Diffstat (limited to 'MdePkg')
-rw-r--r-- | MdePkg/Include/Protocol/IpSec.h | 130 | ||||
-rw-r--r-- | MdePkg/Include/Protocol/IpSecConfig.h | 84 |
2 files changed, 180 insertions, 34 deletions
diff --git a/MdePkg/Include/Protocol/IpSec.h b/MdePkg/Include/Protocol/IpSec.h
index 626c87003b..f5571db645 100644
--- a/MdePkg/Include/Protocol/IpSec.h
+++ b/MdePkg/Include/Protocol/IpSec.h
@@ -1,7 +1,14 @@ /** @file
EFI IPSEC Protocol Definition
The EFI_IPSEC_PROTOCOL is used to abstract the ability to deal with the individual
- packets sent and received by the host and provide packet-level security for IP datagram.
+ packets sent and received by the host and provide packet-level security for IP
+ datagram.
+ The EFI_IPSEC2_PROTOCOL is used to abstract the ability to deal with the individual
+ packets sent and received by the host and provide packet-level security for IP
+ datagram. In addition, it supports the Option (extension header) processing in
+ IPsec which doesn't support in EFI_IPSEC_PROTOCOL. It is also recommended to
+ use EFI_IPSEC2_PROTOCOL instead of EFI_IPSEC_PROTOCOL especially for IPsec Tunnel
+ Mode.
Copyright (c) 2009 - 2010, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
@@ -27,7 +34,13 @@ 0xdfb386f7, 0xe100, 0x43ad, {0x9c, 0x9a, 0xed, 0x90, 0xd0, 0x8a, 0x5e, 0x12 } \
}
+#define EFI_IPSEC2_PROTOCOL_GUID \
+ { \
+ 0xa3979e64, 0xace8, 0x4ddc, {0xbc, 0x7, 0x4d, 0x66, 0xb8, 0xfd, 0x9, 0x77 } \
+ }
+
typedef struct _EFI_IPSEC_PROTOCOL EFI_IPSEC_PROTOCOL;
+typedef struct _EFI_IPSEC2_PROTOCOL EFI_IPSEC2_PROTOCOL;
///
/// EFI_IPSEC_FRAGMENT_DATA
@@ -93,6 +106,119 @@ struct _EFI_IPSEC_PROTOCOL { BOOLEAN DisabledFlag; ///< State of the interface.
};
-extern EFI_GUID gEfiIpSecProtocolGuid;
+/**
+ Handles IPsec processing for both inbound and outbound IP packets. Compare with
+ Process() in EFI_IPSEC_PROTOCOL, this interface has the capability to process
+ Option(Extension Header).
+
+ The EFI_IPSEC2_PROCESS process routine handles each inbound or outbound packet.
+ The behavior is that it can perform one of the following actions:
+ bypass the packet, discard the packet, or protect the packet.
+
+ @param[in] This Pointer to the EFI_IPSEC2_PROTOCOL instance.
+ @param[in] NicHandle Instance of the network interface.
+ @param[in] IpVer IP version.IPv4 or IPv6.
+ @param[in, out] IpHead Pointer to the IP Header it is either
+ the EFI_IP4_HEADER or EFI_IP6_HEADER.
+ On input, it contains the IP header.
+ On output, 1) in tunnel mode and the
+ traffic direction is inbound, the buffer
+ will be reset to zero by IPsec; 2) in
+ tunnel mode and the traffic direction
+ is outbound, the buffer will reset to
+ be the tunnel IP header.3) in transport
+ mode, the related fielders (like payload
+ length, Next header) in IP header will
+ be modified according to the condition.
+ @param[in, out] LastHead For IP4, it is the next protocol in IP
+ header. For IP6 it is the Next Header
+ of the last extension header.
+ @param[in, out] OptionsBuffer On input, it contains the options
+ (extensions header) to be processed by
+ IPsec. On output, 1) in tunnel mode and
+ the traffic direction is outbound, it
+ will be set to NULL, and that means this
+ contents was wrapped after inner header
+ and should not be concatenated after
+ tunnel header again; 2) in transport
+ mode and the traffic direction is inbound,
+ if there are IP options (extension headers)
+ protected by IPsec, IPsec will concatenate
+ the those options after the input options
+ (extension headers); 3) on other situations,
+ the output of contents of OptionsBuffer
+ might be same with input's. The caller
+ should take the responsibility to free
+ the buffer both on input and on output.
+ @param[in, out] OptionsLength On input, the input length of the options
+ buffer. On output, the output length of
+ the options buffer.
+ @param[in, out] FragmentTable Pointer to a list of fragments. On input,
+ these fragments contain the IP payload.
+ On output, 1) in tunnel mode and the traffic
+ direction is inbound, the fragments contain
+ the whole IP payload which is from the
+ IP inner header to the last byte of the
+ packet; 2) in tunnel mode and the traffic
+ direction is the outbound, the fragments
+ contains the whole encapsulated payload
+ which encapsulates the whole IP payload
+ between the encapsulated header and
+ encapsulated trailer fields. 3) in transport
+ mode and the traffic direction is inbound,
+ the fragments contains the IP payload
+ which is from the next layer protocol to
+ the last byte of the packet; 4) in transport
+ mode and the traffic direction is outbound,
+ the fragments contains the whole encapsulated
+ payload which encapsulates the next layer
+ protocol information between the encapsulated
+ header and encapsulated trailer fields.
+ @param[in, out] FragmentCount Number of fragments.
+ @param[in] TrafficDirection Traffic direction.
+ @param[out] RecycleSignal Event for recycling of resources.
+
+ @retval EFI_SUCCESS The packet was processed by IPsec successfully.
+ @retval EFI_ACCESS_DENIED The packet was discarded.
+ @retval EFI_NOT_READY The IKE negotiation is invoked and the packet
+ was discarded.
+ @retval EFI_INVALID_PARAMETER One or more of following are TRUE:
+ If OptionsBuffer is NULL;
+ If OptionsLength is NULL;
+ If FragmentTable is NULL;
+ If FragmentCount is NULL.
+
+**/
+typedef
+EFI_STATUS
+(EFIAPI *EFI_IPSEC_PROCESSEXT) (
+ IN EFI_IPSEC2_PROTOCOL *This,
+ IN EFI_HANDLE NicHandle,
+ IN UINT8 IpVer,
+ IN OUT VOID *IpHead,
+ IN OUT UINT8 *LastHead,
+ IN OUT VOID **OptionsBuffer,
+ IN OUT UINT32 *OptionsLength,
+ IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable,
+ IN OUT UINT32 *FragmentCount,
+ IN EFI_IPSEC_TRAFFIC_DIR TrafficDirection,
+ OUT EFI_EVENT *RecycleSignal
+ );
+///
+/// EFI_IPSEC2_PROTOCOL
+/// supports the Option (extension header) processing in IPsec which doesn't support
+/// in EFI_IPSEC_PROTOCOL. It is also recommended to use EFI_IPSEC2_PROTOCOL instead
+/// of EFI_IPSEC_PROTOCOL especially for IPsec Tunnel Mode.
+/// provides the ability for securing IP communications by authenticating and/or
+/// encrypting each IP packet in a data stream.
+///
+struct _EFI_IPSEC2_PROTOCOL {
+EFI_IPSEC_PROCESSEXT ProcessExt;
+EFI_EVENT DisabledEvent;
+BOOLEAN DisabledFlag;
+};
+
+extern EFI_GUID gEfiIpSecProtocolGuid;
+extern EFI_GUID gEfiIpSec2ProtocolGuid;
#endif
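Review bot: The ownership contract for OptionsBuffer in the EFI_IPSEC_PROCESSEXT comment is ambiguous: it says that in tunnel-mode outbound the output "will be set to NULL" and that in transport-mode inbound IPsec "will concatenate" protected options after the input ones, yet also that the caller must free the buffer "both on input and on output", without saying whether the implementation releases the caller's original buffer before overwriting *OptionsBuffer or whether the concatenated result is a fresh allocation that replaces the input. Either reading leads a caller to a leak or a double free, so the comment should state one explicit rule, for example `On output, *OptionsBuffer is either the unmodified input pointer or a newly allocated buffer; when a new buffer is returned (or NULL), the input buffer has already been released by the implementation and the caller frees only what is returned.` — wording to be confirmed against the implementation. The new struct _EFI_IPSEC2_PROTOCOL also drops the `///<` member comments the existing struct carries (e.g. `BOOLEAN DisabledFlag; ///< State of the interface.`); adding the same comments to DisabledEvent and DisabledFlag keeps the two protocol definitions consistent.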
diff --git a/MdePkg/Include/Protocol/IpSecConfig.h b/MdePkg/Include/Protocol/IpSecConfig.h
index 4c4dad0403..e305381f7e 100644
--- a/MdePkg/Include/Protocol/IpSecConfig.h
+++ b/MdePkg/Include/Protocol/IpSecConfig.h
@@ -303,38 +303,6 @@ typedef struct _EFI_IPSEC_PROCESS_POLICY { } EFI_IPSEC_PROCESS_POLICY;
///
-/// IPsec Authentication Algorithm Definition
-/// The number value definition is aligned to IANA assignment
-///
-#define EFI_IPSEC_AALG_NONE 0x00
-#define EFI_IPSEC_AALG_MD5HMAC 0x02
-#define EFI_IPSEC_AALG_SHA1HMAC 0x03
-#define EFI_IPSEC_AALG_SHA2_256HMAC 0x05
-#define EFI_IPSEC_AALG_SHA2_384HMAC 0x06
-#define EFI_IPSEC_AALG_SHA2_512HMAC 0x07
-#define EFI_IPSEC_AALG_AES_XCBC_MAC 0x09
-#define EFI_IPSEC_AALG_NULL 0xFB
-
-///
-/// IPsec Encryption Algorithm Definition
-/// The number value definition is aligned to IANA assignment
-///
-#define EFI_IPSEC_EALG_NONE 0x00
-#define EFI_IPSEC_EALG_DESCBC 0x02
-#define EFI_IPSEC_EALG_3DESCBC 0x03
-#define EFI_IPSEC_EALG_CASTCBC 0x06
-#define EFI_IPSEC_EALG_BLOWFISHCBC 0x07
-#define EFI_IPSEC_EALG_NULL 0x0B
-#define EFI_IPSEC_EALG_AESCBC 0x0C
-#define EFI_IPSEC_EALG_AESCTR 0x0D
-#define EFI_IPSEC_EALG_AES_CCM_ICV8 0x0E
-#define EFI_IPSEC_EALG_AES_CCM_ICV12 0x0F
-#define EFI_IPSEC_EALG_AES_CCM_ICV16 0x10
-#define EFI_IPSEC_EALG_AES_GCM_ICV8 0x12
-#define EFI_IPSEC_EALG_AES_GCM_ICV12 0x13
-#define EFI_IPSEC_EALG_AES_GCM_ICV16 0x14
-
-///
/// EFI_IPSEC_SA_ID
/// A triplet to identify an SA, consisting of the following members.
///
@@ -487,6 +455,58 @@ typedef struct _EFI_IPSEC_SA_DATA { } EFI_IPSEC_SA_DATA;
///
+/// EFI_IPSEC_SA_DATA2
+///
+typedef struct _EFI_IPSEC_SA_DATA2 {
+ ///
+ /// IPsec mode: tunnel or transport
+ ///
+ EFI_IPSEC_MODE Mode;
+ ///
+ /// Sequence Number Counter. A 64-bit counter used to generate the sequence
+ /// number field in AH or ESP headers.
+ ///
+ UINT64 SNCount;
+ ///
+ /// Anti-Replay Window. A 64-bit counter and a bit-map used to determine
+ /// whether an inbound AH or ESP packet is a replay.
+ ///
+ UINT8 AntiReplayWindows;
+ ///
+ /// AH/ESP cryptographic algorithm, key and parameters.
+ ///
+ EFI_IPSEC_ALGO_INFO AlgoInfo;
+ ///
+ /// Lifetime of this SA.
+ ///
+ EFI_IPSEC_SA_LIFETIME SaLifetime;
+ ///
+ /// Any observed path MTU and aging variables. The Path MTU processing is
+ /// defined in section 8 of RFC 4301.
+ ///
+ UINT32 PathMTU;
+ ///
+ /// Link to one SPD entry
+ ///
+ EFI_IPSEC_SPD_SELECTOR *SpdSelector;
+ ///
+ /// Indication of whether it's manually set or negotiated automatically.
+ /// If ManualSet is FALSE, the corresponding SA entry is inserted through IKE
+ /// protocol negotiation
+ ///
+ BOOLEAN ManualSet;
+ ///
+ /// The tunnel header IP source address.
+ ///
+ EFI_IP_ADDRESS TunnelSourceAddress;
+ ///
+ /// The tunnel header IP destination address.
+ ///
+ EFI_IP_ADDRESS TunnelDestinationAddress;
+} EFI_IPSEC_SA_DATA2;
+
+
+///
/// EFI_IPSEC_PAD_ID
/// specifies the identifier for PAD entry, which is also used for SPD lookup.
/// IpAddress Pointer to the IPv4 or IPv6 address range.
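Review bot: The comment on AntiReplayWindows in EFI_IPSEC_SA_DATA2 describes "a 64-bit counter and a bit-map", but the member is a single UINT8 and cannot hold that state; the comment should say what the byte actually configures (presumably the window size in packets, which an 8-bit field caps at 255) and what a value of 0 means — replay protection disabled, or a default window — because a misconfigured window directly weakens replay detection for the SA. Suggested wording, to be confirmed against the implementation: `/// Anti-Replay Window size. The number of packets (at most 255) tracked by the receiver's replay bit-map for this SA; the 64-bit counter and bit-map themselves are maintained internally, not in this field.` SpdSelector is likewise a raw pointer embedded in configuration data, and its comment "Link to one SPD entry" does not say who owns the pointed-to selector or how long it must remain valid after the structure is handed over; that should be stated since it cannot be derived from the struct.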