2 * User, system, and password routines for CUPS.
4 * Copyright 2007-2017 by Apple Inc.
5 * Copyright 1997-2006 by Easy Software Products.
7 * Licensed under Apache License v2.0. See the file "LICENSE" for more information.
11 * Include necessary headers...
14 #include "cups-private.h"
15 #include "debug-internal.h"
23 # include <sys/utsname.h>
32 # define kCUPSPrintingPrefs CFSTR("org.cups.PrintingPrefs")
33 # define kAllowAnyRootKey CFSTR("AllowAnyRoot")
34 # define kAllowExpiredCertsKey CFSTR("AllowExpiredCerts")
35 # define kEncryptionKey CFSTR("Encryption")
36 # define kGSSServiceNameKey CFSTR("GSSServiceName")
37 # define kSSLOptionsKey CFSTR("SSLOptions")
38 # define kTrustOnFirstUseKey CFSTR("TrustOnFirstUse")
39 # define kValidateCertsKey CFSTR("ValidateCerts")
40 #endif /* __APPLE__ */
42 #define _CUPS_PASSCHAR '*' /* Character that is echoed for password */
49 typedef struct _cups_client_conf_s
/**** client.conf config data ****/
52 int ssl_options
, /* SSLOptions values */
53 ssl_min_version
,/* Minimum SSL/TLS version */
54 ssl_max_version
;/* Maximum SSL/TLS version */
56 int trust_first
, /* Trust on first use? */
57 any_root
, /* Allow any (e.g., self-signed) root */
58 expired_certs
, /* Allow expired certs */
59 validate_certs
; /* Validate certificates */
60 http_encryption_t encryption
; /* Encryption setting */
61 char user
[65], /* User name */
65 char gss_service_name
[32];
66 /* Kerberos service name */
67 #endif /* HAVE_GSSAPI */
68 } _cups_client_conf_t
;
76 static int cups_apple_get_boolean(CFStringRef key
, int *value
);
77 static int cups_apple_get_string(CFStringRef key
, char *value
, size_t valsize
);
78 #endif /* __APPLE__ */
79 static int cups_boolean_value(const char *value
);
80 static void cups_finalize_client_conf(_cups_client_conf_t
*cc
);
81 static void cups_init_client_conf(_cups_client_conf_t
*cc
);
82 static void cups_read_client_conf(cups_file_t
*fp
, _cups_client_conf_t
*cc
);
83 static void cups_set_default_ipp_port(_cups_globals_t
*cg
);
84 static void cups_set_encryption(_cups_client_conf_t
*cc
, const char *value
);
86 static void cups_set_gss_service_name(_cups_client_conf_t
*cc
, const char *value
);
87 #endif /* HAVE_GSSAPI */
88 static void cups_set_server_name(_cups_client_conf_t
*cc
, const char *value
);
90 static void cups_set_ssl_options(_cups_client_conf_t
*cc
, const char *value
);
92 static void cups_set_user(_cups_client_conf_t
*cc
, const char *value
);
96 * 'cupsEncryption()' - Get the current encryption settings.
98 * The default encryption setting comes from the CUPS_ENCRYPTION
99 * environment variable, then the ~/.cups/client.conf file, and finally the
100 * /etc/cups/client.conf file. If not set, the default is
101 * @code HTTP_ENCRYPTION_IF_REQUESTED@.
103 * Note: The current encryption setting is tracked separately for each thread
104 * in a program. Multi-threaded programs that override the setting via the
105 * @link cupsSetEncryption@ function need to do so in each thread for the same
106 * setting to be used.
109 http_encryption_t
/* O - Encryption settings */
112 _cups_globals_t
*cg
= _cupsGlobals(); /* Pointer to library globals */
115 if (cg
->encryption
== (http_encryption_t
)-1)
118 return (cg
->encryption
);
123 * 'cupsGetPassword()' - Get a password from the user.
125 * Uses the current password callback function. Returns @code NULL@ if the
126 * user does not provide a password.
128 * Note: The current password callback function is tracked separately for each
129 * thread in a program. Multi-threaded programs that override the setting via
130 * the @link cupsSetPasswordCB@ or @link cupsSetPasswordCB2@ functions need to
131 * do so in each thread for the same function to be used.
136 const char * /* O - Password */
137 cupsGetPassword(const char *prompt
) /* I - Prompt string */
139 _cups_globals_t
*cg
= _cupsGlobals(); /* Pointer to library globals */
142 return ((cg
->password_cb
)(prompt
, NULL
, NULL
, NULL
, cg
->password_data
));
147 * 'cupsGetPassword2()' - Get a password from the user using the current
150 * Uses the current password callback function. Returns @code NULL@ if the
151 * user does not provide a password.
153 * Note: The current password callback function is tracked separately for each
154 * thread in a program. Multi-threaded programs that override the setting via
155 * the @link cupsSetPasswordCB2@ function need to do so in each thread for the
156 * same function to be used.
158 * @since CUPS 1.4/macOS 10.6@
161 const char * /* O - Password */
162 cupsGetPassword2(const char *prompt
, /* I - Prompt string */
163 http_t
*http
, /* I - Connection to server or @code CUPS_HTTP_DEFAULT@ */
164 const char *method
, /* I - Request method ("GET", "POST", "PUT") */
165 const char *resource
) /* I - Resource path */
167 _cups_globals_t
*cg
= _cupsGlobals(); /* Pointer to library globals */
171 http
= _cupsConnect();
173 return ((cg
->password_cb
)(prompt
, http
, method
, resource
, cg
->password_data
));
178 * 'cupsServer()' - Return the hostname/address of the current server.
180 * The default server comes from the CUPS_SERVER environment variable, then the
181 * ~/.cups/client.conf file, and finally the /etc/cups/client.conf file. If not
182 * set, the default is the local system - either "localhost" or a domain socket
185 * The returned value can be a fully-qualified hostname, a numeric IPv4 or IPv6
186 * address, or a domain socket pathname.
188 * Note: The current server is tracked separately for each thread in a program.
189 * Multi-threaded programs that override the server via the
190 * @link cupsSetServer@ function need to do so in each thread for the same
194 const char * /* O - Server name */
197 _cups_globals_t
*cg
= _cupsGlobals(); /* Pointer to library globals */
208 * 'cupsSetClientCertCB()' - Set the client certificate callback.
210 * Pass @code NULL@ to restore the default callback.
212 * Note: The current certificate callback is tracked separately for each thread
213 * in a program. Multi-threaded programs that override the callback need to do
214 * so in each thread for the same callback to be used.
216 * @since CUPS 1.5/macOS 10.7@
221 cups_client_cert_cb_t cb
, /* I - Callback function */
222 void *user_data
) /* I - User data pointer */
224 _cups_globals_t
*cg
= _cupsGlobals(); /* Pointer to library globals */
227 cg
->client_cert_cb
= cb
;
228 cg
->client_cert_data
= user_data
;
233 * 'cupsSetCredentials()' - Set the default credentials to be used for SSL/TLS
236 * Note: The default credentials are tracked separately for each thread in a
237 * program. Multi-threaded programs that override the setting need to do so in
238 * each thread for the same setting to be used.
240 * @since CUPS 1.5/macOS 10.7@
243 int /* O - Status of call (0 = success) */
245 cups_array_t
*credentials
) /* I - Array of credentials */
247 _cups_globals_t
*cg
= _cupsGlobals(); /* Pointer to library globals */
250 if (cupsArrayCount(credentials
) < 1)
254 _httpFreeCredentials(cg
->tls_credentials
);
255 cg
->tls_credentials
= _httpCreateCredentials(credentials
);
256 #endif /* HAVE_SSL */
258 return (cg
->tls_credentials
? 0 : -1);
263 * 'cupsSetEncryption()' - Set the encryption preference.
265 * The default encryption setting comes from the CUPS_ENCRYPTION
266 * environment variable, then the ~/.cups/client.conf file, and finally the
267 * /etc/cups/client.conf file. If not set, the default is
268 * @code HTTP_ENCRYPTION_IF_REQUESTED@.
270 * Note: The current encryption setting is tracked separately for each thread
271 * in a program. Multi-threaded programs that override the setting need to do
272 * so in each thread for the same setting to be used.
276 cupsSetEncryption(http_encryption_t e
) /* I - New encryption preference */
278 _cups_globals_t
*cg
= _cupsGlobals(); /* Pointer to library globals */
284 httpEncryption(cg
->http
, e
);
289 * 'cupsSetPasswordCB()' - Set the password callback for CUPS.
291 * Pass @code NULL@ to restore the default (console) password callback, which
292 * reads the password from the console. Programs should call either this
293 * function or @link cupsSetPasswordCB2@, as only one callback can be registered
294 * by a program per thread.
296 * Note: The current password callback is tracked separately for each thread
297 * in a program. Multi-threaded programs that override the callback need to do
298 * so in each thread for the same callback to be used.
304 cupsSetPasswordCB(cups_password_cb_t cb
)/* I - Callback function */
306 _cups_globals_t
*cg
= _cupsGlobals(); /* Pointer to library globals */
309 if (cb
== (cups_password_cb_t
)0)
310 cg
->password_cb
= (cups_password_cb2_t
)_cupsGetPassword
;
312 cg
->password_cb
= (cups_password_cb2_t
)cb
;
314 cg
->password_data
= NULL
;
319 * 'cupsSetPasswordCB2()' - Set the advanced password callback for CUPS.
321 * Pass @code NULL@ to restore the default (console) password callback, which
322 * reads the password from the console. Programs should call either this
323 * function or @link cupsSetPasswordCB2@, as only one callback can be registered
324 * by a program per thread.
326 * Note: The current password callback is tracked separately for each thread
327 * in a program. Multi-threaded programs that override the callback need to do
328 * so in each thread for the same callback to be used.
330 * @since CUPS 1.4/macOS 10.6@
335 cups_password_cb2_t cb
, /* I - Callback function */
336 void *user_data
) /* I - User data pointer */
338 _cups_globals_t
*cg
= _cupsGlobals(); /* Pointer to library globals */
341 if (cb
== (cups_password_cb2_t
)0)
342 cg
->password_cb
= (cups_password_cb2_t
)_cupsGetPassword
;
344 cg
->password_cb
= cb
;
346 cg
->password_data
= user_data
;
351 * 'cupsSetServer()' - Set the default server name and port.
353 * The "server" string can be a fully-qualified hostname, a numeric
354 * IPv4 or IPv6 address, or a domain socket pathname. Hostnames and numeric IP
355 * addresses can be optionally followed by a colon and port number to override
356 * the default port 631, e.g. "hostname:8631". Pass @code NULL@ to restore the
357 * default server name and port.
359 * Note: The current server is tracked separately for each thread in a program.
360 * Multi-threaded programs that override the server need to do so in each
361 * thread for the same server to be used.
365 cupsSetServer(const char *server
) /* I - Server name */
367 char *options
, /* Options */
368 *port
; /* Pointer to port */
369 _cups_globals_t
*cg
= _cupsGlobals(); /* Pointer to library globals */
374 strlcpy(cg
->server
, server
, sizeof(cg
->server
));
376 if (cg
->server
[0] != '/' && (options
= strrchr(cg
->server
, '/')) != NULL
)
380 if (!strcmp(options
, "version=1.0"))
381 cg
->server_version
= 10;
382 else if (!strcmp(options
, "version=1.1"))
383 cg
->server_version
= 11;
384 else if (!strcmp(options
, "version=2.0"))
385 cg
->server_version
= 20;
386 else if (!strcmp(options
, "version=2.1"))
387 cg
->server_version
= 21;
388 else if (!strcmp(options
, "version=2.2"))
389 cg
->server_version
= 22;
392 cg
->server_version
= 20;
394 if (cg
->server
[0] != '/' && (port
= strrchr(cg
->server
, ':')) != NULL
&&
395 !strchr(port
, ']') && isdigit(port
[1] & 255))
399 cg
->ipp_port
= atoi(port
);
403 cups_set_default_ipp_port(cg
);
405 if (cg
->server
[0] == '/')
406 strlcpy(cg
->servername
, "localhost", sizeof(cg
->servername
));
408 strlcpy(cg
->servername
, cg
->server
, sizeof(cg
->servername
));
412 cg
->server
[0] = '\0';
413 cg
->servername
[0] = '\0';
414 cg
->server_version
= 20;
427 * 'cupsSetServerCertCB()' - Set the server certificate callback.
429 * Pass @code NULL@ to restore the default callback.
431 * Note: The current credentials callback is tracked separately for each thread
432 * in a program. Multi-threaded programs that override the callback need to do
433 * so in each thread for the same callback to be used.
435 * @since CUPS 1.5/macOS 10.7@
440 cups_server_cert_cb_t cb
, /* I - Callback function */
441 void *user_data
) /* I - User data pointer */
443 _cups_globals_t
*cg
= _cupsGlobals(); /* Pointer to library globals */
446 cg
->server_cert_cb
= cb
;
447 cg
->server_cert_data
= user_data
;
452 * 'cupsSetUser()' - Set the default user name.
454 * Pass @code NULL@ to restore the default user name.
456 * Note: The current user name is tracked separately for each thread in a
457 * program. Multi-threaded programs that override the user name need to do so
458 * in each thread for the same user name to be used.
462 cupsSetUser(const char *user
) /* I - User name */
464 _cups_globals_t
*cg
= _cupsGlobals(); /* Pointer to library globals */
468 strlcpy(cg
->user
, user
, sizeof(cg
->user
));
475 * 'cupsSetUserAgent()' - Set the default HTTP User-Agent string.
477 * Setting the string to NULL forces the default value containing the CUPS
478 * version, IPP version, and operating system version and architecture.
480 * @since CUPS 1.7/macOS 10.9@
484 cupsSetUserAgent(const char *user_agent
)/* I - User-Agent string or @code NULL@ */
486 _cups_globals_t
*cg
= _cupsGlobals();
489 SYSTEM_INFO sysinfo
; /* System information */
490 OSVERSIONINFOA version
; /* OS version info */
492 struct utsname name
; /* uname info */
498 strlcpy(cg
->user_agent
, user_agent
, sizeof(cg
->user_agent
));
503 version
.dwOSVersionInfoSize
= sizeof(OSVERSIONINFO
);
504 GetVersionExA(&version
);
505 GetNativeSystemInfo(&sysinfo
);
507 snprintf(cg
->user_agent
, sizeof(cg
->user_agent
),
508 CUPS_MINIMAL
" (Windows %d.%d; %s) IPP/2.0",
509 version
.dwMajorVersion
, version
.dwMinorVersion
,
510 sysinfo
.wProcessorArchitecture
511 == PROCESSOR_ARCHITECTURE_AMD64
? "amd64" :
512 sysinfo
.wProcessorArchitecture
513 == PROCESSOR_ARCHITECTURE_ARM
? "arm" :
514 sysinfo
.wProcessorArchitecture
515 == PROCESSOR_ARCHITECTURE_IA64
? "ia64" :
516 sysinfo
.wProcessorArchitecture
517 == PROCESSOR_ARCHITECTURE_INTEL
? "intel" :
523 snprintf(cg
->user_agent
, sizeof(cg
->user_agent
),
524 CUPS_MINIMAL
" (%s %s; %s) IPP/2.0",
525 name
.sysname
, name
.release
, name
.machine
);
531 * 'cupsUser()' - Return the current user's name.
533 * Note: The current user name is tracked separately for each thread in a
534 * program. Multi-threaded programs that override the user name with the
535 * @link cupsSetUser@ function need to do so in each thread for the same user
539 const char * /* O - User name */
542 _cups_globals_t
*cg
= _cupsGlobals(); /* Pointer to library globals */
553 * 'cupsUserAgent()' - Return the default HTTP User-Agent string.
555 * @since CUPS 1.7/macOS 10.9@
558 const char * /* O - User-Agent string */
561 _cups_globals_t
*cg
= _cupsGlobals(); /* Thread globals */
564 if (!cg
->user_agent
[0])
565 cupsSetUserAgent(NULL
);
567 return (cg
->user_agent
);
572 * '_cupsGetPassword()' - Get a password from the user.
575 const char * /* O - Password or @code NULL@ if none */
576 _cupsGetPassword(const char *prompt
) /* I - Prompt string */
579 HANDLE tty
; /* Console handle */
580 DWORD mode
; /* Console mode */
581 char passch
, /* Current key press */
582 *passptr
, /* Pointer into password string */
583 *passend
; /* End of password string */
584 DWORD passbytes
; /* Bytes read */
585 _cups_globals_t
*cg
= _cupsGlobals();
590 * Disable input echo and set raw input...
593 if ((tty
= GetStdHandle(STD_INPUT_HANDLE
)) == INVALID_HANDLE_VALUE
)
596 if (!GetConsoleMode(tty
, &mode
))
599 if (!SetConsoleMode(tty
, 0))
603 * Display the prompt...
606 printf("%s ", prompt
);
610 * Read the password string from /dev/tty until we get interrupted or get a
611 * carriage return or newline...
614 passptr
= cg
->password
;
615 passend
= cg
->password
+ sizeof(cg
->password
) - 1;
617 while (ReadFile(tty
, &passch
, 1, &passbytes
, NULL
))
619 if (passch
== 0x0A || passch
== 0x0D)
627 else if (passch
== 0x08 || passch
== 0x7F)
630 * Backspace/delete (erase character)...
633 if (passptr
> cg
->password
)
636 fputs("\010 \010", stdout
);
641 else if (passch
== 0x15)
644 * CTRL+U (erase line)
647 if (passptr
> cg
->password
)
649 while (passptr
> cg
->password
)
652 fputs("\010 \010", stdout
);
658 else if (passch
== 0x03)
664 passptr
= cg
->password
;
667 else if ((passch
& 255) < 0x20 || passptr
>= passend
)
672 putchar(_CUPS_PASSCHAR
);
685 SetConsoleMode(tty
, mode
);
688 * Return the proper value...
691 if (passbytes
== 1 && passptr
> cg
->password
)
694 return (cg
->password
);
698 memset(cg
->password
, 0, sizeof(cg
->password
));
703 int tty
; /* /dev/tty - never read from stdin */
704 struct termios original
, /* Original input mode */
705 noecho
; /* No echo input mode */
706 char passch
, /* Current key press */
707 *passptr
, /* Pointer into password string */
708 *passend
; /* End of password string */
709 ssize_t passbytes
; /* Bytes read */
710 _cups_globals_t
*cg
= _cupsGlobals();
715 * Disable input echo and set raw input...
718 if ((tty
= open("/dev/tty", O_RDONLY
)) < 0)
721 if (tcgetattr(tty
, &original
))
728 noecho
.c_lflag
&= (tcflag_t
)~(ICANON
| ECHO
| ECHOE
| ISIG
);
729 noecho
.c_cc
[VMIN
] = 1;
730 noecho
.c_cc
[VTIME
] = 0;
732 if (tcsetattr(tty
, TCSAFLUSH
, &noecho
))
739 * Display the prompt...
742 printf("%s ", prompt
);
746 * Read the password string from /dev/tty until we get interrupted or get a
747 * carriage return or newline...
750 passptr
= cg
->password
;
751 passend
= cg
->password
+ sizeof(cg
->password
) - 1;
753 while ((passbytes
= read(tty
, &passch
, 1)) == 1)
755 if (passch
== noecho
.c_cc
[VEOL
] ||
757 passch
== noecho
.c_cc
[VEOL2
] ||
759 passch
== 0x0A || passch
== 0x0D)
767 else if (passch
== noecho
.c_cc
[VERASE
] ||
768 passch
== 0x08 || passch
== 0x7F)
771 * Backspace/delete (erase character)...
774 if (passptr
> cg
->password
)
777 fputs("\010 \010", stdout
);
782 else if (passch
== noecho
.c_cc
[VKILL
])
785 * CTRL+U (erase line)
788 if (passptr
> cg
->password
)
790 while (passptr
> cg
->password
)
793 fputs("\010 \010", stdout
);
799 else if (passch
== noecho
.c_cc
[VINTR
] || passch
== noecho
.c_cc
[VQUIT
] ||
800 passch
== noecho
.c_cc
[VEOF
])
803 * CTRL+C, CTRL+D, or CTRL+Z...
806 passptr
= cg
->password
;
809 else if ((passch
& 255) < 0x20 || passptr
>= passend
)
814 putchar(_CUPS_PASSCHAR
);
827 tcsetattr(tty
, TCSAFLUSH
, &original
);
831 * Return the proper value...
834 if (passbytes
== 1 && passptr
> cg
->password
)
837 return (cg
->password
);
841 memset(cg
->password
, 0, sizeof(cg
->password
));
850 * '_cupsGSSServiceName()' - Get the GSS (Kerberos) service name.
854 _cupsGSSServiceName(void)
856 _cups_globals_t
*cg
= _cupsGlobals(); /* Thread globals */
859 if (!cg
->gss_service_name
[0])
862 return (cg
->gss_service_name
);
864 #endif /* HAVE_GSSAPI */
868 * '_cupsSetDefaults()' - Set the default server, port, and encryption.
872 _cupsSetDefaults(void)
874 cups_file_t
*fp
; /* File */
875 const char *home
; /* Home directory of user */
876 char filename
[1024]; /* Filename */
877 _cups_client_conf_t cc
; /* client.conf values */
878 _cups_globals_t
*cg
= _cupsGlobals(); /* Pointer to library globals */
881 DEBUG_puts("_cupsSetDefaults()");
884 * Load initial client.conf values...
887 cups_init_client_conf(&cc
);
890 * Read the /etc/cups/client.conf and ~/.cups/client.conf files, if
894 snprintf(filename
, sizeof(filename
), "%s/client.conf", cg
->cups_serverroot
);
895 if ((fp
= cupsFileOpen(filename
, "r")) != NULL
)
897 cups_read_client_conf(fp
, &cc
);
902 if ((geteuid() == getuid() || !getuid()) && getegid() == getgid() && (home
= getenv("HOME")) != NULL
)
903 # elif !defined(_WIN32)
904 if (getuid() && (home
= getenv("HOME")) != NULL
)
906 if ((home
= getenv("HOME")) != NULL
)
907 # endif /* HAVE_GETEUID */
910 * Look for ~/.cups/client.conf...
913 snprintf(filename
, sizeof(filename
), "%s/.cups/client.conf", home
);
914 if ((fp
= cupsFileOpen(filename
, "r")) != NULL
)
916 cups_read_client_conf(fp
, &cc
);
922 * Finalize things so every client.conf value is set...
925 cups_finalize_client_conf(&cc
);
927 if (cg
->encryption
== (http_encryption_t
)-1)
928 cg
->encryption
= cc
.encryption
;
930 if (!cg
->server
[0] || !cg
->ipp_port
)
931 cupsSetServer(cc
.server_name
);
934 cups_set_default_ipp_port(cg
);
937 strlcpy(cg
->user
, cc
.user
, sizeof(cg
->user
));
940 if (!cg
->gss_service_name
[0])
941 strlcpy(cg
->gss_service_name
, cc
.gss_service_name
, sizeof(cg
->gss_service_name
));
942 #endif /* HAVE_GSSAPI */
944 if (cg
->trust_first
< 0)
945 cg
->trust_first
= cc
.trust_first
;
947 if (cg
->any_root
< 0)
948 cg
->any_root
= cc
.any_root
;
950 if (cg
->expired_certs
< 0)
951 cg
->expired_certs
= cc
.expired_certs
;
953 if (cg
->validate_certs
< 0)
954 cg
->validate_certs
= cc
.validate_certs
;
957 _httpTLSSetOptions(cc
.ssl_options
| _HTTP_TLS_SET_DEFAULT
, cc
.ssl_min_version
, cc
.ssl_max_version
);
958 #endif /* HAVE_SSL */
964 * 'cups_apple_get_boolean()' - Get a boolean setting from the CUPS preferences.
967 static int /* O - 1 if set, 0 otherwise */
968 cups_apple_get_boolean(
969 CFStringRef key
, /* I - Key (name) */
970 int *value
) /* O - Boolean value */
972 Boolean bval
, /* Preference value */
973 bval_set
; /* Value is set? */
976 bval
= CFPreferencesGetAppBooleanValue(key
, kCUPSPrintingPrefs
, &bval_set
);
981 return ((int)bval_set
);
986 * 'cups_apple_get_string()' - Get a string setting from the CUPS preferences.
989 static int /* O - 1 if set, 0 otherwise */
990 cups_apple_get_string(
991 CFStringRef key
, /* I - Key (name) */
992 char *value
, /* O - String value */
993 size_t valsize
) /* I - Size of value buffer */
995 CFStringRef sval
; /* String value */
998 if ((sval
= CFPreferencesCopyAppValue(key
, kCUPSPrintingPrefs
)) != NULL
)
1000 Boolean result
= CFStringGetCString(sval
, value
, (CFIndex
)valsize
, kCFStringEncodingUTF8
);
1010 #endif /* __APPLE__ */
1014 * 'cups_boolean_value()' - Convert a string to a boolean value.
1017 static int /* O - Boolean value */
1018 cups_boolean_value(const char *value
) /* I - String value */
1020 return (!_cups_strcasecmp(value
, "yes") || !_cups_strcasecmp(value
, "on") || !_cups_strcasecmp(value
, "true"));
1025 * 'cups_finalize_client_conf()' - Finalize client.conf values.
1029 cups_finalize_client_conf(
1030 _cups_client_conf_t
*cc
) /* I - client.conf values */
1032 const char *value
; /* Environment variable */
1035 if ((value
= getenv("CUPS_TRUSTFIRST")) != NULL
)
1036 cc
->trust_first
= cups_boolean_value(value
);
1038 if ((value
= getenv("CUPS_ANYROOT")) != NULL
)
1039 cc
->any_root
= cups_boolean_value(value
);
1041 if ((value
= getenv("CUPS_ENCRYPTION")) != NULL
)
1042 cups_set_encryption(cc
, value
);
1044 if ((value
= getenv("CUPS_EXPIREDCERTS")) != NULL
)
1045 cc
->expired_certs
= cups_boolean_value(value
);
1048 if ((value
= getenv("CUPS_GSSSERVICENAME")) != NULL
)
1049 cups_set_gss_service_name(cc
, value
);
1050 #endif /* HAVE_GSSAPI */
1052 if ((value
= getenv("CUPS_SERVER")) != NULL
)
1053 cups_set_server_name(cc
, value
);
1055 if ((value
= getenv("CUPS_USER")) != NULL
)
1056 cups_set_user(cc
, value
);
1058 if ((value
= getenv("CUPS_VALIDATECERTS")) != NULL
)
1059 cc
->validate_certs
= cups_boolean_value(value
);
1062 * Then apply defaults for those values that haven't been set...
1065 if (cc
->trust_first
< 0)
1066 cc
->trust_first
= 1;
1068 if (cc
->any_root
< 0)
1071 if (cc
->encryption
== (http_encryption_t
)-1)
1072 cc
->encryption
= HTTP_ENCRYPTION_IF_REQUESTED
;
1074 if (cc
->expired_certs
< 0)
1075 cc
->expired_certs
= 0;
1078 if (!cc
->gss_service_name
[0])
1079 cups_set_gss_service_name(cc
, CUPS_DEFAULT_GSSSERVICENAME
);
1080 #endif /* HAVE_GSSAPI */
1082 if (!cc
->server_name
[0])
1084 #ifdef CUPS_DEFAULT_DOMAINSOCKET
1086 * If we are compiled with domain socket support, only use the
1087 * domain socket if it exists and has the right permissions...
1090 if (!access(CUPS_DEFAULT_DOMAINSOCKET
, R_OK
))
1091 cups_set_server_name(cc
, CUPS_DEFAULT_DOMAINSOCKET
);
1093 #endif /* CUPS_DEFAULT_DOMAINSOCKET */
1094 cups_set_server_name(cc
, "localhost");
1101 * Get the current user name from the OS...
1104 DWORD size
; /* Size of string */
1106 size
= sizeof(cc
->user
);
1107 if (!GetUserNameA(cc
->user
, &size
))
1110 * Try the USER environment variable as the default username...
1113 const char *envuser
= getenv("USER");
1114 /* Default username */
1115 struct passwd
*pw
= NULL
; /* Account information */
1120 * Validate USER matches the current UID, otherwise don't allow it to
1121 * override things... This makes sure that printing after doing su
1122 * or sudo records the correct username.
1125 if ((pw
= getpwnam(envuser
)) != NULL
&& pw
->pw_uid
!= getuid())
1130 pw
= getpwuid(getuid());
1133 strlcpy(cc
->user
, pw
->pw_name
, sizeof(cc
->user
));
1138 * Use the default "unknown" user name...
1141 strlcpy(cc
->user
, "unknown", sizeof(cc
->user
));
1145 if (cc
->validate_certs
< 0)
1146 cc
->validate_certs
= 0;
1151 * 'cups_init_client_conf()' - Initialize client.conf values.
1155 cups_init_client_conf(
1156 _cups_client_conf_t
*cc
) /* I - client.conf values */
1159 * Clear all values to "not set"...
1162 memset(cc
, 0, sizeof(_cups_client_conf_t
));
1165 cc
->ssl_min_version
= _HTTP_TLS_1_0
;
1166 cc
->ssl_max_version
= _HTTP_TLS_MAX
;
1167 #endif /* HAVE_SSL */
1168 cc
->encryption
= (http_encryption_t
)-1;
1169 cc
->trust_first
= -1;
1171 cc
->expired_certs
= -1;
1172 cc
->validate_certs
= -1;
1175 * Load settings from the org.cups.PrintingPrefs plist (which trump
1179 #if defined(__APPLE__) && defined(HAVE_SSL)
1180 char sval
[1024]; /* String value */
1181 int bval
; /* Boolean value */
1183 if (cups_apple_get_boolean(kAllowAnyRootKey
, &bval
))
1184 cc
->any_root
= bval
;
1186 if (cups_apple_get_boolean(kAllowExpiredCertsKey
, &bval
))
1187 cc
->expired_certs
= bval
;
1189 if (cups_apple_get_string(kEncryptionKey
, sval
, sizeof(sval
)))
1190 cups_set_encryption(cc
, sval
);
1192 if (cups_apple_get_string(kSSLOptionsKey
, sval
, sizeof(sval
)))
1193 cups_set_ssl_options(cc
, sval
);
1195 if (cups_apple_get_boolean(kTrustOnFirstUseKey
, &bval
))
1196 cc
->trust_first
= bval
;
1198 if (cups_apple_get_boolean(kValidateCertsKey
, &bval
))
1199 cc
->validate_certs
= bval
;
1200 #endif /* __APPLE__ && HAVE_SSL */
1205 * 'cups_read_client_conf()' - Read a client.conf file.
1209 cups_read_client_conf(
1210 cups_file_t
*fp
, /* I - File to read */
1211 _cups_client_conf_t
*cc
) /* I - client.conf values */
1213 int linenum
; /* Current line number */
1214 char line
[1024], /* Line from file */
1215 *value
; /* Pointer into line */
1219 * Read from the file...
1223 while (cupsFileGetConf(fp
, line
, sizeof(line
), &value
, &linenum
))
1225 if (!_cups_strcasecmp(line
, "Encryption") && value
)
1226 cups_set_encryption(cc
, value
);
1229 * The ServerName directive is not supported on macOS due to app
1230 * sandboxing restrictions, i.e. not all apps request network access.
1232 else if (!_cups_strcasecmp(line
, "ServerName") && value
)
1233 cups_set_server_name(cc
, value
);
1234 #endif /* !__APPLE__ */
1235 else if (!_cups_strcasecmp(line
, "User") && value
)
1236 cups_set_user(cc
, value
);
1237 else if (!_cups_strcasecmp(line
, "TrustOnFirstUse") && value
)
1238 cc
->trust_first
= cups_boolean_value(value
);
1239 else if (!_cups_strcasecmp(line
, "AllowAnyRoot") && value
)
1240 cc
->any_root
= cups_boolean_value(value
);
1241 else if (!_cups_strcasecmp(line
, "AllowExpiredCerts") &&
1243 cc
->expired_certs
= cups_boolean_value(value
);
1244 else if (!_cups_strcasecmp(line
, "ValidateCerts") && value
)
1245 cc
->validate_certs
= cups_boolean_value(value
);
1247 else if (!_cups_strcasecmp(line
, "GSSServiceName") && value
)
1248 cups_set_gss_service_name(cc
, value
);
1249 #endif /* HAVE_GSSAPI */
1251 else if (!_cups_strcasecmp(line
, "SSLOptions") && value
)
1252 cups_set_ssl_options(cc
, value
);
1253 #endif /* HAVE_SSL */
1259 * 'cups_set_default_ipp_port()' - Set the default IPP port value.
1263 cups_set_default_ipp_port(
1264 _cups_globals_t
*cg
) /* I - Global data */
1266 const char *ipp_port
; /* IPP_PORT environment variable */
1269 if ((ipp_port
= getenv("IPP_PORT")) != NULL
)
1271 if ((cg
->ipp_port
= atoi(ipp_port
)) <= 0)
1272 cg
->ipp_port
= CUPS_DEFAULT_IPP_PORT
;
1275 cg
->ipp_port
= CUPS_DEFAULT_IPP_PORT
;
1279 * 'cups_set_encryption()' - Set the Encryption value.
1283 cups_set_encryption(
1284 _cups_client_conf_t
*cc
, /* I - client.conf values */
1285 const char *value
) /* I - Value */
1287 if (!_cups_strcasecmp(value
, "never"))
1288 cc
->encryption
= HTTP_ENCRYPTION_NEVER
;
1289 else if (!_cups_strcasecmp(value
, "always"))
1290 cc
->encryption
= HTTP_ENCRYPTION_ALWAYS
;
1291 else if (!_cups_strcasecmp(value
, "required"))
1292 cc
->encryption
= HTTP_ENCRYPTION_REQUIRED
;
1294 cc
->encryption
= HTTP_ENCRYPTION_IF_REQUESTED
;
1299 * 'cups_set_gss_service_name()' - Set the GSSServiceName value.
1304 cups_set_gss_service_name(
1305 _cups_client_conf_t
*cc
, /* I - client.conf values */
1306 const char *value
) /* I - Value */
1308 strlcpy(cc
->gss_service_name
, value
, sizeof(cc
->gss_service_name
));
1310 #endif /* HAVE_GSSAPI */
1314 * 'cups_set_server_name()' - Set the ServerName value.
1318 cups_set_server_name(
1319 _cups_client_conf_t
*cc
, /* I - client.conf values */
1320 const char *value
) /* I - Value */
1322 strlcpy(cc
->server_name
, value
, sizeof(cc
->server_name
));
1327 * 'cups_set_ssl_options()' - Set the SSLOptions value.
1332 cups_set_ssl_options(
1333 _cups_client_conf_t
*cc
, /* I - client.conf values */
1334 const char *value
) /* I - Value */
1337 * SSLOptions [AllowRC4] [AllowSSL3] [AllowDH] [DenyTLS1.0] [None]
1340 int options
= _HTTP_TLS_NONE
, /* SSL/TLS options */
1341 min_version
= _HTTP_TLS_1_0
, /* Minimum SSL/TLS version */
1342 max_version
= _HTTP_TLS_MAX
; /* Maximum SSL/TLS version */
1343 char temp
[256], /* Copy of value */
1344 *start
, /* Start of option */
1345 *end
; /* End of option */
1348 strlcpy(temp
, value
, sizeof(temp
));
1350 for (start
= temp
; *start
; start
= end
)
1353 * Find end of keyword...
1357 while (*end
&& !_cups_isspace(*end
))
1367 if (!_cups_strcasecmp(start
, "AllowRC4"))
1368 options
|= _HTTP_TLS_ALLOW_RC4
;
1369 else if (!_cups_strcasecmp(start
, "AllowSSL3"))
1370 min_version
= _HTTP_TLS_SSL3
;
1371 else if (!_cups_strcasecmp(start
, "AllowDH"))
1372 options
|= _HTTP_TLS_ALLOW_DH
;
1373 else if (!_cups_strcasecmp(start
, "DenyCBC"))
1374 options
|= _HTTP_TLS_DENY_CBC
;
1375 else if (!_cups_strcasecmp(start
, "DenyTLS1.0"))
1376 min_version
= _HTTP_TLS_1_1
;
1377 else if (!_cups_strcasecmp(start
, "MaxTLS1.0"))
1378 max_version
= _HTTP_TLS_1_0
;
1379 else if (!_cups_strcasecmp(start
, "MaxTLS1.1"))
1380 max_version
= _HTTP_TLS_1_1
;
1381 else if (!_cups_strcasecmp(start
, "MaxTLS1.2"))
1382 max_version
= _HTTP_TLS_1_2
;
1383 else if (!_cups_strcasecmp(start
, "MaxTLS1.3"))
1384 max_version
= _HTTP_TLS_1_3
;
1385 else if (!_cups_strcasecmp(start
, "MinTLS1.0"))
1386 min_version
= _HTTP_TLS_1_0
;
1387 else if (!_cups_strcasecmp(start
, "MinTLS1.1"))
1388 min_version
= _HTTP_TLS_1_1
;
1389 else if (!_cups_strcasecmp(start
, "MinTLS1.2"))
1390 min_version
= _HTTP_TLS_1_2
;
1391 else if (!_cups_strcasecmp(start
, "MinTLS1.3"))
1392 min_version
= _HTTP_TLS_1_3
;
1393 else if (!_cups_strcasecmp(start
, "None"))
1394 options
= _HTTP_TLS_NONE
;
1397 cc
->ssl_options
= options
;
1398 cc
->ssl_max_version
= max_version
;
1399 cc
->ssl_min_version
= min_version
;
1401 DEBUG_printf(("4cups_set_ssl_options(cc=%p, value=\"%s\") options=%x, min_version=%d, max_version=%d", (void *)cc
, value
, options
, min_version
, max_version
));
1403 #endif /* HAVE_SSL */
1407 * 'cups_set_user()' - Set the User value.
1412 _cups_client_conf_t
*cc
, /* I - client.conf values */
1413 const char *value
) /* I - Value */
1415 strlcpy(cc
->user
, value
, sizeof(cc
->user
));