windows-nt/Source/XPSP1/NT/inetsrv/iis/setup/osrc/ipsec.cpp
2020-09-26 16:20:57 +08:00

588 lines
13 KiB
C++

// to be linked with:
// uuid.lib ole32.lib user32.lib kernel32.lib advapi32.lib wsock32.lib
// iis\svcs\infocomm\rdns\obj\i386\isrdns.lib iis\svcs\lib\i386\tsstr.lib iis\svcs\lib\i386\isdebug.lib
#include "stdafx.h"
#ifndef _CHICAGO_
#define _RDNS_STANDALONE
#include <winsock2.h>
#include <rdns.hxx>
#include <buffer.hxx>
#include <ole2.h>
#include <iadm.h>
#include <iiscnfg.h>
#include "mdkey.h"
#include "mdentry.h"
#include "helper.h"
#include <inetinfo.h>
extern int g_CheckIfMetabaseValueWasWritten;
#define TIMEOUT_VALUE 5000
//
// Global Data
//
//
// The registry parameter key names for the grant list and deny
// list. We use the kludgemultisz thing for Chicago
//
#define IPSEC_DENY_LIST L"Deny IP List"
#define IPSEC_GRANT_LIST L"Grant IP List"
//
// Private prototypes.
//
BOOL
DottedDecimalToDword(
CHAR * * ppszAddress,
DWORD * pdwAddress
);
CHAR *
KludgeMultiSz(
HKEY hkey,
LPDWORD lpdwLength
)
{
LONG err;
DWORD iValue;
DWORD cchTotal;
DWORD cchValue;
CHAR szValue[MAX_PATH];
LPSTR lpMultiSz;
LPSTR lpTmp;
LPSTR lpEnd;
//
// Enumerate the values and total up the lengths.
//
iValue = 0;
cchTotal = 0;
for( ; ; )
{
cchValue = sizeof(szValue);
err = RegEnumValueA( hkey,
iValue,
szValue,
&cchValue,
NULL,
NULL,
NULL,
NULL );
if( err != NO_ERROR )
{
break;
}
//
// Add the length of the value's name, plus one
// for the terminator.
//
cchTotal += strlen( szValue ) + 1;
//
// Advance to next value.
//
iValue++;
}
//
// Add one for the final terminating NULL.
//
cchTotal++;
*lpdwLength = cchTotal;
//
// Allocate the MULTI_SZ buffer.
//
lpMultiSz = (CHAR *) LocalAlloc( LMEM_FIXED, cchTotal * sizeof(CHAR) );
if( lpMultiSz == NULL )
{
SetLastError( ERROR_NOT_ENOUGH_MEMORY );
return NULL;
}
memset( lpMultiSz, 0, cchTotal * sizeof(CHAR) );
//
// Enumerate the values and append to the buffer.
//
iValue = 0;
lpTmp = lpMultiSz;
lpEnd = lpMultiSz + cchTotal;
for( ; ; )
{
cchValue = sizeof(szValue)/sizeof(CHAR);
err = RegEnumValueA( hkey,
iValue,
szValue,
&cchValue,
NULL,
NULL,
NULL,
NULL );
if( err != NO_ERROR )
{
break;
}
//
// Compute the length of the value name (including
// the terminating NULL).
//
cchValue = strlen( szValue ) + 1;
//
// Determine if there is room in the array, taking into
// account the second NULL that terminates the string list.
//
if( ( lpTmp + cchValue + 1 ) > lpEnd )
{
break;
}
//
// Append the value name.
//
strcpy( lpTmp, szValue );
lpTmp += cchValue;
//
// Advance to next value.
//
iValue++;
}
//
// Success!
//
return (LPSTR)lpMultiSz;
} // KludgeMultiSz
BOOL
ReadIPList(
LPWSTR pszRegKey,
LPWSTR pszRegSubKey,
INETA_IP_SEC_LIST** ppIpSec
)
/*++
Description:
This function reads the IP list from registry location
specified in the pszRegKey + pszRegSubKey and stores the list in the
internal list in memory.
If there are no entries in the registry then this returns
a NULL IP Security list object.
If there is a new list, this function also frees the old list
present in *ppIPSecList
Arguments:
pszRegKey - pointer to string containing the registry key
where pszRegSubKey is located
pszRegSubKey - pointer to string containing the registry key
where IP list is stored relative to pszRegKey
Returns:
TRUE on success and FALSE on failure
--*/
{
HKEY hkey;
DWORD dwError;
BOOL fReturn = TRUE;
LPWSTR pszK;
*ppIpSec = NULL;
if ( (pszK = (LPWSTR)LocalAlloc(LMEM_FIXED, (wcslen(pszRegKey)+wcslen(pszRegSubKey)+2)*sizeof(WCHAR))) == NULL )
{
return FALSE;
}
wcscpy( pszK, pszRegKey );
wcscat( pszK, L"\\" );
wcscat( pszK, pszRegSubKey );
dwError = RegOpenKeyExW(HKEY_LOCAL_MACHINE,
pszK,
0,
KEY_ALL_ACCESS,
&hkey );
LocalFree( pszK );
if ( dwError != NO_ERROR) {
if ( dwError != ERROR_FILE_NOT_FOUND ) {
// maybe access denied or some other error.
SetLastError( dwError );
return (FALSE);
}
//
// A non-existent key is the same as a blank key
//
} else {
CHAR * psz;
CHAR * pszTmp;
DWORD cb;
DWORD cEntries = 0;
INETA_IP_SEC_LIST * pIPSec = NULL;
psz = pszTmp = KludgeMultiSz( hkey, &cb );
RegCloseKey( hkey );
//
// Count the number of addresses and then add them to the list
//
if ( psz != NULL ) {
for( ; *pszTmp; cEntries++ ) {
pszTmp += strlen( pszTmp ) + 1;
}
pszTmp = psz;
if ( cEntries > 0) {
pIPSec = ((INETA_IP_SEC_LIST *)
LocalAlloc( LMEM_FIXED,
sizeof(INETA_IP_SEC_LIST) +
cEntries * sizeof(INETA_IP_SEC_ENTRY ))
);
if ( pIPSec == NULL ) {
dwError = ERROR_NOT_ENOUGH_MEMORY;
fReturn = FALSE;
} else {
for( pIPSec->cEntries = 0;
*pszTmp;
pszTmp += strlen( pszTmp ) + 1
) {
if (!DottedDecimalToDword( &pszTmp,
&pIPSec->aIPSecEntry[pIPSec->cEntries].dwMask ) ||
!DottedDecimalToDword( &pszTmp,
&pIPSec->aIPSecEntry[pIPSec->cEntries].dwNetwork )
) {
} else {
pIPSec->cEntries++;
}
} // for
dwError = NO_ERROR;
}
}
if ( dwError == NO_ERROR) {
*ppIpSec = pIPSec;
}
LocalFree( psz );
}
if ( !fReturn) {
SetLastError( dwError);
}
}
return ( fReturn);
} // IPAccessList::ReadIPList()
BOOL
DottedDecimalToDword(
CHAR * * ppszAddress,
DWORD * pdwAddress )
/*++
Routine Description:
Converts a dotted decimal IP string to it's network equivalent
Note: White space is eaten before *pszAddress and pszAddress is set
to the character following the converted address
Arguments:
ppszAddress - Pointer to address to convert. White space before the
address is OK. Will be changed to point to the first character after
the address
pdwAddress - DWORD equivalent address in network order
returns TRUE if successful, FALSE if the address is not correct
--*/
{
CHAR * psz;
USHORT i;
ULONG value;
int iSum =0;
ULONG k = 0;
UCHAR Chr;
UCHAR pArray[4];
psz = *ppszAddress;
//
// Skip white space
//
while ( *psz && !isdigit( (UCHAR)(*psz) ))
psz++;
//
// Convert the four segments
//
pArray[0] = 0;
while ((Chr = *psz) && (Chr != ' ') )
{
if (Chr == '.')
{
// be sure not to overflow a byte.
if (iSum <= 0xFF)
pArray[k] = (UCHAR)iSum;
else
return FALSE;
// check for too many periods in the address
if (++k > 3)
return FALSE;
pArray[k] = 0;
iSum = 0;
}
else
{
Chr = Chr - '0';
// be sure character is a number 0..9
if ((Chr < 0) || (Chr > 9))
return FALSE;
iSum = iSum*10 + Chr;
}
psz++;
}
// save the last sum in the byte and be sure there are 4 pieces to the
// address
if ((iSum <= 0xFF) && (k == 3))
pArray[k] = (UCHAR)iSum;
else
return FALSE;
// now convert to a ULONG, in network order...
value = 0;
// go through the array of bytes and concatenate into a ULONG
for (i=0; i < 4; i++ )
{
value = (value << 8) + pArray[i];
}
*pdwAddress = htonl( value );
*ppszAddress = psz;
return TRUE;
}
BOOL
FillAddrCheckFromIpList(
BOOL fIsGrant,
LPINET_INFO_IP_SEC_LIST pInfo,
ADDRESS_CHECK *pCheck
)
/*++
Routine Description:
Fill an access check object from an IP address list from
Arguments:
fIsGrant - TRUE to access grant list, FALSE to access deny list
pInfo - ptr to IP address list
pCheck - ptr to address check object to update
Return:
TRUE if success, otherwise FALSE
--*/
{
UINT x;
if ( pInfo )
{
for ( x = 0 ; x < pInfo->cEntries ; ++x )
{
if ( ! pCheck->AddAddr( fIsGrant,
AF_INET,
(LPBYTE)&pInfo->aIPSecEntry[x].dwMask,
(LPBYTE)&pInfo->aIPSecEntry[x].dwNetwork ) )
{
return FALSE;
}
}
}
return TRUE;
}
DWORD
MigrateServiceIpSec(
LPWSTR pszSrvRegKey,
LPWSTR pszSrvMetabasePath
)
{
INETA_IP_SEC_LIST* pGrant = NULL;
INETA_IP_SEC_LIST* pDeny = NULL;
ADDRESS_CHECK acCheck;
DWORD err = 0;
if ( ReadIPList( pszSrvRegKey, IPSEC_GRANT_LIST, &pGrant ) &&
ReadIPList( pszSrvRegKey, IPSEC_DENY_LIST, &pDeny ) )
{
if ( pGrant || pDeny )
{
acCheck.BindCheckList( NULL, 0 );
if ( FillAddrCheckFromIpList( TRUE, pGrant, &acCheck ) &&
FillAddrCheckFromIpList( FALSE, pDeny, &acCheck ) )
{
CMDKey cmdKey;
cmdKey.OpenNode(pszSrvMetabasePath);
if ( (METADATA_HANDLE)cmdKey ) {
cmdKey.SetData(
MD_IP_SEC,
METADATA_INHERIT | METADATA_REFERENCE,
IIS_MD_UT_FILE,
BINARY_METADATA,
acCheck.GetStorage()->GetUsed(),
(acCheck.GetStorage()->GetAlloc()
? acCheck.GetStorage()->GetAlloc() : (LPBYTE)"")
);
cmdKey.Close();
}
}
}
acCheck.UnbindCheckList();
}
else
{
err = GetLastError();
}
if ( pGrant )
{
LocalFree( pGrant );
}
if ( pDeny )
{
LocalFree( pDeny );
}
return err;
}
VOID SetLocalHostRestriction(LPCTSTR szKeyPath)
{
DWORD dwReturn = 0;
ADDRESS_CHECK acCheck;
iisDebugOut_Start1(_T("SetLocalHostRestriction"), (LPTSTR) szKeyPath, LOG_TYPE_TRACE);
acCheck.BindCheckList( NULL, 0 );
acCheck.AddAddr(TRUE, AF_INET, (LPBYTE)"\xff\xff\xff\xff", (LPBYTE)"\x7f\x0\x0\x1");
MDEntry stMDEntry;
stMDEntry.szMDPath = (LPTSTR)(LPCTSTR)szKeyPath;
stMDEntry.dwMDIdentifier = MD_IP_SEC;
stMDEntry.dwMDAttributes = METADATA_INHERIT | METADATA_REFERENCE;
stMDEntry.dwMDUserType = IIS_MD_UT_FILE;
stMDEntry.dwMDDataType = BINARY_METADATA;
stMDEntry.dwMDDataLen = acCheck.GetStorage()->GetUsed();
if (acCheck.GetStorage()->GetAlloc())
{
stMDEntry.pbMDData = (LPBYTE) acCheck.GetStorage()->GetAlloc();
dwReturn = SetMDEntry_Wrap(&stMDEntry);
}
else
{
stMDEntry.pbMDData = (LPBYTE) "";
int iBeforeValue = FALSE;
iBeforeValue = g_CheckIfMetabaseValueWasWritten;
g_CheckIfMetabaseValueWasWritten = FALSE;
dwReturn = SetMDEntry_Wrap(&stMDEntry);
// Set the flag back after calling the function
g_CheckIfMetabaseValueWasWritten = iBeforeValue;
}
/*
CMDKey cmdKey;
cmdKey.OpenNode(szKeyPath);
if ( (METADATA_HANDLE)cmdKey )
{
cmdKey.SetData(MD_IP_SEC,METADATA_INHERIT | METADATA_REFERENCE,IIS_MD_UT_FILE,BINARY_METADATA,acCheck.GetStorage()->GetUsed(),(acCheck.GetStorage()->GetAlloc()? acCheck.GetStorage()->GetAlloc() : (LPBYTE)"") );
cmdKey.Close();
}
*/
acCheck.UnbindCheckList();
iisDebugOut_End1(_T("SetLocalHostRestriction"), (LPTSTR) szKeyPath, LOG_TYPE_TRACE);
return;
}
DWORD SetIISADMINRestriction(LPCTSTR szKeyPath)
{
SetLocalHostRestriction(szKeyPath);
return 0;
}
#endif //_CHICAGO_