1 /** @file
2 The definitions related to IPsec protocol implementation.
3
4 Copyright (c) 2009 - 2010, Intel Corporation. All rights reserved.<BR>
5
6 This program and the accompanying materials
7 are licensed and made available under the terms and conditions of the BSD License
8 which accompanies this distribution. The full text of the license may be found at
9 http://opensource.org/licenses/bsd-license.php.
10
11 THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
12 WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
13
14 **/
15
16 #ifndef _IP_SEC_IMPL_H_
17 #define _IP_SEC_IMPL_H_
18
19 #include <Uefi.h>
20 #include <Library/UefiLib.h>
21 #include <Library/NetLib.h>
22 #include <Library/BaseMemoryLib.h>
23 #include <Library/UefiBootServicesTableLib.h>
24 #include <Library/MemoryAllocationLib.h>
25 #include <Protocol/IpSec.h>
26 #include <Protocol/IpSecConfig.h>
27 #include <Protocol/Dpc.h>
28 #include <Protocol/ComponentName.h>
29 #include <Protocol/ComponentName2.h>
30
//
// Forward declarations: the structures below reference each other (SAD data
// points back at its SPD entry, SPD data owns a list of SAs), so the tags are
// introduced before any body is defined.
//
typedef struct _IPSEC_PRIVATE_DATA IPSEC_PRIVATE_DATA;
typedef struct _IPSEC_SPD_ENTRY IPSEC_SPD_ENTRY;
typedef struct _IPSEC_PAD_ENTRY IPSEC_PAD_ENTRY;
typedef struct _IPSEC_SPD_DATA IPSEC_SPD_DATA;

//
// Value stored in IPSEC_PRIVATE_DATA.Signature.  The CR ()-based macros below
// use it to confirm that a protocol pointer handed back by a caller really
// lives inside a private data block before the container is dereferenced.
//
#define IPSEC_PRIVATE_DATA_SIGNATURE SIGNATURE_32 ('I', 'P', 'S', 'E')

//
// Container-of helpers.  CR () checks Signature (DebugLib asserts on a
// mismatch in DEBUG builds); BASE_CR () performs no check, so the list-based
// macros rely on each list holding only entries of the named type.
//
#define IPSEC_PRIVATE_DATA_FROM_IPSEC(a) CR (a, IPSEC_PRIVATE_DATA, IpSec, IPSEC_PRIVATE_DATA_SIGNATURE)
#define IPSEC_PRIVATE_DATA_FROM_UDP4LIST(a) CR (a, IPSEC_PRIVATE_DATA, Udp4List, IPSEC_PRIVATE_DATA_SIGNATURE)
#define IPSEC_PRIVATE_DATA_FROM_UDP6LIST(a) CR (a, IPSEC_PRIVATE_DATA, Udp6List, IPSEC_PRIVATE_DATA_SIGNATURE)
#define IPSEC_UDP_SERVICE_FROM_LIST(a) BASE_CR (a, IKE_UDP_SERVICE, List)
#define IPSEC_SPD_ENTRY_FROM_LIST(a) BASE_CR (a, IPSEC_SPD_ENTRY, List)
#define IPSEC_SAD_ENTRY_FROM_LIST(a) BASE_CR (a, IPSEC_SAD_ENTRY, List)
#define IPSEC_PAD_ENTRY_FROM_LIST(a) BASE_CR (a, IPSEC_PAD_ENTRY, List)
#define IPSEC_SAD_ENTRY_FROM_SPD(a) BASE_CR (a, IPSEC_SAD_ENTRY, BySpd)

//
// IPsec enable/disable state values.
//
#define IPSEC_STATUS_DISABLED 0
#define IPSEC_STATUS_ENABLED 1
//
// IANA IP protocol numbers carried in the IP Next Header / Protocol field for
// ESP (50) and AH (51).
//
#define IPSEC_ESP_PROTOCOL 50
#define IPSEC_AH_PROTOCOL 51
//
// Default buffer size in bytes; presumably the initial allocation used when
// reading the IPsec configuration variable -- confirm against the caller.
//
#define IPSEC_DEFAULT_VARIABLE_SIZE 0x100
52
//
// Internal Structure Definition
//
// The wire-format headers below are packed (no alignment padding) so they can
// be overlaid directly on packet bytes.  NOTE(review): the layout gives no
// length guarantee -- code that casts a received buffer to one of these types
// must first check that the buffer holds at least sizeof the struct.
//
#pragma pack(1)
//
// Fixed part of the IP Authentication Header (AH, protocol 51).  Field names
// follow RFC 4302; the variable-length ICV that follows is not part of this
// struct.
//
typedef struct _EFI_AH_HEADER {
  UINT8   NextHeader;      // Protocol number of the header following the AH
  UINT8   PayloadLen;      // AH length per RFC 4302 (32-bit words minus 2); covers the ICV too
  UINT16  Reserved;        // Reserved; zero per RFC 4302
  UINT32  Spi;             // Security Parameters Index; network byte order on the wire
  UINT32  SequenceNumber;  // Low 32 bits of the SA sequence counter; see IPSEC_SAD_DATA.ESNEnabled
} EFI_AH_HEADER;
64
//
// Leading part of the Encapsulating Security Payload header (ESP, protocol
// 50).  The IV, payload, padding, EFI_ESP_TAIL and ICV follow on the wire.
//
typedef struct _EFI_ESP_HEADER {
  UINT32  Spi;             // Security Parameters Index; network byte order on the wire
  UINT32  SequenceNumber;  // Low 32 bits of the SA sequence counter; see IPSEC_SAD_DATA.ESNEnabled
} EFI_ESP_HEADER;
69
//
// ESP trailer that sits between the padding and the ICV.  It is inside the
// encrypted region, so it is only meaningful after decryption.
//
typedef struct _EFI_ESP_TAIL {
  UINT8   PaddingLength;   // Number of padding bytes preceding this trailer
  UINT8   NextHeader;      // Protocol number of the decrypted payload
} EFI_ESP_TAIL;
#pragma pack()
75
//
// Policy data attached to a Security Policy Database (SPD) entry.
//
struct _IPSEC_SPD_DATA {
  CHAR16                    Name[100];          // Policy name; fixed-size buffer, so writers must bound copies (including the NUL) to ARRAY_SIZE (Name)
  UINT32                    PackageFlag;        // NOTE(review): meaning not visible in this header -- confirm against the config code
  EFI_IPSEC_ACTION          Action;             // Bypass / discard / protect decision for matching traffic
  EFI_IPSEC_PROCESS_POLICY  *ProcessingPolicy;  // Protection parameters; presumably only used when Action selects protection -- verify
  LIST_ENTRY                Sas;                // Head of the list of IPSEC_SAD_ENTRY.BySpd links created under this policy
};
83
//
// One SPD entry: a traffic selector plus the policy applied to traffic that
// matches it.
//
struct _IPSEC_SPD_ENTRY {
  EFI_IPSEC_SPD_SELECTOR  *Selector;  // Traffic selector (addresses, protocol, ports) this entry matches
  IPSEC_SPD_DATA          *Data;      // Policy applied to matching traffic
  LIST_ENTRY              List;       // Link in the global SPD list (see IPSEC_SPD_ENTRY_FROM_LIST)
};
89
//
// Per-SA state for a Security Association Database (SAD) entry.
//
typedef struct _IPSEC_SAD_DATA {
  EFI_IPSEC_MODE        Mode;                  // Transport or tunnel mode
  UINT64                SequenceNumber;        // Sequence counter; 64 bits so it can hold an Extended Sequence Number when ESNEnabled
  UINT8                 AntiReplayWindowSize;  // Width of the replay window; UINT8 keeps it below the 256 bits available in AntiReplayBitmap
  UINT64                AntiReplayBitmap[4];   // bitmap for received packet (4 x 64 = 256 bits; presumably one bit per sequence number in the window -- verify against the replay check)
  EFI_IPSEC_ALGO_INFO   AlgoInfo;              // Authentication/encryption algorithm identifiers and keys
  EFI_IPSEC_SA_LIFETIME SaLifetime;            // Lifetime limits for this SA
  UINT32                PathMTU;               // Path MTU recorded for this SA
  IPSEC_SPD_ENTRY       *SpdEntry;             // Back pointer to the SPD entry this SA belongs to
  BOOLEAN               ESNEnabled;            // Extended (64-bit) SN enabled
  BOOLEAN               ManualSet;             // Presumably TRUE when the SA was configured manually rather than negotiated -- verify
} IPSEC_SAD_DATA;
102
//
// One SAD entry: the SA identifier (SPI, destination, protocol) plus its
// state.  An entry is linked on two lists at once.
//
typedef struct _IPSEC_SAD_ENTRY {
  EFI_IPSEC_SA_ID *Id;     // Identifier used by IpSecLookupSadBySpi
  IPSEC_SAD_DATA  *Data;   // SA state
  LIST_ENTRY      List;    // Link in the global SAD list (see IPSEC_SAD_ENTRY_FROM_LIST)
  LIST_ENTRY      BySpd;   // Linked on IPSEC_SPD_DATA.Sas
} IPSEC_SAD_ENTRY;
109
//
// One Peer Authorization Database (PAD) entry: peer identifier plus the
// authentication data used for that peer.
//
struct _IPSEC_PAD_ENTRY {
  EFI_IPSEC_PAD_ID    *Id;    // Peer identifier used by IpSecLookupPadEntry
  EFI_IPSEC_PAD_DATA  *Data;  // Peer authentication data
  LIST_ENTRY          List;   // Link in the global PAD list (see IPSEC_PAD_ENTRY_FROM_LIST)
};
115
//
// Buffers handed back with a RecycleEvent by the Protect*Packet routines;
// presumably released when that event is signaled -- verify in the event
// notify function.
//
typedef struct _IPSEC_RECYCLE_CONTEXT {
  EFI_IPSEC_FRAGMENT_DATA *FragmentTable;   // Fragment table allocated by the IPsec processing
  UINT8                   *PayloadBuffer;   // Payload buffer allocated by the IPsec processing
} IPSEC_RECYCLE_CONTEXT;
120
//
// Driver-wide private data.  Signature must stay the first field so the
// CR ()-based macros can validate it.
//
struct _IPSEC_PRIVATE_DATA {
  UINT32                    Signature;             // IPSEC_PRIVATE_DATA_SIGNATURE
  EFI_HANDLE                Handle;                // Virtual handle to install private protocol
  EFI_HANDLE                ImageHandle;           // Image handle of this driver
  EFI_IPSEC_PROTOCOL        IpSec;                 // Installed EFI_IPSEC_PROTOCOL instance (see IPSEC_PRIVATE_DATA_FROM_IPSEC)
  EFI_IPSEC_CONFIG_PROTOCOL IpSecConfig;           // Installed EFI_IPSEC_CONFIG_PROTOCOL instance
  BOOLEAN                   SetBySelf;             // NOTE(review): purpose not visible in this header -- confirm in the config code
  LIST_ENTRY                Udp4List;              // IKE_UDP_SERVICE list for IPv4 (see IPSEC_UDP_SERVICE_FROM_LIST)
  UINTN                     Udp4Num;               // Presumably the number of entries on Udp4List -- verify
  LIST_ENTRY                Udp6List;              // IKE_UDP_SERVICE list for IPv6
  UINTN                     Udp6Num;               // Presumably the number of entries on Udp6List -- verify
  LIST_ENTRY                Ikev1SessionList;      // IKEv1 sessions in progress
  LIST_ENTRY                Ikev1EstablishedList;  // IKEv1 sessions that completed
  LIST_ENTRY                Ikev2SessionList;      // IKEv2 sessions in progress
  LIST_ENTRY                Ikev2EstablishedList;  // IKEv2 sessions that completed
  BOOLEAN                   IsIPsecDisabling;      // Set while IPsec is being disabled
};
138
/**
  This function processes the inbound traffic with IPsec.

  It checks the received packet's security properties, trims the ESP/AH header, and then
  returns the IP header and FragmentTable with the IPsec protection removed.

  NOTE(review): LastHead is declared IN but is documented as delivered "on return";
  confirm whether the implementation writes through it and, if so, mark it IN OUT.
  NOTE(review): no @retval covers a packet that fails authentication, replay or
  SA lookup; document what is returned so IpSecProcess can map it to EFI_ACCESS_DENIED.

  @param[in]      IpVersion     The version of IP.
  @param[in, out] IpHead        Points to the IP header containing the ESP/AH header
                                to be trimmed on input, and without the ESP/AH header
                                on return.
  @param[in]      LastHead      The last header in the IP header on return.
  @param[in]      OptionsBuffer Pointer to the options buffer. It is optional.
  @param[in]      OptionsLength Length of the options buffer. It is optional.
  @param[in, out] FragmentTable Pointer to a list of fragments that are IPsec
                                protected on input, and without IPsec protection
                                on return.
  @param[in]      FragmentCount Number of fragments.
  @param[out]     SpdEntry      Pointer to receive the address of the SPD entry on return.
  @param[out]     RecycleEvent  Event for recycling of resources.

  @retval EFI_SUCCESS           The operation is successful.
  @retval EFI_UNSUPPORTED       If the IPSEC protocol is not supported.

**/
EFI_STATUS
IpSecProtectInboundPacket (
  IN     UINT8                     IpVersion,
  IN OUT VOID                      *IpHead,
  IN     UINT8                     *LastHead,
  IN     VOID                      *OptionsBuffer, OPTIONAL
  IN     UINT32                    OptionsLength, OPTIONAL
  IN OUT EFI_IPSEC_FRAGMENT_DATA   **FragmentTable,
  IN     UINT32                    *FragmentCount,
     OUT IPSEC_SPD_ENTRY           **SpdEntry,
     OUT EFI_EVENT                 *RecycleEvent
  );
175
176
/**
  This function processes the outbound traffic with IPsec.

  It protects the outgoing packet by encrypting its payload and inserting an ESP/AH header
  into the original IP header, then returns the IP header and the IPsec-protected FragmentTable.

  @param[in]      IpVersion     The version of IP.
  @param[in, out] IpHead        Points to the IP header containing the original IP header
                                to be processed on input, and with the ESP/AH header
                                inserted on return.
  @param[in]      LastHead      The last header in the IP header.
  @param[in]      OptionsBuffer Pointer to the options buffer. It is optional.
  @param[in]      OptionsLength Length of the options buffer. It is optional.
  @param[in, out] FragmentTable Pointer to a list of fragments to be protected by
                                IPsec on input, and IPsec protected on return.
  @param[in]      FragmentCount Number of fragments.
  @param[in]      SadEntry      Related SAD entry whose SA is used for protection.
  @param[out]     RecycleEvent  Event for recycling of resources.

  @retval EFI_SUCCESS           The operation is successful.
  @retval EFI_UNSUPPORTED       If the IPSEC protocol is not supported.

**/
EFI_STATUS
IpSecProtectOutboundPacket (
  IN     UINT8                     IpVersion,
  IN OUT VOID                      *IpHead,
  IN     UINT8                     *LastHead,
  IN     VOID                      *OptionsBuffer, OPTIONAL
  IN     UINT32                    OptionsLength, OPTIONAL
  IN OUT EFI_IPSEC_FRAGMENT_DATA   **FragmentTable,
  IN     UINT32                    *FragmentCount,
  IN     IPSEC_SAD_ENTRY           *SadEntry,
     OUT EFI_EVENT                 *RecycleEvent
  );
213
/**
  Check whether the IP address falls within any of the address ranges in AddressInfo.

  @param[in]  IpVersion     The IP version.
  @param[in]  IpAddr        Points to the EFI_IP_ADDRESS to be checked.
  @param[in]  AddressInfo   Array of EFI_IP_ADDRESS_INFO entries against which the
                            IP address is matched.
  @param[in]  AddressCount  Number of elements in AddressInfo.

  @retval TRUE   The specified IP address is within one of the AddressInfo ranges.
  @retval FALSE  The specified IP address is not within any of the AddressInfo ranges.

**/
BOOLEAN
IpSecMatchIpAddress (
  IN UINT8                  IpVersion,
  IN EFI_IP_ADDRESS         *IpAddr,
  IN EFI_IP_ADDRESS_INFO    *AddressInfo,
  IN UINT32                 AddressCount
  );
234
/**
  Find a PAD entry according to the remote IP address.

  @param[in]  IpVersion  The version of IP.
  @param[in]  IpAddr     Points to the remote IP address.

  @return The pointer to the related PAD entry, or presumably NULL when no
          entry matches -- verify against the implementation.

**/
IPSEC_PAD_ENTRY *
IpSecLookupPadEntry (
  IN UINT8            IpVersion,
  IN EFI_IP_ADDRESS   *IpAddr
  );
249
/**
  Find a SAD entry by searching the whole SAD list.

  NOTE(review): the byte order expected for Spi (host vs. network) is not stated
  here; callers that read it out of EFI_AH_HEADER / EFI_ESP_HEADER must agree
  with the implementation.

  @param[in]  Spi          The SPI used to search the SAD entry.
  @param[in]  DestAddress  The destination address used to search the SAD entry.

  @return The pointer to the matching SAD entry, or presumably NULL when none
          matches -- verify against the implementation.

**/
IPSEC_SAD_ENTRY *
IpSecLookupSadBySpi (
  IN UINT32           Spi,
  IN EFI_IP_ADDRESS   *DestAddress
  );
265
/**
  Handles IPsec packet processing for inbound and outbound IP packets.

  The EFI_IPSEC_PROCESS process routine handles each inbound or outbound packet.
  The behavior is that it can perform one of the following actions:
  bypass the packet, discard the packet, or protect the packet.

  @param[in]      This             Pointer to the EFI_IPSEC_PROTOCOL instance.
  @param[in]      NicHandle        Instance of the network interface.
  @param[in]      IpVersion        IPV4 or IPV6.
  @param[in, out] IpHead           Pointer to the IP Header.
  @param[in]      LastHead         The protocol of the next layer to be processed by IPsec.
  @param[in]      OptionsBuffer    Pointer to the options buffer.
  @param[in]      OptionsLength    Length of the options buffer.
  @param[in, out] FragmentTable    Pointer to a list of fragments.
  @param[in]      FragmentCount    Number of fragments.
  @param[in]      TrafficDirection Traffic direction.
  @param[out]     RecycleSignal    Event for recycling of resources; the caller signals
                                   it once the returned buffers are no longer needed.

  @retval EFI_SUCCESS           The packet was bypassed and all buffers remain the same.
  @retval EFI_SUCCESS           The packet was protected.
  @retval EFI_ACCESS_DENIED     The packet was discarded.

**/
EFI_STATUS
EFIAPI
IpSecProcess (
  IN     EFI_IPSEC_PROTOCOL        *This,
  IN     EFI_HANDLE                NicHandle,
  IN     UINT8                     IpVersion,
  IN OUT VOID                      *IpHead,
  IN     UINT8                     *LastHead,
  IN     VOID                      *OptionsBuffer,
  IN     UINT32                    OptionsLength,
  IN OUT EFI_IPSEC_FRAGMENT_DATA   **FragmentTable,
  IN     UINT32                    *FragmentCount,
  IN     EFI_IPSEC_TRAFFIC_DIR     TrafficDirection,
     OUT EFI_EVENT                 *RecycleSignal
  );
305
//
// Module-level globals defined elsewhere in the driver.
//
extern EFI_DPC_PROTOCOL             *mDpc;                  // Deferred Procedure Call protocol used by this driver
extern EFI_IPSEC_PROTOCOL           mIpSecInstance;         // EFI_IPSEC_PROTOCOL instance; presumably the template copied into IPSEC_PRIVATE_DATA.IpSec -- verify

extern EFI_COMPONENT_NAME2_PROTOCOL gIpSecComponentName2;  // Driver name protocol (UCS-2, language codes per RFC 4646)
extern EFI_COMPONENT_NAME_PROTOCOL  gIpSecComponentName;   // Legacy driver name protocol
311
312
313 #endif