Data Structures | |
struct | _EFI_AH_HEADER |
struct | _EFI_ESP_HEADER |
struct | _EFI_ESP_TAIL |
struct | _IPSEC_SPD_DATA |
struct | _IPSEC_SPD_ENTRY |
struct | _IPSEC_SAD_DATA |
struct | _IPSEC_SAD_ENTRY |
struct | _IPSEC_PAD_ENTRY |
struct | _IPSEC_RECYCLE_CONTEXT |
struct | HASH_DATA_FRAGMENT |
struct | _IPSEC_PRIVATE_DATA |
Defines | |
#define | IPSEC_PRIVATE_DATA_SIGNATURE SIGNATURE_32 ('I', 'P', 'S', 'E') |
#define | IPSEC_PRIVATE_DATA_FROM_IPSEC(a) CR (a, IPSEC_PRIVATE_DATA, IpSec, IPSEC_PRIVATE_DATA_SIGNATURE) |
#define | IPSEC_PRIVATE_DATA_FROM_UDP4LIST(a) CR (a, IPSEC_PRIVATE_DATA, Udp4List, IPSEC_PRIVATE_DATA_SIGNATURE) |
#define | IPSEC_PRIVATE_DATA_FROM_UDP6LIST(a) CR (a, IPSEC_PRIVATE_DATA, Udp6List, IPSEC_PRIVATE_DATA_SIGNATURE) |
#define | IPSEC_UDP_SERVICE_FROM_LIST(a) BASE_CR (a, IKE_UDP_SERVICE, List) |
#define | IPSEC_SPD_ENTRY_FROM_LIST(a) BASE_CR (a, IPSEC_SPD_ENTRY, List) |
#define | IPSEC_SAD_ENTRY_FROM_LIST(a) BASE_CR (a, IPSEC_SAD_ENTRY, List) |
#define | IPSEC_PAD_ENTRY_FROM_LIST(a) BASE_CR (a, IPSEC_PAD_ENTRY, List) |
#define | IPSEC_SAD_ENTRY_FROM_SPD(a) BASE_CR (a, IPSEC_SAD_ENTRY, BySpd) |
#define | IPSEC_STATUS_DISABLED 0 |
#define | IPSEC_STATUS_ENABLED 1 |
#define | IPSEC_ESP_PROTOCOL 50 |
#define | IPSEC_AH_PROTOCOL 51 |
#define | IPSEC_DEFAULT_VARIABLE_SIZE 0x100 |
Typedefs | |
typedef struct _IPSEC_PRIVATE_DATA | IPSEC_PRIVATE_DATA |
typedef struct _IPSEC_SPD_ENTRY | IPSEC_SPD_ENTRY |
typedef struct _IPSEC_PAD_ENTRY | IPSEC_PAD_ENTRY |
typedef struct _IPSEC_SPD_DATA | IPSEC_SPD_DATA |
typedef struct _EFI_AH_HEADER | EFI_AH_HEADER |
typedef struct _EFI_ESP_HEADER | EFI_ESP_HEADER |
typedef struct _EFI_ESP_TAIL | EFI_ESP_TAIL |
typedef struct _IPSEC_SAD_DATA | IPSEC_SAD_DATA |
typedef struct _IPSEC_SAD_ENTRY | IPSEC_SAD_ENTRY |
typedef struct _IPSEC_RECYCLE_CONTEXT | IPSEC_RECYCLE_CONTEXT |
Functions | |
EFI_STATUS | IpSecProtectInboundPacket (IN UINT8 IpVersion, IN OUT VOID *IpHead, IN OUT UINT8 *LastHead, IN OUT VOID **OptionsBuffer, IN OUT UINT32 *OptionsLength, IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable, IN OUT UINT32 *FragmentCount, OUT EFI_IPSEC_SPD_SELECTOR **SpdEntry, OUT EFI_EVENT *RecycleEvent) |
EFI_STATUS | IpSecProtectOutboundPacket (IN UINT8 IpVersion, IN OUT VOID *IpHead, IN OUT UINT8 *LastHead, IN OUT VOID **OptionsBuffer, IN OUT UINT32 *OptionsLength, IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable, IN OUT UINT32 *FragmentCount, IN IPSEC_SAD_ENTRY *SadEntry, OUT EFI_EVENT *RecycleEvent) |
BOOLEAN | IpSecMatchIpAddress (IN UINT8 IpVersion, IN EFI_IP_ADDRESS *IpAddr, IN EFI_IP_ADDRESS_INFO *AddressInfo, IN UINT32 AddressCount) |
IPSEC_PAD_ENTRY * | IpSecLookupPadEntry (IN UINT8 IpVersion, IN EFI_IP_ADDRESS *IpAddr) |
EFI_STATUS | IpSecLookupSpdEntry (IN IPSEC_SPD_ENTRY *SpdEntry, IN UINT8 IpVersion, IN VOID *IpHead, IN UINT8 *IpPayload, IN UINT8 Protocol, IN BOOLEAN IsOutbound, OUT EFI_IPSEC_ACTION *Action) |
EFI_STATUS | IpSecLookupSadEntry (IN IPSEC_PRIVATE_DATA *Private, IN EFI_HANDLE NicHandle, IN UINT8 IpVersion, IN VOID *IpHead, IN UINT8 *IpPayload, IN UINT8 OldLastHead, IN IPSEC_SPD_ENTRY *SpdEntry, OUT IPSEC_SAD_ENTRY **SadEntry) |
IPSEC_SAD_ENTRY * | IpSecLookupSadBySpi (IN UINT32 Spi, IN EFI_IP_ADDRESS *DestAddress, IN UINT8 IpVersion) |
EFI_STATUS EFIAPI | IpSecProcess (IN EFI_IPSEC2_PROTOCOL *This, IN EFI_HANDLE NicHandle, IN UINT8 IpVersion, IN OUT VOID *IpHead, IN OUT UINT8 *LastHead, IN OUT VOID **OptionsBuffer, IN OUT UINT32 *OptionsLength, IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable, IN OUT UINT32 *FragmentCount, IN EFI_IPSEC_TRAFFIC_DIR TrafficDirection, OUT EFI_EVENT *RecycleSignal) |
Variables | |
EFI_DPC_PROTOCOL * | mDpc |
EFI_IPSEC2_PROTOCOL | mIpSecInstance |
EFI_COMPONENT_NAME2_PROTOCOL | gIpSecComponentName2 |
EFI_COMPONENT_NAME_PROTOCOL | gIpSecComponentName |
Copyright (c) 2009 - 2011, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at http://opensource.org/licenses/bsd-license.php.
THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
#define IPSEC_AH_PROTOCOL 51 |
#define IPSEC_DEFAULT_VARIABLE_SIZE 0x100 |
Referenced by IpSecConfigSave().
#define IPSEC_ESP_PROTOCOL 50 |
Referenced by IpSecEspOutboundPacket(), and IpSecProtectInboundPacket().
#define IPSEC_PAD_ENTRY_FROM_LIST | ( | a | ) | BASE_CR (a, IPSEC_PAD_ENTRY, List) |
Referenced by GetPadEntry(), IpSecLookupPadEntry(), and SetPadEntry().
#define IPSEC_PRIVATE_DATA_FROM_IPSEC | ( | a | ) | CR (a, IPSEC_PRIVATE_DATA, IpSec, IPSEC_PRIVATE_DATA_SIGNATURE) |
Referenced by IpSecProcess(), IpSecStart(), and IpSecStop().
#define IPSEC_PRIVATE_DATA_FROM_UDP4LIST | ( | a | ) | CR (a, IPSEC_PRIVATE_DATA, Udp4List, IPSEC_PRIVATE_DATA_SIGNATURE) |
Referenced by IkeDispatch(), IkeNegotiate(), Ikev2HandleChildSa(), Ikev2HandleInfo(), Ikev2HandleSa(), and Ikev2NegotiateSa().
#define IPSEC_PRIVATE_DATA_FROM_UDP6LIST | ( | a | ) | CR (a, IPSEC_PRIVATE_DATA, Udp6List, IPSEC_PRIVATE_DATA_SIGNATURE) |
Referenced by IkeDispatch(), IkeNegotiate(), Ikev2HandleChildSa(), Ikev2HandleInfo(), Ikev2HandleSa(), and Ikev2NegotiateSa().
#define IPSEC_PRIVATE_DATA_SIGNATURE SIGNATURE_32 ('I', 'P', 'S', 'E') |
Referenced by IpSecDriverEntryPoint().
#define IPSEC_SAD_ENTRY_FROM_LIST | ( | a | ) | BASE_CR (a, IPSEC_SAD_ENTRY, List) |
Referenced by GetSadEntry(), IpSecLookupSadBySpi(), SetSadEntry(), and SetSpdEntry().
#define IPSEC_SAD_ENTRY_FROM_SPD | ( | a | ) | BASE_CR (a, IPSEC_SAD_ENTRY, BySpd) |
Referenced by GetSpdEntry(), IpSecLookupSadBySpd(), and SetSpdEntry().
#define IPSEC_SPD_ENTRY_FROM_LIST | ( | a | ) | BASE_CR (a, IPSEC_SPD_ENTRY, List) |
Referenced by GetSpdEntry(), IkeSearchSpdEntry(), IpSecProcess(), SetSadEntry(), and SetSpdEntry().
#define IPSEC_STATUS_DISABLED 0 |
#define IPSEC_STATUS_ENABLED 1 |
#define IPSEC_UDP_SERVICE_FROM_LIST | ( | a | ) | BASE_CR (a, IKE_UDP_SERVICE, List) |
Referenced by IkeLookupUdp(), and IpSecStop().
typedef struct _EFI_AH_HEADER EFI_AH_HEADER |
typedef struct _EFI_ESP_HEADER EFI_ESP_HEADER |
typedef struct _EFI_ESP_TAIL EFI_ESP_TAIL |
typedef struct _IPSEC_PAD_ENTRY IPSEC_PAD_ENTRY |
typedef struct _IPSEC_PRIVATE_DATA IPSEC_PRIVATE_DATA |
typedef struct _IPSEC_RECYCLE_CONTEXT IPSEC_RECYCLE_CONTEXT |
typedef struct _IPSEC_SAD_DATA IPSEC_SAD_DATA |
typedef struct _IPSEC_SAD_ENTRY IPSEC_SAD_ENTRY |
typedef struct _IPSEC_SPD_DATA IPSEC_SPD_DATA |
typedef struct _IPSEC_SPD_ENTRY IPSEC_SPD_ENTRY |
IPSEC_PAD_ENTRY* IpSecLookupPadEntry | ( | IN UINT8 | IpVersion, | |
IN EFI_IP_ADDRESS * | IpAddr | |||
) |
Find a PAD entry according to remote IP address.
[in] | IpVersion | The version of IP. |
[in] | IpAddr | Points to the remote IP address. |
[in] | IpVersion | The version of IP. |
[in] | IpAddr | Points to remote IP address. |
References _IPSEC_PAD_ENTRY::Id, IPSEC_PAD_ENTRY_FROM_LIST, IpSecMatchIpAddress(), and mConfigData.
Referenced by IkeNegotiate(), and Ikev2HandleSa().
IPSEC_SAD_ENTRY* IpSecLookupSadBySpi | ( | IN UINT32 | Spi, | |
IN EFI_IP_ADDRESS * | DestAddress, | |||
IN UINT8 | IpVersion | |||
) |
Find the SAD entry by searching the whole SAD list.
[in] | Spi | The SPI used to search the SAD entry. |
[in] | DestAddress | The destination used to search the SAD entry. |
[in] | IpVersion | The IP version. Ip4 or Ip6. |
[in] | Spi | The SPI used to search the SAD entry. |
[in] | DestAddress | The destination used to search the SAD entry. |
[in] | IpVersion | The IP version. Ip4 or Ip6. |
References _IPSEC_SAD_ENTRY::Data, _IPSEC_SAD_ENTRY::Id, IPSEC_SAD_ENTRY_FROM_LIST, IpSecMatchIpAddress(), mConfigData, _IPSEC_SAD_DATA::Mode, _IPSEC_SAD_DATA::SpdSelector, and _IPSEC_SAD_DATA::TunnelDestAddress.
Referenced by IpSecFoundSadFromInboundPacket().
EFI_STATUS IpSecLookupSadEntry | ( | IN IPSEC_PRIVATE_DATA * | Private, | |
IN EFI_HANDLE | NicHandle, | |||
IN UINT8 | IpVersion, | |||
IN VOID * | IpHead, | |||
IN UINT8 * | IpPayload, | |||
IN UINT8 | OldLastHead, | |||
IN IPSEC_SPD_ENTRY * | SpdEntry, | |||
OUT IPSEC_SAD_ENTRY ** | SadEntry | |||
) |
Look up whether an existing SAD entry can be used for sending the specified IP packet.
This function is called by IpSecProcess when an IP packet needs to be sent out. It checks whether there is an existing SAD entry that can service the sending of this IP packet. If no existing SAD entry can be used, this function invokes an IPsec Key Exchange negotiation.
[in] | Private | Points to private data. |
[in] | NicHandle | Points to a NIC handle. |
[in] | IpVersion | The version of IP. |
[in] | IpHead | The IP Header of packet to be sent out. |
[in] | IpPayload | The IP Payload to be sent out. |
[in] | OldLastHead | The Last protocol of the IP packet. |
[in] | SpdEntry | Points to a related SPD entry. |
[out] | SadEntry | Receives a pointer to the related SAD entry. |
EFI_DEVICE_ERROR | One of the following conditions is TRUE:
| |
EFI_NOT_READY | No existing SAD entry could be used. | |
EFI_SUCCESS | The related SAD entry was found. |
References _IPSEC_SAD_ENTRY::Data, _IPSEC_SAD_DATA::ESNEnabled, IkeLookupUdp(), IkeNegotiate(), IpSecLookupSadBySpd(), _IPSEC_SAD_DATA::ManualSet, and _IPSEC_SAD_DATA::SequenceNumber.
Referenced by IpSecProcess().
EFI_STATUS IpSecLookupSpdEntry | ( | IN IPSEC_SPD_ENTRY * | SpdEntry, | |
IN UINT8 | IpVersion, | |||
IN VOID * | IpHead, | |||
IN UINT8 * | IpPayload, | |||
IN UINT8 | Protocol, | |||
IN BOOLEAN | IsOutbound, | |||
OUT EFI_IPSEC_ACTION * | Action | |||
) |
Check if the specified IP packet can be serviced by this SPD entry.
[in] | SpdEntry | Points to the SPD entry. |
[in] | IpVersion | The version of IP. |
[in] | IpHead | Points to the IP header. |
[in] | IpPayload | Points to the IP payload. |
[in] | Protocol | The Last protocol of IP packet. |
[in] | IsOutbound | Traffic direction. |
[out] | Action | The action supported by the SPD entry. |
EFI_SUCCESS | The related SPD entry was found. | |
EFI_NOT_FOUND | The related SPD entry was not found. |
References IpSecMatchIpAddress(), and IpSecMatchNextLayerProtocol().
Referenced by IpSecProcess().
BOOLEAN IpSecMatchIpAddress | ( | IN UINT8 | IpVersion, | |
IN EFI_IP_ADDRESS * | IpAddr, | |||
IN EFI_IP_ADDRESS_INFO * | AddressInfo, | |||
IN UINT32 | AddressCount | |||
) |
Check whether the IP address is in the address range of the specified AddressInfo list.
[in] | IpVersion | The IP version. |
[in] | IpAddr | Points to the EFI_IP_ADDRESS to be checked. |
[in] | AddressInfo | A list of EFI_IP_ADDRESS_INFO used to check whether the IP address matches. |
[in] | AddressCount | The total number of entries in AddressInfo. |
TRUE | If the Specified IP Address is in the range of the AddressInfos specified. | |
FALSE | If the Specified IP Address is not in the range of the AddressInfos specified. |
[in] | IpVersion | The IP version. |
[in] | IpAddr | Points to the EFI_IP_ADDRESS to be checked. |
[in] | AddressInfo | A list of EFI_IP_ADDRESS_INFO used to check whether the IP address matches. |
[in] | AddressCount | The total number of entries in AddressInfo. |
TRUE | If the Specified IP Address is in the range of the AddressInfos specified. | |
FALSE | If the Specified IP Address is not in the range of the AddressInfos specified. |
References IpSecExtractAddressRange(), and IpSecValidAddressRange().
Referenced by Ikev2MatchSpdEntry(), IpSecLookupPadEntry(), IpSecLookupSadBySpd(), IpSecLookupSadBySpi(), and IpSecLookupSpdEntry().
EFI_STATUS EFIAPI IpSecProcess | ( | IN EFI_IPSEC2_PROTOCOL * | This, | |
IN EFI_HANDLE | NicHandle, | |||
IN UINT8 | IpVersion, | |||
IN OUT VOID * | IpHead, | |||
IN OUT UINT8 * | LastHead, | |||
IN OUT VOID ** | OptionsBuffer, | |||
IN OUT UINT32 * | OptionsLength, | |||
IN OUT EFI_IPSEC_FRAGMENT_DATA ** | FragmentTable, | |||
IN OUT UINT32 * | FragmentCount, | |||
IN EFI_IPSEC_TRAFFIC_DIR | TrafficDirection, | |||
OUT EFI_EVENT * | RecycleSignal | |||
) |
Handles IPsec packet processing for inbound and outbound IP packets.
The EFI_IPSEC_PROCESS process routine handles each inbound or outbound packet. The behavior is that it can perform one of the following actions: bypass the packet, discard the packet, or protect the packet.
[in] | This | Pointer to the EFI_IPSEC2_PROTOCOL instance. |
[in] | NicHandle | Instance of the network interface. |
[in] | IpVersion | IPV4 or IPV6. |
[in,out] | IpHead | Pointer to the IP Header. |
[in,out] | LastHead | The protocol of the next layer to be processed by IPsec. |
[in,out] | OptionsBuffer | Pointer to the options buffer. |
[in,out] | OptionsLength | Length of the options buffer. |
[in,out] | FragmentTable | Pointer to a list of fragments. |
[in,out] | FragmentCount | Number of fragments. |
[in] | TrafficDirection | Traffic direction. |
[out] | RecycleSignal | Event for recycling of resources. |
EFI_SUCCESS | The packet was bypassed and all buffers remain the same. | |
EFI_SUCCESS | The packet was protected. | |
EFI_ACCESS_DENIED | The packet was discarded. |
References IPSEC_PRIVATE_DATA_FROM_IPSEC, IPSEC_SPD_ENTRY_FROM_LIST, IpSecLookupSadEntry(), IpSecLookupSpdEntry(), IpSecProtectInboundPacket(), IpSecProtectOutboundPacket(), IsSubSpdSelector(), mConfigData, and _IPSEC_SPD_ENTRY::Selector.
EFI_STATUS IpSecProtectInboundPacket | ( | IN UINT8 | IpVersion, | |
IN OUT VOID * | IpHead, | |||
IN OUT UINT8 * | LastHead, | |||
IN OUT VOID ** | OptionsBuffer, | |||
IN OUT UINT32 * | OptionsLength, | |||
IN OUT EFI_IPSEC_FRAGMENT_DATA ** | FragmentTable, | |||
IN OUT UINT32 * | FragmentCount, | |||
OUT EFI_IPSEC_SPD_SELECTOR ** | SpdEntry, | |||
OUT EFI_EVENT * | RecycleEvent | |||
) |
This function processes the inbound traffic with IPsec.
It checks the received packet security property, trims the ESP/AH header, and then returns without an IPsec protected IP Header and FragmentTable.
[in] | IpVersion | The version of IP. |
[in,out] | IpHead | Points to the IP header containing the ESP/AH header to be trimmed on input, and to the IP header without the ESP/AH header on return. |
[in,out] | LastHead | The Last Header in IP header on return. |
[in,out] | OptionsBuffer | Pointer to the options buffer. |
[in,out] | OptionsLength | Length of the options buffer. |
[in,out] | FragmentTable | Pointer to a list of fragments in form of IPsec protected on input, and without IPsec protected on return. |
[in,out] | FragmentCount | The number of fragments. |
[out] | SpdEntry | Pointer to contain the address of SPD entry on return. |
[out] | RecycleEvent | The event for recycling of resources. |
EFI_SUCCESS | The operation was successful. | |
EFI_UNSUPPORTED | The IPSEC protocol is not supported. |
It checks the received packet security property, trims the ESP/AH header, and then returns without an IPsec protected IP Header and FragmentTable.
[in] | IpVersion | The version of IP. |
[in,out] | IpHead | Points to the IP header containing the ESP/AH header to be trimmed on input, and to the IP header without the ESP/AH header on return. |
[in,out] | LastHead | The Last Header in IP header on return. |
[in,out] | OptionsBuffer | Pointer to the options buffer. |
[in,out] | OptionsLength | Length of the options buffer. |
[in,out] | FragmentTable | Pointer to a list of fragments in form of IPsec protected on input, and without IPsec protected on return. |
[in,out] | FragmentCount | The number of fragments. |
[out] | SpdEntry | Pointer to contain the address of SPD entry on return. |
[out] | RecycleEvent | The event for recycling of resources. |
EFI_SUCCESS | The operation was successful. | |
EFI_UNSUPPORTED | The IPSEC protocol is not supported. |
References IPSEC_ESP_PROTOCOL, and IpSecEspInboundPacket().
Referenced by IpSecProcess().
EFI_STATUS IpSecProtectOutboundPacket | ( | IN UINT8 | IpVersion, | |
IN OUT VOID * | IpHead, | |||
IN OUT UINT8 * | LastHead, | |||
IN OUT VOID ** | OptionsBuffer, | |||
IN OUT UINT32 * | OptionsLength, | |||
IN OUT EFI_IPSEC_FRAGMENT_DATA ** | FragmentTable, | |||
IN OUT UINT32 * | FragmentCount, | |||
IN IPSEC_SAD_ENTRY * | SadEntry, | |||
OUT EFI_EVENT * | RecycleEvent | |||
) |
This function processes the outbound traffic with IPsec.
It protects the outgoing packet by encrypting its payload and inserting the ESP/AH header into the original IP header, then returns the IP header and the IPsec-protected FragmentTable.
[in] | IpVersion | The version of IP. |
[in,out] | IpHead | Points to the IP header containing the original IP header to be processed on input, and to the IP header with the ESP/AH header inserted on return. |
[in,out] | LastHead | The Last Header in IP header. |
[in,out] | OptionsBuffer | Pointer to the options buffer. |
[in,out] | OptionsLength | Length of the options buffer. |
[in,out] | FragmentTable | Pointer to a list of fragments to be protected by IPsec on input, and with IPsec protected on return. |
[in,out] | FragmentCount | Number of fragments. |
[in] | SadEntry | Related SAD entry. |
[out] | RecycleEvent | Event for recycling of resources. |
EFI_SUCCESS | The operation is successful. | |
EFI_UNSUPPORTED | If the IPSEC protocol is not supported. |
References IpSecEspOutboundPacket().
Referenced by IpSecProcess().
EFI_COMPONENT_NAME_PROTOCOL gIpSecComponentName |
EFI_COMPONENT_NAME2_PROTOCOL gIpSecComponentName2 |
Referenced by IpSecDriverEntryPoint().
EFI_DPC_PROTOCOL* mDpc |
Referenced by IpSecDriverEntryPoint().
EFI_IPSEC2_PROTOCOL mIpSecInstance |
Referenced by IpSecDriverEntryPoint().