windows-server-2003/net/tcpip/driver/ipsec/sys/globals.h

/*++

Copyright (c) 1997-2001  Microsoft Corporation

Module Name:

    globals.h

Abstract:

    This is the main header file for IPSEC. Contains all the globals.

Author:

    Sanjay Anand (SanjayAn) 2-January-1997
    ChunYe

Environment:

    Kernel mode

Revision History:

--*/


#ifndef  _GLOBALS_H
#define  _GLOBALS_H

#include "NsIpsec.h"


#define MAX_COUNT_STRING_LEN    32

#define MAX_IP_OPTION_SIZE      40



// 64 bytes
#define MAX_KEYLEN_SHA  64
#define MAX_KEYLEN_MD5  64

// 8 bytes
#define MAX_KEYLEN_DES  8
#define MAX_IV_LEN      DES_BLOCKLEN

#define MAX_KEY_LEN     MAX(MAX_KEYLEN_MD5, MAX_KEYLEN_DES)

//
// we set aside SPIs between 256 and 65536 (64K) for hardware offload
//
#define LOWER_BOUND_SPI     256
#define UPPER_BOUND_SPI     ((ULONG) -1)    // MAX_ULONG

#define INVALID_INDEX       0xffffffff

#define RNG_KEY_SIZE        256         // 2048 bits
#define RNG_REKEY_THRESHOLD 65536       // 64K raw bytes

//
// Constants related to filter lists
//
#define INBOUND_TRANSPORT_FILTER    0
#define OUTBOUND_TRANSPORT_FILTER   1
#define INBOUND_TUNNEL_FILTER       2
#define OUTBOUND_TUNNEL_FILTER      3

#define MIN_FILTER                  INBOUND_TRANSPORT_FILTER
#define MAX_FILTER                  OUTBOUND_TUNNEL_FILTER

#define MIN_TRANSPORT_FILTER        INBOUND_TRANSPORT_FILTER
#define MAX_TRANSPORT_FILTER        OUTBOUND_TRANSPORT_FILTER

#define MIN_TUNNEL_FILTER           INBOUND_TUNNEL_FILTER
#define MAX_TUNNEL_FILTER           OUTBOUND_TUNNEL_FILTER

#define INBOUND_OUTBOUND_INCREMENT  1
#define TRANSPORT_TUNNEL_INCREMENT  2

#define NUM_FILTERS                 (MAX_FILTER - MIN_FILTER + 1)

//
// Number of extra bytes when we pad - one for padlen and other for payloadtype
//
#define NUM_EXTRA   2

#define ESP_SIZE (sizeof(ESP) + DES_BLOCKLEN * sizeof(UCHAR))

#define TRUNCATED_HASH_LEN  12 // 96 bits
#define REPLAY_WINDOW_SIZE  64

#define MAX_PAD_LEN         (DES_BLOCKLEN + NUM_EXTRA - 1)

#define IPSEC_SMALL_BUFFER_SIZE 50
#define IPSEC_LARGE_BUFFER_SIZE 200

#define IPSEC_CACHE_LINE_SIZE   16

#define IPSEC_LIST_DEPTH    5

typedef ULONG tSPI;

#define MAX_BLOCKLEN    MAX(DES_BLOCKLEN, 0)

#define IPSEC_TAG_INIT              'ISpI'
#define IPSEC_TAG_AH                'TApI'
#define IPSEC_TAG_AH_TU             'UApI'
#define IPSEC_TAG_ESP               'TEpI'
#define IPSEC_TAG_ESP_TU            'UEpI'
#define IPSEC_TAG_HUGHES            'THpI'
#define IPSEC_TAG_HUGHES_TU         'UHpI'
#define IPSEC_TAG_ACQUIRE_CTX       'XApI'
#define IPSEC_TAG_FILTER            'IFpI'
#define IPSEC_TAG_SA                'ASpI'
#define IPSEC_TAG_KEY               'EKpI'
#define IPSEC_TAG_TIMER             'ITpI'
#define IPSEC_TAG_STALL_QUEUE       'QSpI'
#define IPSEC_TAG_LOOKASIDE_LISTS   'ALpI'
#define IPSEC_TAG_BUFFER_POOL       'PBpI'
#define IPSEC_TAG_SEND_COMPLETE     'CSpI'
#define IPSEC_TAG_EVT_QUEUE         'QEpI'
#define IPSEC_TAG_HW                'WHpI'
#define IPSEC_TAG_HW_PKTINFO        'KPpI'
#define IPSEC_TAG_HW_PKTEXT         'XEpI'
#define IPSEC_TAG_HW_ADDSA          'SApI'
#define IPSEC_TAG_HW_DELSA          'SDpI'
#define IPSEC_TAG_HW_PLUMB          'LPpI'
#define IPSEC_TAG_COMP              'OCpI'
#define IPSEC_TAG_REINJECT          'ERpI'
#define IPSEC_TAG_IOCTL             'OIpI'
#define IPSEC_TAG_LOG               'OLpI'
#define IPSEC_TAG_PARSER            'sPpI'
#define IPSEC_TAG_ICMP              'cIpI'
#define IPSEC_TAG_STATEFUL_ENTRY    'ESpI'
#define IPSEC_TAG_STATEFUL_HT       'HSpI'
#define IPSEC_TAG_HASH_POOL       'PHpI'



#define IPSEC_LOG_PACKET_SIZE 128 //Size in bytes of stored packet in troubleshoot mode


//
// The IPSEC ESP payload
//
typedef struct  _ESP {
    tSPI   esp_spi;
} ESP, *PESP;

typedef struct  _NATENCAP {
    ushort      uh_src;             // Source port.
    ushort      uh_dest;            // Destination port.
    ushort      uh_length;          // Length
    ushort      uh_xsum;            // Checksum.
    UCHAR  Zero[8];
} NATENCAP, *PNATENCAP;

typedef struct  _NATENCAP_OTHER {
    ushort      uh_src;             // Source port.
    ushort      uh_dest;            // Destination port.
    ushort      uh_length;          // Length
    ushort      uh_xsum;            // Checksum.
} NATENCAP_OTHER, *PNATENCAP_OTHER;


//
// SA Flags - Not mutually exclusive
//
#define FLAGS_SA_INITIATOR          0x00000001  // use Initiator keys? might be deprecated soon
#define FLAGS_SA_OUTBOUND           0x00000002  // outbound SA?
#define FLAGS_SA_TUNNEL             0x00000004  // tunnel mode? sa_TunnelAddr is significant
#define FLAGS_SA_REKEY              0x00000010  // is this rekeyed LarvalSA?
#define FLAGS_SA_REKEY_ORI          0x00000020  // did this kick off a rekey?
#define FLAGS_SA_MANUAL             0x00000040  // manual keyed?
#define FLAGS_SA_MTU_BUMPED         0x00000080  // was MTU bumped down on this SA?
#define FLAGS_SA_PENDING            0x00000100  // this is on the pending queue.
#define FLAGS_SA_TIMER_STARTED      0x00000200  // timer started on this SA
#define FLAGS_SA_HW_PLUMBED         0x00000400  // hw acceleration plumbed successfully
#define FLAGS_SA_HW_PLUMB_FAILED    0x00000800  // hw acceleration plumbing failed
#define FLAGS_SA_HW_DELETE_SA       0x00001000  // hw acceleration - this is the pending delete.
#define FLAGS_SA_HW_CRYPTO_ONLY     0x00002000  // hw acceleration - this is a crypto-only provider.
#define FLAGS_SA_HW_RESET           0x00004000  // hw acceleration - this offload SA has been reset
#define FLAGS_SA_HW_DELETE_QUEUED   0x00008000  // hw acceleration - this SA delete is queued so make sure reset doesn't touch it
#define FLAGS_SA_REFERENCED         0x00010000  // is this SA the next of another?
#define FLAGS_SA_NOTIFY_PERFORMED   0x00020000  // For inbound only.  Notification performed
#define FLAGS_SA_ON_FILTER_LIST     0x00040000  // used on inbound SAs to indicate they are on filter lists
#define FLAGS_SA_ON_SPI_HASH        0x00080000  // used on inbound SAs to indicate they are on spi hash lists
#define FLAGS_SA_EXPIRED            0x00100000  // has this SA expired?
#define FLAGS_SA_IDLED_OUT          0x00200000  // has this SA idled out?
#define FLAGS_SA_HIBERNATED         0x00400000  // has this SA been hibernated?
#define FLAGS_SA_DELETE_BY_IOCTL    0x00800000  // sa delete initiated by external source
#define FLAGS_SA_OFFLOADABLE        0x01000000  // is this SA offloadable?
#define FLAGS_SA_PASSTHRU_FILTER    0x02000000  // sa derived from a pass-thru filter
#define FLAGS_SA_DISABLE_IDLE_OUT          0x04000000  // don't idle out
#define FLAGS_SA_DISABLE_ANTI_REPLAY_CHECK 0x08000000  // don't check anti-replay
#define FLAGS_SA_DISABLE_LIFETIME_CHECK    0x10000000  // don't check lifetimes
#define FLAGS_SA_ENABLE_NLBS_IDLE_CHECK    0x20000000  // Idle out faster




//
// SA States - Mutually exclusive
//
typedef enum    _SA_STATE   {
    STATE_SA_CREATED =   1,     // when created
    STATE_SA_LARVAL,            // Key negotiation going on - outbound SAs only
    STATE_SA_ACTIVE,            // outbound SA completely setup
    STATE_SA_LARVAL_ACTIVE,     // inbound active SA without the associated outbound SA
    STATE_SA_ZOMBIE             // SAs flushed, ready to be deleted
} SA_STATE, *PSA_STATE;

#define IPSEC_SA_SIGNATURE  0x4601
#define IPSEC_FILTER_SIGNATURE  0x4602

#if DBG
#define IPSEC_SA_D_1    'SAD1'
#define IPSEC_SA_D_2    'SAD2'
#define IPSEC_SA_D_3    'SAD3'
#define IPSEC_SA_D_4    'SAD4'
#endif

typedef struct _FILTER  FILTER, *PFILTER;

typedef    struct    _INTERNAL_ALGO_INFO {
    ULONG   algoIdentifier;
    PUCHAR  algoKey;
    ULONG   algoKeylen;
    ULONG   algoRounds;
} INTERNAL_ALGO_INFO, *PINTERNAL_ALGO_INFO;

typedef struct    _INTERNAL_ALGO {
    INTERNAL_ALGO_INFO    integrityAlgo;
    INTERNAL_ALGO_INFO    confAlgo;
    INTERNAL_ALGO_INFO    compAlgo;
} INTERNAL_ALGO, *PINTERNAL_ALGO;

typedef struct  _IPSEC_ACQUIRE_CONTEXT  IPSEC_ACQUIRE_CONTEXT, *PIPSEC_ACQUIRE_CONTEXT;
typedef struct  _FILTER_CACHE           FILTER_CACHE, *PFILTER_CACHE;

//
// Security Association Table (SATable)
//
// Indexed by the following:
//
// Sender maps {Src Addr, Dest Addr, User Context} to the index
//
// Receiver maps {Dest Addr, SPI} to the index
// SPI values are unique when generated manually, so can be used directly
// to index into the SATable for
//
typedef struct  _SATableEntry   {
    LIST_ENTRY      sa_SPILinkage;      // linkage in SPI hash table list
    LIST_ENTRY      sa_FilterLinkage;   // linkage in Filter table list
    LIST_ENTRY      sa_LarvalLinkage;   // linkage in Larval SA list
    LIST_ENTRY      sa_PendingLinkage;  // linkage in pending SA list - waiting for Acquire Irp

    struct  _SATableEntry *sa_AssociatedSA;    // outbound -> inbound link
    struct  _SATableEntry *sa_RekeyLarvalSA;   // points to the Larval SA on a rekey
    struct  _SATableEntry *sa_RekeyOriginalSA; // Rekey Larval SA points to the original SA that kicked off the rekey

    ULONG           sa_Signature;       // contains 4601

    ULONG           sa_AcquireId;       // cross-check with the Acquire Irp context
    PIPSEC_ACQUIRE_CONTEXT  sa_AcquireCtx;  // actual acquire context - used to invalidate the context.

    ULONG           sa_Flags;           // flags as defined above
    SA_STATE        sa_State;           // states as defined above

    ULONG           sa_Reference;       // ref count
    PFILTER         sa_Filter;          // assoc filter entry
    PFILTER_CACHE   sa_FilterCache;     // back pointer to cache entry so we can disable it when an SA goes away

    KSPIN_LOCK      sa_Lock;            // lock to protect the FilterCache ptr.

#if DBG
    ULONG           sa_d1;
#endif

    ULARGE_INTEGER  sa_uliSrcDstAddr;
    ULARGE_INTEGER  sa_uliSrcDstMask;
    ULARGE_INTEGER  sa_uliProtoSrcDstPort;

    IPAddr          sa_TunnelAddr;      // Tunnel dest end IP Addr
    IPAddr          sa_SrcTunnelAddr;   // Tunnel src end IP Addr

    // SPI - host order -   if outbound, SPI for remote,
    //                      else inbound (our) SPI

    tSPI            sa_SPI;                 // Inbound: in the multiple ops case, this is the SPI of the last operation.
                                            // Outbound: order is as specified in the update.

    LONG            sa_NumOps;              // the total number of operations to be done

    tSPI            sa_OtherSPIs[MAX_OPS];  // the other alternate SPIs.

    OPERATION_E     sa_Operation[MAX_OPS];
    INTERNAL_ALGO   sa_Algorithm[MAX_OPS];

    ULONG           sa_ReplayStartPoint;        // corresponds to RP_Key_I/R
    ULONG           sa_ReplayLastSeq[MAX_OPS];  // for replay detection - last seq recd
    ULONGLONG       sa_ReplayBitmap[MAX_OPS];   // for replay detection - 64 packet window
    ULONG           sa_ReplaySendSeq[MAX_OPS];  // for replay detection - next seq # to send
    ULONG           sa_ReplayLen;               // for replay detection - length of replay field - 32 bits

#if DBG
    ULONG           sa_d2;
#endif

    UCHAR           sa_iv[MAX_OPS][DES_BLOCKLEN];      // IV_Key_I/R
    ULONG           sa_ivlen;

    ULONG           sa_TruncatedLen;    // length of final hash after truncation

    LARGE_INTEGER   sa_KeyExpirationTime;   // time till re-key
    LARGE_INTEGER   sa_KeyExpirationBytes;  // max # of KBytes xformed till re-key
    LARGE_INTEGER   sa_TotalBytesTransformed; // running total
    LARGE_INTEGER   sa_KeyExpirationTimeWithPad;
    LARGE_INTEGER   sa_KeyExpirationBytesWithPad;

    LARGE_INTEGER   sa_IdleTime;            // total time this SA can sit idle
    LARGE_INTEGER   sa_LastUsedTime;        // time this SA was used last

#if DBG
    ULONG           sa_d3;
#endif

    LIFETIME        sa_Lifetime;

    ULONG           sa_BlockedDataLen;  // amount of pended data
    PNDIS_BUFFER    sa_BlockedBuffer;   // stall queue of 1 Mdl chain

#if DBG
    ULONG           sa_d4;
#endif

    Interface       *sa_IPIF;

    IPSEC_TIMER     sa_Timer;           // Timer struct for timer queue

    ULONG           sa_ExpiryTime;      // time until this SA expires
    NDIS_HANDLE     sa_OffloadHandle;
    LONG            sa_NumSends;
    WORK_QUEUE_ITEM sa_QueueItem;

    ULONG           sa_IPSecOverhead;
    ULONG           sa_NewMTU;

    DWORD           sa_QMPFSGroup;
    IKE_COOKIE_PAIR sa_CookiePair;
    IPSEC_SA_STATS  sa_Stats;
    UCHAR           sa_DestType;
    IPSEC_SA_UDP_ENCAP_TYPE sa_EncapType;

    IPSEC_UDP_ENCAP_CONTEXT sa_EncapContext;
    IPAddr          sa_PeerPrivateAddr;

} SA_TABLE_ENTRY, *PSA_TABLE_ENTRY;

//
// Context used between Key manager and IPSEC. Points to the Larval SA basically.
//
typedef struct  _IPSEC_ACQUIRE_CONTEXT {
    ULONG           AcquireId;      // unique ID to represent this transaction
    PSA_TABLE_ENTRY pSA;            // larval SA should contain this ID
} IPSEC_ACQUIRE_CONTEXT, *PIPSEC_ACQUIRE_CONTEXT;

//
// Packet Classification/Policy Setting is similar to that of the
// Filter Driver. We dont have filters per interface, however.
//
typedef struct _FILTER {
    ULONG           Signature;      // contains 4602
    BOOLEAN         TunnelFilter;
    BOOLEAN         LinkedFilter;   // true if on linked list
    USHORT          Flags;
    PFILTER_CACHE   FilterCache;    // back pointer to cache entry so we can disable it when filter is deleted
    LIST_ENTRY      MaskedLinkage;
    ULARGE_INTEGER  uliSrcDstAddr;
    ULARGE_INTEGER  uliSrcDstMask;
    ULARGE_INTEGER  uliProtoSrcDstPort;
    ULARGE_INTEGER  uliProtoSrcDstMask;
    IPAddr          TunnelAddr;
    ULONG           Reference;      // ref count
    LONG            SAChainSize;    // number of entries for SA chain hash
    ULONG           Index;          // hinted index
    GUID            PolicyId;       // policy GUID
    GUID            FilterId;       // filter GUID
#if GPC
    union {
        LIST_ENTRY          GpcLinkage;
        struct _GPC_FILTER {
            GPC_HANDLE      GpcCfInfoHandle;
            GPC_HANDLE      GpcPatternHandle;
        } GpcFilter;
    };
#endif
    LIST_ENTRY      SAChain[1];     // chain of SAs associated with this Filter
} FILTER, *PFILTER;

//
// a first level cache, contains IP headers cached for fast lookups
//
typedef struct _FILTER_CACHE {
    ULARGE_INTEGER  uliSrcDstAddr;
    ULARGE_INTEGER  uliProtoSrcDstPort;
    BOOLEAN         FilterEntry;    // if TRUE, the next one is a Filter
    union {
        PSA_TABLE_ENTRY pSAEntry;   // points to the associated SAEntry
        PFILTER         pFilter;    // points to the (drop/PassThru filter)
    };
    PSA_TABLE_ENTRY pNextSAEntry;   // points to the associated NextSAEntry
#if DBG
    ULARGE_INTEGER  CacheHitCount;
#endif
} FILTER_CACHE, *PFILTER_CACHE;

//
// Hash tables for specific SAs
//
typedef struct  _SA_HASH {
    LIST_ENTRY  SAList;
} SA_HASH, *PSA_HASH;

//
// This structure is used to hold on to an Irp from the Key manager.
// The Irp is completed to kick off an SA negotiation.
//
typedef struct _IPSEC_ACQUIRE_INFO {
    PIRP        Irp;     // irp passed down from Key manager
    LIST_ENTRY  PendingAcquires;    // linked list of pending acquire requests
    LIST_ENTRY  PendingNotifies;    // linked list of pending notifications
    KSPIN_LOCK  Lock;
    BOOLEAN     ResolvingNow;       // irp is in user mode doing a resolve
    BOOLEAN     InMe;       // irp is in user mode doing a resolve
} IPSEC_ACQUIRE_INFO, *PIPSEC_ACQUIRE_INFO;

//
// Buffer for lookaside list descriptors. Lookaside list descriptors
// cannot be statically allocated, as they need to ALWAYS be nonpageable,
// even when the entire driver is paged out.
//
typedef struct _IPSEC_LOOKASIDE_LISTS {
    NPAGED_LOOKASIDE_LIST SendCompleteCtxList;
    NPAGED_LOOKASIDE_LIST LargeBufferList;
    NPAGED_LOOKASIDE_LIST SmallBufferList;
} IPSEC_LOOKASIDE_LISTS, *PIPSEC_LOOKASIDE_LISTS;

//
// Data is organized as an MDL followed by the actual buffer being described by
// the mdl.
//
// !!NOTE: In the struct below, Data should be quadaligned since MDLs are always
// quad-aligned.
//
typedef struct _IPSEC_LA_BUFFER {
    ULONG   Tag;            // the actual tag this was used for
    PVOID   Buffer;         // the actual buffer
    ULONG   BufferLength;   // length of the buffer pointed by MDL
    PMDL    Mdl;            // pointer to an MDL describing the buffer
    UCHAR   Data[1];        // the real data starts here
} IPSEC_LA_BUFFER, *PIPSEC_LA_BUFFER;






#define IPSEC_STATEFUL_HASH_TABLE_SIZE 1000


typedef struct _IPSEC_STATEFUL_HASH_TABLE{
    // Array of lists
    // Lists of IPSEC_STATEFUL_ENTRY
    LIST_ENTRY   Entry[IPSEC_STATEFUL_HASH_TABLE_SIZE];
}IPSEC_STATEFUL_HASH_TABLE, *PIPSEC_STATEFUL_HASH_TABLE;

   

// Always stored outbound
// Allocated from IPSEC_HASH_BUFFER_POOL
// Stored in IPSEC_STATEFUL_HASH_TABLE
typedef struct _IPSEC_STATEFUL_ENTRY {
   LIST_ENTRY CollisionLinkage;
   IPAddr SrcAddr;
   IPAddr DestAddr;
   BYTE Protocol;
   USHORT SrcPort;
   USHORT DestPort;
} IPSEC_STATEFUL_ENTRY, *PIPSEC_STATEFUL_ENTRY;

#define TOTAL_STATEFUL_ENTRY_COUNT 10000

//Write access to SADBLock required for allocation
//Cycle around when full.
//Use list entries in the IPSEC_STATEFUL_ENTRY 
//to remove from hash table.
typedef struct _IPSEC_HASH_BUFFER_POOL {
   ULONG ulEntriesUsed;
   ULONG ulCurrentPosition;
   IPSEC_STATEFUL_ENTRY  PoolEntry[TOTAL_STATEFUL_ENTRY_COUNT];
} IPSEC_HASH_BUFFER_POOL, * PIPSEC_HASH_BUFFER_POOL;

    


typedef struct _IPSEC_GLOBAL {
    BOOLEAN     DriverUnloading;    // Is driver being unloaded?
    BOOLEAN     BoundToIP;          // Are we bound to IP yet?
    BOOLEAN     SendBoundToIP;      // Is IPSecHandler bound to IP?
    BOOLEAN     InitCrypto;         // Are crypto routines initialized?
    BOOLEAN     InitRNG;            // Is RNG initialized?
    BOOLEAN     InitTcpip;          // Is TCP/IP loaded?
#if FIPS
    BOOLEAN     InitFips;           // Is Fips driver loaded and function table set?
#endif
#if GPC
    BOOLEAN     InitGpc;            // Is GPC driver loaded and function table set?
#endif

    LONG        NumSends;           // counts the number of pending sends
    LONG        NumThreads;         // counts the number of threads in driver
    LONG        NumWorkers;         // counts the number of worker threads
    LONG        NumTimers;          // counts the number of active timers
    LONG        NumIoctls;          // counts the number of active IOCTLs

    LIST_ENTRY  LarvalSAList;
    KSPIN_LOCK  LarvalListLock;     // protects the larval SA list

    MRSW_LOCK   SADBLock;           // protects the Filter/SA DB
    MRSW_LOCK   SPIListLock;        // protects the SPI list

    //
    // We partition the filters into tunnel/masked and inbound/outbound filters.
    //
    LIST_ENTRY  FilterList[NUM_FILTERS];

    ULONG       NumPolicies;        // number of filters plumbed in the driver
    ULONG       NumTunnelFilters;
    ULONG       NumMaskedFilters;
    ULONG       NumOutboundSAs;
    ULONG       NumMulticastFilters;

    //
    // Inbound <SPI, dest> hash
    //
    PSA_HASH    pSADb;
    LONG        NumSA;
    LONG        SAHashSize;

    PFILTER_CACHE   *ppCache;
    ULONG           CacheSize;
    ULONG           CacheHalfSize;

    //
    // SA negotiate context
    //
    IPSEC_ACQUIRE_INFO  AcquireInfo;

    //
    // timers
    //
    KSPIN_LOCK          TimerLock;
    IPSEC_TIMER_LIST    TimerList[IPSEC_CLASS_MAX];

    IPSEC_TIMER         ReaperTimer;    // reaper thread runs here.

    //
    // Global lookaside lists. These must always be in nonpaged pool,
    // even when the driver is paged out.
    //
    PIPSEC_LOOKASIDE_LISTS IPSecLookasideLists;

    ULONG   IPSecLargeBufferSize;
    ULONG   IPSecLargeBufferListDepth;

    ULONG   IPSecSmallBufferSize;
    ULONG   IPSecSmallBufferListDepth;

    ULONG   IPSecSendCompleteCtxSize;
    ULONG   IPSecSendCompleteCtxDepth;

    ULONG   IPSecCacheLineSize;

    PDEVICE_OBJECT  IPSecDevice;
    PDRIVER_OBJECT  IPSecDriverObject;

    ProtInfo    IPProtInfo;
    IPOptInfo   OptInfo;

    //
    // stats
    //
    IPSEC_QUERY_STATS   Statistics;


    DWORD 	dwPacketsOnWrongSA;  
    ULONG       EnableOffload;
    ULONG       DefaultSAIdleTime;
    ULONG       LogInterval;
    ULONG       EventQueueSize;
    ULONG       RekeyTime;
    ULONG       NoDefaultExempt;

    KSPIN_LOCK  EventLogLock;   // lock to protect event queue
    IPSEC_TIMER EventLogTimer;
    ULONG       IPSecBufferedEvents;
    PUCHAR      IPSecLogMemory;
    PUCHAR      IPSecLogMemoryLoc;
    PUCHAR      IPSecLogMemoryEnd;


    LARGE_INTEGER   SAIdleTime;

#if DBG
    ULARGE_INTEGER  CacheHitCount;
#endif
   
    OPERATION_MODE  OperationMode;
    IPSEC_FORWARDING_BEHAVIOR DefaultForwardingBehavior;
    ULONG DiagnosticMode;

#if GPC
    GPC_EXPORTED_CALLS  GpcEntries;
    GPC_HANDLE          GpcClients[GPC_CF_MAX];
    ULONG               GpcActive;
    ULONG               GpcNumFilters[GPC_CF_MAX];
    LIST_ENTRY          GpcFilterList[NUM_FILTERS];
#if DBG
    LARGE_INTEGER       GpcTotalPassedIn;
    LARGE_INTEGER       GpcClassifyNeeded;
    LARGE_INTEGER       GpcReClassified;
#endif
#endif

#if FIPS
    PFILE_OBJECT        FipsFileObject;
    FIPS_FUNCTION_TABLE FipsFunctionTable;
#endif

    PIPSEC_EXEMPT_ENTRY BootExemptList;
    ULONG	 BootExemptListSize;		//Entry count

    // Pointer to the Hash table 
    // Initialized in DriverEntry
    PIPSEC_STATEFUL_HASH_TABLE BootStatefulHT;
    PIPSEC_HASH_BUFFER_POOL     BootBufferPool;
     
    LARGE_INTEGER StartTimeDelta;



    IPSEC_NATSHIM_FUNCTIONS ShimFunctions;

    VOID        (*TcpipFreeBuff)(struct IPRcvBuf *);
    INT         (*TcpipAllocBuff)(struct IPRcvBuf *, UINT);
    UCHAR       (*TcpipGetAddrType)(IPAddr);
    IP_STATUS   (*TcpipGetInfo)(IPInfo *, INT);
    NDIS_STATUS (*TcpipNdisRequest)(PVOID, NDIS_REQUEST_TYPE, NDIS_OID, PVOID, UINT, PUINT);
    PVOID       (*TcpipRegisterProtocol)(UCHAR, PVOID, PVOID, PVOID, PVOID, PVOID, PVOID);
    NTSTATUS    (*TcpipSetIPSecStatus)(BOOLEAN);
    IP_STATUS   (*TcpipIPTransmit)(PVOID, PVOID, PNDIS_BUFFER, UINT, IPAddr, IPAddr, IPOptInfo *, RouteCacheEntry *, UCHAR, PIRP);
    IP_STATUS   (*TcpipSetIPSecPtr)(PIPSEC_FUNCTIONS);
    IP_STATUS   (*TcpipUnSetIPSecPtr)(PIPSEC_FUNCTIONS);
    IP_STATUS   (*TcpipUnSetIPSecSendPtr)(PIPSEC_FUNCTIONS);
    UINT        (*TcpipTCPXsum)(UINT, PVOID, UINT);
    USHORT      (*TcpipGenIpId)();
    PVOID       (*TcpipDeRegisterProtocol)(UCHAR);
    IP_STATUS   (*TcpipGetPInfo)(IPAddr, IPAddr, uint *, uint *, RouteCacheEntry *);
    IP_STATUS   (*TcpipSendICMPErr)(IPAddr, IPHeader UNALIGNED *, uchar, uchar, ulong, uchar);
} IPSEC_GLOBAL, *PIPSEC_GLOBAL;


//
// Contexts used to store eventlog contexts.
//
#define IPSEC_DROP_STATUS_CRYPTO_DONE      0x00000001
#define IPSEC_DROP_STATUS_NEXT_CRYPTO_DONE 0x00000002
#define IPSEC_DROP_STATUS_SA_DELETE_REQ    0x00000004
#define IPSEC_DROP_STATUS_DONT_LOG         0x00000008

typedef struct _IPSEC_DROP_STATUS {
    ULONG           IPSecStatus;
    ULONG           OffloadStatus;
    ULONG           Flags;
} IPSEC_DROP_STATUS, *PIPSEC_DROP_STATUS;

typedef struct  _IPSEC_EVENT_CTX {
    IPAddr  Addr;
    ULONG   EventCode;
    ULONG   UniqueEventValue;
    ULONG   EventCount;
    PUCHAR  pPacket;
    ULONG   PacketSize;
    IPSEC_DROP_STATUS DropStatus;
} IPSEC_EVENT_CTX, *PIPSEC_EVENT_CTX;

typedef struct _IPSEC_NOTIFY_EXPIRE {
    LIST_ENTRY      notify_PendingLinkage;  // linkage in pending SA list - waiting for Acquire Irp
    ULARGE_INTEGER  sa_uliSrcDstAddr;
    ULARGE_INTEGER  sa_uliSrcDstMask;
    ULARGE_INTEGER  sa_uliProtoSrcDstPort;

    IPAddr          sa_TunnelAddr;  // Tunnel end IP Addr
    IPAddr          sa_InboundTunnelAddr;  // Tunnel end IP Addr

    tSPI            InboundSpi;                 // Inbound: in the multiple ops case, this is the SPI of the last operation.
    tSPI            OutboundSpi;

    IKE_COOKIE_PAIR sa_CookiePair;
    DWORD           Flags;
    IPSEC_UDP_ENCAP_CONTEXT sa_EncapContext;
    IPAddr          sa_PeerPrivateAddr;
} IPSEC_NOTIFY_EXPIRE, *PIPSEC_NOTIFY_EXPIRE;


typedef IPSEC_ADD_UPDATE_SA IPSEC_ADD_SA, *PIPSEC_ADD_SA;
typedef IPSEC_ADD_UPDATE_SA IPSEC_UPDATE_SA, *PIPSEC_UPDATE_SA;

#define IPSEC_ADD_SA_NO_KEY_SIZE    FIELD_OFFSET(IPSEC_ADD_SA, SAInfo.KeyMat[0])
#define IPSEC_UPDATE_SA_NO_KEY_SIZE FIELD_OFFSET(IPSEC_UPDATE_SA, SAInfo.KeyMat[0])

typedef struct _PARSER_IFENTRY {
    struct _PARSER_IFENTRY * pNext;
    UDP_ENCAP_TYPE UdpEncapType;
    USHORT usDstEncapPort;
    HANDLE hInterface;
    HANDLE hParserIfOffload;
    ULONG uRefCnt;
} PARSER_IFENTRY, * PPARSER_IFENTRY;


//
// Contexts used to store SA plumbing contexts.
//
typedef struct _IPSEC_PLUMB_SA {
    Interface       *DestIF;
    PSA_TABLE_ENTRY pSA;
    PPARSER_IFENTRY pParserIfEntry;
    PUCHAR          Buf;
    ULONG           Len;
    WORK_QUEUE_ITEM PlumbQueueItem;
} IPSEC_PLUMB_SA, *PIPSEC_PLUMB_SA;


typedef struct _IPSEC_MTU_CONTEXT {
    IPAddr Src;
    IPAddr TransportDest;
    IPAddr TunnelDest;
    tSPI TransportSPI;
    tSPI TunnelSPI;
} IPSEC_MTU_CONTEXT, *PIPSEC_MTU_CONTEXT;


//
// Contexts used to log events
//
typedef struct _IPSEC_LOG_EVENT {
    LONG            LogSize;
    WORK_QUEUE_ITEM LogQueueItem;
    UCHAR           pLog[1];
} IPSEC_LOG_EVENT, *PIPSEC_LOG_EVENT;

#define PROTOCOL_UDP 17


#define TCP_HEADER_SIZE 20
#define UDP_HEADER_SIZE 8

#define MIN_ACQUIRE_ID 5
#endif  _GLOBALS_H