static int /* O - 0 if available */
/* 1 if not available */
/* -1 error */
cups_local_auth(http_t *http) /* I - HTTP connection to server */
{
#if defined(WIN32) || defined(__EMX__)
/*
* Currently WIN32 and OS-2 do not support the CUPS server...
*/
return (1);
#else
int pid; /* Current process ID */
FILE *fp; /* Certificate file */
char trc[16], /* Try Root Certificate parameter */
filename[1024]; /* Certificate filename */
_cups_globals_t *cg = _cupsGlobals(); /* Global data */
# if defined(HAVE_AUTHORIZATION_H)
OSStatus status; /* Status */
AuthorizationItem auth_right; /* Authorization right */
AuthorizationRights auth_rights; /* Authorization rights */
AuthorizationFlags auth_flags; /* Authorization flags */
AuthorizationExternalForm auth_extrn; /* Authorization ref external */
char auth_key[1024]; /* Buffer */
char buffer[1024]; /* Buffer */
# endif /* HAVE_AUTHORIZATION_H */
DEBUG_printf(("7cups_local_auth(http=%p) hostaddr=%s, hostname=\"%s\"",
http, httpAddrString(http->hostaddr, filename, sizeof(filename)), http->hostname));
/*
* See if we are accessing localhost...
*/
if (!httpAddrLocalhost(http->hostaddr) &&
_cups_strcasecmp(http->hostname, "localhost") != 0)
{
DEBUG_puts("8cups_local_auth: Not a local connection!");
return (1);
}
# if defined(HAVE_AUTHORIZATION_H)
/*
* Delete any previous authorization reference...
*/
if (http->auth_ref)
{
AuthorizationFree(http->auth_ref, kAuthorizationFlagDefaults);
http->auth_ref = NULL;
}
if (!getenv("GATEWAY_INTERFACE") &&
httpGetSubField2(http, HTTP_FIELD_WWW_AUTHENTICATE, "authkey",
auth_key, sizeof(auth_key)))
{
status = AuthorizationCreate(NULL, kAuthorizationEmptyEnvironment,
kAuthorizationFlagDefaults, &http->auth_ref);
if (status != errAuthorizationSuccess)
{
DEBUG_printf(("8cups_local_auth: AuthorizationCreate() returned %d (%s)",
(int)status, cssmErrorString(status)));
return (-1);
}
auth_right.name = auth_key;
auth_right.valueLength = 0;
auth_right.value = NULL;
auth_right.flags = 0;
auth_rights.count = 1;
auth_rights.items = &auth_right;
auth_flags = kAuthorizationFlagDefaults |
kAuthorizationFlagPreAuthorize |
kAuthorizationFlagInteractionAllowed |
kAuthorizationFlagExtendRights;
status = AuthorizationCopyRights(http->auth_ref, &auth_rights,
kAuthorizationEmptyEnvironment,
auth_flags, NULL);
if (status == errAuthorizationSuccess)
status = AuthorizationMakeExternalForm(http->auth_ref, &auth_extrn);
if (status == errAuthorizationSuccess)
{
/*
* Set the authorization string and return...
*/
httpEncode64_2(buffer, sizeof(buffer), (void *)&auth_extrn,
sizeof(auth_extrn));
httpSetAuthString(http, "AuthRef", buffer);
DEBUG_printf(("8cups_local_auth: Returning authstring=\"%s\"",
http->authstring));
return (0);
}
else if (status == errAuthorizationCanceled)
return (-1);
DEBUG_printf(("9cups_local_auth: AuthorizationCopyRights() returned %d (%s)",
(int)status, cssmErrorString(status)));
/*
* Fall through to try certificates...
*/
}
# endif /* HAVE_AUTHORIZATION_H */
# if defined(SO_PEERCRED) && defined(AF_LOCAL)
/*
* See if we can authenticate using the peer credentials provided over a
* domain socket; if so, specify "PeerCred username" as the authentication
* information...
*/
if (
# ifdef HAVE_GSSAPI
_cups_strncasecmp(http->fields[HTTP_FIELD_WWW_AUTHENTICATE], "Negotiate", 9) &&
# endif /* HAVE_GSSAPI */
# ifdef HAVE_AUTHORIZATION_H
!httpGetSubField2(http, HTTP_FIELD_WWW_AUTHENTICATE, "authkey",
auth_key, sizeof(auth_key)) &&
# endif /* HAVE_AUTHORIZATION_H */
http->hostaddr->addr.sa_family == AF_LOCAL &&
!getenv("GATEWAY_INTERFACE")) /* Not via CGI programs... */
{
/*
* Verify that the current cupsUser() matches the current UID...
*/
struct passwd *pwd; /* Password information */
const char *username; /* Current username */
username = cupsUser();
if ((pwd = getpwnam(username)) != NULL && pwd->pw_uid == getuid())
{
httpSetAuthString(http, "PeerCred", username);
DEBUG_printf(("8cups_local_auth: Returning authstring=\"%s\"",
http->authstring));
return (0);
}
}
# endif /* SO_PEERCRED && AF_LOCAL */
/*
* Try opening a certificate file for this PID. If that fails,
* try the root certificate...
*/
pid = getpid();
snprintf(filename, sizeof(filename), "%s/certs/%d", cg->cups_statedir, pid);
if ((fp = fopen(filename, "r")) == NULL && pid > 0)
{
/*
* No certificate for this PID; see if we can get the root certificate...
*/
DEBUG_printf(("9cups_local_auth: Unable to open file %s: %s",
filename, strerror(errno)));
# ifdef HAVE_GSSAPI
if (!_cups_strncasecmp(http->fields[HTTP_FIELD_WWW_AUTHENTICATE], "Negotiate", 9))
{
/*
* Kerberos required, don't try the root certificate...
*/
return (1);
}
# endif /* HAVE_GSSAPI */
# ifdef HAVE_AUTHORIZATION_H
if (httpGetSubField2(http, HTTP_FIELD_WWW_AUTHENTICATE, "authkey",
auth_key, sizeof(auth_key)))
{
/*
* Don't use the root certificate as a replacement for an authkey...
*/
return (1);
}
# endif /* HAVE_AUTHORIZATION_H */
if (!httpGetSubField2(http, HTTP_FIELD_WWW_AUTHENTICATE, "trc", trc,
sizeof(trc)))
{
/*
* Scheduler doesn't want us to use the root certificate...
*/
return (1);
}
snprintf(filename, sizeof(filename), "%s/certs/0", cg->cups_statedir);
fp = fopen(filename, "r");
}
if (fp)
{
/*
* Read the certificate from the file...
*/
char certificate[33], /* Certificate string */
*certptr; /* Pointer to certificate string */
certptr = fgets(certificate, sizeof(certificate), fp);
fclose(fp);
if (certptr)
{
/*
* Set the authorization string and return...
*/
httpSetAuthString(http, "Local", certificate);
DEBUG_printf(("8cups_local_auth: Returning authstring=\"%s\"",
http->authstring));
return (0);
}
}
return (1);
#endif /* WIN32 || __EMX__ */
}
static void
dnssdUpdateDNSSDName(int from_callback) /* I - Called from callback? */
{
char webif[1024]; /* Web interface share name */
# ifdef __APPLE__
SCDynamicStoreRef sc; /* Context for dynamic store */
CFDictionaryRef btmm; /* Back-to-My-Mac domains */
CFStringEncoding nameEncoding; /* Encoding of computer name */
CFStringRef nameRef; /* Host name CFString */
char nameBuffer[1024]; /* C-string buffer */
# endif /* __APPLE__ */
/*
* Only share the web interface and printers when non-local listening is
* enabled...
*/
if (!DNSSDPort)
{
/*
* Get the port we use for registrations. If we are not listening on any
* non-local ports, there is no sense sharing local printers via Bonjour...
*/
cupsd_listener_t *lis; /* Current listening socket */
for (lis = (cupsd_listener_t *)cupsArrayFirst(Listeners);
lis;
lis = (cupsd_listener_t *)cupsArrayNext(Listeners))
{
if (httpAddrLocalhost(&(lis->address)))
continue;
DNSSDPort = httpAddrPort(&(lis->address));
break;
}
}
if (!DNSSDPort)
return;
/*
* Get the computer name as a c-string...
*/
# ifdef __APPLE__
sc = SCDynamicStoreCreate(kCFAllocatorDefault, CFSTR("cupsd"), NULL, NULL);
if (sc)
{
/*
* Get the computer name from the dynamic store...
*/
cupsdClearString(&DNSSDComputerName);
if ((nameRef = SCDynamicStoreCopyComputerName(sc, &nameEncoding)) != NULL)
{
if (CFStringGetCString(nameRef, nameBuffer, sizeof(nameBuffer),
kCFStringEncodingUTF8))
{
cupsdLogMessage(CUPSD_LOG_DEBUG,
"Dynamic store computer name is \"%s\".", nameBuffer);
cupsdSetString(&DNSSDComputerName, nameBuffer);
}
CFRelease(nameRef);
}
if (!DNSSDComputerName)
{
/*
* Use the ServerName instead...
*/
cupsdLogMessage(CUPSD_LOG_DEBUG,
"Using ServerName \"%s\" as computer name.", ServerName);
cupsdSetString(&DNSSDComputerName, ServerName);
}
/*
* Get the local hostname from the dynamic store...
*/
cupsdClearString(&DNSSDHostName);
if ((nameRef = SCDynamicStoreCopyLocalHostName(sc)) != NULL)
{
if (CFStringGetCString(nameRef, nameBuffer, sizeof(nameBuffer),
kCFStringEncodingUTF8))
{
cupsdLogMessage(CUPSD_LOG_DEBUG,
"Dynamic store host name is \"%s\".", nameBuffer);
cupsdSetString(&DNSSDHostName, nameBuffer);
}
CFRelease(nameRef);
}
if (!DNSSDHostName)
{
/*
* Use the ServerName instead...
*/
cupsdLogMessage(CUPSD_LOG_DEBUG,
"Using ServerName \"%s\" as host name.", ServerName);
cupsdSetString(&DNSSDHostName, ServerName);
}
/*
* Get any Back-to-My-Mac domains and add them as aliases...
*/
cupsdFreeAliases(DNSSDAlias);
DNSSDAlias = NULL;
btmm = SCDynamicStoreCopyValue(sc, CFSTR("Setup:/Network/BackToMyMac"));
if (btmm && CFGetTypeID(btmm) == CFDictionaryGetTypeID())
{
cupsdLogMessage(CUPSD_LOG_DEBUG, "%d Back to My Mac aliases to add.",
(int)CFDictionaryGetCount(btmm));
CFDictionaryApplyFunction(btmm, dnssdAddAlias, NULL);
}
else if (btmm)
cupsdLogMessage(CUPSD_LOG_ERROR,
"Bad Back to My Mac data in dynamic store!");
else
cupsdLogMessage(CUPSD_LOG_DEBUG, "No Back to My Mac aliases to add.");
if (btmm)
CFRelease(btmm);
CFRelease(sc);
}
else
# endif /* __APPLE__ */
# ifdef HAVE_AVAHI
if (DNSSDClient)
{
const char *host_name = avahi_client_get_host_name(DNSSDClient);
const char *host_fqdn = avahi_client_get_host_name_fqdn(DNSSDClient);
cupsdSetString(&DNSSDComputerName, host_name ? host_name : ServerName);
if (host_fqdn)
cupsdSetString(&DNSSDHostName, host_fqdn);
else if (strchr(ServerName, '.'))
cupsdSetString(&DNSSDHostName, ServerName);
else
cupsdSetStringf(&DNSSDHostName, "%s.local", ServerName);
}
else
# endif /* HAVE_AVAHI */
{
cupsdSetString(&DNSSDComputerName, ServerName);
if (strchr(ServerName, '.'))
cupsdSetString(&DNSSDHostName, ServerName);
else
cupsdSetStringf(&DNSSDHostName, "%s.local", ServerName);
}
/*
* Then (re)register the web interface if enabled...
*/
if (BrowseWebIF)
{
if (DNSSDComputerName)
snprintf(webif, sizeof(webif), "CUPS @ %s", DNSSDComputerName);
else
strlcpy(webif, "CUPS", sizeof(webif));
dnssdDeregisterInstance(&WebIFSrv, from_callback);
dnssdRegisterInstance(&WebIFSrv, NULL, webif, "_http._tcp", "_printer", DNSSDPort, NULL, 1, from_callback);
}
}
http_status_t /* O - Initial HTTP status */
cupsSendRequest(http_t *http, /* I - Connection to server or @code CUPS_HTTP_DEFAULT@ */
ipp_t *request, /* I - IPP request */
const char *resource, /* I - Resource path */
size_t length) /* I - Length of data to follow or @code CUPS_LENGTH_VARIABLE@ */
{
http_status_t status; /* Status of HTTP request */
int got_status; /* Did we get the status? */
ipp_state_t state; /* State of IPP processing */
http_status_t expect; /* Expect: header to use */
DEBUG_printf(("cupsSendRequest(http=%p, request=%p(%s), resource=\"%s\", "
"length=" CUPS_LLFMT ")", http, request,
request ? ippOpString(request->request.op.operation_id) : "?",
resource, CUPS_LLCAST length));
/*
* Range check input...
*/
if (!request || !resource)
{
_cupsSetError(IPP_STATUS_ERROR_INTERNAL, strerror(EINVAL), 0);
return (HTTP_STATUS_ERROR);
}
/*
* Get the default connection as needed...
*/
if (!http)
if ((http = _cupsConnect()) == NULL)
return (HTTP_STATUS_SERVICE_UNAVAILABLE);
/*
* If the prior request was not flushed out, do so now...
*/
if (http->state == HTTP_STATE_GET_SEND ||
http->state == HTTP_STATE_POST_SEND)
{
DEBUG_puts("2cupsSendRequest: Flush prior response.");
httpFlush(http);
}
else if (http->state != HTTP_STATE_WAITING)
{
DEBUG_printf(("1cupsSendRequest: Unknown HTTP state (%d), "
"reconnecting.", http->state));
if (httpReconnect2(http, 30000, NULL))
return (HTTP_STATUS_ERROR);
}
#ifdef HAVE_SSL
/*
* See if we have an auth-info attribute and are communicating over
* a non-local link. If so, encrypt the link so that we can pass
* the authentication information securely...
*/
if (ippFindAttribute(request, "auth-info", IPP_TAG_TEXT) &&
!httpAddrLocalhost(http->hostaddr) && !http->tls &&
httpEncryption(http, HTTP_ENCRYPTION_REQUIRED))
{
DEBUG_puts("1cupsSendRequest: Unable to encrypt connection.");
return (HTTP_STATUS_SERVICE_UNAVAILABLE);
}
#endif /* HAVE_SSL */
/*
* Reconnect if the last response had a "Connection: close"...
*/
if (!_cups_strcasecmp(http->fields[HTTP_FIELD_CONNECTION], "close"))
{
DEBUG_puts("2cupsSendRequest: Connection: close");
httpClearFields(http);
if (httpReconnect2(http, 30000, NULL))
{
DEBUG_puts("1cupsSendRequest: Unable to reconnect.");
return (HTTP_STATUS_SERVICE_UNAVAILABLE);
}
}
/*
* Loop until we can send the request without authorization problems.
*/
expect = HTTP_STATUS_CONTINUE;
for (;;)
{
DEBUG_puts("2cupsSendRequest: Setup...");
/*
* Setup the HTTP variables needed...
*/
httpClearFields(http);
httpSetExpect(http, expect);
httpSetField(http, HTTP_FIELD_CONTENT_TYPE, "application/ipp");
httpSetLength(http, length);
#ifdef HAVE_GSSAPI
if (http->authstring && !strncmp(http->authstring, "Negotiate", 9))
{
/*
* Do not use cached Kerberos credentials since they will look like a
* "replay" attack...
*/
_cupsSetNegotiateAuthString(http, "POST", resource);
}
#endif /* HAVE_GSSAPI */
httpSetField(http, HTTP_FIELD_AUTHORIZATION, http->authstring);
DEBUG_printf(("2cupsSendRequest: authstring=\"%s\"", http->authstring));
/*
* Try the request...
*/
DEBUG_puts("2cupsSendRequest: Sending HTTP POST...");
if (httpPost(http, resource))
{
DEBUG_puts("2cupsSendRequest: POST failed, reconnecting.");
if (httpReconnect2(http, 30000, NULL))
{
DEBUG_puts("1cupsSendRequest: Unable to reconnect.");
return (HTTP_STATUS_SERVICE_UNAVAILABLE);
}
else
continue;
}
/*
* Send the IPP data...
*/
DEBUG_puts("2cupsSendRequest: Writing IPP request...");
request->state = IPP_STATE_IDLE;
status = HTTP_STATUS_CONTINUE;
got_status = 0;
while ((state = ippWrite(http, request)) != IPP_STATE_DATA)
if (state == IPP_STATE_ERROR)
break;
else if (httpCheck(http))
{
got_status = 1;
_httpUpdate(http, &status);
if (status >= HTTP_STATUS_MULTIPLE_CHOICES)
break;
}
if (state == IPP_STATE_ERROR)
{
DEBUG_puts("1cupsSendRequest: Unable to send IPP request.");
http->status = HTTP_STATUS_ERROR;
http->state = HTTP_STATE_WAITING;
return (HTTP_STATUS_ERROR);
}
/*
* Wait up to 1 second to get the 100-continue response as needed...
*/
if (!got_status)
{
if (expect == HTTP_STATUS_CONTINUE)
{
DEBUG_puts("2cupsSendRequest: Waiting for 100-continue...");
if (httpWait(http, 1000))
_httpUpdate(http, &status);
}
else if (httpCheck(http))
_httpUpdate(http, &status);
}
DEBUG_printf(("2cupsSendRequest: status=%d", status));
/*
* Process the current HTTP status...
*/
if (status >= HTTP_STATUS_MULTIPLE_CHOICES)
{
int temp_status; /* Temporary status */
_cupsSetHTTPError(status);
do
{
temp_status = httpUpdate(http);
}
while (temp_status != HTTP_STATUS_ERROR &&
http->state == HTTP_STATE_POST_RECV);
httpFlush(http);
}
switch (status)
{
case HTTP_STATUS_CONTINUE :
case HTTP_STATUS_OK :
case HTTP_STATUS_ERROR :
DEBUG_printf(("1cupsSendRequest: Returning %d.", status));
return (status);
case HTTP_STATUS_UNAUTHORIZED :
if (cupsDoAuthentication(http, "POST", resource))
{
DEBUG_puts("1cupsSendRequest: Returning HTTP_STATUS_CUPS_AUTHORIZATION_CANCELED.");
return (HTTP_STATUS_CUPS_AUTHORIZATION_CANCELED);
}
DEBUG_puts("2cupsSendRequest: Reconnecting after HTTP_STATUS_UNAUTHORIZED.");
if (httpReconnect2(http, 30000, NULL))
{
DEBUG_puts("1cupsSendRequest: Unable to reconnect.");
return (HTTP_STATUS_SERVICE_UNAVAILABLE);
}
break;
#ifdef HAVE_SSL
case HTTP_STATUS_UPGRADE_REQUIRED :
/*
* Flush any error message, reconnect, and then upgrade with
* encryption...
*/
DEBUG_puts("2cupsSendRequest: Reconnecting after "
"HTTP_STATUS_UPGRADE_REQUIRED.");
if (httpReconnect2(http, 30000, NULL))
{
DEBUG_puts("1cupsSendRequest: Unable to reconnect.");
return (HTTP_STATUS_SERVICE_UNAVAILABLE);
}
DEBUG_puts("2cupsSendRequest: Upgrading to TLS.");
if (httpEncryption(http, HTTP_ENCRYPTION_REQUIRED))
{
DEBUG_puts("1cupsSendRequest: Unable to encrypt connection.");
return (HTTP_STATUS_SERVICE_UNAVAILABLE);
}
break;
#endif /* HAVE_SSL */
case HTTP_STATUS_EXPECTATION_FAILED :
/*
* Don't try using the Expect: header the next time around...
*/
expect = (http_status_t)0;
DEBUG_puts("2cupsSendRequest: Reconnecting after "
"HTTP_EXPECTATION_FAILED.");
if (httpReconnect2(http, 30000, NULL))
{
DEBUG_puts("1cupsSendRequest: Unable to reconnect.");
return (HTTP_STATUS_SERVICE_UNAVAILABLE);
}
break;
default :
/*
* Some other error...
*/
return (status);
}
}
}
void
cupsdNetIFUpdate(void)
{
int match; /* Matching address? */
cupsd_listener_t *lis; /* Listen address */
cupsd_netif_t *temp; /* New interface */
struct ifaddrs *addrs, /* Interface address list */
*addr; /* Current interface address */
char hostname[1024]; /* Hostname for address */
size_t hostlen; /* Length of hostname */
/*
* Only update the list if we need to...
*/
if (!NetIFUpdate)
return;
NetIFUpdate = 0;
/*
* Free the old interfaces...
*/
cupsdNetIFFree();
/*
* Make sure we have an array...
*/
if (!NetIFList)
NetIFList = cupsArrayNew((cups_array_func_t)compare_netif, NULL);
if (!NetIFList)
return;
/*
* Grab a new list of interfaces...
*/
if (getifaddrs(&addrs) < 0)
{
cupsdLogMessage(CUPSD_LOG_DEBUG, "cupsdNetIFUpdate: Unable to get interface list - %s", strerror(errno));
return;
}
for (addr = addrs; addr != NULL; addr = addr->ifa_next)
{
/*
* See if this interface address is IPv4 or IPv6...
*/
if (addr->ifa_addr == NULL ||
(addr->ifa_addr->sa_family != AF_INET
#ifdef AF_INET6
&& addr->ifa_addr->sa_family != AF_INET6
#endif
) ||
addr->ifa_netmask == NULL || addr->ifa_name == NULL)
{
cupsdLogMessage(CUPSD_LOG_DEBUG, "cupsdNetIFUpdate: Ignoring \"%s\".", addr->ifa_name);
continue;
}
/*
* Try looking up the hostname for the address as needed...
*/
if (HostNameLookups)
httpAddrLookup((http_addr_t *)(addr->ifa_addr), hostname,
sizeof(hostname));
else
{
/*
* Map the default server address and localhost to the server name
* and localhost, respectively; for all other addresses, use the
* numeric address...
*/
if (httpAddrLocalhost((http_addr_t *)(addr->ifa_addr)))
strlcpy(hostname, "localhost", sizeof(hostname));
else
httpAddrString((http_addr_t *)(addr->ifa_addr), hostname,
sizeof(hostname));
}
/*
* Create a new address element...
*/
hostlen = strlen(hostname);
if ((temp = calloc(1, sizeof(cupsd_netif_t) + hostlen)) == NULL)
{
cupsdLogMessage(CUPSD_LOG_DEBUG, "cupsdNetIFUpdate: Unable to allocate memory for interface.");
break;
}
/*
* Copy all of the information...
*/
strlcpy(temp->name, addr->ifa_name, sizeof(temp->name));
temp->hostlen = hostlen;
memcpy(temp->hostname, hostname, hostlen + 1);
if (addr->ifa_addr->sa_family == AF_INET)
{
/*
* Copy IPv4 addresses...
*/
memcpy(&(temp->address), addr->ifa_addr, sizeof(struct sockaddr_in));
memcpy(&(temp->mask), addr->ifa_netmask, sizeof(struct sockaddr_in));
if (addr->ifa_dstaddr)
memcpy(&(temp->broadcast), addr->ifa_dstaddr,
sizeof(struct sockaddr_in));
}
#ifdef AF_INET6
else
{
/*
* Copy IPv6 addresses...
*/
memcpy(&(temp->address), addr->ifa_addr, sizeof(struct sockaddr_in6));
memcpy(&(temp->mask), addr->ifa_netmask, sizeof(struct sockaddr_in6));
if (addr->ifa_dstaddr)
memcpy(&(temp->broadcast), addr->ifa_dstaddr,
sizeof(struct sockaddr_in6));
}
#endif /* AF_INET6 */
if (!(addr->ifa_flags & IFF_POINTOPOINT) &&
!httpAddrLocalhost(&(temp->address)))
temp->is_local = 1;
/*
* Determine which port to use when advertising printers...
*/
for (lis = (cupsd_listener_t *)cupsArrayFirst(Listeners);
lis;
lis = (cupsd_listener_t *)cupsArrayNext(Listeners))
{
match = 0;
if (httpAddrAny(&(lis->address)))
match = 1;
else if (addr->ifa_addr->sa_family == AF_INET &&
lis->address.addr.sa_family == AF_INET &&
(lis->address.ipv4.sin_addr.s_addr &
temp->mask.ipv4.sin_addr.s_addr) ==
(temp->address.ipv4.sin_addr.s_addr &
temp->mask.ipv4.sin_addr.s_addr))
match = 1;
#ifdef AF_INET6
else if (addr->ifa_addr->sa_family == AF_INET6 &&
lis->address.addr.sa_family == AF_INET6 &&
(lis->address.ipv6.sin6_addr.s6_addr[0] &
temp->mask.ipv6.sin6_addr.s6_addr[0]) ==
(temp->address.ipv6.sin6_addr.s6_addr[0] &
temp->mask.ipv6.sin6_addr.s6_addr[0]) &&
(lis->address.ipv6.sin6_addr.s6_addr[1] &
temp->mask.ipv6.sin6_addr.s6_addr[1]) ==
(temp->address.ipv6.sin6_addr.s6_addr[1] &
temp->mask.ipv6.sin6_addr.s6_addr[1]) &&
(lis->address.ipv6.sin6_addr.s6_addr[2] &
temp->mask.ipv6.sin6_addr.s6_addr[2]) ==
(temp->address.ipv6.sin6_addr.s6_addr[2] &
temp->mask.ipv6.sin6_addr.s6_addr[2]) &&
(lis->address.ipv6.sin6_addr.s6_addr[3] &
temp->mask.ipv6.sin6_addr.s6_addr[3]) ==
(temp->address.ipv6.sin6_addr.s6_addr[3] &
temp->mask.ipv6.sin6_addr.s6_addr[3]))
match = 1;
#endif /* AF_INET6 */
if (match)
{
temp->port = httpAddrPort(&(lis->address));
break;
}
}
/*
* Add it to the array...
*/
cupsArrayAdd(NetIFList, temp);
cupsdLogMessage(CUPSD_LOG_DEBUG, "cupsdNetIFUpdate: \"%s\" = %s:%d",
temp->name, temp->hostname, temp->port);
}
freeifaddrs(addrs);
}
void
cupsdStartListening(void)
{
int p; /* Port number */
cupsd_listener_t *lis; /* Current listening socket */
char s[256]; /* String addresss */
const char *have_domain; /* Have a domain socket? */
static const char * const encryptions[] =
{ /* Encryption values */
"IfRequested",
"Never",
"Required",
"Always"
};
cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdStartListening: %d Listeners",
cupsArrayCount(Listeners));
/*
* Setup socket listeners...
*/
for (lis = (cupsd_listener_t *)cupsArrayFirst(Listeners), LocalPort = 0,
have_domain = NULL;
lis;
lis = (cupsd_listener_t *)cupsArrayNext(Listeners))
{
httpAddrString(&(lis->address), s, sizeof(s));
p = httpAddrPort(&(lis->address));
/*
* If needed, create a socket for listening...
*/
if (lis->fd == -1)
{
/*
* Create a socket for listening...
*/
lis->fd = httpAddrListen(&(lis->address), p);
if (lis->fd == -1)
{
cupsdLogMessage(CUPSD_LOG_ERROR,
"Unable to open listen socket for address %s:%d - %s.",
s, p, strerror(errno));
#ifdef AF_INET6
/*
* IPv6 is often disabled while DNS returns IPv6 addresses...
*/
if (lis->address.addr.sa_family != AF_INET6 &&
(FatalErrors & CUPSD_FATAL_LISTEN))
cupsdEndProcess(getpid(), 0);
#else
if (FatalErrors & CUPSD_FATAL_LISTEN)
cupsdEndProcess(getpid(), 0);
#endif /* AF_INET6 */
continue;
}
}
if (p)
cupsdLogMessage(CUPSD_LOG_INFO, "Listening to %s:%d on fd %d...",
s, p, lis->fd);
else
cupsdLogMessage(CUPSD_LOG_INFO, "Listening to %s on fd %d...",
s, lis->fd);
/*
* Save the first port that is bound to the local loopback or
* "any" address...
*/
if ((!LocalPort || LocalEncryption == HTTP_ENCRYPT_ALWAYS) && p > 0 &&
(httpAddrLocalhost(&(lis->address)) ||
httpAddrAny(&(lis->address))))
{
LocalPort = p;
LocalEncryption = lis->encryption;
}
#ifdef AF_LOCAL
if (lis->address.addr.sa_family == AF_LOCAL && !have_domain)
have_domain = lis->address.un.sun_path;
#endif /* AF_LOCAL */
}
/*
* Make sure that we are listening on localhost!
*/
if (!LocalPort && !have_domain)
{
cupsdLogMessage(CUPSD_LOG_EMERG,
"No Listen or Port lines were found to allow access via "
"localhost.");
if (FatalErrors & (CUPSD_FATAL_CONFIG | CUPSD_FATAL_LISTEN))
cupsdEndProcess(getpid(), 0);
}
/*
* Set the CUPS_SERVER, IPP_PORT, and CUPS_ENCRYPTION variables based on
* the listeners...
*/
if (have_domain)
{
/*
* Use domain sockets for the local connection...
*/
cupsdSetEnv("CUPS_SERVER", have_domain);
LocalEncryption = HTTP_ENCRYPT_IF_REQUESTED;
}
else
{
/*
* Use the default local loopback address for the server...
*/
cupsdSetEnv("CUPS_SERVER", "localhost");
}
cupsdSetEnv("CUPS_ENCRYPTION", encryptions[LocalEncryption]);
if (LocalPort)
cupsdSetEnvf("IPP_PORT", "%d", LocalPort);
/*
* Resume listening for connections...
*/
cupsdResumeListening();
}
void
cupsdStartListening(void)
{
int status; /* Bind result */
int p, /* Port number */
val; /* Parameter value */
cupsd_listener_t *lis; /* Current listening socket */
char s[256]; /* String addresss */
const char *have_domain; /* Have a domain socket? */
static const char * const encryptions[] =
{ /* Encryption values */
"IfRequested",
"Never",
"Required",
"Always"
};
cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdStartListening: %d Listeners",
cupsArrayCount(Listeners));
/*
* Setup socket listeners...
*/
for (lis = (cupsd_listener_t *)cupsArrayFirst(Listeners), LocalPort = 0,
have_domain = NULL;
lis;
lis = (cupsd_listener_t *)cupsArrayNext(Listeners))
{
httpAddrString(&(lis->address), s, sizeof(s));
p = httpAddrPort(&(lis->address));
/*
* If needed, create a socket for listening...
*/
if (lis->fd == -1)
{
/*
* Create a socket for listening...
*/
lis->fd = socket(lis->address.addr.sa_family, SOCK_STREAM, 0);
if (lis->fd == -1)
{
cupsdLogMessage(CUPSD_LOG_ERROR,
"Unable to open listen socket for address %s:%d - %s.",
s, p, strerror(errno));
#ifdef AF_INET6
/*
* IPv6 is often disabled while DNS returns IPv6 addresses...
*/
if (lis->address.addr.sa_family != AF_INET6 &&
(FatalErrors & CUPSD_FATAL_LISTEN))
cupsdEndProcess(getpid(), 0);
#else
if (FatalErrors & CUPSD_FATAL_LISTEN)
cupsdEndProcess(getpid(), 0);
#endif /* AF_INET6 */
continue;
}
/*
* Set things up to reuse the local address for this port.
*/
val = 1;
#ifdef __sun
setsockopt(lis->fd, SOL_SOCKET, SO_REUSEADDR, (char *)&val, sizeof(val));
#else
setsockopt(lis->fd, SOL_SOCKET, SO_REUSEADDR, &val, sizeof(val));
#endif /* __sun */
/*
* Bind to the port we found...
*/
#ifdef AF_INET6
if (lis->address.addr.sa_family == AF_INET6)
{
# ifdef IPV6_V6ONLY
/*
* Accept only IPv6 connections on this socket, to avoid
* potential security issues and to make all platforms behave
* the same.
*/
val = 1;
# ifdef __sun
setsockopt(lis->fd, IPPROTO_IPV6, IPV6_V6ONLY, (char *)&val, sizeof(val));
# else
setsockopt(lis->fd, IPPROTO_IPV6, IPV6_V6ONLY, &val, sizeof(val));
# endif /* __sun */
# endif /* IPV6_V6ONLY */
status = bind(lis->fd, (struct sockaddr *)&(lis->address),
httpAddrLength(&(lis->address)));
}
else
#endif /* AF_INET6 */
#ifdef AF_LOCAL
if (lis->address.addr.sa_family == AF_LOCAL)
{
mode_t mask; /* Umask setting */
/*
* Remove any existing domain socket file...
*/
unlink(lis->address.un.sun_path);
/*
* Save the current umask and set it to 0 so that all users can access
* the domain socket...
*/
mask = umask(0);
/*
* Bind the domain socket...
*/
status = bind(lis->fd, (struct sockaddr *)&(lis->address),
httpAddrLength(&(lis->address)));
/*
* Restore the umask...
*/
umask(mask);
}
else
#endif /* AF_LOCAL */
status = bind(lis->fd, (struct sockaddr *)&(lis->address),
sizeof(lis->address.ipv4));
if (status < 0)
{
cupsdLogMessage(CUPSD_LOG_ERROR,
"Unable to bind socket for address %s:%d - %s.",
s, p, strerror(errno));
close(lis->fd);
lis->fd = -1;
if (FatalErrors & CUPSD_FATAL_LISTEN)
cupsdEndProcess(getpid(), 0);
continue;
}
/*
* Listen for new clients.
*/
if (listen(lis->fd, ListenBackLog) < 0)
{
cupsdLogMessage(CUPSD_LOG_ERROR,
"Unable to listen for clients on address %s:%d - %s.",
s, p, strerror(errno));
close(lis->fd);
lis->fd = -1;
if (FatalErrors & CUPSD_FATAL_LISTEN)
cupsdEndProcess(getpid(), 0);
continue;
}
}
fcntl(lis->fd, F_SETFD, fcntl(lis->fd, F_GETFD) | FD_CLOEXEC);
if (p)
cupsdLogMessage(CUPSD_LOG_INFO, "Listening to %s:%d on fd %d...",
s, p, lis->fd);
else
{
cupsdLogMessage(CUPSD_LOG_INFO, "Listening to %s on fd %d...",
s, lis->fd);
if (chmod(s, 0140777))
cupsdLogMessage(CUPSD_LOG_ERROR,
"Unable to change permisssions on domain socket "
"\"%s\" - %s", s, strerror(errno));
}
/*
* Save the first port that is bound to the local loopback or
* "any" address...
*/
if ((!LocalPort || LocalEncryption == HTTP_ENCRYPT_ALWAYS) && p > 0 &&
(httpAddrLocalhost(&(lis->address)) ||
httpAddrAny(&(lis->address))))
{
LocalPort = p;
LocalEncryption = lis->encryption;
}
#ifdef AF_LOCAL
if (lis->address.addr.sa_family == AF_LOCAL && !have_domain)
have_domain = lis->address.un.sun_path;
#endif /* AF_LOCAL */
}
/*
* Make sure that we are listening on localhost!
*/
if (!LocalPort && !have_domain)
{
cupsdLogMessage(CUPSD_LOG_EMERG,
"No Listen or Port lines were found to allow access via "
"localhost!");
if (FatalErrors & (CUPSD_FATAL_CONFIG | CUPSD_FATAL_LISTEN))
cupsdEndProcess(getpid(), 0);
}
/*
* Set the CUPS_SERVER, IPP_PORT, and CUPS_ENCRYPTION variables based on
* the listeners...
*/
if (have_domain)
{
/*
* Use domain sockets for the local connection...
*/
cupsdSetEnv("CUPS_SERVER", have_domain);
LocalEncryption = HTTP_ENCRYPT_IF_REQUESTED;
}
else
{
/*
* Use the default local loopback address for the server...
*/
cupsdSetEnv("CUPS_SERVER", "localhost");
}
cupsdSetEnv("CUPS_ENCRYPTION", encryptions[LocalEncryption]);
if (LocalPort)
cupsdSetEnvf("IPP_PORT", "%d", LocalPort);
/*
* Resume listening for connections...
*/
cupsdResumeListening();
}
int /* O - 0 on success, -1 on failure */
_httpTLSStart(http_t *http) /* I - Connection to server */
{
char hostname[256], /* Hostname */
*hostptr; /* Pointer into hostname */
int status; /* Status of handshake */
gnutls_certificate_credentials_t *credentials;
/* TLS credentials */
char priority_string[1024];
/* Priority string */
DEBUG_printf(("3_httpTLSStart(http=%p)", http));
if (tls_options < 0)
{
DEBUG_puts("4_httpTLSStart: Setting defaults.");
_cupsSetDefaults();
DEBUG_printf(("4_httpTLSStart: tls_options=%x", tls_options));
}
if (http->mode == _HTTP_MODE_SERVER && !tls_keypath)
{
DEBUG_puts("4_httpTLSStart: cupsSetServerCredentials not called.");
http->error = errno = EINVAL;
http->status = HTTP_STATUS_ERROR;
_cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Server credentials not set."), 1);
return (-1);
}
credentials = (gnutls_certificate_credentials_t *)
malloc(sizeof(gnutls_certificate_credentials_t));
if (credentials == NULL)
{
DEBUG_printf(("8_httpStartTLS: Unable to allocate credentials: %s",
strerror(errno)));
http->error = errno;
http->status = HTTP_STATUS_ERROR;
_cupsSetHTTPError(HTTP_STATUS_ERROR);
return (-1);
}
gnutls_certificate_allocate_credentials(credentials);
status = gnutls_init(&http->tls, http->mode == _HTTP_MODE_CLIENT ? GNUTLS_CLIENT : GNUTLS_SERVER);
if (!status)
status = gnutls_set_default_priority(http->tls);
if (status)
{
http->error = EIO;
http->status = HTTP_STATUS_ERROR;
DEBUG_printf(("4_httpTLSStart: Unable to initialize common TLS parameters: %s", gnutls_strerror(status)));
_cupsSetError(IPP_STATUS_ERROR_CUPS_PKI, gnutls_strerror(status), 0);
gnutls_deinit(http->tls);
gnutls_certificate_free_credentials(*credentials);
free(credentials);
http->tls = NULL;
return (-1);
}
if (http->mode == _HTTP_MODE_CLIENT)
{
/*
* Client: get the hostname to use for TLS...
*/
if (httpAddrLocalhost(http->hostaddr))
{
strlcpy(hostname, "localhost", sizeof(hostname));
}
else
{
/*
* Otherwise make sure the hostname we have does not end in a trailing dot.
*/
strlcpy(hostname, http->hostname, sizeof(hostname));
if ((hostptr = hostname + strlen(hostname) - 1) >= hostname &&
*hostptr == '.')
*hostptr = '\0';
}
status = gnutls_server_name_set(http->tls, GNUTLS_NAME_DNS, hostname, strlen(hostname));
}
else
{
/*
* Server: get certificate and private key...
*/
char crtfile[1024], /* Certificate file */
keyfile[1024]; /* Private key file */
int have_creds = 0; /* Have credentials? */
if (http->fields[HTTP_FIELD_HOST][0])
{
/*
* Use hostname for TLS upgrade...
*/
strlcpy(hostname, http->fields[HTTP_FIELD_HOST], sizeof(hostname));
}
else
{
/*
* Resolve hostname from connection address...
*/
http_addr_t addr; /* Connection address */
socklen_t addrlen; /* Length of address */
addrlen = sizeof(addr);
if (getsockname(http->fd, (struct sockaddr *)&addr, &addrlen))
{
DEBUG_printf(("4_httpTLSStart: Unable to get socket address: %s", strerror(errno)));
hostname[0] = '\0';
}
else if (httpAddrLocalhost(&addr))
hostname[0] = '\0';
else
{
httpAddrLookup(&addr, hostname, sizeof(hostname));
DEBUG_printf(("4_httpTLSStart: Resolved socket address to \"%s\".", hostname));
}
}
if (isdigit(hostname[0] & 255) || hostname[0] == '[')
hostname[0] = '\0'; /* Don't allow numeric addresses */
if (hostname[0])
{
http_gnutls_make_path(crtfile, sizeof(crtfile), tls_keypath, hostname, "crt");
http_gnutls_make_path(keyfile, sizeof(keyfile), tls_keypath, hostname, "key");
have_creds = !access(crtfile, 0) && !access(keyfile, 0);
}
else if (tls_common_name)
{
http_gnutls_make_path(crtfile, sizeof(crtfile), tls_keypath, tls_common_name, "crt");
http_gnutls_make_path(keyfile, sizeof(keyfile), tls_keypath, tls_common_name, "key");
have_creds = !access(crtfile, 0) && !access(keyfile, 0);
}
if (!have_creds && tls_auto_create && (hostname[0] || tls_common_name))
{
DEBUG_printf(("4_httpTLSStart: Auto-create credentials for \"%s\".", hostname[0] ? hostname : tls_common_name));
if (!cupsMakeServerCredentials(tls_keypath, hostname[0] ? hostname : tls_common_name, 0, NULL, time(NULL) + 365 * 86400))
{
DEBUG_puts("4_httpTLSStart: cupsMakeServerCredentials failed.");
http->error = errno = EINVAL;
http->status = HTTP_STATUS_ERROR;
_cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Unable to create server credentials."), 1);
return (-1);
}
}
DEBUG_printf(("4_httpTLSStart: Using certificate \"%s\" and private key \"%s\".", crtfile, keyfile));
status = gnutls_certificate_set_x509_key_file(*credentials, crtfile, keyfile, GNUTLS_X509_FMT_PEM);
}
if (!status)
status = gnutls_credentials_set(http->tls, GNUTLS_CRD_CERTIFICATE, *credentials);
if (status)
{
http->error = EIO;
http->status = HTTP_STATUS_ERROR;
DEBUG_printf(("4_httpTLSStart: Unable to complete client/server setup: %s", gnutls_strerror(status)));
_cupsSetError(IPP_STATUS_ERROR_CUPS_PKI, gnutls_strerror(status), 0);
gnutls_deinit(http->tls);
gnutls_certificate_free_credentials(*credentials);
free(credentials);
http->tls = NULL;
return (-1);
}
strlcpy(priority_string, "NORMAL", sizeof(priority_string));
if (tls_options & _HTTP_TLS_DENY_TLS10)
strlcat(priority_string, ":+VERS-TLS-ALL:-VERS-TLS1.0:-VERS-SSL3.0", sizeof(priority_string));
else if (tls_options & _HTTP_TLS_ALLOW_SSL3)
strlcat(priority_string, ":+VERS-TLS-ALL", sizeof(priority_string));
else
strlcat(priority_string, ":+VERS-TLS-ALL:-VERS-SSL3.0", sizeof(priority_string));
if (!(tls_options & _HTTP_TLS_ALLOW_RC4))
strlcat(priority_string, ":-ARCFOUR-128", sizeof(priority_string));
if (!(tls_options & _HTTP_TLS_ALLOW_DH))
strlcat(priority_string, ":!ANON-DH", sizeof(priority_string));
#ifdef HAVE_GNUTLS_PRIORITY_SET_DIRECT
gnutls_priority_set_direct(http->tls, priority_string, NULL);
#else
gnutls_priority_t priority; /* Priority */
gnutls_priority_init(&priority, priority_string, NULL);
gnutls_priority_set(http->tls, priority);
gnutls_priority_deinit(priority);
#endif /* HAVE_GNUTLS_PRIORITY_SET_DIRECT */
gnutls_transport_set_ptr(http->tls, (gnutls_transport_ptr_t)http);
gnutls_transport_set_pull_function(http->tls, http_gnutls_read);
#ifdef HAVE_GNUTLS_TRANSPORT_SET_PULL_TIMEOUT_FUNCTION
gnutls_transport_set_pull_timeout_function(http->tls, (gnutls_pull_timeout_func)httpWait);
#endif /* HAVE_GNUTLS_TRANSPORT_SET_PULL_TIMEOUT_FUNCTION */
gnutls_transport_set_push_function(http->tls, http_gnutls_write);
while ((status = gnutls_handshake(http->tls)) != GNUTLS_E_SUCCESS)
{
DEBUG_printf(("5_httpStartTLS: gnutls_handshake returned %d (%s)",
status, gnutls_strerror(status)));
if (gnutls_error_is_fatal(status))
{
http->error = EIO;
http->status = HTTP_STATUS_ERROR;
_cupsSetError(IPP_STATUS_ERROR_CUPS_PKI, gnutls_strerror(status), 0);
gnutls_deinit(http->tls);
gnutls_certificate_free_credentials(*credentials);
free(credentials);
http->tls = NULL;
return (-1);
}
}
http->tls_credentials = credentials;
return (0);
}
