/** @file\r
EFI IPSEC Protocol Definition\r
The EFI_IPSEC_PROTOCOL is used to abstract the ability to deal with the individual\r
- packets sent and received by the host and provide packet-level security for IP datagram.\r
+ packets sent and received by the host and provide packet-level security for IP\r
+ datagram.\r
+ The EFI_IPSEC2_PROTOCOL is used to abstract the ability to deal with the individual\r
+ packets sent and received by the host and provide packet-level security for IP\r
+ datagram. In addition, it supports the Option (extension header) processing in\r
+ IPsec which doesn't support in EFI_IPSEC_PROTOCOL. It is also recommended to\r
+ use EFI_IPSEC2_PROTOCOL instead of EFI_IPSEC_PROTOCOL especially for IPsec Tunnel\r
+ Mode.\r
\r
- Copyright (c) 2009, Intel Corporation\r
- All rights reserved. This program and the accompanying materials\r
- are licensed and made available under the terms and conditions of the BSD License\r
- which accompanies this distribution. The full text of the license may be found at\r
- http://opensource.org/licenses/bsd-license.php\r
+ Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>\r
+ SPDX-License-Identifier: BSD-2-Clause-Patent\r
\r
- THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,\r
- WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r
-\r
- @par Revision Reference: \r
- This Protocol is introduced in UEFI Specification 2.3\r
+ @par Revision Reference:\r
+ The EFI_IPSEC2_PROTOCOL is introduced in UEFI Specification 2.3D.\r
\r
**/\r
\r
0xdfb386f7, 0xe100, 0x43ad, {0x9c, 0x9a, 0xed, 0x90, 0xd0, 0x8a, 0x5e, 0x12 } \\r
}\r
\r
+#define EFI_IPSEC2_PROTOCOL_GUID \\r
+ { \\r
+ 0xa3979e64, 0xace8, 0x4ddc, {0xbc, 0x7, 0x4d, 0x66, 0xb8, 0xfd, 0x9, 0x77 } \\r
+ }\r
+\r
typedef struct _EFI_IPSEC_PROTOCOL EFI_IPSEC_PROTOCOL;\r
+typedef struct _EFI_IPSEC2_PROTOCOL EFI_IPSEC2_PROTOCOL;\r
\r
///\r
-/// EFI_IPSEC_FRAGMENT_DATA \r
+/// EFI_IPSEC_FRAGMENT_DATA\r
/// defines the instances of packet fragments.\r
///\r
-typedef struct _EFI_IPSEC_FRAGMENT_DATA { \r
+typedef struct _EFI_IPSEC_FRAGMENT_DATA {\r
UINT32 FragmentLength;\r
VOID *FragmentBuffer;\r
-} EFI_IPSEC_FRAGMENT_DATA; \r
+} EFI_IPSEC_FRAGMENT_DATA;\r
\r
\r
/**\r
- Handles IPsec packet processing for inbound and outbound IP packets. \r
+ Handles IPsec packet processing for inbound and outbound IP packets.\r
\r
The EFI_IPSEC_PROCESS process routine handles each inbound or outbound packet.\r
- The behavior is that it can perform one of the following actions: \r
- bypass the packet, discard the packet, or protect the packet. \r
+ The behavior is that it can perform one of the following actions:\r
+ bypass the packet, discard the packet, or protect the packet.\r
\r
@param[in] This Pointer to the EFI_IPSEC_PROTOCOL instance.\r
@param[in] NicHandle Instance of the network interface.\r
@param[in] IpVer IPV4 or IPV6.\r
@param[in, out] IpHead Pointer to the IP Header.\r
@param[in] LastHead The protocol of the next layer to be processed by IPsec.\r
- @param[in] OptionsBuffer Pointer to the options buffer. \r
+ @param[in] OptionsBuffer Pointer to the options buffer.\r
@param[in] OptionsLength Length of the options buffer.\r
- @param[in, out] FragmentTable Pointer to a list of fragments. \r
+ @param[in, out] FragmentTable Pointer to a list of fragments.\r
@param[in] FragmentCount Number of fragments.\r
@param[in] TrafficDirection Traffic direction.\r
@param[out] RecycleSignal Event for recycling of resources.\r
- \r
+\r
@retval EFI_SUCCESS The packet was bypassed and all buffers remain the same.\r
@retval EFI_SUCCESS The packet was protected.\r
@retval EFI_ACCESS_DENIED The packet was discarded.\r
**/\r
typedef\r
EFI_STATUS\r
-(EFIAPI *EFI_IPSEC_PROCESS) (\r
+(EFIAPI *EFI_IPSEC_PROCESS)(\r
IN EFI_IPSEC_PROTOCOL *This,\r
IN EFI_HANDLE NicHandle,\r
IN UINT8 IpVer,\r
);\r
\r
///\r
-/// EFI_IPSEC_PROTOCOL \r
+/// EFI_IPSEC_PROTOCOL\r
/// provides the ability for securing IP communications by authenticating\r
-/// and/or encrypting each IP packet in a data stream. \r
+/// and/or encrypting each IP packet in a data stream.\r
// EFI_IPSEC_PROTOCOL can be consumed by both the IPv4 and IPv6 stack.\r
// A user can employ this protocol for IPsec package handling in both IPv4\r
// and IPv6 environment.\r
BOOLEAN DisabledFlag; ///< State of the interface.\r
};\r
\r
-extern EFI_GUID gEfiIpSecProtocolGuid;\r
+/**\r
+ Handles IPsec processing for both inbound and outbound IP packets. Compare with\r
+ Process() in EFI_IPSEC_PROTOCOL, this interface has the capability to process\r
+ Option(Extension Header).\r
+\r
+ The EFI_IPSEC2_PROCESS process routine handles each inbound or outbound packet.\r
+ The behavior is that it can perform one of the following actions:\r
+ bypass the packet, discard the packet, or protect the packet.\r
+\r
+ @param[in] This Pointer to the EFI_IPSEC2_PROTOCOL instance.\r
+ @param[in] NicHandle Instance of the network interface.\r
+ @param[in] IpVer IP version.IPv4 or IPv6.\r
+ @param[in, out] IpHead Pointer to the IP Header it is either\r
+ the EFI_IP4_HEADER or EFI_IP6_HEADER.\r
+ On input, it contains the IP header.\r
+ On output, 1) in tunnel mode and the\r
+ traffic direction is inbound, the buffer\r
+ will be reset to zero by IPsec; 2) in\r
+ tunnel mode and the traffic direction\r
+ is outbound, the buffer will reset to\r
+ be the tunnel IP header.3) in transport\r
+ mode, the related fielders (like payload\r
+ length, Next header) in IP header will\r
+ be modified according to the condition.\r
+ @param[in, out] LastHead For IP4, it is the next protocol in IP\r
+ header. For IP6 it is the Next Header\r
+ of the last extension header.\r
+ @param[in, out] OptionsBuffer On input, it contains the options\r
+ (extensions header) to be processed by\r
+ IPsec. On output, 1) in tunnel mode and\r
+ the traffic direction is outbound, it\r
+ will be set to NULL, and that means this\r
+ contents was wrapped after inner header\r
+ and should not be concatenated after\r
+ tunnel header again; 2) in transport\r
+ mode and the traffic direction is inbound,\r
+ if there are IP options (extension headers)\r
+ protected by IPsec, IPsec will concatenate\r
+ the those options after the input options\r
+ (extension headers); 3) on other situations,\r
+ the output of contents of OptionsBuffer\r
+ might be same with input's. The caller\r
+ should take the responsibility to free\r
+ the buffer both on input and on output.\r
+ @param[in, out] OptionsLength On input, the input length of the options\r
+ buffer. On output, the output length of\r
+ the options buffer.\r
+ @param[in, out] FragmentTable Pointer to a list of fragments. On input,\r
+ these fragments contain the IP payload.\r
+ On output, 1) in tunnel mode and the traffic\r
+ direction is inbound, the fragments contain\r
+ the whole IP payload which is from the\r
+ IP inner header to the last byte of the\r
+ packet; 2) in tunnel mode and the traffic\r
+ direction is the outbound, the fragments\r
+ contains the whole encapsulated payload\r
+ which encapsulates the whole IP payload\r
+ between the encapsulated header and\r
+ encapsulated trailer fields. 3) in transport\r
+ mode and the traffic direction is inbound,\r
+ the fragments contains the IP payload\r
+ which is from the next layer protocol to\r
+ the last byte of the packet; 4) in transport\r
+ mode and the traffic direction is outbound,\r
+ the fragments contains the whole encapsulated\r
+ payload which encapsulates the next layer\r
+ protocol information between the encapsulated\r
+ header and encapsulated trailer fields.\r
+ @param[in, out] FragmentCount Number of fragments.\r
+ @param[in] TrafficDirection Traffic direction.\r
+ @param[out] RecycleSignal Event for recycling of resources.\r
+\r
+ @retval EFI_SUCCESS The packet was processed by IPsec successfully.\r
+ @retval EFI_ACCESS_DENIED The packet was discarded.\r
+ @retval EFI_NOT_READY The IKE negotiation is invoked and the packet\r
+ was discarded.\r
+ @retval EFI_INVALID_PARAMETER One or more of following are TRUE:\r
+ If OptionsBuffer is NULL;\r
+ If OptionsLength is NULL;\r
+ If FragmentTable is NULL;\r
+ If FragmentCount is NULL.\r
+\r
+**/\r
+typedef\r
+EFI_STATUS\r
+(EFIAPI *EFI_IPSEC_PROCESSEXT) (\r
+ IN EFI_IPSEC2_PROTOCOL *This,\r
+ IN EFI_HANDLE NicHandle,\r
+ IN UINT8 IpVer,\r
+ IN OUT VOID *IpHead,\r
+ IN OUT UINT8 *LastHead,\r
+ IN OUT VOID **OptionsBuffer,\r
+ IN OUT UINT32 *OptionsLength,\r
+ IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable,\r
+ IN OUT UINT32 *FragmentCount,\r
+ IN EFI_IPSEC_TRAFFIC_DIR TrafficDirection,\r
+ OUT EFI_EVENT *RecycleSignal\r
+ );\r
\r
+///\r
+/// EFI_IPSEC2_PROTOCOL\r
+/// supports the Option (extension header) processing in IPsec which doesn't support\r
+/// in EFI_IPSEC_PROTOCOL. It is also recommended to use EFI_IPSEC2_PROTOCOL instead\r
+/// of EFI_IPSEC_PROTOCOL especially for IPsec Tunnel Mode.\r
+/// provides the ability for securing IP communications by authenticating and/or\r
+/// encrypting each IP packet in a data stream.\r
+///\r
+struct _EFI_IPSEC2_PROTOCOL {\r
+EFI_IPSEC_PROCESSEXT ProcessExt;\r
+EFI_EVENT DisabledEvent;\r
+BOOLEAN DisabledFlag;\r
+};\r
+\r
+extern EFI_GUID gEfiIpSecProtocolGuid;\r
+extern EFI_GUID gEfiIpSec2ProtocolGuid;\r
#endif\r