From: Michael R Sweet
Date: Tue, 29 Mar 2022 21:42:04 +0000 (-0400)
Subject: Save work on certificate support code and tlscheck.
X-Git-Tag: v2.4.2~29^2~9
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=59de3322660549ad6b2fa5a210ff4ebbfe46ea93;p=thirdparty%2Fcups.git
Save work on certificate support code and tlscheck.
---
diff --git a/cups/tls-openssl.c b/cups/tls-openssl.c
index 4a6d9e96fa..45bc9cde45 100644
--- a/cups/tls-openssl.c
+++ b/cups/tls-openssl.c
@@ -421,6 +421,7 @@ httpCredentialsAreValidForName(
cert = http_create_credential((http_credential_t *)cupsArrayFirst(credentials));
if (cert)
{
+ result = 1;
#if 0
result = openssl_x509_crt_check_hostname(cert, common_name) != 0;
@@ -684,9 +685,8 @@ httpCredentialsString(
char *buffer, // I - Buffer
size_t bufsize) // I - Size of buffer
{
-#if 0
- http_credential_t *first; /* First certificate */
- openssl_x509_crt_t cert; /* Certificate */
+ http_credential_t *first; // First certificate
+ X509 *cert; // Certificate
DEBUG_printf(("httpCredentialsString(credentials=%p, buffer=%p, bufsize=" CUPS_LLFMT ")", credentials, buffer, CUPS_LLCAST bufsize));
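Review bot: The added `result = 1;` makes httpCredentialsAreValidForName() report every certificate as valid for every `common_name`, because the real check beneath it is still inside `#if 0`, so a caller that relies on this function for hostname validation now fails open. Until the OpenSSL port of the hostname check is finished the stub should fail closed (`result = 0;`) or do the check with the OpenSSL API, e.g. `result = X509_check_host(cert, common_name, 0, 0, NULL) == 1;` — that function returns 1 on match, 0 on mismatch and -1 on error, so only 1 may count as valid (it needs OpenSSL 1.0.2 or later, which the hunk does not establish). Whatever is chosen, a comment such as `// TODO: hostname check not yet implemented for OpenSSL; do not ship with result = 1` next to the line would keep the placeholder from being mistaken for a finished implementation. The declaration of `result` and the code that returns it are outside this hunk.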
@@ -697,44 +697,33 @@ httpCredentialsString(
if (bufsize > 0) *buffer = '\0';
- if ((first = (http_credential_t *)cupsArrayFirst(credentials)) != NULL &&
- (cert = http_create_credential(first)) != NULL)
+ if ((first = (http_credential_t *)cupsArrayFirst(credentials)) != NULL && (cert = http_create_credential(first)) != NULL)
{
- char name[256], /* Common name associated with cert */
- issuer[256]; /* Issuer associated with cert */
- size_t len; /* Length of string */
- time_t expiration; /* Expiration date of cert */
- int sigalg; /* Signature algorithm */
- unsigned char md5_digest[16]; /* MD5 result */
-
- len = sizeof(name) - 1;
- if (openssl_x509_crt_get_dn_by_oid(cert, GNUTLS_OID_X520_COMMON_NAME, 0, 0, name, &len) >= 0)
- name[len] = '\0';
- else
- strlcpy(name, "unknown", sizeof(name));
+ char name[256], // Common name associated with cert
+ issuer[256]; // Issuer associated with cert
+ time_t expiration; // Expiration date of cert
+// struct tm exptm; // Expiration date/time of cert
+ int sigalg; // Signature algorithm
+ unsigned char md5_digest[16]; // MD5 result
- len = sizeof(issuer) - 1;
- if (openssl_x509_crt_get_issuer_dn_by_oid(cert, GNUTLS_OID_X520_ORGANIZATION_NAME, 0, 0, issuer, &len) >= 0)
- issuer[len] = '\0';
- else
- strlcpy(issuer, "unknown", sizeof(issuer));
- expiration = openssl_x509_crt_get_expiration_time(cert);
- sigalg = openssl_x509_crt_get_signature_algorithm(cert);
+ X509_NAME_oneline(X509_get_subject_name(cert), name, sizeof(name));
+ X509_NAME_oneline(X509_get_issuer_name(cert), issuer, sizeof(issuer));
- cupsHashData("md5", first->data, first->datalen, md5_digest, sizeof(md5_digest));
+// ASN1_TIME_to_tm(X509_get0_notAfter(cert), &exptm);
+// expiration = mktime(&exptm);
+ expiration = 0;
+ sigalg = X509_get_signature_nid(cert);
- snprintf(buffer, bufsize, "%s (issued by %s) / %s / %s / %02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X", name, issuer, httpGetDateString(expiration),
openssl_sign_get_name((openssl_sign_algorithm_t)sigalg), md5_digest[0], md5_digest[1], md5_digest[2], md5_digest[3], md5_digest[4], md5_digest[5], md5_digest[6], md5_digest[7], md5_digest[8], md5_digest[9], md5_digest[10], md5_digest[11], md5_digest[12], md5_digest[13], md5_digest[14], md5_digest[15]);
+ cupsHashData("md5", first->data, first->datalen, md5_digest, sizeof(md5_digest));
- openssl_x509_crt_deinit(cert);
+ snprintf(buffer, bufsize, "%s (issued by %s) / %s / sig(%d) / %02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X", name, issuer, httpGetDateString(expiration), sigalg, md5_digest[0], md5_digest[1], md5_digest[2], md5_digest[3], md5_digest[4], md5_digest[5], md5_digest[6], md5_digest[7], md5_digest[8], md5_digest[9], md5_digest[10], md5_digest[11], md5_digest[12], md5_digest[13], md5_digest[14], md5_digest[15]);
+ X509_free(cert);
}
DEBUG_printf(("1httpCredentialsString: Returning \"%s\".", buffer));
return (strlen(buffer));
-#else
- return (0);
-#endif // 0
}
diff --git a/cups/tlscheck.c b/cups/tlscheck.c
index 0e6e3a3758..7b42903d45 100644
--- a/cups/tlscheck.c
+++ b/cups/tlscheck.c
@@ -183,7 +183,39 @@ main(int argc, /* I - Number of command-line arguments */
httpFreeCredentials(creds);
}
-#ifdef __APPLE__
+#ifdef HAVE_OPENSSL
+ int cipherBits; // Encryption key bits
+ char cipherStr[1024]; // Combined cipher name
+ switch (SSL_version(http->tls))
+ {
+ default :
+ tlsVersion = 0;
+ break;
+ case TLS1_VERSION :
+ tlsVersion = 10;
+ break;
+ case TLS1_1_VERSION :
+ tlsVersion = 11;
+ break;
+ case TLS1_2_VERSION :
+ tlsVersion = 12;
+ break;
+ case TLS1_3_VERSION :
+ tlsVersion = 13;
+ break;
+ }
+ snprintf(cipherStr, sizeof(cipherStr), "%s_%dbits", SSL_get_cipher_name(http->tls), SSL_get_cipher_bits(http->tls, &cipherBits));
+ cipherName = cipherStr;
+
+#elif defined(HAVE_GNUTLS)
+#elif defined(__APPLE__)
SSLProtocol protocol;
SSLCipherSuite cipher;
char unknownCipherName[256];
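Review bot: The new `X509_NAME_oneline()` calls in httpCredentialsString() ignore their return value and drop the `"unknown"` fallback the removed GnuTLS code had, so when either call fails (NULL return) `name` or `issuer` reaches snprintf() uninitialized. Checking the result restores the previous behaviour: `if (!X509_NAME_oneline(X509_get_subject_name(cert), name, sizeof(name))) strlcpy(name, "unknown", sizeof(name));` and the same for `issuer`. Two smaller points in the same string: `expiration = 0;` makes httpGetDateString() render the epoch instead of the certificate's notAfter, so the output is misleading until the commented-out `ASN1_TIME_to_tm()` path is finished, and `sig(%d)` prints a raw NID where `OBJ_nid2sn(sigalg)` would give the readable algorithm name the old `%s` field carried. The fingerprint remains an MD5 of the DER as before this commit; that is fine for display but should not be relied on for identity comparison.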
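Review bot: The new `#elif defined(HAVE_GNUTLS)` branch is empty, so a GnuTLS build leaves `tlsVersion` and `cipherName` with whatever values they had before this block; both are declared outside the hunk, and if `cipherName` is not initialized there the later `printf("... %s ...", cipherName)` reads an indeterminate pointer. At minimum the branch should set `tlsVersion = 0;` and `cipherName = "unknown";` (or fill them from the GnuTLS session) so the report is defined on every backend. In the OpenSSL branch `cipherBits` receives the cipher's nominal bit count from `SSL_get_cipher_bits()` but is never read; either pass `NULL` for that argument or include it in `cipherStr` next to the secret bits that are printed. `TLS1_3_VERSION` also requires OpenSSL 1.1.1 headers, which the hunk does not establish as the minimum supported version. The enclosing main() begins and ends outside this hunk.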
@@ -713,7 +745,7 @@ main(int argc, /* I - Number of command-line arguments */
}
dhBits = (int)paramsLen * 8;
-#endif /* __APPLE__ */
+#endif /* HAVE_OPENSSL */
if (dhBits > 0) printf("%s: OK (TLS: %d.%d, %s, %d DH bits)\n", server, tlsVersion / 10, tlsVersion % 10, cipherName, dhBits);
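Review bot: Only the `__APPLE__` arm of the chain this `#endif` now closes assigns `dhBits` (the `dhBits = (int)paramsLen * 8;` line above); the OpenSSL arm never sets it, so on OpenSSL builds the `%d DH bits` output is never produced even for an ephemeral-DH cipher suite. Assuming `dhBits` is zero-initialized at its declaration (outside this hunk) the tool degrades silently rather than misreports, but the OpenSSL path can supply the value with `SSL_get_server_tmp_key()` (or `SSL_get_peer_tmp_key()` on 1.1.1+) and `EVP_PKEY_bits()` on the returned key, freed with `EVP_PKEY_free()`. Because the block has `#elif` arms, `/* HAVE_OPENSSL */` alone is an ambiguous closer; `/* HAVE_OPENSSL / HAVE_GNUTLS / __APPLE__ */` says which chain it ends. main() continues on both sides of this hunk.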