712 lines
26 KiB
C
Executable File
712 lines
26 KiB
C
Executable File
/* Copyright (C) 2013-2014 Mamadou DIOP
|
|
* Copyright (C) 2013-2014 Doubango Telecom <http://www.doubango.org>
|
|
*
|
|
* This file is part of Open Source Doubango Framework.
|
|
*
|
|
* DOUBANGO is free software: you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License as published by
|
|
* the Free Software Foundation, either version 3 of the License, or
|
|
* (at your option) any later version.
|
|
*
|
|
* DOUBANGO is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* along with DOUBANGO.
|
|
*/
|
|
#include "plugin_win_ipsec_vista_config.h"
|
|
|
|
#include "tipsec.h" /* From tinyIPSec project. Requires linking against "tinyIPSec.lib" */
|
|
|
|
#include "tsk_memory.h"
|
|
#include "tsk_object.h"
|
|
#include "tsk_debug.h"
|
|
|
|
#include <ws2tcpip.h>
|
|
#include <Fwpmu.h>
|
|
#include <Rpc.h>
|
|
|
|
#if defined(_MSC_VER)
|
|
# pragma comment(lib, "Fwpuclnt.lib")
|
|
# pragma comment(lib, "Rpcrt4.lib")
|
|
#endif
|
|
|
|
typedef FWP_BYTE_BLOB* PFWP_BYTE_BLOB;
|
|
|
|
/* as WFP do not provide null encryption I define my own*/
|
|
static const IPSEC_CIPHER_TRANSFORM_ID0 IPSEC_CIPHER_TRANSFORM_ID_NULL_NULL= {
|
|
(IPSEC_CIPHER_TYPE)NULL,
|
|
(IPSEC_CIPHER_TYPE)NULL
|
|
};
|
|
|
|
#define TINYIPSEC_FILTER_NAME TEXT("Doubango Telecom tinyIPSec (Windows Vista)")
|
|
#define TINYIPSEC_PROVIDER_KEY NULL
|
|
|
|
#define TINYIPSEC_SA_NUM_ENTRIES_TO_REQUEST INT_MAX
|
|
#define TINYIPSEC_SA_MAX_LIFETIME 172799
|
|
|
|
#define TINYIPSEC_VISTA_GET_ALGO(algo) (algo == tipsec_alg_hmac_md5_96) ? IPSEC_AUTH_TRANSFORM_ID_HMAC_MD5_96 : IPSEC_AUTH_TRANSFORM_ID_HMAC_SHA_1_96
|
|
#define TINYIPSEC_VISTA_GET_EALGO(ealg) (ealg == tipsec_ealg_des_ede3_cbc) ? IPSEC_CIPHER_TRANSFORM_ID_CBC_3DES : ( (ealg == tipsec_ealg_aes) ? IPSEC_CIPHER_TRANSFORM_ID_AES_128 : IPSEC_CIPHER_TRANSFORM_ID_NULL_NULL )
|
|
#define TINYIPSEC_VISTA_GET_MODE(mode) (mode == tipsec_mode_tun) ? IPSEC_TRAFFIC_TYPE_TUNNEL : IPSEC_TRAFFIC_TYPE_TRANSPORT
|
|
#define TINYIPSEC_VISTA_GET_IPPROTO(ipproto) (ipproto == tipsec_ipproto_tcp) ? IPPROTO_TCP : ((ipproto == tipsec_ipproto_icmp) ? IPPROTO_ICMP : IPPROTO_UDP)
|
|
#define TINYIPSEC_VISTA_GET_IPVER(ipv6) (ipv6) ? FWP_IP_VERSION_V6 : FWP_IP_VERSION_V4
|
|
#define TINYIPSEC_VISTA_GET_PROTO(proto, ealg) (proto == tipsec_proto_ah) ? IPSEC_TRANSFORM_AH : ( (proto == tipsec_proto_esp) ? (ealg == tipsec_ealg_null ? IPSEC_TRANSFORM_ESP_AUTH : IPSEC_TRANSFORM_ESP_AUTH_AND_CIPHER) : IPSEC_TRANSFORM_ESP_AUTH_AND_CIPHER );
|
|
|
|
typedef struct plugin_win_ipsec_vista_ctx_s {
|
|
TIPSEC_DECLARE_CTX;
|
|
|
|
tipsec_ctx_t* pc_base;
|
|
UINT64 saId_us;
|
|
UINT64 saId_uc;
|
|
UINT64 filterId_in_us;
|
|
UINT64 filterId_out_us;
|
|
UINT64 filterId_in_uc;
|
|
UINT64 filterId_out_uc;
|
|
WCHAR filter_name[256];
|
|
|
|
HANDLE engine;
|
|
}
|
|
plugin_win_ipsec_vista_ctx_t;
|
|
|
|
static int _vista_createLocalSA(__in const plugin_win_ipsec_vista_ctx_t* p_ctx, __in tipsec_port_t local_port, __out tipsec_spi_t *spi, __out UINT64 *saId, __out UINT64 *filterId_in, __out UINT64 *filterId_out);
|
|
static int _vista_boundSA(__in const plugin_win_ipsec_vista_ctx_t* p_ctx, __in UINT64 local_saId, __in tipsec_spi_t remote_spi, __in BOOLEAN toInbound);
|
|
|
|
static int _vista_flushAll(const plugin_win_ipsec_vista_ctx_t* p_ctx);
|
|
static void _vista_deleteSaContextAndFilters(__in HANDLE engine, __in UINT64 inFilterId, __in UINT64 outFilterId, __in UINT64 saId);
|
|
|
|
//
|
|
// Plugin implementation
|
|
//
|
|
|
|
static tipsec_error_t _plugin_win_ipsec_vista_ctx_init(tipsec_ctx_t* _p_ctx)
|
|
{
|
|
plugin_win_ipsec_vista_ctx_t* p_ctx = (plugin_win_ipsec_vista_ctx_t*)_p_ctx;
|
|
DWORD code;
|
|
UUID uuid;
|
|
RPC_STATUS status;
|
|
static uint64_t __guard = 0;
|
|
|
|
if (p_ctx->pc_base->initialized) {
|
|
TSK_DEBUG_ERROR("Already initialized");
|
|
return tipsec_error_invalid_state;
|
|
}
|
|
|
|
/* Create filter name */
|
|
status = UuidCreate(&uuid);
|
|
if (status == RPC_S_OK) {
|
|
WCHAR* wszUuid = NULL;
|
|
UuidToStringW(&uuid, (RPC_WSTR*)&wszUuid);
|
|
if (!wszUuid) {
|
|
TSK_DEBUG_ERROR("Failed to convert the UUID");
|
|
return tipsec_error_sys;
|
|
}
|
|
swprintf(p_ctx->filter_name, sizeof(p_ctx->filter_name)/sizeof(p_ctx->filter_name[0]), L"%s//%s//%llu", TINYIPSEC_FILTER_NAME, wszUuid, __guard++);
|
|
RpcStringFree((RPC_WSTR*)&wszUuid);
|
|
}
|
|
else {
|
|
TSK_DEBUG_ERROR("Failed to create new UUID");
|
|
return tipsec_error_sys;
|
|
}
|
|
|
|
|
|
|
|
/* Open engine */
|
|
if ((code = FwpmEngineOpen0(NULL, RPC_C_AUTHN_WINNT, NULL, NULL, &p_ctx->engine))) {
|
|
p_ctx->pc_base->initialized = tsk_false;
|
|
TSK_DEBUG_ERROR("FwpmEngineOpen0 failed with error code [%x].", code);
|
|
return tipsec_error_sys;
|
|
}
|
|
else {
|
|
p_ctx->pc_base->initialized = tsk_true;
|
|
p_ctx->pc_base->state = tipsec_state_initial;
|
|
return tipsec_error_success;
|
|
}
|
|
}
|
|
|
|
static tipsec_error_t _plugin_win_ipsec_vista_ctx_set_local(tipsec_ctx_t* _p_ctx, const char* addr_local, const char* addr_remote, tipsec_port_t port_uc, tipsec_port_t port_us)
|
|
{
|
|
plugin_win_ipsec_vista_ctx_t* p_ctx = (plugin_win_ipsec_vista_ctx_t*)_p_ctx;
|
|
int ret;
|
|
|
|
_p_ctx->addr_local = tsk_realloc(_p_ctx->addr_local, _p_ctx->use_ipv6 ? 16 : 4);
|
|
if (!_p_ctx->addr_local) {
|
|
return tipsec_error_outofmemory;
|
|
}
|
|
_p_ctx->addr_remote = tsk_realloc(_p_ctx->addr_remote, _p_ctx->use_ipv6 ? 16 : 4);
|
|
if (!_p_ctx->addr_remote) {
|
|
return tipsec_error_outofmemory;
|
|
}
|
|
|
|
/* Set local IP */
|
|
if (_p_ctx->use_ipv6) {
|
|
if ((ret = inet_pton(AF_INET6, addr_local, _p_ctx->addr_local)) != 1 ) {
|
|
TSK_DEBUG_ERROR("inet_pton(%s) have failed with error code [%x].", addr_local, ret);
|
|
return tipsec_error_sys;
|
|
}
|
|
if ((ret = inet_pton(AF_INET6, addr_remote, _p_ctx->addr_remote)) != 1 ) {
|
|
TSK_DEBUG_ERROR("inet_pton(%s) have failed with error code [%x].", addr_remote, ret);
|
|
return tipsec_error_sys;
|
|
}
|
|
}
|
|
else {
|
|
if ((ret = inet_pton(AF_INET, addr_local, _p_ctx->addr_local)) != 1 ) {
|
|
TSK_DEBUG_ERROR("inet_pton(%s) have failed with error code [%x].", addr_local, ret);
|
|
return tipsec_error_sys;
|
|
}
|
|
else {
|
|
*((UINT32*)_p_ctx->addr_local) = ntohl(*((UINT32*)_p_ctx->addr_local));
|
|
}
|
|
if ((ret = inet_pton(AF_INET, addr_remote, _p_ctx->addr_remote)) != 1 ) {
|
|
TSK_DEBUG_ERROR("inet_pton(%s) have failed with error code [%x].", addr_remote, ret);
|
|
return tipsec_error_sys;
|
|
}
|
|
else {
|
|
*((UINT32*)_p_ctx->addr_remote) = ntohl(*((UINT32*)_p_ctx->addr_remote));
|
|
}
|
|
}
|
|
|
|
/* Set ports */
|
|
_p_ctx->port_uc = port_uc;
|
|
_p_ctx->port_us = port_us;
|
|
|
|
// Create SA1: (UC -> PS)
|
|
if ((ret = _vista_createLocalSA(p_ctx, _p_ctx->port_uc, &_p_ctx->spi_uc, &p_ctx->saId_uc, &p_ctx->filterId_in_uc, &p_ctx->filterId_out_uc))) {
|
|
return tipsec_error_sys;
|
|
}
|
|
|
|
// Create SA2: (US <-PC)
|
|
if ((ret = _vista_createLocalSA(p_ctx, _p_ctx->port_us, &_p_ctx->spi_us, &p_ctx->saId_us, &p_ctx->filterId_in_us, &p_ctx->filterId_out_uc))) {
|
|
return tipsec_error_sys;
|
|
}
|
|
|
|
_p_ctx->state = tipsec_state_inbound;
|
|
|
|
return tipsec_error_success;
|
|
}
|
|
|
|
static tipsec_error_t _plugin_win_ipsec_vista_ctx_set_remote(tipsec_ctx_t* _p_ctx, tipsec_spi_t spi_pc, tipsec_spi_t spi_ps, tipsec_port_t port_pc, tipsec_port_t port_ps, tipsec_lifetime_t lifetime)
|
|
{
|
|
plugin_win_ipsec_vista_ctx_t* p_ctx = (plugin_win_ipsec_vista_ctx_t*)_p_ctx;
|
|
|
|
/* Set Lifetime */
|
|
_p_ctx->lifetime = lifetime;
|
|
|
|
/* Set ports */
|
|
_p_ctx->port_ps = port_ps;
|
|
_p_ctx->port_pc = port_pc;
|
|
|
|
/* Set SPIs */
|
|
_p_ctx->spi_ps = spi_ps;
|
|
_p_ctx->spi_pc = spi_pc;
|
|
|
|
_p_ctx->state = tipsec_state_full;
|
|
|
|
return tipsec_error_success;
|
|
}
|
|
|
|
static tipsec_error_t _plugin_win_ipsec_vista_ctx_set_keys(tipsec_ctx_t* _p_ctx, const tipsec_key_t* ik, const tipsec_key_t* ck)
|
|
{
|
|
plugin_win_ipsec_vista_ctx_t* p_ctx = (plugin_win_ipsec_vista_ctx_t*)_p_ctx;
|
|
PFWP_BYTE_BLOB _ik, _ck;
|
|
|
|
/* Compute ik and ck */
|
|
_p_ctx->ik = tsk_realloc(_p_ctx->ik, sizeof(FWP_BYTE_BLOB));
|
|
if (!_p_ctx->ik) {
|
|
return tipsec_error_outofmemory;
|
|
}
|
|
_ik = (PFWP_BYTE_BLOB)_p_ctx->ik;
|
|
_p_ctx->ck = tsk_realloc(_p_ctx->ck, sizeof(FWP_BYTE_BLOB));
|
|
if (!_p_ctx->ck) {
|
|
return tipsec_error_outofmemory;
|
|
}
|
|
_ck = (PFWP_BYTE_BLOB)_p_ctx->ck;
|
|
|
|
_ik->data = tsk_calloc(TIPSEC_IK_LEN, 1);
|
|
if (!_ik->data) {
|
|
return tipsec_error_outofmemory;
|
|
}
|
|
memcpy(_ik->data, ik, TIPSEC_KEY_LEN);
|
|
_ik->size = TIPSEC_KEY_LEN;
|
|
|
|
_ck->data = tsk_calloc(TIPSEC_CK_LEN, 1);
|
|
if (!_ck->data) {
|
|
return tipsec_error_outofmemory;
|
|
}
|
|
memcpy(_ck->data, ck, TIPSEC_KEY_LEN);
|
|
_ck->size = TIPSEC_KEY_LEN;
|
|
|
|
return tipsec_error_success;
|
|
}
|
|
|
|
static tipsec_error_t _plugin_win_ipsec_vista_ctx_start(tipsec_ctx_t* _p_ctx)
|
|
{
|
|
plugin_win_ipsec_vista_ctx_t* p_ctx = (plugin_win_ipsec_vista_ctx_t*)_p_ctx;
|
|
int ret;
|
|
|
|
/* VERY IMPORTANT: The SA context functions must be called in a specific order:
|
|
(http://msdn.microsoft.com/en-us/library/bb540652(VS.85).aspx).
|
|
|
|
IPsecSaContextCreate0
|
|
IPsecSaContextGetSpi0
|
|
IPsecSaContextAddInbound0
|
|
IPsecSaContextAddOutbound0
|
|
*/
|
|
|
|
/* US <- PC */
|
|
if ((ret = _vista_boundSA(p_ctx, p_ctx->saId_us, _p_ctx->spi_us, TRUE))) {
|
|
TSK_DEBUG_ERROR("Failed to setup [US <- PC] SA. Error code = %d", ret);
|
|
return tipsec_error_sys;
|
|
}
|
|
/* UC <- PS */
|
|
if ((ret = _vista_boundSA(p_ctx, p_ctx->saId_uc, _p_ctx->spi_uc, TRUE))) {
|
|
TSK_DEBUG_ERROR("Failed to setup [UC <- PS] SA. Error code = %d", ret);
|
|
return tipsec_error_sys;
|
|
}
|
|
|
|
/* UC -> PS */
|
|
if ((ret = _vista_boundSA(p_ctx, p_ctx->saId_uc, _p_ctx->spi_ps, FALSE))) {
|
|
TSK_DEBUG_ERROR("Failed to setup [UC -> PS] SA. Error code = %d", ret);
|
|
return tipsec_error_sys;
|
|
}
|
|
/* US -> PC */
|
|
if ((ret = _vista_boundSA(p_ctx, p_ctx->saId_us, _p_ctx->spi_pc, FALSE))) {
|
|
TSK_DEBUG_ERROR("Failed to setup [US -> PC] SA. Error code = %d", ret);
|
|
return tipsec_error_sys;
|
|
}
|
|
|
|
_p_ctx->state = tipsec_state_active;
|
|
_p_ctx->started = 1;
|
|
|
|
return tipsec_error_success;
|
|
}
|
|
|
|
static tipsec_error_t _plugin_win_ipsec_vista_ctx_stop(tipsec_ctx_t* _p_ctx)
|
|
{
|
|
plugin_win_ipsec_vista_ctx_t* p_ctx = (plugin_win_ipsec_vista_ctx_t*)_p_ctx;
|
|
tipsec_error_t err = tipsec_error_success;
|
|
|
|
//if (!_p_ctx->started) {
|
|
// return tipsec_error_success;
|
|
//}
|
|
|
|
/* Flush (delete) all SAs associated to tinyIPSEC */
|
|
_vista_flushAll(p_ctx);
|
|
|
|
_p_ctx->started = 0;
|
|
_p_ctx->state = tipsec_state_initial;
|
|
|
|
return tipsec_error_success;
|
|
}
|
|
|
|
//
|
|
// Private functions
|
|
//
|
|
static int _vista_createLocalSA(__in const plugin_win_ipsec_vista_ctx_t* p_ctx, __in tipsec_port_t local_port, __out tipsec_spi_t *spi, __out UINT64 *saId, __out UINT64 *filterId_in, __out UINT64 *filterId_out)
|
|
{
|
|
DWORD result = NO_ERROR;
|
|
UINT64 tmpInFilterId = 0, tmpOutFilterId = 0, tmpSaId = 0;
|
|
FWPM_FILTER0 filter;
|
|
IPSEC_TRAFFIC0 outTraffic;
|
|
IPSEC_GETSPI0 getSpi;
|
|
int ret = -1;
|
|
FWPM_FILTER_CONDITION0 conds[6];
|
|
UINT32 numFilterConditions = 3;
|
|
|
|
*spi = 0;
|
|
*saId = 0;
|
|
*filterId_in = 0;
|
|
*filterId_out = 0;
|
|
|
|
conds[0].fieldKey = FWPM_CONDITION_IP_LOCAL_ADDRESS;
|
|
conds[0].matchType = FWP_MATCH_EQUAL;
|
|
conds[1].fieldKey = FWPM_CONDITION_IP_REMOTE_ADDRESS;
|
|
conds[1].matchType = FWP_MATCH_EQUAL;
|
|
if (p_ctx->pc_base->use_ipv6) {
|
|
conds[0].conditionValue.type = FWP_BYTE_ARRAY16_TYPE;
|
|
conds[0].conditionValue.byteArray16 = (FWP_BYTE_ARRAY16*)p_ctx->pc_base->addr_local;
|
|
conds[1].conditionValue.type = FWP_BYTE_ARRAY16_TYPE;
|
|
conds[1].conditionValue.byteArray16 = (FWP_BYTE_ARRAY16*)p_ctx->pc_base->addr_remote;
|
|
}
|
|
else {
|
|
conds[0].conditionValue.type = FWP_UINT32;
|
|
conds[0].conditionValue.uint32 = *((UINT32*)p_ctx->pc_base->addr_local);
|
|
conds[1].conditionValue.type = FWP_UINT32;
|
|
conds[1].conditionValue.uint32 = *((UINT32*)p_ctx->pc_base->addr_remote);
|
|
}
|
|
|
|
conds[2].fieldKey = FWPM_CONDITION_IP_LOCAL_PORT;
|
|
conds[2].matchType = FWP_MATCH_EQUAL;
|
|
conds[2].conditionValue.type = FWP_UINT16;
|
|
conds[2].conditionValue.uint16 = local_port;
|
|
|
|
if (p_ctx->pc_base->ipproto != tipsec_ipproto_all) {
|
|
conds[numFilterConditions].fieldKey = FWPM_CONDITION_IP_PROTOCOL;
|
|
conds[numFilterConditions].matchType = FWP_MATCH_EQUAL;
|
|
conds[numFilterConditions].conditionValue.type = FWP_UINT8;
|
|
conds[numFilterConditions].conditionValue.uint8 = TINYIPSEC_VISTA_GET_IPPROTO(p_ctx->pc_base->ipproto);
|
|
++numFilterConditions;
|
|
}
|
|
|
|
// Fill in the common fields shared by both filters.
|
|
memset(&filter, 0, sizeof(filter));
|
|
// For MUI compatibility, object names should be indirect strings. See
|
|
// SHLoadIndirectString for details.
|
|
filter.displayData.name = (PWCHAR)p_ctx->filter_name;
|
|
// Link all objects to our provider. When multiple providers are installed
|
|
// on a computer, this makes it easy to determine who added what.
|
|
filter.providerKey = (GUID*)TINYIPSEC_PROVIDER_KEY;
|
|
filter.numFilterConditions = numFilterConditions;
|
|
filter.filterCondition = conds;
|
|
filter.action.type = FWP_ACTION_CALLOUT_TERMINATING;
|
|
filter.flags = FWPM_FILTER_FLAG_NONE;
|
|
filter.weight.type = FWP_EMPTY;
|
|
|
|
// Add the inbound filter.
|
|
filter.layerKey = (p_ctx->pc_base->use_ipv6) ? FWPM_LAYER_INBOUND_TRANSPORT_V6 : FWPM_LAYER_INBOUND_TRANSPORT_V4;
|
|
if (p_ctx->pc_base->mode == tipsec_mode_tun) {
|
|
filter.action.calloutKey = (p_ctx->pc_base->use_ipv6) ? FWPM_CALLOUT_IPSEC_INBOUND_TUNNEL_V6 : FWPM_CALLOUT_IPSEC_INBOUND_TUNNEL_V4;
|
|
}
|
|
else {
|
|
filter.action.calloutKey = (p_ctx->pc_base->use_ipv6) ? FWPM_CALLOUT_IPSEC_INBOUND_TRANSPORT_V6 : FWPM_CALLOUT_IPSEC_INBOUND_TRANSPORT_V4;
|
|
}
|
|
if ((result = FwpmFilterAdd0(p_ctx->engine, &filter, NULL, &tmpInFilterId)) != ERROR_SUCCESS) {
|
|
TSK_DEBUG_ERROR("FwpmFilterAdd0 (inbound) failed with error code [%x]", result);
|
|
goto CLEANUP;
|
|
}
|
|
|
|
// Add the outbound filter.
|
|
filter.layerKey = (p_ctx->pc_base->use_ipv6) ? FWPM_LAYER_OUTBOUND_TRANSPORT_V6 : FWPM_LAYER_OUTBOUND_TRANSPORT_V4;
|
|
if (p_ctx->pc_base->mode == tipsec_mode_tun) {
|
|
filter.action.calloutKey = (p_ctx->pc_base->use_ipv6) ? FWPM_CALLOUT_IPSEC_OUTBOUND_TUNNEL_V6 : FWPM_CALLOUT_IPSEC_OUTBOUND_TUNNEL_V4;
|
|
}
|
|
else {
|
|
filter.action.calloutKey = (p_ctx->pc_base->use_ipv6) ? FWPM_CALLOUT_IPSEC_OUTBOUND_TRANSPORT_V6 : FWPM_CALLOUT_IPSEC_OUTBOUND_TRANSPORT_V4;
|
|
}
|
|
if ((result = FwpmFilterAdd0(p_ctx->engine, &filter, NULL, &tmpOutFilterId)) != ERROR_SUCCESS) {
|
|
TSK_DEBUG_ERROR("FwpmFilterAdd0(outbound) failed with error code [%x]", result);
|
|
goto CLEANUP;
|
|
}
|
|
|
|
// Create the SA context using the outbound traffic descriptor.
|
|
memset(&outTraffic, 0, sizeof(outTraffic));
|
|
outTraffic.ipVersion = TINYIPSEC_VISTA_GET_IPVER(p_ctx->pc_base->use_ipv6);
|
|
if (p_ctx->pc_base->use_ipv6) {
|
|
memcpy(outTraffic.localV6Address, p_ctx->pc_base->addr_local, 16);
|
|
memcpy(outTraffic.remoteV6Address, p_ctx->pc_base->addr_remote, 16);
|
|
}
|
|
else {
|
|
outTraffic.localV4Address = *((UINT32*)p_ctx->pc_base->addr_local);
|
|
outTraffic.remoteV4Address = *((UINT32*)p_ctx->pc_base->addr_remote);
|
|
}
|
|
outTraffic.trafficType = TINYIPSEC_VISTA_GET_MODE(p_ctx->pc_base->mode);
|
|
outTraffic.ipsecFilterId = tmpOutFilterId;
|
|
if ((result = IPsecSaContextCreate0(p_ctx->engine, &outTraffic, NULL, &tmpSaId)) != ERROR_SUCCESS) {
|
|
TSK_DEBUG_ERROR("IPsecSaContextCreate0 failed with error code [%x]", result);
|
|
goto CLEANUP;
|
|
}
|
|
|
|
// Get the inbound SPI using the inbound traffic descriptor.
|
|
memset(&getSpi, 0, sizeof(getSpi));
|
|
getSpi.inboundIpsecTraffic.ipVersion = TINYIPSEC_VISTA_GET_IPVER(p_ctx->pc_base->use_ipv6);
|
|
if (p_ctx->pc_base->use_ipv6) {
|
|
memcpy(getSpi.inboundIpsecTraffic.localV6Address, p_ctx->pc_base->addr_local, 16);
|
|
memcpy(getSpi.inboundIpsecTraffic.remoteV6Address, p_ctx->pc_base->addr_remote, 16);
|
|
}
|
|
else {
|
|
getSpi.inboundIpsecTraffic.localV4Address = *((UINT32*)p_ctx->pc_base->addr_local);
|
|
getSpi.inboundIpsecTraffic.remoteV4Address = *((UINT32*)p_ctx->pc_base->addr_remote);
|
|
}
|
|
getSpi.inboundIpsecTraffic.trafficType = TINYIPSEC_VISTA_GET_MODE(p_ctx->pc_base->mode);
|
|
getSpi.inboundIpsecTraffic.ipsecFilterId = tmpInFilterId;
|
|
getSpi.ipVersion = TINYIPSEC_VISTA_GET_IPVER(p_ctx->pc_base->use_ipv6);
|
|
if ((result = IPsecSaContextGetSpi0(p_ctx->engine, tmpSaId, &getSpi, spi))) {
|
|
TSK_DEBUG_ERROR("IPsecSaContextGetSpi0 failed with error code [%x]", result);
|
|
goto CLEANUP;
|
|
}
|
|
|
|
//// Return the various LUIDs to the caller, so he can clean up.
|
|
*filterId_in = tmpInFilterId;
|
|
*filterId_out = tmpOutFilterId;
|
|
*saId = tmpSaId;
|
|
|
|
CLEANUP:
|
|
if (result != NO_ERROR) {
|
|
_vista_deleteSaContextAndFilters(p_ctx->engine, tmpInFilterId, tmpOutFilterId, tmpSaId);
|
|
}
|
|
else {
|
|
ret = 0;
|
|
}
|
|
|
|
return ret;
|
|
}
|
|
|
|
static int _vista_boundSA(__in const plugin_win_ipsec_vista_ctx_t* p_ctx, __in UINT64 local_saId, __in tipsec_spi_t remote_spi, __in BOOLEAN toInbound)
|
|
{
|
|
UINT32 i=0, j=0;
|
|
DWORD result = NO_ERROR;
|
|
IPSEC_SA0 sa;
|
|
IPSEC_SA_BUNDLE0 bundle;
|
|
IPSEC_SA_AUTH_INFORMATION0 authInfo; // must be global because use as reference (X = &authInfo)
|
|
IPSEC_SA_AUTH_AND_CIPHER_INFORMATION0 cipherAuthInfo; // must be global because use as reference (X = &cipherAuthInfo)
|
|
PFWP_BYTE_BLOB ik = (PFWP_BYTE_BLOB)p_ctx->pc_base->ik;
|
|
PFWP_BYTE_BLOB ck = (PFWP_BYTE_BLOB)p_ctx->pc_base->ck;
|
|
|
|
memset(&sa, 0, sizeof(sa));
|
|
sa.spi = remote_spi;
|
|
sa.saTransformType = TINYIPSEC_VISTA_GET_PROTO(p_ctx->pc_base->protocol, p_ctx->pc_base->ealg);
|
|
|
|
//
|
|
// Keys padding
|
|
//
|
|
if (p_ctx->pc_base->alg == tipsec_alg_hmac_sha_1_96) {
|
|
if (ik->size < TIPSEC_IK_LEN) {
|
|
for(i = ik->size; i < TIPSEC_KEY_LEN; i++) {
|
|
ik->data[i] = 0x00; /* Already done by "tsk_calloc" but ... */
|
|
}
|
|
ik->size = TIPSEC_IK_LEN;
|
|
}
|
|
}
|
|
if (p_ctx->pc_base->ealg == tipsec_ealg_des_ede3_cbc) {
|
|
if (ck->size < TIPSEC_CK_LEN) {
|
|
for (i = ck->size; i<TIPSEC_CK_LEN; i++) {
|
|
ck->data[i] = ck->data[j++];
|
|
}
|
|
ck->size = TIPSEC_CK_LEN;
|
|
}
|
|
}
|
|
|
|
//
|
|
// In all case create Authentication info
|
|
//
|
|
memset(&authInfo, 0, sizeof(authInfo));
|
|
authInfo.authTransform.authTransformId = TINYIPSEC_VISTA_GET_ALGO(p_ctx->pc_base->alg);
|
|
authInfo.authKey = *ik;
|
|
|
|
if ( sa.saTransformType == IPSEC_TRANSFORM_AH ) {
|
|
sa.ahInformation = &authInfo;
|
|
}
|
|
else if ( sa.saTransformType == IPSEC_TRANSFORM_ESP_AUTH ) {
|
|
sa.espAuthInformation = &authInfo;
|
|
}
|
|
else if ( sa.saTransformType == IPSEC_TRANSFORM_ESP_CIPHER ) {
|
|
IPSEC_SA_CIPHER_INFORMATION0 cipherInfo;
|
|
|
|
memset(&cipherInfo, 0, sizeof(cipherInfo));
|
|
cipherInfo.cipherTransform.cipherTransformId = TINYIPSEC_VISTA_GET_EALGO(p_ctx->pc_base->ealg);
|
|
cipherInfo.cipherKey = *ck;
|
|
|
|
sa.espCipherInformation = &cipherInfo;
|
|
}
|
|
else if ( sa.saTransformType == IPSEC_TRANSFORM_ESP_AUTH_AND_CIPHER ) {
|
|
IPSEC_SA_CIPHER_INFORMATION0 cipherInfo;
|
|
|
|
memset(&cipherInfo, 0, sizeof(cipherInfo));
|
|
cipherInfo.cipherTransform.cipherTransformId = TINYIPSEC_VISTA_GET_EALGO(p_ctx->pc_base->ealg);
|
|
cipherInfo.cipherKey = *ck;
|
|
|
|
memset(&cipherAuthInfo, 0, sizeof(cipherAuthInfo));
|
|
cipherAuthInfo.saAuthInformation = authInfo;
|
|
cipherAuthInfo.saCipherInformation = cipherInfo;
|
|
|
|
sa.espAuthAndCipherInformation = &cipherAuthInfo;
|
|
}
|
|
|
|
memset(&bundle, 0, sizeof(bundle));
|
|
bundle.numSAs = 1;
|
|
bundle.saList = &sa;
|
|
bundle.ipVersion = TINYIPSEC_VISTA_GET_IPVER(p_ctx->pc_base->use_ipv6);
|
|
bundle.lifetime.lifetimeSeconds = (UINT32)((p_ctx->pc_base->lifetime > TINYIPSEC_SA_MAX_LIFETIME) ? TINYIPSEC_SA_MAX_LIFETIME : p_ctx->pc_base->lifetime);
|
|
|
|
/* From remote to local (inbound) ? */
|
|
if (toInbound) {
|
|
if((result = IPsecSaContextAddInbound0(p_ctx->engine, local_saId, &bundle)) != ERROR_SUCCESS) {
|
|
TSK_DEBUG_ERROR("IPsecSaContextAddInbound0 failed with error code [%x]", result);
|
|
goto CLEANUP;
|
|
}
|
|
}
|
|
else {
|
|
if ((result = IPsecSaContextAddOutbound0(p_ctx->engine, local_saId, &bundle)) != ERROR_SUCCESS) {
|
|
TSK_DEBUG_ERROR("IPsecSaContextAddOutbound0 failed with error code [%x]", result);
|
|
goto CLEANUP;
|
|
}
|
|
}
|
|
|
|
CLEANUP:
|
|
return (result == ERROR_SUCCESS) ? 0 : -1;
|
|
}
|
|
|
|
static int _vista_flushAll(const plugin_win_ipsec_vista_ctx_t* p_ctx)
|
|
{
|
|
#if 1
|
|
int ret = -1;
|
|
if (p_ctx && p_ctx->engine) {
|
|
DWORD result;
|
|
result = FwpmFilterDeleteById0(p_ctx->engine, p_ctx->filterId_in_uc);
|
|
if (result != ERROR_SUCCESS && result != FWP_E_FILTER_NOT_FOUND) {
|
|
TSK_DEBUG_ERROR("FwpmFilterDeleteById0 failed with error code [%x]", result);
|
|
}
|
|
result = FwpmFilterDeleteById0(p_ctx->engine, p_ctx->filterId_in_us);
|
|
if (result != ERROR_SUCCESS && result != FWP_E_FILTER_NOT_FOUND) {
|
|
TSK_DEBUG_ERROR("FwpmFilterDeleteById0 failed with error code [%x]", result);
|
|
}
|
|
result = FwpmFilterDeleteById0(p_ctx->engine, p_ctx->filterId_out_uc);
|
|
if (result != ERROR_SUCCESS && result != FWP_E_FILTER_NOT_FOUND) {
|
|
TSK_DEBUG_ERROR("FwpmFilterDeleteById0 failed with error code [%x]", result);
|
|
}
|
|
result = FwpmFilterDeleteById0(p_ctx->engine, p_ctx->filterId_out_us);
|
|
if (result != ERROR_SUCCESS && result != FWP_E_FILTER_NOT_FOUND) {
|
|
TSK_DEBUG_ERROR("FwpmFilterDeleteById0 failed with error code [%x]", result);
|
|
}
|
|
return 0;
|
|
}
|
|
//
|
|
return ret;
|
|
#else
|
|
UINT32 i;
|
|
int ret = -1;
|
|
|
|
if (p_ctx && p_ctx->engine) {
|
|
HANDLE enumHandle = NULL;
|
|
IPSEC_SA_DETAILS0** entries = NULL;
|
|
UINT32 numEntriesReturned = 0;
|
|
DWORD result;
|
|
|
|
if ((result = IPsecSaCreateEnumHandle0(p_ctx->engine, NULL, &enumHandle)) != ERROR_SUCCESS) {
|
|
TSK_DEBUG_ERROR("IPsecSaCreateEnumHandle0 failed with error code [%x].", result);
|
|
goto CLEANUP;
|
|
}
|
|
|
|
if ((result = IPsecSaEnum0(p_ctx->engine, enumHandle, TINYIPSEC_SA_NUM_ENTRIES_TO_REQUEST, &entries, &numEntriesReturned)) != ERROR_SUCCESS) {
|
|
TSK_DEBUG_ERROR("IPsecSaEnum0 failed with error code [%x].", result);
|
|
goto CLEANUP;
|
|
}
|
|
|
|
for (i = 0; i<numEntriesReturned; i++) {
|
|
IPSEC_SA_DETAILS0* entry = (entries)[i];
|
|
if ( !wcscmp(entry->transportFilter->displayData.name, p_ctx->filter_name)) {
|
|
if ((result = FwpmFilterDeleteById0(p_ctx->engine, entry->transportFilter->filterId)) != ERROR_SUCCESS) {
|
|
TSK_DEBUG_ERROR("FwpmFilterDeleteById0 failed with error code [%x].", result);
|
|
goto CLEANUP;
|
|
}
|
|
}
|
|
}
|
|
|
|
TSK_DEBUG_INFO("All SAs have been flushed.");
|
|
ret = 0;
|
|
|
|
CLEANUP:
|
|
if (entries) {
|
|
FwpmFreeMemory0((void**)entries);
|
|
}
|
|
if (enumHandle) {
|
|
if ((result = IPsecSaDestroyEnumHandle0(p_ctx->engine, enumHandle)) != ERROR_SUCCESS) {
|
|
TSK_DEBUG_ERROR("IPsecSaDestroyEnumHandle0 failed with error code [%x].", result);
|
|
}
|
|
}
|
|
}
|
|
|
|
return ret;
|
|
#endif
|
|
}
|
|
|
|
static void _vista_deleteSaContextAndFilters(__in HANDLE engine, __in UINT64 inFilterId, __in UINT64 outFilterId, __in UINT64 saId)
|
|
{
|
|
DWORD result;
|
|
|
|
// Allow the LUIDs to be zero, so we can use this function to cleanup
|
|
// partial results.
|
|
if (saId != 0) {
|
|
result = IPsecSaContextDeleteById0(engine, saId);
|
|
if (result != ERROR_SUCCESS) {
|
|
// There's not much we can do if delete fails, so continue trying to
|
|
// clean up the remaining objects.
|
|
TSK_DEBUG_ERROR("IPsecSaContextDeleteById0 = 0x%08X\n", result);
|
|
}
|
|
}
|
|
if (outFilterId != 0) {
|
|
result = FwpmFilterDeleteById0(engine, outFilterId);
|
|
if (result != ERROR_SUCCESS) {
|
|
TSK_DEBUG_ERROR("FwpmFilterDeleteById0 = 0x%08X\n", result);
|
|
}
|
|
}
|
|
if (inFilterId != 0) {
|
|
result = FwpmFilterDeleteById0(engine, inFilterId);
|
|
if (result != ERROR_SUCCESS) {
|
|
TSK_DEBUG_ERROR("FwpmFilterDeleteById0 = 0x%08X\n", result);
|
|
}
|
|
}
|
|
}
|
|
|
|
//
|
|
// Windows Vista IPSec Plugin definition
|
|
//
|
|
|
|
/* constructor */
|
|
static tsk_object_t* _plugin_win_ipsec_vista_ctx_ctor(tsk_object_t * self, va_list * app)
|
|
{
|
|
plugin_win_ipsec_vista_ctx_t *p_ctx = (plugin_win_ipsec_vista_ctx_t *)self;
|
|
if (p_ctx) {
|
|
p_ctx->pc_base = TIPSEC_CTX(p_ctx);
|
|
}
|
|
return self;
|
|
}
|
|
/* destructor */
|
|
static tsk_object_t* _plugin_win_ipsec_vista_ctx_dtor(tsk_object_t * self)
|
|
{
|
|
plugin_win_ipsec_vista_ctx_t *p_ctx = (plugin_win_ipsec_vista_ctx_t *)self;
|
|
if (p_ctx) {
|
|
DWORD code;
|
|
|
|
if (p_ctx->pc_base->started) {
|
|
tipsec_ctx_stop(p_ctx->pc_base);
|
|
}
|
|
|
|
/* Close engine */
|
|
if (p_ctx->engine) {
|
|
if ((code = FwpmEngineClose0(p_ctx->engine))) {
|
|
TSK_DEBUG_ERROR("FwpmEngineClose0 failed with error code [%x].", code);
|
|
}
|
|
}
|
|
|
|
TSK_FREE(p_ctx->pc_base->addr_local);
|
|
TSK_FREE(p_ctx->pc_base->addr_remote);
|
|
|
|
if (p_ctx->pc_base->ik) {
|
|
TSK_FREE(((PFWP_BYTE_BLOB)p_ctx->pc_base->ik)->data);
|
|
TSK_FREE(p_ctx->pc_base->ik);
|
|
}
|
|
if (p_ctx->pc_base->ck) {
|
|
TSK_FREE(((PFWP_BYTE_BLOB)p_ctx->pc_base->ck)->data);
|
|
TSK_FREE(p_ctx->pc_base->ck);
|
|
}
|
|
|
|
TSK_DEBUG_INFO("*** Windows Vista IPSec plugin (Windows Filtering Platform) context destroyed ***");
|
|
}
|
|
|
|
return self;
|
|
}
|
|
/* object definition */
|
|
static const tsk_object_def_t plugin_win_ipsec_vista_ctx_def_s = {
|
|
sizeof(plugin_win_ipsec_vista_ctx_t),
|
|
_plugin_win_ipsec_vista_ctx_ctor,
|
|
_plugin_win_ipsec_vista_ctx_dtor,
|
|
tsk_null,
|
|
};
|
|
/* plugin definition*/
|
|
static const tipsec_plugin_def_t plugin_win_ipsec_vista_plugin_def_s = {
|
|
&plugin_win_ipsec_vista_ctx_def_s,
|
|
|
|
tipsec_impl_type_vista,
|
|
"Windows Vista IPSec (Windows Filtering Platform)",
|
|
|
|
_plugin_win_ipsec_vista_ctx_init,
|
|
_plugin_win_ipsec_vista_ctx_set_local,
|
|
_plugin_win_ipsec_vista_ctx_set_remote,
|
|
_plugin_win_ipsec_vista_ctx_set_keys,
|
|
_plugin_win_ipsec_vista_ctx_start,
|
|
_plugin_win_ipsec_vista_ctx_stop,
|
|
};
|
|
const tipsec_plugin_def_t *plugin_win_ipsec_vista_plugin_def_t = &plugin_win_ipsec_vista_plugin_def_s;
|