[mirror_edk2.git] / MdePkg / Include / Protocol / IpSec.h

/** @file\r
  EFI IPSEC Protocol Definition\r
  The EFI_IPSEC_PROTOCOL is used to abstract the ability to deal with the individual\r
  packets sent and received by the host and provide packet-level security for IP\r
  datagram.\r
  The EFI_IPSEC2_PROTOCOL is used to abstract the ability to deal with the individual\r
  packets sent and received by the host and provide packet-level security for IP\r
  datagram. In addition, it supports the Option (extension header) processing in\r
  IPsec which doesn't support in EFI_IPSEC_PROTOCOL. It is also recommended to\r
  use EFI_IPSEC2_PROTOCOL instead of EFI_IPSEC_PROTOCOL especially for IPsec Tunnel\r
  Mode.\r
\r
  Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>\r
  SPDX-License-Identifier: BSD-2-Clause-Patent\r
\r
  @par Revision Reference:\r
  The EFI_IPSEC2_PROTOCOL is introduced in UEFI Specification 2.3D.\r
\r
**/\r
\r
#ifndef __EFI_IPSEC_PROTOCOL_H__\r
#define __EFI_IPSEC_PROTOCOL_H__\r
\r
#include <Protocol/IpSecConfig.h>\r
\r
#define EFI_IPSEC_PROTOCOL_GUID \\r
  { \\r
    0xdfb386f7, 0xe100, 0x43ad, {0x9c, 0x9a, 0xed, 0x90, 0xd0, 0x8a, 0x5e, 0x12 } \\r
  }\r
\r
#define EFI_IPSEC2_PROTOCOL_GUID \\r
  { \\r
    0xa3979e64, 0xace8, 0x4ddc, {0xbc, 0x7, 0x4d, 0x66, 0xb8, 0xfd, 0x9, 0x77 } \\r
  }\r
\r
typedef struct _EFI_IPSEC_PROTOCOL   EFI_IPSEC_PROTOCOL;\r
typedef struct _EFI_IPSEC2_PROTOCOL  EFI_IPSEC2_PROTOCOL;\r
\r
///\r
/// EFI_IPSEC_FRAGMENT_DATA\r
/// defines the instances of packet fragments.\r
///\r
typedef struct _EFI_IPSEC_FRAGMENT_DATA {\r
  UINT32    FragmentLength;\r
  VOID      *FragmentBuffer;\r
} EFI_IPSEC_FRAGMENT_DATA;\r
\r
/**\r
  Handles IPsec packet processing for inbound and outbound IP packets.\r
\r
  The EFI_IPSEC_PROCESS process routine handles each inbound or outbound packet.\r
  The behavior is that it can perform one of the following actions:\r
  bypass the packet, discard the packet, or protect the packet.\r
\r
  @param[in]      This             Pointer to the EFI_IPSEC_PROTOCOL instance.\r
  @param[in]      NicHandle        Instance of the network interface.\r
  @param[in]      IpVer            IPV4 or IPV6.\r
  @param[in, out] IpHead           Pointer to the IP Header.\r
  @param[in]      LastHead         The protocol of the next layer to be processed by IPsec.\r
  @param[in]      OptionsBuffer    Pointer to the options buffer.\r
  @param[in]      OptionsLength    Length of the options buffer.\r
  @param[in, out] FragmentTable    Pointer to a list of fragments.\r
  @param[in]      FragmentCount    Number of fragments.\r
  @param[in]      TrafficDirection Traffic direction.\r
  @param[out]     RecycleSignal    Event for recycling of resources.\r
\r
  @retval EFI_SUCCESS              The packet was bypassed and all buffers remain the same.\r
  @retval EFI_SUCCESS              The packet was protected.\r
  @retval EFI_ACCESS_DENIED        The packet was discarded.\r
\r
**/\r
typedef\r
EFI_STATUS\r
(EFIAPI  *EFI_IPSEC_PROCESS)(\r
  IN     EFI_IPSEC_PROTOCOL      *This,\r
  IN     EFI_HANDLE              NicHandle,\r
  IN     UINT8                   IpVer,\r
  IN OUT VOID                    *IpHead,\r
  IN     UINT8                   *LastHead,\r
  IN     VOID                    *OptionsBuffer,\r
  IN     UINT32                  OptionsLength,\r
  IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable,\r
  IN     UINT32                  *FragmentCount,\r
  IN     EFI_IPSEC_TRAFFIC_DIR   TrafficDirection,\r
  OUT EFI_EVENT               *RecycleSignal\r
  );\r
\r
///\r
/// EFI_IPSEC_PROTOCOL\r
/// provides the ability for  securing IP communications by authenticating\r
/// and/or encrypting each IP packet in a data stream.\r
//  EFI_IPSEC_PROTOCOL can be consumed by both the IPv4 and IPv6 stack.\r
//  A user can employ this protocol for IPsec package handling in both IPv4\r
//  and IPv6 environment.\r
///\r
struct _EFI_IPSEC_PROTOCOL {\r
  EFI_IPSEC_PROCESS    Process;             ///< Handle the IPsec message.\r
  EFI_EVENT            DisabledEvent;       ///< Event signaled when the interface is disabled.\r
  BOOLEAN              DisabledFlag;        ///< State of the interface.\r
};\r
\r
/**\r
  Handles IPsec processing for both inbound and outbound IP packets. Compare with\r
  Process() in EFI_IPSEC_PROTOCOL, this interface has the capability to process\r
  Option(Extension Header).\r
\r
  The EFI_IPSEC2_PROCESS process routine handles each inbound or outbound packet.\r
  The behavior is that it can perform one of the following actions:\r
  bypass the packet, discard the packet, or protect the packet.\r
\r
  @param[in]       This               Pointer to the EFI_IPSEC2_PROTOCOL instance.\r
  @param[in]       NicHandle          Instance of the network interface.\r
  @param[in]       IpVer              IP version.IPv4 or IPv6.\r
  @param[in, out]  IpHead             Pointer to the IP Header it is either\r
                                      the EFI_IP4_HEADER or EFI_IP6_HEADER.\r
                                      On input, it contains the IP header.\r
                                      On output, 1) in tunnel mode and the\r
                                      traffic direction is inbound, the buffer\r
                                      will be reset to zero by IPsec; 2) in\r
                                      tunnel mode and the traffic direction\r
                                      is outbound, the buffer will reset to\r
                                      be the tunnel IP header.3) in transport\r
                                      mode, the related fielders (like payload\r
                                      length, Next header) in IP header will\r
                                      be modified according to the condition.\r
  @param[in, out]  LastHead           For IP4, it is the next protocol in IP\r
                                      header. For IP6 it is the Next Header\r
                                      of the last extension header.\r
  @param[in, out]  OptionsBuffer      On input, it contains the options\r
                                      (extensions header) to be processed by\r
                                      IPsec. On output, 1) in tunnel mode and\r
                                      the traffic direction is outbound, it\r
                                      will be set to NULL, and that means this\r
                                      contents was wrapped after inner header\r
                                      and should not be concatenated after\r
                                      tunnel header again; 2) in transport\r
                                      mode and the traffic direction is inbound,\r
                                      if there are IP options (extension headers)\r
                                      protected by IPsec, IPsec will concatenate\r
                                      the those options after the input options\r
                                      (extension headers); 3) on other situations,\r
                                      the output of contents of OptionsBuffer\r
                                      might be same with input's. The caller\r
                                      should take the responsibility to free\r
                                      the buffer both on input and on output.\r
  @param[in, out]  OptionsLength      On input, the input length of the options\r
                                      buffer. On output, the output length of\r
                                      the options buffer.\r
  @param[in, out]  FragmentTable      Pointer to a list of fragments. On input,\r
                                      these fragments contain the IP payload.\r
                                      On output, 1) in tunnel mode and the traffic\r
                                      direction is inbound, the fragments contain\r
                                      the whole IP payload which is from the\r
                                      IP inner header to the last byte of the\r
                                      packet; 2) in tunnel mode and the traffic\r
                                      direction is the outbound, the fragments\r
                                      contains the whole encapsulated payload\r
                                      which encapsulates the whole IP payload\r
                                      between the encapsulated header and\r
                                      encapsulated trailer fields. 3) in transport\r
                                      mode and the traffic direction is inbound,\r
                                      the fragments contains the IP payload\r
                                      which is from the next layer protocol to\r
                                      the last byte of the packet; 4) in transport\r
                                      mode and the traffic direction is outbound,\r
                                      the fragments contains the whole encapsulated\r
                                      payload which encapsulates the next layer\r
                                      protocol information between the encapsulated\r
                                      header and encapsulated trailer fields.\r
  @param[in, out]  FragmentCount      Number of fragments.\r
  @param[in]       TrafficDirection   Traffic direction.\r
  @param[out]      RecycleSignal      Event for recycling of resources.\r
\r
  @retval      EFI_SUCCESS           The packet was processed by IPsec successfully.\r
  @retval      EFI_ACCESS_DENIED     The packet was discarded.\r
  @retval      EFI_NOT_READY         The IKE negotiation is invoked and the packet\r
                                     was discarded.\r
  @retval      EFI_INVALID_PARAMETER One or more of following are TRUE:\r
                                     If OptionsBuffer is NULL;\r
                                     If OptionsLength is NULL;\r
                                     If FragmentTable is NULL;\r
                                     If FragmentCount is NULL.\r
\r
**/\r
typedef\r
EFI_STATUS\r
(EFIAPI *EFI_IPSEC_PROCESSEXT)(\r
  IN EFI_IPSEC2_PROTOCOL         *This,\r
  IN EFI_HANDLE                  NicHandle,\r
  IN UINT8                       IpVer,\r
  IN OUT VOID                    *IpHead,\r
  IN OUT UINT8                   *LastHead,\r
  IN OUT VOID                    **OptionsBuffer,\r
  IN OUT UINT32                  *OptionsLength,\r
  IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable,\r
  IN OUT UINT32                  *FragmentCount,\r
  IN EFI_IPSEC_TRAFFIC_DIR       TrafficDirection,\r
  OUT EFI_EVENT               *RecycleSignal\r
  );\r
\r
///\r
/// EFI_IPSEC2_PROTOCOL\r
/// supports the Option (extension header) processing in IPsec which doesn't support\r
/// in EFI_IPSEC_PROTOCOL. It is also recommended to use EFI_IPSEC2_PROTOCOL instead\r
/// of EFI_IPSEC_PROTOCOL especially for IPsec Tunnel Mode.\r
/// provides the ability for securing IP communications by authenticating and/or\r
/// encrypting each IP packet in a data stream.\r
///\r
struct _EFI_IPSEC2_PROTOCOL {\r
  EFI_IPSEC_PROCESSEXT    ProcessExt;\r
  EFI_EVENT               DisabledEvent;\r
  BOOLEAN                 DisabledFlag;\r
};\r
\r
extern EFI_GUID  gEfiIpSecProtocolGuid;\r
extern EFI_GUID  gEfiIpSec2ProtocolGuid;\r
#endif\r
Commit	Line	Data
fa05b97b	1	/** @file\r
	2	EFI IPSEC Protocol Definition\r
	3	The EFI_IPSEC_PROTOCOL is used to abstract the ability to deal with the individual\r
9095d37b	4	packets sent and received by the host and provide packet-level security for IP\r
705f53a9	5	datagram.\r
705f53a9	6	The EFI_IPSEC2_PROTOCOL is used to abstract the ability to deal with the individual\r
9095d37b LG	7	packets sent and received by the host and provide packet-level security for IP\r
	8	datagram. In addition, it supports the Option (extension header) processing in\r
	9	IPsec which doesn't support in EFI_IPSEC_PROTOCOL. It is also recommended to\r
	10	use EFI_IPSEC2_PROTOCOL instead of EFI_IPSEC_PROTOCOL especially for IPsec Tunnel\r
705f53a9	11	Mode.\r
fa05b97b	12	\r
9095d37b	13	Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>\r
9344f092	14	SPDX-License-Identifier: BSD-2-Clause-Patent\r
fa05b97b	15	\r
9095d37b	16	@par Revision Reference:\r
6361c6d5	17	The EFI_IPSEC2_PROTOCOL is introduced in UEFI Specification 2.3D.\r
fa05b97b	18	\r
	19	**/\r
	20	\r
	21	#ifndef __EFI_IPSEC_PROTOCOL_H__\r
	22	#define __EFI_IPSEC_PROTOCOL_H__\r
	23	\r
	24	#include <Protocol/IpSecConfig.h>\r
	25	\r
	26	#define EFI_IPSEC_PROTOCOL_GUID \\r
	27	{ \\r
	28	0xdfb386f7, 0xe100, 0x43ad, {0x9c, 0x9a, 0xed, 0x90, 0xd0, 0x8a, 0x5e, 0x12 } \\r
	29	}\r
	30	\r
705f53a9	31	#define EFI_IPSEC2_PROTOCOL_GUID \\r
	32	{ \\r
	33	0xa3979e64, 0xace8, 0x4ddc, {0xbc, 0x7, 0x4d, 0x66, 0xb8, 0xfd, 0x9, 0x77 } \\r
	34	}\r
	35	\r
2f88bd3a MK	36	typedef struct _EFI_IPSEC_PROTOCOL EFI_IPSEC_PROTOCOL;\r
2f88bd3a MK	37	typedef struct _EFI_IPSEC2_PROTOCOL EFI_IPSEC2_PROTOCOL;\r
fa05b97b	38	\r
fa05b97b	39	///\r
9095d37b	40	/// EFI_IPSEC_FRAGMENT_DATA\r
fa05b97b	41	/// defines the instances of packet fragments.\r
fa05b97b	42	///\r
9095d37b	43	typedef struct _EFI_IPSEC_FRAGMENT_DATA {\r
2f88bd3a MK	44	UINT32 FragmentLength;\r
2f88bd3a MK	45	VOID *FragmentBuffer;\r
9095d37b	46	} EFI_IPSEC_FRAGMENT_DATA;\r
fa05b97b	47	\r
fa05b97b	48	/**\r
9095d37b	49	Handles IPsec packet processing for inbound and outbound IP packets.\r
fa05b97b	50	\r
fa05b97b	51	The EFI_IPSEC_PROCESS process routine handles each inbound or outbound packet.\r
9095d37b LG	52	The behavior is that it can perform one of the following actions:\r
9095d37b LG	53	bypass the packet, discard the packet, or protect the packet.\r
fa05b97b	54	\r
	55	@param[in] This Pointer to the EFI_IPSEC_PROTOCOL instance.\r
	56	@param[in] NicHandle Instance of the network interface.\r
	57	@param[in] IpVer IPV4 or IPV6.\r
	58	@param[in, out] IpHead Pointer to the IP Header.\r
	59	@param[in] LastHead The protocol of the next layer to be processed by IPsec.\r
9095d37b	60	@param[in] OptionsBuffer Pointer to the options buffer.\r
fa05b97b	61	@param[in] OptionsLength Length of the options buffer.\r
9095d37b	62	@param[in, out] FragmentTable Pointer to a list of fragments.\r
fa05b97b	63	@param[in] FragmentCount Number of fragments.\r
	64	@param[in] TrafficDirection Traffic direction.\r
	65	@param[out] RecycleSignal Event for recycling of resources.\r
9095d37b	66	\r
fa05b97b	67	@retval EFI_SUCCESS The packet was bypassed and all buffers remain the same.\r
	68	@retval EFI_SUCCESS The packet was protected.\r
	69	@retval EFI_ACCESS_DENIED The packet was discarded.\r
	70	\r
	71	**/\r
	72	typedef\r
	73	EFI_STATUS\r
a1749b80	74	(EFIAPI *EFI_IPSEC_PROCESS)(\r
fa05b97b	75	IN EFI_IPSEC_PROTOCOL *This,\r
	76	IN EFI_HANDLE NicHandle,\r
	77	IN UINT8 IpVer,\r
	78	IN OUT VOID *IpHead,\r
	79	IN UINT8 *LastHead,\r
	80	IN VOID *OptionsBuffer,\r
	81	IN UINT32 OptionsLength,\r
	82	IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable,\r
	83	IN UINT32 *FragmentCount,\r
	84	IN EFI_IPSEC_TRAFFIC_DIR TrafficDirection,\r
2f88bd3a	85	OUT EFI_EVENT *RecycleSignal\r
fa05b97b	86	);\r
	87	\r
	88	///\r
9095d37b	89	/// EFI_IPSEC_PROTOCOL\r
fa05b97b	90	/// provides the ability for securing IP communications by authenticating\r
9095d37b	91	/// and/or encrypting each IP packet in a data stream.\r
fa05b97b	92	// EFI_IPSEC_PROTOCOL can be consumed by both the IPv4 and IPv6 stack.\r
	93	// A user can employ this protocol for IPsec package handling in both IPv4\r
	94	// and IPv6 environment.\r
	95	///\r
	96	struct _EFI_IPSEC_PROTOCOL {\r
2f88bd3a MK	97	EFI_IPSEC_PROCESS Process; ///< Handle the IPsec message.\r
	98	EFI_EVENT DisabledEvent; ///< Event signaled when the interface is disabled.\r
	99	BOOLEAN DisabledFlag; ///< State of the interface.\r
fa05b97b	100	};\r
fa05b97b	101	\r
705f53a9	102	/**\r
9095d37b LG	103	Handles IPsec processing for both inbound and outbound IP packets. Compare with\r
	104	Process() in EFI_IPSEC_PROTOCOL, this interface has the capability to process\r
	105	Option(Extension Header).\r
705f53a9	106	\r
705f53a9	107	The EFI_IPSEC2_PROCESS process routine handles each inbound or outbound packet.\r
9095d37b LG	108	The behavior is that it can perform one of the following actions:\r
9095d37b LG	109	bypass the packet, discard the packet, or protect the packet.\r
705f53a9	110	\r
705f53a9	111	@param[in] This Pointer to the EFI_IPSEC2_PROTOCOL instance.\r
9095d37b	112	@param[in] NicHandle Instance of the network interface.\r
705f53a9	113	@param[in] IpVer IP version.IPv4 or IPv6.\r
9095d37b	114	@param[in, out] IpHead Pointer to the IP Header it is either\r
705f53a9	115	the EFI_IP4_HEADER or EFI_IP6_HEADER.\r
9095d37b LG	116	On input, it contains the IP header.\r
	117	On output, 1) in tunnel mode and the\r
	118	traffic direction is inbound, the buffer\r
	119	will be reset to zero by IPsec; 2) in\r
	120	tunnel mode and the traffic direction\r
	121	is outbound, the buffer will reset to\r
	122	be the tunnel IP header.3) in transport\r
	123	mode, the related fielders (like payload\r
	124	length, Next header) in IP header will\r
705f53a9	125	be modified according to the condition.\r
705f53a9	126	@param[in, out] LastHead For IP4, it is the next protocol in IP\r
9095d37b	127	header. For IP6 it is the Next Header\r
705f53a9	128	of the last extension header.\r
9095d37b LG	129	@param[in, out] OptionsBuffer On input, it contains the options\r
9095d37b LG	130	(extensions header) to be processed by\r
705f53a9	131	IPsec. On output, 1) in tunnel mode and\r
9095d37b LG	132	the traffic direction is outbound, it\r
	133	will be set to NULL, and that means this\r
	134	contents was wrapped after inner header\r
	135	and should not be concatenated after\r
	136	tunnel header again; 2) in transport\r
	137	mode and the traffic direction is inbound,\r
	138	if there are IP options (extension headers)\r
	139	protected by IPsec, IPsec will concatenate\r
	140	the those options after the input options\r
	141	(extension headers); 3) on other situations,\r
	142	the output of contents of OptionsBuffer\r
	143	might be same with input's. The caller\r
	144	should take the responsibility to free\r
705f53a9	145	the buffer both on input and on output.\r
9095d37b LG	146	@param[in, out] OptionsLength On input, the input length of the options\r
9095d37b LG	147	buffer. On output, the output length of\r
705f53a9	148	the options buffer.\r
9095d37b LG	149	@param[in, out] FragmentTable Pointer to a list of fragments. On input,\r
	150	these fragments contain the IP payload.\r
	151	On output, 1) in tunnel mode and the traffic\r
	152	direction is inbound, the fragments contain\r
	153	the whole IP payload which is from the\r
	154	IP inner header to the last byte of the\r
	155	packet; 2) in tunnel mode and the traffic\r
	156	direction is the outbound, the fragments\r
	157	contains the whole encapsulated payload\r
	158	which encapsulates the whole IP payload\r
	159	between the encapsulated header and\r
	160	encapsulated trailer fields. 3) in transport\r
	161	mode and the traffic direction is inbound,\r
	162	the fragments contains the IP payload\r
	163	which is from the next layer protocol to\r
	164	the last byte of the packet; 4) in transport\r
	165	mode and the traffic direction is outbound,\r
	166	the fragments contains the whole encapsulated\r
	167	payload which encapsulates the next layer\r
	168	protocol information between the encapsulated\r
705f53a9	169	header and encapsulated trailer fields.\r
	170	@param[in, out] FragmentCount Number of fragments.\r
	171	@param[in] TrafficDirection Traffic direction.\r
	172	@param[out] RecycleSignal Event for recycling of resources.\r
	173	\r
	174	@retval EFI_SUCCESS The packet was processed by IPsec successfully.\r
	175	@retval EFI_ACCESS_DENIED The packet was discarded.\r
9095d37b	176	@retval EFI_NOT_READY The IKE negotiation is invoked and the packet\r
705f53a9	177	was discarded.\r
	178	@retval EFI_INVALID_PARAMETER One or more of following are TRUE:\r
	179	If OptionsBuffer is NULL;\r
	180	If OptionsLength is NULL;\r
	181	If FragmentTable is NULL;\r
	182	If FragmentCount is NULL.\r
	183	\r
	184	**/\r
9095d37b	185	typedef\r
705f53a9	186	EFI_STATUS\r
2f88bd3a	187	(EFIAPI *EFI_IPSEC_PROCESSEXT)(\r
9095d37b LG	188	IN EFI_IPSEC2_PROTOCOL *This,\r
	189	IN EFI_HANDLE NicHandle,\r
	190	IN UINT8 IpVer,\r
	191	IN OUT VOID *IpHead,\r
	192	IN OUT UINT8 *LastHead,\r
	193	IN OUT VOID **OptionsBuffer,\r
	194	IN OUT UINT32 *OptionsLength,\r
	195	IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable,\r
	196	IN OUT UINT32 *FragmentCount,\r
	197	IN EFI_IPSEC_TRAFFIC_DIR TrafficDirection,\r
2f88bd3a	198	OUT EFI_EVENT *RecycleSignal\r
705f53a9	199	);\r
fa05b97b	200	\r
9095d37b	201	///\r
705f53a9	202	/// EFI_IPSEC2_PROTOCOL\r
	203	/// supports the Option (extension header) processing in IPsec which doesn't support\r
	204	/// in EFI_IPSEC_PROTOCOL. It is also recommended to use EFI_IPSEC2_PROTOCOL instead\r
	205	/// of EFI_IPSEC_PROTOCOL especially for IPsec Tunnel Mode.\r
	206	/// provides the ability for securing IP communications by authenticating and/or\r
	207	/// encrypting each IP packet in a data stream.\r
	208	///\r
9095d37b	209	struct _EFI_IPSEC2_PROTOCOL {\r
2f88bd3a MK	210	EFI_IPSEC_PROCESSEXT ProcessExt;\r
	211	EFI_EVENT DisabledEvent;\r
	212	BOOLEAN DisabledFlag;\r
705f53a9	213	};\r
705f53a9	214	\r
2f88bd3a MK	215	extern EFI_GUID gEfiIpSecProtocolGuid;\r
2f88bd3a MK	216	extern EFI_GUID gEfiIpSec2ProtocolGuid;\r
fa05b97b	217	#endif\r