windows-nt/Source/XPSP1/NT/net/ipsec/spd/server/mmspecific.c

/*++

Copyright (c) 1999 Microsoft Corporation


Module Name:

    mmspecific.c

Abstract:

    This module contains all of the code to drive the
    mm specific filter list management of IPSecSPD Service.

Author:

    abhisheV    08-December-1999

Environment

    User Level: Win32

Revision History:


--*/


#include "precomp.h"


DWORD
ApplyMMTransform(
    PINIMMFILTER pFilter,
    MATCHING_ADDR * pMatchingAddresses,
    DWORD dwAddrCnt,
    PINIMMSFILTER * ppSpecificFilters
    )
/*++

Routine Description:

    This function expands a generic mm filter into its
    corresponding specific filters.

Arguments:

    pFilter - Generic filter to expand.

    pMatchingAddresses - List of local ip addresses whose interface
                         type matches that of the filter.

    dwAddrCnt - Number of local ip addresses in the list.

    ppSpecificFilters - List of specific filters expanded for the
                        given generic filter.

Return Value:

    ERROR_SUCCESS - Success.

    Win32 Error - Failure.

--*/
{
    DWORD dwError = 0;
    PINIMMSFILTER pSpecificFilters = NULL;
    PINIMMSFILTER pOutboundSpecificFilters = NULL;
    PINIMMSFILTER pInboundSpecificFilters = NULL;

    PADDR pOutSrcAddrList = NULL;
    DWORD dwOutSrcAddrCnt = 0;
    PADDR pInSrcAddrList = NULL;
    DWORD dwInSrcAddrCnt = 0;

    PADDR pOutDesAddrList = NULL;
    DWORD dwOutDesAddrCnt = 0;
    PADDR pInDesAddrList = NULL;
    DWORD dwInDesAddrCnt = 0;


    // 
    // Form the outbound and inbound source and destination
    // address lists.
    // 

    dwError = FormMMOutboundInboundAddresses(
                  pFilter,
                  pMatchingAddresses,
                  dwAddrCnt,
                  &pOutSrcAddrList,
                  &dwOutSrcAddrCnt,
                  &pInSrcAddrList,
                  &dwInSrcAddrCnt,
                  &pOutDesAddrList,
                  &dwOutDesAddrCnt,
                  &pInDesAddrList,
                  &dwInDesAddrCnt
                  );
    BAIL_ON_WIN32_ERROR(dwError);


    //
    // Form outbound specific filters.
    //

    dwError = FormSpecificMMFilters(
                  pFilter,
                  pOutSrcAddrList,
                  dwOutSrcAddrCnt,
                  pOutDesAddrList,
                  dwOutDesAddrCnt,
                  FILTER_DIRECTION_OUTBOUND,
                  &pOutboundSpecificFilters
                  );
    BAIL_ON_WIN32_ERROR(dwError);


    //
    // Form inbound specific filters.
    //

    dwError = FormSpecificMMFilters(
                  pFilter,
                  pInSrcAddrList,
                  dwInSrcAddrCnt,
                  pInDesAddrList,
                  dwInDesAddrCnt,
                  FILTER_DIRECTION_INBOUND,
                  &pInboundSpecificFilters
                  );
    BAIL_ON_WIN32_ERROR(dwError);


    pSpecificFilters = pOutboundSpecificFilters;

    AddToSpecificMMList(
        &pSpecificFilters,
        pInboundSpecificFilters
        );


    *ppSpecificFilters = pSpecificFilters;

cleanup:

    if (pOutSrcAddrList) {
        FreeSPDMemory(pOutSrcAddrList);
    }

    if (pInSrcAddrList) {
        FreeSPDMemory(pInSrcAddrList);
    }

    if (pOutDesAddrList) {
        FreeSPDMemory(pOutDesAddrList);
    }

    if (pInDesAddrList) {
        FreeSPDMemory(pInDesAddrList);
    }

    return (dwError);

error:

    if (pOutboundSpecificFilters) {
        FreeIniMMSFilterList(pOutboundSpecificFilters);
    }

    if (pInboundSpecificFilters) {
        FreeIniMMSFilterList(pInboundSpecificFilters);
    }


    *ppSpecificFilters = NULL;
    goto cleanup;
}


DWORD
FormMMOutboundInboundAddresses(
    PINIMMFILTER pFilter,
    MATCHING_ADDR * pMatchingAddresses,
    DWORD dwAddrCnt,
    PADDR * ppOutSrcAddrList,
    PDWORD pdwOutSrcAddrCnt,
    PADDR * ppInSrcAddrList,
    PDWORD pdwInSrcAddrCnt,
    PADDR * ppOutDesAddrList,
    PDWORD pdwOutDesAddrCnt,
    PADDR * ppInDesAddrList,
    PDWORD pdwInDesAddrCnt
    )
/*++

Routine Description:

    This function forms the outbound and inbound source and
    destination address sets for a generic filter.

Arguments:

    pFilter - Generic filter under consideration.

    pMatchingAddresses - List of local ip addresses whose interface
                         type matches that of the filter.

    dwAddrCnt - Number of local ip addresses in the list.

    ppOutSrcAddrList - List of outbound source addresses.

    pdwOutSrcAddrCnt - Number of addresses in the outbound
                       source address list.

    ppInSrcAddrList - List of inbound source addresses.

    pdwInSrcAddrCnt - Number of addresses in the inbound
                      source address list.

    ppOutDesAddrList - List of outbound destination addresses.

    pdwOutDesAddrCnt - Number of addresses in the outbound
                       destination address list.

    ppInDesAddrList - List of inbound destination addresses.

    pdwInDesAddrCnt - Number of addresses in the inbound
                      destination address list.

Return Value:

    ERROR_SUCCESS - Success.

    Win32 Error - Failure.

--*/
{
    DWORD dwError = 0;

    PADDR pSrcAddrList = NULL;
    DWORD dwSrcAddrCnt = 0;
    PADDR pDesAddrList = NULL;
    DWORD dwDesAddrCnt = 0;

    PADDR pOutSrcAddrList = NULL;
    DWORD dwOutSrcAddrCnt = 0;
    PADDR pInSrcAddrList = NULL;
    DWORD dwInSrcAddrCnt = 0;

    PADDR pOutDesAddrList = NULL;
    DWORD dwOutDesAddrCnt = 0;
    PADDR pInDesAddrList = NULL;
    DWORD dwInDesAddrCnt = 0;


    //
    // Replace wild card information to generate the new source
    // address list.
    //

    dwError = FormAddressList(
                  pFilter->SrcAddr,
                  pMatchingAddresses,
                  dwAddrCnt,
                  &pSrcAddrList,
                  &dwSrcAddrCnt
                  );
    BAIL_ON_WIN32_ERROR(dwError);

    //
    // Replace wild card information to generate the new destination
    // address list.
    //

    dwError = FormAddressList(
                  pFilter->DesAddr,
                  pMatchingAddresses,
                  dwAddrCnt,
                  &pDesAddrList,
                  &dwDesAddrCnt
                  );
    BAIL_ON_WIN32_ERROR(dwError);

    //
    // Separate the source address list into outbound and inbound 
    // source address sets based on the local machine's ip addresses.
    //

    dwError = SeparateAddrList(
                  pFilter->SrcAddr.AddrType,
                  pSrcAddrList,
                  dwSrcAddrCnt,
                  pMatchingAddresses,
                  dwAddrCnt,
                  &pOutSrcAddrList,
                  &dwOutSrcAddrCnt,
                  &pInSrcAddrList,
                  &dwInSrcAddrCnt
                  );
    BAIL_ON_WIN32_ERROR(dwError);

    //
    // Separate the destination address list into outbound and inbound
    // destination address sets based on the local machine's ip 
    // addresses.
    //

    dwError = SeparateAddrList(
                  pFilter->DesAddr.AddrType,
                  pDesAddrList,
                  dwDesAddrCnt,
                  pMatchingAddresses,
                  dwAddrCnt,
                  &pInDesAddrList,
                  &dwInDesAddrCnt,
                  &pOutDesAddrList,
                  &dwOutDesAddrCnt
                  );
    BAIL_ON_WIN32_ERROR(dwError);

    *ppOutSrcAddrList = pOutSrcAddrList;
    *pdwOutSrcAddrCnt = dwOutSrcAddrCnt;
    *ppInSrcAddrList = pInSrcAddrList;
    *pdwInSrcAddrCnt = dwInSrcAddrCnt;

    *ppOutDesAddrList = pOutDesAddrList;
    *pdwOutDesAddrCnt = dwOutDesAddrCnt;
    *ppInDesAddrList = pInDesAddrList;
    *pdwInDesAddrCnt = dwInDesAddrCnt;

cleanup:

    if (pSrcAddrList) {
        FreeSPDMemory(pSrcAddrList);
    }

    if (pDesAddrList) {
        FreeSPDMemory(pDesAddrList);
    }

    return (dwError);

error:

    if (pOutSrcAddrList) {
        FreeSPDMemory(pOutSrcAddrList);
    }

    if (pInSrcAddrList) {
        FreeSPDMemory(pInSrcAddrList);
    }

    if (pOutDesAddrList) {
        FreeSPDMemory(pOutDesAddrList);
    }

    if (pInDesAddrList) {
        FreeSPDMemory(pInDesAddrList);
    }

    *ppOutSrcAddrList = NULL;
    *pdwOutSrcAddrCnt = 0;
    *ppInSrcAddrList = NULL;
    *pdwInSrcAddrCnt = 0;

    *ppOutDesAddrList = NULL;
    *pdwOutDesAddrCnt = 0;
    *ppInDesAddrList = NULL;
    *pdwInDesAddrCnt = 0;

    goto cleanup;
}


DWORD
FormSpecificMMFilters(
    PINIMMFILTER pFilter,
    PADDR pSrcAddrList,
    DWORD dwSrcAddrCnt,
    PADDR pDesAddrList,
    DWORD dwDesAddrCnt,
    DWORD dwDirection,
    PINIMMSFILTER * ppSpecificFilters
    )
/*++

Routine Description:

    This function forms the specific main mode filters
    for the given generic filter and the source and 
    destination address sets.

Arguments:

    pFilter - Generic filter for which specific filters
              are to be created.

    pSrcAddrList - List of source addresses.

    dwSrcAddrCnt - Number of addresses in the source
                   address list.

    pDesAddrList - List of destination addresses.

    dwDesAddrCnt - Number of addresses in the destination
                   address list.

    ppSpecificFilters - Specific filters created for the given
                        generic filter and the given addresses.

Return Value:

    ERROR_SUCCESS - Success.

    Win32 Error - Failure.

--*/
{
    DWORD dwError = 0;
    PINIMMSFILTER pSpecificFilters = NULL;
    DWORD i = 0, j = 0;
    PINIMMSFILTER pSpecificFilter = NULL;



    for (i = 0; i < dwSrcAddrCnt; i++) {

        for (j = 0; j < dwDesAddrCnt; j++) {

            dwError = CreateSpecificMMFilter(
                          pFilter,
                          pSrcAddrList[i],
                          pDesAddrList[j],
                          &pSpecificFilter
                          );
            BAIL_ON_WIN32_ERROR(dwError);

            //
            // Set the direction of the filter.
            //

            pSpecificFilter->dwDirection = dwDirection;

            AssignMMFilterWeight(pSpecificFilter);

            AddToSpecificMMList(
                &pSpecificFilters,
                pSpecificFilter
                );

        }

    }

    *ppSpecificFilters = pSpecificFilters;
    return (dwError);

error:

    if (pSpecificFilters) {
        FreeIniMMSFilterList(pSpecificFilters);
    }

    *ppSpecificFilters = NULL;
    return (dwError);
}


DWORD
CreateSpecificMMFilter(
    PINIMMFILTER pGenericFilter,
    ADDR SrcAddr,
    ADDR DesAddr,
    PINIMMSFILTER * ppSpecificFilter
    )
{
    DWORD dwError = 0; 
    PINIMMSFILTER pSpecificFilter = NULL;


    dwError = AllocateSPDMemory(
                    sizeof(INIMMSFILTER),
                    &pSpecificFilter
                    );
    BAIL_ON_WIN32_ERROR(dwError);

    pSpecificFilter->cRef = 0;

    CopyGuid(pGenericFilter->gFilterID, &(pSpecificFilter->gParentID));

    dwError = AllocateSPDString(
                  pGenericFilter->pszFilterName,
                  &(pSpecificFilter->pszFilterName)
                  );
    BAIL_ON_WIN32_ERROR(dwError);

    pSpecificFilter->InterfaceType = pGenericFilter->InterfaceType;

    pSpecificFilter->dwFlags = pGenericFilter->dwFlags;

    CopyAddresses(SrcAddr, &(pSpecificFilter->SrcAddr));

    CopyAddresses(DesAddr, &(pSpecificFilter->DesAddr));

    //
    // Direction must be set in the calling routine.
    //

    pSpecificFilter->dwDirection = 0;

    //
    // Weight must be set in the calling routine.
    //

    pSpecificFilter->dwWeight = 0;

    CopyGuid(pGenericFilter->gMMAuthID, &(pSpecificFilter->gMMAuthID));

    CopyGuid(pGenericFilter->gPolicyID, &(pSpecificFilter->gPolicyID));

    pSpecificFilter->pIniMMAuthMethods = NULL;

    pSpecificFilter->pIniMMPolicy = NULL;

    pSpecificFilter->pNext = NULL;

    *ppSpecificFilter = pSpecificFilter;
    return (dwError);

error:

    if (pSpecificFilter) {
        FreeIniMMSFilter(pSpecificFilter);
    }

    *ppSpecificFilter = NULL;
    return (dwError);
}


VOID
AssignMMFilterWeight(
    PINIMMSFILTER pSpecificFilter
    )
/*++

Routine Description:

    Computes and assigns the weight to a specific mm filter.

    The mm filter weight consists of the following:

    31         16       12           8        0
    +-----------+--------+-----------+--------+
    |AddrMaskWgt|           Reserved          |
    +-----------+--------+-----------+--------+

Arguments:

    pSpecificFilter - Specific mm filter to which the weight 
                      is to be assigned.

Return Value:

    None.

--*/
{
    DWORD dwWeight = 0;
    ULONG SrcMask = 0;
    ULONG DesMask = 0;
    DWORD dwMaskWeight = 0;
    DWORD i = 0;


    //
    // Weight Rule:
    // A field with a more specific value gets a higher weight than
    // the same field with a lesser specific value.
    //

    //
    // IP addresses get the weight values based on their mask values.
    // In the address case, the weight is computed as a sum of the 
    // bit positions starting from the position that contains the 
    // first least significant non-zero bit to the most significant
    // bit position of the mask. 
    // All unique ip addresses have a mask of 0xFFFFFFFF and thus get
    // the same weight, which is 1 + 2 + .... + 32.
    // A subnet address has a mask with atleast the least significant
    // bit zero and thus gets weight in the range (2 + .. + 32) to 0.
    //
  
    DesMask = ntohl(pSpecificFilter->DesAddr.uSubNetMask);

    for (i = 0; i < sizeof(ULONG) * 8; i++) {

         //
         // If the bit position contains a non-zero bit, add the bit
         // position to the sum.
         //

         if ((DesMask & 0x1) == 0x1) {
             dwMaskWeight += (i+1);
         }

         //
         // Move to the next bit position.
         //

         DesMask = DesMask >> 1;

    }


    SrcMask = ntohl(pSpecificFilter->SrcAddr.uSubNetMask);

    for (i = 0; i < sizeof(ULONG) * 8; i++) {

         //
         // If the bit position contains a non-zero bit, add the bit
         // position to the sum.
         //

         if ((SrcMask & 0x1) == 0x1) {
             dwMaskWeight += (i+1);
         }

         //
         // Move to the next bit position.
         //

         SrcMask = SrcMask >> 1;

    }

    //
    // Move the mask weight to the set of bits in the overall weight
    // that it occupies.
    //

    dwMaskWeight = dwMaskWeight << 16;

    dwWeight += dwMaskWeight;

    pSpecificFilter->dwWeight = dwWeight;
}


VOID
AddToSpecificMMList(
    PINIMMSFILTER * ppSpecificMMFilterList,
    PINIMMSFILTER pSpecificMMFilters
    )
{
    PINIMMSFILTER pListOne = NULL;
    PINIMMSFILTER pListTwo = NULL;
    PINIMMSFILTER pListMerge = NULL;
    PINIMMSFILTER pLast = NULL;

    if (!(*ppSpecificMMFilterList) && !pSpecificMMFilters) {
        return;
    }

    if (!(*ppSpecificMMFilterList)) {
        *ppSpecificMMFilterList = pSpecificMMFilters;
        return;
    }

    if (!pSpecificMMFilters) {
        return;
    }

    pListOne = *ppSpecificMMFilterList;
    pListTwo = pSpecificMMFilters;

    while (pListOne && pListTwo) {

        if ((pListOne->dwWeight) > (pListTwo->dwWeight)) {

            if (!pListMerge) {
                pListMerge = pListOne;
                pLast = pListOne;
                pListOne = pListOne->pNext;
            }
            else {
                pLast->pNext = pListOne;
                pListOne = pListOne->pNext;
                pLast = pLast->pNext;
            }

        }
        else {

            if (!pListMerge) {
                pListMerge = pListTwo;
                pLast = pListTwo;
                pListTwo = pListTwo->pNext;
            }
            else {
                pLast->pNext = pListTwo;
                pListTwo = pListTwo->pNext;
                pLast = pLast->pNext;
            }

        }

    }

    if (pListOne) {
        pLast->pNext = pListOne;
    }
    else {
        pLast->pNext = pListTwo;
    }

    *ppSpecificMMFilterList = pListMerge;
    return;
}


VOID
FreeIniMMSFilterList(
    PINIMMSFILTER pIniMMSFilterList
    )
{
    PINIMMSFILTER pFilter = NULL;
    PINIMMSFILTER pTempFilter = NULL;

    pFilter = pIniMMSFilterList;

    while (pFilter) {
        pTempFilter = pFilter;
        pFilter = pFilter->pNext;
        FreeIniMMSFilter(pTempFilter);
    }
}


VOID
FreeIniMMSFilter(
    PINIMMSFILTER pIniMMSFilter
    )
{
    if (pIniMMSFilter) {
        if (pIniMMSFilter->pszFilterName) {
            FreeSPDString(pIniMMSFilter->pszFilterName);
        }

        //
        // Must not ever free pIniMMSFilter->pIniMMPolicy.
        //

        FreeSPDMemory(pIniMMSFilter);
    }
}


VOID
LinkMMSpecificFiltersToPolicy(
    PINIMMPOLICY pIniMMPolicy,
    PINIMMSFILTER pIniMMSFilters
    )
{
    PINIMMSFILTER pTemp = NULL;

    pTemp = pIniMMSFilters;

    while (pTemp) {
        pTemp->pIniMMPolicy = pIniMMPolicy;
        pTemp = pTemp->pNext;
    }

    return;
}


VOID
LinkMMSpecificFiltersToAuth(
    PINIMMAUTHMETHODS pIniMMAuthMethods,
    PINIMMSFILTER pIniMMSFilters
    )
{
    PINIMMSFILTER pTemp = NULL;

    pTemp = pIniMMSFilters;

    while (pTemp) {
        pTemp->pIniMMAuthMethods = pIniMMAuthMethods;
        pTemp = pTemp->pNext;
    }

    return;
}


VOID
RemoveIniMMSFilter(
    PINIMMSFILTER pIniMMSFilter
    )
{
    PINIMMSFILTER * ppTemp = NULL;

    ppTemp = &gpIniMMSFilter;

    while (*ppTemp) {

        if (*ppTemp == pIniMMSFilter) {
            break;
        }
        ppTemp = &((*ppTemp)->pNext);
    }

    if (*ppTemp) {
        *ppTemp = pIniMMSFilter->pNext;
    }

    return;
}


DWORD
EnumSpecificMMFilters(
    PINIMMSFILTER pIniMMSFilterList,
    DWORD dwResumeHandle,
    DWORD dwPreferredNumEntries,
    PMM_FILTER * ppMMFilters,
    PDWORD pdwNumMMFilters
    )
/*++

Routine Description:

    This function creates enumerated specific filters.

Arguments:

    pIniMMSFilterList - List of specific filters to enumerate.

    dwResumeHandle - Location in the specific filter list from which
                     to resume enumeration.

    dwPreferredNumEntries - Preferred number of enumeration entries.

    ppMMFilters - Enumerated filters returned to the caller.

    pdwNumMMFilters - Number of filters actually enumerated.

Return Value:

    ERROR_SUCCESS - Success.

    Win32 Error - Failure.

--*/
{
    DWORD dwError = 0;
    DWORD dwNumToEnum = 0;
    PINIMMSFILTER pIniMMSFilter = NULL;
    DWORD i = 0;
    PINIMMSFILTER pTemp = NULL;
    DWORD dwNumMMFilters = 0;
    PMM_FILTER pMMFilters = 0;
    PMM_FILTER pMMFilter = 0;


    if (!dwPreferredNumEntries || 
        (dwPreferredNumEntries > MAX_MMFILTER_ENUM_COUNT)) {
        dwNumToEnum = MAX_MMFILTER_ENUM_COUNT;
    }
    else {
        dwNumToEnum = dwPreferredNumEntries;
    }

    pIniMMSFilter = pIniMMSFilterList;

    for (i = 0; (i < dwResumeHandle) && (pIniMMSFilter != NULL); i++) {
        pIniMMSFilter = pIniMMSFilter->pNext;
    }

    if (!pIniMMSFilter) {
        dwError = ERROR_NO_DATA;
        BAIL_ON_WIN32_ERROR(dwError);
    }

    pTemp = pIniMMSFilter;

    while (pTemp && (dwNumMMFilters < dwNumToEnum)) {
        dwNumMMFilters++;
        pTemp = pTemp->pNext;
    }

    dwError = SPDApiBufferAllocate(
                  sizeof(MM_FILTER)*dwNumMMFilters,
                  &pMMFilters
                  );
    BAIL_ON_WIN32_ERROR(dwError);

    pTemp = pIniMMSFilter;
    pMMFilter = pMMFilters;

    for (i = 0; i < dwNumMMFilters; i++) {

        dwError = CopyMMSFilter(
                      pTemp,
                      pMMFilter
                      );
        BAIL_ON_WIN32_ERROR(dwError);

        pTemp = pTemp->pNext;
        pMMFilter++;

    }

    *ppMMFilters = pMMFilters;
    *pdwNumMMFilters = dwNumMMFilters;
    return (dwError);

error:

    if (pMMFilters) {
        FreeMMFilters(
            i,
            pMMFilters
            );
    }

    *ppMMFilters = NULL;
    *pdwNumMMFilters = 0;

    return (dwError);
}


DWORD
CopyMMSFilter(
    PINIMMSFILTER pIniMMSFilter,
    PMM_FILTER pMMFilter
    )
/*++

Routine Description:

    This function copies an internal filter into an external filter
    container.

Arguments:

    pIniMMSFilter - Internal filter to copy.

    pMMFilter - External filter container in which to copy.

Return Value:

    ERROR_SUCCESS - Success.

    Win32 Error - Failure.

--*/
{
    DWORD dwError = 0;

    CopyGuid(pIniMMSFilter->gParentID, &(pMMFilter->gFilterID));

    dwError = CopyName(
                  pIniMMSFilter->pszFilterName,
                  &(pMMFilter->pszFilterName)
                  );
    BAIL_ON_WIN32_ERROR(dwError);

    pMMFilter->InterfaceType = pIniMMSFilter->InterfaceType;

    pMMFilter->bCreateMirror = FALSE;

    pMMFilter->dwFlags = pIniMMSFilter->dwFlags;

    CopyAddresses(pIniMMSFilter->SrcAddr, &(pMMFilter->SrcAddr));

    CopyAddresses(pIniMMSFilter->DesAddr, &(pMMFilter->DesAddr));

    pMMFilter->dwDirection = pIniMMSFilter->dwDirection;

    pMMFilter->dwWeight = pIniMMSFilter->dwWeight;

    CopyGuid(pIniMMSFilter->gMMAuthID, &(pMMFilter->gMMAuthID));

    CopyGuid(pIniMMSFilter->gPolicyID, &(pMMFilter->gPolicyID));

error:

    return (dwError);
}


DWORD
EnumSelectSpecificMMFilters(
    PINIMMFILTER pIniMMFilter,
    DWORD dwResumeHandle,
    DWORD dwPreferredNumEntries,
    PMM_FILTER * ppMMFilters,
    PDWORD pdwNumMMFilters
    )
/*++

Routine Description:

    This function creates enumerated specific filters for
    the given generic filter.

Arguments:

    pIniMMFilter - Generic filter for which specific filters
                   are to be enumerated.

    dwResumeHandle - Location in the specific filter list for the
                     given generic filter from which to resume
                     enumeration.

    dwPreferredNumEntries - Preferred number of enumeration entries.

    ppMMFilters - Enumerated filters returned to the caller.

    pdwNumMMFilters - Number of filters actually enumerated.

Return Value:

    ERROR_SUCCESS - Success.

    Win32 Error - Failure.

--*/
{
    DWORD dwError = 0;
    DWORD dwNumToEnum = 0;
    DWORD dwNumMMSFilters = 0; 
    PINIMMSFILTER * ppIniMMSFilters = NULL;
    DWORD i = 0;
    DWORD dwNumMMFilters = 0;
    PMM_FILTER pMMFilters = 0;
    PMM_FILTER pMMFilter = 0;


    if (!dwPreferredNumEntries || 
        (dwPreferredNumEntries > MAX_MMFILTER_ENUM_COUNT)) {
        dwNumToEnum = MAX_MMFILTER_ENUM_COUNT;
    }
    else {
        dwNumToEnum = dwPreferredNumEntries;
    }

    dwNumMMSFilters = pIniMMFilter->dwNumMMSFilters;
    ppIniMMSFilters = pIniMMFilter->ppIniMMSFilters;

    if (!dwNumMMSFilters || (dwNumMMSFilters <= dwResumeHandle)) {
        dwError = ERROR_NO_DATA;
        BAIL_ON_WIN32_ERROR(dwError);
    }

    dwNumMMFilters = min((dwNumMMSFilters-dwResumeHandle),
                         dwNumToEnum);
 
    dwError = SPDApiBufferAllocate(
                  sizeof(MM_FILTER)*dwNumMMFilters,
                  &pMMFilters
                  );
    BAIL_ON_WIN32_ERROR(dwError);

    pMMFilter = pMMFilters;

    for (i = 0; i < dwNumMMFilters; i++) {

        dwError = CopyMMSFilter(
                      *(ppIniMMSFilters + (dwResumeHandle + i)),
                      pMMFilter
                      );
        BAIL_ON_WIN32_ERROR(dwError);
        pMMFilter++;

    }

    *ppMMFilters = pMMFilters;
    *pdwNumMMFilters = dwNumMMFilters;
    return (dwError);

error:

    if (pMMFilters) {
        FreeMMFilters(
            i,
            pMMFilters
            );
    }

    *ppMMFilters = NULL;
    *pdwNumMMFilters = 0;

    return (dwError);
}


DWORD
MatchMMFilter(
    LPWSTR pServerName,
    PMM_FILTER pMMFilter,
    DWORD dwFlags,
    PMM_FILTER * ppMatchedMMFilters,
    PIPSEC_MM_POLICY * ppMatchedMMPolicies,
    PMM_AUTH_METHODS * ppMatchedMMAuthMethods,
    DWORD dwPreferredNumEntries,
    LPDWORD pdwNumMatches,
    LPDWORD pdwResumeHandle
    )
/*++

Routine Description:

    This function finds the matching mm filters for the given mm
    filter template. The matched filters can not be more specific
    than the given filter template.

Arguments:

    pServerName - Server on which a filter template is to be matched.

    pMMFilter - Filter template to match.

    dwFlags - Flags.

    ppMatchedMMFilters - Matched main mode filters returned to the
                         caller.

    ppMatchedMMPolicies - Main mode policies corresponding to the 
                          matched main mode filters returned to the
                          caller.

    ppMatchedMMAuthMethods - Main mode auth methods corresponding to the
                             matched main mode filters returned to the
                             caller.

    dwPreferredNumEntries - Preferred number of matched entries.

    pdwNumMatches - Number of filters actually matched.

    pdwResumeHandle - Handle to the location in the matched filter 
                      list from which to resume enumeration.

Return Value:

    ERROR_SUCCESS - Success.

    Win32 Error - Failure.

--*/
{
    DWORD dwError = 0;
    DWORD dwResumeHandle = 0;
    DWORD dwNumToMatch = 0;
    PINIMMSFILTER pIniMMSFilter = NULL;
    DWORD i = 0;
    BOOL bMatches = FALSE;
    PINIMMSFILTER pTemp = NULL;
    DWORD dwNumMatches = 0;
    PINIMMSFILTER pLastMatchedFilter = NULL;
    PMM_FILTER pMatchedMMFilters = NULL;
    PIPSEC_MM_POLICY pMatchedMMPolicies = NULL;
    PMM_AUTH_METHODS pMatchedMMAuthMethods = NULL;
    DWORD dwNumFilters = 0;
    DWORD dwNumPolicies = 0;
    DWORD dwNumAuthMethods = 0;
    PMM_FILTER pMatchedMMFilter = NULL;
    PIPSEC_MM_POLICY pMatchedMMPolicy = NULL;
    PMM_AUTH_METHODS pTempMMAuthMethods = NULL;


    dwError = ValidateMMFilterTemplate(
                  pMMFilter
                  );
    BAIL_ON_WIN32_ERROR(dwError);

    dwResumeHandle = *pdwResumeHandle;

    if (!dwPreferredNumEntries) {
        dwNumToMatch = 1;
    }
    else if (dwPreferredNumEntries > MAX_MMFILTER_ENUM_COUNT) {
        dwNumToMatch = MAX_MMFILTER_ENUM_COUNT;
    }
    else {
        dwNumToMatch = dwPreferredNumEntries;
    }

    ENTER_SPD_SECTION();

    dwError = ValidateMMSecurity(
                  SPD_OBJECT_SERVER,
                  SERVER_ACCESS_ADMINISTER,
                  NULL,
                  NULL
                  );
    BAIL_ON_LOCK_ERROR(dwError);

    pIniMMSFilter = gpIniMMSFilter;

    while ((i < dwResumeHandle) && (pIniMMSFilter != NULL)) {
        bMatches = MatchIniMMSFilter(
                       pIniMMSFilter,
                       pMMFilter
                       );
        if (bMatches) {
            i++;
        }
        pIniMMSFilter = pIniMMSFilter->pNext;
    }

    if (!pIniMMSFilter) {
        if (!(dwFlags & RETURN_DEFAULTS_ON_NO_MATCH)) {
            dwError = ERROR_NO_DATA;
            BAIL_ON_LOCK_ERROR(dwError);
        }
        else {
            dwError = CopyMMMatchDefaults(
                          &pMatchedMMFilters,
                          &pMatchedMMAuthMethods,
                          &pMatchedMMPolicies,
                          &dwNumMatches
                          );
            BAIL_ON_LOCK_ERROR(dwError);
            BAIL_ON_LOCK_SUCCESS(dwError);
        }
    }

    pTemp = pIniMMSFilter;

    while (pTemp && (dwNumMatches < dwNumToMatch)) {
        bMatches = MatchIniMMSFilter(
                       pTemp,
                       pMMFilter
                       );
        if (bMatches) {
            pLastMatchedFilter = pTemp;
            dwNumMatches++;
        }
        pTemp = pTemp->pNext;
    }

    if (!dwNumMatches) {
        if (!(dwFlags & RETURN_DEFAULTS_ON_NO_MATCH)) {
            dwError = ERROR_NO_DATA;
            BAIL_ON_LOCK_ERROR(dwError);
        }
        else {
            dwError = CopyMMMatchDefaults(
                          &pMatchedMMFilters,
                          &pMatchedMMAuthMethods,
                          &pMatchedMMPolicies,
                          &dwNumMatches
                          );
            BAIL_ON_LOCK_ERROR(dwError);
            BAIL_ON_LOCK_SUCCESS(dwError);
        }
    }

    dwError = SPDApiBufferAllocate(
                  sizeof(MM_FILTER)*dwNumMatches,
                  &pMatchedMMFilters
                  );
    BAIL_ON_LOCK_ERROR(dwError);

    dwError = SPDApiBufferAllocate(
                  sizeof(IPSEC_MM_POLICY)*dwNumMatches,
                  &pMatchedMMPolicies
                  );
    BAIL_ON_LOCK_ERROR(dwError);

    dwError = SPDApiBufferAllocate(
                  sizeof(MM_AUTH_METHODS)*dwNumMatches,
                  &pMatchedMMAuthMethods
                  );
    BAIL_ON_LOCK_ERROR(dwError);

    if (dwNumMatches == 1) {

        dwError = CopyMMSFilter(
                      pLastMatchedFilter,
                      pMatchedMMFilters
                      );
        BAIL_ON_LOCK_ERROR(dwError);
        dwNumFilters++;

        if (pLastMatchedFilter->pIniMMPolicy) {
            dwError = CopyMMPolicy(
                          pLastMatchedFilter->pIniMMPolicy,
                          pMatchedMMPolicies
                          );
            BAIL_ON_LOCK_ERROR(dwError);
        }
        else {
            memset(pMatchedMMPolicies, 0, sizeof(IPSEC_MM_POLICY));
        }
        dwNumPolicies++;

        if (pLastMatchedFilter->pIniMMAuthMethods) {
            dwError = CopyMMAuthMethods(
                          pLastMatchedFilter->pIniMMAuthMethods,
                          pMatchedMMAuthMethods
                          );
            BAIL_ON_LOCK_ERROR(dwError);
        }
        else {
            memset(pMatchedMMAuthMethods, 0, sizeof(MM_AUTH_METHODS));
        }
        dwNumAuthMethods++;

    }
    else {

        pTemp = pIniMMSFilter;
        pMatchedMMFilter = pMatchedMMFilters;
        pMatchedMMPolicy = pMatchedMMPolicies;
        pTempMMAuthMethods = pMatchedMMAuthMethods;
        i = 0;

        while (i < dwNumMatches) {

            bMatches = MatchIniMMSFilter(
                           pTemp,
                           pMMFilter
                           );
            if (bMatches) {

                dwError = CopyMMSFilter(
                              pTemp,
                              pMatchedMMFilter
                              );
                BAIL_ON_LOCK_ERROR(dwError);
                pMatchedMMFilter++;
                dwNumFilters++;

                if (pTemp->pIniMMPolicy) {
                    dwError = CopyMMPolicy(
                                  pTemp->pIniMMPolicy,
                                  pMatchedMMPolicy
                                  );
                    BAIL_ON_LOCK_ERROR(dwError);
                }
                else {
                    memset(pMatchedMMPolicy, 0, sizeof(IPSEC_MM_POLICY));
                }
                pMatchedMMPolicy++;
                dwNumPolicies++;

                if (pTemp->pIniMMAuthMethods) {
                    dwError = CopyMMAuthMethods(
                                  pTemp->pIniMMAuthMethods,
                                  pTempMMAuthMethods
                                  );
                    BAIL_ON_LOCK_ERROR(dwError);
                }
                else {
                    memset(pTempMMAuthMethods, 0, sizeof(MM_AUTH_METHODS));
                }
                pTempMMAuthMethods++;
                dwNumAuthMethods++;

                i++;

            }

            pTemp = pTemp->pNext;

        }

    }

lock_success:

    LEAVE_SPD_SECTION();

    *ppMatchedMMFilters = pMatchedMMFilters;
    *ppMatchedMMPolicies = pMatchedMMPolicies;
    *ppMatchedMMAuthMethods = pMatchedMMAuthMethods;
    *pdwNumMatches = dwNumMatches;
    *pdwResumeHandle = dwResumeHandle + dwNumMatches;

    return (dwError);

lock:

    LEAVE_SPD_SECTION();

error:

    if (pMatchedMMFilters) {
        FreeMMFilters(
            dwNumFilters,
            pMatchedMMFilters
            );
    }

    if (pMatchedMMPolicies) {
        FreeMMPolicies(
            dwNumPolicies,
            pMatchedMMPolicies
            );
    }

    if (pMatchedMMAuthMethods) {
        FreeMMAuthMethods(
            dwNumAuthMethods,
            pMatchedMMAuthMethods
            );
    }

    *ppMatchedMMFilters = NULL;
    *ppMatchedMMPolicies = NULL;
    *ppMatchedMMAuthMethods = NULL;
    *pdwNumMatches = 0;
    *pdwResumeHandle = dwResumeHandle;

    return (dwError);
}


DWORD
ValidateMMFilterTemplate(
    PMM_FILTER pMMFilter
    )
{
    DWORD dwError = 0;
    BOOL bConflicts = FALSE;


    if (!pMMFilter) {
        dwError = ERROR_INVALID_PARAMETER;
        BAIL_ON_WIN32_ERROR(dwError);
    }

    dwError = VerifyAddresses(pMMFilter->SrcAddr, TRUE, FALSE);
    BAIL_ON_WIN32_ERROR(dwError);

    dwError = VerifyAddresses(pMMFilter->DesAddr, TRUE, TRUE);
    BAIL_ON_WIN32_ERROR(dwError);

    bConflicts = AddressesConflict(
                     pMMFilter->SrcAddr,
                     pMMFilter->DesAddr
                     );
    if (bConflicts) {
        dwError = ERROR_INVALID_PARAMETER;
        BAIL_ON_WIN32_ERROR(dwError);
    }

    if (pMMFilter->dwDirection) {
        if ((pMMFilter->dwDirection != FILTER_DIRECTION_INBOUND) &&
            (pMMFilter->dwDirection != FILTER_DIRECTION_OUTBOUND)) {
            dwError = ERROR_INVALID_PARAMETER;
            BAIL_ON_WIN32_ERROR(dwError);
        }
    }

error:

    return (dwError);
}


BOOL
MatchIniMMSFilter(
    PINIMMSFILTER pIniMMSFilter,
    PMM_FILTER pMMFilter
    )
{
    BOOL bMatches = FALSE;

    if (pMMFilter->dwDirection) {
        if (pMMFilter->dwDirection != pIniMMSFilter->dwDirection) {
            return (FALSE);
        }
    }

    bMatches = MatchAddresses(
                   pIniMMSFilter->SrcAddr,
                   pMMFilter->SrcAddr
                   );
    if (!bMatches) {
        return (FALSE);
    }

    bMatches = MatchAddresses(
                   pIniMMSFilter->DesAddr,
                   pMMFilter->DesAddr
                   );
    if (!bMatches) {
        return (FALSE);
    }

    return (TRUE);
}


DWORD
CopyMMMatchDefaults(
    PMM_FILTER * ppMMFilters,
    PMM_AUTH_METHODS * ppMMAuthMethods,
    PIPSEC_MM_POLICY * ppMMPolicies,
    PDWORD pdwNumMatches
    )
{
    DWORD dwError = 0;
    PMM_FILTER pMMFilters = NULL;
    PMM_AUTH_METHODS pMMAuthMethods = NULL;
    PIPSEC_MM_POLICY pMMPolicies = NULL;
    DWORD dwNumFilters = 0;
    DWORD dwNumAuthMethods = 0;
    DWORD dwNumPolicies = 0;


    if (!gpIniDefaultMMPolicy) {
        dwError = ERROR_IPSEC_DEFAULT_MM_POLICY_NOT_FOUND;
        BAIL_ON_WIN32_ERROR(dwError);
    }

    if (!gpIniDefaultMMAuthMethods) {
        dwError = ERROR_IPSEC_DEFAULT_MM_AUTH_NOT_FOUND;
        BAIL_ON_WIN32_ERROR(dwError);
    }

    dwError = SPDApiBufferAllocate(
                  sizeof(MM_FILTER),
                  &pMMFilters
                  );
    BAIL_ON_WIN32_ERROR(dwError);

    dwError = SPDApiBufferAllocate(
                  sizeof(IPSEC_MM_POLICY),
                  &pMMPolicies
                  );
    BAIL_ON_WIN32_ERROR(dwError);

    dwError = SPDApiBufferAllocate(
                  sizeof(MM_AUTH_METHODS),
                  &pMMAuthMethods
                  );
    BAIL_ON_WIN32_ERROR(dwError);

    dwError = CopyDefaultMMFilter(
                  pMMFilters,
                  gpIniDefaultMMAuthMethods,
                  gpIniDefaultMMPolicy
                  );
    BAIL_ON_WIN32_ERROR(dwError);
    dwNumFilters++;

    dwError = CopyMMPolicy(
                  gpIniDefaultMMPolicy,
                  pMMPolicies
                  );
    BAIL_ON_WIN32_ERROR(dwError);
    pMMPolicies->dwFlags |= IPSEC_MM_POLICY_ON_NO_MATCH;
    dwNumPolicies++;

    dwError = CopyMMAuthMethods(
                  gpIniDefaultMMAuthMethods,
                  pMMAuthMethods
                  );
    BAIL_ON_WIN32_ERROR(dwError);
    pMMAuthMethods->dwFlags |= IPSEC_MM_AUTH_ON_NO_MATCH;
    dwNumAuthMethods++;

    *ppMMFilters = pMMFilters;
    *ppMMPolicies = pMMPolicies;
    *ppMMAuthMethods = pMMAuthMethods;
    *pdwNumMatches = 1;

    return (dwError);

error:

    if (pMMFilters) {
        FreeMMFilters(
            dwNumFilters,
            pMMFilters
            );
    }

    if (pMMPolicies) {
        FreeMMPolicies(
            dwNumPolicies,
            pMMPolicies
            );
    }

    if (pMMAuthMethods) {
        FreeMMAuthMethods(
            dwNumAuthMethods,
            pMMAuthMethods
            );
    }

    *ppMMFilters = NULL;
    *ppMMPolicies = NULL;
    *ppMMAuthMethods = NULL;
    *pdwNumMatches = 0;

    return (dwError);
}


DWORD
CopyDefaultMMFilter(
    PMM_FILTER pMMFilter,
    PINIMMAUTHMETHODS pIniMMAuthMethods,
    PINIMMPOLICY pIniMMPolicy
    )
{
    DWORD dwError = 0;


    UuidCreate(&(pMMFilter->gFilterID));

    dwError = CopyName(
                  L"0",
                  &(pMMFilter->pszFilterName)
                  );
    BAIL_ON_WIN32_ERROR(dwError);

    pMMFilter->InterfaceType = INTERFACE_TYPE_ALL;

    pMMFilter->bCreateMirror = TRUE;

    pMMFilter->dwFlags = 0;

    pMMFilter->dwFlags |= IPSEC_MM_POLICY_DEFAULT_POLICY;
    pMMFilter->dwFlags |= IPSEC_MM_AUTH_DEFAULT_AUTH;

    pMMFilter->SrcAddr.AddrType = IP_ADDR_SUBNET;
    pMMFilter->SrcAddr.uIpAddr = SUBNET_ADDRESS_ANY;
    pMMFilter->SrcAddr.uSubNetMask = SUBNET_MASK_ANY;

    pMMFilter->DesAddr.AddrType = IP_ADDR_SUBNET;
    pMMFilter->DesAddr.uIpAddr = SUBNET_ADDRESS_ANY;
    pMMFilter->DesAddr.uSubNetMask = SUBNET_MASK_ANY;

    pMMFilter->dwDirection = 0;

    pMMFilter->dwWeight = 0;

    CopyGuid(pIniMMAuthMethods->gMMAuthID, &(pMMFilter->gMMAuthID));

    CopyGuid(pIniMMPolicy->gPolicyID, &(pMMFilter->gPolicyID));

error:

    return (dwError);
}