diff options
author | msweet <msweet@a1ca3aef-8c08-0410-bb20-df032aa958be> | 2015-05-19 02:12:22 +0000 |
---|---|---|
committer | msweet <msweet@a1ca3aef-8c08-0410-bb20-df032aa958be> | 2015-05-19 02:12:22 +0000 |
commit | 79a373262641162b3d88362352fc5b41385aad18 (patch) | |
tree | ab8a97498f2dcf2af6da8ebeed463634133db064 /cups/tlscheck.c | |
parent | d25e43cfbe8fa4664e7f5f8fb9ca248a575f03e9 (diff) | |
download | cups-79a373262641162b3d88362352fc5b41385aad18.tar.gz |
Start of check program for TLS implementations.
git-svn-id: svn+ssh://src.apple.com/svn/cups/cups.org/trunk@12635 a1ca3aef-8c08-0410-bb20-df032aa958be
Diffstat (limited to 'cups/tlscheck.c')
-rw-r--r-- | cups/tlscheck.c | 424 |
1 files changed, 424 insertions, 0 deletions
diff --git a/cups/tlscheck.c b/cups/tlscheck.c new file mode 100644 index 000000000..b3cd5a595 --- /dev/null +++ b/cups/tlscheck.c @@ -0,0 +1,424 @@ +/* + * "$Id$" + * + * TLS check program for CUPS. + * + * Copyright 2007-2015 by Apple Inc. + * Copyright 1997-2006 by Easy Software Products. + * + * These coded instructions, statements, and computer programs are the + * property of Apple Inc. and are protected by Federal copyright + * law. Distribution and use rights are outlined in the file "LICENSE.txt" + * which should have been included with this file. If this file is + * file is missing or damaged, see the license at "http://www.cups.org/". + * + * This file is subject to the Apple OS-Developed Software exception. + */ + +/* + * Include necessary headers... + */ + +#include "cups-private.h" + + +/* + * 'main()' - Main entry. + */ + +int /* O - Exit status */ +main(int argc, /* I - Number of command-line arguments */ + char *argv[]) /* I - Command-line arguments */ +{ + http_t *http; /* HTTP connection */ + const char *server = argv[1]; /* Hostname from command-line */ + int port = 631; /* Port number */ + const char *cipherName = "UNKNOWN";/* Cipher suite name */ + + + if (argc < 2 || argc > 3) + { + puts("Usage: ./tlscheck server [port]"); + puts(""); + puts("The default port is 631."); + return (1); + } + + if (argc == 3) + port = atoi(argv[2]); + + http = httpConnect2(server, port, NULL, AF_UNSPEC, HTTP_ENCRYPTION_ALWAYS, 1, 30000, NULL); + if (!http) + { + printf("%s: ERROR (%s)\n", server, cupsLastErrorString()); + return (1); + } + +#ifdef __APPLE__ + SSLCipherSuite cipher; + char unknownCipherName[256]; + int paramsNeeded = 0; + const void *params; + size_t paramsLen; + OSStatus err; + + if ((err = SSLGetNegotiatedCipher(http->tls, &cipher)) != noErr) + { + printf("%s: ERROR (No cipher suite - %d)\n", server, (int)err); + httpClose(http); + return (1); + } + + switch (cipher) + { + case TLS_NULL_WITH_NULL_NULL: + cipherName = "TLS_NULL_WITH_NULL_NULL"; + break; + case TLS_RSA_WITH_NULL_MD5: + cipherName = "TLS_RSA_WITH_NULL_MD5"; + break; + case TLS_RSA_WITH_NULL_SHA: + cipherName = "TLS_RSA_WITH_NULL_SHA"; + break; + case TLS_RSA_WITH_RC4_128_MD5: + cipherName = "TLS_RSA_WITH_RC4_128_MD5"; + break; + case TLS_RSA_WITH_RC4_128_SHA: + cipherName = "TLS_RSA_WITH_RC4_128_SHA"; + break; + case TLS_RSA_WITH_3DES_EDE_CBC_SHA: + cipherName = "TLS_RSA_WITH_3DES_EDE_CBC_SHA"; + break; + case TLS_RSA_WITH_NULL_SHA256: + cipherName = "TLS_RSA_WITH_NULL_SHA256"; + break; + case TLS_RSA_WITH_AES_128_CBC_SHA256: + cipherName = "TLS_RSA_WITH_AES_128_CBC_SHA256"; + break; + case TLS_RSA_WITH_AES_256_CBC_SHA256: + cipherName = "TLS_RSA_WITH_AES_256_CBC_SHA256"; + break; + case TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA: + cipherName = "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA"; + paramsNeeded = 1; + break; + case TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA: + cipherName = "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA"; + paramsNeeded = 1; + break; + case TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA: + cipherName = "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA"; + paramsNeeded = 1; + break; + case TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA: + cipherName = "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA"; + paramsNeeded = 1; + break; + case TLS_DH_DSS_WITH_AES_128_CBC_SHA256: + cipherName = "TLS_DH_DSS_WITH_AES_128_CBC_SHA256"; + paramsNeeded = 1; + break; + case TLS_DH_RSA_WITH_AES_128_CBC_SHA256: + cipherName = "TLS_DH_RSA_WITH_AES_128_CBC_SHA256"; + paramsNeeded = 1; + break; + case TLS_DHE_DSS_WITH_AES_128_CBC_SHA256: + cipherName = "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256"; + paramsNeeded = 1; + break; + case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: + cipherName = "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256"; + paramsNeeded = 1; + break; + case TLS_DH_DSS_WITH_AES_256_CBC_SHA256: + cipherName = "TLS_DH_DSS_WITH_AES_256_CBC_SHA256"; + paramsNeeded = 1; + break; + case TLS_DH_RSA_WITH_AES_256_CBC_SHA256: + cipherName = "TLS_DH_RSA_WITH_AES_256_CBC_SHA256"; + paramsNeeded = 1; + break; + case TLS_DHE_DSS_WITH_AES_256_CBC_SHA256: + cipherName = "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256"; + paramsNeeded = 1; + break; + case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: + cipherName = "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"; + paramsNeeded = 1; + break; + case TLS_DH_anon_WITH_RC4_128_MD5: + cipherName = "TLS_DH_anon_WITH_RC4_128_MD5"; + paramsNeeded = 1; + break; + case TLS_DH_anon_WITH_3DES_EDE_CBC_SHA: + cipherName = "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA"; + paramsNeeded = 1; + break; + case TLS_DH_anon_WITH_AES_128_CBC_SHA256: + cipherName = "TLS_DH_anon_WITH_AES_128_CBC_SHA256"; + paramsNeeded = 1; + break; + case TLS_DH_anon_WITH_AES_256_CBC_SHA256: + cipherName = "TLS_DH_anon_WITH_AES_256_CBC_SHA256"; + paramsNeeded = 1; + break; + case TLS_PSK_WITH_RC4_128_SHA: + cipherName = "TLS_PSK_WITH_RC4_128_SHA"; + break; + case TLS_PSK_WITH_3DES_EDE_CBC_SHA: + cipherName = "TLS_PSK_WITH_3DES_EDE_CBC_SHA"; + break; + case TLS_PSK_WITH_AES_128_CBC_SHA: + cipherName = "TLS_PSK_WITH_AES_128_CBC_SHA"; + break; + case TLS_PSK_WITH_AES_256_CBC_SHA: + cipherName = "TLS_PSK_WITH_AES_256_CBC_SHA"; + break; + case TLS_DHE_PSK_WITH_RC4_128_SHA: + cipherName = "TLS_DHE_PSK_WITH_RC4_128_SHA"; + paramsNeeded = 1; + break; + case TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA: + cipherName = "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA"; + paramsNeeded = 1; + break; + case TLS_DHE_PSK_WITH_AES_128_CBC_SHA: + cipherName = "TLS_DHE_PSK_WITH_AES_128_CBC_SHA"; + paramsNeeded = 1; + break; + case TLS_DHE_PSK_WITH_AES_256_CBC_SHA: + cipherName = "TLS_DHE_PSK_WITH_AES_256_CBC_SHA"; + paramsNeeded = 1; + break; + case TLS_RSA_PSK_WITH_RC4_128_SHA: + cipherName = "TLS_RSA_PSK_WITH_RC4_128_SHA"; + break; + case TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA: + cipherName = "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA"; + break; + case TLS_RSA_PSK_WITH_AES_128_CBC_SHA: + cipherName = "TLS_RSA_PSK_WITH_AES_128_CBC_SHA"; + break; + case TLS_RSA_PSK_WITH_AES_256_CBC_SHA: + cipherName = "TLS_RSA_PSK_WITH_AES_256_CBC_SHA"; + break; + case TLS_PSK_WITH_NULL_SHA: + cipherName = "TLS_PSK_WITH_NULL_SHA"; + break; + case TLS_DHE_PSK_WITH_NULL_SHA: + cipherName = "TLS_DHE_PSK_WITH_NULL_SHA"; + paramsNeeded = 1; + break; + case TLS_RSA_PSK_WITH_NULL_SHA: + cipherName = "TLS_RSA_PSK_WITH_NULL_SHA"; + break; + case TLS_RSA_WITH_AES_128_GCM_SHA256: + cipherName = "TLS_RSA_WITH_AES_128_GCM_SHA256"; + break; + case TLS_RSA_WITH_AES_256_GCM_SHA384: + cipherName = "TLS_RSA_WITH_AES_256_GCM_SHA384"; + break; + case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: + cipherName = "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"; + paramsNeeded = 1; + break; + case TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: + cipherName = "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"; + paramsNeeded = 1; + break; + case TLS_DH_RSA_WITH_AES_128_GCM_SHA256: + cipherName = "TLS_DH_RSA_WITH_AES_128_GCM_SHA256"; + paramsNeeded = 1; + break; + case TLS_DH_RSA_WITH_AES_256_GCM_SHA384: + cipherName = "TLS_DH_RSA_WITH_AES_256_GCM_SHA384"; + paramsNeeded = 1; + break; + case TLS_DHE_DSS_WITH_AES_128_GCM_SHA256: + cipherName = "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256"; + paramsNeeded = 1; + break; + case TLS_DHE_DSS_WITH_AES_256_GCM_SHA384: + cipherName = "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384"; + paramsNeeded = 1; + break; + case TLS_DH_DSS_WITH_AES_128_GCM_SHA256: + cipherName = "TLS_DH_DSS_WITH_AES_128_GCM_SHA256"; + paramsNeeded = 1; + break; + case TLS_DH_DSS_WITH_AES_256_GCM_SHA384: + cipherName = "TLS_DH_DSS_WITH_AES_256_GCM_SHA384"; + paramsNeeded = 1; + break; + case TLS_DH_anon_WITH_AES_128_GCM_SHA256: + cipherName = "TLS_DH_anon_WITH_AES_128_GCM_SHA256"; + paramsNeeded = 1; + break; + case TLS_DH_anon_WITH_AES_256_GCM_SHA384: + cipherName = "TLS_DH_anon_WITH_AES_256_GCM_SHA384"; + paramsNeeded = 1; + break; + case TLS_PSK_WITH_AES_128_GCM_SHA256: + cipherName = "TLS_PSK_WITH_AES_128_GCM_SHA256"; + break; + case TLS_PSK_WITH_AES_256_GCM_SHA384: + cipherName = "TLS_PSK_WITH_AES_256_GCM_SHA384"; + break; + case TLS_DHE_PSK_WITH_AES_128_GCM_SHA256: + cipherName = "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256"; + paramsNeeded = 1; + break; + case TLS_DHE_PSK_WITH_AES_256_GCM_SHA384: + cipherName = "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384"; + paramsNeeded = 1; + break; + case TLS_RSA_PSK_WITH_AES_128_GCM_SHA256: + cipherName = "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256"; + break; + case TLS_RSA_PSK_WITH_AES_256_GCM_SHA384: + cipherName = "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384"; + break; + case TLS_PSK_WITH_AES_128_CBC_SHA256: + cipherName = "TLS_PSK_WITH_AES_128_CBC_SHA256"; + break; + case TLS_PSK_WITH_AES_256_CBC_SHA384: + cipherName = "TLS_PSK_WITH_AES_256_CBC_SHA384"; + break; + case TLS_PSK_WITH_NULL_SHA256: + cipherName = "TLS_PSK_WITH_NULL_SHA256"; + break; + case TLS_PSK_WITH_NULL_SHA384: + cipherName = "TLS_PSK_WITH_NULL_SHA384"; + break; + case TLS_DHE_PSK_WITH_AES_128_CBC_SHA256: + cipherName = "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256"; + paramsNeeded = 1; + break; + case TLS_DHE_PSK_WITH_AES_256_CBC_SHA384: + cipherName = "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384"; + paramsNeeded = 1; + break; + case TLS_DHE_PSK_WITH_NULL_SHA256: + cipherName = "TLS_DHE_PSK_WITH_NULL_SHA256"; + paramsNeeded = 1; + break; + case TLS_DHE_PSK_WITH_NULL_SHA384: + cipherName = "TLS_DHE_PSK_WITH_NULL_SHA384"; + paramsNeeded = 1; + break; + case TLS_RSA_PSK_WITH_AES_128_CBC_SHA256: + cipherName = "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256"; + break; + case TLS_RSA_PSK_WITH_AES_256_CBC_SHA384: + cipherName = "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384"; + break; + case TLS_RSA_PSK_WITH_NULL_SHA256: + cipherName = "TLS_RSA_PSK_WITH_NULL_SHA256"; + break; + case TLS_RSA_PSK_WITH_NULL_SHA384: + cipherName = "TLS_RSA_PSK_WITH_NULL_SHA384"; + break; + case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: + cipherName = "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"; + paramsNeeded = 1; + break; + case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384: + cipherName = "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384"; + paramsNeeded = 1; + break; + case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256: + cipherName = "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256"; + paramsNeeded = 1; + break; + case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384: + cipherName = "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384"; + paramsNeeded = 1; + break; + case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: + cipherName = "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"; + paramsNeeded = 1; + break; + case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384: + cipherName = "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"; + paramsNeeded = 1; + break; + case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256: + cipherName = "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256"; + paramsNeeded = 1; + break; + case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384: + cipherName = "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384"; + paramsNeeded = 1; + break; + case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: + cipherName = "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"; + paramsNeeded = 1; + break; + case TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: + cipherName = "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"; + paramsNeeded = 1; + break; + case TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256: + cipherName = "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256"; + paramsNeeded = 1; + break; + case TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384: + cipherName = "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384"; + paramsNeeded = 1; + break; + case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: + cipherName = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"; + paramsNeeded = 1; + break; + case TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: + cipherName = "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"; + paramsNeeded = 1; + break; + case TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256: + cipherName = "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256"; + paramsNeeded = 1; + break; + case TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384: + cipherName = "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384"; + paramsNeeded = 1; + break; + default : + snprintf(unknownCipherName, sizeof(unknownCipherName), "UNKNOWN_%04X", cipher); + cipherName = unknownCipherName; + break; + } + + if (cipher == TLS_RSA_WITH_RC4_128_MD5 || + cipher == TLS_RSA_WITH_RC4_128_SHA) + { + printf("%s: ERROR (Insecure RC4 negotiated)\n", server); + httpClose(http); + return (1); + } + + if ((err = SSLGetDiffieHellmanParams(http->tls, ¶ms, ¶msLen)) != noErr && paramsNeeded) + { + printf("%s: ERROR (Unable to get Diffie Hellman parameters - %d)\n", server, (int)err); + httpClose(http); + return (1); + } + + if (paramsLen < 128 && paramsLen != 0) + { + printf("%s: ERROR (Diffie Hellman parameters only %d bytes/%d bits)\n", server, (int)paramsLen, (int)paramsLen * 8); + httpClose(http); + return (1); + } +#endif /* __APPLE__ */ + + printf("%s: OK (%s)\n", server, cipherName); + + httpClose(http); + + return (0); +} + + +/* + * End of "$Id$". + */ |