author | msweet <msweet@a1ca3aef-8c08-0410-bb20-df032aa958be> | 2014-05-07 23:55:35 +0000 |
---|---|---|
committer | msweet <msweet@a1ca3aef-8c08-0410-bb20-df032aa958be> | 2014-05-07 23:55:35 +0000 |
commit | f51f3773d1c141dfeffcb6ef478129197dde3a96 (patch) | |
tree | 69f3947fe49d7a890b13461ff307d8e47feaf803 /cups/usersys.c | |
parent | 524c65e662f2c36fd6a5321425a30d2cdd2d4ece (diff) | |
download | cups-f51f3773d1c141dfeffcb6ef478129197dde3a96.tar.gz |
Add code to validate trust when printing via the IPP backend.
Add new CUPS_VALIDATECERTS (ValidateCerts in the conf file) setting to control
whether we require the common name to match the host name; the default is
currently no.
httpCredentialsGetTrust now only checks hostname/common name matches when
validation is enabled. Otherwise we just look for changes to certs.
git-svn-id: svn+ssh://src.apple.com/svn/cups/cups.org/trunk@11851 a1ca3aef-8c08-0410-bb20-df032aa958be
Diffstat (limited to 'cups/usersys.c')
-rw-r--r-- | cups/usersys.c | 25 |
1 files changed, 20 insertions, 5 deletions
diff --git a/cups/usersys.c b/cups/usersys.c index aa4127c7e..22d0f3464 100644 --- a/cups/usersys.c +++ b/cups/usersys.c @@ -51,7 +51,8 @@ static void cups_read_client_conf(cups_file_t *fp, const char *cups_gssservicename, #endif /* HAVE_GSSAPI */ const char *cups_anyroot, - const char *cups_expiredcerts); + const char *cups_expiredcerts, + const char *cups_validatecerts); /* @@ -830,7 +831,8 @@ _cupsSetDefaults(void) *cups_gssservicename, /* CUPS_GSSSERVICENAME env var */ #endif /* HAVE_GSSAPI */ *cups_anyroot, /* CUPS_ANYROOT env var */ - *cups_expiredcerts; /* CUPS_EXPIREDCERTS env var */ + *cups_expiredcerts, /* CUPS_EXPIREDCERTS env var */ + *cups_validatecerts; /* CUPS_VALIDATECERTS env var */ char filename[1024]; /* Filename */ _cups_globals_t *cg = _cupsGlobals(); /* Pointer to library globals */ @@ -848,6 +850,7 @@ _cupsSetDefaults(void) #endif /* HAVE_GSSAPI */ cups_anyroot = getenv("CUPS_ANYROOT"); cups_expiredcerts = getenv("CUPS_EXPIREDCERTS"); + cups_validatecerts = getenv("CUPS_VALIDATECERTS"); if ((cups_user = getenv("CUPS_USER")) == NULL) { @@ -916,7 +919,7 @@ _cupsSetDefaults(void) #ifdef HAVE_GSSAPI cups_gssservicename, #endif /* HAVE_GSSAPI */ - cups_anyroot, cups_expiredcerts); + cups_anyroot, cups_expiredcerts, cups_validatecerts); cupsFileClose(fp); } } @@ -938,7 +941,8 @@ cups_read_client_conf( /* I - CUPS_GSSSERVICENAME env var */ #endif /* HAVE_GSSAPI */ const char *cups_anyroot, /* I - CUPS_ANYROOT env var */ - const char *cups_expiredcerts) /* I - CUPS_EXPIREDCERTS env var */ + const char *cups_expiredcerts, /* I - CUPS_EXPIREDCERTS env var */ + const char *cups_validatecerts)/* I - CUPS_VALIDATECERTS env var */ { int linenum; /* Current line number */ char line[1024], /* Line from file */ 
@@ -949,7 +953,8 @@ cups_read_client_conf( #endif /* !__APPLE__ */ user[256], /* User value */ any_root[1024], /* AllowAnyRoot value */ - expired_certs[1024]; /* AllowExpiredCerts value */ + expired_certs[1024], /* AllowExpiredCerts value */ + validate_certs[1024]; /* ValidateCerts value */ #ifdef HAVE_GSSAPI char gss_service_name[32]; /* GSSServiceName value */ #endif /* HAVE_GSSAPI */ @@ -996,6 +1001,11 @@ cups_read_client_conf( strlcpy(expired_certs, value, sizeof(expired_certs)); cups_expiredcerts = expired_certs; } + else if (!cups_validatecerts && !_cups_strcasecmp(line, "ValidateCerts") && value) + { + strlcpy(validate_certs, value, sizeof(validate_certs)); + cups_validatecerts = validate_certs; + } #ifdef HAVE_GSSAPI else if (!cups_gssservicename && !_cups_strcasecmp(line, "GSSServiceName") && value) @@ -1118,6 +1128,11 @@ cups_read_client_conf( cg->expired_certs = !_cups_strcasecmp(cups_expiredcerts, "yes") || !_cups_strcasecmp(cups_expiredcerts, "on") || !_cups_strcasecmp(cups_expiredcerts, "true"); + + if (cups_validatecerts) + cg->validate_certs = !_cups_strcasecmp(cups_validatecerts, "yes") || + !_cups_strcasecmp(cups_validatecerts, "on") || + !_cups_strcasecmp(cups_validatecerts, "true"); } |
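Review bot: The `!cups_validatecerts &&` guard on the new ValidateCerts branch means a value already taken from the CUPS_VALIDATECERTS environment variable (the getenv hunk at -848) is never replaced by the file, so a client.conf that enables validation can be switched off per process through the environment. This follows the existing AllowAnyRoot and AllowExpiredCerts pattern, but the precedence is not stated anywhere in the new code. I would add a comment above the branch such as `/* CUPS_VALIDATECERTS from the environment takes precedence; ValidateCerts is only used when it is unset */`. The surrounding if/else chain and the order in which _cupsSetDefaults opens client.conf files lie outside the hunk, so which file is consulted first cannot be confirmed from here.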
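Review bot: Any value other than yes/on/true leaves `cg->validate_certs` at 0 in the hunk at -1118, so a typo or an unexpected spelling such as "1" in ValidateCerts or CUPS_VALIDATECERTS silently turns hostname validation off. For AllowExpiredCerts just above, the same parsing fails toward the stricter setting, but this option has the opposite polarity, so an unrecognised value fails open. Consider treating only explicit negatives as off, `cg->validate_certs = _cups_strcasecmp(cups_validatecerts, "no") && _cups_strcasecmp(cups_validatecerts, "off") && _cups_strcasecmp(cups_validatecerts, "false");`, or at least reporting an unrecognised value. When neither source sets the option, the field keeps whatever initial value the globals structure has, which is not visible in this hunk.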