From b1ba0a666c4a46740bae63fd3cc005b7abfbe86d Mon Sep 17 00:00:00 2001
From: Martin Willi
Date: Fri, 15 Nov 2013 12:09:46 +0100
Subject: kernel-wfp: Fix/Complete some fwpuclnt functionality in MinGW
While MinGW declares all the required symbols, some of them are missing in the library files. We provide missing variables locally, functions get a stub that call the GetProcAddress()ed function from the DLL. Also some MinGW headers define some enum values incorrectly, we overload these using defines.
---
 .../plugins/kernel_wfp/kernel_wfp_compat.c | 83 ++++++++++++++++++++++
 1 file changed, 83 insertions(+)
 create mode 100644 src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.c
(limited to 'src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.c')
diff --git a/src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.c b/src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.c
new file mode 100644
index 000000000..1b20d8990
--- /dev/null
+++ b/src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.c
@@ -0,0 +1,83 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include 
+
+const GUID FWPM_CONDITION_IP_REMOTE_ADDRESS = {
+ 0xb235ae9a, 0x1d64, 0x49b8, { 0xa4,0x4c,0x5f,0xf3,0xd9,0x09,0x50,0x45 }
+};
+const GUID FWPM_CONDITION_IP_LOCAL_ADDRESS = {
+ 0xd9ee00de, 0xc1ef, 0x4617, { 0xbf,0xe3,0xff,0xd8,0xf5,0xa0,0x89,0x57 }
+};
+const GUID FWPM_LAYER_INBOUND_TRANSPORT_V4 = {
+ 0x5926dfc8, 0xe3cf, 0x4426, { 0xa2,0x83,0xdc,0x39,0x3f,0x5d,0x0f,0x9d }
+};
+const GUID FWPM_LAYER_OUTBOUND_TRANSPORT_V4 = {
+ 0x09e61aea, 0xd214, 0x46e2, { 0x9b,0x21,0xb2,0x6b,0x0b,0x2f,0x28,0xc8 }
+};
+const GUID FWPM_CALLOUT_IPSEC_INBOUND_TRANSPORT_V4 = {
+ 0x5132900d, 0x5e84, 0x4b5f, { 0x80,0xe4,0x01,0x74,0x1e,0x81,0xff,0x10 }
+};
+const GUID FWPM_CALLOUT_IPSEC_OUTBOUND_TRANSPORT_V4 = {
+ 0x4b46bf0a, 0x4523, 0x4e57, { 0xaa,0x38,0xa8,0x79,0x87,0xc9,0x10,0xd9 }
+};
+
+/**
+ * Load a function symbol from a loaded dll
+ */
+static inline void *load_function(char *dll, char *name)
+{
+ HANDLE handle;
+ void *sym = NULL;
+
+ handle = GetModuleHandle(dll);
+ if (!handle)
+ {
+ return NULL;
+ }
+ sym = GetProcAddress(handle, name);
+ return sym;
+}
+
+/**
+ * Macro that defines a stub for a function that calls the same DLL function
+ *
+ * @param dll DLL to find function in
+ * @param ret return type of function
+ * @param name function name
+ * @param size size of all arguments on stack
+ * @param ... 
arguments of function
+ */
+#define STUB(dll, ret, name, size, ...) \
+ret WINAPI name(__VA_ARGS__) \
+{ \
+ static void (*fun)() = NULL; \
+ if (!fun) \
+ { \
+ fun = load_function(#dll, #name); \
+ } \
+ if (fun) \
+ { \
+ __builtin_return(__builtin_apply(fun, __builtin_apply_args(), size)); \
+ } \
+ return ERROR_NOT_SUPPORTED; \
+}
+
+STUB(fwpuclnt, DWORD, IPsecSaContextCreate1, 40,
+ HANDLE engineHandle, const void *outboundTraffic,
+ const void *virtualIfTunnelInfo, UINT64 *inboundFilterId, UINT64 *id)
+
+STUB(fwpuclnt, DWORD, IPsecSaContextSetSpi0, 32,
+ HANDLE engineHandle, UINT64 id, const void *getSpi, UINT32 inboundSpi)
--
cgit v1.2.3
From 149fc48e030981aa41ab5f282691a865449504e7 Mon Sep 17 00:00:00 2001
From: Martin Willi
Date: Mon, 18 Nov 2013 12:57:36 +0100
Subject: kernel-wfp: Preliminary support for transport mode connections
---
 src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.c | 9 +++++++++
 1 file changed, 9 insertions(+)
(limited to 'src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.c')
diff --git a/src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.c b/src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.c
index 1b20d8990..a687c4371 100644
--- a/src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.c
+++ b/src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.c
@@ -21,6 +21,15 @@ const GUID FWPM_CONDITION_IP_REMOTE_ADDRESS = {
 const GUID FWPM_CONDITION_IP_LOCAL_ADDRESS = {
 0xd9ee00de, 0xc1ef, 0x4617, { 0xbf,0xe3,0xff,0xd8,0xf5,0xa0,0x89,0x57 }
 };
+const GUID FWPM_CONDITION_IP_LOCAL_PORT = {
+ 0x0c1ba1af, 0x5765, 0x453f, { 0xaf,0x22,0xa8,0xf7,0x91,0xac,0x77,0x5b }
+};
+const GUID FWPM_CONDITION_IP_REMOTE_PORT = {
+ 0xc35a604d, 0xd22b, 0x4e1a, { 0x91,0xb4,0x68,0xf6,0x74,0xee,0x67,0x4b }
+};
+const GUID FWPM_CONDITION_IP_PROTOCOL = {
+ 0x3971ef2b, 0x623e, 0x4f9a, { 0x8c,0xb1,0x6e,0x79,0xb8,0x06,0xb9,0xa7 }
+};
 const GUID FWPM_LAYER_INBOUND_TRANSPORT_V4 = {
 0x5926dfc8, 0xe3cf, 0x4426, { 0xa2,0x83,0xdc,0x39,0x3f,0x5d,0x0f,0x9d }
 };
--
cgit v1.2.3
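Review bot: The `size` handed to `__builtin_apply()` in the STUB macro is a hand-counted byte total (40 for the five-parameter `IPsecSaContextCreate1`, 32 for the four-parameter `IPsecSaContextSetSpi0`), which appears to assume 8-byte argument slots; a 32-bit MinGW build with a stdcall frame would have a different size and the forwarded call would copy the wrong amount of stack, and GCC itself documents `__builtin_apply` as unreliable outside the target's standard convention. The macro should refuse to build where the counts are not valid, e.g. `#ifndef _WIN64` / `#error "STUB() argument sizes assume the x64 calling convention"` / `#endif` placed before the `#define`. It is also worth a comment on `load_function()` that it only calls `GetModuleHandle()` and never loads `fwpuclnt.dll` itself, so a stub resolves only once the DLL is already mapped into the process (presumably via the import table) and otherwise returns `ERROR_NOT_SUPPORTED` without writing any of its out-parameters. The lazily initialised `static fun` is written without synchronisation; two threads racing through the first call both store the same address, so this is benign, but a one-line comment saying so spares the next reader the question.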
From 5a5b9925f87136fe0ca1c39448205018e69b6248 Mon Sep 17 00:00:00 2001
From: Martin Willi
Date: Fri, 13 Dec 2013 17:14:26 +0100
Subject: kernel-wfp: Implement update_sa()
---
 src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.c | 6 ++++++
 1 file changed, 6 insertions(+)
(limited to 'src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.c')
diff --git a/src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.c b/src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.c
index a687c4371..6b32f3192 100644
--- a/src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.c
+++ b/src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.c
@@ -90,3 +90,9 @@ STUB(fwpuclnt, DWORD, IPsecSaContextCreate1, 40,
 STUB(fwpuclnt, DWORD, IPsecSaContextSetSpi0, 32,
 HANDLE engineHandle, UINT64 id, const void *getSpi, UINT32 inboundSpi)
+
+STUB(fwpuclnt, DWORD, IPsecSaContextGetById1, 24,
+ HANDLE engineHandle, UINT64 id, void **saContext)
+
+STUB(fwpuclnt, DWORD, IPsecSaContextUpdate0, 24,
+ HANDLE engineHandle, UINT32 flags, const void *newValues)
--
cgit v1.2.3
From 489a4f2192a4cc246869fe8e129e7f31196ccc77 Mon Sep 17 00:00:00 2001
From: Martin Willi
Date: Mon, 16 Dec 2013 17:13:03 +0100
Subject: kernel-wfp: Add an ipsecdump utility to show installed SAs/SPs on Windows
---
 src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.c | 4 ++++
 1 file changed, 4 insertions(+)
(limited to 'src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.c')
diff --git a/src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.c b/src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.c
index 6b32f3192..05659399d 100644
--- a/src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.c
+++ b/src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.c
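Review bot: The two new stubs declare the WFP structure parameters as `void **saContext` and `const void *newValues`, so callers of `IPsecSaContextGetById1` and `IPsecSaContextUpdate0` get no compile-time check that they pass the structure types the real fwpuclnt prototypes expect. Given that this file exists to paper over incomplete MinGW headers the erasure is presumably deliberate, but it should be stated once above the STUB() list, e.g. `/* WFP struct parameters are declared void * here because the MinGW headers lack the types; callers are responsible for passing the correct structure */`. The `24` byte counts are again derived by hand from the parameter lists and presumably assume 8-byte argument slots like the existing 40 and 32 above; a comment on how they were computed would keep later additions consistent.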
@@ -96,3 +96,7 @@ STUB(fwpuclnt, DWORD, IPsecSaContextGetById1, 24,
 STUB(fwpuclnt, DWORD, IPsecSaContextUpdate0, 24,
 HANDLE engineHandle, UINT32 flags, const void *newValues)
+
+STUB(fwpuclnt, DWORD, IPsecSaContextEnum1, 40,
+ HANDLE engineHandle, HANDLE enumHandle, UINT32 numEntriesRequested,
+ void ***entries, UINT32 *numEntriesReturned)
--
cgit v1.2.3
From 6aaa432741c6675493c7a07bc5e9c5ea69eaf21e Mon Sep 17 00:00:00 2001
From: Martin Willi
Date: Wed, 18 Dec 2013 11:56:36 +0100
Subject: kernel-wfp: Add some missing IPv6 GUIDs, fix IPv6 host conversion
---
 src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)
(limited to 'src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.c')
diff --git a/src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.c b/src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.c
index 05659399d..2be369159 100644
--- a/src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.c
+++ b/src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.c
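Review bot: When `IPsecSaContextEnum1` takes the STUB macro's fallback path (`fwpuclnt.dll` not resolvable) it returns `ERROR_NOT_SUPPORTED` without writing `*entries` or `*numEntriesReturned`, so a caller that trusts the count, or frees `*entries` unconditionally, acts on uninitialised memory. Callers must check the return value before touching either output, and that contract deserves a comment on the stub, e.g. `/* on failure *entries and *numEntriesReturned are left untouched */`. `void ***entries` also erases the element type like the other stubs here; a comment naming what the array holds (presumably pointers to SA-context structures allocated by fwpuclnt) would help the ipsecdump caller this commit adds.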
@@ -33,15 +33,27 @@ const GUID FWPM_CONDITION_IP_PROTOCOL = {
 const GUID FWPM_LAYER_INBOUND_TRANSPORT_V4 = {
 0x5926dfc8, 0xe3cf, 0x4426, { 0xa2,0x83,0xdc,0x39,0x3f,0x5d,0x0f,0x9d }
 };
+const GUID FWPM_LAYER_INBOUND_TRANSPORT_V6 = {
+ 0x634a869f, 0xfc23, 0x4b90, { 0xb0,0xc1,0xbf,0x62,0x0a,0x36,0xae,0x6f }
+};
 const GUID FWPM_LAYER_OUTBOUND_TRANSPORT_V4 = {
 0x09e61aea, 0xd214, 0x46e2, { 0x9b,0x21,0xb2,0x6b,0x0b,0x2f,0x28,0xc8 }
 };
+const GUID FWPM_LAYER_OUTBOUND_TRANSPORT_V6 = {
+ 0xe1735bde, 0x013f, 0x4655, { 0xb3,0x51,0xa4,0x9e,0x15,0x76,0x2d,0xf0 }
+};
 const GUID FWPM_CALLOUT_IPSEC_INBOUND_TRANSPORT_V4 = {
 0x5132900d, 0x5e84, 0x4b5f, { 0x80,0xe4,0x01,0x74,0x1e,0x81,0xff,0x10 }
 };
+const GUID FWPM_CALLOUT_IPSEC_INBOUND_TRANSPORT_V6 = {
+ 0x49d3ac92, 0x2a6c, 0x4dcf, { 0x95,0x5f,0x1c,0x3b,0xe0,0x09,0xdd,0x99 }
+};
 const GUID FWPM_CALLOUT_IPSEC_OUTBOUND_TRANSPORT_V4 = {
 0x4b46bf0a, 0x4523, 0x4e57, { 0xaa,0x38,0xa8,0x79,0x87,0xc9,0x10,0xd9 }
 };
+const GUID FWPM_CALLOUT_IPSEC_OUTBOUND_TRANSPORT_V6 = {
+ 0x38d87722, 0xad83, 0x4f11, { 0xa9,0x1f,0xdf,0x0f,0xb0,0x77,0x22,0x5b }
+};
 /**
 * Load a function symbol from a loaded dll
--
cgit v1.2.3
From 28683140282493fb6b9dbf825961154d0ff02504 Mon Sep 17 00:00:00 2001
From: Martin Willi
Date: Thu, 19 Dec 2013 09:48:43 +0100
Subject: kernel-wfp: Register for WFP Net events
---
 src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.c | 7 +++++++
 1 file changed, 7 insertions(+)
(limited to 'src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.c')
diff --git a/src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.c b/src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.c
index 2be369159..4296e147c 100644
--- a/src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.c
+++ b/src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.c
@@ -112,3 +112,10 @@ STUB(fwpuclnt, DWORD, IPsecSaContextUpdate0, 24,
 STUB(fwpuclnt, DWORD, IPsecSaContextEnum1, 40,
 HANDLE engineHandle, HANDLE enumHandle, UINT32 numEntriesRequested,
 void ***entries, UINT32 *numEntriesReturned)
+
+STUB(fwpuclnt, DWORD, FwpmNetEventSubscribe0, 40,
+ HANDLE engineHandle, const void *subscription, void(*callback)(),
+ void *context, HANDLE *eventsHandle)
+
+STUB(fwpuclnt, DWORD, FwpmNetEventUnsubscribe0, 16,
+ HANDLE engineHandle, HANDLE eventsHandle)
--
cgit v1.2.3
From 1678f0a999bed5e486b56824381332a85c505033 Mon Sep 17 00:00:00 2001
From: Martin Willi
Date: Thu, 19 Dec 2013 16:55:43 +0100
Subject: kernel-wfp: Manually create a ProviderContext to attach individual filters
This gives us more flexibility than using the intransparent FwpmIPsecTunnelAdd, and fixes the issues we have seen with trap policies. Forward filters are still missing, but required for site-to-site tunnels.
---
 src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)
(limited to 'src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.c')
diff --git a/src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.c b/src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.c
index 4296e147c..3660ac9d6 100644
--- a/src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.c
+++ b/src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.c
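Review bot: `void(*callback)()` in the `FwpmNetEventSubscribe0` stub is an unprototyped function-pointer type, so any function with any parameter list is accepted as the net-event callback without a diagnostic, and the compiler cannot catch a caller that registers a handler with the wrong signature. If the event structure type is simply unavailable in the MinGW headers that is understandable, but the stub should say so and name the real prototype it stands in for, e.g. `/* callback deliberately unprototyped: MinGW lacks the event struct type; must match the fwpuclnt callback signature exactly */`. Note too that on the `ERROR_NOT_SUPPORTED` fallback `*eventsHandle` is never written, so a caller must check the return before handing that handle to `FwpmNetEventUnsubscribe0`.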
@@ -54,6 +54,18 @@ const GUID FWPM_CALLOUT_IPSEC_OUTBOUND_TRANSPORT_V4 = {
 const GUID FWPM_CALLOUT_IPSEC_OUTBOUND_TRANSPORT_V6 = {
 0x38d87722, 0xad83, 0x4f11, { 0xa9,0x1f,0xdf,0x0f,0xb0,0x77,0x22,0x5b }
 };
+const GUID FWPM_CALLOUT_IPSEC_INBOUND_TUNNEL_V4 = {
+ 0x191a8a46, 0x0bf8, 0x46cf, { 0xb0,0x45,0x4b,0x45,0xdf,0xa6,0xa3,0x24 }
+};
+const GUID FWPM_CALLOUT_IPSEC_INBOUND_TUNNEL_V6 = {
+ 0x80c342e3, 0x1e53, 0x4d6f, { 0x9b,0x44,0x03,0xdf,0x5a,0xee,0xe1,0x54 }
+};
+const GUID FWPM_CALLOUT_IPSEC_OUTBOUND_TUNNEL_V4 = {
+ 0x70a4196c, 0x835b, 0x4fb0, { 0x98,0xe8,0x07,0x5f,0x4d,0x97,0x7d,0x46 }
+};
+const GUID FWPM_CALLOUT_IPSEC_OUTBOUND_TUNNEL_V6 = {
+ 0xf1835363, 0xa6a5, 0x4e62, { 0xb1,0x80,0x23,0xdb,0x78,0x9d,0x8d,0xa6 }
+};
 /**
 * Load a function symbol from a loaded dll
--
cgit v1.2.3
From 6de788704b0cb4b087719341f0900b1b1992cdb0 Mon Sep 17 00:00:00 2001
From: Martin Willi
Date: Fri, 20 Dec 2013 14:42:10 +0100
Subject: kernel-wfp: Install tunnel and trap forward policies
---
 .../plugins/kernel_wfp/kernel_wfp_compat.c | 24 ++++++++++++++++++++++
 1 file changed, 24 insertions(+)
(limited to 'src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.c')
diff --git a/src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.c b/src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.c
index 3660ac9d6..41f85ba5c 100644
--- a/src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.c
+++ b/src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.c
@@ -21,6 +21,12 @@ const GUID FWPM_CONDITION_IP_REMOTE_ADDRESS = {
 const GUID FWPM_CONDITION_IP_LOCAL_ADDRESS = {
 0xd9ee00de, 0xc1ef, 0x4617, { 0xbf,0xe3,0xff,0xd8,0xf5,0xa0,0x89,0x57 }
 };
+const GUID FWPM_CONDITION_IP_SOURCE_ADDRESS = {
+ 0xae96897e, 0x2e94, 0x4bc9, { 0xb3,0x13,0xb2,0x7e,0xe8,0x0e,0x57,0x4d }
+};
+const GUID FWPM_CONDITION_IP_DESTINATION_ADDRESS = {
+ 0x2d79133b, 0xb390, 0x45c6, { 0x86,0x99,0xac,0xac,0xea,0xaf,0xed,0x33 }
+};
 const GUID FWPM_CONDITION_IP_LOCAL_PORT = {
 0x0c1ba1af, 0x5765, 0x453f, { 0xaf,0x22,0xa8,0xf7,0x91,0xac,0x77,0x5b }
@@ -42,6 +48,12 @@ const GUID FWPM_LAYER_OUTBOUND_TRANSPORT_V4 = {
 const GUID FWPM_LAYER_OUTBOUND_TRANSPORT_V6 = {
 0xe1735bde, 0x013f, 0x4655, { 0xb3,0x51,0xa4,0x9e,0x15,0x76,0x2d,0xf0 }
 };
+const GUID FWPM_LAYER_IPFORWARD_V4 = {
+ 0xa82acc24, 0x4ee1, 0x4ee1, { 0xb4,0x65,0xfd,0x1d,0x25,0xcb,0x10,0xa4}
+};
+const GUID FWPM_LAYER_IPFORWARD_V6 = {
+ 0x7b964818, 0x19c7, 0x493a, { 0xb7,0x1f,0x83,0x2c,0x36,0x84,0xd2,0x8c }
+};
 const GUID FWPM_CALLOUT_IPSEC_INBOUND_TRANSPORT_V4 = {
 0x5132900d, 0x5e84, 0x4b5f, { 0x80,0xe4,0x01,0x74,0x1e,0x81,0xff,0x10 }
 };
@@ -66,6 +78,18 @@ const GUID FWPM_CALLOUT_IPSEC_OUTBOUND_TUNNEL_V4 = {
 const GUID FWPM_CALLOUT_IPSEC_OUTBOUND_TUNNEL_V6 = {
 0xf1835363, 0xa6a5, 0x4e62, { 0xb1,0x80,0x23,0xdb,0x78,0x9d,0x8d,0xa6 }
 };
+const GUID FWPM_CALLOUT_IPSEC_FORWARD_INBOUND_TUNNEL_V4 = {
+ 0x28829633, 0xc4f0, 0x4e66, { 0x87,0x3f,0x84,0x4d,0xb2,0xa8,0x99,0xc7 }
+};
+const GUID FWPM_CALLOUT_IPSEC_FORWARD_INBOUND_TUNNEL_V6 = {
+ 0xaf50bec2, 0xc686, 0x429a, { 0x88,0x4d,0xb7,0x44,0x43,0xe7,0xb0,0xb4 }
+};
+const GUID FWPM_CALLOUT_IPSEC_FORWARD_OUTBOUND_TUNNEL_V4 = {
+ 0xfb532136, 0x15cb, 0x440b, { 0x93,0x7c,0x17,0x17,0xca,0x32,0x0c,0x40 }
+};
+const GUID FWPM_CALLOUT_IPSEC_FORWARD_OUTBOUND_TUNNEL_V6 = {
+ 0xdae640cc, 0xe021, 0x4bee, { 0x9e,0xb6,0xa4,0x8b,0x27,0x5c,0x8c,0x1d }
+};
 /**
 * Load a function symbol from a loaded dll
--
cgit v1.2.3
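Review bot: The `FWPM_LAYER_IPFORWARD_V4` initialiser ends in `0xa4}` where every other GUID in this file writes `0xa4 }` with a space before the closing brace; cosmetic, but a one-token fix keeps the table uniform and greppable, `0xa82acc24, 0x4ee1, 0x4ee1, { 0xb4,0x65,0xfd,0x1d,0x25,0xcb,0x10,0xa4 }`. None of the GUID values in these hunks can be verified from the diff itself, and a mistyped-but-well-formed GUID would not fail at compile time; it could instead attach a forward filter to the wrong layer or callout at runtime. A short comment above the table naming the Windows SDK header the values were transcribed from would let a reviewer check them against the source.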