Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

1514 lines
42 KiB

  1. #include "precomp.h"
  2. const DWORD PS_INTERFACE_TYPE_NONE = 0;
  3. const DWORD PS_INTERFACE_TYPE_DIALUP = -1;
  4. const DWORD PS_INTERFACE_TYPE_LAN = -2;
  5. const DWORD PS_INTERFACE_TYPE_ALL = -3;
  6. DWORD
  7. GenerateDefaultInformation(
  8. HANDLE hPolicyStore
  9. )
  10. {
  11. DWORD dwError = 0;
  12. PIPSEC_FILTER_DATA pAllFilter = NULL;
  13. PIPSEC_FILTER_DATA pAllICMPFilter = NULL;
  14. PIPSEC_NEGPOL_DATA pPermitNegPol = NULL;
  15. PIPSEC_NEGPOL_DATA pRequestSecurityNegPol = NULL;
  16. PIPSEC_NEGPOL_DATA pRequireSecurityNegPol = NULL;
  17. PIPSEC_ISAKMP_DATA pDefaultISAKMP = NULL;
  18. // {72385234-70FA-11d1-864C-14A300000000}
  19. static const GUID GUID_DEFAULT_ISAKMP=
  20. { 0x72385234, 0x70fa, 0x11d1, { 0x86, 0x4c, 0x14, 0xa3, 0x0, 0x0, 0x0, 0x0 } };
  21. dwError = CreateAllFilter(
  22. hPolicyStore,
  23. &pAllFilter
  24. );
  25. BAIL_ON_WIN32_ERROR(dwError);
  26. dwError = CreateAllICMPFilter(
  27. hPolicyStore,
  28. &pAllICMPFilter
  29. );
  30. BAIL_ON_WIN32_ERROR(dwError);
  31. dwError = CreatePermitNegPol(
  32. hPolicyStore,
  33. &pPermitNegPol
  34. );
  35. BAIL_ON_WIN32_ERROR(dwError);
  36. dwError = CreateRequestSecurityNegPol(
  37. hPolicyStore,
  38. &pRequestSecurityNegPol
  39. );
  40. BAIL_ON_WIN32_ERROR(dwError);
  41. dwError = CreateRequireSecurityNegPol(
  42. hPolicyStore,
  43. &pRequireSecurityNegPol
  44. );
  45. BAIL_ON_WIN32_ERROR(dwError);
  46. dwError = CreateClientPolicy(
  47. hPolicyStore
  48. );
  49. BAIL_ON_WIN32_ERROR(dwError);
  50. dwError = CreateRequestSecurityPolicy(
  51. hPolicyStore,
  52. pAllFilter,
  53. pAllICMPFilter,
  54. pPermitNegPol,
  55. pRequestSecurityNegPol
  56. );
  57. BAIL_ON_WIN32_ERROR(dwError);
  58. dwError = CreateRequireSecurityPolicy(
  59. hPolicyStore,
  60. pAllFilter,
  61. pAllICMPFilter,
  62. pPermitNegPol,
  63. pRequireSecurityNegPol
  64. );
  65. BAIL_ON_WIN32_ERROR(dwError);
  66. dwError = CreateISAKMP(
  67. hPolicyStore,
  68. GUID_DEFAULT_ISAKMP,
  69. &pDefaultISAKMP
  70. );
  71. BAIL_ON_WIN32_ERROR(dwError);
  72. error:
  73. if (pAllFilter) {
  74. FreeIpsecFilterData(pAllFilter);
  75. }
  76. if (pAllICMPFilter) {
  77. FreeIpsecFilterData(pAllICMPFilter);
  78. }
  79. if (pPermitNegPol) {
  80. FreeIpsecNegPolData(pPermitNegPol);
  81. }
  82. if (pRequestSecurityNegPol) {
  83. FreeIpsecNegPolData(pRequestSecurityNegPol);
  84. }
  85. if (pRequireSecurityNegPol) {
  86. FreeIpsecNegPolData(pRequireSecurityNegPol);
  87. }
  88. if (pDefaultISAKMP) {
  89. FreeIpsecISAKMPData(pDefaultISAKMP);
  90. }
  91. return(dwError);
  92. }
  93. DWORD
  94. CreateAllFilter(
  95. HANDLE hPolicyStore,
  96. PIPSEC_FILTER_DATA * ppAllFilter
  97. )
  98. {
  99. DWORD dwError = 0;
  100. PIPSEC_FILTER_DATA pAllFilter = NULL;
  101. DWORD dwNumFilterSpecs = 0;
  102. PIPSEC_FILTER_SPEC * ppFilterSpecs = NULL;
  103. PIPSEC_FILTER_SPEC pFilterSpec = NULL;
  104. // {7238523a-70FA-11d1-864C-14A300000000}
  105. static const GUID GUID_ALL_FILTER=
  106. { 0x7238523a, 0x70fa, 0x11d1, { 0x86, 0x4c, 0x14, 0xa3, 0x0, 0x0, 0x0, 0x0 } };
  107. pAllFilter = (PIPSEC_FILTER_DATA) AllocPolMem(
  108. sizeof(IPSEC_FILTER_DATA)
  109. );
  110. if (!pAllFilter) {
  111. dwError = ERROR_OUTOFMEMORY;
  112. BAIL_ON_WIN32_ERROR(dwError);
  113. }
  114. memcpy(
  115. &(pAllFilter->FilterIdentifier),
  116. &(GUID_ALL_FILTER),
  117. sizeof(GUID)
  118. );
  119. pAllFilter->dwWhenChanged = 0;
  120. dwError = MapAndAllocPolStr(&(pAllFilter->pszIpsecName),
  121. POLSTORE_ALL_FILTER_NAME
  122. );
  123. BAIL_ON_WIN32_ERROR(dwError);
  124. dwError = MapAndAllocPolStr(&(pAllFilter->pszDescription),
  125. POLSTORE_ALL_FILTER_DESCRIPTION
  126. );
  127. BAIL_ON_WIN32_ERROR(dwError);
  128. dwNumFilterSpecs = 1;
  129. ppFilterSpecs = (PIPSEC_FILTER_SPEC *) AllocPolMem(
  130. sizeof(PIPSEC_FILTER_SPEC)*dwNumFilterSpecs
  131. );
  132. if (!ppFilterSpecs) {
  133. dwError = ERROR_OUTOFMEMORY;
  134. BAIL_ON_WIN32_ERROR(dwError);
  135. }
  136. pAllFilter->dwNumFilterSpecs = dwNumFilterSpecs;
  137. pAllFilter->ppFilterSpecs = ppFilterSpecs;
  138. pFilterSpec = (PIPSEC_FILTER_SPEC) AllocPolMem(
  139. sizeof(IPSEC_FILTER_SPEC)
  140. );
  141. if (!pFilterSpec) {
  142. dwError = ERROR_OUTOFMEMORY;
  143. BAIL_ON_WIN32_ERROR(dwError);
  144. }
  145. *(ppFilterSpecs + 0) = pFilterSpec;
  146. pFilterSpec->pszSrcDNSName = NULL;
  147. pFilterSpec->pszDestDNSName = NULL;
  148. pFilterSpec->pszDescription = NULL;
  149. dwError = UuidCreate(
  150. &pFilterSpec->FilterSpecGUID
  151. );
  152. BAIL_ON_WIN32_ERROR(dwError);
  153. pFilterSpec->dwMirrorFlag = 1;
  154. pFilterSpec->Filter.SrcAddr = 0;
  155. pFilterSpec->Filter.SrcMask = -1;
  156. pFilterSpec->Filter.DestAddr = 0;
  157. pFilterSpec->Filter.DestMask = 0;
  158. pFilterSpec->Filter.TunnelAddr = 0;
  159. pFilterSpec->Filter.Protocol = 0;
  160. pFilterSpec->Filter.SrcPort = 0;
  161. pFilterSpec->Filter.DestPort = 0;
  162. pFilterSpec->Filter.TunnelFilter = 0;
  163. pFilterSpec->Filter.Flags = 0;
  164. dwError = IPSecCreateFilterData(
  165. hPolicyStore,
  166. pAllFilter
  167. );
  168. BAIL_ON_WIN32_ERROR(dwError);
  169. *ppAllFilter = pAllFilter;
  170. return (dwError);
  171. error:
  172. if (pAllFilter) {
  173. FreeIpsecFilterData(pAllFilter);
  174. }
  175. *ppAllFilter = NULL;
  176. return (dwError);
  177. }
  178. DWORD
  179. CreateAllICMPFilter(
  180. HANDLE hPolicyStore,
  181. PIPSEC_FILTER_DATA * ppAllICMPFilter
  182. )
  183. {
  184. DWORD dwError = 0;
  185. PIPSEC_FILTER_DATA pAllICMPFilter = NULL;
  186. DWORD dwNumFilterSpecs = 0;
  187. PIPSEC_FILTER_SPEC * ppFilterSpecs = NULL;
  188. PIPSEC_FILTER_SPEC pFilterSpec = NULL;
  189. // {72385235-70FA-11d1-864C-14A300000000}
  190. static const GUID GUID_ALL_ICMP_FILTER =
  191. { 0x72385235, 0x70fa, 0x11d1, { 0x86, 0x4c, 0x14, 0xa3, 0x0, 0x0, 0x0, 0x0 } };
  192. pAllICMPFilter = (PIPSEC_FILTER_DATA) AllocPolMem(
  193. sizeof(IPSEC_FILTER_DATA)
  194. );
  195. if (!pAllICMPFilter) {
  196. dwError = ERROR_OUTOFMEMORY;
  197. BAIL_ON_WIN32_ERROR(dwError);
  198. }
  199. memcpy(
  200. &(pAllICMPFilter->FilterIdentifier),
  201. &(GUID_ALL_ICMP_FILTER),
  202. sizeof(GUID)
  203. );
  204. pAllICMPFilter->dwWhenChanged = 0;
  205. dwError = MapAndAllocPolStr(&(pAllICMPFilter->pszIpsecName),
  206. POLSTORE_ALL_ICMP_FILTER_NAME
  207. );
  208. BAIL_ON_WIN32_ERROR(dwError);
  209. dwError = MapAndAllocPolStr(&(pAllICMPFilter->pszDescription),
  210. POLSTORE_ALL_ICMP_FILTER_DESCRIPTION
  211. );
  212. BAIL_ON_WIN32_ERROR(dwError);
  213. dwNumFilterSpecs = 1;
  214. ppFilterSpecs = (PIPSEC_FILTER_SPEC *) AllocPolMem(
  215. sizeof(PIPSEC_FILTER_SPEC)*dwNumFilterSpecs
  216. );
  217. if (!ppFilterSpecs) {
  218. dwError = ERROR_OUTOFMEMORY;
  219. BAIL_ON_WIN32_ERROR(dwError);
  220. }
  221. pAllICMPFilter->dwNumFilterSpecs = dwNumFilterSpecs;
  222. pAllICMPFilter->ppFilterSpecs = ppFilterSpecs;
  223. pFilterSpec = (PIPSEC_FILTER_SPEC) AllocPolMem(
  224. sizeof(IPSEC_FILTER_SPEC)
  225. );
  226. if (!pFilterSpec) {
  227. dwError = ERROR_OUTOFMEMORY;
  228. BAIL_ON_WIN32_ERROR(dwError);
  229. }
  230. *(ppFilterSpecs + 0) = pFilterSpec;
  231. pFilterSpec->pszSrcDNSName = NULL;
  232. pFilterSpec->pszDestDNSName = NULL;
  233. dwError = MapAndAllocPolStr(&(pFilterSpec->pszDescription),
  234. POLSTORE_ICMPFILTER_SPEC_DESCRIPTION
  235. );
  236. BAIL_ON_WIN32_ERROR(dwError);
  237. dwError = UuidCreate(
  238. &pFilterSpec->FilterSpecGUID
  239. );
  240. BAIL_ON_WIN32_ERROR(dwError);
  241. pFilterSpec->dwMirrorFlag = 1;
  242. pFilterSpec->Filter.SrcAddr = 0;
  243. pFilterSpec->Filter.SrcMask = -1;
  244. pFilterSpec->Filter.DestAddr = 0;
  245. pFilterSpec->Filter.DestMask = 0;
  246. pFilterSpec->Filter.TunnelAddr = 0;
  247. pFilterSpec->Filter.Protocol = 1;
  248. pFilterSpec->Filter.SrcPort = 0;
  249. pFilterSpec->Filter.DestPort = 0;
  250. pFilterSpec->Filter.TunnelFilter = 0;
  251. pFilterSpec->Filter.Flags = 0;
  252. dwError = IPSecCreateFilterData(
  253. hPolicyStore,
  254. pAllICMPFilter
  255. );
  256. BAIL_ON_WIN32_ERROR(dwError);
  257. *ppAllICMPFilter = pAllICMPFilter;
  258. return (dwError);
  259. error:
  260. if (pAllICMPFilter) {
  261. FreeIpsecFilterData(pAllICMPFilter);
  262. }
  263. *ppAllICMPFilter = NULL;
  264. return (dwError);
  265. }
  266. DWORD
  267. CreatePermitNegPol(
  268. HANDLE hPolicyStore,
  269. PIPSEC_NEGPOL_DATA * ppPermitNegPol
  270. )
  271. {
  272. DWORD dwError = 0;
  273. PIPSEC_NEGPOL_DATA pPermitNegPol = NULL;
  274. static const GUID GUID_PERMIT_NEGPOL =
  275. { 0x7238523b, 0x70fa, 0x11d1, { 0x86, 0x4c, 0x14, 0xa3, 0x0, 0x0, 0x0, 0x0 } };
  276. pPermitNegPol = (PIPSEC_NEGPOL_DATA) AllocPolMem(
  277. sizeof(IPSEC_NEGPOL_DATA)
  278. );
  279. if (!pPermitNegPol) {
  280. dwError = ERROR_OUTOFMEMORY;
  281. BAIL_ON_WIN32_ERROR(dwError);
  282. }
  283. memcpy(
  284. &(pPermitNegPol->NegPolIdentifier),
  285. &(GUID_PERMIT_NEGPOL),
  286. sizeof(GUID)
  287. );
  288. memcpy(
  289. &(pPermitNegPol->NegPolAction),
  290. &(GUID_NEGOTIATION_ACTION_NO_IPSEC),
  291. sizeof(GUID)
  292. );
  293. memcpy(
  294. &(pPermitNegPol->NegPolType),
  295. &(GUID_NEGOTIATION_TYPE_STANDARD),
  296. sizeof(GUID)
  297. );
  298. pPermitNegPol->dwSecurityMethodCount = 0;
  299. pPermitNegPol->pIpsecSecurityMethods = NULL;
  300. pPermitNegPol->dwWhenChanged = 0;
  301. dwError = MapAndAllocPolStr(&(pPermitNegPol->pszIpsecName),
  302. POLSTORE_PERMIT_NEG_POL_NAME
  303. );
  304. BAIL_ON_WIN32_ERROR(dwError);
  305. dwError = MapAndAllocPolStr(&(pPermitNegPol->pszDescription),
  306. POLSTORE_PERMIT_NEG_POL_DESCRIPTION
  307. );
  308. BAIL_ON_WIN32_ERROR(dwError);
  309. dwError = IPSecCreateNegPolData(
  310. hPolicyStore,
  311. pPermitNegPol
  312. );
  313. BAIL_ON_WIN32_ERROR(dwError);
  314. *ppPermitNegPol = pPermitNegPol;
  315. return (dwError);
  316. error:
  317. if (pPermitNegPol) {
  318. FreeIpsecNegPolData(pPermitNegPol);
  319. }
  320. *ppPermitNegPol = NULL;
  321. return (dwError);
  322. }
  323. DWORD
  324. CreateRequestSecurityNegPol(
  325. HANDLE hPolicyStore,
  326. PIPSEC_NEGPOL_DATA * ppRequestSecurityNegPol
  327. )
  328. {
  329. DWORD dwError = 0;
  330. PIPSEC_NEGPOL_DATA pRequestSecurityNegPol = NULL;
  331. DWORD dwSecurityMethodCount = 0;
  332. PIPSEC_SECURITY_METHOD pIpsecSecurityMethods = NULL;
  333. PIPSEC_SECURITY_METHOD pMethod = NULL;
  334. // {72385233-70FA-11d1-864C-14A300000000}
  335. static const GUID GUID_SECURE_INITIATOR_NEGPOL =
  336. { 0x72385233, 0x70fa, 0x11d1, { 0x86, 0x4c, 0x14, 0xa3, 0x0, 0x0, 0x0, 0x0 } };
  337. pRequestSecurityNegPol = (PIPSEC_NEGPOL_DATA) AllocPolMem(
  338. sizeof(IPSEC_NEGPOL_DATA)
  339. );
  340. if (!pRequestSecurityNegPol) {
  341. dwError = ERROR_OUTOFMEMORY;
  342. BAIL_ON_WIN32_ERROR(dwError);
  343. }
  344. memcpy(
  345. &(pRequestSecurityNegPol->NegPolIdentifier),
  346. &(GUID_SECURE_INITIATOR_NEGPOL),
  347. sizeof(GUID)
  348. );
  349. memcpy(
  350. &(pRequestSecurityNegPol->NegPolAction),
  351. &(GUID_NEGOTIATION_ACTION_INBOUND_PASSTHRU),
  352. sizeof(GUID)
  353. );
  354. memcpy(
  355. &(pRequestSecurityNegPol->NegPolType),
  356. &(GUID_NEGOTIATION_TYPE_STANDARD),
  357. sizeof(GUID)
  358. );
  359. dwSecurityMethodCount = 5;
  360. pIpsecSecurityMethods = (PIPSEC_SECURITY_METHOD) AllocPolMem(
  361. sizeof(IPSEC_SECURITY_METHOD)*dwSecurityMethodCount
  362. );
  363. if (!pIpsecSecurityMethods) {
  364. dwError = ERROR_OUTOFMEMORY;
  365. BAIL_ON_WIN32_ERROR(dwError);
  366. }
  367. pMethod = pIpsecSecurityMethods;
  368. pMethod->Lifetime.KeyExpirationTime = 900;
  369. pMethod->Lifetime.KeyExpirationBytes = 100000;
  370. pMethod->Flags = 0;
  371. pMethod->PfsQMRequired = FALSE;
  372. pMethod->Count = 1;
  373. pMethod->Algos[0].operation = Encrypt;
  374. pMethod->Algos[0].algoIdentifier = IPSEC_ESP_3_DES;
  375. pMethod->Algos[0].secondaryAlgoIdentifier = IPSEC_AH_SHA;
  376. pMethod ++;
  377. pMethod->Lifetime.KeyExpirationTime = 900;
  378. pMethod->Lifetime.KeyExpirationBytes = 100000;
  379. pMethod->Flags = 0;
  380. pMethod->PfsQMRequired = FALSE;
  381. pMethod->Count = 1;
  382. pMethod->Algos[0].operation = Encrypt;
  383. pMethod->Algos[0].algoIdentifier = IPSEC_ESP_DES;
  384. pMethod->Algos[0].secondaryAlgoIdentifier = IPSEC_AH_SHA;
  385. pMethod ++;
  386. pMethod->Lifetime.KeyExpirationTime = 300;
  387. pMethod->Lifetime.KeyExpirationBytes = 100000;
  388. pMethod->Flags = 0;
  389. pMethod->PfsQMRequired = FALSE;
  390. pMethod->Count = 1;
  391. pMethod->Algos[0].operation = Auth;
  392. pMethod->Algos[0].algoIdentifier = IPSEC_AH_SHA;
  393. pMethod->Algos[0].secondaryAlgoIdentifier = 0;;
  394. pMethod ++;
  395. pMethod->Lifetime.KeyExpirationTime = 300;
  396. pMethod->Lifetime.KeyExpirationBytes = 100000;
  397. pMethod->Flags = 0;
  398. pMethod->PfsQMRequired = FALSE;
  399. pMethod->Count = 1;
  400. pMethod->Algos[0].operation = Auth;
  401. pMethod->Algos[0].algoIdentifier = IPSEC_AH_MD5;
  402. pMethod->Algos[0].secondaryAlgoIdentifier = 0;
  403. pMethod ++;
  404. pMethod->Lifetime.KeyExpirationTime = 0;
  405. pMethod->Lifetime.KeyExpirationBytes = 0;
  406. pMethod->Flags = 0;
  407. pMethod->PfsQMRequired = FALSE;
  408. pMethod->Count = 0;
  409. pRequestSecurityNegPol->dwSecurityMethodCount = dwSecurityMethodCount;
  410. pRequestSecurityNegPol->pIpsecSecurityMethods = pIpsecSecurityMethods;
  411. pRequestSecurityNegPol->dwWhenChanged = 0;
  412. dwError = MapAndAllocPolStr(&(pRequestSecurityNegPol->pszIpsecName),
  413. POLSTORE_REQUEST_SECURITY_NEG_POL_NAME
  414. );
  415. BAIL_ON_WIN32_ERROR(dwError);
  416. dwError = MapAndAllocPolStr(&(pRequestSecurityNegPol->pszDescription),
  417. POLSTORE_REQUEST_SECURITY_NEG_POL_DESCRIPTION
  418. );
  419. BAIL_ON_WIN32_ERROR(dwError);
  420. dwError = IPSecCreateNegPolData(
  421. hPolicyStore,
  422. pRequestSecurityNegPol
  423. );
  424. BAIL_ON_WIN32_ERROR(dwError);
  425. *ppRequestSecurityNegPol = pRequestSecurityNegPol;
  426. return (dwError);
  427. error:
  428. if (pRequestSecurityNegPol) {
  429. FreeIpsecNegPolData(pRequestSecurityNegPol);
  430. }
  431. *ppRequestSecurityNegPol = NULL;
  432. return (dwError);
  433. }
  434. DWORD
  435. CreateRequireSecurityNegPol(
  436. HANDLE hPolicyStore,
  437. PIPSEC_NEGPOL_DATA * ppRequireSecurityNegPol
  438. )
  439. {
  440. DWORD dwError = 0;
  441. PIPSEC_NEGPOL_DATA pRequireSecurityNegPol = NULL;
  442. DWORD dwSecurityMethodCount = 0;
  443. PIPSEC_SECURITY_METHOD pIpsecSecurityMethods = NULL;
  444. PIPSEC_SECURITY_METHOD pMethod = NULL;
  445. // {7238523f-70FA-11d1-864C-14A300000000}
  446. static const GUID GUID_LOCKDOWN_NEGPOL =
  447. { 0x7238523f, 0x70fa, 0x11d1, { 0x86, 0x4c, 0x14, 0xa3, 0x0, 0x0, 0x0, 0x0 } };
  448. pRequireSecurityNegPol = (PIPSEC_NEGPOL_DATA) AllocPolMem(
  449. sizeof(IPSEC_NEGPOL_DATA)
  450. );
  451. if (!pRequireSecurityNegPol) {
  452. dwError = ERROR_OUTOFMEMORY;
  453. BAIL_ON_WIN32_ERROR(dwError);
  454. }
  455. memcpy(
  456. &(pRequireSecurityNegPol->NegPolIdentifier),
  457. &(GUID_LOCKDOWN_NEGPOL),
  458. sizeof(GUID)
  459. );
  460. memcpy(
  461. &(pRequireSecurityNegPol->NegPolAction),
  462. &(GUID_NEGOTIATION_ACTION_INBOUND_PASSTHRU),
  463. sizeof(GUID)
  464. );
  465. memcpy(
  466. &(pRequireSecurityNegPol->NegPolType),
  467. &(GUID_NEGOTIATION_TYPE_STANDARD),
  468. sizeof(GUID)
  469. );
  470. dwSecurityMethodCount = 4;
  471. pIpsecSecurityMethods = (PIPSEC_SECURITY_METHOD) AllocPolMem(
  472. sizeof(IPSEC_SECURITY_METHOD)*dwSecurityMethodCount
  473. );
  474. if (!pIpsecSecurityMethods) {
  475. dwError = ERROR_OUTOFMEMORY;
  476. BAIL_ON_WIN32_ERROR(dwError);
  477. }
  478. pMethod = pIpsecSecurityMethods;
  479. pMethod->Lifetime.KeyExpirationTime = 900;
  480. pMethod->Lifetime.KeyExpirationBytes = 100000;
  481. pMethod->Flags = 0;
  482. pMethod->PfsQMRequired = FALSE;
  483. pMethod->Count = 1;
  484. pMethod->Algos[0].operation = Encrypt;
  485. pMethod->Algos[0].algoIdentifier = IPSEC_ESP_3_DES;
  486. pMethod->Algos[0].secondaryAlgoIdentifier = IPSEC_AH_SHA;
  487. pMethod ++;
  488. pMethod->Lifetime.KeyExpirationTime = 900;
  489. pMethod->Lifetime.KeyExpirationBytes = 100000;
  490. pMethod->Flags = 0;
  491. pMethod->PfsQMRequired = FALSE;
  492. pMethod->Count = 1;
  493. pMethod->Algos[0].operation = Encrypt;
  494. pMethod->Algos[0].algoIdentifier = IPSEC_ESP_3_DES;
  495. pMethod->Algos[0].secondaryAlgoIdentifier = IPSEC_AH_MD5;
  496. pMethod ++;
  497. pMethod->Lifetime.KeyExpirationTime = 900;
  498. pMethod->Lifetime.KeyExpirationBytes = 100000;
  499. pMethod->Flags = 0;
  500. pMethod->PfsQMRequired = FALSE;
  501. pMethod->Count = 1;
  502. pMethod->Algos[0].operation = Encrypt;
  503. pMethod->Algos[0].algoIdentifier = IPSEC_ESP_DES;
  504. pMethod->Algos[0].secondaryAlgoIdentifier = IPSEC_AH_SHA;
  505. pMethod ++;
  506. pMethod->Lifetime.KeyExpirationTime = 900;
  507. pMethod->Lifetime.KeyExpirationBytes = 100000;
  508. pMethod->Flags = 0;
  509. pMethod->PfsQMRequired = FALSE;
  510. pMethod->Count = 1;
  511. pMethod->Algos[0].operation = Encrypt;
  512. pMethod->Algos[0].algoIdentifier = IPSEC_ESP_DES;
  513. pMethod->Algos[0].secondaryAlgoIdentifier = IPSEC_AH_MD5;
  514. pRequireSecurityNegPol->dwSecurityMethodCount = dwSecurityMethodCount;
  515. pRequireSecurityNegPol->pIpsecSecurityMethods = pIpsecSecurityMethods;
  516. pRequireSecurityNegPol->dwWhenChanged = 0;
  517. dwError = MapAndAllocPolStr(&(pRequireSecurityNegPol->pszIpsecName),
  518. POLSTORE_REQUIRE_SECURITY_NEG_POL_NAME
  519. );
  520. BAIL_ON_WIN32_ERROR(dwError);
  521. dwError = MapAndAllocPolStr(&(pRequireSecurityNegPol->pszDescription),
  522. POLSTORE_REQUIRE_SECURITY_NEG_POL_DESCRIPTION
  523. );
  524. BAIL_ON_WIN32_ERROR(dwError);
  525. dwError = IPSecCreateNegPolData(
  526. hPolicyStore,
  527. pRequireSecurityNegPol
  528. );
  529. BAIL_ON_WIN32_ERROR(dwError);
  530. *ppRequireSecurityNegPol = pRequireSecurityNegPol;
  531. return (dwError);
  532. error:
  533. if (pRequireSecurityNegPol) {
  534. FreeIpsecNegPolData(pRequireSecurityNegPol);
  535. }
  536. *ppRequireSecurityNegPol = NULL;
  537. return (dwError);
  538. }
  539. DWORD
  540. CreateClientPolicy(
  541. HANDLE hPolicyStore
  542. )
  543. {
  544. DWORD dwError = 0;
  545. PIPSEC_ISAKMP_DATA pClientISAKMP = NULL;
  546. PIPSEC_POLICY_DATA pIpsecPolicyData = NULL;
  547. PIPSEC_NEGPOL_DATA pDefaultNegPol = NULL;
  548. GUID NFAIdentifier;
  549. GUID FilterIdentifier;
  550. LPWSTR pszNFAName = NULL;
  551. LPWSTR pszNFADescription = NULL;
  552. // {72385237-70FA-11d1-864C-14A300000000}
  553. static const GUID GUID_RESPONDER_ISAKMP =
  554. { 0x72385237, 0x70fa, 0x11d1, { 0x86, 0x4c, 0x14, 0xa3, 0x0, 0x0, 0x0, 0x0 } };
  555. // {72385236-70FA-11d1-864C-14A300000000}
  556. static const GUID GUID_RESPONDER_POLICY =
  557. { 0x72385236, 0x70fa, 0x11d1, { 0x86, 0x4c, 0x14, 0xa3, 0x0, 0x0, 0x0, 0x0 } };
  558. dwError = CreateISAKMP(
  559. hPolicyStore,
  560. GUID_RESPONDER_ISAKMP,
  561. &pClientISAKMP
  562. );
  563. BAIL_ON_WIN32_ERROR(dwError);
  564. pIpsecPolicyData = (PIPSEC_POLICY_DATA) AllocPolMem(
  565. sizeof(IPSEC_POLICY_DATA)
  566. );
  567. if (!pIpsecPolicyData) {
  568. dwError = ERROR_OUTOFMEMORY;
  569. BAIL_ON_WIN32_ERROR(dwError);
  570. }
  571. memcpy(
  572. &(pIpsecPolicyData->PolicyIdentifier),
  573. &GUID_RESPONDER_POLICY,
  574. sizeof(GUID)
  575. );
  576. pIpsecPolicyData->dwPollingInterval = 10800;
  577. pIpsecPolicyData->pIpsecISAKMPData = NULL;
  578. pIpsecPolicyData->ppIpsecNFAData = NULL;
  579. pIpsecPolicyData->dwNumNFACount = 0;
  580. pIpsecPolicyData->dwWhenChanged = 0;
  581. dwError = MapAndAllocPolStr(&(pIpsecPolicyData->pszIpsecName),
  582. POLSTORE_CLIENT_POLICY_NAME
  583. );
  584. BAIL_ON_WIN32_ERROR(dwError);
  585. dwError = MapAndAllocPolStr(&(pIpsecPolicyData->pszDescription),
  586. POLSTORE_CLIENT_POLICY_DESCRIPTION
  587. );
  588. BAIL_ON_WIN32_ERROR(dwError);
  589. memcpy(
  590. &(pIpsecPolicyData->ISAKMPIdentifier),
  591. &(pClientISAKMP->ISAKMPIdentifier),
  592. sizeof(GUID)
  593. );
  594. dwError = IPSecCreatePolicyData(
  595. hPolicyStore,
  596. pIpsecPolicyData
  597. );
  598. BAIL_ON_WIN32_ERROR(dwError);
  599. dwError = CreateDefaultNegPol(
  600. hPolicyStore,
  601. &pDefaultNegPol
  602. );
  603. BAIL_ON_WIN32_ERROR(dwError);
  604. dwError = UuidCreate(
  605. &NFAIdentifier
  606. );
  607. BAIL_ON_WIN32_ERROR(dwError);
  608. memset(&FilterIdentifier, 0, sizeof(GUID));
  609. dwError = CreateNFA(
  610. hPolicyStore,
  611. NFAIdentifier,
  612. GUID_RESPONDER_POLICY,
  613. FilterIdentifier,
  614. pDefaultNegPol->NegPolIdentifier,
  615. pszNFAName,
  616. pszNFADescription
  617. );
  618. BAIL_ON_WIN32_ERROR(dwError);
  619. error:
  620. if (pIpsecPolicyData) {
  621. FreeIpsecPolicyData(pIpsecPolicyData);
  622. }
  623. if (pClientISAKMP) {
  624. FreeIpsecISAKMPData(pClientISAKMP);
  625. }
  626. if (pDefaultNegPol) {
  627. FreeIpsecNegPolData(pDefaultNegPol);
  628. }
  629. return (dwError);
  630. }
  631. DWORD
  632. CreateRequestSecurityPolicy(
  633. HANDLE hPolicyStore,
  634. PIPSEC_FILTER_DATA pAllFilter,
  635. PIPSEC_FILTER_DATA pAllICMPFilter,
  636. PIPSEC_NEGPOL_DATA pPermitNegPol,
  637. PIPSEC_NEGPOL_DATA pRequestSecurityNegPol
  638. )
  639. {
  640. DWORD dwError = 0;
  641. PIPSEC_ISAKMP_DATA pRequestSecurityISAKMP = NULL;
  642. PIPSEC_POLICY_DATA pIpsecPolicyData = NULL;
  643. PIPSEC_NEGPOL_DATA pDefaultNegPol = NULL;
  644. GUID NFAIdentifier;
  645. GUID FilterIdentifier;
  646. LPWSTR pszNFAName = NULL;
  647. LPWSTR pszNFADescription = NULL;
  648. // {72385231-70FA-11d1-864C-14A300000000}
  649. static const GUID GUID_SECURE_INITIATOR_ISAKMP =
  650. { 0x72385231, 0x70fa, 0x11d1, { 0x86, 0x4c, 0x14, 0xa3, 0x0, 0x0, 0x0, 0x0 } };
  651. // {72385230-70FA-11d1-864C-14A300000000}
  652. static const GUID GUID_SECURE_INITIATOR_POLICY =
  653. { 0x72385230, 0x70fa, 0x11d1, { 0x86, 0x4c, 0x14, 0xa3, 0x0, 0x0, 0x0, 0x0 } };
  654. dwError = CreateISAKMP(
  655. hPolicyStore,
  656. GUID_SECURE_INITIATOR_ISAKMP,
  657. &pRequestSecurityISAKMP
  658. );
  659. BAIL_ON_WIN32_ERROR(dwError);
  660. pIpsecPolicyData = (PIPSEC_POLICY_DATA) AllocPolMem(
  661. sizeof(IPSEC_POLICY_DATA)
  662. );
  663. if (!pIpsecPolicyData) {
  664. dwError = ERROR_OUTOFMEMORY;
  665. BAIL_ON_WIN32_ERROR(dwError);
  666. }
  667. memcpy(
  668. &(pIpsecPolicyData->PolicyIdentifier),
  669. &GUID_SECURE_INITIATOR_POLICY,
  670. sizeof(GUID)
  671. );
  672. pIpsecPolicyData->dwPollingInterval = 10800;
  673. pIpsecPolicyData->pIpsecISAKMPData = NULL;
  674. pIpsecPolicyData->ppIpsecNFAData = NULL;
  675. pIpsecPolicyData->dwNumNFACount = 0;
  676. pIpsecPolicyData->dwWhenChanged = 0;
  677. dwError = MapAndAllocPolStr(&(pIpsecPolicyData->pszIpsecName),
  678. POLSTORE_SECURE_INITIATOR_POLICY_NAME
  679. );
  680. BAIL_ON_WIN32_ERROR(dwError);
  681. dwError = MapAndAllocPolStr(&(pIpsecPolicyData->pszDescription),
  682. POLSTORE_SECURE_INITIATOR_POLICY_DESCRIPTION
  683. );
  684. BAIL_ON_WIN32_ERROR(dwError);
  685. memcpy(
  686. &(pIpsecPolicyData->ISAKMPIdentifier),
  687. &(pRequestSecurityISAKMP->ISAKMPIdentifier),
  688. sizeof(GUID)
  689. );
  690. dwError = IPSecCreatePolicyData(
  691. hPolicyStore,
  692. pIpsecPolicyData
  693. );
  694. BAIL_ON_WIN32_ERROR(dwError);
  695. dwError = CreateDefaultNegPol(
  696. hPolicyStore,
  697. &pDefaultNegPol
  698. );
  699. BAIL_ON_WIN32_ERROR(dwError);
  700. dwError = UuidCreate(
  701. &NFAIdentifier
  702. );
  703. BAIL_ON_WIN32_ERROR(dwError);
  704. memset(&FilterIdentifier, 0, sizeof(GUID));
  705. dwError = CreateNFA(
  706. hPolicyStore,
  707. NFAIdentifier,
  708. GUID_SECURE_INITIATOR_POLICY,
  709. FilterIdentifier,
  710. pDefaultNegPol->NegPolIdentifier,
  711. pszNFAName,
  712. pszNFADescription
  713. );
  714. BAIL_ON_WIN32_ERROR(dwError);
  715. dwError = UuidCreate(
  716. &NFAIdentifier
  717. );
  718. BAIL_ON_WIN32_ERROR(dwError);
  719. //
  720. // Create the ICMP Rule.
  721. //
  722. dwError = MapIdAndCreateNFA(
  723. hPolicyStore,
  724. NFAIdentifier,
  725. GUID_SECURE_INITIATOR_POLICY,
  726. pAllICMPFilter->FilterIdentifier,
  727. pPermitNegPol->NegPolIdentifier,
  728. POLSTORE_ICMP_NFA_NAME,
  729. POLSTORE_ICMP_NFA_DESCRIPTION
  730. );
  731. BAIL_ON_WIN32_ERROR(dwError);
  732. dwError = UuidCreate(
  733. &NFAIdentifier
  734. );
  735. BAIL_ON_WIN32_ERROR(dwError);
  736. //
  737. // Create the Secure Initiator Rule.
  738. //
  739. dwError = MapIdAndCreateNFA(
  740. hPolicyStore,
  741. NFAIdentifier,
  742. GUID_SECURE_INITIATOR_POLICY,
  743. pAllFilter->FilterIdentifier,
  744. pRequestSecurityNegPol->NegPolIdentifier,
  745. POLSTORE_SECURE_INITIATOR_NFA_NAME,
  746. POLSTORE_SECURE_INITIATOR_NFA_DESCRIPTION
  747. );
  748. BAIL_ON_WIN32_ERROR(dwError);
  749. error:
  750. if (pIpsecPolicyData) {
  751. FreeIpsecPolicyData(pIpsecPolicyData);
  752. }
  753. if (pRequestSecurityISAKMP) {
  754. FreeIpsecISAKMPData(pRequestSecurityISAKMP);
  755. }
  756. if (pDefaultNegPol) {
  757. FreeIpsecNegPolData(pDefaultNegPol);
  758. }
  759. return (dwError);
  760. }
  761. DWORD
  762. CreateRequireSecurityPolicy(
  763. HANDLE hPolicyStore,
  764. PIPSEC_FILTER_DATA pAllFilter,
  765. PIPSEC_FILTER_DATA pAllICMPFilter,
  766. PIPSEC_NEGPOL_DATA pPermitNegPol,
  767. PIPSEC_NEGPOL_DATA pRequireSecurityNegPol
  768. )
  769. {
  770. DWORD dwError = 0;
  771. PIPSEC_ISAKMP_DATA pRequireSecurityISAKMP = NULL;
  772. PIPSEC_POLICY_DATA pIpsecPolicyData = NULL;
  773. PIPSEC_NEGPOL_DATA pDefaultNegPol = NULL;
  774. GUID NFAIdentifier;
  775. GUID FilterIdentifier;
  776. LPWSTR pszNFAName = NULL;
  777. LPWSTR pszNFADescription = NULL;
  778. // {7238523d-70FA-11d1-864C-14A300000000}
  779. static const GUID GUID_LOCKDOWN_ISAKMP =
  780. { 0x7238523d, 0x70fa, 0x11d1, { 0x86, 0x4c, 0x14, 0xa3, 0x0, 0x0, 0x0, 0x0 } };
  781. // {7238523c-70FA-11d1-864C-14A300000000}
  782. static const GUID GUID_LOCKDOWN_POLICY =
  783. { 0x7238523c, 0x70fa, 0x11d1, { 0x86, 0x4c, 0x14, 0xa3, 0x0, 0x0, 0x0, 0x0 } };
  784. dwError = CreateISAKMP(
  785. hPolicyStore,
  786. GUID_LOCKDOWN_ISAKMP,
  787. &pRequireSecurityISAKMP
  788. );
  789. BAIL_ON_WIN32_ERROR(dwError);
  790. pIpsecPolicyData = (PIPSEC_POLICY_DATA) AllocPolMem(
  791. sizeof(IPSEC_POLICY_DATA)
  792. );
  793. if (!pIpsecPolicyData) {
  794. dwError = ERROR_OUTOFMEMORY;
  795. BAIL_ON_WIN32_ERROR(dwError);
  796. }
  797. memcpy(
  798. &(pIpsecPolicyData->PolicyIdentifier),
  799. &GUID_LOCKDOWN_POLICY,
  800. sizeof(GUID)
  801. );
  802. pIpsecPolicyData->dwPollingInterval = 10800;
  803. pIpsecPolicyData->pIpsecISAKMPData = NULL;
  804. pIpsecPolicyData->ppIpsecNFAData = NULL;
  805. pIpsecPolicyData->dwNumNFACount = 0;
  806. pIpsecPolicyData->dwWhenChanged = 0;
  807. dwError = MapAndAllocPolStr(&(pIpsecPolicyData->pszIpsecName),
  808. POLSTORE_LOCKDOWN_POLICY_NAME
  809. );
  810. BAIL_ON_WIN32_ERROR(dwError);
  811. dwError = MapAndAllocPolStr(&(pIpsecPolicyData->pszDescription),
  812. POLSTORE_LOCKDOWN_POLICY_DESCRIPTION
  813. );
  814. BAIL_ON_WIN32_ERROR(dwError);
  815. memcpy(
  816. &(pIpsecPolicyData->ISAKMPIdentifier),
  817. &(pRequireSecurityISAKMP->ISAKMPIdentifier),
  818. sizeof(GUID)
  819. );
  820. dwError = IPSecCreatePolicyData(
  821. hPolicyStore,
  822. pIpsecPolicyData
  823. );
  824. BAIL_ON_WIN32_ERROR(dwError);
  825. dwError = CreateDefaultNegPol(
  826. hPolicyStore,
  827. &pDefaultNegPol
  828. );
  829. BAIL_ON_WIN32_ERROR(dwError);
  830. dwError = UuidCreate(
  831. &NFAIdentifier
  832. );
  833. BAIL_ON_WIN32_ERROR(dwError);
  834. memset(&FilterIdentifier, 0, sizeof(GUID));
  835. dwError = CreateNFA(
  836. hPolicyStore,
  837. NFAIdentifier,
  838. GUID_LOCKDOWN_POLICY,
  839. FilterIdentifier,
  840. pDefaultNegPol->NegPolIdentifier,
  841. pszNFAName,
  842. pszNFADescription
  843. );
  844. BAIL_ON_WIN32_ERROR(dwError);
  845. dwError = UuidCreate(
  846. &NFAIdentifier
  847. );
  848. BAIL_ON_WIN32_ERROR(dwError);
  849. //
  850. // Create the ICMP Rule.
  851. //
  852. dwError = MapIdAndCreateNFA(
  853. hPolicyStore,
  854. NFAIdentifier,
  855. GUID_LOCKDOWN_POLICY,
  856. pAllICMPFilter->FilterIdentifier,
  857. pPermitNegPol->NegPolIdentifier,
  858. POLSTORE_ICMP_NFA_NAME,
  859. POLSTORE_ICMP_NFA_DESCRIPTION
  860. );
  861. BAIL_ON_WIN32_ERROR(dwError);
  862. dwError = UuidCreate(
  863. &NFAIdentifier
  864. );
  865. BAIL_ON_WIN32_ERROR(dwError);
  866. //
  867. // Create the Secure Initiator Rule.
  868. //
  869. dwError = MapIdAndCreateNFA(
  870. hPolicyStore,
  871. NFAIdentifier,
  872. GUID_LOCKDOWN_POLICY,
  873. pAllFilter->FilterIdentifier,
  874. pRequireSecurityNegPol->NegPolIdentifier,
  875. POLSTORE_LOCKDOWN_NFA_NAME,
  876. POLSTORE_LOCKDOWN_NFA_DESCRIPTION
  877. );
  878. BAIL_ON_WIN32_ERROR(dwError);
  879. error:
  880. if (pIpsecPolicyData) {
  881. FreeIpsecPolicyData(pIpsecPolicyData);
  882. }
  883. if (pRequireSecurityISAKMP) {
  884. FreeIpsecISAKMPData(pRequireSecurityISAKMP);
  885. }
  886. if (pDefaultNegPol) {
  887. FreeIpsecNegPolData(pDefaultNegPol);
  888. }
  889. return (dwError);
  890. }
  891. DWORD
  892. CreateISAKMP(
  893. HANDLE hPolicyStore,
  894. GUID ISAKMPIdentifier,
  895. PIPSEC_ISAKMP_DATA * ppIpsecISAKMPData
  896. )
  897. {
  898. DWORD dwError = 0;
  899. PIPSEC_ISAKMP_DATA pIpsecISAKMPData = NULL;
  900. DWORD dwNumISAKMPSecurityMethods = 0;
  901. PCRYPTO_BUNDLE pSecurityMethods = NULL;
  902. PCRYPTO_BUNDLE pBundle = NULL;
  903. pIpsecISAKMPData = (PIPSEC_ISAKMP_DATA) AllocPolMem(
  904. sizeof(IPSEC_ISAKMP_DATA)
  905. );
  906. if (!pIpsecISAKMPData) {
  907. dwError = ERROR_OUTOFMEMORY;
  908. BAIL_ON_WIN32_ERROR(dwError);
  909. }
  910. memcpy(
  911. &(pIpsecISAKMPData->ISAKMPIdentifier),
  912. &(ISAKMPIdentifier),
  913. sizeof(GUID)
  914. );
  915. memset(
  916. &(pIpsecISAKMPData->ISAKMPPolicy),
  917. 0,
  918. sizeof(ISAKMP_POLICY)
  919. );
  920. dwNumISAKMPSecurityMethods = 4;
  921. pSecurityMethods = (PCRYPTO_BUNDLE) AllocPolMem(
  922. sizeof(CRYPTO_BUNDLE)*dwNumISAKMPSecurityMethods
  923. );
  924. if (!pSecurityMethods) {
  925. dwError = ERROR_OUTOFMEMORY;
  926. BAIL_ON_WIN32_ERROR(dwError);
  927. }
  928. pBundle = pSecurityMethods;
  929. pBundle->Lifetime.Seconds = 480*60;
  930. pBundle->EncryptionAlgorithm.AlgorithmIdentifier = IPSEC_ESP_3_DES;
  931. pBundle->HashAlgorithm.AlgorithmIdentifier = IPSEC_AH_SHA;
  932. pBundle->OakleyGroup = 2;
  933. pBundle++;
  934. pBundle->Lifetime.Seconds = 480*60;
  935. pBundle->EncryptionAlgorithm.AlgorithmIdentifier = IPSEC_ESP_3_DES;
  936. pBundle->HashAlgorithm.AlgorithmIdentifier = IPSEC_AH_MD5;
  937. pBundle->OakleyGroup = 2;
  938. pBundle++;
  939. pBundle->Lifetime.Seconds = 480*60;
  940. pBundle->EncryptionAlgorithm.AlgorithmIdentifier = IPSEC_ESP_DES;
  941. pBundle->HashAlgorithm.AlgorithmIdentifier = IPSEC_AH_SHA;
  942. pBundle->OakleyGroup = 1;
  943. pBundle++;
  944. pBundle->Lifetime.Seconds = 480*60;
  945. pBundle->EncryptionAlgorithm.AlgorithmIdentifier = IPSEC_ESP_DES;
  946. pBundle->HashAlgorithm.AlgorithmIdentifier = IPSEC_AH_MD5;
  947. pBundle->OakleyGroup = 1;
  948. pIpsecISAKMPData->dwNumISAKMPSecurityMethods = dwNumISAKMPSecurityMethods;
  949. pIpsecISAKMPData->pSecurityMethods = pSecurityMethods;
  950. pIpsecISAKMPData->dwWhenChanged = 0;
  951. dwError = IPSecCreateISAKMPData(
  952. hPolicyStore,
  953. pIpsecISAKMPData
  954. );
  955. BAIL_ON_WIN32_ERROR(dwError);
  956. *ppIpsecISAKMPData = pIpsecISAKMPData;
  957. return (dwError);
  958. error:
  959. if (pIpsecISAKMPData) {
  960. FreeIpsecISAKMPData(pIpsecISAKMPData);
  961. }
  962. *ppIpsecISAKMPData = NULL;
  963. return (dwError);
  964. }
  965. DWORD
  966. CreateDefaultNegPol(
  967. HANDLE hPolicyStore,
  968. PIPSEC_NEGPOL_DATA * ppDefaultNegPol
  969. )
  970. {
  971. DWORD dwError = 0;
  972. PIPSEC_NEGPOL_DATA pDefaultNegPol = NULL;
  973. DWORD dwSecurityMethodCount = 0;
  974. PIPSEC_SECURITY_METHOD pIpsecSecurityMethods = NULL;
  975. PIPSEC_SECURITY_METHOD pMethod = NULL;
  976. pDefaultNegPol = (PIPSEC_NEGPOL_DATA) AllocPolMem(
  977. sizeof(IPSEC_NEGPOL_DATA)
  978. );
  979. if (!pDefaultNegPol) {
  980. dwError = ERROR_OUTOFMEMORY;
  981. BAIL_ON_WIN32_ERROR(dwError);
  982. }
  983. dwError = UuidCreate(
  984. &(pDefaultNegPol->NegPolIdentifier)
  985. );
  986. BAIL_ON_WIN32_ERROR(dwError);
  987. memcpy(
  988. &(pDefaultNegPol->NegPolAction),
  989. &(GUID_NEGOTIATION_ACTION_NORMAL_IPSEC),
  990. sizeof(GUID)
  991. );
  992. memcpy(
  993. &(pDefaultNegPol->NegPolType),
  994. &(GUID_NEGOTIATION_TYPE_DEFAULT),
  995. sizeof(GUID)
  996. );
  997. dwSecurityMethodCount = 6;
  998. pIpsecSecurityMethods = (PIPSEC_SECURITY_METHOD) AllocPolMem(
  999. sizeof(IPSEC_SECURITY_METHOD)*dwSecurityMethodCount
  1000. );
  1001. if (!pIpsecSecurityMethods) {
  1002. dwError = ERROR_OUTOFMEMORY;
  1003. BAIL_ON_WIN32_ERROR(dwError);
  1004. }
  1005. pMethod = pIpsecSecurityMethods;
  1006. pMethod->Lifetime.KeyExpirationTime = 0;
  1007. pMethod->Lifetime.KeyExpirationBytes = 0;
  1008. pMethod->Flags = 0;
  1009. pMethod->PfsQMRequired = FALSE;
  1010. pMethod->Count = 1;
  1011. pMethod->Algos[0].operation = Encrypt;
  1012. pMethod->Algos[0].algoIdentifier = IPSEC_ESP_3_DES;
  1013. pMethod->Algos[0].secondaryAlgoIdentifier = IPSEC_AH_SHA;
  1014. pMethod ++;
  1015. pMethod->Lifetime.KeyExpirationTime = 0;
  1016. pMethod->Lifetime.KeyExpirationBytes = 0;
  1017. pMethod->Flags = 0;
  1018. pMethod->PfsQMRequired = FALSE;
  1019. pMethod->Count = 1;
  1020. pMethod->Algos[0].operation = Encrypt;
  1021. pMethod->Algos[0].algoIdentifier = IPSEC_ESP_3_DES;
  1022. pMethod->Algos[0].secondaryAlgoIdentifier = IPSEC_AH_MD5;
  1023. pMethod ++;
  1024. pMethod->Lifetime.KeyExpirationTime = 0;
  1025. pMethod->Lifetime.KeyExpirationBytes = 0;
  1026. pMethod->Flags = 0;
  1027. pMethod->PfsQMRequired = FALSE;
  1028. pMethod->Count = 1;
  1029. pMethod->Algos[0].operation = Encrypt;
  1030. pMethod->Algos[0].algoIdentifier = IPSEC_ESP_DES;
  1031. pMethod->Algos[0].secondaryAlgoIdentifier = IPSEC_AH_SHA;
  1032. pMethod ++;
  1033. pMethod->Lifetime.KeyExpirationTime = 0;
  1034. pMethod->Lifetime.KeyExpirationBytes = 0;
  1035. pMethod->Flags = 0;
  1036. pMethod->PfsQMRequired = FALSE;
  1037. pMethod->Count = 1;
  1038. pMethod->Algos[0].operation = Encrypt;
  1039. pMethod->Algos[0].algoIdentifier = IPSEC_ESP_DES;
  1040. pMethod->Algos[0].secondaryAlgoIdentifier = IPSEC_AH_MD5;
  1041. pMethod ++;
  1042. pMethod->Lifetime.KeyExpirationTime = 0;
  1043. pMethod->Lifetime.KeyExpirationBytes = 0;
  1044. pMethod->Flags = 0;
  1045. pMethod->PfsQMRequired = FALSE;
  1046. pMethod->Count = 1;
  1047. pMethod->Algos[0].operation = Auth;
  1048. pMethod->Algos[0].algoIdentifier = IPSEC_AH_SHA;
  1049. pMethod->Algos[0].secondaryAlgoIdentifier = 0;
  1050. pMethod ++;
  1051. pMethod->Lifetime.KeyExpirationTime = 0;
  1052. pMethod->Lifetime.KeyExpirationBytes = 0;
  1053. pMethod->Flags = 0;
  1054. pMethod->PfsQMRequired = FALSE;
  1055. pMethod->Count = 1;
  1056. pMethod->Algos[0].operation = Auth;
  1057. pMethod->Algos[0].algoIdentifier = IPSEC_AH_MD5;
  1058. pMethod->Algos[0].secondaryAlgoIdentifier = 0;
  1059. pDefaultNegPol->dwSecurityMethodCount = dwSecurityMethodCount;
  1060. pDefaultNegPol->pIpsecSecurityMethods = pIpsecSecurityMethods;
  1061. pDefaultNegPol->dwWhenChanged = 0;
  1062. pDefaultNegPol->pszIpsecName = NULL;
  1063. pDefaultNegPol->pszDescription = NULL;
  1064. dwError = IPSecCreateNegPolData(
  1065. hPolicyStore,
  1066. pDefaultNegPol
  1067. );
  1068. BAIL_ON_WIN32_ERROR(dwError);
  1069. *ppDefaultNegPol = pDefaultNegPol;
  1070. return (dwError);
  1071. error:
  1072. if (pDefaultNegPol) {
  1073. FreeIpsecNegPolData(pDefaultNegPol);
  1074. }
  1075. *ppDefaultNegPol = NULL;
  1076. return (dwError);
  1077. }
  1078. DWORD
  1079. CreateNFA(
  1080. HANDLE hPolicyStore,
  1081. GUID NFAIdentifier,
  1082. GUID PolicyIdentifier,
  1083. GUID FilterIdentifier,
  1084. GUID NegPolIdentifier,
  1085. LPWSTR pszNFAName,
  1086. LPWSTR pszNFADescription
  1087. )
  1088. {
  1089. DWORD dwError = 0;
  1090. PIPSEC_NFA_DATA pIpsecNFAData = NULL;
  1091. DWORD dwAuthMethodCount = 0;
  1092. PIPSEC_AUTH_METHOD * ppAuthMethods = NULL;
  1093. PIPSEC_AUTH_METHOD pMethod = NULL;
  1094. pIpsecNFAData = (PIPSEC_NFA_DATA) AllocPolMem(
  1095. sizeof(IPSEC_NFA_DATA)
  1096. );
  1097. if (!pIpsecNFAData) {
  1098. dwError = ERROR_OUTOFMEMORY;
  1099. BAIL_ON_WIN32_ERROR(dwError);
  1100. }
  1101. if (pszNFAName) {
  1102. pIpsecNFAData->pszIpsecName = AllocPolStr(pszNFAName);
  1103. if (!pIpsecNFAData->pszIpsecName) {
  1104. dwError = ERROR_OUTOFMEMORY;
  1105. BAIL_ON_WIN32_ERROR(dwError);
  1106. }
  1107. }
  1108. memcpy(
  1109. &(pIpsecNFAData->NFAIdentifier),
  1110. &(NFAIdentifier),
  1111. sizeof(GUID)
  1112. );
  1113. dwAuthMethodCount = 1;
  1114. ppAuthMethods = (PIPSEC_AUTH_METHOD *) AllocPolMem(
  1115. sizeof(PIPSEC_AUTH_METHOD)*dwAuthMethodCount
  1116. );
  1117. if (!ppAuthMethods) {
  1118. dwError = ERROR_OUTOFMEMORY;
  1119. BAIL_ON_WIN32_ERROR(dwError);
  1120. }
  1121. pIpsecNFAData->dwAuthMethodCount = dwAuthMethodCount;
  1122. pIpsecNFAData->ppAuthMethods = ppAuthMethods;
  1123. pMethod = (PIPSEC_AUTH_METHOD) AllocPolMem(
  1124. sizeof(IPSEC_AUTH_METHOD)
  1125. );
  1126. if (!pMethod) {
  1127. dwError = ERROR_OUTOFMEMORY;
  1128. BAIL_ON_WIN32_ERROR(dwError);
  1129. }
  1130. pMethod->dwAuthType = OAK_SSPI;
  1131. pMethod->dwAuthLen = 0;
  1132. pMethod->pszAuthMethod = NULL;
  1133. pMethod->dwAltAuthLen = 0;
  1134. pMethod->pAltAuthMethod = NULL;
  1135. *(ppAuthMethods + 0) = pMethod;
  1136. pIpsecNFAData->dwInterfaceType = PS_INTERFACE_TYPE_ALL;
  1137. pIpsecNFAData->pszInterfaceName = NULL;
  1138. pIpsecNFAData->dwTunnelIpAddr = 0;
  1139. pIpsecNFAData->dwTunnelFlags = 0;
  1140. pIpsecNFAData->dwActiveFlag = 1;
  1141. pIpsecNFAData->pszEndPointName = NULL;
  1142. pIpsecNFAData->pIpsecFilterData = NULL;
  1143. pIpsecNFAData->pIpsecNegPolData = NULL;
  1144. pIpsecNFAData->dwWhenChanged = 0;
  1145. memcpy(
  1146. &(pIpsecNFAData->NegPolIdentifier),
  1147. &(NegPolIdentifier),
  1148. sizeof(GUID)
  1149. );
  1150. memcpy(
  1151. &(pIpsecNFAData->FilterIdentifier),
  1152. &(FilterIdentifier),
  1153. sizeof(GUID)
  1154. );
  1155. if (pszNFADescription) {
  1156. pIpsecNFAData->pszDescription = AllocPolStr(pszNFADescription);
  1157. if (!pIpsecNFAData->pszDescription) {
  1158. dwError = ERROR_OUTOFMEMORY;
  1159. BAIL_ON_WIN32_ERROR(dwError);
  1160. }
  1161. }
  1162. dwError = IPSecCreateNFAData(
  1163. hPolicyStore,
  1164. PolicyIdentifier,
  1165. pIpsecNFAData
  1166. );
  1167. BAIL_ON_WIN32_ERROR(dwError);
  1168. error:
  1169. if (pIpsecNFAData) {
  1170. FreeIpsecNFAData(pIpsecNFAData);
  1171. }
  1172. return (dwError);
  1173. }
  1174. DWORD
  1175. MapIdAndCreateNFA(
  1176. HANDLE hPolicyStore,
  1177. GUID NFAIdentifier,
  1178. GUID PolicyIdentifier,
  1179. GUID FilterIdentifier,
  1180. GUID NegPolIdentifier,
  1181. DWORD dwNFANameID,
  1182. DWORD dwNFADescriptionID
  1183. )
  1184. {
  1185. LPWSTR pszNFAName = NULL, pszNFADescription = NULL;
  1186. DWORD dwError = 0;
  1187. dwError = MapAndAllocPolStr(&pszNFAName, dwNFANameID);
  1188. BAIL_ON_WIN32_ERROR(dwError);
  1189. dwError = MapAndAllocPolStr(&pszNFADescription, dwNFADescriptionID);
  1190. BAIL_ON_WIN32_ERROR(dwError);
  1191. dwError = CreateNFA(hPolicyStore,
  1192. NFAIdentifier,
  1193. PolicyIdentifier,
  1194. FilterIdentifier,
  1195. NegPolIdentifier,
  1196. pszNFAName,
  1197. pszNFADescription
  1198. );
  1199. error:
  1200. LocalFree(pszNFADescription);
  1201. LocalFree(pszNFAName);
  1202. return dwError;
  1203. }
  1204. DWORD
  1205. MapAndAllocPolStr(
  1206. LPWSTR * plpStr,
  1207. DWORD dwStrID
  1208. )
  1209. {
  1210. LPWSTR lpStr;
  1211. DWORD dwResult;
  1212. dwResult = FormatMessageW(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_HMODULE
  1213. | FORMAT_MESSAGE_IGNORE_INSERTS,
  1214. GetModuleHandleW(SZAPPNAME),
  1215. dwStrID, LANG_NEUTRAL,
  1216. (LPWSTR) plpStr, 0, NULL);
  1217. if (dwResult == 0) {
  1218. *plpStr = NULL;
  1219. return GetLastError();
  1220. }
  1221. return ERROR_SUCCESS;
  1222. }