You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2308 lines
58 KiB
2308 lines
58 KiB
|
|
|
|
#include "precomp.h"
|
|
#ifdef TRACE_ON
|
|
#include "paupdate.tmh"
|
|
#endif
|
|
|
|
|
|
DWORD
|
|
PADeleteObseleteISAKMPData(
|
|
PIPSEC_ISAKMP_DATA * ppOldIpsecISAKMPData,
|
|
DWORD dwNumOldPolicies,
|
|
PIPSEC_NFA_DATA * ppOldIpsecNFAData,
|
|
DWORD dwNumOldNFACount,
|
|
PIPSEC_ISAKMP_DATA * ppNewIpsecISAKMPData,
|
|
DWORD dwNumNewPolicies
|
|
)
|
|
{
|
|
DWORD dwError = 0;
|
|
DWORD i = 0;
|
|
PIPSEC_ISAKMP_DATA pOldIpsecISAKMPData = NULL;
|
|
PIPSEC_ISAKMP_DATA pFoundISAKMPData = NULL;
|
|
|
|
TRACE(TRC_INFORMATION, (L"Pastore update deleting obselete ISAKMP policy information"));
|
|
for (i = 0; i < dwNumOldPolicies; i++) {
|
|
|
|
pOldIpsecISAKMPData = *(ppOldIpsecISAKMPData + i);
|
|
|
|
pFoundISAKMPData = FindISAKMPData(
|
|
pOldIpsecISAKMPData,
|
|
ppNewIpsecISAKMPData,
|
|
dwNumNewPolicies
|
|
);
|
|
|
|
if (!pFoundISAKMPData) {
|
|
|
|
dwError = PADeleteMMFilters(
|
|
pOldIpsecISAKMPData,
|
|
ppOldIpsecNFAData,
|
|
dwNumOldNFACount
|
|
);
|
|
|
|
dwError = PADeleteMMPolicy(
|
|
pOldIpsecISAKMPData->ISAKMPIdentifier
|
|
);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return (dwError);
|
|
}
|
|
|
|
|
|
PIPSEC_ISAKMP_DATA
|
|
FindISAKMPData(
|
|
PIPSEC_ISAKMP_DATA pIpsecISAKMPData,
|
|
PIPSEC_ISAKMP_DATA * ppIpsecISAKMPData,
|
|
DWORD dwNumPolicies
|
|
)
|
|
{
|
|
DWORD i = 0;
|
|
PIPSEC_ISAKMP_DATA pTemp = NULL;
|
|
|
|
|
|
for (i = 0; i < dwNumPolicies; i++) {
|
|
|
|
pTemp = *(ppIpsecISAKMPData + i);
|
|
|
|
if (!memcmp(
|
|
&(pIpsecISAKMPData->ISAKMPIdentifier),
|
|
&(pTemp->ISAKMPIdentifier),
|
|
sizeof(GUID))) {
|
|
return (pTemp);
|
|
}
|
|
|
|
}
|
|
|
|
return (NULL);
|
|
}
|
|
|
|
|
|
DWORD
|
|
PADeleteObseleteNFAData(
|
|
PIPSEC_ISAKMP_DATA pNewIpsecISAKMPData,
|
|
PIPSEC_NFA_DATA * ppOldIpsecNFAData,
|
|
DWORD dwNumOldNFACount,
|
|
PIPSEC_NFA_DATA * ppNewIpsecNFAData,
|
|
DWORD dwNumNewNFACount
|
|
)
|
|
{
|
|
DWORD dwError = 0;
|
|
DWORD i = 0;
|
|
PIPSEC_NFA_DATA pOldIpsecNFAData = NULL;
|
|
PIPSEC_NFA_DATA pFoundNFAData = NULL;
|
|
|
|
TRACE(TRC_INFORMATION, (L"Pastore update deleting obselete MM and QM NFA-derived filters and policies"));
|
|
|
|
for (i = 0; i < dwNumOldNFACount; i++) {
|
|
|
|
pOldIpsecNFAData = *(ppOldIpsecNFAData + i);
|
|
|
|
pFoundNFAData = FindNFAData(
|
|
pOldIpsecNFAData,
|
|
ppNewIpsecNFAData,
|
|
dwNumNewNFACount
|
|
);
|
|
|
|
if (!pFoundNFAData) {
|
|
dwError = PADeleteMMFilterSpecs(
|
|
pNewIpsecISAKMPData,
|
|
pOldIpsecNFAData
|
|
);
|
|
|
|
dwError = PADeleteMMAuthMethod(
|
|
pOldIpsecNFAData->NFAIdentifier
|
|
);
|
|
|
|
dwError = PADeleteQMInfoForNFA(
|
|
pOldIpsecNFAData
|
|
);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return (dwError);
|
|
}
|
|
|
|
|
|
PIPSEC_NFA_DATA
|
|
FindNFAData(
|
|
PIPSEC_NFA_DATA pIpsecNFAData,
|
|
PIPSEC_NFA_DATA * ppIpsecNFAData,
|
|
DWORD dwNumNFACount
|
|
)
|
|
{
|
|
DWORD i = 0;
|
|
PIPSEC_NFA_DATA pTemp = NULL;
|
|
|
|
|
|
for (i = 0; i < dwNumNFACount; i++) {
|
|
|
|
pTemp = *(ppIpsecNFAData + i);
|
|
|
|
if (!memcmp(
|
|
&(pIpsecNFAData->NFAIdentifier),
|
|
&(pTemp->NFAIdentifier),
|
|
sizeof(GUID))) {
|
|
return (pTemp);
|
|
}
|
|
|
|
}
|
|
|
|
return (NULL);
|
|
}
|
|
|
|
|
|
DWORD
|
|
PAUpdateISAKMPData(
|
|
PIPSEC_ISAKMP_DATA * ppNewIpsecISAKMPData,
|
|
DWORD dwNumNewPolicies,
|
|
PIPSEC_NFA_DATA * ppOldIpsecNFAData,
|
|
DWORD dwNumOldNFACount,
|
|
PIPSEC_ISAKMP_DATA * ppOldIpsecISAKMPData,
|
|
DWORD dwNumOldPolicies,
|
|
IN DWORD dwSource
|
|
)
|
|
{
|
|
DWORD dwError = 0;
|
|
DWORD i = 0;
|
|
PIPSEC_ISAKMP_DATA pNewIpsecISAKMPData = NULL;
|
|
PIPSEC_ISAKMP_DATA pFoundISAKMPData = NULL;
|
|
|
|
TRACE(
|
|
TRC_INFORMATION,
|
|
(L"Pastore updating MM filters based on new ISAKMP data")
|
|
);
|
|
|
|
for (i = 0; i < dwNumNewPolicies; i++) {
|
|
|
|
pNewIpsecISAKMPData = *(ppNewIpsecISAKMPData + i);
|
|
|
|
pFoundISAKMPData = FindISAKMPData(
|
|
pNewIpsecISAKMPData,
|
|
ppOldIpsecISAKMPData,
|
|
dwNumOldPolicies
|
|
);
|
|
|
|
if (!pFoundISAKMPData) {
|
|
dwError = PAAddMMPolicies(
|
|
&pNewIpsecISAKMPData,
|
|
1,
|
|
dwSource
|
|
);
|
|
|
|
dwError = PAAddMMFilters(
|
|
pNewIpsecISAKMPData,
|
|
ppOldIpsecNFAData,
|
|
dwNumOldNFACount,
|
|
dwSource
|
|
);
|
|
}
|
|
else {
|
|
dwError = PAProcessISAKMPUpdate(
|
|
pFoundISAKMPData,
|
|
ppOldIpsecNFAData,
|
|
dwNumOldNFACount,
|
|
pNewIpsecISAKMPData,
|
|
dwSource
|
|
);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return (dwError);
|
|
}
|
|
|
|
|
|
DWORD
|
|
PAUpdateNFAData(
|
|
PIPSEC_ISAKMP_DATA pNewIpsecISAKMPData,
|
|
PIPSEC_NFA_DATA * ppNewIpsecNFAData,
|
|
DWORD dwNumNewNFACount,
|
|
PIPSEC_NFA_DATA * ppOldIpsecNFAData,
|
|
DWORD dwNumOldNFACount,
|
|
DWORD dwSource
|
|
)
|
|
{
|
|
DWORD dwError = 0;
|
|
DWORD i = 0;
|
|
PIPSEC_NFA_DATA pNewIpsecNFAData = NULL;
|
|
PIPSEC_NFA_DATA pFoundNFAData = NULL;
|
|
|
|
for (i = 0; i < dwNumNewNFACount; i++) {
|
|
|
|
pNewIpsecNFAData = *(ppNewIpsecNFAData + i);
|
|
|
|
TRACE(
|
|
TRC_INFORMATION,
|
|
(L"Pastore updating QM and MM filters and polcies based on NFA %!guid! data.",
|
|
&pNewIpsecNFAData->NFAIdentifier)
|
|
);
|
|
|
|
pFoundNFAData = FindNFAData(
|
|
pNewIpsecNFAData,
|
|
ppOldIpsecNFAData,
|
|
dwNumOldNFACount
|
|
);
|
|
|
|
if (!pFoundNFAData) {
|
|
|
|
dwError = PAAddMMAuthMethods(
|
|
&pNewIpsecNFAData,
|
|
1,
|
|
dwSource
|
|
);
|
|
|
|
dwError = PAAddMMFilterSpecs(
|
|
pNewIpsecISAKMPData,
|
|
pNewIpsecNFAData,
|
|
dwSource
|
|
);
|
|
|
|
dwError = PAAddQMInfoForNFA(
|
|
pNewIpsecNFAData,
|
|
dwSource
|
|
);
|
|
|
|
}
|
|
else {
|
|
dwError = PAProcessNFAUpdate(
|
|
pNewIpsecISAKMPData,
|
|
pFoundNFAData,
|
|
pNewIpsecNFAData,
|
|
dwSource
|
|
);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return (dwError);
|
|
}
|
|
|
|
|
|
DWORD
|
|
PAProcessISAKMPUpdate(
|
|
PIPSEC_ISAKMP_DATA pOldIpsecISAKMPData,
|
|
PIPSEC_NFA_DATA * ppOldIpsecNFAData,
|
|
DWORD dwNumOldNFACount,
|
|
PIPSEC_ISAKMP_DATA pNewIpsecISAKMPData,
|
|
IN DWORD dwSource
|
|
)
|
|
{
|
|
DWORD dwError = 0;
|
|
PMMPOLICYSTATE pMMPolicyState = NULL;
|
|
BOOL bEqual = FALSE;
|
|
PIPSEC_MM_POLICY pSPDMMPolicy = NULL;
|
|
LPWSTR pServerName = NULL;
|
|
DWORD dwVersion = 0;
|
|
|
|
|
|
pMMPolicyState = FindMMPolicyState(
|
|
pOldIpsecISAKMPData->ISAKMPIdentifier
|
|
);
|
|
if (!pMMPolicyState) {
|
|
dwError = PAAddMMPolicies(
|
|
&pNewIpsecISAKMPData,
|
|
1,
|
|
dwSource
|
|
);
|
|
dwError = PAAddMMFilters(
|
|
pNewIpsecISAKMPData,
|
|
ppOldIpsecNFAData,
|
|
dwNumOldNFACount,
|
|
dwSource
|
|
);
|
|
return (dwError);
|
|
}
|
|
|
|
if (!(pMMPolicyState->bInSPD)) {
|
|
PADeleteMMPolicyState(pMMPolicyState);
|
|
dwError = PAAddMMPolicies(
|
|
&pNewIpsecISAKMPData,
|
|
1,
|
|
dwSource
|
|
);
|
|
dwError = PAAddMMFilters(
|
|
pNewIpsecISAKMPData,
|
|
ppOldIpsecNFAData,
|
|
dwNumOldNFACount,
|
|
dwSource
|
|
);
|
|
return (dwError);
|
|
}
|
|
|
|
bEqual = EqualISAKMPData(
|
|
pOldIpsecISAKMPData,
|
|
pNewIpsecISAKMPData
|
|
);
|
|
if (bEqual) {
|
|
dwError = ERROR_SUCCESS;
|
|
return (dwError);
|
|
}
|
|
|
|
dwError = PACreateMMPolicy(
|
|
pNewIpsecISAKMPData,
|
|
pMMPolicyState,
|
|
&pSPDMMPolicy
|
|
);
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
|
|
dwError = SetMMPolicy(
|
|
pServerName,
|
|
dwVersion,
|
|
pMMPolicyState->pszPolicyName,
|
|
pSPDMMPolicy,
|
|
NULL
|
|
);
|
|
if (dwError != WARNING_IPSEC_MM_POLICY_PRUNED) {
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
} else {
|
|
dwError = ERROR_SUCCESS;
|
|
}
|
|
|
|
error:
|
|
#ifdef TRACE_ON
|
|
if (dwError) {
|
|
TRACE(TRC_ERROR, (L"Pastore update failed during processing of ISAKMP policy update: %!winerr!", dwError));
|
|
}
|
|
#endif
|
|
|
|
|
|
if (pSPDMMPolicy) {
|
|
PAFreeMMPolicy(pSPDMMPolicy);
|
|
}
|
|
|
|
return (dwError);
|
|
}
|
|
|
|
|
|
BOOL
|
|
EqualISAKMPData(
|
|
PIPSEC_ISAKMP_DATA pOldIpsecISAKMPData,
|
|
PIPSEC_ISAKMP_DATA pNewIpsecISAKMPData
|
|
)
|
|
{
|
|
BOOL bEqual = FALSE;
|
|
DWORD dwOldCnt = 0;
|
|
PCRYPTO_BUNDLE pOldSecurityMethods = NULL;
|
|
DWORD dwNewCnt = 0;
|
|
PCRYPTO_BUNDLE pNewSecurityMethods = NULL;
|
|
DWORD i = 0;
|
|
PCRYPTO_BUNDLE pNewTemp = NULL;
|
|
PCRYPTO_BUNDLE pOldTemp = NULL;
|
|
|
|
|
|
//
|
|
// At this point, pszPolicyName and ISAKMPIdentifier are same and
|
|
// dwWhenChanged is different.
|
|
//
|
|
|
|
dwOldCnt = pOldIpsecISAKMPData->dwNumISAKMPSecurityMethods;
|
|
pOldSecurityMethods = pOldIpsecISAKMPData->pSecurityMethods;
|
|
|
|
dwNewCnt = pNewIpsecISAKMPData->dwNumISAKMPSecurityMethods;
|
|
pNewSecurityMethods = pNewIpsecISAKMPData->pSecurityMethods;
|
|
|
|
//
|
|
// At this point, dwOldCnt >= 1 and pOldSecurityMethods != NULL.
|
|
//
|
|
|
|
if (!dwNewCnt || !pNewSecurityMethods) {
|
|
return (FALSE);
|
|
}
|
|
|
|
if (dwOldCnt != dwNewCnt) {
|
|
return (FALSE);
|
|
}
|
|
|
|
if (pOldIpsecISAKMPData->ISAKMPPolicy.dwFlags != pNewIpsecISAKMPData->ISAKMPPolicy.dwFlags) {
|
|
return (FALSE);
|
|
}
|
|
|
|
pNewTemp = pNewSecurityMethods;
|
|
pOldTemp = pOldSecurityMethods;
|
|
|
|
for (i = 0; i < dwNewCnt; i++) {
|
|
|
|
bEqual = FALSE;
|
|
|
|
bEqual = EqualCryptoBundle(
|
|
pOldTemp,
|
|
pNewTemp
|
|
);
|
|
if (!bEqual) {
|
|
break;
|
|
}
|
|
|
|
pOldTemp++;
|
|
|
|
pNewTemp++;
|
|
|
|
}
|
|
|
|
return (bEqual);
|
|
}
|
|
|
|
|
|
BOOL
|
|
EqualCryptoBundle(
|
|
PCRYPTO_BUNDLE pOldBundle,
|
|
PCRYPTO_BUNDLE pNewBundle
|
|
)
|
|
{
|
|
if (memcmp(
|
|
&(pOldBundle->Lifetime),
|
|
&(pNewBundle->Lifetime),
|
|
sizeof(OAKLEY_LIFETIME))) {
|
|
return (FALSE);
|
|
}
|
|
|
|
if (pOldBundle->QuickModeLimit != pNewBundle->QuickModeLimit) {
|
|
return (FALSE);
|
|
}
|
|
|
|
if (pOldBundle->OakleyGroup != pNewBundle->OakleyGroup) {
|
|
return (FALSE);
|
|
}
|
|
|
|
if (memcmp(
|
|
&(pOldBundle->EncryptionAlgorithm),
|
|
&(pNewBundle->EncryptionAlgorithm),
|
|
sizeof(OAKLEY_ALGORITHM))) {
|
|
return (FALSE);
|
|
}
|
|
|
|
if (memcmp(
|
|
&(pOldBundle->HashAlgorithm),
|
|
&(pNewBundle->HashAlgorithm),
|
|
sizeof(OAKLEY_ALGORITHM))) {
|
|
return (FALSE);
|
|
}
|
|
|
|
return (TRUE);
|
|
}
|
|
|
|
|
|
DWORD
|
|
PAProcessNFAUpdate(
|
|
PIPSEC_ISAKMP_DATA pNewIpsecISAKMPData,
|
|
PIPSEC_NFA_DATA pOldIpsecNFAData,
|
|
PIPSEC_NFA_DATA pNewIpsecNFAData,
|
|
DWORD dwSource
|
|
)
|
|
{
|
|
DWORD dwError = 0;
|
|
BOOL bAddedMMFilters = FALSE;
|
|
|
|
dwError = PAUpdateAuthMethod(
|
|
pNewIpsecISAKMPData,
|
|
pOldIpsecNFAData,
|
|
pNewIpsecNFAData,
|
|
&bAddedMMFilters,
|
|
dwSource
|
|
);
|
|
|
|
if (!bAddedMMFilters) {
|
|
dwError = PAUpdateMMFilters(
|
|
pNewIpsecISAKMPData,
|
|
pOldIpsecNFAData,
|
|
pNewIpsecNFAData,
|
|
dwSource
|
|
);
|
|
}
|
|
|
|
dwError = PAProcessQMNFAUpdate(
|
|
pOldIpsecNFAData,
|
|
pNewIpsecNFAData,
|
|
dwSource
|
|
);
|
|
|
|
return (dwError);
|
|
}
|
|
|
|
|
|
DWORD
|
|
PAUpdateAuthMethod(
|
|
PIPSEC_ISAKMP_DATA pNewIpsecISAKMPData,
|
|
PIPSEC_NFA_DATA pOldIpsecNFAData,
|
|
PIPSEC_NFA_DATA pNewIpsecNFAData,
|
|
PBOOL pbAddedMMFilters,
|
|
DWORD dwSource
|
|
)
|
|
{
|
|
DWORD dwError = 0;
|
|
PMMAUTHSTATE pMMAuthState = NULL;
|
|
BOOL bEqual = FALSE;
|
|
PINT_MM_AUTH_METHODS pSPDMMAuthMethods = NULL;
|
|
LPWSTR pServerName = NULL;
|
|
DWORD dwVersion = 0;
|
|
|
|
*pbAddedMMFilters = FALSE;
|
|
|
|
pMMAuthState = FindMMAuthState(
|
|
pOldIpsecNFAData->NFAIdentifier
|
|
);
|
|
if (!pMMAuthState) {
|
|
dwError = PAAddMMAuthMethods(
|
|
&pNewIpsecNFAData,
|
|
1,
|
|
dwSource
|
|
);
|
|
dwError = PAAddMMFilterSpecs(
|
|
pNewIpsecISAKMPData,
|
|
pNewIpsecNFAData,
|
|
dwSource
|
|
);
|
|
*pbAddedMMFilters = TRUE;
|
|
return (dwError);
|
|
}
|
|
|
|
if (!(pMMAuthState->bInSPD)) {
|
|
|
|
PADeleteMMAuthState(pMMAuthState);
|
|
dwError = PAAddMMAuthMethods(
|
|
&pNewIpsecNFAData,
|
|
1,
|
|
dwSource
|
|
);
|
|
dwError = PAAddMMFilterSpecs(
|
|
pNewIpsecISAKMPData,
|
|
pNewIpsecNFAData,
|
|
dwSource
|
|
);
|
|
*pbAddedMMFilters = TRUE;
|
|
return (dwError);
|
|
}
|
|
|
|
bEqual = EqualAuthMethodData(
|
|
pOldIpsecNFAData,
|
|
pNewIpsecNFAData
|
|
);
|
|
if (bEqual) {
|
|
dwError = ERROR_SUCCESS;
|
|
return (dwError);
|
|
}
|
|
|
|
dwError = PACreateMMAuthMethods(
|
|
pNewIpsecNFAData,
|
|
&pSPDMMAuthMethods
|
|
);
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
|
|
dwError = IntSetMMAuthMethods(
|
|
pServerName,
|
|
dwVersion,
|
|
pMMAuthState->gMMAuthID,
|
|
pSPDMMAuthMethods,
|
|
NULL
|
|
);
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
|
|
error:
|
|
|
|
if (pSPDMMAuthMethods) {
|
|
PAFreeMMAuthMethods(pSPDMMAuthMethods);
|
|
}
|
|
|
|
return (dwError);
|
|
}
|
|
|
|
|
|
BOOL
|
|
EqualAuthMethodData(
|
|
PIPSEC_NFA_DATA pOldIpsecNFAData,
|
|
PIPSEC_NFA_DATA pNewIpsecNFAData
|
|
)
|
|
{
|
|
BOOL bEqual = FALSE;
|
|
DWORD dwOldCnt = 0;
|
|
PIPSEC_AUTH_METHOD * ppOldAuthMethods = NULL;
|
|
DWORD dwNewCnt = 0;
|
|
PIPSEC_AUTH_METHOD * ppNewAuthMethods = NULL;
|
|
DWORD i = 0;
|
|
PIPSEC_AUTH_METHOD pNewAuthMethod = NULL;
|
|
PIPSEC_AUTH_METHOD pOldAuthMethod = NULL;
|
|
|
|
|
|
//
|
|
// At this point, NFAIdentifier is same and
|
|
// dwWhenChanged is different.
|
|
//
|
|
|
|
dwOldCnt = pOldIpsecNFAData->dwAuthMethodCount;
|
|
ppOldAuthMethods = pOldIpsecNFAData->ppAuthMethods;
|
|
|
|
dwNewCnt = pNewIpsecNFAData->dwAuthMethodCount;
|
|
ppNewAuthMethods = pNewIpsecNFAData->ppAuthMethods;
|
|
|
|
//
|
|
// At this point, dwOldCnt >= 1 and ppOldAuthMethods != NULL.
|
|
//
|
|
|
|
if (!dwNewCnt || !ppNewAuthMethods) {
|
|
return (FALSE);
|
|
}
|
|
|
|
if (dwOldCnt != dwNewCnt) {
|
|
return (FALSE);
|
|
}
|
|
|
|
|
|
for (i = 0; i < dwNewCnt; i++) {
|
|
|
|
pNewAuthMethod = *(ppNewAuthMethods + i);
|
|
|
|
pOldAuthMethod = *(ppOldAuthMethods + i);
|
|
|
|
bEqual = FALSE;
|
|
|
|
bEqual = EqualAuthBundle(
|
|
pOldAuthMethod,
|
|
pNewAuthMethod
|
|
);
|
|
|
|
if (!bEqual) {
|
|
break;
|
|
}
|
|
|
|
}
|
|
|
|
return (bEqual);
|
|
}
|
|
|
|
|
|
BOOL
|
|
EqualAuthBundle(
|
|
PIPSEC_AUTH_METHOD pOldAuthMethod,
|
|
PIPSEC_AUTH_METHOD pNewAuthMethod
|
|
)
|
|
{
|
|
BOOL bEqual = FALSE;
|
|
DWORD dwOldAuthLen = 0;
|
|
DWORD dwNewAuthLen = 0;
|
|
|
|
|
|
if (pOldAuthMethod->dwAuthType != pNewAuthMethod->dwAuthType) {
|
|
return (FALSE);
|
|
}
|
|
|
|
switch (pNewAuthMethod->dwAuthType) {
|
|
|
|
case OAK_SSPI:
|
|
|
|
bEqual = TRUE;
|
|
break;
|
|
|
|
default:
|
|
|
|
//
|
|
// Since auth version 2 also has auth version 1 fields filled in it, so
|
|
// there is no need to explicitly compare exclusive auth version 2 fields.
|
|
//
|
|
|
|
dwOldAuthLen = pOldAuthMethod->dwAuthLen;
|
|
dwNewAuthLen = pNewAuthMethod->dwAuthLen;
|
|
|
|
if (pOldAuthMethod->dwAuthFlags != pNewAuthMethod->dwAuthFlags) {
|
|
bEqual = FALSE;
|
|
break;
|
|
}
|
|
|
|
if (!dwNewAuthLen || !(pNewAuthMethod->pszAuthMethod)) {
|
|
bEqual = FALSE;
|
|
break;
|
|
}
|
|
|
|
if (dwOldAuthLen != dwNewAuthLen) {
|
|
bEqual = FALSE;
|
|
break;
|
|
}
|
|
|
|
if (!memcmp(
|
|
(LPBYTE) pNewAuthMethod->pszAuthMethod,
|
|
(LPBYTE) pOldAuthMethod->pszAuthMethod,
|
|
(dwNewAuthLen*sizeof(WCHAR)))) {
|
|
bEqual = TRUE;
|
|
break;
|
|
}
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
return (bEqual);
|
|
}
|
|
|
|
|
|
DWORD
|
|
PAProcessQMNFAUpdate(
|
|
PIPSEC_NFA_DATA pOldIpsecNFAData,
|
|
PIPSEC_NFA_DATA pNewIpsecNFAData,
|
|
DWORD dwSource
|
|
)
|
|
{
|
|
DWORD dwError = 0;
|
|
PIPSEC_NEGPOL_DATA pOldIpsecNegPolData = NULL;
|
|
PIPSEC_NEGPOL_DATA pNewIpsecNegPolData = NULL;
|
|
BOOL bAddedQMFilters = FALSE;
|
|
|
|
|
|
pOldIpsecNegPolData = pOldIpsecNFAData->pIpsecNegPolData;
|
|
pNewIpsecNegPolData = pNewIpsecNFAData->pIpsecNegPolData;
|
|
|
|
if (memcmp(
|
|
&(pOldIpsecNegPolData->NegPolIdentifier),
|
|
&(pNewIpsecNegPolData->NegPolIdentifier),
|
|
sizeof(GUID))) {
|
|
|
|
dwError = PADeleteQMInfoForNFA(pOldIpsecNFAData);
|
|
|
|
dwError = PAAddQMInfoForNFA(pNewIpsecNFAData, dwSource);
|
|
|
|
}
|
|
else {
|
|
|
|
dwError = PAProcessNegPolUpdate(
|
|
pOldIpsecNFAData,
|
|
pNewIpsecNFAData,
|
|
&bAddedQMFilters,
|
|
dwSource
|
|
);
|
|
|
|
if (!bAddedQMFilters) {
|
|
dwError = PAUpdateQMFilters(
|
|
pOldIpsecNFAData,
|
|
pNewIpsecNFAData,
|
|
dwSource
|
|
);
|
|
}
|
|
|
|
}
|
|
|
|
return (dwError);
|
|
}
|
|
|
|
|
|
DWORD
|
|
PADeleteQMInfoForNFA(
|
|
PIPSEC_NFA_DATA pOldIpsecNFAData
|
|
)
|
|
{
|
|
DWORD dwError = 0;
|
|
PIPSEC_NEGPOL_DATA pOldIpsecNegPolData = NULL;
|
|
|
|
|
|
dwError = PADeleteQMFilterSpecs(
|
|
pOldIpsecNFAData
|
|
);
|
|
|
|
pOldIpsecNegPolData = pOldIpsecNFAData->pIpsecNegPolData;
|
|
|
|
dwError = PADeleteQMPolicy(
|
|
pOldIpsecNegPolData->NegPolIdentifier
|
|
);
|
|
|
|
return (dwError);
|
|
}
|
|
|
|
|
|
DWORD
|
|
PAAddQMInfoForNFA(
|
|
PIPSEC_NFA_DATA pNewIpsecNFAData,
|
|
DWORD dwSource
|
|
)
|
|
{
|
|
DWORD dwError = 0;
|
|
|
|
|
|
dwError = PAAddQMPolicies(
|
|
&pNewIpsecNFAData,
|
|
1,
|
|
dwSource
|
|
);
|
|
|
|
dwError = PAAddQMFilterSpecs(
|
|
pNewIpsecNFAData,
|
|
dwSource
|
|
);
|
|
|
|
return (dwError);
|
|
}
|
|
|
|
|
|
DWORD
|
|
PAProcessNegPolUpdate(
|
|
PIPSEC_NFA_DATA pOldIpsecNFAData,
|
|
PIPSEC_NFA_DATA pNewIpsecNFAData,
|
|
PBOOL pbAddedQMFilters,
|
|
DWORD dwSource
|
|
)
|
|
{
|
|
DWORD dwError = 0;
|
|
PIPSEC_NEGPOL_DATA pOldIpsecNegPolData = NULL;
|
|
PIPSEC_NEGPOL_DATA pNewIpsecNegPolData = NULL;
|
|
PQMPOLICYSTATE pQMPolicyState = NULL;
|
|
BOOL bEqual = FALSE;
|
|
PIPSEC_QM_POLICY pSPDQMPolicy = NULL;
|
|
LPWSTR pServerName = NULL;
|
|
DWORD dwVersion = 0;
|
|
|
|
*pbAddedQMFilters = FALSE;
|
|
|
|
pOldIpsecNegPolData = pOldIpsecNFAData->pIpsecNegPolData;
|
|
pNewIpsecNegPolData = pNewIpsecNFAData->pIpsecNegPolData;
|
|
|
|
pQMPolicyState = FindQMPolicyState(
|
|
pOldIpsecNegPolData->NegPolIdentifier
|
|
);
|
|
if (!pQMPolicyState) {
|
|
dwError = PAAddQMInfoForNFA(pNewIpsecNFAData, dwSource);
|
|
*pbAddedQMFilters = TRUE;
|
|
return (dwError);
|
|
}
|
|
|
|
if (IsClearOnly(pQMPolicyState->gNegPolAction)) {
|
|
if (IsClearOnly(pNewIpsecNegPolData->NegPolAction)) {
|
|
dwError = ERROR_SUCCESS;
|
|
return (dwError);
|
|
}
|
|
else {
|
|
dwError = PADeleteQMInfoForNFA(pOldIpsecNFAData);
|
|
dwError = PAAddQMInfoForNFA(pNewIpsecNFAData, dwSource);
|
|
*pbAddedQMFilters = TRUE;
|
|
return (dwError);
|
|
}
|
|
}
|
|
|
|
if (IsBlocking(pQMPolicyState->gNegPolAction)) {
|
|
if (IsBlocking(pNewIpsecNegPolData->NegPolAction)) {
|
|
dwError = ERROR_SUCCESS;
|
|
return (dwError);
|
|
}
|
|
else {
|
|
dwError = PADeleteQMInfoForNFA(pOldIpsecNFAData);
|
|
dwError = PAAddQMInfoForNFA(pNewIpsecNFAData, dwSource);
|
|
*pbAddedQMFilters = TRUE;
|
|
return (dwError);
|
|
}
|
|
}
|
|
|
|
if (IsClearOnly(pNewIpsecNegPolData->NegPolAction)) {
|
|
if (IsClearOnly(pQMPolicyState->gNegPolAction)) {
|
|
dwError = ERROR_SUCCESS;
|
|
return (dwError);
|
|
}
|
|
else {
|
|
dwError = PADeleteQMInfoForNFA(pOldIpsecNFAData);
|
|
dwError = PAAddQMInfoForNFA(pNewIpsecNFAData, dwSource);
|
|
*pbAddedQMFilters = TRUE;
|
|
return (dwError);
|
|
}
|
|
}
|
|
|
|
if (IsBlocking(pNewIpsecNegPolData->NegPolAction)) {
|
|
if (IsBlocking(pQMPolicyState->gNegPolAction)) {
|
|
dwError = ERROR_SUCCESS;
|
|
return (dwError);
|
|
}
|
|
else {
|
|
dwError = PADeleteQMInfoForNFA(pOldIpsecNFAData);
|
|
dwError = PAAddQMInfoForNFA(pNewIpsecNFAData, dwSource);
|
|
*pbAddedQMFilters = TRUE;
|
|
return (dwError);
|
|
}
|
|
}
|
|
|
|
if (!(pQMPolicyState->bInSPD)) {
|
|
PADeleteQMPolicy(pQMPolicyState->gPolicyID);
|
|
dwError = PAAddQMInfoForNFA(pNewIpsecNFAData, dwSource);
|
|
*pbAddedQMFilters = TRUE;
|
|
return (dwError);
|
|
}
|
|
|
|
bEqual = EqualNegPolData(
|
|
pOldIpsecNegPolData,
|
|
pNewIpsecNegPolData
|
|
);
|
|
if (bEqual) {
|
|
dwError = ERROR_SUCCESS;
|
|
return (dwError);
|
|
}
|
|
|
|
memcpy(
|
|
&(pQMPolicyState->gNegPolType),
|
|
&(pNewIpsecNegPolData->NegPolType),
|
|
sizeof(GUID)
|
|
);
|
|
|
|
memcpy(
|
|
&(pQMPolicyState->gNegPolAction),
|
|
&(pNewIpsecNegPolData->NegPolAction),
|
|
sizeof(GUID)
|
|
);
|
|
|
|
dwError = PACreateQMPolicy(
|
|
pNewIpsecNFAData,
|
|
pQMPolicyState,
|
|
&pSPDQMPolicy
|
|
);
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
|
|
dwError = SetQMPolicy(
|
|
pServerName,
|
|
dwVersion,
|
|
pQMPolicyState->pszPolicyName,
|
|
pSPDQMPolicy,
|
|
NULL
|
|
);
|
|
if (dwError != WARNING_IPSEC_QM_POLICY_PRUNED) {
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
} else {
|
|
dwError = ERROR_SUCCESS;
|
|
}
|
|
|
|
|
|
error:
|
|
|
|
if (pSPDQMPolicy) {
|
|
PAFreeQMPolicy(pSPDQMPolicy);
|
|
}
|
|
|
|
return (dwError);
|
|
}
|
|
|
|
|
|
BOOL
|
|
EqualNegPolData(
|
|
PIPSEC_NEGPOL_DATA pOldIpsecNegPolData,
|
|
PIPSEC_NEGPOL_DATA pNewIpsecNegPolData
|
|
)
|
|
{
|
|
BOOL bEqual = FALSE;
|
|
DWORD dwOldCnt = 0;
|
|
PIPSEC_SECURITY_METHOD pOldSecurityMethods = NULL;
|
|
DWORD dwNewCnt = 0;
|
|
PIPSEC_SECURITY_METHOD pNewSecurityMethods = NULL;
|
|
DWORD i = 0;
|
|
PIPSEC_SECURITY_METHOD pNewTemp = NULL;
|
|
PIPSEC_SECURITY_METHOD pOldTemp = NULL;
|
|
|
|
|
|
//
|
|
// At this point, pszPolicyName and NegPolIdentifier are same and
|
|
// dwWhenChanged is different.
|
|
//
|
|
|
|
if (memcmp(
|
|
&(pOldIpsecNegPolData->NegPolAction),
|
|
&(pNewIpsecNegPolData->NegPolAction),
|
|
sizeof(GUID))) {
|
|
return (FALSE);
|
|
}
|
|
|
|
if (memcmp(
|
|
&(pOldIpsecNegPolData->NegPolType),
|
|
&(pNewIpsecNegPolData->NegPolType),
|
|
sizeof(GUID))) {
|
|
return (FALSE);
|
|
}
|
|
|
|
dwOldCnt = pOldIpsecNegPolData->dwSecurityMethodCount;
|
|
pOldSecurityMethods = pOldIpsecNegPolData->pIpsecSecurityMethods;
|
|
|
|
dwNewCnt = pNewIpsecNegPolData->dwSecurityMethodCount;
|
|
pNewSecurityMethods = pNewIpsecNegPolData->pIpsecSecurityMethods;
|
|
|
|
//
|
|
// At this point, dwOldCnt >= 1 and pOldSecurityMethods != NULL.
|
|
//
|
|
|
|
if (!dwNewCnt || !pNewSecurityMethods) {
|
|
return (FALSE);
|
|
}
|
|
|
|
if (dwOldCnt != dwNewCnt) {
|
|
return (FALSE);
|
|
}
|
|
|
|
pNewTemp = pNewSecurityMethods;
|
|
pOldTemp = pOldSecurityMethods;
|
|
|
|
for (i = 0; i < dwNewCnt; i++) {
|
|
|
|
bEqual = FALSE;
|
|
|
|
bEqual = EqualSecurityMethod(
|
|
pOldTemp,
|
|
pNewTemp
|
|
);
|
|
|
|
if (!bEqual) {
|
|
break;
|
|
}
|
|
|
|
pOldTemp++;
|
|
|
|
pNewTemp++;
|
|
|
|
}
|
|
|
|
return (bEqual);
|
|
}
|
|
|
|
|
|
BOOL
|
|
EqualSecurityMethod(
|
|
PIPSEC_SECURITY_METHOD pOldBundle,
|
|
PIPSEC_SECURITY_METHOD pNewBundle
|
|
)
|
|
{
|
|
DWORD i = 0;
|
|
|
|
|
|
if (memcmp(
|
|
&(pOldBundle->Lifetime),
|
|
&(pNewBundle->Lifetime),
|
|
sizeof(LIFETIME))) {
|
|
return (FALSE);
|
|
}
|
|
|
|
if (pOldBundle->Flags != pNewBundle->Flags) {
|
|
return (FALSE);
|
|
}
|
|
|
|
if (pOldBundle->PfsQMRequired != pNewBundle->PfsQMRequired) {
|
|
return (FALSE);
|
|
}
|
|
|
|
if (pOldBundle->Count != pNewBundle->Count) {
|
|
return (FALSE);
|
|
}
|
|
|
|
if (pNewBundle->Count == 0) {
|
|
return (TRUE);
|
|
}
|
|
|
|
for (i = 0; i < (pNewBundle->Count); i++) {
|
|
|
|
if (memcmp(
|
|
&(pOldBundle->Algos[i]),
|
|
&(pNewBundle->Algos[i]),
|
|
sizeof(IPSEC_ALGO_INFO))) {
|
|
return (FALSE);
|
|
}
|
|
|
|
}
|
|
|
|
return (TRUE);
|
|
}
|
|
|
|
|
|
DWORD
|
|
PAUpdateMMFilters(
|
|
PIPSEC_ISAKMP_DATA pNewIpsecISAKMPData,
|
|
PIPSEC_NFA_DATA pOldIpsecNFAData,
|
|
PIPSEC_NFA_DATA pNewIpsecNFAData,
|
|
DWORD dwSource
|
|
)
|
|
{
|
|
DWORD dwError = 0;
|
|
BOOL bEqual = FALSE;
|
|
PIPSEC_NEGPOL_DATA pOldIpsecNegPolData = NULL;
|
|
PIPSEC_NEGPOL_DATA pNewIpsecNegPolData = NULL;
|
|
|
|
pOldIpsecNegPolData = pOldIpsecNFAData->pIpsecNegPolData;
|
|
pNewIpsecNegPolData = pNewIpsecNFAData->pIpsecNegPolData;
|
|
|
|
bEqual = EqualFilterKeysInNegPols(
|
|
pOldIpsecNegPolData,
|
|
pNewIpsecNegPolData
|
|
);
|
|
if (!bEqual) {
|
|
dwError = PADeleteMMFilterSpecs(
|
|
pNewIpsecISAKMPData,
|
|
pOldIpsecNFAData
|
|
);
|
|
dwError = PAAddMMFilterSpecs(
|
|
pNewIpsecISAKMPData,
|
|
pNewIpsecNFAData,
|
|
dwSource
|
|
);
|
|
return (dwError);
|
|
}
|
|
|
|
bEqual = EqualFilterKeysInNFAs(
|
|
pOldIpsecNFAData,
|
|
pNewIpsecNFAData
|
|
);
|
|
if (!bEqual) {
|
|
dwError = PADeleteMMFilterSpecs(
|
|
pNewIpsecISAKMPData,
|
|
pOldIpsecNFAData
|
|
);
|
|
dwError = PAAddMMFilterSpecs(
|
|
pNewIpsecISAKMPData,
|
|
pNewIpsecNFAData,
|
|
dwSource
|
|
);
|
|
return (dwError);
|
|
}
|
|
|
|
if (!memcmp(
|
|
&(pNewIpsecNegPolData->NegPolType),
|
|
&(GUID_NEGOTIATION_TYPE_DEFAULT),
|
|
sizeof(GUID))) {
|
|
dwError = ERROR_SUCCESS;
|
|
return (dwError);
|
|
}
|
|
|
|
if (IsClearOnly(pNewIpsecNegPolData->NegPolAction) ||
|
|
IsBlocking(pNewIpsecNegPolData->NegPolAction)) {
|
|
dwError = ERROR_SUCCESS;
|
|
return (dwError);
|
|
}
|
|
|
|
dwError = PAProcessMMFilterDataForNFAs(
|
|
pNewIpsecISAKMPData,
|
|
pOldIpsecNFAData,
|
|
pNewIpsecNFAData,
|
|
dwSource
|
|
);
|
|
|
|
return (dwError);
|
|
}
|
|
|
|
|
|
BOOL
|
|
EqualFilterKeysInNegPols(
|
|
PIPSEC_NEGPOL_DATA pOldIpsecNegPolData,
|
|
PIPSEC_NEGPOL_DATA pNewIpsecNegPolData
|
|
)
|
|
{
|
|
BOOL bOldAllowsSoft = FALSE;
|
|
BOOL bNewAllowsSoft = FALSE;
|
|
|
|
|
|
if (memcmp(
|
|
&(pOldIpsecNegPolData->NegPolType),
|
|
&(pNewIpsecNegPolData->NegPolType),
|
|
sizeof(GUID))) {
|
|
return (FALSE);
|
|
}
|
|
|
|
if (memcmp(
|
|
&(pOldIpsecNegPolData->NegPolAction),
|
|
&(pNewIpsecNegPolData->NegPolAction),
|
|
sizeof(GUID))) {
|
|
return (FALSE);
|
|
}
|
|
|
|
bOldAllowsSoft = AllowsSoft(
|
|
pOldIpsecNegPolData->dwSecurityMethodCount,
|
|
pOldIpsecNegPolData->pIpsecSecurityMethods
|
|
);
|
|
|
|
bNewAllowsSoft = AllowsSoft(
|
|
pNewIpsecNegPolData->dwSecurityMethodCount,
|
|
pNewIpsecNegPolData->pIpsecSecurityMethods
|
|
);
|
|
|
|
if (bOldAllowsSoft != bNewAllowsSoft) {
|
|
return (FALSE);
|
|
}
|
|
|
|
return (TRUE);
|
|
}
|
|
|
|
|
|
BOOL
|
|
EqualFilterKeysInNFAs(
|
|
PIPSEC_NFA_DATA pOldIpsecNFAData,
|
|
PIPSEC_NFA_DATA pNewIpsecNFAData
|
|
)
|
|
{
|
|
if (pOldIpsecNFAData->dwInterfaceType !=
|
|
pNewIpsecNFAData->dwInterfaceType) {
|
|
return (FALSE);
|
|
}
|
|
|
|
if (pOldIpsecNFAData->dwTunnelFlags !=
|
|
pNewIpsecNFAData->dwTunnelFlags) {
|
|
return (FALSE);
|
|
}
|
|
|
|
if (pOldIpsecNFAData->dwTunnelIpAddr !=
|
|
pNewIpsecNFAData->dwTunnelIpAddr) {
|
|
return (FALSE);
|
|
}
|
|
|
|
return (TRUE);
|
|
}
|
|
|
|
|
|
DWORD
|
|
PAProcessMMFilterDataForNFAs(
|
|
PIPSEC_ISAKMP_DATA pNewIpsecISAKMPData,
|
|
PIPSEC_NFA_DATA pOldIpsecNFAData,
|
|
PIPSEC_NFA_DATA pNewIpsecNFAData,
|
|
DWORD dwSource
|
|
)
|
|
{
|
|
DWORD dwError = 0;
|
|
PIPSEC_FILTER_DATA pOldIpsecFilterData = NULL;
|
|
PIPSEC_FILTER_DATA pNewIpsecFilterData = NULL;
|
|
DWORD dwNumOldFilterSpecs = 0;
|
|
PIPSEC_FILTER_SPEC * ppOldFilterSpecs = NULL;
|
|
DWORD dwNumNewFilterSpecs = 0;
|
|
PIPSEC_FILTER_SPEC * ppNewFilterSpecs = NULL;
|
|
|
|
|
|
pOldIpsecFilterData = pOldIpsecNFAData->pIpsecFilterData;
|
|
pNewIpsecFilterData = pNewIpsecNFAData->pIpsecFilterData;
|
|
|
|
if (!pOldIpsecFilterData) {
|
|
if (!pNewIpsecFilterData) {
|
|
dwError = ERROR_SUCCESS;
|
|
return (dwError);
|
|
}
|
|
else {
|
|
dwError = PAAddMMFilterSpecs(
|
|
pNewIpsecISAKMPData,
|
|
pNewIpsecNFAData,
|
|
dwSource
|
|
);
|
|
return (dwError);
|
|
}
|
|
}
|
|
|
|
if (!pNewIpsecFilterData) {
|
|
dwError = PADeleteMMFilterSpecs(
|
|
pNewIpsecISAKMPData,
|
|
pOldIpsecNFAData
|
|
);
|
|
return (dwError);
|
|
}
|
|
|
|
if (memcmp(
|
|
&(pOldIpsecFilterData->FilterIdentifier),
|
|
&(pNewIpsecFilterData->FilterIdentifier),
|
|
sizeof(GUID))) {
|
|
dwError = PADeleteMMFilterSpecs(
|
|
pNewIpsecISAKMPData,
|
|
pOldIpsecNFAData
|
|
);
|
|
dwError = PAAddMMFilterSpecs(
|
|
pNewIpsecISAKMPData,
|
|
pNewIpsecNFAData,
|
|
dwSource
|
|
);
|
|
return (dwError);
|
|
}
|
|
|
|
dwNumOldFilterSpecs = pOldIpsecFilterData->dwNumFilterSpecs;
|
|
ppOldFilterSpecs = pOldIpsecFilterData->ppFilterSpecs;
|
|
|
|
dwNumNewFilterSpecs = pNewIpsecFilterData->dwNumFilterSpecs;
|
|
ppNewFilterSpecs = pNewIpsecFilterData->ppFilterSpecs;
|
|
|
|
dwError = PADeleteObseleteMMFilterSpecs(
|
|
pNewIpsecISAKMPData,
|
|
pOldIpsecNFAData,
|
|
dwNumOldFilterSpecs,
|
|
ppOldFilterSpecs,
|
|
pNewIpsecNFAData,
|
|
dwNumNewFilterSpecs,
|
|
ppNewFilterSpecs
|
|
);
|
|
|
|
dwError = PAUpdateMMFilterSpecs(
|
|
pNewIpsecISAKMPData,
|
|
pOldIpsecNFAData,
|
|
dwNumOldFilterSpecs,
|
|
ppOldFilterSpecs,
|
|
pNewIpsecNFAData,
|
|
dwNumNewFilterSpecs,
|
|
ppNewFilterSpecs,
|
|
dwSource
|
|
);
|
|
|
|
return (dwError);
|
|
}
|
|
|
|
|
|
DWORD
|
|
PADeleteObseleteMMFilterSpecs(
|
|
PIPSEC_ISAKMP_DATA pNewIpsecISAKMPData,
|
|
PIPSEC_NFA_DATA pOldIpsecNFAData,
|
|
DWORD dwNumOldFilterSpecs,
|
|
PIPSEC_FILTER_SPEC * ppOldFilterSpecs,
|
|
PIPSEC_NFA_DATA pNewIpsecNFAData,
|
|
DWORD dwNumNewFilterSpecs,
|
|
PIPSEC_FILTER_SPEC * ppNewFilterSpecs
|
|
)
|
|
{
|
|
DWORD dwError = 0;
|
|
DWORD i = 0;
|
|
PIPSEC_FILTER_SPEC pOldFilterSpec = NULL;
|
|
PIPSEC_FILTER_SPEC pFoundFilterSpec = NULL;
|
|
|
|
for (i = 0; i < dwNumOldFilterSpecs; i++) {
|
|
|
|
pOldFilterSpec = *(ppOldFilterSpecs + i);
|
|
|
|
pFoundFilterSpec = FindFilterSpec(
|
|
pOldFilterSpec,
|
|
ppNewFilterSpecs,
|
|
dwNumNewFilterSpecs
|
|
);
|
|
|
|
if (!pFoundFilterSpec) {
|
|
dwError = PADeleteMMFilter(
|
|
pOldFilterSpec->FilterSpecGUID,
|
|
pOldIpsecNFAData->NFAIdentifier
|
|
);
|
|
}
|
|
|
|
}
|
|
|
|
return (dwError);
|
|
}
|
|
|
|
|
|
PIPSEC_FILTER_SPEC
|
|
FindFilterSpec(
|
|
PIPSEC_FILTER_SPEC pFilterSpec,
|
|
PIPSEC_FILTER_SPEC * ppFilterSpecs,
|
|
DWORD dwNumFilterSpecs
|
|
)
|
|
{
|
|
DWORD i = 0;
|
|
PIPSEC_FILTER_SPEC pTemp = NULL;
|
|
|
|
|
|
for (i = 0; i < dwNumFilterSpecs; i++) {
|
|
|
|
pTemp = *(ppFilterSpecs + i);
|
|
|
|
if (!memcmp(
|
|
&(pFilterSpec->FilterSpecGUID),
|
|
&(pTemp->FilterSpecGUID),
|
|
sizeof(GUID))) {
|
|
return (pTemp);
|
|
}
|
|
|
|
}
|
|
|
|
return (NULL);
|
|
}
|
|
|
|
|
|
DWORD
|
|
PAUpdateMMFilterSpecs(
|
|
PIPSEC_ISAKMP_DATA pNewIpsecISAKMPData,
|
|
PIPSEC_NFA_DATA pOldIpsecNFAData,
|
|
DWORD dwNumOldFilterSpecs,
|
|
PIPSEC_FILTER_SPEC * ppOldFilterSpecs,
|
|
PIPSEC_NFA_DATA pNewIpsecNFAData,
|
|
DWORD dwNumNewFilterSpecs,
|
|
PIPSEC_FILTER_SPEC * ppNewFilterSpecs,
|
|
DWORD dwSource
|
|
)
|
|
{
|
|
DWORD dwError = 0;
|
|
PMMPOLICYSTATE pMMPolicyState = NULL;
|
|
PMMAUTHSTATE pMMAuthState = NULL;
|
|
DWORD i = 0;
|
|
PIPSEC_FILTER_SPEC pNewFilterSpec = NULL;
|
|
PIPSEC_FILTER_SPEC pFoundFilterSpec = NULL;
|
|
BOOL bEqual = FALSE;
|
|
PMMFILTERSTATE pMMFilterState = NULL;
|
|
|
|
|
|
pMMPolicyState = FindMMPolicyState(
|
|
pNewIpsecISAKMPData->ISAKMPIdentifier
|
|
);
|
|
if (!pMMPolicyState || !(pMMPolicyState->bInSPD)) {
|
|
TRACE(
|
|
TRC_ERROR,
|
|
(L"Pastore update failed to find SPD MM policy state associated with ISAKMP policy %!guid!.",
|
|
&pNewIpsecISAKMPData->ISAKMPIdentifier)
|
|
);
|
|
dwError = ERROR_INVALID_PARAMETER;
|
|
return (dwError);
|
|
}
|
|
|
|
pMMAuthState = FindMMAuthState(
|
|
pNewIpsecNFAData->NFAIdentifier
|
|
);
|
|
if (!pMMAuthState || !(pMMAuthState->bInSPD)) {
|
|
TRACE(
|
|
TRC_ERROR,
|
|
(L"Pastore update failed to find SPD MM auth method state associated with NFA %!guid!.",
|
|
&pNewIpsecNFAData->NFAIdentifier)
|
|
);
|
|
|
|
dwError = ERROR_INVALID_PARAMETER;
|
|
return (dwError);
|
|
}
|
|
|
|
for (i = 0; i < dwNumNewFilterSpecs; i++) {
|
|
|
|
pNewFilterSpec = *(ppNewFilterSpecs + i);
|
|
|
|
pFoundFilterSpec = FindFilterSpec(
|
|
pNewFilterSpec,
|
|
ppOldFilterSpecs,
|
|
dwNumOldFilterSpecs
|
|
);
|
|
|
|
if (!pFoundFilterSpec) {
|
|
dwError = PAAddMMFilterSpec(
|
|
pNewIpsecISAKMPData,
|
|
pNewIpsecNFAData,
|
|
pNewFilterSpec,
|
|
dwSource
|
|
);
|
|
}
|
|
else {
|
|
bEqual = FALSE;
|
|
bEqual = EqualFilterSpecs(
|
|
pFoundFilterSpec,
|
|
pNewFilterSpec
|
|
);
|
|
if (!bEqual) {
|
|
// ASSERT: pOldIpsecNFAData->NFAIdentifier == pNewIpsecNFAData->NFAIdentifier
|
|
//
|
|
dwError = PADeleteMMFilter(
|
|
pFoundFilterSpec->FilterSpecGUID,
|
|
pOldIpsecNFAData->NFAIdentifier
|
|
);
|
|
dwError = PAAddMMFilterSpec(
|
|
pNewIpsecISAKMPData,
|
|
pNewIpsecNFAData,
|
|
pNewFilterSpec,
|
|
dwSource
|
|
);
|
|
}
|
|
else {
|
|
// ASSERT: pOldIpsecNFAData->NFAIdentifier == pNewIpsecNFAData->NFAIdentifier
|
|
//
|
|
pMMFilterState = FindMMFilterState(
|
|
pFoundFilterSpec->FilterSpecGUID,
|
|
pNewIpsecNFAData->NFAIdentifier
|
|
);
|
|
if (!pMMFilterState) {
|
|
dwError = PAAddMMFilterSpec(
|
|
pNewIpsecISAKMPData,
|
|
pNewIpsecNFAData,
|
|
pNewFilterSpec,
|
|
dwSource
|
|
);
|
|
}
|
|
else {
|
|
if (!pMMFilterState->hMMFilter) {
|
|
PADeleteMMFilterState(pMMFilterState);
|
|
dwError = PAAddMMFilterSpec(
|
|
pNewIpsecISAKMPData,
|
|
pNewIpsecNFAData,
|
|
pNewFilterSpec,
|
|
dwSource
|
|
);
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
return (dwError);
|
|
}
|
|
|
|
|
|
DWORD
|
|
PAAddMMFilterSpec(
|
|
PIPSEC_ISAKMP_DATA pIpsecISAKMPData,
|
|
PIPSEC_NFA_DATA pIpsecNFAData,
|
|
PIPSEC_FILTER_SPEC pFilterSpec,
|
|
DWORD dwSource
|
|
)
|
|
{
|
|
DWORD dwError = 0;
|
|
PMMFILTERSTATE pMMFilterState = NULL;
|
|
PMM_FILTER pSPDMMFilter = NULL;
|
|
LPWSTR pServerName = NULL;
|
|
DWORD dwVersion = 0;
|
|
|
|
|
|
dwError = PACreateMMFilterState(
|
|
pIpsecISAKMPData,
|
|
pIpsecNFAData,
|
|
pFilterSpec,
|
|
&pMMFilterState
|
|
);
|
|
if (dwError) {
|
|
return (dwError);
|
|
}
|
|
|
|
dwError = PACreateMMFilter(
|
|
pIpsecISAKMPData,
|
|
pIpsecNFAData,
|
|
pFilterSpec,
|
|
&pSPDMMFilter
|
|
);
|
|
if (dwError) {
|
|
|
|
pMMFilterState->hMMFilter = NULL;
|
|
|
|
pMMFilterState->pNext = gpMMFilterState;
|
|
gpMMFilterState = pMMFilterState;
|
|
|
|
return (dwError);
|
|
|
|
}
|
|
|
|
dwError = AddMMFilterInternal(
|
|
pServerName,
|
|
dwVersion,
|
|
0,
|
|
dwSource,
|
|
pSPDMMFilter,
|
|
NULL,
|
|
&(pMMFilterState->hMMFilter)
|
|
);
|
|
|
|
pMMFilterState->pNext = gpMMFilterState;
|
|
gpMMFilterState = pMMFilterState;
|
|
|
|
PAFreeMMFilter(pSPDMMFilter);
|
|
|
|
return (dwError);
|
|
}
|
|
|
|
|
|
BOOL
|
|
EqualFilterSpecs(
|
|
PIPSEC_FILTER_SPEC pOldFilterSpec,
|
|
PIPSEC_FILTER_SPEC pNewFilterSpec
|
|
)
|
|
{
|
|
BOOL bEqual = FALSE;
|
|
|
|
|
|
//
|
|
// At this point, FilterSpecGUID is same.
|
|
//
|
|
|
|
bEqual = AreNamesEqual(
|
|
pOldFilterSpec->pszDescription,
|
|
pNewFilterSpec->pszDescription
|
|
);
|
|
if (!bEqual) {
|
|
return (FALSE);
|
|
}
|
|
|
|
if (pOldFilterSpec->dwMirrorFlag !=
|
|
pNewFilterSpec->dwMirrorFlag) {
|
|
return (FALSE);
|
|
}
|
|
|
|
if (memcmp(
|
|
&(pOldFilterSpec->Filter),
|
|
&(pNewFilterSpec->Filter),
|
|
sizeof(IPSEC_FILTER))) {
|
|
return (FALSE);
|
|
}
|
|
|
|
return (TRUE);
|
|
}
|
|
|
|
|
|
DWORD
|
|
PAUpdateQMFilters(
|
|
PIPSEC_NFA_DATA pOldIpsecNFAData,
|
|
PIPSEC_NFA_DATA pNewIpsecNFAData,
|
|
DWORD dwSource
|
|
)
|
|
{
|
|
DWORD dwError = 0;
|
|
BOOL bEqual = FALSE;
|
|
PIPSEC_NEGPOL_DATA pOldIpsecNegPolData = NULL;
|
|
PIPSEC_NEGPOL_DATA pNewIpsecNegPolData = NULL;
|
|
BOOL bHardError = FALSE;
|
|
|
|
pOldIpsecNegPolData = pOldIpsecNFAData->pIpsecNegPolData;
|
|
pNewIpsecNegPolData = pNewIpsecNFAData->pIpsecNegPolData;
|
|
|
|
bEqual = EqualFilterKeysInNegPols(
|
|
pOldIpsecNegPolData,
|
|
pNewIpsecNegPolData
|
|
);
|
|
if (!bEqual) {
|
|
dwError = PADeleteQMFilterSpecs(
|
|
pOldIpsecNFAData
|
|
);
|
|
dwError = PAAddQMFilterSpecs(
|
|
pNewIpsecNFAData,
|
|
dwSource
|
|
);
|
|
return (dwError);
|
|
}
|
|
|
|
bEqual = EqualFilterKeysInNFAs(
|
|
pOldIpsecNFAData,
|
|
pNewIpsecNFAData
|
|
);
|
|
if (!bEqual) {
|
|
dwError = PADeleteQMFilterSpecs(
|
|
pOldIpsecNFAData
|
|
);
|
|
dwError = PAAddQMFilterSpecs(
|
|
pNewIpsecNFAData,
|
|
dwSource
|
|
);
|
|
return (dwError);
|
|
}
|
|
|
|
if (!memcmp(
|
|
&(pNewIpsecNegPolData->NegPolType),
|
|
&(GUID_NEGOTIATION_TYPE_DEFAULT),
|
|
sizeof(GUID))) {
|
|
dwError = ERROR_SUCCESS;
|
|
return (dwError);
|
|
}
|
|
|
|
dwError = PAProcessQMFilterDataForNFAs(
|
|
pOldIpsecNFAData,
|
|
pNewIpsecNFAData,
|
|
dwSource
|
|
);
|
|
|
|
// Not returning bHardError from here because for DCR 537526 we decided not to do
|
|
// anything for errors during updates.
|
|
|
|
return (dwError);
|
|
}
|
|
|
|
|
|
DWORD
|
|
PAAddQMFilterSpecs(
|
|
PIPSEC_NFA_DATA pNewIpsecNFAData,
|
|
DWORD dwSource
|
|
)
|
|
{
|
|
DWORD dwError = 0;
|
|
BOOL bHardError = FALSE;
|
|
|
|
if (!(pNewIpsecNFAData->dwTunnelFlags)) {
|
|
dwError = PAAddTxFilterSpecs(
|
|
pNewIpsecNFAData,
|
|
dwSource,
|
|
&bHardError
|
|
);
|
|
}
|
|
else {
|
|
dwError = PAAddTnFilterSpecs(
|
|
pNewIpsecNFAData,
|
|
dwSource,
|
|
&bHardError
|
|
);
|
|
}
|
|
|
|
// Not returning bHardError from here because for DCR 537526 we decided not to do
|
|
// anything for errors during updates.
|
|
|
|
return (dwError);
|
|
}
|
|
|
|
|
|
DWORD
|
|
PADeleteQMFilterSpecs(
|
|
PIPSEC_NFA_DATA pOldIpsecNFAData
|
|
)
|
|
{
|
|
DWORD dwError = 0;
|
|
|
|
if (!(pOldIpsecNFAData->dwTunnelFlags)) {
|
|
dwError = PADeleteTxFilterSpecs(
|
|
pOldIpsecNFAData
|
|
);
|
|
}
|
|
else {
|
|
dwError = PADeleteTnFilterSpecs(
|
|
pOldIpsecNFAData
|
|
);
|
|
}
|
|
|
|
return (dwError);
|
|
}
|
|
|
|
|
|
DWORD
|
|
PAProcessQMFilterDataForNFAs(
|
|
PIPSEC_NFA_DATA pOldIpsecNFAData,
|
|
PIPSEC_NFA_DATA pNewIpsecNFAData,
|
|
DWORD dwSource
|
|
)
|
|
{
|
|
DWORD dwError = 0;
|
|
PIPSEC_FILTER_DATA pOldIpsecFilterData = NULL;
|
|
PIPSEC_FILTER_DATA pNewIpsecFilterData = NULL;
|
|
DWORD dwNumOldFilterSpecs = 0;
|
|
PIPSEC_FILTER_SPEC * ppOldFilterSpecs = NULL;
|
|
DWORD dwNumNewFilterSpecs = 0;
|
|
PIPSEC_FILTER_SPEC * ppNewFilterSpecs = NULL;
|
|
|
|
|
|
pOldIpsecFilterData = pOldIpsecNFAData->pIpsecFilterData;
|
|
pNewIpsecFilterData = pNewIpsecNFAData->pIpsecFilterData;
|
|
|
|
if (!pOldIpsecFilterData) {
|
|
if (!pNewIpsecFilterData) {
|
|
dwError = ERROR_SUCCESS;
|
|
return (dwError);
|
|
}
|
|
else {
|
|
dwError = PAAddQMFilterSpecs(
|
|
pNewIpsecNFAData,
|
|
dwSource
|
|
);
|
|
return (dwError);
|
|
}
|
|
}
|
|
|
|
if (!pNewIpsecFilterData) {
|
|
dwError = PADeleteQMFilterSpecs(
|
|
pOldIpsecNFAData
|
|
);
|
|
return (dwError);
|
|
}
|
|
|
|
if (memcmp(
|
|
&(pOldIpsecFilterData->FilterIdentifier),
|
|
&(pNewIpsecFilterData->FilterIdentifier),
|
|
sizeof(GUID))) {
|
|
dwError = PADeleteQMFilterSpecs(
|
|
pOldIpsecNFAData
|
|
);
|
|
dwError = PAAddQMFilterSpecs(
|
|
pNewIpsecNFAData,
|
|
dwSource
|
|
);
|
|
return (dwError);
|
|
}
|
|
|
|
dwNumOldFilterSpecs = pOldIpsecFilterData->dwNumFilterSpecs;
|
|
ppOldFilterSpecs = pOldIpsecFilterData->ppFilterSpecs;
|
|
|
|
dwNumNewFilterSpecs = pNewIpsecFilterData->dwNumFilterSpecs;
|
|
ppNewFilterSpecs = pNewIpsecFilterData->ppFilterSpecs;
|
|
|
|
dwError = PADeleteObseleteQMFilterSpecs(
|
|
pOldIpsecNFAData,
|
|
dwNumOldFilterSpecs,
|
|
ppOldFilterSpecs,
|
|
pNewIpsecNFAData,
|
|
dwNumNewFilterSpecs,
|
|
ppNewFilterSpecs
|
|
);
|
|
|
|
dwError = PAUpdateQMFilterSpecs(
|
|
pOldIpsecNFAData,
|
|
dwNumOldFilterSpecs,
|
|
ppOldFilterSpecs,
|
|
pNewIpsecNFAData,
|
|
dwNumNewFilterSpecs,
|
|
ppNewFilterSpecs,
|
|
dwSource
|
|
);
|
|
|
|
return (dwError);
|
|
}
|
|
|
|
|
|
DWORD
|
|
PADeleteObseleteQMFilterSpecs(
|
|
PIPSEC_NFA_DATA pOldIpsecNFAData,
|
|
DWORD dwNumOldFilterSpecs,
|
|
PIPSEC_FILTER_SPEC * ppOldFilterSpecs,
|
|
PIPSEC_NFA_DATA pNewIpsecNFAData,
|
|
DWORD dwNumNewFilterSpecs,
|
|
PIPSEC_FILTER_SPEC * ppNewFilterSpecs
|
|
)
|
|
{
|
|
DWORD dwError = 0;
|
|
DWORD i = 0;
|
|
PIPSEC_FILTER_SPEC pOldFilterSpec = NULL;
|
|
PIPSEC_FILTER_SPEC pFoundFilterSpec = NULL;
|
|
|
|
|
|
for (i = 0; i < dwNumOldFilterSpecs; i++) {
|
|
|
|
pOldFilterSpec = *(ppOldFilterSpecs + i);
|
|
|
|
pFoundFilterSpec = FindFilterSpec(
|
|
pOldFilterSpec,
|
|
ppNewFilterSpecs,
|
|
dwNumNewFilterSpecs
|
|
);
|
|
|
|
if (!pFoundFilterSpec) {
|
|
dwError = PADeleteQMFilter(
|
|
pOldIpsecNFAData,
|
|
pOldFilterSpec->FilterSpecGUID
|
|
);
|
|
}
|
|
|
|
}
|
|
|
|
return (dwError);
|
|
}
|
|
|
|
|
|
DWORD
|
|
PAUpdateQMFilterSpecs(
|
|
PIPSEC_NFA_DATA pOldIpsecNFAData,
|
|
DWORD dwNumOldFilterSpecs,
|
|
PIPSEC_FILTER_SPEC * ppOldFilterSpecs,
|
|
PIPSEC_NFA_DATA pNewIpsecNFAData,
|
|
DWORD dwNumNewFilterSpecs,
|
|
PIPSEC_FILTER_SPEC * ppNewFilterSpecs,
|
|
DWORD dwSource
|
|
)
|
|
{
|
|
DWORD dwError = 0;
|
|
PIPSEC_NEGPOL_DATA pNewIpsecNegPolData = NULL;
|
|
PQMPOLICYSTATE pQMPolicyState = NULL;
|
|
DWORD i = 0;
|
|
PIPSEC_FILTER_SPEC pNewFilterSpec = NULL;
|
|
PIPSEC_FILTER_SPEC pFoundFilterSpec = NULL;
|
|
BOOL bEqual = FALSE;
|
|
|
|
|
|
pNewIpsecNegPolData = pNewIpsecNFAData->pIpsecNegPolData;
|
|
|
|
pQMPolicyState = FindQMPolicyState(
|
|
pNewIpsecNegPolData->NegPolIdentifier
|
|
);
|
|
if (!pQMPolicyState) {
|
|
TRACE(
|
|
TRC_ERROR,
|
|
(L"Pastore update failed to find SPD QM policy state associated for neg pol %!guid!.",
|
|
&pNewIpsecNegPolData->NegPolIdentifier)
|
|
);
|
|
|
|
dwError = ERROR_INVALID_PARAMETER;
|
|
return (dwError);
|
|
}
|
|
|
|
if (!IsClearOnly(pQMPolicyState->gNegPolAction) &&
|
|
!IsBlocking(pQMPolicyState->gNegPolAction) &&
|
|
!(pQMPolicyState->bInSPD)) {
|
|
TRACE(
|
|
TRC_ERROR,
|
|
(L"Pastore update failed to find SPD QM policy plumbed into SPD for neg pol %!guid!.",
|
|
&pNewIpsecNegPolData->NegPolIdentifier)
|
|
);
|
|
|
|
dwError = ERROR_INVALID_PARAMETER;
|
|
return (dwError);
|
|
}
|
|
|
|
for (i = 0; i < dwNumNewFilterSpecs; i++) {
|
|
|
|
pNewFilterSpec = *(ppNewFilterSpecs + i);
|
|
|
|
pFoundFilterSpec = FindFilterSpec(
|
|
pNewFilterSpec,
|
|
ppOldFilterSpecs,
|
|
dwNumOldFilterSpecs
|
|
);
|
|
|
|
if (!pFoundFilterSpec) {
|
|
dwError = PAAddQMFilterSpec(
|
|
pNewIpsecNFAData,
|
|
pQMPolicyState,
|
|
pNewFilterSpec,
|
|
dwSource
|
|
);
|
|
}
|
|
else {
|
|
bEqual = FALSE;
|
|
bEqual = EqualFilterSpecs(
|
|
pFoundFilterSpec,
|
|
pNewFilterSpec
|
|
);
|
|
if (!bEqual) {
|
|
dwError = PADeleteQMFilter(
|
|
pOldIpsecNFAData,
|
|
pFoundFilterSpec->FilterSpecGUID
|
|
);
|
|
dwError = PAAddQMFilterSpec(
|
|
pNewIpsecNFAData,
|
|
pQMPolicyState,
|
|
pNewFilterSpec,
|
|
dwSource
|
|
);
|
|
}
|
|
else {
|
|
dwError = PAUpdateQMFilterSpec(
|
|
pNewIpsecNFAData,
|
|
pQMPolicyState,
|
|
pNewFilterSpec,
|
|
dwSource
|
|
);
|
|
}
|
|
}
|
|
}
|
|
|
|
return (dwError);
|
|
}
|
|
|
|
|
|
DWORD
|
|
PADeleteQMFilter(
|
|
PIPSEC_NFA_DATA pIpsecNFAData,
|
|
GUID FilterSpecGUID
|
|
)
|
|
{
|
|
DWORD dwError = 0;
|
|
|
|
|
|
if (!(pIpsecNFAData->dwTunnelFlags)) {
|
|
dwError = PADeleteTxFilter(
|
|
FilterSpecGUID,
|
|
pIpsecNFAData->NFAIdentifier
|
|
);
|
|
}
|
|
else {
|
|
dwError = PADeleteTnFilter(
|
|
FilterSpecGUID,
|
|
pIpsecNFAData->NFAIdentifier
|
|
);
|
|
}
|
|
|
|
return (dwError);
|
|
}
|
|
|
|
|
|
DWORD
|
|
PAAddQMFilterSpec(
|
|
PIPSEC_NFA_DATA pIpsecNFAData,
|
|
PQMPOLICYSTATE pQMPolicyState,
|
|
PIPSEC_FILTER_SPEC pFilterSpec,
|
|
DWORD dwSource
|
|
)
|
|
{
|
|
DWORD dwError = 0;
|
|
|
|
|
|
if (!(pIpsecNFAData->dwTunnelFlags)) {
|
|
dwError = PAAddTxFilterSpec(
|
|
pIpsecNFAData,
|
|
pQMPolicyState,
|
|
pFilterSpec,
|
|
dwSource
|
|
);
|
|
}
|
|
else {
|
|
dwError = PAAddTnFilterSpec(
|
|
pIpsecNFAData,
|
|
pQMPolicyState,
|
|
pFilterSpec,
|
|
dwSource
|
|
);
|
|
}
|
|
|
|
return (dwError);
|
|
}
|
|
|
|
|
|
DWORD
|
|
PAAddTxFilterSpec(
|
|
PIPSEC_NFA_DATA pIpsecNFAData,
|
|
PQMPOLICYSTATE pQMPolicyState,
|
|
PIPSEC_FILTER_SPEC pFilterSpec,
|
|
DWORD dwSource
|
|
)
|
|
{
|
|
DWORD dwError = 0;
|
|
PIPSEC_NEGPOL_DATA pIpsecNegPolData = NULL;
|
|
PTXFILTERSTATE pTxFilterState = NULL;
|
|
PTRANSPORT_FILTER pSPDTxFilter = NULL;
|
|
LPWSTR pServerName = NULL;
|
|
DWORD dwVersion = 0;
|
|
|
|
|
|
pIpsecNegPolData = pIpsecNFAData->pIpsecNegPolData;
|
|
|
|
dwError = PACreateTxFilterState(
|
|
pIpsecNegPolData,
|
|
pIpsecNFAData,
|
|
pFilterSpec,
|
|
&pTxFilterState
|
|
);
|
|
if (dwError) {
|
|
return (dwError);
|
|
}
|
|
|
|
dwError = PACreateTxFilter(
|
|
pIpsecNegPolData,
|
|
pIpsecNFAData,
|
|
pFilterSpec,
|
|
pQMPolicyState,
|
|
&pSPDTxFilter
|
|
);
|
|
if (dwError) {
|
|
|
|
pTxFilterState->hTxFilter = NULL;
|
|
|
|
pTxFilterState->pNext = gpTxFilterState;
|
|
gpTxFilterState = pTxFilterState;
|
|
|
|
return (dwError);
|
|
|
|
}
|
|
|
|
dwError = AddTransportFilterInternal(
|
|
pServerName,
|
|
dwVersion,
|
|
0,
|
|
dwSource,
|
|
pSPDTxFilter,
|
|
NULL,
|
|
&(pTxFilterState->hTxFilter)
|
|
);
|
|
|
|
pTxFilterState->pNext = gpTxFilterState;
|
|
gpTxFilterState = pTxFilterState;
|
|
|
|
PAFreeTxFilter(pSPDTxFilter);
|
|
|
|
return (dwError);
|
|
}
|
|
|
|
|
|
DWORD
|
|
PAAddTnFilterSpec(
|
|
PIPSEC_NFA_DATA pIpsecNFAData,
|
|
PQMPOLICYSTATE pQMPolicyState,
|
|
PIPSEC_FILTER_SPEC pFilterSpec,
|
|
DWORD dwSource
|
|
)
|
|
{
|
|
DWORD dwError = 0;
|
|
PIPSEC_NEGPOL_DATA pIpsecNegPolData = NULL;
|
|
PTNFILTERSTATE pTnFilterState = NULL;
|
|
PTUNNEL_FILTER pSPDTnFilter = NULL;
|
|
LPWSTR pServerName = NULL;
|
|
DWORD dwVersion = 0;
|
|
|
|
|
|
pIpsecNegPolData = pIpsecNFAData->pIpsecNegPolData;
|
|
|
|
dwError = PACreateTnFilterState(
|
|
pIpsecNegPolData,
|
|
pIpsecNFAData,
|
|
pFilterSpec,
|
|
&pTnFilterState
|
|
);
|
|
if (dwError) {
|
|
return (dwError);
|
|
}
|
|
|
|
dwError = PACreateTnFilter(
|
|
pIpsecNegPolData,
|
|
pIpsecNFAData,
|
|
pFilterSpec,
|
|
pQMPolicyState,
|
|
&pSPDTnFilter
|
|
);
|
|
if (dwError) {
|
|
|
|
pTnFilterState->hTnFilter = NULL;
|
|
|
|
pTnFilterState->pNext = gpTnFilterState;
|
|
gpTnFilterState = pTnFilterState;
|
|
|
|
return (dwError);
|
|
|
|
}
|
|
|
|
dwError = AddTunnelFilterInternal(
|
|
pServerName,
|
|
dwVersion,
|
|
0,
|
|
dwSource,
|
|
pSPDTnFilter,
|
|
NULL,
|
|
&(pTnFilterState->hTnFilter)
|
|
);
|
|
|
|
pTnFilterState->pNext = gpTnFilterState;
|
|
gpTnFilterState = pTnFilterState;
|
|
|
|
PAFreeTnFilter(pSPDTnFilter);
|
|
|
|
return (dwError);
|
|
}
|
|
|
|
|
|
BOOL
|
|
AllowsSoft(
|
|
DWORD dwSecurityMethodCount,
|
|
PIPSEC_SECURITY_METHOD pIpsecSecurityMethods
|
|
)
|
|
{
|
|
DWORD dwTempOfferCount = 0;
|
|
PIPSEC_SECURITY_METHOD pTempMethod = NULL;
|
|
BOOL bAllowsSoft = FALSE;
|
|
DWORD i = 0;
|
|
|
|
|
|
if (!dwSecurityMethodCount || !pIpsecSecurityMethods) {
|
|
return (FALSE);
|
|
}
|
|
|
|
if (dwSecurityMethodCount > IPSEC_MAX_QM_OFFERS) {
|
|
dwTempOfferCount = IPSEC_MAX_QM_OFFERS;
|
|
}
|
|
else {
|
|
dwTempOfferCount = dwSecurityMethodCount;
|
|
}
|
|
|
|
pTempMethod = pIpsecSecurityMethods;
|
|
|
|
for (i = 0; i < dwTempOfferCount; i++) {
|
|
|
|
if (pTempMethod->Count == 0) {
|
|
bAllowsSoft = TRUE;
|
|
break;
|
|
}
|
|
|
|
pTempMethod++;
|
|
|
|
}
|
|
|
|
return (bAllowsSoft);
|
|
}
|
|
|
|
|
|
DWORD
|
|
PAUpdateQMFilterSpec(
|
|
PIPSEC_NFA_DATA pIpsecNFAData,
|
|
PQMPOLICYSTATE pQMPolicyState,
|
|
PIPSEC_FILTER_SPEC pFilterSpec,
|
|
DWORD dwSource
|
|
)
|
|
{
|
|
DWORD dwError = 0;
|
|
|
|
|
|
if (!(pIpsecNFAData->dwTunnelFlags)) {
|
|
|
|
dwError = PAUpdateTxFilterSpec(
|
|
pIpsecNFAData,
|
|
pQMPolicyState,
|
|
pFilterSpec,
|
|
dwSource
|
|
);
|
|
|
|
}
|
|
else {
|
|
|
|
dwError = PAUpdateTnFilterSpec(
|
|
pIpsecNFAData,
|
|
pQMPolicyState,
|
|
pFilterSpec,
|
|
dwSource
|
|
);
|
|
|
|
}
|
|
|
|
return (dwError);
|
|
}
|
|
|
|
|
|
DWORD
|
|
PAUpdateTxFilterSpec(
|
|
PIPSEC_NFA_DATA pIpsecNFAData,
|
|
PQMPOLICYSTATE pQMPolicyState,
|
|
PIPSEC_FILTER_SPEC pFilterSpec,
|
|
DWORD dwSource
|
|
)
|
|
{
|
|
DWORD dwError = 0;
|
|
PTXFILTERSTATE pTxFilterState = NULL;
|
|
|
|
|
|
pTxFilterState = FindTxFilterState(
|
|
pFilterSpec->FilterSpecGUID,
|
|
pIpsecNFAData->NFAIdentifier
|
|
);
|
|
if (!pTxFilterState) {
|
|
dwError = PAAddTxFilterSpec(
|
|
pIpsecNFAData,
|
|
pQMPolicyState,
|
|
pFilterSpec,
|
|
dwSource
|
|
);
|
|
}
|
|
else {
|
|
if (!pTxFilterState->hTxFilter) {
|
|
PADeleteTxFilterState(pTxFilterState);
|
|
dwError = PAAddTxFilterSpec(
|
|
pIpsecNFAData,
|
|
pQMPolicyState,
|
|
pFilterSpec,
|
|
dwSource
|
|
);
|
|
}
|
|
}
|
|
|
|
return (dwError);
|
|
}
|
|
|
|
|
|
DWORD
|
|
PAUpdateTnFilterSpec(
|
|
PIPSEC_NFA_DATA pIpsecNFAData,
|
|
PQMPOLICYSTATE pQMPolicyState,
|
|
PIPSEC_FILTER_SPEC pFilterSpec,
|
|
DWORD dwSource
|
|
)
|
|
{
|
|
DWORD dwError = 0;
|
|
PTNFILTERSTATE pTnFilterState = NULL;
|
|
|
|
|
|
pTnFilterState = FindTnFilterState(
|
|
pFilterSpec->FilterSpecGUID,
|
|
pIpsecNFAData->NFAIdentifier
|
|
);
|
|
if (!pTnFilterState) {
|
|
dwError = PAAddTnFilterSpec(
|
|
pIpsecNFAData,
|
|
pQMPolicyState,
|
|
pFilterSpec,
|
|
dwSource
|
|
);
|
|
}
|
|
else {
|
|
if (!pTnFilterState->hTnFilter) {
|
|
PADeleteTnFilterState(pTnFilterState);
|
|
dwError = PAAddTnFilterSpec(
|
|
pIpsecNFAData,
|
|
pQMPolicyState,
|
|
pFilterSpec,
|
|
dwSource
|
|
);
|
|
}
|
|
}
|
|
|
|
return (dwError);
|
|
}
|
|
|