locale/checkpo
locale/po2strings
locale/strings2po
-man/client.conf.man
-man/cups-files.conf.man
-man/cups-lpd.man
-man/cups-snmp.man
-man/cupsaddsmb.man
-man/cupsd.conf.man
-man/cupsd.man
-man/lpoptions.man
man/mantohtml
monitor/bcp
monitor/tbcp
- Fixed a crash bug in the web interface (Issue #5621)
- PPD files containing "custom" option keywords did not work (Issue #5639)
- Added a workaround for the scheduler's systemd support (Issue #5640)
-- Fixed spelling of "fold-accordion".
-- Fixed the default common name for TLS certificates used by `ippeveprinter`.
+- Added a DigestOptions directive for the `client.conf` file to control whether
+ MD5-based Digest authentication is allowed (Issue #5647)
- Fixed a bug in the handling of printer resource files (Issue #5652)
- The libusb-based USB backend now reports an error when the distribution
permissions are wrong (Issue #5658)
- Added paint can labels to Dymo driver (Issue #5662)
- The IPP backend did not detect all cases where a job should be retried using
a raster format (rdar://56021091)
+- Fixed spelling of "fold-accordion".
+- Fixed the default common name for TLS certificates used by `ippeveprinter`.
Changes in CUPS v2.3.0
if (_httpSetDigestAuthString(http, nonce, method, resource))
{
- DEBUG_puts("2cupsDoAuthentication: Using Basic.");
+ DEBUG_puts("2cupsDoAuthentication: Using Digest.");
break;
}
}
*end; /* End of buffer */
} _cups_raster_error_t;
+typedef enum _cups_digestoptions_e /**** Digest Options values */
+{
+ _CUPS_DIGESTOPTIONS_NONE, /* No Digest authentication options */
+ _CUPS_DIGESTOPTIONS_DENYMD5 /* Do not use MD5 hashes for digest */
+} _cups_digestoptions_t;
+
typedef enum _cups_uatokens_e /**** UserAgentTokens values */
{
_CUPS_UATOKENS_NONE, /* Do not send User-Agent */
char tempfile[1024]; /* cupsTempFd/File buffer */
/* usersys.c */
+ _cups_digestoptions_t digestoptions; /* DigestOptions setting */
_cups_uatokens_t uatokens; /* UserAgentTokens setting */
http_encryption_t encryption; /* Encryption setting */
char user[65], /* User name */
/*
* HTTP support routines for CUPS.
*
- * Copyright 2007-2018 by Apple Inc.
+ * Copyright 2007-2019 by Apple Inc.
* Copyright 1997-2007 by Easy Software Products, all rights reserved.
*
* Licensed under Apache License v2.0. See the file "LICENSE" for more
digest[1024]; /* Digest auth data */
unsigned char hash[32]; /* Hash buffer */
size_t hashsize; /* Size of hash */
+ _cups_globals_t *cg = _cupsGlobals(); /* Per-thread globals */
DEBUG_printf(("2_httpSetDigestAuthString(http=%p, nonce=\"%s\", method=\"%s\", resource=\"%s\")", (void *)http, nonce, method, resource));
* RFC 2617 Digest with MD5
*/
+ if (cg->digestoptions == _CUPS_DIGESTOPTIONS_DENYMD5)
+ {
+ DEBUG_puts("3_httpSetDigestAuthString: MD5 Digest is disabled.");
+ return (0);
+ }
+
hashalg = "md5";
}
else if (!_cups_strcasecmp(http->algorithm, "SHA-256"))
# define kCUPSPrintingPrefs CFSTR(".GlobalPreferences")
# define kPREFIX "AirPrint"
# endif /* TARGET_OS_OSX */
+# define kDigestOptionsKey CFSTR(kPREFIX "DigestOptions")
+# define kUserKey CFSTR(kPREFIX "User")
# define kUserAgentTokensKey CFSTR(kPREFIX "UserAgentTokens")
# define kAllowAnyRootKey CFSTR(kPREFIX "AllowAnyRoot")
# define kAllowExpiredCertsKey CFSTR(kPREFIX "AllowExpiredCerts")
typedef struct _cups_client_conf_s /**** client.conf config data ****/
{
+ _cups_digestoptions_t digestoptions; /* DigestOptions values */
_cups_uatokens_t uatokens; /* UserAgentTokens values */
#ifdef HAVE_SSL
int ssl_options, /* SSLOptions values */
static void cups_init_client_conf(_cups_client_conf_t *cc);
static void cups_read_client_conf(cups_file_t *fp, _cups_client_conf_t *cc);
static void cups_set_default_ipp_port(_cups_globals_t *cg);
+static void cups_set_digestoptions(_cups_client_conf_t *cc, const char *value);
static void cups_set_encryption(_cups_client_conf_t *cc, const char *value);
#ifdef HAVE_GSSAPI
static void cups_set_gss_service_name(_cups_client_conf_t *cc, const char *value);
cc->validate_certs = bval;
# endif /* HAVE_SSL */
+ if (cups_apple_get_string(kDigestOptionsKey, sval, sizeof(sval)))
+ cups_set_digestoptions(cc, sval);
+
+ if (cups_apple_get_string(kUserKey, sval, sizeof(sval)))
+ strlcpy(cc->user, sval, sizeof(cc->user));
+
if (cups_apple_get_string(kUserAgentTokensKey, sval, sizeof(sval)))
- {
cups_set_uatokens(cc, sval);
- }
#endif /* __APPLE__ */
}
linenum = 0;
while (cupsFileGetConf(fp, line, sizeof(line), &value, &linenum))
{
- if (!_cups_strcasecmp(line, "Encryption") && value)
+ if (!_cups_strcasecmp(line, "DigestOptions") && value)
+ cups_set_digestoptions(cc, value);
+ else if (!_cups_strcasecmp(line, "Encryption") && value)
cups_set_encryption(cc, value);
#ifndef __APPLE__
/*
cg->ipp_port = CUPS_DEFAULT_IPP_PORT;
}
+
+/*
+ * 'cups_set_digestoptions()' - Set the DigestOptions value.
+ */
+
+static void
+cups_set_digestoptions(
+ _cups_client_conf_t *cc, /* I - client.conf values */
+ const char *value) /* I - Value */
+{
+ if (!_cups_strcasecmp(value, "DenyMD5"))
+ cc->digestoptions = _CUPS_DIGESTOPTIONS_DENYMD5;
+ else if (!_cups_strcasecmp(value, "None"))
+ cc->digestoptions = _CUPS_DIGESTOPTIONS_NONE;
+}
+
+
/*
* 'cups_set_encryption()' - Set the Encryption value.
*/
<h3><a name="DIRECTIVES">Directives</a></h3>
The following directives are understood by the client. Consult the online help for detailed descriptions:
<dl class="man">
-<dt><b>AllowAnyRoot Yes</b>
+<dt><a name="AllowAnyRoot"></a><b>AllowAnyRoot Yes</b>
<dd style="margin-left: 5.0em"><dt><b>AllowAnyRoot No</b>
<dd style="margin-left: 5.0em">Specifies whether to allow TLS with certificates that have not been signed by a trusted Certificate Authority.
The default is "Yes".
-<dt><b>AllowExpiredCerts Yes</b>
+<dt><a name="AllowExpiredCerts"></a><b>AllowExpiredCerts Yes</b>
<dd style="margin-left: 5.0em"><dt><b>AllowExpiredCerts No</b>
<dd style="margin-left: 5.0em">Specifies whether to allow TLS with expired certificates.
The default is "No".
-<dt><b>Encryption IfRequested</b>
+<dt><a name="DigestOptions"></a><b>DigestOptions DenyMD5</b>
+<dd style="margin-left: 5.0em"><dt><b>DigestOptions None</b>
+<dd style="margin-left: 5.0em">Specifies HTTP Digest authentication options.
+<b>DenyMD5</b> disables support for the original MD5 hash algorithm.
+<dt><a name="Encryption"></a><b>Encryption IfRequested</b>
<dd style="margin-left: 5.0em"><dt><b>Encryption Never</b>
<dd style="margin-left: 5.0em"><dt><b>Encryption Required</b>
<dd style="margin-left: 5.0em">Specifies the level of encryption that should be used.
-<dt><b>GSSServiceName </b><i>name</i>
+<dt><a name="GSSServiceName"></a><b>GSSServiceName </b><i>name</i>
<dd style="margin-left: 5.0em">Specifies the Kerberos service name that is used for authentication, typically "host", "http", or "ipp".
CUPS adds the remote hostname ("name@server.example.com") for you. The default name is "http".
-<dt><b>ServerName </b><i>hostname-or-ip-address</i>[<i>:port</i>]
+<dt><a name="ServerName"></a><b>ServerName </b><i>hostname-or-ip-address</i>[<i>:port</i>]
<dd style="margin-left: 5.0em"><dt><b>ServerName </b><i>/domain/socket</i>
<dd style="margin-left: 5.0em">Specifies the address and optionally the port to use when connecting to the server.
<b>Note: This directive is not supported on macOS 10.7 or later.</b>
<dt><b>ServerName </b><i>hostname-or-ip-address</i>[<i>:port</i>]<b>/version=1.1</b>
<dd style="margin-left: 5.0em">Specifies the address and optionally the port to use when connecting to a server running CUPS 1.3.12 and earlier.
-<dt><b>SSLOptions </b>[<i>AllowDH</i>] [<i>AllowRC4</i>] [<i>AllowSSL3</i>] [<i>DenyCBC</i>] [<i>DenyTLS1.0</i>] [<i>MaxTLS1.0</i>] [<i>MaxTLS1.1</i>] [<i>MaxTLS1.2</i>] [<i>MaxTLS1.3</i>] [<i>MinTLS1.0</i>] [<i>MinTLS1.1</i>] [<i>MinTLS1.2</i>] [<i>MinTLS1.3</i>]
+<dt><a name="SSLOptions"></a><b>SSLOptions </b>[<i>AllowDH</i>] [<i>AllowRC4</i>] [<i>AllowSSL3</i>] [<i>DenyCBC</i>] [<i>DenyTLS1.0</i>] [<i>MaxTLS1.0</i>] [<i>MaxTLS1.1</i>] [<i>MaxTLS1.2</i>] [<i>MaxTLS1.3</i>] [<i>MinTLS1.0</i>] [<i>MinTLS1.1</i>] [<i>MinTLS1.2</i>] [<i>MinTLS1.3</i>]
<dd style="margin-left: 5.0em"><dt><b>SSLOptions None</b>
<dd style="margin-left: 5.0em">Sets encryption options (only in /etc/cups/client.conf).
By default, CUPS only supports encryption using TLS v1.0 or higher using known secure cipher suites.
The <i>MinTLS</i> options set the minimum TLS version to support.
The <i>MaxTLS</i> options set the maximum TLS version to support.
Not all operating systems support TLS 1.3 at this time.
-<dt><b>TrustOnFirstUse Yes</b>
+<dt><a name="TrustOnFirstUse"></a><b>TrustOnFirstUse Yes</b>
<dd style="margin-left: 5.0em"><dt><b>TrustOnFirstUse No</b>
<dd style="margin-left: 5.0em">Specifies whether to trust new TLS certificates by default.
The default is "Yes".
-<dt><b>User </b><i>name</i>
+<dt><a name="User"></a><b>User </b><i>name</i>
<dd style="margin-left: 5.0em">Specifies the default user name to use for requests.
<dt><a name="UserAgentTokens"></a><b>UserAgentTokens None</b>
<dd style="margin-left: 5.0em"><dt><b>UserAgentTokens ProductOnly</b>
"OS" reports "CUPS/major.minor.path (osname osversion) IPP/2.1".
"Full" reports "CUPS/major.minor.path (osname osversion; architecture) IPP/2.1".
The default is "Minimal".
-<dt><b>ValidateCerts Yes</b>
+<dt><a name="ValidateCerts"></a><b>ValidateCerts Yes</b>
<dd style="margin-left: 5.0em"><dt><b>ValidateCerts No</b>
<dd style="margin-left: 5.0em">Specifies whether to only allow TLS with certificates whose common name matches the hostname.
The default is "No".
.\" Licensed under Apache License v2.0. See the file "LICENSE" for more
.\" information.
.\"
-.TH client.conf 5 "CUPS" "26 April 2019" "Apple Inc."
+.TH client.conf 5 "CUPS" "15 October 2019" "Apple Inc."
.SH NAME
client.conf \- client configuration file for cups (deprecated on macos)
.SH DESCRIPTION
See the NOTES section below for more information.
.SS DIRECTIVES
The following directives are understood by the client. Consult the online help for detailed descriptions:
+.\"#AllowAnyRoot
.TP 5
\fBAllowAnyRoot Yes\fR
.TP 5
\fBAllowAnyRoot No\fR
Specifies whether to allow TLS with certificates that have not been signed by a trusted Certificate Authority.
The default is "Yes".
+.\"#AllowExpiredCerts
.TP 5
\fBAllowExpiredCerts Yes\fR
.TP 5
\fBAllowExpiredCerts No\fR
Specifies whether to allow TLS with expired certificates.
The default is "No".
+.\"#DigestOptions
+.TP 5
+\fBDigestOptions DenyMD5\fR
+.TP 5
+\fBDigestOptions None\fR
+Specifies HTTP Digest authentication options.
+\fBDenyMD5\fR disables support for the original MD5 hash algorithm.
+.\"#Encryption
.TP 5
\fBEncryption IfRequested\fR
.TP 5
.TP 5
\fBEncryption Required\fR
Specifies the level of encryption that should be used.
+.\"#GSSServiceName
.TP 5
\fBGSSServiceName \fIname\fR
Specifies the Kerberos service name that is used for authentication, typically "host", "http", or "ipp".
CUPS adds the remote hostname ("name@server.example.com") for you. The default name is "http".
+.\"#ServerName
.TP 5
\fBServerName \fIhostname-or-ip-address\fR[\fI:port\fR]
.TP 5
.TP 5
\fBServerName \fIhostname-or-ip-address\fR[\fI:port\fR]\fB/version=1.1\fR
Specifies the address and optionally the port to use when connecting to a server running CUPS 1.3.12 and earlier.
+.\"#SSLOptions
.TP 5
\fBSSLOptions \fR[\fIAllowDH\fR] [\fIAllowRC4\fR] [\fIAllowSSL3\fR] [\fIDenyCBC\fR] [\fIDenyTLS1.0\fR] [\fIMaxTLS1.0\fR] [\fIMaxTLS1.1\fR] [\fIMaxTLS1.2\fR] [\fIMaxTLS1.3\fR] [\fIMinTLS1.0\fR] [\fIMinTLS1.1\fR] [\fIMinTLS1.2\fR] [\fIMinTLS1.3\fR]
.TP 5
The \fIMinTLS\fR options set the minimum TLS version to support.
The \fIMaxTLS\fR options set the maximum TLS version to support.
Not all operating systems support TLS 1.3 at this time.
+.\"#TrustOnFirstUse
.TP 5
\fBTrustOnFirstUse Yes\fR
.TP 5
\fBTrustOnFirstUse No\fR
Specifies whether to trust new TLS certificates by default.
The default is "Yes".
+.\"#User
.TP 5
\fBUser \fIname\fR
Specifies the default user name to use for requests.
"OS" reports "CUPS/major.minor.path (osname osversion) IPP/2.1".
"Full" reports "CUPS/major.minor.path (osname osversion; architecture) IPP/2.1".
The default is "Minimal".
+.\"#ValidateCerts
.TP 5
\fBValidateCerts Yes\fR
.TP 5