diff options
Diffstat (limited to 'cups/tls-sspi.c')
-rw-r--r-- | cups/tls-sspi.c | 45 |
1 files changed, 27 insertions, 18 deletions
diff --git a/cups/tls-sspi.c b/cups/tls-sspi.c index 6eaec4c8..ea3fb007 100644 --- a/cups/tls-sspi.c +++ b/cups/tls-sspi.c @@ -2,7 +2,7 @@ * TLS support for CUPS on Windows using the Security Support Provider * Interface (SSPI). * - * Copyright 2010-2017 by Apple Inc. + * Copyright 2010-2018 by Apple Inc. * * These coded instructions, statements, and computer programs are the * property of Apple Inc. and are protected by Federal copyright @@ -52,7 +52,9 @@ * Local globals... */ -static int tls_options = -1;/* Options for TLS connections */ +static int tls_options = -1,/* Options for TLS connections */ + tls_min_version = _HTTP_TLS_1_0, + tls_max_version = _HTTP_TLS_MAX; /* @@ -351,7 +353,6 @@ httpCredentialsString( SYSTEMTIME systime; /* System time */ struct tm tm; /* UNIX date/time */ time_t expiration; /* Expiration date of cert */ - _cups_md5_state_t md5_state; /* MD5 state */ unsigned char md5_digest[16]; /* MD5 result */ FileTimeToSystemTime(&(cert->pCertInfo->NotAfter), &systime); @@ -378,9 +379,7 @@ httpCredentialsString( else strlcpy(cert_name, "unknown", sizeof(cert_name)); - _cupsMD5Init(&md5_state); - _cupsMD5Append(&md5_state, first->data, (int)first->datalen); - _cupsMD5Finish(&md5_state, md5_digest); + cupsHashData("md5", first->data, first->datalen, md5_digest, sizeof(md5_digest)); snprintf(buffer, bufsize, "%s / %s / %02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X", cert_name, httpGetDateString(expiration), md5_digest[0], md5_digest[1], md5_digest[2], md5_digest[3], md5_digest[4], md5_digest[5], md5_digest[6], md5_digest[7], md5_digest[8], md5_digest[9], md5_digest[10], md5_digest[11], md5_digest[12], md5_digest[13], md5_digest[14], md5_digest[15]); @@ -911,10 +910,16 @@ _httpTLSRead(http_t *http, /* I - HTTP connection */ */ void -_httpTLSSetOptions(int options) /* I - Options */ +_httpTLSSetOptions(int options, /* I - Options */ + int min_version, /* I - Minimum TLS version */ + int max_version) /* I - Maximum TLS version */ { if (!(options & _HTTP_TLS_SET_DEFAULT) || tls_options < 0) - tls_options = options; + { + tls_options = options; + tls_min_version = min_version; + tls_max_version = max_version; + } } @@ -1762,34 +1767,38 @@ http_sspi_find_credentials( #ifdef SP_PROT_TLS1_2_SERVER if (http->mode == _HTTP_MODE_SERVER) { - if (tls_options & _HTTP_TLS_DENY_TLS10) - SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_2_SERVER | SP_PROT_TLS1_1_SERVER; - else if (tls_options & _HTTP_TLS_ALLOW_SSL3) + if (tls_min_version == _HTTP_TLS_SSL3) SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_2_SERVER | SP_PROT_TLS1_1_SERVER | SP_PROT_TLS1_0_SERVER | SP_PROT_SSL3_SERVER; - else + else if (tls_min_version == _HTTP_TLS_1_0) SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_2_SERVER | SP_PROT_TLS1_1_SERVER | SP_PROT_TLS1_0_SERVER; + else if (tls_min_version == _HTTP_TLS_1_1) + SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_2_SERVER | SP_PROT_TLS1_1_SERVER; + else + SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_2_SERVER; } else { - if (tls_options & _HTTP_TLS_DENY_TLS10) - SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_2_CLIENT | SP_PROT_TLS1_1_CLIENT; - else if (tls_options & _HTTP_TLS_ALLOW_SSL3) + if (tls_min_version == _HTTP_TLS_SSL3) SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_2_CLIENT | SP_PROT_TLS1_1_CLIENT | SP_PROT_TLS1_0_CLIENT | SP_PROT_SSL3_CLIENT; - else + else if (tls_min_version == _HTTP_TLS_1_0) SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_2_CLIENT | SP_PROT_TLS1_1_CLIENT | SP_PROT_TLS1_0_CLIENT; + else if (tls_min_version == _HTTP_TLS_1_1) + SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_2_CLIENT | SP_PROT_TLS1_1_CLIENT; + else + SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_2_CLIENT; } #else if (http->mode == _HTTP_MODE_SERVER) { - if (tls_options & _HTTP_TLS_ALLOW_SSL3) + if (tls_min_version == _HTTP_TLS_SSL3) SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_SERVER | SP_PROT_SSL3_SERVER; else SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_SERVER; } else { - if (tls_options & _HTTP_TLS_ALLOW_SSL3) + if (tls_min_version == _HTTP_TLS_SSL3) SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_CLIENT | SP_PROT_SSL3_CLIENT; else SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_CLIENT; |