Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

1895 lines
46 KiB

  1. //----------------------------------------------------------------------------
  2. //
  3. // Microsoft Windows
  4. // Copyright (C) Microsoft Corporation, 2000.
  5. //
  6. // File: rules-d.c
  7. //
  8. // Contents: Rule management for directory.
  9. //
  10. //
  11. // History: AbhisheV
  12. //
  13. //----------------------------------------------------------------------------
  14. #include "precomp.h"
  15. extern LPWSTR NFADNAttributes[];
  16. extern LPWSTR PolicyDNAttributes[];
  17. DWORD
  18. DirEnumNFAData(
  19. HLDAP hLdapBindHandle,
  20. LPWSTR pszIpsecRootContainer,
  21. GUID PolicyIdentifier,
  22. PIPSEC_NFA_DATA ** pppIpsecNFAData,
  23. PDWORD pdwNumNFAObjects
  24. )
  25. {
  26. DWORD dwError = 0;
  27. LPWSTR pszPolicyString = NULL;
  28. PIPSEC_NFA_OBJECT * ppIpsecNFAObject = NULL;
  29. DWORD dwNumNFAObjects = 0;
  30. PIPSEC_NFA_DATA * ppIpsecNFAData = NULL;
  31. DWORD i = 0;
  32. PIPSEC_NFA_OBJECT pIpsecNFAObject = NULL;
  33. PIPSEC_NFA_DATA pIpsecNFAData = NULL;
  34. DWORD j = 0;
  35. dwError = GenerateSpecificPolicyQuery(
  36. PolicyIdentifier,
  37. &pszPolicyString
  38. );
  39. BAIL_ON_WIN32_ERROR(dwError);
  40. dwError = DirEnumNFAObjects(
  41. hLdapBindHandle,
  42. pszIpsecRootContainer,
  43. pszPolicyString,
  44. &ppIpsecNFAObject,
  45. &dwNumNFAObjects
  46. );
  47. BAIL_ON_WIN32_ERROR(dwError);
  48. if (dwNumNFAObjects) {
  49. ppIpsecNFAData = (PIPSEC_NFA_DATA *)AllocPolMem(
  50. sizeof(PIPSEC_NFA_DATA)*dwNumNFAObjects
  51. );
  52. if (!ppIpsecNFAData) {
  53. dwError = ERROR_OUTOFMEMORY;
  54. BAIL_ON_WIN32_ERROR(dwError);
  55. }
  56. }
  57. for (i = 0; i < dwNumNFAObjects; i++) {
  58. pIpsecNFAObject = *(ppIpsecNFAObject + i);
  59. dwError = DirUnmarshallNFAData(
  60. pIpsecNFAObject,
  61. &pIpsecNFAData
  62. );
  63. if (!dwError) {
  64. *(ppIpsecNFAData + j) = pIpsecNFAData;
  65. j++;
  66. }
  67. }
  68. if (j == 0) {
  69. if (ppIpsecNFAData) {
  70. FreePolMem(ppIpsecNFAData);
  71. ppIpsecNFAData = NULL;
  72. }
  73. }
  74. *pppIpsecNFAData = ppIpsecNFAData;
  75. *pdwNumNFAObjects = j;
  76. dwError = ERROR_SUCCESS;
  77. cleanup:
  78. if (ppIpsecNFAObject) {
  79. FreeIpsecNFAObjects(
  80. ppIpsecNFAObject,
  81. dwNumNFAObjects
  82. );
  83. }
  84. if (pszPolicyString) {
  85. FreePolStr(pszPolicyString);
  86. }
  87. return(dwError);
  88. error:
  89. if (ppIpsecNFAData) {
  90. FreeMulIpsecNFAData(
  91. ppIpsecNFAData,
  92. i
  93. );
  94. }
  95. *pppIpsecNFAData = NULL;
  96. *pdwNumNFAObjects = 0;
  97. goto cleanup;
  98. }
  99. DWORD
  100. DirEnumNFAObjects(
  101. HLDAP hLdapBindHandle,
  102. LPWSTR pszIpsecRootContainer,
  103. LPWSTR pszIpsecPolicyName,
  104. PIPSEC_NFA_OBJECT ** pppIpsecNFAObjects,
  105. PDWORD pdwNumNFAObjects
  106. )
  107. {
  108. DWORD dwError = 0;
  109. LPWSTR * ppszNFADNs = NULL;
  110. DWORD dwNumNFAObjects = 0;
  111. LPWSTR pszFilterString = NULL;
  112. LDAPMessage *res = NULL;
  113. DWORD dwCount = 0;
  114. PIPSEC_NFA_OBJECT * ppIpsecNFAObjects = NULL;
  115. DWORD i = 0;
  116. LDAPMessage *e = NULL;
  117. PIPSEC_NFA_OBJECT pIpsecNFAObject = NULL;
  118. DWORD dwNumNFAObjectsReturned = 0;
  119. LPWSTR pszFilterReference = NULL;
  120. LPWSTR pszNegPolReference = NULL;
  121. dwError = DirGetNFADNsForPolicy(
  122. hLdapBindHandle,
  123. pszIpsecRootContainer,
  124. pszIpsecPolicyName,
  125. &ppszNFADNs,
  126. &dwNumNFAObjects
  127. );
  128. BAIL_ON_WIN32_ERROR(dwError);
  129. dwError = GenerateNFAQuery(
  130. ppszNFADNs,
  131. dwNumNFAObjects,
  132. &pszFilterString
  133. );
  134. BAIL_ON_WIN32_ERROR(dwError);
  135. dwError = LdapSearchST(
  136. hLdapBindHandle,
  137. pszIpsecRootContainer,
  138. LDAP_SCOPE_ONELEVEL,
  139. pszFilterString,
  140. NFADNAttributes,
  141. 0,
  142. NULL,
  143. &res
  144. );
  145. BAIL_ON_WIN32_ERROR(dwError);
  146. dwCount = LdapCountEntries(
  147. hLdapBindHandle,
  148. res
  149. );
  150. if (!dwCount) {
  151. dwError = ERROR_DS_NO_ATTRIBUTE_OR_VALUE;
  152. BAIL_ON_WIN32_ERROR(dwError);
  153. }
  154. ppIpsecNFAObjects = (PIPSEC_NFA_OBJECT *)AllocPolMem(
  155. sizeof(PIPSEC_NFA_OBJECT)*dwCount
  156. );
  157. if (!ppIpsecNFAObjects) {
  158. dwError = ERROR_OUTOFMEMORY;
  159. BAIL_ON_WIN32_ERROR(dwError);
  160. }
  161. for (i = 0; i < dwCount; i++) {
  162. if (i == 0) {
  163. dwError = LdapFirstEntry(
  164. hLdapBindHandle,
  165. res,
  166. &e
  167. );
  168. BAIL_ON_WIN32_ERROR(dwError);
  169. }
  170. else {
  171. dwError = LdapNextEntry(
  172. hLdapBindHandle,
  173. e,
  174. &e
  175. );
  176. BAIL_ON_WIN32_ERROR(dwError);
  177. }
  178. dwError =UnMarshallNFAObject(
  179. hLdapBindHandle,
  180. e,
  181. &pIpsecNFAObject,
  182. &pszFilterReference,
  183. &pszNegPolReference
  184. );
  185. if (dwError == ERROR_SUCCESS) {
  186. *(ppIpsecNFAObjects + dwNumNFAObjectsReturned) = pIpsecNFAObject;
  187. dwNumNFAObjectsReturned++;
  188. if (pszFilterReference) {
  189. FreePolStr(pszFilterReference);
  190. pszFilterReference = NULL;
  191. }
  192. if (pszNegPolReference) {
  193. FreePolStr(pszNegPolReference);
  194. pszNegPolReference = NULL;
  195. }
  196. }
  197. }
  198. *pppIpsecNFAObjects = ppIpsecNFAObjects;
  199. *pdwNumNFAObjects = dwNumNFAObjectsReturned;
  200. dwError = ERROR_SUCCESS;
  201. cleanup:
  202. if (res) {
  203. LdapMsgFree(res);
  204. }
  205. if (pszFilterString) {
  206. FreePolStr(pszFilterString);
  207. }
  208. if (ppszNFADNs) {
  209. FreeNFAReferences(
  210. ppszNFADNs,
  211. dwNumNFAObjects
  212. );
  213. }
  214. return(dwError);
  215. error:
  216. if (ppIpsecNFAObjects) {
  217. FreeIpsecNFAObjects(
  218. ppIpsecNFAObjects,
  219. dwNumNFAObjectsReturned
  220. );
  221. }
  222. *pppIpsecNFAObjects = NULL;
  223. *pdwNumNFAObjects = 0;
  224. goto cleanup;
  225. }
  226. DWORD
  227. DirGetNFADNsForPolicy(
  228. HLDAP hLdapBindHandle,
  229. LPWSTR pszIpsecRootContainer,
  230. LPWSTR pszIpsecPolicyName,
  231. LPWSTR ** pppszNFADNs,
  232. PDWORD pdwNumNFAObjects
  233. )
  234. {
  235. DWORD dwError = 0;
  236. LDAPMessage * res = NULL;
  237. DWORD dwCount = 0;
  238. LDAPMessage * e = NULL;
  239. PIPSEC_POLICY_OBJECT pIpsecPolicyObject = NULL;
  240. LPWSTR * ppszNFADNs = NULL;
  241. LPWSTR * ppszIpsecNFANames = NULL;
  242. DWORD dwNumberOfRules = 0;
  243. DWORD i = 0;
  244. LPWSTR pszIpsecNFAName = NULL;
  245. LPWSTR pszNFADN = NULL;
  246. dwError = LdapSearchST(
  247. hLdapBindHandle,
  248. pszIpsecRootContainer,
  249. LDAP_SCOPE_ONELEVEL,
  250. pszIpsecPolicyName,
  251. PolicyDNAttributes,
  252. 0,
  253. NULL,
  254. &res
  255. );
  256. BAIL_ON_WIN32_ERROR(dwError);
  257. dwCount = LdapCountEntries(
  258. hLdapBindHandle,
  259. res
  260. );
  261. if (!dwCount) {
  262. dwError = ERROR_DS_NO_ATTRIBUTE_OR_VALUE;
  263. BAIL_ON_WIN32_ERROR(dwError);
  264. }
  265. dwError = LdapFirstEntry(
  266. hLdapBindHandle,
  267. res,
  268. &e
  269. );
  270. BAIL_ON_WIN32_ERROR(dwError);
  271. dwError = UnMarshallPolicyObject2(
  272. hLdapBindHandle,
  273. e,
  274. &pIpsecPolicyObject
  275. );
  276. BAIL_ON_WIN32_ERROR(dwError);
  277. ppszIpsecNFANames = pIpsecPolicyObject->ppszIpsecNFAReferences;
  278. dwNumberOfRules = pIpsecPolicyObject->NumberofRules;
  279. if (!dwNumberOfRules) {
  280. dwError = ERROR_INVALID_DATA;
  281. BAIL_ON_WIN32_ERROR(dwError);
  282. }
  283. ppszNFADNs = (LPWSTR *)AllocPolMem(
  284. sizeof(LPWSTR)*dwNumberOfRules
  285. );
  286. if (!ppszNFADNs) {
  287. dwError = ERROR_OUTOFMEMORY;
  288. BAIL_ON_WIN32_ERROR(dwError);
  289. }
  290. for (i = 0; i < dwNumberOfRules; i++) {
  291. pszIpsecNFAName = *(ppszIpsecNFANames + i);
  292. pszNFADN = AllocPolStr(pszIpsecNFAName);
  293. if (!pszNFADN) {
  294. dwError = ERROR_OUTOFMEMORY;
  295. BAIL_ON_WIN32_ERROR(dwError);
  296. }
  297. *(ppszNFADNs + i) = pszNFADN;
  298. }
  299. *pppszNFADNs = ppszNFADNs;
  300. *pdwNumNFAObjects = dwNumberOfRules;
  301. cleanup:
  302. if (res) {
  303. LdapMsgFree(res);
  304. }
  305. if (pIpsecPolicyObject) {
  306. FreeIpsecPolicyObject(pIpsecPolicyObject);
  307. }
  308. return(dwError);
  309. error:
  310. if (ppszNFADNs) {
  311. FreeNFAReferences(
  312. ppszNFADNs,
  313. i
  314. );
  315. }
  316. *pppszNFADNs = NULL;
  317. *pdwNumNFAObjects = 0;
  318. goto cleanup;
  319. }
  320. DWORD
  321. DirUnmarshallNFAData(
  322. PIPSEC_NFA_OBJECT pIpsecNFAObject,
  323. PIPSEC_NFA_DATA * ppIpsecNFAData
  324. )
  325. {
  326. DWORD dwError = 0;
  327. dwError = UnmarshallNFAObject(
  328. pIpsecNFAObject,
  329. IPSEC_DIRECTORY_PROVIDER,
  330. ppIpsecNFAData
  331. );
  332. BAIL_ON_WIN32_ERROR(dwError);
  333. error:
  334. return(dwError);
  335. }
  336. DWORD
  337. DirCreateNFAData(
  338. HLDAP hLdapBindHandle,
  339. LPWSTR pszIpsecRootContainer,
  340. GUID PolicyIdentifier,
  341. PIPSEC_NFA_DATA pIpsecNFAData
  342. )
  343. {
  344. DWORD dwError = 0;
  345. PIPSEC_NFA_OBJECT pIpsecNFAObject = NULL;
  346. LPWSTR pszIpsecPolicyReference = NULL;
  347. dwError = DirMarshallNFAObject(
  348. pIpsecNFAData,
  349. pszIpsecRootContainer,
  350. &pIpsecNFAObject
  351. );
  352. BAIL_ON_WIN32_ERROR(dwError);
  353. dwError = ConvertGuidToDirPolicyString(
  354. PolicyIdentifier,
  355. pszIpsecRootContainer,
  356. &pszIpsecPolicyReference
  357. );
  358. BAIL_ON_WIN32_ERROR(dwError);
  359. dwError = DirCreateNFAObject(
  360. hLdapBindHandle,
  361. pszIpsecRootContainer,
  362. pIpsecNFAObject
  363. );
  364. BAIL_ON_WIN32_ERROR(dwError);
  365. //
  366. // Write the policy object reference.
  367. //
  368. dwError = DirAddNFAReferenceToPolicyObject(
  369. hLdapBindHandle,
  370. pszIpsecPolicyReference,
  371. pIpsecNFAObject->pszDistinguishedName
  372. );
  373. BAIL_ON_WIN32_ERROR(dwError);
  374. //
  375. // Write the NFA object reference.
  376. //
  377. dwError = DirAddPolicyReferenceToNFAObject(
  378. hLdapBindHandle,
  379. pIpsecNFAObject->pszDistinguishedName,
  380. pszIpsecPolicyReference
  381. );
  382. BAIL_ON_WIN32_ERROR(dwError);
  383. //
  384. // Write the filter object reference for the NFA
  385. // only if the NFA is not a default rule.
  386. //
  387. if (pIpsecNFAObject->pszIpsecFilterReference) {
  388. dwError = DirAddNFAReferenceToFilterObject(
  389. hLdapBindHandle,
  390. pIpsecNFAObject->pszIpsecFilterReference,
  391. pIpsecNFAObject->pszDistinguishedName
  392. );
  393. BAIL_ON_WIN32_ERROR(dwError);
  394. }
  395. //
  396. // Write the NFA object reference for the filter
  397. // only if the NFA is not a default rule.
  398. //
  399. if (pIpsecNFAObject->pszIpsecFilterReference) {
  400. dwError = DirAddFilterReferenceToNFAObject(
  401. hLdapBindHandle,
  402. pIpsecNFAObject->pszDistinguishedName,
  403. pIpsecNFAObject->pszIpsecFilterReference
  404. );
  405. BAIL_ON_WIN32_ERROR(dwError);
  406. }
  407. //
  408. // Write the negpol object reference for the NFA.
  409. //
  410. dwError = DirAddNFAReferenceToNegPolObject(
  411. hLdapBindHandle,
  412. pIpsecNFAObject->pszIpsecNegPolReference,
  413. pIpsecNFAObject->pszDistinguishedName
  414. );
  415. BAIL_ON_WIN32_ERROR(dwError);
  416. //
  417. // Write the NFA object reference for the negpol.
  418. //
  419. dwError = DirAddNegPolReferenceToNFAObject(
  420. hLdapBindHandle,
  421. pIpsecNFAObject->pszDistinguishedName,
  422. pIpsecNFAObject->pszIpsecNegPolReference
  423. );
  424. BAIL_ON_WIN32_ERROR(dwError);
  425. error:
  426. if (pIpsecNFAObject) {
  427. FreeIpsecNFAObject(
  428. pIpsecNFAObject
  429. );
  430. }
  431. if (pszIpsecPolicyReference) {
  432. FreePolStr(pszIpsecPolicyReference);
  433. }
  434. return(dwError);
  435. }
  436. DWORD
  437. DirMarshallNFAObject(
  438. PIPSEC_NFA_DATA pIpsecNFAData,
  439. LPWSTR pszIpsecRootContainer,
  440. PIPSEC_NFA_OBJECT * ppIpsecNFAObject
  441. )
  442. {
  443. DWORD dwError = 0;
  444. PIPSEC_NFA_OBJECT pIpsecNFAObject = NULL;
  445. WCHAR szGuid[MAX_PATH];
  446. WCHAR szDistinguishedName[MAX_PATH];
  447. LPBYTE pBuffer = NULL;
  448. DWORD dwBufferLen = 0;
  449. LPWSTR pszStringUuid = NULL;
  450. LPWSTR pszIpsecFilterReference = NULL;
  451. LPWSTR pszIpsecNegPolReference = NULL;
  452. GUID ZeroGuid;
  453. memset(&ZeroGuid, 0, sizeof(GUID));
  454. szGuid[0] = L'\0';
  455. szDistinguishedName[0] = L'\0';
  456. pIpsecNFAObject = (PIPSEC_NFA_OBJECT)AllocPolMem(
  457. sizeof(IPSEC_NFA_OBJECT)
  458. );
  459. if (!pIpsecNFAObject) {
  460. dwError = ERROR_OUTOFMEMORY;
  461. BAIL_ON_WIN32_ERROR(dwError);
  462. }
  463. dwError = UuidToString(
  464. &pIpsecNFAData->NFAIdentifier,
  465. &pszStringUuid
  466. );
  467. BAIL_ON_WIN32_ERROR(dwError);
  468. wcscpy(szGuid, L"{");
  469. wcscat(szGuid, pszStringUuid);
  470. wcscat(szGuid, L"}");
  471. //
  472. // Fill in the distinguishedName
  473. //
  474. wcscpy(szDistinguishedName,L"CN=ipsecNFA");
  475. wcscat(szDistinguishedName, szGuid);
  476. wcscat(szDistinguishedName, L",");
  477. SecStrCatW(szDistinguishedName, pszIpsecRootContainer, MAX_PATH);
  478. pIpsecNFAObject->pszDistinguishedName = AllocPolStr(
  479. szDistinguishedName
  480. );
  481. if (!pIpsecNFAObject->pszDistinguishedName) {
  482. dwError = ERROR_OUTOFMEMORY;
  483. BAIL_ON_WIN32_ERROR(dwError);
  484. }
  485. //
  486. // Fill in the ipsecName
  487. //
  488. if (pIpsecNFAData->pszIpsecName &&
  489. *pIpsecNFAData->pszIpsecName) {
  490. pIpsecNFAObject->pszIpsecName = AllocPolStr(
  491. pIpsecNFAData->pszIpsecName
  492. );
  493. if (!pIpsecNFAObject->pszIpsecName) {
  494. dwError = ERROR_OUTOFMEMORY;
  495. BAIL_ON_WIN32_ERROR(dwError);
  496. }
  497. }
  498. if (pIpsecNFAData->pszDescription &&
  499. *pIpsecNFAData->pszDescription) {
  500. pIpsecNFAObject->pszDescription = AllocPolStr(
  501. pIpsecNFAData->pszDescription
  502. );
  503. if (!pIpsecNFAObject->pszDescription) {
  504. dwError = ERROR_OUTOFMEMORY;
  505. BAIL_ON_WIN32_ERROR(dwError);
  506. }
  507. }
  508. //
  509. // Fill in the ipsecID
  510. //
  511. pIpsecNFAObject->pszIpsecID = AllocPolStr(
  512. szGuid
  513. );
  514. if (!pIpsecNFAObject->pszIpsecID) {
  515. dwError = ERROR_OUTOFMEMORY;
  516. BAIL_ON_WIN32_ERROR(dwError);
  517. }
  518. //
  519. // Fill in the ipsecDataType
  520. //
  521. pIpsecNFAObject->dwIpsecDataType = 0x100;
  522. //
  523. // Marshall the pIpsecDataBuffer and the Length
  524. //
  525. dwError = MarshallNFABuffer(
  526. pIpsecNFAData,
  527. &pBuffer,
  528. &dwBufferLen
  529. );
  530. BAIL_ON_WIN32_ERROR(dwError);
  531. pIpsecNFAObject->pIpsecData = pBuffer;
  532. pIpsecNFAObject->dwIpsecDataLen = dwBufferLen;
  533. //
  534. // Marshall the Filter Reference.
  535. // There's no filter reference for a default rule.
  536. //
  537. if (memcmp(
  538. &pIpsecNFAData->FilterIdentifier,
  539. &ZeroGuid,
  540. sizeof(GUID))) {
  541. dwError = ConvertGuidToDirFilterString(
  542. pIpsecNFAData->FilterIdentifier,
  543. pszIpsecRootContainer,
  544. &pszIpsecFilterReference
  545. );
  546. BAIL_ON_WIN32_ERROR(dwError);
  547. pIpsecNFAObject->pszIpsecFilterReference = pszIpsecFilterReference;
  548. }
  549. else {
  550. pIpsecNFAObject->pszIpsecFilterReference = NULL;
  551. }
  552. //
  553. // Marshall the NegPol Reference
  554. //
  555. dwError = ConvertGuidToDirNegPolString(
  556. pIpsecNFAData->NegPolIdentifier,
  557. pszIpsecRootContainer,
  558. &pszIpsecNegPolReference
  559. );
  560. BAIL_ON_WIN32_ERROR(dwError);
  561. pIpsecNFAObject->pszIpsecNegPolReference = pszIpsecNegPolReference;
  562. pIpsecNFAObject->dwWhenChanged = 0;
  563. *ppIpsecNFAObject = pIpsecNFAObject;
  564. cleanup:
  565. if (pszStringUuid) {
  566. RpcStringFree(
  567. &pszStringUuid
  568. );
  569. }
  570. return(dwError);
  571. error:
  572. if (pIpsecNFAObject) {
  573. FreeIpsecNFAObject(
  574. pIpsecNFAObject
  575. );
  576. }
  577. *ppIpsecNFAObject = NULL;
  578. goto cleanup;
  579. }
  580. DWORD
  581. ConvertGuidToDirFilterString(
  582. GUID FilterIdentifier,
  583. LPWSTR pszIpsecRootContainer,
  584. LPWSTR * ppszIpsecFilterReference
  585. )
  586. {
  587. DWORD dwError = 0;
  588. LPWSTR pszStringUuid = NULL;
  589. WCHAR szGuidString[MAX_PATH];
  590. WCHAR szFilterReference[MAX_PATH];
  591. LPWSTR pszIpsecFilterReference = NULL;
  592. dwError = UuidToString(
  593. &FilterIdentifier,
  594. &pszStringUuid
  595. );
  596. BAIL_ON_WIN32_ERROR(dwError);
  597. szGuidString[0] = L'\0';
  598. wcscpy(szGuidString, L"{");
  599. wcscat(szGuidString, pszStringUuid);
  600. wcscat(szGuidString, L"}");
  601. szFilterReference[0] = L'\0';
  602. wcscpy(szFilterReference,L"CN=ipsecFilter");
  603. wcscat(szFilterReference, szGuidString);
  604. wcscat(szFilterReference, L",");
  605. SecStrCatW(szFilterReference, pszIpsecRootContainer, MAX_PATH);
  606. pszIpsecFilterReference = AllocPolStr(
  607. szFilterReference
  608. );
  609. if (!pszIpsecFilterReference) {
  610. dwError = ERROR_OUTOFMEMORY;
  611. BAIL_ON_WIN32_ERROR(dwError);
  612. }
  613. *ppszIpsecFilterReference = pszIpsecFilterReference;
  614. cleanup:
  615. if (pszStringUuid) {
  616. RpcStringFree(&pszStringUuid);
  617. }
  618. return(dwError);
  619. error:
  620. *ppszIpsecFilterReference = NULL;
  621. goto cleanup;
  622. }
  623. DWORD
  624. ConvertGuidToDirNegPolString(
  625. GUID NegPolIdentifier,
  626. LPWSTR pszIpsecRootContainer,
  627. LPWSTR * ppszIpsecNegPolReference
  628. )
  629. {
  630. DWORD dwError = 0;
  631. LPWSTR pszStringUuid = NULL;
  632. WCHAR szGuidString[MAX_PATH];
  633. WCHAR szNegPolReference[MAX_PATH];
  634. LPWSTR pszIpsecNegPolReference = NULL;
  635. dwError = UuidToString(
  636. &NegPolIdentifier,
  637. &pszStringUuid
  638. );
  639. BAIL_ON_WIN32_ERROR(dwError);
  640. szGuidString[0] = L'\0';
  641. wcscpy(szGuidString, L"{");
  642. wcscat(szGuidString, pszStringUuid);
  643. wcscat(szGuidString, L"}");
  644. szNegPolReference[0] = L'\0';
  645. wcscpy(szNegPolReference,L"CN=ipsecNegotiationPolicy");
  646. wcscat(szNegPolReference, szGuidString);
  647. wcscat(szNegPolReference, L",");
  648. SecStrCatW(szNegPolReference, pszIpsecRootContainer, MAX_PATH);
  649. pszIpsecNegPolReference = AllocPolStr(
  650. szNegPolReference
  651. );
  652. if (!pszIpsecNegPolReference) {
  653. dwError = ERROR_OUTOFMEMORY;
  654. BAIL_ON_WIN32_ERROR(dwError);
  655. }
  656. *ppszIpsecNegPolReference = pszIpsecNegPolReference;
  657. cleanup:
  658. if (pszStringUuid) {
  659. RpcStringFree(&pszStringUuid);
  660. }
  661. return(dwError);
  662. error:
  663. *ppszIpsecNegPolReference = NULL;
  664. goto cleanup;
  665. }
  666. DWORD
  667. DirCreateNFAObject(
  668. HLDAP hLdapBindHandle,
  669. LPWSTR pszIpsecRootContainer,
  670. PIPSEC_NFA_OBJECT pIpsecNFAObject
  671. )
  672. {
  673. DWORD dwError = 0;
  674. LDAPModW ** ppLDAPModW = NULL;
  675. dwError = DirMarshallAddNFAObject(
  676. hLdapBindHandle,
  677. pszIpsecRootContainer,
  678. pIpsecNFAObject,
  679. &ppLDAPModW
  680. );
  681. BAIL_ON_WIN32_ERROR(dwError);
  682. dwError = LdapAddS(
  683. hLdapBindHandle,
  684. pIpsecNFAObject->pszDistinguishedName,
  685. ppLDAPModW
  686. );
  687. BAIL_ON_WIN32_ERROR(dwError);
  688. error:
  689. //
  690. // Free the amods structures.
  691. //
  692. if (ppLDAPModW) {
  693. FreeLDAPModWs(
  694. ppLDAPModW
  695. );
  696. }
  697. return(dwError);
  698. }
  699. DWORD
  700. DirMarshallAddNFAObject(
  701. HLDAP hLdapBindHandle,
  702. LPWSTR pszIpsecRootContainer,
  703. PIPSEC_NFA_OBJECT pIpsecNFAObject,
  704. LDAPModW *** pppLDAPModW
  705. )
  706. {
  707. DWORD i = 0;
  708. LDAPModW ** ppLDAPModW = NULL;
  709. LDAPModW * pLDAPModW = NULL;
  710. DWORD dwNumAttributes = 6;
  711. DWORD dwError = 0;
  712. WCHAR Buffer[64];
  713. if (!pIpsecNFAObject->pszIpsecName ||
  714. !*pIpsecNFAObject->pszIpsecName) {
  715. dwNumAttributes--;
  716. }
  717. if (!pIpsecNFAObject->pszDescription ||
  718. !*pIpsecNFAObject->pszDescription) {
  719. dwNumAttributes--;
  720. }
  721. ppLDAPModW = (LDAPModW **) AllocPolMem(
  722. (dwNumAttributes+1) * sizeof(LDAPModW*)
  723. );
  724. if (!ppLDAPModW) {
  725. dwError = ERROR_OUTOFMEMORY;
  726. BAIL_ON_WIN32_ERROR(dwError);
  727. }
  728. pLDAPModW = (LDAPModW *) AllocPolMem(
  729. dwNumAttributes * sizeof(LDAPModW)
  730. );
  731. if (!pLDAPModW) {
  732. dwError = ERROR_OUTOFMEMORY;
  733. BAIL_ON_WIN32_ERROR(dwError);
  734. }
  735. //
  736. // 0. objectClass
  737. //
  738. ppLDAPModW[i] = pLDAPModW + i;
  739. dwError = AllocatePolString(
  740. L"objectClass",
  741. &(pLDAPModW +i)->mod_type
  742. );
  743. BAIL_ON_WIN32_ERROR(dwError);
  744. dwError = AllocateLDAPStringValue(
  745. L"ipsecNFA",
  746. (PLDAPOBJECT *)&(pLDAPModW +i)->mod_values
  747. );
  748. BAIL_ON_WIN32_ERROR(dwError);
  749. (pLDAPModW + i)->mod_op |= LDAP_MOD_REPLACE;
  750. i++;
  751. //
  752. // 1. ipsecName
  753. //
  754. if (pIpsecNFAObject->pszIpsecName &&
  755. *pIpsecNFAObject->pszIpsecName) {
  756. ppLDAPModW[i] = pLDAPModW + i;
  757. dwError = AllocatePolString(
  758. L"ipsecName",
  759. &(pLDAPModW +i)->mod_type
  760. );
  761. BAIL_ON_WIN32_ERROR(dwError);
  762. dwError = AllocateLDAPStringValue(
  763. pIpsecNFAObject->pszIpsecName,
  764. (PLDAPOBJECT *)&(pLDAPModW +i)->mod_values
  765. );
  766. BAIL_ON_WIN32_ERROR(dwError);
  767. (pLDAPModW + i)->mod_op |= LDAP_MOD_REPLACE;
  768. i++;
  769. }
  770. //
  771. // 2. ipsecID
  772. //
  773. ppLDAPModW[i] = pLDAPModW + i;
  774. dwError = AllocatePolString(
  775. L"ipsecID",
  776. &(pLDAPModW +i)->mod_type
  777. );
  778. BAIL_ON_WIN32_ERROR(dwError);
  779. dwError = AllocateLDAPStringValue(
  780. pIpsecNFAObject->pszIpsecID,
  781. (PLDAPOBJECT *)&(pLDAPModW +i)->mod_values
  782. );
  783. BAIL_ON_WIN32_ERROR(dwError);
  784. (pLDAPModW + i)->mod_op |= LDAP_MOD_REPLACE;
  785. i++;
  786. //
  787. // 3. ipsecDataType
  788. //
  789. ppLDAPModW[i] = pLDAPModW + i;
  790. dwError = AllocatePolString(
  791. L"ipsecDataType",
  792. &(pLDAPModW +i)->mod_type
  793. );
  794. BAIL_ON_WIN32_ERROR(dwError);
  795. _itow( pIpsecNFAObject->dwIpsecDataType, Buffer, 10 );
  796. dwError = AllocateLDAPStringValue(
  797. Buffer,
  798. (PLDAPOBJECT *)&(pLDAPModW +i)->mod_values
  799. );
  800. BAIL_ON_WIN32_ERROR(dwError);
  801. (pLDAPModW + i)->mod_op |= LDAP_MOD_REPLACE;
  802. i++;
  803. //
  804. // 4. ipsecData
  805. //
  806. ppLDAPModW[i] = pLDAPModW + i;
  807. dwError = AllocatePolString(
  808. L"ipsecData",
  809. &(pLDAPModW +i)->mod_type
  810. );
  811. BAIL_ON_WIN32_ERROR(dwError);
  812. dwError = AllocateLDAPBinaryValue(
  813. pIpsecNFAObject->pIpsecData,
  814. pIpsecNFAObject->dwIpsecDataLen,
  815. (PLDAPOBJECT *)&(pLDAPModW +i)->mod_values
  816. );
  817. BAIL_ON_WIN32_ERROR(dwError);
  818. (pLDAPModW+i)->mod_op = LDAP_MOD_REPLACE | LDAP_MOD_BVALUES;
  819. i++;
  820. //
  821. // 5. description
  822. //
  823. if (pIpsecNFAObject->pszDescription &&
  824. *pIpsecNFAObject->pszDescription) {
  825. ppLDAPModW[i] = pLDAPModW + i;
  826. dwError = AllocatePolString(
  827. L"description",
  828. &(pLDAPModW +i)->mod_type
  829. );
  830. BAIL_ON_WIN32_ERROR(dwError);
  831. dwError = AllocateLDAPStringValue(
  832. pIpsecNFAObject->pszDescription,
  833. (PLDAPOBJECT *)&(pLDAPModW +i)->mod_values
  834. );
  835. BAIL_ON_WIN32_ERROR(dwError);
  836. (pLDAPModW + i)->mod_op |= LDAP_MOD_REPLACE;
  837. i++;
  838. }
  839. *pppLDAPModW = ppLDAPModW;
  840. return(dwError);
  841. error:
  842. if (ppLDAPModW) {
  843. FreeLDAPModWs(
  844. ppLDAPModW
  845. );
  846. }
  847. *pppLDAPModW = NULL;
  848. return(dwError);
  849. }
  850. DWORD
  851. DirSetNFAData(
  852. HLDAP hLdapBindHandle,
  853. LPWSTR pszIpsecRootContainer,
  854. GUID PolicyIdentifier,
  855. PIPSEC_NFA_DATA pIpsecNFAData
  856. )
  857. {
  858. DWORD dwError = 0;
  859. PIPSEC_NFA_OBJECT pIpsecNFAObject = NULL;
  860. LPWSTR pszOldIpsecFilterReference = NULL;
  861. LPWSTR pszOldIpsecNegPolReference = NULL;
  862. dwError = DirMarshallNFAObject(
  863. pIpsecNFAData,
  864. pszIpsecRootContainer,
  865. &pIpsecNFAObject
  866. );
  867. BAIL_ON_WIN32_ERROR(dwError);
  868. dwError = DirGetNFAExistingFilterRef(
  869. hLdapBindHandle,
  870. pszIpsecRootContainer,
  871. pIpsecNFAData,
  872. &pszOldIpsecFilterReference
  873. );
  874. // BAIL_ON_WIN32_ERROR(dwError);
  875. dwError = DirGetNFAExistingNegPolRef(
  876. hLdapBindHandle,
  877. pszIpsecRootContainer,
  878. pIpsecNFAData,
  879. &pszOldIpsecNegPolReference
  880. );
  881. // BAIL_ON_WIN32_ERROR(dwError);
  882. dwError = DirSetNFAObject(
  883. hLdapBindHandle,
  884. pszIpsecRootContainer,
  885. pIpsecNFAObject
  886. );
  887. BAIL_ON_WIN32_ERROR(dwError);
  888. if (pszOldIpsecFilterReference) {
  889. dwError = DirDeleteNFAReferenceInFilterObject(
  890. hLdapBindHandle,
  891. pszOldIpsecFilterReference,
  892. pIpsecNFAObject->pszDistinguishedName
  893. );
  894. // BAIL_ON_WIN32_ERROR(dwError);
  895. }
  896. if (pIpsecNFAObject->pszIpsecFilterReference) {
  897. dwError = DirAddNFAReferenceToFilterObject(
  898. hLdapBindHandle,
  899. pIpsecNFAObject->pszIpsecFilterReference,
  900. pIpsecNFAObject->pszDistinguishedName
  901. );
  902. BAIL_ON_WIN32_ERROR(dwError);
  903. }
  904. //
  905. // Update the NFA object reference for the filter.
  906. //
  907. if (pIpsecNFAObject->pszIpsecFilterReference) {
  908. dwError = DirUpdateFilterReferenceInNFAObject(
  909. hLdapBindHandle,
  910. pIpsecNFAObject->pszDistinguishedName,
  911. pszOldIpsecFilterReference,
  912. pIpsecNFAObject->pszIpsecFilterReference
  913. );
  914. BAIL_ON_WIN32_ERROR(dwError);
  915. }
  916. else {
  917. dwError = DirRemoveFilterReferenceInNFAObject(
  918. hLdapBindHandle,
  919. pIpsecNFAObject->pszDistinguishedName
  920. );
  921. // BAIL_ON_WIN32_ERROR(dwError);
  922. }
  923. if (pszOldIpsecNegPolReference) {
  924. dwError = DirDeleteNFAReferenceInNegPolObject(
  925. hLdapBindHandle,
  926. pszOldIpsecNegPolReference,
  927. pIpsecNFAObject->pszDistinguishedName
  928. );
  929. // BAIL_ON_WIN32_ERROR(dwError);
  930. }
  931. dwError = DirAddNFAReferenceToNegPolObject(
  932. hLdapBindHandle,
  933. pIpsecNFAObject->pszIpsecNegPolReference,
  934. pIpsecNFAObject->pszDistinguishedName
  935. );
  936. BAIL_ON_WIN32_ERROR(dwError);
  937. //
  938. // Update the NFA object reference for the negpol.
  939. //
  940. dwError = DirUpdateNegPolReferenceInNFAObject(
  941. hLdapBindHandle,
  942. pIpsecNFAObject->pszDistinguishedName,
  943. pszOldIpsecNegPolReference,
  944. pIpsecNFAObject->pszIpsecNegPolReference
  945. );
  946. BAIL_ON_WIN32_ERROR(dwError);
  947. dwError = DirBackPropIncChangesForNFAToPolicy(
  948. hLdapBindHandle,
  949. pszIpsecRootContainer,
  950. pIpsecNFAObject->pszDistinguishedName
  951. );
  952. BAIL_ON_WIN32_ERROR(dwError);
  953. error:
  954. if (pIpsecNFAObject) {
  955. FreeIpsecNFAObject(pIpsecNFAObject);
  956. }
  957. if (pszOldIpsecFilterReference) {
  958. FreePolStr(pszOldIpsecFilterReference);
  959. }
  960. if (pszOldIpsecNegPolReference) {
  961. FreePolStr(pszOldIpsecNegPolReference);
  962. }
  963. return(dwError);
  964. }
  965. DWORD
  966. DirSetNFAObject(
  967. HLDAP hLdapBindHandle,
  968. LPWSTR pszIpsecRootContainer,
  969. PIPSEC_NFA_OBJECT pIpsecNFAObject
  970. )
  971. {
  972. DWORD dwError = 0;
  973. LDAPModW ** ppLDAPModW = NULL;
  974. dwError = DirMarshallSetNFAObject(
  975. hLdapBindHandle,
  976. pszIpsecRootContainer,
  977. pIpsecNFAObject,
  978. &ppLDAPModW
  979. );
  980. BAIL_ON_WIN32_ERROR(dwError);
  981. dwError = LdapModifyS(
  982. hLdapBindHandle,
  983. pIpsecNFAObject->pszDistinguishedName,
  984. ppLDAPModW
  985. );
  986. BAIL_ON_WIN32_ERROR(dwError);
  987. error:
  988. //
  989. // Free the amods structures.
  990. //
  991. if (ppLDAPModW) {
  992. FreeLDAPModWs(
  993. ppLDAPModW
  994. );
  995. }
  996. return(dwError);
  997. }
  998. DWORD
  999. DirMarshallSetNFAObject(
  1000. HLDAP hLdapBindHandle,
  1001. LPWSTR pszIpsecRootContainer,
  1002. PIPSEC_NFA_OBJECT pIpsecNFAObject,
  1003. LDAPModW *** pppLDAPModW
  1004. )
  1005. {
  1006. DWORD i = 0;
  1007. LDAPModW ** ppLDAPModW = NULL;
  1008. LDAPModW * pLDAPModW = NULL;
  1009. DWORD dwNumAttributes = 5;
  1010. DWORD dwError = 0;
  1011. WCHAR Buffer[64];
  1012. if (!pIpsecNFAObject->pszIpsecName ||
  1013. !*pIpsecNFAObject->pszIpsecName) {
  1014. dwNumAttributes--;
  1015. }
  1016. if (!pIpsecNFAObject->pszDescription ||
  1017. !*pIpsecNFAObject->pszDescription) {
  1018. dwNumAttributes--;
  1019. }
  1020. ppLDAPModW = (LDAPModW **) AllocPolMem(
  1021. (dwNumAttributes+1) * sizeof(LDAPModW*)
  1022. );
  1023. if (!ppLDAPModW) {
  1024. dwError = ERROR_OUTOFMEMORY;
  1025. BAIL_ON_WIN32_ERROR(dwError);
  1026. }
  1027. pLDAPModW = (LDAPModW *) AllocPolMem(
  1028. dwNumAttributes * sizeof(LDAPModW)
  1029. );
  1030. if (!pLDAPModW) {
  1031. dwError = ERROR_OUTOFMEMORY;
  1032. BAIL_ON_WIN32_ERROR(dwError);
  1033. }
  1034. //
  1035. // 1. ipsecName
  1036. //
  1037. if (pIpsecNFAObject->pszIpsecName &&
  1038. *pIpsecNFAObject->pszIpsecName) {
  1039. ppLDAPModW[i] = pLDAPModW + i;
  1040. dwError = AllocatePolString(
  1041. L"ipsecName",
  1042. &(pLDAPModW +i)->mod_type
  1043. );
  1044. BAIL_ON_WIN32_ERROR(dwError);
  1045. dwError = AllocateLDAPStringValue(
  1046. pIpsecNFAObject->pszIpsecName,
  1047. (PLDAPOBJECT *)&(pLDAPModW +i)->mod_values
  1048. );
  1049. BAIL_ON_WIN32_ERROR(dwError);
  1050. (pLDAPModW + i)->mod_op |= LDAP_MOD_REPLACE;
  1051. i++;
  1052. }
  1053. //
  1054. // 2. ipsecID
  1055. //
  1056. ppLDAPModW[i] = pLDAPModW + i;
  1057. dwError = AllocatePolString(
  1058. L"ipsecID",
  1059. &(pLDAPModW +i)->mod_type
  1060. );
  1061. BAIL_ON_WIN32_ERROR(dwError);
  1062. dwError = AllocateLDAPStringValue(
  1063. pIpsecNFAObject->pszIpsecID,
  1064. (PLDAPOBJECT *)&(pLDAPModW +i)->mod_values
  1065. );
  1066. BAIL_ON_WIN32_ERROR(dwError);
  1067. (pLDAPModW + i)->mod_op |= LDAP_MOD_REPLACE;
  1068. i++;
  1069. //
  1070. // 3. ipsecDataType
  1071. //
  1072. ppLDAPModW[i] = pLDAPModW + i;
  1073. dwError = AllocatePolString(
  1074. L"ipsecDataType",
  1075. &(pLDAPModW +i)->mod_type
  1076. );
  1077. BAIL_ON_WIN32_ERROR(dwError);
  1078. _itow( pIpsecNFAObject->dwIpsecDataType, Buffer, 10 );
  1079. dwError = AllocateLDAPStringValue(
  1080. Buffer,
  1081. (PLDAPOBJECT *)&(pLDAPModW +i)->mod_values
  1082. );
  1083. BAIL_ON_WIN32_ERROR(dwError);
  1084. (pLDAPModW + i)->mod_op |= LDAP_MOD_REPLACE;
  1085. i++;
  1086. //
  1087. // 4. ipsecData
  1088. //
  1089. ppLDAPModW[i] = pLDAPModW + i;
  1090. dwError = AllocatePolString(
  1091. L"ipsecData",
  1092. &(pLDAPModW +i)->mod_type
  1093. );
  1094. BAIL_ON_WIN32_ERROR(dwError);
  1095. dwError = AllocateLDAPBinaryValue(
  1096. pIpsecNFAObject->pIpsecData,
  1097. pIpsecNFAObject->dwIpsecDataLen,
  1098. (PLDAPOBJECT *)&(pLDAPModW +i)->mod_values
  1099. );
  1100. BAIL_ON_WIN32_ERROR(dwError);
  1101. (pLDAPModW+i)->mod_op = LDAP_MOD_REPLACE | LDAP_MOD_BVALUES;
  1102. i++;
  1103. //
  1104. // 5. description
  1105. //
  1106. if (pIpsecNFAObject->pszDescription &&
  1107. *pIpsecNFAObject->pszDescription) {
  1108. ppLDAPModW[i] = pLDAPModW + i;
  1109. dwError = AllocatePolString(
  1110. L"description",
  1111. &(pLDAPModW +i)->mod_type
  1112. );
  1113. BAIL_ON_WIN32_ERROR(dwError);
  1114. dwError = AllocateLDAPStringValue(
  1115. pIpsecNFAObject->pszDescription,
  1116. (PLDAPOBJECT *)&(pLDAPModW +i)->mod_values
  1117. );
  1118. BAIL_ON_WIN32_ERROR(dwError);
  1119. (pLDAPModW + i)->mod_op |= LDAP_MOD_REPLACE;
  1120. i++;
  1121. }
  1122. *pppLDAPModW = ppLDAPModW;
  1123. return(dwError);
  1124. error:
  1125. if (ppLDAPModW) {
  1126. FreeLDAPModWs(
  1127. ppLDAPModW
  1128. );
  1129. }
  1130. *pppLDAPModW = NULL;
  1131. return(dwError);
  1132. }
  1133. DWORD
  1134. DirDeleteNFAData(
  1135. HLDAP hLdapBindHandle,
  1136. LPWSTR pszIpsecRootContainer,
  1137. GUID PolicyIdentifier,
  1138. PIPSEC_NFA_DATA pIpsecNFAData
  1139. )
  1140. {
  1141. DWORD dwError = 0;
  1142. PIPSEC_NFA_OBJECT pIpsecNFAObject = NULL;
  1143. LPWSTR pszIpsecPolicyReference = NULL;
  1144. dwError = DirMarshallNFAObject(
  1145. pIpsecNFAData,
  1146. pszIpsecRootContainer,
  1147. &pIpsecNFAObject
  1148. );
  1149. BAIL_ON_WIN32_ERROR(dwError);
  1150. dwError = ConvertGuidToDirPolicyString(
  1151. PolicyIdentifier,
  1152. pszIpsecRootContainer,
  1153. &pszIpsecPolicyReference
  1154. );
  1155. BAIL_ON_WIN32_ERROR(dwError);
  1156. //
  1157. // Remove the NFA reference from the policy object.
  1158. //
  1159. dwError = DirRemoveNFAReferenceFromPolicyObject(
  1160. hLdapBindHandle,
  1161. pszIpsecPolicyReference,
  1162. pIpsecNFAObject->pszDistinguishedName
  1163. );
  1164. BAIL_ON_WIN32_ERROR(dwError);
  1165. //
  1166. // Remove the NFA Reference from the negpol object.
  1167. //
  1168. dwError = DirDeleteNFAReferenceInNegPolObject(
  1169. hLdapBindHandle,
  1170. pIpsecNFAObject->pszIpsecNegPolReference,
  1171. pIpsecNFAObject->pszDistinguishedName
  1172. );
  1173. // BAIL_ON_WIN32_ERROR(dwError);
  1174. //
  1175. // Remove the NFA Reference from the filter object.
  1176. //
  1177. if (pIpsecNFAObject->pszIpsecFilterReference) {
  1178. dwError = DirDeleteNFAReferenceInFilterObject(
  1179. hLdapBindHandle,
  1180. pIpsecNFAObject->pszIpsecFilterReference,
  1181. pIpsecNFAObject->pszDistinguishedName
  1182. );
  1183. // BAIL_ON_WIN32_ERROR(dwError);
  1184. }
  1185. dwError = LdapDeleteS(
  1186. hLdapBindHandle,
  1187. pIpsecNFAObject->pszDistinguishedName
  1188. );
  1189. BAIL_ON_WIN32_ERROR(dwError);
  1190. error:
  1191. if (pIpsecNFAObject) {
  1192. FreeIpsecNFAObject(pIpsecNFAObject);
  1193. }
  1194. if (pszIpsecPolicyReference) {
  1195. FreePolStr(pszIpsecPolicyReference);
  1196. }
  1197. return(dwError);
  1198. }
  1199. DWORD
  1200. DirGetNFAExistingFilterRef(
  1201. HLDAP hLdapBindHandle,
  1202. LPWSTR pszIpsecRootContainer,
  1203. PIPSEC_NFA_DATA pIpsecNFAData,
  1204. LPWSTR * ppszIpsecFilterName
  1205. )
  1206. {
  1207. DWORD dwError = 0;
  1208. LPWSTR pszNFAString = NULL;
  1209. LDAPMessage * res = NULL;
  1210. DWORD dwCount = 0;
  1211. LDAPMessage * e = NULL;
  1212. PIPSEC_NFA_OBJECT pIpsecNFAObject = NULL;
  1213. LPWSTR pszIpsecFilterName = NULL;
  1214. LPWSTR pszFilterReference = NULL;
  1215. LPWSTR pszNegPolReference = NULL;
  1216. dwError = GenerateSpecificNFAQuery(
  1217. pIpsecNFAData->NFAIdentifier,
  1218. &pszNFAString
  1219. );
  1220. BAIL_ON_WIN32_ERROR(dwError);
  1221. dwError = LdapSearchST(
  1222. hLdapBindHandle,
  1223. pszIpsecRootContainer,
  1224. LDAP_SCOPE_ONELEVEL,
  1225. pszNFAString,
  1226. NFADNAttributes,
  1227. 0,
  1228. NULL,
  1229. &res
  1230. );
  1231. BAIL_ON_WIN32_ERROR(dwError);
  1232. dwCount = LdapCountEntries(
  1233. hLdapBindHandle,
  1234. res
  1235. );
  1236. if (!dwCount) {
  1237. dwError = ERROR_DS_NO_ATTRIBUTE_OR_VALUE;
  1238. BAIL_ON_WIN32_ERROR(dwError);
  1239. }
  1240. dwError = LdapFirstEntry(
  1241. hLdapBindHandle,
  1242. res,
  1243. &e
  1244. );
  1245. BAIL_ON_WIN32_ERROR(dwError);
  1246. dwError =UnMarshallNFAObject(
  1247. hLdapBindHandle,
  1248. e,
  1249. &pIpsecNFAObject,
  1250. &pszFilterReference,
  1251. &pszNegPolReference
  1252. );
  1253. BAIL_ON_WIN32_ERROR(dwError);
  1254. if (pszFilterReference) {
  1255. FreePolStr(pszFilterReference);
  1256. }
  1257. if (pszNegPolReference) {
  1258. FreePolStr(pszNegPolReference);
  1259. }
  1260. if (pIpsecNFAObject->pszIpsecFilterReference) {
  1261. pszIpsecFilterName = AllocPolStr(
  1262. pIpsecNFAObject->pszIpsecFilterReference
  1263. );
  1264. if (!pszIpsecFilterName) {
  1265. dwError = ERROR_OUTOFMEMORY;
  1266. BAIL_ON_WIN32_ERROR(dwError);
  1267. }
  1268. }
  1269. *ppszIpsecFilterName = pszIpsecFilterName;
  1270. dwError = ERROR_SUCCESS;
  1271. cleanup:
  1272. if (pszNFAString) {
  1273. FreePolMem(pszNFAString);
  1274. }
  1275. if (res) {
  1276. LdapMsgFree(res);
  1277. }
  1278. if (pIpsecNFAObject) {
  1279. FreeIpsecNFAObject(pIpsecNFAObject);
  1280. }
  1281. return(dwError);
  1282. error:
  1283. *ppszIpsecFilterName = NULL;
  1284. goto cleanup;
  1285. }
  1286. DWORD
  1287. GenerateSpecificNFAQuery(
  1288. GUID NFAIdentifier,
  1289. LPWSTR * ppszNFAString
  1290. )
  1291. {
  1292. DWORD dwError = ERROR_SUCCESS;
  1293. WCHAR szGuid[MAX_PATH];
  1294. WCHAR szCommonName[MAX_PATH];
  1295. LPWSTR pszStringUuid = NULL;
  1296. DWORD dwLength = 0;
  1297. LPWSTR pszNFAString = NULL;
  1298. szGuid[0] = L'\0';
  1299. szCommonName[0] = L'\0';
  1300. dwError = UuidToString(
  1301. &NFAIdentifier,
  1302. &pszStringUuid
  1303. );
  1304. BAIL_ON_WIN32_ERROR(dwError);
  1305. wcscpy(szGuid, L"{");
  1306. wcscat(szGuid, pszStringUuid);
  1307. wcscat(szGuid, L"}");
  1308. wcscpy(szCommonName, L"cn=ipsecNFA");
  1309. wcscat(szCommonName, szGuid);
  1310. //
  1311. // Compute Length of Buffer to be allocated
  1312. //
  1313. dwLength = wcslen(L"(&(objectclass=ipsecNFA)");
  1314. dwLength += wcslen(L"(");
  1315. dwLength += wcslen(szCommonName);
  1316. dwLength += wcslen(L"))");
  1317. pszNFAString = (LPWSTR) AllocPolMem((dwLength + 1)*sizeof(WCHAR));
  1318. if (!pszNFAString) {
  1319. dwError = ERROR_OUTOFMEMORY;
  1320. BAIL_ON_WIN32_ERROR(dwError);
  1321. }
  1322. wcscpy(pszNFAString, L"(&(objectclass=ipsecNFA)");
  1323. wcscat(pszNFAString, L"(");
  1324. wcscat(pszNFAString, szCommonName);
  1325. wcscat(pszNFAString, L"))");
  1326. *ppszNFAString = pszNFAString;
  1327. cleanup:
  1328. if (pszStringUuid) {
  1329. RpcStringFree(&pszStringUuid);
  1330. }
  1331. return(dwError);
  1332. error:
  1333. if (pszNFAString) {
  1334. FreePolMem(pszNFAString);
  1335. }
  1336. *ppszNFAString = NULL;
  1337. goto cleanup;
  1338. }
  1339. DWORD
  1340. DirGetNFAExistingNegPolRef(
  1341. HLDAP hLdapBindHandle,
  1342. LPWSTR pszIpsecRootContainer,
  1343. PIPSEC_NFA_DATA pIpsecNFAData,
  1344. LPWSTR * ppszIpsecNegPolName
  1345. )
  1346. {
  1347. DWORD dwError = 0;
  1348. LPWSTR pszNFAString = NULL;
  1349. LDAPMessage * res = NULL;
  1350. DWORD dwCount = 0;
  1351. LDAPMessage * e = NULL;
  1352. PIPSEC_NFA_OBJECT pIpsecNFAObject = NULL;
  1353. LPWSTR pszIpsecNegPolName = NULL;
  1354. LPWSTR pszFilterReference = NULL;
  1355. LPWSTR pszNegPolReference = NULL;
  1356. dwError = GenerateSpecificNFAQuery(
  1357. pIpsecNFAData->NFAIdentifier,
  1358. &pszNFAString
  1359. );
  1360. BAIL_ON_WIN32_ERROR(dwError);
  1361. dwError = LdapSearchST(
  1362. hLdapBindHandle,
  1363. pszIpsecRootContainer,
  1364. LDAP_SCOPE_ONELEVEL,
  1365. pszNFAString,
  1366. NFADNAttributes,
  1367. 0,
  1368. NULL,
  1369. &res
  1370. );
  1371. BAIL_ON_WIN32_ERROR(dwError);
  1372. dwCount = LdapCountEntries(
  1373. hLdapBindHandle,
  1374. res
  1375. );
  1376. if (!dwCount) {
  1377. dwError = ERROR_DS_NO_ATTRIBUTE_OR_VALUE;
  1378. BAIL_ON_WIN32_ERROR(dwError);
  1379. }
  1380. dwError = LdapFirstEntry(
  1381. hLdapBindHandle,
  1382. res,
  1383. &e
  1384. );
  1385. BAIL_ON_WIN32_ERROR(dwError);
  1386. dwError =UnMarshallNFAObject(
  1387. hLdapBindHandle,
  1388. e,
  1389. &pIpsecNFAObject,
  1390. &pszFilterReference,
  1391. &pszNegPolReference
  1392. );
  1393. BAIL_ON_WIN32_ERROR(dwError);
  1394. if (pszFilterReference) {
  1395. FreePolStr(pszFilterReference);
  1396. }
  1397. if (pszNegPolReference) {
  1398. FreePolStr(pszNegPolReference);
  1399. }
  1400. pszIpsecNegPolName = AllocPolStr(
  1401. pIpsecNFAObject->pszIpsecNegPolReference
  1402. );
  1403. if (!pszIpsecNegPolName) {
  1404. dwError = ERROR_OUTOFMEMORY;
  1405. BAIL_ON_WIN32_ERROR(dwError);
  1406. }
  1407. *ppszIpsecNegPolName = pszIpsecNegPolName;
  1408. dwError = ERROR_SUCCESS;
  1409. cleanup:
  1410. if (pszNFAString) {
  1411. FreePolMem(pszNFAString);
  1412. }
  1413. if (res) {
  1414. LdapMsgFree(res);
  1415. }
  1416. if (pIpsecNFAObject) {
  1417. FreeIpsecNFAObject(pIpsecNFAObject);
  1418. }
  1419. return(dwError);
  1420. error:
  1421. *ppszIpsecNegPolName = NULL;
  1422. goto cleanup;
  1423. }
  1424. DWORD
  1425. DirGetNFAObject(
  1426. HLDAP hLdapBindHandle,
  1427. LPWSTR pszIpsecRootContainer,
  1428. GUID NFAGUID,
  1429. PIPSEC_NFA_OBJECT * ppIpsecNFAObject
  1430. )
  1431. {
  1432. DWORD dwError = 0;
  1433. LPWSTR pszNFAString = NULL;
  1434. LDAPMessage * res = NULL;
  1435. DWORD dwCount = 0;
  1436. LDAPMessage * e = NULL;
  1437. PIPSEC_NFA_OBJECT pIpsecNFAObject = NULL;
  1438. LPWSTR pszFilterReference = NULL;
  1439. LPWSTR pszNegPolReference = NULL;
  1440. dwError = GenerateSpecificNFAQuery(
  1441. NFAGUID,
  1442. &pszNFAString
  1443. );
  1444. BAIL_ON_WIN32_ERROR(dwError);
  1445. dwError = LdapSearchST(
  1446. hLdapBindHandle,
  1447. pszIpsecRootContainer,
  1448. LDAP_SCOPE_ONELEVEL,
  1449. pszNFAString,
  1450. NFADNAttributes,
  1451. 0,
  1452. NULL,
  1453. &res
  1454. );
  1455. BAIL_ON_WIN32_ERROR(dwError);
  1456. dwCount = LdapCountEntries(
  1457. hLdapBindHandle,
  1458. res
  1459. );
  1460. if (!dwCount) {
  1461. dwError = ERROR_DS_NO_ATTRIBUTE_OR_VALUE;
  1462. BAIL_ON_WIN32_ERROR(dwError);
  1463. }
  1464. dwError = LdapFirstEntry(
  1465. hLdapBindHandle,
  1466. res,
  1467. &e
  1468. );
  1469. BAIL_ON_WIN32_ERROR(dwError);
  1470. dwError = UnMarshallNFAObject(
  1471. hLdapBindHandle,
  1472. e,
  1473. &pIpsecNFAObject,
  1474. &pszFilterReference,
  1475. &pszNegPolReference
  1476. );
  1477. BAIL_ON_WIN32_ERROR(dwError);
  1478. if (pszFilterReference) {
  1479. FreePolStr(pszFilterReference);
  1480. }
  1481. if (pszNegPolReference) {
  1482. FreePolStr(pszNegPolReference);
  1483. }
  1484. *ppIpsecNFAObject = pIpsecNFAObject;
  1485. dwError = ERROR_SUCCESS;
  1486. cleanup:
  1487. if (pszNFAString) {
  1488. FreePolMem(pszNFAString);
  1489. }
  1490. if (res) {
  1491. LdapMsgFree(res);
  1492. }
  1493. return(dwError);
  1494. error:
  1495. if (pIpsecNFAObject) {
  1496. FreeIpsecNFAObject(
  1497. pIpsecNFAObject
  1498. );
  1499. }
  1500. *ppIpsecNFAObject = NULL;
  1501. goto cleanup;
  1502. }