From b0d51ff6a2c46cd829ecee2615935a976f639c8e Mon Sep 17 00:00:00 2001
From: Zdenek Dohnal
Date: Tue, 7 Jan 2025 18:32:03 +0100
Subject: [PATCH] provide a way how to opt-out from system crypto policy if needed

Resolves: RHEL-68415
---
 0001-Add-NoSystem-SSLOptions-value.patch | 183 +++++++++++++++++++++++
 cups.spec | 12 +-
 2 files changed, 193 insertions(+), 2 deletions(-)
 create mode 100644 0001-Add-NoSystem-SSLOptions-value.patch

diff --git a/0001-Add-NoSystem-SSLOptions-value.patch b/0001-Add-NoSystem-SSLOptions-value.patch
new file mode 100644
index 0000000..879ce15
--- /dev/null
+++ b/0001-Add-NoSystem-SSLOptions-value.patch
@@ -0,0 +1,183 @@ +From 40e62848ab3aa94b98dfaf1334e1c478c266bc73 Mon Sep 17 00:00:00 2001 +From: Zdenek Dohnal +Date: Tue, 7 Jan 2025 15:12:15 +0100 +Subject: [PATCH] Add `NoSystem` SSLOptions value + +In case using system crypto policy breaks communication with device +irreversibly (f.e. if device does not support better key exchange +algorithm), the new option value gives a way how to opt-out from crypto +policy if user do not want to change default system crypto policy for +the whole machine. +--- + CHANGES.md | 1 + + cups/http-private.h | 3 ++- + cups/tls-gnutls.c | 7 ++++++- + cups/usersys.c | 2 ++ + doc/help/man-client.conf.html | 3 ++- + doc/help/man-cupsd.conf.html | 5 +++-- + man/client.conf.5 | 3 ++- + man/cupsd.conf.5 | 3 ++- + scheduler/conf.c | 2 ++ + 9 files changed, 22 insertions(+), 7 deletions(-) + +diff --git a/cups/http-private.h b/cups/http-private.h +index 5f77b8ef0..f248bbb8d 100644 +--- a/cups/http-private.h ++++ b/cups/http-private.h +@@ -131,7 +131,8 @@ extern "C" { + # define _HTTP_TLS_ALLOW_RC4 1 /* Allow RC4 cipher suites */ + # define _HTTP_TLS_ALLOW_DH 2 /* Allow DH/DHE key negotiation */ + # define _HTTP_TLS_DENY_CBC 4 /* Deny CBC cipher suites */ +-# define _HTTP_TLS_SET_DEFAULT 128 /* Setting the default TLS options */ ++# define _HTTP_TLS_NO_SYSTEM 8 /* No system crypto policy */ ++# define _HTTP_TLS_SET_DEFAULT 128 /* Setting the default TLS options */ + + # define _HTTP_TLS_SSL3 0 /* Min/max version is SSL/3.0 */ + # define _HTTP_TLS_1_0 1 /* Min/max version is TLS/1.0 */ +diff --git a/cups/tls-gnutls.c b/cups/tls-gnutls.c +index 719161da7..e8224b217 100644 +--- a/cups/tls-gnutls.c ++++ b/cups/tls-gnutls.c +@@ -1285,6 +1285,8 @@ _httpTLSStart(http_t *http) /* I - Connection to server */ + + DEBUG_printf(("3_httpTLSStart(http=%p)", http)); + ++ priority_string[0] = '\0'; ++ + if (tls_options < 0) + { + DEBUG_puts("4_httpTLSStart: Setting defaults."); +@@ -1504,7 +1506,10 @@ _httpTLSStart(http_t *http) /* I - Connection to server 
*/ + return (-1); + } + +- strlcpy(priority_string, "@SYSTEM,NORMAL", sizeof(priority_string)); ++ if (!(tls_options & _HTTP_TLS_NO_SYSTEM)) ++ strlcpy(priority_string, "@SYSTEM,", sizeof(priority_string)); ++ ++ strlcat(priority_string, "NORMAL", sizeof(priority_string)); + + if (tls_max_version < _HTTP_TLS_MAX) + { +diff --git a/cups/usersys.c b/cups/usersys.c +index f752159b0..607587307 100644 +--- a/cups/usersys.c ++++ b/cups/usersys.c +@@ -1608,6 +1608,8 @@ cups_set_ssl_options( + min_version = _HTTP_TLS_1_3; + else if (!_cups_strcasecmp(start, "None")) + options = _HTTP_TLS_NONE; ++ else if (!_cups_strcasecmp(start, "NoSystem")) ++ options |= _HTTP_TLS_NO_SYSTEM; + } + + cc->ssl_options = options; +diff --git a/doc/help/man-client.conf.html b/doc/help/man-client.conf.html +index 81cd73a1a..9194481bb 100644 +--- a/doc/help/man-client.conf.html ++++ b/doc/help/man-client.conf.html +@@ -44,7 +44,7 @@ CUPS adds the remote hostname ("name@server.example.com") for you. The default n + Note: This directive is not supported on macOS 10.7 or later. +
ServerName hostname-or-ip-address[:port]/version=1.1 +
Specifies the address and optionally the port to use when connecting to a server running CUPS 1.3.12 and earlier. +-
SSLOptions [AllowDH] [AllowRC4] [AllowSSL3] [DenyCBC] [DenyTLS1.0] [MaxTLS1.0] [MaxTLS1.1] [MaxTLS1.2] [MaxTLS1.3] [MinTLS1.0] [MinTLS1.1] [MinTLS1.2] [MinTLS1.3] ++
SSLOptions [AllowDH] [AllowRC4] [AllowSSL3] [DenyCBC] [DenyTLS1.0] [MaxTLS1.0] [MaxTLS1.1] [MaxTLS1.2] [MaxTLS1.3] [MinTLS1.0] [MinTLS1.1] [MinTLS1.2] [MinTLS1.3] [NoSystem] +
SSLOptions None +
Sets encryption options (only in /etc/cups/client.conf). + By default, CUPS only supports encryption using TLS v1.0 or higher using known secure cipher suites. +@@ -57,6 +57,7 @@ The DenyCBC option disables all CBC cipher suites. + The DenyTLS1.0 option disables TLS v1.0 support - this sets the minimum protocol version to TLS v1.1. + The MinTLS options set the minimum TLS version to support. + The MaxTLS options set the maximum TLS version to support. ++The NoSystem option disables applying system cryptographic policy. + Not all operating systems support TLS 1.3 at this time. +
TrustOnFirstUse Yes +
TrustOnFirstUse No +diff --git a/doc/help/man-cupsd.conf.html b/doc/help/man-cupsd.conf.html +index 4fd42f314..4a5395387 100644 +--- a/doc/help/man-cupsd.conf.html ++++ b/doc/help/man-cupsd.conf.html +@@ -285,7 +285,7 @@ The default is "Minimal". +
SSLListen [ipv6-address]:port +
SSLListen *:port +
Listens on the specified address and port for encrypted connections. +-
SSLOptions [AllowDH] [AllowRC4] [AllowSSL3] [DenyCBC] [DenyTLS1.0] [MaxTLS1.0] [MaxTLS1.1] [MaxTLS1.2] [MaxTLS1.3] [MinTLS1.0] [MinTLS1.1] [MinTLS1.2] [MinTLS1.3] ++
SSLOptions [AllowDH] [AllowRC4] [AllowSSL3] [DenyCBC] [DenyTLS1.0] [MaxTLS1.0] [MaxTLS1.1] [MaxTLS1.2] [MaxTLS1.3] [MinTLS1.0] [MinTLS1.1] [MinTLS1.2] [MinTLS1.3] [NoSystem] +
SSLOptions None +
Sets encryption options (only in /etc/cups/client.conf). + By default, CUPS only supports encryption using TLS v1.0 or higher using known secure cipher suites. +@@ -298,6 +298,7 @@ The DenyCBC option disables all CBC cipher suites. + The DenyTLS1.0 option disables TLS v1.0 support - this sets the minimum protocol version to TLS v1.1. + The MinTLS options set the minimum TLS version to support. + The MaxTLS options set the maximum TLS version to support. ++The NoSystem option disables applying system cryptographic policy. + Not all operating systems support TLS 1.3 at this time. +
SSLPort port +
Listens on the specified port for encrypted connections. +@@ -632,7 +633,7 @@ Require authentication for accesses from outside the 10. network: + subscriptions.conf(5), + CUPS Online Help (http://localhost:631/help) +

Copyright

+-Copyright © 2020-2023 by OpenPrinting. ++Copyright © 2020-2024 by OpenPrinting. + + + +diff --git a/man/client.conf.5 b/man/client.conf.5 +index 54808c09f..56d6ec3ec 100644 +--- a/man/client.conf.5 ++++ b/man/client.conf.5 +@@ -67,7 +67,7 @@ Specifies the address and optionally the port to use when connecting to the serv + Specifies the address and optionally the port to use when connecting to a server running CUPS 1.3.12 and earlier. + .\"#SSLOptions + .TP 5 +-\fBSSLOptions \fR[\fIAllowDH\fR] [\fIAllowRC4\fR] [\fIAllowSSL3\fR] [\fIDenyCBC\fR] [\fIDenyTLS1.0\fR] [\fIMaxTLS1.0\fR] [\fIMaxTLS1.1\fR] [\fIMaxTLS1.2\fR] [\fIMaxTLS1.3\fR] [\fIMinTLS1.0\fR] [\fIMinTLS1.1\fR] [\fIMinTLS1.2\fR] [\fIMinTLS1.3\fR] ++\fBSSLOptions \fR[\fIAllowDH\fR] [\fIAllowRC4\fR] [\fIAllowSSL3\fR] [\fIDenyCBC\fR] [\fIDenyTLS1.0\fR] [\fIMaxTLS1.0\fR] [\fIMaxTLS1.1\fR] [\fIMaxTLS1.2\fR] [\fIMaxTLS1.3\fR] [\fIMinTLS1.0\fR] [\fIMinTLS1.1\fR] [\fIMinTLS1.2\fR] [\fIMinTLS1.3\fR] [\fINoSystem\fR] + .TP 5 + \fBSSLOptions None\fR + Sets encryption options (only in /etc/cups/client.conf). +@@ -81,6 +81,7 @@ The \fIDenyCBC\fR option disables all CBC cipher suites. + The \fIDenyTLS1.0\fR option disables TLS v1.0 support - this sets the minimum protocol version to TLS v1.1. + The \fIMinTLS\fR options set the minimum TLS version to support. + The \fIMaxTLS\fR options set the maximum TLS version to support. ++The \fINoSystem\fR option disables applying system cryptographic policy. + Not all operating systems support TLS 1.3 at this time. + .\"#TrustOnFirstUse + .TP 5 +diff --git a/man/cupsd.conf.5 b/man/cupsd.conf.5 +index fd5762dfd..4e1a7ca81 100644 +--- a/man/cupsd.conf.5 ++++ b/man/cupsd.conf.5 +@@ -447,7 +447,7 @@ Listens on the specified address and port for encrypted connections. 
+ .\"#SSLOptions + .TP 5 + .TP 5 +-\fBSSLOptions \fR[\fIAllowDH\fR] [\fIAllowRC4\fR] [\fIAllowSSL3\fR] [\fIDenyCBC\fR] [\fIDenyTLS1.0\fR] [\fIMaxTLS1.0\fR] [\fIMaxTLS1.1\fR] [\fIMaxTLS1.2\fR] [\fIMaxTLS1.3\fR] [\fIMinTLS1.0\fR] [\fIMinTLS1.1\fR] [\fIMinTLS1.2\fR] [\fIMinTLS1.3\fR] ++\fBSSLOptions \fR[\fIAllowDH\fR] [\fIAllowRC4\fR] [\fIAllowSSL3\fR] [\fIDenyCBC\fR] [\fIDenyTLS1.0\fR] [\fIMaxTLS1.0\fR] [\fIMaxTLS1.1\fR] [\fIMaxTLS1.2\fR] [\fIMaxTLS1.3\fR] [\fIMinTLS1.0\fR] [\fIMinTLS1.1\fR] [\fIMinTLS1.2\fR] [\fIMinTLS1.3\fR] [\fINoSystem\fR] + .TP 5 + \fBSSLOptions None\fR + Sets encryption options (only in /etc/cups/client.conf). +@@ -461,6 +461,7 @@ The \fIDenyCBC\fR option disables all CBC cipher suites. + The \fIDenyTLS1.0\fR option disables TLS v1.0 support - this sets the minimum protocol version to TLS v1.1. + The \fIMinTLS\fR options set the minimum TLS version to support. + The \fIMaxTLS\fR options set the maximum TLS version to support. ++The \fINoSystem\fR option disables applying system cryptographic policy. + Not all operating systems support TLS 1.3 at this time. + .\"#SSLPort + .TP 5 +diff --git a/scheduler/conf.c b/scheduler/conf.c +index 3184d72f0..3bf176479 100644 +--- a/scheduler/conf.c ++++ b/scheduler/conf.c +@@ -3054,6 +3054,8 @@ read_cupsd_conf(cups_file_t *fp) /* I - File to read from */ + min_version = _HTTP_TLS_1_3; + else if (!_cups_strcasecmp(start, "None")) + options = _HTTP_TLS_NONE; ++ else if (!_cups_strcasecmp(start, "NoSystem")) ++ options |= _HTTP_TLS_NO_SYSTEM; + else if (_cups_strcasecmp(start, "NoEmptyFragments")) + cupsdLogMessage(CUPSD_LOG_WARN, "Unknown SSL option %s at line %d.", start, linenum); + } +-- +2.47.1 + diff --git a/cups.spec b/cups.spec index f894f43..c60a493 100644 --- a/cups.spec +++ b/cups.spec 
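Review bot: The new `_HTTP_TLS_NO_SYSTEM` branch in `_httpTLSStart` (cups/tls-gnutls.c, the `@@ -1504,7 +1506,10 @@` hunk of the embedded patch) drops the `@SYSTEM,` prefix silently, while the surrounding function narrates its other choices through `DEBUG_puts`/`DEBUG_printf` as the first tls-gnutls.c hunk shows, so an operator debugging a TLS handshake cannot tell from the debug log whether the system crypto policy was bypassed. Consider pairing the new `if` with `else` / `DEBUG_puts("4_httpTLSStart: SSLOptions NoSystem set, not applying @SYSTEM crypto policy.");` so the opt-out is visible where every other priority decision already is. The sentence added to the four manual pages ("The NoSystem option disables applying system cryptographic policy.") would serve administrators better if it also said what applies instead — per the same hunk, the library's built-in `NORMAL` priority, still narrowed by the other SSLOptions values — so the option reads as a per-host exception for a device that cannot negotiate under the policy rather than as a switch that turns encryption controls off. `_httpTLSStart` begins and ends outside the hunk, and the same `NoSystem` parsing is duplicated in cups/usersys.c and scheduler/conf.c.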
@@ -22,7 +22,7 @@ Summary: CUPS printing system Name: cups Epoch: 1 Version: 2.4.10 -Release: 10%{?dist} +Release: 11%{?dist} # backend/failover.c - BSD-3-Clause # cups/md5* - Zlib # scheduler/colorman.c - Apache-2.0 WITH LLVM-exception AND BSD-2-Clause @@ -100,8 +100,11 @@ Patch1009: 0001-fix-warnings-for-unused-vars.patch Patch1010: 0001-Fix-make-and-model-whitespace-trimming-Issue-1096.patch # RHEL-69638 IPP Everywhere permanent queue is not removed if PPD generation fails Patch1011: 0001-scheduler-Clean-up-failed-IPP-Everywhere-permanent-q.patch -# RHEL-68415 Inability to disable weak ciphers in CUPS configuration +# RHEL-68415 Inability to disable weak ciphers in CUPS configuration: +# 0001-tls-gnutls.c-Use-system-crypto-policy-if-available.patch +# 0001-Add-NoSystem-SSLOptions-value.patch Patch1012: 0001-tls-gnutls.c-Use-system-crypto-policy-if-available.patch +Patch1013: 0001-Add-NoSystem-SSLOptions-value.patch ##### Patches removed because IMHO they aren't no longer needed @@ -357,6 +360,8 @@ to CUPS daemon. This solution will substitute printer drivers and raw queues in %patch -P 1011 -p1 -b .clean-failed-eve # RHEL-68415 Inability to disable weak ciphers in CUPS configuration %patch -P 1012 -p1 -b .tls-system-policy +# give a way how to opt-out from crypto policy +%patch -P 1013 -p1 -b .nosystem-ssloption # Log to the system journal by default (bug #1078781, bug #1519331). @@ -826,6 +831,9 @@ rm -f %{cups_serverbin}/backend/smb %{_mandir}/man7/ippeveps.7.gz %changelog +* Tue Jan 07 2025 Zdenek Dohnal - 1:2.4.10-11 +- provide a way how to opt-out from system crypto policy if needed + * Fri Dec 06 2024 Zdenek Dohnal - 1:2.4.10-10 - RHEL-68415 Inability to disable weak ciphers in CUPS configuration