/** @file | |
EFI IPSEC Protocol Definition | |
The EFI_IPSEC_PROTOCOL is used to abstract the ability to deal with the individual | |
packets sent and received by the host and provide packet-level security for IP | |
datagram. | |
The EFI_IPSEC2_PROTOCOL is used to abstract the ability to deal with the individual | |
packets sent and received by the host and provide packet-level security for IP | |
datagram. In addition, it supports the Option (extension header) processing in | |
IPsec which doesn't support in EFI_IPSEC_PROTOCOL. It is also recommended to | |
use EFI_IPSEC2_PROTOCOL instead of EFI_IPSEC_PROTOCOL especially for IPsec Tunnel | |
Mode. | |
Copyright (c) 2009 - 2010, Intel Corporation. All rights reserved.<BR> | |
This program and the accompanying materials | |
are licensed and made available under the terms and conditions of the BSD License | |
which accompanies this distribution. The full text of the license may be found at | |
http://opensource.org/licenses/bsd-license.php | |
THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, | |
WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. | |
@par Revision Reference: | |
The EFI_IPSEC2_PROTOCOL is introduced in UEFI Specification 2.3D. | |
**/ | |
#ifndef __EFI_IPSEC_PROTOCOL_H__ | |
#define __EFI_IPSEC_PROTOCOL_H__ | |
#include <Protocol/IpSecConfig.h> | |
#define EFI_IPSEC_PROTOCOL_GUID \ | |
{ \ | |
0xdfb386f7, 0xe100, 0x43ad, {0x9c, 0x9a, 0xed, 0x90, 0xd0, 0x8a, 0x5e, 0x12 } \ | |
} | |
#define EFI_IPSEC2_PROTOCOL_GUID \ | |
{ \ | |
0xa3979e64, 0xace8, 0x4ddc, {0xbc, 0x7, 0x4d, 0x66, 0xb8, 0xfd, 0x9, 0x77 } \ | |
} | |
typedef struct _EFI_IPSEC_PROTOCOL EFI_IPSEC_PROTOCOL; | |
typedef struct _EFI_IPSEC2_PROTOCOL EFI_IPSEC2_PROTOCOL; | |
/// | |
/// EFI_IPSEC_FRAGMENT_DATA | |
/// defines the instances of packet fragments. | |
/// | |
typedef struct _EFI_IPSEC_FRAGMENT_DATA { | |
UINT32 FragmentLength; | |
VOID *FragmentBuffer; | |
} EFI_IPSEC_FRAGMENT_DATA; | |
/** | |
Handles IPsec packet processing for inbound and outbound IP packets. | |
The EFI_IPSEC_PROCESS process routine handles each inbound or outbound packet. | |
The behavior is that it can perform one of the following actions: | |
bypass the packet, discard the packet, or protect the packet. | |
@param[in] This Pointer to the EFI_IPSEC_PROTOCOL instance. | |
@param[in] NicHandle Instance of the network interface. | |
@param[in] IpVer IPV4 or IPV6. | |
@param[in, out] IpHead Pointer to the IP Header. | |
@param[in] LastHead The protocol of the next layer to be processed by IPsec. | |
@param[in] OptionsBuffer Pointer to the options buffer. | |
@param[in] OptionsLength Length of the options buffer. | |
@param[in, out] FragmentTable Pointer to a list of fragments. | |
@param[in] FragmentCount Number of fragments. | |
@param[in] TrafficDirection Traffic direction. | |
@param[out] RecycleSignal Event for recycling of resources. | |
@retval EFI_SUCCESS The packet was bypassed and all buffers remain the same. | |
@retval EFI_SUCCESS The packet was protected. | |
@retval EFI_ACCESS_DENIED The packet was discarded. | |
**/ | |
typedef | |
EFI_STATUS | |
(EFIAPI *EFI_IPSEC_PROCESS)( | |
IN EFI_IPSEC_PROTOCOL *This, | |
IN EFI_HANDLE NicHandle, | |
IN UINT8 IpVer, | |
IN OUT VOID *IpHead, | |
IN UINT8 *LastHead, | |
IN VOID *OptionsBuffer, | |
IN UINT32 OptionsLength, | |
IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable, | |
IN UINT32 *FragmentCount, | |
IN EFI_IPSEC_TRAFFIC_DIR TrafficDirection, | |
OUT EFI_EVENT *RecycleSignal | |
); | |
/// | |
/// EFI_IPSEC_PROTOCOL | |
/// provides the ability for securing IP communications by authenticating | |
/// and/or encrypting each IP packet in a data stream. | |
// EFI_IPSEC_PROTOCOL can be consumed by both the IPv4 and IPv6 stack. | |
// A user can employ this protocol for IPsec package handling in both IPv4 | |
// and IPv6 environment. | |
/// | |
struct _EFI_IPSEC_PROTOCOL { | |
EFI_IPSEC_PROCESS Process; ///< Handle the IPsec message. | |
EFI_EVENT DisabledEvent; ///< Event signaled when the interface is disabled. | |
BOOLEAN DisabledFlag; ///< State of the interface. | |
}; | |
/** | |
Handles IPsec processing for both inbound and outbound IP packets. Compare with | |
Process() in EFI_IPSEC_PROTOCOL, this interface has the capability to process | |
Option(Extension Header). | |
The EFI_IPSEC2_PROCESS process routine handles each inbound or outbound packet. | |
The behavior is that it can perform one of the following actions: | |
bypass the packet, discard the packet, or protect the packet. | |
@param[in] This Pointer to the EFI_IPSEC2_PROTOCOL instance. | |
@param[in] NicHandle Instance of the network interface. | |
@param[in] IpVer IP version.IPv4 or IPv6. | |
@param[in, out] IpHead Pointer to the IP Header it is either | |
the EFI_IP4_HEADER or EFI_IP6_HEADER. | |
On input, it contains the IP header. | |
On output, 1) in tunnel mode and the | |
traffic direction is inbound, the buffer | |
will be reset to zero by IPsec; 2) in | |
tunnel mode and the traffic direction | |
is outbound, the buffer will reset to | |
be the tunnel IP header.3) in transport | |
mode, the related fielders (like payload | |
length, Next header) in IP header will | |
be modified according to the condition. | |
@param[in, out] LastHead For IP4, it is the next protocol in IP | |
header. For IP6 it is the Next Header | |
of the last extension header. | |
@param[in, out] OptionsBuffer On input, it contains the options | |
(extensions header) to be processed by | |
IPsec. On output, 1) in tunnel mode and | |
the traffic direction is outbound, it | |
will be set to NULL, and that means this | |
contents was wrapped after inner header | |
and should not be concatenated after | |
tunnel header again; 2) in transport | |
mode and the traffic direction is inbound, | |
if there are IP options (extension headers) | |
protected by IPsec, IPsec will concatenate | |
the those options after the input options | |
(extension headers); 3) on other situations, | |
the output of contents of OptionsBuffer | |
might be same with input's. The caller | |
should take the responsibility to free | |
the buffer both on input and on output. | |
@param[in, out] OptionsLength On input, the input length of the options | |
buffer. On output, the output length of | |
the options buffer. | |
@param[in, out] FragmentTable Pointer to a list of fragments. On input, | |
these fragments contain the IP payload. | |
On output, 1) in tunnel mode and the traffic | |
direction is inbound, the fragments contain | |
the whole IP payload which is from the | |
IP inner header to the last byte of the | |
packet; 2) in tunnel mode and the traffic | |
direction is the outbound, the fragments | |
contains the whole encapsulated payload | |
which encapsulates the whole IP payload | |
between the encapsulated header and | |
encapsulated trailer fields. 3) in transport | |
mode and the traffic direction is inbound, | |
the fragments contains the IP payload | |
which is from the next layer protocol to | |
the last byte of the packet; 4) in transport | |
mode and the traffic direction is outbound, | |
the fragments contains the whole encapsulated | |
payload which encapsulates the next layer | |
protocol information between the encapsulated | |
header and encapsulated trailer fields. | |
@param[in, out] FragmentCount Number of fragments. | |
@param[in] TrafficDirection Traffic direction. | |
@param[out] RecycleSignal Event for recycling of resources. | |
@retval EFI_SUCCESS The packet was processed by IPsec successfully. | |
@retval EFI_ACCESS_DENIED The packet was discarded. | |
@retval EFI_NOT_READY The IKE negotiation is invoked and the packet | |
was discarded. | |
@retval EFI_INVALID_PARAMETER One or more of following are TRUE: | |
If OptionsBuffer is NULL; | |
If OptionsLength is NULL; | |
If FragmentTable is NULL; | |
If FragmentCount is NULL. | |
**/ | |
typedef | |
EFI_STATUS | |
(EFIAPI *EFI_IPSEC_PROCESSEXT) ( | |
IN EFI_IPSEC2_PROTOCOL *This, | |
IN EFI_HANDLE NicHandle, | |
IN UINT8 IpVer, | |
IN OUT VOID *IpHead, | |
IN OUT UINT8 *LastHead, | |
IN OUT VOID **OptionsBuffer, | |
IN OUT UINT32 *OptionsLength, | |
IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable, | |
IN OUT UINT32 *FragmentCount, | |
IN EFI_IPSEC_TRAFFIC_DIR TrafficDirection, | |
OUT EFI_EVENT *RecycleSignal | |
); | |
/// | |
/// EFI_IPSEC2_PROTOCOL | |
/// supports the Option (extension header) processing in IPsec which doesn't support | |
/// in EFI_IPSEC_PROTOCOL. It is also recommended to use EFI_IPSEC2_PROTOCOL instead | |
/// of EFI_IPSEC_PROTOCOL especially for IPsec Tunnel Mode. | |
/// provides the ability for securing IP communications by authenticating and/or | |
/// encrypting each IP packet in a data stream. | |
/// | |
struct _EFI_IPSEC2_PROTOCOL { | |
EFI_IPSEC_PROCESSEXT ProcessExt; | |
EFI_EVENT DisabledEvent; | |
BOOLEAN DisabledFlag; | |
}; | |
extern EFI_GUID gEfiIpSecProtocolGuid; | |
extern EFI_GUID gEfiIpSec2ProtocolGuid; | |
#endif |