From: Michael R Sweet Date: Tue, 18 Jun 2024 23:36:04 +0000 (-0400) Subject: Mirror X.509 validation changes from libcups v3. X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3933e01bddecd627215a9726e8588553f468ef7b;p=thirdparty%2Fcups.git Mirror X.509 validation changes from libcups v3. --- diff --git a/cups/tls-gnutls.c b/cups/tls-gnutls.c index 7f3f59f353..49cd2ed96a 100644 --- a/cups/tls-gnutls.c +++ b/cups/tls-gnutls.c @@ -878,41 +878,44 @@ cupsGetCredentialsTrust( _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("No stored credentials, not valid for name."), 1); trust = HTTP_TRUST_INVALID; } - else if (num_certs > 1 && !http_check_roots(credentials)) + else if (num_certs > 1) { - // See if we have a site CA certificate we can compare... - if ((tcreds = cupsCopyCredentials(path, "_site_")) != NULL) + if (!http_check_roots(credentials)) { - size_t credslen, // Length of credentials - tcredslen; // Length of trust root + // See if we have a site CA certificate we can compare... + if ((tcreds = cupsCopyCredentials(path, "_site_")) != NULL) + { + size_t credslen, // Length of credentials + tcredslen; // Length of trust root - // Do a tail comparison of the root... - credslen = strlen(credentials); - tcredslen = strlen(tcreds); - if (credslen <= tcredslen || strcmp(credentials + (credslen - tcredslen), tcreds)) - { - // Certificate isn't directly generated from the CA cert... - trust = HTTP_TRUST_INVALID; - } + // Do a tail comparison of the root... + credslen = strlen(credentials); + tcredslen = strlen(tcreds); + if (credslen <= tcredslen || strcmp(credentials + (credslen - tcredslen), tcreds)) + { + // Certificate isn't directly generated from the CA cert... + trust = HTTP_TRUST_INVALID; + } - if (trust != HTTP_TRUST_OK) - _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Credentials do not validate against site CA certificate."), 1); + if (trust != HTTP_TRUST_OK) + _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Credentials do not validate against site CA certificate."), 1); - free(tcreds); - } - else if (require_ca) - { - _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Trust on first use is disabled."), 1); - trust = HTTP_TRUST_INVALID; - } - else if (!cg->trust_first) - { - _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Trust on first use is disabled."), 1); - trust = HTTP_TRUST_INVALID; + free(tcreds); + } } } - else if ((!cg->any_root || require_ca) && num_certs == 1) + else if (require_ca) + { + _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Credentials are not CA-signed."), 1); + trust = HTTP_TRUST_INVALID; + } + else if (!cg->trust_first) + { + _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Trust on first use is disabled."), 1); + trust = HTTP_TRUST_INVALID; + } + else if (!cg->any_root || require_ca) { _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Self-signed credentials are blocked."), 1); trust = HTTP_TRUST_INVALID; diff --git a/cups/tls-openssl.c b/cups/tls-openssl.c index ff0eccf4b8..e2a8ec30bc 100644 --- a/cups/tls-openssl.c +++ b/cups/tls-openssl.c @@ -852,41 +852,44 @@ cupsGetCredentialsTrust( _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("No stored credentials, not valid for name."), 1); trust = HTTP_TRUST_INVALID; } - else if (sk_X509_num(certs) > 1 && !http_check_roots(credentials)) + else if (sk_X509_num(certs) > 1) { - // See if we have a site CA certificate we can compare... - if ((tcreds = cupsCopyCredentials(path, "_site_")) != NULL) + if (!http_check_roots(credentials)) { - size_t credslen, // Length of credentials - tcredslen; // Length of trust root + // See if we have a site CA certificate we can compare... + if ((tcreds = cupsCopyCredentials(path, "_site_")) != NULL) + { + size_t credslen, // Length of credentials + tcredslen; // Length of trust root - // Do a tail comparison of the root... - credslen = strlen(credentials); - tcredslen = strlen(tcreds); - if (credslen <= tcredslen || strcmp(credentials + (credslen - tcredslen), tcreds)) - { - // Certificate isn't directly generated from the CA cert... - trust = HTTP_TRUST_INVALID; - } + // Do a tail comparison of the root... + credslen = strlen(credentials); + tcredslen = strlen(tcreds); + if (credslen <= tcredslen || strcmp(credentials + (credslen - tcredslen), tcreds)) + { + // Certificate isn't directly generated from the CA cert... + trust = HTTP_TRUST_INVALID; + } - if (trust != HTTP_TRUST_OK) - _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Credentials do not validate against site CA certificate."), 1); + if (trust != HTTP_TRUST_OK) + _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Credentials do not validate against site CA certificate."), 1); - free(tcreds); - } - else if (require_ca) - { - _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Trust on first use is disabled."), 1); - trust = HTTP_TRUST_INVALID; - } - else if (!cg->trust_first) - { - _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Trust on first use is disabled."), 1); - trust = HTTP_TRUST_INVALID; + free(tcreds); + } } } - else if ((!cg->any_root || require_ca) && sk_X509_num(certs) == 1) + else if (require_ca) + { + _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Credentials are not CA-signed."), 1); + trust = HTTP_TRUST_INVALID; + } + else if (!cg->trust_first) + { + _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Trust on first use is disabled."), 1); + trust = HTTP_TRUST_INVALID; + } + else if (!cg->any_root || require_ca) { _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Self-signed credentials are blocked."), 1); trust = HTTP_TRUST_INVALID;