1 /** @file
2 The definitions related to IPsec protocol implementation.
3
4 Copyright (c) 2009 - 2010, Intel Corporation. All rights reserved.<BR>
5
6 This program and the accompanying materials
7 are licensed and made available under the terms and conditions of the BSD License
8 which accompanies this distribution. The full text of the license may be found at
9 http://opensource.org/licenses/bsd-license.php.
10
11 THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
12 WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
13
14 **/
15
16 #ifndef _IP_SEC_IMPL_H_
17 #define _IP_SEC_IMPL_H_
18
19 #include <Uefi.h>
20 #include <Library/UefiLib.h>
21 #include <Library/NetLib.h>
22 #include <Library/BaseMemoryLib.h>
23 #include <Library/UefiBootServicesTableLib.h>
24 #include <Library/MemoryAllocationLib.h>
25 #include <Protocol/IpSec.h>
26 #include <Protocol/IpSecConfig.h>
27 #include <Protocol/Dpc.h>
28 #include <Protocol/ComponentName.h>
29 #include <Protocol/ComponentName2.h>
30
//
// Forward declarations so the typedef names can be used in the structures and
// prototypes below before the full definitions appear.
//
typedef struct _IPSEC_PRIVATE_DATA IPSEC_PRIVATE_DATA;
typedef struct _IPSEC_SPD_ENTRY    IPSEC_SPD_ENTRY;
typedef struct _IPSEC_PAD_ENTRY    IPSEC_PAD_ENTRY;
typedef struct _IPSEC_SPD_DATA     IPSEC_SPD_DATA;
35
//
// Signature stored in IPSEC_PRIVATE_DATA.Signature and checked by the CR()
// based accessors below.
//
#define IPSEC_PRIVATE_DATA_SIGNATURE SIGNATURE_32 ('I', 'P', 'S', 'E')

//
// Containing-record accessors.
//
// The IPSEC_PRIVATE_DATA ones use CR(), which carries the signature: in DEBUG
// builds EDK2's CR() asserts when the signature does not match, so a stray
// pointer is caught early. The list-entry ones use BASE_CR(), which performs
// no validation at all, so the LIST_ENTRY handed in must really be the named
// field of the named record type.
//
#define IPSEC_PRIVATE_DATA_FROM_IPSEC(a)    CR (a, IPSEC_PRIVATE_DATA, IpSec, IPSEC_PRIVATE_DATA_SIGNATURE)
#define IPSEC_PRIVATE_DATA_FROM_UDP4LIST(a) CR (a, IPSEC_PRIVATE_DATA, Udp4List, IPSEC_PRIVATE_DATA_SIGNATURE)
#define IPSEC_PRIVATE_DATA_FROM_UDP6LIST(a) CR (a, IPSEC_PRIVATE_DATA, Udp6List, IPSEC_PRIVATE_DATA_SIGNATURE)
#define IPSEC_UDP_SERVICE_FROM_LIST(a)      BASE_CR (a, IKE_UDP_SERVICE, List)
#define IPSEC_SPD_ENTRY_FROM_LIST(a)        BASE_CR (a, IPSEC_SPD_ENTRY, List)
#define IPSEC_SAD_ENTRY_FROM_LIST(a)        BASE_CR (a, IPSEC_SAD_ENTRY, List)
#define IPSEC_PAD_ENTRY_FROM_LIST(a)        BASE_CR (a, IPSEC_PAD_ENTRY, List)
#define IPSEC_SAD_ENTRY_FROM_SPD(a)         BASE_CR (a, IPSEC_SAD_ENTRY, BySpd)

//
// IPsec enable state values.
//
#define IPSEC_STATUS_DISABLED        0
#define IPSEC_STATUS_ENABLED         1
//
// IANA IP protocol numbers for ESP (RFC 4303) and AH (RFC 4302); these are the
// values carried in the IPv4 Protocol / IPv6 Next Header field.
//
#define IPSEC_ESP_PROTOCOL           50
#define IPSEC_AH_PROTOCOL            51
//
// NOTE(review): presumably the initial buffer size used when reading IPsec
// configuration variables; confirm against the users of this macro.
//
#define IPSEC_DEFAULT_VARIABLE_SIZE  0x100
52
53 //
54 // Internal Structure Definition
55 //
//
// On-the-wire AH and ESP headers (RFC 4302 / RFC 4303). They are byte-packed
// so they can be overlaid directly on packet memory. Multi-byte fields are in
// network byte order on the wire, so code reading Spi or SequenceNumber
// through these structures must byte-swap before using the values.
//
#pragma pack(1)
typedef struct _EFI_AH_HEADER {
  UINT8   NextHeader;      // Protocol number of the header following AH.
  UINT8   PayloadLen;      // AH length in 32-bit words minus 2 (RFC 4302 2.2).
  UINT16  Reserved;        // Must be zero on the wire.
  UINT32  Spi;             // Security Parameters Index selecting the SA.
  UINT32  SequenceNumber;  // Anti-replay sequence number; with ESN only the low 32 bits are transmitted.
} EFI_AH_HEADER;

typedef struct _EFI_ESP_HEADER {
  UINT32  Spi;             // Security Parameters Index selecting the SA.
  UINT32  SequenceNumber;  // Anti-replay sequence number; with ESN only the low 32 bits are transmitted.
} EFI_ESP_HEADER;

//
// ESP trailer that follows the padding inside the encrypted payload.
// PaddingLength is taken from (decrypted) packet data, so a parser must check
// that it fits inside the payload actually received before trimming by it.
//
typedef struct _EFI_ESP_TAIL {
  UINT8   PaddingLength;   // Number of padding bytes that precede this trailer.
  UINT8   NextHeader;      // Protocol number of the protected payload.
} EFI_ESP_TAIL;
#pragma pack()
75
//
// Policy half of an SPD entry (the traffic selector lives in IPSEC_SPD_ENTRY).
//
struct _IPSEC_SPD_DATA {
  CHAR16                    Name[100];         // Fixed-size name buffer; whoever fills it must bound the copy to ARRAY_SIZE (Name) characters.
  UINT32                    PackageFlag;
  EFI_IPSEC_ACTION          Action;            // What to do with matching traffic (bypass, discard or protect).
  EFI_IPSEC_PROCESS_POLICY  *ProcessingPolicy; // Protection parameters for the "protect" action.
  LIST_ENTRY                Sas;               // Head of the list of IPSEC_SAD_ENTRY.BySpd links for SAs created under this policy.
};
83
//
// One Security Policy Database entry: the traffic selector plus the policy
// to apply. Chained through List; recover with IPSEC_SPD_ENTRY_FROM_LIST.
//
struct _IPSEC_SPD_ENTRY {
  EFI_IPSEC_SPD_SELECTOR  *Selector;  // Traffic selector this policy matches.
  IPSEC_SPD_DATA          *Data;      // Policy applied to matching traffic.
  LIST_ENTRY              List;       // Link in the SPD list.
};
89
//
// Per-SA state held by a Security Association Database entry.
//
typedef struct _IPSEC_SAD_DATA {
  EFI_IPSEC_MODE          Mode;                  // Transport or tunnel mode.
  UINT64                  SequenceNumber;        // Sequence number state of this SA; 64 bits so ESN fits.
  UINT8                   AntiReplayWindowSize;  // Anti-replay window in packets. AntiReplayBitmap holds 4 * 64 = 256 bits,
                                                 // so this must never exceed 256; the type does not enforce that bound —
                                                 // NOTE(review): confirm it is checked where the SA is created.
  UINT64                  AntiReplayBitmap[4];   // bitmap for received packet
  EFI_IPSEC_ALGO_INFO     AlgoInfo;              // Algorithm ids and (in the UEFI definition) key pointers; key material — clear on SA teardown.
  EFI_IPSEC_SA_LIFETIME   SaLifetime;            // Lifetime after which the SA is to be retired.
  UINT32                  PathMTU;
  IPSEC_SPD_ENTRY         *SpdEntry;             // SPD entry this SA was created for.
  EFI_IPSEC_SPD_SELECTOR  *SpdSelector;
  BOOLEAN                 ESNEnabled;            // Extended (64-bit) SN enabled
  BOOLEAN                 ManualSet;             // NOTE(review): presumably TRUE for manually keyed SAs rather than IKE-negotiated ones — confirm.
  EFI_IP_ADDRESS          TunnelDestAddress;     // Outer destination address for tunnel mode.
  EFI_IP_ADDRESS          TunnelSourceAddress;   // Outer source address for tunnel mode.
} IPSEC_SAD_DATA;
105
//
// One Security Association Database entry: the SA identifier plus its state.
// The entry is on two lists, so it can be reached either by walking all SAs
// (List) or from the SPD policy that owns it (BySpd).
//
typedef struct _IPSEC_SAD_ENTRY {
  EFI_IPSEC_SA_ID  *Id;     // SA identifier (SPI, protocol and destination in the UEFI definition).
  IPSEC_SAD_DATA   *Data;   // SA state, keys and anti-replay window.
  LIST_ENTRY       List;    // Link in the SAD list; recover with IPSEC_SAD_ENTRY_FROM_LIST.
  LIST_ENTRY       BySpd;   // Linked on IPSEC_SPD_DATA.Sas; recover with IPSEC_SAD_ENTRY_FROM_SPD.
} IPSEC_SAD_ENTRY;
112
//
// One Peer Authorization Database entry: which peers may negotiate SAs and
// how they are authenticated. Chained through List.
//
struct _IPSEC_PAD_ENTRY {
  EFI_IPSEC_PAD_ID    *Id;    // Peer identifier this entry applies to.
  EFI_IPSEC_PAD_DATA  *Data;  // Authentication parameters for the peer.
  LIST_ENTRY          List;   // Link in the PAD list; recover with IPSEC_PAD_ENTRY_FROM_LIST.
};
118
//
// Buffers allocated while processing a packet that are handed back to the
// caller and released later through the RecycleEvent returned by the packet
// processing routines below (NOTE(review): confirm in the event notify).
//
typedef struct _IPSEC_RECYCLE_CONTEXT {
  EFI_IPSEC_FRAGMENT_DATA  *FragmentTable;  // Fragment table allocated for the processed packet.
  UINT8                    *PayloadBuffer;  // Payload buffer allocated for the processed packet.
} IPSEC_RECYCLE_CONTEXT;
123
//
// Driver-wide private data. The protocol instances are embedded, so the
// IPSEC_PRIVATE_DATA_FROM_* macros recover this record from a protocol or
// list pointer and validate Signature on the way.
//
struct _IPSEC_PRIVATE_DATA {
  UINT32                     Signature;             // Must hold IPSEC_PRIVATE_DATA_SIGNATURE.
  EFI_HANDLE                 Handle;                // Virtual handle to install private protocol
  EFI_HANDLE                 ImageHandle;           // Image handle of this driver.
  EFI_IPSEC2_PROTOCOL        IpSec;                 // Published EFI_IPSEC2_PROTOCOL instance.
  EFI_IPSEC_CONFIG_PROTOCOL  IpSecConfig;           // Published EFI_IPSEC_CONFIG_PROTOCOL instance.
  BOOLEAN                    SetBySelf;             // NOTE(review): presumably marks configuration writes issued by the driver itself — confirm.
  LIST_ENTRY                 Udp4List;              // IKE_UDP_SERVICE instances over UDP4; recover with IPSEC_UDP_SERVICE_FROM_LIST.
  UINTN                      Udp4Num;               // Number of entries on Udp4List.
  LIST_ENTRY                 Udp6List;              // IKE_UDP_SERVICE instances over UDP6.
  UINTN                      Udp6Num;               // Number of entries on Udp6List.
  LIST_ENTRY                 Ikev1SessionList;      // IKEv1 negotiations in progress.
  LIST_ENTRY                 Ikev1EstablishedList;  // Completed IKEv1 negotiations.
  LIST_ENTRY                 Ikev2SessionList;      // IKEv2 negotiations in progress.
  LIST_ENTRY                 Ikev2EstablishedList;  // Completed IKEv2 negotiations.
  BOOLEAN                    IsIPsecDisabling;      // TRUE while IPsec is being disabled.
};
141
/**
  This function processes the inbound traffic with IPsec.

  It checks the received packet security property, trims the ESP/AH header, and then
  returns without an IPsec protected IP Header and FragmentTable.

  NOTE(review): everything reachable through IpHead and FragmentTable arrives
  straight from the network, and this check is what stands between the wire and
  the upper layer. It should cover the ICV, the ESP trailer's PaddingLength
  against the bytes actually received, and the sequence number against the
  SA's anti-replay window (IPSEC_SAD_DATA.AntiReplayBitmap) — confirm in the
  implementation.

  @param[in]      IpVersion      The version of IP.
  @param[in, out] IpHead         Points to IP header containing the ESP/AH header
                                 to be trimmed on input, and without ESP/AH header
                                 on return.
  @param[out]     LastHead       The Last Header in IP header on return.
  @param[in, out] OptionsBuffer  Pointer to the options buffer. It is optional.
  @param[in, out] OptionsLength  Length of the options buffer. It is optional.
  @param[in, out] FragmentTable  Pointer to a list of fragments in the form of IPsec
                                 protected on input, and without IPsec protected
                                 on return.
  @param[in, out] FragmentCount  Number of fragments.
  @param[out]     SpdEntry       Pointer to contain the address of SPD entry on return.
  @param[out]     RecycleEvent   Event for recycling of resources.

  @retval EFI_SUCCESS            The operation is successful.
  @retval EFI_UNSUPPORTED        If the IPSEC protocol is not supported.

**/
EFI_STATUS
IpSecProtectInboundPacket (
  IN     UINT8                    IpVersion,
  IN OUT VOID                     *IpHead,
     OUT UINT8                    *LastHead,
  IN OUT VOID                     **OptionsBuffer, OPTIONAL
  IN OUT UINT32                   *OptionsLength,  OPTIONAL
  IN OUT EFI_IPSEC_FRAGMENT_DATA  **FragmentTable,
  IN OUT UINT32                   *FragmentCount,
     OUT IPSEC_SPD_ENTRY          **SpdEntry,
     OUT EFI_EVENT                *RecycleEvent
  );
178
179
/**
  This function processes the outbound traffic with IPsec.

  It protects the packet being sent by encrypting its payload and inserting the
  ESP/AH header after the original IP header, then returns the IpHeader and the
  IPsec protected FragmentTable.

  @param[in]      IpVersion      The version of IP.
  @param[in, out] IpHead         Points to IP header containing the original IP header
                                 to be processed on input, and inserted ESP/AH header
                                 on return.
  @param[in, out] LastHead       The Last Header in IP header.
  @param[in, out] OptionsBuffer  Pointer to the options buffer. It is optional.
  @param[in, out] OptionsLength  Length of the options buffer. It is optional.
  @param[in, out] FragmentTable  Pointer to a list of fragments to be protected by
                                 IPsec on input, and with IPsec protected
                                 on return.
  @param[in, out] FragmentCount  Number of fragments.
  @param[in]      SadEntry       Related SAD entry supplying the keys, mode and
                                 sequence number state used for protection.
  @param[out]     RecycleEvent   Event for recycling of resources.

  @retval EFI_SUCCESS            The operation is successful.
  @retval EFI_UNSUPPORTED        If the IPSEC protocol is not supported.

**/
EFI_STATUS
IpSecProtectOutboundPacket (
  IN     UINT8                    IpVersion,
  IN OUT VOID                     *IpHead,
  IN OUT UINT8                    *LastHead,
  IN OUT VOID                     **OptionsBuffer, OPTIONAL
  IN OUT UINT32                   *OptionsLength,  OPTIONAL
  IN OUT EFI_IPSEC_FRAGMENT_DATA  **FragmentTable,
  IN OUT UINT32                   *FragmentCount,
  IN     IPSEC_SAD_ENTRY          *SadEntry,
     OUT EFI_EVENT                *RecycleEvent
  );
216
/**
  Check whether the IP address is within the address ranges given by AddressInfo.

  @param[in]  IpVersion     The IP version.
  @param[in]  IpAddr        Points to the EFI_IP_ADDRESS to be checked.
  @param[in]  AddressInfo   A list of EFI_IP_ADDRESS_INFO that is used to check
                            whether the IP address matches.
  @param[in]  AddressCount  The number of entries in AddressInfo; the caller must
                            make sure it does not exceed what AddressInfo holds.

  @retval TRUE   If the specified IP address is in the range of the AddressInfo specified.
  @retval FALSE  If the specified IP address is not in the range of the AddressInfo specified.

**/
BOOLEAN
IpSecMatchIpAddress (
  IN UINT8                IpVersion,
  IN EFI_IP_ADDRESS       *IpAddr,
  IN EFI_IP_ADDRESS_INFO  *AddressInfo,
  IN UINT32               AddressCount
  );
237
/**
  Find a PAD entry according to the remote IP address.

  @param[in]  IpVersion  The version of IP.
  @param[in]  IpAddr     Points to the remote IP address.

  @return The pointer to the related PAD entry (NOTE(review): presumably NULL
          when no entry matches — confirm with the implementation before
          dereferencing the result without a check).

**/
IPSEC_PAD_ENTRY *
IpSecLookupPadEntry (
  IN UINT8           IpVersion,
  IN EFI_IP_ADDRESS  *IpAddr
  );
252
/**
  Find the SAD entry by searching the whole SAD list.

  Both Spi and DestAddress come from the inbound packet when this is used on
  the receive path, so the lookup must match on both rather than the SPI alone.

  @param[in]  Spi          The SPI used to search the SAD entry.
  @param[in]  DestAddress  The destination used to search the SAD entry.

  @return The pointer to the matching SAD entry (NOTE(review): presumably NULL
          when none matches — confirm with the implementation).

**/
IPSEC_SAD_ENTRY *
IpSecLookupSadBySpi (
  IN UINT32          Spi,
  IN EFI_IP_ADDRESS  *DestAddress
  )
;
268
/**
  Handles IPsec packet processing for inbound and outbound IP packets.

  The EFI_IPSEC_PROCESS process routine handles each inbound or outbound packet.
  The behavior is that it can perform one of the following actions:
  bypass the packet, discard the packet, or protect the packet.

  @param[in]      This              Pointer to the EFI_IPSEC2_PROTOCOL instance.
  @param[in]      NicHandle         Instance of the network interface.
  @param[in]      IpVersion         IPV4 or IPV6.
  @param[in, out] IpHead            Pointer to the IP Header.
  @param[in, out] LastHead          The protocol of the next layer to be processed by IPsec.
  @param[in, out] OptionsBuffer     Pointer to the options buffer.
  @param[in, out] OptionsLength     Length of the options buffer.
  @param[in, out] FragmentTable     Pointer to a list of fragments.
  @param[in, out] FragmentCount     Number of fragments.
  @param[in]      TrafficDirection  Traffic direction.
  @param[out]     RecycleSignal     Event for recycling of resources.

  @retval EFI_SUCCESS        The packet was bypassed and all buffers remain the same.
  @retval EFI_SUCCESS        The packet was protected.
  @retval EFI_ACCESS_DENIED  The packet was discarded.

**/
EFI_STATUS
EFIAPI
IpSecProcess (
  IN     EFI_IPSEC2_PROTOCOL      *This,
  IN     EFI_HANDLE               NicHandle,
  IN     UINT8                    IpVersion,
  IN OUT VOID                     *IpHead,
  IN OUT UINT8                    *LastHead,
  IN OUT VOID                     **OptionsBuffer,
  IN OUT UINT32                   *OptionsLength,
  IN OUT EFI_IPSEC_FRAGMENT_DATA  **FragmentTable,
  IN OUT UINT32                   *FragmentCount,
  IN     EFI_IPSEC_TRAFFIC_DIR    TrafficDirection,
     OUT EFI_EVENT                *RecycleSignal
  );
308
//
// Module-wide globals defined in the driver's .c files.
//
extern EFI_DPC_PROTOCOL             *mDpc;                // Deferred Procedure Call protocol used by the driver.
extern EFI_IPSEC2_PROTOCOL          mIpSecInstance;       // Template EFI_IPSEC2_PROTOCOL instance (Process = IpSecProcess).

extern EFI_COMPONENT_NAME2_PROTOCOL gIpSecComponentName2; // Driver name reporting (ComponentName2).
extern EFI_COMPONENT_NAME_PROTOCOL  gIpSecComponentName;  // Driver name reporting (legacy ComponentName).
314
315
316 #endif