};\r
\r
typedef struct _IPSEC_SAD_DATA {\r
- EFI_IPSEC_MODE Mode;\r
- UINT64 SequenceNumber;\r
- UINT8 AntiReplayWindowSize;\r
- UINT64 AntiReplayBitmap[4]; // bitmap for received packet\r
- EFI_IPSEC_ALGO_INFO AlgoInfo;\r
- EFI_IPSEC_SA_LIFETIME SaLifetime;\r
- UINT32 PathMTU;\r
- IPSEC_SPD_ENTRY *SpdEntry;\r
- BOOLEAN ESNEnabled; // Extended (64-bit) SN enabled\r
- BOOLEAN ManualSet;\r
+ EFI_IPSEC_MODE Mode;\r
+ UINT64 SequenceNumber;\r
+ UINT8 AntiReplayWindowSize;\r
+ UINT64 AntiReplayBitmap[4]; // bitmap for received packet\r
+ EFI_IPSEC_ALGO_INFO AlgoInfo;\r
+ EFI_IPSEC_SA_LIFETIME SaLifetime;\r
+ UINT32 PathMTU;\r
+ IPSEC_SPD_ENTRY *SpdEntry;\r
+ EFI_IPSEC_SPD_SELECTOR *SpdSelector;\r
+ BOOLEAN ESNEnabled; // Extended (64-bit) SN enabled\r
+ BOOLEAN ManualSet;\r
+ EFI_IP_ADDRESS TunnelDestAddress;\r
+ EFI_IP_ADDRESS TunnelSourceAddress;\r
} IPSEC_SAD_DATA;\r
\r
typedef struct _IPSEC_SAD_ENTRY {\r
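Review bot: The new `SpdSelector` member of `_IPSEC_SAD_DATA` sits next to the existing `SpdEntry` pointer with no comment on how the two relate or who owns the selector, which matters once a SAD entry can reference SPD state through two different pointers. Suggest `EFI_IPSEC_SPD_SELECTOR *SpdSelector; // selector this SA was created for; TODO document whether it aliases SpdEntry's selector or is a copy freed with the SAD entry`. The added `TunnelDestAddress`/`TunnelSourceAddress` also carry no comment on when they hold meaningful values; presumably only when `Mode` is tunnel mode, in which case `// valid only in tunnel mode (see Mode)` on each would make that explicit.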
UINT8 *PayloadBuffer;\r
} IPSEC_RECYCLE_CONTEXT;\r
\r
+//\r
+// Struct used to store the Hash and its data.\r
+//\r
+typedef struct {
+ UINTN DataSize;
+ UINT8 *Data;
+} HASH_DATA_FRAGMENT;\r
+\r
struct _IPSEC_PRIVATE_DATA {\r
UINT32 Signature;\r
EFI_HANDLE Handle; // Virtual handle to install private prtocol\r
EFI_HANDLE ImageHandle;\r
- EFI_IPSEC_PROTOCOL IpSec;\r
+ EFI_IPSEC2_PROTOCOL IpSec;\r
EFI_IPSEC_CONFIG_PROTOCOL IpSecConfig;\r
BOOLEAN SetBySelf;\r
LIST_ENTRY Udp4List;\r
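Review bot: The three body lines of the new `HASH_DATA_FRAGMENT` typedef (`typedef struct {` through `UINT8 *Data;`) end in LF while every other line of this file ends in CRLF, so the patch introduces mixed line endings; normalise them before merging. The header comment `Struct used to store the Hash and its data.` does not say what `DataSize` measures or who owns `Data`; suggest `UINTN DataSize; // byte length of Data` and `UINT8 *Data; // TODO confirm who allocates/frees this buffer`. Whether `DataSize` is in bytes cannot be confirmed from this hunk alone, so the comment should be checked against the code that fills the struct.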
/**\r
This function processes the inbound traffic with IPsec.\r
\r
- It checks the received packet security property, trims the ESP/AH header, and then\r
+ It checks the received packet security property, trims the ESP/AH header, and then \r
returns without an IPsec protected IP Header and FragmentTable.\r
-\r
+ \r
@param[in] IpVersion The version of IP.\r
- @param[in, out] IpHead Points to IP header containing the ESP/AH header\r
+ @param[in, out] IpHead Points to IP header containing the ESP/AH header \r
to be trimed on input, and without ESP/AH header\r
on return.\r
- @param[in] LastHead The Last Header in IP header on return.\r
- @param[in] OptionsBuffer Pointer to the options buffer. It is optional.\r
- @param[in] OptionsLength Length of the options buffer. It is optional.\r
- @param[in, out] FragmentTable Pointer to a list of fragments in the form of IPsec\r
+ @param[in, out] LastHead The Last Header in IP header on return.\r
+ @param[in, out] OptionsBuffer Pointer to the options buffer. It is optional.\r
+ @param[in, out] OptionsLength Length of the options buffer. It is optional.\r
+ @param[in, out] FragmentTable Pointer to a list of fragments in form of IPsec\r
protected on input, and without IPsec protected\r
on return.\r
- @param[in] FragmentCount Number of fragments.\r
+ @param[in, out] FragmentCount The number of fragments.\r
@param[out] SpdEntry Pointer to contain the address of SPD entry on return.\r
- @param[out] RecycleEvent Event for recycling of resources.\r
+ @param[out] RecycleEvent The event for recycling of resources.\r
\r
- @retval EFI_SUCCESS The operation is successful.\r
- @retval EFI_UNSUPPORTED If the IPSEC protocol is not supported.\r
+ @retval EFI_SUCCESS The operation was successful.\r
+ @retval EFI_UNSUPPORTED The IPSEC protocol is not supported.\r
\r
**/\r
EFI_STATUS\r
IpSecProtectInboundPacket (\r
IN UINT8 IpVersion,\r
IN OUT VOID *IpHead,\r
- IN UINT8 *LastHead,\r
- IN VOID *OptionsBuffer, OPTIONAL\r
- IN UINT32 OptionsLength, OPTIONAL\r
+ IN OUT UINT8 *LastHead,\r
+ IN OUT VOID **OptionsBuffer, OPTIONAL\r
+ IN OUT UINT32 *OptionsLength, OPTIONAL\r
IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable,\r
- IN UINT32 *FragmentCount,\r
- OUT IPSEC_SPD_ENTRY **SpdEntry,\r
+ IN OUT UINT32 *FragmentCount,\r
+ OUT EFI_IPSEC_SPD_SELECTOR **SpdEntry,\r
OUT EFI_EVENT *RecycleEvent\r
);\r
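Review bot: `OUT EFI_IPSEC_SPD_SELECTOR **SpdEntry` on `IpSecProtectInboundPacket` now returns a selector, but the parameter is still named `SpdEntry` and its unchanged description reads `Pointer to contain the address of SPD entry on return`; rename it to `SpdSelector` (or restore the type) and update the `@param[out]` line to match, e.g. `@param[out] SpdSelector  Points to the address of the matching SPD selector on return.`. `OptionsBuffer` also became `IN OUT VOID **` and `OptionsLength` `IN OUT UINT32 *`, yet their descriptions (`Pointer to the options buffer. It is optional.`) only changed the direction tag; the comment should say whether the callee may replace the buffer, who frees the old one, and what `*OptionsLength` holds on return. Because both remain marked `OPTIONAL`, it should also state that the callee tolerates `NULL` for either pointer. The same documentation gap applies to both `IpSecProtectOutboundPacket` hunks (the `@param` block ending at `@param[out] RecycleEvent` and the prototype ending at `IN IPSEC_SAD_ENTRY *SadEntry`) and to both `IpSecProcess` hunks (`@param[in, out] OptionsBuffer` and `IN OUT VOID **OptionsBuffer`).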
\r
@param[in, out] IpHead Point to IP header containing the orginal IP header\r
to be processed on input, and inserted ESP/AH header\r
on return.\r
- @param[in] LastHead The Last Header in IP header.\r
- @param[in] OptionsBuffer Pointer to the options buffer. It is optional.\r
- @param[in] OptionsLength Length of the options buffer. It is optional.\r
+ @param[in, out] LastHead The Last Header in IP header.\r
+ @param[in, out] OptionsBuffer Pointer to the options buffer. It is optional.\r
+ @param[in, out] OptionsLength Length of the options buffer. It is optional.\r
@param[in, out] FragmentTable Pointer to a list of fragments to be protected by\r
IPsec on input, and with IPsec protected\r
on return.\r
- @param[in] FragmentCount Number of fragments.\r
+ @param[in, out] FragmentCount Number of fragments.\r
@param[in] SadEntry Related SAD entry.\r
@param[out] RecycleEvent Event for recycling of resources.\r
\r
IpSecProtectOutboundPacket (\r
IN UINT8 IpVersion,\r
IN OUT VOID *IpHead,\r
- IN UINT8 *LastHead,\r
- IN VOID *OptionsBuffer, OPTIONAL\r
- IN UINT32 OptionsLength, OPTIONAL\r
+ IN OUT UINT8 *LastHead,\r
+ IN OUT VOID **OptionsBuffer, OPTIONAL\r
+ IN OUT UINT32 *OptionsLength, OPTIONAL\r
IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable,\r
- IN UINT32 *FragmentCount,\r
+ IN OUT UINT32 *FragmentCount,\r
IN IPSEC_SAD_ENTRY *SadEntry,\r
OUT EFI_EVENT *RecycleEvent\r
);\r
IN EFI_IP_ADDRESS *IpAddr\r
);\r
\r
+/**\r
+ Check if the specified IP packet can be serviced by this SPD entry.\r
+\r
+ @param[in] SpdEntry Point to SPD entry.\r
+ @param[in] IpVersion Version of IP.\r
+ @param[in] IpHead Point to IP header.\r
+ @param[in] IpPayload Point to IP payload.\r
+ @param[in] Protocol The Last protocol of IP packet.\r
+ @param[in] IsOutbound Traffic direction.\r
+ @param[out] Action The support action of SPD entry.\r
+\r
+ @retval EFI_SUCCESS Find the related SPD.\r
+ @retval EFI_NOT_FOUND Not find the related SPD entry;\r
+\r
+**/\r
+EFI_STATUS\r
+IpSecLookupSpdEntry (\r
+ IN IPSEC_SPD_ENTRY *SpdEntry,\r
+ IN UINT8 IpVersion,\r
+ IN VOID *IpHead,\r
+ IN UINT8 *IpPayload,\r
+ IN UINT8 Protocol,\r
+ IN BOOLEAN IsOutbound, \r
+ OUT EFI_IPSEC_ACTION *Action\r
+ );\r
+\r
+/**\r
+ Look up if there is existing SAD entry for specified IP packet sending.\r
+\r
+ This function is called by the IPsecProcess when there is some IP packet needed to\r
+ send out. This function checks if there is an existing SAD entry that can be serviced\r
+ to this IP packet sending. If no existing SAD entry could be used, this\r
+ function will invoke an IPsec Key Exchange Negotiation.\r
+\r
+ @param[in] Private Points to private data.\r
+ @param[in] NicHandle Points to a NIC handle.\r
+ @param[in] IpVersion The version of IP.\r
+ @param[in] IpHead The IP Header of packet to be sent out.\r
+ @param[in] IpPayload The IP Payload to be sent out.\r
+ @param[in] OldLastHead The Last protocol of the IP packet.\r
+ @param[in] SpdEntry Points to a related SPD entry.\r
+ @param[out] SadEntry Contains the Point of a related SAD entry.\r
+\r
+ @retval EFI_DEVICE_ERROR One of following conditions is TRUE:\r
+ - If don't find related UDP service.\r
+ - Sequence Number is used up.\r
+ - Extension Sequence Number is used up.\r
+ @retval EFI_NOT_READY No existing SAD entry could be used.\r
+ @retval EFI_SUCCESS Find the related SAD entry.\r
+\r
+**/\r
+EFI_STATUS\r
+IpSecLookupSadEntry (\r
+ IN IPSEC_PRIVATE_DATA *Private,\r
+ IN EFI_HANDLE NicHandle,\r
+ IN UINT8 IpVersion,\r
+ IN VOID *IpHead,\r
+ IN UINT8 *IpPayload,\r
+ IN UINT8 OldLastHead,\r
+ IN IPSEC_SPD_ENTRY *SpdEntry,\r
+ OUT IPSEC_SAD_ENTRY **SadEntry\r
+ );\r
+\r
/**\r
Find the SAD through whole SAD list.\r
\r
@param[in] Spi The SPI used to search the SAD entry.\r
@param[in] DestAddress The destination used to search the SAD entry.\r
+ @param[in] IpVersion The IP version. Ip4 or Ip6.\r
\r
@return The pointer to a certain SAD entry.\r
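Review bot: The new `IpSecLookupSpdEntry` prototype takes `IN VOID *IpHead` and `IN UINT8 *IpPayload` with no payload length, so the selector match presumably reads transport-layer fields from `IpPayload` without a bound; either add a length parameter or document the precondition in the header comment, e.g. `IpPayload must point to at least the full transport header; the caller validates IpHead and the packet length before calling.`. In the same block, `@retval EFI_NOT_FOUND Not find the related SPD entry;` has a stray semicolon and describes a search, while the function checks the one entry it is given — `@retval EFI_NOT_FOUND  The given SPD entry does not match the packet.` reads better — and `IN BOOLEAN IsOutbound, ` carries trailing whitespace. For `IpSecLookupSadEntry`, the description says a key-exchange negotiation is invoked when no SAD entry fits, but `@retval EFI_NOT_READY` only says `No existing SAD entry could be used`; if that is the contract, state that negotiation has been triggered and that `*SadEntry` is not valid on that return.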
\r
IPSEC_SAD_ENTRY *\r
IpSecLookupSadBySpi (\r
IN UINT32 Spi,\r
- IN EFI_IP_ADDRESS *DestAddress\r
+ IN EFI_IP_ADDRESS *DestAddress,\r
+ IN UINT8 IpVersion\r
)\r
;\r
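Review bot: The new `IpVersion` parameter of `IpSecLookupSadBySpi` is documented only as `The IP version. Ip4 or Ip6.`, which does not tell a caller what value to pass (the literals 4 and 6, or the NetLib `IP_VERSION_4`/`IP_VERSION_6` constants if those are what callers use) or what the function returns for any other value. Suggest `@param[in] IpVersion  IP_VERSION_4 or IP_VERSION_6.` plus one sentence on the behaviour for other values. The same wording check applies to the other `UINT8 IpVersion` parameters this patch introduces on `IpSecLookupSpdEntry` and `IpSecLookupSadEntry`.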
\r
The behavior is that it can perform one of the following actions:\r
bypass the packet, discard the packet, or protect the packet.\r
\r
- @param[in] This Pointer to the EFI_IPSEC_PROTOCOL instance.\r
+ @param[in] This Pointer to the EFI_IPSEC2_PROTOCOL instance.\r
@param[in] NicHandle Instance of the network interface.\r
@param[in] IpVersion IPV4 or IPV6.\r
@param[in, out] IpHead Pointer to the IP Header.\r
- @param[in] LastHead The protocol of the next layer to be processed by IPsec.\r
- @param[in] OptionsBuffer Pointer to the options buffer.\r
- @param[in] OptionsLength Length of the options buffer.\r
+ @param[in, out] LastHead The protocol of the next layer to be processed by IPsec.\r
+ @param[in, out] OptionsBuffer Pointer to the options buffer.\r
+ @param[in, out] OptionsLength Length of the options buffer.\r
@param[in, out] FragmentTable Pointer to a list of fragments.\r
- @param[in] FragmentCount Number of fragments.\r
+ @param[in, out] FragmentCount Number of fragments.\r
@param[in] TrafficDirection Traffic direction.\r
@param[out] RecycleSignal Event for recycling of resources.\r
\r
EFI_STATUS\r
EFIAPI\r
IpSecProcess (\r
- IN EFI_IPSEC_PROTOCOL *This,\r
+ IN EFI_IPSEC2_PROTOCOL *This,\r
IN EFI_HANDLE NicHandle,\r
IN UINT8 IpVersion,\r
IN OUT VOID *IpHead,\r
- IN UINT8 *LastHead,\r
- IN VOID *OptionsBuffer,\r
- IN UINT32 OptionsLength,\r
+ IN OUT UINT8 *LastHead,\r
+ IN OUT VOID **OptionsBuffer,\r
+ IN OUT UINT32 *OptionsLength,\r
IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable,\r
- IN UINT32 *FragmentCount,\r
+ IN OUT UINT32 *FragmentCount,\r
IN EFI_IPSEC_TRAFFIC_DIR TrafficDirection,\r
OUT EFI_EVENT *RecycleSignal\r
);\r
\r
extern EFI_DPC_PROTOCOL *mDpc;\r
-extern EFI_IPSEC_PROTOCOL mIpSecInstance;\r
+extern EFI_IPSEC2_PROTOCOL mIpSecInstance;\r
\r
extern EFI_COMPONENT_NAME2_PROTOCOL gIpSecComponentName2;\r
extern EFI_COMPONENT_NAME_PROTOCOL gIpSecComponentName;\r