1 /* 2 * Private HTTP definitions for CUPS. 3 * 4 * Copyright 2007-2018 by Apple Inc. 5 * Copyright 1997-2007 by Easy Software Products, all rights reserved. 6 * 7 * These coded instructions, statements, and computer programs are the 8 * property of Apple Inc. and are protected by Federal copyright 9 * law. Distribution and use rights are outlined in the file "LICENSE.txt" 10 * which should have been included with this file. If this file is 11 * missing or damaged, see the license at "http://www.cups.org/". 12 * 13 * This file is subject to the Apple OS-Developed Software exception. 14 */ 15 16 #ifndef _CUPS_HTTP_PRIVATE_H_ 17 # define _CUPS_HTTP_PRIVATE_H_ 18 19 /* 20 * Include necessary headers... 21 */ 22 23 # include "config.h" 24 # include <cups/language.h> 25 # include <stddef.h> 26 # include <stdlib.h> 27 28 # ifdef __sun 29 # include <sys/select.h> 30 # endif /* __sun */ 31 32 # include <limits.h> 33 # ifdef _WIN32 34 # include <io.h> 35 # include <winsock2.h> 36 # define CUPS_SOCAST (const char *) 37 # else 38 # include <unistd.h> 39 # include <fcntl.h> 40 # include <sys/socket.h> 41 # define CUPS_SOCAST 42 # endif /* _WIN32 */ 43 44 # ifdef HAVE_GSSAPI 45 # ifdef HAVE_GSS_GSSAPI_H 46 # include <GSS/gssapi.h> 47 # elif defined(HAVE_GSSAPI_GSSAPI_H) 48 # include <gssapi/gssapi.h> 49 # elif defined(HAVE_GSSAPI_H) 50 # include <gssapi.h> 51 # endif /* HAVE_GSS_GSSAPI_H */ 52 # ifndef HAVE_GSS_C_NT_HOSTBASED_SERVICE 53 # define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name 54 # endif /* !HAVE_GSS_C_NT_HOSTBASED_SERVICE */ 55 # endif /* HAVE_GSSAPI */ 56 57 # ifdef HAVE_AUTHORIZATION_H 58 # include <Security/Authorization.h> 59 # endif /* HAVE_AUTHORIZATION_H */ 60 61 # if defined(__APPLE__) && !defined(_SOCKLEN_T) 62 /* 63 * macOS 10.2.x does not define socklen_t, and in fact uses an int instead of 64 * unsigned type for length values... 65 */ 66 67 typedef int socklen_t; 68 # endif /* __APPLE__ && !_SOCKLEN_T */ 69 70 # include <cups/http.h> 71 # include "ipp-private.h" 72 73 # ifdef HAVE_GNUTLS 74 # include <gnutls/gnutls.h> 75 # include <gnutls/x509.h> 76 # elif defined(HAVE_CDSASSL) 77 # include <CoreFoundation/CoreFoundation.h> 78 # include <Security/Security.h> 79 # include <Security/SecureTransport.h> 80 # ifdef HAVE_SECURETRANSPORTPRIV_H 81 # include <Security/SecureTransportPriv.h> 82 # endif /* HAVE_SECURETRANSPORTPRIV_H */ 83 # ifdef HAVE_SECITEM_H 84 # include <Security/SecItem.h> 85 # endif /* HAVE_SECITEM_H */ 86 # ifdef HAVE_SECBASEPRIV_H 87 # include <Security/SecBasePriv.h> 88 # endif /* HAVE_SECBASEPRIV_H */ 89 # ifdef HAVE_SECCERTIFICATE_H 90 # include <Security/SecCertificate.h> 91 # include <Security/SecIdentity.h> 92 # endif /* HAVE_SECCERTIFICATE_H */ 93 # ifdef HAVE_SECCERTIFICATEPRIV_H 94 # include <Security/SecCertificatePriv.h> 95 # else 96 # ifdef __cplusplus 97 extern "C" { 98 # endif /* __cplusplus */ 99 # ifndef _SECURITY_VERSION_GREATER_THAN_57610_ 100 typedef CF_OPTIONS(uint32_t, SecKeyUsage) { 101 kSecKeyUsageAll = 0x7FFFFFFF 102 }; 103 # endif /* !_SECURITY_VERSION_GREATER_THAN_57610_ */ 104 extern const void * kSecCSRChallengePassword; 105 extern const void * kSecSubjectAltName; 106 extern const void * kSecCertificateKeyUsage; 107 extern const void * kSecCSRBasicContraintsPathLen; 108 extern const void * kSecCertificateExtensions; 109 extern const void * kSecCertificateExtensionsEncoded; 110 extern const void * kSecOidCommonName; 111 extern const void * kSecOidCountryName; 112 extern const void * kSecOidStateProvinceName; 113 extern const void * kSecOidLocalityName; 114 extern const void * kSecOidOrganization; 115 extern const void * kSecOidOrganizationalUnit; 116 extern SecCertificateRef SecCertificateCreateWithBytes(CFAllocatorRef allocator, const UInt8 *bytes, CFIndex length); 117 extern bool SecCertificateIsValid(SecCertificateRef certificate, CFAbsoluteTime verifyTime); 118 extern CFAbsoluteTime SecCertificateNotValidAfter(SecCertificateRef certificate); 119 extern SecCertificateRef SecGenerateSelfSignedCertificate(CFArrayRef subject, CFDictionaryRef parameters, SecKeyRef publicKey, SecKeyRef privateKey); 120 extern SecIdentityRef SecIdentityCreate(CFAllocatorRef allocator, SecCertificateRef certificate, SecKeyRef privateKey); 121 # ifdef __cplusplus 122 } 123 # endif /* __cplusplus */ 124 # endif /* HAVE_SECCERTIFICATEPRIV_H */ 125 # ifdef HAVE_SECITEMPRIV_H 126 # include <Security/SecItemPriv.h> 127 # endif /* HAVE_SECITEMPRIV_H */ 128 # ifdef HAVE_SECIDENTITYSEARCHPRIV_H 129 # include <Security/SecIdentitySearchPriv.h> 130 # endif /* HAVE_SECIDENTITYSEARCHPRIV_H */ 131 # ifdef HAVE_SECPOLICYPRIV_H 132 # include <Security/SecPolicyPriv.h> 133 # endif /* HAVE_SECPOLICYPRIV_H */ 134 # elif defined(HAVE_SSPISSL) 135 # include <wincrypt.h> 136 # include <wintrust.h> 137 # include <schannel.h> 138 # define SECURITY_WIN32 139 # include <security.h> 140 # include <sspi.h> 141 # endif /* HAVE_GNUTLS */ 142 143 # ifndef _WIN32 144 # include <net/if.h> 145 # include <resolv.h> 146 # ifdef HAVE_GETIFADDRS 147 # include <ifaddrs.h> 148 # else 149 # include <sys/ioctl.h> 150 # ifdef HAVE_SYS_SOCKIO_H 151 # include <sys/sockio.h> 152 # endif /* HAVE_SYS_SOCKIO_H */ 153 # endif /* HAVE_GETIFADDRS */ 154 # endif /* !_WIN32 */ 155 156 157 /* 158 * C++ magic... 159 */ 160 161 # ifdef __cplusplus 162 extern "C" { 163 # endif /* __cplusplus */ 164 165 166 /* 167 * Constants... 168 */ 169 170 # define _HTTP_MAX_SBUFFER 65536 /* Size of (de)compression buffer */ 171 # define _HTTP_RESOLVE_DEFAULT 0 /* Just resolve with default options */ 172 # define _HTTP_RESOLVE_STDERR 1 /* Log resolve progress to stderr */ 173 # define _HTTP_RESOLVE_FQDN 2 /* Resolve to a FQDN */ 174 # define _HTTP_RESOLVE_FAXOUT 4 /* Resolve FaxOut service? */ 175 176 # define _HTTP_TLS_NONE 0 /* No TLS options */ 177 # define _HTTP_TLS_ALLOW_RC4 1 /* Allow RC4 cipher suites */ 178 # define _HTTP_TLS_ALLOW_DH 2 /* Allow DH/DHE key negotiation */ 179 # define _HTTP_TLS_DENY_CBC 4 /* Deny CBC cipher suites */ 180 # define _HTTP_TLS_SET_DEFAULT 128 /* Setting the default TLS options */ 181 182 # define _HTTP_TLS_SSL3 0 /* Min/max version is SSL/3.0 */ 183 # define _HTTP_TLS_1_0 1 /* Min/max version is TLS/1.0 */ 184 # define _HTTP_TLS_1_1 2 /* Min/max version is TLS/1.1 */ 185 # define _HTTP_TLS_1_2 3 /* Min/max version is TLS/1.2 */ 186 # define _HTTP_TLS_1_3 4 /* Min/max version is TLS/1.3 */ 187 # define _HTTP_TLS_MAX 5 /* Highest known TLS version */ 188 189 190 /* 191 * Types and functions for SSL support... 192 */ 193 194 # ifdef HAVE_GNUTLS 195 /* 196 * The GNU TLS library is more of a "bare metal" SSL/TLS library... 197 */ 198 199 typedef gnutls_session_t http_tls_t; 200 typedef gnutls_certificate_credentials_t *http_tls_credentials_t; 201 202 # elif defined(HAVE_CDSASSL) 203 /* 204 * Darwin's Security framework provides its own SSL/TLS context structure 205 * for its IO and protocol management... 206 */ 207 208 # if !defined(HAVE_SECBASEPRIV_H) && defined(HAVE_CSSMERRORSTRING) /* Declare prototype for function in that header... */ 209 extern const char *cssmErrorString(int error); 210 # endif /* !HAVE_SECBASEPRIV_H && HAVE_CSSMERRORSTRING */ 211 # if !defined(HAVE_SECIDENTITYSEARCHPRIV_H) && defined(HAVE_SECIDENTITYSEARCHCREATEWITHPOLICY) /* Declare prototype for function in that header... */ 212 extern OSStatus SecIdentitySearchCreateWithPolicy(SecPolicyRef policy, 213 CFStringRef idString, CSSM_KEYUSE keyUsage, 214 CFTypeRef keychainOrArray, 215 Boolean returnOnlyValidIdentities, 216 SecIdentitySearchRef* searchRef); 217 # endif /* !HAVE_SECIDENTITYSEARCHPRIV_H && HAVE_SECIDENTITYSEARCHCREATEWITHPOLICY */ 218 # if !defined(HAVE_SECPOLICYPRIV_H) && defined(HAVE_SECPOLICYSETVALUE) /* Declare prototype for function in that header... */ 219 extern OSStatus SecPolicySetValue(SecPolicyRef policyRef, 220 const CSSM_DATA *value); 221 # endif /* !HAVE_SECPOLICYPRIV_H && HAVE_SECPOLICYSETVALUE */ 222 223 typedef SSLContextRef http_tls_t; 224 typedef CFArrayRef http_tls_credentials_t; 225 226 # elif defined(HAVE_SSPISSL) 227 /* 228 * Windows' SSPI library gets a CUPS wrapper... 229 */ 230 231 typedef struct _http_sspi_s /**** SSPI/SSL data structure ****/ 232 { 233 CredHandle creds; /* Credentials */ 234 CtxtHandle context; /* SSL context */ 235 BOOL contextInitialized; /* Is context init'd? */ 236 SecPkgContext_StreamSizes streamSizes;/* SSL data stream sizes */ 237 BYTE *decryptBuffer; /* Data pre-decryption*/ 238 size_t decryptBufferLength; /* Length of decrypt buffer */ 239 size_t decryptBufferUsed; /* Bytes used in buffer */ 240 BYTE *readBuffer; /* Data post-decryption */ 241 int readBufferLength; /* Length of read buffer */ 242 int readBufferUsed; /* Bytes used in buffer */ 243 BYTE *writeBuffer; /* Data pre-encryption */ 244 int writeBufferLength; /* Length of write buffer */ 245 PCCERT_CONTEXT localCert, /* Local certificate */ 246 remoteCert; /* Remote (peer's) certificate */ 247 char error[256]; /* Most recent error message */ 248 } _http_sspi_t; 249 typedef _http_sspi_t *http_tls_t; 250 typedef PCCERT_CONTEXT http_tls_credentials_t; 251 252 # else 253 /* 254 * Otherwise define stub types since we have no SSL support... 255 */ 256 257 typedef void *http_tls_t; 258 typedef void *http_tls_credentials_t; 259 # endif /* HAVE_GNUTLS */ 260 261 typedef enum _http_coding_e /**** HTTP content coding enumeration ****/ 262 { 263 _HTTP_CODING_IDENTITY, /* No content coding */ 264 _HTTP_CODING_GZIP, /* LZ77+gzip decompression */ 265 _HTTP_CODING_DEFLATE, /* LZ77+zlib compression */ 266 _HTTP_CODING_GUNZIP, /* LZ77+gzip decompression */ 267 _HTTP_CODING_INFLATE /* LZ77+zlib decompression */ 268 } _http_coding_t; 269 270 typedef enum _http_mode_e /**** HTTP mode enumeration ****/ 271 { 272 _HTTP_MODE_CLIENT, /* Client connected to server */ 273 _HTTP_MODE_SERVER /* Server connected (accepted) from client */ 274 } _http_mode_t; 275 276 # ifndef _HTTP_NO_PRIVATE 277 struct _http_s /**** HTTP connection structure ****/ 278 { 279 int fd; /* File descriptor for this socket */ 280 int blocking; /* To block or not to block */ 281 int error; /* Last error on read */ 282 time_t activity; /* Time since last read/write */ 283 http_state_t state; /* State of client */ 284 http_status_t status; /* Status of last request */ 285 http_version_t version; /* Protocol version */ 286 http_keepalive_t keep_alive; /* Keep-alive supported? */ 287 struct sockaddr_in _hostaddr; /* Address of connected host (deprecated) */ 288 char hostname[HTTP_MAX_HOST], 289 /* Name of connected host */ 290 fields[HTTP_FIELD_ACCEPT_ENCODING][HTTP_MAX_VALUE]; 291 /* Field values up to Accept-Encoding */ 292 char *data; /* Pointer to data buffer */ 293 http_encoding_t data_encoding; /* Chunked or not */ 294 int _data_remaining;/* Number of bytes left (deprecated) */ 295 int used; /* Number of bytes used in buffer */ 296 char buffer[HTTP_MAX_BUFFER]; 297 /* Buffer for incoming data */ 298 int _auth_type; /* Authentication in use (deprecated) */ 299 unsigned char _md5_state[88]; /* MD5 state (deprecated) */ 300 char nonce[HTTP_MAX_VALUE]; 301 /* Nonce value */ 302 unsigned nonce_count; /* Nonce count */ 303 http_tls_t tls; /* TLS state information */ 304 http_encryption_t encryption; /* Encryption requirements */ 305 306 /**** New in CUPS 1.1.19 ****/ 307 fd_set *input_set; /* select() set for httpWait() (deprecated) */ 308 http_status_t expect; /* Expect: header */ 309 char *cookie; /* Cookie value(s) */ 310 311 /**** New in CUPS 1.1.20 ****/ 312 char _authstring[HTTP_MAX_VALUE], 313 /* Current Authorization value (deprecated) */ 314 userpass[HTTP_MAX_VALUE]; 315 /* Username:password string */ 316 int digest_tries; /* Number of tries for digest auth */ 317 318 /**** New in CUPS 1.2 ****/ 319 off_t data_remaining; /* Number of bytes left */ 320 http_addr_t *hostaddr; /* Current host address and port */ 321 http_addrlist_t *addrlist; /* List of valid addresses */ 322 char wbuffer[HTTP_MAX_BUFFER]; 323 /* Buffer for outgoing data */ 324 int wused; /* Write buffer bytes used */ 325 326 /**** New in CUPS 1.3 ****/ 327 char *field_authorization; 328 /* Authorization field */ 329 char *authstring; /* Current Authorization field */ 330 # ifdef HAVE_GSSAPI 331 gss_OID gssmech; /* Authentication mechanism */ 332 gss_ctx_id_t gssctx; /* Authentication context */ 333 gss_name_t gssname; /* Authentication server name */ 334 # endif /* HAVE_GSSAPI */ 335 # ifdef HAVE_AUTHORIZATION_H 336 AuthorizationRef auth_ref; /* Authorization ref */ 337 # endif /* HAVE_AUTHORIZATION_H */ 338 339 /**** New in CUPS 1.5 ****/ 340 http_tls_credentials_t tls_credentials; 341 /* TLS credentials */ 342 http_timeout_cb_t timeout_cb; /* Timeout callback */ 343 void *timeout_data; /* User data pointer */ 344 double timeout_value; /* Timeout in seconds */ 345 int wait_value; /* httpWait value for timeout */ 346 # ifdef HAVE_GSSAPI 347 char gsshost[256]; /* Hostname for Kerberos */ 348 # endif /* HAVE_GSSAPI */ 349 350 /**** New in CUPS 1.7 ****/ 351 int tls_upgrade; /* Non-zero if we are doing an upgrade */ 352 _http_mode_t mode; /* _HTTP_MODE_CLIENT or _HTTP_MODE_SERVER */ 353 char *accept_encoding, 354 /* Accept-Encoding field */ 355 *allow, /* Allow field */ 356 *server, /* Server field */ 357 *default_accept_encoding, 358 *default_server, 359 *default_user_agent; 360 /* Default field values */ 361 # ifdef HAVE_LIBZ 362 _http_coding_t coding; /* _HTTP_CODING_xxx */ 363 void *stream; /* (De)compression stream */ 364 unsigned char *sbuffer; /* (De)compression buffer */ 365 # endif /* HAVE_LIBZ */ 366 367 /**** New in CUPS 2.2.9 ****/ 368 char *authentication_info, 369 /* Authentication-Info header */ 370 algorithm[65], /* Algorithm from WWW-Authenticate */ 371 nextnonce[HTTP_MAX_VALUE], 372 /* Next nonce value from Authentication-Info */ 373 opaque[HTTP_MAX_VALUE], 374 /* Opaque value from WWW-Authenticate */ 375 realm[HTTP_MAX_VALUE]; 376 /* Realm from WWW-Authenticate */ 377 }; 378 # endif /* !_HTTP_NO_PRIVATE */ 379 380 381 /* 382 * Some OS's don't have hstrerror(), most notably Solaris... 383 */ 384 385 # ifndef HAVE_HSTRERROR 386 extern const char *_cups_hstrerror(int error); 387 # define hstrerror _cups_hstrerror 388 # endif /* !HAVE_HSTRERROR */ 389 390 391 /* 392 * Some OS's don't have getifaddrs() and freeifaddrs()... 393 */ 394 395 # if !defined(_WIN32) && !defined(HAVE_GETIFADDRS) 396 # ifdef ifa_dstaddr 397 # undef ifa_dstaddr 398 # endif /* ifa_dstaddr */ 399 # ifndef ifr_netmask 400 # define ifr_netmask ifr_addr 401 # endif /* !ifr_netmask */ 402 403 struct ifaddrs /**** Interface Structure ****/ 404 { 405 struct ifaddrs *ifa_next; /* Next interface in list */ 406 char *ifa_name; /* Name of interface */ 407 unsigned int ifa_flags; /* Flags (up, point-to-point, etc.) */ 408 struct sockaddr *ifa_addr, /* Network address */ 409 *ifa_netmask; /* Address mask */ 410 union 411 { 412 struct sockaddr *ifu_broadaddr; /* Broadcast address of this interface. */ 413 struct sockaddr *ifu_dstaddr; /* Point-to-point destination address. */ 414 } ifa_ifu; 415 416 void *ifa_data; /* Interface statistics */ 417 }; 418 419 # ifndef ifa_broadaddr 420 # define ifa_broadaddr ifa_ifu.ifu_broadaddr 421 # endif /* !ifa_broadaddr */ 422 # ifndef ifa_dstaddr 423 # define ifa_dstaddr ifa_ifu.ifu_dstaddr 424 # endif /* !ifa_dstaddr */ 425 426 extern int _cups_getifaddrs(struct ifaddrs **addrs); 427 # define getifaddrs _cups_getifaddrs 428 extern void _cups_freeifaddrs(struct ifaddrs *addrs); 429 # define freeifaddrs _cups_freeifaddrs 430 # endif /* !_WIN32 && !HAVE_GETIFADDRS */ 431 432 433 /* 434 * Prototypes... 435 */ 436 437 extern void _httpAddrSetPort(http_addr_t *addr, int port); 438 extern http_tls_credentials_t 439 _httpCreateCredentials(cups_array_t *credentials); 440 extern char *_httpDecodeURI(char *dst, const char *src, 441 size_t dstsize); 442 extern void _httpDisconnect(http_t *http); 443 extern char *_httpEncodeURI(char *dst, const char *src, 444 size_t dstsize); 445 extern void _httpFreeCredentials(http_tls_credentials_t credentials); 446 extern const char *_httpResolveURI(const char *uri, char *resolved_uri, 447 size_t resolved_size, int options, 448 int (*cb)(void *context), 449 void *context); 450 extern int _httpSetDigestAuthString(http_t *http, const char *nonce, const char *method, const char *resource); 451 extern const char *_httpStatus(cups_lang_t *lang, http_status_t status); 452 extern void _httpTLSInitialize(void); 453 extern size_t _httpTLSPending(http_t *http); 454 extern int _httpTLSRead(http_t *http, char *buf, int len); 455 extern int _httpTLSSetCredentials(http_t *http); 456 extern void _httpTLSSetOptions(int options, int min_version, int max_version); 457 extern int _httpTLSStart(http_t *http); 458 extern void _httpTLSStop(http_t *http); 459 extern int _httpTLSWrite(http_t *http, const char *buf, int len); 460 extern int _httpUpdate(http_t *http, http_status_t *status); 461 extern int _httpWait(http_t *http, int msec, int usessl); 462 463 464 /* 465 * C++ magic... 466 */ 467 468 # ifdef __cplusplus 469 } 470 # endif /* __cplusplus */ 471 472 #endif /* !_CUPS_HTTP_PRIVATE_H_ */ 473