authorMichael R Sweet <michael.r.sweet@gmail.com>2019-02-15 17:06:35 -0500
committerMichael R Sweet <michael.r.sweet@gmail.com>2019-02-15 17:06:35 -0500
commit1ce6909d23aed05c3e24d2631a5468f09a0c486b (patch)
treed766998bc1c7ff27b46ae267cd6692286f81d90a /cups
parent6e63114c45720a4157245b6fd3dfa47612df21b4 (diff)
downloadcups-1ce6909d23aed05c3e24d2631a5468f09a0c486b.tar.gz
Non-Kerberized IPP printing to Windows was broken (Issue #5515)
Diffstat (limited to 'cups')
-rw-r--r--cups/auth.c72
1 files changed, 54 insertions, 18 deletions
diff --git a/cups/auth.c b/cups/auth.c
index 0f7fd523a..634ed1fba 100644
--- a/cups/auth.c
+++ b/cups/auth.c
@@ -42,6 +42,9 @@ static const char *cups_auth_param(const char *scheme, const char *name, char *v
static const char *cups_auth_scheme(const char *www_authenticate, char *scheme, size_t schemesize);
#ifdef HAVE_GSSAPI
+# define CUPS_GSS_OK 0 /* Successfully set credentials */
+# define CUPS_GSS_NONE -1 /* No credentials */
+# define CUPS_GSS_FAIL -2 /* Failed credentials/authentication */
# ifdef HAVE_GSS_ACQUIRE_CRED_EX_F
# ifdef HAVE_GSS_GSSAPI_SPI_H
# include <GSS/gssapi_spi.h>
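Review bot: The three `CUPS_GSS_*` status codes are defined only inside auth.c, yet `_cupsSetNegotiateAuthString()` is not `static`, so any caller in another file cannot name the values it now returns. Whether such callers exist is not visible in this diff; if they do, the definitions belong next to the function's prototype in the private header. An unnamed `enum { CUPS_GSS_OK = 0, CUPS_GSS_NONE = -1, CUPS_GSS_FAIL = -2 };` would also avoid the unparenthesized negative macro bodies.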
@@ -168,6 +171,8 @@ cupsDoAuthentication(
* Check the scheme name...
*/
+ DEBUG_printf(("2cupsDoAuthentication: Trying scheme \"%s\"...", scheme));
+
#ifdef HAVE_GSSAPI
if (!_cups_strcasecmp(scheme, "Negotiate"))
{
@@ -175,18 +180,36 @@ cupsDoAuthentication(
* Kerberos authentication...
*/
- if (_cupsSetNegotiateAuthString(http, method, resource))
+ int gss_status; /* Auth status */
+
+ if ((gss_status = _cupsSetNegotiateAuthString(http, method, resource)) == CUPS_GSS_FAIL)
{
+ DEBUG_puts("1cupsDoAuthentication: Negotiate failed.");
http->status = HTTP_STATUS_CUPS_AUTHORIZATION_CANCELED;
return (-1);
}
-
- break;
+ else if (gss_status == CUPS_GSS_NONE)
+ {
+ DEBUG_puts("2cupsDoAuthentication: No credentials for Negotiate.");
+ continue;
+ }
+ else
+ {
+ DEBUG_puts("2cupsDoAuthentication: Using Negotiate.");
+ break;
+ }
}
else
#endif /* HAVE_GSSAPI */
if (_cups_strcasecmp(scheme, "Basic") && _cups_strcasecmp(scheme, "Digest"))
- continue; /* Not supported (yet) */
+ {
+ /*
+ * Other schemes not yet supported...
+ */
+
+ DEBUG_printf(("2cupsDoAuthentication: Scheme \"%s\" not yet supported.", scheme));
+ continue;
+ }
/*
* See if we should retry the current username:password...
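Review bot: The `continue` taken on `CUPS_GSS_NONE` makes the scheme loop fall through to whatever the server offers next, which can be Basic, and the new branch does not say that this downgrade from Kerberos is intentional. Since Basic sends `username:password` merely base64-encoded, the fallback is only as confidential as the transport, and this hunk does not show whether the connection is required to be encrypted before Basic is used. I would add a comment at the `continue`, such as `/* No Kerberos credentials - fall back to the next offered scheme (may be Basic/Digest) */`. It is also worth confirming against the surrounding loop, which lies outside the hunk, that the password path is acceptable on an unencrypted connection.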
@@ -216,6 +239,7 @@ cupsDoAuthentication(
if ((password = cupsGetPassword2(prompt, http, method, resource)) == NULL)
{
+ DEBUG_puts("1cupsDoAuthentication: User canceled password request.");
http->status = HTTP_STATUS_CUPS_AUTHORIZATION_CANCELED;
return (-1);
}
@@ -245,6 +269,7 @@ cupsDoAuthentication(
char encode[256]; /* Base64 buffer */
+ DEBUG_puts("2cupsDoAuthentication: Using Basic.");
httpEncode64_2(encode, sizeof(encode), http->userpass, (int)strlen(http->userpass));
httpSetAuthString(http, "Basic", encode);
break;
@@ -263,19 +288,22 @@ cupsDoAuthentication(
cups_auth_param(schemedata, "realm", http->realm, sizeof(http->realm));
if (_httpSetDigestAuthString(http, nonce, method, resource))
+ {
+ DEBUG_puts("2cupsDoAuthentication: Using Basic.");
break;
+ }
}
}
if (http->authstring)
{
- DEBUG_printf(("1cupsDoAuthentication: authstring=\"%s\"", http->authstring));
+ DEBUG_printf(("1cupsDoAuthentication: authstring=\"%s\".", http->authstring));
return (0);
}
else
{
- DEBUG_printf(("1cupsDoAuthentication: Unknown auth type: \"%s\"", www_auth));
+ DEBUG_puts("1cupsDoAuthentication: No supported schemes.");
http->status = HTTP_STATUS_CUPS_AUTHORIZATION_CANCELED;
return (-1);
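Review bot: The debug message added in the Digest branch, after `_httpSetDigestAuthString()` succeeds, says "Using Basic." and looks copied from the Basic branch; it should read `DEBUG_puts("2cupsDoAuthentication: Using Digest.");`. As written, a debug trace cannot tell which scheme was actually selected. Separately, the edited `authstring=\"%s\"` line still writes the full authorization value to the debug log, which for Basic is the base64 of the username and password. Logging only the scheme name there would keep credentials out of debug output.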
@@ -288,7 +316,7 @@ cupsDoAuthentication(
* '_cupsSetNegotiateAuthString()' - Set the Kerberos authentication string.
*/
-int /* O - 0 on success, -1 on error */
+int /* O - 0 on success, negative on error */
_cupsSetNegotiateAuthString(
http_t *http, /* I - Connection to server */
const char *method, /* I - Request method ("GET", "POST", "PUT") */
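Review bot: The updated return comment "0 on success, negative on error" hides the distinction that `cupsDoAuthentication()` now depends on, namely that one negative value means "no credentials, try another scheme" and the other means "stop". I would spell the contract out, for example `/* O - CUPS_GSS_OK on success, CUPS_GSS_NONE if no credentials, CUPS_GSS_FAIL on error */`. The function body continues outside this hunk.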
@@ -313,10 +341,16 @@ _cupsSetNegotiateAuthString(
{
DEBUG_puts("1_cupsSetNegotiateAuthString: Weak-linked GSSAPI/Kerberos "
"framework is not present");
- return (-1);
+ return (CUPS_GSS_NONE);
}
# endif /* __APPLE__ */
+ if (!strcmp(http->hostname, "localhost") || http->hostname[0] == '/' || isdigit(http->hostname[0] & 255) || !strchr(http->hostname, '.'))
+ {
+ DEBUG_printf(("1_cupsSetNegotiateAuthString: Kerberos not available for host \"%s\".", http->hostname));
+ return (CUPS_GSS_NONE);
+ }
+
if (http->gssname == GSS_C_NO_NAME)
{
http->gssname = cups_gss_getname(http, _cupsGSSServiceName());
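Review bot: The new host test decides "Kerberos not available" from the first character and the presence of a dot, so a fully-qualified name that begins with a digit is classified as an IP address and silently skips Negotiate. Combined with the `CUPS_GSS_NONE` fallback, such a host would be authenticated with Basic or Digest even when Kerberos credentials exist. The `strcmp()` against "localhost" is also case-sensitive, and an IPv6 literal that embeds a dotted quad would pass all four tests; how `http->hostname` is normalised is not visible here, so these may or may not be reachable. A small helper that checks whether the whole string parses as a numeric address would make the intent explicit, and a comment above the `if` should list what the heuristic is meant to exclude.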
@@ -361,7 +395,7 @@ _cupsSetNegotiateAuthString(
cupsUser(), http->gsshost);
if ((password = cupsGetPassword2(prompt, http, method, resource)) == NULL)
- return (-1);
+ return (CUPS_GSS_FAIL);
/*
* Try to acquire credentials...
@@ -415,18 +449,20 @@ _cupsSetNegotiateAuthString(
}
# endif /* HAVE_GSS_ACQUIRED_CRED_EX_F */
- if (GSS_ERROR(major_status))
+ if (major_status == GSS_S_NO_CRED)
{
- cups_gss_printf(major_status, minor_status,
- "_cupsSetNegotiateAuthString: Unable to initialize "
- "security context");
- return (-1);
+ cups_gss_printf(major_status, minor_status, "_cupsSetNegotiateAuthString: No credentials");
+ return (CUPS_GSS_NONE);
+ }
+ else if (GSS_ERROR(major_status))
+ {
+ cups_gss_printf(major_status, minor_status, "_cupsSetNegotiateAuthString: Unable to initialize security context");
+ return (CUPS_GSS_FAIL);
}
# ifdef DEBUG
else if (major_status == GSS_S_CONTINUE_NEEDED)
- cups_gss_printf(major_status, minor_status,
- "_cupsSetNegotiateAuthString: Continuation needed!");
+ cups_gss_printf(major_status, minor_status, "_cupsSetNegotiateAuthString: Continuation needed");
# endif /* DEBUG */
if (output_token.length > 0 && output_token.length <= 65536)
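Review bot: The new test `major_status == GSS_S_NO_CRED` compares the whole status word, but a GSS-API major status also carries calling-error and supplementary-info bits. If any of those are set alongside the routine error, the value falls through to the `GSS_ERROR()` branch and returns `CUPS_GSS_FAIL`, which aborts authentication instead of trying the next scheme. Comparing only the routine-error field is more robust: `if (GSS_ROUTINE_ERROR(major_status) == GSS_S_NO_CRED)`. The enclosing function starts and ends outside this hunk.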
@@ -460,10 +496,10 @@ _cupsSetNegotiateAuthString(
"large - %d bytes!", (int)output_token.length));
gss_release_buffer(&minor_status, &output_token);
- return (-1);
+ return (CUPS_GSS_FAIL);
}
- return (0);
+ return (CUPS_GSS_OK);
}
#endif /* HAVE_GSSAPI */