1 /*
2  * User, system, and password routines for CUPS.
3  *
4  * Copyright 2007-2019 by Apple Inc.
5  * Copyright 1997-2006 by Easy Software Products.
6  *
7  * Licensed under Apache License v2.0.  See the file "LICENSE" for more
8  * information.
9  */
10 
11 /*
12  * Include necessary headers...
13  */
14 
15 #include "cups-private.h"
16 #include "debug-internal.h"
17 #include <stdlib.h>
18 #include <sys/stat.h>
19 #ifdef _WIN32
20 #  include <windows.h>
21 #else
22 #  include <pwd.h>
23 #  include <termios.h>
24 #  include <sys/utsname.h>
25 #endif /* _WIN32 */
26 #ifdef __APPLE__
27 #  include <sys/sysctl.h>
28 #endif /* __APPLE__ */
29 
30 
31 /*
32  * Local constants...
33  */
34 
35 #ifdef __APPLE__
36 #  if TARGET_OS_OSX
37 #    define kCUPSPrintingPrefs	CFSTR("org.cups.PrintingPrefs")
38 #    define kPREFIX		""
39 #  else
40 #    define kCUPSPrintingPrefs	CFSTR(".GlobalPreferences")
41 #    define kPREFIX		"AirPrint"
42 #  endif /* TARGET_OS_OSX */
43 #  define kDigestOptionsKey	CFSTR(kPREFIX "DigestOptions")
44 #  define kUserKey		CFSTR(kPREFIX "User")
45 #  define kUserAgentTokensKey	CFSTR(kPREFIX "UserAgentTokens")
46 #  define kAllowAnyRootKey	CFSTR(kPREFIX "AllowAnyRoot")
47 #  define kAllowExpiredCertsKey	CFSTR(kPREFIX "AllowExpiredCerts")
48 #  define kEncryptionKey	CFSTR(kPREFIX "Encryption")
49 #  define kGSSServiceNameKey	CFSTR(kPREFIX "GSSServiceName")
50 #  define kSSLOptionsKey	CFSTR(kPREFIX "SSLOptions")
51 #  define kTrustOnFirstUseKey	CFSTR(kPREFIX "TrustOnFirstUse")
52 #  define kValidateCertsKey	CFSTR(kPREFIX "ValidateCerts")
53 /* Deprecated */
54 #  define kAllowRC4		CFSTR(kPREFIX "AllowRC4")
55 #  define kAllowSSL3		CFSTR(kPREFIX "AllowSSL3")
56 #  define kAllowDH		CFSTR(kPREFIX "AllowDH")
57 #endif /* __APPLE__ */
58 
59 #define _CUPS_PASSCHAR	'*'		/* Character that is echoed for password */
60 
61 
62 /*
63  * Local types...
64  */
65 
66 typedef struct _cups_client_conf_s	/**** client.conf config data ****/
67 {
68   _cups_digestoptions_t	digestoptions;	/* DigestOptions values */
69   _cups_uatokens_t	uatokens;	/* UserAgentTokens values */
70 #ifdef HAVE_SSL
71   int			ssl_options,	/* SSLOptions values */
72 			ssl_min_version,/* Minimum SSL/TLS version */
73 			ssl_max_version;/* Maximum SSL/TLS version */
74 #endif /* HAVE_SSL */
75   int			trust_first,	/* Trust on first use? */
76 			any_root,	/* Allow any (e.g., self-signed) root */
77 			expired_certs,	/* Allow expired certs */
78 			validate_certs;	/* Validate certificates */
79   http_encryption_t	encryption;	/* Encryption setting */
80   char			user[65],	/* User name */
81 			server_name[256];
82 					/* Server hostname */
83 #ifdef HAVE_GSSAPI
84   char			gss_service_name[32];
85   					/* Kerberos service name */
86 #endif /* HAVE_GSSAPI */
87 } _cups_client_conf_t;
88 
89 
90 /*
91  * Local functions...
92  */
93 
94 #ifdef __APPLE__
95 static int	cups_apple_get_boolean(CFStringRef key, int *value);
96 static int	cups_apple_get_string(CFStringRef key, char *value, size_t valsize);
97 #endif /* __APPLE__ */
98 static int	cups_boolean_value(const char *value);
99 static void	cups_finalize_client_conf(_cups_client_conf_t *cc);
100 static void	cups_init_client_conf(_cups_client_conf_t *cc);
101 static void	cups_read_client_conf(cups_file_t *fp, _cups_client_conf_t *cc);
102 static void	cups_set_default_ipp_port(_cups_globals_t *cg);
103 static void	cups_set_digestoptions(_cups_client_conf_t *cc, const char *value);
104 static void	cups_set_encryption(_cups_client_conf_t *cc, const char *value);
105 #ifdef HAVE_GSSAPI
106 static void	cups_set_gss_service_name(_cups_client_conf_t *cc, const char *value);
107 #endif /* HAVE_GSSAPI */
108 static void	cups_set_server_name(_cups_client_conf_t *cc, const char *value);
109 #ifdef HAVE_SSL
110 static void	cups_set_ssl_options(_cups_client_conf_t *cc, const char *value);
111 #endif /* HAVE_SSL */
112 static void	cups_set_uatokens(_cups_client_conf_t *cc, const char *value);
113 static void	cups_set_user(_cups_client_conf_t *cc, const char *value);
114 
115 
116 /*
117  * 'cupsEncryption()' - Get the current encryption settings.
118  *
119  * The default encryption setting comes from the CUPS_ENCRYPTION
120  * environment variable, then the ~/.cups/client.conf file, and finally the
121  * /etc/cups/client.conf file. If not set, the default is
122  * @code HTTP_ENCRYPTION_IF_REQUESTED@.
123  *
124  * Note: The current encryption setting is tracked separately for each thread
125  * in a program. Multi-threaded programs that override the setting via the
126  * @link cupsSetEncryption@ function need to do so in each thread for the same
127  * setting to be used.
128  */
129 
130 http_encryption_t			/* O - Encryption settings */
cupsEncryption(void)131 cupsEncryption(void)
132 {
133   _cups_globals_t *cg = _cupsGlobals();	/* Pointer to library globals */
134 
135 
136   if (cg->encryption == (http_encryption_t)-1)
137     _cupsSetDefaults();
138 
139   return (cg->encryption);
140 }
141 
142 
143 /*
144  * 'cupsGetPassword()' - Get a password from the user.
145  *
146  * Uses the current password callback function. Returns @code NULL@ if the
147  * user does not provide a password.
148  *
149  * Note: The current password callback function is tracked separately for each
150  * thread in a program. Multi-threaded programs that override the setting via
151  * the @link cupsSetPasswordCB@ or @link cupsSetPasswordCB2@ functions need to
152  * do so in each thread for the same function to be used.
153  *
154  * @exclude all@
155  */
156 
157 const char *				/* O - Password */
cupsGetPassword(const char * prompt)158 cupsGetPassword(const char *prompt)	/* I - Prompt string */
159 {
160   _cups_globals_t *cg = _cupsGlobals();	/* Pointer to library globals */
161 
162 
163   return ((cg->password_cb)(prompt, NULL, NULL, NULL, cg->password_data));
164 }
165 
166 
167 /*
168  * 'cupsGetPassword2()' - Get a password from the user using the current
169  *                        password callback.
170  *
171  * Uses the current password callback function. Returns @code NULL@ if the
172  * user does not provide a password.
173  *
174  * Note: The current password callback function is tracked separately for each
175  * thread in a program. Multi-threaded programs that override the setting via
176  * the @link cupsSetPasswordCB2@ function need to do so in each thread for the
177  * same function to be used.
178  *
179  * @since CUPS 1.4/macOS 10.6@
180  */
181 
182 const char *				/* O - Password */
cupsGetPassword2(const char * prompt,http_t * http,const char * method,const char * resource)183 cupsGetPassword2(const char *prompt,	/* I - Prompt string */
184 		 http_t     *http,	/* I - Connection to server or @code CUPS_HTTP_DEFAULT@ */
185 		 const char *method,	/* I - Request method ("GET", "POST", "PUT") */
186 		 const char *resource)	/* I - Resource path */
187 {
188   _cups_globals_t *cg = _cupsGlobals();	/* Pointer to library globals */
189 
190 
191   if (!http)
192     http = _cupsConnect();
193 
194   return ((cg->password_cb)(prompt, http, method, resource, cg->password_data));
195 }
196 
197 
198 /*
199  * 'cupsServer()' - Return the hostname/address of the current server.
200  *
201  * The default server comes from the CUPS_SERVER environment variable, then the
202  * ~/.cups/client.conf file, and finally the /etc/cups/client.conf file. If not
203  * set, the default is the local system - either "localhost" or a domain socket
204  * path.
205  *
206  * The returned value can be a fully-qualified hostname, a numeric IPv4 or IPv6
207  * address, or a domain socket pathname.
208  *
209  * Note: The current server is tracked separately for each thread in a program.
210  * Multi-threaded programs that override the server via the
211  * @link cupsSetServer@ function need to do so in each thread for the same
212  * server to be used.
213  */
214 
215 const char *				/* O - Server name */
cupsServer(void)216 cupsServer(void)
217 {
218   _cups_globals_t *cg = _cupsGlobals();	/* Pointer to library globals */
219 
220 
221   if (!cg->server[0])
222     _cupsSetDefaults();
223 
224   return (cg->server);
225 }
226 
227 
228 /*
229  * 'cupsSetClientCertCB()' - Set the client certificate callback.
230  *
231  * Pass @code NULL@ to restore the default callback.
232  *
233  * Note: The current certificate callback is tracked separately for each thread
234  * in a program. Multi-threaded programs that override the callback need to do
235  * so in each thread for the same callback to be used.
236  *
237  * @since CUPS 1.5/macOS 10.7@
238  */
239 
240 void
cupsSetClientCertCB(cups_client_cert_cb_t cb,void * user_data)241 cupsSetClientCertCB(
242     cups_client_cert_cb_t cb,		/* I - Callback function */
243     void                  *user_data)	/* I - User data pointer */
244 {
245   _cups_globals_t *cg = _cupsGlobals();	/* Pointer to library globals */
246 
247 
248   cg->client_cert_cb	= cb;
249   cg->client_cert_data	= user_data;
250 }
251 
252 
253 /*
254  * 'cupsSetCredentials()' - Set the default credentials to be used for SSL/TLS
255  *			    connections.
256  *
257  * Note: The default credentials are tracked separately for each thread in a
258  * program. Multi-threaded programs that override the setting need to do so in
259  * each thread for the same setting to be used.
260  *
261  * @since CUPS 1.5/macOS 10.7@
262  */
263 
264 int					/* O - Status of call (0 = success) */
cupsSetCredentials(cups_array_t * credentials)265 cupsSetCredentials(
266     cups_array_t *credentials)		/* I - Array of credentials */
267 {
268   _cups_globals_t *cg = _cupsGlobals();	/* Pointer to library globals */
269 
270 
271   if (cupsArrayCount(credentials) < 1)
272     return (-1);
273 
274 #ifdef HAVE_SSL
275   _httpFreeCredentials(cg->tls_credentials);
276   cg->tls_credentials = _httpCreateCredentials(credentials);
277 #endif /* HAVE_SSL */
278 
279   return (cg->tls_credentials ? 0 : -1);
280 }
281 
282 
283 /*
284  * 'cupsSetEncryption()' - Set the encryption preference.
285  *
286  * The default encryption setting comes from the CUPS_ENCRYPTION
287  * environment variable, then the ~/.cups/client.conf file, and finally the
288  * /etc/cups/client.conf file. If not set, the default is
289  * @code HTTP_ENCRYPTION_IF_REQUESTED@.
290  *
291  * Note: The current encryption setting is tracked separately for each thread
292  * in a program. Multi-threaded programs that override the setting need to do
293  * so in each thread for the same setting to be used.
294  */
295 
296 void
cupsSetEncryption(http_encryption_t e)297 cupsSetEncryption(http_encryption_t e)	/* I - New encryption preference */
298 {
299   _cups_globals_t *cg = _cupsGlobals();	/* Pointer to library globals */
300 
301 
302   cg->encryption = e;
303 
304   if (cg->http)
305     httpEncryption(cg->http, e);
306 }
307 
308 
309 /*
310  * 'cupsSetPasswordCB()' - Set the password callback for CUPS.
311  *
312  * Pass @code NULL@ to restore the default (console) password callback, which
313  * reads the password from the console. Programs should call either this
314  * function or @link cupsSetPasswordCB2@, as only one callback can be registered
315  * by a program per thread.
316  *
317  * Note: The current password callback is tracked separately for each thread
318  * in a program. Multi-threaded programs that override the callback need to do
319  * so in each thread for the same callback to be used.
320  *
321  * @exclude all@
322  */
323 
324 void
cupsSetPasswordCB(cups_password_cb_t cb)325 cupsSetPasswordCB(cups_password_cb_t cb)/* I - Callback function */
326 {
327   _cups_globals_t *cg = _cupsGlobals();	/* Pointer to library globals */
328 
329 
330   if (cb == (cups_password_cb_t)0)
331     cg->password_cb = (cups_password_cb2_t)_cupsGetPassword;
332   else
333     cg->password_cb = (cups_password_cb2_t)cb;
334 
335   cg->password_data = NULL;
336 }
337 
338 
339 /*
340  * 'cupsSetPasswordCB2()' - Set the advanced password callback for CUPS.
341  *
342  * Pass @code NULL@ to restore the default (console) password callback, which
343  * reads the password from the console. Programs should call either this
344  * function or @link cupsSetPasswordCB2@, as only one callback can be registered
345  * by a program per thread.
346  *
347  * Note: The current password callback is tracked separately for each thread
348  * in a program. Multi-threaded programs that override the callback need to do
349  * so in each thread for the same callback to be used.
350  *
351  * @since CUPS 1.4/macOS 10.6@
352  */
353 
354 void
cupsSetPasswordCB2(cups_password_cb2_t cb,void * user_data)355 cupsSetPasswordCB2(
356     cups_password_cb2_t cb,		/* I - Callback function */
357     void                *user_data)	/* I - User data pointer */
358 {
359   _cups_globals_t *cg = _cupsGlobals();	/* Pointer to library globals */
360 
361 
362   if (cb == (cups_password_cb2_t)0)
363     cg->password_cb = (cups_password_cb2_t)_cupsGetPassword;
364   else
365     cg->password_cb = cb;
366 
367   cg->password_data = user_data;
368 }
369 
370 
371 /*
372  * 'cupsSetServer()' - Set the default server name and port.
373  *
374  * The "server" string can be a fully-qualified hostname, a numeric
375  * IPv4 or IPv6 address, or a domain socket pathname. Hostnames and numeric IP
376  * addresses can be optionally followed by a colon and port number to override
377  * the default port 631, e.g. "hostname:8631". Pass @code NULL@ to restore the
378  * default server name and port.
379  *
380  * Note: The current server is tracked separately for each thread in a program.
381  * Multi-threaded programs that override the server need to do so in each
382  * thread for the same server to be used.
383  */
384 
385 void
cupsSetServer(const char * server)386 cupsSetServer(const char *server)	/* I - Server name */
387 {
388   char		*options,		/* Options */
389 		*port;			/* Pointer to port */
390   _cups_globals_t *cg = _cupsGlobals();	/* Pointer to library globals */
391 
392 
393   if (server)
394   {
395     strlcpy(cg->server, server, sizeof(cg->server));
396 
397     if (cg->server[0] != '/' && (options = strrchr(cg->server, '/')) != NULL)
398     {
399       *options++ = '\0';
400 
401       if (!strcmp(options, "version=1.0"))
402         cg->server_version = 10;
403       else if (!strcmp(options, "version=1.1"))
404         cg->server_version = 11;
405       else if (!strcmp(options, "version=2.0"))
406         cg->server_version = 20;
407       else if (!strcmp(options, "version=2.1"))
408         cg->server_version = 21;
409       else if (!strcmp(options, "version=2.2"))
410         cg->server_version = 22;
411     }
412     else
413       cg->server_version = 20;
414 
415     if (cg->server[0] != '/' && (port = strrchr(cg->server, ':')) != NULL &&
416         !strchr(port, ']') && isdigit(port[1] & 255))
417     {
418       *port++ = '\0';
419 
420       cg->ipp_port = atoi(port);
421     }
422 
423     if (!cg->ipp_port)
424       cups_set_default_ipp_port(cg);
425 
426     if (cg->server[0] == '/')
427       strlcpy(cg->servername, "localhost", sizeof(cg->servername));
428     else
429       strlcpy(cg->servername, cg->server, sizeof(cg->servername));
430   }
431   else
432   {
433     cg->server[0]      = '\0';
434     cg->servername[0]  = '\0';
435     cg->server_version = 20;
436     cg->ipp_port       = 0;
437   }
438 
439   if (cg->http)
440   {
441     httpClose(cg->http);
442     cg->http = NULL;
443   }
444 }
445 
446 
447 /*
448  * 'cupsSetServerCertCB()' - Set the server certificate callback.
449  *
450  * Pass @code NULL@ to restore the default callback.
451  *
452  * Note: The current credentials callback is tracked separately for each thread
453  * in a program. Multi-threaded programs that override the callback need to do
454  * so in each thread for the same callback to be used.
455  *
456  * @since CUPS 1.5/macOS 10.7@
457  */
458 
459 void
cupsSetServerCertCB(cups_server_cert_cb_t cb,void * user_data)460 cupsSetServerCertCB(
461     cups_server_cert_cb_t cb,		/* I - Callback function */
462     void		  *user_data)	/* I - User data pointer */
463 {
464   _cups_globals_t *cg = _cupsGlobals();	/* Pointer to library globals */
465 
466 
467   cg->server_cert_cb	= cb;
468   cg->server_cert_data	= user_data;
469 }
470 
471 
472 /*
473  * 'cupsSetUser()' - Set the default user name.
474  *
475  * Pass @code NULL@ to restore the default user name.
476  *
477  * Note: The current user name is tracked separately for each thread in a
478  * program. Multi-threaded programs that override the user name need to do so
479  * in each thread for the same user name to be used.
480  */
481 
482 void
cupsSetUser(const char * user)483 cupsSetUser(const char *user)		/* I - User name */
484 {
485   _cups_globals_t *cg = _cupsGlobals();	/* Pointer to library globals */
486 
487 
488   if (user)
489     strlcpy(cg->user, user, sizeof(cg->user));
490   else
491     cg->user[0] = '\0';
492 }
493 
494 
495 /*
496  * 'cupsSetUserAgent()' - Set the default HTTP User-Agent string.
497  *
498  * Setting the string to NULL forces the default value containing the CUPS
499  * version, IPP version, and operating system version and architecture.
500  *
501  * @since CUPS 1.7/macOS 10.9@
502  */
503 
504 void
cupsSetUserAgent(const char * user_agent)505 cupsSetUserAgent(const char *user_agent)/* I - User-Agent string or @code NULL@ */
506 {
507   _cups_globals_t	*cg = _cupsGlobals();
508 					/* Thread globals */
509 #ifdef _WIN32
510   SYSTEM_INFO		sysinfo;	/* System information */
511   OSVERSIONINFOA	version;	/* OS version info */
512   const char		*machine;	/* Hardware/machine name */
513 #elif defined(__APPLE__)
514   struct utsname	name;		/* uname info */
515   char			version[256];	/* macOS/iOS version */
516   size_t		len;		/* Length of value */
517 #else
518   struct utsname	name;		/* uname info */
519 #endif /* _WIN32 */
520 
521 
522   if (user_agent)
523   {
524     strlcpy(cg->user_agent, user_agent, sizeof(cg->user_agent));
525     return;
526   }
527 
528   if (cg->uatokens < _CUPS_UATOKENS_OS)
529   {
530     switch (cg->uatokens)
531     {
532       default :
533       case _CUPS_UATOKENS_NONE :
534 	  cg->user_agent[0] = '\0';
535 	  break;
536       case _CUPS_UATOKENS_PRODUCT_ONLY :
537 	  strlcpy(cg->user_agent, "CUPS IPP", sizeof(cg->user_agent));
538 	  break;
539       case _CUPS_UATOKENS_MAJOR :
540 	  snprintf(cg->user_agent, sizeof(cg->user_agent), "CUPS/%d IPP/2", CUPS_VERSION_MAJOR);
541 	  break;
542       case _CUPS_UATOKENS_MINOR :
543 	  snprintf(cg->user_agent, sizeof(cg->user_agent), "CUPS/%d.%d IPP/2.1", CUPS_VERSION_MAJOR, CUPS_VERSION_MINOR);
544 	  break;
545       case _CUPS_UATOKENS_MINIMAL :
546 	  strlcpy(cg->user_agent, CUPS_MINIMAL " IPP/2.1", sizeof(cg->user_agent));
547 	  break;
548     }
549   }
550 
551 #ifdef _WIN32
552  /*
553   * Gather Windows version information for the User-Agent string...
554   */
555 
556   version.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
557   GetVersionExA(&version);
558   GetNativeSystemInfo(&sysinfo);
559 
560   switch (sysinfo.wProcessorArchitecture)
561   {
562     case PROCESSOR_ARCHITECTURE_AMD64 :
563         machine = "amd64";
564         break;
565 
566     case PROCESSOR_ARCHITECTURE_ARM :
567         machine = "arm";
568         break;
569 
570     case PROCESSOR_ARCHITECTURE_IA64 :
571         machine = "ia64";
572         break;
573 
574     case PROCESSOR_ARCHITECTURE_INTEL :
575         machine = "intel";
576         break;
577 
578     default :
579         machine = "unknown";
580         break;
581   }
582 
583   if (cg->uatokens == _CUPS_UATOKENS_OS)
584     snprintf(cg->user_agent, sizeof(cg->user_agent), CUPS_MINIMAL " (Windows %d.%d) IPP/2.0", version.dwMajorVersion, version.dwMinorVersion);
585   else
586     snprintf(cg->user_agent, sizeof(cg->user_agent), CUPS_MINIMAL " (Windows %d.%d; %s) IPP/2.0", version.dwMajorVersion, version.dwMinorVersion, machine);
587 
588 #elif defined(__APPLE__)
589  /*
590   * Gather macOS/iOS version information for the User-Agent string...
591   */
592 
593   uname(&name);
594 
595   len = sizeof(version) - 1;
596   if (!sysctlbyname("kern.osproductversion", version, &len, NULL, 0))
597     version[len] = '\0';
598   else
599     strlcpy(version, "unknown", sizeof(version));
600 
601 #  if TARGET_OS_OSX
602   if (cg->uatokens == _CUPS_UATOKENS_OS)
603     snprintf(cg->user_agent, sizeof(cg->user_agent), CUPS_MINIMAL " (macOS %s) IPP/2.0", version);
604   else
605     snprintf(cg->user_agent, sizeof(cg->user_agent), CUPS_MINIMAL " (macOS %s; %s) IPP/2.0", version, name.machine);
606 
607 #  else
608   if (cg->uatokens == _CUPS_UATOKENS_OS)
609     snprintf(cg->user_agent, sizeof(cg->user_agent), CUPS_MINIMAL " (iOS %s) IPP/2.0", version);
610   else
611     snprintf(cg->user_agent, sizeof(cg->user_agent), CUPS_MINIMAL " (iOS %s; %s) IPP/2.0", version, name.machine);
612 #  endif /* TARGET_OS_OSX */
613 
614 #else
615  /*
616   * Gather generic UNIX version information for the User-Agent string...
617   */
618 
619   uname(&name);
620 
621   if (cg->uatokens == _CUPS_UATOKENS_OS)
622     snprintf(cg->user_agent, sizeof(cg->user_agent), CUPS_MINIMAL " (%s %s) IPP/2.0", name.sysname, name.release);
623   else
624     snprintf(cg->user_agent, sizeof(cg->user_agent), CUPS_MINIMAL " (%s %s; %s) IPP/2.0", name.sysname, name.release, name.machine);
625 #endif /* _WIN32 */
626 }
627 
628 
629 /*
630  * 'cupsUser()' - Return the current user's name.
631  *
632  * Note: The current user name is tracked separately for each thread in a
633  * program. Multi-threaded programs that override the user name with the
634  * @link cupsSetUser@ function need to do so in each thread for the same user
635  * name to be used.
636  */
637 
638 const char *				/* O - User name */
cupsUser(void)639 cupsUser(void)
640 {
641   _cups_globals_t *cg = _cupsGlobals();	/* Pointer to library globals */
642 
643 
644   if (!cg->user[0])
645     _cupsSetDefaults();
646 
647   return (cg->user);
648 }
649 
650 
651 /*
652  * 'cupsUserAgent()' - Return the default HTTP User-Agent string.
653  *
654  * @since CUPS 1.7/macOS 10.9@
655  */
656 
657 const char *				/* O - User-Agent string */
cupsUserAgent(void)658 cupsUserAgent(void)
659 {
660   _cups_globals_t *cg = _cupsGlobals();	/* Thread globals */
661 
662 
663   if (!cg->user_agent[0])
664     cupsSetUserAgent(NULL);
665 
666   return (cg->user_agent);
667 }
668 
669 
670 /*
671  * '_cupsGetPassword()' - Get a password from the user.
672  */
673 
674 const char *				/* O - Password or @code NULL@ if none */
_cupsGetPassword(const char * prompt)675 _cupsGetPassword(const char *prompt)	/* I - Prompt string */
676 {
677 #ifdef _WIN32
678   HANDLE		tty;		/* Console handle */
679   DWORD			mode;		/* Console mode */
680   char			passch,		/* Current key press */
681 			*passptr,	/* Pointer into password string */
682 			*passend;	/* End of password string */
683   DWORD			passbytes;	/* Bytes read */
684   _cups_globals_t	*cg = _cupsGlobals();
685 					/* Thread globals */
686 
687 
688  /*
689   * Disable input echo and set raw input...
690   */
691 
692   if ((tty = GetStdHandle(STD_INPUT_HANDLE)) == INVALID_HANDLE_VALUE)
693     return (NULL);
694 
695   if (!GetConsoleMode(tty, &mode))
696     return (NULL);
697 
698   if (!SetConsoleMode(tty, 0))
699     return (NULL);
700 
701  /*
702   * Display the prompt...
703   */
704 
705   printf("%s ", prompt);
706   fflush(stdout);
707 
708  /*
709   * Read the password string from /dev/tty until we get interrupted or get a
710   * carriage return or newline...
711   */
712 
713   passptr = cg->password;
714   passend = cg->password + sizeof(cg->password) - 1;
715 
716   while (ReadFile(tty, &passch, 1, &passbytes, NULL))
717   {
718     if (passch == 0x0A || passch == 0x0D)
719     {
720      /*
721       * Enter/return...
722       */
723 
724       break;
725     }
726     else if (passch == 0x08 || passch == 0x7F)
727     {
728      /*
729       * Backspace/delete (erase character)...
730       */
731 
732       if (passptr > cg->password)
733       {
734         passptr --;
735         fputs("\010 \010", stdout);
736       }
737       else
738         putchar(0x07);
739     }
740     else if (passch == 0x15)
741     {
742      /*
743       * CTRL+U (erase line)
744       */
745 
746       if (passptr > cg->password)
747       {
748 	while (passptr > cg->password)
749 	{
750           passptr --;
751           fputs("\010 \010", stdout);
752         }
753       }
754       else
755         putchar(0x07);
756     }
757     else if (passch == 0x03)
758     {
759      /*
760       * CTRL+C...
761       */
762 
763       passptr = cg->password;
764       break;
765     }
766     else if ((passch & 255) < 0x20 || passptr >= passend)
767       putchar(0x07);
768     else
769     {
770       *passptr++ = passch;
771       putchar(_CUPS_PASSCHAR);
772     }
773 
774     fflush(stdout);
775   }
776 
777   putchar('\n');
778   fflush(stdout);
779 
780  /*
781   * Cleanup...
782   */
783 
784   SetConsoleMode(tty, mode);
785 
786  /*
787   * Return the proper value...
788   */
789 
790   if (passbytes == 1 && passptr > cg->password)
791   {
792     *passptr = '\0';
793     return (cg->password);
794   }
795   else
796   {
797     memset(cg->password, 0, sizeof(cg->password));
798     return (NULL);
799   }
800 
801 #else
802   int			tty;		/* /dev/tty - never read from stdin */
803   struct termios	original,	/* Original input mode */
804 			noecho;		/* No echo input mode */
805   char			passch,		/* Current key press */
806 			*passptr,	/* Pointer into password string */
807 			*passend;	/* End of password string */
808   ssize_t		passbytes;	/* Bytes read */
809   _cups_globals_t	*cg = _cupsGlobals();
810 					/* Thread globals */
811 
812 
813  /*
814   * Disable input echo and set raw input...
815   */
816 
817   if ((tty = open("/dev/tty", O_RDONLY)) < 0)
818     return (NULL);
819 
820   if (tcgetattr(tty, &original))
821   {
822     close(tty);
823     return (NULL);
824   }
825 
826   noecho = original;
827   noecho.c_lflag &= (tcflag_t)~(ICANON | ECHO | ECHOE | ISIG);
828   noecho.c_cc[VMIN]  = 1;
829   noecho.c_cc[VTIME] = 0;
830 
831   if (tcsetattr(tty, TCSAFLUSH, &noecho))
832   {
833     close(tty);
834     return (NULL);
835   }
836 
837  /*
838   * Display the prompt...
839   */
840 
841   printf("%s ", prompt);
842   fflush(stdout);
843 
844  /*
845   * Read the password string from /dev/tty until we get interrupted or get a
846   * carriage return or newline...
847   */
848 
849   passptr = cg->password;
850   passend = cg->password + sizeof(cg->password) - 1;
851 
852   while ((passbytes = read(tty, &passch, 1)) == 1)
853   {
854     if (passch == noecho.c_cc[VEOL] ||
855 #  ifdef VEOL2
856         passch == noecho.c_cc[VEOL2] ||
857 #  endif /* VEOL2 */
858         passch == 0x0A || passch == 0x0D)
859     {
860      /*
861       * Enter/return...
862       */
863 
864       break;
865     }
866     else if (passch == noecho.c_cc[VERASE] ||
867              passch == 0x08 || passch == 0x7F)
868     {
869      /*
870       * Backspace/delete (erase character)...
871       */
872 
873       if (passptr > cg->password)
874       {
875         passptr --;
876         fputs("\010 \010", stdout);
877       }
878       else
879         putchar(0x07);
880     }
881     else if (passch == noecho.c_cc[VKILL])
882     {
883      /*
884       * CTRL+U (erase line)
885       */
886 
887       if (passptr > cg->password)
888       {
889 	while (passptr > cg->password)
890 	{
891           passptr --;
892           fputs("\010 \010", stdout);
893         }
894       }
895       else
896         putchar(0x07);
897     }
898     else if (passch == noecho.c_cc[VINTR] || passch == noecho.c_cc[VQUIT] ||
899              passch == noecho.c_cc[VEOF])
900     {
901      /*
902       * CTRL+C, CTRL+D, or CTRL+Z...
903       */
904 
905       passptr = cg->password;
906       break;
907     }
908     else if ((passch & 255) < 0x20 || passptr >= passend)
909       putchar(0x07);
910     else
911     {
912       *passptr++ = passch;
913       putchar(_CUPS_PASSCHAR);
914     }
915 
916     fflush(stdout);
917   }
918 
919   putchar('\n');
920   fflush(stdout);
921 
922  /*
923   * Cleanup...
924   */
925 
926   tcsetattr(tty, TCSAFLUSH, &original);
927   close(tty);
928 
929  /*
930   * Return the proper value...
931   */
932 
933   if (passbytes == 1 && passptr > cg->password)
934   {
935     *passptr = '\0';
936     return (cg->password);
937   }
938   else
939   {
940     memset(cg->password, 0, sizeof(cg->password));
941     return (NULL);
942   }
943 #endif /* _WIN32 */
944 }
945 
946 
947 #ifdef HAVE_GSSAPI
948 /*
949  * '_cupsGSSServiceName()' - Get the GSS (Kerberos) service name.
950  */
951 
952 const char *
_cupsGSSServiceName(void)953 _cupsGSSServiceName(void)
954 {
955   _cups_globals_t *cg = _cupsGlobals();	/* Thread globals */
956 
957 
958   if (!cg->gss_service_name[0])
959     _cupsSetDefaults();
960 
961   return (cg->gss_service_name);
962 }
963 #endif /* HAVE_GSSAPI */
964 
965 
966 /*
967  * '_cupsSetDefaults()' - Set the default server, port, and encryption.
968  */
969 
970 void
_cupsSetDefaults(void)971 _cupsSetDefaults(void)
972 {
973   cups_file_t	*fp;			/* File */
974   char		filename[1024];		/* Filename */
975   _cups_client_conf_t cc;		/* client.conf values */
976   _cups_globals_t *cg = _cupsGlobals();	/* Pointer to library globals */
977 
978 
979   DEBUG_puts("_cupsSetDefaults()");
980 
981  /*
982   * Load initial client.conf values...
983   */
984 
985   cups_init_client_conf(&cc);
986 
987  /*
988   * Read the /etc/cups/client.conf and ~/.cups/client.conf files, if
989   * present.
990   */
991 
992   snprintf(filename, sizeof(filename), "%s/client.conf", cg->cups_serverroot);
993   if ((fp = cupsFileOpen(filename, "r")) != NULL)
994   {
995     cups_read_client_conf(fp, &cc);
996     cupsFileClose(fp);
997   }
998 
999   if (cg->home)
1000   {
1001    /*
1002     * Look for ~/.cups/client.conf...
1003     */
1004 
1005     snprintf(filename, sizeof(filename), "%s/.cups/client.conf", cg->home);
1006     if ((fp = cupsFileOpen(filename, "r")) != NULL)
1007     {
1008       cups_read_client_conf(fp, &cc);
1009       cupsFileClose(fp);
1010     }
1011   }
1012 
1013  /*
1014   * Finalize things so every client.conf value is set...
1015   */
1016 
1017   cups_finalize_client_conf(&cc);
1018 
1019   cg->uatokens = cc.uatokens;
1020 
1021   if (cg->encryption == (http_encryption_t)-1)
1022     cg->encryption = cc.encryption;
1023 
1024   if (!cg->server[0] || !cg->ipp_port)
1025     cupsSetServer(cc.server_name);
1026 
1027   if (!cg->ipp_port)
1028     cups_set_default_ipp_port(cg);
1029 
1030   if (!cg->user[0])
1031     strlcpy(cg->user, cc.user, sizeof(cg->user));
1032 
1033 #ifdef HAVE_GSSAPI
1034   if (!cg->gss_service_name[0])
1035     strlcpy(cg->gss_service_name, cc.gss_service_name, sizeof(cg->gss_service_name));
1036 #endif /* HAVE_GSSAPI */
1037 
1038   if (cg->trust_first < 0)
1039     cg->trust_first = cc.trust_first;
1040 
1041   if (cg->any_root < 0)
1042     cg->any_root = cc.any_root;
1043 
1044   if (cg->expired_certs < 0)
1045     cg->expired_certs = cc.expired_certs;
1046 
1047   if (cg->validate_certs < 0)
1048     cg->validate_certs = cc.validate_certs;
1049 
1050 #ifdef HAVE_SSL
1051   _httpTLSSetOptions(cc.ssl_options | _HTTP_TLS_SET_DEFAULT, cc.ssl_min_version, cc.ssl_max_version);
1052 #endif /* HAVE_SSL */
1053 }
1054 
1055 
1056 #ifdef __APPLE__
1057 /*
1058  * 'cups_apple_get_boolean()' - Get a boolean setting from the CUPS preferences.
1059  */
1060 
1061 static int				/* O - 1 if set, 0 otherwise */
cups_apple_get_boolean(CFStringRef key,int * value)1062 cups_apple_get_boolean(
1063     CFStringRef key,			/* I - Key (name) */
1064     int         *value)			/* O - Boolean value */
1065 {
1066   Boolean	bval,			/* Preference value */
1067 		bval_set;		/* Value is set? */
1068 
1069 
1070   bval = CFPreferencesGetAppBooleanValue(key, kCUPSPrintingPrefs, &bval_set);
1071 
1072   if (bval_set)
1073     *value = (int)bval;
1074 
1075   return ((int)bval_set);
1076 }
1077 
1078 
1079 /*
1080  * 'cups_apple_get_string()' - Get a string setting from the CUPS preferences.
1081  */
1082 
1083 static int				/* O - 1 if set, 0 otherwise */
cups_apple_get_string(CFStringRef key,char * value,size_t valsize)1084 cups_apple_get_string(
1085     CFStringRef key,			/* I - Key (name) */
1086     char        *value,			/* O - String value */
1087     size_t      valsize)		/* I - Size of value buffer */
1088 {
1089   CFStringRef	sval;			/* String value */
1090 
1091 
1092   if ((sval = CFPreferencesCopyAppValue(key, kCUPSPrintingPrefs)) != NULL)
1093   {
1094     Boolean result = CFStringGetCString(sval, value, (CFIndex)valsize, kCFStringEncodingUTF8);
1095 
1096     CFRelease(sval);
1097 
1098     if (result)
1099       return (1);
1100   }
1101 
1102   return (0);
1103 }
1104 #endif /* __APPLE__ */
1105 
1106 
1107 /*
1108  * 'cups_boolean_value()' - Convert a string to a boolean value.
1109  */
1110 
1111 static int				/* O - Boolean value */
cups_boolean_value(const char * value)1112 cups_boolean_value(const char *value)	/* I - String value */
1113 {
1114   return (!_cups_strcasecmp(value, "yes") || !_cups_strcasecmp(value, "on") || !_cups_strcasecmp(value, "true"));
1115 }
1116 
1117 
1118 /*
1119  * 'cups_finalize_client_conf()' - Finalize client.conf values.
1120  */
1121 
1122 static void
cups_finalize_client_conf(_cups_client_conf_t * cc)1123 cups_finalize_client_conf(
1124     _cups_client_conf_t *cc)		/* I - client.conf values */
1125 {
1126   const char	*value;			/* Environment variable */
1127 
1128 
1129   if ((value = getenv("CUPS_TRUSTFIRST")) != NULL)
1130     cc->trust_first = cups_boolean_value(value);
1131 
1132   if ((value = getenv("CUPS_ANYROOT")) != NULL)
1133     cc->any_root = cups_boolean_value(value);
1134 
1135   if ((value = getenv("CUPS_ENCRYPTION")) != NULL)
1136     cups_set_encryption(cc, value);
1137 
1138   if ((value = getenv("CUPS_EXPIREDCERTS")) != NULL)
1139     cc->expired_certs = cups_boolean_value(value);
1140 
1141 #ifdef HAVE_GSSAPI
1142   if ((value = getenv("CUPS_GSSSERVICENAME")) != NULL)
1143     cups_set_gss_service_name(cc, value);
1144 #endif /* HAVE_GSSAPI */
1145 
1146   if ((value = getenv("CUPS_SERVER")) != NULL)
1147     cups_set_server_name(cc, value);
1148 
1149   if ((value = getenv("CUPS_USER")) != NULL)
1150     cups_set_user(cc, value);
1151 
1152   if ((value = getenv("CUPS_VALIDATECERTS")) != NULL)
1153     cc->validate_certs = cups_boolean_value(value);
1154 
1155  /*
1156   * Then apply defaults for those values that haven't been set...
1157   */
1158 
1159   if (cc->trust_first < 0)
1160     cc->trust_first = 1;
1161 
1162   if (cc->any_root < 0)
1163     cc->any_root = 1;
1164 
1165   if (cc->encryption == (http_encryption_t)-1)
1166     cc->encryption = HTTP_ENCRYPTION_IF_REQUESTED;
1167 
1168   if (cc->expired_certs < 0)
1169     cc->expired_certs = 0;
1170 
1171 #ifdef HAVE_GSSAPI
1172   if (!cc->gss_service_name[0])
1173     cups_set_gss_service_name(cc, CUPS_DEFAULT_GSSSERVICENAME);
1174 #endif /* HAVE_GSSAPI */
1175 
1176   if (!cc->server_name[0])
1177   {
1178    /*
1179     * If we are compiled with domain socket support, only use the
1180     * domain socket if it exists and has the right permissions...
1181     */
1182 
1183 #if defined(__APPLE__) && !TARGET_OS_OSX
1184     cups_set_server_name(cc, "/private/var/run/printd");
1185 
1186 #else
1187 #  ifdef CUPS_DEFAULT_DOMAINSOCKET
1188     if (!access(CUPS_DEFAULT_DOMAINSOCKET, R_OK))
1189       cups_set_server_name(cc, CUPS_DEFAULT_DOMAINSOCKET);
1190     else
1191 #  endif /* CUPS_DEFAULT_DOMAINSOCKET */
1192     cups_set_server_name(cc, "localhost");
1193 #endif /* __APPLE__ && !TARGET_OS_OSX */
1194   }
1195 
1196   if (!cc->user[0])
1197   {
1198 #ifdef _WIN32
1199    /*
1200     * Get the current user name from the OS...
1201     */
1202 
1203     DWORD	size;			/* Size of string */
1204 
1205     size = sizeof(cc->user);
1206     if (!GetUserNameA(cc->user, &size))
1207 #else
1208    /*
1209     * Try the USER environment variable as the default username...
1210     */
1211 
1212     const char *envuser = getenv("USER");
1213 					/* Default username */
1214     struct passwd *pw = NULL;		/* Account information */
1215 
1216     if (envuser)
1217     {
1218      /*
1219       * Validate USER matches the current UID, otherwise don't allow it to
1220       * override things...  This makes sure that printing after doing su
1221       * or sudo records the correct username.
1222       */
1223 
1224       if ((pw = getpwnam(envuser)) != NULL && pw->pw_uid != getuid())
1225 	pw = NULL;
1226     }
1227 
1228     if (!pw)
1229       pw = getpwuid(getuid());
1230 
1231     if (pw)
1232       strlcpy(cc->user, pw->pw_name, sizeof(cc->user));
1233     else
1234 #endif /* _WIN32 */
1235     {
1236      /*
1237       * Use the default "unknown" user name...
1238       */
1239 
1240       strlcpy(cc->user, "unknown", sizeof(cc->user));
1241     }
1242   }
1243 
1244   if (cc->validate_certs < 0)
1245     cc->validate_certs = 0;
1246 }
1247 
1248 
1249 /*
1250  * 'cups_init_client_conf()' - Initialize client.conf values.
1251  */
1252 
1253 static void
cups_init_client_conf(_cups_client_conf_t * cc)1254 cups_init_client_conf(
1255     _cups_client_conf_t *cc)		/* I - client.conf values */
1256 {
1257  /*
1258   * Clear all values to "not set"...
1259   */
1260 
1261   memset(cc, 0, sizeof(_cups_client_conf_t));
1262 
1263   cc->uatokens = _CUPS_UATOKENS_MINIMAL;
1264 
1265 #if defined(__APPLE__) && !TARGET_OS_OSX
1266   cups_set_user(cc, "mobile");
1267 #endif /* __APPLE__ && !TARGET_OS_OSX */
1268 
1269 #ifdef HAVE_SSL
1270   cc->ssl_min_version = _HTTP_TLS_1_0;
1271   cc->ssl_max_version = _HTTP_TLS_MAX;
1272 #endif /* HAVE_SSL */
1273   cc->encryption      = (http_encryption_t)-1;
1274   cc->trust_first     = -1;
1275   cc->any_root        = -1;
1276   cc->expired_certs   = -1;
1277   cc->validate_certs  = -1;
1278 
1279  /*
1280   * Load settings from the org.cups.PrintingPrefs plist (which trump
1281   * everything...)
1282   */
1283 
1284 #if defined(__APPLE__)
1285   char	sval[1024];			/* String value */
1286 #  ifdef HAVE_SSL
1287   int	bval;				/* Boolean value */
1288 
1289   if (cups_apple_get_boolean(kAllowAnyRootKey, &bval))
1290     cc->any_root = bval;
1291 
1292   if (cups_apple_get_boolean(kAllowExpiredCertsKey, &bval))
1293     cc->expired_certs = bval;
1294 
1295   if (cups_apple_get_string(kEncryptionKey, sval, sizeof(sval)))
1296     cups_set_encryption(cc, sval);
1297 
1298   if (cups_apple_get_string(kSSLOptionsKey, sval, sizeof(sval)))
1299   {
1300     cups_set_ssl_options(cc, sval);
1301   }
1302   else
1303   {
1304     sval[0] = '\0';
1305 
1306     if (cups_apple_get_boolean(kAllowRC4, &bval) && bval)
1307       strlcat(sval, " AllowRC4", sizeof(sval));
1308     if (cups_apple_get_boolean(kAllowSSL3, &bval) && bval)
1309       strlcat(sval, " AllowSSL3", sizeof(sval));
1310     if (cups_apple_get_boolean(kAllowDH, &bval) && bval)
1311       strlcat(sval, " AllowDH", sizeof(sval));
1312 
1313     if (sval[0])
1314       cups_set_ssl_options(cc, sval);
1315   }
1316 
1317   if (cups_apple_get_boolean(kTrustOnFirstUseKey, &bval))
1318     cc->trust_first = bval;
1319 
1320   if (cups_apple_get_boolean(kValidateCertsKey, &bval))
1321     cc->validate_certs = bval;
1322 #  endif /* HAVE_SSL */
1323 
1324   if (cups_apple_get_string(kDigestOptionsKey, sval, sizeof(sval)))
1325     cups_set_digestoptions(cc, sval);
1326 
1327   if (cups_apple_get_string(kUserKey, sval, sizeof(sval)))
1328     strlcpy(cc->user, sval, sizeof(cc->user));
1329 
1330   if (cups_apple_get_string(kUserAgentTokensKey, sval, sizeof(sval)))
1331     cups_set_uatokens(cc, sval);
1332 #endif /* __APPLE__ */
1333 }
1334 
1335 
1336 /*
1337  * 'cups_read_client_conf()' - Read a client.conf file.
1338  */
1339 
1340 static void
cups_read_client_conf(cups_file_t * fp,_cups_client_conf_t * cc)1341 cups_read_client_conf(
1342     cups_file_t         *fp,		/* I - File to read */
1343     _cups_client_conf_t *cc)		/* I - client.conf values */
1344 {
1345   int	linenum;			/* Current line number */
1346   char	line[1024],			/* Line from file */
1347         *value;				/* Pointer into line */
1348 
1349 
1350  /*
1351   * Read from the file...
1352   */
1353 
1354   linenum = 0;
1355   while (cupsFileGetConf(fp, line, sizeof(line), &value, &linenum))
1356   {
1357     if (!_cups_strcasecmp(line, "DigestOptions") && value)
1358       cups_set_digestoptions(cc, value);
1359     else if (!_cups_strcasecmp(line, "Encryption") && value)
1360       cups_set_encryption(cc, value);
1361 #ifndef __APPLE__
1362    /*
1363     * The ServerName directive is not supported on macOS due to app
1364     * sandboxing restrictions, i.e. not all apps request network access.
1365     */
1366     else if (!_cups_strcasecmp(line, "ServerName") && value)
1367       cups_set_server_name(cc, value);
1368 #endif /* !__APPLE__ */
1369     else if (!_cups_strcasecmp(line, "User") && value)
1370       cups_set_user(cc, value);
1371     else if (!_cups_strcasecmp(line, "UserAgentTokens") && value)
1372       cups_set_uatokens(cc, value);
1373     else if (!_cups_strcasecmp(line, "TrustOnFirstUse") && value)
1374       cc->trust_first = cups_boolean_value(value);
1375     else if (!_cups_strcasecmp(line, "AllowAnyRoot") && value)
1376       cc->any_root = cups_boolean_value(value);
1377     else if (!_cups_strcasecmp(line, "AllowExpiredCerts") &&
1378              value)
1379       cc->expired_certs = cups_boolean_value(value);
1380     else if (!_cups_strcasecmp(line, "ValidateCerts") && value)
1381       cc->validate_certs = cups_boolean_value(value);
1382 #ifdef HAVE_GSSAPI
1383     else if (!_cups_strcasecmp(line, "GSSServiceName") && value)
1384       cups_set_gss_service_name(cc, value);
1385 #endif /* HAVE_GSSAPI */
1386 #ifdef HAVE_SSL
1387     else if (!_cups_strcasecmp(line, "SSLOptions") && value)
1388       cups_set_ssl_options(cc, value);
1389 #endif /* HAVE_SSL */
1390   }
1391 }
1392 
1393 
1394 /*
1395  * 'cups_set_default_ipp_port()' - Set the default IPP port value.
1396  */
1397 
1398 static void
cups_set_default_ipp_port(_cups_globals_t * cg)1399 cups_set_default_ipp_port(
1400     _cups_globals_t *cg)		/* I - Global data */
1401 {
1402   const char	*ipp_port;		/* IPP_PORT environment variable */
1403 
1404 
1405   if ((ipp_port = getenv("IPP_PORT")) != NULL)
1406   {
1407     if ((cg->ipp_port = atoi(ipp_port)) <= 0)
1408       cg->ipp_port = CUPS_DEFAULT_IPP_PORT;
1409   }
1410   else
1411     cg->ipp_port = CUPS_DEFAULT_IPP_PORT;
1412 }
1413 
1414 
1415 /*
1416  * 'cups_set_digestoptions()' - Set the DigestOptions value.
1417  */
1418 
1419 static void
cups_set_digestoptions(_cups_client_conf_t * cc,const char * value)1420 cups_set_digestoptions(
1421     _cups_client_conf_t *cc,		/* I - client.conf values */
1422     const char          *value)		/* I - Value */
1423 {
1424   if (!_cups_strcasecmp(value, "DenyMD5"))
1425     cc->digestoptions = _CUPS_DIGESTOPTIONS_DENYMD5;
1426   else if (!_cups_strcasecmp(value, "None"))
1427     cc->digestoptions = _CUPS_DIGESTOPTIONS_NONE;
1428 }
1429 
1430 
1431 /*
1432  * 'cups_set_encryption()' - Set the Encryption value.
1433  */
1434 
1435 static void
cups_set_encryption(_cups_client_conf_t * cc,const char * value)1436 cups_set_encryption(
1437     _cups_client_conf_t *cc,		/* I - client.conf values */
1438     const char          *value)		/* I - Value */
1439 {
1440   if (!_cups_strcasecmp(value, "never"))
1441     cc->encryption = HTTP_ENCRYPTION_NEVER;
1442   else if (!_cups_strcasecmp(value, "always"))
1443     cc->encryption = HTTP_ENCRYPTION_ALWAYS;
1444   else if (!_cups_strcasecmp(value, "required"))
1445     cc->encryption = HTTP_ENCRYPTION_REQUIRED;
1446   else
1447     cc->encryption = HTTP_ENCRYPTION_IF_REQUESTED;
1448 }
1449 
1450 
1451 /*
1452  * 'cups_set_gss_service_name()' - Set the GSSServiceName value.
1453  */
1454 
1455 #ifdef HAVE_GSSAPI
1456 static void
cups_set_gss_service_name(_cups_client_conf_t * cc,const char * value)1457 cups_set_gss_service_name(
1458     _cups_client_conf_t *cc,		/* I - client.conf values */
1459     const char          *value)		/* I - Value */
1460 {
1461   strlcpy(cc->gss_service_name, value, sizeof(cc->gss_service_name));
1462 }
1463 #endif /* HAVE_GSSAPI */
1464 
1465 
1466 /*
1467  * 'cups_set_server_name()' - Set the ServerName value.
1468  */
1469 
1470 static void
cups_set_server_name(_cups_client_conf_t * cc,const char * value)1471 cups_set_server_name(
1472     _cups_client_conf_t *cc,		/* I - client.conf values */
1473     const char          *value)		/* I - Value */
1474 {
1475   strlcpy(cc->server_name, value, sizeof(cc->server_name));
1476 }
1477 
1478 
1479 /*
1480  * 'cups_set_ssl_options()' - Set the SSLOptions value.
1481  */
1482 
1483 #ifdef HAVE_SSL
1484 static void
cups_set_ssl_options(_cups_client_conf_t * cc,const char * value)1485 cups_set_ssl_options(
1486     _cups_client_conf_t *cc,		/* I - client.conf values */
1487     const char          *value)		/* I - Value */
1488 {
1489  /*
1490   * SSLOptions [AllowRC4] [AllowSSL3] [AllowDH] [DenyTLS1.0] [None]
1491   */
1492 
1493   int	options = _HTTP_TLS_NONE,	/* SSL/TLS options */
1494 	min_version = _HTTP_TLS_1_0,	/* Minimum SSL/TLS version */
1495 	max_version = _HTTP_TLS_MAX;	/* Maximum SSL/TLS version */
1496   char	temp[256],			/* Copy of value */
1497 	*start,				/* Start of option */
1498 	*end;				/* End of option */
1499 
1500 
1501   strlcpy(temp, value, sizeof(temp));
1502 
1503   for (start = temp; *start; start = end)
1504   {
1505    /*
1506     * Find end of keyword...
1507     */
1508 
1509     end = start;
1510     while (*end && !_cups_isspace(*end))
1511       end ++;
1512 
1513     if (*end)
1514       *end++ = '\0';
1515 
1516    /*
1517     * Compare...
1518     */
1519 
1520     if (!_cups_strcasecmp(start, "AllowRC4"))
1521       options |= _HTTP_TLS_ALLOW_RC4;
1522     else if (!_cups_strcasecmp(start, "AllowSSL3"))
1523       min_version = _HTTP_TLS_SSL3;
1524     else if (!_cups_strcasecmp(start, "AllowDH"))
1525       options |= _HTTP_TLS_ALLOW_DH;
1526     else if (!_cups_strcasecmp(start, "DenyCBC"))
1527       options |= _HTTP_TLS_DENY_CBC;
1528     else if (!_cups_strcasecmp(start, "DenyTLS1.0"))
1529       min_version = _HTTP_TLS_1_1;
1530     else if (!_cups_strcasecmp(start, "MaxTLS1.0"))
1531       max_version = _HTTP_TLS_1_0;
1532     else if (!_cups_strcasecmp(start, "MaxTLS1.1"))
1533       max_version = _HTTP_TLS_1_1;
1534     else if (!_cups_strcasecmp(start, "MaxTLS1.2"))
1535       max_version = _HTTP_TLS_1_2;
1536     else if (!_cups_strcasecmp(start, "MaxTLS1.3"))
1537       max_version = _HTTP_TLS_1_3;
1538     else if (!_cups_strcasecmp(start, "MinTLS1.0"))
1539       min_version = _HTTP_TLS_1_0;
1540     else if (!_cups_strcasecmp(start, "MinTLS1.1"))
1541       min_version = _HTTP_TLS_1_1;
1542     else if (!_cups_strcasecmp(start, "MinTLS1.2"))
1543       min_version = _HTTP_TLS_1_2;
1544     else if (!_cups_strcasecmp(start, "MinTLS1.3"))
1545       min_version = _HTTP_TLS_1_3;
1546     else if (!_cups_strcasecmp(start, "None"))
1547       options = _HTTP_TLS_NONE;
1548   }
1549 
1550   cc->ssl_options     = options;
1551   cc->ssl_max_version = max_version;
1552   cc->ssl_min_version = min_version;
1553 
1554   DEBUG_printf(("4cups_set_ssl_options(cc=%p, value=\"%s\") options=%x, min_version=%d, max_version=%d", (void *)cc, value, options, min_version, max_version));
1555 }
1556 #endif /* HAVE_SSL */
1557 
1558 
1559 /*
1560  * 'cups_set_uatokens()' - Set the UserAgentTokens value.
1561  */
1562 
1563 static void
cups_set_uatokens(_cups_client_conf_t * cc,const char * value)1564 cups_set_uatokens(
1565     _cups_client_conf_t *cc,		/* I - client.conf values */
1566     const char          *value)		/* I - Value */
1567 {
1568   int	i;				/* Looping var */
1569   static const char * const uatokens[] =/* UserAgentTokens values */
1570   {
1571     "NONE",
1572     "PRODUCTONLY",
1573     "MAJOR",
1574     "MINOR",
1575     "MINIMAL",
1576     "OS",
1577     "FULL"
1578   };
1579 
1580   for (i = 0; i < (int)(sizeof(uatokens) / sizeof(uatokens[0])); i ++)
1581   {
1582     if (!_cups_strcasecmp(value, uatokens[i]))
1583     {
1584       cc->uatokens = (_cups_uatokens_t)i;
1585       return;
1586     }
1587   }
1588 }
1589 
1590 
1591 /*
1592  * 'cups_set_user()' - Set the User value.
1593  */
1594 
1595 static void
cups_set_user(_cups_client_conf_t * cc,const char * value)1596 cups_set_user(
1597     _cups_client_conf_t *cc,		/* I - client.conf values */
1598     const char          *value)		/* I - Value */
1599 {
1600   strlcpy(cc->user, value, sizeof(cc->user));
1601 }
1602