archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
1 Branch
0 Tags
1.5 GiB
Tree: 5c6fe3db62
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '5c6fe3db62'
${ noResults }
windows-server-2003/net/tcpip/driver/ipsec/sys/intirspn.c

584 lines
14 KiB
Raw Normal View History

commiting as it is
4 years ago
  3. #include "precomp.h"
  5. #pragma hdrstop
  8. NTSTATUS
  9. IPSecGetSPI(
  10. PIPSEC_GET_SPI pIpsecGetSPI
  11. )
  12. /*++
  14. Routine Description:
  16. This routine returns the SPI.
  18. Arguments:
  20. pIpsecGetSPI - Pointer to the ipsec get spi structure.
  22. Return Value:
  24. NTSTATUS - The status code from this routine.
  26. --*/
  27. {
  28. NTSTATUS ntStatus = STATUS_SUCCESS;
  30. //
  31. // If context was passed in, then there's a larval SA already setup.
  32. // This is the case for the initiator.
  33. //
  35. if (pIpsecGetSPI->Context) {
  36. ntStatus = IPSecInitiatorGetSPI(
  37. pIpsecGetSPI
  38. );
  39. }
  40. else {
  41. ntStatus = IPSecResponderGetSPI(
  42. pIpsecGetSPI
  43. );
  44. }
  46. return (ntStatus);
  47. }
  50. NTSTATUS
  51. IPSecInitiatorGetSPI(
  52. PIPSEC_GET_SPI pIpsecGetSPI
  53. )
  54. {
  55. NTSTATUS ntStatus = STATUS_SUCCESS;
  56. PIPSEC_ACQUIRE_CONTEXT pIpsecAcquireCtx = NULL;
  57. KIRQL kIrql;
  60. //
  61. // Sanity check the incoming context to see if it is actually
  62. // an SA block.
  63. //
  65. ACQUIRE_LOCK(&g_ipsec.LarvalListLock, &kIrql);
  67. if (!NT_SUCCESS(IPSecValidateHandle(HandleToUlong(pIpsecGetSPI->Context),&pIpsecAcquireCtx, STATE_SA_LARVAL))) {
  68. ntStatus = STATUS_INVALID_PARAMETER;
  69. BAIL_ON_LOCK_NTSTATUS_ERROR(ntStatus);
  70. }
  72. pIpsecGetSPI->SPI = pIpsecAcquireCtx->pSA->sa_SPI;
  74. pIpsecAcquireCtx->pSA->sa_Flags |= FLAGS_SA_INITIATOR;
  76. ntStatus = STATUS_SUCCESS;
  78. lock:
  80. RELEASE_LOCK(&g_ipsec.LarvalListLock, kIrql);
  82. return (ntStatus);
  83. }
  86. NTSTATUS
  87. IPSecResponderGetSPI(
  88. PIPSEC_GET_SPI pIpsecGetSPI
  89. )
  90. {
  91. NTSTATUS ntStatus = STATUS_SUCCESS;
  92. KIRQL kIrql;
  93. PSA_TABLE_ENTRY pInboundSA = NULL;
  94. ULARGE_INTEGER uliSrcDstAddr = {0};
  95. PSA_TABLE_ENTRY pSA = NULL;
  96. PIPSEC_ACQUIRE_CONTEXT pIpsecAcquireCtx = NULL;
  99. AcquireWriteLock(&g_ipsec.SADBLock, &kIrql);
  101. if (pIpsecGetSPI->SPI) {
  103. if (!(pIpsecGetSPI->InstantiatedFilter.TunnelFilter)) {
  104. pInboundSA = IPSecLookupSABySPI(
  105. pIpsecGetSPI->SPI,
  106. pIpsecGetSPI->InstantiatedFilter.DestAddr
  107. );
  108. }
  109. else {
  110. pInboundSA = IPSecLookupSABySPI(
  111. pIpsecGetSPI->SPI,
  112. pIpsecGetSPI->InstantiatedFilter.TunnelAddr
  113. );
  114. }
  116. if (pInboundSA) {
  117. ntStatus = STATUS_UNSUCCESSFUL;
  118. BAIL_ON_LOCK_NTSTATUS_ERROR(ntStatus);
  119. }
  121. }
  123. ntStatus = IPSecResponderCreateLarvalSA(
  124. pIpsecGetSPI,
  125. uliSrcDstAddr,
  126. &pSA
  127. );
  128. BAIL_ON_LOCK_NTSTATUS_ERROR(ntStatus);
  130. //
  131. // Get the acquire Context and associate it with the larval SA.
  132. //
  134. pIpsecAcquireCtx = IPSecGetAcquireContext();
  136. if (!pIpsecAcquireCtx) {
  137. ntStatus = STATUS_INSUFFICIENT_RESOURCES;
  138. BAIL_ON_LOCK_NTSTATUS_ERROR(ntStatus);
  139. }
  141. pIpsecAcquireCtx->AcquireId = IPSecGetAcquireId();
  143. pIpsecAcquireCtx->pSA = pSA;
  144. pSA->sa_AcquireId = pIpsecAcquireCtx->AcquireId;
  146. pIpsecGetSPI->Context = UlongToHandle(pIpsecAcquireCtx->AcquireId);
  147. pSA->sa_AcquireCtx = pIpsecAcquireCtx;
  149. pIpsecGetSPI->SPI = pSA->sa_SPI;
  151. ntStatus = STATUS_SUCCESS;
  153. lock:
  155. ReleaseWriteLock(&g_ipsec.SADBLock, kIrql);
  157. return (ntStatus);
  158. }
  161. NTSTATUS
  162. IPSecResponderCreateLarvalSA(
  163. PIPSEC_GET_SPI pIpsecGetSPI,
  164. ULARGE_INTEGER uliAddr,
  165. PSA_TABLE_ENTRY * ppSA
  166. )
  167. {
  168. NTSTATUS ntStatus = STATUS_SUCCESS;
  169. PSA_TABLE_ENTRY pSA = NULL;
  170. KIRQL kIrql;
  173. ntStatus = IPSecCreateSA(&pSA);
  174. BAIL_ON_NTSTATUS_ERROR(ntStatus);
  176. pSA->sa_Filter = NULL;
  177. pSA->sa_State = STATE_SA_LARVAL;
  179. IPSEC_BUILD_SRC_DEST_ADDR(
  180. pSA->sa_uliSrcDstAddr,
  181. pIpsecGetSPI->InstantiatedFilter.SrcAddr,
  182. pIpsecGetSPI->InstantiatedFilter.DestAddr
  183. );
  185. IPSEC_BUILD_SRC_DEST_MASK(
  186. pSA->sa_uliSrcDstMask,
  187. pIpsecGetSPI->InstantiatedFilter.SrcMask,
  188. pIpsecGetSPI->InstantiatedFilter.DestMask
  189. );
  191. IPSEC_BUILD_PROTO_PORT_LI(
  192. pSA->sa_uliProtoSrcDstPort,
  193. pIpsecGetSPI->InstantiatedFilter.Protocol,
  194. pIpsecGetSPI->InstantiatedFilter.SrcPort,
  195. pIpsecGetSPI->InstantiatedFilter.DestPort
  196. );
  198. ntStatus = IPSecResponderInsertInboundSA(
  199. pSA,
  200. pIpsecGetSPI,
  201. pIpsecGetSPI->InstantiatedFilter.TunnelFilter
  202. );
  203. BAIL_ON_NTSTATUS_ERROR(ntStatus);
  205. ACQUIRE_LOCK(&g_ipsec.LarvalListLock, &kIrql);
  207. InsertTailList(&g_ipsec.LarvalSAList, &pSA->sa_LarvalLinkage);
  209. IPSEC_INC_STATISTIC(dwNumPendingKeyOps);
  211. RELEASE_LOCK(&g_ipsec.LarvalListLock, kIrql);
  213. ACQUIRE_LOCK(&pSA->sa_Lock, &kIrql);
  215. IPSecStartSATimer(
  216. pSA,
  217. IPSecSAExpired,
  218. pSA->sa_ExpiryTime
  219. );
  221. RELEASE_LOCK(&pSA->sa_Lock, kIrql);
  223. *ppSA = pSA;
  225. return (ntStatus);
  227. error:
  229. if (pSA) {
  230. IPSecFreeSA(pSA);
  231. }
  233. *ppSA = NULL;
  234. return (ntStatus);
  235. }
  238. NTSTATUS
  239. IPSecInitiatorCreateLarvalSA(
  240. PFILTER pFilter,
  241. ULARGE_INTEGER uliAddr,
  242. PSA_TABLE_ENTRY * ppSA,
  243. UCHAR DestType,
  244. PIPSEC_UDP_ENCAP_CONTEXT pEncapContext
  245. )
  246. {
  247. NTSTATUS ntStatus = STATUS_SUCCESS;
  248. PSA_TABLE_ENTRY pSA = NULL;
  249. ULARGE_INTEGER uliSrcDstAddr = {0};
  250. ULARGE_INTEGER uliSrcDstMask = {0};
  251. ULARGE_INTEGER uliProtoSrcDstPort = {0};
  252. KIRQL kIrql;
  255. ntStatus = IPSecCreateSA(&pSA);
  256. BAIL_ON_NTSTATUS_ERROR(ntStatus);
  258. pSA->sa_Filter = pFilter;
  259. pSA->sa_State = STATE_SA_LARVAL;
  261. uliSrcDstAddr = uliAddr;
  262. uliSrcDstMask = pFilter->uliSrcDstMask;
  263. uliProtoSrcDstPort = pFilter->uliProtoSrcDstPort;
  265. IPSEC_BUILD_SRC_DEST_ADDR(
  266. pSA->sa_uliSrcDstAddr,
  267. DEST_ADDR,
  268. SRC_ADDR
  269. );
  271. IPSEC_BUILD_SRC_DEST_MASK(
  272. pSA->sa_uliSrcDstMask,
  273. DEST_MASK,
  274. SRC_MASK
  275. );
  277. IPSEC_BUILD_PROTO_PORT_LI(
  278. pSA->sa_uliProtoSrcDstPort,
  279. PROTO,
  280. DEST_PORT,
  281. SRC_PORT
  282. );
  284. pSA->sa_DestType=DestType;
  286. if (pEncapContext) {
  287. RtlCopyMemory(&pSA->sa_EncapContext,pEncapContext,sizeof(IPSEC_UDP_ENCAP_CONTEXT));
  288. }
  290. ntStatus = IPSecInitiatorInsertInboundSA(
  291. pSA,
  292. pFilter->TunnelFilter
  293. );
  294. BAIL_ON_NTSTATUS_ERROR(ntStatus);
  296. ACQUIRE_LOCK(&g_ipsec.LarvalListLock, &kIrql);
  298. InsertTailList(&g_ipsec.LarvalSAList, &pSA->sa_LarvalLinkage);
  300. IPSEC_INC_STATISTIC(dwNumPendingKeyOps);
  302. RELEASE_LOCK(&g_ipsec.LarvalListLock, kIrql);
  304. ACQUIRE_LOCK(&pSA->sa_Lock, &kIrql);
  306. IPSecStartSATimer(
  307. pSA,
  308. IPSecSAExpired,
  309. pSA->sa_ExpiryTime
  310. );
  312. RELEASE_LOCK(&pSA->sa_Lock, kIrql);
  314. *ppSA = pSA;
  316. return (ntStatus);
  318. error:
  320. if (pSA) {
  321. IPSecFreeSA(pSA);
  322. }
  324. *ppSA = NULL;
  325. return (ntStatus);
  326. }
  329. NTSTATUS
  330. IPSecFindSA(
  331. BOOLEAN bTunnelFilter,
  332. ULARGE_INTEGER uliSrcDstAddr,
  333. ULARGE_INTEGER uliProtoSrcDstPort,
  334. PFILTER * ppFilter,
  335. PSA_TABLE_ENTRY * ppSA,
  336. IN PIPSEC_UDP_ENCAP_CONTEXT pNatContext
  337. )
  338. {
  339. NTSTATUS ntStatus = STATUS_SUCCESS;
  342. if (bTunnelFilter) {
  343. ntStatus = IPSecLookupTunnelSA(
  344. uliSrcDstAddr,
  345. uliProtoSrcDstPort,
  346. ppFilter,
  347. ppSA,
  348. FALSE,
  349. pNatContext
  350. );
  351. }
  352. else {
  354. #if GPC
  356. if (IS_GPC_ACTIVE()) {
  357. ntStatus = IPSecLookupGpcMaskedSA(
  358. uliSrcDstAddr,
  359. uliProtoSrcDstPort,
  360. ppFilter,
  361. ppSA,
  362. FALSE,
  363. pNatContext
  364. );
  365. }
  366. else {
  367. ntStatus = IPSecLookupMaskedSA(
  368. uliSrcDstAddr,
  369. uliProtoSrcDstPort,
  370. ppFilter,
  371. ppSA,
  372. FALSE,
  373. pNatContext
  374. );
  375. }
  376. #else
  378. ntStatus = IPSecLookupMaskedSA(
  379. uliSrcDstAddr,
  380. uliProtoSrcDstPort,
  381. ppFilter,
  382. ppSA,
  383. FALSE,
  384. pNatContext
  385. );
  387. #endif
  389. }
  391. return (ntStatus);
  392. }
  395. NTSTATUS
  396. IPSecResponderInsertInboundSA(
  397. PSA_TABLE_ENTRY pSA,
  398. PIPSEC_GET_SPI pIpsecGetSPI,
  399. BOOLEAN bTunnelFilter
  400. )
  401. {
  402. NTSTATUS ntStatus = STATUS_SUCCESS;
  403. PFILTER pFilter = NULL;
  404. PSA_TABLE_ENTRY pInboundSA = NULL;
  405. PLIST_ENTRY pSAChain = NULL;
  406. KIRQL kIrql;
  407. tSPI tSpi = 0;
  408. PSA_HASH pHash = NULL;
  411. ntStatus = IPSecFindSA(
  412. bTunnelFilter,
  413. pSA->sa_uliSrcDstAddr,
  414. pSA->sa_uliProtoSrcDstPort,
  415. &pFilter,
  416. &pInboundSA,
  417. NULL
  418. );
  419. if (!NT_SUCCESS(ntStatus)) {
  420. IPSecBufferEvent(
  421. pSA->SA_SRC_ADDR,
  422. EVENT_IPSEC_NEG_FAILURE,
  423. 1,
  424. FALSE
  425. );
  426. return (ntStatus);
  427. }
  429. ASSERT(pFilter);
  431. if (pIpsecGetSPI->InstantiatedFilter.Protocol != pFilter->PROTO ||
  432. pIpsecGetSPI->InstantiatedFilter.SrcPort != FI_SRC_PORT(pFilter) ||
  433. pIpsecGetSPI->InstantiatedFilter.DestPort != FI_DEST_PORT(pFilter)) {
  434. ntStatus = STATUS_OBJECT_TYPE_MISMATCH;
  435. return (ntStatus);
  436. }
  438. pSAChain = IPSecResolveSAChain(pFilter, pSA->SA_SRC_ADDR);
  440. InsertHeadList(pSAChain, &pSA->sa_FilterLinkage);
  442. pSA->sa_Flags |= FLAGS_SA_ON_FILTER_LIST;
  444. if (pFilter->Flags & FILTER_FLAGS_PASS_THRU) {
  445. pSA->sa_Flags |= FLAGS_SA_PASSTHRU_FILTER;
  446. }
  448. if (pFilter->TunnelFilter) {
  449. pSA->sa_Flags |= FLAGS_SA_TUNNEL;
  450. pSA->sa_TunnelAddr = pFilter->TunnelAddr;
  451. }
  453. //
  454. // Flush this filter from the cache table so that the SA instead of the
  455. // filter is matched on the next lookup.
  456. //
  458. if (IS_EXEMPT_FILTER(pFilter)) {
  459. IPSecInvalidateFilterCacheEntry(pFilter);
  460. }
  462. AcquireWriteLock(&g_ipsec.SPIListLock, &kIrql);
  464. tSpi = pIpsecGetSPI->SPI;
  466. ntStatus = IPSecAllocateSPI(&tSpi, pSA);
  468. if (!NT_SUCCESS(ntStatus)) {
  469. ReleaseWriteLock(&g_ipsec.SPIListLock, kIrql);
  470. return (ntStatus);
  471. }
  473. pSA->sa_SPI = tSpi;
  475. IPSEC_HASH_SPI(
  476. (pSA->sa_TunnelAddr) ? pSA->sa_TunnelAddr : pSA->SA_DEST_ADDR,
  477. tSpi,
  478. pHash
  479. );
  481. InsertHeadList(&pHash->SAList, &pSA->sa_SPILinkage);
  483. pSA->sa_Flags |= FLAGS_SA_ON_SPI_HASH;
  485. ReleaseWriteLock(&g_ipsec.SPIListLock, kIrql);
  487. return (STATUS_SUCCESS);
  488. }
  491. NTSTATUS
  492. IPSecInitiatorInsertInboundSA(
  493. PSA_TABLE_ENTRY pSA,
  494. BOOLEAN bTunnelFilter
  495. )
  496. {
  497. NTSTATUS ntStatus = STATUS_SUCCESS;
  498. PFILTER pFilter = NULL;
  499. PSA_TABLE_ENTRY pInboundSA = NULL;
  500. PLIST_ENTRY pSAChain = NULL;
  501. KIRQL kIrql;
  502. tSPI tSpi = 0;
  503. PSA_HASH pHash = NULL;
  506. ntStatus = IPSecFindSA(
  507. bTunnelFilter,
  508. pSA->sa_uliSrcDstAddr,
  509. pSA->sa_uliProtoSrcDstPort,
  510. &pFilter,
  511. &pInboundSA,
  512. NULL
  513. );
  514. if (!NT_SUCCESS(ntStatus)) {
  515. IPSecBufferEvent(
  516. pSA->SA_SRC_ADDR,
  517. EVENT_IPSEC_NEG_FAILURE,
  518. 1,
  519. FALSE
  520. );
  521. return (ntStatus);
  522. }
  524. if (ntStatus == STATUS_SUCCESS) {
  525. if (pInboundSA->sa_State == STATE_SA_LARVAL) {
  526. ntStatus = STATUS_DUPLICATE_OBJECTID;
  527. return (ntStatus);
  528. }
  529. }
  531. ASSERT(pFilter);
  533. pSAChain = IPSecResolveSAChain(pFilter, pSA->SA_SRC_ADDR);
  535. InsertHeadList(pSAChain, &pSA->sa_FilterLinkage);
  537. pSA->sa_Flags |= FLAGS_SA_ON_FILTER_LIST;
  539. if (pFilter->Flags & FILTER_FLAGS_PASS_THRU) {
  540. pSA->sa_Flags |= FLAGS_SA_PASSTHRU_FILTER;
  541. }
  543. if (pFilter->TunnelFilter) {
  544. pSA->sa_Flags |= FLAGS_SA_TUNNEL;
  545. pSA->sa_TunnelAddr = pFilter->TunnelAddr;
  546. }
  548. //
  549. // Flush this filter from the cache table so that the SA instead of the
  550. // filter is matched on the next lookup.
  551. //
  553. if (IS_EXEMPT_FILTER(pFilter)) {
  554. IPSecInvalidateFilterCacheEntry(pFilter);
  555. }
  557. AcquireWriteLock(&g_ipsec.SPIListLock, &kIrql);
  559. tSpi = 0;
  561. ntStatus = IPSecAllocateSPI(&tSpi, pSA);
  563. if (!NT_SUCCESS(ntStatus)) {
  564. ReleaseWriteLock(&g_ipsec.SPIListLock, kIrql);
  565. return (ntStatus);
  566. }
  568. pSA->sa_SPI = tSpi;
  570. IPSEC_HASH_SPI(
  571. (pSA->sa_TunnelAddr) ? pSA->sa_TunnelAddr : pSA->SA_DEST_ADDR,
  572. tSpi,
  573. pHash
  574. );
  576. InsertHeadList(&pHash->SAList, &pSA->sa_SPILinkage);
  578. pSA->sa_Flags |= FLAGS_SA_ON_SPI_HASH;
  580. ReleaseWriteLock(&g_ipsec.SPIListLock, kIrql);
  582. return (STATUS_SUCCESS);
  583. }