Blame - NetworkPkg/IpSecDxe/IpSecImpl.h - SHIFTPHONES/android/bootable/bootloader/edk2

blob: ff7a189395b1ed4bd7f2dfeb6eadf8db85ae0646 [file] [log] [blame]

hhtian	a3bcde7	2010-11-01 06:13:54 +0000	[diff] [blame]	1	/** @file
				2	The definitions related to IPsec protocol implementation.
				3
qianouyang	47b2710	2011-05-31 02:03:57 +0000	[diff] [blame]	4	Copyright (c) 2009 - 2011, Intel Corporation. All rights reserved.<BR>
hhtian	a3bcde7	2010-11-01 06:13:54 +0000	[diff] [blame]	5
				6	This program and the accompanying materials
				7	are licensed and made available under the terms and conditions of the BSD License
				8	which accompanies this distribution. The full text of the license may be found at
				9	http://opensource.org/licenses/bsd-license.php.
				10
				11	THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
				12	WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
				13
				14	**/
				15
				16	#ifndef _IP_SEC_IMPL_H_
				17	#define _IP_SEC_IMPL_H_
				18
				19	#include <Uefi.h>
				20	#include <Library/UefiLib.h>
				21	#include <Library/NetLib.h>
				22	#include <Library/BaseMemoryLib.h>
				23	#include <Library/UefiBootServicesTableLib.h>
				24	#include <Library/MemoryAllocationLib.h>
				25	#include <Protocol/IpSec.h>
				26	#include <Protocol/IpSecConfig.h>
				27	#include <Protocol/Dpc.h>
				28	#include <Protocol/ComponentName.h>
				29	#include <Protocol/ComponentName2.h>
				30
				31	typedef struct _IPSEC_PRIVATE_DATA IPSEC_PRIVATE_DATA;
				32	typedef struct _IPSEC_SPD_ENTRY IPSEC_SPD_ENTRY;
				33	typedef struct _IPSEC_PAD_ENTRY IPSEC_PAD_ENTRY;
				34	typedef struct _IPSEC_SPD_DATA IPSEC_SPD_DATA;
				35
				36	#define IPSEC_PRIVATE_DATA_SIGNATURE SIGNATURE_32 ('I', 'P', 'S', 'E')
				37
				38	#define IPSEC_PRIVATE_DATA_FROM_IPSEC(a) CR (a, IPSEC_PRIVATE_DATA, IpSec, IPSEC_PRIVATE_DATA_SIGNATURE)
				39	#define IPSEC_PRIVATE_DATA_FROM_UDP4LIST(a) CR (a, IPSEC_PRIVATE_DATA, Udp4List, IPSEC_PRIVATE_DATA_SIGNATURE)
				40	#define IPSEC_PRIVATE_DATA_FROM_UDP6LIST(a) CR (a, IPSEC_PRIVATE_DATA, Udp6List, IPSEC_PRIVATE_DATA_SIGNATURE)
				41	#define IPSEC_UDP_SERVICE_FROM_LIST(a) BASE_CR (a, IKE_UDP_SERVICE, List)
				42	#define IPSEC_SPD_ENTRY_FROM_LIST(a) BASE_CR (a, IPSEC_SPD_ENTRY, List)
				43	#define IPSEC_SAD_ENTRY_FROM_LIST(a) BASE_CR (a, IPSEC_SAD_ENTRY, List)
				44	#define IPSEC_PAD_ENTRY_FROM_LIST(a) BASE_CR (a, IPSEC_PAD_ENTRY, List)
				45	#define IPSEC_SAD_ENTRY_FROM_SPD(a) BASE_CR (a, IPSEC_SAD_ENTRY, BySpd)
				46
				47	#define IPSEC_STATUS_DISABLED 0
				48	#define IPSEC_STATUS_ENABLED 1
				49	#define IPSEC_ESP_PROTOCOL 50
				50	#define IPSEC_AH_PROTOCOL 51
				51	#define IPSEC_DEFAULT_VARIABLE_SIZE 0x100
				52
				53	//
				54	// Internal Structure Definition
				55	//
				56	#pragma pack(1)
				57	typedef struct _EFI_AH_HEADER {
				58	UINT8 NextHeader;
				59	UINT8 PayloadLen;
				60	UINT16 Reserved;
				61	UINT32 Spi;
				62	UINT32 SequenceNumber;
				63	} EFI_AH_HEADER;
				64
				65	typedef struct _EFI_ESP_HEADER {
				66	UINT32 Spi;
				67	UINT32 SequenceNumber;
				68	} EFI_ESP_HEADER;
				69
				70	typedef struct _EFI_ESP_TAIL {
				71	UINT8 PaddingLength;
				72	UINT8 NextHeader;
				73	} EFI_ESP_TAIL;
				74	#pragma pack()
				75
				76	struct _IPSEC_SPD_DATA {
				77	CHAR16 Name[100];
				78	UINT32 PackageFlag;
				79	EFI_IPSEC_ACTION Action;
				80	EFI_IPSEC_PROCESS_POLICY *ProcessingPolicy;
				81	LIST_ENTRY Sas;
				82	};
				83
				84	struct _IPSEC_SPD_ENTRY {
				85	EFI_IPSEC_SPD_SELECTOR *Selector;
				86	IPSEC_SPD_DATA *Data;
				87	LIST_ENTRY List;
				88	};
				89
				90	typedef struct _IPSEC_SAD_DATA {
xdu2	68d3f2f	2010-11-01 08:19:28 +0000	[diff] [blame]	91	EFI_IPSEC_MODE Mode;
				92	UINT64 SequenceNumber;
				93	UINT8 AntiReplayWindowSize;
				94	UINT64 AntiReplayBitmap[4]; // bitmap for received packet
				95	EFI_IPSEC_ALGO_INFO AlgoInfo;
				96	EFI_IPSEC_SA_LIFETIME SaLifetime;
				97	UINT32 PathMTU;
				98	IPSEC_SPD_ENTRY *SpdEntry;
				99	EFI_IPSEC_SPD_SELECTOR *SpdSelector;
				100	BOOLEAN ESNEnabled; // Extended (64-bit) SN enabled
				101	BOOLEAN ManualSet;
				102	EFI_IP_ADDRESS TunnelDestAddress;
				103	EFI_IP_ADDRESS TunnelSourceAddress;
hhtian	a3bcde7	2010-11-01 06:13:54 +0000	[diff] [blame]	104	} IPSEC_SAD_DATA;
				105
				106	typedef struct _IPSEC_SAD_ENTRY {
				107	EFI_IPSEC_SA_ID *Id;
				108	IPSEC_SAD_DATA *Data;
				109	LIST_ENTRY List;
				110	LIST_ENTRY BySpd; // Linked on IPSEC_SPD_DATA.Sas
				111	} IPSEC_SAD_ENTRY;
				112
				113	struct _IPSEC_PAD_ENTRY {
				114	EFI_IPSEC_PAD_ID *Id;
				115	EFI_IPSEC_PAD_DATA *Data;
				116	LIST_ENTRY List;
				117	};
				118
				119	typedef struct _IPSEC_RECYCLE_CONTEXT {
				120	EFI_IPSEC_FRAGMENT_DATA *FragmentTable;
				121	UINT8 *PayloadBuffer;
				122	} IPSEC_RECYCLE_CONTEXT;
				123
qianouyang	9166f84	2010-12-31 10:43:54 +0000	[diff] [blame]	124	//
				125	// Struct used to store the Hash and its data.
				126	//
				127	typedef struct {
				128	UINTN DataSize;
				129	UINT8 *Data;
				130	} HASH_DATA_FRAGMENT;
				131
hhtian	a3bcde7	2010-11-01 06:13:54 +0000	[diff] [blame]	132	struct _IPSEC_PRIVATE_DATA {
				133	UINT32 Signature;
				134	EFI_HANDLE Handle; // Virtual handle to install private prtocol
				135	EFI_HANDLE ImageHandle;
xdu2	68d3f2f	2010-11-01 08:19:28 +0000	[diff] [blame]	136	EFI_IPSEC2_PROTOCOL IpSec;
hhtian	a3bcde7	2010-11-01 06:13:54 +0000	[diff] [blame]	137	EFI_IPSEC_CONFIG_PROTOCOL IpSecConfig;
				138	BOOLEAN SetBySelf;
				139	LIST_ENTRY Udp4List;
				140	UINTN Udp4Num;
				141	LIST_ENTRY Udp6List;
				142	UINTN Udp6Num;
				143	LIST_ENTRY Ikev1SessionList;
				144	LIST_ENTRY Ikev1EstablishedList;
				145	LIST_ENTRY Ikev2SessionList;
				146	LIST_ENTRY Ikev2EstablishedList;
				147	BOOLEAN IsIPsecDisabling;
				148	};
				149
				150	/**
				151	This function processes the inbound traffic with IPsec.
				152
qianouyang	9166f84	2010-12-31 10:43:54 +0000	[diff] [blame]	153	It checks the received packet security property, trims the ESP/AH header, and then
hhtian	a3bcde7	2010-11-01 06:13:54 +0000	[diff] [blame]	154	returns without an IPsec protected IP Header and FragmentTable.
qianouyang	9166f84	2010-12-31 10:43:54 +0000	[diff] [blame]	155
hhtian	a3bcde7	2010-11-01 06:13:54 +0000	[diff] [blame]	156	@param[in] IpVersion The version of IP.
qianouyang	9166f84	2010-12-31 10:43:54 +0000	[diff] [blame]	157	@param[in, out] IpHead Points to IP header containing the ESP/AH header
hhtian	a3bcde7	2010-11-01 06:13:54 +0000	[diff] [blame]	158	to be trimed on input, and without ESP/AH header
				159	on return.
qianouyang	9166f84	2010-12-31 10:43:54 +0000	[diff] [blame]	160	@param[in, out] LastHead The Last Header in IP header on return.
qianouyang	47b2710	2011-05-31 02:03:57 +0000	[diff] [blame]	161	@param[in, out] OptionsBuffer Pointer to the options buffer.
				162	@param[in, out] OptionsLength Length of the options buffer.
qianouyang	9166f84	2010-12-31 10:43:54 +0000	[diff] [blame]	163	@param[in, out] FragmentTable Pointer to a list of fragments in form of IPsec
hhtian	a3bcde7	2010-11-01 06:13:54 +0000	[diff] [blame]	164	protected on input, and without IPsec protected
				165	on return.
qianouyang	9166f84	2010-12-31 10:43:54 +0000	[diff] [blame]	166	@param[in, out] FragmentCount The number of fragments.
hhtian	a3bcde7	2010-11-01 06:13:54 +0000	[diff] [blame]	167	@param[out] SpdEntry Pointer to contain the address of SPD entry on return.
qianouyang	9166f84	2010-12-31 10:43:54 +0000	[diff] [blame]	168	@param[out] RecycleEvent The event for recycling of resources.
hhtian	a3bcde7	2010-11-01 06:13:54 +0000	[diff] [blame]	169
qianouyang	9166f84	2010-12-31 10:43:54 +0000	[diff] [blame]	170	@retval EFI_SUCCESS The operation was successful.
				171	@retval EFI_UNSUPPORTED The IPSEC protocol is not supported.
hhtian	a3bcde7	2010-11-01 06:13:54 +0000	[diff] [blame]	172
				173	**/
				174	EFI_STATUS
				175	IpSecProtectInboundPacket (
				176	IN UINT8 IpVersion,
				177	IN OUT VOID *IpHead,
qianouyang	9166f84	2010-12-31 10:43:54 +0000	[diff] [blame]	178	IN OUT UINT8 *LastHead,
qianouyang	47b2710	2011-05-31 02:03:57 +0000	[diff] [blame]	179	IN OUT VOID **OptionsBuffer,
				180	IN OUT UINT32 *OptionsLength,
hhtian	a3bcde7	2010-11-01 06:13:54 +0000	[diff] [blame]	181	IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable,
xdu2	68d3f2f	2010-11-01 08:19:28 +0000	[diff] [blame]	182	IN OUT UINT32 *FragmentCount,
qianouyang	9166f84	2010-12-31 10:43:54 +0000	[diff] [blame]	183	OUT EFI_IPSEC_SPD_SELECTOR **SpdEntry,
hhtian	a3bcde7	2010-11-01 06:13:54 +0000	[diff] [blame]	184	OUT EFI_EVENT *RecycleEvent
				185	);
				186
				187
				188	/**
				189	This fucntion processes the output traffic with IPsec.
				190
				191	It protected the sending packet by encrypting it payload and inserting ESP/AH header
				192	in the orginal IP header, then return the IpHeader and IPsec protected Fragmentable.
				193
				194	@param[in] IpVersion The version of IP.
				195	@param[in, out] IpHead Point to IP header containing the orginal IP header
				196	to be processed on input, and inserted ESP/AH header
				197	on return.
xdu2	68d3f2f	2010-11-01 08:19:28 +0000	[diff] [blame]	198	@param[in, out] LastHead The Last Header in IP header.
qianouyang	47b2710	2011-05-31 02:03:57 +0000	[diff] [blame]	199	@param[in, out] OptionsBuffer Pointer to the options buffer.
				200	@param[in, out] OptionsLength Length of the options buffer.
hhtian	a3bcde7	2010-11-01 06:13:54 +0000	[diff] [blame]	201	@param[in, out] FragmentTable Pointer to a list of fragments to be protected by
				202	IPsec on input, and with IPsec protected
				203	on return.
xdu2	68d3f2f	2010-11-01 08:19:28 +0000	[diff] [blame]	204	@param[in, out] FragmentCount Number of fragments.
hhtian	a3bcde7	2010-11-01 06:13:54 +0000	[diff] [blame]	205	@param[in] SadEntry Related SAD entry.
				206	@param[out] RecycleEvent Event for recycling of resources.
				207
				208	@retval EFI_SUCCESS The operation is successful.
				209	@retval EFI_UNSUPPORTED If the IPSEC protocol is not supported.
				210
				211	**/
				212	EFI_STATUS
				213	IpSecProtectOutboundPacket (
				214	IN UINT8 IpVersion,
				215	IN OUT VOID *IpHead,
xdu2	68d3f2f	2010-11-01 08:19:28 +0000	[diff] [blame]	216	IN OUT UINT8 *LastHead,
qianouyang	47b2710	2011-05-31 02:03:57 +0000	[diff] [blame]	217	IN OUT VOID **OptionsBuffer,
				218	IN OUT UINT32 *OptionsLength,
hhtian	a3bcde7	2010-11-01 06:13:54 +0000	[diff] [blame]	219	IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable,
xdu2	68d3f2f	2010-11-01 08:19:28 +0000	[diff] [blame]	220	IN OUT UINT32 *FragmentCount,
hhtian	a3bcde7	2010-11-01 06:13:54 +0000	[diff] [blame]	221	IN IPSEC_SAD_ENTRY *SadEntry,
				222	OUT EFI_EVENT *RecycleEvent
				223	);
				224
				225	/**
				226	Check if the IP Address in the address range of AddressInfos specified.
				227
				228	@param[in] IpVersion The IP version.
				229	@param[in] IpAddr Points to EFI_IP_ADDRESS to be check.
				230	@param[in] AddressInfo A list of EFI_IP_ADDRESS_INFO that is used to check
				231	the IP Address is matched.
				232	@param[in] AddressCount The total numbers of the AddressInfo.
				233
				234	@retval TRUE If the Specified IP Address is in the range of the AddressInfos specified.
				235	@retval FALSE If the Specified IP Address is not in the range of the AddressInfos specified.
				236
				237	**/
				238	BOOLEAN
				239	IpSecMatchIpAddress (
				240	IN UINT8 IpVersion,
				241	IN EFI_IP_ADDRESS *IpAddr,
				242	IN EFI_IP_ADDRESS_INFO *AddressInfo,
				243	IN UINT32 AddressCount
				244	);
				245
				246	/**
				247	Find a PAD entry according to remote IP address.
				248
				249	@param[in] IpVersion The version of IP.
				250	@param[in] IpAddr Point to remote IP address.
				251
				252	@return The pointer of related PAD entry.
				253
				254	**/
				255	IPSEC_PAD_ENTRY *
				256	IpSecLookupPadEntry (
				257	IN UINT8 IpVersion,
				258	IN EFI_IP_ADDRESS *IpAddr
				259	);
				260
				261	/**
qianouyang	9166f84	2010-12-31 10:43:54 +0000	[diff] [blame]	262	Check if the specified IP packet can be serviced by this SPD entry.
				263
				264	@param[in] SpdEntry Point to SPD entry.
				265	@param[in] IpVersion Version of IP.
				266	@param[in] IpHead Point to IP header.
				267	@param[in] IpPayload Point to IP payload.
				268	@param[in] Protocol The Last protocol of IP packet.
				269	@param[in] IsOutbound Traffic direction.
				270	@param[out] Action The support action of SPD entry.
				271
				272	@retval EFI_SUCCESS Find the related SPD.
				273	@retval EFI_NOT_FOUND Not find the related SPD entry;
				274
				275	**/
				276	EFI_STATUS
				277	IpSecLookupSpdEntry (
				278	IN IPSEC_SPD_ENTRY *SpdEntry,
				279	IN UINT8 IpVersion,
				280	IN VOID *IpHead,
				281	IN UINT8 *IpPayload,
				282	IN UINT8 Protocol,
				283	IN BOOLEAN IsOutbound,
				284	OUT EFI_IPSEC_ACTION *Action
				285	);
				286
				287	/**
				288	Look up if there is existing SAD entry for specified IP packet sending.
				289
				290	This function is called by the IPsecProcess when there is some IP packet needed to
				291	send out. This function checks if there is an existing SAD entry that can be serviced
				292	to this IP packet sending. If no existing SAD entry could be used, this
				293	function will invoke an IPsec Key Exchange Negotiation.
				294
				295	@param[in] Private Points to private data.
				296	@param[in] NicHandle Points to a NIC handle.
				297	@param[in] IpVersion The version of IP.
				298	@param[in] IpHead The IP Header of packet to be sent out.
				299	@param[in] IpPayload The IP Payload to be sent out.
				300	@param[in] OldLastHead The Last protocol of the IP packet.
				301	@param[in] SpdEntry Points to a related SPD entry.
				302	@param[out] SadEntry Contains the Point of a related SAD entry.
				303
				304	@retval EFI_DEVICE_ERROR One of following conditions is TRUE:
				305	- If don't find related UDP service.
				306	- Sequence Number is used up.
				307	- Extension Sequence Number is used up.
				308	@retval EFI_NOT_READY No existing SAD entry could be used.
				309	@retval EFI_SUCCESS Find the related SAD entry.
				310
				311	**/
				312	EFI_STATUS
				313	IpSecLookupSadEntry (
				314	IN IPSEC_PRIVATE_DATA *Private,
				315	IN EFI_HANDLE NicHandle,
				316	IN UINT8 IpVersion,
				317	IN VOID *IpHead,
				318	IN UINT8 *IpPayload,
				319	IN UINT8 OldLastHead,
				320	IN IPSEC_SPD_ENTRY *SpdEntry,
				321	OUT IPSEC_SAD_ENTRY **SadEntry
				322	);
				323
				324	/**
hhtian	a3bcde7	2010-11-01 06:13:54 +0000	[diff] [blame]	325	Find the SAD through whole SAD list.
				326
				327	@param[in] Spi The SPI used to search the SAD entry.
				328	@param[in] DestAddress The destination used to search the SAD entry.
qianouyang	9166f84	2010-12-31 10:43:54 +0000	[diff] [blame]	329	@param[in] IpVersion The IP version. Ip4 or Ip6.
hhtian	a3bcde7	2010-11-01 06:13:54 +0000	[diff] [blame]	330
				331	@return The pointer to a certain SAD entry.
				332
				333	**/
				334	IPSEC_SAD_ENTRY *
				335	IpSecLookupSadBySpi (
				336	IN UINT32 Spi,
qianouyang	9166f84	2010-12-31 10:43:54 +0000	[diff] [blame]	337	IN EFI_IP_ADDRESS *DestAddress,
				338	IN UINT8 IpVersion
hhtian	a3bcde7	2010-11-01 06:13:54 +0000	[diff] [blame]	339	)
				340	;
				341
				342	/**
				343	Handles IPsec packet processing for inbound and outbound IP packets.
				344
				345	The EFI_IPSEC_PROCESS process routine handles each inbound or outbound packet.
				346	The behavior is that it can perform one of the following actions:
				347	bypass the packet, discard the packet, or protect the packet.
				348
qianouyang	0a7294f	2011-04-20 10:01:48 +0000	[diff] [blame]	349	@param[in] This Pointer to the EFI_IPSEC2_PROTOCOL instance.
hhtian	a3bcde7	2010-11-01 06:13:54 +0000	[diff] [blame]	350	@param[in] NicHandle Instance of the network interface.
				351	@param[in] IpVersion IPV4 or IPV6.
				352	@param[in, out] IpHead Pointer to the IP Header.
xdu2	68d3f2f	2010-11-01 08:19:28 +0000	[diff] [blame]	353	@param[in, out] LastHead The protocol of the next layer to be processed by IPsec.
				354	@param[in, out] OptionsBuffer Pointer to the options buffer.
				355	@param[in, out] OptionsLength Length of the options buffer.
hhtian	a3bcde7	2010-11-01 06:13:54 +0000	[diff] [blame]	356	@param[in, out] FragmentTable Pointer to a list of fragments.
xdu2	68d3f2f	2010-11-01 08:19:28 +0000	[diff] [blame]	357	@param[in, out] FragmentCount Number of fragments.
hhtian	a3bcde7	2010-11-01 06:13:54 +0000	[diff] [blame]	358	@param[in] TrafficDirection Traffic direction.
				359	@param[out] RecycleSignal Event for recycling of resources.
				360
				361	@retval EFI_SUCCESS The packet was bypassed and all buffers remain the same.
				362	@retval EFI_SUCCESS The packet was protected.
				363	@retval EFI_ACCESS_DENIED The packet was discarded.
				364
				365	**/
				366	EFI_STATUS
				367	EFIAPI
				368	IpSecProcess (
xdu2	68d3f2f	2010-11-01 08:19:28 +0000	[diff] [blame]	369	IN EFI_IPSEC2_PROTOCOL *This,
hhtian	a3bcde7	2010-11-01 06:13:54 +0000	[diff] [blame]	370	IN EFI_HANDLE NicHandle,
				371	IN UINT8 IpVersion,
				372	IN OUT VOID *IpHead,
xdu2	68d3f2f	2010-11-01 08:19:28 +0000	[diff] [blame]	373	IN OUT UINT8 *LastHead,
				374	IN OUT VOID **OptionsBuffer,
				375	IN OUT UINT32 *OptionsLength,
hhtian	a3bcde7	2010-11-01 06:13:54 +0000	[diff] [blame]	376	IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable,
xdu2	68d3f2f	2010-11-01 08:19:28 +0000	[diff] [blame]	377	IN OUT UINT32 *FragmentCount,
hhtian	a3bcde7	2010-11-01 06:13:54 +0000	[diff] [blame]	378	IN EFI_IPSEC_TRAFFIC_DIR TrafficDirection,
				379	OUT EFI_EVENT *RecycleSignal
				380	);
				381
				382	extern EFI_DPC_PROTOCOL *mDpc;
xdu2	68d3f2f	2010-11-01 08:19:28 +0000	[diff] [blame]	383	extern EFI_IPSEC2_PROTOCOL mIpSecInstance;
hhtian	a3bcde7	2010-11-01 06:13:54 +0000	[diff] [blame]	384
				385	extern EFI_COMPONENT_NAME2_PROTOCOL gIpSecComponentName2;
				386	extern EFI_COMPONENT_NAME_PROTOCOL gIpSecComponentName;
				387
				388
				389	#endif