archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
1 Branch
0 Tags
1.5 GiB
Tree: 5c6fe3db62
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '5c6fe3db62'
${ noResults }
windows-server-2003/ds/security/protocols/schannel/lsa/spreg.c

887 lines
25 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. //+---------------------------------------------------------------------------
  2. //
  3. // Microsoft Windows
  4. // Copyright (C) Microsoft Corporation, 1992 - 2000.
  5. //
  6. // File: spreg.c
  7. //
  8. // Contents: Schannel registry management routines.
  9. //
  10. // Classes:
  11. //
  12. // Functions:
  13. //
  14. // History: 11-24-97 jbanes Enabled TLS
  15. //
  16. //----------------------------------------------------------------------------
  18. #include <sslp.h>
  19. #include "spreg.h"
  20. #include <mapper.h>
  21. #include <sidfilter.h>
  23. HKEY g_hkBase = NULL;
  24. HANDLE g_hParamEvent = NULL;
  25. HANDLE g_hWait = NULL;
  27. HKEY g_hkFipsBase = NULL;
  28. HANDLE g_hFipsParamEvent = NULL;
  29. HANDLE g_hFipsWait = NULL;
  31. BOOL g_fManualCredValidation = MANUAL_CRED_VALIDATION_SETTING;
  32. BOOL g_PctClientDisabledByDefault = PCT_CLIENT_DISABLED_SETTING;
  33. BOOL g_Ssl2ClientDisabledByDefault = SSL2_CLIENT_DISABLED_SETTING;
  35. DWORD g_dwEventLogging = DEFAULT_EVENT_LOGGING_SETTING;
  36. DWORD g_ProtEnabled = DEFAULT_ENABLED_PROTOCOLS_SETTING;
  38. BOOL g_fSendIssuerList = TRUE;
  40. DWORD g_dwCertMappingMethods = DEFAULT_CERTMAP_SETTING;
  42. BOOL g_fFipsMode = FALSE;
  43. BOOL g_fFranceLocale = FALSE;
  45. BOOL g_SslS4U2SelfInitialized = FALSE;
  47. typedef struct enamap
  48. {
  49. TCHAR *pKey;
  50. DWORD Mask;
  51. } enamap;
  53. enamap g_ProtMap[] =
  54. {
  55. {SP_REG_KEY_PCT1 TEXT("\\") SP_REG_KEY_CLIENT, SP_PROT_PCT1_CLIENT},
  56. {SP_REG_KEY_PCT1 TEXT("\\") SP_REG_KEY_SERVER, SP_PROT_PCT1_SERVER},
  57. {SP_REG_KEY_SSL2 TEXT("\\") SP_REG_KEY_CLIENT, SP_PROT_SSL2_CLIENT},
  58. {SP_REG_KEY_SSL2 TEXT("\\") SP_REG_KEY_SERVER, SP_PROT_SSL2_SERVER},
  59. {SP_REG_KEY_SSL3 TEXT("\\") SP_REG_KEY_CLIENT, SP_PROT_SSL3_CLIENT},
  60. {SP_REG_KEY_SSL3 TEXT("\\") SP_REG_KEY_SERVER, SP_PROT_SSL3_SERVER},
  61. {SP_REG_KEY_TLS1 TEXT("\\") SP_REG_KEY_CLIENT, SP_PROT_TLS1_CLIENT},
  62. {SP_REG_KEY_TLS1 TEXT("\\") SP_REG_KEY_SERVER, SP_PROT_TLS1_SERVER}
  63. };
  65. VOID
  66. SslWatchParamKey(
  67. PVOID pCtxt,
  68. BOOLEAN fWaitStatus);
  70. VOID
  71. FipsWatchParamKey(
  72. PVOID pCtxt,
  73. BOOLEAN fWaitStatus);
  75. BOOL
  76. SslReadRegOptions(
  77. BOOL fFirstTime);
  79. BOOL SPLoadRegOptions(void)
  80. {
  81. g_hParamEvent = CreateEvent(NULL,
  82. FALSE,
  83. FALSE,
  84. NULL);
  86. SslWatchParamKey(g_hParamEvent, FALSE);
  88. g_hFipsParamEvent = CreateEvent(NULL,
  89. FALSE,
  90. FALSE,
  91. NULL);
  93. FipsWatchParamKey(g_hFipsParamEvent, FALSE);
  95. return TRUE;
  96. }
  98. void SPUnloadRegOptions(void)
  99. {
  100. if (NULL != g_hWait)
  101. {
  102. RtlDeregisterWait(g_hWait);
  103. g_hWait = NULL;
  104. }
  106. if(NULL != g_hkBase)
  107. {
  108. RegCloseKey(g_hkBase);
  109. }
  111. if(NULL != g_hParamEvent)
  112. {
  113. CloseHandle(g_hParamEvent);
  114. }
  116. if (NULL != g_hFipsWait)
  117. {
  118. RtlDeregisterWait(g_hFipsWait);
  119. g_hFipsWait = NULL;
  120. }
  122. if(NULL != g_hkFipsBase)
  123. {
  124. RegCloseKey(g_hkFipsBase);
  125. }
  127. if(NULL != g_hFipsParamEvent)
  128. {
  129. CloseHandle(g_hFipsParamEvent);
  130. }
  131. }
  133. BOOL
  134. ReadRegistrySetting(
  135. HKEY hReadKey,
  136. HKEY hWriteKey,
  137. LPCTSTR pszValueName,
  138. DWORD * pdwValue,
  139. DWORD dwDefaultValue)
  140. {
  141. DWORD dwSize;
  142. DWORD dwType;
  143. DWORD dwOriginalValue = *pdwValue;
  145. dwSize = sizeof(DWORD);
  146. if(RegQueryValueEx(hReadKey,
  147. pszValueName,
  148. NULL,
  149. &dwType,
  150. (PUCHAR)pdwValue,
  151. &dwSize) != STATUS_SUCCESS)
  152. {
  153. *pdwValue = dwDefaultValue;
  155. if(hWriteKey)
  156. {
  157. RegSetValueEx(hWriteKey,
  158. pszValueName,
  159. 0,
  160. REG_DWORD,
  161. (PUCHAR)pdwValue,
  162. sizeof(DWORD));
  163. }
  164. }
  166. return (dwOriginalValue != *pdwValue);
  167. }
  170. ////////////////////////////////////////////////////////////////////
  171. //
  172. // Name: SslWatchParamKey
  173. //
  174. // Synopsis: Sets RegNotifyChangeKeyValue() on param key, initializes
  175. // debug level, then utilizes thread pool to wait on
  176. // changes to this registry key. Enables dynamic debug
  177. // level changes, as this function will also be callback
  178. // if registry key modified.
  179. //
  180. // Arguments: pCtxt is actually a HANDLE to an event. This event
  181. // will be triggered when key is modified.
  182. //
  183. // Notes: .
  184. //
  185. VOID
  186. SslWatchParamKey(
  187. PVOID pCtxt,
  188. BOOLEAN fWaitStatus)
  189. {
  190. NTSTATUS Status;
  191. LONG lRes = ERROR_SUCCESS;
  192. BOOL fFirstTime = FALSE;
  193. DWORD disp;
  195. UNREFERENCED_PARAMETER(fWaitStatus);
  197. if(g_hkBase == NULL)
  198. {
  199. // First time we've been called.
  200. Status = RegCreateKeyEx(HKEY_LOCAL_MACHINE,
  201. SP_REG_KEY_BASE,
  202. 0,
  203. TEXT(""),
  204. REG_OPTION_NON_VOLATILE,
  205. KEY_READ,
  206. NULL,
  207. &g_hkBase,
  208. &disp);
  209. if(Status)
  210. {
  211. DebugLog((DEB_WARN,"Failed to open SCHANNEL key: 0x%x\n", Status));
  212. return;
  213. }
  215. fFirstTime = TRUE;
  216. }
  218. if(pCtxt != NULL)
  219. {
  220. if (NULL != g_hWait)
  221. {
  222. Status = RtlDeregisterWait(g_hWait);
  223. if(!NT_SUCCESS(Status))
  224. {
  225. DebugLog((DEB_WARN, "Failed to Deregister wait on registry key: 0x%x\n", Status));
  226. goto Reregister;
  227. }
  228. }
  230. lRes = RegNotifyChangeKeyValue(
  231. g_hkBase,
  232. TRUE,
  233. REG_NOTIFY_CHANGE_NAME | REG_NOTIFY_CHANGE_LAST_SET,
  234. (HANDLE)pCtxt,
  235. TRUE);
  237. if (ERROR_SUCCESS != lRes)
  238. {
  239. DebugLog((DEB_ERROR,"Debug RegNotify setup failed: 0x%x\n", lRes));
  240. // we're tanked now. No further notifications, so get this one
  241. }
  242. }
  244. SslReadRegOptions(fFirstTime);
  246. #if DBG
  247. InitDebugSupport(g_hkBase);
  248. #endif
  250. Reregister:
  252. if(pCtxt != NULL)
  253. {
  254. Status = RtlRegisterWait(&g_hWait,
  255. (HANDLE)pCtxt,
  256. SslWatchParamKey,
  257. (HANDLE)pCtxt,
  258. INFINITE,
  259. WT_EXECUTEINPERSISTENTIOTHREAD|
  260. WT_EXECUTEONLYONCE);
  261. }
  262. }
  265. ////////////////////////////////////////////////////////////////////
  266. //
  267. // Name: FipsWatchParamKey
  268. //
  269. // Synopsis: Sets RegNotifyChangeKeyValue() on param key, initializes
  270. // debug level, then utilizes thread pool to wait on
  271. // changes to this registry key. Enables dynamic debug
  272. // level changes, as this function will also be callback
  273. // if registry key modified.
  274. //
  275. // Arguments: pCtxt is actually a HANDLE to an event. This event
  276. // will be triggered when key is modified.
  277. //
  278. // Notes: .
  279. //
  280. VOID
  281. FipsWatchParamKey(
  282. PVOID pCtxt,
  283. BOOLEAN fWaitStatus)
  284. {
  285. NTSTATUS Status;
  286. LONG lRes = ERROR_SUCCESS;
  287. DWORD disp;
  289. UNREFERENCED_PARAMETER(fWaitStatus);
  291. if(g_hkFipsBase == NULL)
  292. {
  293. // First time we've been called.
  294. Status = RegCreateKeyEx(HKEY_LOCAL_MACHINE,
  295. SP_REG_FIPS_BASE_KEY,
  296. 0,
  297. TEXT(""),
  298. REG_OPTION_NON_VOLATILE,
  299. KEY_READ,
  300. NULL,
  301. &g_hkFipsBase,
  302. &disp);
  303. if(Status)
  304. {
  305. DebugLog((DEB_WARN,"Failed to open FIPS key: 0x%x\n", Status));
  306. return;
  307. }
  308. }
  310. if(pCtxt != NULL)
  311. {
  312. if (NULL != g_hFipsWait)
  313. {
  314. Status = RtlDeregisterWait(g_hFipsWait);
  315. if(!NT_SUCCESS(Status))
  316. {
  317. DebugLog((DEB_WARN, "Failed to Deregister wait on registry key: 0x%x\n", Status));
  318. goto Reregister;
  319. }
  320. }
  322. lRes = RegNotifyChangeKeyValue(
  323. g_hkFipsBase,
  324. TRUE,
  325. REG_NOTIFY_CHANGE_NAME | REG_NOTIFY_CHANGE_LAST_SET,
  326. (HANDLE)pCtxt,
  327. TRUE);
  329. if (ERROR_SUCCESS != lRes)
  330. {
  331. DebugLog((DEB_ERROR,"Debug RegNotify setup failed: 0x%x\n", lRes));
  332. // we're tanked now. No further notifications, so get this one
  333. }
  334. }
  336. SslReadRegOptions(FALSE);
  338. Reregister:
  340. if(pCtxt != NULL)
  341. {
  342. Status = RtlRegisterWait(&g_hFipsWait,
  343. (HANDLE)pCtxt,
  344. FipsWatchParamKey,
  345. (HANDLE)pCtxt,
  346. INFINITE,
  347. WT_EXECUTEINPERSISTENTIOTHREAD|
  348. WT_EXECUTEONLYONCE);
  349. }
  350. }
  353. BOOL
  354. SslReadRegOptions(
  355. BOOL fFirstTime)
  356. {
  357. DWORD err;
  358. DWORD dwType;
  359. DWORD fVal;
  360. DWORD dwSize;
  361. HKEY hKey;
  362. HKEY hWriteKey;
  363. DWORD disp;
  364. DWORD i;
  365. HKEY hkProtocols = NULL;
  366. HKEY hkCiphers = NULL;
  367. HKEY hkHashes = NULL;
  368. HKEY hkKeyExch = NULL;
  369. DWORD dwSetting = 0;
  370. BOOL fSettingsChanged = FALSE;
  371. DWORD dwOriginalValue;
  373. DebugLog((DEB_TRACE,"Load configuration parameters from registry.\n"));
  376. // "FipsAlgorithmPolicy"
  377. ReadRegistrySetting(
  378. g_hkFipsBase,
  379. 0,
  380. SP_REG_FIPS_POLICY,
  381. &dwSetting,
  382. 0);
  383. if((dwSetting == 1) != g_fFipsMode)
  384. {
  385. g_fFipsMode = (dwSetting == 1);
  386. fSettingsChanged = TRUE;
  387. }
  390. //
  391. // Read top-level configuration options.
  392. //
  394. // Open top-level key that has write access.
  395. if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,
  396. SP_REG_KEY_BASE,
  397. 0,
  398. KEY_READ | KEY_SET_VALUE,
  399. &hWriteKey) != STATUS_SUCCESS)
  400. {
  401. hWriteKey = 0;
  402. }
  404. // "EventLogging"
  405. if(ReadRegistrySetting(
  406. g_hkBase,
  407. hWriteKey,
  408. SP_REG_VAL_EVENTLOG,
  409. &g_dwEventLogging,
  410. DEFAULT_EVENT_LOGGING_SETTING))
  411. {
  412. fSettingsChanged = TRUE;
  413. }
  415. // "ManualCredValidation"
  416. ReadRegistrySetting(
  417. g_hkBase,
  418. 0,
  419. SP_REG_VAL_MANUAL_CRED_VALIDATION,
  420. &dwSetting,
  421. MANUAL_CRED_VALIDATION_SETTING);
  422. if((dwSetting != 0) != g_fManualCredValidation)
  423. {
  424. g_fManualCredValidation = (dwSetting != 0);
  425. fSettingsChanged = TRUE;
  426. }
  428. // "ClientCacheTime"
  429. if(ReadRegistrySetting(
  430. g_hkBase,
  431. 0,
  432. SP_REG_VAL_CLIENT_CACHE_TIME,
  433. &SchannelCache.dwClientLifespan,
  434. SP_CACHE_CLIENT_LIFESPAN))
  435. {
  436. fSettingsChanged = TRUE;
  437. }
  439. // "ServerCacheTime"
  440. if(ReadRegistrySetting(
  441. g_hkBase,
  442. 0,
  443. SP_REG_VAL_SERVER_CACHE_TIME,
  444. &SchannelCache.dwServerLifespan,
  445. SP_CACHE_SERVER_LIFESPAN))
  446. {
  447. fSettingsChanged = TRUE;
  448. }
  450. // "MaximumCacheSize"
  451. if(ReadRegistrySetting(
  452. g_hkBase,
  453. 0,
  454. SP_REG_VAL_MAXUMUM_CACHE_SIZE,
  455. &SchannelCache.dwMaximumEntries,
  456. SP_MAXIMUM_CACHE_ELEMENTS))
  457. {
  458. fSettingsChanged = TRUE;
  459. }
  461. if(fFirstTime)
  462. {
  463. SchannelCache.dwCacheSize = SchannelCache.dwMaximumEntries;
  464. }
  466. // "MultipleProcessClientCache"
  467. ReadRegistrySetting(
  468. g_hkBase,
  469. 0,
  470. SP_REG_VAL_MULTI_PROC_CLIENT_CACHE,
  471. &dwSetting,
  472. FALSE);
  473. if((dwSetting != 0) != g_fMultipleProcessClientCache)
  474. {
  475. g_fMultipleProcessClientCache = (dwSetting != 0);
  476. fSettingsChanged = TRUE;
  477. }
  479. // "SendTrustedIssuerList"
  480. ReadRegistrySetting(
  481. g_hkBase,
  482. 0,
  483. SP_REG_VAL_SEND_ISSUER_LIST,
  484. &dwSetting,
  485. TRUE);
  486. if((dwSetting != 0) != g_fSendIssuerList)
  487. {
  488. g_fSendIssuerList = (dwSetting != 0);
  489. fSettingsChanged = TRUE;
  490. }
  492. // "CertificateMappingMethods"
  493. if(ReadRegistrySetting(
  494. g_hkBase,
  495. 0,
  496. SP_REG_VAL_CERT_MAPPING_METHODS,
  497. &g_dwCertMappingMethods,
  498. DEFAULT_CERTMAP_SETTING))
  499. {
  500. fSettingsChanged = TRUE;
  502. if((g_dwCertMappingMethods & SP_REG_CERTMAP_SUBJECT_FLAG) == 0)
  503. {
  504. DebugLog((DEB_TRACE, "Subject/Issuer certificate mapping disabled\n"));
  505. }
  506. if((g_dwCertMappingMethods & SP_REG_CERTMAP_ISSUER_FLAG) == 0)
  507. {
  508. DebugLog((DEB_TRACE, "Issuer certificate mapping disabled\n"));
  509. }
  510. if((g_dwCertMappingMethods & SP_REG_CERTMAP_UPN_FLAG) == 0)
  511. {
  512. DebugLog((DEB_TRACE, "UPN certificate mapping disabled\n"));
  513. }
  514. if((g_dwCertMappingMethods & SP_REG_CERTMAP_S4U2SELF_FLAG) == 0)
  515. {
  516. DebugLog((DEB_TRACE, "S4U2Self certificate mapping disabled\n"));
  517. }
  518. }
  520. if(hWriteKey)
  521. {
  522. RegCloseKey(hWriteKey);
  523. hWriteKey = 0;
  524. }
  527. // "IssuerCacheTime"
  528. ReadRegistrySetting(
  529. g_hkBase,
  530. 0,
  531. SP_REG_VAL_ISSUER_CACHE_TIME,
  532. &IssuerCache.dwLifespan,
  533. ISSUER_CACHE_LIFESPAN);
  535. // "IssuerCacheSize"
  536. ReadRegistrySetting(
  537. g_hkBase,
  538. 0,
  539. SP_REG_VAL_ISSUER_CACHE_SIZE,
  540. &IssuerCache.dwMaximumEntries,
  541. ISSUER_CACHE_SIZE);
  543. if(fFirstTime)
  544. {
  545. IssuerCache.dwCacheSize = IssuerCache.dwMaximumEntries;
  546. }
  549. #ifdef ROGUE_DC
  550. if(g_hSslRogueKey == NULL)
  551. {
  552. if(RegOpenKeyExW(HKEY_LOCAL_MACHINE,
  553. SP_REG_ROGUE_BASE_KEY,
  554. 0,
  555. KEY_READ,
  556. &g_hSslRogueKey) != STATUS_SUCCESS)
  557. {
  558. DebugLog((DEB_WARN,"Failed to open \"rogue\" ssl key\n" ));
  559. g_hSslRogueKey = NULL;
  560. }
  561. }
  562. #endif
  565. //
  566. // Enable/Disable Protocols
  567. //
  569. if(g_fFipsMode)
  570. {
  571. // Disable everything except TLS.
  572. g_ProtEnabled = SP_PROT_TLS1;
  573. }
  574. else
  575. {
  576. DWORD dwProtEnabled = DEFAULT_ENABLED_PROTOCOLS_SETTING;
  578. err = RegCreateKeyEx( g_hkBase,
  579. SP_REG_KEY_PROTOCOL,
  580. 0,
  581. TEXT(""),
  582. REG_OPTION_NON_VOLATILE,
  583. KEY_READ,
  584. NULL,
  585. &hkProtocols,
  586. &disp);
  588. if(err == ERROR_SUCCESS)
  589. {
  590. for(i=0; i < (sizeof(g_ProtMap)/sizeof(enamap)); i++)
  591. {
  592. if(g_ProtMap[i].Mask & SP_PROT_PCT1)
  593. {
  594. if(g_fFranceLocale)
  595. {
  596. // Don't allow PCT to be enabled in France.
  597. continue;
  598. }
  599. }
  601. err = RegCreateKeyEx( hkProtocols,
  602. g_ProtMap[i].pKey,
  603. 0,
  604. TEXT(""),
  605. REG_OPTION_NON_VOLATILE,
  606. KEY_READ,
  607. NULL,
  608. &hKey,
  609. &disp);
  610. if(!err)
  611. {
  612. dwSize = sizeof(DWORD);
  613. err = RegQueryValueEx(hKey,
  614. SP_REG_VAL_ENABLED,
  615. NULL, &dwType,
  616. (PUCHAR)&fVal,
  617. &dwSize);
  618. if(!err)
  619. {
  620. if(fVal)
  621. {
  622. dwProtEnabled |= g_ProtMap[i].Mask;
  623. }
  624. else
  625. {
  626. dwProtEnabled &= ~g_ProtMap[i].Mask;
  627. }
  628. }
  630. if(g_ProtMap[i].Mask & SP_PROT_PCT1_CLIENT)
  631. {
  632. // "DisabledByDefault"
  633. ReadRegistrySetting(
  634. hKey,
  635. 0,
  636. SP_REG_VAL_DISABLED_BY_DEFAULT,
  637. &dwSetting,
  638. PCT_CLIENT_DISABLED_SETTING);
  639. g_PctClientDisabledByDefault = (dwSetting != 0);
  640. }
  642. if(g_ProtMap[i].Mask & SP_PROT_SSL2_CLIENT)
  643. {
  644. // "DisabledByDefault"
  645. ReadRegistrySetting(
  646. hKey,
  647. 0,
  648. SP_REG_VAL_DISABLED_BY_DEFAULT,
  649. &dwSetting,
  650. SSL2_CLIENT_DISABLED_SETTING);
  651. g_Ssl2ClientDisabledByDefault = (dwSetting != 0);
  652. }
  654. RegCloseKey(hKey);
  655. }
  656. }
  658. RegCloseKey(hkProtocols);
  659. }
  661. if(g_ProtEnabled != dwProtEnabled)
  662. {
  663. g_ProtEnabled = dwProtEnabled;
  664. fSettingsChanged = TRUE;
  665. }
  666. }
  669. //
  670. // Enable/Disable Ciphers
  671. //
  673. if(g_fFipsMode)
  674. {
  675. // Disable everything except 3DES.
  676. for(i=0; i < g_cAvailableCiphers; i++)
  677. {
  678. if(g_AvailableCiphers[i].aiCipher != CALG_3DES)
  679. {
  680. g_AvailableCiphers[i].fProtocol = 0;
  681. }
  682. }
  683. }
  684. else
  685. {
  686. err = RegCreateKeyEx( g_hkBase,
  687. SP_REG_KEY_CIPHERS,
  688. 0,
  689. TEXT(""),
  690. REG_OPTION_NON_VOLATILE,
  691. KEY_READ,
  692. NULL,
  693. &hkCiphers,
  694. &disp);
  696. if(err == ERROR_SUCCESS)
  697. {
  698. for(i=0; i < g_cAvailableCiphers; i++)
  699. {
  700. dwOriginalValue = g_AvailableCiphers[i].fProtocol;
  702. g_AvailableCiphers[i].fProtocol = g_AvailableCiphers[i].fDefault;
  703. fVal = g_AvailableCiphers[i].fDefault;
  704. err = RegCreateKeyExA( hkCiphers,
  705. g_AvailableCiphers[i].szName,
  706. 0,
  707. "",
  708. REG_OPTION_NON_VOLATILE,
  709. KEY_READ,
  710. NULL,
  711. &hKey,
  712. &disp);
  713. if(!err)
  714. {
  715. dwSize = sizeof(DWORD);
  716. err = RegQueryValueEx(hKey,
  717. SP_REG_VAL_ENABLED,
  718. NULL,
  719. &dwType,
  720. (PUCHAR)&fVal,
  721. &dwSize);
  722. if(err)
  723. {
  724. fVal = g_AvailableCiphers[i].fDefault;
  725. }
  726. RegCloseKey(hKey);
  727. }
  728. g_AvailableCiphers[i].fProtocol &= fVal;
  730. if(g_AvailableCiphers[i].fProtocol != dwOriginalValue)
  731. {
  732. fSettingsChanged = TRUE;
  733. }
  734. }
  736. RegCloseKey(hkCiphers);
  737. }
  738. }
  741. //
  742. // Enable/Disable Hashes
  743. //
  745. err = RegCreateKeyEx( g_hkBase,
  746. SP_REG_KEY_HASHES,
  747. 0,
  748. TEXT(""),
  749. REG_OPTION_NON_VOLATILE,
  750. KEY_READ,
  751. NULL,
  752. &hkHashes,
  753. &disp);
  755. if(err == ERROR_SUCCESS)
  756. {
  757. for(i = 0; i < g_cAvailableHashes; i++)
  758. {
  759. dwOriginalValue = g_AvailableHashes[i].fProtocol;
  761. g_AvailableHashes[i].fProtocol = g_AvailableHashes[i].fDefault;
  762. fVal = g_AvailableHashes[i].fDefault;
  763. err = RegCreateKeyExA( hkHashes,
  764. g_AvailableHashes[i].szName,
  765. 0,
  766. "",
  767. REG_OPTION_NON_VOLATILE,
  768. KEY_READ,
  769. NULL,
  770. &hKey,
  771. &disp);
  772. if(!err)
  773. {
  774. dwSize = sizeof(DWORD);
  775. err = RegQueryValueEx(hKey,
  776. SP_REG_VAL_ENABLED,
  777. NULL,
  778. &dwType,
  779. (PUCHAR)&fVal,
  780. &dwSize);
  782. if(err)
  783. {
  784. fVal = g_AvailableHashes[i].fDefault;
  785. }
  786. RegCloseKey(hKey);
  787. }
  788. g_AvailableHashes[i].fProtocol &= fVal;
  790. if(dwOriginalValue != g_AvailableHashes[i].fProtocol)
  791. {
  792. fSettingsChanged = TRUE;
  793. }
  794. }
  796. RegCloseKey(hkHashes);
  797. }
  800. //
  801. // Enable/Disable Key Exchange algs.
  802. //
  804. if(g_fFipsMode)
  805. {
  806. // Disable everything except RSA.
  807. for(i=0; i < g_cAvailableExch; i++)
  808. {
  809. if(g_AvailableExch[i].aiExch != CALG_RSA_KEYX &&
  810. g_AvailableExch[i].aiExch != CALG_RSA_SIGN)
  811. {
  812. g_AvailableExch[i].fProtocol = 0;
  813. }
  814. }
  815. }
  816. else
  817. {
  818. err = RegCreateKeyEx( g_hkBase,
  819. SP_REG_KEY_KEYEXCH,
  820. 0,
  821. TEXT(""),
  822. REG_OPTION_NON_VOLATILE,
  823. KEY_READ,
  824. NULL,
  825. &hkKeyExch,
  826. &disp);
  828. if(err == ERROR_SUCCESS)
  829. {
  830. for(i = 0; i < g_cAvailableExch; i++)
  831. {
  832. dwOriginalValue = g_AvailableExch[i].fProtocol;
  834. g_AvailableExch[i].fProtocol = g_AvailableExch[i].fDefault;
  835. fVal = g_AvailableExch[i].fDefault;
  836. err = RegCreateKeyExA( hkKeyExch,
  837. g_AvailableExch[i].szName,
  838. 0,
  839. "",
  840. REG_OPTION_NON_VOLATILE,
  841. KEY_READ,
  842. NULL,
  843. &hKey,
  844. &disp);
  845. if(!err)
  846. {
  847. dwSize = sizeof(DWORD);
  848. err = RegQueryValueEx(hKey,
  849. SP_REG_VAL_ENABLED,
  850. NULL,
  851. &dwType,
  852. (PUCHAR)&fVal,
  853. &dwSize);
  854. if(err)
  855. {
  856. fVal = g_AvailableExch[i].fDefault;
  857. }
  858. g_AvailableExch[i].fProtocol &= fVal;
  860. RegCloseKey(hKey);
  861. }
  863. if(dwOriginalValue != g_AvailableExch[i].fProtocol)
  864. {
  865. fSettingsChanged = TRUE;
  866. }
  867. }
  869. RegCloseKey(hkKeyExch);
  870. }
  871. }
  873. //
  874. // Purge the session cache.
  875. //
  877. if(g_fCacheInitialized && fSettingsChanged)
  878. {
  879. SPCachePurgeEntries(NULL,
  880. 0,
  881. NULL,
  882. SSL_PURGE_CLIENT_ALL_ENTRIES |
  883. SSL_PURGE_SERVER_ALL_ENTRIES);
  884. }
  886. return TRUE;
  887. }