ims-volte-vowifi
/
doubango
9
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
doubango/plugins/pluginWinIPSecVista/plugin_win_ipsec_vista.c

712 lines
26 KiB
C
Executable File
Raw Permalink Blame History

/* Copyright (C) 2013-2014 Mamadou DIOP
* Copyright (C) 2013-2014 Doubango Telecom <http://www.doubango.org>
*
* This file is part of Open Source Doubango Framework.
*
* DOUBANGO is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* DOUBANGO is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with DOUBANGO.
*/
#include "plugin_win_ipsec_vista_config.h"
#include "tipsec.h" /* From tinyIPSec project. Requires linking against "tinyIPSec.lib" */
#include "tsk_memory.h"
#include "tsk_object.h"
#include "tsk_debug.h"
#include <ws2tcpip.h>
#include <Fwpmu.h>
#include <Rpc.h>
#if defined(_MSC_VER)
# pragma comment(lib, "Fwpuclnt.lib")
# pragma comment(lib, "Rpcrt4.lib")
#endif
typedef FWP_BYTE_BLOB* PFWP_BYTE_BLOB;
/* as WFP do not provide null encryption I define my own*/
static const IPSEC_CIPHER_TRANSFORM_ID0 IPSEC_CIPHER_TRANSFORM_ID_NULL_NULL= {
(IPSEC_CIPHER_TYPE)NULL,
(IPSEC_CIPHER_TYPE)NULL
};
#define TINYIPSEC_FILTER_NAME TEXT("Doubango Telecom tinyIPSec (Windows Vista)")
#define TINYIPSEC_PROVIDER_KEY NULL
#define TINYIPSEC_SA_NUM_ENTRIES_TO_REQUEST INT_MAX
#define TINYIPSEC_SA_MAX_LIFETIME 172799
#define TINYIPSEC_VISTA_GET_ALGO(algo) (algo == tipsec_alg_hmac_md5_96) ? IPSEC_AUTH_TRANSFORM_ID_HMAC_MD5_96 : IPSEC_AUTH_TRANSFORM_ID_HMAC_SHA_1_96
#define TINYIPSEC_VISTA_GET_EALGO(ealg) (ealg == tipsec_ealg_des_ede3_cbc) ? IPSEC_CIPHER_TRANSFORM_ID_CBC_3DES : ( (ealg == tipsec_ealg_aes) ? IPSEC_CIPHER_TRANSFORM_ID_AES_128 : IPSEC_CIPHER_TRANSFORM_ID_NULL_NULL )
#define TINYIPSEC_VISTA_GET_MODE(mode) (mode == tipsec_mode_tun) ? IPSEC_TRAFFIC_TYPE_TUNNEL : IPSEC_TRAFFIC_TYPE_TRANSPORT
#define TINYIPSEC_VISTA_GET_IPPROTO(ipproto) (ipproto == tipsec_ipproto_tcp) ? IPPROTO_TCP : ((ipproto == tipsec_ipproto_icmp) ? IPPROTO_ICMP : IPPROTO_UDP)
#define TINYIPSEC_VISTA_GET_IPVER(ipv6) (ipv6) ? FWP_IP_VERSION_V6 : FWP_IP_VERSION_V4
#define TINYIPSEC_VISTA_GET_PROTO(proto, ealg) (proto == tipsec_proto_ah) ? IPSEC_TRANSFORM_AH : ( (proto == tipsec_proto_esp) ? (ealg == tipsec_ealg_null ? IPSEC_TRANSFORM_ESP_AUTH : IPSEC_TRANSFORM_ESP_AUTH_AND_CIPHER) : IPSEC_TRANSFORM_ESP_AUTH_AND_CIPHER );
typedef struct plugin_win_ipsec_vista_ctx_s {
TIPSEC_DECLARE_CTX;
tipsec_ctx_t* pc_base;
UINT64 saId_us;
UINT64 saId_uc;
UINT64 filterId_in_us;
UINT64 filterId_out_us;
UINT64 filterId_in_uc;
UINT64 filterId_out_uc;
WCHAR filter_name[256];
HANDLE engine;
}
plugin_win_ipsec_vista_ctx_t;
static int _vista_createLocalSA(__in const plugin_win_ipsec_vista_ctx_t* p_ctx, __in tipsec_port_t local_port, __out tipsec_spi_t *spi, __out UINT64 *saId, __out UINT64 *filterId_in, __out UINT64 *filterId_out);
static int _vista_boundSA(__in const plugin_win_ipsec_vista_ctx_t* p_ctx, __in UINT64 local_saId, __in tipsec_spi_t remote_spi, __in BOOLEAN toInbound);
static int _vista_flushAll(const plugin_win_ipsec_vista_ctx_t* p_ctx);
static void _vista_deleteSaContextAndFilters(__in HANDLE engine, __in UINT64 inFilterId, __in UINT64 outFilterId, __in UINT64 saId);
//
// Plugin implementation
//
static tipsec_error_t _plugin_win_ipsec_vista_ctx_init(tipsec_ctx_t* _p_ctx)
{
plugin_win_ipsec_vista_ctx_t* p_ctx = (plugin_win_ipsec_vista_ctx_t*)_p_ctx;
DWORD code;
UUID uuid;
RPC_STATUS status;
static uint64_t __guard = 0;
if (p_ctx->pc_base->initialized) {
TSK_DEBUG_ERROR("Already initialized");
return tipsec_error_invalid_state;
}
/* Create filter name */
status = UuidCreate(&uuid);
if (status == RPC_S_OK) {
WCHAR* wszUuid = NULL;
UuidToStringW(&uuid, (RPC_WSTR*)&wszUuid);
if (!wszUuid) {
TSK_DEBUG_ERROR("Failed to convert the UUID");
return tipsec_error_sys;
}
swprintf(p_ctx->filter_name, sizeof(p_ctx->filter_name)/sizeof(p_ctx->filter_name[0]), L"%s//%s//%llu", TINYIPSEC_FILTER_NAME, wszUuid, __guard++);
RpcStringFree((RPC_WSTR*)&wszUuid);
}
else {
TSK_DEBUG_ERROR("Failed to create new UUID");
return tipsec_error_sys;
}
/* Open engine */
if ((code = FwpmEngineOpen0(NULL, RPC_C_AUTHN_WINNT, NULL, NULL, &p_ctx->engine))) {
p_ctx->pc_base->initialized = tsk_false;
TSK_DEBUG_ERROR("FwpmEngineOpen0 failed with error code [%x].", code);
return tipsec_error_sys;
}
else {
p_ctx->pc_base->initialized = tsk_true;
p_ctx->pc_base->state = tipsec_state_initial;
return tipsec_error_success;
}
}
static tipsec_error_t _plugin_win_ipsec_vista_ctx_set_local(tipsec_ctx_t* _p_ctx, const char* addr_local, const char* addr_remote, tipsec_port_t port_uc, tipsec_port_t port_us)
{
plugin_win_ipsec_vista_ctx_t* p_ctx = (plugin_win_ipsec_vista_ctx_t*)_p_ctx;
int ret;
_p_ctx->addr_local = tsk_realloc(_p_ctx->addr_local, _p_ctx->use_ipv6 ? 16 : 4);
if (!_p_ctx->addr_local) {
return tipsec_error_outofmemory;
}
_p_ctx->addr_remote = tsk_realloc(_p_ctx->addr_remote, _p_ctx->use_ipv6 ? 16 : 4);
if (!_p_ctx->addr_remote) {
return tipsec_error_outofmemory;
}
/* Set local IP */
if (_p_ctx->use_ipv6) {
if ((ret = inet_pton(AF_INET6, addr_local, _p_ctx->addr_local)) != 1 ) {
TSK_DEBUG_ERROR("inet_pton(%s) have failed with error code [%x].", addr_local, ret);
return tipsec_error_sys;
}
if ((ret = inet_pton(AF_INET6, addr_remote, _p_ctx->addr_remote)) != 1 ) {
TSK_DEBUG_ERROR("inet_pton(%s) have failed with error code [%x].", addr_remote, ret);
return tipsec_error_sys;
}
}
else {
if ((ret = inet_pton(AF_INET, addr_local, _p_ctx->addr_local)) != 1 ) {
TSK_DEBUG_ERROR("inet_pton(%s) have failed with error code [%x].", addr_local, ret);
return tipsec_error_sys;
}
else {
*((UINT32*)_p_ctx->addr_local) = ntohl(*((UINT32*)_p_ctx->addr_local));
}
if ((ret = inet_pton(AF_INET, addr_remote, _p_ctx->addr_remote)) != 1 ) {
TSK_DEBUG_ERROR("inet_pton(%s) have failed with error code [%x].", addr_remote, ret);
return tipsec_error_sys;
}
else {
*((UINT32*)_p_ctx->addr_remote) = ntohl(*((UINT32*)_p_ctx->addr_remote));
}
}
/* Set ports */
_p_ctx->port_uc = port_uc;
_p_ctx->port_us = port_us;
// Create SA1: (UC -> PS)
if ((ret = _vista_createLocalSA(p_ctx, _p_ctx->port_uc, &_p_ctx->spi_uc, &p_ctx->saId_uc, &p_ctx->filterId_in_uc, &p_ctx->filterId_out_uc))) {
return tipsec_error_sys;
}
// Create SA2: (US <-PC)
if ((ret = _vista_createLocalSA(p_ctx, _p_ctx->port_us, &_p_ctx->spi_us, &p_ctx->saId_us, &p_ctx->filterId_in_us, &p_ctx->filterId_out_uc))) {
return tipsec_error_sys;
}
_p_ctx->state = tipsec_state_inbound;
return tipsec_error_success;
}
static tipsec_error_t _plugin_win_ipsec_vista_ctx_set_remote(tipsec_ctx_t* _p_ctx, tipsec_spi_t spi_pc, tipsec_spi_t spi_ps, tipsec_port_t port_pc, tipsec_port_t port_ps, tipsec_lifetime_t lifetime)
{
plugin_win_ipsec_vista_ctx_t* p_ctx = (plugin_win_ipsec_vista_ctx_t*)_p_ctx;
/* Set Lifetime */
_p_ctx->lifetime = lifetime;
/* Set ports */
_p_ctx->port_ps = port_ps;
_p_ctx->port_pc = port_pc;
/* Set SPIs */
_p_ctx->spi_ps = spi_ps;
_p_ctx->spi_pc = spi_pc;
_p_ctx->state = tipsec_state_full;
return tipsec_error_success;
}
static tipsec_error_t _plugin_win_ipsec_vista_ctx_set_keys(tipsec_ctx_t* _p_ctx, const tipsec_key_t* ik, const tipsec_key_t* ck)
{
plugin_win_ipsec_vista_ctx_t* p_ctx = (plugin_win_ipsec_vista_ctx_t*)_p_ctx;
PFWP_BYTE_BLOB _ik, _ck;
/* Compute ik and ck */
_p_ctx->ik = tsk_realloc(_p_ctx->ik, sizeof(FWP_BYTE_BLOB));
if (!_p_ctx->ik) {
return tipsec_error_outofmemory;
}
_ik = (PFWP_BYTE_BLOB)_p_ctx->ik;
_p_ctx->ck = tsk_realloc(_p_ctx->ck, sizeof(FWP_BYTE_BLOB));
if (!_p_ctx->ck) {
return tipsec_error_outofmemory;
}
_ck = (PFWP_BYTE_BLOB)_p_ctx->ck;
_ik->data = tsk_calloc(TIPSEC_IK_LEN, 1);
if (!_ik->data) {
return tipsec_error_outofmemory;
}
memcpy(_ik->data, ik, TIPSEC_KEY_LEN);
_ik->size = TIPSEC_KEY_LEN;
_ck->data = tsk_calloc(TIPSEC_CK_LEN, 1);
if (!_ck->data) {
return tipsec_error_outofmemory;
}
memcpy(_ck->data, ck, TIPSEC_KEY_LEN);
_ck->size = TIPSEC_KEY_LEN;
return tipsec_error_success;
}
static tipsec_error_t _plugin_win_ipsec_vista_ctx_start(tipsec_ctx_t* _p_ctx)
{
plugin_win_ipsec_vista_ctx_t* p_ctx = (plugin_win_ipsec_vista_ctx_t*)_p_ctx;
int ret;
/* VERY IMPORTANT: The SA context functions must be called in a specific order:
(http://msdn.microsoft.com/en-us/library/bb540652(VS.85).aspx).
IPsecSaContextCreate0
IPsecSaContextGetSpi0
IPsecSaContextAddInbound0
IPsecSaContextAddOutbound0
*/
/* US <- PC */
if ((ret = _vista_boundSA(p_ctx, p_ctx->saId_us, _p_ctx->spi_us, TRUE))) {
TSK_DEBUG_ERROR("Failed to setup [US <- PC] SA. Error code = %d", ret);
return tipsec_error_sys;
}
/* UC <- PS */
if ((ret = _vista_boundSA(p_ctx, p_ctx->saId_uc, _p_ctx->spi_uc, TRUE))) {
TSK_DEBUG_ERROR("Failed to setup [UC <- PS] SA. Error code = %d", ret);
return tipsec_error_sys;
}
/* UC -> PS */
if ((ret = _vista_boundSA(p_ctx, p_ctx->saId_uc, _p_ctx->spi_ps, FALSE))) {
TSK_DEBUG_ERROR("Failed to setup [UC -> PS] SA. Error code = %d", ret);
return tipsec_error_sys;
}
/* US -> PC */
if ((ret = _vista_boundSA(p_ctx, p_ctx->saId_us, _p_ctx->spi_pc, FALSE))) {
TSK_DEBUG_ERROR("Failed to setup [US -> PC] SA. Error code = %d", ret);
return tipsec_error_sys;
}
_p_ctx->state = tipsec_state_active;
_p_ctx->started = 1;
return tipsec_error_success;
}
static tipsec_error_t _plugin_win_ipsec_vista_ctx_stop(tipsec_ctx_t* _p_ctx)
{
plugin_win_ipsec_vista_ctx_t* p_ctx = (plugin_win_ipsec_vista_ctx_t*)_p_ctx;
tipsec_error_t err = tipsec_error_success;
//if (!_p_ctx->started) {
// return tipsec_error_success;
//}
/* Flush (delete) all SAs associated to tinyIPSEC */
_vista_flushAll(p_ctx);
_p_ctx->started = 0;
_p_ctx->state = tipsec_state_initial;
return tipsec_error_success;
}
//
// Private functions
//
static int _vista_createLocalSA(__in const plugin_win_ipsec_vista_ctx_t* p_ctx, __in tipsec_port_t local_port, __out tipsec_spi_t *spi, __out UINT64 *saId, __out UINT64 *filterId_in, __out UINT64 *filterId_out)
{
DWORD result = NO_ERROR;
UINT64 tmpInFilterId = 0, tmpOutFilterId = 0, tmpSaId = 0;
FWPM_FILTER0 filter;
IPSEC_TRAFFIC0 outTraffic;
IPSEC_GETSPI0 getSpi;
int ret = -1;
FWPM_FILTER_CONDITION0 conds[6];
UINT32 numFilterConditions = 3;
*spi = 0;
*saId = 0;
*filterId_in = 0;
*filterId_out = 0;
conds[0].fieldKey = FWPM_CONDITION_IP_LOCAL_ADDRESS;
conds[0].matchType = FWP_MATCH_EQUAL;
conds[1].fieldKey = FWPM_CONDITION_IP_REMOTE_ADDRESS;
conds[1].matchType = FWP_MATCH_EQUAL;
if (p_ctx->pc_base->use_ipv6) {
conds[0].conditionValue.type = FWP_BYTE_ARRAY16_TYPE;
conds[0].conditionValue.byteArray16 = (FWP_BYTE_ARRAY16*)p_ctx->pc_base->addr_local;
conds[1].conditionValue.type = FWP_BYTE_ARRAY16_TYPE;
conds[1].conditionValue.byteArray16 = (FWP_BYTE_ARRAY16*)p_ctx->pc_base->addr_remote;
}
else {
conds[0].conditionValue.type = FWP_UINT32;
conds[0].conditionValue.uint32 = *((UINT32*)p_ctx->pc_base->addr_local);
conds[1].conditionValue.type = FWP_UINT32;
conds[1].conditionValue.uint32 = *((UINT32*)p_ctx->pc_base->addr_remote);
}
conds[2].fieldKey = FWPM_CONDITION_IP_LOCAL_PORT;
conds[2].matchType = FWP_MATCH_EQUAL;
conds[2].conditionValue.type = FWP_UINT16;
conds[2].conditionValue.uint16 = local_port;
if (p_ctx->pc_base->ipproto != tipsec_ipproto_all) {
conds[numFilterConditions].fieldKey = FWPM_CONDITION_IP_PROTOCOL;
conds[numFilterConditions].matchType = FWP_MATCH_EQUAL;
conds[numFilterConditions].conditionValue.type = FWP_UINT8;
conds[numFilterConditions].conditionValue.uint8 = TINYIPSEC_VISTA_GET_IPPROTO(p_ctx->pc_base->ipproto);
++numFilterConditions;
}
// Fill in the common fields shared by both filters.
memset(&filter, 0, sizeof(filter));
// For MUI compatibility, object names should be indirect strings. See
// SHLoadIndirectString for details.
filter.displayData.name = (PWCHAR)p_ctx->filter_name;
// Link all objects to our provider. When multiple providers are installed
// on a computer, this makes it easy to determine who added what.
filter.providerKey = (GUID*)TINYIPSEC_PROVIDER_KEY;
filter.numFilterConditions = numFilterConditions;
filter.filterCondition = conds;
filter.action.type = FWP_ACTION_CALLOUT_TERMINATING;
filter.flags = FWPM_FILTER_FLAG_NONE;
filter.weight.type = FWP_EMPTY;
// Add the inbound filter.
filter.layerKey = (p_ctx->pc_base->use_ipv6) ? FWPM_LAYER_INBOUND_TRANSPORT_V6 : FWPM_LAYER_INBOUND_TRANSPORT_V4;
if (p_ctx->pc_base->mode == tipsec_mode_tun) {
filter.action.calloutKey = (p_ctx->pc_base->use_ipv6) ? FWPM_CALLOUT_IPSEC_INBOUND_TUNNEL_V6 : FWPM_CALLOUT_IPSEC_INBOUND_TUNNEL_V4;
}
else {
filter.action.calloutKey = (p_ctx->pc_base->use_ipv6) ? FWPM_CALLOUT_IPSEC_INBOUND_TRANSPORT_V6 : FWPM_CALLOUT_IPSEC_INBOUND_TRANSPORT_V4;
}
if ((result = FwpmFilterAdd0(p_ctx->engine, &filter, NULL, &tmpInFilterId)) != ERROR_SUCCESS) {
TSK_DEBUG_ERROR("FwpmFilterAdd0 (inbound) failed with error code [%x]", result);
goto CLEANUP;
}
// Add the outbound filter.
filter.layerKey = (p_ctx->pc_base->use_ipv6) ? FWPM_LAYER_OUTBOUND_TRANSPORT_V6 : FWPM_LAYER_OUTBOUND_TRANSPORT_V4;
if (p_ctx->pc_base->mode == tipsec_mode_tun) {
filter.action.calloutKey = (p_ctx->pc_base->use_ipv6) ? FWPM_CALLOUT_IPSEC_OUTBOUND_TUNNEL_V6 : FWPM_CALLOUT_IPSEC_OUTBOUND_TUNNEL_V4;
}
else {
filter.action.calloutKey = (p_ctx->pc_base->use_ipv6) ? FWPM_CALLOUT_IPSEC_OUTBOUND_TRANSPORT_V6 : FWPM_CALLOUT_IPSEC_OUTBOUND_TRANSPORT_V4;
}
if ((result = FwpmFilterAdd0(p_ctx->engine, &filter, NULL, &tmpOutFilterId)) != ERROR_SUCCESS) {
TSK_DEBUG_ERROR("FwpmFilterAdd0(outbound) failed with error code [%x]", result);
goto CLEANUP;
}
// Create the SA context using the outbound traffic descriptor.
memset(&outTraffic, 0, sizeof(outTraffic));
outTraffic.ipVersion = TINYIPSEC_VISTA_GET_IPVER(p_ctx->pc_base->use_ipv6);
if (p_ctx->pc_base->use_ipv6) {
memcpy(outTraffic.localV6Address, p_ctx->pc_base->addr_local, 16);
memcpy(outTraffic.remoteV6Address, p_ctx->pc_base->addr_remote, 16);
}
else {
outTraffic.localV4Address = *((UINT32*)p_ctx->pc_base->addr_local);
outTraffic.remoteV4Address = *((UINT32*)p_ctx->pc_base->addr_remote);
}
outTraffic.trafficType = TINYIPSEC_VISTA_GET_MODE(p_ctx->pc_base->mode);
outTraffic.ipsecFilterId = tmpOutFilterId;
if ((result = IPsecSaContextCreate0(p_ctx->engine, &outTraffic, NULL, &tmpSaId)) != ERROR_SUCCESS) {
TSK_DEBUG_ERROR("IPsecSaContextCreate0 failed with error code [%x]", result);
goto CLEANUP;
}
// Get the inbound SPI using the inbound traffic descriptor.
memset(&getSpi, 0, sizeof(getSpi));
getSpi.inboundIpsecTraffic.ipVersion = TINYIPSEC_VISTA_GET_IPVER(p_ctx->pc_base->use_ipv6);
if (p_ctx->pc_base->use_ipv6) {
memcpy(getSpi.inboundIpsecTraffic.localV6Address, p_ctx->pc_base->addr_local, 16);
memcpy(getSpi.inboundIpsecTraffic.remoteV6Address, p_ctx->pc_base->addr_remote, 16);
}
else {
getSpi.inboundIpsecTraffic.localV4Address = *((UINT32*)p_ctx->pc_base->addr_local);
getSpi.inboundIpsecTraffic.remoteV4Address = *((UINT32*)p_ctx->pc_base->addr_remote);
}
getSpi.inboundIpsecTraffic.trafficType = TINYIPSEC_VISTA_GET_MODE(p_ctx->pc_base->mode);
getSpi.inboundIpsecTraffic.ipsecFilterId = tmpInFilterId;
getSpi.ipVersion = TINYIPSEC_VISTA_GET_IPVER(p_ctx->pc_base->use_ipv6);
if ((result = IPsecSaContextGetSpi0(p_ctx->engine, tmpSaId, &getSpi, spi))) {
TSK_DEBUG_ERROR("IPsecSaContextGetSpi0 failed with error code [%x]", result);
goto CLEANUP;
}
//// Return the various LUIDs to the caller, so he can clean up.
*filterId_in = tmpInFilterId;
*filterId_out = tmpOutFilterId;
*saId = tmpSaId;
CLEANUP:
if (result != NO_ERROR) {
_vista_deleteSaContextAndFilters(p_ctx->engine, tmpInFilterId, tmpOutFilterId, tmpSaId);
}
else {
ret = 0;
}
return ret;
}
static int _vista_boundSA(__in const plugin_win_ipsec_vista_ctx_t* p_ctx, __in UINT64 local_saId, __in tipsec_spi_t remote_spi, __in BOOLEAN toInbound)
{
UINT32 i=0, j=0;
DWORD result = NO_ERROR;
IPSEC_SA0 sa;
IPSEC_SA_BUNDLE0 bundle;
IPSEC_SA_AUTH_INFORMATION0 authInfo; // must be global because use as reference (X = &authInfo)
IPSEC_SA_AUTH_AND_CIPHER_INFORMATION0 cipherAuthInfo; // must be global because use as reference (X = &cipherAuthInfo)
PFWP_BYTE_BLOB ik = (PFWP_BYTE_BLOB)p_ctx->pc_base->ik;
PFWP_BYTE_BLOB ck = (PFWP_BYTE_BLOB)p_ctx->pc_base->ck;
memset(&sa, 0, sizeof(sa));
sa.spi = remote_spi;
sa.saTransformType = TINYIPSEC_VISTA_GET_PROTO(p_ctx->pc_base->protocol, p_ctx->pc_base->ealg);
//
// Keys padding
//
if (p_ctx->pc_base->alg == tipsec_alg_hmac_sha_1_96) {
if (ik->size < TIPSEC_IK_LEN) {
for(i = ik->size; i < TIPSEC_KEY_LEN; i++) {
ik->data[i] = 0x00; /* Already done by "tsk_calloc" but ... */
}
ik->size = TIPSEC_IK_LEN;
}
}
if (p_ctx->pc_base->ealg == tipsec_ealg_des_ede3_cbc) {
if (ck->size < TIPSEC_CK_LEN) {
for (i = ck->size; i<TIPSEC_CK_LEN; i++) {
ck->data[i] = ck->data[j++];
}
ck->size = TIPSEC_CK_LEN;
}
}
//
// In all case create Authentication info
//
memset(&authInfo, 0, sizeof(authInfo));
authInfo.authTransform.authTransformId = TINYIPSEC_VISTA_GET_ALGO(p_ctx->pc_base->alg);
authInfo.authKey = *ik;
if ( sa.saTransformType == IPSEC_TRANSFORM_AH ) {
sa.ahInformation = &authInfo;
}
else if ( sa.saTransformType == IPSEC_TRANSFORM_ESP_AUTH ) {
sa.espAuthInformation = &authInfo;
}
else if ( sa.saTransformType == IPSEC_TRANSFORM_ESP_CIPHER ) {
IPSEC_SA_CIPHER_INFORMATION0 cipherInfo;
memset(&cipherInfo, 0, sizeof(cipherInfo));
cipherInfo.cipherTransform.cipherTransformId = TINYIPSEC_VISTA_GET_EALGO(p_ctx->pc_base->ealg);
cipherInfo.cipherKey = *ck;
sa.espCipherInformation = &cipherInfo;
}
else if ( sa.saTransformType == IPSEC_TRANSFORM_ESP_AUTH_AND_CIPHER ) {
IPSEC_SA_CIPHER_INFORMATION0 cipherInfo;
memset(&cipherInfo, 0, sizeof(cipherInfo));
cipherInfo.cipherTransform.cipherTransformId = TINYIPSEC_VISTA_GET_EALGO(p_ctx->pc_base->ealg);
cipherInfo.cipherKey = *ck;
memset(&cipherAuthInfo, 0, sizeof(cipherAuthInfo));
cipherAuthInfo.saAuthInformation = authInfo;
cipherAuthInfo.saCipherInformation = cipherInfo;
sa.espAuthAndCipherInformation = &cipherAuthInfo;
}
memset(&bundle, 0, sizeof(bundle));
bundle.numSAs = 1;
bundle.saList = &sa;
bundle.ipVersion = TINYIPSEC_VISTA_GET_IPVER(p_ctx->pc_base->use_ipv6);
bundle.lifetime.lifetimeSeconds = (UINT32)((p_ctx->pc_base->lifetime > TINYIPSEC_SA_MAX_LIFETIME) ? TINYIPSEC_SA_MAX_LIFETIME : p_ctx->pc_base->lifetime);
/* From remote to local (inbound) ? */
if (toInbound) {
if((result = IPsecSaContextAddInbound0(p_ctx->engine, local_saId, &bundle)) != ERROR_SUCCESS) {
TSK_DEBUG_ERROR("IPsecSaContextAddInbound0 failed with error code [%x]", result);
goto CLEANUP;
}
}
else {
if ((result = IPsecSaContextAddOutbound0(p_ctx->engine, local_saId, &bundle)) != ERROR_SUCCESS) {
TSK_DEBUG_ERROR("IPsecSaContextAddOutbound0 failed with error code [%x]", result);
goto CLEANUP;
}
}
CLEANUP:
return (result == ERROR_SUCCESS) ? 0 : -1;
}
static int _vista_flushAll(const plugin_win_ipsec_vista_ctx_t* p_ctx)
{
#if 1
int ret = -1;
if (p_ctx && p_ctx->engine) {
DWORD result;
result = FwpmFilterDeleteById0(p_ctx->engine, p_ctx->filterId_in_uc);
if (result != ERROR_SUCCESS && result != FWP_E_FILTER_NOT_FOUND) {
TSK_DEBUG_ERROR("FwpmFilterDeleteById0 failed with error code [%x]", result);
}
result = FwpmFilterDeleteById0(p_ctx->engine, p_ctx->filterId_in_us);
if (result != ERROR_SUCCESS && result != FWP_E_FILTER_NOT_FOUND) {
TSK_DEBUG_ERROR("FwpmFilterDeleteById0 failed with error code [%x]", result);
}
result = FwpmFilterDeleteById0(p_ctx->engine, p_ctx->filterId_out_uc);
if (result != ERROR_SUCCESS && result != FWP_E_FILTER_NOT_FOUND) {
TSK_DEBUG_ERROR("FwpmFilterDeleteById0 failed with error code [%x]", result);
}
result = FwpmFilterDeleteById0(p_ctx->engine, p_ctx->filterId_out_us);
if (result != ERROR_SUCCESS && result != FWP_E_FILTER_NOT_FOUND) {
TSK_DEBUG_ERROR("FwpmFilterDeleteById0 failed with error code [%x]", result);
}
return 0;
}
//
return ret;
#else
UINT32 i;
int ret = -1;
if (p_ctx && p_ctx->engine) {
HANDLE enumHandle = NULL;
IPSEC_SA_DETAILS0** entries = NULL;
UINT32 numEntriesReturned = 0;
DWORD result;
if ((result = IPsecSaCreateEnumHandle0(p_ctx->engine, NULL, &enumHandle)) != ERROR_SUCCESS) {
TSK_DEBUG_ERROR("IPsecSaCreateEnumHandle0 failed with error code [%x].", result);
goto CLEANUP;
}
if ((result = IPsecSaEnum0(p_ctx->engine, enumHandle, TINYIPSEC_SA_NUM_ENTRIES_TO_REQUEST, &entries, &numEntriesReturned)) != ERROR_SUCCESS) {
TSK_DEBUG_ERROR("IPsecSaEnum0 failed with error code [%x].", result);
goto CLEANUP;
}
for (i = 0; i<numEntriesReturned; i++) {
IPSEC_SA_DETAILS0* entry = (entries)[i];
if ( !wcscmp(entry->transportFilter->displayData.name, p_ctx->filter_name)) {
if ((result = FwpmFilterDeleteById0(p_ctx->engine, entry->transportFilter->filterId)) != ERROR_SUCCESS) {
TSK_DEBUG_ERROR("FwpmFilterDeleteById0 failed with error code [%x].", result);
goto CLEANUP;
}
}
}
TSK_DEBUG_INFO("All SAs have been flushed.");
ret = 0;
CLEANUP:
if (entries) {
FwpmFreeMemory0((void**)entries);
}
if (enumHandle) {
if ((result = IPsecSaDestroyEnumHandle0(p_ctx->engine, enumHandle)) != ERROR_SUCCESS) {
TSK_DEBUG_ERROR("IPsecSaDestroyEnumHandle0 failed with error code [%x].", result);
}
}
}
return ret;
#endif
}
static void _vista_deleteSaContextAndFilters(__in HANDLE engine, __in UINT64 inFilterId, __in UINT64 outFilterId, __in UINT64 saId)
{
DWORD result;
// Allow the LUIDs to be zero, so we can use this function to cleanup
// partial results.
if (saId != 0) {
result = IPsecSaContextDeleteById0(engine, saId);
if (result != ERROR_SUCCESS) {
// There's not much we can do if delete fails, so continue trying to
// clean up the remaining objects.
TSK_DEBUG_ERROR("IPsecSaContextDeleteById0 = 0x%08X\n", result);
}
}
if (outFilterId != 0) {
result = FwpmFilterDeleteById0(engine, outFilterId);
if (result != ERROR_SUCCESS) {
TSK_DEBUG_ERROR("FwpmFilterDeleteById0 = 0x%08X\n", result);
}
}
if (inFilterId != 0) {
result = FwpmFilterDeleteById0(engine, inFilterId);
if (result != ERROR_SUCCESS) {
TSK_DEBUG_ERROR("FwpmFilterDeleteById0 = 0x%08X\n", result);
}
}
}
//
// Windows Vista IPSec Plugin definition
//
/* constructor */
static tsk_object_t* _plugin_win_ipsec_vista_ctx_ctor(tsk_object_t * self, va_list * app)
{
plugin_win_ipsec_vista_ctx_t *p_ctx = (plugin_win_ipsec_vista_ctx_t *)self;
if (p_ctx) {
p_ctx->pc_base = TIPSEC_CTX(p_ctx);
}
return self;
}
/* destructor */
static tsk_object_t* _plugin_win_ipsec_vista_ctx_dtor(tsk_object_t * self)
{
plugin_win_ipsec_vista_ctx_t *p_ctx = (plugin_win_ipsec_vista_ctx_t *)self;
if (p_ctx) {
DWORD code;
if (p_ctx->pc_base->started) {
tipsec_ctx_stop(p_ctx->pc_base);
}
/* Close engine */
if (p_ctx->engine) {
if ((code = FwpmEngineClose0(p_ctx->engine))) {
TSK_DEBUG_ERROR("FwpmEngineClose0 failed with error code [%x].", code);
}
}
TSK_FREE(p_ctx->pc_base->addr_local);
TSK_FREE(p_ctx->pc_base->addr_remote);
if (p_ctx->pc_base->ik) {
TSK_FREE(((PFWP_BYTE_BLOB)p_ctx->pc_base->ik)->data);
TSK_FREE(p_ctx->pc_base->ik);
}
if (p_ctx->pc_base->ck) {
TSK_FREE(((PFWP_BYTE_BLOB)p_ctx->pc_base->ck)->data);
TSK_FREE(p_ctx->pc_base->ck);
}
TSK_DEBUG_INFO("*** Windows Vista IPSec plugin (Windows Filtering Platform) context destroyed ***");
}
return self;
}
/* object definition */
static const tsk_object_def_t plugin_win_ipsec_vista_ctx_def_s = {
sizeof(plugin_win_ipsec_vista_ctx_t),
_plugin_win_ipsec_vista_ctx_ctor,
_plugin_win_ipsec_vista_ctx_dtor,
tsk_null,
};
/* plugin definition*/
static const tipsec_plugin_def_t plugin_win_ipsec_vista_plugin_def_s = {
&plugin_win_ipsec_vista_ctx_def_s,
tipsec_impl_type_vista,
"Windows Vista IPSec (Windows Filtering Platform)",
_plugin_win_ipsec_vista_ctx_init,
_plugin_win_ipsec_vista_ctx_set_local,
_plugin_win_ipsec_vista_ctx_set_remote,
_plugin_win_ipsec_vista_ctx_set_keys,
_plugin_win_ipsec_vista_ctx_start,
_plugin_win_ipsec_vista_ctx_stop,
};
const tipsec_plugin_def_t *plugin_win_ipsec_vista_plugin_def_t = &plugin_win_ipsec_vista_plugin_def_s;
Reference in New Issue View Git Blame Copy Permalink