2 * User, system, and password routines for CUPS.
4 * Copyright 2007-2017 by Apple Inc.
5 * Copyright 1997-2006 by Easy Software Products.
7 * Licensed under Apache License v2.0. See the file "LICENSE" for more information.
11 * Include necessary headers...
14 #include "cups-private.h"
15 #include "debug-internal.h"
23 # include <sys/utsname.h>
26 # include <sys/sysctl.h>
27 #endif /* __APPLE__ */
36 # define kCUPSPrintingPrefs CFSTR(".GlobalPreferences")
37 # define kPREFIX "AirPrint"
39 # define kCUPSPrintingPrefs CFSTR("org.cups.PrintingPrefs")
41 # endif /* TARGET_OS_IOS */
42 # define kAllowAnyRootKey CFSTR(kPREFIX "AllowAnyRoot")
43 # define kAllowExpiredCertsKey CFSTR(kPREFIX "AllowExpiredCerts")
44 # define kEncryptionKey CFSTR(kPREFIX "Encryption")
45 # define kGSSServiceNameKey CFSTR(kPREFIX "GSSServiceName")
46 # define kSSLOptionsKey CFSTR(kPREFIX "SSLOptions")
47 # define kTrustOnFirstUseKey CFSTR(kPREFIX "TrustOnFirstUse")
48 # define kValidateCertsKey CFSTR(kPREFIX "ValidateCerts")
50 # define kAllowRC4 CFSTR(kPREFIX "AllowRC4")
51 # define kAllowSSL3 CFSTR(kPREFIX "AllowSSL3")
52 # define kAllowDH CFSTR(kPREFIX "AllowDH")
53 #endif /* __APPLE__ */
55 #define _CUPS_PASSCHAR '*' /* Character that is echoed for password */
62 typedef struct _cups_client_conf_s
/**** client.conf config data ****/
65 int ssl_options
, /* SSLOptions values */
66 ssl_min_version
,/* Minimum SSL/TLS version */
67 ssl_max_version
;/* Maximum SSL/TLS version */
69 int trust_first
, /* Trust on first use? */
70 any_root
, /* Allow any (e.g., self-signed) root */
71 expired_certs
, /* Allow expired certs */
72 validate_certs
; /* Validate certificates */
73 http_encryption_t encryption
; /* Encryption setting */
74 char user
[65], /* User name */
78 char gss_service_name
[32];
79 /* Kerberos service name */
80 #endif /* HAVE_GSSAPI */
81 } _cups_client_conf_t
;
89 static int cups_apple_get_boolean(CFStringRef key
, int *value
);
90 static int cups_apple_get_string(CFStringRef key
, char *value
, size_t valsize
);
91 #endif /* __APPLE__ */
92 static int cups_boolean_value(const char *value
);
93 static void cups_finalize_client_conf(_cups_client_conf_t
*cc
);
94 static void cups_init_client_conf(_cups_client_conf_t
*cc
);
95 static void cups_read_client_conf(cups_file_t
*fp
, _cups_client_conf_t
*cc
);
96 static void cups_set_default_ipp_port(_cups_globals_t
*cg
);
97 static void cups_set_encryption(_cups_client_conf_t
*cc
, const char *value
);
99 static void cups_set_gss_service_name(_cups_client_conf_t
*cc
, const char *value
);
100 #endif /* HAVE_GSSAPI */
101 static void cups_set_server_name(_cups_client_conf_t
*cc
, const char *value
);
103 static void cups_set_ssl_options(_cups_client_conf_t
*cc
, const char *value
);
104 #endif /* HAVE_SSL */
105 static void cups_set_user(_cups_client_conf_t
*cc
, const char *value
);
109 * 'cupsEncryption()' - Get the current encryption settings.
111 * The default encryption setting comes from the CUPS_ENCRYPTION
112 * environment variable, then the ~/.cups/client.conf file, and finally the
113 * /etc/cups/client.conf file. If not set, the default is
114 * @code HTTP_ENCRYPTION_IF_REQUESTED@.
116 * Note: The current encryption setting is tracked separately for each thread
117 * in a program. Multi-threaded programs that override the setting via the
118 * @link cupsSetEncryption@ function need to do so in each thread for the same
119 * setting to be used.
122 http_encryption_t
/* O - Encryption settings */
125 _cups_globals_t
*cg
= _cupsGlobals(); /* Pointer to library globals */
128 if (cg
->encryption
== (http_encryption_t
)-1)
131 return (cg
->encryption
);
136 * 'cupsGetPassword()' - Get a password from the user.
138 * Uses the current password callback function. Returns @code NULL@ if the
139 * user does not provide a password.
141 * Note: The current password callback function is tracked separately for each
142 * thread in a program. Multi-threaded programs that override the setting via
143 * the @link cupsSetPasswordCB@ or @link cupsSetPasswordCB2@ functions need to
144 * do so in each thread for the same function to be used.
149 const char * /* O - Password */
150 cupsGetPassword(const char *prompt
) /* I - Prompt string */
152 _cups_globals_t
*cg
= _cupsGlobals(); /* Pointer to library globals */
155 return ((cg
->password_cb
)(prompt
, NULL
, NULL
, NULL
, cg
->password_data
));
160 * 'cupsGetPassword2()' - Get a password from the user using the current
163 * Uses the current password callback function. Returns @code NULL@ if the
164 * user does not provide a password.
166 * Note: The current password callback function is tracked separately for each
167 * thread in a program. Multi-threaded programs that override the setting via
168 * the @link cupsSetPasswordCB2@ function need to do so in each thread for the
169 * same function to be used.
171 * @since CUPS 1.4/macOS 10.6@
174 const char * /* O - Password */
175 cupsGetPassword2(const char *prompt
, /* I - Prompt string */
176 http_t
*http
, /* I - Connection to server or @code CUPS_HTTP_DEFAULT@ */
177 const char *method
, /* I - Request method ("GET", "POST", "PUT") */
178 const char *resource
) /* I - Resource path */
180 _cups_globals_t
*cg
= _cupsGlobals(); /* Pointer to library globals */
184 http
= _cupsConnect();
186 return ((cg
->password_cb
)(prompt
, http
, method
, resource
, cg
->password_data
));
191 * 'cupsServer()' - Return the hostname/address of the current server.
193 * The default server comes from the CUPS_SERVER environment variable, then the
194 * ~/.cups/client.conf file, and finally the /etc/cups/client.conf file. If not
195 * set, the default is the local system - either "localhost" or a domain socket
198 * The returned value can be a fully-qualified hostname, a numeric IPv4 or IPv6
199 * address, or a domain socket pathname.
201 * Note: The current server is tracked separately for each thread in a program.
202 * Multi-threaded programs that override the server via the
203 * @link cupsSetServer@ function need to do so in each thread for the same
207 const char * /* O - Server name */
210 _cups_globals_t
*cg
= _cupsGlobals(); /* Pointer to library globals */
221 * 'cupsSetClientCertCB()' - Set the client certificate callback.
223 * Pass @code NULL@ to restore the default callback.
225 * Note: The current certificate callback is tracked separately for each thread
226 * in a program. Multi-threaded programs that override the callback need to do
227 * so in each thread for the same callback to be used.
229 * @since CUPS 1.5/macOS 10.7@
234 cups_client_cert_cb_t cb
, /* I - Callback function */
235 void *user_data
) /* I - User data pointer */
237 _cups_globals_t
*cg
= _cupsGlobals(); /* Pointer to library globals */
240 cg
->client_cert_cb
= cb
;
241 cg
->client_cert_data
= user_data
;
246 * 'cupsSetCredentials()' - Set the default credentials to be used for SSL/TLS
249 * Note: The default credentials are tracked separately for each thread in a
250 * program. Multi-threaded programs that override the setting need to do so in
251 * each thread for the same setting to be used.
253 * @since CUPS 1.5/macOS 10.7@
256 int /* O - Status of call (0 = success) */
258 cups_array_t
*credentials
) /* I - Array of credentials */
260 _cups_globals_t
*cg
= _cupsGlobals(); /* Pointer to library globals */
263 if (cupsArrayCount(credentials
) < 1)
267 _httpFreeCredentials(cg
->tls_credentials
);
268 cg
->tls_credentials
= _httpCreateCredentials(credentials
);
269 #endif /* HAVE_SSL */
271 return (cg
->tls_credentials
? 0 : -1);
276 * 'cupsSetEncryption()' - Set the encryption preference.
278 * The default encryption setting comes from the CUPS_ENCRYPTION
279 * environment variable, then the ~/.cups/client.conf file, and finally the
280 * /etc/cups/client.conf file. If not set, the default is
281 * @code HTTP_ENCRYPTION_IF_REQUESTED@.
283 * Note: The current encryption setting is tracked separately for each thread
284 * in a program. Multi-threaded programs that override the setting need to do
285 * so in each thread for the same setting to be used.
289 cupsSetEncryption(http_encryption_t e
) /* I - New encryption preference */
291 _cups_globals_t
*cg
= _cupsGlobals(); /* Pointer to library globals */
297 httpEncryption(cg
->http
, e
);
302 * 'cupsSetPasswordCB()' - Set the password callback for CUPS.
304 * Pass @code NULL@ to restore the default (console) password callback, which
305 * reads the password from the console. Programs should call either this
306 * function or @link cupsSetPasswordCB2@, as only one callback can be registered
307 * by a program per thread.
309 * Note: The current password callback is tracked separately for each thread
310 * in a program. Multi-threaded programs that override the callback need to do
311 * so in each thread for the same callback to be used.
317 cupsSetPasswordCB(cups_password_cb_t cb
)/* I - Callback function */
319 _cups_globals_t
*cg
= _cupsGlobals(); /* Pointer to library globals */
322 if (cb
== (cups_password_cb_t
)0)
323 cg
->password_cb
= (cups_password_cb2_t
)_cupsGetPassword
;
325 cg
->password_cb
= (cups_password_cb2_t
)cb
;
327 cg
->password_data
= NULL
;
332 * 'cupsSetPasswordCB2()' - Set the advanced password callback for CUPS.
334 * Pass @code NULL@ to restore the default (console) password callback, which
335 * reads the password from the console. Programs should call either this
336 * function or @link cupsSetPasswordCB2@, as only one callback can be registered
337 * by a program per thread.
339 * Note: The current password callback is tracked separately for each thread
340 * in a program. Multi-threaded programs that override the callback need to do
341 * so in each thread for the same callback to be used.
343 * @since CUPS 1.4/macOS 10.6@
348 cups_password_cb2_t cb
, /* I - Callback function */
349 void *user_data
) /* I - User data pointer */
351 _cups_globals_t
*cg
= _cupsGlobals(); /* Pointer to library globals */
354 if (cb
== (cups_password_cb2_t
)0)
355 cg
->password_cb
= (cups_password_cb2_t
)_cupsGetPassword
;
357 cg
->password_cb
= cb
;
359 cg
->password_data
= user_data
;
364 * 'cupsSetServer()' - Set the default server name and port.
366 * The "server" string can be a fully-qualified hostname, a numeric
367 * IPv4 or IPv6 address, or a domain socket pathname. Hostnames and numeric IP
368 * addresses can be optionally followed by a colon and port number to override
369 * the default port 631, e.g. "hostname:8631". Pass @code NULL@ to restore the
370 * default server name and port.
372 * Note: The current server is tracked separately for each thread in a program.
373 * Multi-threaded programs that override the server need to do so in each
374 * thread for the same server to be used.
378 cupsSetServer(const char *server
) /* I - Server name */
380 char *options
, /* Options */
381 *port
; /* Pointer to port */
382 _cups_globals_t
*cg
= _cupsGlobals(); /* Pointer to library globals */
387 strlcpy(cg
->server
, server
, sizeof(cg
->server
));
389 if (cg
->server
[0] != '/' && (options
= strrchr(cg
->server
, '/')) != NULL
)
393 if (!strcmp(options
, "version=1.0"))
394 cg
->server_version
= 10;
395 else if (!strcmp(options
, "version=1.1"))
396 cg
->server_version
= 11;
397 else if (!strcmp(options
, "version=2.0"))
398 cg
->server_version
= 20;
399 else if (!strcmp(options
, "version=2.1"))
400 cg
->server_version
= 21;
401 else if (!strcmp(options
, "version=2.2"))
402 cg
->server_version
= 22;
405 cg
->server_version
= 20;
407 if (cg
->server
[0] != '/' && (port
= strrchr(cg
->server
, ':')) != NULL
&&
408 !strchr(port
, ']') && isdigit(port
[1] & 255))
412 cg
->ipp_port
= atoi(port
);
416 cups_set_default_ipp_port(cg
);
418 if (cg
->server
[0] == '/')
419 strlcpy(cg
->servername
, "localhost", sizeof(cg
->servername
));
421 strlcpy(cg
->servername
, cg
->server
, sizeof(cg
->servername
));
425 cg
->server
[0] = '\0';
426 cg
->servername
[0] = '\0';
427 cg
->server_version
= 20;
440 * 'cupsSetServerCertCB()' - Set the server certificate callback.
442 * Pass @code NULL@ to restore the default callback.
444 * Note: The current credentials callback is tracked separately for each thread
445 * in a program. Multi-threaded programs that override the callback need to do
446 * so in each thread for the same callback to be used.
448 * @since CUPS 1.5/macOS 10.7@
453 cups_server_cert_cb_t cb
, /* I - Callback function */
454 void *user_data
) /* I - User data pointer */
456 _cups_globals_t
*cg
= _cupsGlobals(); /* Pointer to library globals */
459 cg
->server_cert_cb
= cb
;
460 cg
->server_cert_data
= user_data
;
465 * 'cupsSetUser()' - Set the default user name.
467 * Pass @code NULL@ to restore the default user name.
469 * Note: The current user name is tracked separately for each thread in a
470 * program. Multi-threaded programs that override the user name need to do so
471 * in each thread for the same user name to be used.
475 cupsSetUser(const char *user
) /* I - User name */
477 _cups_globals_t
*cg
= _cupsGlobals(); /* Pointer to library globals */
481 strlcpy(cg
->user
, user
, sizeof(cg
->user
));
488 * 'cupsSetUserAgent()' - Set the default HTTP User-Agent string.
490 * Setting the string to NULL forces the default value containing the CUPS
491 * version, IPP version, and operating system version and architecture.
493 * @since CUPS 1.7/macOS 10.9@
497 cupsSetUserAgent(const char *user_agent
)/* I - User-Agent string or @code NULL@ */
499 _cups_globals_t
*cg
= _cupsGlobals();
502 SYSTEM_INFO sysinfo
; /* System information */
503 OSVERSIONINFOA version
; /* OS version info */
504 const char *machine
; /* Hardware/machine name */
505 #elif defined(__APPLE__)
506 struct utsname name
; /* uname info */
507 char version
[256]; /* macOS/iOS version */
508 size_t len
; /* Length of value */
510 struct utsname name
; /* uname info */
516 strlcpy(cg
->user_agent
, user_agent
, sizeof(cg
->user_agent
));
522 * Gather Windows version information for the User-Agent string...
525 version
.dwOSVersionInfoSize
= sizeof(OSVERSIONINFO
);
526 GetVersionExA(&version
);
527 GetNativeSystemInfo(&sysinfo
);
529 switch (sysinfo
.wProcessorArchitecture
)
531 case PROCESSOR_ARCHITECTURE_AMD64
:
535 case PROCESSOR_ARCHITECTURE_ARM
:
539 case PROCESSOR_ARCHITECTURE_IA64
:
543 case PROCESSOR_ARCHITECTURE_INTEL
:
552 snprintf(cg
->user_agent
, sizeof(cg
->user_agent
), CUPS_MINIMAL
" (Windows %d.%d; %s) IPP/2.0", version
.dwMajorVersion
, version
.dwMinorVersion
, machine
);
554 #elif defined(__APPLE__)
556 * Gather macOS/iOS version information for the User-Agent string...
561 len
= sizeof(version
) - 1;
562 if (!sysctlbyname("kern.osproductversion", version
, &len
, NULL
, 0))
565 strlcpy(version
, "unknown", sizeof(version
));
568 snprintf(cg
->user_agent
, sizeof(cg
->user_agent
), CUPS_MINIMAL
" (iOS %s; %s) IPP/2.0", version
, name
.machine
);
570 snprintf(cg
->user_agent
, sizeof(cg
->user_agent
), CUPS_MINIMAL
" (macOS %s; %s) IPP/2.0", version
, name
.machine
);
571 # endif /* TARGET_OS_IOS */
575 * Gather generic UNIX version information for the User-Agent string...
580 snprintf(cg
->user_agent
, sizeof(cg
->user_agent
), CUPS_MINIMAL
" (%s %s; %s) IPP/2.0", name
.sysname
, name
.release
, name
.machine
);
586 * 'cupsUser()' - Return the current user's name.
588 * Note: The current user name is tracked separately for each thread in a
589 * program. Multi-threaded programs that override the user name with the
590 * @link cupsSetUser@ function need to do so in each thread for the same user
594 const char * /* O - User name */
597 _cups_globals_t
*cg
= _cupsGlobals(); /* Pointer to library globals */
608 * 'cupsUserAgent()' - Return the default HTTP User-Agent string.
610 * @since CUPS 1.7/macOS 10.9@
613 const char * /* O - User-Agent string */
616 _cups_globals_t
*cg
= _cupsGlobals(); /* Thread globals */
619 if (!cg
->user_agent
[0])
620 cupsSetUserAgent(NULL
);
622 return (cg
->user_agent
);
627 * '_cupsGetPassword()' - Get a password from the user.
630 const char * /* O - Password or @code NULL@ if none */
631 _cupsGetPassword(const char *prompt
) /* I - Prompt string */
634 HANDLE tty
; /* Console handle */
635 DWORD mode
; /* Console mode */
636 char passch
, /* Current key press */
637 *passptr
, /* Pointer into password string */
638 *passend
; /* End of password string */
639 DWORD passbytes
; /* Bytes read */
640 _cups_globals_t
*cg
= _cupsGlobals();
645 * Disable input echo and set raw input...
648 if ((tty
= GetStdHandle(STD_INPUT_HANDLE
)) == INVALID_HANDLE_VALUE
)
651 if (!GetConsoleMode(tty
, &mode
))
654 if (!SetConsoleMode(tty
, 0))
658 * Display the prompt...
661 printf("%s ", prompt
);
665 * Read the password string from /dev/tty until we get interrupted or get a
666 * carriage return or newline...
669 passptr
= cg
->password
;
670 passend
= cg
->password
+ sizeof(cg
->password
) - 1;
672 while (ReadFile(tty
, &passch
, 1, &passbytes
, NULL
))
674 if (passch
== 0x0A || passch
== 0x0D)
682 else if (passch
== 0x08 || passch
== 0x7F)
685 * Backspace/delete (erase character)...
688 if (passptr
> cg
->password
)
691 fputs("\010 \010", stdout
);
696 else if (passch
== 0x15)
699 * CTRL+U (erase line)
702 if (passptr
> cg
->password
)
704 while (passptr
> cg
->password
)
707 fputs("\010 \010", stdout
);
713 else if (passch
== 0x03)
719 passptr
= cg
->password
;
722 else if ((passch
& 255) < 0x20 || passptr
>= passend
)
727 putchar(_CUPS_PASSCHAR
);
740 SetConsoleMode(tty
, mode
);
743 * Return the proper value...
746 if (passbytes
== 1 && passptr
> cg
->password
)
749 return (cg
->password
);
753 memset(cg
->password
, 0, sizeof(cg
->password
));
758 int tty
; /* /dev/tty - never read from stdin */
759 struct termios original
, /* Original input mode */
760 noecho
; /* No echo input mode */
761 char passch
, /* Current key press */
762 *passptr
, /* Pointer into password string */
763 *passend
; /* End of password string */
764 ssize_t passbytes
; /* Bytes read */
765 _cups_globals_t
*cg
= _cupsGlobals();
770 * Disable input echo and set raw input...
773 if ((tty
= open("/dev/tty", O_RDONLY
)) < 0)
776 if (tcgetattr(tty
, &original
))
783 noecho
.c_lflag
&= (tcflag_t
)~(ICANON
| ECHO
| ECHOE
| ISIG
);
784 noecho
.c_cc
[VMIN
] = 1;
785 noecho
.c_cc
[VTIME
] = 0;
787 if (tcsetattr(tty
, TCSAFLUSH
, &noecho
))
794 * Display the prompt...
797 printf("%s ", prompt
);
801 * Read the password string from /dev/tty until we get interrupted or get a
802 * carriage return or newline...
805 passptr
= cg
->password
;
806 passend
= cg
->password
+ sizeof(cg
->password
) - 1;
808 while ((passbytes
= read(tty
, &passch
, 1)) == 1)
810 if (passch
== noecho
.c_cc
[VEOL
] ||
812 passch
== noecho
.c_cc
[VEOL2
] ||
814 passch
== 0x0A || passch
== 0x0D)
822 else if (passch
== noecho
.c_cc
[VERASE
] ||
823 passch
== 0x08 || passch
== 0x7F)
826 * Backspace/delete (erase character)...
829 if (passptr
> cg
->password
)
832 fputs("\010 \010", stdout
);
837 else if (passch
== noecho
.c_cc
[VKILL
])
840 * CTRL+U (erase line)
843 if (passptr
> cg
->password
)
845 while (passptr
> cg
->password
)
848 fputs("\010 \010", stdout
);
854 else if (passch
== noecho
.c_cc
[VINTR
] || passch
== noecho
.c_cc
[VQUIT
] ||
855 passch
== noecho
.c_cc
[VEOF
])
858 * CTRL+C, CTRL+D, or CTRL+Z...
861 passptr
= cg
->password
;
864 else if ((passch
& 255) < 0x20 || passptr
>= passend
)
869 putchar(_CUPS_PASSCHAR
);
882 tcsetattr(tty
, TCSAFLUSH
, &original
);
886 * Return the proper value...
889 if (passbytes
== 1 && passptr
> cg
->password
)
892 return (cg
->password
);
896 memset(cg
->password
, 0, sizeof(cg
->password
));
905 * '_cupsGSSServiceName()' - Get the GSS (Kerberos) service name.
909 _cupsGSSServiceName(void)
911 _cups_globals_t
*cg
= _cupsGlobals(); /* Thread globals */
914 if (!cg
->gss_service_name
[0])
917 return (cg
->gss_service_name
);
919 #endif /* HAVE_GSSAPI */
923 * '_cupsSetDefaults()' - Set the default server, port, and encryption.
927 _cupsSetDefaults(void)
929 cups_file_t
*fp
; /* File */
930 const char *home
; /* Home directory of user */
931 char filename
[1024]; /* Filename */
932 _cups_client_conf_t cc
; /* client.conf values */
933 _cups_globals_t
*cg
= _cupsGlobals(); /* Pointer to library globals */
936 DEBUG_puts("_cupsSetDefaults()");
939 * Load initial client.conf values...
942 cups_init_client_conf(&cc
);
945 * Read the /etc/cups/client.conf and ~/.cups/client.conf files, if
949 snprintf(filename
, sizeof(filename
), "%s/client.conf", cg
->cups_serverroot
);
950 if ((fp
= cupsFileOpen(filename
, "r")) != NULL
)
952 cups_read_client_conf(fp
, &cc
);
957 if ((geteuid() == getuid() || !getuid()) && getegid() == getgid() && (home
= getenv("HOME")) != NULL
)
958 # elif !defined(_WIN32)
959 if (getuid() && (home
= getenv("HOME")) != NULL
)
961 if ((home
= getenv("HOME")) != NULL
)
962 # endif /* HAVE_GETEUID */
965 * Look for ~/.cups/client.conf...
968 snprintf(filename
, sizeof(filename
), "%s/.cups/client.conf", home
);
969 if ((fp
= cupsFileOpen(filename
, "r")) != NULL
)
971 cups_read_client_conf(fp
, &cc
);
977 * Finalize things so every client.conf value is set...
980 cups_finalize_client_conf(&cc
);
982 if (cg
->encryption
== (http_encryption_t
)-1)
983 cg
->encryption
= cc
.encryption
;
985 if (!cg
->server
[0] || !cg
->ipp_port
)
986 cupsSetServer(cc
.server_name
);
989 cups_set_default_ipp_port(cg
);
992 strlcpy(cg
->user
, cc
.user
, sizeof(cg
->user
));
995 if (!cg
->gss_service_name
[0])
996 strlcpy(cg
->gss_service_name
, cc
.gss_service_name
, sizeof(cg
->gss_service_name
));
997 #endif /* HAVE_GSSAPI */
999 if (cg
->trust_first
< 0)
1000 cg
->trust_first
= cc
.trust_first
;
1002 if (cg
->any_root
< 0)
1003 cg
->any_root
= cc
.any_root
;
1005 if (cg
->expired_certs
< 0)
1006 cg
->expired_certs
= cc
.expired_certs
;
1008 if (cg
->validate_certs
< 0)
1009 cg
->validate_certs
= cc
.validate_certs
;
1012 _httpTLSSetOptions(cc
.ssl_options
| _HTTP_TLS_SET_DEFAULT
, cc
.ssl_min_version
, cc
.ssl_max_version
);
1013 #endif /* HAVE_SSL */
1019 * 'cups_apple_get_boolean()' - Get a boolean setting from the CUPS preferences.
1022 static int /* O - 1 if set, 0 otherwise */
1023 cups_apple_get_boolean(
1024 CFStringRef key
, /* I - Key (name) */
1025 int *value
) /* O - Boolean value */
1027 Boolean bval
, /* Preference value */
1028 bval_set
; /* Value is set? */
1031 bval
= CFPreferencesGetAppBooleanValue(key
, kCUPSPrintingPrefs
, &bval_set
);
1036 return ((int)bval_set
);
1041 * 'cups_apple_get_string()' - Get a string setting from the CUPS preferences.
1044 static int /* O - 1 if set, 0 otherwise */
1045 cups_apple_get_string(
1046 CFStringRef key
, /* I - Key (name) */
1047 char *value
, /* O - String value */
1048 size_t valsize
) /* I - Size of value buffer */
1050 CFStringRef sval
; /* String value */
1053 if ((sval
= CFPreferencesCopyAppValue(key
, kCUPSPrintingPrefs
)) != NULL
)
1055 Boolean result
= CFStringGetCString(sval
, value
, (CFIndex
)valsize
, kCFStringEncodingUTF8
);
1065 #endif /* __APPLE__ */
1069 * 'cups_boolean_value()' - Convert a string to a boolean value.
1072 static int /* O - Boolean value */
1073 cups_boolean_value(const char *value
) /* I - String value */
1075 return (!_cups_strcasecmp(value
, "yes") || !_cups_strcasecmp(value
, "on") || !_cups_strcasecmp(value
, "true"));
1080 * 'cups_finalize_client_conf()' - Finalize client.conf values.
1084 cups_finalize_client_conf(
1085 _cups_client_conf_t
*cc
) /* I - client.conf values */
1087 const char *value
; /* Environment variable */
1090 if ((value
= getenv("CUPS_TRUSTFIRST")) != NULL
)
1091 cc
->trust_first
= cups_boolean_value(value
);
1093 if ((value
= getenv("CUPS_ANYROOT")) != NULL
)
1094 cc
->any_root
= cups_boolean_value(value
);
1096 if ((value
= getenv("CUPS_ENCRYPTION")) != NULL
)
1097 cups_set_encryption(cc
, value
);
1099 if ((value
= getenv("CUPS_EXPIREDCERTS")) != NULL
)
1100 cc
->expired_certs
= cups_boolean_value(value
);
1103 if ((value
= getenv("CUPS_GSSSERVICENAME")) != NULL
)
1104 cups_set_gss_service_name(cc
, value
);
1105 #endif /* HAVE_GSSAPI */
1107 if ((value
= getenv("CUPS_SERVER")) != NULL
)
1108 cups_set_server_name(cc
, value
);
1110 if ((value
= getenv("CUPS_USER")) != NULL
)
1111 cups_set_user(cc
, value
);
1113 if ((value
= getenv("CUPS_VALIDATECERTS")) != NULL
)
1114 cc
->validate_certs
= cups_boolean_value(value
);
1117 * Then apply defaults for those values that haven't been set...
1120 if (cc
->trust_first
< 0)
1121 cc
->trust_first
= 1;
1123 if (cc
->any_root
< 0)
1126 if (cc
->encryption
== (http_encryption_t
)-1)
1127 cc
->encryption
= HTTP_ENCRYPTION_IF_REQUESTED
;
1129 if (cc
->expired_certs
< 0)
1130 cc
->expired_certs
= 0;
1133 if (!cc
->gss_service_name
[0])
1134 cups_set_gss_service_name(cc
, CUPS_DEFAULT_GSSSERVICENAME
);
1135 #endif /* HAVE_GSSAPI */
1137 if (!cc
->server_name
[0])
1139 #ifdef CUPS_DEFAULT_DOMAINSOCKET
1141 * If we are compiled with domain socket support, only use the
1142 * domain socket if it exists and has the right permissions...
1145 if (!access(CUPS_DEFAULT_DOMAINSOCKET
, R_OK
))
1146 cups_set_server_name(cc
, CUPS_DEFAULT_DOMAINSOCKET
);
1148 #endif /* CUPS_DEFAULT_DOMAINSOCKET */
1149 cups_set_server_name(cc
, "localhost");
1156 * Get the current user name from the OS...
1159 DWORD size
; /* Size of string */
1161 size
= sizeof(cc
->user
);
1162 if (!GetUserNameA(cc
->user
, &size
))
1165 * Try the USER environment variable as the default username...
1168 const char *envuser
= getenv("USER");
1169 /* Default username */
1170 struct passwd
*pw
= NULL
; /* Account information */
1175 * Validate USER matches the current UID, otherwise don't allow it to
1176 * override things... This makes sure that printing after doing su
1177 * or sudo records the correct username.
1180 if ((pw
= getpwnam(envuser
)) != NULL
&& pw
->pw_uid
!= getuid())
1185 pw
= getpwuid(getuid());
1188 strlcpy(cc
->user
, pw
->pw_name
, sizeof(cc
->user
));
1193 * Use the default "unknown" user name...
1196 strlcpy(cc
->user
, "unknown", sizeof(cc
->user
));
1200 if (cc
->validate_certs
< 0)
1201 cc
->validate_certs
= 0;
1206 * 'cups_init_client_conf()' - Initialize client.conf values.
1210 cups_init_client_conf(
1211 _cups_client_conf_t
*cc
) /* I - client.conf values */
1214 * Clear all values to "not set"...
1217 memset(cc
, 0, sizeof(_cups_client_conf_t
));
1220 cups_set_user(cc
, "mobile");
1221 #endif /* TARGET_OS_IOS */
1224 cc
->ssl_min_version
= _HTTP_TLS_1_0
;
1225 cc
->ssl_max_version
= _HTTP_TLS_MAX
;
1226 #endif /* HAVE_SSL */
1227 cc
->encryption
= (http_encryption_t
)-1;
1228 cc
->trust_first
= -1;
1230 cc
->expired_certs
= -1;
1231 cc
->validate_certs
= -1;
1234 * Load settings from the org.cups.PrintingPrefs plist (which trump
1238 #if defined(__APPLE__) && defined(HAVE_SSL)
1239 char sval
[1024]; /* String value */
1240 int bval
; /* Boolean value */
1242 if (cups_apple_get_boolean(kAllowAnyRootKey
, &bval
))
1243 cc
->any_root
= bval
;
1245 if (cups_apple_get_boolean(kAllowExpiredCertsKey
, &bval
))
1246 cc
->expired_certs
= bval
;
1248 if (cups_apple_get_string(kEncryptionKey
, sval
, sizeof(sval
)))
1249 cups_set_encryption(cc
, sval
);
1251 if (cups_apple_get_string(kSSLOptionsKey
, sval
, sizeof(sval
)))
1253 cups_set_ssl_options(cc
, sval
);
1259 if (cups_apple_get_boolean(kAllowRC4
, &bval
) && bval
)
1260 strlcat(sval
, " AllowRC4", sizeof(sval
));
1261 if (cups_apple_get_boolean(kAllowSSL3
, &bval
) && bval
)
1262 strlcat(sval
, " AllowSSL3", sizeof(sval
));
1263 if (cups_apple_get_boolean(kAllowDH
, &bval
) && bval
)
1264 strlcat(sval
, " AllowDH", sizeof(sval
));
1267 cups_set_ssl_options(cc
, sval
);
1270 if (cups_apple_get_boolean(kTrustOnFirstUseKey
, &bval
))
1271 cc
->trust_first
= bval
;
1273 if (cups_apple_get_boolean(kValidateCertsKey
, &bval
))
1274 cc
->validate_certs
= bval
;
1275 #endif /* __APPLE__ && HAVE_SSL */
1280 * 'cups_read_client_conf()' - Read a client.conf file.
1284 cups_read_client_conf(
1285 cups_file_t
*fp
, /* I - File to read */
1286 _cups_client_conf_t
*cc
) /* I - client.conf values */
1288 int linenum
; /* Current line number */
1289 char line
[1024], /* Line from file */
1290 *value
; /* Pointer into line */
1294 * Read from the file...
1298 while (cupsFileGetConf(fp
, line
, sizeof(line
), &value
, &linenum
))
1300 if (!_cups_strcasecmp(line
, "Encryption") && value
)
1301 cups_set_encryption(cc
, value
);
1304 * The ServerName directive is not supported on macOS due to app
1305 * sandboxing restrictions, i.e. not all apps request network access.
1307 else if (!_cups_strcasecmp(line
, "ServerName") && value
)
1308 cups_set_server_name(cc
, value
);
1309 #endif /* !__APPLE__ */
1310 else if (!_cups_strcasecmp(line
, "User") && value
)
1311 cups_set_user(cc
, value
);
1312 else if (!_cups_strcasecmp(line
, "TrustOnFirstUse") && value
)
1313 cc
->trust_first
= cups_boolean_value(value
);
1314 else if (!_cups_strcasecmp(line
, "AllowAnyRoot") && value
)
1315 cc
->any_root
= cups_boolean_value(value
);
1316 else if (!_cups_strcasecmp(line
, "AllowExpiredCerts") &&
1318 cc
->expired_certs
= cups_boolean_value(value
);
1319 else if (!_cups_strcasecmp(line
, "ValidateCerts") && value
)
1320 cc
->validate_certs
= cups_boolean_value(value
);
1322 else if (!_cups_strcasecmp(line
, "GSSServiceName") && value
)
1323 cups_set_gss_service_name(cc
, value
);
1324 #endif /* HAVE_GSSAPI */
1326 else if (!_cups_strcasecmp(line
, "SSLOptions") && value
)
1327 cups_set_ssl_options(cc
, value
);
1328 #endif /* HAVE_SSL */
1334 * 'cups_set_default_ipp_port()' - Set the default IPP port value.
1338 cups_set_default_ipp_port(
1339 _cups_globals_t
*cg
) /* I - Global data */
1341 const char *ipp_port
; /* IPP_PORT environment variable */
1344 if ((ipp_port
= getenv("IPP_PORT")) != NULL
)
1346 if ((cg
->ipp_port
= atoi(ipp_port
)) <= 0)
1347 cg
->ipp_port
= CUPS_DEFAULT_IPP_PORT
;
1350 cg
->ipp_port
= CUPS_DEFAULT_IPP_PORT
;
1354 * 'cups_set_encryption()' - Set the Encryption value.
1358 cups_set_encryption(
1359 _cups_client_conf_t
*cc
, /* I - client.conf values */
1360 const char *value
) /* I - Value */
1362 if (!_cups_strcasecmp(value
, "never"))
1363 cc
->encryption
= HTTP_ENCRYPTION_NEVER
;
1364 else if (!_cups_strcasecmp(value
, "always"))
1365 cc
->encryption
= HTTP_ENCRYPTION_ALWAYS
;
1366 else if (!_cups_strcasecmp(value
, "required"))
1367 cc
->encryption
= HTTP_ENCRYPTION_REQUIRED
;
1369 cc
->encryption
= HTTP_ENCRYPTION_IF_REQUESTED
;
1374 * 'cups_set_gss_service_name()' - Set the GSSServiceName value.
1379 cups_set_gss_service_name(
1380 _cups_client_conf_t
*cc
, /* I - client.conf values */
1381 const char *value
) /* I - Value */
1383 strlcpy(cc
->gss_service_name
, value
, sizeof(cc
->gss_service_name
));
1385 #endif /* HAVE_GSSAPI */
1389 * 'cups_set_server_name()' - Set the ServerName value.
1393 cups_set_server_name(
1394 _cups_client_conf_t
*cc
, /* I - client.conf values */
1395 const char *value
) /* I - Value */
1397 strlcpy(cc
->server_name
, value
, sizeof(cc
->server_name
));
1402 * 'cups_set_ssl_options()' - Set the SSLOptions value.
1407 cups_set_ssl_options(
1408 _cups_client_conf_t
*cc
, /* I - client.conf values */
1409 const char *value
) /* I - Value */
1412 * SSLOptions [AllowRC4] [AllowSSL3] [AllowDH] [DenyTLS1.0] [None]
1415 int options
= _HTTP_TLS_NONE
, /* SSL/TLS options */
1416 min_version
= _HTTP_TLS_1_0
, /* Minimum SSL/TLS version */
1417 max_version
= _HTTP_TLS_MAX
; /* Maximum SSL/TLS version */
1418 char temp
[256], /* Copy of value */
1419 *start
, /* Start of option */
1420 *end
; /* End of option */
1423 strlcpy(temp
, value
, sizeof(temp
));
1425 for (start
= temp
; *start
; start
= end
)
1428 * Find end of keyword...
1432 while (*end
&& !_cups_isspace(*end
))
1442 if (!_cups_strcasecmp(start
, "AllowRC4"))
1443 options
|= _HTTP_TLS_ALLOW_RC4
;
1444 else if (!_cups_strcasecmp(start
, "AllowSSL3"))
1445 min_version
= _HTTP_TLS_SSL3
;
1446 else if (!_cups_strcasecmp(start
, "AllowDH"))
1447 options
|= _HTTP_TLS_ALLOW_DH
;
1448 else if (!_cups_strcasecmp(start
, "DenyCBC"))
1449 options
|= _HTTP_TLS_DENY_CBC
;
1450 else if (!_cups_strcasecmp(start
, "DenyTLS1.0"))
1451 min_version
= _HTTP_TLS_1_1
;
1452 else if (!_cups_strcasecmp(start
, "MaxTLS1.0"))
1453 max_version
= _HTTP_TLS_1_0
;
1454 else if (!_cups_strcasecmp(start
, "MaxTLS1.1"))
1455 max_version
= _HTTP_TLS_1_1
;
1456 else if (!_cups_strcasecmp(start
, "MaxTLS1.2"))
1457 max_version
= _HTTP_TLS_1_2
;
1458 else if (!_cups_strcasecmp(start
, "MaxTLS1.3"))
1459 max_version
= _HTTP_TLS_1_3
;
1460 else if (!_cups_strcasecmp(start
, "MinTLS1.0"))
1461 min_version
= _HTTP_TLS_1_0
;
1462 else if (!_cups_strcasecmp(start
, "MinTLS1.1"))
1463 min_version
= _HTTP_TLS_1_1
;
1464 else if (!_cups_strcasecmp(start
, "MinTLS1.2"))
1465 min_version
= _HTTP_TLS_1_2
;
1466 else if (!_cups_strcasecmp(start
, "MinTLS1.3"))
1467 min_version
= _HTTP_TLS_1_3
;
1468 else if (!_cups_strcasecmp(start
, "None"))
1469 options
= _HTTP_TLS_NONE
;
1472 cc
->ssl_options
= options
;
1473 cc
->ssl_max_version
= max_version
;
1474 cc
->ssl_min_version
= min_version
;
1476 DEBUG_printf(("4cups_set_ssl_options(cc=%p, value=\"%s\") options=%x, min_version=%d, max_version=%d", (void *)cc
, value
, options
, min_version
, max_version
));
1478 #endif /* HAVE_SSL */
1482 * 'cups_set_user()' - Set the User value.
1487 _cups_client_conf_t
*cc
, /* I - client.conf values */
1488 const char *value
) /* I - Value */
1490 strlcpy(cc
->user
, value
, sizeof(cc
->user
));