From 86243a7551807f728b7c2cdc42c8b5c38eef5823 Mon Sep 17 00:00:00 2001 From: Michael Sweet Date: Tue, 15 Mar 2016 10:40:34 -0400 Subject: [PATCH] Import CUPS v2.0.1 --- CHANGES.txt | 30 +- INSTALL.txt | 2 +- README.txt | 2 +- backend/org.cups.usb-quirks | 3 + backend/snmp-supplies.c | 6 +- conf/cups-files.conf.in | 1 + config-scripts/cups-common.m4 | 6 +- configure | 5 +- configure.ac | 5 +- cups/auth.c | 8 +- cups/cups.h | 8 +- cups/http-private.h | 8 +- cups/http.c | 28 +- cups/ipp-support.c | 12 +- cups/tls-darwin.c | 127 ++++++++- cups/tls-gnutls.c | 25 +- cups/tls-sspi.c | 62 ++++- cups/usersys.c | 98 +++++-- cups/util.c | 8 +- doc/help/man-client.conf.html | 6 + doc/help/man-cupsd.conf.html | 6 + man/client.conf.man.in | 14 +- man/cupsd.conf.man.in | 14 +- packaging/cups.spec | 21 +- packaging/cups.spec.in | 17 +- scheduler/Makefile | 11 +- scheduler/colorman.c | 7 +- scheduler/conf.c | 52 +++- scheduler/main.c | 171 ++++++------ scheduler/org.cups.cups-lpd.socket | 9 + scheduler/org.cups.cups-lpdAT.service.in | 9 + scheduler/org.cups.cupsd.service.in | 1 + scheduler/org.cups.cupsd.socket.in | 4 - scheduler/process.c | 32 ++- systemv/cancel.c | 6 +- templates/es/header.tmpl.in | 8 + templates/header.tmpl.in | 8 + test/ippserver.c | 331 +++++++++++++++++------ test/run-stp-tests.sh | 6 +- vcnet/config.h | 8 +- xcode/config.h | 8 +- 41 files changed, 909 insertions(+), 284 deletions(-) create mode 100644 scheduler/org.cups.cups-lpd.socket create mode 100644 scheduler/org.cups.cups-lpdAT.service.in diff --git a/CHANGES.txt b/CHANGES.txt index 84405df66d..1d1b67e8d9 100644 --- a/CHANGES.txt +++ b/CHANGES.txt 
@@ -1,6 +1,34 @@ -CHANGES.txt - 2.0.0 - 2014-10-01 +CHANGES.txt - 2.0.1 - 2014-11-14 -------------------------------- +CHANGES IN CUPS V2.0.1 + + - Security: SSLv3 is now disabled by default to protect against the + POODLE attack (STR #4476) + - Printer sharing did not work when systemd was being used (STR #4497) + - cupsGetPPD* would return a symlink to the PPD in /etc/cups/ppd even if + it was not readable by the user (STR #4500) + - The web interface now protects against frame "click-jacking" attacks + (STR #4492) + - Fixed a crash in ippAttributeString () + - Fixed a crash in the scheduler on Linux/*BSD if colord was not running + (STR #4496) + - Fixed a random crash in the scheduler when not using systemd + (STR #4484) + - Added systemd support for cups-lpd (STR #4493) + - The scheduler did not honor the FatalErrors directive for mis- + configured Group and SystemGroup values (STR #4495) + - The network backends no longer report waste-receptacle conditions when + using SNMP (STR #4499) + - The IPP backend did not work with some configurations of Windows + (STR #4503) + - RPMs did not build (STR #4490) + - Added a USB quirk rule for the Brother HL-1250 (STR #4519) + - Fixed compiles on unsupported platforms (STR #4510) + - "cancel -a" did not cancel all jobs on all destinations (STR #4513) + - The web interface did not work on OpenBSD (STR #4496) + + CHANGES IN CUPS V2.0.0 - The scheduler did not preserve listener sockets from launchd or diff --git a/INSTALL.txt b/INSTALL.txt index d05de97ec5..0609e6e25a 100644 --- a/INSTALL.txt +++ b/INSTALL.txt @@ -1,4 +1,4 @@ -INSTALL - CUPS v2.0.0 - 2014-10-01 +INSTALL - CUPS v2.0.1 - 2014-11-14 ---------------------------------- This file describes how to compile and install CUPS from source code. For more diff --git a/README.txt b/README.txt index a2f12f2dce..4ce7eaee19 100644 --- a/README.txt +++ b/README.txt 
@@ -1,4 +1,4 @@ -README - CUPS v2.0.0 - 2014-10-01 +README - CUPS v2.0.1 - 2014-11-14 --------------------------------- Looking for compile instructions? Read the file "INSTALL.txt" instead... diff --git a/backend/org.cups.usb-quirks b/backend/org.cups.usb-quirks index aecb9ea696..6566b73bc9 100644 --- a/backend/org.cups.usb-quirks +++ b/backend/org.cups.usb-quirks @@ -84,6 +84,9 @@ # Canon, Inc. MF4150 Printer, https://bugs.launchpad.net/bugs/1160638 0x04a9 0x26a3 no-reattach +# Brother Industries, Ltd HL-1250 Laser Printer, https://bugs.debian.org/712512 +0x04f9 0x0007 no-reattach + # Brother Industries, Ltd HL-1430 Laser Printer, https://bugs.launchpad.net/bugs/1038695 0x04f9 0x001a no-reattach diff --git a/backend/snmp-supplies.c b/backend/snmp-supplies.c index 4b1f138675..93d0ff114f 100644 --- a/backend/snmp-supplies.c +++ b/backend/snmp-supplies.c @@ -1,5 +1,5 @@ /* - * "$Id: snmp-supplies.c 11558 2014-02-06 18:33:34Z msweet $" + * "$Id: snmp-supplies.c 12228 2014-10-21 13:42:05Z msweet $" * * SNMP supplies functions for CUPS. * @@ -297,6 +297,7 @@ backendSNMPSupplies( else new_supply_state |= CUPS_OPC_NEAR_EOL; break; +#if 0 /* Because no two vendors report waste containers the same, disable SNMP reporting of same */ case CUPS_TC_wasteInk : case CUPS_TC_wastePaper : case CUPS_TC_wasteToner : @@ -307,6 +308,7 @@ backendSNMPSupplies( else new_supply_state |= CUPS_WASTE_ALMOST_FULL; break; +#endif /* 0 */ case CUPS_TC_cleanerUnit : case CUPS_TC_fuserCleaningPad : if (percent <= 1) @@ -1096,5 +1098,5 @@ utf16_to_utf8( /* - * End of "$Id: snmp-supplies.c 11558 2014-02-06 18:33:34Z msweet $". + * End of "$Id: snmp-supplies.c 12228 2014-10-21 13:42:05Z msweet $". */ diff --git a/conf/cups-files.conf.in b/conf/cups-files.conf.in index f3f702321a..71683a6549 100644 --- a/conf/cups-files.conf.in +++ b/conf/cups-files.conf.in 
@@ -15,6 +15,7 @@ #Group @CUPS_GROUP@ # Administrator user group, used to match @SYSTEM in cupsd.conf policy rules... +# This cannot contain the Group value for security reasons... SystemGroup @CUPS_SYSTEM_GROUPS@ @CUPS_SYSTEM_AUTHKEY@ diff --git a/config-scripts/cups-common.m4 b/config-scripts/cups-common.m4 index 88aaabbc11..30b04233ac 100644 --- a/config-scripts/cups-common.m4 +++ b/config-scripts/cups-common.m4 @@ -1,5 +1,5 @@ dnl -dnl "$Id: cups-common.m4 12180 2014-10-01 12:08:02Z msweet $" +dnl "$Id: cups-common.m4 12195 2014-10-02 18:45:59Z msweet $" dnl dnl Common configuration stuff for CUPS. dnl @@ -20,7 +20,7 @@ dnl Set the name of the config header file... AC_CONFIG_HEADER(config.h) dnl Version number information... -CUPS_VERSION=2.0.0 +CUPS_VERSION=2.0.1 CUPS_REVISION= #if test -z "$CUPS_REVISION" -a -d .svn; then # CUPS_REVISION="-r`svnversion . | awk -F: '{print $NF}' | sed -e '1,$s/[[a-zA-Z]]*//g'`" @@ -462,5 +462,5 @@ esac AC_SUBST(BUILDDIRS) dnl -dnl End of "$Id: cups-common.m4 12180 2014-10-01 12:08:02Z msweet $". +dnl End of "$Id: cups-common.m4 12195 2014-10-02 18:45:59Z msweet $". dnl diff --git a/configure b/configure index 5a7a5dfe39..0598fdb3c5 100755 --- a/configure +++ b/configure @@ -2520,7 +2520,7 @@ esac ac_config_headers="$ac_config_headers config.h" -CUPS_VERSION=2.0.0 +CUPS_VERSION=2.0.1 CUPS_REVISION= #if test -z "$CUPS_REVISION" -a -d .svn; then # CUPS_REVISION="-r`svnversion . | awk -F: '{print $NF}' | sed -e '1,$s/[[a-zA-Z]]*//g'`" 
@@ -10101,7 +10101,7 @@ fi -ac_config_files="$ac_config_files Makedefs conf/cups-files.conf conf/cupsd.conf conf/mime.convs conf/pam.std conf/snmp.conf cups-config data/testprint desktop/cups.desktop doc/index.html man/client.conf.man man/cups-files.conf.man man/cups-lpd.man man/cups-snmp.man man/cupsaddsmb.man man/cupsd.conf.man man/cupsd.man man/lpoptions.man scheduler/cups-lpd.xinetd scheduler/cups.sh scheduler/cups.xml scheduler/org.cups.cups-lpd.plist scheduler/org.cups.cupsd.path scheduler/org.cups.cupsd.service scheduler/org.cups.cupsd.socket templates/header.tmpl packaging/cups.list $LANGFILES" +ac_config_files="$ac_config_files Makedefs conf/cups-files.conf conf/cupsd.conf conf/mime.convs conf/pam.std conf/snmp.conf cups-config data/testprint desktop/cups.desktop doc/index.html man/client.conf.man man/cups-files.conf.man man/cups-lpd.man man/cups-snmp.man man/cupsaddsmb.man man/cupsd.conf.man man/cupsd.man man/lpoptions.man scheduler/cups-lpd.xinetd scheduler/cups.sh scheduler/cups.xml scheduler/org.cups.cups-lpd.plist scheduler/org.cups.cups-lpdAT.service scheduler/org.cups.cupsd.path scheduler/org.cups.cupsd.service scheduler/org.cups.cupsd.socket templates/header.tmpl packaging/cups.list $LANGFILES" cat >confcache <<\_ACEOF # This file is a shell script that caches the results of configure 
@@ -10828,6 +10828,7 @@ do "scheduler/cups.sh") CONFIG_FILES="$CONFIG_FILES scheduler/cups.sh" ;; "scheduler/cups.xml") CONFIG_FILES="$CONFIG_FILES scheduler/cups.xml" ;; "scheduler/org.cups.cups-lpd.plist") CONFIG_FILES="$CONFIG_FILES scheduler/org.cups.cups-lpd.plist" ;; + "scheduler/org.cups.cups-lpdAT.service") CONFIG_FILES="$CONFIG_FILES scheduler/org.cups.cups-lpdAT.service" ;; "scheduler/org.cups.cupsd.path") CONFIG_FILES="$CONFIG_FILES scheduler/org.cups.cupsd.path" ;; "scheduler/org.cups.cupsd.service") CONFIG_FILES="$CONFIG_FILES scheduler/org.cups.cupsd.service" ;; "scheduler/org.cups.cupsd.socket") CONFIG_FILES="$CONFIG_FILES scheduler/org.cups.cupsd.socket" ;; diff --git a/configure.ac b/configure.ac index 21d7f93a76..26b7b713e3 100644 --- a/configure.ac +++ b/configure.ac @@ -1,5 +1,5 @@ dnl -dnl "$Id: configure.ac 11823 2014-04-21 12:22:03Z msweet $" +dnl "$Id: configure.ac 12222 2014-10-21 11:55:01Z msweet $" dnl dnl Configuration script for CUPS. dnl @@ -81,6 +81,7 @@ AC_OUTPUT(Makedefs scheduler/cups.sh scheduler/cups.xml scheduler/org.cups.cups-lpd.plist + scheduler/org.cups.cups-lpdAT.service scheduler/org.cups.cupsd.path scheduler/org.cups.cupsd.service scheduler/org.cups.cupsd.socket @@ -91,5 +92,5 @@ AC_OUTPUT(Makedefs chmod +x cups-config dnl -dnl End of "$Id: configure.ac 11823 2014-04-21 12:22:03Z msweet $". +dnl End of "$Id: configure.ac 12222 2014-10-21 11:55:01Z msweet $". dnl diff --git a/cups/auth.c b/cups/auth.c index 048dd4f08a..4b4c936adb 100644 --- a/cups/auth.c +++ b/cups/auth.c @@ -1,5 +1,5 @@ /* - * "$Id: auth.c 11776 2014-03-28 19:16:05Z msweet $" + * "$Id: auth.c 12230 2014-10-21 13:55:24Z msweet $" * * Authentication functions for CUPS. * 
@@ -761,7 +761,7 @@ cups_local_auth(http_t *http) /* I - HTTP connection to server */ if ( # ifdef HAVE_GSSAPI - strncmp(http->fields[HTTP_FIELD_WWW_AUTHENTICATE], "Negotiate", 9) && + _cups_strncasecmp(http->fields[HTTP_FIELD_WWW_AUTHENTICATE], "Negotiate", 9) && # endif /* HAVE_GSSAPI */ # ifdef HAVE_AUTHORIZATION_H !httpGetSubField2(http, HTTP_FIELD_WWW_AUTHENTICATE, "authkey", @@ -808,7 +808,7 @@ cups_local_auth(http_t *http) /* I - HTTP connection to server */ filename, strerror(errno))); # ifdef HAVE_GSSAPI - if (!strncmp(http->fields[HTTP_FIELD_WWW_AUTHENTICATE], "Negotiate", 9)) + if (!_cups_strncasecmp(http->fields[HTTP_FIELD_WWW_AUTHENTICATE], "Negotiate", 9)) { /* * Kerberos required, don't try the root certificate... @@ -876,5 +876,5 @@ cups_local_auth(http_t *http) /* I - HTTP connection to server */ /* - * End of "$Id: auth.c 11776 2014-03-28 19:16:05Z msweet $". + * End of "$Id: auth.c 12230 2014-10-21 13:55:24Z msweet $". */ diff --git a/cups/cups.h b/cups/cups.h index b7047dae5b..e8bf4cc9d2 100644 --- a/cups/cups.h +++ b/cups/cups.h @@ -1,5 +1,5 @@ /* - * "$Id: cups.h 12094 2014-08-19 12:15:11Z msweet $" + * "$Id: cups.h 12195 2014-10-02 18:45:59Z msweet $" * * API definitions for CUPS. * @@ -49,10 +49,10 @@ extern "C" { * Constants... */ -# define CUPS_VERSION 2.0000 +# define CUPS_VERSION 2.0001 # define CUPS_VERSION_MAJOR 2 # define CUPS_VERSION_MINOR 0 -# define CUPS_VERSION_PATCH 0 +# define CUPS_VERSION_PATCH 1 # define CUPS_BC_FD 3 /* Back-channel file descriptor for @@ -628,5 +628,5 @@ extern int cupsSetServerCredentials(const char *path, const char *common_name, #endif /* !_CUPS_CUPS_H_ */ /* - * End of "$Id: cups.h 12094 2014-08-19 12:15:11Z msweet $". + * End of "$Id: cups.h 12195 2014-10-02 18:45:59Z msweet $". */ diff --git a/cups/http-private.h b/cups/http-private.h index 2c18052c5c..7156bf8690 100644 --- a/cups/http-private.h +++ b/cups/http-private.h 
@@ -1,5 +1,5 @@ /* - * "$Id: http-private.h 12126 2014-08-28 16:02:00Z msweet $" + * "$Id: http-private.h 12243 2014-11-12 12:12:59Z msweet $" * * Private HTTP definitions for CUPS. * @@ -161,6 +161,9 @@ extern "C" { #define _HTTP_RESOLVE_FQDN 2 /* Resolve to a FQDN */ #define _HTTP_RESOLVE_FAXOUT 4 /* Resolve FaxOut service? */ +#define _HTTP_TLS_ALLOW_RC4 1 /* Allow RC4 cipher suites */ +#define _HTTP_TLS_ALLOW_SSL3 2 /* Allow SSL 3.0 */ + /* * Types and functions for SSL support... @@ -420,6 +423,7 @@ extern void _httpTLSInitialize(void); extern size_t _httpTLSPending(http_t *http); extern int _httpTLSRead(http_t *http, char *buf, int len); extern int _httpTLSSetCredentials(http_t *http); +extern void _httpTLSSetOptions(int options); extern int _httpTLSStart(http_t *http); extern void _httpTLSStop(http_t *http); extern int _httpTLSWrite(http_t *http, const char *buf, int len); @@ -438,5 +442,5 @@ extern int _httpWait(http_t *http, int msec, int usessl); #endif /* !_CUPS_HTTP_PRIVATE_H_ */ /* - * End of "$Id: http-private.h 12126 2014-08-28 16:02:00Z msweet $". + * End of "$Id: http-private.h 12243 2014-11-12 12:12:59Z msweet $". */ diff --git a/cups/http.c b/cups/http.c index b5cf4e167b..23d56d2de0 100644 --- a/cups/http.c +++ b/cups/http.c @@ -1,5 +1,5 @@ /* - * "$Id: http.c 12125 2014-08-28 15:49:29Z msweet $" + * "$Id: http.c 12230 2014-10-21 13:55:24Z msweet $" * * HTTP routines for CUPS. * 
@@ -2702,6 +2702,19 @@ httpSetField(http_t *http, /* I - HTTP connection */ http->server = _cupsStrAlloc(value); break; + case HTTP_FIELD_WWW_AUTHENTICATE : + /* CUPS STR #4503 - don't override WWW-Authenticate for unknown auth schemes */ + if (http->fields[HTTP_FIELD_WWW_AUTHENTICATE][0] && + _cups_strncasecmp(value, "Basic ", 6) && + _cups_strncasecmp(value, "Digest ", 7) && + _cups_strncasecmp(value, "Negotiate ", 10)) + { + DEBUG_printf(("1httpSetField: Ignoring unknown auth scheme in \"%s\".", value)); + return; + } + + /* Fall through to copy */ + default : strlcpy(http->fields[field], value, HTTP_MAX_VALUE); break; @@ -3611,6 +3624,17 @@ httpWriteResponse(http_t *http, /* I - HTTP connection */ return (-1); } } + + /* + * "Click-jacking" defense (STR #4492)... + */ + + if (httpPrintf(http, "X-Frame-Options: DENY\r\n" + "Content-Security-Policy: frame-ancestors 'none'\r\n") < 1) + { + http->status = HTTP_STATUS_ERROR; + return (-1); + } } if (httpWrite2(http, "\r\n", 2) < 2) @@ -4826,5 +4850,5 @@ http_write_chunk(http_t *http, /* I - HTTP connection */ /* - * End of "$Id: http.c 12125 2014-08-28 15:49:29Z msweet $". + * End of "$Id: http.c 12230 2014-10-21 13:55:24Z msweet $". */ diff --git a/cups/ipp-support.c b/cups/ipp-support.c index 926be7a5ee..88e4065f9c 100644 --- a/cups/ipp-support.c +++ b/cups/ipp-support.c @@ -1,5 +1,5 @@ /* - * "$Id: ipp-support.c 12095 2014-08-19 16:16:06Z msweet $" + * "$Id: ipp-support.c 12194 2014-10-02 18:44:36Z msweet $" * * Internet Printing Protocol support functions for CUPS. * @@ -2223,6 +2223,14 @@ ipp_col_string(ipp_t *col, /* I - Collection attribute */ ipp_attribute_t *attr; /* Current member attribute */ + if (!col) + { + if (buffer) + *buffer = '\0'; + + return (0); + } + bufptr = buffer; bufend = buffer + bufsize - 1; 
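Review bot: The scheme test in the new HTTP_FIELD_WWW_AUTHENTICATE case requires a space after the scheme name, so a bare `WWW-Authenticate: Negotiate` challenge with no token (a form RFC 4559 allows) that arrives after another WWW-Authenticate header is classified as an unknown scheme and dropped, and the earlier header wins. The auth.c hunk in this same patch matches only the 9 characters of `Negotiate`, so the two sides of the library disagree about what counts as Negotiate. Matching the name without the trailing space, e.g. `_cups_strncasecmp(value, "Negotiate", 9)` (5 and 6 for Basic and Digest), and then accepting either end-of-string or whitespace after it keeps the STR #4503 intent without rejecting the bare form. httpSetField's switch begins and ends outside the hunk.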
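Review bot: The new NULL guard in ipp_col_string writes `*buffer = '\0'` whenever buffer is non-NULL without looking at bufsize, so a caller that passes a non-NULL buffer with bufsize 0 would get a one-byte write past the end. The line just below it, `bufend = buffer + bufsize - 1`, already assumes bufsize is at least 1, so the guard should be `if (buffer && bufsize > 0)` to keep the two consistent. ipp_col_string's body continues outside the hunk.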
@@ -2263,5 +2271,5 @@ ipp_col_string(ipp_t *col, /* I - Collection attribute */ /* - * End of "$Id: ipp-support.c 12095 2014-08-19 16:16:06Z msweet $". + * End of "$Id: ipp-support.c 12194 2014-10-02 18:44:36Z msweet $". */ diff --git a/cups/tls-darwin.c b/cups/tls-darwin.c index be788a608a..3509a47667 100644 --- a/cups/tls-darwin.c +++ b/cups/tls-darwin.c @@ -1,5 +1,5 @@ /* - * "$Id: tls-darwin.c 12159 2014-09-23 14:56:14Z msweet $" + * "$Id: tls-darwin.c 12215 2014-10-20 18:24:56Z msweet $" * * TLS support code for CUPS on OS X. * @@ -26,6 +26,14 @@ extern char **environ; +/* + * Test define - set to 1 to use SSLSetEnabledCiphers. Currently disabled (0) + * because of . + */ + +#define USE_SET_ENABLED_CIPHERS 0 + + /* * Local globals... */ @@ -41,6 +49,7 @@ static char *tls_keypath = NULL; /* Server cert keychain path */ static _cups_mutex_t tls_mutex = _CUPS_MUTEX_INITIALIZER; /* Mutex for keychain/certs */ +static int tls_options = 0;/* Options for TLS connections */ #endif /* HAVE_SECKEYCHAINOPEN */ @@ -972,6 +981,17 @@ _httpTLSRead(http_t *http, /* I - HTTP connection */ } +/* + * '_httpTLSSetOptions()' - Set TLS protocol and cipher suite options. + */ + +void +_httpTLSSetOptions(int options) /* I - Options */ +{ + tls_options = options; +} + + /* * '_httpTLSStart()' - Set up SSL/TLS support on a connection. */ 
@@ -1033,9 +1053,108 @@ _httpTLSStart(http_t *http) /* I - HTTP connection */ { error = SSLSetSessionOption(http->tls, kSSLSessionOptionBreakOnServerAuth, true); - DEBUG_printf(("4_httpTLSStart: SSLSetSessionOption, error=%d", - (int)error)); + DEBUG_printf(("4_httpTLSStart: SSLSetSessionOption, error=%d", (int)error)); + } + + if (!error) + { + error = SSLSetProtocolVersionMin(http->tls, (tls_options & _HTTP_TLS_ALLOW_SSL3) ? kSSLProtocol3 : kTLSProtocol1); + DEBUG_printf(("4_httpTLSStart: SSLSetProtocolVersionMin, error=%d", (int)error)); + } + +# if USE_SET_ENABLED_CIPHERS + if (!error) + { + SSLCipherSuite supported[100]; /* Supported cipher suites */ + size_t num_supported; /* Number of supported cipher suites */ + SSLCipherSuite enabled[100]; /* Cipher suites to enable */ + size_t num_enabled; /* Number of cipher suites to enable */ + + num_supported = sizeof(supported) / sizeof(supported[0]); + error = SSLGetSupportedCiphers(http->tls, supported, &num_supported); + + if (!error) + { + DEBUG_printf(("4_httpTLSStart: %d cipher suites supported.", (int)num_supported)); + + for (i = 0, num_enabled = 0; i < (int)num_supported && num_enabled < (sizeof(enabled) / sizeof(enabled[0])); i ++) + { + switch (supported[i]) + { + /* Obviously insecure cipher suites that we never want to use */ + case SSL_NULL_WITH_NULL_NULL : + case SSL_RSA_WITH_NULL_MD5 : + case SSL_RSA_WITH_NULL_SHA : + case SSL_RSA_EXPORT_WITH_RC4_40_MD5 : + case SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 : + case SSL_RSA_EXPORT_WITH_DES40_CBC_SHA : + case SSL_RSA_WITH_DES_CBC_SHA : + case SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA : + case SSL_DH_DSS_WITH_DES_CBC_SHA : + case SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA : + case SSL_DH_RSA_WITH_DES_CBC_SHA : + case SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA : + case SSL_DHE_DSS_WITH_DES_CBC_SHA : + case SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA : + case SSL_DHE_RSA_WITH_DES_CBC_SHA : + case SSL_DH_anon_EXPORT_WITH_RC4_40_MD5 : + case SSL_DH_anon_WITH_RC4_128_MD5 : + case 
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA : + case SSL_DH_anon_WITH_DES_CBC_SHA : + case SSL_DH_anon_WITH_3DES_EDE_CBC_SHA : + case SSL_FORTEZZA_DMS_WITH_NULL_SHA : + case TLS_DH_anon_WITH_AES_128_CBC_SHA : + case TLS_DH_anon_WITH_AES_256_CBC_SHA : + case TLS_ECDH_ECDSA_WITH_NULL_SHA : + case TLS_ECDHE_RSA_WITH_NULL_SHA : + case TLS_ECDH_anon_WITH_NULL_SHA : + case TLS_ECDH_anon_WITH_RC4_128_SHA : + case TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA : + case TLS_ECDH_anon_WITH_AES_128_CBC_SHA : + case TLS_ECDH_anon_WITH_AES_256_CBC_SHA : + case TLS_RSA_WITH_NULL_SHA256 : + case TLS_DH_anon_WITH_AES_128_CBC_SHA256 : + case TLS_DH_anon_WITH_AES_256_CBC_SHA256 : + case TLS_PSK_WITH_NULL_SHA : + case TLS_DHE_PSK_WITH_NULL_SHA : + case TLS_RSA_PSK_WITH_NULL_SHA : + case TLS_DH_anon_WITH_AES_128_GCM_SHA256 : + case TLS_DH_anon_WITH_AES_256_GCM_SHA384 : + case TLS_PSK_WITH_NULL_SHA256 : + case TLS_PSK_WITH_NULL_SHA384 : + case TLS_DHE_PSK_WITH_NULL_SHA256 : + case TLS_DHE_PSK_WITH_NULL_SHA384 : + case TLS_RSA_PSK_WITH_NULL_SHA256 : + case TLS_RSA_PSK_WITH_NULL_SHA384 : + case SSL_RSA_WITH_DES_CBC_MD5 : + break; + + /* RC4 cipher suites that should only be used as a last resort */ + case SSL_RSA_WITH_RC4_128_MD5 : + case SSL_RSA_WITH_RC4_128_SHA : + case TLS_ECDH_ECDSA_WITH_RC4_128_SHA : + case TLS_ECDHE_ECDSA_WITH_RC4_128_SHA : + case TLS_ECDH_RSA_WITH_RC4_128_SHA : + case TLS_ECDHE_RSA_WITH_RC4_128_SHA : + case TLS_PSK_WITH_RC4_128_SHA : + case TLS_DHE_PSK_WITH_RC4_128_SHA : + case TLS_RSA_PSK_WITH_RC4_128_SHA : + if (tls_options & _HTTP_TLS_ALLOW_RC4) + enabled[num_enabled ++] = supported[i]; + break; + + /* Anything else we'll assume is secure */ + default : + enabled[num_enabled ++] = supported[i]; + break; + } + } + + DEBUG_printf(("4_httpTLSStart: %d cipher suites enabled.", (int)num_enabled)); + error = SSLSetEnabledCiphers(http->tls, enabled, num_enabled); + } } +#endif /* USE_SET_ENABLED_CIPHERS */ if (!error && http->mode == _HTTP_MODE_CLIENT) { 
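Review bot: With `USE_SET_ENABLED_CIPHERS` defined to 0 earlier in this file, the entire cipher-suite filter in this hunk is compiled out, so on the Darwin backend the `AllowRC4` option and the default exclusion of NULL, anonymous, export and RC4 suites promised by the new man-page text have no effect; only the `SSLSetProtocolVersionMin` call is live, and it merely raises the floor to TLS 1.0. The comment that introduces the macro in the earlier hunk of this file ends with `because of .`, so the reason the filter is disabled has been lost and a later maintainer cannot tell whether it is safe to turn on; that reference should be restored, or the man page should state that cipher-suite restrictions are not applied on OS X. The loop index `i` used in the disabled block is not declared in this hunk; presumably it is a function-level local, but confirm before enabling the macro. _httpTLSStart begins and ends outside the hunk.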
@@ -1660,5 +1779,5 @@ http_cdsa_write( /* - * End of "$Id: tls-darwin.c 12159 2014-09-23 14:56:14Z msweet $". + * End of "$Id: tls-darwin.c 12215 2014-10-20 18:24:56Z msweet $". */ diff --git a/cups/tls-gnutls.c b/cups/tls-gnutls.c index 36331d4375..e8a795c414 100644 --- a/cups/tls-gnutls.c +++ b/cups/tls-gnutls.c @@ -1,5 +1,5 @@ /* - * "$Id: tls-gnutls.c 12159 2014-09-23 14:56:14Z msweet $" + * "$Id: tls-gnutls.c 12215 2014-10-20 18:24:56Z msweet $" * * TLS support code for CUPS using GNU TLS. * @@ -36,6 +36,7 @@ static char *tls_keypath = NULL; /* Server cert keychain path */ static _cups_mutex_t tls_mutex = _CUPS_MUTEX_INITIALIZER; /* Mutex for keychain/certs */ +static int tls_options = 0;/* Options for TLS connections */ /* @@ -1001,6 +1002,17 @@ _httpTLSSetCredentials(http_t *http) /* I - Connection to server */ } +/* + * '_httpTLSSetOptions()' - Set TLS protocol and cipher suite options. + */ + +void +_httpTLSSetOptions(int options) /* I - Options */ +{ + tls_options = options; +} + + /* * '_httpTLSStart()' - Set up SSL/TLS support on a connection. */ @@ -1185,6 +1197,15 @@ _httpTLSStart(http_t *http) /* I - Connection to server */ return (-1); } + if (!tls_options) + gnutls_priority_set_direct(http->tls, "NORMAL:-ARCFOUR-128:VERS-TLS-ALL:-VERS-SSL3.0", NULL); + else if ((tls_options & _HTTP_TLS_ALLOW_SSL3) && (tls_options & _HTTP_TLS_ALLOW_RC4)) + gnutls_priority_set_direct(http->tls, "NORMAL", NULL); + else if (tls_options & _HTTP_TLS_ALLOW_SSL3) + gnutls_priority_set_direct(http->tls, "NORMAL:-ARCFOUR-128:VERS-TLS-ALL", NULL); + else + gnutls_priority_set_direct(http->tls, "NORMAL:VERS-TLS-ALL:-VERS-SSL3.0", NULL); + gnutls_transport_set_ptr(http->tls, (gnutls_transport_ptr_t)http); gnutls_transport_set_pull_function(http->tls, http_gnutls_read); #ifdef HAVE_GNUTLS_TRANSPORT_SET_PULL_TIMEOUT_FUNCTION 
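Review bot: The return value of each `gnutls_priority_set_direct` call in the _httpTLSStart hunk is discarded, so if the priority string is rejected (for example a GnuTLS build that does not know `-ARCFOUR-128` or `VERS-TLS-ALL`), the session silently keeps the library default, which may still include SSL 3.0 and RC4, the very things the option exists to exclude. Selecting the string once and checking the single call lets a failure be handled like the other setup errors in this function; the cleanup should mirror the error path whose `return (-1)` opens the hunk. _httpTLSStart begins and ends outside the hunk.
```c
  const char *priority;			/* GnuTLS priority string */

  if (!tls_options)
    priority = "NORMAL:-ARCFOUR-128:VERS-TLS-ALL:-VERS-SSL3.0";
  else if ((tls_options & _HTTP_TLS_ALLOW_SSL3) && (tls_options & _HTTP_TLS_ALLOW_RC4))
    priority = "NORMAL";
  else if (tls_options & _HTTP_TLS_ALLOW_SSL3)
    priority = "NORMAL:-ARCFOUR-128:VERS-TLS-ALL";
  else
    priority = "NORMAL:VERS-TLS-ALL:-VERS-SSL3.0";

  if (gnutls_priority_set_direct(http->tls, priority, NULL) != GNUTLS_E_SUCCESS)
  {
    DEBUG_printf(("4_httpTLSStart: Unable to set priority \"%s\".", priority));
    /* … same cleanup as the error path above the hunk … */
    return (-1);
  }

  gnutls_transport_set_ptr(http->tls, (gnutls_transport_ptr_t)http);
  /* … unchanged: pull/push transport setup … */
```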
@@ -1292,5 +1313,5 @@ _httpTLSWrite(http_t *http, /* I - Connection to server */ /* - * End of "$Id: tls-gnutls.c 12159 2014-09-23 14:56:14Z msweet $". + * End of "$Id: tls-gnutls.c 12215 2014-10-20 18:24:56Z msweet $". */ diff --git a/cups/tls-sspi.c b/cups/tls-sspi.c index 171fa45bf6..b8e4a3faef 100644 --- a/cups/tls-sspi.c +++ b/cups/tls-sspi.c @@ -1,7 +1,8 @@ /* - * "$Id: tls-sspi.c 12159 2014-09-23 14:56:14Z msweet $" + * "$Id: tls-sspi.c 12215 2014-10-20 18:24:56Z msweet $" * - * TLS support for CUPS on Windows using SSPI. + * TLS support for CUPS on Windows using the Security Support Provider + * Interface (SSPI). * * Copyright 2010-2014 by Apple Inc. * @@ -48,6 +49,14 @@ # define SECURITY_FLAG_IGNORE_CERT_DATE_INVALID 0x00002000 /* Expired X509 Cert. */ #endif /* !SECURITY_FLAG_IGNORE_CERT_DATE_INVALID */ + +/* + * Local globals... + */ + +static int tls_options = 0;/* Options for TLS connections */ + + /* * Local functions... */ @@ -896,6 +905,17 @@ _httpTLSRead(http_t *http, /* I - HTTP connection */ } +/* + * '_httpTLSSetOptions()' - Set TLS protocol and cipher suite options. + */ + +void +_httpTLSSetOptions(int options) /* I - Options */ +{ + tls_options = options; +} + + /* * '_httpTLSStart()' - Set up SSL/TLS support on a connection. */ 
@@ -1727,11 +1747,43 @@ http_sspi_find_credentials( SchannelCred.paCred = &storedContext; /* - * SSPI doesn't seem to like it if grbitEnabledProtocols is set for a client. + * Set supported protocols (can also be overriden in the registry...) */ +#ifdef SP_PROT_TLS1_2_SERVER if (http->mode == _HTTP_MODE_SERVER) - SchannelCred.grbitEnabledProtocols = SP_PROT_SSL3TLS1; + { + if (tls_options & _HTTP_TLS_ALLOW_SSL3) + SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_2_SERVER | SP_PROT_TLS1_1_SERVER | SP_PROT_TLS1_0_SERVER | SP_PROT_SSL3_SERVER; + else + SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_2_SERVER | SP_PROT_TLS1_1_SERVER | SP_PROT_TLS1_0_SERVER; + } + else + { + if (tls_options & _HTTP_TLS_ALLOW_SSL3) + SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_2_CLIENT | SP_PROT_TLS1_1_CLIENT | SP_PROT_TLS1_0_CLIENT | SP_PROT_SSL3_CLIENT; + else + SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_2_CLIENT | SP_PROT_TLS1_1_CLIENT | SP_PROT_TLS1_0_CLIENT; + } + +#else + if (http->mode == _HTTP_MODE_SERVER) + { + if (tls_options & _HTTP_TLS_ALLOW_SSL3) + SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_SERVER | SP_PROT_SSL3_SERVER; + else + SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_SERVER; + } + else + { + if (tls_options & _HTTP_TLS_ALLOW_SSL3) + SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_CLIENT | SP_PROT_SSL3_CLIENT; + else + SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_CLIENT; + } +#endif /* SP_PROT_TLS1_2_SERVER */ + + /* TODO: Support _HTTP_TLS_ALLOW_RC4 option; right now we'll rely on Windows registry to enable/disable RC4... */ /* * Create an SSPI credential. @@ -2361,5 +2413,5 @@ http_sspi_verify( /* - * End of "$Id: tls-sspi.c 12159 2014-09-23 14:56:14Z msweet $". + * End of "$Id: tls-sspi.c 12215 2014-10-20 18:24:56Z msweet $". */ diff --git a/cups/usersys.c b/cups/usersys.c index 8b00cb8cd7..2e5472b105 100644 --- a/cups/usersys.c +++ b/cups/usersys.c 
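Review bot: With tls_options at its default of 0 this hunk disables SSL 3.0 but, as the closing TODO admits, leaves cipher-suite selection entirely to the system Schannel policy, so on Windows the new man-page statement that CUPS defaults to "known secure cipher suites" is not enforced by CUPS and `AllowRC4` is parsed but ignored. If restricting RC4 here is wanted, SCHANNEL_CRED's `palgSupportedAlgs`/`cSupportedAlgs` is the documented hook; otherwise the man page should say this backend defers to the registry. The comment being replaced warned that SSPI misbehaved when grbitEnabledProtocols was set for a client, and the new code sets it for clients on both sides of the `#ifdef`; presumably this was verified on current Windows, but the commit does not say why the earlier caveat no longer applies, so it is worth confirming on an older Schannel. The new comment misspells `overriden` (should be `overridden`). http_sspi_find_credentials begins and ends outside the hunk.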
@@ -1,5 +1,5 @@ /* - * "$Id: usersys.c 12124 2014-08-28 15:37:22Z msweet $" + * "$Id: usersys.c 12215 2014-10-20 18:24:56Z msweet $" * * User, system, and password routines for CUPS. * @@ -52,7 +52,8 @@ static void cups_read_client_conf(cups_file_t *fp, #endif /* HAVE_GSSAPI */ const char *cups_anyroot, const char *cups_expiredcerts, - const char *cups_validatecerts); + const char *cups_validatecerts, + int ssl_options); /* @@ -863,6 +864,30 @@ _cupsSetDefaults(void) if (cg->encryption == (http_encryption_t)-1 || !cg->server[0] || !cg->user[0] || !cg->ipp_port) { + /* + * Look for CUPS_SERVERROOT/client.conf... + */ + + snprintf(filename, sizeof(filename), "%s/client.conf", + cg->cups_serverroot); + fp = cupsFileOpen(filename, "r"); + + /* + * Read the configuration file and apply any environment variables; both + * functions handle NULL cups_file_t pointers... + */ + + cups_read_client_conf(fp, cg, cups_encryption, cups_server, cups_user, +#ifdef HAVE_GSSAPI + cups_gssservicename, +#endif /* HAVE_GSSAPI */ + cups_anyroot, cups_expiredcerts, cups_validatecerts, 1); + cupsFileClose(fp); + + /* + * Then user defaults, if it is safe to do so... + */ + # ifdef HAVE_GETEUID if ((geteuid() == getuid() || !getuid()) && getegid() == getgid() && (home = getenv("HOME")) != NULL) # elif !defined(WIN32) 
@@ -877,32 +902,19 @@ _cupsSetDefaults(void) snprintf(filename, sizeof(filename), "%s/.cups/client.conf", home); fp = cupsFileOpen(filename, "r"); - } - else - fp = NULL; - if (!fp) - { /* - * Look for CUPS_SERVERROOT/client.conf... + * Read the configuration file and apply any environment variables; both + * functions handle NULL cups_file_t pointers... */ - snprintf(filename, sizeof(filename), "%s/client.conf", - cg->cups_serverroot); - fp = cupsFileOpen(filename, "r"); - } - - /* - * Read the configuration file and apply any environment variables; both - * functions handle NULL cups_file_t pointers... - */ - - cups_read_client_conf(fp, cg, cups_encryption, cups_server, cups_user, + cups_read_client_conf(fp, cg, cups_encryption, cups_server, cups_user, #ifdef HAVE_GSSAPI - cups_gssservicename, + cups_gssservicename, #endif /* HAVE_GSSAPI */ - cups_anyroot, cups_expiredcerts, cups_validatecerts); - cupsFileClose(fp); + cups_anyroot, cups_expiredcerts, cups_validatecerts, 0); + cupsFileClose(fp); + } } } @@ -924,7 +936,8 @@ cups_read_client_conf( #endif /* HAVE_GSSAPI */ const char *cups_anyroot, /* I - CUPS_ANYROOT env var */ const char *cups_expiredcerts, /* I - CUPS_EXPIREDCERTS env var */ - const char *cups_validatecerts)/* I - CUPS_VALIDATECERTS env var */ + const char *cups_validatecerts,/* I - CUPS_VALIDATECERTS env var */ + int ssl_options) /* I - Allow setting of SSLOptions? */ { int linenum; /* Current line number */ char line[1024], /* Line from file */ 
@@ -996,6 +1009,43 @@ cups_read_client_conf( cups_gssservicename = gss_service_name; } #endif /* HAVE_GSSAPI */ + else if (ssl_options && !_cups_strcasecmp(line, "SSLOptions") && value) + { + /* + * SSLOptions [AllowRC4] [AllowSSL3] [None] + */ + + int options = 0; /* SSL/TLS options */ + char *start, /* Start of option */ + *end; /* End of option */ + + for (start = value; *start; start = end) + { + /* + * Find end of keyword... + */ + + end = start; + while (*end && !_cups_isspace(*end)) + end ++; + + if (*end) + *end++ = '\0'; + + /* + * Compare... + */ + + if (!_cups_strcasecmp(start, "AllowRC4")) + options |= _HTTP_TLS_ALLOW_RC4; + else if (!_cups_strcasecmp(start, "AllowSSL3")) + options |= _HTTP_TLS_ALLOW_SSL3; + else if (!_cups_strcasecmp(start, "None")) + options = 0; + } + + _httpTLSSetOptions(options); + } } /* @@ -1129,5 +1179,5 @@ cups_read_client_conf( /* - * End of "$Id: usersys.c 12124 2014-08-28 15:37:22Z msweet $". + * End of "$Id: usersys.c 12215 2014-10-20 18:24:56Z msweet $". */ diff --git a/cups/util.c b/cups/util.c index 753fbbccc7..89f8a26b9a 100644 --- a/cups/util.c +++ b/cups/util.c @@ -1,5 +1,5 @@ /* - * "$Id: util.c 12073 2014-07-31 00:58:00Z msweet $" + * "$Id: util.c 12220 2014-10-20 22:03:01Z msweet $" * * Printing utilities for CUPS. * @@ -846,10 +846,10 @@ cupsGetPPD3(http_t *http, /* I - HTTP connection or @code CUPS_HTTP_DEFAUL snprintf(ppdname, sizeof(ppdname), "%s/ppd/%s.ppd", cg->cups_serverroot, name); - if (!stat(ppdname, &ppdinfo)) + if (!stat(ppdname, &ppdinfo) && !access(ppdname, R_OK)) { /* - * OK, the file exists, use it! + * OK, the file exists and is readable, use it! */ if (buffer[0]) @@ -1655,5 +1655,5 @@ cups_get_printer_uri( /* - * End of "$Id: util.c 12073 2014-07-31 00:58:00Z msweet $". + * End of "$Id: util.c 12220 2014-10-20 22:03:01Z msweet $". */ diff --git a/doc/help/man-client.conf.html b/doc/help/man-client.conf.html index a25435927c..06093fb77a 100644 --- a/doc/help/man-client.conf.html 
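Review bot: The SSLOptions tokenizer silently ignores any keyword it does not recognise, so a misspelled `AllowSSL3` leaves the defaults in place with no diagnostic, and because `start = end` lands on the whitespace when two spaces separate words, the loop also produces empty tokens that are discarded the same way. Failing toward the stricter setting is the right direction, but an `else DEBUG_printf(("1cups_read_client_conf: Unknown SSLOptions value \"%s\".", start));` after the `None` branch makes a misconfiguration visible, and `while (*start && _cups_isspace(*start)) start ++;` at the top of the loop body removes the empty tokens. `None` is also order-dependent, clearing only the keywords that precede it on the line, whereas the man page presents it as a separate form; either document that or reject mixing. cups_read_client_conf begins and ends outside the hunk.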
+++ b/doc/help/man-client.conf.html @@ -38,6 +38,12 @@ CUPS adds the remote hostname ("name@server.example.com") for you. The default n Note: This directive it not supported on OS X 10.7 or later.
ServerName hostname-or-ip-address[:port]/version=1.1
Specifies the address and optionally the port to use when connecting to a server running CUPS 1.3.12 and earlier. +
SSLOptions [AllowRC4] [AllowSSL3] +
SSLOptions None +
Sets encryption options (only in /etc/cups/client.conf). +By default, CUPS only supports encryption using TLS v1.0 or higher using known secure cipher suites. +The AllowRC4 option enables the 128-bit RC4 cipher suites, which are required for some older clients that do not implement newer ones. +The AllowSSL3 option enables SSL v3.0, which is required for some older clients that do not support TLS v1.0.
User name
Specifies the default user name to use for requests.
ValidateCerts Yes diff --git a/doc/help/man-cupsd.conf.html b/doc/help/man-cupsd.conf.html index c627824a71..d6a927b6ac 100644 --- a/doc/help/man-cupsd.conf.html +++ b/doc/help/man-cupsd.conf.html @@ -303,6 +303,12 @@ The default is "Minimal".
SSLListen [ipv6-address]:port
SSLListen *:port
Listens on the specified address and port for encrypted connections. +
SSLOptions [AllowRC4] [AllowSSL3] +
SSLOptions None +
Sets encryption options. +By default, CUPS only supports encryption using TLS v1.0 or higher using known secure cipher suites. +The AllowRC4 option enables the 128-bit RC4 cipher suites, which are required for some older clients that do not implement newer ones. +The AllowSSL3 option enables SSL v3.0, which is required for some older clients that do not support TLS v1.0.
SSLPort port
Listens on the specified port for encrypted connections.
StrictConformance Yes diff --git a/man/client.conf.man.in b/man/client.conf.man.in index a32316e911..30e0d1ea03 100644 --- a/man/client.conf.man.in +++ b/man/client.conf.man.in @@ -1,5 +1,5 @@ .\" -.\" "$Id: client.conf.man.in 11851 2014-05-07 23:55:35Z msweet $" +.\" "$Id: client.conf.man.in 12215 2014-10-20 18:24:56Z msweet $" .\" .\" client.conf man page for CUPS. .\" @@ -12,7 +12,7 @@ .\" which should have been included with this file. If this file is .\" file is missing or damaged, see the license at "http://www.cups.org/". .\" -.TH client.conf 5 "CUPS" "7 May 2014" "Apple Inc." +.TH client.conf 5 "CUPS" "20 October 2014" "Apple Inc." .SH NAME client.conf \- client configuration file for cups (deprecated) .SH DESCRIPTION @@ -56,6 +56,14 @@ Specifies the address and optionally the port to use when connecting to the serv \fBServerName \fIhostname-or-ip-address\fR[\fI:port\fR]\fB/version=1.1\fR Specifies the address and optionally the port to use when connecting to a server running CUPS 1.3.12 and earlier. .TP 5 +\fBSSLOptions \fR[\fIAllowRC4\fR] [\fIAllowSSL3\fR] +.TP 5 +\fBSSLOptions None\fR +Sets encryption options (only in /etc/cups/client.conf). +By default, CUPS only supports encryption using TLS v1.0 or higher using known secure cipher suites. +The \fIAllowRC4\fR option enables the 128-bit RC4 cipher suites, which are required for some older clients that do not implement newer ones. +The \fIAllowSSL3\fR option enables SSL v3.0, which is required for some older clients that do not support TLS v1.0. +.TP 5 \fBUser \fIname\fR Specifies the default user name to use for requests. .TP 5 @@ -72,5 +80,5 @@ CUPS Online Help (http://localhost:631/help) .SH COPYRIGHT Copyright \[co] 2007-2014 by Apple Inc. .\" -.\" End of "$Id: client.conf.man.in 11851 2014-05-07 23:55:35Z msweet $". +.\" End of "$Id: client.conf.man.in 12215 2014-10-20 18:24:56Z msweet $". .\" diff --git a/man/cupsd.conf.man.in b/man/cupsd.conf.man.in index 3926a53242..dcbbff44ee 100644 
--- a/man/cupsd.conf.man.in +++ b/man/cupsd.conf.man.in @@ -1,5 +1,5 @@ .\" -.\" "$Id: cupsd.conf.man.in 12059 2014-07-28 14:04:32Z msweet $" +.\" "$Id: cupsd.conf.man.in 12215 2014-10-20 18:24:56Z msweet $" .\" .\" cupsd.conf man page for CUPS. .\" @@ -12,7 +12,7 @@ .\" which should have been included with this file. If this file is .\" file is missing or damaged, see the license at "http://www.cups.org/". .\" -.TH cupsd.conf 5 "CUPS" "28 July 2014" "Apple Inc." +.TH cupsd.conf 5 "CUPS" "20 October 2014" "Apple Inc." .SH NAME cupsd.conf \- server configuration file for cups .SH DESCRIPTION @@ -415,6 +415,14 @@ Set the specified environment variable to be passed to child processes. \fBSSLListen *:\fIport\fR Listens on the specified address and port for encrypted connections. .TP 5 +\fBSSLOptions \fR[\fIAllowRC4\fR] [\fIAllowSSL3\fR] +.TP 5 +\fBSSLOptions None\fR +Sets encryption options. +By default, CUPS only supports encryption using TLS v1.0 or higher using known secure cipher suites. +The \fIAllowRC4\fR option enables the 128-bit RC4 cipher suites, which are required for some older clients that do not implement newer ones. +The \fIAllowSSL3\fR option enables SSL v3.0, which is required for some older clients that do not support TLS v1.0. +.TP 5 \fBSSLPort \fIport\fR Listens on the specified port for encrypted connections. .TP 5 @@ -801,5 +809,5 @@ CUPS Online Help (http://localhost:631/help) .SH COPYRIGHT Copyright \[co] 2007-2014 by Apple Inc. .\" -.\" End of "$Id: cupsd.conf.man.in 12059 2014-07-28 14:04:32Z msweet $". +.\" End of "$Id: cupsd.conf.man.in 12215 2014-10-20 18:24:56Z msweet $". .\" diff --git a/packaging/cups.spec b/packaging/cups.spec index 0aa786f5a5..1c10ef05d1 100644 --- a/packaging/cups.spec +++ b/packaging/cups.spec @@ -1,5 +1,5 @@ # -# "$Id: cups.spec.in 12074 2014-07-31 01:10:14Z msweet $" +# "$Id: cups.spec.in 12222 2014-10-21 11:55:01Z msweet $" # # RPM "spec" file for CUPS. # 
@@ -44,12 +44,12 @@ Summary: CUPS Name: cups -Version: 2.0.0 +Version: 2.0.1 Release: 1 Epoch: 1 License: GPL Group: System Environment/Daemons -Source: http://www.cups.org/software/2.0.0/cups-2.0.0-source.tar.bz2 +Source: http://www.cups.org/software/2.0.1/cups-2.0.1-source.tar.bz2 Url: http://www.cups.org Packager: Anonymous Vendor: Apple Inc. @@ -180,7 +180,7 @@ rm -rf $RPM_BUILD_ROOT %if %{?_with_systemd:1}%{!?_with_systemd:0} # SystemD -/usr/lib/systemd/system/* +/usr/lib/systemd/system/org.cups.cupsd.* %else # Legacy init support on Linux @@ -268,8 +268,8 @@ rm -rf $RPM_BUILD_ROOT #/usr/share/doc/cups/ca/* #%dir /usr/share/doc/cups/cs #/usr/share/doc/cups/cs/* -#%dir /usr/share/doc/cups/es -#/usr/share/doc/cups/es/* +%dir /usr/share/doc/cups/es +/usr/share/doc/cups/es/* #%dir /usr/share/doc/cups/fr #/usr/share/doc/cups/fr/* #%dir /usr/share/doc/cups/ja @@ -379,7 +379,14 @@ rm -rf $RPM_BUILD_ROOT %files lpd %defattr(-,root,root) +%if %{?_with_systemd:1}%{!?_with_systemd:0} +# SystemD +/usr/lib/systemd/system/org.cups.cups-lpd* +%else +# Legacy xinetd /etc/xinetd.d/cups-lpd +%endif + %dir /usr/lib/cups %dir /usr/lib/cups/daemon /usr/lib/cups/daemon/cups-lpd @@ -388,5 +395,5 @@ rm -rf $RPM_BUILD_ROOT # -# End of "$Id: cups.spec.in 12074 2014-07-31 01:10:14Z msweet $". +# End of "$Id: cups.spec.in 12222 2014-10-21 11:55:01Z msweet $". # diff --git a/packaging/cups.spec.in b/packaging/cups.spec.in index dc942e68a4..efdab213e7 100644 --- a/packaging/cups.spec.in +++ b/packaging/cups.spec.in @@ -1,5 +1,5 @@ # -# "$Id: cups.spec.in 12074 2014-07-31 01:10:14Z msweet $" +# "$Id: cups.spec.in 12222 2014-10-21 11:55:01Z msweet $" # # RPM "spec" file for CUPS. # @@ -180,7 +180,7 @@ rm -rf $RPM_BUILD_ROOT %if %{?_with_systemd:1}%{!?_with_systemd:0} # SystemD -/usr/lib/systemd/system/* +/usr/lib/systemd/system/org.cups.cupsd.* %else # Legacy init support on Linux 
@@ -268,8 +268,8 @@ rm -rf $RPM_BUILD_ROOT #/usr/share/doc/cups/ca/* #%dir /usr/share/doc/cups/cs #/usr/share/doc/cups/cs/* -#%dir /usr/share/doc/cups/es -#/usr/share/doc/cups/es/* +%dir /usr/share/doc/cups/es +/usr/share/doc/cups/es/* #%dir /usr/share/doc/cups/fr #/usr/share/doc/cups/fr/* #%dir /usr/share/doc/cups/ja @@ -379,7 +379,14 @@ rm -rf $RPM_BUILD_ROOT %files lpd %defattr(-,root,root) +%if %{?_with_systemd:1}%{!?_with_systemd:0} +# SystemD +/usr/lib/systemd/system/org.cups.cups-lpd* +%else +# Legacy xinetd /etc/xinetd.d/cups-lpd +%endif + %dir /usr/lib/cups %dir /usr/lib/cups/daemon /usr/lib/cups/daemon/cups-lpd @@ -388,5 +395,5 @@ rm -rf $RPM_BUILD_ROOT # -# End of "$Id: cups.spec.in 12074 2014-07-31 01:10:14Z msweet $". +# End of "$Id: cups.spec.in 12222 2014-10-21 11:55:01Z msweet $". # diff --git a/scheduler/Makefile b/scheduler/Makefile index c0c54a4b6d..3e0884a211 100644 --- a/scheduler/Makefile +++ b/scheduler/Makefile @@ -1,9 +1,9 @@ # -# "$Id: Makefile 12132 2014-08-29 11:27:18Z msweet $" +# "$Id: Makefile 12222 2014-10-21 11:55:01Z msweet $" # # Scheduler Makefile for CUPS. # -# Copyright 2007-2013 by Apple Inc. +# Copyright 2007-2014 by Apple Inc. # Copyright 1997-2007 by Easy Software Products, all rights reserved. # # These coded instructions, statements, and computer programs are the @@ -206,8 +206,9 @@ install-data: $(INSTALL_DATA) org.cups.cupsd.path $(BUILDROOT)$(SYSTEMD_DIR); \ $(INSTALL_DATA) org.cups.cupsd.service $(BUILDROOT)$(SYSTEMD_DIR); \ $(INSTALL_DATA) org.cups.cupsd.socket $(BUILDROOT)$(SYSTEMD_DIR); \ - fi - if test "x$(XINETD)" != x; then \ + $(INSTALL_DATA) org.cups.cups-lpdAT.service $(BUILDROOT)$(SYSTEMD_DIR)/org.cups.cups-lpd@.service; \ + $(INSTALL_DATA) org.cups.cups-lpd.socket $(BUILDROOT)$(SYSTEMD_DIR); \ + elif test "x$(XINETD)" != x; then \ echo Installing xinetd configuration file for cups-lpd...; \ $(INSTALL_DIR) -m 755 $(BUILDROOT)$(XINETD); \ $(INSTALL_DATA) cups-lpd.xinetd $(BUILDROOT)$(XINETD)/cups-lpd; \ 
@@ -547,5 +548,5 @@ include Dependencies # -# End of "$Id: Makefile 12132 2014-08-29 11:27:18Z msweet $". +# End of "$Id: Makefile 12222 2014-10-21 11:55:01Z msweet $". # diff --git a/scheduler/colorman.c b/scheduler/colorman.c index 964932a3fa..4a3f030776 100644 --- a/scheduler/colorman.c +++ b/scheduler/colorman.c @@ -1,5 +1,5 @@ /* - * "$Id: colorman.c 11558 2014-02-06 18:33:34Z msweet $" + * "$Id: colorman.c 12226 2014-10-21 13:36:05Z msweet $" * * Color management routines for the CUPS scheduler. * @@ -186,7 +186,8 @@ void cupsdStopColor(void) { #if !defined(__APPLE__) && defined(HAVE_DBUS) - dbus_connection_unref(colord_con); + if (colord_con) + dbus_connection_unref(colord_con); colord_con = NULL; #endif /* !__APPLE__ && HAVE_DBUS */ } @@ -1514,5 +1515,5 @@ colord_unregister_printer( /* - * End of "$Id: colorman.c 11558 2014-02-06 18:33:34Z msweet $". + * End of "$Id: colorman.c 12226 2014-10-21 13:36:05Z msweet $". */ diff --git a/scheduler/conf.c b/scheduler/conf.c index 454fd240da..68ab093191 100644 --- a/scheduler/conf.c +++ b/scheduler/conf.c @@ -1,5 +1,5 @@ /* - * "$Id: conf.c 12178 2014-09-30 18:56:48Z msweet $" + * "$Id: conf.c 12224 2014-10-21 13:16:30Z msweet $" * * Configuration routines for the CUPS scheduler. * @@ -596,6 +596,8 @@ cupsdReadConfiguration(void) # else cupsdSetString(&ServerKeychain, "/Library/Keychains/System.keychain"); # endif /* HAVE_GNUTLS */ + + _httpTLSSetOptions(0); #endif /* HAVE_SSL */ language = cupsLangDefault(); @@ -993,6 +995,9 @@ cupsdReadConfiguration(void) cupsdLogMessage(CUPSD_LOG_NOTICE, "Group and SystemGroup cannot use the same groups."); + if (FatalErrors & (CUPSD_FATAL_CONFIG | CUPSD_FATAL_PERMISSIONS)) + return (0); + cupsdLogMessage(CUPSD_LOG_INFO, "Resetting Group to \"nobody\"..."); group = getgrnam("nobody"); 
@@ -2929,6 +2934,49 @@ read_cupsd_conf(cups_file_t *fp) /* I - File to read from */ "FaxRetryLimit is deprecated; use " "JobRetryLimit on line %d.", linenum); } + else if (!_cups_strcasecmp(line, "SSLOptions")) + { + /* + * SSLOptions [AllowRC4] [AllowSSL3] [None] + */ + + int options = 0; /* SSL/TLS options */ + + if (value) + { + char *start, /* Start of option */ + *end; /* End of option */ + + for (start = value; *start; start = end) + { + /* + * Find end of keyword... + */ + + end = start; + while (*end && !_cups_isspace(*end)) + end ++; + + if (*end) + *end++ = '\0'; + + /* + * Compare... + */ + + if (!_cups_strcasecmp(start, "AllowRC4")) + options |= _HTTP_TLS_ALLOW_RC4; + else if (!_cups_strcasecmp(start, "AllowSSL3")) + options |= _HTTP_TLS_ALLOW_SSL3; + else if (!_cups_strcasecmp(start, "None")) + options = 0; + else if (_cups_strcasecmp(start, "NoEmptyFragments")) + cupsdLogMessage(CUPSD_LOG_WARN, "Unknown SSL option %s at line %d.", start, linenum); + } + } + + _httpTLSSetOptions(options); + } else if ((!_cups_strcasecmp(line, "Port") || !_cups_strcasecmp(line, "Listen") #ifdef HAVE_SSL || !_cups_strcasecmp(line, "SSLPort") || !_cups_strcasecmp(line, "SSLListen") @@ -4093,5 +4141,5 @@ set_policy_defaults(cupsd_policy_t *pol)/* I - Policy */ /* - * End of "$Id: conf.c 12178 2014-09-30 18:56:48Z msweet $". + * End of "$Id: conf.c 12224 2014-10-21 13:16:30Z msweet $". */ diff --git a/scheduler/main.c b/scheduler/main.c index 1d3ac1b555..76e095bfdb 100644 --- a/scheduler/main.c +++ b/scheduler/main.c @@ -1,5 +1,5 @@ /* - * "$Id: main.c 12140 2014-08-30 01:51:22Z msweet $" + * "$Id: main.c 12248 2014-11-12 16:32:57Z msweet $" * * Main loop for the CUPS scheduler. * 
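Review bot: The keyword loop in the new `SSLOptions` branch never skips whitespace before a keyword, so a value containing two consecutive spaces (or a space followed by a tab) leaves `start` pointing at a blank that the inner `while` immediately terminates, hands an empty string to the comparisons and logs a spurious `Unknown SSL option  at line N` warning; add `while (_cups_isspace(*start)) start ++; if (!*start) break;` at the top of the `for` body. `AllowSSL3` and `AllowRC4` re-open exactly the SSLv3/POODLE and RC4 weaknesses this release disables by default, yet the parser accepts them silently — it should log them, e.g. `cupsdLogMessage(CUPSD_LOG_WARN, "SSLOptions enables weakened TLS setting %s on line %d.", start, linenum);`, so an administrator auditing the log can see the downgrade. Note also that `None` only clears options that precede it, so `SSLOptions None AllowSSL3` still enables SSLv3; if that ordering is intended the man page text should say so. The branch is not inside an `#ifdef HAVE_SSL` guard, unlike the `_httpTLSSetOptions(0)` reset added earlier in this file, so a non-TLS build presumably relies on the declaration existing unconditionally — worth confirming. read_cupsd_conf starts and ends outside the hunk.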
@@ -100,7 +100,11 @@ main(int argc, /* I - Number of command-line args */ { int i; /* Looping var */ char *opt; /* Option character */ - int fg; /* Run in the foreground */ + int close_all = 1, /* Close all file descriptors? */ + disconnect = 1, /* Disconnect from controlling terminal? */ + fg = 0, /* Run in foreground? */ + run_as_child = 0; + /* Running as child process? */ int fds; /* Number of ready descriptors */ cupsd_client_t *con; /* Current client */ cupsd_job_t *job; /* Current job */ @@ -116,8 +120,6 @@ main(int argc, /* I - Number of command-line args */ #if defined(HAVE_SIGACTION) && !defined(HAVE_SIGSET) struct sigaction action; /* Actions for POSIX signals */ #endif /* HAVE_SIGACTION && !HAVE_SIGSET */ - int run_as_child = 0; - /* Needed for background fork/exec */ #ifdef __APPLE__ int use_sysman = 1; /* Use system management functions? */ #else @@ -150,8 +152,10 @@ main(int argc, /* I - Number of command-line args */ #ifdef HAVE_LAUNCHD if (getenv("CUPSD_LAUNCHD")) { - OnDemand = 1; - fg = 1; + OnDemand = 1; + fg = 1; + close_all = 0; + disconnect = 0; } #endif /* HAVE_LAUNCHD */ @@ -162,7 +166,8 @@ main(int argc, /* I - Number of command-line args */ { case 'C' : /* Run as child with config file */ run_as_child = 1; - fg = -1; + fg = 1; + close_all = 0; case 'c' : /* Configuration file */ i ++; @@ -217,11 +222,14 @@ main(int argc, /* I - Number of command-line args */ break; case 'f' : /* Run in foreground... */ - fg = 1; + fg = 1; + disconnect = 0; + close_all = 0; break; case 'F' : /* Run in foreground, but disconnect from terminal... */ - fg = -1; + fg = 1; + close_all = 0; break; case 'h' : /* Show usage/help */ 
@@ -230,12 +238,16 @@ main(int argc, /* I - Number of command-line args */ case 'l' : /* Started by launchd/systemd... */ #if defined(HAVE_LAUNCHD) || defined(HAVE_SYSTEMD) - OnDemand = 1; - fg = 1; + OnDemand = 1; + fg = 1; + close_all = 0; + disconnect = 0; #else _cupsLangPuts(stderr, _("cupsd: On-demand support not compiled " "in, running in normal mode.")); - fg = 0; + fg = 0; + disconnect = 1; + close_all = 1; #endif /* HAVE_LAUNCHD || HAVE_SYSTEMD */ break; @@ -244,6 +256,8 @@ main(int argc, /* I - Number of command-line args */ "use only!\n", stderr); stop_scheduler = 1; fg = 1; + disconnect = 0; + close_all = 0; break; case 'P' : /* Disable security profiles */ @@ -285,6 +299,8 @@ main(int argc, /* I - Number of command-line args */ case 't' : /* Test the cupsd.conf file... */ TestConfigFile = 1; fg = 1; + disconnect = 0; + close_all = 0; break; default : /* Unknown option */ @@ -332,8 +348,57 @@ main(int argc, /* I - Number of command-line args */ free(filename); } + if (disconnect) + { + /* + * Make sure we aren't tying up any filesystems... + */ + + chdir("/"); + + /* + * Disconnect from the controlling terminal... + */ + + setsid(); + } + + if (close_all) + { + /* + * Close all open files... + */ + + getrlimit(RLIMIT_NOFILE, &limit); + + for (i = 0; i < (int)limit.rlim_cur && i < 1024; i ++) + close(i); + + /* + * Redirect stdin/out/err to /dev/null... + */ + + if ((i = open("/dev/null", O_RDONLY)) != 0) + { + dup2(i, 0); + close(i); + } + + if ((i = open("/dev/null", O_WRONLY)) != 1) + { + dup2(i, 1); + close(i); + } + + if ((i = open("/dev/null", O_WRONLY)) != 2) + { + dup2(i, 2); + close(i); + } + } + /* - * If the user hasn't specified "-f", run in the background... + * Run in the background as needed... */ if (!fg) 
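Review bot: The descriptor-closing loop in the new `close_all` block casts `limit.rlim_cur` to `int`, so when the soft limit is `RLIM_INFINITY` (on Linux, the BSDs and macOS the cast yields -1) the loop body never runs and every inherited descriptor survives into the daemon — and, unless it is marked close-on-exec, into the filters and backends cupsd spawns; the removed code compared against the unsigned `rlim_cur` directly and did not have this problem. Compare in the limit's own type instead: `for (i = 0; (rlim_t)i < limit.rlim_cur && i < 1024; i ++)`. The `chdir("/")` and `setsid()` in the `disconnect` block ignore their return values; `setsid()` fails with EPERM when cupsd is already a process-group leader, which is harmless on the `-C` re-exec path that runs this block again in the child but goes unnoticed with `-F`, so a `CUPSD_LOG_DEBUG` line on failure would help diagnose a daemon that stays attached to its terminal. main's body continues well past the hunk.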
@@ -408,74 +473,17 @@ main(int argc, /* I - Number of command-line args */ #endif /* __OpenBSD__ && OpenBSD < 201211 */ /* - * Since CoreFoundation and DBUS both create fork-unsafe data on execution of - * a program, and since this kind of really unfriendly behavior seems to be - * more common these days in system libraries, we need to re-execute the - * background cupsd with the "-C" option to avoid problems. Unfortunately, - * we also have to assume that argv[0] contains the name of the cupsd - * executable - there is no portable way to get the real pathname... + * Since many system libraries create fork-unsafe data on execution of a + * program, we need to re-execute the background cupsd with the "-C" and "-s" + * options to avoid problems. Unfortunately, we also have to assume that + * argv[0] contains the name of the cupsd executable - there is no portable + * way to get the real pathname... */ - execlp(argv[0], argv[0], "-C", ConfigurationFile, (char *)0); + execlp(argv[0], argv[0], "-C", ConfigurationFile, "-s", CupsFilesFile, (char *)0); exit(errno); } - if (fg < 1) - { - /* - * Make sure we aren't tying up any filesystems... - */ - - chdir("/"); - -#ifndef DEBUG - /* - * Disable core dumps... - */ - - getrlimit(RLIMIT_CORE, &limit); - limit.rlim_cur = 0; - setrlimit(RLIMIT_CORE, &limit); - - /* - * Disconnect from the controlling terminal... - */ - - setsid(); - - /* - * Close all open files... - */ - - getrlimit(RLIMIT_NOFILE, &limit); - - for (i = 0; i < limit.rlim_cur && i < 1024; i ++) - close(i); - - /* - * Redirect stdin/out/err to /dev/null... - */ - - if ((i = open("/dev/null", O_RDONLY)) != 0) - { - dup2(i, 0); - close(i); - } - - if ((i = open("/dev/null", O_WRONLY)) != 1) - { - dup2(i, 1); - close(i); - } - - if ((i = open("/dev/null", O_WRONLY)) != 2) - { - dup2(i, 2); - close(i); - } -#endif /* DEBUG */ - } - /* * Set the timezone info... */ 
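Review bot: The removed `fg < 1` block also carried the `#ifndef DEBUG` code that set `RLIMIT_CORE` to 0, and nothing in the replacement `disconnect`/`close_all` blocks earlier in this file restores it, so a crashing background cupsd — a root daemon that presumably holds client authentication data and TLS key material in memory — can now write a core file unless the limit is re-applied somewhere outside this diff. If dropping it was deliberate (for example to let a system-wide core handler apply), the commit message should say so; otherwise put `getrlimit(RLIMIT_CORE, &limit); limit.rlim_cur = 0; setrlimit(RLIMIT_CORE, &limit);` back into the `disconnect` block under the same `#ifndef DEBUG`. The rewritten comment above the `execlp()` should also note that `-s CupsFilesFile` is now passed so that the re-executed child reads the same cups-files.conf the parent validated. main continues outside the hunk.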
@@ -763,6 +771,9 @@ main(int argc, /* I - Number of command-line args */ if (timeout == 86400 && OnDemand && IdleExitTimeout && !cupsArrayCount(ActiveJobs) && +# ifdef HAVE_SYSTEMD + !WebInterface && +# endif /* HAVE_SYSTEMD */ (!Browsing || !BrowseLocalProtocols || !cupsArrayCount(Printers))) { timeout = IdleExitTimeout; @@ -2114,8 +2125,12 @@ service_checkout(void) * jobs or shared printers to advertise... */ - if (cupsArrayCount(ActiveJobs) || + if (cupsArrayCount(ActiveJobs) || /* Active jobs */ +# ifdef HAVE_SYSTEMD + WebInterface || /* Web interface enabled */ +# endif /* HAVE_SYSTEMD */ (Browsing && BrowseLocalProtocols && cupsArrayCount(Printers))) + /* Printers being shared */ { cupsdLogMessage(CUPSD_LOG_DEBUG, "Creating keep-alive file \"" CUPS_KEEPALIVE "\"."); @@ -2158,5 +2173,5 @@ usage(int status) /* O - Exit status */ /* - * End of "$Id: main.c 12140 2014-08-30 01:51:22Z msweet $". + * End of "$Id: main.c 12248 2014-11-12 16:32:57Z msweet $". */ diff --git a/scheduler/org.cups.cups-lpd.socket b/scheduler/org.cups.cups-lpd.socket new file mode 100644 index 0000000000..dd5288c62c --- /dev/null +++ b/scheduler/org.cups.cups-lpd.socket @@ -0,0 +1,9 @@ +[Unit] +Description=CUPS LPD Server Socket + +[Socket] +ListenStream=515 +Accept=yes + +[Install] +WantedBy=sockets.target diff --git a/scheduler/org.cups.cups-lpdAT.service.in b/scheduler/org.cups.cups-lpdAT.service.in new file mode 100644 index 0000000000..5c7827340b --- /dev/null +++ b/scheduler/org.cups.cups-lpdAT.service.in @@ -0,0 +1,9 @@ +[Unit] +Description=CUPS LPD server +Documentation=man:cups-lpd(8) + +[Service] +ExecStart=-@CUPS_SERVERBIN@/daemon/cups-lpd +StandardInput=socket +User=@CUPS_USER@ + diff --git a/scheduler/org.cups.cupsd.service.in b/scheduler/org.cups.cupsd.service.in index 43900167be..0a27c769f2 100644 --- a/scheduler/org.cups.cupsd.service.in +++ b/scheduler/org.cups.cupsd.service.in 
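Review bot: `ListenStream=515` with no address binds the LPD port on every interface, and with `Accept=yes` each incoming connection becomes its own `org.cups.cups-lpd@.service` instance limited only by systemd's default per-socket connection cap; since the LPD protocol carries no authentication, the unit should either bind locally by default (`ListenStream=127.0.0.1:515` and `ListenStream=[::1]:515` with `BindIPv6Only=ipv6-only`, the pattern the cupsd socket unit used) or at least set an explicit `MaxConnections=` so a remote client cannot spawn instances without bound. A comment above `[Socket]` stating that enabling this unit exposes the unauthenticated LPD service network-wide would help packagers decide whether to ship it enabled.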
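Review bot: The templated service drops to `User=@CUPS_USER@`, which is good, but applies no other confinement even though each instance is spawned directly from an unauthenticated network connection; where the target systemd version supports them, `PrivateTmp=yes`, `NoNewPrivileges=yes` and `ProtectSystem=full` are cheap additions that the xinetd path could never offer. The leading `-` on `ExecStart=` suppresses failure accounting for a non-zero exit, which is reasonable for a per-connection instance but should be explained in a comment so it is not "fixed" later. The unit also has no `[Install]` section, which is correct for a template activated only through the socket, and a comment saying so would prevent a packager from adding one.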
@@ -1,5 +1,6 @@ [Unit] Description=CUPS Scheduler +Documentation=man:cupsd(8) [Service] ExecStart=@sbindir@/cupsd -l diff --git a/scheduler/org.cups.cupsd.socket.in b/scheduler/org.cups.cupsd.socket.in index cd98aa56e0..b0928c51c8 100644 --- a/scheduler/org.cups.cupsd.socket.in +++ b/scheduler/org.cups.cupsd.socket.in @@ -3,10 +3,6 @@ Description=CUPS Scheduler [Socket] ListenStream=@CUPS_DEFAULT_DOMAINSOCKET@ -ListenStream=[::1]:631 -ListenStream=127.0.0.1:631 -BindIPv6Only=ipv6-only -ReusePort=true [Install] WantedBy=sockets.target diff --git a/scheduler/process.c b/scheduler/process.c index d23a352c7f..7a9df0f343 100644 --- a/scheduler/process.c +++ b/scheduler/process.c @@ -1,5 +1,5 @@ /* - * "$Id: process.c 12102 2014-08-20 15:19:09Z msweet $" + * "$Id: process.c 12252 2014-11-14 17:14:45Z msweet $" * * Process management routines for the CUPS scheduler. * 
@@ -459,18 +459,19 @@ cupsdStartProcess( int i; /* Looping var */ const char *exec_path = command; /* Command to be exec'd */ char *real_argv[110], /* Real command-line arguments */ - cups_exec[1024]; /* Path to "cups-exec" program */ + cups_exec[1024], /* Path to "cups-exec" program */ + user_str[16], /* User string */ + group_str[16], /* Group string */ + nice_str[16]; /* FilterNice string */ uid_t user; /* Command UID */ cupsd_proc_t *proc; /* New process record */ -#ifdef HAVE_POSIX_SPAWN +#if defined(HAVE_POSIX_SPAWN) && !defined(__OpenBSD__) posix_spawn_file_actions_t actions; /* Spawn file actions */ posix_spawnattr_t attrs; /* Spawn attributes */ - char user_str[16], /* User string */ - group_str[16], /* Group string */ - nice_str[16]; /* FilterNice string */ + sigset_t defsignals; /* Default signals */ #elif defined(HAVE_SIGACTION) && !defined(HAVE_SIGSET) struct sigaction action; /* POSIX signal handler */ -#endif /* HAVE_POSIX_SPAWN */ +#endif /* HAVE_POSIX_SPAWN && !__OpenBSD__ */ #if defined(__APPLE__) char processPath[1024], /* CFProcessPath environment variable */ linkpath[1024]; /* Link path for symlinks... */ @@ -534,9 +535,9 @@ cupsdStartProcess( * Use helper program when we have a sandbox profile... */ -#ifndef HAVE_POSIX_SPAWN +#if !defined(HAVE_POSIX_SPAWN) || defined(__OpenBSD__) if (profile) -#endif /* !HAVE_POSIX_SPAWN */ +#endif /* !HAVE_POSIX_SPAWN || __OpenBSD__ */ { snprintf(cups_exec, sizeof(cups_exec), "%s/daemon/cups-exec", ServerBin); snprintf(user_str, sizeof(user_str), "%d", user); 
@@ -572,14 +573,21 @@ cupsdStartProcess( cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdStartProcess: argv[%d] = \"%s\"", i, argv[i]); } -#ifdef HAVE_POSIX_SPAWN +#if defined(HAVE_POSIX_SPAWN) && !defined(__OpenBSD__) /* OpenBSD posix_spawn is busted with SETSIGDEF */ /* * Setup attributes and file actions for the spawn... */ cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdStartProcess: Setting spawn attributes."); + sigemptyset(&defsignals); + sigaddset(&defsignals, SIGTERM); + sigaddset(&defsignals, SIGCHLD); + sigaddset(&defsignals, SIGPIPE); + posix_spawnattr_init(&attrs); posix_spawnattr_setflags(&attrs, POSIX_SPAWN_SETPGROUP | POSIX_SPAWN_SETSIGDEF); + posix_spawnattr_setpgroup(&attrs, 0); + posix_spawnattr_setsigdefault(&attrs, &defsignals); cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdStartProcess: Setting file actions."); posix_spawn_file_actions_init(&actions); @@ -788,7 +796,7 @@ cupsdStartProcess( } cupsdReleaseSignals(); -#endif /* HAVE_POSIX_SPAWN */ +#endif /* HAVE_POSIX_SPAWN && !__OpenBSD__ */ if (*pid) { @@ -870,5 +878,5 @@ cupsd_requote(char *dst, /* I - Destination buffer */ /* - * End of "$Id: process.c 12102 2014-08-20 15:19:09Z msweet $". + * End of "$Id: process.c 12252 2014-11-14 17:14:45Z msweet $". */ diff --git a/systemv/cancel.c b/systemv/cancel.c index 02c56911c3..dbe5e70be2 100644 --- a/systemv/cancel.c +++ b/systemv/cancel.c @@ -1,5 +1,5 @@ /* - * "$Id: cancel.c 10996 2013-05-29 11:51:34Z msweet $" + * "$Id: cancel.c 12248 2014-11-12 16:32:57Z msweet $" * * "cancel" command for CUPS. * @@ -315,7 +315,7 @@ main(int argc, /* I - Number of command-line arguments */ ippDelete(response); } - if (num_dests == 0 && op == IPP_PURGE_JOBS) + if (num_dests == 0 && op != IPP_CANCEL_JOB) { /* * Open a connection to the server... @@ -383,5 +383,5 @@ main(int argc, /* I - Number of command-line arguments */ /* - * End of "$Id: cancel.c 10996 2013-05-29 11:51:34Z msweet $". + * End of "$Id: cancel.c 12248 2014-11-12 16:32:57Z msweet $". */ 
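Review bot: The spawn attributes now reset the dispositions of SIGTERM, SIGCHLD and SIGPIPE through `POSIX_SPAWN_SETSIGDEF`, but nothing sets the child's signal mask: if `cupsdHoldSignals()` blocks those signals with `sigprocmask()` — which the matching `cupsdReleaseSignals()` at the end of this hunk suggests — every filter and backend starts with them blocked and can neither be stopped by cupsd's SIGTERM nor die on a broken pipe until it unblocks them itself. Declare `sigset_t nomask; sigemptyset(&nomask);`, add `POSIX_SPAWN_SETSIGMASK` to the `posix_spawnattr_setflags()` call and call `posix_spawnattr_setsigmask(&attrs, &nomask);` next to `posix_spawnattr_setsigdefault()`. The return values of the `posix_spawnattr_*` calls are unchecked; a failed `setsigdefault()` silently leaves the child with the inherited dispositions, so at least the two setters should be logged on error. cupsdStartProcess starts before and continues after the hunk.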
diff --git a/templates/es/header.tmpl.in b/templates/es/header.tmpl.in index 0449661572..a6df94cfb9 100644 --- a/templates/es/header.tmpl.in +++ b/templates/es/header.tmpl.in @@ -8,7 +8,15 @@ {refresh_page?:} +