X-Git-Url: http://git.ipfire.org/?p=thirdparty%2Fcups.git;a=blobdiff_plain;f=cups%2Fauth.c;h=f9187ffa86667941cc9a0b5a9d8c9c26e12b6acc;hp=c74e1490fe223f0ed80b41e2e5b1e1a755348c97;hb=8072030b3c862315c367c73663b27f0427325919;hpb=eac3a0a01bf37d95f4129b28296cb697c54b2613
diff --git a/cups/auth.c b/cups/auth.c
index c74e1490f..f9187ffa8 100644
--- a/cups/auth.c
+++ b/cups/auth.c
@@ -1,32 +1,19 @@ /* - * "$Id: auth.c 7720 2008-07-11 22:46:21Z mike $" + * Authentication functions for CUPS. * - * Authentication functions for CUPS. + * Copyright 2007-2014 by Apple Inc. + * Copyright 1997-2007 by Easy Software Products. * - * Copyright 2007-2011 by Apple Inc. - * Copyright 1997-2007 by Easy Software Products. + * This file contains Kerberos support code, copyright 2006 by + * Jelmer Vernooij. * - * This file contains Kerberos support code, copyright 2006 by - * Jelmer Vernooij. + * These coded instructions, statements, and computer programs are the + * property of Apple Inc. and are protected by Federal copyright + * law. Distribution and use rights are outlined in the file "LICENSE.txt" + * which should have been included with this file. If this file is + * file is missing or damaged, see the license at "http://www.cups.org/". * - * These coded instructions, statements, and computer programs are the - * property of Apple Inc. and are protected by Federal copyright - * law. Distribution and use rights are outlined in the file "LICENSE.txt" - * which should have been included with this file. If this file is - * file is missing or damaged, see the license at "http://www.cups.org/". - * - * This file is subject to the Apple OS-Developed Software exception. - * - * Contents: - * - * cupsDoAuthentication() - Authenticate a request. - * _cupsSetNegotiateAuthString() - Set the Kerberos authentication string. - * cups_gss_acquire() - Kerberos credentials callback. - * cups_gss_getname() - Get CUPS service credentials for - * authentication. - * cups_gss_printf() - Show debug error messages from GSSAPI. - * cups_local_auth() - Get the local authorization certificate if - * available/applicable. + * This file is subject to the Apple OS-Developed Software exception. */ /* 
@@ -65,6 +52,8 @@ extern const char *cssmErrorString(int error); # ifdef HAVE_GSS_GSSAPI_SPI_H # include # else +# define GSS_AUTH_IDENTITY_TYPE_1 1 +# define gss_acquire_cred_ex_f __ApplePrivate_gss_acquire_cred_ex_f typedef struct gss_auth_identity { uint32_t type; @@ -110,10 +99,10 @@ static int cups_local_auth(http_t *http); /* * 'cupsDoAuthentication()' - Authenticate a request. * - * This function should be called in response to a @code HTTP_UNAUTHORIZED@ + * This function should be called in response to a @code HTTP_STATUS_UNAUTHORIZED@ * status, prior to resubmitting your request. * - * @since CUPS 1.1.20/Mac OS X 10.4@ + * @since CUPS 1.1.20/macOS 10.4@ */ int /* O - 0 on success, -1 on error */ @@ -122,7 +111,8 @@ cupsDoAuthentication( const char *method, /* I - Request method ("GET", "POST", "PUT") */ const char *resource) /* I - Resource path */ { - const char *password; /* Password string */ + const char *password, /* Password string */ + *www_auth; /* WWW-Authenticate header */ char prompt[1024], /* Prompt for user */ realm[HTTP_MAX_VALUE], /* realm="xyz" string */ nonce[HTTP_MAX_VALUE]; /* nonce="xyz" string */ @@ -130,8 +120,7 @@ cupsDoAuthentication( _cups_globals_t *cg; /* Global data */ - DEBUG_printf(("cupsDoAuthentication(http=%p, method=\"%s\", resource=\"%s\")", - http, method, resource)); + DEBUG_printf(("cupsDoAuthentication(http=%p, method=\"%s\", resource=\"%s\")", (void *)http, method, resource)); if (!http) http = _cupsConnect(); @@ -161,14 +150,14 @@ cupsDoAuthentication( DEBUG_printf(("2cupsDoAuthentication: authstring=\"%s\"", http->authstring)); - if (http->status == HTTP_UNAUTHORIZED) + if (http->status == HTTP_STATUS_UNAUTHORIZED) http->digest_tries ++; return (0); } else if (localauth == -1) { - http->status = HTTP_AUTHORIZATION_CANCELED; + http->status = HTTP_STATUS_CUPS_AUTHORIZATION_CANCELED; return (-1); /* Error or canceled */ } } 
@@ -177,46 +166,54 @@ cupsDoAuthentication( * Nope, see if we should retry the current username:password... */ + www_auth = http->fields[HTTP_FIELD_WWW_AUTHENTICATE]; + if ((http->digest_tries > 1 || !http->userpass[0]) && - (!strncmp(http->fields[HTTP_FIELD_WWW_AUTHENTICATE], "Basic", 5) || - !strncmp(http->fields[HTTP_FIELD_WWW_AUTHENTICATE], "Digest", 6))) + (!_cups_strncasecmp(www_auth, "Basic", 5) || + !_cups_strncasecmp(www_auth, "Digest", 6))) { /* * Nope - get a new password from the user... */ + char default_username[HTTP_MAX_VALUE]; + /* Default username */ + cg = _cupsGlobals(); if (!cg->lang_default) cg->lang_default = cupsLangDefault(); + if (httpGetSubField(http, HTTP_FIELD_WWW_AUTHENTICATE, "username", + default_username)) + cupsSetUser(default_username); + snprintf(prompt, sizeof(prompt), _cupsLangString(cg->lang_default, _("Password for %s on %s? ")), cupsUser(), http->hostname[0] == '/' ? "localhost" : http->hostname); - http->digest_tries = strncasecmp(http->fields[HTTP_FIELD_WWW_AUTHENTICATE], - "Digest", 5) != 0; + http->digest_tries = _cups_strncasecmp(www_auth, "Digest", 6) != 0; http->userpass[0] = '\0'; if ((password = cupsGetPassword2(prompt, http, method, resource)) == NULL) { - http->status = HTTP_AUTHORIZATION_CANCELED; + http->status = HTTP_STATUS_CUPS_AUTHORIZATION_CANCELED; return (-1); } snprintf(http->userpass, sizeof(http->userpass), "%s:%s", cupsUser(), password); } - else if (http->status == HTTP_UNAUTHORIZED) + else if (http->status == HTTP_STATUS_UNAUTHORIZED) http->digest_tries ++; - if (http->status == HTTP_UNAUTHORIZED && http->digest_tries >= 3) + if (http->status == HTTP_STATUS_UNAUTHORIZED && http->digest_tries >= 3) { DEBUG_printf(("1cupsDoAuthentication: Too many authentication tries (%d)", http->digest_tries)); - http->status = HTTP_AUTHORIZATION_CANCELED; + http->status = HTTP_STATUS_CUPS_AUTHORIZATION_CANCELED; return (-1); } 
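Review bot: The `username` sub-field of the server's WWW-Authenticate header is handed straight to `cupsSetUser(default_username)`, so a value chosen by the remote end becomes the client's user name in the prompt and stays set after this call returns. That value is untrusted input: it should be checked for length and control characters before it reaches the prompt, and preferably used only as the default for this attempt rather than stored. `httpGetSubField()` takes no destination size, while the file already calls `httpGetSubField2()` elsewhere, so `httpGetSubField2(http, HTTP_FIELD_WWW_AUTHENTICATE, "username", default_username, (int)sizeof(default_username))` would make the bound explicit. cupsDoAuthentication's body starts and ends outside this hunk.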
@@ -225,7 +222,7 @@ cupsDoAuthentication( */ #ifdef HAVE_GSSAPI - if (!strncmp(http->fields[HTTP_FIELD_WWW_AUTHENTICATE], "Negotiate", 9)) + if (!_cups_strncasecmp(www_auth, "Negotiate", 9)) { /* * Kerberos authentication... @@ -233,13 +230,13 @@ cupsDoAuthentication( if (_cupsSetNegotiateAuthString(http, method, resource)) { - http->status = HTTP_AUTHORIZATION_CANCELED; + http->status = HTTP_STATUS_CUPS_AUTHORIZATION_CANCELED; return (-1); } } else #endif /* HAVE_GSSAPI */ - if (!strncmp(http->fields[HTTP_FIELD_WWW_AUTHENTICATE], "Basic", 5)) + if (!_cups_strncasecmp(www_auth, "Basic", 5)) { /* * Basic authentication... @@ -252,7 +249,7 @@ cupsDoAuthentication( (int)strlen(http->userpass)); httpSetAuthString(http, "Basic", encode); } - else if (!strncmp(http->fields[HTTP_FIELD_WWW_AUTHENTICATE], "Digest", 6)) + else if (!_cups_strncasecmp(www_auth, "Digest", 6)) { /* * Digest authentication... @@ -261,7 +258,6 @@ cupsDoAuthentication( char encode[33], /* MD5 buffer */ digest[1024]; /* Digest auth data */ - httpGetSubField(http, HTTP_FIELD_WWW_AUTHENTICATE, "realm", realm); httpGetSubField(http, HTTP_FIELD_WWW_AUTHENTICATE, "nonce", nonce); @@ -275,8 +271,8 @@ cupsDoAuthentication( else { DEBUG_printf(("1cupsDoAuthentication: Unknown auth type: \"%s\"", - http->fields[HTTP_FIELD_WWW_AUTHENTICATE])); - http->status = HTTP_AUTHORIZATION_CANCELED; + www_auth)); + http->status = HTTP_STATUS_CUPS_AUTHORIZATION_CANCELED; return (-1); } @@ -303,13 +299,16 @@ _cupsSetNegotiateAuthString( /* Output token */ + (void)method; + (void)resource; + # ifdef __APPLE__ /* * If the weak-linked GSSAPI/Kerberos library is not present, don't try * to use it... */ - if (gss_init_sec_context == NULL) + if (&gss_init_sec_context == NULL) { DEBUG_puts("1_cupsSetNegotiateAuthString: Weak-linked GSSAPI/Kerberos " "framework is not present"); 
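Review bot: The scheme tests on `www_auth` (`"Negotiate"` in the -225 hunk, `"Basic"` in -233, `"Digest"` in -252, and the pair in the earlier -177 hunk) compare only a prefix, so a header value such as `Basicx ...` is still treated as Basic. After the prefix match the next character should be a separator or the terminator, for example `!_cups_strncasecmp(www_auth, "Basic", 5) && (www_auth[5] == ' ' || !www_auth[5])`. Because the server chooses the scheme and the Basic branch sends `http->userpass` only Base64-encoded, a comment saying where transport encryption or a minimum-scheme policy is enforced would help; nothing in these hunks shows it. The function body starts and ends outside the hunks.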
@@ -358,7 +357,7 @@ _cupsSetNegotiateAuthString( snprintf(prompt, sizeof(prompt), _cupsLangString(cg->lang_default, _("Password for %s on %s? ")), - cupsUser(), http->gssname); + cupsUser(), http->gsshost); if ((password = cupsGetPassword2(prompt, http, method, resource)) == NULL) return (-1); @@ -370,7 +369,7 @@ _cupsSetNegotiateAuthString( username = cupsUser(); if (!strchr(username, '@')) { - snprintf(userbuf, sizeof(userbuf), "%s@%s", username, http->gssname); + snprintf(userbuf, sizeof(userbuf), "%s@%s", username, http->gsshost); username = userbuf; } @@ -416,7 +415,6 @@ _cupsSetNegotiateAuthString( } } } - else #endif /* HAVE_GSS_ACQUIRED_CRED_EX_F */ if (GSS_ERROR(major_status)) @@ -440,21 +438,21 @@ _cupsSetNegotiateAuthString( * arbitrarily large credentials... */ - int authsize = 10 + /* "Negotiate " */ - output_token.length * 4 / 3 + 1 + /* Base64 */ - 1; /* nul */ + int authsize = 10 + /* "Negotiate " */ + (int)output_token.length * 4 / 3 + 1 + 1; + /* Base64 + nul */ httpSetAuthString(http, NULL, NULL); - if ((http->authstring = malloc(authsize)) == NULL) + if ((http->authstring = malloc((size_t)authsize)) == NULL) { http->authstring = http->_authstring; authsize = sizeof(http->_authstring); } - strcpy(http->authstring, "Negotiate "); + strlcpy(http->authstring, "Negotiate ", (size_t)authsize); httpEncode64_2(http->authstring + 10, authsize - 10, output_token.value, - output_token.length); + (int)output_token.length); gss_release_buffer(&minor_status, &output_token); } @@ -654,8 +652,7 @@ cups_local_auth(http_t *http) /* I - HTTP connection to server */ int pid; /* Current process ID */ FILE *fp; /* Certificate file */ char trc[16], /* Try Root Certificate parameter */ - filename[1024], /* Certificate filename */ - certificate[33];/* Certificate string */ + filename[1024]; /* Certificate filename */ _cups_globals_t *cg = _cupsGlobals(); /* Global data */ # if defined(HAVE_AUTHORIZATION_H) OSStatus status; /* Status */ 
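Review bot: In the -440 hunk, `(int)output_token.length * 4 / 3 + 1 + 1` narrows the token length to int before multiplying, so a length above INT_MAX / 4 overflows a signed int, and that result then feeds `malloc((size_t)authsize)` and the `authsize - 10` bound passed to httpEncode64_2(). The estimate is also smaller than padded Base64 (4 * ceil(len / 3)) whenever the length is not a multiple of three, so the encoded token may be cut short depending on how httpEncode64_2() treats a tight buffer, which is not visible here. Keeping the arithmetic in size_t, as in `size_t authsize = 10 + 4 * ((output_token.length + 2) / 3) + 1;`, and rejecting a token whose encoded size does not fit in int before allocating would remove both problems. The fallback to `http->_authstring` on allocation failure silently shortens the token and deserves a comment or an error return.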
@@ -668,15 +665,14 @@ cups_local_auth(http_t *http) /* I - HTTP connection to server */ # endif /* HAVE_AUTHORIZATION_H */ - DEBUG_printf(("7cups_local_auth(http=%p) hostaddr=%s, hostname=\"%s\"", - http, httpAddrString(http->hostaddr, filename, sizeof(filename)), http->hostname)); + DEBUG_printf(("7cups_local_auth(http=%p) hostaddr=%s, hostname=\"%s\"", (void *)http, httpAddrString(http->hostaddr, filename, sizeof(filename)), http->hostname)); /* * See if we are accessing localhost... */ if (!httpAddrLocalhost(http->hostaddr) && - strcasecmp(http->hostname, "localhost") != 0) + _cups_strcasecmp(http->hostname, "localhost") != 0) { DEBUG_puts("8cups_local_auth: Not a local connection!"); return (1); @@ -761,7 +757,7 @@ cups_local_auth(http_t *http) /* I - HTTP connection to server */ if ( # ifdef HAVE_GSSAPI - strncmp(http->fields[HTTP_FIELD_WWW_AUTHENTICATE], "Negotiate", 9) && + _cups_strncasecmp(http->fields[HTTP_FIELD_WWW_AUTHENTICATE], "Negotiate", 9) && # endif /* HAVE_GSSAPI */ # ifdef HAVE_AUTHORIZATION_H !httpGetSubField2(http, HTTP_FIELD_WWW_AUTHENTICATE, "authkey", @@ -808,7 +804,7 @@ cups_local_auth(http_t *http) /* I - HTTP connection to server */ filename, strerror(errno))); # ifdef HAVE_GSSAPI - if (!strncmp(http->fields[HTTP_FIELD_WWW_AUTHENTICATE], "Negotiate", 9)) + if (!_cups_strncasecmp(http->fields[HTTP_FIELD_WWW_AUTHENTICATE], "Negotiate", 9)) { /* * Kerberos required, don't try the root certificate... 
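Review bot: The locality test in the -668 hunk treats the connection as local when either `httpAddrLocalhost(http->hostaddr)` holds or the host name compares equal to "localhost", so the name alone is sufficient even when the connected address is not loopback. If name resolution on the machine maps "localhost" somewhere else, the local certificate read later in this function would be offered to a non-local peer. Consider requiring the address check and using the name only for diagnostics, or add a comment such as `/* hostname fallback needed because ... */` stating why the name is trusted. cups_local_auth's body continues outside the hunk.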
@@ -849,26 +845,27 @@ cups_local_auth(http_t *http) /* I - HTTP connection to server */ * Read the certificate from the file... */ - fgets(certificate, sizeof(certificate), fp); + char certificate[33], /* Certificate string */ + *certptr; /* Pointer to certificate string */ + + certptr = fgets(certificate, sizeof(certificate), fp); fclose(fp); - /* - * Set the authorization string and return... - */ + if (certptr) + { + /* + * Set the authorization string and return... + */ - httpSetAuthString(http, "Local", certificate); + httpSetAuthString(http, "Local", certificate); - DEBUG_printf(("8cups_local_auth: Returning authstring=\"%s\"", - http->authstring)); + DEBUG_printf(("8cups_local_auth: Returning authstring=\"%s\"", + http->authstring)); - return (0); + return (0); + } } return (1); #endif /* WIN32 || __EMX__ */ } - - -/* - * End of "$Id: auth.c 7720 2008-07-11 22:46:21Z mike $". - */
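Review bot: The new `if (certptr)` guard rejects a failed read, but a short or malformed line still reaches `httpSetAuthString(http, "Local", certificate)`. If the certificate has a fixed length (the 33-byte buffer suggests 32 characters plus the terminator), check it, e.g. `if (certptr && strlen(certificate) == sizeof(certificate) - 1)`. The `DEBUG_printf` that follows writes `http->authstring`, which is the credential itself, to the debug log; logging only that a certificate was set would keep it out of debug output. The stack copy in `certificate` is also left uncleared on return. The function starts outside the hunk.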