NetworkPkg/IpSecDxe/IpSecImpl.h File Reference


Data Structures

struct  _EFI_AH_HEADER
struct  _EFI_ESP_HEADER
struct  _EFI_ESP_TAIL
struct  _IPSEC_SPD_DATA
struct  _IPSEC_SPD_ENTRY
struct  _IPSEC_SAD_DATA
struct  _IPSEC_SAD_ENTRY
struct  _IPSEC_PAD_ENTRY
struct  _IPSEC_RECYCLE_CONTEXT
struct  HASH_DATA_FRAGMENT
struct  _IPSEC_PRIVATE_DATA

Defines

#define IPSEC_PRIVATE_DATA_SIGNATURE   SIGNATURE_32 ('I', 'P', 'S', 'E')
#define IPSEC_PRIVATE_DATA_FROM_IPSEC(a)   CR (a, IPSEC_PRIVATE_DATA, IpSec, IPSEC_PRIVATE_DATA_SIGNATURE)
#define IPSEC_PRIVATE_DATA_FROM_UDP4LIST(a)   CR (a, IPSEC_PRIVATE_DATA, Udp4List, IPSEC_PRIVATE_DATA_SIGNATURE)
#define IPSEC_PRIVATE_DATA_FROM_UDP6LIST(a)   CR (a, IPSEC_PRIVATE_DATA, Udp6List, IPSEC_PRIVATE_DATA_SIGNATURE)
#define IPSEC_UDP_SERVICE_FROM_LIST(a)   BASE_CR (a, IKE_UDP_SERVICE, List)
#define IPSEC_SPD_ENTRY_FROM_LIST(a)   BASE_CR (a, IPSEC_SPD_ENTRY, List)
#define IPSEC_SAD_ENTRY_FROM_LIST(a)   BASE_CR (a, IPSEC_SAD_ENTRY, List)
#define IPSEC_PAD_ENTRY_FROM_LIST(a)   BASE_CR (a, IPSEC_PAD_ENTRY, List)
#define IPSEC_SAD_ENTRY_FROM_SPD(a)   BASE_CR (a, IPSEC_SAD_ENTRY, BySpd)
#define IPSEC_STATUS_DISABLED   0
#define IPSEC_STATUS_ENABLED   1
#define IPSEC_ESP_PROTOCOL   50
#define IPSEC_AH_PROTOCOL   51
#define IPSEC_DEFAULT_VARIABLE_SIZE   0x100

Typedefs

typedef struct _IPSEC_PRIVATE_DATA IPSEC_PRIVATE_DATA
typedef struct _IPSEC_SPD_ENTRY IPSEC_SPD_ENTRY
typedef struct _IPSEC_PAD_ENTRY IPSEC_PAD_ENTRY
typedef struct _IPSEC_SPD_DATA IPSEC_SPD_DATA
typedef struct _EFI_AH_HEADER EFI_AH_HEADER
typedef struct _EFI_ESP_HEADER EFI_ESP_HEADER
typedef struct _EFI_ESP_TAIL EFI_ESP_TAIL
typedef struct _IPSEC_SAD_DATA IPSEC_SAD_DATA
typedef struct _IPSEC_SAD_ENTRY IPSEC_SAD_ENTRY
typedef struct _IPSEC_RECYCLE_CONTEXT IPSEC_RECYCLE_CONTEXT

Functions

EFI_STATUS IpSecProtectInboundPacket (IN UINT8 IpVersion, IN OUT VOID *IpHead, IN OUT UINT8 *LastHead, IN OUT VOID **OptionsBuffer, IN OUT UINT32 *OptionsLength, IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable, IN OUT UINT32 *FragmentCount, OUT EFI_IPSEC_SPD_SELECTOR **SpdEntry, OUT EFI_EVENT *RecycleEvent)
EFI_STATUS IpSecProtectOutboundPacket (IN UINT8 IpVersion, IN OUT VOID *IpHead, IN OUT UINT8 *LastHead, IN OUT VOID **OptionsBuffer, IN OUT UINT32 *OptionsLength, IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable, IN OUT UINT32 *FragmentCount, IN IPSEC_SAD_ENTRY *SadEntry, OUT EFI_EVENT *RecycleEvent)
BOOLEAN IpSecMatchIpAddress (IN UINT8 IpVersion, IN EFI_IP_ADDRESS *IpAddr, IN EFI_IP_ADDRESS_INFO *AddressInfo, IN UINT32 AddressCount)
IPSEC_PAD_ENTRY * IpSecLookupPadEntry (IN UINT8 IpVersion, IN EFI_IP_ADDRESS *IpAddr)
EFI_STATUS IpSecLookupSpdEntry (IN IPSEC_SPD_ENTRY *SpdEntry, IN UINT8 IpVersion, IN VOID *IpHead, IN UINT8 *IpPayload, IN UINT8 Protocol, IN BOOLEAN IsOutbound, OUT EFI_IPSEC_ACTION *Action)
EFI_STATUS IpSecLookupSadEntry (IN IPSEC_PRIVATE_DATA *Private, IN EFI_HANDLE NicHandle, IN UINT8 IpVersion, IN VOID *IpHead, IN UINT8 *IpPayload, IN UINT8 OldLastHead, IN IPSEC_SPD_ENTRY *SpdEntry, OUT IPSEC_SAD_ENTRY **SadEntry)
IPSEC_SAD_ENTRY * IpSecLookupSadBySpi (IN UINT32 Spi, IN EFI_IP_ADDRESS *DestAddress, IN UINT8 IpVersion)
EFI_STATUS EFIAPI IpSecProcess (IN EFI_IPSEC2_PROTOCOL *This, IN EFI_HANDLE NicHandle, IN UINT8 IpVersion, IN OUT VOID *IpHead, IN OUT UINT8 *LastHead, IN OUT VOID **OptionsBuffer, IN OUT UINT32 *OptionsLength, IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable, IN OUT UINT32 *FragmentCount, IN EFI_IPSEC_TRAFFIC_DIR TrafficDirection, OUT EFI_EVENT *RecycleSignal)

Variables

EFI_DPC_PROTOCOL * mDpc
EFI_IPSEC2_PROTOCOL mIpSecInstance
EFI_COMPONENT_NAME2_PROTOCOL gIpSecComponentName2
EFI_COMPONENT_NAME_PROTOCOL gIpSecComponentName

Detailed Description

The definitions related to IPsec protocol implementation.

Copyright (c) 2009 - 2011, Intel Corporation. All rights reserved.

This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at http://opensource.org/licenses/bsd-license.php.

THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.


Define Documentation

#define IPSEC_AH_PROTOCOL   51

#define IPSEC_DEFAULT_VARIABLE_SIZE   0x100

Referenced by IpSecConfigSave().

#define IPSEC_ESP_PROTOCOL   50

#define IPSEC_PAD_ENTRY_FROM_LIST ( a )     BASE_CR (a, IPSEC_PAD_ENTRY, List)

#define IPSEC_PRIVATE_DATA_FROM_IPSEC ( a )     CR (a, IPSEC_PRIVATE_DATA, IpSec, IPSEC_PRIVATE_DATA_SIGNATURE)

Referenced by IpSecProcess(), IpSecStart(), and IpSecStop().

#define IPSEC_PRIVATE_DATA_FROM_UDP4LIST ( a )     CR (a, IPSEC_PRIVATE_DATA, Udp4List, IPSEC_PRIVATE_DATA_SIGNATURE)

#define IPSEC_PRIVATE_DATA_FROM_UDP6LIST ( a )     CR (a, IPSEC_PRIVATE_DATA, Udp6List, IPSEC_PRIVATE_DATA_SIGNATURE)

#define IPSEC_PRIVATE_DATA_SIGNATURE   SIGNATURE_32 ('I', 'P', 'S', 'E')

Referenced by IpSecDriverEntryPoint().

#define IPSEC_SAD_ENTRY_FROM_LIST ( a )     BASE_CR (a, IPSEC_SAD_ENTRY, List)

#define IPSEC_SAD_ENTRY_FROM_SPD ( a )     BASE_CR (a, IPSEC_SAD_ENTRY, BySpd)

#define IPSEC_SPD_ENTRY_FROM_LIST ( a )     BASE_CR (a, IPSEC_SPD_ENTRY, List)

#define IPSEC_STATUS_DISABLED   0

#define IPSEC_STATUS_ENABLED   1

#define IPSEC_UDP_SERVICE_FROM_LIST ( a )     BASE_CR (a, IKE_UDP_SERVICE, List)

Referenced by IkeLookupUdp(), and IpSecStop().


Typedef Documentation

typedef struct _EFI_AH_HEADER EFI_AH_HEADER

typedef struct _EFI_ESP_TAIL EFI_ESP_TAIL


Function Documentation

IPSEC_PAD_ENTRY* IpSecLookupPadEntry ( IN UINT8  IpVersion,
IN EFI_IP_ADDRESS *  IpAddr 
)

Find a PAD entry according to a remote IP address.

Parameters:
[in] IpVersion The version of IP.
[in] IpAddr Points to the remote IP address.
Returns:
The pointer to the related PAD entry.
Find a PAD entry according to a remote IP address.

Parameters:
[in] IpVersion The version of IP.
[in] IpAddr Points to the remote IP address.
Returns:
The pointer to the related PAD entry.

References _IPSEC_PAD_ENTRY::Id, IPSEC_PAD_ENTRY_FROM_LIST, IpSecMatchIpAddress(), and mConfigData.

Referenced by IkeNegotiate(), and Ikev2HandleSa().

IPSEC_SAD_ENTRY* IpSecLookupSadBySpi ( IN UINT32  Spi,
IN EFI_IP_ADDRESS *  DestAddress,
IN UINT8  IpVersion 
)

Find the SAD entry by searching the whole SAD list.

Parameters:
[in] Spi The SPI used to search the SAD entry.
[in] DestAddress The destination address used to search the SAD entry.
[in] IpVersion The IP version. Ip4 or Ip6.
Returns:
The pointer to a certain SAD entry.
Find the SAD entry by searching the whole SAD list.

Parameters:
[in] Spi The SPI used to search the SAD entry.
[in] DestAddress The destination address used to search the SAD entry.
[in] IpVersion The IP version. Ip4 or Ip6.
Returns:
the pointer to a certain SAD entry.

References _IPSEC_SAD_ENTRY::Data, _IPSEC_SAD_ENTRY::Id, IPSEC_SAD_ENTRY_FROM_LIST, IpSecMatchIpAddress(), mConfigData, _IPSEC_SAD_DATA::Mode, _IPSEC_SAD_DATA::SpdSelector, and _IPSEC_SAD_DATA::TunnelDestAddress.

Referenced by IpSecFoundSadFromInboundPacket().

EFI_STATUS IpSecLookupSadEntry ( IN IPSEC_PRIVATE_DATA *  Private,
IN EFI_HANDLE  NicHandle,
IN UINT8  IpVersion,
IN VOID *  IpHead,
IN UINT8 *  IpPayload,
IN UINT8  OldLastHead,
IN IPSEC_SPD_ENTRY *  SpdEntry,
OUT IPSEC_SAD_ENTRY **  SadEntry 
)

Look up whether an existing SAD entry can be used for sending the specified IP packet.

This function is called by IpSecProcess when an IP packet needs to be sent out. It checks whether an existing SAD entry can service this outbound IP packet. If no existing SAD entry can be used, this function invokes an IPsec key exchange negotiation.

Parameters:
[in] Private Points to private data.
[in] NicHandle Points to a NIC handle.
[in] IpVersion The version of IP.
[in] IpHead The IP Header of packet to be sent out.
[in] IpPayload The IP Payload to be sent out.
[in] OldLastHead The Last protocol of the IP packet.
[in] SpdEntry Points to a related SPD entry.
[out] SadEntry Receives the pointer to the related SAD entry.
Return values:
EFI_DEVICE_ERROR One of the following conditions is TRUE:
  • No related UDP service was found.
  • The Sequence Number space of the SAD entry is exhausted.
  • The Extended Sequence Number space of the SAD entry is exhausted.
EFI_NOT_READY No existing SAD entry could be used.
EFI_SUCCESS The related SAD entry was found.

References _IPSEC_SAD_ENTRY::Data, _IPSEC_SAD_DATA::ESNEnabled, IkeLookupUdp(), IkeNegotiate(), IpSecLookupSadBySpd(), _IPSEC_SAD_DATA::ManualSet, and _IPSEC_SAD_DATA::SequenceNumber.

Referenced by IpSecProcess().

EFI_STATUS IpSecLookupSpdEntry ( IN IPSEC_SPD_ENTRY *  SpdEntry,
IN UINT8  IpVersion,
IN VOID *  IpHead,
IN UINT8 *  IpPayload,
IN UINT8  Protocol,
IN BOOLEAN  IsOutbound,
OUT EFI_IPSEC_ACTION *  Action 
)

Check if the specified IP packet can be serviced by this SPD entry.

Parameters:
[in] SpdEntry Points to the SPD entry.
[in] IpVersion Version of IP.
[in] IpHead Points to the IP header.
[in] IpPayload Points to the IP payload.
[in] Protocol The last protocol of the IP packet.
[in] IsOutbound Traffic direction.
[out] Action The action supported by the SPD entry.
Return values:
EFI_SUCCESS The related SPD entry was found.
EFI_NOT_FOUND The related SPD entry was not found.

References IpSecMatchIpAddress(), and IpSecMatchNextLayerProtocol().

Referenced by IpSecProcess().

BOOLEAN IpSecMatchIpAddress ( IN UINT8  IpVersion,
IN EFI_IP_ADDRESS *  IpAddr,
IN EFI_IP_ADDRESS_INFO *  AddressInfo,
IN UINT32  AddressCount 
)

Check whether the IP address is within the address range of the specified AddressInfos.

Parameters:
[in] IpVersion The IP version.
[in] IpAddr Points to the EFI_IP_ADDRESS to be checked.
[in] AddressInfo A list of EFI_IP_ADDRESS_INFO used to check whether the IP address matches.
[in] AddressCount The total number of AddressInfo entries.
Return values:
TRUE If the Specified IP Address is in the range of the AddressInfos specified.
FALSE If the Specified IP Address is not in the range of the AddressInfos specified.
Checks whether the IP address is within the address range of the specified AddressInfos.

Parameters:
[in] IpVersion The IP version.
[in] IpAddr Points to the EFI_IP_ADDRESS to be checked.
[in] AddressInfo A list of EFI_IP_ADDRESS_INFO used to check whether the IP address matches.
[in] AddressCount The total number of AddressInfo entries.
Return values:
TRUE If the Specified IP Address is in the range of the AddressInfos specified.
FALSE If the Specified IP Address is not in the range of the AddressInfos specified.

References IpSecExtractAddressRange(), and IpSecValidAddressRange().

Referenced by Ikev2MatchSpdEntry(), IpSecLookupPadEntry(), IpSecLookupSadBySpd(), IpSecLookupSadBySpi(), and IpSecLookupSpdEntry().

EFI_STATUS EFIAPI IpSecProcess ( IN EFI_IPSEC2_PROTOCOL *  This,
IN EFI_HANDLE  NicHandle,
IN UINT8  IpVersion,
IN OUT VOID *  IpHead,
IN OUT UINT8 *  LastHead,
IN OUT VOID **  OptionsBuffer,
IN OUT UINT32 *  OptionsLength,
IN OUT EFI_IPSEC_FRAGMENT_DATA **  FragmentTable,
IN OUT UINT32 *  FragmentCount,
IN EFI_IPSEC_TRAFFIC_DIR  TrafficDirection,
OUT EFI_EVENT *  RecycleSignal 
)

Handles IPsec packet processing for inbound and outbound IP packets.

The EFI_IPSEC_PROCESS routine handles each inbound or outbound packet. It performs one of the following actions: bypass the packet, discard the packet, or protect the packet.

Parameters:
[in] This Pointer to the EFI_IPSEC2_PROTOCOL instance.
[in] NicHandle Instance of the network interface.
[in] IpVersion IPV4 or IPV6.
[in,out] IpHead Pointer to the IP Header.
[in,out] LastHead The protocol of the next layer to be processed by IPsec.
[in,out] OptionsBuffer Pointer to the options buffer.
[in,out] OptionsLength Length of the options buffer.
[in,out] FragmentTable Pointer to a list of fragments.
[in,out] FragmentCount Number of fragments.
[in] TrafficDirection Traffic direction.
[out] RecycleSignal Event for recycling of resources.
Return values:
EFI_SUCCESS The packet was bypassed and all buffers remain the same.
EFI_SUCCESS The packet was protected.
EFI_ACCESS_DENIED The packet was discarded.

References IPSEC_PRIVATE_DATA_FROM_IPSEC, IPSEC_SPD_ENTRY_FROM_LIST, IpSecLookupSadEntry(), IpSecLookupSpdEntry(), IpSecProtectInboundPacket(), IpSecProtectOutboundPacket(), IsSubSpdSelector(), mConfigData, and _IPSEC_SPD_ENTRY::Selector.

EFI_STATUS IpSecProtectInboundPacket ( IN UINT8  IpVersion,
IN OUT VOID *  IpHead,
IN OUT UINT8 *  LastHead,
IN OUT VOID **  OptionsBuffer,
IN OUT UINT32 *  OptionsLength,
IN OUT EFI_IPSEC_FRAGMENT_DATA **  FragmentTable,
IN OUT UINT32 *  FragmentCount,
OUT EFI_IPSEC_SPD_SELECTOR **  SpdEntry,
OUT EFI_EVENT *  RecycleEvent 
)

This function processes the inbound traffic with IPsec.

It checks the security properties of the received packet, trims the ESP/AH header, and then returns the IP header and FragmentTable with the IPsec protection removed.

Parameters:
[in] IpVersion The version of IP.
[in,out] IpHead Points to the IP header containing the ESP/AH header to be trimmed on input, and to the IP header without the ESP/AH header on return.
[in,out] LastHead The last header in the IP header on return.
[in,out] OptionsBuffer Pointer to the options buffer.
[in,out] OptionsLength Length of the options buffer.
[in,out] FragmentTable Pointer to a list of fragments that are IPsec-protected on input, and unprotected on return.
[in,out] FragmentCount The number of fragments.
[out] SpdEntry Pointer to contain the address of SPD entry on return.
[out] RecycleEvent The event for recycling of resources.
Return values:
EFI_SUCCESS The operation was successful.
EFI_UNSUPPORTED The IPSEC protocol is not supported.
This function processes the inbound traffic with IPsec.

It checks the security properties of the received packet, trims the ESP/AH header, and then returns the IP header and FragmentTable with the IPsec protection removed.

Parameters:
[in] IpVersion The version of IP.
[in,out] IpHead Points to the IP header containing the ESP/AH header to be trimmed on input, and to the IP header without the ESP/AH header on return.
[in,out] LastHead The last header in the IP header on return.
[in,out] OptionsBuffer Pointer to the options buffer.
[in,out] OptionsLength Length of the options buffer.
[in,out] FragmentTable Pointer to a list of fragments that are IPsec-protected on input, and unprotected on return.
[in,out] FragmentCount The number of fragments.
[out] SpdEntry Pointer to contain the address of SPD entry on return.
[out] RecycleEvent The event for recycling of resources.
Return values:
EFI_SUCCESS The operation was successful.
EFI_UNSUPPORTED The IPSEC protocol is not supported.

References IPSEC_ESP_PROTOCOL, and IpSecEspInboundPacket().

Referenced by IpSecProcess().

EFI_STATUS IpSecProtectOutboundPacket ( IN UINT8  IpVersion,
IN OUT VOID *  IpHead,
IN OUT UINT8 *  LastHead,
IN OUT VOID **  OptionsBuffer,
IN OUT UINT32 *  OptionsLength,
IN OUT EFI_IPSEC_FRAGMENT_DATA **  FragmentTable,
IN OUT UINT32 *  FragmentCount,
IN IPSEC_SAD_ENTRY *  SadEntry,
OUT EFI_EVENT *  RecycleEvent 
)

This function processes the outbound traffic with IPsec.

It protects the outgoing packet by encrypting its payload and inserting an ESP/AH header into the original IP header, then returns the IP header and the IPsec-protected FragmentTable.

Parameters:
[in] IpVersion The version of IP.
[in,out] IpHead Points to the original IP header to be processed on input, and to the IP header with the inserted ESP/AH header on return.
[in,out] LastHead The last header in the IP header.
[in,out] OptionsBuffer Pointer to the options buffer.
[in,out] OptionsLength Length of the options buffer.
[in,out] FragmentTable Pointer to a list of fragments to be protected by IPsec on input, and IPsec-protected on return.
[in,out] FragmentCount Number of fragments.
[in] SadEntry Related SAD entry.
[out] RecycleEvent Event for recycling of resources.
Return values:
EFI_SUCCESS The operation is successful.
EFI_UNSUPPORTED The IPsec protocol is not supported.

References IpSecEspOutboundPacket().

Referenced by IpSecProcess().


Variable Documentation

EFI_COMPONENT_NAME_PROTOCOL gIpSecComponentName

EFI_COMPONENT_NAME2_PROTOCOL gIpSecComponentName2

Referenced by IpSecDriverEntryPoint().

EFI_DPC_PROTOCOL* mDpc

Referenced by IpSecDriverEntryPoint().

EFI_IPSEC2_PROTOCOL mIpSecInstance

Referenced by IpSecDriverEntryPoint().

