#include "cupsd.h"
#include <grp.h>
#ifdef HAVE_SHADOW_H
# include <shadow.h>
#endif
#ifdef HAVE_CRYPT_H
# include <crypt.h>
#endif
#if HAVE_LIBPAM
# ifdef HAVE_PAM_PAM_APPL_H
# include <pam/pam_appl.h>
# else
# include <security/pam_appl.h>
# endif
#endif
#ifdef HAVE_USERSEC_H
# include <usersec.h>
#endif
#ifdef HAVE_MEMBERSHIP_H
# include <membership.h>
#endif
#ifdef HAVE_AUTHORIZATION_H
# include <Security/AuthorizationTags.h>
# ifdef HAVE_SECBASEPRIV_H
# include <Security/SecBasePriv.h>
# else
extern const char *cssmErrorString(int error);
# endif
#endif
#ifdef HAVE_SYS_PARAM_H
# include <sys/param.h>
#endif
#ifdef HAVE_SYS_UCRED_H
# include <sys/ucred.h>
typedef struct xucred cupsd_ucred_t;
# define CUPSD_UCRED_UID(c) (c).cr_uid
#else
# ifndef __OpenBSD__
typedef struct ucred cupsd_ucred_t;
# else
typedef struct sockpeercred cupsd_ucred_t;
# endif
# define CUPSD_UCRED_UID(c) (c).uid
#endif
#ifdef HAVE_AUTHORIZATION_H
static int check_authref(cupsd_client_t *con, const char *right);
#endif
static int compare_locations(cupsd_location_t *a,
cupsd_location_t *b);
static cupsd_authmask_t *copy_authmask(cupsd_authmask_t *am, void *data);
#if !HAVE_LIBPAM && !defined(HAVE_USERSEC_H)
static char *cups_crypt(const char *pw, const char *salt);
#endif
static void free_authmask(cupsd_authmask_t *am, void *data);
static char *get_md5_password(const char *username,
const char *group, char passwd[33]);
#if HAVE_LIBPAM
static int pam_func(int, const struct pam_message **,
struct pam_response **, void *);
#elif !defined(HAVE_USERSEC_H)
static void to64(char *s, unsigned long v, int n);
#endif
#if HAVE_LIBPAM
typedef struct cupsd_authdata_s
{
char username[HTTP_MAX_VALUE],
password[HTTP_MAX_VALUE];
} cupsd_authdata_t;
#endif
#if defined(__hpux) && HAVE_LIBPAM
static cupsd_authdata_t *auth_data;
#endif
int
cupsdAddIPMask(
cups_array_t **masks,
const unsigned address[4],
const unsigned netmask[4])
{
cupsd_authmask_t temp;
cupsdLogMessage(CUPSD_LOG_DEBUG2,
"cupsdAddIPMask(masks=%p(%p), address=%x:%x:%x:%x, "
"netmask=%x:%x:%x:%x)",
masks, *masks,
address[0], address[1], address[2], address[3],
netmask[0], netmask[1], netmask[2], netmask[3]);
temp.type = CUPSD_AUTH_IP;
memcpy(temp.mask.ip.address, address, sizeof(temp.mask.ip.address));
memcpy(temp.mask.ip.netmask, netmask, sizeof(temp.mask.ip.netmask));
if (!*masks)
*masks = cupsArrayNew3(NULL, NULL, NULL, 0,
(cups_acopy_func_t)copy_authmask,
(cups_afree_func_t)free_authmask);
return (cupsArrayAdd(*masks, &temp));
}
void
cupsdAddLocation(cupsd_location_t *loc)
{
if (!Locations)
Locations = cupsArrayNew3((cups_array_func_t)compare_locations, NULL,
(cups_ahash_func_t)NULL, 0,
(cups_acopy_func_t)NULL,
(cups_afree_func_t)cupsdFreeLocation);
if (Locations)
{
cupsArrayAdd(Locations, loc);
cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdAddLocation: Added location \"%s\"",
loc->location ? loc->location : "(null)");
}
}
void
cupsdAddName(cupsd_location_t *loc,
char *name)
{
cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdAddName(loc=%p, name=\"%s\")",
loc, name);
if (!loc->names)
loc->names = cupsArrayNew3(NULL, NULL, NULL, 0,
(cups_acopy_func_t)_cupsStrAlloc,
(cups_afree_func_t)_cupsStrFree);
if (!cupsArrayAdd(loc->names, name))
{
cupsdLogMessage(CUPSD_LOG_ERROR,
"Unable to duplicate name for location %s: %s",
loc->location ? loc->location : "nil", strerror(errno));
return;
}
}
int
cupsdAddNameMask(cups_array_t **masks,
char *name)
{
cupsd_authmask_t temp;
char ifname[32],
*ifptr;
cupsdLogMessage(CUPSD_LOG_DEBUG2,
"cupsdAddNameMask(masks=%p(%p), name=\"%s\")",
masks, *masks, name);
if (!_cups_strcasecmp(name, "@LOCAL"))
{
temp.type = CUPSD_AUTH_INTERFACE;
temp.mask.name.name = (char *)"*";
}
else if (!_cups_strncasecmp(name, "@IF(", 4))
{
strlcpy(ifname, name + 4, sizeof(ifname));
ifptr = ifname + strlen(ifname) - 1;
if (ifptr >= ifname && *ifptr == ')')
{
ifptr --;
*ifptr = '\0';
}
temp.type = CUPSD_AUTH_INTERFACE;
temp.mask.name.name = ifname;
}
else
{
if (*name == '*')
name ++;
temp.type = CUPSD_AUTH_NAME;
temp.mask.name.name = (char *)name;
}
temp.mask.name.length = strlen(temp.mask.name.name);
if (!*masks)
*masks = cupsArrayNew3(NULL, NULL, NULL, 0,
(cups_acopy_func_t)copy_authmask,
(cups_afree_func_t)free_authmask);
return (cupsArrayAdd(*masks, &temp));
}
void
cupsdAuthorize(cupsd_client_t *con)
{
int type;
const char *authorization;
char *ptr,
username[HTTP_MAX_VALUE],
password[HTTP_MAX_VALUE];
cupsd_cert_t *localuser;
char nonce[HTTP_MAX_VALUE],
md5[33],
basicmd5[33];
static const char * const states[] =
{
"WAITING",
"OPTIONS",
"GET",
"GET",
"HEAD",
"POST",
"POST",
"POST",
"PUT",
"PUT",
"DELETE",
"TRACE",
"CLOSE",
"STATUS"
};
con->best = cupsdFindBest(con->uri, con->http.state);
con->type = CUPSD_AUTH_NONE;
cupsdLogMessage(CUPSD_LOG_DEBUG2,
"[Client %d] con->uri=\"%s\", con->best=%p(%s)",
con->http.fd, con->uri, con->best,
con->best ? con->best->location : "");
if (con->best && con->best->type != CUPSD_AUTH_NONE)
{
if (con->best->type == CUPSD_AUTH_DEFAULT)
type = cupsdDefaultAuthType();
else
type = con->best->type;
}
else
type = cupsdDefaultAuthType();
authorization = httpGetField(&con->http, HTTP_FIELD_AUTHORIZATION);
cupsdLogMessage(CUPSD_LOG_DEBUG2, "[Client %d] Authorization=\"%s\"",
con->http.fd, authorization);
username[0] = '\0';
password[0] = '\0';
#ifdef HAVE_GSSAPI
con->gss_uid = 0;
#endif
#ifdef HAVE_AUTHORIZATION_H
if (con->authref)
{
AuthorizationFree(con->authref, kAuthorizationFlagDefaults);
con->authref = NULL;
}
#endif
if (!*authorization)
{
cupsdLogMessage(CUPSD_LOG_DEBUG,
"[Client %d] No authentication data provided.",
con->http.fd);
return;
}
#ifdef HAVE_AUTHORIZATION_H
else if (!strncmp(authorization, "AuthRef ", 8) &&
!_cups_strcasecmp(con->http.hostname, "localhost"))
{
OSStatus status;
int authlen;
AuthorizationItemSet *authinfo;
authorization += 8;
while (isspace(*authorization & 255))
authorization ++;
authlen = sizeof(nonce);
httpDecode64_2(nonce, &authlen, authorization);
if (authlen != kAuthorizationExternalFormLength)
{
cupsdLogMessage(CUPSD_LOG_ERROR,
"[Client %d] External Authorization reference size is "
"incorrect.", con->http.fd);
return;
}
if ((status = AuthorizationCreateFromExternalForm(
(AuthorizationExternalForm *)nonce, &con->authref)) != 0)
{
cupsdLogMessage(CUPSD_LOG_ERROR,
"[Client %d] AuthorizationCreateFromExternalForm "
"returned %d (%s)", con->http.fd, (int)status,
cssmErrorString(status));
return;
}
username[0] = '\0';
if (!AuthorizationCopyInfo(con->authref, kAuthorizationEnvironmentUsername,
&authinfo))
{
if (authinfo->count == 1 && authinfo->items[0].value &&
authinfo->items[0].valueLength >= 2)
{
strlcpy(username, authinfo->items[0].value, sizeof(username));
cupsdLogMessage(CUPSD_LOG_DEBUG,
"[Client %d] Authorized as \"%s\" using AuthRef",
con->http.fd, username);
}
AuthorizationFreeItemSet(authinfo);
}
if (!username[0])
{
struct passwd *pwd;
cupsd_ucred_t peercred;
socklen_t peersize;
peersize = sizeof(peercred);
if (getsockopt(con->http.fd, 0, LOCAL_PEERCRED, &peercred, &peersize))
{
cupsdLogMessage(CUPSD_LOG_ERROR,
"[Client %d] Unable to get peer credentials - %s",
con->http.fd, strerror(errno));
return;
}
if ((pwd = getpwuid(CUPSD_UCRED_UID(peercred))) == NULL)
{
cupsdLogMessage(CUPSD_LOG_ERROR,
"[Client %d] Unable to find UID %d for peer "
"credentials.", con->http.fd,
(int)CUPSD_UCRED_UID(peercred));
return;
}
strlcpy(username, pwd->pw_name, sizeof(username));
cupsdLogMessage(CUPSD_LOG_DEBUG,
"[Client %d] Authorized as \"%s\" using "
"AuthRef + PeerCred", con->http.fd, username);
}
con->type = CUPSD_AUTH_BASIC;
}
#endif
#if defined(SO_PEERCRED) && defined(AF_LOCAL)
else if (!strncmp(authorization, "PeerCred ", 9) &&
con->http.hostaddr->addr.sa_family == AF_LOCAL)
{
struct passwd *pwd;
cupsd_ucred_t peercred;
socklen_t peersize;
#ifdef HAVE_AUTHORIZATION_H
const char *name;
int no_peer = 0;
for (name = (char *)cupsArrayFirst(con->best->names);
name;
name = (char *)cupsArrayNext(con->best->names))
{
if (!_cups_strncasecmp(name, "@AUTHKEY(", 9) ||
!_cups_strcasecmp(name, "@SYSTEM"))
{
no_peer = 1;
}
else if (!_cups_strcasecmp(name, "@OWNER"))
{
no_peer = 0;
break;
}
}
if (no_peer)
{
cupsdLogMessage(CUPSD_LOG_ERROR,
"[Client %d] PeerCred authentication not allowed for "
"resource per AUTHKEY policy.", con->http.fd);
return;
}
#endif
if ((pwd = getpwnam(authorization + 9)) == NULL)
{
cupsdLogMessage(CUPSD_LOG_ERROR,
"[Client %d] User \"%s\" does not exist.", con->http.fd,
authorization + 9);
return;
}
peersize = sizeof(peercred);
# ifdef __APPLE__
if (getsockopt(con->http.fd, 0, LOCAL_PEERCRED, &peercred, &peersize))
# else
if (getsockopt(con->http.fd, SOL_SOCKET, SO_PEERCRED, &peercred, &peersize))
# endif
{
cupsdLogMessage(CUPSD_LOG_ERROR,
"[Client %d] Unable to get peer credentials - %s",
con->http.fd, strerror(errno));
return;
}
if (pwd->pw_uid != CUPSD_UCRED_UID(peercred))
{
cupsdLogMessage(CUPSD_LOG_ERROR,
"[Client %d] Invalid peer credentials for \"%s\" - got "
"%d, expected %d!", con->http.fd, authorization + 9,
CUPSD_UCRED_UID(peercred), pwd->pw_uid);
# ifdef HAVE_SYS_UCRED_H
cupsdLogMessage(CUPSD_LOG_DEBUG, "[Client %d] cr_version=%d",
con->http.fd, peercred.cr_version);
cupsdLogMessage(CUPSD_LOG_DEBUG, "[Client %d] cr_uid=%d",
con->http.fd, peercred.cr_uid);
cupsdLogMessage(CUPSD_LOG_DEBUG, "[Client %d] cr_ngroups=%d",
con->http.fd, peercred.cr_ngroups);
cupsdLogMessage(CUPSD_LOG_DEBUG, "[Client %d] cr_groups[0]=%d",
con->http.fd, peercred.cr_groups[0]);
# endif
return;
}
strlcpy(username, authorization + 9, sizeof(username));
# ifdef HAVE_GSSAPI
con->gss_uid = CUPSD_UCRED_UID(peercred);
# endif
cupsdLogMessage(CUPSD_LOG_DEBUG,
"[Client %d] Authorized as %s using PeerCred", con->http.fd,
username);
con->type = CUPSD_AUTH_BASIC;
}
#endif
else if (!strncmp(authorization, "Local", 5) &&
!_cups_strcasecmp(con->http.hostname, "localhost"))
{
authorization += 5;
while (isspace(*authorization & 255))
authorization ++;
if ((localuser = cupsdFindCert(authorization)) == NULL)
{
cupsdLogMessage(CUPSD_LOG_ERROR,
"[Client %d] Local authentication certificate not found.",
con->http.fd);
return;
}
strlcpy(username, localuser->username, sizeof(username));
con->type = localuser->type;
cupsdLogMessage(CUPSD_LOG_DEBUG,
"[Client %d] Authorized as %s using Local", con->http.fd,
username);
}
else if (!strncmp(authorization, "Basic", 5))
{
int userlen;
authorization += 5;
while (isspace(*authorization & 255))
authorization ++;
userlen = sizeof(username);
httpDecode64_2(username, &userlen, authorization);
if ((ptr = strchr(username, ':')) == NULL)
{
cupsdLogMessage(CUPSD_LOG_ERROR, "[Client %d] Missing Basic password.",
con->http.fd);
return;
}
*ptr++ = '\0';
if (!username[0])
{
cupsdLogMessage(CUPSD_LOG_ERROR, "[Client %d] Empty Basic username.",
con->http.fd);
return;
}
if (!*ptr)
{
cupsdLogMessage(CUPSD_LOG_ERROR, "[Client %d] Empty Basic password.",
con->http.fd);
return;
}
strlcpy(password, ptr, sizeof(password));
switch (type)
{
default :
case CUPSD_AUTH_BASIC :
{
#if HAVE_LIBPAM
pam_handle_t *pamh;
int pamerr;
struct pam_conv pamdata;
cupsd_authdata_t data;
strlcpy(data.username, username, sizeof(data.username));
strlcpy(data.password, password, sizeof(data.password));
# if defined(__sun) || defined(__hpux)
pamdata.conv = (int (*)(int, struct pam_message **,
struct pam_response **,
void *))pam_func;
# else
pamdata.conv = pam_func;
# endif
pamdata.appdata_ptr = &data;
# ifdef __hpux
auth_data = &data;
# endif
pamerr = pam_start("cups", username, &pamdata, &pamh);
if (pamerr != PAM_SUCCESS)
{
cupsdLogMessage(CUPSD_LOG_ERROR,
"[Client %d] pam_start() returned %d (%s)",
con->http.fd, pamerr, pam_strerror(pamh, pamerr));
return;
}
# ifdef HAVE_PAM_SET_ITEM
# ifdef PAM_RHOST
pamerr = pam_set_item(pamh, PAM_RHOST, con->http.hostname);
if (pamerr != PAM_SUCCESS)
cupsdLogMessage(CUPSD_LOG_WARN,
"[Client %d] pam_set_item(PAM_RHOST) "
"returned %d (%s)", con->http.fd, pamerr,
pam_strerror(pamh, pamerr));
# endif
# ifdef PAM_TTY
pamerr = pam_set_item(pamh, PAM_TTY, "cups");
if (pamerr != PAM_SUCCESS)
cupsdLogMessage(CUPSD_LOG_WARN,
"[Client %d] pam_set_item(PAM_TTY) "
"returned %d (%s)!", con->http.fd, pamerr,
pam_strerror(pamh, pamerr));
# endif
# endif
pamerr = pam_authenticate(pamh, PAM_SILENT);
if (pamerr != PAM_SUCCESS)
{
cupsdLogMessage(CUPSD_LOG_ERROR,
"[Client %d] pam_authenticate() returned %d (%s)",
con->http.fd, pamerr, pam_strerror(pamh, pamerr));
pam_end(pamh, 0);
return;
}
# ifdef HAVE_PAM_SETCRED
pamerr = pam_setcred(pamh, PAM_ESTABLISH_CRED | PAM_SILENT);
if (pamerr != PAM_SUCCESS)
cupsdLogMessage(CUPSD_LOG_WARN,
"[Client %d] pam_setcred() returned %d (%s)",
con->http.fd, pamerr,
pam_strerror(pamh, pamerr));
# endif
pamerr = pam_acct_mgmt(pamh, PAM_SILENT);
if (pamerr != PAM_SUCCESS)
{
cupsdLogMessage(CUPSD_LOG_ERROR,
"[Client %d] pam_acct_mgmt() returned %d (%s)",
con->http.fd, pamerr, pam_strerror(pamh, pamerr));
pam_end(pamh, 0);
return;
}
pam_end(pamh, PAM_SUCCESS);
#elif defined(HAVE_USERSEC_H)
char *authmsg;
int reenter;
cupsdLogMessage(CUPSD_LOG_DEBUG,
"[Client %d] AIX authenticate of username \"%s\"",
con->http.fd, username);
reenter = 1;
if (authenticate(username, password, &reenter, &authmsg) != 0)
{
cupsdLogMessage(CUPSD_LOG_DEBUG,
"[Client %d] Unable to authenticate username "
"\"%s\": %s", con->http.fd, username,
strerror(errno));
return;
}
#else
char *pass;
struct passwd *pw;
# ifdef HAVE_SHADOW_H
struct spwd *spw;
# endif
pw = getpwnam(username);
endpwent();
if (!pw)
{
cupsdLogMessage(CUPSD_LOG_ERROR,
"[Client %d] Unknown username \"%s\".",
con->http.fd, username);
return;
}
# ifdef HAVE_SHADOW_H
spw = getspnam(username);
endspent();
if (!spw && !strcmp(pw->pw_passwd, "x"))
{
cupsdLogMessage(CUPSD_LOG_ERROR,
"[Client %d] Username \"%s\" has no shadow "
"password.", con->http.fd, username);
return;
}
if (spw && !spw->sp_pwdp[0] && !pw->pw_passwd[0])
# else
if (!pw->pw_passwd[0])
# endif
{
cupsdLogMessage(CUPSD_LOG_ERROR,
"[Client %d] Username \"%s\" has no password.",
con->http.fd, username);
return;
}
pass = cups_crypt(password, pw->pw_passwd);
cupsdLogMessage(CUPSD_LOG_DEBUG2,
"[Client %d] pw_passwd=\"%s\", crypt=\"%s\"",
con->http.fd, pw->pw_passwd, pass);
if (!pass || strcmp(pw->pw_passwd, pass))
{
# ifdef HAVE_SHADOW_H
if (spw)
{
pass = cups_crypt(password, spw->sp_pwdp);
cupsdLogMessage(CUPSD_LOG_DEBUG2,
"[Client %d] sp_pwdp=\"%s\", crypt=\"%s\"",
con->http.fd, spw->sp_pwdp, pass);
if (pass == NULL || strcmp(spw->sp_pwdp, pass))
{
cupsdLogMessage(CUPSD_LOG_ERROR,
"[Client %d] Authentication failed for user "
"\"%s\".", con->http.fd, username);
return;
}
}
else
# endif
{
cupsdLogMessage(CUPSD_LOG_ERROR,
"[Client %d] Authentication failed for user "
"\"%s\".", con->http.fd, username);
return;
}
}
#endif
}
cupsdLogMessage(CUPSD_LOG_DEBUG,
"[Client %d] Authorized as %s using Basic",
con->http.fd, username);
break;
case CUPSD_AUTH_BASICDIGEST :
if (!get_md5_password(username, NULL, md5))
{
cupsdLogMessage(CUPSD_LOG_ERROR,
"[Client %d] Unknown MD5 username \"%s\".",
con->http.fd, username);
return;
}
httpMD5(username, "CUPS", password, basicmd5);
if (strcmp(md5, basicmd5))
{
cupsdLogMessage(CUPSD_LOG_ERROR,
"[Client %d] Authentication failed for \"%s\".",
con->http.fd, username);
return;
}
cupsdLogMessage(CUPSD_LOG_DEBUG,
"[Client %d] Authorized as %s using BasicDigest",
con->http.fd, username);
break;
}
con->type = type;
}
else if (!strncmp(authorization, "Digest", 6))
{
if (!httpGetSubField2(&(con->http), HTTP_FIELD_AUTHORIZATION, "username",
username, sizeof(username)) || !username[0])
{
cupsdLogMessage(CUPSD_LOG_ERROR,
"[Client %d] Empty or missing Digest username.",
con->http.fd);
return;
}
if (!httpGetSubField2(&(con->http), HTTP_FIELD_AUTHORIZATION, "response",
password, sizeof(password)) || !password[0])
{
cupsdLogMessage(CUPSD_LOG_ERROR,
"[Client %d] Empty or missing Digest password.",
con->http.fd);
return;
}
if (!httpGetSubField(&(con->http), HTTP_FIELD_AUTHORIZATION, "nonce",
nonce))
{
cupsdLogMessage(CUPSD_LOG_ERROR,
"[Client %d] No nonce value for Digest authentication.",
con->http.fd);
return;
}
if (strcmp(con->http.hostname, nonce))
{
cupsdLogMessage(CUPSD_LOG_ERROR,
"[Client %d] Bad nonce value, expected \"%s\", "
"got \"%s\".", con->http.fd, con->http.hostname, nonce);
return;
}
if (!get_md5_password(username, NULL, md5))
{
cupsdLogMessage(CUPSD_LOG_ERROR,
"[Client %d] Unknown MD5 username \"%s\".",
con->http.fd, username);
return;
}
httpMD5Final(nonce, states[con->http.state], con->uri, md5);
if (strcmp(md5, password))
{
cupsdLogMessage(CUPSD_LOG_ERROR,
"[Client %d] Authentication failed for \"%s\".",
con->http.fd, username);
return;
}
cupsdLogMessage(CUPSD_LOG_DEBUG,
"[Client %d] Authorized as %s using Digest", con->http.fd,
username);
con->type = CUPSD_AUTH_DIGEST;
}
#ifdef HAVE_GSSAPI
else if (!strncmp(authorization, "Negotiate", 9))
{
int len;
gss_ctx_id_t context;
OM_uint32 major_status,
minor_status;
gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER,
output_token = GSS_C_EMPTY_BUFFER;
gss_name_t client_name;
# ifdef __APPLE__
if (gss_init_sec_context == NULL)
{
cupsdLogMessage(CUPSD_LOG_WARN,
"[Client %d] GSSAPI/Kerberos authentication failed "
"because the Kerberos framework is not present.",
con->http.fd);
return;
}
# endif
authorization += 9;
while (isspace(*authorization & 255))
authorization ++;
if (!*authorization)
{
cupsdLogMessage(CUPSD_LOG_DEBUG2,
"[Client %d] No authentication data specified.",
con->http.fd);
return;
}
len = strlen(authorization);
input_token.value = malloc(len);
input_token.value = httpDecode64_2(input_token.value, &len,
authorization);
input_token.length = len;
context = GSS_C_NO_CONTEXT;
client_name = GSS_C_NO_NAME;
major_status = gss_accept_sec_context(&minor_status,
&context,
ServerCreds,
&input_token,
GSS_C_NO_CHANNEL_BINDINGS,
&client_name,
NULL,
&output_token,
NULL,
NULL,
NULL);
if (output_token.length > 0)
gss_release_buffer(&minor_status, &output_token);
if (GSS_ERROR(major_status))
{
cupsdLogGSSMessage(CUPSD_LOG_DEBUG, major_status, minor_status,
"[Client %d] Error accepting GSSAPI security context",
con->http.fd);
if (context != GSS_C_NO_CONTEXT)
gss_delete_sec_context(&minor_status, &context, GSS_C_NO_BUFFER);
return;
}
con->have_gss = 1;
if (major_status == GSS_S_CONTINUE_NEEDED)
cupsdLogGSSMessage(CUPSD_LOG_DEBUG, major_status, minor_status,
"[Client %d] Credentials not complete", con->http.fd);
else if (major_status == GSS_S_COMPLETE)
{
major_status = gss_display_name(&minor_status, client_name,
&output_token, NULL);
if (GSS_ERROR(major_status))
{
cupsdLogGSSMessage(CUPSD_LOG_DEBUG, major_status, minor_status,
"[Client %d] Error getting username", con->http.fd);
gss_release_name(&minor_status, &client_name);
gss_delete_sec_context(&minor_status, &context, GSS_C_NO_BUFFER);
return;
}
strlcpy(username, output_token.value, sizeof(username));
cupsdLogMessage(CUPSD_LOG_DEBUG,
"[Client %d] Authorized as %s using Negotiate",
con->http.fd, username);
gss_release_name(&minor_status, &client_name);
gss_release_buffer(&minor_status, &output_token);
con->type = CUPSD_AUTH_NEGOTIATE;
}
gss_delete_sec_context(&minor_status, &context, GSS_C_NO_BUFFER);
# if defined(SO_PEERCRED) && defined(AF_LOCAL)
if (_httpAddrFamily(con->http.hostaddr) == AF_LOCAL)
{
cupsd_ucred_t peercred;
socklen_t peersize;
peersize = sizeof(peercred);
# ifdef __APPLE__
if (getsockopt(con->http.fd, 0, LOCAL_PEERCRED, &peercred, &peersize))
# else
if (getsockopt(con->http.fd, SOL_SOCKET, SO_PEERCRED, &peercred,
&peersize))
# endif
{
cupsdLogMessage(CUPSD_LOG_ERROR,
"[Client %d] Unable to get peer credentials - %s",
con->http.fd, strerror(errno));
}
else
{
cupsdLogMessage(CUPSD_LOG_DEBUG,
"[Client %d] Using credentials for UID %d.",
con->http.fd, CUPSD_UCRED_UID(peercred));
con->gss_uid = CUPSD_UCRED_UID(peercred);
}
}
# endif
}
#endif
else
{
char scheme[256];
if (sscanf(authorization, "%255s", scheme) != 1)
strcpy(scheme, "UNKNOWN");
cupsdLogMessage(CUPSD_LOG_ERROR,
"[Client %d] Bad authentication data \"%s ...\"",
con->http.fd, scheme);
return;
}
strlcpy(con->username, username, sizeof(con->username));
strlcpy(con->password, password, sizeof(con->password));
}
int
cupsdCheckAccess(
unsigned ip[4],
char *name,
int namelen,
cupsd_location_t *loc)
{
int allow;
if (!_cups_strcasecmp(name, "localhost"))
{
return (1);
}
else
{
switch (loc->order_type)
{
default :
allow = 0;
break;
case CUPSD_AUTH_ALLOW :
allow = 1;
if (cupsdCheckAuth(ip, name, namelen, loc->deny))
allow = 0;
if (cupsdCheckAuth(ip, name, namelen, loc->allow))
allow = 1;
break;
case CUPSD_AUTH_DENY :
allow = 0;
if (cupsdCheckAuth(ip, name, namelen, loc->allow))
allow = 1;
if (cupsdCheckAuth(ip, name, namelen, loc->deny))
allow = 0;
break;
}
}
return (allow);
}
int
cupsdCheckAuth(unsigned ip[4],
char *name,
int name_len,
cups_array_t *masks)
{
int i;
cupsd_authmask_t *mask;
cupsd_netif_t *iface;
unsigned netip4;
#ifdef AF_INET6
unsigned netip6[4];
#endif
for (mask = (cupsd_authmask_t *)cupsArrayFirst(masks);
mask;
mask = (cupsd_authmask_t *)cupsArrayNext(masks))
{
switch (mask->type)
{
case CUPSD_AUTH_INTERFACE :
netip4 = htonl(ip[3]);
#ifdef AF_INET6
netip6[0] = htonl(ip[0]);
netip6[1] = htonl(ip[1]);
netip6[2] = htonl(ip[2]);
netip6[3] = htonl(ip[3]);
#endif
if (!strcmp(mask->mask.name.name, "*"))
{
#ifdef __APPLE__
if ((ip[0] & 0xff000000) == 0xfd000000)
return (1);
#endif
cupsdNetIFUpdate();
for (iface = (cupsd_netif_t *)cupsArrayFirst(NetIFList);
iface;
iface = (cupsd_netif_t *)cupsArrayNext(NetIFList))
{
if (!iface->is_local)
continue;
if (iface->address.addr.sa_family == AF_INET)
{
if ((netip4 & iface->mask.ipv4.sin_addr.s_addr) ==
(iface->address.ipv4.sin_addr.s_addr &
iface->mask.ipv4.sin_addr.s_addr))
return (1);
}
#ifdef AF_INET6
else
{
for (i = 0; i < 4; i ++)
if ((netip6[i] & iface->mask.ipv6.sin6_addr.s6_addr32[i]) !=
(iface->address.ipv6.sin6_addr.s6_addr32[i] &
iface->mask.ipv6.sin6_addr.s6_addr32[i]))
break;
if (i == 4)
return (1);
}
#endif
}
}
else
{
for (iface = (cupsd_netif_t *)cupsArrayFirst(NetIFList);
iface;
iface = (cupsd_netif_t *)cupsArrayNext(NetIFList))
{
if (strcmp(mask->mask.name.name, iface->name))
continue;
if (iface->address.addr.sa_family == AF_INET)
{
if ((netip4 & iface->mask.ipv4.sin_addr.s_addr) ==
(iface->address.ipv4.sin_addr.s_addr &
iface->mask.ipv4.sin_addr.s_addr))
return (1);
}
#ifdef AF_INET6
else
{
for (i = 0; i < 4; i ++)
if ((netip6[i] & iface->mask.ipv6.sin6_addr.s6_addr32[i]) !=
(iface->address.ipv6.sin6_addr.s6_addr32[i] &
iface->mask.ipv6.sin6_addr.s6_addr32[i]))
break;
if (i == 4)
return (1);
}
#endif
}
}
break;
case CUPSD_AUTH_NAME :
if (!_cups_strcasecmp(name, mask->mask.name.name))
return (1);
if (name_len >= mask->mask.name.length &&
mask->mask.name.name[0] == '.' &&
!_cups_strcasecmp(name + name_len - mask->mask.name.length,
mask->mask.name.name))
return (1);
break;
case CUPSD_AUTH_IP :
for (i = 0; i < 4; i ++)
if ((ip[i] & mask->mask.ip.netmask[i]) !=
mask->mask.ip.address[i])
break;
if (i == 4)
return (1);
break;
}
}
return (0);
}
int
cupsdCheckGroup(
const char *username,
struct passwd *user,
const char *groupname)
{
int i;
struct group *group;
char junk[33];
#ifdef HAVE_MBR_UID_TO_UUID
uuid_t useruuid,
groupuuid;
int is_member;
#endif
cupsdLogMessage(CUPSD_LOG_DEBUG2,
"cupsdCheckGroup(username=\"%s\", user=%p, groupname=\"%s\")",
username, user, groupname);
if (!username || !groupname)
return (0);
group = getgrnam(groupname);
endgrent();
if (group != NULL)
{
for (i = 0; group->gr_mem[i]; i ++)
if (!_cups_strcasecmp(username, group->gr_mem[i]))
return (1);
}
if (user && group && group->gr_gid == user->pw_gid)
return (1);
#ifdef HAVE_MBR_UID_TO_UUID
if (user && !mbr_uid_to_uuid(user->pw_uid, useruuid))
{
if (group)
{
if (!mbr_gid_to_uuid(group->gr_gid, groupuuid))
if (!mbr_check_membership(useruuid, groupuuid, &is_member))
if (is_member)
return (1);
}
else if (groupname[0] == '#')
{
if (!uuid_parse((char *)groupname + 1, groupuuid))
{
if (!uuid_compare(useruuid, groupuuid))
return (1);
else if (!mbr_check_membership(useruuid, groupuuid, &is_member))
if (is_member)
return (1);
}
return (0);
}
}
else if (groupname[0] == '#')
return (0);
#endif
if (get_md5_password(username, groupname, junk) != NULL)
return (1);
return (0);
}
cupsd_location_t *
cupsdCopyLocation(
cupsd_location_t *loc)
{
cupsd_location_t *temp;
if ((temp = calloc(1, sizeof(cupsd_location_t))) == NULL)
return (NULL);
if (!loc)
return (temp);
if (loc->location)
temp->location = _cupsStrAlloc(loc->location);
temp->limit = loc->limit;
temp->order_type = loc->order_type;
temp->type = loc->type;
temp->level = loc->level;
temp->satisfy = loc->satisfy;
temp->encryption = loc->encryption;
if (loc->names)
{
if ((temp->names = cupsArrayDup(loc->names)) == NULL)
{
cupsdLogMessage(CUPSD_LOG_ERROR,
"Unable to allocate memory for %d names: %s",
cupsArrayCount(loc->names), strerror(errno));
cupsdFreeLocation(temp);
return (NULL);
}
}
if (loc->allow)
{
if ((temp->allow = cupsArrayDup(loc->allow)) == NULL)
{
cupsdLogMessage(CUPSD_LOG_ERROR,
"Unable to allocate memory for %d allow rules: %s",
cupsArrayCount(loc->allow), strerror(errno));
cupsdFreeLocation(temp);
return (NULL);
}
}
if (loc->deny)
{
if ((temp->deny = cupsArrayDup(loc->deny)) == NULL)
{
cupsdLogMessage(CUPSD_LOG_ERROR,
"Unable to allocate memory for %d deny rules: %s",
cupsArrayCount(loc->deny), strerror(errno));
cupsdFreeLocation(temp);
return (NULL);
}
}
return (temp);
}
void
cupsdDeleteAllLocations(void)
{
cupsArrayDelete(Locations);
Locations = NULL;
}
cupsd_location_t *
cupsdFindBest(const char *path,
http_state_t state)
{
char uri[HTTP_MAX_URI],
*uriptr;
cupsd_location_t *loc,
*best;
int bestlen;
int limit;
static const int limits[] =
{
CUPSD_AUTH_LIMIT_ALL,
CUPSD_AUTH_LIMIT_OPTIONS,
CUPSD_AUTH_LIMIT_GET,
CUPSD_AUTH_LIMIT_GET,
CUPSD_AUTH_LIMIT_HEAD,
CUPSD_AUTH_LIMIT_POST,
CUPSD_AUTH_LIMIT_POST,
CUPSD_AUTH_LIMIT_POST,
CUPSD_AUTH_LIMIT_PUT,
CUPSD_AUTH_LIMIT_PUT,
CUPSD_AUTH_LIMIT_DELETE,
CUPSD_AUTH_LIMIT_TRACE,
CUPSD_AUTH_LIMIT_ALL,
CUPSD_AUTH_LIMIT_ALL
};
strlcpy(uri, path, sizeof(uri));
if (!strncmp(uri, "/printers/", 10) ||
!strncmp(uri, "/classes/", 9))
{
uriptr = uri + strlen(uri) - 4;
if (!strcmp(uriptr, ".ppd"))
*uriptr = '\0';
}
cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdFindBest: uri = \"%s\"...", uri);
limit = limits[state];
best = NULL;
bestlen = 0;
for (loc = (cupsd_location_t *)cupsArrayFirst(Locations);
loc;
loc = (cupsd_location_t *)cupsArrayNext(Locations))
{
cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdFindBest: Location %s Limit %x",
loc->location ? loc->location : "nil", loc->limit);
if (!strncmp(uri, "/printers/", 10) || !strncmp(uri, "/classes/", 9))
{
if (loc->length > bestlen && loc->location &&
!_cups_strncasecmp(uri, loc->location, loc->length) &&
loc->location[0] == '/' &&
(limit & loc->limit) != 0)
{
best = loc;
bestlen = loc->length;
}
}
else
{
if (loc->length > bestlen && loc->location &&
!strncmp(uri, loc->location, loc->length) &&
loc->location[0] == '/' &&
(limit & loc->limit) != 0)
{
best = loc;
bestlen = loc->length;
}
}
}
cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdFindBest: best = %s",
best ? best->location : "NONE");
return (best);
}
cupsd_location_t *
cupsdFindLocation(const char *location)
{
cupsd_location_t key;
key.location = (char *)location;
return ((cupsd_location_t *)cupsArrayFind(Locations, &key));
}
void
cupsdFreeLocation(cupsd_location_t *loc)
{
cupsArrayDelete(loc->names);
cupsArrayDelete(loc->allow);
cupsArrayDelete(loc->deny);
_cupsStrFree(loc->location);
free(loc);
}
http_status_t
cupsdIsAuthorized(cupsd_client_t *con,
const char *owner)
{
int i,
auth,
type;
unsigned address[4];
cupsd_location_t *best;
int hostlen;
char *name,
username[256],
ownername[256],
*ptr;
struct passwd *pw;
static const char * const levels[] =
{
"ANON",
"USER",
"GROUP"
};
static const char * const types[] =
{
"None",
"Basic",
"Digest",
"BasicDigest",
"Negotiate"
};
cupsdLogMessage(CUPSD_LOG_DEBUG2,
"cupsdIsAuthorized: con->uri=\"%s\", con->best=%p(%s)",
con->uri, con->best, con->best ? con->best->location ?
con->best->location : "(null)" : "");
if (owner)
cupsdLogMessage(CUPSD_LOG_DEBUG2,
"cupsdIsAuthorized: owner=\"%s\"", owner);
if (!con->best)
{
if (!strcmp(con->http.hostname, "localhost") ||
!strcmp(con->http.hostname, ServerName))
return (HTTP_OK);
else
return (HTTP_FORBIDDEN);
}
best = con->best;
if ((type = best->type) == CUPSD_AUTH_DEFAULT)
type = cupsdDefaultAuthType();
cupsdLogMessage(CUPSD_LOG_DEBUG2,
"cupsdIsAuthorized: level=CUPSD_AUTH_%s, type=%s, "
"satisfy=CUPSD_AUTH_SATISFY_%s, num_names=%d",
levels[best->level], types[type],
best->satisfy ? "ANY" : "ALL", cupsArrayCount(best->names));
if (best->limit == CUPSD_AUTH_LIMIT_IPP)
cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdIsAuthorized: op=%x(%s)",
best->op, ippOpString(best->op));
#ifdef AF_INET6
if (con->http.hostaddr->addr.sa_family == AF_INET6)
{
address[0] = ntohl(con->http.hostaddr->ipv6.sin6_addr.s6_addr32[0]);
address[1] = ntohl(con->http.hostaddr->ipv6.sin6_addr.s6_addr32[1]);
address[2] = ntohl(con->http.hostaddr->ipv6.sin6_addr.s6_addr32[2]);
address[3] = ntohl(con->http.hostaddr->ipv6.sin6_addr.s6_addr32[3]);
}
else
#endif
if (con->http.hostaddr->addr.sa_family == AF_INET)
{
address[0] = 0;
address[1] = 0;
address[2] = 0;
address[3] = ntohl(con->http.hostaddr->ipv4.sin_addr.s_addr);
}
else
memset(address, 0, sizeof(address));
hostlen = strlen(con->http.hostname);
auth = cupsdCheckAccess(address, con->http.hostname, hostlen, best)
? CUPSD_AUTH_ALLOW : CUPSD_AUTH_DENY;
cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdIsAuthorized: auth=CUPSD_AUTH_%s...",
auth ? "DENY" : "ALLOW");
if (auth == CUPSD_AUTH_DENY && best->satisfy == CUPSD_AUTH_SATISFY_ALL)
return (HTTP_FORBIDDEN);
#ifdef HAVE_SSL
if ((best->encryption >= HTTP_ENCRYPT_REQUIRED && !con->http.tls &&
_cups_strcasecmp(con->http.hostname, "localhost") &&
best->satisfy == CUPSD_AUTH_SATISFY_ALL) &&
!(type == CUPSD_AUTH_NEGOTIATE ||
(type == CUPSD_AUTH_NONE &&
cupsdDefaultAuthType() == CUPSD_AUTH_NEGOTIATE)))
{
cupsdLogMessage(CUPSD_LOG_DEBUG,
"cupsdIsAuthorized: Need upgrade to TLS...");
return (HTTP_UPGRADE_REQUIRED);
}
#endif
if (best->level == CUPSD_AUTH_ANON ||
(type == CUPSD_AUTH_NONE && cupsArrayCount(best->names) == 0))
return (HTTP_OK);
if (!con->username[0] && type == CUPSD_AUTH_NONE &&
best->limit == CUPSD_AUTH_LIMIT_IPP)
{
ipp_attribute_t *attr;
attr = ippFindAttribute(con->request, "requesting-user-name", IPP_TAG_NAME);
if (attr)
{
cupsdLogMessage(CUPSD_LOG_DEBUG,
"cupsdIsAuthorized: requesting-user-name=\"%s\"",
attr->values[0].string.text);
strlcpy(username, attr->values[0].string.text, sizeof(username));
}
else if (best->satisfy == CUPSD_AUTH_SATISFY_ALL || auth == CUPSD_AUTH_DENY)
return (HTTP_UNAUTHORIZED);
else
return (HTTP_OK);
}
else
{
cupsdLogMessage(CUPSD_LOG_DEBUG, "cupsdIsAuthorized: username=\"%s\"",
con->username);
#ifdef HAVE_AUTHORIZATION_H
if (!con->username[0] && !con->authref)
#else
if (!con->username[0])
#endif
{
if (best->satisfy == CUPSD_AUTH_SATISFY_ALL || auth == CUPSD_AUTH_DENY)
return (HTTP_UNAUTHORIZED);
else
return (HTTP_OK);
}
if (con->type != type && type != CUPSD_AUTH_NONE &&
#ifdef HAVE_GSSAPI
(type != CUPSD_AUTH_NEGOTIATE || con->gss_uid <= 0) &&
#endif
(con->type != CUPSD_AUTH_BASIC || type != CUPSD_AUTH_BASICDIGEST))
{
cupsdLogMessage(CUPSD_LOG_ERROR, "Authorized using %s, expected %s!",
types[con->type], types[type]);
return (HTTP_UNAUTHORIZED);
}
strlcpy(username, con->username, sizeof(username));
}
if (!strcmp(username, "root"))
return (HTTP_OK);
if ((ptr = strchr(username, '@')) != NULL)
*ptr = '\0';
if (owner)
{
strlcpy(ownername, owner, sizeof(ownername));
if ((ptr = strchr(ownername, '@')) != NULL)
*ptr = '\0';
}
else
ownername[0] = '\0';
if (username[0])
{
pw = getpwnam(username);
endpwent();
}
else
pw = NULL;
if (best->level == CUPSD_AUTH_USER)
{
if (cupsArrayCount(best->names) == 0)
return (HTTP_OK);
cupsdLogMessage(CUPSD_LOG_DEBUG2,
"cupsdIsAuthorized: Checking user membership...");
#ifdef HAVE_AUTHORIZATION_H
if (con->authref)
{
for (name = (char *)cupsArrayFirst(best->names);
name;
name = (char *)cupsArrayNext(best->names))
{
if (!_cups_strncasecmp(name, "@AUTHKEY(", 9) && check_authref(con, name + 9))
return (HTTP_OK);
else if (!_cups_strcasecmp(name, "@SYSTEM") && SystemGroupAuthKey &&
check_authref(con, SystemGroupAuthKey))
return (HTTP_OK);
}
return (HTTP_FORBIDDEN);
}
#endif
for (name = (char *)cupsArrayFirst(best->names);
name;
name = (char *)cupsArrayNext(best->names))
{
if (!_cups_strcasecmp(name, "@OWNER") && owner &&
!_cups_strcasecmp(username, ownername))
return (HTTP_OK);
else if (!_cups_strcasecmp(name, "@SYSTEM"))
{
for (i = 0; i < NumSystemGroups; i ++)
if (cupsdCheckGroup(username, pw, SystemGroups[i]))
return (HTTP_OK);
}
else if (name[0] == '@')
{
if (cupsdCheckGroup(username, pw, name + 1))
return (HTTP_OK);
}
else if (!_cups_strcasecmp(username, name))
return (HTTP_OK);
}
return (con->username[0] ? HTTP_FORBIDDEN : HTTP_UNAUTHORIZED);
}
cupsdLogMessage(CUPSD_LOG_DEBUG2,
"cupsdIsAuthorized: Checking group membership...");
for (name = (char *)cupsArrayFirst(best->names);
name;
name = (char *)cupsArrayNext(best->names))
{
cupsdLogMessage(CUPSD_LOG_DEBUG2,
"cupsdIsAuthorized: Checking group \"%s\" membership...",
name);
if (!_cups_strcasecmp(name, "@SYSTEM"))
{
for (i = 0; i < NumSystemGroups; i ++)
if (cupsdCheckGroup(username, pw, SystemGroups[i]))
return (HTTP_OK);
}
else if (cupsdCheckGroup(username, pw, name))
return (HTTP_OK);
}
cupsdLogMessage(CUPSD_LOG_DEBUG,
"cupsdIsAuthorized: User not in group(s)!");
return (con->username[0] ? HTTP_FORBIDDEN : HTTP_UNAUTHORIZED);
}
cupsd_location_t *
cupsdNewLocation(const char *location)
{
cupsd_location_t *temp;
if ((temp = calloc(1, sizeof(cupsd_location_t))) == NULL)
return (NULL);
if ((temp->location = _cupsStrAlloc(location)) == NULL)
{
free(temp);
return (NULL);
}
temp->length = strlen(temp->location);
return (temp);
}
#ifdef HAVE_AUTHORIZATION_H
static int
check_authref(cupsd_client_t *con,
const char *right)
{
OSStatus status;
AuthorizationItem authright;
AuthorizationRights authrights;
AuthorizationFlags authflags;
if (!con->authref)
return (0);
authright.name = right;
authright.valueLength = 0;
authright.value = NULL;
authright.flags = 0;
authrights.count = 1;
authrights.items = &authright;
authflags = kAuthorizationFlagDefaults |
kAuthorizationFlagExtendRights;
if ((status = AuthorizationCopyRights(con->authref, &authrights,
kAuthorizationEmptyEnvironment,
authflags, NULL)) != 0)
{
cupsdLogMessage(CUPSD_LOG_ERROR,
"AuthorizationCopyRights(\"%s\") returned %d (%s)",
authright.name, (int)status, cssmErrorString(status));
return (0);
}
cupsdLogMessage(CUPSD_LOG_DEBUG2,
"AuthorizationCopyRights(\"%s\") succeeded!",
authright.name);
return (1);
}
#endif
static int
compare_locations(cupsd_location_t *a,
cupsd_location_t *b)
{
return (strcmp(b->location, a->location));
}
static cupsd_authmask_t *
copy_authmask(cupsd_authmask_t *mask,
void *data)
{
cupsd_authmask_t *temp;
(void)data;
if ((temp = malloc(sizeof(cupsd_authmask_t))) != NULL)
{
memcpy(temp, mask, sizeof(cupsd_authmask_t));
if (temp->type == CUPSD_AUTH_NAME || temp->type == CUPSD_AUTH_INTERFACE)
{
if ((temp->mask.name.name = _cupsStrAlloc(temp->mask.name.name)) == NULL)
{
free(temp);
temp = NULL;
}
}
}
return (temp);
}
#if !HAVE_LIBPAM && !defined(HAVE_USERSEC_H)
static char *
cups_crypt(const char *pw,
const char *salt)
{
if (!strncmp(salt, "$1$", 3))
{
int i;
unsigned long n;
int pwlen;
const char *salt_end;
char *ptr;
_cups_md5_state_t state;
_cups_md5_state_t state2;
unsigned char digest[16];
static char result[120];
for (salt_end = salt + 3; *salt_end && (salt_end - salt) < 11; salt_end ++)
if (*salt_end == '$')
break;
pwlen = strlen(pw);
_cupsMD5Init(&state);
_cupsMD5Append(&state, (unsigned char *)pw, pwlen);
_cupsMD5Append(&state, (unsigned char *)salt, salt_end - salt);
_cupsMD5Init(&state2);
_cupsMD5Append(&state2, (unsigned char *)pw, pwlen);
_cupsMD5Append(&state2, (unsigned char *)salt + 3, salt_end - salt - 3);
_cupsMD5Append(&state2, (unsigned char *)pw, pwlen);
_cupsMD5Finish(&state2, digest);
for (i = pwlen; i > 0; i -= 16)
_cupsMD5Append(&state, digest, i > 16 ? 16 : i);
for (i = pwlen; i > 0; i >>= 1)
_cupsMD5Append(&state, (unsigned char *)((i & 1) ? "" : pw), 1);
_cupsMD5Finish(&state, digest);
for (i = 0; i < 1000; i ++)
{
_cupsMD5Init(&state);
if (i & 1)
_cupsMD5Append(&state, (unsigned char *)pw, pwlen);
else
_cupsMD5Append(&state, digest, 16);
if (i % 3)
_cupsMD5Append(&state, (unsigned char *)salt + 3, salt_end - salt - 3);
if (i % 7)
_cupsMD5Append(&state, (unsigned char *)pw, pwlen);
if (i & 1)
_cupsMD5Append(&state, digest, 16);
else
_cupsMD5Append(&state, (unsigned char *)pw, pwlen);
_cupsMD5Finish(&state, digest);
}
memcpy(result, salt, salt_end - salt);
ptr = result + (salt_end - salt);
*ptr++ = '$';
for (i = 0; i < 5; i ++, ptr += 4)
{
n = (((digest[i] << 8) | digest[i + 6]) << 8);
if (i < 4)
n |= digest[i + 12];
else
n |= digest[5];
to64(ptr, n, 4);
}
to64(ptr, digest[11], 2);
ptr += 2;
*ptr = '\0';
return (result);
}
else
{
return (crypt(pw, salt));
}
}
#endif
static void
free_authmask(cupsd_authmask_t *mask,
void *data)
{
(void)data;
if (mask->type == CUPSD_AUTH_NAME || mask->type == CUPSD_AUTH_INTERFACE)
_cupsStrFree(mask->mask.name.name);
free(mask);
}
static char *
get_md5_password(const char *username,
const char *group,
char passwd[33])
{
cups_file_t *fp;
char filename[1024],
line[256],
tempuser[33],
tempgroup[33];
cupsdLogMessage(CUPSD_LOG_DEBUG2,
"get_md5_password(username=\"%s\", group=\"%s\", passwd=%p)",
username, group ? group : "(null)", passwd);
snprintf(filename, sizeof(filename), "%s/passwd.md5", ServerRoot);
if ((fp = cupsFileOpen(filename, "r")) == NULL)
{
if (errno != ENOENT)
cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to open %s - %s", filename,
strerror(errno));
return (NULL);
}
while (cupsFileGets(fp, line, sizeof(line)) != NULL)
{
if (sscanf(line, "%32[^:]:%32[^:]:%32s", tempuser, tempgroup, passwd) != 3)
{
cupsdLogMessage(CUPSD_LOG_ERROR, "Bad MD5 password line: %s", line);
continue;
}
if (!strcmp(username, tempuser) &&
(group == NULL || !strcmp(group, tempgroup)))
{
cupsdLogMessage(CUPSD_LOG_DEBUG2, "Found MD5 user %s, group %s...",
username, tempgroup);
cupsFileClose(fp);
return (passwd);
}
}
cupsFileClose(fp);
return (NULL);
}
#if HAVE_LIBPAM
static int
pam_func(
int num_msg,
const struct pam_message **msg,
struct pam_response **resp,
void *appdata_ptr)
{
int i;
struct pam_response *replies;
cupsd_authdata_t *data;
if ((replies = malloc(sizeof(struct pam_response) * num_msg)) == NULL)
return (PAM_CONV_ERR);
DEBUG_printf(("pam_func: appdata_ptr = %p\n", appdata_ptr));
#ifdef __hpux
data = auth_data;
(void)appdata_ptr;
#else
data = (cupsd_authdata_t *)appdata_ptr;
#endif
for (i = 0; i < num_msg; i ++)
{
DEBUG_printf(("pam_func: Message = \"%s\"\n", msg[i]->msg));
switch (msg[i]->msg_style)
{
case PAM_PROMPT_ECHO_ON:
DEBUG_printf(("pam_func: PAM_PROMPT_ECHO_ON, returning \"%s\"...\n",
data->username));
replies[i].resp_retcode = PAM_SUCCESS;
replies[i].resp = strdup(data->username);
break;
case PAM_PROMPT_ECHO_OFF:
DEBUG_printf(("pam_func: PAM_PROMPT_ECHO_OFF, returning \"%s\"...\n",
data->password));
replies[i].resp_retcode = PAM_SUCCESS;
replies[i].resp = strdup(data->password);
break;
case PAM_TEXT_INFO:
DEBUG_puts("pam_func: PAM_TEXT_INFO...");
replies[i].resp_retcode = PAM_SUCCESS;
replies[i].resp = NULL;
break;
case PAM_ERROR_MSG:
DEBUG_puts("pam_func: PAM_ERROR_MSG...");
replies[i].resp_retcode = PAM_SUCCESS;
replies[i].resp = NULL;
break;
default:
DEBUG_printf(("pam_func: Unknown PAM message %d...\n",
msg[i]->msg_style));
free(replies);
return (PAM_CONV_ERR);
}
}
*resp = replies;
return (PAM_SUCCESS);
}
#elif !defined(HAVE_USERSEC_H)
static void
to64(char *s,
unsigned long v,
int n)
{
const char *itoa64 = "./0123456789"
"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
"abcdefghijklmnopqrstuvwxyz";
for (; n > 0; n --, v >>= 6)
*s++ = itoa64[v & 0x3f];
}
#endif