Add httpGetSecurity API.

michaelrsweet · michaelrsweet · commit 00341463579f · 2025-04-07T14:59:45.000-04:00
diff --git a/CHANGES.md b/CHANGES.md
@@ -4,6 +4,7 @@ Changes in libcups
 libcups v3.0.0 (YYYY-MM-DD)
 ---------------------------
 
+- Added `httpGetSecurity` API.
 - Updated `ippfind` to use `cupsGetClock` API.
 - Fixed return values of `ippDateToTime` when the timezone isn't GMT.
 - Fixed a potential timing issue with `cupsEnumDests`.
diff --git a/cups/http.h b/cups/http.h
@@ -1,7 +1,7 @@
 //
 // Hyper-Text Transport Protocol definitions for CUPS.
 //
-// Copyright © 2021-2024 by OpenPrinting.
+// Copyright © 2021-2025 by OpenPrinting.
 // Copyright © 2007-2018 by Apple Inc.
 // Copyright © 1997-2007 by Easy Software Products, all rights reserved.
 //
@@ -469,6 +469,7 @@ extern off_t		httpGetLength(http_t *http) _CUPS_PUBLIC;
 extern size_t		httpGetPending(http_t *http) _CUPS_PUBLIC;
 extern size_t		httpGetReady(http_t *http) _CUPS_PUBLIC;
 extern size_t		httpGetRemaining(http_t *http) _CUPS_PUBLIC;
+extern const char	*httpGetSecurity(http_t *http, char *buffer, size_t bufsize) _CUPS_PUBLIC;
 extern http_state_t	httpGetState(http_t *http) _CUPS_PUBLIC;
 extern http_status_t	httpGetStatus(http_t *http) _CUPS_PUBLIC;
 extern char		*httpGetSubField(http_t *http, http_field_t field, const char *name, char *value, size_t valuelen) _CUPS_PUBLIC;
diff --git a/cups/libcups3.def b/cups/libcups3.def
@@ -387,6 +387,7 @@ httpGetLength
 httpGetPending
 httpGetReady
 httpGetRemaining
+httpGetSecurity
 httpGetState
 httpGetStatus
 httpGetSubField
diff --git a/cups/tls-gnutls.c b/cups/tls-gnutls.c
@@ -1520,6 +1520,60 @@ _httpFreeCredentials(
 }
 
 
+//
+// 'httpGetSecurity()' - Get the TLS version and cipher suite used by a connection.
+//
+// This function gets the TLS version and cipher suite being used by a
+// connection, if any.  The string is copied to "buffer" and is of the form
+// "TLS/major.minor CipherSuite".  If not encrypted, the buffer is cleared to
+// the empty string.
+//
+
+const char *				// O - Security information or `NULL` if not encrypted
+httpGetSecurity(http_t *http,		// I - HTTP connection
+                char   *buffer,		// I - String buffer
+                size_t bufsize)		// I - Size of buffer
+{
+  const char	*cipherName;		// Cipher suite name
+
+
+  // Range check input...
+  if (buffer)
+    *buffer = '\0';
+
+  if (!http || !http->tls || !buffer || bufsize < 16)
+    return (NULL);
+
+  // Record the TLS version and cipher suite...
+  cipherName = gnutls_session_get_desc(http->tls);
+
+  switch (gnutls_protocol_get_version(http->tls))
+  {
+    default :
+        snprintf(buffer, bufsize, "TLS/?.? %s", cipherName);
+        break;
+
+    case GNUTLS_TLS1_0 :
+        snprintf(buffer, bufsize, "TLS/1.0 %s", cipherName);
+        break;
+
+    case GNUTLS_TLS1_1 :
+        snprintf(buffer, bufsize, "TLS/1.1 %s", cipherName);
+        break;
+
+    case GNUTLS_TLS1_2 :
+        snprintf(buffer, bufsize, "TLS/1.2 %s", cipherName);
+        break;
+
+    case GNUTLS_TLS1_3 :
+        snprintf(buffer, bufsize, "TLS/1.3 %s", cipherName);
+        break;
+  }
+
+  return (buffer);
+}
+
+
 //
 // '_httpTLSInitialize()' - Initialize the TLS stack.
 //
diff --git a/cups/tls-openssl.c b/cups/tls-openssl.c
@@ -1619,6 +1619,62 @@ _httpFreeCredentials(
 }
 
 
+//
+// 'httpGetSecurity()' - Get the TLS version and cipher suite used by a connection.
+//
+// This function gets the TLS version and cipher suite being used by a
+// connection, if any.  The string is copied to "buffer" and is of the form
+// "TLS/major.minor CipherSuite".  If not encrypted, the buffer is cleared to
+// the empty string.
+//
+
+const char *				// O - Security information or `NULL` if not encrypted
+httpGetSecurity(http_t *http,		// I - HTTP connection
+                char   *buffer,		// I - String buffer
+                size_t bufsize)		// I - Size of buffer
+{
+  const char	*cipherName;		// Cipher suite name
+
+
+  // Range check input...
+  if (buffer)
+    *buffer = '\0';
+
+  if (!http || !http->tls || !buffer || bufsize < 16)
+    return (NULL);
+
+  // Record the TLS version and cipher suite...
+  cipherName = SSL_get_cipher_name(http->tls);
+
+  switch (SSL_version(http->tls))
+  {
+    default :
+        snprintf(buffer, bufsize, "TLS/?.? %s", cipherName);
+        break;
+
+    case TLS1_VERSION :
+        snprintf(buffer, bufsize, "TLS/1.0 %s", cipherName);
+        break;
+
+    case TLS1_1_VERSION :
+        snprintf(buffer, bufsize, "TLS/1.1 %s", cipherName);
+        break;
+
+    case TLS1_2_VERSION :
+        snprintf(buffer, bufsize, "TLS/1.2 %s", cipherName);
+        break;
+
+#  ifdef TLS1_3_VERSION
+    case TLS1_3_VERSION :
+        snprintf(buffer, bufsize, "TLS/1.3 %s", cipherName);
+        break;
+#  endif // TLS1_3_VERSION
+  }
+
+  return (buffer);
+}
+
+
 //
 // '_httpTLSInitialize()' - Initialize the TLS stack.
 //
diff --git a/cups/tlscheck.c b/cups/tlscheck.c
@@ -1,7 +1,7 @@
 //
 // TLS check program for CUPS.
 //
-// Copyright © 2021-2023 by OpenPrinting.
+// Copyright © 2021-2025 by OpenPrinting.
 // Copyright © 2007-2017 by Apple Inc.
 // Copyright © 1997-2006 by Easy Software Products.
 //
@@ -31,11 +31,10 @@ main(int  argc,				// I - Number of command-line arguments
   http_t	*http = NULL;		// HTTP connection
   const char	*server = NULL;		// Hostname from command-line
   int		port = 0;		// Port number
-  char		*creds;			// Server credentials
-  char		creds_str[2048];	// Credentials string
-  const char	*cipherName;		// Cipher suite name
-  int		tlsVersion = 0;		// TLS version number
-  char		uri[1024],		// Printer URI
+  char		*creds,			// Server credentials
+		creds_str[2048],	// Credentials string
+		security[256],		// Security string
+		uri[1024],		// Printer URI
 		scheme[32],		// URI scheme
 		host[256],		// Hostname
 		userpass[256],		// Username/password
@@ -184,57 +183,7 @@ main(int  argc,				// I - Number of command-line arguments
     free(creds);
   }
 
-#ifdef HAVE_OPENSSL
-  switch (SSL_version(http->tls))
-  {
-    default :
-        tlsVersion = 0;
-        break;
-
-    case TLS1_VERSION :
-        tlsVersion = 10;
-        break;
-
-    case TLS1_1_VERSION :
-        tlsVersion = 11;
-        break;
-
-    case TLS1_2_VERSION :
-        tlsVersion = 12;
-        break;
-
-#  ifdef TLS1_3_VERSION
-    case TLS1_3_VERSION :
-        tlsVersion = 13;
-        break;
-#  endif // TLS1_3_VERSION
-  }
-
-  cipherName = SSL_get_cipher_name(http->tls);
-
-#else // HAVE_GNUTLS
-  switch (gnutls_protocol_get_version(http->tls))
-  {
-    default :
-        tlsVersion = 0;
-        break;
-    case GNUTLS_TLS1_0 :
-        tlsVersion = 10;
-        break;
-    case GNUTLS_TLS1_1 :
-        tlsVersion = 11;
-        break;
-    case GNUTLS_TLS1_2 :
-        tlsVersion = 12;
-        break;
-    case GNUTLS_TLS1_3 :
-        tlsVersion = 13;
-        break;
-  }
-  cipherName = gnutls_session_get_desc(http->tls);
-#endif // HAVE_OPENSSL
-
-  printf("%s: OK (TLS: %d.%d, %s)\n", server, tlsVersion / 10, tlsVersion % 10, cipherName);
+  printf("%s: OK (%s)\n", server, httpGetSecurity(http, security, sizeof(security)));
   printf("    %s\n", creds_str);
 
   if (verbose)
diff --git a/doc/cupspm.epub b/doc/cupspm.epub
diff --git a/doc/cupspm.html b/doc/cupspm.html
@@ -619,6 +619,7 @@ <h2 class="title">Contents</h2>
 <li><a href="#httpGetPending">httpGetPending</a></li>
 <li><a href="#httpGetReady">httpGetReady</a></li>
 <li><a href="#httpGetRemaining">httpGetRemaining</a></li>
+<li><a href="#httpGetSecurity">httpGetSecurity</a></li>
 <li><a href="#httpGetState">httpGetState</a></li>
 <li><a href="#httpGetStatus">httpGetStatus</a></li>
 <li><a href="#httpGetSubField">httpGetSubField</a></li>
@@ -7940,6 +7941,26 @@ <h4 class="returnvalue">Return Value</h4>
 <h4 class="discussion">Discussion</h4>
 <p class="discussion">The <a href="#httpIsChunked"><code>httpIsChunked</code></a> function can be used to determine whether the
 message body is chunked or fixed-length.</p>
+<h3 class="function"><a id="httpGetSecurity">httpGetSecurity</a></h3>
+<p class="description">Get the TLS version and cipher suite used by a connection.</p>
+<p class="code">
+<span class="reserved">const</span> <span class="reserved">char</span> *httpGetSecurity(<a href="#http_t">http_t</a> *http, <span class="reserved">char</span> *buffer, size_t bufsize);</p>
+<h4 class="parameters">Parameters</h4>
+<table class="list"><tbody>
+<tr><th>http</th>
+<td class="description">HTTP connection</td></tr>
+<tr><th>buffer</th>
+<td class="description">String buffer</td></tr>
+<tr><th>bufsize</th>
+<td class="description">Size of buffer</td></tr>
+</tbody></table>
+<h4 class="returnvalue">Return Value</h4>
+<p class="description">Security information or <code>NULL</code> if not encrypted</p>
+<h4 class="discussion">Discussion</h4>
+<p class="discussion">This function gets the TLS version and cipher suite being used by a
+connection, if any.  The string is copied to &quot;buffer&quot; and is of the form
+&quot;TLS/major.minor CipherSuite&quot;.  If not encrypted, the buffer is cleared to
+the empty string.</p>
 <h3 class="function"><a id="httpGetState">httpGetState</a></h3>
 <p class="description">Get the current state of the HTTP request.</p>
 <p class="code">
