From: msweet <msweet@a1ca3aef-8c08-0410-bb20-df032aa958be>
Date: Wed, 7 May 2014 23:12:48 +0000 (+0000)
Subject: Save work on cert stuff.
X-Git-Tag: v2.2b1~648
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=524c65e662f2c36fd6a5321425a30d2cdd2d4ece;p=thirdparty%2Fcups.git

Save work on cert stuff.


git-svn-id: svn+ssh://src.apple.com/svn/cups/cups.org/trunk@11850 a1ca3aef-8c08-0410-bb20-df032aa958be
---

diff --git a/cups/http.h b/cups/http.h
index 1e8ed00ea4..2c6bf9bcb8 100644
--- a/cups/http.h
+++ b/cups/http.h
@@ -342,6 +342,16 @@ typedef enum http_status_e		/**** HTTP status codes ****/
 #  endif /* !_CUPS_NO_DEPRECATED */
 } http_status_t;
 
+typedef enum http_trust_e		/**** Level of trust for credentials @since CUPS 2.0@ */
+{
+  HTTP_TRUST_OK = 0,			/* Credentials are OK/trusted */
+  HTTP_TRUST_INVALID,			/* Credentials are invalid */
+  HTTP_TRUST_CHANGED,			/* Credentials have changed */
+  HTTP_TRUST_EXPIRED,			/* Credentials are expired */
+  HTTP_TRUST_RENEWED,			/* Credentials have been renewed */
+  HTTP_TRUST_UNKNOWN,			/* Credentials are unknown/new */
+} http_trust_t;
+
 typedef enum http_uri_status_e		/**** URI separation status @since CUPS 1.2@ ****/
 {
   HTTP_URI_STATUS_OVERFLOW = -8,	/* URI buffer for httpAssembleURI is too small */
@@ -614,9 +624,9 @@ extern http_state_t	httpWriteResponse(http_t *http,
 extern int		httpAddrClose(http_addr_t *addr, int fd) _CUPS_API_2_0;
 extern int		httpAddrFamily(http_addr_t *addr) _CUPS_API_2_0;
 extern int		httpCompareCredentials(cups_array_t *cred1, cups_array_t *cred2) _CUPS_API_2_0;
-extern int		httpCredentialsAreTrusted(cups_array_t *credentials, const char *common_name) _CUPS_API_2_0;
+extern int		httpCredentialsAreValidForName(cups_array_t *credentials, const char *common_name);
 extern time_t		httpCredentialsGetExpiration(cups_array_t *credentials) _CUPS_API_2_0;
-extern int		httpCredentialsIsValidName(cups_array_t *credentials, const char *common_name);
+extern http_trust_t	httpCredentialsGetTrust(cups_array_t *credentials, const char *common_name) _CUPS_API_2_0;
 extern size_t		httpCredentialsString(cups_array_t *credentials, char *buffer, size_t bufsize) _CUPS_API_2_0;
 extern http_field_t	httpFieldValue(const char *name) _CUPS_API_2_0;
 extern time_t		httpGetActivity(http_t *http) _CUPS_API_2_0;
diff --git a/cups/testhttp.c b/cups/testhttp.c
index 2696f56d6c..00b46de129 100644
--- a/cups/testhttp.c
+++ b/cups/testhttp.c
@@ -624,22 +624,23 @@ main(int  argc,				/* I - Number of command-line arguments */
     {
       cups_array_t *creds;
       char info[1024];
-
+      static const char *trusts[] = { "OK", "Invalid", "Changed", "Expired", "Renewed", "Unknown" };
       if (!httpCopyCredentials(http, &creds))
       {
-        int trusted = httpCredentialsAreTrusted(creds, hostname);
+        http_trust_t trust = httpCredentialsGetTrust(creds, hostname);
 
         httpCredentialsString(creds, info, sizeof(info));
 
-        printf("AreTrusted: %d\n", trusted);
+        printf("Trust: %s\n", trusts[trust]);
         printf("Expiration: %s\n", httpGetDateString(httpCredentialsGetExpiration(creds)));
-        printf("IsValidName: %d\n", httpCredentialsIsValidName(creds, hostname));
+        printf("IsValidName: %d\n", httpCredentialsAreValidForName(creds, hostname));
         printf("String: \"%s\"\n", info);
 
-        if (!trusted)
+        if (trust != HTTP_TRUST_OK)
 	{
 	  printf("SaveCredentials: %d\n", httpSaveCredentials(NULL, creds, hostname));
-	  printf("New AreTrusted: %d\n", httpCredentialsAreTrusted(creds, hostname));
+	  trust = httpCredentialsGetTrust(creds, hostname);
+	  printf("New Trust: %s\n", trusts[trust]);
 	}
 
         httpFreeCredentials(creds);
diff --git a/cups/tls-darwin.c b/cups/tls-darwin.c
index 1a9bfefd2b..61b71a7ce2 100644
--- a/cups/tls-darwin.c
+++ b/cups/tls-darwin.c
@@ -447,29 +447,92 @@ _httpCreateCredentials(
 
 
 /*
- * 'httpCredentialsAreTrusted()' - Return whether the credentials are trusted.
+ * 'httpCredentialsAreValidForName()' - Return whether the credentials are valid for the given name.
  *
  * @since CUPS 2.0@
  */
 
-int					/* O - 1 if trusted, 0 if not/unknown */
-httpCredentialsAreTrusted(
+int					/* O - 1 if valid, 0 otherwise */
+httpCredentialsAreValidForName(
+    cups_array_t *credentials,		/* I - Credentials */
+    const char   *common_name)		/* I - Name to check */
+{
+  SecCertificateRef	secCert;	/* Certificate reference */
+  CFStringRef		cfcert_name = NULL;
+					/* Certificate's common name (CF string) */
+  char			cert_name[256];	/* Certificate's common name (C string) */
+  int			valid = 1;	/* Valid name? */
+
+
+  if ((secCert = http_cdsa_create_credential((http_credential_t *)cupsArrayFirst(credentials))) == NULL)
+    return (0);
+
+ /*
+  * Compare the common names...
+  */
+
+  if ((cfcert_name = SecCertificateCopySubjectSummary(secCert)) == NULL)
+  {
+   /*
+    * Can't get common name, cannot be valid...
+    */
+
+    valid = 0;
+  }
+  else if (CFStringGetCString(cfcert_name, cert_name, sizeof(cert_name), kCFStringEncodingUTF8) &&
+           _cups_strcasecmp(common_name, cert_name))
+  {
+   /*
+    * Not an exact match for the common name, check for wildcard certs...
+    */
+
+    const char	*domain = strchr(common_name, '.');
+					/* Domain in common name */
+
+    if (strncmp(cert_name, "*.", 2) || !domain || _cups_strcasecmp(domain, cert_name + 1))
+    {
+     /*
+      * Not a wildcard match.
+      */
+
+      /* TODO: Check subject alternate names */
+      valid = 0;
+    }
+  }
+
+  if (cfcert_name)
+    CFRelease(cfcert_name);
+
+  CFRelease(secCert);
+
+  return (valid);
+}
+
+
+/*
+ * 'httpCredentialsGetTrust()' - Return the trust of credentials.
+ *
+ * @since CUPS 2.0@
+ */
+
+http_trust_t				/* O - Level of trust */
+httpCredentialsGetTrust(
     cups_array_t *credentials,		/* I - Credentials */
     const char   *common_name)		/* I - Common name for trust lookup */
 {
   SecCertificateRef	secCert;	/* Certificate reference */
-  int			trusted = 1;	/* Trusted? */
-  int			save = 0;	/* Save credentials? */
+  http_trust_t		trust = HTTP_TRUST_OK;
+					/* Trusted? */
   cups_array_t		*tcreds = NULL;	/* Trusted credentials */
   _cups_globals_t	*cg = _cupsGlobals();
 					/* Per-thread globals */
 
 
   if (!common_name)
-    return (0);
+    return (HTTP_TRUST_UNKNOWN);
 
   if ((secCert = http_cdsa_create_credential((http_credential_t *)cupsArrayFirst(credentials))) == NULL)
-    return (0);
+    return (HTTP_TRUST_UNKNOWN);
 
  /*
   * Look this common name up in the default keychains...
@@ -493,43 +556,40 @@ httpCredentialsAreTrusted(
       */
 
       if (httpCredentialsGetExpiration(credentials) <= httpCredentialsGetExpiration(tcreds) ||
-          !httpCredentialsIsValidName(credentials, common_name))
+          !httpCredentialsAreValidForName(credentials, common_name))
       {
        /*
         * Either the new credentials are not newly issued, or the common name
 	* does not match the issued certificate...
 	*/
 
-        trusted = 0;
+        trust = HTTP_TRUST_INVALID;
       }
-      else
+      else if (httpCredentialsGetExpiration(tcreds) < time(NULL))
       {
        /*
-        * Flag that we should save the new credentials...
+        * Save the renewed credentials...
 	*/
 
-        save = 1;
+	trust = HTTP_TRUST_RENEWED;
+
+        httpSaveCredentials(NULL, credentials, common_name);
       }
     }
 
     httpFreeCredentials(tcreds);
   }
-  else if (!httpCredentialsIsValidName(credentials, common_name))
-    trusted = 0;
-  else
-    save = 1;
+  else if (!httpCredentialsAreValidForName(credentials, common_name))
+    trust = HTTP_TRUST_INVALID;
 
   if (!cg->expired_certs && !SecCertificateIsValid(secCert, CFAbsoluteTimeGetCurrent()))
-    trusted = 0;
+    trust = HTTP_TRUST_EXPIRED;
   else if (!cg->any_root && cupsArrayCount(credentials) == 1)
-    trusted = 0;
-
-  if (trusted && save)
-    httpSaveCredentials(NULL, credentials, common_name);
+    trust = HTTP_TRUST_INVALID;
 
   CFRelease(secCert);
 
-  return (trusted);
+  return (trust);
 }
 
 
@@ -558,69 +618,6 @@ httpCredentialsGetExpiration(
 }
 
 
-/*
- * 'httpCredentialsIsValidName()' - Return whether the credentials are valid for the given name.
- *
- * @since CUPS 2.0@
- */
-
-int					/* O - 1 if valid, 0 otherwise */
-httpCredentialsIsValidName(
-    cups_array_t *credentials,		/* I - Credentials */
-    const char   *common_name)		/* I - Name to check */
-{
-  SecCertificateRef	secCert;	/* Certificate reference */
-  CFStringRef		cfcert_name = NULL;
-					/* Certificate's common name (CF string) */
-  char			cert_name[256];	/* Certificate's common name (C string) */
-  int			valid = 1;	/* Valid name? */
-
-
-  if ((secCert = http_cdsa_create_credential((http_credential_t *)cupsArrayFirst(credentials))) == NULL)
-    return (0);
-
- /*
-  * Compare the common names...
-  */
-
-  if ((cfcert_name = SecCertificateCopySubjectSummary(secCert)) == NULL)
-  {
-   /*
-    * Can't get common name, cannot be valid...
-    */
-
-    valid = 0;
-  }
-  else if (CFStringGetCString(cfcert_name, cert_name, sizeof(cert_name), kCFStringEncodingUTF8) &&
-           _cups_strcasecmp(common_name, cert_name))
-  {
-   /*
-    * Not an exact match for the common name, check for wildcard certs...
-    */
-
-    const char	*domain = strchr(common_name, '.');
-					/* Domain in common name */
-
-    if (strncmp(cert_name, "*.", 2) || !domain || _cups_strcasecmp(domain, cert_name + 1))
-    {
-     /*
-      * Not a wildcard match.
-      */
-
-      /* TODO: Check subject alternate names */
-      valid = 0;
-    }
-  }
-
-  if (cfcert_name)
-    CFRelease(cfcert_name);
-
-  CFRelease(secCert);
-
-  return (valid);
-}
-
-
 /*
  * 'httpCredentialsString()' - Return a string representing the credentials.
  *
@@ -806,6 +803,7 @@ httpLoadCredentials(
   (void)path;
   (void)credentials;
   (void)common_name;
+  (void)alt_name;
 
   return (-1);
 #endif /* HAVE_SECKEYCHAINOPEN */
@@ -831,8 +829,6 @@ httpSaveCredentials(
   SecKeychainRef	keychain = NULL;/* Keychain reference */
   SecIdentitySearchRef	search = NULL;	/* Search reference */
   SecCertificateRef	cert = NULL;	/* Certificate */
-  CFStringRef		cfcommon_name = NULL;
-					/* Server name */
   CFMutableDictionaryRef attrs = NULL;	/* Attributes for add */
   CFArrayRef		list = NULL;	/* Keychain list */
 
@@ -841,6 +837,12 @@ httpSaveCredentials(
   if (!credentials)
     goto cleanup;
 
+  if (!httpCredentialsAreValidForName(credentials, common_name))
+  {
+    DEBUG_puts("1httpSaveCredentials: Common name does not match.");
+    return (-1);
+  }
+
   if ((cert = http_cdsa_create_credential((http_credential_t *)cupsArrayFirst(credentials))) == NULL)
   {
     DEBUG_puts("1httpSaveCredentials: Unable to create certificate.");
@@ -873,12 +875,6 @@ httpSaveCredentials(
     goto cleanup;
   }
 
-  if ((cfcommon_name = CFStringCreateWithCString(kCFAllocatorDefault, common_name, kCFStringEncodingUTF8)) == NULL)
-  {
-    DEBUG_puts("1httpSaveCredentials: Unable to create common name string.");
-    goto cleanup;
-  }
-
   if ((attrs = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks)) == NULL)
   {
     DEBUG_puts("1httpSaveCredentials: Unable to create dictionary.");
@@ -886,21 +882,15 @@ httpSaveCredentials(
   }
 
   CFDictionaryAddValue(attrs, kSecClass, kSecClassCertificate);
-  CFDictionaryAddValue(attrs, kSecAttrLabel, cfcommon_name);
-  CFDictionaryAddValue(attrs, kSecAttrSubject, cfcommon_name);
   CFDictionaryAddValue(attrs, kSecValueRef, cert);
   CFDictionaryAddValue(attrs, kSecMatchSearchList, list);
 
   /* Note: SecItemAdd consumes "attrs"... */
-  if ((err = SecItemAdd(attrs, NULL)) == noErr)
-    ret = 0;
-
+  err = SecItemAdd(attrs, NULL);
   DEBUG_printf(("1httpSaveCredentials: SecItemAdd returned %d.", (int)err));
 
   cleanup :
 
-  if (cfcommon_name)
-    CFRelease(cfcommon_name);
   if (list)
     CFRelease(list);
   if (keychain)
diff --git a/doc/help/man-client.conf.html b/doc/help/man-client.conf.html
index a24cafdbbd..ec11b96f5b 100644
--- a/doc/help/man-client.conf.html
+++ b/doc/help/man-client.conf.html
@@ -8,46 +8,46 @@
 <body>
 <h1 class="title">client.conf(5)</h1>
 <h2 class="title"><a name="NAME">Name</a></h2>
-client.conf - client configuration file for cups (deprecated)
+client.conf - client configuration file for cups
 <h2 class="title"><a name="DESCRIPTION">Description</a></h2>
-The <b>client.conf</b> file configures the CUPS client and is normally located in the <i>/etc/cups</i> and/or <i>~/.cups</i> directories.
-Each line in the file can be a configuration directive, a blank line, or a comment. Comment lines start with the # character.
-<p><b>Note:</b> Starting with OS X 10.7, this file is only used by command-line and X11 applications.
-The <b>ServerName</b> directive is not supported on OS X at all.
-<h3><a name="DIRECTIVES">Directives</a></h3>
-The following directives are understood by the client. Consult the online help for detailed descriptions:
+The <i>client.conf</i> file configures the CUPS client and is
+normally located in the <i>/etc/cups</i> or <i>~/.cups</i>
+directory. Each line in the file can be a configuration
+directive, a blank line, or a comment. Comment lines start with
+the # character.
+<h2 class="title"><a name="DIRECTIVES">Directives</a></h2>
+The following directives are understood by the client. Consult the
+on-line help for detailed descriptions:
 <dl class="man">
-<dt><b>AllowAnyRoot Y</b>
-<dd style="margin-left: 5.0em"><dt><b>AllowAnyRoot N</b>
-<dd style="margin-left: 5.0em">Specifies whether to allow TLS with certificates that have not been signed by a trusted Certificate Authority.
-The default is "Y".
-<dt><b>AllowExpiredCerts Y</b>
-<dd style="margin-left: 5.0em"><dt><b>AllowExpiredCerts N</b>
-<dd style="margin-left: 5.0em">Specifies whether to allow TLS with expired certificates.
-The default is "Y".
-<dt><b>Encryption IfRequested</b>
-<dd style="margin-left: 5.0em"><dt><b>Encryption Never</b>
-<dd style="margin-left: 5.0em"><dt><b>Encryption Required</b>
-<dd style="margin-left: 5.0em">Specifies the level of encryption that should be used.
-<dt><b>GSSServiceName </b><i>name</i>
-<dd style="margin-left: 5.0em">Specifies the Kerberos service name that is used for authentication, typically "host", "http", or "ipp".
-CUPS adds the remote hostname ("name@server.example.com") for you. The default name is "http".
-<dt><b>ServerName </b><i>hostname-or-ip-address</i>[<i>:port</i>]
-<dd style="margin-left: 5.0em"><dt><b>ServerName </b><i>/domain/socket</i>
-<dd style="margin-left: 5.0em">Specifies the address and optionally the port to use when connecting to the server.
-<b>Note: This directive it not supported on OS X 10.7 or later.</b>
-<dt><b>ServerName </b><i>hostname-or-ip-address</i>[<i>:port</i>]<b>/version=1.1</b>
-<dd style="margin-left: 5.0em">Specifies the address and optionally the port to use when connecting to a server running CUPS 1.3.12 and earlier.
-<dt><b>User </b><i>name</i>
-<dd style="margin-left: 5.0em">Specifies the default user name to use for requests.
+<dt>Encryption IfRequested
+<dd style="margin-left: 5.0em"><dt>Encryption Never
+<dd style="margin-left: 5.0em"><dt>Encryption Required
+<dd style="margin-left: 5.0em"><br>
+Specifies the level of encryption that is required for a particular
+location.
+<dt>GSSServiceName name
+<dd style="margin-left: 5.0em">Specifies the Kerberos service name that is used for authentication, typically
+"host", "http", or "ipp". CUPS adds the remote hostname
+("name@server.example.com") for you. The default name is
+"http".
+<dt>ServerName hostname-or-ip-address[:port]
+<dd style="margin-left: 5.0em"><dt>ServerName /domain/socket
+<dd style="margin-left: 5.0em"><br>
+Specifies the address and optionally the port to use when connecting to the
+server. <b>Note: Not supported on OS X 10.7 or later.</b>
+<dt>ServerName hostname-or-ip-address[:port]/version=1.1
+<dd style="margin-left: 5.0em"><br>
+Specifies the address and optionally the port to use when connecting to a
+server running CUPS 1.3.12 and earlier. <b>Note: Not supported on OS X 10.7 or
+later.</b>
+<dt>User name
+<dd style="margin-left: 5.0em"><br>
+Specifies the default user name to use for requests.
 </dl>
-<h2 class="title"><a name="NOTES">Notes</a></h2>
-The <b>client.conf</b> file is deprecated and will no longer be supported in a future version of CUPS.
 <h2 class="title"><a name="SEE_ALSO">See Also</a></h2>
-<a href="man-cups.html?TOPIC=Man+Pages"><b>cups</b>(1),</a>
-CUPS Online Help (<a href="http://localhost:631/help">http://localhost:631/help</a>)
+<a href="http://localhost:631/help">http://localhost:631/help</a>
 <h2 class="title"><a name="COPYRIGHT">Copyright</a></h2>
-Copyright &copy; 2007-2014 by Apple Inc.
+Copyright 2007-2013 by Apple Inc.
 
 </body>
 </html>
diff --git a/doc/help/man-cups-files.conf.html b/doc/help/man-cups-files.conf.html
index b4778bfdb2..f23cbdbd08 100644
--- a/doc/help/man-cups-files.conf.html
+++ b/doc/help/man-cups-files.conf.html
@@ -10,138 +10,109 @@
 <h2 class="title"><a name="NAME">Name</a></h2>
 cups-files.conf - file and directory configuration file for cups
 <h2 class="title"><a name="DESCRIPTION">Description</a></h2>
-The <b>cups-files.conf</b> file configures the files and directories used by the CUPS scheduler,
-<a href="man-cupsd.html?TOPIC=Man+Pages"><b>cupsd</b>(8).</a>
-It is normally located in the <i>/etc/cups</i> directory.
-<p>Each line in the file can be a configuration directive, a blank line, or a comment.
-Comment lines start with the # character.
-<h3><a name="DIRECTIVES">Directives</a></h3>
-The following directives are understood by
-<a href="man-cupsd.html?TOPIC=Man+Pages"><b>cupsd</b>(8):</a>
+The <i>cups-files.conf</i> file configures the files and directories used by the
+CUPS scheduler, <i>cupsd(8)</i>.  It is normally located in the
+<i>/etc/cups</i> directory.
+<p>Each line in the file can be a configuration directive, a blank line,
+or a comment. Comment lines start with the # character.
+<h2 class="title"><a name="DIRECTIVES">Directives</a></h2>
+The following directives are understood by <i>cupsd(8)</i>. Consult the
+on-line help for detailed descriptions:
 <dl class="man">
-<dt><b>AccessLog </b><i>filename</i>
-<dd style="margin-left: 5.0em"><dt><b>AccessLog </b>[ <i>filename</i> ]
-<dd style="margin-left: 5.0em"><dt><b>AccessLog syslog</b>
-<dd style="margin-left: 5.0em">Defines the access log filename.
-The value "syslog" causes log entries to be sent to the system log daemon.
-Specifying a blank filename disables access log generation.
-The server name may be included in filenames using the string "%s", for example:
-<pre class="man">
-
-    AccessLog /var/log/cups/%s-access_log
-
-</pre>
-<dt><b>ConfigFilePerm </b><i>mode</i>
-<dd style="margin-left: 5.0em">Specifies the permissions for all configuration files that the scheduler writes.
-The default is 0644 on OS X and 0640 on all other operating systems.
-<b>Note:</b> The permissions for the printers.conf file are currently masked to only allow access from the scheduler user (typically root).
-This is done because printer device URIs sometimes contain sensitive authentication information that should not be generally known on the system.
-There is no way to disable this security feature.
-<dt><b>DataDir </b><i>path</i>
-<dd style="margin-left: 5.0em">Specifies the directory where data files can be found. The default is usually <i>/usr/share/cups</i>.
-<dt><b>DocumentRoot </b><i>directory</i>
-<dd style="margin-left: 5.0em">Specifies the root directory for the CUPS web interface content. The default is usually <i>/usr/share/doc/cups</i>.
-<dt><b>ErrorLog </b>[ <i>filename</i> ]
-<dd style="margin-left: 5.0em"><dt><b>ErrorLog syslog</b>
-<dd style="margin-left: 5.0em">Defines the error log filename.
-The value "syslog" causes log entries to be sent to the system log daemon.
-Specifying a blank filename disables error log generation.
-The server name may be included in filenames using the string "%s", for example:
-<pre class="man">
-
-    ErrorLog /var/log/cups/%s-error_log
-
-</pre>
-<dt><b>FatalErrors none</b>
-<dd style="margin-left: 5.0em"><dt><b>FatalErrors all </b><i>-kind </i>[ <i>... -kind </i>]
-<dd style="margin-left: 5.0em"><dt><b>FatalErrors </b><i>kind </i>[ <i>... kind </i>]
-<dd style="margin-left: 5.0em">Specifies which errors are fatal, causing the scheduler to exit.
-The default setting is "config".
-The <i>kind</i> strings are:
-<div style="margin-left: 0.0em;">
-<dl class="man">
-<dt><b>none</b>
-<dd style="margin-left: 5.0em">No errors are fatal.
-<dt><b>all</b>
-<dd style="margin-left: 5.0em">All of the errors below are fatal.
-<dt><b>browse</b>
-<dd style="margin-left: 5.0em">Browsing initialization errors are fatal, for example failed connections to the DNS-SD daemon.
-<dt><b>config</b>
-<dd style="margin-left: 5.0em">Configuration file syntax errors are fatal.
-<dt><b>listen</b>
-<dd style="margin-left: 5.0em">Listen or Port errors are fatal, except for IPv6 failures on the loopback or "any" addresses.
-<dt><b>log</b>
-<dd style="margin-left: 5.0em">Log file creation or write errors are fatal.
-<dt><b>permissions</b>
-<dd style="margin-left: 5.0em">Bad startup file permissions are fatal, for example shared TLS certificate and key files with world-read permissions.
-</div>
-<dt><b>FileDevice Yes</b>
-<dd style="margin-left: 5.0em"><dt><b>FileDevice No</b>
-<dd style="margin-left: 5.0em">Specifies whether the file pseudo-device can be used for new printer queues.
-The URI "file:///dev/null" is always allowed.
-<dt><b>FontPath </b><i>directory</i>[:<i>...</i>:<i>directory</i>]
-<dd style="margin-left: 5.0em">Specifies the search path for fonts.
-<b>This directive is deprecated and will no longer be supported in a future release of CUPS.</b>
-<dt><b>Group </b><i>group-name-or-number</i>
-<dd style="margin-left: 5.0em">Specifies the group name or ID that will be used when executing external programs.
-The default group is operating system specific but is usually <i>lp</i> or <i>nobody</i>.
-<dt><b>LogFilePerm </b><i>mode</i>
-<dd style="margin-left: 5.0em">Specifies the permissions of all log files that the scheduler writes. The default is 0644.
-<dt><b>PageLog </b>[ <i>filename</i> ]
-<dd style="margin-left: 5.0em"><dt><b>PageLog syslog</b>
-<dd style="margin-left: 5.0em">Defines the page log filename.
-The value "syslog" causes log entries to be sent to the system log daemon.
-Specifying a blank filename disables page log generation.
-The server name may be included in filenames using the string "%s", for example:
-<pre class="man">
-
-    PageLog /var/log/cups/%s-page_log
-
-</pre>
-<dt><b>Printcap </b>[ <i>filename</i> ]
-<dd style="margin-left: 5.0em">Defines the printcap filename that the scheduler automatically updates with the current list of available printers, which is sometimes used by legacy applications.
-Specifying a blank filename disables printcap generation.
-<b>This directive is deprecated and will no longer be supported in a future release of CUPS.</b>
-<dt><b>RemoteRoot </b><i>username</i>
-<dd style="margin-left: 5.0em">Specifies the username that is associated with unauthenticated accesses by clients claiming to be the root user.
-<dt><b>RequestRoot </b><i>directory</i>
-<dd style="margin-left: 5.0em">Specifies the directory that contains print jobs and other HTTP request data.
-<dt><b>Sandboxing off</b>
-<dd style="margin-left: 5.0em"><dt><b>Sandboxing relaxed</b>
-<dd style="margin-left: 5.0em"><dt><b>Sandboxing strict</b>
-<dd style="margin-left: 5.0em">Specifies the level of security sandboxing that is applied to print filters, backends, and other child processes of the scheduler.
-The default is "strict".
-This directive is currently only used on OS X.
-<dt><b>ServerBin </b><i>directory</i>
-<dd style="margin-left: 5.0em">Specifies the directory containing the backends, CGI programs, filters, helper programs, notifiers, and port monitors.
-<dt><b>ServerKeychain </b><i>path</i>
-<dd style="margin-left: 5.0em">Specifies the location of TLS certificates and private keys.
-<dt><b>ServerRoot </b><i>directory</i>
-<dd style="margin-left: 5.0em">Specifies the directory containing the server configuration files.
-<dt><b>SyncOnClose Yes</b>
-<dd style="margin-left: 5.0em"><dt><b>SyncOnClose No</b>
-<dd style="margin-left: 5.0em">Specifies whether the scheduler calls
-<b>fsync</b>(2)
-after writing configuration or state files. The default is No.
-<dt><b>SystemGroup </b><i>group-name </i>[ <i>... group-name</i> ]
-<dd style="margin-left: 5.0em">Specifies the group(s) to use for <i>@SYSTEM</i> group authentication.
-<dt><b>TempDir </b><i>directory</i>
-<dd style="margin-left: 5.0em">Specifies the directory where temporary files are stored.
-<dt><b>User </b><i>username</i>
-<dd style="margin-left: 5.0em">Specifies the user name or ID that is used when running external programs.
+<dt>AccessLog filename
+<dd style="margin-left: 5.0em"><dt>AccessLog syslog
+<dd style="margin-left: 5.0em"><br>
+Defines the access log filename.
+<dt>ConfigFilePerm mode
+<dd style="margin-left: 5.0em"><br>
+Specifies the permissions for all configuration files that the scheduler
+writes.
+<dt>DataDir path
+<dd style="margin-left: 5.0em"><br>
+Specified the directory where data files can be found.
+<dt>DocumentRoot directory
+<dd style="margin-left: 5.0em"><br>
+Specifies the root directory for the internal web server documents.
+<dt>ErrorLog filename
+<dd style="margin-left: 5.0em"><dt>ErrorLog syslog
+<dd style="margin-left: 5.0em"><br>
+Specifies the error log filename.
+<dt>FatalErrors none
+<dd style="margin-left: 5.0em"><dt>FatalErrors all -kind [... -kind]
+<dd style="margin-left: 5.0em"><dt>FatalErrors kind [... kind]
+<dd style="margin-left: 5.0em"><br>
+Specifies which errors are fatal, causing the scheduler to exit. "Kind" is
+"browse", "config", "listen", "log", or "permissions".
+<dt>FileDevice Yes
+<dd style="margin-left: 5.0em"><dt>FileDevice No
+<dd style="margin-left: 5.0em"><br>
+Specifies whether the file pseudo-device can be used for new
+printer queues.
+<dt>FontPath directory[:directory:...]
+<dd style="margin-left: 5.0em"><br>
+Specifies the search path for fonts.
+<dt>Group group-name-or-number
+<dd style="margin-left: 5.0em"><br>
+Specifies the group name or ID that will be used when executing
+external programs.
+<dt>LogFilePerm mode
+<dd style="margin-left: 5.0em"><br>
+Specifies the permissions for all log files that the scheduler writes.
+<dt>PageLog filename
+<dd style="margin-left: 5.0em"><dt>PageLog syslog
+<dd style="margin-left: 5.0em"><br>
+Specifies the page log filename.
+<dt>Printcap
+<dd style="margin-left: 5.0em"><dt>Printcap filename
+<dd style="margin-left: 5.0em"><br>
+Specifies the filename for a printcap file that is updated
+automatically with a list of available printers (needed for
+legacy applications); specifying Printcap with no filename
+disables printcap generation.
+<dt>RemoteRoot user-name
+<dd style="margin-left: 5.0em"><br>
+Specifies the username that is associated with unauthenticated root
+accesses.
+<dt>RequestRoot directory
+<dd style="margin-left: 5.0em"><br>
+Specifies the directory to store print jobs and other HTTP request
+data.
+<dt>Sandboxing off
+<dd style="margin-left: 5.0em"><dt>Sandboxing relaxed
+<dd style="margin-left: 5.0em"><dt>Sandboxing strict
+<dd style="margin-left: 5.0em">Specifies the level of security sandboxing that is applied to print filters, backends, and other child processes of the scheduler. The default is "strict". (OS X only)
+<dt>ServerBin directory
+<dd style="margin-left: 5.0em"><br>
+Specifies the directory where backends, CGIs, daemons, and filters may
+be found.
+<dt>ServerKeychain path
+<dd style="margin-left: 5.0em"><br>
+Specifies the location of TLS certificates and private keys.
+<dt>ServerRoot directory
+<dd style="margin-left: 5.0em"><br>
+Specifies the directory where the server configuration files can be found.
+<dt>SyncOnClose Yes
+<dd style="margin-left: 5.0em"><dt>SyncOnClose No
+<dd style="margin-left: 5.0em">Specifies whether the scheduler calls <i>fsync(2)</i> after writing configuration
+or state files. The default is No.
+<dt>SystemGroup group-name [group-name ...]
+<dd style="margin-left: 5.0em"><br>
+Specifies the group(s) to use for System class authentication.
+<dt>TempDir directory
+<dd style="margin-left: 5.0em"><br>
+Specifies the directory where temporary files are stored.
+<dt>User user-name
+<dd style="margin-left: 5.0em"><br>
+Specifies the user name or ID that is used when running external programs.
 </dl>
 <h2 class="title"><a name="SEE_ALSO">See Also</a></h2>
-<a href="man-classes.conf.html?TOPIC=Man+Pages"><b>classes.conf</b>(5),</a>
-<a href="man-cups.html?TOPIC=Man+Pages"><b>cups</b>(1),</a>
-<a href="man-cupsd.html?TOPIC=Man+Pages"><b>cupsd</b>(8),</a>
-<a href="man-cupsd.conf.html?TOPIC=Man+Pages"><b>cupsd.conf</b>(5),</a>
-<a href="man-mime.convs.html?TOPIC=Man+Pages"><b>mime.convs</b>(5),</a>
-<a href="man-mime.types.html?TOPIC=Man+Pages"><b>mime.types</b>(5),</a>
-<a href="man-printers.conf.html?TOPIC=Man+Pages"><b>printers.conf</b>(5),</a>
-<a href="man-subscriptions.conf.html?TOPIC=Man+Pages"><b>subscriptions.conf</b>(5),</a>
-CUPS Online Help (<a href="http://localhost:631/help">http://localhost:631/help</a>)
+<i>classes.conf(5)</i>, <i>cupsd(8)</i>, <i>cupsd.conf(5)</i>, <i>mime.convs(5)</i>,
+<i>mime.types(5)</i>, <i>printers.conf(5)</i>,
+<i>subscriptions.conf(5)</i>,
+<br>
+<a href="http://localhost:631/help">http://localhost:631/help</a>
 <h2 class="title"><a name="COPYRIGHT">Copyright</a></h2>
-Copyright &copy; 2007-2014 by Apple Inc.
+Copyright 2007-2014 by Apple Inc.
 
 </body>
 </html>
diff --git a/doc/help/man-cupsd.conf.html b/doc/help/man-cupsd.conf.html
index c6c71fe626..bdc544a129 100644
--- a/doc/help/man-cupsd.conf.html
+++ b/doc/help/man-cupsd.conf.html
@@ -14,9 +14,7 @@ The
 <i>cupsd.conf</i>
 file configures the CUPS scheduler,
 <a href="man-cupsd.html?TOPIC=Man+Pages"><b>cupsd</b>(8).</a>
-It is normally located in the
-<i>/etc/cups</i>
-directory. <b>Note:</b> File, directory, and user configuration directives that used to be allowed in the <i>cupsd.conf</i> file are now stored in the <i>cups-files.conf(5)</i> instead in order to prevent certain types of privilege escalation attacks.
+It is normally located in the <i>/etc/cups</i> directory. <b>Note:</b> File, directory, and user configuration directives that used to be allowed in the <i>cupsd.conf</i> file are now stored in the <i>cups-files.conf(5)</i> instead in order to prevent certain types of privilege escalation attacks.
 <p>Each line in the file can be a configuration directive, a blank line, or a comment. Comment lines start with the # character. The configuration directives are intentionally similar to those used by the popular Apache web server software and are described below.
 <h2 class="title"><a name="TOP_LEVEL_DIRECTIVES">Top-level Directives</a></h2>
 The following directives are understood by
diff --git a/doc/help/man-cupsd.html b/doc/help/man-cupsd.html
index 1050d3a525..7f8242408b 100644
--- a/doc/help/man-cupsd.html
+++ b/doc/help/man-cupsd.html
@@ -11,20 +11,9 @@
 cupsd - cups scheduler
 <h2 class="title"><a name="SYNOPSIS">Synopsis</a></h2>
 <b>cupsd</b>
-[
-<b>-c</b>
+[ -c
 <i>config-file</i>
-] [ 
-<b>-f</b>
-] [
-<b>-F</b>
-] [
-<b>-h</b>
-] [
-<b>-l</b>
-] [
-<b>-t</b>
-]
+] [ -f ] [ -F ] [ -h ] [ -l ] [ -t ]
 <h2 class="title"><a name="DESCRIPTION">Description</a></h2>
 <b>cupsd</b>
 is the scheduler for CUPS. It implements a printing system based upon the Internet Printing Protocol, version 2.1. If no options are specified on the command-line then the default configuration file
@@ -32,83 +21,33 @@ is the scheduler for CUPS. It implements a printing system based upon the Intern
 will be used.
 <h2 class="title"><a name="OPTIONS">Options</a></h2>
 <dl class="man">
-<dt><b>-c</b><i> config-file</i>
+<dt>-c config-file
 <dd style="margin-left: 5.0em">Uses the named configuration file.
-<dt><b>-f</b>
+<dt>-f
 <dd style="margin-left: 5.0em">Run
 <b>cupsd</b>
 in the foreground; the default is to run in the background as a "daemon".
-<dt><b>-F</b>
+<dt>-F
 <dd style="margin-left: 5.0em">Run
 <b>cupsd</b>
 in the foreground but detach the process from the controlling terminal and current directory. This is useful for running
-<b>cupsd</b>
-from
-<b>init</b>(8).
-<dt><b>-h</b>
+<b>cupsd</b>from<b>init</b>(8).
+<dt>-h
 <dd style="margin-left: 5.0em">Shows the program usage.
-<dt><b>-l</b>
+<dt>-l
 <dd style="margin-left: 5.0em">This option is passed to
 <b>cupsd</b>
 when it is run from
-<b>launchd</b>(8)
-or
-<b>systemd</b>(8).
-<dt><b>-t</b>
+<b>launchd</b>(8).
+<dt>-t
 <dd style="margin-left: 5.0em">Test the configuration file for syntax errors.
 </dl>
-<h2 class="title"><a name="FILES">Files</a></h2>
-<pre class="man">
-<i>/etc/cups/classes.conf</i>
-<i>/etc/cups/cups-files.conf</i>
-<i>/etc/cups/cupsd.conf</i>
-<i>/usr/share/cups/mime/mime.convs</i>
-<i>/usr/share/cups/mime/mime.types</i>
-<i>/etc/cups/printers.conf</i>
-</pre>
-<h2 class="title"><a name="CONFORMING_TO">Conforming To</a></h2>
-<b>cupsd</b>
-implements all of the required IPP/2.1 attributes and operations. It also implements several CUPS-specific administrative operations.
-<h2 class="title"><a name="EXAMPLES">Examples</a></h2>
-Run
-<b>cupsd</b>
-in the background with the default configuration file:
-<pre class="man">
-
-    cupsd
-
-</pre>
-Test a configuration file called
-<i>test.conf</i>:
-<pre class="man">
-
-    cupsd -t -c test.conf
-
-</pre>
-Run
+<h2 class="title"><a name="COMPATIBILITY">Compatibility</a></h2>
 <b>cupsd</b>
-in the foreground with a test configuration file called
-<i>test.conf</i>:
-<pre class="man">
-
-    cupsd -f -c test.conf
-
-</pre>
+implements all of the required IPP/2.1 attributes and operations. It also implements several CUPS-specific administration operations.
 <h2 class="title"><a name="SEE_ALSO">See Also</a></h2>
-<a href="man-backend.html?TOPIC=Man+Pages"><b>backend</b>(7),</a>
-<a href="man-classes.conf.html?TOPIC=Man+Pages"><b>classes.conf</b>(5),</a>
-<a href="man-cups.html?TOPIC=Man+Pages"><b>cups</b>(1),</a>
-<b>cups-deviced</b>(8),
-<b>cups-driverd</b>(8),
-<a href="man-cups-lpd.html?TOPIC=Man+Pages"><b>cups-lpd</b>(8),</a>
-<a href="man-cupsd.conf.html?TOPIC=Man+Pages"><b>cupsd.conf</b>(5),</a>
-<a href="man-filter.html?TOPIC=Man+Pages"><b>filter</b>(7),</a>
-<b>launchd</b>(8),
-<a href="man-mime.convs.html?TOPIC=Man+Pages"><b>mime.convs</b>(5),</a>
-<a href="man-mime.types.html?TOPIC=Man+Pages"><b>mime.types</b>(5),</a>
-<a href="man-printers.conf.html?TOPIC=Man+Pages"><b>printers.conf</b>(5),</a>
-<b>systemd</b>(8),
-CUPS Online Help (<a href="http://localhost:631/help">http://localhost:631/help</a>)
+<a href="man-backend.html?TOPIC=Man+Pages"><b>backend</b>(7),</a><a href="man-classes.conf.html?TOPIC=Man+Pages"><b>classes.conf</b>(5),</a><b>cups-deviced</b>(8),<b>cups-driverd</b>(8),<a href="man-cups-lpd.html?TOPIC=Man+Pages"><b>cups-lpd</b>(8),</a><a href="man-cupsd.conf.html?TOPIC=Man+Pages"><b>cupsd.conf</b>(5),</a><a href="man-filter.html?TOPIC=Man+Pages"><b>filter</b>(7),</a><b>launchd</b>(8),<a href="man-mime.convs.html?TOPIC=Man+Pages"><b>mime.convs</b>(5),</a><a href="man-mime.types.html?TOPIC=Man+Pages"><b>mime.types</b>(5),</a><a href="man-printers.conf.html?TOPIC=Man+Pages"><b>printers.conf</b>(5),</a>
+<a href="http://localhost:631/help">http://localhost:631/help</a>
 <h2 class="title"><a name="COPYRIGHT">Copyright</a></h2>
 Copyright &copy; 2007-2014 by Apple Inc.
 
diff --git a/xcode/CUPS.xcodeproj/project.pbxproj b/xcode/CUPS.xcodeproj/project.pbxproj
index 786e240fd2..c198e99830 100644
--- a/xcode/CUPS.xcodeproj/project.pbxproj
+++ b/xcode/CUPS.xcodeproj/project.pbxproj
@@ -339,6 +339,21 @@
 		728FB7EE15361642005426E1 /* SystemConfiguration.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 278C58E8136B64B000836530 /* SystemConfiguration.framework */; };
 		728FB7F11536167A005426E1 /* libiconv.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 728FB7EF1536167A005426E1 /* libiconv.dylib */; };
 		728FB7F21536167A005426E1 /* libresolv.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 728FB7F01536167A005426E1 /* libresolv.dylib */; };
+		72BFD5FB191AF0A30005DA37 /* libcups_static.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 72A4332F155844CF002E172D /* libcups_static.a */; };
+		72BFD5FC191AF0A30005DA37 /* CoreFoundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 278C58E5136B64AF00836530 /* CoreFoundation.framework */; };
+		72BFD5FD191AF0A30005DA37 /* Kerberos.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 278C58E6136B64B000836530 /* Kerberos.framework */; };
+		72BFD5FE191AF0A30005DA37 /* libiconv.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 728FB7EF1536167A005426E1 /* libiconv.dylib */; };
+		72BFD5FF191AF0A30005DA37 /* libresolv.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 728FB7F01536167A005426E1 /* libresolv.dylib */; };
+		72BFD600191AF0A30005DA37 /* libz.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 728FB7EC1536161C005426E1 /* libz.dylib */; };
+		72BFD601191AF0A30005DA37 /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 278C58E7136B64B000836530 /* Security.framework */; };
+		72BFD602191AF1270005DA37 /* CoreFoundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 278C58E5136B64AF00836530 /* CoreFoundation.framework */; };
+		72BFD603191AF1270005DA37 /* GSS.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 72D53A2915B49110003F877F /* GSS.framework */; };
+		72BFD604191AF1270005DA37 /* Kerberos.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 278C58E6136B64B000836530 /* Kerberos.framework */; };
+		72BFD605191AF1270005DA37 /* libiconv.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 728FB7EF1536167A005426E1 /* libiconv.dylib */; };
+		72BFD606191AF1270005DA37 /* libresolv.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 728FB7F01536167A005426E1 /* libresolv.dylib */; };
+		72BFD607191AF1270005DA37 /* libz.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 728FB7EC1536161C005426E1 /* libz.dylib */; };
+		72BFD608191AF1270005DA37 /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 278C58E7136B64B000836530 /* Security.framework */; };
+		72BFD609191AF14C0005DA37 /* SystemConfiguration.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 278C58E8136B64B000836530 /* SystemConfiguration.framework */; };
 		72C16CB9137B195D007E4BF4 /* file.c in Sources */ = {isa = PBXBuildFile; fileRef = 72C16CB8137B195D007E4BF4 /* file.c */; };
 		72CEF95618A966E000FA9B81 /* libcups.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 72220EAE1333047D00FCA411 /* libcups.dylib */; };
 		72CF95E318A13543000FCAE4 /* dest-job.c in Sources */ = {isa = PBXBuildFile; fileRef = 72CF95E018A13543000FCAE4 /* dest-job.c */; };
@@ -1501,6 +1516,14 @@
 			isa = PBXFrameworksBuildPhase;
 			buildActionMask = 2147483647;
 			files = (
+				72BFD609191AF14C0005DA37 /* SystemConfiguration.framework in Frameworks */,
+				72BFD602191AF1270005DA37 /* CoreFoundation.framework in Frameworks */,
+				72BFD603191AF1270005DA37 /* GSS.framework in Frameworks */,
+				72BFD604191AF1270005DA37 /* Kerberos.framework in Frameworks */,
+				72BFD605191AF1270005DA37 /* libiconv.dylib in Frameworks */,
+				72BFD606191AF1270005DA37 /* libresolv.dylib in Frameworks */,
+				72BFD607191AF1270005DA37 /* libz.dylib in Frameworks */,
+				72BFD608191AF1270005DA37 /* Security.framework in Frameworks */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 		};
@@ -1577,6 +1600,13 @@
 			isa = PBXFrameworksBuildPhase;
 			buildActionMask = 2147483647;
 			files = (
+				72BFD5FB191AF0A30005DA37 /* libcups_static.a in Frameworks */,
+				72BFD5FC191AF0A30005DA37 /* CoreFoundation.framework in Frameworks */,
+				72BFD5FD191AF0A30005DA37 /* Kerberos.framework in Frameworks */,
+				72BFD5FE191AF0A30005DA37 /* libiconv.dylib in Frameworks */,
+				72BFD5FF191AF0A30005DA37 /* libresolv.dylib in Frameworks */,
+				72BFD600191AF0A30005DA37 /* libz.dylib in Frameworks */,
+				72BFD601191AF0A30005DA37 /* Security.framework in Frameworks */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 		};