archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
1 Branch
0 Tags
4.9 GiB
Tree: 5c6fe3db62
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '5c6fe3db62'
${ noResults }
windows-server-2003/net/tcpip/driver/ipsec/sys/driver.c

3790 lines
102 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. /*++
  3. Copyright (c) 1997-2001 Microsoft Corporation
  5. Module Name:
  7. driver.c
  9. Abstract:
  11. This module contains the DriverEntry and other initialization
  12. code for the IPSEC module of the Tcpip transport.
  14. Author:
  16. Sanjay Anand (SanjayAn) 2-January-1997
  17. ChunYe
  19. Environment:
  21. Kernel mode
  23. Revision History:
  25. --*/
  28. #include "precomp.h"
  30. #ifdef RUN_WPP
  31. #include "driver.tmh"
  32. #endif
  34. #ifdef ALLOC_PRAGMA
  35. #pragma alloc_text(INIT, DriverEntry)
  36. #pragma alloc_text(INIT, IPSecGeneralInit)
  37. #pragma alloc_text(PAGE, IPSecBindToIP)
  38. #pragma alloc_text(PAGE, IPSecUnbindFromIP)
  39. #pragma alloc_text(PAGE, IPSecFreeConfig)
  40. #pragma alloc_text(PAGE, IPSecInitMdlPool)
  41. #pragma alloc_text(PAGE, AllocateCacheStructures)
  42. #pragma alloc_text(PAGE, FreeExistingCache)
  43. #pragma alloc_text(PAGE, FreePatternDbase)
  44. #pragma alloc_text(PAGE, OpenRegKey)
  45. #pragma alloc_text(PAGE, GetRegDWORDValue)
  46. #pragma alloc_text(PAGE, IPSecCryptoInitialize)
  47. #pragma alloc_text(PAGE, IPSecCryptoDeinitialize)
  48. #endif
  51. NTSTATUS
  52. DriverEntry(
  53. IN PDRIVER_OBJECT DriverObject,
  54. IN PUNICODE_STRING RegistryPath
  55. )
  56. /*++
  58. Routine Description:
  60. This routine performs initialization of the IPSEC module.
  61. It creates the device object for the transport
  62. provider and performs other driver initialization.
  64. Arguments:
  66. DriverObject - Pointer to driver object created by the system.
  68. RegistryPath - The name of IPSEC's node in the registry.
  70. Return Value:
  72. The function value is the final status from the initialization operation.
  74. --*/
  75. {
  76. PDEVICE_OBJECT deviceObject = NULL;
  77. WCHAR deviceNameBuffer[] = DD_IPSEC_DEVICE_NAME;
  78. WCHAR symbolicLinkBuffer[] = DD_IPSEC_SYM_NAME;
  79. UNICODE_STRING symbolicLinkName;
  80. UNICODE_STRING deviceNameUnicodeString;
  81. NTSTATUS status;
  82. NTSTATUS status1;
  84. //DbgBreakPoint();
  86. // WPP tracing
  87. //
  88. WPP_INIT_TRACING(DriverObject, RegistryPath);
  90. IPSEC_DEBUG(LL_A, DBF_LOAD, ("Entering DriverEntry"));
  92. //
  93. // Init g_ipsec structure and read reg keys.
  94. //
  97. IPSecZeroMemory(&g_ipsec, sizeof(g_ipsec));
  99. //
  100. // Create the device - do we need a device at all?
  101. //
  102. // Setup the handlers.
  103. //
  104. //
  105. // Initialize the driver object with this driver's entry points.
  106. //
  107. g_ipsec.IPSecDriverObject = DriverObject;
  109. IPSecReadRegistry();
  112. DriverObject->MajorFunction [IRP_MJ_CREATE] =
  113. DriverObject->MajorFunction [IRP_MJ_CLOSE] =
  114. DriverObject->MajorFunction [IRP_MJ_CLEANUP] =
  115. DriverObject->MajorFunction [IRP_MJ_INTERNAL_DEVICE_CONTROL] =
  116. DriverObject->MajorFunction [IRP_MJ_DEVICE_CONTROL] = IPSecDispatch;
  118. DriverObject->DriverUnload = IPSecUnload;
  120. RtlInitUnicodeString (&deviceNameUnicodeString, deviceNameBuffer);
  122. status = IoCreateDevice(
  123. DriverObject,
  124. 0, // DeviceExtensionSize
  125. &deviceNameUnicodeString, // DeviceName
  126. FILE_DEVICE_NETWORK, // DeviceType
  127. FILE_DEVICE_SECURE_OPEN, // DeviceCharacteristics
  128. FALSE, // Exclusive
  129. &deviceObject); // *DeviceObject
  131. if (!NT_SUCCESS (status)) {
  132. IPSEC_DEBUG(LL_A, DBF_LOAD, ("Failed to create device: %lx", status));
  134. LOG_EVENT(
  135. DriverObject,
  136. EVENT_IPSEC_CREATE_DEVICE_FAILED,
  137. 1,
  138. 1,
  139. &deviceNameUnicodeString.Buffer,
  140. 0,
  141. NULL);
  143. goto err;
  144. }
  146. deviceObject->Flags |= DO_BUFFERED_IO;
  148. IPSecDevice = deviceObject;
  150. RtlInitUnicodeString (&symbolicLinkName, symbolicLinkBuffer);
  152. status = IoCreateSymbolicLink(&symbolicLinkName, &deviceNameUnicodeString);
  154. if (!NT_SUCCESS (status)) {
  155. IPSEC_DEBUG(LL_A, DBF_LOAD, ("Failed to create symbolic link: %lx", status));
  157. LOG_EVENT(
  158. DriverObject,
  159. EVENT_IPSEC_CREATE_DEVICE_FAILED,
  160. 2,
  161. 1,
  162. &deviceNameUnicodeString.Buffer,
  163. 0,
  164. NULL);
  166. IoDeleteDevice(DriverObject->DeviceObject);
  168. goto err;
  169. }
  171. //
  172. // General structs init here.
  173. // Allocates the SA Table etc.
  174. //
  175. status = IPSecGeneralInit();
  177. if (!NT_SUCCESS (status)) {
  178. IPSEC_DEBUG(LL_A, DBF_LOAD, ("Failed to init general structs: %lx", status));
  180. //
  181. // Free the general structs and SA Table etc.
  182. //
  183. status1 = IPSecGeneralFree();
  185. if (!NT_SUCCESS (status1)) {
  186. IPSEC_DEBUG(LL_A, DBF_LOAD, ("Failed to free config: %lx", status1));
  187. }
  189. LOG_EVENT(
  190. DriverObject,
  191. EVENT_IPSEC_NO_RESOURCES_FOR_INIT,
  192. 1,
  193. 0,
  194. NULL,
  195. 0,
  196. NULL);
  198. IoDeleteSymbolicLink(&symbolicLinkName);
  200. IoDeleteDevice(DriverObject->DeviceObject);
  202. goto err;
  203. }
  205. //
  206. // Wait for TCP/IP to load and call IOCTL_IPSEC_SET_TCPIP_STATUS where we
  207. // would finish the initialization.
  208. //
  210. status = STATUS_SUCCESS;
  212. IPSEC_DEBUG(LL_A, DBF_LOAD, ("Exiting DriverEntry; SUCCESS"));
  214. err:
  215. return status;
  216. }
  219. VOID
  220. IPSecUnload(
  221. IN PDRIVER_OBJECT DriverObject
  222. )
  223. /*++
  225. Routine Description:
  227. Called when the driver is unloaded.
  229. Arguments:
  231. DriverObject
  233. Return Value:
  235. None
  237. --*/
  238. {
  239. UNICODE_STRING IPSecLinkName;
  240. KIRQL OldIrq;
  241. KIRQL kIrql;
  242. NTSTATUS status;
  243. INT class;
  245. IPSEC_DEBUG(LL_A, DBF_LOAD, ("Entering IPSecUnload"));
  247. //
  248. // Set IPSEC_DRIVER_UNLOADING bit.
  249. //
  250. IPSEC_DRIVER_UNLOADING() = TRUE;
  252. AcquireWriteLock(&g_ipsec.SADBLock,&kIrql);
  253. if (g_ipsec.BootStatefulHT){
  254. IPSecFreeMemory(g_ipsec.BootStatefulHT);
  255. g_ipsec.BootStatefulHT = NULL;
  256. }
  257. if (g_ipsec.BootBufferPool){
  258. IPSecFreeMemory(g_ipsec.BootBufferPool);
  259. g_ipsec.BootBufferPool = NULL;
  260. }
  261. if (g_ipsec.BootExemptList){
  262. IPSecFreeMemory(g_ipsec.BootExemptList);
  263. g_ipsec.BootExemptList = NULL;
  264. }
  265. ReleaseWriteLock(&g_ipsec.SADBLock, kIrql);
  268. //
  269. // Stop the reaper timer.
  270. //
  271. IPSecStopTimer(&g_ipsec.ReaperTimer);
  273. //
  274. // Stop the EventLog timer.
  275. //
  276. IPSecStopTimer(&g_ipsec.EventLogTimer);
  278. //
  279. // Complete the Acquire Irp with error status
  280. //
  281. if (g_ipsec.AcquireInfo.Irp) {
  282. IPSEC_DEBUG(LL_A, DBF_ACQUIRE, ("Unload: Completing Irp.."));
  283. if (g_ipsec.AcquireInfo.InMe) {
  284. IoAcquireCancelSpinLock(&g_ipsec.AcquireInfo.Irp->CancelIrql);
  285. IPSecAcquireIrpCancel(NULL, g_ipsec.AcquireInfo.Irp);
  286. }
  287. }
  289. //
  290. // Stop timers for all SAs (of all states)
  291. //
  292. IPSecStopSATimers();
  294. if (g_ipsec.ShimFunctions.pCleanupRoutine) {
  295. (g_ipsec.ShimFunctions.pCleanupRoutine)();
  296. }
  298. //
  299. // Wait for all timers to clear before going further
  300. //
  301. while (IPSEC_GET_VALUE(g_ipsec.NumTimers) != 0) {
  302. IPSEC_DELAY_EXECUTION();
  303. }
  305. //
  306. // Cleanup any larval SAs
  307. //
  308. AcquireWriteLock(&g_ipsec.SADBLock, &kIrql);
  309. ACQUIRE_LOCK(&g_ipsec.AcquireInfo.Lock, &OldIrq);
  310. IPSecFlushLarvalSAList();
  311. IPSecFlushSAExpirations();
  312. RELEASE_LOCK(&g_ipsec.AcquireInfo.Lock, OldIrq);
  313. ReleaseWriteLock(&g_ipsec.SADBLock, kIrql);
  315. //
  316. // Free the SA Table.
  317. //
  318. status = IPSecFreeConfig();
  320. if (!NT_SUCCESS (status)) {
  321. IPSEC_DEBUG(LL_A, DBF_LOAD, ("Failed to free config: %lx", status));
  322. }
  324. //
  325. // Free the MDL pools and run down all buffered packets.
  326. //
  327. status = IPSecQuiesce();
  329. if (!NT_SUCCESS (status)) {
  330. IPSEC_DEBUG(LL_A, DBF_LOAD, ("Failed to reach quiescent state: %lx", status));
  331. }
  333. AcquireWriteLock(&g_ipsec.SADBLock, &kIrql);
  334. ASSERT (gpParserIfEntry == NULL);
  335. FlushAllParserEntries();
  336. ReleaseWriteLock(&g_ipsec.SADBLock, kIrql);
  338. //
  339. // Destroy timer structures
  340. //
  341. ACQUIRE_LOCK(&g_ipsec.TimerLock, &kIrql);
  343. for (class = 0; class < IPSEC_CLASS_MAX; class++) {
  344. ASSERT(g_ipsec.TimerList[class].TimerCount == 0);
  345. IPSecFreeMemory(g_ipsec.TimerList[class].pTimers);
  346. }
  348. RELEASE_LOCK(&g_ipsec.TimerLock, kIrql);
  350. IPSecCryptoDeinitialize();
  352. #if GPC
  353. IPSecGpcDeinitialize();
  354. #endif
  356. RtlInitUnicodeString(&IPSecLinkName, DD_IPSEC_SYM_NAME);
  358. IoDeleteSymbolicLink(&IPSecLinkName);
  360. WPP_CLEANUP(DriverObject);
  362. IoDeleteDevice(DriverObject->DeviceObject);
  364. IPSEC_DEBUG(LL_A, DBF_LOAD, ("Exiting IPSecUnload"));
  365. }
  368. NTSTATUS
  369. IPSecDispatch(
  370. IN PDEVICE_OBJECT DeviceObject,
  371. IN PIRP Irp
  372. )
  373. /*++
  374. Routine Description:
  376. Dispatch Routine for the driver. Gets the current irp stack location, validates
  377. the parameters and routes the calls
  379. Arguments:
  381. DeviceObject
  382. Irp
  384. Return Value:
  386. Status as returned by the worker functions
  388. --*/
  389. {
  390. PIO_STACK_LOCATION irpStack;
  391. PVOID pvIoBuffer;
  392. LONG inputBufferLength;
  393. LONG outputBufferLength;
  394. ULONG ioControlCode;
  395. NTSTATUS status = STATUS_SUCCESS;
  396. LONG dwSize = 0;
  398. PAGED_CODE();
  400. IPSEC_DEBUG(LL_A, DBF_IOCTL, ("Entering IPSecDispath"));
  402. Irp->IoStatus.Status = status;
  403. Irp->IoStatus.Information = 0;
  405. //
  406. // Get a pointer to the current location in the Irp. This is where
  407. // the function codes and parameters are located.
  408. //
  409. irpStack = IoGetCurrentIrpStackLocation(Irp);
  411. //
  412. // Get the pointer to the input/output buffer and its length.
  413. //
  414. pvIoBuffer = Irp->AssociatedIrp.SystemBuffer;
  415. inputBufferLength = irpStack->Parameters.DeviceIoControl.InputBufferLength;
  416. outputBufferLength = irpStack->Parameters.DeviceIoControl.OutputBufferLength;
  418. switch (irpStack->MajorFunction) {
  419. case IRP_MJ_CREATE: {
  420. IPSEC_DEBUG(LL_A, DBF_IOCTL, ("IRP_MJ_CREATE"));
  421. break;
  422. }
  424. case IRP_MJ_CLOSE: {
  425. IPSEC_DEBUG(LL_A, DBF_IOCTL, ("IRP_MJ_CLOSE"));
  426. break;
  427. }
  429. case IRP_MJ_DEVICE_CONTROL: {
  430. ioControlCode = irpStack->Parameters.DeviceIoControl.IoControlCode;
  432. IPSEC_DEBUG(LL_A, DBF_IOCTL, ("IRP_MJ_DEVICE_CONTROL: %lx", ioControlCode));
  434. if (ioControlCode != IOCTL_IPSEC_SET_TCPIP_STATUS) {
  435. if (IPSEC_DRIVER_IS_INACTIVE()) {
  436. status = STATUS_INVALID_DEVICE_STATE;
  437. break;
  438. }
  440. if (!IPSecCryptoInitialize()) {
  441. status = STATUS_CRYPTO_SYSTEM_INVALID;
  442. break;
  443. }
  444. }
  446. IPSEC_INCREMENT(g_ipsec.NumIoctls);
  448. switch (ioControlCode) {
  449. case IOCTL_IPSEC_ADD_FILTER: {
  450. PIPSEC_ADD_FILTER pAddFilter = (PIPSEC_ADD_FILTER)pvIoBuffer;
  452. IPSEC_DEBUG(LL_A, DBF_IOCTL, ("IOCTL_IPSEC_ADD_FILTER"));
  454. dwSize = sizeof(IPSEC_ADD_FILTER);
  456. if (inputBufferLength < dwSize) {
  457. status = STATUS_BUFFER_TOO_SMALL;
  458. break;
  459. }
  461. //
  462. // Check the size of the entry
  463. //
  464. if (pAddFilter->NumEntries == 0) {
  465. status = STATUS_SUCCESS;
  466. } else {
  467. dwSize = FIELD_OFFSET(IPSEC_ADD_FILTER, pInfo[0]) +
  468. pAddFilter->NumEntries * sizeof(IPSEC_FILTER_INFO);
  470. if (dwSize < FIELD_OFFSET(IPSEC_ADD_FILTER, pInfo[0]) ||
  471. inputBufferLength < dwSize) {
  472. status = STATUS_BUFFER_TOO_SMALL;
  473. IPSEC_DEBUG(LL_A, DBF_IOCTL, ("returning: %lx", status));
  474. break;
  475. }
  476. status = IPSecAddFilter(pAddFilter);
  477. }
  479. break;
  480. }
  482. case IOCTL_IPSEC_DELETE_FILTER: {
  483. PIPSEC_DELETE_FILTER pDelFilter = (PIPSEC_DELETE_FILTER)pvIoBuffer;
  485. IPSEC_DEBUG(LL_A, DBF_IOCTL, ("IOCTL_IPSEC_DELETE_FILTER"));
  487. dwSize = sizeof(IPSEC_DELETE_FILTER);
  489. if (inputBufferLength < dwSize) {
  490. status = STATUS_BUFFER_TOO_SMALL;
  491. break;
  492. }
  494. //
  495. // Check the size of the entry
  496. //
  497. if (pDelFilter->NumEntries == 0) {
  498. status = STATUS_SUCCESS;
  499. } else {
  500. dwSize = FIELD_OFFSET(IPSEC_DELETE_FILTER, pInfo[0]) +
  501. pDelFilter->NumEntries * sizeof(IPSEC_FILTER_INFO);
  503. if (dwSize < FIELD_OFFSET(IPSEC_DELETE_FILTER, pInfo[0]) ||
  504. inputBufferLength < dwSize) {
  505. status = STATUS_BUFFER_TOO_SMALL;
  506. break;
  507. }
  509. status = IPSecDeleteFilter(pDelFilter);
  510. }
  512. break;
  513. }
  515. case IOCTL_IPSEC_ENUM_SAS: {
  517. IPSEC_DEBUG(LL_A, DBF_IOCTL, ("IOCTL_IPSEC_ENUM_SAS"));
  518. dwSize = sizeof(IPSEC_ENUM_SAS);
  520. //
  521. // Output/Input in the same buffer at MdlAddress
  522. //
  523. // This functions accesses Irp->MdlAddress
  524. // and checks if it is NULL too.
  526. status = IPSecEnumSAs(Irp, &dwSize);
  527. break;
  528. }
  530. case IOCTL_IPSEC_ENUM_FILTERS: {
  531. IPSEC_DEBUG(LL_A, DBF_IOCTL, ("IOCTL_IPSEC_ENUM_FILTERS"));
  532. dwSize = sizeof(IPSEC_ENUM_FILTERS);
  534. //
  535. // Output/Input in the same buffer at MdlAddress
  536. //
  537. // This functions accesses Irp->MdlAddress
  538. // and checks if it is NULL too.
  540. status = IPSecEnumFilters(Irp, &dwSize);
  541. break;
  542. }
  544. case IOCTL_IPSEC_QUERY_STATS: {
  545. //
  546. // The minimum size is without any Keys
  547. //
  548. IPSEC_DEBUG(LL_A, DBF_IOCTL, ("IOCTL_IPSEC_QUERY_STATS"));
  549. dwSize = sizeof(IPSEC_QUERY_STATS);
  551. if (outputBufferLength < dwSize) {
  552. status = STATUS_BUFFER_TOO_SMALL;
  553. break;
  554. }
  556. *((PIPSEC_QUERY_STATS)pvIoBuffer) = g_ipsec.Statistics;
  558. status = STATUS_SUCCESS;
  559. break;
  560. }
  562. case IOCTL_IPSEC_ADD_SA: {
  563. //
  564. // Adds the SA to the relevant database.
  565. // Typically used to add outbound SAs to the DB.
  566. //
  567. IPSEC_DEBUG(LL_A, DBF_IOCTL, ("IOCTL_IPSEC_ADD_SA"));
  569. //
  570. // The minimum size is without any Keys
  571. //
  572. dwSize = IPSEC_ADD_SA_NO_KEY_SIZE;
  574. if (inputBufferLength < dwSize) {
  575. status = STATUS_BUFFER_TOO_SMALL;
  576. break;
  577. }
  579. status = IPSecAddSA((PIPSEC_ADD_SA)pvIoBuffer, inputBufferLength);
  581. ASSERT(status != STATUS_PENDING);
  583. if (outputBufferLength >= sizeof(NTSTATUS)) {
  584. (*(NTSTATUS *)pvIoBuffer) = status;
  585. dwSize = sizeof(NTSTATUS);
  586. } else {
  587. dwSize = 0;
  588. }
  590. status = STATUS_SUCCESS;
  591. break;
  592. }
  594. case IOCTL_IPSEC_UPDATE_SA: {
  595. //
  596. // This completes the negotiation kicked off via the Acquire.
  597. //
  598. // Adds the SA to the relevant database.
  599. // Typically used to complete inbound SA acquisitions.
  600. //
  601. IPSEC_DEBUG(LL_A, DBF_IOCTL, ("IOCTL_IPSEC_UPDATE_SA"));
  603. //
  604. // The minimum size is without any Keys
  605. //
  606. dwSize = IPSEC_UPDATE_SA_NO_KEY_SIZE;
  607. if (inputBufferLength < dwSize) {
  608. status = STATUS_BUFFER_TOO_SMALL;
  609. break;
  610. }
  612. status = IPSecUpdateSA((PIPSEC_UPDATE_SA)pvIoBuffer, inputBufferLength);
  614. ASSERT(status != STATUS_PENDING);
  616. if (outputBufferLength >= sizeof(NTSTATUS)) {
  617. (*(NTSTATUS *)pvIoBuffer)=status;
  618. dwSize = sizeof(NTSTATUS);
  619. } else {
  620. dwSize = 0;
  621. }
  623. status = STATUS_SUCCESS;
  624. break;
  625. }
  627. case IOCTL_IPSEC_EXPIRE_SA: {
  628. //
  629. // Deref the particular SA - delete when ref cnt drops to 0.
  630. //
  631. IPSEC_DEBUG(LL_A, DBF_IOCTL, ("IOCTL_IPSEC_EXPIRE_SA"));
  633. dwSize = sizeof(IPSEC_EXPIRE_SA);
  634. if (inputBufferLength < dwSize) {
  635. status = STATUS_BUFFER_TOO_SMALL;
  636. break;
  637. }
  639. status = IPSecExpireSA((PIPSEC_EXPIRE_SA)pvIoBuffer);
  640. break;
  641. }
  643. case IOCTL_IPSEC_GET_SPI: {
  644. //
  645. // returns the SPI for an inbound SA
  646. //
  647. IPSEC_DEBUG(LL_A, DBF_IOCTL, ("IOCTL_IPSEC_GET_SPI"));
  649. dwSize = sizeof(IPSEC_GET_SPI);
  650. if (outputBufferLength < dwSize) {
  651. status = STATUS_BUFFER_TOO_SMALL;
  652. break;
  653. }
  655. status = IPSecGetSPI((PIPSEC_GET_SPI)pvIoBuffer);
  656. break;
  657. }
  659. case IOCTL_IPSEC_POST_FOR_ACQUIRE_SA: {
  660. //
  661. // The SAAPI client posts a request that we complete when
  662. // an SA needs to be initialized or updated (due to
  663. // re-key).
  664. // We keep the Irp around until we need an SA to be
  665. // negotiated.
  666. //
  667. IPSEC_DEBUG(LL_A, DBF_IOCTL, ("IPSEC_POST_FOR_ACQUIRE_SA"));
  669. dwSize = sizeof(IPSEC_POST_FOR_ACQUIRE_SA);
  670. if (outputBufferLength < dwSize) {
  671. IPSEC_DEBUG(LL_A, DBF_IOCTL, ("IPSEC_POST_FOR_ACQUIRE_SA: bad size: dwSize: %lx, input: %lx",
  672. dwSize, inputBufferLength));
  674. status = STATUS_BUFFER_TOO_SMALL;
  675. break;
  676. }
  678. Irp->IoStatus.Status = STATUS_PENDING;
  680. status = IPSecHandleAcquireRequest( Irp,
  681. (PIPSEC_POST_FOR_ACQUIRE_SA)pvIoBuffer);
  683. if (status == STATUS_PENDING) {
  684. IPSEC_DECREMENT(g_ipsec.NumIoctls);
  685. return status;
  686. }
  688. break;
  689. }
  691. case IOCTL_IPSEC_QUERY_EXPORT: {
  692. //
  693. // Queries whether the driver is built for export. Used by the IPSEC components
  694. // to decide what key lengths to use for encryption.
  695. //
  696. IPSEC_DEBUG(LL_A, DBF_IOCTL, ("IPSEC_QUERY_EXPORT"));
  698. dwSize = sizeof(IPSEC_QUERY_EXPORT);
  699. if (outputBufferLength < dwSize) {
  700. IPSEC_DEBUG(LL_A, DBF_IOCTL, ("IPSEC_QUERY_EXPORT: bad size: dwSize: %lx, input: %lx",
  701. dwSize, inputBufferLength));
  702. status = STATUS_BUFFER_TOO_SMALL;
  703. break;
  704. }
  706. ((PIPSEC_QUERY_EXPORT)pvIoBuffer)->Export = FALSE;
  708. status = STATUS_SUCCESS;
  709. break;
  710. }
  712. case IOCTL_IPSEC_QUERY_SPI: {
  713. IPSEC_DEBUG(LL_A, DBF_IOCTL, ("Entered Query SPI"));
  715. dwSize = sizeof(IPSEC_QUERY_SPI);
  716. if (inputBufferLength < dwSize) {
  717. IPSEC_DEBUG(LL_A, DBF_IOCTL, ("IPSEC_QUERY_SPI: bad size: dwSize: %lx, input: %lx",
  718. dwSize, inputBufferLength));
  719. status = STATUS_BUFFER_TOO_SMALL;
  720. break;
  721. }
  723. status = IPSecQuerySpi((PIPSEC_QUERY_SPI)pvIoBuffer);
  724. break;
  725. }
  727. case IOCTL_IPSEC_DELETE_SA: {
  728. IPSEC_DEBUG(LL_A, DBF_IOCTL, ("Entered Delete SA"));
  730. dwSize = sizeof(IPSEC_DELETE_SA);
  731. if (inputBufferLength < dwSize) {
  732. IPSEC_DEBUG(LL_A, DBF_IOCTL, ("IPSEC_DELETE_SA: bad size: dwSize: %lx, input: %lx",
  733. dwSize, inputBufferLength));
  734. status = STATUS_BUFFER_TOO_SMALL;
  735. break;
  736. }
  738. status = IPSecDeleteSA((PIPSEC_DELETE_SA)pvIoBuffer);
  739. break;
  740. }
  742. case IOCTL_IPSEC_SET_OPERATION_MODE: {
  743. OPERATION_MODE LastMode = g_ipsec.OperationMode;
  744. IPSEC_DEBUG(LL_A, DBF_IOCTL, ("Entered Set Operation Mode"));
  746. dwSize = sizeof(IPSEC_SET_OPERATION_MODE);
  747. if (inputBufferLength < dwSize) {
  748. IPSEC_DEBUG(LL_A, DBF_IOCTL, ("IPSEC_SET_OPERATION_MODE: bad size: dwSize: %lx, input: %lx",
  749. dwSize, inputBufferLength));
  750. status = STATUS_BUFFER_TOO_SMALL;
  751. break;
  752. }
  754. status = IPSecSetOperationMode((PIPSEC_SET_OPERATION_MODE)pvIoBuffer);
  755. if (IPSEC_BOOTTIME_STATEFUL_MODE == LastMode)
  756. {
  757. LARGE_INTEGER CurTime;
  758. LARGE_INTEGER Delta;
  759. NdisGetCurrentSystemTime(&CurTime);
  760. IPSecCleanupBoottimeStatefulStructs();
  761. Delta = RtlLargeIntegerSubtract(CurTime,g_ipsec.StartTimeDelta);
  762. IPSEC_DEBUG(LL_A,DBF_BOOTTIME,("Delta %d %d",Delta.HighPart,Delta.LowPart));
  764. }
  766. break;
  767. }
  770. case IOCTL_IPSEC_GET_OPERATION_MODE: {
  771. OPERATION_MODE CurrentMode = g_ipsec.OperationMode;
  772. dwSize = sizeof(IPSEC_GET_OPERATION_MODE);
  773. if (outputBufferLength< dwSize) {
  774. IPSEC_DEBUG(LL_A, DBF_IOCTL, ("IPSEC_SET_OPERATION_MODE: bad size: dwSize: %lx, input: %lx",
  775. dwSize, inputBufferLength));
  776. status = STATUS_BUFFER_TOO_SMALL;
  777. break;
  778. }
  779. ((PIPSEC_SET_OPERATION_MODE)pvIoBuffer)->OperationMode = CurrentMode;
  780. break;
  781. }
  784. case IOCTL_IPSEC_SET_DIAGNOSTIC_MODE: {
  785. DWORD Mode;
  786. DWORD LogInterval;
  787. // Initialize the return status
  788. status = STATUS_SUCCESS;
  789. dwSize = sizeof (IPSEC_SET_DIAGNOSTIC_MODE);
  790. // Check Input Buffer Length
  791. if (inputBufferLength < dwSize) {
  792. IPSEC_DEBUG(LL_A, DBF_IOCTL, ("IPSEC_SET_DIAGNOSTIC_MODE : bad size: dwSize : %lx, input %lx",
  793. dwSize, inputBufferLength));
  794. status = STATUS_BUFFER_TOO_SMALL;
  795. break;
  796. }
  797. // Get the input Parameters
  798. Mode = ((PIPSEC_SET_DIAGNOSTIC_MODE)pvIoBuffer)->Mode;
  799. LogInterval = ((PIPSEC_SET_DIAGNOSTIC_MODE)pvIoBuffer)->LogInterval;
  801. // Validate the diagnostic mode : Fail IOCTL if invalid
  802. if (Mode > IPSEC_DIAGNOSTIC_MAX ){
  803. status = STATUS_INVALID_PARAMETER;
  804. break;
  805. }
  806. // Set the Diagnostic Mode
  807. g_ipsec.DiagnosticMode = Mode;
  809. // If LogInterval = 0 then dont change log interval
  810. if ( IPSEC_NOCHANGE_LOG_INTERVAL == LogInterval){
  811. break;
  812. }
  813. // Default to MIN and MAX limits
  814. if (IPSEC_MIN_LOG_INTERVAL > LogInterval ){
  815. LogInterval = IPSEC_MIN_LOG_INTERVAL;
  816. }
  817. if (IPSEC_MAX_LOG_INTERVAL < LogInterval ){
  818. LogInterval = IPSEC_MAX_LOG_INTERVAL;
  819. }
  820. // Set the Log Interval
  821. g_ipsec.LogInterval = LogInterval;
  822. break;
  823. }
  828. case IOCTL_IPSEC_SET_TCPIP_STATUS: {
  829. IPSEC_DEBUG(LL_A, DBF_IOCTL, ("Entered Set Tcpip Status"));
  831. if (Irp->RequestorMode != KernelMode) {
  832. status = STATUS_ACCESS_DENIED;
  833. break;
  834. }
  836. dwSize = sizeof(IPSEC_SET_TCPIP_STATUS);
  837. if (inputBufferLength < dwSize) {
  838. IPSEC_DEBUG(LL_A, DBF_IOCTL, ("IPSEC_SET_TCPIP_STATUS: bad size: dwSize: %lx, input: %lx",
  839. dwSize, inputBufferLength));
  840. status = STATUS_BUFFER_TOO_SMALL;
  841. break;
  842. }
  844. status = IPSecSetTcpipStatus((PIPSEC_SET_TCPIP_STATUS)pvIoBuffer);
  846. break;
  847. }
  849. case IOCTL_IPSEC_REGISTER_PROTOCOL: {
  851. dwSize = sizeof(IPSEC_REGISTER_PROTOCOL);
  852. if (inputBufferLength < dwSize) {
  853. status = STATUS_BUFFER_TOO_SMALL;
  854. break;
  855. }
  857. status = IPSecRegisterProtocols(
  858. (PIPSEC_REGISTER_PROTOCOL) pvIoBuffer
  859. );
  860. break;
  861. }
  863. default: {
  865. status = STATUS_INVALID_PARAMETER;
  866. break;
  867. }
  868. }
  870. IPSEC_DECREMENT(g_ipsec.NumIoctls);
  872. break ;
  873. }
  875. default: {
  876. IPSEC_DEBUG(LL_A, DBF_IOCTL, ("IPSEC: unknown IRP_MJ_XXX: %lx", irpStack->MajorFunction));
  877. status = STATUS_INVALID_PARAMETER;
  878. break;
  879. }
  880. }
  882. ASSERT(status != STATUS_PENDING);
  883. ASSERT(KeGetCurrentIrql() <= APC_LEVEL);
  885. Irp->IoStatus.Status = status;
  886. Irp->IoStatus.Information = MIN(dwSize, outputBufferLength);
  888. IoCompleteRequest(Irp, IO_NO_INCREMENT);
  890. IPSEC_DEBUG(LL_A, DBF_IOCTL, ("Exiting IPSecDispath"));
  892. return status;
  893. }
  896. NTSTATUS
  897. IPSecBindToIP()
  898. /*++
  900. Routine Description:
  902. This bind exchanges a number of entrypoints with IP so that
  904. - packets relevant to IPSEC can be handed over from the IP driver.
  905. - buffered packets can be flushed.
  906. - SA Table indices can be plumbed.
  907. - ....
  909. Arguments:
  911. NONE
  913. Return Value:
  915. The function value is the final status from the bind operation.
  917. --*/
  918. {
  919. NTSTATUS status;
  920. IPSEC_FUNCTIONS ipsecFns;
  922. PAGED_CODE();
  924. IPSEC_DEBUG(LL_A, DBF_LOAD, ("Entering IPSecBindToIP"));
  926. ipsecFns.Version = IP_IPSEC_BIND_VERSION;
  927. ipsecFns.IPSecHandler = IPSecHandlePacket;
  928. ipsecFns.IPSecQStatus = IPSecQueryStatus;
  929. ipsecFns.IPSecSendCmplt = IPSecSendComplete;
  930. ipsecFns.IPSecNdisStatus = IPSecNdisStatus;
  931. ipsecFns.IPSecRcvFWPacket = IPSecRcvFWPacket;
  933. status = TCPIP_SET_IPSEC(&ipsecFns);
  935. if (status != IP_SUCCESS) {
  936. IPSEC_DEBUG(LL_A, DBF_LOAD, ("Failed to bind to IP: %lx", status));
  937. } else {
  938. IPSEC_DRIVER_BOUND() = TRUE;
  939. IPSEC_DRIVER_SEND_BOUND() = TRUE;
  940. }
  942. IPSEC_DEBUG(LL_A, DBF_LOAD, ("Exiting IPSecBindToIP"));
  944. return status;
  945. }
  948. NTSTATUS
  949. IPSecUnbindFromIP()
  950. /*++
  952. Routine Description:
  954. This unbinds from the Filter Driver
  956. Arguments:
  958. NONE
  960. Return Value:
  962. The function value is the final status from the bind operation.
  964. --*/
  965. {
  966. NTSTATUS status;
  967. IPSEC_FUNCTIONS ipsecFns={0};
  969. PAGED_CODE();
  971. IPSEC_DEBUG(LL_A, DBF_LOAD, ("Entering IPSecUnbindFromIP"));
  973. ipsecFns.Version = IP_IPSEC_BIND_VERSION;
  975. status = TCPIP_UNSET_IPSEC(&ipsecFns);
  977. if (status != IP_SUCCESS) {
  978. IPSEC_DEBUG(LL_A, DBF_LOAD, ("Failed to bind to IP: %lx", status));
  979. } else {
  980. IPSEC_DRIVER_BOUND() = FALSE;
  981. }
  983. IPSEC_DEBUG(LL_A, DBF_LOAD, ("Exiting IPSecUnbindFromIP"));
  985. return status;
  986. }
  989. NTSTATUS
  990. IPSecUnbindSendFromIP()
  991. /*++
  993. Routine Description:
  995. Unbinds just the send handler from IP
  997. Arguments:
  999. NONE
  1001. Return Value:
  1003. The function value is the final status from the bind operation.
  1005. --*/
  1006. {
  1007. NTSTATUS status;
  1008. IPSEC_FUNCTIONS ipsecFns={0};
  1010. PAGED_CODE();
  1012. IPSEC_DEBUG(LL_A, DBF_LOAD, ("Entering IPSecUnbindSendFromIP"));
  1014. ipsecFns.Version = IP_IPSEC_BIND_VERSION;
  1016. status = TCPIP_UNSET_IPSEC_SEND(&ipsecFns);
  1018. if (status != IP_SUCCESS) {
  1019. IPSEC_DEBUG(LL_A, DBF_LOAD, ("Failed to bind to IP: %lx", status));
  1020. } else {
  1021. IPSEC_DRIVER_SEND_BOUND() = FALSE;
  1022. }
  1024. IPSEC_DEBUG(LL_A, DBF_LOAD, ("Exiting IPSecUnbindSendFromIP"));
  1026. return status;
  1027. }
  1030. NTSTATUS
  1031. OpenRegKey(
  1032. PHANDLE HandlePtr,
  1033. PWCHAR KeyName
  1034. )
  1035. /*++
  1037. Routine Description:
  1039. Opens a Registry key and returns a handle to it.
  1041. Arguments:
  1043. HandlePtr - The varible into which to write the opened handle.
  1044. KeyName - The name of the Registry key to open.
  1046. Return Value:
  1048. STATUS_SUCCESS or an appropriate failure code.
  1050. --*/
  1051. {
  1052. NTSTATUS Status;
  1053. OBJECT_ATTRIBUTES ObjectAttributes;
  1054. UNICODE_STRING UKeyName;
  1056. PAGED_CODE();
  1058. RtlInitUnicodeString(&UKeyName, KeyName);
  1060. memset(&ObjectAttributes, 0, sizeof(OBJECT_ATTRIBUTES));
  1061. InitializeObjectAttributes(&ObjectAttributes,
  1062. &UKeyName,
  1063. OBJ_CASE_INSENSITIVE,
  1064. NULL,
  1065. NULL);
  1067. Status = ZwOpenKey(HandlePtr,
  1068. KEY_READ,
  1069. &ObjectAttributes);
  1071. return Status;
  1072. }
  1075. NTSTATUS
  1076. GetRegDWORDValue(
  1077. HANDLE KeyHandle,
  1078. PWCHAR ValueName,
  1079. PULONG ValueData
  1080. )
  1081. /*++
  1083. Routine Description:
  1085. Reads a REG_DWORD value from the registry into the supplied variable.
  1087. Arguments:
  1089. KeyHandle - Open handle to the parent key of the value to read.
  1090. ValueName - The name of the value to read.
  1091. ValueData - The variable into which to read the data.
  1093. Return Value:
  1095. STATUS_SUCCESS or an appropriate failure code.
  1097. --*/
  1098. {
  1099. NTSTATUS status;
  1100. ULONG resultLength;
  1101. PKEY_VALUE_FULL_INFORMATION keyValueFullInformation;
  1102. UCHAR keybuf[WORK_BUFFER_SIZE];
  1103. UNICODE_STRING UValueName;
  1105. PAGED_CODE();
  1107. RtlInitUnicodeString(&UValueName, ValueName);
  1109. keyValueFullInformation = (PKEY_VALUE_FULL_INFORMATION)keybuf;
  1110. RtlZeroMemory(keyValueFullInformation, sizeof(keyValueFullInformation));
  1113. status = ZwQueryValueKey(KeyHandle,
  1114. &UValueName,
  1115. KeyValueFullInformation,
  1116. keyValueFullInformation,
  1117. WORK_BUFFER_SIZE,
  1118. &resultLength);
  1120. if (NT_SUCCESS(status)) {
  1121. if (keyValueFullInformation->Type != REG_DWORD) {
  1122. status = STATUS_INVALID_PARAMETER_MIX;
  1123. } else {
  1124. *ValueData = *((ULONG UNALIGNED *)((PCHAR)keyValueFullInformation +
  1125. keyValueFullInformation->DataOffset));
  1126. }
  1127. }
  1129. return status;
  1130. }
  1133. NTSTATUS
  1134. GetRegStringValue(
  1135. HANDLE KeyHandle,
  1136. PWCHAR ValueName,
  1137. PKEY_VALUE_PARTIAL_INFORMATION *ValueData,
  1138. PUSHORT ValueSize
  1139. )
  1141. /*++
  1143. Routine Description:
  1145. Reads a REG_*_SZ string value from the Registry into the supplied
  1146. key value buffer. If the buffer string buffer is not large enough,
  1147. it is reallocated.
  1149. Arguments:
  1151. KeyHandle - Open handle to the parent key of the value to read.
  1152. ValueName - The name of the value to read.
  1153. ValueData - Destination for the read data.
  1154. ValueSize - Size of the ValueData buffer. Updated on output.
  1156. Return Value:
  1158. STATUS_SUCCESS or an appropriate failure code.
  1160. --*/
  1161. {
  1162. NTSTATUS status;
  1163. ULONG resultLength;
  1164. UNICODE_STRING UValueName;
  1167. PAGED_CODE();
  1169. RtlInitUnicodeString(&UValueName, ValueName);
  1171. status = ZwQueryValueKey(
  1172. KeyHandle,
  1173. &UValueName,
  1174. KeyValuePartialInformation,
  1175. *ValueData,
  1176. (ULONG) *ValueSize,
  1177. &resultLength
  1178. );
  1180. if ( (status == STATUS_BUFFER_OVERFLOW) ||
  1181. (status == STATUS_BUFFER_TOO_SMALL)
  1182. )
  1183. {
  1184. PVOID temp;
  1186. //
  1187. // Free the old buffer and allocate a new one of the
  1188. // appropriate size.
  1189. //
  1191. ASSERT(resultLength > (ULONG) *ValueSize);
  1193. if (resultLength <= 0xFFFF) {
  1195. temp = IPSecAllocateMemory(resultLength, IPSEC_TAG_IOCTL);
  1197. if (temp != NULL) {
  1199. if (*ValueData != NULL) {
  1200. IPSecFreeMemory(*ValueData);
  1201. }
  1203. *ValueData = temp;
  1204. *ValueSize = (USHORT) resultLength;
  1206. status = ZwQueryValueKey(KeyHandle,
  1207. &UValueName,
  1208. KeyValuePartialInformation,
  1209. *ValueData,
  1210. *ValueSize,
  1211. &resultLength
  1212. );
  1214. ASSERT( (status != STATUS_BUFFER_OVERFLOW) &&
  1215. (status != STATUS_BUFFER_TOO_SMALL)
  1216. );
  1217. }
  1218. else {
  1219. status = STATUS_INSUFFICIENT_RESOURCES;
  1220. }
  1221. }
  1222. else {
  1223. status = STATUS_BUFFER_TOO_SMALL;
  1224. }
  1225. }
  1227. return status;
  1228. }
  1230. NTSTATUS
  1231. GetRegBinaryValue(
  1232. HANDLE KeyHandle,
  1233. PWCHAR ValueName,
  1234. PKEY_VALUE_PARTIAL_INFORMATION *ValueData,
  1235. PUSHORT ValueSize
  1236. )
  1238. /*++
  1240. Routine Description:
  1242. Reads a binary from the Registry into the supplied
  1243. key value buffer. If the buffer is not large enough,
  1244. it is reallocated.
  1246. Arguments:
  1248. KeyHandle - Open handle to the parent key of the value to read.
  1249. ValueName - The name of the value to read.
  1250. ValueData - Destination for the read data.
  1251. ValueSize - Size of the ValueData buffer. Updated on output.
  1253. Return Value:
  1255. STATUS_SUCCESS or an appropriate failure code.
  1257. --*/
  1258. {
  1259. NTSTATUS status;
  1260. ULONG resultLength;
  1261. UNICODE_STRING UValueName;
  1264. PAGED_CODE();
  1266. RtlInitUnicodeString(&UValueName, ValueName);
  1268. status = ZwQueryValueKey(
  1269. KeyHandle,
  1270. &UValueName,
  1271. KeyValuePartialInformation,
  1272. *ValueData,
  1273. (ULONG) *ValueSize,
  1274. &resultLength
  1275. );
  1277. if ( (status == STATUS_BUFFER_OVERFLOW) ||
  1278. (status == STATUS_BUFFER_TOO_SMALL)
  1279. )
  1280. {
  1281. PVOID temp;
  1283. //
  1284. // Free the old buffer and allocate a new one of the
  1285. // appropriate size.
  1286. //
  1288. ASSERT(resultLength > (ULONG) *ValueSize);
  1290. if (resultLength <= 0xFFFF) {
  1292. temp = IPSecAllocateMemory(resultLength, IPSEC_TAG_IOCTL);
  1294. if (temp != NULL) {
  1296. if (*ValueData != NULL) {
  1297. IPSecFreeMemory(*ValueData);
  1298. }
  1300. *ValueData = temp;
  1301. *ValueSize = (USHORT) resultLength;
  1303. status = ZwQueryValueKey(KeyHandle,
  1304. &UValueName,
  1305. KeyValuePartialInformation,
  1306. *ValueData,
  1307. *ValueSize,
  1308. &resultLength
  1309. );
  1311. ASSERT( (status != STATUS_BUFFER_OVERFLOW) &&
  1312. (status != STATUS_BUFFER_TOO_SMALL)
  1313. );
  1314. }
  1315. else {
  1316. status = STATUS_INSUFFICIENT_RESOURCES;
  1317. }
  1318. }
  1319. else {
  1320. status = STATUS_BUFFER_TOO_SMALL;
  1321. }
  1322. }
  1324. return status;
  1325. }
  1331. NTSTATUS
  1332. GetRegMultiSZValue(
  1333. HANDLE KeyHandle,
  1334. PWCHAR ValueName,
  1335. PUNICODE_STRING ValueData
  1336. )
  1338. /*++
  1340. Routine Description:
  1342. Reads a REG_MULTI_SZ string value from the Registry into the supplied
  1343. Unicode string. If the Unicode string buffer is not large enough,
  1344. it is reallocated.
  1346. Arguments:
  1348. KeyHandle - Open handle to the parent key of the value to read.
  1349. ValueName - The name of the value to read.
  1350. ValueData - Destination Unicode string for the value data.
  1352. Return Value:
  1354. STATUS_SUCCESS or an appropriate failure code.
  1356. --*/
  1357. {
  1358. NTSTATUS status;
  1359. ULONG resultLength;
  1360. PKEY_VALUE_PARTIAL_INFORMATION keyValuePartialInformation;
  1361. UNICODE_STRING UValueName;
  1364. PAGED_CODE();
  1366. ValueData->Length = 0;
  1368. status = GetRegStringValue(
  1369. KeyHandle,
  1370. ValueName,
  1371. (PKEY_VALUE_PARTIAL_INFORMATION *) &(ValueData->Buffer),
  1372. &(ValueData->MaximumLength)
  1373. );
  1375. if (NT_SUCCESS(status)) {
  1377. keyValuePartialInformation =
  1378. (PKEY_VALUE_PARTIAL_INFORMATION) ValueData->Buffer;
  1380. if (keyValuePartialInformation->Type == REG_MULTI_SZ) {
  1382. ValueData->Length = (USHORT)
  1383. keyValuePartialInformation->DataLength;
  1385. RtlCopyMemory(
  1386. ValueData->Buffer,
  1387. &(keyValuePartialInformation->Data),
  1388. ValueData->Length
  1389. );
  1390. }
  1391. else {
  1392. status = STATUS_INVALID_PARAMETER_MIX;
  1393. }
  1394. }
  1396. return status;
  1398. } // GetRegMultiSZValue
  1401. VOID
  1402. IPSecReadRegistry()
  1403. /*++
  1405. Routine Description:
  1407. Reads config info from registry into g_ipsec
  1409. Arguments:
  1412. Return Value:
  1414. status of the read.
  1416. --*/
  1417. {
  1418. NTSTATUS status;
  1419. HANDLE hRegKey;
  1420. WCHAR IPSecParametersRegistryKey[] = IPSEC_REG_KEY;
  1421. BOOLEAN isAs = MmIsThisAnNtAsSystem();
  1423. g_ipsec.EnableOffload = IPSEC_DEFAULT_ENABLE_OFFLOAD;
  1424. g_ipsec.DefaultSAIdleTime = IPSEC_DEFAULT_SA_IDLE_TIME;
  1425. g_ipsec.LogInterval = IPSEC_DEFAULT_LOG_INTERVAL;
  1426. g_ipsec.EventQueueSize = IPSEC_DEFAULT_EVENT_QUEUE_SIZE;
  1427. g_ipsec.RekeyTime = IPSEC_DEFAULT_REKEY;
  1428. g_ipsec.NoDefaultExempt = IPSEC_DEFAULT_NO_DEFAULT_EXEMPT;
  1429. g_ipsec.OperationMode = IPSEC_BLOCK_MODE;
  1430. g_ipsec.DiagnosticMode = IPSEC_DEFAULT_ENABLE_DIAGNOSTICS;
  1432. if (isAs) {
  1433. g_ipsec.CacheSize = IPSEC_DEFAULT_AS_CACHE_SIZE;
  1434. g_ipsec.SAHashSize = IPSEC_DEFAULT_AS_SA_HASH_SIZE;
  1435. } else {
  1436. g_ipsec.CacheSize = IPSEC_DEFAULT_CACHE_SIZE;
  1437. g_ipsec.SAHashSize = IPSEC_DEFAULT_SA_HASH_SIZE;
  1438. }
  1440. status = OpenRegKey(&hRegKey,
  1441. IPSecParametersRegistryKey);
  1444. if (NT_SUCCESS(status)) {
  1445. //
  1446. // Expected configuration values. We use reasonable defaults if they
  1447. // aren't available for some reason.
  1448. //
  1449. IPSecRegReadDword( hRegKey,
  1450. IPSEC_REG_PARAM_ENABLE_OFFLOAD,
  1451. &g_ipsec.EnableOffload,
  1452. IPSEC_DEFAULT_ENABLE_OFFLOAD,
  1453. IPSEC_MAX_ENABLE_OFFLOAD,
  1454. IPSEC_MIN_ENABLE_OFFLOAD);
  1456. IPSecRegReadDword( hRegKey,
  1457. IPSEC_REG_PARAM_SA_IDLE_TIME,
  1458. &g_ipsec.DefaultSAIdleTime,
  1459. IPSEC_DEFAULT_SA_IDLE_TIME,
  1460. IPSEC_MAX_SA_IDLE_TIME,
  1461. IPSEC_MIN_SA_IDLE_TIME);
  1463. IPSecRegReadDword( hRegKey,
  1464. IPSEC_REG_PARAM_EVENT_QUEUE_SIZE,
  1465. &g_ipsec.EventQueueSize,
  1466. IPSEC_DEFAULT_EVENT_QUEUE_SIZE,
  1467. IPSEC_MAX_EVENT_QUEUE_SIZE,
  1468. IPSEC_MIN_EVENT_QUEUE_SIZE);
  1470. IPSecRegReadDword( hRegKey,
  1471. IPSEC_REG_PARAM_LOG_INTERVAL,
  1472. &g_ipsec.LogInterval,
  1473. IPSEC_DEFAULT_LOG_INTERVAL,
  1474. IPSEC_MAX_LOG_INTERVAL,
  1475. IPSEC_MIN_LOG_INTERVAL);
  1477. IPSecRegReadDword( hRegKey,
  1478. IPSEC_REG_PARAM_REKEY_TIME,
  1479. &g_ipsec.RekeyTime,
  1480. IPSEC_DEFAULT_REKEY,
  1481. IPSEC_MAX_REKEY,
  1482. IPSEC_MIN_REKEY);
  1484. IPSecRegReadDword( hRegKey,
  1485. IPSEC_REG_PARAM_CACHE_SIZE,
  1486. &g_ipsec.CacheSize,
  1487. isAs? IPSEC_DEFAULT_AS_CACHE_SIZE:
  1488. IPSEC_DEFAULT_CACHE_SIZE,
  1489. IPSEC_MAX_CACHE_SIZE,
  1490. IPSEC_MIN_CACHE_SIZE);
  1492. IPSecRegReadDword( hRegKey,
  1493. IPSEC_REG_PARAM_SA_HASH_SIZE,
  1494. &g_ipsec.SAHashSize,
  1495. isAs? IPSEC_DEFAULT_AS_SA_HASH_SIZE:
  1496. IPSEC_DEFAULT_SA_HASH_SIZE,
  1497. IPSEC_MAX_SA_HASH_SIZE,
  1498. IPSEC_MIN_SA_HASH_SIZE);
  1500. IPSecRegReadDword( hRegKey,
  1501. IPSEC_REG_PARAM_NO_DEFAULT_EXEMPT,
  1502. &g_ipsec.NoDefaultExempt,
  1503. IPSEC_DEFAULT_NO_DEFAULT_EXEMPT,
  1504. IPSEC_MAX_NO_DEFAULT_EXEMPT,
  1505. IPSEC_MIN_NO_DEFAULT_EXEMPT);
  1507. IPSecRegReadDword( hRegKey,
  1508. IPSEC_REG_PARAM_ENABLE_DIAGNOSTICS,
  1509. &g_ipsec.DiagnosticMode,
  1510. IPSEC_DEFAULT_ENABLE_DIAGNOSTICS,
  1511. IPSEC_MAX_ENABLE_DIAGNOSTICS,
  1512. IPSEC_MIN_ENABLE_DIAGNOSTICS);
  1514. IPSecRegReadDwordEx( hRegKey,
  1515. IPSEC_REG_PARAM_OPERATION_MODE,
  1516. &(ULONG)g_ipsec.OperationMode,
  1517. IPSEC_OPERATION_MODE_MAX-1, // Max valid value
  1518. 0, //Min valid value
  1519. IPSEC_BYPASS_MODE,//Key not exist
  1520. IPSEC_BLOCK_MODE, // Error in reading the key
  1521. IPSEC_BLOCK_MODE);// Key value out of range
  1522. IPSecRegReadDwordEx(hRegKey,
  1523. IPSEC_REG_PARAM_DFLT_FWDING_BEHAVIOR,
  1524. &(ULONG)g_ipsec.DefaultForwardingBehavior,
  1525. IPSEC_FORWARD_MAX-1,//Max valid
  1526. 0,
  1527. IPSEC_FORWARD_BLOCK,//Key not exist
  1528. IPSEC_FORWARD_BLOCK,// Error in reading
  1529. IPSEC_FORWARD_BLOCK);//Value out of range
  1531. ZwClose(hRegKey);
  1532. }
  1534. g_ipsec.CacheHalfSize = g_ipsec.CacheSize / 2;
  1536. //
  1537. // Init SAIdleTime for low memory reaper
  1538. //
  1539. IPSEC_CONVERT_SECS_TO_100NS(g_ipsec.SAIdleTime, g_ipsec.DefaultSAIdleTime);
  1541. if (IS_DRIVER_BLOCK() || IS_DRIVER_BOOTSTATEFUL()) {
  1542. // Make sure SPD will be starting
  1543. ULONG SPDStart=0;
  1544. WCHAR SPDParametersRegistryKey[] = SPD_REG_KEY;
  1546. status = OpenRegKey(&hRegKey,
  1547. SPDParametersRegistryKey);
  1549. if (NT_SUCCESS(status)) {
  1550. IPSecRegReadDword( hRegKey,
  1551. SPD_REG_PARAM_START,
  1552. &SPDStart,
  1553. 0,
  1554. 4,
  1555. 0);
  1557. if (SPDStart != 2) {
  1558. g_ipsec.OperationMode = IPSEC_BYPASS_MODE;
  1559. }
  1561. ZwClose(hRegKey);
  1563. } else {
  1564. g_ipsec.OperationMode = IPSEC_BYPASS_MODE;
  1566. }
  1568. }
  1569. IPSEC_DEBUG(LL_A,DBF_BOOTTIME,("IPSEC BOOT MODE %d\n",g_ipsec.OperationMode));
  1570. //
  1571. // Log the boot mode to the system event log
  1572. //
  1573. IPSecLogBootOperationMode();
  1574. }
  1576. NTSTATUS IPSecConvertRegExemptPolicy(
  1577. PKEY_VALUE_PARTIAL_INFORMATION pKeyData,
  1578. PIPSEC_EXEMPT_ENTRY *pBootExemptList,
  1579. ULONG *pBootExemptListSize
  1580. )
  1581. {
  1583. ULONG i;
  1584. LONG DataLeft = pKeyData->DataLength;
  1585. PIPSEC_EXEMPT_ENTRY pCurEntry;
  1586. ULONG TotalEntries=0;
  1587. ULONG CurIndex=0;
  1590. pCurEntry = (PIPSEC_EXEMPT_ENTRY)&(pKeyData->Data[0]);
  1591. while (DataLeft >= (LONG)sizeof(IPSEC_EXEMPT_ENTRY)) {
  1593. if ((pCurEntry->Type == EXEMPT_TYPE_PDP) &&
  1594. ((pCurEntry->Direction == EXEMPT_DIRECTION_INBOUND) ||
  1595. (pCurEntry->Direction == EXEMPT_DIRECTION_OUTBOUND)) &&
  1596. (pCurEntry->Size == sizeof(IPSEC_EXEMPT_ENTRY))) {
  1597. TotalEntries++;
  1598. }
  1599. DataLeft -= pCurEntry->Size;
  1600. if (pCurEntry->Size == 0) {
  1601. break;
  1602. }
  1603. pCurEntry = (PIPSEC_EXEMPT_ENTRY) ((PBYTE)pCurEntry + pCurEntry->Size);
  1604. }
  1606. if (0 != TotalEntries ){
  1607. *pBootExemptList = (PIPSEC_EXEMPT_ENTRY)IPSecAllocateMemory(TotalEntries * sizeof(IPSEC_EXEMPT_ENTRY),
  1608. IPSEC_TAG_INIT);
  1609. }
  1610. else {
  1611. *pBootExemptList = NULL;
  1612. *pBootExemptListSize=0;
  1613. return STATUS_SUCCESS;
  1614. }
  1616. if (*pBootExemptList == NULL) {
  1617. *pBootExemptListSize=0;
  1618. return STATUS_INSUFFICIENT_RESOURCES;
  1619. }
  1621. pCurEntry = (PIPSEC_EXEMPT_ENTRY)&(pKeyData->Data[0]);
  1622. DataLeft = pKeyData->DataLength;
  1623. while (DataLeft >= (LONG)sizeof(IPSEC_EXEMPT_ENTRY)) {
  1625. if ((pCurEntry->Type == EXEMPT_TYPE_PDP) &&
  1626. ((pCurEntry->Direction == EXEMPT_DIRECTION_INBOUND) ||
  1627. (pCurEntry->Direction == EXEMPT_DIRECTION_OUTBOUND)) &&
  1628. (pCurEntry->Size == sizeof(IPSEC_EXEMPT_ENTRY))){
  1629. RtlCopyMemory(&((*pBootExemptList)[CurIndex]),pCurEntry,sizeof(IPSEC_EXEMPT_ENTRY));
  1630. IPSEC_DEBUG(LL_A,DBF_BOOTTIME,("RegSrcPort %x : RegDstPort %x",
  1631. (*pBootExemptList)[CurIndex].DestPort,(*pBootExemptList)[CurIndex].SrcPort));
  1632. (*pBootExemptList)[CurIndex].DestPort = NET_SHORT((*pBootExemptList)[CurIndex].DestPort);
  1633. (*pBootExemptList)[CurIndex].SrcPort = NET_SHORT((*pBootExemptList)[CurIndex].SrcPort);
  1634. IPSEC_DEBUG(LL_A,DBF_BOOTTIME,("Post swap RegSrcPort %x : RegDstPort %x",
  1635. (*pBootExemptList)[CurIndex].DestPort,(*pBootExemptList)[CurIndex].SrcPort));
  1636. CurIndex++;
  1637. }
  1638. DataLeft -= pCurEntry->Size;
  1639. if (pCurEntry->Size == 0) {
  1640. break;
  1641. }
  1642. pCurEntry = (PIPSEC_EXEMPT_ENTRY) ((PBYTE)pCurEntry + pCurEntry->Size);
  1644. }
  1645. *pBootExemptListSize = TotalEntries;
  1646. return STATUS_SUCCESS;
  1647. }
  1651. NTSTATUS IPSecReadExemptPolicy()
  1652. {
  1654. WCHAR IPSecParametersRegistryKey[] = IPSEC_REG_KEY;
  1655. HANDLE hRegKey = NULL;
  1656. USHORT BlobSize=0;
  1657. NTSTATUS Status;
  1658. PKEY_VALUE_PARTIAL_INFORMATION pKeyData=NULL;
  1661. Status = OpenRegKey(&hRegKey,
  1662. IPSecParametersRegistryKey);
  1664. if (!NT_SUCCESS(Status)) {
  1665. goto err;
  1666. }
  1668. Status = GetRegBinaryValue(hRegKey,
  1669. IPSEC_REG_PARAM_EXEMPT_LIST,
  1670. &pKeyData,
  1671. &BlobSize);
  1673. if (!NT_SUCCESS(Status)) {
  1674. goto err;
  1675. }
  1677. if (pKeyData->Type != REG_BINARY) {
  1678. Status = STATUS_INVALID_PARAMETER;
  1679. goto err;
  1680. }
  1682. Status = IPSecConvertRegExemptPolicy(pKeyData,
  1683. &g_ipsec.BootExemptList,
  1684. &g_ipsec.BootExemptListSize);
  1686. if (!NT_SUCCESS(Status)) {
  1687. goto err;
  1688. }
  1690. err:
  1691. if (hRegKey) {
  1692. ZwClose(hRegKey);
  1693. }
  1694. if (pKeyData) {
  1695. IPSecFreeMemory(pKeyData);
  1696. }
  1698. return Status;
  1701. }
  1704. NTSTATUS
  1705. IPSecGeneralInit()
  1706. /*++
  1708. Routine Description:
  1710. General structures are initialized here.
  1712. Arguments:
  1714. None
  1716. Return Value:
  1719. --*/
  1720. {
  1721. PSA_TABLE_ENTRY pSA;
  1722. LONG i;
  1723. NTSTATUS status = STATUS_SUCCESS;
  1725. PAGED_CODE();
  1727. IPSEC_DEBUG(LL_A, DBF_LOAD, ("Entering IPSecGeneralInit"));
  1730. NdisGetCurrentSystemTime(&g_ipsec.StartTimeDelta);
  1732. IPSEC_DEBUG(LL_A,DBF_LOAD, ("Entering IPSecGeneralInit\n"));
  1733. //
  1734. // Initialize our counters
  1735. //
  1736. g_ipsec.dwPacketsOnWrongSA = 0;
  1741. //
  1742. // init the acquireinfo struct
  1743. //
  1744. InitializeListHead(&g_ipsec.AcquireInfo.PendingAcquires);
  1745. InitializeListHead(&g_ipsec.AcquireInfo.PendingNotifies);
  1746. InitializeListHead(&g_ipsec.LarvalSAList);
  1747. INIT_LOCK(&g_ipsec.LarvalListLock);
  1748. INIT_LOCK(&g_ipsec.AcquireInfo.Lock);
  1750. //
  1751. // Set up the hashes/tables
  1752. //
  1753. InitializeMRSWLock(&g_ipsec.SADBLock);
  1754. InitializeMRSWLock(&g_ipsec.SPIListLock);
  1756. g_ipsec.IPProtInfo.pi_xmitdone = IPSecProtocolSendComplete;
  1757. g_ipsec.IPProtInfo.pi_protocol = PROTOCOL_ESP;
  1759. //
  1760. // init filter linked lists
  1761. //
  1762. for (i = MIN_FILTER; i <= MAX_FILTER; i++) {
  1763. InitializeListHead(&g_ipsec.FilterList[i]);
  1764. }
  1766. //
  1767. // SAs in a hash table, hashed by <SPI, Dest addr>
  1768. //
  1769. g_ipsec.pSADb = IPSecAllocateMemory(g_ipsec.SAHashSize * sizeof(SA_HASH), IPSEC_TAG_INIT);
  1771. if (!g_ipsec.pSADb) {
  1772. IPSEC_DEBUG(LL_A, DBF_LOAD, ("Failed to alloc SADb hash"));
  1773. return STATUS_INSUFFICIENT_RESOURCES;
  1774. }
  1776. IPSecInitFlag |= INIT_SA_DATABASE;
  1778. IPSecZeroMemory(g_ipsec.pSADb, g_ipsec.SAHashSize * sizeof(SA_HASH));
  1780. for (i = 0; i < g_ipsec.SAHashSize; i++) {
  1781. PSA_HASH Entry = &g_ipsec.pSADb[i];
  1782. InitializeListHead(&Entry->SAList);
  1783. }
  1785. //
  1786. // Initialize the MDL pools.
  1787. //
  1788. status = IPSecInitMdlPool();
  1789. if (!NT_SUCCESS (status)) {
  1790. IPSEC_DEBUG(LL_A, DBF_LOAD, ("Failed to alloc MDL pools"));
  1791. return STATUS_INSUFFICIENT_RESOURCES;
  1792. }
  1794. IPSecInitFlag |= INIT_MDL_POOLS;
  1796. //
  1797. // Initialize the cache structures.
  1798. //
  1799. if (!AllocateCacheStructures()) {
  1800. IPSEC_DEBUG(LL_A, DBF_LOAD, ("Failed to alloc cache structs"));
  1801. return STATUS_INSUFFICIENT_RESOURCES;
  1802. }
  1804. IPSecInitFlag |= INIT_CACHE_STRUCT;
  1806. //
  1807. // Allocate EventQueue memory.
  1808. //
  1809. g_ipsec.IPSecLogMemory = IPSecAllocateMemory( g_ipsec.EventQueueSize * sizeof(IPSEC_EVENT_CTX),
  1810. IPSEC_TAG_EVT_QUEUE);
  1812. if (!g_ipsec.IPSecLogMemory) {
  1813. return STATUS_INSUFFICIENT_RESOURCES;
  1814. }
  1816. IPSecInitFlag |= INIT_DEBUG_MEMORY;
  1818. g_ipsec.IPSecLogMemoryLoc = &g_ipsec.IPSecLogMemory[0];
  1819. g_ipsec.IPSecLogMemoryEnd = &g_ipsec.IPSecLogMemory[g_ipsec.EventQueueSize * sizeof(IPSEC_EVENT_CTX)];
  1821. //
  1822. // Init the timer stuff.
  1823. //
  1824. if (!IPSecInitTimer()) {
  1825. IPSEC_DEBUG(LL_A, DBF_LOAD, ("Failed to init timer"));
  1826. return STATUS_INSUFFICIENT_RESOURCES;
  1827. }
  1829. IPSecInitFlag |= INIT_TIMERS;
  1831. #if GPC
  1832. status = IPSecGpcInitialize();
  1833. if (status != STATUS_SUCCESS) {
  1834. IPSEC_DEBUG(LL_A, DBF_LOAD, ("Failed to register GPC clients"));
  1835. }
  1836. #endif
  1838. //
  1839. // Arm the reaper timer
  1840. //
  1841. IPSEC_DEBUG(LL_A, DBF_LOAD, ("Starting ReaperTimer"));
  1842. IPSecStartTimer(&g_ipsec.ReaperTimer,
  1843. IPSecReaper,
  1844. IPSEC_REAPER_TIME,
  1845. (PVOID)NULL);
  1847. //
  1848. // Start EventLog timer
  1849. //
  1850. IPSEC_DEBUG(LL_A, DBF_LOAD, ("Starting EventLogTimer"));
  1851. IPSecStartTimer(&g_ipsec.EventLogTimer,
  1852. IPSecFlushEventLog,
  1853. g_ipsec.LogInterval,
  1854. (PVOID)NULL);
  1856. IPSEC_DEBUG(LL_A, DBF_LOAD, ("Exiting IPSecGeneralInit"));
  1858. status = NsInitializeShim(IPSecDevice,
  1859. &g_ipsec.ShimFunctions);
  1860. if (status != STATUS_SUCCESS) {
  1861. IPSEC_DEBUG(LL_A, DBF_LOAD, ("Failed to init natshim"));
  1862. return status;
  1863. }
  1865. status = IPSecReadExemptPolicy();
  1866. if (!NT_SUCCESS (status)) {
  1867. IPSEC_DEBUG(LL_A,DBF_LOAD, ("Failed to read exempt policy\n"));
  1868. status = STATUS_SUCCESS;
  1869. }
  1871. //
  1872. // Initialize the boot data structures
  1873. //
  1874. g_ipsec.BootBufferPool = NULL;
  1875. g_ipsec.BootStatefulHT = NULL;
  1878. if (IPSEC_BOOTTIME_STATEFUL_MODE == g_ipsec.OperationMode){
  1879. //
  1880. // Allocate the boot time stateful exemption hash table
  1881. //
  1882. g_ipsec.BootStatefulHT = (PIPSEC_STATEFUL_HASH_TABLE)IPSecAllocateMemory(sizeof(IPSEC_STATEFUL_HASH_TABLE),
  1883. IPSEC_TAG_STATEFUL_HT);
  1884. if(g_ipsec.BootStatefulHT == NULL){
  1885. status = STATUS_INSUFFICIENT_RESOURCES;
  1886. goto exit;
  1887. }
  1889. //
  1890. // Allocate the memory pool for hash table entries
  1891. //
  1892. g_ipsec.BootBufferPool = (PIPSEC_HASH_BUFFER_POOL)IPSecAllocateMemory(sizeof(IPSEC_HASH_BUFFER_POOL),IPSEC_TAG_HASH_POOL);
  1893. if(g_ipsec.BootBufferPool == NULL){
  1894. status = STATUS_INSUFFICIENT_RESOURCES;
  1895. goto exit;
  1896. }
  1898. for (i=0;i<IPSEC_STATEFUL_HASH_TABLE_SIZE;i++){
  1899. InitializeListHead(&(g_ipsec.BootStatefulHT->Entry[i]));
  1900. }
  1902. RtlZeroMemory(g_ipsec.BootBufferPool,sizeof(IPSEC_HASH_BUFFER_POOL));
  1903. }
  1906. return STATUS_SUCCESS;
  1907. exit:
  1908. return status;
  1909. }
  1912. NTSTATUS
  1913. IPSecGeneralFree()
  1914. /*++
  1916. Routine Description:
  1918. Free general structures if IPSecGeneralInit fails.
  1920. Arguments:
  1922. None
  1924. Return Value:
  1927. --*/
  1928. {
  1929. INT index;
  1930. KIRQL kIrql;
  1932. //
  1933. // Free SA database.
  1934. //
  1935. if (IPSecInitFlag & INIT_SA_DATABASE) {
  1936. if (g_ipsec.pSADb) {
  1937. IPSecFreeMemory(g_ipsec.pSADb);
  1938. }
  1939. }
  1941. //
  1942. // Free MDL pool.
  1943. //
  1944. if (IPSecInitFlag & INIT_MDL_POOLS) {
  1945. IPSecDeinitMdlPool();
  1946. }
  1948. //
  1949. // Free cache struct.
  1950. //
  1951. if (IPSecInitFlag & INIT_CACHE_STRUCT) {
  1952. FreeExistingCache();
  1953. }
  1955. //
  1956. // Free EventQueue memory.
  1957. //
  1958. if (IPSecInitFlag & INIT_DEBUG_MEMORY) {
  1959. if (g_ipsec.IPSecLogMemory) {
  1960. IPSecFreeMemory(g_ipsec.IPSecLogMemory);
  1961. }
  1962. }
  1964. //
  1965. // Free timers allocated.
  1966. //
  1967. if (IPSecInitFlag & INIT_TIMERS) {
  1968. for (index = 0; index < IPSEC_CLASS_MAX; index++) {
  1969. IPSecFreeMemory(g_ipsec.TimerList[index].pTimers);
  1970. }
  1971. }
  1973. AcquireWriteLock(&g_ipsec.SADBLock,&kIrql);
  1975. if (g_ipsec.BootStatefulHT){
  1976. IPSecFreeMemory(g_ipsec.BootStatefulHT);
  1977. g_ipsec.BootStatefulHT = NULL;
  1978. }
  1979. if (g_ipsec.BootBufferPool){
  1980. IPSecFreeMemory(g_ipsec.BootBufferPool);
  1981. g_ipsec.BootBufferPool = NULL;
  1982. }
  1983. if (g_ipsec.BootExemptList){
  1984. IPSecFreeMemory(g_ipsec.BootExemptList);
  1985. g_ipsec.BootExemptList = NULL;
  1986. }
  1987. ReleaseWriteLock(&g_ipsec.SADBLock, kIrql);
  1989. return STATUS_SUCCESS;
  1990. }
  1993. NTSTATUS
  1994. IPSecFreeConfig()
  1995. /*++
  1997. Routine Description:
  1999. Free the SA table etc.
  2001. Arguments:
  2003. None
  2005. Return Value:
  2008. --*/
  2009. {
  2010. IPSEC_DEBUG(LL_A, DBF_LOAD, ("Entering IPSecFreeConfig"));
  2012. PAGED_CODE();
  2014. FreeExistingCache();
  2015. FreePatternDbase();
  2017. if (g_ipsec.IPSecLogMemory) {
  2018. IPSecFreeMemory(g_ipsec.IPSecLogMemory);
  2019. }
  2021. IPSEC_DEBUG(LL_A, DBF_LOAD, ("Exiting IPSecFreeConfig"));
  2022. return STATUS_SUCCESS;
  2024. }
  2027. NTSTATUS
  2028. IPSecInitMdlPool()
  2029. /*++
  2031. Routine Description:
  2033. Create the MDL pool for AH and ESP headers.
  2035. Arguments:
  2037. None
  2039. Return Value:
  2042. --*/
  2043. {
  2044. PAGED_CODE();
  2045. IPSEC_DEBUG(LL_A, DBF_LOAD, ("Entering IPSecInitMdlPool"));
  2047. g_ipsec.IPSecSmallBufferSize = IPSEC_SMALL_BUFFER_SIZE;
  2048. g_ipsec.IPSecLargeBufferSize = IPSEC_LARGE_BUFFER_SIZE;
  2049. g_ipsec.IPSecSendCompleteCtxSize = sizeof(IPSEC_SEND_COMPLETE_CONTEXT);
  2051. g_ipsec.IPSecSmallBufferListDepth = IPSEC_LIST_DEPTH;
  2052. g_ipsec.IPSecLargeBufferListDepth = IPSEC_LIST_DEPTH;
  2053. g_ipsec.IPSecSendCompleteCtxDepth = IPSEC_LIST_DEPTH;
  2055. g_ipsec.IPSecCacheLineSize = IPSEC_CACHE_LINE_SIZE;
  2057. //
  2058. // Initialize the lookaside lists.
  2059. //
  2061. g_ipsec.IPSecLookasideLists = IPSecAllocateMemory(
  2062. sizeof(*g_ipsec.IPSecLookasideLists),
  2063. IPSEC_TAG_LOOKASIDE_LISTS);
  2065. if (g_ipsec.IPSecLookasideLists == NULL) {
  2066. return STATUS_INSUFFICIENT_RESOURCES;
  2067. }
  2069. //
  2070. // Initialize the IPSEC buffer lookaside lists.
  2071. //
  2072. ExInitializeNPagedLookasideList(&g_ipsec.IPSecLookasideLists->LargeBufferList,
  2073. IPSecAllocateBufferPool,
  2074. NULL,
  2075. 0,
  2076. g_ipsec.IPSecLargeBufferSize,
  2077. IPSEC_TAG_BUFFER_POOL,
  2078. (USHORT)g_ipsec.IPSecLargeBufferListDepth);
  2080. ExInitializeNPagedLookasideList(&g_ipsec.IPSecLookasideLists->SmallBufferList,
  2081. IPSecAllocateBufferPool,
  2082. NULL,
  2083. 0,
  2084. g_ipsec.IPSecSmallBufferSize,
  2085. IPSEC_TAG_BUFFER_POOL,
  2086. (USHORT)g_ipsec.IPSecSmallBufferListDepth);
  2088. ExInitializeNPagedLookasideList(&g_ipsec.IPSecLookasideLists->SendCompleteCtxList,
  2089. NULL,
  2090. NULL,
  2091. 0,
  2092. g_ipsec.IPSecSendCompleteCtxSize,
  2093. IPSEC_TAG_SEND_COMPLETE,
  2094. (USHORT)g_ipsec.IPSecSendCompleteCtxDepth);
  2096. IPSEC_DEBUG(LL_A, DBF_LOAD, ("Exiting IPSecInitMdlPool"));
  2097. return STATUS_SUCCESS;
  2098. }
  2101. VOID
  2102. IPSecDeinitMdlPool()
  2103. /*++
  2105. Routine Description:
  2107. Free the MDL pool for AH and ESP headers.
  2109. Arguments:
  2111. None
  2113. Return Value:
  2116. --*/
  2117. {
  2118. PAGED_CODE();
  2119. IPSEC_DEBUG(LL_A, DBF_LOAD, ("Entering IPSecDeinitMdlPool"));
  2121. //
  2122. // Destroy the lookaside lists.
  2123. //
  2125. if (g_ipsec.IPSecLookasideLists != NULL) {
  2126. ExDeleteNPagedLookasideList(&g_ipsec.IPSecLookasideLists->LargeBufferList);
  2127. ExDeleteNPagedLookasideList(&g_ipsec.IPSecLookasideLists->SmallBufferList);
  2128. ExDeleteNPagedLookasideList(&g_ipsec.IPSecLookasideLists->SendCompleteCtxList);
  2130. IPSecFreeMemory(g_ipsec.IPSecLookasideLists);
  2131. }
  2133. IPSEC_DEBUG(LL_A, DBF_LOAD, ("Exiting IPSecDeinitMdlPool"));
  2134. }
  2137. NTSTATUS
  2138. IPSecQuiesce()
  2139. /*++
  2141. Routine Description:
  2143. Destroy MDL pools and run down all driver activity
  2145. Arguments:
  2147. None
  2149. Return Value:
  2152. --*/
  2153. {
  2154. IPSEC_DEBUG(LL_A, DBF_LOAD, ("Entering IPSecQuiesce"));
  2155. IPSecDeinitMdlPool();
  2156. IPSEC_DEBUG(LL_A, DBF_LOAD, ("Exiting IPSecQuiesce"));
  2157. return STATUS_SUCCESS;
  2158. }
  2161. BOOLEAN
  2162. AllocateCacheStructures()
  2163. /*++
  2165. Routine Description:
  2167. Allocates the necessary memory for cache (which is an array of pointers to
  2168. cache entries)
  2169. Allocates necessary number of cache entries (but doesnt initialize them)
  2170. Allocates a small number of entries and puts them on the free list (doesnt
  2171. initialize these either)
  2173. Arguments:
  2175. None
  2177. Return Value:
  2179. True if the function completely succeeds, else FALSE. If FALSE, it is upto
  2180. the CALLER to do a rollback and clear any allocated memory
  2183. --*/
  2184. {
  2185. ULONG i;
  2187. PAGED_CODE();
  2189. g_ipsec.ppCache = IPSecAllocateMemory(g_ipsec.CacheSize * sizeof(PFILTER_CACHE), IPSEC_TAG_INIT);
  2191. if (!g_ipsec.ppCache) {
  2192. IPSEC_DEBUG(LL_A, DBF_LOAD, ("Couldnt allocate memory for Input Cache"));
  2193. return FALSE;
  2194. }
  2196. IPSecZeroMemory(g_ipsec.ppCache, g_ipsec.CacheSize * sizeof(PFILTER_CACHE));
  2198. for (i = 0; i < g_ipsec.CacheSize; i++) {
  2199. PFILTER_CACHE pTemp1;
  2201. pTemp1 = IPSecAllocateMemory(sizeof(FILTER_CACHE), IPSEC_TAG_INIT);
  2203. if (!pTemp1) {
  2204. FreeExistingCache();
  2205. return FALSE;
  2206. }
  2208. IPSecZeroMemory(pTemp1, sizeof(FILTER_CACHE));
  2210. g_ipsec.ppCache[i] = pTemp1;
  2212. }
  2214. return TRUE;
  2215. }
  2218. VOID
  2219. FreeExistingCache()
  2220. /*++
  2222. Routine Description
  2224. Frees all the cache entries, free entries and cache pointer array
  2226. Arguments
  2228. None
  2230. Return Value
  2232. None
  2234. --*/
  2235. {
  2236. ULONG i;
  2238. PAGED_CODE();
  2240. IPSEC_DEBUG(LL_A, DBF_LOAD, ("Freeing existing cache..."));
  2242. IPSecResetCacheTable();
  2244. if (g_ipsec.ppCache) {
  2245. for (i = 0; i < g_ipsec.CacheSize; i++) {
  2246. if (g_ipsec.ppCache[i]) {
  2247. ExFreePool(g_ipsec.ppCache[i]);
  2248. }
  2249. }
  2251. ExFreePool(g_ipsec.ppCache);
  2252. g_ipsec.ppCache = NULL;
  2253. }
  2254. }
  2257. VOID
  2258. FreePatternDbase()
  2259. /*++
  2261. Routine Description
  2263. Frees all filters and SAs.
  2265. Arguments
  2267. None
  2269. Return Value
  2271. None
  2273. --*/
  2274. {
  2275. PLIST_ENTRY pEntry;
  2276. PFILTER pFilter;
  2277. PSA_TABLE_ENTRY pSA;
  2278. LONG i, j;
  2280. PAGED_CODE();
  2282. //
  2283. // Free all masked filters and associated (outbound) SAs
  2284. //
  2285. for (i = MIN_FILTER; i <= MAX_FILTER; i++) {
  2287. while (!IsListEmpty(&g_ipsec.FilterList[i])) {
  2289. pEntry = RemoveHeadList(&g_ipsec.FilterList[i]);
  2291. pFilter = CONTAINING_RECORD(pEntry,
  2292. FILTER,
  2293. MaskedLinkage);
  2295. IPSEC_DEBUG(LL_A, DBF_LOAD, ("Freeing filter: %p", pFilter));
  2297. //
  2298. // Free each SA under it.
  2299. //
  2300. for (j = 0; j < pFilter->SAChainSize; j++) {
  2302. while (!IsListEmpty(&pFilter->SAChain[j])) {
  2304. pEntry = RemoveHeadList(&pFilter->SAChain[j]);
  2306. pSA = CONTAINING_RECORD(pEntry,
  2307. SA_TABLE_ENTRY,
  2308. sa_FilterLinkage);
  2310. IPSEC_DEBUG(LL_A, DBF_LOAD, ("Freeing SA: %p", pSA));
  2312. //
  2313. // Remove SA from miniport if plumbed
  2314. //
  2315. if (pSA->sa_Flags & FLAGS_SA_HW_PLUMBED) {
  2316. IPSecDelHWSA(pSA);
  2317. }
  2319. //
  2320. // Also remove the inbound SAs from their SPI list
  2321. // so we dont double free them below.
  2322. //
  2323. IPSecRemoveSPIEntry(pSA);
  2325. //
  2326. // Stop the timer if armed and deref SA.
  2327. //
  2328. IPSecStopTimerDerefSA(pSA);
  2329. }
  2330. }
  2332. #if GPC
  2333. IPSecUninstallGpcFilter(pFilter);
  2334. #endif
  2336. IPSecFreeFilter(pFilter);
  2337. }
  2338. }
  2340. //
  2341. // Free all SAs under the SPI hashes.
  2342. //
  2343. for (i = 0; i < g_ipsec.SAHashSize; i++) {
  2344. PSA_HASH pHash = &g_ipsec.pSADb[i];
  2346. while (!IsListEmpty(&pHash->SAList)) {
  2348. pEntry = RemoveHeadList(&pHash->SAList);
  2350. pSA = CONTAINING_RECORD(pEntry,
  2351. SA_TABLE_ENTRY,
  2352. sa_SPILinkage);
  2354. IPSEC_DEBUG(LL_A, DBF_LOAD, ("Freeing SA: %p", pSA));
  2356. if (pSA->sa_Flags & FLAGS_SA_HW_PLUMBED) {
  2357. IPSecDelHWSA(pSA);
  2358. }
  2360. IPSecStopTimerDerefSA(pSA);
  2361. }
  2362. }
  2364. IPSecFreeMemory(g_ipsec.pSADb);
  2366. IPSEC_DEBUG(LL_A, DBF_LOAD, ("Freed filters/SAs"));
  2367. }
  2370. SIZE_T
  2371. IPSecCalculateBufferSize(
  2372. IN SIZE_T BufferDataSize
  2373. )
  2374. /*++
  2376. Routine Description:
  2378. Determines the size of an AFD buffer structure given the amount of
  2379. data that the buffer contains.
  2381. Arguments:
  2383. BufferDataSize - data length of the buffer.
  2385. AddressSize - length of address structure for the buffer.
  2387. Return Value:
  2389. Number of bytes needed for an IPSEC_LA_BUFFER structure for data of
  2390. this size.
  2392. --*/
  2393. {
  2394. SIZE_T mdlSize;
  2395. SIZE_T bufferSize;
  2397. ASSERT(BufferDataSize != 0);
  2399. ASSERT(g_ipsec.IPSecCacheLineSize < 100);
  2401. //
  2402. // Determine the sizes of the various components of an IPSEC_LA_BUFFER
  2403. // structure. Note that these are all worst-case calculations--
  2404. // actual sizes of the MDL and the buffer may be smaller.
  2405. //
  2406. bufferSize = BufferDataSize + g_ipsec.IPSecCacheLineSize;
  2407. mdlSize = MmSizeOfMdl( (PVOID)(PAGE_SIZE-1), bufferSize );
  2409. return ((sizeof(IPSEC_LA_BUFFER) + mdlSize + bufferSize + 3) & ~3);
  2411. }
  2414. VOID
  2415. IPSecInitializeBuffer(
  2416. IN PIPSEC_LA_BUFFER IPSecBuffer,
  2417. IN SIZE_T BufferDataSize
  2418. )
  2419. /*++
  2421. Routine Description:
  2423. Initializes an IPSec buffer. Sets up fields in the actual IPSEC_LA_BUFFER
  2424. structure and initializes the MDL associated with the buffer. This routine
  2425. assumes that the caller has properly allocated sufficient space for all this.
  2427. Arguments:
  2429. IPSecBuffer - points to the IPSEC_LA_BUFFER structure to initialize.
  2431. BufferDataSize - the size of the data buffer that goes along with the
  2432. buffer structure.
  2434. Return Value:
  2436. None
  2438. --*/
  2439. {
  2440. SIZE_T mdlSize;
  2442. //
  2443. // Set up the MDL pointer but don't build it yet. We have to wait
  2444. // until after the data buffer is built to build the MDL.
  2445. //
  2446. mdlSize = MmSizeOfMdl( (PVOID)(PAGE_SIZE-1), BufferDataSize );
  2447. IPSecBuffer->Mdl = (PMDL)&IPSecBuffer->Data[0];
  2449. IPSEC_DEBUG(LL_A, DBF_POOL, ("IPSecBuffer: %p, MDL: %p", IPSecBuffer, IPSecBuffer->Mdl));
  2451. //
  2452. // Set up the data buffer pointer and length. Note that the buffer
  2453. // MUST begin on a cache line boundary so that we can use the fast
  2454. // copy routines like RtlCopyMemory on the buffer.
  2455. //
  2456. IPSecBuffer->Buffer = (PVOID)
  2457. (((ULONG_PTR)((PCHAR)IPSecBuffer->Mdl + mdlSize) +
  2458. g_ipsec.IPSecCacheLineSize - 1 ) & ~((ULONG_PTR)(g_ipsec.IPSecCacheLineSize - 1)));
  2460. IPSecBuffer->BufferLength = (ULONG)BufferDataSize; // Sundown - FIX
  2462. //
  2463. // Now build the MDL and set up a pointer to the MDL in the IRP.
  2464. //
  2465. MmInitializeMdl( IPSecBuffer->Mdl, IPSecBuffer->Buffer, BufferDataSize );
  2466. MmBuildMdlForNonPagedPool( IPSecBuffer->Mdl );
  2468. }
  2471. PVOID
  2472. IPSecAllocateBufferPool(
  2473. IN POOL_TYPE PoolType,
  2474. IN SIZE_T NumberOfBytes,
  2475. IN ULONG Tag
  2476. )
  2477. /*++
  2479. Routine Description:
  2481. Used by the lookaside list allocation function to allocate a new
  2482. IPSec buffer structure. The returned structure will be fully
  2483. initialized.
  2485. Arguments:
  2487. PoolType - passed to ExAllocatePoolWithTag.
  2489. NumberOfBytes - the number of bytes required for the data buffer
  2490. portion of the IPSec buffer.
  2492. Tag - passed to ExAllocatePoolWithTag.
  2494. Return Value:
  2496. PVOID - a fully initialized PIPSEC_LA_BUFFER, or NULL if the allocation
  2497. attempt fails.
  2499. --*/
  2500. {
  2501. PIPSEC_LA_BUFFER IPSecBuffer;
  2502. SIZE_T bytesRequired;
  2504. //
  2505. // The requested length must be the same as one of the standard
  2506. // IPSec buffer sizes.
  2507. //
  2509. ASSERT( NumberOfBytes == g_ipsec.IPSecSmallBufferSize ||
  2510. NumberOfBytes == g_ipsec.IPSecLargeBufferSize );
  2512. //
  2513. // Determine how much data we'll actually need for the buffer.
  2514. //
  2516. bytesRequired = IPSecCalculateBufferSize(NumberOfBytes);
  2518. //
  2519. // Get nonpaged pool for the buffer.
  2520. //
  2522. IPSecBuffer = IPSecAllocateMemory( bytesRequired, Tag );
  2523. if ( IPSecBuffer == NULL ) {
  2524. return NULL;
  2525. }
  2527. //
  2528. // Initialize the buffer and return a pointer to it.
  2529. //
  2531. IPSecInitializeBuffer( IPSecBuffer, NumberOfBytes );
  2533. return IPSecBuffer;
  2536. }
  2539. PIPSEC_LA_BUFFER
  2540. IPSecGetBuffer(
  2541. IN CLONG BufferDataSize,
  2542. IN ULONG Tag
  2543. )
  2544. /*++
  2546. Routine Description:
  2548. Obtains a buffer of the appropriate size for the caller. Uses
  2549. the preallocated buffers if possible, or else allocates a new buffer
  2550. structure if required.
  2552. Arguments:
  2554. BufferDataSize - the size of the data buffer that goes along with the
  2555. buffer structure.
  2557. Return Value:
  2559. PIPSEC_LA_BUFFER - a pointer to an IPSEC_LA_BUFFER structure, or NULL if one
  2560. was not available or could not be allocated.
  2562. --*/
  2563. {
  2564. PIPSEC_LA_BUFFER IPSecBuffer;
  2565. SIZE_T bufferSize;
  2566. PLIST_ENTRY listEntry;
  2567. PNPAGED_LOOKASIDE_LIST lookasideList;
  2569. //
  2570. // If possible, allocate the buffer from one of the lookaside lists.
  2571. //
  2572. if (BufferDataSize <= g_ipsec.IPSecLargeBufferSize) {
  2574. if ( BufferDataSize <= g_ipsec.IPSecSmallBufferSize ) {
  2576. lookasideList = &g_ipsec.IPSecLookasideLists->SmallBufferList;
  2577. BufferDataSize = g_ipsec.IPSecSmallBufferSize;
  2579. } else {
  2581. lookasideList = &g_ipsec.IPSecLookasideLists->LargeBufferList;
  2582. BufferDataSize = g_ipsec.IPSecLargeBufferSize;
  2584. }
  2586. IPSecBuffer = ExAllocateFromNPagedLookasideList( lookasideList );
  2588. if (!IPSecBuffer) {
  2589. return NULL;
  2590. }
  2592. IPSecBuffer->Tag = Tag;
  2594. return IPSecBuffer;
  2595. }
  2597. //
  2598. // Couldn't find an appropriate buffer that was preallocated.
  2599. // Allocate one manually. If the buffer size requested was
  2600. // zero bytes, give them four bytes. This is because some of
  2601. // the routines like MmSizeOfMdl() cannot handle getting passed
  2602. // in a length of zero.
  2603. //
  2604. // !!! It would be good to ROUND_TO_PAGES for this allocation
  2605. // if appropriate, then use entire buffer size.
  2606. //
  2607. if ( BufferDataSize == 0 ) {
  2608. BufferDataSize = sizeof(ULONG);
  2609. }
  2611. bufferSize = IPSecCalculateBufferSize(BufferDataSize);
  2613. IPSecBuffer = IPSecAllocateMemory(bufferSize, IPSEC_TAG_BUFFER_POOL);
  2615. if ( IPSecBuffer == NULL ) {
  2616. return NULL;
  2617. }
  2619. //
  2620. // Initialize the IPSec buffer structure and return it.
  2621. //
  2622. IPSecInitializeBuffer(IPSecBuffer, BufferDataSize);
  2624. IPSecBuffer->Tag = Tag;
  2626. return IPSecBuffer;
  2627. }
  2630. VOID
  2631. IPSecReturnBuffer (
  2632. IN PIPSEC_LA_BUFFER IPSecBuffer
  2633. )
  2634. /*++
  2636. Routine Description:
  2638. Returns an IPSec buffer to the appropriate global list, or frees
  2639. it if necessary.
  2641. Arguments:
  2643. IPSecBufferHeader - points to the IPSec_BUFFER_HEADER structure to return or free.
  2645. Return Value:
  2647. None
  2649. --*/
  2650. {
  2651. PNPAGED_LOOKASIDE_LIST lookasideList;
  2653. //
  2654. // If appropriate, return the buffer to one of the IPSec buffer
  2655. // lookaside lists.
  2656. //
  2657. if (IPSecBuffer->BufferLength <= g_ipsec.IPSecLargeBufferSize) {
  2659. if (IPSecBuffer->BufferLength==g_ipsec.IPSecSmallBufferSize) {
  2660. lookasideList = &g_ipsec.IPSecLookasideLists->SmallBufferList;
  2661. } else {
  2662. ASSERT (IPSecBuffer->BufferLength==g_ipsec.IPSecLargeBufferSize);
  2663. lookasideList = &g_ipsec.IPSecLookasideLists->LargeBufferList;
  2664. }
  2666. ExFreeToNPagedLookasideList( lookasideList, IPSecBuffer );
  2668. return;
  2670. }
  2672. IPSecFreeMemory(IPSecBuffer);
  2673. }
  2676. NTSTATUS
  2677. IPSecWriteEvent(
  2678. PDRIVER_OBJECT IPSecDriverObject,
  2679. IN ULONG EventCode,
  2680. IN NTSTATUS NtStatusCode,
  2681. IN ULONG OffloadStatus,
  2682. IN ULONG ExtraStatus1,
  2683. IN ULONG ExtraStatus2,
  2684. IN PVOID RawDataBuffer,
  2685. IN USHORT RawDataLength,
  2686. IN USHORT NumberOfInsertionStrings,
  2687. ...
  2688. )
  2690. #define LAST_NAMED_ARGUMENT NumberOfInsertionStrings
  2693. /*++
  2695. Routine Description:
  2697. This function allocates an I/O error log record, fills it in and writes it
  2698. to the I/O error log.
  2700. Arguments:
  2704. Return Value:
  2706. None.
  2709. --*/
  2710. {
  2711. PIO_ERROR_LOG_PACKET ErrorLogEntry;
  2712. va_list ParmPtr; // Pointer to stack parms.
  2713. PCHAR DumpData;
  2714. LONG Length;
  2715. ULONG i, SizeOfRawData, RemainingSpace, TotalErrorLogEntryLength;
  2716. ULONG SizeOfStringData = 0;
  2717. PWSTR StringOffset, InsertionString;
  2719. if (NumberOfInsertionStrings != 0)
  2720. {
  2721. va_start (ParmPtr, LAST_NAMED_ARGUMENT);
  2723. for (i = 0; i < NumberOfInsertionStrings; i += 1)
  2724. {
  2725. InsertionString = va_arg (ParmPtr, PWSTR);
  2726. Length = wcslen (InsertionString);
  2727. while ((Length > 0) && (InsertionString[Length-1] == L' '))
  2728. {
  2729. Length--;
  2730. }
  2732. SizeOfStringData += (Length + 1) * sizeof(WCHAR);
  2733. }
  2734. }
  2736. //
  2737. // Ideally we want the packet to hold the servername and ExtraInformation.
  2738. // Usually the ExtraInformation gets truncated.
  2739. //
  2741. TotalErrorLogEntryLength = min (RawDataLength + sizeof(IO_ERROR_LOG_PACKET) + 1 + SizeOfStringData,
  2742. ERROR_LOG_MAXIMUM_SIZE);
  2744. RemainingSpace = TotalErrorLogEntryLength - FIELD_OFFSET(IO_ERROR_LOG_PACKET, DumpData);
  2745. if (RemainingSpace > SizeOfStringData)
  2746. {
  2747. SizeOfRawData = RemainingSpace - SizeOfStringData;
  2748. }
  2749. else
  2750. {
  2751. SizeOfStringData = RemainingSpace;
  2752. SizeOfRawData = 0;
  2753. }
  2755. ErrorLogEntry = IoAllocateErrorLogEntry (IPSecDriverObject, (UCHAR) TotalErrorLogEntryLength);
  2756. if (ErrorLogEntry == NULL)
  2757. {
  2758. return(STATUS_INSUFFICIENT_RESOURCES);
  2759. }
  2761. //
  2762. // Fill in the error log entry
  2763. //
  2764. ErrorLogEntry->ErrorCode = EventCode;
  2765. ErrorLogEntry->UniqueErrorValue = OffloadStatus;
  2766. ErrorLogEntry->FinalStatus = NtStatusCode;
  2767. ErrorLogEntry->MajorFunctionCode = 0;
  2768. ErrorLogEntry->RetryCount = 0;
  2769. ErrorLogEntry->IoControlCode = 0;
  2770. ErrorLogEntry->DeviceOffset.LowPart = ExtraStatus1;
  2771. ErrorLogEntry->DeviceOffset.HighPart = ExtraStatus2;
  2772. ErrorLogEntry->DumpDataSize = 0;
  2773. ErrorLogEntry->NumberOfStrings = 0;
  2774. ErrorLogEntry->SequenceNumber = 0;
  2775. ErrorLogEntry->StringOffset = (USHORT) (ROUND_UP_COUNT (FIELD_OFFSET(IO_ERROR_LOG_PACKET, DumpData)
  2776. + SizeOfRawData, ALIGN_WORD));
  2779. //
  2780. // Append the dump data. This information is typically an SMB header.
  2781. //
  2782. if ((RawDataBuffer) && (SizeOfRawData))
  2783. {
  2784. DumpData = (PCHAR) ErrorLogEntry->DumpData;
  2785. Length = min (RawDataLength, (USHORT)SizeOfRawData);
  2786. RtlCopyMemory (DumpData, RawDataBuffer, Length);
  2787. ErrorLogEntry->DumpDataSize = (USHORT)Length;
  2788. }
  2790. //
  2791. // Add the debug informatuion strings
  2792. //
  2793. if (NumberOfInsertionStrings)
  2794. {
  2795. StringOffset = (PWSTR) ((PCHAR)ErrorLogEntry + ErrorLogEntry->StringOffset);
  2797. //
  2798. // Set up ParmPtr to point to first of the caller's parameters.
  2799. //
  2800. va_start(ParmPtr, LAST_NAMED_ARGUMENT);
  2802. for (i = 0 ; i < NumberOfInsertionStrings ; i+= 1)
  2803. {
  2804. InsertionString = va_arg(ParmPtr, PWSTR);
  2805. Length = wcslen(InsertionString);
  2806. while ( (Length > 0) && (InsertionString[Length-1] == L' '))
  2807. {
  2808. Length--;
  2809. }
  2811. if (((Length + 1) * sizeof(WCHAR)) > SizeOfStringData)
  2812. {
  2813. Length = (SizeOfStringData/sizeof(WCHAR)) - 1;
  2814. }
  2816. if (Length > 0)
  2817. {
  2818. RtlCopyMemory (StringOffset, InsertionString, Length*sizeof(WCHAR));
  2819. StringOffset += Length;
  2820. *StringOffset++ = L'\0';
  2822. SizeOfStringData -= (Length + 1) * sizeof(WCHAR);
  2824. ErrorLogEntry->NumberOfStrings += 1;
  2825. }
  2826. }
  2827. }
  2829. IoWriteErrorLogEntry(ErrorLogEntry);
  2831. return(STATUS_SUCCESS);
  2832. }
  2835. VOID
  2836. IPSecLogEvents(
  2837. IN PVOID Context
  2838. )
  2839. /*++
  2841. Routine Description:
  2843. Dumps events from the circular buffer to the eventlog when the
  2844. circular buffer overflows.
  2846. Arguments:
  2848. Context - unused.
  2850. Return Value:
  2852. None
  2854. --*/
  2855. {
  2856. PIPSEC_LOG_EVENT pLogEvent;
  2857. LONG LogSize;
  2858. PUCHAR pLog;
  2860. pLogEvent = (PIPSEC_LOG_EVENT)Context;
  2861. LogSize = 0;
  2862. pLog = (PUCHAR)pLogEvent + FIELD_OFFSET(IPSEC_LOG_EVENT, pLog[0]);
  2864. while (LogSize < pLogEvent->LogSize) {
  2865. PIPSEC_EVENT_CTX ctx = (PIPSEC_EVENT_CTX)pLog;
  2867. if (ctx->EventCode == EVENT_IPSEC_DROP_PACKET_INBOUND ||
  2868. ctx->EventCode == EVENT_IPSEC_DROP_PACKET_OUTBOUND) {
  2869. WCHAR IPAddrBufferS[(sizeof(IPAddr) * 4) + 1];
  2870. WCHAR IPAddrBufferD[(sizeof(IPAddr) * 4) + 1];
  2871. WCHAR IPProtocolBuffer[(sizeof(IPAddr) * 4) + 1];
  2872. WCHAR IPSPortBuffer[(sizeof(IPAddr) * 4) + 1];
  2873. WCHAR IPDPortBuffer[(sizeof(IPAddr) * 4) + 1];
  2875. PWCHAR stringlist[5];
  2876. IPHeader UNALIGNED *pIPH;
  2877. USHORT SrcPort=0;
  2878. USHORT DestPort=0;
  2879. ULONG HeaderLen;
  2881. pIPH = (IPHeader UNALIGNED *)ctx->pPacket;
  2882. HeaderLen=(pIPH->iph_verlen & (UCHAR)~IP_VER_FLAG) << 2;
  2883. IPSecIPAddrToUnicodeString( pIPH->iph_src,
  2884. IPAddrBufferS);
  2885. IPSecIPAddrToUnicodeString( pIPH->iph_dest,
  2886. IPAddrBufferD);
  2887. IPSecCountToUnicodeString ( pIPH->iph_protocol,
  2888. IPProtocolBuffer);
  2890. if (pIPH->iph_protocol == PROTOCOL_TCP ||
  2891. pIPH->iph_protocol == PROTOCOL_UDP) {
  2892. RtlCopyMemory(&SrcPort,&ctx->pPacket[HeaderLen],sizeof(USHORT));
  2893. RtlCopyMemory(&DestPort,&ctx->pPacket[HeaderLen+sizeof(USHORT)],sizeof(USHORT));
  2894. }
  2896. IPSecCountToUnicodeString ( NET_SHORT(SrcPort),
  2897. IPSPortBuffer);
  2899. IPSecCountToUnicodeString ( NET_SHORT(DestPort),
  2900. IPDPortBuffer);
  2902. IPSecWriteEvent(
  2903. g_ipsec.IPSecDriverObject,
  2904. ctx->EventCode,
  2905. ctx->DropStatus.IPSecStatus,
  2906. ctx->DropStatus.OffloadStatus,
  2907. ctx->DropStatus.Flags,
  2908. 0,
  2909. ctx->pPacket,
  2910. (USHORT)ctx->PacketSize,
  2911. 5,
  2912. IPAddrBufferS,
  2913. IPAddrBufferD,
  2914. IPProtocolBuffer,
  2915. IPSPortBuffer,
  2916. IPDPortBuffer);
  2918. } else if (ctx->Addr && ctx->EventCount > 0) {
  2919. WCHAR IPAddrBuffer[(sizeof(IPAddr) * 4) + 1];
  2920. WCHAR CountBuffer[MAX_COUNT_STRING_LEN + 1];
  2921. PWCHAR stringList[2];
  2923. IPSecIPAddrToUnicodeString( ctx->Addr,
  2924. IPAddrBuffer);
  2925. IPSecCountToUnicodeString( ctx->EventCount,
  2926. CountBuffer);
  2927. stringList[0] = CountBuffer;
  2928. stringList[1] = IPAddrBuffer;
  2929. LOG_EVENT(
  2930. g_ipsec.IPSecDriverObject,
  2931. ctx->EventCode,
  2932. ctx->UniqueEventValue,
  2933. 2,
  2934. stringList,
  2935. 0,
  2936. NULL);
  2937. } else if (ctx->Addr) {
  2938. WCHAR IPAddrBuffer[(sizeof(IPAddr) * 4) + 1];
  2939. PWCHAR stringList[1];
  2941. IPSecIPAddrToUnicodeString( ctx->Addr,
  2942. IPAddrBuffer);
  2943. stringList[0] = IPAddrBuffer;
  2944. LOG_EVENT(
  2945. g_ipsec.IPSecDriverObject,
  2946. ctx->EventCode,
  2947. ctx->UniqueEventValue,
  2948. 1,
  2949. stringList,
  2950. 0,
  2951. NULL);
  2952. } else {
  2953. LOG_EVENT(
  2954. g_ipsec.IPSecDriverObject,
  2955. ctx->EventCode,
  2956. ctx->UniqueEventValue,
  2957. 0,
  2958. NULL,
  2959. 0,
  2960. NULL);
  2961. }
  2963. if (ctx->pPacket) {
  2964. IPSecFreeLogBuffer(ctx->pPacket);
  2965. ctx->pPacket=NULL;
  2966. }
  2967. pLog += sizeof(IPSEC_EVENT_CTX);
  2968. LogSize += sizeof(IPSEC_EVENT_CTX);
  2969. }
  2971. IPSecFreeMemory(pLogEvent);
  2973. IPSEC_DECREMENT(g_ipsec.NumWorkers);
  2974. }
  2977. VOID
  2978. IPSecBufferEvent(
  2979. IN IPAddr Addr,
  2980. IN ULONG EventCode,
  2981. IN ULONG UniqueEventValue,
  2982. IN BOOLEAN fBufferEvent
  2983. )
  2984. /*++
  2986. Routine Description:
  2988. Buffers events in a circular buffer; dumps them to the eventlog when the
  2989. circular buffer overflows.
  2991. Arguments:
  2993. Addr - [OPTIONAL] the source IP addr of the offending peer.
  2995. EventCode - Identifies the error message.
  2997. UniqueEventValue - Identifies this instance of a given error message.
  2999. Return Value:
  3001. None
  3003. --*/
  3004. {
  3005. KIRQL kIrql;
  3007. if (!(g_ipsec.DiagnosticMode & IPSEC_DIAGNOSTIC_ENABLE_LOG)) {
  3008. return;
  3009. }
  3011. ACQUIRE_LOCK(&g_ipsec.EventLogLock, &kIrql);
  3013. if (fBufferEvent) {
  3014. PIPSEC_EVENT_CTX ctx;
  3016. g_ipsec.IPSecBufferedEvents++;
  3018. ctx = (PIPSEC_EVENT_CTX)g_ipsec.IPSecLogMemoryLoc;
  3019. ctx--;
  3020. while (ctx >= (PIPSEC_EVENT_CTX)g_ipsec.IPSecLogMemory) {
  3021. if (ctx->Addr == Addr &&
  3022. ctx->EventCode == EventCode &&
  3023. ctx->UniqueEventValue == UniqueEventValue) {
  3024. //
  3025. // Found a duplicate; update count and exit.
  3026. //
  3027. ctx->EventCount++;
  3029. if (g_ipsec.IPSecBufferedEvents >= g_ipsec.EventQueueSize) {
  3030. goto logit;
  3031. }
  3033. RELEASE_LOCK(&g_ipsec.EventLogLock, kIrql);
  3034. return;
  3035. }
  3036. ctx--;
  3037. }
  3038. }
  3040. ((PIPSEC_EVENT_CTX)g_ipsec.IPSecLogMemoryLoc)->Addr = Addr;
  3041. ((PIPSEC_EVENT_CTX)g_ipsec.IPSecLogMemoryLoc)->EventCode = EventCode;
  3042. ((PIPSEC_EVENT_CTX)g_ipsec.IPSecLogMemoryLoc)->UniqueEventValue = UniqueEventValue;
  3044. ((PIPSEC_EVENT_CTX)g_ipsec.IPSecLogMemoryLoc)->pPacket=NULL;
  3045. ((PIPSEC_EVENT_CTX)g_ipsec.IPSecLogMemoryLoc)->PacketSize=0;
  3048. if (fBufferEvent) {
  3049. ((PIPSEC_EVENT_CTX)g_ipsec.IPSecLogMemoryLoc)->EventCount = 1;
  3050. } else {
  3051. ((PIPSEC_EVENT_CTX)g_ipsec.IPSecLogMemoryLoc)->EventCount = 0;
  3052. }
  3054. g_ipsec.IPSecLogMemoryLoc += sizeof(IPSEC_EVENT_CTX);
  3056. logit:
  3057. if (!fBufferEvent ||
  3058. g_ipsec.IPSecLogMemoryLoc >= g_ipsec.IPSecLogMemoryEnd ||
  3059. g_ipsec.IPSecBufferedEvents >= g_ipsec.EventQueueSize) {
  3060. //
  3061. // Flush the logs.
  3062. //
  3063. IPSecQueueLogEvent();
  3064. }
  3066. RELEASE_LOCK(&g_ipsec.EventLogLock, kIrql);
  3067. }
  3070. NTSTATUS
  3071. CopyOutboundPacketToBuffer(
  3072. IN PUCHAR pIPHeader,
  3073. IN PVOID pData,
  3074. OUT PUCHAR * pPacket,
  3075. OUT ULONG * PacketSize
  3076. )
  3077. {
  3078. PNDIS_BUFFER pTemp;
  3079. ULONG Length;
  3080. ULONG dataLength=0;
  3081. IPHeader UNALIGNED *pIPH;
  3082. ULONG HeaderLen=0;
  3083. PUCHAR pBuffer;
  3084. ULONG CopyPos=0;
  3085. PUCHAR pPacketData;
  3087. pIPH = (IPHeader UNALIGNED *)pIPHeader;
  3089. pTemp = (PNDIS_BUFFER)pData;
  3091. while (pTemp) {
  3092. pBuffer = NULL;
  3093. Length = 0;
  3095. NdisQueryBufferSafe(pTemp,
  3096. &pBuffer,
  3097. &Length,
  3098. NormalPagePriority);
  3100. if (!pBuffer) {
  3101. return STATUS_UNSUCCESSFUL;
  3102. }
  3104. dataLength += Length;
  3106. pTemp = NDIS_BUFFER_LINKAGE(pTemp);
  3107. }
  3109. HeaderLen=(pIPH->iph_verlen & (UCHAR)~IP_VER_FLAG) << 2;
  3111. dataLength += HeaderLen;
  3113. if (dataLength > IPSEC_LOG_PACKET_SIZE) {
  3114. dataLength = IPSEC_LOG_PACKET_SIZE;
  3115. }
  3117. if (dataLength < sizeof(IPHeader)) {
  3118. // doesn't even have a full ip header
  3119. return STATUS_UNSUCCESSFUL;
  3120. }
  3121. if ((pIPH->iph_protocol == PROTOCOL_TCP) ||
  3122. (pIPH->iph_protocol == PROTOCOL_UDP)) {
  3123. if (dataLength - HeaderLen < 8) {
  3124. // not enough room for ports
  3125. return STATUS_UNSUCCESSFUL;
  3126. }
  3127. }
  3129. *pPacket = IPSecAllocateLogBuffer(dataLength);
  3130. if (! (*pPacket)) {
  3131. return STATUS_UNSUCCESSFUL;
  3132. }
  3133. *PacketSize=dataLength;
  3135. pTemp = (PNDIS_BUFFER)pData;
  3136. CopyPos=0;
  3138. while (pTemp && CopyPos < dataLength) {
  3139. IPSecQueryNdisBuf(pTemp,&pPacketData,&Length);
  3140. if (CopyPos + Length > dataLength) {
  3141. Length = (dataLength - CopyPos);
  3142. }
  3143. RtlCopyMemory(*pPacket+CopyPos,pPacketData,Length);
  3144. CopyPos += Length;
  3145. pTemp = NDIS_BUFFER_LINKAGE(pTemp);
  3146. }
  3148. return STATUS_SUCCESS;
  3149. }
  3152. //
  3153. // pData is data after IPHeader, IPRcvBuf.
  3154. //
  3156. NTSTATUS
  3157. CopyInboundPacketToBuffer(
  3158. IN PUCHAR pIPHeader,
  3159. IN PVOID pData,
  3160. OUT PUCHAR * pPacket,
  3161. OUT ULONG * PacketSize
  3162. )
  3163. {
  3164. IPRcvBuf *pTemp;
  3165. ULONG Length;
  3166. ULONG dataLength=0;
  3167. IPHeader UNALIGNED *pIPH;
  3168. ULONG HeaderLen=0;
  3169. PUCHAR pBuffer;
  3170. ULONG CopyPos=0;
  3171. PUCHAR pPacketData;
  3173. pIPH = (IPHeader UNALIGNED *)pIPHeader;
  3175. pTemp = (IPRcvBuf*)pData;
  3177. while (pTemp) {
  3178. pBuffer = NULL;
  3179. Length = 0;
  3181. IPSecQueryRcvBuf(pTemp,
  3182. &pBuffer,
  3183. &Length);
  3185. if (!pBuffer) {
  3186. return STATUS_UNSUCCESSFUL;
  3187. }
  3189. dataLength += Length;
  3191. pTemp = IPSEC_BUFFER_LINKAGE(pTemp);
  3192. }
  3194. HeaderLen=(pIPH->iph_verlen & (UCHAR)~IP_VER_FLAG) << 2;
  3196. dataLength += HeaderLen;
  3198. if (dataLength > IPSEC_LOG_PACKET_SIZE) {
  3199. dataLength = IPSEC_LOG_PACKET_SIZE;
  3200. }
  3202. // Sanity check length
  3203. if (dataLength < sizeof(IPHeader)) {
  3204. // doesn't even have a full ip header
  3205. return STATUS_UNSUCCESSFUL;
  3206. }
  3207. if ((pIPH->iph_protocol == PROTOCOL_TCP) ||
  3208. (pIPH->iph_protocol == PROTOCOL_UDP)) {
  3209. if (dataLength - HeaderLen < 8) {
  3210. // not enough room for ports
  3211. return STATUS_UNSUCCESSFUL;
  3212. }
  3213. }
  3215. *pPacket = IPSecAllocateLogBuffer(dataLength);
  3216. if (! (*pPacket)) {
  3217. return STATUS_UNSUCCESSFUL;
  3218. }
  3219. *PacketSize=dataLength;
  3221. pTemp = (IPRcvBuf*)pData;
  3223. RtlCopyMemory(*pPacket,pIPH,HeaderLen);
  3224. CopyPos=HeaderLen;
  3226. while (pTemp && CopyPos < dataLength) {
  3227. IPSecQueryRcvBuf(pTemp,&pPacketData,&Length);
  3228. if (CopyPos + Length > dataLength) {
  3229. Length = (dataLength - CopyPos);
  3230. }
  3231. RtlCopyMemory(*pPacket+CopyPos,pPacketData,Length);
  3232. CopyPos += Length;
  3233. pTemp = IPSEC_BUFFER_LINKAGE(pTemp);
  3234. }
  3236. return STATUS_SUCCESS;
  3237. }
  3240. VOID
  3241. IPSecBufferPacketDrop(
  3242. IN PUCHAR pIPHeader,
  3243. IN PVOID pData,
  3244. IN OUT PULONG pIpsecFlags,
  3245. IN PIPSEC_DROP_STATUS pDropStatus
  3246. )
  3247. /*++
  3249. Routine Description:
  3251. Buffers events in a circular buffer; dumps them to the eventlog when the
  3252. circular buffer overflows.
  3254. Arguments:
  3256. EventCode - Identifies the error message.
  3258. Return Value:
  3260. None
  3262. --*/
  3263. {
  3264. KIRQL kIrql;
  3265. PIPSEC_EVENT_CTX ctx;
  3266. IPHeader UNALIGNED *pIPH;
  3267. PNDIS_BUFFER pTemp;
  3268. PUCHAR pPacket=NULL;
  3269. ULONG PacketSize=0;
  3270. ULONG Status;
  3271. BOOL bLockHeld=FALSE;
  3274. pIPH = (IPHeader UNALIGNED *)pIPHeader;
  3276. if (*pIpsecFlags & IPSEC_FLAG_INCOMING) {
  3277. if (!(g_ipsec.DiagnosticMode & IPSEC_DIAGNOSTIC_INBOUND)) {
  3278. // Don't log
  3279. goto out;
  3280. }
  3281. Status=CopyInboundPacketToBuffer(pIPHeader,
  3282. pData,
  3283. &pPacket,
  3284. &PacketSize);
  3285. } else {
  3286. if (!(g_ipsec.DiagnosticMode & IPSEC_DIAGNOSTIC_OUTBOUND)) {
  3287. //Don't log
  3288. goto out;
  3289. }
  3290. Status=CopyOutboundPacketToBuffer(pIPHeader,
  3291. pData,
  3292. &pPacket,
  3293. &PacketSize);
  3294. }
  3296. if (Status != STATUS_SUCCESS) {
  3297. goto out;
  3298. }
  3300. ACQUIRE_LOCK(&g_ipsec.EventLogLock, &kIrql);
  3301. bLockHeld=TRUE;
  3303. g_ipsec.IPSecBufferedEvents++;
  3305. ctx = (PIPSEC_EVENT_CTX)g_ipsec.IPSecLogMemoryLoc;
  3306. ctx--;
  3308. ((PIPSEC_EVENT_CTX)g_ipsec.IPSecLogMemoryLoc)->Addr=pIPH->iph_src;
  3310. if (*pIpsecFlags & IPSEC_FLAG_INCOMING) {
  3311. ((PIPSEC_EVENT_CTX)g_ipsec.IPSecLogMemoryLoc)->EventCode = EVENT_IPSEC_DROP_PACKET_INBOUND;
  3312. } else {
  3313. ((PIPSEC_EVENT_CTX)g_ipsec.IPSecLogMemoryLoc)->EventCode = EVENT_IPSEC_DROP_PACKET_OUTBOUND;
  3314. }
  3315. ((PIPSEC_EVENT_CTX)g_ipsec.IPSecLogMemoryLoc)->EventCount = 1;
  3318. ((PIPSEC_EVENT_CTX)g_ipsec.IPSecLogMemoryLoc)->pPacket = pPacket;
  3319. ((PIPSEC_EVENT_CTX)g_ipsec.IPSecLogMemoryLoc)->PacketSize = PacketSize;
  3321. if (pDropStatus) {
  3322. RtlCopyMemory(&(((PIPSEC_EVENT_CTX)g_ipsec.IPSecLogMemoryLoc)->DropStatus),
  3323. pDropStatus,sizeof(IPSEC_DROP_STATUS));
  3324. } else {
  3325. RtlZeroMemory(&(((PIPSEC_EVENT_CTX)g_ipsec.IPSecLogMemoryLoc)->DropStatus),
  3326. sizeof(IPSEC_DROP_STATUS));
  3327. }
  3329. g_ipsec.IPSecLogMemoryLoc += sizeof(IPSEC_EVENT_CTX);
  3332. if (g_ipsec.IPSecLogMemoryLoc >= g_ipsec.IPSecLogMemoryEnd ||
  3333. g_ipsec.IPSecBufferedEvents >= g_ipsec.EventQueueSize) {
  3334. //
  3335. // Flush the logs.
  3336. //
  3337. IPSecQueueLogEvent();
  3338. }
  3340. out:
  3341. if (bLockHeld) {
  3342. RELEASE_LOCK(&g_ipsec.EventLogLock, kIrql);
  3343. }
  3344. }
  3347. VOID
  3348. IPSecQueueLogEvent(
  3349. VOID
  3350. )
  3351. /*++
  3353. Routine Description:
  3355. Copies the LogMemory to a temporary buffer and schedule an event to
  3356. flush logs.
  3358. Arguments:
  3360. None
  3362. Return Value:
  3364. None
  3366. Notes:
  3368. Called with EventLogLock held.
  3370. --*/
  3371. {
  3372. PIPSEC_LOG_EVENT pLogEvent;
  3373. LONG LogSize;
  3374. PUCHAR pLog;
  3376. LogSize = (LONG)(g_ipsec.IPSecLogMemoryLoc - g_ipsec.IPSecLogMemory);
  3378. //
  3379. // Reset the log memory so we can record again.
  3380. //
  3381. g_ipsec.IPSecLogMemoryLoc = g_ipsec.IPSecLogMemory;
  3382. g_ipsec.IPSecBufferedEvents = 0;
  3384. if (LogSize <= 0) {
  3385. ASSERT(FALSE);
  3386. return;
  3387. }
  3389. pLogEvent = IPSecAllocateMemory(LogSize + FIELD_OFFSET(IPSEC_LOG_EVENT, pLog[0]),
  3390. IPSEC_TAG_EVT_QUEUE);
  3392. if (!pLogEvent) {
  3393. return;
  3394. }
  3396. pLogEvent->LogSize = LogSize;
  3398. pLog = (PUCHAR)pLogEvent + FIELD_OFFSET(IPSEC_LOG_EVENT, pLog[0]);
  3399. RtlCopyMemory(pLog, g_ipsec.IPSecLogMemory, LogSize);
  3401. //
  3402. // Queue work item to dump these into the eventlog.
  3403. //
  3404. ExInitializeWorkItem(&pLogEvent->LogQueueItem, IPSecLogEvents, pLogEvent);
  3405. ExQueueWorkItem(&pLogEvent->LogQueueItem, DelayedWorkQueue);
  3407. IPSEC_INCREMENT(g_ipsec.NumWorkers);
  3408. }
  3411. #if FIPS
  3412. BOOLEAN
  3413. IPSecFipsInitialize(
  3414. VOID
  3415. )
  3416. /*++
  3418. Routine Description:
  3420. Initialize the FIPS library table.
  3422. Arguments:
  3424. Called at PASSIVE level.
  3426. Return Value:
  3428. TRUE/FALSE.
  3430. --*/
  3431. {
  3432. UNICODE_STRING DeviceName;
  3433. PDEVICE_OBJECT pFipsDeviceObject = NULL;
  3434. PIRP pIrp;
  3435. IO_STATUS_BLOCK StatusBlock;
  3436. KEVENT Event;
  3437. NTSTATUS status;
  3439. PAGED_CODE();
  3441. //
  3442. // Return success if FIPS already initialized.
  3443. //
  3444. if (IPSEC_DRIVER_INIT_FIPS()) {
  3445. return TRUE;
  3446. }
  3448. RtlInitUnicodeString(&DeviceName, FIPS_DEVICE_NAME);
  3450. //
  3451. // Get the file and device objects for FIPS.
  3452. //
  3453. status = IoGetDeviceObjectPointer( &DeviceName,
  3454. FILE_ALL_ACCESS,
  3455. &g_ipsec.FipsFileObject,
  3456. &pFipsDeviceObject);
  3458. if (!NT_SUCCESS(status)) {
  3459. g_ipsec.FipsFileObject = NULL;
  3460. return FALSE;
  3461. }
  3463. //
  3464. // Build the request to send to FIPS to get library table.
  3465. //
  3466. KeInitializeEvent(&Event, SynchronizationEvent, FALSE);
  3468. pIrp = IoBuildDeviceIoControlRequest( IOCTL_FIPS_GET_FUNCTION_TABLE,
  3469. pFipsDeviceObject,
  3470. NULL,
  3471. 0,
  3472. &g_ipsec.FipsFunctionTable,
  3473. sizeof(FIPS_FUNCTION_TABLE),
  3474. FALSE,
  3475. &Event,
  3476. &StatusBlock);
  3478. if (pIrp == NULL) {
  3479. IPSEC_DEBUG(LL_A, DBF_LOAD, ("IoBuildDeviceIoControlRequest IOCTL_FIPS_GET_FUNCTION_TABLE failed."));
  3481. ObDereferenceObject(g_ipsec.FipsFileObject);
  3482. g_ipsec.FipsFileObject = NULL;
  3484. return FALSE;
  3485. }
  3487. status = IoCallDriver(pFipsDeviceObject, pIrp);
  3489. if (status == STATUS_PENDING) {
  3490. status = KeWaitForSingleObject( &Event,
  3491. Executive,
  3492. KernelMode,
  3493. FALSE,
  3494. NULL);
  3495. if (status == STATUS_SUCCESS) {
  3496. status = StatusBlock.Status;
  3497. }
  3498. }
  3500. if (status != STATUS_SUCCESS) {
  3501. IPSEC_DEBUG(LL_A, DBF_LOAD, ("IoCallDriver: IOCTL_FIPS_GET_FUNCTION_TABLE failed %#x", status));
  3503. ObDereferenceObject(g_ipsec.FipsFileObject);
  3504. g_ipsec.FipsFileObject = NULL;
  3506. return FALSE;
  3507. }
  3509. IPSEC_DRIVER_INIT_FIPS() = TRUE;
  3511. return TRUE;
  3512. }
  3513. #endif
  3516. BOOLEAN
  3517. IPSecCryptoInitialize(
  3518. VOID
  3519. )
  3520. /*++
  3522. Routine Description:
  3524. Initialize RNG and FIPS library table.
  3526. Arguments:
  3528. None
  3530. Return Value:
  3532. TRUE/FALSE
  3534. --*/
  3535. {
  3536. PAGED_CODE();
  3538. if (IPSEC_DRIVER_INIT_CRYPTO()) {
  3539. return TRUE;
  3540. }
  3542. #if FIPS
  3543. //
  3544. // Init the FIPS crypto library.
  3545. //
  3546. if (!IPSecFipsInitialize()) {
  3547. return FALSE;
  3548. }
  3549. #endif
  3551. //
  3552. // Init the RC4 key for RNG.
  3553. //
  3554. if (!IPSEC_DRIVER_INIT_RNG()) {
  3555. InitializeRNG(NULL);
  3557. if (!IPSecInitRandom()) {
  3558. ShutdownRNG(NULL);
  3559. return FALSE;
  3560. }
  3562. IPSEC_DRIVER_INIT_RNG() = TRUE;
  3563. }
  3565. IPSEC_DRIVER_INIT_CRYPTO() = TRUE;
  3567. return TRUE;
  3568. }
  3571. BOOLEAN
  3572. IPSecCryptoDeinitialize(
  3573. VOID
  3574. )
  3575. /*++
  3577. Routine Description:
  3579. Deinitialize RNG and dereference FipsFileObject.
  3581. Arguments:
  3583. None
  3585. Return Value:
  3587. TRUE/FALSE
  3589. --*/
  3590. {
  3591. PAGED_CODE();
  3593. //
  3594. // Don't forget to shutdown RNG or we will leak memory.
  3595. //
  3596. if (IPSEC_DRIVER_INIT_RNG()) {
  3597. ShutdownRNG(NULL);
  3598. }
  3600. #if FIPS
  3601. //
  3602. // Dereference FipsFileObject.
  3603. //
  3604. if (g_ipsec.FipsFileObject) {
  3605. ObDereferenceObject(g_ipsec.FipsFileObject);
  3606. }
  3607. #endif
  3609. return TRUE;
  3610. }
  3613. NTSTATUS
  3614. IPSecRegisterProtocols(
  3615. PIPSEC_REGISTER_PROTOCOL pIpsecRegisterProtocol
  3616. )
  3617. {
  3618. KIRQL kIrql = 0;
  3620. if (pIpsecRegisterProtocol->RegisterProtocol == IPSEC_REGISTER_PROTOCOLS) {
  3621. if (!IPSEC_GET_VALUE(gdwInitEsp)) {
  3622. if (TCPIP_REGISTER_PROTOCOL(
  3623. PROTOCOL_ESP,
  3624. NULL,
  3625. NULL,
  3626. IPSecESPStatus,
  3627. NULL,
  3628. NULL,
  3629. NULL
  3630. )) {
  3631. IPSEC_SET_VALUE(gdwInitEsp, 1);
  3632. }
  3633. else {
  3634. ASSERT(FALSE);
  3635. return (STATUS_INSUFFICIENT_RESOURCES);
  3636. }
  3637. }
  3638. if (!IPSEC_GET_VALUE(gdwInitAh)) {
  3639. if (TCPIP_REGISTER_PROTOCOL(
  3640. PROTOCOL_AH,
  3641. NULL,
  3642. NULL,
  3643. IPSecAHStatus,
  3644. NULL,
  3645. NULL,
  3646. NULL
  3647. )) {
  3648. IPSEC_SET_VALUE(gdwInitAh, 1);
  3649. }
  3650. else {
  3651. ASSERT(FALSE);
  3652. TCPIP_DEREGISTER_PROTOCOL(PROTOCOL_ESP);
  3653. IPSEC_SET_VALUE(gdwInitEsp, 0);
  3654. return (STATUS_INSUFFICIENT_RESOURCES);
  3655. }
  3656. }
  3657. }
  3658. else if (pIpsecRegisterProtocol->RegisterProtocol == IPSEC_DEREGISTER_PROTOCOLS) {
  3659. if (IPSEC_GET_VALUE(gdwInitEsp)) {
  3660. TCPIP_DEREGISTER_PROTOCOL(PROTOCOL_ESP);
  3661. IPSEC_SET_VALUE(gdwInitEsp, 0);
  3662. }
  3663. if (IPSEC_GET_VALUE(gdwInitAh)) {
  3664. TCPIP_DEREGISTER_PROTOCOL(PROTOCOL_AH);
  3665. IPSEC_SET_VALUE(gdwInitAh, 0);
  3666. }
  3667. AcquireWriteLock(&g_ipsec.SADBLock, &kIrql);
  3668. ASSERT (gpParserIfEntry == NULL);
  3669. FlushAllParserEntries();
  3670. ReleaseWriteLock(&g_ipsec.SADBLock, kIrql);
  3671. }
  3672. else {
  3673. return (STATUS_INVALID_PARAMETER);
  3674. }
  3676. return (STATUS_SUCCESS);
  3677. }
  3681. VOID IPSecCleanupBoottimeStatefulStructs(VOID)
  3682. {
  3683. KIRQL kIrql;
  3684. IPSEC_DEBUG(LL_A,DBF_BOOTTIME,
  3685. ("Number of connections %d",
  3686. g_ipsec.BootBufferPool->ulEntriesUsed));
  3689. AcquireWriteLock(&g_ipsec.SADBLock,&kIrql);
  3690. //Release memory used for the boottime stateful
  3691. //mode operation
  3692. if (g_ipsec.BootStatefulHT){
  3693. IPSecFreeMemory(g_ipsec.BootStatefulHT);
  3694. g_ipsec.BootStatefulHT = NULL;
  3695. }
  3696. if (g_ipsec.BootBufferPool){
  3697. IPSecFreeMemory(g_ipsec.BootBufferPool);
  3698. g_ipsec.BootBufferPool = NULL;
  3699. }
  3700. //Let the exemptlist hang around
  3701. //We will use it only if someone
  3702. //moves us back into block mode.
  3703. //We dont expect it to be too big
  3704. //anyway.
  3705. ReleaseWriteLock(&g_ipsec.SADBLock, kIrql);
  3707. }
  3710. VOID IPSecLogBootOperationMode(VOID)
  3711. {
  3712. NDIS_STATUS status;
  3713. switch (g_ipsec.OperationMode){
  3714. case IPSEC_BOOTTIME_STATEFUL_MODE:
  3715. status= LOG_EVENT(
  3716. g_ipsec.IPSecDriverObject,
  3717. EVENT_IPSEC_BOOT_STATEFUL_MODE,
  3718. 1,
  3719. 0,
  3720. NULL,
  3721. 0,
  3722. NULL);
  3723. break;
  3724. case IPSEC_BYPASS_MODE:
  3725. case IPSEC_SECURE_MODE:
  3726. status = LOG_EVENT(
  3727. g_ipsec.IPSecDriverObject,
  3728. EVENT_IPSEC_BOOT_BYPASS_MODE,
  3729. 1,
  3730. 0,
  3731. NULL,
  3732. 0,
  3733. NULL);
  3734. break;
  3735. case IPSEC_BLOCK_MODE:
  3736. status = LOG_EVENT(
  3737. g_ipsec.IPSecDriverObject,
  3738. EVENT_IPSEC_BOOT_BLOCK_MODE,
  3739. 1,
  3740. 0,
  3741. NULL,
  3742. 0,
  3743. NULL);
  3744. break;
  3745. default:
  3746. break;
  3747. }
  3748. IPSEC_DEBUG(LL_A,DBF_BOOTTIME,("Boot Operation Mode = %d\n",g_ipsec.OperationMode));
  3749. }
  3752. VOID IPSecLogChangeOperationMode(VOID)
  3753. {
  3754. switch (g_ipsec.OperationMode){
  3755. case IPSEC_BLOCK_MODE:
  3756. LOG_EVENT(
  3757. g_ipsec.IPSecDriverObject,
  3758. EVENT_IPSEC_SET_BLOCK_MODE,
  3759. 1,
  3760. 0,
  3761. NULL,
  3762. 0,
  3763. NULL);
  3764. break;
  3765. case IPSEC_SECURE_MODE:
  3766. LOG_EVENT(
  3767. g_ipsec.IPSecDriverObject,
  3768. EVENT_IPSEC_SET_SECURE_MODE,
  3769. 1,
  3770. 0,
  3771. NULL,
  3772. 0,
  3773. NULL);
  3774. break;
  3775. case IPSEC_BYPASS_MODE:
  3776. LOG_EVENT(
  3777. g_ipsec.IPSecDriverObject,
  3778. EVENT_IPSEC_SET_BYPASS_MODE,
  3779. 1,
  3780. 0,
  3781. NULL,
  3782. 0,
  3783. NULL);
  3784. break;
  3785. default:
  3786. break;
  3787. }
  3788. }