ims-volte-vowifi
/
strongswan
9
0
Fork 0
Code Pull Requests Releases Activity
strongswan/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c

2702 lines
63 KiB
C
Raw Blame History

/*
* Copyright (C) 2013 Martin Willi
* Copyright (C) 2013 revosec AG
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
/* Windows 7, for some fwpmu.h functionality */
#define _WIN32_WINNT 0x0601
#include "kernel_wfp_compat.h"
#include "kernel_wfp_ipsec.h"
#include <daemon.h>
#include <threading/mutex.h>
#include <collections/array.h>
#include <collections/hashtable.h>
#include <processing/jobs/callback_job.h>
#ifndef IPPROTO_IPIP
#define IPPROTO_IPIP 4
#endif
#ifndef IPPROTO_IPV6
#define IPPROTO_IPV6 41
#endif
typedef struct private_kernel_wfp_ipsec_t private_kernel_wfp_ipsec_t;
struct private_kernel_wfp_ipsec_t {
/**
* Public interface
*/
kernel_wfp_ipsec_t public;
/**
* Next SPI to allocate
*/
refcount_t nextspi;
/**
* Mix value to distribute SPI allocation randomly
*/
uint32_t mixspi;
/**
* IKE bypass filters, as UINT64 filter LUID
*/
array_t *bypass;
/**
* Temporary SAD/SPD entries referenced reqid, as uintptr_t => entry_t
*/
hashtable_t *tsas;
/**
* SAD/SPD entries referenced by inbound SA, as sa_entry_t => entry_t
*/
hashtable_t *isas;
/**
* SAD/SPD entries referenced by outbound SA, as sa_entry_t => entry_t
*/
hashtable_t *osas;
/**
* Installed routes, as route_t => route_t
*/
hashtable_t *routes;
/**
* Installed traps, as trap_t => trap_t
*/
hashtable_t *traps;
/**
* Mutex for accessing entries
*/
mutex_t *mutex;
/**
* WFP session handle
*/
HANDLE handle;
/**
* Provider charon registers as
*/
FWPM_PROVIDER0 provider;
/**
* Event handle
*/
HANDLE event;
};
/**
* Security association entry
*/
typedef struct {
/** SPI for this SA */
uint32_t spi;
/** protocol, IPPROTO_ESP/IPPROTO_AH */
uint8_t protocol;
/** hard lifetime of SA */
uint32_t lifetime;
/** destination host address for this SPI */
host_t *dst;
struct {
/** algorithm */
uint16_t alg;
/** key */
chunk_t key;
} integ, encr;
} sa_entry_t;
/**
* Hash function for sas lookup table
*/
static u_int hash_sa(sa_entry_t *key)
{
return chunk_hash_inc(chunk_from_thing(key->spi),
chunk_hash(key->dst->get_address(key->dst)));
}
/**
* equals function for sas lookup table
*/
static bool equals_sa(sa_entry_t *a, sa_entry_t *b)
{
return a->spi == b->spi && a->dst->ip_equals(a->dst, b->dst);
}
/**
* Security policy entry
*/
typedef struct {
/** policy source addresses */
traffic_selector_t *src;
/** policy destination addresses */
traffic_selector_t *dst;
/** WFP allocated LUID for inbound filter ID */
uint64_t policy_in;
/** WFP allocated LUID for outbound filter ID */
uint64_t policy_out;
/** WFP allocated LUID for forward inbound filter ID, tunnel mode only */
uint64_t policy_fwd_in;
/** WFP allocated LUID for forward outbound filter ID, tunnel mode only */
uint64_t policy_fwd_out;
/** have installed a route for it? */
bool route;
} sp_entry_t;
/**
* Destroy an SP entry
*/
static void sp_entry_destroy(sp_entry_t *sp)
{
sp->src->destroy(sp->src);
sp->dst->destroy(sp->dst);
free(sp);
}
/**
* Collection of SA/SP database entries for a reqid
*/
typedef struct {
/** reqid of entry */
uint32_t reqid;
/** outer address on local host */
host_t *local;
/** outer address on remote host */
host_t *remote;
/** inbound SA entry */
sa_entry_t isa;
/** outbound SA entry */
sa_entry_t osa;
/** associated (outbound) policies, as sp_entry_t* */
array_t *sps;
/** IPsec mode, tunnel|transport */
ipsec_mode_t mode;
/** UDP encapsulation */
bool encap;
/** provider context, for tunnel mode only */
uint64_t provider;
/** WFP allocated LUID for SA context */
uint64_t sa_id;
/** WFP allocated LUID for tunnel mode IP-IPv4 inbound filter */
uint64_t ip_ipv4_in;
/** WFP allocated LUID for tunnel mode IP-IPv4 outbound filter */
uint64_t ip_ipv4_out;
/** WFP allocated LUID for tunnel mode IP-IPv6 inbound filter */
uint64_t ip_ipv6_in;
/** WFP allocated LUID for tunnel mode IP-IPv6 outbound filter */
uint64_t ip_ipv6_out;
} entry_t;
/**
* Installed route
*/
typedef struct {
/** destination net of route */
host_t *dst;
/** prefix length of dst */
uint8_t mask;
/** source address for route */
host_t *src;
/** gateway of route, NULL if directly attached */
host_t *gtw;
/** references for route */
u_int refs;
} route_t;
/**
* Destroy a route_t
*/
static void destroy_route(route_t *this)
{
this->dst->destroy(this->dst);
this->src->destroy(this->src);
DESTROY_IF(this->gtw);
free(this);
}
/**
* Hashtable equals function for routes
*/
static bool equals_route(route_t *a, route_t *b)
{
return a->mask == b->mask &&
a->dst->ip_equals(a->dst, b->dst) &&
a->src->ip_equals(a->src, b->src);
}
/**
* Hashtable hash function for routes
*/
static u_int hash_route(route_t *route)
{
return chunk_hash_inc(route->src->get_address(route->src),
chunk_hash_inc(route->dst->get_address(route->dst), route->mask));
}
/** forward declaration */
static bool manage_routes(private_kernel_wfp_ipsec_t *this, entry_t *entry,
bool add);
/**
* Remove policies associated to an entry from kernel
*/
static void cleanup_policies(private_kernel_wfp_ipsec_t *this, entry_t *entry)
{
enumerator_t *enumerator;
sp_entry_t *sp;
if (entry->mode == MODE_TUNNEL)
{
manage_routes(this, entry, FALSE);
}
enumerator = array_create_enumerator(entry->sps);
while (enumerator->enumerate(enumerator, &sp))
{
if (sp->policy_in)
{
FwpmFilterDeleteById0(this->handle, sp->policy_in);
sp->policy_in = 0;
}
if (sp->policy_out)
{
FwpmFilterDeleteById0(this->handle, sp->policy_out);
sp->policy_out = 0;
}
if (sp->policy_fwd_in)
{
FwpmFilterDeleteById0(this->handle, sp->policy_fwd_in);
sp->policy_fwd_in = 0;
}
if (sp->policy_fwd_out)
{
FwpmFilterDeleteById0(this->handle, sp->policy_fwd_out);
sp->policy_fwd_out = 0;
}
}
enumerator->destroy(enumerator);
}
/**
* Destroy a SA/SP entry set
*/
static void entry_destroy(private_kernel_wfp_ipsec_t *this, entry_t *entry)
{
if (entry->ip_ipv4_in)
{
FwpmFilterDeleteById0(this->handle, entry->ip_ipv4_in);
}
if (entry->ip_ipv4_out)
{
FwpmFilterDeleteById0(this->handle, entry->ip_ipv4_out);
}
if (entry->ip_ipv6_in)
{
FwpmFilterDeleteById0(this->handle, entry->ip_ipv6_in);
}
if (entry->ip_ipv6_out)
{
FwpmFilterDeleteById0(this->handle, entry->ip_ipv6_out);
}
if (entry->sa_id)
{
IPsecSaContextDeleteById0(this->handle, entry->sa_id);
}
if (entry->provider)
{
FwpmProviderContextDeleteById0(this->handle, entry->provider);
}
cleanup_policies(this, entry);
array_destroy_function(entry->sps, (void*)sp_entry_destroy, NULL);
entry->local->destroy(entry->local);
entry->remote->destroy(entry->remote);
chunk_clear(&entry->isa.integ.key);
chunk_clear(&entry->isa.encr.key);
chunk_clear(&entry->osa.integ.key);
chunk_clear(&entry->osa.encr.key);
free(entry);
}
/**
* Append/Realloc a filter condition to an existing condition set
*/
static FWPM_FILTER_CONDITION0 *append_condition(FWPM_FILTER_CONDITION0 *conds[],
int *count)
{
FWPM_FILTER_CONDITION0 *cond;
(*count)++;
*conds = realloc(*conds, *count * sizeof(*cond));
cond = *conds + *count - 1;
memset(cond, 0, sizeof(*cond));
return cond;
}
/**
* Convert an IPv4 prefix to a host order subnet mask
*/
static uint32_t prefix2mask(uint8_t prefix)
{
uint8_t netmask[4] = {};
int i;
for (i = 0; i < sizeof(netmask); i++)
{
if (prefix < 8)
{
netmask[i] = 0xFF << (8 - prefix);
break;
}
netmask[i] = 0xFF;
prefix -= 8;
}
return untoh32(netmask);
}
/**
* Convert a 16-bit range to a WFP condition
*/
static void range2cond(FWPM_FILTER_CONDITION0 *cond,
uint16_t from, uint16_t to)
{
if (from == to)
{
cond->matchType = FWP_MATCH_EQUAL;
cond->conditionValue.type = FWP_UINT16;
cond->conditionValue.uint16 = from;
}
else
{
cond->matchType = FWP_MATCH_RANGE;
cond->conditionValue.type = FWP_RANGE_TYPE;
cond->conditionValue.rangeValue = calloc(1, sizeof(FWP_RANGE0));
cond->conditionValue.rangeValue->valueLow.type = FWP_UINT16;
cond->conditionValue.rangeValue->valueLow.uint16 = from;
cond->conditionValue.rangeValue->valueHigh.type = FWP_UINT16;
cond->conditionValue.rangeValue->valueHigh.uint16 = to;
}
}
/**
* (Re-)allocate filter conditions for given local or remote traffic selector
*/
static bool ts2condition(traffic_selector_t *ts, const GUID *target,
FWPM_FILTER_CONDITION0 *conds[], int *count)
{
FWPM_FILTER_CONDITION0 *cond;
FWP_BYTE_ARRAY16 *addr;
FWP_RANGE0 *range;
uint16_t from_port, to_port;
void *from, *to;
uint8_t proto;
host_t *net;
uint8_t prefix;
from = ts->get_from_address(ts).ptr;
to = ts->get_to_address(ts).ptr;
from_port = ts->get_from_port(ts);
to_port = ts->get_to_port(ts);
cond = append_condition(conds, count);
cond->fieldKey = *target;
if (ts->is_host(ts, NULL))
{
cond->matchType = FWP_MATCH_EQUAL;
switch (ts->get_type(ts))
{
case TS_IPV4_ADDR_RANGE:
cond->conditionValue.type = FWP_UINT32;
cond->conditionValue.uint32 = untoh32(from);
break;
case TS_IPV6_ADDR_RANGE:
cond->conditionValue.type = FWP_BYTE_ARRAY16_TYPE;
cond->conditionValue.byteArray16 = addr = malloc(sizeof(*addr));
memcpy(addr, from, sizeof(*addr));
break;
default:
return FALSE;
}
}
else if (ts->to_subnet(ts, &net, &prefix))
{
FWP_V6_ADDR_AND_MASK *m6;
FWP_V4_ADDR_AND_MASK *m4;
cond->matchType = FWP_MATCH_EQUAL;
switch (net->get_family(net))
{
case AF_INET:
cond->conditionValue.type = FWP_V4_ADDR_MASK;
cond->conditionValue.v4AddrMask = m4 = calloc(1, sizeof(*m4));
m4->addr = untoh32(from);
m4->mask = prefix2mask(prefix);
break;
case AF_INET6:
cond->conditionValue.type = FWP_V6_ADDR_MASK;
cond->conditionValue.v6AddrMask = m6 = calloc(1, sizeof(*m6));
memcpy(m6->addr, from, sizeof(m6->addr));
m6->prefixLength = prefix;
break;
default:
net->destroy(net);
return FALSE;
}
net->destroy(net);
}
else
{
cond->matchType = FWP_MATCH_RANGE;
cond->conditionValue.type = FWP_RANGE_TYPE;
cond->conditionValue.rangeValue = range = calloc(1, sizeof(*range));
switch (ts->get_type(ts))
{
case TS_IPV4_ADDR_RANGE:
range->valueLow.type = FWP_UINT32;
range->valueLow.uint32 = untoh32(from);
range->valueHigh.type = FWP_UINT32;
range->valueHigh.uint32 = untoh32(to);
break;
case TS_IPV6_ADDR_RANGE:
range->valueLow.type = FWP_BYTE_ARRAY16_TYPE;
range->valueLow.byteArray16 = addr = malloc(sizeof(*addr));
memcpy(addr, from, sizeof(*addr));
range->valueHigh.type = FWP_BYTE_ARRAY16_TYPE;
range->valueHigh.byteArray16 = addr = malloc(sizeof(*addr));
memcpy(addr, to, sizeof(*addr));
break;
default:
return FALSE;
}
}
proto = ts->get_protocol(ts);
if (proto && target == &FWPM_CONDITION_IP_LOCAL_ADDRESS)
{
cond = append_condition(conds, count);
cond->fieldKey = FWPM_CONDITION_IP_PROTOCOL;
cond->matchType = FWP_MATCH_EQUAL;
cond->conditionValue.type = FWP_UINT8;
cond->conditionValue.uint8 = proto;
}
if (proto == IPPROTO_ICMP)
{
if (target == &FWPM_CONDITION_IP_LOCAL_ADDRESS)
{
uint8_t from_type, to_type, from_code, to_code;
from_type = traffic_selector_icmp_type(from_port);
to_type = traffic_selector_icmp_type(to_port);
from_code = traffic_selector_icmp_code(from_port);
to_code = traffic_selector_icmp_code(to_port);
if (from_type != 0 || to_type != 0xFF)
{
cond = append_condition(conds, count);
cond->fieldKey = FWPM_CONDITION_ICMP_TYPE;
range2cond(cond, from_type, to_type);
}
if (from_code != 0 || to_code != 0xFF)
{
cond = append_condition(conds, count);
cond->fieldKey = FWPM_CONDITION_ICMP_CODE;
range2cond(cond, from_code, to_code);
}
}
}
else if (from_port != 0 || to_port != 0xFFFF)
{
if (target == &FWPM_CONDITION_IP_LOCAL_ADDRESS)
{
cond = append_condition(conds, count);
cond->fieldKey = FWPM_CONDITION_IP_LOCAL_PORT;
range2cond(cond, from_port, to_port);
}
if (target == &FWPM_CONDITION_IP_REMOTE_ADDRESS)
{
cond = append_condition(conds, count);
cond->fieldKey = FWPM_CONDITION_IP_REMOTE_PORT;
range2cond(cond, from_port, to_port);
}
}
return TRUE;
}
/**
* Free memory associated to a single condition
*/
static void free_condition(FWP_DATA_TYPE type, void *value)
{
FWP_RANGE0 *range;
switch (type)
{
case FWP_BYTE_ARRAY16_TYPE:
case FWP_V4_ADDR_MASK:
case FWP_V6_ADDR_MASK:
free(value);
break;
case FWP_RANGE_TYPE:
range = value;
free_condition(range->valueLow.type, range->valueLow.sd);
free_condition(range->valueHigh.type, range->valueHigh.sd);
free(range);
break;
default:
break;
}
}
/**
* Free memory used by a set of conditions
*/
static void free_conditions(FWPM_FILTER_CONDITION0 *conds, int count)
{
int i;
for (i = 0; i < count; i++)
{
free_condition(conds[i].conditionValue.type, conds[i].conditionValue.sd);
}
free(conds);
}
/**
* Find the callout GUID for given parameters
*/
static bool find_callout(bool tunnel, bool v6, bool inbound, bool forward,
bool ale, GUID *layer, GUID *sublayer, GUID *callout)
{
struct {
bool tunnel;
bool v6;
bool inbound;
bool forward;
bool ale;
const GUID *layer;
const GUID *sublayer;
const GUID *callout;
} map[] = {
{ 0, 0, 0, 0, 0, &FWPM_LAYER_OUTBOUND_TRANSPORT_V4, NULL,
&FWPM_CALLOUT_IPSEC_OUTBOUND_TRANSPORT_V4 },
{ 0, 0, 1, 0, 0, &FWPM_LAYER_INBOUND_TRANSPORT_V4, NULL,
&FWPM_CALLOUT_IPSEC_INBOUND_TRANSPORT_V4 },
{ 0, 1, 0, 0, 0, &FWPM_LAYER_OUTBOUND_TRANSPORT_V6, NULL,
&FWPM_CALLOUT_IPSEC_OUTBOUND_TRANSPORT_V6 },
{ 0, 1, 1, 0, 0, &FWPM_LAYER_INBOUND_TRANSPORT_V6, NULL,
&FWPM_CALLOUT_IPSEC_INBOUND_TRANSPORT_V6 },
{ 1, 0, 0, 0, 0, &FWPM_LAYER_OUTBOUND_TRANSPORT_V4,
&FWPM_SUBLAYER_IPSEC_TUNNEL,
&FWPM_CALLOUT_IPSEC_OUTBOUND_TUNNEL_V4 },
{ 1, 0, 0, 1, 0, &FWPM_LAYER_IPFORWARD_V4,
&FWPM_SUBLAYER_IPSEC_FORWARD_OUTBOUND_TUNNEL,
&FWPM_CALLOUT_IPSEC_FORWARD_OUTBOUND_TUNNEL_V4 },
{ 1, 0, 1, 0, 0, &FWPM_LAYER_INBOUND_TRANSPORT_V4,
&FWPM_SUBLAYER_IPSEC_TUNNEL,
&FWPM_CALLOUT_IPSEC_INBOUND_TUNNEL_V4 },
{ 1, 0, 1, 1, 0, &FWPM_LAYER_IPFORWARD_V4,
&FWPM_SUBLAYER_IPSEC_TUNNEL,
&FWPM_CALLOUT_IPSEC_FORWARD_INBOUND_TUNNEL_V4 },
{ 1, 0, 0, 0, 1, &FWPM_LAYER_ALE_AUTH_CONNECT_V4, NULL,
&FWPM_CALLOUT_IPSEC_ALE_CONNECT_V4 },
{ 1, 0, 1, 0, 1, &FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4, NULL,
&FWPM_CALLOUT_IPSEC_INBOUND_TUNNEL_ALE_ACCEPT_V4},
{ 1, 1, 0, 0, 0, &FWPM_LAYER_OUTBOUND_TRANSPORT_V6,
&FWPM_SUBLAYER_IPSEC_TUNNEL,
&FWPM_CALLOUT_IPSEC_OUTBOUND_TUNNEL_V6 },
{ 1, 1, 0, 1, 0, &FWPM_LAYER_IPFORWARD_V6,
&FWPM_SUBLAYER_IPSEC_FORWARD_OUTBOUND_TUNNEL,
&FWPM_CALLOUT_IPSEC_FORWARD_OUTBOUND_TUNNEL_V6 },
{ 1, 1, 1, 0, 0, &FWPM_LAYER_INBOUND_TRANSPORT_V6,
&FWPM_SUBLAYER_IPSEC_TUNNEL,
&FWPM_CALLOUT_IPSEC_INBOUND_TUNNEL_V6 },
{ 1, 1, 1, 1, 0, &FWPM_LAYER_IPFORWARD_V6,
&FWPM_SUBLAYER_IPSEC_TUNNEL,
&FWPM_CALLOUT_IPSEC_FORWARD_INBOUND_TUNNEL_V6 },
{ 1, 1, 0, 0, 1, &FWPM_LAYER_ALE_AUTH_CONNECT_V6, NULL,
&FWPM_CALLOUT_IPSEC_ALE_CONNECT_V6 },
{ 1, 1, 1, 0, 1, &FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6, NULL,
&FWPM_CALLOUT_IPSEC_INBOUND_TUNNEL_ALE_ACCEPT_V6},
};
int i;
for (i = 0; i < countof(map); i++)
{
if (tunnel == map[i].tunnel &&
v6 == map[i].v6 &&
inbound == map[i].inbound &&
forward == map[i].forward &&
ale == map[i].ale)
{
*callout = *map[i].callout;
*layer = *map[i].layer;
if (map[i].sublayer)
{
*sublayer = *map[i].sublayer;
}
return TRUE;
}
}
return FALSE;
}
/**
* Install a single policy in to the kernel
*/
static bool install_sp(private_kernel_wfp_ipsec_t *this, sp_entry_t *sp,
GUID *context, bool inbound, bool fwd, UINT64 *filter_id)
{
FWPM_FILTER_CONDITION0 *conds = NULL;
traffic_selector_t *local, *remote;
const GUID *ltarget, *rtarget;
int count = 0;
bool v6;
DWORD res;
FWPM_FILTER0 filter = {
.displayData = {
.name = L"charon IPsec policy",
},
.action = {
.type = FWP_ACTION_CALLOUT_TERMINATING,
},
};
if (context)
{
filter.flags |= FWPM_FILTER_FLAG_HAS_PROVIDER_CONTEXT;
filter.providerKey = (GUID*)&this->provider.providerKey;
filter.providerContextKey = *context;
}
v6 = sp->src->get_type(sp->src) == TS_IPV6_ADDR_RANGE;
if (!find_callout(context != NULL, v6, inbound, fwd, FALSE,
&filter.layerKey, &filter.subLayerKey,
&filter.action.calloutKey))
{
return FALSE;
}
if (inbound && fwd)
{
local = sp->dst;
remote = sp->src;
}
else
{
local = sp->src;
remote = sp->dst;
}
if (fwd)
{
ltarget = &FWPM_CONDITION_IP_SOURCE_ADDRESS;
rtarget = &FWPM_CONDITION_IP_DESTINATION_ADDRESS;
}
else
{
ltarget = &FWPM_CONDITION_IP_LOCAL_ADDRESS;
rtarget = &FWPM_CONDITION_IP_REMOTE_ADDRESS;
}
if (!ts2condition(local, ltarget, &conds, &count) ||
!ts2condition(remote, rtarget, &conds, &count))
{
free_conditions(conds, count);
return FALSE;
}
filter.numFilterConditions = count;
filter.filterCondition = conds;
res = FwpmFilterAdd0(this->handle, &filter, NULL, filter_id);
free_conditions(conds, count);
if (res != ERROR_SUCCESS)
{
DBG1(DBG_KNL, "installing IPv%d %s%sbound %s WFP filter failed: 0x%08x",
v6 ? 6 : 4, fwd ? "forward " : "", inbound ? "in" : "out",
context ? "tunnel" : "transport", res);
return FALSE;
}
return TRUE;
}
/**
* Install an IP-IP allow filter for SA specific hosts
*/
static bool install_ipip_ale(private_kernel_wfp_ipsec_t *this,
host_t *local, host_t *remote, GUID *context,
bool inbound, int proto, uint64_t *filter_id)
{
traffic_selector_t *lts, *rts;
FWPM_FILTER_CONDITION0 *conds = NULL;
int count = 0;
bool v6;
DWORD res;
FWPM_FILTER0 filter = {
.displayData = {
.name = L"charon IPsec IP-in-IP ALE policy",
},
.action = {
.type = FWP_ACTION_CALLOUT_TERMINATING,
},
};
if (context)
{
filter.flags |= FWPM_FILTER_FLAG_HAS_PROVIDER_CONTEXT;
filter.providerKey = (GUID*)&this->provider.providerKey;
filter.providerContextKey = *context;
}
v6 = local->get_family(local) == AF_INET6;
if (!find_callout(TRUE, v6, inbound, FALSE, TRUE, &filter.layerKey,
&filter.subLayerKey, &filter.action.calloutKey))
{
return FALSE;
}
lts = traffic_selector_create_from_subnet(local->clone(local),
v6 ? 128 : 32 , proto, 0, 65535);
rts = traffic_selector_create_from_subnet(remote->clone(remote),
v6 ? 128 : 32 , proto, 0, 65535);
if (!ts2condition(lts, &FWPM_CONDITION_IP_LOCAL_ADDRESS, &conds, &count) ||
!ts2condition(rts, &FWPM_CONDITION_IP_REMOTE_ADDRESS, &conds, &count))
{
free_conditions(conds, count);
lts->destroy(lts);
rts->destroy(rts);
return FALSE;
}
lts->destroy(lts);
rts->destroy(rts);
filter.numFilterConditions = count;
filter.filterCondition = conds;
res = FwpmFilterAdd0(this->handle, &filter, NULL, filter_id);
free_conditions(conds, count);
if (res != ERROR_SUCCESS)
{
DBG1(DBG_KNL, "installing IP-IPv%d %s ALE WFP filter failed: 0x%08x",
v6 ? 6 : 4, inbound ? "inbound" : "outbound", res);
return FALSE;
}
return TRUE;
}
/**
* Install a set of policies in to the kernel
*/
static bool install_sps(private_kernel_wfp_ipsec_t *this,
entry_t *entry, GUID *context)
{
enumerator_t *enumerator;
sp_entry_t *sp;
bool has_v4 = FALSE, has_v6 = FALSE;
enumerator = array_create_enumerator(entry->sps);
while (enumerator->enumerate(enumerator, &sp))
{
switch (sp->src->get_type(sp->src))
{
case TS_IPV4_ADDR_RANGE:
has_v4 = TRUE;
break;
case TS_IPV6_ADDR_RANGE:
has_v6 = TRUE;
break;
}
/* inbound policy */
if (!install_sp(this, sp, context, TRUE, FALSE, &sp->policy_in))
{
enumerator->destroy(enumerator);
return FALSE;
}
/* outbound policy */
if (!install_sp(this, sp, context, FALSE, FALSE, &sp->policy_out))
{
enumerator->destroy(enumerator);
return FALSE;
}
if (context)
{
if (!sp->src->is_host(sp->src, entry->local) ||
!sp->dst->is_host(sp->dst, entry->remote))
{
/* inbound forward policy, from decapsulation */
if (!install_sp(this, sp, context, TRUE, TRUE,
&sp->policy_fwd_in))
{
enumerator->destroy(enumerator);
return FALSE;
}
/* outbound forward policy, to encapsulate */
if (!install_sp(this, sp, context, FALSE, TRUE,
&sp->policy_fwd_out))
{
enumerator->destroy(enumerator);
return FALSE;
}
}
}
}
enumerator->destroy(enumerator);
if (context)
{
/* In tunnel mode, Windows does firewall filtering on decrypted but
* non-unwrapped packets: It sees them as IP-in-IP packets. When using
* a default-drop policy, we need to allow such packets explicitly. */
if (has_v4)
{
if (!install_ipip_ale(this, entry->local, entry->remote, context,
TRUE, IPPROTO_IPIP, &entry->ip_ipv4_in))
{
return FALSE;
}
if (!install_ipip_ale(this, entry->local, entry->remote, NULL,
FALSE, IPPROTO_IPIP, &entry->ip_ipv4_out))
{
return FALSE;
}
}
if (has_v6)
{
if (!install_ipip_ale(this, entry->local, entry->remote, context,
TRUE, IPPROTO_IPV6, &entry->ip_ipv6_in))
{
return FALSE;
}
if (!install_ipip_ale(this, entry->local, entry->remote, NULL,
FALSE, IPPROTO_IPV6, &entry->ip_ipv6_out))
{
return FALSE;
}
}
}
return TRUE;
}
/**
* Convert a chunk_t to a WFP FWP_BYTE_BLOB
*/
static inline FWP_BYTE_BLOB chunk2blob(chunk_t chunk)
{
return (FWP_BYTE_BLOB){
.size = chunk.len,
.data = chunk.ptr,
};
}
/**
* Convert an integrity_algorithm_t to a WFP IPSEC_AUTH_TRANFORM_ID0
*/
static bool alg2auth(integrity_algorithm_t alg,
IPSEC_SA_AUTH_INFORMATION0 *info)
{
struct {
integrity_algorithm_t alg;
IPSEC_AUTH_TRANSFORM_ID0 transform;
} map[] = {
{ AUTH_HMAC_MD5_96, IPSEC_AUTH_TRANSFORM_ID_HMAC_MD5_96 },
{ AUTH_HMAC_SHA1_96, IPSEC_AUTH_TRANSFORM_ID_HMAC_SHA_1_96 },
{ AUTH_HMAC_SHA2_256_128, IPSEC_AUTH_TRANSFORM_ID_HMAC_SHA_256_128},
{ AUTH_AES_128_GMAC, IPSEC_AUTH_TRANSFORM_ID_GCM_AES_128 },
{ AUTH_AES_192_GMAC, IPSEC_AUTH_TRANSFORM_ID_GCM_AES_192 },
{ AUTH_AES_256_GMAC, IPSEC_AUTH_TRANSFORM_ID_GCM_AES_256 },
};
int i;
for (i = 0; i < countof(map); i++)
{
if (map[i].alg == alg)
{
info->authTransform.authTransformId = map[i].transform;
return TRUE;
}
}
return FALSE;
}
/**
* Convert an encryption_algorithm_t to a WFP IPSEC_CIPHER_TRANFORM_ID0
*/
static bool alg2cipher(encryption_algorithm_t alg, int keylen,
IPSEC_SA_CIPHER_INFORMATION0 *info)
{
struct {
encryption_algorithm_t alg;
int keylen;
IPSEC_CIPHER_TRANSFORM_ID0 transform;
} map[] = {
{ ENCR_DES, 8, IPSEC_CIPHER_TRANSFORM_ID_CBC_DES },
{ ENCR_3DES, 24, IPSEC_CIPHER_TRANSFORM_ID_CBC_3DES },
{ ENCR_AES_CBC, 16, IPSEC_CIPHER_TRANSFORM_ID_AES_128 },
{ ENCR_AES_CBC, 24, IPSEC_CIPHER_TRANSFORM_ID_AES_192 },
{ ENCR_AES_CBC, 32, IPSEC_CIPHER_TRANSFORM_ID_AES_256 },
{ ENCR_AES_GCM_ICV16, 20, IPSEC_CIPHER_TRANSFORM_ID_GCM_AES_128 },
{ ENCR_AES_GCM_ICV16, 28, IPSEC_CIPHER_TRANSFORM_ID_GCM_AES_192 },
{ ENCR_AES_GCM_ICV16, 36, IPSEC_CIPHER_TRANSFORM_ID_GCM_AES_256 },
};
int i;
for (i = 0; i < countof(map); i++)
{
if (map[i].alg == alg && map[i].keylen == keylen)
{
info->cipherTransform.cipherTransformId = map[i].transform;
return TRUE;
}
}
return FALSE;
}
/**
* Get the integrity algorithm used for an AEAD transform
*/
static integrity_algorithm_t encr2integ(encryption_algorithm_t encr, int keylen)
{
struct {
encryption_algorithm_t encr;
int keylen;
integrity_algorithm_t integ;
} map[] = {
{ ENCR_NULL_AUTH_AES_GMAC, 20, AUTH_AES_128_GMAC },
{ ENCR_NULL_AUTH_AES_GMAC, 28, AUTH_AES_192_GMAC },
{ ENCR_NULL_AUTH_AES_GMAC, 36, AUTH_AES_256_GMAC },
{ ENCR_AES_GCM_ICV16, 20, AUTH_AES_128_GMAC },
{ ENCR_AES_GCM_ICV16, 28, AUTH_AES_192_GMAC },
{ ENCR_AES_GCM_ICV16, 36, AUTH_AES_256_GMAC },
};
int i;
for (i = 0; i < countof(map); i++)
{
if (map[i].encr == encr && map[i].keylen == keylen)
{
return map[i].integ;
}
}
return AUTH_UNDEFINED;
}
/**
* Install a single SA
*/
static bool install_sa(private_kernel_wfp_ipsec_t *this, entry_t *entry,
bool inbound, sa_entry_t *sa, FWP_IP_VERSION version)
{
IPSEC_SA_AUTH_AND_CIPHER_INFORMATION0 info = {};
IPSEC_SA0 ipsec = {
.spi = ntohl(sa->spi),
};
IPSEC_SA_BUNDLE0 bundle = {
.lifetime = {
.lifetimeSeconds = inbound ? entry->isa.lifetime
: entry->osa.lifetime,
},
.saList = &ipsec,
.numSAs = 1,
.ipVersion = version,
};
struct {
uint16_t alg;
chunk_t key;
} integ = {}, encr = {};
DWORD res;
switch (sa->protocol)
{
case IPPROTO_AH:
ipsec.saTransformType = IPSEC_TRANSFORM_AH;
ipsec.ahInformation = &info.saAuthInformation;
integ.key = sa->integ.key;
integ.alg = sa->integ.alg;
break;
case IPPROTO_ESP:
if (sa->encr.alg == ENCR_NULL ||
sa->encr.alg == ENCR_NULL_AUTH_AES_GMAC)
{
ipsec.saTransformType = IPSEC_TRANSFORM_ESP_AUTH;
ipsec.espAuthInformation = &info.saAuthInformation;
}
else
{
ipsec.saTransformType = IPSEC_TRANSFORM_ESP_AUTH_AND_CIPHER;
ipsec.espAuthAndCipherInformation = &info;
encr.key = sa->encr.key;
encr.alg = sa->encr.alg;
}
if (encryption_algorithm_is_aead(sa->encr.alg))
{
integ.alg = encr2integ(sa->encr.alg, sa->encr.key.len);
integ.key = sa->encr.key;
}
else
{
integ.alg = sa->integ.alg;
integ.key = sa->integ.key;
}
break;
default:
return FALSE;
}
if (integ.alg)
{
info.saAuthInformation.authKey = chunk2blob(integ.key);
if (!alg2auth(integ.alg, &info.saAuthInformation))
{
DBG1(DBG_KNL, "integrity algorithm %N not supported by WFP",
integrity_algorithm_names, integ.alg);
return FALSE;
}
}
if (encr.alg)
{
info.saCipherInformation.cipherKey = chunk2blob(encr.key);
if (!alg2cipher(encr.alg, encr.key.len, &info.saCipherInformation))
{
DBG1(DBG_KNL, "encryption algorithm %N not supported by WFP",
encryption_algorithm_names, encr.alg);
return FALSE;
}
}
if (inbound)
{
res = IPsecSaContextAddInbound0(this->handle, entry->sa_id, &bundle);
}
else
{
bundle.flags |= IPSEC_SA_BUNDLE_FLAG_ASSUME_UDP_CONTEXT_OUTBOUND;
res = IPsecSaContextAddOutbound0(this->handle, entry->sa_id, &bundle);
}
if (res != ERROR_SUCCESS)
{
DBG1(DBG_KNL, "adding %sbound WFP SA failed: 0x%08x",
inbound ? "in" : "out", res);
return FALSE;
}
return TRUE;
}
/**
* Convert an IPv6 host address to WFP representation
*/
static void host2address6(host_t *host, void *out)
{
uint32_t *src, *dst = out;
src = (uint32_t*)host->get_address(host).ptr;
dst[0] = untoh32(&src[3]);
dst[1] = untoh32(&src[2]);
dst[2] = untoh32(&src[1]);
dst[3] = untoh32(&src[0]);
}
/**
* Fill in traffic structure from entry addresses
*/
static bool hosts2traffic(private_kernel_wfp_ipsec_t *this,
host_t *l, host_t *r, IPSEC_TRAFFIC1 *traffic)
{
if (l->get_family(l) != r->get_family(r))
{
return FALSE;
}
switch (l->get_family(l))
{
case AF_INET:
traffic->ipVersion = FWP_IP_VERSION_V4;
traffic->localV4Address = untoh32(l->get_address(l).ptr);
traffic->remoteV4Address = untoh32(r->get_address(r).ptr);
return TRUE;
case AF_INET6:
traffic->ipVersion = FWP_IP_VERSION_V6;
host2address6(l, &traffic->localV6Address);
host2address6(r, &traffic->remoteV6Address);
return TRUE;
default:
return FALSE;
}
}
/**
* Install SAs to the kernel
*/
static bool install_sas(private_kernel_wfp_ipsec_t *this, entry_t *entry,
IPSEC_TRAFFIC_TYPE type)
{
IPSEC_TRAFFIC1 traffic = {
.trafficType = type,
};
IPSEC_GETSPI1 spi = {
.inboundIpsecTraffic = {
.trafficType = type,
},
};
enumerator_t *enumerator;
sp_entry_t *sp;
DWORD res;
if (type == IPSEC_TRAFFIC_TYPE_TRANSPORT)
{
enumerator = array_create_enumerator(entry->sps);
if (enumerator->enumerate(enumerator, &sp))
{
traffic.ipsecFilterId = sp->policy_out;
spi.inboundIpsecTraffic.ipsecFilterId = sp->policy_in;
}
else
{
enumerator->destroy(enumerator);
return FALSE;
}
enumerator->destroy(enumerator);
}
else
{
traffic.tunnelPolicyId = entry->provider;
spi.inboundIpsecTraffic.tunnelPolicyId = entry->provider;
}
if (!hosts2traffic(this, entry->local, entry->remote, &traffic))
{
return FALSE;
}
res = IPsecSaContextCreate1(this->handle, &traffic, NULL, NULL,
&entry->sa_id);
if (res != ERROR_SUCCESS)
{
DBG1(DBG_KNL, "creating WFP SA context failed: 0x%08x", res);
return FALSE;
}
memcpy(spi.inboundIpsecTraffic.localV6Address, traffic.localV6Address,
sizeof(traffic.localV6Address));
memcpy(spi.inboundIpsecTraffic.remoteV6Address, traffic.remoteV6Address,
sizeof(traffic.remoteV6Address));
spi.ipVersion = traffic.ipVersion;
res = IPsecSaContextSetSpi0(this->handle, entry->sa_id, &spi,
ntohl(entry->isa.spi));
if (res != ERROR_SUCCESS)
{
DBG1(DBG_KNL, "setting WFP SA SPI failed: 0x%08x", res);
IPsecSaContextDeleteById0(this->handle, entry->sa_id);
entry->sa_id = 0;
return FALSE;
}
if (!install_sa(this, entry, TRUE, &entry->isa, spi.ipVersion) ||
!install_sa(this, entry, FALSE, &entry->osa, spi.ipVersion))
{
IPsecSaContextDeleteById0(this->handle, entry->sa_id);
entry->sa_id = 0;
return FALSE;
}
if (entry->encap)
{
IPSEC_V4_UDP_ENCAPSULATION0 encap = {
.localUdpEncapPort = entry->local->get_port(entry->local),
.remoteUdpEncapPort = entry->remote->get_port(entry->remote),
};
IPSEC_SA_CONTEXT1 *ctx;
res = IPsecSaContextGetById1(this->handle, entry->sa_id, &ctx);
if (res != ERROR_SUCCESS)
{
DBG1(DBG_KNL, "getting WFP SA for UDP encap failed: 0x%08x", res);
IPsecSaContextDeleteById0(this->handle, entry->sa_id);
entry->sa_id = 0;
return FALSE;
}
ctx->inboundSa->udpEncapsulation = &encap;
ctx->outboundSa->udpEncapsulation = &encap;
res = IPsecSaContextUpdate0(this->handle,
IPSEC_SA_DETAILS_UPDATE_UDP_ENCAPSULATION, ctx);
FwpmFreeMemory0((void**)&ctx);
if (res != ERROR_SUCCESS)
{
DBG1(DBG_KNL, "enable WFP UDP encap failed: 0x%08x", res);
IPsecSaContextDeleteById0(this->handle, entry->sa_id);
entry->sa_id = 0;
return FALSE;
}
}
return TRUE;
}
/**
* Install a transport mode SA/SP set to the kernel
*/
static bool install_transport(private_kernel_wfp_ipsec_t *this, entry_t *entry)
{
if (install_sps(this, entry, NULL) &&
install_sas(this, entry, IPSEC_TRAFFIC_TYPE_TRANSPORT))
{
return TRUE;
}
cleanup_policies(this, entry);
return FALSE;
}
/**
* Generate a new GUID, random
*/
static bool generate_guid(private_kernel_wfp_ipsec_t *this, GUID *guid)
{
bool ok;
rng_t *rng;
rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
if (!rng)
{
return FALSE;
}
ok = rng->get_bytes(rng, sizeof(GUID), (uint8_t*)guid);
rng->destroy(rng);
return ok;
}
/**
* Register a dummy tunnel provider to associate tunnel filters to
*/
static bool add_tunnel_provider(private_kernel_wfp_ipsec_t *this,
entry_t *entry, GUID *guid, UINT64 *luid)
{
DWORD res;
IPSEC_AUTH_TRANSFORM0 transform = {
/* Create any valid proposal. This is actually not used, as we
* don't create an SA from this information. */
.authTransformId = IPSEC_AUTH_TRANSFORM_ID_HMAC_SHA_1_96,
};
IPSEC_SA_TRANSFORM0 transforms = {
.ipsecTransformType = IPSEC_TRANSFORM_ESP_AUTH,
.espAuthTransform = &transform,
};
IPSEC_PROPOSAL0 proposal = {
.lifetime = {
/* We need a valid lifetime, even if we don't create any SA
* from these values. Pick some values accepted. */
.lifetimeSeconds = 0xFFFF,
.lifetimeKilobytes = 0xFFFFFFFF,
.lifetimePackets = 0xFFFFFFFF,
},
.numSaTransforms = 1,
.saTransforms = &transforms,
};
IPSEC_TUNNEL_POLICY0 policy = {
.numIpsecProposals = 1,
.ipsecProposals = &proposal,
.saIdleTimeout = {
/* not used, set to lifetime for maximum */
.idleTimeoutSeconds = proposal.lifetime.lifetimeSeconds,
.idleTimeoutSecondsFailOver = proposal.lifetime.lifetimeSeconds,
},
};
FWPM_PROVIDER_CONTEXT0 qm = {
.displayData = {
.name = L"charon tunnel provider",
},
.providerKey = (GUID*)&this->provider.providerKey,
.type = FWPM_IPSEC_IKE_QM_TUNNEL_CONTEXT,
.ikeQmTunnelPolicy = &policy,
};
switch (entry->local->get_family(entry->local))
{
case AF_INET:
policy.tunnelEndpoints.ipVersion = FWP_IP_VERSION_V4;
policy.tunnelEndpoints.localV4Address =
untoh32(entry->local->get_address(entry->local).ptr);
policy.tunnelEndpoints.remoteV4Address =
untoh32(entry->remote->get_address(entry->remote).ptr);
break;
case AF_INET6:
policy.tunnelEndpoints.ipVersion = FWP_IP_VERSION_V6;
host2address6(entry->local, &policy.tunnelEndpoints.localV6Address);
host2address6(entry->remote, &policy.tunnelEndpoints.remoteV6Address);
break;
default:
return FALSE;
}
if (!generate_guid(this, &qm.providerContextKey))
{
return FALSE;
}
res = FwpmProviderContextAdd0(this->handle, &qm, NULL, luid);
if (res != ERROR_SUCCESS)
{
DBG1(DBG_KNL, "adding provider context failed: 0x%08x", res);
return FALSE;
}
*guid = qm.providerContextKey;
return TRUE;
}
/**
* Install tunnel mode SPs to the kernel
*/
static bool install_tunnel_sps(private_kernel_wfp_ipsec_t *this, entry_t *entry)
{
GUID guid;
if (!add_tunnel_provider(this, entry, &guid, &entry->provider))
{
return FALSE;
}
if (!install_sps(this, entry, &guid))
{
return FALSE;
}
return TRUE;
}
/**
* Reduce refcount, or uninstall a route if all refs gone
*/
static bool uninstall_route(private_kernel_wfp_ipsec_t *this,
host_t *dst, uint8_t mask, host_t *src, host_t *gtw)
{
route_t *route, key = {
.dst = dst,
.mask = mask,
.src = src,
};
char *name;
bool res = FALSE;
this->mutex->lock(this->mutex);
route = this->routes->get(this->routes, &key);
if (route)
{
if (--route->refs == 0)
{
if (charon->kernel->get_interface(charon->kernel, src, &name))
{
res = charon->kernel->del_route(charon->kernel,
dst->get_address(dst), mask, gtw, src, name) == SUCCESS;
free(name);
}
route = this->routes->remove(this->routes, route);
if (route)
{
destroy_route(route);
}
}
else
{
res = TRUE;
}
}
this->mutex->unlock(this->mutex);
return res;
}
/**
* Install a single route, or refcount if exists
*/
static bool install_route(private_kernel_wfp_ipsec_t *this,
host_t *dst, uint8_t mask, host_t *src, host_t *gtw)
{
route_t *route, key = {
.dst = dst,
.mask = mask,
.src = src,
};
char *name;
bool res = FALSE;
this->mutex->lock(this->mutex);
route = this->routes->get(this->routes, &key);
if (route)
{
route->refs++;
res = TRUE;
}
else
{
if (charon->kernel->get_interface(charon->kernel, src, &name))
{
if (charon->kernel->add_route(charon->kernel,
dst->get_address(dst), mask, gtw, src, name) == SUCCESS)
{
INIT(route,
.dst = dst->clone(dst),
.mask = mask,
.src = src->clone(src),
.gtw = gtw ? gtw->clone(gtw) : NULL,
.refs = 1,
);
route = this->routes->put(this->routes, route, route);
if (route)
{
destroy_route(route);
}
res = TRUE;
}
free(name);
}
}
this->mutex->unlock(this->mutex);
return res;
}
/**
* (Un)-install a single route
*/
static bool manage_route(private_kernel_wfp_ipsec_t *this,
host_t *local, host_t *remote,
traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
bool add)
{
host_t *src, *dst, *gtw;
uint8_t mask;
bool done;
if (!dst_ts->to_subnet(dst_ts, &dst, &mask))
{
return FALSE;
}
if (charon->kernel->get_address_by_ts(charon->kernel, src_ts, &src,
NULL) != SUCCESS)
{
dst->destroy(dst);
return FALSE;
}
gtw = charon->kernel->get_nexthop(charon->kernel, remote, -1, local, NULL);
if (add)
{
done = install_route(this, dst, mask, src, gtw);
}
else
{
done = uninstall_route(this, dst, mask, src, gtw);
}
dst->destroy(dst);
src->destroy(src);
DESTROY_IF(gtw);
if (!done)
{
DBG1(DBG_KNL, "%sinstalling route for policy %R === %R failed",
add ? "" : "un", src_ts, dst_ts);
}
return done;
}
/**
* (Un)-install routes for IPsec policies
*/
static bool manage_routes(private_kernel_wfp_ipsec_t *this, entry_t *entry,
bool add)
{
enumerator_t *enumerator;
sp_entry_t *sp;
enumerator = array_create_enumerator(entry->sps);
while (enumerator->enumerate(enumerator, &sp))
{
if (add && sp->route)
{
continue;
}
if (!add && !sp->route)
{
continue;
}
if (manage_route(this, entry->local, entry->remote,
sp->src, sp->dst, add))
{
sp->route = add;
}
}
enumerator->destroy(enumerator);
return TRUE;
}
/**
* Install a tunnel mode SA/SP set to the kernel
*/
static bool install_tunnel(private_kernel_wfp_ipsec_t *this, entry_t *entry)
{
if (install_tunnel_sps(this, entry) &&
manage_routes(this, entry, TRUE) &&
install_sas(this, entry, IPSEC_TRAFFIC_TYPE_TUNNEL))
{
return TRUE;
}
cleanup_policies(this, entry);
return FALSE;
}
/**
* Install a SA/SP set to the kernel
*/
static bool install(private_kernel_wfp_ipsec_t *this, entry_t *entry)
{
switch (entry->mode)
{
case MODE_TRANSPORT:
return install_transport(this, entry);
case MODE_TUNNEL:
return install_tunnel(this, entry);
case MODE_BEET:
default:
return FALSE;
}
}
/**
* Installed trap entry
*/
typedef struct {
/** reqid this trap is installed for */
uint32_t reqid;
/** is this a forward policy trap for tunnel mode? */
bool fwd;
/** do we have installed a route for this trap policy? */
bool route;
/** local address of associated route */
host_t *local;
/** remote address of associated route */
host_t *remote;
/** src traffic selector */
traffic_selector_t *src;
/** dst traffic selector */
traffic_selector_t *dst;
/** LUID of installed tunnel policy filter */
UINT64 filter_id;
} trap_t;
/**
* Destroy a trap entry
*/
static void destroy_trap(trap_t *this)
{
this->local->destroy(this->local);
this->remote->destroy(this->remote);
this->src->destroy(this->src);
this->dst->destroy(this->dst);
free(this);
}
/**
* Hashtable equals function for traps
*/
static bool equals_trap(trap_t *a, trap_t *b)
{
return a->filter_id == b->filter_id;
}
/**
* Hashtable hash function for traps
*/
static u_int hash_trap(trap_t *trap)
{
return chunk_hash(chunk_from_thing(trap->filter_id));
}
/**
* Send an acquire for an installed trap filter
*/
static void acquire(private_kernel_wfp_ipsec_t *this, UINT64 filter_id,
traffic_selector_t *src, traffic_selector_t *dst)
{
uint32_t reqid = 0;
trap_t *trap, key = {
.filter_id = filter_id,
};
this->mutex->lock(this->mutex);
trap = this->traps->get(this->traps, &key);
if (trap)
{
reqid = trap->reqid;
}
this->mutex->unlock(this->mutex);
if (reqid)
{
src = src ? src->clone(src) : NULL;
dst = dst ? dst->clone(dst) : NULL;
charon->kernel->acquire(charon->kernel, reqid, src, dst);
}
}
/**
* Create a single host traffic selector from an FWP address definition
*/
static traffic_selector_t *addr2ts(FWP_IP_VERSION version, void *data,
uint8_t protocol, uint16_t from_port, uint16_t to_port)
{
ts_type_t type;
UINT32 ints[4];
chunk_t addr;
switch (version)
{
case FWP_IP_VERSION_V4:
ints[0] = untoh32(data);
addr = chunk_from_thing(ints[0]);
type = TS_IPV4_ADDR_RANGE;
break;
case FWP_IP_VERSION_V6:
ints[3] = untoh32(data);
ints[2] = untoh32(data + 4);
ints[1] = untoh32(data + 8);
ints[0] = untoh32(data + 12);
addr = chunk_from_thing(ints);
type = TS_IPV6_ADDR_RANGE;
break;
default:
return NULL;
}
return traffic_selector_create_from_bytes(protocol, type, addr, from_port,
addr, to_port);
}
/**
* FwpmNetEventSubscribe0() callback
*/
static void WINAPI event_callback(void *user, const FWPM_NET_EVENT1 *event)
{
private_kernel_wfp_ipsec_t *this = user;
traffic_selector_t *local = NULL, *remote = NULL;
uint8_t protocol = 0;
uint16_t from_local = 0, to_local = 65535;
uint16_t from_remote = 0, to_remote = 65535;
if ((event->header.flags & FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET) &&
(event->header.flags & FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET))
{
if (event->header.flags & FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET)
{
from_local = to_local = event->header.localPort;
}
if (event->header.flags & FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET)
{
from_remote = to_remote = event->header.remotePort;
}
if (event->header.flags & FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET)
{
protocol = event->header.ipProtocol;
}
local = addr2ts(event->header.ipVersion,
(void*)&event->header.localAddrV6,
protocol, from_local, to_local);
remote = addr2ts(event->header.ipVersion,
(void*)&event->header.remoteAddrV6,
protocol, from_remote, to_remote);
}
switch (event->type)
{
case FWPM_NET_EVENT_TYPE_CLASSIFY_DROP:
acquire(this, event->classifyDrop->filterId, local, remote);
break;
case FWPM_NET_EVENT_TYPE_IKEEXT_MM_FAILURE:
DBG1(DBG_KNL, "WFP MM failure: %R === %R, 0x%08x, filterId %llu",
local, remote, event->ikeMmFailure->failureErrorCode,
event->ikeMmFailure->mmFilterId);
break;
case FWPM_NET_EVENT_TYPE_IKEEXT_QM_FAILURE:
DBG1(DBG_KNL, "WFP QM failure: %R === %R, 0x%08x, filterId %llu",
local, remote, event->ikeQmFailure->failureErrorCode,
event->ikeQmFailure->qmFilterId);
break;
case FWPM_NET_EVENT_TYPE_IKEEXT_EM_FAILURE:
DBG1(DBG_KNL, "WFP EM failure: %R === %R, 0x%08x, filterId %llu",
local, remote, event->ikeEmFailure->failureErrorCode,
event->ikeEmFailure->qmFilterId);
break;
case FWPM_NET_EVENT_TYPE_IPSEC_KERNEL_DROP:
DBG1(DBG_KNL, "IPsec kernel drop: %R === %R, error 0x%08x, "
"SPI 0x%08x, %s filterId %llu", local, remote,
event->ipsecDrop->failureStatus, event->ipsecDrop->spi,
event->ipsecDrop->direction ? "in" : "out",
event->ipsecDrop->filterId);
break;
case FWPM_NET_EVENT_TYPE_IPSEC_DOSP_DROP:
default:
break;
}
DESTROY_IF(local);
DESTROY_IF(remote);
}
/**
* Register for net events
*/
static bool register_events(private_kernel_wfp_ipsec_t *this)
{
FWPM_NET_EVENT_SUBSCRIPTION0 subscription = {};
DWORD res;
res = FwpmNetEventSubscribe0(this->handle, &subscription,
event_callback, this, &this->event);
if (res != ERROR_SUCCESS)
{
DBG1(DBG_KNL, "registering for WFP events failed: 0x%08x", res);
return FALSE;
}
return TRUE;
}
/**
* Install a trap policy to kernel
*/
static bool install_trap(private_kernel_wfp_ipsec_t *this, trap_t *trap)
{
FWPM_FILTER_CONDITION0 *conds = NULL;
int count = 0;
DWORD res;
const GUID *starget, *dtarget;
UINT64 weight = 0x000000000000ff00;
FWPM_FILTER0 filter = {
.displayData = {
.name = L"charon IPsec trap",
},
.action = {
.type = FWP_ACTION_BLOCK,
},
.weight = {
.type = FWP_UINT64,
.uint64 = &weight,
},
};
if (trap->fwd)
{
if (trap->src->get_type(trap->src) == TS_IPV4_ADDR_RANGE)
{
filter.layerKey = FWPM_LAYER_IPFORWARD_V4;
}
else
{
filter.layerKey = FWPM_LAYER_IPFORWARD_V6;
}
starget = &FWPM_CONDITION_IP_SOURCE_ADDRESS;
dtarget = &FWPM_CONDITION_IP_DESTINATION_ADDRESS;
}
else
{
if (trap->src->get_type(trap->src) == TS_IPV4_ADDR_RANGE)
{
filter.layerKey = FWPM_LAYER_OUTBOUND_TRANSPORT_V4;
}
else
{
filter.layerKey = FWPM_LAYER_OUTBOUND_TRANSPORT_V6;
}
starget = &FWPM_CONDITION_IP_LOCAL_ADDRESS;
dtarget = &FWPM_CONDITION_IP_REMOTE_ADDRESS;
}
if (!ts2condition(trap->src, starget, &conds, &count) ||
!ts2condition(trap->dst, dtarget, &conds, &count))
{
free_conditions(conds, count);
return FALSE;
}
filter.numFilterConditions = count;
filter.filterCondition = conds;
res = FwpmFilterAdd0(this->handle, &filter, NULL, &trap->filter_id);
free_conditions(conds, count);
if (res != ERROR_SUCCESS)
{
DBG1(DBG_KNL, "installing WFP trap filter failed: 0x%08x", res);
return FALSE;
}
return TRUE;
}
/**
* Uninstall a trap policy from kernel
*/
static bool uninstall_trap(private_kernel_wfp_ipsec_t *this, trap_t *trap)
{
DWORD res;
res = FwpmFilterDeleteById0(this->handle, trap->filter_id);
if (res != ERROR_SUCCESS)
{
DBG1(DBG_KNL, "uninstalling WFP trap filter failed: 0x%08x", res);
return FALSE;
}
return TRUE;
}
/**
* Create and install a new trap entry
*/
static bool add_trap(private_kernel_wfp_ipsec_t *this,
uint32_t reqid, bool fwd, host_t *local, host_t *remote,
traffic_selector_t *src, traffic_selector_t *dst)
{
trap_t *trap;
INIT(trap,
.reqid = reqid,
.fwd = fwd,
.src = src->clone(src),
.dst = dst->clone(dst),
.local = local->clone(local),
.remote = remote->clone(remote),
);
if (!install_trap(this, trap))
{
destroy_trap(trap);
return FALSE;
}
trap->route = manage_route(this, local, remote, src, dst, TRUE);
this->mutex->lock(this->mutex);
this->traps->put(this->traps, trap, trap);
this->mutex->unlock(this->mutex);
return TRUE;
}
/**
* Uninstall and remove a new trap entry
*/
static bool remove_trap(private_kernel_wfp_ipsec_t *this,
uint32_t reqid, bool fwd,
traffic_selector_t *src, traffic_selector_t *dst)
{
enumerator_t *enumerator;
trap_t *trap, *found = NULL;
this->mutex->lock(this->mutex);
enumerator = this->traps->create_enumerator(this->traps);
while (enumerator->enumerate(enumerator, NULL, &trap))
{
if (reqid == trap->reqid &&
fwd == trap->fwd &&
src->equals(src, trap->src) &&
dst->equals(dst, trap->dst))
{
this->traps->remove_at(this->traps, enumerator);
found = trap;
break;
}
}
enumerator->destroy(enumerator);
this->mutex->unlock(this->mutex);
if (found)
{
if (trap->route)
{
trap->route = !manage_route(this, trap->local, trap->remote,
src, dst, FALSE);
}
uninstall_trap(this, found);
destroy_trap(found);
return TRUE;
}
return FALSE;
}
METHOD(kernel_ipsec_t, get_features, kernel_feature_t,
private_kernel_wfp_ipsec_t *this)
{
return KERNEL_ESP_V3_TFC | KERNEL_NO_POLICY_UPDATES;
}
/**
* Initialize seeds for SPI generation
*/
static bool init_spi(private_kernel_wfp_ipsec_t *this)
{
bool ok = TRUE;
rng_t *rng;
rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
if (!rng)
{
return FALSE;
}
ok = rng->get_bytes(rng, sizeof(this->nextspi), (uint8_t*)&this->nextspi);
if (ok)
{
ok = rng->get_bytes(rng, sizeof(this->mixspi), (uint8_t*)&this->mixspi);
}
rng->destroy(rng);
return ok;
}
/**
* Map an integer x with a one-to-one function using quadratic residues.
*/
static u_int permute(u_int x, u_int p)
{
u_int qr;
x = x % p;
qr = ((uint64_t)x * x) % p;
if (x <= p / 2)
{
return qr;
}
return p - qr;
}
METHOD(kernel_ipsec_t, get_spi, status_t,
private_kernel_wfp_ipsec_t *this, host_t *src, host_t *dst,
uint8_t protocol, uint32_t *spi)
{
/* To avoid sequential SPIs, we use a one-to-one permutation function on
* an incrementing counter, that is a full period PRNG for the range we
* allocate SPIs in. We add some randomness using a fixed XOR and start
* the counter at random position. This is not cryptographically safe,
* but that is actually not required.
* The selected prime should be smaller than the range we allocate SPIs
* in, and it must satisfy p % 4 == 3 to map x > p/2 using p - qr. */
static const u_int p = 268435399, offset = 0xc0000000;
*spi = htonl(offset + permute(ref_get(&this->nextspi) ^ this->mixspi, p));
return SUCCESS;
}
METHOD(kernel_ipsec_t, get_cpi, status_t,
private_kernel_wfp_ipsec_t *this, host_t *src, host_t *dst,
uint16_t *cpi)
{
return NOT_SUPPORTED;
}
/**
* Data for an expire callback job
*/
typedef struct {
/* backref to kernel backend */
private_kernel_wfp_ipsec_t *this;
/* SPI of expiring SA */
uint32_t spi;
/* destination address of expiring SA */
host_t *dst;
/* is this a hard expire, or a rekey request? */
bool hard;
} expire_data_t;
/**
* Clean up expire data
*/
static void expire_data_destroy(expire_data_t *data)
{
data->dst->destroy(data->dst);
free(data);
}
/**
* Callback job for SA expiration
*/
static job_requeue_t expire_job(expire_data_t *data)
{
private_kernel_wfp_ipsec_t *this = data->this;
uint8_t protocol;
entry_t *entry = NULL;
sa_entry_t key = {
.spi = data->spi,
.dst = data->dst,
};
if (data->hard)
{
this->mutex->lock(this->mutex);
entry = this->isas->remove(this->isas, &key);
this->mutex->unlock(this->mutex);
if (entry)
{
protocol = entry->isa.protocol;
if (entry->osa.dst)
{
key.dst = entry->osa.dst;
key.spi = entry->osa.spi;
this->osas->remove(this->osas, &key);
}
entry_destroy(this, entry);
}
}
else
{
this->mutex->lock(this->mutex);
entry = this->isas->get(this->isas, &key);
if (entry)
{
protocol = entry->isa.protocol;
}
this->mutex->unlock(this->mutex);
}
if (entry)
{
charon->kernel->expire(charon->kernel, protocol, data->spi, data->dst,
data->hard);
}
return JOB_REQUEUE_NONE;
}
/**
* Schedule an expire event for an SA
*/
static void schedule_expire(private_kernel_wfp_ipsec_t *this, uint32_t spi,
host_t *dst, uint32_t lifetime, bool hard)
{
expire_data_t *data;
INIT(data,
.this = this,
.spi = spi,
.dst = dst->clone(dst),
.hard = hard,
);
lib->scheduler->schedule_job(lib->scheduler, (job_t*)
callback_job_create((void*)expire_job, data,
(void*)expire_data_destroy, NULL),
lifetime);
}
METHOD(kernel_ipsec_t, add_sa, status_t,
private_kernel_wfp_ipsec_t *this, kernel_ipsec_sa_id_t *id,
kernel_ipsec_add_sa_t *data)
{
host_t *local, *remote;
entry_t *entry;
if (data->inbound)
{
/* comes first, create new entry */
local = id->dst->clone(id->dst);
remote = id->src->clone(id->src);
INIT(entry,
.reqid = data->reqid,
.isa = {
.spi = id->spi,
.dst = local,
.protocol = id->proto,
.lifetime = data->lifetime->time.life,
.encr = {
.alg = data->enc_alg,
.key = chunk_clone(data->enc_key),
},
.integ = {
.alg = data->int_alg,
.key = chunk_clone(data->int_key),
},
},
.sps = array_create(0, 0),
.local = local,
.remote = remote,
.mode = data->mode,
.encap = data->encap,
);
if (data->lifetime->time.life)
{
schedule_expire(this, id->spi, local,
data->lifetime->time.life, TRUE);
}
if (data->lifetime->time.rekey &&
data->lifetime->time.rekey != data->lifetime->time.life)
{
schedule_expire(this, id->spi, local,
data->lifetime->time.rekey, FALSE);
}
this->mutex->lock(this->mutex);
this->tsas->put(this->tsas, (void*)(uintptr_t)data->reqid, entry);
this->isas->put(this->isas, &entry->isa, entry);
this->mutex->unlock(this->mutex);
}
else
{
/* comes after inbound, update entry */
this->mutex->lock(this->mutex);
entry = this->tsas->remove(this->tsas, (void*)(uintptr_t)data->reqid);
this->mutex->unlock(this->mutex);
if (!entry)
{
DBG1(DBG_KNL, "adding outbound SA failed, no inbound SA found "
"for reqid %u ", data->reqid);
return NOT_FOUND;
}
/* TODO: should we check for local/remote, mode etc.? */
entry->osa = (sa_entry_t){
.spi = id->spi,
.dst = entry->remote,
.protocol = id->proto,
.lifetime = data->lifetime->time.life,
.encr = {
.alg = data->enc_alg,
.key = chunk_clone(data->enc_key),
},
.integ = {
.alg = data->int_alg,
.key = chunk_clone(data->int_key),
},
};
this->mutex->lock(this->mutex);
this->osas->put(this->osas, &entry->osa, entry);
this->mutex->unlock(this->mutex);
}
return SUCCESS;
}
METHOD(kernel_ipsec_t, update_sa, status_t,
private_kernel_wfp_ipsec_t *this, kernel_ipsec_sa_id_t *id,
kernel_ipsec_update_sa_t *data)
{
entry_t *entry;
sa_entry_t key = {
.dst = id->dst,
.spi = id->spi,
};
UINT64 sa_id = 0;
IPSEC_SA_CONTEXT1 *ctx;
IPSEC_V4_UDP_ENCAPSULATION0 ports;
UINT32 flags = IPSEC_SA_DETAILS_UPDATE_TRAFFIC;
DWORD res;
this->mutex->lock(this->mutex);
entry = this->osas->get(this->osas, &key);
this->mutex->unlock(this->mutex);
if (entry)
{
/* outbound entry, nothing to do */
return SUCCESS;
}
this->mutex->lock(this->mutex);
entry = this->isas->get(this->isas, &key);
if (entry)
{
/* inbound entry, do update */
sa_id = entry->sa_id;
ports.localUdpEncapPort = entry->local->get_port(entry->local);
ports.remoteUdpEncapPort = entry->remote->get_port(entry->remote);
}
this->mutex->unlock(this->mutex);
if (!sa_id)
{
return NOT_FOUND;
}
res = IPsecSaContextGetById1(this->handle, sa_id, &ctx);
if (res != ERROR_SUCCESS)
{
DBG1(DBG_KNL, "getting WFP SA context for updated failed: 0x%08x", res);
return FAILED;
}
if (!hosts2traffic(this, data->new_dst, data->new_src, &ctx->inboundSa->traffic) ||
!hosts2traffic(this, data->new_dst, data->new_src, &ctx->outboundSa->traffic))
{
FwpmFreeMemory0((void**)&ctx);
return FAILED;
}
if (data->new_encap != data->encap)
{
if (data->new_encap)
{
ctx->inboundSa->udpEncapsulation = &ports;
ctx->outboundSa->udpEncapsulation = &ports;
}
else
{
ctx->inboundSa->udpEncapsulation = NULL;
ctx->outboundSa->udpEncapsulation = NULL;
}
flags |= IPSEC_SA_DETAILS_UPDATE_UDP_ENCAPSULATION;
}
res = IPsecSaContextUpdate0(this->handle, flags, ctx);
FwpmFreeMemory0((void**)&ctx);
if (res != ERROR_SUCCESS)
{
DBG1(DBG_KNL, "updating WFP SA context failed: 0x%08x", res);
return FAILED;
}
this->mutex->lock(this->mutex);
entry = this->isas->remove(this->isas, &key);
if (entry)
{
key.spi = entry->osa.spi;
key.dst = entry->osa.dst;
this->osas->remove(this->osas, &key);
entry->local->destroy(entry->local);
entry->remote->destroy(entry->remote);
entry->local = data->new_dst->clone(data->new_dst);
entry->remote = data->new_src->clone(data->new_src);
entry->isa.dst = entry->local;
entry->osa.dst = entry->remote;
this->isas->put(this->isas, &entry->isa, entry);
this->osas->put(this->osas, &entry->osa, entry);
manage_routes(this, entry, FALSE);
manage_routes(this, entry, TRUE);
}
this->mutex->unlock(this->mutex);
return SUCCESS;
}
METHOD(kernel_ipsec_t, query_sa, status_t,
private_kernel_wfp_ipsec_t *this, kernel_ipsec_sa_id_t *id,
kernel_ipsec_query_sa_t *data, uint64_t *bytes, uint64_t *packets,
time_t *time)
{
/* It does not seem that WFP provides any means of getting per-SA traffic
* statistics. IPsecGetStatistics0/1() provides global stats, and
* IPsecSaContextEnum0/1() and IPsecSaEnum0/1() return the configured
* values only. */
return NOT_SUPPORTED;
}
METHOD(kernel_ipsec_t, del_sa, status_t,
private_kernel_wfp_ipsec_t *this, kernel_ipsec_sa_id_t *id,
kernel_ipsec_del_sa_t *data)
{
entry_t *entry;
sa_entry_t key = {
.dst = id->dst,
.spi = id->spi,
};
this->mutex->lock(this->mutex);
entry = this->isas->remove(this->isas, &key);
this->mutex->unlock(this->mutex);
if (entry)
{
/* keep entry until removal of outbound */
return SUCCESS;
}
this->mutex->lock(this->mutex);
entry = this->osas->remove(this->osas, &key);
this->mutex->unlock(this->mutex);
if (entry)
{
entry_destroy(this, entry);
return SUCCESS;
}
return NOT_FOUND;
}
METHOD(kernel_ipsec_t, flush_sas, status_t,
private_kernel_wfp_ipsec_t *this)
{
return NOT_SUPPORTED;
}
METHOD(kernel_ipsec_t, add_policy, status_t,
private_kernel_wfp_ipsec_t *this, kernel_ipsec_policy_id_t *id,
kernel_ipsec_manage_policy_t *data)
{
status_t status = SUCCESS;
entry_t *entry;
sp_entry_t *sp;
sa_entry_t key = {
.spi = data->sa->esp.use ? data->sa->esp.spi : data->sa->ah.spi,
.dst = data->dst,
};
if (data->sa->esp.use && data->sa->ah.use)
{
return NOT_SUPPORTED;
}
switch (data->type)
{
case POLICY_IPSEC:
break;
case POLICY_PASS:
case POLICY_DROP:
return NOT_SUPPORTED;
}
switch (id->dir)
{
case POLICY_OUT:
break;
case POLICY_IN:
case POLICY_FWD:
/* not required */
return SUCCESS;
default:
return NOT_SUPPORTED;
}
switch (data->prio)
{
case POLICY_PRIORITY_DEFAULT:
break;
case POLICY_PRIORITY_ROUTED:
if (!add_trap(this, data->sa->reqid, FALSE, data->src, data->dst,
id->src_ts, id->dst_ts))
{
return FAILED;
}
if (data->sa->mode == MODE_TUNNEL)
{
if (!add_trap(this, data->sa->reqid, TRUE, data->src, data->dst,
id->src_ts, id->dst_ts))
{
return FAILED;
}
}
return SUCCESS;
case POLICY_PRIORITY_FALLBACK:
default:
return NOT_SUPPORTED;
}
this->mutex->lock(this->mutex);
entry = this->osas->get(this->osas, &key);
if (entry)
{
if (data->sa->mode == MODE_TUNNEL || array_count(entry->sps) == 0)
{
INIT(sp,
.src = id->src_ts->clone(id->src_ts),
.dst = id->dst_ts->clone(id->dst_ts),
);
array_insert(entry->sps, -1, sp);
if (array_count(entry->sps) == data->sa->policy_count)
{
if (!install(this, entry))
{
status = FAILED;
}
}
}
else
{
/* TODO: reinstall with a filter using multiple TS?
* Filters are ANDed for a match, but we could install a filter
* with the inverse TS set using NOT-matches... */
DBG1(DBG_KNL, "multiple transport mode traffic selectors not "
"supported by WFP");
status = NOT_SUPPORTED;
}
}
else
{
DBG1(DBG_KNL, "adding SP failed, no SA found for SPI 0x%08x", key.spi);
status = FAILED;
}
this->mutex->unlock(this->mutex);
return status;
}
METHOD(kernel_ipsec_t, query_policy, status_t,
private_kernel_wfp_ipsec_t *this, kernel_ipsec_policy_id_t *id,
kernel_ipsec_query_policy_t *data, time_t *use_time)
{
/* see query_sa() for some notes */
return NOT_SUPPORTED;
}
METHOD(kernel_ipsec_t, del_policy, status_t,
private_kernel_wfp_ipsec_t *this, kernel_ipsec_policy_id_t *id,
kernel_ipsec_manage_policy_t *data)
{
if (id->dir == POLICY_OUT && data->prio == POLICY_PRIORITY_ROUTED)
{
if (remove_trap(this, data->sa->reqid, FALSE, id->src_ts,
id->dst_ts))
{
remove_trap(this, data->sa->reqid, TRUE, id->src_ts,
id->dst_ts);
return SUCCESS;
}
return NOT_FOUND;
}
/* not required, as we delete the whole SA/SP set during del_sa() */
return SUCCESS;
}
METHOD(kernel_ipsec_t, flush_policies, status_t,
private_kernel_wfp_ipsec_t *this)
{
return NOT_SUPPORTED;
}
/**
* Add a bypass policy for a specific UDP port
*/
static bool add_bypass(private_kernel_wfp_ipsec_t *this,
int family, uint16_t port, bool inbound, UINT64 *luid)
{
FWPM_FILTER_CONDITION0 *cond, *conds = NULL;
int count = 0;
DWORD res;
UINT64 weight = 0xff00000000000000;
FWPM_FILTER0 filter = {
.displayData = {
.name = L"charon IKE bypass",
},
.action = {
.type = FWP_ACTION_PERMIT,
},
.weight = {
.type = FWP_UINT64,
.uint64 = &weight,
},
};
switch (family)
{
case AF_INET:
filter.layerKey = inbound ? FWPM_LAYER_INBOUND_TRANSPORT_V4
: FWPM_LAYER_OUTBOUND_TRANSPORT_V4;
break;
case AF_INET6:
filter.layerKey = inbound ? FWPM_LAYER_INBOUND_TRANSPORT_V6
: FWPM_LAYER_OUTBOUND_TRANSPORT_V6;
break;
default:
return FALSE;
}
cond = append_condition(&conds, &count);
cond->fieldKey = FWPM_CONDITION_IP_PROTOCOL;
cond->matchType = FWP_MATCH_EQUAL;
cond->conditionValue.type = FWP_UINT8;
cond->conditionValue.uint8 = IPPROTO_UDP;
cond = append_condition(&conds, &count);
cond->fieldKey = FWPM_CONDITION_IP_LOCAL_PORT;
cond->matchType = FWP_MATCH_EQUAL;
cond->conditionValue.type = FWP_UINT16;
cond->conditionValue.uint16 = port;
filter.numFilterConditions = count;
filter.filterCondition = conds;
res = FwpmFilterAdd0(this->handle, &filter, NULL, luid);
free_conditions(conds, count);
if (res != ERROR_SUCCESS)
{
DBG1(DBG_KNL, "installing WFP bypass filter failed: 0x%08x", res);
return FALSE;
}
return TRUE;
}
METHOD(kernel_ipsec_t, bypass_socket, bool,
private_kernel_wfp_ipsec_t *this, int fd, int family)
{
union {
struct sockaddr sa;
SOCKADDR_IN in;
SOCKADDR_IN6 in6;
} saddr;
int addrlen = sizeof(saddr);
UINT64 filter_out, filter_in = 0;
uint16_t port;
if (getsockname(fd, &saddr.sa, &addrlen) == SOCKET_ERROR)
{
return FALSE;
}
switch (family)
{
case AF_INET:
port = ntohs(saddr.in.sin_port);
break;
case AF_INET6:
port = ntohs(saddr.in6.sin6_port);
break;
default:
return FALSE;
}
if (!add_bypass(this, family, port, TRUE, &filter_in) ||
!add_bypass(this, family, port, FALSE, &filter_out))
{
if (filter_in)
{
FwpmFilterDeleteById0(this->handle, filter_in);
}
return FALSE;
}
this->mutex->lock(this->mutex);
array_insert(this->bypass, ARRAY_TAIL, &filter_in);
array_insert(this->bypass, ARRAY_TAIL, &filter_out);
this->mutex->unlock(this->mutex);
return TRUE;
}
METHOD(kernel_ipsec_t, enable_udp_decap, bool,
private_kernel_wfp_ipsec_t *this, int fd, int family, uint16_t port)
{
return FALSE;
}
METHOD(kernel_ipsec_t, destroy, void,
private_kernel_wfp_ipsec_t *this)
{
UINT64 filter;
while (array_remove(this->bypass, ARRAY_TAIL, &filter))
{
FwpmFilterDeleteById0(this->handle, filter);
}
if (this->handle)
{
if (this->event)
{
FwpmNetEventUnsubscribe0(this->handle, this->event);
}
FwpmProviderDeleteByKey0(this->handle, &this->provider.providerKey);
FwpmEngineClose0(this->handle);
}
array_destroy(this->bypass);
this->tsas->destroy(this->tsas);
this->isas->destroy(this->isas);
this->osas->destroy(this->osas);
this->routes->destroy(this->routes);
this->traps->destroy(this->traps);
this->mutex->destroy(this->mutex);
free(this);
}
/*
* Described in header.
*/
kernel_wfp_ipsec_t *kernel_wfp_ipsec_create()
{
private_kernel_wfp_ipsec_t *this;
DWORD res;
FWPM_SESSION0 session = {
.displayData = {
.name = L"charon",
.description = L"strongSwan IKE kernel-wfp backend",
},
};
INIT(this,
.public = {
.interface = {
.get_features = _get_features,
.get_spi = _get_spi,
.get_cpi = _get_cpi,
.add_sa = _add_sa,
.update_sa = _update_sa,
.query_sa = _query_sa,
.del_sa = _del_sa,
.flush_sas = _flush_sas,
.add_policy = _add_policy,
.query_policy = _query_policy,
.del_policy = _del_policy,
.flush_policies = _flush_policies,
.bypass_socket = _bypass_socket,
.enable_udp_decap = _enable_udp_decap,
.destroy = _destroy,
},
},
.provider = {
.displayData = {
.name = L"charon",
.description = L"strongSwan IKE kernel-wfp backend",
},
.providerKey = { 0x59cdae2e, 0xf6bb, 0x4c09,
{ 0xa9,0x59,0x9d,0x91,0xac,0xaf,0xf9,0x19 }},
},
.mutex = mutex_create(MUTEX_TYPE_RECURSIVE),
.bypass = array_create(sizeof(UINT64), 2),
.tsas = hashtable_create(hashtable_hash_ptr, hashtable_equals_ptr, 4),
.isas = hashtable_create((void*)hash_sa, (void*)equals_sa, 4),
.osas = hashtable_create((void*)hash_sa, (void*)equals_sa, 4),
.routes = hashtable_create((void*)hash_route, (void*)equals_route, 4),
.traps = hashtable_create((void*)hash_trap, (void*)equals_trap, 4),
);
if (!init_spi(this))
{
destroy(this);
return NULL;
}
res = FwpmEngineOpen0(NULL, RPC_C_AUTHN_WINNT, NULL, &session,
&this->handle);
if (res != ERROR_SUCCESS)
{
DBG1(DBG_KNL, "opening WFP engine failed: 0x%08x", res);
destroy(this);
return NULL;
}
res = FwpmProviderAdd0(this->handle, &this->provider, NULL);
if (res != ERROR_SUCCESS && res != FWP_E_ALREADY_EXISTS)
{
DBG1(DBG_KNL, "registering WFP provider failed: 0x%08x", res);
destroy(this);
return NULL;
}
if (!register_events(this))
{
destroy(this);
return NULL;
}
return &this->public;
}
View Git Blame Copy Permalink