Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 

584 lines
14 KiB

#include "precomp.h"
#pragma hdrstop
NTSTATUS
IPSecGetSPI(
PIPSEC_GET_SPI pIpsecGetSPI
)
/*++
Routine Description:
This routine returns the SPI.
Arguments:
pIpsecGetSPI - Pointer to the ipsec get spi structure.
Return Value:
NTSTATUS - The status code from this routine.
--*/
{
NTSTATUS ntStatus = STATUS_SUCCESS;
//
// If context was passed in, then there's a larval SA already setup.
// This is the case for the initiator.
//
if (pIpsecGetSPI->Context) {
ntStatus = IPSecInitiatorGetSPI(
pIpsecGetSPI
);
}
else {
ntStatus = IPSecResponderGetSPI(
pIpsecGetSPI
);
}
return (ntStatus);
}
NTSTATUS
IPSecInitiatorGetSPI(
PIPSEC_GET_SPI pIpsecGetSPI
)
{
NTSTATUS ntStatus = STATUS_SUCCESS;
PIPSEC_ACQUIRE_CONTEXT pIpsecAcquireCtx = NULL;
KIRQL kIrql;
//
// Sanity check the incoming context to see if it is actually
// an SA block.
//
ACQUIRE_LOCK(&g_ipsec.LarvalListLock, &kIrql);
if (!NT_SUCCESS(IPSecValidateHandle(HandleToUlong(pIpsecGetSPI->Context),&pIpsecAcquireCtx, STATE_SA_LARVAL))) {
ntStatus = STATUS_INVALID_PARAMETER;
BAIL_ON_LOCK_NTSTATUS_ERROR(ntStatus);
}
pIpsecGetSPI->SPI = pIpsecAcquireCtx->pSA->sa_SPI;
pIpsecAcquireCtx->pSA->sa_Flags |= FLAGS_SA_INITIATOR;
ntStatus = STATUS_SUCCESS;
lock:
RELEASE_LOCK(&g_ipsec.LarvalListLock, kIrql);
return (ntStatus);
}
NTSTATUS
IPSecResponderGetSPI(
PIPSEC_GET_SPI pIpsecGetSPI
)
{
NTSTATUS ntStatus = STATUS_SUCCESS;
KIRQL kIrql;
PSA_TABLE_ENTRY pInboundSA = NULL;
ULARGE_INTEGER uliSrcDstAddr = {0};
PSA_TABLE_ENTRY pSA = NULL;
PIPSEC_ACQUIRE_CONTEXT pIpsecAcquireCtx = NULL;
AcquireWriteLock(&g_ipsec.SADBLock, &kIrql);
if (pIpsecGetSPI->SPI) {
if (!(pIpsecGetSPI->InstantiatedFilter.TunnelFilter)) {
pInboundSA = IPSecLookupSABySPI(
pIpsecGetSPI->SPI,
pIpsecGetSPI->InstantiatedFilter.DestAddr
);
}
else {
pInboundSA = IPSecLookupSABySPI(
pIpsecGetSPI->SPI,
pIpsecGetSPI->InstantiatedFilter.TunnelAddr
);
}
if (pInboundSA) {
ntStatus = STATUS_UNSUCCESSFUL;
BAIL_ON_LOCK_NTSTATUS_ERROR(ntStatus);
}
}
ntStatus = IPSecResponderCreateLarvalSA(
pIpsecGetSPI,
uliSrcDstAddr,
&pSA
);
BAIL_ON_LOCK_NTSTATUS_ERROR(ntStatus);
//
// Get the acquire Context and associate it with the larval SA.
//
pIpsecAcquireCtx = IPSecGetAcquireContext();
if (!pIpsecAcquireCtx) {
ntStatus = STATUS_INSUFFICIENT_RESOURCES;
BAIL_ON_LOCK_NTSTATUS_ERROR(ntStatus);
}
pIpsecAcquireCtx->AcquireId = IPSecGetAcquireId();
pIpsecAcquireCtx->pSA = pSA;
pSA->sa_AcquireId = pIpsecAcquireCtx->AcquireId;
pIpsecGetSPI->Context = UlongToHandle(pIpsecAcquireCtx->AcquireId);
pSA->sa_AcquireCtx = pIpsecAcquireCtx;
pIpsecGetSPI->SPI = pSA->sa_SPI;
ntStatus = STATUS_SUCCESS;
lock:
ReleaseWriteLock(&g_ipsec.SADBLock, kIrql);
return (ntStatus);
}
NTSTATUS
IPSecResponderCreateLarvalSA(
PIPSEC_GET_SPI pIpsecGetSPI,
ULARGE_INTEGER uliAddr,
PSA_TABLE_ENTRY * ppSA
)
{
NTSTATUS ntStatus = STATUS_SUCCESS;
PSA_TABLE_ENTRY pSA = NULL;
KIRQL kIrql;
ntStatus = IPSecCreateSA(&pSA);
BAIL_ON_NTSTATUS_ERROR(ntStatus);
pSA->sa_Filter = NULL;
pSA->sa_State = STATE_SA_LARVAL;
IPSEC_BUILD_SRC_DEST_ADDR(
pSA->sa_uliSrcDstAddr,
pIpsecGetSPI->InstantiatedFilter.SrcAddr,
pIpsecGetSPI->InstantiatedFilter.DestAddr
);
IPSEC_BUILD_SRC_DEST_MASK(
pSA->sa_uliSrcDstMask,
pIpsecGetSPI->InstantiatedFilter.SrcMask,
pIpsecGetSPI->InstantiatedFilter.DestMask
);
IPSEC_BUILD_PROTO_PORT_LI(
pSA->sa_uliProtoSrcDstPort,
pIpsecGetSPI->InstantiatedFilter.Protocol,
pIpsecGetSPI->InstantiatedFilter.SrcPort,
pIpsecGetSPI->InstantiatedFilter.DestPort
);
ntStatus = IPSecResponderInsertInboundSA(
pSA,
pIpsecGetSPI,
pIpsecGetSPI->InstantiatedFilter.TunnelFilter
);
BAIL_ON_NTSTATUS_ERROR(ntStatus);
ACQUIRE_LOCK(&g_ipsec.LarvalListLock, &kIrql);
InsertTailList(&g_ipsec.LarvalSAList, &pSA->sa_LarvalLinkage);
IPSEC_INC_STATISTIC(dwNumPendingKeyOps);
RELEASE_LOCK(&g_ipsec.LarvalListLock, kIrql);
ACQUIRE_LOCK(&pSA->sa_Lock, &kIrql);
IPSecStartSATimer(
pSA,
IPSecSAExpired,
pSA->sa_ExpiryTime
);
RELEASE_LOCK(&pSA->sa_Lock, kIrql);
*ppSA = pSA;
return (ntStatus);
error:
if (pSA) {
IPSecFreeSA(pSA);
}
*ppSA = NULL;
return (ntStatus);
}
NTSTATUS
IPSecInitiatorCreateLarvalSA(
PFILTER pFilter,
ULARGE_INTEGER uliAddr,
PSA_TABLE_ENTRY * ppSA,
UCHAR DestType,
PIPSEC_UDP_ENCAP_CONTEXT pEncapContext
)
{
NTSTATUS ntStatus = STATUS_SUCCESS;
PSA_TABLE_ENTRY pSA = NULL;
ULARGE_INTEGER uliSrcDstAddr = {0};
ULARGE_INTEGER uliSrcDstMask = {0};
ULARGE_INTEGER uliProtoSrcDstPort = {0};
KIRQL kIrql;
ntStatus = IPSecCreateSA(&pSA);
BAIL_ON_NTSTATUS_ERROR(ntStatus);
pSA->sa_Filter = pFilter;
pSA->sa_State = STATE_SA_LARVAL;
uliSrcDstAddr = uliAddr;
uliSrcDstMask = pFilter->uliSrcDstMask;
uliProtoSrcDstPort = pFilter->uliProtoSrcDstPort;
IPSEC_BUILD_SRC_DEST_ADDR(
pSA->sa_uliSrcDstAddr,
DEST_ADDR,
SRC_ADDR
);
IPSEC_BUILD_SRC_DEST_MASK(
pSA->sa_uliSrcDstMask,
DEST_MASK,
SRC_MASK
);
IPSEC_BUILD_PROTO_PORT_LI(
pSA->sa_uliProtoSrcDstPort,
PROTO,
DEST_PORT,
SRC_PORT
);
pSA->sa_DestType=DestType;
if (pEncapContext) {
RtlCopyMemory(&pSA->sa_EncapContext,pEncapContext,sizeof(IPSEC_UDP_ENCAP_CONTEXT));
}
ntStatus = IPSecInitiatorInsertInboundSA(
pSA,
pFilter->TunnelFilter
);
BAIL_ON_NTSTATUS_ERROR(ntStatus);
ACQUIRE_LOCK(&g_ipsec.LarvalListLock, &kIrql);
InsertTailList(&g_ipsec.LarvalSAList, &pSA->sa_LarvalLinkage);
IPSEC_INC_STATISTIC(dwNumPendingKeyOps);
RELEASE_LOCK(&g_ipsec.LarvalListLock, kIrql);
ACQUIRE_LOCK(&pSA->sa_Lock, &kIrql);
IPSecStartSATimer(
pSA,
IPSecSAExpired,
pSA->sa_ExpiryTime
);
RELEASE_LOCK(&pSA->sa_Lock, kIrql);
*ppSA = pSA;
return (ntStatus);
error:
if (pSA) {
IPSecFreeSA(pSA);
}
*ppSA = NULL;
return (ntStatus);
}
NTSTATUS
IPSecFindSA(
BOOLEAN bTunnelFilter,
ULARGE_INTEGER uliSrcDstAddr,
ULARGE_INTEGER uliProtoSrcDstPort,
PFILTER * ppFilter,
PSA_TABLE_ENTRY * ppSA,
IN PIPSEC_UDP_ENCAP_CONTEXT pNatContext
)
{
NTSTATUS ntStatus = STATUS_SUCCESS;
if (bTunnelFilter) {
ntStatus = IPSecLookupTunnelSA(
uliSrcDstAddr,
uliProtoSrcDstPort,
ppFilter,
ppSA,
FALSE,
pNatContext
);
}
else {
#if GPC
if (IS_GPC_ACTIVE()) {
ntStatus = IPSecLookupGpcMaskedSA(
uliSrcDstAddr,
uliProtoSrcDstPort,
ppFilter,
ppSA,
FALSE,
pNatContext
);
}
else {
ntStatus = IPSecLookupMaskedSA(
uliSrcDstAddr,
uliProtoSrcDstPort,
ppFilter,
ppSA,
FALSE,
pNatContext
);
}
#else
ntStatus = IPSecLookupMaskedSA(
uliSrcDstAddr,
uliProtoSrcDstPort,
ppFilter,
ppSA,
FALSE,
pNatContext
);
#endif
}
return (ntStatus);
}
NTSTATUS
IPSecResponderInsertInboundSA(
PSA_TABLE_ENTRY pSA,
PIPSEC_GET_SPI pIpsecGetSPI,
BOOLEAN bTunnelFilter
)
{
NTSTATUS ntStatus = STATUS_SUCCESS;
PFILTER pFilter = NULL;
PSA_TABLE_ENTRY pInboundSA = NULL;
PLIST_ENTRY pSAChain = NULL;
KIRQL kIrql;
tSPI tSpi = 0;
PSA_HASH pHash = NULL;
ntStatus = IPSecFindSA(
bTunnelFilter,
pSA->sa_uliSrcDstAddr,
pSA->sa_uliProtoSrcDstPort,
&pFilter,
&pInboundSA,
NULL
);
if (!NT_SUCCESS(ntStatus)) {
IPSecBufferEvent(
pSA->SA_SRC_ADDR,
EVENT_IPSEC_NEG_FAILURE,
1,
FALSE
);
return (ntStatus);
}
ASSERT(pFilter);
if (pIpsecGetSPI->InstantiatedFilter.Protocol != pFilter->PROTO ||
pIpsecGetSPI->InstantiatedFilter.SrcPort != FI_SRC_PORT(pFilter) ||
pIpsecGetSPI->InstantiatedFilter.DestPort != FI_DEST_PORT(pFilter)) {
ntStatus = STATUS_OBJECT_TYPE_MISMATCH;
return (ntStatus);
}
pSAChain = IPSecResolveSAChain(pFilter, pSA->SA_SRC_ADDR);
InsertHeadList(pSAChain, &pSA->sa_FilterLinkage);
pSA->sa_Flags |= FLAGS_SA_ON_FILTER_LIST;
if (pFilter->Flags & FILTER_FLAGS_PASS_THRU) {
pSA->sa_Flags |= FLAGS_SA_PASSTHRU_FILTER;
}
if (pFilter->TunnelFilter) {
pSA->sa_Flags |= FLAGS_SA_TUNNEL;
pSA->sa_TunnelAddr = pFilter->TunnelAddr;
}
//
// Flush this filter from the cache table so that the SA instead of the
// filter is matched on the next lookup.
//
if (IS_EXEMPT_FILTER(pFilter)) {
IPSecInvalidateFilterCacheEntry(pFilter);
}
AcquireWriteLock(&g_ipsec.SPIListLock, &kIrql);
tSpi = pIpsecGetSPI->SPI;
ntStatus = IPSecAllocateSPI(&tSpi, pSA);
if (!NT_SUCCESS(ntStatus)) {
ReleaseWriteLock(&g_ipsec.SPIListLock, kIrql);
return (ntStatus);
}
pSA->sa_SPI = tSpi;
IPSEC_HASH_SPI(
(pSA->sa_TunnelAddr) ? pSA->sa_TunnelAddr : pSA->SA_DEST_ADDR,
tSpi,
pHash
);
InsertHeadList(&pHash->SAList, &pSA->sa_SPILinkage);
pSA->sa_Flags |= FLAGS_SA_ON_SPI_HASH;
ReleaseWriteLock(&g_ipsec.SPIListLock, kIrql);
return (STATUS_SUCCESS);
}
NTSTATUS
IPSecInitiatorInsertInboundSA(
PSA_TABLE_ENTRY pSA,
BOOLEAN bTunnelFilter
)
{
NTSTATUS ntStatus = STATUS_SUCCESS;
PFILTER pFilter = NULL;
PSA_TABLE_ENTRY pInboundSA = NULL;
PLIST_ENTRY pSAChain = NULL;
KIRQL kIrql;
tSPI tSpi = 0;
PSA_HASH pHash = NULL;
ntStatus = IPSecFindSA(
bTunnelFilter,
pSA->sa_uliSrcDstAddr,
pSA->sa_uliProtoSrcDstPort,
&pFilter,
&pInboundSA,
NULL
);
if (!NT_SUCCESS(ntStatus)) {
IPSecBufferEvent(
pSA->SA_SRC_ADDR,
EVENT_IPSEC_NEG_FAILURE,
1,
FALSE
);
return (ntStatus);
}
if (ntStatus == STATUS_SUCCESS) {
if (pInboundSA->sa_State == STATE_SA_LARVAL) {
ntStatus = STATUS_DUPLICATE_OBJECTID;
return (ntStatus);
}
}
ASSERT(pFilter);
pSAChain = IPSecResolveSAChain(pFilter, pSA->SA_SRC_ADDR);
InsertHeadList(pSAChain, &pSA->sa_FilterLinkage);
pSA->sa_Flags |= FLAGS_SA_ON_FILTER_LIST;
if (pFilter->Flags & FILTER_FLAGS_PASS_THRU) {
pSA->sa_Flags |= FLAGS_SA_PASSTHRU_FILTER;
}
if (pFilter->TunnelFilter) {
pSA->sa_Flags |= FLAGS_SA_TUNNEL;
pSA->sa_TunnelAddr = pFilter->TunnelAddr;
}
//
// Flush this filter from the cache table so that the SA instead of the
// filter is matched on the next lookup.
//
if (IS_EXEMPT_FILTER(pFilter)) {
IPSecInvalidateFilterCacheEntry(pFilter);
}
AcquireWriteLock(&g_ipsec.SPIListLock, &kIrql);
tSpi = 0;
ntStatus = IPSecAllocateSPI(&tSpi, pSA);
if (!NT_SUCCESS(ntStatus)) {
ReleaseWriteLock(&g_ipsec.SPIListLock, kIrql);
return (ntStatus);
}
pSA->sa_SPI = tSpi;
IPSEC_HASH_SPI(
(pSA->sa_TunnelAddr) ? pSA->sa_TunnelAddr : pSA->SA_DEST_ADDR,
tSpi,
pHash
);
InsertHeadList(&pHash->SAList, &pSA->sa_SPILinkage);
pSA->sa_Flags |= FLAGS_SA_ON_SPI_HASH;
ReleaseWriteLock(&g_ipsec.SPIListLock, kIrql);
return (STATUS_SUCCESS);
}