From: msweet Date: Wed, 7 May 2014 23:55:35 +0000 (+0000) Subject: Add code to validate trust when printing via the IPP backend. X-Git-Tag: v2.2b1~647 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f51f3773d1c141dfeffcb6ef478129197dde3a96;p=thirdparty%2Fcups.git Add code to validate trust when printing via the IPP backend. Add new CUPS_VALIDATECERTS (ValidateCerts in the conf file) setting to control whether we require the common name to match the host name, default is no. (currently) httpCredentialsGetTrust now only checks hostname/common name matches when validation is enabled. Otherwise we just look for changes to certs. git-svn-id: svn+ssh://src.apple.com/svn/cups/cups.org/trunk@11851 a1ca3aef-8c08-0410-bb20-df032aa958be --- diff --git a/backend/ipp.c b/backend/ipp.c index eb61b4769c..ba4189f4fe 100644 --- a/backend/ipp.c +++ b/backend/ipp.c @@ -679,6 +679,32 @@ main(int argc, /* I - Number of command-line args */ 0, NULL); httpSetTimeout(http, 30.0, timeout_cb, NULL); + if (httpIsEncrypted(http)) + { + /* + * Validate TLS credentials... + */ + + cups_array_t *creds; /* TLS credentials */ + http_trust_t trust; /* Trust level */ + static const char *trusts[] = { NULL, "+cups-pki-invalid", "+cups-pki-changed", "+cups-pki-expired", NULL, "+cups-pki-unknown" }; + /* Trust keywords */ + + if (!httpCopyCredentials(http, &creds)) + { + trust = httpCredentialsGetTrust(creds, hostname); + + update_reasons(NULL, "-cups-pki-invalid,cups-pki-changed,cups-pki-expired,cups-pki-unknown"); + if (trusts[trust]) + { + update_reasons(NULL, trusts[trust]); + return (CUPS_BACKEND_STOP); + } + + httpFreeCredentials(creds); + } + } + /* * See if the printer supports SNMP... */ diff --git a/cups/cups-private.h b/cups/cups-private.h index f4c075c565..8e2d69295c 100644 --- a/cups/cups-private.h +++ b/cups/cups-private.h @@ -167,7 +167,8 @@ typedef struct _cups_globals_s /**** CUPS global state data ****/ /* Server certificate user data */ int server_version, /* Server IPP version */ any_root, /* Allow any (e.g., self-signed) root */ - expired_certs; /* Allow expired certs */ + expired_certs, /* Allow expired certs */ + validate_certs; /* Validate certificates */ /* util.c */ char def_printer[256]; diff --git a/cups/globals.c b/cups/globals.c index 724c961d86..df742c4077 100644 --- a/cups/globals.c +++ b/cups/globals.c @@ -218,6 +218,7 @@ cups_globals_alloc(void) cg->password_cb = (cups_password_cb2_t)_cupsGetPassword; cg->any_root = 1; cg->expired_certs = 1; + cg->validate_certs = 0; #ifdef DEBUG /* diff --git a/cups/tls-darwin.c b/cups/tls-darwin.c index 61b71a7ce2..81f5106022 100644 --- a/cups/tls-darwin.c +++ b/cups/tls-darwin.c @@ -579,7 +579,7 @@ httpCredentialsGetTrust( httpFreeCredentials(tcreds); } - else if (!httpCredentialsAreValidForName(credentials, common_name)) + else if (cg->validate_certs && !httpCredentialsAreValidForName(credentials, common_name)) trust = HTTP_TRUST_INVALID; if (!cg->expired_certs && !SecCertificateIsValid(secCert, CFAbsoluteTimeGetCurrent())) diff --git a/cups/usersys.c b/cups/usersys.c index aa4127c7e0..22d0f3464d 100644 --- a/cups/usersys.c +++ b/cups/usersys.c @@ -51,7 +51,8 @@ static void cups_read_client_conf(cups_file_t *fp, const char *cups_gssservicename, #endif /* HAVE_GSSAPI */ const char *cups_anyroot, - const char *cups_expiredcerts); + const char *cups_expiredcerts, + const char *cups_validatecerts); /* @@ -830,7 +831,8 @@ _cupsSetDefaults(void) *cups_gssservicename, /* CUPS_GSSSERVICENAME env var */ #endif /* HAVE_GSSAPI */ *cups_anyroot, /* CUPS_ANYROOT env var */ - *cups_expiredcerts; /* CUPS_EXPIREDCERTS env var */ + *cups_expiredcerts, /* CUPS_EXPIREDCERTS env var */ + *cups_validatecerts; /* CUPS_VALIDATECERTS env var */ char filename[1024]; /* Filename */ _cups_globals_t *cg = _cupsGlobals(); /* Pointer to library globals */ @@ -848,6 +850,7 @@ _cupsSetDefaults(void) #endif /* HAVE_GSSAPI */ cups_anyroot = getenv("CUPS_ANYROOT"); cups_expiredcerts = getenv("CUPS_EXPIREDCERTS"); + cups_validatecerts = getenv("CUPS_VALIDATECERTS"); if ((cups_user = getenv("CUPS_USER")) == NULL) { @@ -916,7 +919,7 @@ _cupsSetDefaults(void) #ifdef HAVE_GSSAPI cups_gssservicename, #endif /* HAVE_GSSAPI */ - cups_anyroot, cups_expiredcerts); + cups_anyroot, cups_expiredcerts, cups_validatecerts); cupsFileClose(fp); } } @@ -938,7 +941,8 @@ cups_read_client_conf( /* I - CUPS_GSSSERVICENAME env var */ #endif /* HAVE_GSSAPI */ const char *cups_anyroot, /* I - CUPS_ANYROOT env var */ - const char *cups_expiredcerts) /* I - CUPS_EXPIREDCERTS env var */ + const char *cups_expiredcerts, /* I - CUPS_EXPIREDCERTS env var */ + const char *cups_validatecerts)/* I - CUPS_VALIDATECERTS env var */ { int linenum; /* Current line number */ char line[1024], /* Line from file */ @@ -949,7 +953,8 @@ cups_read_client_conf( #endif /* !__APPLE__ */ user[256], /* User value */ any_root[1024], /* AllowAnyRoot value */ - expired_certs[1024]; /* AllowExpiredCerts value */ + expired_certs[1024], /* AllowExpiredCerts value */ + validate_certs[1024]; /* ValidateCerts value */ #ifdef HAVE_GSSAPI char gss_service_name[32]; /* GSSServiceName value */ #endif /* HAVE_GSSAPI */ @@ -996,6 +1001,11 @@ cups_read_client_conf( strlcpy(expired_certs, value, sizeof(expired_certs)); cups_expiredcerts = expired_certs; } + else if (!cups_validatecerts && !_cups_strcasecmp(line, "ValidateCerts") && value) + { + strlcpy(validate_certs, value, sizeof(validate_certs)); + cups_validatecerts = validate_certs; + } #ifdef HAVE_GSSAPI else if (!cups_gssservicename && !_cups_strcasecmp(line, "GSSServiceName") && value) @@ -1118,6 +1128,11 @@ cups_read_client_conf( cg->expired_certs = !_cups_strcasecmp(cups_expiredcerts, "yes") || !_cups_strcasecmp(cups_expiredcerts, "on") || !_cups_strcasecmp(cups_expiredcerts, "true"); + + if (cups_validatecerts) + cg->validate_certs = !_cups_strcasecmp(cups_validatecerts, "yes") || + !_cups_strcasecmp(cups_validatecerts, "on") || + !_cups_strcasecmp(cups_validatecerts, "true"); } diff --git a/man/client.conf.man.in b/man/client.conf.man.in index 9affb57350..6d1a5a14e8 100644 --- a/man/client.conf.man.in +++ b/man/client.conf.man.in @@ -12,7 +12,7 @@ .\" which should have been included with this file. If this file is .\" file is missing or damaged, see the license at "http://www.cups.org/". .\" -.TH client.conf 5 "CUPS" "16 April 2014" "Apple Inc." +.TH client.conf 5 "CUPS" "7 May 2014" "Apple Inc." .SH NAME client.conf \- client configuration file for cups (deprecated) .SH DESCRIPTION @@ -24,17 +24,17 @@ The \fBServerName\fR directive is not supported on OS X at all. .SS DIRECTIVES The following directives are understood by the client. Consult the online help for detailed descriptions: .TP 5 -\fBAllowAnyRoot Y\fR +\fBAllowAnyRoot Yes\fR .TP 5 -\fBAllowAnyRoot N\fR +\fBAllowAnyRoot No\fR Specifies whether to allow TLS with certificates that have not been signed by a trusted Certificate Authority. -The default is "Y". +The default is "Yes". .TP 5 -\fBAllowExpiredCerts Y\fR +\fBAllowExpiredCerts Yes\fR .TP 5 -\fBAllowExpiredCerts N\fR +\fBAllowExpiredCerts No\fR Specifies whether to allow TLS with expired certificates. -The default is "Y". +The default is "Yes". .TP 5 \fBEncryption IfRequested\fR .TP 5 @@ -58,6 +58,12 @@ Specifies the address and optionally the port to use when connecting to a server .TP 5 \fBUser \fIname\fR Specifies the default user name to use for requests. +.TP 5 +\fBValidateCerts Yes\fR +.TP 5 +\fBValidateCerts No\fR +Specifies whether to only allow TLS with certificates whose common name matches the hostname. +The default is "No". .SH NOTES The \fBclient.conf\fR file is deprecated and will no longer be supported in a future version of CUPS. .SH SEE ALSO