2 * User, system, and password routines for CUPS.
4 * Copyright 2007-2019 by Apple Inc.
5 * Copyright 1997-2006 by Easy Software Products.
7 * Licensed under Apache License v2.0. See the file "LICENSE" for more
12 * Include necessary headers...
15 #include "cups-private.h"
16 #include "debug-internal.h"
24 # include <sys/utsname.h>
27 # include <sys/sysctl.h>
28 #endif /* __APPLE__ */
37 # define kCUPSPrintingPrefs CFSTR("org.cups.PrintingPrefs")
40 # define kCUPSPrintingPrefs CFSTR(".GlobalPreferences")
41 # define kPREFIX "AirPrint"
42 # endif /* TARGET_OS_OSX */
43 # define kDigestOptionsKey CFSTR(kPREFIX "DigestOptions")
44 # define kUserKey CFSTR(kPREFIX "User")
45 # define kUserAgentTokensKey CFSTR(kPREFIX "UserAgentTokens")
46 # define kAllowAnyRootKey CFSTR(kPREFIX "AllowAnyRoot")
47 # define kAllowExpiredCertsKey CFSTR(kPREFIX "AllowExpiredCerts")
48 # define kEncryptionKey CFSTR(kPREFIX "Encryption")
49 # define kGSSServiceNameKey CFSTR(kPREFIX "GSSServiceName")
50 # define kSSLOptionsKey CFSTR(kPREFIX "SSLOptions")
51 # define kTrustOnFirstUseKey CFSTR(kPREFIX "TrustOnFirstUse")
52 # define kValidateCertsKey CFSTR(kPREFIX "ValidateCerts")
54 # define kAllowRC4 CFSTR(kPREFIX "AllowRC4")
55 # define kAllowSSL3 CFSTR(kPREFIX "AllowSSL3")
56 # define kAllowDH CFSTR(kPREFIX "AllowDH")
57 #endif /* __APPLE__ */
59 #define _CUPS_PASSCHAR '*' /* Character that is echoed for password */
66 typedef struct _cups_client_conf_s
/**** client.conf config data ****/
68 _cups_digestoptions_t digestoptions
; /* DigestOptions values */
69 _cups_uatokens_t uatokens
; /* UserAgentTokens values */
71 int ssl_options
, /* SSLOptions values */
72 ssl_min_version
,/* Minimum SSL/TLS version */
73 ssl_max_version
;/* Maximum SSL/TLS version */
75 int trust_first
, /* Trust on first use? */
76 any_root
, /* Allow any (e.g., self-signed) root */
77 expired_certs
, /* Allow expired certs */
78 validate_certs
; /* Validate certificates */
79 http_encryption_t encryption
; /* Encryption setting */
80 char user
[65], /* User name */
84 char gss_service_name
[32];
85 /* Kerberos service name */
86 #endif /* HAVE_GSSAPI */
87 } _cups_client_conf_t
;
95 static int cups_apple_get_boolean(CFStringRef key
, int *value
);
96 static int cups_apple_get_string(CFStringRef key
, char *value
, size_t valsize
);
97 #endif /* __APPLE__ */
98 static int cups_boolean_value(const char *value
);
99 static void cups_finalize_client_conf(_cups_client_conf_t
*cc
);
100 static void cups_init_client_conf(_cups_client_conf_t
*cc
);
101 static void cups_read_client_conf(cups_file_t
*fp
, _cups_client_conf_t
*cc
);
102 static void cups_set_default_ipp_port(_cups_globals_t
*cg
);
103 static void cups_set_digestoptions(_cups_client_conf_t
*cc
, const char *value
);
104 static void cups_set_encryption(_cups_client_conf_t
*cc
, const char *value
);
106 static void cups_set_gss_service_name(_cups_client_conf_t
*cc
, const char *value
);
107 #endif /* HAVE_GSSAPI */
108 static void cups_set_server_name(_cups_client_conf_t
*cc
, const char *value
);
110 static void cups_set_ssl_options(_cups_client_conf_t
*cc
, const char *value
);
111 #endif /* HAVE_SSL */
112 static void cups_set_uatokens(_cups_client_conf_t
*cc
, const char *value
);
113 static void cups_set_user(_cups_client_conf_t
*cc
, const char *value
);
117 * 'cupsEncryption()' - Get the current encryption settings.
119 * The default encryption setting comes from the CUPS_ENCRYPTION
120 * environment variable, then the ~/.cups/client.conf file, and finally the
121 * /etc/cups/client.conf file. If not set, the default is
122 * @code HTTP_ENCRYPTION_IF_REQUESTED@.
124 * Note: The current encryption setting is tracked separately for each thread
125 * in a program. Multi-threaded programs that override the setting via the
126 * @link cupsSetEncryption@ function need to do so in each thread for the same
127 * setting to be used.
130 http_encryption_t
/* O - Encryption settings */
133 _cups_globals_t
*cg
= _cupsGlobals(); /* Pointer to library globals */
136 if (cg
->encryption
== (http_encryption_t
)-1)
139 return (cg
->encryption
);
144 * 'cupsGetPassword()' - Get a password from the user.
146 * Uses the current password callback function. Returns @code NULL@ if the
147 * user does not provide a password.
149 * Note: The current password callback function is tracked separately for each
150 * thread in a program. Multi-threaded programs that override the setting via
151 * the @link cupsSetPasswordCB@ or @link cupsSetPasswordCB2@ functions need to
152 * do so in each thread for the same function to be used.
157 const char * /* O - Password */
158 cupsGetPassword(const char *prompt
) /* I - Prompt string */
160 _cups_globals_t
*cg
= _cupsGlobals(); /* Pointer to library globals */
163 return ((cg
->password_cb
)(prompt
, NULL
, NULL
, NULL
, cg
->password_data
));
168 * 'cupsGetPassword2()' - Get a password from the user using the current
171 * Uses the current password callback function. Returns @code NULL@ if the
172 * user does not provide a password.
174 * Note: The current password callback function is tracked separately for each
175 * thread in a program. Multi-threaded programs that override the setting via
176 * the @link cupsSetPasswordCB2@ function need to do so in each thread for the
177 * same function to be used.
179 * @since CUPS 1.4/macOS 10.6@
182 const char * /* O - Password */
183 cupsGetPassword2(const char *prompt
, /* I - Prompt string */
184 http_t
*http
, /* I - Connection to server or @code CUPS_HTTP_DEFAULT@ */
185 const char *method
, /* I - Request method ("GET", "POST", "PUT") */
186 const char *resource
) /* I - Resource path */
188 _cups_globals_t
*cg
= _cupsGlobals(); /* Pointer to library globals */
192 http
= _cupsConnect();
194 return ((cg
->password_cb
)(prompt
, http
, method
, resource
, cg
->password_data
));
199 * 'cupsServer()' - Return the hostname/address of the current server.
201 * The default server comes from the CUPS_SERVER environment variable, then the
202 * ~/.cups/client.conf file, and finally the /etc/cups/client.conf file. If not
203 * set, the default is the local system - either "localhost" or a domain socket
206 * The returned value can be a fully-qualified hostname, a numeric IPv4 or IPv6
207 * address, or a domain socket pathname.
209 * Note: The current server is tracked separately for each thread in a program.
210 * Multi-threaded programs that override the server via the
211 * @link cupsSetServer@ function need to do so in each thread for the same
215 const char * /* O - Server name */
218 _cups_globals_t
*cg
= _cupsGlobals(); /* Pointer to library globals */
229 * 'cupsSetClientCertCB()' - Set the client certificate callback.
231 * Pass @code NULL@ to restore the default callback.
233 * Note: The current certificate callback is tracked separately for each thread
234 * in a program. Multi-threaded programs that override the callback need to do
235 * so in each thread for the same callback to be used.
237 * @since CUPS 1.5/macOS 10.7@
242 cups_client_cert_cb_t cb
, /* I - Callback function */
243 void *user_data
) /* I - User data pointer */
245 _cups_globals_t
*cg
= _cupsGlobals(); /* Pointer to library globals */
248 cg
->client_cert_cb
= cb
;
249 cg
->client_cert_data
= user_data
;
254 * 'cupsSetCredentials()' - Set the default credentials to be used for SSL/TLS
257 * Note: The default credentials are tracked separately for each thread in a
258 * program. Multi-threaded programs that override the setting need to do so in
259 * each thread for the same setting to be used.
261 * @since CUPS 1.5/macOS 10.7@
264 int /* O - Status of call (0 = success) */
266 cups_array_t
*credentials
) /* I - Array of credentials */
268 _cups_globals_t
*cg
= _cupsGlobals(); /* Pointer to library globals */
271 if (cupsArrayCount(credentials
) < 1)
275 _httpFreeCredentials(cg
->tls_credentials
);
276 cg
->tls_credentials
= _httpCreateCredentials(credentials
);
277 #endif /* HAVE_SSL */
279 return (cg
->tls_credentials
? 0 : -1);
284 * 'cupsSetEncryption()' - Set the encryption preference.
286 * The default encryption setting comes from the CUPS_ENCRYPTION
287 * environment variable, then the ~/.cups/client.conf file, and finally the
288 * /etc/cups/client.conf file. If not set, the default is
289 * @code HTTP_ENCRYPTION_IF_REQUESTED@.
291 * Note: The current encryption setting is tracked separately for each thread
292 * in a program. Multi-threaded programs that override the setting need to do
293 * so in each thread for the same setting to be used.
297 cupsSetEncryption(http_encryption_t e
) /* I - New encryption preference */
299 _cups_globals_t
*cg
= _cupsGlobals(); /* Pointer to library globals */
305 httpEncryption(cg
->http
, e
);
310 * 'cupsSetPasswordCB()' - Set the password callback for CUPS.
312 * Pass @code NULL@ to restore the default (console) password callback, which
313 * reads the password from the console. Programs should call either this
314 * function or @link cupsSetPasswordCB2@, as only one callback can be registered
315 * by a program per thread.
317 * Note: The current password callback is tracked separately for each thread
318 * in a program. Multi-threaded programs that override the callback need to do
319 * so in each thread for the same callback to be used.
325 cupsSetPasswordCB(cups_password_cb_t cb
)/* I - Callback function */
327 _cups_globals_t
*cg
= _cupsGlobals(); /* Pointer to library globals */
330 if (cb
== (cups_password_cb_t
)0)
331 cg
->password_cb
= (cups_password_cb2_t
)_cupsGetPassword
;
333 cg
->password_cb
= (cups_password_cb2_t
)cb
;
335 cg
->password_data
= NULL
;
340 * 'cupsSetPasswordCB2()' - Set the advanced password callback for CUPS.
342 * Pass @code NULL@ to restore the default (console) password callback, which
343 * reads the password from the console. Programs should call either this
344 * function or @link cupsSetPasswordCB2@, as only one callback can be registered
345 * by a program per thread.
347 * Note: The current password callback is tracked separately for each thread
348 * in a program. Multi-threaded programs that override the callback need to do
349 * so in each thread for the same callback to be used.
351 * @since CUPS 1.4/macOS 10.6@
356 cups_password_cb2_t cb
, /* I - Callback function */
357 void *user_data
) /* I - User data pointer */
359 _cups_globals_t
*cg
= _cupsGlobals(); /* Pointer to library globals */
362 if (cb
== (cups_password_cb2_t
)0)
363 cg
->password_cb
= (cups_password_cb2_t
)_cupsGetPassword
;
365 cg
->password_cb
= cb
;
367 cg
->password_data
= user_data
;
372 * 'cupsSetServer()' - Set the default server name and port.
374 * The "server" string can be a fully-qualified hostname, a numeric
375 * IPv4 or IPv6 address, or a domain socket pathname. Hostnames and numeric IP
376 * addresses can be optionally followed by a colon and port number to override
377 * the default port 631, e.g. "hostname:8631". Pass @code NULL@ to restore the
378 * default server name and port.
380 * Note: The current server is tracked separately for each thread in a program.
381 * Multi-threaded programs that override the server need to do so in each
382 * thread for the same server to be used.
386 cupsSetServer(const char *server
) /* I - Server name */
388 char *options
, /* Options */
389 *port
; /* Pointer to port */
390 _cups_globals_t
*cg
= _cupsGlobals(); /* Pointer to library globals */
395 strlcpy(cg
->server
, server
, sizeof(cg
->server
));
397 if (cg
->server
[0] != '/' && (options
= strrchr(cg
->server
, '/')) != NULL
)
401 if (!strcmp(options
, "version=1.0"))
402 cg
->server_version
= 10;
403 else if (!strcmp(options
, "version=1.1"))
404 cg
->server_version
= 11;
405 else if (!strcmp(options
, "version=2.0"))
406 cg
->server_version
= 20;
407 else if (!strcmp(options
, "version=2.1"))
408 cg
->server_version
= 21;
409 else if (!strcmp(options
, "version=2.2"))
410 cg
->server_version
= 22;
413 cg
->server_version
= 20;
415 if (cg
->server
[0] != '/' && (port
= strrchr(cg
->server
, ':')) != NULL
&&
416 !strchr(port
, ']') && isdigit(port
[1] & 255))
420 cg
->ipp_port
= atoi(port
);
424 cups_set_default_ipp_port(cg
);
426 if (cg
->server
[0] == '/')
427 strlcpy(cg
->servername
, "localhost", sizeof(cg
->servername
));
429 strlcpy(cg
->servername
, cg
->server
, sizeof(cg
->servername
));
433 cg
->server
[0] = '\0';
434 cg
->servername
[0] = '\0';
435 cg
->server_version
= 20;
448 * 'cupsSetServerCertCB()' - Set the server certificate callback.
450 * Pass @code NULL@ to restore the default callback.
452 * Note: The current credentials callback is tracked separately for each thread
453 * in a program. Multi-threaded programs that override the callback need to do
454 * so in each thread for the same callback to be used.
456 * @since CUPS 1.5/macOS 10.7@
461 cups_server_cert_cb_t cb
, /* I - Callback function */
462 void *user_data
) /* I - User data pointer */
464 _cups_globals_t
*cg
= _cupsGlobals(); /* Pointer to library globals */
467 cg
->server_cert_cb
= cb
;
468 cg
->server_cert_data
= user_data
;
473 * 'cupsSetUser()' - Set the default user name.
475 * Pass @code NULL@ to restore the default user name.
477 * Note: The current user name is tracked separately for each thread in a
478 * program. Multi-threaded programs that override the user name need to do so
479 * in each thread for the same user name to be used.
483 cupsSetUser(const char *user
) /* I - User name */
485 _cups_globals_t
*cg
= _cupsGlobals(); /* Pointer to library globals */
489 strlcpy(cg
->user
, user
, sizeof(cg
->user
));
496 * 'cupsSetUserAgent()' - Set the default HTTP User-Agent string.
498 * Setting the string to NULL forces the default value containing the CUPS
499 * version, IPP version, and operating system version and architecture.
501 * @since CUPS 1.7/macOS 10.9@
505 cupsSetUserAgent(const char *user_agent
)/* I - User-Agent string or @code NULL@ */
507 _cups_globals_t
*cg
= _cupsGlobals();
510 SYSTEM_INFO sysinfo
; /* System information */
511 OSVERSIONINFOA version
; /* OS version info */
512 const char *machine
; /* Hardware/machine name */
513 #elif defined(__APPLE__)
514 struct utsname name
; /* uname info */
515 char version
[256]; /* macOS/iOS version */
516 size_t len
; /* Length of value */
518 struct utsname name
; /* uname info */
524 strlcpy(cg
->user_agent
, user_agent
, sizeof(cg
->user_agent
));
528 if (cg
->uatokens
< _CUPS_UATOKENS_OS
)
530 switch (cg
->uatokens
)
533 case _CUPS_UATOKENS_NONE
:
534 cg
->user_agent
[0] = '\0';
536 case _CUPS_UATOKENS_PRODUCT_ONLY
:
537 strlcpy(cg
->user_agent
, "CUPS IPP", sizeof(cg
->user_agent
));
539 case _CUPS_UATOKENS_MAJOR
:
540 snprintf(cg
->user_agent
, sizeof(cg
->user_agent
), "CUPS/%d IPP/2", CUPS_VERSION_MAJOR
);
542 case _CUPS_UATOKENS_MINOR
:
543 snprintf(cg
->user_agent
, sizeof(cg
->user_agent
), "CUPS/%d.%d IPP/2.1", CUPS_VERSION_MAJOR
, CUPS_VERSION_MINOR
);
545 case _CUPS_UATOKENS_MINIMAL
:
546 strlcpy(cg
->user_agent
, CUPS_MINIMAL
" IPP/2.1", sizeof(cg
->user_agent
));
553 * Gather Windows version information for the User-Agent string...
556 version
.dwOSVersionInfoSize
= sizeof(OSVERSIONINFO
);
557 GetVersionExA(&version
);
558 GetNativeSystemInfo(&sysinfo
);
560 switch (sysinfo
.wProcessorArchitecture
)
562 case PROCESSOR_ARCHITECTURE_AMD64
:
566 case PROCESSOR_ARCHITECTURE_ARM
:
570 case PROCESSOR_ARCHITECTURE_IA64
:
574 case PROCESSOR_ARCHITECTURE_INTEL
:
583 if (cg
->uatokens
== _CUPS_UATOKENS_OS
)
584 snprintf(cg
->user_agent
, sizeof(cg
->user_agent
), CUPS_MINIMAL
" (Windows %d.%d) IPP/2.0", version
.dwMajorVersion
, version
.dwMinorVersion
);
586 snprintf(cg
->user_agent
, sizeof(cg
->user_agent
), CUPS_MINIMAL
" (Windows %d.%d; %s) IPP/2.0", version
.dwMajorVersion
, version
.dwMinorVersion
, machine
);
588 #elif defined(__APPLE__)
590 * Gather macOS/iOS version information for the User-Agent string...
595 len
= sizeof(version
) - 1;
596 if (!sysctlbyname("kern.osproductversion", version
, &len
, NULL
, 0))
599 strlcpy(version
, "unknown", sizeof(version
));
602 if (cg
->uatokens
== _CUPS_UATOKENS_OS
)
603 snprintf(cg
->user_agent
, sizeof(cg
->user_agent
), CUPS_MINIMAL
" (macOS %s) IPP/2.0", version
);
605 snprintf(cg
->user_agent
, sizeof(cg
->user_agent
), CUPS_MINIMAL
" (macOS %s; %s) IPP/2.0", version
, name
.machine
);
608 if (cg
->uatokens
== _CUPS_UATOKENS_OS
)
609 snprintf(cg
->user_agent
, sizeof(cg
->user_agent
), CUPS_MINIMAL
" (iOS %s) IPP/2.0", version
);
611 snprintf(cg
->user_agent
, sizeof(cg
->user_agent
), CUPS_MINIMAL
" (iOS %s; %s) IPP/2.0", version
, name
.machine
);
612 # endif /* TARGET_OS_OSX */
616 * Gather generic UNIX version information for the User-Agent string...
621 if (cg
->uatokens
== _CUPS_UATOKENS_OS
)
622 snprintf(cg
->user_agent
, sizeof(cg
->user_agent
), CUPS_MINIMAL
" (%s %s) IPP/2.0", name
.sysname
, name
.release
);
624 snprintf(cg
->user_agent
, sizeof(cg
->user_agent
), CUPS_MINIMAL
" (%s %s; %s) IPP/2.0", name
.sysname
, name
.release
, name
.machine
);
630 * 'cupsUser()' - Return the current user's name.
632 * Note: The current user name is tracked separately for each thread in a
633 * program. Multi-threaded programs that override the user name with the
634 * @link cupsSetUser@ function need to do so in each thread for the same user
638 const char * /* O - User name */
641 _cups_globals_t
*cg
= _cupsGlobals(); /* Pointer to library globals */
652 * 'cupsUserAgent()' - Return the default HTTP User-Agent string.
654 * @since CUPS 1.7/macOS 10.9@
657 const char * /* O - User-Agent string */
660 _cups_globals_t
*cg
= _cupsGlobals(); /* Thread globals */
663 if (!cg
->user_agent
[0])
664 cupsSetUserAgent(NULL
);
666 return (cg
->user_agent
);
671 * '_cupsGetPassword()' - Get a password from the user.
674 const char * /* O - Password or @code NULL@ if none */
675 _cupsGetPassword(const char *prompt
) /* I - Prompt string */
678 HANDLE tty
; /* Console handle */
679 DWORD mode
; /* Console mode */
680 char passch
, /* Current key press */
681 *passptr
, /* Pointer into password string */
682 *passend
; /* End of password string */
683 DWORD passbytes
; /* Bytes read */
684 _cups_globals_t
*cg
= _cupsGlobals();
689 * Disable input echo and set raw input...
692 if ((tty
= GetStdHandle(STD_INPUT_HANDLE
)) == INVALID_HANDLE_VALUE
)
695 if (!GetConsoleMode(tty
, &mode
))
698 if (!SetConsoleMode(tty
, 0))
702 * Display the prompt...
705 printf("%s ", prompt
);
709 * Read the password string from /dev/tty until we get interrupted or get a
710 * carriage return or newline...
713 passptr
= cg
->password
;
714 passend
= cg
->password
+ sizeof(cg
->password
) - 1;
716 while (ReadFile(tty
, &passch
, 1, &passbytes
, NULL
))
718 if (passch
== 0x0A || passch
== 0x0D)
726 else if (passch
== 0x08 || passch
== 0x7F)
729 * Backspace/delete (erase character)...
732 if (passptr
> cg
->password
)
735 fputs("\010 \010", stdout
);
740 else if (passch
== 0x15)
743 * CTRL+U (erase line)
746 if (passptr
> cg
->password
)
748 while (passptr
> cg
->password
)
751 fputs("\010 \010", stdout
);
757 else if (passch
== 0x03)
763 passptr
= cg
->password
;
766 else if ((passch
& 255) < 0x20 || passptr
>= passend
)
771 putchar(_CUPS_PASSCHAR
);
784 SetConsoleMode(tty
, mode
);
787 * Return the proper value...
790 if (passbytes
== 1 && passptr
> cg
->password
)
793 return (cg
->password
);
797 memset(cg
->password
, 0, sizeof(cg
->password
));
802 int tty
; /* /dev/tty - never read from stdin */
803 struct termios original
, /* Original input mode */
804 noecho
; /* No echo input mode */
805 char passch
, /* Current key press */
806 *passptr
, /* Pointer into password string */
807 *passend
; /* End of password string */
808 ssize_t passbytes
; /* Bytes read */
809 _cups_globals_t
*cg
= _cupsGlobals();
814 * Disable input echo and set raw input...
817 if ((tty
= open("/dev/tty", O_RDONLY
)) < 0)
820 if (tcgetattr(tty
, &original
))
827 noecho
.c_lflag
&= (tcflag_t
)~(ICANON
| ECHO
| ECHOE
| ISIG
);
828 noecho
.c_cc
[VMIN
] = 1;
829 noecho
.c_cc
[VTIME
] = 0;
831 if (tcsetattr(tty
, TCSAFLUSH
, &noecho
))
838 * Display the prompt...
841 printf("%s ", prompt
);
845 * Read the password string from /dev/tty until we get interrupted or get a
846 * carriage return or newline...
849 passptr
= cg
->password
;
850 passend
= cg
->password
+ sizeof(cg
->password
) - 1;
852 while ((passbytes
= read(tty
, &passch
, 1)) == 1)
854 if (passch
== noecho
.c_cc
[VEOL
] ||
856 passch
== noecho
.c_cc
[VEOL2
] ||
858 passch
== 0x0A || passch
== 0x0D)
866 else if (passch
== noecho
.c_cc
[VERASE
] ||
867 passch
== 0x08 || passch
== 0x7F)
870 * Backspace/delete (erase character)...
873 if (passptr
> cg
->password
)
876 fputs("\010 \010", stdout
);
881 else if (passch
== noecho
.c_cc
[VKILL
])
884 * CTRL+U (erase line)
887 if (passptr
> cg
->password
)
889 while (passptr
> cg
->password
)
892 fputs("\010 \010", stdout
);
898 else if (passch
== noecho
.c_cc
[VINTR
] || passch
== noecho
.c_cc
[VQUIT
] ||
899 passch
== noecho
.c_cc
[VEOF
])
902 * CTRL+C, CTRL+D, or CTRL+Z...
905 passptr
= cg
->password
;
908 else if ((passch
& 255) < 0x20 || passptr
>= passend
)
913 putchar(_CUPS_PASSCHAR
);
926 tcsetattr(tty
, TCSAFLUSH
, &original
);
930 * Return the proper value...
933 if (passbytes
== 1 && passptr
> cg
->password
)
936 return (cg
->password
);
940 memset(cg
->password
, 0, sizeof(cg
->password
));
949 * '_cupsGSSServiceName()' - Get the GSS (Kerberos) service name.
953 _cupsGSSServiceName(void)
955 _cups_globals_t
*cg
= _cupsGlobals(); /* Thread globals */
958 if (!cg
->gss_service_name
[0])
961 return (cg
->gss_service_name
);
963 #endif /* HAVE_GSSAPI */
967 * '_cupsSetDefaults()' - Set the default server, port, and encryption.
971 _cupsSetDefaults(void)
973 cups_file_t
*fp
; /* File */
974 char filename
[1024]; /* Filename */
975 _cups_client_conf_t cc
; /* client.conf values */
976 _cups_globals_t
*cg
= _cupsGlobals(); /* Pointer to library globals */
979 DEBUG_puts("_cupsSetDefaults()");
982 * Load initial client.conf values...
985 cups_init_client_conf(&cc
);
988 * Read the /etc/cups/client.conf and ~/.cups/client.conf files, if
992 snprintf(filename
, sizeof(filename
), "%s/client.conf", cg
->cups_serverroot
);
993 if ((fp
= cupsFileOpen(filename
, "r")) != NULL
)
995 cups_read_client_conf(fp
, &cc
);
1002 * Look for ~/.cups/client.conf...
1005 snprintf(filename
, sizeof(filename
), "%s/.cups/client.conf", cg
->home
);
1006 if ((fp
= cupsFileOpen(filename
, "r")) != NULL
)
1008 cups_read_client_conf(fp
, &cc
);
1014 * Finalize things so every client.conf value is set...
1017 cups_finalize_client_conf(&cc
);
1019 cg
->uatokens
= cc
.uatokens
;
1021 if (cg
->encryption
== (http_encryption_t
)-1)
1022 cg
->encryption
= cc
.encryption
;
1024 if (!cg
->server
[0] || !cg
->ipp_port
)
1025 cupsSetServer(cc
.server_name
);
1028 cups_set_default_ipp_port(cg
);
1031 strlcpy(cg
->user
, cc
.user
, sizeof(cg
->user
));
1034 if (!cg
->gss_service_name
[0])
1035 strlcpy(cg
->gss_service_name
, cc
.gss_service_name
, sizeof(cg
->gss_service_name
));
1036 #endif /* HAVE_GSSAPI */
1038 if (cg
->trust_first
< 0)
1039 cg
->trust_first
= cc
.trust_first
;
1041 if (cg
->any_root
< 0)
1042 cg
->any_root
= cc
.any_root
;
1044 if (cg
->expired_certs
< 0)
1045 cg
->expired_certs
= cc
.expired_certs
;
1047 if (cg
->validate_certs
< 0)
1048 cg
->validate_certs
= cc
.validate_certs
;
1051 _httpTLSSetOptions(cc
.ssl_options
| _HTTP_TLS_SET_DEFAULT
, cc
.ssl_min_version
, cc
.ssl_max_version
);
1052 #endif /* HAVE_SSL */
1058 * 'cups_apple_get_boolean()' - Get a boolean setting from the CUPS preferences.
1061 static int /* O - 1 if set, 0 otherwise */
1062 cups_apple_get_boolean(
1063 CFStringRef key
, /* I - Key (name) */
1064 int *value
) /* O - Boolean value */
1066 Boolean bval
, /* Preference value */
1067 bval_set
; /* Value is set? */
1070 bval
= CFPreferencesGetAppBooleanValue(key
, kCUPSPrintingPrefs
, &bval_set
);
1075 return ((int)bval_set
);
1080 * 'cups_apple_get_string()' - Get a string setting from the CUPS preferences.
1083 static int /* O - 1 if set, 0 otherwise */
1084 cups_apple_get_string(
1085 CFStringRef key
, /* I - Key (name) */
1086 char *value
, /* O - String value */
1087 size_t valsize
) /* I - Size of value buffer */
1089 CFStringRef sval
; /* String value */
1092 if ((sval
= CFPreferencesCopyAppValue(key
, kCUPSPrintingPrefs
)) != NULL
)
1094 Boolean result
= CFStringGetCString(sval
, value
, (CFIndex
)valsize
, kCFStringEncodingUTF8
);
1104 #endif /* __APPLE__ */
1108 * 'cups_boolean_value()' - Convert a string to a boolean value.
1111 static int /* O - Boolean value */
1112 cups_boolean_value(const char *value
) /* I - String value */
1114 return (!_cups_strcasecmp(value
, "yes") || !_cups_strcasecmp(value
, "on") || !_cups_strcasecmp(value
, "true"));
1119 * 'cups_finalize_client_conf()' - Finalize client.conf values.
1123 cups_finalize_client_conf(
1124 _cups_client_conf_t
*cc
) /* I - client.conf values */
1126 const char *value
; /* Environment variable */
1129 if ((value
= getenv("CUPS_TRUSTFIRST")) != NULL
)
1130 cc
->trust_first
= cups_boolean_value(value
);
1132 if ((value
= getenv("CUPS_ANYROOT")) != NULL
)
1133 cc
->any_root
= cups_boolean_value(value
);
1135 if ((value
= getenv("CUPS_ENCRYPTION")) != NULL
)
1136 cups_set_encryption(cc
, value
);
1138 if ((value
= getenv("CUPS_EXPIREDCERTS")) != NULL
)
1139 cc
->expired_certs
= cups_boolean_value(value
);
1142 if ((value
= getenv("CUPS_GSSSERVICENAME")) != NULL
)
1143 cups_set_gss_service_name(cc
, value
);
1144 #endif /* HAVE_GSSAPI */
1146 if ((value
= getenv("CUPS_SERVER")) != NULL
)
1147 cups_set_server_name(cc
, value
);
1149 if ((value
= getenv("CUPS_USER")) != NULL
)
1150 cups_set_user(cc
, value
);
1152 if ((value
= getenv("CUPS_VALIDATECERTS")) != NULL
)
1153 cc
->validate_certs
= cups_boolean_value(value
);
1156 * Then apply defaults for those values that haven't been set...
1159 if (cc
->trust_first
< 0)
1160 cc
->trust_first
= 1;
1162 if (cc
->any_root
< 0)
1165 if (cc
->encryption
== (http_encryption_t
)-1)
1166 cc
->encryption
= HTTP_ENCRYPTION_IF_REQUESTED
;
1168 if (cc
->expired_certs
< 0)
1169 cc
->expired_certs
= 0;
1172 if (!cc
->gss_service_name
[0])
1173 cups_set_gss_service_name(cc
, CUPS_DEFAULT_GSSSERVICENAME
);
1174 #endif /* HAVE_GSSAPI */
1176 if (!cc
->server_name
[0])
1179 * If we are compiled with domain socket support, only use the
1180 * domain socket if it exists and has the right permissions...
1183 #if defined(__APPLE__) && !TARGET_OS_OSX
1184 cups_set_server_name(cc
, "/private/var/run/printd");
1187 # ifdef CUPS_DEFAULT_DOMAINSOCKET
1188 if (!access(CUPS_DEFAULT_DOMAINSOCKET
, R_OK
))
1189 cups_set_server_name(cc
, CUPS_DEFAULT_DOMAINSOCKET
);
1191 # endif /* CUPS_DEFAULT_DOMAINSOCKET */
1192 cups_set_server_name(cc
, "localhost");
1193 #endif /* __APPLE__ && !TARGET_OS_OSX */
1200 * Get the current user name from the OS...
1203 DWORD size
; /* Size of string */
1205 size
= sizeof(cc
->user
);
1206 if (!GetUserNameA(cc
->user
, &size
))
1209 * Try the USER environment variable as the default username...
1212 const char *envuser
= getenv("USER");
1213 /* Default username */
1214 struct passwd
*pw
= NULL
; /* Account information */
1219 * Validate USER matches the current UID, otherwise don't allow it to
1220 * override things... This makes sure that printing after doing su
1221 * or sudo records the correct username.
1224 if ((pw
= getpwnam(envuser
)) != NULL
&& pw
->pw_uid
!= getuid())
1229 pw
= getpwuid(getuid());
1232 strlcpy(cc
->user
, pw
->pw_name
, sizeof(cc
->user
));
1237 * Use the default "unknown" user name...
1240 strlcpy(cc
->user
, "unknown", sizeof(cc
->user
));
1244 if (cc
->validate_certs
< 0)
1245 cc
->validate_certs
= 0;
1250 * 'cups_init_client_conf()' - Initialize client.conf values.
1254 cups_init_client_conf(
1255 _cups_client_conf_t
*cc
) /* I - client.conf values */
1258 * Clear all values to "not set"...
1261 memset(cc
, 0, sizeof(_cups_client_conf_t
));
1263 cc
->uatokens
= _CUPS_UATOKENS_MINIMAL
;
1265 #if defined(__APPLE__) && !TARGET_OS_OSX
1266 cups_set_user(cc
, "mobile");
1267 #endif /* __APPLE__ && !TARGET_OS_OSX */
1270 cc
->ssl_min_version
= _HTTP_TLS_1_0
;
1271 cc
->ssl_max_version
= _HTTP_TLS_MAX
;
1272 #endif /* HAVE_SSL */
1273 cc
->encryption
= (http_encryption_t
)-1;
1274 cc
->trust_first
= -1;
1276 cc
->expired_certs
= -1;
1277 cc
->validate_certs
= -1;
1280 * Load settings from the org.cups.PrintingPrefs plist (which trump
1284 #if defined(__APPLE__)
1285 char sval
[1024]; /* String value */
1287 int bval
; /* Boolean value */
1289 if (cups_apple_get_boolean(kAllowAnyRootKey
, &bval
))
1290 cc
->any_root
= bval
;
1292 if (cups_apple_get_boolean(kAllowExpiredCertsKey
, &bval
))
1293 cc
->expired_certs
= bval
;
1295 if (cups_apple_get_string(kEncryptionKey
, sval
, sizeof(sval
)))
1296 cups_set_encryption(cc
, sval
);
1298 if (cups_apple_get_string(kSSLOptionsKey
, sval
, sizeof(sval
)))
1300 cups_set_ssl_options(cc
, sval
);
1306 if (cups_apple_get_boolean(kAllowRC4
, &bval
) && bval
)
1307 strlcat(sval
, " AllowRC4", sizeof(sval
));
1308 if (cups_apple_get_boolean(kAllowSSL3
, &bval
) && bval
)
1309 strlcat(sval
, " AllowSSL3", sizeof(sval
));
1310 if (cups_apple_get_boolean(kAllowDH
, &bval
) && bval
)
1311 strlcat(sval
, " AllowDH", sizeof(sval
));
1314 cups_set_ssl_options(cc
, sval
);
1317 if (cups_apple_get_boolean(kTrustOnFirstUseKey
, &bval
))
1318 cc
->trust_first
= bval
;
1320 if (cups_apple_get_boolean(kValidateCertsKey
, &bval
))
1321 cc
->validate_certs
= bval
;
1322 # endif /* HAVE_SSL */
1324 if (cups_apple_get_string(kDigestOptionsKey
, sval
, sizeof(sval
)))
1325 cups_set_digestoptions(cc
, sval
);
1327 if (cups_apple_get_string(kUserKey
, sval
, sizeof(sval
)))
1328 strlcpy(cc
->user
, sval
, sizeof(cc
->user
));
1330 if (cups_apple_get_string(kUserAgentTokensKey
, sval
, sizeof(sval
)))
1331 cups_set_uatokens(cc
, sval
);
1332 #endif /* __APPLE__ */
1337 * 'cups_read_client_conf()' - Read a client.conf file.
1341 cups_read_client_conf(
1342 cups_file_t
*fp
, /* I - File to read */
1343 _cups_client_conf_t
*cc
) /* I - client.conf values */
1345 int linenum
; /* Current line number */
1346 char line
[1024], /* Line from file */
1347 *value
; /* Pointer into line */
1351 * Read from the file...
1355 while (cupsFileGetConf(fp
, line
, sizeof(line
), &value
, &linenum
))
1357 if (!_cups_strcasecmp(line
, "DigestOptions") && value
)
1358 cups_set_digestoptions(cc
, value
);
1359 else if (!_cups_strcasecmp(line
, "Encryption") && value
)
1360 cups_set_encryption(cc
, value
);
1363 * The ServerName directive is not supported on macOS due to app
1364 * sandboxing restrictions, i.e. not all apps request network access.
1366 else if (!_cups_strcasecmp(line
, "ServerName") && value
)
1367 cups_set_server_name(cc
, value
);
1368 #endif /* !__APPLE__ */
1369 else if (!_cups_strcasecmp(line
, "User") && value
)
1370 cups_set_user(cc
, value
);
1371 else if (!_cups_strcasecmp(line
, "UserAgentTokens") && value
)
1372 cups_set_uatokens(cc
, value
);
1373 else if (!_cups_strcasecmp(line
, "TrustOnFirstUse") && value
)
1374 cc
->trust_first
= cups_boolean_value(value
);
1375 else if (!_cups_strcasecmp(line
, "AllowAnyRoot") && value
)
1376 cc
->any_root
= cups_boolean_value(value
);
1377 else if (!_cups_strcasecmp(line
, "AllowExpiredCerts") &&
1379 cc
->expired_certs
= cups_boolean_value(value
);
1380 else if (!_cups_strcasecmp(line
, "ValidateCerts") && value
)
1381 cc
->validate_certs
= cups_boolean_value(value
);
1383 else if (!_cups_strcasecmp(line
, "GSSServiceName") && value
)
1384 cups_set_gss_service_name(cc
, value
);
1385 #endif /* HAVE_GSSAPI */
1387 else if (!_cups_strcasecmp(line
, "SSLOptions") && value
)
1388 cups_set_ssl_options(cc
, value
);
1389 #endif /* HAVE_SSL */
1395 * 'cups_set_default_ipp_port()' - Set the default IPP port value.
1399 cups_set_default_ipp_port(
1400 _cups_globals_t
*cg
) /* I - Global data */
1402 const char *ipp_port
; /* IPP_PORT environment variable */
1405 if ((ipp_port
= getenv("IPP_PORT")) != NULL
)
1407 if ((cg
->ipp_port
= atoi(ipp_port
)) <= 0)
1408 cg
->ipp_port
= CUPS_DEFAULT_IPP_PORT
;
1411 cg
->ipp_port
= CUPS_DEFAULT_IPP_PORT
;
1416 * 'cups_set_digestoptions()' - Set the DigestOptions value.
1420 cups_set_digestoptions(
1421 _cups_client_conf_t
*cc
, /* I - client.conf values */
1422 const char *value
) /* I - Value */
1424 if (!_cups_strcasecmp(value
, "DenyMD5"))
1425 cc
->digestoptions
= _CUPS_DIGESTOPTIONS_DENYMD5
;
1426 else if (!_cups_strcasecmp(value
, "None"))
1427 cc
->digestoptions
= _CUPS_DIGESTOPTIONS_NONE
;
1432 * 'cups_set_encryption()' - Set the Encryption value.
1436 cups_set_encryption(
1437 _cups_client_conf_t
*cc
, /* I - client.conf values */
1438 const char *value
) /* I - Value */
1440 if (!_cups_strcasecmp(value
, "never"))
1441 cc
->encryption
= HTTP_ENCRYPTION_NEVER
;
1442 else if (!_cups_strcasecmp(value
, "always"))
1443 cc
->encryption
= HTTP_ENCRYPTION_ALWAYS
;
1444 else if (!_cups_strcasecmp(value
, "required"))
1445 cc
->encryption
= HTTP_ENCRYPTION_REQUIRED
;
1447 cc
->encryption
= HTTP_ENCRYPTION_IF_REQUESTED
;
1452 * 'cups_set_gss_service_name()' - Set the GSSServiceName value.
1457 cups_set_gss_service_name(
1458 _cups_client_conf_t
*cc
, /* I - client.conf values */
1459 const char *value
) /* I - Value */
1461 strlcpy(cc
->gss_service_name
, value
, sizeof(cc
->gss_service_name
));
1463 #endif /* HAVE_GSSAPI */
1467 * 'cups_set_server_name()' - Set the ServerName value.
1471 cups_set_server_name(
1472 _cups_client_conf_t
*cc
, /* I - client.conf values */
1473 const char *value
) /* I - Value */
1475 strlcpy(cc
->server_name
, value
, sizeof(cc
->server_name
));
1480 * 'cups_set_ssl_options()' - Set the SSLOptions value.
1485 cups_set_ssl_options(
1486 _cups_client_conf_t
*cc
, /* I - client.conf values */
1487 const char *value
) /* I - Value */
1490 * SSLOptions [AllowRC4] [AllowSSL3] [AllowDH] [DenyTLS1.0] [None]
1493 int options
= _HTTP_TLS_NONE
, /* SSL/TLS options */
1494 min_version
= _HTTP_TLS_1_0
, /* Minimum SSL/TLS version */
1495 max_version
= _HTTP_TLS_MAX
; /* Maximum SSL/TLS version */
1496 char temp
[256], /* Copy of value */
1497 *start
, /* Start of option */
1498 *end
; /* End of option */
1501 strlcpy(temp
, value
, sizeof(temp
));
1503 for (start
= temp
; *start
; start
= end
)
1506 * Find end of keyword...
1510 while (*end
&& !_cups_isspace(*end
))
1520 if (!_cups_strcasecmp(start
, "AllowRC4"))
1521 options
|= _HTTP_TLS_ALLOW_RC4
;
1522 else if (!_cups_strcasecmp(start
, "AllowSSL3"))
1523 min_version
= _HTTP_TLS_SSL3
;
1524 else if (!_cups_strcasecmp(start
, "AllowDH"))
1525 options
|= _HTTP_TLS_ALLOW_DH
;
1526 else if (!_cups_strcasecmp(start
, "DenyCBC"))
1527 options
|= _HTTP_TLS_DENY_CBC
;
1528 else if (!_cups_strcasecmp(start
, "DenyTLS1.0"))
1529 min_version
= _HTTP_TLS_1_1
;
1530 else if (!_cups_strcasecmp(start
, "MaxTLS1.0"))
1531 max_version
= _HTTP_TLS_1_0
;
1532 else if (!_cups_strcasecmp(start
, "MaxTLS1.1"))
1533 max_version
= _HTTP_TLS_1_1
;
1534 else if (!_cups_strcasecmp(start
, "MaxTLS1.2"))
1535 max_version
= _HTTP_TLS_1_2
;
1536 else if (!_cups_strcasecmp(start
, "MaxTLS1.3"))
1537 max_version
= _HTTP_TLS_1_3
;
1538 else if (!_cups_strcasecmp(start
, "MinTLS1.0"))
1539 min_version
= _HTTP_TLS_1_0
;
1540 else if (!_cups_strcasecmp(start
, "MinTLS1.1"))
1541 min_version
= _HTTP_TLS_1_1
;
1542 else if (!_cups_strcasecmp(start
, "MinTLS1.2"))
1543 min_version
= _HTTP_TLS_1_2
;
1544 else if (!_cups_strcasecmp(start
, "MinTLS1.3"))
1545 min_version
= _HTTP_TLS_1_3
;
1546 else if (!_cups_strcasecmp(start
, "None"))
1547 options
= _HTTP_TLS_NONE
;
1550 cc
->ssl_options
= options
;
1551 cc
->ssl_max_version
= max_version
;
1552 cc
->ssl_min_version
= min_version
;
1554 DEBUG_printf(("4cups_set_ssl_options(cc=%p, value=\"%s\") options=%x, min_version=%d, max_version=%d", (void *)cc
, value
, options
, min_version
, max_version
));
1556 #endif /* HAVE_SSL */
1560 * 'cups_set_uatokens()' - Set the UserAgentTokens value.
1565 _cups_client_conf_t
*cc
, /* I - client.conf values */
1566 const char *value
) /* I - Value */
1568 int i
; /* Looping var */
1569 static const char * const uatokens
[] =/* UserAgentTokens values */
1580 for (i
= 0; i
< (int)(sizeof(uatokens
) / sizeof(uatokens
[0])); i
++)
1582 if (!_cups_strcasecmp(value
, uatokens
[i
]))
1584 cc
->uatokens
= (_cups_uatokens_t
)i
;
1592 * 'cups_set_user()' - Set the User value.
1597 _cups_client_conf_t
*cc
, /* I - client.conf values */
1598 const char *value
) /* I - Value */
1600 strlcpy(cc
->user
, value
, sizeof(cc
->user
));