From 6d38db8acca4f73e6929f8c6df22b4315126d31a Mon Sep 17 00:00:00 2001
From: Zdenek Dohnal
Date: Wed, 8 Jan 2025 13:28:02 +0100
Subject: [PATCH] Add NoSystem SSLOptions value

Resolves: RHEL-68414
---
 0001-Add-NoSystem-SSLOptions-value.patch | 174 +++++++++++++++++++++++
 cups.spec | 39 ++++-
 2 files changed, 212 insertions(+), 1 deletion(-)
 create mode 100644 0001-Add-NoSystem-SSLOptions-value.patch

diff --git a/0001-Add-NoSystem-SSLOptions-value.patch b/0001-Add-NoSystem-SSLOptions-value.patch
new file mode 100644
index 0000000..d29a865
--- /dev/null
+++ b/0001-Add-NoSystem-SSLOptions-value.patch
@@ -0,0 +1,174 @@ +From 40e62848ab3aa94b98dfaf1334e1c478c266bc73 Mon Sep 17 00:00:00 2001 +From: Zdenek Dohnal +Date: Tue, 7 Jan 2025 15:12:15 +0100 +Subject: [PATCH] Add `NoSystem` SSLOptions value + +In case using system crypto policy breaks communication with device +irreversibly (f.e. if device does not support better key exchange +algorithm), the new option value gives a way how to opt-out from crypto +policy if user do not want to change default system crypto policy for +the whole machine. +--- + CHANGES.md | 1 + + cups/http-private.h | 3 ++- + cups/tls-gnutls.c | 7 ++++++- + cups/usersys.c | 2 ++ + doc/help/man-client.conf.html | 3 ++- + doc/help/man-cupsd.conf.html | 5 +++-- + man/client.conf.5 | 3 ++- + man/cupsd.conf.5 | 3 ++- + scheduler/conf.c | 2 ++ + 9 files changed, 22 insertions(+), 7 deletions(-) + +diff --git a/cups/http-private.h b/cups/http-private.h +index 5f77b8ef0..f248bbb8d 100644 +--- a/cups/http-private.h ++++ b/cups/http-private.h +@@ -131,7 +131,8 @@ extern "C" { + # define _HTTP_TLS_ALLOW_RC4 1 /* Allow RC4 cipher suites */ + # define _HTTP_TLS_ALLOW_DH 2 /* Allow DH/DHE key negotiation */ + # define _HTTP_TLS_DENY_CBC 4 /* Deny CBC cipher suites */ +-# define _HTTP_TLS_SET_DEFAULT 128 /* Setting the default TLS options */ ++# define _HTTP_TLS_NO_SYSTEM 8 /* No system crypto policy */ ++# define _HTTP_TLS_SET_DEFAULT 128 /* Setting the default TLS options */ + + # define _HTTP_TLS_SSL3 0 /* Min/max version is SSL/3.0 */ + # define _HTTP_TLS_1_0 1 /* Min/max version is TLS/1.0 */ +diff --git a/cups/tls-gnutls.c b/cups/tls-gnutls.c +index 719161da7..e8224b217 100644 +--- a/cups/tls-gnutls.c ++++ b/cups/tls-gnutls.c +@@ -1285,6 +1285,8 @@ _httpTLSStart(http_t *http) /* I - Connection to server */ + + DEBUG_printf(("3_httpTLSStart(http=%p)", http)); + ++ priority_string[0] = '\0'; ++ + if (tls_options < 0) + { + DEBUG_puts("4_httpTLSStart: Setting defaults."); +@@ -1504,7 +1506,10 @@ _httpTLSStart(http_t *http) /* I - Connection to server 
*/ + return (-1); + } + +- strlcpy(priority_string, "@SYSTEM,NORMAL", sizeof(priority_string)); ++ if (!(tls_options & _HTTP_TLS_NO_SYSTEM)) ++ strlcpy(priority_string, "@SYSTEM,", sizeof(priority_string)); ++ ++ strlcat(priority_string, "NORMAL", sizeof(priority_string)); + + if (tls_max_version < _HTTP_TLS_MAX) + { +diff --git a/cups/usersys.c b/cups/usersys.c +index f752159b0..607587307 100644 +--- a/cups/usersys.c ++++ b/cups/usersys.c +@@ -1608,6 +1608,8 @@ cups_set_ssl_options( + min_version = _HTTP_TLS_1_3; + else if (!_cups_strcasecmp(start, "None")) + options = _HTTP_TLS_NONE; ++ else if (!_cups_strcasecmp(start, "NoSystem")) ++ options |= _HTTP_TLS_NO_SYSTEM; + } + + cc->ssl_options = options; +diff --git a/doc/help/man-client.conf.html b/doc/help/man-client.conf.html +index 81cd73a1a..9194481bb 100644 +--- a/doc/help/man-client.conf.html ++++ b/doc/help/man-client.conf.html +@@ -44,7 +44,7 @@ CUPS adds the remote hostname ("name@server.example.com") for you. The default n + Note: This directive is not supported on macOS 10.7 or later. +
ServerName hostname-or-ip-address[:port]/version=1.1 +
Specifies the address and optionally the port to use when connecting to a server running CUPS 1.3.12 and earlier. +-
SSLOptions [AllowDH] [AllowRC4] [AllowSSL3] [DenyCBC] [DenyTLS1.0] [MaxTLS1.0] [MaxTLS1.1] [MaxTLS1.2] [MaxTLS1.3] [MinTLS1.0] [MinTLS1.1] [MinTLS1.2] [MinTLS1.3] ++
SSLOptions [AllowDH] [AllowRC4] [AllowSSL3] [DenyCBC] [DenyTLS1.0] [MaxTLS1.0] [MaxTLS1.1] [MaxTLS1.2] [MaxTLS1.3] [MinTLS1.0] [MinTLS1.1] [MinTLS1.2] [MinTLS1.3] [NoSystem] +
SSLOptions None +
Sets encryption options (only in /etc/cups/client.conf). + By default, CUPS only supports encryption using TLS v1.0 or higher using known secure cipher suites. +@@ -57,6 +57,7 @@ The DenyCBC option disables all CBC cipher suites. + The DenyTLS1.0 option disables TLS v1.0 support - this sets the minimum protocol version to TLS v1.1. + The MinTLS options set the minimum TLS version to support. + The MaxTLS options set the maximum TLS version to support. ++The NoSystem option disables applying system cryptographic policy. + Not all operating systems support TLS 1.3 at this time. +
TrustOnFirstUse Yes +
TrustOnFirstUse No +diff --git a/doc/help/man-cupsd.conf.html b/doc/help/man-cupsd.conf.html +index 4fd42f314..4a5395387 100644 +--- a/doc/help/man-cupsd.conf.html ++++ b/doc/help/man-cupsd.conf.html +@@ -285,7 +285,7 @@ The default is "Minimal". +
SSLListen [ipv6-address]:port +
SSLListen *:port +
Listens on the specified address and port for encrypted connections. +-
SSLOptions [AllowDH] [AllowRC4] [AllowSSL3] [DenyCBC] [DenyTLS1.0] [MaxTLS1.0] [MaxTLS1.1] [MaxTLS1.2] [MaxTLS1.3] [MinTLS1.0] [MinTLS1.1] [MinTLS1.2] [MinTLS1.3] ++
SSLOptions [AllowDH] [AllowRC4] [AllowSSL3] [DenyCBC] [DenyTLS1.0] [MaxTLS1.0] [MaxTLS1.1] [MaxTLS1.2] [MaxTLS1.3] [MinTLS1.0] [MinTLS1.1] [MinTLS1.2] [MinTLS1.3] [NoSystem] +
SSLOptions None +
Sets encryption options (only in /etc/cups/client.conf). + By default, CUPS only supports encryption using TLS v1.0 or higher using known secure cipher suites. +@@ -298,6 +298,7 @@ The DenyCBC option disables all CBC cipher suites. + The DenyTLS1.0 option disables TLS v1.0 support - this sets the minimum protocol version to TLS v1.1. + The MinTLS options set the minimum TLS version to support. + The MaxTLS options set the maximum TLS version to support. ++The NoSystem option disables applying system cryptographic policy. + Not all operating systems support TLS 1.3 at this time. +
SSLPort port +
Listens on the specified port for encrypted connections. +diff --git a/man/client.conf.5 b/man/client.conf.5 +index 54808c09f..56d6ec3ec 100644 +--- a/man/client.conf.5 ++++ b/man/client.conf.5 +@@ -67,7 +67,7 @@ Specifies the address and optionally the port to use when connecting to the serv + Specifies the address and optionally the port to use when connecting to a server running CUPS 1.3.12 and earlier. + .\"#SSLOptions + .TP 5 +-\fBSSLOptions \fR[\fIAllowDH\fR] [\fIAllowRC4\fR] [\fIAllowSSL3\fR] [\fIDenyCBC\fR] [\fIDenyTLS1.0\fR] [\fIMaxTLS1.0\fR] [\fIMaxTLS1.1\fR] [\fIMaxTLS1.2\fR] [\fIMaxTLS1.3\fR] [\fIMinTLS1.0\fR] [\fIMinTLS1.1\fR] [\fIMinTLS1.2\fR] [\fIMinTLS1.3\fR] ++\fBSSLOptions \fR[\fIAllowDH\fR] [\fIAllowRC4\fR] [\fIAllowSSL3\fR] [\fIDenyCBC\fR] [\fIDenyTLS1.0\fR] [\fIMaxTLS1.0\fR] [\fIMaxTLS1.1\fR] [\fIMaxTLS1.2\fR] [\fIMaxTLS1.3\fR] [\fIMinTLS1.0\fR] [\fIMinTLS1.1\fR] [\fIMinTLS1.2\fR] [\fIMinTLS1.3\fR] [\fINoSystem\fR] + .TP 5 + \fBSSLOptions None\fR + Sets encryption options (only in /etc/cups/client.conf). +@@ -81,6 +81,7 @@ The \fIDenyCBC\fR option disables all CBC cipher suites. + The \fIDenyTLS1.0\fR option disables TLS v1.0 support - this sets the minimum protocol version to TLS v1.1. + The \fIMinTLS\fR options set the minimum TLS version to support. + The \fIMaxTLS\fR options set the maximum TLS version to support. ++The \fINoSystem\fR option disables applying system cryptographic policy. + Not all operating systems support TLS 1.3 at this time. + .\"#TrustOnFirstUse + .TP 5 +diff --git a/man/cupsd.conf.5 b/man/cupsd.conf.5 +index fd5762dfd..4e1a7ca81 100644 +--- a/man/cupsd.conf.5 ++++ b/man/cupsd.conf.5 +@@ -447,7 +447,7 @@ Listens on the specified address and port for encrypted connections. 
+ .\"#SSLOptions + .TP 5 + .TP 5 +-\fBSSLOptions \fR[\fIAllowDH\fR] [\fIAllowRC4\fR] [\fIAllowSSL3\fR] [\fIDenyCBC\fR] [\fIDenyTLS1.0\fR] [\fIMaxTLS1.0\fR] [\fIMaxTLS1.1\fR] [\fIMaxTLS1.2\fR] [\fIMaxTLS1.3\fR] [\fIMinTLS1.0\fR] [\fIMinTLS1.1\fR] [\fIMinTLS1.2\fR] [\fIMinTLS1.3\fR] ++\fBSSLOptions \fR[\fIAllowDH\fR] [\fIAllowRC4\fR] [\fIAllowSSL3\fR] [\fIDenyCBC\fR] [\fIDenyTLS1.0\fR] [\fIMaxTLS1.0\fR] [\fIMaxTLS1.1\fR] [\fIMaxTLS1.2\fR] [\fIMaxTLS1.3\fR] [\fIMinTLS1.0\fR] [\fIMinTLS1.1\fR] [\fIMinTLS1.2\fR] [\fIMinTLS1.3\fR] [\fINoSystem\fR] + .TP 5 + \fBSSLOptions None\fR + Sets encryption options (only in /etc/cups/client.conf). +@@ -461,6 +461,7 @@ The \fIDenyCBC\fR option disables all CBC cipher suites. + The \fIDenyTLS1.0\fR option disables TLS v1.0 support - this sets the minimum protocol version to TLS v1.1. + The \fIMinTLS\fR options set the minimum TLS version to support. + The \fIMaxTLS\fR options set the maximum TLS version to support. ++The \fINoSystem\fR option disables applying system cryptographic policy. + Not all operating systems support TLS 1.3 at this time. + .\"#SSLPort + .TP 5 +diff --git a/scheduler/conf.c b/scheduler/conf.c +index 3184d72f0..3bf176479 100644 +--- a/scheduler/conf.c ++++ b/scheduler/conf.c +@@ -3054,6 +3054,8 @@ read_cupsd_conf(cups_file_t *fp) /* I - File to read from */ + min_version = _HTTP_TLS_1_3; + else if (!_cups_strcasecmp(start, "None")) + options = _HTTP_TLS_NONE; ++ else if (!_cups_strcasecmp(start, "NoSystem")) ++ options |= _HTTP_TLS_NO_SYSTEM; + else if (_cups_strcasecmp(start, "NoEmptyFragments")) + cupsdLogMessage(CUPSD_LOG_WARN, "Unknown SSL option %s at line %d.", start, linenum); + } +-- +2.47.1 + diff --git a/cups.spec b/cups.spec index 12ed71a..a2b08f0 100644 --- a/cups.spec +++ b/cups.spec 
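Review bot: In the tls-gnutls.c hunk the `strlcat(priority_string, "NORMAL", sizeof(priority_string));` only produces the right string because `priority_string[0] = '\0';` is set roughly two hundred lines earlier at the top of _httpTLSStart, so any future write to priority_string in between silently changes the priority handed to GnuTLS; a single `strlcpy(priority_string, (tls_options & _HTTP_TLS_NO_SYSTEM) ? "NORMAL" : "@SYSTEM,NORMAL", sizeof(priority_string));` at the replaced line removes both that distance and the extra initialisation. _httpTLSStart starts and ends outside the hunk. The man-page sentence `The NoSystem option disables applying system cryptographic policy.` should say what takes the policy's place, since the code shows the connection then uses the library's built-in priority: e.g. `The NoSystem option disables applying the system cryptographic policy; the GnuTLS NORMAL priority (still limited by the Min/Max TLS options) is used instead, so system-wide restrictions on algorithms no longer apply to CUPS.` Both usersys.c and scheduler/conf.c add the keyword as an OR after the `None` branch, which overwrites options, so `SSLOptions NoSystem None` ends without the NoSystem bit while `None NoSystem` keeps it; this mirrors how the existing flags behave but deserves a sentence in the documentation because the option is a deliberate security downgrade.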
@@ -24,7 +24,7 @@ Summary: CUPS printing system
 Name: cups
 Epoch: 1
 Version: 2.3.3%{OP_VER}
-Release: 32%{?dist}
+Release: 33%{?dist}
 License: ASL 2.0
 Url: http://www.cups.org/
 # Apple stopped uploading the new versions into github, use OpenPrinting fork
@@ -157,7 +157,10 @@ Patch47: 0001-ppdize-preset-and-template-names.patch
 Patch48: 0001-quote-ppd-localized-strings.patch
 Patch49: 0001-fix-warnings-for-unused-vars.patch
 # RHEL-68414 Inability to disable weak ciphers in CUPS configuration
+# patches: 0001-tls-gnutls.c-Use-system-crypto-policy-if-available.patch
+# 0001-Add-NoSystem-SSLOptions-value.patch
 Patch50: 0001-tls-gnutls.c-Use-system-crypto-policy-if-available.patch
+Patch51: 0001-Add-NoSystem-SSLOptions-value.patch
 ##### Patches removed because IMHO they aren't no longer needed
@@ -444,6 +447,7 @@ to CUPS daemon. This solution will substitute printer drivers and raw queues in
 %patch49 -p1 -b .fix-warn
 # RHEL-68414 Inability to disable weak ciphers in CUPS configuration
 %patch50 -p1 -b .tls-system
+%patch51 -p1 -b .ssl-nosystem
 %if %{lspp}
@@ -666,6 +670,36 @@ done
 %{_sbindir}/upgrade_get_document
+# to prevent possible breakage due starting following system crypto policy
+# within minor releases
+# SSLOptions in cupsd.conf influences what SSL cupsd daemon will offer to clients,
+# SSLOptions in client.conf influences what SSL clients using libcups will use to
+# connect with destionation (destination can be other cupsd or printer)
+for conf in %{_sysconfdir}/cups/cupsd.conf %{_sysconfdir}/cups/client.conf
+do
+ # do not update anything if we already put changes into the file
+ if ! grep -q "# RHEL-68414 Fix" ${conf}
+ then
+ # backup the file if there is no rpmsave already
+ if ! test -f ${conf}.rpmsave
+ then
+ cp ${conf}{,.rpmsave}
+ fi
+
+ # two situations can happen:
+ # - no SSLOptions in the file - just put the new lines into file
+ # - SSLOptions already exists in the file - we append NoSystem to the
+ # directive
+ if ! grep -q "^\s*SSLOptions" ${conf}
+ then
+ echo -e "# RHEL-68414 Fix\nSSLOptions NoSystem\n" >> ${conf}
+ else
+ # captures the group into \1, which can be later used
+ sed -i 's,^\s*SSLOptions \(.*\)$,# RHEL-68414 Fix\nSSLOptions \1 NoSystem,' ${conf}
+ fi
+ fi
+done
+
 exit 0
 %post client
@@ -879,6 +913,9 @@ rm -f %{cups_serverbin}/backend/smb
 %{_mandir}/man7/ippeveps.7.gz
 %changelog
+* Wed Jan 08 2025 Zdenek Dohnal - 1:2.3.3op2-33
+- Add NoSystem SSLOptions value
+
 * Mon Dec 09 2024 Zdenek Dohnal - 1:2.3.3op2-32
 - RHEL-68414 Inability to disable weak ciphers in CUPS configuration
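Review bot: The new scriptlet in the first hunk runs on fresh installs as well as upgrades because it never inspects `$1`, so every new installation also gets `SSLOptions NoSystem` written into cupsd.conf and client.conf and is opted out of the system crypto policy that Patch50 introduced; if the intent stated in the comment is only to keep existing deployments working across the minor release, wrap the loop in `if [ "$1" -gt 1 ]; then … fi`. The marker it leaves in the administrator's file, `# RHEL-68414 Fix`, says nothing about what was changed or how to undo it; keeping that prefix for the grep guard, a comment such as `# RHEL-68414 Fix: NoSystem makes CUPS ignore the system-wide crypto policy; remove it to follow the policy again` lets an administrator re-enable the policy deliberately. The sed expression matches `SSLOptions ` followed by exactly one space while the preceding grep accepts `^\s*SSLOptions`, so a tab-separated directive is detected but never rewritten and the block repeats on every upgrade without ever adding the marker; `\s\+` in place of the literal space in the sed pattern closes that gap. The comment also misspells `destionation`. The scriptlet header (presumably %post) is outside the hunk.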