From 187243a87728afc6a387200bd1826e9f42a8ff7d Mon Sep 17 00:00:00 2001
From: Michael R Sweet
Date: Thu, 17 Oct 2024 20:52:40 -0400
Subject: [PATCH] Fix crash in unit tests. Fix mapping of HTTP_STATUS_NOT_MODIFIED to IPP_STATUS_OK_EVENTS_COMPLETE. Only test pinning for self-signed certs. Fix sanity check for cupsSaveCredentials (copy/paste error)
---
 cups/request.c | 4 ++++
 cups/tls-gnutls.c | 2 +-
 cups/tls-openssl.c | 6 +++++-
 cups/tls.c | 12 +++++++++++-
 4 files changed, 21 insertions(+), 3 deletions(-)
diff --git a/cups/request.c b/cups/request.c
index c7a15f35d..0312aebe8 100644
--- a/cups/request.c
+++ b/cups/request.c
@@ -1156,6 +1156,10 @@ _cupsSetHTTPError(http_t *http, /* I - HTTP connection */
 {
 switch (status)
 {
+ case HTTP_STATUS_NOT_MODIFIED :
+ _cupsSetError(IPP_STATUS_OK_EVENTS_COMPLETE, httpStatus(status), 0);
+ break;
+
 case HTTP_STATUS_NOT_FOUND :
 _cupsSetError(IPP_STATUS_ERROR_NOT_FOUND, httpStatus(status), 0);
 break;
diff --git a/cups/tls-gnutls.c b/cups/tls-gnutls.c
index a27a51ee3..74c3859ac 100644
--- a/cups/tls-gnutls.c
+++ b/cups/tls-gnutls.c
@@ -829,7 +829,7 @@ cupsGetCredentialsTrust(
 }
 // Look this common name up in the default keychains...
- if ((tcreds = cupsCopyCredentials(path, common_name)) != NULL)
+ if (num_certs == 1 && (tcreds = cupsCopyCredentials(path, common_name)) != NULL)
 {
 char credentials_str[1024], // String for incoming credentials
 tcreds_str[1024]; // String for saved credentials
diff --git a/cups/tls-openssl.c b/cups/tls-openssl.c
index 26884c89d..b4652ca36 100644
--- a/cups/tls-openssl.c
+++ b/cups/tls-openssl.c
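Review bot: In the `_cupsSetHTTPError` hunk of cups/request.c, the new `HTTP_STATUS_NOT_MODIFIED` case reports `IPP_STATUS_OK_EVENTS_COMPLETE`, a status defined for event notifications, and nothing in the case says why that value stands in for a 304. Presumably the goal is only to hand callers an OK-class status so that a conditional request is not treated as a failure. A comment above the case, such as `/* 304 is not a failure - report an OK-class status so callers do not treat it as an error */`, would record that. The switch continues outside the hunk.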
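Review bot: In the `cupsGetCredentialsTrust` hunk of cups/tls-gnutls.c, `num_certs == 1` is used as a stand-in for "self-signed", and the `@@ -803,7 +807,7 @@` hunk of cups/tls-openssl.c makes the same substitution with `sk_X509_num(certs) == 1`. Chain length and self-signedness are different properties: a server can send a lone CA-issued leaf, and any peer that sends two or more certificates now bypasses the comparison with the stored (pinned) credentials for that common name, so a changed certificate is no longer noticed on that path. Whether such a chain is then validated against trusted roots depends on code after this `if`, which is outside both hunks, so confirm that a multi-certificate chain cannot end up trusted without either check. Consider testing the property itself, e.g. `X509_check_issued(cert, cert) == X509_V_OK` in the OpenSSL build and `gnutls_x509_crt_check_issuer()` on the first certificate in the GnuTLS build. Also add a comment above the condition stating that pinned credentials are consulted only for self-signed peers.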
@@ -777,6 +777,8 @@ cupsGetCredentialsTrust(
 _cups_globals_t *cg = _cupsGlobals(); // Per-thread globals
+ DEBUG_printf("cupsGetCredentialsTrust(path=\"%s\", common_name=\"%s\", credentials=\"%lu bytes\", require_ca=%s)", path, common_name, (unsigned long)(credentials ? strlen(credentials) : 0), require_ca ? "true" : "false");
+
 // Range check input...
 if (!path)
 path = http_default_path(defpath, sizeof(defpath));
@@ -796,6 +798,8 @@ cupsGetCredentialsTrust(
 cert = sk_X509_value(certs, 0);
+ DEBUG_printf("1cupsGetCredentialsGetTrust: certs=%p, sk_X509_num(certs)=%d", (void *)certs, sk_X509_num(certs));
+
 if (cg->any_root < 0)
 {
 _cupsSetDefaults();
@@ -803,7 +807,7 @@ cupsGetCredentialsTrust(
 }
 // Look this common name up in the default keychains...
- if ((tcreds = cupsCopyCredentials(path, common_name)) != NULL)
+ if (sk_X509_num(certs) == 1 && (tcreds = cupsCopyCredentials(path, common_name)) != NULL)
 {
 char credentials_str[1024], // String for incoming credentials
 tcreds_str[1024]; // String for saved credentials
diff --git a/cups/tls.c b/cups/tls.c
index 6f2d1aef7..5ae71bf0f 100644
--- a/cups/tls.c
+++ b/cups/tls.c
@@ -140,7 +140,7 @@ cupsSaveCredentials(
 if (credentials)
 {
 // Make sure it looks like a PEM-encoded cert...
- if (strncmp(credentials, "-----BEGIN CERTIFICATE-----", 27) || strstr(key, "-----END CERTIFICATE-----") == NULL)
+ if (strncmp(credentials, "-----BEGIN CERTIFICATE-----", 27) || strstr(credentials, "-----END CERTIFICATE-----") == NULL)
 return (false);
 }
@@ -266,6 +266,8 @@ http_check_roots(const char *creds) // I - Credentials
 bool ret = false; // Return value
+ DEBUG_printf("3http_check_roots(creds=\"%s\")", creds);
+
 #ifdef __APPLE__
 // Apple hides all of the keychain stuff (all deprecated) so the best we can
 // do is use the SecTrust API to evaluate the certificate...
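Review bot: The debug line added in the `@@ -796,6 +798,8 @@` hunk of cups/tls-openssl.c is tagged `1cupsGetCredentialsGetTrust:`, but the function is `cupsGetCredentialsTrust`, which is how the entry trace added in the first hunk of the same file spells it. Anyone filtering the debug log by function name while diagnosing a trust decision will miss this line. Change the prefix to `1cupsGetCredentialsTrust:` so both traces share one searchable name.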
@@ -327,11 +329,19 @@ http_check_roots(const char *creds) // I - Credentials
 // Test the certificate list against the macOS/iOS trust store...
 if ((policy = SecPolicyCreateBasicX509()) != NULL)
 {
+ DEBUG_puts("4http_check_roots: SecPolicyCreateBasicX509 succeeded.");
+
 if (SecTrustCreateWithCertificates(certs, policy, &trust) == noErr)
 {
 ret = SecTrustEvaluateWithError(trust, NULL);
 CFRelease(trust);
+
+ DEBUG_printf("4http_check_roots: SecTrustEvaluateWithError returned %d.", ret);
 }
+#ifdef DEBUG
+ else
+ DEBUG_printf("4http_check_roots: SecTrustCreateWithCertificates returned %d.", SecTrustCreateWithCertificates(certs, policy, &trust));
+#endif // DEBUG
 CFRelease(policy);
 }
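Review bot: The `#ifdef DEBUG` `else` branch in `http_check_roots` calls `SecTrustCreateWithCertificates(certs, policy, &trust)` a second time only to get a status for the log line. Debug builds therefore run the call twice, and if the second attempt succeeds they leave a `trust` object that is never evaluated or released, so debug and release builds behave differently in the certificate-validation path. Capture the status once instead: `OSStatus err = SecTrustCreateWithCertificates(certs, policy, &trust);`, then `if (err == noErr)`, and in the else branch `DEBUG_printf("4http_check_roots: SecTrustCreateWithCertificates returned %d.", (int)err);`. The enclosing function starts and ends outside the hunk.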