mirror of https://github.com/tongzx/nt5src
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1207 lines
27 KiB
1207 lines
27 KiB
|
|
|
|
#include "precomp.h"
|
|
|
|
|
|
DWORD
|
|
ValidateMMPolicy(
|
|
PIPSEC_MM_POLICY pMMPolicy
|
|
)
|
|
{
|
|
DWORD dwError = 0;
|
|
|
|
|
|
if (!pMMPolicy) {
|
|
dwError = ERROR_INVALID_PARAMETER;
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
}
|
|
|
|
if (!(pMMPolicy->pszPolicyName) || !(*(pMMPolicy->pszPolicyName))) {
|
|
dwError = ERROR_INVALID_PARAMETER;
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
}
|
|
|
|
dwError = ValidateMMOffers(
|
|
pMMPolicy->dwOfferCount,
|
|
pMMPolicy->pOffers
|
|
);
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
|
|
error:
|
|
|
|
return (dwError);
|
|
}
|
|
|
|
|
|
DWORD
|
|
ValidateMMOffers(
|
|
DWORD dwOfferCount,
|
|
PIPSEC_MM_OFFER pOffers
|
|
)
|
|
{
|
|
DWORD dwError = 0;
|
|
DWORD i = 0;
|
|
PIPSEC_MM_OFFER pTemp = NULL;
|
|
|
|
|
|
if (!dwOfferCount || !pOffers || (dwOfferCount > IPSEC_MAX_MM_OFFERS)) {
|
|
dwError = ERROR_INVALID_PARAMETER;
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
}
|
|
|
|
//
|
|
// Need to catch the exception when the number of offers
|
|
// specified is more than the actual number of offers.
|
|
//
|
|
|
|
|
|
pTemp = pOffers;
|
|
|
|
for (i = 0; i < dwOfferCount; i++) {
|
|
|
|
if ((pTemp->dwDHGroup != DH_GROUP_1) &&
|
|
(pTemp->dwDHGroup != DH_GROUP_2)) {
|
|
dwError = ERROR_INVALID_PARAMETER;
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
}
|
|
|
|
if (pTemp->EncryptionAlgorithm.uAlgoIdentifier >= IPSEC_DOI_ESP_MAX) {
|
|
dwError = ERROR_INVALID_PARAMETER;
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
}
|
|
|
|
if (pTemp->HashingAlgorithm.uAlgoIdentifier >= IPSEC_DOI_AH_MAX) {
|
|
dwError = ERROR_INVALID_PARAMETER;
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
}
|
|
|
|
pTemp++;
|
|
|
|
}
|
|
|
|
error:
|
|
|
|
return (dwError);
|
|
}
|
|
|
|
|
|
DWORD
|
|
ValidateMMAuthMethods(
|
|
PMM_AUTH_METHODS pMMAuthMethods
|
|
)
|
|
{
|
|
DWORD dwError = 0;
|
|
DWORD i = 0;
|
|
PIPSEC_MM_AUTH_INFO pTemp = NULL;
|
|
DWORD dwNumAuthInfos = 0;
|
|
PIPSEC_MM_AUTH_INFO pAuthenticationInfo = NULL;
|
|
BOOL bSSPI = FALSE;
|
|
BOOL bPresharedKey = FALSE;
|
|
|
|
|
|
if (!pMMAuthMethods) {
|
|
dwError = ERROR_INVALID_PARAMETER;
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
}
|
|
|
|
dwNumAuthInfos = pMMAuthMethods->dwNumAuthInfos;
|
|
pAuthenticationInfo = pMMAuthMethods->pAuthenticationInfo;
|
|
|
|
if (!dwNumAuthInfos || !pAuthenticationInfo) {
|
|
dwError = ERROR_INVALID_PARAMETER;
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
}
|
|
|
|
//
|
|
// Need to catch the exception when the number of auth infos
|
|
// specified is more than the actual number of auth infos.
|
|
//
|
|
|
|
|
|
pTemp = pAuthenticationInfo;
|
|
|
|
for (i = 0; i < dwNumAuthInfos; i++) {
|
|
|
|
if ((pTemp->AuthMethod != IKE_PRESHARED_KEY) &&
|
|
(pTemp->AuthMethod != IKE_RSA_SIGNATURE) &&
|
|
(pTemp->AuthMethod != IKE_SSPI)) {
|
|
dwError = ERROR_INVALID_PARAMETER;
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
}
|
|
|
|
if (pTemp->AuthMethod != IKE_SSPI) {
|
|
if (!(pTemp->dwAuthInfoSize) || !(pTemp->pAuthInfo)) {
|
|
dwError = ERROR_INVALID_PARAMETER;
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
}
|
|
}
|
|
|
|
if (pTemp->AuthMethod == IKE_SSPI) {
|
|
if (bSSPI) {
|
|
dwError = ERROR_INVALID_PARAMETER;
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
}
|
|
bSSPI = TRUE;
|
|
}
|
|
|
|
if (pTemp->AuthMethod == IKE_PRESHARED_KEY) {
|
|
if (bPresharedKey) {
|
|
dwError = ERROR_INVALID_PARAMETER;
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
}
|
|
bPresharedKey = TRUE;
|
|
}
|
|
|
|
pTemp++;
|
|
|
|
}
|
|
|
|
error:
|
|
|
|
return (dwError);
|
|
}
|
|
|
|
|
|
DWORD
|
|
ValidateQMPolicy(
|
|
PIPSEC_QM_POLICY pQMPolicy
|
|
)
|
|
{
|
|
DWORD dwError = 0;
|
|
|
|
|
|
if (!pQMPolicy) {
|
|
dwError = ERROR_INVALID_PARAMETER;
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
}
|
|
|
|
if (!(pQMPolicy->pszPolicyName) || !(*(pQMPolicy->pszPolicyName))) {
|
|
dwError = ERROR_INVALID_PARAMETER;
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
}
|
|
|
|
dwError = ValidateQMOffers(
|
|
pQMPolicy->dwOfferCount,
|
|
pQMPolicy->pOffers
|
|
);
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
|
|
error:
|
|
|
|
return (dwError);
|
|
}
|
|
|
|
|
|
DWORD
|
|
ValidateQMOffers(
|
|
DWORD dwOfferCount,
|
|
PIPSEC_QM_OFFER pOffers
|
|
)
|
|
{
|
|
DWORD dwError = 0;
|
|
DWORD i = 0;
|
|
PIPSEC_QM_OFFER pTemp = NULL;
|
|
DWORD j = 0;
|
|
BOOL bAH = FALSE;
|
|
BOOL bESP = FALSE;
|
|
DWORD dwQMGroup = PFS_GROUP_NONE;
|
|
|
|
|
|
if (!dwOfferCount || !pOffers || (dwOfferCount > IPSEC_MAX_QM_OFFERS)) {
|
|
dwError = ERROR_INVALID_PARAMETER;
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
}
|
|
|
|
//
|
|
// Need to catch the exception when the number of offers
|
|
// specified is more than the actual number of offers.
|
|
//
|
|
|
|
|
|
pTemp = pOffers;
|
|
|
|
if (pTemp->bPFSRequired) {
|
|
if ((pTemp->dwPFSGroup != PFS_GROUP_1) &&
|
|
(pTemp->dwPFSGroup != PFS_GROUP_2) &&
|
|
(pTemp->dwPFSGroup != PFS_GROUP_MM)) {
|
|
dwError = ERROR_INVALID_PARAMETER;
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
}
|
|
dwQMGroup=pTemp->dwPFSGroup;
|
|
}
|
|
else {
|
|
if (pTemp->dwPFSGroup != PFS_GROUP_NONE) {
|
|
dwError = ERROR_INVALID_PARAMETER;
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
}
|
|
}
|
|
|
|
for (i = 0; i < dwOfferCount; i++) {
|
|
|
|
if (dwQMGroup) {
|
|
if ((!pTemp->bPFSRequired) || (pTemp->dwPFSGroup != dwQMGroup)) {
|
|
dwError = ERROR_INVALID_PARAMETER;
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
}
|
|
} else {
|
|
if ((pTemp->bPFSRequired) || (pTemp->dwPFSGroup != PFS_GROUP_NONE)) {
|
|
dwError = ERROR_INVALID_PARAMETER;
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
}
|
|
}
|
|
|
|
if (!(pTemp->dwNumAlgos) || (pTemp->dwNumAlgos > QM_MAX_ALGOS)) {
|
|
dwError = ERROR_INVALID_PARAMETER;
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
}
|
|
|
|
bAH = FALSE;
|
|
bESP = FALSE;
|
|
|
|
for (j = 0; j < (pTemp->dwNumAlgos); j++) {
|
|
|
|
switch (pTemp->Algos[j].Operation) {
|
|
|
|
case AUTHENTICATION:
|
|
if (bAH) {
|
|
dwError = ERROR_INVALID_PARAMETER;
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
}
|
|
if ((pTemp->Algos[j].uAlgoIdentifier == IPSEC_DOI_AH_NONE) ||
|
|
(pTemp->Algos[j].uAlgoIdentifier >= IPSEC_DOI_AH_MAX)) {
|
|
dwError = ERROR_INVALID_PARAMETER;
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
}
|
|
if (pTemp->Algos[j].uSecAlgoIdentifier != HMAC_AH_NONE) {
|
|
dwError = ERROR_INVALID_PARAMETER;
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
}
|
|
bAH = TRUE;
|
|
break;
|
|
|
|
case ENCRYPTION:
|
|
if (bESP) {
|
|
dwError = ERROR_INVALID_PARAMETER;
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
}
|
|
if (pTemp->Algos[j].uAlgoIdentifier >= IPSEC_DOI_ESP_MAX) {
|
|
dwError = ERROR_INVALID_PARAMETER;
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
}
|
|
if (pTemp->Algos[j].uSecAlgoIdentifier >= HMAC_AH_MAX) {
|
|
dwError = ERROR_INVALID_PARAMETER;
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
}
|
|
if (pTemp->Algos[j].uAlgoIdentifier == IPSEC_DOI_ESP_NONE) {
|
|
if (pTemp->Algos[j].uSecAlgoIdentifier == HMAC_AH_NONE) {
|
|
dwError = ERROR_INVALID_PARAMETER;
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
}
|
|
}
|
|
bESP = TRUE;
|
|
break;
|
|
|
|
case NONE:
|
|
case COMPRESSION:
|
|
default:
|
|
dwError = ERROR_INVALID_PARAMETER;
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
pTemp++;
|
|
|
|
}
|
|
|
|
error:
|
|
|
|
return (dwError);
|
|
}
|
|
|
|
|
|
DWORD
|
|
ValidateMMFilter(
|
|
PMM_FILTER pMMFilter
|
|
)
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This function validates an external generic MM filter.
|
|
|
|
Arguments:
|
|
|
|
pMMFilter - Filter to validate.
|
|
|
|
Return Value:
|
|
|
|
ERROR_SUCCESS - Success.
|
|
|
|
Win32 Error - Failure.
|
|
|
|
--*/
|
|
{
|
|
DWORD dwError = 0;
|
|
BOOL bConflicts = FALSE;
|
|
|
|
|
|
if (!pMMFilter) {
|
|
dwError = ERROR_INVALID_PARAMETER;
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
}
|
|
|
|
dwError = VerifyAddresses(pMMFilter->SrcAddr, TRUE , FALSE);
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
|
|
dwError = VerifyAddresses(pMMFilter->DesAddr, TRUE , TRUE);
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
|
|
bConflicts = AddressesConflict(
|
|
pMMFilter->SrcAddr,
|
|
pMMFilter->DesAddr
|
|
);
|
|
if (bConflicts) {
|
|
dwError = ERROR_INVALID_PARAMETER;
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
}
|
|
|
|
if (!(pMMFilter->pszFilterName) || !(*(pMMFilter->pszFilterName))) {
|
|
dwError = ERROR_INVALID_PARAMETER;
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
}
|
|
|
|
if (pMMFilter->InterfaceType >= INTERFACE_TYPE_MAX) {
|
|
dwError = ERROR_INVALID_PARAMETER;
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
}
|
|
|
|
if (pMMFilter->dwFlags &&
|
|
!(pMMFilter->dwFlags & IPSEC_MM_POLICY_DEFAULT_POLICY) &&
|
|
!(pMMFilter->dwFlags & IPSEC_MM_AUTH_DEFAULT_AUTH)) {
|
|
dwError = ERROR_INVALID_PARAMETER;
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
}
|
|
|
|
dwError = ApplyMulticastFilterValidation(
|
|
pMMFilter->DesAddr,
|
|
pMMFilter->bCreateMirror
|
|
);
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
|
|
error:
|
|
|
|
return (dwError);
|
|
}
|
|
|
|
|
|
DWORD
|
|
VerifyAddresses(
|
|
ADDR Addr,
|
|
BOOL bAcceptMe,
|
|
BOOL bIsDesAddr
|
|
)
|
|
{
|
|
DWORD dwError = 0;
|
|
BOOL bIsValid = FALSE;
|
|
|
|
switch (Addr.AddrType) {
|
|
|
|
case IP_ADDR_UNIQUE:
|
|
bIsValid = bIsValidIPAddress(
|
|
ntohl(Addr.uIpAddr),
|
|
bAcceptMe,
|
|
bIsDesAddr
|
|
);
|
|
if (!bIsValid) {
|
|
dwError = ERROR_INVALID_PARAMETER;
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
}
|
|
break;
|
|
|
|
case IP_ADDR_SUBNET:
|
|
dwError = VerifySubNetAddress(
|
|
ntohl(Addr.uIpAddr),
|
|
ntohl(Addr.uSubNetMask),
|
|
bIsDesAddr
|
|
);
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
break;
|
|
|
|
case IP_ADDR_INTERFACE:
|
|
if (Addr.uIpAddr) {
|
|
dwError = ERROR_INVALID_PARAMETER;
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
}
|
|
break;
|
|
|
|
default:
|
|
dwError = ERROR_INVALID_PARAMETER;
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
break;
|
|
|
|
}
|
|
|
|
error:
|
|
|
|
return (dwError);
|
|
}
|
|
|
|
|
|
DWORD
|
|
VerifySubNetAddress(
|
|
ULONG uSubNetAddr,
|
|
ULONG uSubNetMask,
|
|
BOOL bIsDesAddr
|
|
)
|
|
{
|
|
DWORD dwError = 0;
|
|
BOOL bIsValid = FALSE;
|
|
|
|
if (uSubNetAddr == SUBNET_ADDRESS_ANY) {
|
|
if (uSubNetMask != SUBNET_MASK_ANY) {
|
|
dwError = ERROR_INVALID_PARAMETER;
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
}
|
|
}
|
|
else {
|
|
bIsValid = bIsValidSubnet(
|
|
uSubNetAddr,
|
|
uSubNetMask,
|
|
bIsDesAddr
|
|
);
|
|
if (!bIsValid) {
|
|
dwError = ERROR_INVALID_PARAMETER;
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
}
|
|
}
|
|
|
|
error:
|
|
|
|
return (dwError);
|
|
}
|
|
|
|
|
|
BOOL
|
|
bIsValidIPMask(
|
|
ULONG uMask
|
|
)
|
|
{
|
|
BOOL bValidMask = FALSE;
|
|
ULONG uTestMask = 0;
|
|
|
|
//
|
|
// Mask must be contiguous bits.
|
|
//
|
|
|
|
for (uTestMask = 0xFFFFFFFF; uTestMask; uTestMask <<= 1) {
|
|
|
|
if (uTestMask == uMask) {
|
|
bValidMask = TRUE;
|
|
break;
|
|
}
|
|
|
|
}
|
|
|
|
return (bValidMask);
|
|
}
|
|
|
|
|
|
BOOL
|
|
bIsValidIPAddress(
|
|
ULONG uIpAddr,
|
|
BOOL bAcceptMe,
|
|
BOOL bIsDesAddr
|
|
)
|
|
{
|
|
ULONG uHostMask = IN_CLASSA_HOST; // Default host mask.
|
|
|
|
|
|
//
|
|
// Accept the address if its "me".
|
|
//
|
|
|
|
if (bAcceptMe) {
|
|
if (uIpAddr == IP_ADDRESS_ME) {
|
|
return TRUE;
|
|
}
|
|
}
|
|
|
|
//
|
|
// Reject if its a multicast address and is not the
|
|
// destination address.
|
|
//
|
|
|
|
if (IN_CLASSD(uIpAddr)) {
|
|
if (bIsDesAddr) {
|
|
return TRUE;
|
|
}
|
|
else {
|
|
return FALSE;
|
|
}
|
|
}
|
|
|
|
//
|
|
// Reject if its a Class E address.
|
|
//
|
|
|
|
if (IN_CLASSE(uIpAddr)) {
|
|
return FALSE;
|
|
}
|
|
|
|
//
|
|
// Reject if the first octet is zero.
|
|
//
|
|
|
|
if (!(IN_CLASSA_NET & uIpAddr)) {
|
|
return FALSE;
|
|
}
|
|
|
|
//
|
|
// Use default mask based on Class when none is provided.
|
|
//
|
|
|
|
if (IN_CLASSA(uIpAddr)) {
|
|
uHostMask = IN_CLASSA_HOST;
|
|
}
|
|
else if (IN_CLASSB(uIpAddr)) {
|
|
uHostMask = IN_CLASSB_HOST;
|
|
}
|
|
else if (IN_CLASSC(uIpAddr)) {
|
|
uHostMask = IN_CLASSC_HOST;
|
|
}
|
|
|
|
//
|
|
// Accept address when host portion is non-zero.
|
|
//
|
|
|
|
if (uHostMask & uIpAddr) {
|
|
return TRUE;
|
|
}
|
|
|
|
return FALSE;
|
|
}
|
|
|
|
|
|
BOOL
|
|
bIsValidSubnet(
|
|
ULONG uIpAddr,
|
|
ULONG uMask,
|
|
BOOL bIsDesAddr
|
|
)
|
|
{
|
|
ULONG uHostMask = 0;
|
|
|
|
|
|
//
|
|
// Reject if its a multicast address and is not the
|
|
// destination address.
|
|
//
|
|
|
|
if (IN_CLASSD(uIpAddr)) {
|
|
if (!bIsDesAddr) {
|
|
return FALSE;
|
|
}
|
|
}
|
|
|
|
//
|
|
// Reject if its a Class E address.
|
|
//
|
|
|
|
if (IN_CLASSE(uIpAddr)) {
|
|
return FALSE;
|
|
}
|
|
|
|
//
|
|
// Reject if the first octet is zero.
|
|
//
|
|
|
|
if (!(IN_CLASSA_NET & uIpAddr)) {
|
|
return FALSE;
|
|
}
|
|
|
|
//
|
|
// If the mask is invalid then return.
|
|
//
|
|
|
|
if (!bIsValidIPMask(uMask)) {
|
|
return FALSE;
|
|
}
|
|
|
|
//
|
|
// Use the provided subnet mask to generate the host mask.
|
|
//
|
|
|
|
uHostMask = 0xFFFFFFFF ^ uMask;
|
|
|
|
//
|
|
// Validate the address and the mask.
|
|
//
|
|
|
|
if (IN_CLASSA(uIpAddr)) {
|
|
if (IN_CLASSA_NET > uMask) {
|
|
return FALSE;
|
|
}
|
|
}
|
|
else if (IN_CLASSB(uIpAddr)) {
|
|
if (IN_CLASSB_NET > uMask) {
|
|
return FALSE;
|
|
}
|
|
}
|
|
else if (IN_CLASSC(uIpAddr)) {
|
|
if (IN_CLASSC_NET > uMask) {
|
|
return TRUE;
|
|
}
|
|
}
|
|
|
|
//
|
|
// Accept address only when the host portion is zero, network
|
|
// portion is non-zero and first octet is non-zero.
|
|
//
|
|
|
|
if (!(uHostMask & uIpAddr) &&
|
|
(uMask & uIpAddr) &&
|
|
(IN_CLASSA_NET & uIpAddr)) {
|
|
return TRUE;
|
|
}
|
|
|
|
return FALSE;
|
|
}
|
|
|
|
|
|
BOOL
|
|
AddressesConflict(
|
|
ADDR SrcAddr,
|
|
ADDR DesAddr
|
|
)
|
|
{
|
|
if ((SrcAddr.AddrType == IP_ADDR_UNIQUE) &&
|
|
(DesAddr.AddrType == IP_ADDR_UNIQUE)) {
|
|
|
|
if (SrcAddr.uIpAddr == DesAddr.uIpAddr) {
|
|
return (TRUE);
|
|
}
|
|
|
|
}
|
|
|
|
if ((SrcAddr.AddrType == IP_ADDR_INTERFACE) &&
|
|
(DesAddr.AddrType == IP_ADDR_INTERFACE)) {
|
|
return (TRUE);
|
|
}
|
|
|
|
return (FALSE);
|
|
}
|
|
|
|
|
|
DWORD
|
|
ValidateTransportFilter(
|
|
PTRANSPORT_FILTER pTransportFilter
|
|
)
|
|
{
|
|
DWORD dwError = 0;
|
|
BOOL bConflicts = FALSE;
|
|
|
|
|
|
if (!pTransportFilter) {
|
|
dwError = ERROR_INVALID_PARAMETER;
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
}
|
|
|
|
dwError = VerifyAddresses(pTransportFilter->SrcAddr, TRUE, FALSE);
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
|
|
dwError = VerifyAddresses(pTransportFilter->DesAddr, TRUE, TRUE);
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
|
|
bConflicts = AddressesConflict(
|
|
pTransportFilter->SrcAddr,
|
|
pTransportFilter->DesAddr
|
|
);
|
|
if (bConflicts) {
|
|
dwError = ERROR_INVALID_PARAMETER;
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
}
|
|
|
|
dwError = VerifyProtocols(pTransportFilter->Protocol);
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
|
|
dwError = VerifyPortsForProtocol(
|
|
pTransportFilter->SrcPort,
|
|
pTransportFilter->Protocol
|
|
);
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
|
|
dwError = VerifyPortsForProtocol(
|
|
pTransportFilter->DesPort,
|
|
pTransportFilter->Protocol
|
|
);
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
|
|
if (!(pTransportFilter->pszFilterName) || !(*(pTransportFilter->pszFilterName))) {
|
|
dwError = ERROR_INVALID_PARAMETER;
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
}
|
|
|
|
if (pTransportFilter->InterfaceType >= INTERFACE_TYPE_MAX) {
|
|
dwError = ERROR_INVALID_PARAMETER;
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
}
|
|
|
|
if (pTransportFilter->InboundFilterFlag >= FILTER_FLAG_MAX) {
|
|
dwError = ERROR_INVALID_PARAMETER;
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
}
|
|
|
|
if (pTransportFilter->OutboundFilterFlag >= FILTER_FLAG_MAX) {
|
|
dwError = ERROR_INVALID_PARAMETER;
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
}
|
|
|
|
if (pTransportFilter->dwFlags &&
|
|
!(pTransportFilter->dwFlags & IPSEC_QM_POLICY_DEFAULT_POLICY)) {
|
|
dwError = ERROR_INVALID_PARAMETER;
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
}
|
|
|
|
dwError = ApplyMulticastFilterValidation(
|
|
pTransportFilter->DesAddr,
|
|
pTransportFilter->bCreateMirror
|
|
);
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
|
|
error:
|
|
|
|
return (dwError);
|
|
}
|
|
|
|
DWORD
|
|
ValidateIPSecQMFilter(
|
|
PIPSEC_QM_FILTER pQMFilter
|
|
)
|
|
{
|
|
DWORD dwError = 0;
|
|
BOOL bConflicts = FALSE;
|
|
|
|
if (!pQMFilter) {
|
|
dwError = ERROR_INVALID_PARAMETER;
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
}
|
|
|
|
dwError = VerifyAddresses(pQMFilter->SrcAddr, FALSE, FALSE);
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
|
|
dwError = VerifyAddresses(pQMFilter->DesAddr, FALSE, TRUE);
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
|
|
bConflicts = AddressesConflict(
|
|
pQMFilter->SrcAddr,
|
|
pQMFilter->DesAddr
|
|
);
|
|
if (bConflicts) {
|
|
dwError = ERROR_INVALID_PARAMETER;
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
}
|
|
|
|
dwError = VerifyProtocols(pQMFilter->Protocol);
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
|
|
dwError = VerifyPortsForProtocol(
|
|
pQMFilter->SrcPort,
|
|
pQMFilter->Protocol
|
|
);
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
|
|
dwError = VerifyPortsForProtocol(
|
|
pQMFilter->DesPort,
|
|
pQMFilter->Protocol
|
|
);
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
|
|
|
|
if (pQMFilter->QMFilterType == QM_TUNNEL_FILTER) {
|
|
|
|
if (pQMFilter->MyTunnelEndpt.AddrType != IP_ADDR_UNIQUE) {
|
|
dwError=ERROR_INVALID_PARAMETER;
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
}
|
|
|
|
if (pQMFilter->PeerTunnelEndpt.AddrType != IP_ADDR_UNIQUE) {
|
|
dwError=ERROR_INVALID_PARAMETER;
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
}
|
|
|
|
dwError = VerifyAddresses(pQMFilter->MyTunnelEndpt, FALSE, FALSE);
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
|
|
dwError = VerifyAddresses(pQMFilter->PeerTunnelEndpt, FALSE, FALSE);
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
|
|
}
|
|
|
|
if (pQMFilter->QMFilterType != QM_TUNNEL_FILTER &&
|
|
pQMFilter->QMFilterType != QM_TRANSPORT_FILTER) {
|
|
dwError=ERROR_INVALID_PARAMETER;
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
}
|
|
|
|
error:
|
|
|
|
return (dwError);
|
|
}
|
|
|
|
DWORD
|
|
VerifyProtocols(
|
|
PROTOCOL Protocol
|
|
)
|
|
{
|
|
DWORD dwError = 0;
|
|
|
|
switch (Protocol.ProtocolType) {
|
|
|
|
case PROTOCOL_UNIQUE:
|
|
if (Protocol.dwProtocol > 255) {
|
|
dwError = ERROR_INVALID_PARAMETER;
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
}
|
|
break;
|
|
|
|
default:
|
|
dwError = ERROR_INVALID_PARAMETER;
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
break;
|
|
|
|
}
|
|
|
|
error:
|
|
|
|
return (dwError);
|
|
}
|
|
|
|
|
|
DWORD
|
|
VerifyPortsForProtocol(
|
|
PORT Port,
|
|
PROTOCOL Protocol
|
|
)
|
|
{
|
|
DWORD dwError = 0;
|
|
|
|
switch (Port.PortType) {
|
|
|
|
case PORT_UNIQUE:
|
|
|
|
if (Port.wPort < 0) {
|
|
dwError = ERROR_INVALID_PARAMETER;
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
}
|
|
|
|
switch (Protocol.ProtocolType) {
|
|
|
|
case PROTOCOL_UNIQUE:
|
|
if ((Protocol.dwProtocol != IPPROTO_TCP) &&
|
|
(Protocol.dwProtocol != IPPROTO_UDP)) {
|
|
if (Port.wPort != 0) {
|
|
dwError = ERROR_INVALID_PARAMETER;
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
}
|
|
}
|
|
break;
|
|
|
|
default:
|
|
dwError = ERROR_INVALID_PARAMETER;
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
break;
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
dwError = ERROR_INVALID_PARAMETER;
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
break;
|
|
|
|
}
|
|
|
|
error:
|
|
|
|
return (dwError);
|
|
}
|
|
|
|
|
|
DWORD
|
|
ValidateMMFilterTemplate(
|
|
PMM_FILTER pMMFilter
|
|
)
|
|
{
|
|
DWORD dwError = 0;
|
|
BOOL bConflicts = FALSE;
|
|
|
|
|
|
if (!pMMFilter) {
|
|
dwError = ERROR_INVALID_PARAMETER;
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
}
|
|
|
|
dwError = VerifyAddresses(pMMFilter->SrcAddr, TRUE, FALSE);
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
|
|
dwError = VerifyAddresses(pMMFilter->DesAddr, TRUE, TRUE);
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
|
|
bConflicts = AddressesConflict(
|
|
pMMFilter->SrcAddr,
|
|
pMMFilter->DesAddr
|
|
);
|
|
if (bConflicts) {
|
|
dwError = ERROR_INVALID_PARAMETER;
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
}
|
|
|
|
if (pMMFilter->dwDirection) {
|
|
if ((pMMFilter->dwDirection != FILTER_DIRECTION_INBOUND) &&
|
|
(pMMFilter->dwDirection != FILTER_DIRECTION_OUTBOUND)) {
|
|
dwError = ERROR_INVALID_PARAMETER;
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
}
|
|
}
|
|
|
|
error:
|
|
|
|
return (dwError);
|
|
}
|
|
|
|
|
|
DWORD
|
|
ValidateTxFilterTemplate(
|
|
PTRANSPORT_FILTER pTxFilter
|
|
)
|
|
{
|
|
DWORD dwError = 0;
|
|
BOOL bConflicts = FALSE;
|
|
|
|
|
|
if (!pTxFilter) {
|
|
dwError = ERROR_INVALID_PARAMETER;
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
}
|
|
|
|
dwError = VerifyAddresses(pTxFilter->SrcAddr, TRUE, FALSE);
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
|
|
dwError = VerifyAddresses(pTxFilter->DesAddr, TRUE, TRUE);
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
|
|
bConflicts = AddressesConflict(
|
|
pTxFilter->SrcAddr,
|
|
pTxFilter->DesAddr
|
|
);
|
|
if (bConflicts) {
|
|
dwError = ERROR_INVALID_PARAMETER;
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
}
|
|
|
|
dwError = VerifyProtocols(pTxFilter->Protocol);
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
|
|
dwError = VerifyPortsForProtocol(
|
|
pTxFilter->SrcPort,
|
|
pTxFilter->Protocol
|
|
);
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
|
|
dwError = VerifyPortsForProtocol(
|
|
pTxFilter->DesPort,
|
|
pTxFilter->Protocol
|
|
);
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
|
|
if (pTxFilter->dwDirection) {
|
|
if ((pTxFilter->dwDirection != FILTER_DIRECTION_INBOUND) &&
|
|
(pTxFilter->dwDirection != FILTER_DIRECTION_OUTBOUND)) {
|
|
dwError = ERROR_INVALID_PARAMETER;
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
}
|
|
}
|
|
|
|
error:
|
|
|
|
return (dwError);
|
|
}
|
|
|
|
|
|
DWORD
|
|
ValidateTunnelFilter(
|
|
PTUNNEL_FILTER pTunnelFilter
|
|
)
|
|
{
|
|
DWORD dwError = 0;
|
|
BOOL bConflicts = FALSE;
|
|
|
|
|
|
if (!pTunnelFilter) {
|
|
dwError = ERROR_INVALID_PARAMETER;
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
}
|
|
|
|
dwError = VerifyAddresses(pTunnelFilter->SrcAddr, TRUE, FALSE);
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
|
|
dwError = VerifyAddresses(pTunnelFilter->DesAddr, TRUE, TRUE);
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
|
|
bConflicts = AddressesConflict(
|
|
pTunnelFilter->SrcAddr,
|
|
pTunnelFilter->DesAddr
|
|
);
|
|
if (bConflicts) {
|
|
dwError = ERROR_INVALID_PARAMETER;
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
}
|
|
|
|
dwError = VerifyAddresses(pTunnelFilter->DesTunnelAddr, TRUE, FALSE);
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
|
|
dwError = VerifyProtocols(pTunnelFilter->Protocol);
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
|
|
dwError = VerifyPortsForProtocol(
|
|
pTunnelFilter->SrcPort,
|
|
pTunnelFilter->Protocol
|
|
);
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
|
|
dwError = VerifyPortsForProtocol(
|
|
pTunnelFilter->DesPort,
|
|
pTunnelFilter->Protocol
|
|
);
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
|
|
if (!(pTunnelFilter->pszFilterName) || !(*(pTunnelFilter->pszFilterName))) {
|
|
dwError = ERROR_INVALID_PARAMETER;
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
}
|
|
|
|
if (pTunnelFilter->InterfaceType >= INTERFACE_TYPE_MAX) {
|
|
dwError = ERROR_INVALID_PARAMETER;
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
}
|
|
|
|
if (pTunnelFilter->bCreateMirror) {
|
|
dwError = ERROR_INVALID_PARAMETER;
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
}
|
|
|
|
if (pTunnelFilter->InboundFilterFlag >= FILTER_FLAG_MAX) {
|
|
dwError = ERROR_INVALID_PARAMETER;
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
}
|
|
|
|
if (pTunnelFilter->OutboundFilterFlag >= FILTER_FLAG_MAX) {
|
|
dwError = ERROR_INVALID_PARAMETER;
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
}
|
|
|
|
if (pTunnelFilter->dwFlags &&
|
|
!(pTunnelFilter->dwFlags & IPSEC_QM_POLICY_DEFAULT_POLICY)) {
|
|
dwError = ERROR_INVALID_PARAMETER;
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
}
|
|
|
|
//
|
|
// No need to call ApplyMulticastFilterValidation as bCreateMirror
|
|
// is always false for a tunnel filter.
|
|
//
|
|
|
|
error:
|
|
|
|
return (dwError);
|
|
}
|
|
|
|
|
|
DWORD
|
|
ValidateTnFilterTemplate(
|
|
PTUNNEL_FILTER pTnFilter
|
|
)
|
|
{
|
|
DWORD dwError = 0;
|
|
BOOL bConflicts = FALSE;
|
|
|
|
|
|
if (!pTnFilter) {
|
|
dwError = ERROR_INVALID_PARAMETER;
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
}
|
|
|
|
dwError = VerifyAddresses(pTnFilter->SrcAddr, TRUE, FALSE);
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
|
|
dwError = VerifyAddresses(pTnFilter->DesAddr, TRUE, TRUE);
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
|
|
bConflicts = AddressesConflict(
|
|
pTnFilter->SrcAddr,
|
|
pTnFilter->DesAddr
|
|
);
|
|
if (bConflicts) {
|
|
dwError = ERROR_INVALID_PARAMETER;
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
}
|
|
|
|
dwError = VerifyAddresses(pTnFilter->DesTunnelAddr, TRUE, FALSE);
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
|
|
dwError = VerifyProtocols(pTnFilter->Protocol);
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
|
|
dwError = VerifyPortsForProtocol(
|
|
pTnFilter->SrcPort,
|
|
pTnFilter->Protocol
|
|
);
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
|
|
dwError = VerifyPortsForProtocol(
|
|
pTnFilter->DesPort,
|
|
pTnFilter->Protocol
|
|
);
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
|
|
if (pTnFilter->dwDirection) {
|
|
if ((pTnFilter->dwDirection != FILTER_DIRECTION_INBOUND) &&
|
|
(pTnFilter->dwDirection != FILTER_DIRECTION_OUTBOUND)) {
|
|
dwError = ERROR_INVALID_PARAMETER;
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
}
|
|
}
|
|
|
|
error:
|
|
|
|
return (dwError);
|
|
}
|
|
|
|
|
|
DWORD
|
|
ApplyMulticastFilterValidation(
|
|
ADDR Addr,
|
|
BOOL bCreateMirror
|
|
)
|
|
{
|
|
DWORD dwError = 0;
|
|
|
|
|
|
if (((Addr.AddrType == IP_ADDR_UNIQUE) ||
|
|
(Addr.AddrType == IP_ADDR_SUBNET)) &&
|
|
(IN_CLASSD(ntohl(Addr.uIpAddr))) &&
|
|
bCreateMirror) {
|
|
dwError = ERROR_INVALID_PARAMETER;
|
|
BAIL_ON_WIN32_ERROR(dwError);
|
|
}
|
|
|
|
error:
|
|
|
|
return (dwError);
|
|
}
|
|
|