archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
1 Branch
0 Tags
4.9 GiB
Tree: 5c6fe3db62
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '5c6fe3db62'
${ noResults }
windows-server-2003/net/tcpip/driver/ipsec/sys/gpc.c

875 lines
24 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. /*++
  3. Copyright (c) 1999-2001 Microsoft Corporation
  5. Module Name:
  7. gpc.c
  9. Abstract:
  11. This module contains the GPC implementation
  13. Author:
  15. ChunYe
  17. Environment:
  19. Kernel mode
  21. Revision History:
  23. --*/
  26. #include "precomp.h"
  28. #ifdef RUN_WPP
  29. #include "gpc.tmh"
  30. #endif
  32. #if GPC
  35. NTSTATUS
  36. IPSecGpcInitialize()
  37. {
  38. NTSTATUS status;
  39. INT cf, i;
  41. PAGED_CODE();
  43. //
  44. // Initialize FilterList for patterns that are not installed in GPC.
  45. //
  46. for (i = MIN_FILTER; i <= MAX_FILTER; i++) {
  47. InitializeListHead(&g_ipsec.GpcFilterList[i]);
  48. }
  50. //
  51. // Start with inactive state for the error path.
  52. //
  53. IPSEC_DRIVER_INIT_GPC() = FALSE;
  54. IPSEC_UNSET_GPC_ACTIVE();
  56. //
  57. // GPC registration.
  58. //
  59. status = GpcInitialize(&g_ipsec.GpcEntries);
  61. if (status == STATUS_SUCCESS) {
  62. for (cf = GPC_CF_IPSEC_MIN; cf <= GPC_CF_IPSEC_MAX; cf++) {
  63. status = GPC_REGISTER_CLIENT( cf,
  64. 0,
  65. GPC_PRIORITY_IPSEC,
  66. NULL,
  67. NULL,
  68. &g_ipsec.GpcClients[cf]);
  70. if (status != STATUS_SUCCESS) {
  71. IPSEC_DEBUG(LL_A, DBF_LOAD, ("GPC failed to register cf %d", cf));
  73. g_ipsec.GpcClients[cf] = NULL;
  74. IPSecGpcDeinitialize();
  76. return status;
  77. }
  78. }
  79. } else {
  80. IPSEC_DEBUG(LL_A, DBF_LOAD, ("Failed to init GPC structures"));
  81. return status;
  82. }
  84. IPSEC_SET_GPC_ACTIVE();
  85. IPSEC_DRIVER_INIT_GPC() = TRUE;
  87. return STATUS_SUCCESS;
  88. }
  91. NTSTATUS
  92. IPSecGpcDeinitialize()
  93. {
  94. INT cf;
  96. PAGED_CODE();
  98. IPSEC_UNSET_GPC_ACTIVE();
  100. //
  101. // GPC deregistration.
  102. //
  103. for (cf = GPC_CF_IPSEC_MIN; cf <= GPC_CF_IPSEC_MAX; cf++) {
  104. if (g_ipsec.GpcClients[cf]) {
  105. GPC_DEREGISTER_CLIENT(g_ipsec.GpcClients[cf]);
  106. }
  107. }
  109. GpcDeinitialize(&g_ipsec.GpcEntries);
  111. return STATUS_SUCCESS;
  112. }
  115. NTSTATUS
  116. IPSecEnableGpc()
  117. {
  118. KIRQL kIrql;
  120. PAGED_CODE();
  122. if (IPSEC_DRIVER_INIT_GPC()) {
  123. AcquireWriteLock(&g_ipsec.SADBLock, &kIrql);
  125. IPSEC_SET_GPC_ACTIVE();
  127. ReleaseWriteLock(&g_ipsec.SADBLock, kIrql);
  128. }
  130. return STATUS_SUCCESS;
  131. }
  134. NTSTATUS
  135. IPSecDisableGpc()
  136. {
  137. KIRQL kIrql;
  139. PAGED_CODE();
  141. if (IPSEC_DRIVER_INIT_GPC()) {
  142. AcquireWriteLock(&g_ipsec.SADBLock, &kIrql);
  144. IPSEC_UNSET_GPC_ACTIVE();
  146. ReleaseWriteLock(&g_ipsec.SADBLock, kIrql);
  147. }
  149. return STATUS_SUCCESS;
  150. }
  153. NTSTATUS
  154. IPSecInitGpcFilter(
  155. IN PFILTER pFilter,
  156. IN PGPC_IP_PATTERN pPattern,
  157. IN PGPC_IP_PATTERN pMask
  158. )
  159. {
  160. PAGED_CODE();
  162. RtlZeroMemory(pPattern, sizeof(GPC_IP_PATTERN));
  163. RtlZeroMemory(pMask, sizeof(GPC_IP_PATTERN));
  165. pPattern->SrcAddr = pFilter->SRC_ADDR;
  166. pPattern->DstAddr = pFilter->DEST_ADDR;
  167. pPattern->ProtocolId = (UCHAR)pFilter->PROTO;
  168. pPattern->gpcSrcPort = FI_SRC_PORT(pFilter);
  169. pPattern->gpcDstPort = FI_DEST_PORT(pFilter);
  171. pMask->SrcAddr = pFilter->SRC_MASK;
  172. pMask->DstAddr = pFilter->DEST_MASK;
  173. pMask->ProtocolId = (UCHAR)IPSEC_GPC_MASK_ALL;
  174. pMask->gpcSrcPort = IPSEC_GPC_MASK_NONE;
  175. pMask->gpcDstPort = IPSEC_GPC_MASK_NONE;
  177. switch (pFilter->PROTO) {
  178. case FILTER_PROTO_ANY:
  179. if (FI_SRC_PORT(pFilter) != FILTER_TCPUDP_PORT_ANY) {
  180. RtlFillMemory( &pMask->gpcSrcPort,
  181. sizeof(pMask->gpcSrcPort),
  182. IPSEC_GPC_MASK_ALL);
  183. }
  184. if (FI_DEST_PORT(pFilter) != FILTER_TCPUDP_PORT_ANY) {
  185. RtlFillMemory( &pMask->gpcDstPort,
  186. sizeof(pMask->gpcDstPort),
  187. IPSEC_GPC_MASK_ALL);
  188. }
  189. pMask->ProtocolId = (UCHAR)IPSEC_GPC_MASK_NONE;
  190. break;
  192. case FILTER_PROTO_TCP:
  193. case FILTER_PROTO_UDP:
  194. if (FI_SRC_PORT(pFilter) != FILTER_TCPUDP_PORT_ANY) {
  195. RtlFillMemory( &pMask->gpcSrcPort,
  196. sizeof(pMask->gpcSrcPort),
  197. IPSEC_GPC_MASK_ALL);
  198. }
  199. if (FI_DEST_PORT(pFilter) != FILTER_TCPUDP_PORT_ANY) {
  200. RtlFillMemory( &pMask->gpcDstPort,
  201. sizeof(pMask->gpcDstPort),
  202. IPSEC_GPC_MASK_ALL);
  203. }
  204. break;
  206. default:
  207. break;
  208. }
  210. return STATUS_SUCCESS;
  211. }
  214. NTSTATUS
  215. IPSecInsertGpcPattern(
  216. IN PFILTER pFilter
  217. )
  218. {
  219. CLASSIFICATION_HANDLE GpcHandle;
  220. GPC_IP_PATTERN GpcPattern;
  221. GPC_IP_PATTERN GpcMask;
  222. ULONG GpcPriority;
  223. INT GpcCf;
  224. NTSTATUS status;
  226. PAGED_CODE();
  228. GpcCf = IPSecResolveGpcCf(IS_OUTBOUND_FILTER(pFilter));
  230. //
  231. // Add the filter as a CfInfo
  232. //
  233. status = GPC_ADD_CFINFO(g_ipsec.GpcClients[GpcCf],
  234. sizeof(PFILTER),
  235. (PVOID)&pFilter,
  236. (GPC_CLIENT_HANDLE)pFilter,
  237. &pFilter->GpcFilter.GpcCfInfoHandle);
  239. if (status == STATUS_SUCCESS) {
  240. //
  241. // Now add the filter as a pattern
  242. //
  243. IPSecInitGpcFilter(pFilter, &GpcPattern, &GpcMask);
  245. if (FI_DEST_PORT(pFilter) == FILTER_TCPUDP_PORT_ANY) {
  246. GpcPriority = 1;
  247. } else {
  248. GpcPriority = 0;
  249. }
  251. ASSERT(GpcPriority < GPC_PRIORITY_IPSEC);
  253. status = GPC_ADD_PATTERN( g_ipsec.GpcClients[GpcCf],
  254. GPC_PROTOCOL_TEMPLATE_IP,
  255. &GpcPattern,
  256. &GpcMask,
  257. GpcPriority,
  258. pFilter->GpcFilter.GpcCfInfoHandle,
  259. &pFilter->GpcFilter.GpcPatternHandle,
  260. &GpcHandle);
  262. if (status != STATUS_SUCCESS) {
  263. IPSEC_DEBUG(LL_A, DBF_GPC, ("GpcAddPattern: failed with status %lx", status));
  265. GPC_REMOVE_CFINFO( g_ipsec.GpcClients[GpcCf],
  266. pFilter->GpcFilter.GpcCfInfoHandle);
  268. pFilter->GpcFilter.GpcCfInfoHandle = NULL;
  269. pFilter->GpcFilter.GpcPatternHandle = NULL;
  270. } else {
  271. g_ipsec.GpcNumFilters[GpcPriority]++;
  272. }
  273. }
  275. return status;
  276. }
  279. NTSTATUS
  280. IPSecDeleteGpcPattern(
  281. IN PFILTER pFilter
  282. )
  283. {
  284. ULONG GpcPriority;
  285. INT GpcCf = IPSecResolveGpcCf(IS_OUTBOUND_FILTER(pFilter));
  287. PAGED_CODE();
  289. if (pFilter->GpcFilter.GpcPatternHandle) {
  290. GPC_REMOVE_PATTERN( g_ipsec.GpcClients[GpcCf],
  291. pFilter->GpcFilter.GpcPatternHandle);
  293. pFilter->GpcFilter.GpcPatternHandle = NULL;
  295. ASSERT(pFilter->GpcFilter.GpcCfInfoHandle);
  297. if (pFilter->GpcFilter.GpcCfInfoHandle) {
  298. GPC_REMOVE_CFINFO( g_ipsec.GpcClients[GpcCf],
  299. pFilter->GpcFilter.GpcCfInfoHandle);
  301. pFilter->GpcFilter.GpcCfInfoHandle = NULL;
  302. }
  304. if (FI_DEST_PORT(pFilter) == FILTER_TCPUDP_PORT_ANY) {
  305. GpcPriority = 1;
  306. } else {
  307. GpcPriority = 0;
  308. }
  310. ASSERT(GpcPriority < GPC_PRIORITY_IPSEC);
  312. g_ipsec.GpcNumFilters[GpcPriority]--;
  313. }
  315. return STATUS_SUCCESS;
  316. }
  319. NTSTATUS
  320. IPSecInsertGpcFilter(
  321. IN PFILTER pFilter
  322. )
  323. {
  324. NTSTATUS status;
  325. PFILTER pTempFilter;
  326. BOOL InsertedFilter = FALSE;
  327. PLIST_ENTRY pEntry, pPrev;
  328. PLIST_ENTRY pFilterList;
  329. KIRQL kIrql;
  331. PAGED_CODE();
  333. AcquireWriteLock(&g_ipsec.SADBLock, &kIrql);
  335. pFilterList = IPSecResolveGpcFilterList(IS_TUNNEL_FILTER(pFilter),
  336. IS_OUTBOUND_FILTER(pFilter));
  338. pEntry = pFilterList->Flink;
  339. pPrev = pFilterList;
  341. while (pEntry != pFilterList) {
  342. pTempFilter = CONTAINING_RECORD(pEntry,
  343. FILTER,
  344. GpcLinkage);
  346. if (pFilter->Index > pTempFilter->Index) {
  347. //
  348. // found the spot, insert it before pTempFilter
  349. //
  350. InsertHeadList(pPrev, &pFilter->GpcLinkage);
  351. InsertedFilter = TRUE;
  352. break;
  353. }
  355. pPrev = pEntry;
  356. pEntry = pEntry->Flink;
  357. }
  359. if (!InsertedFilter) {
  360. //
  361. // didn't find spot, stick it in the end
  362. //
  363. InsertTailList(pFilterList, &pFilter->GpcLinkage);
  364. }
  366. ReleaseWriteLock(&g_ipsec.SADBLock, kIrql);
  368. return STATUS_SUCCESS;
  369. }
  372. NTSTATUS
  373. IPSecDeleteGpcFilter(
  374. IN PFILTER pFilter
  375. )
  376. {
  377. KIRQL kIrql;
  379. PAGED_CODE();
  381. if (!pFilter->GpcLinkage.Flink || !pFilter->GpcLinkage.Blink) {
  382. return STATUS_SUCCESS;
  383. }
  385. AcquireWriteLock(&g_ipsec.SADBLock, &kIrql);
  387. IPSecRemoveEntryList(&pFilter->GpcLinkage);
  389. ReleaseWriteLock(&g_ipsec.SADBLock, kIrql);
  391. return STATUS_SUCCESS;
  392. }
  395. NTSTATUS
  396. IPSecInstallGpcFilter(
  397. IN PFILTER pFilter
  398. )
  399. {
  400. PAGED_CODE();
  402. if (IS_TUNNEL_FILTER(pFilter)) {
  403. return STATUS_SUCCESS;
  404. }
  406. if (IS_GPC_FILTER(pFilter)) {
  407. return IPSecInsertGpcPattern(pFilter);
  408. } else {
  409. return IPSecInsertGpcFilter(pFilter);
  410. }
  411. }
  414. NTSTATUS
  415. IPSecUninstallGpcFilter(
  416. IN PFILTER pFilter
  417. )
  418. {
  419. PAGED_CODE();
  421. if (IS_TUNNEL_FILTER(pFilter)) {
  422. return STATUS_SUCCESS;
  423. }
  425. if (IS_GPC_FILTER(pFilter)) {
  426. return IPSecDeleteGpcPattern(pFilter);
  427. } else {
  428. return IPSecDeleteGpcFilter(pFilter);
  429. }
  430. }
  433. NTSTATUS
  434. IPSecLookupGpcSA(
  435. IN ULARGE_INTEGER uliSrcDstAddr,
  436. IN ULARGE_INTEGER uliProtoSrcDstPort,
  437. IN CLASSIFICATION_HANDLE GpcHandle,
  438. OUT PFILTER *ppFilter,
  439. OUT PSA_TABLE_ENTRY *ppSA,
  440. OUT PSA_TABLE_ENTRY *ppNextSA,
  441. OUT PSA_TABLE_ENTRY *ppTunnelSA,
  442. IN BOOLEAN fOutbound,
  443. IN BOOLEAN fVerify,
  444. IN PIPSEC_UDP_ENCAP_CONTEXT pNatContext
  445. )
  446. {
  447. PFILTER pFilter;
  448. PFILTER pTempFilter;
  449. PLIST_ENTRY pEntry;
  450. PLIST_ENTRY pFilterList;
  451. PLIST_ENTRY pSAChain;
  452. PSA_TABLE_ENTRY pSA;
  453. REGISTER ULARGE_INTEGER uliPort;
  454. REGISTER ULARGE_INTEGER uliAddr;
  455. BOOLEAN fFound = FALSE;
  456. INT GpcCf;
  457. CLASSIFICATION_HANDLE TempGpcHandle;
  459. *ppSA = NULL;
  460. *ppFilter = NULL;
  461. *ppTunnelSA = NULL;
  463. //
  464. // Search in Tunnel filters list first.
  465. //
  466. pFilterList = IPSecResolveFilterList(TRUE, fOutbound);
  468. for ( pEntry = pFilterList->Flink;
  469. pEntry != pFilterList;
  470. pEntry = pEntry->Flink) {
  472. pFilter = CONTAINING_RECORD(pEntry,
  473. FILTER,
  474. MaskedLinkage);
  476. uliAddr.QuadPart = uliSrcDstAddr.QuadPart & pFilter->uliSrcDstMask.QuadPart;
  477. uliPort.QuadPart = uliProtoSrcDstPort.QuadPart & pFilter->uliProtoSrcDstMask.QuadPart;
  479. if ((uliAddr.QuadPart == pFilter->uliSrcDstAddr.QuadPart) &&
  480. (uliPort.QuadPart == pFilter->uliProtoSrcDstPort.QuadPart)) {
  481. //
  482. // Found filter
  483. //
  484. fFound = TRUE;
  485. break;
  486. }
  487. }
  489. if (fFound) {
  490. //
  491. // Search for the particular SA now.
  492. //
  493. fFound = FALSE;
  495. pSAChain = IPSecResolveSAChain(pFilter, fOutbound? DEST_ADDR: SRC_ADDR);
  497. for ( pEntry = pSAChain->Flink;
  498. pEntry != pSAChain;
  499. pEntry = pEntry->Flink) {
  501. pSA = CONTAINING_RECORD(pEntry,
  502. SA_TABLE_ENTRY,
  503. sa_FilterLinkage);
  505. ASSERT(pSA->sa_Flags & FLAGS_SA_TUNNEL);
  507. if (pFilter->TunnelAddr != 0 && EQUAL_NATENCAP(pNatContext,pSA)) {
  508. //
  509. // match the outbound flag also
  510. //
  511. ASSERT(fOutbound == (BOOLEAN)((pSA->sa_Flags & FLAGS_SA_OUTBOUND) != 0));
  512. fFound = TRUE;
  513. *ppTunnelSA = pSA;
  514. break;
  515. }
  516. }
  518. if (fFound) {
  519. fFound = FALSE;
  520. *ppFilter = pFilter;
  521. } else {
  522. //
  523. // Found a filter entry, but need to negotiate keys.
  524. //
  525. *ppFilter = pFilter;
  526. return STATUS_PENDING;
  527. }
  528. }
  530. #if DBG
  531. if (fOutbound) {
  532. ADD_TO_LARGE_INTEGER(&g_ipsec.GpcTotalPassedIn, 1);
  533. }
  534. #endif
  536. GpcCf = IPSecResolveGpcCf(fOutbound);
  538. TempGpcHandle = 0;
  540. if (GpcHandle == 0) {
  541. #if DBG
  542. if (fOutbound) {
  543. ADD_TO_LARGE_INTEGER(&g_ipsec.GpcClassifyNeeded, 1);
  544. }
  545. #endif
  547. //
  548. // Classify directly if no GpcHandle passed in.
  549. //
  550. IPSEC_CLASSIFY_PACKET( GpcCf,
  551. uliSrcDstAddr,
  552. uliProtoSrcDstPort,
  553. &pFilter,
  554. &TempGpcHandle);
  555. } else {
  556. NTSTATUS status;
  558. //
  559. // Or we use GpcHandle directly to get the filter installed.
  560. //
  561. pFilter = NULL;
  563. status = GPC_GET_CLIENT_CONTEXT(g_ipsec.GpcClients[GpcCf],
  564. GpcHandle,
  565. &pFilter);
  567. if (status == STATUS_INVALID_HANDLE) {
  568. //
  569. // Re-classify if handle is invalid.
  570. //
  571. IPSEC_CLASSIFY_PACKET( GpcCf,
  572. uliSrcDstAddr,
  573. uliProtoSrcDstPort,
  574. &pFilter,
  575. &TempGpcHandle);
  576. }
  577. }
  579. #if DBG
  580. if (IPSecDebug & DBF_EXTRADIAGNOSTIC) {
  581. PFILTER pDbgFilter = NULL;
  583. pFilterList = IPSecResolveFilterList(FALSE, fOutbound);
  585. for ( pEntry = pFilterList->Flink;
  586. pEntry != pFilterList;
  587. pEntry = pEntry->Flink) {
  589. pTempFilter = CONTAINING_RECORD(pEntry,
  590. FILTER,
  591. MaskedLinkage);
  593. uliAddr.QuadPart = uliSrcDstAddr.QuadPart & pTempFilter->uliSrcDstMask.QuadPart;
  594. uliPort.QuadPart = uliProtoSrcDstPort.QuadPart & pTempFilter->uliProtoSrcDstMask.QuadPart;
  596. if ((uliAddr.QuadPart == pTempFilter->uliSrcDstAddr.QuadPart) &&
  597. (uliPort.QuadPart == pTempFilter->uliProtoSrcDstPort.QuadPart)) {
  598. pDbgFilter = pTempFilter;
  599. break;
  600. }
  601. }
  603. if (pFilter != pDbgFilter &&
  604. (!pDbgFilter || IS_GPC_FILTER(pDbgFilter))) {
  605. IPSEC_DEBUG(LL_A, DBF_GPC, ("LookupGpcSA: pFilter %p, pDbgFilter %p, GpcHandle %lx, TempGpcHandle %lx", pFilter, pDbgFilter, GpcHandle, TempGpcHandle));
  606. IPSEC_DEBUG(LL_A, DBF_GPC, ("LookupGpcSA: Src %lx, Dest %lx, Protocol %d, SPort %lx, DPort %lx", SRC_ADDR, DEST_ADDR, PROTO, SRC_PORT, DEST_PORT));
  608. if (DebugGPC) {
  609. DbgBreakPoint();
  610. }
  611. }
  612. }
  613. #endif
  615. //
  616. // Continue searching the local GPC filter list if not found.
  617. //
  618. if (!pFilter) {
  619. pFilterList = IPSecResolveGpcFilterList(FALSE, fOutbound);
  621. for ( pEntry = pFilterList->Flink;
  622. pEntry != pFilterList;
  623. pEntry = pEntry->Flink) {
  625. pTempFilter = CONTAINING_RECORD(pEntry,
  626. FILTER,
  627. GpcLinkage);
  629. uliAddr.QuadPart = uliSrcDstAddr.QuadPart & pTempFilter->uliSrcDstMask.QuadPart;
  630. uliPort.QuadPart = uliProtoSrcDstPort.QuadPart & pTempFilter->uliProtoSrcDstMask.QuadPart;
  632. if ((uliAddr.QuadPart == pTempFilter->uliSrcDstAddr.QuadPart) &&
  633. (uliPort.QuadPart == pTempFilter->uliProtoSrcDstPort.QuadPart)) {
  634. pFilter = pTempFilter;
  635. break;
  636. }
  637. }
  638. }
  641. if (pFilter) {
  642. //
  643. // Search for the particular SA now.
  644. //
  646. fFound=FALSE;
  647. pSAChain = IPSecResolveSAChain(pFilter, fOutbound? DEST_ADDR: SRC_ADDR);
  649. for ( pEntry = pSAChain->Flink;
  650. pEntry != pSAChain;
  651. pEntry = pEntry->Flink) {
  653. pSA = CONTAINING_RECORD(pEntry,
  654. SA_TABLE_ENTRY,
  655. sa_FilterLinkage);
  658. if (IS_CLASSD(NET_LONG(pSA->SA_SRC_ADDR))
  659. || IS_CLASSD(NET_LONG(pSA->SA_DEST_ADDR))) {
  660. uliAddr.QuadPart = uliSrcDstAddr.QuadPart & pSA->sa_uliSrcDstMask.QuadPart;
  662. IPSEC_DEBUG(LL_A, DBF_HASH, ("MCAST: %d %d %d %d", uliAddr.LowPart, uliAddr.HighPart,
  663. pSA->sa_uliSrcDstAddr.LowPart,pSA->sa_uliSrcDstAddr.HighPart));
  665. if (uliAddr.QuadPart == pSA->sa_uliSrcDstAddr.QuadPart) {
  666. fFound=TRUE;
  667. }
  668. } else if (uliSrcDstAddr.QuadPart == pSA->sa_uliSrcDstAddr.QuadPart && EQUAL_NATENCAP(pNatContext,pSA)) {
  669. fFound=TRUE;
  670. }
  671. if (fFound) {
  672. IPSEC_DEBUG(LL_A, DBF_HASH, ("Matched entry: %p", pSA));
  673. ASSERT(fOutbound == (BOOLEAN)((pSA->sa_Flags & FLAGS_SA_OUTBOUND) != 0));
  675. //
  676. // if there is also a tunnel SA, associate it here.
  677. //
  678. if (*ppTunnelSA && (fOutbound || fVerify)) {
  679. *ppNextSA = *ppTunnelSA;
  680. *ppTunnelSA = NULL;
  681. }
  683. *ppFilter = pFilter;
  684. *ppSA = pSA;
  685. return STATUS_SUCCESS;
  686. }
  687. }
  689. //
  690. // Found a filter entry, but need to negotiate keys
  691. // Also, ppTunnelSA is set to the proper tunnel SA we need
  692. // to hook to this end-2-end SA once it is negotiated.
  693. //
  694. *ppFilter = pFilter;
  696. return STATUS_PENDING;
  697. } else {
  698. //
  699. // if only tunnel SA found, return that as the SA found.
  700. //
  701. if (*ppTunnelSA) {
  702. *ppSA = *ppTunnelSA;
  703. *ppTunnelSA = NULL;
  704. return STATUS_SUCCESS;
  705. }
  706. }
  708. //
  709. // no entry found
  710. //
  711. return STATUS_NOT_FOUND;
  713. }
  716. NTSTATUS
  717. IPSecLookupGpcMaskedSA(
  718. IN ULARGE_INTEGER uliSrcDstAddr,
  719. IN ULARGE_INTEGER uliProtoSrcDstPort,
  720. OUT PFILTER *ppFilter,
  721. OUT PSA_TABLE_ENTRY *ppSA,
  722. IN BOOLEAN fOutbound,
  723. IN PIPSEC_UDP_ENCAP_CONTEXT pNatContext
  724. )
  725. /*++
  727. Routine Description:
  729. Looks up the SA given the relevant addresses.
  731. Arguments:
  733. uliSrcDstAddr - src/dest IP addr
  734. uliProtoSrcDstPort - protocol, src/dest port
  735. ppFilter - filter found
  736. ppSA - SA found
  737. fOutbound - direction flag
  739. Return Value:
  741. STATUS_SUCCESS - both filter and SA found
  742. STATUS_UNSUCCESSFUL - none found
  743. STATUS_PENDING - filter found, but no SA
  745. Notes:
  747. Called with SADBLock held.
  749. --*/
  750. {
  751. REGISTER ULARGE_INTEGER uliPort;
  752. REGISTER ULARGE_INTEGER uliAddr;
  753. PFILTER pFilter;
  754. PFILTER pTempFilter;
  755. PLIST_ENTRY pFilterList;
  756. PLIST_ENTRY pSAChain;
  757. PLIST_ENTRY pEntry;
  758. PSA_TABLE_ENTRY pSA;
  759. CLASSIFICATION_HANDLE GpcHandle;
  760. INT GpcCf;
  762. *ppSA = NULL;
  763. *ppFilter = NULL;
  765. GpcCf = IPSecResolveGpcCf(fOutbound);
  767. GpcHandle = 0;
  769. IPSEC_CLASSIFY_PACKET( GpcCf,
  770. uliSrcDstAddr,
  771. uliProtoSrcDstPort,
  772. &pFilter,
  773. &GpcHandle);
  775. #if DBG
  776. if (IPSecDebug & DBF_EXTRADIAGNOSTIC) {
  777. PFILTER pDbgFilter = NULL;
  779. pFilterList = IPSecResolveFilterList(FALSE, fOutbound);
  781. for ( pEntry = pFilterList->Flink;
  782. pEntry != pFilterList;
  783. pEntry = pEntry->Flink) {
  785. pTempFilter = CONTAINING_RECORD(pEntry,
  786. FILTER,
  787. MaskedLinkage);
  789. uliAddr.QuadPart = uliSrcDstAddr.QuadPart & pTempFilter->uliSrcDstMask.QuadPart;
  790. uliPort.QuadPart = uliProtoSrcDstPort.QuadPart & pTempFilter->uliProtoSrcDstMask.QuadPart;
  792. if ((uliAddr.QuadPart == pTempFilter->uliSrcDstAddr.QuadPart) &&
  793. (uliPort.QuadPart == pTempFilter->uliProtoSrcDstPort.QuadPart)) {
  794. pDbgFilter = pTempFilter;
  795. break;
  796. }
  797. }
  799. if (pFilter != pDbgFilter &&
  800. (!pDbgFilter || IS_GPC_FILTER(pDbgFilter))) {
  801. IPSEC_DEBUG(LL_A, DBF_GPC, ("LookupMaskedSA: pFilter %p, pDbgFilter %p, GpcHandle %lx", pFilter, pDbgFilter, GpcHandle));
  802. IPSEC_DEBUG(LL_A, DBF_GPC, ("LookupMaskedSA: Src %lx, Dest %lx, Protocol %d, SPort %lx, DPort %lx", SRC_ADDR, DEST_ADDR, PROTO, SRC_PORT, DEST_PORT));
  804. if (DebugGPC) {
  805. DbgBreakPoint();
  806. }
  807. }
  808. }
  809. #endif
  811. //
  812. // Continue searching the local GPC filter list if not found.
  813. //
  814. if (!pFilter) {
  815. pFilterList = IPSecResolveGpcFilterList(FALSE, fOutbound);
  817. for ( pEntry = pFilterList->Flink;
  818. pEntry != pFilterList;
  819. pEntry = pEntry->Flink) {
  821. pTempFilter = CONTAINING_RECORD(pEntry,
  822. FILTER,
  823. GpcLinkage);
  825. uliAddr.QuadPart = uliSrcDstAddr.QuadPart & pTempFilter->uliSrcDstMask.QuadPart;
  826. uliPort.QuadPart = uliProtoSrcDstPort.QuadPart & pTempFilter->uliProtoSrcDstMask.QuadPart;
  828. if ((uliAddr.QuadPart == pTempFilter->uliSrcDstAddr.QuadPart) &&
  829. (uliPort.QuadPart == pTempFilter->uliProtoSrcDstPort.QuadPart)) {
  830. pFilter = pTempFilter;
  831. break;
  832. }
  833. }
  834. }
  836. if (pFilter) {
  837. //
  838. // Search for the particular SA now.
  839. //
  840. pSAChain = IPSecResolveSAChain(pFilter, fOutbound? DEST_ADDR: SRC_ADDR);
  842. for ( pEntry = pSAChain->Flink;
  843. pEntry != pSAChain;
  844. pEntry = pEntry->Flink) {
  846. pSA = CONTAINING_RECORD(pEntry,
  847. SA_TABLE_ENTRY,
  848. sa_FilterLinkage);
  850. if (uliSrcDstAddr.QuadPart == pSA->sa_uliSrcDstAddr.QuadPart && EQUAL_NATENCAP(pNatContext,pSA) ) {
  852. IPSEC_DEBUG(LL_A, DBF_HASH, ("Matched entry: %p", pSA));
  853. ASSERT(fOutbound == (BOOLEAN)((pSA->sa_Flags & FLAGS_SA_OUTBOUND) != 0));
  854. *ppFilter = pFilter;
  855. *ppSA = pSA;
  856. return STATUS_SUCCESS;
  857. }
  858. }
  860. //
  861. // Found a filter entry, but need to negotiate keys
  862. //
  863. *ppFilter = pFilter;
  864. return STATUS_PENDING;
  865. }
  867. //
  868. // no entry found
  869. //
  870. return STATUS_NOT_FOUND;
  871. }
  874. #endif