Add support for DigestOptions directive in client.conf (Issue #5647)

.gitignore

@@ -80,14 +80,6 @@ filter/rastertopwg
 locale/checkpo
 locale/po2strings
 locale/strings2po
-man/client.conf.man
-man/cups-files.conf.man
-man/cups-lpd.man
-man/cups-snmp.man
-man/cupsaddsmb.man
-man/cupsd.conf.man
-man/cupsd.man
-man/lpoptions.man
 man/mantohtml
 monitor/bcp
 monitor/tbcp

CHANGES.md

@@ -9,14 +9,16 @@ Changes in CUPS v2.3.1
 - Fixed a crash bug in the web interface (Issue #5621)
 - PPD files containing "custom" option keywords did not work (Issue #5639)
 - Added a workaround for the scheduler's systemd support (Issue #5640)
-- Fixed spelling of "fold-accordion".
-- Fixed the default common name for TLS certificates used by `ippeveprinter`.
+- Added a DigestOptions directive for the `client.conf` file to control whether
+  MD5-based Digest authentication is allowed (Issue #5647)
 - Fixed a bug in the handling of printer resource files (Issue #5652)
 - The libusb-based USB backend now reports an error when the distribution
   permissions are wrong (Issue #5658)
 - Added paint can labels to Dymo driver (Issue #5662)
 - The IPP backend did not detect all cases where a job should be retried using
   a raster format (rdar://56021091)
+- Fixed spelling of "fold-accordion".
+- Fixed the default common name for TLS certificates used by `ippeveprinter`.
 
 
 Changes in CUPS v2.3.0

cups/auth.c

@@ -289,7 +289,7 @@ cupsDoAuthentication(
 
       if (_httpSetDigestAuthString(http, nonce, method, resource))
       {
-	DEBUG_puts("2cupsDoAuthentication: Using Basic.");
+	DEBUG_puts("2cupsDoAuthentication: Using Digest.");
         break;
       }
     }

cups/cups-private.h

@@ -57,6 +57,12 @@ typedef struct _cups_raster_error_s	/**** Error buffer structure ****/
 	*end;				/* End of buffer */
 } _cups_raster_error_t;
 
+typedef enum _cups_digestoptions_e	/**** Digest Options values */
+{
+  _CUPS_DIGESTOPTIONS_NONE,		/* No Digest authentication options */
+  _CUPS_DIGESTOPTIONS_DENYMD5		/* Do not use MD5 hashes for digest */
+} _cups_digestoptions_t;
+
 typedef enum _cups_uatokens_e		/**** UserAgentTokens values */
 {
   _CUPS_UATOKENS_NONE,			/* Do not send User-Agent */
@@ -157,6 +163,7 @@ typedef struct _cups_globals_s		/**** CUPS global state data ****/
   char			tempfile[1024];	/* cupsTempFd/File buffer */
 
   /* usersys.c */
+  _cups_digestoptions_t	digestoptions;	/* DigestOptions setting */
   _cups_uatokens_t	uatokens;	/* UserAgentTokens setting */
   http_encryption_t	encryption;	/* Encryption setting */
   char			user[65],	/* User name */

cups/http-support.c

@@ -1,7 +1,7 @@
 /*
  * HTTP support routines for CUPS.
  *
- * Copyright 2007-2018 by Apple Inc.
+ * Copyright 2007-2019 by Apple Inc.
  * Copyright 1997-2007 by Easy Software Products, all rights reserved.
  *
  * Licensed under Apache License v2.0.  See the file "LICENSE" for more
@@ -1321,6 +1321,7 @@ _httpSetDigestAuthString(
 		digest[1024];		/* Digest auth data */
   unsigned char	hash[32];		/* Hash buffer */
   size_t	hashsize;		/* Size of hash */
+  _cups_globals_t *cg = _cupsGlobals();	/* Per-thread globals */
 
 
   DEBUG_printf(("2_httpSetDigestAuthString(http=%p, nonce=\"%s\", method=\"%s\", resource=\"%s\")", (void *)http, nonce, method, resource));
@@ -1363,6 +1364,12 @@ _httpSetDigestAuthString(
       * RFC 2617 Digest with MD5
       */
 
+      if (cg->digestoptions == _CUPS_DIGESTOPTIONS_DENYMD5)
+      {
+	DEBUG_puts("3_httpSetDigestAuthString: MD5 Digest is disabled.");
+	return (0);
+      }
+
       hashalg = "md5";
     }
     else if (!_cups_strcasecmp(http->algorithm, "SHA-256"))

cups/usersys.c

@@ -40,6 +40,8 @@
 #    define kCUPSPrintingPrefs	CFSTR(".GlobalPreferences")
 #    define kPREFIX		"AirPrint"
 #  endif /* TARGET_OS_OSX */
+#  define kDigestOptionsKey	CFSTR(kPREFIX "DigestOptions")
+#  define kUserKey		CFSTR(kPREFIX "User")
 #  define kUserAgentTokensKey	CFSTR(kPREFIX "UserAgentTokens")
 #  define kAllowAnyRootKey	CFSTR(kPREFIX "AllowAnyRoot")
 #  define kAllowExpiredCertsKey	CFSTR(kPREFIX "AllowExpiredCerts")
@@ -63,6 +65,7 @@
 
 typedef struct _cups_client_conf_s	/**** client.conf config data ****/
 {
+  _cups_digestoptions_t	digestoptions;	/* DigestOptions values */
   _cups_uatokens_t	uatokens;	/* UserAgentTokens values */
 #ifdef HAVE_SSL
   int			ssl_options,	/* SSLOptions values */
@@ -97,6 +100,7 @@ static void	cups_finalize_client_conf(_cups_client_conf_t *cc);
 static void	cups_init_client_conf(_cups_client_conf_t *cc);
 static void	cups_read_client_conf(cups_file_t *fp, _cups_client_conf_t *cc);
 static void	cups_set_default_ipp_port(_cups_globals_t *cg);
+static void	cups_set_digestoptions(_cups_client_conf_t *cc, const char *value);
 static void	cups_set_encryption(_cups_client_conf_t *cc, const char *value);
 #ifdef HAVE_GSSAPI
 static void	cups_set_gss_service_name(_cups_client_conf_t *cc, const char *value);
@@ -1324,10 +1328,14 @@ cups_init_client_conf(
     cc->validate_certs = bval;
 #  endif /* HAVE_SSL */
 
+  if (cups_apple_get_string(kDigestOptionsKey, sval, sizeof(sval)))
+    cups_set_digestoptions(cc, sval);
+
+  if (cups_apple_get_string(kUserKey, sval, sizeof(sval)))
+    strlcpy(cc->user, sval, sizeof(cc->user));
+
   if (cups_apple_get_string(kUserAgentTokensKey, sval, sizeof(sval)))
-  {
     cups_set_uatokens(cc, sval);
-  }
 #endif /* __APPLE__ */
 }
 
@@ -1353,7 +1361,9 @@ cups_read_client_conf(
   linenum = 0;
   while (cupsFileGetConf(fp, line, sizeof(line), &value, &linenum))
   {
-    if (!_cups_strcasecmp(line, "Encryption") && value)
+    if (!_cups_strcasecmp(line, "DigestOptions") && value)
+      cups_set_digestoptions(cc, value);
+    else if (!_cups_strcasecmp(line, "Encryption") && value)
       cups_set_encryption(cc, value);
 #ifndef __APPLE__
    /*
@@ -1408,6 +1418,23 @@ cups_set_default_ipp_port(
     cg->ipp_port = CUPS_DEFAULT_IPP_PORT;
 }
 
+
+/*
+ * 'cups_set_digestoptions()' - Set the DigestOptions value.
+ */
+
+static void
+cups_set_digestoptions(
+    _cups_client_conf_t *cc,		/* I - client.conf values */
+    const char          *value)		/* I - Value */
+{
+  if (!_cups_strcasecmp(value, "DenyMD5"))
+    cc->digestoptions = _CUPS_DIGESTOPTIONS_DENYMD5;
+  else if (!_cups_strcasecmp(value, "None"))
+    cc->digestoptions = _CUPS_DIGESTOPTIONS_NONE;
+}
+
+
 /*
  * 'cups_set_encryption()' - Set the Encryption value.
  */

doc/help/man-client.conf.html

@@ -19,28 +19,32 @@ See the NOTES section below for more information.
 <h3><a name="DIRECTIVES">Directives</a></h3>
 The following directives are understood by the client. Consult the online help for detailed descriptions:
 <dl class="man">
-<dt><b>AllowAnyRoot Yes</b>
+<dt><a name="AllowAnyRoot"></a><b>AllowAnyRoot Yes</b>
 <dd style="margin-left: 5.0em"><dt><b>AllowAnyRoot No</b>
 <dd style="margin-left: 5.0em">Specifies whether to allow TLS with certificates that have not been signed by a trusted Certificate Authority.
 The default is "Yes".
-<dt><b>AllowExpiredCerts Yes</b>
+<dt><a name="AllowExpiredCerts"></a><b>AllowExpiredCerts Yes</b>
 <dd style="margin-left: 5.0em"><dt><b>AllowExpiredCerts No</b>
 <dd style="margin-left: 5.0em">Specifies whether to allow TLS with expired certificates.
 The default is "No".
-<dt><b>Encryption IfRequested</b>
+<dt><a name="DigestOptions"></a><b>DigestOptions DenyMD5</b>
+<dd style="margin-left: 5.0em"><dt><b>DigestOptions None</b>
+<dd style="margin-left: 5.0em">Specifies HTTP Digest authentication options.
+<b>DenyMD5</b> disables support for the original MD5 hash algorithm.
+<dt><a name="Encryption"></a><b>Encryption IfRequested</b>
 <dd style="margin-left: 5.0em"><dt><b>Encryption Never</b>
 <dd style="margin-left: 5.0em"><dt><b>Encryption Required</b>
 <dd style="margin-left: 5.0em">Specifies the level of encryption that should be used.
-<dt><b>GSSServiceName </b><i>name</i>
+<dt><a name="GSSServiceName"></a><b>GSSServiceName </b><i>name</i>
 <dd style="margin-left: 5.0em">Specifies the Kerberos service name that is used for authentication, typically "host", "http", or "ipp".
 CUPS adds the remote hostname ("name@server.example.com") for you. The default name is "http".
-<dt><b>ServerName </b><i>hostname-or-ip-address</i>[<i>:port</i>]
+<dt><a name="ServerName"></a><b>ServerName </b><i>hostname-or-ip-address</i>[<i>:port</i>]
 <dd style="margin-left: 5.0em"><dt><b>ServerName </b><i>/domain/socket</i>
 <dd style="margin-left: 5.0em">Specifies the address and optionally the port to use when connecting to the server.
 <b>Note: This directive is not supported on macOS 10.7 or later.</b>
 <dt><b>ServerName </b><i>hostname-or-ip-address</i>[<i>:port</i>]<b>/version=1.1</b>
 <dd style="margin-left: 5.0em">Specifies the address and optionally the port to use when connecting to a server running CUPS 1.3.12 and earlier.
-<dt><b>SSLOptions </b>[<i>AllowDH</i>] [<i>AllowRC4</i>] [<i>AllowSSL3</i>] [<i>DenyCBC</i>] [<i>DenyTLS1.0</i>] [<i>MaxTLS1.0</i>] [<i>MaxTLS1.1</i>] [<i>MaxTLS1.2</i>] [<i>MaxTLS1.3</i>] [<i>MinTLS1.0</i>] [<i>MinTLS1.1</i>] [<i>MinTLS1.2</i>] [<i>MinTLS1.3</i>]
+<dt><a name="SSLOptions"></a><b>SSLOptions </b>[<i>AllowDH</i>] [<i>AllowRC4</i>] [<i>AllowSSL3</i>] [<i>DenyCBC</i>] [<i>DenyTLS1.0</i>] [<i>MaxTLS1.0</i>] [<i>MaxTLS1.1</i>] [<i>MaxTLS1.2</i>] [<i>MaxTLS1.3</i>] [<i>MinTLS1.0</i>] [<i>MinTLS1.1</i>] [<i>MinTLS1.2</i>] [<i>MinTLS1.3</i>]
 <dd style="margin-left: 5.0em"><dt><b>SSLOptions None</b>
 <dd style="margin-left: 5.0em">Sets encryption options (only in /etc/cups/client.conf).
 By default, CUPS only supports encryption using TLS v1.0 or higher using known secure cipher suites.
@@ -54,11 +58,11 @@ The <i>DenyTLS1.0</i> option disables TLS v1.0 support - this sets the minimum p
 The <i>MinTLS</i> options set the minimum TLS version to support.
 The <i>MaxTLS</i> options set the maximum TLS version to support.
 Not all operating systems support TLS 1.3 at this time.
-<dt><b>TrustOnFirstUse Yes</b>
+<dt><a name="TrustOnFirstUse"></a><b>TrustOnFirstUse Yes</b>
 <dd style="margin-left: 5.0em"><dt><b>TrustOnFirstUse No</b>
 <dd style="margin-left: 5.0em">Specifies whether to trust new TLS certificates by default.
 The default is "Yes".
-<dt><b>User </b><i>name</i>
+<dt><a name="User"></a><b>User </b><i>name</i>
 <dd style="margin-left: 5.0em">Specifies the default user name to use for requests.
 <dt><a name="UserAgentTokens"></a><b>UserAgentTokens None</b>
 <dd style="margin-left: 5.0em"><dt><b>UserAgentTokens ProductOnly</b>
@@ -76,7 +80,7 @@ The default is "Yes".
 "OS" reports "CUPS/major.minor.path (osname osversion) IPP/2.1".
 "Full" reports "CUPS/major.minor.path (osname osversion; architecture) IPP/2.1".
 The default is "Minimal".
-<dt><b>ValidateCerts Yes</b>
+<dt><a name="ValidateCerts"></a><b>ValidateCerts Yes</b>
 <dd style="margin-left: 5.0em"><dt><b>ValidateCerts No</b>
 <dd style="margin-left: 5.0em">Specifies whether to only allow TLS with certificates whose common name matches the hostname.
 The default is "No".

man/client.conf.5

@@ -7,7 +7,7 @@
 .\" Licensed under Apache License v2.0.  See the file "LICENSE" for more
 .\" information.
 .\"
-.TH client.conf 5 "CUPS" "26 April 2019" "Apple Inc."
+.TH client.conf 5 "CUPS" "15 October 2019" "Apple Inc."
 .SH NAME
 client.conf \- client configuration file for cups (deprecated on macos)
 .SH DESCRIPTION
@@ -20,18 +20,28 @@ Starting with macOS 10.12, all applications can access these settings in the \fI
 See the NOTES section below for more information.
 .SS DIRECTIVES
 The following directives are understood by the client. Consult the online help for detailed descriptions:
+.\"#AllowAnyRoot
 .TP 5
 \fBAllowAnyRoot Yes\fR
 .TP 5
 \fBAllowAnyRoot No\fR
 Specifies whether to allow TLS with certificates that have not been signed by a trusted Certificate Authority.
 The default is "Yes".
+.\"#AllowExpiredCerts
 .TP 5
 \fBAllowExpiredCerts Yes\fR
 .TP 5
 \fBAllowExpiredCerts No\fR
 Specifies whether to allow TLS with expired certificates.
 The default is "No".
+.\"#DigestOptions
+.TP 5
+\fBDigestOptions DenyMD5\fR
+.TP 5
+\fBDigestOptions None\fR
+Specifies HTTP Digest authentication options.
+\fBDenyMD5\fR disables support for the original MD5 hash algorithm.
+.\"#Encryption
 .TP 5
 \fBEncryption IfRequested\fR
 .TP 5
@@ -39,10 +49,12 @@ The default is "No".
 .TP 5
 \fBEncryption Required\fR
 Specifies the level of encryption that should be used.
+.\"#GSSServiceName
 .TP 5
 \fBGSSServiceName \fIname\fR
 Specifies the Kerberos service name that is used for authentication, typically "host", "http", or "ipp".
 CUPS adds the remote hostname ("name@server.example.com") for you. The default name is "http".
+.\"#ServerName
 .TP 5
 \fBServerName \fIhostname-or-ip-address\fR[\fI:port\fR]
 .TP 5
@@ -52,6 +64,7 @@ Specifies the address and optionally the port to use when connecting to the serv
 .TP 5
 \fBServerName \fIhostname-or-ip-address\fR[\fI:port\fR]\fB/version=1.1\fR
 Specifies the address and optionally the port to use when connecting to a server running CUPS 1.3.12 and earlier.
+.\"#SSLOptions
 .TP 5
 \fBSSLOptions \fR[\fIAllowDH\fR] [\fIAllowRC4\fR] [\fIAllowSSL3\fR] [\fIDenyCBC\fR] [\fIDenyTLS1.0\fR] [\fIMaxTLS1.0\fR] [\fIMaxTLS1.1\fR] [\fIMaxTLS1.2\fR] [\fIMaxTLS1.3\fR] [\fIMinTLS1.0\fR] [\fIMinTLS1.1\fR] [\fIMinTLS1.2\fR] [\fIMinTLS1.3\fR]
 .TP 5
@@ -68,12 +81,14 @@ The \fIDenyTLS1.0\fR option disables TLS v1.0 support - this sets the minimum pr
 The \fIMinTLS\fR options set the minimum TLS version to support.
 The \fIMaxTLS\fR options set the maximum TLS version to support.
 Not all operating systems support TLS 1.3 at this time.
+.\"#TrustOnFirstUse
 .TP 5
 \fBTrustOnFirstUse Yes\fR
 .TP 5
 \fBTrustOnFirstUse No\fR
 Specifies whether to trust new TLS certificates by default.
 The default is "Yes".
+.\"#User
 .TP 5
 \fBUser \fIname\fR
 Specifies the default user name to use for requests.
@@ -101,6 +116,7 @@ Specifies what information is included in the User-Agent header of HTTP requests
 "OS" reports "CUPS/major.minor.path (osname osversion) IPP/2.1".
 "Full" reports "CUPS/major.minor.path (osname osversion; architecture) IPP/2.1".
 The default is "Minimal".
+.\"#ValidateCerts
 .TP 5
 \fBValidateCerts Yes\fR
 .TP 5