cups/tls-gnutls.c

   1 /*
   2  * TLS support code for CUPS using GNU TLS.
   3  *
   4  * Copyright 2007-2016 by Apple Inc.
   5  * Copyright 1997-2007 by Easy Software Products, all rights reserved.
   6  *
   7  * These coded instructions, statements, and computer programs are the
   8  * property of Apple Inc. and are protected by Federal copyright
   9  * law.  Distribution and use rights are outlined in the file "LICENSE.txt"
  10  * which should have been included with this file.  If this file is
  11  * file is missing or damaged, see the license at "http://www.cups.org/".
  12  *
  13  * This file is subject to the Apple OS-Developed Software exception.
  14  */
  15
  16 /**** This file is included from tls.c ****/
  17
  18 /*
  19  * Include necessary headers...
  20  */
  21
  22 #include <sys/stat.h>
  23
  24
  25 /*
  26  * Local globals...
  27  */
  28
  29 static int              tls_auto_create = 0;
  30                                         /* Auto-create self-signed certs? */
  31 static char             *tls_common_name = NULL;
  32                                         /* Default common name */
  33 static gnutls_x509_crl_t tls_crl = NULL;/* Certificate revocation list */
  34 static char             *tls_keypath = NULL;
  35                                         /* Server cert keychain path */
  36 static _cups_mutex_t    tls_mutex = _CUPS_MUTEX_INITIALIZER;
  37                                         /* Mutex for keychain/certs */
  38 static int              tls_options = -1;/* Options for TLS connections */
  39
  40
  41 /*
  42  * Local functions...
  43  */
  44
  45 static gnutls_x509_crt_t http_gnutls_create_credential(http_credential_t *credential);
  46 static const char       *http_gnutls_default_path(char *buffer, size_t bufsize);
  47 static void             http_gnutls_load_crl(void);
  48 static const char       *http_gnutls_make_path(char *buffer, size_t bufsize, const char *dirname, const char *filename, const char *ext);
  49 static ssize_t          http_gnutls_read(gnutls_transport_ptr_t ptr, void *data, size_t length);
  50 static ssize_t          http_gnutls_write(gnutls_transport_ptr_t ptr, const void *data, size_t length);
  51
  52
  53 /*
  54  * 'cupsMakeServerCredentials()' - Make a self-signed certificate and private key pair.
  55  *
  56  * @since CUPS 2.0/OS 10.10@
  57  */
  58
  59 int                                     /* O - 1 on success, 0 on failure */
  60 cupsMakeServerCredentials(
  61     const char *path,                   /* I - Path to keychain/directory */
  62     const char *common_name,            /* I - Common name */
  63     int        num_alt_names,           /* I - Number of subject alternate names */
  64     const char **alt_names,             /* I - Subject Alternate Names */
  65     time_t     expiration_date)         /* I - Expiration date */
  66 {
  67   gnutls_x509_crt_t     crt;            /* Self-signed certificate */
  68   gnutls_x509_privkey_t key;            /* Encryption private key */
  69   char                  temp[1024],     /* Temporary directory name */
  70                         crtfile[1024],  /* Certificate filename */
  71                         keyfile[1024];  /* Private key filename */
  72   cups_lang_t           *language;      /* Default language info */
  73   cups_file_t           *fp;            /* Key/cert file */
  74   unsigned char         buffer[8192];   /* Buffer for x509 data */
  75   size_t                bytes;          /* Number of bytes of data */
  76   unsigned char         serial[4];      /* Serial number buffer */
  77   time_t                curtime;        /* Current time */
  78   int                   result;         /* Result of GNU TLS calls */
  79
  80
  81   DEBUG_printf(("cupsMakeServerCredentials(path=\"%s\", common_name=\"%s\", num_alt_names=%d, alt_names=%p, expiration_date=%d)", path, common_name, num_alt_names, alt_names, (int)expiration_date));
  82
  83  /*
  84   * Filenames...
  85   */
  86
  87   if (!path)
  88     path = http_gnutls_default_path(temp, sizeof(temp));
  89
  90   if (!path || !common_name)
  91   {
  92     _cupsSetError(IPP_STATUS_ERROR_INTERNAL, strerror(EINVAL), 0);
  93     return (0);
  94   }
  95
  96   http_gnutls_make_path(crtfile, sizeof(crtfile), path, common_name, "crt");
  97   http_gnutls_make_path(keyfile, sizeof(keyfile), path, common_name, "key");
  98
  99  /*
 100   * Create the encryption key...
 101   */
 102
 103   DEBUG_puts("1cupsMakeServerCredentials: Creating key pair.");
 104
 105   gnutls_x509_privkey_init(&key);
 106   gnutls_x509_privkey_generate(key, GNUTLS_PK_RSA, 2048, 0);
 107
 108   DEBUG_puts("1cupsMakeServerCredentials: Key pair created.");
 109
 110  /*
 111   * Save it...
 112   */
 113
 114   bytes = sizeof(buffer);
 115
 116   if ((result = gnutls_x509_privkey_export(key, GNUTLS_X509_FMT_PEM, buffer, &bytes)) < 0)
 117   {
 118     DEBUG_printf(("1cupsMakeServerCredentials: Unable to export private key: %s", gnutls_strerror(result)));
 119     _cupsSetError(IPP_STATUS_ERROR_INTERNAL, gnutls_strerror(result), 0);
 120     gnutls_x509_privkey_deinit(key);
 121     return (0);
 122   }
 123   else if ((fp = cupsFileOpen(keyfile, "w")) != NULL)
 124   {
 125     DEBUG_printf(("1cupsMakeServerCredentials: Writing private key to \"%s\".", keyfile));
 126     cupsFileWrite(fp, (char *)buffer, bytes);
 127     cupsFileClose(fp);
 128   }
 129   else
 130   {
 131     DEBUG_printf(("1cupsMakeServerCredentials: Unable to create private key file \"%s\": %s", keyfile, strerror(errno)));
 132     _cupsSetError(IPP_STATUS_ERROR_INTERNAL, strerror(errno), 0);
 133     gnutls_x509_privkey_deinit(key);
 134     return (0);
 135   }
 136
 137  /*
 138   * Create the self-signed certificate...
 139   */
 140
 141   DEBUG_puts("1cupsMakeServerCredentials: Generating self-signed X.509 certificate.");
 142
 143   language  = cupsLangDefault();
 144   curtime   = time(NULL);
 145   serial[0] = curtime >> 24;
 146   serial[1] = curtime >> 16;
 147   serial[2] = curtime >> 8;
 148   serial[3] = curtime;
 149
 150   gnutls_x509_crt_init(&crt);
 151   if (strlen(language->language) == 5)
 152     gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_X520_COUNTRY_NAME, 0,
 153                                   language->language + 3, 2);
 154   else
 155     gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_X520_COUNTRY_NAME, 0,
 156                                   "US", 2);
 157   gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_X520_COMMON_NAME, 0,
 158                                 common_name, strlen(common_name));
 159   gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_X520_ORGANIZATION_NAME, 0,
 160                                 common_name, strlen(common_name));
 161   gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME,
 162                                 0, "Unknown", 7);
 163   gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME, 0,
 164                                 "Unknown", 7);
 165   gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_X520_LOCALITY_NAME, 0,
 166                                 "Unknown", 7);
 167 /*  gnutls_x509_crt_set_dn_by_oid(crt, GNUTLS_OID_PKCS9_EMAIL, 0,
 168                                 ServerAdmin, strlen(ServerAdmin));*/
 169   gnutls_x509_crt_set_key(crt, key);
 170   gnutls_x509_crt_set_serial(crt, serial, sizeof(serial));
 171   gnutls_x509_crt_set_activation_time(crt, curtime);
 172   gnutls_x509_crt_set_expiration_time(crt, curtime + 10 * 365 * 86400);
 173   gnutls_x509_crt_set_ca_status(crt, 0);
 174   if (num_alt_names > 0)
 175     gnutls_x509_crt_set_subject_alternative_name(crt, GNUTLS_SAN_DNSNAME, alt_names[0]);
 176   gnutls_x509_crt_set_key_purpose_oid(crt, GNUTLS_KP_TLS_WWW_SERVER, 0);
 177   gnutls_x509_crt_set_key_usage(crt, GNUTLS_KEY_KEY_ENCIPHERMENT);
 178   gnutls_x509_crt_set_version(crt, 3);
 179
 180   bytes = sizeof(buffer);
 181   if (gnutls_x509_crt_get_key_id(crt, 0, buffer, &bytes) >= 0)
 182     gnutls_x509_crt_set_subject_key_id(crt, buffer, bytes);
 183
 184   gnutls_x509_crt_sign(crt, crt, key);
 185
 186  /*
 187   * Save it...
 188   */
 189
 190   bytes = sizeof(buffer);
 191   if ((result = gnutls_x509_crt_export(crt, GNUTLS_X509_FMT_PEM, buffer, &bytes)) < 0)
 192   {
 193     DEBUG_printf(("1cupsMakeServerCredentials: Unable to export public key and X.509 certificate: %s", gnutls_strerror(result)));
 194     _cupsSetError(IPP_STATUS_ERROR_INTERNAL, gnutls_strerror(result), 0);
 195     gnutls_x509_crt_deinit(crt);
 196     gnutls_x509_privkey_deinit(key);
 197     return (0);
 198   }
 199   else if ((fp = cupsFileOpen(crtfile, "w")) != NULL)
 200   {
 201     DEBUG_printf(("1cupsMakeServerCredentials: Writing public key and X.509 certificate to \"%s\".", crtfile));
 202     cupsFileWrite(fp, (char *)buffer, bytes);
 203     cupsFileClose(fp);
 204   }
 205   else
 206   {
 207     DEBUG_printf(("1cupsMakeServerCredentials: Unable to create public key and X.509 certificate file \"%s\": %s", crtfile, strerror(errno)));
 208     _cupsSetError(IPP_STATUS_ERROR_INTERNAL, strerror(errno), 0);
 209     gnutls_x509_crt_deinit(crt);
 210     gnutls_x509_privkey_deinit(key);
 211     return (0);
 212   }
 213
 214  /*
 215   * Cleanup...
 216   */
 217
 218   gnutls_x509_crt_deinit(crt);
 219   gnutls_x509_privkey_deinit(key);
 220
 221   DEBUG_puts("1cupsMakeServerCredentials: Successfully created credentials.");
 222
 223   return (1);
 224 }
 225
 226
 227 /*
 228  * 'cupsSetServerCredentials()' - Set the default server credentials.
 229  *
 230  * Note: The server credentials are used by all threads in the running process.
 231  * This function is threadsafe.
 232  *
 233  * @since CUPS 2.0/OS 10.10@
 234  */
 235
 236 int                                     /* O - 1 on success, 0 on failure */
 237 cupsSetServerCredentials(
 238     const char *path,                   /* I - Path to keychain/directory */
 239     const char *common_name,            /* I - Default common name for server */
 240     int        auto_create)             /* I - 1 = automatically create self-signed certificates */
 241 {
 242   char  temp[1024];                     /* Default path buffer */
 243
 244
 245   DEBUG_printf(("cupsSetServerCredentials(path=\"%s\", common_name=\"%s\", auto_create=%d)", path, common_name, auto_create));
 246
 247  /*
 248   * Use defaults as needed...
 249   */
 250
 251   if (!path)
 252     path = http_gnutls_default_path(temp, sizeof(temp));
 253
 254  /*
 255   * Range check input...
 256   */
 257
 258   if (!path || !common_name)
 259   {
 260     _cupsSetError(IPP_STATUS_ERROR_INTERNAL, strerror(EINVAL), 0);
 261     return (0);
 262   }
 263
 264   _cupsMutexLock(&tls_mutex);
 265
 266  /*
 267   * Free old values...
 268   */
 269
 270   if (tls_keypath)
 271     _cupsStrFree(tls_keypath);
 272
 273   if (tls_common_name)
 274     _cupsStrFree(tls_common_name);
 275
 276  /*
 277   * Save the new values...
 278   */
 279
 280   tls_keypath     = _cupsStrAlloc(path);
 281   tls_auto_create = auto_create;
 282   tls_common_name = _cupsStrAlloc(common_name);
 283
 284   _cupsMutexUnlock(&tls_mutex);
 285
 286   return (1);
 287 }
 288
 289
 290 /*
 291  * 'httpCopyCredentials()' - Copy the credentials associated with the peer in
 292  *                           an encrypted connection.
 293  *
 294  * @since CUPS 1.5/macOS 10.7@
 295  */
 296
 297 int                                     /* O - Status of call (0 = success) */
 298 httpCopyCredentials(
 299     http_t       *http,                 /* I - Connection to server */
 300     cups_array_t **credentials)         /* O - Array of credentials */
 301 {
 302   unsigned              count;          /* Number of certificates */
 303   const gnutls_datum_t *certs;          /* Certificates */
 304
 305
 306   DEBUG_printf(("httpCopyCredentials(http=%p, credentials=%p)", http, credentials));
 307
 308   if (credentials)
 309     *credentials = NULL;
 310
 311   if (!http || !http->tls || !credentials)
 312     return (-1);
 313
 314   *credentials = cupsArrayNew(NULL, NULL);
 315   certs        = gnutls_certificate_get_peers(http->tls, &count);
 316
 317   DEBUG_printf(("1httpCopyCredentials: certs=%p, count=%u", certs, count));
 318
 319   if (certs && count)
 320   {
 321     while (count > 0)
 322     {
 323       httpAddCredential(*credentials, certs->data, certs->size);
 324       certs ++;
 325       count --;
 326     }
 327   }
 328
 329   return (0);
 330 }
 331
 332
 333 /*
 334  * '_httpCreateCredentials()' - Create credentials in the internal format.
 335  */
 336
 337 http_tls_credentials_t                  /* O - Internal credentials */
 338 _httpCreateCredentials(
 339     cups_array_t *credentials)          /* I - Array of credentials */
 340 {
 341   (void)credentials;
 342
 343   return (NULL);
 344 }
 345
 346
 347 /*
 348  * '_httpFreeCredentials()' - Free internal credentials.
 349  */
 350
 351 void
 352 _httpFreeCredentials(
 353     http_tls_credentials_t credentials) /* I - Internal credentials */
 354 {
 355   (void)credentials;
 356 }
 357
 358
 359 /*
 360  * 'httpCredentialsAreValidForName()' - Return whether the credentials are valid for the given name.
 361  *
 362  * @since CUPS 2.0/OS 10.10@
 363  */
 364
 365 int                                     /* O - 1 if valid, 0 otherwise */
 366 httpCredentialsAreValidForName(
 367     cups_array_t *credentials,          /* I - Credentials */
 368     const char   *common_name)          /* I - Name to check */
 369 {
 370   gnutls_x509_crt_t     cert;           /* Certificate */
 371   int                   result = 0;     /* Result */
 372
 373
 374   cert = http_gnutls_create_credential((http_credential_t *)cupsArrayFirst(credentials));
 375   if (cert)
 376   {
 377     result = gnutls_x509_crt_check_hostname(cert, common_name) != 0;
 378
 379     if (result)
 380     {
 381       int               i,              /* Looping var */
 382                         count;          /* Number of revoked certificates */
 383       unsigned char     cserial[1024],  /* Certificate serial number */
 384                         rserial[1024];  /* Revoked serial number */
 385       size_t            cserial_size,   /* Size of cert serial number */
 386                         rserial_size;   /* Size of revoked serial number */
 387
 388       _cupsMutexLock(&tls_mutex);
 389
 390       count = gnutls_x509_crl_get_crt_count(tls_crl);
 391
 392       if (count > 0)
 393       {
 394         cserial_size = sizeof(cserial);
 395         gnutls_x509_crt_get_serial(cert, cserial, &cserial_size);
 396
 397         for (i = 0; i < count; i ++)
 398         {
 399           rserial_size = sizeof(rserial);
 400           if (!gnutls_x509_crl_get_crt_serial(tls_crl, i, rserial, &rserial_size, NULL) && cserial_size == rserial_size && !memcmp(cserial, rserial, rserial_size))
 401           {
 402             result = 0;
 403             break;
 404           }
 405         }
 406       }
 407
 408       _cupsMutexUnlock(&tls_mutex);
 409     }
 410
 411     gnutls_x509_crt_deinit(cert);
 412   }
 413
 414   return (result);
 415 }
 416
 417
 418 /*
 419  * 'httpCredentialsGetTrust()' - Return the trust of credentials.
 420  *
 421  * @since CUPS 2.0/OS 10.10@
 422  */
 423
 424 http_trust_t                            /* O - Level of trust */
 425 httpCredentialsGetTrust(
 426     cups_array_t *credentials,          /* I - Credentials */
 427     const char   *common_name)          /* I - Common name for trust lookup */
 428 {
 429   http_trust_t          trust = HTTP_TRUST_OK;
 430                                         /* Trusted? */
 431   gnutls_x509_crt_t     cert;           /* Certificate */
 432   cups_array_t          *tcreds = NULL; /* Trusted credentials */
 433   _cups_globals_t       *cg = _cupsGlobals();
 434                                         /* Per-thread globals */
 435
 436
 437   if (!common_name)
 438   {
 439     _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("No common name specified."), 1);
 440     return (HTTP_TRUST_UNKNOWN);
 441   }
 442
 443   if ((cert = http_gnutls_create_credential((http_credential_t *)cupsArrayFirst(credentials))) == NULL)
 444   {
 445     _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Unable to create credentials from array."), 1);
 446     return (HTTP_TRUST_UNKNOWN);
 447   }
 448
 449   if (cg->any_root < 0)
 450   {
 451     _cupsSetDefaults();
 452     http_gnutls_load_crl();
 453   }
 454
 455  /*
 456   * Look this common name up in the default keychains...
 457   */
 458
 459   httpLoadCredentials(NULL, &tcreds, common_name);
 460
 461   if (tcreds)
 462   {
 463     char        credentials_str[1024],  /* String for incoming credentials */
 464                 tcreds_str[1024];       /* String for saved credentials */
 465
 466     httpCredentialsString(credentials, credentials_str, sizeof(credentials_str));
 467     httpCredentialsString(tcreds, tcreds_str, sizeof(tcreds_str));
 468
 469     if (strcmp(credentials_str, tcreds_str))
 470     {
 471      /*
 472       * Credentials don't match, let's look at the expiration date of the new
 473       * credentials and allow if the new ones have a later expiration...
 474       */
 475
 476       if (!cg->trust_first)
 477       {
 478        /*
 479         * Do not trust certificates on first use...
 480         */
 481
 482         _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Trust on first use is disabled."), 1);
 483
 484         trust = HTTP_TRUST_INVALID;
 485       }
 486       else if (httpCredentialsGetExpiration(credentials) <= httpCredentialsGetExpiration(tcreds))
 487       {
 488        /*
 489         * The new credentials are not newly issued...
 490         */
 491
 492         _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("New credentials are older than stored credentials."), 1);
 493
 494         trust = HTTP_TRUST_INVALID;
 495       }
 496       else if (!httpCredentialsAreValidForName(credentials, common_name))
 497       {
 498        /*
 499         * The common name does not match the issued certificate...
 500         */
 501
 502         _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("New credentials are not valid for name."), 1);
 503
 504         trust = HTTP_TRUST_INVALID;
 505       }
 506       else if (httpCredentialsGetExpiration(tcreds) < time(NULL))
 507       {
 508        /*
 509         * Save the renewed credentials...
 510         */
 511
 512         trust = HTTP_TRUST_RENEWED;
 513
 514         httpSaveCredentials(NULL, credentials, common_name);
 515       }
 516     }
 517
 518     httpFreeCredentials(tcreds);
 519   }
 520   else if (cg->validate_certs && !httpCredentialsAreValidForName(credentials, common_name))
 521   {
 522     _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("No stored credentials, not valid for name."), 1);
 523     trust = HTTP_TRUST_INVALID;
 524   }
 525   else if (!cg->trust_first)
 526   {
 527    /*
 528     * See if we have a site CA certificate we can compare...
 529     */
 530
 531     if (!httpLoadCredentials(NULL, &tcreds, "site"))
 532     {
 533       if (cupsArrayCount(credentials) != (cupsArrayCount(tcreds) + 1))
 534       {
 535        /*
 536         * Certificate isn't directly generated from the CA cert...
 537         */
 538
 539         trust = HTTP_TRUST_INVALID;
 540       }
 541       else
 542       {
 543        /*
 544         * Do a tail comparison of the two certificates...
 545         */
 546
 547         http_credential_t       *a, *b;         /* Certificates */
 548
 549         for (a = (http_credential_t *)cupsArrayFirst(tcreds), b = (http_credential_t *)cupsArrayIndex(credentials, 1);
 550              a && b;
 551              a = (http_credential_t *)cupsArrayNext(tcreds), b = (http_credential_t *)cupsArrayNext(credentials))
 552           if (a->datalen != b->datalen || memcmp(a->data, b->data, a->datalen))
 553             break;
 554
 555         if (a || b)
 556           trust = HTTP_TRUST_INVALID;
 557       }
 558
 559       if (trust != HTTP_TRUST_OK)
 560         _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Credentials do not validate against site CA certificate."), 1);
 561     }
 562     else
 563     {
 564       _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Trust on first use is disabled."), 1);
 565       trust = HTTP_TRUST_INVALID;
 566     }
 567   }
 568
 569   if (trust == HTTP_TRUST_OK && !cg->expired_certs)
 570   {
 571     time_t      curtime;                /* Current date/time */
 572
 573     time(&curtime);
 574     if (curtime < gnutls_x509_crt_get_activation_time(cert) ||
 575         curtime > gnutls_x509_crt_get_expiration_time(cert))
 576     {
 577       _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Credentials have expired."), 1);
 578       trust = HTTP_TRUST_EXPIRED;
 579     }
 580   }
 581
 582   if (trust == HTTP_TRUST_OK && !cg->any_root && cupsArrayCount(credentials) == 1)
 583   {
 584     _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Self-signed credentials are blocked."), 1);
 585     trust = HTTP_TRUST_INVALID;
 586   }
 587
 588   gnutls_x509_crt_deinit(cert);
 589
 590   return (trust);
 591 }
 592
 593
 594 /*
 595  * 'httpCredentialsGetExpiration()' - Return the expiration date of the credentials.
 596  *
 597  * @since CUPS 2.0/OS 10.10@
 598  */
 599
 600 time_t                                  /* O - Expiration date of credentials */
 601 httpCredentialsGetExpiration(
 602     cups_array_t *credentials)          /* I - Credentials */
 603 {
 604   gnutls_x509_crt_t     cert;           /* Certificate */
 605   time_t                result = 0;     /* Result */
 606
 607
 608   cert = http_gnutls_create_credential((http_credential_t *)cupsArrayFirst(credentials));
 609   if (cert)
 610   {
 611     result = gnutls_x509_crt_get_expiration_time(cert);
 612     gnutls_x509_crt_deinit(cert);
 613   }
 614
 615   return (result);
 616 }
 617
 618
 619 /*
 620  * 'httpCredentialsString()' - Return a string representing the credentials.
 621  *
 622  * @since CUPS 2.0/OS 10.10@
 623  */
 624
 625 size_t                                  /* O - Total size of credentials string */
 626 httpCredentialsString(
 627     cups_array_t *credentials,          /* I - Credentials */
 628     char         *buffer,               /* I - Buffer or @code NULL@ */
 629     size_t       bufsize)               /* I - Size of buffer */
 630 {
 631   http_credential_t     *first;         /* First certificate */
 632   gnutls_x509_crt_t     cert;           /* Certificate */
 633
 634
 635   DEBUG_printf(("httpCredentialsString(credentials=%p, buffer=%p, bufsize=" CUPS_LLFMT ")", credentials, buffer, CUPS_LLCAST bufsize));
 636
 637   if (!buffer)
 638     return (0);
 639
 640   if (buffer && bufsize > 0)
 641     *buffer = '\0';
 642
 643   if ((first = (http_credential_t *)cupsArrayFirst(credentials)) != NULL &&
 644       (cert = http_gnutls_create_credential(first)) != NULL)
 645   {
 646     char                name[256];      /* Common name associated with cert */
 647     size_t              namelen;        /* Length of name */
 648     time_t              expiration;     /* Expiration date of cert */
 649     _cups_md5_state_t   md5_state;      /* MD5 state */
 650     unsigned char       md5_digest[16]; /* MD5 result */
 651
 652     namelen = sizeof(name) - 1;
 653     if (gnutls_x509_crt_get_dn_by_oid(cert, GNUTLS_OID_X520_COMMON_NAME, 0, 0, name, &namelen) >= 0)
 654       name[namelen] = '\0';
 655     else
 656       strlcpy(name, "unknown", sizeof(name));
 657
 658     expiration = gnutls_x509_crt_get_expiration_time(cert);
 659
 660     _cupsMD5Init(&md5_state);
 661     _cupsMD5Append(&md5_state, first->data, (int)first->datalen);
 662     _cupsMD5Finish(&md5_state, md5_digest);
 663
 664     snprintf(buffer, bufsize, "%s / %s / %02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X", name, httpGetDateString(expiration), md5_digest[0], md5_digest[1], md5_digest[2], md5_digest[3], md5_digest[4], md5_digest[5], md5_digest[6], md5_digest[7], md5_digest[8], md5_digest[9], md5_digest[10], md5_digest[11], md5_digest[12], md5_digest[13], md5_digest[14], md5_digest[15]);
 665
 666     gnutls_x509_crt_deinit(cert);
 667   }
 668
 669   DEBUG_printf(("1httpCredentialsString: Returning \"%s\".", buffer));
 670
 671   return (strlen(buffer));
 672 }
 673
 674
 675 /*
 676  * 'httpLoadCredentials()' - Load X.509 credentials from a keychain file.
 677  *
 678  * @since CUPS 2.0/OS 10.10@
 679  */
 680
 681 int                                     /* O - 0 on success, -1 on error */
 682 httpLoadCredentials(
 683     const char   *path,                 /* I  - Keychain/PKCS#12 path */
 684     cups_array_t **credentials,         /* IO - Credentials */
 685     const char   *common_name)          /* I  - Common name for credentials */
 686 {
 687   cups_file_t           *fp;            /* Certificate file */
 688   char                  filename[1024], /* filename.crt */
 689                         temp[1024],     /* Temporary string */
 690                         line[256];      /* Base64-encoded line */
 691   unsigned char         *data = NULL;   /* Buffer for cert data */
 692   size_t                alloc_data = 0, /* Bytes allocated */
 693                         num_data = 0;   /* Bytes used */
 694   int                   decoded;        /* Bytes decoded */
 695   int                   in_certificate = 0;
 696                                         /* In a certificate? */
 697
 698
 699   if (!credentials || !common_name)
 700     return (-1);
 701
 702   if (!path)
 703     path = http_gnutls_default_path(temp, sizeof(temp));
 704   if (!path)
 705     return (-1);
 706
 707   http_gnutls_make_path(filename, sizeof(filename), path, common_name, "crt");
 708
 709   if ((fp = cupsFileOpen(filename, "r")) == NULL)
 710     return (-1);
 711
 712   while (cupsFileGets(fp, line, sizeof(line)))
 713   {
 714     if (!strcmp(line, "-----BEGIN CERTIFICATE-----"))
 715     {
 716       if (in_certificate)
 717       {
 718        /*
 719         * Missing END CERTIFICATE...
 720         */
 721
 722         httpFreeCredentials(*credentials);
 723         *credentials = NULL;
 724         break;
 725       }
 726
 727       in_certificate = 1;
 728     }
 729     else if (!strcmp(line, "-----END CERTIFICATE-----"))
 730     {
 731       if (!in_certificate || !num_data)
 732       {
 733        /*
 734         * Missing data...
 735         */
 736
 737         httpFreeCredentials(*credentials);
 738         *credentials = NULL;
 739         break;
 740       }
 741
 742       if (!*credentials)
 743         *credentials = cupsArrayNew(NULL, NULL);
 744
 745       if (httpAddCredential(*credentials, data, num_data))
 746       {
 747         httpFreeCredentials(*credentials);
 748         *credentials = NULL;
 749         break;
 750       }
 751
 752       num_data       = 0;
 753       in_certificate = 0;
 754     }
 755     else if (in_certificate)
 756     {
 757       if (alloc_data == 0)
 758       {
 759         data       = malloc(2048);
 760         alloc_data = 2048;
 761
 762         if (!data)
 763           break;
 764       }
 765       else if ((num_data + strlen(line)) >= alloc_data)
 766       {
 767         unsigned char *tdata = realloc(data, alloc_data + 1024);
 768                                         /* Expanded buffer */
 769
 770         if (!tdata)
 771         {
 772           httpFreeCredentials(*credentials);
 773           *credentials = NULL;
 774           break;
 775         }
 776
 777         data       = tdata;
 778         alloc_data += 1024;
 779       }
 780
 781       decoded = alloc_data - num_data;
 782       httpDecode64_2((char *)data + num_data, &decoded, line);
 783       num_data += (size_t)decoded;
 784     }
 785   }
 786
 787   cupsFileClose(fp);
 788
 789   if (in_certificate)
 790   {
 791    /*
 792     * Missing END CERTIFICATE...
 793     */
 794
 795     httpFreeCredentials(*credentials);
 796     *credentials = NULL;
 797   }
 798
 799   if (data)
 800     free(data);
 801
 802   return (*credentials ? 0 : -1);
 803 }
 804
 805
 806 /*
 807  * 'httpSaveCredentials()' - Save X.509 credentials to a keychain file.
 808  *
 809  * @since CUPS 2.0/OS 10.10@
 810  */
 811
 812 int                                     /* O - -1 on error, 0 on success */
 813 httpSaveCredentials(
 814     const char   *path,                 /* I - Keychain/PKCS#12 path */
 815     cups_array_t *credentials,          /* I - Credentials */
 816     const char   *common_name)          /* I - Common name for credentials */
 817 {
 818   cups_file_t           *fp;            /* Certificate file */
 819   char                  filename[1024], /* filename.crt */
 820                         nfilename[1024],/* filename.crt.N */
 821                         temp[1024],     /* Temporary string */
 822                         line[256];      /* Base64-encoded line */
 823   const unsigned char   *ptr;           /* Pointer into certificate */
 824   ssize_t               remaining;      /* Bytes left */
 825   http_credential_t     *cred;          /* Current credential */
 826
 827
 828   if (!credentials || !common_name)
 829     return (-1);
 830
 831   if (!path)
 832     path = http_gnutls_default_path(temp, sizeof(temp));
 833   if (!path)
 834     return (-1);
 835
 836   http_gnutls_make_path(filename, sizeof(filename), path, common_name, "crt");
 837   snprintf(nfilename, sizeof(nfilename), "%s.N", filename);
 838
 839   if ((fp = cupsFileOpen(nfilename, "w")) == NULL)
 840     return (-1);
 841
 842   fchmod(cupsFileNumber(fp), 0600);
 843
 844   for (cred = (http_credential_t *)cupsArrayFirst(credentials);
 845        cred;
 846        cred = (http_credential_t *)cupsArrayNext(credentials))
 847   {
 848     cupsFilePuts(fp, "-----BEGIN CERTIFICATE-----\n");
 849     for (ptr = cred->data, remaining = (ssize_t)cred->datalen; remaining > 0; remaining -= 45, ptr += 45)
 850     {
 851       httpEncode64_2(line, sizeof(line), (char *)ptr, remaining > 45 ? 45 : remaining);
 852       cupsFilePrintf(fp, "%s\n", line);
 853     }
 854     cupsFilePuts(fp, "-----END CERTIFICATE-----\n");
 855   }
 856
 857   cupsFileClose(fp);
 858
 859   return (rename(nfilename, filename));
 860 }
 861
 862
 863 /*
 864  * 'http_gnutls_create_credential()' - Create a single credential in the internal format.
 865  */
 866
 867 static gnutls_x509_crt_t                        /* O - Certificate */
 868 http_gnutls_create_credential(
 869     http_credential_t *credential)              /* I - Credential */
 870 {
 871   int                   result;                 /* Result from GNU TLS */
 872   gnutls_x509_crt_t     cert;                   /* Certificate */
 873   gnutls_datum_t        datum;                  /* Data record */
 874
 875
 876   DEBUG_printf(("3http_gnutls_create_credential(credential=%p)", credential));
 877
 878   if (!credential)
 879     return (NULL);
 880
 881   if ((result = gnutls_x509_crt_init(&cert)) < 0)
 882   {
 883     DEBUG_printf(("4http_gnutls_create_credential: init error: %s", gnutls_strerror(result)));
 884     return (NULL);
 885   }
 886
 887   datum.data = credential->data;
 888   datum.size = credential->datalen;
 889
 890   if ((result = gnutls_x509_crt_import(cert, &datum, GNUTLS_X509_FMT_DER)) < 0)
 891   {
 892     DEBUG_printf(("4http_gnutls_create_credential: import error: %s", gnutls_strerror(result)));
 893
 894     gnutls_x509_crt_deinit(cert);
 895     return (NULL);
 896   }
 897
 898   return (cert);
 899 }
 900
 901
 902 /*
 903  * 'http_gnutls_default_path()' - Get the default credential store path.
 904  */
 905
 906 static const char *                     /* O - Path or NULL on error */
 907 http_gnutls_default_path(char   *buffer,/* I - Path buffer */
 908                          size_t bufsize)/* I - Size of path buffer */
 909 {
 910   const char *home = getenv("HOME");    /* HOME environment variable */
 911
 912
 913   if (getuid() && home)
 914   {
 915     snprintf(buffer, bufsize, "%s/.cups", home);
 916     if (access(buffer, 0))
 917     {
 918       DEBUG_printf(("1http_gnutls_default_path: Making directory \"%s\".", buffer));
 919       if (mkdir(buffer, 0700))
 920       {
 921         DEBUG_printf(("1http_gnutls_default_path: Failed to make directory: %s", strerror(errno)));
 922         return (NULL);
 923       }
 924     }
 925
 926     snprintf(buffer, bufsize, "%s/.cups/ssl", home);
 927     if (access(buffer, 0))
 928     {
 929       DEBUG_printf(("1http_gnutls_default_path: Making directory \"%s\".", buffer));
 930       if (mkdir(buffer, 0700))
 931       {
 932         DEBUG_printf(("1http_gnutls_default_path: Failed to make directory: %s", strerror(errno)));
 933         return (NULL);
 934       }
 935     }
 936   }
 937   else
 938     strlcpy(buffer, CUPS_SERVERROOT "/ssl", bufsize);
 939
 940   DEBUG_printf(("1http_gnutls_default_path: Using default path \"%s\".", buffer));
 941
 942   return (buffer);
 943 }
 944
 945
 946 /*
 947  * 'http_gnutls_load_crl()' - Load the certificate revocation list, if any.
 948  */
 949
 950 static void
 951 http_gnutls_load_crl(void)
 952 {
 953   _cupsMutexLock(&tls_mutex);
 954
 955   if (!gnutls_x509_crl_init(&tls_crl))
 956   {
 957     cups_file_t         *fp;            /* CRL file */
 958     char                filename[1024], /* site.crl */
 959                         line[256];      /* Base64-encoded line */
 960     unsigned char       *data = NULL;   /* Buffer for cert data */
 961     size_t              alloc_data = 0, /* Bytes allocated */
 962                         num_data = 0;   /* Bytes used */
 963     int                 decoded;        /* Bytes decoded */
 964     gnutls_datum_t      datum;          /* Data record */
 965
 966
 967     http_gnutls_make_path(filename, sizeof(filename), CUPS_SERVERROOT, "site", "crl");
 968
 969     if ((fp = cupsFileOpen(filename, "r")) != NULL)
 970     {
 971       while (cupsFileGets(fp, line, sizeof(line)))
 972       {
 973         if (!strcmp(line, "-----BEGIN X509 CRL-----"))
 974         {
 975           if (num_data)
 976           {
 977            /*
 978             * Missing END X509 CRL...
 979             */
 980
 981             break;
 982           }
 983         }
 984         else if (!strcmp(line, "-----END X509 CRL-----"))
 985         {
 986           if (!num_data)
 987           {
 988            /*
 989             * Missing data...
 990             */
 991
 992             break;
 993           }
 994
 995           datum.data = data;
 996           datum.size = num_data;
 997
 998           gnutls_x509_crl_import(tls_crl, &datum, GNUTLS_X509_FMT_PEM);
 999
1000           num_data = 0;
1001         }
1002         else
1003         {
1004           if (alloc_data == 0)
1005           {
1006             data       = malloc(2048);
1007             alloc_data = 2048;
1008
1009             if (!data)
1010               break;
1011           }
1012           else if ((num_data + strlen(line)) >= alloc_data)
1013           {
1014             unsigned char *tdata = realloc(data, alloc_data + 1024);
1015                                             /* Expanded buffer */
1016
1017             if (!tdata)
1018               break;
1019
1020             data       = tdata;
1021             alloc_data += 1024;
1022           }
1023
1024           decoded = alloc_data - num_data;
1025           httpDecode64_2((char *)data + num_data, &decoded, line);
1026           num_data += (size_t)decoded;
1027         }
1028       }
1029
1030       cupsFileClose(fp);
1031
1032       if (data)
1033         free(data);
1034     }
1035   }
1036
1037   _cupsMutexUnlock(&tls_mutex);
1038 }
1039
1040
1041 /*
1042  * 'http_gnutls_make_path()' - Format a filename for a certificate or key file.
1043  */
1044
1045 static const char *                     /* O - Filename */
1046 http_gnutls_make_path(
1047     char       *buffer,                 /* I - Filename buffer */
1048     size_t     bufsize,                 /* I - Size of buffer */
1049     const char *dirname,                /* I - Directory */
1050     const char *filename,               /* I - Filename (usually hostname) */
1051     const char *ext)                    /* I - Extension */
1052 {
1053   char  *bufptr,                        /* Pointer into buffer */
1054         *bufend = buffer + bufsize - 1; /* End of buffer */
1055
1056
1057   snprintf(buffer, bufsize, "%s/", dirname);
1058   bufptr = buffer + strlen(buffer);
1059
1060   while (*filename && bufptr < bufend)
1061   {
1062     if (_cups_isalnum(*filename) || *filename == '-' || *filename == '.')
1063       *bufptr++ = *filename;
1064     else
1065       *bufptr++ = '_';
1066
1067     filename ++;
1068   }
1069
1070   if (bufptr < bufend)
1071     *bufptr++ = '.';
1072
1073   strlcpy(bufptr, ext, (size_t)(bufend - bufptr + 1));
1074
1075   return (buffer);
1076 }
1077
1078
1079 /*
1080  * 'http_gnutls_read()' - Read function for the GNU TLS library.
1081  */
1082
1083 static ssize_t                          /* O - Number of bytes read or -1 on error */
1084 http_gnutls_read(
1085     gnutls_transport_ptr_t ptr,         /* I - Connection to server */
1086     void                   *data,       /* I - Buffer */
1087     size_t                 length)      /* I - Number of bytes to read */
1088 {
1089   http_t        *http;                  /* HTTP connection */
1090   ssize_t       bytes;                  /* Bytes read */
1091
1092
1093   DEBUG_printf(("6http_gnutls_read(ptr=%p, data=%p, length=%d)", ptr, data, (int)length));
1094
1095   http = (http_t *)ptr;
1096
1097   if (!http->blocking)
1098   {
1099    /*
1100     * Make sure we have data before we read...
1101     */
1102
1103     while (!_httpWait(http, http->wait_value, 0))
1104     {
1105       if (http->timeout_cb && (*http->timeout_cb)(http, http->timeout_data))
1106         continue;
1107
1108       http->error = ETIMEDOUT;
1109       return (-1);
1110     }
1111   }
1112
1113   bytes = recv(http->fd, data, length, 0);
1114   DEBUG_printf(("6http_gnutls_read: bytes=%d", (int)bytes));
1115   return (bytes);
1116 }
1117
1118
1119 /*
1120  * 'http_gnutls_write()' - Write function for the GNU TLS library.
1121  */
1122
1123 static ssize_t                          /* O - Number of bytes written or -1 on error */
1124 http_gnutls_write(
1125     gnutls_transport_ptr_t ptr,         /* I - Connection to server */
1126     const void             *data,       /* I - Data buffer */
1127     size_t                 length)      /* I - Number of bytes to write */
1128 {
1129   ssize_t bytes;                        /* Bytes written */
1130
1131
1132   DEBUG_printf(("6http_gnutls_write(ptr=%p, data=%p, length=%d)", ptr, data,
1133                 (int)length));
1134   bytes = send(((http_t *)ptr)->fd, data, length, 0);
1135   DEBUG_printf(("http_gnutls_write: bytes=%d", (int)bytes));
1136
1137   return (bytes);
1138 }
1139
1140
1141 /*
1142  * '_httpTLSInitialize()' - Initialize the TLS stack.
1143  */
1144
1145 void
1146 _httpTLSInitialize(void)
1147 {
1148  /*
1149   * Initialize GNU TLS...
1150   */
1151
1152   gnutls_global_init();
1153 }
1154
1155
1156 /*
1157  * '_httpTLSPending()' - Return the number of pending TLS-encrypted bytes.
1158  */
1159
1160 size_t                                  /* O - Bytes available */
1161 _httpTLSPending(http_t *http)           /* I - HTTP connection */
1162 {
1163   return (gnutls_record_check_pending(http->tls));
1164 }
1165
1166
1167 /*
1168  * '_httpTLSRead()' - Read from a SSL/TLS connection.
1169  */
1170
1171 int                                     /* O - Bytes read */
1172 _httpTLSRead(http_t *http,              /* I - Connection to server */
1173              char   *buf,               /* I - Buffer to store data */
1174              int    len)                /* I - Length of buffer */
1175 {
1176   ssize_t       result;                 /* Return value */
1177
1178
1179   result = gnutls_record_recv(http->tls, buf, (size_t)len);
1180
1181   if (result < 0 && !errno)
1182   {
1183    /*
1184     * Convert GNU TLS error to errno value...
1185     */
1186
1187     switch (result)
1188     {
1189       case GNUTLS_E_INTERRUPTED :
1190           errno = EINTR;
1191           break;
1192
1193       case GNUTLS_E_AGAIN :
1194           errno = EAGAIN;
1195           break;
1196
1197       default :
1198           errno = EPIPE;
1199           break;
1200     }
1201
1202     result = -1;
1203   }
1204
1205   return ((int)result);
1206 }
1207
1208
1209 /*
1210  * '_httpTLSSetCredentials()' - Set the TLS credentials.
1211  */
1212
1213 int                                     /* O - Status of connection */
1214 _httpTLSSetCredentials(http_t *http)    /* I - Connection to server */
1215 {
1216   (void)http;
1217
1218   return (0);
1219 }
1220
1221
1222 /*
1223  * '_httpTLSSetOptions()' - Set TLS protocol and cipher suite options.
1224  */
1225
1226 void
1227 _httpTLSSetOptions(int options)         /* I - Options */
1228 {
1229   tls_options = options;
1230 }
1231
1232
1233 /*
1234  * '_httpTLSStart()' - Set up SSL/TLS support on a connection.
1235  */
1236
1237 int                                     /* O - 0 on success, -1 on failure */
1238 _httpTLSStart(http_t *http)             /* I - Connection to server */
1239 {
1240   char                  hostname[256],  /* Hostname */
1241                         *hostptr;       /* Pointer into hostname */
1242   int                   status;         /* Status of handshake */
1243   gnutls_certificate_credentials_t *credentials;
1244                                         /* TLS credentials */
1245   char                  priority_string[1024];
1246                                         /* Priority string */
1247
1248
1249   DEBUG_printf(("3_httpTLSStart(http=%p)", http));
1250
1251   if (tls_options < 0)
1252   {
1253     DEBUG_puts("4_httpTLSStart: Setting defaults.");
1254     _cupsSetDefaults();
1255     DEBUG_printf(("4_httpTLSStart: tls_options=%x", tls_options));
1256   }
1257
1258   if (http->mode == _HTTP_MODE_SERVER && !tls_keypath)
1259   {
1260     DEBUG_puts("4_httpTLSStart: cupsSetServerCredentials not called.");
1261     http->error  = errno = EINVAL;
1262     http->status = HTTP_STATUS_ERROR;
1263     _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Server credentials not set."), 1);
1264
1265     return (-1);
1266   }
1267
1268   credentials = (gnutls_certificate_credentials_t *)
1269                     malloc(sizeof(gnutls_certificate_credentials_t));
1270   if (credentials == NULL)
1271   {
1272     DEBUG_printf(("8_httpStartTLS: Unable to allocate credentials: %s",
1273                   strerror(errno)));
1274     http->error  = errno;
1275     http->status = HTTP_STATUS_ERROR;
1276     _cupsSetHTTPError(HTTP_STATUS_ERROR);
1277
1278     return (-1);
1279   }
1280
1281   gnutls_certificate_allocate_credentials(credentials);
1282   status = gnutls_init(&http->tls, http->mode == _HTTP_MODE_CLIENT ? GNUTLS_CLIENT : GNUTLS_SERVER);
1283   if (!status)
1284     status = gnutls_set_default_priority(http->tls);
1285
1286   if (status)
1287   {
1288     http->error  = EIO;
1289     http->status = HTTP_STATUS_ERROR;
1290
1291     DEBUG_printf(("4_httpTLSStart: Unable to initialize common TLS parameters: %s", gnutls_strerror(status)));
1292     _cupsSetError(IPP_STATUS_ERROR_CUPS_PKI, gnutls_strerror(status), 0);
1293
1294     gnutls_deinit(http->tls);
1295     gnutls_certificate_free_credentials(*credentials);
1296     free(credentials);
1297     http->tls = NULL;
1298
1299     return (-1);
1300   }
1301
1302   if (http->mode == _HTTP_MODE_CLIENT)
1303   {
1304    /*
1305     * Client: get the hostname to use for TLS...
1306     */
1307
1308     if (httpAddrLocalhost(http->hostaddr))
1309     {
1310       strlcpy(hostname, "localhost", sizeof(hostname));
1311     }
1312     else
1313     {
1314      /*
1315       * Otherwise make sure the hostname we have does not end in a trailing dot.
1316       */
1317
1318       strlcpy(hostname, http->hostname, sizeof(hostname));
1319       if ((hostptr = hostname + strlen(hostname) - 1) >= hostname &&
1320           *hostptr == '.')
1321         *hostptr = '\0';
1322     }
1323
1324     status = gnutls_server_name_set(http->tls, GNUTLS_NAME_DNS, hostname, strlen(hostname));
1325   }
1326   else
1327   {
1328    /*
1329     * Server: get certificate and private key...
1330     */
1331
1332     char        crtfile[1024],          /* Certificate file */
1333                 keyfile[1024];          /* Private key file */
1334     int         have_creds = 0;         /* Have credentials? */
1335
1336     if (http->fields[HTTP_FIELD_HOST][0])
1337     {
1338      /*
1339       * Use hostname for TLS upgrade...
1340       */
1341
1342       strlcpy(hostname, http->fields[HTTP_FIELD_HOST], sizeof(hostname));
1343     }
1344     else
1345     {
1346      /*
1347       * Resolve hostname from connection address...
1348       */
1349
1350       http_addr_t       addr;           /* Connection address */
1351       socklen_t         addrlen;        /* Length of address */
1352
1353       addrlen = sizeof(addr);
1354       if (getsockname(http->fd, (struct sockaddr *)&addr, &addrlen))
1355       {
1356         DEBUG_printf(("4_httpTLSStart: Unable to get socket address: %s", strerror(errno)));
1357         hostname[0] = '\0';
1358       }
1359       else if (httpAddrLocalhost(&addr))
1360         hostname[0] = '\0';
1361       else
1362       {
1363         httpAddrLookup(&addr, hostname, sizeof(hostname));
1364         DEBUG_printf(("4_httpTLSStart: Resolved socket address to \"%s\".", hostname));
1365       }
1366     }
1367
1368     if (isdigit(hostname[0] & 255) || hostname[0] == '[')
1369       hostname[0] = '\0';               /* Don't allow numeric addresses */
1370
1371     if (hostname[0])
1372     {
1373      /*
1374       * First look in the CUPS keystore...
1375       */
1376
1377       http_gnutls_make_path(crtfile, sizeof(crtfile), tls_keypath, hostname, "crt");
1378       http_gnutls_make_path(keyfile, sizeof(keyfile), tls_keypath, hostname, "key");
1379
1380       if (access(crtfile, R_OK) || access(keyfile, R_OK))
1381       {
1382        /*
1383         * No CUPS-managed certs, look for CA certs...
1384         */
1385
1386         char cacrtfile[1024], cakeyfile[1024];  /* CA cert files */
1387
1388         snprintf(cacrtfile, sizeof(cacrtfile), "/etc/letsencrypt/live/%s/fullchain.pem", hostname);
1389         snprintf(cakeyfile, sizeof(cakeyfile), "/etc/letsencrypt/live/%s/privkey.pem", hostname);
1390
1391         if ((access(cacrtfile, R_OK) || access(cakeyfile, R_OK)) && (hostptr = strchr(hostname, '.')) != NULL)
1392         {
1393          /*
1394           * Try just domain name...
1395           */
1396
1397           hostptr ++;
1398           if (strchr(hostptr, '.'))
1399           {
1400             snprintf(cacrtfile, sizeof(cacrtfile), "/etc/letsencrypt/live/%s/fullchain.pem", hostptr);
1401             snprintf(cakeyfile, sizeof(cakeyfile), "/etc/letsencrypt/live/%s/privkey.pem", hostptr);
1402           }
1403         }
1404
1405         if (!access(cacrtfile, R_OK) && !access(cakeyfile, R_OK))
1406         {
1407          /*
1408           * Use the CA certs...
1409           */
1410
1411           strlcpy(crtfile, cacrtfile, sizeof(crtfile));
1412           strlcpy(keyfile, cakeyfile, sizeof(keyfile));
1413         }
1414       }
1415
1416       have_creds = !access(crtfile, R_OK) && !access(keyfile, R_OK);
1417     }
1418     else if (tls_common_name)
1419     {
1420      /*
1421       * First look in the CUPS keystore...
1422       */
1423
1424       http_gnutls_make_path(crtfile, sizeof(crtfile), tls_keypath, tls_common_name, "crt");
1425       http_gnutls_make_path(keyfile, sizeof(keyfile), tls_keypath, tls_common_name, "key");
1426
1427       if (access(crtfile, R_OK) || access(keyfile, R_OK))
1428       {
1429        /*
1430         * No CUPS-managed certs, look for CA certs...
1431         */
1432
1433         char cacrtfile[1024], cakeyfile[1024];  /* CA cert files */
1434
1435         snprintf(cacrtfile, sizeof(cacrtfile), "/etc/letsencrypt/live/%s/fullchain.pem", tls_common_name);
1436         snprintf(cakeyfile, sizeof(cakeyfile), "/etc/letsencrypt/live/%s/privkey.pem", tls_common_name);
1437
1438         if ((access(cacrtfile, R_OK) || access(cakeyfile, R_OK)) && (hostptr = strchr(tls_common_name, '.')) != NULL)
1439         {
1440          /*
1441           * Try just domain name...
1442           */
1443
1444           hostptr ++;
1445           if (strchr(hostptr, '.'))
1446           {
1447             snprintf(cacrtfile, sizeof(cacrtfile), "/etc/letsencrypt/live/%s/fullchain.pem", hostptr);
1448             snprintf(cakeyfile, sizeof(cakeyfile), "/etc/letsencrypt/live/%s/privkey.pem", hostptr);
1449           }
1450         }
1451
1452         if (!access(cacrtfile, R_OK) && !access(cakeyfile, R_OK))
1453         {
1454          /*
1455           * Use the CA certs...
1456           */
1457
1458           strlcpy(crtfile, cacrtfile, sizeof(crtfile));
1459           strlcpy(keyfile, cakeyfile, sizeof(keyfile));
1460         }
1461       }
1462
1463       have_creds = !access(crtfile, R_OK) && !access(keyfile, R_OK);
1464     }
1465
1466     if (!have_creds && tls_auto_create && (hostname[0] || tls_common_name))
1467     {
1468       DEBUG_printf(("4_httpTLSStart: Auto-create credentials for \"%s\".", hostname[0] ? hostname : tls_common_name));
1469
1470       if (!cupsMakeServerCredentials(tls_keypath, hostname[0] ? hostname : tls_common_name, 0, NULL, time(NULL) + 365 * 86400))
1471       {
1472         DEBUG_puts("4_httpTLSStart: cupsMakeServerCredentials failed.");
1473         http->error  = errno = EINVAL;
1474         http->status = HTTP_STATUS_ERROR;
1475         _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Unable to create server credentials."), 1);
1476
1477         return (-1);
1478       }
1479     }
1480
1481     DEBUG_printf(("4_httpTLSStart: Using certificate \"%s\" and private key \"%s\".", crtfile, keyfile));
1482
1483     if (!status)
1484       status = gnutls_certificate_set_x509_key_file(*credentials, crtfile, keyfile, GNUTLS_X509_FMT_PEM);
1485   }
1486
1487   if (!status)
1488     status = gnutls_credentials_set(http->tls, GNUTLS_CRD_CERTIFICATE, *credentials);
1489
1490   if (status)
1491   {
1492     http->error  = EIO;
1493     http->status = HTTP_STATUS_ERROR;
1494
1495     DEBUG_printf(("4_httpTLSStart: Unable to complete client/server setup: %s", gnutls_strerror(status)));
1496     _cupsSetError(IPP_STATUS_ERROR_CUPS_PKI, gnutls_strerror(status), 0);
1497
1498     gnutls_deinit(http->tls);
1499     gnutls_certificate_free_credentials(*credentials);
1500     free(credentials);
1501     http->tls = NULL;
1502
1503     return (-1);
1504   }
1505
1506   strlcpy(priority_string, "NORMAL", sizeof(priority_string));
1507
1508   if (tls_options & _HTTP_TLS_DENY_TLS10)
1509     strlcat(priority_string, ":+VERS-TLS-ALL:-VERS-TLS1.0:-VERS-SSL3.0", sizeof(priority_string));
1510   else if (tls_options & _HTTP_TLS_ALLOW_SSL3)
1511     strlcat(priority_string, ":+VERS-TLS-ALL", sizeof(priority_string));
1512   else
1513     strlcat(priority_string, ":+VERS-TLS-ALL:-VERS-SSL3.0", sizeof(priority_string));
1514
1515   if (!(tls_options & _HTTP_TLS_ALLOW_RC4))
1516     strlcat(priority_string, ":-ARCFOUR-128", sizeof(priority_string));
1517
1518   if (!(tls_options & _HTTP_TLS_ALLOW_DH))
1519     strlcat(priority_string, ":!ANON-DH", sizeof(priority_string));
1520
1521 #ifdef HAVE_GNUTLS_PRIORITY_SET_DIRECT
1522   gnutls_priority_set_direct(http->tls, priority_string, NULL);
1523
1524 #else
1525   gnutls_priority_t priority;           /* Priority */
1526
1527   gnutls_priority_init(&priority, priority_string, NULL);
1528   gnutls_priority_set(http->tls, priority);
1529   gnutls_priority_deinit(priority);
1530 #endif /* HAVE_GNUTLS_PRIORITY_SET_DIRECT */
1531
1532   gnutls_transport_set_ptr(http->tls, (gnutls_transport_ptr_t)http);
1533   gnutls_transport_set_pull_function(http->tls, http_gnutls_read);
1534 #ifdef HAVE_GNUTLS_TRANSPORT_SET_PULL_TIMEOUT_FUNCTION
1535   gnutls_transport_set_pull_timeout_function(http->tls, (gnutls_pull_timeout_func)httpWait);
1536 #endif /* HAVE_GNUTLS_TRANSPORT_SET_PULL_TIMEOUT_FUNCTION */
1537   gnutls_transport_set_push_function(http->tls, http_gnutls_write);
1538
1539   while ((status = gnutls_handshake(http->tls)) != GNUTLS_E_SUCCESS)
1540   {
1541     DEBUG_printf(("5_httpStartTLS: gnutls_handshake returned %d (%s)",
1542                   status, gnutls_strerror(status)));
1543
1544     if (gnutls_error_is_fatal(status))
1545     {
1546       http->error  = EIO;
1547       http->status = HTTP_STATUS_ERROR;
1548
1549       _cupsSetError(IPP_STATUS_ERROR_CUPS_PKI, gnutls_strerror(status), 0);
1550
1551       gnutls_deinit(http->tls);
1552       gnutls_certificate_free_credentials(*credentials);
1553       free(credentials);
1554       http->tls = NULL;
1555
1556       return (-1);
1557     }
1558   }
1559
1560   http->tls_credentials = credentials;
1561
1562   return (0);
1563 }
1564
1565
1566 /*
1567  * '_httpTLSStop()' - Shut down SSL/TLS on a connection.
1568  */
1569
1570 void
1571 _httpTLSStop(http_t *http)              /* I - Connection to server */
1572 {
1573   int   error;                          /* Error code */
1574
1575
1576   error = gnutls_bye(http->tls, http->mode == _HTTP_MODE_CLIENT ? GNUTLS_SHUT_RDWR : GNUTLS_SHUT_WR);
1577   if (error != GNUTLS_E_SUCCESS)
1578     _cupsSetError(IPP_STATUS_ERROR_INTERNAL, gnutls_strerror(errno), 0);
1579
1580   gnutls_deinit(http->tls);
1581   http->tls = NULL;
1582
1583   if (http->tls_credentials)
1584   {
1585     gnutls_certificate_free_credentials(*(http->tls_credentials));
1586     free(http->tls_credentials);
1587     http->tls_credentials = NULL;
1588   }
1589 }
1590
1591
1592 /*
1593  * '_httpTLSWrite()' - Write to a SSL/TLS connection.
1594  */
1595
1596 int                                     /* O - Bytes written */
1597 _httpTLSWrite(http_t     *http,         /* I - Connection to server */
1598               const char *buf,          /* I - Buffer holding data */
1599               int        len)           /* I - Length of buffer */
1600 {
1601   ssize_t       result;                 /* Return value */
1602
1603
1604   DEBUG_printf(("2http_write_ssl(http=%p, buf=%p, len=%d)", http, buf, len));
1605
1606   result = gnutls_record_send(http->tls, buf, (size_t)len);
1607
1608   if (result < 0 && !errno)
1609   {
1610    /*
1611     * Convert GNU TLS error to errno value...
1612     */
1613
1614     switch (result)
1615     {
1616       case GNUTLS_E_INTERRUPTED :
1617           errno = EINTR;
1618           break;
1619
1620       case GNUTLS_E_AGAIN :
1621           errno = EAGAIN;
1622           break;
1623
1624       default :
1625           errno = EPIPE;
1626           break;
1627     }
1628
1629     result = -1;
1630   }
1631
1632   DEBUG_printf(("3http_write_ssl: Returning %d.", (int)result));
1633
1634   return ((int)result);
1635 }