From: Michael R Sweet Date: Tue, 15 Oct 2019 21:34:21 +0000 (-0400) Subject: Add support for DigestOptions directive in client.conf (Issue #5647) X-Git-Tag: v2.3.1~40 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ec8beb8952388a3ce650cc1477cd386546ed7318;p=thirdparty%2Fcups.git Add support for DigestOptions directive in client.conf (Issue #5647) --- diff --git a/.gitignore b/.gitignore index 2a8d1e42ac..a5e32e600a 100644 --- a/.gitignore +++ b/.gitignore @@ -80,14 +80,6 @@ filter/rastertopwg locale/checkpo locale/po2strings locale/strings2po -man/client.conf.man -man/cups-files.conf.man -man/cups-lpd.man -man/cups-snmp.man -man/cupsaddsmb.man -man/cupsd.conf.man -man/cupsd.man -man/lpoptions.man man/mantohtml monitor/bcp monitor/tbcp diff --git a/CHANGES.md b/CHANGES.md index 4bd9d12d16..4e8fd7259f 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -9,14 +9,16 @@ Changes in CUPS v2.3.1 - Fixed a crash bug in the web interface (Issue #5621) - PPD files containing "custom" option keywords did not work (Issue #5639) - Added a workaround for the scheduler's systemd support (Issue #5640) -- Fixed spelling of "fold-accordion". -- Fixed the default common name for TLS certificates used by `ippeveprinter`. +- Added a DigestOptions directive for the `client.conf` file to control whether + MD5-based Digest authentication is allowed (Issue #5647) - Fixed a bug in the handling of printer resource files (Issue #5652) - The libusb-based USB backend now reports an error when the distribution permissions are wrong (Issue #5658) - Added paint can labels to Dymo driver (Issue #5662) - The IPP backend did not detect all cases where a job should be retried using a raster format (rdar://56021091) +- Fixed spelling of "fold-accordion". +- Fixed the default common name for TLS certificates used by `ippeveprinter`. Changes in CUPS v2.3.0 diff --git a/cups/auth.c b/cups/auth.c index 634ed1fba2..db45bbba68 100644 --- a/cups/auth.c +++ b/cups/auth.c @@ -289,7 +289,7 @@ cupsDoAuthentication( if (_httpSetDigestAuthString(http, nonce, method, resource)) { - DEBUG_puts("2cupsDoAuthentication: Using Basic."); + DEBUG_puts("2cupsDoAuthentication: Using Digest."); break; } } diff --git a/cups/cups-private.h b/cups/cups-private.h index f1b052a307..aeba7176b1 100644 --- a/cups/cups-private.h +++ b/cups/cups-private.h @@ -57,6 +57,12 @@ typedef struct _cups_raster_error_s /**** Error buffer structure ****/ *end; /* End of buffer */ } _cups_raster_error_t; +typedef enum _cups_digestoptions_e /**** Digest Options values */ +{ + _CUPS_DIGESTOPTIONS_NONE, /* No Digest authentication options */ + _CUPS_DIGESTOPTIONS_DENYMD5 /* Do not use MD5 hashes for digest */ +} _cups_digestoptions_t; + typedef enum _cups_uatokens_e /**** UserAgentTokens values */ { _CUPS_UATOKENS_NONE, /* Do not send User-Agent */ @@ -157,6 +163,7 @@ typedef struct _cups_globals_s /**** CUPS global state data ****/ char tempfile[1024]; /* cupsTempFd/File buffer */ /* usersys.c */ + _cups_digestoptions_t digestoptions; /* DigestOptions setting */ _cups_uatokens_t uatokens; /* UserAgentTokens setting */ http_encryption_t encryption; /* Encryption setting */ char user[65], /* User name */ diff --git a/cups/http-support.c b/cups/http-support.c index 6d86071407..824b8dcf1b 100644 --- a/cups/http-support.c +++ b/cups/http-support.c @@ -1,7 +1,7 @@ /* * HTTP support routines for CUPS. * - * Copyright 2007-2018 by Apple Inc. + * Copyright 2007-2019 by Apple Inc. * Copyright 1997-2007 by Easy Software Products, all rights reserved. * * Licensed under Apache License v2.0. See the file "LICENSE" for more @@ -1321,6 +1321,7 @@ _httpSetDigestAuthString( digest[1024]; /* Digest auth data */ unsigned char hash[32]; /* Hash buffer */ size_t hashsize; /* Size of hash */ + _cups_globals_t *cg = _cupsGlobals(); /* Per-thread globals */ DEBUG_printf(("2_httpSetDigestAuthString(http=%p, nonce=\"%s\", method=\"%s\", resource=\"%s\")", (void *)http, nonce, method, resource)); @@ -1363,6 +1364,12 @@ _httpSetDigestAuthString( * RFC 2617 Digest with MD5 */ + if (cg->digestoptions == _CUPS_DIGESTOPTIONS_DENYMD5) + { + DEBUG_puts("3_httpSetDigestAuthString: MD5 Digest is disabled."); + return (0); + } + hashalg = "md5"; } else if (!_cups_strcasecmp(http->algorithm, "SHA-256")) diff --git a/cups/usersys.c b/cups/usersys.c index 497681e274..3acfd2bd91 100644 --- a/cups/usersys.c +++ b/cups/usersys.c @@ -40,6 +40,8 @@ # define kCUPSPrintingPrefs CFSTR(".GlobalPreferences") # define kPREFIX "AirPrint" # endif /* TARGET_OS_OSX */ +# define kDigestOptionsKey CFSTR(kPREFIX "DigestOptions") +# define kUserKey CFSTR(kPREFIX "User") # define kUserAgentTokensKey CFSTR(kPREFIX "UserAgentTokens") # define kAllowAnyRootKey CFSTR(kPREFIX "AllowAnyRoot") # define kAllowExpiredCertsKey CFSTR(kPREFIX "AllowExpiredCerts") @@ -63,6 +65,7 @@ typedef struct _cups_client_conf_s /**** client.conf config data ****/ { + _cups_digestoptions_t digestoptions; /* DigestOptions values */ _cups_uatokens_t uatokens; /* UserAgentTokens values */ #ifdef HAVE_SSL int ssl_options, /* SSLOptions values */ @@ -97,6 +100,7 @@ static void cups_finalize_client_conf(_cups_client_conf_t *cc); static void cups_init_client_conf(_cups_client_conf_t *cc); static void cups_read_client_conf(cups_file_t *fp, _cups_client_conf_t *cc); static void cups_set_default_ipp_port(_cups_globals_t *cg); +static void cups_set_digestoptions(_cups_client_conf_t *cc, const char *value); static void cups_set_encryption(_cups_client_conf_t *cc, const char *value); #ifdef HAVE_GSSAPI static void cups_set_gss_service_name(_cups_client_conf_t *cc, const char *value); @@ -1324,10 +1328,14 @@ cups_init_client_conf( cc->validate_certs = bval; # endif /* HAVE_SSL */ + if (cups_apple_get_string(kDigestOptionsKey, sval, sizeof(sval))) + cups_set_digestoptions(cc, sval); + + if (cups_apple_get_string(kUserKey, sval, sizeof(sval))) + strlcpy(cc->user, sval, sizeof(cc->user)); + if (cups_apple_get_string(kUserAgentTokensKey, sval, sizeof(sval))) - { cups_set_uatokens(cc, sval); - } #endif /* __APPLE__ */ } @@ -1353,7 +1361,9 @@ cups_read_client_conf( linenum = 0; while (cupsFileGetConf(fp, line, sizeof(line), &value, &linenum)) { - if (!_cups_strcasecmp(line, "Encryption") && value) + if (!_cups_strcasecmp(line, "DigestOptions") && value) + cups_set_digestoptions(cc, value); + else if (!_cups_strcasecmp(line, "Encryption") && value) cups_set_encryption(cc, value); #ifndef __APPLE__ /* @@ -1408,6 +1418,23 @@ cups_set_default_ipp_port( cg->ipp_port = CUPS_DEFAULT_IPP_PORT; } + +/* + * 'cups_set_digestoptions()' - Set the DigestOptions value. + */ + +static void +cups_set_digestoptions( + _cups_client_conf_t *cc, /* I - client.conf values */ + const char *value) /* I - Value */ +{ + if (!_cups_strcasecmp(value, "DenyMD5")) + cc->digestoptions = _CUPS_DIGESTOPTIONS_DENYMD5; + else if (!_cups_strcasecmp(value, "None")) + cc->digestoptions = _CUPS_DIGESTOPTIONS_NONE; +} + + /* * 'cups_set_encryption()' - Set the Encryption value. */ diff --git a/doc/help/man-client.conf.html b/doc/help/man-client.conf.html index 58b091fe05..032cd333d8 100644 --- a/doc/help/man-client.conf.html +++ b/doc/help/man-client.conf.html @@ -19,28 +19,32 @@ See the NOTES section below for more information.

Directives

The following directives are understood by the client. Consult the online help for detailed descriptions:
-
AllowAnyRoot Yes +
AllowAnyRoot Yes
AllowAnyRoot No
Specifies whether to allow TLS with certificates that have not been signed by a trusted Certificate Authority. The default is "Yes". -
AllowExpiredCerts Yes +
AllowExpiredCerts Yes
AllowExpiredCerts No
Specifies whether to allow TLS with expired certificates. The default is "No". -
Encryption IfRequested +
DigestOptions DenyMD5 +
DigestOptions None +
Specifies HTTP Digest authentication options. +DenyMD5 disables support for the original MD5 hash algorithm. +
Encryption IfRequested
Encryption Never
Encryption Required
Specifies the level of encryption that should be used. -
GSSServiceName name +
GSSServiceName name
Specifies the Kerberos service name that is used for authentication, typically "host", "http", or "ipp". CUPS adds the remote hostname ("name@server.example.com") for you. The default name is "http". -
ServerName hostname-or-ip-address[:port] +
ServerName hostname-or-ip-address[:port]
ServerName /domain/socket
Specifies the address and optionally the port to use when connecting to the server. Note: This directive is not supported on macOS 10.7 or later.
ServerName hostname-or-ip-address[:port]/version=1.1
Specifies the address and optionally the port to use when connecting to a server running CUPS 1.3.12 and earlier. -
SSLOptions [AllowDH] [AllowRC4] [AllowSSL3] [DenyCBC] [DenyTLS1.0] [MaxTLS1.0] [MaxTLS1.1] [MaxTLS1.2] [MaxTLS1.3] [MinTLS1.0] [MinTLS1.1] [MinTLS1.2] [MinTLS1.3] +
SSLOptions [AllowDH] [AllowRC4] [AllowSSL3] [DenyCBC] [DenyTLS1.0] [MaxTLS1.0] [MaxTLS1.1] [MaxTLS1.2] [MaxTLS1.3] [MinTLS1.0] [MinTLS1.1] [MinTLS1.2] [MinTLS1.3]
SSLOptions None
Sets encryption options (only in /etc/cups/client.conf). By default, CUPS only supports encryption using TLS v1.0 or higher using known secure cipher suites. @@ -54,11 +58,11 @@ The DenyTLS1.0 option disables TLS v1.0 support - this sets the minimum p The MinTLS options set the minimum TLS version to support. The MaxTLS options set the maximum TLS version to support. Not all operating systems support TLS 1.3 at this time. -
TrustOnFirstUse Yes +
TrustOnFirstUse Yes
TrustOnFirstUse No
Specifies whether to trust new TLS certificates by default. The default is "Yes". -
User name +
User name
Specifies the default user name to use for requests.
UserAgentTokens None
UserAgentTokens ProductOnly @@ -76,7 +80,7 @@ The default is "Yes". "OS" reports "CUPS/major.minor.path (osname osversion) IPP/2.1". "Full" reports "CUPS/major.minor.path (osname osversion; architecture) IPP/2.1". The default is "Minimal". -
ValidateCerts Yes +
ValidateCerts Yes
ValidateCerts No
Specifies whether to only allow TLS with certificates whose common name matches the hostname. The default is "No". diff --git a/man/client.conf.5 b/man/client.conf.5 index 8805561dbc..4dbf0c49b5 100644 --- a/man/client.conf.5 +++ b/man/client.conf.5 @@ -7,7 +7,7 @@ .\" Licensed under Apache License v2.0. See the file "LICENSE" for more .\" information. .\" -.TH client.conf 5 "CUPS" "26 April 2019" "Apple Inc." +.TH client.conf 5 "CUPS" "15 October 2019" "Apple Inc." .SH NAME client.conf \- client configuration file for cups (deprecated on macos) .SH DESCRIPTION @@ -20,18 +20,28 @@ Starting with macOS 10.12, all applications can access these settings in the \fI See the NOTES section below for more information. .SS DIRECTIVES The following directives are understood by the client. Consult the online help for detailed descriptions: +.\"#AllowAnyRoot .TP 5 \fBAllowAnyRoot Yes\fR .TP 5 \fBAllowAnyRoot No\fR Specifies whether to allow TLS with certificates that have not been signed by a trusted Certificate Authority. The default is "Yes". +.\"#AllowExpiredCerts .TP 5 \fBAllowExpiredCerts Yes\fR .TP 5 \fBAllowExpiredCerts No\fR Specifies whether to allow TLS with expired certificates. The default is "No". +.\"#DigestOptions +.TP 5 +\fBDigestOptions DenyMD5\fR +.TP 5 +\fBDigestOptions None\fR +Specifies HTTP Digest authentication options. +\fBDenyMD5\fR disables support for the original MD5 hash algorithm. +.\"#Encryption .TP 5 \fBEncryption IfRequested\fR .TP 5 @@ -39,10 +49,12 @@ The default is "No". .TP 5 \fBEncryption Required\fR Specifies the level of encryption that should be used. +.\"#GSSServiceName .TP 5 \fBGSSServiceName \fIname\fR Specifies the Kerberos service name that is used for authentication, typically "host", "http", or "ipp". CUPS adds the remote hostname ("name@server.example.com") for you. The default name is "http". +.\"#ServerName .TP 5 \fBServerName \fIhostname-or-ip-address\fR[\fI:port\fR] .TP 5 @@ -52,6 +64,7 @@ Specifies the address and optionally the port to use when connecting to the serv .TP 5 \fBServerName \fIhostname-or-ip-address\fR[\fI:port\fR]\fB/version=1.1\fR Specifies the address and optionally the port to use when connecting to a server running CUPS 1.3.12 and earlier. +.\"#SSLOptions .TP 5 \fBSSLOptions \fR[\fIAllowDH\fR] [\fIAllowRC4\fR] [\fIAllowSSL3\fR] [\fIDenyCBC\fR] [\fIDenyTLS1.0\fR] [\fIMaxTLS1.0\fR] [\fIMaxTLS1.1\fR] [\fIMaxTLS1.2\fR] [\fIMaxTLS1.3\fR] [\fIMinTLS1.0\fR] [\fIMinTLS1.1\fR] [\fIMinTLS1.2\fR] [\fIMinTLS1.3\fR] .TP 5 @@ -68,12 +81,14 @@ The \fIDenyTLS1.0\fR option disables TLS v1.0 support - this sets the minimum pr The \fIMinTLS\fR options set the minimum TLS version to support. The \fIMaxTLS\fR options set the maximum TLS version to support. Not all operating systems support TLS 1.3 at this time. +.\"#TrustOnFirstUse .TP 5 \fBTrustOnFirstUse Yes\fR .TP 5 \fBTrustOnFirstUse No\fR Specifies whether to trust new TLS certificates by default. The default is "Yes". +.\"#User .TP 5 \fBUser \fIname\fR Specifies the default user name to use for requests. @@ -101,6 +116,7 @@ Specifies what information is included in the User-Agent header of HTTP requests "OS" reports "CUPS/major.minor.path (osname osversion) IPP/2.1". "Full" reports "CUPS/major.minor.path (osname osversion; architecture) IPP/2.1". The default is "Minimal". +.\"#ValidateCerts .TP 5 \fBValidateCerts Yes\fR .TP 5