647 lines
14 KiB
647 lines
14 KiB
|
|
|
|
#include "precomp.h"
|
|
#ifdef TRACE_ON
|
|
#include "pamm-pol.tmh"
|
|
#endif
|
|
|
|
|
|
DWORD
|
|
PAAddMMPolicies(
|
|
PIPSEC_ISAKMP_DATA * ppIpsecISAKMPData,
|
|
DWORD dwNumPolicies,
|
|
DWORD dwSource
|
|
)
|
|
{
|
|
DWORD dwError = 0;
|
|
DWORD i = 0;
|
|
PMMPOLICYSTATE pMMPolicyState = NULL;
|
|
PIPSEC_MM_POLICY pSPDMMPolicy = NULL;
|
|
LPWSTR pServerName = NULL;
|
|
DWORD dwPersist = 0;
|
|
DWORD dwVersion = 0;
|
|
|
|
for (i = 0; i < dwNumPolicies; i++) {
|
|
TRACE(
|
|
TRC_INFORMATION,
|
|
(L"Pastore adding MM policy based on ISAKMP data %!guid!",
|
|
&(*(ppIpsecISAKMPData + i))->ISAKMPIdentifier)
|
|
);
|
|
|
|
dwError = PACreateMMPolicyState(
|
|
*(ppIpsecISAKMPData + i),
|
|
&pMMPolicyState
|
|
);
|
|
if (dwError) {
|
|
continue;
|
|
}
|
|
|
|
dwError = PACreateMMPolicy(
|
|
*(ppIpsecISAKMPData + i),
|
|
pMMPolicyState,
|
|
&pSPDMMPolicy
|
|
);
|
|
if (dwError) {
|
|
|
|
pMMPolicyState->bInSPD = FALSE;
|
|
pMMPolicyState->dwErrorCode = dwError;
|
|
|
|
pMMPolicyState->pNext = gpMMPolicyState;
|
|
gpMMPolicyState = pMMPolicyState;
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
dwError = AddMMPolicyInternal(
|
|
pServerName,
|
|
dwVersion,
|
|
dwPersist,
|
|
dwSource,
|
|
pSPDMMPolicy,
|
|
NULL
|
|
);
|
|
if (dwError && dwError != WARNING_IPSEC_MM_POLICY_PRUNED) {
|
|
pMMPolicyState->bInSPD = FALSE;
|
|
pMMPolicyState->dwErrorCode = dwError;
|
|
}
|
|
else {
|
|
pMMPolicyState->bInSPD = TRUE;
|
|
pMMPolicyState->dwErrorCode = ERROR_SUCCESS;
|
|
dwError = ERROR_SUCCESS;
|
|
}
|
|
|
|
pMMPolicyState->pNext = gpMMPolicyState;
|
|
gpMMPolicyState = pMMPolicyState;
|
|
|
|
PAFreeMMPolicy(pSPDMMPolicy);
|
|
|
|
}
|
|
|
|
return (dwError);
|
|
}
|
|
|
|
|
|
DWORD
|
|
PACreateMMPolicyState(
|
|
PIPSEC_ISAKMP_DATA pIpsecISAKMPData,
|
|
PMMPOLICYSTATE * ppMMPolicyState
|
|
)
|
|
{
|
|
DWORD dwError = 0;
|
|
PMMPOLICYSTATE pMMPolicyState = NULL;
|
|
WCHAR pszName[512];
|
|
|
|
|
|
dwError = AllocateSPDMemory(
|
|
sizeof(MMPOLICYSTATE),
|
|
&pMMPolicyState
|
|
);
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
|
|
memcpy(
|
|
&(pMMPolicyState->gPolicyID),
|
|
&(pIpsecISAKMPData->ISAKMPIdentifier),
|
|
sizeof(GUID)
|
|
);
|
|
|
|
wsprintf(pszName, L"%d", ++gdwMMPolicyCounter);
|
|
|
|
dwError = AllocateSPDString(
|
|
pszName,
|
|
&(pMMPolicyState->pszPolicyName)
|
|
);
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
|
|
pMMPolicyState->bInSPD = FALSE;
|
|
pMMPolicyState->dwErrorCode = 0;
|
|
pMMPolicyState->pNext = NULL;
|
|
|
|
*ppMMPolicyState = pMMPolicyState;
|
|
|
|
return (dwError);
|
|
|
|
error:
|
|
TRACE(
|
|
TRC_ERROR,
|
|
(L"Pastore failed to create MM policy state for %!guid!",
|
|
&(pIpsecISAKMPData->ISAKMPIdentifier))
|
|
);
|
|
|
|
if (pMMPolicyState) {
|
|
PAFreeMMPolicyState(pMMPolicyState);
|
|
}
|
|
|
|
*ppMMPolicyState = NULL;
|
|
|
|
return (dwError);
|
|
}
|
|
|
|
|
|
VOID
|
|
PAFreeMMPolicyState(
|
|
PMMPOLICYSTATE pMMPolicyState
|
|
)
|
|
{
|
|
if (pMMPolicyState) {
|
|
if (pMMPolicyState->pszPolicyName) {
|
|
FreeSPDString(pMMPolicyState->pszPolicyName);
|
|
}
|
|
FreeSPDMemory(pMMPolicyState);
|
|
}
|
|
}
|
|
|
|
|
|
DWORD
|
|
PACreateMMPolicy(
|
|
PIPSEC_ISAKMP_DATA pIpsecISAKMPData,
|
|
PMMPOLICYSTATE pMMPolicyState,
|
|
PIPSEC_MM_POLICY * ppSPDMMPolicy
|
|
)
|
|
{
|
|
DWORD dwError = 0;
|
|
PIPSEC_MM_POLICY pSPDMMPolicy = NULL;
|
|
|
|
|
|
dwError = AllocateSPDMemory(
|
|
sizeof(IPSEC_MM_POLICY),
|
|
&pSPDMMPolicy
|
|
);
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
|
|
memcpy(
|
|
&(pSPDMMPolicy->gPolicyID),
|
|
&(pIpsecISAKMPData->ISAKMPIdentifier),
|
|
sizeof(GUID)
|
|
);
|
|
|
|
dwError = AllocateSPDString(
|
|
pMMPolicyState->pszPolicyName,
|
|
&(pSPDMMPolicy->pszPolicyName)
|
|
);
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
|
|
pSPDMMPolicy->dwFlags = 0;
|
|
pSPDMMPolicy->dwFlags |= IPSEC_MM_POLICY_DEFAULT_POLICY;
|
|
|
|
dwError = PACreateMMOffers(
|
|
pIpsecISAKMPData->dwNumISAKMPSecurityMethods,
|
|
pIpsecISAKMPData->pSecurityMethods,
|
|
&(pSPDMMPolicy->dwOfferCount),
|
|
&(pSPDMMPolicy->pOffers)
|
|
);
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
|
|
pSPDMMPolicy->uSoftExpirationTime =
|
|
(pSPDMMPolicy->pOffers)->Lifetime.uKeyExpirationTime;
|
|
|
|
pSPDMMPolicy->dwFlags |= pIpsecISAKMPData->ISAKMPPolicy.dwFlags;
|
|
|
|
*ppSPDMMPolicy = pSPDMMPolicy;
|
|
|
|
return (dwError);
|
|
|
|
error:
|
|
TRACE(
|
|
TRC_ERROR,
|
|
(L"Pastore failed to create MM policy for %!guid!",
|
|
&(pIpsecISAKMPData->ISAKMPIdentifier))
|
|
);
|
|
|
|
|
|
if (pSPDMMPolicy) {
|
|
PAFreeMMPolicy(
|
|
pSPDMMPolicy
|
|
);
|
|
}
|
|
|
|
*ppSPDMMPolicy = NULL;
|
|
|
|
return (dwError);
|
|
}
|
|
|
|
|
|
DWORD
|
|
PACreateMMOffers(
|
|
DWORD dwNumISAKMPSecurityMethods,
|
|
PCRYPTO_BUNDLE pSecurityMethods,
|
|
PDWORD pdwOfferCount,
|
|
PIPSEC_MM_OFFER * ppOffers
|
|
)
|
|
{
|
|
DWORD dwError = 0;
|
|
DWORD dwOfferCount = 0;
|
|
PIPSEC_MM_OFFER pOffers = NULL;
|
|
PIPSEC_MM_OFFER pTempOffer = NULL;
|
|
PCRYPTO_BUNDLE pTempBundle = NULL;
|
|
DWORD i = 0;
|
|
|
|
|
|
if (!dwNumISAKMPSecurityMethods || !pSecurityMethods) {
|
|
dwError = ERROR_INVALID_PARAMETER;
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
}
|
|
|
|
if (dwNumISAKMPSecurityMethods > IPSEC_MAX_MM_OFFERS) {
|
|
dwOfferCount = IPSEC_MAX_MM_OFFERS;
|
|
}
|
|
else {
|
|
dwOfferCount = dwNumISAKMPSecurityMethods;
|
|
}
|
|
|
|
dwError = AllocateSPDMemory(
|
|
sizeof(IPSEC_MM_OFFER)*dwOfferCount,
|
|
&(pOffers)
|
|
);
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
|
|
pTempOffer = pOffers;
|
|
pTempBundle = pSecurityMethods;
|
|
|
|
for (i = 0; i < dwOfferCount; i++) {
|
|
|
|
PACopyMMOffer(
|
|
pTempBundle,
|
|
pTempOffer
|
|
);
|
|
|
|
pTempOffer++;
|
|
pTempBundle++;
|
|
|
|
}
|
|
|
|
*pdwOfferCount = dwOfferCount;
|
|
*ppOffers = pOffers;
|
|
return (dwError);
|
|
|
|
error:
|
|
|
|
if (pOffers) {
|
|
PAFreeMMOffers(
|
|
i,
|
|
pOffers
|
|
);
|
|
}
|
|
|
|
*pdwOfferCount = 0;
|
|
*ppOffers = NULL;
|
|
return (dwError);
|
|
}
|
|
|
|
|
|
VOID
|
|
PACopyMMOffer(
|
|
PCRYPTO_BUNDLE pBundle,
|
|
PIPSEC_MM_OFFER pOffer
|
|
)
|
|
{
|
|
pOffer->Lifetime.uKeyExpirationKBytes = pBundle->Lifetime.KBytes;
|
|
pOffer->Lifetime.uKeyExpirationTime = pBundle->Lifetime.Seconds;
|
|
|
|
pOffer->dwFlags = 0;
|
|
|
|
pOffer->dwQuickModeLimit = pBundle->QuickModeLimit;
|
|
|
|
pOffer->dwDHGroup = pBundle->OakleyGroup;
|
|
|
|
switch (pBundle->EncryptionAlgorithm.AlgorithmIdentifier) {
|
|
|
|
case IPSEC_ESP_DES:
|
|
pOffer->EncryptionAlgorithm.uAlgoIdentifier = CONF_ALGO_DES;
|
|
break;
|
|
|
|
case IPSEC_ESP_DES_40:
|
|
pOffer->EncryptionAlgorithm.uAlgoIdentifier = CONF_ALGO_DES;
|
|
break;
|
|
|
|
case IPSEC_ESP_3_DES:
|
|
pOffer->EncryptionAlgorithm.uAlgoIdentifier = CONF_ALGO_3_DES;
|
|
break;
|
|
|
|
default:
|
|
pOffer->EncryptionAlgorithm.uAlgoIdentifier= CONF_ALGO_NONE;
|
|
break;
|
|
|
|
}
|
|
|
|
pOffer->EncryptionAlgorithm.uAlgoKeyLen =
|
|
pBundle->EncryptionAlgorithm.KeySize;
|
|
|
|
pOffer->EncryptionAlgorithm.uAlgoRounds =
|
|
pBundle->EncryptionAlgorithm.Rounds;
|
|
|
|
switch(pBundle->HashAlgorithm.AlgorithmIdentifier) {
|
|
|
|
case IPSEC_AH_MD5:
|
|
pOffer->HashingAlgorithm.uAlgoIdentifier = AUTH_ALGO_MD5;
|
|
break;
|
|
|
|
case IPSEC_AH_SHA:
|
|
pOffer->HashingAlgorithm.uAlgoIdentifier = AUTH_ALGO_SHA1;
|
|
break;
|
|
|
|
default:
|
|
pOffer->HashingAlgorithm.uAlgoIdentifier = AUTH_ALGO_NONE;
|
|
break;
|
|
|
|
}
|
|
|
|
pOffer->HashingAlgorithm.uAlgoKeyLen =
|
|
pBundle->HashAlgorithm.KeySize;
|
|
|
|
pOffer->HashingAlgorithm.uAlgoRounds =
|
|
pBundle->HashAlgorithm.Rounds;
|
|
}
|
|
|
|
|
|
VOID
|
|
PAFreeMMPolicy(
|
|
PIPSEC_MM_POLICY pSPDMMPolicy
|
|
)
|
|
{
|
|
if (pSPDMMPolicy) {
|
|
|
|
if (pSPDMMPolicy->pszPolicyName) {
|
|
FreeSPDString(pSPDMMPolicy->pszPolicyName);
|
|
}
|
|
|
|
PAFreeMMOffers(
|
|
pSPDMMPolicy->dwOfferCount,
|
|
pSPDMMPolicy->pOffers
|
|
);
|
|
|
|
FreeSPDMemory(pSPDMMPolicy);
|
|
|
|
}
|
|
}
|
|
|
|
|
|
VOID
|
|
PAFreeMMOffers(
|
|
DWORD dwOfferCount,
|
|
PIPSEC_MM_OFFER pOffers
|
|
)
|
|
{
|
|
if (pOffers) {
|
|
FreeSPDMemory(pOffers);
|
|
}
|
|
}
|
|
|
|
|
|
DWORD
|
|
PADeleteAllMMPolicies(
|
|
)
|
|
{
|
|
DWORD dwError = 0;
|
|
PMMPOLICYSTATE pMMPolicyState = NULL;
|
|
LPWSTR pServerName = NULL;
|
|
PMMPOLICYSTATE pTemp = NULL;
|
|
PMMPOLICYSTATE pLeftMMPolicyState = NULL;
|
|
DWORD dwVersion = 0;
|
|
|
|
TRACE(TRC_INFORMATION, (L"Pastore deleting all MM polcies."));
|
|
|
|
pMMPolicyState = gpMMPolicyState;
|
|
|
|
while (pMMPolicyState) {
|
|
|
|
if (pMMPolicyState->bInSPD) {
|
|
|
|
dwError = DeleteMMPolicy(
|
|
pServerName,
|
|
dwVersion,
|
|
pMMPolicyState->pszPolicyName,
|
|
NULL
|
|
);
|
|
if (!dwError) {
|
|
pTemp = pMMPolicyState;
|
|
pMMPolicyState = pMMPolicyState->pNext;
|
|
PAFreeMMPolicyState(pTemp);
|
|
}
|
|
else {
|
|
pMMPolicyState->dwErrorCode = dwError;
|
|
|
|
pTemp = pMMPolicyState;
|
|
pMMPolicyState = pMMPolicyState->pNext;
|
|
|
|
pTemp->pNext = pLeftMMPolicyState;
|
|
pLeftMMPolicyState = pTemp;
|
|
}
|
|
|
|
}
|
|
else {
|
|
|
|
pTemp = pMMPolicyState;
|
|
pMMPolicyState = pMMPolicyState->pNext;
|
|
PAFreeMMPolicyState(pTemp);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
gpMMPolicyState = pLeftMMPolicyState;
|
|
|
|
return (dwError);
|
|
}
|
|
|
|
|
|
VOID
|
|
PAFreeMMPolicyStateList(
|
|
PMMPOLICYSTATE pMMPolicyState
|
|
)
|
|
{
|
|
PMMPOLICYSTATE pTemp = NULL;
|
|
|
|
|
|
while (pMMPolicyState) {
|
|
|
|
pTemp = pMMPolicyState;
|
|
pMMPolicyState = pMMPolicyState->pNext;
|
|
PAFreeMMPolicyState(pTemp);
|
|
|
|
}
|
|
}
|
|
|
|
|
|
PMMPOLICYSTATE
|
|
FindMMPolicyState(
|
|
GUID gPolicyID
|
|
)
|
|
{
|
|
PMMPOLICYSTATE pMMPolicyState = NULL;
|
|
|
|
|
|
pMMPolicyState = gpMMPolicyState;
|
|
|
|
while (pMMPolicyState) {
|
|
|
|
if (!memcmp(&(pMMPolicyState->gPolicyID), &gPolicyID, sizeof(GUID))) {
|
|
return (pMMPolicyState);
|
|
}
|
|
|
|
pMMPolicyState = pMMPolicyState->pNext;
|
|
|
|
}
|
|
|
|
return (NULL);
|
|
}
|
|
|
|
|
|
DWORD
|
|
PADeleteMMPolicies(
|
|
PIPSEC_ISAKMP_DATA * ppIpsecISAKMPData,
|
|
DWORD dwNumPolicies
|
|
)
|
|
{
|
|
DWORD dwError = 0;
|
|
DWORD i = 0;
|
|
PIPSEC_ISAKMP_DATA pIpsecISAKMPData = NULL;
|
|
|
|
|
|
for (i = 0; i < dwNumPolicies; i++) {
|
|
|
|
pIpsecISAKMPData = *(ppIpsecISAKMPData + i);
|
|
|
|
dwError = PADeleteMMPolicy(
|
|
pIpsecISAKMPData->ISAKMPIdentifier
|
|
);
|
|
|
|
}
|
|
|
|
return (dwError);
|
|
}
|
|
|
|
|
|
DWORD
|
|
PADeleteMMPolicy(
|
|
GUID gPolicyID
|
|
)
|
|
{
|
|
DWORD dwError = 0;
|
|
PMMPOLICYSTATE pMMPolicyState = NULL;
|
|
LPWSTR pServerName = NULL;
|
|
DWORD dwVersion = 0;
|
|
|
|
TRACE(
|
|
TRC_INFORMATION,
|
|
(L"Pastore deleting MM policy %!guid!",
|
|
&gPolicyID)
|
|
);
|
|
|
|
pMMPolicyState = FindMMPolicyState(
|
|
gPolicyID
|
|
);
|
|
if (!pMMPolicyState) {
|
|
dwError = ERROR_SUCCESS;
|
|
return (dwError);
|
|
}
|
|
|
|
if (pMMPolicyState->bInSPD) {
|
|
|
|
dwError = DeleteMMPolicy(
|
|
pServerName,
|
|
dwVersion,
|
|
pMMPolicyState->pszPolicyName,
|
|
NULL
|
|
);
|
|
if (dwError) {
|
|
pMMPolicyState->dwErrorCode = dwError;
|
|
}
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
|
|
}
|
|
|
|
PADeleteMMPolicyState(pMMPolicyState);
|
|
|
|
error:
|
|
|
|
return (dwError);
|
|
}
|
|
|
|
|
|
VOID
|
|
PADeleteMMPolicyState(
|
|
PMMPOLICYSTATE pMMPolicyState
|
|
)
|
|
{
|
|
PMMPOLICYSTATE * ppTemp = NULL;
|
|
|
|
|
|
ppTemp = &gpMMPolicyState;
|
|
|
|
while (*ppTemp) {
|
|
|
|
if (*ppTemp == pMMPolicyState) {
|
|
break;
|
|
}
|
|
ppTemp = &((*ppTemp)->pNext);
|
|
|
|
}
|
|
|
|
if (*ppTemp) {
|
|
*ppTemp = pMMPolicyState->pNext;
|
|
}
|
|
|
|
PAFreeMMPolicyState(pMMPolicyState);
|
|
|
|
return;
|
|
}
|
|
|
|
|
|
DWORD
|
|
PADeleteInUseMMPolicies(
|
|
)
|
|
{
|
|
DWORD dwError = 0;
|
|
PMMPOLICYSTATE pMMPolicyState = NULL;
|
|
LPWSTR pServerName = NULL;
|
|
PMMPOLICYSTATE pTemp = NULL;
|
|
PMMPOLICYSTATE pLeftMMPolicyState = NULL;
|
|
DWORD dwVersion = 0;
|
|
|
|
TRACE(TRC_INFORMATION, (L"Pastore deleting in-use MM polcies."));
|
|
|
|
pMMPolicyState = gpMMPolicyState;
|
|
|
|
while (pMMPolicyState) {
|
|
|
|
if (pMMPolicyState->bInSPD &&
|
|
(pMMPolicyState->dwErrorCode == ERROR_IPSEC_MM_POLICY_IN_USE)) {
|
|
|
|
dwError = DeleteMMPolicy(
|
|
pServerName,
|
|
dwVersion,
|
|
pMMPolicyState->pszPolicyName,
|
|
NULL
|
|
);
|
|
if (!dwError) {
|
|
pTemp = pMMPolicyState;
|
|
pMMPolicyState = pMMPolicyState->pNext;
|
|
PAFreeMMPolicyState(pTemp);
|
|
}
|
|
else {
|
|
pTemp = pMMPolicyState;
|
|
pMMPolicyState = pMMPolicyState->pNext;
|
|
|
|
pTemp->pNext = pLeftMMPolicyState;
|
|
pLeftMMPolicyState = pTemp;
|
|
}
|
|
|
|
}
|
|
else {
|
|
|
|
pTemp = pMMPolicyState;
|
|
pMMPolicyState = pMMPolicyState->pNext;
|
|
|
|
pTemp->pNext = pLeftMMPolicyState;
|
|
pLeftMMPolicyState = pTemp;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
gpMMPolicyState = pLeftMMPolicyState;
|
|
|
|
return (dwError);
|
|
}
|
|
|