
From 6e974208d20312e6c382dfbdf2b9523c06caa00b Mon Sep 17 00:00:00 2001
From: Michael R Sweet <michael.r.sweet@gmail.com>
Date: Wed, 11 Apr 2018 13:10:24 -0400
Subject: [PATCH 1/5] Fix a parsing bug in the new authentication code.

(cherry picked from commit 44cb0dd233921557c0db586072b2bcb46ca8a16f)
---
 cups/auth.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/cups/auth.c b/cups/auth.c
index 4c38c9b..effbd15 100644
--- a/cups/auth.c
+++ b/cups/auth.c
@@ -218,7 +218,7 @@ cupsDoAuthentication(
       if (!cg->lang_default)
 	cg->lang_default = cupsLangDefault();
 
-      if (cups_auth_param(scheme, "username", default_username, sizeof(default_username)))
+      if (cups_auth_param(schemedata, "username", default_username, sizeof(default_username)))
 	cupsSetUser(default_username);
 
       snprintf(prompt, sizeof(prompt), _cupsLangString(cg->lang_default, _("Password for %s on %s? ")), cupsUser(), http->hostname[0] == '/' ? "localhost" : http->hostname);
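Review bot: The corrected cups_auth_param() call deserves a comment saying why the lookup is done in schemedata rather than scheme, since the wrong argument compiled silently before: `/* "username" is a challenge parameter, so look it up in the parsed param="value" string, not the bare scheme name */`. Presumably schemedata holds the parameter part that cups_auth_scheme() splits off in the loop changed further down; confirm against that function. Note that the value comes from the server's WWW-Authenticate header and is handed straight to cupsSetUser(), so the default user is server-chosen; that is pre-existing behaviour, not introduced here. cupsDoAuthentication() begins and continues outside the hunk.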
@@ -801,7 +801,7 @@ cups_auth_scheme(const char *www_authenticate,	/* I - Pointer into WWW-Authentic
     * Parse the scheme name or param="value" string...
     */
 
-    for (sptr = scheme, start = www_authenticate, param = 0; *www_authenticate && !isspace(*www_authenticate & 255); www_authenticate ++)
+    for (sptr = scheme, start = www_authenticate, param = 0; *www_authenticate && *www_authenticate != ',' && !isspace(*www_authenticate & 255); www_authenticate ++)
     {
       if (*www_authenticate == '=')
         param = 1;
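Review bot: The loop now also stops at ',', but the store through sptr into scheme has no visible bound in this hunk; confirm that the body, which continues below the hunk, checks sptr against the end of scheme before writing, since the token length is controlled by the server's WWW-Authenticate header. A one-line comment on the for would help the next reader: `/* Stop at whitespace or ',' so a list such as "Negotiate, Basic" does not fold the comma into the scheme name */`. cups_auth_scheme() begins and ends outside the hunk.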
-- 
2.35.3


From a4d7d98908989a01bc47816ab4addb2b860dd1d8 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Mon, 26 Oct 2020 17:35:22 +0100
Subject: [PATCH 2/5] Avoid infinite loop in admin.cgi when negotiate is used

SetAuthorizationString with NULL argument sets an empty string.

Related: #5596

Signed-off-by: Samuel Cabrero <scabrero@suse.de>
---
 cups/auth.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cups/auth.c b/cups/auth.c
index effbd15..3785e6d 100644
--- a/cups/auth.c
+++ b/cups/auth.c
@@ -387,7 +387,7 @@ cupsDoAuthentication(
     }
   }
 
-  if (http->authstring)
+  if (http->authstring && http->authstring[0])
   {
     DEBUG_printf(("1cupsDoAuthentication: authstring=\"%s\"", http->authstring));
 
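Review bot: The new condition relies on a sentinel that only the commit message explains — an empty authstring means no credentials were produced — and a reader of the code cannot know that; add `/* An empty authstring means it was set with a NULL value (no credentials); only a non-empty one is worth sending */` above the if. Presumably this is what stops the CGI from resending an empty Authorization header and looping, as the subject describes. cupsDoAuthentication() continues outside the hunk.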
-- 
2.35.3


From ed932fd1805ad8c47be16f7245e8e0d99480b984 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Tue, 27 Oct 2020 16:11:41 +0100
Subject: [PATCH 3/5] Add cups_is_local_connection() to check if connection is
 to localhost

Related: #5596

Signed-off-by: Samuel Cabrero <scabrero@suse.de>
---
 cups/auth.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/cups/auth.c b/cups/auth.c
index 3785e6d..ca90f35 100644
--- a/cups/auth.c
+++ b/cups/auth.c
@@ -97,6 +97,7 @@ static void	cups_gss_printf(OM_uint32 major_status, OM_uint32 minor_status,
 #    define	cups_gss_printf(major, minor, message)
 #  endif /* DEBUG */
 #endif /* HAVE_GSSAPI */
+static int	cups_is_local_connection(http_t *http);
 static int	cups_local_auth(http_t *http);
 
 
@@ -1000,6 +1001,14 @@ cups_gss_printf(OM_uint32  major_status,/* I - Major status code */
 #  endif /* DEBUG */
 #endif /* HAVE_GSSAPI */
 
+static int				/* O - 0 if not a local connection */
+					/*     1  if local connection */
+cups_is_local_connection(http_t *http)	/* I - HTTP connection to server */
+{
+  if (!httpAddrLocalhost(http->hostaddr) && _cups_strcasecmp(http->hostname, "localhost") != 0)
+    return 0;
+  return 1;
+}
 
 /*
  * 'cups_local_auth()' - Get the local authorization certificate if
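Review bot: The new cups_is_local_connection() lacks the `'name()' - purpose` header comment that the other functions in this file carry (compare the cups_local_auth() header right below it), and its body can be a single expression. Suggested: precede it with `/* 'cups_is_local_connection()' - Return 1 if the connection is to localhost, 0 otherwise. */` and write the body as `return (httpAddrLocalhost(http->hostaddr) || !_cups_strcasecmp(http->hostname, "localhost"));`, which is equivalent to the two-statement form. The rest of the file appears to separate definitions with two blank lines, while the new function is followed by one. It dereferences http unconditionally, exactly as the inlined check it replaces did, so callers must still pass a non-NULL handle.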
@@ -1042,7 +1051,7 @@ cups_local_auth(http_t *http)		/* I - HTTP connection to server */
   * See if we are accessing localhost...
   */
 
-  if (!httpAddrLocalhost(http->hostaddr) && _cups_strcasecmp(http->hostname, "localhost") != 0)
+  if (!cups_is_local_connection(http))
   {
     DEBUG_puts("8cups_local_auth: Not a local connection!");
     return (1);
-- 
2.35.3


From e476e8bd5a8a7d69ed527579e87ab64c4bd5454f Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Tue, 27 Oct 2020 16:23:30 +0100
Subject: [PATCH 4/5] Try local kerberos ccache credentials only for remote
 servers

If connecting to localhost then proceed to ask the client for the
authorization using cupsGetPassword2. The get password callback will
return 401 to the client with WWW-Authenticate: Negotiate.

Fixes: #5596

Signed-off-by: Samuel Cabrero <scabrero@suse.de>
---
 cups/auth.c | 23 ++++++++++-------------
 1 file changed, 10 insertions(+), 13 deletions(-)

diff --git a/cups/auth.c b/cups/auth.c
index ca90f35..15734d5 100644
--- a/cups/auth.c
+++ b/cups/auth.c
@@ -182,30 +182,27 @@ cupsDoAuthentication(
     */
 
 #ifdef HAVE_GSSAPI
-    if (!_cups_strcasecmp(scheme, "Negotiate"))
-    {
-     /*
-      * Kerberos authentication...
-      */
-
-      if (_cupsSetNegotiateAuthString(http, method, resource))
-      {
-	http->status = HTTP_STATUS_CUPS_AUTHORIZATION_CANCELED;
-	return (-1);
-      }
+    /*
+     * Kerberos authentication
+     */
+    if (!_cups_strcasecmp(scheme, "Negotiate") && 
+       _cupsSetNegotiateAuthString(http, method, resource) == 0)
 
+    {
       break;
     }
     else
 #endif /* HAVE_GSSAPI */
-    if (_cups_strcasecmp(scheme, "Basic") && _cups_strcasecmp(scheme, "Digest"))
+    if (_cups_strcasecmp(scheme, "Basic") &&
+	_cups_strcasecmp(scheme, "Digest") &&
+	_cups_strcasecmp(scheme, "Negotiate"))
       continue;				/* Not supported (yet) */
 
    /*
     * See if we should retry the current username:password...
     */
 
-    if ((http->digest_tries > 1 || !http->userpass[0]) && (!_cups_strcasecmp(scheme, "Basic") || (!_cups_strcasecmp(scheme, "Digest"))))
+    if (http->digest_tries > 1 || !http->userpass[0])
     {
      /*
       * Nope - get a new password from the user...
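Review bot: A failing _cupsSetNegotiateAuthString() no longer cancels the request but falls through to the password prompt, and nothing in the hunk says so; the subject speaks of trying ccache credentials only for remote servers, yet no call to cups_is_local_connection() appears here, so the local/remote distinction apparently rests on the GSS call failing in the CGI case — confirm that, and document the fallthrough above the else: `/* No usable Kerberos credentials (e.g. a CGI on localhost): fall through and ask for credentials via the password callback */`. Because Negotiate now reaches the prompt path, what is done with a collected password for a Negotiate-only challenge is decided below the hunk; check it is not wrapped into a Basic Authorization header the server never asked for. Style: the `&& ` ending the first line of the condition carries trailing whitespace, and the blank line between the condition and its `{` should go. cupsDoAuthentication() begins and continues outside the hunk.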
-- 
2.35.3


From e926f016b2d3ee09f95722a8e1fc6cadbd136f6d Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Tue, 27 Oct 2020 16:18:03 +0100
Subject: [PATCH 5/5] Allow Local authentication for Negotiate

PeerCred is also possible if address family is AF_LOCAL. This will allow
the CGI programs to generate the authorization from the local
certificates based on PID also when Negotiate is used for local
connections:

Client                       CGI
Browser <- Remote conn -> admin.cgi <--- Localhost conn --->  Scheduler
  |                           |                                    |
  + --- HTTP/POST /admin/ --> |                                    |
  |                           + --- CUPS-Get-Devices ------------> |
  |                           |                                    |
  |                           | <-- 401 Unauthorized --------------+
  |                           |     WWW-Authenticate:              |
  |                           |       Negotiate, (PeerCred,) Local |
  |                           |                                    |
  | <-- 401 Unauthorized -----+                                    |
  |     WWW-Authenticate:     |                                    |
  |       Negotiate           |                                    |
  |                           |                                    |
  | --- HTTP/POST /admin/ --> |                                    |
  |     Authorization:        + --- IPP CUPS-GetDevices ---------> |
  |       Negotiate           |     Authorization: Local <cert>    |
  |                           |                                    |

Fixes: #5596

Signed-off-by: Samuel Cabrero <scabrero@suse.de>
---
 cups/auth.c        |  4 ----
 scheduler/client.c | 10 ++--------
 2 files changed, 2 insertions(+), 12 deletions(-)

diff --git a/cups/auth.c b/cups/auth.c
index 15734d5..3508102 100644
--- a/cups/auth.c
+++ b/cups/auth.c
@@ -1123,10 +1123,6 @@ cups_local_auth(http_t *http)		/* I - HTTP connection to server */
   }
 #  endif /* HAVE_AUTHORIZATION_H */
 
-#  ifdef HAVE_GSSAPI
-  if (cups_auth_find(www_auth, "Negotiate"))
-    return (1);
-#  endif /* HAVE_GSSAPI */
 #  ifdef HAVE_AUTHORIZATION_H
   if (cups_auth_find(www_auth, "AuthRef"))
     return (1);
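Review bot: Dropping the Negotiate early-return means cups_local_auth() now continues into the local certificate/PeerCred path whenever the server offers Negotiate; confirm that the code below the hunk still requires Local or PeerCred to be present in www_auth before any certificate is sent, so a server that advertised only Negotiate does not receive local credentials. The two `#  ifdef HAVE_AUTHORIZATION_H` blocks that are now adjacent (the one closing above the removed lines and the AuthRef one after them) could be merged in a follow-up. A short comment at the removal point would keep the intent visible: `/* Negotiate does not exclude local auth: a local CGI answers the browser's Negotiate challenge itself and authenticates to the scheduler with its certificate */`. cups_local_auth() begins and ends outside the hunk.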
diff --git a/scheduler/client.c b/scheduler/client.c
index adae6c9..0cdc57e 100644
--- a/scheduler/client.c
+++ b/scheduler/client.c
@@ -2354,19 +2354,13 @@ cupsdSendHeader(
       strlcpy(auth_str, "Basic realm=\"CUPS\"", sizeof(auth_str));
     else if (auth_type == CUPSD_AUTH_NEGOTIATE)
     {
-#ifdef AF_LOCAL
-      if (httpAddrFamily(httpGetAddress(con->http)) == AF_LOCAL)
-        strlcpy(auth_str, "Basic realm=\"CUPS\"", sizeof(auth_str));
-      else
-#endif /* AF_LOCAL */
       strlcpy(auth_str, "Negotiate", sizeof(auth_str));
     }
 
-    if (con->best && auth_type != CUPSD_AUTH_NEGOTIATE &&
-        !_cups_strcasecmp(httpGetHostname(con->http, NULL, 0), "localhost"))
+    if (con->best && !_cups_strcasecmp(httpGetHostname(con->http, NULL, 0), "localhost"))
     {
      /*
-      * Add a "trc" (try root certification) parameter for local non-Kerberos
+      * Add a "trc" (try root certification) parameter for local
       * requests when the request requires system group membership - then the
       * client knows the root certificate can/should be used.
       *
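Review bot: With the AF_LOCAL branch gone, a domain-socket client facing CUPSD_AUTH_NEGOTIATE is now sent "Negotiate" where it used to get a Basic challenge; the commit message expects that challenge to also carry PeerCred/Local, but only the "Negotiate" strlcpy is visible here, so confirm that the code below the hunk still appends those tokens for local connections. The trc parameter is now emitted for Negotiate requests too, which the updated comment covers. cupsdSendHeader() begins and continues outside the hunk.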
-- 
2.35.3
