/** @file
  EFI IPSEC Protocol Definition

  The EFI_IPSEC_PROTOCOL is used to abstract the ability to deal with the individual
  packets sent and received by the host and provide packet-level security for IP
  datagrams.

  The EFI_IPSEC2_PROTOCOL is used to abstract the ability to deal with the individual
  packets sent and received by the host and provide packet-level security for IP
  datagrams. In addition, it supports the Option (extension header) processing in
  IPsec which is not supported by EFI_IPSEC_PROTOCOL. It is also recommended to
  use EFI_IPSEC2_PROTOCOL instead of EFI_IPSEC_PROTOCOL, especially for IPsec Tunnel
  Mode.

  Copyright (c) 2009 - 2010, Intel Corporation. All rights reserved.<BR>
  This program and the accompanying materials
  are licensed and made available under the terms and conditions of the BSD License
  which accompanies this distribution.  The full text of the license may be found at
  http://opensource.org/licenses/bsd-license.php

  THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
  WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.

  @par Revision Reference:
  The EFI_IPSEC2_PROTOCOL is introduced in UEFI Specification 2.3D.

**/

#ifndef __EFI_IPSEC_PROTOCOL_H__
#define __EFI_IPSEC_PROTOCOL_H__

///
/// Presumably provides EFI_IPSEC_TRAFFIC_DIR, which the Process()/ProcessExt()
/// prototypes below use but this header does not define — confirm if the
/// include is ever changed.
///
#include <Protocol/IpSecConfig.h>

///
/// GUID identifying EFI_IPSEC_PROTOCOL.
/// {DFB386F7-E100-43AD-9C9A-ED90D08A5E12}
///
#define EFI_IPSEC_PROTOCOL_GUID \
  { \
    0xdfb386f7, 0xe100, 0x43ad, {0x9c, 0x9a, 0xed, 0x90, 0xd0, 0x8a, 0x5e, 0x12 } \
  }

///
/// GUID identifying EFI_IPSEC2_PROTOCOL.
/// {A3979E64-ACE8-4DDC-BC07-4D66B8FD0977}
///
#define EFI_IPSEC2_PROTOCOL_GUID \
  { \
    0xa3979e64, 0xace8, 0x4ddc, {0xbc, 0x7, 0x4d, 0x66, 0xb8, 0xfd, 0x9, 0x77 } \
  }

///
/// Forward declarations so the function-pointer typedefs below can name the
/// protocol struct they belong to before that struct is defined.
///
typedef struct _EFI_IPSEC_PROTOCOL  EFI_IPSEC_PROTOCOL;
typedef struct _EFI_IPSEC2_PROTOCOL EFI_IPSEC2_PROTOCOL;

///
/// EFI_IPSEC_FRAGMENT_DATA
/// defines the instances of packet fragments.
///
/// One entry of the FragmentTable passed to Process()/ProcessExt(): a single
/// contiguous piece of the IP payload. FragmentLength is the only size
/// information attached to FragmentBuffer, so an implementation handling
/// inbound (network-supplied, untrusted) packets must bound every read of
/// FragmentBuffer by FragmentLength and must not trust lengths carried inside
/// the packet data itself.
///
/// NOTE(review): the lifetime of FragmentBuffer after Process()/ProcessExt()
/// returns is not stated here beyond the RecycleSignal event those routines
/// hand back — confirm against the implementation before freeing or reusing it.
///
typedef struct _EFI_IPSEC_FRAGMENT_DATA {
  UINT32  FragmentLength;   ///< Length of the data at FragmentBuffer (presumably in bytes).
  VOID    *FragmentBuffer;  ///< Start of the fragment data.
} EFI_IPSEC_FRAGMENT_DATA;


/**
  Handles IPsec packet processing for inbound and outbound IP packets.

  The EFI_IPSEC_PROCESS process routine handles each inbound or outbound packet.
  The behavior is that it can perform one of the following actions:
  bypass the packet, discard the packet, or protect the packet.

  Security notes for callers and implementers:
  - "Bypassed" and "protected" both report EFI_SUCCESS, so the return status
    alone does not tell the caller whether IPsec was actually applied to the
    packet. A caller that must know (e.g. to enforce a "protected only" policy)
    cannot infer it from this status and should consult the configured IPsec
    policy instead.
  - EFI_ACCESS_DENIED means the packet was discarded; the caller must not
    transmit or deliver it.
  - For inbound traffic every input (IpHead, OptionsBuffer/OptionsLength,
    FragmentTable/FragmentCount) originates from the network and is untrusted.
    An implementation must bound all parsing by the lengths it is given here and
    must not rely on lengths embedded in the packet.
  - OptionsBuffer is [in] only in this signature (compare the [in, out]
    OptionsBuffer of ProcessExt() in EFI_IPSEC2_PROTOCOL), so IP options /
    IPv6 extension headers cannot be rewritten through this entry point; the
    file header recommends EFI_IPSEC2_PROTOCOL where that matters.

  @param[in]      This             Pointer to the EFI_IPSEC_PROTOCOL instance.
  @param[in]      NicHandle        Instance of the network interface.
  @param[in]      IpVer            IPV4 or IPV6.
  @param[in, out] IpHead           Pointer to the IP Header. Being [in, out], it may be
                                   modified in place by IPsec.
  @param[in]      LastHead         The protocol of the next layer to be processed by IPsec.
  @param[in]      OptionsBuffer    Pointer to the options buffer.
  @param[in]      OptionsLength    Length of the options buffer.
  @param[in, out] FragmentTable    Pointer to a list of fragments. Being [in, out], the
                                   table pointer itself may be replaced by IPsec.
  @param[in]      FragmentCount    Number of fragments.
  @param[in]      TrafficDirection Traffic direction.
  @param[out]     RecycleSignal    Event for recycling of resources. Presumably the
                                   caller signals it once it is done with buffers handed
                                   back by IPsec — confirm against the implementation
                                   before relying on that.

  @retval EFI_SUCCESS           The packet was bypassed and all buffers remain the same.
  @retval EFI_SUCCESS           The packet was protected.
  @retval EFI_ACCESS_DENIED     The packet was discarded.

**/
typedef
EFI_STATUS
(EFIAPI *EFI_IPSEC_PROCESS)(
  IN EFI_IPSEC_PROTOCOL           *This,
  IN EFI_HANDLE                   NicHandle,
  IN UINT8                        IpVer,
  IN OUT VOID                     *IpHead,
  IN UINT8                        *LastHead,
  IN VOID                         *OptionsBuffer,
  IN UINT32                       OptionsLength,
  IN OUT EFI_IPSEC_FRAGMENT_DATA  **FragmentTable,
  IN UINT32                       *FragmentCount,
  IN EFI_IPSEC_TRAFFIC_DIR        TrafficDirection,
  OUT EFI_EVENT                   *RecycleSignal
  );

///
/// EFI_IPSEC_PROTOCOL
/// provides the ability for securing IP communications by authenticating
/// and/or encrypting each IP packet in a data stream.
/// EFI_IPSEC_PROTOCOL can be consumed by both the IPv4 and IPv6 stack.
/// A user can employ this protocol for IPsec packet handling in both IPv4
/// and IPv6 environments.
///
/// The layout is defined by the UEFI specification and is shared between
/// producer and consumers across the protocol ABI, so members must not be
/// reordered, removed or inserted.
///
struct _EFI_IPSEC_PROTOCOL {
  EFI_IPSEC_PROCESS   Process;        ///< Handle the IPsec message.
  EFI_EVENT           DisabledEvent;  ///< Event signaled when the interface is disabled.
  BOOLEAN             DisabledFlag;   ///< State of the interface. NOTE(review): presumably TRUE
                                      ///< means IPsec is disabled; whether packets then pass
                                      ///< unprotected is not stated here — confirm against the
                                      ///< implementation before treating the flag as a policy signal.
};

/**
  Handles IPsec processing for both inbound and outbound IP packets. Compared with
  Process() in EFI_IPSEC_PROTOCOL, this interface has the capability to process
  Options (Extension Headers).

  The EFI_IPSEC2_PROCESS process routine handles each inbound or outbound packet.
  The behavior is that it can perform one of the following actions:
  bypass the packet, discard the packet, or protect the packet.

  Security notes for callers and implementers:
  - For inbound traffic, IpHead, OptionsBuffer/OptionsLength and
    FragmentTable/FragmentCount all originate from the network and are untrusted.
    An implementation must bound every access by the lengths passed in and must
    not rely on lengths encoded inside the packet.
  - In tunnel mode, inbound, IpHead is zeroed and the inner IP header is returned
    at the start of the fragments (see FragmentTable below); the caller must
    re-parse the inner header from those fragments and must not keep using the
    outer header it passed in.
  - EFI_ACCESS_DENIED and EFI_NOT_READY both mean the packet was discarded; the
    caller must not transmit or deliver it. With EFI_NOT_READY the packet that
    triggered IKE is lost, so presumably the sender has to retransmit once the
    negotiation completes — confirm against the implementation.
  - OptionsBuffer ownership: the parameter text below says the caller frees the
    buffer on input and on output, and that IPsec may replace it or set it to
    NULL. NOTE(review): whether IPsec releases the original input buffer when it
    substitutes a new one is not stated here — confirm against the
    implementation; getting this wrong is a leak or a double free.

  @param[in]      This             Pointer to the EFI_IPSEC2_PROTOCOL instance.
  @param[in]      NicHandle        Instance of the network interface.
  @param[in]      IpVer            IP version: IPv4 or IPv6.
  @param[in, out] IpHead           Pointer to the IP Header; it is either
                                   the EFI_IP4_HEADER or EFI_IP6_HEADER.
                                   On input, it contains the IP header.
                                   On output, 1) in tunnel mode and the
                                   traffic direction is inbound, the buffer
                                   will be reset to zero by IPsec; 2) in
                                   tunnel mode and the traffic direction
                                   is outbound, the buffer will be reset to
                                   be the tunnel IP header; 3) in transport
                                   mode, the related fields (like payload
                                   length, Next header) in the IP header will
                                   be modified according to the condition.
  @param[in, out] LastHead         For IP4, it is the next protocol in the IP
                                   header. For IP6 it is the Next Header
                                   of the last extension header.
  @param[in, out] OptionsBuffer    On input, it contains the options
                                   (extension headers) to be processed by
                                   IPsec. On output, 1) in tunnel mode and
                                   the traffic direction is outbound, it
                                   will be set to NULL, which means the
                                   contents were wrapped after the inner header
                                   and should not be concatenated after the
                                   tunnel header again; 2) in transport
                                   mode and the traffic direction is inbound,
                                   if there are IP options (extension headers)
                                   protected by IPsec, IPsec will concatenate
                                   those options after the input options
                                   (extension headers); 3) in other situations,
                                   the output contents of OptionsBuffer
                                   might be the same as the input's. The caller
                                   should take the responsibility to free
                                   the buffer both on input and on output.
  @param[in, out] OptionsLength    On input, the input length of the options
                                   buffer. On output, the output length of
                                   the options buffer.
  @param[in, out] FragmentTable    Pointer to a list of fragments. On input,
                                   these fragments contain the IP payload.
                                   On output, 1) in tunnel mode and the traffic
                                   direction is inbound, the fragments contain
                                   the whole IP payload, from the
                                   inner IP header to the last byte of the
                                   packet; 2) in tunnel mode and the traffic
                                   direction is outbound, the fragments
                                   contain the whole encapsulated payload,
                                   which encapsulates the whole IP payload
                                   between the encapsulation header and
                                   encapsulation trailer fields; 3) in transport
                                   mode and the traffic direction is inbound,
                                   the fragments contain the IP payload,
                                   from the next layer protocol to
                                   the last byte of the packet; 4) in transport
                                   mode and the traffic direction is outbound,
                                   the fragments contain the whole encapsulated
                                   payload, which encapsulates the next layer
                                   protocol information between the encapsulation
                                   header and encapsulation trailer fields.
  @param[in, out] FragmentCount    Number of fragments.
  @param[in]      TrafficDirection Traffic direction.
  @param[out]     RecycleSignal    Event for recycling of resources. Presumably the
                                   caller signals it once it is done with buffers
                                   handed back by IPsec — confirm against the
                                   implementation.

  @retval EFI_SUCCESS           The packet was processed by IPsec successfully.
  @retval EFI_ACCESS_DENIED     The packet was discarded.
  @retval EFI_NOT_READY         The IKE negotiation is invoked and the packet
                                was discarded.
  @retval EFI_INVALID_PARAMETER One or more of the following are TRUE:
                                OptionsBuffer is NULL;
                                OptionsLength is NULL;
                                FragmentTable is NULL;
                                FragmentCount is NULL.
                                (IpHead and LastHead are not listed here;
                                presumably NULL is rejected for them too —
                                verify rather than assume.)

**/
typedef
EFI_STATUS
(EFIAPI *EFI_IPSEC_PROCESSEXT) (
  IN EFI_IPSEC2_PROTOCOL          *This,
  IN EFI_HANDLE                   NicHandle,
  IN UINT8                        IpVer,
  IN OUT VOID                     *IpHead,
  IN OUT UINT8                    *LastHead,
  IN OUT VOID                     **OptionsBuffer,
  IN OUT UINT32                   *OptionsLength,
  IN OUT EFI_IPSEC_FRAGMENT_DATA  **FragmentTable,
  IN OUT UINT32                   *FragmentCount,
  IN EFI_IPSEC_TRAFFIC_DIR        TrafficDirection,
  OUT EFI_EVENT                   *RecycleSignal
  );

///
/// EFI_IPSEC2_PROTOCOL
/// supports the Option (extension header) processing in IPsec which is not
/// supported by EFI_IPSEC_PROTOCOL. It is also recommended to use
/// EFI_IPSEC2_PROTOCOL instead of EFI_IPSEC_PROTOCOL, especially for IPsec
/// Tunnel Mode. It provides the ability for securing IP communications by
/// authenticating and/or encrypting each IP packet in a data stream.
///
/// The layout is defined by the UEFI specification and is shared between
/// producer and consumers across the protocol ABI, so members must not be
/// reordered, removed or inserted. DisabledEvent and DisabledFlag mirror the
/// members of the same name in EFI_IPSEC_PROTOCOL.
///
struct _EFI_IPSEC2_PROTOCOL {
  EFI_IPSEC_PROCESSEXT  ProcessExt;     ///< Handle the IPsec message, including IP options / extension headers.
  EFI_EVENT             DisabledEvent;  ///< Event signaled when the interface is disabled.
  BOOLEAN               DisabledFlag;   ///< State of the interface. NOTE(review): presumably TRUE
                                        ///< means IPsec is disabled; whether packets then pass
                                        ///< unprotected is not stated here — confirm against the
                                        ///< implementation.
};

///
/// Global GUID variables matching EFI_IPSEC_PROTOCOL_GUID and
/// EFI_IPSEC2_PROTOCOL_GUID above, used when locating or installing the
/// protocols. Their definitions live outside this header.
///
extern EFI_GUID gEfiIpSecProtocolGuid;
extern EFI_GUID gEfiIpSec2ProtocolGuid;
#endif