//+---------------------------------------------------------------------------
//
//  Microsoft Windows
//  Copyright (C) Microsoft Corporation, 1992 - 1995.
//
//  File:       specmap.c
//
//  Contents:   
//
//  Classes:
//
//  Functions:
//
//  History:    09-23-97   jbanes   LSA integration stuff.
//
//----------------------------------------------------------------------------
 
#include <spbase.h>
#include <des.h>
#include <des3.h>
#include <rc2.h>


/* supported cipher type arrays */

CipherInfo g_AvailableCiphers[] = {
    { 
        // 128 bit RC4
        SP_PROT_ALL,
        SP_PROT_ALL,
        TEXT("RC4 128/128"),
        CALG_RC4,
        1,
        128,
        16,
        16,
        CF_DOMESTIC | CF_SGC,
    },
    { 
        // 168 bit Triple DES
        SP_PROT_ALL,
        SP_PROT_ALL,
        TEXT("Triple DES 168/168"),
        CALG_3DES,
        DES_BLOCKLEN,
        168,
        DES3_KEYSIZE,
        DES3_KEYSIZE,
        CF_DOMESTIC | CF_SGC,
    },
    { 
        // 128 bit RC2
        SP_PROT_ALL,
        SP_PROT_ALL, 
        TEXT("RC2 128/128"),
        CALG_RC2,
        RC2_BLOCKLEN,
        128,
        16,
        16,
        CF_DOMESTIC | CF_SGC,
    },
    { 
        // 56 bit RC4
        SP_PROT_SSL3 | SP_PROT_TLS1, 
        SP_PROT_SSL3 | SP_PROT_TLS1, 
        TEXT("RC4 56/128"),
        CALG_RC4,
        1,
        56,
        16,
        7,
        CF_EXPORT,
    },

    { 
        // 56 bit RC2
        SP_PROT_SSL3 | SP_PROT_TLS1, 
        SP_PROT_SSL3 | SP_PROT_TLS1, 
        TEXT("RC2 56/128"),
        CALG_RC2,
        RC2_BLOCKLEN,
        56,
        16,
        7,
        CF_EXPORT,
    },

    { 
        // 56 bit DES
        SP_PROT_ALL,
        SP_PROT_ALL,
        TEXT("DES 56/56"),
        CALG_DES,
        DES_BLOCKLEN,
        56,
        DES_KEYSIZE,
        DES_KEYSIZE,
        CF_EXPORT,
    },

    { 
        // 40 bit RC4
        SP_PROT_ALL, 
        SP_PROT_ALL, 
        TEXT("RC4 40/128"),
        CALG_RC4,
        1,
        40,
        16,
        5,
        CF_EXPORT,
    },

    { 
        // 40 bit RC2
        SP_PROT_ALL, 
        SP_PROT_ALL, 
        TEXT("RC2 40/128"),
        CALG_RC2,
        RC2_BLOCKLEN,
        40,
        16,
        5,
        CF_EXPORT,
    },

    { 
        // No encryption.
        SP_PROT_SSL3TLS1, 
        SP_PROT_SSL3TLS1, 
        TEXT("NULL"),
        CALG_NULLCIPHER,
        1,
        0,
        0,
        1,
        CF_EXPORT,
    },
};

DWORD g_cAvailableCiphers = sizeof(g_AvailableCiphers)/sizeof(CipherInfo);

HashInfo g_AvailableHashes[] = 
{
    { 
        SP_PROT_ALL, 
        SP_PROT_ALL, 
        TEXT("MD5"),
        CALG_MD5,
        CB_MD5_DIGEST_LEN,
    },
    { 
        SP_PROT_ALL, 
        SP_PROT_ALL,
        TEXT("SHA"),
        CALG_SHA,
        CB_SHA_DIGEST_LEN,
    }
};

DWORD g_cAvailableHashes = sizeof(g_AvailableHashes)/sizeof(HashInfo);


CertSysInfo g_AvailableCerts[] = 
{
    {
        SP_PROT_ALL, 
        SP_PROT_ALL, 
        X509_ASN_ENCODING, 
        TEXT("X.509")
    }
};

DWORD g_cAvailableCerts = sizeof(g_AvailableCerts)/sizeof(CertSysInfo);

SigInfo g_AvailableSigs[] = 
{
    { 
        SP_PROT_ALL, 
        SP_PROT_ALL, 
        SP_SIG_RSA_MD2, 
        TEXT("RSA Signed MD2"),
        CALG_MD2,
        CALG_RSA_SIGN,
    },
    { 
        SP_PROT_ALL,
        SP_PROT_ALL,
        SP_SIG_RSA_MD5, 
        TEXT("RSA Signed MD5"),
        CALG_MD5,
        CALG_RSA_SIGN,
    },
    { 
        SP_PROT_SSL3TLS1,
        SP_PROT_SSL3TLS1,
        SP_SIG_RSA_SHAMD5,
        TEXT("RSA Signed MD5/SHA combination"),
        (ALG_CLASS_HASH | ALG_TYPE_ANY | ALG_SID_SSL3SHAMD5),  // CALG_SSL3_SHAMD5
        CALG_RSA_SIGN,
    }
};

DWORD g_cAvailableSigs = sizeof(g_AvailableSigs)/sizeof(SigInfo);


KeyExchangeInfo g_AvailableExch[] = 
{
    { 
        CALG_RSA_SIGN,
        SP_PROT_ALL,
        SP_PROT_ALL,
        SP_EXCH_RSA_PKCS1,
        TEXT("PKCS"),
        &keyexchPKCS 
    },
    { 
        CALG_RSA_KEYX,
        SP_PROT_ALL,
        SP_PROT_ALL,
        SP_EXCH_RSA_PKCS1,
        TEXT("PKCS"),
        &keyexchPKCS 
    },
    { 
        CALG_DH_EPHEM,
        SP_PROT_SSL3 | SP_PROT_TLS1,
        SP_PROT_SSL3 | SP_PROT_TLS1,
        SP_EXCH_DH_PKCS3,
        TEXT("Diffie-Hellman"),
        &keyexchDH 
    },
};

DWORD g_cAvailableExch = sizeof(g_AvailableExch)/sizeof(KeyExchangeInfo);



PCipherInfo GetCipherInfo(ALG_ID aiCipher, DWORD dwStrength)
{
    DWORD i;
    for (i = 0; i < g_cAvailableCiphers; i++ )
    {
        if(g_AvailableCiphers[i].aiCipher == aiCipher &&
           g_AvailableCiphers[i].dwStrength == dwStrength) 
        { 
            return &g_AvailableCiphers[i]; 
        }       
    }
    return NULL;
}

PHashInfo GetHashInfo(ALG_ID aiHash)
{
    DWORD i;
    for (i = 0; i < g_cAvailableHashes; i++ )
    {
        if(g_AvailableHashes[i].aiHash == aiHash) 
        { 
            return &g_AvailableHashes[i]; 
        }       
    }
    return NULL;
}

PKeyExchangeInfo GetKeyExchangeInfo(ExchSpec Spec)
{
    DWORD i;
    for (i = 0; i < g_cAvailableExch; i++ )
    {
        if(g_AvailableExch[i].Spec == Spec) 
        { 
            return &g_AvailableExch[i]; 
        }       
    }
    return NULL;
}

PKeyExchangeInfo GetKeyExchangeInfoByAlg(ALG_ID aiExch)
{
    DWORD i;
    for (i = 0; i < g_cAvailableExch; i++ )
    {
        if(g_AvailableExch[i].aiExch == aiExch) 
        { 
            return &g_AvailableExch[i]; 
        }       
    }
    return NULL;
}

PCertSysInfo GetCertSysInfo(CertSpec Spec)
{
    DWORD i;
    for (i = 0; i < g_cAvailableCerts; i++ )
    {
        if(g_AvailableCerts[i].Spec == Spec) 
        { 
            return &g_AvailableCerts[i]; 
        }       
    }
    return NULL;
}


PSigInfo GetSigInfo(SigSpec Spec)
{
    DWORD i;
    for (i = 0; i < g_cAvailableSigs; i++ )
    {
        if(g_AvailableSigs[i].Spec == Spec) 
        { 
            return &g_AvailableSigs[i]; 
        }       
    }
    return NULL;
}


KeyExchangeSystem * 
KeyExchangeFromSpec(ExchSpec Spec, DWORD fProtocol)
{
    PKeyExchangeInfo pInfo;
    pInfo = GetKeyExchangeInfo(Spec);
    if(pInfo == NULL)
    {
        return NULL;
    }
    if(pInfo->fProtocol & fProtocol)
    {
        return pInfo->System;
    }
    return NULL;
}

BOOL GetBaseCipherSizes(DWORD *dwMin, DWORD *dwMax)
{
    DWORD i;
    DWORD dwFlags = CF_EXPORT | CF_FASTSGC | CF_SGC;
    *dwMin = 1000;
    *dwMax = 0;

    if(SslGlobalStrongEncryptionPermitted)
    {
        dwFlags |= CF_DOMESTIC;
    }

    for (i = 0; i < g_cAvailableCiphers; i++ )
    {
        if(g_AvailableCiphers[i].fProtocol)
        {
            if(g_AvailableCiphers[i].dwFlags & dwFlags)
            {
                *dwMin = min(g_AvailableCiphers[i].dwStrength, *dwMin);
                *dwMax = max(g_AvailableCiphers[i].dwStrength, *dwMax);
            }
        }

    }
    return TRUE;
}

void 
GetDisplayCipherSizes(
    PSPCredentialGroup pCredGroup,
    DWORD *dwMin, 
    DWORD *dwMax)
{
    DWORD i;
    DWORD dwFlags = CF_EXPORT;

    *dwMin = 1000;
    *dwMax = 0;

    if(SslGlobalStrongEncryptionPermitted)
    {
        dwFlags |= CF_DOMESTIC;
    }

    for (i = 0; i < g_cAvailableCiphers; i++ )
    {
        if(g_AvailableCiphers[i].fProtocol)
        {
            if((g_AvailableCiphers[i].dwFlags & dwFlags) && 
               (g_AvailableCiphers[i].dwStrength > 0))
            {
                *dwMin = min(g_AvailableCiphers[i].dwStrength, *dwMin);
                *dwMax = max(g_AvailableCiphers[i].dwStrength, *dwMax);
            }
        }
    }

    if(pCredGroup)
    {
        *dwMin = max(pCredGroup->dwMinStrength, *dwMin);
        *dwMax = min(pCredGroup->dwMaxStrength, *dwMax);
    }
}

BOOL IsCipherAllowed(
    PSPContext  pContext, 
    PCipherInfo pCipher, 
    DWORD       dwProtocol,
    DWORD       dwFlags)
{
    PSPCredentialGroup pCred;

    pCred = pContext->pCredGroup;
    if(!pCred) return FALSE;

    if(!pCipher) return FALSE;

    if(pCipher->dwStrength < pCred->dwMinStrength)
    {
        return FALSE;
    }

    if(pCipher->dwStrength > pCred->dwMaxStrength)
    {
        return FALSE;
    }
    if((pCipher->fProtocol & dwProtocol) == 0)
    {
        return FALSE;
    }
    if((pCipher->dwFlags & dwFlags) == 0)
    {
        return FALSE;
    }

    return IsAlgAllowed(pCred, pCipher->aiCipher);

}

BOOL 
IsCipherSuiteAllowed(
    PSPContext  pContext, 
    PCipherInfo pCipher, 
    DWORD       dwProtocol,
    DWORD       dwFlags,
    DWORD       dwSuiteFlags)
{
    if(!IsCipherAllowed(pContext, pCipher, dwProtocol, dwFlags))
    {
        return FALSE;
    }

    // Don't allow cipher suites using as domestic DES unless we're a 
    // domestic schannel or we're using SGC.
    if(!SslGlobalStrongEncryptionPermitted)
    {
        if((dwSuiteFlags & DOMESTIC_CIPHER_SUITE) &&
           (pCipher->dwStrength > 0) &&
           (dwFlags & (CF_SGC | CF_FASTSGC)) == 0)
        {
            return FALSE;
        }
    }

    return TRUE;
}

BOOL IsHashAllowed(
    PSPContext  pContext, 
    PHashInfo   pHash,
    DWORD       dwProtocol)
{
    PSPCredentialGroup pCred;

    pCred = pContext->pCredGroup;
    if(!pCred) return FALSE;

    if(!pHash) return FALSE;

    if((pHash->fProtocol & dwProtocol) == 0)
    {
        return FALSE;
    }

    return IsAlgAllowed(pCred, pHash->aiHash);
}

BOOL IsExchAllowed(
    PSPContext       pContext, 
    PKeyExchangeInfo pExch,
    DWORD            dwProtocol)
{
    PSPCredentialGroup  pCred;

    pCred = pContext->pCredGroup;
    if(!pCred) return FALSE;

    if(!pExch) return FALSE;

    if((pExch->fProtocol & dwProtocol) == 0)
    {
        return FALSE;
    }

    return IsAlgAllowed(pCred, pExch->aiExch);
}


BOOL IsAlgAllowed(
    PSPCredentialGroup pCred, 
    ALG_ID aiAlg)
{
    DWORD i;

    if(!pCred) return FALSE;

    if(pCred->palgSupportedAlgs == NULL)
    {
        return FALSE;
    }

    for(i = 0; i < pCred->cSupportedAlgs; i++)
    {   
        if(pCred->palgSupportedAlgs[i] == CALG_RSA_KEYX || 
           pCred->palgSupportedAlgs[i] == CALG_RSA_SIGN)
        {
            // accept either algid
            if(CALG_RSA_KEYX == aiAlg || CALG_RSA_SIGN == aiAlg)
            {
                return TRUE;
            }
        }
        else
        {
            if(pCred->palgSupportedAlgs[i] == aiAlg)
            {
                return TRUE;
            }
        }
    }

    return FALSE;
}

BOOL BuildAlgList(
    PSPCredentialGroup  pCred, 
    ALG_ID *            aalgRequestedAlgs, 
    DWORD               cRequestedAlgs)
{
    DWORD i,j;
    DWORD dwAlgClass;

    BOOL                fCipher=FALSE;
    BOOL                fHash=FALSE;
    BOOL                fExch=FALSE;


    if(!pCred) return FALSE;

    dwAlgClass = 0;

    // Get a buffer to hold the algs.
    pCred->palgSupportedAlgs = (ALG_ID *)SPExternalAlloc(sizeof(ALG_ID) * 
                                                          (g_cAvailableCiphers + 
                                                           g_cAvailableHashes + 
                                                           g_cAvailableExch));
    pCred->cSupportedAlgs = 0;

    if(pCred->palgSupportedAlgs == NULL)
    {
        return FALSE;
    }

    // Get a list of Alg Classes not specified
    if(aalgRequestedAlgs != NULL)
    {
        for(i=0; i < cRequestedAlgs; i++)
        {
            BOOL fAddAlg = FALSE;
            if(GET_ALG_CLASS(aalgRequestedAlgs[i]) == ALG_CLASS_DATA_ENCRYPT) 
            {
                fCipher=TRUE;
                for (j = 0; j < g_cAvailableCiphers; j++ )
                {

                    if((g_AvailableCiphers[j].aiCipher == aalgRequestedAlgs[i]) &&
                       (g_AvailableCiphers[j].dwStrength >= pCred->dwMinStrength) &&
                       (g_AvailableCiphers[j].dwStrength <= pCred->dwMaxStrength) &&
                       (g_AvailableCiphers[j].fProtocol & pCred->grbitEnabledProtocols))
                    {
                        fAddAlg = TRUE;
                        break;
                    }       
                }             
            } 
            else if(GET_ALG_CLASS(aalgRequestedAlgs[i]) == ALG_CLASS_HASH)
            {
                PHashInfo pHash;
                fHash = TRUE;
                pHash = GetHashInfo(aalgRequestedAlgs[i]);
                if((NULL != pHash) && (pHash->fProtocol & pCred->grbitEnabledProtocols))
                {
                    fAddAlg = TRUE;
                }

            }
            else if(GET_ALG_CLASS(aalgRequestedAlgs[i]) == ALG_CLASS_KEY_EXCHANGE)
            {
                PKeyExchangeInfo pExch;
                fExch = TRUE;
                pExch = GetKeyExchangeInfoByAlg(aalgRequestedAlgs[i]);
                if((NULL != pExch) && (pExch->fProtocol & pCred->grbitEnabledProtocols))
                {
                    fAddAlg = TRUE;
                }                
            }

            if(fAddAlg & !IsAlgAllowed(pCred, aalgRequestedAlgs[i]))
            {
                pCred->palgSupportedAlgs[pCred->cSupportedAlgs++] = aalgRequestedAlgs[i];
            }
        }
    }

    if(!fCipher)
    {
        // No ciphers were included in our list, so supply the default ones

        for (j = 0; j < g_cAvailableCiphers; j++ )
        {

            if((g_AvailableCiphers[j].dwStrength >= pCred->dwMinStrength) &&
               (g_AvailableCiphers[j].dwStrength <= pCred->dwMaxStrength) &&
               (g_AvailableCiphers[j].fProtocol & pCred->grbitEnabledProtocols))
            { 
                if(!IsAlgAllowed(pCred, g_AvailableCiphers[j].aiCipher))
                {
                    pCred->palgSupportedAlgs[pCred->cSupportedAlgs++] = g_AvailableCiphers[j].aiCipher;
                }
            }       
        }
    }
    if(!fHash)
    {
        // No hashes were included in our list, so supply the default ones

        for (j = 0; j < g_cAvailableHashes; j++ )
        {

            if(g_AvailableHashes[j].fProtocol & pCred->grbitEnabledProtocols)
            { 
                if(!IsAlgAllowed(pCred, g_AvailableHashes[j].aiHash))
                {
                    pCred->palgSupportedAlgs[pCred->cSupportedAlgs++] = g_AvailableHashes[j].aiHash;
                }
            }       
        }
    }
    if(!fExch)
    {
        // No key exchange algs were included in our list, so supply the default ones

        for(j = 0; j < g_cAvailableExch; j++ )
        {

            if(g_AvailableExch[j].fProtocol & pCred->grbitEnabledProtocols)
            { 
                if(!IsAlgAllowed(pCred, g_AvailableExch[j].aiExch))
                {
                    pCred->palgSupportedAlgs[pCred->cSupportedAlgs++] = g_AvailableExch[j].aiExch;
                }
            }       
        }
    }

    return TRUE;
}


static DWORD
ConvertCapiProtocol(DWORD dwCapiProtocol)
{
    DWORD dwProtocol = 0;

    if(dwCapiProtocol & CRYPT_FLAG_PCT1)
    {
        dwProtocol |= SP_PROT_PCT1;
    }
    if(dwCapiProtocol & CRYPT_FLAG_SSL2)
    {
        dwProtocol |= SP_PROT_SSL2;
    }
    if(dwCapiProtocol & CRYPT_FLAG_SSL3)
    {
        dwProtocol |= SP_PROT_SSL3;
    }
    if(dwCapiProtocol & CRYPT_FLAG_TLS1)
    {
        dwProtocol |= SP_PROT_TLS1;
    }

    return dwProtocol;
}


//+---------------------------------------------------------------------------
//
//  Function:   IsAlgSupportedCapi
//
//  Synopsis:   Examine the cipher suite input, and determine if this is
//              supported by the schannel CSP. Return TRUE if the 
//              cipher suite is supported.
//
//  Arguments:  [dwProtocol]    --  Protocols to be included in the
//                                  ClientHello message.
//
//              [pCipherMap]    --  Cipher suite to be examined.
//
//              [pCapiAlgs]     --  Array of algorithms supported by the
//                                  schannel CSP.
//
//              [cCapiAlgs]     --  Number of elements in the pCapiAlgs
//                                  array.
//
//  History:    10-29-97   jbanes   Created
//
//  Notes:      
//
//----------------------------------------------------------------------------
BOOL
IsAlgSupportedCapi(
    DWORD               dwProtocol, 
    UNICipherMap *      pCipherMap,
    PROV_ENUMALGS_EX *  pCapiAlgs,
    DWORD               cCapiAlgs)
{
    BOOL    fFound;
    DWORD   dwCapiProtocol;
    DWORD   i;

    // Is cipher supported?
    if(pCipherMap->aiCipher != 0 && pCipherMap->aiCipher != CALG_NULLCIPHER)
    {
        for(fFound = FALSE, i = 0; i < cCapiAlgs; i++)
        {
            if(pCipherMap->aiCipher != pCapiAlgs[i].aiAlgid)
            {
                continue;
            }

            if(pCipherMap->dwStrength > pCapiAlgs[i].dwMaxLen ||
               pCipherMap->dwStrength < pCapiAlgs[i].dwMinLen)
            {
                continue;
            }

            dwCapiProtocol = ConvertCapiProtocol(pCapiAlgs[i].dwProtocols);
            if((dwCapiProtocol & dwProtocol) == 0)
            {
                continue;
            }

            fFound = TRUE;
            break;
        }
        if(!fFound)
        {
            return FALSE;
        }
    }


    // Is hash supported?
    if(pCipherMap->aiHash != 0)
    {
        for(fFound = FALSE, i = 0; i < cCapiAlgs; i++)
        {
            if(pCipherMap->aiHash != pCapiAlgs[i].aiAlgid)
            {
                continue;
            }

            dwCapiProtocol = ConvertCapiProtocol(pCapiAlgs[i].dwProtocols);
            if((dwCapiProtocol & dwProtocol) == 0)
            {
                continue;
            }

            fFound = TRUE;
            break;
        }
        if(!fFound)
        {
            return FALSE;
        }
    }

    // Is exchange alg supported?
    if(pCipherMap->KeyExch != SP_EXCH_UNKNOWN)
    {
        for(fFound = FALSE, i = 0; i < cCapiAlgs; i++)
        {

            // RSA
            if(pCipherMap->KeyExch == SP_EXCH_RSA_PKCS1)
            {
                if(pCapiAlgs[i].aiAlgid != CALG_RSA_KEYX)
                {
                    continue;
                }
            }

            // DH
            else if(pCipherMap->KeyExch == SP_EXCH_DH_PKCS3)
            {
                if(pCapiAlgs[i].aiAlgid != CALG_DH_EPHEM)
                {
                    continue;
                }
            }

            // Any other key exchange algorithm
            else
            {
                // Not supported.
                continue;
            }


            dwCapiProtocol = ConvertCapiProtocol(pCapiAlgs[i].dwProtocols);
            if((dwCapiProtocol & dwProtocol) == 0)
            {
                continue;
            }

            fFound = TRUE;
            break;
        }
        if(!fFound)
        {
            return FALSE;
        }
    }

    return TRUE;
}