/*
* User, system, and password routines for CUPS.
*
- * Copyright 2007-2017 by Apple Inc.
+ * Copyright 2007-2019 by Apple Inc.
* Copyright 1997-2006 by Easy Software Products.
*
- * These coded instructions, statements, and computer programs are the
- * property of Apple Inc. and are protected by Federal copyright
- * law. Distribution and use rights are outlined in the file "LICENSE.txt"
- * which should have been included with this file. If this file is
- * missing or damaged, see the license at "http://www.cups.org/".
- *
- * This file is subject to the Apple OS-Developed Software exception.
+ * Licensed under Apache License v2.0. See the file "LICENSE" for more
+ * information.
*/
/*
*/
#include "cups-private.h"
+#include "debug-internal.h"
#include <stdlib.h>
#include <sys/stat.h>
-#ifdef WIN32
+#ifdef _WIN32
# include <windows.h>
#else
# include <pwd.h>
# include <termios.h>
# include <sys/utsname.h>
-#endif /* WIN32 */
+#endif /* _WIN32 */
+#ifdef __APPLE__
+# include <sys/sysctl.h>
+#endif /* __APPLE__ */
/*
*/
#ifdef __APPLE__
-# define kCUPSPrintingPrefs CFSTR("org.cups.PrintingPrefs")
-# define kAllowAnyRootKey CFSTR("AllowAnyRoot")
-# define kAllowExpiredCertsKey CFSTR("AllowExpiredCerts")
-# define kEncryptionKey CFSTR("Encryption")
-# define kGSSServiceNameKey CFSTR("GSSServiceName")
-# define kSSLOptionsKey CFSTR("SSLOptions")
-# define kTrustOnFirstUseKey CFSTR("TrustOnFirstUse")
-# define kValidateCertsKey CFSTR("ValidateCerts")
+# if TARGET_OS_OSX
+# define kCUPSPrintingPrefs CFSTR("org.cups.PrintingPrefs")
+# define kPREFIX ""
+# else
+# define kCUPSPrintingPrefs CFSTR(".GlobalPreferences")
+# define kPREFIX "AirPrint"
+# endif /* TARGET_OS_OSX */
+# define kAllowAnyRootKey CFSTR(kPREFIX "AllowAnyRoot")
+# define kAllowExpiredCertsKey CFSTR(kPREFIX "AllowExpiredCerts")
+# define kEncryptionKey CFSTR(kPREFIX "Encryption")
+# define kGSSServiceNameKey CFSTR(kPREFIX "GSSServiceName")
+# define kSSLOptionsKey CFSTR(kPREFIX "SSLOptions")
+# define kTrustOnFirstUseKey CFSTR(kPREFIX "TrustOnFirstUse")
+# define kValidateCertsKey CFSTR(kPREFIX "ValidateCerts")
+/* Deprecated */
+# define kAllowRC4 CFSTR(kPREFIX "AllowRC4")
+# define kAllowSSL3 CFSTR(kPREFIX "AllowSSL3")
+# define kAllowDH CFSTR(kPREFIX "AllowDH")
#endif /* __APPLE__ */
#define _CUPS_PASSCHAR '*' /* Character that is echoed for password */
typedef struct _cups_client_conf_s /**** client.conf config data ****/
{
#ifdef HAVE_SSL
- int ssl_options; /* SSLOptions values */
+ int ssl_options, /* SSLOptions values */
+ ssl_min_version,/* Minimum SSL/TLS version */
+ ssl_max_version;/* Maximum SSL/TLS version */
#endif /* HAVE_SSL */
int trust_first, /* Trust on first use? */
any_root, /* Allow any (e.g., self-signed) root */
{
_cups_globals_t *cg = _cupsGlobals();
/* Thread globals */
-#ifdef WIN32
+#ifdef _WIN32
SYSTEM_INFO sysinfo; /* System information */
- OSVERSIONINFO version; /* OS version info */
+ OSVERSIONINFOA version; /* OS version info */
+ const char *machine; /* Hardware/machine name */
+#elif defined(__APPLE__)
+ struct utsname name; /* uname info */
+ char version[256]; /* macOS/iOS version */
+ size_t len; /* Length of value */
#else
struct utsname name; /* uname info */
-#endif /* WIN32 */
+#endif /* _WIN32 */
if (user_agent)
return;
}
-#ifdef WIN32
+#ifdef _WIN32
+ /*
+ * Gather Windows version information for the User-Agent string...
+ */
+
version.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
- GetVersionEx(&version);
+ GetVersionExA(&version);
GetNativeSystemInfo(&sysinfo);
- snprintf(cg->user_agent, sizeof(cg->user_agent),
- CUPS_MINIMAL " (Windows %d.%d; %s) IPP/2.0",
- version.dwMajorVersion, version.dwMinorVersion,
- sysinfo.wProcessorArchitecture
- == PROCESSOR_ARCHITECTURE_AMD64 ? "amd64" :
- sysinfo.wProcessorArchitecture
- == PROCESSOR_ARCHITECTURE_ARM ? "arm" :
- sysinfo.wProcessorArchitecture
- == PROCESSOR_ARCHITECTURE_IA64 ? "ia64" :
- sysinfo.wProcessorArchitecture
- == PROCESSOR_ARCHITECTURE_INTEL ? "intel" :
- "unknown");
+ switch (sysinfo.wProcessorArchitecture)
+ {
+ case PROCESSOR_ARCHITECTURE_AMD64 :
+ machine = "amd64";
+ break;
+
+ case PROCESSOR_ARCHITECTURE_ARM :
+ machine = "arm";
+ break;
+
+ case PROCESSOR_ARCHITECTURE_IA64 :
+ machine = "ia64";
+ break;
+
+ case PROCESSOR_ARCHITECTURE_INTEL :
+ machine = "intel";
+ break;
+
+ default :
+ machine = "unknown";
+ break;
+ }
+
+ snprintf(cg->user_agent, sizeof(cg->user_agent), CUPS_MINIMAL " (Windows %d.%d; %s) IPP/2.0", version.dwMajorVersion, version.dwMinorVersion, machine);
+
+#elif defined(__APPLE__)
+ /*
+ * Gather macOS/iOS version information for the User-Agent string...
+ */
+
+ uname(&name);
+
+ len = sizeof(version) - 1;
+ if (!sysctlbyname("kern.osproductversion", version, &len, NULL, 0))
+ version[len] = '\0';
+ else
+ strlcpy(version, "unknown", sizeof(version));
+
+# if TARGET_OS_OSX
+ snprintf(cg->user_agent, sizeof(cg->user_agent), CUPS_MINIMAL " (macOS %s; %s) IPP/2.0", version, name.machine);
+# else
+ snprintf(cg->user_agent, sizeof(cg->user_agent), CUPS_MINIMAL " (iOS %s; %s) IPP/2.0", version, name.machine);
+# endif /* TARGET_OS_OSX */
#else
+ /*
+ * Gather generic UNIX version information for the User-Agent string...
+ */
+
uname(&name);
- snprintf(cg->user_agent, sizeof(cg->user_agent),
- CUPS_MINIMAL " (%s %s; %s) IPP/2.0",
- name.sysname, name.release, name.machine);
-#endif /* WIN32 */
+ snprintf(cg->user_agent, sizeof(cg->user_agent), CUPS_MINIMAL " (%s %s; %s) IPP/2.0", name.sysname, name.release, name.machine);
+#endif /* _WIN32 */
}
const char * /* O - Password or @code NULL@ if none */
_cupsGetPassword(const char *prompt) /* I - Prompt string */
{
-#ifdef WIN32
+#ifdef _WIN32
HANDLE tty; /* Console handle */
DWORD mode; /* Console mode */
char passch, /* Current key press */
memset(cg->password, 0, sizeof(cg->password));
return (NULL);
}
-#endif /* WIN32 */
+#endif /* _WIN32 */
}
# ifdef HAVE_GETEUID
if ((geteuid() == getuid() || !getuid()) && getegid() == getgid() && (home = getenv("HOME")) != NULL)
-# elif !defined(WIN32)
+# elif !defined(_WIN32)
if (getuid() && (home = getenv("HOME")) != NULL)
# else
if ((home = getenv("HOME")) != NULL)
cg->validate_certs = cc.validate_certs;
#ifdef HAVE_SSL
- if (cc.ssl_options != _HTTP_TLS_UNCHANGED)
- {
- _httpTLSSetOptions(cc.ssl_options);
- }
+ _httpTLSSetOptions(cc.ssl_options | _HTTP_TLS_SET_DEFAULT, cc.ssl_min_version, cc.ssl_max_version);
#endif /* HAVE_SSL */
}
if (!cc->user[0])
{
-#ifdef WIN32
+#ifdef _WIN32
/*
* Get the current user name from the OS...
*/
DWORD size; /* Size of string */
size = sizeof(cc->user);
- if (!GetUserName(cc->user, &size))
+ if (!GetUserNameA(cc->user, &size))
#else
/*
* Try the USER environment variable as the default username...
if (pw)
strlcpy(cc->user, pw->pw_name, sizeof(cc->user));
else
-#endif /* WIN32 */
+#endif /* _WIN32 */
{
/*
* Use the default "unknown" user name...
memset(cc, 0, sizeof(_cups_client_conf_t));
- cc->encryption = (http_encryption_t)-1;
- cc->trust_first = -1;
- cc->any_root = -1;
- cc->expired_certs = -1;
- cc->validate_certs = -1;
+#if defined(__APPLE__) && !TARGET_OS_OSX
+ cups_set_user(cc, "mobile");
+#endif /* __APPLE__ && !TARGET_OS_OSX */
+
+#ifdef HAVE_SSL
+ cc->ssl_min_version = _HTTP_TLS_1_0;
+ cc->ssl_max_version = _HTTP_TLS_MAX;
+#endif /* HAVE_SSL */
+ cc->encryption = (http_encryption_t)-1;
+ cc->trust_first = -1;
+ cc->any_root = -1;
+ cc->expired_certs = -1;
+ cc->validate_certs = -1;
/*
* Load settings from the org.cups.PrintingPrefs plist (which trump
cups_set_encryption(cc, sval);
if (cups_apple_get_string(kSSLOptionsKey, sval, sizeof(sval)))
+ {
cups_set_ssl_options(cc, sval);
+ }
+ else
+ {
+ sval[0] = '\0';
+
+ if (cups_apple_get_boolean(kAllowRC4, &bval) && bval)
+ strlcat(sval, " AllowRC4", sizeof(sval));
+ if (cups_apple_get_boolean(kAllowSSL3, &bval) && bval)
+ strlcat(sval, " AllowSSL3", sizeof(sval));
+ if (cups_apple_get_boolean(kAllowDH, &bval) && bval)
+ strlcat(sval, " AllowDH", sizeof(sval));
+
+ if (sval[0])
+ cups_set_ssl_options(cc, sval);
+ }
if (cups_apple_get_boolean(kTrustOnFirstUseKey, &bval))
cc->trust_first = bval;
* SSLOptions [AllowRC4] [AllowSSL3] [AllowDH] [DenyTLS1.0] [None]
*/
- unsigned int options = _HTTP_TLS_UNCHANGED; /* SSL/TLS options */
- char temp[256], /* Copy of value */
- *start, /* Start of option */
- *end; /* End of option */
+ int options = _HTTP_TLS_NONE, /* SSL/TLS options */
+ min_version = _HTTP_TLS_1_0, /* Minimum SSL/TLS version */
+ max_version = _HTTP_TLS_MAX; /* Maximum SSL/TLS version */
+ char temp[256], /* Copy of value */
+ *start, /* Start of option */
+ *end; /* End of option */
strlcpy(temp, value, sizeof(temp));
if (!_cups_strcasecmp(start, "AllowRC4"))
options |= _HTTP_TLS_ALLOW_RC4;
else if (!_cups_strcasecmp(start, "AllowSSL3"))
- options |= _HTTP_TLS_ALLOW_SSL3;
+ min_version = _HTTP_TLS_SSL3;
else if (!_cups_strcasecmp(start, "AllowDH"))
options |= _HTTP_TLS_ALLOW_DH;
else if (!_cups_strcasecmp(start, "DenyCBC"))
options |= _HTTP_TLS_DENY_CBC;
else if (!_cups_strcasecmp(start, "DenyTLS1.0"))
- options |= _HTTP_TLS_DENY_TLS10;
+ min_version = _HTTP_TLS_1_1;
+ else if (!_cups_strcasecmp(start, "MaxTLS1.0"))
+ max_version = _HTTP_TLS_1_0;
+ else if (!_cups_strcasecmp(start, "MaxTLS1.1"))
+ max_version = _HTTP_TLS_1_1;
+ else if (!_cups_strcasecmp(start, "MaxTLS1.2"))
+ max_version = _HTTP_TLS_1_2;
+ else if (!_cups_strcasecmp(start, "MaxTLS1.3"))
+ max_version = _HTTP_TLS_1_3;
+ else if (!_cups_strcasecmp(start, "MinTLS1.0"))
+ min_version = _HTTP_TLS_1_0;
+ else if (!_cups_strcasecmp(start, "MinTLS1.1"))
+ min_version = _HTTP_TLS_1_1;
+ else if (!_cups_strcasecmp(start, "MinTLS1.2"))
+ min_version = _HTTP_TLS_1_2;
+ else if (!_cups_strcasecmp(start, "MinTLS1.3"))
+ min_version = _HTTP_TLS_1_3;
else if (!_cups_strcasecmp(start, "None"))
options = _HTTP_TLS_NONE;
}
- cc->ssl_options = options;
+ cc->ssl_options = options;
+ cc->ssl_max_version = max_version;
+ cc->ssl_min_version = min_version;
- DEBUG_printf(("4cups_set_ssl_options(cc=%p, value=\"%s\") options=%x", (void *)cc, value, options));
+ DEBUG_printf(("4cups_set_ssl_options(cc=%p, value=\"%s\") options=%x, min_version=%d, max_version=%d", (void *)cc, value, options, min_version, max_version));
}
#endif /* HAVE_SSL */