]> git.ipfire.org Git - thirdparty/cups.git/blob - cups/tls-gnutls.c
projects / thirdparty / cups.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
CUPS did not work with older versions of GNU TLS (STR #4527)
[thirdparty/cups.git] / cups / tls-gnutls.c
1 /*
2 * "$Id$"
3 *
4 * TLS support code for CUPS using GNU TLS.
5 *
6 * Copyright 2007-2014 by Apple Inc.
7 * Copyright 1997-2007 by Easy Software Products, all rights reserved.
8 *
9 * These coded instructions, statements, and computer programs are the
10 * property of Apple Inc. and are protected by Federal copyright
11 * law. Distribution and use rights are outlined in the file "LICENSE.txt"
12 * which should have been included with this file. If this file is
13 * file is missing or damaged, see the license at "http://www.cups.org/".
14 *
15 * This file is subject to the Apple OS-Developed Software exception.
16 */
17
18 /**** This file is included from tls.c ****/
19
20 /*
21 * Include necessary headers...
22 */
23
24 #include <sys/stat.h>
25
26
27 /*
28 * Local globals...
29 */
30
31 static int tls_auto_create = 0;
32 /* Auto-create self-signed certs? */
33 static char *tls_common_name = NULL;
34 /* Default common name */
35 static char *tls_keypath = NULL;
36 /* Server cert keychain path */
37 static _cups_mutex_t tls_mutex = _CUPS_MUTEX_INITIALIZER;
38 /* Mutex for keychain/certs */
39 static int tls_options = 0;/* Options for TLS connections */
40
41
42 /*
43 * Local functions...
44 */
45
46 static gnutls_x509_crt_t http_gnutls_create_credential(http_credential_t *credential);
47 static const char *http_gnutls_default_path(char *buffer, size_t bufsize);
48 static const char *http_gnutls_make_path(char *buffer, size_t bufsize, const char *dirname, const char *filename, const char *ext);
49 static ssize_t http_gnutls_read(gnutls_transport_ptr_t ptr, void *data, size_t length);
50 static ssize_t http_gnutls_write(gnutls_transport_ptr_t ptr, const void *data, size_t length);
51
52
53 /*
54 * 'cupsMakeServerCredentials()' - Make a self-signed certificate and private key pair.
55 *
56 * @since CUPS 2.0/OS 10.10@
57 */
58
59 int /* O - 1 on success, 0 on failure */
60 cupsMakeServerCredentials(
61 const char *path, /* I - Path to keychain/directory */
62 const char *common_name, /* I - Common name */
63 int num_alt_names, /* I - Number of subject alternate names */
64 const char **alt_names, /* I - Subject Alternate Names */
65 time_t expiration_date) /* I - Expiration date */
66 {
67 gnutls_x509_crt_t crt; /* Self-signed certificate */
68 gnutls_x509_privkey_t key; /* Encryption private key */
69 char temp[1024], /* Temporary directory name */
70 crtfile[1024], /* Certificate filename */
71 keyfile[1024]; /* Private key filename */
72 cups_lang_t *language; /* Default language info */
73 cups_file_t *fp; /* Key/cert file */
74 unsigned char buffer[8192]; /* Buffer for x509 data */
75 size_t bytes; /* Number of bytes of data */
76 unsigned char serial[4]; /* Serial number buffer */
77 time_t curtime; /* Current time */
78 int result; /* Result of GNU TLS calls */
79
80
81 DEBUG_printf(("cupsMakeServerCredentials(path=\"%s\", common_name=\"%s\", num_alt_names=%d, alt_names=%p, expiration_date=%d)", path, common_name, num_alt_names, alt_names, (int)expiration_date));
82
83 /*
84 * Filenames...
85 */
86
87 if (!path)
88 path = http_gnutls_default_path(temp, sizeof(temp));
89
90 if (!path || !common_name)
91 {
92 _cupsSetError(IPP_STATUS_ERROR_INTERNAL, strerror(EINVAL), 0);
93 return (0);
94 }
95
96 http_gnutls_make_path(crtfile, sizeof(crtfile), path, common_name, "crt");
97 http_gnutls_make_path(keyfile, sizeof(keyfile), path, common_name, "key");
98
99 /*
100 * Create the encryption key...
101 */
102
103 DEBUG_puts("1cupsMakeServerCredentials: Creating key pair.");
104
105 gnutls_x509_privkey_init(&key);
106 gnutls_x509_privkey_generate(key, GNUTLS_PK_RSA, 2048, 0);
107
108 DEBUG_puts("1cupsMakeServerCredentials: Key pair created.");
109
110 /*
111 * Save it...
112 */
113
114 bytes = sizeof(buffer);
115
116 if ((result = gnutls_x509_privkey_export(key, GNUTLS_X509_FMT_PEM, buffer, &bytes)) < 0)
117 {
118 DEBUG_printf(("1cupsMakeServerCredentials: Unable to export private key: %s", gnutls_strerror(result)));
119 _cupsSetError(IPP_STATUS_ERROR_INTERNAL, gnutls_strerror(result), 0);
120 gnutls_x509_privkey_deinit(key);
121 return (0);
122 }
123 else if ((fp = cupsFileOpen(keyfile, "w")) != NULL)
124 {
125 DEBUG_printf(("1cupsMakeServerCredentials: Writing private key to \"%s\".", keyfile));
126 cupsFileWrite(fp, (char *)buffer, bytes);
127 cupsFileClose(fp);
128 }
129 else
130 {
131 DEBUG_printf(("1cupsMakeServerCredentials: Unable to create private key file \"%s\": %s", keyfile, strerror(errno)));
132 _cupsSetError(IPP_STATUS_ERROR_INTERNAL, strerror(errno), 0);
133 gnutls_x509_privkey_deinit(key);
134 return (0);
135 }
136
137 /*
138 * Create the self-signed certificate...
139 */
140
141 DEBUG_puts("1cupsMakeServerCredentials: Generating self-signed X.509 certificate.");
142
143 language = cupsLangDefault();
144 curtime = time(NULL);
145 serial[0] = curtime >> 24;
146 serial[1] = curtime >> 16;
147 serial[2] = curtime >> 8;
148 serial[3] = curtime;
149
150 gnutls_x509_crt_init(&crt);
151 if (strlen(language->language) == 5)
152 gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_X520_COUNTRY_NAME, 0,
153 language->language + 3, 2);
154 else
155 gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_X520_COUNTRY_NAME, 0,
156 "US", 2);
157 gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_X520_COMMON_NAME, 0,
158 common_name, strlen(common_name));
159 gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_X520_ORGANIZATION_NAME, 0,
160 common_name, strlen(common_name));
161 gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME,
162 0, "Unknown", 7);
163 gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME, 0,
164 "Unknown", 7);
165 gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_X520_LOCALITY_NAME, 0,
166 "Unknown", 7);
167 /* gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_PKCS9_EMAIL, 0,
168 ServerAdmin, strlen(ServerAdmin));*/
169 gnutls_x509_crt_set_key(crt, key);
170 gnutls_x509_crt_set_serial(crt, serial, sizeof(serial));
171 gnutls_x509_crt_set_activation_time(crt, curtime);
172 gnutls_x509_crt_set_expiration_time(crt, curtime + 10 * 365 * 86400);
173 gnutls_x509_crt_set_ca_status(crt, 0);
174 if (num_alt_names > 0)
175 gnutls_x509_crt_set_subject_alternative_name(crt, GNUTLS_SAN_DNSNAME, alt_names[0]);
176 gnutls_x509_crt_set_key_purpose_oid(crt, GNUTLS_KP_TLS_WWW_SERVER, 0);
177 gnutls_x509_crt_set_key_usage(crt, GNUTLS_KEY_KEY_ENCIPHERMENT);
178 gnutls_x509_crt_set_version(crt, 3);
179
180 bytes = sizeof(buffer);
181 if (gnutls_x509_crt_get_key_id(crt, 0, buffer, &bytes) >= 0)
182 gnutls_x509_crt_set_subject_key_id(crt, buffer, bytes);
183
184 gnutls_x509_crt_sign(crt, crt, key);
185
186 /*
187 * Save it...
188 */
189
190 bytes = sizeof(buffer);
191 if ((result = gnutls_x509_crt_export(crt, GNUTLS_X509_FMT_PEM, buffer, &bytes)) < 0)
192 {
193 DEBUG_printf(("1cupsMakeServerCredentials: Unable to export public key and X.509 certificate: %s", gnutls_strerror(result)));
194 _cupsSetError(IPP_STATUS_ERROR_INTERNAL, gnutls_strerror(result), 0);
195 gnutls_x509_crt_deinit(crt);
196 gnutls_x509_privkey_deinit(key);
197 return (0);
198 }
199 else if ((fp = cupsFileOpen(crtfile, "w")) != NULL)
200 {
201 DEBUG_printf(("1cupsMakeServerCredentials: Writing public key and X.509 certificate to \"%s\".", crtfile));
202 cupsFileWrite(fp, (char *)buffer, bytes);
203 cupsFileClose(fp);
204 }
205 else
206 {
207 DEBUG_printf(("1cupsMakeServerCredentials: Unable to create public key and X.509 certificate file \"%s\": %s", crtfile, strerror(errno)));
208 _cupsSetError(IPP_STATUS_ERROR_INTERNAL, strerror(errno), 0);
209 gnutls_x509_crt_deinit(crt);
210 gnutls_x509_privkey_deinit(key);
211 return (0);
212 }
213
214 /*
215 * Cleanup...
216 */
217
218 gnutls_x509_crt_deinit(crt);
219 gnutls_x509_privkey_deinit(key);
220
221 DEBUG_puts("1cupsMakeServerCredentials: Successfully created credentials.");
222
223 return (1);
224 }
225
226
227 /*
228 * 'cupsSetServerCredentials()' - Set the default server credentials.
229 *
230 * Note: The server credentials are used by all threads in the running process.
231 * This function is threadsafe.
232 *
233 * @since CUPS 2.0/OS 10.10@
234 */
235
236 int /* O - 1 on success, 0 on failure */
237 cupsSetServerCredentials(
238 const char *path, /* I - Path to keychain/directory */
239 const char *common_name, /* I - Default common name for server */
240 int auto_create) /* I - 1 = automatically create self-signed certificates */
241 {
242 char temp[1024]; /* Default path buffer */
243
244
245 DEBUG_printf(("cupsSetServerCredentials(path=\"%s\", common_name=\"%s\", auto_create=%d)", path, common_name, auto_create));
246
247 /*
248 * Use defaults as needed...
249 */
250
251 if (!path)
252 path = http_gnutls_default_path(temp, sizeof(temp));
253
254 /*
255 * Range check input...
256 */
257
258 if (!path || !common_name)
259 {
260 _cupsSetError(IPP_STATUS_ERROR_INTERNAL, strerror(EINVAL), 0);
261 return (0);
262 }
263
264 _cupsMutexLock(&tls_mutex);
265
266 /*
267 * Free old values...
268 */
269
270 if (tls_keypath)
271 _cupsStrFree(tls_keypath);
272
273 if (tls_common_name)
274 _cupsStrFree(tls_common_name);
275
276 /*
277 * Save the new values...
278 */
279
280 tls_keypath = _cupsStrAlloc(path);
281 tls_auto_create = auto_create;
282 tls_common_name = _cupsStrAlloc(common_name);
283
284 _cupsMutexUnlock(&tls_mutex);
285
286 return (1);
287 }
288
289
290 /*
291 * 'httpCopyCredentials()' - Copy the credentials associated with the peer in
292 * an encrypted connection.
293 *
294 * @since CUPS 1.5/OS X 10.7@
295 */
296
297 int /* O - Status of call (0 = success) */
298 httpCopyCredentials(
299 http_t *http, /* I - Connection to server */
300 cups_array_t **credentials) /* O - Array of credentials */
301 {
302 unsigned count; /* Number of certificates */
303 const gnutls_datum_t *certs; /* Certificates */
304
305
306 DEBUG_printf(("httpCopyCredentials(http=%p, credentials=%p)", http, credentials));
307
308 if (credentials)
309 *credentials = NULL;
310
311 if (!http || !http->tls || !credentials)
312 return (-1);
313
314 *credentials = cupsArrayNew(NULL, NULL);
315 certs = gnutls_certificate_get_peers(http->tls, &count);
316
317 DEBUG_printf(("1httpCopyCredentials: certs=%p, count=%u", certs, count));
318
319 if (certs && count)
320 {
321 while (count > 0)
322 {
323 httpAddCredential(*credentials, certs->data, certs->size);
324 certs ++;
325 count --;
326 }
327 }
328
329 return (0);
330 }
331
332
333 /*
334 * '_httpCreateCredentials()' - Create credentials in the internal format.
335 */
336
337 http_tls_credentials_t /* O - Internal credentials */
338 _httpCreateCredentials(
339 cups_array_t *credentials) /* I - Array of credentials */
340 {
341 (void)credentials;
342
343 return (NULL);
344 }
345
346
347 /*
348 * '_httpFreeCredentials()' - Free internal credentials.
349 */
350
351 void
352 _httpFreeCredentials(
353 http_tls_credentials_t credentials) /* I - Internal credentials */
354 {
355 (void)credentials;
356 }
357
358
359 /*
360 * 'httpCredentialsAreValidForName()' - Return whether the credentials are valid for the given name.
361 *
362 * @since CUPS 2.0/OS 10.10@
363 */
364
365 int /* O - 1 if valid, 0 otherwise */
366 httpCredentialsAreValidForName(
367 cups_array_t *credentials, /* I - Credentials */
368 const char *common_name) /* I - Name to check */
369 {
370 gnutls_x509_crt_t cert; /* Certificate */
371 int result = 0; /* Result */
372
373
374 cert = http_gnutls_create_credential((http_credential_t *)cupsArrayFirst(credentials));
375 if (cert)
376 {
377 result = gnutls_x509_crt_check_hostname(cert, common_name) != 0;
378 gnutls_x509_crt_deinit(cert);
379 }
380
381 return (result);
382 }
383
384
385 /*
386 * 'httpCredentialsGetTrust()' - Return the trust of credentials.
387 *
388 * @since CUPS 2.0/OS 10.10@
389 */
390
391 http_trust_t /* O - Level of trust */
392 httpCredentialsGetTrust(
393 cups_array_t *credentials, /* I - Credentials */
394 const char *common_name) /* I - Common name for trust lookup */
395 {
396 http_trust_t trust = HTTP_TRUST_OK;
397 /* Trusted? */
398 gnutls_x509_crt_t cert; /* Certificate */
399 cups_array_t *tcreds = NULL; /* Trusted credentials */
400 _cups_globals_t *cg = _cupsGlobals();
401 /* Per-thread globals */
402
403
404 if (!common_name)
405 return (HTTP_TRUST_UNKNOWN);
406
407 if ((cert = http_gnutls_create_credential((http_credential_t *)cupsArrayFirst(credentials))) == NULL)
408 return (HTTP_TRUST_UNKNOWN);
409
410 /*
411 * Look this common name up in the default keychains...
412 */
413
414 httpLoadCredentials(NULL, &tcreds, common_name);
415
416 if (tcreds)
417 {
418 char credentials_str[1024], /* String for incoming credentials */
419 tcreds_str[1024]; /* String for saved credentials */
420
421 httpCredentialsString(credentials, credentials_str, sizeof(credentials_str));
422 httpCredentialsString(tcreds, tcreds_str, sizeof(tcreds_str));
423
424 if (strcmp(credentials_str, tcreds_str))
425 {
426 /*
427 * Credentials don't match, let's look at the expiration date of the new
428 * credentials and allow if the new ones have a later expiration...
429 */
430
431 if (httpCredentialsGetExpiration(credentials) <= httpCredentialsGetExpiration(tcreds) ||
432 !httpCredentialsAreValidForName(credentials, common_name))
433 {
434 /*
435 * Either the new credentials are not newly issued, or the common name
436 * does not match the issued certificate...
437 */
438
439 trust = HTTP_TRUST_INVALID;
440 }
441 else if (httpCredentialsGetExpiration(tcreds) < time(NULL))
442 {
443 /*
444 * Save the renewed credentials...
445 */
446
447 trust = HTTP_TRUST_RENEWED;
448
449 httpSaveCredentials(NULL, credentials, common_name);
450 }
451 }
452
453 httpFreeCredentials(tcreds);
454 }
455 else if (cg->validate_certs && !httpCredentialsAreValidForName(credentials, common_name))
456 trust = HTTP_TRUST_INVALID;
457
458 if (trust == HTTP_TRUST_OK && !cg->expired_certs)
459 {
460 time_t curtime; /* Current date/time */
461
462 time(&curtime);
463 if (curtime < gnutls_x509_crt_get_activation_time(cert) ||
464 curtime > gnutls_x509_crt_get_expiration_time(cert))
465 trust = HTTP_TRUST_EXPIRED;
466 }
467
468 if (trust == HTTP_TRUST_OK && !cg->any_root && cupsArrayCount(credentials) == 1)
469 trust = HTTP_TRUST_INVALID;
470
471 gnutls_x509_crt_deinit(cert);
472
473 return (trust);
474 }
475
476
477 /*
478 * 'httpCredentialsGetExpiration()' - Return the expiration date of the credentials.
479 *
480 * @since CUPS 2.0/OS 10.10@
481 */
482
483 time_t /* O - Expiration date of credentials */
484 httpCredentialsGetExpiration(
485 cups_array_t *credentials) /* I - Credentials */
486 {
487 gnutls_x509_crt_t cert; /* Certificate */
488 time_t result = 0; /* Result */
489
490
491 cert = http_gnutls_create_credential((http_credential_t *)cupsArrayFirst(credentials));
492 if (cert)
493 {
494 result = gnutls_x509_crt_get_expiration_time(cert);
495 gnutls_x509_crt_deinit(cert);
496 }
497
498 return (result);
499 }
500
501
502 /*
503 * 'httpCredentialsString()' - Return a string representing the credentials.
504 *
505 * @since CUPS 2.0/OS 10.10@
506 */
507
508 size_t /* O - Total size of credentials string */
509 httpCredentialsString(
510 cups_array_t *credentials, /* I - Credentials */
511 char *buffer, /* I - Buffer or @code NULL@ */
512 size_t bufsize) /* I - Size of buffer */
513 {
514 http_credential_t *first; /* First certificate */
515 gnutls_x509_crt_t cert; /* Certificate */
516
517
518 DEBUG_printf(("httpCredentialsString(credentials=%p, buffer=%p, bufsize=" CUPS_LLFMT ")", credentials, buffer, CUPS_LLCAST bufsize));
519
520 if (!buffer)
521 return (0);
522
523 if (buffer && bufsize > 0)
524 *buffer = '\0';
525
526 if ((first = (http_credential_t *)cupsArrayFirst(credentials)) != NULL &&
527 (cert = http_gnutls_create_credential(first)) != NULL)
528 {
529 char name[256]; /* Common name associated with cert */
530 size_t namelen; /* Length of name */
531 time_t expiration; /* Expiration date of cert */
532 _cups_md5_state_t md5_state; /* MD5 state */
533 unsigned char md5_digest[16]; /* MD5 result */
534
535 namelen = sizeof(name) - 1;
536 if (gnutls_x509_crt_get_dn_by_oid(cert, GNUTLS_OID_X520_COMMON_NAME, 0, 0, name, &namelen) >= 0)
537 name[namelen] = '\0';
538 else
539 strlcpy(name, "unknown", sizeof(name));
540
541 expiration = gnutls_x509_crt_get_expiration_time(cert);
542
543 _cupsMD5Init(&md5_state);
544 _cupsMD5Append(&md5_state, first->data, (int)first->datalen);
545 _cupsMD5Finish(&md5_state, md5_digest);
546
547 snprintf(buffer, bufsize, "%s / %s / %02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X", name, httpGetDateString(expiration), md5_digest[0], md5_digest[1], md5_digest[2], md5_digest[3], md5_digest[4], md5_digest[5], md5_digest[6], md5_digest[7], md5_digest[8], md5_digest[9], md5_digest[10], md5_digest[11], md5_digest[12], md5_digest[13], md5_digest[14], md5_digest[15]);
548
549 gnutls_x509_crt_deinit(cert);
550 }
551
552 DEBUG_printf(("1httpCredentialsString: Returning \"%s\".", buffer));
553
554 return (strlen(buffer));
555 }
556
557
558 /*
559 * 'httpLoadCredentials()' - Load X.509 credentials from a keychain file.
560 *
561 * @since CUPS 2.0/OS 10.10@
562 */
563
564 int /* O - 0 on success, -1 on error */
565 httpLoadCredentials(
566 const char *path, /* I - Keychain/PKCS#12 path */
567 cups_array_t **credentials, /* IO - Credentials */
568 const char *common_name) /* I - Common name for credentials */
569 {
570 cups_file_t *fp; /* Certificate file */
571 char filename[1024], /* filename.crt */
572 temp[1024], /* Temporary string */
573 line[256]; /* Base64-encoded line */
574 unsigned char *data = NULL; /* Buffer for cert data */
575 size_t alloc_data = 0, /* Bytes allocated */
576 num_data = 0; /* Bytes used */
577 int decoded; /* Bytes decoded */
578
579
580 if (!credentials || !common_name)
581 return (-1);
582
583 if (!path)
584 path = http_gnutls_default_path(temp, sizeof(temp));
585 if (!path)
586 return (-1);
587
588 http_gnutls_make_path(filename, sizeof(filename), path, common_name, "crt");
589
590 if ((fp = cupsFileOpen(filename, "r")) == NULL)
591 return (-1);
592
593 while (cupsFileGets(fp, line, sizeof(line)))
594 {
595 if (!strcmp(line, "-----BEGIN CERTIFICATE-----"))
596 {
597 if (num_data)
598 {
599 /*
600 * Missing END CERTIFICATE...
601 */
602
603 httpFreeCredentials(*credentials);
604 *credentials = NULL;
605 break;
606 }
607 }
608 else if (!strcmp(line, "-----END CERTIFICATE-----"))
609 {
610 if (!num_data)
611 {
612 /*
613 * Missing data...
614 */
615
616 httpFreeCredentials(*credentials);
617 *credentials = NULL;
618 break;
619 }
620
621 if (!*credentials)
622 *credentials = cupsArrayNew(NULL, NULL);
623
624 if (httpAddCredential(*credentials, data, num_data))
625 {
626 httpFreeCredentials(*credentials);
627 *credentials = NULL;
628 break;
629 }
630
631 num_data = 0;
632 }
633 else
634 {
635 if (alloc_data == 0)
636 {
637 data = malloc(2048);
638 alloc_data = 2048;
639
640 if (!data)
641 break;
642 }
643 else if ((num_data + strlen(line)) >= alloc_data)
644 {
645 unsigned char *tdata = realloc(data, alloc_data + 1024);
646 /* Expanded buffer */
647
648 if (!tdata)
649 {
650 httpFreeCredentials(*credentials);
651 *credentials = NULL;
652 break;
653 }
654
655 data = tdata;
656 alloc_data += 1024;
657 }
658
659 decoded = alloc_data - num_data;
660 httpDecode64_2((char *)data + num_data, &decoded, line);
661 num_data += (size_t)decoded;
662 }
663 }
664
665 cupsFileClose(fp);
666
667 if (num_data)
668 {
669 /*
670 * Missing END CERTIFICATE...
671 */
672
673 httpFreeCredentials(*credentials);
674 *credentials = NULL;
675 }
676
677 if (data)
678 free(data);
679
680 return (*credentials ? 0 : -1);
681 }
682
683
684 /*
685 * 'httpSaveCredentials()' - Save X.509 credentials to a keychain file.
686 *
687 * @since CUPS 2.0/OS 10.10@
688 */
689
690 int /* O - -1 on error, 0 on success */
691 httpSaveCredentials(
692 const char *path, /* I - Keychain/PKCS#12 path */
693 cups_array_t *credentials, /* I - Credentials */
694 const char *common_name) /* I - Common name for credentials */
695 {
696 cups_file_t *fp; /* Certificate file */
697 char filename[1024], /* filename.crt */
698 nfilename[1024],/* filename.crt.N */
699 temp[1024], /* Temporary string */
700 line[256]; /* Base64-encoded line */
701 const unsigned char *ptr; /* Pointer into certificate */
702 ssize_t remaining; /* Bytes left */
703 http_credential_t *cred; /* Current credential */
704
705
706 if (!credentials || !common_name)
707 return (-1);
708
709 if (!path)
710 path = http_gnutls_default_path(temp, sizeof(temp));
711 if (!path)
712 return (-1);
713
714 http_gnutls_make_path(filename, sizeof(filename), path, common_name, "crt");
715 snprintf(nfilename, sizeof(nfilename), "%s.N", filename);
716
717 if ((fp = cupsFileOpen(nfilename, "w")) == NULL)
718 return (-1);
719
720 fchmod(cupsFileNumber(fp), 0600);
721
722 for (cred = (http_credential_t *)cupsArrayFirst(credentials);
723 cred;
724 cred = (http_credential_t *)cupsArrayNext(credentials))
725 {
726 cupsFilePuts(fp, "-----BEGIN CERTIFICATE-----\n");
727 for (ptr = cred->data, remaining = (ssize_t)cred->datalen; remaining > 0; remaining -= 45, ptr += 45)
728 {
729 httpEncode64_2(line, sizeof(line), (char *)ptr, remaining > 45 ? 45 : remaining);
730 cupsFilePrintf(fp, "%s\n", line);
731 }
732 cupsFilePuts(fp, "-----END CERTIFICATE-----\n");
733 }
734
735 cupsFileClose(fp);
736
737 return (rename(nfilename, filename));
738 }
739
740
741 /*
742 * 'http_gnutls_create_credential()' - Create a single credential in the internal format.
743 */
744
745 static gnutls_x509_crt_t /* O - Certificate */
746 http_gnutls_create_credential(
747 http_credential_t *credential) /* I - Credential */
748 {
749 int result; /* Result from GNU TLS */
750 gnutls_x509_crt_t cert; /* Certificate */
751 gnutls_datum_t datum; /* Data record */
752
753
754 DEBUG_printf(("3http_gnutls_create_credential(credential=%p)", credential));
755
756 if (!credential)
757 return (NULL);
758
759 if ((result = gnutls_x509_crt_init(&cert)) < 0)
760 {
761 DEBUG_printf(("4http_gnutls_create_credential: init error: %s", gnutls_strerror(result)));
762 return (NULL);
763 }
764
765 datum.data = credential->data;
766 datum.size = credential->datalen;
767
768 if ((result = gnutls_x509_crt_import(cert, &datum, GNUTLS_X509_FMT_DER)) < 0)
769 {
770 DEBUG_printf(("4http_gnutls_create_credential: import error: %s", gnutls_strerror(result)));
771
772 gnutls_x509_crt_deinit(cert);
773 return (NULL);
774 }
775
776 return (cert);
777 }
778
779
780 /*
781 * 'http_gnutls_default_path()' - Get the default credential store path.
782 */
783
784 static const char * /* O - Path or NULL on error */
785 http_gnutls_default_path(char *buffer,/* I - Path buffer */
786 size_t bufsize)/* I - Size of path buffer */
787 {
788 const char *home = getenv("HOME"); /* HOME environment variable */
789
790
791 if (getuid() && home)
792 {
793 snprintf(buffer, bufsize, "%s/.cups", home);
794 if (access(buffer, 0))
795 {
796 DEBUG_printf(("1http_gnutls_default_path: Making directory \"%s\".", buffer));
797 if (mkdir(buffer, 0700))
798 {
799 DEBUG_printf(("1http_gnutls_default_path: Failed to make directory: %s", strerror(errno)));
800 return (NULL);
801 }
802 }
803
804 snprintf(buffer, bufsize, "%s/.cups/ssl", home);
805 if (access(buffer, 0))
806 {
807 DEBUG_printf(("1http_gnutls_default_path: Making directory \"%s\".", buffer));
808 if (mkdir(buffer, 0700))
809 {
810 DEBUG_printf(("1http_gnutls_default_path: Failed to make directory: %s", strerror(errno)));
811 return (NULL);
812 }
813 }
814 }
815 else
816 strlcpy(buffer, CUPS_SERVERROOT "/ssl", bufsize);
817
818 DEBUG_printf(("1http_gnutls_default_path: Using default path \"%s\".", buffer));
819
820 return (buffer);
821 }
822
823
824 /*
825 * 'http_gnutls_make_path()' - Format a filename for a certificate or key file.
826 */
827
828 static const char * /* O - Filename */
829 http_gnutls_make_path(
830 char *buffer, /* I - Filename buffer */
831 size_t bufsize, /* I - Size of buffer */
832 const char *dirname, /* I - Directory */
833 const char *filename, /* I - Filename (usually hostname) */
834 const char *ext) /* I - Extension */
835 {
836 char *bufptr, /* Pointer into buffer */
837 *bufend = buffer + bufsize - 1; /* End of buffer */
838
839
840 snprintf(buffer, bufsize, "%s/", dirname);
841 bufptr = buffer + strlen(buffer);
842
843 while (*filename && bufptr < bufend)
844 {
845 if (_cups_isalnum(*filename) || *filename == '-' || *filename == '.')
846 *bufptr++ = *filename;
847 else
848 *bufptr++ = '_';
849
850 filename ++;
851 }
852
853 if (bufptr < bufend)
854 *bufptr++ = '.';
855
856 strlcpy(bufptr, ext, (size_t)(bufend - bufptr + 1));
857
858 return (buffer);
859 }
860
861
862 /*
863 * 'http_gnutls_read()' - Read function for the GNU TLS library.
864 */
865
866 static ssize_t /* O - Number of bytes read or -1 on error */
867 http_gnutls_read(
868 gnutls_transport_ptr_t ptr, /* I - Connection to server */
869 void *data, /* I - Buffer */
870 size_t length) /* I - Number of bytes to read */
871 {
872 http_t *http; /* HTTP connection */
873 ssize_t bytes; /* Bytes read */
874
875
876 DEBUG_printf(("6http_gnutls_read(ptr=%p, data=%p, length=%d)", ptr, data, (int)length));
877
878 http = (http_t *)ptr;
879
880 if (!http->blocking)
881 {
882 /*
883 * Make sure we have data before we read...
884 */
885
886 while (!_httpWait(http, http->wait_value, 0))
887 {
888 if (http->timeout_cb && (*http->timeout_cb)(http, http->timeout_data))
889 continue;
890
891 http->error = ETIMEDOUT;
892 return (-1);
893 }
894 }
895
896 bytes = recv(http->fd, data, length, 0);
897 DEBUG_printf(("6http_gnutls_read: bytes=%d", (int)bytes));
898 return (bytes);
899 }
900
901
902 /*
903 * 'http_gnutls_write()' - Write function for the GNU TLS library.
904 */
905
906 static ssize_t /* O - Number of bytes written or -1 on error */
907 http_gnutls_write(
908 gnutls_transport_ptr_t ptr, /* I - Connection to server */
909 const void *data, /* I - Data buffer */
910 size_t length) /* I - Number of bytes to write */
911 {
912 ssize_t bytes; /* Bytes written */
913
914
915 DEBUG_printf(("6http_gnutls_write(ptr=%p, data=%p, length=%d)", ptr, data,
916 (int)length));
917 bytes = send(((http_t *)ptr)->fd, data, length, 0);
918 DEBUG_printf(("http_gnutls_write: bytes=%d", (int)bytes));
919
920 return (bytes);
921 }
922
923
924 /*
925 * '_httpTLSInitialize()' - Initialize the TLS stack.
926 */
927
928 void
929 _httpTLSInitialize(void)
930 {
931 /*
932 * Initialize GNU TLS...
933 */
934
935 gnutls_global_init();
936 }
937
938
939 /*
940 * '_httpTLSPending()' - Return the number of pending TLS-encrypted bytes.
941 */
942
943 size_t /* O - Bytes available */
944 _httpTLSPending(http_t *http) /* I - HTTP connection */
945 {
946 return (gnutls_record_check_pending(http->tls));
947 }
948
949
950 /*
951 * '_httpTLSRead()' - Read from a SSL/TLS connection.
952 */
953
954 int /* O - Bytes read */
955 _httpTLSRead(http_t *http, /* I - Connection to server */
956 char *buf, /* I - Buffer to store data */
957 int len) /* I - Length of buffer */
958 {
959 ssize_t result; /* Return value */
960
961
962 result = gnutls_record_recv(http->tls, buf, (size_t)len);
963
964 if (result < 0 && !errno)
965 {
966 /*
967 * Convert GNU TLS error to errno value...
968 */
969
970 switch (result)
971 {
972 case GNUTLS_E_INTERRUPTED :
973 errno = EINTR;
974 break;
975
976 case GNUTLS_E_AGAIN :
977 errno = EAGAIN;
978 break;
979
980 default :
981 errno = EPIPE;
982 break;
983 }
984
985 result = -1;
986 }
987
988 return ((int)result);
989 }
990
991
992 /*
993 * '_httpTLSSetCredentials()' - Set the TLS credentials.
994 */
995
996 int /* O - Status of connection */
997 _httpTLSSetCredentials(http_t *http) /* I - Connection to server */
998 {
999 (void)http;
1000
1001 return (0);
1002 }
1003
1004
1005 /*
1006 * '_httpTLSSetOptions()' - Set TLS protocol and cipher suite options.
1007 */
1008
1009 void
1010 _httpTLSSetOptions(int options) /* I - Options */
1011 {
1012 tls_options = options;
1013 }
1014
1015
1016 /*
1017 * '_httpTLSStart()' - Set up SSL/TLS support on a connection.
1018 */
1019
1020 int /* O - 0 on success, -1 on failure */
1021 _httpTLSStart(http_t *http) /* I - Connection to server */
1022 {
1023 char hostname[256], /* Hostname */
1024 *hostptr; /* Pointer into hostname */
1025 int status; /* Status of handshake */
1026 gnutls_certificate_credentials_t *credentials;
1027 /* TLS credentials */
1028
1029
1030 DEBUG_printf(("7_httpTLSStart(http=%p)", http));
1031
1032 if (http->mode == _HTTP_MODE_SERVER && !tls_keypath)
1033 {
1034 DEBUG_puts("4_httpTLSStart: cupsSetServerCredentials not called.");
1035 http->error = errno = EINVAL;
1036 http->status = HTTP_STATUS_ERROR;
1037 _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Server credentials not set."), 1);
1038
1039 return (-1);
1040 }
1041
1042 credentials = (gnutls_certificate_credentials_t *)
1043 malloc(sizeof(gnutls_certificate_credentials_t));
1044 if (credentials == NULL)
1045 {
1046 DEBUG_printf(("8_httpStartTLS: Unable to allocate credentials: %s",
1047 strerror(errno)));
1048 http->error = errno;
1049 http->status = HTTP_STATUS_ERROR;
1050 _cupsSetHTTPError(HTTP_STATUS_ERROR);
1051
1052 return (-1);
1053 }
1054
1055 gnutls_certificate_allocate_credentials(credentials);
1056 status = gnutls_init(&http->tls, http->mode == _HTTP_MODE_CLIENT ? GNUTLS_CLIENT : GNUTLS_SERVER);
1057 if (!status)
1058 status = gnutls_set_default_priority(http->tls);
1059
1060 if (status)
1061 {
1062 http->error = EIO;
1063 http->status = HTTP_STATUS_ERROR;
1064
1065 DEBUG_printf(("4_httpTLSStart: Unable to initialize common TLS parameters: %s", gnutls_strerror(status)));
1066 _cupsSetError(IPP_STATUS_ERROR_CUPS_PKI, gnutls_strerror(status), 0);
1067
1068 gnutls_deinit(http->tls);
1069 gnutls_certificate_free_credentials(*credentials);
1070 free(credentials);
1071 http->tls = NULL;
1072
1073 return (-1);
1074 }
1075
1076 if (http->mode == _HTTP_MODE_CLIENT)
1077 {
1078 /*
1079 * Client: get the hostname to use for TLS...
1080 */
1081
1082 if (httpAddrLocalhost(http->hostaddr))
1083 {
1084 strlcpy(hostname, "localhost", sizeof(hostname));
1085 }
1086 else
1087 {
1088 /*
1089 * Otherwise make sure the hostname we have does not end in a trailing dot.
1090 */
1091
1092 strlcpy(hostname, http->hostname, sizeof(hostname));
1093 if ((hostptr = hostname + strlen(hostname) - 1) >= hostname &&
1094 *hostptr == '.')
1095 *hostptr = '\0';
1096 }
1097
1098 status = gnutls_server_name_set(http->tls, GNUTLS_NAME_DNS, hostname, strlen(hostname));
1099 }
1100 else
1101 {
1102 /*
1103 * Server: get certificate and private key...
1104 */
1105
1106 char crtfile[1024], /* Certificate file */
1107 keyfile[1024]; /* Private key file */
1108 int have_creds = 0; /* Have credentials? */
1109
1110 if (http->fields[HTTP_FIELD_HOST][0])
1111 {
1112 /*
1113 * Use hostname for TLS upgrade...
1114 */
1115
1116 strlcpy(hostname, http->fields[HTTP_FIELD_HOST], sizeof(hostname));
1117 }
1118 else
1119 {
1120 /*
1121 * Resolve hostname from connection address...
1122 */
1123
1124 http_addr_t addr; /* Connection address */
1125 socklen_t addrlen; /* Length of address */
1126
1127 addrlen = sizeof(addr);
1128 if (getsockname(http->fd, (struct sockaddr *)&addr, &addrlen))
1129 {
1130 DEBUG_printf(("4_httpTLSStart: Unable to get socket address: %s", strerror(errno)));
1131 hostname[0] = '\0';
1132 }
1133 else if (httpAddrLocalhost(&addr))
1134 hostname[0] = '\0';
1135 else
1136 {
1137 httpAddrLookup(&addr, hostname, sizeof(hostname));
1138 DEBUG_printf(("4_httpTLSStart: Resolved socket address to \"%s\".", hostname));
1139 }
1140 }
1141
1142 if (isdigit(hostname[0] & 255) || hostname[0] == '[')
1143 hostname[0] = '\0'; /* Don't allow numeric addresses */
1144
1145 if (hostname[0])
1146 {
1147 http_gnutls_make_path(crtfile, sizeof(crtfile), tls_keypath, hostname, "crt");
1148 http_gnutls_make_path(keyfile, sizeof(keyfile), tls_keypath, hostname, "key");
1149
1150 have_creds = !access(crtfile, 0) && !access(keyfile, 0);
1151 }
1152 else if (tls_common_name)
1153 {
1154 http_gnutls_make_path(crtfile, sizeof(crtfile), tls_keypath, tls_common_name, "crt");
1155 http_gnutls_make_path(keyfile, sizeof(keyfile), tls_keypath, tls_common_name, "key");
1156
1157 have_creds = !access(crtfile, 0) && !access(keyfile, 0);
1158 }
1159
1160 if (!have_creds && tls_auto_create && (hostname[0] || tls_common_name))
1161 {
1162 DEBUG_printf(("4_httpTLSStart: Auto-create credentials for \"%s\".", hostname[0] ? hostname : tls_common_name));
1163
1164 if (!cupsMakeServerCredentials(tls_keypath, hostname[0] ? hostname : tls_common_name, 0, NULL, time(NULL) + 365 * 86400))
1165 {
1166 DEBUG_puts("4_httpTLSStart: cupsMakeServerCredentials failed.");
1167 http->error = errno = EINVAL;
1168 http->status = HTTP_STATUS_ERROR;
1169 _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Unable to create server credentials."), 1);
1170
1171 return (-1);
1172 }
1173 }
1174
1175 DEBUG_printf(("4_httpTLSStart: Using certificate \"%s\" and private key \"%s\".", crtfile, keyfile));
1176
1177 status = gnutls_certificate_set_x509_key_file(*credentials, crtfile, keyfile, GNUTLS_X509_FMT_PEM);
1178 }
1179
1180 if (!status)
1181 status = gnutls_credentials_set(http->tls, GNUTLS_CRD_CERTIFICATE, *credentials);
1182
1183 if (status)
1184 {
1185 http->error = EIO;
1186 http->status = HTTP_STATUS_ERROR;
1187
1188 DEBUG_printf(("4_httpTLSStart: Unable to complete client/server setup: %s", gnutls_strerror(status)));
1189 _cupsSetError(IPP_STATUS_ERROR_CUPS_PKI, gnutls_strerror(status), 0);
1190
1191 gnutls_deinit(http->tls);
1192 gnutls_certificate_free_credentials(*credentials);
1193 free(credentials);
1194 http->tls = NULL;
1195
1196 return (-1);
1197 }
1198
1199 #ifdef HAVE_GNUTLS_PRIORITY_SET_DIRECT
1200 if (!tls_options)
1201 gnutls_priority_set_direct(http->tls, "NORMAL:-ARCFOUR-128:VERS-TLS-ALL:-VERS-SSL3.0", NULL);
1202 else if ((tls_options & _HTTP_TLS_ALLOW_SSL3) && (tls_options & _HTTP_TLS_ALLOW_RC4))
1203 gnutls_priority_set_direct(http->tls, "NORMAL", NULL);
1204 else if (tls_options & _HTTP_TLS_ALLOW_SSL3)
1205 gnutls_priority_set_direct(http->tls, "NORMAL:-ARCFOUR-128:VERS-TLS-ALL", NULL);
1206 else
1207 gnutls_priority_set_direct(http->tls, "NORMAL:VERS-TLS-ALL:-VERS-SSL3.0", NULL);
1208
1209 #else
1210 gnutls_priority_t priority; /* Priority */
1211
1212 if (!tls_options)
1213 gnutls_priority_init(&priority, "NORMAL:-ARCFOUR-128:VERS-TLS-ALL:-VERS-SSL3.0", NULL);
1214 else if ((tls_options & _HTTP_TLS_ALLOW_SSL3) && (tls_options & _HTTP_TLS_ALLOW_RC4))
1215 gnutls_priority_init(&priority, "NORMAL", NULL);
1216 else if (tls_options & _HTTP_TLS_ALLOW_SSL3)
1217 gnutls_priority_init(&priority, "NORMAL:-ARCFOUR-128:VERS-TLS-ALL", NULL);
1218 else
1219 gnutls_priority_init(&priority, "NORMAL:VERS-TLS-ALL:-VERS-SSL3.0", NULL);
1220
1221 gnutls_priority_set(http->tls, priority);
1222 gnutls_priority_deinit(priority);
1223 #endif /* HAVE_GNUTLS_PRIORITY_SET_DIRECT */
1224
1225 gnutls_transport_set_ptr(http->tls, (gnutls_transport_ptr_t)http);
1226 gnutls_transport_set_pull_function(http->tls, http_gnutls_read);
1227 #ifdef HAVE_GNUTLS_TRANSPORT_SET_PULL_TIMEOUT_FUNCTION
1228 gnutls_transport_set_pull_timeout_function(http->tls, (gnutls_pull_timeout_func)httpWait);
1229 #endif /* HAVE_GNUTLS_TRANSPORT_SET_PULL_TIMEOUT_FUNCTION */
1230 gnutls_transport_set_push_function(http->tls, http_gnutls_write);
1231
1232 while ((status = gnutls_handshake(http->tls)) != GNUTLS_E_SUCCESS)
1233 {
1234 DEBUG_printf(("5_httpStartTLS: gnutls_handshake returned %d (%s)",
1235 status, gnutls_strerror(status)));
1236
1237 if (gnutls_error_is_fatal(status))
1238 {
1239 http->error = EIO;
1240 http->status = HTTP_STATUS_ERROR;
1241
1242 _cupsSetError(IPP_STATUS_ERROR_CUPS_PKI, gnutls_strerror(status), 0);
1243
1244 gnutls_deinit(http->tls);
1245 gnutls_certificate_free_credentials(*credentials);
1246 free(credentials);
1247 http->tls = NULL;
1248
1249 return (-1);
1250 }
1251 }
1252
1253 http->tls_credentials = credentials;
1254
1255 return (0);
1256 }
1257
1258
1259 /*
1260 * '_httpTLSStop()' - Shut down SSL/TLS on a connection.
1261 */
1262
1263 void
1264 _httpTLSStop(http_t *http) /* I - Connection to server */
1265 {
1266 int error; /* Error code */
1267
1268
1269 error = gnutls_bye(http->tls, http->mode == _HTTP_MODE_CLIENT ? GNUTLS_SHUT_RDWR : GNUTLS_SHUT_WR);
1270 if (error != GNUTLS_E_SUCCESS)
1271 _cupsSetError(IPP_STATUS_ERROR_INTERNAL, gnutls_strerror(errno), 0);
1272
1273 gnutls_deinit(http->tls);
1274 http->tls = NULL;
1275
1276 if (http->tls_credentials)
1277 {
1278 gnutls_certificate_free_credentials(*(http->tls_credentials));
1279 free(http->tls_credentials);
1280 http->tls_credentials = NULL;
1281 }
1282 }
1283
1284
1285 /*
1286 * '_httpTLSWrite()' - Write to a SSL/TLS connection.
1287 */
1288
1289 int /* O - Bytes written */
1290 _httpTLSWrite(http_t *http, /* I - Connection to server */
1291 const char *buf, /* I - Buffer holding data */
1292 int len) /* I - Length of buffer */
1293 {
1294 ssize_t result; /* Return value */
1295
1296
1297 DEBUG_printf(("2http_write_ssl(http=%p, buf=%p, len=%d)", http, buf, len));
1298
1299 result = gnutls_record_send(http->tls, buf, (size_t)len);
1300
1301 if (result < 0 && !errno)
1302 {
1303 /*
1304 * Convert GNU TLS error to errno value...
1305 */
1306
1307 switch (result)
1308 {
1309 case GNUTLS_E_INTERRUPTED :
1310 errno = EINTR;
1311 break;
1312
1313 case GNUTLS_E_AGAIN :
1314 errno = EAGAIN;
1315 break;
1316
1317 default :
1318 errno = EPIPE;
1319 break;
1320 }
1321
1322 result = -1;
1323 }
1324
1325 DEBUG_printf(("3http_write_ssl: Returning %d.", (int)result));
1326
1327 return ((int)result);
1328 }
1329
1330
1331 /*
1332 * End of "$Id$".
1333 */
Unnamed repository; edit this file 'description' to name the repository.