Add code to validate trust when printing via the IPP backend.

author msweet <msweet@a1ca3aef-8c08-0410-bb20-df032aa958be>

Wed, 7 May 2014 23:55:35 +0000 (23:55 +0000)

committer msweet <msweet@a1ca3aef-8c08-0410-bb20-df032aa958be>

Wed, 7 May 2014 23:55:35 +0000 (23:55 +0000)
author msweet <msweet@a1ca3aef-8c08-0410-bb20-df032aa958be>
Wed, 7 May 2014 23:55:35 +0000 (23:55 +0000)
committer msweet <msweet@a1ca3aef-8c08-0410-bb20-df032aa958be>
Wed, 7 May 2014 23:55:35 +0000 (23:55 +0000)
diff --git a/backend/ipp.c b/backend/ipp.c

index eb61b4769c4748fb7d443c3b271234486ab8de58..ba4189f4fe3d882205ed18b107ea929f28156c1d 100644 (file)
--- a/backend/ipp.c
+++ b/backend/ipp.c
@@ -679,6 +679,32 @@ main(int  argc,                            /* I - Number of command-line args */
                        0, NULL);
    httpSetTimeout(http, 30.0, timeout_cb, NULL);
  
+  if (httpIsEncrypted(http))
+  {
+   /*
+    * Validate TLS credentials...
+    */
+
+    cups_array_t       *creds;         /* TLS credentials */
+    http_trust_t       trust;          /* Trust level */
+    static const char  *trusts[] = { NULL, "+cups-pki-invalid", "+cups-pki-changed", "+cups-pki-expired", NULL, "+cups-pki-unknown" };
+                                       /* Trust keywords */
+
+    if (!httpCopyCredentials(http, &creds))
+    {
+      trust = httpCredentialsGetTrust(creds, hostname);
+
+      update_reasons(NULL, "-cups-pki-invalid,cups-pki-changed,cups-pki-expired,cups-pki-unknown");
+      if (trusts[trust])
+      {
+        update_reasons(NULL, trusts[trust]);
+        return (CUPS_BACKEND_STOP);
+      }
+
+      httpFreeCredentials(creds);
+    }
+  }
+
   /*
    * See if the printer supports SNMP...
    */
diff --git a/cups/cups-private.h b/cups/cups-private.h

index f4c075c5656c0fecc26e708f1fff1294700270d9..8e2d69295c7d5f686e368128147595ba53e6566f 100644 (file)
--- a/cups/cups-private.h
+++ b/cups/cups-private.h
@@ -167,7 +167,8 @@ typedef struct _cups_globals_s              /**** CUPS global state data ****/
                                         /* Server certificate user data */
    int                  server_version, /* Server IPP version */
                         any_root,       /* Allow any (e.g., self-signed) root */
-                       expired_certs;  /* Allow expired certs */
+                       expired_certs,  /* Allow expired certs */
+                       validate_certs; /* Validate certificates */
  
    /* util.c */
    char                 def_printer[256];
diff --git a/cups/globals.c b/cups/globals.c

index 724c961d868c950eba81a24b652c801afcefc5af..df742c4077754a1952f75447bf40dc6ac41594a0 100644 (file)
--- a/cups/globals.c
+++ b/cups/globals.c
@@ -218,6 +218,7 @@ cups_globals_alloc(void)
    cg->password_cb    = (cups_password_cb2_t)_cupsGetPassword;
    cg->any_root       = 1;
    cg->expired_certs  = 1;
+  cg->validate_certs = 0;
  
  #ifdef DEBUG
   /*
diff --git a/cups/tls-darwin.c b/cups/tls-darwin.c

index 61b71a7ce2ef592e4db468026de7951cb90164c3..81f5106022df54a2a48334bb5159c0a94254720c 100644 (file)
--- a/cups/tls-darwin.c
+++ b/cups/tls-darwin.c
@@ -579,7 +579,7 @@ httpCredentialsGetTrust(
  
      httpFreeCredentials(tcreds);
    }
-  else if (!httpCredentialsAreValidForName(credentials, common_name))
+  else if (cg->validate_certs && !httpCredentialsAreValidForName(credentials, common_name))
      trust = HTTP_TRUST_INVALID;
  
    if (!cg->expired_certs && !SecCertificateIsValid(secCert, CFAbsoluteTimeGetCurrent()))
diff --git a/cups/usersys.c b/cups/usersys.c

index aa4127c7e0f2a6891ab071fae3923d2c036ab576..22d0f3464d6a6c91d25c057e033f6742c9e7fe5c 100644 (file)
--- a/cups/usersys.c
+++ b/cups/usersys.c
@@ -51,7 +51,8 @@ static void   cups_read_client_conf(cups_file_t *fp,
                                        const char *cups_gssservicename,
  #endif /* HAVE_GSSAPI */
                                       const char *cups_anyroot,
-                                     const char *cups_expiredcerts);
+                                     const char *cups_expiredcerts,
+                                     const char *cups_validatecerts);
  
  
  /*
@@ -830,7 +831,8 @@ _cupsSetDefaults(void)
                 *cups_gssservicename,   /* CUPS_GSSSERVICENAME env var */
  #endif /* HAVE_GSSAPI */
                 *cups_anyroot,          /* CUPS_ANYROOT env var */
-               *cups_expiredcerts;     /* CUPS_EXPIREDCERTS env var */
+               *cups_expiredcerts,     /* CUPS_EXPIREDCERTS env var */
+               *cups_validatecerts;    /* CUPS_VALIDATECERTS env var */
    char         filename[1024];         /* Filename */
    _cups_globals_t *cg = _cupsGlobals();        /* Pointer to library globals */
  
@@ -848,6 +850,7 @@ _cupsSetDefaults(void)
  #endif /* HAVE_GSSAPI */
    cups_anyroot       = getenv("CUPS_ANYROOT");
    cups_expiredcerts   = getenv("CUPS_EXPIREDCERTS");
+  cups_validatecerts  = getenv("CUPS_VALIDATECERTS");
  
    if ((cups_user = getenv("CUPS_USER")) == NULL)
    {
@@ -916,7 +919,7 @@ _cupsSetDefaults(void)
  #ifdef HAVE_GSSAPI
                           cups_gssservicename,
  #endif /* HAVE_GSSAPI */
-                         cups_anyroot, cups_expiredcerts);
+                         cups_anyroot, cups_expiredcerts, cups_validatecerts);
      cupsFileClose(fp);
    }
  }
@@ -938,7 +941,8 @@ cups_read_client_conf(
                                         /* I - CUPS_GSSSERVICENAME env var */
  #endif /* HAVE_GSSAPI */
      const char     *cups_anyroot,      /* I - CUPS_ANYROOT env var */
-    const char     *cups_expiredcerts) /* I - CUPS_EXPIREDCERTS env var */
+    const char     *cups_expiredcerts, /* I - CUPS_EXPIREDCERTS env var */
+    const char      *cups_validatecerts)/* I - CUPS_VALIDATECERTS env var */
  {
    int  linenum;                        /* Current line number */
    char line[1024],                     /* Line from file */
@@ -949,7 +953,8 @@ cups_read_client_conf(
  #endif /* !__APPLE__ */
         user[256],                      /* User value */
         any_root[1024],                 /* AllowAnyRoot value */
-       expired_certs[1024];            /* AllowExpiredCerts value */
+       expired_certs[1024],            /* AllowExpiredCerts value */
+       validate_certs[1024];           /* ValidateCerts value */
  #ifdef HAVE_GSSAPI
    char gss_service_name[32];           /* GSSServiceName value */
  #endif /* HAVE_GSSAPI */
@@ -996,6 +1001,11 @@ cups_read_client_conf(
        strlcpy(expired_certs, value, sizeof(expired_certs));
        cups_expiredcerts = expired_certs;
      }
+    else if (!cups_validatecerts && !_cups_strcasecmp(line, "ValidateCerts") && value)
+    {
+      strlcpy(validate_certs, value, sizeof(validate_certs));
+      cups_validatecerts = validate_certs;
+    }
  #ifdef HAVE_GSSAPI
      else if (!cups_gssservicename && !_cups_strcasecmp(line, "GSSServiceName") &&
               value)
@@ -1118,6 +1128,11 @@ cups_read_client_conf(
      cg->expired_certs = !_cups_strcasecmp(cups_expiredcerts, "yes") ||
                         !_cups_strcasecmp(cups_expiredcerts, "on")  ||
                         !_cups_strcasecmp(cups_expiredcerts, "true");
+
+  if (cups_validatecerts)
+    cg->validate_certs = !_cups_strcasecmp(cups_validatecerts, "yes") ||
+                        !_cups_strcasecmp(cups_validatecerts, "on")  ||
+                        !_cups_strcasecmp(cups_validatecerts, "true");
  }
  
  
diff --git a/man/client.conf.man.in b/man/client.conf.man.in

index 9affb57350115d94608c7f562d350cf1f34b9410..6d1a5a14e84cfc3108d4c5a0747849b148ac2bf6 100644 (file)
--- a/man/client.conf.man.in
+++ b/man/client.conf.man.in
@@ -12,7 +12,7 @@
  .\" which should have been included with this file.  If this file is
  .\" file is missing or damaged, see the license at "http://www.cups.org/".
  .\"
-.TH client.conf 5 "CUPS" "16 April 2014" "Apple Inc."
+.TH client.conf 5 "CUPS" "7 May 2014" "Apple Inc."
  .SH NAME
  client.conf \- client configuration file for cups (deprecated)
  .SH DESCRIPTION
@@ -24,17 +24,17 @@ The \fBServerName\fR directive is not supported on OS X at all.
  .SS DIRECTIVES
  The following directives are understood by the client. Consult the online help for detailed descriptions:
  .TP 5
-\fBAllowAnyRoot Y\fR
+\fBAllowAnyRoot Yes\fR
  .TP 5
-\fBAllowAnyRoot N\fR
+\fBAllowAnyRoot No\fR
  Specifies whether to allow TLS with certificates that have not been signed by a trusted Certificate Authority.
-The default is "Y".
+The default is "Yes".
  .TP 5
-\fBAllowExpiredCerts Y\fR
+\fBAllowExpiredCerts Yes\fR
  .TP 5
-\fBAllowExpiredCerts N\fR
+\fBAllowExpiredCerts No\fR
  Specifies whether to allow TLS with expired certificates.
-The default is "Y".
+The default is "Yes".
  .TP 5
  \fBEncryption IfRequested\fR
  .TP 5
@@ -58,6 +58,12 @@ Specifies the address and optionally the port to use when connecting to a server
  .TP 5
  \fBUser \fIname\fR
  Specifies the default user name to use for requests.
+.TP 5
+\fBValidateCerts Yes\fR
+.TP 5
+\fBValidateCerts No\fR
+Specifies whether to only allow TLS with certificates whose common name matches the hostname.
+The default is "No".
  .SH NOTES
  The \fBclient.conf\fR file is deprecated and will no longer be supported in a future version of CUPS.
  .SH SEE ALSO
author	msweet <msweet@a1ca3aef-8c08-0410-bb20-df032aa958be>
	Wed, 7 May 2014 23:55:35 +0000 (23:55 +0000)
committer	msweet <msweet@a1ca3aef-8c08-0410-bb20-df032aa958be>
	Wed, 7 May 2014 23:55:35 +0000 (23:55 +0000)
backend/ipp.c		patch \| blob \| blame \| history
cups/cups-private.h		patch \| blob \| blame \| history
cups/globals.c		patch \| blob \| blame \| history
cups/tls-darwin.c		patch \| blob \| blame \| history
cups/usersys.c		patch \| blob \| blame \| history
man/client.conf.man.in		patch \| blob \| blame \| history