From: msweet Date: Mon, 21 Apr 2014 12:23:56 +0000 (+0000) Subject: Save work. X-Git-Tag: v2.2b1~660 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9653cfdfbb4eacdf744f72ed168d4010b1dd9399;p=thirdparty%2Fcups.git Save work. git-svn-id: svn+ssh://src.apple.com/svn/cups/cups.org/trunk@11824 a1ca3aef-8c08-0410-bb20-df032aa958be --- diff --git a/cups/cups-private.h b/cups/cups-private.h index cd32e6f820..f4c075c565 100644 --- a/cups/cups-private.h +++ b/cups/cups-private.h @@ -166,9 +166,8 @@ typedef struct _cups_globals_s /**** CUPS global state data ****/ void *server_cert_data; /* Server certificate user data */ int server_version, /* Server IPP version */ - any_root, /* Allow any root */ - expired_certs, /* Allow expired certs */ - expired_root; /* Allow expired root */ + any_root, /* Allow any (e.g., self-signed) root */ + expired_certs; /* Allow expired certs */ /* util.c */ char def_printer[256]; diff --git a/cups/globals.c b/cups/globals.c index 41a5854cdc..724c961d86 100644 --- a/cups/globals.c +++ b/cups/globals.c @@ -218,7 +218,6 @@ cups_globals_alloc(void) cg->password_cb = (cups_password_cb2_t)_cupsGetPassword; cg->any_root = 1; cg->expired_certs = 1; - cg->expired_root = 1; #ifdef DEBUG /* diff --git a/cups/http-private.h b/cups/http-private.h index 5fdacd19cd..a3625b314c 100644 --- a/cups/http-private.h +++ b/cups/http-private.h @@ -94,6 +94,20 @@ typedef int socklen_t; # include # include # endif /* HAVE_SECCERTIFICATE_H */ +# ifdef HAVE_SECCERTIFICATEPRIV_H +# include +# else +# ifdef __cplusplus +extern "C" { +# endif /* __cplusplus */ +extern SecCertificateRef SecCertificateCreateWithBytes(CFAllocatorRef allocator, const UInt8 *bytes, CFIndex length); +extern bool SecCertificateIsValid(SecCertificateRef certificate, CFAbsoluteTime verifyTime); +extern CFAbsoluteTime SecCertificateNotValidAfter(SecCertificateRef certificate); +extern OSStatus SecCertificateIsSelfSigned(SecCertificateRef certRef, Boolean *isSelfSigned); +# ifdef __cplusplus +} +# endif /* __cplusplus */ +# endif /* HAVE_SECCERTIFICATEPRIV_H */ # ifdef HAVE_SECITEMPRIV_H # include # endif /* HAVE_SECITEMPRIV_H */ diff --git a/cups/testhttp.c b/cups/testhttp.c index 1a7b304433..5235a72fe8 100644 --- a/cups/testhttp.c +++ b/cups/testhttp.c @@ -620,6 +620,22 @@ main(int argc, /* I - Number of command-line arguments */ perror(hostname); continue; } + + if (httpIsEncrypted(http)) + { + cups_array_t *creds; + char info[1024]; + + if (!httpCopyCredentials(http, &creds)) + { + httpCredentialsString(creds, info, sizeof(info)); + httpFreeCredentials(creds); + printf("Credentials: \"%s\"\n", info); + } + else + puts("Credentials: Unknown"); + } + printf("Checking file \"%s\"...\n", resource); do diff --git a/cups/tls-darwin.c b/cups/tls-darwin.c index 71895b8241..c76ad2693c 100644 --- a/cups/tls-darwin.c +++ b/cups/tls-darwin.c @@ -368,6 +368,21 @@ httpCopyCredentials( } +/* + * 'http_cdsa_create_credential()' - Create a single credential in the internal format. + */ + +static SecCertificateRef /* O - Certificate */ +http_cdsa_create_credential( + http_credential_t *credential) /* I - Credential */ +{ + if (!credential) + return (NULL); + + return (SecCertificateCreateWithBytes(kCFAllocatorDefault, credential->data, (CFIndex)credential->datalen)); +} + + /* * '_httpCreateCredentials()' - Create credentials in the internal format. */ @@ -378,7 +393,6 @@ _httpCreateCredentials( { CFMutableArrayRef peerCerts; /* Peer credentials reference */ SecCertificateRef secCert; /* Certificate reference */ - CFDataRef data; /* Credential data reference */ http_credential_t *credential; /* Credential data */ @@ -394,16 +408,10 @@ _httpCreateCredentials( credential; credential = (http_credential_t *)cupsArrayNext(credentials)) { - if ((data = CFDataCreate(kCFAllocatorDefault, credential->data, (CFIndex)credential->datalen))) + if ((secCert = http_cdsa_create_credential(credential)) != NULL) { - if ((secCert = SecCertificateCreateWithData(kCFAllocatorDefault, data)) - != NULL) - { - CFArrayAppendValue(peerCerts, secCert); - CFRelease(secCert); - } - - CFRelease(data); + CFArrayAppendValue(peerCerts, secCert); + CFRelease(secCert); } } @@ -421,9 +429,24 @@ int /* O - 1 if trusted, 0 if not/unknown */ httpCredentialsAreTrusted( cups_array_t *credentials) /* I - Credentials */ { - (void)credentials; + SecCertificateRef secCert; /* Certificate reference */ + int trusted = 1; /* Trusted? */ + Boolean isSelfSigned; /* Is this certificate self-signed? */ + _cups_globals_t *cg = _cupsGlobals(); + /* Per-thread globals */ - return (0); + + if ((secCert = http_cdsa_create_credential((http_credential_t *)cupsArrayFirst(credentials))) == NULL) + return (0); + + if (!cg->expired_certs && !SecCertificateIsValid(secCert, CFAbsoluteTimeGetCurrent())) + trusted = 0; + else if (!cg->any_root && (SecCertificateIsSelfSigned(secCert, &isSelfSigned) != noErr || isSelfSigned)) + trusted = 0; + + CFRelease(secCert); + + return (trusted); } @@ -437,9 +460,18 @@ time_t /* O - Expiration date of credentials */ httpCredentialsGetExpiration( cups_array_t *credentials) /* I - Credentials */ { - (void)credentials; + SecCertificateRef secCert; /* Certificate reference */ + time_t expiration; /* Expiration date */ - return (0); + + if ((secCert = http_cdsa_create_credential((http_credential_t *)cupsArrayFirst(credentials))) == NULL) + return (0); + + expiration = (time_t)(SecCertificateNotValidAfter(secCert) - kCFAbsoluteTimeIntervalSince1970); + + CFRelease(secCert); + + return (expiration); } @@ -454,10 +486,47 @@ httpCredentialsIsValidName( cups_array_t *credentials, /* I - Credentials */ const char *common_name) /* I - Name to check */ { - (void)credentials; - (void)common_name; + SecCertificateRef secCert; /* Certificate reference */ + CFStringRef cfcommon_name; /* CF string for common name */ + CFStringRef cert_name = NULL; + /* Certificate's common name */ + int valid = 1; /* Valid name? */ - return (0); + + if ((secCert = http_cdsa_create_credential((http_credential_t *)cupsArrayFirst(credentials))) == NULL) + return (0); + + /* + * Compare the common names... + */ + + cfcommon_name = CFStringCreateWithCString(kCFAllocatorDefault, common_name, kCFStringEncodingUTF8); + + if (SecCertificateCopyCommonName(secCert, &cert_name) != noErr) + { + /* + * Can't get common name, cannot be valid... + */ + + valid = 0; + } + else if (CFStringCompare(cfcommon_name, cert_name, kCFCompareCaseInsensitive)) + { + /* + * Not the common name, check whether the certificate is saved in the keychain... + */ + + /* TODO: Pull certificate from the keychain using label */ + } + + CFRelease(cfcommon_name); + + if (cert_name) + CFRelease(cert_name); + + CFRelease(secCert); + + return (valid); } @@ -473,12 +542,29 @@ httpCredentialsString( char *buffer, /* I - Buffer or @code NULL@ */ size_t bufsize) /* I - Size of buffer */ { - (void)credentials; + SecCertificateRef secCert; /* Certificate reference */ + CFStringRef summary; /* CF string for summary */ + + + if (!buffer) + return (0); if (buffer && bufsize > 0) *buffer = '\0'; - return (1); + /* TODO: This needs to include a hash of the credentials */ + if ((secCert = http_cdsa_create_credential((http_credential_t *)cupsArrayFirst(credentials))) != NULL) + { + if ((summary = SecCertificateCopySubjectSummary(secCert)) != NULL) + { + CFStringGetCString(summary, buffer, (CFIndex)bufsize, kCFStringEncodingUTF8); + CFRelease(summary); + } + + CFRelease(secCert); + } + + return (strlen(buffer)); } diff --git a/cups/usersys.c b/cups/usersys.c index 4a644b96fa..aa4127c7e0 100644 --- a/cups/usersys.c +++ b/cups/usersys.c @@ -51,7 +51,6 @@ static void cups_read_client_conf(cups_file_t *fp, const char *cups_gssservicename, #endif /* HAVE_GSSAPI */ const char *cups_anyroot, - const char *cups_expiredroot, const char *cups_expiredcerts); @@ -831,7 +830,6 @@ _cupsSetDefaults(void) *cups_gssservicename, /* CUPS_GSSSERVICENAME env var */ #endif /* HAVE_GSSAPI */ *cups_anyroot, /* CUPS_ANYROOT env var */ - *cups_expiredroot, /* CUPS_EXPIREDROOT env var */ *cups_expiredcerts; /* CUPS_EXPIREDCERTS env var */ char filename[1024]; /* Filename */ _cups_globals_t *cg = _cupsGlobals(); /* Pointer to library globals */ @@ -849,7 +847,6 @@ _cupsSetDefaults(void) cups_gssservicename = getenv("CUPS_GSSSERVICENAME"); #endif /* HAVE_GSSAPI */ cups_anyroot = getenv("CUPS_ANYROOT"); - cups_expiredroot = getenv("CUPS_EXPIREDROOT"); cups_expiredcerts = getenv("CUPS_EXPIREDCERTS"); if ((cups_user = getenv("CUPS_USER")) == NULL) @@ -919,8 +916,7 @@ _cupsSetDefaults(void) #ifdef HAVE_GSSAPI cups_gssservicename, #endif /* HAVE_GSSAPI */ - cups_anyroot, cups_expiredroot, - cups_expiredcerts); + cups_anyroot, cups_expiredcerts); cupsFileClose(fp); } } @@ -942,7 +938,6 @@ cups_read_client_conf( /* I - CUPS_GSSSERVICENAME env var */ #endif /* HAVE_GSSAPI */ const char *cups_anyroot, /* I - CUPS_ANYROOT env var */ - const char *cups_expiredroot, /* I - CUPS_EXPIREDROOT env var */ const char *cups_expiredcerts) /* I - CUPS_EXPIREDCERTS env var */ { int linenum; /* Current line number */ @@ -954,7 +949,6 @@ cups_read_client_conf( #endif /* !__APPLE__ */ user[256], /* User value */ any_root[1024], /* AllowAnyRoot value */ - expired_root[1024], /* AllowExpiredRoot value */ expired_certs[1024]; /* AllowExpiredCerts value */ #ifdef HAVE_GSSAPI char gss_service_name[32]; /* GSSServiceName value */ @@ -996,12 +990,6 @@ cups_read_client_conf( strlcpy(any_root, value, sizeof(any_root)); cups_anyroot = any_root; } - else if (!cups_expiredroot && !_cups_strcasecmp(line, "AllowExpiredRoot") && - value) - { - strlcpy(expired_root, value, sizeof(expired_root)); - cups_expiredroot = expired_root; - } else if (!cups_expiredcerts && !_cups_strcasecmp(line, "AllowExpiredCerts") && value) { @@ -1126,11 +1114,6 @@ cups_read_client_conf( !_cups_strcasecmp(cups_anyroot, "on") || !_cups_strcasecmp(cups_anyroot, "true"); - if (cups_expiredroot) - cg->expired_root = !_cups_strcasecmp(cups_expiredroot, "yes") || - !_cups_strcasecmp(cups_expiredroot, "on") || - !_cups_strcasecmp(cups_expiredroot, "true"); - if (cups_expiredcerts) cg->expired_certs = !_cups_strcasecmp(cups_expiredcerts, "yes") || !_cups_strcasecmp(cups_expiredcerts, "on") ||