archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
1 Branch
0 Tags
1.5 GiB
Tree: 5c6fe3db62
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '5c6fe3db62'
${ noResults }
windows-server-2003/net/ipsec/spd/server/patn-fil.c

618 lines
15 KiB
Raw Normal View History

commiting as it is
4 years ago
  3. #include "precomp.h"
  4. #ifdef TRACE_ON
  5. #include "patn-fil.tmh"
  6. #endif
  8. DWORD
  9. PAAddTnFilterSpecs(
  10. PIPSEC_NFA_DATA pIpsecNFAData,
  11. DWORD dwSource,
  12. BOOL * pbHardError
  13. )
  14. {
  15. DWORD dwError = 0;
  16. PIPSEC_NEGPOL_DATA pIpsecNegPolData = NULL;
  17. PIPSEC_FILTER_DATA pIpsecFilterData = NULL;
  18. PQMPOLICYSTATE pQMPolicyState = NULL;
  19. DWORD dwNumFilterSpecs = 0;
  20. PIPSEC_FILTER_SPEC * ppFilterSpecs = NULL;
  21. DWORD i = 0;
  22. PTNFILTERSTATE pTnFilterState = NULL;
  23. PTUNNEL_FILTER pSPDTnFilter = NULL;
  24. LPWSTR pServerName = NULL;
  25. DWORD dwVersion = 0;
  26. BOOL bHardError = FALSE;
  28. TRACE(TRC_INFORMATION, ("Pastore adding tunnel filters for rule %!guid!.", &pIpsecNFAData->NFAIdentifier));
  30. pIpsecNegPolData = pIpsecNFAData->pIpsecNegPolData;
  32. if (!memcmp(
  33. &(pIpsecNegPolData->NegPolType),
  34. &(GUID_NEGOTIATION_TYPE_DEFAULT),
  35. sizeof(GUID))) {
  36. TRACE(TRC_INFORMATION, ("Pastore found default response rule: not adding an associated tunnel filter."));
  37. dwError = ERROR_SUCCESS;
  38. BAIL_OUT;
  39. }
  41. pQMPolicyState = FindQMPolicyState(
  42. pIpsecNegPolData->NegPolIdentifier
  43. );
  44. if (!pQMPolicyState) {
  45. bHardError = TRUE;
  46. dwError = ERROR_INVALID_PARAMETER;
  48. TRACE(
  49. TRC_ERROR,
  50. ("Pastore failed to find associated QM policy %!guid! when adding rule %!guid!.",
  51. &pIpsecNegPolData->NegPolIdentifier,
  52. &pIpsecNFAData->NFAIdentifier)
  53. );
  55. BAIL_ON_WIN32_ERROR(dwError);
  56. }
  58. if (!IsClearOnly(pQMPolicyState->gNegPolAction) &&
  59. !IsBlocking(pQMPolicyState->gNegPolAction) &&
  60. !(pQMPolicyState->bInSPD)) {
  61. bHardError = TRUE;
  62. dwError = ERROR_INVALID_PARAMETER;
  64. TRACE(
  65. TRC_ERROR,
  66. ("Pastore failed to get associated QM policy in SPD %!guid! when adding rule %!guid!.",
  67. &pIpsecNFAData->NFAIdentifier,
  68. &pIpsecNegPolData->NegPolIdentifier)
  69. );
  71. BAIL_ON_WIN32_ERROR(dwError);
  72. }
  74. pIpsecFilterData = pIpsecNFAData->pIpsecFilterData;
  76. if (!pIpsecFilterData) {
  77. TRACE(
  78. TRC_ERROR,
  79. ("Pastore found no associated filter data when adding rule %!guid!.",
  80. &pIpsecNFAData->NFAIdentifier)
  81. );
  83. dwError = ERROR_INVALID_PARAMETER;
  84. SET_IF_HARD_ERROR(
  85. dwError,
  86. pQMPolicyState->gNegPolAction,
  87. bHardError
  88. );
  89. if (!bHardError) {
  90. dwError = ERROR_SUCCESS;
  91. }
  92. BAIL_OUT;
  93. }
  95. dwNumFilterSpecs = pIpsecFilterData->dwNumFilterSpecs;
  96. ppFilterSpecs = pIpsecFilterData->ppFilterSpecs;
  99. for (i = 0; i < dwNumFilterSpecs; i++) {
  101. dwError = PACreateTnFilterState(
  102. pIpsecNegPolData,
  103. pIpsecNFAData,
  104. *(ppFilterSpecs + i),
  105. &pTnFilterState
  106. );
  107. if (dwError) {
  108. SET_IF_HARD_ERROR(
  109. dwError,
  110. pQMPolicyState->gNegPolAction,
  111. bHardError
  112. );
  113. continue;
  114. }
  116. dwError = PACreateTnFilter(
  117. pIpsecNegPolData,
  118. pIpsecNFAData,
  119. *(ppFilterSpecs + i),
  120. pQMPolicyState,
  121. &pSPDTnFilter
  122. );
  123. if (dwError) {
  125. pTnFilterState->hTnFilter = NULL;
  127. pTnFilterState->pNext = gpTnFilterState;
  128. gpTnFilterState = pTnFilterState;
  130. SET_IF_HARD_ERROR(
  131. dwError,
  132. pQMPolicyState->gNegPolAction,
  133. bHardError
  134. );
  135. continue;
  137. }
  139. dwError = AddTunnelFilterInternal(
  140. pServerName,
  141. dwVersion,
  142. 0,
  143. dwSource,
  144. pSPDTnFilter,
  145. NULL,
  146. &(pTnFilterState->hTnFilter)
  147. );
  148. // Catch the driver error that can happen because of adding duplicated
  149. // expanded filters. We don't want this to be a hard error.
  150. //
  151. if (dwError == STATUS_DUPLICATE_OBJECTID
  152. || dwError == GPC_STATUS_CONFLICT)
  153. {
  154. AuditIPSecPolicyErrorEvent(
  155. SE_CATEGID_POLICY_CHANGE,
  156. SE_AUDITID_IPSEC_POLICY_CHANGED,
  157. PASTORE_ADD_QM_FILTER_FAIL,
  158. pIpsecNFAData->pszIpsecName,
  159. dwError,
  160. FALSE,
  161. TRUE
  162. );
  163. } else {
  164. SET_IF_HARD_ERROR(
  165. dwError,
  166. pQMPolicyState->gNegPolAction,
  167. bHardError
  168. );
  169. }
  171. pTnFilterState->pNext = gpTnFilterState;
  172. gpTnFilterState = pTnFilterState;
  174. PAFreeTnFilter(pSPDTnFilter);
  176. }
  178. error:
  179. *pbHardError = bHardError;
  181. return (dwError);
  182. }
  184. DWORD
  185. PACreateTnFilterState(
  186. PIPSEC_NEGPOL_DATA pIpsecNegPolData,
  187. PIPSEC_NFA_DATA pIpsecNFAData,
  188. PIPSEC_FILTER_SPEC pFilterSpec,
  189. PTNFILTERSTATE * ppTnFilterState
  190. )
  191. {
  192. DWORD dwError = 0;
  193. PTNFILTERSTATE pTnFilterState = NULL;
  196. dwError = AllocateSPDMemory(
  197. sizeof(TNFILTERSTATE),
  198. &pTnFilterState
  199. );
  200. BAIL_ON_WIN32_ERROR(dwError);
  202. memcpy(
  203. &(pTnFilterState->gFilterID),
  204. &(pFilterSpec->FilterSpecGUID),
  205. sizeof(GUID)
  206. );
  208. memcpy(
  209. &(pTnFilterState->gNFAIdentifier),
  210. &(pIpsecNFAData->NFAIdentifier),
  211. sizeof(GUID)
  212. );
  214. memcpy(
  215. &(pTnFilterState->gPolicyID),
  216. &(pIpsecNegPolData->NegPolIdentifier),
  217. sizeof(GUID)
  218. );
  220. pTnFilterState->hTnFilter = NULL;
  221. pTnFilterState->pNext = NULL;
  223. *ppTnFilterState = pTnFilterState;
  225. return (dwError);
  227. error:
  228. TRACE(
  229. TRC_ERROR,
  230. ("Pastore failed to create state node for tunnel filter %!guid!. %!winerr!",
  231. &pFilterSpec->FilterSpecGUID,
  232. dwError)
  233. );
  235. *ppTnFilterState = NULL;
  237. return (dwError);
  238. }
  241. DWORD
  242. PACreateTnFilter(
  243. PIPSEC_NEGPOL_DATA pIpsecNegPolData,
  244. PIPSEC_NFA_DATA pIpsecNFAData,
  245. PIPSEC_FILTER_SPEC pFilterSpec,
  246. PQMPOLICYSTATE pQMPolicyState,
  247. PTUNNEL_FILTER * ppSPDTnFilter
  248. )
  249. {
  250. DWORD dwError = 0;
  251. PTUNNEL_FILTER pSPDTnFilter = NULL;
  252. WCHAR pszName[512];
  255. dwError = AllocateSPDMemory(
  256. sizeof(TUNNEL_FILTER),
  257. &pSPDTnFilter
  258. );
  259. BAIL_ON_WIN32_ERROR(dwError);
  261. pSPDTnFilter->IpVersion = IPSEC_PROTOCOL_V4;
  263. memcpy(
  264. &(pSPDTnFilter->gFilterID),
  265. &(pFilterSpec->FilterSpecGUID),
  266. sizeof(GUID)
  267. );
  269. if (pFilterSpec->pszDescription && *(pFilterSpec->pszDescription)) {
  271. dwError = AllocateSPDString(
  272. pFilterSpec->pszDescription,
  273. &(pSPDTnFilter->pszFilterName)
  274. );
  275. BAIL_ON_WIN32_ERROR(dwError);
  277. }
  278. else {
  280. wsprintf(pszName, L"%d", ++gdwTnFilterCounter);
  282. dwError = AllocateSPDString(
  283. pszName,
  284. &(pSPDTnFilter->pszFilterName)
  285. );
  286. BAIL_ON_WIN32_ERROR(dwError);
  288. }
  290. PASetInterfaceType(
  291. pIpsecNFAData->dwInterfaceType,
  292. &(pSPDTnFilter->InterfaceType)
  293. );
  295. pSPDTnFilter->bCreateMirror = FALSE;
  297. pSPDTnFilter->dwFlags = 0;
  299. PASetAddress(
  300. pFilterSpec->Filter.SrcMask,
  301. pFilterSpec->Filter.SrcAddr,
  302. &(pSPDTnFilter->SrcAddr)
  303. );
  305. PASetAddress(
  306. pFilterSpec->Filter.DestMask,
  307. pFilterSpec->Filter.DestAddr,
  308. &(pSPDTnFilter->DesAddr)
  309. );
  311. if (pFilterSpec->Filter.ExType) {
  312. if (pFilterSpec->Filter.ExType & EXT_DEST) {
  313. pSPDTnFilter->DesAddr.AddrType = ExTypeToAddrType(
  314. pFilterSpec->Filter.ExType
  315. );
  316. } else {
  317. pSPDTnFilter->SrcAddr.AddrType = ExTypeToAddrType(
  318. pFilterSpec->Filter.ExType
  319. );
  320. }
  321. }
  323. PASetAddress(
  324. SUBNET_MASK_ANY,
  325. SUBNET_ADDRESS_ANY,
  326. &(pSPDTnFilter->SrcTunnelAddr)
  327. );
  329. PASetTunnelAddress(
  330. ((ULONG) pIpsecNFAData->dwTunnelIpAddr),
  331. &(pSPDTnFilter->DesTunnelAddr)
  332. );
  334. pSPDTnFilter->Protocol.ProtocolType = PROTOCOL_UNIQUE;
  335. pSPDTnFilter->Protocol.dwProtocol = pFilterSpec->Filter.Protocol;
  337. pSPDTnFilter->SrcPort.PortType = PORT_UNIQUE;
  338. pSPDTnFilter->SrcPort.wPort = pFilterSpec->Filter.SrcPort;
  340. pSPDTnFilter->DesPort.PortType = PORT_UNIQUE;
  341. pSPDTnFilter->DesPort.wPort = pFilterSpec->Filter.DestPort;
  343. SetFilterActions(
  344. pQMPolicyState,
  345. &(pSPDTnFilter->InboundFilterAction),
  346. &(pSPDTnFilter->OutboundFilterAction)
  347. );
  349. pSPDTnFilter->dwDirection = 0;
  351. pSPDTnFilter->dwWeight = 0;
  353. memcpy(
  354. &(pSPDTnFilter->gPolicyID),
  355. &(pIpsecNegPolData->NegPolIdentifier),
  356. sizeof(GUID)
  357. );
  359. *ppSPDTnFilter = pSPDTnFilter;
  361. return (dwError);
  363. error:
  364. TRACE(
  365. TRC_WARNING,
  366. ("Pastore failed to create tunnel filter %!guid!. %!winerr!",
  367. &pFilterSpec->FilterSpecGUID,
  368. dwError)
  369. );
  371. if (pSPDTnFilter) {
  372. PAFreeTnFilter(
  373. pSPDTnFilter
  374. );
  375. }
  377. *ppSPDTnFilter = NULL;
  379. return (dwError);
  380. }
  383. VOID
  384. PAFreeTnFilter(
  385. PTUNNEL_FILTER pSPDTnFilter
  386. )
  387. {
  388. if (pSPDTnFilter) {
  390. if (pSPDTnFilter->pszFilterName) {
  391. FreeSPDString(pSPDTnFilter->pszFilterName);
  392. }
  394. FreeSPDMemory(pSPDTnFilter);
  396. }
  398. return;
  399. }
  402. DWORD
  403. PADeleteAllTnFilters(
  404. )
  405. {
  406. DWORD dwError = 0;
  407. PTNFILTERSTATE pTnFilterState = NULL;
  408. PTNFILTERSTATE pTemp = NULL;
  409. PTNFILTERSTATE pLeftTnFilterState = NULL;
  411. TRACE(TRC_INFORMATION, (L"Pastore deleting all its tunnel filters"));
  413. pTnFilterState = gpTnFilterState;
  415. while (pTnFilterState) {
  417. if (pTnFilterState->hTnFilter) {
  419. dwError = DeleteTunnelFilter(
  420. pTnFilterState->hTnFilter
  421. );
  422. if (!dwError) {
  423. pTemp = pTnFilterState;
  424. pTnFilterState = pTnFilterState->pNext;
  425. FreeSPDMemory(pTemp);
  426. }
  427. else {
  428. pTemp = pTnFilterState;
  429. pTnFilterState = pTnFilterState->pNext;
  431. pTemp->pNext = pLeftTnFilterState;
  432. pLeftTnFilterState = pTemp;
  433. }
  435. }
  436. else {
  438. pTemp = pTnFilterState;
  439. pTnFilterState = pTnFilterState->pNext;
  440. FreeSPDMemory(pTemp);
  442. }
  444. }
  446. gpTnFilterState = pLeftTnFilterState;
  448. return (dwError);
  449. }
  452. VOID
  453. PAFreeTnFilterStateList(
  454. PTNFILTERSTATE pTnFilterState
  455. )
  456. {
  457. PTNFILTERSTATE pTemp = NULL;
  460. while (pTnFilterState) {
  462. pTemp = pTnFilterState;
  463. pTnFilterState = pTnFilterState->pNext;
  464. FreeSPDMemory(pTemp);
  466. }
  467. }
  470. DWORD
  471. PADeleteTnFilterSpecs(
  472. PIPSEC_NFA_DATA pIpsecNFAData
  473. )
  474. {
  475. DWORD dwError = 0;
  476. PIPSEC_NEGPOL_DATA pIpsecNegPolData = NULL;
  477. PIPSEC_FILTER_DATA pIpsecFilterData = NULL;
  478. DWORD dwNumFilterSpecs = 0;
  479. PIPSEC_FILTER_SPEC * ppFilterSpecs = NULL;
  480. DWORD i = 0;
  481. PIPSEC_FILTER_SPEC pFilterSpec = NULL;
  484. pIpsecNegPolData = pIpsecNFAData->pIpsecNegPolData;
  486. if (!memcmp(
  487. &(pIpsecNegPolData->NegPolType),
  488. &(GUID_NEGOTIATION_TYPE_DEFAULT),
  489. sizeof(GUID))) {
  490. dwError = ERROR_SUCCESS;
  491. return (dwError);
  492. }
  494. pIpsecFilterData = pIpsecNFAData->pIpsecFilterData;
  496. if (!pIpsecFilterData) {
  497. dwError = ERROR_SUCCESS;
  498. return (dwError);
  499. }
  501. dwNumFilterSpecs = pIpsecFilterData->dwNumFilterSpecs;
  502. ppFilterSpecs = pIpsecFilterData->ppFilterSpecs;
  504. for (i = 0; i < dwNumFilterSpecs; i++) {
  506. pFilterSpec = *(ppFilterSpecs + i);
  508. dwError = PADeleteTnFilter(
  509. pFilterSpec->FilterSpecGUID,
  510. pIpsecNFAData->NFAIdentifier
  511. );
  513. }
  515. return (dwError);
  516. }
  519. DWORD
  520. PADeleteTnFilter(
  521. GUID gFilterID,
  522. GUID gNFAIdentifier
  523. )
  524. {
  525. DWORD dwError = 0;
  526. PTNFILTERSTATE pTnFilterState = NULL;
  528. pTnFilterState = FindTnFilterState(
  529. gFilterID,
  530. gNFAIdentifier
  531. );
  532. if (!pTnFilterState) {
  533. dwError = ERROR_SUCCESS;
  534. return (dwError);
  535. }
  537. if (pTnFilterState->hTnFilter) {
  539. dwError = DeleteTunnelFilter(
  540. pTnFilterState->hTnFilter
  541. );
  542. BAIL_ON_WIN32_ERROR(dwError);
  544. }
  546. PADeleteTnFilterState(pTnFilterState);
  548. error:
  549. #ifdef TRACE_ON
  550. if (dwError) {
  551. TRACE(
  552. TRC_WARNING,
  553. ("Pastore failed to delete tunnel filter %!guid!. %!winerr!",
  554. &gFilterID,
  555. dwError)
  556. );
  557. }
  558. #endif
  560. return (dwError);
  561. }
  564. VOID
  565. PADeleteTnFilterState(
  566. PTNFILTERSTATE pTnFilterState
  567. )
  568. {
  569. PTNFILTERSTATE * ppTemp = NULL;
  572. ppTemp = &gpTnFilterState;
  574. while (*ppTemp) {
  576. if (*ppTemp == pTnFilterState) {
  577. break;
  578. }
  579. ppTemp = &((*ppTemp)->pNext);
  581. }
  583. if (*ppTemp) {
  584. *ppTemp = pTnFilterState->pNext;
  585. }
  587. FreeSPDMemory(pTnFilterState);
  589. return;
  590. }
  593. PTNFILTERSTATE
  594. FindTnFilterState(
  595. GUID gFilterID,
  596. GUID gNFAIdentifier
  597. )
  598. {
  599. PTNFILTERSTATE pTnFilterState = NULL;
  601. pTnFilterState = gpTnFilterState;
  603. while (pTnFilterState) {
  604. // gNFAIdentifier+gFilterID forms primary key for tunnel filter state
  605. //
  606. if (!memcmp(&(pTnFilterState->gFilterID), &gFilterID, sizeof(GUID))
  607. && !memcmp(&(pTnFilterState->gNFAIdentifier), &gNFAIdentifier, sizeof(GUID)))
  608. {
  609. return (pTnFilterState);
  610. }
  612. pTnFilterState = pTnFilterState->pNext;
  614. }
  616. return (NULL);
  617. }