Add httpGetSecurity API.

michaelrsweet · michaelrsweet · commit e83739273d37 · 2025-04-07T15:19:30.000-04:00
diff --git a/CHANGES.md b/CHANGES.md
@@ -9,6 +9,7 @@ Changes in CUPS v2.5b1 (YYYY-MM-DD)
   APIs.
 - Added new `cupsRasterInitHeader` API.
 - Added `httpConnectURI` API.
+- Added `httpGetSecurity` API.
 - Added `ippAddCredentialsString`, `ippGetFirstAttribute`,
   `ippGetNextAttribute`, `ippRestore`, and `ippSave` APIs.
 - Added new DNS-SD APIs.
diff --git a/cups/http.h b/cups/http.h
@@ -1,7 +1,7 @@
 //
 // Hyper-Text Transport Protocol definitions for CUPS.
 //
-// Copyright © 2020-2024 by OpenPrinting.
+// Copyright © 2020-2025 by OpenPrinting.
 // Copyright © 2007-2018 by Apple Inc.
 // Copyright © 1997-2007 by Easy Software Products, all rights reserved.
 //
@@ -454,6 +454,7 @@ extern off_t		httpGetLength2(http_t *http) _CUPS_PUBLIC;
 extern size_t		httpGetPending(http_t *http) _CUPS_PUBLIC;
 extern size_t		httpGetReady(http_t *http) _CUPS_PUBLIC;
 extern size_t		httpGetRemaining(http_t *http) _CUPS_PUBLIC;
+extern const char	*httpGetSecurity(http_t *http, char *buffer, size_t bufsize) _CUPS_PUBLIC;
 extern http_state_t	httpGetState(http_t *http) _CUPS_PUBLIC;
 extern http_status_t	httpGetStatus(http_t *http) _CUPS_PUBLIC;
 extern char		*httpGetSubField(http_t *http, http_field_t field, const char *name, char *value) _CUPS_DEPRECATED_MSG("Use httpGetSubField2 instead.");
diff --git a/cups/libcups2.def b/cups/libcups2.def
@@ -539,6 +539,7 @@ httpGetLength2
 httpGetPending
 httpGetReady
 httpGetRemaining
+httpGetSecurity
 httpGetState
 httpGetStatus
 httpGetSubField
diff --git a/cups/tls-gnutls.c b/cups/tls-gnutls.c
@@ -1520,6 +1520,62 @@ _httpFreeCredentials(
 }
 
 
+//
+// 'httpGetSecurity()' - Get the TLS version and cipher suite used by a connection.
+//
+// This function gets the TLS version and cipher suite being used by a
+// connection, if any.  The string is copied to "buffer" and is of the form
+// "TLS/major.minor CipherSuite".  If not encrypted, the buffer is cleared to
+// the empty string.
+//
+// @since CUPS 2.5@
+//
+
+const char *				// O - Security information or `NULL` if not encrypted
+httpGetSecurity(http_t *http,		// I - HTTP connection
+                char   *buffer,		// I - String buffer
+                size_t bufsize)		// I - Size of buffer
+{
+  const char	*cipherName;		// Cipher suite name
+
+
+  // Range check input...
+  if (buffer)
+    *buffer = '\0';
+
+  if (!http || !http->tls || !buffer || bufsize < 16)
+    return (NULL);
+
+  // Record the TLS version and cipher suite...
+  cipherName = gnutls_session_get_desc(http->tls);
+
+  switch (gnutls_protocol_get_version(http->tls))
+  {
+    default :
+        snprintf(buffer, bufsize, "TLS/?.? %s", cipherName);
+        break;
+
+    case GNUTLS_TLS1_0 :
+        snprintf(buffer, bufsize, "TLS/1.0 %s", cipherName);
+        break;
+
+    case GNUTLS_TLS1_1 :
+        snprintf(buffer, bufsize, "TLS/1.1 %s", cipherName);
+        break;
+
+    case GNUTLS_TLS1_2 :
+        snprintf(buffer, bufsize, "TLS/1.2 %s", cipherName);
+        break;
+
+    case GNUTLS_TLS1_3 :
+        snprintf(buffer, bufsize, "TLS/1.3 %s", cipherName);
+        break;
+  }
+
+  return (buffer);
+}
+
+
 //
 // '_httpTLSInitialize()' - Initialize the TLS stack.
 //
diff --git a/cups/tls-openssl.c b/cups/tls-openssl.c
@@ -1534,6 +1534,64 @@ _httpFreeCredentials(
 }
 
 
+//
+// 'httpGetSecurity()' - Get the TLS version and cipher suite used by a connection.
+//
+// This function gets the TLS version and cipher suite being used by a
+// connection, if any.  The string is copied to "buffer" and is of the form
+// "TLS/major.minor CipherSuite".  If not encrypted, the buffer is cleared to
+// the empty string.
+//
+// @since CUPS 2.5@
+//
+
+const char *				// O - Security information or `NULL` if not encrypted
+httpGetSecurity(http_t *http,		// I - HTTP connection
+                char   *buffer,		// I - String buffer
+                size_t bufsize)		// I - Size of buffer
+{
+  const char	*cipherName;		// Cipher suite name
+
+
+  // Range check input...
+  if (buffer)
+    *buffer = '\0';
+
+  if (!http || !http->tls || !buffer || bufsize < 16)
+    return (NULL);
+
+  // Record the TLS version and cipher suite...
+  cipherName = SSL_get_cipher_name(http->tls);
+
+  switch (SSL_version(http->tls))
+  {
+    default :
+        snprintf(buffer, bufsize, "TLS/?.? %s", cipherName);
+        break;
+
+    case TLS1_VERSION :
+        snprintf(buffer, bufsize, "TLS/1.0 %s", cipherName);
+        break;
+
+    case TLS1_1_VERSION :
+        snprintf(buffer, bufsize, "TLS/1.1 %s", cipherName);
+        break;
+
+    case TLS1_2_VERSION :
+        snprintf(buffer, bufsize, "TLS/1.2 %s", cipherName);
+        break;
+
+#  ifdef TLS1_3_VERSION
+    case TLS1_3_VERSION :
+        snprintf(buffer, bufsize, "TLS/1.3 %s", cipherName);
+        break;
+#  endif // TLS1_3_VERSION
+  }
+
+  return (buffer);
+}
+
+
 //
 // '_httpTLSInitialize()' - Initialize the TLS stack.
 //
diff --git a/cups/tlscheck.c b/cups/tlscheck.c
@@ -1,7 +1,7 @@
 //
 // TLS check program for CUPS.
 //
-// Copyright © 2020-2024 by OpenPrinting.
+// Copyright © 2020-2025 by OpenPrinting.
 // Copyright © 2007-2017 by Apple Inc.
 // Copyright © 1997-2006 by Easy Software Products.
 //
@@ -31,11 +31,10 @@ main(int  argc,				// I - Number of command-line arguments
   http_t	*http = NULL;		// HTTP connection
   const char	*server = NULL;		// Hostname from command-line
   int		port = 0;		// Port number
-  char		*creds;			// Server credentials
-  char		creds_str[2048];	// Credentials string
-  const char	*cipherName;		// Cipher suite name
-  int		tlsVersion = 0;		// TLS version number
-  char		uri[1024],		// Printer URI
+  char		*creds,			// Server credentials
+		creds_str[2048],	// Credentials string
+		security[256],		// Security string
+		uri[1024],		// Printer URI
 		scheme[32],		// URI scheme
 		host[256],		// Hostname
 		userpass[256],		// Username/password
@@ -184,57 +183,7 @@ main(int  argc,				// I - Number of command-line arguments
     free(creds);
   }
 
-#ifdef HAVE_OPENSSL
-  switch (SSL_version(http->tls))
-  {
-    default :
-        tlsVersion = 0;
-        break;
-
-    case TLS1_VERSION :
-        tlsVersion = 10;
-        break;
-
-    case TLS1_1_VERSION :
-        tlsVersion = 11;
-        break;
-
-    case TLS1_2_VERSION :
-        tlsVersion = 12;
-        break;
-
-#  ifdef TLS1_3_VERSION
-    case TLS1_3_VERSION :
-        tlsVersion = 13;
-        break;
-#  endif // TLS1_3_VERSION
-  }
-
-  cipherName = SSL_get_cipher_name(http->tls);
-
-#else // HAVE_GNUTLS
-  switch (gnutls_protocol_get_version(http->tls))
-  {
-    default :
-        tlsVersion = 0;
-        break;
-    case GNUTLS_TLS1_0 :
-        tlsVersion = 10;
-        break;
-    case GNUTLS_TLS1_1 :
-        tlsVersion = 11;
-        break;
-    case GNUTLS_TLS1_2 :
-        tlsVersion = 12;
-        break;
-    case GNUTLS_TLS1_3 :
-        tlsVersion = 13;
-        break;
-  }
-  cipherName = gnutls_session_get_desc(http->tls);
-#endif // HAVE_OPENSSL
-
-  printf("%s: OK (TLS: %d.%d, %s)\n", server, tlsVersion / 10, tlsVersion % 10, cipherName);
+  printf("%s: OK (%s)\n", server, httpGetSecurity(http, security, sizeof(security)));
   printf("    %s\n", creds_str);
 
   if (verbose)
diff --git a/tools/ippeveprinter.c b/tools/ippeveprinter.c
@@ -1,7 +1,7 @@
 //
 // IPP Everywhere printer application for CUPS.
 //
-// Copyright © 2020-2024 by OpenPrinting.
+// Copyright © 2020-2025 by OpenPrinting.
 // Copyright © 2020 by the IEEE-ISTO Printer Working Group.
 // Copyright © 2010-2021 by Apple Inc.
 //
@@ -4708,6 +4708,8 @@ process_client(ippeve_client_t *client)	// I - Client
 
       if (recv(httpGetFd(client->http), buf, 1, MSG_PEEK) == 1 && (!buf[0] || !strchr("DGHOPT", buf[0])))
       {
+        char	security[256];		// Security description
+
         fprintf(stderr, "%s Starting HTTPS session.\n", client->hostname);
 
 	if (!httpSetEncryption(client->http, HTTP_ENCRYPTION_ALWAYS))
@@ -4716,7 +4718,7 @@ process_client(ippeve_client_t *client)	// I - Client
 	  break;
         }
 
-        fprintf(stderr, "%s Connection now encrypted.\n", client->hostname);
+	fprintf(stderr, "%s Connection now encrypted (%s).\n", client->hostname, httpGetSecurity(client->http, security, sizeof(security)));
       }
 
       first_time = false;
@@ -4853,6 +4855,8 @@ process_http(ippeve_client_t *client)	// I - Client connection
   {
     if (strstr(httpGetField(client->http, HTTP_FIELD_UPGRADE), "TLS/") != NULL && !httpIsEncrypted(client->http))
     {
+      char	security[256];		// Security description
+
       if (!respond_http(client, HTTP_STATUS_SWITCHING_PROTOCOLS, NULL, NULL, 0))
         return (0);
 
@@ -4864,7 +4868,7 @@ process_http(ippeve_client_t *client)	// I - Client connection
 	return (0);
       }
 
-      fprintf(stderr, "%s Connection now encrypted.\n", client->hostname);
+      fprintf(stderr, "%s Connection now encrypted (%s).\n", client->hostname, httpGetSecurity(client->http, security, sizeof(security)));
     }
     else if (!respond_http(client, HTTP_STATUS_NOT_IMPLEMENTED, NULL, NULL, 0))
       return (0);

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`//`
`2`	`2`	`// IPP Everywhere printer application for CUPS.`
`3`	`3`	`//`
`4`		`-// Copyright © 2020-2024 by OpenPrinting.`
	`4`	`+// Copyright © 2020-2025 by OpenPrinting.`
`5`	`5`	`// Copyright © 2020 by the IEEE-ISTO Printer Working Group.`
`6`	`6`	`// Copyright © 2010-2021 by Apple Inc.`
`7`	`7`	`//`
`@@ -4708,6 +4708,8 @@ process_client(ippeve_client_t *client) // I - Client`
`4708`	`4708`
`4709`	`4709`	`if (recv(httpGetFd(client->http), buf, 1, MSG_PEEK) == 1 && (!buf[0] \|\| !strchr("DGHOPT", buf[0])))`
`4710`	`4710`	`{`
	`4711`	`+ char security[256]; // Security description`
	`4712`	`+`
`4711`	`4713`	`fprintf(stderr, "%s Starting HTTPS session.\n", client->hostname);`
`4712`	`4714`
`4713`	`4715`	`if (!httpSetEncryption(client->http, HTTP_ENCRYPTION_ALWAYS))`
`@@ -4716,7 +4718,7 @@ process_client(ippeve_client_t *client) // I - Client`
`4716`	`4718`	`break;`
`4717`	`4719`	`}`
`4718`	`4720`
`4719`		`- fprintf(stderr, "%s Connection now encrypted.\n", client->hostname);`
	`4721`	`+ fprintf(stderr, "%s Connection now encrypted (%s).\n", client->hostname, httpGetSecurity(client->http, security, sizeof(security)));`
`4720`	`4722`	`}`
`4721`	`4723`
`4722`	`4724`	`first_time = false;`
`@@ -4853,6 +4855,8 @@ process_http(ippeve_client_t *client) // I - Client connection`
`4853`	`4855`	`{`
`4854`	`4856`	`if (strstr(httpGetField(client->http, HTTP_FIELD_UPGRADE), "TLS/") != NULL && !httpIsEncrypted(client->http))`
`4855`	`4857`	`{`
	`4858`	`+ char security[256]; // Security description`
	`4859`	`+`
`4856`	`4860`	`if (!respond_http(client, HTTP_STATUS_SWITCHING_PROTOCOLS, NULL, NULL, 0))`
`4857`	`4861`	`return (0);`
`4858`	`4862`
`@@ -4864,7 +4868,7 @@ process_http(ippeve_client_t *client) // I - Client connection`
`4864`	`4868`	`return (0);`
`4865`	`4869`	`}`
`4866`	`4870`
`4867`		`- fprintf(stderr, "%s Connection now encrypted.\n", client->hostname);`
	`4871`	`+ fprintf(stderr, "%s Connection now encrypted (%s).\n", client->hostname, httpGetSecurity(client->http, security, sizeof(security)));`
`4868`	`4872`	`}`
`4869`	`4873`	`else if (!respond_http(client, HTTP_STATUS_NOT_IMPLEMENTED, NULL, NULL, 0))`
`4870`	`4874`	`return (0);`