1 | /** @file
|
---|
2 | The definitions related to IPsec protocol implementation.
|
---|
3 |
|
---|
4 | Copyright (c) 2009 - 2011, Intel Corporation. All rights reserved.<BR>
|
---|
5 |
|
---|
6 | This program and the accompanying materials
|
---|
7 | are licensed and made available under the terms and conditions of the BSD License
|
---|
8 | which accompanies this distribution. The full text of the license may be found at
|
---|
9 | http://opensource.org/licenses/bsd-license.php.
|
---|
10 |
|
---|
11 | THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
|
---|
12 | WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
|
---|
13 |
|
---|
14 | **/
|
---|
15 |
|
---|
16 | #ifndef _IP_SEC_IMPL_H_
|
---|
17 | #define _IP_SEC_IMPL_H_
|
---|
18 |
|
---|
19 | #include <Uefi.h>
|
---|
20 | #include <Library/UefiLib.h>
|
---|
21 | #include <Library/NetLib.h>
|
---|
22 | #include <Library/BaseMemoryLib.h>
|
---|
23 | #include <Library/UefiBootServicesTableLib.h>
|
---|
24 | #include <Library/MemoryAllocationLib.h>
|
---|
25 | #include <Protocol/IpSec.h>
|
---|
26 | #include <Protocol/IpSecConfig.h>
|
---|
27 | #include <Protocol/Dpc.h>
|
---|
28 | #include <Protocol/ComponentName.h>
|
---|
29 | #include <Protocol/ComponentName2.h>
|
---|
30 |
|
---|
31 | typedef struct _IPSEC_PRIVATE_DATA IPSEC_PRIVATE_DATA;
|
---|
32 | typedef struct _IPSEC_SPD_ENTRY IPSEC_SPD_ENTRY;
|
---|
33 | typedef struct _IPSEC_PAD_ENTRY IPSEC_PAD_ENTRY;
|
---|
34 | typedef struct _IPSEC_SPD_DATA IPSEC_SPD_DATA;
|
---|
35 |
|
---|
36 | #define IPSEC_PRIVATE_DATA_SIGNATURE SIGNATURE_32 ('I', 'P', 'S', 'E')
|
---|
37 |
|
---|
38 | #define IPSEC_PRIVATE_DATA_FROM_IPSEC(a) CR (a, IPSEC_PRIVATE_DATA, IpSec, IPSEC_PRIVATE_DATA_SIGNATURE)
|
---|
39 | #define IPSEC_PRIVATE_DATA_FROM_UDP4LIST(a) CR (a, IPSEC_PRIVATE_DATA, Udp4List, IPSEC_PRIVATE_DATA_SIGNATURE)
|
---|
40 | #define IPSEC_PRIVATE_DATA_FROM_UDP6LIST(a) CR (a, IPSEC_PRIVATE_DATA, Udp6List, IPSEC_PRIVATE_DATA_SIGNATURE)
|
---|
41 | #define IPSEC_UDP_SERVICE_FROM_LIST(a) BASE_CR (a, IKE_UDP_SERVICE, List)
|
---|
42 | #define IPSEC_SPD_ENTRY_FROM_LIST(a) BASE_CR (a, IPSEC_SPD_ENTRY, List)
|
---|
43 | #define IPSEC_SAD_ENTRY_FROM_LIST(a) BASE_CR (a, IPSEC_SAD_ENTRY, List)
|
---|
44 | #define IPSEC_PAD_ENTRY_FROM_LIST(a) BASE_CR (a, IPSEC_PAD_ENTRY, List)
|
---|
45 | #define IPSEC_SAD_ENTRY_FROM_SPD(a) BASE_CR (a, IPSEC_SAD_ENTRY, BySpd)
|
---|
46 |
|
---|
47 | #define IPSEC_STATUS_DISABLED 0
|
---|
48 | #define IPSEC_STATUS_ENABLED 1
|
---|
49 | #define IPSEC_ESP_PROTOCOL 50
|
---|
50 | #define IPSEC_AH_PROTOCOL 51
|
---|
51 | #define IPSEC_DEFAULT_VARIABLE_SIZE 0x100
|
---|
52 |
|
---|
53 | //
|
---|
54 | // Internal Structure Definition
|
---|
55 | //
|
---|
56 | #pragma pack(1)
|
---|
57 | typedef struct _EFI_AH_HEADER {
|
---|
58 | UINT8 NextHeader;
|
---|
59 | UINT8 PayloadLen;
|
---|
60 | UINT16 Reserved;
|
---|
61 | UINT32 Spi;
|
---|
62 | UINT32 SequenceNumber;
|
---|
63 | } EFI_AH_HEADER;
|
---|
64 |
|
---|
65 | typedef struct _EFI_ESP_HEADER {
|
---|
66 | UINT32 Spi;
|
---|
67 | UINT32 SequenceNumber;
|
---|
68 | } EFI_ESP_HEADER;
|
---|
69 |
|
---|
70 | typedef struct _EFI_ESP_TAIL {
|
---|
71 | UINT8 PaddingLength;
|
---|
72 | UINT8 NextHeader;
|
---|
73 | } EFI_ESP_TAIL;
|
---|
74 | #pragma pack()
|
---|
75 |
|
---|
76 | struct _IPSEC_SPD_DATA {
|
---|
77 | CHAR16 Name[100];
|
---|
78 | UINT32 PackageFlag;
|
---|
79 | EFI_IPSEC_ACTION Action;
|
---|
80 | EFI_IPSEC_PROCESS_POLICY *ProcessingPolicy;
|
---|
81 | LIST_ENTRY Sas;
|
---|
82 | };
|
---|
83 |
|
---|
84 | struct _IPSEC_SPD_ENTRY {
|
---|
85 | EFI_IPSEC_SPD_SELECTOR *Selector;
|
---|
86 | IPSEC_SPD_DATA *Data;
|
---|
87 | LIST_ENTRY List;
|
---|
88 | };
|
---|
89 |
|
---|
90 | typedef struct _IPSEC_SAD_DATA {
|
---|
91 | EFI_IPSEC_MODE Mode;
|
---|
92 | UINT64 SequenceNumber;
|
---|
93 | UINT8 AntiReplayWindowSize;
|
---|
94 | UINT64 AntiReplayBitmap[4]; // bitmap for received packet
|
---|
95 | EFI_IPSEC_ALGO_INFO AlgoInfo;
|
---|
96 | EFI_IPSEC_SA_LIFETIME SaLifetime;
|
---|
97 | UINT32 PathMTU;
|
---|
98 | IPSEC_SPD_ENTRY *SpdEntry;
|
---|
99 | EFI_IPSEC_SPD_SELECTOR *SpdSelector;
|
---|
100 | BOOLEAN ESNEnabled; // Extended (64-bit) SN enabled
|
---|
101 | BOOLEAN ManualSet;
|
---|
102 | EFI_IP_ADDRESS TunnelDestAddress;
|
---|
103 | EFI_IP_ADDRESS TunnelSourceAddress;
|
---|
104 | } IPSEC_SAD_DATA;
|
---|
105 |
|
---|
106 | typedef struct _IPSEC_SAD_ENTRY {
|
---|
107 | EFI_IPSEC_SA_ID *Id;
|
---|
108 | IPSEC_SAD_DATA *Data;
|
---|
109 | LIST_ENTRY List;
|
---|
110 | LIST_ENTRY BySpd; // Linked on IPSEC_SPD_DATA.Sas
|
---|
111 | } IPSEC_SAD_ENTRY;
|
---|
112 |
|
---|
113 | struct _IPSEC_PAD_ENTRY {
|
---|
114 | EFI_IPSEC_PAD_ID *Id;
|
---|
115 | EFI_IPSEC_PAD_DATA *Data;
|
---|
116 | LIST_ENTRY List;
|
---|
117 | };
|
---|
118 |
|
---|
119 | typedef struct _IPSEC_RECYCLE_CONTEXT {
|
---|
120 | EFI_IPSEC_FRAGMENT_DATA *FragmentTable;
|
---|
121 | UINT8 *PayloadBuffer;
|
---|
122 | } IPSEC_RECYCLE_CONTEXT;
|
---|
123 |
|
---|
124 | //
|
---|
125 | // Struct used to store the Hash and its data.
|
---|
126 | //
|
---|
127 | typedef struct {
|
---|
128 | UINTN DataSize;
|
---|
129 | UINT8 *Data;
|
---|
130 | } HASH_DATA_FRAGMENT;
|
---|
131 |
|
---|
132 | struct _IPSEC_PRIVATE_DATA {
|
---|
133 | UINT32 Signature;
|
---|
134 | EFI_HANDLE Handle; // Virtual handle to install private prtocol
|
---|
135 | EFI_HANDLE ImageHandle;
|
---|
136 | EFI_IPSEC2_PROTOCOL IpSec;
|
---|
137 | EFI_IPSEC_CONFIG_PROTOCOL IpSecConfig;
|
---|
138 | BOOLEAN SetBySelf;
|
---|
139 | LIST_ENTRY Udp4List;
|
---|
140 | UINTN Udp4Num;
|
---|
141 | LIST_ENTRY Udp6List;
|
---|
142 | UINTN Udp6Num;
|
---|
143 | LIST_ENTRY Ikev1SessionList;
|
---|
144 | LIST_ENTRY Ikev1EstablishedList;
|
---|
145 | LIST_ENTRY Ikev2SessionList;
|
---|
146 | LIST_ENTRY Ikev2EstablishedList;
|
---|
147 | BOOLEAN IsIPsecDisabling;
|
---|
148 | };
|
---|
149 |
|
---|
150 | /**
|
---|
151 | This function processes the inbound traffic with IPsec.
|
---|
152 |
|
---|
153 | It checks the received packet security property, trims the ESP/AH header, and then
|
---|
154 | returns without an IPsec protected IP Header and FragmentTable.
|
---|
155 |
|
---|
156 | @param[in] IpVersion The version of IP.
|
---|
157 | @param[in, out] IpHead Points to IP header containing the ESP/AH header
|
---|
158 | to be trimed on input, and without ESP/AH header
|
---|
159 | on return.
|
---|
160 | @param[in, out] LastHead The Last Header in IP header on return.
|
---|
161 | @param[in, out] OptionsBuffer Pointer to the options buffer.
|
---|
162 | @param[in, out] OptionsLength Length of the options buffer.
|
---|
163 | @param[in, out] FragmentTable Pointer to a list of fragments in form of IPsec
|
---|
164 | protected on input, and without IPsec protected
|
---|
165 | on return.
|
---|
166 | @param[in, out] FragmentCount The number of fragments.
|
---|
167 | @param[out] SpdEntry Pointer to contain the address of SPD entry on return.
|
---|
168 | @param[out] RecycleEvent The event for recycling of resources.
|
---|
169 |
|
---|
170 | @retval EFI_SUCCESS The operation was successful.
|
---|
171 | @retval EFI_UNSUPPORTED The IPSEC protocol is not supported.
|
---|
172 |
|
---|
173 | **/
|
---|
174 | EFI_STATUS
|
---|
175 | IpSecProtectInboundPacket (
|
---|
176 | IN UINT8 IpVersion,
|
---|
177 | IN OUT VOID *IpHead,
|
---|
178 | IN OUT UINT8 *LastHead,
|
---|
179 | IN OUT VOID **OptionsBuffer,
|
---|
180 | IN OUT UINT32 *OptionsLength,
|
---|
181 | IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable,
|
---|
182 | IN OUT UINT32 *FragmentCount,
|
---|
183 | OUT EFI_IPSEC_SPD_SELECTOR **SpdEntry,
|
---|
184 | OUT EFI_EVENT *RecycleEvent
|
---|
185 | );
|
---|
186 |
|
---|
187 |
|
---|
188 | /**
|
---|
189 | This fucntion processes the output traffic with IPsec.
|
---|
190 |
|
---|
191 | It protected the sending packet by encrypting it payload and inserting ESP/AH header
|
---|
192 | in the orginal IP header, then return the IpHeader and IPsec protected Fragmentable.
|
---|
193 |
|
---|
194 | @param[in] IpVersion The version of IP.
|
---|
195 | @param[in, out] IpHead Point to IP header containing the orginal IP header
|
---|
196 | to be processed on input, and inserted ESP/AH header
|
---|
197 | on return.
|
---|
198 | @param[in, out] LastHead The Last Header in IP header.
|
---|
199 | @param[in, out] OptionsBuffer Pointer to the options buffer.
|
---|
200 | @param[in, out] OptionsLength Length of the options buffer.
|
---|
201 | @param[in, out] FragmentTable Pointer to a list of fragments to be protected by
|
---|
202 | IPsec on input, and with IPsec protected
|
---|
203 | on return.
|
---|
204 | @param[in, out] FragmentCount Number of fragments.
|
---|
205 | @param[in] SadEntry Related SAD entry.
|
---|
206 | @param[out] RecycleEvent Event for recycling of resources.
|
---|
207 |
|
---|
208 | @retval EFI_SUCCESS The operation is successful.
|
---|
209 | @retval EFI_UNSUPPORTED If the IPSEC protocol is not supported.
|
---|
210 |
|
---|
211 | **/
|
---|
212 | EFI_STATUS
|
---|
213 | IpSecProtectOutboundPacket (
|
---|
214 | IN UINT8 IpVersion,
|
---|
215 | IN OUT VOID *IpHead,
|
---|
216 | IN OUT UINT8 *LastHead,
|
---|
217 | IN OUT VOID **OptionsBuffer,
|
---|
218 | IN OUT UINT32 *OptionsLength,
|
---|
219 | IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable,
|
---|
220 | IN OUT UINT32 *FragmentCount,
|
---|
221 | IN IPSEC_SAD_ENTRY *SadEntry,
|
---|
222 | OUT EFI_EVENT *RecycleEvent
|
---|
223 | );
|
---|
224 |
|
---|
225 | /**
|
---|
226 | Check if the IP Address in the address range of AddressInfos specified.
|
---|
227 |
|
---|
228 | @param[in] IpVersion The IP version.
|
---|
229 | @param[in] IpAddr Points to EFI_IP_ADDRESS to be check.
|
---|
230 | @param[in] AddressInfo A list of EFI_IP_ADDRESS_INFO that is used to check
|
---|
231 | the IP Address is matched.
|
---|
232 | @param[in] AddressCount The total numbers of the AddressInfo.
|
---|
233 |
|
---|
234 | @retval TRUE If the Specified IP Address is in the range of the AddressInfos specified.
|
---|
235 | @retval FALSE If the Specified IP Address is not in the range of the AddressInfos specified.
|
---|
236 |
|
---|
237 | **/
|
---|
238 | BOOLEAN
|
---|
239 | IpSecMatchIpAddress (
|
---|
240 | IN UINT8 IpVersion,
|
---|
241 | IN EFI_IP_ADDRESS *IpAddr,
|
---|
242 | IN EFI_IP_ADDRESS_INFO *AddressInfo,
|
---|
243 | IN UINT32 AddressCount
|
---|
244 | );
|
---|
245 |
|
---|
246 | /**
|
---|
247 | Find a PAD entry according to remote IP address.
|
---|
248 |
|
---|
249 | @param[in] IpVersion The version of IP.
|
---|
250 | @param[in] IpAddr Point to remote IP address.
|
---|
251 |
|
---|
252 | @return The pointer of related PAD entry.
|
---|
253 |
|
---|
254 | **/
|
---|
255 | IPSEC_PAD_ENTRY *
|
---|
256 | IpSecLookupPadEntry (
|
---|
257 | IN UINT8 IpVersion,
|
---|
258 | IN EFI_IP_ADDRESS *IpAddr
|
---|
259 | );
|
---|
260 |
|
---|
261 | /**
|
---|
262 | Check if the specified IP packet can be serviced by this SPD entry.
|
---|
263 |
|
---|
264 | @param[in] SpdEntry Point to SPD entry.
|
---|
265 | @param[in] IpVersion Version of IP.
|
---|
266 | @param[in] IpHead Point to IP header.
|
---|
267 | @param[in] IpPayload Point to IP payload.
|
---|
268 | @param[in] Protocol The Last protocol of IP packet.
|
---|
269 | @param[in] IsOutbound Traffic direction.
|
---|
270 | @param[out] Action The support action of SPD entry.
|
---|
271 |
|
---|
272 | @retval EFI_SUCCESS Find the related SPD.
|
---|
273 | @retval EFI_NOT_FOUND Not find the related SPD entry;
|
---|
274 |
|
---|
275 | **/
|
---|
276 | EFI_STATUS
|
---|
277 | IpSecLookupSpdEntry (
|
---|
278 | IN IPSEC_SPD_ENTRY *SpdEntry,
|
---|
279 | IN UINT8 IpVersion,
|
---|
280 | IN VOID *IpHead,
|
---|
281 | IN UINT8 *IpPayload,
|
---|
282 | IN UINT8 Protocol,
|
---|
283 | IN BOOLEAN IsOutbound,
|
---|
284 | OUT EFI_IPSEC_ACTION *Action
|
---|
285 | );
|
---|
286 |
|
---|
287 | /**
|
---|
288 | Look up if there is existing SAD entry for specified IP packet sending.
|
---|
289 |
|
---|
290 | This function is called by the IPsecProcess when there is some IP packet needed to
|
---|
291 | send out. This function checks if there is an existing SAD entry that can be serviced
|
---|
292 | to this IP packet sending. If no existing SAD entry could be used, this
|
---|
293 | function will invoke an IPsec Key Exchange Negotiation.
|
---|
294 |
|
---|
295 | @param[in] Private Points to private data.
|
---|
296 | @param[in] NicHandle Points to a NIC handle.
|
---|
297 | @param[in] IpVersion The version of IP.
|
---|
298 | @param[in] IpHead The IP Header of packet to be sent out.
|
---|
299 | @param[in] IpPayload The IP Payload to be sent out.
|
---|
300 | @param[in] OldLastHead The Last protocol of the IP packet.
|
---|
301 | @param[in] SpdEntry Points to a related SPD entry.
|
---|
302 | @param[out] SadEntry Contains the Point of a related SAD entry.
|
---|
303 |
|
---|
304 | @retval EFI_DEVICE_ERROR One of following conditions is TRUE:
|
---|
305 | - If don't find related UDP service.
|
---|
306 | - Sequence Number is used up.
|
---|
307 | - Extension Sequence Number is used up.
|
---|
308 | @retval EFI_NOT_READY No existing SAD entry could be used.
|
---|
309 | @retval EFI_SUCCESS Find the related SAD entry.
|
---|
310 |
|
---|
311 | **/
|
---|
312 | EFI_STATUS
|
---|
313 | IpSecLookupSadEntry (
|
---|
314 | IN IPSEC_PRIVATE_DATA *Private,
|
---|
315 | IN EFI_HANDLE NicHandle,
|
---|
316 | IN UINT8 IpVersion,
|
---|
317 | IN VOID *IpHead,
|
---|
318 | IN UINT8 *IpPayload,
|
---|
319 | IN UINT8 OldLastHead,
|
---|
320 | IN IPSEC_SPD_ENTRY *SpdEntry,
|
---|
321 | OUT IPSEC_SAD_ENTRY **SadEntry
|
---|
322 | );
|
---|
323 |
|
---|
324 | /**
|
---|
325 | Find the SAD through whole SAD list.
|
---|
326 |
|
---|
327 | @param[in] Spi The SPI used to search the SAD entry.
|
---|
328 | @param[in] DestAddress The destination used to search the SAD entry.
|
---|
329 | @param[in] IpVersion The IP version. Ip4 or Ip6.
|
---|
330 |
|
---|
331 | @return The pointer to a certain SAD entry.
|
---|
332 |
|
---|
333 | **/
|
---|
334 | IPSEC_SAD_ENTRY *
|
---|
335 | IpSecLookupSadBySpi (
|
---|
336 | IN UINT32 Spi,
|
---|
337 | IN EFI_IP_ADDRESS *DestAddress,
|
---|
338 | IN UINT8 IpVersion
|
---|
339 | )
|
---|
340 | ;
|
---|
341 |
|
---|
342 | /**
|
---|
343 | Handles IPsec packet processing for inbound and outbound IP packets.
|
---|
344 |
|
---|
345 | The EFI_IPSEC_PROCESS process routine handles each inbound or outbound packet.
|
---|
346 | The behavior is that it can perform one of the following actions:
|
---|
347 | bypass the packet, discard the packet, or protect the packet.
|
---|
348 |
|
---|
349 | @param[in] This Pointer to the EFI_IPSEC2_PROTOCOL instance.
|
---|
350 | @param[in] NicHandle Instance of the network interface.
|
---|
351 | @param[in] IpVersion IPV4 or IPV6.
|
---|
352 | @param[in, out] IpHead Pointer to the IP Header.
|
---|
353 | @param[in, out] LastHead The protocol of the next layer to be processed by IPsec.
|
---|
354 | @param[in, out] OptionsBuffer Pointer to the options buffer.
|
---|
355 | @param[in, out] OptionsLength Length of the options buffer.
|
---|
356 | @param[in, out] FragmentTable Pointer to a list of fragments.
|
---|
357 | @param[in, out] FragmentCount Number of fragments.
|
---|
358 | @param[in] TrafficDirection Traffic direction.
|
---|
359 | @param[out] RecycleSignal Event for recycling of resources.
|
---|
360 |
|
---|
361 | @retval EFI_SUCCESS The packet was bypassed and all buffers remain the same.
|
---|
362 | @retval EFI_SUCCESS The packet was protected.
|
---|
363 | @retval EFI_ACCESS_DENIED The packet was discarded.
|
---|
364 |
|
---|
365 | **/
|
---|
366 | EFI_STATUS
|
---|
367 | EFIAPI
|
---|
368 | IpSecProcess (
|
---|
369 | IN EFI_IPSEC2_PROTOCOL *This,
|
---|
370 | IN EFI_HANDLE NicHandle,
|
---|
371 | IN UINT8 IpVersion,
|
---|
372 | IN OUT VOID *IpHead,
|
---|
373 | IN OUT UINT8 *LastHead,
|
---|
374 | IN OUT VOID **OptionsBuffer,
|
---|
375 | IN OUT UINT32 *OptionsLength,
|
---|
376 | IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable,
|
---|
377 | IN OUT UINT32 *FragmentCount,
|
---|
378 | IN EFI_IPSEC_TRAFFIC_DIR TrafficDirection,
|
---|
379 | OUT EFI_EVENT *RecycleSignal
|
---|
380 | );
|
---|
381 |
|
---|
382 | extern EFI_DPC_PROTOCOL *mDpc;
|
---|
383 | extern EFI_IPSEC2_PROTOCOL mIpSecInstance;
|
---|
384 |
|
---|
385 | extern EFI_COMPONENT_NAME2_PROTOCOL gIpSecComponentName2;
|
---|
386 | extern EFI_COMPONENT_NAME_PROTOCOL gIpSecComponentName;
|
---|
387 |
|
---|
388 |
|
---|
389 | #endif
|
---|