/*
* "$Id$"
*
- * TLS support for CUPS on Windows using SSPI.
+ * TLS support for CUPS on Windows using the Security Support Provider
+ * Interface (SSPI).
*
* Copyright 2010-2014 by Apple Inc.
*
* This file is subject to the Apple OS-Developed Software exception.
*/
+/**** This file is included from tls.c ****/
+
/*
* Include necessary headers...
*/
# define SECURITY_FLAG_IGNORE_CERT_DATE_INVALID 0x00002000 /* Expired X509 Cert. */
#endif /* !SECURITY_FLAG_IGNORE_CERT_DATE_INVALID */
+
+/*
+ * Local globals...
+ */
+
+static int tls_options = 0;/* Options for TLS connections */
+
+
/*
* Local functions...
*/
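Review bot: `tls_options` is a plain `static int` that `_httpTLSSetOptions()` writes (later in this diff) and `_httpTLSStart()` reads with no synchronization, so if the setter can be called after connections are already being started on other threads this is a data race; from the visible lines I cannot tell whether that ordering is guaranteed. The contract should be stated on the definition, e.g. `static int tls_options = 0;	/* Options for TLS connections; set via _httpTLSSetOptions() before any connection is started, read unlocked by _httpTLSStart() */`. The missing space before the `/*` on the new line is cosmetic but worth fixing in the same pass.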
/*
* 'cupsMakeServerCredentials()' - Make a self-signed certificate and private key pair.
*
- * @since CUPS 2.0@
+ * @since CUPS 2.0/OS 10.10@
*/
int /* O - 1 on success, 0 on failure */
* Note: The server credentials are used by all threads in the running process.
* This function is threadsafe.
*
- * @since CUPS 2.0@
+ * @since CUPS 2.0/OS 10.10@
*/
int /* O - 1 on success, 0 on failure */
/*
* 'httpCredentialsAreValidForName()' - Return whether the credentials are valid for the given name.
*
- * @since CUPS 2.0@
+ * @since CUPS 2.0/OS 10.10@
*/
int /* O - 1 if valid, 0 otherwise */
/*
* 'httpCredentialsGetTrust()' - Return the trust of credentials.
*
- * @since CUPS 2.0@
+ * @since CUPS 2.0/OS 10.10@
*/
http_trust_t /* O - Level of trust */
/*
* 'httpCredentialsGetExpiration()' - Return the expiration date of the credentials.
*
- * @since CUPS 2.0@
+ * @since CUPS 2.0/OS 10.10@
*/
time_t /* O - Expiration date of credentials */
/*
* 'httpCredentialsString()' - Return a string representing the credentials.
*
- * @since CUPS 2.0@
+ * @since CUPS 2.0/OS 10.10@
*/
size_t /* O - Total size of credentials string */
/*
* 'httpLoadCredentials()' - Load X.509 credentials from a keychain file.
*
- * @since CUPS 2.0@
+ * @since CUPS 2.0/OS 10.10@
*/
int /* O - 0 on success, -1 on error */
/*
* 'httpSaveCredentials()' - Save X.509 credentials to a keychain file.
*
- * @since CUPS 2.0@
+ * @since CUPS 2.0/OS 10.10@
*/
int /* O - -1 on error, 0 on success */
cups_array_t *credentials, /* I - Credentials */
const char *common_name) /* I - Common name for credentials */
{
- _http_sspi_t *sspi = http->tls; /* SSPI data */
HCERTSTORE store = NULL; /* Certificate store */
PCCERT_CONTEXT storedContext = NULL; /* Context created from the store */
PCCERT_CONTEXT createdContext = NULL; /* Context created by us */
PBYTE p = NULL; /* Temporary storage */
HCRYPTPROV hProv = (HCRYPTPROV)NULL;
/* Handle to a CSP */
- CERT_NAME_BLOB sib; /* Arbitrary array of bytes */
+ CRYPT_KEY_PROV_INFO ckp; /* Handle to crypto key */
int ret = -1; /* Return value */
#ifdef DEBUG
char error[1024]; /* Error message buffer */
return (-1);
}
- createdContext = http_sspi_create_credential(credentials);
+ createdContext = http_sspi_create_credential((http_credential_t *)cupsArrayFirst(credentials));
if (!createdContext)
{
DEBUG_puts("1httpSaveCredentials: Bad credentials, returning -1.");
}
+/*
+ * '_httpTLSSetOptions()' - Set TLS protocol and cipher suite options.
+ */
+
+void
+_httpTLSSetOptions(int options) /* I - Options */
+{
+ tls_options = options;
+}
+
+
/*
* '_httpTLSStart()' - Set up SSL/TLS support on a connection.
*/
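Review bot: `httpSaveCredentials()` now hands only `cupsArrayFirst(credentials)` to `http_sspi_create_credential()`, so any further certificates in the array are dropped with no diagnostic; whether `http_sspi_create_credential()` tolerates a NULL first element (empty array) is not visible here, the only guard being the `!createdContext` check that follows. Making the truncation visible in debug builds would help when a saved chain later fails to verify: `if (cupsArrayCount(credentials) > 1) DEBUG_puts("1httpSaveCredentials: Only the first credential is saved.");`. The enclosing function starts before this hunk.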
SchannelCred.paCred = &storedContext;
/*
- * SSPI doesn't seem to like it if grbitEnabledProtocols is set for a client.
+ * Set supported protocols (can also be overriden in the registry...)
*/
+#ifdef SP_PROT_TLS1_2_SERVER
if (http->mode == _HTTP_MODE_SERVER)
- SchannelCred.grbitEnabledProtocols = SP_PROT_SSL3TLS1;
+ {
+ if (tls_options & _HTTP_TLS_ALLOW_SSL3)
+ SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_2_SERVER | SP_PROT_TLS1_1_SERVER | SP_PROT_TLS1_0_SERVER | SP_PROT_SSL3_SERVER;
+ else
+ SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_2_SERVER | SP_PROT_TLS1_1_SERVER | SP_PROT_TLS1_0_SERVER;
+ }
+ else
+ {
+ if (tls_options & _HTTP_TLS_ALLOW_SSL3)
+ SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_2_CLIENT | SP_PROT_TLS1_1_CLIENT | SP_PROT_TLS1_0_CLIENT | SP_PROT_SSL3_CLIENT;
+ else
+ SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_2_CLIENT | SP_PROT_TLS1_1_CLIENT | SP_PROT_TLS1_0_CLIENT;
+ }
+
+#else
+ if (http->mode == _HTTP_MODE_SERVER)
+ {
+ if (tls_options & _HTTP_TLS_ALLOW_SSL3)
+ SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_SERVER | SP_PROT_SSL3_SERVER;
+ else
+ SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_SERVER;
+ }
+ else
+ {
+ if (tls_options & _HTTP_TLS_ALLOW_SSL3)
+ SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_CLIENT | SP_PROT_SSL3_CLIENT;
+ else
+ SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_CLIENT;
+ }
+#endif /* SP_PROT_TLS1_2_SERVER */
+
+ /* TODO: Support _HTTP_TLS_ALLOW_RC4 option; right now we'll rely on Windows registry to enable/disable RC4... */
/*
* Create an SSPI credential.
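Review bot: The protocol mask is built in four near-identical branches whose only difference from `tls_options` is whether the SSL 3.0 bit is ORed in, and `_HTTP_TLS_ALLOW_RC4` is accepted by `_httpTLSSetOptions()` but, per the new TODO, silently ignored, so nothing records which protocol set a connection actually ends up with. After the `#endif` I would add `DEBUG_printf(("1_httpTLSStart: grbitEnabledProtocols=0x%08lx", (unsigned long)SchannelCred.grbitEnabledProtocols));` and `if (tls_options & _HTTP_TLS_ALLOW_RC4) DEBUG_puts("1_httpTLSStart: _HTTP_TLS_ALLOW_RC4 is not implemented on Windows.");` so an unexpectedly enabled SSL 3.0 or ignored RC4 option is visible when diagnosing. The branches could also collapse to one base mask per mode plus a conditional `|= SP_PROT_SSL3_SERVER` / `SP_PROT_SSL3_CLIENT`, which keeps the two `#ifdef` variants from drifting apart. The new comment misspells "overridden". `_httpTLSStart()` begins and ends outside this hunk.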
/* Number of ites in rgszUsages */
DWORD count; /* 32 bit count variable */
DWORD status; /* Return value */
+#ifdef DEBUG
+ char error[1024]; /* Error message string */
+#endif /* DEBUG */
if (!cert)
{
status = GetLastError();
-#ifdef DEBUG
- char error[1024]; /* Error message string */
-
DEBUG_printf(("CertGetCertificateChain returned: %s", http_sspi_strerror(error, sizeof(error), status)));
-#endif /* DEBUG */
LocalFree(commonNameUnicode);
return (status);
{
status = GetLastError();
-#ifdef DEBUG
- char error[1024]; /* Error message string */
-
DEBUG_printf(("CertVerifyCertificateChainPolicy returned %s", http_sspi_strerror(error, sizeof(error), status)));
-#endif /* DEBUG */
}
else if (policyStatus.dwError)
status = policyStatus.dwError;