archive
/
windows-xp
mirror of https://github.com/tongzx/nt5src
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
8 Commits
1 Branch
0 Tags
3.8 GiB
Tree: 744f0b4006
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '744f0b4006'
${ noResults }
windows-xp/Source/XPSP1/NT/net/ipsec/ipseccmd/pol2stor.cpp

1051 lines
37 KiB
Raw Normal View History

Add source files
4 years ago
  4. #include "ipseccmd.h"
  6. #ifdef __cplusplus
  7. extern "C" {
  8. #endif
  11. IPSECPolicyToStorage::IPSECPolicyToStorage():
  12. myPolicyStorage(NULL),
  13. myIPSECPolicy(NULL),
  14. mybIsOpen(false),
  15. mybPolicyExists(false)
  16. {
  17. }
  19. IPSECPolicyToStorage::~IPSECPolicyToStorage()
  20. {
  22. // if (myIPSECPolicy) IPSecFreePolicyData(myIPSECPolicy);
  23. // polstore AVs if something inside the policy is missing
  25. if (myPolicyStorage)
  26. {
  27. IPSecClosePolicyStore(myPolicyStorage);
  28. }
  29. }
  31. // this small function will attempt to CreateIpsecPolicyData, and if it succeeds, it'll mark that object is created in the storage
  32. // so that next time we'll use Set routine, not Create
  33. void
  34. IPSECPolicyToStorage::TryToCreatePolicy()
  35. {
  36. if (IPSecCreatePolicyData(myPolicyStorage, myIPSECPolicy) == ERROR_SUCCESS)
  37. {
  38. mybPolicyExists = true;
  39. }
  40. }
  42. // opens storage an initializes policy
  43. // pass name as NULL for local storage or if you want
  44. // the DS to be located
  45. // szPolicyName is required
  46. // szDescription is optional
  47. HRESULT
  48. IPSECPolicyToStorage::Open(
  49. IN DWORD location,
  50. IN LPTSTR name,
  51. IN LPTSTR szPolicyName,
  52. IN LPTSTR szDescription,
  53. IN time_t tPollingInterval,
  54. IN bool bUseExisting)
  56. {
  57. HRESULT hrReturnCode = S_OK;
  58. RPC_STATUS RpcStat;
  60. // need to do error checking
  61. if (!szPolicyName || (szPolicyName[0] == TEXT('\0')) )
  62. {
  63. hrReturnCode = P2STORE_MISSING_NAME;
  64. }
  65. else
  66. {
  67. if (myPolicyStorage)
  68. {
  69. IPSecClosePolicyStore(myPolicyStorage);
  70. myPolicyStorage = NULL;
  71. }
  72. hrReturnCode = IPSecOpenPolicyStore(name, location, NULL, &myPolicyStorage);
  73. if (hrReturnCode == ERROR_SUCCESS)
  74. {
  75. mybIsOpen = true;
  76. if (myIPSECPolicy)
  77. {
  78. IPSecFreePolicyData(myIPSECPolicy);
  79. myIPSECPolicy = NULL;
  80. }
  81. if (bUseExisting)
  82. {
  83. // try to find existing policy cause user requested us to
  84. // myIPSECPolicy will be NULL if we haven't found it
  85. PIPSEC_POLICY_DATA *ppPolicyEnum = NULL;
  86. DWORD dwNumPolicies = 0;
  89. hrReturnCode = IPSecEnumPolicyData(myPolicyStorage, &ppPolicyEnum, &dwNumPolicies);
  90. if (hrReturnCode == ERROR_SUCCESS && dwNumPolicies > 0 && ppPolicyEnum != NULL)
  91. {
  92. // we have something in the storage, let's go through it
  93. int i;
  95. for (i = 0; i < (int) dwNumPolicies; i++)
  96. {
  97. if (wcscmp(ppPolicyEnum[i]->pszIpsecName, szPolicyName) == 0)
  98. {
  99. // we found it
  100. // make a copy in myIPSECPolicy and update description and polling interval
  101. hrReturnCode = IPSecCopyPolicyData(ppPolicyEnum[i], &myIPSECPolicy);
  102. mybPolicyExists = true;
  103. if (hrReturnCode == ERROR_SUCCESS)
  104. {
  105. hrReturnCode = IPSecEnumNFAData(myPolicyStorage, myIPSECPolicy->PolicyIdentifier
  106. , &(myIPSECPolicy->ppIpsecNFAData), &(myIPSECPolicy->dwNumNFACount));
  107. }
  108. if (hrReturnCode == ERROR_SUCCESS)
  109. {
  110. int i;
  112. // also get other parts of the policy, no error checks here
  113. IPSecGetISAKMPData(myPolicyStorage, myIPSECPolicy->ISAKMPIdentifier, &(myIPSECPolicy->pIpsecISAKMPData));
  114. for (i = 0; i < (int) myIPSECPolicy->dwNumNFACount; i++)
  115. {
  116. if (!UuidIsNil(&(myIPSECPolicy->ppIpsecNFAData[i]->NegPolIdentifier), &RpcStat))
  117. {
  118. IPSecGetNegPolData(myPolicyStorage,
  119. myIPSECPolicy->ppIpsecNFAData[i]->NegPolIdentifier,
  120. &(myIPSECPolicy->ppIpsecNFAData[i]->pIpsecNegPolData));
  121. }
  122. if (!UuidIsNil(&(myIPSECPolicy->ppIpsecNFAData[i]->FilterIdentifier), &RpcStat))
  123. {
  124. IPSecGetFilterData(myPolicyStorage,
  125. myIPSECPolicy->ppIpsecNFAData[i]->FilterIdentifier,
  126. &(myIPSECPolicy->ppIpsecNFAData[i]->pIpsecFilterData));
  127. }
  128. }
  130. if (myIPSECPolicy->pszDescription == NULL && szDescription != NULL)
  131. {
  132. // we've got description to set
  133. myIPSECPolicy->pszDescription = IPSecAllocPolStr(szDescription);
  134. }
  135. // set Polling Interval
  136. if (tPollingInterval >= 0)
  137. {
  138. myIPSECPolicy->dwPollingInterval = (DWORD) tPollingInterval;
  139. }
  140. // commit
  141. hrReturnCode = IPSecSetPolicyData(myPolicyStorage, myIPSECPolicy);
  142. }
  143. }
  144. }
  145. }
  146. else
  147. {
  148. hrReturnCode = ERROR_SUCCESS;
  149. }
  151. // clean it up
  152. if (dwNumPolicies > 0 && ppPolicyEnum != NULL)
  153. {
  154. IPSecFreeMulPolicyData(ppPolicyEnum, dwNumPolicies);
  155. }
  156. }
  158. // this is executed only when no bUseExisting was specified or existing policy wasn't found
  159. if (!bUseExisting || myIPSECPolicy == NULL)
  160. {
  161. // create
  162. mybPolicyExists = false;
  163. myIPSECPolicy = (PIPSEC_POLICY_DATA) IPSecAllocPolMem(sizeof(IPSEC_POLICY_DATA));
  164. if (myIPSECPolicy == NULL)
  165. {
  166. hrReturnCode = GetLastError();
  167. }
  168. else
  169. {
  170. myIPSECPolicy->pszIpsecName = IPSecAllocPolStr(szPolicyName);
  171. if (szDescription)
  172. {
  173. myIPSECPolicy->pszDescription = IPSecAllocPolStr(szDescription);
  174. }
  175. else
  176. {
  177. myIPSECPolicy->pszDescription = NULL;
  178. }
  179. myIPSECPolicy->dwPollingInterval = (DWORD) tPollingInterval;
  180. RpcStat = UuidCreate(&(myIPSECPolicy->PolicyIdentifier));
  181. assert(RpcStat == RPC_S_OK || RpcStat == RPC_S_UUID_LOCAL_ONLY);
  183. // now init other stuff somehow
  184. myIPSECPolicy->pIpsecISAKMPData = NULL;
  185. myIPSECPolicy->ppIpsecNFAData = NULL;
  186. myIPSECPolicy->dwNumNFACount = 0;
  187. myIPSECPolicy->dwWhenChanged = 0;
  188. UuidCreateNil(&(myIPSECPolicy->ISAKMPIdentifier));
  190. // TryToCreatePolicy();
  191. }
  192. }
  193. }
  194. }
  196. return hrReturnCode;
  197. }
  201. HRESULT
  202. IPSECPolicyToStorage::AddRule(
  203. IN IPSEC_IKE_POLICY IpsecIkePol,
  204. PSTORAGE_INFO pStorageInfo)
  205. {
  206. HRESULT hrReturn = S_OK;
  207. PIPSEC_NFA_DATA pRule = MakeRule(IpsecIkePol, pStorageInfo);
  208. int i;
  210. if (!IsOpen())
  211. {
  212. return ERROR_ACCESS_DENIED;
  213. }
  214. // form policy data structures
  215. myIPSECPolicy->dwNumNFACount++;
  216. myIPSECPolicy->ppIpsecNFAData = (PIPSEC_NFA_DATA *) ReallocPolMem(myIPSECPolicy->ppIpsecNFAData
  217. , (myIPSECPolicy->dwNumNFACount-1)*sizeof(PIPSEC_NFA_DATA)
  218. , (myIPSECPolicy->dwNumNFACount)*sizeof(PIPSEC_NFA_DATA));
  219. myIPSECPolicy->ppIpsecNFAData[myIPSECPolicy->dwNumNFACount-1] = pRule;
  221. // commit everything
  222. // start from qm policy
  223. if (!pRule->pIpsecFilterData)
  224. {
  225. // fix up neg pol
  226. pRule->pIpsecNegPolData->NegPolType = GUID_NEGOTIATION_TYPE_DEFAULT;
  227. }
  228. hrReturn = IPSecCreateNegPolData(myPolicyStorage, pRule->pIpsecNegPolData);
  229. if (hrReturn != ERROR_SUCCESS)
  230. {
  231. return hrReturn;
  232. }
  234. // filter
  235. if (pRule->pIpsecFilterData)
  236. {
  237. hrReturn = IPSecCreateFilterData(myPolicyStorage, pRule->pIpsecFilterData);
  238. if (hrReturn != ERROR_SUCCESS)
  239. {
  240. return hrReturn;
  241. }
  242. }
  244. // NFA
  245. IPSecCreateNFAData(myPolicyStorage, myIPSECPolicy->PolicyIdentifier, pRule);
  246. // policy
  247. if (IsPolicyInStorage())
  248. {
  249. IPSecSetPolicyData(myPolicyStorage, myIPSECPolicy);
  250. }
  251. else
  252. {
  253. TryToCreatePolicy();
  254. }
  256. return hrReturn;
  257. }
  259. // Add default response rule to the policy
  260. HRESULT IPSECPolicyToStorage::AddDefaultResponseRule ( )
  261. {
  262. HRESULT hrReturn = S_OK;
  263. PIPSEC_NFA_DATA pRule = MakeDefaultResponseRule();
  264. int i;
  266. if (!IsOpen())
  267. {
  268. return ERROR_ACCESS_DENIED;
  269. }
  270. // form policy data structures
  271. myIPSECPolicy->dwNumNFACount++;
  272. myIPSECPolicy->ppIpsecNFAData = (PIPSEC_NFA_DATA *) ReallocPolMem(myIPSECPolicy->ppIpsecNFAData
  273. , (myIPSECPolicy->dwNumNFACount-1)*sizeof(PIPSEC_NFA_DATA)
  274. , (myIPSECPolicy->dwNumNFACount)*sizeof(PIPSEC_NFA_DATA));
  275. myIPSECPolicy->ppIpsecNFAData[myIPSECPolicy->dwNumNFACount-1] = pRule;
  277. // commit everything
  278. // start from qm policy
  279. // fix up neg pol
  280. pRule->pIpsecNegPolData->NegPolType = GUID_NEGOTIATION_TYPE_DEFAULT;
  281. hrReturn = IPSecCreateNegPolData(myPolicyStorage, pRule->pIpsecNegPolData);
  282. if (hrReturn != ERROR_SUCCESS)
  283. {
  284. return hrReturn;
  285. }
  287. // NFA
  288. IPSecCreateNFAData(myPolicyStorage, myIPSECPolicy->PolicyIdentifier, pRule);
  289. // policy
  290. if (IsPolicyInStorage())
  291. {
  292. IPSecSetPolicyData(myPolicyStorage, myIPSECPolicy);
  293. }
  294. else
  295. {
  296. TryToCreatePolicy();
  297. }
  299. return hrReturn;
  300. }
  303. // this will update a rule:
  304. // if there are filters, all the filters from the current NFA
  305. // are removed and the ones passed in are added
  306. // same thing goes for negotiation policies and authinfos
  308. HRESULT
  309. IPSECPolicyToStorage::UpdateRule(
  310. IN PIPSEC_NFA_DATA pRule,
  311. IN IPSEC_IKE_POLICY IpsecIkePol,
  312. IN PSTORAGE_INFO pStorageInfo)
  313. {
  314. RPC_STATUS RpcStat;
  315. T2P_FILTER *pFilterList;
  316. IF_TYPE Interface;
  317. WCHAR wszRuleName[POTF_MAX_STRLEN];
  318. HRESULT hrReturn = S_OK;
  319. int i;
  320. GUID oldFilter, oldNegPol;
  322. if (pRule == NULL || !IsOpen())
  323. {
  324. return ERROR_ACCESS_DENIED;
  325. }
  327. // first, remove filter and policy data
  328. oldFilter = pRule->FilterIdentifier;
  329. if (pRule->pIpsecFilterData)
  330. {
  331. IPSecFreeFilterData(pRule->pIpsecFilterData);
  332. }
  333. oldNegPol = pRule->NegPolIdentifier;
  334. if (pRule->pIpsecNegPolData)
  335. {
  336. IPSecFreeNegPolData(pRule->pIpsecNegPolData);
  337. }
  338. // free auth methods
  339. if (pRule->ppAuthMethods)
  340. {
  341. for (i = 0; i < (int) pRule->dwAuthMethodCount; i++)
  342. {
  343. if (pRule->ppAuthMethods[i]->pszAuthMethod)
  344. {
  345. IPSecFreePolMem(pRule->ppAuthMethods[i]->pszAuthMethod);
  346. }
  347. if (pRule->ppAuthMethods[i]->dwAltAuthLen && pRule->ppAuthMethods[i]->pAltAuthMethod)
  348. {
  349. IPSecFreePolMem(pRule->ppAuthMethods[i]->pAltAuthMethod);
  350. }
  351. IPSecFreePolMem(pRule->ppAuthMethods[i]);
  352. }
  353. }
  354. IPSecFreePolMem(pRule->ppAuthMethods);
  355. // free strings
  356. if (pRule->pszIpsecName)
  357. {
  358. IPSecFreePolStr(pRule->pszIpsecName);
  359. }
  360. if (pRule->pszInterfaceName)
  361. {
  362. IPSecFreePolStr(pRule->pszInterfaceName);
  363. }
  364. if (pRule->pszEndPointName)
  365. {
  366. IPSecFreePolStr(pRule->pszEndPointName);
  367. }
  368. if (pRule->pszDescription)
  369. {
  370. IPSecFreePolStr(pRule->pszDescription);
  371. }
  373. // now make a rule
  374. pRule->pszIpsecName = pRule->pszDescription = pRule->pszInterfaceName = pRule->pszEndPointName = NULL;
  375. if (pStorageInfo)
  376. {
  377. pRule->pszIpsecName = IPSecAllocPolStr(pStorageInfo->szRuleName);
  378. }
  379. pRule->dwWhenChanged = 0;
  381. // filters
  382. if (IpsecIkePol.QMFilterType == QM_TRANSPORT_FILTER
  383. && IpsecIkePol.pTransportFilters[0].SrcAddr.AddrType == IP_ADDR_UNIQUE
  384. && IpsecIkePol.pTransportFilters[0].SrcAddr.uIpAddr == IP_ADDRESS_ME
  385. && IpsecIkePol.pTransportFilters[0].DesAddr.AddrType == IP_ADDR_UNIQUE
  386. && IpsecIkePol.pTransportFilters[0].DesAddr.uIpAddr == IP_ADDRESS_ME
  387. && IpsecIkePol.pTransportFilters[0].InboundFilterFlag == (FILTER_FLAG) POTF_DEFAULT_RESPONSE_FLAG
  388. && IpsecIkePol.pTransportFilters[0].OutboundFilterFlag == (FILTER_FLAG) POTF_DEFAULT_RESPONSE_FLAG)
  389. {
  390. pRule->pIpsecFilterData = NULL;
  391. UuidCreateNil(&(pRule->FilterIdentifier));
  392. }
  393. else
  394. {
  395. pFilterList = new T2P_FILTER[IpsecIkePol.dwNumFilters];
  396. for (i = 0; i < (int) IpsecIkePol.dwNumFilters; i++)
  397. {
  398. if (IpsecIkePol.QMFilterType == QM_TRANSPORT_FILTER)
  399. {
  400. pFilterList[i].QMFilterType = QM_TRANSPORT_FILTER;
  401. pFilterList[i].TransportFilter = IpsecIkePol.pTransportFilters[i];
  402. }
  403. else
  404. {
  405. // tunnel
  406. pFilterList[i].QMFilterType = QM_TUNNEL_FILTER;
  407. pFilterList[i].TunnelFilter = IpsecIkePol.pTunnelFilters[i];
  408. }
  409. }
  410. if (pStorageInfo)
  411. {
  412. pRule->pIpsecFilterData = MakeFilters(pFilterList, IpsecIkePol.dwNumFilters, pStorageInfo->szRuleName);
  413. }
  414. else
  415. {
  416. pRule->pIpsecFilterData = MakeFilters(pFilterList, IpsecIkePol.dwNumFilters, L"");
  417. }
  418. pRule->FilterIdentifier = pRule->pIpsecFilterData->FilterIdentifier;
  419. delete[] pFilterList;
  420. }
  422. // filter action
  423. if (pStorageInfo)
  424. {
  425. pRule->pIpsecNegPolData = MakeNegotiationPolicy(IpsecIkePol.IpsPol, pStorageInfo->szRuleName);
  426. }
  427. else
  428. {
  429. pRule->pIpsecNegPolData = MakeNegotiationPolicy(IpsecIkePol.IpsPol, L"");
  430. }
  431. pRule->NegPolIdentifier = pRule->pIpsecNegPolData->NegPolIdentifier;
  432. if (pStorageInfo && pStorageInfo->guidNegPolAction != GUID_NEGOTIATION_ACTION_NORMAL_IPSEC)
  433. {
  434. pRule->pIpsecNegPolData->NegPolAction = pStorageInfo->guidNegPolAction;
  435. }
  437. // tunnel address
  438. pRule->dwTunnelFlags = 0;
  439. if (IpsecIkePol.QMFilterType == QM_TUNNEL_FILTER)
  440. {
  441. pRule->dwTunnelFlags = 1;
  442. pRule->dwTunnelIpAddr = IpsecIkePol.pTunnelFilters[0].DesTunnelAddr.uIpAddr;
  443. }
  445. // interface type
  446. Interface = (IpsecIkePol.QMFilterType == QM_TRANSPORT_FILTER) ? IpsecIkePol.pTransportFilters[0].InterfaceType : IpsecIkePol.pTunnelFilters[0].InterfaceType;
  447. if (Interface == INTERFACE_TYPE_ALL)
  448. {
  449. pRule->dwInterfaceType = PAS_INTERFACE_TYPE_ALL;
  450. }
  451. else if (Interface == INTERFACE_TYPE_LAN)
  452. {
  453. pRule->dwInterfaceType = PAS_INTERFACE_TYPE_LAN;
  454. }
  455. else if (Interface == INTERFACE_TYPE_DIALUP)
  456. {
  457. pRule->dwInterfaceType = PAS_INTERFACE_TYPE_DIALUP;
  458. }
  459. else
  460. {
  461. pRule->dwInterfaceType = PAS_INTERFACE_TYPE_NONE;
  462. }
  464. // active flag
  465. pRule->dwActiveFlag = TRUE;
  467. // auth methods
  468. pRule->dwAuthMethodCount = IpsecIkePol.AuthInfos.dwNumAuthInfos;
  469. pRule->ppAuthMethods = (PIPSEC_AUTH_METHOD *) IPSecAllocPolMem(pRule->dwAuthMethodCount * sizeof(PIPSEC_AUTH_METHOD));
  470. for (i = 0; i < (int) pRule->dwAuthMethodCount; i++)
  471. {
  472. pRule->ppAuthMethods[i] = (PIPSEC_AUTH_METHOD) IPSecAllocPolMem(sizeof(IPSEC_AUTH_METHOD));
  473. pRule->ppAuthMethods[i]->dwAuthType = IpsecIkePol.AuthInfos.pAuthenticationInfo[i].AuthMethod;
  474. if (pRule->ppAuthMethods[i]->dwAuthType == IKE_SSPI)
  475. {
  476. pRule->ppAuthMethods[i]->dwAuthLen = 0;
  477. pRule->ppAuthMethods[i]->pszAuthMethod = NULL;
  478. pRule->ppAuthMethods[i]->dwAltAuthLen = 0;
  479. pRule->ppAuthMethods[i]->pAltAuthMethod = 0;
  480. }
  481. else if (pRule->ppAuthMethods[i]->dwAuthType == IKE_RSA_SIGNATURE)
  482. {
  483. LPTSTR pTemp = NULL;
  484. pRule->ppAuthMethods[i]->dwAltAuthLen = IpsecIkePol.AuthInfos.pAuthenticationInfo[i].dwAuthInfoSize;
  485. pRule->ppAuthMethods[i]->pAltAuthMethod = (PBYTE) IPSecAllocPolMem(IpsecIkePol.AuthInfos.pAuthenticationInfo[i].dwAuthInfoSize);
  486. memcpy(pRule->ppAuthMethods[i]->pAltAuthMethod, IpsecIkePol.AuthInfos.pAuthenticationInfo[i].pAuthInfo, IpsecIkePol.AuthInfos.pAuthenticationInfo[i].dwAuthInfoSize);
  488. hrReturn = CM_DecodeName(pRule->ppAuthMethods[i]->pAltAuthMethod, pRule->ppAuthMethods[i]->dwAltAuthLen, &pTemp);
  489. assert(hrReturn == ERROR_SUCCESS);
  490. pRule->ppAuthMethods[i]->pszAuthMethod = IPSecAllocPolStr(pTemp);
  491. pRule->ppAuthMethods[i]->dwAuthLen = wcslen(pRule->ppAuthMethods[i]->pszAuthMethod);
  492. delete[] pTemp;
  493. }
  494. else
  495. {
  496. pRule->ppAuthMethods[i]->dwAuthLen = IpsecIkePol.AuthInfos.pAuthenticationInfo[i].dwAuthInfoSize / sizeof(WCHAR);
  497. pRule->ppAuthMethods[i]->pszAuthMethod = (LPWSTR) IPSecAllocPolMem(IpsecIkePol.AuthInfos.pAuthenticationInfo[i].dwAuthInfoSize + sizeof(WCHAR));
  498. memcpy(pRule->ppAuthMethods[i]->pszAuthMethod, IpsecIkePol.AuthInfos.pAuthenticationInfo[i].pAuthInfo, IpsecIkePol.AuthInfos.pAuthenticationInfo[i].dwAuthInfoSize);
  499. // add trailing '\0' - this is requirement for the polstore
  500. pRule->ppAuthMethods[i]->pszAuthMethod[pRule->ppAuthMethods[i]->dwAuthLen] = 0;
  502. pRule->ppAuthMethods[i]->dwAltAuthLen = 0;
  503. pRule->ppAuthMethods[i]->pAltAuthMethod = 0;
  504. }
  505. }
  507. // plumb it
  508. if (!pRule->pIpsecFilterData)
  509. {
  510. // fix up neg pol
  511. pRule->pIpsecNegPolData->NegPolType = GUID_NEGOTIATION_TYPE_DEFAULT;
  512. }
  513. hrReturn = IPSecCreateNegPolData(myPolicyStorage, pRule->pIpsecNegPolData);
  514. if (hrReturn != ERROR_SUCCESS)
  515. {
  516. return hrReturn;
  517. }
  519. // filter
  520. if (pRule->pIpsecFilterData)
  521. {
  522. hrReturn = IPSecCreateFilterData(myPolicyStorage, pRule->pIpsecFilterData);
  523. if (hrReturn != ERROR_SUCCESS)
  524. {
  525. return hrReturn;
  526. }
  527. }
  529. // NFA
  530. IPSecSetNFAData(myPolicyStorage, myIPSECPolicy->PolicyIdentifier, pRule);
  531. // policy
  532. if (IsPolicyInStorage())
  533. {
  534. IPSecSetPolicyData(myPolicyStorage, myIPSECPolicy);
  535. }
  536. else
  537. {
  538. TryToCreatePolicy();
  539. }
  541. if (!UuidIsNil(&oldFilter, &RpcStat))
  542. {
  543. IPSecDeleteFilterData(myPolicyStorage, oldFilter);
  544. }
  545. IPSecDeleteNegPolData(myPolicyStorage, oldNegPol);
  546. return hrReturn;
  547. }
  549. // forms a rule but doesn't commit it
  550. PIPSEC_NFA_DATA
  551. IPSECPolicyToStorage::MakeRule(IN IPSEC_IKE_POLICY IpsecIkePol, IN PSTORAGE_INFO pStorageInfo)
  552. {
  553. RPC_STATUS RpcStat;
  554. T2P_FILTER *pFilterList;
  555. IF_TYPE Interface;
  556. int i;
  557. WCHAR wszRuleName[POTF_MAX_STRLEN];
  558. PIPSEC_NFA_DATA pRule = (PIPSEC_NFA_DATA) IPSecAllocPolMem(sizeof(IPSEC_NFA_DATA));
  559. HRESULT hrReturn = S_OK;
  561. assert(pRule);
  562. pRule->pszIpsecName = pRule->pszDescription = pRule->pszInterfaceName = pRule->pszEndPointName = NULL;
  563. if (pStorageInfo)
  564. {
  565. pRule->pszIpsecName = IPSecAllocPolStr(pStorageInfo->szRuleName);
  566. }
  567. RpcStat = UuidCreate(&(pRule->NFAIdentifier));
  568. assert(RpcStat == RPC_S_OK || RpcStat == RPC_S_UUID_LOCAL_ONLY);
  569. pRule->dwWhenChanged = 0;
  571. // filters
  572. if (IpsecIkePol.QMFilterType == QM_TRANSPORT_FILTER
  573. && IpsecIkePol.pTransportFilters[0].SrcAddr.AddrType == IP_ADDR_UNIQUE
  574. && IpsecIkePol.pTransportFilters[0].SrcAddr.uIpAddr == IP_ADDRESS_ME
  575. && IpsecIkePol.pTransportFilters[0].DesAddr.AddrType == IP_ADDR_UNIQUE
  576. && IpsecIkePol.pTransportFilters[0].DesAddr.uIpAddr == IP_ADDRESS_ME
  577. && IpsecIkePol.pTransportFilters[0].InboundFilterFlag == (FILTER_FLAG) POTF_DEFAULT_RESPONSE_FLAG
  578. && IpsecIkePol.pTransportFilters[0].OutboundFilterFlag == (FILTER_FLAG) POTF_DEFAULT_RESPONSE_FLAG)
  579. {
  580. pRule->pIpsecFilterData = NULL;
  581. UuidCreateNil(&(pRule->FilterIdentifier));
  582. }
  583. else
  584. {
  585. pFilterList = new T2P_FILTER[IpsecIkePol.dwNumFilters];
  586. for (i = 0; i < (int) IpsecIkePol.dwNumFilters; i++)
  587. {
  588. if (IpsecIkePol.QMFilterType == QM_TRANSPORT_FILTER)
  589. {
  590. pFilterList[i].QMFilterType = QM_TRANSPORT_FILTER;
  591. pFilterList[i].TransportFilter = IpsecIkePol.pTransportFilters[i];
  592. }
  593. else
  594. {
  595. // tunnel
  596. pFilterList[i].QMFilterType = QM_TUNNEL_FILTER;
  597. pFilterList[i].TunnelFilter = IpsecIkePol.pTunnelFilters[i];
  598. }
  599. }
  600. if (pStorageInfo)
  601. {
  602. pRule->pIpsecFilterData = MakeFilters(pFilterList, IpsecIkePol.dwNumFilters, pStorageInfo->szRuleName);
  603. }
  604. else
  605. {
  606. pRule->pIpsecFilterData = MakeFilters(pFilterList, IpsecIkePol.dwNumFilters, L"");
  607. }
  608. pRule->FilterIdentifier = pRule->pIpsecFilterData->FilterIdentifier;
  609. delete[] pFilterList;
  610. }
  612. // filter action
  613. if (pStorageInfo)
  614. {
  615. pRule->pIpsecNegPolData = MakeNegotiationPolicy(IpsecIkePol.IpsPol, pStorageInfo->szRuleName);
  616. }
  617. else
  618. {
  619. pRule->pIpsecNegPolData = MakeNegotiationPolicy(IpsecIkePol.IpsPol, L"");
  620. }
  621. pRule->NegPolIdentifier = pRule->pIpsecNegPolData->NegPolIdentifier;
  622. if (pStorageInfo && pStorageInfo->guidNegPolAction != GUID_NEGOTIATION_ACTION_NORMAL_IPSEC)
  623. {
  624. pRule->pIpsecNegPolData->NegPolAction = pStorageInfo->guidNegPolAction;
  625. }
  627. // tunnel address
  628. pRule->dwTunnelFlags = 0;
  629. if (IpsecIkePol.QMFilterType == QM_TUNNEL_FILTER)
  630. {
  631. pRule->dwTunnelFlags = 1;
  632. pRule->dwTunnelIpAddr = IpsecIkePol.pTunnelFilters[0].DesTunnelAddr.uIpAddr;
  633. }
  635. // interface type
  636. Interface = (IpsecIkePol.QMFilterType == QM_TRANSPORT_FILTER) ? IpsecIkePol.pTransportFilters[0].InterfaceType : IpsecIkePol.pTunnelFilters[0].InterfaceType;
  637. if (Interface == INTERFACE_TYPE_ALL)
  638. {
  639. pRule->dwInterfaceType = PAS_INTERFACE_TYPE_ALL;
  640. }
  641. else if (Interface == INTERFACE_TYPE_LAN)
  642. {
  643. pRule->dwInterfaceType = PAS_INTERFACE_TYPE_LAN;
  644. }
  645. else if (Interface == INTERFACE_TYPE_DIALUP)
  646. {
  647. pRule->dwInterfaceType = PAS_INTERFACE_TYPE_DIALUP;
  648. }
  649. else
  650. {
  651. pRule->dwInterfaceType = PAS_INTERFACE_TYPE_NONE;
  652. }
  654. // active flag
  655. pRule->dwActiveFlag = TRUE;
  657. // auth methods
  658. pRule->dwAuthMethodCount = IpsecIkePol.AuthInfos.dwNumAuthInfos;
  659. pRule->ppAuthMethods = (PIPSEC_AUTH_METHOD *) IPSecAllocPolMem(pRule->dwAuthMethodCount * sizeof(PIPSEC_AUTH_METHOD));
  660. for (i = 0; i < (int) pRule->dwAuthMethodCount; i++)
  661. {
  662. pRule->ppAuthMethods[i] = (PIPSEC_AUTH_METHOD) IPSecAllocPolMem(sizeof(IPSEC_AUTH_METHOD));
  663. pRule->ppAuthMethods[i]->dwAuthType = IpsecIkePol.AuthInfos.pAuthenticationInfo[i].AuthMethod;
  664. if (pRule->ppAuthMethods[i]->dwAuthType == IKE_SSPI)
  665. {
  666. pRule->ppAuthMethods[i]->dwAuthLen = 0;
  667. pRule->ppAuthMethods[i]->pszAuthMethod = NULL;
  668. pRule->ppAuthMethods[i]->dwAltAuthLen = 0;
  669. pRule->ppAuthMethods[i]->pAltAuthMethod = 0;
  670. }
  671. else if (pRule->ppAuthMethods[i]->dwAuthType == IKE_RSA_SIGNATURE)
  672. {
  673. LPTSTR pTemp = NULL;
  674. pRule->ppAuthMethods[i]->dwAltAuthLen = IpsecIkePol.AuthInfos.pAuthenticationInfo[i].dwAuthInfoSize;
  675. pRule->ppAuthMethods[i]->pAltAuthMethod = (PBYTE) IPSecAllocPolMem(IpsecIkePol.AuthInfos.pAuthenticationInfo[i].dwAuthInfoSize);
  676. memcpy(pRule->ppAuthMethods[i]->pAltAuthMethod, IpsecIkePol.AuthInfos.pAuthenticationInfo[i].pAuthInfo, IpsecIkePol.AuthInfos.pAuthenticationInfo[i].dwAuthInfoSize);
  678. hrReturn = CM_DecodeName(pRule->ppAuthMethods[i]->pAltAuthMethod, pRule->ppAuthMethods[i]->dwAltAuthLen, &pTemp);
  679. assert(hrReturn == ERROR_SUCCESS);
  680. pRule->ppAuthMethods[i]->pszAuthMethod = IPSecAllocPolStr(pTemp);
  681. pRule->ppAuthMethods[i]->dwAuthLen = wcslen(pRule->ppAuthMethods[i]->pszAuthMethod);
  682. delete[] pTemp;
  683. }
  684. else
  685. {
  686. pRule->ppAuthMethods[i]->dwAuthLen = IpsecIkePol.AuthInfos.pAuthenticationInfo[i].dwAuthInfoSize / sizeof(WCHAR);
  687. pRule->ppAuthMethods[i]->pszAuthMethod = (LPWSTR) IPSecAllocPolMem(IpsecIkePol.AuthInfos.pAuthenticationInfo[i].dwAuthInfoSize + sizeof(WCHAR));
  688. memcpy(pRule->ppAuthMethods[i]->pszAuthMethod, IpsecIkePol.AuthInfos.pAuthenticationInfo[i].pAuthInfo, IpsecIkePol.AuthInfos.pAuthenticationInfo[i].dwAuthInfoSize);
  689. // add trailing '\0' - this is requirement for the polstore
  690. pRule->ppAuthMethods[i]->pszAuthMethod[pRule->ppAuthMethods[i]->dwAuthLen] = 0;
  692. pRule->ppAuthMethods[i]->dwAltAuthLen = 0;
  693. pRule->ppAuthMethods[i]->pAltAuthMethod = 0;
  694. }
  695. }
  697. return pRule;
  698. }
  700. // does not commit it to the storage
  701. // it is assumed that action is NEGOTIATE_SECURITY. If that's not true, it'll be corrected in MakeRule call
  702. // Soft SA flag is handled here
  703. PIPSEC_NEGPOL_DATA
  704. IPSECPolicyToStorage::MakeNegotiationPolicy(IPSEC_QM_POLICY IpsPol,
  705. LPWSTR Name)
  706. {
  707. RPC_STATUS RpcStat;
  708. int i;
  709. PIPSEC_NEGPOL_DATA pNegPol = (PIPSEC_NEGPOL_DATA) IPSecAllocPolMem(sizeof(IPSEC_NEGPOL_DATA));
  710. BOOL bPFS = FALSE;
  711. WCHAR pFAName[POTF_MAX_STRLEN];
  713. RpcStat = UuidCreate(&(pNegPol->NegPolIdentifier));
  714. assert(RpcStat == RPC_S_OK || RpcStat == RPC_S_UUID_LOCAL_ONLY);
  715. pNegPol->NegPolAction = GUID_NEGOTIATION_ACTION_NORMAL_IPSEC;
  716. pNegPol->NegPolType = GUID_NEGOTIATION_TYPE_STANDARD;
  717. pNegPol->dwSecurityMethodCount = IpsPol.dwOfferCount;
  718. if (IpsPol.dwFlags & IPSEC_QM_POLICY_ALLOW_SOFT)
  719. {
  720. // we need to add one more offer with no security algorithms
  721. pNegPol->dwSecurityMethodCount++;
  722. }
  724. // allocate sec.methods
  725. pNegPol->pIpsecSecurityMethods = (IPSEC_SECURITY_METHOD *) IPSecAllocPolMem(pNegPol->dwSecurityMethodCount * sizeof(IPSEC_SECURITY_METHOD));
  726. // fix up PFS, in storage it is the property of the filter action, not individual offer
  727. for (i = 0; i < (int) IpsPol.dwOfferCount; i++)
  728. {
  729. if (IpsPol.pOffers[i].bPFSRequired)
  730. {
  731. bPFS = TRUE;
  732. }
  733. }
  735. // handle sec.methods
  736. for (i = 0; i < (int) IpsPol.dwOfferCount; i++)
  737. {
  738. int j;
  740. pNegPol->pIpsecSecurityMethods[i].Lifetime.KeyExpirationBytes = IpsPol.pOffers[i].Lifetime.uKeyExpirationKBytes;
  741. pNegPol->pIpsecSecurityMethods[i].Lifetime.KeyExpirationTime = IpsPol.pOffers[i].Lifetime.uKeyExpirationTime;
  742. pNegPol->pIpsecSecurityMethods[i].Flags = 0;
  743. pNegPol->pIpsecSecurityMethods[i].PfsQMRequired = bPFS;
  744. pNegPol->pIpsecSecurityMethods[i].Count = IpsPol.pOffers[i].dwNumAlgos;
  745. for (j = 0; j < (int) pNegPol->pIpsecSecurityMethods[i].Count && j < QM_MAX_ALGOS; j++)
  746. {
  747. pNegPol->pIpsecSecurityMethods[i].Algos[j].algoIdentifier = IpsPol.pOffers[i].Algos[j].uAlgoIdentifier;
  748. pNegPol->pIpsecSecurityMethods[i].Algos[j].secondaryAlgoIdentifier = IpsPol.pOffers[i].Algos[j].uSecAlgoIdentifier;
  749. pNegPol->pIpsecSecurityMethods[i].Algos[j].algoKeylen = IpsPol.pOffers[i].Algos[j].uAlgoKeyLen;
  750. pNegPol->pIpsecSecurityMethods[i].Algos[j].algoRounds = IpsPol.pOffers[i].Algos[j].uAlgoRounds;
  751. switch (IpsPol.pOffers[i].Algos[j].Operation)
  752. {
  753. case AUTHENTICATION:
  754. pNegPol->pIpsecSecurityMethods[i].Algos[j].operation = Auth;
  755. break;
  756. case ENCRYPTION:
  757. pNegPol->pIpsecSecurityMethods[i].Algos[j].operation = Encrypt;
  758. break;
  759. default:
  760. pNegPol->pIpsecSecurityMethods[i].Algos[j].operation = None;
  761. }
  762. }
  763. }
  764. // add soft
  765. if (IpsPol.dwFlags & IPSEC_QM_POLICY_ALLOW_SOFT)
  766. {
  767. // set Count (and everything) to 0
  768. memset(&(pNegPol->pIpsecSecurityMethods[pNegPol->dwSecurityMethodCount - 1]), 0, sizeof(IPSEC_SECURITY_METHOD));
  769. }
  771. // name
  772. swprintf(pFAName, TEXT("%s filter action"), Name);
  773. pNegPol->pszIpsecName = IPSecAllocPolStr(pFAName);
  774. pNegPol->pszDescription = NULL;
  775. return pNegPol;
  776. }
  779. PIPSEC_FILTER_DATA
  780. IPSECPolicyToStorage::MakeFilters(
  781. T2P_FILTER *Filters,
  782. UINT NumFilters,
  783. LPWSTR Name)
  784. {
  785. RPC_STATUS RpcStat;
  786. PIPSEC_FILTER_DATA pFilter = (PIPSEC_FILTER_DATA) IPSecAllocPolMem(sizeof(IPSEC_FILTER_DATA));
  787. int i;
  788. WCHAR pFLName[POTF_MAX_STRLEN];
  790. RpcStat = UuidCreate(&(pFilter->FilterIdentifier));
  791. assert(RpcStat == RPC_S_OK || RpcStat == RPC_S_UUID_LOCAL_ONLY);
  793. pFilter->dwNumFilterSpecs = NumFilters;
  794. pFilter->ppFilterSpecs = (PIPSEC_FILTER_SPEC *) IPSecAllocPolMem(NumFilters*sizeof(PIPSEC_FILTER_SPEC));
  795. assert(pFilter->ppFilterSpecs);
  797. for (i = 0; i < (int) NumFilters; i++)
  798. {
  799. pFilter->ppFilterSpecs[i] = (PIPSEC_FILTER_SPEC) IPSecAllocPolMem(sizeof(IPSEC_FILTER_SPEC));
  800. assert(pFilter->ppFilterSpecs[i]);
  801. ConvertFilter(Filters[i], *(pFilter->ppFilterSpecs[i]));
  802. }
  804. pFilter->dwWhenChanged = 0;
  805. swprintf(pFLName, TEXT("%s filter list"), Name);
  806. pFilter->pszIpsecName = IPSecAllocPolStr(pFLName);
  807. pFilter->pszDescription = NULL;
  809. return pFilter;
  810. }
  812. HRESULT
  813. IPSECPolicyToStorage::SetISAKMPPolicy(IPSEC_MM_POLICY IkePol)
  814. {
  815. HRESULT hrReturn = S_OK;
  816. RPC_STATUS RpcStat;
  817. GUID oldISAKMP;
  818. int i;
  820. if (!IsOpen())
  821. {
  822. return ERROR_ACCESS_DENIED;
  823. }
  825. oldISAKMP = myIPSECPolicy->ISAKMPIdentifier;
  826. if (myIPSECPolicy->pIpsecISAKMPData)
  827. {
  828. IPSecFreeISAKMPData(myIPSECPolicy->pIpsecISAKMPData);
  829. }
  831. RpcStat = UuidCreate(&(myIPSECPolicy->ISAKMPIdentifier));
  832. assert(RpcStat == RPC_S_OK || RpcStat == RPC_S_UUID_LOCAL_ONLY);
  834. myIPSECPolicy->pIpsecISAKMPData = (PIPSEC_ISAKMP_DATA) IPSecAllocPolMem(sizeof(IPSEC_ISAKMP_DATA));
  836. myIPSECPolicy->pIpsecISAKMPData->ISAKMPIdentifier = myIPSECPolicy->ISAKMPIdentifier;
  837. myIPSECPolicy->pIpsecISAKMPData->dwWhenChanged = 0;
  839. // sec methods stuff
  840. myIPSECPolicy->pIpsecISAKMPData->dwNumISAKMPSecurityMethods = IkePol.dwOfferCount;
  841. myIPSECPolicy->pIpsecISAKMPData->pSecurityMethods = (PCRYPTO_BUNDLE) IPSecAllocPolMem(sizeof(CRYPTO_BUNDLE)*IkePol.dwOfferCount);
  842. for (i = 0; i < (int) IkePol.dwOfferCount; i++)
  843. {
  844. myIPSECPolicy->pIpsecISAKMPData->pSecurityMethods[i].MajorVersion = 0;
  845. myIPSECPolicy->pIpsecISAKMPData->pSecurityMethods[i].MinorVersion = 0;
  846. myIPSECPolicy->pIpsecISAKMPData->pSecurityMethods[i].AuthenticationMethod = 0;
  847. myIPSECPolicy->pIpsecISAKMPData->pSecurityMethods[i].PseudoRandomFunction.AlgorithmIdentifier = 0;
  848. myIPSECPolicy->pIpsecISAKMPData->pSecurityMethods[i].PseudoRandomFunction.KeySize = 0;
  849. myIPSECPolicy->pIpsecISAKMPData->pSecurityMethods[i].PseudoRandomFunction.Rounds = 0;
  850. myIPSECPolicy->pIpsecISAKMPData->pSecurityMethods[i].PfsIdentityRequired = (IkePol.pOffers[i].dwQuickModeLimit == 1);
  851. myIPSECPolicy->pIpsecISAKMPData->pSecurityMethods[i].EncryptionAlgorithm.AlgorithmIdentifier = IkePol.pOffers[i].EncryptionAlgorithm.uAlgoIdentifier;
  852. myIPSECPolicy->pIpsecISAKMPData->pSecurityMethods[i].EncryptionAlgorithm.KeySize = IkePol.pOffers[i].EncryptionAlgorithm.uAlgoKeyLen;
  853. myIPSECPolicy->pIpsecISAKMPData->pSecurityMethods[i].EncryptionAlgorithm.Rounds = IkePol.pOffers[i].EncryptionAlgorithm.uAlgoRounds;
  854. myIPSECPolicy->pIpsecISAKMPData->pSecurityMethods[i].HashAlgorithm.AlgorithmIdentifier = IkePol.pOffers[i].HashingAlgorithm.uAlgoIdentifier;
  855. myIPSECPolicy->pIpsecISAKMPData->pSecurityMethods[i].HashAlgorithm.KeySize = IkePol.pOffers[i].HashingAlgorithm.uAlgoKeyLen;
  856. myIPSECPolicy->pIpsecISAKMPData->pSecurityMethods[i].HashAlgorithm.Rounds = IkePol.pOffers[i].HashingAlgorithm.uAlgoRounds;
  857. myIPSECPolicy->pIpsecISAKMPData->pSecurityMethods[i].OakleyGroup = IkePol.pOffers[i].dwDHGroup;
  858. myIPSECPolicy->pIpsecISAKMPData->pSecurityMethods[i].QuickModeLimit = IkePol.pOffers[i].dwQuickModeLimit;
  859. myIPSECPolicy->pIpsecISAKMPData->pSecurityMethods[i].Lifetime.KBytes = IkePol.pOffers[i].Lifetime.uKeyExpirationKBytes;
  860. myIPSECPolicy->pIpsecISAKMPData->pSecurityMethods[i].Lifetime.Seconds = IkePol.pOffers[i].Lifetime.uKeyExpirationTime;
  861. }
  863. // now for other stuff - ISAKMPPolicy
  864. myIPSECPolicy->pIpsecISAKMPData->ISAKMPPolicy.PolicyId = myIPSECPolicy->ISAKMPIdentifier;
  865. myIPSECPolicy->pIpsecISAKMPData->ISAKMPPolicy.IdentityProtectionRequired = 0;
  866. myIPSECPolicy->pIpsecISAKMPData->ISAKMPPolicy.PfsIdentityRequired = myIPSECPolicy->pIpsecISAKMPData->pSecurityMethods[0].PfsIdentityRequired;
  868. // save it
  869. hrReturn = IPSecCreateISAKMPData(myPolicyStorage, myIPSECPolicy->pIpsecISAKMPData);
  870. if (hrReturn != ERROR_SUCCESS)
  871. {
  872. return hrReturn;
  873. }
  875. if (IsPolicyInStorage())
  876. {
  877. IPSecSetPolicyData(myPolicyStorage, myIPSECPolicy);
  878. }
  879. else
  880. {
  881. TryToCreatePolicy();
  882. }
  884. IPSecDeleteISAKMPData(myPolicyStorage, oldISAKMP);
  886. return ERROR_SUCCESS;
  887. }
  889. LPVOID
  890. IPSECPolicyToStorage::ReallocPolMem(
  891. LPVOID pOldMem,
  892. DWORD cbOld,
  893. DWORD cbNew
  894. )
  895. {
  896. LPVOID pNewMem;
  898. pNewMem=IPSecAllocPolMem(cbNew);
  900. if (pOldMem && pNewMem) {
  901. memcpy(pNewMem, pOldMem, min(cbNew, cbOld));
  902. IPSecFreePolMem(pOldMem);
  903. }
  905. return pNewMem;
  906. }
  908. // forms a rule but doesn't commit it
  909. // forms default response rule
  910. PIPSEC_NFA_DATA
  911. IPSECPolicyToStorage::MakeDefaultResponseRule ()
  912. {
  913. RPC_STATUS RpcStat;
  914. PIPSEC_NFA_DATA pRule = (PIPSEC_NFA_DATA) IPSecAllocPolMem(sizeof(IPSEC_NFA_DATA));
  916. assert(pRule);
  917. pRule->pszIpsecName = pRule->pszDescription = pRule->pszInterfaceName = pRule->pszEndPointName = NULL;
  918. RpcStat = UuidCreate(&(pRule->NFAIdentifier));
  919. assert(RpcStat == RPC_S_OK || RpcStat == RPC_S_UUID_LOCAL_ONLY);
  920. pRule->dwWhenChanged = 0;
  922. // filter list
  923. pRule->pIpsecFilterData = NULL;
  924. UuidCreateNil(&(pRule->FilterIdentifier));
  926. // filter action
  927. pRule->pIpsecNegPolData = MakeDefaultResponseNegotiationPolicy ();
  929. pRule->NegPolIdentifier = pRule->pIpsecNegPolData->NegPolIdentifier;
  931. // tunnel address
  932. pRule->dwTunnelFlags = 0;
  934. // interface type
  935. pRule->dwInterfaceType = PAS_INTERFACE_TYPE_ALL;
  937. // active flag
  938. pRule->dwActiveFlag = FALSE;
  940. // auth methods
  941. pRule->dwAuthMethodCount = 1;
  942. pRule->ppAuthMethods = (PIPSEC_AUTH_METHOD *) IPSecAllocPolMem(pRule->dwAuthMethodCount * sizeof(PIPSEC_AUTH_METHOD));
  943. assert(pRule->ppAuthMethods);
  944. pRule->ppAuthMethods[0] = (PIPSEC_AUTH_METHOD) IPSecAllocPolMem(sizeof(IPSEC_AUTH_METHOD));
  945. pRule->ppAuthMethods[0]->dwAuthType = IKE_SSPI;
  946. pRule->ppAuthMethods[0]->dwAuthLen = 0;
  947. pRule->ppAuthMethods[0]->pszAuthMethod = NULL;
  949. return pRule;
  950. }
  952. // does not commit it to the storage
  953. PIPSEC_NEGPOL_DATA
  954. IPSECPolicyToStorage::MakeDefaultResponseNegotiationPolicy ( )
  955. {
  956. RPC_STATUS RpcStat;
  957. int i;
  958. PIPSEC_NEGPOL_DATA pNegPol = (PIPSEC_NEGPOL_DATA) IPSecAllocPolMem(sizeof(IPSEC_NEGPOL_DATA));
  959. WCHAR pFAName[POTF_MAX_STRLEN];
  961. RpcStat = UuidCreate(&(pNegPol->NegPolIdentifier));
  962. assert(RpcStat == RPC_S_OK || RpcStat == RPC_S_UUID_LOCAL_ONLY);
  963. pNegPol->NegPolAction = GUID_NEGOTIATION_ACTION_NORMAL_IPSEC;
  964. pNegPol->NegPolType = GUID_NEGOTIATION_TYPE_DEFAULT;
  965. pNegPol->dwSecurityMethodCount = 6;
  967. // allocate sec.methods
  968. pNegPol->pIpsecSecurityMethods = (IPSEC_SECURITY_METHOD *) IPSecAllocPolMem(pNegPol->dwSecurityMethodCount * sizeof(IPSEC_SECURITY_METHOD));
  970. // method 0 - ESP[3DES, SHA1]
  971. pNegPol->pIpsecSecurityMethods[0].Lifetime.KeyExpirationBytes = 0;
  972. pNegPol->pIpsecSecurityMethods[0].Lifetime.KeyExpirationTime = 0;
  973. pNegPol->pIpsecSecurityMethods[0].Flags = 0;
  974. pNegPol->pIpsecSecurityMethods[0].PfsQMRequired = FALSE;
  975. pNegPol->pIpsecSecurityMethods[0].Count = 1;
  976. pNegPol->pIpsecSecurityMethods[0].Algos[0].algoIdentifier = IPSEC_DOI_ESP_3_DES;
  977. pNegPol->pIpsecSecurityMethods[0].Algos[0].secondaryAlgoIdentifier = IPSEC_DOI_AH_SHA1;
  978. pNegPol->pIpsecSecurityMethods[0].Algos[0].algoKeylen = 0;
  979. pNegPol->pIpsecSecurityMethods[0].Algos[0].algoRounds = 0;
  980. pNegPol->pIpsecSecurityMethods[0].Algos[0].operation = Encrypt;
  982. // method 1 - ESP[3DES, MD5]
  983. pNegPol->pIpsecSecurityMethods[1].Lifetime.KeyExpirationBytes = 0;
  984. pNegPol->pIpsecSecurityMethods[1].Lifetime.KeyExpirationTime = 0;
  985. pNegPol->pIpsecSecurityMethods[1].Flags = 0;
  986. pNegPol->pIpsecSecurityMethods[1].PfsQMRequired = FALSE;
  987. pNegPol->pIpsecSecurityMethods[1].Count = 1;
  988. pNegPol->pIpsecSecurityMethods[1].Algos[0].algoIdentifier = IPSEC_DOI_ESP_3_DES;
  989. pNegPol->pIpsecSecurityMethods[1].Algos[0].secondaryAlgoIdentifier = IPSEC_DOI_AH_MD5;
  990. pNegPol->pIpsecSecurityMethods[1].Algos[0].algoKeylen = 0;
  991. pNegPol->pIpsecSecurityMethods[1].Algos[0].algoRounds = 0;
  992. pNegPol->pIpsecSecurityMethods[1].Algos[0].operation = Encrypt;
  994. // method 2 - ESP[DES, SHA1]
  995. pNegPol->pIpsecSecurityMethods[2].Lifetime.KeyExpirationBytes = 0;
  996. pNegPol->pIpsecSecurityMethods[2].Lifetime.KeyExpirationTime = 0;
  997. pNegPol->pIpsecSecurityMethods[2].Flags = 0;
  998. pNegPol->pIpsecSecurityMethods[2].PfsQMRequired = FALSE;
  999. pNegPol->pIpsecSecurityMethods[2].Count = 1;
  1000. pNegPol->pIpsecSecurityMethods[2].Algos[0].algoIdentifier = IPSEC_DOI_ESP_DES;
  1001. pNegPol->pIpsecSecurityMethods[2].Algos[0].secondaryAlgoIdentifier = IPSEC_DOI_AH_SHA1;
  1002. pNegPol->pIpsecSecurityMethods[2].Algos[0].algoKeylen = 0;
  1003. pNegPol->pIpsecSecurityMethods[2].Algos[0].algoRounds = 0;
  1004. pNegPol->pIpsecSecurityMethods[2].Algos[0].operation = Encrypt;
  1006. // method 3 - ESP[DES, MD5]
  1007. pNegPol->pIpsecSecurityMethods[3].Lifetime.KeyExpirationBytes = 0;
  1008. pNegPol->pIpsecSecurityMethods[3].Lifetime.KeyExpirationTime = 0;
  1009. pNegPol->pIpsecSecurityMethods[3].Flags = 0;
  1010. pNegPol->pIpsecSecurityMethods[3].PfsQMRequired = FALSE;
  1011. pNegPol->pIpsecSecurityMethods[3].Count = 1;
  1012. pNegPol->pIpsecSecurityMethods[3].Algos[0].algoIdentifier = IPSEC_DOI_ESP_DES;
  1013. pNegPol->pIpsecSecurityMethods[3].Algos[0].secondaryAlgoIdentifier = IPSEC_DOI_AH_MD5;
  1014. pNegPol->pIpsecSecurityMethods[3].Algos[0].algoKeylen = 0;
  1015. pNegPol->pIpsecSecurityMethods[3].Algos[0].algoRounds = 0;
  1016. pNegPol->pIpsecSecurityMethods[3].Algos[0].operation = Encrypt;
  1018. // method 4 - AH[SHA1]
  1019. pNegPol->pIpsecSecurityMethods[4].Lifetime.KeyExpirationBytes = 0;
  1020. pNegPol->pIpsecSecurityMethods[4].Lifetime.KeyExpirationTime = 0;
  1021. pNegPol->pIpsecSecurityMethods[4].Flags = 0;
  1022. pNegPol->pIpsecSecurityMethods[4].PfsQMRequired = FALSE;
  1023. pNegPol->pIpsecSecurityMethods[4].Count = 1;
  1024. pNegPol->pIpsecSecurityMethods[4].Algos[0].algoIdentifier = IPSEC_DOI_AH_SHA1;
  1025. pNegPol->pIpsecSecurityMethods[4].Algos[0].secondaryAlgoIdentifier = IPSEC_DOI_AH_NONE;
  1026. pNegPol->pIpsecSecurityMethods[4].Algos[0].algoKeylen = 0;
  1027. pNegPol->pIpsecSecurityMethods[4].Algos[0].algoRounds = 0;
  1028. pNegPol->pIpsecSecurityMethods[4].Algos[0].operation = Auth;
  1030. // method 5 - AH[MD5]
  1031. pNegPol->pIpsecSecurityMethods[5].Lifetime.KeyExpirationBytes = 0;
  1032. pNegPol->pIpsecSecurityMethods[5].Lifetime.KeyExpirationTime = 0;
  1033. pNegPol->pIpsecSecurityMethods[5].Flags = 0;
  1034. pNegPol->pIpsecSecurityMethods[5].PfsQMRequired = FALSE;
  1035. pNegPol->pIpsecSecurityMethods[5].Count = 1;
  1036. pNegPol->pIpsecSecurityMethods[5].Algos[0].algoIdentifier = IPSEC_DOI_AH_MD5;
  1037. pNegPol->pIpsecSecurityMethods[5].Algos[0].secondaryAlgoIdentifier = IPSEC_DOI_AH_NONE;
  1038. pNegPol->pIpsecSecurityMethods[5].Algos[0].algoKeylen = 0;
  1039. pNegPol->pIpsecSecurityMethods[5].Algos[0].algoRounds = 0;
  1040. pNegPol->pIpsecSecurityMethods[5].Algos[0].operation = Auth;
  1042. // name
  1043. swprintf(pFAName, TEXT(""));
  1044. pNegPol->pszIpsecName = IPSecAllocPolStr(pFAName);
  1045. pNegPol->pszDescription = NULL;
  1046. return pNegPol;
  1047. }
  1049. #ifdef __cplusplus
  1050. }
  1051. #endif
  1052.