[mirror_edk2.git] / NetworkPkg / IpSecDxe / IpSecImpl.h

/** @file\r
  The definitions related to IPsec protocol implementation.\r
\r
  Copyright (c) 2009 - 2010, Intel Corporation. All rights reserved.<BR>\r
\r
  This program and the accompanying materials\r
  are licensed and made available under the terms and conditions of the BSD License\r
  which accompanies this distribution.  The full text of the license may be found at\r
  http://opensource.org/licenses/bsd-license.php.\r
\r
  THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,\r
  WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r
\r
**/\r
\r
#ifndef _IP_SEC_IMPL_H_\r
#define _IP_SEC_IMPL_H_\r
\r
#include <Uefi.h>\r
#include <Library/UefiLib.h>\r
#include <Library/NetLib.h>\r
#include <Library/BaseMemoryLib.h>\r
#include <Library/UefiBootServicesTableLib.h>\r
#include <Library/MemoryAllocationLib.h>\r
#include <Protocol/IpSec.h>\r
#include <Protocol/IpSecConfig.h>\r
#include <Protocol/Dpc.h>\r
#include <Protocol/ComponentName.h>\r
#include <Protocol/ComponentName2.h>\r
\r
typedef struct _IPSEC_PRIVATE_DATA IPSEC_PRIVATE_DATA;\r
typedef struct _IPSEC_SPD_ENTRY IPSEC_SPD_ENTRY;\r
typedef struct _IPSEC_PAD_ENTRY IPSEC_PAD_ENTRY;\r
typedef struct _IPSEC_SPD_DATA IPSEC_SPD_DATA;\r
\r
#define IPSEC_PRIVATE_DATA_SIGNATURE        SIGNATURE_32 ('I', 'P', 'S', 'E')\r
\r
#define IPSEC_PRIVATE_DATA_FROM_IPSEC(a)    CR (a, IPSEC_PRIVATE_DATA, IpSec, IPSEC_PRIVATE_DATA_SIGNATURE)\r
#define IPSEC_PRIVATE_DATA_FROM_UDP4LIST(a) CR (a, IPSEC_PRIVATE_DATA, Udp4List, IPSEC_PRIVATE_DATA_SIGNATURE)\r
#define IPSEC_PRIVATE_DATA_FROM_UDP6LIST(a) CR (a, IPSEC_PRIVATE_DATA, Udp6List, IPSEC_PRIVATE_DATA_SIGNATURE)\r
#define IPSEC_UDP_SERVICE_FROM_LIST(a)      BASE_CR (a, IKE_UDP_SERVICE, List)\r
#define IPSEC_SPD_ENTRY_FROM_LIST(a)        BASE_CR (a, IPSEC_SPD_ENTRY, List)\r
#define IPSEC_SAD_ENTRY_FROM_LIST(a)        BASE_CR (a, IPSEC_SAD_ENTRY, List)\r
#define IPSEC_PAD_ENTRY_FROM_LIST(a)        BASE_CR (a, IPSEC_PAD_ENTRY, List)\r
#define IPSEC_SAD_ENTRY_FROM_SPD(a)         BASE_CR (a, IPSEC_SAD_ENTRY, BySpd)\r
\r
#define IPSEC_STATUS_DISABLED       0\r
#define IPSEC_STATUS_ENABLED        1\r
#define IPSEC_ESP_PROTOCOL          50\r
#define IPSEC_AH_PROTOCOL           51\r
#define IPSEC_DEFAULT_VARIABLE_SIZE 0x100\r
\r
//\r
// Internal Structure Definition\r
//\r
#pragma pack(1)\r
typedef struct _EFI_AH_HEADER {\r
  UINT8   NextHeader;\r
  UINT8   PayloadLen;\r
  UINT16  Reserved;\r
  UINT32  Spi;\r
  UINT32  SequenceNumber;\r
} EFI_AH_HEADER;\r
\r
typedef struct _EFI_ESP_HEADER {\r
  UINT32  Spi;\r
  UINT32  SequenceNumber;\r
} EFI_ESP_HEADER;\r
\r
typedef struct _EFI_ESP_TAIL {\r
  UINT8 PaddingLength;\r
  UINT8 NextHeader;\r
} EFI_ESP_TAIL;\r
#pragma pack()\r
\r
struct _IPSEC_SPD_DATA {\r
  CHAR16                    Name[100];\r
  UINT32                    PackageFlag;\r
  EFI_IPSEC_ACTION          Action;\r
  EFI_IPSEC_PROCESS_POLICY  *ProcessingPolicy;\r
  LIST_ENTRY                Sas;\r
};\r
\r
struct _IPSEC_SPD_ENTRY {\r
  EFI_IPSEC_SPD_SELECTOR  *Selector;\r
  IPSEC_SPD_DATA          *Data;\r
  LIST_ENTRY              List;\r
};\r
\r
typedef struct _IPSEC_SAD_DATA {\r
  EFI_IPSEC_MODE         Mode;\r
  UINT64                 SequenceNumber;\r
  UINT8                  AntiReplayWindowSize;\r
  UINT64                 AntiReplayBitmap[4];  // bitmap for received packet\r
  EFI_IPSEC_ALGO_INFO    AlgoInfo;\r
  EFI_IPSEC_SA_LIFETIME  SaLifetime;\r
  UINT32                 PathMTU;\r
  IPSEC_SPD_ENTRY        *SpdEntry;\r
  EFI_IPSEC_SPD_SELECTOR *SpdSelector;\r
  BOOLEAN                ESNEnabled;           // Extended (64-bit) SN enabled\r
  BOOLEAN                ManualSet;\r
  EFI_IP_ADDRESS         TunnelDestAddress;\r
  EFI_IP_ADDRESS         TunnelSourceAddress;\r
} IPSEC_SAD_DATA;\r
\r
typedef struct _IPSEC_SAD_ENTRY {\r
  EFI_IPSEC_SA_ID  *Id;\r
  IPSEC_SAD_DATA  *Data;\r
  LIST_ENTRY      List;\r
  LIST_ENTRY      BySpd;                      // Linked on IPSEC_SPD_DATA.Sas\r
} IPSEC_SAD_ENTRY;\r
\r
struct _IPSEC_PAD_ENTRY {\r
  EFI_IPSEC_PAD_ID    *Id;\r
  EFI_IPSEC_PAD_DATA  *Data;\r
  LIST_ENTRY          List;\r
};\r
\r
typedef struct _IPSEC_RECYCLE_CONTEXT {\r
  EFI_IPSEC_FRAGMENT_DATA *FragmentTable;\r
  UINT8                   *PayloadBuffer;\r
} IPSEC_RECYCLE_CONTEXT;\r
\r
struct _IPSEC_PRIVATE_DATA {\r
  UINT32                    Signature;\r
  EFI_HANDLE                Handle;           // Virtual handle to install private prtocol\r
  EFI_HANDLE                ImageHandle;\r
  EFI_IPSEC2_PROTOCOL       IpSec;\r
  EFI_IPSEC_CONFIG_PROTOCOL IpSecConfig;\r
  BOOLEAN                   SetBySelf;\r
  LIST_ENTRY                Udp4List;\r
  UINTN                     Udp4Num;\r
  LIST_ENTRY                Udp6List;\r
  UINTN                     Udp6Num;\r
  LIST_ENTRY                Ikev1SessionList;\r
  LIST_ENTRY                Ikev1EstablishedList;\r
  LIST_ENTRY                Ikev2SessionList;\r
  LIST_ENTRY                Ikev2EstablishedList;\r
  BOOLEAN                   IsIPsecDisabling;\r
};\r
\r
/**\r
  This function processes the inbound traffic with IPsec.\r
\r
  It checks the received packet security property, trims the ESP/AH header, and then\r
  returns without an IPsec protected IP Header and FragmentTable.\r
\r
  @param[in]      IpVersion          The version of IP.\r
  @param[in, out] IpHead             Points to IP header containing the ESP/AH header\r
                                     to be trimed on input, and without ESP/AH header\r
                                     on return.\r
  @param[out]     LastHead           The Last Header in IP header on return.\r
  @param[in, out] OptionsBuffer      Pointer to the options buffer. It is optional.\r
  @param[in, out] OptionsLength      Length of the options buffer. It is optional.\r
  @param[in, out] FragmentTable      Pointer to a list of fragments in the form of IPsec\r
                                     protected on input, and without IPsec protected\r
                                     on return.\r
  @param[in, out] FragmentCount      Number of fragments.\r
  @param[out]     SpdEntry           Pointer to contain the address of SPD entry on return.\r
  @param[out]     RecycleEvent       Event for recycling of resources.\r
\r
  @retval EFI_SUCCESS              The operation is successful.\r
  @retval EFI_UNSUPPORTED          If the IPSEC protocol is not supported.\r
\r
**/\r
EFI_STATUS\r
IpSecProtectInboundPacket (\r
  IN     UINT8                       IpVersion,\r
  IN OUT VOID                        *IpHead,\r
     OUT UINT8                       *LastHead,\r
  IN OUT VOID                        **OptionsBuffer, OPTIONAL\r
  IN OUT UINT32                      *OptionsLength,  OPTIONAL\r
  IN OUT EFI_IPSEC_FRAGMENT_DATA     **FragmentTable,\r
  IN OUT UINT32                      *FragmentCount,\r
     OUT IPSEC_SPD_ENTRY             **SpdEntry,\r
     OUT EFI_EVENT                   *RecycleEvent\r
  );\r
\r
\r
/**\r
  This fucntion processes the output traffic with IPsec.\r
\r
  It protected the sending packet by encrypting it payload and inserting ESP/AH header\r
  in the orginal IP header, then return the IpHeader and IPsec protected Fragmentable.\r
\r
  @param[in]      IpVersion          The version of IP.\r
  @param[in, out] IpHead             Point to IP header containing the orginal IP header\r
                                     to be processed on input, and inserted ESP/AH header\r
                                     on return.\r
  @param[in, out] LastHead           The Last Header in IP header.\r
  @param[in, out] OptionsBuffer      Pointer to the options buffer. It is optional.\r
  @param[in, out] OptionsLength      Length of the options buffer. It is optional.\r
  @param[in, out] FragmentTable      Pointer to a list of fragments to be protected by\r
                                     IPsec on input, and with IPsec protected\r
                                     on return.\r
  @param[in, out] FragmentCount      Number of fragments.\r
  @param[in]      SadEntry           Related SAD entry.\r
  @param[out]     RecycleEvent       Event for recycling of resources.\r
\r
  @retval EFI_SUCCESS              The operation is successful.\r
  @retval EFI_UNSUPPORTED          If the IPSEC protocol is not supported.\r
\r
**/\r
EFI_STATUS\r
IpSecProtectOutboundPacket (\r
  IN     UINT8                       IpVersion,\r
  IN OUT VOID                        *IpHead,\r
  IN OUT UINT8                       *LastHead,\r
  IN OUT VOID                        **OptionsBuffer, OPTIONAL\r
  IN OUT UINT32                      *OptionsLength,  OPTIONAL\r
  IN OUT EFI_IPSEC_FRAGMENT_DATA     **FragmentTable,\r
  IN OUT UINT32                      *FragmentCount,\r
  IN     IPSEC_SAD_ENTRY             *SadEntry,\r
     OUT EFI_EVENT                   *RecycleEvent\r
  );\r
\r
/**\r
  Check if the IP Address in the address range of AddressInfos specified.\r
\r
  @param[in]  IpVersion         The IP version.\r
  @param[in]  IpAddr            Points to EFI_IP_ADDRESS to be check.\r
  @param[in]  AddressInfo       A list of EFI_IP_ADDRESS_INFO that is used to check\r
                                the IP Address is matched.\r
  @param[in]  AddressCount      The total numbers of the AddressInfo.\r
\r
  @retval   TRUE    If the Specified IP Address is in the range of the AddressInfos specified.\r
  @retval   FALSE   If the Specified IP Address is not in the range of the AddressInfos specified.\r
\r
**/\r
BOOLEAN\r
IpSecMatchIpAddress (\r
  IN UINT8                                  IpVersion,\r
  IN EFI_IP_ADDRESS                         *IpAddr,\r
  IN EFI_IP_ADDRESS_INFO                    *AddressInfo,\r
  IN UINT32                                 AddressCount\r
  );\r
\r
/**\r
  Find a PAD entry according to remote IP address.\r
\r
  @param[in]  IpVersion         The version of IP.\r
  @param[in]  IpAddr            Point to remote IP address.\r
\r
  @return The pointer of related PAD entry.\r
\r
**/\r
IPSEC_PAD_ENTRY *\r
IpSecLookupPadEntry (\r
  IN UINT8                                  IpVersion,\r
  IN EFI_IP_ADDRESS                         *IpAddr\r
  );\r
\r
/**\r
  Find the SAD through whole SAD list.\r
\r
  @param[in]  Spi               The SPI used to search the SAD entry.\r
  @param[in]  DestAddress       The destination used to search the SAD entry.\r
\r
  @return  The pointer to a certain SAD entry.\r
\r
**/\r
IPSEC_SAD_ENTRY *\r
IpSecLookupSadBySpi (\r
  IN UINT32                                 Spi,\r
  IN EFI_IP_ADDRESS                         *DestAddress\r
  )\r
;\r
\r
/**\r
  Handles IPsec packet processing for inbound and outbound IP packets.\r
\r
  The EFI_IPSEC_PROCESS process routine handles each inbound or outbound packet.\r
  The behavior is that it can perform one of the following actions:\r
  bypass the packet, discard the packet, or protect the packet.\r
\r
  @param[in]      This             Pointer to the EFI_IPSEC_PROTOCOL instance.\r
  @param[in]      NicHandle        Instance of the network interface.\r
  @param[in]      IpVersion        IPV4 or IPV6.\r
  @param[in, out] IpHead           Pointer to the IP Header.\r
  @param[in, out] LastHead         The protocol of the next layer to be processed by IPsec.\r
  @param[in, out] OptionsBuffer    Pointer to the options buffer.\r
  @param[in, out] OptionsLength    Length of the options buffer.\r
  @param[in, out] FragmentTable    Pointer to a list of fragments.\r
  @param[in, out] FragmentCount    Number of fragments.\r
  @param[in]      TrafficDirection Traffic direction.\r
  @param[out]     RecycleSignal    Event for recycling of resources.\r
\r
  @retval EFI_SUCCESS              The packet was bypassed and all buffers remain the same.\r
  @retval EFI_SUCCESS              The packet was protected.\r
  @retval EFI_ACCESS_DENIED        The packet was discarded.\r
\r
**/\r
EFI_STATUS\r
EFIAPI\r
IpSecProcess (\r
  IN     EFI_IPSEC2_PROTOCOL              *This,\r
  IN     EFI_HANDLE                      NicHandle,\r
  IN     UINT8                           IpVersion,\r
  IN OUT VOID                            *IpHead,\r
  IN OUT UINT8                           *LastHead,\r
  IN OUT VOID                            **OptionsBuffer,\r
  IN OUT UINT32                          *OptionsLength,\r
  IN OUT EFI_IPSEC_FRAGMENT_DATA         **FragmentTable,\r
  IN OUT UINT32                          *FragmentCount,\r
  IN     EFI_IPSEC_TRAFFIC_DIR           TrafficDirection,\r
     OUT EFI_EVENT                       *RecycleSignal\r
  );\r
\r
extern EFI_DPC_PROTOCOL    *mDpc;\r
extern EFI_IPSEC2_PROTOCOL  mIpSecInstance;\r
\r
extern EFI_COMPONENT_NAME2_PROTOCOL gIpSecComponentName2;\r
extern EFI_COMPONENT_NAME_PROTOCOL  gIpSecComponentName;\r
\r
\r
#endif\r
Commit	Line	Data
a3bcde70 HT	1	/** @file\r
	2	The definitions related to IPsec protocol implementation.\r
	3	\r
	4	Copyright (c) 2009 - 2010, Intel Corporation. All rights reserved.<BR>\r
	5	\r
	6	This program and the accompanying materials\r
	7	are licensed and made available under the terms and conditions of the BSD License\r
	8	which accompanies this distribution. The full text of the license may be found at\r
	9	http://opensource.org/licenses/bsd-license.php.\r
	10	\r
	11	THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,\r
	12	WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r
	13	\r
	14	**/\r
	15	\r
	16	#ifndef _IP_SEC_IMPL_H_\r
	17	#define _IP_SEC_IMPL_H_\r
	18	\r
	19	#include <Uefi.h>\r
	20	#include <Library/UefiLib.h>\r
	21	#include <Library/NetLib.h>\r
	22	#include <Library/BaseMemoryLib.h>\r
	23	#include <Library/UefiBootServicesTableLib.h>\r
	24	#include <Library/MemoryAllocationLib.h>\r
	25	#include <Protocol/IpSec.h>\r
	26	#include <Protocol/IpSecConfig.h>\r
	27	#include <Protocol/Dpc.h>\r
	28	#include <Protocol/ComponentName.h>\r
	29	#include <Protocol/ComponentName2.h>\r
	30	\r
	31	typedef struct _IPSEC_PRIVATE_DATA IPSEC_PRIVATE_DATA;\r
	32	typedef struct _IPSEC_SPD_ENTRY IPSEC_SPD_ENTRY;\r
	33	typedef struct _IPSEC_PAD_ENTRY IPSEC_PAD_ENTRY;\r
	34	typedef struct _IPSEC_SPD_DATA IPSEC_SPD_DATA;\r
	35	\r
	36	#define IPSEC_PRIVATE_DATA_SIGNATURE SIGNATURE_32 ('I', 'P', 'S', 'E')\r
	37	\r
	38	#define IPSEC_PRIVATE_DATA_FROM_IPSEC(a) CR (a, IPSEC_PRIVATE_DATA, IpSec, IPSEC_PRIVATE_DATA_SIGNATURE)\r
	39	#define IPSEC_PRIVATE_DATA_FROM_UDP4LIST(a) CR (a, IPSEC_PRIVATE_DATA, Udp4List, IPSEC_PRIVATE_DATA_SIGNATURE)\r
	40	#define IPSEC_PRIVATE_DATA_FROM_UDP6LIST(a) CR (a, IPSEC_PRIVATE_DATA, Udp6List, IPSEC_PRIVATE_DATA_SIGNATURE)\r
	41	#define IPSEC_UDP_SERVICE_FROM_LIST(a) BASE_CR (a, IKE_UDP_SERVICE, List)\r
	42	#define IPSEC_SPD_ENTRY_FROM_LIST(a) BASE_CR (a, IPSEC_SPD_ENTRY, List)\r
	43	#define IPSEC_SAD_ENTRY_FROM_LIST(a) BASE_CR (a, IPSEC_SAD_ENTRY, List)\r
	44	#define IPSEC_PAD_ENTRY_FROM_LIST(a) BASE_CR (a, IPSEC_PAD_ENTRY, List)\r
	45	#define IPSEC_SAD_ENTRY_FROM_SPD(a) BASE_CR (a, IPSEC_SAD_ENTRY, BySpd)\r
	46	\r
	47	#define IPSEC_STATUS_DISABLED 0\r
	48	#define IPSEC_STATUS_ENABLED 1\r
	49	#define IPSEC_ESP_PROTOCOL 50\r
	50	#define IPSEC_AH_PROTOCOL 51\r
	51	#define IPSEC_DEFAULT_VARIABLE_SIZE 0x100\r
	52	\r
	53	//\r
	54	// Internal Structure Definition\r
	55	//\r
	56	#pragma pack(1)\r
	57	typedef struct _EFI_AH_HEADER {\r
	58	UINT8 NextHeader;\r
	59	UINT8 PayloadLen;\r
	60	UINT16 Reserved;\r
	61	UINT32 Spi;\r
	62	UINT32 SequenceNumber;\r
	63	} EFI_AH_HEADER;\r
	64	\r
65	typedef struct _EFI_ESP_HEADER {\r
66	UINT32 Spi;\r
67	UINT32 SequenceNumber;\r
68	} EFI_ESP_HEADER;\r
69	\r
70	typedef struct _EFI_ESP_TAIL {\r
71	UINT8 PaddingLength;\r
72	UINT8 NextHeader;\r
73	} EFI_ESP_TAIL;\r
74	#pragma pack()\r
75	\r
76	struct _IPSEC_SPD_DATA {\r
77	CHAR16 Name[100];\r
78	UINT32 PackageFlag;\r
79	EFI_IPSEC_ACTION Action;\r
80	EFI_IPSEC_PROCESS_POLICY *ProcessingPolicy;\r
81	LIST_ENTRY Sas;\r
82	};\r
83	\r
84	struct _IPSEC_SPD_ENTRY {\r
85	EFI_IPSEC_SPD_SELECTOR *Selector;\r
86	IPSEC_SPD_DATA *Data;\r
87	LIST_ENTRY List;\r
88	};\r
89	\r
90	typedef struct _IPSEC_SAD_DATA {\r
68d3f2fb	91	EFI_IPSEC_MODE Mode;\r
	92	UINT64 SequenceNumber;\r
	93	UINT8 AntiReplayWindowSize;\r
	94	UINT64 AntiReplayBitmap[4]; // bitmap for received packet\r
	95	EFI_IPSEC_ALGO_INFO AlgoInfo;\r
	96	EFI_IPSEC_SA_LIFETIME SaLifetime;\r
	97	UINT32 PathMTU;\r
	98	IPSEC_SPD_ENTRY *SpdEntry;\r
	99	EFI_IPSEC_SPD_SELECTOR *SpdSelector;\r
	100	BOOLEAN ESNEnabled; // Extended (64-bit) SN enabled\r
	101	BOOLEAN ManualSet;\r
	102	EFI_IP_ADDRESS TunnelDestAddress;\r
	103	EFI_IP_ADDRESS TunnelSourceAddress;\r
a3bcde70 HT	104	} IPSEC_SAD_DATA;\r
	105	\r
	106	typedef struct _IPSEC_SAD_ENTRY {\r
	107	EFI_IPSEC_SA_ID *Id;\r
	108	IPSEC_SAD_DATA *Data;\r
	109	LIST_ENTRY List;\r
	110	LIST_ENTRY BySpd; // Linked on IPSEC_SPD_DATA.Sas\r
	111	} IPSEC_SAD_ENTRY;\r
	112	\r
	113	struct _IPSEC_PAD_ENTRY {\r
	114	EFI_IPSEC_PAD_ID *Id;\r
	115	EFI_IPSEC_PAD_DATA *Data;\r
	116	LIST_ENTRY List;\r
	117	};\r
	118	\r
	119	typedef struct _IPSEC_RECYCLE_CONTEXT {\r
	120	EFI_IPSEC_FRAGMENT_DATA *FragmentTable;\r
	121	UINT8 *PayloadBuffer;\r
	122	} IPSEC_RECYCLE_CONTEXT;\r
	123	\r
	124	struct _IPSEC_PRIVATE_DATA {\r
	125	UINT32 Signature;\r
	126	EFI_HANDLE Handle; // Virtual handle to install private prtocol\r
	127	EFI_HANDLE ImageHandle;\r
68d3f2fb	128	EFI_IPSEC2_PROTOCOL IpSec;\r
a3bcde70 HT	129	EFI_IPSEC_CONFIG_PROTOCOL IpSecConfig;\r
	130	BOOLEAN SetBySelf;\r
	131	LIST_ENTRY Udp4List;\r
	132	UINTN Udp4Num;\r
	133	LIST_ENTRY Udp6List;\r
	134	UINTN Udp6Num;\r
	135	LIST_ENTRY Ikev1SessionList;\r
	136	LIST_ENTRY Ikev1EstablishedList;\r
	137	LIST_ENTRY Ikev2SessionList;\r
	138	LIST_ENTRY Ikev2EstablishedList;\r
	139	BOOLEAN IsIPsecDisabling;\r
	140	};\r
	141	\r
	142	/**\r
	143	This function processes the inbound traffic with IPsec.\r
	144	\r
	145	It checks the received packet security property, trims the ESP/AH header, and then\r
	146	returns without an IPsec protected IP Header and FragmentTable.\r
	147	\r
	148	@param[in] IpVersion The version of IP.\r
	149	@param[in, out] IpHead Points to IP header containing the ESP/AH header\r
	150	to be trimed on input, and without ESP/AH header\r
	151	on return.\r
68d3f2fb	152	@param[out] LastHead The Last Header in IP header on return.\r
	153	@param[in, out] OptionsBuffer Pointer to the options buffer. It is optional.\r
	154	@param[in, out] OptionsLength Length of the options buffer. It is optional.\r
a3bcde70 HT	155	@param[in, out] FragmentTable Pointer to a list of fragments in the form of IPsec\r
	156	protected on input, and without IPsec protected\r
	157	on return.\r
68d3f2fb	158	@param[in, out] FragmentCount Number of fragments.\r
a3bcde70 HT	159	@param[out] SpdEntry Pointer to contain the address of SPD entry on return.\r
	160	@param[out] RecycleEvent Event for recycling of resources.\r
	161	\r
	162	@retval EFI_SUCCESS The operation is successful.\r
	163	@retval EFI_UNSUPPORTED If the IPSEC protocol is not supported.\r
	164	\r
	165	**/\r
	166	EFI_STATUS\r
	167	IpSecProtectInboundPacket (\r
	168	IN UINT8 IpVersion,\r
	169	IN OUT VOID *IpHead,\r
68d3f2fb	170	OUT UINT8 *LastHead,\r
	171	IN OUT VOID **OptionsBuffer, OPTIONAL\r
	172	IN OUT UINT32 *OptionsLength, OPTIONAL\r
a3bcde70	173	IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable,\r
68d3f2fb	174	IN OUT UINT32 *FragmentCount,\r
a3bcde70 HT	175	OUT IPSEC_SPD_ENTRY **SpdEntry,\r
	176	OUT EFI_EVENT *RecycleEvent\r
	177	);\r
	178	\r
	179	\r
	180	/**\r
	181	This fucntion processes the output traffic with IPsec.\r
	182	\r
	183	It protected the sending packet by encrypting it payload and inserting ESP/AH header\r
	184	in the orginal IP header, then return the IpHeader and IPsec protected Fragmentable.\r
	185	\r
	186	@param[in] IpVersion The version of IP.\r
	187	@param[in, out] IpHead Point to IP header containing the orginal IP header\r
	188	to be processed on input, and inserted ESP/AH header\r
	189	on return.\r
68d3f2fb	190	@param[in, out] LastHead The Last Header in IP header.\r
	191	@param[in, out] OptionsBuffer Pointer to the options buffer. It is optional.\r
	192	@param[in, out] OptionsLength Length of the options buffer. It is optional.\r
a3bcde70 HT	193	@param[in, out] FragmentTable Pointer to a list of fragments to be protected by\r
	194	IPsec on input, and with IPsec protected\r
	195	on return.\r
68d3f2fb	196	@param[in, out] FragmentCount Number of fragments.\r
a3bcde70 HT	197	@param[in] SadEntry Related SAD entry.\r
	198	@param[out] RecycleEvent Event for recycling of resources.\r
	199	\r
	200	@retval EFI_SUCCESS The operation is successful.\r
	201	@retval EFI_UNSUPPORTED If the IPSEC protocol is not supported.\r
	202	\r
	203	**/\r
	204	EFI_STATUS\r
	205	IpSecProtectOutboundPacket (\r
	206	IN UINT8 IpVersion,\r
	207	IN OUT VOID *IpHead,\r
68d3f2fb	208	IN OUT UINT8 *LastHead,\r
	209	IN OUT VOID **OptionsBuffer, OPTIONAL\r
	210	IN OUT UINT32 *OptionsLength, OPTIONAL\r
a3bcde70	211	IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable,\r
68d3f2fb	212	IN OUT UINT32 *FragmentCount,\r
a3bcde70 HT	213	IN IPSEC_SAD_ENTRY *SadEntry,\r
	214	OUT EFI_EVENT *RecycleEvent\r
	215	);\r
	216	\r
	217	/**\r
	218	Check if the IP Address in the address range of AddressInfos specified.\r
	219	\r
	220	@param[in] IpVersion The IP version.\r
	221	@param[in] IpAddr Points to EFI_IP_ADDRESS to be check.\r
	222	@param[in] AddressInfo A list of EFI_IP_ADDRESS_INFO that is used to check\r
	223	the IP Address is matched.\r
	224	@param[in] AddressCount The total numbers of the AddressInfo.\r
	225	\r
	226	@retval TRUE If the Specified IP Address is in the range of the AddressInfos specified.\r
	227	@retval FALSE If the Specified IP Address is not in the range of the AddressInfos specified.\r
	228	\r
	229	**/\r
	230	BOOLEAN\r
	231	IpSecMatchIpAddress (\r
	232	IN UINT8 IpVersion,\r
	233	IN EFI_IP_ADDRESS *IpAddr,\r
	234	IN EFI_IP_ADDRESS_INFO *AddressInfo,\r
	235	IN UINT32 AddressCount\r
	236	);\r
	237	\r
	238	/**\r
	239	Find a PAD entry according to remote IP address.\r
	240	\r
	241	@param[in] IpVersion The version of IP.\r
	242	@param[in] IpAddr Point to remote IP address.\r
	243	\r
	244	@return The pointer of related PAD entry.\r
	245	\r
	246	**/\r
	247	IPSEC_PAD_ENTRY *\r
	248	IpSecLookupPadEntry (\r
	249	IN UINT8 IpVersion,\r
	250	IN EFI_IP_ADDRESS *IpAddr\r
	251	);\r
	252	\r
	253	/**\r
	254	Find the SAD through whole SAD list.\r
	255	\r
	256	@param[in] Spi The SPI used to search the SAD entry.\r
	257	@param[in] DestAddress The destination used to search the SAD entry.\r
	258	\r
	259	@return The pointer to a certain SAD entry.\r
	260	\r
	261	**/\r
	262	IPSEC_SAD_ENTRY *\r
	263	IpSecLookupSadBySpi (\r
	264	IN UINT32 Spi,\r
	265	IN EFI_IP_ADDRESS *DestAddress\r
	266	)\r
	267	;\r
	268	\r
	269	/**\r
	270	Handles IPsec packet processing for inbound and outbound IP packets.\r
	271	\r
	272	The EFI_IPSEC_PROCESS process routine handles each inbound or outbound packet.\r
	273	The behavior is that it can perform one of the following actions:\r
	274	bypass the packet, discard the packet, or protect the packet.\r
	275	\r
	276	@param[in] This Pointer to the EFI_IPSEC_PROTOCOL instance.\r
277	@param[in] NicHandle Instance of the network interface.\r
278	@param[in] IpVersion IPV4 or IPV6.\r
279	@param[in, out] IpHead Pointer to the IP Header.\r
68d3f2fb	280	@param[in, out] LastHead The protocol of the next layer to be processed by IPsec.\r
	281	@param[in, out] OptionsBuffer Pointer to the options buffer.\r
	282	@param[in, out] OptionsLength Length of the options buffer.\r
a3bcde70	283	@param[in, out] FragmentTable Pointer to a list of fragments.\r
68d3f2fb	284	@param[in, out] FragmentCount Number of fragments.\r
a3bcde70 HT	285	@param[in] TrafficDirection Traffic direction.\r
	286	@param[out] RecycleSignal Event for recycling of resources.\r
	287	\r
	288	@retval EFI_SUCCESS The packet was bypassed and all buffers remain the same.\r
	289	@retval EFI_SUCCESS The packet was protected.\r
	290	@retval EFI_ACCESS_DENIED The packet was discarded.\r
	291	\r
	292	**/\r
	293	EFI_STATUS\r
	294	EFIAPI\r
	295	IpSecProcess (\r
68d3f2fb	296	IN EFI_IPSEC2_PROTOCOL *This,\r
a3bcde70 HT	297	IN EFI_HANDLE NicHandle,\r
	298	IN UINT8 IpVersion,\r
	299	IN OUT VOID *IpHead,\r
68d3f2fb	300	IN OUT UINT8 *LastHead,\r
	301	IN OUT VOID **OptionsBuffer,\r
	302	IN OUT UINT32 *OptionsLength,\r
a3bcde70	303	IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable,\r
68d3f2fb	304	IN OUT UINT32 *FragmentCount,\r
a3bcde70 HT	305	IN EFI_IPSEC_TRAFFIC_DIR TrafficDirection,\r
	306	OUT EFI_EVENT *RecycleSignal\r
	307	);\r
	308	\r
	309	extern EFI_DPC_PROTOCOL *mDpc;\r
68d3f2fb	310	extern EFI_IPSEC2_PROTOCOL mIpSecInstance;\r
a3bcde70 HT	311	\r
	312	extern EFI_COMPONENT_NAME2_PROTOCOL gIpSecComponentName2;\r
	313	extern EFI_COMPONENT_NAME_PROTOCOL gIpSecComponentName;\r
	314	\r
	315	\r
	316	#endif\r