/*
* User, system, and password routines for CUPS.
*
- * Copyright 2007-2015 by Apple Inc.
+ * Copyright 2007-2017 by Apple Inc.
* Copyright 1997-2006 by Easy Software Products.
*
- * These coded instructions, statements, and computer programs are the
- * property of Apple Inc. and are protected by Federal copyright
- * law. Distribution and use rights are outlined in the file "LICENSE.txt"
- * which should have been included with this file. If this file is
- * file is missing or damaged, see the license at "http://www.cups.org/".
- *
- * This file is subject to the Apple OS-Developed Software exception.
+ * Licensed under Apache License v2.0. See the file "LICENSE" for more information.
*/
/*
#include "cups-private.h"
#include <stdlib.h>
#include <sys/stat.h>
-#ifdef WIN32
+#ifdef _WIN32
# include <windows.h>
#else
# include <pwd.h>
# include <termios.h>
# include <sys/utsname.h>
-#endif /* WIN32 */
+#endif /* _WIN32 */
/*
* Local constants...
*/
+#ifdef __APPLE__
+# define kCUPSPrintingPrefs CFSTR("org.cups.PrintingPrefs")
+# define kAllowAnyRootKey CFSTR("AllowAnyRoot")
+# define kAllowExpiredCertsKey CFSTR("AllowExpiredCerts")
+# define kEncryptionKey CFSTR("Encryption")
+# define kGSSServiceNameKey CFSTR("GSSServiceName")
+# define kSSLOptionsKey CFSTR("SSLOptions")
+# define kTrustOnFirstUseKey CFSTR("TrustOnFirstUse")
+# define kValidateCertsKey CFSTR("ValidateCerts")
+#endif /* __APPLE__ */
+
#define _CUPS_PASSCHAR '*' /* Character that is echoed for password */
typedef struct _cups_client_conf_s /**** client.conf config data ****/
{
#ifdef HAVE_SSL
- int ssl_options; /* SSLOptions values */
+ int ssl_options, /* SSLOptions values */
+ ssl_min_version,/* Minimum SSL/TLS version */
+ ssl_max_version;/* Maximum SSL/TLS version */
#endif /* HAVE_SSL */
- int any_root, /* Allow any (e.g., self-signed) root */
+ int trust_first, /* Trust on first use? */
+ any_root, /* Allow any (e.g., self-signed) root */
expired_certs, /* Allow expired certs */
validate_certs; /* Validate certificates */
http_encryption_t encryption; /* Encryption setting */
* Local functions...
*/
+#ifdef __APPLE__
+static int cups_apple_get_boolean(CFStringRef key, int *value);
+static int cups_apple_get_string(CFStringRef key, char *value, size_t valsize);
+#endif /* __APPLE__ */
+static int cups_boolean_value(const char *value);
static void cups_finalize_client_conf(_cups_client_conf_t *cc);
static void cups_init_client_conf(_cups_client_conf_t *cc);
static void cups_read_client_conf(cups_file_t *fp, _cups_client_conf_t *cc);
* thread in a program. Multi-threaded programs that override the setting via
* the @link cupsSetPasswordCB@ or @link cupsSetPasswordCB2@ functions need to
* do so in each thread for the same function to be used.
+ *
+ * @exclude all@
*/
const char * /* O - Password */
/*
- * 'cupsGetPassword2()' - Get a password from the user using the advanced
+ * 'cupsGetPassword2()' - Get a password from the user using the current
* password callback.
*
* Uses the current password callback function. Returns @code NULL@ if the
*
* Note: The current password callback function is tracked separately for each
* thread in a program. Multi-threaded programs that override the setting via
- * the @link cupsSetPasswordCB@ or @link cupsSetPasswordCB2@ functions need to
- * do so in each thread for the same function to be used.
+ * the @link cupsSetPasswordCB2@ function need to do so in each thread for the
+ * same function to be used.
*
- * @since CUPS 1.4/OS X 10.6@
+ * @since CUPS 1.4/macOS 10.6@
*/
const char * /* O - Password */
* in a program. Multi-threaded programs that override the callback need to do
* so in each thread for the same callback to be used.
*
- * @since CUPS 1.5/OS X 10.7@
+ * @since CUPS 1.5/macOS 10.7@
*/
void
* program. Multi-threaded programs that override the setting need to do so in
* each thread for the same setting to be used.
*
- * @since CUPS 1.5/OS X 10.7@
+ * @since CUPS 1.5/macOS 10.7@
*/
int /* O - Status of call (0 = success) */
* Note: The current password callback is tracked separately for each thread
* in a program. Multi-threaded programs that override the callback need to do
* so in each thread for the same callback to be used.
+ *
+ * @exclude all@
*/
void
* in a program. Multi-threaded programs that override the callback need to do
* so in each thread for the same callback to be used.
*
- * @since CUPS 1.4/OS X 10.6@
+ * @since CUPS 1.4/macOS 10.6@
*/
void
* in a program. Multi-threaded programs that override the callback need to do
* so in each thread for the same callback to be used.
*
- * @since CUPS 1.5/OS X 10.7@
+ * @since CUPS 1.5/macOS 10.7@
*/
void
* Setting the string to NULL forces the default value containing the CUPS
* version, IPP version, and operating system version and architecture.
*
- * @since CUPS 1.7/OS X 10.9@
+ * @since CUPS 1.7/macOS 10.9@
*/
void
{
_cups_globals_t *cg = _cupsGlobals();
/* Thread globals */
-#ifdef WIN32
+#ifdef _WIN32
SYSTEM_INFO sysinfo; /* System information */
OSVERSIONINFO version; /* OS version info */
#else
struct utsname name; /* uname info */
-#endif /* WIN32 */
+#endif /* _WIN32 */
if (user_agent)
return;
}
-#ifdef WIN32
+#ifdef _WIN32
version.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
GetVersionEx(&version);
GetNativeSystemInfo(&sysinfo);
snprintf(cg->user_agent, sizeof(cg->user_agent),
CUPS_MINIMAL " (%s %s; %s) IPP/2.0",
name.sysname, name.release, name.machine);
-#endif /* WIN32 */
+#endif /* _WIN32 */
}
/*
* 'cupsUserAgent()' - Return the default HTTP User-Agent string.
*
- * @since CUPS 1.7/OS X 10.9@
+ * @since CUPS 1.7/macOS 10.9@
*/
const char * /* O - User-Agent string */
const char * /* O - Password or @code NULL@ if none */
_cupsGetPassword(const char *prompt) /* I - Prompt string */
{
-#ifdef WIN32
+#ifdef _WIN32
HANDLE tty; /* Console handle */
DWORD mode; /* Console mode */
char passch, /* Current key press */
memset(cg->password, 0, sizeof(cg->password));
return (NULL);
}
-#endif /* WIN32 */
+#endif /* _WIN32 */
}
# ifdef HAVE_GETEUID
if ((geteuid() == getuid() || !getuid()) && getegid() == getgid() && (home = getenv("HOME")) != NULL)
-# elif !defined(WIN32)
+# elif !defined(_WIN32)
if (getuid() && (home = getenv("HOME")) != NULL)
# else
if ((home = getenv("HOME")) != NULL)
strlcpy(cg->gss_service_name, cc.gss_service_name, sizeof(cg->gss_service_name));
#endif /* HAVE_GSSAPI */
+ if (cg->trust_first < 0)
+ cg->trust_first = cc.trust_first;
+
if (cg->any_root < 0)
cg->any_root = cc.any_root;
cg->validate_certs = cc.validate_certs;
#ifdef HAVE_SSL
- _httpTLSSetOptions(cc.ssl_options);
+ _httpTLSSetOptions(cc.ssl_options | _HTTP_TLS_SET_DEFAULT, cc.ssl_min_version, cc.ssl_max_version);
#endif /* HAVE_SSL */
}
+#ifdef __APPLE__
+/*
+ * 'cups_apple_get_boolean()' - Get a boolean setting from the CUPS preferences.
+ */
+
+static int /* O - 1 if set, 0 otherwise */
+cups_apple_get_boolean(
+ CFStringRef key, /* I - Key (name) */
+ int *value) /* O - Boolean value */
+{
+ Boolean bval, /* Preference value */
+ bval_set; /* Value is set? */
+
+
+ bval = CFPreferencesGetAppBooleanValue(key, kCUPSPrintingPrefs, &bval_set);
+
+ if (bval_set)
+ *value = (int)bval;
+
+ return ((int)bval_set);
+}
+
+
+/*
+ * 'cups_apple_get_string()' - Get a string setting from the CUPS preferences.
+ */
+
+static int /* O - 1 if set, 0 otherwise */
+cups_apple_get_string(
+ CFStringRef key, /* I - Key (name) */
+ char *value, /* O - String value */
+ size_t valsize) /* I - Size of value buffer */
+{
+ CFStringRef sval; /* String value */
+
+
+ if ((sval = CFPreferencesCopyAppValue(key, kCUPSPrintingPrefs)) != NULL)
+ {
+ Boolean result = CFStringGetCString(sval, value, (CFIndex)valsize, kCFStringEncodingUTF8);
+
+ CFRelease(sval);
+
+ if (result)
+ return (1);
+ }
+
+ return (0);
+}
+#endif /* __APPLE__ */
+
+
/*
* 'cups_boolean_value()' - Convert a string to a boolean value.
*/
const char *value; /* Environment variable */
+ if ((value = getenv("CUPS_TRUSTFIRST")) != NULL)
+ cc->trust_first = cups_boolean_value(value);
+
if ((value = getenv("CUPS_ANYROOT")) != NULL)
cc->any_root = cups_boolean_value(value);
* Then apply defaults for those values that haven't been set...
*/
+ if (cc->trust_first < 0)
+ cc->trust_first = 1;
+
if (cc->any_root < 0)
cc->any_root = 1;
cc->encryption = HTTP_ENCRYPTION_IF_REQUESTED;
if (cc->expired_certs < 0)
- cc->expired_certs = 1;
+ cc->expired_certs = 0;
#ifdef HAVE_GSSAPI
if (!cc->gss_service_name[0])
if (!cc->user[0])
{
-#ifdef WIN32
+#ifdef _WIN32
/*
* Get the current user name from the OS...
*/
if (pw)
strlcpy(cc->user, pw->pw_name, sizeof(cc->user));
else
-#endif /* WIN32 */
+#endif /* _WIN32 */
{
/*
* Use the default "unknown" user name...
memset(cc, 0, sizeof(_cups_client_conf_t));
- cc->encryption = (http_encryption_t)-1;
- cc->any_root = -1;
- cc->expired_certs = -1;
- cc->validate_certs = -1;
+#ifdef HAVE_SSL
+ cc->ssl_min_version = _HTTP_TLS_1_0;
+ cc->ssl_max_version = _HTTP_TLS_MAX;
+#endif /* HAVE_SSL */
+ cc->encryption = (http_encryption_t)-1;
+ cc->trust_first = -1;
+ cc->any_root = -1;
+ cc->expired_certs = -1;
+ cc->validate_certs = -1;
+
+ /*
+ * Load settings from the org.cups.PrintingPrefs plist (which trump
+ * everything...)
+ */
+
+#if defined(__APPLE__) && defined(HAVE_SSL)
+ char sval[1024]; /* String value */
+ int bval; /* Boolean value */
+
+ if (cups_apple_get_boolean(kAllowAnyRootKey, &bval))
+ cc->any_root = bval;
+
+ if (cups_apple_get_boolean(kAllowExpiredCertsKey, &bval))
+ cc->expired_certs = bval;
+
+ if (cups_apple_get_string(kEncryptionKey, sval, sizeof(sval)))
+ cups_set_encryption(cc, sval);
+
+ if (cups_apple_get_string(kSSLOptionsKey, sval, sizeof(sval)))
+ cups_set_ssl_options(cc, sval);
+
+ if (cups_apple_get_boolean(kTrustOnFirstUseKey, &bval))
+ cc->trust_first = bval;
+
+ if (cups_apple_get_boolean(kValidateCertsKey, &bval))
+ cc->validate_certs = bval;
+#endif /* __APPLE__ && HAVE_SSL */
}
cups_set_encryption(cc, value);
#ifndef __APPLE__
/*
- * The ServerName directive is not supported on OS X due to app
+ * The ServerName directive is not supported on macOS due to app
* sandboxing restrictions, i.e. not all apps request network access.
*/
else if (!_cups_strcasecmp(line, "ServerName") && value)
#endif /* !__APPLE__ */
else if (!_cups_strcasecmp(line, "User") && value)
cups_set_user(cc, value);
+ else if (!_cups_strcasecmp(line, "TrustOnFirstUse") && value)
+ cc->trust_first = cups_boolean_value(value);
else if (!_cups_strcasecmp(line, "AllowAnyRoot") && value)
cc->any_root = cups_boolean_value(value);
else if (!_cups_strcasecmp(line, "AllowExpiredCerts") &&
* SSLOptions [AllowRC4] [AllowSSL3] [AllowDH] [DenyTLS1.0] [None]
*/
- int options = _HTTP_TLS_NONE; /* SSL/TLS options */
+ int options = _HTTP_TLS_NONE, /* SSL/TLS options */
+ min_version = _HTTP_TLS_1_0, /* Minimum SSL/TLS version */
+ max_version = _HTTP_TLS_MAX; /* Maximum SSL/TLS version */
char temp[256], /* Copy of value */
*start, /* Start of option */
*end; /* End of option */
if (!_cups_strcasecmp(start, "AllowRC4"))
options |= _HTTP_TLS_ALLOW_RC4;
else if (!_cups_strcasecmp(start, "AllowSSL3"))
- options |= _HTTP_TLS_ALLOW_SSL3;
+ min_version = _HTTP_TLS_SSL3;
else if (!_cups_strcasecmp(start, "AllowDH"))
options |= _HTTP_TLS_ALLOW_DH;
+ else if (!_cups_strcasecmp(start, "DenyCBC"))
+ options |= _HTTP_TLS_DENY_CBC;
else if (!_cups_strcasecmp(start, "DenyTLS1.0"))
- options |= _HTTP_TLS_DENY_TLS10;
+ min_version = _HTTP_TLS_1_1;
+ else if (!_cups_strcasecmp(start, "MaxTLS1.0"))
+ max_version = _HTTP_TLS_1_0;
+ else if (!_cups_strcasecmp(start, "MaxTLS1.1"))
+ max_version = _HTTP_TLS_1_1;
+ else if (!_cups_strcasecmp(start, "MaxTLS1.2"))
+ max_version = _HTTP_TLS_1_2;
+ else if (!_cups_strcasecmp(start, "MaxTLS1.3"))
+ max_version = _HTTP_TLS_1_3;
+ else if (!_cups_strcasecmp(start, "MinTLS1.0"))
+ min_version = _HTTP_TLS_1_0;
+ else if (!_cups_strcasecmp(start, "MinTLS1.1"))
+ min_version = _HTTP_TLS_1_1;
+ else if (!_cups_strcasecmp(start, "MinTLS1.2"))
+ min_version = _HTTP_TLS_1_2;
+ else if (!_cups_strcasecmp(start, "MinTLS1.3"))
+ min_version = _HTTP_TLS_1_3;
else if (!_cups_strcasecmp(start, "None"))
options = _HTTP_TLS_NONE;
}
- cc->ssl_options = options;
+ cc->ssl_options = options;
+ cc->ssl_max_version = max_version;
+ cc->ssl_min_version = min_version;
- DEBUG_printf(("4cups_set_ssl_options(cc=%p, value=\"%s\") options=%x", (void *)cc, value, options));
+ DEBUG_printf(("4cups_set_ssl_options(cc=%p, value=\"%s\") options=%x, min_version=%d, max_version=%d", (void *)cc, value, options, min_version, max_version));
}
#endif /* HAVE_SSL */
projects / thirdparty / cups.git / blobdiff