+++ /dev/null
-/** @file\r
- The definitions related to IPsec protocol implementation.\r
-\r
- Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>\r
-\r
- SPDX-License-Identifier: BSD-2-Clause-Patent\r
-\r
-**/\r
-\r
-#ifndef _IP_SEC_IMPL_H_\r
-#define _IP_SEC_IMPL_H_\r
-\r
-#include <Uefi.h>\r
-#include <Library/UefiLib.h>\r
-#include <Library/NetLib.h>\r
-#include <Library/BaseMemoryLib.h>\r
-#include <Library/UefiBootServicesTableLib.h>\r
-#include <Library/MemoryAllocationLib.h>\r
-#include <Protocol/IpSec.h>\r
-#include <Protocol/IpSecConfig.h>\r
-#include <Protocol/Dpc.h>\r
-#include <Protocol/ComponentName.h>\r
-#include <Protocol/ComponentName2.h>\r
-\r
-typedef struct _IPSEC_PRIVATE_DATA IPSEC_PRIVATE_DATA;\r
-typedef struct _IPSEC_SPD_ENTRY IPSEC_SPD_ENTRY;\r
-typedef struct _IPSEC_PAD_ENTRY IPSEC_PAD_ENTRY;\r
-typedef struct _IPSEC_SPD_DATA IPSEC_SPD_DATA;\r
-\r
-#define IPSEC_PRIVATE_DATA_SIGNATURE SIGNATURE_32 ('I', 'P', 'S', 'E')\r
-\r
-#define IPSEC_PRIVATE_DATA_FROM_IPSEC(a) CR (a, IPSEC_PRIVATE_DATA, IpSec, IPSEC_PRIVATE_DATA_SIGNATURE)\r
-#define IPSEC_PRIVATE_DATA_FROM_UDP4LIST(a) CR (a, IPSEC_PRIVATE_DATA, Udp4List, IPSEC_PRIVATE_DATA_SIGNATURE)\r
-#define IPSEC_PRIVATE_DATA_FROM_UDP6LIST(a) CR (a, IPSEC_PRIVATE_DATA, Udp6List, IPSEC_PRIVATE_DATA_SIGNATURE)\r
-#define IPSEC_UDP_SERVICE_FROM_LIST(a) BASE_CR (a, IKE_UDP_SERVICE, List)\r
-#define IPSEC_SPD_ENTRY_FROM_LIST(a) BASE_CR (a, IPSEC_SPD_ENTRY, List)\r
-#define IPSEC_SAD_ENTRY_FROM_LIST(a) BASE_CR (a, IPSEC_SAD_ENTRY, List)\r
-#define IPSEC_PAD_ENTRY_FROM_LIST(a) BASE_CR (a, IPSEC_PAD_ENTRY, List)\r
-#define IPSEC_SAD_ENTRY_FROM_SPD(a) BASE_CR (a, IPSEC_SAD_ENTRY, BySpd)\r
-\r
-#define IPSEC_STATUS_DISABLED 0\r
-#define IPSEC_STATUS_ENABLED 1\r
-#define IPSEC_ESP_PROTOCOL 50\r
-#define IPSEC_AH_PROTOCOL 51\r
-#define IPSEC_DEFAULT_VARIABLE_SIZE 0x100\r
-\r
-//\r
-// Internal Structure Definition\r
-//\r
-#pragma pack(1)\r
-typedef struct _EFI_AH_HEADER {\r
- UINT8 NextHeader;\r
- UINT8 PayloadLen;\r
- UINT16 Reserved;\r
- UINT32 Spi;\r
- UINT32 SequenceNumber;\r
-} EFI_AH_HEADER;\r
-\r
-typedef struct _EFI_ESP_HEADER {\r
- UINT32 Spi;\r
- UINT32 SequenceNumber;\r
-} EFI_ESP_HEADER;\r
-\r
-typedef struct _EFI_ESP_TAIL {\r
- UINT8 PaddingLength;\r
- UINT8 NextHeader;\r
-} EFI_ESP_TAIL;\r
-#pragma pack()\r
-\r
-struct _IPSEC_SPD_DATA {\r
- CHAR16 Name[100];\r
- UINT32 PackageFlag;\r
- EFI_IPSEC_TRAFFIC_DIR TrafficDirection;\r
- EFI_IPSEC_ACTION Action;\r
- EFI_IPSEC_PROCESS_POLICY *ProcessingPolicy;\r
- LIST_ENTRY Sas;\r
-};\r
-\r
-struct _IPSEC_SPD_ENTRY {\r
- EFI_IPSEC_SPD_SELECTOR *Selector;\r
- IPSEC_SPD_DATA *Data;\r
- LIST_ENTRY List;\r
-};\r
-\r
-typedef struct _IPSEC_SAD_DATA {\r
- EFI_IPSEC_MODE Mode;\r
- UINT64 SequenceNumber;\r
- UINT8 AntiReplayWindowSize;\r
- UINT64 AntiReplayBitmap[4]; // bitmap for received packet\r
- EFI_IPSEC_ALGO_INFO AlgoInfo;\r
- EFI_IPSEC_SA_LIFETIME SaLifetime;\r
- UINT32 PathMTU;\r
- IPSEC_SPD_ENTRY *SpdEntry;\r
- EFI_IPSEC_SPD_SELECTOR *SpdSelector;\r
- BOOLEAN ESNEnabled; // Extended (64-bit) SN enabled\r
- BOOLEAN ManualSet;\r
- EFI_IP_ADDRESS TunnelDestAddress;\r
- EFI_IP_ADDRESS TunnelSourceAddress;\r
-} IPSEC_SAD_DATA;\r
-\r
-typedef struct _IPSEC_SAD_ENTRY {\r
- EFI_IPSEC_SA_ID *Id;\r
- IPSEC_SAD_DATA *Data;\r
- LIST_ENTRY List;\r
- LIST_ENTRY BySpd; // Linked on IPSEC_SPD_DATA.Sas\r
-} IPSEC_SAD_ENTRY;\r
-\r
-struct _IPSEC_PAD_ENTRY {\r
- EFI_IPSEC_PAD_ID *Id;\r
- EFI_IPSEC_PAD_DATA *Data;\r
- LIST_ENTRY List;\r
-};\r
-\r
-typedef struct _IPSEC_RECYCLE_CONTEXT {\r
- EFI_IPSEC_FRAGMENT_DATA *FragmentTable;\r
- UINT8 *PayloadBuffer;\r
-} IPSEC_RECYCLE_CONTEXT;\r
-\r
-//\r
-// Struct used to store the Hash and its data.\r
-//\r
-typedef struct {\r
- UINTN DataSize;\r
- UINT8 *Data;\r
-} HASH_DATA_FRAGMENT;\r
-\r
-struct _IPSEC_PRIVATE_DATA {\r
- UINT32 Signature;\r
- EFI_HANDLE Handle; // Virtual handle to install private prtocol\r
- EFI_HANDLE ImageHandle;\r
- EFI_IPSEC2_PROTOCOL IpSec;\r
- EFI_IPSEC_CONFIG_PROTOCOL IpSecConfig;\r
- BOOLEAN SetBySelf;\r
- LIST_ENTRY Udp4List;\r
- UINTN Udp4Num;\r
- LIST_ENTRY Udp6List;\r
- UINTN Udp6Num;\r
- LIST_ENTRY Ikev1SessionList;\r
- LIST_ENTRY Ikev1EstablishedList;\r
- LIST_ENTRY Ikev2SessionList;\r
- LIST_ENTRY Ikev2EstablishedList;\r
- BOOLEAN IsIPsecDisabling;\r
-};\r
-\r
-/**\r
- This function processes the inbound traffic with IPsec.\r
-\r
- It checks the received packet security property, trims the ESP/AH header, and then\r
- returns without an IPsec protected IP Header and FragmentTable.\r
-\r
- @param[in] IpVersion The version of IP.\r
- @param[in, out] IpHead Points to IP header containing the ESP/AH header\r
- to be trimed on input, and without ESP/AH header\r
- on return.\r
- @param[in, out] LastHead The Last Header in IP header on return.\r
- @param[in, out] OptionsBuffer Pointer to the options buffer.\r
- @param[in, out] OptionsLength Length of the options buffer.\r
- @param[in, out] FragmentTable Pointer to a list of fragments in form of IPsec\r
- protected on input, and without IPsec protected\r
- on return.\r
- @param[in, out] FragmentCount The number of fragments.\r
- @param[out] SpdEntry Pointer to contain the address of SPD entry on return.\r
- @param[out] RecycleEvent The event for recycling of resources.\r
-\r
- @retval EFI_SUCCESS The operation was successful.\r
- @retval EFI_UNSUPPORTED The IPSEC protocol is not supported.\r
-\r
-**/\r
-EFI_STATUS\r
-IpSecProtectInboundPacket (\r
- IN UINT8 IpVersion,\r
- IN OUT VOID *IpHead,\r
- IN OUT UINT8 *LastHead,\r
- IN OUT VOID **OptionsBuffer,\r
- IN OUT UINT32 *OptionsLength,\r
- IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable,\r
- IN OUT UINT32 *FragmentCount,\r
- OUT EFI_IPSEC_SPD_SELECTOR **SpdEntry,\r
- OUT EFI_EVENT *RecycleEvent\r
- );\r
-\r
-\r
-/**\r
- This fucntion processes the output traffic with IPsec.\r
-\r
- It protected the sending packet by encrypting it payload and inserting ESP/AH header\r
- in the orginal IP header, then return the IpHeader and IPsec protected Fragmentable.\r
-\r
- @param[in] IpVersion The version of IP.\r
- @param[in, out] IpHead Point to IP header containing the orginal IP header\r
- to be processed on input, and inserted ESP/AH header\r
- on return.\r
- @param[in, out] LastHead The Last Header in IP header.\r
- @param[in, out] OptionsBuffer Pointer to the options buffer.\r
- @param[in, out] OptionsLength Length of the options buffer.\r
- @param[in, out] FragmentTable Pointer to a list of fragments to be protected by\r
- IPsec on input, and with IPsec protected\r
- on return.\r
- @param[in, out] FragmentCount Number of fragments.\r
- @param[in] SadEntry Related SAD entry.\r
- @param[out] RecycleEvent Event for recycling of resources.\r
-\r
- @retval EFI_SUCCESS The operation is successful.\r
- @retval EFI_UNSUPPORTED If the IPSEC protocol is not supported.\r
-\r
-**/\r
-EFI_STATUS\r
-IpSecProtectOutboundPacket (\r
- IN UINT8 IpVersion,\r
- IN OUT VOID *IpHead,\r
- IN OUT UINT8 *LastHead,\r
- IN OUT VOID **OptionsBuffer,\r
- IN OUT UINT32 *OptionsLength,\r
- IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable,\r
- IN OUT UINT32 *FragmentCount,\r
- IN IPSEC_SAD_ENTRY *SadEntry,\r
- OUT EFI_EVENT *RecycleEvent\r
- );\r
-\r
-/**\r
- Check if the IP Address in the address range of AddressInfos specified.\r
-\r
- @param[in] IpVersion The IP version.\r
- @param[in] IpAddr Points to EFI_IP_ADDRESS to be check.\r
- @param[in] AddressInfo A list of EFI_IP_ADDRESS_INFO that is used to check\r
- the IP Address is matched.\r
- @param[in] AddressCount The total numbers of the AddressInfo.\r
-\r
- @retval TRUE If the Specified IP Address is in the range of the AddressInfos specified.\r
- @retval FALSE If the Specified IP Address is not in the range of the AddressInfos specified.\r
-\r
-**/\r
-BOOLEAN\r
-IpSecMatchIpAddress (\r
- IN UINT8 IpVersion,\r
- IN EFI_IP_ADDRESS *IpAddr,\r
- IN EFI_IP_ADDRESS_INFO *AddressInfo,\r
- IN UINT32 AddressCount\r
- );\r
-\r
-/**\r
- Find a PAD entry according to remote IP address.\r
-\r
- @param[in] IpVersion The version of IP.\r
- @param[in] IpAddr Point to remote IP address.\r
-\r
- @return The pointer of related PAD entry.\r
-\r
-**/\r
-IPSEC_PAD_ENTRY *\r
-IpSecLookupPadEntry (\r
- IN UINT8 IpVersion,\r
- IN EFI_IP_ADDRESS *IpAddr\r
- );\r
-\r
-/**\r
- Check if the specified IP packet can be serviced by this SPD entry.\r
-\r
- @param[in] SpdEntry Point to SPD entry.\r
- @param[in] IpVersion Version of IP.\r
- @param[in] IpHead Point to IP header.\r
- @param[in] IpPayload Point to IP payload.\r
- @param[in] Protocol The Last protocol of IP packet.\r
- @param[in] IsOutbound Traffic direction.\r
- @param[out] Action The support action of SPD entry.\r
-\r
- @retval EFI_SUCCESS Find the related SPD.\r
- @retval EFI_NOT_FOUND Not find the related SPD entry;\r
-\r
-**/\r
-EFI_STATUS\r
-IpSecLookupSpdEntry (\r
- IN IPSEC_SPD_ENTRY *SpdEntry,\r
- IN UINT8 IpVersion,\r
- IN VOID *IpHead,\r
- IN UINT8 *IpPayload,\r
- IN UINT8 Protocol,\r
- IN BOOLEAN IsOutbound,\r
- OUT EFI_IPSEC_ACTION *Action\r
- );\r
-\r
-/**\r
- Look up if there is existing SAD entry for specified IP packet sending.\r
-\r
- This function is called by the IPsecProcess when there is some IP packet needed to\r
- send out. This function checks if there is an existing SAD entry that can be serviced\r
- to this IP packet sending. If no existing SAD entry could be used, this\r
- function will invoke an IPsec Key Exchange Negotiation.\r
-\r
- @param[in] Private Points to private data.\r
- @param[in] NicHandle Points to a NIC handle.\r
- @param[in] IpVersion The version of IP.\r
- @param[in] IpHead The IP Header of packet to be sent out.\r
- @param[in] IpPayload The IP Payload to be sent out.\r
- @param[in] OldLastHead The Last protocol of the IP packet.\r
- @param[in] SpdEntry Points to a related SPD entry.\r
- @param[out] SadEntry Contains the Point of a related SAD entry.\r
-\r
- @retval EFI_DEVICE_ERROR One of following conditions is TRUE:\r
- - If don't find related UDP service.\r
- - Sequence Number is used up.\r
- - Extension Sequence Number is used up.\r
- @retval EFI_NOT_READY No existing SAD entry could be used.\r
- @retval EFI_SUCCESS Find the related SAD entry.\r
-\r
-**/\r
-EFI_STATUS\r
-IpSecLookupSadEntry (\r
- IN IPSEC_PRIVATE_DATA *Private,\r
- IN EFI_HANDLE NicHandle,\r
- IN UINT8 IpVersion,\r
- IN VOID *IpHead,\r
- IN UINT8 *IpPayload,\r
- IN UINT8 OldLastHead,\r
- IN IPSEC_SPD_ENTRY *SpdEntry,\r
- OUT IPSEC_SAD_ENTRY **SadEntry\r
- );\r
-\r
-/**\r
- Find the SAD through whole SAD list.\r
-\r
- @param[in] Spi The SPI used to search the SAD entry.\r
- @param[in] DestAddress The destination used to search the SAD entry.\r
- @param[in] IpVersion The IP version. Ip4 or Ip6.\r
-\r
- @return The pointer to a certain SAD entry.\r
-\r
-**/\r
-IPSEC_SAD_ENTRY *\r
-IpSecLookupSadBySpi (\r
- IN UINT32 Spi,\r
- IN EFI_IP_ADDRESS *DestAddress,\r
- IN UINT8 IpVersion\r
- )\r
-;\r
-\r
-/**\r
- Handles IPsec packet processing for inbound and outbound IP packets.\r
-\r
- The EFI_IPSEC_PROCESS process routine handles each inbound or outbound packet.\r
- The behavior is that it can perform one of the following actions:\r
- bypass the packet, discard the packet, or protect the packet.\r
-\r
- @param[in] This Pointer to the EFI_IPSEC2_PROTOCOL instance.\r
- @param[in] NicHandle Instance of the network interface.\r
- @param[in] IpVersion IPV4 or IPV6.\r
- @param[in, out] IpHead Pointer to the IP Header.\r
- @param[in, out] LastHead The protocol of the next layer to be processed by IPsec.\r
- @param[in, out] OptionsBuffer Pointer to the options buffer.\r
- @param[in, out] OptionsLength Length of the options buffer.\r
- @param[in, out] FragmentTable Pointer to a list of fragments.\r
- @param[in, out] FragmentCount Number of fragments.\r
- @param[in] TrafficDirection Traffic direction.\r
- @param[out] RecycleSignal Event for recycling of resources.\r
-\r
- @retval EFI_SUCCESS The packet was bypassed and all buffers remain the same.\r
- @retval EFI_SUCCESS The packet was protected.\r
- @retval EFI_ACCESS_DENIED The packet was discarded.\r
-\r
-**/\r
-EFI_STATUS\r
-EFIAPI\r
-IpSecProcess (\r
- IN EFI_IPSEC2_PROTOCOL *This,\r
- IN EFI_HANDLE NicHandle,\r
- IN UINT8 IpVersion,\r
- IN OUT VOID *IpHead,\r
- IN OUT UINT8 *LastHead,\r
- IN OUT VOID **OptionsBuffer,\r
- IN OUT UINT32 *OptionsLength,\r
- IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable,\r
- IN OUT UINT32 *FragmentCount,\r
- IN EFI_IPSEC_TRAFFIC_DIR TrafficDirection,\r
- OUT EFI_EVENT *RecycleSignal\r
- );\r
-\r
-extern EFI_DPC_PROTOCOL *mDpc;\r
-extern EFI_IPSEC2_PROTOCOL mIpSecInstance;\r
-\r
-extern EFI_COMPONENT_NAME2_PROTOCOL gIpSecComponentName2;\r
-extern EFI_COMPONENT_NAME_PROTOCOL gIpSecComponentName;\r
-\r
-\r
-#endif\r