]>
Commit | Line | Data |
---|---|---|
82cc1f9a MS |
1 | /* |
2 | * "$Id$" | |
3 | * | |
4 | * TLS support code for the CUPS scheduler using OpenSSL. | |
5 | * | |
6 | * Copyright 2007-2012 by Apple Inc. | |
7 | * Copyright 1997-2007 by Easy Software Products, all rights reserved. | |
8 | * | |
9 | * These coded instructions, statements, and computer programs are the | |
10 | * property of Apple Inc. and are protected by Federal copyright | |
11 | * law. Distribution and use rights are outlined in the file "LICENSE.txt" | |
12 | * which should have been included with this file. If this file is | |
13 | * file is missing or damaged, see the license at "http://www.cups.org/". | |
14 | * | |
15 | * Contents: | |
16 | * | |
17 | * cupsdEndTLS() - Shutdown a secure session with the client. | |
18 | * cupsdStartTLS() - Start a secure session with the client. | |
19 | * make_certificate() - Make a self-signed SSL/TLS certificate. | |
20 | */ | |
21 | ||
22 | ||
23 | /* | |
24 | * Local functions... | |
25 | */ | |
26 | ||
27 | static int make_certificate(cupsd_client_t *con); | |
28 | ||
29 | ||
30 | /* | |
31 | * 'cupsdEndTLS()' - Shutdown a secure session with the client. | |
32 | */ | |
33 | ||
34 | int /* O - 1 on success, 0 on error */ | |
35 | cupsdEndTLS(cupsd_client_t *con) /* I - Client connection */ | |
36 | { | |
37 | SSL_CTX *context; /* Context for encryption */ | |
38 | unsigned long error; /* Error code */ | |
39 | int status; /* Return status */ | |
40 | ||
41 | ||
42 | context = SSL_get_SSL_CTX(con->http.tls); | |
43 | ||
44 | switch (SSL_shutdown(con->http.tls)) | |
45 | { | |
46 | case 1 : | |
47 | cupsdLogMessage(CUPSD_LOG_DEBUG, | |
48 | "SSL shutdown successful!"); | |
49 | status = 1; | |
50 | break; | |
51 | ||
52 | case -1 : | |
53 | cupsdLogMessage(CUPSD_LOG_ERROR, | |
54 | "Fatal error during SSL shutdown!"); | |
55 | ||
56 | default : | |
57 | while ((error = ERR_get_error()) != 0) | |
58 | cupsdLogMessage(CUPSD_LOG_ERROR, "SSL shutdown failed: %s", | |
59 | ERR_error_string(error, NULL)); | |
60 | status = 0; | |
61 | break; | |
62 | } | |
63 | ||
64 | SSL_CTX_free(context); | |
65 | SSL_free(con->http.tls); | |
66 | con->http.tls = NULL; | |
67 | ||
68 | return (status); | |
69 | } | |
70 | ||
71 | ||
72 | /* | |
73 | * 'cupsdStartTLS()' - Start a secure session with the client. | |
74 | */ | |
75 | ||
76 | int /* O - 1 on success, 0 on error */ | |
77 | cupsdStartTLS(cupsd_client_t *con) /* I - Client connection */ | |
78 | { | |
79 | SSL_CTX *context; /* Context for encryption */ | |
80 | BIO *bio; /* BIO data */ | |
81 | unsigned long error; /* Error code */ | |
82 | ||
83 | ||
84 | cupsdLogMessage(CUPSD_LOG_DEBUG, "[Client %d] Encrypting connection.", | |
85 | con->http.fd); | |
86 | ||
87 | /* | |
88 | * Verify that we have a certificate... | |
89 | */ | |
90 | ||
91 | if (access(ServerKey, 0) || access(ServerCertificate, 0)) | |
92 | { | |
93 | /* | |
94 | * Nope, make a self-signed certificate... | |
95 | */ | |
96 | ||
97 | if (!make_certificate(con)) | |
98 | return (0); | |
99 | } | |
100 | ||
101 | /* | |
102 | * Create the SSL context and accept the connection... | |
103 | */ | |
104 | ||
105 | context = SSL_CTX_new(SSLv23_server_method()); | |
106 | ||
107 | SSL_CTX_set_options(context, SSL_OP_NO_SSLv2); /* Only use SSLv3 or TLS */ | |
108 | if (SSLOptions & CUPSD_SSL_NOEMPTY) | |
109 | SSL_CTX_set_options(context, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS); | |
110 | SSL_CTX_use_PrivateKey_file(context, ServerKey, SSL_FILETYPE_PEM); | |
111 | SSL_CTX_use_certificate_chain_file(context, ServerCertificate); | |
112 | ||
113 | bio = BIO_new(_httpBIOMethods()); | |
114 | BIO_ctrl(bio, BIO_C_SET_FILE_PTR, 0, (char *)HTTP(con)); | |
115 | ||
116 | con->http.tls = SSL_new(context); | |
117 | SSL_set_bio(con->http.tls, bio, bio); | |
118 | ||
119 | if (SSL_accept(con->http.tls) != 1) | |
120 | { | |
121 | cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to encrypt connection from %s.", | |
122 | con->http.hostname); | |
123 | ||
124 | while ((error = ERR_get_error()) != 0) | |
125 | cupsdLogMessage(CUPSD_LOG_ERROR, "%s", ERR_error_string(error, NULL)); | |
126 | ||
127 | SSL_CTX_free(context); | |
128 | SSL_free(con->http.tls); | |
129 | con->http.tls = NULL; | |
130 | return (0); | |
131 | } | |
132 | ||
133 | cupsdLogMessage(CUPSD_LOG_DEBUG, "Connection from %s now encrypted.", | |
134 | con->http.hostname); | |
135 | ||
136 | return (1); | |
137 | } | |
138 | ||
139 | ||
140 | /* | |
141 | * 'make_certificate()' - Make a self-signed SSL/TLS certificate. | |
142 | */ | |
143 | ||
144 | static int /* O - 1 on success, 0 on failure */ | |
145 | make_certificate(cupsd_client_t *con) /* I - Client connection */ | |
146 | { | |
147 | #ifdef HAVE_WAITPID | |
148 | int pid, /* Process ID of command */ | |
149 | status; /* Status of command */ | |
150 | char command[1024], /* Command */ | |
151 | *argv[12], /* Command-line arguments */ | |
152 | *envp[MAX_ENV + 1], /* Environment variables */ | |
153 | infofile[1024], /* Type-in information for cert */ | |
154 | seedfile[1024]; /* Random number seed file */ | |
155 | int envc, /* Number of environment variables */ | |
156 | bytes; /* Bytes written */ | |
157 | cups_file_t *fp; /* Seed/info file */ | |
158 | int infofd; /* Info file descriptor */ | |
159 | ||
160 | ||
161 | /* | |
162 | * Run the "openssl" command to seed the random number generator and | |
163 | * generate a self-signed certificate that is good for 10 years: | |
164 | * | |
165 | * openssl rand -rand seedfile 1 | |
166 | * | |
167 | * openssl req -new -x509 -keyout ServerKey \ | |
168 | * -out ServerCertificate -days 3650 -nodes | |
169 | * | |
170 | * The seeding step is crucial in ensuring that the openssl command | |
171 | * does not block on systems without sufficient entropy... | |
172 | */ | |
173 | ||
174 | if (!cupsFileFind("openssl", getenv("PATH"), 1, command, sizeof(command))) | |
175 | { | |
176 | cupsdLogMessage(CUPSD_LOG_ERROR, | |
177 | "No SSL certificate and openssl command not found!"); | |
178 | return (0); | |
179 | } | |
180 | ||
181 | if (access("/dev/urandom", 0)) | |
182 | { | |
183 | /* | |
184 | * If the system doesn't provide /dev/urandom, then any random source | |
185 | * will probably be blocking-style, so generate some random data to | |
186 | * use as a seed for the certificate. Note that we have already | |
187 | * seeded the random number generator in cupsdInitCerts()... | |
188 | */ | |
189 | ||
190 | cupsdLogMessage(CUPSD_LOG_INFO, | |
191 | "Seeding the random number generator..."); | |
192 | ||
193 | /* | |
194 | * Write the seed file... | |
195 | */ | |
196 | ||
197 | if ((fp = cupsTempFile2(seedfile, sizeof(seedfile))) == NULL) | |
198 | { | |
199 | cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to create seed file %s - %s", | |
200 | seedfile, strerror(errno)); | |
201 | return (0); | |
202 | } | |
203 | ||
204 | for (bytes = 0; bytes < 262144; bytes ++) | |
205 | cupsFilePutChar(fp, CUPS_RAND()); | |
206 | ||
207 | cupsFileClose(fp); | |
208 | ||
209 | /* | |
210 | * Run the openssl command to seed its random number generator... | |
211 | */ | |
212 | ||
213 | argv[0] = "openssl"; | |
214 | argv[1] = "rand"; | |
215 | argv[2] = "-rand"; | |
216 | argv[3] = seedfile; | |
217 | argv[4] = "1"; | |
218 | argv[5] = NULL; | |
219 | ||
220 | envc = cupsdLoadEnv(envp, MAX_ENV); | |
221 | envp[envc] = NULL; | |
222 | ||
223 | if (!cupsdStartProcess(command, argv, envp, -1, -1, -1, -1, -1, 1, NULL, | |
224 | NULL, &pid)) | |
225 | { | |
226 | unlink(seedfile); | |
227 | return (0); | |
228 | } | |
229 | ||
230 | while (waitpid(pid, &status, 0) < 0) | |
231 | if (errno != EINTR) | |
232 | { | |
233 | status = 1; | |
234 | break; | |
235 | } | |
236 | ||
237 | cupsdFinishProcess(pid, command, sizeof(command), NULL); | |
238 | ||
239 | /* | |
240 | * Remove the seed file, as it is no longer needed... | |
241 | */ | |
242 | ||
243 | unlink(seedfile); | |
244 | ||
245 | if (status) | |
246 | { | |
247 | if (WIFEXITED(status)) | |
248 | cupsdLogMessage(CUPSD_LOG_ERROR, | |
249 | "Unable to seed random number generator - " | |
250 | "the openssl command stopped with status %d!", | |
251 | WEXITSTATUS(status)); | |
252 | else | |
253 | cupsdLogMessage(CUPSD_LOG_ERROR, | |
254 | "Unable to seed random number generator - " | |
255 | "the openssl command crashed on signal %d!", | |
256 | WTERMSIG(status)); | |
257 | ||
258 | return (0); | |
259 | } | |
260 | } | |
261 | ||
262 | /* | |
263 | * Create a file with the certificate information fields... | |
264 | * | |
265 | * Note: This assumes that the default questions are asked by the openssl | |
266 | * command... | |
267 | */ | |
268 | ||
269 | if ((fp = cupsTempFile2(infofile, sizeof(infofile))) == NULL) | |
270 | { | |
271 | cupsdLogMessage(CUPSD_LOG_ERROR, | |
272 | "Unable to create certificate information file %s - %s", | |
273 | infofile, strerror(errno)); | |
274 | return (0); | |
275 | } | |
276 | ||
277 | cupsFilePrintf(fp, ".\n.\n.\n%s\n.\n%s\n%s\n", | |
278 | ServerName, ServerName, ServerAdmin); | |
279 | cupsFileClose(fp); | |
280 | ||
281 | cupsdLogMessage(CUPSD_LOG_INFO, | |
282 | "Generating SSL server key and certificate..."); | |
283 | ||
284 | argv[0] = "openssl"; | |
285 | argv[1] = "req"; | |
286 | argv[2] = "-new"; | |
287 | argv[3] = "-x509"; | |
288 | argv[4] = "-keyout"; | |
289 | argv[5] = ServerKey; | |
290 | argv[6] = "-out"; | |
291 | argv[7] = ServerCertificate; | |
292 | argv[8] = "-days"; | |
293 | argv[9] = "3650"; | |
294 | argv[10] = "-nodes"; | |
295 | argv[11] = NULL; | |
296 | ||
297 | cupsdLoadEnv(envp, MAX_ENV); | |
298 | ||
299 | infofd = open(infofile, O_RDONLY); | |
300 | ||
301 | if (!cupsdStartProcess(command, argv, envp, infofd, -1, -1, -1, -1, 1, NULL, | |
302 | NULL, &pid)) | |
303 | { | |
304 | close(infofd); | |
305 | unlink(infofile); | |
306 | return (0); | |
307 | } | |
308 | ||
309 | close(infofd); | |
310 | unlink(infofile); | |
311 | ||
312 | while (waitpid(pid, &status, 0) < 0) | |
313 | if (errno != EINTR) | |
314 | { | |
315 | status = 1; | |
316 | break; | |
317 | } | |
318 | ||
319 | cupsdFinishProcess(pid, command, sizeof(command), NULL); | |
320 | ||
321 | if (status) | |
322 | { | |
323 | if (WIFEXITED(status)) | |
324 | cupsdLogMessage(CUPSD_LOG_ERROR, | |
325 | "Unable to create SSL server key and certificate - " | |
326 | "the openssl command stopped with status %d!", | |
327 | WEXITSTATUS(status)); | |
328 | else | |
329 | cupsdLogMessage(CUPSD_LOG_ERROR, | |
330 | "Unable to create SSL server key and certificate - " | |
331 | "the openssl command crashed on signal %d!", | |
332 | WTERMSIG(status)); | |
333 | } | |
334 | else | |
335 | { | |
336 | cupsdLogMessage(CUPSD_LOG_INFO, "Created SSL server key file \"%s\"...", | |
337 | ServerKey); | |
338 | cupsdLogMessage(CUPSD_LOG_INFO, | |
339 | "Created SSL server certificate file \"%s\"...", | |
340 | ServerCertificate); | |
341 | } | |
342 | ||
343 | return (!status); | |
344 | ||
345 | #else | |
346 | return (0); | |
347 | #endif /* HAVE_WAITPID */ | |
348 | } | |
349 | ||
350 | ||
351 | /* | |
352 | * End of "$Id$". | |
353 | */ |