archive
/
windows-xp
mirror of https://github.com/tongzx/nt5src
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
9 Commits
1 Branch
0 Tags
2.0 GiB
Tree: 75c48ba87f
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '75c48ba87f'
${ noResults }
windows-xp/Source/XPSP1/NT/net/ipsec/spd/server/pastore.c

1980 lines
44 KiB
Raw Normal View History

Add source files
4 years ago
  3. #include "precomp.h"
  6. VOID
  7. InitializePolicyStateBlock(
  8. PIPSEC_POLICY_STATE pIpsecPolicyState
  9. )
  10. {
  11. memset(pIpsecPolicyState, 0, sizeof(IPSEC_POLICY_STATE));
  12. pIpsecPolicyState->DefaultPollingInterval = gDefaultPollingInterval;
  13. }
  16. DWORD
  17. StartStatePollingManager(
  18. PIPSEC_POLICY_STATE pIpsecPolicyState
  19. )
  20. {
  21. DWORD dwError = 0;
  24. dwError = PlumbDirectoryPolicy(
  25. pIpsecPolicyState
  26. );
  28. if (dwError) {
  30. dwError = PlumbCachePolicy(
  31. pIpsecPolicyState
  32. );
  34. if (dwError) {
  36. dwError = PlumbRegistryPolicy(
  37. pIpsecPolicyState
  38. );
  39. BAIL_ON_WIN32_ERROR(dwError);
  41. }
  43. }
  45. //
  46. // The new polling interval has been set by either the
  47. // registry code or the DS code.
  48. //
  50. gCurrentPollingInterval = pIpsecPolicyState->CurrentPollingInterval;
  52. return (dwError);
  54. error:
  56. //
  57. // On error, set the state to INITIAL.
  58. //
  60. pIpsecPolicyState->dwCurrentState = POLL_STATE_INITIAL;
  62. gCurrentPollingInterval = pIpsecPolicyState->DefaultPollingInterval;
  64. return (dwError);
  65. }
  68. DWORD
  69. PlumbDirectoryPolicy(
  70. PIPSEC_POLICY_STATE pIpsecPolicyState
  71. )
  72. {
  73. DWORD dwError = 0;
  74. LPWSTR pszDirectoryPolicyDN = NULL;
  75. PIPSEC_POLICY_OBJECT pIpsecPolicyObject = NULL;
  76. PIPSEC_POLICY_DATA pIpsecPolicyData = NULL;
  77. DWORD dwStoreType = IPSEC_DIRECTORY_PROVIDER;
  78. DWORD dwSlientErrorCode = 0;
  79. BOOL bIsActivePolicy = FALSE;
  82. dwError = GetDirectoryPolicyDN(
  83. &pszDirectoryPolicyDN
  84. );
  85. BAIL_ON_WIN32_ERROR(dwError);
  86. bIsActivePolicy = TRUE;
  88. dwError = LoadDirectoryPolicy(
  89. pszDirectoryPolicyDN,
  90. &pIpsecPolicyObject
  91. );
  92. BAIL_ON_WIN32_ERROR(dwError);
  94. dwError = ProcessNFAs(
  95. pIpsecPolicyObject,
  96. dwStoreType,
  97. &dwSlientErrorCode,
  98. &pIpsecPolicyData
  99. );
  100. BAIL_ON_WIN32_ERROR(dwError);
  102. //
  103. // Plumb the DS policy.
  104. //
  106. dwError = AddPolicyInformation(
  107. pIpsecPolicyData
  108. );
  110. if (pIpsecPolicyState->pIpsecPolicyObject) {
  111. FreeIpsecPolicyObject(pIpsecPolicyState->pIpsecPolicyObject);
  112. }
  114. if (pIpsecPolicyState->pIpsecPolicyData) {
  115. FreeIpsecPolicyData(pIpsecPolicyState->pIpsecPolicyData);
  116. }
  118. if (pIpsecPolicyState->pszDirectoryPolicyDN) {
  119. FreeSPDStr(pIpsecPolicyState->pszDirectoryPolicyDN);
  120. }
  122. //
  123. // Delete the old cache and write the new one in.
  124. //
  126. DeleteRegistryCache();
  128. CacheDirectorytoRegistry(pIpsecPolicyObject);
  130. pIpsecPolicyState->pIpsecPolicyObject = pIpsecPolicyObject;
  132. pIpsecPolicyState->pIpsecPolicyData = pIpsecPolicyData;
  134. pIpsecPolicyState->pszDirectoryPolicyDN = pszDirectoryPolicyDN;
  136. //
  137. // Set the state to DS_DOWNLOADED.
  138. //
  140. pIpsecPolicyState->dwCurrentState = POLL_STATE_DS_DOWNLOADED;
  142. //
  143. // Compute the new polling interval.
  144. //
  146. pIpsecPolicyState->CurrentPollingInterval = pIpsecPolicyData->dwPollingInterval;
  148. pIpsecPolicyState->DSIncarnationNumber = pIpsecPolicyData->dwWhenChanged;
  150. pIpsecPolicyState->RegIncarnationNumber = 0;
  152. gCurrentPollingInterval = pIpsecPolicyState->CurrentPollingInterval;
  154. dwError = ERROR_SUCCESS;
  155. if (dwSlientErrorCode) {
  156. AuditIPSecPolicyErrorEvent(
  157. SE_CATEGID_POLICY_CHANGE,
  158. SE_AUDITID_IPSEC_POLICY_CHANGED,
  159. PASTORE_FAILED_SOME_NFA_APPLICATION,
  160. pIpsecPolicyData->pszIpsecName,
  161. dwSlientErrorCode,
  162. FALSE,
  163. TRUE
  164. );
  165. }
  166. AuditIPSecPolicyEvent(
  167. SE_CATEGID_POLICY_CHANGE,
  168. SE_AUDITID_IPSEC_POLICY_CHANGED,
  169. PASTORE_APPLIED_DS_POLICY,
  170. pIpsecPolicyData->pszIpsecName,
  171. TRUE,
  172. TRUE
  173. );
  174. return (dwError);
  176. error:
  178. //
  179. // Check pszDirectoryPolicyDN for non-NULL.
  180. //
  182. if (bIsActivePolicy && pszDirectoryPolicyDN) {
  183. AuditIPSecPolicyErrorEvent(
  184. SE_CATEGID_POLICY_CHANGE,
  185. SE_AUDITID_IPSEC_POLICY_CHANGED,
  186. PASTORE_FAILED_DS_POLICY_APPLICATION,
  187. pszDirectoryPolicyDN,
  188. dwError,
  189. FALSE,
  190. TRUE
  191. );
  192. }
  194. if (pszDirectoryPolicyDN) {
  195. FreeSPDStr(pszDirectoryPolicyDN);
  196. }
  198. if (pIpsecPolicyObject) {
  199. FreeIpsecPolicyObject(pIpsecPolicyObject);
  200. }
  202. if (pIpsecPolicyData) {
  203. FreeIpsecPolicyData(pIpsecPolicyData);
  204. }
  206. return (dwError);
  207. }
  210. DWORD
  211. GetDirectoryPolicyDN(
  212. LPWSTR * ppszDirectoryPolicyDN
  213. )
  214. {
  215. DWORD dwError = 0;
  216. HKEY hPolicyKey = NULL;
  217. LPWSTR pszIpsecPolicyName = NULL;
  218. DWORD dwSize = 0;
  219. LPWSTR pszPolicyDN = NULL;
  220. LPWSTR pszDirectoryPolicyDN = NULL;
  223. *ppszDirectoryPolicyDN = NULL;
  225. dwError = RegOpenKeyExW(
  226. HKEY_LOCAL_MACHINE,
  227. gpszIpsecDSPolicyKey,
  228. 0,
  229. KEY_ALL_ACCESS,
  230. &hPolicyKey
  231. );
  232. BAIL_ON_WIN32_ERROR(dwError);
  234. dwError = RegstoreQueryValue(
  235. hPolicyKey,
  236. L"DSIPSECPolicyPath",
  237. REG_SZ,
  238. (LPBYTE *)&pszIpsecPolicyName,
  239. &dwSize
  240. );
  241. BAIL_ON_WIN32_ERROR(dwError);
  243. //
  244. // Move by LDAP:// to get the real DN and allocate
  245. // this string.
  246. // Fix this by fixing the gpo extension.
  247. //
  249. pszPolicyDN = pszIpsecPolicyName + wcslen(L"LDAP://");
  251. pszDirectoryPolicyDN = AllocSPDStr(pszPolicyDN);
  253. if (!pszDirectoryPolicyDN) {
  254. dwError = ERROR_OUTOFMEMORY;
  255. BAIL_ON_WIN32_ERROR(dwError);
  256. }
  258. *ppszDirectoryPolicyDN = pszDirectoryPolicyDN;
  260. error:
  262. if (pszIpsecPolicyName) {
  263. FreeSPDStr(pszIpsecPolicyName);
  264. }
  266. if (hPolicyKey) {
  267. CloseHandle(hPolicyKey);
  268. }
  270. return (dwError);
  271. }
  274. DWORD
  275. LoadDirectoryPolicy(
  276. LPWSTR pszDirectoryPolicyDN,
  277. PIPSEC_POLICY_OBJECT * ppIpsecPolicyObject
  278. )
  279. {
  280. DWORD dwError = 0;
  281. LPWSTR pszDefaultDirectory = NULL;
  282. HLDAP hLdapBindHandle = NULL;
  283. PIPSEC_POLICY_OBJECT pIpsecPolicyObject = NULL;
  286. dwError = ComputeDefaultDirectory(
  287. &pszDefaultDirectory
  288. );
  289. BAIL_ON_WIN32_ERROR(dwError);
  291. dwError = OpenDirectoryServerHandle(
  292. pszDefaultDirectory,
  293. 389,
  294. &hLdapBindHandle
  295. );
  296. BAIL_ON_WIN32_ERROR(dwError);
  298. dwError = ReadPolicyObjectFromDirectory(
  299. hLdapBindHandle,
  300. pszDirectoryPolicyDN,
  301. &pIpsecPolicyObject
  302. );
  303. BAIL_ON_WIN32_ERROR(dwError);
  305. *ppIpsecPolicyObject = pIpsecPolicyObject;
  307. cleanup:
  309. if (pszDefaultDirectory) {
  310. FreeSPDStr(pszDefaultDirectory);
  311. }
  313. if (hLdapBindHandle) {
  314. CloseDirectoryServerHandle(hLdapBindHandle);
  315. }
  317. return (dwError);
  319. error:
  321. *ppIpsecPolicyObject = NULL;
  323. goto cleanup;
  324. }
  327. DWORD
  328. PlumbCachePolicy(
  329. PIPSEC_POLICY_STATE pIpsecPolicyState
  330. )
  331. {
  332. DWORD dwError = 0;
  333. LPWSTR pszCachePolicyDN = NULL;
  334. PIPSEC_POLICY_OBJECT pIpsecPolicyObject = NULL;
  335. PIPSEC_POLICY_DATA pIpsecPolicyData = NULL;
  336. DWORD dwStoreType = IPSEC_REGISTRY_PROVIDER;
  337. DWORD dwSlientErrorCode = 0;
  338. BOOL bIsActivePolicy = FALSE;
  340. dwError = GetCachePolicyDN(
  341. &pszCachePolicyDN
  342. );
  343. BAIL_ON_WIN32_ERROR(dwError);
  344. bIsActivePolicy = TRUE;
  346. dwError = LoadCachePolicy(
  347. pszCachePolicyDN,
  348. &pIpsecPolicyObject
  349. );
  350. BAIL_ON_WIN32_ERROR(dwError);
  352. dwError = ProcessNFAs(
  353. pIpsecPolicyObject,
  354. dwStoreType,
  355. &dwSlientErrorCode,
  356. &pIpsecPolicyData
  357. );
  358. BAIL_ON_WIN32_ERROR(dwError);
  360. dwError = AddPolicyInformation(
  361. pIpsecPolicyData
  362. );
  364. if (pIpsecPolicyState->pIpsecPolicyObject) {
  365. FreeIpsecPolicyObject(pIpsecPolicyState->pIpsecPolicyObject);
  366. }
  368. if (pIpsecPolicyState->pIpsecPolicyData) {
  369. FreeIpsecPolicyData(pIpsecPolicyState->pIpsecPolicyData);
  370. }
  372. if (pIpsecPolicyState->pszCachePolicyDN) {
  373. FreeSPDStr(pIpsecPolicyState->pszCachePolicyDN);
  374. }
  376. pIpsecPolicyState->pIpsecPolicyObject = pIpsecPolicyObject;
  378. pIpsecPolicyState->pIpsecPolicyData = pIpsecPolicyData;
  380. pIpsecPolicyState->pszCachePolicyDN = pszCachePolicyDN;
  382. //
  383. // Set the state to CACHE_DOWNLOADED.
  384. //
  385. //
  387. pIpsecPolicyState->dwCurrentState = POLL_STATE_CACHE_DOWNLOADED;
  389. //
  390. // Compute the new polling interval.
  391. //
  393. pIpsecPolicyState->CurrentPollingInterval = pIpsecPolicyData->dwPollingInterval;
  395. pIpsecPolicyState->DSIncarnationNumber = 0;
  397. pIpsecPolicyState->RegIncarnationNumber = pIpsecPolicyData->dwWhenChanged;
  399. gCurrentPollingInterval = pIpsecPolicyState->CurrentPollingInterval;
  401. dwError = ERROR_SUCCESS;
  402. if (dwSlientErrorCode) {
  403. AuditIPSecPolicyErrorEvent(
  404. SE_CATEGID_POLICY_CHANGE,
  405. SE_AUDITID_IPSEC_POLICY_CHANGED,
  406. PASTORE_FAILED_SOME_NFA_APPLICATION,
  407. pIpsecPolicyData->pszIpsecName,
  408. dwSlientErrorCode,
  409. FALSE,
  410. TRUE
  411. );
  412. }
  413. AuditIPSecPolicyEvent(
  414. SE_CATEGID_POLICY_CHANGE,
  415. SE_AUDITID_IPSEC_POLICY_CHANGED,
  416. PASTORE_APPLIED_CACHED_POLICY,
  417. pIpsecPolicyData->pszIpsecName,
  418. TRUE,
  419. TRUE
  420. );
  421. return (dwError);
  423. error:
  425. //
  426. // Check pszCachePolicyDN for non-NULL.
  427. //
  429. if (bIsActivePolicy && pszCachePolicyDN) {
  430. AuditIPSecPolicyErrorEvent(
  431. SE_CATEGID_POLICY_CHANGE,
  432. SE_AUDITID_IPSEC_POLICY_CHANGED,
  433. PASTORE_FAILED_CACHED_POLICY_APPLICATION,
  434. pszCachePolicyDN,
  435. dwError,
  436. FALSE,
  437. TRUE
  438. );
  439. }
  441. if (pszCachePolicyDN) {
  442. FreeSPDStr(pszCachePolicyDN);
  443. }
  445. if (pIpsecPolicyObject) {
  446. FreeIpsecPolicyObject(pIpsecPolicyObject);
  447. }
  449. if (pIpsecPolicyData) {
  450. FreeIpsecPolicyData(pIpsecPolicyData);
  451. }
  453. return (dwError);
  454. }
  457. DWORD
  458. GetCachePolicyDN(
  459. LPWSTR * ppszCachePolicyDN
  460. )
  461. {
  462. DWORD dwError = 0;
  463. LPWSTR pszDirectoryPolicyDN = NULL;
  464. LPWSTR pszCachePolicyDN = NULL;
  467. *ppszCachePolicyDN = NULL;
  469. dwError = GetDirectoryPolicyDN(
  470. &pszDirectoryPolicyDN
  471. );
  472. BAIL_ON_WIN32_ERROR(dwError);
  474. dwError = CopyPolicyDSToFQRegString(
  475. pszDirectoryPolicyDN,
  476. &pszCachePolicyDN
  477. );
  478. BAIL_ON_WIN32_ERROR(dwError);
  480. *ppszCachePolicyDN = pszCachePolicyDN;
  482. error:
  484. if (pszDirectoryPolicyDN) {
  485. FreeSPDStr(pszDirectoryPolicyDN);
  486. }
  488. return (dwError);
  489. }
  492. DWORD
  493. LoadCachePolicy(
  494. LPWSTR pszCachePolicyDN,
  495. PIPSEC_POLICY_OBJECT * ppIpsecPolicyObject
  496. )
  497. {
  498. DWORD dwError = 0;
  499. HKEY hRegistryKey = NULL;
  500. PIPSEC_POLICY_OBJECT pIpsecPolicyObject = NULL;
  503. dwError = OpenRegistryIPSECRootKey(
  504. NULL,
  505. gpszIpsecCachePolicyKey,
  506. &hRegistryKey
  507. );
  508. BAIL_ON_WIN32_ERROR(dwError);
  510. dwError = ReadPolicyObjectFromRegistry(
  511. hRegistryKey,
  512. pszCachePolicyDN,
  513. gpszIpsecCachePolicyKey,
  514. &pIpsecPolicyObject
  515. );
  516. BAIL_ON_WIN32_ERROR(dwError);
  518. *ppIpsecPolicyObject = pIpsecPolicyObject;
  520. cleanup:
  522. if (hRegistryKey) {
  523. CloseHandle(hRegistryKey);
  524. }
  526. return (dwError);
  528. error:
  530. *ppIpsecPolicyObject = NULL;
  532. goto cleanup;
  533. }
  536. DWORD
  537. PlumbRegistryPolicy(
  538. PIPSEC_POLICY_STATE pIpsecPolicyState
  539. )
  540. {
  541. DWORD dwError = 0;
  542. LPWSTR pszRegistryPolicyDN = NULL;
  543. PIPSEC_POLICY_OBJECT pIpsecPolicyObject = NULL;
  544. PIPSEC_POLICY_DATA pIpsecPolicyData = NULL;
  545. DWORD dwStoreType = IPSEC_REGISTRY_PROVIDER;
  546. DWORD dwSlientErrorCode = 0;
  547. BOOL bIsActivePolicy = FALSE;
  549. dwError = GetRegistryPolicyDN(
  550. &pszRegistryPolicyDN
  551. );
  552. BAIL_ON_WIN32_ERROR(dwError);
  553. bIsActivePolicy = TRUE;
  555. dwError = LoadRegistryPolicy(
  556. pszRegistryPolicyDN,
  557. &pIpsecPolicyObject
  558. );
  559. BAIL_ON_WIN32_ERROR(dwError);
  561. dwError = ProcessNFAs(
  562. pIpsecPolicyObject,
  563. dwStoreType,
  564. &dwSlientErrorCode,
  565. &pIpsecPolicyData
  566. );
  567. BAIL_ON_WIN32_ERROR(dwError);
  569. dwError = AddPolicyInformation(
  570. pIpsecPolicyData
  571. );
  573. if (pIpsecPolicyState->pIpsecPolicyObject) {
  574. FreeIpsecPolicyObject(pIpsecPolicyState->pIpsecPolicyObject);
  575. }
  577. if (pIpsecPolicyState->pIpsecPolicyData) {
  578. FreeIpsecPolicyData(pIpsecPolicyState->pIpsecPolicyData);
  579. }
  581. if (pIpsecPolicyState->pszRegistryPolicyDN) {
  582. FreeSPDStr(pIpsecPolicyState->pszRegistryPolicyDN);
  583. }
  585. pIpsecPolicyState->pIpsecPolicyObject = pIpsecPolicyObject;
  587. pIpsecPolicyState->pIpsecPolicyData = pIpsecPolicyData;
  589. pIpsecPolicyState->pszRegistryPolicyDN = pszRegistryPolicyDN;
  591. //
  592. // Set the state to LOCAL_DOWNLOADED.
  593. //
  595. pIpsecPolicyState->dwCurrentState = POLL_STATE_LOCAL_DOWNLOADED;
  597. //
  598. // Compute the new polling interval.
  599. //
  601. pIpsecPolicyState->CurrentPollingInterval = pIpsecPolicyData->dwPollingInterval;
  603. pIpsecPolicyState->DSIncarnationNumber = 0;
  605. pIpsecPolicyState->RegIncarnationNumber = pIpsecPolicyData->dwWhenChanged;
  607. gCurrentPollingInterval = pIpsecPolicyState->CurrentPollingInterval;
  609. dwError = ERROR_SUCCESS;
  610. if (dwSlientErrorCode) {
  611. AuditIPSecPolicyErrorEvent(
  612. SE_CATEGID_POLICY_CHANGE,
  613. SE_AUDITID_IPSEC_POLICY_CHANGED,
  614. PASTORE_FAILED_SOME_NFA_APPLICATION,
  615. pIpsecPolicyData->pszIpsecName,
  616. dwSlientErrorCode,
  617. FALSE,
  618. TRUE
  619. );
  620. }
  621. AuditIPSecPolicyEvent(
  622. SE_CATEGID_POLICY_CHANGE,
  623. SE_AUDITID_IPSEC_POLICY_CHANGED,
  624. PASTORE_APPLIED_LOCAL_POLICY,
  625. pIpsecPolicyData->pszIpsecName,
  626. TRUE,
  627. TRUE
  628. );
  629. return (dwError);
  631. error:
  633. //
  634. // Check pszRegistryPolicyDN for non-NULL.
  635. //
  637. if (bIsActivePolicy && pszRegistryPolicyDN) {
  638. AuditIPSecPolicyErrorEvent(
  639. SE_CATEGID_POLICY_CHANGE,
  640. SE_AUDITID_IPSEC_POLICY_CHANGED,
  641. PASTORE_FAILED_LOCAL_POLICY_APPLICATION,
  642. pszRegistryPolicyDN,
  643. dwError,
  644. FALSE,
  645. TRUE
  646. );
  647. }
  649. if (pszRegistryPolicyDN) {
  650. FreeSPDStr(pszRegistryPolicyDN);
  651. }
  653. if (pIpsecPolicyObject) {
  654. FreeIpsecPolicyObject(pIpsecPolicyObject);
  655. }
  657. if (pIpsecPolicyData) {
  658. FreeIpsecPolicyData(pIpsecPolicyData);
  659. }
  661. return (dwError);
  662. }
  665. DWORD
  666. GetRegistryPolicyDN(
  667. LPWSTR * ppszRegistryPolicyDN
  668. )
  669. {
  670. DWORD dwError = 0;
  671. HKEY hPolicyKey = NULL;
  672. LPWSTR pszIpsecPolicyName = NULL;
  673. DWORD dwSize = 0;
  676. dwError = RegOpenKeyExW(
  677. HKEY_LOCAL_MACHINE,
  678. gpszIpsecLocalPolicyKey,
  679. 0,
  680. KEY_ALL_ACCESS,
  681. &hPolicyKey
  682. );
  683. BAIL_ON_WIN32_ERROR(dwError);
  685. dwError = RegstoreQueryValue(
  686. hPolicyKey,
  687. L"ActivePolicy",
  688. REG_SZ,
  689. (LPBYTE *)&pszIpsecPolicyName,
  690. &dwSize
  691. );
  692. BAIL_ON_WIN32_ERROR(dwError);
  694. if (!pszIpsecPolicyName || !*pszIpsecPolicyName) {
  695. dwError = ERROR_OUTOFMEMORY;
  696. BAIL_ON_WIN32_ERROR(dwError);
  697. }
  699. *ppszRegistryPolicyDN = pszIpsecPolicyName;
  701. cleanup:
  703. if (hPolicyKey) {
  704. CloseHandle(hPolicyKey);
  705. }
  707. return (dwError);
  709. error:
  711. if (pszIpsecPolicyName) {
  712. FreeSPDStr(pszIpsecPolicyName);
  713. }
  715. *ppszRegistryPolicyDN = NULL;
  717. goto cleanup;
  718. }
  721. DWORD
  722. LoadRegistryPolicy(
  723. LPWSTR pszRegistryPolicyDN,
  724. PIPSEC_POLICY_OBJECT * ppIpsecPolicyObject
  725. )
  726. {
  727. DWORD dwError = 0;
  728. HKEY hRegistryKey = NULL;
  729. PIPSEC_POLICY_OBJECT pIpsecPolicyObject = NULL;
  732. dwError = OpenRegistryIPSECRootKey(
  733. NULL,
  734. gpszIpsecLocalPolicyKey,
  735. &hRegistryKey
  736. );
  737. BAIL_ON_WIN32_ERROR(dwError);
  739. dwError = ReadPolicyObjectFromRegistry(
  740. hRegistryKey,
  741. pszRegistryPolicyDN,
  742. gpszIpsecLocalPolicyKey,
  743. &pIpsecPolicyObject
  744. );
  745. BAIL_ON_WIN32_ERROR(dwError);
  747. *ppIpsecPolicyObject = pIpsecPolicyObject;
  749. cleanup:
  751. if (hRegistryKey) {
  752. CloseHandle(hRegistryKey);
  753. }
  755. return (dwError);
  757. error:
  759. *ppIpsecPolicyObject = NULL;
  761. goto cleanup;
  762. }
  765. DWORD
  766. AddPolicyInformation(
  767. PIPSEC_POLICY_DATA pIpsecPolicyData
  768. )
  769. {
  770. DWORD dwError = 0;
  773. dwError = AddMMPolicyInformation(pIpsecPolicyData);
  775. dwError = AddQMPolicyInformation(pIpsecPolicyData);
  777. dwError = ERROR_SUCCESS;
  779. return (dwError);
  780. }
  783. DWORD
  784. AddMMPolicyInformation(
  785. PIPSEC_POLICY_DATA pIpsecPolicyData
  786. )
  787. {
  788. DWORD dwError = 0;
  791. dwError = PAAddMMPolicies(
  792. &(pIpsecPolicyData->pIpsecISAKMPData),
  793. 1
  794. );
  796. dwError = PAAddMMAuthMethods(
  797. pIpsecPolicyData->ppIpsecNFAData,
  798. pIpsecPolicyData->dwNumNFACount
  799. );
  801. dwError = PAAddMMFilters(
  802. pIpsecPolicyData->pIpsecISAKMPData,
  803. pIpsecPolicyData->ppIpsecNFAData,
  804. pIpsecPolicyData->dwNumNFACount
  805. );
  806. BAIL_ON_WIN32_ERROR(dwError);
  808. error:
  810. return (dwError);
  811. }
  814. DWORD
  815. AddQMPolicyInformation(
  816. PIPSEC_POLICY_DATA pIpsecPolicyData
  817. )
  818. {
  819. DWORD dwError = 0;
  822. dwError = PAAddQMPolicies(
  823. pIpsecPolicyData->ppIpsecNFAData,
  824. pIpsecPolicyData->dwNumNFACount
  825. );
  827. dwError = PAAddQMFilters(
  828. pIpsecPolicyData->ppIpsecNFAData,
  829. pIpsecPolicyData->dwNumNFACount
  830. );
  831. BAIL_ON_WIN32_ERROR(dwError);
  833. error:
  835. return (dwError);
  836. }
  839. DWORD
  840. OnPolicyChanged(
  841. PIPSEC_POLICY_STATE pIpsecPolicyState
  842. )
  843. {
  844. DWORD dwError = 0;
  847. //
  848. // Remove all the old policy that was plumbed.
  849. //
  851. dwError = DeletePolicyInformation(
  852. pIpsecPolicyState->pIpsecPolicyData
  853. );
  855. ClearPolicyStateBlock(
  856. pIpsecPolicyState
  857. );
  859. //
  860. // Calling the Initializer again.
  861. //
  863. dwError = StartStatePollingManager(
  864. pIpsecPolicyState
  865. );
  867. return (dwError);
  868. }
  871. DWORD
  872. DeletePolicyInformation(
  873. PIPSEC_POLICY_DATA pIpsecPolicyData
  874. )
  875. {
  876. DWORD dwError = 0;
  879. if (!pIpsecPolicyData) {
  880. dwError = ERROR_SUCCESS;
  881. return (dwError);
  882. }
  884. dwError = DeleteMMPolicyInformation(pIpsecPolicyData);
  886. dwError = DeleteQMPolicyInformation(pIpsecPolicyData);
  888. dwError = ERROR_SUCCESS;
  890. return (dwError);
  891. }
  894. DWORD
  895. DeleteMMPolicyInformation(
  896. PIPSEC_POLICY_DATA pIpsecPolicyData
  897. )
  898. {
  899. DWORD dwError = 0;
  902. dwError = PADeleteMMFilters(
  903. pIpsecPolicyData->pIpsecISAKMPData,
  904. pIpsecPolicyData->ppIpsecNFAData,
  905. pIpsecPolicyData->dwNumNFACount
  906. );
  908. dwError = PADeleteMMAuthMethods(
  909. pIpsecPolicyData->ppIpsecNFAData,
  910. pIpsecPolicyData->dwNumNFACount
  911. );
  913. dwError = PADeleteMMPolicies(
  914. &(pIpsecPolicyData->pIpsecISAKMPData),
  915. 1
  916. );
  918. return (dwError);
  919. }
  922. DWORD
  923. DeleteQMPolicyInformation(
  924. PIPSEC_POLICY_DATA pIpsecPolicyData
  925. )
  926. {
  927. DWORD dwError = 0;
  930. dwError = PADeleteQMFilters(
  931. pIpsecPolicyData->ppIpsecNFAData,
  932. pIpsecPolicyData->dwNumNFACount
  933. );
  935. dwError = PADeleteQMPolicies(
  936. pIpsecPolicyData->ppIpsecNFAData,
  937. pIpsecPolicyData->dwNumNFACount
  938. );
  940. return (dwError);
  941. }
  944. DWORD
  945. DeleteAllPolicyInformation(
  946. )
  947. {
  948. DWORD dwError = 0;
  951. dwError = DeleteAllMMPolicyInformation();
  953. dwError = DeleteAllQMPolicyInformation();
  955. dwError = ERROR_SUCCESS;
  957. return (dwError);
  958. }
  961. DWORD
  962. DeleteAllMMPolicyInformation(
  963. )
  964. {
  965. DWORD dwError = 0;
  968. dwError = PADeleteAllMMFilters();
  970. dwError = PADeleteAllMMAuthMethods();
  972. dwError = PADeleteAllMMPolicies();
  974. return (dwError);
  975. }
  978. DWORD
  979. DeleteAllQMPolicyInformation(
  980. )
  981. {
  982. DWORD dwError = 0;
  985. dwError = PADeleteAllTxFilters();
  987. dwError = PADeleteAllTnFilters();
  989. dwError = PADeleteAllQMPolicies();
  991. return (dwError);
  992. }
  995. VOID
  996. ClearPolicyStateBlock(
  997. PIPSEC_POLICY_STATE pIpsecPolicyState
  998. )
  999. {
  1000. if (pIpsecPolicyState->pIpsecPolicyObject) {
  1001. FreeIpsecPolicyObject(
  1002. pIpsecPolicyState->pIpsecPolicyObject
  1003. );
  1004. pIpsecPolicyState->pIpsecPolicyObject = NULL;
  1005. }
  1007. if (pIpsecPolicyState->pIpsecPolicyData) {
  1008. FreeIpsecPolicyData(
  1009. pIpsecPolicyState->pIpsecPolicyData
  1010. );
  1011. pIpsecPolicyState->pIpsecPolicyData = NULL;
  1012. }
  1014. if (pIpsecPolicyState->pszDirectoryPolicyDN) {
  1015. FreeSPDStr(pIpsecPolicyState->pszDirectoryPolicyDN);
  1016. pIpsecPolicyState->pszDirectoryPolicyDN = NULL;
  1017. }
  1019. pIpsecPolicyState->CurrentPollingInterval = gDefaultPollingInterval;
  1020. pIpsecPolicyState->DefaultPollingInterval = gDefaultPollingInterval;
  1021. pIpsecPolicyState->DSIncarnationNumber = 0;
  1022. pIpsecPolicyState->RegIncarnationNumber = 0;
  1023. pIpsecPolicyState->dwCurrentState = POLL_STATE_INITIAL;
  1024. }
  1027. DWORD
  1028. OnPolicyPoll(
  1029. PIPSEC_POLICY_STATE pIpsecPolicyState
  1030. )
  1031. {
  1032. DWORD dwError = 0;
  1035. switch (pIpsecPolicyState->dwCurrentState) {
  1037. case POLL_STATE_DS_DOWNLOADED:
  1038. dwError = ProcessDirectoryPolicyPollState(pIpsecPolicyState);
  1039. BAIL_ON_WIN32_ERROR(dwError);
  1040. break;
  1042. case POLL_STATE_CACHE_DOWNLOADED:
  1043. dwError = ProcessCachePolicyPollState(pIpsecPolicyState);
  1044. BAIL_ON_WIN32_ERROR(dwError);
  1045. break;
  1047. case POLL_STATE_LOCAL_DOWNLOADED:
  1048. dwError = ProcessLocalPolicyPollState(pIpsecPolicyState);
  1049. BAIL_ON_WIN32_ERROR(dwError);
  1050. break;
  1052. case POLL_STATE_INITIAL:
  1053. dwError = OnPolicyChanged(pIpsecPolicyState);
  1054. BAIL_ON_WIN32_ERROR(dwError);
  1055. break;
  1057. }
  1059. //
  1060. // Set the new polling interval.
  1061. //
  1063. gCurrentPollingInterval = pIpsecPolicyState->CurrentPollingInterval;
  1065. return (dwError);
  1067. error:
  1069. //
  1070. // If in any of the three states other than the initial state,
  1071. // then there was an error in pulling down the incarnation number
  1072. // or the IPSec Policy from either the directory or the registry
  1073. // or there might not no longer be any IPSec policy assigned to
  1074. // this machine. So the polling state must reset back to the
  1075. // start state through a forced policy change. This is also
  1076. // necessary if the polling state is already in the initial state.
  1077. //
  1079. dwError = OnPolicyChanged(
  1080. pIpsecPolicyState
  1081. );
  1083. return (dwError);
  1084. }
  1087. DWORD
  1088. ProcessDirectoryPolicyPollState(
  1089. PIPSEC_POLICY_STATE pIpsecPolicyState
  1090. )
  1091. {
  1092. DWORD dwError = 0;
  1093. DWORD dwIncarnationNumber = 0;
  1094. PIPSEC_POLICY_OBJECT pIpsecPolicyObject = NULL;
  1095. PIPSEC_POLICY_DATA pIpsecPolicyData = NULL;
  1096. DWORD dwStoreType = IPSEC_DIRECTORY_PROVIDER;
  1097. DWORD dwSlientErrorCode = 0;
  1100. //
  1101. // The directory policy DN has to be the same, otherwise the
  1102. // IPSec extension in Winlogon would have already notified
  1103. // PA Store of the DS policy change.
  1104. //
  1106. dwError = GetDirectoryIncarnationNumber(
  1107. pIpsecPolicyState->pszDirectoryPolicyDN,
  1108. &dwIncarnationNumber
  1109. );
  1110. if (dwError) {
  1111. dwError = MigrateFromDSToCache(pIpsecPolicyState);
  1112. BAIL_ON_WIN32_ERROR(dwError);
  1113. return (ERROR_SUCCESS);
  1114. }
  1116. if (dwIncarnationNumber == pIpsecPolicyState->DSIncarnationNumber) {
  1118. //
  1119. // The policy has not changed at all.
  1120. //
  1122. AuditEvent(
  1123. SE_CATEGID_POLICY_CHANGE,
  1124. SE_AUDITID_IPSEC_POLICY_CHANGED,
  1125. PASTORE_POLLING_NO_CHANGES,
  1126. NULL,
  1127. TRUE,
  1128. TRUE
  1129. );
  1130. return (ERROR_SUCCESS);
  1131. }
  1133. //
  1134. // The incarnation number is different, so there's a need to
  1135. // update the policy.
  1136. //
  1138. dwError = LoadDirectoryPolicy(
  1139. pIpsecPolicyState->pszDirectoryPolicyDN,
  1140. &pIpsecPolicyObject
  1141. );
  1142. if (dwError) {
  1143. dwError = MigrateFromDSToCache(pIpsecPolicyState);
  1144. BAIL_ON_WIN32_ERROR(dwError);
  1145. return (ERROR_SUCCESS);
  1146. }
  1148. dwError = ProcessNFAs(
  1149. pIpsecPolicyObject,
  1150. dwStoreType,
  1151. &dwSlientErrorCode,
  1152. &pIpsecPolicyData
  1153. );
  1154. if (dwError) {
  1155. dwError = MigrateFromDSToCache(pIpsecPolicyState);
  1156. BAIL_ON_WIN32_ERROR(dwError);
  1157. if (pIpsecPolicyObject) {
  1158. FreeIpsecPolicyObject(pIpsecPolicyObject);
  1159. }
  1160. return (ERROR_SUCCESS);
  1161. }
  1163. dwError = UpdatePolicyInformation(
  1164. pIpsecPolicyState->pIpsecPolicyData,
  1165. pIpsecPolicyData
  1166. );
  1168. if (pIpsecPolicyState->pIpsecPolicyObject) {
  1169. FreeIpsecPolicyObject(pIpsecPolicyState->pIpsecPolicyObject);
  1170. }
  1172. if (pIpsecPolicyState->pIpsecPolicyData) {
  1173. FreeIpsecPolicyData(pIpsecPolicyState->pIpsecPolicyData);
  1174. }
  1176. //
  1177. // Now delete the old cache and write the new one in.
  1178. //
  1180. DeleteRegistryCache();
  1182. CacheDirectorytoRegistry(pIpsecPolicyObject);
  1184. pIpsecPolicyState->pIpsecPolicyObject = pIpsecPolicyObject;
  1186. pIpsecPolicyState->pIpsecPolicyData = pIpsecPolicyData;
  1188. pIpsecPolicyState->CurrentPollingInterval = pIpsecPolicyData->dwPollingInterval;
  1190. pIpsecPolicyState->DSIncarnationNumber = dwIncarnationNumber;
  1192. NotifyIpsecPolicyChange();
  1194. dwError = ERROR_SUCCESS;
  1195. if (dwSlientErrorCode) {
  1196. AuditIPSecPolicyErrorEvent(
  1197. SE_CATEGID_POLICY_CHANGE,
  1198. SE_AUDITID_IPSEC_POLICY_CHANGED,
  1199. PASTORE_FAILED_SOME_NFA_APPLICATION,
  1200. pIpsecPolicyData->pszIpsecName,
  1201. dwSlientErrorCode,
  1202. FALSE,
  1203. TRUE
  1204. );
  1205. }
  1206. AuditEvent(
  1207. SE_CATEGID_POLICY_CHANGE,
  1208. SE_AUDITID_IPSEC_POLICY_CHANGED,
  1209. PASTORE_POLLING_APPLIED_CHANGES,
  1210. NULL,
  1211. TRUE,
  1212. TRUE
  1213. );
  1214. return (dwError);
  1216. error:
  1218. if (pIpsecPolicyObject) {
  1219. FreeIpsecPolicyObject(pIpsecPolicyObject);
  1220. }
  1222. if (pIpsecPolicyData) {
  1223. FreeIpsecPolicyData(pIpsecPolicyData);
  1224. }
  1226. return (dwError);
  1227. }
  1230. DWORD
  1231. GetDirectoryIncarnationNumber(
  1232. LPWSTR pszIpsecPolicyDN,
  1233. DWORD * pdwIncarnationNumber
  1234. )
  1235. {
  1236. DWORD dwError = 0;
  1237. LPWSTR pszDefaultDirectory = NULL;
  1238. HLDAP hLdapBindHandle = NULL;
  1239. LPWSTR Attributes[] = {L"whenChanged", NULL};
  1240. LDAPMessage *res = NULL;
  1241. LDAPMessage *e = NULL;
  1242. WCHAR **strvalues = NULL;
  1243. DWORD dwCount = 0;
  1244. DWORD dwWhenChanged = 0;
  1247. *pdwIncarnationNumber = 0;
  1249. //
  1250. // Open the directory store.
  1251. //
  1253. dwError = ComputeDefaultDirectory(
  1254. &pszDefaultDirectory
  1255. );
  1256. BAIL_ON_WIN32_ERROR(dwError);
  1258. dwError = OpenDirectoryServerHandle(
  1259. pszDefaultDirectory,
  1260. 389,
  1261. &hLdapBindHandle
  1262. );
  1263. BAIL_ON_WIN32_ERROR(dwError);
  1265. dwError = LdapSearchST(
  1266. hLdapBindHandle,
  1267. pszIpsecPolicyDN,
  1268. LDAP_SCOPE_BASE,
  1269. L"(objectClass=*)",
  1270. Attributes,
  1271. 0,
  1272. NULL,
  1273. &res
  1274. );
  1275. BAIL_ON_WIN32_ERROR(dwError);
  1277. dwError = LdapFirstEntry(
  1278. hLdapBindHandle,
  1279. res,
  1280. &e
  1281. );
  1282. BAIL_ON_WIN32_ERROR(dwError);
  1284. dwError = LdapGetValues(
  1285. hLdapBindHandle,
  1286. e,
  1287. L"whenChanged",
  1288. (WCHAR ***)&strvalues,
  1289. (int *)&dwCount
  1290. );
  1291. BAIL_ON_WIN32_ERROR(dwError);
  1293. dwWhenChanged = _wtol(LDAPOBJECT_STRING((PLDAPOBJECT)strvalues));
  1295. *pdwIncarnationNumber = dwWhenChanged;
  1297. error:
  1299. if (pszDefaultDirectory) {
  1300. FreeSPDStr(pszDefaultDirectory);
  1301. }
  1303. if (hLdapBindHandle) {
  1304. CloseDirectoryServerHandle(hLdapBindHandle);
  1305. }
  1307. if (res) {
  1308. LdapMsgFree(res);
  1309. }
  1311. if (strvalues) {
  1312. LdapValueFree(strvalues);
  1313. }
  1315. return (dwError);
  1316. }
  1319. DWORD
  1320. MigrateFromDSToCache(
  1321. PIPSEC_POLICY_STATE pIpsecPolicyState
  1322. )
  1323. {
  1324. DWORD dwError = 0;
  1325. LPWSTR pszCachePolicyDN = NULL;
  1328. dwError = GetCachePolicyDN(
  1329. &pszCachePolicyDN
  1330. );
  1331. BAIL_ON_WIN32_ERROR(dwError);
  1333. if (pIpsecPolicyState->pszDirectoryPolicyDN) {
  1334. FreeSPDStr(pIpsecPolicyState->pszDirectoryPolicyDN);
  1335. pIpsecPolicyState->pszDirectoryPolicyDN = NULL;
  1336. }
  1338. pIpsecPolicyState->pszCachePolicyDN = pszCachePolicyDN;
  1340. //
  1341. // Keep pIpsecPolicyState->pIpsecPolicyData.
  1342. // Keep pIpsecPolicyState->pIpsecPolicyObject.
  1343. // Change the incarnation numbers.
  1344. //
  1346. pIpsecPolicyState->RegIncarnationNumber = pIpsecPolicyState->DSIncarnationNumber;
  1348. pIpsecPolicyState->DSIncarnationNumber = 0;
  1350. pIpsecPolicyState->dwCurrentState = POLL_STATE_CACHE_DOWNLOADED;
  1352. //
  1353. // Keep pIpsecPolicyState->CurrentPollingInterval.
  1354. // Keep pIpsecPolicyState->DefaultPollingInterval.
  1355. //
  1357. gCurrentPollingInterval = pIpsecPolicyState->CurrentPollingInterval;
  1359. AuditEvent(
  1360. SE_CATEGID_POLICY_CHANGE,
  1361. SE_AUDITID_IPSEC_POLICY_CHANGED,
  1362. PASTORE_MIGRATE_DS_TO_CACHE,
  1363. NULL,
  1364. TRUE,
  1365. TRUE
  1366. );
  1368. error:
  1370. return (dwError);
  1371. }
  1374. DWORD
  1375. ProcessCachePolicyPollState(
  1376. PIPSEC_POLICY_STATE pIpsecPolicyState
  1377. )
  1378. {
  1379. DWORD dwError = 0;
  1380. LPWSTR pszDirectoryPolicyDN = NULL;
  1381. DWORD dwIncarnationNumber = 0;
  1382. LPWSTR pszCachePolicyDN = NULL;
  1385. dwError = GetDirectoryPolicyDN(
  1386. &pszDirectoryPolicyDN
  1387. );
  1389. if (!dwError) {
  1391. dwError = GetDirectoryIncarnationNumber(
  1392. pszDirectoryPolicyDN,
  1393. &dwIncarnationNumber
  1394. );
  1396. if (!dwError) {
  1398. dwError = CopyPolicyDSToFQRegString(
  1399. pszDirectoryPolicyDN,
  1400. &pszCachePolicyDN
  1401. );
  1403. if (!dwError) {
  1405. if (!_wcsicmp(pIpsecPolicyState->pszCachePolicyDN, pszCachePolicyDN)) {
  1407. if (pIpsecPolicyState->RegIncarnationNumber == dwIncarnationNumber) {
  1408. dwError = MigrateFromCacheToDS(pIpsecPolicyState);
  1409. }
  1410. else {
  1411. dwError = UpdateFromCacheToDS(pIpsecPolicyState);
  1412. }
  1414. if (dwError) {
  1415. dwError = OnPolicyChanged(pIpsecPolicyState);
  1416. }
  1418. }
  1419. else {
  1421. dwError = OnPolicyChanged(pIpsecPolicyState);
  1423. }
  1425. }
  1427. }
  1429. }
  1431. if (pszDirectoryPolicyDN) {
  1432. FreeSPDStr(pszDirectoryPolicyDN);
  1433. }
  1435. if (pszCachePolicyDN) {
  1436. FreeSPDStr(pszCachePolicyDN);
  1437. }
  1439. return (ERROR_SUCCESS);
  1440. }
  1443. DWORD
  1444. MigrateFromCacheToDS(
  1445. PIPSEC_POLICY_STATE pIpsecPolicyState
  1446. )
  1447. {
  1448. DWORD dwError = 0;
  1449. LPWSTR pszDirectoryPolicyDN = NULL;
  1452. dwError = GetDirectoryPolicyDN(
  1453. &pszDirectoryPolicyDN
  1454. );
  1455. BAIL_ON_WIN32_ERROR(dwError);
  1457. if (pIpsecPolicyState->pszCachePolicyDN) {
  1458. FreeSPDStr(pIpsecPolicyState->pszCachePolicyDN);
  1459. pIpsecPolicyState->pszCachePolicyDN = NULL;
  1460. }
  1462. pIpsecPolicyState->pszDirectoryPolicyDN = pszDirectoryPolicyDN;
  1464. //
  1465. // Keep pIpsecPolicyState->pIpsecPolicyData.
  1466. // Keep pIpsecPolicyState->pIpsecPolicyObject.
  1467. // Change the incarnation numbers.
  1468. //
  1470. pIpsecPolicyState->DSIncarnationNumber = pIpsecPolicyState->RegIncarnationNumber;
  1472. pIpsecPolicyState->RegIncarnationNumber = 0;
  1474. pIpsecPolicyState->dwCurrentState = POLL_STATE_DS_DOWNLOADED;
  1476. //
  1477. // Keep pIpsecPolicyState->CurrentPollingInterval.
  1478. // Keep pIpsecPolicyState->DefaultPollingInterval.
  1479. //
  1481. gCurrentPollingInterval = pIpsecPolicyState->CurrentPollingInterval;
  1483. AuditEvent(
  1484. SE_CATEGID_POLICY_CHANGE,
  1485. SE_AUDITID_IPSEC_POLICY_CHANGED,
  1486. PASTORE_MIGRATE_CACHE_TO_DS,
  1487. NULL,
  1488. TRUE,
  1489. TRUE
  1490. );
  1492. error:
  1494. return (dwError);
  1495. }
  1498. DWORD
  1499. UpdateFromCacheToDS(
  1500. PIPSEC_POLICY_STATE pIpsecPolicyState
  1501. )
  1502. {
  1503. DWORD dwError = 0;
  1504. LPWSTR pszDirectoryPolicyDN = NULL;
  1505. PIPSEC_POLICY_OBJECT pIpsecPolicyObject = NULL;
  1506. PIPSEC_POLICY_DATA pIpsecPolicyData = NULL;
  1507. DWORD dwStoreType = IPSEC_DIRECTORY_PROVIDER;
  1508. DWORD dwSlientErrorCode = 0;
  1511. dwError = GetDirectoryPolicyDN(
  1512. &pszDirectoryPolicyDN
  1513. );
  1514. BAIL_ON_WIN32_ERROR(dwError);
  1516. dwError = LoadDirectoryPolicy(
  1517. pszDirectoryPolicyDN,
  1518. &pIpsecPolicyObject
  1519. );
  1520. BAIL_ON_WIN32_ERROR(dwError);
  1522. dwError = ProcessNFAs(
  1523. pIpsecPolicyObject,
  1524. dwStoreType,
  1525. &dwSlientErrorCode,
  1526. &pIpsecPolicyData
  1527. );
  1528. BAIL_ON_WIN32_ERROR(dwError);
  1530. dwError = UpdatePolicyInformation(
  1531. pIpsecPolicyState->pIpsecPolicyData,
  1532. pIpsecPolicyData
  1533. );
  1535. if (pIpsecPolicyState->pIpsecPolicyObject) {
  1536. FreeIpsecPolicyObject(pIpsecPolicyState->pIpsecPolicyObject);
  1537. }
  1539. if (pIpsecPolicyState->pIpsecPolicyData) {
  1540. FreeIpsecPolicyData(pIpsecPolicyState->pIpsecPolicyData);
  1541. }
  1543. if (pIpsecPolicyState->pszCachePolicyDN) {
  1544. FreeSPDStr(pIpsecPolicyState->pszCachePolicyDN);
  1545. }
  1547. //
  1548. // Now delete the old cache and write the new one in.
  1549. //
  1551. DeleteRegistryCache();
  1553. CacheDirectorytoRegistry(pIpsecPolicyObject);
  1555. pIpsecPolicyState->pIpsecPolicyObject = pIpsecPolicyObject;
  1557. pIpsecPolicyState->pIpsecPolicyData = pIpsecPolicyData;
  1559. pIpsecPolicyState->pszDirectoryPolicyDN = pszDirectoryPolicyDN;
  1561. //
  1562. // Set the state to DS-DOWNLOADED.
  1563. //
  1565. pIpsecPolicyState->dwCurrentState = POLL_STATE_DS_DOWNLOADED;
  1567. //
  1568. // Compute the new polling interval.
  1569. //
  1571. pIpsecPolicyState->CurrentPollingInterval = pIpsecPolicyData->dwPollingInterval;
  1573. pIpsecPolicyState->DSIncarnationNumber = pIpsecPolicyData->dwWhenChanged;
  1575. pIpsecPolicyState->RegIncarnationNumber = 0;
  1577. gCurrentPollingInterval = pIpsecPolicyState->CurrentPollingInterval;
  1579. NotifyIpsecPolicyChange();
  1581. dwError = ERROR_SUCCESS;
  1582. if (dwSlientErrorCode) {
  1583. AuditIPSecPolicyErrorEvent(
  1584. SE_CATEGID_POLICY_CHANGE,
  1585. SE_AUDITID_IPSEC_POLICY_CHANGED,
  1586. PASTORE_FAILED_SOME_NFA_APPLICATION,
  1587. pIpsecPolicyData->pszIpsecName,
  1588. dwSlientErrorCode,
  1589. FALSE,
  1590. TRUE
  1591. );
  1592. }
  1593. AuditEvent(
  1594. SE_CATEGID_POLICY_CHANGE,
  1595. SE_AUDITID_IPSEC_POLICY_CHANGED,
  1596. PASTORE_UPDATE_CACHE_TO_DS,
  1597. NULL,
  1598. TRUE,
  1599. TRUE
  1600. );
  1601. return (dwError);
  1603. error:
  1605. if (pszDirectoryPolicyDN) {
  1606. FreeSPDStr(pszDirectoryPolicyDN);
  1607. }
  1609. if (pIpsecPolicyObject) {
  1610. FreeIpsecPolicyObject(pIpsecPolicyObject);
  1611. }
  1613. if (pIpsecPolicyData) {
  1614. FreeIpsecPolicyData(pIpsecPolicyData);
  1615. }
  1617. return (dwError);
  1618. }
  1621. DWORD
  1622. ProcessLocalPolicyPollState(
  1623. PIPSEC_POLICY_STATE pIpsecPolicyState
  1624. )
  1625. {
  1626. DWORD dwStatus = 0;
  1627. LPWSTR pszDirectoryPolicyDN = NULL;
  1628. DWORD dwDSIncarnationNumber = 0;
  1629. DWORD dwError = 0;
  1630. BOOL bChanged = FALSE;
  1631. DWORD dwIncarnationNumber = 0;
  1632. PIPSEC_POLICY_OBJECT pIpsecPolicyObject = NULL;
  1633. PIPSEC_POLICY_DATA pIpsecPolicyData = NULL;
  1634. DWORD dwStoreType = IPSEC_REGISTRY_PROVIDER;
  1635. DWORD dwSlientErrorCode = 0;
  1638. dwStatus = GetDirectoryPolicyDN(
  1639. &pszDirectoryPolicyDN
  1640. );
  1641. if (!dwStatus) {
  1643. dwStatus = GetDirectoryIncarnationNumber(
  1644. pszDirectoryPolicyDN,
  1645. &dwDSIncarnationNumber
  1646. );
  1647. if (pszDirectoryPolicyDN) {
  1648. FreeSPDStr(pszDirectoryPolicyDN);
  1649. }
  1650. if (!dwStatus) {
  1651. dwStatus = OnPolicyChanged(pIpsecPolicyState);
  1652. return (dwStatus);
  1653. }
  1655. }
  1657. dwError = HasRegistryPolicyChanged(
  1658. pIpsecPolicyState->pszRegistryPolicyDN,
  1659. &bChanged
  1660. );
  1661. BAIL_ON_WIN32_ERROR(dwError);
  1663. if (bChanged) {
  1665. dwError = OnPolicyChanged(pIpsecPolicyState);
  1666. return (dwError);
  1668. }
  1670. if (pIpsecPolicyState->dwCurrentState == POLL_STATE_INITIAL) {
  1671. return (ERROR_SUCCESS);
  1672. }
  1674. dwError = GetRegistryIncarnationNumber(
  1675. pIpsecPolicyState->pszRegistryPolicyDN,
  1676. &dwIncarnationNumber
  1677. );
  1678. BAIL_ON_WIN32_ERROR(dwError);
  1680. if (dwIncarnationNumber == pIpsecPolicyState->RegIncarnationNumber) {
  1682. //
  1683. // The policy has not changed at all.
  1684. //
  1686. AuditEvent(
  1687. SE_CATEGID_POLICY_CHANGE,
  1688. SE_AUDITID_IPSEC_POLICY_CHANGED,
  1689. PASTORE_POLLING_NO_CHANGES,
  1690. NULL,
  1691. TRUE,
  1692. TRUE
  1693. );
  1694. return (ERROR_SUCCESS);
  1695. }
  1697. dwError = LoadRegistryPolicy(
  1698. pIpsecPolicyState->pszRegistryPolicyDN,
  1699. &pIpsecPolicyObject
  1700. );
  1701. BAIL_ON_WIN32_ERROR(dwError);
  1703. dwError = ProcessNFAs(
  1704. pIpsecPolicyObject,
  1705. dwStoreType,
  1706. &dwSlientErrorCode,
  1707. &pIpsecPolicyData
  1708. );
  1709. BAIL_ON_WIN32_ERROR(dwError);
  1711. dwError = UpdatePolicyInformation(
  1712. pIpsecPolicyState->pIpsecPolicyData,
  1713. pIpsecPolicyData
  1714. );
  1716. if (pIpsecPolicyState->pIpsecPolicyObject) {
  1717. FreeIpsecPolicyObject(pIpsecPolicyState->pIpsecPolicyObject);
  1718. }
  1720. if (pIpsecPolicyState->pIpsecPolicyData) {
  1721. FreeIpsecPolicyData(pIpsecPolicyState->pIpsecPolicyData);
  1722. }
  1724. pIpsecPolicyState->pIpsecPolicyObject = pIpsecPolicyObject;
  1726. pIpsecPolicyState->pIpsecPolicyData = pIpsecPolicyData;
  1728. pIpsecPolicyState->CurrentPollingInterval = pIpsecPolicyData->dwPollingInterval;
  1730. pIpsecPolicyState->RegIncarnationNumber = dwIncarnationNumber;
  1732. NotifyIpsecPolicyChange();
  1734. dwError = ERROR_SUCCESS;
  1735. if (dwSlientErrorCode) {
  1736. AuditIPSecPolicyErrorEvent(
  1737. SE_CATEGID_POLICY_CHANGE,
  1738. SE_AUDITID_IPSEC_POLICY_CHANGED,
  1739. PASTORE_FAILED_SOME_NFA_APPLICATION,
  1740. pIpsecPolicyData->pszIpsecName,
  1741. dwSlientErrorCode,
  1742. FALSE,
  1743. TRUE
  1744. );
  1745. }
  1746. AuditEvent(
  1747. SE_CATEGID_POLICY_CHANGE,
  1748. SE_AUDITID_IPSEC_POLICY_CHANGED,
  1749. PASTORE_POLLING_APPLIED_CHANGES,
  1750. NULL,
  1751. TRUE,
  1752. TRUE
  1753. );
  1754. return (dwError);
  1756. error:
  1758. if (pIpsecPolicyObject) {
  1759. FreeIpsecPolicyObject(pIpsecPolicyObject);
  1760. }
  1762. if (pIpsecPolicyData) {
  1763. FreeIpsecPolicyData(pIpsecPolicyData);
  1764. }
  1766. return (dwError);
  1767. }
  1770. DWORD
  1771. HasRegistryPolicyChanged(
  1772. LPWSTR pszCurrentPolicyDN,
  1773. PBOOL pbChanged
  1774. )
  1775. {
  1776. DWORD dwError = 0;
  1777. HKEY hRegKey = NULL;
  1778. LPWSTR pszIpsecPolicyName = NULL;
  1779. DWORD dwSize = 0;
  1780. BOOL bChanged = FALSE;
  1783. dwError = RegOpenKeyExW(
  1784. HKEY_LOCAL_MACHINE,
  1785. gpszIpsecLocalPolicyKey,
  1786. 0,
  1787. KEY_ALL_ACCESS,
  1788. &hRegKey
  1789. );
  1790. BAIL_ON_WIN32_ERROR(dwError);
  1792. dwError = RegstoreQueryValue(
  1793. hRegKey,
  1794. L"ActivePolicy",
  1795. REG_SZ,
  1796. (LPBYTE *)&pszIpsecPolicyName,
  1797. &dwSize
  1798. );
  1799. //
  1800. // Must not bail from here, as there can be no
  1801. // active local policy.
  1802. //
  1804. if (pszIpsecPolicyName && *pszIpsecPolicyName) {
  1806. if (!pszCurrentPolicyDN || !*pszCurrentPolicyDN) {
  1807. bChanged = TRUE;
  1808. }
  1809. else {
  1811. if (!_wcsicmp(pszIpsecPolicyName, pszCurrentPolicyDN)) {
  1812. bChanged = FALSE;
  1813. }
  1814. else {
  1815. bChanged = TRUE;
  1816. }
  1818. }
  1820. }
  1821. else {
  1822. if (!pszCurrentPolicyDN || !*pszCurrentPolicyDN) {
  1823. bChanged = FALSE;
  1824. }
  1825. else {
  1826. bChanged = TRUE;
  1827. }
  1828. }
  1830. *pbChanged = bChanged;
  1831. dwError = ERROR_SUCCESS;
  1833. cleanup:
  1835. if (hRegKey) {
  1836. CloseHandle(hRegKey);
  1837. }
  1839. if (pszIpsecPolicyName) {
  1840. FreeSPDStr(pszIpsecPolicyName);
  1841. }
  1843. return (dwError);
  1845. error:
  1847. *pbChanged = FALSE;
  1849. goto cleanup;
  1850. }
  1853. DWORD
  1854. GetRegistryIncarnationNumber(
  1855. LPWSTR pszIpsecPolicyDN,
  1856. DWORD * pdwIncarnationNumber
  1857. )
  1858. {
  1859. DWORD dwError = 0;
  1860. HKEY hRegKey = NULL;
  1861. DWORD dwType = REG_DWORD;
  1862. DWORD dwWhenChanged = 0;
  1863. DWORD dwSize = sizeof(DWORD);
  1866. *pdwIncarnationNumber = 0;
  1868. dwError = RegOpenKeyExW(
  1869. HKEY_LOCAL_MACHINE,
  1870. pszIpsecPolicyDN,
  1871. 0,
  1872. KEY_ALL_ACCESS,
  1873. &hRegKey
  1874. );
  1875. BAIL_ON_WIN32_ERROR(dwError);
  1877. dwError = RegQueryValueExW(
  1878. hRegKey,
  1879. L"whenChanged",
  1880. NULL,
  1881. &dwType,
  1882. (LPBYTE)&dwWhenChanged,
  1883. &dwSize
  1884. );
  1885. BAIL_ON_WIN32_ERROR(dwError);
  1887. *pdwIncarnationNumber = dwWhenChanged;
  1889. error:
  1891. if (hRegKey) {
  1892. CloseHandle(hRegKey);
  1893. }
  1895. return(dwError);
  1896. }
  1899. DWORD
  1900. UpdatePolicyInformation(
  1901. PIPSEC_POLICY_DATA pOldIpsecPolicyData,
  1902. PIPSEC_POLICY_DATA pNewIpsecPolicyData
  1903. )
  1904. {
  1905. DWORD dwError = 0;
  1906. PIPSEC_ISAKMP_DATA pOldIpsecISAKMPData = NULL;
  1907. PIPSEC_NFA_DATA * ppOldIpsecNFAData = NULL;
  1908. DWORD dwNumOldNFACount = 0;
  1909. PIPSEC_ISAKMP_DATA pNewIpsecISAKMPData = NULL;
  1910. PIPSEC_NFA_DATA * ppNewIpsecNFAData = NULL;
  1911. DWORD dwNumNewNFACount = 0;
  1914. pOldIpsecISAKMPData = pOldIpsecPolicyData->pIpsecISAKMPData;
  1915. ppOldIpsecNFAData = pOldIpsecPolicyData->ppIpsecNFAData;
  1916. dwNumOldNFACount = pOldIpsecPolicyData->dwNumNFACount;
  1918. pNewIpsecISAKMPData = pNewIpsecPolicyData->pIpsecISAKMPData;
  1919. ppNewIpsecNFAData = pNewIpsecPolicyData->ppIpsecNFAData;
  1920. dwNumNewNFACount = pNewIpsecPolicyData->dwNumNFACount;
  1922. dwError = PADeleteObseleteISAKMPData(
  1923. &pOldIpsecISAKMPData,
  1924. 1,
  1925. ppOldIpsecNFAData,
  1926. dwNumOldNFACount,
  1927. &pNewIpsecISAKMPData,
  1928. 1
  1929. );
  1931. dwError = PAUpdateISAKMPData(
  1932. &pNewIpsecISAKMPData,
  1933. 1,
  1934. ppOldIpsecNFAData,
  1935. dwNumOldNFACount,
  1936. &pOldIpsecISAKMPData,
  1937. 1
  1938. );
  1940. dwError = PADeleteObseleteNFAData(
  1941. pNewIpsecISAKMPData,
  1942. ppOldIpsecNFAData,
  1943. dwNumOldNFACount,
  1944. ppNewIpsecNFAData,
  1945. dwNumNewNFACount
  1946. );
  1948. dwError = PAUpdateNFAData(
  1949. pNewIpsecISAKMPData,
  1950. ppNewIpsecNFAData,
  1951. dwNumNewNFACount,
  1952. ppOldIpsecNFAData,
  1953. dwNumOldNFACount
  1954. );
  1956. return (dwError);
  1957. }
  1960. DWORD
  1961. LoadDefaultISAKMPInformation(
  1962. LPWSTR pszDefaultISAKMPDN
  1963. )
  1964. {
  1965. DWORD dwError = 0;
  1967. gbLoadedISAKMPDefaults = TRUE;
  1969. return (dwError);
  1970. }
  1973. VOID
  1974. UnLoadDefaultISAKMPInformation(
  1975. LPWSTR pszDefaultISAKMPDN
  1976. )
  1977. {
  1978. return;
  1979. }