/*++ Copyright (c) 1997-2001 Microsoft Corporation Module Name: globals.h Abstract: This is the main header file for IPSEC. Contains all the globals. Author: Sanjay Anand (SanjayAn) 2-January-1997 ChunYe Environment: Kernel mode Revision History: --*/ #ifndef _GLOBALS_H #define _GLOBALS_H #include "NsIpsec.h" #define MAX_COUNT_STRING_LEN 32 #define MAX_IP_OPTION_SIZE 40 // 64 bytes #define MAX_KEYLEN_SHA 64 #define MAX_KEYLEN_MD5 64 // 8 bytes #define MAX_KEYLEN_DES 8 #define MAX_IV_LEN DES_BLOCKLEN #define MAX_KEY_LEN MAX(MAX_KEYLEN_MD5, MAX_KEYLEN_DES) // // we set aside SPIs between 256 and 65536 (64K) for hardware offload // #define LOWER_BOUND_SPI 256 #define UPPER_BOUND_SPI ((ULONG) -1) // MAX_ULONG #define INVALID_INDEX 0xffffffff #define RNG_KEY_SIZE 256 // 2048 bits #define RNG_REKEY_THRESHOLD 65536 // 64K raw bytes // // Constants related to filter lists // #define INBOUND_TRANSPORT_FILTER 0 #define OUTBOUND_TRANSPORT_FILTER 1 #define INBOUND_TUNNEL_FILTER 2 #define OUTBOUND_TUNNEL_FILTER 3 #define MIN_FILTER INBOUND_TRANSPORT_FILTER #define MAX_FILTER OUTBOUND_TUNNEL_FILTER #define MIN_TRANSPORT_FILTER INBOUND_TRANSPORT_FILTER #define MAX_TRANSPORT_FILTER OUTBOUND_TRANSPORT_FILTER #define MIN_TUNNEL_FILTER INBOUND_TUNNEL_FILTER #define MAX_TUNNEL_FILTER OUTBOUND_TUNNEL_FILTER #define INBOUND_OUTBOUND_INCREMENT 1 #define TRANSPORT_TUNNEL_INCREMENT 2 #define NUM_FILTERS (MAX_FILTER - MIN_FILTER + 1) // // Number of extra bytes when we pad - one for padlen and other for payloadtype // #define NUM_EXTRA 2 #define ESP_SIZE (sizeof(ESP) + DES_BLOCKLEN * sizeof(UCHAR)) #define TRUNCATED_HASH_LEN 12 // 96 bits #define REPLAY_WINDOW_SIZE 64 #define MAX_PAD_LEN (DES_BLOCKLEN + NUM_EXTRA - 1) #define IPSEC_SMALL_BUFFER_SIZE 50 #define IPSEC_LARGE_BUFFER_SIZE 200 #define IPSEC_CACHE_LINE_SIZE 16 #define IPSEC_LIST_DEPTH 5 typedef ULONG tSPI; #define MAX_BLOCKLEN MAX(DES_BLOCKLEN, 0) #define IPSEC_TAG_INIT 'ISpI' #define IPSEC_TAG_AH 'TApI' #define IPSEC_TAG_AH_TU 'UApI' #define IPSEC_TAG_ESP 'TEpI' #define IPSEC_TAG_ESP_TU 'UEpI' #define IPSEC_TAG_HUGHES 'THpI' #define IPSEC_TAG_HUGHES_TU 'UHpI' #define IPSEC_TAG_ACQUIRE_CTX 'XApI' #define IPSEC_TAG_FILTER 'IFpI' #define IPSEC_TAG_SA 'ASpI' #define IPSEC_TAG_KEY 'EKpI' #define IPSEC_TAG_TIMER 'ITpI' #define IPSEC_TAG_STALL_QUEUE 'QSpI' #define IPSEC_TAG_LOOKASIDE_LISTS 'ALpI' #define IPSEC_TAG_BUFFER_POOL 'PBpI' #define IPSEC_TAG_SEND_COMPLETE 'CSpI' #define IPSEC_TAG_EVT_QUEUE 'QEpI' #define IPSEC_TAG_HW 'WHpI' #define IPSEC_TAG_HW_PKTINFO 'KPpI' #define IPSEC_TAG_HW_PKTEXT 'XEpI' #define IPSEC_TAG_HW_ADDSA 'SApI' #define IPSEC_TAG_HW_DELSA 'SDpI' #define IPSEC_TAG_HW_PLUMB 'LPpI' #define IPSEC_TAG_COMP 'OCpI' #define IPSEC_TAG_REINJECT 'ERpI' #define IPSEC_TAG_IOCTL 'OIpI' #define IPSEC_TAG_LOG 'OLpI' #define IPSEC_TAG_PARSER 'sPpI' #define IPSEC_TAG_ICMP 'cIpI' #define IPSEC_TAG_STATEFUL_ENTRY 'ESpI' #define IPSEC_TAG_STATEFUL_HT 'HSpI' #define IPSEC_TAG_HASH_POOL 'PHpI' #define IPSEC_LOG_PACKET_SIZE 128 //Size in bytes of stored packet in troubleshoot mode // // The IPSEC ESP payload // typedef struct _ESP { tSPI esp_spi; } ESP, *PESP; typedef struct _NATENCAP { ushort uh_src; // Source port. ushort uh_dest; // Destination port. ushort uh_length; // Length ushort uh_xsum; // Checksum. UCHAR Zero[8]; } NATENCAP, *PNATENCAP; typedef struct _NATENCAP_OTHER { ushort uh_src; // Source port. ushort uh_dest; // Destination port. ushort uh_length; // Length ushort uh_xsum; // Checksum. } NATENCAP_OTHER, *PNATENCAP_OTHER; // // SA Flags - Not mutually exclusive // #define FLAGS_SA_INITIATOR 0x00000001 // use Initiator keys? might be deprecated soon #define FLAGS_SA_OUTBOUND 0x00000002 // outbound SA? #define FLAGS_SA_TUNNEL 0x00000004 // tunnel mode? sa_TunnelAddr is significant #define FLAGS_SA_REKEY 0x00000010 // is this rekeyed LarvalSA? #define FLAGS_SA_REKEY_ORI 0x00000020 // did this kick off a rekey? #define FLAGS_SA_MANUAL 0x00000040 // manual keyed? #define FLAGS_SA_MTU_BUMPED 0x00000080 // was MTU bumped down on this SA? #define FLAGS_SA_PENDING 0x00000100 // this is on the pending queue. #define FLAGS_SA_TIMER_STARTED 0x00000200 // timer started on this SA #define FLAGS_SA_HW_PLUMBED 0x00000400 // hw acceleration plumbed successfully #define FLAGS_SA_HW_PLUMB_FAILED 0x00000800 // hw acceleration plumbing failed #define FLAGS_SA_HW_DELETE_SA 0x00001000 // hw acceleration - this is the pending delete. #define FLAGS_SA_HW_CRYPTO_ONLY 0x00002000 // hw acceleration - this is a crypto-only provider. #define FLAGS_SA_HW_RESET 0x00004000 // hw acceleration - this offload SA has been reset #define FLAGS_SA_HW_DELETE_QUEUED 0x00008000 // hw acceleration - this SA delete is queued so make sure reset doesn't touch it #define FLAGS_SA_REFERENCED 0x00010000 // is this SA the next of another? #define FLAGS_SA_NOTIFY_PERFORMED 0x00020000 // For inbound only. Notification performed #define FLAGS_SA_ON_FILTER_LIST 0x00040000 // used on inbound SAs to indicate they are on filter lists #define FLAGS_SA_ON_SPI_HASH 0x00080000 // used on inbound SAs to indicate they are on spi hash lists #define FLAGS_SA_EXPIRED 0x00100000 // has this SA expired? #define FLAGS_SA_IDLED_OUT 0x00200000 // has this SA idled out? #define FLAGS_SA_HIBERNATED 0x00400000 // has this SA been hibernated? #define FLAGS_SA_DELETE_BY_IOCTL 0x00800000 // sa delete initiated by external source #define FLAGS_SA_OFFLOADABLE 0x01000000 // is this SA offloadable? #define FLAGS_SA_PASSTHRU_FILTER 0x02000000 // sa derived from a pass-thru filter #define FLAGS_SA_DISABLE_IDLE_OUT 0x04000000 // don't idle out #define FLAGS_SA_DISABLE_ANTI_REPLAY_CHECK 0x08000000 // don't check anti-replay #define FLAGS_SA_DISABLE_LIFETIME_CHECK 0x10000000 // don't check lifetimes #define FLAGS_SA_ENABLE_NLBS_IDLE_CHECK 0x20000000 // Idle out faster // // SA States - Mutually exclusive // typedef enum _SA_STATE { STATE_SA_CREATED = 1, // when created STATE_SA_LARVAL, // Key negotiation going on - outbound SAs only STATE_SA_ACTIVE, // outbound SA completely setup STATE_SA_LARVAL_ACTIVE, // inbound active SA without the associated outbound SA STATE_SA_ZOMBIE // SAs flushed, ready to be deleted } SA_STATE, *PSA_STATE; #define IPSEC_SA_SIGNATURE 0x4601 #define IPSEC_FILTER_SIGNATURE 0x4602 #if DBG #define IPSEC_SA_D_1 'SAD1' #define IPSEC_SA_D_2 'SAD2' #define IPSEC_SA_D_3 'SAD3' #define IPSEC_SA_D_4 'SAD4' #endif typedef struct _FILTER FILTER, *PFILTER; typedef struct _INTERNAL_ALGO_INFO { ULONG algoIdentifier; PUCHAR algoKey; ULONG algoKeylen; ULONG algoRounds; } INTERNAL_ALGO_INFO, *PINTERNAL_ALGO_INFO; typedef struct _INTERNAL_ALGO { INTERNAL_ALGO_INFO integrityAlgo; INTERNAL_ALGO_INFO confAlgo; INTERNAL_ALGO_INFO compAlgo; } INTERNAL_ALGO, *PINTERNAL_ALGO; typedef struct _IPSEC_ACQUIRE_CONTEXT IPSEC_ACQUIRE_CONTEXT, *PIPSEC_ACQUIRE_CONTEXT; typedef struct _FILTER_CACHE FILTER_CACHE, *PFILTER_CACHE; // // Security Association Table (SATable) // // Indexed by the following: // // Sender maps {Src Addr, Dest Addr, User Context} to the index // // Receiver maps {Dest Addr, SPI} to the index // SPI values are unique when generated manually, so can be used directly // to index into the SATable for // typedef struct _SATableEntry { LIST_ENTRY sa_SPILinkage; // linkage in SPI hash table list LIST_ENTRY sa_FilterLinkage; // linkage in Filter table list LIST_ENTRY sa_LarvalLinkage; // linkage in Larval SA list LIST_ENTRY sa_PendingLinkage; // linkage in pending SA list - waiting for Acquire Irp struct _SATableEntry *sa_AssociatedSA; // outbound -> inbound link struct _SATableEntry *sa_RekeyLarvalSA; // points to the Larval SA on a rekey struct _SATableEntry *sa_RekeyOriginalSA; // Rekey Larval SA points to the original SA that kicked off the rekey ULONG sa_Signature; // contains 4601 ULONG sa_AcquireId; // cross-check with the Acquire Irp context PIPSEC_ACQUIRE_CONTEXT sa_AcquireCtx; // actual acquire context - used to invalidate the context. ULONG sa_Flags; // flags as defined above SA_STATE sa_State; // states as defined above ULONG sa_Reference; // ref count PFILTER sa_Filter; // assoc filter entry PFILTER_CACHE sa_FilterCache; // back pointer to cache entry so we can disable it when an SA goes away KSPIN_LOCK sa_Lock; // lock to protect the FilterCache ptr. #if DBG ULONG sa_d1; #endif ULARGE_INTEGER sa_uliSrcDstAddr; ULARGE_INTEGER sa_uliSrcDstMask; ULARGE_INTEGER sa_uliProtoSrcDstPort; IPAddr sa_TunnelAddr; // Tunnel dest end IP Addr IPAddr sa_SrcTunnelAddr; // Tunnel src end IP Addr // SPI - host order - if outbound, SPI for remote, // else inbound (our) SPI tSPI sa_SPI; // Inbound: in the multiple ops case, this is the SPI of the last operation. // Outbound: order is as specified in the update. LONG sa_NumOps; // the total number of operations to be done tSPI sa_OtherSPIs[MAX_OPS]; // the other alternate SPIs. OPERATION_E sa_Operation[MAX_OPS]; INTERNAL_ALGO sa_Algorithm[MAX_OPS]; ULONG sa_ReplayStartPoint; // corresponds to RP_Key_I/R ULONG sa_ReplayLastSeq[MAX_OPS]; // for replay detection - last seq recd ULONGLONG sa_ReplayBitmap[MAX_OPS]; // for replay detection - 64 packet window ULONG sa_ReplaySendSeq[MAX_OPS]; // for replay detection - next seq # to send ULONG sa_ReplayLen; // for replay detection - length of replay field - 32 bits #if DBG ULONG sa_d2; #endif UCHAR sa_iv[MAX_OPS][DES_BLOCKLEN]; // IV_Key_I/R ULONG sa_ivlen; ULONG sa_TruncatedLen; // length of final hash after truncation LARGE_INTEGER sa_KeyExpirationTime; // time till re-key LARGE_INTEGER sa_KeyExpirationBytes; // max # of KBytes xformed till re-key LARGE_INTEGER sa_TotalBytesTransformed; // running total LARGE_INTEGER sa_KeyExpirationTimeWithPad; LARGE_INTEGER sa_KeyExpirationBytesWithPad; LARGE_INTEGER sa_IdleTime; // total time this SA can sit idle LARGE_INTEGER sa_LastUsedTime; // time this SA was used last #if DBG ULONG sa_d3; #endif LIFETIME sa_Lifetime; ULONG sa_BlockedDataLen; // amount of pended data PNDIS_BUFFER sa_BlockedBuffer; // stall queue of 1 Mdl chain #if DBG ULONG sa_d4; #endif Interface *sa_IPIF; IPSEC_TIMER sa_Timer; // Timer struct for timer queue ULONG sa_ExpiryTime; // time until this SA expires NDIS_HANDLE sa_OffloadHandle; LONG sa_NumSends; WORK_QUEUE_ITEM sa_QueueItem; ULONG sa_IPSecOverhead; ULONG sa_NewMTU; DWORD sa_QMPFSGroup; IKE_COOKIE_PAIR sa_CookiePair; IPSEC_SA_STATS sa_Stats; UCHAR sa_DestType; IPSEC_SA_UDP_ENCAP_TYPE sa_EncapType; IPSEC_UDP_ENCAP_CONTEXT sa_EncapContext; IPAddr sa_PeerPrivateAddr; } SA_TABLE_ENTRY, *PSA_TABLE_ENTRY; // // Context used between Key manager and IPSEC. Points to the Larval SA basically. // typedef struct _IPSEC_ACQUIRE_CONTEXT { ULONG AcquireId; // unique ID to represent this transaction PSA_TABLE_ENTRY pSA; // larval SA should contain this ID } IPSEC_ACQUIRE_CONTEXT, *PIPSEC_ACQUIRE_CONTEXT; // // Packet Classification/Policy Setting is similar to that of the // Filter Driver. We dont have filters per interface, however. // typedef struct _FILTER { ULONG Signature; // contains 4602 BOOLEAN TunnelFilter; BOOLEAN LinkedFilter; // true if on linked list USHORT Flags; PFILTER_CACHE FilterCache; // back pointer to cache entry so we can disable it when filter is deleted LIST_ENTRY MaskedLinkage; ULARGE_INTEGER uliSrcDstAddr; ULARGE_INTEGER uliSrcDstMask; ULARGE_INTEGER uliProtoSrcDstPort; ULARGE_INTEGER uliProtoSrcDstMask; IPAddr TunnelAddr; ULONG Reference; // ref count LONG SAChainSize; // number of entries for SA chain hash ULONG Index; // hinted index GUID PolicyId; // policy GUID GUID FilterId; // filter GUID #if GPC union { LIST_ENTRY GpcLinkage; struct _GPC_FILTER { GPC_HANDLE GpcCfInfoHandle; GPC_HANDLE GpcPatternHandle; } GpcFilter; }; #endif LIST_ENTRY SAChain[1]; // chain of SAs associated with this Filter } FILTER, *PFILTER; // // a first level cache, contains IP headers cached for fast lookups // typedef struct _FILTER_CACHE { ULARGE_INTEGER uliSrcDstAddr; ULARGE_INTEGER uliProtoSrcDstPort; BOOLEAN FilterEntry; // if TRUE, the next one is a Filter union { PSA_TABLE_ENTRY pSAEntry; // points to the associated SAEntry PFILTER pFilter; // points to the (drop/PassThru filter) }; PSA_TABLE_ENTRY pNextSAEntry; // points to the associated NextSAEntry #if DBG ULARGE_INTEGER CacheHitCount; #endif } FILTER_CACHE, *PFILTER_CACHE; // // Hash tables for specific SAs // typedef struct _SA_HASH { LIST_ENTRY SAList; } SA_HASH, *PSA_HASH; // // This structure is used to hold on to an Irp from the Key manager. // The Irp is completed to kick off an SA negotiation. // typedef struct _IPSEC_ACQUIRE_INFO { PIRP Irp; // irp passed down from Key manager LIST_ENTRY PendingAcquires; // linked list of pending acquire requests LIST_ENTRY PendingNotifies; // linked list of pending notifications KSPIN_LOCK Lock; BOOLEAN ResolvingNow; // irp is in user mode doing a resolve BOOLEAN InMe; // irp is in user mode doing a resolve } IPSEC_ACQUIRE_INFO, *PIPSEC_ACQUIRE_INFO; // // Buffer for lookaside list descriptors. Lookaside list descriptors // cannot be statically allocated, as they need to ALWAYS be nonpageable, // even when the entire driver is paged out. // typedef struct _IPSEC_LOOKASIDE_LISTS { NPAGED_LOOKASIDE_LIST SendCompleteCtxList; NPAGED_LOOKASIDE_LIST LargeBufferList; NPAGED_LOOKASIDE_LIST SmallBufferList; } IPSEC_LOOKASIDE_LISTS, *PIPSEC_LOOKASIDE_LISTS; // // Data is organized as an MDL followed by the actual buffer being described by // the mdl. // // !!NOTE: In the struct below, Data should be quadaligned since MDLs are always // quad-aligned. // typedef struct _IPSEC_LA_BUFFER { ULONG Tag; // the actual tag this was used for PVOID Buffer; // the actual buffer ULONG BufferLength; // length of the buffer pointed by MDL PMDL Mdl; // pointer to an MDL describing the buffer UCHAR Data[1]; // the real data starts here } IPSEC_LA_BUFFER, *PIPSEC_LA_BUFFER; #define IPSEC_STATEFUL_HASH_TABLE_SIZE 1000 typedef struct _IPSEC_STATEFUL_HASH_TABLE{ // Array of lists // Lists of IPSEC_STATEFUL_ENTRY LIST_ENTRY Entry[IPSEC_STATEFUL_HASH_TABLE_SIZE]; }IPSEC_STATEFUL_HASH_TABLE, *PIPSEC_STATEFUL_HASH_TABLE; // Always stored outbound // Allocated from IPSEC_HASH_BUFFER_POOL // Stored in IPSEC_STATEFUL_HASH_TABLE typedef struct _IPSEC_STATEFUL_ENTRY { LIST_ENTRY CollisionLinkage; IPAddr SrcAddr; IPAddr DestAddr; BYTE Protocol; USHORT SrcPort; USHORT DestPort; } IPSEC_STATEFUL_ENTRY, *PIPSEC_STATEFUL_ENTRY; #define TOTAL_STATEFUL_ENTRY_COUNT 10000 //Write access to SADBLock required for allocation //Cycle around when full. //Use list entries in the IPSEC_STATEFUL_ENTRY //to remove from hash table. typedef struct _IPSEC_HASH_BUFFER_POOL { ULONG ulEntriesUsed; ULONG ulCurrentPosition; IPSEC_STATEFUL_ENTRY PoolEntry[TOTAL_STATEFUL_ENTRY_COUNT]; } IPSEC_HASH_BUFFER_POOL, * PIPSEC_HASH_BUFFER_POOL; typedef struct _IPSEC_GLOBAL { BOOLEAN DriverUnloading; // Is driver being unloaded? BOOLEAN BoundToIP; // Are we bound to IP yet? BOOLEAN SendBoundToIP; // Is IPSecHandler bound to IP? BOOLEAN InitCrypto; // Are crypto routines initialized? BOOLEAN InitRNG; // Is RNG initialized? BOOLEAN InitTcpip; // Is TCP/IP loaded? #if FIPS BOOLEAN InitFips; // Is Fips driver loaded and function table set? #endif #if GPC BOOLEAN InitGpc; // Is GPC driver loaded and function table set? #endif LONG NumSends; // counts the number of pending sends LONG NumThreads; // counts the number of threads in driver LONG NumWorkers; // counts the number of worker threads LONG NumTimers; // counts the number of active timers LONG NumIoctls; // counts the number of active IOCTLs LIST_ENTRY LarvalSAList; KSPIN_LOCK LarvalListLock; // protects the larval SA list MRSW_LOCK SADBLock; // protects the Filter/SA DB MRSW_LOCK SPIListLock; // protects the SPI list // // We partition the filters into tunnel/masked and inbound/outbound filters. // LIST_ENTRY FilterList[NUM_FILTERS]; ULONG NumPolicies; // number of filters plumbed in the driver ULONG NumTunnelFilters; ULONG NumMaskedFilters; ULONG NumOutboundSAs; ULONG NumMulticastFilters; // // Inbound hash // PSA_HASH pSADb; LONG NumSA; LONG SAHashSize; PFILTER_CACHE *ppCache; ULONG CacheSize; ULONG CacheHalfSize; // // SA negotiate context // IPSEC_ACQUIRE_INFO AcquireInfo; // // timers // KSPIN_LOCK TimerLock; IPSEC_TIMER_LIST TimerList[IPSEC_CLASS_MAX]; IPSEC_TIMER ReaperTimer; // reaper thread runs here. // // Global lookaside lists. These must always be in nonpaged pool, // even when the driver is paged out. // PIPSEC_LOOKASIDE_LISTS IPSecLookasideLists; ULONG IPSecLargeBufferSize; ULONG IPSecLargeBufferListDepth; ULONG IPSecSmallBufferSize; ULONG IPSecSmallBufferListDepth; ULONG IPSecSendCompleteCtxSize; ULONG IPSecSendCompleteCtxDepth; ULONG IPSecCacheLineSize; PDEVICE_OBJECT IPSecDevice; PDRIVER_OBJECT IPSecDriverObject; ProtInfo IPProtInfo; IPOptInfo OptInfo; // // stats // IPSEC_QUERY_STATS Statistics; DWORD dwPacketsOnWrongSA; ULONG EnableOffload; ULONG DefaultSAIdleTime; ULONG LogInterval; ULONG EventQueueSize; ULONG RekeyTime; ULONG NoDefaultExempt; KSPIN_LOCK EventLogLock; // lock to protect event queue IPSEC_TIMER EventLogTimer; ULONG IPSecBufferedEvents; PUCHAR IPSecLogMemory; PUCHAR IPSecLogMemoryLoc; PUCHAR IPSecLogMemoryEnd; LARGE_INTEGER SAIdleTime; #if DBG ULARGE_INTEGER CacheHitCount; #endif OPERATION_MODE OperationMode; IPSEC_FORWARDING_BEHAVIOR DefaultForwardingBehavior; ULONG DiagnosticMode; #if GPC GPC_EXPORTED_CALLS GpcEntries; GPC_HANDLE GpcClients[GPC_CF_MAX]; ULONG GpcActive; ULONG GpcNumFilters[GPC_CF_MAX]; LIST_ENTRY GpcFilterList[NUM_FILTERS]; #if DBG LARGE_INTEGER GpcTotalPassedIn; LARGE_INTEGER GpcClassifyNeeded; LARGE_INTEGER GpcReClassified; #endif #endif #if FIPS PFILE_OBJECT FipsFileObject; FIPS_FUNCTION_TABLE FipsFunctionTable; #endif PIPSEC_EXEMPT_ENTRY BootExemptList; ULONG BootExemptListSize; //Entry count // Pointer to the Hash table // Initialized in DriverEntry PIPSEC_STATEFUL_HASH_TABLE BootStatefulHT; PIPSEC_HASH_BUFFER_POOL BootBufferPool; LARGE_INTEGER StartTimeDelta; IPSEC_NATSHIM_FUNCTIONS ShimFunctions; VOID (*TcpipFreeBuff)(struct IPRcvBuf *); INT (*TcpipAllocBuff)(struct IPRcvBuf *, UINT); UCHAR (*TcpipGetAddrType)(IPAddr); IP_STATUS (*TcpipGetInfo)(IPInfo *, INT); NDIS_STATUS (*TcpipNdisRequest)(PVOID, NDIS_REQUEST_TYPE, NDIS_OID, PVOID, UINT, PUINT); PVOID (*TcpipRegisterProtocol)(UCHAR, PVOID, PVOID, PVOID, PVOID, PVOID, PVOID); NTSTATUS (*TcpipSetIPSecStatus)(BOOLEAN); IP_STATUS (*TcpipIPTransmit)(PVOID, PVOID, PNDIS_BUFFER, UINT, IPAddr, IPAddr, IPOptInfo *, RouteCacheEntry *, UCHAR, PIRP); IP_STATUS (*TcpipSetIPSecPtr)(PIPSEC_FUNCTIONS); IP_STATUS (*TcpipUnSetIPSecPtr)(PIPSEC_FUNCTIONS); IP_STATUS (*TcpipUnSetIPSecSendPtr)(PIPSEC_FUNCTIONS); UINT (*TcpipTCPXsum)(UINT, PVOID, UINT); USHORT (*TcpipGenIpId)(); PVOID (*TcpipDeRegisterProtocol)(UCHAR); IP_STATUS (*TcpipGetPInfo)(IPAddr, IPAddr, uint *, uint *, RouteCacheEntry *); IP_STATUS (*TcpipSendICMPErr)(IPAddr, IPHeader UNALIGNED *, uchar, uchar, ulong, uchar); } IPSEC_GLOBAL, *PIPSEC_GLOBAL; // // Contexts used to store eventlog contexts. // #define IPSEC_DROP_STATUS_CRYPTO_DONE 0x00000001 #define IPSEC_DROP_STATUS_NEXT_CRYPTO_DONE 0x00000002 #define IPSEC_DROP_STATUS_SA_DELETE_REQ 0x00000004 #define IPSEC_DROP_STATUS_DONT_LOG 0x00000008 typedef struct _IPSEC_DROP_STATUS { ULONG IPSecStatus; ULONG OffloadStatus; ULONG Flags; } IPSEC_DROP_STATUS, *PIPSEC_DROP_STATUS; typedef struct _IPSEC_EVENT_CTX { IPAddr Addr; ULONG EventCode; ULONG UniqueEventValue; ULONG EventCount; PUCHAR pPacket; ULONG PacketSize; IPSEC_DROP_STATUS DropStatus; } IPSEC_EVENT_CTX, *PIPSEC_EVENT_CTX; typedef struct _IPSEC_NOTIFY_EXPIRE { LIST_ENTRY notify_PendingLinkage; // linkage in pending SA list - waiting for Acquire Irp ULARGE_INTEGER sa_uliSrcDstAddr; ULARGE_INTEGER sa_uliSrcDstMask; ULARGE_INTEGER sa_uliProtoSrcDstPort; IPAddr sa_TunnelAddr; // Tunnel end IP Addr IPAddr sa_InboundTunnelAddr; // Tunnel end IP Addr tSPI InboundSpi; // Inbound: in the multiple ops case, this is the SPI of the last operation. tSPI OutboundSpi; IKE_COOKIE_PAIR sa_CookiePair; DWORD Flags; IPSEC_UDP_ENCAP_CONTEXT sa_EncapContext; IPAddr sa_PeerPrivateAddr; } IPSEC_NOTIFY_EXPIRE, *PIPSEC_NOTIFY_EXPIRE; typedef IPSEC_ADD_UPDATE_SA IPSEC_ADD_SA, *PIPSEC_ADD_SA; typedef IPSEC_ADD_UPDATE_SA IPSEC_UPDATE_SA, *PIPSEC_UPDATE_SA; #define IPSEC_ADD_SA_NO_KEY_SIZE FIELD_OFFSET(IPSEC_ADD_SA, SAInfo.KeyMat[0]) #define IPSEC_UPDATE_SA_NO_KEY_SIZE FIELD_OFFSET(IPSEC_UPDATE_SA, SAInfo.KeyMat[0]) typedef struct _PARSER_IFENTRY { struct _PARSER_IFENTRY * pNext; UDP_ENCAP_TYPE UdpEncapType; USHORT usDstEncapPort; HANDLE hInterface; HANDLE hParserIfOffload; ULONG uRefCnt; } PARSER_IFENTRY, * PPARSER_IFENTRY; // // Contexts used to store SA plumbing contexts. // typedef struct _IPSEC_PLUMB_SA { Interface *DestIF; PSA_TABLE_ENTRY pSA; PPARSER_IFENTRY pParserIfEntry; PUCHAR Buf; ULONG Len; WORK_QUEUE_ITEM PlumbQueueItem; } IPSEC_PLUMB_SA, *PIPSEC_PLUMB_SA; typedef struct _IPSEC_MTU_CONTEXT { IPAddr Src; IPAddr TransportDest; IPAddr TunnelDest; tSPI TransportSPI; tSPI TunnelSPI; } IPSEC_MTU_CONTEXT, *PIPSEC_MTU_CONTEXT; // // Contexts used to log events // typedef struct _IPSEC_LOG_EVENT { LONG LogSize; WORK_QUEUE_ITEM LogQueueItem; UCHAR pLog[1]; } IPSEC_LOG_EVENT, *PIPSEC_LOG_EVENT; #define PROTOCOL_UDP 17 #define TCP_HEADER_SIZE 20 #define UDP_HEADER_SIZE 8 #define MIN_ACQUIRE_ID 5 #endif _GLOBALS_H