NetworkPkg/IpSecDxe/IpSecImpl.c File Reference


Functions

BOOLEAN IpSecValidAddressRange (IN UINT8 IpVersion, IN EFI_IP_ADDRESS *Address, IN UINT8 PrefixLength)
VOID IpSecExtractAddressRange (IN EFI_IP_ADDRESS *Address, IN UINT8 PrefixLength, OUT EFI_IP_ADDRESS *Range)
BOOLEAN IpSecMatchIpAddress (IN UINT8 IpVersion, IN EFI_IP_ADDRESS *IpAddr, IN EFI_IP_ADDRESS_INFO *AddressInfo, IN UINT32 AddressCount)
BOOLEAN IpSecMatchNextLayerProtocol (IN UINT8 Protocol, IN UINT8 *IpPayload, IN UINT16 SpdProtocol, IN UINT16 SpdLocalPort, IN UINT16 SpdRemotePort, IN BOOLEAN IsOutbound)
IPSEC_SAD_ENTRY * IpSecLookupSadBySpd (IN LIST_ENTRY *SadList, IN EFI_IP_ADDRESS *DestAddress, IN UINT8 IpVersion)
IPSEC_SAD_ENTRY * IpSecLookupSadBySpi (IN UINT32 Spi, IN EFI_IP_ADDRESS *DestAddress, IN UINT8 IpVersion)
EFI_STATUS IpSecLookupSadEntry (IN IPSEC_PRIVATE_DATA *Private, IN EFI_HANDLE NicHandle, IN UINT8 IpVersion, IN VOID *IpHead, IN UINT8 *IpPayload, IN UINT8 OldLastHead, IN IPSEC_SPD_ENTRY *SpdEntry, OUT IPSEC_SAD_ENTRY **SadEntry)
IPSEC_PAD_ENTRY * IpSecLookupPadEntry (IN UINT8 IpVersion, IN EFI_IP_ADDRESS *IpAddr)
EFI_STATUS IpSecLookupSpdEntry (IN IPSEC_SPD_ENTRY *SpdEntry, IN UINT8 IpVersion, IN VOID *IpHead, IN UINT8 *IpPayload, IN UINT8 Protocol, IN BOOLEAN IsOutbound, OUT EFI_IPSEC_ACTION *Action)
VOID EFIAPI IpSecOnRecyclePacket (IN VOID *Arg)
VOID EFIAPI IpSecRecycleCallback (IN EFI_EVENT Event, IN VOID *Context)
UINT16 IpSecGetPlainExtHeadSize (IN VOID *IpHead, IN UINT8 *LastHead)
EFI_STATUS IpSecEspAuthVerifyPayload (IN UINT8 *EspBuffer, IN UINTN EspSize, IN IPSEC_SAD_ENTRY *SadEntry, IN UINTN IcvSize)
IPSEC_SAD_ENTRY * IpSecFoundSadFromInboundPacket (UINT8 *IpHead, UINT8 IpVersion, UINT32 Spi)
BOOLEAN IpSecIsIp6ExtsValid (IN UINT8 *NextHeader, IN UINT8 *ExtHdrs, IN UINT32 ExtHdrsLen, OUT UINT8 **LastHeader, OUT UINT32 *RealExtsLen)
VOID IpSecTunnelInboundPacket (IN OUT UINT8 *IpHead, IN UINT8 *IpPayload, IN UINT8 IpVersion, IN IPSEC_SAD_DATA *SadData, IN OUT UINT8 *LastHead)
UINT8 * IpSecTunnelOutboundPacket (IN OUT UINT8 *IpHead, IN UINT8 IpVersion, IN IPSEC_SAD_DATA *SadData, IN OUT UINT8 *LastHead, IN VOID **OptionsBuffer, IN UINT32 *OptionsLength, IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable, IN UINT32 *FragmentCount)
EFI_STATUS IpSecEspInboundPacket (IN UINT8 IpVersion, IN OUT VOID *IpHead, OUT UINT8 *LastHead, IN OUT VOID **OptionsBuffer, IN OUT UINT32 *OptionsLength, IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable, IN OUT UINT32 *FragmentCount, OUT EFI_IPSEC_SPD_SELECTOR **SpdSelector, OUT EFI_EVENT *RecycleEvent)
EFI_STATUS IpSecEspOutboundPacket (IN UINT8 IpVersion, IN OUT VOID *IpHead, IN OUT UINT8 *LastHead, IN OUT VOID **OptionsBuffer, IN OUT UINT32 *OptionsLength, IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable, IN OUT UINT32 *FragmentCount, IN IPSEC_SAD_ENTRY *SadEntry, OUT EFI_EVENT *RecycleEvent)
EFI_STATUS IpSecProtectInboundPacket (IN UINT8 IpVersion, IN OUT VOID *IpHead, IN OUT UINT8 *LastHead, IN OUT VOID **OptionsBuffer, IN OUT UINT32 *OptionsLength, IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable, IN OUT UINT32 *FragmentCount, OUT EFI_IPSEC_SPD_SELECTOR **SpdEntry, OUT EFI_EVENT *RecycleEvent)
EFI_STATUS IpSecProtectOutboundPacket (IN UINT8 IpVersion, IN OUT VOID *IpHead, IN OUT UINT8 *LastHead, IN OUT VOID **OptionsBuffer, IN OUT UINT32 *OptionsLength, IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable, IN OUT UINT32 *FragmentCount, IN IPSEC_SAD_ENTRY *SadEntry, OUT EFI_EVENT *RecycleEvent)

Detailed Description

The implementation of IPsec.

(C) Copyright 2015 Hewlett-Packard Development Company, L.P.
Copyright (c) 2009 - 2011, Intel Corporation. All rights reserved.

This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at http://opensource.org/licenses/bsd-license.php.

THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.


Function Documentation

EFI_STATUS IpSecEspAuthVerifyPayload ( IN UINT8 *  EspBuffer,
IN UINTN  EspSize,
IN IPSEC_SAD_ENTRY *  SadEntry,
IN UINTN  IcvSize 
)

Verify that the authentication data (ICV) of the ESP payload is correct.

Parameters:
[in] EspBuffer Points to the ESP wrapped buffer.
[in] EspSize The size of the ESP wrapped buffer.
[in] SadEntry The related SAD entry that stores the authentication algorithm key.
[in] IcvSize The length of ICV.
Return values:
EFI_SUCCESS The authentication data is correct.
EFI_ACCESS_DENIED The authentication data is not correct.

References HASH_DATA_FRAGMENT::Data, HASH_DATA_FRAGMENT::DataSize, and IpSecCryptoIoHmac().

Referenced by IpSecEspInboundPacket().

EFI_STATUS IpSecEspInboundPacket ( IN UINT8  IpVersion,
IN OUT VOID *  IpHead,
OUT UINT8 *  LastHead,
IN OUT VOID **  OptionsBuffer,
IN OUT UINT32 *  OptionsLength,
IN OUT EFI_IPSEC_FRAGMENT_DATA **  FragmentTable,
IN OUT UINT32 *  FragmentCount,
OUT EFI_IPSEC_SPD_SELECTOR **  SpdSelector,
OUT EFI_EVENT *  RecycleEvent 
)

The actual entry point for processing inbound traffic that carries an ESP header.

This function is the subfunction of IpSecProtectInboundPacket(). It checks the security property of the received packet, trims the ESP header, and then returns the IP header and FragmentTable without IPsec protection.

Parameters:
[in] IpVersion The version of IP.
[in,out] IpHead Points to the IP header containing the ESP header to be trimmed on input, and without the ESP header on return.
[out] LastHead The Last Header in IP header on return.
[in,out] OptionsBuffer Pointer to the options buffer.
[in,out] OptionsLength Length of the options buffer.
[in,out] FragmentTable Pointer to a list of fragments in the form of IPsec protected on input, and without IPsec protected on return.
[in,out] FragmentCount The number of fragments.
[out] SpdSelector Pointer to contain the address of SPD selector on return.
[out] RecycleEvent The event for recycling of resources.
Return values:
EFI_SUCCESS The operation was successful.
EFI_ACCESS_DENIED One or more following conditions is TRUE:
  • ESP header was not found or is malformed.
  • The related SAD entry was not found.
  • The related SAD entry does not support the ESP protocol.
EFI_OUT_OF_RESOURCES The required system resource can't be allocated.

References _IPSEC_SAD_DATA::AlgoInfo, _IPSEC_SAD_ENTRY::Data, _IPSEC_RECYCLE_CONTEXT::FragmentTable, _IPSEC_SAD_ENTRY::Id, IpSecCryptoIoDecrypt(), IpSecEspAuthVerifyPayload(), IpSecFoundSadFromInboundPacket(), IpSecGetEncryptBlockSize(), IpSecGetEncryptIvLength(), IpSecGetIcvLength(), IpSecGetPlainExtHeadSize(), IpSecOnRecyclePacket(), IpSecRecycleCallback(), IpSecTunnelInboundPacket(), _IPSEC_SAD_DATA::ManualSet, _IPSEC_SAD_DATA::Mode, _EFI_ESP_TAIL::NextHeader, _EFI_ESP_TAIL::PaddingLength, _IPSEC_RECYCLE_CONTEXT::PayloadBuffer, _IPSEC_SAD_DATA::SpdSelector, and _EFI_ESP_HEADER::Spi.

Referenced by IpSecProtectInboundPacket().

EFI_STATUS IpSecEspOutboundPacket ( IN UINT8  IpVersion,
IN OUT VOID *  IpHead,
IN OUT UINT8 *  LastHead,
IN OUT VOID **  OptionsBuffer,
IN OUT UINT32 *  OptionsLength,
IN OUT EFI_IPSEC_FRAGMENT_DATA **  FragmentTable,
IN OUT UINT32 *  FragmentCount,
IN IPSEC_SAD_ENTRY *  SadEntry,
OUT EFI_EVENT *  RecycleEvent 
)

The actual entry point for processing outbound traffic using the ESP protocol.

This function is the subfunction of IpSecProtectOutboundPacket(). It protects the outgoing packet by encrypting its payload and inserting an ESP header into the original IP header, then returns the IP header and the IPsec-protected FragmentTable.

Parameters:
[in] IpVersion The version of IP.
[in,out] IpHead Points to the original IP header to be processed on input, and to the IP header with the ESP header inserted on return.
[in,out] LastHead The Last Header in IP header.
[in,out] OptionsBuffer Pointer to the options buffer.
[in,out] OptionsLength Length of the options buffer.
[in,out] FragmentTable Pointer to a list of fragments to be protected by IPsec on input, and with IPsec protected on return.
[in,out] FragmentCount The number of fragments.
[in] SadEntry The related SAD entry.
[out] RecycleEvent The event for recycling of resources.
Return values:
EFI_SUCCESS The operation was successful.
EFI_OUT_OF_RESOURCES The required system resources can't be allocated.

References _IPSEC_SAD_DATA::AlgoInfo, HASH_DATA_FRAGMENT::Data, HASH_DATA_FRAGMENT::DataSize, _IPSEC_RECYCLE_CONTEXT::FragmentTable, IPSEC_ESP_PROTOCOL, IpSecCryptoIoEncrypt(), IpSecCryptoIoHmac(), IpSecGenerateIv(), IpSecGetEncryptBlockSize(), IpSecGetEncryptIvLength(), IpSecGetIcvLength(), IpSecGetPlainExtHeadSize(), IpSecRecycleCallback(), IpSecTunnelOutboundPacket(), _IPSEC_SAD_DATA::ManualSet, _IPSEC_SAD_DATA::Mode, _EFI_ESP_TAIL::NextHeader, _EFI_ESP_TAIL::PaddingLength, _IPSEC_RECYCLE_CONTEXT::PayloadBuffer, _IPSEC_SAD_DATA::SequenceNumber, _EFI_ESP_HEADER::SequenceNumber, _EFI_ESP_HEADER::Spi, _IPSEC_SAD_DATA::TunnelDestAddress, and _IPSEC_SAD_DATA::TunnelSourceAddress.

Referenced by IpSecProtectOutboundPacket().

VOID IpSecExtractAddressRange ( IN EFI_IP_ADDRESS *  Address,
IN UINT8  PrefixLength,
OUT EFI_IP_ADDRESS *  Range 
)

Extract the address range from an address.

This function keeps the prefix part of the address and zeroes the rest of the address.

Parameters:
[in] Address Point to a specified address.
[in] PrefixLength The prefix length.
[out] Range Contain the return Address Range.

Referenced by IpSecMatchIpAddress().

IPSEC_SAD_ENTRY* IpSecFoundSadFromInboundPacket ( UINT8 *  IpHead,
UINT8  IpVersion,
UINT32  Spi 
)

Search for the related SAD entry using the input parameters.

Parameters:
[in] IpHead The pointer to IP header.
[in] IpVersion The version of IP (IP4 or IP6).
[in] Spi The SPI used to search the related SAD entry.
Return values:
NULL The related SAD entry was not found.
IPSEC_SAD_ENTRY The related SAD entry.

References IpSecLookupSadBySpi().

Referenced by IpSecEspInboundPacket().

UINT16 IpSecGetPlainExtHeadSize ( IN VOID *  IpHead,
IN UINT8 *  LastHead 
)

Calculate the length of the IP extension header. The returned length does not include the fixed IP header length.

Parameters:
[in] IpHead Points to an IP head to be calculated.
[in] LastHead Points to the last header of the IP header.
Returns:
The length of the extension header.

Referenced by IpSecEspInboundPacket(), and IpSecEspOutboundPacket().

BOOLEAN IpSecIsIp6ExtsValid ( IN UINT8 *  NextHeader,
IN UINT8 *  ExtHdrs,
IN UINT32  ExtHdrsLen,
OUT UINT8 **  LastHeader,
OUT UINT32 *  RealExtsLen 
)

Validate the IP6 extension header format for both the packets we received and that we will transmit.

Parameters:
[in] NextHeader The next header field in IPv6 basic header.
[in] ExtHdrs The first byte of the option.
[in] ExtHdrsLen The length of the whole option.
[out] LastHeader The pointer of NextHeader of the last extension header processed by IP6.
[out] RealExtsLen The length of extension headers processed by IP6 layer. This is an optional parameter that may be NULL.
Return values:
TRUE The option is properly formatted.
FALSE The option is malformed.

Referenced by IpSecTunnelInboundPacket().

IPSEC_PAD_ENTRY* IpSecLookupPadEntry ( IN UINT8  IpVersion,
IN EFI_IP_ADDRESS *  IpAddr 
)

Find a PAD entry according to a remote IP address.

Parameters:
[in] IpVersion The version of IP.
[in] IpAddr Points to remote IP address.
Returns:
the pointer of related PAD entry.

References _IPSEC_PAD_ENTRY::Id, IPSEC_PAD_ENTRY_FROM_LIST, IpSecMatchIpAddress(), and mConfigData.

Referenced by IkeNegotiate(), and Ikev2HandleSa().

IPSEC_SAD_ENTRY* IpSecLookupSadBySpd ( IN LIST_ENTRY *  SadList,
IN EFI_IP_ADDRESS *  DestAddress,
IN UINT8  IpVersion 
)

Find the SAD through a specified SPD's SAD list.

Parameters:
[in] SadList SAD list related to a specified SPD entry.
[in] DestAddress The destination address used to find the SAD entry.
[in] IpVersion The IP version. Ip4 or Ip6.
Returns:
The pointer to a certain SAD entry.

References _IPSEC_SAD_ENTRY::Data, IPSEC_SAD_ENTRY_FROM_SPD, IpSecMatchIpAddress(), and _IPSEC_SAD_DATA::SpdSelector.

Referenced by IpSecLookupSadEntry().

IPSEC_SAD_ENTRY* IpSecLookupSadBySpi ( IN UINT32  Spi,
IN EFI_IP_ADDRESS *  DestAddress,
IN UINT8  IpVersion 
)

Find the SAD through whole SAD list.

Parameters:
[in] Spi The SPI used to search the SAD entry.
[in] DestAddress The destination used to search the SAD entry.
[in] IpVersion The IP version. Ip4 or Ip6.
Returns:
the pointer to a certain SAD entry.

References _IPSEC_SAD_ENTRY::Data, _IPSEC_SAD_ENTRY::Id, IPSEC_SAD_ENTRY_FROM_LIST, IpSecMatchIpAddress(), mConfigData, _IPSEC_SAD_DATA::Mode, _IPSEC_SAD_DATA::SpdSelector, and _IPSEC_SAD_DATA::TunnelDestAddress.

Referenced by IpSecFoundSadFromInboundPacket().

EFI_STATUS IpSecLookupSadEntry ( IN IPSEC_PRIVATE_DATA *  Private,
IN EFI_HANDLE  NicHandle,
IN UINT8  IpVersion,
IN VOID *  IpHead,
IN UINT8 *  IpPayload,
IN UINT8  OldLastHead,
IN IPSEC_SPD_ENTRY *  SpdEntry,
OUT IPSEC_SAD_ENTRY **  SadEntry 
)

Look up whether there is an existing SAD entry for sending the specified IP packet.

This function is called by IpSecProcess() when an IP packet needs to be sent out. It checks whether there is an existing SAD entry that can service this outgoing IP packet. If no existing SAD entry can be used, this function invokes an IPsec key exchange negotiation.

Parameters:
[in] Private Points to private data.
[in] NicHandle Points to a NIC handle.
[in] IpVersion The version of IP.
[in] IpHead The IP Header of packet to be sent out.
[in] IpPayload The IP Payload to be sent out.
[in] OldLastHead The Last protocol of the IP packet.
[in] SpdEntry Points to a related SPD entry.
[out] SadEntry Contains the pointer to the related SAD entry.
Return values:
EFI_DEVICE_ERROR One of following conditions is TRUE:
  • The related UDP service was not found.
  • Sequence Number is used up.
  • Extension Sequence Number is used up.
EFI_NOT_READY No existing SAD entry could be used.
EFI_SUCCESS The related SAD entry was found.

References _IPSEC_SAD_ENTRY::Data, _IPSEC_SAD_DATA::ESNEnabled, IkeLookupUdp(), IkeNegotiate(), IpSecLookupSadBySpd(), _IPSEC_SAD_DATA::ManualSet, and _IPSEC_SAD_DATA::SequenceNumber.

Referenced by IpSecProcess().

EFI_STATUS IpSecLookupSpdEntry ( IN IPSEC_SPD_ENTRY *  SpdEntry,
IN UINT8  IpVersion,
IN VOID *  IpHead,
IN UINT8 *  IpPayload,
IN UINT8  Protocol,
IN BOOLEAN  IsOutbound,
OUT EFI_IPSEC_ACTION *  Action 
)

Check if the specified IP packet can be serviced by this SPD entry.

Parameters:
[in] SpdEntry Point to SPD entry.
[in] IpVersion Version of IP.
[in] IpHead Point to IP header.
[in] IpPayload Point to IP payload.
[in] Protocol The Last protocol of IP packet.
[in] IsOutbound Traffic direction.
[out] Action The support action of SPD entry.
Return values:
EFI_SUCCESS The related SPD entry was found.
EFI_NOT_FOUND The related SPD entry was not found.

References IpSecMatchIpAddress(), and IpSecMatchNextLayerProtocol().

Referenced by IpSecProcess().

BOOLEAN IpSecMatchIpAddress ( IN UINT8  IpVersion,
IN EFI_IP_ADDRESS *  IpAddr,
IN EFI_IP_ADDRESS_INFO *  AddressInfo,
IN UINT32  AddressCount 
)

Checks whether the IP address is within the address range of the specified AddressInfo list.

Parameters:
[in] IpVersion The IP version.
[in] IpAddr Points to the EFI_IP_ADDRESS to be checked.
[in] AddressInfo A list of EFI_IP_ADDRESS_INFO that is used to check whether the IP address matches.
[in] AddressCount The total number of AddressInfo entries.
Return values:
TRUE If the Specified IP Address is in the range of the AddressInfos specified.
FALSE If the Specified IP Address is not in the range of the AddressInfos specified.

References IpSecExtractAddressRange(), and IpSecValidAddressRange().

Referenced by Ikev2MatchSpdEntry(), IpSecLookupPadEntry(), IpSecLookupSadBySpd(), IpSecLookupSadBySpi(), and IpSecLookupSpdEntry().

BOOLEAN IpSecMatchNextLayerProtocol ( IN UINT8  Protocol,
IN UINT8 *  IpPayload,
IN UINT16  SpdProtocol,
IN UINT16  SpdLocalPort,
IN UINT16  SpdRemotePort,
IN BOOLEAN  IsOutbound 
)

Check if the specified Protocol and Port are supported by the specified SPD Entry.

This function is the subfunction of IpSecLookupSpdEntry() that is used to check if the sent/received IKE packet has the related SPD entry support.

Parameters:
[in] Protocol The Protocol to be checked.
[in] IpPayload Points to the IP payload to be checked.
[in] SpdProtocol The Protocol supported by SPD.
[in] SpdLocalPort The Local Port in SPD.
[in] SpdRemotePort The Remote Port in SPD.
[in] IsOutbound Flag to indicate whether this is for IKE packet sending or receiving.
Return values:
TRUE The Protocol and Port are supported by the SPD Entry.
FALSE The Protocol and Port are not supported by the SPD Entry.

References EFI_IPSEC_ANY_PROTOCOL.

Referenced by IpSecLookupSpdEntry().

VOID EFIAPI IpSecOnRecyclePacket ( IN VOID *  Arg  ) 

The call back function of NetbufFromExt.

Parameters:
[in] Arg The argument passed from the caller.

Referenced by IpSecEspInboundPacket(), and IpSecTunnelOutboundPacket().

EFI_STATUS IpSecProtectInboundPacket ( IN UINT8  IpVersion,
IN OUT VOID *  IpHead,
IN OUT UINT8 *  LastHead,
IN OUT VOID **  OptionsBuffer,
IN OUT UINT32 *  OptionsLength,
IN OUT EFI_IPSEC_FRAGMENT_DATA **  FragmentTable,
IN OUT UINT32 *  FragmentCount,
OUT EFI_IPSEC_SPD_SELECTOR **  SpdEntry,
OUT EFI_EVENT *  RecycleEvent 
)

This function processes the inbound traffic with IPsec.

It checks the received packet security property, trims the ESP/AH header, and then returns without an IPsec protected IP Header and FragmentTable.

Parameters:
[in] IpVersion The version of IP.
[in,out] IpHead Points to the IP header containing the ESP/AH header to be trimmed on input, and without the ESP/AH header on return.
[in,out] LastHead The Last Header in IP header on return.
[in,out] OptionsBuffer Pointer to the options buffer.
[in,out] OptionsLength Length of the options buffer.
[in,out] FragmentTable Pointer to a list of fragments in form of IPsec protected on input, and without IPsec protected on return.
[in,out] FragmentCount The number of fragments.
[out] SpdEntry Pointer to contain the address of SPD entry on return.
[out] RecycleEvent The event for recycling of resources.
Return values:
EFI_SUCCESS The operation was successful.
EFI_UNSUPPORTED The IPSEC protocol is not supported.

References IPSEC_ESP_PROTOCOL, and IpSecEspInboundPacket().

Referenced by IpSecProcess().

EFI_STATUS IpSecProtectOutboundPacket ( IN UINT8  IpVersion,
IN OUT VOID *  IpHead,
IN OUT UINT8 *  LastHead,
IN OUT VOID **  OptionsBuffer,
IN OUT UINT32 *  OptionsLength,
IN OUT EFI_IPSEC_FRAGMENT_DATA **  FragmentTable,
IN OUT UINT32 *  FragmentCount,
IN IPSEC_SAD_ENTRY *  SadEntry,
OUT EFI_EVENT *  RecycleEvent 
)

This function processes the output traffic with IPsec.

It protects the outgoing packet by encrypting its payload and inserting an ESP/AH header into the original IP header, then returns the IP header and the IPsec-protected FragmentTable.

Parameters:
[in] IpVersion The version of IP.
[in,out] IpHead Points to the original IP header to be processed on input, and to the IP header with the ESP/AH header inserted on return.
[in,out] LastHead The Last Header in IP header.
[in,out] OptionsBuffer Pointer to the options buffer.
[in,out] OptionsLength Length of the options buffer.
[in,out] FragmentTable Pointer to a list of fragments to be protected by IPsec on input, and with IPsec protected on return.
[in,out] FragmentCount Number of fragments.
[in] SadEntry Related SAD entry.
[out] RecycleEvent Event for recycling of resources.
Return values:
EFI_SUCCESS The operation is successful.
EFI_UNSUPPORTED If the IPSEC protocol is not supported.

References IpSecEspOutboundPacket().

Referenced by IpSecProcess().

VOID EFIAPI IpSecRecycleCallback ( IN EFI_EVENT  Event,
IN VOID *  Context 
)

This is a Notification function. It is called when the related IP6_TXTOKEN_WRAP is released.

Parameters:
[in] Event The related event.
[in] Context The data passed by the caller.

References _IPSEC_RECYCLE_CONTEXT::FragmentTable, and _IPSEC_RECYCLE_CONTEXT::PayloadBuffer.

Referenced by IpSecEspInboundPacket(), and IpSecEspOutboundPacket().

VOID IpSecTunnelInboundPacket ( IN OUT UINT8 *  IpHead,
IN UINT8 *  IpPayload,
IN UINT8  IpVersion,
IN IPSEC_SAD_DATA *  SadData,
IN OUT UINT8 *  LastHead 
)

The actual entry to process the tunnel header and inner header for tunnel mode inbound traffic.

This function is the subfunction of IpSecEspInboundPacket(). It changes the destination IP address to the station address and recalculates the upper-layer checksum.

Parameters:
[in,out] IpHead Points to the IP header containing the ESP header to be trimmed on input, and without the ESP header on return.
[in] IpPayload The decrypted IP payload. It starts from the inner header.
[in] IpVersion The version of IP.
[in] SadData Pointer of the relevant SAD.
[in,out] LastHead The Last Header in IP header on return.

References IpSecIsIp6ExtsValid().

Referenced by IpSecEspInboundPacket().

UINT8* IpSecTunnelOutboundPacket ( IN OUT UINT8 *  IpHead,
IN UINT8  IpVersion,
IN IPSEC_SAD_DATA *  SadData,
IN OUT UINT8 *  LastHead,
IN VOID **  OptionsBuffer,
IN UINT32 *  OptionsLength,
IN OUT EFI_IPSEC_FRAGMENT_DATA **  FragmentTable,
IN UINT32 *  FragmentCount 
)

The actual entry to create inner header for tunnel mode outbound traffic.

This function is the subfunction of IpSecEspOutboundPacket(). It creates the outgoing packet by encrypting its payload and inserting an ESP header into the original IP header, then returns the IP header and the IPsec-protected FragmentTable.

Parameters:
[in,out] IpHead Points to the original IP header to be processed on input, and to the IP header with the ESP header inserted on return.
[in] IpVersion The version of IP.
[in] SadData The related SAD data.
[in,out] LastHead The Last Header in IP header.
[in] OptionsBuffer Pointer to the options buffer.
[in] OptionsLength Length of the options buffer.
[in,out] FragmentTable Pointer to a list of fragments to be protected by IPsec on input, and with IPsec protected on return.
[in] FragmentCount The number of fragments.
Return values:
EFI_SUCCESS The operation was successful.
EFI_OUT_OF_RESOURCES The required system resources can't be allocated.

References IpSecOnRecyclePacket().

Referenced by IpSecEspOutboundPacket().

BOOLEAN IpSecValidAddressRange ( IN UINT8  IpVersion,
IN EFI_IP_ADDRESS *  Address,
IN UINT8  PrefixLength 
)

Check if the specified Address is a valid address range.

This function checks whether the bytes after the prefix length are all zero in this Address. The Address is supposed to describe an address range, which means it should give the correct prefix and the bytes outside the prefix should be zero.

Parameters:
[in] IpVersion The IP version.
[in] Address Points to EFI_IP_ADDRESS to be checked.
[in] PrefixLength The prefix length of this address.
Return values:
TRUE The address is a valid address range.
FALSE The address is not a valid address range.

Referenced by IpSecMatchIpAddress().

