/*
* TLS support code for CUPS using GNU TLS.
*
- * Copyright 2007-2016 by Apple Inc.
+ * Copyright 2007-2017 by Apple Inc.
* Copyright 1997-2007 by Easy Software Products, all rights reserved.
*
- * These coded instructions, statements, and computer programs are the
- * property of Apple Inc. and are protected by Federal copyright
- * law. Distribution and use rights are outlined in the file "LICENSE.txt"
- * which should have been included with this file. If this file is
- * file is missing or damaged, see the license at "http://www.cups.org/".
- *
- * This file is subject to the Apple OS-Developed Software exception.
+ * Licensed under Apache License v2.0. See the file "LICENSE" for more information.
*/
/**** This file is included from tls.c ****/
/* Server cert keychain path */
static _cups_mutex_t tls_mutex = _CUPS_MUTEX_INITIALIZER;
/* Mutex for keychain/certs */
-static int tls_options = -1;/* Options for TLS connections */
+static int tls_options = -1,/* Options for TLS connections */
+ tls_min_version = _HTTP_TLS_1_0,
+ tls_max_version = _HTTP_TLS_MAX;
/*
for (i = 0; i < count; i ++)
{
rserial_size = sizeof(rserial);
- if (!gnutls_x509_crl_get_crt_serial(tls_crl, i, rserial, &rserial_size, NULL) && cserial_size == rserial_size && !memcmp(cserial, rserial, rserial_size))
+ if (!gnutls_x509_crl_get_crt_serial(tls_crl, (unsigned)i, rserial, &rserial_size, NULL) && cserial_size == rserial_size && !memcmp(cserial, rserial, rserial_size))
{
result = 0;
break;
if (!common_name)
+ {
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("No common name specified."), 1);
return (HTTP_TRUST_UNKNOWN);
+ }
if ((cert = http_gnutls_create_credential((http_credential_t *)cupsArrayFirst(credentials))) == NULL)
+ {
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Unable to create credentials from array."), 1);
return (HTTP_TRUST_UNKNOWN);
+ }
if (cg->any_root < 0)
{
* Do not trust certificates on first use...
*/
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Trust on first use is disabled."), 1);
+
trust = HTTP_TRUST_INVALID;
}
- else if (httpCredentialsGetExpiration(credentials) <= httpCredentialsGetExpiration(tcreds) || !httpCredentialsAreValidForName(credentials, common_name))
+ else if (httpCredentialsGetExpiration(credentials) <= httpCredentialsGetExpiration(tcreds))
{
/*
- * Either the new credentials are not newly issued, or the common name
- * does not match the issued certificate...
+ * The new credentials are not newly issued...
*/
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("New credentials are older than stored credentials."), 1);
+
+ trust = HTTP_TRUST_INVALID;
+ }
+ else if (!httpCredentialsAreValidForName(credentials, common_name))
+ {
+ /*
+ * The common name does not match the issued certificate...
+ */
+
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("New credentials are not valid for name."), 1);
+
trust = HTTP_TRUST_INVALID;
}
else if (httpCredentialsGetExpiration(tcreds) < time(NULL))
httpFreeCredentials(tcreds);
}
else if (cg->validate_certs && !httpCredentialsAreValidForName(credentials, common_name))
+ {
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("No stored credentials, not valid for name."), 1);
trust = HTTP_TRUST_INVALID;
+ }
+ else if (!cg->trust_first)
+ {
+ /*
+ * See if we have a site CA certificate we can compare...
+ */
+
+ if (!httpLoadCredentials(NULL, &tcreds, "site"))
+ {
+ if (cupsArrayCount(credentials) != (cupsArrayCount(tcreds) + 1))
+ {
+ /*
+ * Certificate isn't directly generated from the CA cert...
+ */
+
+ trust = HTTP_TRUST_INVALID;
+ }
+ else
+ {
+ /*
+ * Do a tail comparison of the two certificates...
+ */
+
+ http_credential_t *a, *b; /* Certificates */
+
+ for (a = (http_credential_t *)cupsArrayFirst(tcreds), b = (http_credential_t *)cupsArrayIndex(credentials, 1);
+ a && b;
+ a = (http_credential_t *)cupsArrayNext(tcreds), b = (http_credential_t *)cupsArrayNext(credentials))
+ if (a->datalen != b->datalen || memcmp(a->data, b->data, a->datalen))
+ break;
+
+ if (a || b)
+ trust = HTTP_TRUST_INVALID;
+ }
+
+ if (trust != HTTP_TRUST_OK)
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Credentials do not validate against site CA certificate."), 1);
+ }
+ else
+ {
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Trust on first use is disabled."), 1);
+ trust = HTTP_TRUST_INVALID;
+ }
+ }
if (trust == HTTP_TRUST_OK && !cg->expired_certs)
{
time(&curtime);
if (curtime < gnutls_x509_crt_get_activation_time(cert) ||
curtime > gnutls_x509_crt_get_expiration_time(cert))
+ {
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Credentials have expired."), 1);
trust = HTTP_TRUST_EXPIRED;
+ }
}
if (trust == HTTP_TRUST_OK && !cg->any_root && cupsArrayCount(credentials) == 1)
+ {
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Self-signed credentials are blocked."), 1);
trust = HTTP_TRUST_INVALID;
+ }
gnutls_x509_crt_deinit(cert);
char name[256]; /* Common name associated with cert */
size_t namelen; /* Length of name */
time_t expiration; /* Expiration date of cert */
- _cups_md5_state_t md5_state; /* MD5 state */
unsigned char md5_digest[16]; /* MD5 result */
namelen = sizeof(name) - 1;
expiration = gnutls_x509_crt_get_expiration_time(cert);
- _cupsMD5Init(&md5_state);
- _cupsMD5Append(&md5_state, first->data, (int)first->datalen);
- _cupsMD5Finish(&md5_state, md5_digest);
+ cupsHashData("md5", first->data, first->datalen, md5_digest, sizeof(md5_digest));
snprintf(buffer, bufsize, "%s / %s / %02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X", name, httpGetDateString(expiration), md5_digest[0], md5_digest[1], md5_digest[2], md5_digest[3], md5_digest[4], md5_digest[5], md5_digest[6], md5_digest[7], md5_digest[8], md5_digest[9], md5_digest[10], md5_digest[11], md5_digest[12], md5_digest[13], md5_digest[14], md5_digest[15]);
size_t alloc_data = 0, /* Bytes allocated */
num_data = 0; /* Bytes used */
int decoded; /* Bytes decoded */
+ int in_certificate = 0;
+ /* In a certificate? */
if (!credentials || !common_name)
{
if (!strcmp(line, "-----BEGIN CERTIFICATE-----"))
{
- if (num_data)
+ if (in_certificate)
{
/*
* Missing END CERTIFICATE...
*credentials = NULL;
break;
}
+
+ in_certificate = 1;
}
else if (!strcmp(line, "-----END CERTIFICATE-----"))
{
- if (!num_data)
+ if (!in_certificate || !num_data)
{
/*
* Missing data...
break;
}
- num_data = 0;
+ num_data = 0;
+ in_certificate = 0;
}
- else
+ else if (in_certificate)
{
if (alloc_data == 0)
{
cupsFileClose(fp);
- if (num_data)
+ if (in_certificate)
{
/*
* Missing END CERTIFICATE...
void
_httpTLSSetOptions(int options) /* I - Options */
{
- tls_options = options;
+ if (!(options & _HTTP_TLS_SET_DEFAULT) || tls_options < 0)
+ {
+ tls_options = options;
+ tls_min_version = min_version;
+ tls_max_version = max_version;
+ }
}
int status; /* Status of handshake */
gnutls_certificate_credentials_t *credentials;
/* TLS credentials */
- char priority_string[1024];
+ char priority_string[2048];
/* Priority string */
+ int version; /* Current version */
+ static const char * const versions[] =/* SSL/TLS versions */
+ {
+ "VERS-SSL3.0",
+ "VERS-TLS1.0",
+ "VERS-TLS1.1",
+ "VERS-TLS1.2",
+ "VERS-TLS1.3",
+ "VERS-TLS-ALL"
+ };
DEBUG_printf(("3_httpTLSStart(http=%p)", http));
if (hostname[0])
{
/*
- * First look for CA certs...
+ * First look in the CUPS keystore...
*/
- snprintf(crtfile, sizeof(crtfile), "/etc/letsencrypt/live/%s/fullchain.pem", hostname);
- snprintf(keyfile, sizeof(keyfile), "/etc/letsencrypt/live/%s/privkey.pem", hostname);
-
- if ((access(crtfile, R_OK) || access(keyfile, R_OK)) && (hostptr = strchr(hostname, '.')) != NULL)
- {
- /*
- * Try just domain name...
- */
-
- hostptr ++;
- if (strchr(hostptr, '.'))
- {
- snprintf(crtfile, sizeof(crtfile), "/etc/letsencrypt/live/%s/fullchain.pem", hostptr);
- snprintf(keyfile, sizeof(keyfile), "/etc/letsencrypt/live/%s/privkey.pem", hostptr);
- }
- }
+ http_gnutls_make_path(crtfile, sizeof(crtfile), tls_keypath, hostname, "crt");
+ http_gnutls_make_path(keyfile, sizeof(keyfile), tls_keypath, hostname, "key");
if (access(crtfile, R_OK) || access(keyfile, R_OK))
{
/*
- * Then look in the CUPS keystore...
- */
-
- http_gnutls_make_path(crtfile, sizeof(crtfile), tls_keypath, hostname, "crt");
- http_gnutls_make_path(keyfile, sizeof(keyfile), tls_keypath, hostname, "key");
+ * No CUPS-managed certs, look for CA certs...
+ */
+
+ char cacrtfile[1024], cakeyfile[1024]; /* CA cert files */
+
+ snprintf(cacrtfile, sizeof(cacrtfile), "/etc/letsencrypt/live/%s/fullchain.pem", hostname);
+ snprintf(cakeyfile, sizeof(cakeyfile), "/etc/letsencrypt/live/%s/privkey.pem", hostname);
+
+ if ((access(cacrtfile, R_OK) || access(cakeyfile, R_OK)) && (hostptr = strchr(hostname, '.')) != NULL)
+ {
+ /*
+ * Try just domain name...
+ */
+
+ hostptr ++;
+ if (strchr(hostptr, '.'))
+ {
+ snprintf(cacrtfile, sizeof(cacrtfile), "/etc/letsencrypt/live/%s/fullchain.pem", hostptr);
+ snprintf(cakeyfile, sizeof(cakeyfile), "/etc/letsencrypt/live/%s/privkey.pem", hostptr);
+ }
+ }
+
+ if (!access(cacrtfile, R_OK) && !access(cakeyfile, R_OK))
+ {
+ /*
+ * Use the CA certs...
+ */
+
+ strlcpy(crtfile, cacrtfile, sizeof(crtfile));
+ strlcpy(keyfile, cakeyfile, sizeof(keyfile));
+ }
}
have_creds = !access(crtfile, R_OK) && !access(keyfile, R_OK);
else if (tls_common_name)
{
/*
- * First look for CA certs...
+ * First look in the CUPS keystore...
*/
- snprintf(crtfile, sizeof(crtfile), "/etc/letsencrypt/live/%s/fullchain.pem", tls_common_name);
- snprintf(keyfile, sizeof(keyfile), "/etc/letsencrypt/live/%s/privkey.pem", tls_common_name);
-
- if ((access(crtfile, R_OK) || access(keyfile, R_OK)) && (hostptr = strchr(tls_common_name, '.')) != NULL)
- {
- /*
- * Try just domain name...
- */
-
- hostptr ++;
- if (strchr(hostptr, '.'))
- {
- snprintf(crtfile, sizeof(crtfile), "/etc/letsencrypt/live/%s/fullchain.pem", hostptr);
- snprintf(keyfile, sizeof(keyfile), "/etc/letsencrypt/live/%s/privkey.pem", hostptr);
- }
- }
+ http_gnutls_make_path(crtfile, sizeof(crtfile), tls_keypath, tls_common_name, "crt");
+ http_gnutls_make_path(keyfile, sizeof(keyfile), tls_keypath, tls_common_name, "key");
if (access(crtfile, R_OK) || access(keyfile, R_OK))
{
/*
- * Then look in the CUPS keystore...
- */
-
- http_gnutls_make_path(crtfile, sizeof(crtfile), tls_keypath, tls_common_name, "crt");
- http_gnutls_make_path(keyfile, sizeof(keyfile), tls_keypath, tls_common_name, "key");
+ * No CUPS-managed certs, look for CA certs...
+ */
+
+ char cacrtfile[1024], cakeyfile[1024]; /* CA cert files */
+
+ snprintf(cacrtfile, sizeof(cacrtfile), "/etc/letsencrypt/live/%s/fullchain.pem", tls_common_name);
+ snprintf(cakeyfile, sizeof(cakeyfile), "/etc/letsencrypt/live/%s/privkey.pem", tls_common_name);
+
+ if ((access(cacrtfile, R_OK) || access(cakeyfile, R_OK)) && (hostptr = strchr(tls_common_name, '.')) != NULL)
+ {
+ /*
+ * Try just domain name...
+ */
+
+ hostptr ++;
+ if (strchr(hostptr, '.'))
+ {
+ snprintf(cacrtfile, sizeof(cacrtfile), "/etc/letsencrypt/live/%s/fullchain.pem", hostptr);
+ snprintf(cakeyfile, sizeof(cakeyfile), "/etc/letsencrypt/live/%s/privkey.pem", hostptr);
+ }
+ }
+
+ if (!access(cacrtfile, R_OK) && !access(cakeyfile, R_OK))
+ {
+ /*
+ * Use the CA certs...
+ */
+
+ strlcpy(crtfile, cacrtfile, sizeof(crtfile));
+ strlcpy(keyfile, cakeyfile, sizeof(keyfile));
+ }
}
have_creds = !access(crtfile, R_OK) && !access(keyfile, R_OK);
strlcpy(priority_string, "NORMAL", sizeof(priority_string));
- if (tls_options & _HTTP_TLS_DENY_TLS10)
- strlcat(priority_string, ":+VERS-TLS-ALL:-VERS-TLS1.0:-VERS-SSL3.0", sizeof(priority_string));
- else if (tls_options & _HTTP_TLS_ALLOW_SSL3)
+ if (tls_max_version < _HTTP_TLS_MAX)
+ {
+ /*
+ * Require specific TLS versions...
+ */
+
+ strlcat(priority_string, ":-VERS-TLS-ALL", sizeof(priority_string));
+ for (version = tls_min_version; version <= tls_max_version; version ++)
+ {
+ strlcat(priority_string, ":+", sizeof(priority_string));
+ strlcat(priority_string, versions[version], sizeof(priority_string));
+ }
+ }
+ else if (tls_min_version == _HTTP_TLS_SSL3)
+ {
+ /*
+ * Allow all versions of TLS and SSL/3.0...
+ */
+
+ strlcat(priority_string, ":+VERS-TLS-ALL:+VERS-SSL3.0", sizeof(priority_string));
+ }
+ else
+ {
+ /*
+ * Require a minimum version...
+ */
+
strlcat(priority_string, ":+VERS-TLS-ALL", sizeof(priority_string));
+ for (version = 0; version < tls_min_version; version ++)
+ {
+ strlcat(priority_string, ":-", sizeof(priority_string));
+ strlcat(priority_string, versions[version], sizeof(priority_string));
+ }
+ }
+
+ if (tls_options & _HTTP_TLS_ALLOW_RC4)
+ strlcat(priority_string, ":+ARCFOUR-128", sizeof(priority_string));
else
- strlcat(priority_string, ":+VERS-TLS-ALL:-VERS-SSL3.0", sizeof(priority_string));
+ strlcat(priority_string, ":!ARCFOUR-128", sizeof(priority_string));
- if (!(tls_options & _HTTP_TLS_ALLOW_RC4))
- strlcat(priority_string, ":-ARCFOUR-128", sizeof(priority_string));
+ strlcat(priority_string, ":!ANON-DH", sizeof(priority_string));
- if (!(tls_options & _HTTP_TLS_ALLOW_DH))
- strlcat(priority_string, ":!ANON-DH", sizeof(priority_string));
+ if (tls_options & _HTTP_TLS_DENY_CBC)
+ strlcat(priority_string, ":!AES-128-CBC:!AES-256-CBC:!CAMELLIA-128-CBC:!CAMELLIA-256-CBC:!3DES-CBC", sizeof(priority_string));
#ifdef HAVE_GNUTLS_PRIORITY_SET_DIRECT
gnutls_priority_set_direct(http->tls, priority_string, NULL);