ case TLS_DH_anon_WITH_AES_256_GCM_SHA384 :
+ case TLS_PSK_WITH_NULL_SHA256 :
+ case TLS_PSK_WITH_NULL_SHA384 :
+ case TLS_DHE_PSK_WITH_NULL_SHA256 :
+ case TLS_DHE_PSK_WITH_NULL_SHA384 :
+ case TLS_RSA_PSK_WITH_NULL_SHA256 :
+ case TLS_RSA_PSK_WITH_NULL_SHA384 :
+ case SSL_RSA_WITH_DES_CBC_MD5 :
+ DEBUG_printf(("4_httpTLSStart: Excluding insecure cipher suite %d", supported[i]));
+ break;
+
+ /* RC4 cipher suites that should only be used as a last resort */
+ case SSL_RSA_WITH_RC4_128_MD5 :
+ case SSL_RSA_WITH_RC4_128_SHA :
+ case TLS_ECDH_ECDSA_WITH_RC4_128_SHA :
+ case TLS_ECDHE_ECDSA_WITH_RC4_128_SHA :
+ case TLS_ECDH_RSA_WITH_RC4_128_SHA :
+ case TLS_ECDHE_RSA_WITH_RC4_128_SHA :
+ case TLS_PSK_WITH_RC4_128_SHA :
+ case TLS_DHE_PSK_WITH_RC4_128_SHA :
+ case TLS_RSA_PSK_WITH_RC4_128_SHA :
+ if (tls_options & _HTTP_TLS_ALLOW_RC4)
+ enabled[num_enabled ++] = supported[i];
+ else
+ DEBUG_printf(("4_httpTLSStart: Excluding RC4 cipher suite %d", supported[i]));
+ break;
+
+ /* DH/DHE cipher suites that are problematic with parameters < 1024 bits */
+ case TLS_DH_DSS_WITH_AES_128_CBC_SHA :
+ case TLS_DH_RSA_WITH_AES_128_CBC_SHA :
+ case TLS_DHE_DSS_WITH_AES_128_CBC_SHA :
+ case TLS_DHE_RSA_WITH_AES_128_CBC_SHA :
+ case TLS_DH_DSS_WITH_AES_256_CBC_SHA :
+ case TLS_DH_RSA_WITH_AES_256_CBC_SHA :
+ case TLS_DHE_DSS_WITH_AES_256_CBC_SHA :
+ case TLS_DHE_RSA_WITH_AES_256_CBC_SHA :
+ case TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA :
+ case TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA :
+// case TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA :
+ case TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA :
+ case TLS_DH_DSS_WITH_AES_128_CBC_SHA256 :
+ case TLS_DH_RSA_WITH_AES_128_CBC_SHA256 :
+ case TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 :
+ case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 :
+ case TLS_DH_DSS_WITH_AES_256_CBC_SHA256 :
+ case TLS_DH_RSA_WITH_AES_256_CBC_SHA256 :
+ case TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 :
+ case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 :
+ case TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA :
+ case TLS_DHE_PSK_WITH_AES_128_CBC_SHA :
+ case TLS_DHE_PSK_WITH_AES_256_CBC_SHA :
+// case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 :
+// case TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 :
+ case TLS_DH_RSA_WITH_AES_128_GCM_SHA256 :
+ case TLS_DH_RSA_WITH_AES_256_GCM_SHA384 :
+// case TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 :
+// case TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 :
+ case TLS_DH_DSS_WITH_AES_128_GCM_SHA256 :
+ case TLS_DH_DSS_WITH_AES_256_GCM_SHA384 :
+ case TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 :
+ case TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 :
+ case TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 :
+ case TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 :
+ if (tls_options & _HTTP_TLS_ALLOW_DH)
+ enabled[num_enabled ++] = supported[i];
+ else
+ DEBUG_printf(("4_httpTLSStart: Excluding DH/DHE cipher suite %d", supported[i]));
+ break;
+
+ /* Anything else we'll assume is secure */
+ default :
+ enabled[num_enabled ++] = supported[i];
+ break;
+ }
+ }
+
+ DEBUG_printf(("4_httpTLSStart: %d cipher suites enabled.", (int)num_enabled));
+ error = SSLSetEnabledCiphers(http->tls, enabled, num_enabled);
+ }
+ }
+#endif /* HAVE_SSLSETENABLEDCIPHERS */
+
if (!error && http->mode == _HTTP_MODE_CLIENT)
{
/*
DEBUG_printf(("4_httpTLSStart: SSLSetCertificate, error=%d", (int)error));
}
- DEBUG_printf(("4_httpTLSStart: tls_credentials=%p", http->tls_credentials));
+ DEBUG_printf(("4_httpTLSStart: tls_credentials=%p", (void *)http->tls_credentials));
/*
* Let the server know which hostname/domain we are trying to connect to
size_t processed; /* Number of bytes processed */
- DEBUG_printf(("2_httpTLSWrite(http=%p, buf=%p, len=%d)", http, buf, len));
+ DEBUG_printf(("2_httpTLSWrite(http=%p, buf=%p, len=%d)", (void *)http, (void *)buf, len));
error = SSLWrite(http->tls, buf, (size_t)len, &processed);
if (!(query = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks)))
goto cleanup;
+ _cupsMutexLock(&tls_mutex);
+
list = CFArrayCreate(kCFAllocatorDefault, (const void **)&tls_keychain, 1, &kCFTypeArrayCallBacks);
CFDictionaryAddValue(query, kSecClass, kSecClassIdentity);
err = SecItemCopyMatching(query, (CFTypeRef *)&identity);
+ _cupsMutexUnlock(&tls_mutex);
+
if (err)
goto cleanup;
#endif /* HAVE_SECKEYCHAINOPEN */
+/*
+ * 'http_cdsa_create_credential()' - Create a single credential in the internal format.
+ */
+
+static SecCertificateRef /* O - Certificate */
+http_cdsa_create_credential(
+ http_credential_t *credential) /* I - Credential */
+{
+ if (!credential)
+ return (NULL);
+
+ return (SecCertificateCreateWithBytes(kCFAllocatorDefault, credential->data, (CFIndex)credential->datalen));
+}
+
+
+/*
+ * 'http_cdsa_default_path()' - Get the default keychain path.
+ */
+
+static const char * /* O - Keychain path */
+http_cdsa_default_path(char *buffer, /* I - Path buffer */
+ size_t bufsize) /* I - Size of buffer */
+{
+ const char *home = getenv("HOME"); /* HOME environment variable */
+
+
+ if (getuid() && home)
+ snprintf(buffer, bufsize, "%s/Library/Keychains/login.keychain", home);
+ else
+ strlcpy(buffer, "/Library/Keychains/System.keychain", bufsize);
+
+ DEBUG_printf(("1http_cdsa_default_path: Using default path \"%s\".", buffer));
+
+ return (buffer);
+}
+
+
/*
* 'http_cdsa_read()' - Read function for the CDSA library.
*/
/* TLS credentials */
- DEBUG_printf(("7http_tls_set_credentials(%p)", http));
+ DEBUG_printf(("7http_tls_set_credentials(%p)", (void *)http));
/*
* Prefer connection specific credentials...
return (result);
}
-
-
-/*
- * End of "$Id$".
- */
projects / thirdparty / cups.git / blobdiff