From: Michael R Sweet Date: Mon, 26 Jun 2017 17:22:57 +0000 (-0400) Subject: The `SSLOptions` directive in "client.conf" and "cupsd.conf" now supports `DenyCBC... X-Git-Tag: v2.2.4~5 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f2e8714723abaa8c0e05abaf2f64e45ad5856598;p=thirdparty%2Fcups.git The `SSLOptions` directive in "client.conf" and "cupsd.conf" now supports `DenyCBC` and `DenyTLS1.0` options (Issue #5037) --- diff --git a/CHANGES.md b/CHANGES.md index ad51b0debe..3e9285fa02 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -35,6 +35,8 @@ CHANGES IN CUPS V2.2.4 - The `cupsConnectDest` function now supports the `CUPS_DEST_FLAGS_DEVICE` flag for explicitly connecting to the device (printer) associated with the destination. +- The `SSLOptions` directive in "client.conf" and "cupsd.conf" now supports + `DenyCBC` and `DenyTLS1.0` options (Issue #5037) CHANGES IN CUPS V2.2.3 diff --git a/cups/http-private.h b/cups/http-private.h index ec908a660a..7c39c045a6 100644 --- a/cups/http-private.h +++ b/cups/http-private.h @@ -1,7 +1,7 @@ /* * Private HTTP definitions for CUPS. * - * Copyright 2007-2016 by Apple Inc. + * Copyright 2007-2017 by Apple Inc. * Copyright 1997-2007 by Easy Software Products, all rights reserved. * * These coded instructions, statements, and computer programs are the @@ -184,6 +184,7 @@ extern "C" { #define _HTTP_TLS_ALLOW_SSL3 2 /* Allow SSL 3.0 */ #define _HTTP_TLS_ALLOW_DH 4 /* Allow DH/DHE key negotiation */ #define _HTTP_TLS_DENY_TLS10 16 /* Deny TLS 1.0 */ +#define _HTTP_TLS_DENY_CBC 32 /* Deny CBC cipher suites */ /* diff --git a/cups/tls-darwin.c b/cups/tls-darwin.c index 30b1e86de8..78d6de2910 100644 --- a/cups/tls-darwin.c +++ b/cups/tls-darwin.c @@ -1324,7 +1324,6 @@ _httpTLSStart(http_t *http) /* I - HTTP connection */ case TLS_DHE_RSA_WITH_AES_256_CBC_SHA : case TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA : case TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA : -// case TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA : case TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA : case TLS_DH_DSS_WITH_AES_128_CBC_SHA256 : case TLS_DH_RSA_WITH_AES_128_CBC_SHA256 : @@ -1337,6 +1336,14 @@ _httpTLSStart(http_t *http) /* I - HTTP connection */ case TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA : case TLS_DHE_PSK_WITH_AES_128_CBC_SHA : case TLS_DHE_PSK_WITH_AES_256_CBC_SHA : + case TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 : + case TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 : + if (tls_options & _HTTP_TLS_DENY_CBC) + { + DEBUG_printf(("4_httpTLSStart: Excluding CBC cipher suite %d", supported[i])); + break; + } + // case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 : // case TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 : case TLS_DH_RSA_WITH_AES_128_GCM_SHA256 : @@ -1347,15 +1354,28 @@ _httpTLSStart(http_t *http) /* I - HTTP connection */ case TLS_DH_DSS_WITH_AES_256_GCM_SHA384 : case TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 : case TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 : - case TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 : - case TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 : if (tls_options & _HTTP_TLS_ALLOW_DH) enabled[num_enabled ++] = supported[i]; else DEBUG_printf(("4_httpTLSStart: Excluding DH/DHE cipher suite %d", supported[i])); break; - /* Anything else we'll assume is secure */ + case TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA : + case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 : + case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 : + case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 : + case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 : + case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 : + case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 : + case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 : + case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 : + if (tls_options & _HTTP_TLS_DENY_CBC) + { + DEBUG_printf(("4_httpTLSStart: Excluding CBC cipher suite %d", supported[i])); + break; + } + + /* Anything else we'll assume is "secure" */ default : enabled[num_enabled ++] = supported[i]; break; diff --git a/cups/tls-gnutls.c b/cups/tls-gnutls.c index 3a2c4e4375..48bc11aa96 100644 --- a/cups/tls-gnutls.c +++ b/cups/tls-gnutls.c @@ -1518,6 +1518,9 @@ _httpTLSStart(http_t *http) /* I - Connection to server */ if (!(tls_options & _HTTP_TLS_ALLOW_DH)) strlcat(priority_string, ":!ANON-DH", sizeof(priority_string)); + if (!(tls_options & _HTTP_TLS_DENY_CBC)) + strlcat(priority_string, ":!CBC", sizeof(priority_string)); + #ifdef HAVE_GNUTLS_PRIORITY_SET_DIRECT gnutls_priority_set_direct(http->tls, priority_string, NULL); diff --git a/cups/tls-sspi.c b/cups/tls-sspi.c index 46f6e79095..77b883b229 100644 --- a/cups/tls-sspi.c +++ b/cups/tls-sspi.c @@ -1795,7 +1795,7 @@ http_sspi_find_credentials( } #endif /* SP_PROT_TLS1_2_SERVER */ - /* TODO: Support _HTTP_TLS_ALLOW_RC4 and _HTTP_TLS_ALLOW_DH options; right now we'll rely on Windows registry to enable/disable RC4/DH... */ + /* TODO: Support _HTTP_TLS_ALLOW_RC4, _HTTP_TLS_ALLOW_DH, and _HTTP_TLS_DENY_CBC options; right now we'll rely on Windows registry to enable/disable RC4/DH/CBC... */ /* * Create an SSPI credential. diff --git a/cups/usersys.c b/cups/usersys.c index 88cccfa238..ff5cb30837 100644 --- a/cups/usersys.c +++ b/cups/usersys.c @@ -1367,6 +1367,8 @@ cups_set_ssl_options( options |= _HTTP_TLS_ALLOW_SSL3; else if (!_cups_strcasecmp(start, "AllowDH")) options |= _HTTP_TLS_ALLOW_DH; + else if (!_cups_strcasecmp(start, "DenyCBC")) + options |= _HTTP_TLS_DENY_CBC; else if (!_cups_strcasecmp(start, "DenyTLS1.0")) options |= _HTTP_TLS_DENY_TLS10; else if (!_cups_strcasecmp(start, "None")) diff --git a/man/client.conf.man.in b/man/client.conf.man.in index 15b2a80663..fba9fe9777 100644 --- a/man/client.conf.man.in +++ b/man/client.conf.man.in @@ -1,7 +1,7 @@ .\" .\" client.conf man page for CUPS. .\" -.\" Copyright 2007-2016 by Apple Inc. +.\" Copyright 2007-2017 by Apple Inc. .\" Copyright 2006 by Easy Software Products. .\" .\" These coded instructions, statements, and computer programs are the @@ -10,7 +10,7 @@ .\" which should have been included with this file. If this file is .\" file is missing or damaged, see the license at "http://www.cups.org/". .\" -.TH client.conf 5 "CUPS" "20 June 2016" "Apple Inc." +.TH client.conf 5 "CUPS" "26 June 2017" "Apple Inc." .SH NAME client.conf \- client configuration file for cups .SH DESCRIPTION @@ -56,7 +56,7 @@ Specifies the address and optionally the port to use when connecting to the serv \fBServerName \fIhostname-or-ip-address\fR[\fI:port\fR]\fB/version=1.1\fR Specifies the address and optionally the port to use when connecting to a server running CUPS 1.3.12 and earlier. .TP 5 -\fBSSLOptions \fR[\fIAllowDH\fR] [\fIAllowRC4\fR] [\fIAllowSSL3\fR] [\fIDenyTLS1.0\fR] +\fBSSLOptions \fR[\fIAllowDH\fR] [\fIAllowRC4\fR] [\fIAllowSSL3\fR] [\fIDenyCBC\fR] [\fIDenyTLS1.0\fR] .TP 5 \fBSSLOptions None\fR Sets encryption options (only in /etc/cups/client.conf). @@ -64,6 +64,7 @@ By default, CUPS only supports encryption using TLS v1.0 or higher using known s The \fIAllowDH\fR option enables cipher suites using plain Diffie-Hellman key negotiation. The \fIAllowRC4\fR option enables the 128-bit RC4 cipher suites, which are required for some older clients that do not implement newer ones. The \fIAllowSSL3\fR option enables SSL v3.0, which is required for some older clients that do not support TLS v1.0. +The \fIDenyCBC\fR option disables all CBC cipher suites. The \fIDenyTLS1.0\fR option disables TLS v1.0 support - this sets the minimum protocol version to TLS v1.1. .TP 5 \fBTrustOnFirstUse Yes\fR diff --git a/man/cupsd.conf.man.in b/man/cupsd.conf.man.in index 9ef7c93916..7843360b42 100644 --- a/man/cupsd.conf.man.in +++ b/man/cupsd.conf.man.in @@ -10,7 +10,7 @@ .\" which should have been included with this file. If this file is .\" file is missing or damaged, see the license at "http://www.cups.org/". .\" -.TH cupsd.conf 5 "CUPS" "21 June 2016" "Apple Inc." +.TH cupsd.conf 5 "CUPS" "26 June 2017" "Apple Inc." .SH NAME cupsd.conf \- server configuration file for cups .SH DESCRIPTION @@ -480,13 +480,16 @@ Set the specified environment variable to be passed to child processes. Listens on the specified address and port for encrypted connections. .\"#SSLOptions .TP 5 -\fBSSLOptions \fR[\fIAllowRC4\fR] [\fIAllowSSL3\fR] +\fBSSLOptions \fR[\fIAllowDH\fR] [\fIAllowRC4\fR] [\fIAllowSSL3\fR] [\fIDenyCBC\fR] [\fIDenyTLS1.0\fR] .TP 5 \fBSSLOptions None\fR Sets encryption options. By default, CUPS only supports encryption using TLS v1.0 or higher using known secure cipher suites. +The \fIAllowDH\fR option enables cipher suites using plain Diffie-Hellman key negotiation. The \fIAllowRC4\fR option enables the 128-bit RC4 cipher suites, which are required for some older clients that do not implement newer ones. The \fIAllowSSL3\fR option enables SSL v3.0, which is required for some older clients that do not support TLS v1.0. +The \fIDenyCBC\fR option disables all CBC cipher suites. +The \fIDenyTLS1.0\fR option disables TLS v1.0 support - this sets the minimum protocol version to TLS v1.1. .\"#SSLPort .TP 5 \fBSSLPort \fIport\fR diff --git a/scheduler/conf.c b/scheduler/conf.c index 36f043f650..3897073e44 100644 --- a/scheduler/conf.c +++ b/scheduler/conf.c @@ -2987,7 +2987,7 @@ read_cupsd_conf(cups_file_t *fp) /* I - File to read from */ else if (!_cups_strcasecmp(line, "SSLOptions")) { /* - * SSLOptions [AllowRC4] [AllowSSL3] [None] + * SSLOptions [AllowRC4] [AllowSSL3] [AllowDH] [DenyCBC] [DenyTLS1.0] [None] */ int options = 0; /* SSL/TLS options */ @@ -3018,6 +3018,12 @@ read_cupsd_conf(cups_file_t *fp) /* I - File to read from */ options |= _HTTP_TLS_ALLOW_RC4; else if (!_cups_strcasecmp(start, "AllowSSL3")) options |= _HTTP_TLS_ALLOW_SSL3; + else if (!_cups_strcasecmp(start, "AllowDH")) + options |= _HTTP_TLS_ALLOW_DH; + else if (!_cups_strcasecmp(start, "DenyCBC")) + options |= _HTTP_TLS_DENY_CBC; + else if (!_cups_strcasecmp(start, "DenyTLS1.0")) + options |= _HTTP_TLS_DENY_TLS10; else if (!_cups_strcasecmp(start, "None")) options = 0; else if (_cups_strcasecmp(start, "NoEmptyFragments"))