]> git.proxmox.com Git - mirror_edk2.git/blob - MdePkg/Include/Protocol/IpSec.h
projects / mirror_edk2.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
MdePkg/Include/Protocol/Tls.h: pack structures from the TLS RFC
[mirror_edk2.git] / MdePkg / Include / Protocol / IpSec.h
1 /** @file
2 EFI IPSEC Protocol Definition
3 The EFI_IPSEC_PROTOCOL is used to abstract the ability to deal with the individual
4 packets sent and received by the host and provide packet-level security for IP
5 datagram.
6 The EFI_IPSEC2_PROTOCOL is used to abstract the ability to deal with the individual
7 packets sent and received by the host and provide packet-level security for IP
8 datagram. In addition, it supports the Option (extension header) processing in
9 IPsec which doesn't support in EFI_IPSEC_PROTOCOL. It is also recommended to
10 use EFI_IPSEC2_PROTOCOL instead of EFI_IPSEC_PROTOCOL especially for IPsec Tunnel
11 Mode.
12
13 Copyright (c) 2009 - 2010, Intel Corporation. All rights reserved.<BR>
14 This program and the accompanying materials
15 are licensed and made available under the terms and conditions of the BSD License
16 which accompanies this distribution. The full text of the license may be found at
17 http://opensource.org/licenses/bsd-license.php
18
19 THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
20 WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
21
22 @par Revision Reference:
23 The EFI_IPSEC2_PROTOCOL is introduced in UEFI Specification 2.3D.
24
25 **/
26
27 #ifndef __EFI_IPSEC_PROTOCOL_H__
28 #define __EFI_IPSEC_PROTOCOL_H__
29
30 #include <Protocol/IpSecConfig.h>
31
32 #define EFI_IPSEC_PROTOCOL_GUID \
33 { \
34 0xdfb386f7, 0xe100, 0x43ad, {0x9c, 0x9a, 0xed, 0x90, 0xd0, 0x8a, 0x5e, 0x12 } \
35 }
36
37 #define EFI_IPSEC2_PROTOCOL_GUID \
38 { \
39 0xa3979e64, 0xace8, 0x4ddc, {0xbc, 0x7, 0x4d, 0x66, 0xb8, 0xfd, 0x9, 0x77 } \
40 }
41
42 typedef struct _EFI_IPSEC_PROTOCOL EFI_IPSEC_PROTOCOL;
43 typedef struct _EFI_IPSEC2_PROTOCOL EFI_IPSEC2_PROTOCOL;
44
45 ///
46 /// EFI_IPSEC_FRAGMENT_DATA
47 /// defines the instances of packet fragments.
48 ///
49 typedef struct _EFI_IPSEC_FRAGMENT_DATA {
50 UINT32 FragmentLength;
51 VOID *FragmentBuffer;
52 } EFI_IPSEC_FRAGMENT_DATA;
53
54
55 /**
56 Handles IPsec packet processing for inbound and outbound IP packets.
57
58 The EFI_IPSEC_PROCESS process routine handles each inbound or outbound packet.
59 The behavior is that it can perform one of the following actions:
60 bypass the packet, discard the packet, or protect the packet.
61
62 @param[in] This Pointer to the EFI_IPSEC_PROTOCOL instance.
63 @param[in] NicHandle Instance of the network interface.
64 @param[in] IpVer IPV4 or IPV6.
65 @param[in, out] IpHead Pointer to the IP Header.
66 @param[in] LastHead The protocol of the next layer to be processed by IPsec.
67 @param[in] OptionsBuffer Pointer to the options buffer.
68 @param[in] OptionsLength Length of the options buffer.
69 @param[in, out] FragmentTable Pointer to a list of fragments.
70 @param[in] FragmentCount Number of fragments.
71 @param[in] TrafficDirection Traffic direction.
72 @param[out] RecycleSignal Event for recycling of resources.
73
74 @retval EFI_SUCCESS The packet was bypassed and all buffers remain the same.
75 @retval EFI_SUCCESS The packet was protected.
76 @retval EFI_ACCESS_DENIED The packet was discarded.
77
78 **/
79 typedef
80 EFI_STATUS
81 (EFIAPI *EFI_IPSEC_PROCESS)(
82 IN EFI_IPSEC_PROTOCOL *This,
83 IN EFI_HANDLE NicHandle,
84 IN UINT8 IpVer,
85 IN OUT VOID *IpHead,
86 IN UINT8 *LastHead,
87 IN VOID *OptionsBuffer,
88 IN UINT32 OptionsLength,
89 IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable,
90 IN UINT32 *FragmentCount,
91 IN EFI_IPSEC_TRAFFIC_DIR TrafficDirection,
92 OUT EFI_EVENT *RecycleSignal
93 );
94
95 ///
96 /// EFI_IPSEC_PROTOCOL
97 /// provides the ability for securing IP communications by authenticating
98 /// and/or encrypting each IP packet in a data stream.
99 // EFI_IPSEC_PROTOCOL can be consumed by both the IPv4 and IPv6 stack.
100 // A user can employ this protocol for IPsec package handling in both IPv4
101 // and IPv6 environment.
102 ///
103 struct _EFI_IPSEC_PROTOCOL {
104 EFI_IPSEC_PROCESS Process; ///< Handle the IPsec message.
105 EFI_EVENT DisabledEvent; ///< Event signaled when the interface is disabled.
106 BOOLEAN DisabledFlag; ///< State of the interface.
107 };
108
109 /**
110 Handles IPsec processing for both inbound and outbound IP packets. Compare with
111 Process() in EFI_IPSEC_PROTOCOL, this interface has the capability to process
112 Option(Extension Header).
113
114 The EFI_IPSEC2_PROCESS process routine handles each inbound or outbound packet.
115 The behavior is that it can perform one of the following actions:
116 bypass the packet, discard the packet, or protect the packet.
117
118 @param[in] This Pointer to the EFI_IPSEC2_PROTOCOL instance.
119 @param[in] NicHandle Instance of the network interface.
120 @param[in] IpVer IP version.IPv4 or IPv6.
121 @param[in, out] IpHead Pointer to the IP Header it is either
122 the EFI_IP4_HEADER or EFI_IP6_HEADER.
123 On input, it contains the IP header.
124 On output, 1) in tunnel mode and the
125 traffic direction is inbound, the buffer
126 will be reset to zero by IPsec; 2) in
127 tunnel mode and the traffic direction
128 is outbound, the buffer will reset to
129 be the tunnel IP header.3) in transport
130 mode, the related fielders (like payload
131 length, Next header) in IP header will
132 be modified according to the condition.
133 @param[in, out] LastHead For IP4, it is the next protocol in IP
134 header. For IP6 it is the Next Header
135 of the last extension header.
136 @param[in, out] OptionsBuffer On input, it contains the options
137 (extensions header) to be processed by
138 IPsec. On output, 1) in tunnel mode and
139 the traffic direction is outbound, it
140 will be set to NULL, and that means this
141 contents was wrapped after inner header
142 and should not be concatenated after
143 tunnel header again; 2) in transport
144 mode and the traffic direction is inbound,
145 if there are IP options (extension headers)
146 protected by IPsec, IPsec will concatenate
147 the those options after the input options
148 (extension headers); 3) on other situations,
149 the output of contents of OptionsBuffer
150 might be same with input's. The caller
151 should take the responsibility to free
152 the buffer both on input and on output.
153 @param[in, out] OptionsLength On input, the input length of the options
154 buffer. On output, the output length of
155 the options buffer.
156 @param[in, out] FragmentTable Pointer to a list of fragments. On input,
157 these fragments contain the IP payload.
158 On output, 1) in tunnel mode and the traffic
159 direction is inbound, the fragments contain
160 the whole IP payload which is from the
161 IP inner header to the last byte of the
162 packet; 2) in tunnel mode and the traffic
163 direction is the outbound, the fragments
164 contains the whole encapsulated payload
165 which encapsulates the whole IP payload
166 between the encapsulated header and
167 encapsulated trailer fields. 3) in transport
168 mode and the traffic direction is inbound,
169 the fragments contains the IP payload
170 which is from the next layer protocol to
171 the last byte of the packet; 4) in transport
172 mode and the traffic direction is outbound,
173 the fragments contains the whole encapsulated
174 payload which encapsulates the next layer
175 protocol information between the encapsulated
176 header and encapsulated trailer fields.
177 @param[in, out] FragmentCount Number of fragments.
178 @param[in] TrafficDirection Traffic direction.
179 @param[out] RecycleSignal Event for recycling of resources.
180
181 @retval EFI_SUCCESS The packet was processed by IPsec successfully.
182 @retval EFI_ACCESS_DENIED The packet was discarded.
183 @retval EFI_NOT_READY The IKE negotiation is invoked and the packet
184 was discarded.
185 @retval EFI_INVALID_PARAMETER One or more of following are TRUE:
186 If OptionsBuffer is NULL;
187 If OptionsLength is NULL;
188 If FragmentTable is NULL;
189 If FragmentCount is NULL.
190
191 **/
192 typedef
193 EFI_STATUS
194 (EFIAPI *EFI_IPSEC_PROCESSEXT) (
195 IN EFI_IPSEC2_PROTOCOL *This,
196 IN EFI_HANDLE NicHandle,
197 IN UINT8 IpVer,
198 IN OUT VOID *IpHead,
199 IN OUT UINT8 *LastHead,
200 IN OUT VOID **OptionsBuffer,
201 IN OUT UINT32 *OptionsLength,
202 IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable,
203 IN OUT UINT32 *FragmentCount,
204 IN EFI_IPSEC_TRAFFIC_DIR TrafficDirection,
205 OUT EFI_EVENT *RecycleSignal
206 );
207
208 ///
209 /// EFI_IPSEC2_PROTOCOL
210 /// supports the Option (extension header) processing in IPsec which doesn't support
211 /// in EFI_IPSEC_PROTOCOL. It is also recommended to use EFI_IPSEC2_PROTOCOL instead
212 /// of EFI_IPSEC_PROTOCOL especially for IPsec Tunnel Mode.
213 /// provides the ability for securing IP communications by authenticating and/or
214 /// encrypting each IP packet in a data stream.
215 ///
216 struct _EFI_IPSEC2_PROTOCOL {
217 EFI_IPSEC_PROCESSEXT ProcessExt;
218 EFI_EVENT DisabledEvent;
219 BOOLEAN DisabledFlag;
220 };
221
222 extern EFI_GUID gEfiIpSecProtocolGuid;
223 extern EFI_GUID gEfiIpSec2ProtocolGuid;
224 #endif
EFI Development Kit II mirror for PVE