From: Michael Sweet Date: Thu, 25 Aug 2016 13:36:52 +0000 (-0400) Subject: Set cupsLastErrorString in httpCredentialsGetTrust, and show the result in the X-Git-Tag: v2.2.0~10 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e5aa186c437eb72dda3b323c2ea79500f1ce93c6;p=thirdparty%2Fcups.git Set cupsLastErrorString in httpCredentialsGetTrust, and show the result in the IPP backend.
---
diff --git a/backend/ipp.c b/backend/ipp.c
index b42b0dff1a..67383c71c4 100644
--- a/backend/ipp.c
+++ b/backend/ipp.c
@@ -848,7 +848,7 @@ main(int argc, /* I - Number of command-line args */
 trust = httpCredentialsGetTrust(creds, hostname);
 httpCredentialsString(creds, credinfo, sizeof(credinfo));
- fprintf(stderr, "DEBUG: %s\n", trust_msgs[trust]);
+ fprintf(stderr, "DEBUG: %s (%s)\n", trust_msgs[trust], cupsLastErrorString());
 fprintf(stderr, "DEBUG: Printer credentials: %s\n", credinfo);
 if (!httpLoadCredentials(NULL, &lcreds, hostname))
diff --git a/cups/tls-gnutls.c b/cups/tls-gnutls.c
index 23e3a8bc2b..70515f20e7 100644
--- a/cups/tls-gnutls.c
+++ b/cups/tls-gnutls.c
@@ -435,10 +435,16 @@ httpCredentialsGetTrust(
 if (!common_name)
+ {
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("No common name specified."), 1);
 return (HTTP_TRUST_UNKNOWN);
+ }
 if ((cert = http_gnutls_create_credential((http_credential_t *)cupsArrayFirst(credentials))) == NULL)
+ {
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Unable to create credentials from array."), 1);
 return (HTTP_TRUST_UNKNOWN);
+ }
 if (cg->any_root < 0)
 {
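Review bot: The new `cupsLastErrorString()` argument in backend/ipp.c is printed for every trust result, but the httpCredentialsGetTrust paths shown in this commit call `_cupsSetError` only when they return something other than HTTP_TRUST_OK. On a successful check the parenthesised text is therefore whatever an earlier call left behind, and it may be a null pointer if nothing has set an error on this thread yet (worth confirming against cupsLastErrorString's contract), which is not a valid `%s` argument. Printing the reason only for failures avoids both: `if (trust != HTTP_TRUST_OK) fprintf(stderr, "DEBUG: %s (%s)\n", trust_msgs[trust], cupsLastErrorString()); else fprintf(stderr, "DEBUG: %s\n", trust_msgs[trust]);`. Only tls-gnutls.c is updated on this page, so with another TLS implementation the text may be stale for failures as well; main's body continues outside the hunk.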
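Review bot: httpCredentialsGetTrust gains a caller-visible side effect in cups/tls-gnutls.c that this hunk does not document: each early return now replaces the thread's last error through `_cupsSetError`. The function's header comment lies outside the hunk, so I cannot see whether it mentions this; if it does not, it should carry a line such as `* On any result other than HTTP_TRUST_OK the reason can be read with cupsLastErrorString(); an OK result leaves the last error unchanged.` Every reason is reported as IPP_STATUS_ERROR_INTERNAL, including the missing `common_name` argument, so callers can tell the cases apart only by the localized message text, which is worth stating there too.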
@@ -473,15 +479,28 @@ httpCredentialsGetTrust(
 * Do not trust certificates on first use...
 */
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Trust on first use is disabled."), 1);
+
 trust = HTTP_TRUST_INVALID;
 }
- else if (httpCredentialsGetExpiration(credentials) <= httpCredentialsGetExpiration(tcreds) || !httpCredentialsAreValidForName(credentials, common_name))
+ else if (httpCredentialsGetExpiration(credentials) <= httpCredentialsGetExpiration(tcreds))
 {
 /*
- * Either the new credentials are not newly issued, or the common name
- * does not match the issued certificate...
+ * The new credentials are not newly issued...
 */
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("New credentials are older than stored credentials."), 1);
+
+ trust = HTTP_TRUST_INVALID;
+ }
+ else if (!httpCredentialsAreValidForName(credentials, common_name))
+ {
+ /*
+ * The common name does not match the issued certificate...
+ */
+
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("New credentials are not valid for name."), 1);
+
 trust = HTTP_TRUST_INVALID;
 }
 else if (httpCredentialsGetExpiration(tcreds) < time(NULL))
@@ -499,7 +518,10 @@ httpCredentialsGetTrust(
 httpFreeCredentials(tcreds);
 }
 else if (cg->validate_certs && !httpCredentialsAreValidForName(credentials, common_name))
+ {
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("No stored credentials, not valid for name."), 1);
 trust = HTTP_TRUST_INVALID;
+ }
 if (trust == HTTP_TRUST_OK && !cg->expired_certs)
 {
@@ -508,11 +530,17 @@ httpCredentialsGetTrust(
 time(&curtime);
 if (curtime < gnutls_x509_crt_get_activation_time(cert) || curtime > gnutls_x509_crt_get_expiration_time(cert))
+ {
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Credentials have expired."), 1);
 trust = HTTP_TRUST_EXPIRED;
+ }
 }
 if (trust == HTTP_TRUST_OK && !cg->any_root && cupsArrayCount(credentials) == 1)
+ {
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Self-signed credentials are blocked."), 1);
 trust = HTTP_TRUST_INVALID;
+ }
 gnutls_x509_crt_deinit(cert);
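Review bot: The message added to the first split branch says the new credentials are older, but the test is `httpCredentialsGetExpiration(credentials) <= httpCredentialsGetExpiration(tcreds)`, so credentials with the same expiration date as the stored ones are rejected with a reason that is not true. This appears to be the branch taken when the presented credentials differ from the stored ones (the enclosing condition is outside the hunk), which is when an operator most needs an accurate log line to tell a routine renewal from an unexpected certificate change. I would word it to match the test, e.g. `_("New credentials do not expire later than stored credentials.")`.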
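Review bot: `_("Credentials have expired.")` is set for both halves of the validity test in the last hunk, so a certificate whose activation time is still in the future (`curtime < gnutls_x509_crt_get_activation_time(cert)`) is reported as expired. That points whoever reads the log at renewal when the likelier causes are a wrong client clock or a certificate deployed early. Either split the condition or use wording that covers both, e.g. `_("Credentials are not yet valid or have expired.")`. The same hunk labels the `cupsArrayCount(credentials) == 1` case as self-signed although the visible test only establishes that a single certificate was presented, so a message such as `_("Credentials with a single certificate are blocked.")` would claim no more than the code checks. The function starts and ends outside the hunk.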