rpms / cups

Clone
Source Code
GIT

Blame SOURCES/cups-1.6.3-tlsv12.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8 c8-beta c8s c9 c9-beta
  1.   a80764847f60b84131f6a18073af84606b07ef3b
  2.   SOURCES
  3.   cups-1.6.3-tlsv12.patch
Blob History Raw
db5f83 
diff -up cups-1.6.3/cups/http.c.tlsv12 cups-1.6.3/cups/http.c
db5f83 
--- cups-1.6.3/cups/http.c.tlsv12	2017-12-12 14:40:02.672393885 +0100
db5f83 
+++ cups-1.6.3/cups/http.c	2017-12-12 16:45:11.417535244 +0100
db5f83 
@@ -3726,6 +3726,8 @@ http_send(http_t       *http,	/* I - Con
db5f83 
     httpSetField(http, HTTP_FIELD_CONNECTION, "Upgrade");
db5f83 
     if (tls_options & _HTTP_TLS_ALLOW_SSL3)
db5f83 
       httpSetField(http, HTTP_FIELD_UPGRADE, "TLS/1.1,TLS/1.0,SSL/3.0");
db5f83 
+    else if (tls_options & _HTTP_TLS_MIN_TLS12)
db5f83 
+      httpSetField(http, HTTP_FIELD_UPGRADE, "TLS/1.2+");
db5f83 
     else
db5f83 
       httpSetField(http, HTTP_FIELD_UPGRADE, "TLS/1.1,TLS/1.0");
db5f83 
   }
db5f83 
@@ -3968,6 +3970,8 @@ http_setup_ssl(http_t *http)		/* I - Con
db5f83 
     SSL_CTX_set_options(context, SSL_OP_NO_SSLv3); /* Don't use SSLv3 */
db5f83 
   if (!(tls_options & _HTTP_TLS_ALLOW_RC4))
db5f83 
     SSL_CTX_set_cipher_list(context, "DEFAULT:-RC4");
db5f83 
+  if (tls_options & _HTTP_TLS_MIN_TLS12)
db5f83 
+    SSL_CTX_set_cipher_list(context, "DEFAULT:!SSLv3:!TLSv1");
db5f83
db5f83 
   bio = BIO_new(_httpBIOMethods());
db5f83 
   BIO_ctrl(bio, BIO_C_SET_FILE_PTR, 0, (char *)http);
db5f83 
@@ -4453,6 +4457,8 @@ http_upgrade(http_t *http)		/* I - Conne
db5f83 
   httpSetField(http, HTTP_FIELD_CONNECTION, "upgrade");
db5f83 
   if (tls_options & _HTTP_TLS_ALLOW_SSL3)
db5f83 
     httpSetField(http, HTTP_FIELD_UPGRADE, "TLS/1.2, TLS/1.1, TLS/1.0, SSL/3.0");
db5f83 
+  else if (tls_options & _HTTP_TLS_MIN_TLS12)
db5f83 
+    httpSetField(http, HTTP_FIELD_UPGRADE, "TLS/1.2+");
db5f83 
   else
db5f83 
     httpSetField(http, HTTP_FIELD_UPGRADE, "TLS/1.2, TLS/1.1, TLS/1.0");
db5f83
db5f83 
diff -up cups-1.6.3/cups/http-private.h.tlsv12 cups-1.6.3/cups/http-private.h
db5f83 
--- cups-1.6.3/cups/http-private.h.tlsv12	2017-12-12 14:40:02.642394135 +0100
db5f83 
+++ cups-1.6.3/cups/http-private.h	2017-12-12 14:40:02.689393744 +0100
db5f83 
@@ -143,6 +143,7 @@ extern "C" {
db5f83 
 /* care - these should be the same values as the CUPSD_SSL_* equivalents */
db5f83 
 #define _HTTP_TLS_ALLOW_RC4	2
db5f83 
 #define _HTTP_TLS_ALLOW_SSL3	4
db5f83 
+#define _HTTP_TLS_MIN_TLS12 8
db5f83
db5f83
db5f83 
 /*
db5f83 
diff -up cups-1.6.3/cups/usersys.c.tlsv12 cups-1.6.3/cups/usersys.c
db5f83 
--- cups-1.6.3/cups/usersys.c.tlsv12	2017-12-12 14:40:02.676393852 +0100
db5f83 
+++ cups-1.6.3/cups/usersys.c	2017-12-12 14:40:02.689393744 +0100
db5f83 
@@ -992,7 +992,7 @@ cups_read_client_conf(
db5f83 
     else if (ssl_options && !_cups_strcasecmp(line, "SSLOptions") && value)
db5f83 
     {
db5f83 
      /*
db5f83 
-      * SSLOptions [AllowRC4] [AllowSSL3] [None]
db5f83 
+      * SSLOptions [AllowRC4] [AllowSSL3] [MinTLS1.2] [None]
db5f83 
       */
db5f83
db5f83 
       int	options = 0;		/* SSL/TLS options */
db5f83 
@@ -1020,6 +1020,8 @@ cups_read_client_conf(
db5f83 
 	  options |= _HTTP_TLS_ALLOW_RC4;
db5f83 
 	else if (!_cups_strcasecmp(start, "AllowSSL3"))
db5f83 
 	  options |= _HTTP_TLS_ALLOW_SSL3;
db5f83 
+	else if (!_cups_strcasecmp(start, "MinTLS1.2"))
db5f83 
+	  options |= _HTTP_TLS_MIN_TLS12;
db5f83 
 	else if (!_cups_strcasecmp(start, "None"))
db5f83 
 	  options = 0;
db5f83 
       }
db5f83 
diff -up cups-1.6.3/man/client.conf.man.in.tlsv12 cups-1.6.3/man/client.conf.man.in
db5f83 
--- cups-1.6.3/man/client.conf.man.in.tlsv12	2017-12-12 14:40:02.643394126 +0100
db5f83 
+++ cups-1.6.3/man/client.conf.man.in	2017-12-14 12:51:09.366872384 +0100
db5f83 
@@ -53,14 +53,15 @@ Specifies the address and optionally the
db5f83 
 server running CUPS 1.3.12 and earlier. \fBNote: Not supported on OS X 10.7 or
db5f83 
 later.\fR
db5f83 
 .TP 5
db5f83 
-SSLOptions \fR[\fIAllowRC4\fR] [\fIAllow SSL3\fR]
db5f83 
+SSLOptions \fR[\fIAllowRC4\fR] [\fIAllow SSL3\fR] [\fIMinTLS1.2\fR]
db5f83 
 .br
db5f83 
 Sets SSL/TLS protocol options for encrypted connections. By default,
db5f83 
 CUPS only supports encryption using TLS v1.0 or higher using known
db5f83 
 secure cipher suites. The \fIAllowRC4\fR option enables the 128-bit
db5f83 
 RC4 cipher suites, which are required for some older clients that do
db5f83 
 not implement newer ones. The \fIAllowSSL3\fR option enables SSL v3.0,
db5f83 
-which is required for some older clients that do not support TLS v1.0.
db5f83 
+which is required for some older clients that do not support TLS v1.0.
db5f83 
+The \fIMinTLS1.2\fR option enforces CUPS to use TLS v1.2 and higher.
db5f83 
 .TP 5
db5f83 
 User name
db5f83 
 .br
db5f83 
diff -up cups-1.6.3/man/cupsd.conf.man.in.tlsv12 cups-1.6.3/man/cupsd.conf.man.in
db5f83 
--- cups-1.6.3/man/cupsd.conf.man.in.tlsv12	2017-12-14 12:42:34.233473538 +0100
db5f83 
+++ cups-1.6.3/man/cupsd.conf.man.in	2017-12-14 12:51:09.327872724 +0100
db5f83 
@@ -480,7 +480,7 @@ Listens on the specified address and por
db5f83 
 .TP 5
db5f83 
 SSLOptions None
db5f83 
 .TP 5
db5f83 
-SSLOptions \fR[\fINoEmptyFragments\fR] [\fIAllowRC4\fR] [\fIAllow SSL3\fR]
db5f83 
+SSLOptions \fR[\fINoEmptyFragments\fR] [\fIAllowRC4\fR] [\fIAllow SSL3\fR] [\fIMinTLS1.2\fR]
db5f83 
 .br
db5f83 
 Sets SSL/TLS protocol options for encrypted connections. By default,
db5f83 
 CUPS only supports encryption using TLS v1.0 or higher using known
db5f83 
@@ -490,6 +490,7 @@ enabled. The \fIAllowRC4\fR option enabl
db5f83 
 suites, which are required for some older clients that do not
db5f83 
 implement newer ones. The \fIAllowSSL3\fR option enables SSL v3.0,
db5f83 
 which is required for some older clients that do not support TLS v1.0.
db5f83 
+The \fIMinTLS1.2\fR option enforces CUPS to use TLS v1.2 and higher.
db5f83 
 .TP 5
db5f83 
 SSLPort
db5f83 
 .br
db5f83 
diff -up cups-1.6.3/scheduler/client.c.tlsv12 cups-1.6.3/scheduler/client.c
db5f83 
--- cups-1.6.3/scheduler/client.c.tlsv12	2017-12-12 15:18:01.683589773 +0100
db5f83 
+++ cups-1.6.3/scheduler/client.c	2017-12-12 16:44:38.721796794 +0100
db5f83 
@@ -1189,7 +1189,11 @@ cupsdReadClient(cupsd_client_t *con)	/*
db5f83 
 	}
db5f83
db5f83 
 	httpPrintf(HTTP(con), "Connection: Upgrade\r\n");
db5f83 
-	httpPrintf(HTTP(con), "Upgrade: TLS/1.0,HTTP/1.1\r\n");
db5f83 
+	if ((SSLOptions & CUPSD_SSL_MIN_TLS12) ||
db5f83 
+	    !_cups_strcasecmp(con->http.fields[HTTP_FIELD_UPGRADE], "TLS/1.2+"))
db5f83 
+	  httpPrintf(HTTP(con), "Upgrade: TLS/1.2+,HTTP/1.1\r\n");
db5f83 
+	else
db5f83 
+	  httpPrintf(HTTP(con), "Upgrade: TLS/1.0,HTTP/1.1\r\n");
db5f83 
 	httpPrintf(HTTP(con), "Content-Length: 0\r\n");
db5f83 
 	httpPrintf(HTTP(con), "\r\n");
db5f83
db5f83 
@@ -1263,7 +1268,11 @@ cupsdReadClient(cupsd_client_t *con)	/*
db5f83 
 	}
db5f83
db5f83 
 	httpPrintf(HTTP(con), "Connection: Upgrade\r\n");
db5f83 
-	httpPrintf(HTTP(con), "Upgrade: TLS/1.0,HTTP/1.1\r\n");
db5f83 
+	if ((SSLOptions & CUPSD_SSL_MIN_TLS12) ||
db5f83 
+	    !_cups_strcasecmp(con->http.fields[HTTP_FIELD_UPGRADE], "TLS/1.2+"))
db5f83 
+	  httpPrintf(HTTP(con), "Upgrade: TLS/1.2+,HTTP/1.1\r\n");
db5f83 
+	else
db5f83 
+	  httpPrintf(HTTP(con), "Upgrade: TLS/1.0,HTTP/1.1\r\n");
db5f83 
 	httpPrintf(HTTP(con), "Content-Length: 0\r\n");
db5f83 
 	httpPrintf(HTTP(con), "\r\n");
db5f83
db5f83 
diff -up cups-1.6.3/scheduler/conf.c.tlsv12 cups-1.6.3/scheduler/conf.c
db5f83 
--- cups-1.6.3/scheduler/conf.c.tlsv12	2017-12-12 14:40:02.681393811 +0100
db5f83 
+++ cups-1.6.3/scheduler/conf.c	2017-12-12 14:40:02.689393744 +0100
db5f83 
@@ -3383,7 +3383,7 @@ read_cupsd_conf(cups_file_t *fp)	/* I -
db5f83 
     else if (!_cups_strcasecmp(line, "SSLOptions"))
db5f83 
     {
db5f83 
      /*
db5f83 
-      * SSLOptions [AllowRC4] [AllowSSL3] [NoEmptyFragments] [None]
db5f83 
+      * SSLOptions [AllowRC4] [AllowSSL3] [MinTLS1.2] [NoEmptyFragments] [None]
db5f83 
       */
db5f83
db5f83 
       int	options = 0;	/* SSL/TLS options */
db5f83 
@@ -3420,6 +3420,8 @@ read_cupsd_conf(cups_file_t *fp)	/* I -
db5f83 
 	    options |= CUPSD_SSL_ALLOW_RC4;
db5f83 
 	  else if (!_cups_strcasecmp(start, "AllowSSL3"))
db5f83 
 	    options |= CUPSD_SSL_ALLOW_SSL3;
db5f83 
+	  else if (!_cups_strcasecmp(start, "MinTLS1.2"))
db5f83 
+	    options |= CUPSD_SSL_MIN_TLS12;
db5f83 
 	  else if (!_cups_strcasecmp(start, "None"))
db5f83 
 	    options = 0;
db5f83 
 	  else
db5f83 
diff -up cups-1.6.3/scheduler/conf.h.tlsv12 cups-1.6.3/scheduler/conf.h
db5f83 
--- cups-1.6.3/scheduler/conf.h.tlsv12	2017-12-12 14:40:02.681393811 +0100
db5f83 
+++ cups-1.6.3/scheduler/conf.h	2017-12-12 14:40:02.690393736 +0100
db5f83 
@@ -80,7 +80,7 @@ typedef enum
db5f83 
 #define CUPSD_SSL_NOEMPTY	1	/* Do not insert empty fragments */
db5f83 
 #define CUPSD_SSL_ALLOW_RC4	2	/* Allow RC4 cipher suites */
db5f83 
 #define CUPSD_SSL_ALLOW_SSL3	4	/* Allow SSL 3.0 */
db5f83 
-
db5f83 
+#define CUPSD_SSL_MIN_TLS12    8   /* Deny TLS 1.1 */
db5f83
db5f83 
 /*
db5f83 
  * ServerAlias data...
db5f83 
diff -up cups-1.6.3/scheduler/tls-openssl.c.tlsv12 cups-1.6.3/scheduler/tls-openssl.c
db5f83 
--- cups-1.6.3/scheduler/tls-openssl.c.tlsv12	2017-12-12 14:40:02.645394110 +0100
db5f83 
+++ cups-1.6.3/scheduler/tls-openssl.c	2017-12-12 16:49:10.357623844 +0100
db5f83 
@@ -111,6 +111,9 @@ cupsdStartTLS(cupsd_client_t *con)	/* I
db5f83 
     SSL_CTX_set_options(context, SSL_OP_NO_SSLv3); /* Don't use SSLv3 */
db5f83 
   if (!(SSLOptions & CUPSD_SSL_ALLOW_RC4))
db5f83 
     SSL_CTX_set_cipher_list(context, "DEFAULT:-RC4");
db5f83 
+  if ((SSLOptions & CUPSD_SSL_MIN_TLS12) ||
db5f83 
+      !_cups_strcasecmp(con->http.fields[HTTP_FIELD_UPGRADE], "TLS/1.2+"))
db5f83 
+    SSL_CTX_set_cipher_list(context, "DEFAULT:!SSLv3:!TLSv1");
db5f83 
   SSL_CTX_use_PrivateKey_file(context, ServerKey, SSL_FILETYPE_PEM);
db5f83 
   SSL_CTX_use_certificate_chain_file(context, ServerCertificate);
db5f83

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation