windows-server-2003/net/ipsec/ipsecshr/utils.c

#include "precomp.h"
#include "Nsu.h"


#define PADDR_NET_PORTION(pAddr) ((pAddr)->uSubNetMask & (pAddr)->uIpAddr)
#define PADDR_HOST_PORTION(pAddr) ((0xffffffff ^ (pAddr)->uSubNetMask) & (pAddr)->uIpAddr)


DWORD
ValidateAddr(
    PADDR pAddr
    )
{
    DWORD dwError = 0;

    if (pAddr->AddrType == IP_ADDR_INTERFACE) {
        if (!(pAddr->pgInterfaceID)) {
            dwError = ERROR_INVALID_PARAMETER;
            BAIL_ON_WIN32_ERROR(dwError);
        }
    }
    else {
        if (pAddr->pgInterfaceID) {
            dwError = ERROR_INVALID_PARAMETER;
            BAIL_ON_WIN32_ERROR(dwError);
        }
    }

error:

    return (dwError);
}


BOOL
IsMulticastAddress(PADDR pAddr)
{
	ASSERT (pAddr != NULL);
	return IN_MULTICAST(pAddr->uIpAddr);
}


BOOL
IsBroadcastAddress(PADDR pAddr)
{
	ASSERT (pAddr != NULL);
	return (pAddr->uIpAddr == INADDR_BROADCAST || IsSubnetBroadcastAddress(pAddr));
}


BOOL
IsSubnetBroadcastAddress(
	PADDR pAddr
	)
{
	ASSERT (pAddr != NULL);

	return (((pAddr->uSubNetMask == 0) ||bIsValidIPMask(pAddr->uSubNetMask)) &&
		(PADDR_NET_PORTION(pAddr) != 0) &&
		(pAddr->uSubNetMask != 0xffffffff) &&
		((PADDR_HOST_PORTION(pAddr) | pAddr->uSubNetMask) == 0xffffffff));
}


BOOL
IsUnicastAddress(PADDR pAddr)
{
	ASSERT (pAddr != NULL);
	return (!(IsMulticastAddress(pAddr) || IsBroadcastAddress(pAddr)));
}


// This will go away if/when we change the code to accept any unicast address; at that time IsUnicastAddress() will
// be the correct function to call
BOOL
IsSupportedAddress(PADDR pAddr)
{
	ASSERT (pAddr != NULL);

	if (!IsSpecialServer(pAddr) && (
		(IN_CLASSE(pAddr->uIpAddr)) ||
		((IN_CLASSA_NET & pAddr->uIpAddr) == 0) || // first octet can't be 0
		(IsLoopbackAddress(pAddr))
		))
	{
		return FALSE;
	}

	return TRUE;
}


BOOL
IsLoopbackAddress(PADDR pAddr)
{
	ASSERT (pAddr != NULL);
	return (pAddr->uIpAddr == INADDR_LOOPBACK);
}


BOOL
IsValidTunnelEndpointAddress(PADDR pAddr)
{
	ASSERT (pAddr != NULL);
	return IsUnicastAddress(pAddr);
}


BOOL
IsSpecialServer(PADDR pAddr)
{
	ASSERT (pAddr != NULL);
	return IsSpecialServ(pAddr->AddrType);
}


BOOL
IsValidSubnet(
	PADDR pAddr
	)
{
	ASSERT (pAddr != NULL);
	return ((PADDR_NET_PORTION(pAddr) != 0) && (PADDR_HOST_PORTION(pAddr) == 0));
}


BOOL
IsValidSubnettedAddress(
	PADDR pAddr
	)
{
	ASSERT (pAddr != NULL);
	if ((pAddr->AddrType != IP_ADDR_UNIQUE) || (!bIsValidIPMask(pAddr->uSubNetMask)))
	{
		return FALSE;
	}

	return ((PADDR_NET_PORTION(pAddr) != 0) && (PADDR_HOST_PORTION(pAddr) != 0));
}


DWORD
ValidateMMPolicy(
    PIPSEC_MM_POLICY pMMPolicy
    )
{
    DWORD dwError = 0;


    if (!pMMPolicy) {
        dwError = ERROR_INVALID_PARAMETER;
        BAIL_ON_WIN32_ERROR(dwError);
    }

    if (!(pMMPolicy->pszPolicyName) || !(*(pMMPolicy->pszPolicyName))) {
        dwError = ERROR_INVALID_PARAMETER;
        BAIL_ON_WIN32_ERROR(dwError);
    }

    dwError = ValidateMMOffers(
                  pMMPolicy->dwOfferCount,
                  pMMPolicy->pOffers
                  );
    BAIL_ON_WIN32_ERROR(dwError);

error:

    return (dwError);
}


DWORD
ValidateMMOffers(
    DWORD dwOfferCount,
    PIPSEC_MM_OFFER pOffers
    )
{
    DWORD dwError = 0;
    DWORD i = 0;


    if (!dwOfferCount || !pOffers || (dwOfferCount > IPSEC_MAX_MM_OFFERS)) {
        dwError = ERROR_INVALID_PARAMETER;
        BAIL_ON_WIN32_ERROR(dwError);
    }

error:

    return (dwError);
}

DWORD CompareCertRootConfig(PCERT_ROOT_CONFIG pCertRootConfig1,
                            PCERT_ROOT_CONFIG pCertRootConfig2)
{
    
    DWORD dwError = ERROR_SUCCESS;
    
    if (pCertRootConfig1->dwCertDataSize != pCertRootConfig2->dwCertDataSize) {
        dwError = ERROR_NOT_SUPPORTED;
        BAIL_ON_WIN32_ERROR(dwError);
    }
    if (memcmp(pCertRootConfig1->pCertData,
               pCertRootConfig2->pCertData,
               pCertRootConfig1->dwCertDataSize) != 0) {
        dwError = ERROR_NOT_SUPPORTED;
        BAIL_ON_WIN32_ERROR(dwError);
    }
    
    // Don't need to compare AuthorizationData since this must currently always be 0.

error:

    return (dwError);
}


DWORD ValidateCertRootConfig(PCERT_ROOT_CONFIG pCertRootConfig)
{

    DWORD dwError = 0;

    if (pCertRootConfig->dwCertDataSize == 0 || 
        pCertRootConfig->pCertData == NULL) {
        dwError = ERROR_INVALID_PARAMETER;
        BAIL_ON_WIN32_ERROR(dwError);
    }

    if (pCertRootConfig->dwAuthorizationDataSize || 
        pCertRootConfig->pAuthorizationData) {
        dwError = ERROR_NOT_SUPPORTED;
        BAIL_ON_WIN32_ERROR(dwError);
    }
    
error:
    return (dwError);

}


DWORD ValidateCertAuthInfo(PMM_CERT_INFO pCertInfo)
{
    DWORD dwError = 0;
    DWORD i;

    if (pCertInfo->dwVersion != 0) {
        dwError = ERROR_NOT_SUPPORTED;
        BAIL_ON_WIN32_ERROR(dwError);
    }

    if (pCertInfo->dwMyCertHashSize || pCertInfo->pMyCertHash) {
        dwError = ERROR_NOT_SUPPORTED;
        BAIL_ON_WIN32_ERROR(dwError);
    }
    
    // Outbound root array MUST be idential to inbound
    if (pCertInfo->dwInboundRootArraySize != pCertInfo->dwOutboundRootArraySize) {
        dwError = ERROR_NOT_SUPPORTED;
        BAIL_ON_WIN32_ERROR(dwError);
    }

    for (i=0; i < pCertInfo->dwInboundRootArraySize; i++) {
        dwError = ValidateCertRootConfig(&pCertInfo->pInboundRootArray[i]);
        BAIL_ON_WIN32_ERROR(dwError);

        // Outbound root array MUST be idential to inbound
        dwError = CompareCertRootConfig(&pCertInfo->pInboundRootArray[i],
                     &pCertInfo->pOutboundRootArray[i]);
        BAIL_ON_WIN32_ERROR(dwError);
    }

    
error:

    return (dwError);
}

DWORD
ValidateMMAuthMethods(
    PMM_AUTH_METHODS pMMAuthMethods
    )
{
    DWORD dwError = 0;
    DWORD i = 0;
    PIPSEC_MM_AUTH_INFO pTemp = NULL;
    DWORD dwNumAuthInfos = 0;
    PIPSEC_MM_AUTH_INFO pAuthenticationInfo = NULL;
    BOOL bSSPI = FALSE;
    BOOL bPresharedKey = FALSE;
    BOOL bRSASig= FALSE;


    if (!pMMAuthMethods) {
        dwError = ERROR_INVALID_PARAMETER;
        BAIL_ON_WIN32_ERROR(dwError);
    }

    dwNumAuthInfos = pMMAuthMethods->dwNumAuthInfos;
    pAuthenticationInfo = pMMAuthMethods->pAuthenticationInfo;

    if (!dwNumAuthInfos || !pAuthenticationInfo) {
        dwError = ERROR_INVALID_PARAMETER;
        BAIL_ON_WIN32_ERROR(dwError);
    }

    //
    // Need to catch the exception when the number of auth infos
    // specified is more than the actual number of auth infos.
    //


    pTemp = pAuthenticationInfo;

    for (i = 0; i < dwNumAuthInfos; i++) {

        if ((pTemp->AuthMethod != IKE_PRESHARED_KEY) &&
            (pTemp->AuthMethod != IKE_RSA_SIGNATURE) &&
            (pTemp->AuthMethod != IKE_SSPI)) {
            dwError = ERROR_INVALID_PARAMETER;
            BAIL_ON_WIN32_ERROR(dwError);
        }

        if (pTemp->AuthMethod == IKE_RSA_SIGNATURE) {
            dwError = ValidateCertAuthInfo(&pTemp->CertAuthInfo);
            BAIL_ON_WIN32_ERROR(dwError);
            if (bRSASig) {
                dwError = ERROR_INVALID_PARAMETER;
                BAIL_ON_WIN32_ERROR(dwError);
            }
            bRSASig = TRUE;
        }

        if (pTemp->AuthMethod == IKE_SSPI) {
            if (bSSPI) {
                dwError = ERROR_INVALID_PARAMETER;
                BAIL_ON_WIN32_ERROR(dwError);
            }
            bSSPI = TRUE;
        }

        if (pTemp->AuthMethod == IKE_PRESHARED_KEY) {
            if (!(pTemp->GeneralAuthInfo.dwAuthInfoSize) || 
                !(pTemp->GeneralAuthInfo.pAuthInfo)) {
                dwError = ERROR_INVALID_PARAMETER;
                BAIL_ON_WIN32_ERROR(dwError);
            }
            if (bPresharedKey) {
                dwError = ERROR_INVALID_PARAMETER;
                BAIL_ON_WIN32_ERROR(dwError);
            }
            bPresharedKey = TRUE;
        }

        pTemp++;

    }

error:

    return (dwError);
}

DWORD
ValidateQMPolicy(
    PIPSEC_QM_POLICY pQMPolicy
    )
{
    DWORD dwError = 0;


    if (!pQMPolicy) {
        dwError = ERROR_INVALID_PARAMETER;
        BAIL_ON_WIN32_ERROR(dwError);
    }

    if (!(pQMPolicy->pszPolicyName) || !(*(pQMPolicy->pszPolicyName))) {
        dwError = ERROR_INVALID_PARAMETER;
        BAIL_ON_WIN32_ERROR(dwError);
    }

    dwError = ValidateQMOffers(
                  pQMPolicy->dwOfferCount,
                  pQMPolicy->pOffers
                  );
    BAIL_ON_WIN32_ERROR(dwError);

error:

    return (dwError);
}


DWORD
ValidateQMOffers(
    DWORD dwOfferCount,
    PIPSEC_QM_OFFER pOffers
    )
{
    DWORD dwError = 0;

    if (!dwOfferCount || !pOffers || (dwOfferCount > IPSEC_MAX_QM_OFFERS)) {
        dwError = ERROR_INVALID_PARAMETER;
        BAIL_ON_WIN32_ERROR(dwError);
    }

error:

    return (dwError);
}


DWORD
ValidateMMFilter(
    PMM_FILTER pMMFilter
    )
/*++

Routine Description:

    This function validates an external generic MM filter.

Arguments:

    pMMFilter - Filter to validate.

Return Value:

    ERROR_SUCCESS - Success.

    Win32 Error - Failure.

--*/
{
    DWORD dwError = 0;
    BOOL bConflicts = FALSE;


    if (!pMMFilter) {
        dwError = ERROR_INVALID_PARAMETER;
        BAIL_ON_WIN32_ERROR(dwError);
    }

    dwError = VerifyAddresses(&(pMMFilter->SrcAddr), TRUE , FALSE);
    BAIL_ON_WIN32_ERROR(dwError);

    dwError = VerifyAddresses(&(pMMFilter->DesAddr), TRUE , TRUE);
    BAIL_ON_WIN32_ERROR(dwError);

    bConflicts = HtoNAddressesConflict(
                     pMMFilter->SrcAddr,
                     pMMFilter->DesAddr
                     );
    if (bConflicts) {
        dwError = ERROR_INVALID_PARAMETER;
        BAIL_ON_WIN32_ERROR(dwError);
    }

    if (!(pMMFilter->pszFilterName) || !(*(pMMFilter->pszFilterName))) {
        dwError = ERROR_INVALID_PARAMETER;
        BAIL_ON_WIN32_ERROR(dwError);
    }

    dwError = ValidateInterfaceType(pMMFilter->InterfaceType);
    BAIL_ON_WIN32_ERROR(dwError);

    if (pMMFilter->dwFlags &&
        !(pMMFilter->dwFlags & IPSEC_MM_POLICY_DEFAULT_POLICY) &&
        !(pMMFilter->dwFlags & IPSEC_MM_AUTH_DEFAULT_AUTH)) {
        dwError = ERROR_INVALID_PARAMETER;
        BAIL_ON_WIN32_ERROR(dwError);
    }

    dwError = ApplyMulticastFilterValidation(
                  pMMFilter->DesAddr,
                  pMMFilter->bCreateMirror
                  );
    BAIL_ON_WIN32_ERROR(dwError);

error:

    return (dwError);
}


DWORD
VerifyAddresses(
    PADDR pAddr,
    BOOL bAcceptMe,
    BOOL bIsDesAddr
    )
{
    DWORD   dwError = 0;
    BOOL    bIsValid = FALSE;

    switch (pAddr->AddrType) {

    case IP_ADDR_UNIQUE:
        bIsValid = bIsValidIPAddress(
                       ntohl(pAddr->uIpAddr),
                       bAcceptMe,
                       bIsDesAddr
                       );
        if (!bIsValid) {
            dwError = ERROR_INVALID_PARAMETER;
            BAIL_ON_WIN32_ERROR(dwError);
        }
        if (pAddr->pgInterfaceID) {
            dwError = ERROR_INVALID_PARAMETER;
            BAIL_ON_WIN32_ERROR(dwError);
        }
        break;

    case IP_ADDR_SUBNET:
        dwError = VerifySubNetAddress(
                      ntohl(pAddr->uIpAddr),
                      ntohl(pAddr->uSubNetMask),
                      bIsDesAddr
                      );
        BAIL_ON_WIN32_ERROR(dwError);
        if (pAddr->pgInterfaceID) {
            dwError = ERROR_INVALID_PARAMETER;
            BAIL_ON_WIN32_ERROR(dwError);
        }
        break;

    case IP_ADDR_INTERFACE:
        if (pAddr->uIpAddr) {
            dwError = ERROR_INVALID_PARAMETER;
            BAIL_ON_WIN32_ERROR(dwError);
        }
        if (!(pAddr->pgInterfaceID)) {
            dwError = ERROR_INVALID_PARAMETER;
            BAIL_ON_WIN32_ERROR(dwError);
        }
        break;
    default:
        if (!IsSpecialServ(pAddr->AddrType)) {
            dwError = ERROR_INVALID_PARAMETER;
            BAIL_ON_WIN32_ERROR(dwError);
        }
        break;
    }

error:

    return (dwError);
}


DWORD
VerifySubNetAddress(
    ULONG uSubNetAddr,
    ULONG uSubNetMask,
    BOOL bIsDesAddr
    )
{
    DWORD dwError = 0;
    BOOL  bIsValid = FALSE;

    if (uSubNetAddr == SUBNET_ADDRESS_ANY) {
        if (uSubNetMask != SUBNET_MASK_ANY) {
            dwError = ERROR_INVALID_PARAMETER;
            BAIL_ON_WIN32_ERROR(dwError);
        }
    }
    else {
        bIsValid = bIsValidSubnet(
                       uSubNetAddr,
                       uSubNetMask,
                       bIsDesAddr
                       );
        if (!bIsValid) {
            dwError = ERROR_INVALID_PARAMETER;
            BAIL_ON_WIN32_ERROR(dwError);
        }
    }

error:

    return (dwError);
}


BOOL
bIsValidIPMask(
    ULONG uMask
    )
{
	BOOL bValidMask = FALSE;
	ULONG uTestMask = 0;

	//
	// Mask must be contiguous bits.
	//

	for (uTestMask = 0xFFFFFFFF; uTestMask; uTestMask <<= 1) {
		if (uTestMask == uMask) {
			bValidMask = TRUE;
			break;
		}
	}

	return (bValidMask);
}


BOOL
bIsValidIPAddress(
    ULONG uIpAddr,
    BOOL bAcceptMe,
    BOOL bIsDesAddr
    )
{
    ULONG uHostMask = IN_CLASSA_HOST;   // Default host mask.


    //
    // Accept the address if its "me".
    //

    if (bAcceptMe) {
        if (uIpAddr == IP_ADDRESS_ME) {
            return TRUE;
        }
    }

    //
    // Reject if its a multicast address and is not the 
    // destination address.
    //

    if (IN_CLASSD(uIpAddr)) {
        if (bIsDesAddr) {
            return TRUE;
        }
        else {
            return FALSE;
        }
    }

    //
    // Reject if its a Class E address.
    //

    if (IN_CLASSE(uIpAddr)) {
        return FALSE;
    }

    //
    // Reject if the first octet is zero.
    //

    if (!(IN_CLASSA_NET & uIpAddr)) {
        return FALSE;
    }

    //
    // Use default mask based on Class when none is provided.
    //

    if (IN_CLASSA(uIpAddr)) {
        uHostMask = IN_CLASSA_HOST;
    }
    else if (IN_CLASSB(uIpAddr)) {
        uHostMask = IN_CLASSB_HOST;
    }
    else if (IN_CLASSC(uIpAddr)) {
        uHostMask = IN_CLASSC_HOST;
    }

    //
    // Accept address when host portion is non-zero.
    //

    if (uHostMask & uIpAddr) {
        return TRUE;
    }

    return FALSE;
}


BOOL
bIsValidSubnet(
    ULONG uIpAddr,
    ULONG uMask,
    BOOL bIsDesAddr
    )
{
    ULONG uHostMask = 0;


    //
    // Reject if its a multicast address and is not the 
    // destination address.
    //

    if (IN_CLASSD(uIpAddr)) {
        if (!bIsDesAddr) {
            return FALSE;
        }
    }

    //
    // Reject if its a Class E address.
    //

    if (IN_CLASSE(uIpAddr)) {
        return FALSE;
    }

    //
    // Reject if the first octet is zero.
    //

    if (!(IN_CLASSA_NET & uIpAddr)) {
        return FALSE;
    }

    //
    // If the mask is invalid then return.
    //

    if (!bIsValidIPMask(uMask)) {
        return FALSE;
    }

    //
    // Use the provided subnet mask to generate the host mask.
    //

    uHostMask = 0xFFFFFFFF ^ uMask;

    //
    // Accept address only when the host portion is zero, network
    // portion is non-zero and first octet is non-zero.
    //

    if (!(uHostMask & uIpAddr) &&
        (uMask & uIpAddr) &&
        (IN_CLASSA_NET & uIpAddr)) {
        return TRUE;
    }

    return FALSE;
}


// AddressesConflict requires addresses in network byte order.
//
BOOL
AddressesConflict(
    ADDR    SrcAddr,
    ADDR    DesAddr
    )
{
	if ((SrcAddr.AddrType == IP_ADDR_UNIQUE) &&
		(DesAddr.AddrType == IP_ADDR_UNIQUE) &&
		(SrcAddr.uIpAddr == DesAddr.uIpAddr))
	{
		return (TRUE);
	}

	if ((SrcAddr.AddrType == IP_ADDR_INTERFACE) &&
		(DesAddr.AddrType == IP_ADDR_INTERFACE))
	{
		return (TRUE);
	}

	if (IsSpecialServer(&SrcAddr) &&
		(SrcAddr.AddrType == DesAddr.AddrType))
	{
		return (TRUE);
	}

	if (IsMulticastAddress(&SrcAddr) || IsBroadcastAddress(&SrcAddr))
	{
		return (TRUE);
	}

	return (FALSE);
}


// Special version of AddressesConflict for Winipsec.dll functions that requires 
// addresses in Host order. This fix was made for bug# 708188
// "IPSec validation functions must convert from host to network order before validation"
// for RC2 and given test and dev resources was the safest and quickest fix.

BOOL
HtoNAddressesConflict(
    ADDR    SrcAddr,
    ADDR    DesAddr
    )
{
	SrcAddr.uIpAddr=htonl(SrcAddr.uIpAddr);
	SrcAddr.uSubNetMask=htonl(SrcAddr.uSubNetMask);

	DesAddr.uIpAddr=htonl(DesAddr.uIpAddr);
	DesAddr.uSubNetMask=htonl(DesAddr.uSubNetMask);

   return AddressesConflict(SrcAddr, DesAddr);
}


DWORD
ValidateTransportFilter(
    PTRANSPORT_FILTER pTransportFilter
    )
{
    DWORD dwError = 0;
    BOOL bConflicts = FALSE;


    if (!pTransportFilter) {
        dwError = ERROR_INVALID_PARAMETER;
        BAIL_ON_WIN32_ERROR(dwError);
    }

    dwError = VerifyAddresses(&(pTransportFilter->SrcAddr), TRUE, FALSE);
    BAIL_ON_WIN32_ERROR(dwError);

    dwError = VerifyAddresses(&(pTransportFilter->DesAddr), TRUE, TRUE);
    BAIL_ON_WIN32_ERROR(dwError);

    bConflicts = HtoNAddressesConflict(
                     pTransportFilter->SrcAddr,
                     pTransportFilter->DesAddr
                     );
    if (bConflicts) {
        dwError = ERROR_INVALID_PARAMETER;
        BAIL_ON_WIN32_ERROR(dwError);
    }

    dwError = VerifyProtocols(pTransportFilter->Protocol);
    BAIL_ON_WIN32_ERROR(dwError);

    dwError = VerifyPortsForProtocol(
                  pTransportFilter->SrcPort,
                  pTransportFilter->Protocol
                  );
    BAIL_ON_WIN32_ERROR(dwError);

    dwError = VerifyPortsForProtocol(
                  pTransportFilter->DesPort,
                  pTransportFilter->Protocol
                  );
    BAIL_ON_WIN32_ERROR(dwError);

    if (!(pTransportFilter->pszFilterName) || !(*(pTransportFilter->pszFilterName))) {
        dwError = ERROR_INVALID_PARAMETER;
        BAIL_ON_WIN32_ERROR(dwError);
    }

    dwError = ValidateInterfaceType(pTransportFilter->InterfaceType);
    BAIL_ON_WIN32_ERROR(dwError);

    dwError = ValidateFilterAction(pTransportFilter->InboundFilterAction);
    BAIL_ON_WIN32_ERROR(dwError);

    dwError = ValidateFilterAction(pTransportFilter->OutboundFilterAction);
    BAIL_ON_WIN32_ERROR(dwError);

    if (pTransportFilter->dwFlags &&
        !(pTransportFilter->dwFlags & IPSEC_QM_POLICY_DEFAULT_POLICY)) {
        dwError = ERROR_INVALID_PARAMETER;
        BAIL_ON_WIN32_ERROR(dwError);
    }

    dwError = ApplyMulticastFilterValidation(
                  pTransportFilter->DesAddr,
                  pTransportFilter->bCreateMirror
                  );
    BAIL_ON_WIN32_ERROR(dwError);

error:

    return (dwError);
}

DWORD
ValidateIPSecQMFilter(
    PIPSEC_QM_FILTER pQMFilter
    )
{
    DWORD dwError = 0;
    BOOL bConflicts = FALSE;

    if (!pQMFilter) {
        dwError = ERROR_INVALID_PARAMETER;
        BAIL_ON_WIN32_ERROR(dwError);
    }

    dwError = VerifyAddresses(&(pQMFilter->SrcAddr), FALSE, FALSE);
    BAIL_ON_WIN32_ERROR(dwError);

    dwError = VerifyAddresses(&(pQMFilter->DesAddr), FALSE, TRUE);
    BAIL_ON_WIN32_ERROR(dwError);

    bConflicts = HtoNAddressesConflict(
                     pQMFilter->SrcAddr,
                     pQMFilter->DesAddr
                     );
    if (bConflicts) {
        dwError = ERROR_INVALID_PARAMETER;
        BAIL_ON_WIN32_ERROR(dwError);
    }

    dwError = VerifyProtocols(pQMFilter->Protocol);
    BAIL_ON_WIN32_ERROR(dwError);

    dwError = VerifyPortsForProtocol(
                  pQMFilter->SrcPort,
                  pQMFilter->Protocol
                  );
    BAIL_ON_WIN32_ERROR(dwError);

    dwError = VerifyPortsForProtocol(
                  pQMFilter->DesPort,
                  pQMFilter->Protocol
                  );
    BAIL_ON_WIN32_ERROR(dwError);


    if (pQMFilter->QMFilterType == QM_TUNNEL_FILTER) {

        if (pQMFilter->MyTunnelEndpt.AddrType != IP_ADDR_UNIQUE) {
            dwError=ERROR_INVALID_PARAMETER;
            BAIL_ON_WIN32_ERROR(dwError);
        }
        
        if (pQMFilter->PeerTunnelEndpt.AddrType != IP_ADDR_UNIQUE) {
            dwError=ERROR_INVALID_PARAMETER;
            BAIL_ON_WIN32_ERROR(dwError);
        }
        
        dwError = VerifyAddresses(&(pQMFilter->MyTunnelEndpt), FALSE, FALSE);
        BAIL_ON_WIN32_ERROR(dwError);
        
        dwError = VerifyAddresses(&(pQMFilter->PeerTunnelEndpt), FALSE, FALSE);
        BAIL_ON_WIN32_ERROR(dwError);

    }
    else {

        dwError = ValidateAddr(&(pQMFilter->MyTunnelEndpt));
        BAIL_ON_WIN32_ERROR(dwError);

        dwError = ValidateAddr(&(pQMFilter->PeerTunnelEndpt));
        BAIL_ON_WIN32_ERROR(dwError);

    }

    if (pQMFilter->QMFilterType != QM_TUNNEL_FILTER &&
        pQMFilter->QMFilterType != QM_TRANSPORT_FILTER) {
        dwError=ERROR_INVALID_PARAMETER;
        BAIL_ON_WIN32_ERROR(dwError);
    }

error:

    return (dwError);
}

DWORD
VerifyProtocols(
    PROTOCOL Protocol
    )
{
    DWORD dwError = 0;

    switch (Protocol.ProtocolType) {

    case PROTOCOL_UNIQUE:
        if (Protocol.dwProtocol > 255) {
            dwError = ERROR_INVALID_PARAMETER;
            BAIL_ON_WIN32_ERROR(dwError);
        }
        break;

    default:
        dwError = ERROR_INVALID_PARAMETER;
        BAIL_ON_WIN32_ERROR(dwError);
        break;

    }

error:

    return (dwError);
}


DWORD
VerifyPortsForProtocol(
    PORT Port,
    PROTOCOL Protocol
    )
{
    DWORD dwError = 0;

    switch (Port.PortType) {

    case PORT_UNIQUE:

        if (Port.wPort < 0) {
            dwError = ERROR_INVALID_PARAMETER;
            BAIL_ON_WIN32_ERROR(dwError);
        }

        switch (Protocol.ProtocolType) {

        case PROTOCOL_UNIQUE:
            if ((Protocol.dwProtocol != IPPROTO_TCP) &&
                (Protocol.dwProtocol != IPPROTO_UDP)) {
                if (Port.wPort != 0) {
                    dwError = ERROR_INVALID_PARAMETER;
                    BAIL_ON_WIN32_ERROR(dwError);
                }
            }
            break;

        default:
            dwError = ERROR_INVALID_PARAMETER;
            BAIL_ON_WIN32_ERROR(dwError);
            break;

        }

        break;

    default:

        dwError = ERROR_INVALID_PARAMETER;
        BAIL_ON_WIN32_ERROR(dwError);
        break;

    }

error:

    return (dwError);
}


DWORD
ValidateMMFilterTemplate(
    PMM_FILTER pMMFilter
    )
{
    DWORD dwError = 0;
    BOOL bConflicts = FALSE;


    if (!pMMFilter) {
        dwError = ERROR_INVALID_PARAMETER;
        BAIL_ON_WIN32_ERROR(dwError);
    }

    dwError = VerifyAddresses(&(pMMFilter->SrcAddr), TRUE, FALSE);
    BAIL_ON_WIN32_ERROR(dwError);

    dwError = VerifyAddresses(&(pMMFilter->DesAddr), TRUE, TRUE);
    BAIL_ON_WIN32_ERROR(dwError);

    bConflicts = HtoNAddressesConflict(
                     pMMFilter->SrcAddr,
                     pMMFilter->DesAddr
                     );
    if (bConflicts) {
        dwError = ERROR_INVALID_PARAMETER;
        BAIL_ON_WIN32_ERROR(dwError);
    }

    if (pMMFilter->dwDirection) {
        if ((pMMFilter->dwDirection != FILTER_DIRECTION_INBOUND) &&
            (pMMFilter->dwDirection != FILTER_DIRECTION_OUTBOUND)) {
            dwError = ERROR_INVALID_PARAMETER;
            BAIL_ON_WIN32_ERROR(dwError);
        }
    }

error:

    return (dwError);
}


DWORD
ValidateTxFilterTemplate(
    PTRANSPORT_FILTER pTxFilter
    )
{
    DWORD dwError = 0;
    BOOL bConflicts = FALSE;


    if (!pTxFilter) {
        dwError = ERROR_INVALID_PARAMETER;
        BAIL_ON_WIN32_ERROR(dwError);
    }

    dwError = VerifyAddresses(&(pTxFilter->SrcAddr), TRUE, FALSE);
    BAIL_ON_WIN32_ERROR(dwError);

    dwError = VerifyAddresses(&(pTxFilter->DesAddr), TRUE, TRUE);
    BAIL_ON_WIN32_ERROR(dwError);

    bConflicts = HtoNAddressesConflict(
                     pTxFilter->SrcAddr,
                     pTxFilter->DesAddr
                     );
    if (bConflicts) {
        dwError = ERROR_INVALID_PARAMETER;
        BAIL_ON_WIN32_ERROR(dwError);
    }

    dwError = VerifyProtocols(pTxFilter->Protocol);
    BAIL_ON_WIN32_ERROR(dwError);

    dwError = VerifyPortsForProtocol(
                  pTxFilter->SrcPort,
                  pTxFilter->Protocol
                  );
    BAIL_ON_WIN32_ERROR(dwError);

    dwError = VerifyPortsForProtocol(
                  pTxFilter->DesPort,
                  pTxFilter->Protocol
                  );
    BAIL_ON_WIN32_ERROR(dwError);

    if (pTxFilter->dwDirection) {
        if ((pTxFilter->dwDirection != FILTER_DIRECTION_INBOUND) &&
            (pTxFilter->dwDirection != FILTER_DIRECTION_OUTBOUND)) {
            dwError = ERROR_INVALID_PARAMETER;
            BAIL_ON_WIN32_ERROR(dwError);
        }
    }

error:

    return (dwError);
}


DWORD
ValidateTunnelFilter(
    PTUNNEL_FILTER pTunnelFilter
    )
{
    DWORD dwError = 0;
    BOOL bConflicts = FALSE;


    if (!pTunnelFilter) {
        dwError = ERROR_INVALID_PARAMETER;
        BAIL_ON_WIN32_ERROR(dwError);
    }

    dwError = VerifyAddresses(&(pTunnelFilter->SrcAddr), TRUE, FALSE);
    BAIL_ON_WIN32_ERROR(dwError);

    dwError = VerifyAddresses(&(pTunnelFilter->DesAddr), TRUE, TRUE);
    BAIL_ON_WIN32_ERROR(dwError);

    bConflicts = HtoNAddressesConflict(
                     pTunnelFilter->SrcAddr,
                     pTunnelFilter->DesAddr
                     );
    if (bConflicts) {
        dwError = ERROR_INVALID_PARAMETER;
        BAIL_ON_WIN32_ERROR(dwError);
    }

    dwError = ValidateAddr(&(pTunnelFilter->SrcTunnelAddr));
    BAIL_ON_WIN32_ERROR(dwError);

    dwError = VerifyAddresses(&(pTunnelFilter->DesTunnelAddr), TRUE, FALSE);
    BAIL_ON_WIN32_ERROR(dwError);

    dwError = VerifyProtocols(pTunnelFilter->Protocol);
    BAIL_ON_WIN32_ERROR(dwError);

    dwError = VerifyPortsForProtocol(
                  pTunnelFilter->SrcPort,
                  pTunnelFilter->Protocol
                  );
    BAIL_ON_WIN32_ERROR(dwError);

    dwError = VerifyPortsForProtocol(
                  pTunnelFilter->DesPort,
                  pTunnelFilter->Protocol
                  );
    BAIL_ON_WIN32_ERROR(dwError);

    if (!(pTunnelFilter->pszFilterName) || !(*(pTunnelFilter->pszFilterName))) {
        dwError = ERROR_INVALID_PARAMETER;
        BAIL_ON_WIN32_ERROR(dwError);
    }

    dwError = ValidateInterfaceType(pTunnelFilter->InterfaceType);
    BAIL_ON_WIN32_ERROR(dwError);

    if (pTunnelFilter->bCreateMirror) {
        dwError = ERROR_INVALID_PARAMETER;
        BAIL_ON_WIN32_ERROR(dwError);
    }

    dwError = ValidateFilterAction(pTunnelFilter->InboundFilterAction);
    BAIL_ON_WIN32_ERROR(dwError);

    dwError = ValidateFilterAction(pTunnelFilter->OutboundFilterAction);
    BAIL_ON_WIN32_ERROR(dwError);

    if (pTunnelFilter->dwFlags &&
        !(pTunnelFilter->dwFlags & IPSEC_QM_POLICY_DEFAULT_POLICY)) {
        dwError = ERROR_INVALID_PARAMETER;
        BAIL_ON_WIN32_ERROR(dwError);
    }

    //
    // No need to call ApplyMulticastFilterValidation as bCreateMirror
    // is always false for a tunnel filter.
    //

error:

    return (dwError);
}


DWORD
ValidateTnFilterTemplate(
    PTUNNEL_FILTER pTnFilter
    )
{
    DWORD dwError = 0;
    BOOL bConflicts = FALSE;


    if (!pTnFilter) {
        dwError = ERROR_INVALID_PARAMETER;
        BAIL_ON_WIN32_ERROR(dwError);
    }

    dwError = VerifyAddresses(&(pTnFilter->SrcAddr), TRUE, FALSE);
    BAIL_ON_WIN32_ERROR(dwError);

    dwError = VerifyAddresses(&(pTnFilter->DesAddr), TRUE, TRUE);
    BAIL_ON_WIN32_ERROR(dwError);

    bConflicts = HtoNAddressesConflict(
                     pTnFilter->SrcAddr,
                     pTnFilter->DesAddr
                     );
    if (bConflicts) {
        dwError = ERROR_INVALID_PARAMETER;
        BAIL_ON_WIN32_ERROR(dwError);
    }

    dwError = ValidateAddr(&(pTnFilter->SrcTunnelAddr));
    BAIL_ON_WIN32_ERROR(dwError);

    dwError = VerifyAddresses(&(pTnFilter->DesTunnelAddr), TRUE, FALSE);
    BAIL_ON_WIN32_ERROR(dwError);

    dwError = VerifyProtocols(pTnFilter->Protocol);
    BAIL_ON_WIN32_ERROR(dwError);

    dwError = VerifyPortsForProtocol(
                  pTnFilter->SrcPort,
                  pTnFilter->Protocol
                  );
    BAIL_ON_WIN32_ERROR(dwError);

    dwError = VerifyPortsForProtocol(
                  pTnFilter->DesPort,
                  pTnFilter->Protocol
                  );
    BAIL_ON_WIN32_ERROR(dwError);

    if (pTnFilter->dwDirection) {
        if ((pTnFilter->dwDirection != FILTER_DIRECTION_INBOUND) &&
            (pTnFilter->dwDirection != FILTER_DIRECTION_OUTBOUND)) {
            dwError = ERROR_INVALID_PARAMETER;
            BAIL_ON_WIN32_ERROR(dwError);
        }
    }

error:

    return (dwError);
}


DWORD
ApplyMulticastFilterValidation(
    ADDR Addr,
    BOOL bCreateMirror
    )
{
    DWORD dwError = 0;


    if (((Addr.AddrType == IP_ADDR_UNIQUE) ||
        (Addr.AddrType == IP_ADDR_SUBNET)) &&
        (IN_CLASSD(ntohl(Addr.uIpAddr))) &&
        bCreateMirror) {
        dwError = ERROR_INVALID_PARAMETER;
        BAIL_ON_WIN32_ERROR(dwError);
    }

error:

    return (dwError);
}


DWORD
ValidateQMFilterAddresses(
    PIPSEC_QM_FILTER pIpsecQMFilter
    )
{
    DWORD dwError = 0;


    dwError = ValidateAddr(&(pIpsecQMFilter->SrcAddr));
    BAIL_ON_WIN32_ERROR(dwError);

    dwError = ValidateAddr(&(pIpsecQMFilter->DesAddr));
    BAIL_ON_WIN32_ERROR(dwError);

    dwError = ValidateAddr(&(pIpsecQMFilter->MyTunnelEndpt));
    BAIL_ON_WIN32_ERROR(dwError);

    dwError = ValidateAddr(&(pIpsecQMFilter->PeerTunnelEndpt));
    BAIL_ON_WIN32_ERROR(dwError);

error:

    return (dwError);
}