#include <sys/stat.h>
static int tls_auto_create = 0;
static char *tls_common_name = NULL;
static char *tls_keypath = NULL;
static _cups_mutex_t tls_mutex = _CUPS_MUTEX_INITIALIZER;
static gnutls_x509_crt_t http_gnutls_create_credential(http_credential_t *credential);
static const char *http_gnutls_default_path(char *buffer, size_t bufsize);
static const char *http_gnutls_make_path(char *buffer, size_t bufsize, const char *dirname, const char *filename, const char *ext);
static ssize_t http_gnutls_read(gnutls_transport_ptr_t ptr, void *data, size_t length);
static ssize_t http_gnutls_write(gnutls_transport_ptr_t ptr, const void *data, size_t length);
int
cupsMakeServerCredentials(
const char *path,
const char *common_name,
int num_alt_names,
const char **alt_names,
time_t expiration_date)
{
gnutls_x509_crt_t crt;
gnutls_x509_privkey_t key;
char temp[1024],
crtfile[1024],
keyfile[1024];
cups_lang_t *language;
cups_file_t *fp;
unsigned char buffer[8192];
size_t bytes;
unsigned char serial[4];
time_t curtime;
int result;
DEBUG_printf(("cupsMakeServerCredentials(path=\"%s\", common_name=\"%s\", num_alt_names=%d, alt_names=%p, expiration_date=%d)", path, common_name, num_alt_names, alt_names, (int)expiration_date));
if (!path)
path = http_gnutls_default_path(temp, sizeof(temp));
if (!path || !common_name)
{
_cupsSetError(IPP_STATUS_ERROR_INTERNAL, strerror(EINVAL), 0);
return (0);
}
http_gnutls_make_path(crtfile, sizeof(crtfile), path, common_name, "crt");
http_gnutls_make_path(keyfile, sizeof(keyfile), path, common_name, "key");
DEBUG_puts("1cupsMakeServerCredentials: Creating key pair.");
gnutls_x509_privkey_init(&key);
gnutls_x509_privkey_generate(key, GNUTLS_PK_RSA, 2048, 0);
DEBUG_puts("1cupsMakeServerCredentials: Key pair created.");
bytes = sizeof(buffer);
if ((result = gnutls_x509_privkey_export(key, GNUTLS_X509_FMT_PEM, buffer, &bytes)) < 0)
{
DEBUG_printf(("1cupsMakeServerCredentials: Unable to export private key: %s", gnutls_strerror(result)));
_cupsSetError(IPP_STATUS_ERROR_INTERNAL, gnutls_strerror(result), 0);
gnutls_x509_privkey_deinit(key);
return (0);
}
else if ((fp = cupsFileOpen(keyfile, "w")) != NULL)
{
DEBUG_printf(("1cupsMakeServerCredentials: Writing private key to \"%s\".", keyfile));
cupsFileWrite(fp, (char *)buffer, bytes);
cupsFileClose(fp);
}
else
{
DEBUG_printf(("1cupsMakeServerCredentials: Unable to create private key file \"%s\": %s", keyfile, strerror(errno)));
_cupsSetError(IPP_STATUS_ERROR_INTERNAL, strerror(errno), 0);
gnutls_x509_privkey_deinit(key);
return (0);
}
DEBUG_puts("1cupsMakeServerCredentials: Generating self-signed X.509 certificate.");
language = cupsLangDefault();
curtime = time(NULL);
serial[0] = curtime >> 24;
serial[1] = curtime >> 16;
serial[2] = curtime >> 8;
serial[3] = curtime;
gnutls_x509_crt_init(&crt);
if (strlen(language->language) == 5)
gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_X520_COUNTRY_NAME, 0,
language->language + 3, 2);
else
gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_X520_COUNTRY_NAME, 0,
"US", 2);
gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_X520_COMMON_NAME, 0,
common_name, strlen(common_name));
gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_X520_ORGANIZATION_NAME, 0,
common_name, strlen(common_name));
gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME,
0, "Unknown", 7);
gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME, 0,
"Unknown", 7);
gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_X520_LOCALITY_NAME, 0,
"Unknown", 7);
gnutls_x509_crt_set_key(crt, key);
gnutls_x509_crt_set_serial(crt, serial, sizeof(serial));
gnutls_x509_crt_set_activation_time(crt, curtime);
gnutls_x509_crt_set_expiration_time(crt, curtime + 10 * 365 * 86400);
gnutls_x509_crt_set_ca_status(crt, 0);
if (num_alt_names > 0)
gnutls_x509_crt_set_subject_alternative_name(crt, GNUTLS_SAN_DNSNAME, alt_names[0]);
gnutls_x509_crt_set_key_purpose_oid(crt, GNUTLS_KP_TLS_WWW_SERVER, 0);
gnutls_x509_crt_set_key_usage(crt, GNUTLS_KEY_KEY_ENCIPHERMENT);
gnutls_x509_crt_set_version(crt, 3);
bytes = sizeof(buffer);
if (gnutls_x509_crt_get_key_id(crt, 0, buffer, &bytes) >= 0)
gnutls_x509_crt_set_subject_key_id(crt, buffer, bytes);
gnutls_x509_crt_sign(crt, crt, key);
bytes = sizeof(buffer);
if ((result = gnutls_x509_crt_export(crt, GNUTLS_X509_FMT_PEM, buffer, &bytes)) < 0)
{
DEBUG_printf(("1cupsMakeServerCredentials: Unable to export public key and X.509 certificate: %s", gnutls_strerror(result)));
_cupsSetError(IPP_STATUS_ERROR_INTERNAL, gnutls_strerror(result), 0);
gnutls_x509_crt_deinit(crt);
gnutls_x509_privkey_deinit(key);
return (0);
}
else if ((fp = cupsFileOpen(crtfile, "w")) != NULL)
{
DEBUG_printf(("1cupsMakeServerCredentials: Writing public key and X.509 certificate to \"%s\".", crtfile));
cupsFileWrite(fp, (char *)buffer, bytes);
cupsFileClose(fp);
}
else
{
DEBUG_printf(("1cupsMakeServerCredentials: Unable to create public key and X.509 certificate file \"%s\": %s", crtfile, strerror(errno)));
_cupsSetError(IPP_STATUS_ERROR_INTERNAL, strerror(errno), 0);
gnutls_x509_crt_deinit(crt);
gnutls_x509_privkey_deinit(key);
return (0);
}
gnutls_x509_crt_deinit(crt);
gnutls_x509_privkey_deinit(key);
DEBUG_puts("1cupsMakeServerCredentials: Successfully created credentials.");
return (1);
}
int
cupsSetServerCredentials(
const char *path,
const char *common_name,
int auto_create)
{
char temp[1024];
DEBUG_printf(("cupsSetServerCredentials(path=\"%s\", common_name=\"%s\", auto_create=%d)", path, common_name, auto_create));
if (!path)
path = http_gnutls_default_path(temp, sizeof(temp));
if (!path || !common_name)
{
_cupsSetError(IPP_STATUS_ERROR_INTERNAL, strerror(EINVAL), 0);
return (0);
}
_cupsMutexLock(&tls_mutex);
if (tls_keypath)
_cupsStrFree(tls_keypath);
if (tls_common_name)
_cupsStrFree(tls_common_name);
tls_keypath = _cupsStrAlloc(path);
tls_auto_create = auto_create;
tls_common_name = _cupsStrAlloc(common_name);
_cupsMutexUnlock(&tls_mutex);
return (1);
}
int
httpCopyCredentials(
http_t *http,
cups_array_t **credentials)
{
unsigned count;
const gnutls_datum_t *certs;
DEBUG_printf(("httpCopyCredentials(http=%p, credentials=%p)", http, credentials));
if (credentials)
*credentials = NULL;
if (!http || !http->tls || !credentials)
return (-1);
*credentials = cupsArrayNew(NULL, NULL);
certs = gnutls_certificate_get_peers(http->tls, &count);
DEBUG_printf(("1httpCopyCredentials: certs=%p, count=%u", certs, count));
if (certs && count)
{
while (count > 0)
{
httpAddCredential(*credentials, certs->data, certs->size);
certs ++;
count --;
}
}
return (0);
}
http_tls_credentials_t
_httpCreateCredentials(
cups_array_t *credentials)
{
(void)credentials;
return (NULL);
}
void
_httpFreeCredentials(
http_tls_credentials_t credentials)
{
(void)credentials;
}
int
httpCredentialsAreValidForName(
cups_array_t *credentials,
const char *common_name)
{
gnutls_x509_crt_t cert;
int result = 0;
cert = http_gnutls_create_credential((http_credential_t *)cupsArrayFirst(credentials));
if (cert)
{
result = gnutls_x509_crt_check_hostname(cert, common_name) != 0;
gnutls_x509_crt_deinit(cert);
}
return (result);
}
http_trust_t
httpCredentialsGetTrust(
cups_array_t *credentials,
const char *common_name)
{
http_trust_t trust = HTTP_TRUST_OK;
gnutls_x509_crt_t cert;
cups_array_t *tcreds = NULL;
_cups_globals_t *cg = _cupsGlobals();
if (!common_name)
return (HTTP_TRUST_UNKNOWN);
if ((cert = http_gnutls_create_credential((http_credential_t *)cupsArrayFirst(credentials))) == NULL)
return (HTTP_TRUST_UNKNOWN);
httpLoadCredentials(NULL, &tcreds, common_name);
if (tcreds)
{
char credentials_str[1024],
tcreds_str[1024];
httpCredentialsString(credentials, credentials_str, sizeof(credentials_str));
httpCredentialsString(tcreds, tcreds_str, sizeof(tcreds_str));
if (strcmp(credentials_str, tcreds_str))
{
if (httpCredentialsGetExpiration(credentials) <= httpCredentialsGetExpiration(tcreds) ||
!httpCredentialsAreValidForName(credentials, common_name))
{
trust = HTTP_TRUST_INVALID;
}
else if (httpCredentialsGetExpiration(tcreds) < time(NULL))
{
trust = HTTP_TRUST_RENEWED;
httpSaveCredentials(NULL, credentials, common_name);
}
}
httpFreeCredentials(tcreds);
}
else if (cg->validate_certs && !httpCredentialsAreValidForName(credentials, common_name))
trust = HTTP_TRUST_INVALID;
if (trust == HTTP_TRUST_OK && !cg->expired_certs)
{
time_t curtime;
time(&curtime);
if (curtime < gnutls_x509_crt_get_activation_time(cert) ||
curtime > gnutls_x509_crt_get_expiration_time(cert))
trust = HTTP_TRUST_EXPIRED;
}
if (trust == HTTP_TRUST_OK && !cg->any_root && cupsArrayCount(credentials) == 1)
trust = HTTP_TRUST_INVALID;
gnutls_x509_crt_deinit(cert);
return (trust);
}
time_t
httpCredentialsGetExpiration(
cups_array_t *credentials)
{
gnutls_x509_crt_t cert;
time_t result = 0;
cert = http_gnutls_create_credential((http_credential_t *)cupsArrayFirst(credentials));
if (cert)
{
result = gnutls_x509_crt_get_expiration_time(cert);
gnutls_x509_crt_deinit(cert);
}
return (result);
}
size_t
httpCredentialsString(
cups_array_t *credentials,
char *buffer,
size_t bufsize)
{
http_credential_t *first;
gnutls_x509_crt_t cert;
DEBUG_printf(("httpCredentialsString(credentials=%p, buffer=%p, bufsize=" CUPS_LLFMT ")", credentials, buffer, CUPS_LLCAST bufsize));
if (!buffer)
return (0);
if (buffer && bufsize > 0)
*buffer = '\0';
if ((first = (http_credential_t *)cupsArrayFirst(credentials)) != NULL &&
(cert = http_gnutls_create_credential(first)) != NULL)
{
char name[256];
size_t namelen;
time_t expiration;
_cups_md5_state_t md5_state;
unsigned char md5_digest[16];
namelen = sizeof(name) - 1;
if (gnutls_x509_crt_get_dn_by_oid(cert, GNUTLS_OID_X520_COMMON_NAME, 0, 0, name, &namelen) >= 0)
name[namelen] = '\0';
else
strlcpy(name, "unknown", sizeof(name));
expiration = gnutls_x509_crt_get_expiration_time(cert);
_cupsMD5Init(&md5_state);
_cupsMD5Append(&md5_state, first->data, (int)first->datalen);
_cupsMD5Finish(&md5_state, md5_digest);
snprintf(buffer, bufsize, "%s / %s / %02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X", name, httpGetDateString(expiration), md5_digest[0], md5_digest[1], md5_digest[2], md5_digest[3], md5_digest[4], md5_digest[5], md5_digest[6], md5_digest[7], md5_digest[8], md5_digest[9], md5_digest[10], md5_digest[11], md5_digest[12], md5_digest[13], md5_digest[14], md5_digest[15]);
gnutls_x509_crt_deinit(cert);
}
DEBUG_printf(("1httpCredentialsString: Returning \"%s\".", buffer));
return (strlen(buffer));
}
int
httpLoadCredentials(
const char *path,
cups_array_t **credentials,
const char *common_name)
{
cups_file_t *fp;
char filename[1024],
temp[1024],
line[256];
unsigned char *data = NULL;
size_t alloc_data = 0,
num_data = 0;
int decoded;
if (!credentials || !common_name)
return (-1);
if (!path)
path = http_gnutls_default_path(temp, sizeof(temp));
if (!path)
return (-1);
http_gnutls_make_path(filename, sizeof(filename), path, common_name, "crt");
if ((fp = cupsFileOpen(filename, "r")) == NULL)
return (-1);
while (cupsFileGets(fp, line, sizeof(line)))
{
if (!strcmp(line, "-----BEGIN CERTIFICATE-----"))
{
if (num_data)
{
httpFreeCredentials(*credentials);
*credentials = NULL;
break;
}
}
else if (!strcmp(line, "-----END CERTIFICATE-----"))
{
if (!num_data)
{
httpFreeCredentials(*credentials);
*credentials = NULL;
break;
}
if (!*credentials)
*credentials = cupsArrayNew(NULL, NULL);
if (httpAddCredential(*credentials, data, num_data))
{
httpFreeCredentials(*credentials);
*credentials = NULL;
break;
}
num_data = 0;
}
else
{
if (alloc_data == 0)
{
data = malloc(2048);
alloc_data = 2048;
if (!data)
break;
}
else if ((num_data + strlen(line)) >= alloc_data)
{
unsigned char *tdata = realloc(data, alloc_data + 1024);
if (!tdata)
{
httpFreeCredentials(*credentials);
*credentials = NULL;
break;
}
data = tdata;
alloc_data += 1024;
}
decoded = alloc_data - num_data;
httpDecode64_2((char *)data + num_data, &decoded, line);
num_data += (size_t)decoded;
}
}
cupsFileClose(fp);
if (num_data)
{
httpFreeCredentials(*credentials);
*credentials = NULL;
}
if (data)
free(data);
return (*credentials ? 0 : -1);
}
int
httpSaveCredentials(
const char *path,
cups_array_t *credentials,
const char *common_name)
{
cups_file_t *fp;
char filename[1024],
nfilename[1024],
temp[1024],
line[256];
const unsigned char *ptr;
ssize_t remaining;
http_credential_t *cred;
if (!credentials || !common_name)
return (-1);
if (!path)
path = http_gnutls_default_path(temp, sizeof(temp));
if (!path)
return (-1);
http_gnutls_make_path(filename, sizeof(filename), path, common_name, "crt");
snprintf(nfilename, sizeof(nfilename), "%s.N", filename);
if ((fp = cupsFileOpen(nfilename, "w")) == NULL)
return (-1);
fchmod(cupsFileNumber(fp), 0600);
for (cred = (http_credential_t *)cupsArrayFirst(credentials);
cred;
cred = (http_credential_t *)cupsArrayNext(credentials))
{
cupsFilePuts(fp, "-----BEGIN CERTIFICATE-----\n");
for (ptr = cred->data, remaining = (ssize_t)cred->datalen; remaining > 0; remaining -= 45, ptr += 45)
{
httpEncode64_2(line, sizeof(line), (char *)ptr, remaining > 45 ? 45 : remaining);
cupsFilePrintf(fp, "%s\n", line);
}
cupsFilePuts(fp, "-----END CERTIFICATE-----\n");
}
cupsFileClose(fp);
return (rename(nfilename, filename));
}
static gnutls_x509_crt_t
http_gnutls_create_credential(
http_credential_t *credential)
{
int result;
gnutls_x509_crt_t cert;
gnutls_datum_t datum;
DEBUG_printf(("3http_gnutls_create_credential(credential=%p)", credential));
if (!credential)
return (NULL);
if ((result = gnutls_x509_crt_init(&cert)) < 0)
{
DEBUG_printf(("4http_gnutls_create_credential: init error: %s", gnutls_strerror(result)));
return (NULL);
}
datum.data = credential->data;
datum.size = credential->datalen;
if ((result = gnutls_x509_crt_import(cert, &datum, GNUTLS_X509_FMT_DER)) < 0)
{
DEBUG_printf(("4http_gnutls_create_credential: import error: %s", gnutls_strerror(result)));
gnutls_x509_crt_deinit(cert);
return (NULL);
}
return (cert);
}
static const char *
http_gnutls_default_path(char *buffer,
size_t bufsize)
{
const char *home = getenv("HOME");
if (getuid() && home)
{
snprintf(buffer, bufsize, "%s/.cups", home);
if (access(buffer, 0))
{
DEBUG_printf(("1http_gnutls_default_path: Making directory \"%s\".", buffer));
if (mkdir(buffer, 0700))
{
DEBUG_printf(("1http_gnutls_default_path: Failed to make directory: %s", strerror(errno)));
return (NULL);
}
}
snprintf(buffer, bufsize, "%s/.cups/ssl", home);
if (access(buffer, 0))
{
DEBUG_printf(("1http_gnutls_default_path: Making directory \"%s\".", buffer));
if (mkdir(buffer, 0700))
{
DEBUG_printf(("1http_gnutls_default_path: Failed to make directory: %s", strerror(errno)));
return (NULL);
}
}
}
else
strlcpy(buffer, CUPS_SERVERROOT "/ssl", bufsize);
DEBUG_printf(("1http_gnutls_default_path: Using default path \"%s\".", buffer));
return (buffer);
}
static const char *
http_gnutls_make_path(
char *buffer,
size_t bufsize,
const char *dirname,
const char *filename,
const char *ext)
{
char *bufptr,
*bufend = buffer + bufsize - 1;
snprintf(buffer, bufsize, "%s/", dirname);
bufptr = buffer + strlen(buffer);
while (*filename && bufptr < bufend)
{
if (_cups_isalnum(*filename) || *filename == '-' || *filename == '.')
*bufptr++ = *filename;
else
*bufptr++ = '_';
filename ++;
}
if (bufptr < bufend)
*bufptr++ = '.';
strlcpy(bufptr, ext, (size_t)(bufend - bufptr + 1));
return (buffer);
}
static ssize_t
http_gnutls_read(
gnutls_transport_ptr_t ptr,
void *data,
size_t length)
{
http_t *http;
ssize_t bytes;
DEBUG_printf(("6http_gnutls_read(ptr=%p, data=%p, length=%d)", ptr, data, (int)length));
http = (http_t *)ptr;
if (!http->blocking)
{
while (!_httpWait(http, http->wait_value, 0))
{
if (http->timeout_cb && (*http->timeout_cb)(http, http->timeout_data))
continue;
http->error = ETIMEDOUT;
return (-1);
}
}
bytes = recv(http->fd, data, length, 0);
DEBUG_printf(("6http_gnutls_read: bytes=%d", (int)bytes));
return (bytes);
}
static ssize_t
http_gnutls_write(
gnutls_transport_ptr_t ptr,
const void *data,
size_t length)
{
ssize_t bytes;
DEBUG_printf(("6http_gnutls_write(ptr=%p, data=%p, length=%d)", ptr, data,
(int)length));
bytes = send(((http_t *)ptr)->fd, data, length, 0);
DEBUG_printf(("http_gnutls_write: bytes=%d", (int)bytes));
return (bytes);
}
void
_httpTLSInitialize(void)
{
gnutls_global_init();
}
size_t
_httpTLSPending(http_t *http)
{
return (gnutls_record_check_pending(http->tls));
}
int
_httpTLSRead(http_t *http,
char *buf,
int len)
{
ssize_t result;
result = gnutls_record_recv(http->tls, buf, (size_t)len);
if (result < 0 && !errno)
{
switch (result)
{
case GNUTLS_E_INTERRUPTED :
errno = EINTR;
break;
case GNUTLS_E_AGAIN :
errno = EAGAIN;
break;
default :
errno = EPIPE;
break;
}
result = -1;
}
return ((int)result);
}
int
_httpTLSSetCredentials(http_t *http)
{
(void)http;
return (0);
}
int
_httpTLSStart(http_t *http)
{
char hostname[256],
*hostptr;
int status;
gnutls_certificate_credentials_t *credentials;
DEBUG_printf(("7_httpTLSStart(http=%p)", http));
if (http->mode == _HTTP_MODE_SERVER && !tls_keypath)
{
DEBUG_puts("4_httpTLSStart: cupsSetServerCredentials not called.");
http->error = errno = EINVAL;
http->status = HTTP_STATUS_ERROR;
_cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Server credentials not set."), 1);
return (-1);
}
credentials = (gnutls_certificate_credentials_t *)
malloc(sizeof(gnutls_certificate_credentials_t));
if (credentials == NULL)
{
DEBUG_printf(("8_httpStartTLS: Unable to allocate credentials: %s",
strerror(errno)));
http->error = errno;
http->status = HTTP_STATUS_ERROR;
_cupsSetHTTPError(HTTP_STATUS_ERROR);
return (-1);
}
gnutls_certificate_allocate_credentials(credentials);
status = gnutls_init(&http->tls, http->mode == _HTTP_MODE_CLIENT ? GNUTLS_CLIENT : GNUTLS_SERVER);
if (!status)
status = gnutls_set_default_priority(http->tls);
if (status)
{
http->error = EIO;
http->status = HTTP_STATUS_ERROR;
DEBUG_printf(("4_httpTLSStart: Unable to initialize common TLS parameters: %s", gnutls_strerror(status)));
_cupsSetError(IPP_STATUS_ERROR_CUPS_PKI, gnutls_strerror(status), 0);
gnutls_deinit(http->tls);
gnutls_certificate_free_credentials(*credentials);
free(credentials);
http->tls = NULL;
return (-1);
}
if (http->mode == _HTTP_MODE_CLIENT)
{
if (httpAddrLocalhost(http->hostaddr))
{
strlcpy(hostname, "localhost", sizeof(hostname));
}
else
{
strlcpy(hostname, http->hostname, sizeof(hostname));
if ((hostptr = hostname + strlen(hostname) - 1) >= hostname &&
*hostptr == '.')
*hostptr = '\0';
}
status = gnutls_server_name_set(http->tls, GNUTLS_NAME_DNS, hostname, strlen(hostname));
}
else
{
char crtfile[1024],
keyfile[1024];
int have_creds = 0;
if (http->fields[HTTP_FIELD_HOST][0])
{
strlcpy(hostname, http->fields[HTTP_FIELD_HOST], sizeof(hostname));
}
else
{
http_addr_t addr;
socklen_t addrlen;
addrlen = sizeof(addr);
if (getsockname(http->fd, (struct sockaddr *)&addr, &addrlen))
{
DEBUG_printf(("4_httpTLSStart: Unable to get socket address: %s", strerror(errno)));
hostname[0] = '\0';
}
else if (httpAddrLocalhost(&addr))
hostname[0] = '\0';
else
{
httpAddrLookup(&addr, hostname, sizeof(hostname));
DEBUG_printf(("4_httpTLSStart: Resolved socket address to \"%s\".", hostname));
}
}
if (isdigit(hostname[0] & 255) || hostname[0] == '[')
hostname[0] = '\0';
if (hostname[0])
{
http_gnutls_make_path(crtfile, sizeof(crtfile), tls_keypath, hostname, "crt");
http_gnutls_make_path(keyfile, sizeof(keyfile), tls_keypath, hostname, "key");
have_creds = !access(crtfile, 0) && !access(keyfile, 0);
}
else if (tls_common_name)
{
http_gnutls_make_path(crtfile, sizeof(crtfile), tls_keypath, tls_common_name, "crt");
http_gnutls_make_path(keyfile, sizeof(keyfile), tls_keypath, tls_common_name, "key");
have_creds = !access(crtfile, 0) && !access(keyfile, 0);
}
if (!have_creds && tls_auto_create && (hostname[0] || tls_common_name))
{
DEBUG_printf(("4_httpTLSStart: Auto-create credentials for \"%s\".", hostname[0] ? hostname : tls_common_name));
if (!cupsMakeServerCredentials(tls_keypath, hostname[0] ? hostname : tls_common_name, 0, NULL, time(NULL) + 365 * 86400))
{
DEBUG_puts("4_httpTLSStart: cupsMakeServerCredentials failed.");
http->error = errno = EINVAL;
http->status = HTTP_STATUS_ERROR;
_cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Unable to create server credentials."), 1);
return (-1);
}
}
DEBUG_printf(("4_httpTLSStart: Using certificate \"%s\" and private key \"%s\".", crtfile, keyfile));
status = gnutls_certificate_set_x509_key_file(*credentials, crtfile, keyfile, GNUTLS_X509_FMT_PEM);
}
if (!status)
status = gnutls_credentials_set(http->tls, GNUTLS_CRD_CERTIFICATE, *credentials);
if (status)
{
http->error = EIO;
http->status = HTTP_STATUS_ERROR;
DEBUG_printf(("4_httpTLSStart: Unable to complete client/server setup: %s", gnutls_strerror(status)));
_cupsSetError(IPP_STATUS_ERROR_CUPS_PKI, gnutls_strerror(status), 0);
gnutls_deinit(http->tls);
gnutls_certificate_free_credentials(*credentials);
free(credentials);
http->tls = NULL;
return (-1);
}
gnutls_transport_set_ptr(http->tls, (gnutls_transport_ptr_t)http);
gnutls_transport_set_pull_function(http->tls, http_gnutls_read);
#ifdef HAVE_GNUTLS_TRANSPORT_SET_PULL_TIMEOUT_FUNCTION
gnutls_transport_set_pull_timeout_function(http->tls, (gnutls_pull_timeout_func)httpWait);
#endif
gnutls_transport_set_push_function(http->tls, http_gnutls_write);
while ((status = gnutls_handshake(http->tls)) != GNUTLS_E_SUCCESS)
{
DEBUG_printf(("5_httpStartTLS: gnutls_handshake returned %d (%s)",
status, gnutls_strerror(status)));
if (gnutls_error_is_fatal(status))
{
http->error = EIO;
http->status = HTTP_STATUS_ERROR;
_cupsSetError(IPP_STATUS_ERROR_CUPS_PKI, gnutls_strerror(status), 0);
gnutls_deinit(http->tls);
gnutls_certificate_free_credentials(*credentials);
free(credentials);
http->tls = NULL;
return (-1);
}
}
http->tls_credentials = credentials;
return (0);
}
void
_httpTLSStop(http_t *http)
{
int error;
error = gnutls_bye(http->tls, http->mode == _HTTP_MODE_CLIENT ? GNUTLS_SHUT_RDWR : GNUTLS_SHUT_WR);
if (error != GNUTLS_E_SUCCESS)
_cupsSetError(IPP_STATUS_ERROR_INTERNAL, gnutls_strerror(errno), 0);
gnutls_deinit(http->tls);
http->tls = NULL;
if (http->tls_credentials)
{
gnutls_certificate_free_credentials(*(http->tls_credentials));
free(http->tls_credentials);
http->tls_credentials = NULL;
}
}
int
_httpTLSWrite(http_t *http,
const char *buf,
int len)
{
ssize_t result;
DEBUG_printf(("2http_write_ssl(http=%p, buf=%p, len=%d)", http, buf, len));
result = gnutls_record_send(http->tls, buf, (size_t)len);
if (result < 0 && !errno)
{
switch (result)
{
case GNUTLS_E_INTERRUPTED :
errno = EINTR;
break;
case GNUTLS_E_AGAIN :
errno = EAGAIN;
break;
default :
errno = EPIPE;
break;
}
result = -1;
}
DEBUG_printf(("3http_write_ssl: Returning %d.", (int)result));
return ((int)result);
}