From 705f53a9b49e7ee3d1ca4bcc7133534ed64590dc Mon Sep 17 00:00:00 2001 From: qianouyang Date: Fri, 15 Oct 2010 05:40:41 +0000 Subject: Update IPsec.h file to follow approved ECR which will be collected into future UEFI 2.3 Specification after 2.3 errata B and future UEFI Specifications after 2.3. The changes mainly include: 1. Add EFI_IPSEC2_PROTOCOL 2. Remove IPsec Authentication Algorithm Definition and IPsec Encryption Algorithm Definition. 3. Add EFI_IPSEC_SA_DATA2 data structure. And also update IPv4 driver to call EFI_IPSEC2_PROTOCOL. git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@10941 6f19259b-4bc3-4df7-8a09-765794883524 --- MdePkg/Include/Protocol/IpSec.h | 130 +++++++++++++++++++++++++++++++++- MdePkg/Include/Protocol/IpSecConfig.h | 84 +++++++++++++--------- 2 files changed, 180 insertions(+), 34 deletions(-) (limited to 'MdePkg') diff --git a/MdePkg/Include/Protocol/IpSec.h b/MdePkg/Include/Protocol/IpSec.h index 626c87003b..f5571db645 100644 --- a/MdePkg/Include/Protocol/IpSec.h +++ b/MdePkg/Include/Protocol/IpSec.h @@ -1,7 +1,14 @@ /** @file EFI IPSEC Protocol Definition The EFI_IPSEC_PROTOCOL is used to abstract the ability to deal with the individual - packets sent and received by the host and provide packet-level security for IP datagram. + packets sent and received by the host and provide packet-level security for IP + datagram. + The EFI_IPSEC2_PROTOCOL is used to abstract the ability to deal with the individual + packets sent and received by the host and provide packet-level security for IP + datagram. In addition, it supports the Option (extension header) processing in + IPsec which doesn't support in EFI_IPSEC_PROTOCOL. It is also recommended to + use EFI_IPSEC2_PROTOCOL instead of EFI_IPSEC_PROTOCOL especially for IPsec Tunnel + Mode. Copyright (c) 2009 - 2010, Intel Corporation. All rights reserved.
This program and the accompanying materials @@ -27,7 +34,13 @@ 0xdfb386f7, 0xe100, 0x43ad, {0x9c, 0x9a, 0xed, 0x90, 0xd0, 0x8a, 0x5e, 0x12 } \ } +#define EFI_IPSEC2_PROTOCOL_GUID \ + { \ + 0xa3979e64, 0xace8, 0x4ddc, {0xbc, 0x7, 0x4d, 0x66, 0xb8, 0xfd, 0x9, 0x77 } \ + } + typedef struct _EFI_IPSEC_PROTOCOL EFI_IPSEC_PROTOCOL; +typedef struct _EFI_IPSEC2_PROTOCOL EFI_IPSEC2_PROTOCOL; /// /// EFI_IPSEC_FRAGMENT_DATA 
@@ -93,6 +106,119 @@ struct _EFI_IPSEC_PROTOCOL { BOOLEAN DisabledFlag; ///< State of the interface. }; -extern EFI_GUID gEfiIpSecProtocolGuid; +/** + Handles IPsec processing for both inbound and outbound IP packets. Compare with + Process() in EFI_IPSEC_PROTOCOL, this interface has the capability to process + Option(Extension Header). + + The EFI_IPSEC2_PROCESS process routine handles each inbound or outbound packet. + The behavior is that it can perform one of the following actions: + bypass the packet, discard the packet, or protect the packet. + + @param[in] This Pointer to the EFI_IPSEC2_PROTOCOL instance. + @param[in] NicHandle Instance of the network interface. + @param[in] IpVer IP version.IPv4 or IPv6. + @param[in, out] IpHead Pointer to the IP Header it is either + the EFI_IP4_HEADER or EFI_IP6_HEADER. + On input, it contains the IP header. + On output, 1) in tunnel mode and the + traffic direction is inbound, the buffer + will be reset to zero by IPsec; 2) in + tunnel mode and the traffic direction + is outbound, the buffer will reset to + be the tunnel IP header.3) in transport + mode, the related fielders (like payload + length, Next header) in IP header will + be modified according to the condition. + @param[in, out] LastHead For IP4, it is the next protocol in IP + header. For IP6 it is the Next Header + of the last extension header. + @param[in, out] OptionsBuffer On input, it contains the options + (extensions header) to be processed by + IPsec. 
On output, 1) in tunnel mode and + the traffic direction is outbound, it + will be set to NULL, and that means this + contents was wrapped after inner header + and should not be concatenated after + tunnel header again; 2) in transport + mode and the traffic direction is inbound, + if there are IP options (extension headers) + protected by IPsec, IPsec will concatenate + the those options after the input options + (extension headers); 3) on other situations, + the output of contents of OptionsBuffer + might be same with input's. The caller + should take the responsibility to free + the buffer both on input and on output. + @param[in, out] OptionsLength On input, the input length of the options + buffer. On output, the output length of + the options buffer. + @param[in, out] FragmentTable Pointer to a list of fragments. On input, + these fragments contain the IP payload. + On output, 1) in tunnel mode and the traffic + direction is inbound, the fragments contain + the whole IP payload which is from the + IP inner header to the last byte of the + packet; 2) in tunnel mode and the traffic + direction is the outbound, the fragments + contains the whole encapsulated payload + which encapsulates the whole IP payload + between the encapsulated header and + encapsulated trailer fields. 3) in transport + mode and the traffic direction is inbound, + the fragments contains the IP payload + which is from the next layer protocol to + the last byte of the packet; 4) in transport + mode and the traffic direction is outbound, + the fragments contains the whole encapsulated + payload which encapsulates the next layer + protocol information between the encapsulated + header and encapsulated trailer fields. + @param[in, out] FragmentCount Number of fragments. + @param[in] TrafficDirection Traffic direction. + @param[out] RecycleSignal Event for recycling of resources. + + @retval EFI_SUCCESS The packet was processed by IPsec successfully. 
+ @retval EFI_ACCESS_DENIED The packet was discarded. + @retval EFI_NOT_READY The IKE negotiation is invoked and the packet + was discarded. + @retval EFI_INVALID_PARAMETER One or more of following are TRUE: + If OptionsBuffer is NULL; + If OptionsLength is NULL; + If FragmentTable is NULL; + If FragmentCount is NULL. + +**/ +typedef +EFI_STATUS +(EFIAPI *EFI_IPSEC_PROCESSEXT) ( + IN EFI_IPSEC2_PROTOCOL *This, + IN EFI_HANDLE NicHandle, + IN UINT8 IpVer, + IN OUT VOID *IpHead, + IN OUT UINT8 *LastHead, + IN OUT VOID **OptionsBuffer, + IN OUT UINT32 *OptionsLength, + IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable, + IN OUT UINT32 *FragmentCount, + IN EFI_IPSEC_TRAFFIC_DIR TrafficDirection, + OUT EFI_EVENT *RecycleSignal + ); +/// +/// EFI_IPSEC2_PROTOCOL +/// supports the Option (extension header) processing in IPsec which doesn't support +/// in EFI_IPSEC_PROTOCOL. It is also recommended to use EFI_IPSEC2_PROTOCOL instead +/// of EFI_IPSEC_PROTOCOL especially for IPsec Tunnel Mode. +/// provides the ability for securing IP communications by authenticating and/or +/// encrypting each IP packet in a data stream. +/// +struct _EFI_IPSEC2_PROTOCOL { +EFI_IPSEC_PROCESSEXT ProcessExt; +EFI_EVENT DisabledEvent; +BOOLEAN DisabledFlag; +}; + +extern EFI_GUID gEfiIpSecProtocolGuid; +extern EFI_GUID gEfiIpSec2ProtocolGuid; #endif diff --git a/MdePkg/Include/Protocol/IpSecConfig.h b/MdePkg/Include/Protocol/IpSecConfig.h index 4c4dad0403..e305381f7e 100644 --- a/MdePkg/Include/Protocol/IpSecConfig.h +++ b/MdePkg/Include/Protocol/IpSecConfig.h 
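Review bot: The three members of the new `struct _EFI_IPSEC2_PROTOCOL` carry neither the column layout nor the `///<` member comments that the adjacent `_EFI_IPSEC_PROTOCOL` uses (its `BOOLEAN DisabledFlag; ///< State of the interface.` is visible as context at the top of this hunk), so the semantics of DisabledEvent and DisabledFlag are not stated anywhere for the new protocol. I would indent the members and document each, e.g. `EFI_IPSEC_PROCESSEXT  ProcessExt;    ///< Process one inbound or outbound packet, including IP options/extension headers.` and `BOOLEAN               DisabledFlag;  ///< State of the interface.`, copying the DisabledEvent wording from EFI_IPSEC_PROTOCOL. Separately, the EFI_INVALID_PARAMETER list for EFI_IPSEC_PROCESSEXT names only OptionsBuffer, OptionsLength, FragmentTable and FragmentCount, although the routine also writes through IpHead, LastHead and RecycleSignal; the doc should say whether a NULL there is rejected or is the caller's responsibility. The OptionsBuffer paragraph says the buffer may be replaced (or set to NULL) on output and that the caller frees it "both on input and on output", which presumably means any replacement must come from the same allocator as the caller's buffer; stating that explicitly would avoid a mismatched free or a leak at the boundary.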
@@ -302,38 +302,6 @@ typedef struct _EFI_IPSEC_PROCESS_POLICY { UINT8 EncAlgoId; } EFI_IPSEC_PROCESS_POLICY; -/// -/// IPsec Authentication Algorithm Definition -/// The number value definition is aligned to IANA assignment -/// -#define EFI_IPSEC_AALG_NONE 0x00 -#define EFI_IPSEC_AALG_MD5HMAC 0x02 -#define EFI_IPSEC_AALG_SHA1HMAC 0x03 -#define EFI_IPSEC_AALG_SHA2_256HMAC 0x05 -#define EFI_IPSEC_AALG_SHA2_384HMAC 0x06 -#define EFI_IPSEC_AALG_SHA2_512HMAC 0x07 -#define EFI_IPSEC_AALG_AES_XCBC_MAC 0x09 -#define EFI_IPSEC_AALG_NULL 0xFB - -/// -/// IPsec Encryption Algorithm Definition -/// The number value definition is aligned to IANA assignment -/// -#define EFI_IPSEC_EALG_NONE 0x00 -#define EFI_IPSEC_EALG_DESCBC 0x02 -#define EFI_IPSEC_EALG_3DESCBC 0x03 -#define EFI_IPSEC_EALG_CASTCBC 0x06 -#define EFI_IPSEC_EALG_BLOWFISHCBC 0x07 -#define EFI_IPSEC_EALG_NULL 0x0B -#define EFI_IPSEC_EALG_AESCBC 0x0C -#define EFI_IPSEC_EALG_AESCTR 0x0D -#define EFI_IPSEC_EALG_AES_CCM_ICV8 0x0E -#define EFI_IPSEC_EALG_AES_CCM_ICV12 0x0F -#define EFI_IPSEC_EALG_AES_CCM_ICV16 0x10 -#define EFI_IPSEC_EALG_AES_GCM_ICV8 0x12 -#define EFI_IPSEC_EALG_AES_GCM_ICV12 0x13 -#define EFI_IPSEC_EALG_AES_GCM_ICV16 0x14 - /// /// EFI_IPSEC_SA_ID /// A triplet to identify an SA, consisting of the following members. 
@@ -486,6 +454,58 @@ typedef struct _EFI_IPSEC_SA_DATA {
 BOOLEAN ManualSet;
 } EFI_IPSEC_SA_DATA;
 
+///
+/// EFI_IPSEC_SA_DATA2
+///
+typedef struct _EFI_IPSEC_SA_DATA2 {
+ ///
+ /// IPsec mode: tunnel or transport
+ ///
+ EFI_IPSEC_MODE Mode;
+ ///
+ /// Sequence Number Counter. A 64-bit counter used to generate the sequence
+ /// number field in AH or ESP headers.
+ ///
+ UINT64 SNCount;
+ ///
+ /// Anti-Replay Window. A 64-bit counter and a bit-map used to determine
+ /// whether an inbound AH or ESP packet is a replay.
+ ///
+ UINT8 AntiReplayWindows;
+ ///
+ /// AH/ESP cryptographic algorithm, key and parameters.
+ ///
+ EFI_IPSEC_ALGO_INFO AlgoInfo;
+ ///
+ /// Lifetime of this SA.
+ ///
+ EFI_IPSEC_SA_LIFETIME SaLifetime;
+ ///
+ /// Any observed path MTU and aging variables. The Path MTU processing is
+ /// defined in section 8 of RFC 4301.
+ ///
+ UINT32 PathMTU;
+ ///
+ /// Link to one SPD entry
+ ///
+ EFI_IPSEC_SPD_SELECTOR *SpdSelector;
+ ///
+ /// Indication of whether it's manually set or negotiated automatically.
+ /// If ManualSet is FALSE, the corresponding SA entry is inserted through IKE
+ /// protocol negotiation
+ ///
+ BOOLEAN ManualSet;
+ ///
+ /// The tunnel header IP source address.
+ ///
+ EFI_IP_ADDRESS TunnelSourceAddress;
+ ///
+ /// The tunnel header IP destination address.
+ ///
+ EFI_IP_ADDRESS TunnelDestinationAddress;
+} EFI_IPSEC_SA_DATA2;
+
+
 ///
 /// EFI_IPSEC_PAD_ID
 /// specifies the identifier for PAD entry, which is also used for SPD lookup.
-- cgit v1.2.3
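Review bot: In the new EFI_IPSEC_SA_DATA2 the comment on `AntiReplayWindows` describes "a 64-bit counter and a bit-map", but the member is a `UINT8`, so the comment documents state the field cannot hold; presumably the field carries the window size while the counter and bit-map live in the implementation, and a reader configuring an SA cannot tell that from the header. I would reword it to `/// Anti-Replay Window size. The 64-bit counter and bit-map used to detect a replayed inbound AH or ESP packet are maintained by the IPsec implementation, not stored here.` (the same text appears to be inherited from EFI_IPSEC_SA_DATA, whose body lies outside the hunk). The new TunnelSourceAddress and TunnelDestinationAddress comments should also say whether the fields are consulted only when Mode selects tunnel mode and what they hold otherwise, since nothing on the struct ties them to Mode; if that is the intent, `/// The tunnel header IP source address. Valid only when Mode is tunnel mode.` makes it explicit.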