Fix crash in unit tests.

Fix mapping of HTTP_STATUS_NOT_MODIFIED to IPP_STATUS_OK_EVENTS_COMPLETE. Only test pinning for self-signed certs. Fix sanity check for cupsSaveCredentials (copy/paste error)
OpenPrinting · Oct 18, 2024 · 187243a · 187243a
1 parent bbd2f70
commit 187243a
Show file tree

Hide file tree

Showing 4 changed files with 21 additions and 3 deletions.
diff --git a/cups/request.c b/cups/request.c
@@ -1156,6 +1156,10 @@ _cupsSetHTTPError(http_t	*http,	/* I - HTTP connection */
 {
   switch (status)
   {
+    case HTTP_STATUS_NOT_MODIFIED :
+        _cupsSetError(IPP_STATUS_OK_EVENTS_COMPLETE, httpStatus(status), 0);
+        break;
+
     case HTTP_STATUS_NOT_FOUND :
 	_cupsSetError(IPP_STATUS_ERROR_NOT_FOUND, httpStatus(status), 0);
 	break;

diff --git a/cups/tls-gnutls.c b/cups/tls-gnutls.c
@@ -829,7 +829,7 @@ cupsGetCredentialsTrust(
   }
 
   // Look this common name up in the default keychains...
-  if ((tcreds = cupsCopyCredentials(path, common_name)) != NULL)
+  if (num_certs == 1 && (tcreds = cupsCopyCredentials(path, common_name)) != NULL)
   {
     char	credentials_str[1024],	// String for incoming credentials
 		tcreds_str[1024];	// String for saved credentials

diff --git a/cups/tls-openssl.c b/cups/tls-openssl.c
@@ -777,6 +777,8 @@ cupsGetCredentialsTrust(
   _cups_globals_t *cg = _cupsGlobals();	// Per-thread globals
 
 
+  DEBUG_printf("cupsGetCredentialsTrust(path=\"%s\", common_name=\"%s\", credentials=\"%lu bytes\", require_ca=%s)", path, common_name, (unsigned long)(credentials ? strlen(credentials) : 0), require_ca ? "true" : "false");
+
   // Range check input...
   if (!path)
     path = http_default_path(defpath, sizeof(defpath));
@@ -796,14 +798,16 @@ cupsGetCredentialsTrust(
 
   cert = sk_X509_value(certs, 0);
 
+  DEBUG_printf("1cupsGetCredentialsGetTrust: certs=%p, sk_X509_num(certs)=%d", (void *)certs, sk_X509_num(certs));
+
   if (cg->any_root < 0)
   {
     _cupsSetDefaults();
 //    openssl_load_crl();
   }
 
   // Look this common name up in the default keychains...
-  if ((tcreds = cupsCopyCredentials(path, common_name)) != NULL)
+  if (sk_X509_num(certs) == 1 && (tcreds = cupsCopyCredentials(path, common_name)) != NULL)
   {
     char	credentials_str[1024],	// String for incoming credentials
 		tcreds_str[1024];	// String for saved credentials

diff --git a/cups/tls.c b/cups/tls.c
@@ -140,7 +140,7 @@ cupsSaveCredentials(
   if (credentials)
   {
     // Make sure it looks like a PEM-encoded cert...
-    if (strncmp(credentials, "-----BEGIN CERTIFICATE-----", 27) || strstr(key, "-----END CERTIFICATE-----") == NULL)
+    if (strncmp(credentials, "-----BEGIN CERTIFICATE-----", 27) || strstr(credentials, "-----END CERTIFICATE-----") == NULL)
       return (false);
   }
 
@@ -266,6 +266,8 @@ http_check_roots(const char *creds)	// I - Credentials
   bool		ret = false;		// Return value
 
 
+  DEBUG_printf("3http_check_roots(creds=\"%s\")", creds);
+
 #ifdef __APPLE__
   // Apple hides all of the keychain stuff (all deprecated) so the best we can
   // do is use the SecTrust API to evaluate the certificate...
@@ -327,11 +329,19 @@ http_check_roots(const char *creds)	// I - Credentials
   // Test the certificate list against the macOS/iOS trust store...
   if ((policy = SecPolicyCreateBasicX509()) != NULL)
   {
+    DEBUG_puts("4http_check_roots: SecPolicyCreateBasicX509 succeeded.");
+
     if (SecTrustCreateWithCertificates(certs, policy, &trust) == noErr)
     {
       ret = SecTrustEvaluateWithError(trust, NULL);
       CFRelease(trust);
+
+      DEBUG_printf("4http_check_roots: SecTrustEvaluateWithError returned %d.", ret);
     }
+#ifdef DEBUG
+    else
+      DEBUG_printf("4http_check_roots: SecTrustCreateWithCertificates returned %d.", SecTrustCreateWithCertificates(certs, policy, &trust));
+#endif // DEBUG
 
     CFRelease(policy);
   }