/*
- * "$Id$"
- *
* TLS support code for CUPS using GNU TLS.
*
- * Copyright 2007-2014 by Apple Inc.
+ * Copyright 2007-2015 by Apple Inc.
* Copyright 1997-2007 by Easy Software Products, all rights reserved.
*
* These coded instructions, statements, and computer programs are the
* This file is subject to the Apple OS-Developed Software exception.
*/
+/**** This file is included from tls.c ****/
/*
* Include necessary headers...
/* Server cert keychain path */
static _cups_mutex_t tls_mutex = _CUPS_MUTEX_INITIALIZER;
/* Mutex for keychain/certs */
+static int tls_options = -1;/* Options for TLS connections */
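Review bot: The new `tls_options` static uses -1 as a "not yet initialized" sentinel that `_httpTLSStart()` later in this change turns into a call to `_cupsSetDefaults()`, but neither this declaration comment nor the new `_httpTLSSetOptions()` in the hunk below says so, and a caller that passes a negative value would silently re-arm the lazy default loading on the next connection. Suggest `static int tls_options = -1; /* Options for TLS connections; -1 = not set, _httpTLSStart() loads defaults via _cupsSetDefaults() */` here, and on `_httpTLSSetOptions()` a parameter comment such as `/* I - Bitmask of _HTTP_TLS_* flags (DENY_TLS10, ALLOW_SSL3, ALLOW_RC4, ALLOW_DH); negative resets to "use defaults" */`. This value is read unlocked in `_httpTLSStart()` even though the file keeps a `tls_mutex`; presumably that is acceptable because it is set once at startup, but it is worth stating in the comment.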
/*
/*
* 'cupsMakeServerCredentials()' - Make a self-signed certificate and private key pair.
*
- * @since CUPS 2.0@
+ * @since CUPS 2.0/OS 10.10@
*/
int /* O - 1 on success, 0 on failure */
* Note: The server credentials are used by all threads in the running process.
* This function is threadsafe.
*
- * @since CUPS 2.0@
+ * @since CUPS 2.0/OS 10.10@
*/
int /* O - 1 on success, 0 on failure */
/*
* 'httpCredentialsAreValidForName()' - Return whether the credentials are valid for the given name.
*
- * @since CUPS 2.0@
+ * @since CUPS 2.0/OS 10.10@
*/
int /* O - 1 if valid, 0 otherwise */
/*
* 'httpCredentialsGetTrust()' - Return the trust of credentials.
*
- * @since CUPS 2.0@
+ * @since CUPS 2.0/OS 10.10@
*/
http_trust_t /* O - Level of trust */
if ((cert = http_gnutls_create_credential((http_credential_t *)cupsArrayFirst(credentials))) == NULL)
return (HTTP_TRUST_UNKNOWN);
+ if (cg->any_root < 0)
+ _cupsSetDefaults();
+
/*
* Look this common name up in the default keychains...
*/
/*
* 'httpCredentialsGetExpiration()' - Return the expiration date of the credentials.
*
- * @since CUPS 2.0@
+ * @since CUPS 2.0/OS 10.10@
*/
time_t /* O - Expiration date of credentials */
/*
* 'httpCredentialsString()' - Return a string representing the credentials.
*
- * @since CUPS 2.0@
+ * @since CUPS 2.0/OS 10.10@
*/
size_t /* O - Total size of credentials string */
/*
* 'httpLoadCredentials()' - Load X.509 credentials from a keychain file.
*
- * @since CUPS 2.0@
+ * @since CUPS 2.0/OS 10.10@
*/
int /* O - 0 on success, -1 on error */
/*
* 'httpSaveCredentials()' - Save X.509 credentials to a keychain file.
*
- * @since CUPS 2.0@
+ * @since CUPS 2.0/OS 10.10@
*/
int /* O - -1 on error, 0 on success */
}
+/*
+ * '_httpTLSSetOptions()' - Set TLS protocol and cipher suite options.
+ */
+
+void
+_httpTLSSetOptions(int options) /* I - Options */
+{
+ tls_options = options;
+}
+
+
/*
* '_httpTLSStart()' - Set up SSL/TLS support on a connection.
*/
int status; /* Status of handshake */
gnutls_certificate_credentials_t *credentials;
/* TLS credentials */
+ char priority_string[1024];
+ /* Priority string */
- DEBUG_printf(("7_httpTLSStart(http=%p)", http));
+ DEBUG_printf(("3_httpTLSStart(http=%p)", http));
+
+ if (tls_options < 0)
+ {
+ DEBUG_puts("4_httpTLSStart: Setting defaults.");
+ _cupsSetDefaults();
+ DEBUG_printf(("4_httpTLSStart: tls_options=%x", tls_options));
+ }
if (http->mode == _HTTP_MODE_SERVER && !tls_keypath)
{
keyfile[1024]; /* Private key file */
int have_creds = 0; /* Have credentials? */
-
if (http->fields[HTTP_FIELD_HOST][0])
{
/*
return (-1);
}
+ strlcpy(priority_string, "NORMAL", sizeof(priority_string));
+
+ if (tls_options & _HTTP_TLS_DENY_TLS10)
+ strlcat(priority_string, ":+VERS-TLS-ALL:-VERS-TLS1.0:-VERS-SSL3.0", sizeof(priority_string));
+ else if (tls_options & _HTTP_TLS_ALLOW_SSL3)
+ strlcat(priority_string, ":+VERS-TLS-ALL", sizeof(priority_string));
+ else
+ strlcat(priority_string, ":+VERS-TLS-ALL:-VERS-SSL3.0", sizeof(priority_string));
+
+ if (!(tls_options & _HTTP_TLS_ALLOW_RC4))
+ strlcat(priority_string, ":-ARCFOUR-128", sizeof(priority_string));
+
+ if (!(tls_options & _HTTP_TLS_ALLOW_DH))
+ strlcat(priority_string, ":!ANON-DH", sizeof(priority_string));
+
+#ifdef HAVE_GNUTLS_PRIORITY_SET_DIRECT
+ gnutls_priority_set_direct(http->tls, priority_string, NULL);
+
+#else
+ gnutls_priority_t priority; /* Priority */
+
+ gnutls_priority_init(&priority, priority_string, NULL);
+ gnutls_priority_set(http->tls, priority);
+ gnutls_priority_deinit(priority);
+#endif /* HAVE_GNUTLS_PRIORITY_SET_DIRECT */
+
gnutls_transport_set_ptr(http->tls, (gnutls_transport_ptr_t)http);
gnutls_transport_set_pull_function(http->tls, http_gnutls_read);
+#ifdef HAVE_GNUTLS_TRANSPORT_SET_PULL_TIMEOUT_FUNCTION
gnutls_transport_set_pull_timeout_function(http->tls, (gnutls_pull_timeout_func)httpWait);
+#endif /* HAVE_GNUTLS_TRANSPORT_SET_PULL_TIMEOUT_FUNCTION */
gnutls_transport_set_push_function(http->tls, http_gnutls_write);
while ((status = gnutls_handshake(http->tls)) != GNUTLS_E_SUCCESS)
return ((int)result);
}
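Review bot: The return values of `gnutls_priority_set_direct()` and, on the `#else` branch, `gnutls_priority_init()` are ignored, so if GnuTLS rejects the assembled `priority_string` (for example a version that does not recognise one of the `-VERS-SSL3.0`/`-ARCFOUR-128`/`!ANON-DH` keywords) the handshake proceeds on the library's default priority and the configured restrictions are silently not enforced; on the `#else` branch `priority` may additionally be invalid when `gnutls_priority_deinit()` is reached. Both calls return `GNUTLS_E_SUCCESS` (0) on success, so the fix is to check them, log the failure with the existing `DEBUG_printf` style, and fail the connection the same way the other `return (-1);` paths in this function do (that cleanup is outside the hunk, as is the start of `_httpTLSStart()`). Whether `:+VERS-TLS-ALL` alone re-enables SSL 3.0 on the `_HTTP_TLS_ALLOW_SSL3` branch depends on the GnuTLS version's definition of `VERS-TLS-ALL`; a comment stating the intended meaning would help the next reader.
```c
#ifdef HAVE_GNUTLS_PRIORITY_SET_DIRECT
  if (gnutls_priority_set_direct(http->tls, priority_string, NULL) != GNUTLS_E_SUCCESS)
  {
    DEBUG_printf(("4_httpTLSStart: Unable to apply priority string \"%s\".", priority_string));
    /* … same cleanup as the earlier return (-1) paths in this function … */
    return (-1);
  }

#else
  gnutls_priority_t priority;		/* Priority */

  if (gnutls_priority_init(&priority, priority_string, NULL) != GNUTLS_E_SUCCESS)
  {
    DEBUG_printf(("4_httpTLSStart: Unable to parse priority string \"%s\".", priority_string));
    /* … same cleanup as the earlier return (-1) paths in this function … */
    return (-1);
  }

  gnutls_priority_set(http->tls, priority);
  gnutls_priority_deinit(priority);
#endif /* HAVE_GNUTLS_PRIORITY_SET_DIRECT */
/* … unchanged: transport setup and handshake loop … */
```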
-
-
-/*
- * End of "$Id$".
- */