1/* 2 * Private HTTP definitions for CUPS. 3 * 4 * Copyright 2007-2017 by Apple Inc. 5 * Copyright 1997-2007 by Easy Software Products, all rights reserved. 6 * 7 * These coded instructions, statements, and computer programs are the 8 * property of Apple Inc. and are protected by Federal copyright 9 * law. Distribution and use rights are outlined in the file "LICENSE.txt" 10 * which should have been included with this file. If this file is 11 * missing or damaged, see the license at "http://www.cups.org/". 12 * 13 * This file is subject to the Apple OS-Developed Software exception. 14 */ 15 16#ifndef _CUPS_HTTP_PRIVATE_H_ 17# define _CUPS_HTTP_PRIVATE_H_ 18 19/* 20 * Include necessary headers... 21 */ 22 23# include "config.h" 24# include <cups/language.h> 25# include <stddef.h> 26# include <stdlib.h> 27 28# ifdef __sun 29# include <sys/select.h> 30# endif /* __sun */ 31 32# include <limits.h> 33# ifdef WIN32 34# include <io.h> 35# include <winsock2.h> 36# define CUPS_SOCAST (const char *) 37# else 38# include <unistd.h> 39# include <fcntl.h> 40# include <sys/socket.h> 41# define CUPS_SOCAST 42# endif /* WIN32 */ 43 44# ifdef HAVE_GSSAPI 45# ifdef HAVE_GSS_GSSAPI_H 46# include <GSS/gssapi.h> 47# elif defined(HAVE_GSSAPI_GSSAPI_H) 48# include <gssapi/gssapi.h> 49# elif defined(HAVE_GSSAPI_H) 50# include <gssapi.h> 51# endif /* HAVE_GSS_GSSAPI_H */ 52# ifndef HAVE_GSS_C_NT_HOSTBASED_SERVICE 53# define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name 54# endif /* !HAVE_GSS_C_NT_HOSTBASED_SERVICE */ 55# endif /* HAVE_GSSAPI */ 56 57# ifdef HAVE_AUTHORIZATION_H 58# include <Security/Authorization.h> 59# endif /* HAVE_AUTHORIZATION_H */ 60 61# if defined(__APPLE__) && !defined(_SOCKLEN_T) 62/* 63 * macOS 10.2.x does not define socklen_t, and in fact uses an int instead of 64 * unsigned type for length values... 65 */ 66 67typedef int socklen_t; 68# endif /* __APPLE__ && !_SOCKLEN_T */ 69 70# include <cups/http.h> 71# include "md5-private.h" 72# include "ipp-private.h" 73 74# ifdef HAVE_GNUTLS 75# include <gnutls/gnutls.h> 76# include <gnutls/x509.h> 77# elif defined(HAVE_CDSASSL) 78# include <CoreFoundation/CoreFoundation.h> 79# include <Security/Security.h> 80# include <Security/SecureTransport.h> 81# ifdef HAVE_SECURETRANSPORTPRIV_H 82# include <Security/SecureTransportPriv.h> 83# endif /* HAVE_SECURETRANSPORTPRIV_H */ 84# ifdef HAVE_SECITEM_H 85# include <Security/SecItem.h> 86# endif /* HAVE_SECITEM_H */ 87# ifdef HAVE_SECBASEPRIV_H 88# include <Security/SecBasePriv.h> 89# endif /* HAVE_SECBASEPRIV_H */ 90# ifdef HAVE_SECCERTIFICATE_H 91# include <Security/SecCertificate.h> 92# include <Security/SecIdentity.h> 93# endif /* HAVE_SECCERTIFICATE_H */ 94# ifdef HAVE_SECCERTIFICATEPRIV_H 95# include <Security/SecCertificatePriv.h> 96# else 97# ifdef __cplusplus 98extern "C" { 99# endif /* __cplusplus */ 100# ifndef _SECURITY_VERSION_GREATER_THAN_57610_ 101typedef CF_OPTIONS(uint32_t, SecKeyUsage) { 102 kSecKeyUsageAll = 0x7FFFFFFF 103}; 104# endif /* !_SECURITY_VERSION_GREATER_THAN_57610_ */ 105extern const void * kSecCSRChallengePassword; 106extern const void * kSecSubjectAltName; 107extern const void * kSecCertificateKeyUsage; 108extern const void * kSecCSRBasicContraintsPathLen; 109extern const void * kSecCertificateExtensions; 110extern const void * kSecCertificateExtensionsEncoded; 111extern const void * kSecOidCommonName; 112extern const void * kSecOidCountryName; 113extern const void * kSecOidStateProvinceName; 114extern const void * kSecOidLocalityName; 115extern const void * kSecOidOrganization; 116extern const void * kSecOidOrganizationalUnit; 117extern SecCertificateRef SecCertificateCreateWithBytes(CFAllocatorRef allocator, const UInt8 *bytes, CFIndex length); 118extern bool SecCertificateIsValid(SecCertificateRef certificate, CFAbsoluteTime verifyTime); 119extern CFAbsoluteTime SecCertificateNotValidAfter(SecCertificateRef certificate); 120extern SecCertificateRef SecGenerateSelfSignedCertificate(CFArrayRef subject, CFDictionaryRef parameters, SecKeyRef publicKey, SecKeyRef privateKey); 121extern SecIdentityRef SecIdentityCreate(CFAllocatorRef allocator, SecCertificateRef certificate, SecKeyRef privateKey); 122# ifdef __cplusplus 123} 124# endif /* __cplusplus */ 125# endif /* HAVE_SECCERTIFICATEPRIV_H */ 126# ifdef HAVE_SECITEMPRIV_H 127# include <Security/SecItemPriv.h> 128# endif /* HAVE_SECITEMPRIV_H */ 129# ifdef HAVE_SECIDENTITYSEARCHPRIV_H 130# include <Security/SecIdentitySearchPriv.h> 131# endif /* HAVE_SECIDENTITYSEARCHPRIV_H */ 132# ifdef HAVE_SECPOLICYPRIV_H 133# include <Security/SecPolicyPriv.h> 134# endif /* HAVE_SECPOLICYPRIV_H */ 135# elif defined(HAVE_SSPISSL) 136# include <wincrypt.h> 137# include <wintrust.h> 138# include <schannel.h> 139# define SECURITY_WIN32 140# include <security.h> 141# include <sspi.h> 142# endif /* HAVE_GNUTLS */ 143 144# ifndef WIN32 145# include <net/if.h> 146# include <resolv.h> 147# ifdef HAVE_GETIFADDRS 148# include <ifaddrs.h> 149# else 150# include <sys/ioctl.h> 151# ifdef HAVE_SYS_SOCKIO_H 152# include <sys/sockio.h> 153# endif /* HAVE_SYS_SOCKIO_H */ 154# endif /* HAVE_GETIFADDRS */ 155# endif /* !WIN32 */ 156 157# ifdef HAVE_LIBZ 158# include <zlib.h> 159# endif /* HAVE_LIBZ */ 160 161 162/* 163 * C++ magic... 164 */ 165 166# ifdef __cplusplus 167extern "C" { 168# endif /* __cplusplus */ 169 170 171/* 172 * Constants... 173 */ 174 175# define _HTTP_MAX_SBUFFER 65536 /* Size of (de)compression buffer */ 176# define _HTTP_RESOLVE_DEFAULT 0 /* Just resolve with default options */ 177# define _HTTP_RESOLVE_STDERR 1 /* Log resolve progress to stderr */ 178# define _HTTP_RESOLVE_FQDN 2 /* Resolve to a FQDN */ 179# define _HTTP_RESOLVE_FAXOUT 4 /* Resolve FaxOut service? */ 180 181# define _HTTP_TLS_NONE 0 /* No TLS options */ 182# define _HTTP_TLS_ALLOW_RC4 1 /* Allow RC4 cipher suites */ 183# define _HTTP_TLS_ALLOW_SSL3 2 /* Allow SSL 3.0 */ 184# define _HTTP_TLS_ALLOW_DH 4 /* Allow DH/DHE key negotiation */ 185# define _HTTP_TLS_DENY_TLS10 16 /* Deny TLS 1.0 */ 186# define _HTTP_TLS_DENY_CBC 32 /* Deny CBC cipher suites */ 187# define _HTTP_TLS_ONLY_TLS10 64 /* Only use TLS 1.0 */ 188# define _HTTP_TLS_SET_DEFAULT 128 /* Setting the default TLS options */ 189 190 191/* 192 * Types and functions for SSL support... 193 */ 194 195# ifdef HAVE_GNUTLS 196/* 197 * The GNU TLS library is more of a "bare metal" SSL/TLS library... 198 */ 199 200typedef gnutls_session_t http_tls_t; 201typedef gnutls_certificate_credentials_t *http_tls_credentials_t; 202 203# elif defined(HAVE_CDSASSL) 204/* 205 * Darwin's Security framework provides its own SSL/TLS context structure 206 * for its IO and protocol management... 207 */ 208 209# if !defined(HAVE_SECBASEPRIV_H) && defined(HAVE_CSSMERRORSTRING) /* Declare prototype for function in that header... */ 210extern const char *cssmErrorString(int error); 211# endif /* !HAVE_SECBASEPRIV_H && HAVE_CSSMERRORSTRING */ 212# if !defined(HAVE_SECIDENTITYSEARCHPRIV_H) && defined(HAVE_SECIDENTITYSEARCHCREATEWITHPOLICY) /* Declare prototype for function in that header... */ 213extern OSStatus SecIdentitySearchCreateWithPolicy(SecPolicyRef policy, 214 CFStringRef idString, CSSM_KEYUSE keyUsage, 215 CFTypeRef keychainOrArray, 216 Boolean returnOnlyValidIdentities, 217 SecIdentitySearchRef* searchRef); 218# endif /* !HAVE_SECIDENTITYSEARCHPRIV_H && HAVE_SECIDENTITYSEARCHCREATEWITHPOLICY */ 219# if !defined(HAVE_SECPOLICYPRIV_H) && defined(HAVE_SECPOLICYSETVALUE) /* Declare prototype for function in that header... */ 220extern OSStatus SecPolicySetValue(SecPolicyRef policyRef, 221 const CSSM_DATA *value); 222# endif /* !HAVE_SECPOLICYPRIV_H && HAVE_SECPOLICYSETVALUE */ 223 224typedef SSLContextRef http_tls_t; 225typedef CFArrayRef http_tls_credentials_t; 226 227# elif defined(HAVE_SSPISSL) 228/* 229 * Windows' SSPI library gets a CUPS wrapper... 230 */ 231 232typedef struct _http_sspi_s /**** SSPI/SSL data structure ****/ 233{ 234 CredHandle creds; /* Credentials */ 235 CtxtHandle context; /* SSL context */ 236 BOOL contextInitialized; /* Is context init'd? */ 237 SecPkgContext_StreamSizes streamSizes;/* SSL data stream sizes */ 238 BYTE *decryptBuffer; /* Data pre-decryption*/ 239 size_t decryptBufferLength; /* Length of decrypt buffer */ 240 size_t decryptBufferUsed; /* Bytes used in buffer */ 241 BYTE *readBuffer; /* Data post-decryption */ 242 int readBufferLength; /* Length of read buffer */ 243 int readBufferUsed; /* Bytes used in buffer */ 244 BYTE *writeBuffer; /* Data pre-encryption */ 245 int writeBufferLength; /* Length of write buffer */ 246 PCCERT_CONTEXT localCert, /* Local certificate */ 247 remoteCert; /* Remote (peer's) certificate */ 248 char error[256]; /* Most recent error message */ 249} _http_sspi_t; 250typedef _http_sspi_t *http_tls_t; 251typedef PCCERT_CONTEXT http_tls_credentials_t; 252 253# else 254/* 255 * Otherwise define stub types since we have no SSL support... 256 */ 257 258typedef void *http_tls_t; 259typedef void *http_tls_credentials_t; 260# endif /* HAVE_GNUTLS */ 261 262typedef enum _http_coding_e /**** HTTP content coding enumeration ****/ 263{ 264 _HTTP_CODING_IDENTITY, /* No content coding */ 265 _HTTP_CODING_GZIP, /* LZ77+gzip decompression */ 266 _HTTP_CODING_DEFLATE, /* LZ77+zlib compression */ 267 _HTTP_CODING_GUNZIP, /* LZ77+gzip decompression */ 268 _HTTP_CODING_INFLATE /* LZ77+zlib decompression */ 269} _http_coding_t; 270 271typedef enum _http_mode_e /**** HTTP mode enumeration ****/ 272{ 273 _HTTP_MODE_CLIENT, /* Client connected to server */ 274 _HTTP_MODE_SERVER /* Server connected (accepted) from client */ 275} _http_mode_t; 276 277# ifndef _HTTP_NO_PRIVATE 278struct _http_s /**** HTTP connection structure ****/ 279{ 280 int fd; /* File descriptor for this socket */ 281 int blocking; /* To block or not to block */ 282 int error; /* Last error on read */ 283 time_t activity; /* Time since last read/write */ 284 http_state_t state; /* State of client */ 285 http_status_t status; /* Status of last request */ 286 http_version_t version; /* Protocol version */ 287 http_keepalive_t keep_alive; /* Keep-alive supported? */ 288 struct sockaddr_in _hostaddr; /* Address of connected host (deprecated) */ 289 char hostname[HTTP_MAX_HOST], 290 /* Name of connected host */ 291 fields[HTTP_FIELD_ACCEPT_ENCODING][HTTP_MAX_VALUE]; 292 /* Field values up to Accept-Encoding */ 293 char *data; /* Pointer to data buffer */ 294 http_encoding_t data_encoding; /* Chunked or not */ 295 int _data_remaining;/* Number of bytes left (deprecated) */ 296 int used; /* Number of bytes used in buffer */ 297 char buffer[HTTP_MAX_BUFFER]; 298 /* Buffer for incoming data */ 299 int _auth_type; /* Authentication in use (deprecated) */ 300 _cups_md5_state_t md5_state; /* MD5 state */ 301 char nonce[HTTP_MAX_VALUE]; 302 /* Nonce value */ 303 int nonce_count; /* Nonce count */ 304 http_tls_t tls; /* TLS state information */ 305 http_encryption_t encryption; /* Encryption requirements */ 306 307 /**** New in CUPS 1.1.19 ****/ 308 fd_set *input_set; /* select() set for httpWait() (deprecated) */ 309 http_status_t expect; /* Expect: header */ 310 char *cookie; /* Cookie value(s) */ 311 312 /**** New in CUPS 1.1.20 ****/ 313 char _authstring[HTTP_MAX_VALUE], 314 /* Current Authorization value (deprecated) */ 315 userpass[HTTP_MAX_VALUE]; 316 /* Username:password string */ 317 int digest_tries; /* Number of tries for digest auth */ 318 319 /**** New in CUPS 1.2 ****/ 320 off_t data_remaining; /* Number of bytes left */ 321 http_addr_t *hostaddr; /* Current host address and port */ 322 http_addrlist_t *addrlist; /* List of valid addresses */ 323 char wbuffer[HTTP_MAX_BUFFER]; 324 /* Buffer for outgoing data */ 325 int wused; /* Write buffer bytes used */ 326 327 /**** New in CUPS 1.3 ****/ 328 char *field_authorization; 329 /* Authorization field */ 330 char *authstring; /* Current Authorization field */ 331# ifdef HAVE_GSSAPI 332 gss_OID gssmech; /* Authentication mechanism */ 333 gss_ctx_id_t gssctx; /* Authentication context */ 334 gss_name_t gssname; /* Authentication server name */ 335# endif /* HAVE_GSSAPI */ 336# ifdef HAVE_AUTHORIZATION_H 337 AuthorizationRef auth_ref; /* Authorization ref */ 338# endif /* HAVE_AUTHORIZATION_H */ 339 340 /**** New in CUPS 1.5 ****/ 341 http_tls_credentials_t tls_credentials; 342 /* TLS credentials */ 343 http_timeout_cb_t timeout_cb; /* Timeout callback */ 344 void *timeout_data; /* User data pointer */ 345 double timeout_value; /* Timeout in seconds */ 346 int wait_value; /* httpWait value for timeout */ 347# ifdef HAVE_GSSAPI 348 char gsshost[256]; /* Hostname for Kerberos */ 349# endif /* HAVE_GSSAPI */ 350 351 /**** New in CUPS 1.7 ****/ 352 int tls_upgrade; /* Non-zero if we are doing an upgrade */ 353 _http_mode_t mode; /* _HTTP_MODE_CLIENT or _HTTP_MODE_SERVER */ 354 char *accept_encoding, 355 /* Accept-Encoding field */ 356 *allow, /* Allow field */ 357 *server, /* Server field */ 358 *default_accept_encoding, 359 *default_server, 360 *default_user_agent; 361 /* Default field values */ 362# ifdef HAVE_LIBZ 363 _http_coding_t coding; /* _HTTP_CODING_xxx */ 364 z_stream stream; /* (De)compression stream */ 365 Bytef *sbuffer; /* (De)compression buffer */ 366# endif /* HAVE_LIBZ */ 367}; 368# endif /* !_HTTP_NO_PRIVATE */ 369 370 371/* 372 * Some OS's don't have hstrerror(), most notably Solaris... 373 */ 374 375# ifndef HAVE_HSTRERROR 376extern const char *_cups_hstrerror(int error); 377# define hstrerror _cups_hstrerror 378# endif /* !HAVE_HSTRERROR */ 379 380 381/* 382 * Some OS's don't have getifaddrs() and freeifaddrs()... 383 */ 384 385# if !defined(WIN32) && !defined(HAVE_GETIFADDRS) 386# ifdef ifa_dstaddr 387# undef ifa_dstaddr 388# endif /* ifa_dstaddr */ 389# ifndef ifr_netmask 390# define ifr_netmask ifr_addr 391# endif /* !ifr_netmask */ 392 393struct ifaddrs /**** Interface Structure ****/ 394{ 395 struct ifaddrs *ifa_next; /* Next interface in list */ 396 char *ifa_name; /* Name of interface */ 397 unsigned int ifa_flags; /* Flags (up, point-to-point, etc.) */ 398 struct sockaddr *ifa_addr, /* Network address */ 399 *ifa_netmask; /* Address mask */ 400 union 401 { 402 struct sockaddr *ifu_broadaddr; /* Broadcast address of this interface. */ 403 struct sockaddr *ifu_dstaddr; /* Point-to-point destination address. */ 404 } ifa_ifu; 405 406 void *ifa_data; /* Interface statistics */ 407}; 408 409# ifndef ifa_broadaddr 410# define ifa_broadaddr ifa_ifu.ifu_broadaddr 411# endif /* !ifa_broadaddr */ 412# ifndef ifa_dstaddr 413# define ifa_dstaddr ifa_ifu.ifu_dstaddr 414# endif /* !ifa_dstaddr */ 415 416extern int _cups_getifaddrs(struct ifaddrs **addrs); 417# define getifaddrs _cups_getifaddrs 418extern void _cups_freeifaddrs(struct ifaddrs *addrs); 419# define freeifaddrs _cups_freeifaddrs 420# endif /* !WIN32 && !HAVE_GETIFADDRS */ 421 422 423/* 424 * Prototypes... 425 */ 426 427extern void _httpAddrSetPort(http_addr_t *addr, int port); 428extern http_tls_credentials_t 429 _httpCreateCredentials(cups_array_t *credentials); 430extern char *_httpDecodeURI(char *dst, const char *src, 431 size_t dstsize); 432extern void _httpDisconnect(http_t *http); 433extern char *_httpEncodeURI(char *dst, const char *src, 434 size_t dstsize); 435extern void _httpFreeCredentials(http_tls_credentials_t credentials); 436extern const char *_httpResolveURI(const char *uri, char *resolved_uri, 437 size_t resolved_size, int options, 438 int (*cb)(void *context), 439 void *context); 440extern const char *_httpStatus(cups_lang_t *lang, http_status_t status); 441extern void _httpTLSInitialize(void); 442extern size_t _httpTLSPending(http_t *http); 443extern int _httpTLSRead(http_t *http, char *buf, int len); 444extern int _httpTLSSetCredentials(http_t *http); 445extern void _httpTLSSetOptions(int options); 446extern int _httpTLSStart(http_t *http); 447extern void _httpTLSStop(http_t *http); 448extern int _httpTLSWrite(http_t *http, const char *buf, int len); 449extern int _httpUpdate(http_t *http, http_status_t *status); 450extern int _httpWait(http_t *http, int msec, int usessl); 451 452 453/* 454 * C++ magic... 455 */ 456 457# ifdef __cplusplus 458} 459# endif /* __cplusplus */ 460 461#endif /* !_CUPS_HTTP_PRIVATE_H_ */ 462