2 The definitions related to IPsec protocol implementation.
4 Copyright (c) 2009 - 2010, Intel Corporation. All rights reserved.<BR>
6 This program and the accompanying materials
7 are licensed and made available under the terms and conditions of the BSD License
8 which accompanies this distribution. The full text of the license may be found at
9 http://opensource.org/licenses/bsd-license.php.
11 THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
12 WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
16 #ifndef _IP_SEC_IMPL_H_
17 #define _IP_SEC_IMPL_H_
20 #include <Library/UefiLib.h>
21 #include <Library/NetLib.h>
22 #include <Library/BaseMemoryLib.h>
23 #include <Library/UefiBootServicesTableLib.h>
24 #include <Library/MemoryAllocationLib.h>
25 #include <Protocol/IpSec.h>
26 #include <Protocol/IpSecConfig.h>
27 #include <Protocol/Dpc.h>
28 #include <Protocol/ComponentName.h>
29 #include <Protocol/ComponentName2.h>
//
// Forward declarations; the struct bodies appear later in this header.
//
typedef struct _IPSEC_PRIVATE_DATA IPSEC_PRIVATE_DATA;
typedef struct _IPSEC_SPD_ENTRY IPSEC_SPD_ENTRY;
typedef struct _IPSEC_PAD_ENTRY IPSEC_PAD_ENTRY;
typedef struct _IPSEC_SPD_DATA IPSEC_SPD_DATA;

//
// Signature kept in IPSEC_PRIVATE_DATA so that CR () can validate the
// container (in DEBUG builds) when recovering the private data from one of
// its embedded protocol instances or list heads.
//
#define IPSEC_PRIVATE_DATA_SIGNATURE SIGNATURE_32 ('I', 'P', 'S', 'E')

#define IPSEC_PRIVATE_DATA_FROM_IPSEC(a) CR (a, IPSEC_PRIVATE_DATA, IpSec, IPSEC_PRIVATE_DATA_SIGNATURE)
#define IPSEC_PRIVATE_DATA_FROM_UDP4LIST(a) CR (a, IPSEC_PRIVATE_DATA, Udp4List, IPSEC_PRIVATE_DATA_SIGNATURE)
#define IPSEC_PRIVATE_DATA_FROM_UDP6LIST(a) CR (a, IPSEC_PRIVATE_DATA, Udp6List, IPSEC_PRIVATE_DATA_SIGNATURE)
//
// Container-of helpers for list nodes. BASE_CR carries no signature check,
// so callers must only pass LIST_ENTRY nodes taken from the matching list.
//
#define IPSEC_UDP_SERVICE_FROM_LIST(a) BASE_CR (a, IKE_UDP_SERVICE, List)
#define IPSEC_SPD_ENTRY_FROM_LIST(a) BASE_CR (a, IPSEC_SPD_ENTRY, List)
#define IPSEC_SAD_ENTRY_FROM_LIST(a) BASE_CR (a, IPSEC_SAD_ENTRY, List)
#define IPSEC_PAD_ENTRY_FROM_LIST(a) BASE_CR (a, IPSEC_PAD_ENTRY, List)
#define IPSEC_SAD_ENTRY_FROM_SPD(a) BASE_CR (a, IPSEC_SAD_ENTRY, BySpd)

//
// IPsec enable/disable status values.
//
#define IPSEC_STATUS_DISABLED 0
#define IPSEC_STATUS_ENABLED 1
//
// IANA IP protocol numbers: ESP is 50 (RFC 4303), AH is 51 (RFC 4302).
//
#define IPSEC_ESP_PROTOCOL 50
#define IPSEC_AH_PROTOCOL 51
//
// Default size (256 bytes); what it sizes is not visible in this header.
//
#define IPSEC_DEFAULT_VARIABLE_SIZE 0x100
54 // Internal Structure Definition
57 typedef struct _EFI_AH_HEADER
{
62 UINT32 SequenceNumber
;
65 typedef struct _EFI_ESP_HEADER
{
67 UINT32 SequenceNumber
;
70 typedef struct _EFI_ESP_TAIL
{
76 struct _IPSEC_SPD_DATA
{
79 EFI_IPSEC_ACTION Action
;
80 EFI_IPSEC_PROCESS_POLICY
*ProcessingPolicy
;
84 struct _IPSEC_SPD_ENTRY
{
85 EFI_IPSEC_SPD_SELECTOR
*Selector
;
90 typedef struct _IPSEC_SAD_DATA
{
92 UINT64 SequenceNumber
;
93 UINT8 AntiReplayWindowSize
;
94 UINT64 AntiReplayBitmap
[4]; // bitmap for received packet
95 EFI_IPSEC_ALGO_INFO AlgoInfo
;
96 EFI_IPSEC_SA_LIFETIME SaLifetime
;
98 IPSEC_SPD_ENTRY
*SpdEntry
;
99 BOOLEAN ESNEnabled
; // Extended (64-bit) SN enabled
103 typedef struct _IPSEC_SAD_ENTRY
{
105 IPSEC_SAD_DATA
*Data
;
107 LIST_ENTRY BySpd
; // Linked on IPSEC_SPD_DATA.Sas
110 struct _IPSEC_PAD_ENTRY
{
111 EFI_IPSEC_PAD_ID
*Id
;
112 EFI_IPSEC_PAD_DATA
*Data
;
116 typedef struct _IPSEC_RECYCLE_CONTEXT
{
117 EFI_IPSEC_FRAGMENT_DATA
*FragmentTable
;
118 UINT8
*PayloadBuffer
;
119 } IPSEC_RECYCLE_CONTEXT
;
121 struct _IPSEC_PRIVATE_DATA
{
123 EFI_HANDLE Handle
; // Virtual handle on which the private protocol is installed
124 EFI_HANDLE ImageHandle
;
125 EFI_IPSEC_PROTOCOL IpSec
;
126 EFI_IPSEC_CONFIG_PROTOCOL IpSecConfig
;
132 LIST_ENTRY Ikev1SessionList
;
133 LIST_ENTRY Ikev1EstablishedList
;
134 LIST_ENTRY Ikev2SessionList
;
135 LIST_ENTRY Ikev2EstablishedList
;
136 BOOLEAN IsIPsecDisabling
;
140 This function processes the inbound traffic with IPsec.
142 It checks the received packet's security properties, trims the ESP/AH header, and then
143 returns the IP header and FragmentTable without IPsec protection.
145 @param[in] IpVersion The version of IP.
146 @param[in, out] IpHead Points to IP header containing the ESP/AH header
147 to be trimmed on input, and without ESP/AH header
149 @param[in] LastHead The Last Header in IP header on return.
150 @param[in] OptionsBuffer Pointer to the options buffer. It is optional.
151 @param[in] OptionsLength Length of the options buffer. It is optional.
152 @param[in, out] FragmentTable Pointer to a list of fragments in the form of IPsec
153 protected on input, and without IPsec protected
155 @param[in] FragmentCount Number of fragments.
156 @param[out] SpdEntry Pointer to contain the address of SPD entry on return.
157 @param[out] RecycleEvent Event for recycling of resources.
159 @retval EFI_SUCCESS The operation is successful.
160 @retval EFI_UNSUPPORTED If the IPSEC protocol is not supported.
164 IpSecProtectInboundPacket (
168 IN VOID
*OptionsBuffer
, OPTIONAL
169 IN UINT32 OptionsLength
, OPTIONAL
170 IN OUT EFI_IPSEC_FRAGMENT_DATA
**FragmentTable
,
171 IN UINT32
*FragmentCount
,
172 OUT IPSEC_SPD_ENTRY
**SpdEntry
,
173 OUT EFI_EVENT
*RecycleEvent
178 This function processes the output traffic with IPsec.
180 It protects the outgoing packet by encrypting its payload and inserting the ESP/AH header
181 into the original IP header, then returns the IpHeader and the IPsec-protected FragmentTable.
183 @param[in] IpVersion The version of IP.
184 @param[in, out] IpHead Points to the IP header containing the original IP header
185 to be processed on input, and inserted ESP/AH header
187 @param[in] LastHead The Last Header in IP header.
188 @param[in] OptionsBuffer Pointer to the options buffer. It is optional.
189 @param[in] OptionsLength Length of the options buffer. It is optional.
190 @param[in, out] FragmentTable Pointer to a list of fragments to be protected by
191 IPsec on input, and with IPsec protected
193 @param[in] FragmentCount Number of fragments.
194 @param[in] SadEntry Related SAD entry.
195 @param[out] RecycleEvent Event for recycling of resources.
197 @retval EFI_SUCCESS The operation is successful.
198 @retval EFI_UNSUPPORTED If the IPSEC protocol is not supported.
202 IpSecProtectOutboundPacket (
206 IN VOID
*OptionsBuffer
, OPTIONAL
207 IN UINT32 OptionsLength
, OPTIONAL
208 IN OUT EFI_IPSEC_FRAGMENT_DATA
**FragmentTable
,
209 IN UINT32
*FragmentCount
,
210 IN IPSEC_SAD_ENTRY
*SadEntry
,
211 OUT EFI_EVENT
*RecycleEvent
215 Check if the IP Address is in the address range of the specified AddressInfos.
217 @param[in] IpVersion The IP version.
218 @param[in] IpAddr Points to the EFI_IP_ADDRESS to be checked.
219 @param[in] AddressInfo A list of EFI_IP_ADDRESS_INFO used to check
220 whether the IP Address matches.
221 @param[in] AddressCount The total number of entries in AddressInfo.
223 @retval TRUE If the Specified IP Address is in the range of the AddressInfos specified.
224 @retval FALSE If the Specified IP Address is not in the range of the AddressInfos specified.
228 IpSecMatchIpAddress (
230 IN EFI_IP_ADDRESS
*IpAddr
,
231 IN EFI_IP_ADDRESS_INFO
*AddressInfo
,
232 IN UINT32 AddressCount
236 Find a PAD entry according to remote IP address.
238 @param[in] IpVersion The version of IP.
239 @param[in] IpAddr Points to the remote IP address.
241 @return The pointer of related PAD entry.
245 IpSecLookupPadEntry (
247 IN EFI_IP_ADDRESS
*IpAddr
251 Find the SAD entry by searching the whole SAD list.
253 @param[in] Spi The SPI used to search the SAD entry.
254 @param[in] DestAddress The destination used to search the SAD entry.
256 @return The pointer to a certain SAD entry.
260 IpSecLookupSadBySpi (
262 IN EFI_IP_ADDRESS
*DestAddress
267 Handles IPsec packet processing for inbound and outbound IP packets.
269 The EFI_IPSEC_PROCESS process routine handles each inbound or outbound packet.
270 The behavior is that it can perform one of the following actions:
271 bypass the packet, discard the packet, or protect the packet.
273 @param[in] This Pointer to the EFI_IPSEC_PROTOCOL instance.
274 @param[in] NicHandle Instance of the network interface.
275 @param[in] IpVersion IPV4 or IPV6.
276 @param[in, out] IpHead Pointer to the IP Header.
277 @param[in] LastHead The protocol of the next layer to be processed by IPsec.
278 @param[in] OptionsBuffer Pointer to the options buffer.
279 @param[in] OptionsLength Length of the options buffer.
280 @param[in, out] FragmentTable Pointer to a list of fragments.
281 @param[in] FragmentCount Number of fragments.
282 @param[in] TrafficDirection Traffic direction.
283 @param[out] RecycleSignal Event for recycling of resources.
285 @retval EFI_SUCCESS The packet was bypassed and all buffers remain the same.
286 @retval EFI_SUCCESS The packet was protected.
287 @retval EFI_ACCESS_DENIED The packet was discarded.
293 IN EFI_IPSEC_PROTOCOL
*This
,
294 IN EFI_HANDLE NicHandle
,
298 IN VOID
*OptionsBuffer
,
299 IN UINT32 OptionsLength
,
300 IN OUT EFI_IPSEC_FRAGMENT_DATA
**FragmentTable
,
301 IN UINT32
*FragmentCount
,
302 IN EFI_IPSEC_TRAFFIC_DIR TrafficDirection
,
303 OUT EFI_EVENT
*RecycleSignal
//
// Module-scope objects shared by the driver's translation units; each is
// declared here and defined elsewhere in the driver.
//
extern EFI_DPC_PROTOCOL *mDpc;
extern EFI_IPSEC_PROTOCOL mIpSecInstance;

extern EFI_COMPONENT_NAME2_PROTOCOL gIpSecComponentName2;
extern EFI_COMPONENT_NAME_PROTOCOL gIpSecComponentName;