/*++
Copyright (c) 1997-2001 Microsoft Corporation
Module Name:
ipsec.h
Abstract:
Generic include file used by components to access the IPSEC driver. Contains the SAAPI IOCTLs and the structures relevant to them.
Author:
Sanjay Anand (SanjayAn) 2-January-1997
Environment:
Kernel mode
Revision History:
--*/ #ifndef _IPSEC_H
#define _IPSEC_H
#include <windef.h>
#include <winipsec.h>
//
// NOTE: all addresses are expected in Network byte order
//
// IPv4 address and netmask as exchanged with the driver; both are carried in
// network byte order (see the note above).
// NOTE(review): these rely on the Windows LLP64 ABI, where unsigned long is
// 32 bits. On an LP64 platform the type would be 8 bytes and no longer match
// a 4-byte IPv4 address - confirm before reusing this header elsewhere.
typedef unsigned long IPAddr;
typedef unsigned long IPMask;
//
// This should go into a global header
//
// Object-manager name of the IPSEC device object.
#define DD_IPSEC_DEVICE_NAME L"\\Device\\IPSEC"
// Symbolic link under \DosDevices through which the device is opened.
#define DD_IPSEC_SYM_NAME L"\\DosDevices\\IPSECDev"
// The same link in Win32 device-namespace form (\\.\IPSECDev).
#define DD_IPSEC_DOS_NAME L"\\\\.\\IPSECDev"
//
// This is the name of the event that will be signaled after any policy changes have been applied.
//
// Name of the event signaled after policy changes have been applied (see above).
// NOTE(review): the name is unqualified (no object-directory prefix), so which
// namespace it is created in depends on the creator; a named event that an
// unprivileged process can create first is a classic squatting point -
// confirm that the creating component secures the object.
#define IPSEC_POLICY_CHANGE_NOTIFY L"IPSEC_POLICY_CHANGE_NOTIFY"
//
// IOCTL code definitions and related structures
// All the IOCTLs are synchronous and need administrator privilege
//
// All IPSEC control codes are defined in the FILE_DEVICE_NETWORK device-type space.
#define FSCTL_IPSEC_BASE FILE_DEVICE_NETWORK
// Builds a control code from a function number, buffer-transfer method and the
// access the caller's handle must have been opened with.
// NOTE(review): the name starts with '_' followed by an uppercase letter, which
// C reserves for the implementation; kept unchanged for compatibility.
#define _IPSEC_CTL_CODE(function, method, access) \
CTL_CODE(FSCTL_IPSEC_BASE, function, method, access)
//
// Security Association/Policy APIs implemented as Ioctls
//
// Function numbers 0-17 are part of the user/kernel contract and must not be
// renumbered: the SAAPI callers compile them in.
//
// The access argument is the only access check visible in this header: it is
// what the I/O manager requires of the caller's handle before the driver sees
// the request. The administrator-only requirement stated above therefore has
// to come from the device object's security descriptor and/or the driver's
// dispatch routine, neither of which is shown here - confirm in the driver.
//
// Filter management (input structures: IPSEC_ADD_FILTER / IPSEC_DELETE_FILTER).
#define IOCTL_IPSEC_ADD_FILTER \
_IPSEC_CTL_CODE(0, METHOD_BUFFERED, FILE_WRITE_ACCESS)
#define IOCTL_IPSEC_DELETE_FILTER \
_IPSEC_CTL_CODE(1, METHOD_BUFFERED, FILE_WRITE_ACCESS)
// SA negotiation hand-off (IPSEC_POST_FOR_ACQUIRE_SA / IPSEC_POST_EXPIRE_NOTIFY).
#define IOCTL_IPSEC_POST_FOR_ACQUIRE_SA \
_IPSEC_CTL_CODE(2, METHOD_BUFFERED, FILE_WRITE_ACCESS)
// SA lifecycle (IPSEC_GET_SPI, IPSEC_ADD_UPDATE_SA, IPSEC_DELETE_SA, IPSEC_EXPIRE_SA).
#define IOCTL_IPSEC_GET_SPI \
_IPSEC_CTL_CODE(3, METHOD_BUFFERED, FILE_WRITE_ACCESS)
#define IOCTL_IPSEC_UPDATE_SA \
_IPSEC_CTL_CODE(4, METHOD_BUFFERED, FILE_WRITE_ACCESS)
#define IOCTL_IPSEC_ADD_SA \
_IPSEC_CTL_CODE(5, METHOD_BUFFERED, FILE_WRITE_ACCESS)
#define IOCTL_IPSEC_DELETE_SA \
_IPSEC_CTL_CODE(6, METHOD_BUFFERED, FILE_WRITE_ACCESS)
#define IOCTL_IPSEC_EXPIRE_SA \
_IPSEC_CTL_CODE(7, METHOD_BUFFERED, FILE_WRITE_ACCESS)
// Enumeration. METHOD_OUT_DIRECT hands the driver the caller's output buffer
// directly (MDL-mapped), so the driver must bound NumEntries by the actual
// output buffer length rather than trusting the count in the header.
// NOTE(review): ENUM_SAS requires only FILE_ANY_ACCESS, like the QUERY_* codes
// below, while ENUM_FILTERS requires FILE_WRITE_ACCESS - possibly intentional,
// worth confirming since it decides which handles may read SA state.
#define IOCTL_IPSEC_ENUM_SAS \
_IPSEC_CTL_CODE(8, METHOD_OUT_DIRECT, FILE_ANY_ACCESS)
#define IOCTL_IPSEC_ENUM_FILTERS \
_IPSEC_CTL_CODE(9, METHOD_OUT_DIRECT, FILE_WRITE_ACCESS)
// Queries (IPSEC_QUERY_EXPORT, IPSEC_QUERY_STATS, IPSEC_QUERY_SPI).
#define IOCTL_IPSEC_QUERY_EXPORT \
_IPSEC_CTL_CODE(10, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_IPSEC_QUERY_STATS \
_IPSEC_CTL_CODE(11, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_IPSEC_QUERY_SPI \
_IPSEC_CTL_CODE(12, METHOD_BUFFERED, FILE_ANY_ACCESS)
// Driver state (IPSEC_SET_OPERATION_MODE / IPSEC_GET_OPERATION_MODE,
// IPSEC_SET_TCPIP_STATUS, IPSEC_REGISTER_PROTOCOL, IPSEC_SET_DIAGNOSTIC_MODE).
#define IOCTL_IPSEC_SET_OPERATION_MODE \
_IPSEC_CTL_CODE(13, METHOD_BUFFERED, FILE_WRITE_ACCESS)
#define IOCTL_IPSEC_SET_TCPIP_STATUS \
_IPSEC_CTL_CODE(14, METHOD_BUFFERED, FILE_WRITE_ACCESS)
#define IOCTL_IPSEC_REGISTER_PROTOCOL \
_IPSEC_CTL_CODE(15, METHOD_BUFFERED, FILE_WRITE_ACCESS)
// Note that GET_OPERATION_MODE, unlike the QUERY_* codes, requires a handle
// opened for write.
#define IOCTL_IPSEC_GET_OPERATION_MODE \
_IPSEC_CTL_CODE(16, METHOD_BUFFERED, FILE_WRITE_ACCESS)
#define IOCTL_IPSEC_SET_DIAGNOSTIC_MODE \
_IPSEC_CTL_CODE(17, METHOD_BUFFERED, FILE_WRITE_ACCESS)
//
// Structures to go with the ioctls above
//
// Bit values for the Flags member of IPSEC_FILTER. Each is a distinct bit, so
// they may be combined; a driver receiving these from a caller should reject
// any bit it does not define.
#define FILTER_FLAGS_PASS_THRU 0x0001
#define FILTER_FLAGS_DROP 0x0002
#define FILTER_FLAGS_INBOUND 0x0004
#define FILTER_FLAGS_OUTBOUND 0x0008
#define FILTER_FLAGS_MANUAL 0x0010
// Flags for DestType in acquire
// Values for the DestType member of IPSEC_POST_FOR_ACQUIRE_SA: broadcast and
// multicast destinations. Defined as separate bits.
#define IPSEC_BCAST 0x1
#define IPSEC_MCAST 0x2
//
// Special constants for ExType member of _IPSEC_FILTER
//
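// Values for the ExType member of IPSEC_FILTER. The low bits select which kind
// of special address the filter refers to; hex prefixes are normalised to
// lowercase for consistency with the rest of the header (values unchanged).
#define EXT_NORMAL 0x00
#define EXT_DNS_SERVER 0x01
#define EXT_WINS_SERVER 0x02
#define EXT_DHCP_SERVER 0x03
#define EXT_DEFAULT_GATEWAY 0x04
// EXT_DEST is OR-ed with one of the values above to state that the
// destination address is the special address. When it is absent, the source
// address is the special address.
#define EXT_DEST 0x80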
//
// for IOCTL_IPSEC_ADD_FILTER
//
// Filter specification for IOCTL_IPSEC_ADD_FILTER; also embedded in the SA,
// acquire and SPI-query structures below. Addresses are in network byte order
// (see IPAddr).
// NOTE(review): only the addresses are documented as network order; the byte
// order of the port members is not stated in this header - confirm with callers.
typedef struct _IPSEC_FILTER {
    IPAddr SrcAddr;        // source address
    IPMask SrcMask;        // mask applied to SrcAddr
    IPAddr DestAddr;       // destination address
    IPMask DestMask;       // mask applied to DestAddr
    IPAddr TunnelAddr;     // tunnel endpoint address
    DWORD Protocol;        // presumably the IP protocol number - confirm
    WORD SrcPort;
    WORD DestPort;
    BOOLEAN TunnelFilter;  // TRUE => tunnel filter (see IPSEC_POST_FOR_ACQUIRE_SA)
    UCHAR ExType;          // EXT_* value, optionally OR-ed with EXT_DEST
    WORD Flags;            // FILTER_FLAGS_* bits
} IPSEC_FILTER, *PIPSEC_FILTER;
// One filter entry as exchanged with the driver: its identifiers, its position
// hint and the filter itself.
typedef struct _IPSEC_FILTER_INFO {
    GUID FilterId;                 // unique identifier to identify a filter
    GUID PolicyId;                 // unique identifier to identify a policy entry
    ULONG Index;                   // hint on where this entry fits in the ordered list of filters
    IPSEC_FILTER AssociatedFilter; // the filter this entry describes
} IPSEC_FILTER_INFO, *PIPSEC_FILTER_INFO;
// Input buffer for IOCTL_IPSEC_ADD_FILTER. Variable length: pInfo[1] is a
// placeholder for the first of NumEntries consecutive IPSEC_FILTER_INFO
// entries, so the buffer is presumably sized as
// sizeof(IPSEC_ADD_FILTER) + (NumEntries - 1) * sizeof(IPSEC_FILTER_INFO).
// The driver must validate NumEntries against the input buffer length it was
// actually given rather than trusting the count.
typedef struct _IPSEC_ADD_FILTER {
    DWORD NumEntries;          // number of entries in pInfo
    IPSEC_FILTER_INFO pInfo[1]; // first entry; further entries follow in the buffer
} IPSEC_ADD_FILTER, *PIPSEC_ADD_FILTER;
//
// for IOCTL_IPSEC_DELETE_FILTER
//
// IOCTL_IPSEC_DELETE_FILTER takes exactly the same buffer layout as ADD_FILTER
// (including the NumEntries / input-length validation concern).
typedef IPSEC_ADD_FILTER IPSEC_DELETE_FILTER, *PIPSEC_DELETE_FILTER;
//
// for IOCTL_IPSEC_ENUM_FILTERS
//
// Output buffer for IOCTL_IPSEC_ENUM_FILTERS (METHOD_OUT_DIRECT). The caller
// states how many entries fit; the driver reports how many exist. Since the
// buffer is caller-supplied, the driver must derive the usable capacity from
// the output buffer length, not from NumEntries alone.
typedef struct _IPSEC_ENUM_FILTERS {
    DWORD NumEntries;           // num entries for which there is space
    DWORD NumEntriesPresent;    // num entries actually present in the driver
    IPSEC_FILTER_INFO pInfo[1]; // first returned entry; further entries follow
} IPSEC_ENUM_FILTERS, *PIPSEC_ENUM_FILTERS;
//
// for IOCTL_IPSEC_QUERY_STATS
//
// Output of IOCTL_IPSEC_QUERY_STATS. IPSEC_STATISTICS is not declared in this
// file (presumably it comes from winipsec.h).
typedef IPSEC_STATISTICS IPSEC_QUERY_STATS, *PIPSEC_QUERY_STATS;
//
// for IOCTL_IPSEC_SET_OPERATION_MODE
// & IOCTL_IPSEC_GET_OPERATION_MODE
//
// Driver-wide operation mode exchanged through IOCTL_IPSEC_SET_OPERATION_MODE
// and IOCTL_IPSEC_GET_OPERATION_MODE. Values are spelled out because they cross
// the user/kernel boundary. IPSEC_OPERATION_MODE_MAX is one past the last
// valid mode; the driver should reject any OperationMode >= it.
typedef enum _OPERATION_MODE {
    IPSEC_BYPASS_MODE = 0,
    IPSEC_BLOCK_MODE = 1,
    IPSEC_SECURE_MODE = 2,
    IPSEC_BOOTTIME_STATEFUL_MODE = 3,
    IPSEC_OPERATION_MODE_MAX = 4
} OPERATION_MODE;
// Defines the forwarding behavior to apply in boot and boot-time stateful mode.
// Forwarding behaviour while the driver is in boot / boot-time stateful mode.
// IPSEC_FORWARD_MAX is one past the last valid value and bounds input checks.
typedef enum _IPSEC_FORWARDING_BEHAVIOR {
    IPSEC_FORWARD_BYPASS = 0,
    IPSEC_FORWARD_BLOCK = 1,
    IPSEC_FORWARD_MAX = 2
} IPSEC_FORWARDING_BEHAVIOR;
// Following defines and structs
// for boot time security
// Boot-time exemption entries (IPSEC_EXEMPT_ENTRY below).
// Direction bits; defined as separate bits so both may be set.
#define EXEMPT_DIRECTION_INBOUND 0x1
#define EXEMPT_DIRECTION_OUTBOUND 0x2
// Value for the Type member. Only this one type is defined here.
#define EXEMPT_TYPE_PDP 0x1
// One boot-time exemption: traffic matching it is exempt from the boot-time
// blocking behaviour. How a list of these is delivered to the driver is not
// shown in this header.
typedef struct _IPSEC_EXEMPT_ENTRY {
    ULONG Type;        // EXEMPT_TYPE_* value
    ULONG Size;        // presumably the size of this entry in bytes - confirm
    BYTE Protocol;     // IP protocol number (presumably)
    BYTE Direction;    // EXEMPT_DIRECTION_* bits
    USHORT SrcPort;
    USHORT DestPort;
    USHORT Reserved;   // explicit padding; should be zeroed by the writer
} IPSEC_EXEMPT_ENTRY, *PIPSEC_EXEMPT_ENTRY;
// Input for IOCTL_IPSEC_SET_OPERATION_MODE. The driver should validate that
// OperationMode is below IPSEC_OPERATION_MODE_MAX before applying it.
typedef struct _IPSEC_SET_OPERATION_MODE {
    OPERATION_MODE OperationMode;
} IPSEC_SET_OPERATION_MODE, *PIPSEC_SET_OPERATION_MODE;
// Output of IOCTL_IPSEC_GET_OPERATION_MODE: the driver's current mode.
typedef struct _IPSEC_GET_OPERATION_MODE {
    OPERATION_MODE OperationMode;
} IPSEC_GET_OPERATION_MODE, * PIPSEC_GET_OPERATION_MODE;
// For IOCTL_IPSEC_SET_DIAGNOSTIC_MODE
// Bits for the Mode member of IPSEC_SET_DIAGNOSTIC_MODE.
#define IPSEC_DIAGNOSTIC_DISABLE_LOG 0x00000000  // no bits set: logging off
#define IPSEC_DIAGNOSTIC_ENABLE_LOG 0x00000001
#define IPSEC_DIAGNOSTIC_INBOUND 0x00000002
#define IPSEC_DIAGNOSTIC_OUTBOUND 0x00000004
// OR of all defined bits (0x1 | 0x2 | 0x4); a Mode with bits above this is
// invalid and should be rejected by the driver.
#define IPSEC_DIAGNOSTIC_MAX 0x00000007
// Input for IOCTL_IPSEC_SET_DIAGNOSTIC_MODE.
typedef struct _IPSEC_SET_DIAGNOSTIC_MODE {
    DWORD Mode;        // IPSEC_DIAGNOSTIC_* bits, at most IPSEC_DIAGNOSTIC_MAX
    DWORD LogInterval; // logging interval; units are not stated here - confirm
} IPSEC_SET_DIAGNOSTIC_MODE, * PIPSEC_SET_DIAGNOSTIC_MODE;
// For IOCTL_IPSEC_REGISTER_PROTOCOL.
//
// Request carried by IOCTL_IPSEC_REGISTER_PROTOCOL: attach or detach the IPSEC
// protocols. REGISTER_IPSEC_PROTOCOL_MAX is one past the last valid value and
// should bound the driver's input check.
typedef enum _REGISTER_IPSEC_PROTOCOL {
    IPSEC_REGISTER_PROTOCOLS = 0,
    IPSEC_DEREGISTER_PROTOCOLS = 1,
    REGISTER_IPSEC_PROTOCOL_MAX = 2
} REGISTER_IPSEC_PROTOCOL, * PREGISTER_IPSEC_PROTOCOL;
// Input for IOCTL_IPSEC_REGISTER_PROTOCOL.
typedef struct _IPSEC_REGISTER_PROTOCOL {
    REGISTER_IPSEC_PROTOCOL RegisterProtocol; // must be < REGISTER_IPSEC_PROTOCOL_MAX
} IPSEC_REGISTER_PROTOCOL, * PIPSEC_REGISTER_PROTOCOL;
//
// for IOCTL_IPSEC_SET_TCPIP_STATUS
//
// Input for IOCTL_IPSEC_SET_TCPIP_STATUS: a status flag plus a table of TCP/IP
// entry points handed to IPSEC as untyped pointers. The signatures of the
// entry points are not declared in this header.
// NOTE(review): this is a table of raw function pointers delivered through an
// IOCTL whose code requires only FILE_WRITE_ACCESS on the handle. The driver
// must honour it only from a kernel-mode requestor (Irp->RequestorMode ==
// KernelMode) and reject it from user mode; otherwise a caller could install
// arbitrary addresses as kernel callbacks. Where that check lives is not
// visible here - confirm in the dispatch routine.
typedef struct _IPSEC_SET_TCPIP_STATUS {
    BOOLEAN TcpipStatus;          // presumably TRUE when TCP/IP is attached - confirm
    PVOID TcpipFreeBuff;
    PVOID TcpipAllocBuff;
    PVOID TcpipGetInfo;
    PVOID TcpipNdisRequest;
    PVOID TcpipSetIPSecStatus;
    PVOID TcpipSetIPSecPtr;
    PVOID TcpipUnSetIPSecPtr;
    PVOID TcpipUnSetIPSecSendPtr;
    PVOID TcpipTCPXsum;
    PVOID TcpipSendICMPErr;
} IPSEC_SET_TCPIP_STATUS, *PIPSEC_SET_TCPIP_STATUS;
//
// The base Security Association structure for IOCTL_IPSEC_*_SA
//
// Security Parameter Index of an SA, 32 bits wide. The byte order in which it
// is exchanged with the driver is not stated here - confirm against callers.
typedef ULONG SPI_TYPE;
// Transform applied by one SA. SECURITY_ASSOCIATION and IPSEC_SA_INFO carry an
// ordered sequence of these, so the values are fixed explicitly.
// NOTE(review): the enumerators are short, unprefixed names in the global
// namespace (None in particular); kept unchanged for source compatibility.
typedef enum _Operation {
    None = 0,      // no transform
    Auth = 1,      // AH
    Encrypt = 2,   // ESP
    Compress = 3   // COMP (see MAX_SAS below)
} OPERATION_E;
//
// IPSEC DOI ESP algorithms
//
// ESP confidentiality algorithms this interface can express (used in
// ALGO_INFO.algoIdentifier). IPSEC_ESP_MAX is one past the last valid value;
// input from callers should be checked against it.
// NOTE(review): single DES and 40-bit DES are not considered adequate today;
// of the options here only triple DES should be negotiated where policy allows.
typedef enum _ESP_ALGO {
    IPSEC_ESP_NONE = 0,
    IPSEC_ESP_DES = 1,     // single DES
    IPSEC_ESP_DES_40 = 2,  // 40-bit (export-strength) DES
    IPSEC_ESP_3_DES = 3,   // triple DES
    IPSEC_ESP_MAX = 4
} ESP_ALGO;
//
// IPSEC DOI AH algorithms
//
// AH integrity algorithms this interface can express (used in
// ALGO_INFO.algoIdentifier). IPSEC_AH_MAX is one past the last valid value;
// input from callers should be checked against it.
// NOTE(review): presumably HMAC-MD5 / HMAC-SHA-1 as in the IPsec DOI; the
// HMAC construction is not recorded by the enum itself - confirm.
typedef enum _AH_ALGO {
    IPSEC_AH_NONE = 0,
    IPSEC_AH_MD5 = 1,
    IPSEC_AH_SHA = 2,
    IPSEC_AH_MAX = 3
} AH_ALGO;
//
// Lifetime structure - 0 => not significant
//
// SA lifetime limits. A value of 0 means the limit is not significant (see above).
typedef struct _LIFETIME {
    ULONG KeyExpirationTime;  // lifetime of key - in seconds
    ULONG KeyExpirationBytes; // max # of KBytes xformed till re-key
} LIFETIME, *PLIFETIME;
//
// describes generic algorithm properties
//
// Generic algorithm description used for the AH, ESP and COMP slots of an SA.
// When these arrive from a caller, the driver should check algoIdentifier
// against the matching *_MAX value and algoKeylen against the key material
// actually supplied (SA_STRUCT.KeyLen) before using them.
typedef struct _ALGO_INFO {
    ULONG algoIdentifier; // ESP_ALGO or AH_ALGO
    ULONG algoKeylen;     // len in bytes
    ULONG algoRounds;     // # of algo rounds
} ALGO_INFO, *PALGO_INFO;
//
// Security Association
//
//
// Flags - not mutually exclusive
//
// Bit set carried in SA_STRUCT.Flags.
typedef ULONG SA_FLAGS;
// NOTE(review): named INTERNAL - presumably set by the driver itself rather
// than accepted from a caller; the driver should mask it out of (or reject it
// in) user-supplied Flags. Confirm in the ADD/UPDATE_SA handler.
#define IPSEC_SA_INTERNAL_IOCTL_DELETE 0x10000000
// Upper bound on the number of SAs / operations in one bundle. Sizes the
// SecAssoc, InboundSPI, OutboundSPI, Operation and AlgoInfo arrays below, so
// any NumSAs / NumOps received from a caller must be checked against it.
#define MAX_SAS 3 // COMP, ESP, AH
#define MAX_OPS MAX_SAS
// One SA of a bundle as supplied to the driver (SA_STRUCT.SecAssoc).
// NOTE(review): CompAlgo is a PVOID here, whereas the output-side
// SECURITY_ASSOCIATION_OUT and IPSEC_SA_ALGO_INFO carry an ALGO_INFO. A pointer
// arriving through an IOCTL must not be dereferenced by the driver as if it
// were trusted - confirm how this member is consumed.
typedef struct _SECURITY_ASSOCIATION {
    OPERATION_E Operation;  // ordered set of operations
    SPI_TYPE SPI;           // SPI in order of operations in OperationArray
    ALGO_INFO IntegrityAlgo; // AH
    ALGO_INFO ConfAlgo;     // ESP
    PVOID CompAlgo;         // compression algo info
} SECURITY_ASSOCIATION, *PSECURITY_ASSOCIATION;
// SA bundle as supplied via IPSEC_ADD_UPDATE_SA. Variable length: KeyMat[1] is
// a placeholder and KeyLen bytes of keying material follow it at the end of
// the buffer.
// NOTE(review): KeyMat carries raw session keys. The driver must check KeyLen
// (and NumSAs <= MAX_SAS) against the input buffer length before copying, and
// both sides should scrub the buffer once the keys have been consumed (in the
// kernel, RtlSecureZeroMemory where available, since a plain memset before
// free may be optimised away).
typedef struct _SA_STRUCT {
    HANDLE Context;                  // context of the original ACQUIRE request
    ULONG NumSAs;                    // number of SAs following (at most MAX_SAS)
    SA_FLAGS Flags;                  // SA_FLAGS bits
    IPAddr TunnelAddr;               // Tunnel end IP Addr
    IPAddr SrcTunnelAddr;            // Tunnel src IP Addr
    LIFETIME Lifetime;
    IPSEC_FILTER InstantiatedFilter; // the actual addresses for which this SA was setup
    SECURITY_ASSOCIATION SecAssoc[MAX_SAS];
    DWORD dwQMPFSGroup;              // quick-mode PFS group (presumably) - confirm
    IKE_COOKIE_PAIR CookiePair;
    IPSEC_SA_UDP_ENCAP_TYPE EncapType;
    WORD SrcEncapPort;               // Src, Dst encapsulation ports for NAT
    WORD DestEncapPort;
    IPAddr PeerPrivateAddr;
    ULONG KeyLen;                    // key len in # of chars
    UCHAR KeyMat[1];                 // first byte of KeyLen bytes of key material
} SA_STRUCT, *PSA_STRUCT;
// Input for IOCTL_IPSEC_ADD_SA and IOCTL_IPSEC_UPDATE_SA. Variable length, as
// SA_STRUCT ends in KeyMat.
typedef struct _IPSEC_ADD_UPDATE_SA {
    SA_STRUCT SAInfo;
} IPSEC_ADD_UPDATE_SA, *PIPSEC_ADD_UPDATE_SA;
//
// Outbound SAs are typically deleted
//
// Input for IOCTL_IPSEC_DELETE_SA. IPSEC_QM_SA is not declared in this file
// (presumably it comes from winipsec.h).
typedef struct _IPSEC_DELETE_SA {
    IPSEC_QM_SA SATemplate; // template used for SA match
} IPSEC_DELETE_SA, *PIPSEC_DELETE_SA;
//
// Inbound SAs are typically expired
//
// Identifies a single SA by its address pair and SPI (used by IPSEC_EXPIRE_SA).
typedef struct _IPSEC_DELETE_INFO {
    IPAddr DestAddr;
    IPAddr SrcAddr;
    SPI_TYPE SPI;
} IPSEC_DELETE_INFO, *PIPSEC_DELETE_INFO;
// Input for IOCTL_IPSEC_EXPIRE_SA.
typedef struct _IPSEC_EXPIRE_SA {
    IPSEC_DELETE_INFO DelInfo;
} IPSEC_EXPIRE_SA, *PIPSEC_EXPIRE_SA;
// Buffer for IOCTL_IPSEC_GET_SPI: the caller supplies Context and the
// instantiated filter, the driver fills in the SPI it allocated.
typedef struct _IPSEC_GET_SPI {
    HANDLE Context;                  // context to represent this SA negotiation
    IPSEC_FILTER InstantiatedFilter; // the actual addresses for which this SA was setup
    SPI_TYPE SPI;                    // filled out on return
} IPSEC_GET_SPI, *PIPSEC_GET_SPI;
// Same layout as IPSEC_GET_SPI; no IOCTL in this header is named for it, so how
// it is used is not visible here.
typedef IPSEC_GET_SPI IPSEC_SET_SPI, *PIPSEC_SET_SPI;
// Algorithm set reported per operation in IPSEC_SA_INFO.AlgoInfo. Unlike
// SECURITY_ASSOCIATION, all three slots are ALGO_INFO values.
typedef struct _IPSEC_SA_ALGO_INFO {
    ALGO_INFO IntegrityAlgo; // AH
    ALGO_INFO ConfAlgo;      // ESP
    ALGO_INFO CompAlgo;      // compression
} IPSEC_SA_ALGO_INFO, *PIPSEC_SA_ALGO_INFO;
// Bit set reported in IPSEC_SA_INFO.EnumFlags by IOCTL_IPSEC_ENUM_SAS; each
// value is a distinct bit and they may be combined.
typedef ULONG SA_ENUM_FLAGS;
#define SA_ENUM_FLAGS_INITIATOR 0x00000001
#define SA_ENUM_FLAGS_MTU_BUMPED 0x00000002
#define SA_ENUM_FLAGS_OFFLOADED 0x00000004
#define SA_ENUM_FLAGS_OFFLOAD_FAILED 0x00000008
#define SA_ENUM_FLAGS_OFFLOADABLE 0x00000010
#define SA_ENUM_FLAGS_IN_REKEY 0x00000020
// Per-SA byte counters reported in IPSEC_SA_INFO.Stats. 64-bit so they do not
// wrap over an SA's lifetime.
typedef struct _IPSEC_SA_STATS {
    ULARGE_INTEGER ConfidentialBytesSent;
    ULARGE_INTEGER ConfidentialBytesReceived;
    ULARGE_INTEGER AuthenticatedBytesSent;
    ULARGE_INTEGER AuthenticatedBytesReceived;
    ULARGE_INTEGER TotalBytesSent;
    ULARGE_INTEGER TotalBytesReceived;
    ULARGE_INTEGER OffloadedBytesSent;
    ULARGE_INTEGER OffloadedBytesReceived;
} IPSEC_SA_STATS, *PIPSEC_SA_STATS;
// One SA bundle as returned by IOCTL_IPSEC_ENUM_SAS. NumOps says how many of
// the MAX_OPS array slots are in use. Unlike SA_STRUCT this carries no key
// material, so the enumeration output does not expose keys.
typedef struct _IPSEC_SA_INFO {
    GUID PolicyId;                      // unique identifier to identify a policy entry
    GUID FilterId;
    LIFETIME Lifetime;
    IPAddr InboundTunnelAddr;
    ULONG NumOps;                       // number of valid entries in the arrays below (<= MAX_OPS)
    SPI_TYPE InboundSPI[MAX_OPS];
    SPI_TYPE OutboundSPI[MAX_OPS];
    OPERATION_E Operation[MAX_OPS];
    IPSEC_SA_ALGO_INFO AlgoInfo[MAX_OPS];
    IPSEC_FILTER AssociatedFilter;
    DWORD dwQMPFSGroup;
    IKE_COOKIE_PAIR CookiePair;
    SA_ENUM_FLAGS EnumFlags;            // SA_ENUM_FLAGS_* bits
    IPSEC_SA_STATS Stats;
    UDP_ENCAP_INFO EncapInfo;
} IPSEC_SA_INFO, *PIPSEC_SA_INFO;
// Output-side twin of SECURITY_ASSOCIATION (used in IPSEC_SA_QUERY_INFO).
// It differs in two members: Operation is a DWORD rather than OPERATION_E, and
// CompAlgo is an ALGO_INFO rather than a PVOID, so no pointer is returned.
typedef struct _SECURITY_ASSOCIATION_OUT {
    DWORD Operation;         // ordered set of operations (OPERATION_E value)
    SPI_TYPE SPI;            // SPI in order of operations in OperationArray
    ALGO_INFO IntegrityAlgo; // AH
    ALGO_INFO ConfAlgo;      // ESP
    ALGO_INFO CompAlgo;      // compression algo info
} SECURITY_ASSOCIATION_OUT, *PSECURITY_ASSOCIATION_OUT;
// SA bundle description in query form. No IOCTL in this header is named for
// it; NumSAs says how many SecAssoc slots are valid.
typedef struct _IPSEC_SA_QUERY_INFO {
    GUID PolicyId;                           // unique identifier to identify a policy entry
    LIFETIME Lifetime;
    ULONG NumSAs;                            // valid entries in SecAssoc (<= MAX_SAS)
    SECURITY_ASSOCIATION_OUT SecAssoc[MAX_SAS];
    IPSEC_FILTER AssociatedFilter;
    DWORD Flags;
    IKE_COOKIE_PAIR AssociatedMainMode;      // main-mode cookies this SA belongs to (presumably)
} IPSEC_SA_QUERY_INFO, *PIPSEC_SA_QUERY_INFO;
// Buffer for IOCTL_IPSEC_ENUM_SAS (METHOD_OUT_DIRECT). The caller sets the
// capacity, skip count and match template; the driver fills pInfo and reports
// the total present. As with ENUM_FILTERS, the driver must bound the number of
// entries it writes by the real output buffer length.
typedef struct _IPSEC_ENUM_SAS {
    DWORD NumEntries;        // num entries for which there is space
    DWORD NumEntriesPresent; // num entries actually present in the driver
    DWORD Index;             // num entries to skip
    IPSEC_QM_SA SATemplate;  // template used for SA match
    IPSEC_SA_INFO pInfo[1];  // first returned entry; further entries follow
} IPSEC_ENUM_SAS, *PIPSEC_ENUM_SAS;
// Buffer for IOCTL_IPSEC_POST_FOR_ACQUIRE_SA, describing the traffic for which
// an SA must be negotiated. Pad1/Pad2 are explicit padding.
// NOTE(review): if the driver fills this structure for user mode, it should
// zero the whole buffer first so the padding members never carry stale kernel
// memory - confirm in the completion path.
typedef struct _IPSEC_POST_FOR_ACQUIRE_SA {
    HANDLE IdentityInfo;        // identity of Principal
    HANDLE Context;             // context to represent this SA negotiation
    GUID PolicyId;              // GUID for QM policy
    IPAddr SrcAddr;
    IPMask SrcMask;
    IPAddr DestAddr;
    IPMask DestMask;
    IPAddr TunnelAddr;
    IPAddr InboundTunnelAddr;
    DWORD Protocol;
    IKE_COOKIE_PAIR CookiePair; // only used for notify
    WORD SrcPort;
    WORD DestPort;
    BOOLEAN TunnelFilter;       // TRUE => this is a tunnel filter
    UCHAR DestType;             // IPSEC_BCAST / IPSEC_MCAST bits
    WORD SrcEncapPort;
    WORD DestEncapPort;
    BYTE Pad1[4];               // explicit padding
    UCHAR Pad2[2];              // explicit padding
} IPSEC_POST_FOR_ACQUIRE_SA, *PIPSEC_POST_FOR_ACQUIRE_SA;
// NB. This structure must be no larger than IPSEC_POST_FOR_ACQUIRE_SA
// (sizeof(IPSEC_POST_EXPIRE_NOTIFY) <= sizeof(IPSEC_POST_FOR_ACQUIRE_SA)).
// Expiry notification delivered through the same posted buffer as
// IPSEC_POST_FOR_ACQUIRE_SA, which is why it must not be larger than that
// structure. NOTE(review): that size requirement is only stated in a comment;
// consider enforcing it at compile time with a C_ASSERT on the two sizeof
// values so a later member addition cannot silently break it.
typedef struct _IPSEC_POST_EXPIRE_NOTIFY {
    HANDLE IdentityInfo;        // identity of Principal
    HANDLE Context;             // context to represent this SA negotiation
    SPI_TYPE InboundSpi;
    SPI_TYPE OutboundSpi;
    DWORD Flags;
    IPAddr SrcAddr;
    IPMask SrcMask;
    IPAddr DestAddr;
    IPMask DestMask;
    IPAddr TunnelAddr;
    IPAddr InboundTunnelAddr;
    DWORD Protocol;
    IKE_COOKIE_PAIR CookiePair;
    WORD SrcPort;
    WORD DestPort;
    BOOLEAN TunnelFilter;       // TRUE => this is a tunnel filter
    WORD SrcEncapPort;
    WORD DestEncapPort;
    IPAddr PeerPrivateAddr;
    UCHAR Pad[3];               // explicit padding; zero before handing to user mode
} IPSEC_POST_EXPIRE_NOTIFY, *PIPSEC_POST_EXPIRE_NOTIFY;
// Output of IOCTL_IPSEC_QUERY_EXPORT. Export presumably reports whether the
// driver is running with export-restricted cryptography - confirm.
typedef struct _IPSEC_QUERY_EXPORT {
    BOOLEAN Export;
} IPSEC_QUERY_EXPORT, *PIPSEC_QUERY_EXPORT;
// Filter-to-SPI binding, chained through Next. No IOCTL in this header is
// named for it; a structure holding a pointer is not suitable as an IOCTL
// payload, so it is presumably for in-kernel use - confirm.
typedef struct _IPSEC_FILTER_SPI {
    IPSEC_FILTER Filter;
    SPI_TYPE Spi;
    DWORD Operation;              // OPERATION_E value
    DWORD Flags;
    struct _IPSEC_FILTER_SPI *Next; // next binding in the chain, or NULL
} IPSEC_FILTER_SPI, *PIPSEC_FILTER_SPI;
// Flat (pointer-free) filter-to-SPI binding keyed by the five-tuple; no IOCTL
// in this header is named for it.
typedef struct _QOS_FILTER_SPI {
    IPAddr SrcAddr;
    IPAddr DestAddr;
    DWORD Protocol;
    WORD SrcPort;
    WORD DestPort;
    DWORD Operation; // OPERATION_E value
    DWORD Flags;
    SPI_TYPE Spi;
} QOS_FILTER_SPI, *PQOS_FILTER_SPI;
// Buffer for IOCTL_IPSEC_QUERY_SPI: the caller supplies Filter, the driver
// returns the SPIs and operation of the matching SA.
typedef struct _IPSEC_QUERY_SPI {
    IPSEC_FILTER Filter;
    SPI_TYPE Spi;       // inbound spi
    SPI_TYPE OtherSpi;  // outbound spi
    DWORD Operation;    // OPERATION_E value
} IPSEC_QUERY_SPI, *PIPSEC_QUERY_SPI;
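// Context tag values distinguishing an expire notification from an RPC
// request. Which member they are stored in is not shown in this header.
#define IPSEC_NOTIFY_EXPIRE_CONTEXT 0x00000000
#define IPSEC_RPC_CONTEXT 0x00000001
// The guard name is placed in a comment: a bare token after #endif is not
// standard C and draws an "extra tokens" diagnostic from conforming compilers.
#endif // _IPSEC_H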