Save work.

author msweet <msweet@a1ca3aef-8c08-0410-bb20-df032aa958be>

Wed, 9 Jul 2014 01:00:00 +0000 (01:00 +0000)

committer msweet <msweet@a1ca3aef-8c08-0410-bb20-df032aa958be>

Wed, 9 Jul 2014 01:00:00 +0000 (01:00 +0000)
author msweet <msweet@a1ca3aef-8c08-0410-bb20-df032aa958be>
Wed, 9 Jul 2014 01:00:00 +0000 (01:00 +0000)
committer msweet <msweet@a1ca3aef-8c08-0410-bb20-df032aa958be>
Wed, 9 Jul 2014 01:00:00 +0000 (01:00 +0000)
diff --git a/cups/tls-darwin.c b/cups/tls-darwin.c

index 6ae154f71e09f7216fbc5dea999f3f90204330dc..7daa291d2ba9a1591c7c584833316f250ead294c 100644 (file)
--- a/cups/tls-darwin.c
+++ b/cups/tls-darwin.c
@@ -51,6 +51,7 @@ static _cups_mutex_t  tls_mutex = _CUPS_MUTEX_INITIALIZER;
  #ifdef HAVE_SECKEYCHAINOPEN
  static CFArrayRef      http_cdsa_copy_server(const char *common_name);
  #endif /* HAVE_SECKEYCHAINOPEN */
+static const char      *http_cdsa_default_path(char *buffer, size_t bufsize);
  static OSStatus                http_cdsa_read(SSLConnectionRef connection, void *data, size_t *dataLength);
  static int             http_cdsa_set_credentials(http_t *http);
  static OSStatus                http_cdsa_write(SSLConnectionRef connection, const void *data, size_t *dataLength);
@@ -92,18 +93,7 @@ cupsMakeServerCredentials(
    (void)expiration_date;
  
    if (!path)
-  {
-    const char *home = getenv("HOME"); /* HOME environment variable */
-
-    if (getuid() && home)
-      snprintf(filename, sizeof(filename), "%s/Library/Keychains/login.keychain", home);
-    else
-      strlcpy(filename, "/Library/Keychains/System.keychain", sizeof(filename));
-
-    path = filename;
-
-    DEBUG_printf(("1cupsMakeServerCredentials: Using default path \"%s\".", path));
-  }
+    path = http_cdsa_default_path(filename, sizeof(filename));
  
    cfcommon_name = CFStringCreateWithCString(kCFAllocatorDefault, common_name, kCFStringEncodingUTF8);
    if (!cfcommon_name)
@@ -203,18 +193,7 @@ cleanup:
    (void)alt_names;
  
    if (!path)
-  {
-    const char *home = getenv("HOME"); /* HOME environment variable */
-
-    if (getuid() && home)
-      snprintf(filename, sizeof(filename), "%s/Library/Keychains/login.keychain", home);
-    else
-      strlcpy(filename, "/Library/Keychains/System.keychain", sizeof(filename));
-
-    path = filename;
-
-    DEBUG_printf(("1cupsMakeServerCredentials: Using default path \"%s\".", path));
-  }
+    path = http_cdsa_default_path(filename, sizeof(filename));
  
   /*
    * Run the "certtool" command to generate a self-signed certificate...
@@ -320,18 +299,7 @@ cupsSetServerCredentials(
  
  
    if (!path)
-  {
-    const char *home = getenv("HOME"); /* HOME environment variable */
-
-    if (getuid() && home)
-      snprintf(filename, sizeof(filename), "%s/Library/Keychains/login.keychain", home);
-    else
-      strlcpy(filename, "/Library/Keychains/System.keychain", sizeof(filename));
-
-    path = filename;
-
-    DEBUG_printf(("1cupsSetServerCredentials: Using default path \"%s\".", path));
-  }
+    path = http_cdsa_default_path(filename, sizeof(filename));
  
    if (SecKeychainOpen(path, &keychain) != noErr)
    {
@@ -774,18 +742,7 @@ httpLoadCredentials(
    *credentials = NULL;
  
    if (!path)
-  {
-    const char *home = getenv("HOME"); /* HOME environment variable */
-
-    if (getuid() && home)
-      snprintf(filename, sizeof(filename), "%s/Library/Keychains/login.keychain", home);
-    else
-      strlcpy(filename, "/Library/Keychains/System.keychain", sizeof(filename));
-
-    path = filename;
-
-    DEBUG_printf(("1httpLoadCredentials: Using default path \"%s\".", path));
-  }
+    path = http_cdsa_default_path(filename, sizeof(filename));
  
    if ((err = SecKeychainOpen(path, &keychain)) != noErr)
      goto cleanup;
@@ -897,18 +854,7 @@ httpSaveCredentials(
    }
  
    if (!path)
-  {
-    const char *home = getenv("HOME"); /* HOME environment variable */
-
-    if (getuid() && home)
-      snprintf(filename, sizeof(filename), "%s/Library/Keychains/login.keychain", home);
-    else
-      strlcpy(filename, "/Library/Keychains/System.keychain", sizeof(filename));
-
-    path = filename;
-
-    DEBUG_printf(("1httpSaveCredentials: Using default path \"%s\".", path));
-  }
+    path = http_cdsa_default_path(filename, sizeof(filename));
  
    if ((err = SecKeychainOpen(path, &keychain)) != noErr)
    {
@@ -1545,6 +1491,28 @@ http_cdsa_copy_server(
  #endif /* HAVE_SECKEYCHAINOPEN */
  
  
+/*
+ * 'http_cdsa_default_path()' - Get the default keychain path.
+ */
+
+static const char *                    /* O - Keychain path */
+http_cdsa_default_path(char   *buffer, /* I - Path buffer */
+                       size_t bufsize) /* I - Size of buffer */
+{
+  const char *home = getenv("HOME");   /* HOME environment variable */
+
+
+  if (getuid() && home)
+    snprintf(buffer, bufsize, "%s/Library/Keychains/login.keychain", home);
+  else
+    strlcpy(buffer, "/Library/Keychains/System.keychain", bufsize);
+
+  DEBUG_printf(("1http_cdsa_default_path: Using default path \"%s\".", buffer));
+
+  return (buffer);
+}
+
+
  /*
   * 'http_cdsa_read()' - Read function for the CDSA library.
   */
diff --git a/cups/tls-gnutls.c b/cups/tls-gnutls.c

index 42db8576fcb1619c237bd9670183e313c670ce91..13c260ba599218d8dda1c61a3f33d88ef65a009e 100644 (file)
--- a/cups/tls-gnutls.c
+++ b/cups/tls-gnutls.c
@@ -41,7 +41,6 @@ static _cups_mutex_t  tls_mutex = _CUPS_MUTEX_INITIALIZER;
   * Local functions...
   */
  
-//static int           make_certificate(cupsd_client_t *con);
  static const char      *http_gnutls_default_path(char *buffer, size_t bufsize);
  static ssize_t         http_gnutls_read(gnutls_transport_ptr_t ptr, void *data, size_t length);
  static ssize_t         http_gnutls_write(gnutls_transport_ptr_t ptr, const void *data, size_t length);
@@ -828,9 +827,8 @@ _httpTLSStart(http_t *http)         /* I - Connection to server */
  
    gnutls_certificate_allocate_credentials(credentials);
    status = gnutls_init(&http->tls, http->mode == _HTTP_MODE_CLIENT ? GNUTLS_CLIENT : GNUTLS_SERVER);
-//  gnutls_set_default_priority(http->tls);
    if (!status)
-    status = gnutls_priority_set_direct(http->tls, "NORMAL:%COMPAT", NULL);
+    status = gnutls_set_default_priority(http->tls);
  
    if (status)
    {
@@ -1079,268 +1077,6 @@ _httpTLSWrite(http_t     *http,         /* I - Connection to server */
  }
  
  
-#if 0
-/*
- * 'cupsdEndTLS()' - Shutdown a secure session with the client.
- */
-
-int                                    /* O - 1 on success, 0 on error */
-cupsdEndTLS(cupsd_client_t *con)       /* I - Client connection */
-{
-  int          error;                  /* Error code */
-  gnutls_certificate_server_credentials *credentials;
-                                       /* TLS credentials */
-
-
-  credentials = (gnutls_certificate_server_credentials *)
-                    (con->http.tls_credentials);
-
-  error = gnutls_bye(con->http.tls, GNUTLS_SHUT_WR);
-  switch (error)
-  {
-    case GNUTLS_E_SUCCESS:
-      cupsdLogMessage(CUPSD_LOG_DEBUG,
-                     "SSL shutdown successful!");
-      break;
-    default:
-      cupsdLogMessage(CUPSD_LOG_ERROR,
-                     "SSL shutdown failed: %s", gnutls_strerror(error));
-      break;
-  }
-
-  gnutls_deinit(con->http.tls);
-  con->http.tls = NULL;
-
-  gnutls_certificate_free_credentials(*credentials);
-  free(credentials);
-
-  return (1);
-}
-
-
-/*
- * 'cupsdStartTLS()' - Start a secure session with the client.
- */
-
-int                                    /* O - 1 on success, 0 on error */
-cupsdStartTLS(cupsd_client_t *con)     /* I - Client connection */
-{
-  int          status;                 /* Error code */
-  gnutls_certificate_credentials_t *credentials;
-                                       /* TLS credentials */
-
-
-  cupsdLogMessage(CUPSD_LOG_DEBUG, "[Client %d] Encrypting connection.",
-                  con->http.fd);
-
- /*
-  * Verify that we have a certificate...
-  */
-
-  if (access(ServerKey, 0) || access(ServerCertificate, 0))
-  {
-   /*
-    * Nope, make a self-signed certificate...
-    */
-
-    if (!make_certificate(con))
-      return (0);
-  }
-
- /*
-  * Create the SSL object and perform the SSL handshake...
-  */
-
-  credentials = (gnutls_certificate_credentials_t *)
-                    malloc(sizeof(gnutls_certificate_credentials_t));
-  if (credentials == NULL)
-  {
-    cupsdLogMessage(CUPSD_LOG_ERROR,
-                    "Unable to encrypt connection from %s - %s",
-                    con->http.hostname, strerror(errno));
-
-    return (0);
-  }
-
-  gnutls_certificate_allocate_credentials(credentials);
-  gnutls_certificate_set_x509_key_file(*credentials, ServerCertificate,
-                                      ServerKey, GNUTLS_X509_FMT_PEM);
-
-  gnutls_init(&con->http.tls, GNUTLS_SERVER);
-  gnutls_set_default_priority(con->http.tls);
-
-  gnutls_credentials_set(con->http.tls, GNUTLS_CRD_CERTIFICATE, *credentials);
-  gnutls_transport_set_ptr(con->http.tls, (gnutls_transport_ptr_t)HTTP(con));
-  gnutls_transport_set_pull_function(con->http.tls, http_gnutls_read);
-  gnutls_transport_set_push_function(con->http.tls, http_gnutls_write);
-
-  while ((status = gnutls_handshake(con->http.tls)) != GNUTLS_E_SUCCESS)
-  {
-    if (gnutls_error_is_fatal(status))
-    {
-      cupsdLogMessage(CUPSD_LOG_ERROR,
-                      "Unable to encrypt connection from %s - %s",
-                      con->http.hostname, gnutls_strerror(status));
-
-      gnutls_deinit(con->http.tls);
-      gnutls_certificate_free_credentials(*credentials);
-      con->http.tls = NULL;
-      free(credentials);
-      return (0);
-    }
-  }
-
-  cupsdLogMessage(CUPSD_LOG_DEBUG, "Connection from %s now encrypted.",
-                  con->http.hostname);
-
-  con->http.tls_credentials = credentials;
-  return (1);
-}
-
-
-/*
- * 'make_certificate()' - Make a self-signed SSL/TLS certificate.
- */
-
-static int                             /* O - 1 on success, 0 on failure */
-make_certificate(cupsd_client_t *con)  /* I - Client connection */
-{
-  gnutls_x509_crt      crt;            /* Self-signed certificate */
-  gnutls_x509_privkey  key;            /* Encryption key */
-  cups_lang_t          *language;      /* Default language info */
-  cups_file_t          *fp;            /* Key/cert file */
-  unsigned char                buffer[8192];   /* Buffer for x509 data */
-  size_t               bytes;          /* Number of bytes of data */
-  unsigned char                serial[4];      /* Serial number buffer */
-  time_t               curtime;        /* Current time */
-  int                  result;         /* Result of GNU TLS calls */
-
-
- /*
-  * Create the encryption key...
-  */
-
-  cupsdLogMessage(CUPSD_LOG_INFO, "Generating SSL server key...");
-
-  gnutls_x509_privkey_init(&key);
-  gnutls_x509_privkey_generate(key, GNUTLS_PK_RSA, 2048, 0);
-
- /*
-  * Save it...
-  */
-
-  bytes = sizeof(buffer);
-
-  if ((result = gnutls_x509_privkey_export(key, GNUTLS_X509_FMT_PEM,
-                                           buffer, &bytes)) < 0)
-  {
-    cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to export SSL server key - %s",
-                    gnutls_strerror(result));
-    gnutls_x509_privkey_deinit(key);
-    return (0);
-  }
-  else if ((fp = cupsFileOpen(ServerKey, "w")) != NULL)
-  {
-    cupsFileWrite(fp, (char *)buffer, bytes);
-    cupsFileClose(fp);
-
-    cupsdLogMessage(CUPSD_LOG_INFO, "Created SSL server key file \"%s\"...",
-                   ServerKey);
-  }
-  else
-  {
-    cupsdLogMessage(CUPSD_LOG_ERROR,
-                    "Unable to create SSL server key file \"%s\" - %s",
-                   ServerKey, strerror(errno));
-    gnutls_x509_privkey_deinit(key);
-    return (0);
-  }
-
- /*
-  * Create the self-signed certificate...
-  */
-
-  cupsdLogMessage(CUPSD_LOG_INFO, "Generating self-signed SSL certificate...");
-
-  language  = cupsLangDefault();
-  curtime   = time(NULL);
-  serial[0] = curtime >> 24;
-  serial[1] = curtime >> 16;
-  serial[2] = curtime >> 8;
-  serial[3] = curtime;
-
-  gnutls_x509_crt_init(&crt);
-  if (strlen(language->language) == 5)
-    gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_X520_COUNTRY_NAME, 0,
-                                  language->language + 3, 2);
-  else
-    gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_X520_COUNTRY_NAME, 0,
-                                  "US", 2);
-  gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_X520_COMMON_NAME, 0,
-                                ServerName, strlen(ServerName));
-  gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_X520_ORGANIZATION_NAME, 0,
-                                ServerName, strlen(ServerName));
-  gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME,
-                                0, "Unknown", 7);
-  gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME, 0,
-                                "Unknown", 7);
-  gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_X520_LOCALITY_NAME, 0,
-                                "Unknown", 7);
-  gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_PKCS9_EMAIL, 0,
-                                ServerAdmin, strlen(ServerAdmin));
-  gnutls_x509_crt_set_key(crt, key);
-  gnutls_x509_crt_set_serial(crt, serial, sizeof(serial));
-  gnutls_x509_crt_set_activation_time(crt, curtime);
-  gnutls_x509_crt_set_expiration_time(crt, curtime + 10 * 365 * 86400);
-  gnutls_x509_crt_set_ca_status(crt, 0);
-  gnutls_x509_crt_set_subject_alternative_name(crt, GNUTLS_SAN_DNSNAME,
-                                               ServerName);
-  gnutls_x509_crt_set_key_purpose_oid(crt, GNUTLS_KP_TLS_WWW_SERVER, 0);
-  gnutls_x509_crt_set_key_usage(crt, GNUTLS_KEY_KEY_ENCIPHERMENT);
-  gnutls_x509_crt_set_version(crt, 3);
-
-  bytes = sizeof(buffer);
-  if (gnutls_x509_crt_get_key_id(crt, 0, buffer, &bytes) >= 0)
-    gnutls_x509_crt_set_subject_key_id(crt, buffer, bytes);
-
-  gnutls_x509_crt_sign(crt, crt, key);
-
- /*
-  * Save it...
-  */
-
-  bytes = sizeof(buffer);
-  if ((result = gnutls_x509_crt_export(crt, GNUTLS_X509_FMT_PEM,
-                                       buffer, &bytes)) < 0)
-    cupsdLogMessage(CUPSD_LOG_ERROR,
-                    "Unable to export SSL server certificate - %s",
-                   gnutls_strerror(result));
-  else if ((fp = cupsFileOpen(ServerCertificate, "w")) != NULL)
-  {
-    cupsFileWrite(fp, (char *)buffer, bytes);
-    cupsFileClose(fp);
-
-    cupsdLogMessage(CUPSD_LOG_INFO,
-                    "Created SSL server certificate file \"%s\"...",
-                   ServerCertificate);
-  }
-  else
-    cupsdLogMessage(CUPSD_LOG_ERROR,
-                    "Unable to create SSL server certificate file \"%s\" - %s",
-                   ServerCertificate, strerror(errno));
-
- /*
-  * Cleanup...
-  */
-
-  gnutls_x509_crt_deinit(crt);
-  gnutls_x509_privkey_deinit(key);
-
-  return (1);
-}
-#endif /* 0 */
-
-
  /*
   * End of "$Id$".
   */
author	msweet <msweet@a1ca3aef-8c08-0410-bb20-df032aa958be>
	Wed, 9 Jul 2014 01:00:00 +0000 (01:00 +0000)
committer	msweet <msweet@a1ca3aef-8c08-0410-bb20-df032aa958be>
	Wed, 9 Jul 2014 01:00:00 +0000 (01:00 +0000)
cups/tls-darwin.c		patch \| blob \| blame \| history
cups/tls-gnutls.c		patch \| blob \| blame \| history