Update httpConnectURI to do X.509 pinning.

michaelrsweet · michaelrsweet · commit 0eedd19fb1fb · 2024-09-20T11:10:54.000-04:00
diff --git a/cups/http.c b/cups/http.c
@@ -485,6 +485,7 @@ httpConnectURI(const char *uri,		// I - Service to connect to
 		lresource[256];		// URI resource (local copy)
   int		lport;			// URI port (local copy)
   http_encryption_t encryption;		// Type of encryption to use
+  http_uri_status_t uri_status;		// URI separation status
 
 
   DEBUG_printf("httpConnectURI(uri=\"%s\", host=%p, hsize=%u, port=%p, resource=%p, rsize=%u, blocking=%d, msec=%d, cancel=%p, require_ca=%s)", uri, (void *)host, (unsigned)hsize, (void *)port, (void *)resource, (unsigned)rsize, blocking, msec, (void *)cancel, require_ca ? "true" : "false");
@@ -520,8 +521,11 @@ httpConnectURI(const char *uri,		// I - Service to connect to
   }
 
   // Get the URI components...
-  if (httpSeparateURI(HTTP_URI_CODING_ALL, uri, scheme, sizeof(scheme), userpass, sizeof(userpass), host, hsize, port, resource, rsize) < HTTP_URI_STATUS_OK)
+  if ((uri_status = httpSeparateURI(HTTP_URI_CODING_ALL, uri, scheme, sizeof(scheme), userpass, sizeof(userpass), host, hsize, port, resource, rsize)) < HTTP_URI_STATUS_OK)
+  {
+    _cupsSetError(IPP_STATUS_ERROR_INTERNAL, httpURIStatusString(uri_status), 0);
     return (NULL);
+  }
 
   DEBUG_printf("1httpConnectURI: scheme=\"%s\", host=\"%s\", port=%d, resource=\"%s\"", scheme, host, *port, resource);
 
@@ -532,7 +536,7 @@ httpConnectURI(const char *uri,		// I - Service to connect to
 
   http = httpConnect(host, *port, /*addrlist*/NULL, AF_UNSPEC, encryption, blocking, msec, cancel);
 
-  if (httpIsEncrypted(http) && require_ca)
+  if (httpIsEncrypted(http))
   {
     // Validate trust with service...
     char	*creds;			// Peer credentials...
@@ -541,13 +545,19 @@ httpConnectURI(const char *uri,		// I - Service to connect to
     creds = httpCopyPeerCredentials(http);
     trust = cupsGetCredentialsTrust(/*path*/NULL, host, creds, require_ca);
 
-    free(creds);
-
-    if (trust != HTTP_TRUST_OK)
+    if (trust == HTTP_TRUST_OK)
     {
+      // Pin the trusted credentials (for TOFU)...
+      cupsSaveCredentials(/*path*/NULL, host, creds, /*key*/NULL);
+    }
+    else if (trust != HTTP_TRUST_RENEWED)
+    {
+      // Don't allow the connection...
       httpClose(http);
       http = NULL;
     }
+
+    free(creds);
   }
 
   return (http);
diff --git a/cups/tls-gnutls.c b/cups/tls-gnutls.c
@@ -818,7 +818,7 @@ cupsGetCredentialsTrust(
   // Load the credentials...
   if (!gnutls_import_certs(credentials, &num_certs, certs))
   {
-    _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Unable to import credentials."), true);
+    _cupsSetError(IPP_STATUS_ERROR_CUPS_PKI, _("Unable to import credentials."), true);
     return (HTTP_TRUST_UNKNOWN);
   }
 
@@ -844,21 +844,21 @@ cupsGetCredentialsTrust(
       if (!cg->trust_first || require_ca)
       {
         // Do not trust certificates on first use...
-        _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Trust on first use is disabled."), true);
+        _cupsSetError(IPP_STATUS_ERROR_CUPS_PKI, _("Trust on first use is disabled."), true);
 
         trust = HTTP_TRUST_INVALID;
       }
       else if (cupsGetCredentialsExpiration(credentials) <= cupsGetCredentialsExpiration(tcreds))
       {
         // The new credentials are not newly issued...
-        _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("New credentials are older than stored credentials."), true);
+        _cupsSetError(IPP_STATUS_ERROR_CUPS_PKI, _("New credentials are older than stored credentials."), true);
 
         trust = HTTP_TRUST_INVALID;
       }
       else if (!cupsAreCredentialsValidForName(common_name, credentials))
       {
         // The common name does not match the issued certificate...
-        _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("New credentials are not valid for name."), true);
+        _cupsSetError(IPP_STATUS_ERROR_CUPS_PKI, _("New credentials are not valid for name."), true);
 
         trust = HTTP_TRUST_INVALID;
       }
@@ -875,7 +875,7 @@ cupsGetCredentialsTrust(
   }
   else if ((cg->validate_certs || require_ca) && !cupsAreCredentialsValidForName(common_name, credentials))
   {
-    _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("No stored credentials, not valid for name."), true);
+    _cupsSetError(IPP_STATUS_ERROR_CUPS_PKI, _("No stored credentials, not valid for name."), true);
     trust = HTTP_TRUST_INVALID;
   }
   else if (num_certs > 1)
@@ -899,25 +899,25 @@ cupsGetCredentialsTrust(
 	}
 
 	if (trust != HTTP_TRUST_OK)
-	  _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Credentials do not validate against site CA certificate."), true);
+	  _cupsSetError(IPP_STATUS_ERROR_CUPS_PKI, _("Credentials do not validate against site CA certificate."), true);
 
 	free(tcreds);
       }
     }
   }
   else if (require_ca)
   {
-    _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Credentials are not CA-signed."), true);
+    _cupsSetError(IPP_STATUS_ERROR_CUPS_PKI, _("Credentials are not CA-signed."), true);
     trust = HTTP_TRUST_INVALID;
   }
   else if (!cg->trust_first)
   {
-    _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Trust on first use is disabled."), true);
+    _cupsSetError(IPP_STATUS_ERROR_CUPS_PKI, _("Trust on first use is disabled."), true);
     trust = HTTP_TRUST_INVALID;
   }
   else if (!cg->any_root || require_ca)
   {
-    _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Self-signed credentials are blocked."), true);
+    _cupsSetError(IPP_STATUS_ERROR_CUPS_PKI, _("Self-signed credentials are blocked."), true);
     trust = HTTP_TRUST_INVALID;
   }
 
@@ -928,7 +928,7 @@ cupsGetCredentialsTrust(
     time(&curtime);
     if (curtime < gnutls_x509_crt_get_activation_time(certs[0]) || curtime > gnutls_x509_crt_get_expiration_time(certs[0]))
     {
-      _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Credentials have expired."), true);
+      _cupsSetError(IPP_STATUS_ERROR_CUPS_PKI, _("Credentials have expired."), true);
       trust = HTTP_TRUST_EXPIRED;
     }
   }
diff --git a/cups/tls-openssl.c b/cups/tls-openssl.c
@@ -877,7 +877,7 @@ cupsGetCredentialsTrust(
   // Load the credentials...
   if ((certs = openssl_load_x509(credentials)) == NULL)
   {
-    _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Unable to import credentials."), true);
+    _cupsSetError(IPP_STATUS_ERROR_CUPS_PKI, _("Unable to import credentials."), true);
     return (HTTP_TRUST_UNKNOWN);
   }
 
@@ -905,21 +905,21 @@ cupsGetCredentialsTrust(
       if (!cg->trust_first || require_ca)
       {
         // Do not trust certificates on first use...
-        _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Trust on first use is disabled."), true);
+        _cupsSetError(IPP_STATUS_ERROR_CUPS_PKI, _("Trust on first use is disabled."), true);
 
         trust = HTTP_TRUST_INVALID;
       }
       else if (cupsGetCredentialsExpiration(credentials) <= cupsGetCredentialsExpiration(tcreds))
       {
         // The new credentials are not newly issued...
-        _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("New credentials are older than stored credentials."), true);
+        _cupsSetError(IPP_STATUS_ERROR_CUPS_PKI, _("New credentials are older than stored credentials."), true);
 
         trust = HTTP_TRUST_INVALID;
       }
       else if (!cupsAreCredentialsValidForName(common_name, credentials))
       {
         // The common name does not match the issued certificate...
-        _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("New credentials are not valid for name."), true);
+        _cupsSetError(IPP_STATUS_ERROR_CUPS_PKI, _("New credentials are not valid for name."), true);
 
         trust = HTTP_TRUST_INVALID;
       }
@@ -936,7 +936,7 @@ cupsGetCredentialsTrust(
   }
   else if ((cg->validate_certs || require_ca) && !cupsAreCredentialsValidForName(common_name, credentials))
   {
-    _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("No stored credentials, not valid for name."), true);
+    _cupsSetError(IPP_STATUS_ERROR_CUPS_PKI, _("No stored credentials, not valid for name."), true);
     trust = HTTP_TRUST_INVALID;
   }
   else if (sk_X509_num(certs) > 1)
@@ -960,25 +960,25 @@ cupsGetCredentialsTrust(
 	}
 
 	if (trust != HTTP_TRUST_OK)
-	  _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Credentials do not validate against site CA certificate."), true);
+	  _cupsSetError(IPP_STATUS_ERROR_CUPS_PKI, _("Credentials do not validate against site CA certificate."), true);
 
 	free(tcreds);
       }
     }
   }
   else if (require_ca)
   {
-    _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Credentials are not CA-signed."), true);
+    _cupsSetError(IPP_STATUS_ERROR_CUPS_PKI, _("Credentials are not CA-signed."), true);
     trust = HTTP_TRUST_INVALID;
   }
   else if (!cg->trust_first)
   {
-    _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Trust on first use is disabled."), true);
+    _cupsSetError(IPP_STATUS_ERROR_CUPS_PKI, _("Trust on first use is disabled."), true);
     trust = HTTP_TRUST_INVALID;
   }
   else if (!cg->any_root || require_ca)
   {
-    _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Self-signed credentials are blocked."), true);
+    _cupsSetError(IPP_STATUS_ERROR_CUPS_PKI, _("Self-signed credentials are blocked."), true);
     trust = HTTP_TRUST_INVALID;
   }
 
@@ -989,7 +989,7 @@ cupsGetCredentialsTrust(
     time(&curtime);
     if (curtime < openssl_get_date(cert, 0) || curtime > openssl_get_date(cert, 1))
     {
-      _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Credentials have expired."), true);
+      _cupsSetError(IPP_STATUS_ERROR_CUPS_PKI, _("Credentials have expired."), true);
       trust = HTTP_TRUST_EXPIRED;
     }
   }
diff --git a/pdfio b/pdfio
@@ -1 +1 @@
-Subproject commit 986c5f0438ea71f549244b841c3775d94659849a
+Subproject commit 206f75403a085c6bf2033f8e2c0eae2c81ac4e82

Original file line number	Diff line number	Diff line change
`@@ -818,7 +818,7 @@ cupsGetCredentialsTrust(`
`818`	`818`	`// Load the credentials...`
`819`	`819`	`if (!gnutls_import_certs(credentials, &num_certs, certs))`
`820`	`820`	`{`
`821`		`- _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Unable to import credentials."), true);`
	`821`	`+ _cupsSetError(IPP_STATUS_ERROR_CUPS_PKI, _("Unable to import credentials."), true);`
`822`	`822`	`return (HTTP_TRUST_UNKNOWN);`
`823`	`823`	`}`
`824`	`824`
`@@ -844,21 +844,21 @@ cupsGetCredentialsTrust(`
`844`	`844`	`if (!cg->trust_first \|\| require_ca)`
`845`	`845`	`{`
`846`	`846`	`// Do not trust certificates on first use...`
`847`		`- _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Trust on first use is disabled."), true);`
	`847`	`+ _cupsSetError(IPP_STATUS_ERROR_CUPS_PKI, _("Trust on first use is disabled."), true);`
`848`	`848`
`849`	`849`	`trust = HTTP_TRUST_INVALID;`
`850`	`850`	`}`
`851`	`851`	`else if (cupsGetCredentialsExpiration(credentials) <= cupsGetCredentialsExpiration(tcreds))`
`852`	`852`	`{`
`853`	`853`	`// The new credentials are not newly issued...`
`854`		`- _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("New credentials are older than stored credentials."), true);`
	`854`	`+ _cupsSetError(IPP_STATUS_ERROR_CUPS_PKI, _("New credentials are older than stored credentials."), true);`
`855`	`855`
`856`	`856`	`trust = HTTP_TRUST_INVALID;`
`857`	`857`	`}`
`858`	`858`	`else if (!cupsAreCredentialsValidForName(common_name, credentials))`
`859`	`859`	`{`
`860`	`860`	`// The common name does not match the issued certificate...`
`861`		`- _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("New credentials are not valid for name."), true);`
	`861`	`+ _cupsSetError(IPP_STATUS_ERROR_CUPS_PKI, _("New credentials are not valid for name."), true);`
`862`	`862`
`863`	`863`	`trust = HTTP_TRUST_INVALID;`
`864`	`864`	`}`
`@@ -875,7 +875,7 @@ cupsGetCredentialsTrust(`
`875`	`875`	`}`
`876`	`876`	`else if ((cg->validate_certs \|\| require_ca) && !cupsAreCredentialsValidForName(common_name, credentials))`
`877`	`877`	`{`
`878`		`- _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("No stored credentials, not valid for name."), true);`
	`878`	`+ _cupsSetError(IPP_STATUS_ERROR_CUPS_PKI, _("No stored credentials, not valid for name."), true);`
`879`	`879`	`trust = HTTP_TRUST_INVALID;`
`880`	`880`	`}`
`881`	`881`	`else if (num_certs > 1)`
`@@ -899,25 +899,25 @@ cupsGetCredentialsTrust(`
`899`	`899`	`}`
`900`	`900`
`901`	`901`	`if (trust != HTTP_TRUST_OK)`
`902`		`- _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Credentials do not validate against site CA certificate."), true);`
	`902`	`+ _cupsSetError(IPP_STATUS_ERROR_CUPS_PKI, _("Credentials do not validate against site CA certificate."), true);`
`903`	`903`
`904`	`904`	`free(tcreds);`
`905`	`905`	`}`
`906`	`906`	`}`
`907`	`907`	`}`
`908`	`908`	`else if (require_ca)`
`909`	`909`	`{`
`910`		`- _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Credentials are not CA-signed."), true);`
	`910`	`+ _cupsSetError(IPP_STATUS_ERROR_CUPS_PKI, _("Credentials are not CA-signed."), true);`
`911`	`911`	`trust = HTTP_TRUST_INVALID;`
`912`	`912`	`}`
`913`	`913`	`else if (!cg->trust_first)`
`914`	`914`	`{`
`915`		`- _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Trust on first use is disabled."), true);`
	`915`	`+ _cupsSetError(IPP_STATUS_ERROR_CUPS_PKI, _("Trust on first use is disabled."), true);`
`916`	`916`	`trust = HTTP_TRUST_INVALID;`
`917`	`917`	`}`
`918`	`918`	`else if (!cg->any_root \|\| require_ca)`
`919`	`919`	`{`
`920`		`- _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Self-signed credentials are blocked."), true);`
	`920`	`+ _cupsSetError(IPP_STATUS_ERROR_CUPS_PKI, _("Self-signed credentials are blocked."), true);`
`921`	`921`	`trust = HTTP_TRUST_INVALID;`
`922`	`922`	`}`
`923`	`923`
`@@ -928,7 +928,7 @@ cupsGetCredentialsTrust(`
`928`	`928`	`time(&curtime);`
`929`	`929`	`if (curtime < gnutls_x509_crt_get_activation_time(certs[0]) \|\| curtime > gnutls_x509_crt_get_expiration_time(certs[0]))`
`930`	`930`	`{`
`931`		`- _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Credentials have expired."), true);`
	`931`	`+ _cupsSetError(IPP_STATUS_ERROR_CUPS_PKI, _("Credentials have expired."), true);`
`932`	`932`	`trust = HTTP_TRUST_EXPIRED;`
`933`	`933`	`}`
`934`	`934`	`}`
Original file line number	Diff line number	Diff line change
`@@ -877,7 +877,7 @@ cupsGetCredentialsTrust(`
`877`	`877`	`// Load the credentials...`
`878`	`878`	`if ((certs = openssl_load_x509(credentials)) == NULL)`
`879`	`879`	`{`
`880`		`- _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Unable to import credentials."), true);`
	`880`	`+ _cupsSetError(IPP_STATUS_ERROR_CUPS_PKI, _("Unable to import credentials."), true);`
`881`	`881`	`return (HTTP_TRUST_UNKNOWN);`
`882`	`882`	`}`
`883`	`883`
`@@ -905,21 +905,21 @@ cupsGetCredentialsTrust(`
`905`	`905`	`if (!cg->trust_first \|\| require_ca)`
`906`	`906`	`{`
`907`	`907`	`// Do not trust certificates on first use...`
`908`		`- _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Trust on first use is disabled."), true);`
	`908`	`+ _cupsSetError(IPP_STATUS_ERROR_CUPS_PKI, _("Trust on first use is disabled."), true);`
`909`	`909`
`910`	`910`	`trust = HTTP_TRUST_INVALID;`
`911`	`911`	`}`
`912`	`912`	`else if (cupsGetCredentialsExpiration(credentials) <= cupsGetCredentialsExpiration(tcreds))`
`913`	`913`	`{`
`914`	`914`	`// The new credentials are not newly issued...`
`915`		`- _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("New credentials are older than stored credentials."), true);`
	`915`	`+ _cupsSetError(IPP_STATUS_ERROR_CUPS_PKI, _("New credentials are older than stored credentials."), true);`
`916`	`916`
`917`	`917`	`trust = HTTP_TRUST_INVALID;`
`918`	`918`	`}`
`919`	`919`	`else if (!cupsAreCredentialsValidForName(common_name, credentials))`
`920`	`920`	`{`
`921`	`921`	`// The common name does not match the issued certificate...`
`922`		`- _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("New credentials are not valid for name."), true);`
	`922`	`+ _cupsSetError(IPP_STATUS_ERROR_CUPS_PKI, _("New credentials are not valid for name."), true);`
`923`	`923`
`924`	`924`	`trust = HTTP_TRUST_INVALID;`
`925`	`925`	`}`
`@@ -936,7 +936,7 @@ cupsGetCredentialsTrust(`
`936`	`936`	`}`
`937`	`937`	`else if ((cg->validate_certs \|\| require_ca) && !cupsAreCredentialsValidForName(common_name, credentials))`
`938`	`938`	`{`
`939`		`- _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("No stored credentials, not valid for name."), true);`
	`939`	`+ _cupsSetError(IPP_STATUS_ERROR_CUPS_PKI, _("No stored credentials, not valid for name."), true);`
`940`	`940`	`trust = HTTP_TRUST_INVALID;`
`941`	`941`	`}`
`942`	`942`	`else if (sk_X509_num(certs) > 1)`
`@@ -960,25 +960,25 @@ cupsGetCredentialsTrust(`
`960`	`960`	`}`
`961`	`961`
`962`	`962`	`if (trust != HTTP_TRUST_OK)`
`963`		`- _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Credentials do not validate against site CA certificate."), true);`
	`963`	`+ _cupsSetError(IPP_STATUS_ERROR_CUPS_PKI, _("Credentials do not validate against site CA certificate."), true);`
`964`	`964`
`965`	`965`	`free(tcreds);`
`966`	`966`	`}`
`967`	`967`	`}`
`968`	`968`	`}`
`969`	`969`	`else if (require_ca)`
`970`	`970`	`{`
`971`		`- _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Credentials are not CA-signed."), true);`
	`971`	`+ _cupsSetError(IPP_STATUS_ERROR_CUPS_PKI, _("Credentials are not CA-signed."), true);`
`972`	`972`	`trust = HTTP_TRUST_INVALID;`
`973`	`973`	`}`
`974`	`974`	`else if (!cg->trust_first)`
`975`	`975`	`{`
`976`		`- _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Trust on first use is disabled."), true);`
	`976`	`+ _cupsSetError(IPP_STATUS_ERROR_CUPS_PKI, _("Trust on first use is disabled."), true);`
`977`	`977`	`trust = HTTP_TRUST_INVALID;`
`978`	`978`	`}`
`979`	`979`	`else if (!cg->any_root \|\| require_ca)`
`980`	`980`	`{`
`981`		`- _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Self-signed credentials are blocked."), true);`
	`981`	`+ _cupsSetError(IPP_STATUS_ERROR_CUPS_PKI, _("Self-signed credentials are blocked."), true);`
`982`	`982`	`trust = HTTP_TRUST_INVALID;`
`983`	`983`	`}`
`984`	`984`
`@@ -989,7 +989,7 @@ cupsGetCredentialsTrust(`
`989`	`989`	`time(&curtime);`
`990`	`990`	`if (curtime < openssl_get_date(cert, 0) \|\| curtime > openssl_get_date(cert, 1))`
`991`	`991`	`{`
`992`		`- _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Credentials have expired."), true);`
	`992`	`+ _cupsSetError(IPP_STATUS_ERROR_CUPS_PKI, _("Credentials have expired."), true);`
`993`	`993`	`trust = HTTP_TRUST_EXPIRED;`
`994`	`994`	`}`
`995`	`995`	`}`