X-Git-Url: http://git.ipfire.org/?p=thirdparty%2Fcups.git;a=blobdiff_plain;f=cups%2Ftls-darwin.c;h=cec08f53f25115ca73fc2eae9e456d93972ea798;hp=42156daa3ff78291fa097e1ebc72d6d860dafb85;hb=3c2cb8228e5a90fe93b938f55cfbfa538e313d40;hpb=376d7c6937442c5e7afb8e1f34c8b1d1430d3659 diff --git a/cups/tls-darwin.c b/cups/tls-darwin.c index 42156daa3..cec08f53f 100644 --- a/cups/tls-darwin.c +++ b/cups/tls-darwin.c @@ -1,21 +1,13 @@ /* - * "$Id$" + * TLS support code for CUPS on macOS. * - * TLS support code for CUPS on OS X. + * Copyright © 2007-2018 by Apple Inc. + * Copyright © 1997-2007 by Easy Software Products, all rights reserved. * - * Copyright 2007-2014 by Apple Inc. - * Copyright 1997-2007 by Easy Software Products, all rights reserved. - * - * These coded instructions, statements, and computer programs are the - * property of Apple Inc. and are protected by Federal copyright - * law. Distribution and use rights are outlined in the file "LICENSE.txt" - * which should have been included with this file. If this file is - * file is missing or damaged, see the license at "http://www.cups.org/". - * - * This file is subject to the Apple OS-Developed Software exception. + * Licensed under Apache License v2.0. See the file "LICENSE" for more information. */ -/**** This file is included from http.c ****/ +/**** This file is included from tls.c ****/ /* * Include necessary headers... @@ -26,50 +18,194 @@ extern char **environ; +#ifndef _SECURITY_VERSION_GREATER_THAN_57610_ +typedef CF_OPTIONS(uint32_t, SecKeyUsage) { + kSecKeyUsageAll = 0x7FFFFFFF +}; +#endif /* !_SECURITY_VERSION_GREATER_THAN_57610_ */ +extern const void * kSecCSRChallengePassword; +extern const void * kSecSubjectAltName; +extern const void * kSecCertificateKeyUsage; +extern const void * kSecCSRBasicContraintsPathLen; +extern const void * kSecCertificateExtensions; +extern const void * kSecCertificateExtensionsEncoded; +extern const void * kSecOidCommonName; +extern const void * kSecOidCountryName; +extern const void * kSecOidStateProvinceName; +extern const void * kSecOidLocalityName; +extern const void * kSecOidOrganization; +extern const void * kSecOidOrganizationalUnit; +extern bool SecCertificateIsValid(SecCertificateRef certificate, CFAbsoluteTime verifyTime); +extern CFAbsoluteTime SecCertificateNotValidAfter(SecCertificateRef certificate); +extern SecCertificateRef SecGenerateSelfSignedCertificate(CFArrayRef subject, CFDictionaryRef parameters, SecKeyRef publicKey, SecKeyRef privateKey); +extern SecIdentityRef SecIdentityCreate(CFAllocatorRef allocator, SecCertificateRef certificate, SecKeyRef privateKey); + + +/* + * Constants, very secure stuff... + */ + +#define _CUPS_CDSA_PASSWORD "42" /* CUPS keychain password */ +#define _CUPS_CDSA_PASSLEN 2 /* Length of keychain password */ + + /* * Local globals... */ -#ifdef HAVE_SECKEYCHAINOPEN static int tls_auto_create = 0; /* Auto-create self-signed certs? */ static char *tls_common_name = NULL; /* Default common name */ +#if TARGET_OS_OSX +static int tls_cups_keychain = 0; + /* Opened the CUPS keychain? */ static SecKeychainRef tls_keychain = NULL; /* Server cert keychain */ +#else +static SecIdentityRef tls_selfsigned = NULL; + /* Temporary self-signed cert */ +#endif /* TARGET_OS_OSX */ static char *tls_keypath = NULL; /* Server cert keychain path */ static _cups_mutex_t tls_mutex = _CUPS_MUTEX_INITIALIZER; /* Mutex for keychain/certs */ -#endif /* HAVE_SECKEYCHAINOPEN */ +static int tls_options = -1,/* Options for TLS connections */ + tls_min_version = _HTTP_TLS_1_0, + tls_max_version = _HTTP_TLS_MAX; /* * Local functions... */ -#ifdef HAVE_SECKEYCHAINOPEN static CFArrayRef http_cdsa_copy_server(const char *common_name); -#endif /* HAVE_SECKEYCHAINOPEN */ +static SecCertificateRef http_cdsa_create_credential(http_credential_t *credential); +#if TARGET_OS_OSX +static const char *http_cdsa_default_path(char *buffer, size_t bufsize); +static SecKeychainRef http_cdsa_open_keychain(const char *path, char *filename, size_t filesize); +static SecKeychainRef http_cdsa_open_system_keychain(void); +#endif /* TARGET_OS_OSX */ static OSStatus http_cdsa_read(SSLConnectionRef connection, void *data, size_t *dataLength); +static int http_cdsa_set_credentials(http_t *http); static OSStatus http_cdsa_write(SSLConnectionRef connection, const void *data, size_t *dataLength); /* * 'cupsMakeServerCredentials()' - Make a self-signed certificate and private key pair. * - * @since CUPS 2.0@ + * @since CUPS 2.0/OS 10.10@ */ int /* O - 1 on success, 0 on failure */ cupsMakeServerCredentials( - const char *path, /* I - Path to keychain/directory */ + const char *path, /* I - Keychain path or @code NULL@ for default */ const char *common_name, /* I - Common name */ int num_alt_names, /* I - Number of subject alternate names */ const char **alt_names, /* I - Subject Alternate Names */ time_t expiration_date) /* I - Expiration date */ { -#if defined(HAVE_SECGENERATESELFSIGNEDCERTIFICATE) && defined(HAVE_SECKEYCHAINOPEN) +#if TARGET_OS_OSX + int pid, /* Process ID of command */ + status, /* Status of command */ + i; /* Looping var */ + char command[1024], /* Command */ + *argv[5], /* Command-line arguments */ + *envp[1000], /* Environment variables */ + days[32], /* CERTTOOL_EXPIRATION_DAYS env var */ + keychain[1024], /* Keychain argument */ + infofile[1024], /* Type-in information for cert */ + filename[1024]; /* Default keychain path */ + cups_file_t *fp; /* Seed/info file */ + + + DEBUG_printf(("cupsMakeServerCredentials(path=\"%s\", common_name=\"%s\", num_alt_names=%d, alt_names=%p, expiration_date=%d)", path, common_name, num_alt_names, (void *)alt_names, (int)expiration_date)); + + (void)num_alt_names; + (void)alt_names; + + if (!path) + path = http_cdsa_default_path(filename, sizeof(filename)); + + /* + * Run the "certtool" command to generate a self-signed certificate... + */ + + if (!cupsFileFind("certtool", getenv("PATH"), 1, command, sizeof(command))) + return (-1); + + /* + * Create a file with the certificate information fields... + * + * Note: This assumes that the default questions are asked by the certtool + * command... + */ + + if ((fp = cupsTempFile2(infofile, sizeof(infofile))) == NULL) + return (-1); + + cupsFilePrintf(fp, + "CUPS Self-Signed Certificate\n" + /* Enter key and certificate label */ + "r\n" /* Generate RSA key pair */ + "2048\n" /* 2048 bit encryption key */ + "y\n" /* OK (y = yes) */ + "b\n" /* Usage (b=signing/encryption) */ + "2\n" /* Sign with SHA256 */ + "y\n" /* OK (y = yes) */ + "%s\n" /* Common name */ + "\n" /* Country (default) */ + "\n" /* Organization (default) */ + "\n" /* Organizational unit (default) */ + "\n" /* State/Province (default) */ + "\n" /* Email address */ + "y\n", /* OK (y = yes) */ + common_name); + cupsFileClose(fp); + + snprintf(keychain, sizeof(keychain), "k=%s", path); + + argv[0] = "certtool"; + argv[1] = "c"; + argv[2] = keychain; + argv[3] = NULL; + + snprintf(days, sizeof(days), "CERTTOOL_EXPIRATION_DAYS=%d", (int)((expiration_date - time(NULL) + 86399) / 86400)); + envp[0] = days; + for (i = 0; i < (int)(sizeof(envp) / sizeof(envp[0]) - 2) && environ[i]; i ++) + envp[i + 1] = environ[i]; + envp[i] = NULL; + + posix_spawn_file_actions_t actions; /* File actions */ + + posix_spawn_file_actions_init(&actions); + posix_spawn_file_actions_addclose(&actions, 0); + posix_spawn_file_actions_addopen(&actions, 0, infofile, O_RDONLY, 0); + posix_spawn_file_actions_addclose(&actions, 1); + posix_spawn_file_actions_addopen(&actions, 1, "/dev/null", O_WRONLY, 0); + posix_spawn_file_actions_addclose(&actions, 2); + posix_spawn_file_actions_addopen(&actions, 2, "/dev/null", O_WRONLY, 0); + + if (posix_spawn(&pid, command, &actions, NULL, argv, envp)) + { + unlink(infofile); + return (-1); + } + + posix_spawn_file_actions_destroy(&actions); + + unlink(infofile); + + while (waitpid(pid, &status, 0) < 0) + if (errno != EINTR) + { + status = -1; + break; + } + + return (!status); + +#else int status = 0; /* Return status */ OSStatus err; /* Error code (if any) */ CFStringRef cfcommon_name = NULL; @@ -79,47 +215,72 @@ cupsMakeServerCredentials( /* Public key */ privateKey = NULL; /* Private key */ + SecCertificateRef cert = NULL; /* Self-signed certificate */ CFMutableDictionaryRef keyParams = NULL; /* Key generation parameters */ + DEBUG_printf(("cupsMakeServerCredentials(path=\"%s\", common_name=\"%s\", num_alt_names=%d, alt_names=%p, expiration_date=%d)", path, common_name, num_alt_names, alt_names, (int)expiration_date)); + + (void)path; (void)num_alt_names; (void)alt_names; (void)expiration_date; - cfcommon_name = CFStringCreateWithCString(kCFAllocatorDefault, common_name, - kCFStringEncodingUTF8); + if (path) + { + DEBUG_puts("1cupsMakeServerCredentials: No keychain support compiled in, returning 0."); + return (0); + } + + if (tls_selfsigned) + { + DEBUG_puts("1cupsMakeServerCredentials: Using existing self-signed cert."); + return (1); + } + + cfcommon_name = CFStringCreateWithCString(kCFAllocatorDefault, common_name, kCFStringEncodingUTF8); if (!cfcommon_name) + { + DEBUG_puts("1cupsMakeServerCredentials: Unable to create CF string of common name."); goto cleanup; + } /* * Create a public/private key pair... */ - keyParams = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, - &kCFTypeDictionaryKeyCallBacks, - &kCFTypeDictionaryValueCallBacks); + keyParams = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); if (!keyParams) + { + DEBUG_puts("1cupsMakeServerCredentials: Unable to create key parameters dictionary."); goto cleanup; + } CFDictionaryAddValue(keyParams, kSecAttrKeyType, kSecAttrKeyTypeRSA); CFDictionaryAddValue(keyParams, kSecAttrKeySizeInBits, CFSTR("2048")); - CFDictionaryAddValue(keyParams, kSecAttrLabel, - CFSTR("CUPS Self-Signed Certificate")); + CFDictionaryAddValue(keyParams, kSecAttrLabel, cfcommon_name); err = SecKeyGeneratePair(keyParams, &publicKey, &privateKey); if (err != noErr) + { + DEBUG_printf(("1cupsMakeServerCredentials: Unable to generate key pair: %d.", (int)err)); goto cleanup; + } /* * Create a self-signed certificate using the public/private key pair... */ CFIndex usageInt = kSecKeyUsageAll; - CFNumberRef usage = CFNumberCreate(alloc, kCFNumberCFIndexType, &usageInt); - CFDictionaryRef certParams = CFDictionaryCreateMutable(kCFAllocatorDefault, -kSecCSRBasicContraintsPathLen, CFINT(0), kSecSubjectAltName, cfcommon_name, kSecCertificateKeyUsage, usage, NULL, NULL); + CFNumberRef usage = CFNumberCreate(kCFAllocatorDefault, kCFNumberCFIndexType, &usageInt); + CFIndex lenInt = 0; + CFNumberRef len = CFNumberCreate(kCFAllocatorDefault, kCFNumberCFIndexType, &lenInt); + CFTypeRef certKeys[] = { kSecCSRBasicContraintsPathLen, kSecSubjectAltName, kSecCertificateKeyUsage }; + CFTypeRef certValues[] = { len, cfcommon_name, usage }; + CFDictionaryRef certParams = CFDictionaryCreate(kCFAllocatorDefault, certKeys, certValues, sizeof(certKeys) / sizeof(certKeys[0]), &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); CFRelease(usage); + CFRelease(len); const void *ca_o[] = { kSecOidOrganization, CFSTR("") }; const void *ca_cn[] = { kSecOidCommonName, cfcommon_name }; @@ -131,17 +292,52 @@ kSecCSRBasicContraintsPathLen, CFINT(0), kSecSubjectAltName, cfcommon_name, kSec ca_dn_array[1] = CFArrayCreate(kCFAllocatorDefault, (const void **)&ca_cn_dn, 1, NULL); CFArrayRef subject = CFArrayCreate(kCFAllocatorDefault, ca_dn_array, 2, NULL); - SecCertificateRef cert = SecGenerateSelfSignedCertificate(subject, certParams, publicKey, privateKey); + + cert = SecGenerateSelfSignedCertificate(subject, certParams, publicKey, privateKey); + CFRelease(subject); CFRelease(certParams); if (!cert) + { + DEBUG_puts("1cupsMakeServerCredentials: Unable to create self-signed certificate."); goto cleanup; + } ident = SecIdentityCreate(kCFAllocatorDefault, cert, privateKey); if (ident) + { + _cupsMutexLock(&tls_mutex); + + if (tls_selfsigned) + CFRelease(ident); + else + tls_selfsigned = ident; + + _cupsMutexLock(&tls_mutex); + +# if 0 /* Someday perhaps SecItemCopyMatching will work for identities, at which point */ + CFTypeRef itemKeys[] = { kSecClass, kSecAttrLabel, kSecValueRef }; + CFTypeRef itemValues[] = { kSecClassIdentity, cfcommon_name, ident }; + CFDictionaryRef itemAttrs = CFDictionaryCreate(kCFAllocatorDefault, itemKeys, itemValues, sizeof(itemKeys) / sizeof(itemKeys[0]), &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); + + err = SecItemAdd(itemAttrs, NULL); + /* SecItemAdd consumes itemAttrs... */ + + CFRelease(ident); + + if (err != noErr) + { + DEBUG_printf(("1cupsMakeServerCredentials: Unable to add identity to keychain: %d.", (int)err)); + goto cleanup; + } +# endif /* 0 */ + status = 1; + } + else + DEBUG_puts("1cupsMakeServerCredentials: Unable to create identity from cert and keys."); /* * Cleanup and return... @@ -155,9 +351,6 @@ cleanup: if (keyParams) CFRelease(keyParams); - if (ident) - CFRelease(ident); - if (cert) CFRelease(cert); @@ -165,92 +358,12 @@ cleanup: CFRelease(publicKey); if (privateKey) - CFRelease(publicKey); - - return (status); + CFRelease(privateKey); -#else /* !(HAVE_SECGENERATESELFSIGNEDCERTIFICATE && HAVE_SECKEYCHAINOPEN) */ - int pid, /* Process ID of command */ - status; /* Status of command */ - char command[1024], /* Command */ - *argv[4], /* Command-line arguments */ - keychain[1024], /* Keychain argument */ - infofile[1024]; /* Type-in information for cert */ - cups_file_t *fp; /* Seed/info file */ - - - (void)num_alt_names; - (void)alt_names; - (void)expiration_date; - - /* - * Run the "certtool" command to generate a self-signed certificate... - */ - - if (!cupsFileFind("certtool", getenv("PATH"), 1, command, sizeof(command))) - return (-1); - - /* - * Create a file with the certificate information fields... - * - * Note: This assumes that the default questions are asked by the certtool - * command... - */ - - if ((fp = cupsTempFile2(infofile, sizeof(infofile))) == NULL) - return (-1); - - cupsFilePrintf(fp, - "CUPS Self-Signed Certificate\n" - /* Enter key and certificate label */ - "r\n" /* Generate RSA key pair */ - "2048\n" /* Key size in bits */ - "y\n" /* OK (y = yes) */ - "b\n" /* Usage (b=signing/encryption) */ - "s\n" /* Sign with SHA1 */ - "y\n" /* OK (y = yes) */ - "%s\n" /* Common name */ - "\n" /* Country (default) */ - "\n" /* Organization (default) */ - "\n" /* Organizational unit (default) */ - "\n" /* State/Province (default) */ - "\n" /* Email address */ - "y\n", /* OK (y = yes) */ - common_name); - cupsFileClose(fp); - - snprintf(keychain, sizeof(keychain), "k=%s", path); - - argv[0] = "certtool"; - argv[1] = "c"; - argv[2] = keychain; - argv[3] = NULL; - - posix_spawn_file_actions_t actions; /* File actions */ - - posix_spawn_file_actions_init(&actions); - posix_spawn_file_actions_addclose(&actions, 0); - posix_spawn_file_actions_addopen(&actions, 0, infofile, O_RDONLY, 0); - - if (posix_spawn(&pid, command, &actions, NULL, argv, environ)) - { - unlink(infofile); - return (-1); - } - - posix_spawn_file_actions_destroy(&actions); - - unlink(infofile); - - while (waitpid(pid, &status, 0) < 0) - if (errno != EINTR) - { - status = -1; - break; - } + DEBUG_printf(("1cupsMakeServerCredentials: Returning %d.", status)); - return (!status); -#endif /* HAVE_SECGENERATESELFSIGNEDCERTIFICATE && HAVE_SECKEYCHAINOPEN */ + return (status); +#endif /* TARGET_OS_OSX */ } @@ -260,25 +373,24 @@ cleanup: * Note: The server credentials are used by all threads in the running process. * This function is threadsafe. * - * @since CUPS 2.0@ + * @since CUPS 2.0/macOS 10.10@ */ int /* O - 1 on success, 0 on failure */ cupsSetServerCredentials( - const char *path, /* I - Path to keychain/directory */ + const char *path, /* I - Keychain path or @code NULL@ for default */ const char *common_name, /* I - Default common name for server */ int auto_create) /* I - 1 = automatically create self-signed certificates */ { DEBUG_printf(("cupsSetServerCredentials(path=\"%s\", common_name=\"%s\", auto_create=%d)", path, common_name, auto_create)); -#ifdef HAVE_SECKEYCHAINOPEN - SecKeychainRef keychain = NULL;/* Temporary keychain */ - +#if TARGET_OS_OSX + char filename[1024]; /* Keychain filename */ + SecKeychainRef keychain = http_cdsa_open_keychain(path, filename, sizeof(filename)); - if (SecKeychainOpen(path, &keychain) != noErr) + if (!keychain) { - /* TODO: Set cups last error string */ - DEBUG_puts("1cupsSetServerCredentials: Unable to open keychain, returning 0."); + DEBUG_puts("1cupsSetServerCredentials: Unable to open keychain."); return (0); } @@ -302,7 +414,7 @@ cupsSetServerCredentials( */ tls_keychain = keychain; - tls_keypath = _cupsStrAlloc(path); + tls_keypath = _cupsStrAlloc(filename); tls_auto_create = auto_create; tls_common_name = _cupsStrAlloc(common_name); @@ -312,9 +424,17 @@ cupsSetServerCredentials( return (1); #else - DEBUG_puts("1cupsSetServerCredentials: No keychain support compiled in, returning 0."); - return (0); -#endif /* HAVE_SECKEYCHAINOPEN */ + if (path) + { + DEBUG_puts("1cupsSetServerCredentials: No keychain support compiled in, returning 0."); + return (0); + } + + tls_auto_create = auto_create; + tls_common_name = _cupsStrAlloc(common_name); + + return (1); +#endif /* TARGET_OS_OSX */ } @@ -322,7 +442,7 @@ cupsSetServerCredentials( * 'httpCopyCredentials()' - Copy the credentials associated with the peer in * an encrypted connection. * - * @since CUPS 1.5/OS X 10.7@ + * @since CUPS 1.5/macOS 10.7@ */ int /* O - Status of call (0 = success) */ @@ -338,7 +458,7 @@ httpCopyCredentials( int i; /* Looping var */ - DEBUG_printf(("httpCopyCredentials(http=%p, credentials=%p)", http, credentials)); + DEBUG_printf(("httpCopyCredentials(http=%p, credentials=%p)", (void *)http, (void *)credentials)); if (credentials) *credentials = NULL; @@ -369,7 +489,7 @@ httpCopyCredentials( DEBUG_printf(("2httpCopyCredentials: Certificate %d name is \"%s\".", i, name)); #endif /* DEBUG */ - if ((data = SecCertificateCopyData(secCert))) + if ((data = SecCertificateCopyData(secCert)) != NULL) { DEBUG_printf(("2httpCopyCredentials: Adding %d byte certificate blob.", (int)CFDataGetLength(data))); @@ -386,21 +506,6 @@ httpCopyCredentials( } -/* - * 'http_cdsa_create_credential()' - Create a single credential in the internal format. - */ - -static SecCertificateRef /* O - Certificate */ -http_cdsa_create_credential( - http_credential_t *credential) /* I - Credential */ -{ - if (!credential) - return (NULL); - - return (SecCertificateCreateWithBytes(kCFAllocatorDefault, credential->data, (CFIndex)credential->datalen)); -} - - /* * '_httpCreateCredentials()' - Create credentials in the internal format. */ @@ -438,52 +543,112 @@ _httpCreateCredentials( /* - * 'httpCredentialsAreTrusted()' - Return whether the credentials are trusted. + * 'httpCredentialsAreValidForName()' - Return whether the credentials are valid for the given name. * - * @since CUPS 2.0@ + * @since CUPS 2.0/macOS 10.10@ */ -int /* O - 1 if trusted, 0 if not/unknown */ -httpCredentialsAreTrusted( +int /* O - 1 if valid, 0 otherwise */ +httpCredentialsAreValidForName( cups_array_t *credentials, /* I - Credentials */ - const char *common_name) /* I - Common name for trust lookup */ + const char *common_name) /* I - Name to check */ { SecCertificateRef secCert; /* Certificate reference */ - int trusted = 1; /* Trusted? */ - int save = 0; /* Save credentials? */ - const char *home = getenv("HOME"); - /* Home directory */ - char filename[1024]; /* Path to login keychain */ - cups_array_t *tcreds = NULL; /* Trusted credentials */ - Boolean isSelfSigned; /* Is this certificate self-signed? */ - _cups_globals_t *cg = _cupsGlobals(); - /* Per-thread globals */ - + CFStringRef cfcert_name = NULL; + /* Certificate's common name (CF string) */ + char cert_name[256]; /* Certificate's common name (C string) */ + int valid = 1; /* Valid name? */ - if (!common_name) - return (0); if ((secCert = http_cdsa_create_credential((http_credential_t *)cupsArrayFirst(credentials))) == NULL) return (0); /* - * Look this common name up in the login and system keychains... + * Compare the common names... */ - - if (home) + if ((cfcert_name = SecCertificateCopySubjectSummary(secCert)) == NULL) { - snprintf(filename, sizeof(filename), "%s/Library/login.keychain", home); - httpLoadCredentials(filename, &tcreds, common_name); - } - - if (!tcreds) - httpLoadCredentials("/Library/Keychains/System.keychain", &tcreds, common_name); + /* + * Can't get common name, cannot be valid... + */ - if (tcreds) + valid = 0; + } + else if (CFStringGetCString(cfcert_name, cert_name, sizeof(cert_name), kCFStringEncodingUTF8) && + _cups_strcasecmp(common_name, cert_name)) { - char credentials_str[1024], /* String for incoming credentials */ - tcreds_str[1024]; /* String for saved credentials */ + /* + * Not an exact match for the common name, check for wildcard certs... + */ + + const char *domain = strchr(common_name, '.'); + /* Domain in common name */ + + if (strncmp(cert_name, "*.", 2) || !domain || _cups_strcasecmp(domain, cert_name + 1)) + { + /* + * Not a wildcard match. + */ + + /* TODO: Check subject alternate names */ + valid = 0; + } + } + + if (cfcert_name) + CFRelease(cfcert_name); + + CFRelease(secCert); + + return (valid); +} + + +/* + * 'httpCredentialsGetTrust()' - Return the trust of credentials. + * + * @since CUPS 2.0/macOS 10.10@ + */ + +http_trust_t /* O - Level of trust */ +httpCredentialsGetTrust( + cups_array_t *credentials, /* I - Credentials */ + const char *common_name) /* I - Common name for trust lookup */ +{ + SecCertificateRef secCert; /* Certificate reference */ + http_trust_t trust = HTTP_TRUST_OK; + /* Trusted? */ + cups_array_t *tcreds = NULL; /* Trusted credentials */ + _cups_globals_t *cg = _cupsGlobals(); + /* Per-thread globals */ + + + if (!common_name) + { + _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("No common name specified."), 1); + return (HTTP_TRUST_UNKNOWN); + } + + if ((secCert = http_cdsa_create_credential((http_credential_t *)cupsArrayFirst(credentials))) == NULL) + { + _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Unable to create credentials from array."), 1); + return (HTTP_TRUST_UNKNOWN); + } + + if (cg->any_root < 0) + _cupsSetDefaults(); + + /* + * Look this common name up in the default keychains... + */ + + httpLoadCredentials(NULL, &tcreds, common_name); + + if (tcreds) + { + char credentials_str[1024], /* String for incoming credentials */ + tcreds_str[1024]; /* String for saved credentials */ httpCredentialsString(credentials, credentials_str, sizeof(credentials_str)); httpCredentialsString(tcreds, tcreds_str, sizeof(tcreds_str)); @@ -495,56 +660,121 @@ httpCredentialsAreTrusted( * credentials and allow if the new ones have a later expiration... */ - if (httpCredentialsGetExpiration(credentials) <= httpCredentialsGetExpiration(tcreds) || - !httpCredentialsIsValidName(credentials, common_name)) + if (!cg->trust_first) { /* - * Either the new credentials are not newly issued, or the common name - * does not match the issued certificate... + * Do not trust certificates on first use... */ - trusted = 0; + _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Trust on first use is disabled."), 1); + + trust = HTTP_TRUST_INVALID; } - else + else if (httpCredentialsGetExpiration(credentials) <= httpCredentialsGetExpiration(tcreds)) + { + /* + * The new credentials are not newly issued... + */ + + _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("New credentials are older than stored credentials."), 1); + + trust = HTTP_TRUST_INVALID; + } + else if (!httpCredentialsAreValidForName(credentials, common_name)) + { + /* + * The common name does not match the issued certificate... + */ + + _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("New credentials are not valid for name."), 1); + + trust = HTTP_TRUST_INVALID; + } + else if (httpCredentialsGetExpiration(tcreds) < time(NULL)) { /* - * Flag that we should save the new credentials... + * Save the renewed credentials... */ - save = 1; + trust = HTTP_TRUST_RENEWED; + + httpSaveCredentials(NULL, credentials, common_name); } } httpFreeCredentials(tcreds); } - else if (!httpCredentialsIsValidName(credentials, common_name)) - trusted = 0; - else - save = 1; + else if (cg->validate_certs && !httpCredentialsAreValidForName(credentials, common_name)) + { + _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("No stored credentials, not valid for name."), 1); + trust = HTTP_TRUST_INVALID; + } + else if (!cg->trust_first) + { + /* + * See if we have a site CA certificate we can compare... + */ + + if (!httpLoadCredentials(NULL, &tcreds, "site")) + { + if (cupsArrayCount(credentials) != (cupsArrayCount(tcreds) + 1)) + { + /* + * Certificate isn't directly generated from the CA cert... + */ + + trust = HTTP_TRUST_INVALID; + } + else + { + /* + * Do a tail comparison of the two certificates... + */ + + http_credential_t *a, *b; /* Certificates */ + + for (a = (http_credential_t *)cupsArrayFirst(tcreds), b = (http_credential_t *)cupsArrayIndex(credentials, 1); + a && b; + a = (http_credential_t *)cupsArrayNext(tcreds), b = (http_credential_t *)cupsArrayNext(credentials)) + if (a->datalen != b->datalen || memcmp(a->data, b->data, a->datalen)) + break; + + if (a || b) + trust = HTTP_TRUST_INVALID; + } + + if (trust != HTTP_TRUST_OK) + _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Credentials do not validate against site CA certificate."), 1); + } + else + { + _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Trust on first use is disabled."), 1); + trust = HTTP_TRUST_INVALID; + } + } - if (!cg->expired_certs && !SecCertificateIsValid(secCert, CFAbsoluteTimeGetCurrent())) - trusted = 0; - else if (!cg->any_root && (SecCertificateIsSelfSigned(secCert, &isSelfSigned) != noErr || isSelfSigned)) - trusted = 0; + if (trust == HTTP_TRUST_OK && !cg->expired_certs && !SecCertificateIsValid(secCert, CFAbsoluteTimeGetCurrent())) + { + _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Credentials have expired."), 1); + trust = HTTP_TRUST_EXPIRED; + } - if (trusted && save) + if (trust == HTTP_TRUST_OK && !cg->any_root && cupsArrayCount(credentials) == 1) { - if (home) - httpSaveCredentials(filename, credentials, common_name); - else if (!getuid()) - httpSaveCredentials("/Library/Keychains/System.keychain", credentials, common_name); + _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Self-signed credentials are blocked."), 1); + trust = HTTP_TRUST_INVALID; } CFRelease(secCert); - return (trusted); + return (trust); } /* * 'httpCredentialsGetExpiration()' - Return the expiration date of the credentials. * - * @since CUPS 2.0@ + * @since CUPS 2.0/macOS 10.10@ */ time_t /* O - Expiration date of credentials */ @@ -566,73 +796,10 @@ httpCredentialsGetExpiration( } -/* - * 'httpCredentialsIsValidName()' - Return whether the credentials are valid for the given name. - * - * @since CUPS 2.0@ - */ - -int /* O - 1 if valid, 0 otherwise */ -httpCredentialsIsValidName( - cups_array_t *credentials, /* I - Credentials */ - const char *common_name) /* I - Name to check */ -{ - SecCertificateRef secCert; /* Certificate reference */ - CFStringRef cfcert_name = NULL; - /* Certificate's common name (CF string) */ - char cert_name[256]; /* Certificate's common name (C string) */ - int valid = 1; /* Valid name? */ - - - if ((secCert = http_cdsa_create_credential((http_credential_t *)cupsArrayFirst(credentials))) == NULL) - return (0); - - /* - * Compare the common names... - */ - - if ((cfcert_name = SecCertificateCopySubjectSummary(secCert)) == NULL) - { - /* - * Can't get common name, cannot be valid... - */ - - valid = 0; - } - else if (CFStringGetCString(cfcert_name, cert_name, sizeof(cert_name), kCFStringEncodingUTF8) && - _cups_strcasecmp(common_name, cert_name)) - { - /* - * Not an exact match for the common name, check for wildcard certs... - */ - - const char *domain = strchr(common_name, '.'); - /* Domain in common name */ - - if (strncmp(cert_name, "*.", 2) || !domain || _cups_strcasecmp(domain, cert_name + 1)) - { - /* - * Not a wildcard match. - */ - - /* TODO: Check subject alternate names */ - valid = 0; - } - } - - if (cfcert_name) - CFRelease(cfcert_name); - - CFRelease(secCert); - - return (valid); -} - - /* * 'httpCredentialsString()' - Return a string representing the credentials. * - * @since CUPS 2.0@ + * @since CUPS 2.0/macOS 10.10@ */ size_t /* O - Total size of credentials string */ @@ -645,7 +812,7 @@ httpCredentialsString( SecCertificateRef secCert; /* Certificate reference */ - DEBUG_printf(("httpCredentialsString(credentials=%p, buffer=%p, bufsize=" CUPS_LLFMT ")", credentials, buffer, CUPS_LLCAST bufsize)); + DEBUG_printf(("httpCredentialsString(credentials=%p, buffer=%p, bufsize=" CUPS_LLFMT ")", (void *)credentials, (void *)buffer, CUPS_LLCAST bufsize)); if (!buffer) return (0); @@ -656,27 +823,89 @@ httpCredentialsString( if ((first = (http_credential_t *)cupsArrayFirst(credentials)) != NULL && (secCert = http_cdsa_create_credential(first)) != NULL) { - CFStringRef cf_name; /* CF common name string */ - char name[256]; /* Common name associated with cert */ + /* + * Copy certificate (string) values from the SecCertificateRef and produce + * a one-line summary. The API for accessing certificate values like the + * issuer name is, um, "interesting"... + */ + +# if TARGET_OS_OSX + CFDictionaryRef cf_dict; /* Dictionary for certificate */ +# endif /* TARGET_OS_OSX */ + CFStringRef cf_string; /* CF string */ + char commonName[256],/* Common name associated with cert */ + issuer[256], /* Issuer name */ + sigalg[256]; /* Signature algorithm */ time_t expiration; /* Expiration date of cert */ - _cups_md5_state_t md5_state; /* MD5 state */ unsigned char md5_digest[16]; /* MD5 result */ - if ((cf_name = SecCertificateCopySubjectSummary(secCert)) != NULL) + if (SecCertificateCopyCommonName(secCert, &cf_string) == noErr) { - CFStringGetCString(cf_name, name, (CFIndex)sizeof(name), kCFStringEncodingUTF8); - CFRelease(cf_name); + CFStringGetCString(cf_string, commonName, (CFIndex)sizeof(commonName), kCFStringEncodingUTF8); + CFRelease(cf_string); } else - strlcpy(name, "unknown", sizeof(name)); + { + strlcpy(commonName, "unknown", sizeof(commonName)); + } + + strlcpy(issuer, "unknown", sizeof(issuer)); + strlcpy(sigalg, "UnknownSignature", sizeof(sigalg)); + +# if TARGET_OS_OSX + if ((cf_dict = SecCertificateCopyValues(secCert, NULL, NULL)) != NULL) + { + CFDictionaryRef cf_issuer = CFDictionaryGetValue(cf_dict, kSecOIDX509V1IssuerName); + CFDictionaryRef cf_sigalg = CFDictionaryGetValue(cf_dict, kSecOIDX509V1SignatureAlgorithm); + + if (cf_issuer) + { + CFArrayRef cf_values = CFDictionaryGetValue(cf_issuer, kSecPropertyKeyValue); + CFIndex i, count = CFArrayGetCount(cf_values); + CFDictionaryRef cf_value; + + for (i = 0; i < count; i ++) + { + cf_value = CFArrayGetValueAtIndex(cf_values, i); + + if (!CFStringCompare(CFDictionaryGetValue(cf_value, kSecPropertyKeyLabel), kSecOIDOrganizationName, kCFCompareCaseInsensitive)) + CFStringGetCString(CFDictionaryGetValue(cf_value, kSecPropertyKeyValue), issuer, (CFIndex)sizeof(issuer), kCFStringEncodingUTF8); + } + } + + if (cf_sigalg) + { + CFArrayRef cf_values = CFDictionaryGetValue(cf_sigalg, kSecPropertyKeyValue); + CFIndex i, count = CFArrayGetCount(cf_values); + CFDictionaryRef cf_value; + + for (i = 0; i < count; i ++) + { + cf_value = CFArrayGetValueAtIndex(cf_values, i); + + if (!CFStringCompare(CFDictionaryGetValue(cf_value, kSecPropertyKeyLabel), CFSTR("Algorithm"), kCFCompareCaseInsensitive)) + { + CFStringRef cf_algorithm = CFDictionaryGetValue(cf_value, kSecPropertyKeyValue); + + if (!CFStringCompare(cf_algorithm, CFSTR("1.2.840.113549.1.1.5"), kCFCompareCaseInsensitive)) + strlcpy(sigalg, "SHA1WithRSAEncryption", sizeof(sigalg)); + else if (!CFStringCompare(cf_algorithm, CFSTR("1.2.840.113549.1.1.11"), kCFCompareCaseInsensitive)) + strlcpy(sigalg, "SHA256WithRSAEncryption", sizeof(sigalg)); + else if (!CFStringCompare(cf_algorithm, CFSTR("1.2.840.113549.1.1.4"), kCFCompareCaseInsensitive)) + strlcpy(sigalg, "MD5WithRSAEncryption", sizeof(sigalg)); + } + } + } + + CFRelease(cf_dict); + } +# endif /* TARGET_OS_OSX */ expiration = (time_t)(SecCertificateNotValidAfter(secCert) + kCFAbsoluteTimeIntervalSince1970); - _cupsMD5Init(&md5_state); - _cupsMD5Append(&md5_state, first->data, (int)first->datalen); - _cupsMD5Finish(&md5_state, md5_digest); + cupsHashData("md5", first->data, first->datalen, md5_digest, sizeof(md5_digest)); - snprintf(buffer, bufsize, "%s / %s / %02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X", name, httpGetDateString(expiration), md5_digest[0], md5_digest[1], md5_digest[2], md5_digest[3], md5_digest[4], md5_digest[5], md5_digest[6], md5_digest[7], md5_digest[8], md5_digest[9], md5_digest[10], md5_digest[11], md5_digest[12], md5_digest[13], md5_digest[14], md5_digest[15]); + snprintf(buffer, bufsize, "%s (issued by %s) / %s / %s / %02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X", commonName, issuer, httpGetDateString(expiration), sigalg, md5_digest[0], md5_digest[1], md5_digest[2], md5_digest[3], md5_digest[4], md5_digest[5], md5_digest[6], md5_digest[7], md5_digest[8], md5_digest[9], md5_digest[10], md5_digest[11], md5_digest[12], md5_digest[13], md5_digest[14], md5_digest[15]); CFRelease(secCert); } @@ -705,38 +934,50 @@ _httpFreeCredentials( /* * 'httpLoadCredentials()' - Load X.509 credentials from a keychain file. * - * @since CUPS 2.0@ + * @since CUPS 2.0/OS 10.10@ */ int /* O - 0 on success, -1 on error */ httpLoadCredentials( - const char *path, /* I - Keychain/PKCS#12 path */ + const char *path, /* I - Keychain path or @code NULL@ for default */ cups_array_t **credentials, /* IO - Credentials */ const char *common_name) /* I - Common name for credentials */ { - (void)path; - (void)credentials; - (void)common_name; - - return (-1); - -#if 0 OSStatus err; /* Error info */ - SecKeychainRef keychain = NULL;/* Keychain reference */ - SecIdentitySearchRef search = NULL; /* Search reference */ - SecIdentityRef identity = NULL;/* Identity */ - CFArrayRef certificates = NULL; - /* Certificate array */ +#if TARGET_OS_OSX + char filename[1024]; /* Filename for keychain */ + SecKeychainRef keychain = NULL,/* Keychain reference */ + syschain = NULL;/* System keychain */ + CFArrayRef list; /* Keychain list */ +#endif /* TARGET_OS_OSX */ + SecCertificateRef cert = NULL; /* Certificate */ + CFDataRef data; /* Certificate data */ SecPolicyRef policy = NULL; /* Policy ref */ CFStringRef cfcommon_name = NULL; /* Server name */ CFMutableDictionaryRef query = NULL; /* Query qualifiers */ - CFArrayRef list = NULL; /* Keychain list */ - if ((err = SecKeychainOpen(path, &keychain))) + DEBUG_printf(("httpLoadCredentials(path=\"%s\", credentials=%p, common_name=\"%s\")", path, (void *)credentials, common_name)); + + if (!credentials) + return (-1); + + *credentials = NULL; + +#if TARGET_OS_OSX + keychain = http_cdsa_open_keychain(path, filename, sizeof(filename)); + + if (!keychain) goto cleanup; + syschain = http_cdsa_open_system_keychain(); + +#else + if (path) + return (-1); +#endif /* TARGET_OS_OSX */ + cfcommon_name = CFStringCreateWithCString(kCFAllocatorDefault, common_name, kCFStringEncodingUTF8); policy = SecPolicyCreateSSL(1, cfcommon_name); @@ -750,453 +991,157 @@ httpLoadCredentials( if (!(query = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks))) goto cleanup; - list = CFArrayCreate(kCFAllocatorDefault, (const void **)&keychain, 1, - &kCFTypeArrayCallBacks); - - CFDictionaryAddValue(query, kSecClass, kSecClassIdentity); + CFDictionaryAddValue(query, kSecClass, kSecClassCertificate); CFDictionaryAddValue(query, kSecMatchPolicy, policy); CFDictionaryAddValue(query, kSecReturnRef, kCFBooleanTrue); CFDictionaryAddValue(query, kSecMatchLimit, kSecMatchLimitOne); - CFDictionaryAddValue(query, kSecMatchSearchList, list); +#if TARGET_OS_OSX + if (syschain) + { + const void *values[2] = { syschain, keychain }; + + list = CFArrayCreate(kCFAllocatorDefault, (const void **)values, 2, &kCFTypeArrayCallBacks); + } + else + list = CFArrayCreate(kCFAllocatorDefault, (const void **)&keychain, 1, &kCFTypeArrayCallBacks); + CFDictionaryAddValue(query, kSecMatchSearchList, list); CFRelease(list); +#endif /* TARGET_OS_OSX */ - err = SecItemCopyMatching(query, (CFTypeRef *)&identity); + err = SecItemCopyMatching(query, (CFTypeRef *)&cert); if (err) goto cleanup; - if (CFGetTypeID(identity) != SecIdentityGetTypeID()) + if (CFGetTypeID(cert) != SecCertificateGetTypeID()) goto cleanup; - if ((certificates = CFArrayCreate(NULL, (const void **)&identity, 1, &kCFTypeArrayCallBacks)) == NULL) - goto cleanup; + if ((data = SecCertificateCopyData(cert)) != NULL) + { + DEBUG_printf(("1httpLoadCredentials: Adding %d byte certificate blob.", (int)CFDataGetLength(data))); + + *credentials = cupsArrayNew(NULL, NULL); + httpAddCredential(*credentials, CFDataGetBytePtr(data), (size_t)CFDataGetLength(data)); + CFRelease(data); + } cleanup : +#if TARGET_OS_OSX if (keychain) CFRelease(keychain); - if (search) - CFRelease(search); - if (identity) - CFRelease(identity); + if (syschain) + CFRelease(syschain); +#endif /* TARGET_OS_OSX */ + if (cert) + CFRelease(cert); if (policy) CFRelease(policy); if (query) CFRelease(query); - return (certificates); -#endif /* 0 */ + DEBUG_printf(("1httpLoadCredentials: Returning %d.", *credentials ? 0 : -1)); + + return (*credentials ? 0 : -1); } -#if 0 /* - * 'cupsMakeCredentials()' - Create self-signed credentials for the given - * name. + * 'httpSaveCredentials()' - Save X.509 credentials to a keychain file. * - * @since CUPS 2.0@ + * @since CUPS 2.0/OS 10.10@ */ -int /* O - 0 on success, -1 on error */ -cupsMakeCredentials( - const char *path, /* I - Keychain/PKCS#12 path */ - cups_array_t **credentials, /* O - Credentials */ - const char *common_name) /* I - Common name for X.509 cert */ +int /* O - -1 on error, 0 on success */ +httpSaveCredentials( + const char *path, /* I - Keychain path or @code NULL@ for default */ + cups_array_t *credentials, /* I - Credentials */ + const char *common_name) /* I - Common name for credentials */ { -# ifdef HAVE_SECGENERATESELFSIGNEDCERTIFICATE - int status = -1; /* Return status */ - OSStatus err; /* Error code (if any) */ - CFStringRef cfcommon_name = NULL; - /* CF string for server name */ - SecIdentityRef ident = NULL; /* Identity */ - SecKeyRef publicKey = NULL, - /* Public key */ - privateKey = NULL; - /* Private key */ - CFMutableDictionaryRef keyParams = NULL; - /* Key generation parameters */ - + int ret = -1; /* Return value */ + OSStatus err; /* Error info */ +#if TARGET_OS_OSX + char filename[1024]; /* Filename for keychain */ + SecKeychainRef keychain = NULL;/* Keychain reference */ + CFArrayRef list; /* Keychain list */ +#endif /* TARGET_OS_OSX */ + SecCertificateRef cert = NULL; /* Certificate */ + CFMutableDictionaryRef attrs = NULL; /* Attributes for add */ - if (credentials) - *credentials = NULL; - cfcommon_name = CFStringCreateWithCString(kCFAllocatorDefault, servername, - kCFStringEncodingUTF8); - if (!cfcommon_name) + DEBUG_printf(("httpSaveCredentials(path=\"%s\", credentials=%p, common_name=\"%s\")", path, (void *)credentials, common_name)); + if (!credentials) goto cleanup; - /* - * Create a public/private key pair... - */ + if (!httpCredentialsAreValidForName(credentials, common_name)) + { + DEBUG_puts("1httpSaveCredentials: Common name does not match."); + return (-1); + } - keyParams = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, - &kCFTypeDictionaryKeyCallBacks, - &kCFTypeDictionaryValueCallBacks); - if (!keyParams) + if ((cert = http_cdsa_create_credential((http_credential_t *)cupsArrayFirst(credentials))) == NULL) + { + DEBUG_puts("1httpSaveCredentials: Unable to create certificate."); goto cleanup; + } - CFDictionaryAddValue(keyParams, kSecAttrKeyType, kSecAttrKeyTypeRSA); - CFDictionaryAddValue(keyParams, kSecAttrKeySizeInBits, CFSTR("2048")); - CFDictionaryAddValue(keyParams, kSecAttrLabel, - CFSTR("CUPS Self-Signed Certificate")); +#if TARGET_OS_OSX + keychain = http_cdsa_open_keychain(path, filename, sizeof(filename)); - err = SecKeyGeneratePair(keyParams, &publicKey, &privateKey); - if (err != noErr) + if (!keychain) goto cleanup; - /* - * Create a self-signed certificate using the public/private key pair... - */ - - CFIndex usageInt = kSecKeyUsageAll; - CFNumberRef usage = CFNumberCreate(alloc, kCFNumberCFIndexType, &usageInt); - CFDictionaryRef certParams = CFDictionaryCreateMutable(kCFAllocatorDefault, -kSecCSRBasicContraintsPathLen, CFINT(0), kSecSubjectAltName, cfcommon_name, kSecCertificateKeyUsage, usage, NULL, NULL); - CFRelease(usage); - - const void *ca_o[] = { kSecOidOrganization, CFSTR("") }; - const void *ca_cn[] = { kSecOidCommonName, cfcommon_name }; - CFArrayRef ca_o_dn = CFArrayCreate(kCFAllocatorDefault, ca_o, 2, NULL); - CFArrayRef ca_cn_dn = CFArrayCreate(kCFAllocatorDefault, ca_cn, 2, NULL); - const void *ca_dn_array[2]; - - ca_dn_array[0] = CFArrayCreate(kCFAllocatorDefault, (const void **)&ca_o_dn, 1, NULL); - ca_dn_array[1] = CFArrayCreate(kCFAllocatorDefault, (const void **)&ca_cn_dn, 1, NULL); - - CFArrayRef subject = CFArrayCreate(kCFAllocatorDefault, ca_dn_array, 2, NULL); - SecCertificateRef cert = SecGenerateSelfSignedCertificate(subject, certParams, publicKey, privateKey); - CFRelease(subject); - CFRelease(certParams); - - if (!cert) - goto cleanup; - - ident = SecIdentityCreate(kCFAllocatorDefault, cert, privateKey); - - if (ident) - status = 0; - - /* - * Cleanup and return... - */ - -cleanup: - - if (cfcommon_name) - CFRelease(cfcommon_name); - - if (keyParams) - CFRelease(keyParams); - - if (ident) - CFRelease(ident); - - if (cert) - CFRelease(cert); - - if (publicKey) - CFRelease(publicKey); - - if (privateKey) - CFRelease(publicKey); - - return (status); - -# else /* !HAVE_SECGENERATESELFSIGNEDCERTIFICATE */ - int pid, /* Process ID of command */ - status; /* Status of command */ - char command[1024], /* Command */ - *argv[4], /* Command-line arguments */ - keychain[1024], /* Keychain argument */ - infofile[1024]; /* Type-in information for cert */ - cups_file_t *fp; /* Seed/info file */ - - - /* - * Run the "certtool" command to generate a self-signed certificate... - */ - - if (!cupsFileFind("certtool", getenv("PATH"), 1, command, sizeof(command))) - return (-1); - - /* - * Create a file with the certificate information fields... - * - * Note: This assumes that the default questions are asked by the certtool - * command... - */ - - if ((fp = cupsTempFile2(infofile, sizeof(infofile))) == NULL) +#else + if (path) return (-1); +#endif /* TARGET_OS_OSX */ - cupsFilePrintf(fp, - "%s\n" /* Enter key and certificate label */ - "r\n" /* Generate RSA key pair */ - "2048\n" /* Key size in bits */ - "y\n" /* OK (y = yes) */ - "b\n" /* Usage (b=signing/encryption) */ - "s\n" /* Sign with SHA1 */ - "y\n" /* OK (y = yes) */ - "%s\n" /* Common name */ - "\n" /* Country (default) */ - "\n" /* Organization (default) */ - "\n" /* Organizational unit (default) */ - "\n" /* State/Province (default) */ - "%s\n" /* Email address */ - "y\n", /* OK (y = yes) */ - common_name, common_name, ""); - cupsFileClose(fp); - - snprintf(keychain, sizeof(keychain), "k=%s", path); - - argv[0] = "certtool"; - argv[1] = "c"; - argv[2] = keychain; - argv[3] = NULL; - - posix_spawn_file_actions_t actions; /* File actions */ - - posix_spawn_file_actions_init(&actions); - posix_spawn_file_actions_addclose(&actions, 0); - posix_spawn_file_actions_addopen(&actions, 0, infofile, O_RDONLY, 0); - - if (posix_spawn(&pid, command, &actions, NULL, argv, environ)) + if ((attrs = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks)) == NULL) { - unlink(infofile); - return (-1); - } - - posix_spawn_file_actions_destroy(&actions); - - unlink(infofile); - - while (waitpid(pid, &status, 0) < 0) - if (errno != EINTR) - { - status = -1; - break; - } - - if (status) - return (-1); - -# endif /* HAVE_SECGENERATESELFSIGNEDCERTIFICATE */ - - return (httpLoadCredentials(path, credentials, common_name)); -} -#endif /* 0 */ - - -/* - * 'httpSaveCredentials()' - Save X.509 credentials to a keychain file. - * - * @since CUPS 2.0@ - */ - -int /* O - -1 on error, 0 on success */ -httpSaveCredentials( - const char *path, /* I - Keychain/PKCS#12 path */ - cups_array_t *credentials, /* I - Credentials */ - const char *common_name) /* I - Common name for credentials */ -{ - (void)path; - (void)credentials; - (void)common_name; - - return (-1); -} - - -#ifdef HAVE_SECKEYCHAINOPEN -/* - * 'http_cdsa_copy_server()' - Find and copy server credentials from the keychain. - */ - -static CFArrayRef /* O - Array of certificates or NULL */ -http_cdsa_copy_server( - const char *common_name) /* I - Server's hostname */ -{ - OSStatus err; /* Error info */ - SecIdentitySearchRef search = NULL; /* Search reference */ - SecIdentityRef identity = NULL;/* Identity */ - CFArrayRef certificates = NULL; - /* Certificate array */ - SecPolicyRef policy = NULL; /* Policy ref */ - CFStringRef cfcommon_name = NULL; - /* Server name */ - CFMutableDictionaryRef query = NULL; /* Query qualifiers */ - CFArrayRef list = NULL; /* Keychain list */ - - - cfcommon_name = CFStringCreateWithCString(kCFAllocatorDefault, common_name, kCFStringEncodingUTF8); - - policy = SecPolicyCreateSSL(1, cfcommon_name); - - if (cfcommon_name) - CFRelease(cfcommon_name); - - if (!policy) - goto cleanup; - - if (!(query = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks))) + DEBUG_puts("1httpSaveCredentials: Unable to create dictionary."); goto cleanup; - - list = CFArrayCreate(kCFAllocatorDefault, (const void **)&tls_keychain, 1, &kCFTypeArrayCallBacks); - - CFDictionaryAddValue(query, kSecClass, kSecClassIdentity); - CFDictionaryAddValue(query, kSecMatchPolicy, policy); - CFDictionaryAddValue(query, kSecReturnRef, kCFBooleanTrue); - CFDictionaryAddValue(query, kSecMatchLimit, kSecMatchLimitOne); - CFDictionaryAddValue(query, kSecMatchSearchList, list); - - CFRelease(list); - - err = SecItemCopyMatching(query, (CFTypeRef *)&identity); - - if (err) - goto cleanup; - - if (CFGetTypeID(identity) != SecIdentityGetTypeID()) - goto cleanup; - - if ((certificates = CFArrayCreate(NULL, (const void **)&identity, 1, &kCFTypeArrayCallBacks)) == NULL) - goto cleanup; - - cleanup : - - if (search) - CFRelease(search); - if (identity) - CFRelease(identity); - - if (policy) - CFRelease(policy); - if (query) - CFRelease(query); - - return (certificates); -} -#endif /* HAVE_SECKEYCHAINOPEN */ - - -/* - * 'http_cdsa_read()' - Read function for the CDSA library. - */ - -static OSStatus /* O - -1 on error, 0 on success */ -http_cdsa_read( - SSLConnectionRef connection, /* I - SSL/TLS connection */ - void *data, /* I - Data buffer */ - size_t *dataLength) /* IO - Number of bytes */ -{ - OSStatus result; /* Return value */ - ssize_t bytes; /* Number of bytes read */ - http_t *http; /* HTTP connection */ - - - http = (http_t *)connection; - - if (!http->blocking) - { - /* - * Make sure we have data before we read... - */ - - while (!_httpWait(http, http->wait_value, 0)) - { - if (http->timeout_cb && (*http->timeout_cb)(http, http->timeout_data)) - continue; - - http->error = ETIMEDOUT; - return (-1); - } } - do - { - bytes = recv(http->fd, data, *dataLength, 0); - } - while (bytes == -1 && (errno == EINTR || errno == EAGAIN)); + CFDictionaryAddValue(attrs, kSecClass, kSecClassCertificate); + CFDictionaryAddValue(attrs, kSecValueRef, cert); - if ((size_t)bytes == *dataLength) - { - result = 0; - } - else if (bytes > 0) - { - *dataLength = (size_t)bytes; - result = errSSLWouldBlock; - } - else +#if TARGET_OS_OSX + if ((list = CFArrayCreate(kCFAllocatorDefault, (const void **)&keychain, 1, &kCFTypeArrayCallBacks)) == NULL) { - *dataLength = 0; - - if (bytes == 0) - result = errSSLClosedGraceful; - else if (errno == EAGAIN) - result = errSSLWouldBlock; - else - result = errSSLClosedAbort; + DEBUG_puts("1httpSaveCredentials: Unable to create list of keychains."); + goto cleanup; } + CFDictionaryAddValue(attrs, kSecMatchSearchList, list); + CFRelease(list); +#endif /* TARGET_OS_OSX */ - return (result); -} - - -/* - * 'http_cdsa_write()' - Write function for the CDSA library. - */ - -static OSStatus /* O - -1 on error, 0 on success */ -http_cdsa_write( - SSLConnectionRef connection, /* I - SSL/TLS connection */ - const void *data, /* I - Data buffer */ - size_t *dataLength) /* IO - Number of bytes */ -{ - OSStatus result; /* Return value */ - ssize_t bytes; /* Number of bytes read */ - http_t *http; /* HTTP connection */ - - - http = (http_t *)connection; - - do - { - bytes = write(http->fd, data, *dataLength); - } - while (bytes == -1 && (errno == EINTR || errno == EAGAIN)); + /* Note: SecItemAdd consumes "attrs"... */ + err = SecItemAdd(attrs, NULL); + DEBUG_printf(("1httpSaveCredentials: SecItemAdd returned %d.", (int)err)); - if ((size_t)bytes == *dataLength) - { - result = 0; - } - else if (bytes >= 0) - { - *dataLength = (size_t)bytes; - result = errSSLWouldBlock; - } - else - { - *dataLength = 0; + cleanup : - if (errno == EAGAIN) - result = errSSLWouldBlock; - else - result = errSSLClosedAbort; - } +#if TARGET_OS_OSX + if (keychain) + CFRelease(keychain); +#endif /* TARGET_OS_OSX */ + if (cert) + CFRelease(cert); - return (result); + DEBUG_printf(("1httpSaveCredentials: Returning %d.", ret)); + + return (ret); } /* - * 'http_tls_initialize()' - Initialize the TLS stack. + * '_httpTLSInitialize()' - Initialize the TLS stack. */ -static void -http_tls_initialize(void) +void +_httpTLSInitialize(void) { /* * Nothing to do... @@ -1205,11 +1150,11 @@ http_tls_initialize(void) /* - * 'http_tls_pending()' - Return the number of pending TLS-encrypted bytes. + * '_httpTLSPending()' - Return the number of pending TLS-encrypted bytes. */ -static size_t -http_tls_pending(http_t *http) /* I - HTTP connection */ +size_t +_httpTLSPending(http_t *http) /* I - HTTP connection */ { size_t bytes; /* Bytes that are available */ @@ -1222,11 +1167,11 @@ http_tls_pending(http_t *http) /* I - HTTP connection */ /* - * 'http_tls_read()' - Read from a SSL/TLS connection. + * '_httpTLSRead()' - Read from a SSL/TLS connection. */ -static int /* O - Bytes read */ -http_tls_read(http_t *http, /* I - HTTP connection */ +int /* O - Bytes read */ +_httpTLSRead(http_t *http, /* I - HTTP connection */ char *buf, /* I - Buffer to store data */ int len) /* I - Length of buffer */ { @@ -1236,7 +1181,7 @@ http_tls_read(http_t *http, /* I - HTTP connection */ error = SSLRead(http->tls, buf, (size_t)len, &processed); - DEBUG_printf(("6http_tls_read: error=%d, processed=%d", (int)error, + DEBUG_printf(("6_httpTLSRead: error=%d, processed=%d", (int)error, (int)processed)); switch (error) { @@ -1271,46 +1216,29 @@ http_tls_read(http_t *http, /* I - HTTP connection */ /* - * 'http_tls_set_credentials()' - Set the TLS credentials. + * '_httpTLSSetOptions()' - Set TLS protocol and cipher suite options. */ -static int /* O - Status of connection */ -http_tls_set_credentials(http_t *http) /* I - HTTP connection */ +void +_httpTLSSetOptions(int options, /* I - Options */ + int min_version, /* I - Minimum TLS version */ + int max_version) /* I - Maximum TLS version */ { - _cups_globals_t *cg = _cupsGlobals(); /* Pointer to library globals */ - OSStatus error = 0; /* Error code */ - http_tls_credentials_t credentials = NULL; - /* TLS credentials */ - - - DEBUG_printf(("7http_tls_set_credentials(%p)", http)); - - /* - * Prefer connection specific credentials... - */ - - if ((credentials = http->tls_credentials) == NULL) - credentials = cg->tls_credentials; - - if (credentials) + if (!(options & _HTTP_TLS_SET_DEFAULT) || tls_options < 0) { - error = SSLSetCertificate(http->tls, credentials); - DEBUG_printf(("4http_tls_set_credentials: SSLSetCertificate, error=%d", - (int)error)); + tls_options = options; + tls_min_version = min_version; + tls_max_version = max_version; } - else - DEBUG_puts("4http_tls_set_credentials: No credentials to set."); - - return (error); } /* - * 'http_tls_start()' - Set up SSL/TLS support on a connection. + * '_httpTLSStart()' - Set up SSL/TLS support on a connection. */ -static int /* O - 0 on success, -1 on failure */ -http_tls_start(http_t *http) /* I - HTTP connection */ +int /* O - 0 on success, -1 on failure */ +_httpTLSStart(http_t *http) /* I - HTTP connection */ { char hostname[256], /* Hostname */ *hostptr; /* Pointer into hostname */ @@ -1318,6 +1246,7 @@ http_tls_start(http_t *http) /* I - HTTP connection */ /* Pointer to library globals */ OSStatus error; /* Error code */ const char *message = NULL;/* Error message */ + char msgbuf[1024]; /* Error message buffer */ cups_array_t *credentials; /* Credentials array */ cups_array_t *names; /* CUPS distinguished names */ CFArrayRef dn_array; /* CF distinguished names array */ @@ -1327,25 +1256,30 @@ http_tls_start(http_t *http) /* I - HTTP connection */ http_credential_t *credential; /* Credential data */ - DEBUG_printf(("7http_tls_start(http=%p)", http)); + DEBUG_printf(("3_httpTLSStart(http=%p)", (void *)http)); -#ifdef HAVE_SECKEYCHAINOPEN + if (tls_options < 0) + { + DEBUG_puts("4_httpTLSStart: Setting defaults."); + _cupsSetDefaults(); + DEBUG_printf(("4_httpTLSStart: tls_options=%x, tls_min_version=%d, tls_max_version=%d", tls_options, tls_min_version, tls_max_version)); + } + +#if TARGET_OS_OSX if (http->mode == _HTTP_MODE_SERVER && !tls_keychain) -#else - if (http->mode == _HTTP_MODE_SERVER) -#endif /* HAVE_SECKEYCHAINOPEN */ { - DEBUG_puts("4http_tls_start: cupsSetServerCredentials not called."); + DEBUG_puts("4_httpTLSStart: cupsSetServerCredentials not called."); http->error = errno = EINVAL; http->status = HTTP_STATUS_ERROR; _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Server credentials not set."), 1); return (-1); } +#endif /* TARGET_OS_OSX */ if ((http->tls = SSLCreateContext(kCFAllocatorDefault, http->mode == _HTTP_MODE_CLIENT ? kSSLClientSide : kSSLServerSide, kSSLStreamType)) == NULL) { - DEBUG_puts("4http_tls_start: SSLCreateContext failed."); + DEBUG_puts("4_httpTLSStart: SSLCreateContext failed."); http->error = errno = ENOMEM; http->status = HTTP_STATUS_ERROR; _cupsSetHTTPError(HTTP_STATUS_ERROR); @@ -1354,20 +1288,203 @@ http_tls_start(http_t *http) /* I - HTTP connection */ } error = SSLSetConnection(http->tls, http); - DEBUG_printf(("4http_tls_start: SSLSetConnection, error=%d", (int)error)); + DEBUG_printf(("4_httpTLSStart: SSLSetConnection, error=%d", (int)error)); if (!error) { error = SSLSetIOFuncs(http->tls, http_cdsa_read, http_cdsa_write); - DEBUG_printf(("4http_tls_start: SSLSetIOFuncs, error=%d", (int)error)); + DEBUG_printf(("4_httpTLSStart: SSLSetIOFuncs, error=%d", (int)error)); } if (!error) { error = SSLSetSessionOption(http->tls, kSSLSessionOptionBreakOnServerAuth, true); - DEBUG_printf(("4http_tls_start: SSLSetSessionOption, error=%d", - (int)error)); + DEBUG_printf(("4_httpTLSStart: SSLSetSessionOption, error=%d", (int)error)); + } + + if (!error) + { + static const SSLProtocol protocols[] = /* Min/max protocol versions */ + { + kSSLProtocol3, + kTLSProtocol1, + kTLSProtocol11, + kTLSProtocol12, + kTLSProtocol13 + }; + + if (tls_min_version < _HTTP_TLS_MAX) + { + error = SSLSetProtocolVersionMin(http->tls, protocols[tls_min_version]); + DEBUG_printf(("4_httpTLSStart: SSLSetProtocolVersionMin(%d), error=%d", protocols[tls_min_version], (int)error)); + } + + if (!error && tls_max_version < _HTTP_TLS_MAX) + { + error = SSLSetProtocolVersionMax(http->tls, protocols[tls_max_version]); + DEBUG_printf(("4_httpTLSStart: SSLSetProtocolVersionMax(%d), error=%d", protocols[tls_max_version], (int)error)); + } + } + + if (!error) + { + SSLCipherSuite supported[100]; /* Supported cipher suites */ + size_t num_supported; /* Number of supported cipher suites */ + SSLCipherSuite enabled[100]; /* Cipher suites to enable */ + size_t num_enabled; /* Number of cipher suites to enable */ + + num_supported = sizeof(supported) / sizeof(supported[0]); + error = SSLGetSupportedCiphers(http->tls, supported, &num_supported); + + if (!error) + { + DEBUG_printf(("4_httpTLSStart: %d cipher suites supported.", (int)num_supported)); + + for (i = 0, num_enabled = 0; i < (int)num_supported && num_enabled < (sizeof(enabled) / sizeof(enabled[0])); i ++) + { + switch (supported[i]) + { + /* Obviously insecure cipher suites that we never want to use */ + case SSL_NULL_WITH_NULL_NULL : + case SSL_RSA_WITH_NULL_MD5 : + case SSL_RSA_WITH_NULL_SHA : + case SSL_RSA_EXPORT_WITH_RC4_40_MD5 : + case SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 : + case SSL_RSA_EXPORT_WITH_DES40_CBC_SHA : + case SSL_RSA_WITH_DES_CBC_SHA : + case SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA : + case SSL_DH_DSS_WITH_DES_CBC_SHA : + case SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA : + case SSL_DH_RSA_WITH_DES_CBC_SHA : + case SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA : + case SSL_DHE_DSS_WITH_DES_CBC_SHA : + case SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA : + case SSL_DHE_RSA_WITH_DES_CBC_SHA : + case SSL_DH_anon_EXPORT_WITH_RC4_40_MD5 : + case SSL_DH_anon_WITH_RC4_128_MD5 : + case SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA : + case SSL_DH_anon_WITH_DES_CBC_SHA : + case SSL_DH_anon_WITH_3DES_EDE_CBC_SHA : + case SSL_FORTEZZA_DMS_WITH_NULL_SHA : + case TLS_DH_anon_WITH_AES_128_CBC_SHA : + case TLS_DH_anon_WITH_AES_256_CBC_SHA : + case TLS_ECDH_ECDSA_WITH_NULL_SHA : + case TLS_ECDHE_RSA_WITH_NULL_SHA : + case TLS_ECDH_anon_WITH_NULL_SHA : + case TLS_ECDH_anon_WITH_RC4_128_SHA : + case TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA : + case TLS_ECDH_anon_WITH_AES_128_CBC_SHA : + case TLS_ECDH_anon_WITH_AES_256_CBC_SHA : + case TLS_RSA_WITH_NULL_SHA256 : + case TLS_DH_anon_WITH_AES_128_CBC_SHA256 : + case TLS_DH_anon_WITH_AES_256_CBC_SHA256 : + case TLS_PSK_WITH_NULL_SHA : + case TLS_DHE_PSK_WITH_NULL_SHA : + case TLS_RSA_PSK_WITH_NULL_SHA : + case TLS_DH_anon_WITH_AES_128_GCM_SHA256 : + case TLS_DH_anon_WITH_AES_256_GCM_SHA384 : + case TLS_PSK_WITH_NULL_SHA256 : + case TLS_PSK_WITH_NULL_SHA384 : + case TLS_DHE_PSK_WITH_NULL_SHA256 : + case TLS_DHE_PSK_WITH_NULL_SHA384 : + case TLS_RSA_PSK_WITH_NULL_SHA256 : + case TLS_RSA_PSK_WITH_NULL_SHA384 : + case SSL_RSA_WITH_DES_CBC_MD5 : + DEBUG_printf(("4_httpTLSStart: Excluding insecure cipher suite %d", supported[i])); + break; + + /* RC4 cipher suites that should only be used as a last resort */ + case SSL_RSA_WITH_RC4_128_MD5 : + case SSL_RSA_WITH_RC4_128_SHA : + case TLS_ECDH_ECDSA_WITH_RC4_128_SHA : + case TLS_ECDHE_ECDSA_WITH_RC4_128_SHA : + case TLS_ECDH_RSA_WITH_RC4_128_SHA : + case TLS_ECDHE_RSA_WITH_RC4_128_SHA : + case TLS_PSK_WITH_RC4_128_SHA : + case TLS_DHE_PSK_WITH_RC4_128_SHA : + case TLS_RSA_PSK_WITH_RC4_128_SHA : + if (tls_options & _HTTP_TLS_ALLOW_RC4) + enabled[num_enabled ++] = supported[i]; + else + DEBUG_printf(("4_httpTLSStart: Excluding RC4 cipher suite %d", supported[i])); + break; + + /* DH/DHE cipher suites that are problematic with parameters < 1024 bits */ + case TLS_DH_DSS_WITH_AES_128_CBC_SHA : + case TLS_DH_RSA_WITH_AES_128_CBC_SHA : + case TLS_DHE_DSS_WITH_AES_128_CBC_SHA : + case TLS_DHE_RSA_WITH_AES_128_CBC_SHA : + case TLS_DH_DSS_WITH_AES_256_CBC_SHA : + case TLS_DH_RSA_WITH_AES_256_CBC_SHA : + case TLS_DHE_DSS_WITH_AES_256_CBC_SHA : + case TLS_DHE_RSA_WITH_AES_256_CBC_SHA : + case TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA : + case TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA : + case TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA : + case TLS_DH_DSS_WITH_AES_128_CBC_SHA256 : + case TLS_DH_RSA_WITH_AES_128_CBC_SHA256 : + case TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 : + case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 : + case TLS_DH_DSS_WITH_AES_256_CBC_SHA256 : + case TLS_DH_RSA_WITH_AES_256_CBC_SHA256 : + case TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 : + case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 : + case TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA : + case TLS_DHE_PSK_WITH_AES_128_CBC_SHA : + case TLS_DHE_PSK_WITH_AES_256_CBC_SHA : + case TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 : + case TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 : + if (tls_options & _HTTP_TLS_DENY_CBC) + { + DEBUG_printf(("4_httpTLSStart: Excluding CBC cipher suite %d", supported[i])); + break; + } + +// case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 : +// case TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 : + case TLS_DH_RSA_WITH_AES_128_GCM_SHA256 : + case TLS_DH_RSA_WITH_AES_256_GCM_SHA384 : +// case TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 : +// case TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 : + case TLS_DH_DSS_WITH_AES_128_GCM_SHA256 : + case TLS_DH_DSS_WITH_AES_256_GCM_SHA384 : + case TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 : + case TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 : + if (tls_options & _HTTP_TLS_ALLOW_DH) + enabled[num_enabled ++] = supported[i]; + else + DEBUG_printf(("4_httpTLSStart: Excluding DH/DHE cipher suite %d", supported[i])); + break; + + case TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA : + case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 : + case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 : + case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 : + case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 : + case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 : + case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 : + case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 : + case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 : + case TLS_RSA_WITH_3DES_EDE_CBC_SHA : + case TLS_RSA_WITH_AES_128_CBC_SHA : + case TLS_RSA_WITH_AES_256_CBC_SHA : + if (tls_options & _HTTP_TLS_DENY_CBC) + { + DEBUG_printf(("4_httpTLSStart: Excluding CBC cipher suite %d", supported[i])); + break; + } + + /* Anything else we'll assume is "secure" */ + default : + enabled[num_enabled ++] = supported[i]; + break; + } + } + + DEBUG_printf(("4_httpTLSStart: %d cipher suites enabled.", (int)num_enabled)); + error = SSLSetEnabledCiphers(http->tls, enabled, num_enabled); + } } if (!error && http->mode == _HTTP_MODE_CLIENT) @@ -1380,13 +1497,13 @@ http_tls_start(http_t *http) /* I - HTTP connection */ { error = SSLSetSessionOption(http->tls, kSSLSessionOptionBreakOnCertRequested, true); - DEBUG_printf(("4http_tls_start: kSSLSessionOptionBreakOnCertRequested, " + DEBUG_printf(("4_httpTLSStart: kSSLSessionOptionBreakOnCertRequested, " "error=%d", (int)error)); } else { - error = http_tls_set_credentials(http); - DEBUG_printf(("4http_tls_start: http_tls_set_credentials, error=%d", + error = http_cdsa_set_credentials(http); + DEBUG_printf(("4_httpTLSStart: http_cdsa_set_credentials, error=%d", (int)error)); } } @@ -1396,7 +1513,7 @@ http_tls_start(http_t *http) /* I - HTTP connection */ * Server: find/create a certificate for TLS... */ - if (http->fields[HTTP_FIELD_HOST][0]) + if (http->fields[HTTP_FIELD_HOST]) { /* * Use hostname for TLS upgrade... @@ -1416,7 +1533,7 @@ http_tls_start(http_t *http) /* I - HTTP connection */ addrlen = sizeof(addr); if (getsockname(http->fd, (struct sockaddr *)&addr, &addrlen)) { - DEBUG_printf(("4http_tls_start: Unable to get socket address: %s", strerror(errno))); + DEBUG_printf(("4_httpTLSStart: Unable to get socket address: %s", strerror(errno))); hostname[0] = '\0'; } else if (httpAddrLocalhost(&addr)) @@ -1424,11 +1541,10 @@ http_tls_start(http_t *http) /* I - HTTP connection */ else { httpAddrLookup(&addr, hostname, sizeof(hostname)); - DEBUG_printf(("4http_tls_start: Resolved socket address to \"%s\".", hostname)); + DEBUG_printf(("4_httpTLSStart: Resolved socket address to \"%s\".", hostname)); } } -#ifdef HAVE_SECKEYCHAINOPEN if (isdigit(hostname[0] & 255) || hostname[0] == '[') hostname[0] = '\0'; /* Don't allow numeric addresses */ @@ -1439,11 +1555,11 @@ http_tls_start(http_t *http) /* I - HTTP connection */ if (!http->tls_credentials && tls_auto_create && (hostname[0] || tls_common_name)) { - DEBUG_printf(("4http_tls_start: Auto-create credentials for \"%s\".", hostname[0] ? hostname : tls_common_name)); + DEBUG_printf(("4_httpTLSStart: Auto-create credentials for \"%s\".", hostname[0] ? hostname : tls_common_name)); if (!cupsMakeServerCredentials(tls_keypath, hostname[0] ? hostname : tls_common_name, 0, NULL, time(NULL) + 365 * 86400)) { - DEBUG_puts("4http_tls_start: cupsMakeServerCredentials failed."); + DEBUG_puts("4_httpTLSStart: cupsMakeServerCredentials failed."); http->error = errno = EINVAL; http->status = HTTP_STATUS_ERROR; _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Unable to create server credentials."), 1); @@ -1453,11 +1569,10 @@ http_tls_start(http_t *http) /* I - HTTP connection */ http->tls_credentials = http_cdsa_copy_server(hostname[0] ? hostname : tls_common_name); } -#endif /* HAVE_SECKEYCHAINOPEN */ if (!http->tls_credentials) { - DEBUG_puts("4http_tls_start: Unable to find server credentials."); + DEBUG_puts("4_httpTLSStart: Unable to find server credentials."); http->error = errno = EINVAL; http->status = HTTP_STATUS_ERROR; _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Unable to find server credentials."), 1); @@ -1467,10 +1582,10 @@ http_tls_start(http_t *http) /* I - HTTP connection */ error = SSLSetCertificate(http->tls, http->tls_credentials); - DEBUG_printf(("4http_tls_start: SSLSetCertificate, error=%d", (int)error)); + DEBUG_printf(("4_httpTLSStart: SSLSetCertificate, error=%d", (int)error)); } - DEBUG_printf(("4http_tls_start: tls_credentials=%p", http->tls_credentials)); + DEBUG_printf(("4_httpTLSStart: tls_credentials=%p", (void *)http->tls_credentials)); /* * Let the server know which hostname/domain we are trying to connect to @@ -1501,18 +1616,39 @@ http_tls_start(http_t *http) /* I - HTTP connection */ error = SSLSetPeerDomainName(http->tls, hostname, strlen(hostname)); - DEBUG_printf(("4http_tls_start: SSLSetPeerDomainName, error=%d", (int)error)); + DEBUG_printf(("4_httpTLSStart: SSLSetPeerDomainName, error=%d", (int)error)); } if (!error) { - int done = 0; /* Are we done yet? */ + int done = 0; /* Are we done yet? */ + double old_timeout; /* Old timeout value */ + http_timeout_cb_t old_cb; /* Old timeout callback */ + void *old_data; /* Old timeout data */ + + /* + * Enforce a minimum timeout of 10 seconds for the TLS handshake... + */ + + old_timeout = http->timeout_value; + old_cb = http->timeout_cb; + old_data = http->timeout_data; + + if (!old_cb || old_timeout < 10.0) + { + DEBUG_puts("4_httpTLSStart: Setting timeout to 10 seconds."); + httpSetTimeout(http, 10.0, NULL, NULL); + } + + /* + * Do the TLS handshake... + */ while (!error && !done) { error = SSLHandshake(http->tls); - DEBUG_printf(("4http_tls_start: SSLHandshake returned %d.", (int)error)); + DEBUG_printf(("4_httpTLSStart: SSLHandshake returned %d.", (int)error)); switch (error) { @@ -1537,7 +1673,7 @@ http_tls_start(http_t *http) /* I - HTTP connection */ httpFreeCredentials(credentials); } - DEBUG_printf(("4http_tls_start: Server certificate callback " + DEBUG_printf(("4_httpTLSStart: Server certificate callback " "returned %d.", (int)error)); } break; @@ -1580,7 +1716,7 @@ http_tls_start(http_t *http) /* I - HTTP connection */ error = (cg->client_cert_cb)(http, http->tls, names, cg->client_cert_data); - DEBUG_printf(("4http_tls_start: Client certificate callback " + DEBUG_printf(("4_httpTLSStart: Client certificate callback " "returned %d.", (int)error)); } @@ -1627,6 +1763,12 @@ http_tls_start(http_t *http) /* I - HTTP connection */ break; } } + + /* + * Restore the previous timeout settings... + */ + + httpSetTimeout(http, old_timeout, old_cb, old_data); } if (error) @@ -1638,221 +1780,562 @@ http_tls_start(http_t *http) /* I - HTTP connection */ CFRelease(http->tls); http->tls = NULL; - /* - * If an error string wasn't set by the callbacks use a generic one... - */ + /* + * If an error string wasn't set by the callbacks use a generic one... + */ + + if (!message) + { + if (!cg->lang_default) + cg->lang_default = cupsLangDefault(); + + snprintf(msgbuf, sizeof(msgbuf), _cupsLangString(cg->lang_default, _("Unable to establish a secure connection to host (%d).")), error); + message = msgbuf; + } + + _cupsSetError(IPP_STATUS_ERROR_CUPS_PKI, message, 1); + + return (-1); + } + + return (0); +} + + +/* + * '_httpTLSStop()' - Shut down SSL/TLS on a connection. + */ + +void +_httpTLSStop(http_t *http) /* I - HTTP connection */ +{ + while (SSLClose(http->tls) == errSSLWouldBlock) + usleep(1000); + + CFRelease(http->tls); + + if (http->tls_credentials) + CFRelease(http->tls_credentials); + + http->tls = NULL; + http->tls_credentials = NULL; +} + + +/* + * '_httpTLSWrite()' - Write to a SSL/TLS connection. + */ + +int /* O - Bytes written */ +_httpTLSWrite(http_t *http, /* I - HTTP connection */ + const char *buf, /* I - Buffer holding data */ + int len) /* I - Length of buffer */ +{ + ssize_t result; /* Return value */ + OSStatus error; /* Error info */ + size_t processed; /* Number of bytes processed */ + + + DEBUG_printf(("2_httpTLSWrite(http=%p, buf=%p, len=%d)", (void *)http, (void *)buf, len)); + + error = SSLWrite(http->tls, buf, (size_t)len, &processed); + + switch (error) + { + case 0 : + result = (int)processed; + break; + + case errSSLWouldBlock : + if (processed) + { + result = (int)processed; + } + else + { + result = -1; + errno = EINTR; + } + break; + + case errSSLClosedGraceful : + default : + if (processed) + { + result = (int)processed; + } + else + { + result = -1; + errno = EPIPE; + } + break; + } + + DEBUG_printf(("3_httpTLSWrite: Returning %d.", (int)result)); + + return ((int)result); +} + + +/* + * 'http_cdsa_copy_server()' - Find and copy server credentials from the keychain. + */ + +static CFArrayRef /* O - Array of certificates or NULL */ +http_cdsa_copy_server( + const char *common_name) /* I - Server's hostname */ +{ +#if TARGET_OS_OSX + OSStatus err; /* Error info */ + SecIdentityRef identity = NULL;/* Identity */ + CFArrayRef certificates = NULL; + /* Certificate array */ + SecPolicyRef policy = NULL; /* Policy ref */ + CFStringRef cfcommon_name = NULL; + /* Server name */ + CFMutableDictionaryRef query = NULL; /* Query qualifiers */ + CFArrayRef list = NULL; /* Keychain list */ + SecKeychainRef syschain = NULL;/* System keychain */ + SecKeychainStatus status = 0; /* Keychain status */ + + + DEBUG_printf(("3http_cdsa_copy_server(common_name=\"%s\")", common_name)); + + cfcommon_name = CFStringCreateWithCString(kCFAllocatorDefault, common_name, kCFStringEncodingUTF8); + + policy = SecPolicyCreateSSL(1, cfcommon_name); + + if (!policy) + { + DEBUG_puts("4http_cdsa_copy_server: Unable to create SSL policy."); + goto cleanup; + } + + if (!(query = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks))) + { + DEBUG_puts("4http_cdsa_copy_server: Unable to create query dictionary."); + goto cleanup; + } + + _cupsMutexLock(&tls_mutex); + + err = SecKeychainGetStatus(tls_keychain, &status); + + if (err == noErr && !(status & kSecUnlockStateStatus) && tls_cups_keychain) + SecKeychainUnlock(tls_keychain, _CUPS_CDSA_PASSLEN, _CUPS_CDSA_PASSWORD, TRUE); + + CFDictionaryAddValue(query, kSecClass, kSecClassIdentity); + CFDictionaryAddValue(query, kSecMatchPolicy, policy); + CFDictionaryAddValue(query, kSecReturnRef, kCFBooleanTrue); + CFDictionaryAddValue(query, kSecMatchLimit, kSecMatchLimitOne); + + syschain = http_cdsa_open_system_keychain(); + + if (syschain) + { + const void *values[2] = { syschain, tls_keychain }; + + list = CFArrayCreate(kCFAllocatorDefault, (const void **)values, 2, &kCFTypeArrayCallBacks); + } + else + list = CFArrayCreate(kCFAllocatorDefault, (const void **)&tls_keychain, 1, &kCFTypeArrayCallBacks); + + CFDictionaryAddValue(query, kSecMatchSearchList, list); + CFRelease(list); + + err = SecItemCopyMatching(query, (CFTypeRef *)&identity); + + _cupsMutexUnlock(&tls_mutex); + + if (err != noErr) + { + DEBUG_printf(("4http_cdsa_copy_server: SecItemCopyMatching failed with status %d.", (int)err)); + goto cleanup; + } + + if (CFGetTypeID(identity) != SecIdentityGetTypeID()) + { + DEBUG_puts("4http_cdsa_copy_server: Search returned something that is not an identity."); + goto cleanup; + } + + if ((certificates = CFArrayCreate(NULL, (const void **)&identity, 1, &kCFTypeArrayCallBacks)) == NULL) + { + DEBUG_puts("4http_cdsa_copy_server: Unable to create array of certificates."); + goto cleanup; + } + + cleanup : + + if (syschain) + CFRelease(syschain); + if (identity) + CFRelease(identity); + if (policy) + CFRelease(policy); + if (cfcommon_name) + CFRelease(cfcommon_name); + if (query) + CFRelease(query); + + DEBUG_printf(("4http_cdsa_copy_server: Returning %p.", (void *)certificates)); + + return (certificates); +#else + + (void)common_name; + + if (!tls_selfsigned) + return (NULL); + + return (CFArrayCreate(NULL, (const void **)&tls_selfsigned, 1, &kCFTypeArrayCallBacks)); +#endif /* TARGET_OS_OSX */ +} + + +/* + * 'http_cdsa_create_credential()' - Create a single credential in the internal format. + */ - if (!message) -#ifdef HAVE_CSSMERRORSTRING - message = cssmErrorString(error); -#else - message = _("Unable to establish a secure connection to host."); -#endif /* HAVE_CSSMERRORSTRING */ +static SecCertificateRef /* O - Certificate */ +http_cdsa_create_credential( + http_credential_t *credential) /* I - Credential */ +{ + SecCertificateRef cert; /* Certificate */ + CFDataRef data; /* Data object */ - _cupsSetError(IPP_STATUS_ERROR_CUPS_PKI, message, 1); - return (-1); - } + if (!credential) + return (NULL); - return (0); + data = CFDataCreate(kCFAllocatorDefault, credential->data, (CFIndex)credential->datalen); + cert = SecCertificateCreateWithData(kCFAllocatorDefault, data); + CFRelease(data); + + return (cert); } +#if TARGET_OS_OSX /* - * 'http_tls_stop()' - Shut down SSL/TLS on a connection. + * 'http_cdsa_default_path()' - Get the default keychain path. */ -static void -http_tls_stop(http_t *http) /* I - HTTP connection */ +static const char * /* O - Keychain path */ +http_cdsa_default_path(char *buffer, /* I - Path buffer */ + size_t bufsize) /* I - Size of buffer */ { - while (SSLClose(http->tls) == errSSLWouldBlock) - usleep(1000); + const char *home = getenv("HOME"); /* HOME environment variable */ - CFRelease(http->tls); - if (http->tls_credentials) - CFRelease(http->tls_credentials); + /* + * Determine the default keychain path. Note that the login and system + * keychains are no longer accessible to user applications starting in macOS + * 10.11.4 (!), so we need to create our own keychain just for CUPS. + */ - http->tls = NULL; - http->tls_credentials = NULL; + if (getuid() && home) + snprintf(buffer, bufsize, "%s/.cups/ssl.keychain", home); + else + strlcpy(buffer, "/etc/cups/ssl.keychain", bufsize); + + DEBUG_printf(("1http_cdsa_default_path: Using default path \"%s\".", buffer)); + + return (buffer); } /* - * 'http_tls_write()' - Write to a SSL/TLS connection. + * 'http_cdsa_open_keychain()' - Open (or create) a keychain. */ -static int /* O - Bytes written */ -http_tls_write(http_t *http, /* I - HTTP connection */ - const char *buf, /* I - Buffer holding data */ - int len) /* I - Length of buffer */ +static SecKeychainRef /* O - Keychain or NULL */ +http_cdsa_open_keychain( + const char *path, /* I - Path to keychain */ + char *filename, /* I - Keychain filename */ + size_t filesize) /* I - Size of filename buffer */ { - ssize_t result; /* Return value */ - OSStatus error; /* Error info */ - size_t processed; /* Number of bytes processed */ + SecKeychainRef keychain = NULL;/* Temporary keychain */ + OSStatus err; /* Error code */ + Boolean interaction; /* Interaction allowed? */ + SecKeychainStatus status = 0; /* Keychain status */ - DEBUG_printf(("2http_tls_write(http=%p, buf=%p, len=%d)", http, buf, len)); + /* + * Get the keychain filename... + */ - error = SSLWrite(http->tls, buf, (size_t)len, &processed); + if (!path) + { + path = http_cdsa_default_path(filename, filesize); + tls_cups_keychain = 1; + } + else + { + strlcpy(filename, path, filesize); + tls_cups_keychain = 0; + } - switch (error) + /* + * Save the interaction setting and disable while we open the keychain... + */ + + SecKeychainGetUserInteractionAllowed(&interaction); + SecKeychainSetUserInteractionAllowed(FALSE); + + if (access(path, R_OK) && tls_cups_keychain) { - case 0 : - result = (int)processed; - break; + /* + * Create a new keychain at the given path... + */ - case errSSLWouldBlock : - if (processed) - { - result = (int)processed; - } - else - { - result = -1; - errno = EINTR; - } - break; + err = SecKeychainCreate(path, _CUPS_CDSA_PASSLEN, _CUPS_CDSA_PASSWORD, FALSE, NULL, &keychain); + } + else + { + /* + * Open the existing keychain and unlock as needed... + */ - case errSSLClosedGraceful : - default : - if (processed) - { - result = (int)processed; - } - else - { - result = -1; - errno = EPIPE; - } - break; + err = SecKeychainOpen(path, &keychain); + + if (err == noErr) + err = SecKeychainGetStatus(keychain, &status); + + if (err == noErr && !(status & kSecUnlockStateStatus) && tls_cups_keychain) + err = SecKeychainUnlock(keychain, _CUPS_CDSA_PASSLEN, _CUPS_CDSA_PASSWORD, TRUE); } - DEBUG_printf(("3http_tls_write: Returning %d.", (int)result)); + /* + * Restore interaction setting... + */ - return ((int)result); + SecKeychainSetUserInteractionAllowed(interaction); + + /* + * Release the keychain if we had any errors... + */ + + if (err != noErr) + { + /* TODO: Set cups last error string */ + DEBUG_printf(("4http_cdsa_open_keychain: Unable to open keychain (%d), returning NULL.", (int)err)); + + if (keychain) + { + CFRelease(keychain); + keychain = NULL; + } + } + + /* + * Return the keychain or NULL... + */ + + return (keychain); } -#if 0 /* - * 'cupsdEndTLS()' - Shutdown a secure session with the client. + * 'http_cdsa_open_system_keychain()' - Open the System keychain. */ -int /* O - 1 on success, 0 on error */ -cupsdEndTLS(cupsd_client_t *con) /* I - Client connection */ +static SecKeychainRef +http_cdsa_open_system_keychain(void) { - while (SSLClose(con->http.tls) == errSSLWouldBlock) - usleep(1000); + SecKeychainRef keychain = NULL;/* Temporary keychain */ + OSStatus err; /* Error code */ + Boolean interaction; /* Interaction allowed? */ + SecKeychainStatus status = 0; /* Keychain status */ - CFRelease(con->http.tls); - con->http.tls = NULL; - if (con->http.tls_credentials) - CFRelease(con->http.tls_credentials); + /* + * Save the interaction setting and disable while we open the keychain... + */ - return (1); -} + SecKeychainGetUserInteractionAllowed(&interaction); + SecKeychainSetUserInteractionAllowed(TRUE); + err = SecKeychainOpen("/Library/Keychains/System.keychain", &keychain); -/* - * 'cupsdStartTLS()' - Start a secure session with the client. - */ + if (err == noErr) + err = SecKeychainGetStatus(keychain, &status); -int /* O - 1 on success, 0 on error */ -cupsdStartTLS(cupsd_client_t *con) /* I - Client connection */ -{ - OSStatus error = 0; /* Error code */ - SecTrustRef peerTrust; /* Peer certificates */ + if (err == noErr && !(status & kSecUnlockStateStatus)) + err = errSecInteractionNotAllowed; + /* + * Restore interaction setting... + */ - cupsdLogMessage(CUPSD_LOG_DEBUG, "[Client %d] Encrypting connection.", - con->http.fd); + SecKeychainSetUserInteractionAllowed(interaction); - con->http.tls_credentials = copy_cdsa_certificate(con); + /* + * Release the keychain if we had any errors... + */ - if (!con->http.tls_credentials) + if (err != noErr) { - /* - * No keychain (yet), make a self-signed certificate... - */ + /* TODO: Set cups last error string */ + DEBUG_printf(("4http_cdsa_open_system_keychain: Unable to open keychain (%d), returning NULL.", (int)err)); - if (make_certificate(con)) - con->http.tls_credentials = copy_cdsa_certificate(con); + if (keychain) + { + CFRelease(keychain); + keychain = NULL; + } } - if (!con->http.tls_credentials) - { - cupsdLogMessage(CUPSD_LOG_ERROR, - "Could not find signing key in keychain \"%s\"", - ServerCertificate); - error = errSSLBadConfiguration; - } + /* + * Return the keychain or NULL... + */ - if (!error) - con->http.tls = SSLCreateContext(kCFAllocatorDefault, kSSLServerSide, - kSSLStreamType); + return (keychain); +} +#endif /* TARGET_OS_OSX */ - if (!error) - error = SSLSetIOFuncs(con->http.tls, http_cdsa_read, http_cdsa_write); - if (!error) - error = SSLSetConnection(con->http.tls, HTTP(con)); +/* + * 'http_cdsa_read()' - Read function for the CDSA library. + */ - if (!error) - error = SSLSetCertificate(con->http.tls, con->http.tls_credentials); +static OSStatus /* O - -1 on error, 0 on success */ +http_cdsa_read( + SSLConnectionRef connection, /* I - SSL/TLS connection */ + void *data, /* I - Data buffer */ + size_t *dataLength) /* IO - Number of bytes */ +{ + OSStatus result; /* Return value */ + ssize_t bytes; /* Number of bytes read */ + http_t *http; /* HTTP connection */ - if (!error) + + http = (http_t *)connection; + + if (!http->blocking || http->timeout_value > 0.0) { /* - * Perform SSL/TLS handshake + * Make sure we have data before we read... */ - while ((error = SSLHandshake(con->http.tls)) == errSSLWouldBlock) - usleep(1000); + while (!_httpWait(http, http->wait_value, 0)) + { + if (http->timeout_cb && (*http->timeout_cb)(http, http->timeout_data)) + continue; + + http->error = ETIMEDOUT; + return (-1); + } } - if (error) + do + { + bytes = recv(http->fd, data, *dataLength, 0); + } + while (bytes == -1 && (errno == EINTR || errno == EAGAIN)); + + if ((size_t)bytes == *dataLength) + { + result = 0; + } + else if (bytes > 0) { - cupsdLogMessage(CUPSD_LOG_ERROR, - "Unable to encrypt connection from %s - %s (%d)", - con->http.hostname, cssmErrorString(error), (int)error); + *dataLength = (size_t)bytes; + result = errSSLWouldBlock; + } + else + { + *dataLength = 0; + + if (bytes == 0) + result = errSSLClosedGraceful; + else if (errno == EAGAIN) + result = errSSLWouldBlock; + else + result = errSSLClosedAbort; + } - con->http.error = error; - con->http.status = HTTP_ERROR; + return (result); +} - if (con->http.tls) - { - CFRelease(con->http.tls); - con->http.tls = NULL; - } - if (con->http.tls_credentials) - { - CFRelease(con->http.tls_credentials); - con->http.tls_credentials = NULL; - } +/* + * 'http_cdsa_set_credentials()' - Set the TLS credentials. + */ - return (0); - } +static int /* O - Status of connection */ +http_cdsa_set_credentials(http_t *http) /* I - HTTP connection */ +{ + _cups_globals_t *cg = _cupsGlobals(); /* Pointer to library globals */ + OSStatus error = 0; /* Error code */ + http_tls_credentials_t credentials = NULL; + /* TLS credentials */ + + + DEBUG_printf(("7http_tls_set_credentials(%p)", (void *)http)); - cupsdLogMessage(CUPSD_LOG_DEBUG, "Connection from %s now encrypted.", - con->http.hostname); + /* + * Prefer connection specific credentials... + */ + + if ((credentials = http->tls_credentials) == NULL) + credentials = cg->tls_credentials; - if (!SSLCopyPeerTrust(con->http.tls, &peerTrust) && peerTrust) + if (credentials) { - cupsdLogMessage(CUPSD_LOG_DEBUG, "Received %d peer certificates.", - (int)SecTrustGetCertificateCount(peerTrust)); - CFRelease(peerTrust); + error = SSLSetCertificate(http->tls, credentials); + DEBUG_printf(("4http_tls_set_credentials: SSLSetCertificate, error=%d", + (int)error)); } else - cupsdLogMessage(CUPSD_LOG_DEBUG, "Received NO peer certificates."); + DEBUG_puts("4http_tls_set_credentials: No credentials to set."); - return (1); + return (error); } -#endif /* 0 */ /* - * End of "$Id$". + * 'http_cdsa_write()' - Write function for the CDSA library. */ + +static OSStatus /* O - -1 on error, 0 on success */ +http_cdsa_write( + SSLConnectionRef connection, /* I - SSL/TLS connection */ + const void *data, /* I - Data buffer */ + size_t *dataLength) /* IO - Number of bytes */ +{ + OSStatus result; /* Return value */ + ssize_t bytes; /* Number of bytes read */ + http_t *http; /* HTTP connection */ + + + http = (http_t *)connection; + + do + { + bytes = write(http->fd, data, *dataLength); + } + while (bytes == -1 && (errno == EINTR || errno == EAGAIN)); + + if ((size_t)bytes == *dataLength) + { + result = 0; + } + else if (bytes >= 0) + { + *dataLength = (size_t)bytes; + result = errSSLWouldBlock; + } + else + { + *dataLength = 0; + + if (errno == EAGAIN) + result = errSSLWouldBlock; + else + result = errSSLClosedAbort; + } + + return (result); +}