From: Michael R Sweet Date: Wed, 30 Mar 2022 18:31:22 +0000 (-0400) Subject: Fix bug in tlscheck utility - wasn't retrying connections and used "host" X-Git-Tag: v2.4.2~29^2~8 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ced0509504dc2e1b63f78830083d9a20e13cbdaf;p=thirdparty%2Fcups.git Fix bug in tlscheck utility - wasn't retrying connections and used "host" instead of "server" when constructing the printer URI. Continue OpenSSL implementations of http_create_credentials, httpCopyCredentials, and httpCredentialString. --- diff --git a/cups/tls-openssl.c b/cups/tls-openssl.c index 45bc9cde45..bf8b418472 100644 --- a/cups/tls-openssl.c +++ b/cups/tls-openssl.c @@ -342,9 +342,8 @@ httpCopyCredentials( http_t *http, // I - Connection to server cups_array_t **credentials) // O - Array of credentials { -#if 0 - unsigned count; // Number of certificates - const openssl_datum_t *certs; // Certificates + // TODO: Switch to SSL_get_peer_cert_chain to get all of the certificates + X509 *cert; // Certificate DEBUG_printf(("httpCopyCredentials(http=%p, credentials=%p)", http, credentials)); @@ -356,24 +355,30 @@ httpCopyCredentials( return (-1); *credentials = cupsArrayNew(NULL, NULL); - certs = openssl_certificate_get_peers(http->tls, &count); + cert = SSL_get_peer_certificate(http->tls); - DEBUG_printf(("1httpCopyCredentials: certs=%p, count=%u", certs, count)); + DEBUG_printf(("1httpCopyCredentials: cert=%p", cert)); - if (certs && count) + if (cert) { - while (count > 0) + BIO *bio = BIO_new(BIO_s_mem()); // Memory buffer for cert + + if (bio) { - httpAddCredential(*credentials, certs->data, certs->size); - certs ++; - count --; + long bytes; // Number of bytes + char *buffer; // Pointer to bytes + + if (PEM_write_bio_X509(bio, cert)) + { + bytes = BIO_get_mem_data(bio, &buffer); + httpAddCredential(*credentials, buffer, (int)bytes); + } + + BIO_free(bio); } } return (0); -#else - return (-1); -#endif // 0 } 
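Review bot: `cert = SSL_get_peer_certificate(http->tls);` in httpCopyCredentials hands back a reference the caller owns (OpenSSL bumps the X509 refcount on this call), and nothing in the new code releases it, so every successful call — and the `BIO_new`/`PEM_write_bio_X509` failure paths alike — leaks one X509 per connection inspected; add `X509_free(cert);` after the `if (bio) { ... }` block (OpenSSL's X509_free accepts NULL, so it can also sit unconditionally just before `return (0);`). `BIO_get_mem_data` returns a long, and the `(int)bytes` narrowing is harmless for a PEM certificate, but a `if (bytes > 0)` guard before `httpAddCredential` would keep a zero-length write-out from adding an empty credential. As the TODO already notes, only the leaf is copied, so callers that validate a chain from these credentials see a single certificate until `SSL_get_peer_cert_chain` is used; worth a one-line comment at the `httpAddCredential` call until then. httpCopyCredentials's signature and early returns sit in the preceding hunk, outside this one.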
@@ -697,27 +702,63 @@ httpCredentialsString( if (bufsize > 0) *buffer = '\0'; - if ((first = (http_credential_t *)cupsArrayFirst(credentials)) != NULL && (cert = http_create_credential(first)) != NULL) + first = (http_credential_t *)cupsArrayFirst(credentials); + cert = http_create_credential(first); + + if (cert) { char name[256], // Common name associated with cert issuer[256]; // Issuer associated with cert - time_t expiration; // Expiration date of cert -// struct tm exptm; // Expiration date/time of cert - int sigalg; // Signature algorithm + unsigned char *expiration; // Expiration date of cert + const char *sigalg; // Signature algorithm unsigned char md5_digest[16]; // MD5 result - X509_NAME_oneline(X509_get_subject_name(cert), name, sizeof(name)); - X509_NAME_oneline(X509_get_issuer_name(cert), issuer, sizeof(issuer)); + X509_NAME_get_text_by_NID(X509_get_subject_name(cert), NID_commonName, name, sizeof(name)); + X509_NAME_get_text_by_NID(X509_get_issuer_name(cert), NID_commonName, issuer, sizeof(issuer)); + ASN1_STRING_to_UTF8(&expiration, X509_get0_notAfter(cert)); -// ASN1_TIME_to_tm(X509_get0_notAfter(cert), &exptm); -// expiration = mktime(&exptm); - expiration = 0; - sigalg = X509_get_signature_nid(cert); + switch (X509_get_signature_nid(cert)) + { + case NID_ecdsa_with_SHA1 : + sigalg = "SHA1WithECDSAEncryption"; + break; + case NID_ecdsa_with_SHA224 : + sigalg = "SHA224WithECDSAEncryption"; + break; + case NID_ecdsa_with_SHA256 : + sigalg = "SHA256WithECDSAEncryption"; + break; + case NID_ecdsa_with_SHA384 : + sigalg = "SHA384WithECDSAEncryption"; + break; + case NID_ecdsa_with_SHA512 : + sigalg = "SHA512WithECDSAEncryption"; + break; + case NID_sha1WithRSAEncryption : + sigalg = "SHA1WithRSAEncryption"; + break; + case NID_sha224WithRSAEncryption : + sigalg = "SHA224WithRSAEncryption"; + break; + case NID_sha256WithRSAEncryption : + sigalg = "SHA256WithRSAEncryption"; + break; + case NID_sha384WithRSAEncryption : + sigalg = 
"SHA384WithRSAEncryption"; + break; + case NID_sha512WithRSAEncryption : + sigalg = "SHA512WithRSAEncryption"; + break; + default : + sigalg = "Unknown"; + break; + } cupsHashData("md5", first->data, first->datalen, md5_digest, sizeof(md5_digest)); - snprintf(buffer, bufsize, "%s (issued by %s) / %s / sig(%d) / %02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X", name, issuer, httpGetDateString(expiration), sigalg, md5_digest[0], md5_digest[1], md5_digest[2], md5_digest[3], md5_digest[4], md5_digest[5], md5_digest[6], md5_digest[7], md5_digest[8], md5_digest[9], md5_digest[10], md5_digest[11], md5_digest[12], md5_digest[13], md5_digest[14], md5_digest[15]); + snprintf(buffer, bufsize, "%s (issued by %s) / %s / %s / %02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X", name, issuer, (char *)expiration, sigalg, md5_digest[0], md5_digest[1], md5_digest[2], md5_digest[3], md5_digest[4], md5_digest[5], md5_digest[6], md5_digest[7], md5_digest[8], md5_digest[9], md5_digest[10], md5_digest[11], md5_digest[12], md5_digest[13], md5_digest[14], md5_digest[15]); + OPENSSL_free(expiration); X509_free(cert); } @@ -1379,6 +1420,8 @@ http_create_credential( BIO *bio; // Basic I/O for string + if (!credential) + return (NULL); if ((bio = BIO_new_mem_buf(credential->data, credential->datalen)) == NULL) return (NULL); diff --git a/cups/tlscheck.c b/cups/tlscheck.c index 7b42903d45..5e49467b94 100644 --- a/cups/tlscheck.c +++ b/cups/tlscheck.c @@ -166,7 +166,12 @@ main(int argc, /* I - Number of command-line arguments */ _httpTLSSetOptions(tls_options, tls_min_version, tls_max_version); - http = httpConnect2(server, port, NULL, af, HTTP_ENCRYPTION_ALWAYS, 1, 30000, NULL); + for (i = 0; i < 10; i ++) + { + if ((http = httpConnect2(server, port, NULL, af, HTTP_ENCRYPTION_ALWAYS, 1, 30000, NULL)) != NULL) + break; + } + if (!http) { printf("%s: ERROR (%s)\n", server, cupsLastErrorString()); 
@@ -179,7 +184,8 @@ main(int argc, /* I - Number of command-line arguments */ } else { - httpCredentialsString(creds, creds_str, sizeof(creds_str)); + if (!httpCredentialsString(creds, creds_str, sizeof(creds_str))) + strlcpy(creds_str, "Unable to convert X.509 credential to string.", sizeof(creds_str)); httpFreeCredentials(creds); } @@ -756,7 +762,7 @@ main(int argc, /* I - Number of command-line arguments */ if (verbose) { - httpAssembleURI(HTTP_URI_CODING_ALL, uri, sizeof(uri), "ipps", NULL, host, port, resource); + httpAssembleURI(HTTP_URI_CODING_ALL, uri, sizeof(uri), "ipps", NULL, server, port, resource); request = ippNewRequest(IPP_OP_GET_PRINTER_ATTRIBUTES); ippAddString(request, IPP_TAG_OPERATION, IPP_TAG_URI, "printer-uri", NULL, uri); ippAddString(request, IPP_TAG_OPERATION, IPP_TAG_NAME, "requesting-user-name", NULL, cupsUser());