archive
/
windows-xp
mirror of https://github.com/tongzx/nt5src
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
6 Commits
1 Branch
0 Tags
2.0 GiB
Tree: daad8a087a
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'daad8a087a'
${ noResults }
windows-xp/Source/XPSP1/NT/net/tcpip/driver/ipsec/sys/intirspn.c

584 lines
13 KiB
Raw Normal View History

Add source files
4 years ago
  3. #include "precomp.h"
  6. #pragma hdrstop
  9. NTSTATUS
  10. IPSecGetSPI(
  11. PIPSEC_GET_SPI pIpsecGetSPI
  12. )
  13. /*++
  15. Routine Description:
  17. This routine returns the SPI.
  19. Arguments:
  21. pIpsecGetSPI - Pointer to the ipsec get spi structure.
  23. Return Value:
  25. NTSTATUS - The status code from this routine.
  27. --*/
  28. {
  29. NTSTATUS ntStatus = STATUS_SUCCESS;
  30. PIPSEC_ACQUIRE_CONTEXT pIpsecAcquireCtx = NULL;
  33. pIpsecAcquireCtx = (PIPSEC_ACQUIRE_CONTEXT) pIpsecGetSPI->Context;
  35. //
  36. // If context was passed in, then there's a larval SA already setup.
  37. // This is the case for the initiator.
  38. //
  40. if (pIpsecAcquireCtx) {
  41. ntStatus = IPSecInitiatorGetSPI(
  42. pIpsecGetSPI
  43. );
  44. }
  45. else {
  46. ntStatus = IPSecResponderGetSPI(
  47. pIpsecGetSPI
  48. );
  49. }
  51. return (ntStatus);
  52. }
  55. NTSTATUS
  56. IPSecInitiatorGetSPI(
  57. PIPSEC_GET_SPI pIpsecGetSPI
  58. )
  59. {
  60. NTSTATUS ntStatus = STATUS_SUCCESS;
  61. PIPSEC_ACQUIRE_CONTEXT pIpsecAcquireCtx = NULL;
  62. KIRQL kIrql;
  65. pIpsecAcquireCtx = (PIPSEC_ACQUIRE_CONTEXT) pIpsecGetSPI->Context;
  67. //
  68. // Sanity check the incoming context to see if it is actually
  69. // an SA block.
  70. //
  72. ACQUIRE_LOCK(&g_ipsec.LarvalListLock, &kIrql);
  74. if (!NT_SUCCESS(IPSecValidateHandle(pIpsecAcquireCtx, STATE_SA_LARVAL))) {
  75. ntStatus = STATUS_INVALID_PARAMETER;
  76. BAIL_ON_LOCK_NTSTATUS_ERROR(ntStatus);
  77. }
  79. pIpsecGetSPI->SPI = pIpsecAcquireCtx->pSA->sa_SPI;
  81. pIpsecAcquireCtx->pSA->sa_Flags |= FLAGS_SA_INITIATOR;
  83. ntStatus = STATUS_SUCCESS;
  85. lock:
  87. RELEASE_LOCK(&g_ipsec.LarvalListLock, kIrql);
  89. return (ntStatus);
  90. }
  93. NTSTATUS
  94. IPSecResponderGetSPI(
  95. PIPSEC_GET_SPI pIpsecGetSPI
  96. )
  97. {
  98. NTSTATUS ntStatus = STATUS_SUCCESS;
  99. KIRQL kIrql;
  100. PSA_TABLE_ENTRY pInboundSA = NULL;
  101. ULARGE_INTEGER uliSrcDstAddr = {0};
  102. PSA_TABLE_ENTRY pSA = NULL;
  103. PIPSEC_ACQUIRE_CONTEXT pIpsecAcquireCtx = NULL;
  106. AcquireWriteLock(&g_ipsec.SADBLock, &kIrql);
  108. if (pIpsecGetSPI->SPI) {
  110. if (!(pIpsecGetSPI->InstantiatedFilter.TunnelFilter)) {
  111. pInboundSA = IPSecLookupSABySPI(
  112. pIpsecGetSPI->SPI,
  113. pIpsecGetSPI->InstantiatedFilter.DestAddr
  114. );
  115. }
  116. else {
  117. pInboundSA = IPSecLookupSABySPI(
  118. pIpsecGetSPI->SPI,
  119. pIpsecGetSPI->InstantiatedFilter.TunnelAddr
  120. );
  121. }
  123. if (pInboundSA) {
  124. ntStatus = STATUS_UNSUCCESSFUL;
  125. BAIL_ON_LOCK_NTSTATUS_ERROR(ntStatus);
  126. }
  128. }
  130. ntStatus = IPSecResponderCreateLarvalSA(
  131. pIpsecGetSPI,
  132. uliSrcDstAddr,
  133. &pSA
  134. );
  135. BAIL_ON_LOCK_NTSTATUS_ERROR(ntStatus);
  137. //
  138. // Get the acquire Context and associate it with the larval SA.
  139. //
  141. pIpsecAcquireCtx = IPSecGetAcquireContext();
  143. if (!pIpsecAcquireCtx) {
  144. ntStatus = STATUS_INSUFFICIENT_RESOURCES;
  145. BAIL_ON_LOCK_NTSTATUS_ERROR(ntStatus);
  146. }
  148. pIpsecAcquireCtx->AcquireId = (ULONG)(ULONG_PTR) pSA;
  150. IPSecGenerateRandom(
  151. (PUCHAR)&pIpsecAcquireCtx->AcquireId,
  152. sizeof(ULONG)
  153. );
  155. pIpsecAcquireCtx->pSA = pSA;
  156. pSA->sa_AcquireId = pIpsecAcquireCtx->AcquireId;
  158. pIpsecGetSPI->Context = pIpsecAcquireCtx;
  159. pSA->sa_AcquireCtx = pIpsecAcquireCtx;
  161. pIpsecGetSPI->SPI = pSA->sa_SPI;
  163. ntStatus = STATUS_SUCCESS;
  165. lock:
  167. ReleaseWriteLock(&g_ipsec.SADBLock, kIrql);
  169. return (ntStatus);
  170. }
  173. NTSTATUS
  174. IPSecResponderCreateLarvalSA(
  175. PIPSEC_GET_SPI pIpsecGetSPI,
  176. ULARGE_INTEGER uliAddr,
  177. PSA_TABLE_ENTRY * ppSA
  178. )
  179. {
  180. NTSTATUS ntStatus = STATUS_SUCCESS;
  181. PSA_TABLE_ENTRY pSA = NULL;
  182. KIRQL kIrql;
  185. ntStatus = IPSecCreateSA(&pSA);
  186. BAIL_ON_NTSTATUS_ERROR(ntStatus);
  188. pSA->sa_Filter = NULL;
  189. pSA->sa_State = STATE_SA_LARVAL;
  191. IPSEC_BUILD_SRC_DEST_ADDR(
  192. pSA->sa_uliSrcDstAddr,
  193. pIpsecGetSPI->InstantiatedFilter.SrcAddr,
  194. pIpsecGetSPI->InstantiatedFilter.DestAddr
  195. );
  197. IPSEC_BUILD_SRC_DEST_MASK(
  198. pSA->sa_uliSrcDstMask,
  199. pIpsecGetSPI->InstantiatedFilter.SrcMask,
  200. pIpsecGetSPI->InstantiatedFilter.DestMask
  201. );
  203. IPSEC_BUILD_PROTO_PORT_LI(
  204. pSA->sa_uliProtoSrcDstPort,
  205. pIpsecGetSPI->InstantiatedFilter.Protocol,
  206. pIpsecGetSPI->InstantiatedFilter.SrcPort,
  207. pIpsecGetSPI->InstantiatedFilter.DestPort
  208. );
  210. ntStatus = IPSecResponderInsertInboundSA(
  211. pSA,
  212. pIpsecGetSPI,
  213. pIpsecGetSPI->InstantiatedFilter.TunnelFilter
  214. );
  215. BAIL_ON_NTSTATUS_ERROR(ntStatus);
  217. ACQUIRE_LOCK(&g_ipsec.LarvalListLock, &kIrql);
  219. InsertTailList(&g_ipsec.LarvalSAList, &pSA->sa_LarvalLinkage);
  221. IPSEC_INC_STATISTIC(dwNumPendingKeyOps);
  223. RELEASE_LOCK(&g_ipsec.LarvalListLock, kIrql);
  225. ACQUIRE_LOCK(&pSA->sa_Lock, &kIrql);
  227. IPSecStartSATimer(
  228. pSA,
  229. IPSecSAExpired,
  230. pSA->sa_ExpiryTime
  231. );
  233. RELEASE_LOCK(&pSA->sa_Lock, kIrql);
  235. *ppSA = pSA;
  237. return (ntStatus);
  239. error:
  241. if (pSA) {
  242. IPSecFreeSA(pSA);
  243. }
  245. *ppSA = NULL;
  246. return (ntStatus);
  247. }
  250. NTSTATUS
  251. IPSecInitiatorCreateLarvalSA(
  252. PFILTER pFilter,
  253. ULARGE_INTEGER uliAddr,
  254. PSA_TABLE_ENTRY * ppSA,
  255. UCHAR DestType
  256. )
  257. {
  258. NTSTATUS ntStatus = STATUS_SUCCESS;
  259. PSA_TABLE_ENTRY pSA = NULL;
  260. ULARGE_INTEGER uliSrcDstAddr = {0};
  261. ULARGE_INTEGER uliSrcDstMask = {0};
  262. ULARGE_INTEGER uliProtoSrcDstPort = {0};
  263. KIRQL kIrql;
  266. ntStatus = IPSecCreateSA(&pSA);
  267. BAIL_ON_NTSTATUS_ERROR(ntStatus);
  269. pSA->sa_Filter = pFilter;
  270. pSA->sa_State = STATE_SA_LARVAL;
  272. uliSrcDstAddr = uliAddr;
  273. uliSrcDstMask = pFilter->uliSrcDstMask;
  274. uliProtoSrcDstPort = pFilter->uliProtoSrcDstPort;
  276. IPSEC_BUILD_SRC_DEST_ADDR(
  277. pSA->sa_uliSrcDstAddr,
  278. DEST_ADDR,
  279. SRC_ADDR
  280. );
  282. IPSEC_BUILD_SRC_DEST_MASK(
  283. pSA->sa_uliSrcDstMask,
  284. DEST_MASK,
  285. SRC_MASK
  286. );
  288. IPSEC_BUILD_PROTO_PORT_LI(
  289. pSA->sa_uliProtoSrcDstPort,
  290. PROTO,
  291. DEST_PORT,
  292. SRC_PORT
  293. );
  295. pSA->sa_DestType=DestType;
  297. ntStatus = IPSecInitiatorInsertInboundSA(
  298. pSA,
  299. pFilter->TunnelFilter
  300. );
  301. BAIL_ON_NTSTATUS_ERROR(ntStatus);
  303. ACQUIRE_LOCK(&g_ipsec.LarvalListLock, &kIrql);
  305. InsertTailList(&g_ipsec.LarvalSAList, &pSA->sa_LarvalLinkage);
  307. IPSEC_INC_STATISTIC(dwNumPendingKeyOps);
  309. RELEASE_LOCK(&g_ipsec.LarvalListLock, kIrql);
  311. ACQUIRE_LOCK(&pSA->sa_Lock, &kIrql);
  313. IPSecStartSATimer(
  314. pSA,
  315. IPSecSAExpired,
  316. pSA->sa_ExpiryTime
  317. );
  319. RELEASE_LOCK(&pSA->sa_Lock, kIrql);
  321. *ppSA = pSA;
  323. return (ntStatus);
  325. error:
  327. if (pSA) {
  328. IPSecFreeSA(pSA);
  329. }
  331. *ppSA = NULL;
  332. return (ntStatus);
  333. }
  336. NTSTATUS
  337. IPSecFindSA(
  338. BOOLEAN bTunnelFilter,
  339. ULARGE_INTEGER uliSrcDstAddr,
  340. ULARGE_INTEGER uliProtoSrcDstPort,
  341. PFILTER * ppFilter,
  342. PSA_TABLE_ENTRY * ppSA
  343. )
  344. {
  345. NTSTATUS ntStatus = STATUS_SUCCESS;
  348. if (bTunnelFilter) {
  349. ntStatus = IPSecLookupTunnelSA(
  350. uliSrcDstAddr,
  351. uliProtoSrcDstPort,
  352. ppFilter,
  353. ppSA,
  354. FALSE
  355. );
  356. }
  357. else {
  359. #if GPC
  361. if (IS_GPC_ACTIVE()) {
  362. ntStatus = IPSecLookupGpcMaskedSA(
  363. uliSrcDstAddr,
  364. uliProtoSrcDstPort,
  365. ppFilter,
  366. ppSA,
  367. FALSE
  368. );
  369. }
  370. else {
  371. ntStatus = IPSecLookupMaskedSA(
  372. uliSrcDstAddr,
  373. uliProtoSrcDstPort,
  374. ppFilter,
  375. ppSA,
  376. FALSE
  377. );
  378. }
  379. #else
  381. ntStatus = IPSecLookupMaskedSA(
  382. uliSrcDstAddr,
  383. uliProtoSrcDstPort,
  384. ppFilter,
  385. ppSA,
  386. FALSE
  387. );
  389. #endif
  391. }
  393. return (ntStatus);
  394. }
  397. NTSTATUS
  398. IPSecResponderInsertInboundSA(
  399. PSA_TABLE_ENTRY pSA,
  400. PIPSEC_GET_SPI pIpsecGetSPI,
  401. BOOLEAN bTunnelFilter
  402. )
  403. {
  404. NTSTATUS ntStatus = STATUS_SUCCESS;
  405. PFILTER pFilter = NULL;
  406. PSA_TABLE_ENTRY pInboundSA = NULL;
  407. PLIST_ENTRY pSAChain = NULL;
  408. KIRQL kIrql;
  409. tSPI tSpi = 0;
  410. PSA_HASH pHash = NULL;
  413. ntStatus = IPSecFindSA(
  414. bTunnelFilter,
  415. pSA->sa_uliSrcDstAddr,
  416. pSA->sa_uliProtoSrcDstPort,
  417. &pFilter,
  418. &pInboundSA
  419. );
  420. if (!NT_SUCCESS(ntStatus)) {
  421. IPSecBufferEvent(
  422. pSA->SA_SRC_ADDR,
  423. EVENT_IPSEC_NEG_FAILURE,
  424. 1,
  425. FALSE
  426. );
  427. return (ntStatus);
  428. }
  430. ASSERT(pFilter);
  432. if (pIpsecGetSPI->InstantiatedFilter.Protocol != pFilter->PROTO ||
  433. pIpsecGetSPI->InstantiatedFilter.SrcPort != FI_SRC_PORT(pFilter) ||
  434. pIpsecGetSPI->InstantiatedFilter.DestPort != FI_DEST_PORT(pFilter)) {
  435. ntStatus = STATUS_OBJECT_TYPE_MISMATCH;
  436. return (ntStatus);
  437. }
  439. pSAChain = IPSecResolveSAChain(pFilter, pSA->SA_SRC_ADDR);
  441. InsertHeadList(pSAChain, &pSA->sa_FilterLinkage);
  443. pSA->sa_Flags |= FLAGS_SA_ON_FILTER_LIST;
  445. if (pFilter->Flags & FILTER_FLAGS_PASS_THRU) {
  446. pSA->sa_Flags |= FLAGS_SA_PASSTHRU_FILTER;
  447. }
  449. if (pFilter->TunnelFilter) {
  450. pSA->sa_Flags |= FLAGS_SA_TUNNEL;
  451. pSA->sa_TunnelAddr = pFilter->TunnelAddr;
  452. }
  454. //
  455. // Flush this filter from the cache table so that the SA instead of the
  456. // filter is matched on the next lookup.
  457. //
  459. if (IS_EXEMPT_FILTER(pFilter)) {
  460. IPSecInvalidateFilterCacheEntry(pFilter);
  461. }
  463. AcquireWriteLock(&g_ipsec.SPIListLock, &kIrql);
  465. tSpi = pIpsecGetSPI->SPI;
  467. ntStatus = IPSecAllocateSPI(&tSpi, pSA);
  469. if (!NT_SUCCESS(ntStatus)) {
  470. ReleaseWriteLock(&g_ipsec.SPIListLock, kIrql);
  471. return (ntStatus);
  472. }
  474. pSA->sa_SPI = tSpi;
  476. IPSEC_HASH_SPI(
  477. (pSA->sa_TunnelAddr) ? pSA->sa_TunnelAddr : pSA->SA_DEST_ADDR,
  478. tSpi,
  479. pHash
  480. );
  482. InsertHeadList(&pHash->SAList, &pSA->sa_SPILinkage);
  484. pSA->sa_Flags |= FLAGS_SA_ON_SPI_HASH;
  486. ReleaseWriteLock(&g_ipsec.SPIListLock, kIrql);
  488. return (STATUS_SUCCESS);
  489. }
  492. NTSTATUS
  493. IPSecInitiatorInsertInboundSA(
  494. PSA_TABLE_ENTRY pSA,
  495. BOOLEAN bTunnelFilter
  496. )
  497. {
  498. NTSTATUS ntStatus = STATUS_SUCCESS;
  499. PFILTER pFilter = NULL;
  500. PSA_TABLE_ENTRY pInboundSA = NULL;
  501. PLIST_ENTRY pSAChain = NULL;
  502. KIRQL kIrql;
  503. tSPI tSpi = 0;
  504. PSA_HASH pHash = NULL;
  507. ntStatus = IPSecFindSA(
  508. bTunnelFilter,
  509. pSA->sa_uliSrcDstAddr,
  510. pSA->sa_uliProtoSrcDstPort,
  511. &pFilter,
  512. &pInboundSA
  513. );
  514. if (!NT_SUCCESS(ntStatus)) {
  515. IPSecBufferEvent(
  516. pSA->SA_SRC_ADDR,
  517. EVENT_IPSEC_NEG_FAILURE,
  518. 1,
  519. FALSE
  520. );
  521. return (ntStatus);
  522. }
  524. if (ntStatus == STATUS_SUCCESS) {
  525. if (pInboundSA->sa_State == STATE_SA_LARVAL) {
  526. ntStatus = STATUS_DUPLICATE_OBJECTID;
  527. return (ntStatus);
  528. }
  529. }
  531. ASSERT(pFilter);
  533. pSAChain = IPSecResolveSAChain(pFilter, pSA->SA_SRC_ADDR);
  535. InsertHeadList(pSAChain, &pSA->sa_FilterLinkage);
  537. pSA->sa_Flags |= FLAGS_SA_ON_FILTER_LIST;
  539. if (pFilter->Flags & FILTER_FLAGS_PASS_THRU) {
  540. pSA->sa_Flags |= FLAGS_SA_PASSTHRU_FILTER;
  541. }
  543. if (pFilter->TunnelFilter) {
  544. pSA->sa_Flags |= FLAGS_SA_TUNNEL;
  545. pSA->sa_TunnelAddr = pFilter->TunnelAddr;
  546. }
  548. //
  549. // Flush this filter from the cache table so that the SA instead of the
  550. // filter is matched on the next lookup.
  551. //
  553. if (IS_EXEMPT_FILTER(pFilter)) {
  554. IPSecInvalidateFilterCacheEntry(pFilter);
  555. }
  557. AcquireWriteLock(&g_ipsec.SPIListLock, &kIrql);
  559. tSpi = 0;
  561. ntStatus = IPSecAllocateSPI(&tSpi, pSA);
  563. if (!NT_SUCCESS(ntStatus)) {
  564. ReleaseWriteLock(&g_ipsec.SPIListLock, kIrql);
  565. return (ntStatus);
  566. }
  568. pSA->sa_SPI = tSpi;
  570. IPSEC_HASH_SPI(
  571. (pSA->sa_TunnelAddr) ? pSA->sa_TunnelAddr : pSA->SA_DEST_ADDR,
  572. tSpi,
  573. pHash
  574. );
  576. InsertHeadList(&pHash->SAList, &pSA->sa_SPILinkage);
  578. pSA->sa_Flags |= FLAGS_SA_ON_SPI_HASH;
  580. ReleaseWriteLock(&g_ipsec.SPIListLock, kIrql);
  582. return (STATUS_SUCCESS);
  583. }