
diff -up cups-1.6.3/cups/http.c.tlsv12 cups-1.6.3/cups/http.c
--- cups-1.6.3/cups/http.c.tlsv12	2017-12-12 14:40:02.672393885 +0100
+++ cups-1.6.3/cups/http.c	2017-12-12 16:45:11.417535244 +0100
@@ -3726,6 +3726,8 @@ http_send(http_t       *http,	/* I - Con
     httpSetField(http, HTTP_FIELD_CONNECTION, "Upgrade");
     if (tls_options & _HTTP_TLS_ALLOW_SSL3)
       httpSetField(http, HTTP_FIELD_UPGRADE, "TLS/1.1,TLS/1.0,SSL/3.0");
+    else if (tls_options & _HTTP_TLS_MIN_TLS12)
+      httpSetField(http, HTTP_FIELD_UPGRADE, "TLS/1.2+");
     else
       httpSetField(http, HTTP_FIELD_UPGRADE, "TLS/1.1,TLS/1.0");
   }
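Review bot: The `_HTTP_TLS_ALLOW_SSL3` branch is tested before the new `_HTTP_TLS_MIN_TLS12` branch, so a client.conf that sets both AllowSSL3 and MinTLS1.2 still advertises `TLS/1.1,TLS/1.0,SSL/3.0` and the stricter option is silently ignored; the http_upgrade hunk further down has the same ordering. Since MinTLS1.2 is the more restrictive request it should win, either by testing it first, `if (tls_options & _HTTP_TLS_MIN_TLS12) ... else if (tls_options & _HTTP_TLS_ALLOW_SSL3) ...`, or by rejecting the combination when SSLOptions is parsed. `TLS/1.2+` is also a CUPS-specific token rather than the `TLS/1.0`-style product token of RFC 2817, so only a peer carrying this same patch will recognise it; a one-line comment above the branch saying so would save the next maintainer a search. http_send starts and ends outside the hunk.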
@@ -3968,6 +3970,8 @@ http_setup_ssl(http_t *http)		/* I - Con
     SSL_CTX_set_options(context, SSL_OP_NO_SSLv3); /* Don't use SSLv3 */
   if (!(tls_options & _HTTP_TLS_ALLOW_RC4))
     SSL_CTX_set_cipher_list(context, "DEFAULT:-RC4");
+  if (tls_options & _HTTP_TLS_MIN_TLS12)
+    SSL_CTX_set_cipher_list(context, "DEFAULT:!SSLv3:!TLSv1");
 
   bio = BIO_new(_httpBIOMethods());
   BIO_ctrl(bio, BIO_C_SET_FILE_PTR, 0, (char *)http);
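Review bot: The `DEFAULT:!SSLv3:!TLSv1` cipher string enforces the TLS 1.2 floor only as a side effect: it removes every cipher suite whose minimum protocol is older than TLS 1.2, which makes lower-version handshakes fail, but it also discards all the pre-1.2 (non-AEAD, SHA-1 MAC) suites under TLS 1.2 itself, and the protocol floor is never stated to the library. The direct form is a protocol option next to the existing `SSL_OP_NO_SSLv3` on the line above, `SSL_CTX_set_options(context, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);` (or `SSL_CTX_set_min_proto_version(context, TLS1_2_VERSION)` on OpenSSL 1.1.0 and later), with the cipher list left to the RC4 handling; the same construction is used in the cupsdStartTLS hunk in scheduler/tls-openssl.c. This hunk only touches the OpenSSL code path of http_setup_ssl; if the file also carries GNU TLS or CDSA branches, MinTLS1.2 presumably has no effect there, which should either be handled or be stated in the client.conf man page. http_setup_ssl starts and ends outside the hunk.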
@@ -4453,6 +4457,8 @@ http_upgrade(http_t *http)		/* I - Conne
   httpSetField(http, HTTP_FIELD_CONNECTION, "upgrade");
   if (tls_options & _HTTP_TLS_ALLOW_SSL3)
     httpSetField(http, HTTP_FIELD_UPGRADE, "TLS/1.2, TLS/1.1, TLS/1.0, SSL/3.0");
+  else if (tls_options & _HTTP_TLS_MIN_TLS12)
+    httpSetField(http, HTTP_FIELD_UPGRADE, "TLS/1.2+");
   else
     httpSetField(http, HTTP_FIELD_UPGRADE, "TLS/1.2, TLS/1.1, TLS/1.0");
 
diff -up cups-1.6.3/cups/http-private.h.tlsv12 cups-1.6.3/cups/http-private.h
--- cups-1.6.3/cups/http-private.h.tlsv12	2017-12-12 14:40:02.642394135 +0100
+++ cups-1.6.3/cups/http-private.h	2017-12-12 14:40:02.689393744 +0100
@@ -143,6 +143,7 @@ extern "C" {
 /* care - these should be the same values as the CUPSD_SSL_* equivalents */
 #define _HTTP_TLS_ALLOW_RC4	2
 #define _HTTP_TLS_ALLOW_SSL3	4
+#define _HTTP_TLS_MIN_TLS12 8
 
 
 /*
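Review bot: The new `_HTTP_TLS_MIN_TLS12` define is aligned with spaces while the two lines above use a tab, and unlike its scheduler twin it carries no comment; tab-aligning it and adding `/* Require TLS 1.2 or later */` keeps the block uniform. The comment above the block says these values must match the CUPSD_SSL_* ones, and 8 does match `CUPSD_SSL_MIN_TLS12` in the scheduler/conf.h hunk of this same patch.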
diff -up cups-1.6.3/cups/usersys.c.tlsv12 cups-1.6.3/cups/usersys.c
--- cups-1.6.3/cups/usersys.c.tlsv12	2017-12-12 14:40:02.676393852 +0100
+++ cups-1.6.3/cups/usersys.c	2017-12-12 14:40:02.689393744 +0100
@@ -992,7 +992,7 @@ cups_read_client_conf(
     else if (ssl_options && !_cups_strcasecmp(line, "SSLOptions") && value)
     {
      /*
-      * SSLOptions [AllowRC4] [AllowSSL3] [None]
+      * SSLOptions [AllowRC4] [AllowSSL3] [MinTLS1.2] [None]
       */
 
       int	options = 0;		/* SSL/TLS options */
@@ -1020,6 +1020,8 @@ cups_read_client_conf(
 	  options |= _HTTP_TLS_ALLOW_RC4;
 	else if (!_cups_strcasecmp(start, "AllowSSL3"))
 	  options |= _HTTP_TLS_ALLOW_SSL3;
+	else if (!_cups_strcasecmp(start, "MinTLS1.2"))
+	  options |= _HTTP_TLS_MIN_TLS12;
 	else if (!_cups_strcasecmp(start, "None"))
 	  options = 0;
       }
diff -up cups-1.6.3/man/client.conf.man.in.tlsv12 cups-1.6.3/man/client.conf.man.in
--- cups-1.6.3/man/client.conf.man.in.tlsv12	2017-12-12 14:40:02.643394126 +0100
+++ cups-1.6.3/man/client.conf.man.in	2017-12-14 12:51:09.366872384 +0100
@@ -53,14 +53,15 @@ Specifies the address and optionally the
 server running CUPS 1.3.12 and earlier. \fBNote: Not supported on OS X 10.7 or
 later.\fR
 .TP 5
-SSLOptions \fR[\fIAllowRC4\fR] [\fIAllow SSL3\fR]
+SSLOptions \fR[\fIAllowRC4\fR] [\fIAllow SSL3\fR] [\fIMinTLS1.2\fR]
 .br
 Sets SSL/TLS protocol options for encrypted connections. By default,
 CUPS only supports encryption using TLS v1.0 or higher using known
 secure cipher suites. The \fIAllowRC4\fR option enables the 128-bit
 RC4 cipher suites, which are required for some older clients that do
 not implement newer ones. The \fIAllowSSL3\fR option enables SSL v3.0,
-which is required for some older clients that do not support TLS v1.0.
+which is required for some older clients that do not support TLS v1.0. 
+The \fIMinTLS1.2\fR option enforces CUPS to use TLS v1.2 and higher.
 .TP 5
 User name
 .br
diff -up cups-1.6.3/man/cupsd.conf.man.in.tlsv12 cups-1.6.3/man/cupsd.conf.man.in
--- cups-1.6.3/man/cupsd.conf.man.in.tlsv12	2017-12-14 12:42:34.233473538 +0100
+++ cups-1.6.3/man/cupsd.conf.man.in	2017-12-14 12:51:09.327872724 +0100
@@ -480,7 +480,7 @@ Listens on the specified address and por
 .TP 5
 SSLOptions None
 .TP 5
-SSLOptions \fR[\fINoEmptyFragments\fR] [\fIAllowRC4\fR] [\fIAllow SSL3\fR]
+SSLOptions \fR[\fINoEmptyFragments\fR] [\fIAllowRC4\fR] [\fIAllow SSL3\fR] [\fIMinTLS1.2\fR]
 .br
 Sets SSL/TLS protocol options for encrypted connections. By default,
 CUPS only supports encryption using TLS v1.0 or higher using known
@@ -490,6 +490,7 @@ enabled. The \fIAllowRC4\fR option enabl
 suites, which are required for some older clients that do not
 implement newer ones. The \fIAllowSSL3\fR option enables SSL v3.0,
 which is required for some older clients that do not support TLS v1.0.
+The \fIMinTLS1.2\fR option enforces CUPS to use TLS v1.2 and higher.
 .TP 5
 SSLPort
 .br
diff -up cups-1.6.3/scheduler/client.c.tlsv12 cups-1.6.3/scheduler/client.c
--- cups-1.6.3/scheduler/client.c.tlsv12	2017-12-12 15:18:01.683589773 +0100
+++ cups-1.6.3/scheduler/client.c	2017-12-12 16:44:38.721796794 +0100
@@ -1189,7 +1189,11 @@ cupsdReadClient(cupsd_client_t *con)	/*
 	}
 
 	httpPrintf(HTTP(con), "Connection: Upgrade\r\n");
-	httpPrintf(HTTP(con), "Upgrade: TLS/1.0,HTTP/1.1\r\n");
+	if ((SSLOptions & CUPSD_SSL_MIN_TLS12) ||
+	    !_cups_strcasecmp(con->http.fields[HTTP_FIELD_UPGRADE], "TLS/1.2+"))
+	  httpPrintf(HTTP(con), "Upgrade: TLS/1.2+,HTTP/1.1\r\n");
+	else
+	  httpPrintf(HTTP(con), "Upgrade: TLS/1.0,HTTP/1.1\r\n");
 	httpPrintf(HTTP(con), "Content-Length: 0\r\n");
 	httpPrintf(HTTP(con), "\r\n");
 
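Review bot: The new condition compares the client's whole Upgrade header value, case-insensitively, against the single token `TLS/1.2+`, so a header that lists several tokens (for example `TLS/1.2+, HTTP/1.1`) is not matched and the TLS/1.0 answer is sent instead. That is acceptable if only the exact value emitted by the patched cups/http.c is expected, but a comment stating it would help, e.g. `/* CUPS-specific "TLS/1.2+" token sent by cups/http.c; honour the client's stricter floor */`. The five-line if/else is repeated verbatim in the second cupsdReadClient hunk below and the same predicate again in scheduler/tls-openssl.c, so a small static helper returning the combined condition would keep the three in step. Honouring the peer's header here can only tighten the negotiated floor, never loosen it, which is the right direction. cupsdReadClient starts and ends outside the hunk.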
@@ -1263,7 +1268,11 @@ cupsdReadClient(cupsd_client_t *con)	/*
 	}
 
 	httpPrintf(HTTP(con), "Connection: Upgrade\r\n");
-	httpPrintf(HTTP(con), "Upgrade: TLS/1.0,HTTP/1.1\r\n");
+	if ((SSLOptions & CUPSD_SSL_MIN_TLS12) ||
+	    !_cups_strcasecmp(con->http.fields[HTTP_FIELD_UPGRADE], "TLS/1.2+"))
+	  httpPrintf(HTTP(con), "Upgrade: TLS/1.2+,HTTP/1.1\r\n");
+	else
+	  httpPrintf(HTTP(con), "Upgrade: TLS/1.0,HTTP/1.1\r\n");
 	httpPrintf(HTTP(con), "Content-Length: 0\r\n");
 	httpPrintf(HTTP(con), "\r\n");
 
diff -up cups-1.6.3/scheduler/conf.c.tlsv12 cups-1.6.3/scheduler/conf.c
--- cups-1.6.3/scheduler/conf.c.tlsv12	2017-12-12 14:40:02.681393811 +0100
+++ cups-1.6.3/scheduler/conf.c	2017-12-12 14:40:02.689393744 +0100
@@ -3383,7 +3383,7 @@ read_cupsd_conf(cups_file_t *fp)	/* I -
     else if (!_cups_strcasecmp(line, "SSLOptions"))
     {
      /*
-      * SSLOptions [AllowRC4] [AllowSSL3] [NoEmptyFragments] [None]
+      * SSLOptions [AllowRC4] [AllowSSL3] [MinTLS1.2] [NoEmptyFragments] [None]
       */
 
       int	options = 0;	/* SSL/TLS options */
@@ -3420,6 +3420,8 @@ read_cupsd_conf(cups_file_t *fp)	/* I -
 	    options |= CUPSD_SSL_ALLOW_RC4;
 	  else if (!_cups_strcasecmp(start, "AllowSSL3"))
 	    options |= CUPSD_SSL_ALLOW_SSL3;
+	  else if (!_cups_strcasecmp(start, "MinTLS1.2"))
+	    options |= CUPSD_SSL_MIN_TLS12;
 	  else if (!_cups_strcasecmp(start, "None"))
 	    options = 0;
 	  else
diff -up cups-1.6.3/scheduler/conf.h.tlsv12 cups-1.6.3/scheduler/conf.h
--- cups-1.6.3/scheduler/conf.h.tlsv12	2017-12-12 14:40:02.681393811 +0100
+++ cups-1.6.3/scheduler/conf.h	2017-12-12 14:40:02.690393736 +0100
@@ -80,7 +80,7 @@ typedef enum
 #define CUPSD_SSL_NOEMPTY	1	/* Do not insert empty fragments */
 #define CUPSD_SSL_ALLOW_RC4	2	/* Allow RC4 cipher suites */
 #define CUPSD_SSL_ALLOW_SSL3	4	/* Allow SSL 3.0 */
-
+#define CUPSD_SSL_MIN_TLS12    8   /* Deny TLS 1.1 */
 
 /*
  * ServerAlias data...
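Review bot: The comment on the new `CUPSD_SSL_MIN_TLS12` line, `Deny TLS 1.1`, understates the option: with the cipher list set in tls-openssl.c it also excludes TLS 1.0 and SSL 3.0, so `/* Require TLS 1.2 or later */` matches both the behaviour and the man-page wording. The line is also aligned with spaces while its three neighbours use tabs, and the blank line it replaces separated the define block from the comment that follows, so keeping that blank line after the new define would preserve the layout.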
diff -up cups-1.6.3/scheduler/tls-openssl.c.tlsv12 cups-1.6.3/scheduler/tls-openssl.c
--- cups-1.6.3/scheduler/tls-openssl.c.tlsv12	2017-12-12 14:40:02.645394110 +0100
+++ cups-1.6.3/scheduler/tls-openssl.c	2017-12-12 16:49:10.357623844 +0100
@@ -111,6 +111,9 @@ cupsdStartTLS(cupsd_client_t *con)	/* I
     SSL_CTX_set_options(context, SSL_OP_NO_SSLv3); /* Don't use SSLv3 */
   if (!(SSLOptions & CUPSD_SSL_ALLOW_RC4))
     SSL_CTX_set_cipher_list(context, "DEFAULT:-RC4");
+  if ((SSLOptions & CUPSD_SSL_MIN_TLS12) ||
+      !_cups_strcasecmp(con->http.fields[HTTP_FIELD_UPGRADE], "TLS/1.2+"))
+    SSL_CTX_set_cipher_list(context, "DEFAULT:!SSLv3:!TLSv1");
   SSL_CTX_use_PrivateKey_file(context, ServerKey, SSL_FILETYPE_PEM);
   SSL_CTX_use_certificate_chain_file(context, ServerCertificate);
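Review bot: The result of the new `SSL_CTX_set_cipher_list` call is not checked; it returns 0 when none of the listed ciphers can be enabled, and cupsdStartTLS would then continue with whatever list the context already had, which in this case is the `DEFAULT:-RC4` list set two lines above. That earlier call is also replaced rather than narrowed, so the explicit RC4 exclusion is dropped whenever MinTLS1.2 is in effect (the http_setup_ssl hunk in cups/http.c has the same shape); whether `!SSLv3` happens to remove the RC4 suites as well depends on the OpenSSL version's classification and should not be relied on. Composing a single string when both options apply, e.g. `DEFAULT:-RC4:!SSLv3:!TLSv1`, and logging on failure, `if (!SSL_CTX_set_cipher_list(context, "DEFAULT:!SSLv3:!TLSv1")) cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to set TLS 1.2 cipher list.");`, would keep both guarantees. cupsdStartTLS starts and ends outside the hunk.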