]>
Commit | Line | Data |
---|---|---|
79a37326 | 1 | /* |
79a37326 MS |
2 | * TLS check program for CUPS. |
3 | * | |
4f272af7 | 4 | * Copyright 2007-2017 by Apple Inc. |
79a37326 MS |
5 | * Copyright 1997-2006 by Easy Software Products. |
6 | * | |
e3101897 | 7 | * Licensed under Apache License v2.0. See the file "LICENSE" for more information. |
79a37326 MS |
8 | */ |
9 | ||
10 | /* | |
11 | * Include necessary headers... | |
12 | */ | |
13 | ||
14 | #include "cups-private.h" | |
15 | ||
16 | ||
58796d49 MS |
17 | #ifndef HAVE_SSL |
18 | int main(void) { puts("Sorry, no TLS support compiled in."); return (1); } | |
19 | #else | |
20 | ||
bdc4056c MS |
21 | /* |
22 | * Local functions... | |
23 | */ | |
24 | ||
25 | static void usage(void); | |
26 | ||
27 | ||
79a37326 MS |
28 | /* |
29 | * 'main()' - Main entry. | |
30 | */ | |
31 | ||
32 | int /* O - Exit status */ | |
33 | main(int argc, /* I - Number of command-line arguments */ | |
34 | char *argv[]) /* I - Command-line arguments */ | |
35 | { | |
bdc4056c | 36 | int i; /* Looping var */ |
79a37326 | 37 | http_t *http; /* HTTP connection */ |
bdc4056c MS |
38 | const char *server = NULL; /* Hostname from command-line */ |
39 | int port = 0; /* Port number */ | |
073b3929 MS |
40 | cups_array_t *creds; /* Server credentials */ |
41 | char creds_str[2048]; /* Credentials string */ | |
79a37326 | 42 | const char *cipherName = "UNKNOWN";/* Cipher suite name */ |
bdc4056c | 43 | int dhBits = 0; /* Diffie-Hellman bits */ |
72b9a313 | 44 | int tlsVersion = 0; /* TLS version number */ |
bdc4056c MS |
45 | char uri[1024], /* Printer URI */ |
46 | scheme[32], /* URI scheme */ | |
47 | host[256], /* Hostname */ | |
48 | userpass[256], /* Username/password */ | |
49 | resource[256]; /* Resource path */ | |
23abf279 MS |
50 | int af = AF_UNSPEC, /* Address family */ |
51 | tls_options = _HTTP_TLS_NONE, | |
bdc4056c | 52 | /* TLS options */ |
8f1fbdec MS |
53 | tls_min_version = _HTTP_TLS_1_0, |
54 | tls_max_version = _HTTP_TLS_MAX, | |
bdc4056c MS |
55 | verbose = 0; /* Verbosity */ |
56 | ipp_t *request, /* IPP Get-Printer-Attributes request */ | |
57 | *response; /* IPP Get-Printer-Attributes response */ | |
58 | ipp_attribute_t *attr; /* Current attribute */ | |
59 | const char *name; /* Attribute name */ | |
60 | char value[1024]; /* Attribute (string) value */ | |
61 | static const char * const pattrs[] = /* Requested attributes */ | |
79a37326 | 62 | { |
bdc4056c MS |
63 | "color-supported", |
64 | "compression-supported", | |
65 | "document-format-supported", | |
66 | "pages-per-minute", | |
67 | "printer-location", | |
68 | "printer-make-and-model", | |
69 | "printer-state", | |
70 | "printer-state-reasons", | |
71 | "sides-supported", | |
72 | "uri-authentication-supported", | |
73 | "uri-security-supported" | |
74 | }; | |
75 | ||
79a37326 | 76 | |
bdc4056c | 77 | for (i = 1; i < argc; i ++) |
fb9d90d6 | 78 | { |
bdc4056c MS |
79 | if (!strcmp(argv[i], "--dh")) |
80 | { | |
81 | tls_options |= _HTTP_TLS_ALLOW_DH; | |
82 | } | |
4f272af7 MS |
83 | else if (!strcmp(argv[i], "--no-cbc")) |
84 | { | |
85 | tls_options |= _HTTP_TLS_DENY_CBC; | |
86 | } | |
bdc4056c MS |
87 | else if (!strcmp(argv[i], "--no-tls10")) |
88 | { | |
8f1fbdec | 89 | tls_min_version = _HTTP_TLS_1_1; |
bdc4056c | 90 | } |
4f272af7 MS |
91 | else if (!strcmp(argv[i], "--tls10")) |
92 | { | |
8f1fbdec MS |
93 | tls_min_version = _HTTP_TLS_1_0; |
94 | tls_max_version = _HTTP_TLS_1_0; | |
4f272af7 | 95 | } |
bdc4056c MS |
96 | else if (!strcmp(argv[i], "--rc4")) |
97 | { | |
98 | tls_options |= _HTTP_TLS_ALLOW_RC4; | |
99 | } | |
100 | else if (!strcmp(argv[i], "--verbose") || !strcmp(argv[i], "-v")) | |
101 | { | |
102 | verbose = 1; | |
103 | } | |
23abf279 MS |
104 | else if (!strcmp(argv[i], "-4")) |
105 | { | |
106 | af = AF_INET; | |
107 | } | |
108 | else if (!strcmp(argv[i], "-6")) | |
109 | { | |
110 | af = AF_INET6; | |
111 | } | |
bdc4056c MS |
112 | else if (argv[i][0] == '-') |
113 | { | |
114 | printf("tlscheck: Unknown option '%s'.\n", argv[i]); | |
115 | usage(); | |
116 | } | |
117 | else if (!server) | |
118 | { | |
119 | if (!strncmp(argv[i], "ipps://", 7)) | |
120 | { | |
121 | httpSeparateURI(HTTP_URI_CODING_ALL, argv[i], scheme, sizeof(scheme), userpass, sizeof(userpass), host, sizeof(host), &port, resource, sizeof(resource)); | |
122 | server = host; | |
123 | } | |
124 | else | |
125 | { | |
126 | server = argv[i]; | |
127 | strlcpy(resource, "/ipp/print", sizeof(resource)); | |
128 | } | |
129 | } | |
130 | else if (!port && (argv[i][0] == '=' || isdigit(argv[i][0] & 255))) | |
131 | { | |
132 | if (argv[i][0] == '=') | |
133 | port = atoi(argv[i] + 1); | |
134 | else | |
135 | port = atoi(argv[i]); | |
136 | } | |
fb9d90d6 | 137 | else |
bdc4056c MS |
138 | { |
139 | printf("tlscheck: Unexpected argument '%s'.\n", argv[i]); | |
140 | usage(); | |
141 | } | |
fb9d90d6 | 142 | } |
79a37326 | 143 | |
bdc4056c MS |
144 | if (!server) |
145 | usage(); | |
146 | ||
147 | if (!port) | |
148 | port = 631; | |
149 | ||
8f1fbdec | 150 | _httpTLSSetOptions(tls_options, tls_min_version, tls_max_version); |
bdc4056c | 151 | |
23abf279 | 152 | http = httpConnect2(server, port, NULL, af, HTTP_ENCRYPTION_ALWAYS, 1, 30000, NULL); |
79a37326 MS |
153 | if (!http) |
154 | { | |
155 | printf("%s: ERROR (%s)\n", server, cupsLastErrorString()); | |
156 | return (1); | |
157 | } | |
158 | ||
073b3929 MS |
159 | if (httpCopyCredentials(http, &creds)) |
160 | { | |
161 | strlcpy(creds_str, "Unable to get server X.509 credentials.", sizeof(creds_str)); | |
162 | } | |
163 | else | |
164 | { | |
165 | httpCredentialsString(creds, creds_str, sizeof(creds_str)); | |
166 | httpFreeCredentials(creds); | |
167 | } | |
168 | ||
79a37326 | 169 | #ifdef __APPLE__ |
72b9a313 | 170 | SSLProtocol protocol; |
79a37326 MS |
171 | SSLCipherSuite cipher; |
172 | char unknownCipherName[256]; | |
173 | int paramsNeeded = 0; | |
174 | const void *params; | |
175 | size_t paramsLen; | |
176 | OSStatus err; | |
177 | ||
72b9a313 MS |
178 | if ((err = SSLGetNegotiatedProtocolVersion(http->tls, &protocol)) != noErr) |
179 | { | |
180 | printf("%s: ERROR (No protocol version - %d)\n", server, (int)err); | |
181 | httpClose(http); | |
182 | return (1); | |
183 | } | |
184 | ||
185 | switch (protocol) | |
186 | { | |
187 | default : | |
188 | tlsVersion = 0; | |
189 | break; | |
190 | case kSSLProtocol3 : | |
191 | tlsVersion = 30; | |
192 | break; | |
193 | case kTLSProtocol1 : | |
194 | tlsVersion = 10; | |
195 | break; | |
196 | case kTLSProtocol11 : | |
197 | tlsVersion = 11; | |
198 | break; | |
199 | case kTLSProtocol12 : | |
200 | tlsVersion = 12; | |
201 | break; | |
202 | } | |
203 | ||
79a37326 MS |
204 | if ((err = SSLGetNegotiatedCipher(http->tls, &cipher)) != noErr) |
205 | { | |
206 | printf("%s: ERROR (No cipher suite - %d)\n", server, (int)err); | |
207 | httpClose(http); | |
208 | return (1); | |
209 | } | |
210 | ||
211 | switch (cipher) | |
212 | { | |
213 | case TLS_NULL_WITH_NULL_NULL: | |
214 | cipherName = "TLS_NULL_WITH_NULL_NULL"; | |
215 | break; | |
216 | case TLS_RSA_WITH_NULL_MD5: | |
217 | cipherName = "TLS_RSA_WITH_NULL_MD5"; | |
218 | break; | |
219 | case TLS_RSA_WITH_NULL_SHA: | |
220 | cipherName = "TLS_RSA_WITH_NULL_SHA"; | |
221 | break; | |
222 | case TLS_RSA_WITH_RC4_128_MD5: | |
223 | cipherName = "TLS_RSA_WITH_RC4_128_MD5"; | |
224 | break; | |
225 | case TLS_RSA_WITH_RC4_128_SHA: | |
226 | cipherName = "TLS_RSA_WITH_RC4_128_SHA"; | |
227 | break; | |
228 | case TLS_RSA_WITH_3DES_EDE_CBC_SHA: | |
229 | cipherName = "TLS_RSA_WITH_3DES_EDE_CBC_SHA"; | |
230 | break; | |
231 | case TLS_RSA_WITH_NULL_SHA256: | |
232 | cipherName = "TLS_RSA_WITH_NULL_SHA256"; | |
233 | break; | |
234 | case TLS_RSA_WITH_AES_128_CBC_SHA256: | |
235 | cipherName = "TLS_RSA_WITH_AES_128_CBC_SHA256"; | |
236 | break; | |
237 | case TLS_RSA_WITH_AES_256_CBC_SHA256: | |
238 | cipherName = "TLS_RSA_WITH_AES_256_CBC_SHA256"; | |
239 | break; | |
240 | case TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA: | |
241 | cipherName = "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA"; | |
242 | paramsNeeded = 1; | |
243 | break; | |
244 | case TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA: | |
245 | cipherName = "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA"; | |
246 | paramsNeeded = 1; | |
247 | break; | |
248 | case TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA: | |
249 | cipherName = "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA"; | |
250 | paramsNeeded = 1; | |
251 | break; | |
252 | case TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA: | |
253 | cipherName = "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA"; | |
254 | paramsNeeded = 1; | |
255 | break; | |
256 | case TLS_DH_DSS_WITH_AES_128_CBC_SHA256: | |
257 | cipherName = "TLS_DH_DSS_WITH_AES_128_CBC_SHA256"; | |
258 | paramsNeeded = 1; | |
259 | break; | |
260 | case TLS_DH_RSA_WITH_AES_128_CBC_SHA256: | |
261 | cipherName = "TLS_DH_RSA_WITH_AES_128_CBC_SHA256"; | |
262 | paramsNeeded = 1; | |
263 | break; | |
264 | case TLS_DHE_DSS_WITH_AES_128_CBC_SHA256: | |
265 | cipherName = "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256"; | |
266 | paramsNeeded = 1; | |
267 | break; | |
268 | case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: | |
269 | cipherName = "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256"; | |
270 | paramsNeeded = 1; | |
271 | break; | |
272 | case TLS_DH_DSS_WITH_AES_256_CBC_SHA256: | |
273 | cipherName = "TLS_DH_DSS_WITH_AES_256_CBC_SHA256"; | |
274 | paramsNeeded = 1; | |
275 | break; | |
276 | case TLS_DH_RSA_WITH_AES_256_CBC_SHA256: | |
277 | cipherName = "TLS_DH_RSA_WITH_AES_256_CBC_SHA256"; | |
278 | paramsNeeded = 1; | |
279 | break; | |
280 | case TLS_DHE_DSS_WITH_AES_256_CBC_SHA256: | |
281 | cipherName = "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256"; | |
282 | paramsNeeded = 1; | |
283 | break; | |
284 | case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: | |
285 | cipherName = "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"; | |
286 | paramsNeeded = 1; | |
287 | break; | |
288 | case TLS_DH_anon_WITH_RC4_128_MD5: | |
289 | cipherName = "TLS_DH_anon_WITH_RC4_128_MD5"; | |
290 | paramsNeeded = 1; | |
291 | break; | |
292 | case TLS_DH_anon_WITH_3DES_EDE_CBC_SHA: | |
293 | cipherName = "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA"; | |
294 | paramsNeeded = 1; | |
295 | break; | |
296 | case TLS_DH_anon_WITH_AES_128_CBC_SHA256: | |
297 | cipherName = "TLS_DH_anon_WITH_AES_128_CBC_SHA256"; | |
298 | paramsNeeded = 1; | |
299 | break; | |
300 | case TLS_DH_anon_WITH_AES_256_CBC_SHA256: | |
301 | cipherName = "TLS_DH_anon_WITH_AES_256_CBC_SHA256"; | |
302 | paramsNeeded = 1; | |
303 | break; | |
304 | case TLS_PSK_WITH_RC4_128_SHA: | |
305 | cipherName = "TLS_PSK_WITH_RC4_128_SHA"; | |
306 | break; | |
307 | case TLS_PSK_WITH_3DES_EDE_CBC_SHA: | |
308 | cipherName = "TLS_PSK_WITH_3DES_EDE_CBC_SHA"; | |
309 | break; | |
310 | case TLS_PSK_WITH_AES_128_CBC_SHA: | |
311 | cipherName = "TLS_PSK_WITH_AES_128_CBC_SHA"; | |
312 | break; | |
313 | case TLS_PSK_WITH_AES_256_CBC_SHA: | |
314 | cipherName = "TLS_PSK_WITH_AES_256_CBC_SHA"; | |
315 | break; | |
316 | case TLS_DHE_PSK_WITH_RC4_128_SHA: | |
317 | cipherName = "TLS_DHE_PSK_WITH_RC4_128_SHA"; | |
318 | paramsNeeded = 1; | |
319 | break; | |
320 | case TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA: | |
321 | cipherName = "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA"; | |
322 | paramsNeeded = 1; | |
323 | break; | |
324 | case TLS_DHE_PSK_WITH_AES_128_CBC_SHA: | |
325 | cipherName = "TLS_DHE_PSK_WITH_AES_128_CBC_SHA"; | |
326 | paramsNeeded = 1; | |
327 | break; | |
328 | case TLS_DHE_PSK_WITH_AES_256_CBC_SHA: | |
329 | cipherName = "TLS_DHE_PSK_WITH_AES_256_CBC_SHA"; | |
330 | paramsNeeded = 1; | |
331 | break; | |
332 | case TLS_RSA_PSK_WITH_RC4_128_SHA: | |
333 | cipherName = "TLS_RSA_PSK_WITH_RC4_128_SHA"; | |
334 | break; | |
335 | case TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA: | |
336 | cipherName = "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA"; | |
337 | break; | |
338 | case TLS_RSA_PSK_WITH_AES_128_CBC_SHA: | |
339 | cipherName = "TLS_RSA_PSK_WITH_AES_128_CBC_SHA"; | |
340 | break; | |
341 | case TLS_RSA_PSK_WITH_AES_256_CBC_SHA: | |
342 | cipherName = "TLS_RSA_PSK_WITH_AES_256_CBC_SHA"; | |
343 | break; | |
344 | case TLS_PSK_WITH_NULL_SHA: | |
345 | cipherName = "TLS_PSK_WITH_NULL_SHA"; | |
346 | break; | |
347 | case TLS_DHE_PSK_WITH_NULL_SHA: | |
348 | cipherName = "TLS_DHE_PSK_WITH_NULL_SHA"; | |
349 | paramsNeeded = 1; | |
350 | break; | |
351 | case TLS_RSA_PSK_WITH_NULL_SHA: | |
352 | cipherName = "TLS_RSA_PSK_WITH_NULL_SHA"; | |
353 | break; | |
354 | case TLS_RSA_WITH_AES_128_GCM_SHA256: | |
355 | cipherName = "TLS_RSA_WITH_AES_128_GCM_SHA256"; | |
356 | break; | |
357 | case TLS_RSA_WITH_AES_256_GCM_SHA384: | |
358 | cipherName = "TLS_RSA_WITH_AES_256_GCM_SHA384"; | |
359 | break; | |
360 | case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: | |
361 | cipherName = "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"; | |
362 | paramsNeeded = 1; | |
363 | break; | |
364 | case TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: | |
365 | cipherName = "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"; | |
366 | paramsNeeded = 1; | |
367 | break; | |
368 | case TLS_DH_RSA_WITH_AES_128_GCM_SHA256: | |
369 | cipherName = "TLS_DH_RSA_WITH_AES_128_GCM_SHA256"; | |
370 | paramsNeeded = 1; | |
371 | break; | |
372 | case TLS_DH_RSA_WITH_AES_256_GCM_SHA384: | |
373 | cipherName = "TLS_DH_RSA_WITH_AES_256_GCM_SHA384"; | |
374 | paramsNeeded = 1; | |
375 | break; | |
376 | case TLS_DHE_DSS_WITH_AES_128_GCM_SHA256: | |
377 | cipherName = "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256"; | |
378 | paramsNeeded = 1; | |
379 | break; | |
380 | case TLS_DHE_DSS_WITH_AES_256_GCM_SHA384: | |
381 | cipherName = "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384"; | |
382 | paramsNeeded = 1; | |
383 | break; | |
384 | case TLS_DH_DSS_WITH_AES_128_GCM_SHA256: | |
385 | cipherName = "TLS_DH_DSS_WITH_AES_128_GCM_SHA256"; | |
386 | paramsNeeded = 1; | |
387 | break; | |
388 | case TLS_DH_DSS_WITH_AES_256_GCM_SHA384: | |
389 | cipherName = "TLS_DH_DSS_WITH_AES_256_GCM_SHA384"; | |
390 | paramsNeeded = 1; | |
391 | break; | |
392 | case TLS_DH_anon_WITH_AES_128_GCM_SHA256: | |
393 | cipherName = "TLS_DH_anon_WITH_AES_128_GCM_SHA256"; | |
394 | paramsNeeded = 1; | |
395 | break; | |
396 | case TLS_DH_anon_WITH_AES_256_GCM_SHA384: | |
397 | cipherName = "TLS_DH_anon_WITH_AES_256_GCM_SHA384"; | |
398 | paramsNeeded = 1; | |
399 | break; | |
400 | case TLS_PSK_WITH_AES_128_GCM_SHA256: | |
401 | cipherName = "TLS_PSK_WITH_AES_128_GCM_SHA256"; | |
402 | break; | |
403 | case TLS_PSK_WITH_AES_256_GCM_SHA384: | |
404 | cipherName = "TLS_PSK_WITH_AES_256_GCM_SHA384"; | |
405 | break; | |
406 | case TLS_DHE_PSK_WITH_AES_128_GCM_SHA256: | |
407 | cipherName = "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256"; | |
408 | paramsNeeded = 1; | |
409 | break; | |
410 | case TLS_DHE_PSK_WITH_AES_256_GCM_SHA384: | |
411 | cipherName = "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384"; | |
412 | paramsNeeded = 1; | |
413 | break; | |
414 | case TLS_RSA_PSK_WITH_AES_128_GCM_SHA256: | |
415 | cipherName = "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256"; | |
416 | break; | |
417 | case TLS_RSA_PSK_WITH_AES_256_GCM_SHA384: | |
418 | cipherName = "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384"; | |
419 | break; | |
420 | case TLS_PSK_WITH_AES_128_CBC_SHA256: | |
421 | cipherName = "TLS_PSK_WITH_AES_128_CBC_SHA256"; | |
422 | break; | |
423 | case TLS_PSK_WITH_AES_256_CBC_SHA384: | |
424 | cipherName = "TLS_PSK_WITH_AES_256_CBC_SHA384"; | |
425 | break; | |
426 | case TLS_PSK_WITH_NULL_SHA256: | |
427 | cipherName = "TLS_PSK_WITH_NULL_SHA256"; | |
428 | break; | |
429 | case TLS_PSK_WITH_NULL_SHA384: | |
430 | cipherName = "TLS_PSK_WITH_NULL_SHA384"; | |
431 | break; | |
432 | case TLS_DHE_PSK_WITH_AES_128_CBC_SHA256: | |
433 | cipherName = "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256"; | |
434 | paramsNeeded = 1; | |
435 | break; | |
436 | case TLS_DHE_PSK_WITH_AES_256_CBC_SHA384: | |
437 | cipherName = "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384"; | |
438 | paramsNeeded = 1; | |
439 | break; | |
440 | case TLS_DHE_PSK_WITH_NULL_SHA256: | |
441 | cipherName = "TLS_DHE_PSK_WITH_NULL_SHA256"; | |
442 | paramsNeeded = 1; | |
443 | break; | |
444 | case TLS_DHE_PSK_WITH_NULL_SHA384: | |
445 | cipherName = "TLS_DHE_PSK_WITH_NULL_SHA384"; | |
446 | paramsNeeded = 1; | |
447 | break; | |
448 | case TLS_RSA_PSK_WITH_AES_128_CBC_SHA256: | |
449 | cipherName = "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256"; | |
450 | break; | |
451 | case TLS_RSA_PSK_WITH_AES_256_CBC_SHA384: | |
452 | cipherName = "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384"; | |
453 | break; | |
454 | case TLS_RSA_PSK_WITH_NULL_SHA256: | |
455 | cipherName = "TLS_RSA_PSK_WITH_NULL_SHA256"; | |
456 | break; | |
457 | case TLS_RSA_PSK_WITH_NULL_SHA384: | |
458 | cipherName = "TLS_RSA_PSK_WITH_NULL_SHA384"; | |
459 | break; | |
460 | case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: | |
461 | cipherName = "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"; | |
462 | paramsNeeded = 1; | |
463 | break; | |
464 | case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384: | |
465 | cipherName = "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384"; | |
466 | paramsNeeded = 1; | |
467 | break; | |
468 | case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256: | |
469 | cipherName = "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256"; | |
470 | paramsNeeded = 1; | |
471 | break; | |
472 | case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384: | |
473 | cipherName = "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384"; | |
474 | paramsNeeded = 1; | |
475 | break; | |
476 | case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: | |
477 | cipherName = "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"; | |
478 | paramsNeeded = 1; | |
479 | break; | |
480 | case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384: | |
481 | cipherName = "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"; | |
482 | paramsNeeded = 1; | |
483 | break; | |
484 | case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256: | |
485 | cipherName = "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256"; | |
486 | paramsNeeded = 1; | |
487 | break; | |
488 | case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384: | |
489 | cipherName = "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384"; | |
490 | paramsNeeded = 1; | |
491 | break; | |
492 | case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: | |
493 | cipherName = "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"; | |
494 | paramsNeeded = 1; | |
495 | break; | |
496 | case TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: | |
497 | cipherName = "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"; | |
498 | paramsNeeded = 1; | |
499 | break; | |
500 | case TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256: | |
501 | cipherName = "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256"; | |
502 | paramsNeeded = 1; | |
503 | break; | |
504 | case TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384: | |
505 | cipherName = "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384"; | |
506 | paramsNeeded = 1; | |
507 | break; | |
508 | case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: | |
509 | cipherName = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"; | |
510 | paramsNeeded = 1; | |
511 | break; | |
512 | case TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: | |
513 | cipherName = "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"; | |
514 | paramsNeeded = 1; | |
515 | break; | |
516 | case TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256: | |
517 | cipherName = "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256"; | |
518 | paramsNeeded = 1; | |
519 | break; | |
520 | case TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384: | |
521 | cipherName = "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384"; | |
522 | paramsNeeded = 1; | |
523 | break; | |
88da3fd7 MS |
524 | case TLS_RSA_WITH_AES_128_CBC_SHA: |
525 | cipherName = "TLS_RSA_WITH_AES_128_CBC_SHA"; | |
526 | break; | |
527 | case TLS_DH_DSS_WITH_AES_128_CBC_SHA: | |
528 | cipherName = "TLS_DH_DSS_WITH_AES_128_CBC_SHA"; | |
529 | paramsNeeded = 1; | |
530 | break; | |
531 | case TLS_DH_RSA_WITH_AES_128_CBC_SHA: | |
532 | cipherName = "TLS_DH_RSA_WITH_AES_128_CBC_SHA"; | |
533 | paramsNeeded = 1; | |
534 | break; | |
535 | case TLS_DHE_DSS_WITH_AES_128_CBC_SHA: | |
536 | cipherName = "TLS_DHE_DSS_WITH_AES_128_CBC_SHA"; | |
537 | paramsNeeded = 1; | |
538 | break; | |
539 | case TLS_DHE_RSA_WITH_AES_128_CBC_SHA: | |
540 | cipherName = "TLS_DHE_RSA_WITH_AES_128_CBC_SHA"; | |
541 | paramsNeeded = 1; | |
542 | break; | |
543 | case TLS_DH_anon_WITH_AES_128_CBC_SHA: | |
544 | cipherName = "TLS_DH_anon_WITH_AES_128_CBC_SHA"; | |
545 | paramsNeeded = 1; | |
546 | break; | |
547 | case TLS_RSA_WITH_AES_256_CBC_SHA: | |
548 | cipherName = "TLS_RSA_WITH_AES_256_CBC_SHA"; | |
549 | break; | |
550 | case TLS_DH_DSS_WITH_AES_256_CBC_SHA: | |
551 | cipherName = "TLS_DH_DSS_WITH_AES_256_CBC_SHA"; | |
552 | paramsNeeded = 1; | |
553 | break; | |
554 | case TLS_DH_RSA_WITH_AES_256_CBC_SHA: | |
555 | cipherName = "TLS_DH_RSA_WITH_AES_256_CBC_SHA"; | |
556 | paramsNeeded = 1; | |
557 | break; | |
558 | case TLS_DHE_DSS_WITH_AES_256_CBC_SHA: | |
559 | cipherName = "TLS_DHE_DSS_WITH_AES_256_CBC_SHA"; | |
560 | paramsNeeded = 1; | |
561 | break; | |
562 | case TLS_DHE_RSA_WITH_AES_256_CBC_SHA: | |
563 | cipherName = "TLS_DHE_RSA_WITH_AES_256_CBC_SHA"; | |
564 | paramsNeeded = 1; | |
565 | break; | |
566 | case TLS_DH_anon_WITH_AES_256_CBC_SHA: | |
567 | cipherName = "TLS_DH_anon_WITH_AES_256_CBC_SHA"; | |
568 | paramsNeeded = 1; | |
569 | break; | |
570 | case TLS_ECDH_ECDSA_WITH_NULL_SHA: | |
571 | cipherName = "TLS_ECDH_ECDSA_WITH_NULL_SHA"; | |
572 | paramsNeeded = 1; | |
573 | break; | |
574 | case TLS_ECDH_ECDSA_WITH_RC4_128_SHA: | |
575 | cipherName = "TLS_ECDH_ECDSA_WITH_RC4_128_SHA"; | |
576 | paramsNeeded = 1; | |
577 | break; | |
578 | case TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA: | |
579 | cipherName = "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA"; | |
580 | paramsNeeded = 1; | |
581 | break; | |
582 | case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: | |
583 | cipherName = "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA"; | |
584 | paramsNeeded = 1; | |
585 | break; | |
586 | case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: | |
587 | cipherName = "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA"; | |
588 | paramsNeeded = 1; | |
589 | break; | |
590 | case TLS_ECDHE_ECDSA_WITH_NULL_SHA: | |
591 | cipherName = "TLS_ECDHE_ECDSA_WITH_NULL_SHA"; | |
592 | paramsNeeded = 1; | |
593 | break; | |
594 | case TLS_ECDHE_ECDSA_WITH_RC4_128_SHA: | |
595 | cipherName = "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA"; | |
596 | paramsNeeded = 1; | |
597 | break; | |
598 | case TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA: | |
599 | cipherName = "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA"; | |
600 | paramsNeeded = 1; | |
601 | break; | |
602 | case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: | |
603 | cipherName = "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA"; | |
604 | paramsNeeded = 1; | |
605 | break; | |
606 | case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: | |
607 | cipherName = "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"; | |
608 | paramsNeeded = 1; | |
609 | break; | |
610 | case TLS_ECDH_RSA_WITH_NULL_SHA: | |
611 | cipherName = "TLS_ECDH_RSA_WITH_NULL_SHA"; | |
612 | paramsNeeded = 1; | |
613 | break; | |
614 | case TLS_ECDH_RSA_WITH_RC4_128_SHA: | |
615 | cipherName = "TLS_ECDH_RSA_WITH_RC4_128_SHA"; | |
616 | paramsNeeded = 1; | |
617 | break; | |
618 | case TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA: | |
619 | cipherName = "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA"; | |
620 | paramsNeeded = 1; | |
621 | break; | |
622 | case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: | |
623 | cipherName = "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA"; | |
624 | paramsNeeded = 1; | |
625 | break; | |
626 | case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: | |
627 | cipherName = "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA"; | |
628 | paramsNeeded = 1; | |
629 | break; | |
630 | case TLS_ECDHE_RSA_WITH_NULL_SHA: | |
631 | cipherName = "TLS_ECDHE_RSA_WITH_NULL_SHA"; | |
632 | paramsNeeded = 1; | |
633 | break; | |
634 | case TLS_ECDHE_RSA_WITH_RC4_128_SHA: | |
635 | cipherName = "TLS_ECDHE_RSA_WITH_RC4_128_SHA"; | |
636 | paramsNeeded = 1; | |
637 | break; | |
638 | case TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA: | |
639 | cipherName = "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA"; | |
640 | paramsNeeded = 1; | |
641 | break; | |
642 | case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: | |
643 | cipherName = "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"; | |
644 | paramsNeeded = 1; | |
645 | break; | |
646 | case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: | |
647 | cipherName = "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"; | |
648 | paramsNeeded = 1; | |
649 | break; | |
650 | case TLS_ECDH_anon_WITH_NULL_SHA: | |
651 | cipherName = "TLS_ECDH_anon_WITH_NULL_SHA"; | |
652 | paramsNeeded = 1; | |
653 | break; | |
654 | case TLS_ECDH_anon_WITH_RC4_128_SHA: | |
655 | cipherName = "TLS_ECDH_anon_WITH_RC4_128_SHA"; | |
656 | paramsNeeded = 1; | |
657 | break; | |
658 | case TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA: | |
659 | cipherName = "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA"; | |
660 | paramsNeeded = 1; | |
661 | break; | |
662 | case TLS_ECDH_anon_WITH_AES_128_CBC_SHA: | |
663 | cipherName = "TLS_ECDH_anon_WITH_AES_128_CBC_SHA"; | |
664 | paramsNeeded = 1; | |
665 | break; | |
666 | case TLS_ECDH_anon_WITH_AES_256_CBC_SHA: | |
667 | cipherName = "TLS_ECDH_anon_WITH_AES_256_CBC_SHA"; | |
668 | paramsNeeded = 1; | |
669 | break; | |
79a37326 MS |
670 | default : |
671 | snprintf(unknownCipherName, sizeof(unknownCipherName), "UNKNOWN_%04X", cipher); | |
672 | cipherName = unknownCipherName; | |
673 | break; | |
674 | } | |
675 | ||
676 | if (cipher == TLS_RSA_WITH_RC4_128_MD5 || | |
677 | cipher == TLS_RSA_WITH_RC4_128_SHA) | |
678 | { | |
47ddc812 | 679 | printf("%s: ERROR (Printers MUST NOT negotiate RC4 cipher suites.)\n", server); |
79a37326 MS |
680 | httpClose(http); |
681 | return (1); | |
682 | } | |
683 | ||
684 | if ((err = SSLGetDiffieHellmanParams(http->tls, ¶ms, ¶msLen)) != noErr && paramsNeeded) | |
685 | { | |
47ddc812 | 686 | printf("%s: ERROR (Unable to get Diffie-Hellman parameters - %d)\n", server, (int)err); |
79a37326 MS |
687 | httpClose(http); |
688 | return (1); | |
689 | } | |
690 | ||
691 | if (paramsLen < 128 && paramsLen != 0) | |
692 | { | |
47ddc812 | 693 | printf("%s: ERROR (Diffie-Hellman parameters MUST be at least 2048 bits, but Printer uses only %d bits/%d bytes)\n", server, (int)paramsLen * 8, (int)paramsLen); |
79a37326 MS |
694 | httpClose(http); |
695 | return (1); | |
696 | } | |
bdc4056c MS |
697 | |
698 | dhBits = (int)paramsLen * 8; | |
79a37326 MS |
699 | #endif /* __APPLE__ */ |
700 | ||
bdc4056c | 701 | if (dhBits > 0) |
47ddc812 | 702 | printf("%s: OK (TLS: %d.%d, %s, %d DH bits)\n", server, tlsVersion / 10, tlsVersion % 10, cipherName, dhBits); |
bdc4056c | 703 | else |
47ddc812 | 704 | printf("%s: OK (TLS: %d.%d, %s)\n", server, tlsVersion / 10, tlsVersion % 10, cipherName); |
bdc4056c | 705 | |
073b3929 MS |
706 | printf(" %s\n", creds_str); |
707 | ||
bdc4056c MS |
708 | if (verbose) |
709 | { | |
710 | httpAssembleURI(HTTP_URI_CODING_ALL, uri, sizeof(uri), "ipps", NULL, host, port, resource); | |
711 | request = ippNewRequest(IPP_OP_GET_PRINTER_ATTRIBUTES); | |
712 | ippAddString(request, IPP_TAG_OPERATION, IPP_TAG_URI, "printer-uri", NULL, uri); | |
713 | ippAddString(request, IPP_TAG_OPERATION, IPP_TAG_NAME, "requesting-user-name", NULL, cupsUser()); | |
714 | ippAddStrings(request, IPP_TAG_OPERATION, IPP_TAG_KEYWORD, "requested-attributes", (int)(sizeof(pattrs) / sizeof(pattrs[0])), NULL, pattrs); | |
715 | ||
716 | response = cupsDoRequest(http, request, resource); | |
717 | ||
718 | for (attr = ippFirstAttribute(response); attr; attr = ippNextAttribute(response)) | |
719 | { | |
720 | if (ippGetGroupTag(attr) != IPP_TAG_PRINTER) | |
721 | continue; | |
722 | ||
723 | if ((name = ippGetName(attr)) == NULL) | |
724 | continue; | |
725 | ||
726 | ippAttributeString(attr, value, sizeof(value)); | |
727 | printf(" %s=%s\n", name, value); | |
728 | } | |
729 | ||
730 | ippDelete(response); | |
073b3929 | 731 | puts(""); |
bdc4056c | 732 | } |
79a37326 MS |
733 | |
734 | httpClose(http); | |
735 | ||
736 | return (0); | |
737 | } | |
738 | ||
739 | ||
bdc4056c MS |
740 | /* |
741 | * 'usage()' - Show program usage. | |
742 | */ | |
743 | ||
744 | static void | |
745 | usage(void) | |
746 | { | |
747 | puts("Usage: ./tlscheck [options] server [port]"); | |
748 | puts(" ./tlscheck [options] ipps://server[:port]/path"); | |
749 | puts(""); | |
750 | puts("Options:"); | |
751 | puts(" --dh Allow DH/DHE key exchange"); | |
4f272af7 | 752 | puts(" --no-cbc Disable CBC cipher suites"); |
bdc4056c MS |
753 | puts(" --no-tls10 Disable TLS/1.0"); |
754 | puts(" --rc4 Allow RC4 encryption"); | |
4f272af7 | 755 | puts(" --tls10 Only use TLS/1.0"); |
bdc4056c | 756 | puts(" --verbose Be verbose"); |
23abf279 MS |
757 | puts(" -4 Connect using IPv4 addresses only"); |
758 | puts(" -6 Connect using IPv6 addresses only"); | |
bdc4056c MS |
759 | puts(" -v Be verbose"); |
760 | puts(""); | |
761 | puts("The default port is 631."); | |
762 | ||
763 | exit(1); | |
764 | } | |
58796d49 | 765 | #endif /* !HAVE_SSL */ |