sravan/system76-edk2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Update IPsec.h file to follow approved ECR which will be collected into future UEFI 2.3 Specification after 2.3 errata B and future UEFI Specifications after 2.3. The changes mainly include:

Browse Source 
1. Add EFI_IPSEC2_PROTOCOL
  2. Remove IPsec Authentication Algorithm Definition and IPsec Encryption Algorithm    
     Definition.
  3. Add EFI_IPSEC_SA_DATA2 data structure.
And also update IPv4 driver to call EFI_IPSEC2_PROTOCOL.

git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@10941 6f19259b-4bc3-4df7-8a09-765794883524
This commit is contained in:
qianouyang
2010-10-15 05:40:41 +00:00
parent a725268048
commit 705f53a9b4
9 changed files with 506 additions and 200 deletions
Download Patch File Download Diff File Expand all files Collapse all files

130
MdePkg/Include/Protocol/IpSec.h
View File

@@ -1,7 +1,14 @@
/** @file
EFI IPSEC Protocol Definition
The EFI_IPSEC_PROTOCOL is used to abstract the ability to deal with the individual
packets sent and received by the host and provide packet-level security for IP datagram.
packets sent and received by the host and provide packet-level security for IP
datagram.
The EFI_IPSEC2_PROTOCOL is used to abstract the ability to deal with the individual
packets sent and received by the host and provide packet-level security for IP
datagram. In addition, it supports the Option (extension header) processing in
IPsec which doesn't support in EFI_IPSEC_PROTOCOL. It is also recommended to
use EFI_IPSEC2_PROTOCOL instead of EFI_IPSEC_PROTOCOL especially for IPsec Tunnel
Mode.
Copyright (c) 2009 - 2010, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
@@ -27,7 +34,13 @@
0xdfb386f7, 0xe100, 0x43ad, {0x9c, 0x9a, 0xed, 0x90, 0xd0, 0x8a, 0x5e, 0x12 } \
}
#define EFI_IPSEC2_PROTOCOL_GUID \
{ \
0xa3979e64, 0xace8, 0x4ddc, {0xbc, 0x7, 0x4d, 0x66, 0xb8, 0xfd, 0x9, 0x77 } \
}
typedef struct _EFI_IPSEC_PROTOCOL EFI_IPSEC_PROTOCOL;
typedef struct _EFI_IPSEC2_PROTOCOL EFI_IPSEC2_PROTOCOL;
///
/// EFI_IPSEC_FRAGMENT_DATA
@@ -93,6 +106,119 @@ struct _EFI_IPSEC_PROTOCOL {
BOOLEAN DisabledFlag; ///< State of the interface.
};
extern EFI_GUID gEfiIpSecProtocolGuid;
/**
Handles IPsec processing for both inbound and outbound IP packets. Compare with
Process() in EFI_IPSEC_PROTOCOL, this interface has the capability to process
Option(Extension Header).
The EFI_IPSEC2_PROCESS process routine handles each inbound or outbound packet.
The behavior is that it can perform one of the following actions:
bypass the packet, discard the packet, or protect the packet.
@param[in] This Pointer to the EFI_IPSEC2_PROTOCOL instance.
@param[in] NicHandle Instance of the network interface.
@param[in] IpVer IP version.IPv4 or IPv6.
@param[in, out] IpHead Pointer to the IP Header it is either
the EFI_IP4_HEADER or EFI_IP6_HEADER.
On input, it contains the IP header.
On output, 1) in tunnel mode and the
traffic direction is inbound, the buffer
will be reset to zero by IPsec; 2) in
tunnel mode and the traffic direction
is outbound, the buffer will reset to
be the tunnel IP header.3) in transport
mode, the related fielders (like payload
length, Next header) in IP header will
be modified according to the condition.
@param[in, out] LastHead For IP4, it is the next protocol in IP
header. For IP6 it is the Next Header
of the last extension header.
@param[in, out] OptionsBuffer On input, it contains the options
(extensions header) to be processed by
IPsec. On output, 1) in tunnel mode and
the traffic direction is outbound, it
will be set to NULL, and that means this
contents was wrapped after inner header
and should not be concatenated after
tunnel header again; 2) in transport
mode and the traffic direction is inbound,
if there are IP options (extension headers)
protected by IPsec, IPsec will concatenate
the those options after the input options
(extension headers); 3) on other situations,
the output of contents of OptionsBuffer
might be same with input's. The caller
should take the responsibility to free
the buffer both on input and on output.
@param[in, out] OptionsLength On input, the input length of the options
buffer. On output, the output length of
the options buffer.
@param[in, out] FragmentTable Pointer to a list of fragments. On input,
these fragments contain the IP payload.
On output, 1) in tunnel mode and the traffic
direction is inbound, the fragments contain
the whole IP payload which is from the
IP inner header to the last byte of the
packet; 2) in tunnel mode and the traffic
direction is the outbound, the fragments
contains the whole encapsulated payload
which encapsulates the whole IP payload
between the encapsulated header and
encapsulated trailer fields. 3) in transport
mode and the traffic direction is inbound,
the fragments contains the IP payload
which is from the next layer protocol to
the last byte of the packet; 4) in transport
mode and the traffic direction is outbound,
the fragments contains the whole encapsulated
payload which encapsulates the next layer
protocol information between the encapsulated
header and encapsulated trailer fields.
@param[in, out] FragmentCount Number of fragments.
@param[in] TrafficDirection Traffic direction.
@param[out] RecycleSignal Event for recycling of resources.
@retval EFI_SUCCESS The packet was processed by IPsec successfully.
@retval EFI_ACCESS_DENIED The packet was discarded.
@retval EFI_NOT_READY The IKE negotiation is invoked and the packet
was discarded.
@retval EFI_INVALID_PARAMETER One or more of following are TRUE:
If OptionsBuffer is NULL;
If OptionsLength is NULL;
If FragmentTable is NULL;
If FragmentCount is NULL.
**/
typedef
EFI_STATUS
(EFIAPI *EFI_IPSEC_PROCESSEXT) (
IN EFI_IPSEC2_PROTOCOL *This,
IN EFI_HANDLE NicHandle,
IN UINT8 IpVer,
IN OUT VOID *IpHead,
IN OUT UINT8 *LastHead,
IN OUT VOID **OptionsBuffer,
IN OUT UINT32 *OptionsLength,
IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable,
IN OUT UINT32 *FragmentCount,
IN EFI_IPSEC_TRAFFIC_DIR TrafficDirection,
OUT EFI_EVENT *RecycleSignal
);
///
/// EFI_IPSEC2_PROTOCOL
/// supports the Option (extension header) processing in IPsec which doesn't support
/// in EFI_IPSEC_PROTOCOL. It is also recommended to use EFI_IPSEC2_PROTOCOL instead
/// of EFI_IPSEC_PROTOCOL especially for IPsec Tunnel Mode.
/// provides the ability for securing IP communications by authenticating and/or
/// encrypting each IP packet in a data stream.
///
struct _EFI_IPSEC2_PROTOCOL {
EFI_IPSEC_PROCESSEXT ProcessExt;
EFI_EVENT DisabledEvent;
BOOLEAN DisabledFlag;
};
extern EFI_GUID gEfiIpSecProtocolGuid;
extern EFI_GUID gEfiIpSec2ProtocolGuid;
#endif

84
MdePkg/Include/Protocol/IpSecConfig.h
View File

@@ -302,38 +302,6 @@ typedef struct _EFI_IPSEC_PROCESS_POLICY {
UINT8 EncAlgoId;
} EFI_IPSEC_PROCESS_POLICY;
///
/// IPsec Authentication Algorithm Definition
/// The number value definition is aligned to IANA assignment
///
#define EFI_IPSEC_AALG_NONE 0x00
#define EFI_IPSEC_AALG_MD5HMAC 0x02
#define EFI_IPSEC_AALG_SHA1HMAC 0x03
#define EFI_IPSEC_AALG_SHA2_256HMAC 0x05
#define EFI_IPSEC_AALG_SHA2_384HMAC 0x06
#define EFI_IPSEC_AALG_SHA2_512HMAC 0x07
#define EFI_IPSEC_AALG_AES_XCBC_MAC 0x09
#define EFI_IPSEC_AALG_NULL 0xFB
///
/// IPsec Encryption Algorithm Definition
/// The number value definition is aligned to IANA assignment
///
#define EFI_IPSEC_EALG_NONE 0x00
#define EFI_IPSEC_EALG_DESCBC 0x02
#define EFI_IPSEC_EALG_3DESCBC 0x03
#define EFI_IPSEC_EALG_CASTCBC 0x06
#define EFI_IPSEC_EALG_BLOWFISHCBC 0x07
#define EFI_IPSEC_EALG_NULL 0x0B
#define EFI_IPSEC_EALG_AESCBC 0x0C
#define EFI_IPSEC_EALG_AESCTR 0x0D
#define EFI_IPSEC_EALG_AES_CCM_ICV8 0x0E
#define EFI_IPSEC_EALG_AES_CCM_ICV12 0x0F
#define EFI_IPSEC_EALG_AES_CCM_ICV16 0x10
#define EFI_IPSEC_EALG_AES_GCM_ICV8 0x12
#define EFI_IPSEC_EALG_AES_GCM_ICV12 0x13
#define EFI_IPSEC_EALG_AES_GCM_ICV16 0x14
///
/// EFI_IPSEC_SA_ID
/// A triplet to identify an SA, consisting of the following members.
@@ -486,6 +454,58 @@ typedef struct _EFI_IPSEC_SA_DATA {
BOOLEAN ManualSet;
} EFI_IPSEC_SA_DATA;
///
/// EFI_IPSEC_SA_DATA2
///
typedef struct _EFI_IPSEC_SA_DATA2 {
///
/// IPsec mode: tunnel or transport
///
EFI_IPSEC_MODE Mode;
///
/// Sequence Number Counter. A 64-bit counter used to generate the sequence
/// number field in AH or ESP headers.
///
UINT64 SNCount;
///
/// Anti-Replay Window. A 64-bit counter and a bit-map used to determine
/// whether an inbound AH or ESP packet is a replay.
///
UINT8 AntiReplayWindows;
///
/// AH/ESP cryptographic algorithm, key and parameters.
///
EFI_IPSEC_ALGO_INFO AlgoInfo;
///
/// Lifetime of this SA.
///
EFI_IPSEC_SA_LIFETIME SaLifetime;
///
/// Any observed path MTU and aging variables. The Path MTU processing is
/// defined in section 8 of RFC 4301.
///
UINT32 PathMTU;
///
/// Link to one SPD entry
///
EFI_IPSEC_SPD_SELECTOR *SpdSelector;
///
/// Indication of whether it's manually set or negotiated automatically.
/// If ManualSet is FALSE, the corresponding SA entry is inserted through IKE
/// protocol negotiation
///
BOOLEAN ManualSet;
///
/// The tunnel header IP source address.
///
EFI_IP_ADDRESS TunnelSourceAddress;
///
/// The tunnel header IP destination address.
///
EFI_IP_ADDRESS TunnelDestinationAddress;
} EFI_IPSEC_SA_DATA2;
///
/// EFI_IPSEC_PAD_ID
/// specifies the identifier for PAD entry, which is also used for SPD lookup.