git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@11074 6f19259b-4bc3-4df7-8a09-765794883524
/** @file
  EFI IPSEC Protocol Definition

  The EFI_IPSEC_PROTOCOL is used to abstract the ability to deal with the individual
  packets sent and received by the host and provide packet-level security for IP
  datagrams.
  The EFI_IPSEC2_PROTOCOL is used to abstract the ability to deal with the individual
  packets sent and received by the host and provide packet-level security for IP
  datagrams. In addition, it supports the Option (extension header) processing in
  IPsec, which is not supported in EFI_IPSEC_PROTOCOL. It is also recommended to
  use EFI_IPSEC2_PROTOCOL instead of EFI_IPSEC_PROTOCOL, especially for IPsec Tunnel
  Mode.

  Copyright (c) 2009 - 2010, Intel Corporation. All rights reserved.<BR>
  This program and the accompanying materials
  are licensed and made available under the terms and conditions of the BSD License
  which accompanies this distribution.  The full text of the license may be found at
  http://opensource.org/licenses/bsd-license.php

  THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
  WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.

  @par Revision Reference:
  The EFI_IPSEC2_PROTOCOL is introduced in UEFI Specification 2.3D.

**/
#ifndef __EFI_IPSEC_PROTOCOL_H__
#define __EFI_IPSEC_PROTOCOL_H__

//
// IpSecConfig.h is expected to supply EFI_IPSEC_TRAFFIC_DIR, which the
// Process()/ProcessExt() function types below take as a parameter
// (presumably; that header is not visible here).
//
#include <Protocol/IpSecConfig.h>

///
/// GUID under which an EFI_IPSEC_PROTOCOL instance is installed.
///
#define EFI_IPSEC_PROTOCOL_GUID \
  { \
    0xdfb386f7, 0xe100, 0x43ad, {0x9c, 0x9a, 0xed, 0x90, 0xd0, 0x8a, 0x5e, 0x12 } \
  }

///
/// GUID under which an EFI_IPSEC2_PROTOCOL instance is installed.
///
#define EFI_IPSEC2_PROTOCOL_GUID \
  { \
    0xa3979e64, 0xace8, 0x4ddc, {0xbc, 0x7, 0x4d, 0x66, 0xb8, 0xfd, 0x9, 0x77 } \
  }

//
// Forward declarations: the function pointer types below take a pointer to
// the protocol instance they belong to, so the struct tags are needed before
// the structs themselves are defined.
//
typedef struct _EFI_IPSEC_PROTOCOL  EFI_IPSEC_PROTOCOL;
typedef struct _EFI_IPSEC2_PROTOCOL EFI_IPSEC2_PROTOCOL;
///
/// EFI_IPSEC_FRAGMENT_DATA 
/// defines the instances of packet fragments.
///
/// A fragment is a (length, buffer) pair. This structure records nothing
/// about who owns FragmentBuffer; ownership and lifetime follow the
/// Process()/ProcessExt() contracts, which hand back a RecycleSignal event
/// for releasing resources.
///
typedef struct _EFI_IPSEC_FRAGMENT_DATA { 
  UINT32  FragmentLength;    ///< Length of the data in FragmentBuffer (bytes, presumably).
  VOID    *FragmentBuffer;   ///< Start of the fragment data.
} EFI_IPSEC_FRAGMENT_DATA; 
/**
  Handles IPsec packet processing for inbound and outbound IP packets. 

  The EFI_IPSEC_PROCESS process routine handles each inbound or outbound packet.
  The behavior is that it can perform one of the following actions: 
  bypass the packet, discard the packet, or protect the packet.       

  Both "bypassed" and "protected" report EFI_SUCCESS, so the caller cannot tell
  from the status alone whether IPsec transformed the packet; since IpHead and
  FragmentTable are IN OUT, the caller must treat them as possibly rewritten on
  any EFI_SUCCESS. EFI_ACCESS_DENIED means the packet was discarded and must not
  be delivered or transmitted.

  @param[in]      This             Pointer to the EFI_IPSEC_PROTOCOL instance.
  @param[in]      NicHandle        Instance of the network interface.
  @param[in]      IpVer            IPV4 or IPV6.
  @param[in, out] IpHead           Pointer to the IP Header. May be modified by IPsec.
  @param[in]      LastHead         The protocol of the next layer to be processed by IPsec.
  @param[in]      OptionsBuffer    Pointer to the options buffer. 
  @param[in]      OptionsLength    Length of the options buffer.
  @param[in, out] FragmentTable    Pointer to a list of fragments. May be replaced by IPsec.
  @param[in]      FragmentCount    Number of fragments.
                                   NOTE(review): declared IN only although FragmentTable
                                   is IN OUT; EFI_IPSEC_PROCESSEXT declares it IN OUT.
                                   Confirm whether the count can change when the table
                                   is replaced.
  @param[in]      TrafficDirection Traffic direction.
  @param[out]     RecycleSignal    Event for recycling of resources.
 
  @retval EFI_SUCCESS              The packet was bypassed and all buffers remain the same.
  @retval EFI_SUCCESS              The packet was protected.
  @retval EFI_ACCESS_DENIED        The packet was discarded.

**/
typedef
EFI_STATUS
(EFIAPI  *EFI_IPSEC_PROCESS)(
  IN     EFI_IPSEC_PROTOCOL      *This,
  IN     EFI_HANDLE              NicHandle,
  IN     UINT8                   IpVer,
  IN OUT VOID                    *IpHead,
  IN     UINT8                   *LastHead,
  IN     VOID                    *OptionsBuffer,
  IN     UINT32                  OptionsLength,
  IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable,
  IN     UINT32                  *FragmentCount,
  IN     EFI_IPSEC_TRAFFIC_DIR   TrafficDirection,
     OUT EFI_EVENT               *RecycleSignal
  );
///
/// EFI_IPSEC_PROTOCOL 
/// provides the ability for securing IP communications by authenticating
/// and/or encrypting each IP packet in a data stream. 
/// EFI_IPSEC_PROTOCOL can be consumed by both the IPv4 and IPv6 stack.
/// A user can employ this protocol for IPsec packet handling in both IPv4
/// and IPv6 environments.
///
/// NOTE(review): DisabledFlag and DisabledEvent expose whether IPsec is active
/// on the interface. A consumer that requires protection should check them
/// rather than assume Process() is applying a policy -- confirm against the
/// UEFI specification.
///
struct _EFI_IPSEC_PROTOCOL {
  EFI_IPSEC_PROCESS      Process;           ///< Handle the IPsec message.
  EFI_EVENT              DisabledEvent;     ///< Event signaled when the interface is disabled.
  BOOLEAN                DisabledFlag;      ///< State of the interface.
};
/**
  Handles IPsec processing for both inbound and outbound IP packets. Compared with 
  Process() in EFI_IPSEC_PROTOCOL, this interface has the capability to process 
  Options (Extension Headers). 

  The EFI_IPSEC2_PROCESS process routine handles each inbound or outbound packet.
  The behavior is that it can perform one of the following actions: 
  bypass the packet, discard the packet, or protect the packet.  

  Unlike EFI_IPSEC_PROCESS, every buffer-describing argument here is IN OUT:
  IpHead, LastHead, OptionsBuffer, OptionsLength, FragmentTable and FragmentCount
  may all be rewritten, so the caller must re-read them after the call and must
  not keep stale copies or lengths. Any status other than EFI_SUCCESS means the
  packet was not protected and must not be forwarded as if it had been; in
  particular EFI_NOT_READY is a discard, not a "retry later".

  @param[in]       This               Pointer to the EFI_IPSEC2_PROTOCOL instance.
  @param[in]       NicHandle          Instance of the network interface. 
  @param[in]       IpVer              IP version: IPv4 or IPv6.
  @param[in, out]  IpHead             Pointer to the IP header; it is either 
                                      the EFI_IP4_HEADER or EFI_IP6_HEADER.
                                      On input, it contains the IP header. 
                                      On output, 1) in tunnel mode and the 
                                      traffic direction is inbound, the buffer 
                                      will be reset to zero by IPsec; 2) in 
                                      tunnel mode and the traffic direction 
                                      is outbound, the buffer will be reset to 
                                      the tunnel IP header; 3) in transport 
                                      mode, the related fields (like payload 
                                      length, Next header) in the IP header will 
                                      be modified according to the condition.
  @param[in, out]  LastHead           For IP4, it is the next protocol in the IP
                                      header. For IP6 it is the Next Header 
                                      of the last extension header.
  @param[in, out]  OptionsBuffer      On input, it contains the options 
                                      (extension headers) to be processed by 
                                      IPsec. On output, 1) in tunnel mode and
                                      the traffic direction is outbound, it 
                                      will be set to NULL, which means the 
                                      contents were wrapped after the inner header 
                                      and should not be concatenated after the 
                                      tunnel header again; 2) in transport 
                                      mode and the traffic direction is inbound, 
                                      if there are IP options (extension headers) 
                                      protected by IPsec, IPsec will concatenate 
                                      those options after the input options 
                                      (extension headers); 3) in other situations, 
                                      the output contents of OptionsBuffer 
                                      might be the same as the input's. The caller 
                                      should take the responsibility to free 
                                      the buffer both on input and on output
                                      (i.e. on output *OptionsBuffer may point to
                                      a different allocation than on input, so
                                      the caller must keep the input pointer to
                                      free it -- presumably; verify against the
                                      implementation).
  @param[in, out]  OptionsLength      On input, the input length of the options 
                                      buffer. On output, the output length of 
                                      the options buffer.
  @param[in, out]  FragmentTable      Pointer to a list of fragments. On input, 
                                      these fragments contain the IP payload. 
                                      On output, 1) in tunnel mode and the traffic 
                                      direction is inbound, the fragments contain 
                                      the whole IP payload which is from the 
                                      IP inner header to the last byte of the 
                                      packet; 2) in tunnel mode and the traffic 
                                      direction is outbound, the fragments 
                                      contain the whole encapsulated payload 
                                      which encapsulates the whole IP payload 
                                      between the encapsulated header and 
                                      encapsulated trailer fields; 3) in transport 
                                      mode and the traffic direction is inbound, 
                                      the fragments contain the IP payload 
                                      which is from the next layer protocol to 
                                      the last byte of the packet; 4) in transport 
                                      mode and the traffic direction is outbound, 
                                      the fragments contain the whole encapsulated 
                                      payload which encapsulates the next layer 
                                      protocol information between the encapsulated 
                                      header and encapsulated trailer fields.
  @param[in, out]  FragmentCount      Number of fragments.
  @param[in]       TrafficDirection   Traffic direction.
  @param[out]      RecycleSignal      Event for recycling of resources.

  @retval      EFI_SUCCESS           The packet was processed by IPsec successfully.
  @retval      EFI_ACCESS_DENIED     The packet was discarded.
  @retval      EFI_NOT_READY         The IKE negotiation is invoked and the packet 
                                     was discarded.
  @retval      EFI_INVALID_PARAMETER One or more of the following are TRUE:
                                     If OptionsBuffer is NULL;
                                     If OptionsLength is NULL;
                                     If FragmentTable is NULL;
                                     If FragmentCount is NULL.

**/
typedef 
EFI_STATUS
(EFIAPI *EFI_IPSEC_PROCESSEXT) ( 
  IN EFI_IPSEC2_PROTOCOL         *This, 
  IN EFI_HANDLE                  NicHandle, 
  IN UINT8                       IpVer, 
  IN OUT VOID                    *IpHead, 
  IN OUT UINT8                   *LastHead, 
  IN OUT VOID                    **OptionsBuffer, 
  IN OUT UINT32                  *OptionsLength, 
  IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable, 
  IN OUT UINT32                  *FragmentCount, 
  IN EFI_IPSEC_TRAFFIC_DIR       TrafficDirection, 
     OUT EFI_EVENT               *RecycleSignal
  );
/// 
/// EFI_IPSEC2_PROTOCOL
/// supports the Option (extension header) processing in IPsec which is not supported
/// in EFI_IPSEC_PROTOCOL. It is also recommended to use EFI_IPSEC2_PROTOCOL instead
/// of EFI_IPSEC_PROTOCOL, especially for IPsec Tunnel Mode.
/// Like EFI_IPSEC_PROTOCOL, it provides the ability for securing IP communications
/// by authenticating and/or encrypting each IP packet in a data stream.
///
/// The DisabledEvent/DisabledFlag members carry the same meaning as in
/// EFI_IPSEC_PROTOCOL; only the processing entry point differs.
///
struct _EFI_IPSEC2_PROTOCOL { 
EFI_IPSEC_PROCESSEXT ProcessExt;     ///< Handle the IPsec message, including IP options (extension headers).
EFI_EVENT            DisabledEvent;  ///< Event signaled when the interface is disabled.
BOOLEAN              DisabledFlag;   ///< State of the interface.
};
//
// GUID globals corresponding to EFI_IPSEC_PROTOCOL_GUID and
// EFI_IPSEC2_PROTOCOL_GUID. They are only declared here; the definitions
// live elsewhere in the package (presumably in the package's GUID module).
//
extern EFI_GUID gEfiIpSecProtocolGuid;
extern EFI_GUID gEfiIpSec2ProtocolGuid;

#endif