Bump version to 2.2.1.

Fix some manpage formatting inconsistencies

CHANGES.txt

@@ -1,6 +1,19 @@
-CHANGES.txt - 2.2.0 - 2016-09-13
+CHANGES.txt - 2.2.1 - 2016-10-03
 --------------------------------
 
+CHANGES IN CUPS V2.2.1
+
+	- Added "CreateSelfSignedCerts" directive for cups-files.conf to
+          control whether the scheduler automatically creates its own
+          self-signed X.509 certificates for TLS connections (Issue #4876)
+        - http*Connect did not handle partial failures (Issue #4870)
+        - Addressed some build warnings on Linux (Issue #4881)
+        - cupsHashData did not use the correct hashing algorithm
+          (<rdar://problem/28209220>)
+        - Updated man pages (PR #4885)
+        - Updated localizations (PR #4877, PR #4886)
+
+
 CHANGES IN CUPS V2.2.0
 
 	- Normalized the TLS certificate validation code and added additional

CREDITS.txt

@@ -41,6 +41,7 @@ like to thank the following individuals for their contributions:
     Petter Reinholdtsen            - HP-UX compiler stuff.
     Juan Pablo González Riopedre   - Spanish localization.
     Giovanni Scafora               - Italian localization.
+    Joachim Schwender              - German localization.
     Opher Shachar                  - Hebrew localization.
     Stuart Stevens                 - HP JetDirect IPP information.
     Andrea Suatoni                 - IRIX desktop integration and testing.

INSTALL.txt

@@ -1,4 +1,4 @@
-INSTALL - CUPS v2.2.0 - 2016-09-13
+INSTALL - CUPS v2.2.1 - 2016-10-03
 ----------------------------------
 
 This file describes how to compile and install CUPS from source code. For more

README.txt

@@ -1,4 +1,4 @@
-README - CUPS v2.2.0 - 2016-09-13
+README - CUPS v2.2.1 - 2016-10-03
 ---------------------------------
 
 Looking for compile instructions?  Read the file "INSTALL.txt" instead...

backend/ieee1284.c

@@ -88,7 +88,7 @@ backendGetDeviceID(
     *device_id = '\0';
 
 #  ifdef __linux
-    if (ioctl(fd, LPIOC_GET_DEVICE_ID(device_id_size), device_id))
+    if (ioctl(fd, LPIOC_GET_DEVICE_ID((unsigned)device_id_size), device_id))
     {
      /*
       * Linux has to implement things differently for every device it seems.

configure

@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.68 for CUPS 2.2.0.
+# Generated by GNU Autoconf 2.68 for CUPS 2.2.1.
 #
 # Report bugs to <https://github.com/apple/cups/issues>.
 #
@@ -560,8 +560,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='CUPS'
 PACKAGE_TARNAME='cups'
-PACKAGE_VERSION='2.2.0'
-PACKAGE_STRING='CUPS 2.2.0'
+PACKAGE_VERSION='2.2.1'
+PACKAGE_STRING='CUPS 2.2.1'
 PACKAGE_BUGREPORT='https://github.com/apple/cups/issues'
 PACKAGE_URL='https://www.cups.org/'
 
@@ -1448,7 +1448,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures CUPS 2.2.0 to adapt to many kinds of systems.
+\`configure' configures CUPS 2.2.1 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1509,7 +1509,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of CUPS 2.2.0:";;
+     short | recursive ) echo "Configuration of CUPS 2.2.1:";;
    esac
   cat <<\_ACEOF
 
@@ -1689,7 +1689,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-CUPS configure 2.2.0
+CUPS configure 2.2.1
 generated by GNU Autoconf 2.68
 
 Copyright (C) 2010 Free Software Foundation, Inc.
@@ -2153,7 +2153,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by CUPS $as_me 2.2.0, which was
+It was created by CUPS $as_me 2.2.1, which was
 generated by GNU Autoconf 2.68.  Invocation command line was
 
   $ $0 $@
@@ -2527,7 +2527,7 @@ esac
 ac_config_headers="$ac_config_headers config.h"
 
 
-CUPS_VERSION="2.2.0"
+CUPS_VERSION="2.2.1"
 CUPS_REVISION=""
 CUPS_BUILD="cups-$CUPS_VERSION"
 
@@ -10755,7 +10755,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by CUPS $as_me 2.2.0, which was
+This file was extended by CUPS $as_me 2.2.1, which was
 generated by GNU Autoconf 2.68.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -10818,7 +10818,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-CUPS config.status 2.2.0
+CUPS config.status 2.2.1
 configured by $0, generated by GNU Autoconf 2.68,
   with options \\"\$ac_cs_config\\"
 

configure.ac

@@ -15,7 +15,7 @@ dnl We need at least autoconf 2.60...
 AC_PREREQ(2.60)
 
 dnl Package name and version...
-AC_INIT([CUPS], [2.2.0], [https://github.com/apple/cups/issues], [cups], [https://www.cups.org/])
+AC_INIT([CUPS], [2.2.1], [https://github.com/apple/cups/issues], [cups], [https://www.cups.org/])
 
 sinclude(config-scripts/cups-opsys.m4)
 sinclude(config-scripts/cups-common.m4)

cups/cups.h

@@ -47,10 +47,10 @@ extern "C" {
  * Constants...
  */
 
-#  define CUPS_VERSION			2.0200
+#  define CUPS_VERSION			2.0201
 #  define CUPS_VERSION_MAJOR		2
 #  define CUPS_VERSION_MINOR		2
-#  define CUPS_VERSION_PATCH		0
+#  define CUPS_VERSION_PATCH		1
 
 #  define CUPS_BC_FD			3
 					/* Back-channel file descriptor for

cups/hash.c

@@ -1,7 +1,7 @@
 /*
  * Hashing function for CUPS.
  *
- * Copyright 2015 by Apple Inc.
+ * Copyright 2015-2016 by Apple Inc.
  *
  * These coded instructions, statements, and computer programs are the
  * property of Apple Inc. and are protected by Federal copyright
@@ -53,7 +53,7 @@ cupsHashData(const char    *algorithm,	/* I - Algorithm name */
   }
 
 #ifdef __APPLE__
-  if (strcmp(algorithm, "sha"))
+  if (!strcmp(algorithm, "sha"))
   {
    /*
     * SHA-1...
@@ -70,7 +70,7 @@ cupsHashData(const char    *algorithm,	/* I - Algorithm name */
 
     return (CC_SHA1_DIGEST_LENGTH);
   }
-  else if (strcmp(algorithm, "sha2-224"))
+  else if (!strcmp(algorithm, "sha2-224"))
   {
     CC_SHA256_CTX	ctx;		/* SHA-224 context */
 
@@ -83,7 +83,7 @@ cupsHashData(const char    *algorithm,	/* I - Algorithm name */
 
     return (CC_SHA224_DIGEST_LENGTH);
   }
-  else if (strcmp(algorithm, "sha2-256"))
+  else if (!strcmp(algorithm, "sha2-256"))
   {
     CC_SHA256_CTX	ctx;		/* SHA-256 context */
 
@@ -96,7 +96,7 @@ cupsHashData(const char    *algorithm,	/* I - Algorithm name */
 
     return (CC_SHA256_DIGEST_LENGTH);
   }
-  else if (strcmp(algorithm, "sha2-384"))
+  else if (!strcmp(algorithm, "sha2-384"))
   {
     CC_SHA512_CTX	ctx;		/* SHA-384 context */
 
@@ -109,7 +109,7 @@ cupsHashData(const char    *algorithm,	/* I - Algorithm name */
 
     return (CC_SHA384_DIGEST_LENGTH);
   }
-  else if (strcmp(algorithm, "sha2-512"))
+  else if (!strcmp(algorithm, "sha2-512"))
   {
     CC_SHA512_CTX	ctx;		/* SHA-512 context */
 
@@ -122,7 +122,7 @@ cupsHashData(const char    *algorithm,	/* I - Algorithm name */
 
     return (CC_SHA512_DIGEST_LENGTH);
   }
-  else if (strcmp(algorithm, "sha2-512_224"))
+  else if (!strcmp(algorithm, "sha2-512_224"))
   {
     CC_SHA512_CTX	ctx;		/* SHA-512 context */
     unsigned char	temp[CC_SHA512_DIGEST_LENGTH];
@@ -143,7 +143,7 @@ cupsHashData(const char    *algorithm,	/* I - Algorithm name */
 
     return (CC_SHA224_DIGEST_LENGTH);
   }
-  else if (strcmp(algorithm, "sha2-512_256"))
+  else if (!strcmp(algorithm, "sha2-512_256"))
   {
     CC_SHA512_CTX	ctx;		/* SHA-512 context */
     unsigned char	temp[CC_SHA512_DIGEST_LENGTH];
@@ -171,22 +171,22 @@ cupsHashData(const char    *algorithm,	/* I - Algorithm name */
   unsigned char	temp[64];		/* Temporary hash buffer */
   size_t	tempsize = 0;		/* Truncate to this size? */
 
-  if (strcmp(algorithm, "sha"))
+  if (!strcmp(algorithm, "sha"))
     alg = GNUTLS_DIG_SHA1;
-  else if (strcmp(algorithm, "sha2-224"))
+  else if (!strcmp(algorithm, "sha2-224"))
     alg = GNUTLS_DIG_SHA224;
-  else if (strcmp(algorithm, "sha2-256"))
+  else if (!strcmp(algorithm, "sha2-256"))
     alg = GNUTLS_DIG_SHA256;
-  else if (strcmp(algorithm, "sha2-384"))
+  else if (!strcmp(algorithm, "sha2-384"))
     alg = GNUTLS_DIG_SHA384;
-  else if (strcmp(algorithm, "sha2-512"))
+  else if (!strcmp(algorithm, "sha2-512"))
     alg = GNUTLS_DIG_SHA512;
-  else if (strcmp(algorithm, "sha2-512_224"))
+  else if (!strcmp(algorithm, "sha2-512_224"))
   {
     alg      = GNUTLS_DIG_SHA512;
     tempsize = 28;
   }
-  else if (strcmp(algorithm, "sha2-512_256"))
+  else if (!strcmp(algorithm, "sha2-512_256"))
   {
     alg      = GNUTLS_DIG_SHA512;
     tempsize = 32;

cups/http-addrlist.c

@@ -304,6 +304,8 @@ httpAddrConnect2(
 
     if (result > 0)
     {
+      http_addrlist_t *connaddr = NULL;	/* Connected address, if any */
+
       for (i = 0; i < nfds; i ++)
       {
 #  ifdef HAVE_POLL
@@ -314,7 +316,7 @@ httpAddrConnect2(
 #  endif /* HAVE_POLL */
 	{
 	  *sock    = fds[i];
-	  addrlist = addrs[i];
+	  connaddr = addrs[i];
 
 #  ifdef DEBUG
 	  len   = sizeof(peer);
@@ -322,11 +324,29 @@ httpAddrConnect2(
 	    DEBUG_printf(("1httpAddrConnect2: Connected to %s:%d...", httpAddrString(&peer, temp, sizeof(temp)), httpAddrPort(&peer)));
 #  endif /* DEBUG */
 	}
-	else
+#  ifdef HAVE_POLL
+	else if (pfds[i].revents & (POLLERR | POLLHUP))
+#  else
+	else if (FD_ISSET(fds[i], &error))
+#  endif /* HAVE_POLL */
+        {
+         /*
+          * Error on socket, remove from the "pool"...
+          */
+
 	  httpAddrClose(NULL, fds[i]);
+          nfds --;
+          if (i < nfds)
+          {
+            memmove(fds + i, fds + i + 1, (size_t)(nfds - i) * (sizeof(fds[0])));
+            memmove(addrs + i, addrs + i + 1, (size_t)(nfds - i) * (sizeof(addrs[0])));
+          }
+          i --;
+        }
       }
 
-      return (addrlist);
+      if (connaddr)
+        return (connaddr);
     }
 #endif /* O_NONBLOCK */
 

cups/tls-gnutls.c

@@ -1371,34 +1371,46 @@ _httpTLSStart(http_t *http)		/* I - Connection to server */
     if (hostname[0])
     {
      /*
-      * First look for CA certs...
+      * First look in the CUPS keystore...
       */
 
-      snprintf(crtfile, sizeof(crtfile), "/etc/letsencrypt/live/%s/fullchain.pem", hostname);
-      snprintf(keyfile, sizeof(keyfile), "/etc/letsencrypt/live/%s/privkey.pem", hostname);
-
-      if ((access(crtfile, R_OK) || access(keyfile, R_OK)) && (hostptr = strchr(hostname, '.')) != NULL)
-      {
-       /*
-        * Try just domain name...
-	*/
-
-        hostptr ++;
-	if (strchr(hostptr, '.'))
-	{
-	  snprintf(crtfile, sizeof(crtfile), "/etc/letsencrypt/live/%s/fullchain.pem", hostptr);
-	  snprintf(keyfile, sizeof(keyfile), "/etc/letsencrypt/live/%s/privkey.pem", hostptr);
-	}
-      }
+      http_gnutls_make_path(crtfile, sizeof(crtfile), tls_keypath, hostname, "crt");
+      http_gnutls_make_path(keyfile, sizeof(keyfile), tls_keypath, hostname, "key");
 
       if (access(crtfile, R_OK) || access(keyfile, R_OK))
       {
        /*
-        * Then look in the CUPS keystore...
-	*/
+        * No CUPS-managed certs, look for CA certs...
+        */
 
-	http_gnutls_make_path(crtfile, sizeof(crtfile), tls_keypath, hostname, "crt");
-	http_gnutls_make_path(keyfile, sizeof(keyfile), tls_keypath, hostname, "key");
+        char cacrtfile[1024], cakeyfile[1024];	/* CA cert files */
+
+        snprintf(cacrtfile, sizeof(cacrtfile), "/etc/letsencrypt/live/%s/fullchain.pem", hostname);
+        snprintf(cakeyfile, sizeof(cakeyfile), "/etc/letsencrypt/live/%s/privkey.pem", hostname);
+
+        if ((access(cacrtfile, R_OK) || access(cakeyfile, R_OK)) && (hostptr = strchr(hostname, '.')) != NULL)
+        {
+         /*
+          * Try just domain name...
+          */
+
+          hostptr ++;
+          if (strchr(hostptr, '.'))
+          {
+            snprintf(cacrtfile, sizeof(cacrtfile), "/etc/letsencrypt/live/%s/fullchain.pem", hostptr);
+            snprintf(cakeyfile, sizeof(cakeyfile), "/etc/letsencrypt/live/%s/privkey.pem", hostptr);
+          }
+        }
+
+        if (!access(cacrtfile, R_OK) && !access(cakeyfile, R_OK))
+        {
+         /*
+          * Use the CA certs...
+          */
+
+          strlcpy(crtfile, cacrtfile, sizeof(crtfile));
+          strlcpy(keyfile, cakeyfile, sizeof(keyfile));
+        }
       }
 
       have_creds = !access(crtfile, R_OK) && !access(keyfile, R_OK);
@@ -1406,34 +1418,46 @@ _httpTLSStart(http_t *http)		/* I - Connection to server */
     else if (tls_common_name)
     {
      /*
-      * First look for CA certs...
+      * First look in the CUPS keystore...
       */
 
-      snprintf(crtfile, sizeof(crtfile), "/etc/letsencrypt/live/%s/fullchain.pem", tls_common_name);
-      snprintf(keyfile, sizeof(keyfile), "/etc/letsencrypt/live/%s/privkey.pem", tls_common_name);
-
-      if ((access(crtfile, R_OK) || access(keyfile, R_OK)) && (hostptr = strchr(tls_common_name, '.')) != NULL)
-      {
-       /*
-        * Try just domain name...
-	*/
-
-        hostptr ++;
-	if (strchr(hostptr, '.'))
-	{
-	  snprintf(crtfile, sizeof(crtfile), "/etc/letsencrypt/live/%s/fullchain.pem", hostptr);
-	  snprintf(keyfile, sizeof(keyfile), "/etc/letsencrypt/live/%s/privkey.pem", hostptr);
-	}
-      }
+      http_gnutls_make_path(crtfile, sizeof(crtfile), tls_keypath, tls_common_name, "crt");
+      http_gnutls_make_path(keyfile, sizeof(keyfile), tls_keypath, tls_common_name, "key");
 
       if (access(crtfile, R_OK) || access(keyfile, R_OK))
       {
        /*
-        * Then look in the CUPS keystore...
-	*/
+        * No CUPS-managed certs, look for CA certs...
+        */
 
-	http_gnutls_make_path(crtfile, sizeof(crtfile), tls_keypath, tls_common_name, "crt");
-	http_gnutls_make_path(keyfile, sizeof(keyfile), tls_keypath, tls_common_name, "key");
+        char cacrtfile[1024], cakeyfile[1024];	/* CA cert files */
+
+        snprintf(cacrtfile, sizeof(cacrtfile), "/etc/letsencrypt/live/%s/fullchain.pem", tls_common_name);
+        snprintf(cakeyfile, sizeof(cakeyfile), "/etc/letsencrypt/live/%s/privkey.pem", tls_common_name);
+
+        if ((access(cacrtfile, R_OK) || access(cakeyfile, R_OK)) && (hostptr = strchr(tls_common_name, '.')) != NULL)
+        {
+         /*
+          * Try just domain name...
+          */
+
+          hostptr ++;
+          if (strchr(hostptr, '.'))
+          {
+            snprintf(cacrtfile, sizeof(cacrtfile), "/etc/letsencrypt/live/%s/fullchain.pem", hostptr);
+            snprintf(cakeyfile, sizeof(cakeyfile), "/etc/letsencrypt/live/%s/privkey.pem", hostptr);
+          }
+        }
+
+        if (!access(cacrtfile, R_OK) && !access(cakeyfile, R_OK))
+        {
+         /*
+          * Use the CA certs...
+          */
+
+          strlcpy(crtfile, cacrtfile, sizeof(crtfile));
+          strlcpy(keyfile, cakeyfile, sizeof(keyfile));
+        }
       }
 
       have_creds = !access(crtfile, R_OK) && !access(keyfile, R_OK);

doc/Makefile

@@ -54,6 +54,7 @@ HELPFILES	=	\
 			help/api-ppd.html \
 			help/api-raster.html \
 			help/cgi.html \
+			help/encryption.html \
 			help/glossary.html \
 			help/kerberos.html \
 			help/license.html \

doc/help/encryption.html

@@ -0,0 +1,55 @@
+<!doctype html>
+<html>
+<!-- SECTION: Getting Started -->
+  <head>
+    <title>Managing Encryption</title>
+    <link rel="STYLESHEET" type="text/css" href="../cups-printable.css">
+  </head>
+  <body>
+    <h1 class="title">Managing Encryption</h1>
+    <p>CUPS supports TLS encryption in two ways:</p>
+    <ol>
+      <li>Using HTTPS (always on) as soon as a connection is established, and</li>
+      <li>Using HTTP Upgrade to TLS (opportunistic) after the connection is established.</li>
+    </ol>
+    <p>CUPS supports self-signed, CA-signed, and enterprise certificates, with configurable certificate validation, cipher suite, and SSL/TLS version policies.</p>
+    <p>Out of the box, CUPS uses a Trust On First Use ("TOFU") certificate validation policy like the popular Secure Shell (ssh) software, requires TLS/1.0 or higher, only allows secure cipher suites, and automatically creates a "self-signed" certificate and private key for the scheduler so that remote administration operations and printer sharing are encrypted by default.</p>
+
+    <h2>Configuring Client TLS Policies</h2>
+    <p>The <a href="man-client.conf.html"><var>client.conf</var></a> file controls the client TLS policies. The default policy is:</p>
+    <pre class="command">
+AllowAnyRoot Yes
+AllowExpiredCerts No
+Encryption IfRequested
+SSLOptions None
+TrustOnFirstUse Yes
+ValidateCerts No
+</pre>
+    <p>A client can be configured to only communicate with trusted TLS/1.1+ servers and printers by copying the corresponding certificates to the client (<a href="#PLATFORM">see below</a>) and using the following policy in the <var>client.conf</var> file or macOS<sup>&reg;</sup> printing preferences:</p>
+    <pre class="command">
+AllowAnyRoot No
+AllowExpiredCerts No
+Encryption Required
+SSLOptions DenyTLS1.0
+TrustOnFirstUse No
+ValidateCerts Yes
+</pre>
+    <p>Similarly, if a client needs to support an older server that only supports SSL/3.0 and RC4 cipher suites you can use the following policy option:</p>
+    <pre class="command">
+SSLOptions AllowRC4 AllowSSL3
+</pre>
+
+    <h2>Configuring Server TLS Policies</h2>
+    <p>Two directives in the <a href="man-cups-files.conf.html"><var>cups-files.conf</var></a> file control the server (scheduler) TLS policies - <a href="man-cups-files.conf.html#CreateSelfSignedCerts"><code>CreateSelfSignedCerts</code></a> and <a href="man-cups-files.conf.html#ServerKeychain"><code>ServerKeychain</code></a>. The default policy creates self-signed certificates as needed.</p>
+    <p>The <a href="man-cupsd.conf.html#DefaultEncryption"><code>DefaultEncryption</code></a> and <a href="man-cupsd.conf.html#Encryption"><code>Encryption</code></a> directives in the <a href="man-cupsd.conf.html"><var>cupsd.conf</var></a> file control whether encryption is used. The default configuration requires encryption for remote access whenever authentication is required.</p>
+
+    <h2><a name="PLATFORM">Platform Differences</a></h2>
+    <h3>macOS<sup>&reg;</sup></h3>
+    <p>On macOS, client configuration settings for ordinary users are stored in the <var>~/Library/Preferences/org.cups.PrintingPrefs.plist</var> file. System-wide and user certificates are stored in the system and login keychains, with private CUPS keychains being used for self-signed and CUPS-managed certificates.</p>
+    <h3>Windows<sup>&reg;</sup></h3>
+    <p>On Windows, client configuration settings are controlled by the SSL/TLS Group Policy settings and certificate stores.</p>
+    <h3>Other Platforms</h3>
+    <p>Other platforms only use the <var>client.conf</var> file and PEM-encoded certificates (<i>hostname</i>.crt) and private keys (<i>hostname</i>.key) in the <var>/etc/cups/ssl</var> and <var>~/.cups/ssl</var> directories. If present, the <var>/etc/cups/ssl/site.crt</var> file defines a site-wide CA certificate that is used to validate server and printer certificates. Certificates for known servers and printers are stored by CUPS in the corresponding <var>ssl</var> directory so they can be validated for subsequent connections.</p>
+    <p>CUPS also supports certificates created and managed by the popular <a href="https://letsencrypt.org/">Let's Encrypt</a> certificate service, which are stored in the <var>/etc/letsencrypt/live</var> directory.</p>
+  </body>
+</html>

doc/help/network.html

@@ -435,7 +435,7 @@ CUPS_DEBUG_LEVEL=2 /usr/lib/cups/backend/snmp 2>&1 | tee snmp.log
 (setenv CUPS_DEBUG_LEVEL 2; /usr/lib/cups/backend/snmp) |& tee snmp.log
 </PRE>
 
-<P>On MacmacOS you'll find the SNMP backend in /usr/libexec/cups/backend instead:</P>
+<P>On macOS you'll find the SNMP backend in /usr/libexec/cups/backend instead:</P>
 
 <PRE CLASS="command">
 CUPS_DEBUG_LEVEL=2 /usr/libexec/cups/backend/snmp 2>&amp;1 | tee snmp.log

doc/help/security.html

@@ -33,7 +33,7 @@ server.</P>
 
 	<P><B>Recommendation:</B> Enable encryption to hide the
 	username and password information - this is the default on
-	MacmacOS and systems with GNU TLS or OpenSSL installed.</P></LI>
+	macOS and systems with GNU TLS installed.</P></LI>
 
 	<LI>Local certificate authentication passes 128-bit
 	"certificates" that identify an authenticated user.

man/backend.man

@@ -69,7 +69,7 @@ Back-channel data from the device should be relayed to the job filters using the
 Backends are responsible for reading side-channel requests using the
 .BR cupsSideChannelRead ()
 function and responding with the
-.BR cupsSideChannelWrite()
+.BR cupsSideChannelWrite ()
 function. The
 .B CUPS_SC_FD
 constant defines the file descriptor that should be monitored for incoming requests.
@@ -170,7 +170,7 @@ The device URI associated with the printer.
 .SH FILES
 .I /etc/cups/cups-files.conf
 .SH NOTES
-CUPS backends are not generally design to be run directly by the user. Aside from the device URI issue (
+CUPS backends are not generally designed to be run directly by the user. Aside from the device URI issue (
 .I argv[0]
 and
 .B DEVICE_URI

man/client.conf.man.in

@@ -51,7 +51,7 @@ CUPS adds the remote hostname ("name@server.example.com") for you. The default n
 .TP 5
 \fBServerName \fI/domain/socket\fR
 Specifies the address and optionally the port to use when connecting to the server.
-\fBNote: This directive it not supported on macOS 10.7 or later.\fR
+\fBNote: This directive is not supported on macOS 10.7 or later.\fR
 .TP 5
 \fBServerName \fIhostname-or-ip-address\fR[\fI:port\fR]\fB/version=1.1\fR
 Specifies the address and optionally the port to use when connecting to a server running CUPS 1.3.12 and earlier.

man/cups-files.conf.man.in

@@ -10,7 +10,7 @@
 .\" which should have been included with this file.  If this file is
 .\" file is missing or damaged, see the license at "http://www.cups.org/".
 .\"
-.TH cups-files.conf 5 "CUPS" "20 June 2016" "Apple Inc."
+.TH cups-files.conf 5 "CUPS" "19 September 2016" "Apple Inc."
 .SH NAME
 cups\-files.conf \- file and directory configuration file for cups
 .SH DESCRIPTION
@@ -54,6 +54,13 @@ The default is "0644" on macOS and "0640" on all other operating systems.
 \fBNote:\fR The permissions for the \fIprinters.conf\fR file are currently masked to only allow access from the scheduler user (typically root).
 This is done because printer device URIs sometimes contain sensitive authentication information that should not be generally known on the system.
 There is no way to disable this security feature.
+.\"#CreateSelfSignedCerts
+.TP 5
+\fBCreateSelfSignedCerts yes\fR
+.TP 5
+\fBCreateSelfSignedCerts no\fR
+Specifies whether the scheduler automatically creates self-signed certificates for client connections using TLS.
+The default is yes.
 .\"#DataDir
 .TP 5
 \fBDataDir \fIpath\fR

man/cups-lpd.man.in

@@ -104,7 +104,7 @@ CUPS includes configuration files for
 .BR launchd (8),
 .BR systemd (8),
 and
-.BR xinetd(8).
+.BR xinetd (8).
 Simply enable the
 .B cups-lpd
 service using the corresponding control program.

man/cupsd.conf.man.in

@@ -231,14 +231,14 @@ The default is "30".
 .\"#LimitIPP
 .TP 5
 \fB<Limit \fIoperation \fR...\fB> \fR... \fB</Limit>\fR
-Specifies the IPP operations that are being limited inside a Policy section. IPP operation names are listed below in the section "IPP OPERATIONS".
+Specifies the IPP operations that are being limited inside a Policy section. IPP operation names are listed below in the section "IPP OPERATION NAMES".
 .\"#Limit
 .TP 5
 \fB<Limit \fImethod \fR...\fB> \fR... \fB</Limit>\fR
 .\"#LimitExcept
 .TP 5
 \fB<LimitExcept \fImethod \fR...\fB> \fR... \fB</LimitExcept>\fR
-Specifies the HTTP methods that are being limited inside a Location section. HTTP method names are listed below in the section "HTTP METHODS".
+Specifies the HTTP methods that are being limited inside a Location section. HTTP method names are listed below in the section "HTTP METHOD NAMES".
 .\"#LimitRequestBody
 .TP 5
 \fBLimitRequestBody \fIsize\fR
@@ -689,7 +689,7 @@ The resource for the named printer class
 The path for all jobs (hold-job, release-job, etc.)
 .TP 5
 /jobs/id
-The path for the specified job.
+The path for the specified job
 .TP 5
 /printers
 The path for all printers

packaging/cups.list.in

@@ -569,6 +569,7 @@ f 0444 root sys $DOCDIR/apple-touch-icon.png doc/apple-touch-icon.png
 d 0755 root sys $DOCDIR/help -
 f 0444 root sys $DOCDIR/help/accounting.html doc/help/accounting.html
 f 0444 root sys $DOCDIR/help/cgi.html doc/help/cgi.html
+f 0444 root sys $DOCDIR/help/encryption.html doc/help/encryption.html
 f 0444 root sys $DOCDIR/help/glossary.html doc/help/glossary.html
 f 0444 root sys $DOCDIR/help/kerberos.html doc/help/kerberos.html
 f 0444 root sys $DOCDIR/help/license.html doc/help/license.html

packaging/cups.spec.in

@@ -251,6 +251,7 @@ rm -rf $RPM_BUILD_ROOT
 %dir /usr/share/doc/cups/help
 /usr/share/doc/cups/help/accounting.html
 /usr/share/doc/cups/help/cgi.html
+/usr/share/doc/cups/help/encryption.html
 /usr/share/doc/cups/help/glossary.html
 /usr/share/doc/cups/help/kerberos.html
 /usr/share/doc/cups/help/license.html

scheduler/auth.c

@@ -1179,14 +1179,22 @@ cupsdCheckGroup(
 #ifdef HAVE_GETGROUPLIST
     if (user)
     {
-      int	ngroups,		/* Number of groups */
-		groups[2048];		/* Groups that user belongs to */
+      int	ngroups;		/* Number of groups */
+#  ifdef __APPLE__
+      int	groups[2048];		/* Groups that user belongs to */
+#  else
+      gid_t	groups[2048];		/* Groups that user belongs to */
+#  endif /* __APPLE__ */
 
       ngroups = (int)(sizeof(groups) / sizeof(groups[0]));
+#  ifdef __APPLE__
       getgrouplist(username, (int)user->pw_gid, groups, &ngroups);
+#  else
+      getgrouplist(username, user->pw_gid, groups, &ngroups);
+#endif /* __APPLE__ */
 
       for (i = 0; i < ngroups; i ++)
-        if ((int)group->gr_gid == groups[i])
+        if (group->gr_gid == groups[i])
 	  return (1);
     }
 #endif /* HAVE_GETGROUPLIST */

scheduler/conf.c

@@ -138,6 +138,9 @@ static const cupsd_var_t	cupsfiles_vars[] =
   { "AccessLog",		&AccessLog,		CUPSD_VARTYPE_STRING },
   { "CacheDir",			&CacheDir,		CUPSD_VARTYPE_STRING },
   { "ConfigFilePerm",		&ConfigFilePerm,	CUPSD_VARTYPE_PERM },
+#ifdef HAVE_SSL
+  { "CreateSelfSignedCerts",	&CreateSelfSignedCerts,	CUPSD_VARTYPE_BOOLEAN },
+#endif /* HAVE_SSL */
   { "DataDir",			&DataDir,		CUPSD_VARTYPE_STRING },
   { "DocumentRoot",		&DocumentRoot,		CUPSD_VARTYPE_STRING },
   { "ErrorLog",			&ErrorLog,		CUPSD_VARTYPE_STRING },
@@ -739,6 +742,7 @@ cupsdReadConfiguration(void)
   FatalErrors              = parse_fatal_errors(CUPS_DEFAULT_FATAL_ERRORS);
   default_auth_type        = CUPSD_AUTH_BASIC;
 #ifdef HAVE_SSL
+  CreateSelfSignedCerts    = TRUE;
   DefaultEncryption        = HTTP_ENCRYPT_REQUIRED;
 #endif /* HAVE_SSL */
   DirtyCleanInterval       = DEFAULT_KEEPALIVE;
@@ -1181,7 +1185,9 @@ cupsdReadConfiguration(void)
     cupsdSetStringf(&ServerKeychain, "%s/%s", ServerRoot, ServerKeychain);
 
   cupsdLogMessage(CUPSD_LOG_DEBUG, "Using keychain \"%s\" for server name \"%s\".", ServerKeychain, ServerName);
-  cupsSetServerCredentials(ServerKeychain, ServerName, 1);
+  if (!CreateSelfSignedCerts)
+    cupsdLogMessage(CUPSD_LOG_DEBUG, "Self-signed TLS certificate generation is disabled.");
+  cupsSetServerCredentials(ServerKeychain, ServerName, CreateSelfSignedCerts);
 #endif /* HAVE_SSL */
 
  /*

scheduler/conf.h

@@ -240,6 +240,8 @@ VAR const char		**MimeTypes		VALUE(NULL);
 					/* Array of MIME types */
 
 #ifdef HAVE_SSL
+VAR int			CreateSelfSignedCerts	VALUE(TRUE);
+					/* Automatically create self-signed certs? */
 VAR char		*ServerKeychain		VALUE(NULL);
 					/* Keychain holding cert + key */
 #endif /* HAVE_SSL */

test/run-stp-tests.sh

@@ -141,8 +141,7 @@ esac
 
 echo ""
 echo "Now you can choose whether to create a SSL/TLS encryption key and"
-echo "certificate for testing; these tests currently require the OpenSSL"
-echo "tools:"
+echo "certificate for testing:"
 echo ""
 echo "0 - Do not do SSL/TLS encryption tests"
 echo "1 - Test but do not require encryption"