]> git.ipfire.org Git - thirdparty/cups.git/blob - cups/tls-gnutls.c
projects / thirdparty / cups.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Greatly simplify the man page handling.
[thirdparty/cups.git] / cups / tls-gnutls.c
1 /*
2 * TLS support code for CUPS using GNU TLS.
3 *
4 * Copyright © 2007-2019 by Apple Inc.
5 * Copyright © 1997-2007 by Easy Software Products, all rights reserved.
6 *
7 * Licensed under Apache License v2.0. See the file "LICENSE" for more
8 * information.
9 */
10
11 /**** This file is included from tls.c ****/
12
13 /*
14 * Include necessary headers...
15 */
16
17 #include <sys/stat.h>
18
19
20 /*
21 * Local globals...
22 */
23
24 static int tls_auto_create = 0;
25 /* Auto-create self-signed certs? */
26 static char *tls_common_name = NULL;
27 /* Default common name */
28 static gnutls_x509_crl_t tls_crl = NULL;/* Certificate revocation list */
29 static char *tls_keypath = NULL;
30 /* Server cert keychain path */
31 static _cups_mutex_t tls_mutex = _CUPS_MUTEX_INITIALIZER;
32 /* Mutex for keychain/certs */
33 static int tls_options = -1,/* Options for TLS connections */
34 tls_min_version = _HTTP_TLS_1_0,
35 tls_max_version = _HTTP_TLS_MAX;
36
37
38 /*
39 * Local functions...
40 */
41
42 static gnutls_x509_crt_t http_gnutls_create_credential(http_credential_t *credential);
43 static const char *http_gnutls_default_path(char *buffer, size_t bufsize);
44 static void http_gnutls_load_crl(void);
45 static const char *http_gnutls_make_path(char *buffer, size_t bufsize, const char *dirname, const char *filename, const char *ext);
46 static ssize_t http_gnutls_read(gnutls_transport_ptr_t ptr, void *data, size_t length);
47 static ssize_t http_gnutls_write(gnutls_transport_ptr_t ptr, const void *data, size_t length);
48
49
50 /*
51 * 'cupsMakeServerCredentials()' - Make a self-signed certificate and private key pair.
52 *
53 * @since CUPS 2.0/OS 10.10@
54 */
55
56 int /* O - 1 on success, 0 on failure */
57 cupsMakeServerCredentials(
58 const char *path, /* I - Path to keychain/directory */
59 const char *common_name, /* I - Common name */
60 int num_alt_names, /* I - Number of subject alternate names */
61 const char **alt_names, /* I - Subject Alternate Names */
62 time_t expiration_date) /* I - Expiration date */
63 {
64 gnutls_x509_crt_t crt; /* Self-signed certificate */
65 gnutls_x509_privkey_t key; /* Encryption private key */
66 char temp[1024], /* Temporary directory name */
67 crtfile[1024], /* Certificate filename */
68 keyfile[1024]; /* Private key filename */
69 cups_lang_t *language; /* Default language info */
70 cups_file_t *fp; /* Key/cert file */
71 unsigned char buffer[8192]; /* Buffer for x509 data */
72 size_t bytes; /* Number of bytes of data */
73 unsigned char serial[4]; /* Serial number buffer */
74 time_t curtime; /* Current time */
75 int result; /* Result of GNU TLS calls */
76
77
78 DEBUG_printf(("cupsMakeServerCredentials(path=\"%s\", common_name=\"%s\", num_alt_names=%d, alt_names=%p, expiration_date=%d)", path, common_name, num_alt_names, alt_names, (int)expiration_date));
79
80 /*
81 * Filenames...
82 */
83
84 if (!path)
85 path = http_gnutls_default_path(temp, sizeof(temp));
86
87 if (!path || !common_name)
88 {
89 _cupsSetError(IPP_STATUS_ERROR_INTERNAL, strerror(EINVAL), 0);
90 return (0);
91 }
92
93 http_gnutls_make_path(crtfile, sizeof(crtfile), path, common_name, "crt");
94 http_gnutls_make_path(keyfile, sizeof(keyfile), path, common_name, "key");
95
96 /*
97 * Create the encryption key...
98 */
99
100 DEBUG_puts("1cupsMakeServerCredentials: Creating key pair.");
101
102 gnutls_x509_privkey_init(&key);
103 gnutls_x509_privkey_generate(key, GNUTLS_PK_RSA, 2048, 0);
104
105 DEBUG_puts("1cupsMakeServerCredentials: Key pair created.");
106
107 /*
108 * Save it...
109 */
110
111 bytes = sizeof(buffer);
112
113 if ((result = gnutls_x509_privkey_export(key, GNUTLS_X509_FMT_PEM, buffer, &bytes)) < 0)
114 {
115 DEBUG_printf(("1cupsMakeServerCredentials: Unable to export private key: %s", gnutls_strerror(result)));
116 _cupsSetError(IPP_STATUS_ERROR_INTERNAL, gnutls_strerror(result), 0);
117 gnutls_x509_privkey_deinit(key);
118 return (0);
119 }
120 else if ((fp = cupsFileOpen(keyfile, "w")) != NULL)
121 {
122 DEBUG_printf(("1cupsMakeServerCredentials: Writing private key to \"%s\".", keyfile));
123 cupsFileWrite(fp, (char *)buffer, bytes);
124 cupsFileClose(fp);
125 }
126 else
127 {
128 DEBUG_printf(("1cupsMakeServerCredentials: Unable to create private key file \"%s\": %s", keyfile, strerror(errno)));
129 _cupsSetError(IPP_STATUS_ERROR_INTERNAL, strerror(errno), 0);
130 gnutls_x509_privkey_deinit(key);
131 return (0);
132 }
133
134 /*
135 * Create the self-signed certificate...
136 */
137
138 DEBUG_puts("1cupsMakeServerCredentials: Generating self-signed X.509 certificate.");
139
140 language = cupsLangDefault();
141 curtime = time(NULL);
142 serial[0] = curtime >> 24;
143 serial[1] = curtime >> 16;
144 serial[2] = curtime >> 8;
145 serial[3] = curtime;
146
147 gnutls_x509_crt_init(&crt);
148 if (strlen(language->language) == 5)
149 gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_X520_COUNTRY_NAME, 0,
150 language->language + 3, 2);
151 else
152 gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_X520_COUNTRY_NAME, 0,
153 "US", 2);
154 gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_X520_COMMON_NAME, 0,
155 common_name, strlen(common_name));
156 gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_X520_ORGANIZATION_NAME, 0,
157 common_name, strlen(common_name));
158 gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME,
159 0, "Unknown", 7);
160 gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME, 0,
161 "Unknown", 7);
162 gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_X520_LOCALITY_NAME, 0,
163 "Unknown", 7);
164 /* gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_PKCS9_EMAIL, 0,
165 ServerAdmin, strlen(ServerAdmin));*/
166 gnutls_x509_crt_set_key(crt, key);
167 gnutls_x509_crt_set_serial(crt, serial, sizeof(serial));
168 gnutls_x509_crt_set_activation_time(crt, curtime);
169 gnutls_x509_crt_set_expiration_time(crt, curtime + 10 * 365 * 86400);
170 gnutls_x509_crt_set_ca_status(crt, 0);
171 gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_DNSNAME, common_name, (unsigned)strlen(common_name), GNUTLS_FSAN_SET);
172 if (!strchr(common_name, '.'))
173 {
174 /*
175 * Add common_name.local to the list, too...
176 */
177
178 char localname[256]; /* hostname.local */
179
180 snprintf(localname, sizeof(localname), "%s.local", common_name);
181 gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_DNSNAME, localname, (unsigned)strlen(localname), GNUTLS_FSAN_APPEND);
182 }
183 gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_DNSNAME, "localhost", 9, GNUTLS_FSAN_APPEND);
184 if (num_alt_names > 0)
185 {
186 int i; /* Looping var */
187
188 for (i = 0; i < num_alt_names; i ++)
189 {
190 if (strcmp(alt_names[i], "localhost"))
191 {
192 gnutls_x509_crt_set_subject_alt_name(crt, GNUTLS_SAN_DNSNAME, alt_names[i], (unsigned)strlen(alt_names[i]), GNUTLS_FSAN_APPEND);
193 }
194 }
195 }
196 gnutls_x509_crt_set_key_purpose_oid(crt, GNUTLS_KP_TLS_WWW_SERVER, 0);
197 gnutls_x509_crt_set_key_usage(crt, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT);
198 gnutls_x509_crt_set_version(crt, 3);
199
200 bytes = sizeof(buffer);
201 if (gnutls_x509_crt_get_key_id(crt, 0, buffer, &bytes) >= 0)
202 gnutls_x509_crt_set_subject_key_id(crt, buffer, bytes);
203
204 gnutls_x509_crt_sign(crt, crt, key);
205
206 /*
207 * Save it...
208 */
209
210 bytes = sizeof(buffer);
211 if ((result = gnutls_x509_crt_export(crt, GNUTLS_X509_FMT_PEM, buffer, &bytes)) < 0)
212 {
213 DEBUG_printf(("1cupsMakeServerCredentials: Unable to export public key and X.509 certificate: %s", gnutls_strerror(result)));
214 _cupsSetError(IPP_STATUS_ERROR_INTERNAL, gnutls_strerror(result), 0);
215 gnutls_x509_crt_deinit(crt);
216 gnutls_x509_privkey_deinit(key);
217 return (0);
218 }
219 else if ((fp = cupsFileOpen(crtfile, "w")) != NULL)
220 {
221 DEBUG_printf(("1cupsMakeServerCredentials: Writing public key and X.509 certificate to \"%s\".", crtfile));
222 cupsFileWrite(fp, (char *)buffer, bytes);
223 cupsFileClose(fp);
224 }
225 else
226 {
227 DEBUG_printf(("1cupsMakeServerCredentials: Unable to create public key and X.509 certificate file \"%s\": %s", crtfile, strerror(errno)));
228 _cupsSetError(IPP_STATUS_ERROR_INTERNAL, strerror(errno), 0);
229 gnutls_x509_crt_deinit(crt);
230 gnutls_x509_privkey_deinit(key);
231 return (0);
232 }
233
234 /*
235 * Cleanup...
236 */
237
238 gnutls_x509_crt_deinit(crt);
239 gnutls_x509_privkey_deinit(key);
240
241 DEBUG_puts("1cupsMakeServerCredentials: Successfully created credentials.");
242
243 return (1);
244 }
245
246
247 /*
248 * 'cupsSetServerCredentials()' - Set the default server credentials.
249 *
250 * Note: The server credentials are used by all threads in the running process.
251 * This function is threadsafe.
252 *
253 * @since CUPS 2.0/OS 10.10@
254 */
255
256 int /* O - 1 on success, 0 on failure */
257 cupsSetServerCredentials(
258 const char *path, /* I - Path to keychain/directory */
259 const char *common_name, /* I - Default common name for server */
260 int auto_create) /* I - 1 = automatically create self-signed certificates */
261 {
262 char temp[1024]; /* Default path buffer */
263
264
265 DEBUG_printf(("cupsSetServerCredentials(path=\"%s\", common_name=\"%s\", auto_create=%d)", path, common_name, auto_create));
266
267 /*
268 * Use defaults as needed...
269 */
270
271 if (!path)
272 path = http_gnutls_default_path(temp, sizeof(temp));
273
274 /*
275 * Range check input...
276 */
277
278 if (!path || !common_name)
279 {
280 _cupsSetError(IPP_STATUS_ERROR_INTERNAL, strerror(EINVAL), 0);
281 return (0);
282 }
283
284 _cupsMutexLock(&tls_mutex);
285
286 /*
287 * Free old values...
288 */
289
290 if (tls_keypath)
291 _cupsStrFree(tls_keypath);
292
293 if (tls_common_name)
294 _cupsStrFree(tls_common_name);
295
296 /*
297 * Save the new values...
298 */
299
300 tls_keypath = _cupsStrAlloc(path);
301 tls_auto_create = auto_create;
302 tls_common_name = _cupsStrAlloc(common_name);
303
304 _cupsMutexUnlock(&tls_mutex);
305
306 return (1);
307 }
308
309
310 /*
311 * 'httpCopyCredentials()' - Copy the credentials associated with the peer in
312 * an encrypted connection.
313 *
314 * @since CUPS 1.5/macOS 10.7@
315 */
316
317 int /* O - Status of call (0 = success) */
318 httpCopyCredentials(
319 http_t *http, /* I - Connection to server */
320 cups_array_t **credentials) /* O - Array of credentials */
321 {
322 unsigned count; /* Number of certificates */
323 const gnutls_datum_t *certs; /* Certificates */
324
325
326 DEBUG_printf(("httpCopyCredentials(http=%p, credentials=%p)", http, credentials));
327
328 if (credentials)
329 *credentials = NULL;
330
331 if (!http || !http->tls || !credentials)
332 return (-1);
333
334 *credentials = cupsArrayNew(NULL, NULL);
335 certs = gnutls_certificate_get_peers(http->tls, &count);
336
337 DEBUG_printf(("1httpCopyCredentials: certs=%p, count=%u", certs, count));
338
339 if (certs && count)
340 {
341 while (count > 0)
342 {
343 httpAddCredential(*credentials, certs->data, certs->size);
344 certs ++;
345 count --;
346 }
347 }
348
349 return (0);
350 }
351
352
353 /*
354 * '_httpCreateCredentials()' - Create credentials in the internal format.
355 */
356
357 http_tls_credentials_t /* O - Internal credentials */
358 _httpCreateCredentials(
359 cups_array_t *credentials) /* I - Array of credentials */
360 {
361 (void)credentials;
362
363 return (NULL);
364 }
365
366
367 /*
368 * '_httpFreeCredentials()' - Free internal credentials.
369 */
370
371 void
372 _httpFreeCredentials(
373 http_tls_credentials_t credentials) /* I - Internal credentials */
374 {
375 (void)credentials;
376 }
377
378
379 /*
380 * 'httpCredentialsAreValidForName()' - Return whether the credentials are valid for the given name.
381 *
382 * @since CUPS 2.0/OS 10.10@
383 */
384
385 int /* O - 1 if valid, 0 otherwise */
386 httpCredentialsAreValidForName(
387 cups_array_t *credentials, /* I - Credentials */
388 const char *common_name) /* I - Name to check */
389 {
390 gnutls_x509_crt_t cert; /* Certificate */
391 int result = 0; /* Result */
392
393
394 cert = http_gnutls_create_credential((http_credential_t *)cupsArrayFirst(credentials));
395 if (cert)
396 {
397 result = gnutls_x509_crt_check_hostname(cert, common_name) != 0;
398
399 if (result)
400 {
401 gnutls_x509_crl_iter_t iter = NULL;
402 /* Iterator */
403 unsigned char cserial[1024], /* Certificate serial number */
404 rserial[1024]; /* Revoked serial number */
405 size_t cserial_size, /* Size of cert serial number */
406 rserial_size; /* Size of revoked serial number */
407
408 _cupsMutexLock(&tls_mutex);
409
410 if (gnutls_x509_crl_get_crt_count(tls_crl) > 0)
411 {
412 cserial_size = sizeof(cserial);
413 gnutls_x509_crt_get_serial(cert, cserial, &cserial_size);
414
415 rserial_size = sizeof(rserial);
416
417 while (!gnutls_x509_crl_iter_crt_serial(tls_crl, &iter, rserial, &rserial_size, NULL))
418 {
419 if (cserial_size == rserial_size && !memcmp(cserial, rserial, rserial_size))
420 {
421 result = 0;
422 break;
423 }
424
425 rserial_size = sizeof(rserial);
426 }
427 gnutls_x509_crl_iter_deinit(iter);
428 }
429
430 _cupsMutexUnlock(&tls_mutex);
431 }
432
433 gnutls_x509_crt_deinit(cert);
434 }
435
436 return (result);
437 }
438
439
440 /*
441 * 'httpCredentialsGetTrust()' - Return the trust of credentials.
442 *
443 * @since CUPS 2.0/OS 10.10@
444 */
445
446 http_trust_t /* O - Level of trust */
447 httpCredentialsGetTrust(
448 cups_array_t *credentials, /* I - Credentials */
449 const char *common_name) /* I - Common name for trust lookup */
450 {
451 http_trust_t trust = HTTP_TRUST_OK;
452 /* Trusted? */
453 gnutls_x509_crt_t cert; /* Certificate */
454 cups_array_t *tcreds = NULL; /* Trusted credentials */
455 _cups_globals_t *cg = _cupsGlobals();
456 /* Per-thread globals */
457
458
459 if (!common_name)
460 {
461 _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("No common name specified."), 1);
462 return (HTTP_TRUST_UNKNOWN);
463 }
464
465 if ((cert = http_gnutls_create_credential((http_credential_t *)cupsArrayFirst(credentials))) == NULL)
466 {
467 _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Unable to create credentials from array."), 1);
468 return (HTTP_TRUST_UNKNOWN);
469 }
470
471 if (cg->any_root < 0)
472 {
473 _cupsSetDefaults();
474 http_gnutls_load_crl();
475 }
476
477 /*
478 * Look this common name up in the default keychains...
479 */
480
481 httpLoadCredentials(NULL, &tcreds, common_name);
482
483 if (tcreds)
484 {
485 char credentials_str[1024], /* String for incoming credentials */
486 tcreds_str[1024]; /* String for saved credentials */
487
488 httpCredentialsString(credentials, credentials_str, sizeof(credentials_str));
489 httpCredentialsString(tcreds, tcreds_str, sizeof(tcreds_str));
490
491 if (strcmp(credentials_str, tcreds_str))
492 {
493 /*
494 * Credentials don't match, let's look at the expiration date of the new
495 * credentials and allow if the new ones have a later expiration...
496 */
497
498 if (!cg->trust_first)
499 {
500 /*
501 * Do not trust certificates on first use...
502 */
503
504 _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Trust on first use is disabled."), 1);
505
506 trust = HTTP_TRUST_INVALID;
507 }
508 else if (httpCredentialsGetExpiration(credentials) <= httpCredentialsGetExpiration(tcreds))
509 {
510 /*
511 * The new credentials are not newly issued...
512 */
513
514 _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("New credentials are older than stored credentials."), 1);
515
516 trust = HTTP_TRUST_INVALID;
517 }
518 else if (!httpCredentialsAreValidForName(credentials, common_name))
519 {
520 /*
521 * The common name does not match the issued certificate...
522 */
523
524 _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("New credentials are not valid for name."), 1);
525
526 trust = HTTP_TRUST_INVALID;
527 }
528 else if (httpCredentialsGetExpiration(tcreds) < time(NULL))
529 {
530 /*
531 * Save the renewed credentials...
532 */
533
534 trust = HTTP_TRUST_RENEWED;
535
536 httpSaveCredentials(NULL, credentials, common_name);
537 }
538 }
539
540 httpFreeCredentials(tcreds);
541 }
542 else if (cg->validate_certs && !httpCredentialsAreValidForName(credentials, common_name))
543 {
544 _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("No stored credentials, not valid for name."), 1);
545 trust = HTTP_TRUST_INVALID;
546 }
547 else if (!cg->trust_first)
548 {
549 /*
550 * See if we have a site CA certificate we can compare...
551 */
552
553 if (!httpLoadCredentials(NULL, &tcreds, "site"))
554 {
555 if (cupsArrayCount(credentials) != (cupsArrayCount(tcreds) + 1))
556 {
557 /*
558 * Certificate isn't directly generated from the CA cert...
559 */
560
561 trust = HTTP_TRUST_INVALID;
562 }
563 else
564 {
565 /*
566 * Do a tail comparison of the two certificates...
567 */
568
569 http_credential_t *a, *b; /* Certificates */
570
571 for (a = (http_credential_t *)cupsArrayFirst(tcreds), b = (http_credential_t *)cupsArrayIndex(credentials, 1);
572 a && b;
573 a = (http_credential_t *)cupsArrayNext(tcreds), b = (http_credential_t *)cupsArrayNext(credentials))
574 if (a->datalen != b->datalen || memcmp(a->data, b->data, a->datalen))
575 break;
576
577 if (a || b)
578 trust = HTTP_TRUST_INVALID;
579 }
580
581 if (trust != HTTP_TRUST_OK)
582 _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Credentials do not validate against site CA certificate."), 1);
583 }
584 else
585 {
586 _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Trust on first use is disabled."), 1);
587 trust = HTTP_TRUST_INVALID;
588 }
589 }
590
591 if (trust == HTTP_TRUST_OK && !cg->expired_certs)
592 {
593 time_t curtime; /* Current date/time */
594
595 time(&curtime);
596 if (curtime < gnutls_x509_crt_get_activation_time(cert) ||
597 curtime > gnutls_x509_crt_get_expiration_time(cert))
598 {
599 _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Credentials have expired."), 1);
600 trust = HTTP_TRUST_EXPIRED;
601 }
602 }
603
604 if (trust == HTTP_TRUST_OK && !cg->any_root && cupsArrayCount(credentials) == 1)
605 {
606 _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Self-signed credentials are blocked."), 1);
607 trust = HTTP_TRUST_INVALID;
608 }
609
610 gnutls_x509_crt_deinit(cert);
611
612 return (trust);
613 }
614
615
616 /*
617 * 'httpCredentialsGetExpiration()' - Return the expiration date of the credentials.
618 *
619 * @since CUPS 2.0/OS 10.10@
620 */
621
622 time_t /* O - Expiration date of credentials */
623 httpCredentialsGetExpiration(
624 cups_array_t *credentials) /* I - Credentials */
625 {
626 gnutls_x509_crt_t cert; /* Certificate */
627 time_t result = 0; /* Result */
628
629
630 cert = http_gnutls_create_credential((http_credential_t *)cupsArrayFirst(credentials));
631 if (cert)
632 {
633 result = gnutls_x509_crt_get_expiration_time(cert);
634 gnutls_x509_crt_deinit(cert);
635 }
636
637 return (result);
638 }
639
640
641 /*
642 * 'httpCredentialsString()' - Return a string representing the credentials.
643 *
644 * @since CUPS 2.0/OS 10.10@
645 */
646
647 size_t /* O - Total size of credentials string */
648 httpCredentialsString(
649 cups_array_t *credentials, /* I - Credentials */
650 char *buffer, /* I - Buffer or @code NULL@ */
651 size_t bufsize) /* I - Size of buffer */
652 {
653 http_credential_t *first; /* First certificate */
654 gnutls_x509_crt_t cert; /* Certificate */
655
656
657 DEBUG_printf(("httpCredentialsString(credentials=%p, buffer=%p, bufsize=" CUPS_LLFMT ")", credentials, buffer, CUPS_LLCAST bufsize));
658
659 if (!buffer)
660 return (0);
661
662 if (buffer && bufsize > 0)
663 *buffer = '\0';
664
665 if ((first = (http_credential_t *)cupsArrayFirst(credentials)) != NULL &&
666 (cert = http_gnutls_create_credential(first)) != NULL)
667 {
668 char name[256], /* Common name associated with cert */
669 issuer[256]; /* Issuer associated with cert */
670 size_t len; /* Length of string */
671 time_t expiration; /* Expiration date of cert */
672 int sigalg; /* Signature algorithm */
673 unsigned char md5_digest[16]; /* MD5 result */
674
675 len = sizeof(name) - 1;
676 if (gnutls_x509_crt_get_dn_by_oid(cert, GNUTLS_OID_X520_COMMON_NAME, 0, 0, name, &len) >= 0)
677 name[len] = '\0';
678 else
679 strlcpy(name, "unknown", sizeof(name));
680
681 len = sizeof(issuer) - 1;
682 if (gnutls_x509_crt_get_issuer_dn_by_oid(cert, GNUTLS_OID_X520_ORGANIZATION_NAME, 0, 0, issuer, &len) >= 0)
683 issuer[len] = '\0';
684 else
685 strlcpy(issuer, "unknown", sizeof(issuer));
686
687 expiration = gnutls_x509_crt_get_expiration_time(cert);
688 sigalg = gnutls_x509_crt_get_signature_algorithm(cert);
689
690 cupsHashData("md5", first->data, first->datalen, md5_digest, sizeof(md5_digest));
691
692 snprintf(buffer, bufsize, "%s (issued by %s) / %s / %s / %02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X", name, issuer, httpGetDateString(expiration), gnutls_sign_get_name((gnutls_sign_algorithm_t)sigalg), md5_digest[0], md5_digest[1], md5_digest[2], md5_digest[3], md5_digest[4], md5_digest[5], md5_digest[6], md5_digest[7], md5_digest[8], md5_digest[9], md5_digest[10], md5_digest[11], md5_digest[12], md5_digest[13], md5_digest[14], md5_digest[15]);
693
694 gnutls_x509_crt_deinit(cert);
695 }
696
697 DEBUG_printf(("1httpCredentialsString: Returning \"%s\".", buffer));
698
699 return (strlen(buffer));
700 }
701
702
703 /*
704 * 'httpLoadCredentials()' - Load X.509 credentials from a keychain file.
705 *
706 * @since CUPS 2.0/OS 10.10@
707 */
708
709 int /* O - 0 on success, -1 on error */
710 httpLoadCredentials(
711 const char *path, /* I - Keychain/PKCS#12 path */
712 cups_array_t **credentials, /* IO - Credentials */
713 const char *common_name) /* I - Common name for credentials */
714 {
715 cups_file_t *fp; /* Certificate file */
716 char filename[1024], /* filename.crt */
717 temp[1024], /* Temporary string */
718 line[256]; /* Base64-encoded line */
719 unsigned char *data = NULL; /* Buffer for cert data */
720 size_t alloc_data = 0, /* Bytes allocated */
721 num_data = 0; /* Bytes used */
722 int decoded; /* Bytes decoded */
723 int in_certificate = 0;
724 /* In a certificate? */
725
726
727 if (!credentials || !common_name)
728 return (-1);
729
730 if (!path)
731 path = http_gnutls_default_path(temp, sizeof(temp));
732 if (!path)
733 return (-1);
734
735 http_gnutls_make_path(filename, sizeof(filename), path, common_name, "crt");
736
737 if ((fp = cupsFileOpen(filename, "r")) == NULL)
738 return (-1);
739
740 while (cupsFileGets(fp, line, sizeof(line)))
741 {
742 if (!strcmp(line, "-----BEGIN CERTIFICATE-----"))
743 {
744 if (in_certificate)
745 {
746 /*
747 * Missing END CERTIFICATE...
748 */
749
750 httpFreeCredentials(*credentials);
751 *credentials = NULL;
752 break;
753 }
754
755 in_certificate = 1;
756 }
757 else if (!strcmp(line, "-----END CERTIFICATE-----"))
758 {
759 if (!in_certificate || !num_data)
760 {
761 /*
762 * Missing data...
763 */
764
765 httpFreeCredentials(*credentials);
766 *credentials = NULL;
767 break;
768 }
769
770 if (!*credentials)
771 *credentials = cupsArrayNew(NULL, NULL);
772
773 if (httpAddCredential(*credentials, data, num_data))
774 {
775 httpFreeCredentials(*credentials);
776 *credentials = NULL;
777 break;
778 }
779
780 num_data = 0;
781 in_certificate = 0;
782 }
783 else if (in_certificate)
784 {
785 if (alloc_data == 0)
786 {
787 data = malloc(2048);
788 alloc_data = 2048;
789
790 if (!data)
791 break;
792 }
793 else if ((num_data + strlen(line)) >= alloc_data)
794 {
795 unsigned char *tdata = realloc(data, alloc_data + 1024);
796 /* Expanded buffer */
797
798 if (!tdata)
799 {
800 httpFreeCredentials(*credentials);
801 *credentials = NULL;
802 break;
803 }
804
805 data = tdata;
806 alloc_data += 1024;
807 }
808
809 decoded = alloc_data - num_data;
810 httpDecode64_2((char *)data + num_data, &decoded, line);
811 num_data += (size_t)decoded;
812 }
813 }
814
815 cupsFileClose(fp);
816
817 if (in_certificate)
818 {
819 /*
820 * Missing END CERTIFICATE...
821 */
822
823 httpFreeCredentials(*credentials);
824 *credentials = NULL;
825 }
826
827 if (data)
828 free(data);
829
830 return (*credentials ? 0 : -1);
831 }
832
833
834 /*
835 * 'httpSaveCredentials()' - Save X.509 credentials to a keychain file.
836 *
837 * @since CUPS 2.0/OS 10.10@
838 */
839
840 int /* O - -1 on error, 0 on success */
841 httpSaveCredentials(
842 const char *path, /* I - Keychain/PKCS#12 path */
843 cups_array_t *credentials, /* I - Credentials */
844 const char *common_name) /* I - Common name for credentials */
845 {
846 cups_file_t *fp; /* Certificate file */
847 char filename[1024], /* filename.crt */
848 nfilename[1024],/* filename.crt.N */
849 temp[1024], /* Temporary string */
850 line[256]; /* Base64-encoded line */
851 const unsigned char *ptr; /* Pointer into certificate */
852 ssize_t remaining; /* Bytes left */
853 http_credential_t *cred; /* Current credential */
854
855
856 if (!credentials || !common_name)
857 return (-1);
858
859 if (!path)
860 path = http_gnutls_default_path(temp, sizeof(temp));
861 if (!path)
862 return (-1);
863
864 http_gnutls_make_path(filename, sizeof(filename), path, common_name, "crt");
865 snprintf(nfilename, sizeof(nfilename), "%s.N", filename);
866
867 if ((fp = cupsFileOpen(nfilename, "w")) == NULL)
868 return (-1);
869
870 fchmod(cupsFileNumber(fp), 0600);
871
872 for (cred = (http_credential_t *)cupsArrayFirst(credentials);
873 cred;
874 cred = (http_credential_t *)cupsArrayNext(credentials))
875 {
876 cupsFilePuts(fp, "-----BEGIN CERTIFICATE-----\n");
877 for (ptr = cred->data, remaining = (ssize_t)cred->datalen; remaining > 0; remaining -= 45, ptr += 45)
878 {
879 httpEncode64_2(line, sizeof(line), (char *)ptr, remaining > 45 ? 45 : remaining);
880 cupsFilePrintf(fp, "%s\n", line);
881 }
882 cupsFilePuts(fp, "-----END CERTIFICATE-----\n");
883 }
884
885 cupsFileClose(fp);
886
887 return (rename(nfilename, filename));
888 }
889
890
891 /*
892 * 'http_gnutls_create_credential()' - Create a single credential in the internal format.
893 */
894
895 static gnutls_x509_crt_t /* O - Certificate */
896 http_gnutls_create_credential(
897 http_credential_t *credential) /* I - Credential */
898 {
899 int result; /* Result from GNU TLS */
900 gnutls_x509_crt_t cert; /* Certificate */
901 gnutls_datum_t datum; /* Data record */
902
903
904 DEBUG_printf(("3http_gnutls_create_credential(credential=%p)", credential));
905
906 if (!credential)
907 return (NULL);
908
909 if ((result = gnutls_x509_crt_init(&cert)) < 0)
910 {
911 DEBUG_printf(("4http_gnutls_create_credential: init error: %s", gnutls_strerror(result)));
912 return (NULL);
913 }
914
915 datum.data = credential->data;
916 datum.size = credential->datalen;
917
918 if ((result = gnutls_x509_crt_import(cert, &datum, GNUTLS_X509_FMT_DER)) < 0)
919 {
920 DEBUG_printf(("4http_gnutls_create_credential: import error: %s", gnutls_strerror(result)));
921
922 gnutls_x509_crt_deinit(cert);
923 return (NULL);
924 }
925
926 return (cert);
927 }
928
929
930 /*
931 * 'http_gnutls_default_path()' - Get the default credential store path.
932 */
933
934 static const char * /* O - Path or NULL on error */
935 http_gnutls_default_path(char *buffer,/* I - Path buffer */
936 size_t bufsize)/* I - Size of path buffer */
937 {
938 const char *home = getenv("HOME"); /* HOME environment variable */
939
940
941 if (getuid() && home)
942 {
943 snprintf(buffer, bufsize, "%s/.cups", home);
944 if (access(buffer, 0))
945 {
946 DEBUG_printf(("1http_gnutls_default_path: Making directory \"%s\".", buffer));
947 if (mkdir(buffer, 0700))
948 {
949 DEBUG_printf(("1http_gnutls_default_path: Failed to make directory: %s", strerror(errno)));
950 return (NULL);
951 }
952 }
953
954 snprintf(buffer, bufsize, "%s/.cups/ssl", home);
955 if (access(buffer, 0))
956 {
957 DEBUG_printf(("1http_gnutls_default_path: Making directory \"%s\".", buffer));
958 if (mkdir(buffer, 0700))
959 {
960 DEBUG_printf(("1http_gnutls_default_path: Failed to make directory: %s", strerror(errno)));
961 return (NULL);
962 }
963 }
964 }
965 else
966 strlcpy(buffer, CUPS_SERVERROOT "/ssl", bufsize);
967
968 DEBUG_printf(("1http_gnutls_default_path: Using default path \"%s\".", buffer));
969
970 return (buffer);
971 }
972
973
974 /*
975 * 'http_gnutls_load_crl()' - Load the certificate revocation list, if any.
976 */
977
978 static void
979 http_gnutls_load_crl(void)
980 {
981 _cupsMutexLock(&tls_mutex);
982
983 if (!gnutls_x509_crl_init(&tls_crl))
984 {
985 cups_file_t *fp; /* CRL file */
986 char filename[1024], /* site.crl */
987 line[256]; /* Base64-encoded line */
988 unsigned char *data = NULL; /* Buffer for cert data */
989 size_t alloc_data = 0, /* Bytes allocated */
990 num_data = 0; /* Bytes used */
991 int decoded; /* Bytes decoded */
992 gnutls_datum_t datum; /* Data record */
993
994
995 http_gnutls_make_path(filename, sizeof(filename), CUPS_SERVERROOT, "site", "crl");
996
997 if ((fp = cupsFileOpen(filename, "r")) != NULL)
998 {
999 while (cupsFileGets(fp, line, sizeof(line)))
1000 {
1001 if (!strcmp(line, "-----BEGIN X509 CRL-----"))
1002 {
1003 if (num_data)
1004 {
1005 /*
1006 * Missing END X509 CRL...
1007 */
1008
1009 break;
1010 }
1011 }
1012 else if (!strcmp(line, "-----END X509 CRL-----"))
1013 {
1014 if (!num_data)
1015 {
1016 /*
1017 * Missing data...
1018 */
1019
1020 break;
1021 }
1022
1023 datum.data = data;
1024 datum.size = num_data;
1025
1026 gnutls_x509_crl_import(tls_crl, &datum, GNUTLS_X509_FMT_PEM);
1027
1028 num_data = 0;
1029 }
1030 else
1031 {
1032 if (alloc_data == 0)
1033 {
1034 data = malloc(2048);
1035 alloc_data = 2048;
1036
1037 if (!data)
1038 break;
1039 }
1040 else if ((num_data + strlen(line)) >= alloc_data)
1041 {
1042 unsigned char *tdata = realloc(data, alloc_data + 1024);
1043 /* Expanded buffer */
1044
1045 if (!tdata)
1046 break;
1047
1048 data = tdata;
1049 alloc_data += 1024;
1050 }
1051
1052 decoded = alloc_data - num_data;
1053 httpDecode64_2((char *)data + num_data, &decoded, line);
1054 num_data += (size_t)decoded;
1055 }
1056 }
1057
1058 cupsFileClose(fp);
1059
1060 if (data)
1061 free(data);
1062 }
1063 }
1064
1065 _cupsMutexUnlock(&tls_mutex);
1066 }
1067
1068
1069 /*
1070 * 'http_gnutls_make_path()' - Format a filename for a certificate or key file.
1071 */
1072
1073 static const char * /* O - Filename */
1074 http_gnutls_make_path(
1075 char *buffer, /* I - Filename buffer */
1076 size_t bufsize, /* I - Size of buffer */
1077 const char *dirname, /* I - Directory */
1078 const char *filename, /* I - Filename (usually hostname) */
1079 const char *ext) /* I - Extension */
1080 {
1081 char *bufptr, /* Pointer into buffer */
1082 *bufend = buffer + bufsize - 1; /* End of buffer */
1083
1084
1085 snprintf(buffer, bufsize, "%s/", dirname);
1086 bufptr = buffer + strlen(buffer);
1087
1088 while (*filename && bufptr < bufend)
1089 {
1090 if (_cups_isalnum(*filename) || *filename == '-' || *filename == '.')
1091 *bufptr++ = *filename;
1092 else
1093 *bufptr++ = '_';
1094
1095 filename ++;
1096 }
1097
1098 if (bufptr < bufend)
1099 *bufptr++ = '.';
1100
1101 strlcpy(bufptr, ext, (size_t)(bufend - bufptr + 1));
1102
1103 return (buffer);
1104 }
1105
1106
1107 /*
1108 * 'http_gnutls_read()' - Read function for the GNU TLS library.
1109 */
1110
1111 static ssize_t /* O - Number of bytes read or -1 on error */
1112 http_gnutls_read(
1113 gnutls_transport_ptr_t ptr, /* I - Connection to server */
1114 void *data, /* I - Buffer */
1115 size_t length) /* I - Number of bytes to read */
1116 {
1117 http_t *http; /* HTTP connection */
1118 ssize_t bytes; /* Bytes read */
1119
1120
1121 DEBUG_printf(("6http_gnutls_read(ptr=%p, data=%p, length=%d)", ptr, data, (int)length));
1122
1123 http = (http_t *)ptr;
1124
1125 if (!http->blocking || http->timeout_value > 0.0)
1126 {
1127 /*
1128 * Make sure we have data before we read...
1129 */
1130
1131 while (!_httpWait(http, http->wait_value, 0))
1132 {
1133 if (http->timeout_cb && (*http->timeout_cb)(http, http->timeout_data))
1134 continue;
1135
1136 http->error = ETIMEDOUT;
1137 return (-1);
1138 }
1139 }
1140
1141 bytes = recv(http->fd, data, length, 0);
1142 DEBUG_printf(("6http_gnutls_read: bytes=%d", (int)bytes));
1143 return (bytes);
1144 }
1145
1146
1147 /*
1148 * 'http_gnutls_write()' - Write function for the GNU TLS library.
1149 */
1150
1151 static ssize_t /* O - Number of bytes written or -1 on error */
1152 http_gnutls_write(
1153 gnutls_transport_ptr_t ptr, /* I - Connection to server */
1154 const void *data, /* I - Data buffer */
1155 size_t length) /* I - Number of bytes to write */
1156 {
1157 ssize_t bytes; /* Bytes written */
1158
1159
1160 DEBUG_printf(("6http_gnutls_write(ptr=%p, data=%p, length=%d)", ptr, data,
1161 (int)length));
1162 bytes = send(((http_t *)ptr)->fd, data, length, 0);
1163 DEBUG_printf(("http_gnutls_write: bytes=%d", (int)bytes));
1164
1165 return (bytes);
1166 }
1167
1168
1169 /*
1170 * '_httpTLSInitialize()' - Initialize the TLS stack.
1171 */
1172
1173 void
1174 _httpTLSInitialize(void)
1175 {
1176 /*
1177 * Initialize GNU TLS...
1178 */
1179
1180 gnutls_global_init();
1181 }
1182
1183
1184 /*
1185 * '_httpTLSPending()' - Return the number of pending TLS-encrypted bytes.
1186 */
1187
1188 size_t /* O - Bytes available */
1189 _httpTLSPending(http_t *http) /* I - HTTP connection */
1190 {
1191 return (gnutls_record_check_pending(http->tls));
1192 }
1193
1194
1195 /*
1196 * '_httpTLSRead()' - Read from a SSL/TLS connection.
1197 */
1198
1199 int /* O - Bytes read */
1200 _httpTLSRead(http_t *http, /* I - Connection to server */
1201 char *buf, /* I - Buffer to store data */
1202 int len) /* I - Length of buffer */
1203 {
1204 ssize_t result; /* Return value */
1205
1206
1207 result = gnutls_record_recv(http->tls, buf, (size_t)len);
1208
1209 if (result < 0 && !errno)
1210 {
1211 /*
1212 * Convert GNU TLS error to errno value...
1213 */
1214
1215 switch (result)
1216 {
1217 case GNUTLS_E_INTERRUPTED :
1218 errno = EINTR;
1219 break;
1220
1221 case GNUTLS_E_AGAIN :
1222 errno = EAGAIN;
1223 break;
1224
1225 default :
1226 errno = EPIPE;
1227 break;
1228 }
1229
1230 result = -1;
1231 }
1232
1233 return ((int)result);
1234 }
1235
1236
1237 /*
1238 * '_httpTLSSetOptions()' - Set TLS protocol and cipher suite options.
1239 */
1240
1241 void
1242 _httpTLSSetOptions(int options, /* I - Options */
1243 int min_version, /* I - Minimum TLS version */
1244 int max_version) /* I - Maximum TLS version */
1245 {
1246 if (!(options & _HTTP_TLS_SET_DEFAULT) || tls_options < 0)
1247 {
1248 tls_options = options;
1249 tls_min_version = min_version;
1250 tls_max_version = max_version;
1251 }
1252 }
1253
1254
1255 /*
1256 * '_httpTLSStart()' - Set up SSL/TLS support on a connection.
1257 */
1258
1259 int /* O - 0 on success, -1 on failure */
1260 _httpTLSStart(http_t *http) /* I - Connection to server */
1261 {
1262 char hostname[256], /* Hostname */
1263 *hostptr; /* Pointer into hostname */
1264 int status; /* Status of handshake */
1265 gnutls_certificate_credentials_t *credentials;
1266 /* TLS credentials */
1267 char priority_string[2048];
1268 /* Priority string */
1269 int version; /* Current version */
1270 double old_timeout; /* Old timeout value */
1271 http_timeout_cb_t old_cb; /* Old timeout callback */
1272 void *old_data; /* Old timeout data */
1273 static const char * const versions[] =/* SSL/TLS versions */
1274 {
1275 "VERS-SSL3.0",
1276 "VERS-TLS1.0",
1277 "VERS-TLS1.1",
1278 "VERS-TLS1.2",
1279 "VERS-TLS1.3",
1280 "VERS-TLS-ALL"
1281 };
1282
1283
1284 DEBUG_printf(("3_httpTLSStart(http=%p)", http));
1285
1286 if (tls_options < 0)
1287 {
1288 DEBUG_puts("4_httpTLSStart: Setting defaults.");
1289 _cupsSetDefaults();
1290 DEBUG_printf(("4_httpTLSStart: tls_options=%x", tls_options));
1291 }
1292
1293 if (http->mode == _HTTP_MODE_SERVER && !tls_keypath)
1294 {
1295 DEBUG_puts("4_httpTLSStart: cupsSetServerCredentials not called.");
1296 http->error = errno = EINVAL;
1297 http->status = HTTP_STATUS_ERROR;
1298 _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Server credentials not set."), 1);
1299
1300 return (-1);
1301 }
1302
1303 credentials = (gnutls_certificate_credentials_t *)
1304 malloc(sizeof(gnutls_certificate_credentials_t));
1305 if (credentials == NULL)
1306 {
1307 DEBUG_printf(("8_httpStartTLS: Unable to allocate credentials: %s",
1308 strerror(errno)));
1309 http->error = errno;
1310 http->status = HTTP_STATUS_ERROR;
1311 _cupsSetHTTPError(HTTP_STATUS_ERROR);
1312
1313 return (-1);
1314 }
1315
1316 gnutls_certificate_allocate_credentials(credentials);
1317 status = gnutls_init(&http->tls, http->mode == _HTTP_MODE_CLIENT ? GNUTLS_CLIENT : GNUTLS_SERVER);
1318 if (!status)
1319 status = gnutls_set_default_priority(http->tls);
1320
1321 if (status)
1322 {
1323 http->error = EIO;
1324 http->status = HTTP_STATUS_ERROR;
1325
1326 DEBUG_printf(("4_httpTLSStart: Unable to initialize common TLS parameters: %s", gnutls_strerror(status)));
1327 _cupsSetError(IPP_STATUS_ERROR_CUPS_PKI, gnutls_strerror(status), 0);
1328
1329 gnutls_deinit(http->tls);
1330 gnutls_certificate_free_credentials(*credentials);
1331 free(credentials);
1332 http->tls = NULL;
1333
1334 return (-1);
1335 }
1336
1337 if (http->mode == _HTTP_MODE_CLIENT)
1338 {
1339 /*
1340 * Client: get the hostname to use for TLS...
1341 */
1342
1343 if (httpAddrLocalhost(http->hostaddr))
1344 {
1345 strlcpy(hostname, "localhost", sizeof(hostname));
1346 }
1347 else
1348 {
1349 /*
1350 * Otherwise make sure the hostname we have does not end in a trailing dot.
1351 */
1352
1353 strlcpy(hostname, http->hostname, sizeof(hostname));
1354 if ((hostptr = hostname + strlen(hostname) - 1) >= hostname &&
1355 *hostptr == '.')
1356 *hostptr = '\0';
1357 }
1358
1359 status = gnutls_server_name_set(http->tls, GNUTLS_NAME_DNS, hostname, strlen(hostname));
1360 }
1361 else
1362 {
1363 /*
1364 * Server: get certificate and private key...
1365 */
1366
1367 char crtfile[1024], /* Certificate file */
1368 keyfile[1024]; /* Private key file */
1369 int have_creds = 0; /* Have credentials? */
1370
1371 if (http->fields[HTTP_FIELD_HOST])
1372 {
1373 /*
1374 * Use hostname for TLS upgrade...
1375 */
1376
1377 strlcpy(hostname, http->fields[HTTP_FIELD_HOST], sizeof(hostname));
1378 }
1379 else
1380 {
1381 /*
1382 * Resolve hostname from connection address...
1383 */
1384
1385 http_addr_t addr; /* Connection address */
1386 socklen_t addrlen; /* Length of address */
1387
1388 addrlen = sizeof(addr);
1389 if (getsockname(http->fd, (struct sockaddr *)&addr, &addrlen))
1390 {
1391 DEBUG_printf(("4_httpTLSStart: Unable to get socket address: %s", strerror(errno)));
1392 hostname[0] = '\0';
1393 }
1394 else if (httpAddrLocalhost(&addr))
1395 hostname[0] = '\0';
1396 else
1397 {
1398 httpAddrLookup(&addr, hostname, sizeof(hostname));
1399 DEBUG_printf(("4_httpTLSStart: Resolved socket address to \"%s\".", hostname));
1400 }
1401 }
1402
1403 if (isdigit(hostname[0] & 255) || hostname[0] == '[')
1404 hostname[0] = '\0'; /* Don't allow numeric addresses */
1405
1406 if (hostname[0])
1407 {
1408 /*
1409 * First look in the CUPS keystore...
1410 */
1411
1412 http_gnutls_make_path(crtfile, sizeof(crtfile), tls_keypath, hostname, "crt");
1413 http_gnutls_make_path(keyfile, sizeof(keyfile), tls_keypath, hostname, "key");
1414
1415 if (access(crtfile, R_OK) || access(keyfile, R_OK))
1416 {
1417 /*
1418 * No CUPS-managed certs, look for CA certs...
1419 */
1420
1421 char cacrtfile[1024], cakeyfile[1024]; /* CA cert files */
1422
1423 snprintf(cacrtfile, sizeof(cacrtfile), "/etc/letsencrypt/live/%s/fullchain.pem", hostname);
1424 snprintf(cakeyfile, sizeof(cakeyfile), "/etc/letsencrypt/live/%s/privkey.pem", hostname);
1425
1426 if ((access(cacrtfile, R_OK) || access(cakeyfile, R_OK)) && (hostptr = strchr(hostname, '.')) != NULL)
1427 {
1428 /*
1429 * Try just domain name...
1430 */
1431
1432 hostptr ++;
1433 if (strchr(hostptr, '.'))
1434 {
1435 snprintf(cacrtfile, sizeof(cacrtfile), "/etc/letsencrypt/live/%s/fullchain.pem", hostptr);
1436 snprintf(cakeyfile, sizeof(cakeyfile), "/etc/letsencrypt/live/%s/privkey.pem", hostptr);
1437 }
1438 }
1439
1440 if (!access(cacrtfile, R_OK) && !access(cakeyfile, R_OK))
1441 {
1442 /*
1443 * Use the CA certs...
1444 */
1445
1446 strlcpy(crtfile, cacrtfile, sizeof(crtfile));
1447 strlcpy(keyfile, cakeyfile, sizeof(keyfile));
1448 }
1449 }
1450
1451 have_creds = !access(crtfile, R_OK) && !access(keyfile, R_OK);
1452 }
1453 else if (tls_common_name)
1454 {
1455 /*
1456 * First look in the CUPS keystore...
1457 */
1458
1459 http_gnutls_make_path(crtfile, sizeof(crtfile), tls_keypath, tls_common_name, "crt");
1460 http_gnutls_make_path(keyfile, sizeof(keyfile), tls_keypath, tls_common_name, "key");
1461
1462 if (access(crtfile, R_OK) || access(keyfile, R_OK))
1463 {
1464 /*
1465 * No CUPS-managed certs, look for CA certs...
1466 */
1467
1468 char cacrtfile[1024], cakeyfile[1024]; /* CA cert files */
1469
1470 snprintf(cacrtfile, sizeof(cacrtfile), "/etc/letsencrypt/live/%s/fullchain.pem", tls_common_name);
1471 snprintf(cakeyfile, sizeof(cakeyfile), "/etc/letsencrypt/live/%s/privkey.pem", tls_common_name);
1472
1473 if ((access(cacrtfile, R_OK) || access(cakeyfile, R_OK)) && (hostptr = strchr(tls_common_name, '.')) != NULL)
1474 {
1475 /*
1476 * Try just domain name...
1477 */
1478
1479 hostptr ++;
1480 if (strchr(hostptr, '.'))
1481 {
1482 snprintf(cacrtfile, sizeof(cacrtfile), "/etc/letsencrypt/live/%s/fullchain.pem", hostptr);
1483 snprintf(cakeyfile, sizeof(cakeyfile), "/etc/letsencrypt/live/%s/privkey.pem", hostptr);
1484 }
1485 }
1486
1487 if (!access(cacrtfile, R_OK) && !access(cakeyfile, R_OK))
1488 {
1489 /*
1490 * Use the CA certs...
1491 */
1492
1493 strlcpy(crtfile, cacrtfile, sizeof(crtfile));
1494 strlcpy(keyfile, cakeyfile, sizeof(keyfile));
1495 }
1496 }
1497
1498 have_creds = !access(crtfile, R_OK) && !access(keyfile, R_OK);
1499 }
1500
1501 if (!have_creds && tls_auto_create && (hostname[0] || tls_common_name))
1502 {
1503 DEBUG_printf(("4_httpTLSStart: Auto-create credentials for \"%s\".", hostname[0] ? hostname : tls_common_name));
1504
1505 if (!cupsMakeServerCredentials(tls_keypath, hostname[0] ? hostname : tls_common_name, 0, NULL, time(NULL) + 365 * 86400))
1506 {
1507 DEBUG_puts("4_httpTLSStart: cupsMakeServerCredentials failed.");
1508 http->error = errno = EINVAL;
1509 http->status = HTTP_STATUS_ERROR;
1510 _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Unable to create server credentials."), 1);
1511
1512 return (-1);
1513 }
1514 }
1515
1516 DEBUG_printf(("4_httpTLSStart: Using certificate \"%s\" and private key \"%s\".", crtfile, keyfile));
1517
1518 if (!status)
1519 status = gnutls_certificate_set_x509_key_file(*credentials, crtfile, keyfile, GNUTLS_X509_FMT_PEM);
1520 }
1521
1522 if (!status)
1523 status = gnutls_credentials_set(http->tls, GNUTLS_CRD_CERTIFICATE, *credentials);
1524
1525 if (status)
1526 {
1527 http->error = EIO;
1528 http->status = HTTP_STATUS_ERROR;
1529
1530 DEBUG_printf(("4_httpTLSStart: Unable to complete client/server setup: %s", gnutls_strerror(status)));
1531 _cupsSetError(IPP_STATUS_ERROR_CUPS_PKI, gnutls_strerror(status), 0);
1532
1533 gnutls_deinit(http->tls);
1534 gnutls_certificate_free_credentials(*credentials);
1535 free(credentials);
1536 http->tls = NULL;
1537
1538 return (-1);
1539 }
1540
1541 strlcpy(priority_string, "NORMAL", sizeof(priority_string));
1542
1543 if (tls_max_version < _HTTP_TLS_MAX)
1544 {
1545 /*
1546 * Require specific TLS versions...
1547 */
1548
1549 strlcat(priority_string, ":-VERS-TLS-ALL", sizeof(priority_string));
1550 for (version = tls_min_version; version <= tls_max_version; version ++)
1551 {
1552 strlcat(priority_string, ":+", sizeof(priority_string));
1553 strlcat(priority_string, versions[version], sizeof(priority_string));
1554 }
1555 }
1556 else if (tls_min_version == _HTTP_TLS_SSL3)
1557 {
1558 /*
1559 * Allow all versions of TLS and SSL/3.0...
1560 */
1561
1562 strlcat(priority_string, ":+VERS-TLS-ALL:+VERS-SSL3.0", sizeof(priority_string));
1563 }
1564 else
1565 {
1566 /*
1567 * Require a minimum version...
1568 */
1569
1570 strlcat(priority_string, ":+VERS-TLS-ALL", sizeof(priority_string));
1571 for (version = 0; version < tls_min_version; version ++)
1572 {
1573 strlcat(priority_string, ":-", sizeof(priority_string));
1574 strlcat(priority_string, versions[version], sizeof(priority_string));
1575 }
1576 }
1577
1578 if (tls_options & _HTTP_TLS_ALLOW_RC4)
1579 strlcat(priority_string, ":+ARCFOUR-128", sizeof(priority_string));
1580 else
1581 strlcat(priority_string, ":!ARCFOUR-128", sizeof(priority_string));
1582
1583 strlcat(priority_string, ":!ANON-DH", sizeof(priority_string));
1584
1585 if (tls_options & _HTTP_TLS_DENY_CBC)
1586 strlcat(priority_string, ":!AES-128-CBC:!AES-256-CBC:!CAMELLIA-128-CBC:!CAMELLIA-256-CBC:!3DES-CBC", sizeof(priority_string));
1587
1588 #ifdef HAVE_GNUTLS_PRIORITY_SET_DIRECT
1589 gnutls_priority_set_direct(http->tls, priority_string, NULL);
1590
1591 #else
1592 gnutls_priority_t priority; /* Priority */
1593
1594 gnutls_priority_init(&priority, priority_string, NULL);
1595 gnutls_priority_set(http->tls, priority);
1596 gnutls_priority_deinit(priority);
1597 #endif /* HAVE_GNUTLS_PRIORITY_SET_DIRECT */
1598
1599 gnutls_transport_set_ptr(http->tls, (gnutls_transport_ptr_t)http);
1600 gnutls_transport_set_pull_function(http->tls, http_gnutls_read);
1601 #ifdef HAVE_GNUTLS_TRANSPORT_SET_PULL_TIMEOUT_FUNCTION
1602 gnutls_transport_set_pull_timeout_function(http->tls, (gnutls_pull_timeout_func)httpWait);
1603 #endif /* HAVE_GNUTLS_TRANSPORT_SET_PULL_TIMEOUT_FUNCTION */
1604 gnutls_transport_set_push_function(http->tls, http_gnutls_write);
1605
1606 /*
1607 * Enforce a minimum timeout of 10 seconds for the TLS handshake...
1608 */
1609
1610 old_timeout = http->timeout_value;
1611 old_cb = http->timeout_cb;
1612 old_data = http->timeout_data;
1613
1614 if (!old_cb || old_timeout < 10.0)
1615 {
1616 DEBUG_puts("4_httpTLSStart: Setting timeout to 10 seconds.");
1617 httpSetTimeout(http, 10.0, NULL, NULL);
1618 }
1619
1620 /*
1621 * Do the TLS handshake...
1622 */
1623
1624 while ((status = gnutls_handshake(http->tls)) != GNUTLS_E_SUCCESS)
1625 {
1626 DEBUG_printf(("5_httpStartTLS: gnutls_handshake returned %d (%s)",
1627 status, gnutls_strerror(status)));
1628
1629 if (gnutls_error_is_fatal(status))
1630 {
1631 http->error = EIO;
1632 http->status = HTTP_STATUS_ERROR;
1633
1634 _cupsSetError(IPP_STATUS_ERROR_CUPS_PKI, gnutls_strerror(status), 0);
1635
1636 gnutls_deinit(http->tls);
1637 gnutls_certificate_free_credentials(*credentials);
1638 free(credentials);
1639 http->tls = NULL;
1640
1641 httpSetTimeout(http, old_timeout, old_cb, old_data);
1642
1643 return (-1);
1644 }
1645 }
1646
1647 /*
1648 * Restore the previous timeout settings...
1649 */
1650
1651 httpSetTimeout(http, old_timeout, old_cb, old_data);
1652
1653 http->tls_credentials = credentials;
1654
1655 return (0);
1656 }
1657
1658
1659 /*
1660 * '_httpTLSStop()' - Shut down SSL/TLS on a connection.
1661 */
1662
1663 void
1664 _httpTLSStop(http_t *http) /* I - Connection to server */
1665 {
1666 int error; /* Error code */
1667
1668
1669 error = gnutls_bye(http->tls, http->mode == _HTTP_MODE_CLIENT ? GNUTLS_SHUT_RDWR : GNUTLS_SHUT_WR);
1670 if (error != GNUTLS_E_SUCCESS)
1671 _cupsSetError(IPP_STATUS_ERROR_INTERNAL, gnutls_strerror(errno), 0);
1672
1673 gnutls_deinit(http->tls);
1674 http->tls = NULL;
1675
1676 if (http->tls_credentials)
1677 {
1678 gnutls_certificate_free_credentials(*(http->tls_credentials));
1679 free(http->tls_credentials);
1680 http->tls_credentials = NULL;
1681 }
1682 }
1683
1684
1685 /*
1686 * '_httpTLSWrite()' - Write to a SSL/TLS connection.
1687 */
1688
1689 int /* O - Bytes written */
1690 _httpTLSWrite(http_t *http, /* I - Connection to server */
1691 const char *buf, /* I - Buffer holding data */
1692 int len) /* I - Length of buffer */
1693 {
1694 ssize_t result; /* Return value */
1695
1696
1697 DEBUG_printf(("2http_write_ssl(http=%p, buf=%p, len=%d)", http, buf, len));
1698
1699 result = gnutls_record_send(http->tls, buf, (size_t)len);
1700
1701 if (result < 0 && !errno)
1702 {
1703 /*
1704 * Convert GNU TLS error to errno value...
1705 */
1706
1707 switch (result)
1708 {
1709 case GNUTLS_E_INTERRUPTED :
1710 errno = EINTR;
1711 break;
1712
1713 case GNUTLS_E_AGAIN :
1714 errno = EAGAIN;
1715 break;
1716
1717 default :
1718 errno = EPIPE;
1719 break;
1720 }
1721
1722 result = -1;
1723 }
1724
1725 DEBUG_printf(("3http_write_ssl: Returning %d.", (int)result));
1726
1727 return ((int)result);
1728 }
Unnamed repository; edit this file 'description' to name the repository.