fa05b97b | 1 | /** @file\r |
2 | EFI IPSEC Protocol Definition\r | |
  The EFI_IPSEC_PROTOCOL is used to abstract the ability to deal with the individual
  packets sent and received by the host and provide packet-level security for IP
  datagrams.
  The EFI_IPSEC2_PROTOCOL is used to abstract the ability to deal with the individual
  packets sent and received by the host and provide packet-level security for IP
  datagrams. In addition, it supports the Option (extension header) processing in
  IPsec that EFI_IPSEC_PROTOCOL does not support. It is therefore recommended to
  use EFI_IPSEC2_PROTOCOL instead of EFI_IPSEC_PROTOCOL, especially for IPsec Tunnel
  Mode.
fa05b97b | 12 | \r |
9095d37b | 13 | Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>\r |
9344f092 | 14 | SPDX-License-Identifier: BSD-2-Clause-Patent\r |
fa05b97b | 15 | \r |
9095d37b | 16 | @par Revision Reference:\r |
6361c6d5 | 17 | The EFI_IPSEC2_PROTOCOL is introduced in UEFI Specification 2.3D.\r |
fa05b97b | 18 | \r |
19 | **/\r | |
20 | \r | |
21 | #ifndef __EFI_IPSEC_PROTOCOL_H__\r | |
22 | #define __EFI_IPSEC_PROTOCOL_H__\r | |
23 | \r | |
24 | #include <Protocol/IpSecConfig.h>\r | |
25 | \r | |
///
/// GUID that identifies EFI_IPSEC_PROTOCOL. The value is the protocol's
/// published identity (see gEfiIpSecProtocolGuid at the end of this header)
/// and must stay stable.
///
#define EFI_IPSEC_PROTOCOL_GUID \
  { \
    0xdfb386f7, 0xe100, 0x43ad, {0x9c, 0x9a, 0xed, 0x90, 0xd0, 0x8a, 0x5e, 0x12 } \
  }

///
/// GUID that identifies EFI_IPSEC2_PROTOCOL (see gEfiIpSec2ProtocolGuid at the
/// end of this header). Distinct from EFI_IPSEC_PROTOCOL_GUID because the two
/// protocols have different Process signatures.
///
#define EFI_IPSEC2_PROTOCOL_GUID \
  { \
    0xa3979e64, 0xace8, 0x4ddc, {0xbc, 0x7, 0x4d, 0x66, 0xb8, 0xfd, 0x9, 0x77 } \
  }

///
/// Forward declarations so the Process/ProcessExt function-pointer types below
/// can name the protocol instance they belong to.
///
typedef struct _EFI_IPSEC_PROTOCOL  EFI_IPSEC_PROTOCOL;
typedef struct _EFI_IPSEC2_PROTOCOL EFI_IPSEC2_PROTOCOL;
fa05b97b | 38 | \r |
///
/// EFI_IPSEC_FRAGMENT_DATA
/// defines the instances of packet fragments: one contiguous run of packet
/// bytes (FragmentBuffer) and the number of bytes in it (FragmentLength).
///
/// NOTE(review): nothing in this header ties FragmentLength to the size of the
/// allocation behind FragmentBuffer. The producer of a fragment must set
/// FragmentLength to the number of bytes actually present, and every consumer
/// (IPsec included) must bound its reads and writes by FragmentLength rather
/// than by any assumed packet or MTU size. Confirm the producers (the IP stacks)
/// honour this before relying on more than that.
///
typedef struct _EFI_IPSEC_FRAGMENT_DATA {
  UINT32    FragmentLength;   ///< Number of bytes at FragmentBuffer that belong to this fragment.
  VOID      *FragmentBuffer;  ///< Start of the fragment's bytes.
} EFI_IPSEC_FRAGMENT_DATA;
fa05b97b | 47 | \r |
48 | \r | |
/**
  Handles IPsec packet processing for inbound and outbound IP packets.

  The EFI_IPSEC_PROCESS process routine handles each inbound or outbound packet.
  The behavior is that it can perform one of the following actions:
  bypass the packet, discard the packet, or protect the packet.

  Security contract for callers (what this header establishes):
  - Only EFI_SUCCESS means the packet may continue on its way. EFI_ACCESS_DENIED
    means IPsec discarded the packet; the caller must drop it and must not fall
    back to forwarding the original, unprotected buffers. Treat any other
    non-EFI_SUCCESS status the same way (fail closed).
  - Bypass and protect both return EFI_SUCCESS, so the status alone does not
    tell the caller whether the packet was actually protected.
  - No explicit length accompanies IpHead; the header size has to be derived
    from IpVer and the header itself (presumably the IPv4 IHL field or the fixed
    IPv6 header size - confirm against the implementation). OptionsBuffer is
    bounded by OptionsLength and each fragment by its own FragmentLength; no
    access may go beyond those bounds.
  - FragmentTable is IN OUT but FragmentCount is IN only, so this interface
    cannot report a changed number of fragments back to the caller. The newer
    EFI_IPSEC_PROCESSEXT (EFI_IPSEC2_PROTOCOL) takes FragmentCount IN OUT.

  @param[in]      This             Pointer to the EFI_IPSEC_PROTOCOL instance.
  @param[in]      NicHandle        Instance of the network interface.
  @param[in]      IpVer            IPV4 or IPV6.
  @param[in, out] IpHead           Pointer to the IP Header. IN OUT: IPsec may
                                   modify it in place.
  @param[in]      LastHead         The protocol of the next layer to be processed by IPsec.
  @param[in]      OptionsBuffer    Pointer to the options buffer.
  @param[in]      OptionsLength    Length of the options buffer, in bytes; bounds OptionsBuffer.
  @param[in, out] FragmentTable    Pointer to a list of fragments. IN OUT: IPsec
                                   may replace the list it is handed.
  @param[in]      FragmentCount    Number of fragments in FragmentTable (input only).
  @param[in]      TrafficDirection Traffic direction.
  @param[out]     RecycleSignal    Event for recycling of resources. Presumably
                                   the caller signals it once it has finished with
                                   the buffers IPsec handed back so IPsec can
                                   release them - confirm against the
                                   implementation; this header does not say
                                   when it may be NULL.

  @retval EFI_SUCCESS           The packet was bypassed and all buffers remain the same.
  @retval EFI_SUCCESS           The packet was protected.
  @retval EFI_ACCESS_DENIED     The packet was discarded.

**/
typedef
EFI_STATUS
(EFIAPI *EFI_IPSEC_PROCESS)(
  IN EFI_IPSEC_PROTOCOL             *This,
  IN EFI_HANDLE                     NicHandle,
  IN UINT8                          IpVer,
  IN OUT VOID                       *IpHead,
  IN UINT8                          *LastHead,
  IN VOID                           *OptionsBuffer,
  IN UINT32                         OptionsLength,
  IN OUT EFI_IPSEC_FRAGMENT_DATA    **FragmentTable,
  IN UINT32                         *FragmentCount,
  IN EFI_IPSEC_TRAFFIC_DIR          TrafficDirection,
  OUT EFI_EVENT                     *RecycleSignal
  );
88 | \r | |
///
/// EFI_IPSEC_PROTOCOL
/// provides the ability for securing IP communications by authenticating
/// and/or encrypting each IP packet in a data stream.
/// EFI_IPSEC_PROTOCOL can be consumed by both the IPv4 and IPv6 stack.
/// A user can employ this protocol for IPsec packet handling in both IPv4
/// and IPv6 environments.
///
/// NOTE(review): DisabledFlag/DisabledEvent report that the IPsec interface is
/// disabled, i.e. that packets are not being protected. A consumer presumably
/// has to check DisabledFlag (or wait on DisabledEvent) and decide, per its own
/// policy, whether traffic that should be protected may flow at all while IPsec
/// is off; fail closed unless the policy explicitly allows bypass. Confirm
/// against the IP stack consumers of this protocol.
///
struct _EFI_IPSEC_PROTOCOL {
  EFI_IPSEC_PROCESS    Process;          ///< Handle the IPsec message: bypass, discard or protect a packet.
  EFI_EVENT            DisabledEvent;    ///< Event signaled when the interface is disabled.
  BOOLEAN              DisabledFlag;     ///< State of the interface (by its name, TRUE when disabled - confirm).
};
102 | \r | |
/**
  Handles IPsec processing for both inbound and outbound IP packets. Compared with
  Process() in EFI_IPSEC_PROTOCOL, this interface has the capability to process
  Options (Extension Headers).

  The EFI_IPSEC2_PROCESS process routine handles each inbound or outbound packet.
  The behavior is that it can perform one of the following actions:
  bypass the packet, discard the packet, or protect the packet.

  Security contract for callers (what this header establishes):
  - Only EFI_SUCCESS means the packet may continue on its way. EFI_ACCESS_DENIED
    and EFI_NOT_READY both mean IPsec discarded the packet; the caller must drop
    it and must not fall back to forwarding the original, unprotected buffers
    (fail closed). EFI_NOT_READY additionally says an IKE negotiation was
    started; what the caller does next (retry, queue) is not specified here, but
    bypassing IPsec is not among the options.
  - OptionsBuffer ownership stays with the caller on both sides of the call, and
    the pointer handed back can differ from the one passed in (NULL in tunnel-mode
    outbound, a new concatenated buffer in transport-mode inbound). A caller that
    only frees *OptionsBuffer after the call therefore leaks the original buffer
    whenever IPsec replaced it: keep the input pointer and free both.
  - OptionsLength bounds OptionsBuffer on input and on output; each fragment is
    bounded by its own FragmentLength; IpHead carries no explicit length and its
    size has to be derived from IpVer and the header itself (presumably the IPv4
    IHL field or the fixed IPv6 header size - confirm against the implementation).
  - The EFI_INVALID_PARAMETER list below does not mention This, IpHead or
    LastHead; do not assume NULL in those is rejected - confirm with the
    implementation.

  @param[in]      This             Pointer to the EFI_IPSEC2_PROTOCOL instance.
  @param[in]      NicHandle        Instance of the network interface.
  @param[in]      IpVer            IP version: IPv4 or IPv6.
  @param[in, out] IpHead           Pointer to the IP header; it is either the
                                   EFI_IP4_HEADER or the EFI_IP6_HEADER.
                                   On input, it contains the IP header.
                                   On output, 1) in tunnel mode with inbound
                                   traffic, the buffer is reset to zero by IPsec
                                   (the inner IP header is then at the start of
                                   FragmentTable, see below); 2) in tunnel mode
                                   with outbound traffic, the buffer is reset to
                                   the tunnel IP header; 3) in transport mode,
                                   the related fields (like payload length, Next
                                   Header) in the IP header are modified
                                   according to the condition.
  @param[in, out] LastHead         For IP4, it is the next protocol in the IP
                                   header. For IP6 it is the Next Header of the
                                   last extension header.
  @param[in, out] OptionsBuffer    On input, it contains the options (extension
                                   headers) to be processed by IPsec. On output,
                                   1) in tunnel mode with outbound traffic, it is
                                   set to NULL, meaning the contents were wrapped
                                   after the inner header and must not be
                                   concatenated after the tunnel header again;
                                   2) in transport mode with inbound traffic, if
                                   there are IP options (extension headers)
                                   protected by IPsec, IPsec concatenates those
                                   options after the input options (extension
                                   headers); 3) in other situations, the output
                                   contents of OptionsBuffer may be the same as
                                   the input's. The caller is responsible for
                                   freeing the buffer both on input and on output.
  @param[in, out] OptionsLength    On input, the length of the options buffer.
                                   On output, the length of the output options
                                   buffer.
  @param[in, out] FragmentTable    Pointer to a list of fragments. On input, these
                                   fragments contain the IP payload. On output,
                                   1) in tunnel mode with inbound traffic, the
                                   fragments contain the whole IP payload from the
                                   inner IP header to the last byte of the packet;
                                   2) in tunnel mode with outbound traffic, the
                                   fragments contain the whole encapsulated payload,
                                   which encapsulates the whole IP payload between
                                   the encapsulation header and the encapsulation
                                   trailer fields; 3) in transport mode with inbound
                                   traffic, the fragments contain the IP payload
                                   from the next-layer protocol to the last byte of
                                   the packet; 4) in transport mode with outbound
                                   traffic, the fragments contain the whole
                                   encapsulated payload, which encapsulates the
                                   next-layer protocol information between the
                                   encapsulation header and the encapsulation
                                   trailer fields.
  @param[in, out] FragmentCount    Number of fragments; may change on output
                                   together with FragmentTable.
  @param[in]      TrafficDirection Traffic direction.
  @param[out]     RecycleSignal    Event for recycling of resources. Presumably
                                   signaled by the caller once it has finished with
                                   the buffers IPsec handed back - confirm against
                                   the implementation.

  @retval EFI_SUCCESS            The packet was processed by IPsec successfully.
  @retval EFI_ACCESS_DENIED      The packet was discarded.
  @retval EFI_NOT_READY          The IKE negotiation is invoked and the packet
                                 was discarded.
  @retval EFI_INVALID_PARAMETER  One or more of the following are TRUE:
                                 OptionsBuffer is NULL;
                                 OptionsLength is NULL;
                                 FragmentTable is NULL;
                                 FragmentCount is NULL.

**/
typedef
EFI_STATUS
(EFIAPI *EFI_IPSEC_PROCESSEXT) (
  IN EFI_IPSEC2_PROTOCOL            *This,
  IN EFI_HANDLE                     NicHandle,
  IN UINT8                          IpVer,
  IN OUT VOID                       *IpHead,
  IN OUT UINT8                      *LastHead,
  IN OUT VOID                       **OptionsBuffer,
  IN OUT UINT32                     *OptionsLength,
  IN OUT EFI_IPSEC_FRAGMENT_DATA    **FragmentTable,
  IN OUT UINT32                     *FragmentCount,
  IN EFI_IPSEC_TRAFFIC_DIR          TrafficDirection,
  OUT EFI_EVENT                     *RecycleSignal
  );
fa05b97b | 201 | \r |
///
/// EFI_IPSEC2_PROTOCOL
/// supports the Option (extension header) processing in IPsec that
/// EFI_IPSEC_PROTOCOL does not support. It is therefore recommended to use
/// EFI_IPSEC2_PROTOCOL instead of EFI_IPSEC_PROTOCOL, especially for IPsec
/// Tunnel Mode.
/// It provides the ability for securing IP communications by authenticating
/// and/or encrypting each IP packet in a data stream.
///
/// NOTE(review): as with EFI_IPSEC_PROTOCOL, DisabledFlag/DisabledEvent report
/// that the interface is disabled, i.e. that packets are not being protected.
/// A consumer presumably has to check DisabledFlag (or wait on DisabledEvent)
/// and fail closed for traffic its policy requires to be protected; confirm
/// against the IP stack consumers of this protocol.
///
struct _EFI_IPSEC2_PROTOCOL {
  EFI_IPSEC_PROCESSEXT    ProcessExt;     ///< Handle the IPsec message, including options/extension headers.
  EFI_EVENT               DisabledEvent;  ///< Event signaled when the interface is disabled.
  BOOLEAN                 DisabledFlag;   ///< State of the interface (by its name, TRUE when disabled - confirm).
};
215 | \r | |
///
/// GUID instances for the two protocols, presumably initialized from
/// EFI_IPSEC_PROTOCOL_GUID and EFI_IPSEC2_PROTOCOL_GUID above; they are defined
/// outside this header.
///
extern EFI_GUID  gEfiIpSecProtocolGuid;
extern EFI_GUID  gEfiIpSec2ProtocolGuid;
fa05b97b | 218 | #endif\r |