]> git.ipfire.org Git - thirdparty/cups.git/blame - cups/tls-gnutls.c
projects / thirdparty / cups.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Sync up GNU TLS and Darwin TLS certificate validation code.
[thirdparty/cups.git] / cups / tls-gnutls.c
CommitLineData
2c85b752 1/*
2c85b752
MS		 2 * TLS support code for CUPS using GNU TLS.
3 *
08d56b1f 4 * Copyright 2007-2016 by Apple Inc.
2c85b752
MS		 5 * Copyright 1997-2007 by Easy Software Products, all rights reserved.
6 *
7 * These coded instructions, statements, and computer programs are the
8 * property of Apple Inc. and are protected by Federal copyright
9 * law. Distribution and use rights are outlined in the file "LICENSE.txt"
10 * which should have been included with this file. If this file is
11 * file is missing or damaged, see the license at "http://www.cups.org/".
12 *
13 * This file is subject to the Apple OS-Developed Software exception.
14 */
15
ebb24a07 16/**** This file is included from tls.c ****/
2c85b752 17
d0facf48
MS		 18/*
19 * Include necessary headers...
20 */
21
22#include <sys/stat.h>
23
24
07623986
MS		 25/*
26 * Local globals...
27 */
28
29static int tls_auto_create = 0;
30 /* Auto-create self-signed certs? */
31static char *tls_common_name = NULL;
32 /* Default common name */
08d56b1f 33static gnutls_x509_crl_t tls_crl = NULL;/* Certificate revocation list */
07623986
MS		 34static char *tls_keypath = NULL;
35 /* Server cert keychain path */
36static _cups_mutex_t tls_mutex = _CUPS_MUTEX_INITIALIZER;
37 /* Mutex for keychain/certs */
b37d45d9 38static int tls_options = -1;/* Options for TLS connections */
07623986
MS		 39
40
2c85b752
MS		 41/*
42 * Local functions...
43 */
44
ff82e169 45static gnutls_x509_crt_t http_gnutls_create_credential(http_credential_t *credential);
d0facf48 46static const char *http_gnutls_default_path(char *buffer, size_t bufsize);
08d56b1f 47static void http_gnutls_load_crl(void);
a2751f30 48static const char *http_gnutls_make_path(char *buffer, size_t bufsize, const char *dirname, const char *filename, const char *ext);
d0facf48
MS		 49static ssize_t http_gnutls_read(gnutls_transport_ptr_t ptr, void *data, size_t length);
50static ssize_t http_gnutls_write(gnutls_transport_ptr_t ptr, const void *data, size_t length);
dd332638
MS		 51
52
07623986
MS		 53/*
54 * 'cupsMakeServerCredentials()' - Make a self-signed certificate and private key pair.
55 *
e1f19878 56 * @since CUPS 2.0/OS 10.10@
07623986
MS		 57 */
58
59int /* O - 1 on success, 0 on failure */
60cupsMakeServerCredentials(
61 const char *path, /* I - Path to keychain/directory */
62 const char *common_name, /* I - Common name */
63 int num_alt_names, /* I - Number of subject alternate names */
64 const char **alt_names, /* I - Subject Alternate Names */
65 time_t expiration_date) /* I - Expiration date */
66{
f394e0f7
MS		 67 gnutls_x509_crt_t crt; /* Self-signed certificate */
68 gnutls_x509_privkey_t key; /* Encryption private key */
69 char temp[1024], /* Temporary directory name */
70 crtfile[1024], /* Certificate filename */
172bdf5d
MS		 71 keyfile[1024]; /* Private key filename */
72 cups_lang_t *language; /* Default language info */
73 cups_file_t *fp; /* Key/cert file */
74 unsigned char buffer[8192]; /* Buffer for x509 data */
75 size_t bytes; /* Number of bytes of data */
76 unsigned char serial[4]; /* Serial number buffer */
77 time_t curtime; /* Current time */
78 int result; /* Result of GNU TLS calls */
07623986 79
172bdf5d
MS		 80
81 DEBUG_printf(("cupsMakeServerCredentials(path=\"%s\", common_name=\"%s\", num_alt_names=%d, alt_names=%p, expiration_date=%d)", path, common_name, num_alt_names, alt_names, (int)expiration_date));
82
83 /*
84 * Filenames...
85 */
86
87 if (!path)
d0facf48 88 path = http_gnutls_default_path(temp, sizeof(temp));
172bdf5d 89
d0facf48
MS		 90 if (!path || !common_name)
91 {
92 _cupsSetError(IPP_STATUS_ERROR_INTERNAL, strerror(EINVAL), 0);
93 return (0);
172bdf5d 94 }
26435c51
MS		 95
96 http_gnutls_make_path(crtfile, sizeof(crtfile), path, common_name, "crt");
97 http_gnutls_make_path(keyfile, sizeof(keyfile), path, common_name, "key");
172bdf5d
MS		 98
99 /*
100 * Create the encryption key...
101 */
102
d0facf48
MS		 103 DEBUG_puts("1cupsMakeServerCredentials: Creating key pair.");
104
172bdf5d
MS		 105 gnutls_x509_privkey_init(&key);
106 gnutls_x509_privkey_generate(key, GNUTLS_PK_RSA, 2048, 0);
107
d0facf48
MS		 108 DEBUG_puts("1cupsMakeServerCredentials: Key pair created.");
109
172bdf5d
MS		 110 /*
111 * Save it...
112 */
113
114 bytes = sizeof(buffer);
115
d0facf48 116 if ((result = gnutls_x509_privkey_export(key, GNUTLS_X509_FMT_PEM, buffer, &bytes)) < 0)
172bdf5d 117 {
d0facf48 118 DEBUG_printf(("1cupsMakeServerCredentials: Unable to export private key: %s", gnutls_strerror(result)));
172bdf5d
MS		 119 _cupsSetError(IPP_STATUS_ERROR_INTERNAL, gnutls_strerror(result), 0);
120 gnutls_x509_privkey_deinit(key);
121 return (0);
122 }
123 else if ((fp = cupsFileOpen(keyfile, "w")) != NULL)
124 {
d0facf48 125 DEBUG_printf(("1cupsMakeServerCredentials: Writing private key to \"%s\".", keyfile));
172bdf5d
MS		 126 cupsFileWrite(fp, (char *)buffer, bytes);
127 cupsFileClose(fp);
128 }
129 else
130 {
d0facf48 131 DEBUG_printf(("1cupsMakeServerCredentials: Unable to create private key file \"%s\": %s", keyfile, strerror(errno)));
172bdf5d
MS		 132 _cupsSetError(IPP_STATUS_ERROR_INTERNAL, strerror(errno), 0);
133 gnutls_x509_privkey_deinit(key);
134 return (0);
135 }
136
137 /*
138 * Create the self-signed certificate...
139 */
140
d0facf48 141 DEBUG_puts("1cupsMakeServerCredentials: Generating self-signed X.509 certificate.");
172bdf5d
MS		 142
143 language = cupsLangDefault();
144 curtime = time(NULL);
145 serial[0] = curtime >> 24;
146 serial[1] = curtime >> 16;
147 serial[2] = curtime >> 8;
148 serial[3] = curtime;
149
150 gnutls_x509_crt_init(&crt);
151 if (strlen(language->language) == 5)
152 gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_X520_COUNTRY_NAME, 0,
153 language->language + 3, 2);
154 else
155 gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_X520_COUNTRY_NAME, 0,
156 "US", 2);
157 gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_X520_COMMON_NAME, 0,
158 common_name, strlen(common_name));
159 gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_X520_ORGANIZATION_NAME, 0,
160 common_name, strlen(common_name));
161 gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME,
162 0, "Unknown", 7);
163 gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME, 0,
164 "Unknown", 7);
165 gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_X520_LOCALITY_NAME, 0,
166 "Unknown", 7);
167/* gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_PKCS9_EMAIL, 0,
168 ServerAdmin, strlen(ServerAdmin));*/
169 gnutls_x509_crt_set_key(crt, key);
170 gnutls_x509_crt_set_serial(crt, serial, sizeof(serial));
171 gnutls_x509_crt_set_activation_time(crt, curtime);
172 gnutls_x509_crt_set_expiration_time(crt, curtime + 10 * 365 * 86400);
173 gnutls_x509_crt_set_ca_status(crt, 0);
174 if (num_alt_names > 0)
175 gnutls_x509_crt_set_subject_alternative_name(crt, GNUTLS_SAN_DNSNAME, alt_names[0]);
176 gnutls_x509_crt_set_key_purpose_oid(crt, GNUTLS_KP_TLS_WWW_SERVER, 0);
177 gnutls_x509_crt_set_key_usage(crt, GNUTLS_KEY_KEY_ENCIPHERMENT);
178 gnutls_x509_crt_set_version(crt, 3);
179
180 bytes = sizeof(buffer);
181 if (gnutls_x509_crt_get_key_id(crt, 0, buffer, &bytes) >= 0)
182 gnutls_x509_crt_set_subject_key_id(crt, buffer, bytes);
183
184 gnutls_x509_crt_sign(crt, crt, key);
185
186 /*
187 * Save it...
188 */
189
190 bytes = sizeof(buffer);
191 if ((result = gnutls_x509_crt_export(crt, GNUTLS_X509_FMT_PEM, buffer, &bytes)) < 0)
192 {
d0facf48 193 DEBUG_printf(("1cupsMakeServerCredentials: Unable to export public key and X.509 certificate: %s", gnutls_strerror(result)));
172bdf5d
MS		 194 _cupsSetError(IPP_STATUS_ERROR_INTERNAL, gnutls_strerror(result), 0);
195 gnutls_x509_crt_deinit(crt);
196 gnutls_x509_privkey_deinit(key);
197 return (0);
198 }
199 else if ((fp = cupsFileOpen(crtfile, "w")) != NULL)
200 {
d0facf48 201 DEBUG_printf(("1cupsMakeServerCredentials: Writing public key and X.509 certificate to \"%s\".", crtfile));
172bdf5d
MS		 202 cupsFileWrite(fp, (char *)buffer, bytes);
203 cupsFileClose(fp);
204 }
205 else
206 {
d0facf48 207 DEBUG_printf(("1cupsMakeServerCredentials: Unable to create public key and X.509 certificate file \"%s\": %s", crtfile, strerror(errno)));
172bdf5d
MS		 208 _cupsSetError(IPP_STATUS_ERROR_INTERNAL, strerror(errno), 0);
209 gnutls_x509_crt_deinit(crt);
210 gnutls_x509_privkey_deinit(key);
211 return (0);
212 }
213
214 /*
215 * Cleanup...
216 */
217
218 gnutls_x509_crt_deinit(crt);
219 gnutls_x509_privkey_deinit(key);
220
d0facf48
MS		 221 DEBUG_puts("1cupsMakeServerCredentials: Successfully created credentials.");
222
172bdf5d 223 return (1);
07623986
MS		 224}
225
226
227/*
228 * 'cupsSetServerCredentials()' - Set the default server credentials.
229 *
230 * Note: The server credentials are used by all threads in the running process.
231 * This function is threadsafe.
232 *
e1f19878 233 * @since CUPS 2.0/OS 10.10@
07623986
MS		 234 */
235
236int /* O - 1 on success, 0 on failure */
237cupsSetServerCredentials(
238 const char *path, /* I - Path to keychain/directory */
239 const char *common_name, /* I - Default common name for server */
240 int auto_create) /* I - 1 = automatically create self-signed certificates */
241{
f394e0f7 242 char temp[1024]; /* Default path buffer */
172bdf5d
MS		 243
244
245 DEBUG_printf(("cupsSetServerCredentials(path=\"%s\", common_name=\"%s\", auto_create=%d)", path, common_name, auto_create));
246
07623986 247 /*
d0facf48 248 * Use defaults as needed...
07623986
MS		 249 */
250
d0facf48
MS		 251 if (!path)
252 path = http_gnutls_default_path(temp, sizeof(temp));
07623986 253
172bdf5d 254 /*
d0facf48 255 * Range check input...
172bdf5d
MS		 256 */
257
d0facf48 258 if (!path || !common_name)
172bdf5d 259 {
d0facf48
MS		 260 _cupsSetError(IPP_STATUS_ERROR_INTERNAL, strerror(EINVAL), 0);
261 return (0);
262 }
172bdf5d 263
d0facf48
MS		 264 _cupsMutexLock(&tls_mutex);
265
266 /*
267 * Free old values...
268 */
172bdf5d 269
d0facf48
MS		 270 if (tls_keypath)
271 _cupsStrFree(tls_keypath);
172bdf5d 272
d0facf48
MS		 273 if (tls_common_name)
274 _cupsStrFree(tls_common_name);
172bdf5d 275
07623986
MS		 276 /*
277 * Save the new values...
278 */
279
280 tls_keypath = _cupsStrAlloc(path);
281 tls_auto_create = auto_create;
282 tls_common_name = _cupsStrAlloc(common_name);
283
284 _cupsMutexUnlock(&tls_mutex);
285
286 return (1);
287}
288
289
dd332638
MS		 290/*
291 * 'httpCopyCredentials()' - Copy the credentials associated with the peer in
292 * an encrypted connection.
293 *
8072030b 294 * @since CUPS 1.5/macOS 10.7@
dd332638
MS		 295 */
296
297int /* O - Status of call (0 = success) */
298httpCopyCredentials(
299 http_t *http, /* I - Connection to server */
300 cups_array_t **credentials) /* O - Array of credentials */
301{
bdc8d1ad
MS		 302 unsigned count; /* Number of certificates */
303 const gnutls_datum_t *certs; /* Certificates */
304
305
306 DEBUG_printf(("httpCopyCredentials(http=%p, credentials=%p)", http, credentials));
307
dd332638
MS		 308 if (credentials)
309 *credentials = NULL;
310
311 if (!http || !http->tls || !credentials)
312 return (-1);
313
bdc8d1ad
MS		 314 *credentials = cupsArrayNew(NULL, NULL);
315 certs = gnutls_certificate_get_peers(http->tls, &count);
316
317 DEBUG_printf(("1httpCopyCredentials: certs=%p, count=%u", certs, count));
318
319 if (certs && count)
320 {
321 while (count > 0)
322 {
323 httpAddCredential(*credentials, certs->data, certs->size);
324 certs ++;
325 count --;
326 }
327 }
328
dd332638
MS		 329 return (0);
330}
331
332
333/*
334 * '_httpCreateCredentials()' - Create credentials in the internal format.
335 */
336
337http_tls_credentials_t /* O - Internal credentials */
338_httpCreateCredentials(
339 cups_array_t *credentials) /* I - Array of credentials */
340{
341 (void)credentials;
342
343 return (NULL);
344}
345
346
347/*
348 * '_httpFreeCredentials()' - Free internal credentials.
349 */
350
351void
352_httpFreeCredentials(
353 http_tls_credentials_t credentials) /* I - Internal credentials */
354{
355 (void)credentials;
356}
357
358
a15960a1
MS		 359/*
360 * 'httpCredentialsAreValidForName()' - Return whether the credentials are valid for the given name.
361 *
e1f19878 362 * @since CUPS 2.0/OS 10.10@
a15960a1
MS		 363 */
364
365int /* O - 1 if valid, 0 otherwise */
366httpCredentialsAreValidForName(
367 cups_array_t *credentials, /* I - Credentials */
368 const char *common_name) /* I - Name to check */
369{
ff82e169
MS		 370 gnutls_x509_crt_t cert; /* Certificate */
371 int result = 0; /* Result */
a15960a1
MS		 372
373
ff82e169
MS		 374 cert = http_gnutls_create_credential((http_credential_t *)cupsArrayFirst(credentials));
375 if (cert)
a15960a1 376 {
ff82e169 377 result = gnutls_x509_crt_check_hostname(cert, common_name) != 0;
08d56b1f
MS		 378
379 if (result)
380 {
381 int i, /* Looping var */
382 count; /* Number of revoked certificates */
383 unsigned char cserial[1024], /* Certificate serial number */
384 rserial[1024]; /* Revoked serial number */
385 size_t cserial_size, /* Size of cert serial number */
386 rserial_size; /* Size of revoked serial number */
387
388 _cupsMutexLock(&tls_mutex);
389
390 count = gnutls_x509_crl_get_crt_count(tls_crl);
391
392 if (count > 0)
393 {
394 cserial_size = sizeof(cserial);
395 gnutls_x509_crt_get_serial(cert, cserial, &cserial_size);
396
397 for (i = 0; i < count; i ++)
398 {
399 rserial_size = sizeof(rserial);
0eff12fa 400 if (!gnutls_x509_crl_get_crt_serial(tls_crl, i, rserial, &rserial_size, NULL) && cserial_size == rserial_size && !memcmp(cserial, rserial, rserial_size))
08d56b1f
MS		 401 {
402 result = 0;
403 break;
404 }
405 }
406 }
407
408 _cupsMutexUnlock(&tls_mutex);
409 }
410
ff82e169 411 gnutls_x509_crt_deinit(cert);
a15960a1 412 }
a15960a1 413
ff82e169 414 return (result);
a15960a1
MS		 415}
416
417
418/*
419 * 'httpCredentialsGetTrust()' - Return the trust of credentials.
420 *
e1f19878 421 * @since CUPS 2.0/OS 10.10@
a15960a1
MS		 422 */
423
424http_trust_t /* O - Level of trust */
425httpCredentialsGetTrust(
426 cups_array_t *credentials, /* I - Credentials */
427 const char *common_name) /* I - Common name for trust lookup */
428{
429 http_trust_t trust = HTTP_TRUST_OK;
430 /* Trusted? */
ff82e169 431 gnutls_x509_crt_t cert; /* Certificate */
a15960a1
MS		 432 cups_array_t *tcreds = NULL; /* Trusted credentials */
433 _cups_globals_t *cg = _cupsGlobals();
434 /* Per-thread globals */
435
436
437 if (!common_name)
e5aa186c
MS		 438 {
439 _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("No common name specified."), 1);
a15960a1 440 return (HTTP_TRUST_UNKNOWN);
e5aa186c 441 }
a15960a1 442
ff82e169 443 if ((cert = http_gnutls_create_credential((http_credential_t *)cupsArrayFirst(credentials))) == NULL)
e5aa186c
MS		 444 {
445 _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Unable to create credentials from array."), 1);
a15960a1 446 return (HTTP_TRUST_UNKNOWN);
e5aa186c 447 }
a15960a1 448
3abb875b 449 if (cg->any_root < 0)
08d56b1f 450 {
3abb875b 451 _cupsSetDefaults();
08d56b1f
MS		 452 http_gnutls_load_crl();
453 }
3abb875b 454
a15960a1
MS		 455 /*
456 * Look this common name up in the default keychains...
457 */
458
459 httpLoadCredentials(NULL, &tcreds, common_name);
460
461 if (tcreds)
462 {
463 char credentials_str[1024], /* String for incoming credentials */
464 tcreds_str[1024]; /* String for saved credentials */
465
466 httpCredentialsString(credentials, credentials_str, sizeof(credentials_str));
467 httpCredentialsString(tcreds, tcreds_str, sizeof(tcreds_str));
468
469 if (strcmp(credentials_str, tcreds_str))
470 {
471 /*
472 * Credentials don't match, let's look at the expiration date of the new
473 * credentials and allow if the new ones have a later expiration...
474 */
475
08d56b1f
MS		 476 if (!cg->trust_first)
477 {
478 /*
479 * Do not trust certificates on first use...
480 */
481
e5aa186c
MS		 482 _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Trust on first use is disabled."), 1);
483
08d56b1f
MS		 484 trust = HTTP_TRUST_INVALID;
485 }
e5aa186c 486 else if (httpCredentialsGetExpiration(credentials) <= httpCredentialsGetExpiration(tcreds))
a15960a1
MS		 487 {
488 /*
e5aa186c 489 * The new credentials are not newly issued...
a15960a1
MS		 490 */
491
e5aa186c
MS		 492 _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("New credentials are older than stored credentials."), 1);
493
494 trust = HTTP_TRUST_INVALID;
495 }
496 else if (!httpCredentialsAreValidForName(credentials, common_name))
497 {
498 /*
499 * The common name does not match the issued certificate...
500 */
501
502 _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("New credentials are not valid for name."), 1);
503
a15960a1
MS		 504 trust = HTTP_TRUST_INVALID;
505 }
506 else if (httpCredentialsGetExpiration(tcreds) < time(NULL))
507 {
508 /*
509 * Save the renewed credentials...
510 */
511
512 trust = HTTP_TRUST_RENEWED;
513
514 httpSaveCredentials(NULL, credentials, common_name);
515 }
516 }
517
518 httpFreeCredentials(tcreds);
519 }
520 else if (cg->validate_certs && !httpCredentialsAreValidForName(credentials, common_name))
e5aa186c
MS		 521 {
522 _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("No stored credentials, not valid for name."), 1);
a15960a1 523 trust = HTTP_TRUST_INVALID;
e5aa186c 524 }
7aeb3615
MS		 525 else if (!cg->trust_first)
526 {
527 _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Trust on first use is disabled."), 1);
528 trust = HTTP_TRUST_INVALID;
529 }
a15960a1 530
ff82e169
MS		 531 if (trust == HTTP_TRUST_OK && !cg->expired_certs)
532 {
533 time_t curtime; /* Current date/time */
534
535 time(&curtime);
536 if (curtime < gnutls_x509_crt_get_activation_time(cert) ||
537 curtime > gnutls_x509_crt_get_expiration_time(cert))
e5aa186c
MS		 538 {
539 _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Credentials have expired."), 1);
ff82e169 540 trust = HTTP_TRUST_EXPIRED;
e5aa186c 541 }
ff82e169
MS		 542 }
543
544 if (trust == HTTP_TRUST_OK && !cg->any_root && cupsArrayCount(credentials) == 1)
e5aa186c
MS		 545 {
546 _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Self-signed credentials are blocked."), 1);
a15960a1 547 trust = HTTP_TRUST_INVALID;
e5aa186c 548 }
a15960a1 549
ff82e169 550 gnutls_x509_crt_deinit(cert);
a15960a1
MS		 551
552 return (trust);
553}
554
555
556/*
557 * 'httpCredentialsGetExpiration()' - Return the expiration date of the credentials.
558 *
e1f19878 559 * @since CUPS 2.0/OS 10.10@
a15960a1
MS		 560 */
561
562time_t /* O - Expiration date of credentials */
563httpCredentialsGetExpiration(
564 cups_array_t *credentials) /* I - Credentials */
565{
ff82e169
MS		 566 gnutls_x509_crt_t cert; /* Certificate */
567 time_t result = 0; /* Result */
568
569
570 cert = http_gnutls_create_credential((http_credential_t *)cupsArrayFirst(credentials));
571 if (cert)
572 {
bdc8d1ad 573 result = gnutls_x509_crt_get_expiration_time(cert);
ff82e169
MS		 574 gnutls_x509_crt_deinit(cert);
575 }
a15960a1 576
ff82e169 577 return (result);
a15960a1
MS		 578}
579
580
581/*
582 * 'httpCredentialsString()' - Return a string representing the credentials.
583 *
e1f19878 584 * @since CUPS 2.0/OS 10.10@
a15960a1
MS		 585 */
586
587size_t /* O - Total size of credentials string */
588httpCredentialsString(
589 cups_array_t *credentials, /* I - Credentials */
590 char *buffer, /* I - Buffer or @code NULL@ */
591 size_t bufsize) /* I - Size of buffer */
592{
ff82e169
MS		 593 http_credential_t *first; /* First certificate */
594 gnutls_x509_crt_t cert; /* Certificate */
595
596
a15960a1
MS		 597 DEBUG_printf(("httpCredentialsString(credentials=%p, buffer=%p, bufsize=" CUPS_LLFMT ")", credentials, buffer, CUPS_LLCAST bufsize));
598
599 if (!buffer)
600 return (0);
601
602 if (buffer && bufsize > 0)
603 *buffer = '\0';
604
a15960a1 605 if ((first = (http_credential_t *)cupsArrayFirst(credentials)) != NULL &&
ff82e169 606 (cert = http_gnutls_create_credential(first)) != NULL)
a15960a1 607 {
a15960a1 608 char name[256]; /* Common name associated with cert */
bdc8d1ad 609 size_t namelen; /* Length of name */
a15960a1
MS		 610 time_t expiration; /* Expiration date of cert */
611 _cups_md5_state_t md5_state; /* MD5 state */
612 unsigned char md5_digest[16]; /* MD5 result */
613
bdc8d1ad
MS		 614 namelen = sizeof(name) - 1;
615 if (gnutls_x509_crt_get_dn_by_oid(cert, GNUTLS_OID_X520_COMMON_NAME, 0, 0, name, &namelen) >= 0)
616 name[namelen] = '\0';
617 else
a15960a1
MS		 618 strlcpy(name, "unknown", sizeof(name));
619
ff82e169 620 expiration = gnutls_x509_crt_get_expiration_time(cert);
a15960a1
MS		 621
622 _cupsMD5Init(&md5_state);
623 _cupsMD5Append(&md5_state, first->data, (int)first->datalen);
624 _cupsMD5Finish(&md5_state, md5_digest);
625
626 snprintf(buffer, bufsize, "%s / %s / %02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X", name, httpGetDateString(expiration), md5_digest[0], md5_digest[1], md5_digest[2], md5_digest[3], md5_digest[4], md5_digest[5], md5_digest[6], md5_digest[7], md5_digest[8], md5_digest[9], md5_digest[10], md5_digest[11], md5_digest[12], md5_digest[13], md5_digest[14], md5_digest[15]);
627
ff82e169 628 gnutls_x509_crt_deinit(cert);
a15960a1 629 }
a15960a1
MS		 630
631 DEBUG_printf(("1httpCredentialsString: Returning \"%s\".", buffer));
632
633 return (strlen(buffer));
634}
635
636
637/*
638 * 'httpLoadCredentials()' - Load X.509 credentials from a keychain file.
639 *
e1f19878 640 * @since CUPS 2.0/OS 10.10@
a15960a1
MS		 641 */
642
643int /* O - 0 on success, -1 on error */
644httpLoadCredentials(
645 const char *path, /* I - Keychain/PKCS#12 path */
646 cups_array_t **credentials, /* IO - Credentials */
647 const char *common_name) /* I - Common name for credentials */
648{
ff82e169
MS		 649 cups_file_t *fp; /* Certificate file */
650 char filename[1024], /* filename.crt */
651 temp[1024], /* Temporary string */
652 line[256]; /* Base64-encoded line */
653 unsigned char *data = NULL; /* Buffer for cert data */
654 size_t alloc_data = 0, /* Bytes allocated */
655 num_data = 0; /* Bytes used */
656 int decoded; /* Bytes decoded */
0de71d36
MS		 657 int in_certificate = 0;
658 /* In a certificate? */
ff82e169
MS		 659
660
661 if (!credentials || !common_name)
662 return (-1);
663
664 if (!path)
665 path = http_gnutls_default_path(temp, sizeof(temp));
666 if (!path)
667 return (-1);
668
26435c51 669 http_gnutls_make_path(filename, sizeof(filename), path, common_name, "crt");
ff82e169
MS		 670
671 if ((fp = cupsFileOpen(filename, "r")) == NULL)
672 return (-1);
673
674 while (cupsFileGets(fp, line, sizeof(line)))
675 {
676 if (!strcmp(line, "-----BEGIN CERTIFICATE-----"))
677 {
0de71d36 678 if (in_certificate)
ff82e169
MS		 679 {
680 /*
681 * Missing END CERTIFICATE...
682 */
683
684 httpFreeCredentials(*credentials);
685 *credentials = NULL;
686 break;
687 }
0de71d36
MS		 688
689 in_certificate = 1;
ff82e169
MS		 690 }
691 else if (!strcmp(line, "-----END CERTIFICATE-----"))
692 {
0de71d36 693 if (!in_certificate || !num_data)
ff82e169
MS		 694 {
695 /*
696 * Missing data...
697 */
a15960a1 698
ff82e169
MS		 699 httpFreeCredentials(*credentials);
700 *credentials = NULL;
701 break;
702 }
703
704 if (!*credentials)
705 *credentials = cupsArrayNew(NULL, NULL);
706
707 if (httpAddCredential(*credentials, data, num_data))
708 {
709 httpFreeCredentials(*credentials);
710 *credentials = NULL;
711 break;
712 }
713
0de71d36
MS		 714 num_data = 0;
715 in_certificate = 0;
ff82e169 716 }
0de71d36 717 else if (in_certificate)
ff82e169
MS		 718 {
719 if (alloc_data == 0)
720 {
721 data = malloc(2048);
722 alloc_data = 2048;
723
724 if (!data)
725 break;
726 }
727 else if ((num_data + strlen(line)) >= alloc_data)
728 {
729 unsigned char *tdata = realloc(data, alloc_data + 1024);
730 /* Expanded buffer */
731
732 if (!tdata)
733 {
734 httpFreeCredentials(*credentials);
735 *credentials = NULL;
736 break;
737 }
738
739 data = tdata;
740 alloc_data += 1024;
741 }
742
743 decoded = alloc_data - num_data;
bdc8d1ad
MS		 744 httpDecode64_2((char *)data + num_data, &decoded, line);
745 num_data += (size_t)decoded;
ff82e169
MS		 746 }
747 }
748
749 cupsFileClose(fp);
750
0de71d36 751 if (in_certificate)
ff82e169
MS		 752 {
753 /*
754 * Missing END CERTIFICATE...
755 */
756
757 httpFreeCredentials(*credentials);
758 *credentials = NULL;
759 }
760
761 if (data)
762 free(data);
763
764 return (*credentials ? 0 : -1);
a15960a1
MS		 765}
766
767
768/*
769 * 'httpSaveCredentials()' - Save X.509 credentials to a keychain file.
770 *
e1f19878 771 * @since CUPS 2.0/OS 10.10@
a15960a1
MS		 772 */
773
774int /* O - -1 on error, 0 on success */
775httpSaveCredentials(
776 const char *path, /* I - Keychain/PKCS#12 path */
777 cups_array_t *credentials, /* I - Credentials */
778 const char *common_name) /* I - Common name for credentials */
779{
ff82e169
MS		 780 cups_file_t *fp; /* Certificate file */
781 char filename[1024], /* filename.crt */
782 nfilename[1024],/* filename.crt.N */
783 temp[1024], /* Temporary string */
bdc8d1ad 784 line[256]; /* Base64-encoded line */
ff82e169 785 const unsigned char *ptr; /* Pointer into certificate */
bdc8d1ad 786 ssize_t remaining; /* Bytes left */
ff82e169
MS		 787 http_credential_t *cred; /* Current credential */
788
789
790 if (!credentials || !common_name)
791 return (-1);
792
793 if (!path)
794 path = http_gnutls_default_path(temp, sizeof(temp));
795 if (!path)
796 return (-1);
797
26435c51
MS		 798 http_gnutls_make_path(filename, sizeof(filename), path, common_name, "crt");
799 snprintf(nfilename, sizeof(nfilename), "%s.N", filename);
ff82e169
MS		 800
801 if ((fp = cupsFileOpen(nfilename, "w")) == NULL)
802 return (-1);
803
804 fchmod(cupsFileNumber(fp), 0600);
805
806 for (cred = (http_credential_t *)cupsArrayFirst(credentials);
807 cred;
808 cred = (http_credential_t *)cupsArrayNext(credentials))
809 {
810 cupsFilePuts(fp, "-----BEGIN CERTIFICATE-----\n");
bdc8d1ad 811 for (ptr = cred->data, remaining = (ssize_t)cred->datalen; remaining > 0; remaining -= 45, ptr += 45)
ff82e169 812 {
bdc8d1ad 813 httpEncode64_2(line, sizeof(line), (char *)ptr, remaining > 45 ? 45 : remaining);
ff82e169
MS		 814 cupsFilePrintf(fp, "%s\n", line);
815 }
816 cupsFilePuts(fp, "-----END CERTIFICATE-----\n");
817 }
818
819 cupsFileClose(fp);
820
821 return (rename(nfilename, filename));
822}
823
824
825/*
826 * 'http_gnutls_create_credential()' - Create a single credential in the internal format.
827 */
828
829static gnutls_x509_crt_t /* O - Certificate */
830http_gnutls_create_credential(
831 http_credential_t *credential) /* I - Credential */
832{
bdc8d1ad
MS		 833 int result; /* Result from GNU TLS */
834 gnutls_x509_crt_t cert; /* Certificate */
ff82e169
MS		 835 gnutls_datum_t datum; /* Data record */
836
837
bdc8d1ad
MS		 838 DEBUG_printf(("3http_gnutls_create_credential(credential=%p)", credential));
839
ff82e169
MS		 840 if (!credential)
841 return (NULL);
842
bdc8d1ad
MS		 843 if ((result = gnutls_x509_crt_init(&cert)) < 0)
844 {
845 DEBUG_printf(("4http_gnutls_create_credential: init error: %s", gnutls_strerror(result)));
ff82e169 846 return (NULL);
bdc8d1ad 847 }
ff82e169 848
bdc8d1ad
MS		 849 datum.data = credential->data;
850 datum.size = credential->datalen;
ff82e169 851
bdc8d1ad 852 if ((result = gnutls_x509_crt_import(cert, &datum, GNUTLS_X509_FMT_DER)) < 0)
ff82e169 853 {
bdc8d1ad
MS		 854 DEBUG_printf(("4http_gnutls_create_credential: import error: %s", gnutls_strerror(result)));
855
ff82e169
MS		 856 gnutls_x509_crt_deinit(cert);
857 return (NULL);
858 }
a15960a1 859
ff82e169 860 return (cert);
a15960a1
MS		 861}
862
863
d0facf48
MS		 864/*
865 * 'http_gnutls_default_path()' - Get the default credential store path.
866 */
867
868static const char * /* O - Path or NULL on error */
869http_gnutls_default_path(char *buffer,/* I - Path buffer */
870 size_t bufsize)/* I - Size of path buffer */
871{
872 const char *home = getenv("HOME"); /* HOME environment variable */
873
874
875 if (getuid() && home)
876 {
877 snprintf(buffer, bufsize, "%s/.cups", home);
878 if (access(buffer, 0))
879 {
880 DEBUG_printf(("1http_gnutls_default_path: Making directory \"%s\".", buffer));
881 if (mkdir(buffer, 0700))
882 {
883 DEBUG_printf(("1http_gnutls_default_path: Failed to make directory: %s", strerror(errno)));
884 return (NULL);
885 }
886 }
887
888 snprintf(buffer, bufsize, "%s/.cups/ssl", home);
889 if (access(buffer, 0))
890 {
891 DEBUG_printf(("1http_gnutls_default_path: Making directory \"%s\".", buffer));
892 if (mkdir(buffer, 0700))
893 {
894 DEBUG_printf(("1http_gnutls_default_path: Failed to make directory: %s", strerror(errno)));
895 return (NULL);
896 }
897 }
898 }
899 else
900 strlcpy(buffer, CUPS_SERVERROOT "/ssl", bufsize);
901
902 DEBUG_printf(("1http_gnutls_default_path: Using default path \"%s\".", buffer));
903
904 return (buffer);
905}
906
907
08d56b1f
MS		 908/*
909 * 'http_gnutls_load_crl()' - Load the certificate revocation list, if any.
910 */
911
912static void
913http_gnutls_load_crl(void)
914{
915 _cupsMutexLock(&tls_mutex);
916
917 if (!gnutls_x509_crl_init(&tls_crl))
918 {
919 cups_file_t *fp; /* CRL file */
920 char filename[1024], /* site.crl */
921 line[256]; /* Base64-encoded line */
922 unsigned char *data = NULL; /* Buffer for cert data */
923 size_t alloc_data = 0, /* Bytes allocated */
924 num_data = 0; /* Bytes used */
925 int decoded; /* Bytes decoded */
926 gnutls_datum_t datum; /* Data record */
927
928
929 http_gnutls_make_path(filename, sizeof(filename), CUPS_SERVERROOT, "site", "crl");
930
931 if ((fp = cupsFileOpen(filename, "r")) != NULL)
932 {
933 while (cupsFileGets(fp, line, sizeof(line)))
934 {
935 if (!strcmp(line, "-----BEGIN X509 CRL-----"))
936 {
937 if (num_data)
938 {
939 /*
940 * Missing END X509 CRL...
941 */
942
943 break;
944 }
945 }
946 else if (!strcmp(line, "-----END X509 CRL-----"))
947 {
948 if (!num_data)
949 {
950 /*
951 * Missing data...
952 */
953
954 break;
955 }
956
957 datum.data = data;
958 datum.size = num_data;
959
0eff12fa 960 gnutls_x509_crl_import(tls_crl, &datum, GNUTLS_X509_FMT_PEM);
08d56b1f
MS		 961
962 num_data = 0;
963 }
964 else
965 {
966 if (alloc_data == 0)
967 {
968 data = malloc(2048);
969 alloc_data = 2048;
970
971 if (!data)
972 break;
973 }
974 else if ((num_data + strlen(line)) >= alloc_data)
975 {
976 unsigned char *tdata = realloc(data, alloc_data + 1024);
977 /* Expanded buffer */
978
979 if (!tdata)
08d56b1f 980 break;
08d56b1f
MS		 981
982 data = tdata;
983 alloc_data += 1024;
984 }
985
986 decoded = alloc_data - num_data;
987 httpDecode64_2((char *)data + num_data, &decoded, line);
988 num_data += (size_t)decoded;
989 }
990 }
991
992 cupsFileClose(fp);
993
994 if (data)
995 free(data);
996 }
997 }
998
999 _cupsMutexUnlock(&tls_mutex);
1000}
1001
1002
26435c51
MS		 1003/*
1004 * 'http_gnutls_make_path()' - Format a filename for a certificate or key file.
1005 */
1006
1007static const char * /* O - Filename */
1008http_gnutls_make_path(
1009 char *buffer, /* I - Filename buffer */
1010 size_t bufsize, /* I - Size of buffer */
1011 const char *dirname, /* I - Directory */
1012 const char *filename, /* I - Filename (usually hostname) */
1013 const char *ext) /* I - Extension */
1014{
1015 char *bufptr, /* Pointer into buffer */
1016 *bufend = buffer + bufsize - 1; /* End of buffer */
1017
1018
1019 snprintf(buffer, bufsize, "%s/", dirname);
1020 bufptr = buffer + strlen(buffer);
1021
1022 while (*filename && bufptr < bufend)
1023 {
1024 if (_cups_isalnum(*filename) || *filename == '-' || *filename == '.')
1025 *bufptr++ = *filename;
1026 else
1027 *bufptr++ = '_';
1028
1029 filename ++;
1030 }
1031
1032 if (bufptr < bufend)
1033 *bufptr++ = '.';
1034
a2751f30 1035 strlcpy(bufptr, ext, (size_t)(bufend - bufptr + 1));
26435c51
MS		 1036
1037 return (buffer);
1038}
1039
1040
dd332638
MS		 1041/*
1042 * 'http_gnutls_read()' - Read function for the GNU TLS library.
1043 */
1044
1045static ssize_t /* O - Number of bytes read or -1 on error */
1046http_gnutls_read(
1047 gnutls_transport_ptr_t ptr, /* I - Connection to server */
1048 void *data, /* I - Buffer */
1049 size_t length) /* I - Number of bytes to read */
1050{
1051 http_t *http; /* HTTP connection */
1052 ssize_t bytes; /* Bytes read */
1053
1054
1055 DEBUG_printf(("6http_gnutls_read(ptr=%p, data=%p, length=%d)", ptr, data, (int)length));
1056
1057 http = (http_t *)ptr;
1058
1059 if (!http->blocking)
1060 {
1061 /*
1062 * Make sure we have data before we read...
1063 */
1064
1065 while (!_httpWait(http, http->wait_value, 0))
1066 {
1067 if (http->timeout_cb && (*http->timeout_cb)(http, http->timeout_data))
1068 continue;
1069
1070 http->error = ETIMEDOUT;
1071 return (-1);
1072 }
1073 }
1074
1075 bytes = recv(http->fd, data, length, 0);
1076 DEBUG_printf(("6http_gnutls_read: bytes=%d", (int)bytes));
1077 return (bytes);
1078}
1079
1080
1081/*
1082 * 'http_gnutls_write()' - Write function for the GNU TLS library.
1083 */
1084
1085static ssize_t /* O - Number of bytes written or -1 on error */
1086http_gnutls_write(
1087 gnutls_transport_ptr_t ptr, /* I - Connection to server */
1088 const void *data, /* I - Data buffer */
1089 size_t length) /* I - Number of bytes to write */
1090{
1091 ssize_t bytes; /* Bytes written */
1092
1093
1094 DEBUG_printf(("6http_gnutls_write(ptr=%p, data=%p, length=%d)", ptr, data,
1095 (int)length));
dd332638
MS		 1096 bytes = send(((http_t *)ptr)->fd, data, length, 0);
1097 DEBUG_printf(("http_gnutls_write: bytes=%d", (int)bytes));
1098
1099 return (bytes);
1100}
2c85b752
MS		 1101
1102
1103/*
172bdf5d 1104 * '_httpTLSInitialize()' - Initialize the TLS stack.
2c85b752
MS		 1105 */
1106
172bdf5d
MS		 1107void
1108_httpTLSInitialize(void)
2c85b752 1109{
2c85b752
MS		 1110 /*
1111 * Initialize GNU TLS...
1112 */
1113
1114 gnutls_global_init();
dd332638 1115}
2c85b752 1116
2c85b752 1117
dd332638 1118/*
172bdf5d 1119 * '_httpTLSPending()' - Return the number of pending TLS-encrypted bytes.
dd332638 1120 */
2c85b752 1121
172bdf5d
MS		 1122size_t /* O - Bytes available */
1123_httpTLSPending(http_t *http) /* I - HTTP connection */
dd332638
MS		 1124{
1125 return (gnutls_record_check_pending(http->tls));
2c85b752
MS		 1126}
1127
1128
2c85b752 1129/*
172bdf5d 1130 * '_httpTLSRead()' - Read from a SSL/TLS connection.
2c85b752
MS		 1131 */
1132
172bdf5d
MS		 1133int /* O - Bytes read */
1134_httpTLSRead(http_t *http, /* I - Connection to server */
1135 char *buf, /* I - Buffer to store data */
1136 int len) /* I - Length of buffer */
2c85b752 1137{
2c85b752
MS		 1138 ssize_t result; /* Return value */
1139
1140
07623986 1141 result = gnutls_record_recv(http->tls, buf, (size_t)len);
2c85b752
MS		 1142
1143 if (result < 0 && !errno)
1144 {
1145 /*
1146 * Convert GNU TLS error to errno value...
1147 */
1148
1149 switch (result)
1150 {
1151 case GNUTLS_E_INTERRUPTED :
1152 errno = EINTR;
1153 break;
1154
1155 case GNUTLS_E_AGAIN :
1156 errno = EAGAIN;
1157 break;
1158
1159 default :
1160 errno = EPIPE;
1161 break;
1162 }
1163
1164 result = -1;
1165 }
1166
1167 return ((int)result);
dd332638 1168}
2c85b752
MS		 1169
1170
dd332638 1171/*
172bdf5d 1172 * '_httpTLSSetCredentials()' - Set the TLS credentials.
dd332638 1173 */
2c85b752 1174
172bdf5d
MS		 1175int /* O - Status of connection */
1176_httpTLSSetCredentials(http_t *http) /* I - Connection to server */
dd332638
MS		 1177{
1178 (void)http;
2c85b752 1179
dd332638 1180 return (0);
2c85b752 1181}
2c85b752
MS		 1182
1183
63aefcd5
MS		 1184/*
1185 * '_httpTLSSetOptions()' - Set TLS protocol and cipher suite options.
1186 */
1187
1188void
1189_httpTLSSetOptions(int options) /* I - Options */
1190{
1191 tls_options = options;
1192}
1193
1194
2c85b752 1195/*
172bdf5d 1196 * '_httpTLSStart()' - Set up SSL/TLS support on a connection.
2c85b752
MS		 1197 */
1198
172bdf5d
MS		 1199int /* O - 0 on success, -1 on failure */
1200_httpTLSStart(http_t *http) /* I - Connection to server */
2c85b752
MS		 1201{
1202 char hostname[256], /* Hostname */
1203 *hostptr; /* Pointer into hostname */
2c85b752 1204 int status; /* Status of handshake */
172bdf5d 1205 gnutls_certificate_credentials_t *credentials;
2c85b752 1206 /* TLS credentials */
ee6226a5
MS		 1207 char priority_string[1024];
1208 /* Priority string */
2c85b752
MS		 1209
1210
b37d45d9
MS		 1211 DEBUG_printf(("3_httpTLSStart(http=%p)", http));
1212
1213 if (tls_options < 0)
1214 {
1215 DEBUG_puts("4_httpTLSStart: Setting defaults.");
1216 _cupsSetDefaults();
1217 DEBUG_printf(("4_httpTLSStart: tls_options=%x", tls_options));
1218 }
2c85b752 1219
172bdf5d 1220 if (http->mode == _HTTP_MODE_SERVER && !tls_keypath)
2c85b752 1221 {
172bdf5d
MS		 1222 DEBUG_puts("4_httpTLSStart: cupsSetServerCredentials not called.");
1223 http->error = errno = EINVAL;
1224 http->status = HTTP_STATUS_ERROR;
1225 _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Server credentials not set."), 1);
2c85b752 1226
172bdf5d 1227 return (-1);
2c85b752
MS		 1228 }
1229
172bdf5d
MS		 1230 credentials = (gnutls_certificate_credentials_t *)
1231 malloc(sizeof(gnutls_certificate_credentials_t));
2c85b752
MS		 1232 if (credentials == NULL)
1233 {
172bdf5d 1234 DEBUG_printf(("8_httpStartTLS: Unable to allocate credentials: %s",
2c85b752
MS		 1235 strerror(errno)));
1236 http->error = errno;
1237 http->status = HTTP_STATUS_ERROR;
1238 _cupsSetHTTPError(HTTP_STATUS_ERROR);
1239
1240 return (-1);
1241 }
1242
1243 gnutls_certificate_allocate_credentials(credentials);
d0facf48 1244 status = gnutls_init(&http->tls, http->mode == _HTTP_MODE_CLIENT ? GNUTLS_CLIENT : GNUTLS_SERVER);
d0facf48 1245 if (!status)
005f7f1f 1246 status = gnutls_set_default_priority(http->tls);
d0facf48
MS		 1247
1248 if (status)
1249 {
1250 http->error = EIO;
1251 http->status = HTTP_STATUS_ERROR;
1252
1253 DEBUG_printf(("4_httpTLSStart: Unable to initialize common TLS parameters: %s", gnutls_strerror(status)));
1254 _cupsSetError(IPP_STATUS_ERROR_CUPS_PKI, gnutls_strerror(status), 0);
1255
1256 gnutls_deinit(http->tls);
1257 gnutls_certificate_free_credentials(*credentials);
1258 free(credentials);
1259 http->tls = NULL;
1260
1261 return (-1);
1262 }
2c85b752 1263
f394e0f7 1264 if (http->mode == _HTTP_MODE_CLIENT)
172bdf5d
MS		 1265 {
1266 /*
1267 * Client: get the hostname to use for TLS...
1268 */
1269
1270 if (httpAddrLocalhost(http->hostaddr))
1271 {
1272 strlcpy(hostname, "localhost", sizeof(hostname));
1273 }
1274 else
1275 {
1276 /*
1277 * Otherwise make sure the hostname we have does not end in a trailing dot.
1278 */
1279
1280 strlcpy(hostname, http->hostname, sizeof(hostname));
1281 if ((hostptr = hostname + strlen(hostname) - 1) >= hostname &&
1282 *hostptr == '.')
1283 *hostptr = '\0';
1284 }
1285
d0facf48 1286 status = gnutls_server_name_set(http->tls, GNUTLS_NAME_DNS, hostname, strlen(hostname));
172bdf5d
MS		 1287 }
1288 else
1289 {
1290 /*
1291 * Server: get certificate and private key...
1292 */
1293
1294 char crtfile[1024], /* Certificate file */
1295 keyfile[1024]; /* Private key file */
1296 int have_creds = 0; /* Have credentials? */
1297
172bdf5d
MS		 1298 if (http->fields[HTTP_FIELD_HOST][0])
1299 {
1300 /*
1301 * Use hostname for TLS upgrade...
1302 */
1303
1304 strlcpy(hostname, http->fields[HTTP_FIELD_HOST], sizeof(hostname));
1305 }
1306 else
1307 {
1308 /*
1309 * Resolve hostname from connection address...
1310 */
1311
1312 http_addr_t addr; /* Connection address */
1313 socklen_t addrlen; /* Length of address */
1314
1315 addrlen = sizeof(addr);
1316 if (getsockname(http->fd, (struct sockaddr *)&addr, &addrlen))
1317 {
1318 DEBUG_printf(("4_httpTLSStart: Unable to get socket address: %s", strerror(errno)));
1319 hostname[0] = '\0';
1320 }
1321 else if (httpAddrLocalhost(&addr))
1322 hostname[0] = '\0';
1323 else
1324 {
1325 httpAddrLookup(&addr, hostname, sizeof(hostname));
1326 DEBUG_printf(("4_httpTLSStart: Resolved socket address to \"%s\".", hostname));
1327 }
1328 }
1329
1330 if (isdigit(hostname[0] & 255) || hostname[0] == '[')
1331 hostname[0] = '\0'; /* Don't allow numeric addresses */
1332
1333 if (hostname[0])
1334 {
9e5e2cef
MS		 1335 /*
1336 * First look for CA certs...
1337 */
1338
1339 snprintf(crtfile, sizeof(crtfile), "/etc/letsencrypt/live/%s/fullchain.pem", hostname);
1340 snprintf(keyfile, sizeof(keyfile), "/etc/letsencrypt/live/%s/privkey.pem", hostname);
1341
1342 if ((access(crtfile, R_OK) || access(keyfile, R_OK)) && (hostptr = strchr(hostname, '.')) != NULL)
1343 {
1344 /*
1345 * Try just domain name...
1346 */
1347
1348 hostptr ++;
1349 if (strchr(hostptr, '.'))
1350 {
1351 snprintf(crtfile, sizeof(crtfile), "/etc/letsencrypt/live/%s/fullchain.pem", hostptr);
1352 snprintf(keyfile, sizeof(keyfile), "/etc/letsencrypt/live/%s/privkey.pem", hostptr);
1353 }
1354 }
1355
1356 if (access(crtfile, R_OK) || access(keyfile, R_OK))
1357 {
1358 /*
1359 * Then look in the CUPS keystore...
1360 */
1361
1362 http_gnutls_make_path(crtfile, sizeof(crtfile), tls_keypath, hostname, "crt");
1363 http_gnutls_make_path(keyfile, sizeof(keyfile), tls_keypath, hostname, "key");
1364 }
172bdf5d 1365
9e5e2cef 1366 have_creds = !access(crtfile, R_OK) && !access(keyfile, R_OK);
172bdf5d
MS		 1367 }
1368 else if (tls_common_name)
1369 {
9e5e2cef
MS		 1370 /*
1371 * First look for CA certs...
1372 */
1373
1374 snprintf(crtfile, sizeof(crtfile), "/etc/letsencrypt/live/%s/fullchain.pem", tls_common_name);
1375 snprintf(keyfile, sizeof(keyfile), "/etc/letsencrypt/live/%s/privkey.pem", tls_common_name);
1376
1377 if ((access(crtfile, R_OK) || access(keyfile, R_OK)) && (hostptr = strchr(tls_common_name, '.')) != NULL)
1378 {
1379 /*
1380 * Try just domain name...
1381 */
1382
1383 hostptr ++;
1384 if (strchr(hostptr, '.'))
1385 {
1386 snprintf(crtfile, sizeof(crtfile), "/etc/letsencrypt/live/%s/fullchain.pem", hostptr);
1387 snprintf(keyfile, sizeof(keyfile), "/etc/letsencrypt/live/%s/privkey.pem", hostptr);
1388 }
1389 }
1390
1391 if (access(crtfile, R_OK) || access(keyfile, R_OK))
1392 {
1393 /*
1394 * Then look in the CUPS keystore...
1395 */
1396
1397 http_gnutls_make_path(crtfile, sizeof(crtfile), tls_keypath, tls_common_name, "crt");
1398 http_gnutls_make_path(keyfile, sizeof(keyfile), tls_keypath, tls_common_name, "key");
1399 }
172bdf5d 1400
9e5e2cef 1401 have_creds = !access(crtfile, R_OK) && !access(keyfile, R_OK);
172bdf5d
MS		 1402 }
1403
1404 if (!have_creds && tls_auto_create && (hostname[0] || tls_common_name))
1405 {
1406 DEBUG_printf(("4_httpTLSStart: Auto-create credentials for \"%s\".", hostname[0] ? hostname : tls_common_name));
1407
1408 if (!cupsMakeServerCredentials(tls_keypath, hostname[0] ? hostname : tls_common_name, 0, NULL, time(NULL) + 365 * 86400))
1409 {
1410 DEBUG_puts("4_httpTLSStart: cupsMakeServerCredentials failed.");
1411 http->error = errno = EINVAL;
1412 http->status = HTTP_STATUS_ERROR;
1413 _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Unable to create server credentials."), 1);
1414
1415 return (-1);
1416 }
1417 }
1418
d0facf48
MS		 1419 DEBUG_printf(("4_httpTLSStart: Using certificate \"%s\" and private key \"%s\".", crtfile, keyfile));
1420
9e5e2cef
MS		 1421 if (!status)
1422 status = gnutls_certificate_set_x509_key_file(*credentials, crtfile, keyfile, GNUTLS_X509_FMT_PEM);
d0facf48
MS		 1423 }
1424
1425 if (!status)
1426 status = gnutls_credentials_set(http->tls, GNUTLS_CRD_CERTIFICATE, *credentials);
1427
1428 if (status)
1429 {
1430 http->error = EIO;
1431 http->status = HTTP_STATUS_ERROR;
1432
1433 DEBUG_printf(("4_httpTLSStart: Unable to complete client/server setup: %s", gnutls_strerror(status)));
1434 _cupsSetError(IPP_STATUS_ERROR_CUPS_PKI, gnutls_strerror(status), 0);
1435
1436 gnutls_deinit(http->tls);
1437 gnutls_certificate_free_credentials(*credentials);
1438 free(credentials);
1439 http->tls = NULL;
1440
1441 return (-1);
172bdf5d
MS		 1442 }
1443
838bcb92
MS		 1444 strlcpy(priority_string, "NORMAL", sizeof(priority_string));
1445
1446 if (tls_options & _HTTP_TLS_DENY_TLS10)
1447 strlcat(priority_string, ":+VERS-TLS-ALL:-VERS-TLS1.0:-VERS-SSL3.0", sizeof(priority_string));
1448 else if (tls_options & _HTTP_TLS_ALLOW_SSL3)
1449 strlcat(priority_string, ":+VERS-TLS-ALL", sizeof(priority_string));
63aefcd5 1450 else
838bcb92 1451 strlcat(priority_string, ":+VERS-TLS-ALL:-VERS-SSL3.0", sizeof(priority_string));
ee6226a5 1452
838bcb92
MS		 1453 if (!(tls_options & _HTTP_TLS_ALLOW_RC4))
1454 strlcat(priority_string, ":-ARCFOUR-128", sizeof(priority_string));
ee6226a5 1455
838bcb92 1456 if (!(tls_options & _HTTP_TLS_ALLOW_DH))
72aa7cb4 1457 strlcat(priority_string, ":!ANON-DH", sizeof(priority_string));
ee6226a5 1458
ee6226a5
MS		 1459#ifdef HAVE_GNUTLS_PRIORITY_SET_DIRECT
1460 gnutls_priority_set_direct(http->tls, priority_string, NULL);
63aefcd5 1461
19ba6878
MS		 1462#else
1463 gnutls_priority_t priority; /* Priority */
1464
ee6226a5 1465 gnutls_priority_init(&priority, priority_string, NULL);
19ba6878
MS		 1466 gnutls_priority_set(http->tls, priority);
1467 gnutls_priority_deinit(priority);
1468#endif /* HAVE_GNUTLS_PRIORITY_SET_DIRECT */
1469
d0facf48
MS		 1470 gnutls_transport_set_ptr(http->tls, (gnutls_transport_ptr_t)http);
1471 gnutls_transport_set_pull_function(http->tls, http_gnutls_read);
e7312eb4 1472#ifdef HAVE_GNUTLS_TRANSPORT_SET_PULL_TIMEOUT_FUNCTION
d0facf48 1473 gnutls_transport_set_pull_timeout_function(http->tls, (gnutls_pull_timeout_func)httpWait);
e7312eb4 1474#endif /* HAVE_GNUTLS_TRANSPORT_SET_PULL_TIMEOUT_FUNCTION */
d0facf48
MS		 1475 gnutls_transport_set_push_function(http->tls, http_gnutls_write);
1476
2c85b752
MS		 1477 while ((status = gnutls_handshake(http->tls)) != GNUTLS_E_SUCCESS)
1478 {
d0facf48 1479 DEBUG_printf(("5_httpStartTLS: gnutls_handshake returned %d (%s)",
2c85b752
MS		 1480 status, gnutls_strerror(status)));
1481
1482 if (gnutls_error_is_fatal(status))
1483 {
1484 http->error = EIO;
1485 http->status = HTTP_STATUS_ERROR;
1486
1487 _cupsSetError(IPP_STATUS_ERROR_CUPS_PKI, gnutls_strerror(status), 0);
1488
1489 gnutls_deinit(http->tls);
1490 gnutls_certificate_free_credentials(*credentials);
1491 free(credentials);
1492 http->tls = NULL;
1493
1494 return (-1);
1495 }
1496 }
1497
1498 http->tls_credentials = credentials;
1499
2c85b752
MS		 1500 return (0);
1501}
1502
1503
1504/*
172bdf5d 1505 * '_httpTLSStop()' - Shut down SSL/TLS on a connection.
2c85b752
MS		 1506 */
1507
172bdf5d
MS		 1508void
1509_httpTLSStop(http_t *http) /* I - Connection to server */
2c85b752 1510{
172bdf5d
MS		 1511 int error; /* Error code */
1512
2c85b752 1513
f394e0f7 1514 error = gnutls_bye(http->tls, http->mode == _HTTP_MODE_CLIENT ? GNUTLS_SHUT_RDWR : GNUTLS_SHUT_WR);
172bdf5d 1515 if (error != GNUTLS_E_SUCCESS)
f394e0f7 1516 _cupsSetError(IPP_STATUS_ERROR_INTERNAL, gnutls_strerror(errno), 0);
2c85b752 1517
2c85b752 1518 gnutls_deinit(http->tls);
172bdf5d
MS		 1519 http->tls = NULL;
1520
d0facf48
MS		 1521 if (http->tls_credentials)
1522 {
1523 gnutls_certificate_free_credentials(*(http->tls_credentials));
1524 free(http->tls_credentials);
1525 http->tls_credentials = NULL;
1526 }
2c85b752 1527}
2c85b752
MS		 1528
1529
2c85b752 1530/*
172bdf5d 1531 * '_httpTLSWrite()' - Write to a SSL/TLS connection.
2c85b752
MS		 1532 */
1533
172bdf5d
MS		 1534int /* O - Bytes written */
1535_httpTLSWrite(http_t *http, /* I - Connection to server */
1536 const char *buf, /* I - Buffer holding data */
1537 int len) /* I - Length of buffer */
2c85b752
MS		 1538{
1539 ssize_t result; /* Return value */
1540
1541
1542 DEBUG_printf(("2http_write_ssl(http=%p, buf=%p, len=%d)", http, buf, len));
1543
07623986 1544 result = gnutls_record_send(http->tls, buf, (size_t)len);
2c85b752
MS		 1545
1546 if (result < 0 && !errno)
1547 {
1548 /*
1549 * Convert GNU TLS error to errno value...
1550 */
1551
1552 switch (result)
1553 {
1554 case GNUTLS_E_INTERRUPTED :
1555 errno = EINTR;
1556 break;
1557
1558 case GNUTLS_E_AGAIN :
1559 errno = EAGAIN;
1560 break;
1561
1562 default :
1563 errno = EPIPE;
1564 break;
1565 }
1566
1567 result = -1;
1568 }
1569
2c85b752
MS		 1570 DEBUG_printf(("3http_write_ssl: Returning %d.", (int)result));
1571
1572 return ((int)result);
1573}
Unnamed repository; edit this file 'description' to name the repository.