]> git.ipfire.org Git - thirdparty/cups.git/blame - cups/tls-gnutls.c
projects / thirdparty / cups.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Clean up implementation for SSLOptions
[thirdparty/cups.git] / cups / tls-gnutls.c
CommitLineData
2c85b752 1/*
2c85b752
MS		 2 * TLS support code for CUPS using GNU TLS.
3 *
163a773e 4 * Copyright 2007-2017 by Apple Inc.
2c85b752
MS		 5 * Copyright 1997-2007 by Easy Software Products, all rights reserved.
6 *
7 * These coded instructions, statements, and computer programs are the
8 * property of Apple Inc. and are protected by Federal copyright
9 * law. Distribution and use rights are outlined in the file "LICENSE.txt"
10 * which should have been included with this file. If this file is
57b7b66b 11 * missing or damaged, see the license at "http://www.cups.org/".
2c85b752
MS		 12 *
13 * This file is subject to the Apple OS-Developed Software exception.
14 */
15
ebb24a07 16/**** This file is included from tls.c ****/
2c85b752 17
d0facf48
MS		 18/*
19 * Include necessary headers...
20 */
21
22#include <sys/stat.h>
23
24
07623986
MS		 25/*
26 * Local globals...
27 */
28
c61b78bd
PE		 29static int tls_auto_create = 0; /* Auto-create self-signed certs? */
30static char *tls_common_name = NULL; /* Default common name */
31static gnutls_x509_crl_t tls_crl = NULL; /* Certificate revocation list */
32static char *tls_keypath = NULL; /* Server cert keychain path */
33static _cups_mutex_t tls_mutex = _CUPS_MUTEX_INITIALIZER; /* Mutex for keychain/certs */
34static unsigned int tls_options = _HTTP_TLS_NONE; /* Options for TLS connections */
07623986
MS		 35
36
2c85b752
MS		 37/*
38 * Local functions...
39 */
40
ff82e169 41static gnutls_x509_crt_t http_gnutls_create_credential(http_credential_t *credential);
d0facf48 42static const char *http_gnutls_default_path(char *buffer, size_t bufsize);
08d56b1f 43static void http_gnutls_load_crl(void);
a2751f30 44static const char *http_gnutls_make_path(char *buffer, size_t bufsize, const char *dirname, const char *filename, const char *ext);
d0facf48
MS		 45static ssize_t http_gnutls_read(gnutls_transport_ptr_t ptr, void *data, size_t length);
46static ssize_t http_gnutls_write(gnutls_transport_ptr_t ptr, const void *data, size_t length);
dd332638
MS		 47
48
07623986
MS		 49/*
50 * 'cupsMakeServerCredentials()' - Make a self-signed certificate and private key pair.
51 *
e1f19878 52 * @since CUPS 2.0/OS 10.10@
07623986
MS		 53 */
54
55int /* O - 1 on success, 0 on failure */
56cupsMakeServerCredentials(
57 const char *path, /* I - Path to keychain/directory */
58 const char *common_name, /* I - Common name */
59 int num_alt_names, /* I - Number of subject alternate names */
60 const char **alt_names, /* I - Subject Alternate Names */
61 time_t expiration_date) /* I - Expiration date */
62{
f394e0f7
MS		 63 gnutls_x509_crt_t crt; /* Self-signed certificate */
64 gnutls_x509_privkey_t key; /* Encryption private key */
65 char temp[1024], /* Temporary directory name */
66 crtfile[1024], /* Certificate filename */
172bdf5d
MS		 67 keyfile[1024]; /* Private key filename */
68 cups_lang_t *language; /* Default language info */
69 cups_file_t *fp; /* Key/cert file */
70 unsigned char buffer[8192]; /* Buffer for x509 data */
71 size_t bytes; /* Number of bytes of data */
72 unsigned char serial[4]; /* Serial number buffer */
73 time_t curtime; /* Current time */
74 int result; /* Result of GNU TLS calls */
07623986 75
172bdf5d
MS		 76
77 DEBUG_printf(("cupsMakeServerCredentials(path=\"%s\", common_name=\"%s\", num_alt_names=%d, alt_names=%p, expiration_date=%d)", path, common_name, num_alt_names, alt_names, (int)expiration_date));
78
79 /*
80 * Filenames...
81 */
82
83 if (!path)
d0facf48 84 path = http_gnutls_default_path(temp, sizeof(temp));
172bdf5d 85
d0facf48
MS		 86 if (!path || !common_name)
87 {
88 _cupsSetError(IPP_STATUS_ERROR_INTERNAL, strerror(EINVAL), 0);
89 return (0);
172bdf5d 90 }
26435c51
MS		 91
92 http_gnutls_make_path(crtfile, sizeof(crtfile), path, common_name, "crt");
93 http_gnutls_make_path(keyfile, sizeof(keyfile), path, common_name, "key");
172bdf5d
MS		 94
95 /*
96 * Create the encryption key...
97 */
98
d0facf48
MS		 99 DEBUG_puts("1cupsMakeServerCredentials: Creating key pair.");
100
172bdf5d
MS		 101 gnutls_x509_privkey_init(&key);
102 gnutls_x509_privkey_generate(key, GNUTLS_PK_RSA, 2048, 0);
103
d0facf48
MS		 104 DEBUG_puts("1cupsMakeServerCredentials: Key pair created.");
105
172bdf5d
MS		 106 /*
107 * Save it...
108 */
109
110 bytes = sizeof(buffer);
111
d0facf48 112 if ((result = gnutls_x509_privkey_export(key, GNUTLS_X509_FMT_PEM, buffer, &bytes)) < 0)
172bdf5d 113 {
d0facf48 114 DEBUG_printf(("1cupsMakeServerCredentials: Unable to export private key: %s", gnutls_strerror(result)));
172bdf5d
MS		 115 _cupsSetError(IPP_STATUS_ERROR_INTERNAL, gnutls_strerror(result), 0);
116 gnutls_x509_privkey_deinit(key);
117 return (0);
118 }
119 else if ((fp = cupsFileOpen(keyfile, "w")) != NULL)
120 {
d0facf48 121 DEBUG_printf(("1cupsMakeServerCredentials: Writing private key to \"%s\".", keyfile));
172bdf5d
MS		 122 cupsFileWrite(fp, (char *)buffer, bytes);
123 cupsFileClose(fp);
124 }
125 else
126 {
d0facf48 127 DEBUG_printf(("1cupsMakeServerCredentials: Unable to create private key file \"%s\": %s", keyfile, strerror(errno)));
172bdf5d
MS		 128 _cupsSetError(IPP_STATUS_ERROR_INTERNAL, strerror(errno), 0);
129 gnutls_x509_privkey_deinit(key);
130 return (0);
131 }
132
133 /*
134 * Create the self-signed certificate...
135 */
136
d0facf48 137 DEBUG_puts("1cupsMakeServerCredentials: Generating self-signed X.509 certificate.");
172bdf5d
MS		 138
139 language = cupsLangDefault();
140 curtime = time(NULL);
141 serial[0] = curtime >> 24;
142 serial[1] = curtime >> 16;
143 serial[2] = curtime >> 8;
144 serial[3] = curtime;
145
146 gnutls_x509_crt_init(&crt);
147 if (strlen(language->language) == 5)
148 gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_X520_COUNTRY_NAME, 0,
149 language->language + 3, 2);
150 else
151 gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_X520_COUNTRY_NAME, 0,
152 "US", 2);
153 gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_X520_COMMON_NAME, 0,
154 common_name, strlen(common_name));
155 gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_X520_ORGANIZATION_NAME, 0,
156 common_name, strlen(common_name));
157 gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME,
158 0, "Unknown", 7);
159 gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME, 0,
160 "Unknown", 7);
161 gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_X520_LOCALITY_NAME, 0,
162 "Unknown", 7);
163/* gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_PKCS9_EMAIL, 0,
164 ServerAdmin, strlen(ServerAdmin));*/
165 gnutls_x509_crt_set_key(crt, key);
166 gnutls_x509_crt_set_serial(crt, serial, sizeof(serial));
167 gnutls_x509_crt_set_activation_time(crt, curtime);
168 gnutls_x509_crt_set_expiration_time(crt, curtime + 10 * 365 * 86400);
169 gnutls_x509_crt_set_ca_status(crt, 0);
170 if (num_alt_names > 0)
171 gnutls_x509_crt_set_subject_alternative_name(crt, GNUTLS_SAN_DNSNAME, alt_names[0]);
172 gnutls_x509_crt_set_key_purpose_oid(crt, GNUTLS_KP_TLS_WWW_SERVER, 0);
173 gnutls_x509_crt_set_key_usage(crt, GNUTLS_KEY_KEY_ENCIPHERMENT);
174 gnutls_x509_crt_set_version(crt, 3);
175
176 bytes = sizeof(buffer);
177 if (gnutls_x509_crt_get_key_id(crt, 0, buffer, &bytes) >= 0)
178 gnutls_x509_crt_set_subject_key_id(crt, buffer, bytes);
179
180 gnutls_x509_crt_sign(crt, crt, key);
181
182 /*
183 * Save it...
184 */
185
186 bytes = sizeof(buffer);
187 if ((result = gnutls_x509_crt_export(crt, GNUTLS_X509_FMT_PEM, buffer, &bytes)) < 0)
188 {
d0facf48 189 DEBUG_printf(("1cupsMakeServerCredentials: Unable to export public key and X.509 certificate: %s", gnutls_strerror(result)));
172bdf5d
MS		 190 _cupsSetError(IPP_STATUS_ERROR_INTERNAL, gnutls_strerror(result), 0);
191 gnutls_x509_crt_deinit(crt);
192 gnutls_x509_privkey_deinit(key);
193 return (0);
194 }
195 else if ((fp = cupsFileOpen(crtfile, "w")) != NULL)
196 {
d0facf48 197 DEBUG_printf(("1cupsMakeServerCredentials: Writing public key and X.509 certificate to \"%s\".", crtfile));
172bdf5d
MS		 198 cupsFileWrite(fp, (char *)buffer, bytes);
199 cupsFileClose(fp);
200 }
201 else
202 {
d0facf48 203 DEBUG_printf(("1cupsMakeServerCredentials: Unable to create public key and X.509 certificate file \"%s\": %s", crtfile, strerror(errno)));
172bdf5d
MS		 204 _cupsSetError(IPP_STATUS_ERROR_INTERNAL, strerror(errno), 0);
205 gnutls_x509_crt_deinit(crt);
206 gnutls_x509_privkey_deinit(key);
207 return (0);
208 }
209
210 /*
211 * Cleanup...
212 */
213
214 gnutls_x509_crt_deinit(crt);
215 gnutls_x509_privkey_deinit(key);
216
d0facf48
MS		 217 DEBUG_puts("1cupsMakeServerCredentials: Successfully created credentials.");
218
172bdf5d 219 return (1);
07623986
MS		 220}
221
222
223/*
224 * 'cupsSetServerCredentials()' - Set the default server credentials.
225 *
226 * Note: The server credentials are used by all threads in the running process.
227 * This function is threadsafe.
228 *
e1f19878 229 * @since CUPS 2.0/OS 10.10@
07623986
MS		 230 */
231
232int /* O - 1 on success, 0 on failure */
233cupsSetServerCredentials(
234 const char *path, /* I - Path to keychain/directory */
235 const char *common_name, /* I - Default common name for server */
236 int auto_create) /* I - 1 = automatically create self-signed certificates */
237{
f394e0f7 238 char temp[1024]; /* Default path buffer */
172bdf5d
MS		 239
240
241 DEBUG_printf(("cupsSetServerCredentials(path=\"%s\", common_name=\"%s\", auto_create=%d)", path, common_name, auto_create));
242
07623986 243 /*
d0facf48 244 * Use defaults as needed...
07623986
MS		 245 */
246
d0facf48
MS		 247 if (!path)
248 path = http_gnutls_default_path(temp, sizeof(temp));
07623986 249
172bdf5d 250 /*
d0facf48 251 * Range check input...
172bdf5d
MS		 252 */
253
d0facf48 254 if (!path || !common_name)
172bdf5d 255 {
d0facf48
MS		 256 _cupsSetError(IPP_STATUS_ERROR_INTERNAL, strerror(EINVAL), 0);
257 return (0);
258 }
172bdf5d 259
d0facf48
MS		 260 _cupsMutexLock(&tls_mutex);
261
262 /*
263 * Free old values...
264 */
172bdf5d 265
d0facf48
MS		 266 if (tls_keypath)
267 _cupsStrFree(tls_keypath);
172bdf5d 268
d0facf48
MS		 269 if (tls_common_name)
270 _cupsStrFree(tls_common_name);
172bdf5d 271
07623986
MS		 272 /*
273 * Save the new values...
274 */
275
276 tls_keypath = _cupsStrAlloc(path);
277 tls_auto_create = auto_create;
278 tls_common_name = _cupsStrAlloc(common_name);
279
280 _cupsMutexUnlock(&tls_mutex);
281
282 return (1);
283}
284
285
dd332638
MS		 286/*
287 * 'httpCopyCredentials()' - Copy the credentials associated with the peer in
288 * an encrypted connection.
289 *
8072030b 290 * @since CUPS 1.5/macOS 10.7@
dd332638
MS		 291 */
292
293int /* O - Status of call (0 = success) */
294httpCopyCredentials(
295 http_t *http, /* I - Connection to server */
296 cups_array_t **credentials) /* O - Array of credentials */
297{
bdc8d1ad
MS		 298 unsigned count; /* Number of certificates */
299 const gnutls_datum_t *certs; /* Certificates */
300
301
302 DEBUG_printf(("httpCopyCredentials(http=%p, credentials=%p)", http, credentials));
303
dd332638
MS		 304 if (credentials)
305 *credentials = NULL;
306
307 if (!http || !http->tls || !credentials)
308 return (-1);
309
bdc8d1ad
MS		 310 *credentials = cupsArrayNew(NULL, NULL);
311 certs = gnutls_certificate_get_peers(http->tls, &count);
312
313 DEBUG_printf(("1httpCopyCredentials: certs=%p, count=%u", certs, count));
314
315 if (certs && count)
316 {
317 while (count > 0)
318 {
319 httpAddCredential(*credentials, certs->data, certs->size);
320 certs ++;
321 count --;
322 }
323 }
324
dd332638
MS		 325 return (0);
326}
327
328
329/*
330 * '_httpCreateCredentials()' - Create credentials in the internal format.
331 */
332
333http_tls_credentials_t /* O - Internal credentials */
334_httpCreateCredentials(
335 cups_array_t *credentials) /* I - Array of credentials */
336{
337 (void)credentials;
338
339 return (NULL);
340}
341
342
343/*
344 * '_httpFreeCredentials()' - Free internal credentials.
345 */
346
347void
348_httpFreeCredentials(
349 http_tls_credentials_t credentials) /* I - Internal credentials */
350{
351 (void)credentials;
352}
353
354
a15960a1
MS		 355/*
356 * 'httpCredentialsAreValidForName()' - Return whether the credentials are valid for the given name.
357 *
e1f19878 358 * @since CUPS 2.0/OS 10.10@
a15960a1
MS		 359 */
360
361int /* O - 1 if valid, 0 otherwise */
362httpCredentialsAreValidForName(
363 cups_array_t *credentials, /* I - Credentials */
364 const char *common_name) /* I - Name to check */
365{
ff82e169
MS		 366 gnutls_x509_crt_t cert; /* Certificate */
367 int result = 0; /* Result */
a15960a1
MS		 368
369
ff82e169
MS		 370 cert = http_gnutls_create_credential((http_credential_t *)cupsArrayFirst(credentials));
371 if (cert)
a15960a1 372 {
ff82e169 373 result = gnutls_x509_crt_check_hostname(cert, common_name) != 0;
08d56b1f
MS		 374
375 if (result)
376 {
377 int i, /* Looping var */
378 count; /* Number of revoked certificates */
379 unsigned char cserial[1024], /* Certificate serial number */
380 rserial[1024]; /* Revoked serial number */
381 size_t cserial_size, /* Size of cert serial number */
382 rserial_size; /* Size of revoked serial number */
383
384 _cupsMutexLock(&tls_mutex);
385
386 count = gnutls_x509_crl_get_crt_count(tls_crl);
387
388 if (count > 0)
389 {
390 cserial_size = sizeof(cserial);
391 gnutls_x509_crt_get_serial(cert, cserial, &cserial_size);
392
393 for (i = 0; i < count; i ++)
394 {
395 rserial_size = sizeof(rserial);
163a773e 396 if (!gnutls_x509_crl_get_crt_serial(tls_crl, (unsigned)i, rserial, &rserial_size, NULL) && cserial_size == rserial_size && !memcmp(cserial, rserial, rserial_size))
08d56b1f
MS		 397 {
398 result = 0;
399 break;
400 }
401 }
402 }
403
404 _cupsMutexUnlock(&tls_mutex);
405 }
406
ff82e169 407 gnutls_x509_crt_deinit(cert);
a15960a1 408 }
a15960a1 409
ff82e169 410 return (result);
a15960a1
MS		 411}
412
413
414/*
415 * 'httpCredentialsGetTrust()' - Return the trust of credentials.
416 *
e1f19878 417 * @since CUPS 2.0/OS 10.10@
a15960a1
MS		 418 */
419
420http_trust_t /* O - Level of trust */
421httpCredentialsGetTrust(
422 cups_array_t *credentials, /* I - Credentials */
423 const char *common_name) /* I - Common name for trust lookup */
424{
425 http_trust_t trust = HTTP_TRUST_OK;
426 /* Trusted? */
ff82e169 427 gnutls_x509_crt_t cert; /* Certificate */
a15960a1
MS		 428 cups_array_t *tcreds = NULL; /* Trusted credentials */
429 _cups_globals_t *cg = _cupsGlobals();
430 /* Per-thread globals */
431
432
433 if (!common_name)
e5aa186c
MS		 434 {
435 _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("No common name specified."), 1);
a15960a1 436 return (HTTP_TRUST_UNKNOWN);
e5aa186c 437 }
a15960a1 438
ff82e169 439 if ((cert = http_gnutls_create_credential((http_credential_t *)cupsArrayFirst(credentials))) == NULL)
e5aa186c
MS		 440 {
441 _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Unable to create credentials from array."), 1);
a15960a1 442 return (HTTP_TRUST_UNKNOWN);
e5aa186c 443 }
a15960a1 444
3abb875b 445 if (cg->any_root < 0)
08d56b1f 446 {
3abb875b 447 _cupsSetDefaults();
08d56b1f
MS		 448 http_gnutls_load_crl();
449 }
3abb875b 450
a15960a1
MS		 451 /*
452 * Look this common name up in the default keychains...
453 */
454
455 httpLoadCredentials(NULL, &tcreds, common_name);
456
457 if (tcreds)
458 {
459 char credentials_str[1024], /* String for incoming credentials */
460 tcreds_str[1024]; /* String for saved credentials */
461
462 httpCredentialsString(credentials, credentials_str, sizeof(credentials_str));
463 httpCredentialsString(tcreds, tcreds_str, sizeof(tcreds_str));
464
465 if (strcmp(credentials_str, tcreds_str))
466 {
467 /*
468 * Credentials don't match, let's look at the expiration date of the new
469 * credentials and allow if the new ones have a later expiration...
470 */
471
08d56b1f
MS		 472 if (!cg->trust_first)
473 {
474 /*
475 * Do not trust certificates on first use...
476 */
477
e5aa186c
MS		 478 _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Trust on first use is disabled."), 1);
479
08d56b1f
MS		 480 trust = HTTP_TRUST_INVALID;
481 }
e5aa186c 482 else if (httpCredentialsGetExpiration(credentials) <= httpCredentialsGetExpiration(tcreds))
a15960a1
MS		 483 {
484 /*
e5aa186c 485 * The new credentials are not newly issued...
a15960a1
MS		 486 */
487
e5aa186c
MS		 488 _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("New credentials are older than stored credentials."), 1);
489
490 trust = HTTP_TRUST_INVALID;
491 }
492 else if (!httpCredentialsAreValidForName(credentials, common_name))
493 {
494 /*
495 * The common name does not match the issued certificate...
496 */
497
498 _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("New credentials are not valid for name."), 1);
499
a15960a1
MS		 500 trust = HTTP_TRUST_INVALID;
501 }
502 else if (httpCredentialsGetExpiration(tcreds) < time(NULL))
503 {
504 /*
505 * Save the renewed credentials...
506 */
507
508 trust = HTTP_TRUST_RENEWED;
509
510 httpSaveCredentials(NULL, credentials, common_name);
511 }
512 }
513
514 httpFreeCredentials(tcreds);
515 }
516 else if (cg->validate_certs && !httpCredentialsAreValidForName(credentials, common_name))
e5aa186c
MS		 517 {
518 _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("No stored credentials, not valid for name."), 1);
a15960a1 519 trust = HTTP_TRUST_INVALID;
e5aa186c 520 }
7aeb3615
MS		 521 else if (!cg->trust_first)
522 {
f8e19681
MS		 523 /*
524 * See if we have a site CA certificate we can compare...
525 */
526
527 if (!httpLoadCredentials(NULL, &tcreds, "site"))
528 {
529 if (cupsArrayCount(credentials) != (cupsArrayCount(tcreds) + 1))
530 {
531 /*
532 * Certificate isn't directly generated from the CA cert...
533 */
534
535 trust = HTTP_TRUST_INVALID;
536 }
537 else
538 {
539 /*
540 * Do a tail comparison of the two certificates...
541 */
542
543 http_credential_t *a, *b; /* Certificates */
544
545 for (a = (http_credential_t *)cupsArrayFirst(tcreds), b = (http_credential_t *)cupsArrayIndex(credentials, 1);
546 a && b;
547 a = (http_credential_t *)cupsArrayNext(tcreds), b = (http_credential_t *)cupsArrayNext(credentials))
548 if (a->datalen != b->datalen || memcmp(a->data, b->data, a->datalen))
549 break;
550
551 if (a || b)
552 trust = HTTP_TRUST_INVALID;
553 }
554
555 if (trust != HTTP_TRUST_OK)
556 _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Credentials do not validate against site CA certificate."), 1);
557 }
558 else
559 {
560 _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Trust on first use is disabled."), 1);
561 trust = HTTP_TRUST_INVALID;
562 }
7aeb3615 563 }
a15960a1 564
ff82e169
MS		 565 if (trust == HTTP_TRUST_OK && !cg->expired_certs)
566 {
567 time_t curtime; /* Current date/time */
568
569 time(&curtime);
570 if (curtime < gnutls_x509_crt_get_activation_time(cert) ||
571 curtime > gnutls_x509_crt_get_expiration_time(cert))
e5aa186c
MS		 572 {
573 _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Credentials have expired."), 1);
ff82e169 574 trust = HTTP_TRUST_EXPIRED;
e5aa186c 575 }
ff82e169
MS		 576 }
577
578 if (trust == HTTP_TRUST_OK && !cg->any_root && cupsArrayCount(credentials) == 1)
e5aa186c
MS		 579 {
580 _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Self-signed credentials are blocked."), 1);
a15960a1 581 trust = HTTP_TRUST_INVALID;
e5aa186c 582 }
a15960a1 583
ff82e169 584 gnutls_x509_crt_deinit(cert);
a15960a1
MS		 585
586 return (trust);
587}
588
589
590/*
591 * 'httpCredentialsGetExpiration()' - Return the expiration date of the credentials.
592 *
e1f19878 593 * @since CUPS 2.0/OS 10.10@
a15960a1
MS		 594 */
595
596time_t /* O - Expiration date of credentials */
597httpCredentialsGetExpiration(
598 cups_array_t *credentials) /* I - Credentials */
599{
ff82e169
MS		 600 gnutls_x509_crt_t cert; /* Certificate */
601 time_t result = 0; /* Result */
602
603
604 cert = http_gnutls_create_credential((http_credential_t *)cupsArrayFirst(credentials));
605 if (cert)
606 {
bdc8d1ad 607 result = gnutls_x509_crt_get_expiration_time(cert);
ff82e169
MS		 608 gnutls_x509_crt_deinit(cert);
609 }
a15960a1 610
ff82e169 611 return (result);
a15960a1
MS		 612}
613
614
615/*
616 * 'httpCredentialsString()' - Return a string representing the credentials.
617 *
e1f19878 618 * @since CUPS 2.0/OS 10.10@
a15960a1
MS		 619 */
620
621size_t /* O - Total size of credentials string */
622httpCredentialsString(
623 cups_array_t *credentials, /* I - Credentials */
624 char *buffer, /* I - Buffer or @code NULL@ */
625 size_t bufsize) /* I - Size of buffer */
626{
ff82e169
MS		 627 http_credential_t *first; /* First certificate */
628 gnutls_x509_crt_t cert; /* Certificate */
629
630
a15960a1
MS		 631 DEBUG_printf(("httpCredentialsString(credentials=%p, buffer=%p, bufsize=" CUPS_LLFMT ")", credentials, buffer, CUPS_LLCAST bufsize));
632
633 if (!buffer)
634 return (0);
635
636 if (buffer && bufsize > 0)
637 *buffer = '\0';
638
a15960a1 639 if ((first = (http_credential_t *)cupsArrayFirst(credentials)) != NULL &&
ff82e169 640 (cert = http_gnutls_create_credential(first)) != NULL)
a15960a1 641 {
a15960a1 642 char name[256]; /* Common name associated with cert */
bdc8d1ad 643 size_t namelen; /* Length of name */
a15960a1
MS		 644 time_t expiration; /* Expiration date of cert */
645 _cups_md5_state_t md5_state; /* MD5 state */
646 unsigned char md5_digest[16]; /* MD5 result */
647
bdc8d1ad
MS		 648 namelen = sizeof(name) - 1;
649 if (gnutls_x509_crt_get_dn_by_oid(cert, GNUTLS_OID_X520_COMMON_NAME, 0, 0, name, &namelen) >= 0)
650 name[namelen] = '\0';
651 else
a15960a1
MS		 652 strlcpy(name, "unknown", sizeof(name));
653
ff82e169 654 expiration = gnutls_x509_crt_get_expiration_time(cert);
a15960a1
MS		 655
656 _cupsMD5Init(&md5_state);
657 _cupsMD5Append(&md5_state, first->data, (int)first->datalen);
658 _cupsMD5Finish(&md5_state, md5_digest);
659
660 snprintf(buffer, bufsize, "%s / %s / %02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X", name, httpGetDateString(expiration), md5_digest[0], md5_digest[1], md5_digest[2], md5_digest[3], md5_digest[4], md5_digest[5], md5_digest[6], md5_digest[7], md5_digest[8], md5_digest[9], md5_digest[10], md5_digest[11], md5_digest[12], md5_digest[13], md5_digest[14], md5_digest[15]);
661
ff82e169 662 gnutls_x509_crt_deinit(cert);
a15960a1 663 }
a15960a1
MS		 664
665 DEBUG_printf(("1httpCredentialsString: Returning \"%s\".", buffer));
666
667 return (strlen(buffer));
668}
669
670
671/*
672 * 'httpLoadCredentials()' - Load X.509 credentials from a keychain file.
673 *
e1f19878 674 * @since CUPS 2.0/OS 10.10@
a15960a1
MS		 675 */
676
677int /* O - 0 on success, -1 on error */
678httpLoadCredentials(
679 const char *path, /* I - Keychain/PKCS#12 path */
680 cups_array_t **credentials, /* IO - Credentials */
681 const char *common_name) /* I - Common name for credentials */
682{
ff82e169
MS		 683 cups_file_t *fp; /* Certificate file */
684 char filename[1024], /* filename.crt */
685 temp[1024], /* Temporary string */
686 line[256]; /* Base64-encoded line */
687 unsigned char *data = NULL; /* Buffer for cert data */
688 size_t alloc_data = 0, /* Bytes allocated */
689 num_data = 0; /* Bytes used */
690 int decoded; /* Bytes decoded */
0de71d36
MS		 691 int in_certificate = 0;
692 /* In a certificate? */
ff82e169
MS		 693
694
695 if (!credentials || !common_name)
696 return (-1);
697
698 if (!path)
699 path = http_gnutls_default_path(temp, sizeof(temp));
700 if (!path)
701 return (-1);
702
26435c51 703 http_gnutls_make_path(filename, sizeof(filename), path, common_name, "crt");
ff82e169
MS		 704
705 if ((fp = cupsFileOpen(filename, "r")) == NULL)
706 return (-1);
707
708 while (cupsFileGets(fp, line, sizeof(line)))
709 {
710 if (!strcmp(line, "-----BEGIN CERTIFICATE-----"))
711 {
0de71d36 712 if (in_certificate)
ff82e169
MS		 713 {
714 /*
715 * Missing END CERTIFICATE...
716 */
717
718 httpFreeCredentials(*credentials);
719 *credentials = NULL;
720 break;
721 }
0de71d36
MS		 722
723 in_certificate = 1;
ff82e169
MS		 724 }
725 else if (!strcmp(line, "-----END CERTIFICATE-----"))
726 {
0de71d36 727 if (!in_certificate || !num_data)
ff82e169
MS		 728 {
729 /*
730 * Missing data...
731 */
a15960a1 732
ff82e169
MS		 733 httpFreeCredentials(*credentials);
734 *credentials = NULL;
735 break;
736 }
737
738 if (!*credentials)
739 *credentials = cupsArrayNew(NULL, NULL);
740
741 if (httpAddCredential(*credentials, data, num_data))
742 {
743 httpFreeCredentials(*credentials);
744 *credentials = NULL;
745 break;
746 }
747
0de71d36
MS		 748 num_data = 0;
749 in_certificate = 0;
ff82e169 750 }
0de71d36 751 else if (in_certificate)
ff82e169
MS		 752 {
753 if (alloc_data == 0)
754 {
755 data = malloc(2048);
756 alloc_data = 2048;
757
758 if (!data)
759 break;
760 }
761 else if ((num_data + strlen(line)) >= alloc_data)
762 {
763 unsigned char *tdata = realloc(data, alloc_data + 1024);
764 /* Expanded buffer */
765
766 if (!tdata)
767 {
768 httpFreeCredentials(*credentials);
769 *credentials = NULL;
770 break;
771 }
772
773 data = tdata;
774 alloc_data += 1024;
775 }
776
777 decoded = alloc_data - num_data;
bdc8d1ad
MS		 778 httpDecode64_2((char *)data + num_data, &decoded, line);
779 num_data += (size_t)decoded;
ff82e169
MS		 780 }
781 }
782
783 cupsFileClose(fp);
784
0de71d36 785 if (in_certificate)
ff82e169
MS		 786 {
787 /*
788 * Missing END CERTIFICATE...
789 */
790
791 httpFreeCredentials(*credentials);
792 *credentials = NULL;
793 }
794
795 if (data)
796 free(data);
797
798 return (*credentials ? 0 : -1);
a15960a1
MS		 799}
800
801
802/*
803 * 'httpSaveCredentials()' - Save X.509 credentials to a keychain file.
804 *
e1f19878 805 * @since CUPS 2.0/OS 10.10@
a15960a1
MS		 806 */
807
808int /* O - -1 on error, 0 on success */
809httpSaveCredentials(
810 const char *path, /* I - Keychain/PKCS#12 path */
811 cups_array_t *credentials, /* I - Credentials */
812 const char *common_name) /* I - Common name for credentials */
813{
ff82e169
MS		 814 cups_file_t *fp; /* Certificate file */
815 char filename[1024], /* filename.crt */
816 nfilename[1024],/* filename.crt.N */
817 temp[1024], /* Temporary string */
bdc8d1ad 818 line[256]; /* Base64-encoded line */
ff82e169 819 const unsigned char *ptr; /* Pointer into certificate */
bdc8d1ad 820 ssize_t remaining; /* Bytes left */
ff82e169
MS		 821 http_credential_t *cred; /* Current credential */
822
823
824 if (!credentials || !common_name)
825 return (-1);
826
827 if (!path)
828 path = http_gnutls_default_path(temp, sizeof(temp));
829 if (!path)
830 return (-1);
831
26435c51
MS		 832 http_gnutls_make_path(filename, sizeof(filename), path, common_name, "crt");
833 snprintf(nfilename, sizeof(nfilename), "%s.N", filename);
ff82e169
MS		 834
835 if ((fp = cupsFileOpen(nfilename, "w")) == NULL)
836 return (-1);
837
838 fchmod(cupsFileNumber(fp), 0600);
839
840 for (cred = (http_credential_t *)cupsArrayFirst(credentials);
841 cred;
842 cred = (http_credential_t *)cupsArrayNext(credentials))
843 {
844 cupsFilePuts(fp, "-----BEGIN CERTIFICATE-----\n");
bdc8d1ad 845 for (ptr = cred->data, remaining = (ssize_t)cred->datalen; remaining > 0; remaining -= 45, ptr += 45)
ff82e169 846 {
bdc8d1ad 847 httpEncode64_2(line, sizeof(line), (char *)ptr, remaining > 45 ? 45 : remaining);
ff82e169
MS		 848 cupsFilePrintf(fp, "%s\n", line);
849 }
850 cupsFilePuts(fp, "-----END CERTIFICATE-----\n");
851 }
852
853 cupsFileClose(fp);
854
855 return (rename(nfilename, filename));
856}
857
858
859/*
860 * 'http_gnutls_create_credential()' - Create a single credential in the internal format.
861 */
862
863static gnutls_x509_crt_t /* O - Certificate */
864http_gnutls_create_credential(
865 http_credential_t *credential) /* I - Credential */
866{
bdc8d1ad
MS		 867 int result; /* Result from GNU TLS */
868 gnutls_x509_crt_t cert; /* Certificate */
ff82e169
MS		 869 gnutls_datum_t datum; /* Data record */
870
871
bdc8d1ad
MS		 872 DEBUG_printf(("3http_gnutls_create_credential(credential=%p)", credential));
873
ff82e169
MS		 874 if (!credential)
875 return (NULL);
876
bdc8d1ad
MS		 877 if ((result = gnutls_x509_crt_init(&cert)) < 0)
878 {
879 DEBUG_printf(("4http_gnutls_create_credential: init error: %s", gnutls_strerror(result)));
ff82e169 880 return (NULL);
bdc8d1ad 881 }
ff82e169 882
bdc8d1ad
MS		 883 datum.data = credential->data;
884 datum.size = credential->datalen;
ff82e169 885
bdc8d1ad 886 if ((result = gnutls_x509_crt_import(cert, &datum, GNUTLS_X509_FMT_DER)) < 0)
ff82e169 887 {
bdc8d1ad
MS		 888 DEBUG_printf(("4http_gnutls_create_credential: import error: %s", gnutls_strerror(result)));
889
ff82e169
MS		 890 gnutls_x509_crt_deinit(cert);
891 return (NULL);
892 }
a15960a1 893
ff82e169 894 return (cert);
a15960a1
MS		 895}
896
897
d0facf48
MS		 898/*
899 * 'http_gnutls_default_path()' - Get the default credential store path.
900 */
901
902static const char * /* O - Path or NULL on error */
903http_gnutls_default_path(char *buffer,/* I - Path buffer */
904 size_t bufsize)/* I - Size of path buffer */
905{
906 const char *home = getenv("HOME"); /* HOME environment variable */
907
908
909 if (getuid() && home)
910 {
911 snprintf(buffer, bufsize, "%s/.cups", home);
912 if (access(buffer, 0))
913 {
914 DEBUG_printf(("1http_gnutls_default_path: Making directory \"%s\".", buffer));
915 if (mkdir(buffer, 0700))
916 {
917 DEBUG_printf(("1http_gnutls_default_path: Failed to make directory: %s", strerror(errno)));
918 return (NULL);
919 }
920 }
921
922 snprintf(buffer, bufsize, "%s/.cups/ssl", home);
923 if (access(buffer, 0))
924 {
925 DEBUG_printf(("1http_gnutls_default_path: Making directory \"%s\".", buffer));
926 if (mkdir(buffer, 0700))
927 {
928 DEBUG_printf(("1http_gnutls_default_path: Failed to make directory: %s", strerror(errno)));
929 return (NULL);
930 }
931 }
932 }
933 else
934 strlcpy(buffer, CUPS_SERVERROOT "/ssl", bufsize);
935
936 DEBUG_printf(("1http_gnutls_default_path: Using default path \"%s\".", buffer));
937
938 return (buffer);
939}
940
941
08d56b1f
MS		 942/*
943 * 'http_gnutls_load_crl()' - Load the certificate revocation list, if any.
944 */
945
946static void
947http_gnutls_load_crl(void)
948{
949 _cupsMutexLock(&tls_mutex);
950
951 if (!gnutls_x509_crl_init(&tls_crl))
952 {
953 cups_file_t *fp; /* CRL file */
954 char filename[1024], /* site.crl */
955 line[256]; /* Base64-encoded line */
956 unsigned char *data = NULL; /* Buffer for cert data */
957 size_t alloc_data = 0, /* Bytes allocated */
958 num_data = 0; /* Bytes used */
959 int decoded; /* Bytes decoded */
960 gnutls_datum_t datum; /* Data record */
961
962
963 http_gnutls_make_path(filename, sizeof(filename), CUPS_SERVERROOT, "site", "crl");
964
965 if ((fp = cupsFileOpen(filename, "r")) != NULL)
966 {
967 while (cupsFileGets(fp, line, sizeof(line)))
968 {
969 if (!strcmp(line, "-----BEGIN X509 CRL-----"))
970 {
971 if (num_data)
972 {
973 /*
974 * Missing END X509 CRL...
975 */
976
977 break;
978 }
979 }
980 else if (!strcmp(line, "-----END X509 CRL-----"))
981 {
982 if (!num_data)
983 {
984 /*
985 * Missing data...
986 */
987
988 break;
989 }
990
991 datum.data = data;
992 datum.size = num_data;
993
0eff12fa 994 gnutls_x509_crl_import(tls_crl, &datum, GNUTLS_X509_FMT_PEM);
08d56b1f
MS		 995
996 num_data = 0;
997 }
998 else
999 {
1000 if (alloc_data == 0)
1001 {
1002 data = malloc(2048);
1003 alloc_data = 2048;
1004
1005 if (!data)
1006 break;
1007 }
1008 else if ((num_data + strlen(line)) >= alloc_data)
1009 {
1010 unsigned char *tdata = realloc(data, alloc_data + 1024);
1011 /* Expanded buffer */
1012
1013 if (!tdata)
08d56b1f 1014 break;
08d56b1f
MS		 1015
1016 data = tdata;
1017 alloc_data += 1024;
1018 }
1019
1020 decoded = alloc_data - num_data;
1021 httpDecode64_2((char *)data + num_data, &decoded, line);
1022 num_data += (size_t)decoded;
1023 }
1024 }
1025
1026 cupsFileClose(fp);
1027
1028 if (data)
1029 free(data);
1030 }
1031 }
1032
1033 _cupsMutexUnlock(&tls_mutex);
1034}
1035
1036
26435c51
MS		 1037/*
1038 * 'http_gnutls_make_path()' - Format a filename for a certificate or key file.
1039 */
1040
1041static const char * /* O - Filename */
1042http_gnutls_make_path(
1043 char *buffer, /* I - Filename buffer */
1044 size_t bufsize, /* I - Size of buffer */
1045 const char *dirname, /* I - Directory */
1046 const char *filename, /* I - Filename (usually hostname) */
1047 const char *ext) /* I - Extension */
1048{
1049 char *bufptr, /* Pointer into buffer */
1050 *bufend = buffer + bufsize - 1; /* End of buffer */
1051
1052
1053 snprintf(buffer, bufsize, "%s/", dirname);
1054 bufptr = buffer + strlen(buffer);
1055
1056 while (*filename && bufptr < bufend)
1057 {
1058 if (_cups_isalnum(*filename) || *filename == '-' || *filename == '.')
1059 *bufptr++ = *filename;
1060 else
1061 *bufptr++ = '_';
1062
1063 filename ++;
1064 }
1065
1066 if (bufptr < bufend)
1067 *bufptr++ = '.';
1068
a2751f30 1069 strlcpy(bufptr, ext, (size_t)(bufend - bufptr + 1));
26435c51
MS		 1070
1071 return (buffer);
1072}
1073
1074
dd332638
MS		 1075/*
1076 * 'http_gnutls_read()' - Read function for the GNU TLS library.
1077 */
1078
1079static ssize_t /* O - Number of bytes read or -1 on error */
1080http_gnutls_read(
1081 gnutls_transport_ptr_t ptr, /* I - Connection to server */
1082 void *data, /* I - Buffer */
1083 size_t length) /* I - Number of bytes to read */
1084{
1085 http_t *http; /* HTTP connection */
1086 ssize_t bytes; /* Bytes read */
1087
1088
1089 DEBUG_printf(("6http_gnutls_read(ptr=%p, data=%p, length=%d)", ptr, data, (int)length));
1090
1091 http = (http_t *)ptr;
1092
1093 if (!http->blocking)
1094 {
1095 /*
1096 * Make sure we have data before we read...
1097 */
1098
1099 while (!_httpWait(http, http->wait_value, 0))
1100 {
1101 if (http->timeout_cb && (*http->timeout_cb)(http, http->timeout_data))
1102 continue;
1103
1104 http->error = ETIMEDOUT;
1105 return (-1);
1106 }
1107 }
1108
1109 bytes = recv(http->fd, data, length, 0);
1110 DEBUG_printf(("6http_gnutls_read: bytes=%d", (int)bytes));
1111 return (bytes);
1112}
1113
1114
1115/*
1116 * 'http_gnutls_write()' - Write function for the GNU TLS library.
1117 */
1118
1119static ssize_t /* O - Number of bytes written or -1 on error */
1120http_gnutls_write(
1121 gnutls_transport_ptr_t ptr, /* I - Connection to server */
1122 const void *data, /* I - Data buffer */
1123 size_t length) /* I - Number of bytes to write */
1124{
1125 ssize_t bytes; /* Bytes written */
1126
1127
1128 DEBUG_printf(("6http_gnutls_write(ptr=%p, data=%p, length=%d)", ptr, data,
1129 (int)length));
dd332638
MS		 1130 bytes = send(((http_t *)ptr)->fd, data, length, 0);
1131 DEBUG_printf(("http_gnutls_write: bytes=%d", (int)bytes));
1132
1133 return (bytes);
1134}
2c85b752
MS		 1135
1136
1137/*
172bdf5d 1138 * '_httpTLSInitialize()' - Initialize the TLS stack.
2c85b752
MS		 1139 */
1140
172bdf5d
MS		 1141void
1142_httpTLSInitialize(void)
2c85b752 1143{
2c85b752
MS		 1144 /*
1145 * Initialize GNU TLS...
1146 */
1147
1148 gnutls_global_init();
dd332638 1149}
2c85b752 1150
2c85b752 1151
dd332638 1152/*
172bdf5d 1153 * '_httpTLSPending()' - Return the number of pending TLS-encrypted bytes.
dd332638 1154 */
2c85b752 1155
172bdf5d
MS		 1156size_t /* O - Bytes available */
1157_httpTLSPending(http_t *http) /* I - HTTP connection */
dd332638
MS		 1158{
1159 return (gnutls_record_check_pending(http->tls));
2c85b752
MS		 1160}
1161
1162
2c85b752 1163/*
172bdf5d 1164 * '_httpTLSRead()' - Read from a SSL/TLS connection.
2c85b752
MS		 1165 */
1166
172bdf5d
MS		 1167int /* O - Bytes read */
1168_httpTLSRead(http_t *http, /* I - Connection to server */
1169 char *buf, /* I - Buffer to store data */
1170 int len) /* I - Length of buffer */
2c85b752 1171{
2c85b752
MS		 1172 ssize_t result; /* Return value */
1173
1174
07623986 1175 result = gnutls_record_recv(http->tls, buf, (size_t)len);
2c85b752
MS		 1176
1177 if (result < 0 && !errno)
1178 {
1179 /*
1180 * Convert GNU TLS error to errno value...
1181 */
1182
1183 switch (result)
1184 {
1185 case GNUTLS_E_INTERRUPTED :
1186 errno = EINTR;
1187 break;
1188
1189 case GNUTLS_E_AGAIN :
1190 errno = EAGAIN;
1191 break;
1192
1193 default :
1194 errno = EPIPE;
1195 break;
1196 }
1197
1198 result = -1;
1199 }
1200
1201 return ((int)result);
dd332638 1202}
2c85b752
MS		 1203
1204
dd332638 1205/*
172bdf5d 1206 * '_httpTLSSetCredentials()' - Set the TLS credentials.
dd332638 1207 */
2c85b752 1208
172bdf5d
MS		 1209int /* O - Status of connection */
1210_httpTLSSetCredentials(http_t *http) /* I - Connection to server */
dd332638
MS		 1211{
1212 (void)http;
2c85b752 1213
dd332638 1214 return (0);
2c85b752 1215}
2c85b752
MS		 1216
1217
63aefcd5
MS		 1218/*
1219 * '_httpTLSSetOptions()' - Set TLS protocol and cipher suite options.
1220 */
1221
1222void
c61b78bd 1223_httpTLSSetOptions(unsigned int options) /* I - Options */
63aefcd5
MS		 1224{
1225 tls_options = options;
1226}
1227
1228
2c85b752 1229/*
172bdf5d 1230 * '_httpTLSStart()' - Set up SSL/TLS support on a connection.
2c85b752
MS		 1231 */
1232
172bdf5d
MS		 1233int /* O - 0 on success, -1 on failure */
1234_httpTLSStart(http_t *http) /* I - Connection to server */
2c85b752
MS		 1235{
1236 char hostname[256], /* Hostname */
1237 *hostptr; /* Pointer into hostname */
2c85b752 1238 int status; /* Status of handshake */
172bdf5d 1239 gnutls_certificate_credentials_t *credentials;
2c85b752 1240 /* TLS credentials */
5e59cd06 1241 char priority_string[2048];
ee6226a5 1242 /* Priority string */
2c85b752
MS		 1243
1244
b37d45d9
MS		 1245 DEBUG_printf(("3_httpTLSStart(http=%p)", http));
1246
c61b78bd 1247 if ((tls_options == _HTTP_TLS_UNCHANGED) || (tls_options == _HTTP_TLS_NONE))
b37d45d9
MS		 1248 {
1249 DEBUG_puts("4_httpTLSStart: Setting defaults.");
1250 _cupsSetDefaults();
1251 DEBUG_printf(("4_httpTLSStart: tls_options=%x", tls_options));
1252 }
2c85b752 1253
172bdf5d 1254 if (http->mode == _HTTP_MODE_SERVER && !tls_keypath)
2c85b752 1255 {
172bdf5d
MS		 1256 DEBUG_puts("4_httpTLSStart: cupsSetServerCredentials not called.");
1257 http->error = errno = EINVAL;
1258 http->status = HTTP_STATUS_ERROR;
1259 _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Server credentials not set."), 1);
2c85b752 1260
172bdf5d 1261 return (-1);
2c85b752
MS		 1262 }
1263
172bdf5d
MS		 1264 credentials = (gnutls_certificate_credentials_t *)
1265 malloc(sizeof(gnutls_certificate_credentials_t));
2c85b752
MS		 1266 if (credentials == NULL)
1267 {
172bdf5d 1268 DEBUG_printf(("8_httpStartTLS: Unable to allocate credentials: %s",
2c85b752
MS		 1269 strerror(errno)));
1270 http->error = errno;
1271 http->status = HTTP_STATUS_ERROR;
1272 _cupsSetHTTPError(HTTP_STATUS_ERROR);
1273
1274 return (-1);
1275 }
1276
1277 gnutls_certificate_allocate_credentials(credentials);
d0facf48 1278 status = gnutls_init(&http->tls, http->mode == _HTTP_MODE_CLIENT ? GNUTLS_CLIENT : GNUTLS_SERVER);
d0facf48 1279 if (!status)
005f7f1f 1280 status = gnutls_set_default_priority(http->tls);
d0facf48
MS		 1281
1282 if (status)
1283 {
1284 http->error = EIO;
1285 http->status = HTTP_STATUS_ERROR;
1286
1287 DEBUG_printf(("4_httpTLSStart: Unable to initialize common TLS parameters: %s", gnutls_strerror(status)));
1288 _cupsSetError(IPP_STATUS_ERROR_CUPS_PKI, gnutls_strerror(status), 0);
1289
1290 gnutls_deinit(http->tls);
1291 gnutls_certificate_free_credentials(*credentials);
1292 free(credentials);
1293 http->tls = NULL;
1294
1295 return (-1);
1296 }
2c85b752 1297
f394e0f7 1298 if (http->mode == _HTTP_MODE_CLIENT)
172bdf5d
MS		 1299 {
1300 /*
1301 * Client: get the hostname to use for TLS...
1302 */
1303
1304 if (httpAddrLocalhost(http->hostaddr))
1305 {
1306 strlcpy(hostname, "localhost", sizeof(hostname));
1307 }
1308 else
1309 {
1310 /*
1311 * Otherwise make sure the hostname we have does not end in a trailing dot.
1312 */
1313
1314 strlcpy(hostname, http->hostname, sizeof(hostname));
1315 if ((hostptr = hostname + strlen(hostname) - 1) >= hostname &&
1316 *hostptr == '.')
1317 *hostptr = '\0';
1318 }
1319
d0facf48 1320 status = gnutls_server_name_set(http->tls, GNUTLS_NAME_DNS, hostname, strlen(hostname));
172bdf5d
MS		 1321 }
1322 else
1323 {
1324 /*
1325 * Server: get certificate and private key...
1326 */
1327
1328 char crtfile[1024], /* Certificate file */
1329 keyfile[1024]; /* Private key file */
1330 int have_creds = 0; /* Have credentials? */
1331
172bdf5d
MS		 1332 if (http->fields[HTTP_FIELD_HOST][0])
1333 {
1334 /*
1335 * Use hostname for TLS upgrade...
1336 */
1337
1338 strlcpy(hostname, http->fields[HTTP_FIELD_HOST], sizeof(hostname));
1339 }
1340 else
1341 {
1342 /*
1343 * Resolve hostname from connection address...
1344 */
1345
1346 http_addr_t addr; /* Connection address */
1347 socklen_t addrlen; /* Length of address */
1348
1349 addrlen = sizeof(addr);
1350 if (getsockname(http->fd, (struct sockaddr *)&addr, &addrlen))
1351 {
1352 DEBUG_printf(("4_httpTLSStart: Unable to get socket address: %s", strerror(errno)));
1353 hostname[0] = '\0';
1354 }
1355 else if (httpAddrLocalhost(&addr))
1356 hostname[0] = '\0';
1357 else
1358 {
1359 httpAddrLookup(&addr, hostname, sizeof(hostname));
1360 DEBUG_printf(("4_httpTLSStart: Resolved socket address to \"%s\".", hostname));
1361 }
1362 }
1363
1364 if (isdigit(hostname[0] & 255) || hostname[0] == '[')
1365 hostname[0] = '\0'; /* Don't allow numeric addresses */
1366
1367 if (hostname[0])
1368 {
9e5e2cef 1369 /*
7b98e44e 1370 * First look in the CUPS keystore...
9e5e2cef
MS		 1371 */
1372
7b98e44e
MS		 1373 http_gnutls_make_path(crtfile, sizeof(crtfile), tls_keypath, hostname, "crt");
1374 http_gnutls_make_path(keyfile, sizeof(keyfile), tls_keypath, hostname, "key");
9e5e2cef
MS		 1375
1376 if (access(crtfile, R_OK) || access(keyfile, R_OK))
1377 {
1378 /*
7b98e44e
MS		 1379 * No CUPS-managed certs, look for CA certs...
1380 */
1381
1382 char cacrtfile[1024], cakeyfile[1024]; /* CA cert files */
1383
1384 snprintf(cacrtfile, sizeof(cacrtfile), "/etc/letsencrypt/live/%s/fullchain.pem", hostname);
1385 snprintf(cakeyfile, sizeof(cakeyfile), "/etc/letsencrypt/live/%s/privkey.pem", hostname);
1386
1387 if ((access(cacrtfile, R_OK) || access(cakeyfile, R_OK)) && (hostptr = strchr(hostname, '.')) != NULL)
1388 {
1389 /*
1390 * Try just domain name...
1391 */
1392
1393 hostptr ++;
1394 if (strchr(hostptr, '.'))
1395 {
1396 snprintf(cacrtfile, sizeof(cacrtfile), "/etc/letsencrypt/live/%s/fullchain.pem", hostptr);
1397 snprintf(cakeyfile, sizeof(cakeyfile), "/etc/letsencrypt/live/%s/privkey.pem", hostptr);
1398 }
1399 }
1400
1401 if (!access(cacrtfile, R_OK) && !access(cakeyfile, R_OK))
1402 {
1403 /*
1404 * Use the CA certs...
1405 */
1406
1407 strlcpy(crtfile, cacrtfile, sizeof(crtfile));
1408 strlcpy(keyfile, cakeyfile, sizeof(keyfile));
1409 }
9e5e2cef 1410 }
172bdf5d 1411
9e5e2cef 1412 have_creds = !access(crtfile, R_OK) && !access(keyfile, R_OK);
172bdf5d
MS		 1413 }
1414 else if (tls_common_name)
1415 {
9e5e2cef 1416 /*
7b98e44e 1417 * First look in the CUPS keystore...
9e5e2cef
MS		 1418 */
1419
7b98e44e
MS		 1420 http_gnutls_make_path(crtfile, sizeof(crtfile), tls_keypath, tls_common_name, "crt");
1421 http_gnutls_make_path(keyfile, sizeof(keyfile), tls_keypath, tls_common_name, "key");
9e5e2cef
MS		 1422
1423 if (access(crtfile, R_OK) || access(keyfile, R_OK))
1424 {
1425 /*
7b98e44e
MS		 1426 * No CUPS-managed certs, look for CA certs...
1427 */
1428
1429 char cacrtfile[1024], cakeyfile[1024]; /* CA cert files */
1430
1431 snprintf(cacrtfile, sizeof(cacrtfile), "/etc/letsencrypt/live/%s/fullchain.pem", tls_common_name);
1432 snprintf(cakeyfile, sizeof(cakeyfile), "/etc/letsencrypt/live/%s/privkey.pem", tls_common_name);
1433
1434 if ((access(cacrtfile, R_OK) || access(cakeyfile, R_OK)) && (hostptr = strchr(tls_common_name, '.')) != NULL)
1435 {
1436 /*
1437 * Try just domain name...
1438 */
1439
1440 hostptr ++;
1441 if (strchr(hostptr, '.'))
1442 {
1443 snprintf(cacrtfile, sizeof(cacrtfile), "/etc/letsencrypt/live/%s/fullchain.pem", hostptr);
1444 snprintf(cakeyfile, sizeof(cakeyfile), "/etc/letsencrypt/live/%s/privkey.pem", hostptr);
1445 }
1446 }
1447
1448 if (!access(cacrtfile, R_OK) && !access(cakeyfile, R_OK))
1449 {
1450 /*
1451 * Use the CA certs...
1452 */
1453
1454 strlcpy(crtfile, cacrtfile, sizeof(crtfile));
1455 strlcpy(keyfile, cakeyfile, sizeof(keyfile));
1456 }
9e5e2cef 1457 }
172bdf5d 1458
9e5e2cef 1459 have_creds = !access(crtfile, R_OK) && !access(keyfile, R_OK);
172bdf5d
MS		 1460 }
1461
1462 if (!have_creds && tls_auto_create && (hostname[0] || tls_common_name))
1463 {
1464 DEBUG_printf(("4_httpTLSStart: Auto-create credentials for \"%s\".", hostname[0] ? hostname : tls_common_name));
1465
1466 if (!cupsMakeServerCredentials(tls_keypath, hostname[0] ? hostname : tls_common_name, 0, NULL, time(NULL) + 365 * 86400))
1467 {
1468 DEBUG_puts("4_httpTLSStart: cupsMakeServerCredentials failed.");
1469 http->error = errno = EINVAL;
1470 http->status = HTTP_STATUS_ERROR;
1471 _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Unable to create server credentials."), 1);
1472
1473 return (-1);
1474 }
1475 }
1476
d0facf48
MS		 1477 DEBUG_printf(("4_httpTLSStart: Using certificate \"%s\" and private key \"%s\".", crtfile, keyfile));
1478
9e5e2cef
MS		 1479 if (!status)
1480 status = gnutls_certificate_set_x509_key_file(*credentials, crtfile, keyfile, GNUTLS_X509_FMT_PEM);
d0facf48
MS		 1481 }
1482
1483 if (!status)
1484 status = gnutls_credentials_set(http->tls, GNUTLS_CRD_CERTIFICATE, *credentials);
1485
1486 if (status)
1487 {
1488 http->error = EIO;
1489 http->status = HTTP_STATUS_ERROR;
1490
1491 DEBUG_printf(("4_httpTLSStart: Unable to complete client/server setup: %s", gnutls_strerror(status)));
1492 _cupsSetError(IPP_STATUS_ERROR_CUPS_PKI, gnutls_strerror(status), 0);
1493
1494 gnutls_deinit(http->tls);
1495 gnutls_certificate_free_credentials(*credentials);
1496 free(credentials);
1497 http->tls = NULL;
1498
1499 return (-1);
172bdf5d
MS		 1500 }
1501
838bcb92
MS		 1502 strlcpy(priority_string, "NORMAL", sizeof(priority_string));
1503
1504 if (tls_options & _HTTP_TLS_DENY_TLS10)
c61b78bd 1505 strlcat(priority_string, ":+VERS-TLS-ALL:!VERS-TLS1.0:!VERS-SSL3.0", sizeof(priority_string));
838bcb92
MS		 1506 else if (tls_options & _HTTP_TLS_ALLOW_SSL3)
1507 strlcat(priority_string, ":+VERS-TLS-ALL", sizeof(priority_string));
4f272af7 1508 else if (tls_options & _HTTP_TLS_ONLY_TLS10)
c61b78bd 1509 strlcat(priority_string, ":!VERS-TLS-ALL:!VERS-SSL3.0:+VERS-TLS1.0", sizeof(priority_string));
63aefcd5 1510 else
c61b78bd 1511 strlcat(priority_string, ":+VERS-TLS-ALL:!VERS-SSL3.0", sizeof(priority_string));
ee6226a5 1512
c61b78bd
PE		 1513 if (tls_options & _HTTP_TLS_ALLOW_RC4)
1514 strlcat(priority_string, ":+ARCFOUR-128", sizeof(priority_string));
1515 else
1516 strlcat(priority_string, ":!ARCFOUR-128", sizeof(priority_string));
ee6226a5 1517
c61b78bd
PE		 1518 if (tls_options & _HTTP_TLS_ALLOW_DH)
1519 strlcat(priority_string, ":+ANON-DH", sizeof(priority_string));
1520 else
72aa7cb4 1521 strlcat(priority_string, ":!ANON-DH", sizeof(priority_string));
ee6226a5 1522
c61b78bd 1523 if (tls_options & _HTTP_TLS_DENY_CBC)
5e59cd06 1524 strlcat(priority_string, ":!AES-128-CBC:!AES-256-CBC:!CAMELLIA-128-CBC:!CAMELLIA-256-CBC:!3DES-CBC", sizeof(priority_string));
f2e87147 1525
ee6226a5
MS		 1526#ifdef HAVE_GNUTLS_PRIORITY_SET_DIRECT
1527 gnutls_priority_set_direct(http->tls, priority_string, NULL);
63aefcd5 1528
19ba6878
MS		 1529#else
1530 gnutls_priority_t priority; /* Priority */
1531
ee6226a5 1532 gnutls_priority_init(&priority, priority_string, NULL);
19ba6878
MS		 1533 gnutls_priority_set(http->tls, priority);
1534 gnutls_priority_deinit(priority);
1535#endif /* HAVE_GNUTLS_PRIORITY_SET_DIRECT */
1536
d0facf48
MS		 1537 gnutls_transport_set_ptr(http->tls, (gnutls_transport_ptr_t)http);
1538 gnutls_transport_set_pull_function(http->tls, http_gnutls_read);
e7312eb4 1539#ifdef HAVE_GNUTLS_TRANSPORT_SET_PULL_TIMEOUT_FUNCTION
d0facf48 1540 gnutls_transport_set_pull_timeout_function(http->tls, (gnutls_pull_timeout_func)httpWait);
e7312eb4 1541#endif /* HAVE_GNUTLS_TRANSPORT_SET_PULL_TIMEOUT_FUNCTION */
d0facf48
MS		 1542 gnutls_transport_set_push_function(http->tls, http_gnutls_write);
1543
2c85b752
MS		 1544 while ((status = gnutls_handshake(http->tls)) != GNUTLS_E_SUCCESS)
1545 {
d0facf48 1546 DEBUG_printf(("5_httpStartTLS: gnutls_handshake returned %d (%s)",
2c85b752
MS		 1547 status, gnutls_strerror(status)));
1548
1549 if (gnutls_error_is_fatal(status))
1550 {
1551 http->error = EIO;
1552 http->status = HTTP_STATUS_ERROR;
1553
1554 _cupsSetError(IPP_STATUS_ERROR_CUPS_PKI, gnutls_strerror(status), 0);
1555
1556 gnutls_deinit(http->tls);
1557 gnutls_certificate_free_credentials(*credentials);
1558 free(credentials);
1559 http->tls = NULL;
1560
1561 return (-1);
1562 }
1563 }
1564
1565 http->tls_credentials = credentials;
1566
2c85b752
MS		 1567 return (0);
1568}
1569
1570
1571/*
172bdf5d 1572 * '_httpTLSStop()' - Shut down SSL/TLS on a connection.
2c85b752
MS		 1573 */
1574
172bdf5d
MS		 1575void
1576_httpTLSStop(http_t *http) /* I - Connection to server */
2c85b752 1577{
172bdf5d
MS		 1578 int error; /* Error code */
1579
2c85b752 1580
f394e0f7 1581 error = gnutls_bye(http->tls, http->mode == _HTTP_MODE_CLIENT ? GNUTLS_SHUT_RDWR : GNUTLS_SHUT_WR);
172bdf5d 1582 if (error != GNUTLS_E_SUCCESS)
f394e0f7 1583 _cupsSetError(IPP_STATUS_ERROR_INTERNAL, gnutls_strerror(errno), 0);
2c85b752 1584
2c85b752 1585 gnutls_deinit(http->tls);
172bdf5d
MS		 1586 http->tls = NULL;
1587
d0facf48
MS		 1588 if (http->tls_credentials)
1589 {
1590 gnutls_certificate_free_credentials(*(http->tls_credentials));
1591 free(http->tls_credentials);
1592 http->tls_credentials = NULL;
1593 }
2c85b752 1594}
2c85b752
MS		 1595
1596
2c85b752 1597/*
172bdf5d 1598 * '_httpTLSWrite()' - Write to a SSL/TLS connection.
2c85b752
MS		 1599 */
1600
172bdf5d
MS		 1601int /* O - Bytes written */
1602_httpTLSWrite(http_t *http, /* I - Connection to server */
1603 const char *buf, /* I - Buffer holding data */
1604 int len) /* I - Length of buffer */
2c85b752
MS		 1605{
1606 ssize_t result; /* Return value */
1607
1608
1609 DEBUG_printf(("2http_write_ssl(http=%p, buf=%p, len=%d)", http, buf, len));
1610
07623986 1611 result = gnutls_record_send(http->tls, buf, (size_t)len);
2c85b752
MS		 1612
1613 if (result < 0 && !errno)
1614 {
1615 /*
1616 * Convert GNU TLS error to errno value...
1617 */
1618
1619 switch (result)
1620 {
1621 case GNUTLS_E_INTERRUPTED :
1622 errno = EINTR;
1623 break;
1624
1625 case GNUTLS_E_AGAIN :
1626 errno = EAGAIN;
1627 break;
1628
1629 default :
1630 errno = EPIPE;
1631 break;
1632 }
1633
1634 result = -1;
1635 }
1636
2c85b752
MS		 1637 DEBUG_printf(("3http_write_ssl: Returning %d.", (int)result));
1638
1639 return ((int)result);
1640}
Unnamed repository; edit this file 'description' to name the repository.