diff options
author | Michael Sweet <michael.r.sweet@gmail.com> | 2016-08-25 09:50:26 -0400 |
---|---|---|
committer | Michael Sweet <michael.r.sweet@gmail.com> | 2016-08-25 09:50:26 -0400 |
commit | 7aeb36153a854efcb7638d3770f9ff801edfbe34 (patch) | |
tree | 5b32599b5db13ab9f5c4a027b0f55f453ba1e28e /cups/tls-darwin.c | |
parent | e5aa186c437eb72dda3b323c2ea79500f1ce93c6 (diff) | |
download | cups-7aeb36153a854efcb7638d3770f9ff801edfbe34.tar.gz |
Sync up GNU TLS and Darwin TLS certificate validation code.
Diffstat (limited to 'cups/tls-darwin.c')
-rw-r--r-- | cups/tls-darwin.c | 46 |
1 files changed, 39 insertions, 7 deletions
diff --git a/cups/tls-darwin.c b/cups/tls-darwin.c index 0dfe73a95..fa33f8383 100644 --- a/cups/tls-darwin.c +++ b/cups/tls-darwin.c @@ -600,10 +600,16 @@ httpCredentialsGetTrust( if (!common_name) + { + _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("No common name specified."), 1); return (HTTP_TRUST_UNKNOWN); + } if ((secCert = http_cdsa_create_credential((http_credential_t *)cupsArrayFirst(credentials))) == NULL) + { + _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Unable to create credentials from array."), 1); return (HTTP_TRUST_UNKNOWN); + } if (cg->any_root < 0) _cupsSetDefaults(); @@ -635,15 +641,28 @@ httpCredentialsGetTrust( * Do not trust certificates on first use... */ + _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Trust on first use is disabled."), 1); + trust = HTTP_TRUST_INVALID; } - else if (httpCredentialsGetExpiration(credentials) <= httpCredentialsGetExpiration(tcreds) || !httpCredentialsAreValidForName(credentials, common_name)) + else if (httpCredentialsGetExpiration(credentials) <= httpCredentialsGetExpiration(tcreds)) { /* - * Either the new credentials are not newly issued, or the common name - * does not match the issued certificate... + * The new credentials are not newly issued... */ + _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("New credentials are older than stored credentials."), 1); + + trust = HTTP_TRUST_INVALID; + } + else if (!httpCredentialsAreValidForName(credentials, common_name)) + { + /* + * The common name does not match the issued certificate... + */ + + _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("New credentials are not valid for name."), 1); + trust = HTTP_TRUST_INVALID; } else if (httpCredentialsGetExpiration(tcreds) < time(NULL)) @@ -661,14 +680,27 @@ httpCredentialsGetTrust( httpFreeCredentials(tcreds); } else if (cg->validate_certs && !httpCredentialsAreValidForName(credentials, common_name)) + { + _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("No stored credentials, not valid for name."), 1); trust = HTTP_TRUST_INVALID; + } + else if (!cg->trust_first) + { + _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Trust on first use is disabled."), 1); + trust = HTTP_TRUST_INVALID; + } - if (!cg->expired_certs && !SecCertificateIsValid(secCert, CFAbsoluteTimeGetCurrent())) + if (trust == HTTP_TRUST_OK && !cg->expired_certs && !SecCertificateIsValid(secCert, CFAbsoluteTimeGetCurrent())) + { + _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Credentials have expired."), 1); trust = HTTP_TRUST_EXPIRED; - else if (!cg->any_root && cupsArrayCount(credentials) == 1) - trust = HTTP_TRUST_INVALID; - else if (!cg->trust_first) + } + + if (trust == HTTP_TRUST_OK && !cg->any_root && cupsArrayCount(credentials) == 1) + { + _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Self-signed credentials are blocked."), 1); trust = HTTP_TRUST_INVALID; + } CFRelease(secCert); |