int /* O - 0 on success, -1 on error */
cupsDoAuthentication(
http_t *http, /* I - Connection to server or @code CUPS_HTTP_DEFAULT@ */
const char *method, /* I - Request method ("GET", "POST", "PUT") */
const char *resource) /* I - Resource path */
{
const char *password, /* Password string */
*www_auth; /* WWW-Authenticate header */
char prompt[1024], /* Prompt for user */
realm[HTTP_MAX_VALUE], /* realm="xyz" string */
nonce[HTTP_MAX_VALUE]; /* nonce="xyz" string */
int localauth; /* Local authentication result */
_cups_globals_t *cg; /* Global data */
DEBUG_printf(("cupsDoAuthentication(http=%p, method=\"%s\", resource=\"%s\")",
http, method, resource));
if (!http)
http = _cupsConnect();
if (!http || !method || !resource)
return (-1);
DEBUG_printf(("2cupsDoAuthentication: digest_tries=%d, userpass=\"%s\"",
http->digest_tries, http->userpass));
DEBUG_printf(("2cupsDoAuthentication: WWW-Authenticate=\"%s\"",
httpGetField(http, HTTP_FIELD_WWW_AUTHENTICATE)));
/*
* Clear the current authentication string...
*/
httpSetAuthString(http, NULL, NULL);
/*
* See if we can do local authentication...
*/
if (http->digest_tries < 3)
{
if ((localauth = cups_local_auth(http)) == 0)
{
DEBUG_printf(("2cupsDoAuthentication: authstring=\"%s\"",
http->authstring));
if (http->status == HTTP_STATUS_UNAUTHORIZED)
http->digest_tries ++;
return (0);
}
else if (localauth == -1)
{
http->status = HTTP_STATUS_CUPS_AUTHORIZATION_CANCELED;
return (-1); /* Error or canceled */
}
}
/*
* Nope, see if we should retry the current username:password...
*/
www_auth = http->fields[HTTP_FIELD_WWW_AUTHENTICATE];
if ((http->digest_tries > 1 || !http->userpass[0]) &&
(!_cups_strncasecmp(www_auth, "Basic", 5) ||
!_cups_strncasecmp(www_auth, "Digest", 6)))
{
/*
* Nope - get a new password from the user...
*/
char default_username[HTTP_MAX_VALUE];
/* Default username */
cg = _cupsGlobals();
if (!cg->lang_default)
cg->lang_default = cupsLangDefault();
if (httpGetSubField(http, HTTP_FIELD_WWW_AUTHENTICATE, "username",
default_username))
cupsSetUser(default_username);
snprintf(prompt, sizeof(prompt),
_cupsLangString(cg->lang_default, _("Password for %s on %s? ")),
cupsUser(),
http->hostname[0] == '/' ? "localhost" : http->hostname);
http->digest_tries = _cups_strncasecmp(www_auth, "Digest", 6) != 0;
http->userpass[0] = '\0';
if ((password = cupsGetPassword2(prompt, http, method, resource)) == NULL)
{
http->status = HTTP_STATUS_CUPS_AUTHORIZATION_CANCELED;
return (-1);
}
snprintf(http->userpass, sizeof(http->userpass), "%s:%s", cupsUser(),
password);
}
else if (http->status == HTTP_STATUS_UNAUTHORIZED)
http->digest_tries ++;
if (http->status == HTTP_STATUS_UNAUTHORIZED && http->digest_tries >= 3)
{
DEBUG_printf(("1cupsDoAuthentication: Too many authentication tries (%d)",
http->digest_tries));
http->status = HTTP_STATUS_CUPS_AUTHORIZATION_CANCELED;
return (-1);
}
/*
* Got a password; encode it for the server...
*/
#ifdef HAVE_GSSAPI
if (!_cups_strncasecmp(www_auth, "Negotiate", 9))
{
/*
* Kerberos authentication...
*/
if (_cupsSetNegotiateAuthString(http, method, resource))
{
http->status = HTTP_STATUS_CUPS_AUTHORIZATION_CANCELED;
return (-1);
}
}
else
#endif /* HAVE_GSSAPI */
if (!_cups_strncasecmp(www_auth, "Basic", 5))
{
/*
* Basic authentication...
*/
char encode[256]; /* Base64 buffer */
httpEncode64_2(encode, sizeof(encode), http->userpass,
(int)strlen(http->userpass));
httpSetAuthString(http, "Basic", encode);
}
else if (!_cups_strncasecmp(www_auth, "Digest", 6))
{
/*
* Digest authentication...
*/
char encode[33], /* MD5 buffer */
digest[1024]; /* Digest auth data */
httpGetSubField(http, HTTP_FIELD_WWW_AUTHENTICATE, "realm", realm);
httpGetSubField(http, HTTP_FIELD_WWW_AUTHENTICATE, "nonce", nonce);
httpMD5(cupsUser(), realm, strchr(http->userpass, ':') + 1, encode);
httpMD5Final(nonce, method, resource, encode);
snprintf(digest, sizeof(digest),
"username=\"%s\", realm=\"%s\", nonce=\"%s\", uri=\"%s\", "
"response=\"%s\"", cupsUser(), realm, nonce, resource, encode);
httpSetAuthString(http, "Digest", digest);
}
else
{
DEBUG_printf(("1cupsDoAuthentication: Unknown auth type: \"%s\"",
www_auth));
http->status = HTTP_STATUS_CUPS_AUTHORIZATION_CANCELED;
return (-1);
}
DEBUG_printf(("1cupsDoAuthentication: authstring=\"%s\"", http->authstring));
return (0);
}
http_status_t /* O - HTTP status */
cupsGetFd(http_t *http, /* I - Connection to server or @code CUPS_HTTP_DEFAULT@ */
const char *resource, /* I - Resource name */
int fd) /* I - File descriptor */
{
ssize_t bytes; /* Number of bytes read */
char buffer[8192]; /* Buffer for file */
http_status_t status; /* HTTP status from server */
char if_modified_since[HTTP_MAX_VALUE];
/* If-Modified-Since header */
int new_auth = 0; /* Using new auth information? */
int digest; /* Are we using Digest authentication? */
/*
* Range check input...
*/
DEBUG_printf(("cupsGetFd(http=%p, resource=\"%s\", fd=%d)", (void *)http, resource, fd));
if (!resource || fd < 0)
{
if (http)
http->error = EINVAL;
return (HTTP_STATUS_ERROR);
}
if (!http)
if ((http = _cupsConnect()) == NULL)
return (HTTP_STATUS_SERVICE_UNAVAILABLE);
/*
* Then send GET requests to the HTTP server...
*/
strlcpy(if_modified_since, httpGetField(http, HTTP_FIELD_IF_MODIFIED_SINCE),
sizeof(if_modified_since));
do
{
if (!_cups_strcasecmp(httpGetField(http, HTTP_FIELD_CONNECTION), "close"))
{
httpClearFields(http);
if (httpReconnect2(http, 30000, NULL))
{
status = HTTP_STATUS_ERROR;
break;
}
}
httpClearFields(http);
httpSetField(http, HTTP_FIELD_IF_MODIFIED_SINCE, if_modified_since);
digest = http->authstring && !strncmp(http->authstring, "Digest ", 7);
if (digest && !new_auth)
{
/*
* Update the Digest authentication string...
*/
_httpSetDigestAuthString(http, http->nextnonce, "GET", resource);
}
#ifdef HAVE_GSSAPI
if (http->authstring && !strncmp(http->authstring, "Negotiate", 9) && !new_auth)
{
/*
* Do not use cached Kerberos credentials since they will look like a
* "replay" attack...
*/
_cupsSetNegotiateAuthString(http, "GET", resource);
}
#endif /* HAVE_GSSAPI */
httpSetField(http, HTTP_FIELD_AUTHORIZATION, http->authstring);
if (httpGet(http, resource))
{
if (httpReconnect2(http, 30000, NULL))
{
status = HTTP_STATUS_ERROR;
break;
}
else
{
status = HTTP_STATUS_UNAUTHORIZED;
continue;
}
}
new_auth = 0;
while ((status = httpUpdate(http)) == HTTP_STATUS_CONTINUE);
if (status == HTTP_STATUS_UNAUTHORIZED)
{
/*
* Flush any error message...
*/
httpFlush(http);
/*
* See if we can do authentication...
*/
new_auth = 1;
if (cupsDoAuthentication(http, "GET", resource))
{
status = HTTP_STATUS_CUPS_AUTHORIZATION_CANCELED;
break;
}
if (httpReconnect2(http, 30000, NULL))
{
status = HTTP_STATUS_ERROR;
break;
}
continue;
}
#ifdef HAVE_SSL
else if (status == HTTP_STATUS_UPGRADE_REQUIRED)
{
/* Flush any error message... */
httpFlush(http);
/* Reconnect... */
if (httpReconnect2(http, 30000, NULL))
{
status = HTTP_STATUS_ERROR;
break;
}
/* Upgrade with encryption... */
httpEncryption(http, HTTP_ENCRYPTION_REQUIRED);
/* Try again, this time with encryption enabled... */
continue;
}
#endif /* HAVE_SSL */
}
while (status == HTTP_STATUS_UNAUTHORIZED || status == HTTP_STATUS_UPGRADE_REQUIRED);
/*
* See if we actually got the file or an error...
*/
if (status == HTTP_STATUS_OK)
{
/*
* Yes, copy the file...
*/
while ((bytes = httpRead2(http, buffer, sizeof(buffer))) > 0)
write(fd, buffer, (size_t)bytes);
}
else
{
_cupsSetHTTPError(status);
httpFlush(http);
}
/*
* Return the request status...
*/
DEBUG_printf(("1cupsGetFd: Returning %d...", status));
return (status);
}
http_status_t /* O - Initial HTTP status */
cupsSendRequest(http_t *http, /* I - Connection to server or @code CUPS_HTTP_DEFAULT@ */
ipp_t *request, /* I - IPP request */
const char *resource, /* I - Resource path */
size_t length) /* I - Length of data to follow or @code CUPS_LENGTH_VARIABLE@ */
{
http_status_t status; /* Status of HTTP request */
int got_status; /* Did we get the status? */
ipp_state_t state; /* State of IPP processing */
http_status_t expect; /* Expect: header to use */
DEBUG_printf(("cupsSendRequest(http=%p, request=%p(%s), resource=\"%s\", "
"length=" CUPS_LLFMT ")", http, request,
request ? ippOpString(request->request.op.operation_id) : "?",
resource, CUPS_LLCAST length));
/*
* Range check input...
*/
if (!request || !resource)
{
_cupsSetError(IPP_STATUS_ERROR_INTERNAL, strerror(EINVAL), 0);
return (HTTP_STATUS_ERROR);
}
/*
* Get the default connection as needed...
*/
if (!http)
if ((http = _cupsConnect()) == NULL)
return (HTTP_STATUS_SERVICE_UNAVAILABLE);
/*
* If the prior request was not flushed out, do so now...
*/
if (http->state == HTTP_STATE_GET_SEND ||
http->state == HTTP_STATE_POST_SEND)
{
DEBUG_puts("2cupsSendRequest: Flush prior response.");
httpFlush(http);
}
else if (http->state != HTTP_STATE_WAITING)
{
DEBUG_printf(("1cupsSendRequest: Unknown HTTP state (%d), "
"reconnecting.", http->state));
if (httpReconnect2(http, 30000, NULL))
return (HTTP_STATUS_ERROR);
}
#ifdef HAVE_SSL
/*
* See if we have an auth-info attribute and are communicating over
* a non-local link. If so, encrypt the link so that we can pass
* the authentication information securely...
*/
if (ippFindAttribute(request, "auth-info", IPP_TAG_TEXT) &&
!httpAddrLocalhost(http->hostaddr) && !http->tls &&
httpEncryption(http, HTTP_ENCRYPTION_REQUIRED))
{
DEBUG_puts("1cupsSendRequest: Unable to encrypt connection.");
return (HTTP_STATUS_SERVICE_UNAVAILABLE);
}
#endif /* HAVE_SSL */
/*
* Reconnect if the last response had a "Connection: close"...
*/
if (!_cups_strcasecmp(http->fields[HTTP_FIELD_CONNECTION], "close"))
{
DEBUG_puts("2cupsSendRequest: Connection: close");
httpClearFields(http);
if (httpReconnect2(http, 30000, NULL))
{
DEBUG_puts("1cupsSendRequest: Unable to reconnect.");
return (HTTP_STATUS_SERVICE_UNAVAILABLE);
}
}
/*
* Loop until we can send the request without authorization problems.
*/
expect = HTTP_STATUS_CONTINUE;
for (;;)
{
DEBUG_puts("2cupsSendRequest: Setup...");
/*
* Setup the HTTP variables needed...
*/
httpClearFields(http);
httpSetExpect(http, expect);
httpSetField(http, HTTP_FIELD_CONTENT_TYPE, "application/ipp");
httpSetLength(http, length);
#ifdef HAVE_GSSAPI
if (http->authstring && !strncmp(http->authstring, "Negotiate", 9))
{
/*
* Do not use cached Kerberos credentials since they will look like a
* "replay" attack...
*/
_cupsSetNegotiateAuthString(http, "POST", resource);
}
#endif /* HAVE_GSSAPI */
httpSetField(http, HTTP_FIELD_AUTHORIZATION, http->authstring);
DEBUG_printf(("2cupsSendRequest: authstring=\"%s\"", http->authstring));
/*
* Try the request...
*/
DEBUG_puts("2cupsSendRequest: Sending HTTP POST...");
if (httpPost(http, resource))
{
DEBUG_puts("2cupsSendRequest: POST failed, reconnecting.");
if (httpReconnect2(http, 30000, NULL))
{
DEBUG_puts("1cupsSendRequest: Unable to reconnect.");
return (HTTP_STATUS_SERVICE_UNAVAILABLE);
}
else
continue;
}
/*
* Send the IPP data...
*/
DEBUG_puts("2cupsSendRequest: Writing IPP request...");
request->state = IPP_STATE_IDLE;
status = HTTP_STATUS_CONTINUE;
got_status = 0;
while ((state = ippWrite(http, request)) != IPP_STATE_DATA)
if (state == IPP_STATE_ERROR)
break;
else if (httpCheck(http))
{
got_status = 1;
_httpUpdate(http, &status);
if (status >= HTTP_STATUS_MULTIPLE_CHOICES)
break;
}
if (state == IPP_STATE_ERROR)
{
DEBUG_puts("1cupsSendRequest: Unable to send IPP request.");
http->status = HTTP_STATUS_ERROR;
http->state = HTTP_STATE_WAITING;
return (HTTP_STATUS_ERROR);
}
/*
* Wait up to 1 second to get the 100-continue response as needed...
*/
if (!got_status)
{
if (expect == HTTP_STATUS_CONTINUE)
{
DEBUG_puts("2cupsSendRequest: Waiting for 100-continue...");
if (httpWait(http, 1000))
_httpUpdate(http, &status);
}
else if (httpCheck(http))
_httpUpdate(http, &status);
}
DEBUG_printf(("2cupsSendRequest: status=%d", status));
/*
* Process the current HTTP status...
*/
if (status >= HTTP_STATUS_MULTIPLE_CHOICES)
{
int temp_status; /* Temporary status */
_cupsSetHTTPError(status);
do
{
temp_status = httpUpdate(http);
}
while (temp_status != HTTP_STATUS_ERROR &&
http->state == HTTP_STATE_POST_RECV);
httpFlush(http);
}
switch (status)
{
case HTTP_STATUS_CONTINUE :
case HTTP_STATUS_OK :
case HTTP_STATUS_ERROR :
DEBUG_printf(("1cupsSendRequest: Returning %d.", status));
return (status);
case HTTP_STATUS_UNAUTHORIZED :
if (cupsDoAuthentication(http, "POST", resource))
{
DEBUG_puts("1cupsSendRequest: Returning HTTP_STATUS_CUPS_AUTHORIZATION_CANCELED.");
return (HTTP_STATUS_CUPS_AUTHORIZATION_CANCELED);
}
DEBUG_puts("2cupsSendRequest: Reconnecting after HTTP_STATUS_UNAUTHORIZED.");
if (httpReconnect2(http, 30000, NULL))
{
DEBUG_puts("1cupsSendRequest: Unable to reconnect.");
return (HTTP_STATUS_SERVICE_UNAVAILABLE);
}
break;
#ifdef HAVE_SSL
case HTTP_STATUS_UPGRADE_REQUIRED :
/*
* Flush any error message, reconnect, and then upgrade with
* encryption...
*/
DEBUG_puts("2cupsSendRequest: Reconnecting after "
"HTTP_STATUS_UPGRADE_REQUIRED.");
if (httpReconnect2(http, 30000, NULL))
{
DEBUG_puts("1cupsSendRequest: Unable to reconnect.");
return (HTTP_STATUS_SERVICE_UNAVAILABLE);
}
DEBUG_puts("2cupsSendRequest: Upgrading to TLS.");
if (httpEncryption(http, HTTP_ENCRYPTION_REQUIRED))
{
DEBUG_puts("1cupsSendRequest: Unable to encrypt connection.");
return (HTTP_STATUS_SERVICE_UNAVAILABLE);
}
break;
#endif /* HAVE_SSL */
case HTTP_STATUS_EXPECTATION_FAILED :
/*
* Don't try using the Expect: header the next time around...
*/
expect = (http_status_t)0;
DEBUG_puts("2cupsSendRequest: Reconnecting after "
"HTTP_EXPECTATION_FAILED.");
if (httpReconnect2(http, 30000, NULL))
{
DEBUG_puts("1cupsSendRequest: Unable to reconnect.");
return (HTTP_STATUS_SERVICE_UNAVAILABLE);
}
break;
default :
/*
* Some other error...
*/
return (status);
}
}
}
http_status_t /* O - HTTP status */
cupsPutFd(http_t *http, /* I - Connection to server or @code CUPS_HTTP_DEFAULT@ */
const char *resource, /* I - Resource name */
int fd) /* I - File descriptor */
{
ssize_t bytes; /* Number of bytes read */
int retries; /* Number of retries */
char buffer[8192]; /* Buffer for file */
http_status_t status; /* HTTP status from server */
int new_auth = 0; /* Using new auth information? */
int digest; /* Are we using Digest authentication? */
/*
* Range check input...
*/
DEBUG_printf(("cupsPutFd(http=%p, resource=\"%s\", fd=%d)", (void *)http, resource, fd));
if (!resource || fd < 0)
{
if (http)
http->error = EINVAL;
return (HTTP_STATUS_ERROR);
}
if (!http)
if ((http = _cupsConnect()) == NULL)
return (HTTP_STATUS_SERVICE_UNAVAILABLE);
/*
* Then send PUT requests to the HTTP server...
*/
retries = 0;
do
{
if (!_cups_strcasecmp(httpGetField(http, HTTP_FIELD_CONNECTION), "close"))
{
httpClearFields(http);
if (httpReconnect2(http, 30000, NULL))
{
status = HTTP_STATUS_ERROR;
break;
}
}
DEBUG_printf(("2cupsPutFd: starting attempt, authstring=\"%s\"...",
http->authstring));
httpClearFields(http);
httpSetField(http, HTTP_FIELD_TRANSFER_ENCODING, "chunked");
httpSetExpect(http, HTTP_STATUS_CONTINUE);
digest = http->authstring && !strncmp(http->authstring, "Digest ", 7);
if (digest && !new_auth)
{
/*
* Update the Digest authentication string...
*/
_httpSetDigestAuthString(http, http->nextnonce, "PUT", resource);
}
#ifdef HAVE_GSSAPI
if (http->authstring && !strncmp(http->authstring, "Negotiate", 9) && !new_auth)
{
/*
* Do not use cached Kerberos credentials since they will look like a
* "replay" attack...
*/
_cupsSetNegotiateAuthString(http, "PUT", resource);
}
#endif /* HAVE_GSSAPI */
httpSetField(http, HTTP_FIELD_AUTHORIZATION, http->authstring);
if (httpPut(http, resource))
{
if (httpReconnect2(http, 30000, NULL))
{
status = HTTP_STATUS_ERROR;
break;
}
else
{
status = HTTP_STATUS_UNAUTHORIZED;
continue;
}
}
/*
* Wait up to 1 second for a 100-continue response...
*/
if (httpWait(http, 1000))
status = httpUpdate(http);
else
status = HTTP_STATUS_CONTINUE;
if (status == HTTP_STATUS_CONTINUE)
{
/*
* Copy the file...
*/
lseek(fd, 0, SEEK_SET);
while ((bytes = read(fd, buffer, sizeof(buffer))) > 0)
if (httpCheck(http))
{
if ((status = httpUpdate(http)) != HTTP_STATUS_CONTINUE)
break;
}
else
httpWrite2(http, buffer, (size_t)bytes);
}
if (status == HTTP_STATUS_CONTINUE)
{
httpWrite2(http, buffer, 0);
while ((status = httpUpdate(http)) == HTTP_STATUS_CONTINUE);
}
if (status == HTTP_STATUS_ERROR && !retries)
{
DEBUG_printf(("2cupsPutFd: retry on status %d", status));
retries ++;
/* Flush any error message... */
httpFlush(http);
/* Reconnect... */
if (httpReconnect2(http, 30000, NULL))
{
status = HTTP_STATUS_ERROR;
break;
}
/* Try again... */
continue;
}
DEBUG_printf(("2cupsPutFd: status=%d", status));
new_auth = 0;
if (status == HTTP_STATUS_UNAUTHORIZED)
{
/*
* Flush any error message...
*/
httpFlush(http);
/*
* See if we can do authentication...
*/
new_auth = 1;
if (cupsDoAuthentication(http, "PUT", resource))
{
status = HTTP_STATUS_CUPS_AUTHORIZATION_CANCELED;
break;
}
if (httpReconnect2(http, 30000, NULL))
{
status = HTTP_STATUS_ERROR;
break;
}
continue;
}
#ifdef HAVE_SSL
else if (status == HTTP_STATUS_UPGRADE_REQUIRED)
{
/* Flush any error message... */
httpFlush(http);
/* Reconnect... */
if (httpReconnect2(http, 30000, NULL))
{
status = HTTP_STATUS_ERROR;
break;
}
/* Upgrade with encryption... */
httpEncryption(http, HTTP_ENCRYPTION_REQUIRED);
/* Try again, this time with encryption enabled... */
continue;
}
#endif /* HAVE_SSL */
}
while (status == HTTP_STATUS_UNAUTHORIZED || status == HTTP_STATUS_UPGRADE_REQUIRED ||
(status == HTTP_STATUS_ERROR && retries < 2));
/*
* See if we actually put the file or an error...
*/
if (status != HTTP_STATUS_CREATED)
{
_cupsSetHTTPError(status);
httpFlush(http);
}
DEBUG_printf(("1cupsPutFd: Returning %d...", status));
return (status);
}
