/*
* Private HTTP definitions for CUPS.
*
* Copyright 2007-2017 by Apple Inc.
* Copyright 1997-2007 by Easy Software Products, all rights reserved.
*
* These coded instructions, statements, and computer programs are the
* property of Apple Inc. and are protected by Federal copyright
* law. Distribution and use rights are outlined in the file "LICENSE.txt"
* which should have been included with this file. If this file is
* missing or damaged, see the license at "http://www.cups.org/".
*
* This file is subject to the Apple OS-Developed Software exception.
*/
#ifndef _CUPS_HTTP_PRIVATE_H_
# define _CUPS_HTTP_PRIVATE_H_
/*
* Include necessary headers...
*/
# include "config.h"
# include <cups/language.h>
# include <stddef.h>
# include <stdlib.h>
# ifdef __sun
# include <sys/select.h>
# endif /* __sun */
# include <limits.h>
# ifdef WIN32
# include <io.h>
# include <winsock2.h>
# define CUPS_SOCAST (const char *)
# else
# include <unistd.h>
# include <fcntl.h>
# include <sys/socket.h>
# define CUPS_SOCAST
# endif /* WIN32 */
# ifdef HAVE_GSSAPI
# ifdef HAVE_GSS_GSSAPI_H
# include <GSS/gssapi.h>
# elif defined(HAVE_GSSAPI_GSSAPI_H)
# include <gssapi/gssapi.h>
# elif defined(HAVE_GSSAPI_H)
# include <gssapi.h>
# endif /* HAVE_GSS_GSSAPI_H */
# ifndef HAVE_GSS_C_NT_HOSTBASED_SERVICE
# define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name
# endif /* !HAVE_GSS_C_NT_HOSTBASED_SERVICE */
# endif /* HAVE_GSSAPI */
# ifdef HAVE_AUTHORIZATION_H
# include <Security/Authorization.h>
# endif /* HAVE_AUTHORIZATION_H */
# if defined(__APPLE__) && !defined(_SOCKLEN_T)
/*
* macOS 10.2.x does not define socklen_t, and in fact uses an int instead of
* unsigned type for length values...
*/
typedef int socklen_t;
# endif /* __APPLE__ && !_SOCKLEN_T */
# include <cups/http.h>
# include "md5-private.h"
# include "ipp-private.h"
# ifdef HAVE_GNUTLS
# include <gnutls/gnutls.h>
# include <gnutls/x509.h>
# elif defined(HAVE_CDSASSL)
# include <CoreFoundation/CoreFoundation.h>
# include <Security/Security.h>
# include <Security/SecureTransport.h>
# ifdef HAVE_SECURETRANSPORTPRIV_H
# include <Security/SecureTransportPriv.h>
# endif /* HAVE_SECURETRANSPORTPRIV_H */
# ifdef HAVE_SECITEM_H
# include <Security/SecItem.h>
# endif /* HAVE_SECITEM_H */
# ifdef HAVE_SECBASEPRIV_H
# include <Security/SecBasePriv.h>
# endif /* HAVE_SECBASEPRIV_H */
# ifdef HAVE_SECCERTIFICATE_H
# include <Security/SecCertificate.h>
# include <Security/SecIdentity.h>
# endif /* HAVE_SECCERTIFICATE_H */
# ifdef HAVE_SECCERTIFICATEPRIV_H
# include <Security/SecCertificatePriv.h>
# else
# ifdef __cplusplus
extern "C" {
# endif /* __cplusplus */
# ifndef _SECURITY_VERSION_GREATER_THAN_57610_
typedef CF_OPTIONS(uint32_t, SecKeyUsage) {
kSecKeyUsageAll = 0x7FFFFFFF
};
# endif /* !_SECURITY_VERSION_GREATER_THAN_57610_ */
extern const void * kSecCSRChallengePassword;
extern const void * kSecSubjectAltName;
extern const void * kSecCertificateKeyUsage;
extern const void * kSecCSRBasicContraintsPathLen;
extern const void * kSecCertificateExtensions;
extern const void * kSecCertificateExtensionsEncoded;
extern const void * kSecOidCommonName;
extern const void * kSecOidCountryName;
extern const void * kSecOidStateProvinceName;
extern const void * kSecOidLocalityName;
extern const void * kSecOidOrganization;
extern const void * kSecOidOrganizationalUnit;
extern SecCertificateRef SecCertificateCreateWithBytes(CFAllocatorRef allocator, const UInt8 *bytes, CFIndex length);
extern bool SecCertificateIsValid(SecCertificateRef certificate, CFAbsoluteTime verifyTime);
extern CFAbsoluteTime SecCertificateNotValidAfter(SecCertificateRef certificate);
extern SecCertificateRef SecGenerateSelfSignedCertificate(CFArrayRef subject, CFDictionaryRef parameters, SecKeyRef publicKey, SecKeyRef privateKey);
extern SecIdentityRef SecIdentityCreate(CFAllocatorRef allocator, SecCertificateRef certificate, SecKeyRef privateKey);
# ifdef __cplusplus
}
# endif /* __cplusplus */
# endif /* HAVE_SECCERTIFICATEPRIV_H */
# ifdef HAVE_SECITEMPRIV_H
# include <Security/SecItemPriv.h>
# endif /* HAVE_SECITEMPRIV_H */
# ifdef HAVE_SECIDENTITYSEARCHPRIV_H
# include <Security/SecIdentitySearchPriv.h>
# endif /* HAVE_SECIDENTITYSEARCHPRIV_H */
# ifdef HAVE_SECPOLICYPRIV_H
# include <Security/SecPolicyPriv.h>
# endif /* HAVE_SECPOLICYPRIV_H */
# elif defined(HAVE_SSPISSL)
# include <wincrypt.h>
# include <wintrust.h>
# include <schannel.h>
# define SECURITY_WIN32
# include <security.h>
# include <sspi.h>
# endif /* HAVE_GNUTLS */
# ifndef WIN32
# include <net/if.h>
# include <resolv.h>
# ifdef HAVE_GETIFADDRS
# include <ifaddrs.h>
# else
# include <sys/ioctl.h>
# ifdef HAVE_SYS_SOCKIO_H
# include <sys/sockio.h>
# endif /* HAVE_SYS_SOCKIO_H */
# endif /* HAVE_GETIFADDRS */
# endif /* !WIN32 */
# ifdef HAVE_LIBZ
# include <zlib.h>
# endif /* HAVE_LIBZ */
/*
* C++ magic...
*/
# ifdef __cplusplus
extern "C" {
# endif /* __cplusplus */
/*
* Constants...
*/
# define _HTTP_MAX_SBUFFER 65536 /* Size of (de)compression buffer */
# define _HTTP_RESOLVE_DEFAULT 0 /* Just resolve with default options */
# define _HTTP_RESOLVE_STDERR 1 /* Log resolve progress to stderr */
# define _HTTP_RESOLVE_FQDN 2 /* Resolve to a FQDN */
# define _HTTP_RESOLVE_FAXOUT 4 /* Resolve FaxOut service? */
# define _HTTP_TLS_NONE 0 /* No TLS options */
# define _HTTP_TLS_ALLOW_RC4 1 /* Allow RC4 cipher suites */
# define _HTTP_TLS_ALLOW_SSL3 2 /* Allow SSL 3.0 */
# define _HTTP_TLS_ALLOW_DH 4 /* Allow DH/DHE key negotiation */
# define _HTTP_TLS_DENY_TLS10 16 /* Deny TLS 1.0 */
# define _HTTP_TLS_DENY_CBC 32 /* Deny CBC cipher suites */
# define _HTTP_TLS_ONLY_TLS10 64 /* Only use TLS 1.0 */
# define _HTTP_TLS_SET_DEFAULT 128 /* Setting the default TLS options */
/*
* Types and functions for SSL support...
*/
# ifdef HAVE_GNUTLS
/*
* The GNU TLS library is more of a "bare metal" SSL/TLS library...
*/
typedef gnutls_session_t http_tls_t;
typedef gnutls_certificate_credentials_t *http_tls_credentials_t;
# elif defined(HAVE_CDSASSL)
/*
* Darwin's Security framework provides its own SSL/TLS context structure
* for its IO and protocol management...
*/
# if !defined(HAVE_SECBASEPRIV_H) && defined(HAVE_CSSMERRORSTRING) /* Declare prototype for function in that header... */
extern const char *cssmErrorString(int error);
# endif /* !HAVE_SECBASEPRIV_H && HAVE_CSSMERRORSTRING */
# if !defined(HAVE_SECIDENTITYSEARCHPRIV_H) && defined(HAVE_SECIDENTITYSEARCHCREATEWITHPOLICY) /* Declare prototype for function in that header... */
extern OSStatus SecIdentitySearchCreateWithPolicy(SecPolicyRef policy,
CFStringRef idString, CSSM_KEYUSE keyUsage,
CFTypeRef keychainOrArray,
Boolean returnOnlyValidIdentities,
SecIdentitySearchRef* searchRef);
# endif /* !HAVE_SECIDENTITYSEARCHPRIV_H && HAVE_SECIDENTITYSEARCHCREATEWITHPOLICY */
# if !defined(HAVE_SECPOLICYPRIV_H) && defined(HAVE_SECPOLICYSETVALUE) /* Declare prototype for function in that header... */
extern OSStatus SecPolicySetValue(SecPolicyRef policyRef,
const CSSM_DATA *value);
# endif /* !HAVE_SECPOLICYPRIV_H && HAVE_SECPOLICYSETVALUE */
typedef SSLContextRef http_tls_t;
typedef CFArrayRef http_tls_credentials_t;
# elif defined(HAVE_SSPISSL)
/*
* Windows' SSPI library gets a CUPS wrapper...
*/
typedef struct _http_sspi_s /**** SSPI/SSL data structure ****/
{
CredHandle creds; /* Credentials */
CtxtHandle context; /* SSL context */
BOOL contextInitialized; /* Is context init'd? */
SecPkgContext_StreamSizes streamSizes;/* SSL data stream sizes */
BYTE *decryptBuffer; /* Data pre-decryption*/
size_t decryptBufferLength; /* Length of decrypt buffer */
size_t decryptBufferUsed; /* Bytes used in buffer */
BYTE *readBuffer; /* Data post-decryption */
int readBufferLength; /* Length of read buffer */
int readBufferUsed; /* Bytes used in buffer */
BYTE *writeBuffer; /* Data pre-encryption */
int writeBufferLength; /* Length of write buffer */
PCCERT_CONTEXT localCert, /* Local certificate */
remoteCert; /* Remote (peer's) certificate */
char error[256]; /* Most recent error message */
} _http_sspi_t;
typedef _http_sspi_t *http_tls_t;
typedef PCCERT_CONTEXT http_tls_credentials_t;
# else
/*
* Otherwise define stub types since we have no SSL support...
*/
typedef void *http_tls_t;
typedef void *http_tls_credentials_t;
# endif /* HAVE_GNUTLS */
typedef enum _http_coding_e /**** HTTP content coding enumeration ****/
{
_HTTP_CODING_IDENTITY, /* No content coding */
_HTTP_CODING_GZIP, /* LZ77+gzip decompression */
_HTTP_CODING_DEFLATE, /* LZ77+zlib compression */
_HTTP_CODING_GUNZIP, /* LZ77+gzip decompression */
_HTTP_CODING_INFLATE /* LZ77+zlib decompression */
} _http_coding_t;
typedef enum _http_mode_e /**** HTTP mode enumeration ****/
{
_HTTP_MODE_CLIENT, /* Client connected to server */
_HTTP_MODE_SERVER /* Server connected (accepted) from client */
} _http_mode_t;
# ifndef _HTTP_NO_PRIVATE
struct _http_s /**** HTTP connection structure ****/
{
int fd; /* File descriptor for this socket */
int blocking; /* To block or not to block */
int error; /* Last error on read */
time_t activity; /* Time since last read/write */
http_state_t state; /* State of client */
http_status_t status; /* Status of last request */
http_version_t version; /* Protocol version */
http_keepalive_t keep_alive; /* Keep-alive supported? */
struct sockaddr_in _hostaddr; /* Address of connected host (deprecated) */
char hostname[HTTP_MAX_HOST],
/* Name of connected host */
fields[HTTP_FIELD_ACCEPT_ENCODING][HTTP_MAX_VALUE];
/* Field values up to Accept-Encoding */
char *data; /* Pointer to data buffer */
http_encoding_t data_encoding; /* Chunked or not */
int _data_remaining;/* Number of bytes left (deprecated) */
int used; /* Number of bytes used in buffer */
char buffer[HTTP_MAX_BUFFER];
/* Buffer for incoming data */
int _auth_type; /* Authentication in use (deprecated) */
_cups_md5_state_t md5_state; /* MD5 state */
char nonce[HTTP_MAX_VALUE];
/* Nonce value */
int nonce_count; /* Nonce count */
http_tls_t tls; /* TLS state information */
http_encryption_t encryption; /* Encryption requirements */
/**** New in CUPS 1.1.19 ****/
fd_set *input_set; /* select() set for httpWait() (deprecated) */
http_status_t expect; /* Expect: header */
char *cookie; /* Cookie value(s) */
/**** New in CUPS 1.1.20 ****/
char _authstring[HTTP_MAX_VALUE],
/* Current Authorization value (deprecated) */
userpass[HTTP_MAX_VALUE];
/* Username:password string */
int digest_tries; /* Number of tries for digest auth */
/**** New in CUPS 1.2 ****/
off_t data_remaining; /* Number of bytes left */
http_addr_t *hostaddr; /* Current host address and port */
http_addrlist_t *addrlist; /* List of valid addresses */
char wbuffer[HTTP_MAX_BUFFER];
/* Buffer for outgoing data */
int wused; /* Write buffer bytes used */
/**** New in CUPS 1.3 ****/
char *field_authorization;
/* Authorization field */
char *authstring; /* Current Authorization field */
# ifdef HAVE_GSSAPI
gss_OID gssmech; /* Authentication mechanism */
gss_ctx_id_t gssctx; /* Authentication context */
gss_name_t gssname; /* Authentication server name */
# endif /* HAVE_GSSAPI */
# ifdef HAVE_AUTHORIZATION_H
AuthorizationRef auth_ref; /* Authorization ref */
# endif /* HAVE_AUTHORIZATION_H */
/**** New in CUPS 1.5 ****/
http_tls_credentials_t tls_credentials;
/* TLS credentials */
http_timeout_cb_t timeout_cb; /* Timeout callback */
void *timeout_data; /* User data pointer */
double timeout_value; /* Timeout in seconds */
int wait_value; /* httpWait value for timeout */
# ifdef HAVE_GSSAPI
char gsshost[256]; /* Hostname for Kerberos */
# endif /* HAVE_GSSAPI */
/**** New in CUPS 1.7 ****/
int tls_upgrade; /* Non-zero if we are doing an upgrade */
_http_mode_t mode; /* _HTTP_MODE_CLIENT or _HTTP_MODE_SERVER */
char *accept_encoding,
/* Accept-Encoding field */
*allow, /* Allow field */
*server, /* Server field */
*default_accept_encoding,
*default_server,
*default_user_agent;
/* Default field values */
# ifdef HAVE_LIBZ
_http_coding_t coding; /* _HTTP_CODING_xxx */
z_stream stream; /* (De)compression stream */
Bytef *sbuffer; /* (De)compression buffer */
# endif /* HAVE_LIBZ */
};
# endif /* !_HTTP_NO_PRIVATE */
/*
* Some OS's don't have hstrerror(), most notably Solaris...
*/
# ifndef HAVE_HSTRERROR
extern const char *_cups_hstrerror(int error);
# define hstrerror _cups_hstrerror
# endif /* !HAVE_HSTRERROR */
/*
* Some OS's don't have getifaddrs() and freeifaddrs()...
*/
# if !defined(WIN32) && !defined(HAVE_GETIFADDRS)
# ifdef ifa_dstaddr
# undef ifa_dstaddr
# endif /* ifa_dstaddr */
# ifndef ifr_netmask
# define ifr_netmask ifr_addr
# endif /* !ifr_netmask */
struct ifaddrs /**** Interface Structure ****/
{
struct ifaddrs *ifa_next; /* Next interface in list */
char *ifa_name; /* Name of interface */
unsigned int ifa_flags; /* Flags (up, point-to-point, etc.) */
struct sockaddr *ifa_addr, /* Network address */
*ifa_netmask; /* Address mask */
union
{
struct sockaddr *ifu_broadaddr; /* Broadcast address of this interface. */
struct sockaddr *ifu_dstaddr; /* Point-to-point destination address. */
} ifa_ifu;
void *ifa_data; /* Interface statistics */
};
# ifndef ifa_broadaddr
# define ifa_broadaddr ifa_ifu.ifu_broadaddr
# endif /* !ifa_broadaddr */
# ifndef ifa_dstaddr
# define ifa_dstaddr ifa_ifu.ifu_dstaddr
# endif /* !ifa_dstaddr */
extern int _cups_getifaddrs(struct ifaddrs **addrs);
# define getifaddrs _cups_getifaddrs
extern void _cups_freeifaddrs(struct ifaddrs *addrs);
# define freeifaddrs _cups_freeifaddrs
# endif /* !WIN32 && !HAVE_GETIFADDRS */
/*
* Prototypes...
*/
extern void _httpAddrSetPort(http_addr_t *addr, int port);
extern http_tls_credentials_t
_httpCreateCredentials(cups_array_t *credentials);
extern char *_httpDecodeURI(char *dst, const char *src,
size_t dstsize);
extern void _httpDisconnect(http_t *http);
extern char *_httpEncodeURI(char *dst, const char *src,
size_t dstsize);
extern void _httpFreeCredentials(http_tls_credentials_t credentials);
extern const char *_httpResolveURI(const char *uri, char *resolved_uri,
size_t resolved_size, int options,
int (*cb)(void *context),
void *context);
extern const char *_httpStatus(cups_lang_t *lang, http_status_t status);
extern void _httpTLSInitialize(void);
extern size_t _httpTLSPending(http_t *http);
extern int _httpTLSRead(http_t *http, char *buf, int len);
extern int _httpTLSSetCredentials(http_t *http);
extern void _httpTLSSetOptions(int options);
extern int _httpTLSStart(http_t *http);
extern void _httpTLSStop(http_t *http);
extern int _httpTLSWrite(http_t *http, const char *buf, int len);
extern int _httpUpdate(http_t *http, http_status_t *status);
extern int _httpWait(http_t *http, int msec, int usessl);
/*
* C++ magic...
*/
# ifdef __cplusplus
}
# endif /* __cplusplus */
#endif /* !_CUPS_HTTP_PRIVATE_H_ */