[mirror_edk2.git] / MdePkg / Include / Protocol / IpSec.h

/** @file\r
  EFI IPSEC Protocol Definition\r
  The EFI_IPSEC_PROTOCOL is used to abstract the ability to deal with the individual\r
  packets sent and received by the host and provide packet-level security for IP\r
  datagram.\r
  The EFI_IPSEC2_PROTOCOL is used to abstract the ability to deal with the individual\r
  packets sent and received by the host and provide packet-level security for IP\r
  datagram. In addition, it supports the Option (extension header) processing in\r
  IPsec which doesn't support in EFI_IPSEC_PROTOCOL. It is also recommended to\r
  use EFI_IPSEC2_PROTOCOL instead of EFI_IPSEC_PROTOCOL especially for IPsec Tunnel\r
  Mode.\r
\r
  Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>\r
  SPDX-License-Identifier: BSD-2-Clause-Patent\r
\r
  @par Revision Reference:\r
  The EFI_IPSEC2_PROTOCOL is introduced in UEFI Specification 2.3D.\r
\r
**/\r
\r
#ifndef __EFI_IPSEC_PROTOCOL_H__\r
#define __EFI_IPSEC_PROTOCOL_H__\r
\r
#include <Protocol/IpSecConfig.h>\r
\r
#define EFI_IPSEC_PROTOCOL_GUID \\r
  { \\r
    0xdfb386f7, 0xe100, 0x43ad, {0x9c, 0x9a, 0xed, 0x90, 0xd0, 0x8a, 0x5e, 0x12 } \\r
  }\r
\r
#define EFI_IPSEC2_PROTOCOL_GUID \\r
  { \\r
    0xa3979e64, 0xace8, 0x4ddc, {0xbc, 0x7, 0x4d, 0x66, 0xb8, 0xfd, 0x9, 0x77 } \\r
  }\r
\r
typedef struct _EFI_IPSEC_PROTOCOL  EFI_IPSEC_PROTOCOL;\r
typedef struct _EFI_IPSEC2_PROTOCOL EFI_IPSEC2_PROTOCOL;\r
\r
///\r
/// EFI_IPSEC_FRAGMENT_DATA\r
/// defines the instances of packet fragments.\r
///\r
typedef struct _EFI_IPSEC_FRAGMENT_DATA {\r
  UINT32  FragmentLength;\r
  VOID    *FragmentBuffer;\r
} EFI_IPSEC_FRAGMENT_DATA;\r
\r
\r
/**\r
  Handles IPsec packet processing for inbound and outbound IP packets.\r
\r
  The EFI_IPSEC_PROCESS process routine handles each inbound or outbound packet.\r
  The behavior is that it can perform one of the following actions:\r
  bypass the packet, discard the packet, or protect the packet.\r
\r
  @param[in]      This             Pointer to the EFI_IPSEC_PROTOCOL instance.\r
  @param[in]      NicHandle        Instance of the network interface.\r
  @param[in]      IpVer            IPV4 or IPV6.\r
  @param[in, out] IpHead           Pointer to the IP Header.\r
  @param[in]      LastHead         The protocol of the next layer to be processed by IPsec.\r
  @param[in]      OptionsBuffer    Pointer to the options buffer.\r
  @param[in]      OptionsLength    Length of the options buffer.\r
  @param[in, out] FragmentTable    Pointer to a list of fragments.\r
  @param[in]      FragmentCount    Number of fragments.\r
  @param[in]      TrafficDirection Traffic direction.\r
  @param[out]     RecycleSignal    Event for recycling of resources.\r
\r
  @retval EFI_SUCCESS              The packet was bypassed and all buffers remain the same.\r
  @retval EFI_SUCCESS              The packet was protected.\r
  @retval EFI_ACCESS_DENIED        The packet was discarded.\r
\r
**/\r
typedef\r
EFI_STATUS\r
(EFIAPI  *EFI_IPSEC_PROCESS)(\r
  IN     EFI_IPSEC_PROTOCOL      *This,\r
  IN     EFI_HANDLE              NicHandle,\r
  IN     UINT8                   IpVer,\r
  IN OUT VOID                    *IpHead,\r
  IN     UINT8                   *LastHead,\r
  IN     VOID                    *OptionsBuffer,\r
  IN     UINT32                  OptionsLength,\r
  IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable,\r
  IN     UINT32                  *FragmentCount,\r
  IN     EFI_IPSEC_TRAFFIC_DIR   TrafficDirection,\r
     OUT EFI_EVENT               *RecycleSignal\r
  );\r
\r
///\r
/// EFI_IPSEC_PROTOCOL\r
/// provides the ability for  securing IP communications by authenticating\r
/// and/or encrypting each IP packet in a data stream.\r
//  EFI_IPSEC_PROTOCOL can be consumed by both the IPv4 and IPv6 stack.\r
//  A user can employ this protocol for IPsec package handling in both IPv4\r
//  and IPv6 environment.\r
///\r
struct _EFI_IPSEC_PROTOCOL {\r
  EFI_IPSEC_PROCESS      Process;           ///< Handle the IPsec message.\r
  EFI_EVENT              DisabledEvent;     ///< Event signaled when the interface is disabled.\r
  BOOLEAN                DisabledFlag;      ///< State of the interface.\r
};\r
\r
/**\r
  Handles IPsec processing for both inbound and outbound IP packets. Compare with\r
  Process() in EFI_IPSEC_PROTOCOL, this interface has the capability to process\r
  Option(Extension Header).\r
\r
  The EFI_IPSEC2_PROCESS process routine handles each inbound or outbound packet.\r
  The behavior is that it can perform one of the following actions:\r
  bypass the packet, discard the packet, or protect the packet.\r
\r
  @param[in]       This               Pointer to the EFI_IPSEC2_PROTOCOL instance.\r
  @param[in]       NicHandle          Instance of the network interface.\r
  @param[in]       IpVer              IP version.IPv4 or IPv6.\r
  @param[in, out]  IpHead             Pointer to the IP Header it is either\r
                                      the EFI_IP4_HEADER or EFI_IP6_HEADER.\r
                                      On input, it contains the IP header.\r
                                      On output, 1) in tunnel mode and the\r
                                      traffic direction is inbound, the buffer\r
                                      will be reset to zero by IPsec; 2) in\r
                                      tunnel mode and the traffic direction\r
                                      is outbound, the buffer will reset to\r
                                      be the tunnel IP header.3) in transport\r
                                      mode, the related fielders (like payload\r
                                      length, Next header) in IP header will\r
                                      be modified according to the condition.\r
  @param[in, out]  LastHead           For IP4, it is the next protocol in IP\r
                                      header. For IP6 it is the Next Header\r
                                      of the last extension header.\r
  @param[in, out]  OptionsBuffer      On input, it contains the options\r
                                      (extensions header) to be processed by\r
                                      IPsec. On output, 1) in tunnel mode and\r
                                      the traffic direction is outbound, it\r
                                      will be set to NULL, and that means this\r
                                      contents was wrapped after inner header\r
                                      and should not be concatenated after\r
                                      tunnel header again; 2) in transport\r
                                      mode and the traffic direction is inbound,\r
                                      if there are IP options (extension headers)\r
                                      protected by IPsec, IPsec will concatenate\r
                                      the those options after the input options\r
                                      (extension headers); 3) on other situations,\r
                                      the output of contents of OptionsBuffer\r
                                      might be same with input's. The caller\r
                                      should take the responsibility to free\r
                                      the buffer both on input and on output.\r
  @param[in, out]  OptionsLength      On input, the input length of the options\r
                                      buffer. On output, the output length of\r
                                      the options buffer.\r
  @param[in, out]  FragmentTable      Pointer to a list of fragments. On input,\r
                                      these fragments contain the IP payload.\r
                                      On output, 1) in tunnel mode and the traffic\r
                                      direction is inbound, the fragments contain\r
                                      the whole IP payload which is from the\r
                                      IP inner header to the last byte of the\r
                                      packet; 2) in tunnel mode and the traffic\r
                                      direction is the outbound, the fragments\r
                                      contains the whole encapsulated payload\r
                                      which encapsulates the whole IP payload\r
                                      between the encapsulated header and\r
                                      encapsulated trailer fields. 3) in transport\r
                                      mode and the traffic direction is inbound,\r
                                      the fragments contains the IP payload\r
                                      which is from the next layer protocol to\r
                                      the last byte of the packet; 4) in transport\r
                                      mode and the traffic direction is outbound,\r
                                      the fragments contains the whole encapsulated\r
                                      payload which encapsulates the next layer\r
                                      protocol information between the encapsulated\r
                                      header and encapsulated trailer fields.\r
  @param[in, out]  FragmentCount      Number of fragments.\r
  @param[in]       TrafficDirection   Traffic direction.\r
  @param[out]      RecycleSignal      Event for recycling of resources.\r
\r
  @retval      EFI_SUCCESS           The packet was processed by IPsec successfully.\r
  @retval      EFI_ACCESS_DENIED     The packet was discarded.\r
  @retval      EFI_NOT_READY         The IKE negotiation is invoked and the packet\r
                                     was discarded.\r
  @retval      EFI_INVALID_PARAMETER One or more of following are TRUE:\r
                                     If OptionsBuffer is NULL;\r
                                     If OptionsLength is NULL;\r
                                     If FragmentTable is NULL;\r
                                     If FragmentCount is NULL.\r
\r
**/\r
typedef\r
EFI_STATUS\r
(EFIAPI *EFI_IPSEC_PROCESSEXT) (\r
  IN EFI_IPSEC2_PROTOCOL         *This,\r
  IN EFI_HANDLE                  NicHandle,\r
  IN UINT8                       IpVer,\r
  IN OUT VOID                    *IpHead,\r
  IN OUT UINT8                   *LastHead,\r
  IN OUT VOID                    **OptionsBuffer,\r
  IN OUT UINT32                  *OptionsLength,\r
  IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable,\r
  IN OUT UINT32                  *FragmentCount,\r
  IN EFI_IPSEC_TRAFFIC_DIR       TrafficDirection,\r
     OUT EFI_EVENT               *RecycleSignal\r
  );\r
\r
///\r
/// EFI_IPSEC2_PROTOCOL\r
/// supports the Option (extension header) processing in IPsec which doesn't support\r
/// in EFI_IPSEC_PROTOCOL. It is also recommended to use EFI_IPSEC2_PROTOCOL instead\r
/// of EFI_IPSEC_PROTOCOL especially for IPsec Tunnel Mode.\r
/// provides the ability for securing IP communications by authenticating and/or\r
/// encrypting each IP packet in a data stream.\r
///\r
struct _EFI_IPSEC2_PROTOCOL {\r
EFI_IPSEC_PROCESSEXT ProcessExt;\r
EFI_EVENT            DisabledEvent;\r
BOOLEAN              DisabledFlag;\r
};\r
\r
extern EFI_GUID gEfiIpSecProtocolGuid;\r
extern EFI_GUID gEfiIpSec2ProtocolGuid;\r
#endif\r
Commit	Line	Data
fa05b97b	1	/** @file\r
	2	EFI IPSEC Protocol Definition\r
	3	The EFI_IPSEC_PROTOCOL is used to abstract the ability to deal with the individual\r
9095d37b	4	packets sent and received by the host and provide packet-level security for IP\r
705f53a9	5	datagram.\r
705f53a9	6	The EFI_IPSEC2_PROTOCOL is used to abstract the ability to deal with the individual\r
9095d37b LG	7	packets sent and received by the host and provide packet-level security for IP\r
	8	datagram. In addition, it supports the Option (extension header) processing in\r
	9	IPsec which doesn't support in EFI_IPSEC_PROTOCOL. It is also recommended to\r
	10	use EFI_IPSEC2_PROTOCOL instead of EFI_IPSEC_PROTOCOL especially for IPsec Tunnel\r
705f53a9	11	Mode.\r
fa05b97b	12	\r
9095d37b	13	Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>\r
9344f092	14	SPDX-License-Identifier: BSD-2-Clause-Patent\r
fa05b97b	15	\r
9095d37b	16	@par Revision Reference:\r
6361c6d5	17	The EFI_IPSEC2_PROTOCOL is introduced in UEFI Specification 2.3D.\r
fa05b97b	18	\r
	19	**/\r
	20	\r
	21	#ifndef __EFI_IPSEC_PROTOCOL_H__\r
	22	#define __EFI_IPSEC_PROTOCOL_H__\r
	23	\r
	24	#include <Protocol/IpSecConfig.h>\r
	25	\r
	26	#define EFI_IPSEC_PROTOCOL_GUID \\r
	27	{ \\r
	28	0xdfb386f7, 0xe100, 0x43ad, {0x9c, 0x9a, 0xed, 0x90, 0xd0, 0x8a, 0x5e, 0x12 } \\r
	29	}\r
	30	\r
705f53a9	31	#define EFI_IPSEC2_PROTOCOL_GUID \\r
	32	{ \\r
	33	0xa3979e64, 0xace8, 0x4ddc, {0xbc, 0x7, 0x4d, 0x66, 0xb8, 0xfd, 0x9, 0x77 } \\r
	34	}\r
	35	\r
fa05b97b	36	typedef struct _EFI_IPSEC_PROTOCOL EFI_IPSEC_PROTOCOL;\r
705f53a9	37	typedef struct _EFI_IPSEC2_PROTOCOL EFI_IPSEC2_PROTOCOL;\r
fa05b97b	38	\r
fa05b97b	39	///\r
9095d37b	40	/// EFI_IPSEC_FRAGMENT_DATA\r
fa05b97b	41	/// defines the instances of packet fragments.\r
fa05b97b	42	///\r
9095d37b	43	typedef struct _EFI_IPSEC_FRAGMENT_DATA {\r
fa05b97b	44	UINT32 FragmentLength;\r
fa05b97b	45	VOID *FragmentBuffer;\r
9095d37b	46	} EFI_IPSEC_FRAGMENT_DATA;\r
fa05b97b	47	\r
	48	\r
	49	/**\r
9095d37b	50	Handles IPsec packet processing for inbound and outbound IP packets.\r
fa05b97b	51	\r
fa05b97b	52	The EFI_IPSEC_PROCESS process routine handles each inbound or outbound packet.\r
9095d37b LG	53	The behavior is that it can perform one of the following actions:\r
9095d37b LG	54	bypass the packet, discard the packet, or protect the packet.\r
fa05b97b	55	\r
	56	@param[in] This Pointer to the EFI_IPSEC_PROTOCOL instance.\r
	57	@param[in] NicHandle Instance of the network interface.\r
	58	@param[in] IpVer IPV4 or IPV6.\r
	59	@param[in, out] IpHead Pointer to the IP Header.\r
	60	@param[in] LastHead The protocol of the next layer to be processed by IPsec.\r
9095d37b	61	@param[in] OptionsBuffer Pointer to the options buffer.\r
fa05b97b	62	@param[in] OptionsLength Length of the options buffer.\r
9095d37b	63	@param[in, out] FragmentTable Pointer to a list of fragments.\r
fa05b97b	64	@param[in] FragmentCount Number of fragments.\r
	65	@param[in] TrafficDirection Traffic direction.\r
	66	@param[out] RecycleSignal Event for recycling of resources.\r
9095d37b	67	\r
fa05b97b	68	@retval EFI_SUCCESS The packet was bypassed and all buffers remain the same.\r
	69	@retval EFI_SUCCESS The packet was protected.\r
	70	@retval EFI_ACCESS_DENIED The packet was discarded.\r
	71	\r
	72	**/\r
	73	typedef\r
	74	EFI_STATUS\r
a1749b80	75	(EFIAPI *EFI_IPSEC_PROCESS)(\r
fa05b97b	76	IN EFI_IPSEC_PROTOCOL *This,\r
	77	IN EFI_HANDLE NicHandle,\r
	78	IN UINT8 IpVer,\r
	79	IN OUT VOID *IpHead,\r
	80	IN UINT8 *LastHead,\r
	81	IN VOID *OptionsBuffer,\r
	82	IN UINT32 OptionsLength,\r
	83	IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable,\r
	84	IN UINT32 *FragmentCount,\r
	85	IN EFI_IPSEC_TRAFFIC_DIR TrafficDirection,\r
	86	OUT EFI_EVENT *RecycleSignal\r
	87	);\r
	88	\r
	89	///\r
9095d37b	90	/// EFI_IPSEC_PROTOCOL\r
fa05b97b	91	/// provides the ability for securing IP communications by authenticating\r
9095d37b	92	/// and/or encrypting each IP packet in a data stream.\r
fa05b97b	93	// EFI_IPSEC_PROTOCOL can be consumed by both the IPv4 and IPv6 stack.\r
	94	// A user can employ this protocol for IPsec package handling in both IPv4\r
	95	// and IPv6 environment.\r
	96	///\r
	97	struct _EFI_IPSEC_PROTOCOL {\r
	98	EFI_IPSEC_PROCESS Process; ///< Handle the IPsec message.\r
	99	EFI_EVENT DisabledEvent; ///< Event signaled when the interface is disabled.\r
	100	BOOLEAN DisabledFlag; ///< State of the interface.\r
	101	};\r
	102	\r
705f53a9	103	/**\r
9095d37b LG	104	Handles IPsec processing for both inbound and outbound IP packets. Compare with\r
	105	Process() in EFI_IPSEC_PROTOCOL, this interface has the capability to process\r
	106	Option(Extension Header).\r
705f53a9	107	\r
705f53a9	108	The EFI_IPSEC2_PROCESS process routine handles each inbound or outbound packet.\r
9095d37b LG	109	The behavior is that it can perform one of the following actions:\r
9095d37b LG	110	bypass the packet, discard the packet, or protect the packet.\r
705f53a9	111	\r
705f53a9	112	@param[in] This Pointer to the EFI_IPSEC2_PROTOCOL instance.\r
9095d37b	113	@param[in] NicHandle Instance of the network interface.\r
705f53a9	114	@param[in] IpVer IP version.IPv4 or IPv6.\r
9095d37b	115	@param[in, out] IpHead Pointer to the IP Header it is either\r
705f53a9	116	the EFI_IP4_HEADER or EFI_IP6_HEADER.\r
9095d37b LG	117	On input, it contains the IP header.\r
	118	On output, 1) in tunnel mode and the\r
	119	traffic direction is inbound, the buffer\r
	120	will be reset to zero by IPsec; 2) in\r
	121	tunnel mode and the traffic direction\r
	122	is outbound, the buffer will reset to\r
	123	be the tunnel IP header.3) in transport\r
	124	mode, the related fielders (like payload\r
	125	length, Next header) in IP header will\r
705f53a9	126	be modified according to the condition.\r
705f53a9	127	@param[in, out] LastHead For IP4, it is the next protocol in IP\r
9095d37b	128	header. For IP6 it is the Next Header\r
705f53a9	129	of the last extension header.\r
9095d37b LG	130	@param[in, out] OptionsBuffer On input, it contains the options\r
9095d37b LG	131	(extensions header) to be processed by\r
705f53a9	132	IPsec. On output, 1) in tunnel mode and\r
9095d37b LG	133	the traffic direction is outbound, it\r
	134	will be set to NULL, and that means this\r
	135	contents was wrapped after inner header\r
	136	and should not be concatenated after\r
	137	tunnel header again; 2) in transport\r
	138	mode and the traffic direction is inbound,\r
	139	if there are IP options (extension headers)\r
	140	protected by IPsec, IPsec will concatenate\r
	141	the those options after the input options\r
	142	(extension headers); 3) on other situations,\r
	143	the output of contents of OptionsBuffer\r
	144	might be same with input's. The caller\r
	145	should take the responsibility to free\r
705f53a9	146	the buffer both on input and on output.\r
9095d37b LG	147	@param[in, out] OptionsLength On input, the input length of the options\r
9095d37b LG	148	buffer. On output, the output length of\r
705f53a9	149	the options buffer.\r
9095d37b LG	150	@param[in, out] FragmentTable Pointer to a list of fragments. On input,\r
	151	these fragments contain the IP payload.\r
	152	On output, 1) in tunnel mode and the traffic\r
	153	direction is inbound, the fragments contain\r
	154	the whole IP payload which is from the\r
	155	IP inner header to the last byte of the\r
	156	packet; 2) in tunnel mode and the traffic\r
	157	direction is the outbound, the fragments\r
	158	contains the whole encapsulated payload\r
	159	which encapsulates the whole IP payload\r
	160	between the encapsulated header and\r
	161	encapsulated trailer fields. 3) in transport\r
	162	mode and the traffic direction is inbound,\r
	163	the fragments contains the IP payload\r
	164	which is from the next layer protocol to\r
	165	the last byte of the packet; 4) in transport\r
	166	mode and the traffic direction is outbound,\r
	167	the fragments contains the whole encapsulated\r
	168	payload which encapsulates the next layer\r
	169	protocol information between the encapsulated\r
705f53a9	170	header and encapsulated trailer fields.\r
	171	@param[in, out] FragmentCount Number of fragments.\r
	172	@param[in] TrafficDirection Traffic direction.\r
	173	@param[out] RecycleSignal Event for recycling of resources.\r
	174	\r
	175	@retval EFI_SUCCESS The packet was processed by IPsec successfully.\r
	176	@retval EFI_ACCESS_DENIED The packet was discarded.\r
9095d37b	177	@retval EFI_NOT_READY The IKE negotiation is invoked and the packet\r
705f53a9	178	was discarded.\r
	179	@retval EFI_INVALID_PARAMETER One or more of following are TRUE:\r
	180	If OptionsBuffer is NULL;\r
	181	If OptionsLength is NULL;\r
	182	If FragmentTable is NULL;\r
	183	If FragmentCount is NULL.\r
	184	\r
	185	**/\r
9095d37b	186	typedef\r
705f53a9	187	EFI_STATUS\r
9095d37b LG	188	(EFIAPI *EFI_IPSEC_PROCESSEXT) (\r
	189	IN EFI_IPSEC2_PROTOCOL *This,\r
	190	IN EFI_HANDLE NicHandle,\r
	191	IN UINT8 IpVer,\r
	192	IN OUT VOID *IpHead,\r
	193	IN OUT UINT8 *LastHead,\r
	194	IN OUT VOID **OptionsBuffer,\r
	195	IN OUT UINT32 *OptionsLength,\r
	196	IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable,\r
	197	IN OUT UINT32 *FragmentCount,\r
	198	IN EFI_IPSEC_TRAFFIC_DIR TrafficDirection,\r
705f53a9	199	OUT EFI_EVENT *RecycleSignal\r
705f53a9	200	);\r
fa05b97b	201	\r
9095d37b	202	///\r
705f53a9	203	/// EFI_IPSEC2_PROTOCOL\r
	204	/// supports the Option (extension header) processing in IPsec which doesn't support\r
	205	/// in EFI_IPSEC_PROTOCOL. It is also recommended to use EFI_IPSEC2_PROTOCOL instead\r
	206	/// of EFI_IPSEC_PROTOCOL especially for IPsec Tunnel Mode.\r
	207	/// provides the ability for securing IP communications by authenticating and/or\r
	208	/// encrypting each IP packet in a data stream.\r
	209	///\r
9095d37b	210	struct _EFI_IPSEC2_PROTOCOL {\r
705f53a9	211	EFI_IPSEC_PROCESSEXT ProcessExt;\r
9095d37b LG	212	EFI_EVENT DisabledEvent;\r
9095d37b LG	213	BOOLEAN DisabledFlag;\r
705f53a9	214	};\r
	215	\r
	216	extern EFI_GUID gEfiIpSecProtocolGuid;\r
	217	extern EFI_GUID gEfiIpSec2ProtocolGuid;\r
fa05b97b	218	#endif\r