/*
- * "$Id$"
- *
* TLS support code for CUPS using GNU TLS.
*
- * Copyright 2007-2014 by Apple Inc.
- * Copyright 1997-2007 by Easy Software Products, all rights reserved.
- *
- * These coded instructions, statements, and computer programs are the
- * property of Apple Inc. and are protected by Federal copyright
- * law. Distribution and use rights are outlined in the file "LICENSE.txt"
- * which should have been included with this file. If this file is
- * file is missing or damaged, see the license at "http://www.cups.org/".
+ * Copyright © 2007-2019 by Apple Inc.
+ * Copyright © 1997-2007 by Easy Software Products, all rights reserved.
*
- * This file is subject to the Apple OS-Developed Software exception.
+ * Licensed under Apache License v2.0. See the file "LICENSE" for more
+ * information.
+ */
+
+/**** This file is included from tls.c ****/
+
+/*
+ * Include necessary headers...
*/
+#include <sys/stat.h>
+
/*
* Local globals...
/* Auto-create self-signed certs? */
static char *tls_common_name = NULL;
/* Default common name */
+static gnutls_x509_crl_t tls_crl = NULL;/* Certificate revocation list */
static char *tls_keypath = NULL;
/* Server cert keychain path */
static _cups_mutex_t tls_mutex = _CUPS_MUTEX_INITIALIZER;
/* Mutex for keychain/certs */
+static int tls_options = -1,/* Options for TLS connections */
+ tls_min_version = _HTTP_TLS_1_0,
+ tls_max_version = _HTTP_TLS_MAX;
/*
* Local functions...
*/
-//static int make_certificate(cupsd_client_t *con);
-static ssize_t http_gnutls_read(gnutls_transport_ptr_t ptr, void *data, size_t length);
-static ssize_t http_gnutls_write(gnutls_transport_ptr_t ptr, const void *data, size_t length);
+static gnutls_x509_crt_t http_gnutls_create_credential(http_credential_t *credential);
+static const char *http_gnutls_default_path(char *buffer, size_t bufsize);
+static void http_gnutls_load_crl(void);
+static const char *http_gnutls_make_path(char *buffer, size_t bufsize, const char *dirname, const char *filename, const char *ext);
+static ssize_t http_gnutls_read(gnutls_transport_ptr_t ptr, void *data, size_t length);
+static ssize_t http_gnutls_write(gnutls_transport_ptr_t ptr, const void *data, size_t length);
/*
* 'cupsMakeServerCredentials()' - Make a self-signed certificate and private key pair.
*
- * @since CUPS 2.0@
+ * @since CUPS 2.0/OS 10.10@
*/
int /* O - 1 on success, 0 on failure */
*/
if (!path)
- {
- const char *home = getenv("HOME"); /* HOME environment variable */
+ path = http_gnutls_default_path(temp, sizeof(temp));
- if (getuid() && home)
- snprintf(temp, sizeof(temp), "%s/.cups/ssl", home);
- else
- snprintf(temp, sizeof(temp), "%s/ssl", CUPS_SERVERROOT);
-
- path = temp;
-
- DEBUG_printf(("1cupsMakeServerCredentials: Using default path \"%s\".", path));
+ if (!path || !common_name)
+ {
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL, strerror(EINVAL), 0);
+ return (0);
}
- snprintf(crtfile, sizeof(crtfile), "%s/%s.crt", path, common_name);
- snprintf(keyfile, sizeof(keyfile), "%s/%s.key", path, common_name);
+ http_gnutls_make_path(crtfile, sizeof(crtfile), path, common_name, "crt");
+ http_gnutls_make_path(keyfile, sizeof(keyfile), path, common_name, "key");
/*
* Create the encryption key...
*/
+ DEBUG_puts("1cupsMakeServerCredentials: Creating key pair.");
+
gnutls_x509_privkey_init(&key);
gnutls_x509_privkey_generate(key, GNUTLS_PK_RSA, 2048, 0);
+ DEBUG_puts("1cupsMakeServerCredentials: Key pair created.");
+
/*
* Save it...
*/
bytes = sizeof(buffer);
- if ((result = gnutls_x509_privkey_export(key, GNUTLS_X509_FMT_PEM,
- buffer, &bytes)) < 0)
+ if ((result = gnutls_x509_privkey_export(key, GNUTLS_X509_FMT_PEM, buffer, &bytes)) < 0)
{
+ DEBUG_printf(("1cupsMakeServerCredentials: Unable to export private key: %s", gnutls_strerror(result)));
_cupsSetError(IPP_STATUS_ERROR_INTERNAL, gnutls_strerror(result), 0);
gnutls_x509_privkey_deinit(key);
return (0);
}
else if ((fp = cupsFileOpen(keyfile, "w")) != NULL)
{
+ DEBUG_printf(("1cupsMakeServerCredentials: Writing private key to \"%s\".", keyfile));
cupsFileWrite(fp, (char *)buffer, bytes);
cupsFileClose(fp);
}
else
{
+ DEBUG_printf(("1cupsMakeServerCredentials: Unable to create private key file \"%s\": %s", keyfile, strerror(errno)));
_cupsSetError(IPP_STATUS_ERROR_INTERNAL, strerror(errno), 0);
gnutls_x509_privkey_deinit(key);
return (0);
* Create the self-signed certificate...
*/
- DEBUG_puts("1cupsMakeServerCredentials: Generating self-signed SSL certificate.");
+ DEBUG_puts("1cupsMakeServerCredentials: Generating self-signed X.509 certificate.");
language = cupsLangDefault();
curtime = time(NULL);
gnutls_x509_crt_set_activation_time(crt, curtime);
gnutls_x509_crt_set_expiration_time(crt, curtime + 10 * 365 * 86400);
gnutls_x509_crt_set_ca_status(crt, 0);
+ gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_DNSNAME, common_name, (unsigned)strlen(common_name), GNUTLS_FSAN_SET);
+ if (!strchr(common_name, '.'))
+ {
+ /*
+ * Add common_name.local to the list, too...
+ */
+
+ char localname[256]; /* hostname.local */
+
+ snprintf(localname, sizeof(localname), "%s.local", common_name);
+ gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_DNSNAME, localname, (unsigned)strlen(localname), GNUTLS_FSAN_APPEND);
+ }
+ gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_DNSNAME, "localhost", 9, GNUTLS_FSAN_APPEND);
if (num_alt_names > 0)
- gnutls_x509_crt_set_subject_alternative_name(crt, GNUTLS_SAN_DNSNAME, alt_names[0]);
+ {
+ int i; /* Looping var */
+
+ for (i = 0; i < num_alt_names; i ++)
+ {
+ if (strcmp(alt_names[i], "localhost"))
+ {
+ gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_DNSNAME, alt_names[i], (unsigned)strlen(alt_names[i]), GNUTLS_FSAN_APPEND);
+ }
+ }
+ }
gnutls_x509_crt_set_key_purpose_oid(crt, GNUTLS_KP_TLS_WWW_SERVER, 0);
- gnutls_x509_crt_set_key_usage(crt, GNUTLS_KEY_KEY_ENCIPHERMENT);
+ gnutls_x509_crt_set_key_usage(crt, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT);
gnutls_x509_crt_set_version(crt, 3);
bytes = sizeof(buffer);
bytes = sizeof(buffer);
if ((result = gnutls_x509_crt_export(crt, GNUTLS_X509_FMT_PEM, buffer, &bytes)) < 0)
{
+ DEBUG_printf(("1cupsMakeServerCredentials: Unable to export public key and X.509 certificate: %s", gnutls_strerror(result)));
_cupsSetError(IPP_STATUS_ERROR_INTERNAL, gnutls_strerror(result), 0);
gnutls_x509_crt_deinit(crt);
gnutls_x509_privkey_deinit(key);
}
else if ((fp = cupsFileOpen(crtfile, "w")) != NULL)
{
+ DEBUG_printf(("1cupsMakeServerCredentials: Writing public key and X.509 certificate to \"%s\".", crtfile));
cupsFileWrite(fp, (char *)buffer, bytes);
cupsFileClose(fp);
}
else
{
+ DEBUG_printf(("1cupsMakeServerCredentials: Unable to create public key and X.509 certificate file \"%s\": %s", crtfile, strerror(errno)));
_cupsSetError(IPP_STATUS_ERROR_INTERNAL, strerror(errno), 0);
gnutls_x509_crt_deinit(crt);
gnutls_x509_privkey_deinit(key);
gnutls_x509_crt_deinit(crt);
gnutls_x509_privkey_deinit(key);
+ DEBUG_puts("1cupsMakeServerCredentials: Successfully created credentials.");
+
return (1);
}
* Note: The server credentials are used by all threads in the running process.
* This function is threadsafe.
*
- * @since CUPS 2.0@
+ * @since CUPS 2.0/OS 10.10@
*/
int /* O - 1 on success, 0 on failure */
DEBUG_printf(("cupsSetServerCredentials(path=\"%s\", common_name=\"%s\", auto_create=%d)", path, common_name, auto_create));
- _cupsMutexLock(&tls_mutex);
-
/*
- * Free old values...
+ * Use defaults as needed...
*/
- if (tls_keypath)
- _cupsStrFree(tls_keypath);
-
- if (tls_common_name)
- _cupsStrFree(tls_common_name);
+ if (!path)
+ path = http_gnutls_default_path(temp, sizeof(temp));
/*
- * Use defaults as needed...
+ * Range check input...
*/
- if (!path)
+ if (!path || !common_name)
{
- const char *home = getenv("HOME"); /* HOME environment variable */
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL, strerror(EINVAL), 0);
+ return (0);
+ }
- if (getuid() && home)
- snprintf(temp, sizeof(temp), "%s/.cups/ssl", home);
- else
- snprintf(temp, sizeof(temp), "%s/ssl", CUPS_SERVERROOT);
+ _cupsMutexLock(&tls_mutex);
+
+ /*
+ * Free old values...
+ */
- path = temp;
+ if (tls_keypath)
+ _cupsStrFree(tls_keypath);
- DEBUG_printf(("1cupsSetServerCredentials: Using default path \"%s\".", path));
- }
+ if (tls_common_name)
+ _cupsStrFree(tls_common_name);
/*
* Save the new values...
* 'httpCopyCredentials()' - Copy the credentials associated with the peer in
* an encrypted connection.
*
- * @since CUPS 1.5/OS X 10.7@
+ * @since CUPS 1.5/macOS 10.7@
*/
int /* O - Status of call (0 = success) */
http_t *http, /* I - Connection to server */
cups_array_t **credentials) /* O - Array of credentials */
{
+ unsigned count; /* Number of certificates */
+ const gnutls_datum_t *certs; /* Certificates */
+
+
+ DEBUG_printf(("httpCopyCredentials(http=%p, credentials=%p)", http, credentials));
+
if (credentials)
*credentials = NULL;
if (!http || !http->tls || !credentials)
return (-1);
+ *credentials = cupsArrayNew(NULL, NULL);
+ certs = gnutls_certificate_get_peers(http->tls, &count);
+
+ DEBUG_printf(("1httpCopyCredentials: certs=%p, count=%u", certs, count));
+
+ if (certs && count)
+ {
+ while (count > 0)
+ {
+ httpAddCredential(*credentials, certs->data, certs->size);
+ certs ++;
+ count --;
+ }
+ }
+
return (0);
}
/*
- * 'http_gnutls_read()' - Read function for the GNU TLS library.
+ * 'httpCredentialsAreValidForName()' - Return whether the credentials are valid for the given name.
+ *
+ * @since CUPS 2.0/OS 10.10@
*/
-static ssize_t /* O - Number of bytes read or -1 on error */
-http_gnutls_read(
- gnutls_transport_ptr_t ptr, /* I - Connection to server */
- void *data, /* I - Buffer */
- size_t length) /* I - Number of bytes to read */
+int /* O - 1 if valid, 0 otherwise */
+httpCredentialsAreValidForName(
+ cups_array_t *credentials, /* I - Credentials */
+ const char *common_name) /* I - Name to check */
{
- http_t *http; /* HTTP connection */
- ssize_t bytes; /* Bytes read */
-
-
- DEBUG_printf(("6http_gnutls_read(ptr=%p, data=%p, length=%d)", ptr, data, (int)length));
+ gnutls_x509_crt_t cert; /* Certificate */
+ int result = 0; /* Result */
- http = (http_t *)ptr;
- if (!http->blocking)
+ cert = http_gnutls_create_credential((http_credential_t *)cupsArrayFirst(credentials));
+ if (cert)
{
- /*
- * Make sure we have data before we read...
- */
+ result = gnutls_x509_crt_check_hostname(cert, common_name) != 0;
- while (!_httpWait(http, http->wait_value, 0))
+ if (result)
{
- if (http->timeout_cb && (*http->timeout_cb)(http, http->timeout_data))
- continue;
+ gnutls_x509_crl_iter_t iter = NULL;
+ /* Iterator */
+ unsigned char cserial[1024], /* Certificate serial number */
+ rserial[1024]; /* Revoked serial number */
+ size_t cserial_size, /* Size of cert serial number */
+ rserial_size; /* Size of revoked serial number */
- http->error = ETIMEDOUT;
- return (-1);
+ _cupsMutexLock(&tls_mutex);
+
+ if (gnutls_x509_crl_get_crt_count(tls_crl) > 0)
+ {
+ cserial_size = sizeof(cserial);
+ gnutls_x509_crt_get_serial(cert, cserial, &cserial_size);
+
+ rserial_size = sizeof(rserial);
+
+ while (!gnutls_x509_crl_iter_crt_serial(tls_crl, &iter, rserial, &rserial_size, NULL))
+ {
+ if (cserial_size == rserial_size && !memcmp(cserial, rserial, rserial_size))
+ {
+ result = 0;
+ break;
+ }
+
+ rserial_size = sizeof(rserial);
+ }
+ gnutls_x509_crl_iter_deinit(iter);
+ }
+
+ _cupsMutexUnlock(&tls_mutex);
}
+
+ gnutls_x509_crt_deinit(cert);
}
- bytes = recv(http->fd, data, length, 0);
- DEBUG_printf(("6http_gnutls_read: bytes=%d", (int)bytes));
- return (bytes);
+ return (result);
}
/*
- * 'http_gnutls_write()' - Write function for the GNU TLS library.
+ * 'httpCredentialsGetTrust()' - Return the trust of credentials.
+ *
+ * @since CUPS 2.0/OS 10.10@
*/
-static ssize_t /* O - Number of bytes written or -1 on error */
-http_gnutls_write(
- gnutls_transport_ptr_t ptr, /* I - Connection to server */
- const void *data, /* I - Data buffer */
- size_t length) /* I - Number of bytes to write */
+http_trust_t /* O - Level of trust */
+httpCredentialsGetTrust(
+ cups_array_t *credentials, /* I - Credentials */
+ const char *common_name) /* I - Common name for trust lookup */
{
- ssize_t bytes; /* Bytes written */
-
+ http_trust_t trust = HTTP_TRUST_OK;
+ /* Trusted? */
+ gnutls_x509_crt_t cert; /* Certificate */
+ cups_array_t *tcreds = NULL; /* Trusted credentials */
+ _cups_globals_t *cg = _cupsGlobals();
+ /* Per-thread globals */
- DEBUG_printf(("6http_gnutls_write(ptr=%p, data=%p, length=%d)", ptr, data,
- (int)length));
- bytes = send(((http_t *)ptr)->fd, data, length, 0);
- DEBUG_printf(("http_gnutls_write: bytes=%d", (int)bytes));
- return (bytes);
-}
+ if (!common_name)
+ {
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("No common name specified."), 1);
+ return (HTTP_TRUST_UNKNOWN);
+ }
+ if ((cert = http_gnutls_create_credential((http_credential_t *)cupsArrayFirst(credentials))) == NULL)
+ {
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Unable to create credentials from array."), 1);
+ return (HTTP_TRUST_UNKNOWN);
+ }
-/*
- * '_httpTLSInitialize()' - Initialize the TLS stack.
- */
+ if (cg->any_root < 0)
+ {
+ _cupsSetDefaults();
+ http_gnutls_load_crl();
+ }
-void
-_httpTLSInitialize(void)
-{
/*
- * Initialize GNU TLS...
+ * Look this common name up in the default keychains...
*/
- gnutls_global_init();
-}
+ httpLoadCredentials(NULL, &tcreds, common_name);
+ if (tcreds)
+ {
+ char credentials_str[1024], /* String for incoming credentials */
+ tcreds_str[1024]; /* String for saved credentials */
-/*
- * '_httpTLSPending()' - Return the number of pending TLS-encrypted bytes.
- */
+ httpCredentialsString(credentials, credentials_str, sizeof(credentials_str));
+ httpCredentialsString(tcreds, tcreds_str, sizeof(tcreds_str));
-size_t /* O - Bytes available */
-_httpTLSPending(http_t *http) /* I - HTTP connection */
-{
- return (gnutls_record_check_pending(http->tls));
-}
+ if (strcmp(credentials_str, tcreds_str))
+ {
+ /*
+ * Credentials don't match, let's look at the expiration date of the new
+ * credentials and allow if the new ones have a later expiration...
+ */
+ if (!cg->trust_first)
+ {
+ /*
+ * Do not trust certificates on first use...
+ */
-/*
- * '_httpTLSRead()' - Read from a SSL/TLS connection.
- */
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Trust on first use is disabled."), 1);
-int /* O - Bytes read */
-_httpTLSRead(http_t *http, /* I - Connection to server */
- char *buf, /* I - Buffer to store data */
- int len) /* I - Length of buffer */
-{
- ssize_t result; /* Return value */
+ trust = HTTP_TRUST_INVALID;
+ }
+ else if (httpCredentialsGetExpiration(credentials) <= httpCredentialsGetExpiration(tcreds))
+ {
+ /*
+ * The new credentials are not newly issued...
+ */
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("New credentials are older than stored credentials."), 1);
- result = gnutls_record_recv(http->tls, buf, (size_t)len);
+ trust = HTTP_TRUST_INVALID;
+ }
+ else if (!httpCredentialsAreValidForName(credentials, common_name))
+ {
+ /*
+ * The common name does not match the issued certificate...
+ */
- if (result < 0 && !errno)
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("New credentials are not valid for name."), 1);
+
+ trust = HTTP_TRUST_INVALID;
+ }
+ else if (httpCredentialsGetExpiration(tcreds) < time(NULL))
+ {
+ /*
+ * Save the renewed credentials...
+ */
+
+ trust = HTTP_TRUST_RENEWED;
+
+ httpSaveCredentials(NULL, credentials, common_name);
+ }
+ }
+
+ httpFreeCredentials(tcreds);
+ }
+ else if (cg->validate_certs && !httpCredentialsAreValidForName(credentials, common_name))
+ {
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("No stored credentials, not valid for name."), 1);
+ trust = HTTP_TRUST_INVALID;
+ }
+ else if (!cg->trust_first)
{
/*
- * Convert GNU TLS error to errno value...
+ * See if we have a site CA certificate we can compare...
*/
- switch (result)
+ if (!httpLoadCredentials(NULL, &tcreds, "site"))
{
- case GNUTLS_E_INTERRUPTED :
- errno = EINTR;
- break;
+ if (cupsArrayCount(credentials) != (cupsArrayCount(tcreds) + 1))
+ {
+ /*
+ * Certificate isn't directly generated from the CA cert...
+ */
- case GNUTLS_E_AGAIN :
- errno = EAGAIN;
- break;
+ trust = HTTP_TRUST_INVALID;
+ }
+ else
+ {
+ /*
+ * Do a tail comparison of the two certificates...
+ */
- default :
- errno = EPIPE;
- break;
+ http_credential_t *a, *b; /* Certificates */
+
+ for (a = (http_credential_t *)cupsArrayFirst(tcreds), b = (http_credential_t *)cupsArrayIndex(credentials, 1);
+ a && b;
+ a = (http_credential_t *)cupsArrayNext(tcreds), b = (http_credential_t *)cupsArrayNext(credentials))
+ if (a->datalen != b->datalen || memcmp(a->data, b->data, a->datalen))
+ break;
+
+ if (a || b)
+ trust = HTTP_TRUST_INVALID;
+ }
+
+ if (trust != HTTP_TRUST_OK)
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Credentials do not validate against site CA certificate."), 1);
+ }
+ else
+ {
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Trust on first use is disabled."), 1);
+ trust = HTTP_TRUST_INVALID;
}
+ }
- result = -1;
+ if (trust == HTTP_TRUST_OK && !cg->expired_certs)
+ {
+ time_t curtime; /* Current date/time */
+
+ time(&curtime);
+ if (curtime < gnutls_x509_crt_get_activation_time(cert) ||
+ curtime > gnutls_x509_crt_get_expiration_time(cert))
+ {
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Credentials have expired."), 1);
+ trust = HTTP_TRUST_EXPIRED;
+ }
}
- return ((int)result);
+ if (trust == HTTP_TRUST_OK && !cg->any_root && cupsArrayCount(credentials) == 1)
+ {
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Self-signed credentials are blocked."), 1);
+ trust = HTTP_TRUST_INVALID;
+ }
+
+ gnutls_x509_crt_deinit(cert);
+
+ return (trust);
}
/*
- * '_httpTLSSetCredentials()' - Set the TLS credentials.
+ * 'httpCredentialsGetExpiration()' - Return the expiration date of the credentials.
+ *
+ * @since CUPS 2.0/OS 10.10@
*/
-int /* O - Status of connection */
-_httpTLSSetCredentials(http_t *http) /* I - Connection to server */
+time_t /* O - Expiration date of credentials */
+httpCredentialsGetExpiration(
+ cups_array_t *credentials) /* I - Credentials */
{
- (void)http;
+ gnutls_x509_crt_t cert; /* Certificate */
+ time_t result = 0; /* Result */
- return (0);
+
+ cert = http_gnutls_create_credential((http_credential_t *)cupsArrayFirst(credentials));
+ if (cert)
+ {
+ result = gnutls_x509_crt_get_expiration_time(cert);
+ gnutls_x509_crt_deinit(cert);
+ }
+
+ return (result);
}
/*
- * '_httpTLSStart()' - Set up SSL/TLS support on a connection.
+ * 'httpCredentialsString()' - Return a string representing the credentials.
+ *
+ * @since CUPS 2.0/OS 10.10@
*/
-int /* O - 0 on success, -1 on failure */
-_httpTLSStart(http_t *http) /* I - Connection to server */
+size_t /* O - Total size of credentials string */
+httpCredentialsString(
+ cups_array_t *credentials, /* I - Credentials */
+ char *buffer, /* I - Buffer or @code NULL@ */
+ size_t bufsize) /* I - Size of buffer */
{
- char hostname[256], /* Hostname */
- *hostptr; /* Pointer into hostname */
- int status; /* Status of handshake */
- gnutls_certificate_credentials_t *credentials;
- /* TLS credentials */
+ http_credential_t *first; /* First certificate */
+ gnutls_x509_crt_t cert; /* Certificate */
- DEBUG_printf(("7_httpTLSStart(http=%p)", http));
+ DEBUG_printf(("httpCredentialsString(credentials=%p, buffer=%p, bufsize=" CUPS_LLFMT ")", credentials, buffer, CUPS_LLCAST bufsize));
- if (http->mode == _HTTP_MODE_SERVER && !tls_keypath)
- {
- DEBUG_puts("4_httpTLSStart: cupsSetServerCredentials not called.");
- http->error = errno = EINVAL;
- http->status = HTTP_STATUS_ERROR;
- _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Server credentials not set."), 1);
+ if (!buffer)
+ return (0);
- return (-1);
- }
+ if (buffer && bufsize > 0)
+ *buffer = '\0';
- credentials = (gnutls_certificate_credentials_t *)
- malloc(sizeof(gnutls_certificate_credentials_t));
- if (credentials == NULL)
+ if ((first = (http_credential_t *)cupsArrayFirst(credentials)) != NULL &&
+ (cert = http_gnutls_create_credential(first)) != NULL)
{
- DEBUG_printf(("8_httpStartTLS: Unable to allocate credentials: %s",
- strerror(errno)));
- http->error = errno;
- http->status = HTTP_STATUS_ERROR;
- _cupsSetHTTPError(HTTP_STATUS_ERROR);
-
- return (-1);
- }
+ char name[256], /* Common name associated with cert */
+ issuer[256]; /* Issuer associated with cert */
+ size_t len; /* Length of string */
+ time_t expiration; /* Expiration date of cert */
+ int sigalg; /* Signature algorithm */
+ unsigned char md5_digest[16]; /* MD5 result */
+
+ len = sizeof(name) - 1;
+ if (gnutls_x509_crt_get_dn_by_oid(cert, GNUTLS_OID_X520_COMMON_NAME, 0, 0, name, &len) >= 0)
+ name[len] = '\0';
+ else
+ strlcpy(name, "unknown", sizeof(name));
- gnutls_certificate_allocate_credentials(credentials);
- gnutls_init(&http->tls, http->mode == _HTTP_MODE_CLIENT ? GNUTLS_CLIENT : GNUTLS_SERVER);
- gnutls_set_default_priority(http->tls);
- gnutls_transport_set_ptr(http->tls, (gnutls_transport_ptr_t)http);
- gnutls_transport_set_pull_function(http->tls, http_gnutls_read);
- gnutls_transport_set_push_function(http->tls, http_gnutls_write);
+ len = sizeof(issuer) - 1;
+ if (gnutls_x509_crt_get_issuer_dn_by_oid(cert, GNUTLS_OID_X520_ORGANIZATION_NAME, 0, 0, issuer, &len) >= 0)
+ issuer[len] = '\0';
+ else
+ strlcpy(issuer, "unknown", sizeof(issuer));
- if (http->mode == _HTTP_MODE_CLIENT)
- {
- /*
- * Client: get the hostname to use for TLS...
- */
+ expiration = gnutls_x509_crt_get_expiration_time(cert);
+ sigalg = gnutls_x509_crt_get_signature_algorithm(cert);
- if (httpAddrLocalhost(http->hostaddr))
- {
- strlcpy(hostname, "localhost", sizeof(hostname));
- }
- else
- {
- /*
- * Otherwise make sure the hostname we have does not end in a trailing dot.
- */
+ cupsHashData("md5", first->data, first->datalen, md5_digest, sizeof(md5_digest));
- strlcpy(hostname, http->hostname, sizeof(hostname));
- if ((hostptr = hostname + strlen(hostname) - 1) >= hostname &&
- *hostptr == '.')
- *hostptr = '\0';
- }
+ snprintf(buffer, bufsize, "%s (issued by %s) / %s / %s / %02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X", name, issuer, httpGetDateString(expiration), gnutls_sign_get_name((gnutls_sign_algorithm_t)sigalg), md5_digest[0], md5_digest[1], md5_digest[2], md5_digest[3], md5_digest[4], md5_digest[5], md5_digest[6], md5_digest[7], md5_digest[8], md5_digest[9], md5_digest[10], md5_digest[11], md5_digest[12], md5_digest[13], md5_digest[14], md5_digest[15]);
- gnutls_server_name_set(http->tls, GNUTLS_NAME_DNS, hostname, strlen(hostname));
- gnutls_credentials_set(http->tls, GNUTLS_CRD_CERTIFICATE, *credentials);
+ gnutls_x509_crt_deinit(cert);
}
- else
+
+ DEBUG_printf(("1httpCredentialsString: Returning \"%s\".", buffer));
+
+ return (strlen(buffer));
+}
+
+
+/*
+ * 'httpLoadCredentials()' - Load X.509 credentials from a keychain file.
+ *
+ * @since CUPS 2.0/OS 10.10@
+ */
+
+int /* O - 0 on success, -1 on error */
+httpLoadCredentials(
+ const char *path, /* I - Keychain/PKCS#12 path */
+ cups_array_t **credentials, /* IO - Credentials */
+ const char *common_name) /* I - Common name for credentials */
+{
+ cups_file_t *fp; /* Certificate file */
+ char filename[1024], /* filename.crt */
+ temp[1024], /* Temporary string */
+ line[256]; /* Base64-encoded line */
+ unsigned char *data = NULL; /* Buffer for cert data */
+ size_t alloc_data = 0, /* Bytes allocated */
+ num_data = 0; /* Bytes used */
+ int decoded; /* Bytes decoded */
+ int in_certificate = 0;
+ /* In a certificate? */
+
+
+ if (!credentials || !common_name)
+ return (-1);
+
+ if (!path)
+ path = http_gnutls_default_path(temp, sizeof(temp));
+ if (!path)
+ return (-1);
+
+ http_gnutls_make_path(filename, sizeof(filename), path, common_name, "crt");
+
+ if ((fp = cupsFileOpen(filename, "r")) == NULL)
+ return (-1);
+
+ while (cupsFileGets(fp, line, sizeof(line)))
+ {
+ if (!strcmp(line, "-----BEGIN CERTIFICATE-----"))
+ {
+ if (in_certificate)
+ {
+ /*
+ * Missing END CERTIFICATE...
+ */
+
+ httpFreeCredentials(*credentials);
+ *credentials = NULL;
+ break;
+ }
+
+ in_certificate = 1;
+ }
+ else if (!strcmp(line, "-----END CERTIFICATE-----"))
+ {
+ if (!in_certificate || !num_data)
+ {
+ /*
+ * Missing data...
+ */
+
+ httpFreeCredentials(*credentials);
+ *credentials = NULL;
+ break;
+ }
+
+ if (!*credentials)
+ *credentials = cupsArrayNew(NULL, NULL);
+
+ if (httpAddCredential(*credentials, data, num_data))
+ {
+ httpFreeCredentials(*credentials);
+ *credentials = NULL;
+ break;
+ }
+
+ num_data = 0;
+ in_certificate = 0;
+ }
+ else if (in_certificate)
+ {
+ if (alloc_data == 0)
+ {
+ data = malloc(2048);
+ alloc_data = 2048;
+
+ if (!data)
+ break;
+ }
+ else if ((num_data + strlen(line)) >= alloc_data)
+ {
+ unsigned char *tdata = realloc(data, alloc_data + 1024);
+ /* Expanded buffer */
+
+ if (!tdata)
+ {
+ httpFreeCredentials(*credentials);
+ *credentials = NULL;
+ break;
+ }
+
+ data = tdata;
+ alloc_data += 1024;
+ }
+
+ decoded = alloc_data - num_data;
+ httpDecode64_2((char *)data + num_data, &decoded, line);
+ num_data += (size_t)decoded;
+ }
+ }
+
+ cupsFileClose(fp);
+
+ if (in_certificate)
+ {
+ /*
+ * Missing END CERTIFICATE...
+ */
+
+ httpFreeCredentials(*credentials);
+ *credentials = NULL;
+ }
+
+ if (data)
+ free(data);
+
+ return (*credentials ? 0 : -1);
+}
+
+
+/*
+ * 'httpSaveCredentials()' - Save X.509 credentials to a keychain file.
+ *
+ * @since CUPS 2.0/OS 10.10@
+ */
+
+int /* O - -1 on error, 0 on success */
+httpSaveCredentials(
+ const char *path, /* I - Keychain/PKCS#12 path */
+ cups_array_t *credentials, /* I - Credentials */
+ const char *common_name) /* I - Common name for credentials */
+{
+ cups_file_t *fp; /* Certificate file */
+ char filename[1024], /* filename.crt */
+ nfilename[1024],/* filename.crt.N */
+ temp[1024], /* Temporary string */
+ line[256]; /* Base64-encoded line */
+ const unsigned char *ptr; /* Pointer into certificate */
+ ssize_t remaining; /* Bytes left */
+ http_credential_t *cred; /* Current credential */
+
+
+ if (!credentials || !common_name)
+ return (-1);
+
+ if (!path)
+ path = http_gnutls_default_path(temp, sizeof(temp));
+ if (!path)
+ return (-1);
+
+ http_gnutls_make_path(filename, sizeof(filename), path, common_name, "crt");
+ snprintf(nfilename, sizeof(nfilename), "%s.N", filename);
+
+ if ((fp = cupsFileOpen(nfilename, "w")) == NULL)
+ return (-1);
+
+ fchmod(cupsFileNumber(fp), 0600);
+
+ for (cred = (http_credential_t *)cupsArrayFirst(credentials);
+ cred;
+ cred = (http_credential_t *)cupsArrayNext(credentials))
+ {
+ cupsFilePuts(fp, "-----BEGIN CERTIFICATE-----\n");
+ for (ptr = cred->data, remaining = (ssize_t)cred->datalen; remaining > 0; remaining -= 45, ptr += 45)
+ {
+ httpEncode64_2(line, sizeof(line), (char *)ptr, remaining > 45 ? 45 : remaining);
+ cupsFilePrintf(fp, "%s\n", line);
+ }
+ cupsFilePuts(fp, "-----END CERTIFICATE-----\n");
+ }
+
+ cupsFileClose(fp);
+
+ return (rename(nfilename, filename));
+}
+
+
+/*
+ * 'http_gnutls_create_credential()' - Create a single credential in the internal format.
+ */
+
+static gnutls_x509_crt_t /* O - Certificate */
+http_gnutls_create_credential(
+ http_credential_t *credential) /* I - Credential */
+{
+ int result; /* Result from GNU TLS */
+ gnutls_x509_crt_t cert; /* Certificate */
+ gnutls_datum_t datum; /* Data record */
+
+
+ DEBUG_printf(("3http_gnutls_create_credential(credential=%p)", credential));
+
+ if (!credential)
+ return (NULL);
+
+ if ((result = gnutls_x509_crt_init(&cert)) < 0)
+ {
+ DEBUG_printf(("4http_gnutls_create_credential: init error: %s", gnutls_strerror(result)));
+ return (NULL);
+ }
+
+ datum.data = credential->data;
+ datum.size = credential->datalen;
+
+ if ((result = gnutls_x509_crt_import(cert, &datum, GNUTLS_X509_FMT_DER)) < 0)
+ {
+ DEBUG_printf(("4http_gnutls_create_credential: import error: %s", gnutls_strerror(result)));
+
+ gnutls_x509_crt_deinit(cert);
+ return (NULL);
+ }
+
+ return (cert);
+}
+
+
+/*
+ * 'http_gnutls_default_path()' - Get the default credential store path.
+ */
+
+static const char * /* O - Path or NULL on error */
+http_gnutls_default_path(char *buffer,/* I - Path buffer */
+ size_t bufsize)/* I - Size of path buffer */
+{
+ const char *home = getenv("HOME"); /* HOME environment variable */
+
+
+ if (getuid() && home)
+ {
+ snprintf(buffer, bufsize, "%s/.cups", home);
+ if (access(buffer, 0))
+ {
+ DEBUG_printf(("1http_gnutls_default_path: Making directory \"%s\".", buffer));
+ if (mkdir(buffer, 0700))
+ {
+ DEBUG_printf(("1http_gnutls_default_path: Failed to make directory: %s", strerror(errno)));
+ return (NULL);
+ }
+ }
+
+ snprintf(buffer, bufsize, "%s/.cups/ssl", home);
+ if (access(buffer, 0))
+ {
+ DEBUG_printf(("1http_gnutls_default_path: Making directory \"%s\".", buffer));
+ if (mkdir(buffer, 0700))
+ {
+ DEBUG_printf(("1http_gnutls_default_path: Failed to make directory: %s", strerror(errno)));
+ return (NULL);
+ }
+ }
+ }
+ else
+ strlcpy(buffer, CUPS_SERVERROOT "/ssl", bufsize);
+
+ DEBUG_printf(("1http_gnutls_default_path: Using default path \"%s\".", buffer));
+
+ return (buffer);
+}
+
+
+/*
+ * 'http_gnutls_load_crl()' - Load the certificate revocation list, if any.
+ */
+
+static void
+http_gnutls_load_crl(void)
+{
+ _cupsMutexLock(&tls_mutex);
+
+ if (!gnutls_x509_crl_init(&tls_crl))
+ {
+ cups_file_t *fp; /* CRL file */
+ char filename[1024], /* site.crl */
+ line[256]; /* Base64-encoded line */
+ unsigned char *data = NULL; /* Buffer for cert data */
+ size_t alloc_data = 0, /* Bytes allocated */
+ num_data = 0; /* Bytes used */
+ int decoded; /* Bytes decoded */
+ gnutls_datum_t datum; /* Data record */
+
+
+ http_gnutls_make_path(filename, sizeof(filename), CUPS_SERVERROOT, "site", "crl");
+
+ if ((fp = cupsFileOpen(filename, "r")) != NULL)
+ {
+ while (cupsFileGets(fp, line, sizeof(line)))
+ {
+ if (!strcmp(line, "-----BEGIN X509 CRL-----"))
+ {
+ if (num_data)
+ {
+ /*
+ * Missing END X509 CRL...
+ */
+
+ break;
+ }
+ }
+ else if (!strcmp(line, "-----END X509 CRL-----"))
+ {
+ if (!num_data)
+ {
+ /*
+ * Missing data...
+ */
+
+ break;
+ }
+
+ datum.data = data;
+ datum.size = num_data;
+
+ gnutls_x509_crl_import(tls_crl, &datum, GNUTLS_X509_FMT_PEM);
+
+ num_data = 0;
+ }
+ else
+ {
+ if (alloc_data == 0)
+ {
+ data = malloc(2048);
+ alloc_data = 2048;
+
+ if (!data)
+ break;
+ }
+ else if ((num_data + strlen(line)) >= alloc_data)
+ {
+ unsigned char *tdata = realloc(data, alloc_data + 1024);
+ /* Expanded buffer */
+
+ if (!tdata)
+ break;
+
+ data = tdata;
+ alloc_data += 1024;
+ }
+
+ decoded = alloc_data - num_data;
+ httpDecode64_2((char *)data + num_data, &decoded, line);
+ num_data += (size_t)decoded;
+ }
+ }
+
+ cupsFileClose(fp);
+
+ if (data)
+ free(data);
+ }
+ }
+
+ _cupsMutexUnlock(&tls_mutex);
+}
+
+
+/*
+ * 'http_gnutls_make_path()' - Format a filename for a certificate or key file.
+ */
+
+static const char * /* O - Filename */
+http_gnutls_make_path(
+ char *buffer, /* I - Filename buffer */
+ size_t bufsize, /* I - Size of buffer */
+ const char *dirname, /* I - Directory */
+ const char *filename, /* I - Filename (usually hostname) */
+ const char *ext) /* I - Extension */
+{
+ char *bufptr, /* Pointer into buffer */
+ *bufend = buffer + bufsize - 1; /* End of buffer */
+
+
+ snprintf(buffer, bufsize, "%s/", dirname);
+ bufptr = buffer + strlen(buffer);
+
+ while (*filename && bufptr < bufend)
+ {
+ if (_cups_isalnum(*filename) || *filename == '-' || *filename == '.')
+ *bufptr++ = *filename;
+ else
+ *bufptr++ = '_';
+
+ filename ++;
+ }
+
+ if (bufptr < bufend)
+ *bufptr++ = '.';
+
+ strlcpy(bufptr, ext, (size_t)(bufend - bufptr + 1));
+
+ return (buffer);
+}
+
+
+/*
+ * 'http_gnutls_read()' - Read function for the GNU TLS library.
+ */
+
+static ssize_t /* O - Number of bytes read or -1 on error */
+http_gnutls_read(
+ gnutls_transport_ptr_t ptr, /* I - Connection to server */
+ void *data, /* I - Buffer */
+ size_t length) /* I - Number of bytes to read */
+{
+ http_t *http; /* HTTP connection */
+ ssize_t bytes; /* Bytes read */
+
+
+ DEBUG_printf(("6http_gnutls_read(ptr=%p, data=%p, length=%d)", ptr, data, (int)length));
+
+ http = (http_t *)ptr;
+
+ if (!http->blocking || http->timeout_value > 0.0)
+ {
+ /*
+ * Make sure we have data before we read...
+ */
+
+ while (!_httpWait(http, http->wait_value, 0))
+ {
+ if (http->timeout_cb && (*http->timeout_cb)(http, http->timeout_data))
+ continue;
+
+ http->error = ETIMEDOUT;
+ return (-1);
+ }
+ }
+
+ bytes = recv(http->fd, data, length, 0);
+ DEBUG_printf(("6http_gnutls_read: bytes=%d", (int)bytes));
+ return (bytes);
+}
+
+
+/*
+ * 'http_gnutls_write()' - Write function for the GNU TLS library.
+ */
+
+static ssize_t /* O - Number of bytes written or -1 on error */
+http_gnutls_write(
+ gnutls_transport_ptr_t ptr, /* I - Connection to server */
+ const void *data, /* I - Data buffer */
+ size_t length) /* I - Number of bytes to write */
+{
+ ssize_t bytes; /* Bytes written */
+
+
+ DEBUG_printf(("6http_gnutls_write(ptr=%p, data=%p, length=%d)", ptr, data,
+ (int)length));
+ bytes = send(((http_t *)ptr)->fd, data, length, 0);
+ DEBUG_printf(("http_gnutls_write: bytes=%d", (int)bytes));
+
+ return (bytes);
+}
+
+
+/*
+ * '_httpTLSInitialize()' - Initialize the TLS stack.
+ */
+
+void
+_httpTLSInitialize(void)
+{
+ /*
+ * Initialize GNU TLS...
+ */
+
+ gnutls_global_init();
+}
+
+
+/*
+ * '_httpTLSPending()' - Return the number of pending TLS-encrypted bytes.
+ */
+
+size_t /* O - Bytes available */
+_httpTLSPending(http_t *http) /* I - HTTP connection */
+{
+ return (gnutls_record_check_pending(http->tls));
+}
+
+
+/*
+ * '_httpTLSRead()' - Read from a SSL/TLS connection.
+ */
+
+int /* O - Bytes read */
+_httpTLSRead(http_t *http, /* I - Connection to server */
+ char *buf, /* I - Buffer to store data */
+ int len) /* I - Length of buffer */
+{
+ ssize_t result; /* Return value */
+
+
+ result = gnutls_record_recv(http->tls, buf, (size_t)len);
+
+ if (result < 0 && !errno)
+ {
+ /*
+ * Convert GNU TLS error to errno value...
+ */
+
+ switch (result)
+ {
+ case GNUTLS_E_INTERRUPTED :
+ errno = EINTR;
+ break;
+
+ case GNUTLS_E_AGAIN :
+ errno = EAGAIN;
+ break;
+
+ default :
+ errno = EPIPE;
+ break;
+ }
+
+ result = -1;
+ }
+
+ return ((int)result);
+}
+
+
+/*
+ * '_httpTLSSetOptions()' - Set TLS protocol and cipher suite options.
+ */
+
+void
+_httpTLSSetOptions(int options, /* I - Options */
+ int min_version, /* I - Minimum TLS version */
+ int max_version) /* I - Maximum TLS version */
+{
+ if (!(options & _HTTP_TLS_SET_DEFAULT) || tls_options < 0)
+ {
+ tls_options = options;
+ tls_min_version = min_version;
+ tls_max_version = max_version;
+ }
+}
+
+
+/*
+ * '_httpTLSStart()' - Set up SSL/TLS support on a connection.
+ */
+
+int /* O - 0 on success, -1 on failure */
+_httpTLSStart(http_t *http) /* I - Connection to server */
+{
+ char hostname[256], /* Hostname */
+ *hostptr; /* Pointer into hostname */
+ int status; /* Status of handshake */
+ gnutls_certificate_credentials_t *credentials;
+ /* TLS credentials */
+ char priority_string[2048];
+ /* Priority string */
+ int version; /* Current version */
+ double old_timeout; /* Old timeout value */
+ http_timeout_cb_t old_cb; /* Old timeout callback */
+ void *old_data; /* Old timeout data */
+ static const char * const versions[] =/* SSL/TLS versions */
+ {
+ "VERS-SSL3.0",
+ "VERS-TLS1.0",
+ "VERS-TLS1.1",
+ "VERS-TLS1.2",
+ "VERS-TLS1.3",
+ "VERS-TLS-ALL"
+ };
+
+
+ DEBUG_printf(("3_httpTLSStart(http=%p)", http));
+
+ if (tls_options < 0)
+ {
+ DEBUG_puts("4_httpTLSStart: Setting defaults.");
+ _cupsSetDefaults();
+ DEBUG_printf(("4_httpTLSStart: tls_options=%x", tls_options));
+ }
+
+ if (http->mode == _HTTP_MODE_SERVER && !tls_keypath)
+ {
+ DEBUG_puts("4_httpTLSStart: cupsSetServerCredentials not called.");
+ http->error = errno = EINVAL;
+ http->status = HTTP_STATUS_ERROR;
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Server credentials not set."), 1);
+
+ return (-1);
+ }
+
+ credentials = (gnutls_certificate_credentials_t *)
+ malloc(sizeof(gnutls_certificate_credentials_t));
+ if (credentials == NULL)
+ {
+ DEBUG_printf(("8_httpStartTLS: Unable to allocate credentials: %s",
+ strerror(errno)));
+ http->error = errno;
+ http->status = HTTP_STATUS_ERROR;
+ _cupsSetHTTPError(HTTP_STATUS_ERROR);
+
+ return (-1);
+ }
+
+ gnutls_certificate_allocate_credentials(credentials);
+ status = gnutls_init(&http->tls, http->mode == _HTTP_MODE_CLIENT ? GNUTLS_CLIENT : GNUTLS_SERVER);
+ if (!status)
+ status = gnutls_set_default_priority(http->tls);
+
+ if (status)
+ {
+ http->error = EIO;
+ http->status = HTTP_STATUS_ERROR;
+
+ DEBUG_printf(("4_httpTLSStart: Unable to initialize common TLS parameters: %s", gnutls_strerror(status)));
+ _cupsSetError(IPP_STATUS_ERROR_CUPS_PKI, gnutls_strerror(status), 0);
+
+ gnutls_deinit(http->tls);
+ gnutls_certificate_free_credentials(*credentials);
+ free(credentials);
+ http->tls = NULL;
+
+ return (-1);
+ }
+
+ if (http->mode == _HTTP_MODE_CLIENT)
+ {
+ /*
+ * Client: get the hostname to use for TLS...
+ */
+
+ if (httpAddrLocalhost(http->hostaddr))
+ {
+ strlcpy(hostname, "localhost", sizeof(hostname));
+ }
+ else
+ {
+ /*
+ * Otherwise make sure the hostname we have does not end in a trailing dot.
+ */
+
+ strlcpy(hostname, http->hostname, sizeof(hostname));
+ if ((hostptr = hostname + strlen(hostname) - 1) >= hostname &&
+ *hostptr == '.')
+ *hostptr = '\0';
+ }
+
+ status = gnutls_server_name_set(http->tls, GNUTLS_NAME_DNS, hostname, strlen(hostname));
+ }
+ else
{
/*
* Server: get certificate and private key...
keyfile[1024]; /* Private key file */
int have_creds = 0; /* Have credentials? */
-
- if (http->fields[HTTP_FIELD_HOST][0])
+ if (http->fields[HTTP_FIELD_HOST])
{
/*
* Use hostname for TLS upgrade...
if (hostname[0])
{
- snprintf(crtfile, sizeof(crtfile), "%s/%s.crt", tls_keypath, hostname);
- snprintf(keyfile, sizeof(keyfile), "%s/%s.key", tls_keypath, hostname);
+ /*
+ * First look in the CUPS keystore...
+ */
+
+ http_gnutls_make_path(crtfile, sizeof(crtfile), tls_keypath, hostname, "crt");
+ http_gnutls_make_path(keyfile, sizeof(keyfile), tls_keypath, hostname, "key");
- have_creds = !access(crtfile, 0) && !access(keyfile, 0);
+ if (access(crtfile, R_OK) || access(keyfile, R_OK))
+ {
+ /*
+ * No CUPS-managed certs, look for CA certs...
+ */
+
+ char cacrtfile[1024], cakeyfile[1024]; /* CA cert files */
+
+ snprintf(cacrtfile, sizeof(cacrtfile), "/etc/letsencrypt/live/%s/fullchain.pem", hostname);
+ snprintf(cakeyfile, sizeof(cakeyfile), "/etc/letsencrypt/live/%s/privkey.pem", hostname);
+
+ if ((access(cacrtfile, R_OK) || access(cakeyfile, R_OK)) && (hostptr = strchr(hostname, '.')) != NULL)
+ {
+ /*
+ * Try just domain name...
+ */
+
+ hostptr ++;
+ if (strchr(hostptr, '.'))
+ {
+ snprintf(cacrtfile, sizeof(cacrtfile), "/etc/letsencrypt/live/%s/fullchain.pem", hostptr);
+ snprintf(cakeyfile, sizeof(cakeyfile), "/etc/letsencrypt/live/%s/privkey.pem", hostptr);
+ }
+ }
+
+ if (!access(cacrtfile, R_OK) && !access(cakeyfile, R_OK))
+ {
+ /*
+ * Use the CA certs...
+ */
+
+ strlcpy(crtfile, cacrtfile, sizeof(crtfile));
+ strlcpy(keyfile, cakeyfile, sizeof(keyfile));
+ }
+ }
+
+ have_creds = !access(crtfile, R_OK) && !access(keyfile, R_OK);
}
else if (tls_common_name)
{
- snprintf(crtfile, sizeof(crtfile), "%s/%s.crt", tls_keypath, tls_common_name);
- snprintf(keyfile, sizeof(keyfile), "%s/%s.key", tls_keypath, tls_common_name);
+ /*
+ * First look in the CUPS keystore...
+ */
+
+ http_gnutls_make_path(crtfile, sizeof(crtfile), tls_keypath, tls_common_name, "crt");
+ http_gnutls_make_path(keyfile, sizeof(keyfile), tls_keypath, tls_common_name, "key");
+
+ if (access(crtfile, R_OK) || access(keyfile, R_OK))
+ {
+ /*
+ * No CUPS-managed certs, look for CA certs...
+ */
+
+ char cacrtfile[1024], cakeyfile[1024]; /* CA cert files */
+
+ snprintf(cacrtfile, sizeof(cacrtfile), "/etc/letsencrypt/live/%s/fullchain.pem", tls_common_name);
+ snprintf(cakeyfile, sizeof(cakeyfile), "/etc/letsencrypt/live/%s/privkey.pem", tls_common_name);
+
+ if ((access(cacrtfile, R_OK) || access(cakeyfile, R_OK)) && (hostptr = strchr(tls_common_name, '.')) != NULL)
+ {
+ /*
+ * Try just domain name...
+ */
+
+ hostptr ++;
+ if (strchr(hostptr, '.'))
+ {
+ snprintf(cacrtfile, sizeof(cacrtfile), "/etc/letsencrypt/live/%s/fullchain.pem", hostptr);
+ snprintf(cakeyfile, sizeof(cakeyfile), "/etc/letsencrypt/live/%s/privkey.pem", hostptr);
+ }
+ }
+
+ if (!access(cacrtfile, R_OK) && !access(cakeyfile, R_OK))
+ {
+ /*
+ * Use the CA certs...
+ */
+
+ strlcpy(crtfile, cacrtfile, sizeof(crtfile));
+ strlcpy(keyfile, cakeyfile, sizeof(keyfile));
+ }
+ }
- have_creds = !access(crtfile, 0) && !access(keyfile, 0);
+ have_creds = !access(crtfile, R_OK) && !access(keyfile, R_OK);
}
if (!have_creds && tls_auto_create && (hostname[0] || tls_common_name))
}
}
- gnutls_certificate_set_x509_key_file(*credentials, crtfile, keyfile, GNUTLS_X509_FMT_PEM);
+ DEBUG_printf(("4_httpTLSStart: Using certificate \"%s\" and private key \"%s\".", crtfile, keyfile));
+
+ if (!status)
+ status = gnutls_certificate_set_x509_key_file(*credentials, crtfile, keyfile, GNUTLS_X509_FMT_PEM);
+ }
+
+ if (!status)
+ status = gnutls_credentials_set(http->tls, GNUTLS_CRD_CERTIFICATE, *credentials);
+
+ if (status)
+ {
+ http->error = EIO;
+ http->status = HTTP_STATUS_ERROR;
+
+ DEBUG_printf(("4_httpTLSStart: Unable to complete client/server setup: %s", gnutls_strerror(status)));
+ _cupsSetError(IPP_STATUS_ERROR_CUPS_PKI, gnutls_strerror(status), 0);
+
+ gnutls_deinit(http->tls);
+ gnutls_certificate_free_credentials(*credentials);
+ free(credentials);
+ http->tls = NULL;
+
+ return (-1);
+ }
+
+ strlcpy(priority_string, "NORMAL", sizeof(priority_string));
+
+ if (tls_max_version < _HTTP_TLS_MAX)
+ {
+ /*
+ * Require specific TLS versions...
+ */
+
+ strlcat(priority_string, ":-VERS-TLS-ALL", sizeof(priority_string));
+ for (version = tls_min_version; version <= tls_max_version; version ++)
+ {
+ strlcat(priority_string, ":+", sizeof(priority_string));
+ strlcat(priority_string, versions[version], sizeof(priority_string));
+ }
+ }
+ else if (tls_min_version == _HTTP_TLS_SSL3)
+ {
+ /*
+ * Allow all versions of TLS and SSL/3.0...
+ */
+
+ strlcat(priority_string, ":+VERS-TLS-ALL:+VERS-SSL3.0", sizeof(priority_string));
+ }
+ else
+ {
+ /*
+ * Require a minimum version...
+ */
+
+ strlcat(priority_string, ":+VERS-TLS-ALL", sizeof(priority_string));
+ for (version = 0; version < tls_min_version; version ++)
+ {
+ strlcat(priority_string, ":-", sizeof(priority_string));
+ strlcat(priority_string, versions[version], sizeof(priority_string));
+ }
+ }
+
+ if (tls_options & _HTTP_TLS_ALLOW_RC4)
+ strlcat(priority_string, ":+ARCFOUR-128", sizeof(priority_string));
+ else
+ strlcat(priority_string, ":!ARCFOUR-128", sizeof(priority_string));
+
+ strlcat(priority_string, ":!ANON-DH", sizeof(priority_string));
+
+ if (tls_options & _HTTP_TLS_DENY_CBC)
+ strlcat(priority_string, ":!AES-128-CBC:!AES-256-CBC:!CAMELLIA-128-CBC:!CAMELLIA-256-CBC:!3DES-CBC", sizeof(priority_string));
+
+#ifdef HAVE_GNUTLS_PRIORITY_SET_DIRECT
+ gnutls_priority_set_direct(http->tls, priority_string, NULL);
+
+#else
+ gnutls_priority_t priority; /* Priority */
+
+ gnutls_priority_init(&priority, priority_string, NULL);
+ gnutls_priority_set(http->tls, priority);
+ gnutls_priority_deinit(priority);
+#endif /* HAVE_GNUTLS_PRIORITY_SET_DIRECT */
+
+ gnutls_transport_set_ptr(http->tls, (gnutls_transport_ptr_t)http);
+ gnutls_transport_set_pull_function(http->tls, http_gnutls_read);
+#ifdef HAVE_GNUTLS_TRANSPORT_SET_PULL_TIMEOUT_FUNCTION
+ gnutls_transport_set_pull_timeout_function(http->tls, (gnutls_pull_timeout_func)httpWait);
+#endif /* HAVE_GNUTLS_TRANSPORT_SET_PULL_TIMEOUT_FUNCTION */
+ gnutls_transport_set_push_function(http->tls, http_gnutls_write);
+
+ /*
+ * Enforce a minimum timeout of 10 seconds for the TLS handshake...
+ */
+
+ old_timeout = http->timeout_value;
+ old_cb = http->timeout_cb;
+ old_data = http->timeout_data;
+
+ if (!old_cb || old_timeout < 10.0)
+ {
+ DEBUG_puts("4_httpTLSStart: Setting timeout to 10 seconds.");
+ httpSetTimeout(http, 10.0, NULL, NULL);
}
+ /*
+ * Do the TLS handshake...
+ */
+
while ((status = gnutls_handshake(http->tls)) != GNUTLS_E_SUCCESS)
{
- DEBUG_printf(("8_httpStartTLS: gnutls_handshake returned %d (%s)",
+ DEBUG_printf(("5_httpStartTLS: gnutls_handshake returned %d (%s)",
status, gnutls_strerror(status)));
if (gnutls_error_is_fatal(status))
free(credentials);
http->tls = NULL;
+ httpSetTimeout(http, old_timeout, old_cb, old_data);
+
return (-1);
}
}
- http->tls_credentials = credentials;
+ /*
+ * Restore the previous timeout settings...
+ */
- // TODO: Put this in the right place; no-op for now, this to get things to compile
-// http_tls_set_credentials(http);
+ httpSetTimeout(http, old_timeout, old_cb, old_data);
+
+ http->tls_credentials = credentials;
return (0);
}
gnutls_deinit(http->tls);
http->tls = NULL;
- gnutls_certificate_free_credentials(*(http->tls_credentials));
- free(http->tls_credentials);
- http->tls_credentials = NULL;
+ if (http->tls_credentials)
+ {
+ gnutls_certificate_free_credentials(*(http->tls_credentials));
+ free(http->tls_credentials);
+ http->tls_credentials = NULL;
+ }
}
return ((int)result);
}
-
-
-#if 0
-/*
- * 'cupsdEndTLS()' - Shutdown a secure session with the client.
- */
-
-int /* O - 1 on success, 0 on error */
-cupsdEndTLS(cupsd_client_t *con) /* I - Client connection */
-{
- int error; /* Error code */
- gnutls_certificate_server_credentials *credentials;
- /* TLS credentials */
-
-
- credentials = (gnutls_certificate_server_credentials *)
- (con->http.tls_credentials);
-
- error = gnutls_bye(con->http.tls, GNUTLS_SHUT_WR);
- switch (error)
- {
- case GNUTLS_E_SUCCESS:
- cupsdLogMessage(CUPSD_LOG_DEBUG,
- "SSL shutdown successful!");
- break;
- default:
- cupsdLogMessage(CUPSD_LOG_ERROR,
- "SSL shutdown failed: %s", gnutls_strerror(error));
- break;
- }
-
- gnutls_deinit(con->http.tls);
- con->http.tls = NULL;
-
- gnutls_certificate_free_credentials(*credentials);
- free(credentials);
-
- return (1);
-}
-
-
-/*
- * 'cupsdStartTLS()' - Start a secure session with the client.
- */
-
-int /* O - 1 on success, 0 on error */
-cupsdStartTLS(cupsd_client_t *con) /* I - Client connection */
-{
- int status; /* Error code */
- gnutls_certificate_credentials_t *credentials;
- /* TLS credentials */
-
-
- cupsdLogMessage(CUPSD_LOG_DEBUG, "[Client %d] Encrypting connection.",
- con->http.fd);
-
- /*
- * Verify that we have a certificate...
- */
-
- if (access(ServerKey, 0) || access(ServerCertificate, 0))
- {
- /*
- * Nope, make a self-signed certificate...
- */
-
- if (!make_certificate(con))
- return (0);
- }
-
- /*
- * Create the SSL object and perform the SSL handshake...
- */
-
- credentials = (gnutls_certificate_credentials_t *)
- malloc(sizeof(gnutls_certificate_credentials_t));
- if (credentials == NULL)
- {
- cupsdLogMessage(CUPSD_LOG_ERROR,
- "Unable to encrypt connection from %s - %s",
- con->http.hostname, strerror(errno));
-
- return (0);
- }
-
- gnutls_certificate_allocate_credentials(credentials);
- gnutls_certificate_set_x509_key_file(*credentials, ServerCertificate,
- ServerKey, GNUTLS_X509_FMT_PEM);
-
- gnutls_init(&con->http.tls, GNUTLS_SERVER);
- gnutls_set_default_priority(con->http.tls);
-
- gnutls_credentials_set(con->http.tls, GNUTLS_CRD_CERTIFICATE, *credentials);
- gnutls_transport_set_ptr(con->http.tls, (gnutls_transport_ptr_t)HTTP(con));
- gnutls_transport_set_pull_function(con->http.tls, http_gnutls_read);
- gnutls_transport_set_push_function(con->http.tls, http_gnutls_write);
-
- while ((status = gnutls_handshake(con->http.tls)) != GNUTLS_E_SUCCESS)
- {
- if (gnutls_error_is_fatal(status))
- {
- cupsdLogMessage(CUPSD_LOG_ERROR,
- "Unable to encrypt connection from %s - %s",
- con->http.hostname, gnutls_strerror(status));
-
- gnutls_deinit(con->http.tls);
- gnutls_certificate_free_credentials(*credentials);
- con->http.tls = NULL;
- free(credentials);
- return (0);
- }
- }
-
- cupsdLogMessage(CUPSD_LOG_DEBUG, "Connection from %s now encrypted.",
- con->http.hostname);
-
- con->http.tls_credentials = credentials;
- return (1);
-}
-
-
-/*
- * 'make_certificate()' - Make a self-signed SSL/TLS certificate.
- */
-
-static int /* O - 1 on success, 0 on failure */
-make_certificate(cupsd_client_t *con) /* I - Client connection */
-{
- gnutls_x509_crt crt; /* Self-signed certificate */
- gnutls_x509_privkey key; /* Encryption key */
- cups_lang_t *language; /* Default language info */
- cups_file_t *fp; /* Key/cert file */
- unsigned char buffer[8192]; /* Buffer for x509 data */
- size_t bytes; /* Number of bytes of data */
- unsigned char serial[4]; /* Serial number buffer */
- time_t curtime; /* Current time */
- int result; /* Result of GNU TLS calls */
-
-
- /*
- * Create the encryption key...
- */
-
- cupsdLogMessage(CUPSD_LOG_INFO, "Generating SSL server key...");
-
- gnutls_x509_privkey_init(&key);
- gnutls_x509_privkey_generate(key, GNUTLS_PK_RSA, 2048, 0);
-
- /*
- * Save it...
- */
-
- bytes = sizeof(buffer);
-
- if ((result = gnutls_x509_privkey_export(key, GNUTLS_X509_FMT_PEM,
- buffer, &bytes)) < 0)
- {
- cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to export SSL server key - %s",
- gnutls_strerror(result));
- gnutls_x509_privkey_deinit(key);
- return (0);
- }
- else if ((fp = cupsFileOpen(ServerKey, "w")) != NULL)
- {
- cupsFileWrite(fp, (char *)buffer, bytes);
- cupsFileClose(fp);
-
- cupsdLogMessage(CUPSD_LOG_INFO, "Created SSL server key file \"%s\"...",
- ServerKey);
- }
- else
- {
- cupsdLogMessage(CUPSD_LOG_ERROR,
- "Unable to create SSL server key file \"%s\" - %s",
- ServerKey, strerror(errno));
- gnutls_x509_privkey_deinit(key);
- return (0);
- }
-
- /*
- * Create the self-signed certificate...
- */
-
- cupsdLogMessage(CUPSD_LOG_INFO, "Generating self-signed SSL certificate...");
-
- language = cupsLangDefault();
- curtime = time(NULL);
- serial[0] = curtime >> 24;
- serial[1] = curtime >> 16;
- serial[2] = curtime >> 8;
- serial[3] = curtime;
-
- gnutls_x509_crt_init(&crt);
- if (strlen(language->language) == 5)
- gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_X520_COUNTRY_NAME, 0,
- language->language + 3, 2);
- else
- gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_X520_COUNTRY_NAME, 0,
- "US", 2);
- gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_X520_COMMON_NAME, 0,
- ServerName, strlen(ServerName));
- gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_X520_ORGANIZATION_NAME, 0,
- ServerName, strlen(ServerName));
- gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME,
- 0, "Unknown", 7);
- gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME, 0,
- "Unknown", 7);
- gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_X520_LOCALITY_NAME, 0,
- "Unknown", 7);
- gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_PKCS9_EMAIL, 0,
- ServerAdmin, strlen(ServerAdmin));
- gnutls_x509_crt_set_key(crt, key);
- gnutls_x509_crt_set_serial(crt, serial, sizeof(serial));
- gnutls_x509_crt_set_activation_time(crt, curtime);
- gnutls_x509_crt_set_expiration_time(crt, curtime + 10 * 365 * 86400);
- gnutls_x509_crt_set_ca_status(crt, 0);
- gnutls_x509_crt_set_subject_alternative_name(crt, GNUTLS_SAN_DNSNAME,
- ServerName);
- gnutls_x509_crt_set_key_purpose_oid(crt, GNUTLS_KP_TLS_WWW_SERVER, 0);
- gnutls_x509_crt_set_key_usage(crt, GNUTLS_KEY_KEY_ENCIPHERMENT);
- gnutls_x509_crt_set_version(crt, 3);
-
- bytes = sizeof(buffer);
- if (gnutls_x509_crt_get_key_id(crt, 0, buffer, &bytes) >= 0)
- gnutls_x509_crt_set_subject_key_id(crt, buffer, bytes);
-
- gnutls_x509_crt_sign(crt, crt, key);
-
- /*
- * Save it...
- */
-
- bytes = sizeof(buffer);
- if ((result = gnutls_x509_crt_export(crt, GNUTLS_X509_FMT_PEM,
- buffer, &bytes)) < 0)
- cupsdLogMessage(CUPSD_LOG_ERROR,
- "Unable to export SSL server certificate - %s",
- gnutls_strerror(result));
- else if ((fp = cupsFileOpen(ServerCertificate, "w")) != NULL)
- {
- cupsFileWrite(fp, (char *)buffer, bytes);
- cupsFileClose(fp);
-
- cupsdLogMessage(CUPSD_LOG_INFO,
- "Created SSL server certificate file \"%s\"...",
- ServerCertificate);
- }
- else
- cupsdLogMessage(CUPSD_LOG_ERROR,
- "Unable to create SSL server certificate file \"%s\" - %s",
- ServerCertificate, strerror(errno));
-
- /*
- * Cleanup...
- */
-
- gnutls_x509_crt_deinit(crt);
- gnutls_x509_privkey_deinit(key);
-
- return (1);
-}
-#endif /* 0 */
-
-
-/*
- * End of "$Id$".
- */
projects / thirdparty / cups.git / blobdiff