_cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("No stored credentials, not valid for name."), 1);
trust = HTTP_TRUST_INVALID;
}
- else if (num_certs > 1 && !http_check_roots(credentials))
+ else if (num_certs > 1)
{
- // See if we have a site CA certificate we can compare...
- if ((tcreds = cupsCopyCredentials(path, "_site_")) != NULL)
+ if (!http_check_roots(credentials))
{
- size_t credslen, // Length of credentials
- tcredslen; // Length of trust root
+ // See if we have a site CA certificate we can compare...
+ if ((tcreds = cupsCopyCredentials(path, "_site_")) != NULL)
+ {
+ size_t credslen, // Length of credentials
+ tcredslen; // Length of trust root
- // Do a tail comparison of the root...
- credslen = strlen(credentials);
- tcredslen = strlen(tcreds);
- if (credslen <= tcredslen || strcmp(credentials + (credslen - tcredslen), tcreds))
- {
- // Certificate isn't directly generated from the CA cert...
- trust = HTTP_TRUST_INVALID;
- }
+ // Do a tail comparison of the root...
+ credslen = strlen(credentials);
+ tcredslen = strlen(tcreds);
+ if (credslen <= tcredslen || strcmp(credentials + (credslen - tcredslen), tcreds))
+ {
+ // Certificate isn't directly generated from the CA cert...
+ trust = HTTP_TRUST_INVALID;
+ }
- if (trust != HTTP_TRUST_OK)
- _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Credentials do not validate against site CA certificate."), 1);
+ if (trust != HTTP_TRUST_OK)
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Credentials do not validate against site CA certificate."), 1);
- free(tcreds);
- }
- else if (require_ca)
- {
- _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Trust on first use is disabled."), 1);
- trust = HTTP_TRUST_INVALID;
- }
- else if (!cg->trust_first)
- {
- _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Trust on first use is disabled."), 1);
- trust = HTTP_TRUST_INVALID;
+ free(tcreds);
+ }
}
}
- else if ((!cg->any_root || require_ca) && num_certs == 1)
+ else if (require_ca)
+ {
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Credentials are not CA-signed."), 1);
+ trust = HTTP_TRUST_INVALID;
+ }
+ else if (!cg->trust_first)
+ {
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Trust on first use is disabled."), 1);
+ trust = HTTP_TRUST_INVALID;
+ }
+ else if (!cg->any_root || require_ca)
{
_cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Self-signed credentials are blocked."), 1);
trust = HTTP_TRUST_INVALID;
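Review bot: A chain with more than one certificate that fails `http_check_roots(credentials)` and has no stored `_site_` credentials now leaves `trust` unchanged, because the `require_ca` and `!cg->trust_first` checks moved to the outer chain and are only reached when `num_certs > 1` is false. If `trust` is still `HTTP_TRUST_OK` at that point (its initial value is outside the hunk), an unverifiable chain is accepted even with `require_ca` set, which is more lenient than the handling of a single self-signed certificate. The inner `if ((tcreds = cupsCopyCredentials(path, "_site_")) != NULL)` needs an else arm that fails closed, as sketched below. The `sk_X509_num(certs) > 1` hunk further down has the same shape, and the enclosing function starts and ends outside the hunk.

```c
          free(tcreds);
        }
        else if (require_ca)
        {
          // Roots did not verify and there is no site CA to compare against
          _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Credentials are not CA-signed."), 1);
          trust = HTTP_TRUST_INVALID;
        }
        else if (!cg->trust_first)
        {
          _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Trust on first use is disabled."), 1);
          trust = HTTP_TRUST_INVALID;
        }
        // ... unchanged: closing braces of the http_check_roots and num_certs blocks ...
```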
_cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("No stored credentials, not valid for name."), 1);
trust = HTTP_TRUST_INVALID;
}
- else if (sk_X509_num(certs) > 1 && !http_check_roots(credentials))
+ else if (sk_X509_num(certs) > 1)
{
- // See if we have a site CA certificate we can compare...
- if ((tcreds = cupsCopyCredentials(path, "_site_")) != NULL)
+ if (!http_check_roots(credentials))
{
- size_t credslen, // Length of credentials
- tcredslen; // Length of trust root
+ // See if we have a site CA certificate we can compare...
+ if ((tcreds = cupsCopyCredentials(path, "_site_")) != NULL)
+ {
+ size_t credslen, // Length of credentials
+ tcredslen; // Length of trust root
- // Do a tail comparison of the root...
- credslen = strlen(credentials);
- tcredslen = strlen(tcreds);
- if (credslen <= tcredslen || strcmp(credentials + (credslen - tcredslen), tcreds))
- {
- // Certificate isn't directly generated from the CA cert...
- trust = HTTP_TRUST_INVALID;
- }
+ // Do a tail comparison of the root...
+ credslen = strlen(credentials);
+ tcredslen = strlen(tcreds);
+ if (credslen <= tcredslen || strcmp(credentials + (credslen - tcredslen), tcreds))
+ {
+ // Certificate isn't directly generated from the CA cert...
+ trust = HTTP_TRUST_INVALID;
+ }
- if (trust != HTTP_TRUST_OK)
- _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Credentials do not validate against site CA certificate."), 1);
+ if (trust != HTTP_TRUST_OK)
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Credentials do not validate against site CA certificate."), 1);
- free(tcreds);
- }
- else if (require_ca)
- {
- _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Trust on first use is disabled."), 1);
- trust = HTTP_TRUST_INVALID;
- }
- else if (!cg->trust_first)
- {
- _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Trust on first use is disabled."), 1);
- trust = HTTP_TRUST_INVALID;
+ free(tcreds);
+ }
}
}
- else if ((!cg->any_root || require_ca) && sk_X509_num(certs) == 1)
+ else if (require_ca)
+ {
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Credentials are not CA-signed."), 1);
+ trust = HTTP_TRUST_INVALID;
+ }
+ else if (!cg->trust_first)
+ {
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Trust on first use is disabled."), 1);
+ trust = HTTP_TRUST_INVALID;
+ }
+ else if (!cg->any_root || require_ca)
{
_cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Self-signed credentials are blocked."), 1);
trust = HTTP_TRUST_INVALID;
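Review bot: The `|| require_ca` in the final `else if (!cg->any_root || require_ca)` can never be true here, because the `else if (require_ca)` arm added just above already handles that case; `else if (!cg->any_root)` expresses the same condition. Dropping the old `sk_X509_num(certs) == 1` test also appears to let a zero-certificate result reach these arms, which may be intended but deserves a short comment such as `// One certificate or none: cannot be CA-signed...` above the `require_ca` arm. Both remarks apply equally to the `num_certs` hunk above, and the block's closing brace is outside the hunk.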