|
|
#include "precomp.h"
const DWORD PS_INTERFACE_TYPE_NONE = 0;const DWORD PS_INTERFACE_TYPE_DIALUP = -1;const DWORD PS_INTERFACE_TYPE_LAN = -2;const DWORD PS_INTERFACE_TYPE_ALL = -3;
DWORDGenerateDefaultInformation( HANDLE hPolicyStore ){ DWORD dwError = 0; PIPSEC_FILTER_DATA pAllFilter = NULL; PIPSEC_FILTER_DATA pAllICMPFilter = NULL; PIPSEC_NEGPOL_DATA pPermitNegPol = NULL; PIPSEC_NEGPOL_DATA pRequestSecurityNegPol = NULL; PIPSEC_NEGPOL_DATA pRequireSecurityNegPol = NULL; PIPSEC_ISAKMP_DATA pDefaultISAKMP = NULL;
// {72385234-70FA-11d1-864C-14A300000000}
static const GUID GUID_DEFAULT_ISAKMP= { 0x72385234, 0x70fa, 0x11d1, { 0x86, 0x4c, 0x14, 0xa3, 0x0, 0x0, 0x0, 0x0 } };
dwError = CreateAllFilter( hPolicyStore, &pAllFilter ); BAIL_ON_WIN32_ERROR(dwError);
dwError = CreateAllICMPFilter( hPolicyStore, &pAllICMPFilter ); BAIL_ON_WIN32_ERROR(dwError);
dwError = CreatePermitNegPol( hPolicyStore, &pPermitNegPol ); BAIL_ON_WIN32_ERROR(dwError);
dwError = CreateRequestSecurityNegPol( hPolicyStore, &pRequestSecurityNegPol ); BAIL_ON_WIN32_ERROR(dwError);
dwError = CreateRequireSecurityNegPol( hPolicyStore, &pRequireSecurityNegPol ); BAIL_ON_WIN32_ERROR(dwError);
dwError = CreateClientPolicy( hPolicyStore ); BAIL_ON_WIN32_ERROR(dwError);
dwError = CreateRequestSecurityPolicy( hPolicyStore, pAllFilter, pAllICMPFilter, pPermitNegPol, pRequestSecurityNegPol ); BAIL_ON_WIN32_ERROR(dwError);
dwError = CreateRequireSecurityPolicy( hPolicyStore, pAllFilter, pAllICMPFilter, pPermitNegPol, pRequireSecurityNegPol ); BAIL_ON_WIN32_ERROR(dwError);
dwError = CreateISAKMP( hPolicyStore, GUID_DEFAULT_ISAKMP, &pDefaultISAKMP ); BAIL_ON_WIN32_ERROR(dwError);
error:
if (pAllFilter) { FreeIpsecFilterData(pAllFilter); }
if (pAllICMPFilter) { FreeIpsecFilterData(pAllICMPFilter); }
if (pPermitNegPol) { FreeIpsecNegPolData(pPermitNegPol); }
if (pRequestSecurityNegPol) { FreeIpsecNegPolData(pRequestSecurityNegPol); }
if (pRequireSecurityNegPol) { FreeIpsecNegPolData(pRequireSecurityNegPol); }
if (pDefaultISAKMP) { FreeIpsecISAKMPData(pDefaultISAKMP); }
return(dwError);}
DWORDCreateAllFilter( HANDLE hPolicyStore, PIPSEC_FILTER_DATA * ppAllFilter ){ DWORD dwError = 0; PIPSEC_FILTER_DATA pAllFilter = NULL; DWORD dwNumFilterSpecs = 0; PIPSEC_FILTER_SPEC * ppFilterSpecs = NULL; PIPSEC_FILTER_SPEC pFilterSpec = NULL;
// {7238523a-70FA-11d1-864C-14A300000000}
static const GUID GUID_ALL_FILTER= { 0x7238523a, 0x70fa, 0x11d1, { 0x86, 0x4c, 0x14, 0xa3, 0x0, 0x0, 0x0, 0x0 } };
pAllFilter = (PIPSEC_FILTER_DATA) AllocPolMem( sizeof(IPSEC_FILTER_DATA) ); if (!pAllFilter) { dwError = ERROR_OUTOFMEMORY; BAIL_ON_WIN32_ERROR(dwError); }
memcpy( &(pAllFilter->FilterIdentifier), &(GUID_ALL_FILTER), sizeof(GUID) );
pAllFilter->dwWhenChanged = 0;
dwError = MapAndAllocPolStr(&(pAllFilter->pszIpsecName), POLSTORE_ALL_FILTER_NAME ); BAIL_ON_WIN32_ERROR(dwError);
dwError = MapAndAllocPolStr(&(pAllFilter->pszDescription), POLSTORE_ALL_FILTER_DESCRIPTION ); BAIL_ON_WIN32_ERROR(dwError);
dwNumFilterSpecs = 1; ppFilterSpecs = (PIPSEC_FILTER_SPEC *) AllocPolMem( sizeof(PIPSEC_FILTER_SPEC)*dwNumFilterSpecs ); if (!ppFilterSpecs) { dwError = ERROR_OUTOFMEMORY; BAIL_ON_WIN32_ERROR(dwError); } pAllFilter->dwNumFilterSpecs = dwNumFilterSpecs; pAllFilter->ppFilterSpecs = ppFilterSpecs;
pFilterSpec = (PIPSEC_FILTER_SPEC) AllocPolMem( sizeof(IPSEC_FILTER_SPEC) ); if (!pFilterSpec) { dwError = ERROR_OUTOFMEMORY; BAIL_ON_WIN32_ERROR(dwError); } *(ppFilterSpecs + 0) = pFilterSpec;
pFilterSpec->pszSrcDNSName = NULL; pFilterSpec->pszDestDNSName = NULL; pFilterSpec->pszDescription = NULL;
dwError = UuidCreate( &pFilterSpec->FilterSpecGUID ); BAIL_ON_WIN32_ERROR(dwError);
pFilterSpec->dwMirrorFlag = 1;
pFilterSpec->Filter.SrcAddr = 0; pFilterSpec->Filter.SrcMask = -1; pFilterSpec->Filter.DestAddr = 0; pFilterSpec->Filter.DestMask = 0; pFilterSpec->Filter.TunnelAddr = 0; pFilterSpec->Filter.Protocol = 0; pFilterSpec->Filter.SrcPort = 0; pFilterSpec->Filter.DestPort = 0; pFilterSpec->Filter.TunnelFilter = 0; pFilterSpec->Filter.Flags = 0;
dwError = IPSecCreateFilterData( hPolicyStore, pAllFilter ); BAIL_ON_WIN32_ERROR(dwError);
*ppAllFilter = pAllFilter;
return (dwError);
error:
if (pAllFilter) { FreeIpsecFilterData(pAllFilter); }
*ppAllFilter = NULL; return (dwError);}
DWORDCreateAllICMPFilter( HANDLE hPolicyStore, PIPSEC_FILTER_DATA * ppAllICMPFilter ){ DWORD dwError = 0; PIPSEC_FILTER_DATA pAllICMPFilter = NULL; DWORD dwNumFilterSpecs = 0; PIPSEC_FILTER_SPEC * ppFilterSpecs = NULL; PIPSEC_FILTER_SPEC pFilterSpec = NULL;
// {72385235-70FA-11d1-864C-14A300000000}
static const GUID GUID_ALL_ICMP_FILTER = { 0x72385235, 0x70fa, 0x11d1, { 0x86, 0x4c, 0x14, 0xa3, 0x0, 0x0, 0x0, 0x0 } };
pAllICMPFilter = (PIPSEC_FILTER_DATA) AllocPolMem( sizeof(IPSEC_FILTER_DATA) ); if (!pAllICMPFilter) { dwError = ERROR_OUTOFMEMORY; BAIL_ON_WIN32_ERROR(dwError); }
memcpy( &(pAllICMPFilter->FilterIdentifier), &(GUID_ALL_ICMP_FILTER), sizeof(GUID) );
pAllICMPFilter->dwWhenChanged = 0;
dwError = MapAndAllocPolStr(&(pAllICMPFilter->pszIpsecName), POLSTORE_ALL_ICMP_FILTER_NAME ); BAIL_ON_WIN32_ERROR(dwError);
dwError = MapAndAllocPolStr(&(pAllICMPFilter->pszDescription), POLSTORE_ALL_ICMP_FILTER_DESCRIPTION ); BAIL_ON_WIN32_ERROR(dwError);
dwNumFilterSpecs = 1; ppFilterSpecs = (PIPSEC_FILTER_SPEC *) AllocPolMem( sizeof(PIPSEC_FILTER_SPEC)*dwNumFilterSpecs ); if (!ppFilterSpecs) { dwError = ERROR_OUTOFMEMORY; BAIL_ON_WIN32_ERROR(dwError); } pAllICMPFilter->dwNumFilterSpecs = dwNumFilterSpecs; pAllICMPFilter->ppFilterSpecs = ppFilterSpecs;
pFilterSpec = (PIPSEC_FILTER_SPEC) AllocPolMem( sizeof(IPSEC_FILTER_SPEC) ); if (!pFilterSpec) { dwError = ERROR_OUTOFMEMORY; BAIL_ON_WIN32_ERROR(dwError); } *(ppFilterSpecs + 0) = pFilterSpec;
pFilterSpec->pszSrcDNSName = NULL; pFilterSpec->pszDestDNSName = NULL; dwError = MapAndAllocPolStr(&(pFilterSpec->pszDescription), POLSTORE_ICMPFILTER_SPEC_DESCRIPTION ); BAIL_ON_WIN32_ERROR(dwError);
dwError = UuidCreate( &pFilterSpec->FilterSpecGUID ); BAIL_ON_WIN32_ERROR(dwError);
pFilterSpec->dwMirrorFlag = 1;
pFilterSpec->Filter.SrcAddr = 0; pFilterSpec->Filter.SrcMask = -1; pFilterSpec->Filter.DestAddr = 0; pFilterSpec->Filter.DestMask = 0; pFilterSpec->Filter.TunnelAddr = 0; pFilterSpec->Filter.Protocol = 1; pFilterSpec->Filter.SrcPort = 0; pFilterSpec->Filter.DestPort = 0; pFilterSpec->Filter.TunnelFilter = 0; pFilterSpec->Filter.Flags = 0;
dwError = IPSecCreateFilterData( hPolicyStore, pAllICMPFilter ); BAIL_ON_WIN32_ERROR(dwError);
*ppAllICMPFilter = pAllICMPFilter;
return (dwError);
error:
if (pAllICMPFilter) { FreeIpsecFilterData(pAllICMPFilter); }
*ppAllICMPFilter = NULL; return (dwError);}
DWORDCreatePermitNegPol( HANDLE hPolicyStore, PIPSEC_NEGPOL_DATA * ppPermitNegPol ){ DWORD dwError = 0; PIPSEC_NEGPOL_DATA pPermitNegPol = NULL;
static const GUID GUID_PERMIT_NEGPOL = { 0x7238523b, 0x70fa, 0x11d1, { 0x86, 0x4c, 0x14, 0xa3, 0x0, 0x0, 0x0, 0x0 } };
pPermitNegPol = (PIPSEC_NEGPOL_DATA) AllocPolMem( sizeof(IPSEC_NEGPOL_DATA) ); if (!pPermitNegPol) { dwError = ERROR_OUTOFMEMORY; BAIL_ON_WIN32_ERROR(dwError); }
memcpy( &(pPermitNegPol->NegPolIdentifier), &(GUID_PERMIT_NEGPOL), sizeof(GUID) );
memcpy( &(pPermitNegPol->NegPolAction), &(GUID_NEGOTIATION_ACTION_NO_IPSEC), sizeof(GUID) );
memcpy( &(pPermitNegPol->NegPolType), &(GUID_NEGOTIATION_TYPE_STANDARD), sizeof(GUID) );
pPermitNegPol->dwSecurityMethodCount = 0; pPermitNegPol->pIpsecSecurityMethods = NULL;
pPermitNegPol->dwWhenChanged = 0;
dwError = MapAndAllocPolStr(&(pPermitNegPol->pszIpsecName), POLSTORE_PERMIT_NEG_POL_NAME ); BAIL_ON_WIN32_ERROR(dwError);
dwError = MapAndAllocPolStr(&(pPermitNegPol->pszDescription), POLSTORE_PERMIT_NEG_POL_DESCRIPTION ); BAIL_ON_WIN32_ERROR(dwError);
dwError = IPSecCreateNegPolData( hPolicyStore, pPermitNegPol ); BAIL_ON_WIN32_ERROR(dwError);
*ppPermitNegPol = pPermitNegPol;
return (dwError);
error:
if (pPermitNegPol) { FreeIpsecNegPolData(pPermitNegPol); }
*ppPermitNegPol = NULL; return (dwError);}
DWORDCreateRequestSecurityNegPol( HANDLE hPolicyStore, PIPSEC_NEGPOL_DATA * ppRequestSecurityNegPol ){ DWORD dwError = 0; PIPSEC_NEGPOL_DATA pRequestSecurityNegPol = NULL; DWORD dwSecurityMethodCount = 0; PIPSEC_SECURITY_METHOD pIpsecSecurityMethods = NULL; PIPSEC_SECURITY_METHOD pMethod = NULL;
// {72385233-70FA-11d1-864C-14A300000000}
static const GUID GUID_SECURE_INITIATOR_NEGPOL = { 0x72385233, 0x70fa, 0x11d1, { 0x86, 0x4c, 0x14, 0xa3, 0x0, 0x0, 0x0, 0x0 } };
pRequestSecurityNegPol = (PIPSEC_NEGPOL_DATA) AllocPolMem( sizeof(IPSEC_NEGPOL_DATA) ); if (!pRequestSecurityNegPol) { dwError = ERROR_OUTOFMEMORY; BAIL_ON_WIN32_ERROR(dwError); }
memcpy( &(pRequestSecurityNegPol->NegPolIdentifier), &(GUID_SECURE_INITIATOR_NEGPOL), sizeof(GUID) );
memcpy( &(pRequestSecurityNegPol->NegPolAction), &(GUID_NEGOTIATION_ACTION_INBOUND_PASSTHRU), sizeof(GUID) );
memcpy( &(pRequestSecurityNegPol->NegPolType), &(GUID_NEGOTIATION_TYPE_STANDARD), sizeof(GUID) );
dwSecurityMethodCount = 5; pIpsecSecurityMethods = (PIPSEC_SECURITY_METHOD) AllocPolMem( sizeof(IPSEC_SECURITY_METHOD)*dwSecurityMethodCount ); if (!pIpsecSecurityMethods) { dwError = ERROR_OUTOFMEMORY; BAIL_ON_WIN32_ERROR(dwError); }
pMethod = pIpsecSecurityMethods;
pMethod->Lifetime.KeyExpirationTime = 900; pMethod->Lifetime.KeyExpirationBytes = 100000; pMethod->Flags = 0; pMethod->PfsQMRequired = FALSE; pMethod->Count = 1; pMethod->Algos[0].operation = Encrypt; pMethod->Algos[0].algoIdentifier = IPSEC_ESP_3_DES; pMethod->Algos[0].secondaryAlgoIdentifier = IPSEC_AH_SHA; pMethod ++;
pMethod->Lifetime.KeyExpirationTime = 900; pMethod->Lifetime.KeyExpirationBytes = 100000; pMethod->Flags = 0; pMethod->PfsQMRequired = FALSE; pMethod->Count = 1; pMethod->Algos[0].operation = Encrypt; pMethod->Algos[0].algoIdentifier = IPSEC_ESP_DES; pMethod->Algos[0].secondaryAlgoIdentifier = IPSEC_AH_SHA; pMethod ++;
pMethod->Lifetime.KeyExpirationTime = 300; pMethod->Lifetime.KeyExpirationBytes = 100000; pMethod->Flags = 0; pMethod->PfsQMRequired = FALSE; pMethod->Count = 1; pMethod->Algos[0].operation = Auth; pMethod->Algos[0].algoIdentifier = IPSEC_AH_SHA; pMethod->Algos[0].secondaryAlgoIdentifier = 0;; pMethod ++;
pMethod->Lifetime.KeyExpirationTime = 300; pMethod->Lifetime.KeyExpirationBytes = 100000; pMethod->Flags = 0; pMethod->PfsQMRequired = FALSE; pMethod->Count = 1; pMethod->Algos[0].operation = Auth; pMethod->Algos[0].algoIdentifier = IPSEC_AH_MD5; pMethod->Algos[0].secondaryAlgoIdentifier = 0; pMethod ++;
pMethod->Lifetime.KeyExpirationTime = 0; pMethod->Lifetime.KeyExpirationBytes = 0; pMethod->Flags = 0; pMethod->PfsQMRequired = FALSE; pMethod->Count = 0;
pRequestSecurityNegPol->dwSecurityMethodCount = dwSecurityMethodCount; pRequestSecurityNegPol->pIpsecSecurityMethods = pIpsecSecurityMethods;
pRequestSecurityNegPol->dwWhenChanged = 0;
dwError = MapAndAllocPolStr(&(pRequestSecurityNegPol->pszIpsecName), POLSTORE_REQUEST_SECURITY_NEG_POL_NAME ); BAIL_ON_WIN32_ERROR(dwError);
dwError = MapAndAllocPolStr(&(pRequestSecurityNegPol->pszDescription), POLSTORE_REQUEST_SECURITY_NEG_POL_DESCRIPTION ); BAIL_ON_WIN32_ERROR(dwError);
dwError = IPSecCreateNegPolData( hPolicyStore, pRequestSecurityNegPol ); BAIL_ON_WIN32_ERROR(dwError);
*ppRequestSecurityNegPol = pRequestSecurityNegPol;
return (dwError);
error:
if (pRequestSecurityNegPol) { FreeIpsecNegPolData(pRequestSecurityNegPol); }
*ppRequestSecurityNegPol = NULL; return (dwError);}
DWORDCreateRequireSecurityNegPol( HANDLE hPolicyStore, PIPSEC_NEGPOL_DATA * ppRequireSecurityNegPol ){ DWORD dwError = 0; PIPSEC_NEGPOL_DATA pRequireSecurityNegPol = NULL; DWORD dwSecurityMethodCount = 0; PIPSEC_SECURITY_METHOD pIpsecSecurityMethods = NULL; PIPSEC_SECURITY_METHOD pMethod = NULL;
// {7238523f-70FA-11d1-864C-14A300000000}
static const GUID GUID_LOCKDOWN_NEGPOL = { 0x7238523f, 0x70fa, 0x11d1, { 0x86, 0x4c, 0x14, 0xa3, 0x0, 0x0, 0x0, 0x0 } };
pRequireSecurityNegPol = (PIPSEC_NEGPOL_DATA) AllocPolMem( sizeof(IPSEC_NEGPOL_DATA) ); if (!pRequireSecurityNegPol) { dwError = ERROR_OUTOFMEMORY; BAIL_ON_WIN32_ERROR(dwError); }
memcpy( &(pRequireSecurityNegPol->NegPolIdentifier), &(GUID_LOCKDOWN_NEGPOL), sizeof(GUID) );
memcpy( &(pRequireSecurityNegPol->NegPolAction), &(GUID_NEGOTIATION_ACTION_INBOUND_PASSTHRU), sizeof(GUID) );
memcpy( &(pRequireSecurityNegPol->NegPolType), &(GUID_NEGOTIATION_TYPE_STANDARD), sizeof(GUID) );
dwSecurityMethodCount = 4; pIpsecSecurityMethods = (PIPSEC_SECURITY_METHOD) AllocPolMem( sizeof(IPSEC_SECURITY_METHOD)*dwSecurityMethodCount ); if (!pIpsecSecurityMethods) { dwError = ERROR_OUTOFMEMORY; BAIL_ON_WIN32_ERROR(dwError); }
pMethod = pIpsecSecurityMethods;
pMethod->Lifetime.KeyExpirationTime = 900; pMethod->Lifetime.KeyExpirationBytes = 100000; pMethod->Flags = 0; pMethod->PfsQMRequired = FALSE; pMethod->Count = 1; pMethod->Algos[0].operation = Encrypt; pMethod->Algos[0].algoIdentifier = IPSEC_ESP_3_DES; pMethod->Algos[0].secondaryAlgoIdentifier = IPSEC_AH_SHA; pMethod ++;
pMethod->Lifetime.KeyExpirationTime = 900; pMethod->Lifetime.KeyExpirationBytes = 100000; pMethod->Flags = 0; pMethod->PfsQMRequired = FALSE; pMethod->Count = 1; pMethod->Algos[0].operation = Encrypt; pMethod->Algos[0].algoIdentifier = IPSEC_ESP_3_DES; pMethod->Algos[0].secondaryAlgoIdentifier = IPSEC_AH_MD5; pMethod ++;
pMethod->Lifetime.KeyExpirationTime = 900; pMethod->Lifetime.KeyExpirationBytes = 100000; pMethod->Flags = 0; pMethod->PfsQMRequired = FALSE; pMethod->Count = 1; pMethod->Algos[0].operation = Encrypt; pMethod->Algos[0].algoIdentifier = IPSEC_ESP_DES; pMethod->Algos[0].secondaryAlgoIdentifier = IPSEC_AH_SHA; pMethod ++;
pMethod->Lifetime.KeyExpirationTime = 900; pMethod->Lifetime.KeyExpirationBytes = 100000; pMethod->Flags = 0; pMethod->PfsQMRequired = FALSE; pMethod->Count = 1; pMethod->Algos[0].operation = Encrypt; pMethod->Algos[0].algoIdentifier = IPSEC_ESP_DES; pMethod->Algos[0].secondaryAlgoIdentifier = IPSEC_AH_MD5;
pRequireSecurityNegPol->dwSecurityMethodCount = dwSecurityMethodCount; pRequireSecurityNegPol->pIpsecSecurityMethods = pIpsecSecurityMethods;
pRequireSecurityNegPol->dwWhenChanged = 0;
dwError = MapAndAllocPolStr(&(pRequireSecurityNegPol->pszIpsecName), POLSTORE_REQUIRE_SECURITY_NEG_POL_NAME ); BAIL_ON_WIN32_ERROR(dwError);
dwError = MapAndAllocPolStr(&(pRequireSecurityNegPol->pszDescription), POLSTORE_REQUIRE_SECURITY_NEG_POL_DESCRIPTION ); BAIL_ON_WIN32_ERROR(dwError);
dwError = IPSecCreateNegPolData( hPolicyStore, pRequireSecurityNegPol ); BAIL_ON_WIN32_ERROR(dwError);
*ppRequireSecurityNegPol = pRequireSecurityNegPol;
return (dwError);
error:
if (pRequireSecurityNegPol) { FreeIpsecNegPolData(pRequireSecurityNegPol); }
*ppRequireSecurityNegPol = NULL; return (dwError);}
DWORDCreateClientPolicy( HANDLE hPolicyStore ){ DWORD dwError = 0; PIPSEC_ISAKMP_DATA pClientISAKMP = NULL; PIPSEC_POLICY_DATA pIpsecPolicyData = NULL; PIPSEC_NEGPOL_DATA pDefaultNegPol = NULL; GUID NFAIdentifier; GUID FilterIdentifier; LPWSTR pszNFAName = NULL; LPWSTR pszNFADescription = NULL;
// {72385237-70FA-11d1-864C-14A300000000}
static const GUID GUID_RESPONDER_ISAKMP = { 0x72385237, 0x70fa, 0x11d1, { 0x86, 0x4c, 0x14, 0xa3, 0x0, 0x0, 0x0, 0x0 } };
// {72385236-70FA-11d1-864C-14A300000000}
static const GUID GUID_RESPONDER_POLICY = { 0x72385236, 0x70fa, 0x11d1, { 0x86, 0x4c, 0x14, 0xa3, 0x0, 0x0, 0x0, 0x0 } };
dwError = CreateISAKMP( hPolicyStore, GUID_RESPONDER_ISAKMP, &pClientISAKMP ); BAIL_ON_WIN32_ERROR(dwError);
pIpsecPolicyData = (PIPSEC_POLICY_DATA) AllocPolMem( sizeof(IPSEC_POLICY_DATA) ); if (!pIpsecPolicyData) { dwError = ERROR_OUTOFMEMORY; BAIL_ON_WIN32_ERROR(dwError); }
memcpy( &(pIpsecPolicyData->PolicyIdentifier), &GUID_RESPONDER_POLICY, sizeof(GUID) );
pIpsecPolicyData->dwPollingInterval = 10800;
pIpsecPolicyData->pIpsecISAKMPData = NULL; pIpsecPolicyData->ppIpsecNFAData = NULL; pIpsecPolicyData->dwNumNFACount = 0;
pIpsecPolicyData->dwWhenChanged = 0;
dwError = MapAndAllocPolStr(&(pIpsecPolicyData->pszIpsecName), POLSTORE_CLIENT_POLICY_NAME ); BAIL_ON_WIN32_ERROR(dwError);
dwError = MapAndAllocPolStr(&(pIpsecPolicyData->pszDescription), POLSTORE_CLIENT_POLICY_DESCRIPTION ); BAIL_ON_WIN32_ERROR(dwError);
memcpy( &(pIpsecPolicyData->ISAKMPIdentifier), &(pClientISAKMP->ISAKMPIdentifier), sizeof(GUID) );
dwError = IPSecCreatePolicyData( hPolicyStore, pIpsecPolicyData ); BAIL_ON_WIN32_ERROR(dwError);
dwError = CreateDefaultNegPol( hPolicyStore, &pDefaultNegPol ); BAIL_ON_WIN32_ERROR(dwError);
dwError = UuidCreate( &NFAIdentifier ); BAIL_ON_WIN32_ERROR(dwError);
memset(&FilterIdentifier, 0, sizeof(GUID));
dwError = CreateNFA( hPolicyStore, NFAIdentifier, GUID_RESPONDER_POLICY, FilterIdentifier, pDefaultNegPol->NegPolIdentifier, pszNFAName, pszNFADescription ); BAIL_ON_WIN32_ERROR(dwError);
error:
if (pIpsecPolicyData) { FreeIpsecPolicyData(pIpsecPolicyData); }
if (pClientISAKMP) { FreeIpsecISAKMPData(pClientISAKMP); }
if (pDefaultNegPol) { FreeIpsecNegPolData(pDefaultNegPol); }
return (dwError);}
DWORDCreateRequestSecurityPolicy( HANDLE hPolicyStore, PIPSEC_FILTER_DATA pAllFilter, PIPSEC_FILTER_DATA pAllICMPFilter, PIPSEC_NEGPOL_DATA pPermitNegPol, PIPSEC_NEGPOL_DATA pRequestSecurityNegPol ){ DWORD dwError = 0; PIPSEC_ISAKMP_DATA pRequestSecurityISAKMP = NULL; PIPSEC_POLICY_DATA pIpsecPolicyData = NULL; PIPSEC_NEGPOL_DATA pDefaultNegPol = NULL; GUID NFAIdentifier; GUID FilterIdentifier; LPWSTR pszNFAName = NULL; LPWSTR pszNFADescription = NULL;
// {72385231-70FA-11d1-864C-14A300000000}
static const GUID GUID_SECURE_INITIATOR_ISAKMP = { 0x72385231, 0x70fa, 0x11d1, { 0x86, 0x4c, 0x14, 0xa3, 0x0, 0x0, 0x0, 0x0 } };
// {72385230-70FA-11d1-864C-14A300000000}
static const GUID GUID_SECURE_INITIATOR_POLICY = { 0x72385230, 0x70fa, 0x11d1, { 0x86, 0x4c, 0x14, 0xa3, 0x0, 0x0, 0x0, 0x0 } };
dwError = CreateISAKMP( hPolicyStore, GUID_SECURE_INITIATOR_ISAKMP, &pRequestSecurityISAKMP ); BAIL_ON_WIN32_ERROR(dwError);
pIpsecPolicyData = (PIPSEC_POLICY_DATA) AllocPolMem( sizeof(IPSEC_POLICY_DATA) ); if (!pIpsecPolicyData) { dwError = ERROR_OUTOFMEMORY; BAIL_ON_WIN32_ERROR(dwError); }
memcpy( &(pIpsecPolicyData->PolicyIdentifier), &GUID_SECURE_INITIATOR_POLICY, sizeof(GUID) );
pIpsecPolicyData->dwPollingInterval = 10800;
pIpsecPolicyData->pIpsecISAKMPData = NULL; pIpsecPolicyData->ppIpsecNFAData = NULL; pIpsecPolicyData->dwNumNFACount = 0;
pIpsecPolicyData->dwWhenChanged = 0;
dwError = MapAndAllocPolStr(&(pIpsecPolicyData->pszIpsecName), POLSTORE_SECURE_INITIATOR_POLICY_NAME ); BAIL_ON_WIN32_ERROR(dwError);
dwError = MapAndAllocPolStr(&(pIpsecPolicyData->pszDescription), POLSTORE_SECURE_INITIATOR_POLICY_DESCRIPTION ); BAIL_ON_WIN32_ERROR(dwError);
memcpy( &(pIpsecPolicyData->ISAKMPIdentifier), &(pRequestSecurityISAKMP->ISAKMPIdentifier), sizeof(GUID) );
dwError = IPSecCreatePolicyData( hPolicyStore, pIpsecPolicyData ); BAIL_ON_WIN32_ERROR(dwError);
dwError = CreateDefaultNegPol( hPolicyStore, &pDefaultNegPol ); BAIL_ON_WIN32_ERROR(dwError);
dwError = UuidCreate( &NFAIdentifier ); BAIL_ON_WIN32_ERROR(dwError);
memset(&FilterIdentifier, 0, sizeof(GUID));
dwError = CreateNFA( hPolicyStore, NFAIdentifier, GUID_SECURE_INITIATOR_POLICY, FilterIdentifier, pDefaultNegPol->NegPolIdentifier, pszNFAName, pszNFADescription ); BAIL_ON_WIN32_ERROR(dwError);
dwError = UuidCreate( &NFAIdentifier ); BAIL_ON_WIN32_ERROR(dwError);
//
// Create the ICMP Rule.
//
dwError = MapIdAndCreateNFA( hPolicyStore, NFAIdentifier, GUID_SECURE_INITIATOR_POLICY, pAllICMPFilter->FilterIdentifier, pPermitNegPol->NegPolIdentifier, POLSTORE_ICMP_NFA_NAME, POLSTORE_ICMP_NFA_DESCRIPTION ); BAIL_ON_WIN32_ERROR(dwError);
dwError = UuidCreate( &NFAIdentifier ); BAIL_ON_WIN32_ERROR(dwError);
//
// Create the Secure Initiator Rule.
//
dwError = MapIdAndCreateNFA( hPolicyStore, NFAIdentifier, GUID_SECURE_INITIATOR_POLICY, pAllFilter->FilterIdentifier, pRequestSecurityNegPol->NegPolIdentifier, POLSTORE_SECURE_INITIATOR_NFA_NAME, POLSTORE_SECURE_INITIATOR_NFA_DESCRIPTION ); BAIL_ON_WIN32_ERROR(dwError);
error:
if (pIpsecPolicyData) { FreeIpsecPolicyData(pIpsecPolicyData); }
if (pRequestSecurityISAKMP) { FreeIpsecISAKMPData(pRequestSecurityISAKMP); }
if (pDefaultNegPol) { FreeIpsecNegPolData(pDefaultNegPol); }
return (dwError);}
DWORDCreateRequireSecurityPolicy( HANDLE hPolicyStore, PIPSEC_FILTER_DATA pAllFilter, PIPSEC_FILTER_DATA pAllICMPFilter, PIPSEC_NEGPOL_DATA pPermitNegPol, PIPSEC_NEGPOL_DATA pRequireSecurityNegPol ){ DWORD dwError = 0; PIPSEC_ISAKMP_DATA pRequireSecurityISAKMP = NULL; PIPSEC_POLICY_DATA pIpsecPolicyData = NULL; PIPSEC_NEGPOL_DATA pDefaultNegPol = NULL; GUID NFAIdentifier; GUID FilterIdentifier; LPWSTR pszNFAName = NULL; LPWSTR pszNFADescription = NULL;
// {7238523d-70FA-11d1-864C-14A300000000}
static const GUID GUID_LOCKDOWN_ISAKMP = { 0x7238523d, 0x70fa, 0x11d1, { 0x86, 0x4c, 0x14, 0xa3, 0x0, 0x0, 0x0, 0x0 } };
// {7238523c-70FA-11d1-864C-14A300000000}
static const GUID GUID_LOCKDOWN_POLICY = { 0x7238523c, 0x70fa, 0x11d1, { 0x86, 0x4c, 0x14, 0xa3, 0x0, 0x0, 0x0, 0x0 } };
dwError = CreateISAKMP( hPolicyStore, GUID_LOCKDOWN_ISAKMP, &pRequireSecurityISAKMP ); BAIL_ON_WIN32_ERROR(dwError);
pIpsecPolicyData = (PIPSEC_POLICY_DATA) AllocPolMem( sizeof(IPSEC_POLICY_DATA) ); if (!pIpsecPolicyData) { dwError = ERROR_OUTOFMEMORY; BAIL_ON_WIN32_ERROR(dwError); }
memcpy( &(pIpsecPolicyData->PolicyIdentifier), &GUID_LOCKDOWN_POLICY, sizeof(GUID) );
pIpsecPolicyData->dwPollingInterval = 10800;
pIpsecPolicyData->pIpsecISAKMPData = NULL; pIpsecPolicyData->ppIpsecNFAData = NULL; pIpsecPolicyData->dwNumNFACount = 0;
pIpsecPolicyData->dwWhenChanged = 0;
dwError = MapAndAllocPolStr(&(pIpsecPolicyData->pszIpsecName), POLSTORE_LOCKDOWN_POLICY_NAME ); BAIL_ON_WIN32_ERROR(dwError);
dwError = MapAndAllocPolStr(&(pIpsecPolicyData->pszDescription), POLSTORE_LOCKDOWN_POLICY_DESCRIPTION ); BAIL_ON_WIN32_ERROR(dwError);
memcpy( &(pIpsecPolicyData->ISAKMPIdentifier), &(pRequireSecurityISAKMP->ISAKMPIdentifier), sizeof(GUID) );
dwError = IPSecCreatePolicyData( hPolicyStore, pIpsecPolicyData ); BAIL_ON_WIN32_ERROR(dwError);
dwError = CreateDefaultNegPol( hPolicyStore, &pDefaultNegPol ); BAIL_ON_WIN32_ERROR(dwError);
dwError = UuidCreate( &NFAIdentifier ); BAIL_ON_WIN32_ERROR(dwError);
memset(&FilterIdentifier, 0, sizeof(GUID));
dwError = CreateNFA( hPolicyStore, NFAIdentifier, GUID_LOCKDOWN_POLICY, FilterIdentifier, pDefaultNegPol->NegPolIdentifier, pszNFAName, pszNFADescription ); BAIL_ON_WIN32_ERROR(dwError);
dwError = UuidCreate( &NFAIdentifier ); BAIL_ON_WIN32_ERROR(dwError);
//
// Create the ICMP Rule.
//
dwError = MapIdAndCreateNFA( hPolicyStore, NFAIdentifier, GUID_LOCKDOWN_POLICY, pAllICMPFilter->FilterIdentifier, pPermitNegPol->NegPolIdentifier, POLSTORE_ICMP_NFA_NAME, POLSTORE_ICMP_NFA_DESCRIPTION ); BAIL_ON_WIN32_ERROR(dwError);
dwError = UuidCreate( &NFAIdentifier ); BAIL_ON_WIN32_ERROR(dwError);
//
// Create the Secure Initiator Rule.
//
dwError = MapIdAndCreateNFA( hPolicyStore, NFAIdentifier, GUID_LOCKDOWN_POLICY, pAllFilter->FilterIdentifier, pRequireSecurityNegPol->NegPolIdentifier, POLSTORE_LOCKDOWN_NFA_NAME, POLSTORE_LOCKDOWN_NFA_DESCRIPTION ); BAIL_ON_WIN32_ERROR(dwError);
error:
if (pIpsecPolicyData) { FreeIpsecPolicyData(pIpsecPolicyData); }
if (pRequireSecurityISAKMP) { FreeIpsecISAKMPData(pRequireSecurityISAKMP); }
if (pDefaultNegPol) { FreeIpsecNegPolData(pDefaultNegPol); }
return (dwError);}
DWORDCreateISAKMP( HANDLE hPolicyStore, GUID ISAKMPIdentifier, PIPSEC_ISAKMP_DATA * ppIpsecISAKMPData ){ DWORD dwError = 0; PIPSEC_ISAKMP_DATA pIpsecISAKMPData = NULL; DWORD dwNumISAKMPSecurityMethods = 0; PCRYPTO_BUNDLE pSecurityMethods = NULL; PCRYPTO_BUNDLE pBundle = NULL;
pIpsecISAKMPData = (PIPSEC_ISAKMP_DATA) AllocPolMem( sizeof(IPSEC_ISAKMP_DATA) ); if (!pIpsecISAKMPData) { dwError = ERROR_OUTOFMEMORY; BAIL_ON_WIN32_ERROR(dwError); }
memcpy( &(pIpsecISAKMPData->ISAKMPIdentifier), &(ISAKMPIdentifier), sizeof(GUID) );
memset( &(pIpsecISAKMPData->ISAKMPPolicy), 0, sizeof(ISAKMP_POLICY) );
dwNumISAKMPSecurityMethods = 4;
pSecurityMethods = (PCRYPTO_BUNDLE) AllocPolMem( sizeof(CRYPTO_BUNDLE)*dwNumISAKMPSecurityMethods ); if (!pSecurityMethods) { dwError = ERROR_OUTOFMEMORY; BAIL_ON_WIN32_ERROR(dwError); }
pBundle = pSecurityMethods;
pBundle->Lifetime.Seconds = 480*60; pBundle->EncryptionAlgorithm.AlgorithmIdentifier = IPSEC_ESP_3_DES; pBundle->HashAlgorithm.AlgorithmIdentifier = IPSEC_AH_SHA; pBundle->OakleyGroup = 2; pBundle++;
pBundle->Lifetime.Seconds = 480*60; pBundle->EncryptionAlgorithm.AlgorithmIdentifier = IPSEC_ESP_3_DES; pBundle->HashAlgorithm.AlgorithmIdentifier = IPSEC_AH_MD5; pBundle->OakleyGroup = 2; pBundle++;
pBundle->Lifetime.Seconds = 480*60; pBundle->EncryptionAlgorithm.AlgorithmIdentifier = IPSEC_ESP_DES; pBundle->HashAlgorithm.AlgorithmIdentifier = IPSEC_AH_SHA; pBundle->OakleyGroup = 1; pBundle++;
pBundle->Lifetime.Seconds = 480*60; pBundle->EncryptionAlgorithm.AlgorithmIdentifier = IPSEC_ESP_DES; pBundle->HashAlgorithm.AlgorithmIdentifier = IPSEC_AH_MD5; pBundle->OakleyGroup = 1;
pIpsecISAKMPData->dwNumISAKMPSecurityMethods = dwNumISAKMPSecurityMethods; pIpsecISAKMPData->pSecurityMethods = pSecurityMethods;
pIpsecISAKMPData->dwWhenChanged = 0;
dwError = IPSecCreateISAKMPData( hPolicyStore, pIpsecISAKMPData ); BAIL_ON_WIN32_ERROR(dwError);
*ppIpsecISAKMPData = pIpsecISAKMPData; return (dwError);
error:
if (pIpsecISAKMPData) { FreeIpsecISAKMPData(pIpsecISAKMPData); }
*ppIpsecISAKMPData = NULL; return (dwError);}
DWORDCreateDefaultNegPol( HANDLE hPolicyStore, PIPSEC_NEGPOL_DATA * ppDefaultNegPol ){ DWORD dwError = 0; PIPSEC_NEGPOL_DATA pDefaultNegPol = NULL; DWORD dwSecurityMethodCount = 0; PIPSEC_SECURITY_METHOD pIpsecSecurityMethods = NULL; PIPSEC_SECURITY_METHOD pMethod = NULL;
pDefaultNegPol = (PIPSEC_NEGPOL_DATA) AllocPolMem( sizeof(IPSEC_NEGPOL_DATA) ); if (!pDefaultNegPol) { dwError = ERROR_OUTOFMEMORY; BAIL_ON_WIN32_ERROR(dwError); }
dwError = UuidCreate( &(pDefaultNegPol->NegPolIdentifier) ); BAIL_ON_WIN32_ERROR(dwError);
memcpy( &(pDefaultNegPol->NegPolAction), &(GUID_NEGOTIATION_ACTION_NORMAL_IPSEC), sizeof(GUID) );
memcpy( &(pDefaultNegPol->NegPolType), &(GUID_NEGOTIATION_TYPE_DEFAULT), sizeof(GUID) );
dwSecurityMethodCount = 6; pIpsecSecurityMethods = (PIPSEC_SECURITY_METHOD) AllocPolMem( sizeof(IPSEC_SECURITY_METHOD)*dwSecurityMethodCount ); if (!pIpsecSecurityMethods) { dwError = ERROR_OUTOFMEMORY; BAIL_ON_WIN32_ERROR(dwError); }
pMethod = pIpsecSecurityMethods;
pMethod->Lifetime.KeyExpirationTime = 0; pMethod->Lifetime.KeyExpirationBytes = 0; pMethod->Flags = 0; pMethod->PfsQMRequired = FALSE; pMethod->Count = 1; pMethod->Algos[0].operation = Encrypt; pMethod->Algos[0].algoIdentifier = IPSEC_ESP_3_DES; pMethod->Algos[0].secondaryAlgoIdentifier = IPSEC_AH_SHA; pMethod ++;
pMethod->Lifetime.KeyExpirationTime = 0; pMethod->Lifetime.KeyExpirationBytes = 0; pMethod->Flags = 0; pMethod->PfsQMRequired = FALSE; pMethod->Count = 1; pMethod->Algos[0].operation = Encrypt; pMethod->Algos[0].algoIdentifier = IPSEC_ESP_3_DES; pMethod->Algos[0].secondaryAlgoIdentifier = IPSEC_AH_MD5; pMethod ++;
pMethod->Lifetime.KeyExpirationTime = 0; pMethod->Lifetime.KeyExpirationBytes = 0; pMethod->Flags = 0; pMethod->PfsQMRequired = FALSE; pMethod->Count = 1; pMethod->Algos[0].operation = Encrypt; pMethod->Algos[0].algoIdentifier = IPSEC_ESP_DES; pMethod->Algos[0].secondaryAlgoIdentifier = IPSEC_AH_SHA; pMethod ++;
pMethod->Lifetime.KeyExpirationTime = 0; pMethod->Lifetime.KeyExpirationBytes = 0; pMethod->Flags = 0; pMethod->PfsQMRequired = FALSE; pMethod->Count = 1; pMethod->Algos[0].operation = Encrypt; pMethod->Algos[0].algoIdentifier = IPSEC_ESP_DES; pMethod->Algos[0].secondaryAlgoIdentifier = IPSEC_AH_MD5; pMethod ++;
pMethod->Lifetime.KeyExpirationTime = 0; pMethod->Lifetime.KeyExpirationBytes = 0; pMethod->Flags = 0; pMethod->PfsQMRequired = FALSE; pMethod->Count = 1; pMethod->Algos[0].operation = Auth; pMethod->Algos[0].algoIdentifier = IPSEC_AH_SHA; pMethod->Algos[0].secondaryAlgoIdentifier = 0; pMethod ++;
pMethod->Lifetime.KeyExpirationTime = 0; pMethod->Lifetime.KeyExpirationBytes = 0; pMethod->Flags = 0; pMethod->PfsQMRequired = FALSE; pMethod->Count = 1; pMethod->Algos[0].operation = Auth; pMethod->Algos[0].algoIdentifier = IPSEC_AH_MD5; pMethod->Algos[0].secondaryAlgoIdentifier = 0;
pDefaultNegPol->dwSecurityMethodCount = dwSecurityMethodCount; pDefaultNegPol->pIpsecSecurityMethods = pIpsecSecurityMethods;
pDefaultNegPol->dwWhenChanged = 0;
pDefaultNegPol->pszIpsecName = NULL;
pDefaultNegPol->pszDescription = NULL;
dwError = IPSecCreateNegPolData( hPolicyStore, pDefaultNegPol ); BAIL_ON_WIN32_ERROR(dwError);
*ppDefaultNegPol = pDefaultNegPol;
return (dwError);
error:
if (pDefaultNegPol) { FreeIpsecNegPolData(pDefaultNegPol); }
*ppDefaultNegPol = NULL; return (dwError);}
DWORDCreateNFA( HANDLE hPolicyStore, GUID NFAIdentifier, GUID PolicyIdentifier, GUID FilterIdentifier, GUID NegPolIdentifier, LPWSTR pszNFAName, LPWSTR pszNFADescription ){ DWORD dwError = 0; PIPSEC_NFA_DATA pIpsecNFAData = NULL; DWORD dwAuthMethodCount = 0; PIPSEC_AUTH_METHOD * ppAuthMethods = NULL; PIPSEC_AUTH_METHOD pMethod = NULL;
pIpsecNFAData = (PIPSEC_NFA_DATA) AllocPolMem( sizeof(IPSEC_NFA_DATA) ); if (!pIpsecNFAData) { dwError = ERROR_OUTOFMEMORY; BAIL_ON_WIN32_ERROR(dwError); }
if (pszNFAName) { pIpsecNFAData->pszIpsecName = AllocPolStr(pszNFAName); if (!pIpsecNFAData->pszIpsecName) { dwError = ERROR_OUTOFMEMORY; BAIL_ON_WIN32_ERROR(dwError); } }
memcpy( &(pIpsecNFAData->NFAIdentifier), &(NFAIdentifier), sizeof(GUID) );
dwAuthMethodCount = 1; ppAuthMethods = (PIPSEC_AUTH_METHOD *) AllocPolMem( sizeof(PIPSEC_AUTH_METHOD)*dwAuthMethodCount ); if (!ppAuthMethods) { dwError = ERROR_OUTOFMEMORY; BAIL_ON_WIN32_ERROR(dwError); } pIpsecNFAData->dwAuthMethodCount = dwAuthMethodCount; pIpsecNFAData->ppAuthMethods = ppAuthMethods;
pMethod = (PIPSEC_AUTH_METHOD) AllocPolMem( sizeof(IPSEC_AUTH_METHOD) ); if (!pMethod) { dwError = ERROR_OUTOFMEMORY; BAIL_ON_WIN32_ERROR(dwError); }
pMethod->dwAuthType = OAK_SSPI; pMethod->dwAuthLen = 0; pMethod->pszAuthMethod = NULL; pMethod->dwAltAuthLen = 0; pMethod->pAltAuthMethod = NULL;
*(ppAuthMethods + 0) = pMethod;
pIpsecNFAData->dwInterfaceType = PS_INTERFACE_TYPE_ALL; pIpsecNFAData->pszInterfaceName = NULL;
pIpsecNFAData->dwTunnelIpAddr = 0; pIpsecNFAData->dwTunnelFlags = 0;
pIpsecNFAData->dwActiveFlag = 1;
pIpsecNFAData->pszEndPointName = NULL;
pIpsecNFAData->pIpsecFilterData = NULL; pIpsecNFAData->pIpsecNegPolData = NULL;
pIpsecNFAData->dwWhenChanged = 0;
memcpy( &(pIpsecNFAData->NegPolIdentifier), &(NegPolIdentifier), sizeof(GUID) ); memcpy( &(pIpsecNFAData->FilterIdentifier), &(FilterIdentifier), sizeof(GUID) );
if (pszNFADescription) { pIpsecNFAData->pszDescription = AllocPolStr(pszNFADescription); if (!pIpsecNFAData->pszDescription) { dwError = ERROR_OUTOFMEMORY; BAIL_ON_WIN32_ERROR(dwError); } }
dwError = IPSecCreateNFAData( hPolicyStore, PolicyIdentifier, pIpsecNFAData ); BAIL_ON_WIN32_ERROR(dwError);
error:
if (pIpsecNFAData) { FreeIpsecNFAData(pIpsecNFAData); }
return (dwError);}
DWORDMapIdAndCreateNFA( HANDLE hPolicyStore, GUID NFAIdentifier, GUID PolicyIdentifier, GUID FilterIdentifier, GUID NegPolIdentifier, DWORD dwNFANameID, DWORD dwNFADescriptionID ){ LPWSTR pszNFAName = NULL, pszNFADescription = NULL; DWORD dwError = 0;
dwError = MapAndAllocPolStr(&pszNFAName, dwNFANameID); BAIL_ON_WIN32_ERROR(dwError);
dwError = MapAndAllocPolStr(&pszNFADescription, dwNFADescriptionID); BAIL_ON_WIN32_ERROR(dwError);
dwError = CreateNFA(hPolicyStore, NFAIdentifier, PolicyIdentifier, FilterIdentifier, NegPolIdentifier, pszNFAName, pszNFADescription );error: LocalFree(pszNFADescription); LocalFree(pszNFAName);
return dwError;}
DWORDMapAndAllocPolStr( LPWSTR * plpStr, DWORD dwStrID ){ LPWSTR lpStr; DWORD dwResult;
dwResult = FormatMessageW(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_HMODULE | FORMAT_MESSAGE_IGNORE_INSERTS, GetModuleHandleW(SZAPPNAME), dwStrID, LANG_NEUTRAL, (LPWSTR) plpStr, 0, NULL);
if (dwResult == 0) { *plpStr = NULL; return GetLastError(); }
return ERROR_SUCCESS;}
|
