Clean up implementation for SSLOptions

diff --git a/cups/http-private.h b/cups/http-private.h
index 00afed0df123382687ff4076eb8068514d19d1af..c756cd0816ea30de4df774c58a1437f4b4442591 100644 (file)
--- a/cups/http-private.h
+++ b/cups/http-private.h
@@ -179,13 +179,14 @@ extern "C" {
 #define _HTTP_RESOLVE_FQDN     2       /* Resolve to a FQDN */
 #define _HTTP_RESOLVE_FAXOUT   4       /* Resolve FaxOut service? */
 
 #define _HTTP_RESOLVE_FQDN     2       /* Resolve to a FQDN */
 #define _HTTP_RESOLVE_FAXOUT   4       /* Resolve FaxOut service? */
 

-#define _HTTP_TLS_NONE         0       /* No TLS options */
-#define _HTTP_TLS_ALLOW_RC4    1       /* Allow RC4 cipher suites */
-#define _HTTP_TLS_ALLOW_SSL3   2       /* Allow SSL 3.0 */
-#define _HTTP_TLS_ALLOW_DH     4       /* Allow DH/DHE key negotiation */
-#define _HTTP_TLS_DENY_TLS10   16      /* Deny TLS 1.0 */
-#define _HTTP_TLS_DENY_CBC     32      /* Deny CBC cipher suites */
-#define _HTTP_TLS_ONLY_TLS10    64      /* Only use TLS 1.0 */
+#define _HTTP_TLS_UNCHANGED     0   /* Don't change TLS options */
+#define _HTTP_TLS_NONE          1   /* No TLS options */
+#define _HTTP_TLS_ALLOW_RC4     2   /* Allow RC4 cipher suites */
+#define _HTTP_TLS_ALLOW_SSL3    4   /* Allow SSL 3.0 */
+#define _HTTP_TLS_ALLOW_DH      8   /* Allow DH/DHE key negotiation */
+#define _HTTP_TLS_DENY_TLS10    16  /* Deny TLS 1.0 */
+#define _HTTP_TLS_DENY_CBC      32  /* Deny CBC cipher suites */
+#define _HTTP_TLS_ONLY_TLS10    64  /* Only use TLS 1.0 */

 
 
 /*
 
 
 /*


@@ -442,7 +443,7 @@ extern void         _httpTLSInitialize(void);
 extern size_t          _httpTLSPending(http_t *http);
 extern int             _httpTLSRead(http_t *http, char *buf, int len);
 extern int             _httpTLSSetCredentials(http_t *http);
 extern size_t          _httpTLSPending(http_t *http);
 extern int             _httpTLSRead(http_t *http, char *buf, int len);
 extern int             _httpTLSSetCredentials(http_t *http);

-extern void            _httpTLSSetOptions(int options);
+extern void            _httpTLSSetOptions(unsigned int options);

 extern int             _httpTLSStart(http_t *http);
 extern void            _httpTLSStop(http_t *http);
 extern int             _httpTLSWrite(http_t *http, const char *buf, int len);
 extern int             _httpTLSStart(http_t *http);
 extern void            _httpTLSStop(http_t *http);
 extern int             _httpTLSWrite(http_t *http, const char *buf, int len);

diff --git a/cups/tls-darwin.c b/cups/tls-darwin.c
index d2d3687a1134998afcb2b2419ecd8efd684598a7..1be63fc309cbc685b5b61c487c5481d9e652a2f3 100644 (file)
--- a/cups/tls-darwin.c
+++ b/cups/tls-darwin.c
@@ -36,24 +36,17 @@ extern char **environ; /* @private@ */
  * Local globals...
  */
 
  * Local globals...
  */
 

-static int             tls_auto_create = 0;
-                                       /* Auto-create self-signed certs? */
-static char            *tls_common_name = NULL;
-                                       /* Default common name */
+static int            tls_auto_create = 0;                 /* Auto-create self-signed certs? */
+static char          *tls_common_name = NULL;              /* Default common name */

 #ifdef HAVE_SECKEYCHAINOPEN
 #ifdef HAVE_SECKEYCHAINOPEN

-static int             tls_cups_keychain = 0;
-                                       /* Opened the CUPS keychain? */
-static SecKeychainRef  tls_keychain = NULL;
-                                       /* Server cert keychain */
+static int            tls_cups_keychain = 0;               /* Opened the CUPS keychain? */
+static SecKeychainRef tls_keychain = NULL;                 /* Server cert keychain */

 #else
 #else

-static SecIdentityRef  tls_selfsigned = NULL;
-                                       /* Temporary self-signed cert */
+static SecIdentityRef tls_selfsigned = NULL;               /* Temporary self-signed cert */

 #endif /* HAVE_SECKEYCHAINOPEN */
 #endif /* HAVE_SECKEYCHAINOPEN */

-static char            *tls_keypath = NULL;
-                                       /* Server cert keychain path */
-static _cups_mutex_t   tls_mutex = _CUPS_MUTEX_INITIALIZER;
-                                       /* Mutex for keychain/certs */
-static int             tls_options = -1;/* Options for TLS connections */
+static char          *tls_keypath = NULL;                  /* Server cert keychain path */
+static _cups_mutex_t  tls_mutex = _CUPS_MUTEX_INITIALIZER; /* Mutex for keychain/certs */
+static unsigned int   tls_options = _HTTP_TLS_NONE;        /* Options for TLS connections */

 
 
 /*
 
 
 /*


@@ -1139,7 +1132,7 @@ _httpTLSRead(http_t *http,                /* I - HTTP connection */
  */
 
 void
  */
 
 void

-_httpTLSSetOptions(int options)                /* I - Options */
+_httpTLSSetOptions(unsigned int options)               /* I - Options */

 {
   tls_options = options;
 }
 {
   tls_options = options;
 }


@@ -1169,7 +1162,7 @@ _httpTLSStart(http_t *http)               /* I - HTTP connection */
 
   DEBUG_printf(("3_httpTLSStart(http=%p)", (void *)http));
 
 
   DEBUG_printf(("3_httpTLSStart(http=%p)", (void *)http));
 

-  if (tls_options < 0)
+  if ((tls_options == _HTTP_TLS_UNCHANGED) || (tls_options == _HTTP_TLS_NONE))

   {
     DEBUG_puts("4_httpTLSStart: Setting defaults.");
     _cupsSetDefaults();
   {
     DEBUG_puts("4_httpTLSStart: Setting defaults.");
     _cupsSetDefaults();

diff --git a/cups/tls-gnutls.c b/cups/tls-gnutls.c
index 3f13760b2b0c3b40d3dd6e947331dda57ca6321f..379ecf9e04e96f092e21de2b9dcba8caf3dd920d 100644 (file)
--- a/cups/tls-gnutls.c
+++ b/cups/tls-gnutls.c
@@ -26,16 +26,12 @@
  * Local globals...
  */
 
  * Local globals...
  */
 

-static int             tls_auto_create = 0;
-                                       /* Auto-create self-signed certs? */
-static char            *tls_common_name = NULL;
-                                       /* Default common name */
-static gnutls_x509_crl_t tls_crl = NULL;/* Certificate revocation list */
-static char            *tls_keypath = NULL;
-                                       /* Server cert keychain path */
-static _cups_mutex_t   tls_mutex = _CUPS_MUTEX_INITIALIZER;
-                                       /* Mutex for keychain/certs */
-static int             tls_options = -1;/* Options for TLS connections */
+static int               tls_auto_create = 0;                 /* Auto-create self-signed certs? */
+static char             *tls_common_name = NULL;              /* Default common name */
+static gnutls_x509_crl_t tls_crl = NULL;                      /* Certificate revocation list */
+static char             *tls_keypath = NULL;                  /* Server cert keychain path */
+static _cups_mutex_t     tls_mutex = _CUPS_MUTEX_INITIALIZER; /* Mutex for keychain/certs */
+static unsigned int      tls_options = _HTTP_TLS_NONE;        /* Options for TLS connections */

 
 
 /*
 
 
 /*


@@ -1224,7 +1220,7 @@ _httpTLSSetCredentials(http_t *http)      /* I - Connection to server */
  */
 
 void
  */
 
 void

-_httpTLSSetOptions(int options)                /* I - Options */
+_httpTLSSetOptions(unsigned int options)               /* I - Options */

 {
   tls_options = options;
 }
 {
   tls_options = options;
 }


@@ -1248,7 +1244,7 @@ _httpTLSStart(http_t *http)               /* I - Connection to server */
 
   DEBUG_printf(("3_httpTLSStart(http=%p)", http));
 
 
   DEBUG_printf(("3_httpTLSStart(http=%p)", http));
 

-  if (tls_options < 0)
+  if ((tls_options == _HTTP_TLS_UNCHANGED) || (tls_options == _HTTP_TLS_NONE))

   {
     DEBUG_puts("4_httpTLSStart: Setting defaults.");
     _cupsSetDefaults();
   {
     DEBUG_puts("4_httpTLSStart: Setting defaults.");
     _cupsSetDefaults();


@@ -1506,21 +1502,25 @@ _httpTLSStart(http_t *http)             /* I - Connection to server */
   strlcpy(priority_string, "NORMAL", sizeof(priority_string));
 
   if (tls_options & _HTTP_TLS_DENY_TLS10)
   strlcpy(priority_string, "NORMAL", sizeof(priority_string));
 
   if (tls_options & _HTTP_TLS_DENY_TLS10)

-    strlcat(priority_string, ":+VERS-TLS-ALL:-VERS-TLS1.0:-VERS-SSL3.0", sizeof(priority_string));
+    strlcat(priority_string, ":+VERS-TLS-ALL:!VERS-TLS1.0:!VERS-SSL3.0", sizeof(priority_string));

   else if (tls_options & _HTTP_TLS_ALLOW_SSL3)
     strlcat(priority_string, ":+VERS-TLS-ALL", sizeof(priority_string));
   else if (tls_options & _HTTP_TLS_ONLY_TLS10)
   else if (tls_options & _HTTP_TLS_ALLOW_SSL3)
     strlcat(priority_string, ":+VERS-TLS-ALL", sizeof(priority_string));
   else if (tls_options & _HTTP_TLS_ONLY_TLS10)

-    strlcat(priority_string, ":-VERS-TLS-ALL:-VERS-SSL3.0:+VERS-TLS1.0", sizeof(priority_string));
+    strlcat(priority_string, ":!VERS-TLS-ALL:!VERS-SSL3.0:+VERS-TLS1.0", sizeof(priority_string));

   else
   else

-    strlcat(priority_string, ":+VERS-TLS-ALL:-VERS-SSL3.0", sizeof(priority_string));
+    strlcat(priority_string, ":+VERS-TLS-ALL:!VERS-SSL3.0", sizeof(priority_string));

 
 

-  if (!(tls_options & _HTTP_TLS_ALLOW_RC4))
-    strlcat(priority_string, ":-ARCFOUR-128", sizeof(priority_string));
+  if (tls_options & _HTTP_TLS_ALLOW_RC4)
+    strlcat(priority_string, ":+ARCFOUR-128", sizeof(priority_string));
+  else
+    strlcat(priority_string, ":!ARCFOUR-128", sizeof(priority_string));

 
 

-  if (!(tls_options & _HTTP_TLS_ALLOW_DH))
+  if (tls_options & _HTTP_TLS_ALLOW_DH)
+    strlcat(priority_string, ":+ANON-DH", sizeof(priority_string));
+  else

     strlcat(priority_string, ":!ANON-DH", sizeof(priority_string));
 
     strlcat(priority_string, ":!ANON-DH", sizeof(priority_string));
 

-  if (!(tls_options & _HTTP_TLS_DENY_CBC))
+  if (tls_options & _HTTP_TLS_DENY_CBC)

     strlcat(priority_string, ":!AES-128-CBC:!AES-256-CBC:!CAMELLIA-128-CBC:!CAMELLIA-256-CBC:!3DES-CBC", sizeof(priority_string));
 
 #ifdef HAVE_GNUTLS_PRIORITY_SET_DIRECT
     strlcat(priority_string, ":!AES-128-CBC:!AES-256-CBC:!CAMELLIA-128-CBC:!CAMELLIA-256-CBC:!3DES-CBC", sizeof(priority_string));
 
 #ifdef HAVE_GNUTLS_PRIORITY_SET_DIRECT

diff --git a/cups/tls-sspi.c b/cups/tls-sspi.c
index 77b883b2297622eb03ffebccf5fac6fee1642b1b..80c8cfe1257217a612fc0121ef29035191a1a3b6 100644 (file)
--- a/cups/tls-sspi.c
+++ b/cups/tls-sspi.c
@@ -52,7 +52,7 @@
  * Local globals...
  */
 
  * Local globals...
  */
 

-static int             tls_options = -1;/* Options for TLS connections */
+static unsigned int tls_options = _HTTP_TLS_NONE; /* Options for TLS connections */

 
 
 /*
 
 
 /*


@@ -911,7 +911,7 @@ _httpTLSRead(http_t *http,          /* I - HTTP connection */
  */
 
 void
  */
 
 void

-_httpTLSSetOptions(int options)                /* I - Options */
+_httpTLSSetOptions(unsigned int options)               /* I - Options */

 {
   tls_options = options;
 }
 {
   tls_options = options;
 }


@@ -930,7 +930,7 @@ _httpTLSStart(http_t *http)         /* I - HTTP connection */
 
   DEBUG_printf(("3_httpTLSStart(http=%p)", http));
 
 
   DEBUG_printf(("3_httpTLSStart(http=%p)", http));
 

-  if (tls_options < 0)
+  if ((tls_options == _HTTP_TLS_UNCHANGED) || (tls_options == _HTTP_TLS_NONE))

   {
     DEBUG_puts("4_httpTLSStart: Setting defaults.");
     _cupsSetDefaults();
   {
     DEBUG_puts("4_httpTLSStart: Setting defaults.");
     _cupsSetDefaults();

diff --git a/cups/usersys.c b/cups/usersys.c
index 026b4a7cc493760193de0b93d989b4784b6066f8..38e412d2e7ea9e7ea5043ca9ec2b6bd2101795cf 100644 (file)
--- a/cups/usersys.c
+++ b/cups/usersys.c
@@ -957,7 +957,10 @@ _cupsSetDefaults(void)
     cg->validate_certs = cc.validate_certs;
 
 #ifdef HAVE_SSL
     cg->validate_certs = cc.validate_certs;
 
 #ifdef HAVE_SSL

-  _httpTLSSetOptions(cc.ssl_options);
+  if (cc.ssl_options != _HTTP_TLS_UNCHANGED)
+  {
+    _httpTLSSetOptions(cc.ssl_options);
+  }

 #endif /* HAVE_SSL */
 }
 
 #endif /* HAVE_SSL */
 }
 


@@ -1336,10 +1339,10 @@ cups_set_ssl_options(
   * SSLOptions [AllowRC4] [AllowSSL3] [AllowDH] [DenyTLS1.0] [None]
   */
 
   * SSLOptions [AllowRC4] [AllowSSL3] [AllowDH] [DenyTLS1.0] [None]
   */
 

-  int  options = _HTTP_TLS_NONE;       /* SSL/TLS options */
-  char temp[256],                      /* Copy of value */
-       *start,                         /* Start of option */
-       *end;                           /* End of option */
+  unsigned int options = _HTTP_TLS_UNCHANGED; /* SSL/TLS options */
+  char         temp[256],                     /* Copy of value */
+              *start,                         /* Start of option */
+              *end;                           /* End of option */

 
 
   strlcpy(temp, value, sizeof(temp));
 
 
   strlcpy(temp, value, sizeof(temp));

diff --git a/doc/help/man-cupsd.conf.html b/doc/help/man-cupsd.conf.html
index 908234855edfe7bdab4bbedce2e77a35aa7f8633..1a22a8618d8557ebc636a98d56926c20d047b732 100644 (file)
--- a/doc/help/man-cupsd.conf.html
+++ b/doc/help/man-cupsd.conf.html
@@ -283,9 +283,9 @@ The default is "Minimal".
 <dd style="margin-left: 5.0em"><dt><b>SSLOptions None</b>
 <dd style="margin-left: 5.0em">Sets encryption options.
 By default, CUPS only supports encryption using TLS v1.0 or higher using known secure cipher suites.
 <dd style="margin-left: 5.0em"><dt><b>SSLOptions None</b>
 <dd style="margin-left: 5.0em">Sets encryption options.
 By default, CUPS only supports encryption using TLS v1.0 or higher using known secure cipher suites.

-The <i>AllowDH</i> option enables cipher suites using plain Diffie-Hellman key negotiation.
-The <i>AllowRC4</i> option enables the 128-bit RC4 cipher suites, which are required for some older clients that do not implement newer ones.
-The <i>AllowSSL3</i> option enables SSL v3.0, which is required for some older clients that do not support TLS v1.0.
+The <i>AllowDH</i> option enables cipher suites using the horribly insecure anonymous Diffie-Hellman key negotiation which is vulnerable to man-in-the-middle attacks.
+The <i>AllowRC4</i> option enables the insecure 128-bit RC4 cipher suites, which are required for some older clients that do not implement newer ones.
+The <i>AllowSSL3</i> option enables the insecure SSL v3.0 protocol, which is required for some older clients that do not support TLS v1.0.

 The <i>DenyCBC</i> option disables all CBC cipher suites.
 The <i>DenyTLS1.0</i> option disables TLS v1.0 support - this sets the minimum protocol version to TLS v1.1.
 <dt><a name="SSLPort"></a><b>SSLPort </b><i>port</i>
 The <i>DenyCBC</i> option disables all CBC cipher suites.
 The <i>DenyTLS1.0</i> option disables TLS v1.0 support - this sets the minimum protocol version to TLS v1.1.
 <dt><a name="SSLPort"></a><b>SSLPort </b><i>port</i>

diff --git a/man/cupsd.conf.man.in b/man/cupsd.conf.man.in
index 918bbee7aa1333a47f98b765dcda9a125f71f74f..6e9690b43f0b0dda447fa91364384c38faca6267 100644 (file)
--- a/man/cupsd.conf.man.in
+++ b/man/cupsd.conf.man.in
@@ -445,9 +445,9 @@ Listens on the specified address and port for encrypted connections.
 \fBSSLOptions None\fR
 Sets encryption options.
 By default, CUPS only supports encryption using TLS v1.0 or higher using known secure cipher suites.
 \fBSSLOptions None\fR
 Sets encryption options.
 By default, CUPS only supports encryption using TLS v1.0 or higher using known secure cipher suites.

-The \fIAllowDH\fR option enables cipher suites using plain Diffie-Hellman key negotiation.
-The \fIAllowRC4\fR option enables the 128-bit RC4 cipher suites, which are required for some older clients that do not implement newer ones.
-The \fIAllowSSL3\fR option enables SSL v3.0, which is required for some older clients that do not support TLS v1.0.
+The \fIAllowDH\fR option enables cipher suites using the horribly insecure anonymous Diffie-Hellman key negotiation which is vulnerable to man-in-the-middle attacks.
+The \fIAllowRC4\fR option enables the insecure 128-bit RC4 cipher suites, which are required for some older clients that do not implement newer ones.
+The \fIAllowSSL3\fR option enables the insecure SSL v3.0 protocol, which is required for some older clients that do not support TLS v1.0.

 The \fIDenyCBC\fR option disables all CBC cipher suites.
 The \fIDenyTLS1.0\fR option disables TLS v1.0 support - this sets the minimum protocol version to TLS v1.1.
 .\"#SSLPort
 The \fIDenyCBC\fR option disables all CBC cipher suites.
 The \fIDenyTLS1.0\fR option disables TLS v1.0 support - this sets the minimum protocol version to TLS v1.1.
 .\"#SSLPort