From: Michael R Sweet Date: Mon, 7 Apr 2025 19:19:30 +0000 (-0400) Subject: Add httpGetSecurity API. X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=e83739273d37f1cae240ab009e3fb46580cb9ba5;p=thirdparty%2Fcups.git Add httpGetSecurity API. --- diff --git a/CHANGES.md b/CHANGES.md index 703c51708d..702d9f6365 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -9,6 +9,7 @@ Changes in CUPS v2.5b1 (YYYY-MM-DD) APIs. - Added new `cupsRasterInitHeader` API. - Added `httpConnectURI` API. +- Added `httpGetSecurity` API. - Added `ippAddCredentialsString`, `ippGetFirstAttribute`, `ippGetNextAttribute`, `ippRestore`, and `ippSave` APIs. - Added new DNS-SD APIs. diff --git a/cups/http.h b/cups/http.h index 68c1c95853..d8aa2e7e5c 100644 --- a/cups/http.h +++ b/cups/http.h @@ -1,7 +1,7 @@ // // Hyper-Text Transport Protocol definitions for CUPS. // -// Copyright © 2020-2024 by OpenPrinting. +// Copyright © 2020-2025 by OpenPrinting. // Copyright © 2007-2018 by Apple Inc. // Copyright © 1997-2007 by Easy Software Products, all rights reserved. // @@ -454,6 +454,7 @@ extern off_t httpGetLength2(http_t *http) _CUPS_PUBLIC; extern size_t httpGetPending(http_t *http) _CUPS_PUBLIC; extern size_t httpGetReady(http_t *http) _CUPS_PUBLIC; extern size_t httpGetRemaining(http_t *http) _CUPS_PUBLIC; +extern const char *httpGetSecurity(http_t *http, char *buffer, size_t bufsize) _CUPS_PUBLIC; extern http_state_t httpGetState(http_t *http) _CUPS_PUBLIC; extern http_status_t httpGetStatus(http_t *http) _CUPS_PUBLIC; extern char *httpGetSubField(http_t *http, http_field_t field, const char *name, char *value) _CUPS_DEPRECATED_MSG("Use httpGetSubField2 instead."); diff --git a/cups/libcups2.def b/cups/libcups2.def index 51ae18d4cf..6d519e3165 100644 --- a/cups/libcups2.def +++ b/cups/libcups2.def @@ -539,6 +539,7 @@ httpGetLength2 httpGetPending httpGetReady httpGetRemaining +httpGetSecurity httpGetState httpGetStatus httpGetSubField 
diff --git a/cups/tls-gnutls.c b/cups/tls-gnutls.c
index 3dd25c1384..78dbe60e31 100644
--- a/cups/tls-gnutls.c
+++ b/cups/tls-gnutls.c
@@ -1520,6 +1520,62 @@ _httpFreeCredentials(
 }
 
 
+//
+// 'httpGetSecurity()' - Get the TLS version and cipher suite used by a connection.
+//
+// This function gets the TLS version and cipher suite being used by a
+// connection, if any. The string is copied to "buffer" and is of the form
+// "TLS/major.minor CipherSuite". If not encrypted, the buffer is cleared to
+// the empty string.
+//
+// @since CUPS 2.5@
+//
+
+const char * // O - Security information or `NULL` if not encrypted
+httpGetSecurity(http_t *http, // I - HTTP connection
+ char *buffer, // I - String buffer
+ size_t bufsize) // I - Size of buffer
+{
+ const char *cipherName; // Cipher suite name
+
+
+ // Range check input...
+ if (buffer)
+ *buffer = '\0';
+
+ if (!http || !http->tls || !buffer || bufsize < 16)
+ return (NULL);
+
+ // Record the TLS version and cipher suite...
+ cipherName = gnutls_session_get_desc(http->tls);
+
+ switch (gnutls_protocol_get_version(http->tls))
+ {
+ default :
+ snprintf(buffer, bufsize, "TLS/?.? %s", cipherName);
+ break;
+
+ case GNUTLS_TLS1_0 :
+ snprintf(buffer, bufsize, "TLS/1.0 %s", cipherName);
+ break;
+
+ case GNUTLS_TLS1_1 :
+ snprintf(buffer, bufsize, "TLS/1.1 %s", cipherName);
+ break;
+
+ case GNUTLS_TLS1_2 :
+ snprintf(buffer, bufsize, "TLS/1.2 %s", cipherName);
+ break;
+
+ case GNUTLS_TLS1_3 :
+ snprintf(buffer, bufsize, "TLS/1.3 %s", cipherName);
+ break;
+ }
+
+ return (buffer);
+}
+
+
 //
 // '_httpTLSInitialize()' - Initialize the TLS stack.
 //
diff --git a/cups/tls-openssl.c b/cups/tls-openssl.c
index 48a5ab8a26..5474d57c91 100644
--- a/cups/tls-openssl.c
+++ b/cups/tls-openssl.c
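Review bot: In the GnuTLS `httpGetSecurity()` (cups/tls-gnutls.c), the string returned by `gnutls_session_get_desc()` is allocated by GnuTLS and is documented as needing `gnutls_free()`; here it is stored in a `const char *` and never released, so every call leaks one description string. The removed tlscheck code had the same pattern in a short-lived program, but this commit also calls the function once per upgraded connection in ippeveprinter, which keeps running. The same call is documented to return NULL before the handshake has completed, and that NULL would then be passed to `%s`. Choosing the version string in the switch, formatting once and freeing the description addresses both, as sketched below.

```c
  char       *desc;      // Session description, allocated by GnuTLS
  const char *version;   // TLS version string

  // … unchanged: range check of http, http->tls, buffer and bufsize …

  switch (gnutls_protocol_get_version(http->tls))
  {
    default :
        version = "?.?";
        break;

    case GNUTLS_TLS1_0 :
        version = "1.0";
        break;

    case GNUTLS_TLS1_1 :
        version = "1.1";
        break;

    case GNUTLS_TLS1_2 :
        version = "1.2";
        break;

    case GNUTLS_TLS1_3 :
        version = "1.3";
        break;
  }

  // The description is heap-allocated; NULL means no completed handshake.
  desc = gnutls_session_get_desc(http->tls);
  snprintf(buffer, bufsize, "TLS/%s %s", version, desc ? desc : "unknown");
  gnutls_free(desc);

  return (buffer);
```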
@@ -1534,6 +1534,64 @@ _httpFreeCredentials(
 }
 
 
+//
+// 'httpGetSecurity()' - Get the TLS version and cipher suite used by a connection.
+//
+// This function gets the TLS version and cipher suite being used by a
+// connection, if any. The string is copied to "buffer" and is of the form
+// "TLS/major.minor CipherSuite". If not encrypted, the buffer is cleared to
+// the empty string.
+//
+// @since CUPS 2.5@
+//
+
+const char * // O - Security information or `NULL` if not encrypted
+httpGetSecurity(http_t *http, // I - HTTP connection
+ char *buffer, // I - String buffer
+ size_t bufsize) // I - Size of buffer
+{
+ const char *cipherName; // Cipher suite name
+
+
+ // Range check input...
+ if (buffer)
+ *buffer = '\0';
+
+ if (!http || !http->tls || !buffer || bufsize < 16)
+ return (NULL);
+
+ // Record the TLS version and cipher suite...
+ cipherName = SSL_get_cipher_name(http->tls);
+
+ switch (SSL_version(http->tls))
+ {
+ default :
+ snprintf(buffer, bufsize, "TLS/?.? %s", cipherName);
+ break;
+
+ case TLS1_VERSION :
+ snprintf(buffer, bufsize, "TLS/1.0 %s", cipherName);
+ break;
+
+ case TLS1_1_VERSION :
+ snprintf(buffer, bufsize, "TLS/1.1 %s", cipherName);
+ break;
+
+ case TLS1_2_VERSION :
+ snprintf(buffer, bufsize, "TLS/1.2 %s", cipherName);
+ break;
+
+# ifdef TLS1_3_VERSION
+ case TLS1_3_VERSION :
+ snprintf(buffer, bufsize, "TLS/1.3 %s", cipherName);
+ break;
+# endif // TLS1_3_VERSION
+ }
+
+ return (buffer);
+}
+
+
 //
 // '_httpTLSInitialize()' - Initialize the TLS stack.
 //
diff --git a/cups/tlscheck.c b/cups/tlscheck.c
index 36fb135abc..ec5cc308eb 100644
--- a/cups/tlscheck.c
+++ b/cups/tlscheck.c
@@ -1,7 +1,7 @@
 //
 // TLS check program for CUPS.
 //
-// Copyright © 2020-2024 by OpenPrinting.
+// Copyright © 2020-2025 by OpenPrinting.
 // Copyright © 2007-2017 by Apple Inc.
 // Copyright © 1997-2006 by Easy Software Products.
 //
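Review bot: The header comment on `httpGetSecurity()` in cups/tls-openssl.c leaves the buffer contract undocumented: the function returns NULL and leaves an empty string whenever `bufsize` is below 16, and `snprintf()` silently truncates a longer version/cipher string. The return comment also says NULL means "not encrypted", while the same value is returned for a NULL `http` or `buffer`. I would add a line such as `// "bufsize" must be at least 16 bytes; a longer result is truncated to fit.` and reword the return comment to say NULL is returned when the connection is not encrypted or the arguments are invalid. The identical comment block in cups/tls-gnutls.c needs the same wording.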
@@ -31,11 +31,10 @@ main(int argc, // I - Number of command-line arguments
 http_t *http = NULL; // HTTP connection
 const char *server = NULL; // Hostname from command-line
 int port = 0; // Port number
- char *creds; // Server credentials
- char creds_str[2048]; // Credentials string
- const char *cipherName; // Cipher suite name
- int tlsVersion = 0; // TLS version number
- char uri[1024], // Printer URI
+ char *creds, // Server credentials
+ creds_str[2048], // Credentials string
+ security[256], // Security string
+ uri[1024], // Printer URI
 scheme[32], // URI scheme
 host[256], // Hostname
 userpass[256], // Username/password
@@ -184,57 +183,7 @@ main(int argc, // I - Number of command-line arguments
 free(creds);
 }
 
-#ifdef HAVE_OPENSSL
- switch (SSL_version(http->tls))
- {
- default :
- tlsVersion = 0;
- break;
-
- case TLS1_VERSION :
- tlsVersion = 10;
- break;
-
- case TLS1_1_VERSION :
- tlsVersion = 11;
- break;
-
- case TLS1_2_VERSION :
- tlsVersion = 12;
- break;
-
-# ifdef TLS1_3_VERSION
- case TLS1_3_VERSION :
- tlsVersion = 13;
- break;
-# endif // TLS1_3_VERSION
- }
-
- cipherName = SSL_get_cipher_name(http->tls);
-
-#else // HAVE_GNUTLS
- switch (gnutls_protocol_get_version(http->tls))
- {
- default :
- tlsVersion = 0;
- break;
- case GNUTLS_TLS1_0 :
- tlsVersion = 10;
- break;
- case GNUTLS_TLS1_1 :
- tlsVersion = 11;
- break;
- case GNUTLS_TLS1_2 :
- tlsVersion = 12;
- break;
- case GNUTLS_TLS1_3 :
- tlsVersion = 13;
- break;
- }
- cipherName = gnutls_session_get_desc(http->tls);
-#endif // HAVE_OPENSSL
-
- printf("%s: OK (TLS: %d.%d, %s)\n", server, tlsVersion / 10, tlsVersion % 10, cipherName);
+ printf("%s: OK (%s)\n", server, httpGetSecurity(http, security, sizeof(security)));
 printf(" %s\n", creds_str);
 
 if (verbose)
diff --git a/tools/ippeveprinter.c b/tools/ippeveprinter.c
index fd616f23a9..6b04247ee3 100644
--- a/tools/ippeveprinter.c
+++ b/tools/ippeveprinter.c
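Review bot: The new `printf()` in `main()` of cups/tlscheck.c passes the return value of `httpGetSecurity()` straight to `%s`, and that function returns NULL when `http->tls` is unset or an argument is rejected; a NULL argument for `%s` is undefined behaviour. Because the function always leaves `security` holding a valid, possibly empty, string, it is safer to call it first and print the buffer: `httpGetSecurity(http, security, sizeof(security));` followed by `printf("%s: OK (%s)\n", server, security);`. The two `fprintf()` calls added to `process_client()` and `process_http()` in tools/ippeveprinter.c use the same pattern and would take the same change. `main()` begins and ends outside this hunk, so whether the connection is always encrypted at this point cannot be confirmed from the lines shown.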
@@ -1,7 +1,7 @@ // // IPP Everywhere printer application for CUPS. // -// Copyright © 2020-2024 by OpenPrinting. +// Copyright © 2020-2025 by OpenPrinting. // Copyright © 2020 by the IEEE-ISTO Printer Working Group. // Copyright © 2010-2021 by Apple Inc. // @@ -4708,6 +4708,8 @@ process_client(ippeve_client_t *client) // I - Client if (recv(httpGetFd(client->http), buf, 1, MSG_PEEK) == 1 && (!buf[0] || !strchr("DGHOPT", buf[0]))) { + char security[256]; // Security description + fprintf(stderr, "%s Starting HTTPS session.\n", client->hostname); if (!httpSetEncryption(client->http, HTTP_ENCRYPTION_ALWAYS)) @@ -4716,7 +4718,7 @@ process_client(ippeve_client_t *client) // I - Client break; } - fprintf(stderr, "%s Connection now encrypted.\n", client->hostname); + fprintf(stderr, "%s Connection now encrypted (%s).\n", client->hostname, httpGetSecurity(client->http, security, sizeof(security))); } first_time = false; @@ -4853,6 +4855,8 @@ process_http(ippeve_client_t *client) // I - Client connection { if (strstr(httpGetField(client->http, HTTP_FIELD_UPGRADE), "TLS/") != NULL && !httpIsEncrypted(client->http)) { + char security[256]; // Security description + if (!respond_http(client, HTTP_STATUS_SWITCHING_PROTOCOLS, NULL, NULL, 0)) return (0); @@ -4864,7 +4868,7 @@ process_http(ippeve_client_t *client) // I - Client connection return (0); } - fprintf(stderr, "%s Connection now encrypted.\n", client->hostname); + fprintf(stderr, "%s Connection now encrypted (%s).\n", client->hostname, httpGetSecurity(client->http, security, sizeof(security))); } else if (!respond_http(client, HTTP_STATUS_NOT_IMPLEMENTED, NULL, NULL, 0)) return (0);