authorMichael Sweet <michael.r.sweet@gmail.com>2016-08-25 09:36:52 -0400
committerMichael Sweet <michael.r.sweet@gmail.com>2016-08-25 09:36:52 -0400
commite5aa186c437eb72dda3b323c2ea79500f1ce93c6 (patch)
tree68614c6b0f52631f827f403b923d4b7f854f3952 /cups/tls-gnutls.c
parentc1bd5ac440f873db68ddae551cf12845d1ca24b5 (diff)
Set cupsLastErrorString in httpCredentialsGetTrust, and show the result in the
IPP backend.
Diffstat (limited to 'cups/tls-gnutls.c')
-rw-r--r--cups/tls-gnutls.c34
1 files changed, 31 insertions, 3 deletions
diff --git a/cups/tls-gnutls.c b/cups/tls-gnutls.c
index 23e3a8bc2..70515f20e 100644
--- a/cups/tls-gnutls.c
+++ b/cups/tls-gnutls.c
@@ -435,10 +435,16 @@ httpCredentialsGetTrust(
if (!common_name)
+ {
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("No common name specified."), 1);
return (HTTP_TRUST_UNKNOWN);
+ }
if ((cert = http_gnutls_create_credential((http_credential_t *)cupsArrayFirst(credentials))) == NULL)
+ {
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Unable to create credentials from array."), 1);
return (HTTP_TRUST_UNKNOWN);
+ }
if (cg->any_root < 0)
{
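Review bot: These early returns set the last error, but nothing visible in this diff clears it when the function succeeds, so a message left by an earlier call could still be readable after a later call returns `HTTP_TRUST_OK`. Since the commit's purpose is to show this string in the IPP backend, consider resetting it on entry, e.g. `_cupsSetError(IPP_STATUS_OK, NULL, 0);`, unless that already happens above the hunk. The opening lines of httpCredentialsGetTrust are outside the hunk, so this needs checking against the full file.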
@@ -473,15 +479,28 @@ httpCredentialsGetTrust(
* Do not trust certificates on first use...
*/
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Trust on first use is disabled."), 1);
+
trust = HTTP_TRUST_INVALID;
}
- else if (httpCredentialsGetExpiration(credentials) <= httpCredentialsGetExpiration(tcreds) || !httpCredentialsAreValidForName(credentials, common_name))
+ else if (httpCredentialsGetExpiration(credentials) <= httpCredentialsGetExpiration(tcreds))
{
/*
- * Either the new credentials are not newly issued, or the common name
- * does not match the issued certificate...
+ * The new credentials are not newly issued...
*/
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("New credentials are older than stored credentials."), 1);
+
+ trust = HTTP_TRUST_INVALID;
+ }
+ else if (!httpCredentialsAreValidForName(credentials, common_name))
+ {
+ /*
+ * The common name does not match the issued certificate...
+ */
+
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("New credentials are not valid for name."), 1);
+
trust = HTTP_TRUST_INVALID;
}
else if (httpCredentialsGetExpiration(tcreds) < time(NULL))
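Review bot: The three rejections added here are trust-policy decisions, yet each is recorded with `IPP_STATUS_ERROR_INTERNAL`, so anyone reading the status cannot tell a rejected certificate change from a library fault; the same applies to the calls added in the two later hunks. If the existing `IPP_STATUS_ERROR_CUPS_PKI` status fits the callers, using it would let monitoring separate a possible interception attempt from a bug. Separately, the second branch tests `<=`, so a different certificate with the same expiration is reported as "older"; `_("New credentials are not newer than stored credentials.")` would match the condition. The enclosing if/else chain and the function begin and end outside the hunk.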
@@ -499,7 +518,10 @@ httpCredentialsGetTrust(
httpFreeCredentials(tcreds);
}
else if (cg->validate_certs && !httpCredentialsAreValidForName(credentials, common_name))
+ {
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("No stored credentials, not valid for name."), 1);
trust = HTTP_TRUST_INVALID;
+ }
if (trust == HTTP_TRUST_OK && !cg->expired_certs)
{
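Review bot: The new message on the no-stored-credentials branch can only appear when `cg->validate_certs` is set, and the code carries no comment saying what happens to a name mismatch when it is not. A short comment above the `else if` would help the next reader, for example `/* No stored credentials: the name is only checked when validate_certs is on... */`. Whether an unchecked certificate is then stored for later comparison is not visible here, since the rest of the function lies outside the hunk, so the comment should state only what this branch does.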
@@ -508,11 +530,17 @@ httpCredentialsGetTrust(
time(&curtime);
if (curtime < gnutls_x509_crt_get_activation_time(cert) ||
curtime > gnutls_x509_crt_get_expiration_time(cert))
+ {
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Credentials have expired."), 1);
trust = HTTP_TRUST_EXPIRED;
+ }
}
if (trust == HTTP_TRUST_OK && !cg->any_root && cupsArrayCount(credentials) == 1)
+ {
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Self-signed credentials are blocked."), 1);
trust = HTTP_TRUST_INVALID;
+ }
gnutls_x509_crt_deinit(cert);
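Review bot: "Credentials have expired." is also set when `curtime` is earlier than the activation time, so a not-yet-valid certificate, or a client with a wrong clock, is reported as expired. Splitting the test would let the first half report something like `_("Credentials are not yet valid.")`. In the last branch, "Self-signed credentials are blocked." is keyed on `cupsArrayCount(credentials) == 1`, which holds for any single-certificate chain; a server that sends only its leaf certificate would presumably get this text too. Wording that describes the actual check would be less misleading during troubleshooting. The function starts and ends outside the hunk.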