]> git.ipfire.org Git - thirdparty/cups.git/commitdiff
Fix bug in tlscheck utility - wasn't retrying connections and used "host"
authorMichael R Sweet <michael.r.sweet@gmail.com>
Wed, 30 Mar 2022 18:31:22 +0000 (14:31 -0400)
committerMichael R Sweet <michael.r.sweet@gmail.com>
Wed, 30 Mar 2022 18:31:22 +0000 (14:31 -0400)
instead of "server" when constructing the printer URI.

Continue OpenSSL implementations of http_create_credentials,
httpCopyCredentials, and httpCredentialString.

cups/tls-openssl.c
cups/tlscheck.c

index 45bc9cde45c83e1b6634ae8cc59855806efc7011..bf8b418472f126d2a0bb47db564954fd1ed496af 100644 (file)
@@ -342,9 +342,8 @@ httpCopyCredentials(
     http_t      *http,                 // I - Connection to server
     cups_array_t **credentials)                // O - Array of credentials
 {
-#if 0
-  unsigned             count;          // Number of certificates
-  const openssl_datum_t *certs;                // Certificates
+  // TODO: Switch to SSL_get_peer_cert_chain to get all of the certificates
+  X509 *cert;                          // Certificate
 
 
   DEBUG_printf(("httpCopyCredentials(http=%p, credentials=%p)", http, credentials));
@@ -356,24 +355,30 @@ httpCopyCredentials(
     return (-1);
 
   *credentials = cupsArrayNew(NULL, NULL);
-  certs        = openssl_certificate_get_peers(http->tls, &count);
+  cert         = SSL_get_peer_certificate(http->tls);
 
-  DEBUG_printf(("1httpCopyCredentials: certs=%p, count=%u", certs, count));
+  DEBUG_printf(("1httpCopyCredentials: cert=%p", cert));
 
-  if (certs && count)
+  if (cert)
   {
-    while (count > 0)
+    BIO        *bio = BIO_new(BIO_s_mem());    // Memory buffer for cert
+
+    if (bio)
     {
-      httpAddCredential(*credentials, certs->data, certs->size);
-      certs ++;
-      count --;
+      long     bytes;                  // Number of bytes
+      char     *buffer;                // Pointer to bytes
+
+      if (PEM_write_bio_X509(bio, cert))
+      {
+        bytes = BIO_get_mem_data(bio, &buffer);
+        httpAddCredential(*credentials, buffer, (int)bytes);
+      }
+
+      BIO_free(bio);
     }
   }
 
   return (0);
-#else
-  return (-1);
-#endif // 0
 }
 
 
@@ -697,27 +702,63 @@ httpCredentialsString(
   if (bufsize > 0)
     *buffer = '\0';
 
-  if ((first = (http_credential_t *)cupsArrayFirst(credentials)) != NULL && (cert = http_create_credential(first)) != NULL)
+  first = (http_credential_t *)cupsArrayFirst(credentials);
+  cert  = http_create_credential(first);
+
+  if (cert)
   {
     char               name[256],      // Common name associated with cert
                        issuer[256];    // Issuer associated with cert
-    time_t             expiration;     // Expiration date of cert
-//    struct tm                exptm;          // Expiration date/time of cert
-    int                        sigalg;         // Signature algorithm
+    unsigned char      *expiration;    // Expiration date of cert
+    const char         *sigalg;        // Signature algorithm
     unsigned char      md5_digest[16]; // MD5 result
 
 
-    X509_NAME_oneline(X509_get_subject_name(cert), name, sizeof(name));
-    X509_NAME_oneline(X509_get_issuer_name(cert), issuer, sizeof(issuer));
+    X509_NAME_get_text_by_NID(X509_get_subject_name(cert), NID_commonName, name, sizeof(name));
+    X509_NAME_get_text_by_NID(X509_get_issuer_name(cert), NID_commonName, issuer, sizeof(issuer));
+    ASN1_STRING_to_UTF8(&expiration, X509_get0_notAfter(cert));
 
-//    ASN1_TIME_to_tm(X509_get0_notAfter(cert), &exptm);
-//    expiration = mktime(&exptm);
-    expiration = 0;
-    sigalg     = X509_get_signature_nid(cert);
+    switch (X509_get_signature_nid(cert))
+    {
+      case NID_ecdsa_with_SHA1 :
+          sigalg = "SHA1WithECDSAEncryption";
+          break;
+      case NID_ecdsa_with_SHA224 :
+          sigalg = "SHA224WithECDSAEncryption";
+          break;
+      case NID_ecdsa_with_SHA256 :
+          sigalg = "SHA256WithECDSAEncryption";
+          break;
+      case NID_ecdsa_with_SHA384 :
+          sigalg = "SHA384WithECDSAEncryption";
+          break;
+      case NID_ecdsa_with_SHA512 :
+          sigalg = "SHA512WithECDSAEncryption";
+          break;
+      case NID_sha1WithRSAEncryption :
+          sigalg = "SHA1WithRSAEncryption";
+          break;
+      case NID_sha224WithRSAEncryption :
+          sigalg = "SHA224WithRSAEncryption";
+          break;
+      case NID_sha256WithRSAEncryption :
+          sigalg = "SHA256WithRSAEncryption";
+          break;
+      case NID_sha384WithRSAEncryption :
+          sigalg = "SHA384WithRSAEncryption";
+          break;
+      case NID_sha512WithRSAEncryption :
+          sigalg = "SHA512WithRSAEncryption";
+          break;
+      default :
+          sigalg = "Unknown";
+          break;
+    }
 
     cupsHashData("md5", first->data, first->datalen, md5_digest, sizeof(md5_digest));
 
-    snprintf(buffer, bufsize, "%s (issued by %s) / %s / sig(%d) / %02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X", name, issuer, httpGetDateString(expiration), sigalg, md5_digest[0], md5_digest[1], md5_digest[2], md5_digest[3], md5_digest[4], md5_digest[5], md5_digest[6], md5_digest[7], md5_digest[8], md5_digest[9], md5_digest[10], md5_digest[11], md5_digest[12], md5_digest[13], md5_digest[14], md5_digest[15]);
+    snprintf(buffer, bufsize, "%s (issued by %s) / %s / %s / %02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X", name, issuer, (char *)expiration, sigalg, md5_digest[0], md5_digest[1], md5_digest[2], md5_digest[3], md5_digest[4], md5_digest[5], md5_digest[6], md5_digest[7], md5_digest[8], md5_digest[9], md5_digest[10], md5_digest[11], md5_digest[12], md5_digest[13], md5_digest[14], md5_digest[15]);
+    OPENSSL_free(expiration);
     X509_free(cert);
   }
 
@@ -1379,6 +1420,8 @@ http_create_credential(
   BIO  *bio;                           // Basic I/O for string
 
 
+  if (!credential)
+    return (NULL);
 
   if ((bio = BIO_new_mem_buf(credential->data, credential->datalen)) == NULL)
     return (NULL);
index 7b42903d45c51b7699b49ea74375515be23c68e1..5e49467b94e52aa88f53569e048154229ccc77a3 100644 (file)
@@ -166,7 +166,12 @@ main(int  argc,                            /* I - Number of command-line arguments */
 
   _httpTLSSetOptions(tls_options, tls_min_version, tls_max_version);
 
-  http = httpConnect2(server, port, NULL, af, HTTP_ENCRYPTION_ALWAYS, 1, 30000, NULL);
+  for (i = 0; i < 10; i ++)
+  {
+    if ((http = httpConnect2(server, port, NULL, af, HTTP_ENCRYPTION_ALWAYS, 1, 30000, NULL)) != NULL)
+      break;
+  }
+
   if (!http)
   {
     printf("%s: ERROR (%s)\n", server, cupsLastErrorString());
@@ -179,7 +184,8 @@ main(int  argc,                             /* I - Number of command-line arguments */
   }
   else
   {
-    httpCredentialsString(creds, creds_str, sizeof(creds_str));
+    if (!httpCredentialsString(creds, creds_str, sizeof(creds_str)))
+      strlcpy(creds_str, "Unable to convert X.509 credential to string.", sizeof(creds_str));
     httpFreeCredentials(creds);
   }
 
@@ -756,7 +762,7 @@ main(int  argc,                             /* I - Number of command-line arguments */
 
   if (verbose)
   {
-    httpAssembleURI(HTTP_URI_CODING_ALL, uri, sizeof(uri), "ipps", NULL, host, port, resource);
+    httpAssembleURI(HTTP_URI_CODING_ALL, uri, sizeof(uri), "ipps", NULL, server, port, resource);
     request = ippNewRequest(IPP_OP_GET_PRINTER_ATTRIBUTES);
     ippAddString(request, IPP_TAG_OPERATION, IPP_TAG_URI, "printer-uri", NULL, uri);
     ippAddString(request, IPP_TAG_OPERATION, IPP_TAG_NAME, "requesting-user-name", NULL, cupsUser());