2 The definitions related to IPsec protocol implementation.
4 Copyright (c) 2009 - 2010, Intel Corporation. All rights reserved.<BR>
6 This program and the accompanying materials
7 are licensed and made available under the terms and conditions of the BSD License
8 which accompanies this distribution. The full text of the license may be found at
9 http://opensource.org/licenses/bsd-license.php.
11 THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
12 WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
16 #ifndef _IP_SEC_IMPL_H_
17 #define _IP_SEC_IMPL_H_
20 #include <Library/UefiLib.h>
21 #include <Library/NetLib.h>
22 #include <Library/BaseMemoryLib.h>
23 #include <Library/UefiBootServicesTableLib.h>
24 #include <Library/MemoryAllocationLib.h>
25 #include <Protocol/IpSec.h>
26 #include <Protocol/IpSecConfig.h>
27 #include <Protocol/Dpc.h>
28 #include <Protocol/ComponentName.h>
29 #include <Protocol/ComponentName2.h>
//
// Forward declarations so the CR()/BASE_CR() container macros and the
// prototypes below can name these types before their full definitions.
//
31 typedef struct _IPSEC_PRIVATE_DATA IPSEC_PRIVATE_DATA
;
32 typedef struct _IPSEC_SPD_ENTRY IPSEC_SPD_ENTRY
;
33 typedef struct _IPSEC_PAD_ENTRY IPSEC_PAD_ENTRY
;
34 typedef struct _IPSEC_SPD_DATA IPSEC_SPD_DATA
;
//
// Signature stored in IPSEC_PRIVATE_DATA; CR() verifies it when recovering the
// private data from an embedded protocol/list field, so a bad container pointer
// is caught instead of silently reinterpreted.
//
36 #define IPSEC_PRIVATE_DATA_SIGNATURE SIGNATURE_32 ('I', 'P', 'S', 'E')
//
// Container-of helpers: recover the enclosing structure from a pointer to one
// of its members. The IPSEC_PRIVATE_DATA variants check the signature above;
// the BASE_CR variants do not.
//
38 #define IPSEC_PRIVATE_DATA_FROM_IPSEC(a) CR (a, IPSEC_PRIVATE_DATA, IpSec, IPSEC_PRIVATE_DATA_SIGNATURE)
39 #define IPSEC_PRIVATE_DATA_FROM_UDP4LIST(a) CR (a, IPSEC_PRIVATE_DATA, Udp4List, IPSEC_PRIVATE_DATA_SIGNATURE)
40 #define IPSEC_PRIVATE_DATA_FROM_UDP6LIST(a) CR (a, IPSEC_PRIVATE_DATA, Udp6List, IPSEC_PRIVATE_DATA_SIGNATURE)
41 #define IPSEC_UDP_SERVICE_FROM_LIST(a) BASE_CR (a, IKE_UDP_SERVICE, List)
42 #define IPSEC_SPD_ENTRY_FROM_LIST(a) BASE_CR (a, IPSEC_SPD_ENTRY, List)
43 #define IPSEC_SAD_ENTRY_FROM_LIST(a) BASE_CR (a, IPSEC_SAD_ENTRY, List)
44 #define IPSEC_PAD_ENTRY_FROM_LIST(a) BASE_CR (a, IPSEC_PAD_ENTRY, List)
45 #define IPSEC_SAD_ENTRY_FROM_SPD(a) BASE_CR (a, IPSEC_SAD_ENTRY, BySpd)
//
// IPsec enable state values.
//
47 #define IPSEC_STATUS_DISABLED 0
48 #define IPSEC_STATUS_ENABLED 1
//
// IANA IP protocol numbers for ESP (RFC 4303) and AH (RFC 4302).
//
49 #define IPSEC_ESP_PROTOCOL 50
50 #define IPSEC_AH_PROTOCOL 51
//
// Default buffer size for variable reads; NOTE(review): the exact variable it
// applies to is not visible in this header - confirm against the users.
//
51 #define IPSEC_DEFAULT_VARIABLE_SIZE 0x100
54 // Internal Structure Definition
57 typedef struct _EFI_AH_HEADER
{
62 UINT32 SequenceNumber
;
65 typedef struct _EFI_ESP_HEADER
{
67 UINT32 SequenceNumber
;
70 typedef struct _EFI_ESP_TAIL
{
76 struct _IPSEC_SPD_DATA
{
79 EFI_IPSEC_ACTION Action
;
80 EFI_IPSEC_PROCESS_POLICY
*ProcessingPolicy
;
84 struct _IPSEC_SPD_ENTRY
{
85 EFI_IPSEC_SPD_SELECTOR
*Selector
;
90 typedef struct _IPSEC_SAD_DATA
{
92 UINT64 SequenceNumber
;
93 UINT8 AntiReplayWindowSize
;
94 UINT64 AntiReplayBitmap
[4]; // bitmap for received packet
95 EFI_IPSEC_ALGO_INFO AlgoInfo
;
96 EFI_IPSEC_SA_LIFETIME SaLifetime
;
98 IPSEC_SPD_ENTRY
*SpdEntry
;
99 EFI_IPSEC_SPD_SELECTOR
*SpdSelector
;
100 BOOLEAN ESNEnabled
; // Extended (64-bit) SN enabled
102 EFI_IP_ADDRESS TunnelDestAddress
;
103 EFI_IP_ADDRESS TunnelSourceAddress
;
106 typedef struct _IPSEC_SAD_ENTRY
{
108 IPSEC_SAD_DATA
*Data
;
110 LIST_ENTRY BySpd
; // Linked on IPSEC_SPD_DATA.Sas
113 struct _IPSEC_PAD_ENTRY
{
114 EFI_IPSEC_PAD_ID
*Id
;
115 EFI_IPSEC_PAD_DATA
*Data
;
119 typedef struct _IPSEC_RECYCLE_CONTEXT
{
120 EFI_IPSEC_FRAGMENT_DATA
*FragmentTable
;
121 UINT8
*PayloadBuffer
;
122 } IPSEC_RECYCLE_CONTEXT
;
124 struct _IPSEC_PRIVATE_DATA
{
126 EFI_HANDLE Handle
; // Virtual handle to install private prtocol
127 EFI_HANDLE ImageHandle
;
128 EFI_IPSEC2_PROTOCOL IpSec
;
129 EFI_IPSEC_CONFIG_PROTOCOL IpSecConfig
;
135 LIST_ENTRY Ikev1SessionList
;
136 LIST_ENTRY Ikev1EstablishedList
;
137 LIST_ENTRY Ikev2SessionList
;
138 LIST_ENTRY Ikev2EstablishedList
;
139 BOOLEAN IsIPsecDisabling
;
143 This function processes the inbound traffic with IPsec.
145 It checks the received packet's security properties, trims the ESP/AH header, and then
146 returns the IP header and FragmentTable without IPsec protection.
148 @param[in] IpVersion The version of IP.
149 @param[in, out] IpHead Points to the IP header containing the ESP/AH header
150 to be trimmed on input, and without the ESP/AH header
152 @param[out] LastHead The Last Header in IP header on return.
153 @param[in, out] OptionsBuffer Pointer to the options buffer. It is optional.
154 @param[in, out] OptionsLength Length of the options buffer. It is optional.
155 @param[in, out] FragmentTable Pointer to a list of fragments in the form of IPsec
156 protected on input, and without IPsec protected
158 @param[in, out] FragmentCount Number of fragments.
159 @param[out] SpdEntry Pointer to contain the address of SPD entry on return.
160 @param[out] RecycleEvent Event for recycling of resources.
162 @retval EFI_SUCCESS The operation is successful.
163 @retval EFI_UNSUPPORTED If the IPSEC protocol is not supported.
167 IpSecProtectInboundPacket (
171 IN OUT VOID
**OptionsBuffer
, OPTIONAL
172 IN OUT UINT32
*OptionsLength
, OPTIONAL
173 IN OUT EFI_IPSEC_FRAGMENT_DATA
**FragmentTable
,
174 IN OUT UINT32
*FragmentCount
,
175 OUT IPSEC_SPD_ENTRY
**SpdEntry
,
176 OUT EFI_EVENT
*RecycleEvent
181 This function processes the outbound traffic with IPsec.
183 It protects the outgoing packet by encrypting its payload and inserting an ESP/AH header
184 into the original IP header, then returns the IpHeader and the IPsec-protected FragmentTable.
186 @param[in] IpVersion The version of IP.
187 @param[in, out] IpHead Points to the IP header containing the original IP header
188 to be processed on input, and with the ESP/AH header inserted
190 @param[in, out] LastHead The Last Header in IP header.
191 @param[in, out] OptionsBuffer Pointer to the options buffer. It is optional.
192 @param[in, out] OptionsLength Length of the options buffer. It is optional.
193 @param[in, out] FragmentTable Pointer to a list of fragments to be protected by
194 IPsec on input, and with IPsec protected
196 @param[in, out] FragmentCount Number of fragments.
197 @param[in] SadEntry Related SAD entry.
198 @param[out] RecycleEvent Event for recycling of resources.
200 @retval EFI_SUCCESS The operation is successful.
201 @retval EFI_UNSUPPORTED If the IPSEC protocol is not supported.
205 IpSecProtectOutboundPacket (
208 IN OUT UINT8
*LastHead
,
209 IN OUT VOID
**OptionsBuffer
, OPTIONAL
210 IN OUT UINT32
*OptionsLength
, OPTIONAL
211 IN OUT EFI_IPSEC_FRAGMENT_DATA
**FragmentTable
,
212 IN OUT UINT32
*FragmentCount
,
213 IN IPSEC_SAD_ENTRY
*SadEntry
,
214 OUT EFI_EVENT
*RecycleEvent
218 Check whether the IP address is within the address ranges of the specified AddressInfos.
220 @param[in] IpVersion The IP version.
221 @param[in] IpAddr Points to the EFI_IP_ADDRESS to be checked.
222 @param[in] AddressInfo A list of EFI_IP_ADDRESS_INFO against which
223 the IP address is matched.
224 @param[in] AddressCount The total number of entries in AddressInfo.
226 @retval TRUE The specified IP address is in the range of the specified AddressInfos.
227 @retval FALSE The specified IP address is not in the range of the specified AddressInfos.
231 IpSecMatchIpAddress (
233 IN EFI_IP_ADDRESS
*IpAddr
,
234 IN EFI_IP_ADDRESS_INFO
*AddressInfo
,
235 IN UINT32 AddressCount
239 Find a PAD entry according to remote IP address.
241 @param[in] IpVersion The version of IP.
242 @param[in] IpAddr Points to the remote IP address.
244 @return The pointer to the related PAD entry.
248 IpSecLookupPadEntry (
250 IN EFI_IP_ADDRESS
*IpAddr
254 Find the SAD entry by searching the whole SAD list.
256 @param[in] Spi The SPI used to search the SAD entry.
257 @param[in] DestAddress The destination used to search the SAD entry.
259 @return The pointer to a certain SAD entry.
263 IpSecLookupSadBySpi (
265 IN EFI_IP_ADDRESS
*DestAddress
270 Handles IPsec packet processing for inbound and outbound IP packets.
272 The EFI_IPSEC_PROCESS process routine handles each inbound or outbound packet.
273 The behavior is that it can perform one of the following actions:
274 bypass the packet, discard the packet, or protect the packet.
276 @param[in] This Pointer to the EFI_IPSEC_PROTOCOL instance.
277 @param[in] NicHandle Instance of the network interface.
278 @param[in] IpVersion IPV4 or IPV6.
279 @param[in, out] IpHead Pointer to the IP Header.
280 @param[in, out] LastHead The protocol of the next layer to be processed by IPsec.
281 @param[in, out] OptionsBuffer Pointer to the options buffer.
282 @param[in, out] OptionsLength Length of the options buffer.
283 @param[in, out] FragmentTable Pointer to a list of fragments.
284 @param[in, out] FragmentCount Number of fragments.
285 @param[in] TrafficDirection Traffic direction.
286 @param[out] RecycleSignal Event for recycling of resources.
288 @retval EFI_SUCCESS The packet was bypassed and all buffers remain the same.
289 @retval EFI_SUCCESS The packet was protected.
290 @retval EFI_ACCESS_DENIED The packet was discarded.
296 IN EFI_IPSEC2_PROTOCOL
*This
,
297 IN EFI_HANDLE NicHandle
,
300 IN OUT UINT8
*LastHead
,
301 IN OUT VOID
**OptionsBuffer
,
302 IN OUT UINT32
*OptionsLength
,
303 IN OUT EFI_IPSEC_FRAGMENT_DATA
**FragmentTable
,
304 IN OUT UINT32
*FragmentCount
,
305 IN EFI_IPSEC_TRAFFIC_DIR TrafficDirection
,
306 OUT EFI_EVENT
*RecycleSignal
//
// Module-global instances shared across the IPsec driver's translation units.
// mDpc: the located EFI_DPC_PROTOCOL used for deferred processing.
// mIpSecInstance: the EFI_IPSEC2_PROTOCOL instance published by this driver.
// gIpSecComponentName / gIpSecComponentName2: driver name protocol instances.
//
309 extern EFI_DPC_PROTOCOL
*mDpc
;
310 extern EFI_IPSEC2_PROTOCOL mIpSecInstance
;
312 extern EFI_COMPONENT_NAME2_PROTOCOL gIpSecComponentName2
;
313 extern EFI_COMPONENT_NAME_PROTOCOL gIpSecComponentName
;