a3bcde70 HT |
1 | /** @file\r |
2 | The definitions related to IPsec protocol implementation.\r | |
3 | \r | |
47b27101 | 4 | Copyright (c) 2009 - 2011, Intel Corporation. All rights reserved.<BR>\r |
a3bcde70 HT |
5 | \r |
6 | This program and the accompanying materials\r | |
7 | are licensed and made available under the terms and conditions of the BSD License\r | |
8 | which accompanies this distribution. The full text of the license may be found at\r | |
9 | http://opensource.org/licenses/bsd-license.php.\r | |
10 | \r | |
11 | THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,\r | |
12 | WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r | |
13 | \r | |
14 | **/\r | |
15 | \r | |
16 | #ifndef _IP_SEC_IMPL_H_\r | |
17 | #define _IP_SEC_IMPL_H_\r | |
18 | \r | |
19 | #include <Uefi.h>\r | |
20 | #include <Library/UefiLib.h>\r | |
21 | #include <Library/NetLib.h>\r | |
22 | #include <Library/BaseMemoryLib.h>\r | |
23 | #include <Library/UefiBootServicesTableLib.h>\r | |
24 | #include <Library/MemoryAllocationLib.h>\r | |
25 | #include <Protocol/IpSec.h>\r | |
26 | #include <Protocol/IpSecConfig.h>\r | |
27 | #include <Protocol/Dpc.h>\r | |
28 | #include <Protocol/ComponentName.h>\r | |
29 | #include <Protocol/ComponentName2.h>\r | |
30 | \r | |
31 | typedef struct _IPSEC_PRIVATE_DATA IPSEC_PRIVATE_DATA;\r | |
32 | typedef struct _IPSEC_SPD_ENTRY IPSEC_SPD_ENTRY;\r | |
33 | typedef struct _IPSEC_PAD_ENTRY IPSEC_PAD_ENTRY;\r | |
34 | typedef struct _IPSEC_SPD_DATA IPSEC_SPD_DATA;\r | |
35 | \r | |
36 | #define IPSEC_PRIVATE_DATA_SIGNATURE SIGNATURE_32 ('I', 'P', 'S', 'E')\r | |
37 | \r | |
38 | #define IPSEC_PRIVATE_DATA_FROM_IPSEC(a) CR (a, IPSEC_PRIVATE_DATA, IpSec, IPSEC_PRIVATE_DATA_SIGNATURE)\r | |
39 | #define IPSEC_PRIVATE_DATA_FROM_UDP4LIST(a) CR (a, IPSEC_PRIVATE_DATA, Udp4List, IPSEC_PRIVATE_DATA_SIGNATURE)\r | |
40 | #define IPSEC_PRIVATE_DATA_FROM_UDP6LIST(a) CR (a, IPSEC_PRIVATE_DATA, Udp6List, IPSEC_PRIVATE_DATA_SIGNATURE)\r | |
41 | #define IPSEC_UDP_SERVICE_FROM_LIST(a) BASE_CR (a, IKE_UDP_SERVICE, List)\r | |
42 | #define IPSEC_SPD_ENTRY_FROM_LIST(a) BASE_CR (a, IPSEC_SPD_ENTRY, List)\r | |
43 | #define IPSEC_SAD_ENTRY_FROM_LIST(a) BASE_CR (a, IPSEC_SAD_ENTRY, List)\r | |
44 | #define IPSEC_PAD_ENTRY_FROM_LIST(a) BASE_CR (a, IPSEC_PAD_ENTRY, List)\r | |
45 | #define IPSEC_SAD_ENTRY_FROM_SPD(a) BASE_CR (a, IPSEC_SAD_ENTRY, BySpd)\r | |
46 | \r | |
47 | #define IPSEC_STATUS_DISABLED 0\r | |
48 | #define IPSEC_STATUS_ENABLED 1\r | |
49 | #define IPSEC_ESP_PROTOCOL 50\r | |
50 | #define IPSEC_AH_PROTOCOL 51\r | |
51 | #define IPSEC_DEFAULT_VARIABLE_SIZE 0x100\r | |
52 | \r | |
53 | //\r | |
54 | // Internal Structure Definition\r | |
55 | //\r | |
56 | #pragma pack(1)\r | |
57 | typedef struct _EFI_AH_HEADER { // IPsec Authentication Header (IP protocol IPSEC_AH_PROTOCOL = 51); packed so it maps directly onto the wire format\r | |
58 | UINT8 NextHeader; // IP protocol number of the header that follows the AH (RFC 4302)\r | |
59 | UINT8 PayloadLen; // AH length field; RFC 4302 defines it in 32-bit words minus 2 -- confirm how the parser interprets it before trusting it for trimming\r | |
60 | UINT16 Reserved; // Reserved on the wire; RFC 4302 says it should be zero\r | |
61 | UINT32 Spi; // Security Parameters Index used to select the SAD entry (see IpSecLookupSadBySpi)\r | |
62 | UINT32 SequenceNumber; // 32-bit on-wire sequence number; the SAD keeps a 64-bit counter in IPSEC_SAD_DATA.SequenceNumber\r | |
63 | } EFI_AH_HEADER;\r | |
64 | \r | |
65 | typedef struct _EFI_ESP_HEADER { // IPsec ESP header (IP protocol IPSEC_ESP_PROTOCOL = 50); packed so it maps directly onto the wire format\r | |
66 | UINT32 Spi; // Security Parameters Index used to select the SAD entry (see IpSecLookupSadBySpi)\r | |
67 | UINT32 SequenceNumber; // 32-bit on-wire sequence number; only the low half of the 64-bit counter when ESNEnabled is set in the SAD\r | |
68 | } EFI_ESP_HEADER;\r | |
69 | \r | |
70 | typedef struct _EFI_ESP_TAIL { // ESP trailer that follows the payload padding (RFC 4303); packed to the wire format\r | |
71 | UINT8 PaddingLength; // Number of padding bytes that precede this trailer; NOTE(review): must be checked against the payload length before trimming -- confirm in IpSecProtectInboundPacket\r | |
72 | UINT8 NextHeader; // IP protocol number of the encapsulated payload\r | |
73 | } EFI_ESP_TAIL;\r | |
74 | #pragma pack()\r | |
75 | \r | |
76 | struct _IPSEC_SPD_DATA { // Policy data referenced by an SPD entry (IPSEC_SPD_ENTRY.Data)\r | |
77 | CHAR16 Name[100]; // Fixed-size policy name; writers must bound the copy and keep it NUL-terminated -- confirm at the call sites\r | |
78 | UINT32 PackageFlag;\r | |
96702f88 | 79 | EFI_IPSEC_TRAFFIC_DIR TrafficDirection; // Inbound or outbound traffic this policy applies to\r |
a3bcde70 HT |
80 | EFI_IPSEC_ACTION Action; // Bypass, discard or protect decision for matching traffic\r |
81 | EFI_IPSEC_PROCESS_POLICY *ProcessingPolicy; // Processing parameters used when Action is protect -- presumably; confirm\r | |
82 | LIST_ENTRY Sas; // Head of the list of IPSEC_SAD_ENTRY linked through BySpd (see IPSEC_SAD_ENTRY_FROM_SPD)\r | |
83 | };\r | |
84 | \r | |
85 | struct _IPSEC_SPD_ENTRY { // One SPD entry: a traffic selector plus the policy data it maps to, linked on the SPD list\r | |
86 | EFI_IPSEC_SPD_SELECTOR *Selector; // Traffic selector matched by IpSecLookupSpdEntry\r | |
87 | IPSEC_SPD_DATA *Data; // Policy applied when Selector matches\r | |
88 | LIST_ENTRY List; // Link for the SPD list; recover the entry with IPSEC_SPD_ENTRY_FROM_LIST\r | |
89 | };\r | |
90 | \r | |
91 | typedef struct _IPSEC_SAD_DATA { // Per-SA state referenced by a SAD entry (IPSEC_SAD_ENTRY.Data)\r | |
68d3f2fb | 92 | EFI_IPSEC_MODE Mode; // Transport or tunnel mode of this SA\r |
93 | UINT64 SequenceNumber; // 64-bit counter; only the low 32 bits fit in EFI_AH_HEADER/EFI_ESP_HEADER.SequenceNumber on the wire\r | |
94 | UINT8 AntiReplayWindowSize; // Window size in bits -- presumably; the bitmap below holds 4 * 64 = 256 bits, so every UINT8 value fits\r | |
95 | UINT64 AntiReplayBitmap[4]; // bitmap of sequence numbers already received inside the anti-replay window\r | |
96 | EFI_IPSEC_ALGO_INFO AlgoInfo; // Algorithm and key material for this SA\r | |
97 | EFI_IPSEC_SA_LIFETIME SaLifetime;\r | |
98 | UINT32 PathMTU;\r | |
99 | IPSEC_SPD_ENTRY *SpdEntry; // SPD entry this SA was established for\r | |
100 | EFI_IPSEC_SPD_SELECTOR *SpdSelector;\r | |
101 | BOOLEAN ESNEnabled; // Extended (64-bit) SN enabled\r | |
102 | BOOLEAN ManualSet; // TRUE when the SA was configured manually rather than negotiated -- presumably; confirm\r | |
103 | EFI_IP_ADDRESS TunnelDestAddress; // Outer tunnel endpoint addresses; meaningful only in tunnel mode -- presumably\r | |
104 | EFI_IP_ADDRESS TunnelSourceAddress;\r | |
a3bcde70 HT |
105 | } IPSEC_SAD_DATA;\r |
106 | \r | |
107 | typedef struct _IPSEC_SAD_ENTRY { // One SAD entry: the SA identifier plus its state, linked on both the SAD list and its SPD entry\r | |
108 | EFI_IPSEC_SA_ID *Id; // Identifier matched by IpSecLookupSadBySpi\r | |
109 | IPSEC_SAD_DATA *Data; // SA state (sequence numbers, replay window, algorithms)\r | |
110 | LIST_ENTRY List; // Link for the global SAD list; recover the entry with IPSEC_SAD_ENTRY_FROM_LIST\r | |
111 | LIST_ENTRY BySpd; // Linked on IPSEC_SPD_DATA.Sas\r | |
112 | } IPSEC_SAD_ENTRY;\r | |
113 | \r | |
114 | struct _IPSEC_PAD_ENTRY { // Peer Authorization Database entry: peer identifier plus its authentication data\r | |
115 | EFI_IPSEC_PAD_ID *Id; // Peer identifier looked up by IpSecLookupPadEntry\r | |
116 | EFI_IPSEC_PAD_DATA *Data;\r | |
117 | LIST_ENTRY List; // Link for the PAD list; recover the entry with IPSEC_PAD_ENTRY_FROM_LIST\r | |
118 | };\r | |
119 | \r | |
120 | typedef struct _IPSEC_RECYCLE_CONTEXT { // Buffers handed to the caller that are released when the RecycleEvent fires -- presumably; confirm in the recycle callback\r | |
121 | EFI_IPSEC_FRAGMENT_DATA *FragmentTable;\r | |
122 | UINT8 *PayloadBuffer;\r | |
123 | } IPSEC_RECYCLE_CONTEXT;\r | |
124 | \r | |
9166f840 | 125 | //\r |
126 | // Struct used to store the Hash and its data.\r | |
127 | //\r | |
44de1013 HT |
128 | typedef struct { // One contiguous fragment of input to a hash computation\r |
129 | UINTN DataSize; // Number of bytes at Data\r | |
130 | UINT8 *Data; // Bytes to be hashed; not owned by this struct -- presumably\r | |
9166f840 | 131 | } HASH_DATA_FRAGMENT;\r |
132 | \r | |
a3bcde70 HT |
133 | struct _IPSEC_PRIVATE_DATA { // Driver-wide state; recovered from embedded protocol and list pointers via the IPSEC_PRIVATE_DATA_FROM_* macros\r |
134 | UINT32 Signature; // Must hold IPSEC_PRIVATE_DATA_SIGNATURE; CR() in the FROM_* macros verifies it in DEBUG builds\r | |
135 | EFI_HANDLE Handle; // Virtual handle to install private protocol\r | |
136 | EFI_HANDLE ImageHandle;\r | |
68d3f2fb | 137 | EFI_IPSEC2_PROTOCOL IpSec; // Published EFI_IPSEC2_PROTOCOL instance (see IpSecProcess)\r |
a3bcde70 HT |
138 | EFI_IPSEC_CONFIG_PROTOCOL IpSecConfig; // Published configuration protocol for the SPD/SAD/PAD\r |
139 | BOOLEAN SetBySelf;\r | |
140 | LIST_ENTRY Udp4List; // IKE_UDP_SERVICE instances over IPv4 (see IPSEC_UDP_SERVICE_FROM_LIST)\r | |
141 | UINTN Udp4Num; // Element count of Udp4List\r | |
142 | LIST_ENTRY Udp6List; // IKE_UDP_SERVICE instances over IPv6\r | |
143 | UINTN Udp6Num; // Element count of Udp6List\r | |
144 | LIST_ENTRY Ikev1SessionList; // IKEv1 sessions still negotiating\r | |
145 | LIST_ENTRY Ikev1EstablishedList; // IKEv1 sessions that completed negotiation\r | |
146 | LIST_ENTRY Ikev2SessionList; // IKEv2 sessions still negotiating\r | |
147 | LIST_ENTRY Ikev2EstablishedList; // IKEv2 sessions that completed negotiation\r | |
148 | BOOLEAN IsIPsecDisabling; // Set while the driver is being disabled so in-flight work can bail out -- presumably; confirm\r | |
149 | };\r | |
150 | \r | |
151 | /**\r | |
152 | This function processes the inbound traffic with IPsec.\r | |
153 | \r | |
9166f840 | 154 | It checks the security properties of the received packet, trims the ESP/AH header, and then\r |
a3bcde70 | 155 | returns the IP header and FragmentTable with the IPsec protection removed.\r |
9166f840 | 156 | \r |
a3bcde70 | 157 | @param[in] IpVersion The version of IP.\r |
9166f840 | 158 | @param[in, out] IpHead Points to IP header containing the ESP/AH header \r |
a3bcde70 HT |
159 | to be trimmed on input, and without ESP/AH header\r |
160 | on return.\r | |
9166f840 | 161 | @param[in, out] LastHead The Last Header in IP header on return.\r |
47b27101 | 162 | @param[in, out] OptionsBuffer Pointer to the options buffer.\r |
163 | @param[in, out] OptionsLength Length of the options buffer.\r | |
9166f840 | 164 | @param[in, out] FragmentTable Pointer to a list of fragments in form of IPsec\r |
a3bcde70 HT |
165 | protected on input, and without IPsec protected\r |
166 | on return.\r | |
9166f840 | 167 | @param[in, out] FragmentCount The number of fragments.\r |
a3bcde70 | 168 | @param[out] SpdEntry Pointer to contain the address of SPD entry on return.\r |
9166f840 | 169 | @param[out] RecycleEvent The event for recycling of resources.\r |
a3bcde70 | 170 | \r |
9166f840 | 171 | @retval EFI_SUCCESS The operation was successful.\r |
172 | @retval EFI_UNSUPPORTED The IPSEC protocol is not supported.\r | |
a3bcde70 HT |
173 | \r |
174 | **/\r | |
175 | EFI_STATUS\r | |
176 | IpSecProtectInboundPacket (\r | |
177 | IN UINT8 IpVersion,\r | |
178 | IN OUT VOID *IpHead,\r | |
9166f840 | 179 | IN OUT UINT8 *LastHead,\r |
47b27101 | 180 | IN OUT VOID **OptionsBuffer,\r |
181 | IN OUT UINT32 *OptionsLength,\r | |
a3bcde70 | 182 | IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable,\r |
68d3f2fb | 183 | IN OUT UINT32 *FragmentCount,\r |
9166f840 | 184 | OUT EFI_IPSEC_SPD_SELECTOR **SpdEntry,\r |
a3bcde70 HT |
185 | OUT EFI_EVENT *RecycleEvent\r |
186 | );\r | |
187 | \r | |
188 | \r | |
189 | /**\r | |
190 | This function processes the outbound traffic with IPsec.\r | |
191 | \r | |
192 | It protects the outgoing packet by encrypting its payload and inserting an ESP/AH header\r | |
193 | into the original IP header, then returns the IpHeader and the IPsec-protected FragmentTable.\r | |
194 | \r | |
195 | @param[in] IpVersion The version of IP.\r | |
196 | @param[in, out] IpHead Points to the IP header containing the original IP header\r | |
197 | to be processed on input, and inserted ESP/AH header\r | |
198 | on return.\r | |
68d3f2fb | 199 | @param[in, out] LastHead The Last Header in IP header.\r |
47b27101 | 200 | @param[in, out] OptionsBuffer Pointer to the options buffer.\r |
201 | @param[in, out] OptionsLength Length of the options buffer.\r | |
a3bcde70 HT |
202 | @param[in, out] FragmentTable Pointer to a list of fragments to be protected by\r |
203 | IPsec on input, and with IPsec protected\r | |
204 | on return.\r | |
68d3f2fb | 205 | @param[in, out] FragmentCount Number of fragments.\r |
a3bcde70 HT |
206 | @param[in] SadEntry Related SAD entry.\r |
207 | @param[out] RecycleEvent Event for recycling of resources.\r | |
208 | \r | |
209 | @retval EFI_SUCCESS The operation is successful.\r | |
210 | @retval EFI_UNSUPPORTED If the IPSEC protocol is not supported.\r | |
211 | \r | |
212 | **/\r | |
213 | EFI_STATUS\r | |
214 | IpSecProtectOutboundPacket (\r | |
215 | IN UINT8 IpVersion,\r | |
216 | IN OUT VOID *IpHead,\r | |
68d3f2fb | 217 | IN OUT UINT8 *LastHead,\r |
47b27101 | 218 | IN OUT VOID **OptionsBuffer,\r |
219 | IN OUT UINT32 *OptionsLength,\r | |
a3bcde70 | 220 | IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable,\r |
68d3f2fb | 221 | IN OUT UINT32 *FragmentCount,\r |
a3bcde70 HT |
222 | IN IPSEC_SAD_ENTRY *SadEntry,\r |
223 | OUT EFI_EVENT *RecycleEvent\r | |
224 | );\r | |
225 | \r | |
226 | /**\r | |
227 | Check if the IP address is within the address ranges of the specified AddressInfos.\r | |
228 | \r | |
229 | @param[in] IpVersion The IP version.\r | |
230 | @param[in] IpAddr Points to the EFI_IP_ADDRESS to be checked.\r | |
231 | @param[in] AddressInfo A list of EFI_IP_ADDRESS_INFO entries against which\r | |
232 | the IP address is matched.\r | |
233 | @param[in] AddressCount The number of entries in AddressInfo.\r | |
234 | \r | |
235 | @retval TRUE If the Specified IP Address is in the range of the AddressInfos specified.\r | |
236 | @retval FALSE If the Specified IP Address is not in the range of the AddressInfos specified.\r | |
237 | \r | |
238 | **/\r | |
239 | BOOLEAN\r | |
240 | IpSecMatchIpAddress (\r | |
241 | IN UINT8 IpVersion,\r | |
242 | IN EFI_IP_ADDRESS *IpAddr,\r | |
243 | IN EFI_IP_ADDRESS_INFO *AddressInfo,\r | |
244 | IN UINT32 AddressCount\r | |
245 | );\r | |
246 | \r | |
247 | /**\r | |
248 | Find a PAD entry according to remote IP address.\r | |
249 | \r | |
250 | @param[in] IpVersion The version of IP.\r | |
251 | @param[in] IpAddr Points to the remote IP address.\r | |
252 | \r | |
253 | @return The pointer to the related PAD entry.\r | |
254 | \r | |
255 | **/\r | |
256 | IPSEC_PAD_ENTRY *\r | |
257 | IpSecLookupPadEntry (\r | |
258 | IN UINT8 IpVersion,\r | |
259 | IN EFI_IP_ADDRESS *IpAddr\r | |
260 | );\r | |
261 | \r | |
9166f840 | 262 | /**\r |
263 | Check if the specified IP packet can be serviced by this SPD entry.\r | |
264 | \r | |
265 | @param[in] SpdEntry Points to the SPD entry.\r | |
266 | @param[in] IpVersion Version of IP.\r | |
267 | @param[in] IpHead Points to the IP header.\r | |
268 | @param[in] IpPayload Points to the IP payload.\r | |
269 | @param[in] Protocol The Last protocol of IP packet.\r | |
270 | @param[in] IsOutbound Traffic direction.\r | |
271 | @param[out] Action The support action of SPD entry.\r | |
272 | \r | |
273 | @retval EFI_SUCCESS The related SPD entry was found.\r | |
274 | @retval EFI_NOT_FOUND The related SPD entry was not found.\r | |
275 | \r | |
276 | **/\r | |
277 | EFI_STATUS\r | |
278 | IpSecLookupSpdEntry (\r | |
279 | IN IPSEC_SPD_ENTRY *SpdEntry,\r | |
280 | IN UINT8 IpVersion,\r | |
281 | IN VOID *IpHead,\r | |
282 | IN UINT8 *IpPayload,\r | |
283 | IN UINT8 Protocol,\r | |
284 | IN BOOLEAN IsOutbound, \r | |
285 | OUT EFI_IPSEC_ACTION *Action\r | |
286 | );\r | |
287 | \r | |
288 | /**\r | |
289 | Look up if there is existing SAD entry for specified IP packet sending.\r | |
290 | \r | |
291 | This function is called by IpSecProcess when an IP packet needs to be\r | |
292 | sent out. It checks whether an existing SAD entry can service this\r | |
293 | outgoing IP packet. If no existing SAD entry can be used, this\r | |
294 | function invokes an IPsec key exchange negotiation.\r | |
295 | \r | |
296 | @param[in] Private Points to private data.\r | |
297 | @param[in] NicHandle Points to a NIC handle.\r | |
298 | @param[in] IpVersion The version of IP.\r | |
299 | @param[in] IpHead The IP Header of packet to be sent out.\r | |
300 | @param[in] IpPayload The IP Payload to be sent out.\r | |
301 | @param[in] OldLastHead The Last protocol of the IP packet.\r | |
302 | @param[in] SpdEntry Points to a related SPD entry.\r | |
303 | @param[out] SadEntry Receives the pointer to the related SAD entry.\r | |
304 | \r | |
305 | @retval EFI_DEVICE_ERROR One of the following conditions is TRUE:\r | |
306 | - The related UDP service was not found.\r | |
307 | - The sequence number is exhausted.\r | |
308 | - The extended sequence number is exhausted.\r | |
309 | @retval EFI_NOT_READY No existing SAD entry could be used.\r | |
310 | @retval EFI_SUCCESS The related SAD entry was found.\r | |
311 | \r | |
312 | **/\r | |
313 | EFI_STATUS\r | |
314 | IpSecLookupSadEntry (\r | |
315 | IN IPSEC_PRIVATE_DATA *Private,\r | |
316 | IN EFI_HANDLE NicHandle,\r | |
317 | IN UINT8 IpVersion,\r | |
318 | IN VOID *IpHead,\r | |
319 | IN UINT8 *IpPayload,\r | |
320 | IN UINT8 OldLastHead,\r | |
321 | IN IPSEC_SPD_ENTRY *SpdEntry,\r | |
322 | OUT IPSEC_SAD_ENTRY **SadEntry\r | |
323 | );\r | |
324 | \r | |
a3bcde70 HT |
325 | /**\r |
326 | Search the whole SAD list for the SAD entry matching the given SPI and destination address.\r | |
327 | \r | |
328 | @param[in] Spi The SPI used to search the SAD entry.\r | |
329 | @param[in] DestAddress The destination used to search the SAD entry.\r | |
9166f840 | 330 | @param[in] IpVersion The IP version. Ip4 or Ip6.\r |
a3bcde70 HT |
331 | \r |
332 | @return The pointer to the matching SAD entry.\r | |
333 | \r | |
334 | **/\r | |
335 | IPSEC_SAD_ENTRY *\r | |
336 | IpSecLookupSadBySpi (\r | |
337 | IN UINT32 Spi,\r | |
9166f840 | 338 | IN EFI_IP_ADDRESS *DestAddress,\r |
339 | IN UINT8 IpVersion\r | |
a3bcde70 HT |
340 | )\r |
341 | ;\r | |
342 | \r | |
343 | /**\r | |
344 | Handles IPsec packet processing for inbound and outbound IP packets.\r | |
345 | \r | |
346 | The EFI_IPSEC_PROCESS process routine handles each inbound or outbound packet.\r | |
347 | The behavior is that it can perform one of the following actions:\r | |
348 | bypass the packet, discard the packet, or protect the packet.\r | |
349 | \r | |
0a7294f7 | 350 | @param[in] This Pointer to the EFI_IPSEC2_PROTOCOL instance.\r |
a3bcde70 HT |
351 | @param[in] NicHandle Instance of the network interface.\r |
352 | @param[in] IpVersion IPV4 or IPV6.\r | |
353 | @param[in, out] IpHead Pointer to the IP Header.\r | |
68d3f2fb | 354 | @param[in, out] LastHead The protocol of the next layer to be processed by IPsec.\r |
355 | @param[in, out] OptionsBuffer Pointer to the options buffer.\r | |
356 | @param[in, out] OptionsLength Length of the options buffer.\r | |
a3bcde70 | 357 | @param[in, out] FragmentTable Pointer to a list of fragments.\r |
68d3f2fb | 358 | @param[in, out] FragmentCount Number of fragments.\r |
a3bcde70 HT |
359 | @param[in] TrafficDirection Traffic direction.\r |
360 | @param[out] RecycleSignal Event for recycling of resources.\r | |
361 | \r | |
362 | @retval EFI_SUCCESS The packet was bypassed and all buffers remain the same.\r | |
363 | @retval EFI_SUCCESS The packet was protected.\r | |
364 | @retval EFI_ACCESS_DENIED The packet was discarded.\r | |
365 | \r | |
366 | **/\r | |
367 | EFI_STATUS\r | |
368 | EFIAPI\r | |
369 | IpSecProcess (\r | |
68d3f2fb | 370 | IN EFI_IPSEC2_PROTOCOL *This,\r |
a3bcde70 HT |
371 | IN EFI_HANDLE NicHandle,\r |
372 | IN UINT8 IpVersion,\r | |
373 | IN OUT VOID *IpHead,\r | |
68d3f2fb | 374 | IN OUT UINT8 *LastHead,\r |
375 | IN OUT VOID **OptionsBuffer,\r | |
376 | IN OUT UINT32 *OptionsLength,\r | |
a3bcde70 | 377 | IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable,\r |
68d3f2fb | 378 | IN OUT UINT32 *FragmentCount,\r |
a3bcde70 HT |
379 | IN EFI_IPSEC_TRAFFIC_DIR TrafficDirection,\r |
380 | OUT EFI_EVENT *RecycleSignal\r | |
381 | );\r | |
382 | \r | |
383 | extern EFI_DPC_PROTOCOL *mDpc;\r | |
68d3f2fb | 384 | extern EFI_IPSEC2_PROTOCOL mIpSecInstance;\r |
a3bcde70 HT |
385 | \r |
386 | extern EFI_COMPONENT_NAME2_PROTOCOL gIpSecComponentName2;\r | |
387 | extern EFI_COMPONENT_NAME_PROTOCOL gIpSecComponentName;\r | |
388 | \r | |
389 | \r | |
390 | #endif\r |