mirror of https://github.com/tongzx/nt5src
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3389 lines
94 KiB
3389 lines
94 KiB
/*++
|
|
|
|
Copyright (c) 1997-2001 Microsoft Corporation
|
|
|
|
Module Name:
|
|
|
|
ipsec.c
|
|
|
|
Abstract:
|
|
|
|
This module contains the code that handles incoming/outgoing packets.
|
|
|
|
Author:
|
|
|
|
Sanjay Anand (SanjayAn) 2-January-1997
|
|
ChunYe
|
|
|
|
Environment:
|
|
|
|
Kernel mode
|
|
|
|
Revision History:
|
|
|
|
--*/
|
|
|
|
|
|
#include "precomp.h"
|
|
|
|
IPSEC_ACTION
|
|
IPSecHandlePacket(
|
|
IN PUCHAR pIPHeader,
|
|
IN PVOID pData,
|
|
IN PVOID IPContext,
|
|
IN PNDIS_PACKET Packet,
|
|
IN OUT PULONG pExtraBytes,
|
|
IN OUT PULONG pMTU,
|
|
OUT PVOID *pNewData,
|
|
IN OUT PULONG pIpsecFlags,
|
|
IN UCHAR DestType
|
|
)
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
Called by the Filter Driver to submit a packet for IPSEC processing.
|
|
|
|
Arguments:
|
|
|
|
pIPHeader - points to start of IP header.
|
|
|
|
pData - points to the data after the IP header. On the send side, this is an MDL chain
|
|
On the recv side this is an IPRcvBuf pointer.
|
|
|
|
IPContext - contains the destination interface.
|
|
|
|
pExtraBytes - IPSEC header expansion value; on coming in, it contains the amount of ipsec
|
|
header space that can fit into the MTU. so, if MTU is 1400, say, and the
|
|
datasize + option size is 1390, this contains 10, meaning that upto
|
|
10 bytes of IPSEC expansion is allowed. This lets IPSEC know when a packet
|
|
would be fragmented, so it can do the right thing on send complete.
|
|
|
|
pMTU - passes in the link MTU on send path.
|
|
|
|
pNewData - if packet modified, this points to the new data.
|
|
|
|
IpsecFlags - flags for SrcRoute, Incoming, Forward and Lookback.
|
|
|
|
Return Value:
|
|
|
|
eFORWARD
|
|
eDROP
|
|
eABSORB
|
|
|
|
--*/
|
|
{
|
|
IPSEC_ACTION eAction;
|
|
IPSEC_DROP_STATUS DropStatus;
|
|
PIPSEC_DROP_STATUS pDropStatus=NULL;
|
|
|
|
IPSEC_DEBUG(PARSE, ("Entering IPSecHandlePacket\n"));
|
|
|
|
#if DBG
|
|
{
|
|
IPHeader UNALIGNED *pIPH;
|
|
|
|
pIPH = (IPHeader UNALIGNED *)pIPHeader;
|
|
if ((DebugSrc || DebugDst || DebugPro) &&
|
|
(!DebugSrc || pIPH->iph_src == DebugSrc) &&
|
|
(!DebugDst || pIPH->iph_dest == DebugDst) &&
|
|
(!DebugPro || pIPH->iph_protocol == DebugPro)) {
|
|
DbgPrint("Packet from %lx to %lx with protocol %lx length %lx id %lx\n",
|
|
pIPH->iph_src,
|
|
pIPH->iph_dest,
|
|
pIPH->iph_protocol,
|
|
NET_SHORT(pIPH->iph_length),
|
|
NET_SHORT(pIPH->iph_id));
|
|
if (DebugPkt) {
|
|
DbgBreakPoint();
|
|
}
|
|
}
|
|
}
|
|
#endif
|
|
|
|
//
|
|
// Drop all packets if PA sets us so or if the driver is inactive.
|
|
//
|
|
if (IS_DRIVER_BLOCK() || IPSEC_DRIVER_IS_INACTIVE()) {
|
|
eAction=eDROP;
|
|
goto out;
|
|
}
|
|
|
|
//
|
|
// Bypass all packets if PA sets us so or no filters are plumbed or the
|
|
// packet is broadcast. If multicast filter present, process all multicast
|
|
// Once we support any-any tunnels, this check will need to be smarter
|
|
//
|
|
if (IS_DRIVER_BYPASS() || IPSEC_DRIVER_IS_EMPTY() ||
|
|
(IS_BCAST_DEST(DestType) && !IPSEC_MANDBCAST_PROCESS())) {
|
|
|
|
*pExtraBytes = 0;
|
|
*pMTU = 0;
|
|
eAction= eFORWARD;
|
|
goto out;
|
|
}
|
|
|
|
ASSERT(IS_DRIVER_SECURE());
|
|
ASSERT(IPContext);
|
|
|
|
IPSEC_INCREMENT(g_ipsec.NumThreads);
|
|
|
|
if (IS_DRIVER_DIAGNOSTIC()) {
|
|
pDropStatus=&DropStatus;
|
|
RtlZeroMemory(pDropStatus,sizeof(IPSEC_DROP_STATUS));
|
|
}
|
|
|
|
if (*pIpsecFlags & IPSEC_FLAG_INCOMING) {
|
|
eAction = IPSecRecvPacket( &pIPHeader,
|
|
pData,
|
|
IPContext,
|
|
Packet,
|
|
pExtraBytes,
|
|
pIpsecFlags,
|
|
pDropStatus,
|
|
DestType);
|
|
} else {
|
|
eAction = IPSecSendPacket( pIPHeader,
|
|
pData,
|
|
IPContext,
|
|
Packet,
|
|
pExtraBytes,
|
|
pMTU,
|
|
pNewData,
|
|
pIpsecFlags,
|
|
pDropStatus,
|
|
DestType);
|
|
}
|
|
|
|
IPSEC_DECREMENT(g_ipsec.NumThreads);
|
|
|
|
out:
|
|
if (eAction == eDROP) {
|
|
if (IS_DRIVER_DIAGNOSTIC() &&
|
|
(!pDropStatus || (pDropStatus && !(pDropStatus->Flags & IPSEC_DROP_STATUS_DONT_LOG)))) {
|
|
IPSecBufferPacketDrop(
|
|
pIPHeader,
|
|
pData,
|
|
pIpsecFlags,
|
|
pDropStatus);
|
|
}
|
|
}
|
|
return eAction;
|
|
}
|
|
|
|
|
|
IPSEC_ACTION
|
|
IPSecSendPacket(
|
|
IN PUCHAR pIPHeader,
|
|
IN PVOID pData,
|
|
IN PVOID IPContext,
|
|
IN PNDIS_PACKET Packet,
|
|
IN OUT PULONG pExtraBytes,
|
|
IN OUT PULONG pMTU,
|
|
OUT PVOID *pNewData,
|
|
IN OUT PULONG pIpsecFlags,
|
|
OUT PIPSEC_DROP_STATUS pDropStatus,
|
|
IN UCHAR DestType
|
|
)
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
Called by the Filter Driver to submit a packet for IPSEC processing.
|
|
|
|
Arguments:
|
|
|
|
pIPHeader - points to start of IP header.
|
|
|
|
pData - points to the data after the IP header, an MDL chain.
|
|
|
|
IPContext - contains the destination interface.
|
|
|
|
pExtraBytes - IPSEC header expansion value.
|
|
|
|
pMTU - passes in the link MTU on send path.
|
|
|
|
pNewData - if packet modified, this points to the new data.
|
|
|
|
IpsecFlags - flags for SrcRoute, Incoming, Forward and Lookback.
|
|
|
|
Return Value:
|
|
|
|
eFORWARD
|
|
eDROP
|
|
eABSORB
|
|
|
|
--*/
|
|
{
|
|
NTSTATUS status = STATUS_SUCCESS;
|
|
IPSEC_ACTION eRetAction = eFORWARD;
|
|
PSA_TABLE_ENTRY pSA = NULL;
|
|
PSA_TABLE_ENTRY pSaveSA = NULL;
|
|
PSA_TABLE_ENTRY pNextSA = NULL;
|
|
USHORT FilterFlags = 0;
|
|
BOOLEAN fLifetime = FALSE;
|
|
ULONG ipsecHdrSpace = *pExtraBytes;
|
|
ULONG ipsecOverhead = 0;
|
|
ULONG ipsecMTU = *pMTU;
|
|
ULONG newMTU = MAX_LONG;
|
|
ULONG dataLength = 0;
|
|
IPHeader UNALIGNED *pIPH = (IPHeader UNALIGNED *)pIPHeader;
|
|
Interface *DestIF = (Interface *)IPContext;
|
|
PNDIS_PACKET_EXTENSION PktExt = NULL;
|
|
PNDIS_IPSEC_PACKET_INFO IPSecPktInfo = NULL;
|
|
BOOLEAN fCryptoOnly = FALSE;
|
|
BOOLEAN fFWPacket = FALSE;
|
|
BOOLEAN fSrcRoute = FALSE;
|
|
BOOLEAN fLoopback = FALSE;
|
|
PVOID *ppSCContext;
|
|
KIRQL kIrql;
|
|
LONG Index;
|
|
PNDIS_BUFFER pTemp;
|
|
ULONG Length;
|
|
PUCHAR pBuffer;
|
|
|
|
IPSEC_DEBUG(PARSE, ("Entering IPSecSendPacket\n"));
|
|
|
|
if (*pIpsecFlags & IPSEC_FLAG_FORWARD) {
|
|
fFWPacket = TRUE;
|
|
}
|
|
if (*pIpsecFlags & IPSEC_FLAG_SSRR) {
|
|
fSrcRoute = TRUE;
|
|
}
|
|
if (*pIpsecFlags & IPSEC_FLAG_LOOPBACK) {
|
|
fLoopback = TRUE;
|
|
}
|
|
|
|
*pExtraBytes = 0;
|
|
*pMTU = 0;
|
|
|
|
if (fLoopback) {
|
|
IPSEC_DEBUG(PARSE, ("IPSecSendPacket: Packet on loopback interface - returning\n"));
|
|
status = STATUS_SUCCESS;
|
|
goto out;
|
|
}
|
|
|
|
//
|
|
// Walk through the MDL chain to make sure we have memory locked.
|
|
//
|
|
pTemp = (PNDIS_BUFFER)pData;
|
|
|
|
while (pTemp) {
|
|
pBuffer = NULL;
|
|
Length = 0;
|
|
|
|
NdisQueryBufferSafe(pTemp,
|
|
&pBuffer,
|
|
&Length,
|
|
NormalPagePriority);
|
|
|
|
if (!pBuffer) {
|
|
//
|
|
// QueryBuffer failed, drop the packet.
|
|
//
|
|
status = STATUS_UNSUCCESSFUL;
|
|
goto out;
|
|
}
|
|
|
|
dataLength += Length;
|
|
|
|
pTemp = NDIS_BUFFER_LINKAGE(pTemp);
|
|
}
|
|
|
|
dataLength -= sizeof(IPHeader);
|
|
|
|
//
|
|
// Set send complete context in the NDIS packet.
|
|
//
|
|
if (Packet) {
|
|
PacketContext *pContext;
|
|
|
|
pContext = (PacketContext *)Packet->ProtocolReserved;
|
|
ppSCContext = &pContext->pc_common.pc_IpsecCtx;
|
|
} else {
|
|
ASSERT(FALSE);
|
|
status = STATUS_UNSUCCESSFUL;
|
|
goto out;
|
|
}
|
|
|
|
status = IPSecClassifyPacket( pIPHeader,
|
|
pData,
|
|
&pSA,
|
|
&pNextSA,
|
|
&FilterFlags,
|
|
#if GPC
|
|
PtrToUlong(NDIS_PER_PACKET_INFO_FROM_PACKET(Packet, ClassificationHandlePacketInfo)),
|
|
#endif
|
|
|
|
TRUE, // fOutbound
|
|
fFWPacket,
|
|
TRUE, // do bypass check
|
|
DestType);
|
|
|
|
if (status == STATUS_PENDING) {
|
|
//
|
|
// Negotiation kicked off; drop the packet silently.
|
|
//
|
|
return eABSORB;
|
|
} else if (status != STATUS_SUCCESS) {
|
|
status = STATUS_SUCCESS;
|
|
goto out;
|
|
}
|
|
|
|
if (FilterFlags) {
|
|
ASSERT(pSA == NULL);
|
|
|
|
//
|
|
// This is either a drop or pass thru filter.
|
|
//
|
|
if (FilterFlags & FILTER_FLAGS_DROP) {
|
|
IPSEC_DEBUG(PARSE, ("Drop filter\n"));
|
|
status = STATUS_UNSUCCESSFUL;
|
|
} else if (FilterFlags & FILTER_FLAGS_PASS_THRU) {
|
|
IPSEC_DEBUG(PARSE, ("Pass thru' filter\n"));
|
|
status = STATUS_SUCCESS;
|
|
} else {
|
|
ASSERT(FALSE);
|
|
}
|
|
|
|
goto out;
|
|
}
|
|
|
|
//
|
|
// Consider only outbound SAs
|
|
//
|
|
ASSERT(pSA);
|
|
ASSERT(pSA->sa_Flags & FLAGS_SA_OUTBOUND);
|
|
|
|
//
|
|
// We don't support Source Route with IPSec Tunneling.
|
|
//
|
|
if (fSrcRoute && (pSA->sa_Flags & FLAGS_SA_TUNNEL)) {
|
|
IPSEC_DEBUG(TUNNEL, ("No tunneling source route: pSA: %lx\n", pSA));
|
|
IPSecDerefSANextSA(pSA, pNextSA);
|
|
status = STATUS_UNSUCCESSFUL;
|
|
goto out;
|
|
}
|
|
|
|
//
|
|
// Set the last used time.
|
|
//
|
|
NdisGetCurrentSystemTime(&pSA->sa_LastUsedTime);
|
|
|
|
|
|
if (!(pSA->sa_Flags & FLAGS_SA_DISABLE_LIFETIME_CHECK)) {
|
|
//
|
|
// check if we might expire soon - start rekey operation now.
|
|
//
|
|
IPSEC_CHECK_PADDED_LIFETIME(pSA, fLifetime, pSA->sa_NumOps - 1);
|
|
|
|
if (fLifetime == FALSE) {
|
|
IPSecRekeyOutboundSA(pSA);
|
|
}
|
|
|
|
//
|
|
// check the real lifetime - if we have expired, ensure that the
|
|
// re-key was submitted and then cancel the current SAs.
|
|
//
|
|
IPSEC_CHECK_LIFETIME(pSA, fLifetime, pSA->sa_NumOps - 1);
|
|
|
|
//
|
|
// this time it really expired - we are in trouble since this shd have gone away
|
|
// earlier.
|
|
//
|
|
if (fLifetime == FALSE) {
|
|
IPSecPuntOutboundSA(pSA);
|
|
IPSecDerefSANextSA(pSA, pNextSA);
|
|
status = STATUS_UNSUCCESSFUL;
|
|
goto out;
|
|
}
|
|
|
|
}
|
|
|
|
//
|
|
// Compute the total IPSec overhead.
|
|
//
|
|
ipsecOverhead = pSA->sa_IPSecOverhead;
|
|
if (pNextSA) {
|
|
ipsecOverhead += pNextSA->sa_IPSecOverhead;
|
|
}
|
|
|
|
//
|
|
// Check if total data length exceeds 65535.
|
|
//
|
|
if ((dataLength + ipsecOverhead) > (MAX_IP_DATA_LENGTH - sizeof(IPHeader))) {
|
|
IPSecDerefSANextSA(pSA, pNextSA);
|
|
status = STATUS_UNSUCCESSFUL;
|
|
goto out;
|
|
}
|
|
|
|
//
|
|
// If no enough header space, return right away if DF bit is set. We also
|
|
// have to adjust for PMTU recorded in the SAs.
|
|
//
|
|
if (pIPH->iph_offset & IP_DF_FLAG) {
|
|
//
|
|
// First get MTU recorded from IPSecStatus.
|
|
//
|
|
if (pNextSA) {
|
|
newMTU = MIN(IPSEC_GET_VALUE(pSA->sa_NewMTU),
|
|
IPSEC_GET_VALUE(pNextSA->sa_NewMTU));
|
|
} else {
|
|
newMTU = IPSEC_GET_VALUE(pSA->sa_NewMTU);
|
|
}
|
|
|
|
//
|
|
// Use the smaller of link MTU and new MTU from SA.
|
|
//
|
|
newMTU = MIN(newMTU, ipsecMTU);
|
|
|
|
//
|
|
// See if we have enough header space; if not pass back the new smaller
|
|
// MTU minus IPSec overhead to the upper stack.
|
|
//
|
|
if (newMTU < (ipsecOverhead + dataLength)) {
|
|
*pMTU = newMTU - ipsecOverhead;
|
|
|
|
IPSecDerefSANextSA(pSA, pNextSA);
|
|
|
|
IPSEC_DEBUG(PMTU, ("OldMTU %lx, HdrSpace: %lx, NewMTU: %lx\n", ipsecMTU, ipsecHdrSpace, *pMTU));
|
|
status = STATUS_UNSUCCESSFUL;
|
|
goto out;
|
|
}
|
|
}
|
|
|
|
//
|
|
// See if hardware offload can be arranged here. If successful, we pass the
|
|
// flag to the create routines so they create only the framing, leaving the
|
|
// core crypto to the hardware.
|
|
//
|
|
if (g_ipsec.EnableOffload && ipsecOverhead <= ipsecHdrSpace) {
|
|
IPSecSendOffload( pIPH,
|
|
Packet,
|
|
DestIF,
|
|
pSA,
|
|
pNextSA,
|
|
ppSCContext,
|
|
&fCryptoOnly);
|
|
}
|
|
|
|
//
|
|
// Make sure IPSecPktInfo is NULL if there is no offload for this
|
|
// packet. This could be set in reinject path which is then
|
|
// forwarded.
|
|
//
|
|
if (!fCryptoOnly) {
|
|
ASSERT(Packet != NULL);
|
|
|
|
PktExt = NDIS_PACKET_EXTENSION_FROM_PACKET(Packet);
|
|
PktExt->NdisPacketInfo[IpSecPacketInfo] = NULL;
|
|
}
|
|
|
|
if (fCryptoOnly) {
|
|
ADD_TO_LARGE_INTEGER(
|
|
&g_ipsec.Statistics.uOffloadedBytesSent,
|
|
NET_SHORT(pIPH->iph_length));
|
|
if (pDropStatus) {
|
|
pDropStatus->Flags |= IPSEC_DROP_STATUS_CRYPTO_DONE;
|
|
}
|
|
|
|
}
|
|
|
|
do {
|
|
ADD_TO_LARGE_INTEGER(
|
|
&pSA->sa_Stats.TotalBytesSent,
|
|
NET_SHORT(pIPH->iph_length));
|
|
|
|
if (pSA->sa_Flags & FLAGS_SA_TUNNEL) {
|
|
ADD_TO_LARGE_INTEGER(
|
|
&g_ipsec.Statistics.uBytesSentInTunnels,
|
|
NET_SHORT(pIPH->iph_length));
|
|
} else {
|
|
ADD_TO_LARGE_INTEGER(
|
|
&g_ipsec.Statistics.uTransportBytesSent,
|
|
NET_SHORT(pIPH->iph_length));
|
|
}
|
|
|
|
if (fCryptoOnly) {
|
|
ADD_TO_LARGE_INTEGER(
|
|
&pSA->sa_Stats.OffloadedBytesSent,
|
|
NET_SHORT(pIPH->iph_length));
|
|
}
|
|
|
|
//
|
|
// Multiple ops here - iterate thru the headers. Inner first.
|
|
//
|
|
for (Index = 0; Index < pSA->sa_NumOps; Index++) {
|
|
switch (pSA->sa_Operation[Index]) {
|
|
case Auth:
|
|
status = IPSecCreateAH( pIPHeader,
|
|
pData,
|
|
pSA,
|
|
Index,
|
|
pNewData,
|
|
ppSCContext,
|
|
pExtraBytes,
|
|
ipsecHdrSpace,
|
|
fSrcRoute,
|
|
fCryptoOnly);
|
|
|
|
if (!NT_SUCCESS(status)) {
|
|
IPSEC_DEBUG(PARSE, ("AH failed: pSA: %lx, status: %lx\n",
|
|
pSA,
|
|
status));
|
|
IPSecDerefSANextSA(pSA, pNextSA);
|
|
goto out;
|
|
}
|
|
|
|
//
|
|
// Save the new MDL for future operation; also query the new header (if it changed)
|
|
//
|
|
if (*pNewData) {
|
|
pData = *pNewData;
|
|
IPSecQueryNdisBuf((PNDIS_BUFFER)pData, &pIPHeader, &Length);
|
|
}
|
|
|
|
break;
|
|
|
|
case Encrypt:
|
|
status = IPSecCreateHughes( pIPHeader,
|
|
pData,
|
|
pSA,
|
|
Index,
|
|
pNewData,
|
|
ppSCContext,
|
|
pExtraBytes,
|
|
ipsecHdrSpace,
|
|
Packet,
|
|
fCryptoOnly);
|
|
|
|
if (!NT_SUCCESS(status)) {
|
|
IPSEC_DEBUG(PARSE, ("HUGHES failed: pSA: %lx, status: %lx\n",
|
|
pSA,
|
|
status));
|
|
IPSecDerefSANextSA(pSA, pNextSA);
|
|
goto out;
|
|
}
|
|
|
|
//
|
|
// Save the new MDL for future operation; also query the new header (if it changed)
|
|
//
|
|
if (*pNewData) {
|
|
pData = *pNewData;
|
|
IPSecQueryNdisBuf((PNDIS_BUFFER)pData, &pIPHeader, &Length);
|
|
}
|
|
|
|
break;
|
|
|
|
case None:
|
|
status = STATUS_SUCCESS;
|
|
break;
|
|
|
|
default:
|
|
IPSEC_DEBUG(PARSE, ("No valid operation: %lx\n", pSA->sa_Operation));
|
|
break;
|
|
}
|
|
}
|
|
|
|
pSaveSA = pSA;
|
|
pSA = pNextSA;
|
|
if (!pSA) {
|
|
IPSecDerefSA(pSaveSA);
|
|
break;
|
|
}
|
|
|
|
pNextSA = NULL;
|
|
IPSecDerefSA(pSaveSA);
|
|
} while (TRUE);
|
|
|
|
//
|
|
// Remember if we are going to fragment.
|
|
//
|
|
if (ipsecHdrSpace < *pExtraBytes) {
|
|
IPSEC_DEBUG(PARSE, ("ipsecHdrSpace: FRAG\n"));
|
|
((IPSEC_SEND_COMPLETE_CONTEXT *)*ppSCContext)->Flags |= SCF_FRAG;
|
|
}
|
|
|
|
out:
|
|
if (!NT_SUCCESS(status)) {
|
|
IPSEC_DEBUG(PARSE, ("IPSecSendPacket failed: %lx\n", status));
|
|
eRetAction = eDROP;
|
|
}
|
|
|
|
if (pDropStatus) {
|
|
pDropStatus->IPSecStatus=status;
|
|
}
|
|
IPSEC_DEBUG(PARSE, ("Exiting IPSecSendPacket; action %lx\n", eRetAction));
|
|
|
|
return eRetAction;
|
|
}
|
|
|
|
|
|
IPSEC_ACTION
|
|
IPSecRecvPacket(
|
|
IN PUCHAR *pIPHeader,
|
|
IN PVOID pData,
|
|
IN PVOID IPContext,
|
|
IN PNDIS_PACKET Packet,
|
|
IN OUT PULONG pExtraBytes,
|
|
IN OUT PULONG pIpsecFlags,
|
|
OUT PIPSEC_DROP_STATUS pDropStatus,
|
|
IN UCHAR DestType
|
|
)
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This is the IPSecRecvHandler.
|
|
|
|
Arguments:
|
|
|
|
pIPHeader - points to start of IP header.
|
|
|
|
pData - points to the data after the IP header, an IPRcvBuf pointer.
|
|
|
|
IPContext - contains the destination interface.
|
|
|
|
pExtraBytes - IPSEC header expansion value.
|
|
|
|
IpsecFlags - flags for SrcRoute, Incoming, Forward and Lookback.
|
|
|
|
Return Value:
|
|
|
|
eFORWARD
|
|
eDROP
|
|
|
|
--*/
|
|
{
|
|
NTSTATUS status = STATUS_SUCCESS;
|
|
IPSEC_ACTION eRetAction = eFORWARD;
|
|
PSA_TABLE_ENTRY pSA = NULL;
|
|
PSA_TABLE_ENTRY pSaveSA = NULL;
|
|
PSA_TABLE_ENTRY pNextSA = NULL;
|
|
USHORT FilterFlags = 0;
|
|
BOOLEAN fLifetime = FALSE;
|
|
IPHeader UNALIGNED *pIPH = (IPHeader UNALIGNED *)*pIPHeader;
|
|
Interface *DestIF = (Interface *)IPContext;
|
|
PNDIS_PACKET OrigPacket = NULL;
|
|
PNDIS_PACKET_EXTENSION PktExt = NULL;
|
|
PNDIS_IPSEC_PACKET_INFO IPSecPktInfo = NULL;
|
|
BOOLEAN fCryptoOnly = FALSE;
|
|
BOOLEAN fFWPacket = FALSE;
|
|
BOOLEAN fSrcRoute = FALSE;
|
|
BOOLEAN fLoopback = FALSE;
|
|
BOOLEAN fFastRcv = FALSE;
|
|
tSPI SPI;
|
|
KIRQL kIrql;
|
|
LONG Index;
|
|
|
|
IPSEC_DEBUG(PARSE, ("Entering IPSecRecvPacket\n"));
|
|
|
|
if (*pIpsecFlags & IPSEC_FLAG_FORWARD) {
|
|
fFWPacket = TRUE;
|
|
}
|
|
if (*pIpsecFlags & IPSEC_FLAG_SSRR) {
|
|
fSrcRoute = TRUE;
|
|
}
|
|
if (*pIpsecFlags & IPSEC_FLAG_LOOPBACK) {
|
|
fLoopback = TRUE;
|
|
}
|
|
if (*pIpsecFlags & IPSEC_FLAG_FASTRCV) {
|
|
fFastRcv = TRUE;
|
|
}
|
|
|
|
*pExtraBytes = 0;
|
|
|
|
if (Packet) {
|
|
OrigPacket = (PNDIS_PACKET)NDIS_GET_ORIGINAL_PACKET(Packet);
|
|
if (OrigPacket) {
|
|
PktExt = NDIS_PACKET_EXTENSION_FROM_PACKET(OrigPacket);
|
|
} else {
|
|
PktExt = NDIS_PACKET_EXTENSION_FROM_PACKET(Packet);
|
|
}
|
|
IPSecPktInfo = PktExt->NdisPacketInfo[IpSecPacketInfo];
|
|
}
|
|
|
|
#if DBG
|
|
if (DebugOff) {
|
|
if (pIPH->iph_protocol == PROTOCOL_AH ||
|
|
pIPH->iph_protocol == PROTOCOL_ESP) {
|
|
DbgPrint("Packet %lx, OrigPacket %lx, CRYPTO %d, CryptoStatus %d\n",
|
|
Packet,
|
|
OrigPacket,
|
|
IPSecPktInfo? IPSecPktInfo->Receive.CRYPTO_DONE: 0,
|
|
IPSecPktInfo? IPSecPktInfo->Receive.CryptoStatus: 0);
|
|
if (DebugPkt) {
|
|
DbgBreakPoint();
|
|
}
|
|
}
|
|
}
|
|
#endif
|
|
|
|
//
|
|
// If the packet is IPSec protected, set the appropriate flags for firewall/NAT.
|
|
//
|
|
|
|
if (pIPH->iph_protocol == PROTOCOL_AH ||
|
|
pIPH->iph_protocol == PROTOCOL_ESP) {
|
|
*pIpsecFlags |= IPSEC_FLAG_TRANSFORMED;
|
|
}
|
|
|
|
if (IPSecPktInfo && pDropStatus) {
|
|
if (IPSecPktInfo->Receive.CRYPTO_DONE) {
|
|
pDropStatus->Flags |= IPSEC_DROP_STATUS_CRYPTO_DONE;
|
|
}
|
|
if (IPSecPktInfo->Receive.NEXT_CRYPTO_DONE) {
|
|
pDropStatus->Flags |= IPSEC_DROP_STATUS_NEXT_CRYPTO_DONE;
|
|
}
|
|
if (IPSecPktInfo->Receive.SA_DELETE_REQ) {
|
|
pDropStatus->Flags |= IPSEC_DROP_STATUS_SA_DELETE_REQ;
|
|
}
|
|
pDropStatus->OffloadStatus=IPSecPktInfo->Receive.CryptoStatus;
|
|
}
|
|
|
|
if (IPSecPktInfo &&
|
|
IPSecPktInfo->Receive.CRYPTO_DONE &&
|
|
IPSecPktInfo->Receive.CryptoStatus != CRYPTO_SUCCESS) {
|
|
//
|
|
// Error reported by offload card. Discard the packet and apply
|
|
// the necessary acountings.
|
|
//
|
|
IPSecBufferOffloadEvent(pIPH, IPSecPktInfo);
|
|
|
|
status = STATUS_UNSUCCESSFUL;
|
|
goto out;
|
|
}
|
|
|
|
//
|
|
// Walk the packet to determine the SPI
|
|
//
|
|
status = IPSecParsePacket( *pIPHeader,
|
|
pData,
|
|
&SPI);
|
|
|
|
if (!NT_SUCCESS(status)) {
|
|
IPSEC_DEBUG(PARSE, ("IPSecParsePkt no IPSEC headers: %lx\n", status));
|
|
|
|
if (fLoopback) {
|
|
IPSEC_DEBUG(PARSE, ("loopback was on, not doing inbound policy check\n"));
|
|
status = STATUS_SUCCESS;
|
|
goto out;
|
|
}
|
|
|
|
status = IPSecClassifyPacket( *pIPHeader,
|
|
pData,
|
|
&pSA,
|
|
&pNextSA,
|
|
&FilterFlags,
|
|
#if GPC
|
|
0,
|
|
#endif
|
|
FALSE, // fOutbound
|
|
fFWPacket,
|
|
TRUE, // do bypass check
|
|
DestType);
|
|
|
|
|
|
if (status != STATUS_SUCCESS) {
|
|
ASSERT(pSA == NULL);
|
|
|
|
//
|
|
// If we didnt find an SA, but found a filter, bad, drop.
|
|
//
|
|
if (status == STATUS_PENDING) {
|
|
if (FilterFlags & FILTER_FLAGS_PASS_THRU) {
|
|
// Allow this clear text traffic in
|
|
status = STATUS_SUCCESS;
|
|
} else {
|
|
IPSEC_DEBUG(PARSE, ("IPSecParsePkt cleartext when filter exists: %lx\n", status));
|
|
status = IPSEC_NEGOTIATION_PENDING;
|
|
}
|
|
} else {
|
|
status = STATUS_SUCCESS;
|
|
}
|
|
|
|
goto out;
|
|
} else {
|
|
if (FilterFlags) {
|
|
ASSERT(pSA == NULL);
|
|
|
|
//
|
|
// This is either a drop or pass thru filter.
|
|
//
|
|
if (FilterFlags & FILTER_FLAGS_DROP) {
|
|
IPSEC_DEBUG(PARSE, ("Drop filter\n"));
|
|
status = IPSEC_BLOCK;
|
|
} else if (FilterFlags & FILTER_FLAGS_PASS_THRU) {
|
|
IPSEC_DEBUG(PARSE, ("Pass thru' filter\n"));
|
|
status = STATUS_SUCCESS;
|
|
} else {
|
|
ASSERT(FALSE);
|
|
}
|
|
|
|
goto out;
|
|
}
|
|
|
|
ASSERT(pSA);
|
|
|
|
//
|
|
// Set the last used time.
|
|
//
|
|
NdisGetCurrentSystemTime(&pSA->sa_LastUsedTime);
|
|
|
|
//
|
|
// We found an SA; we are OK if the SA is set to None
|
|
// or if it is a tunnel SA; we are here because
|
|
// IPSecClassifyPacket finds and SA and returns SUCCESS.
|
|
//
|
|
if (pSA->sa_Operation[0] != None &&
|
|
!(pSA->sa_Flags & FLAGS_SA_TUNNEL) &&
|
|
!(pSA->sa_Flags & FLAGS_SA_PASSTHRU_FILTER)) {
|
|
|
|
if (g_ipsec.DiagnosticMode & IPSEC_DIAGNOSTIC_INBOUND) {
|
|
IPSecBufferEvent( pIPH->iph_src,
|
|
EVENT_IPSEC_UNEXPECTED_CLEARTEXT,
|
|
2,
|
|
TRUE);
|
|
}
|
|
|
|
#if DBG
|
|
if (IPSecDebug & IPSEC_DEBUG_CLEARTEXT) {
|
|
PUCHAR pTpt;
|
|
ULONG tptLen;
|
|
UNALIGNED WORD *pwPort;
|
|
|
|
IPSecQueryRcvBuf(pData, &pTpt, &tptLen);
|
|
pwPort = (UNALIGNED WORD *)(pTpt);
|
|
DbgPrint("Unexpected clear text: src %lx, dest %lx, protocol %lx, sport %lx, dport %lx\n", pIPH->iph_src, pIPH->iph_dest, pIPH->iph_protocol, pwPort[0], pwPort[1]);
|
|
}
|
|
#endif
|
|
|
|
IPSEC_DEBUG(PARSE, ("Real SA present\n"));
|
|
status = IPSEC_INVALID_CLEARTEXT;
|
|
}
|
|
|
|
IPSecDerefSA(pSA);
|
|
}
|
|
} else {
|
|
IPHeader UNALIGNED *pIPH = (UNALIGNED IPHeader *)*pIPHeader;
|
|
|
|
IPSEC_SPI_TO_ENTRY(SPI, &pSA, pIPH->iph_dest);
|
|
|
|
//
|
|
// Report Bad SPI event only if there is no matching SA.
|
|
//
|
|
if (!pSA) {
|
|
IPSEC_INC_STATISTIC(dwNumBadSPIPackets);
|
|
|
|
IPSecBufferEvent( pIPH->iph_src,
|
|
EVENT_IPSEC_BAD_SPI_RECEIVED,
|
|
1,
|
|
TRUE);
|
|
|
|
IPSEC_DEBUG(PARSE, ("Bad spi: %lx\n", SPI));
|
|
|
|
status = IPSEC_BAD_SPI;
|
|
goto out;
|
|
}
|
|
|
|
//
|
|
// If larval SA exits, silently discard the packet.
|
|
//
|
|
if (pSA->sa_State != STATE_SA_ACTIVE) {
|
|
IPSecDerefSA(pSA);
|
|
status = STATUS_INVALID_PARAMETER;
|
|
goto out;
|
|
}
|
|
|
|
//
|
|
// Set the last used time.
|
|
//
|
|
NdisGetCurrentSystemTime(&pSA->sa_LastUsedTime);
|
|
|
|
if (!(pSA->sa_Flags & FLAGS_SA_DISABLE_LIFETIME_CHECK)) {
|
|
|
|
//
|
|
// Check if we might expire soon - start rekey operation now.
|
|
//
|
|
IPSEC_CHECK_PADDED_LIFETIME(pSA, fLifetime, 0);
|
|
|
|
if (fLifetime == FALSE) {
|
|
IPSecRekeyInboundSA(pSA);
|
|
}
|
|
|
|
//
|
|
// Check the real lifetime - if we have expired, ensure that the
|
|
// rekey was submitted and then cancel the current SAs.
|
|
//
|
|
IPSEC_CHECK_LIFETIME(pSA, fLifetime, 0);
|
|
|
|
if (fLifetime == FALSE) {
|
|
IPSecPuntInboundSA(pSA);
|
|
IPSecDerefSA(pSA);
|
|
status = STATUS_UNSUCCESSFUL;
|
|
goto out;
|
|
}
|
|
}
|
|
|
|
if (pSA->sa_Flags & FLAGS_SA_TUNNEL) {
|
|
ADD_TO_LARGE_INTEGER(
|
|
&g_ipsec.Statistics.uBytesReceivedInTunnels,
|
|
NET_SHORT(pIPH->iph_length));
|
|
} else {
|
|
ADD_TO_LARGE_INTEGER(
|
|
&g_ipsec.Statistics.uTransportBytesReceived,
|
|
NET_SHORT(pIPH->iph_length));
|
|
}
|
|
|
|
ADD_TO_LARGE_INTEGER(
|
|
&pSA->sa_Stats.TotalBytesReceived,
|
|
NET_SHORT(pIPH->iph_length));
|
|
|
|
//
|
|
// If this was supposed to be handled by hardware, then make sure he
|
|
// either punted it or this was cryptoonly.
|
|
//
|
|
if (IPSecPktInfo != NULL) {
|
|
if (IPSecPktInfo->Receive.CRYPTO_DONE) {
|
|
//
|
|
// Offload has been applied to this packet so
|
|
// record it. We are here because CryptoStatus
|
|
// equals CRYPTO_SUCCESS.
|
|
//
|
|
ASSERT(IPSecPktInfo->Receive.CryptoStatus == CRYPTO_SUCCESS);
|
|
fCryptoOnly = TRUE;
|
|
|
|
ADD_TO_LARGE_INTEGER(
|
|
&pSA->sa_Stats.OffloadedBytesReceived,
|
|
NET_SHORT(pIPH->iph_length));
|
|
|
|
ADD_TO_LARGE_INTEGER(
|
|
&g_ipsec.Statistics.uOffloadedBytesReceived,
|
|
NET_SHORT(pIPH->iph_length));
|
|
}
|
|
|
|
if (IPSecPktInfo->Receive.SA_DELETE_REQ) {
|
|
//
|
|
// No more offload on this SA and its corresponding
|
|
// outbound SA.
|
|
//
|
|
AcquireWriteLock(&g_ipsec.SADBLock, &kIrql);
|
|
|
|
if ((pSA->sa_Flags & FLAGS_SA_HW_PLUMBED) &&
|
|
(pSA->sa_IPIF == DestIF)) {
|
|
IPSecDelHWSAAtDpc(pSA);
|
|
}
|
|
|
|
if (pSA->sa_AssociatedSA &&
|
|
(pSA->sa_AssociatedSA->sa_Flags & FLAGS_SA_HW_PLUMBED) &&
|
|
(pSA->sa_AssociatedSA->sa_IPIF == DestIF)) {
|
|
IPSecDelHWSAAtDpc(pSA->sa_AssociatedSA);
|
|
}
|
|
|
|
ReleaseWriteLock(&g_ipsec.SADBLock, kIrql);
|
|
}
|
|
}
|
|
|
|
//
|
|
// If SA is not offloaded, try to offload it now.
|
|
//
|
|
if (!fCryptoOnly) {
|
|
IPSecRecvOffload(pIPH, DestIF, pSA);
|
|
}
|
|
|
|
//
|
|
// With multiple SAs coming in, we need to iterate through the operations,
|
|
// last first.
|
|
//
|
|
for (Index = pSA->sa_NumOps-1; (LONG)Index >= 0; Index--) {
|
|
|
|
//
|
|
// Got to keep resetting pIPH since pIPHeader can change in the
|
|
// IPSecVerifyXXX calls
|
|
//
|
|
pIPH = (UNALIGNED IPHeader *)*pIPHeader;
|
|
|
|
switch (pSA->sa_Operation[Index]) {
|
|
case Auth:
|
|
//
|
|
// Verify AH
|
|
//
|
|
if (pIPH->iph_protocol != PROTOCOL_AH) {
|
|
IPSecBufferEvent( pIPH->iph_src,
|
|
EVENT_IPSEC_BAD_PROTOCOL_RECEIVED,
|
|
1,
|
|
TRUE);
|
|
status = STATUS_UNSUCCESSFUL;
|
|
break;
|
|
}
|
|
|
|
status = IPSecVerifyAH( pIPHeader,
|
|
pData,
|
|
pSA,
|
|
Index,
|
|
pExtraBytes,
|
|
fSrcRoute,
|
|
fCryptoOnly,
|
|
fFastRcv);
|
|
|
|
if (!NT_SUCCESS(status)) {
|
|
IPSEC_DEBUG(PARSE, ("AH failed: pSA: %lx, status: %lx\n",
|
|
pSA,
|
|
status));
|
|
IPSecDerefSA(pSA);
|
|
goto out;
|
|
}
|
|
|
|
break;
|
|
|
|
case Encrypt:
|
|
//
|
|
// Hughes ..
|
|
//
|
|
if (pIPH->iph_protocol != PROTOCOL_ESP) {
|
|
IPSecBufferEvent( pIPH->iph_src,
|
|
EVENT_IPSEC_BAD_PROTOCOL_RECEIVED,
|
|
2,
|
|
TRUE);
|
|
status = STATUS_UNSUCCESSFUL;
|
|
break;
|
|
}
|
|
|
|
status = IPSecVerifyHughes( pIPHeader,
|
|
pData,
|
|
pSA,
|
|
Index,
|
|
pExtraBytes,
|
|
fCryptoOnly,
|
|
fFastRcv);
|
|
|
|
if (!NT_SUCCESS(status)) {
|
|
IPSEC_DEBUG(PARSE, ("Hughes failed: pSA: %lx, status: %lx\n",
|
|
pSA,
|
|
status));
|
|
IPSecDerefSA(pSA);
|
|
goto out;
|
|
}
|
|
|
|
break;
|
|
|
|
case None:
|
|
//
|
|
// None is useful for down-level clients - if the peer is incapable
|
|
// of IPSEC, we might have a system policy to send in clear. in that
|
|
// case, the Operation will be None.
|
|
//
|
|
status = STATUS_SUCCESS;
|
|
break;
|
|
|
|
default:
|
|
IPSEC_DEBUG(PARSE, ("Invalid op in SA: %lx, Index: %d\n", pSA, Index));
|
|
ASSERT(FALSE);
|
|
break;
|
|
}
|
|
}
|
|
|
|
//
|
|
// If this was a tunnel SA that succeeded in decrypt/auth,
|
|
// drop this packet and re-inject a copy.
|
|
//
|
|
if ((status == STATUS_SUCCESS) &&
|
|
(pSA->sa_Flags & FLAGS_SA_TUNNEL)) {
|
|
IPSecReinjectPacket(pData, fCryptoOnly? PktExt: NULL);
|
|
status = STATUS_INVALID_PARAMETER;
|
|
if (pDropStatus) {
|
|
pDropStatus->Flags |= IPSEC_DROP_STATUS_DONT_LOG;
|
|
}
|
|
}
|
|
|
|
IPSecDerefSA(pSA);
|
|
}
|
|
|
|
out:
|
|
if (!NT_SUCCESS(status)) {
|
|
IPSEC_DEBUG(PARSE, ("IPSecRecvPacket failed: %lx\n", status));
|
|
eRetAction = eDROP;
|
|
}
|
|
if (pDropStatus) {
|
|
pDropStatus->IPSecStatus=status;
|
|
}
|
|
|
|
IPSEC_DEBUG(PARSE, ("Exiting IPSecRecvPacket; action %lx\n", eRetAction));
|
|
|
|
return eRetAction;
|
|
}
|
|
|
|
|
|
VOID
|
|
IPSecCalcHeaderOverheadFromSA(
|
|
IN PSA_TABLE_ENTRY pSA,
|
|
OUT PULONG pOverhead
|
|
)
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
Called from IP to query the IPSEC header overhead.
|
|
|
|
Arguments:
|
|
|
|
pIPHeader - points to start of IP header.
|
|
|
|
pOverhead - number of bytes in IPSEC header.
|
|
|
|
Return Value:
|
|
|
|
None
|
|
|
|
--*/
|
|
{
|
|
LONG Index;
|
|
ULONG AHSize = sizeof(AH) + pSA->sa_TruncatedLen;
|
|
ULONG ESPSize = sizeof(ESP) + pSA->sa_ivlen + pSA->sa_ReplayLen + MAX_PAD_LEN + pSA->sa_TruncatedLen;
|
|
|
|
//
|
|
// Take the actual SA to get the exact value.
|
|
//
|
|
*pOverhead = 0;
|
|
|
|
for (Index = 0; Index < pSA->sa_NumOps; Index++) {
|
|
switch (pSA->sa_Operation[Index]) {
|
|
case Encrypt:
|
|
*pOverhead += ESPSize;
|
|
IPSEC_DEBUG(PMTU, ("PROTOCOL_ESP: overhead: %lx\n", *pOverhead));
|
|
break;
|
|
|
|
case Auth:
|
|
*pOverhead += AHSize;
|
|
IPSEC_DEBUG(PMTU, ("PROTOCOL_AH: overhead: %lx\n", *pOverhead));
|
|
break;
|
|
|
|
default:
|
|
IPSEC_DEBUG(PMTU, ("No IPSEC headers\n"));
|
|
break;
|
|
}
|
|
}
|
|
|
|
if (pSA->sa_Flags & FLAGS_SA_TUNNEL) {
|
|
*pOverhead += sizeof(IPHeader);
|
|
IPSEC_DEBUG(PMTU, ("TUNNEL: overhead: %lx\n", *pOverhead));
|
|
}
|
|
}
|
|
|
|
|
|
NTSTATUS
|
|
IPSecParsePacket(
|
|
IN PUCHAR pIPHeader,
|
|
IN PVOID *pData,
|
|
OUT tSPI *pSPI
|
|
)
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
Walk the packet to determine the SPI, this also returns the
|
|
next header that might be also an IPSEC component.
|
|
|
|
Arguments:
|
|
|
|
pIPHeader - points to start of IP header.
|
|
|
|
pData - points to the data after the IP header.
|
|
|
|
pSPI - to return the SPI value.
|
|
|
|
Return Value:
|
|
|
|
--*/
|
|
{
|
|
IPHeader UNALIGNED *pIPH = (IPHeader UNALIGNED *)pIPHeader;
|
|
AH UNALIGNED *pAH;
|
|
ESP UNALIGNED *pEsp;
|
|
NTSTATUS status = STATUS_NOT_FOUND;
|
|
PUCHAR pPyld;
|
|
ULONG Len;
|
|
|
|
IPSEC_DEBUG(PARSE, ("Entering IPSecParsePacket\n"));
|
|
|
|
IPSecQueryRcvBuf(pData, &pPyld, &Len);
|
|
|
|
if (pIPH->iph_protocol == PROTOCOL_AH) {
|
|
pAH = (UNALIGNED AH *)pPyld;
|
|
if (Len >= sizeof(AH)) {
|
|
*pSPI = NET_TO_HOST_LONG(pAH->ah_spi);
|
|
status = STATUS_SUCCESS;
|
|
}
|
|
} else if (pIPH->iph_protocol == PROTOCOL_ESP) {
|
|
pEsp = (UNALIGNED ESP *)pPyld;
|
|
if (Len >= sizeof(ESP)) {
|
|
*pSPI = NET_TO_HOST_LONG(pEsp->esp_spi);
|
|
status = STATUS_SUCCESS;
|
|
}
|
|
}
|
|
|
|
IPSEC_DEBUG(PARSE, ("Exiting IPSecParsePacket\n"));
|
|
|
|
return status;
|
|
}
|
|
|
|
|
|
PSA_TABLE_ENTRY
|
|
IPSecLookupSAInLarval(
|
|
IN ULARGE_INTEGER uliSrcDstAddr,
|
|
IN ULARGE_INTEGER uliProtoSrcDstPort
|
|
)
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
Search for SA (in larval list) matching the input params.
|
|
|
|
Arguments:
|
|
|
|
Return Value:
|
|
|
|
Pointer to SA matched else NULL
|
|
|
|
--*/
|
|
{
|
|
PLIST_ENTRY pEntry;
|
|
KIRQL kIrql;
|
|
ULARGE_INTEGER uliAddr;
|
|
ULARGE_INTEGER uliPort;
|
|
PSA_TABLE_ENTRY pSA = NULL;
|
|
|
|
IPSEC_BUILD_SRC_DEST_ADDR(uliAddr, DEST_ADDR, SRC_ADDR);
|
|
|
|
ACQUIRE_LOCK(&g_ipsec.LarvalListLock, &kIrql);
|
|
|
|
for ( pEntry = g_ipsec.LarvalSAList.Flink;
|
|
pEntry != &g_ipsec.LarvalSAList;
|
|
pEntry = pEntry->Flink) {
|
|
|
|
pSA = CONTAINING_RECORD(pEntry,
|
|
SA_TABLE_ENTRY,
|
|
sa_LarvalLinkage);
|
|
|
|
//
|
|
// responder inbound has no filter ptr
|
|
//
|
|
if (pSA->sa_Filter) {
|
|
uliPort.QuadPart = uliProtoSrcDstPort.QuadPart & pSA->sa_Filter->uliProtoSrcDstMask.QuadPart;
|
|
|
|
if ((uliAddr.QuadPart == pSA->sa_uliSrcDstAddr.QuadPart) &&
|
|
(uliPort.QuadPart == pSA->sa_Filter->uliProtoSrcDstPort.QuadPart)) {
|
|
IPSEC_DEBUG(HASH, ("Matched entry: %lx\n", pSA));
|
|
|
|
RELEASE_LOCK(&g_ipsec.LarvalListLock, kIrql);
|
|
return pSA;
|
|
}
|
|
} else {
|
|
if (uliAddr.QuadPart == pSA->sa_uliSrcDstAddr.QuadPart) {
|
|
IPSEC_DEBUG(HASH, ("Matched entry: %lx\n", pSA));
|
|
|
|
RELEASE_LOCK(&g_ipsec.LarvalListLock, kIrql);
|
|
return pSA;
|
|
}
|
|
}
|
|
}
|
|
|
|
RELEASE_LOCK(&g_ipsec.LarvalListLock, kIrql);
|
|
|
|
return NULL;
|
|
}
|
|
|
|
|
|
NTSTATUS
|
|
IPSecClassifyPacket(
|
|
IN PUCHAR pHeader,
|
|
IN PVOID pData,
|
|
OUT PSA_TABLE_ENTRY *ppSA,
|
|
OUT PSA_TABLE_ENTRY *ppNextSA,
|
|
OUT USHORT *pFilterFlags,
|
|
#if GPC
|
|
IN CLASSIFICATION_HANDLE GpcHandle,
|
|
#endif
|
|
IN BOOLEAN fOutbound,
|
|
IN BOOLEAN fFWPacket,
|
|
IN BOOLEAN fDoBypassCheck,
|
|
IN UCHAR DestType
|
|
)
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
Classifies the outgoing packet be matching the Src/Dest Address/Ports
|
|
with the filter database to arrive at an IPSEC_CONTEXT which is a set
|
|
of AH/ESP indices into the SA Table.
|
|
|
|
Adapted in most part from the Filter Driver.
|
|
|
|
Arguments:
|
|
|
|
pIPHeader - points to start of IP header.
|
|
|
|
pData - points to the data after the IP header.
|
|
|
|
ppSA - returns the SA if found.
|
|
|
|
pFilterFlags - flags of the filter if found returned here.
|
|
|
|
fOutbound - direction flag used in lookups.
|
|
|
|
fDoBypassCheck - if TRUE, we bypass port 500 traffic, else we block it.
|
|
|
|
Return Value:
|
|
|
|
Pointer to IPSEC_CONTEXT if packet matched else NULL
|
|
|
|
--*/
|
|
{
|
|
REGISTER UNALIGNED ULARGE_INTEGER *puliSrcDstAddr;
|
|
REGISTER ULARGE_INTEGER uliProtoSrcDstPort;
|
|
UNALIGNED WORD *pwPort;
|
|
PUCHAR pTpt;
|
|
ULONG tptLen;
|
|
REGISTER ULARGE_INTEGER uliAddr;
|
|
REGISTER ULARGE_INTEGER uliPort;
|
|
KIRQL kIrql;
|
|
REGISTER ULONG dwIndex;
|
|
REGISTER PFILTER_CACHE pCache;
|
|
IPHeader UNALIGNED *pIPHeader = (IPHeader UNALIGNED *)pHeader;
|
|
PSA_TABLE_ENTRY pSA = NULL;
|
|
PSA_TABLE_ENTRY pNextSA = NULL;
|
|
PSA_TABLE_ENTRY pTunnelSA = NULL;
|
|
PFILTER pFilter = NULL;
|
|
NTSTATUS status;
|
|
BOOLEAN fBypass;
|
|
PNDIS_BUFFER pTempBuf;
|
|
WORD wTpt[2];
|
|
|
|
*ppSA = NULL;
|
|
*ppNextSA = NULL;
|
|
*pFilterFlags = 0;
|
|
wTpt[0] = wTpt[1] = 0;
|
|
|
|
|
|
//
|
|
// First buffer in pData chain points to start of IP header
|
|
//
|
|
if (fOutbound) {
|
|
if (((pIPHeader->iph_verlen & (UCHAR)~IP_VER_FLAG) << 2) > sizeof(IPHeader)) {
|
|
//
|
|
// Options -> third MDL has Tpt header
|
|
//
|
|
if (!(pTempBuf = IPSEC_NEXT_BUFFER((PNDIS_BUFFER)pData))) {
|
|
ASSERT(FALSE);
|
|
*pFilterFlags |= FILTER_FLAGS_DROP;
|
|
return STATUS_SUCCESS;
|
|
}
|
|
|
|
if (!(pTempBuf = IPSEC_NEXT_BUFFER(pTempBuf))) {
|
|
*pFilterFlags |= FILTER_FLAGS_DROP;
|
|
pwPort = (UNALIGNED WORD *) (wTpt);
|
|
}
|
|
else {
|
|
IPSecQueryNdisBuf(pTempBuf, &pTpt, &tptLen);
|
|
pwPort = (UNALIGNED WORD *)(pTpt);
|
|
}
|
|
|
|
} else {
|
|
//
|
|
// no options -> second MDL has Tpt header
|
|
//
|
|
if (!(pTempBuf = IPSEC_NEXT_BUFFER((PNDIS_BUFFER)pData))) {
|
|
*pFilterFlags |= FILTER_FLAGS_DROP;
|
|
pwPort = (UNALIGNED WORD *) (wTpt);
|
|
}
|
|
else {
|
|
IPSecQueryNdisBuf(pTempBuf, &pTpt, &tptLen);
|
|
pwPort = (UNALIGNED WORD *)(pTpt);
|
|
}
|
|
|
|
}
|
|
} else {
|
|
//
|
|
// inbound side; tpt starts at pData
|
|
//
|
|
IPSecQueryRcvBuf(pData, &pTpt, &tptLen);
|
|
if (pIPHeader->iph_protocol == PROTOCOL_TCP ||
|
|
pIPHeader->iph_protocol == PROTOCOL_UDP) {
|
|
if (tptLen < sizeof(WORD)*2) {
|
|
pwPort = (UNALIGNED WORD *) (wTpt);
|
|
}
|
|
else {
|
|
pwPort = (UNALIGNED WORD *)(pTpt);
|
|
}
|
|
}
|
|
else {
|
|
pwPort = (UNALIGNED WORD *) (wTpt);
|
|
}
|
|
}
|
|
|
|
puliSrcDstAddr = (UNALIGNED ULARGE_INTEGER*)(&(pIPHeader->iph_src));
|
|
|
|
IPSEC_DEBUG(PARSE, ("Ports: %d.%d\n", pwPort[0], pwPort[1]));
|
|
|
|
IPSEC_BUILD_PROTO_PORT_LI( uliProtoSrcDstPort,
|
|
pIPHeader->iph_protocol,
|
|
pwPort[0],
|
|
pwPort[1]);
|
|
|
|
#if DBG
|
|
if (IPSecDebug & (IPSEC_DEBUG_PATTERN)) {
|
|
DbgPrint("Addr Large Int: High= %0#8x Low= %0#8x\n",
|
|
puliSrcDstAddr->HighPart,
|
|
puliSrcDstAddr->LowPart);
|
|
|
|
DbgPrint("Packet value is Src: %0#8x Dst: %0#8x\n",
|
|
pIPHeader->iph_src,
|
|
pIPHeader->iph_dest);
|
|
|
|
DbgPrint("Proto/Port:High= %0#8x Low= %0#8x\n",
|
|
uliProtoSrcDstPort.HighPart,
|
|
uliProtoSrcDstPort.LowPart);
|
|
|
|
DbgPrint("Iph is %x\n",pIPHeader);
|
|
DbgPrint("Addr of src is %x\n",&(pIPHeader->iph_src));
|
|
DbgPrint("Ptr to LI is %x\n",puliSrcDstAddr);
|
|
}
|
|
#endif
|
|
|
|
//
|
|
// Determine if this is a packet that needs bypass checking
|
|
//
|
|
if (fDoBypassCheck && IPSEC_BYPASS_TRAFFIC() && !IPSEC_FORWARD_PATH()) {
|
|
fBypass = TRUE;
|
|
} else {
|
|
fBypass = FALSE;
|
|
}
|
|
|
|
//
|
|
// Sum up the fields and get the cache index. We make sure the sum
|
|
// is assymetric, i.e. a packet from A->B goes to different bucket
|
|
// than one from B->A
|
|
//
|
|
dwIndex = CalcCacheIndex( pIPHeader->iph_src,
|
|
pIPHeader->iph_dest,
|
|
pIPHeader->iph_protocol,
|
|
pwPort[0],
|
|
pwPort[1],
|
|
fOutbound);
|
|
|
|
IPSEC_DEBUG(PATTERN, ("Cache Index is %d\n", dwIndex));
|
|
|
|
AcquireReadLock(&g_ipsec.SADBLock, &kIrql);
|
|
|
|
pCache = g_ipsec.ppCache[dwIndex];
|
|
|
|
//
|
|
// Try for a quick cache probe
|
|
//
|
|
if (!(*pFilterFlags & FILTER_FLAGS_DROP) && IS_VALID_CACHE_ENTRY(pCache) &&
|
|
CacheMatch(*puliSrcDstAddr, uliProtoSrcDstPort, pCache)) {
|
|
if (!pCache->FilterEntry) {
|
|
pSA = pCache->pSAEntry;
|
|
pNextSA = pCache->pNextSAEntry;
|
|
|
|
ASSERT(pSA->sa_State == STATE_SA_ACTIVE);
|
|
|
|
if (fOutbound == (BOOLEAN)((pSA->sa_Flags & FLAGS_SA_OUTBOUND) != 0)) {
|
|
if (fBypass) {
|
|
if (pNextSA) {
|
|
IPSecRefSA(pNextSA);
|
|
*ppSA = pNextSA;
|
|
status = STATUS_SUCCESS;
|
|
} else {
|
|
status = STATUS_UNSUCCESSFUL;
|
|
}
|
|
} else {
|
|
if (pNextSA) {
|
|
IPSecRefSA(pNextSA);
|
|
*ppNextSA = pNextSA;
|
|
}
|
|
IPSecRefSA(pSA);
|
|
*ppSA = pSA;
|
|
status = STATUS_SUCCESS;
|
|
}
|
|
|
|
#if DBG
|
|
ADD_TO_LARGE_INTEGER(&pCache->CacheHitCount, 1);
|
|
ADD_TO_LARGE_INTEGER(&g_ipsec.CacheHitCount, 1);
|
|
#endif
|
|
ReleaseReadLock(&g_ipsec.SADBLock, kIrql);
|
|
return status;
|
|
}
|
|
} else if (!fBypass) {
|
|
pFilter = pCache->pFilter;
|
|
ASSERT(IS_EXEMPT_FILTER(pFilter));
|
|
*pFilterFlags = pFilter->Flags;
|
|
#if DBG
|
|
ADD_TO_LARGE_INTEGER(&pCache->CacheHitCount, 1);
|
|
ADD_TO_LARGE_INTEGER(&g_ipsec.CacheHitCount, 1);
|
|
#endif
|
|
ReleaseReadLock(&g_ipsec.SADBLock, kIrql);
|
|
return STATUS_SUCCESS;
|
|
}
|
|
}
|
|
|
|
//
|
|
// check the non-manual filters first.
|
|
//
|
|
#if GPC
|
|
if (fBypass || fFWPacket || !IS_GPC_ACTIVE()) {
|
|
status = IPSecLookupSAByAddr( *puliSrcDstAddr,
|
|
uliProtoSrcDstPort,
|
|
&pFilter,
|
|
&pSA,
|
|
&pNextSA,
|
|
&pTunnelSA,
|
|
fOutbound,
|
|
fFWPacket,
|
|
fBypass);
|
|
} else {
|
|
status = IPSecLookupGpcSA( *puliSrcDstAddr,
|
|
uliProtoSrcDstPort,
|
|
GpcHandle,
|
|
&pFilter,
|
|
&pSA,
|
|
&pNextSA,
|
|
&pTunnelSA,
|
|
fOutbound);
|
|
}
|
|
#else
|
|
status = IPSecLookupSAByAddr( *puliSrcDstAddr,
|
|
uliProtoSrcDstPort,
|
|
&pFilter,
|
|
&pSA,
|
|
&pNextSA,
|
|
&pTunnelSA,
|
|
fOutbound,
|
|
fFWPacket,
|
|
fBypass);
|
|
#endif
|
|
|
|
//
|
|
// Special Processing for zero length payload packets.
|
|
//
|
|
|
|
if (*pFilterFlags & FILTER_FLAGS_DROP) {
|
|
if (pFilter) {
|
|
if (IS_EXEMPT_FILTER(pFilter)) {
|
|
*pFilterFlags = pFilter->Flags;
|
|
}
|
|
}
|
|
else {
|
|
*pFilterFlags = FILTER_FLAGS_PASS_THRU;
|
|
}
|
|
ReleaseReadLock(&g_ipsec.SADBLock, kIrql);
|
|
return STATUS_SUCCESS;
|
|
}
|
|
|
|
if (status == STATUS_SUCCESS) {
|
|
if (fBypass) {
|
|
if (pNextSA) {
|
|
if (pNextSA->sa_State == STATE_SA_ACTIVE) {
|
|
IPSecRefSA(pNextSA);
|
|
*ppSA = pNextSA;
|
|
status = STATUS_SUCCESS;
|
|
} else {
|
|
*pFilterFlags = pFilter->Flags;
|
|
status = STATUS_PENDING;
|
|
}
|
|
} else {
|
|
status = STATUS_UNSUCCESSFUL;
|
|
}
|
|
|
|
ReleaseReadLock(&g_ipsec.SADBLock, kIrql);
|
|
return status;
|
|
}
|
|
|
|
if (pSA->sa_State != STATE_SA_ACTIVE ||
|
|
(pNextSA && pNextSA->sa_State != STATE_SA_ACTIVE)) {
|
|
IPSEC_DEBUG(PATTERN, ("State is not active: %lx, %lx\n", pSA, pSA->sa_State));
|
|
*pFilterFlags = pFilter->Flags;
|
|
ReleaseReadLock(&g_ipsec.SADBLock, kIrql);
|
|
return STATUS_PENDING;
|
|
} else {
|
|
if (pNextSA) {
|
|
IPSecRefSA(pNextSA);
|
|
*ppNextSA = pNextSA;
|
|
}
|
|
IPSecRefSA(pSA);
|
|
*ppSA = pSA;
|
|
ReleaseReadLockFromDpc(&g_ipsec.SADBLock);
|
|
|
|
AcquireWriteLockAtDpc(&g_ipsec.SADBLock);
|
|
if (pSA->sa_State == STATE_SA_ACTIVE &&
|
|
(!pNextSA ||
|
|
pNextSA->sa_State == STATE_SA_ACTIVE)) {
|
|
CacheUpdate(*puliSrcDstAddr,
|
|
uliProtoSrcDstPort,
|
|
pSA,
|
|
pNextSA,
|
|
dwIndex,
|
|
FALSE);
|
|
}
|
|
ReleaseWriteLock(&g_ipsec.SADBLock, kIrql);
|
|
|
|
return STATUS_SUCCESS;
|
|
}
|
|
} else if (status == STATUS_PENDING) {
|
|
if (IS_EXEMPT_FILTER(pFilter)) {
|
|
IPSEC_DEBUG(PARSE, ("Drop or Pass thru flags: %lx\n", pFilter));
|
|
*pFilterFlags = pFilter->Flags;
|
|
IPSecRefFilter(pFilter);
|
|
ReleaseReadLockFromDpc(&g_ipsec.SADBLock);
|
|
|
|
AcquireWriteLockAtDpc(&g_ipsec.SADBLock);
|
|
if (pFilter->LinkedFilter) {
|
|
CacheUpdate(*puliSrcDstAddr,
|
|
uliProtoSrcDstPort,
|
|
pFilter,
|
|
NULL,
|
|
dwIndex,
|
|
TRUE);
|
|
}
|
|
ReleaseWriteLock(&g_ipsec.SADBLock, kIrql);
|
|
|
|
IPSecDerefFilter(pFilter);
|
|
return STATUS_SUCCESS;
|
|
}
|
|
|
|
//
|
|
// This is ensure that in a tunnel+tpt mode, the oakley packet for
|
|
// the tpt SA goes thru the tunnel.
|
|
//
|
|
if (pTunnelSA) {
|
|
if (fBypass) {
|
|
if (pTunnelSA->sa_State != STATE_SA_ACTIVE) {
|
|
IPSEC_DEBUG(PATTERN, ("State is not active: %lx, %lx\n", pTunnelSA, pTunnelSA->sa_State));
|
|
*pFilterFlags = pFilter->Flags;
|
|
|
|
ReleaseReadLock(&g_ipsec.SADBLock, kIrql);
|
|
return STATUS_PENDING;
|
|
} else {
|
|
IPSecRefSA(pTunnelSA);
|
|
*ppSA = pTunnelSA;
|
|
|
|
//
|
|
// we dont update the cache since this SA, once it comes up,
|
|
// it is the one that is looked up first.
|
|
//
|
|
ReleaseReadLock(&g_ipsec.SADBLock, kIrql);
|
|
return STATUS_SUCCESS;
|
|
}
|
|
}
|
|
}
|
|
|
|
if (fBypass) {
|
|
ReleaseReadLock(&g_ipsec.SADBLock, kIrql);
|
|
return STATUS_UNSUCCESSFUL;
|
|
}
|
|
|
|
//
|
|
// We only negotiate outbound SAs.
|
|
//
|
|
if (!fOutbound) {
|
|
*pFilterFlags = pFilter->Flags;
|
|
ReleaseReadLock(&g_ipsec.SADBLock, kIrql);
|
|
return status;
|
|
}
|
|
|
|
//
|
|
// need to negotiate the keys - filter exists.
|
|
//
|
|
IPSEC_DEBUG(PATTERN, ("need to negotiate the keys - filter exists: %lx\n", pFilter));
|
|
|
|
ASSERT(pSA == NULL);
|
|
|
|
IPSecRefFilter(pFilter);
|
|
|
|
ReleaseReadLock(&g_ipsec.SADBLock, kIrql);
|
|
|
|
AcquireWriteLock(&g_ipsec.SADBLock, &kIrql);
|
|
|
|
//
|
|
// If filter is deleted here we want to discard this packet
|
|
//
|
|
if (!pFilter->LinkedFilter) {
|
|
*pFilterFlags = pFilter->Flags;
|
|
IPSecDerefFilter(pFilter);
|
|
ReleaseWriteLock(&g_ipsec.SADBLock, kIrql);
|
|
return STATUS_PENDING;
|
|
}
|
|
|
|
status = IPSecNegotiateSA( pFilter,
|
|
*puliSrcDstAddr,
|
|
uliProtoSrcDstPort,
|
|
MAX_LONG,
|
|
&pSA,
|
|
DestType);
|
|
|
|
IPSecDerefFilter(pFilter);
|
|
|
|
//
|
|
// Duplicate is returned if a neg is already on. Tell the caller to
|
|
// hold on to his horses.
|
|
//
|
|
if ((status != STATUS_DUPLICATE_OBJECTID) &&
|
|
!NT_SUCCESS(status)) {
|
|
IPSEC_DEBUG(PATTERN, ("NegotiateSA failed: %lx\n", status));
|
|
*pFilterFlags = pFilter->Flags;
|
|
|
|
ReleaseWriteLock(&g_ipsec.SADBLock, kIrql);
|
|
return STATUS_PENDING;
|
|
}
|
|
|
|
//
|
|
// Pend this packet
|
|
//
|
|
if (pSA) {
|
|
IPSecQueuePacket(pSA, pData);
|
|
}
|
|
IPSEC_DEBUG(PATTERN, ("Packet queued: %lx, %lx\n", pSA, pData));
|
|
*pFilterFlags = pFilter->Flags;
|
|
ReleaseWriteLock(&g_ipsec.SADBLock, kIrql);
|
|
return STATUS_PENDING;
|
|
} else {
|
|
ReleaseReadLock(&g_ipsec.SADBLock, kIrql);
|
|
return STATUS_UNSUCCESSFUL;
|
|
}
|
|
}
|
|
|
|
|
|
VOID
|
|
IPSecSendComplete(
|
|
IN PNDIS_PACKET Packet,
|
|
IN PVOID pData,
|
|
IN PIPSEC_SEND_COMPLETE_CONTEXT pContext,
|
|
IN IP_STATUS Status,
|
|
OUT PVOID *ppNewData
|
|
)
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
Called by the stack on a SendComplete - frees up IPSEC's Mdls
|
|
|
|
Arguments:
|
|
|
|
pData - points to the data after the IP header. On the send side, this is an MDL chain
|
|
On the recv side this is an IPRcvBuf pointer.
|
|
|
|
pContext - send complete context
|
|
pNewData - if packet modified, this points to the new data.
|
|
|
|
Return Value:
|
|
|
|
STATUS_SUCCESS => Forward - Filter driver passes packet on to IP
|
|
STATUS_PENDING => Drop, IPSEC will re-inject
|
|
|
|
Others:
|
|
STATUS_INSUFFICIENT_RESOURCES => Drop
|
|
STATUS_UNSUCCESSFUL (error in algo./bad packet received) => Drop
|
|
|
|
--*/
|
|
{
|
|
NTSTATUS status;
|
|
PNDIS_BUFFER pMdl;
|
|
PNDIS_BUFFER pNextMdl;
|
|
BOOLEAN fFreeContext = TRUE;
|
|
|
|
*ppNewData = pData;
|
|
|
|
if (!pContext) {
|
|
return;
|
|
}
|
|
|
|
#if DBG
|
|
IPSEC_DEBUG(MDL, ("Entering IPSecSendComplete\n"));
|
|
IPSEC_PRINT_CONTEXT(pContext);
|
|
IPSEC_PRINT_MDL(*ppNewData);
|
|
#endif
|
|
|
|
if (pContext->Flags & SCF_PKTINFO) {
|
|
IPSecFreePktInfo(pContext->PktInfo);
|
|
|
|
if (pContext->pSA) {
|
|
KIRQL kIrql;
|
|
PSA_TABLE_ENTRY pSA;
|
|
|
|
AcquireWriteLock(&g_ipsec.SADBLock, &kIrql);
|
|
|
|
pSA = (PSA_TABLE_ENTRY)pContext->pSA;
|
|
IPSEC_DECREMENT(pSA->sa_NumSends);
|
|
if (pSA->sa_Flags & FLAGS_SA_HW_DELETE_SA) {
|
|
IPSecDelHWSAAtDpc(pSA);
|
|
}
|
|
IPSecDerefSA(pSA);
|
|
|
|
pSA = (PSA_TABLE_ENTRY)pContext->pNextSA;
|
|
if (pSA) {
|
|
IPSEC_DECREMENT(pSA->sa_NumSends);
|
|
if (pSA->sa_Flags & FLAGS_SA_HW_DELETE_SA) {
|
|
IPSecDelHWSAAtDpc(pSA);
|
|
}
|
|
IPSecDerefSA(pSA);
|
|
}
|
|
|
|
ReleaseWriteLock(&g_ipsec.SADBLock, kIrql);
|
|
}
|
|
}
|
|
|
|
if (pContext->Flags & SCF_PKTEXT) {
|
|
IPSecFreePktExt(pContext->PktExt);
|
|
}
|
|
|
|
if (pContext->Flags & SCF_AH_2) {
|
|
|
|
IPSEC_DEBUG(SEND, ("SendComplete: Outer AH: pContext: %lx\n", pContext));
|
|
pMdl = pContext->AHMdl2;
|
|
|
|
ASSERT(pMdl);
|
|
|
|
IPSecFreeBuffer(&status, pMdl);
|
|
|
|
//
|
|
// return the older chain
|
|
//
|
|
if (pContext->Flags & SCF_FLUSH) {
|
|
NDIS_BUFFER_LINKAGE(pContext->PrevAHMdl2) = pContext->OriAHMdl2;
|
|
} else if (!(pContext->Flags & SCF_FRAG)) {
|
|
NDIS_BUFFER_LINKAGE(pContext->PrevAHMdl2) = pContext->OriAHMdl2;
|
|
// *ppNewData = (PVOID)(pContext->PrevMdl);
|
|
}
|
|
pContext->OriAHMdl2 = NULL;
|
|
}
|
|
|
|
if (pContext->Flags & SCF_AH_TU) {
|
|
IPSEC_DEBUG(SEND, ("SendComplete: AH_TU: pContext: %lx\n", pContext));
|
|
|
|
//
|
|
// Free the new IP header and the AH buffer and return the old chain
|
|
//
|
|
pMdl = pContext->AHTuMdl;
|
|
|
|
ASSERT(pMdl);
|
|
|
|
pNextMdl = NDIS_BUFFER_LINKAGE(pMdl);
|
|
IPSecFreeBuffer(&status, pMdl);
|
|
IPSecFreeBuffer(&status, pNextMdl);
|
|
|
|
//
|
|
// return the older chain
|
|
//
|
|
if (pContext->Flags & SCF_FLUSH) {
|
|
NDIS_BUFFER_LINKAGE(pContext->PrevTuMdl) = pContext->OriTuMdl;
|
|
} else if (!(pContext->Flags & SCF_FRAG)) {
|
|
NDIS_BUFFER_LINKAGE(pContext->PrevTuMdl) = pContext->OriTuMdl;
|
|
}
|
|
|
|
if (pContext->OptMdl) {
|
|
IPSecFreeBuffer(&status, pContext->OptMdl);
|
|
}
|
|
}
|
|
|
|
if (pContext->Flags & SCF_HU_TU) {
|
|
IPSEC_DEBUG(SEND, ("SendComplete: HU_TU: pContext: %lx\n", pContext));
|
|
//
|
|
// Free the encrypt chain and return the old chain
|
|
//
|
|
pMdl = pContext->HUTuMdl;
|
|
ASSERT(pMdl);
|
|
|
|
//
|
|
// In none case, free the esp header and the IP header.
|
|
//
|
|
if (pContext->Flags & SCF_NOE_TU) {
|
|
IPSecFreeBuffer(&status, pMdl);
|
|
ASSERT(pContext->PadTuMdl);
|
|
} else {
|
|
ASSERT(NDIS_BUFFER_LINKAGE(pMdl));
|
|
while (pMdl) {
|
|
pNextMdl = NDIS_BUFFER_LINKAGE(pMdl);
|
|
IPSecFreeBuffer(&status, pMdl);
|
|
pMdl = pNextMdl;
|
|
}
|
|
}
|
|
|
|
//
|
|
// Free the Pad mdl
|
|
//
|
|
if (pContext->PadTuMdl) {
|
|
IPSecFreeBuffer(&status, pContext->PadTuMdl);
|
|
}
|
|
|
|
if (pContext->HUHdrMdl) {
|
|
IPSecFreeBuffer(&status, pContext->HUHdrMdl);
|
|
}
|
|
|
|
if (pContext->OptMdl) {
|
|
IPSecFreeBuffer(&status, pContext->OptMdl);
|
|
}
|
|
|
|
NDIS_BUFFER_LINKAGE(pContext->BeforePadTuMdl) = NULL;
|
|
|
|
//
|
|
// return the older chain
|
|
//
|
|
if (pContext->Flags & SCF_FLUSH) {
|
|
NDIS_BUFFER_LINKAGE(pContext->PrevTuMdl) = pContext->OriTuMdl;
|
|
} else if (!(pContext->Flags & SCF_FRAG)) {
|
|
NDIS_BUFFER_LINKAGE(pContext->PrevTuMdl) = pContext->OriTuMdl;
|
|
}
|
|
}
|
|
|
|
if (pContext->Flags & SCF_AH) {
|
|
|
|
IPSEC_DEBUG(SEND, ("SendComplete: AH: pContext: %lx\n", pContext));
|
|
pMdl = pContext->AHMdl;
|
|
|
|
ASSERT(pMdl);
|
|
|
|
IPSecFreeBuffer(&status, pMdl);
|
|
|
|
//
|
|
// return the older chain
|
|
//
|
|
if (pContext->Flags & SCF_FLUSH) {
|
|
NDIS_BUFFER_LINKAGE(pContext->PrevMdl) = pContext->OriAHMdl;
|
|
} else if (!(pContext->Flags & SCF_FRAG)) {
|
|
NDIS_BUFFER_LINKAGE(pContext->PrevMdl) = pContext->OriAHMdl;
|
|
// *ppNewData = (PVOID)(pContext->PrevMdl);
|
|
}
|
|
pContext->OriAHMdl = NULL;
|
|
}
|
|
|
|
if (pContext->Flags & SCF_HU_TPT) {
|
|
IPSEC_DEBUG(SEND, ("SendComplete: HU_TPT: pContext: %lx\n", pContext));
|
|
|
|
//
|
|
// Hook the older chain into the first buffer
|
|
//
|
|
if (pContext->Flags & SCF_FLUSH) {
|
|
NDIS_BUFFER_LINKAGE(pContext->PrevMdl) = pContext->OriHUMdl;
|
|
} else if (!(pContext->Flags & SCF_FRAG)) {
|
|
NDIS_BUFFER_LINKAGE(pContext->PrevMdl) = pContext->OriHUMdl;
|
|
}
|
|
|
|
//
|
|
// Free the encryption buffer chain
|
|
//
|
|
pMdl = pContext->HUMdl;
|
|
ASSERT(pMdl);
|
|
|
|
//
|
|
// In none case, free the esp header.
|
|
//
|
|
if (pContext->Flags & SCF_NOE_TPT) {
|
|
IPSecFreeBuffer(&status, pMdl);
|
|
ASSERT(pContext->PadMdl);
|
|
} else {
|
|
ASSERT(NDIS_BUFFER_LINKAGE(pMdl));
|
|
while (pMdl) {
|
|
pNextMdl = NDIS_BUFFER_LINKAGE(pMdl);
|
|
IPSecFreeBuffer(&status, pMdl);
|
|
pMdl = pNextMdl;
|
|
}
|
|
}
|
|
|
|
//
|
|
// Free the Pad mdl and zero the reference to the pad mdl in the
|
|
// previous (payload) mdl.
|
|
//
|
|
if (pContext->PadMdl) {
|
|
IPSecFreeBuffer(&status, pContext->PadMdl);
|
|
}
|
|
|
|
NDIS_BUFFER_LINKAGE(pContext->BeforePadMdl) = NULL;
|
|
}
|
|
|
|
//
|
|
// these are freed in IPSecProtocolSendComplete now.
|
|
//
|
|
if (Packet && (pContext->Flags & SCF_FLUSH)) {
|
|
|
|
IPSEC_DEBUG(SEND, ("SendComplete: FLUSH: pContext: %lx\n", pContext));
|
|
//
|
|
// Free the encrypt chain and return the old chain
|
|
//
|
|
pMdl = pContext->FlushMdl;
|
|
|
|
ASSERT(pMdl);
|
|
|
|
//
|
|
// We will be called at ProtocolSendComplete, where we free this chain.
|
|
//
|
|
fFreeContext = FALSE;
|
|
|
|
//
|
|
// If this was just a reinjected packet and never IPSEC'ed, then we know
|
|
// that all the buffers are in line - call the ProtocolSendComplete here
|
|
// and NULL the returned buffer.
|
|
//
|
|
// The best way to do this is to do the same trick we apply on fragmented
|
|
// packets (see IPTransmit) viz. attaching another header and 0'ing out
|
|
// the IPSEC header. There is obviously a perf hit when attaching another IP
|
|
// header since we alloc new MDLs, etc. Hence, we take the approach of using
|
|
// the header in the IPSEC buffers directly.
|
|
//
|
|
// So, here we see if the packet was fragmented; in which case, we let
|
|
// ProtocolSendComplete do the freeing. Else, we free the buffers ourselves.
|
|
//
|
|
{
|
|
PacketContext *PContext = (PacketContext *)Packet->ProtocolReserved;
|
|
|
|
if (PContext->pc_br == NULL ||
|
|
(PContext->pc_ipsec_flags & IPSEC_FLAG_FLUSH)) {
|
|
|
|
//
|
|
// this will also free the context.
|
|
//
|
|
IPSecProtocolSendComplete(pContext, pMdl, IP_SUCCESS);
|
|
*ppNewData = NULL;
|
|
}
|
|
}
|
|
} else if (!Packet && (pContext->Flags & SCF_FLUSH)) {
|
|
//
|
|
// ProtocolSendComplete will be called next in IPFragment.
|
|
//
|
|
fFreeContext = FALSE;
|
|
}
|
|
|
|
//
|
|
// If context not needed anymore, free it now.
|
|
//
|
|
if (fFreeContext) {
|
|
IPSecFreeSendCompleteCtx(pContext);
|
|
}
|
|
|
|
#if DBG
|
|
IPSEC_DEBUG(MDL, ("Exiting IPSecSendComplete\n"));
|
|
IPSEC_PRINT_CONTEXT(pContext);
|
|
IPSEC_PRINT_MDL(*ppNewData);
|
|
#endif
|
|
}
|
|
|
|
|
|
VOID
|
|
IPSecProtocolSendComplete (
|
|
IN PVOID pContext,
|
|
IN PNDIS_BUFFER pMdl,
|
|
IN IP_STATUS Status
|
|
)
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
Called by the stack on a SendComplete - frees up IPSEC's Mdls.
|
|
This is only called when IPSEC injects packets into the stack.
|
|
|
|
Arguments:
|
|
|
|
|
|
pMdl - points to the data after the IP header. On the send side, this is an MDL chain
|
|
On the recv side this is an IPRcvBuf pointer.
|
|
|
|
Return Value:
|
|
|
|
STATUS_SUCCESS => Forward - Filter driver passes packet on to IP
|
|
STATUS_PENDING => Drop, IPSEC will re-inject
|
|
|
|
Others:
|
|
STATUS_INSUFFICIENT_RESOURCES => Drop
|
|
STATUS_UNSUCCESSFUL (error in algo./bad packet received) => Drop
|
|
|
|
--*/
|
|
{
|
|
PNDIS_BUFFER pNextMdl;
|
|
NTSTATUS status;
|
|
PIPSEC_SEND_COMPLETE_CONTEXT pSCContext = (PIPSEC_SEND_COMPLETE_CONTEXT)pContext;
|
|
|
|
if (!pSCContext->Flags) {
|
|
return;
|
|
}
|
|
|
|
ASSERT(pMdl);
|
|
|
|
while (pMdl) {
|
|
pNextMdl = NDIS_BUFFER_LINKAGE(pMdl);
|
|
IPSecFreeBuffer(&status, pMdl);
|
|
pMdl = pNextMdl;
|
|
}
|
|
|
|
IPSecFreeSendCompleteCtx(pSCContext);
|
|
|
|
return;
|
|
}
|
|
|
|
|
|
NTSTATUS
|
|
IPSecChkReplayWindow(
|
|
IN ULONG Seq,
|
|
IN PSA_TABLE_ENTRY pSA,
|
|
IN ULONG Index
|
|
)
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
Checks if the received packet is in the received window to prevent against
|
|
replay attacks.
|
|
|
|
We keep track of the last Sequence number received and ensure that the
|
|
received packets is within the packet window (currently 32 packets).
|
|
|
|
Arguments:
|
|
|
|
Seq - received Sequence number
|
|
|
|
pSA - points to the security association
|
|
|
|
Return Value:
|
|
|
|
STATUS_SUCCESS => packet in window
|
|
STATUS_UNSUCCESSFUL => packet rejected
|
|
|
|
--*/
|
|
{
|
|
ULONG diff;
|
|
ULONG ReplayWindowSize = REPLAY_WINDOW_SIZE;
|
|
ULONG lastSeq = pSA->sa_ReplayLastSeq[Index];
|
|
ULONGLONG bitmap = pSA->sa_ReplayBitmap[Index];
|
|
ULONGLONG dbgbitmap = bitmap;
|
|
|
|
if (pSA->sa_Flags & FLAGS_SA_DISABLE_ANTI_REPLAY_CHECK) {
|
|
return STATUS_SUCCESS;
|
|
}
|
|
|
|
if (Seq == pSA->sa_ReplayStartPoint) {
|
|
//
|
|
// first == 0 or wrapped
|
|
//
|
|
IPSEC_DEBUG(SEND, ("Replay: out @1 - Seq: %lx, pSA->sa_ReplayStartPoint: %lx\n",
|
|
Seq, pSA->sa_ReplayStartPoint));
|
|
return IPSEC_INVALID_REPLAY_WINDOW1;
|
|
}
|
|
|
|
#if DBG
|
|
IPSEC_DEBUG(SEND, ("Replay: Last Seq.: %lx, Cur Seq.: %lx, window size %d & bit window (in nibbles) %08lx%08lx\n",
|
|
lastSeq, Seq, sizeof(bitmap)*8, (ULONG) (dbgbitmap >> 32), (ULONG) dbgbitmap));
|
|
#endif
|
|
|
|
//
|
|
// new larger Sequence number
|
|
//
|
|
if (Seq > lastSeq) {
|
|
diff = Seq - lastSeq;
|
|
if (diff < ReplayWindowSize) {
|
|
//
|
|
// In window
|
|
// set bit for this packet
|
|
bitmap = (bitmap << diff) | 1;
|
|
} else {
|
|
//
|
|
// This packet has a "way larger" Seq
|
|
//
|
|
bitmap = 1;
|
|
}
|
|
lastSeq = Seq;
|
|
pSA->sa_ReplayLastSeq[Index] = lastSeq;
|
|
pSA->sa_ReplayBitmap[Index] = bitmap;
|
|
|
|
//
|
|
// larger is good
|
|
//
|
|
return STATUS_SUCCESS;
|
|
}
|
|
|
|
diff = lastSeq - Seq;
|
|
if (diff >= ReplayWindowSize) {
|
|
//
|
|
// too old or wrapped
|
|
//
|
|
IPSEC_DEBUG(SEND, ("Replay: out @3 - Seq: %lx, lastSeq: %lx\n",
|
|
Seq, lastSeq));
|
|
return IPSEC_INVALID_REPLAY_WINDOW2;
|
|
}
|
|
|
|
if (bitmap & (1l << diff)) {
|
|
//
|
|
// this packet already seen
|
|
//
|
|
IPSEC_DEBUG(SEND, ("Replay: out @4 - Seq: %lx, lastSeq: %lx\n",
|
|
Seq, lastSeq));
|
|
return IPSEC_DUPE_PACKET;
|
|
}
|
|
|
|
//
|
|
// mark as seen
|
|
//
|
|
bitmap |= (1l << diff);
|
|
|
|
pSA->sa_ReplayLastSeq[Index] = lastSeq;
|
|
pSA->sa_ReplayBitmap[Index] = bitmap;
|
|
|
|
//
|
|
// out of order but good
|
|
//
|
|
return STATUS_SUCCESS;
|
|
}
|
|
|
|
|
|
NTSTATUS
|
|
IPSecReinjectPacket(
|
|
IN PVOID pData,
|
|
IN PNDIS_PACKET_EXTENSION pPktExt
|
|
)
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
Re-injects packet into the stack's send path - makes a copy
|
|
of the packet then calls into IPTransmit, making sure the SendComplete
|
|
Context is setup properly.
|
|
|
|
Arguments:
|
|
|
|
pData - Points to "un-tunneled" data, starting at the encapsulated IP header
|
|
|
|
pPktExt - Points to the NDIS Packet extension structure
|
|
|
|
Return Value:
|
|
|
|
Status of copy/transmit operation
|
|
|
|
--*/
|
|
{
|
|
IPOptInfo optInfo;
|
|
PNDIS_BUFFER pOptMdl;
|
|
PNDIS_BUFFER pHdrMdl;
|
|
PNDIS_BUFFER pDataMdl;
|
|
ULONG len;
|
|
ULONG len1;
|
|
ULONG hdrLen;
|
|
IPRcvBuf *pNextData;
|
|
IPHeader UNALIGNED * pIPH;
|
|
IPHeader UNALIGNED * pIPH1;
|
|
ULONG offset;
|
|
NTSTATUS status;
|
|
ULONG tag = IPSEC_TAG_REINJECT;
|
|
PIPSEC_SEND_COMPLETE_CONTEXT pContext;
|
|
NDIS_PACKET_EXTENSION PktExt = {0};
|
|
PNDIS_IPSEC_PACKET_INFO IPSecPktInfo;
|
|
|
|
//
|
|
// Allocate context for IPSecSencComplete use
|
|
//
|
|
pContext = IPSecAllocateSendCompleteCtx(tag);
|
|
|
|
if (!pContext) {
|
|
IPSEC_DEBUG(ESP, ("Failed to alloc. SendCtx\n"));
|
|
return STATUS_INSUFFICIENT_RESOURCES;
|
|
}
|
|
|
|
IPSEC_INCREMENT(g_ipsec.NumSends);
|
|
|
|
IPSecZeroMemory(pContext, sizeof(IPSEC_SEND_COMPLETE_CONTEXT));
|
|
|
|
#if DBG
|
|
RtlCopyMemory(pContext->Signature, "ISC5", 4);
|
|
#endif
|
|
|
|
//
|
|
// Pass along IPSEC_PKT_INFO for transport offload if needed
|
|
//
|
|
if (pPktExt) {
|
|
IPSecPktInfo = pPktExt->NdisPacketInfo[IpSecPacketInfo];
|
|
|
|
if (IPSecPktInfo) {
|
|
ASSERT(IPSecPktInfo->Receive.CryptoStatus == CRYPTO_SUCCESS);
|
|
ASSERT(IPSecPktInfo->Receive.CRYPTO_DONE);
|
|
|
|
//
|
|
// Only interested in NEXT_CRYPTO_DONE if packet is reinjected.
|
|
//
|
|
if (!(IPSecPktInfo->Receive.NEXT_CRYPTO_DONE)) {
|
|
IPSecPktInfo = NULL;
|
|
}
|
|
}
|
|
} else {
|
|
IPSecPktInfo = NULL;
|
|
}
|
|
|
|
if (IPSecPktInfo) {
|
|
//
|
|
// Pass the IPSecPktInfo to IPTransmit.
|
|
//
|
|
pContext->PktExt = IPSecAllocatePktExt(IPSEC_TAG_HW_PKTEXT);
|
|
|
|
if (!pContext->PktExt) {
|
|
IPSEC_DEBUG(ESP, ("Failed to alloc. PktInfo\n"));
|
|
IPSecFreeSendCompleteCtx(pContext);
|
|
return STATUS_INSUFFICIENT_RESOURCES;
|
|
}
|
|
|
|
pContext->Flags |= SCF_PKTEXT;
|
|
|
|
RtlCopyMemory( pContext->PktExt,
|
|
IPSecPktInfo,
|
|
sizeof(NDIS_IPSEC_PACKET_INFO));
|
|
PktExt.NdisPacketInfo[IpSecPacketInfo] = (PNDIS_IPSEC_PACKET_INFO)(pContext->PktExt);
|
|
}
|
|
|
|
//
|
|
// Re-package into MDLs for the send - these will be released on the
|
|
// SendComplete.
|
|
//
|
|
// FUTURE WORK: right now we copy the data out, this shd be optimized
|
|
// by calling IPRcvPacket and using buffer ownership.
|
|
//
|
|
IPSEC_GET_TOTAL_LEN_RCV_BUF(pData, &len);
|
|
|
|
//
|
|
// IPH is at head of pData
|
|
//
|
|
IPSecQueryRcvBuf(pData, (PVOID)&pIPH, &len1);
|
|
|
|
//
|
|
// Allocate MDL for the IP header
|
|
//
|
|
hdrLen = (pIPH->iph_verlen & (UCHAR)~IP_VER_FLAG) << 2;
|
|
|
|
if (len <= hdrLen) {
|
|
IPSEC_DEBUG(ESP, ("TotLen of the buffers %d <= hdrLen %d\n", len, hdrLen));
|
|
if (pContext->PktExt) {
|
|
IPSecFreeMemory(pContext->PktExt);
|
|
}
|
|
IPSecFreeSendCompleteCtx(pContext);
|
|
return STATUS_INVALID_PARAMETER;
|
|
}
|
|
|
|
IPSecAllocateBuffer(&status,
|
|
&pHdrMdl,
|
|
(PUCHAR *)&pIPH1,
|
|
sizeof(IPHeader),
|
|
tag);
|
|
|
|
if (!NT_SUCCESS(status)) {
|
|
IPSEC_DEBUG(ESP, ("Failed to alloc. header MDL\n"));
|
|
if (pContext->PktExt) {
|
|
IPSecFreeMemory(pContext->PktExt);
|
|
}
|
|
IPSecFreeSendCompleteCtx(pContext);
|
|
return status;
|
|
}
|
|
|
|
//
|
|
// Copy over the header
|
|
//
|
|
RtlCopyMemory(pIPH1, pIPH, sizeof(IPHeader));
|
|
|
|
len -= hdrLen;
|
|
offset = hdrLen;
|
|
|
|
IPSecAllocateBuffer(&status,
|
|
&pDataMdl,
|
|
NULL,
|
|
len,
|
|
tag);
|
|
|
|
if (!NT_SUCCESS(status)) {
|
|
NTSTATUS ntstatus;
|
|
|
|
IPSEC_DEBUG(ESP, ("Failed to alloc. encrypt MDL\n"));
|
|
IPSecFreeBuffer(&ntstatus, pHdrMdl);
|
|
if (pContext->PktExt) {
|
|
IPSecFreeMemory(pContext->PktExt);
|
|
}
|
|
IPSecFreeSendCompleteCtx(pContext);
|
|
return status;
|
|
}
|
|
|
|
if (hdrLen > sizeof(IPHeader)) {
|
|
PUCHAR Options;
|
|
PUCHAR pOpt;
|
|
|
|
//
|
|
// Options present - another Mdl
|
|
//
|
|
IPSecAllocateBuffer(&status,
|
|
&pOptMdl,
|
|
&Options,
|
|
hdrLen - sizeof(IPHeader),
|
|
tag);
|
|
|
|
if (!NT_SUCCESS(status)) {
|
|
NTSTATUS ntstatus;
|
|
|
|
IPSecFreeBuffer(&ntstatus, pHdrMdl);
|
|
IPSecFreeBuffer(&ntstatus, pDataMdl);
|
|
if (pContext->PktExt) {
|
|
IPSecFreeMemory(pContext->PktExt);
|
|
}
|
|
IPSecFreeSendCompleteCtx(pContext);
|
|
IPSEC_DEBUG(ESP, ("Failed to alloc. options MDL\n"));
|
|
return status;
|
|
}
|
|
|
|
//
|
|
// Copy over the options - we need to fish for it - could be in next MDL
|
|
//
|
|
if (len1 >= hdrLen) {
|
|
//
|
|
// all in this buffer - jump over IP header
|
|
//
|
|
RtlCopyMemory(Options, (PUCHAR)(pIPH + 1), hdrLen - sizeof(IPHeader));
|
|
} else {
|
|
//
|
|
// next buffer, copy from next
|
|
//
|
|
pData = IPSEC_BUFFER_LINKAGE(pData);
|
|
IPSecQueryRcvBuf(pData, (PVOID)&pOpt, &len1);
|
|
RtlCopyMemory(Options, pOpt, hdrLen - sizeof(IPHeader));
|
|
offset = hdrLen - sizeof(IPHeader);
|
|
}
|
|
|
|
//
|
|
// Link in the Options buffer
|
|
//
|
|
NDIS_BUFFER_LINKAGE(pHdrMdl) = pOptMdl;
|
|
NDIS_BUFFER_LINKAGE(pOptMdl) = pDataMdl;
|
|
} else {
|
|
//
|
|
// Link in the Data buffer
|
|
//
|
|
NDIS_BUFFER_LINKAGE(pHdrMdl) = pDataMdl;
|
|
}
|
|
|
|
//
|
|
// Now bulk copy the entire data
|
|
//
|
|
IPSEC_COPY_FROM_RCVBUF( pDataMdl,
|
|
pData,
|
|
len,
|
|
offset);
|
|
|
|
//
|
|
// Fill up the SendCompleteContext
|
|
//
|
|
pContext->FlushMdl = pHdrMdl;
|
|
pContext->Flags |= SCF_FLUSH;
|
|
|
|
//
|
|
// Call IPTransmit with proper Protocol type so it takes this packet
|
|
// at *face* value.
|
|
//
|
|
optInfo = g_ipsec.OptInfo;
|
|
optInfo.ioi_options = (PUCHAR)&PktExt;
|
|
optInfo.ioi_flags |= IP_FLAG_IPSEC;
|
|
status = TCPIP_IP_TRANSMIT( &g_ipsec.IPProtInfo,
|
|
pContext,
|
|
pHdrMdl,
|
|
len,
|
|
pIPH->iph_dest,
|
|
pIPH->iph_src,
|
|
&optInfo,
|
|
NULL,
|
|
pIPH->iph_protocol,
|
|
NULL);
|
|
|
|
//
|
|
// IPTransmit may fail to allocate a Packet so it returns
|
|
// IP_NO_RESOURCES. If this is the case, we need to free the MDL chain.
|
|
// This is taken care of in IPTransmit().
|
|
//
|
|
// Even in the synchronous case, we free the MDL chain in ProtocolSendComplete (called by IPSecSendComplete).
|
|
// So, we dont call anything here.
|
|
//
|
|
|
|
return STATUS_SUCCESS;
|
|
}
|
|
|
|
|
|
NTSTATUS
|
|
IPSecQueuePacket(
|
|
IN PSA_TABLE_ENTRY pSA,
|
|
IN PVOID pDataBuf
|
|
)
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
Copies the packet into the SAs Stall Queue.
|
|
|
|
Arguments:
|
|
|
|
Return Value:
|
|
|
|
--*/
|
|
{
|
|
ULONG len;
|
|
ULONG len1;
|
|
PNDIS_BUFFER pOptMdl;
|
|
PNDIS_BUFFER pHdrMdl;
|
|
PNDIS_BUFFER pDataMdl;
|
|
KIRQL kIrql;
|
|
ULONG hdrLen;
|
|
IPHeader UNALIGNED * pIPH;
|
|
IPHeader UNALIGNED * pIPH1;
|
|
NTSTATUS status;
|
|
ULONG offset;
|
|
ULONG tag = IPSEC_TAG_STALL_QUEUE;
|
|
PNDIS_BUFFER pData = (PNDIS_BUFFER)pDataBuf;
|
|
|
|
//
|
|
// Queue last packet so if we already have one free it first.
|
|
//
|
|
if (pSA->sa_BlockedBuffer != NULL) {
|
|
IPSecFlushQueuedPackets(pSA, STATUS_ABANDONED);
|
|
}
|
|
|
|
ACQUIRE_LOCK(&pSA->sa_Lock, &kIrql);
|
|
|
|
//
|
|
// Need a lock here - sa_Lock.
|
|
//
|
|
if (pSA->sa_State == STATE_SA_LARVAL) {
|
|
|
|
IPSEC_DEBUG(ACQUIRE, ("Pending packet: %lx\n", pSA));
|
|
|
|
//
|
|
// Copy over the Mdl chain to this SAs pend queue.
|
|
//
|
|
IPSEC_GET_TOTAL_LEN(pData, &len);
|
|
|
|
//
|
|
// IPH is at head of pData
|
|
//
|
|
IPSecQueryNdisBuf(pData, &pIPH, &len1);
|
|
|
|
hdrLen = (pIPH->iph_verlen & (UCHAR)~IP_VER_FLAG) << 2;
|
|
|
|
IPSecAllocateBuffer(&status,
|
|
&pHdrMdl,
|
|
(PUCHAR *)&pIPH1,
|
|
sizeof(IPHeader),
|
|
tag);
|
|
|
|
if (!NT_SUCCESS(status)) {
|
|
NTSTATUS ntstatus;
|
|
IPSEC_DEBUG(ESP, ("Failed to alloc. header MDL\n"));
|
|
RELEASE_LOCK(&pSA->sa_Lock, kIrql);
|
|
return status;
|
|
}
|
|
|
|
IPSEC_DEBUG(POOL, ("IPSecQueuePacket: pHdrMdl: %lx, pIPH1: %lx\n", pHdrMdl, pIPH1));
|
|
|
|
//
|
|
// Copy over the header
|
|
//
|
|
RtlCopyMemory(pIPH1, pIPH, sizeof(IPHeader));
|
|
|
|
len -= hdrLen;
|
|
offset = hdrLen;
|
|
|
|
IPSecAllocateBuffer(&status,
|
|
&pDataMdl,
|
|
NULL,
|
|
len,
|
|
tag);
|
|
|
|
if (!NT_SUCCESS(status)) {
|
|
NTSTATUS ntstatus;
|
|
IPSEC_DEBUG(ESP, ("Failed to alloc. encrypt MDL\n"));
|
|
IPSecFreeBuffer(&status, pHdrMdl);
|
|
RELEASE_LOCK(&pSA->sa_Lock, kIrql);
|
|
return status;
|
|
}
|
|
|
|
if (hdrLen > sizeof(IPHeader)) {
|
|
PUCHAR Options;
|
|
PUCHAR pOpt;
|
|
|
|
//
|
|
// Options present - another Mdl
|
|
//
|
|
IPSecAllocateBuffer(&status,
|
|
&pOptMdl,
|
|
&Options,
|
|
hdrLen - sizeof(IPHeader),
|
|
tag);
|
|
|
|
if (!NT_SUCCESS(status)) {
|
|
IPSecFreeBuffer(&status, pHdrMdl);
|
|
IPSecFreeBuffer(&status, pDataMdl);
|
|
IPSEC_DEBUG(ESP, ("Failed to alloc. options MDL\n"));
|
|
RELEASE_LOCK(&pSA->sa_Lock, kIrql);
|
|
return status;
|
|
}
|
|
|
|
//
|
|
// Copy over the options - we need to fish for it - could be in next MDL
|
|
//
|
|
if (len1 >= hdrLen) {
|
|
//
|
|
// all in this buffer - jump over IP header
|
|
//
|
|
RtlCopyMemory(Options, (PUCHAR)(pIPH + 1), hdrLen - sizeof(IPHeader));
|
|
} else {
|
|
//
|
|
// next buffer, copy from next
|
|
//
|
|
pData = NDIS_BUFFER_LINKAGE(pData);
|
|
IPSecQueryNdisBuf(pData, &pOpt, &len1);
|
|
RtlCopyMemory(Options, pOpt, hdrLen - sizeof(IPHeader));
|
|
offset = hdrLen - sizeof(IPHeader);
|
|
}
|
|
|
|
//
|
|
// Link in the Options buffer
|
|
//
|
|
NDIS_BUFFER_LINKAGE(pHdrMdl) = pOptMdl;
|
|
NDIS_BUFFER_LINKAGE(pOptMdl) = pDataMdl;
|
|
} else {
|
|
//
|
|
// Link in the Data buffer
|
|
//
|
|
NDIS_BUFFER_LINKAGE(pHdrMdl) = pDataMdl;
|
|
}
|
|
|
|
//
|
|
// Now bulk copy the entire data
|
|
//
|
|
IPSEC_COPY_FROM_NDISBUF(pDataMdl,
|
|
pData,
|
|
len,
|
|
offset);
|
|
|
|
pSA->sa_BlockedBuffer = pHdrMdl;
|
|
pSA->sa_BlockedDataLen = len;
|
|
|
|
IPSEC_DEBUG(ACQUIRE, ("Queued buffer: %lx on SA: %lx, psa->sa_BlockedBuffer: %lx\n", pHdrMdl, pSA, &pSA->sa_BlockedBuffer));
|
|
}
|
|
|
|
RELEASE_LOCK(&pSA->sa_Lock, kIrql);
|
|
|
|
return STATUS_SUCCESS;
|
|
}
|
|
|
|
|
|
VOID
|
|
IPSecIPAddrToUnicodeString(
|
|
IN IPAddr Addr,
|
|
OUT PWCHAR UCIPAddrBuffer
|
|
)
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
Converts an IP addr into a wchar string
|
|
|
|
Arguments:
|
|
|
|
Return Value:
|
|
|
|
--*/
|
|
{
|
|
UINT IPAddrCharCount=0;
|
|
UINT i;
|
|
UCHAR IPAddrBuffer[(sizeof(IPAddr) * 4)];
|
|
UNICODE_STRING unicodeString;
|
|
ANSI_STRING ansiString;
|
|
|
|
//
|
|
// Convert the IP address into a string.
|
|
//
|
|
for (i = 0; i < sizeof(IPAddr); i++) {
|
|
UINT CurrentByte;
|
|
|
|
CurrentByte = Addr & 0xff;
|
|
if (CurrentByte > 99) {
|
|
IPAddrBuffer[IPAddrCharCount++] = (CurrentByte / 100) + '0';
|
|
CurrentByte %= 100;
|
|
IPAddrBuffer[IPAddrCharCount++] = (CurrentByte / 10) + '0';
|
|
CurrentByte %= 10;
|
|
} else if (CurrentByte > 9) {
|
|
IPAddrBuffer[IPAddrCharCount++] = (CurrentByte / 10) + '0';
|
|
CurrentByte %= 10;
|
|
}
|
|
|
|
IPAddrBuffer[IPAddrCharCount++] = CurrentByte + '0';
|
|
if (i != (sizeof(IPAddr) - 1))
|
|
IPAddrBuffer[IPAddrCharCount++] = '.';
|
|
|
|
Addr >>= 8;
|
|
}
|
|
|
|
//
|
|
// Unicode the strings.
|
|
//
|
|
*UCIPAddrBuffer = UNICODE_NULL;
|
|
|
|
unicodeString.Buffer = UCIPAddrBuffer;
|
|
unicodeString.Length = 0;
|
|
unicodeString.MaximumLength =
|
|
(USHORT)(sizeof(WCHAR) * ((sizeof(IPAddr) * 4) + 1));
|
|
ansiString.Buffer = IPAddrBuffer;
|
|
ansiString.Length = (USHORT)IPAddrCharCount;
|
|
ansiString.MaximumLength = (USHORT)IPAddrCharCount;
|
|
|
|
RtlAnsiStringToUnicodeString( &unicodeString,
|
|
&ansiString,
|
|
FALSE);
|
|
}
|
|
|
|
|
|
VOID
|
|
IPSecCountToUnicodeString(
|
|
IN ULONG Count,
|
|
OUT PWCHAR UCCountBuffer
|
|
)
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
Converts a count a wchar string
|
|
|
|
Arguments:
|
|
|
|
Return Value:
|
|
|
|
--*/
|
|
{
|
|
UNICODE_STRING unicodeString;
|
|
|
|
//
|
|
// Unicode the strings.
|
|
//
|
|
*UCCountBuffer = UNICODE_NULL;
|
|
|
|
unicodeString.Buffer = UCCountBuffer;
|
|
unicodeString.Length = 0;
|
|
unicodeString.MaximumLength = (USHORT)sizeof(WCHAR) * (MAX_COUNT_STRING_LEN + 1);
|
|
|
|
RtlIntegerToUnicodeString ( Count,
|
|
10, // Base
|
|
&unicodeString);
|
|
}
|
|
|
|
|
|
VOID
|
|
IPSecESPStatus(
|
|
IN UCHAR StatusType,
|
|
IN IP_STATUS StatusCode,
|
|
IN IPAddr OrigDest,
|
|
IN IPAddr OrigSrc,
|
|
IN IPAddr Src,
|
|
IN ULONG Param,
|
|
IN PVOID Data
|
|
)
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
Handle a status indication for ESP, mostly for PMTU handling.
|
|
|
|
Arguments:
|
|
|
|
StatusType - Type of status.
|
|
StatusCode - Code identifying IP_STATUS.
|
|
OrigDest - If this is NET status, the original dest. of DG that
|
|
triggered it.
|
|
OrigSrc - The original src corr. OrigDest.
|
|
Src - IP address of status originator (could be local or remote).
|
|
Param - Additional information for status - i.e. the param field of
|
|
an ICMP message.
|
|
Data - Data pertaining to status - for NET status, this is the
|
|
first 8 bytes of the original DG.
|
|
|
|
Return Value:
|
|
|
|
--*/
|
|
{
|
|
IPSEC_DEBUG(PMTU, ("PMTU for ESP recieved from %lx to %lx\n", OrigSrc, OrigDest));
|
|
|
|
if (StatusType == IP_NET_STATUS && StatusCode == IP_SPEC_MTU_CHANGE) {
|
|
IPSecProcessPMTU( OrigDest,
|
|
OrigSrc,
|
|
NET_TO_HOST_LONG(((UNALIGNED ESP *)Data)->esp_spi),
|
|
Encrypt,
|
|
Param);
|
|
}
|
|
}
|
|
|
|
|
|
VOID
|
|
IPSecAHStatus(
|
|
IN UCHAR StatusType,
|
|
IN IP_STATUS StatusCode,
|
|
IN IPAddr OrigDest,
|
|
IN IPAddr OrigSrc,
|
|
IN IPAddr Src,
|
|
IN ULONG Param,
|
|
IN PVOID Data
|
|
)
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
Handle a status indication for AH, mostly for PMTU handling.
|
|
|
|
Arguments:
|
|
|
|
StatusType - Type of status.
|
|
StatusCode - Code identifying IP_STATUS.
|
|
OrigDest - If this is NET status, the original dest. of DG that
|
|
triggered it.
|
|
OrigSrc - The original src corr. OrigDest.
|
|
Src - IP address of status originator (could be local or remote).
|
|
Param - Additional information for status - i.e. the param field of
|
|
an ICMP message.
|
|
Data - Data pertaining to status - for NET status, this is the
|
|
first 8 bytes of the original DG.
|
|
|
|
Return Value:
|
|
|
|
--*/
|
|
{
|
|
IPSEC_DEBUG(PMTU, ("PMTU for AH recieved from %lx to %lx\n", OrigSrc, OrigDest));
|
|
|
|
if (StatusType == IP_NET_STATUS && StatusCode == IP_SPEC_MTU_CHANGE) {
|
|
IPSecProcessPMTU( OrigDest,
|
|
OrigSrc,
|
|
NET_TO_HOST_LONG(((UNALIGNED AH *)Data)->ah_spi),
|
|
Auth,
|
|
Param);
|
|
}
|
|
}
|
|
|
|
|
|
VOID
|
|
IPSecProcessPMTU(
|
|
IN IPAddr OrigDest,
|
|
IN IPAddr OrigSrc,
|
|
IN tSPI SPI,
|
|
IN OPERATION_E Operation,
|
|
IN ULONG NewMTU
|
|
)
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
Process PMTU.
|
|
|
|
Arguments:
|
|
|
|
OrigDest - The original dest. of DG that triggered it.
|
|
OrigSrc - The original src corr. OrigDest.
|
|
SPI - SPI of the outer IPSec header.
|
|
Operation - AH or ESP operation of IPSec.
|
|
NewMTU - The new MTU indicated by the intermediate gateway.
|
|
|
|
Return Value:
|
|
|
|
--*/
|
|
{
|
|
PLIST_ENTRY pFilterEntry;
|
|
PLIST_ENTRY pSAEntry;
|
|
PFILTER pFilter;
|
|
PSA_TABLE_ENTRY pSA;
|
|
IPAddr SADest;
|
|
KIRQL kIrql;
|
|
LONG Index;
|
|
LONG SAIndex;
|
|
BOOLEAN fFound = FALSE;
|
|
|
|
IPSEC_DEBUG(PMTU, ("IPSecProcessPMTU: NewMTU arrived %lx\n", NewMTU));
|
|
|
|
AcquireWriteLock(&g_ipsec.SADBLock, &kIrql);
|
|
|
|
//
|
|
// Search Tunnel and Masked filter list for an outbound SA that matches
|
|
// OrigDest, OrigSrc and SPI. If such an SA is found, update its NewMTU
|
|
// field so that next packet using the SA propogate a smaller MTU
|
|
// back to TCP/IP stack. Tunnel filter should be searched first because
|
|
// if in the case transport over tunnel operation, the packet going out
|
|
// will have the Tunnel header.
|
|
//
|
|
for ( Index = OUTBOUND_TUNNEL_FILTER;
|
|
(Index >= OUTBOUND_TRANSPORT_FILTER) && !fFound;
|
|
Index -= TRANSPORT_TUNNEL_INCREMENT) {
|
|
|
|
for ( pFilterEntry = g_ipsec.FilterList[Index].Flink;
|
|
!fFound && pFilterEntry != &g_ipsec.FilterList[Index];
|
|
pFilterEntry = pFilterEntry->Flink) {
|
|
|
|
pFilter = CONTAINING_RECORD(pFilterEntry,
|
|
FILTER,
|
|
MaskedLinkage);
|
|
|
|
for ( SAIndex = 0;
|
|
(SAIndex < pFilter->SAChainSize) && !fFound;
|
|
SAIndex++) {
|
|
|
|
for ( pSAEntry = pFilter->SAChain[SAIndex].Flink;
|
|
pSAEntry != &pFilter->SAChain[SAIndex];
|
|
pSAEntry = pSAEntry->Flink) {
|
|
|
|
pSA = CONTAINING_RECORD(pSAEntry,
|
|
SA_TABLE_ENTRY,
|
|
sa_FilterLinkage);
|
|
|
|
if (pSA->sa_Flags & FLAGS_SA_TUNNEL) {
|
|
SADest = pSA->sa_TunnelAddr;
|
|
} else {
|
|
SADest = pSA->SA_DEST_ADDR;
|
|
}
|
|
|
|
if (SADest == OrigDest &&
|
|
pSA->sa_SPI == SPI &&
|
|
pSA->sa_Operation[pSA->sa_NumOps - 1] == Operation) {
|
|
//
|
|
// We matched the triple for a unique SA so this must be it.
|
|
//
|
|
fFound = TRUE;
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
//
|
|
// Update the NewMTU field of the found SA. We only do this if the new
|
|
// MTU is lower than the current one.
|
|
//
|
|
if (fFound && NewMTU < pSA->sa_NewMTU && NewMTU > sizeof(IPHeader)) {
|
|
IPSEC_SET_VALUE(pSA->sa_NewMTU, NewMTU);
|
|
IPSEC_DEBUG(PMTU, ("NewMTU %lx for pSA %lx\n", NewMTU, pSA));
|
|
}
|
|
|
|
ReleaseWriteLock(&g_ipsec.SADBLock, kIrql);
|
|
}
|
|
|
|
|
|
IPSEC_ACTION
|
|
IPSecRcvFWPacket(
|
|
IN PCHAR pIPHeader,
|
|
IN PVOID pData,
|
|
IN UINT DataLength,
|
|
IN UCHAR DestType
|
|
)
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
To match a inbound tunnel rule for a packet received on the inbound forward path.
|
|
|
|
Arguments:
|
|
|
|
pIPHeader - the IP header
|
|
pData - the data portion of the packet
|
|
DataLength - data length
|
|
|
|
Return Value:
|
|
|
|
eFORWARD
|
|
eDROP
|
|
|
|
--*/
|
|
{
|
|
PSA_TABLE_ENTRY pSA;
|
|
PSA_TABLE_ENTRY pNextSA;
|
|
USHORT FilterFlags;
|
|
NTSTATUS status;
|
|
IPSEC_ACTION action = eFORWARD;
|
|
IPRcvBuf RcvBuf = {0};
|
|
|
|
//
|
|
// We are not interested in non multicast broadcast packets.
|
|
//
|
|
if (IS_BCAST_DEST(DestType) && !IPSEC_MANDBCAST_PROCESS()) {
|
|
return action;
|
|
}
|
|
|
|
//
|
|
// Build a fake IPRcvBuf so we can reuse the classification routine.
|
|
//
|
|
RcvBuf.ipr_buffer = pData;
|
|
RcvBuf.ipr_size = DataLength;
|
|
|
|
status = IPSecClassifyPacket( (PUCHAR)pIPHeader,
|
|
&RcvBuf,
|
|
&pSA,
|
|
&pNextSA,
|
|
&FilterFlags,
|
|
#if GPC
|
|
0,
|
|
#endif
|
|
FALSE,
|
|
TRUE,
|
|
TRUE,
|
|
DestType);
|
|
|
|
if (status != STATUS_SUCCESS) {
|
|
if (status == STATUS_PENDING) {
|
|
//
|
|
// SA is being negotiated - drop.
|
|
//
|
|
action = eDROP;
|
|
} else {
|
|
//
|
|
// No Filter/SA match found - forward.
|
|
//
|
|
//action = eFORWARD;
|
|
}
|
|
} else {
|
|
if (FilterFlags) {
|
|
if (FilterFlags & FILTER_FLAGS_DROP) {
|
|
//
|
|
// Drop filter matched - drop.
|
|
//
|
|
action = eDROP;
|
|
} else if (FilterFlags & FILTER_FLAGS_PASS_THRU) {
|
|
//
|
|
// Pass-thru filter matched - forward.
|
|
//
|
|
//action = eFORWARD;
|
|
} else {
|
|
ASSERT(FALSE);
|
|
}
|
|
} else {
|
|
ASSERT(pSA);
|
|
ASSERT(pSA->sa_Flags & FLAGS_SA_TUNNEL);
|
|
//
|
|
// A real SA is matched - drop.
|
|
//
|
|
action = eDROP;
|
|
IPSecDerefSA(pSA);
|
|
}
|
|
}
|
|
|
|
return action;
|
|
}
|
|
|
|
|
|
NTSTATUS
|
|
IPSecRekeyInboundSA(
|
|
IN PSA_TABLE_ENTRY pSA
|
|
)
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
Rekey a SA because we hit the rekey threshold.
|
|
|
|
Arguments:
|
|
|
|
|
|
Return Value:
|
|
|
|
|
|
--*/
|
|
{
|
|
PSA_TABLE_ENTRY pLarvalSA;
|
|
PSA_TABLE_ENTRY pOutboundSA;
|
|
NTSTATUS status;
|
|
KIRQL kIrql;
|
|
|
|
AcquireWriteLock(&g_ipsec.SADBLock, &kIrql);
|
|
|
|
//
|
|
// If SA already expired, no rekey is necessary.
|
|
//
|
|
pOutboundSA = pSA->sa_AssociatedSA;
|
|
|
|
if (!pOutboundSA) {
|
|
ReleaseWriteLock(&g_ipsec.SADBLock, kIrql);
|
|
return STATUS_UNSUCCESSFUL;
|
|
}
|
|
|
|
if (!(pOutboundSA->sa_Flags & FLAGS_SA_REKEY_ORI)) {
|
|
pOutboundSA->sa_Flags |= FLAGS_SA_REKEY_ORI;
|
|
|
|
IPSEC_DEBUG(SA, ("SA: %lx expiring soon\n", pOutboundSA));
|
|
|
|
//
|
|
// Rekey, but still continue to use this SA until the actual expiry.
|
|
//
|
|
status = IPSecNegotiateSA( pOutboundSA->sa_Filter,
|
|
pOutboundSA->sa_uliSrcDstAddr,
|
|
pOutboundSA->sa_uliProtoSrcDstPort,
|
|
pOutboundSA->sa_NewMTU,
|
|
&pLarvalSA,
|
|
pOutboundSA->sa_DestType);
|
|
|
|
if (!NT_SUCCESS(status) && status != STATUS_DUPLICATE_OBJECTID) {
|
|
pOutboundSA->sa_Flags &= ~FLAGS_SA_REKEY_ORI;
|
|
status = STATUS_UNSUCCESSFUL;
|
|
}
|
|
}
|
|
|
|
ReleaseWriteLock(&g_ipsec.SADBLock, kIrql);
|
|
|
|
return status;
|
|
}
|
|
|
|
|
|
NTSTATUS
|
|
IPSecRekeyOutboundSA(
|
|
IN PSA_TABLE_ENTRY pSA
|
|
)
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
Rekey a SA because we hit the rekey threshold.
|
|
|
|
Arguments:
|
|
|
|
|
|
Return Value:
|
|
|
|
|
|
--*/
|
|
{
|
|
PSA_TABLE_ENTRY pLarvalSA;
|
|
NTSTATUS status;
|
|
KIRQL kIrql;
|
|
|
|
AcquireWriteLock(&g_ipsec.SADBLock, &kIrql);
|
|
|
|
if (!(pSA->sa_Flags & FLAGS_SA_REKEY_ORI)) {
|
|
pSA->sa_Flags |= FLAGS_SA_REKEY_ORI;
|
|
|
|
IPSEC_DEBUG(SA, ("SA: %lx expiring soon\n", pSA));
|
|
|
|
//
|
|
// Rekey, but still continue to use this SA until the actual expiry.
|
|
//
|
|
status = IPSecNegotiateSA( pSA->sa_Filter,
|
|
pSA->sa_uliSrcDstAddr,
|
|
pSA->sa_uliProtoSrcDstPort,
|
|
pSA->sa_NewMTU,
|
|
&pLarvalSA,
|
|
pSA->sa_DestType);
|
|
|
|
if (!NT_SUCCESS(status) && status != STATUS_DUPLICATE_OBJECTID) {
|
|
pSA->sa_Flags &= ~FLAGS_SA_REKEY_ORI;
|
|
status = STATUS_UNSUCCESSFUL;
|
|
}
|
|
}
|
|
|
|
ReleaseWriteLock(&g_ipsec.SADBLock, kIrql);
|
|
|
|
return status;
|
|
}
|
|
|
|
|
|
NTSTATUS
|
|
IPSecPuntInboundSA(
|
|
IN PSA_TABLE_ENTRY pSA
|
|
)
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
Punt a SA because we have exceeded the rekey threshold.
|
|
|
|
Arguments:
|
|
|
|
|
|
Return Value:
|
|
|
|
|
|
--*/
|
|
{
|
|
PSA_TABLE_ENTRY pOutboundSA;
|
|
KIRQL kIrql;
|
|
|
|
AcquireWriteLock(&g_ipsec.SADBLock, &kIrql);
|
|
|
|
//
|
|
// If SA already expired, no punt is necessary.
|
|
//
|
|
pOutboundSA = pSA->sa_AssociatedSA;
|
|
|
|
if (!pOutboundSA) {
|
|
ReleaseWriteLock(&g_ipsec.SADBLock, kIrql);
|
|
return STATUS_SUCCESS;
|
|
}
|
|
|
|
if (IPSEC_GET_VALUE(pOutboundSA->sa_Reference) > 1 &&
|
|
!(pOutboundSA->sa_Flags & FLAGS_SA_EXPIRED) &&
|
|
pOutboundSA->sa_State == STATE_SA_ACTIVE) {
|
|
pOutboundSA->sa_Flags |= FLAGS_SA_EXPIRED;
|
|
|
|
IPSEC_DEBUG(SA, ("SA: %lx has expired\n", pOutboundSA));
|
|
|
|
if (pOutboundSA->sa_Flags & FLAGS_SA_REKEY_ORI) {
|
|
pOutboundSA->sa_Flags &= ~FLAGS_SA_REKEY_ORI;
|
|
|
|
if (pOutboundSA->sa_RekeyLarvalSA) {
|
|
if (pOutboundSA->sa_RekeyLarvalSA->sa_RekeyOriginalSA) {
|
|
pOutboundSA->sa_RekeyLarvalSA->sa_RekeyOriginalSA = NULL;
|
|
}
|
|
}
|
|
}
|
|
|
|
//
|
|
// Delete this SA and expire the corresponding inbound SA.
|
|
//
|
|
IPSecDeleteInboundSA(pSA);
|
|
}
|
|
|
|
ReleaseWriteLock(&g_ipsec.SADBLock, kIrql);
|
|
|
|
return STATUS_SUCCESS;
|
|
}
|
|
|
|
|
|
NTSTATUS
|
|
IPSecPuntOutboundSA(
|
|
IN PSA_TABLE_ENTRY pSA
|
|
)
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
Punt a SA because we have exceeded the rekey threshold.
|
|
|
|
Arguments:
|
|
|
|
|
|
Return Value:
|
|
|
|
|
|
--*/
|
|
{
|
|
KIRQL kIrql;
|
|
|
|
AcquireWriteLock(&g_ipsec.SADBLock, &kIrql);
|
|
|
|
if (IPSEC_GET_VALUE(pSA->sa_Reference) > 1 &&
|
|
!(pSA->sa_Flags & FLAGS_SA_EXPIRED) &&
|
|
pSA->sa_State == STATE_SA_ACTIVE &&
|
|
pSA->sa_AssociatedSA != NULL) {
|
|
pSA->sa_Flags |= FLAGS_SA_EXPIRED;
|
|
|
|
IPSEC_DEBUG(SA, ("SA: %lx has expired\n", pSA));
|
|
|
|
if (pSA->sa_Flags & FLAGS_SA_REKEY_ORI) {
|
|
pSA->sa_Flags &= ~FLAGS_SA_REKEY_ORI;
|
|
|
|
if (pSA->sa_RekeyLarvalSA) {
|
|
if (pSA->sa_RekeyLarvalSA->sa_RekeyOriginalSA) {
|
|
pSA->sa_RekeyLarvalSA->sa_RekeyOriginalSA = NULL;
|
|
}
|
|
}
|
|
}
|
|
|
|
//
|
|
// Delete this SA and expire the corresponding inbound SA.
|
|
//
|
|
IPSecExpireInboundSA(pSA->sa_AssociatedSA);
|
|
}
|
|
|
|
ReleaseWriteLock(&g_ipsec.SADBLock, kIrql);
|
|
|
|
return STATUS_SUCCESS;
|
|
}
|
|
|
|
|
|
BOOLEAN
|
|
IPSecQueryStatus(
|
|
IN CLASSIFICATION_HANDLE GpcHandle
|
|
)
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
Query IPSec to see if IPSec applies to this flow. TCP/IP then decides whether
|
|
to take fast or slow path in IPTransmit.
|
|
|
|
Arguments:
|
|
|
|
GpcHandle
|
|
|
|
Return Value:
|
|
|
|
TRUE - if IPSec applies to this packet; slow path
|
|
FALSE - if IPSec doesn't apply to this packet; fast path
|
|
|
|
--*/
|
|
{
|
|
PLIST_ENTRY pFilterList;
|
|
PFILTER pFilter;
|
|
NTSTATUS status;
|
|
|
|
#if DBG
|
|
//
|
|
// This should force all traffic going through IPSecHandlePacket.
|
|
//
|
|
if (DebugQry) {
|
|
return TRUE;
|
|
}
|
|
#endif
|
|
|
|
if (IS_DRIVER_BYPASS() || IPSEC_DRIVER_IS_EMPTY()) {
|
|
return FALSE;
|
|
}
|
|
|
|
//
|
|
// If no GpcHandle passed in, take slow path.
|
|
//
|
|
if (!GpcHandle) {
|
|
return TRUE;
|
|
}
|
|
|
|
//
|
|
// Search in the tunnel filter list first.
|
|
//
|
|
pFilterList = &g_ipsec.FilterList[OUTBOUND_TUNNEL_FILTER];
|
|
|
|
//
|
|
// If any tunnel filters exist, take slow path.
|
|
//
|
|
if (!IsListEmpty(pFilterList)) {
|
|
return TRUE;
|
|
}
|
|
|
|
#if GPC
|
|
//
|
|
// Search the local GPC filter list.
|
|
//
|
|
pFilterList = &g_ipsec.GpcFilterList[OUTBOUND_TRANSPORT_FILTER];
|
|
|
|
//
|
|
// If any generic filters exist, take slow path.
|
|
//
|
|
if (!IsListEmpty(pFilterList)) {
|
|
return TRUE;
|
|
}
|
|
|
|
pFilter = NULL;
|
|
|
|
//
|
|
// Use GpcHandle directly to get the filter installed.
|
|
//
|
|
status = GPC_GET_CLIENT_CONTEXT(g_ipsec.GpcClients[GPC_CF_IPSEC_OUT],
|
|
GpcHandle,
|
|
&pFilter);
|
|
|
|
if (status == STATUS_INVALID_HANDLE) {
|
|
//
|
|
// Handle has expired, take slow path because re-classification will
|
|
// have to be applied to this flow from now on until connection breaks.
|
|
// So why bother performing a re-classification here?
|
|
//
|
|
return TRUE;
|
|
}
|
|
|
|
return pFilter != NULL;
|
|
#else
|
|
return TRUE;
|
|
#endif
|
|
}
|
|
|