From 40e62848ab3aa94b98dfaf1334e1c478c266bc73 Mon Sep 17 00:00:00 2001
From: Zdenek Dohnal
Date: Tue, 7 Jan 2025 15:12:15 +0100
Subject: [PATCH] Add `NoSystem` SSLOptions value
In case using system crypto policy breaks communication with device irreversibly (f.e. if device does not support better key exchange algorithm), the new option value gives a way how to opt-out from crypto policy if user do not want to change default system crypto policy for the whole machine.
---
 CHANGES.md | 1 +
 cups/http-private.h | 3 ++-
 cups/tls-gnutls.c | 7 ++++++-
 cups/usersys.c | 2 ++
 doc/help/man-client.conf.html | 3 ++-
 doc/help/man-cupsd.conf.html | 5 +++--
 man/client.conf.5 | 3 ++-
 man/cupsd.conf.5 | 3 ++-
 scheduler/conf.c | 2 ++
 9 files changed, 22 insertions(+), 7 deletions(-)
diff --git a/cups/http-private.h b/cups/http-private.h
index 5f77b8ef0..f248bbb8d 100644
--- a/cups/http-private.h
+++ b/cups/http-private.h
@@ -131,7 +131,8 @@ extern "C" {
 # define _HTTP_TLS_ALLOW_RC4 1 /* Allow RC4 cipher suites */
 # define _HTTP_TLS_ALLOW_DH 2 /* Allow DH/DHE key negotiation */
 # define _HTTP_TLS_DENY_CBC 4 /* Deny CBC cipher suites */
-# define _HTTP_TLS_SET_DEFAULT 128 /* Setting the default TLS options */
+# define _HTTP_TLS_NO_SYSTEM 8 /* No system crypto policy */
+# define _HTTP_TLS_SET_DEFAULT 128 /* Setting the default TLS options */
 # define _HTTP_TLS_SSL3 0 /* Min/max version is SSL/3.0 */
 # define _HTTP_TLS_1_0 1 /* Min/max version is TLS/1.0 */
diff --git a/cups/tls-gnutls.c b/cups/tls-gnutls.c
index 719161da7..e8224b217 100644
--- a/cups/tls-gnutls.c
+++ b/cups/tls-gnutls.c
@@ -1285,6 +1285,8 @@ _httpTLSStart(http_t *http) /* I - Connection to server */
 DEBUG_printf(("3_httpTLSStart(http=%p)", http));
+ priority_string[0] = '\0';
+
 if (tls_options < 0)
 {
 DEBUG_puts("4_httpTLSStart: Setting defaults.");
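Review bot: The comment on `_HTTP_TLS_NO_SYSTEM` says what the user asked for but not what the bit does, and within this patch only cups/tls-gnutls.c tests it (the diffstat lists no other tls-*.c backend), so on builds using a different TLS backend the parsers in cups/usersys.c and scheduler/conf.c will accept `NoSystem` and nothing changes. Suggest `# define _HTTP_TLS_NO_SYSTEM 8 /* Don't prepend @SYSTEM to the GnuTLS priority string (GnuTLS builds only) */` and the same caveat in the four documentation hunks, whose wording "disables applying system cryptographic policy" implies a backend-independent effect. Whether the other backends apply a system policy at all is not visible here, so that caveat may need adjusting once checked.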
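Review bot: The `priority_string[0] = '\0';` added after the DEBUG_printf exists only so that the conditional `strlcpy` / unconditional `strlcat` pair in the second hunk (new line 1506 onward) starts from an empty buffer, and the two sites are about 220 lines apart, which makes the invariant easy to break in a later edit. Choosing the prefix in one call keeps the initialization next to its use: replace the strlcpy/strlcat pair in the second hunk with `strlcpy(priority_string, (tls_options & _HTTP_TLS_NO_SYSTEM) ? "NORMAL" : "@SYSTEM,NORMAL", sizeof(priority_string));` and drop both lines added here. Either way a `DEBUG_printf` of the final priority string where it is applied would make a connection running without the system policy visible in debug output; whether one already exists further down is not visible in this hunk. _httpTLSStart begins and ends outside both hunks.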
@@ -1504,7 +1506,10 @@ _httpTLSStart(http_t *http) /* I - Connection to server */
 return (-1);
 }
- strlcpy(priority_string, "@SYSTEM,NORMAL", sizeof(priority_string));
+ if (!(tls_options & _HTTP_TLS_NO_SYSTEM))
+ strlcpy(priority_string, "@SYSTEM,", sizeof(priority_string));
+
+ strlcat(priority_string, "NORMAL", sizeof(priority_string));
 if (tls_max_version < _HTTP_TLS_MAX)
 {
diff --git a/cups/usersys.c b/cups/usersys.c
index f752159b0..607587307 100644
--- a/cups/usersys.c
+++ b/cups/usersys.c
@@ -1608,6 +1608,8 @@ cups_set_ssl_options(
 min_version = _HTTP_TLS_1_3;
 else if (!_cups_strcasecmp(start, "None"))
 options = _HTTP_TLS_NONE;
+ else if (!_cups_strcasecmp(start, "NoSystem"))
+ options |= _HTTP_TLS_NO_SYSTEM;
 }
 cc->ssl_options = options;
diff --git a/doc/help/man-client.conf.html b/doc/help/man-client.conf.html
index 81cd73a1a..9194481bb 100644
--- a/doc/help/man-client.conf.html
+++ b/doc/help/man-client.conf.html
@@ -44,7 +44,7 @@ CUPS adds the remote hostname ("name@server.example.com") for you. The default n
 Note: This directive is not supported on macOS 10.7 or later.
ServerName hostname-or-ip-address[:port]/version=1.1
Specifies the address and optionally the port to use when connecting to a server running CUPS 1.3.12 and earlier. -
SSLOptions [AllowDH] [AllowRC4] [AllowSSL3] [DenyCBC] [DenyTLS1.0] [MaxTLS1.0] [MaxTLS1.1] [MaxTLS1.2] [MaxTLS1.3] [MinTLS1.0] [MinTLS1.1] [MinTLS1.2] [MinTLS1.3] +
SSLOptions [AllowDH] [AllowRC4] [AllowSSL3] [DenyCBC] [DenyTLS1.0] [MaxTLS1.0] [MaxTLS1.1] [MaxTLS1.2] [MaxTLS1.3] [MinTLS1.0] [MinTLS1.1] [MinTLS1.2] [MinTLS1.3] [NoSystem]
SSLOptions None
Sets encryption options (only in /etc/cups/client.conf). By default, CUPS only supports encryption using TLS v1.0 or higher using known secure cipher suites. @@ -57,6 +57,7 @@ The DenyCBC option disables all CBC cipher suites. The DenyTLS1.0 option disables TLS v1.0 support - this sets the minimum protocol version to TLS v1.1. The MinTLS options set the minimum TLS version to support. The MaxTLS options set the maximum TLS version to support. +The NoSystem option disables applying system cryptographic policy. Not all operating systems support TLS 1.3 at this time.
TrustOnFirstUse Yes
TrustOnFirstUse No
diff --git a/doc/help/man-cupsd.conf.html b/doc/help/man-cupsd.conf.html
index 4fd42f314..4a5395387 100644
--- a/doc/help/man-cupsd.conf.html
+++ b/doc/help/man-cupsd.conf.html
@@ -285,7 +285,7 @@ The default is "Minimal".
SSLListen [ipv6-address]:port
SSLListen *:port
Listens on the specified address and port for encrypted connections. -
SSLOptions [AllowDH] [AllowRC4] [AllowSSL3] [DenyCBC] [DenyTLS1.0] [MaxTLS1.0] [MaxTLS1.1] [MaxTLS1.2] [MaxTLS1.3] [MinTLS1.0] [MinTLS1.1] [MinTLS1.2] [MinTLS1.3] +
SSLOptions [AllowDH] [AllowRC4] [AllowSSL3] [DenyCBC] [DenyTLS1.0] [MaxTLS1.0] [MaxTLS1.1] [MaxTLS1.2] [MaxTLS1.3] [MinTLS1.0] [MinTLS1.1] [MinTLS1.2] [MinTLS1.3] [NoSystem]
SSLOptions None
Sets encryption options (only in /etc/cups/client.conf). By default, CUPS only supports encryption using TLS v1.0 or higher using known secure cipher suites. @@ -298,6 +298,7 @@ The DenyCBC option disables all CBC cipher suites. The DenyTLS1.0 option disables TLS v1.0 support - this sets the minimum protocol version to TLS v1.1. The MinTLS options set the minimum TLS version to support. The MaxTLS options set the maximum TLS version to support. +The NoSystem option disables applying system cryptographic policy. Not all operating systems support TLS 1.3 at this time.
SSLPort port
Listens on the specified port for encrypted connections.
diff --git a/man/client.conf.5 b/man/client.conf.5
index 54808c09f..56d6ec3ec 100644
--- a/man/client.conf.5
+++ b/man/client.conf.5
@@ -67,7 +67,7 @@ Specifies the address and optionally the port to use when connecting to the serv
 Specifies the address and optionally the port to use when connecting to a server running CUPS 1.3.12 and earlier.
 .\"#SSLOptions
 .TP 5
-\fBSSLOptions \fR[\fIAllowDH\fR] [\fIAllowRC4\fR] [\fIAllowSSL3\fR] [\fIDenyCBC\fR] [\fIDenyTLS1.0\fR] [\fIMaxTLS1.0\fR] [\fIMaxTLS1.1\fR] [\fIMaxTLS1.2\fR] [\fIMaxTLS1.3\fR] [\fIMinTLS1.0\fR] [\fIMinTLS1.1\fR] [\fIMinTLS1.2\fR] [\fIMinTLS1.3\fR]
+\fBSSLOptions \fR[\fIAllowDH\fR] [\fIAllowRC4\fR] [\fIAllowSSL3\fR] [\fIDenyCBC\fR] [\fIDenyTLS1.0\fR] [\fIMaxTLS1.0\fR] [\fIMaxTLS1.1\fR] [\fIMaxTLS1.2\fR] [\fIMaxTLS1.3\fR] [\fIMinTLS1.0\fR] [\fIMinTLS1.1\fR] [\fIMinTLS1.2\fR] [\fIMinTLS1.3\fR] [\fINoSystem\fR]
 .TP 5
 \fBSSLOptions None\fR
 Sets encryption options (only in /etc/cups/client.conf).
@@ -81,6 +81,7 @@ The \fIDenyCBC\fR option disables all CBC cipher suites.
 The \fIDenyTLS1.0\fR option disables TLS v1.0 support - this sets the minimum protocol version to TLS v1.1.
 The \fIMinTLS\fR options set the minimum TLS version to support.
 The \fIMaxTLS\fR options set the maximum TLS version to support.
+The \fINoSystem\fR option disables applying system cryptographic policy.
 Not all operating systems support TLS 1.3 at this time.
 .\"#TrustOnFirstUse
 .TP 5
diff --git a/man/cupsd.conf.5 b/man/cupsd.conf.5
index fd5762dfd..4e1a7ca81 100644
--- a/man/cupsd.conf.5
+++ b/man/cupsd.conf.5
@@ -447,7 +447,7 @@ Listens on the specified address and port for encrypted connections.
 .\"#SSLOptions
 .TP 5
 .TP 5
-\fBSSLOptions \fR[\fIAllowDH\fR] [\fIAllowRC4\fR] [\fIAllowSSL3\fR] [\fIDenyCBC\fR] [\fIDenyTLS1.0\fR] [\fIMaxTLS1.0\fR] [\fIMaxTLS1.1\fR] [\fIMaxTLS1.2\fR] [\fIMaxTLS1.3\fR] [\fIMinTLS1.0\fR] [\fIMinTLS1.1\fR] [\fIMinTLS1.2\fR] [\fIMinTLS1.3\fR]
+\fBSSLOptions \fR[\fIAllowDH\fR] [\fIAllowRC4\fR] [\fIAllowSSL3\fR] [\fIDenyCBC\fR] [\fIDenyTLS1.0\fR] [\fIMaxTLS1.0\fR] [\fIMaxTLS1.1\fR] [\fIMaxTLS1.2\fR] [\fIMaxTLS1.3\fR] [\fIMinTLS1.0\fR] [\fIMinTLS1.1\fR] [\fIMinTLS1.2\fR] [\fIMinTLS1.3\fR] [\fINoSystem\fR]
 .TP 5
 \fBSSLOptions None\fR
 Sets encryption options (only in /etc/cups/client.conf).
@@ -461,6 +461,7 @@ The \fIDenyCBC\fR option disables all CBC cipher suites.
 The \fIDenyTLS1.0\fR option disables TLS v1.0 support - this sets the minimum protocol version to TLS v1.1.
 The \fIMinTLS\fR options set the minimum TLS version to support.
 The \fIMaxTLS\fR options set the maximum TLS version to support.
+The \fINoSystem\fR option disables applying system cryptographic policy.
 Not all operating systems support TLS 1.3 at this time.
 .\"#SSLPort
 .TP 5
diff --git a/scheduler/conf.c b/scheduler/conf.c
index 3184d72f0..3bf176479 100644
--- a/scheduler/conf.c
+++ b/scheduler/conf.c
@@ -3054,6 +3054,8 @@ read_cupsd_conf(cups_file_t *fp) /* I - File to read from */
 min_version = _HTTP_TLS_1_3;
 else if (!_cups_strcasecmp(start, "None"))
 options = _HTTP_TLS_NONE;
+ else if (!_cups_strcasecmp(start, "NoSystem"))
+ options |= _HTTP_TLS_NO_SYSTEM;
 else if (_cups_strcasecmp(start, "NoEmptyFragments"))
 cupsdLogMessage(CUPSD_LOG_WARN, "Unknown SSL option %s at line %d.", start, linenum);
 }
-- 
2.47.1
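Review bot: Disabling the system crypto policy for cupsd's TLS listener is a security-relevant deviation from the distribution baseline, but the new `else if` records nothing, so error_log gives an administrator or an auditor no trace that the scheduler is running without it. The existing `cupsdLogMessage(CUPSD_LOG_WARN, ...)` branch for unknown options shows the convention; add `cupsdLogMessage(CUPSD_LOG_INFO, "SSLOptions NoSystem: system crypto policy will not be applied (line %d).", linenum);` inside the new branch. As in the cups/usersys.c hunk, the bit is only consulted by cups/tls-gnutls.c in this patch, so the message should not promise more than that on other backends. read_cupsd_conf's option loop begins and ends outside the hunk.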