-rw-r--r--NetworkPkg/Ip6Dxe/Ip6Impl.c2
-rw-r--r--NetworkPkg/Ip6Dxe/Ip6Impl.h2
-rw-r--r--NetworkPkg/Ip6Dxe/Ip6Input.c348
-rw-r--r--NetworkPkg/Ip6Dxe/Ip6Input.h32
-rw-r--r--NetworkPkg/Ip6Dxe/Ip6Output.c6
-rw-r--r--NetworkPkg/IpSecDxe/IpSecConfigImpl.c2
-rw-r--r--NetworkPkg/IpSecDxe/IpSecCryptIo.c6
-rw-r--r--NetworkPkg/IpSecDxe/IpSecCryptIo.h17
-rw-r--r--NetworkPkg/IpSecDxe/IpSecDriver.c4
-rw-r--r--NetworkPkg/IpSecDxe/IpSecImpl.c20
-rw-r--r--NetworkPkg/IpSecDxe/IpSecImpl.h77
-rw-r--r--NetworkPkg/IpSecDxe/IpSecSaEngine.c96
12 files changed, 364 insertions, 248 deletions
diff --git a/NetworkPkg/Ip6Dxe/Ip6Impl.c b/NetworkPkg/Ip6Dxe/Ip6Impl.c
index 9b34ece..9775aec 100644
--- a/NetworkPkg/Ip6Dxe/Ip6Impl.c
+++ b/NetworkPkg/Ip6Dxe/Ip6Impl.c
@@ -15,7 +15,7 @@
#include "Ip6Impl.h"
-EFI_IPSEC_PROTOCOL *mIpSec = NULL;
+EFI_IPSEC2_PROTOCOL *mIpSec = NULL;
EFI_IP6_PROTOCOL mEfiIp6ProtocolTemplete = {
EfiIp6GetModeData,
diff --git a/NetworkPkg/Ip6Dxe/Ip6Impl.h b/NetworkPkg/Ip6Dxe/Ip6Impl.h
index 524de5e..1241e63 100644
--- a/NetworkPkg/Ip6Dxe/Ip6Impl.h
+++ b/NetworkPkg/Ip6Dxe/Ip6Impl.h
@@ -89,7 +89,7 @@
#define IP6_NO_MAPPING(IpInstance) (!(IpInstance)->Interface->Configured)
-extern EFI_IPSEC_PROTOCOL *mIpSec;
+extern EFI_IPSEC2_PROTOCOL *mIpSec;
//
// IP6_TXTOKEN_WRAP wraps the upper layer's transmit token.
diff --git a/NetworkPkg/Ip6Dxe/Ip6Input.c b/NetworkPkg/Ip6Dxe/Ip6Input.c
index c18811b..f63c1af 100644
--- a/NetworkPkg/Ip6Dxe/Ip6Input.c
+++ b/NetworkPkg/Ip6Dxe/Ip6Input.c
@@ -481,11 +481,11 @@ Ip6IpSecFree (
actions: bypass the packet, discard the packet, or protect the packet.
@param[in] IpSb The IP6 service instance.
- @param[in] Head The caller-supplied IP6 header.
+ @param[in, out] Head The caller-supplied IP6 header.
@param[in, out] LastHead The next header field of last IP header.
@param[in, out] Netbuf The IP6 packet to be processed by IPsec.
- @param[in] ExtHdrs The caller-supplied options.
- @param[in] ExtHdrsLen The length of the option.
+ @param[in, out] ExtHdrs The caller-supplied options.
+ @param[in, out] ExtHdrsLen The length of the option.
@param[in] Direction The directionality in an SPD entry,
EfiIPsecInBound, or EfiIPsecOutBound.
@param[in] Context The token's wrap.
@@ -501,18 +501,20 @@ Ip6IpSecFree (
**/
EFI_STATUS
Ip6IpSecProcessPacket (
- IN IP6_SERVICE *IpSb,
- IN EFI_IP6_HEADER *Head,
- IN OUT UINT8 *LastHead,
- IN OUT NET_BUF **Netbuf,
- IN VOID *ExtHdrs,
- IN UINT32 ExtHdrsLen,
- IN EFI_IPSEC_TRAFFIC_DIR Direction,
- IN VOID *Context
+ IN IP6_SERVICE *IpSb,
+ IN OUT EFI_IP6_HEADER **Head,
+ IN OUT UINT8 *LastHead,
+ IN OUT NET_BUF **Netbuf,
+ IN OUT UINT8 **ExtHdrs,
+ IN OUT UINT32 *ExtHdrsLen,
+ IN EFI_IPSEC_TRAFFIC_DIR Direction,
+ IN VOID *Context
)
{
NET_FRAGMENT *FragmentTable;
+ NET_FRAGMENT *OriginalFragmentTable;
UINT32 FragmentCount;
+ UINT32 OriginalFragmentCount;
EFI_EVENT RecycleEvent;
NET_BUF *Packet;
IP6_TXTOKEN_WRAP *TxWrap;
@@ -520,6 +522,7 @@ Ip6IpSecProcessPacket (
EFI_STATUS Status;
EFI_IP6_HEADER *PacketHead;
UINT8 *Buf;
+ EFI_IP6_HEADER ZeroHead;
Status = EFI_SUCCESS;
Packet = *Netbuf;
@@ -530,6 +533,7 @@ Ip6IpSecProcessPacket (
Buf = NULL;
TxWrap = (IP6_TXTOKEN_WRAP *) Context;
FragmentCount = Packet->BlockOpNum;
+ ZeroMem (&ZeroHead, sizeof (EFI_IP6_HEADER));
if (mIpSec == NULL) {
gBS->LocateProtocol (&gEfiIpSecProtocolGuid, NULL, (VOID **) &mIpSec);
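Review bot: The `gBS->LocateProtocol` lookup still asks for `gEfiIpSecProtocolGuid`, although `mIpSec` is now an `EFI_IPSEC2_PROTOCOL *` and is called through `ProcessExt` later in this function. If any driver on the platform publishes the original `EFI_IPSEC_PROTOCOL` under that GUID, the call would go through an interface whose `Process` member takes different arguments. Either the lookup should use the GUID that identifies the IPSEC2 interface, or a comment should state that this GUID is only ever installed with the new layout. The status returned by `LocateProtocol` is not checked on this line; the body continues outside the hunk, so a later `mIpSec == NULL` test may cover that.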
@@ -562,7 +566,7 @@ Ip6IpSecProcessPacket (
//
// Bypass all multicast inbound or outbound traffic.
//
- if (IP6_IS_MULTICAST (&Head->DestinationAddress) || IP6_IS_MULTICAST (&Head->SourceAddress)) {
+ if (IP6_IS_MULTICAST (&(*Head)->DestinationAddress) || IP6_IS_MULTICAST (&(*Head)->SourceAddress)) {
goto ON_EXIT;
}
@@ -577,6 +581,8 @@ Ip6IpSecProcessPacket (
}
Status = NetbufBuildExt (Packet, FragmentTable, &FragmentCount);
+ OriginalFragmentTable = FragmentTable;
+ OriginalFragmentCount = FragmentCount;
if (EFI_ERROR(Status)) {
FreePool (FragmentTable);
@@ -586,16 +592,16 @@ Ip6IpSecProcessPacket (
//
// Convert host byte order to network byte order
//
- Ip6NtohHead (Head);
+ Ip6NtohHead (*Head);
- Status = mIpSec->Process (
+ Status = mIpSec->ProcessExt (
mIpSec,
IpSb->Controller,
IP_VERSION_6,
- (VOID *) Head,
+ (VOID *) (*Head),
LastHead,
- NULL,
- 0,
+ (VOID **) ExtHdrs,
+ ExtHdrsLen,
(EFI_IPSEC_FRAGMENT_DATA **) (&FragmentTable),
&FragmentCount,
Direction,
@@ -604,14 +610,20 @@ Ip6IpSecProcessPacket (
//
// Convert back to host byte order
//
- Ip6NtohHead (Head);
+ Ip6NtohHead (*Head);
if (EFI_ERROR (Status)) {
goto ON_EXIT;
}
- if (Direction == EfiIPsecOutBound && TxWrap != NULL) {
+ if (OriginalFragmentCount == FragmentCount && OriginalFragmentTable == FragmentTable) {
+ //
+ // For ByPass Packet
+ //
+ goto ON_EXIT;
+ }
+ if (Direction == EfiIPsecOutBound && TxWrap != NULL) {
TxWrap->IpSecRecycleSignal = RecycleEvent;
TxWrap->Packet = NetbufFromExt (
FragmentTable,
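Review bot: The bypass test `OriginalFragmentCount == FragmentCount && OriginalFragmentTable == FragmentTable` infers the IPsec verdict from pointer and count equality, which nothing visible in the `ProcessExt` call guarantees. If an implementation ever transforms the packet in place and leaves the table address and count unchanged, the result would be treated as a bypass and the original `Packet` used as is. A comment stating the contract being relied on, for example `// ProcessExt returns a new fragment table whenever it protects or unprotects the packet`, would make this auditable. Whether `FragmentTable` and `RecycleEvent` are released on the new `goto ON_EXIT` path depends on the code at `ON_EXIT`, which is outside the hunk.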
@@ -626,6 +638,13 @@ Ip6IpSecProcessPacket (
goto ON_EXIT;
}
+ CopyMem (
+ IP6_GET_CLIP_INFO (TxWrap->Packet),
+ IP6_GET_CLIP_INFO (Packet),
+ sizeof (IP6_CLIP_INFO)
+ );
+
+ NetIpSecNetbufFree(Packet);
*Netbuf = TxWrap->Packet;
} else {
@@ -652,11 +671,11 @@ Ip6IpSecProcessPacket (
goto ON_EXIT;
}
- if (Direction == EfiIPsecInBound) {
+ if (Direction == EfiIPsecInBound && 0 != CompareMem (&ZeroHead, *Head, sizeof (EFI_IP6_HEADER))) {
PacketHead = (EFI_IP6_HEADER *) NetbufAllocSpace (
Packet,
- sizeof (EFI_IP6_HEADER) + ExtHdrsLen,
+ sizeof (EFI_IP6_HEADER) + *ExtHdrsLen,
NET_BUF_HEAD
);
if (PacketHead == NULL) {
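Review bot: The added condition `0 != CompareMem (&ZeroHead, *Head, sizeof (EFI_IP6_HEADER))` treats an all-zero IPv6 header as an in-band signal, and nothing in the hunk documents who produces it; the same sentinel is tested again in `Ip6AcceptFrame`. Judging by the comment there, it marks a tunnel-mode packet whose outer header was consumed, presumably by `ProcessExt`. A comment such as `// *Head is zeroed when the outer tunnel header was removed; the caller re-parses the inner packet` would state the contract. When this branch is skipped, `Packet->Ip.Ip6` and the clip info are not set here, so correctness depends on the caller running `Ip6PreProcessPacket` again. The `if` body continues outside the hunk.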
@@ -664,22 +683,22 @@ Ip6IpSecProcessPacket (
goto ON_EXIT;
}
- CopyMem (PacketHead, Head, sizeof (EFI_IP6_HEADER));
+ CopyMem (PacketHead, *Head, sizeof (EFI_IP6_HEADER));
+ *Head = PacketHead;
Packet->Ip.Ip6 = PacketHead;
- if (ExtHdrs != NULL) {
+ if (*ExtHdrs != NULL) {
Buf = (UINT8 *) (PacketHead + 1);
- CopyMem (Buf, ExtHdrs, ExtHdrsLen);
+ CopyMem (Buf, *ExtHdrs, *ExtHdrsLen);
}
- NetbufTrim (Packet, sizeof (EFI_IP6_HEADER) + ExtHdrsLen, TRUE);
+ NetbufTrim (Packet, sizeof (EFI_IP6_HEADER) + *ExtHdrsLen, TRUE);
CopyMem (
IP6_GET_CLIP_INFO (Packet),
IP6_GET_CLIP_INFO (IpSecWrap->Packet),
sizeof (IP6_CLIP_INFO)
);
}
-
*Netbuf = Packet;
}
@@ -688,73 +707,72 @@ ON_EXIT:
}
/**
- The IP6 input routine. It is called by the IP6_INTERFACE when an
- IP6 fragment is received from MNP.
-
- @param[in] Packet The IP6 packet received.
- @param[in] IoStatus The return status of receive request.
- @param[in] Flag The link layer flag for the packet received, such
- as multicast.
- @param[in] Context The IP6 service instance that owns the MNP.
+ Pre-process the IPv6 packet. First validates the IPv6 packet, and
+ then reassembles packet if it is necessary.
+
+ @param[in] IpSb The IP6 service instance.
+ @param[in, out] Packet The received IP6 packet to be processed.
+ @param[in] Flag The link layer flag for the packet received, such
+ as multicast.
+ @param[out] Payload The pointer to the payload of the recieved packet.
+ it starts from the first byte of the extension header.
+ @param[out] LastHead The pointer of NextHeader of the last extension
+ header processed by IP6.
+ @param[out] ExtHdrsLen The length of the whole option.
+ @param[out] UnFragmentLen The length of unfragmented length of extension headers.
+ @param[out] Fragmented Indicate whether the packet is fragmented.
+ @param[out] Head The pointer to the EFI_IP6_Header.
+
+ @retval EFI_SUCCESS The received packet is well format.
+ @retval EFI_INVALID_PARAMETER The received packet is malformed.
**/
-VOID
-Ip6AcceptFrame (
- IN NET_BUF *Packet,
- IN EFI_STATUS IoStatus,
- IN UINT32 Flag,
- IN VOID *Context
+EFI_STATUS
+Ip6PreProcessPacket (
+ IN IP6_SERVICE *IpSb,
+ IN OUT NET_BUF **Packet,
+ IN UINT32 Flag,
+ OUT UINT8 **Payload,
+ OUT UINT8 **LastHead,
+ OUT UINT32 *ExtHdrsLen,
+ OUT UINT32 *UnFragmentLen,
+ OUT BOOLEAN *Fragmented,
+ OUT EFI_IP6_HEADER **Head
+
+
)
{
- IP6_SERVICE *IpSb;
- IP6_CLIP_INFO *Info;
- EFI_IP6_HEADER *Head;
UINT16 PayloadLen;
- UINT8 *Payload;
UINT16 TotalLen;
- UINT8 *LastHead;
UINT32 FormerHeadOffset;
- UINT32 UnFragmentLen;
- UINT32 ExtHdrsLen;
UINT32 HeadLen;
- BOOLEAN Fragmented;
IP6_FRAGMENT_HEADER *FragmentHead;
UINT16 FragmentOffset;
- EFI_STATUS Status;
+ IP6_CLIP_INFO *Info;
EFI_IPv6_ADDRESS Loopback;
- IpSb = (IP6_SERVICE *) Context;
- NET_CHECK_SIGNATURE (IpSb, IP6_SERVICE_SIGNATURE);
-
- Payload = NULL;
-
- //
- // Check input parameters
- //
- if (EFI_ERROR (IoStatus) || (IpSb->State == IP6_SERVICE_DESTROY)) {
- goto Drop;
- }
-
+ HeadLen = 0;
+ PayloadLen = 0;
//
// Check whether the input packet is a valid packet
//
- if (Packet->TotalSize < IP6_MIN_HEADLEN) {
- goto Restart;
+ if ((*Packet)->TotalSize < IP6_MIN_HEADLEN) {
+ return EFI_INVALID_PARAMETER;
}
//
// Get header information of the packet.
//
- Head = (EFI_IP6_HEADER *) NetbufGetByte (Packet, 0, NULL);
- if (Head == NULL) {
- goto Restart;
+ *Head = (EFI_IP6_HEADER *) NetbufGetByte (*Packet, 0, NULL);
+ if (*Head == NULL) {
+ return EFI_INVALID_PARAMETER;
}
//
// Multicast addresses must not be used as source addresses in IPv6 packets.
//
- if ((Head->Version != 6) || (IP6_IS_MULTICAST (&Head->SourceAddress))) {
- goto Restart;
+ if (((*Head)->Version != 6) || (IP6_IS_MULTICAST (&(*Head)->SourceAddress))) {
+ return EFI_INVALID_PARAMETER;
}
//
@@ -762,20 +780,20 @@ Ip6AcceptFrame (
//
ZeroMem (&Loopback, sizeof (EFI_IPv6_ADDRESS));
Loopback.Addr[15] = 0x1;
- if ((CompareMem (&Loopback, &Head->DestinationAddress, sizeof (EFI_IPv6_ADDRESS)) == 0) ||
- (NetIp6IsUnspecifiedAddr (&Head->DestinationAddress))) {
- goto Restart;
+ if ((CompareMem (&Loopback, &(*Head)->DestinationAddress, sizeof (EFI_IPv6_ADDRESS)) == 0) ||
+ (NetIp6IsUnspecifiedAddr (&(*Head)->DestinationAddress))) {
+ return EFI_INVALID_PARAMETER;
}
//
// Convert the IP header to host byte order.
//
- Packet->Ip.Ip6 = Ip6NtohHead (Head);
+ (*Packet)->Ip.Ip6 = Ip6NtohHead (*Head);
//
// Get the per packet info.
//
- Info = IP6_GET_CLIP_INFO (Packet);
+ Info = IP6_GET_CLIP_INFO (*Packet);
Info->LinkFlag = Flag;
Info->CastType = 0;
@@ -783,10 +801,10 @@ Ip6AcceptFrame (
Info->CastType = Ip6Promiscuous;
}
- if (Ip6IsOneOfSetAddress (IpSb, &Head->DestinationAddress, NULL, NULL)) {
+ if (Ip6IsOneOfSetAddress (IpSb, &(*Head)->DestinationAddress, NULL, NULL)) {
Info->CastType = Ip6Unicast;
- } else if (IP6_IS_MULTICAST (&Head->DestinationAddress)) {
- if (Ip6FindMldEntry (IpSb, &Head->DestinationAddress) != NULL) {
+ } else if (IP6_IS_MULTICAST (&(*Head)->DestinationAddress)) {
+ if (Ip6FindMldEntry (IpSb, &(*Head)->DestinationAddress) != NULL) {
Info->CastType = Ip6Multicast;
}
}
@@ -795,11 +813,11 @@ Ip6AcceptFrame (
// Drop the packet that is not delivered to us.
//
if (Info->CastType == 0) {
- goto Restart;
+ return EFI_INVALID_PARAMETER;
}
- PayloadLen = Head->PayloadLength;
+ PayloadLen = (*Head)->PayloadLength;
Info->Start = 0;
Info->Length = PayloadLen;
@@ -813,52 +831,51 @@ Ip6AcceptFrame (
//
// Mnp may deliver frame trailer sequence up, trim it off.
//
- if (TotalLen < Packet->TotalSize) {
- NetbufTrim (Packet, Packet->TotalSize - TotalLen, FALSE);
+ if (TotalLen < (*Packet)->TotalSize) {
+ NetbufTrim (*Packet, (*Packet)->TotalSize - TotalLen, FALSE);
}
- if (TotalLen != Packet->TotalSize) {
- goto Restart;
+ if (TotalLen != (*Packet)->TotalSize) {
+ return EFI_INVALID_PARAMETER;
}
//
// Check the extension headers, if exist validate them
//
if (PayloadLen != 0) {
- Payload = AllocatePool ((UINTN) PayloadLen);
- if (Payload == NULL) {
- goto Restart;
+ *Payload = AllocatePool ((UINTN) PayloadLen);
+ if (*Payload == NULL) {
+ return EFI_INVALID_PARAMETER;
}
- NetbufCopy (Packet, sizeof (EFI_IP6_HEADER), PayloadLen, Payload);
+ NetbufCopy (*Packet, sizeof (EFI_IP6_HEADER), PayloadLen, *Payload);
}
- LastHead = NULL;
if (!Ip6IsExtsValid (
IpSb,
- Packet,
- &Head->NextHeader,
- Payload,
+ *Packet,
+ &(*Head)->NextHeader,
+ *Payload,
(UINT32) PayloadLen,
TRUE,
&FormerHeadOffset,
- &LastHead,
- &ExtHdrsLen,
- &UnFragmentLen,
- &Fragmented
+ LastHead,
+ ExtHdrsLen,
+ UnFragmentLen,
+ Fragmented
)) {
- goto Restart;
+ return EFI_INVALID_PARAMETER;
}
- HeadLen = sizeof (EFI_IP6_HEADER) + UnFragmentLen;
+ HeadLen = sizeof (EFI_IP6_HEADER) + *UnFragmentLen;
- if (Fragmented) {
+ if (*Fragmented) {
//
// Get the fragment offset from the Fragment header
//
- FragmentHead = (IP6_FRAGMENT_HEADER *) NetbufGetByte (Packet, HeadLen, NULL);
+ FragmentHead = (IP6_FRAGMENT_HEADER *) NetbufGetByte (*Packet, HeadLen, NULL);
if (FragmentHead == NULL) {
- goto Restart;
+ return EFI_INVALID_PARAMETER;
}
FragmentOffset = NTOHS (FragmentHead->FragmentOffset);
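Review bot: `*Payload = AllocatePool ((UINTN) PayloadLen);` overwrites the caller's pointer without releasing a buffer it may already hold, and `Ip6AcceptFrame` calls `Ip6PreProcessPacket` a second time with the same `&Payload` after tunnel-mode processing. Unless the IPsec step has freed or replaced that buffer, the first allocation leaks, and when the inner `PayloadLen` is 0 the stale pointer is handed to `Ip6IsExtsValid`. The reassembly branch later in this function already frees `*Payload` before reallocating; the same `if (*Payload != NULL) { FreePool (*Payload); *Payload = NULL; }` ahead of the `PayloadLen != 0` test would make the two paths agree. The allocation failure is also reported as `EFI_INVALID_PARAMETER`; `EFI_OUT_OF_RESOURCES` would describe it, with a matching `@retval` line in the header comment.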
@@ -888,49 +905,49 @@ Ip6AcceptFrame (
// Fragments should in the unit of 8 octets long except the last one.
//
if ((Info->LastFrag == 0) && (Info->Length % 8 != 0)) {
- goto Restart;
+ return EFI_INVALID_PARAMETER;
}
//
// Reassemble the packet.
//
- Packet = Ip6Reassemble (&IpSb->Assemble, Packet);
- if (Packet == NULL) {
- goto Restart;
+ *Packet = Ip6Reassemble (&IpSb->Assemble, *Packet);
+ if (*Packet == NULL) {
+ return EFI_INVALID_PARAMETER;
}
//
// Re-check the assembled packet to get the right values.
//
- Head = Packet->Ip.Ip6;
- PayloadLen = Head->PayloadLength;
+ *Head = (*Packet)->Ip.Ip6;
+ PayloadLen = (*Head)->PayloadLength;
if (PayloadLen != 0) {
- if (Payload != NULL) {
- FreePool (Payload);
+ if (*Payload != NULL) {
+ FreePool (*Payload);
}
- Payload = AllocatePool ((UINTN) PayloadLen);
- if (Payload == NULL) {
- goto Restart;
+ *Payload = AllocatePool ((UINTN) PayloadLen);
+ if (*Payload == NULL) {
+ return EFI_INVALID_PARAMETER;
}
- NetbufCopy (Packet, sizeof (EFI_IP6_HEADER), PayloadLen, Payload);
+ NetbufCopy (*Packet, sizeof (EFI_IP6_HEADER), PayloadLen, *Payload);
}
if (!Ip6IsExtsValid (
IpSb,
- Packet,
- &Head->NextHeader,
- Payload,
+ *Packet,
+ &(*Head)->NextHeader,
+ *Payload,
(UINT32) PayloadLen,
TRUE,
NULL,
- &LastHead,
- &ExtHdrsLen,
- &UnFragmentLen,
- &Fragmented
+ LastHead,
+ ExtHdrsLen,
+ UnFragmentLen,
+ Fragmented
)) {
- goto Restart;
+ return EFI_INVALID_PARAMETER;
}
}
@@ -938,30 +955,109 @@ Ip6AcceptFrame (
// Trim the head off, after this point, the packet is headless.
// and Packet->TotalLen == Info->Length.
//
- NetbufTrim (Packet, sizeof (EFI_IP6_HEADER) + ExtHdrsLen, TRUE);
+ NetbufTrim (*Packet, sizeof (EFI_IP6_HEADER) + *ExtHdrsLen, TRUE);
+
+ return EFI_SUCCESS;
+}
+
+/**
+ The IP6 input routine. It is called by the IP6_INTERFACE when an
+ IP6 fragment is received from MNP.
+
+ @param[in] Packet The IP6 packet received.
+ @param[in] IoStatus The return status of receive request.
+ @param[in] Flag The link layer flag for the packet received, such
+ as multicast.
+ @param[in] Context The IP6 service instance that owns the MNP.
+
+**/
+VOID
+Ip6AcceptFrame (
+ IN NET_BUF *Packet,
+ IN EFI_STATUS IoStatus,
+ IN UINT32 Flag,
+ IN VOID *Context
+ )
+{
+ IP6_SERVICE *IpSb;
+ EFI_IP6_HEADER *Head;
+ UINT8 *Payload;
+ UINT8 *LastHead;
+ UINT32 UnFragmentLen;
+ UINT32 ExtHdrsLen;
+ BOOLEAN Fragmented;
+ EFI_STATUS Status;
+ EFI_IP6_HEADER ZeroHead;
+
+ IpSb = (IP6_SERVICE *) Context;
+ NET_CHECK_SIGNATURE (IpSb, IP6_SERVICE_SIGNATURE);
+
+ Payload = NULL;
+ LastHead = NULL;
//
+ // Check input parameters
+ //
+ if (EFI_ERROR (IoStatus) || (IpSb->State == IP6_SERVICE_DESTROY)) {
+ goto Drop;
+ }
+
+ //
+ // Pre-Process the Ipv6 Packet and then reassemble if it is necessary.
+ //
+ Status = Ip6PreProcessPacket (
+ IpSb,
+ &Packet,
+ Flag,
+ &Payload,
+ &LastHead,
+ &ExtHdrsLen,
+ &UnFragmentLen,
+ &Fragmented,
+ &Head
+ );
+ if (EFI_ERROR (Status)) {
+ goto Restart;
+ }
+ //
// After trim off, the packet is a esp/ah/udp/tcp/icmp6 net buffer,
// and no need consider any other ahead ext headers.
//
Status = Ip6IpSecProcessPacket (
IpSb,
- Head,
+ &Head,
LastHead, // need get the lasthead value for input
&Packet,
- NULL,
- 0,
+ &Payload,
+ &ExtHdrsLen,
EfiIPsecInBound,
NULL
);
- if (EFI_ERROR(Status)) {
+ if (EFI_ERROR (Status)) {
goto Restart;
}
//
- // TODO: may check the last head again, the same as the output routine
- //
+ // If the packet is protected by IPsec Tunnel Mode, Check the Inner Ip Packet.
+ //
+ ZeroMem (&ZeroHead, sizeof (EFI_IP6_HEADER));
+ if (0 == CompareMem (Head, &ZeroHead, sizeof (EFI_IP6_HEADER))) {
+ Status = Ip6PreProcessPacket (
+ IpSb,
+ &Packet,
+ Flag,
+ &Payload,
+ &LastHead,
+ &ExtHdrsLen,
+ &UnFragmentLen,
+ &Fragmented,
+ &Head
+ );
+ if (EFI_ERROR (Status)) {
+ goto Restart;
+ }
+ }
//
// Packet may have been changed. The ownership of the packet
diff --git a/NetworkPkg/Ip6Dxe/Ip6Input.h b/NetworkPkg/Ip6Dxe/Ip6Input.h
index 8594896..4d7ffc1 100644
--- a/NetworkPkg/Ip6Dxe/Ip6Input.h
+++ b/NetworkPkg/Ip6Dxe/Ip6Input.h
@@ -137,39 +137,39 @@ Ip6InstanceDeliverPacket (
);
/**
- The work function to locate IPsec protocol to process the inbound or
- outbound IP packets. The process routine handls the packet with the following
+ The work function to locate the IPsec protocol to process the inbound or
+ outbound IP packets. The process routine handles the packet with the following
actions: bypass the packet, discard the packet, or protect the packet.
@param[in] IpSb The IP6 service instance.
- @param[in] Head The caller supplied IP6 header.
+ @param[in, out] Head The caller-supplied IP6 header.
@param[in, out] LastHead The next header field of last IP header.
@param[in, out] Netbuf The IP6 packet to be processed by IPsec.
- @param[in] ExtHdrs The caller supplied options.
- @param[in] ExtHdrsLen The length of the option.
+ @param[in, out] ExtHdrs The caller-supplied options.
+ @param[in, out] ExtHdrsLen The length of the option.
@param[in] Direction The directionality in an SPD entry,
- EfiIPsecInBound or EfiIPsecOutBound.
+ EfiIPsecInBound, or EfiIPsecOutBound.
@param[in] Context The token's wrap.
@retval EFI_SUCCESS The IPsec protocol is not available or disabled.
- @retval EFI_SUCCESS The packet was bypassed and all buffers remain the same.
+ @retval EFI_SUCCESS The packet was bypassed, and all buffers remain the same.
@retval EFI_SUCCESS The packet was protected.
@retval EFI_ACCESS_DENIED The packet was discarded.
@retval EFI_OUT_OF_RESOURCES There are not suffcient resources to complete the operation.
- @retval EFI_BUFFER_TOO_SMALL The number of non-empty block is bigger than the
+ @retval EFI_BUFFER_TOO_SMALL The number of non-empty blocks is bigger than the
number of input data blocks when building a fragment table.
**/
EFI_STATUS
Ip6IpSecProcessPacket (
- IN IP6_SERVICE *IpSb,
- IN EFI_IP6_HEADER *Head,
- IN OUT UINT8 *LastHead,
- IN OUT NET_BUF **Netbuf,
- IN VOID *ExtHdrs,
- IN UINT32 ExtHdrsLen,
- IN EFI_IPSEC_TRAFFIC_DIR Direction,
- IN VOID *Context
+ IN IP6_SERVICE *IpSb,
+ IN OUT EFI_IP6_HEADER **Head,
+ IN OUT UINT8 *LastHead,
+ IN OUT NET_BUF **Netbuf,
+ IN OUT UINT8 **ExtHdrs,
+ IN OUT UINT32 *ExtHdrsLen,
+ IN EFI_IPSEC_TRAFFIC_DIR Direction,
+ IN VOID *Context
);
/**
diff --git a/NetworkPkg/Ip6Dxe/Ip6Output.c b/NetworkPkg/Ip6Dxe/Ip6Output.c
index baa4904..ecbaf2d 100644
--- a/NetworkPkg/Ip6Dxe/Ip6Output.c
+++ b/NetworkPkg/Ip6Dxe/Ip6Output.c
@@ -638,11 +638,11 @@ Ip6Output (
Status = Ip6IpSecProcessPacket (
IpSb,
- Head,
+ &Head,
LastHeader, // no need get the lasthead value for output
&Packet,
- ExtHdrs,
- ExtHdrsLen,
+ &ExtHdrs,
+ &ExtHdrsLen,
EfiIPsecOutBound,
Context
);
diff --git a/NetworkPkg/IpSecDxe/IpSecConfigImpl.c b/NetworkPkg/IpSecDxe/IpSecConfigImpl.c
index e671e42..0b52a49 100644
--- a/NetworkPkg/IpSecDxe/IpSecConfigImpl.c
+++ b/NetworkPkg/IpSecDxe/IpSecConfigImpl.c
@@ -2365,7 +2365,7 @@ EfiIpSecConfigGetNextSelector (
NET_LIST_FOR_EACH (Link, &mConfigData[DataType]) {
CommonEntry = BASE_CR (Link, IPSEC_COMMON_POLICY_ENTRY, List);
- if (IsFound || mIsZeroSelector[DataType](Selector)) {
+ if (IsFound || (BOOLEAN)(mIsZeroSelector[DataType](Selector))) {
//
// If found the appointed entry, then duplicate the next one and return,
// or if the appointed entry is zero, then return the first one directly.
diff --git a/NetworkPkg/IpSecDxe/IpSecCryptIo.c b/NetworkPkg/IpSecDxe/IpSecCryptIo.c
index 7011f98..93b69a6 100644
--- a/NetworkPkg/IpSecDxe/IpSecCryptIo.c
+++ b/NetworkPkg/IpSecDxe/IpSecCryptIo.c
@@ -18,15 +18,15 @@
// Alogrithm's informations for the Encrypt/Decrpt Alogrithm.
//
ENCRYPT_ALGORITHM mIpsecEncryptAlgorithmList[IPSEC_ENCRYPT_ALGORITHM_LIST_SIZE] = {
- {EFI_IPSEC_EALG_NULL, 0, 0, 1, NULL, NULL, NULL, NULL},
+ {IKE_EALG_NULL, 0, 0, 1, NULL, NULL, NULL, NULL},
{(UINT8)-1, 0, 0, 0, NULL, NULL, NULL, NULL}
};
//
// Alogrithm's informations for the Authentication algorithm
//
AUTH_ALGORITHM mIpsecAuthAlgorithmList[IPSEC_AUTH_ALGORITHM_LIST_SIZE] = {
- {EFI_IPSEC_AALG_NONE, 0, 0, 0, NULL, NULL, NULL, NULL},
- {EFI_IPSEC_AALG_NULL, 0, 0, 0, NULL, NULL, NULL, NULL},
+ {IKE_AALG_NONE, 0, 0, 0, NULL, NULL, NULL, NULL},
+ {IKE_AALG_NULL, 0, 0, 0, NULL, NULL, NULL, NULL},
{(UINT8)-1, 0, 0, 0, NULL, NULL, NULL, NULL}
};
diff --git a/NetworkPkg/IpSecDxe/IpSecCryptIo.h b/NetworkPkg/IpSecDxe/IpSecCryptIo.h
index d883a2e..ddceb12 100644
--- a/NetworkPkg/IpSecDxe/IpSecCryptIo.h
+++ b/NetworkPkg/IpSecDxe/IpSecCryptIo.h
@@ -22,6 +22,23 @@
#define IPSEC_ENCRYPT_ALGORITHM_LIST_SIZE 2
#define IPSEC_AUTH_ALGORITHM_LIST_SIZE 3
+///
+/// Authentication Algorithm Definition
+/// The number value definition is aligned to IANA assignment
+///
+#define IKE_AALG_NONE 0x00
+#define IKE_AALG_SHA1HMAC 0x02
+#define IKE_AALG_NULL 0xFB
+
+///
+/// Encryption Algorithm Definition
+/// The number value definition is aligned to IANA assignment
+///
+#define IKE_EALG_NONE 0x00
+#define IKE_EALG_3DESCBC 0x03
+#define IKE_EALG_NULL 0x0B
+#define IKE_EALG_AESCBC 0x0C
+
/**
Prototype of Hash GetContextSize.
diff --git a/NetworkPkg/IpSecDxe/IpSecDriver.c b/NetworkPkg/IpSecDxe/IpSecDriver.c
index b38f2a9..00fb26f 100644
--- a/NetworkPkg/IpSecDxe/IpSecDriver.c
+++ b/NetworkPkg/IpSecDxe/IpSecDriver.c
@@ -174,7 +174,7 @@ IpSecDriverEntryPoint (
{
EFI_STATUS Status;
IPSEC_PRIVATE_DATA *Private;
- EFI_IPSEC_PROTOCOL *IpSec;
+ EFI_IPSEC2_PROTOCOL *IpSec;
//
// Check whether ipsec protocol has already been installed.
@@ -218,7 +218,7 @@ IpSecDriverEntryPoint (
Private->Signature = IPSEC_PRIVATE_DATA_SIGNATURE;
Private->ImageHandle = ImageHandle;
- CopyMem (&Private->IpSec, &mIpSecInstance, sizeof (EFI_IPSEC_PROTOCOL));
+ CopyMem (&Private->IpSec, &mIpSecInstance, sizeof (EFI_IPSEC2_PROTOCOL));
//
// Initilize Private's members. Thess members is used for IKE.
diff --git a/NetworkPkg/IpSecDxe/IpSecImpl.c b/NetworkPkg/IpSecDxe/IpSecImpl.c
index 15884ae..b693eb9 100644
--- a/NetworkPkg/IpSecDxe/IpSecImpl.c
+++ b/NetworkPkg/IpSecDxe/IpSecImpl.c
@@ -15,7 +15,7 @@
#include "IpSecConfigImpl.h"
-EFI_IPSEC_PROTOCOL mIpSecInstance = { IpSecProcess, NULL, TRUE };
+EFI_IPSEC2_PROTOCOL mIpSecInstance = { IpSecProcess, NULL, TRUE };
extern LIST_ENTRY mConfigData[IPsecConfigDataTypeMaximum];
@@ -656,11 +656,11 @@ IpSecLookupSpdEntry (
@param[in] NicHandle Instance of the network interface.
@param[in] IpVersion IPV4 or IPV6.
@param[in, out] IpHead Pointer to the IP Header.
- @param[in] LastHead The protocol of the next layer to be processed by IPsec.
- @param[in] OptionsBuffer Pointer to the options buffer.
- @param[in] OptionsLength Length of the options buffer.
+ @param[in, out] LastHead The protocol of the next layer to be processed by IPsec.
+ @param[in, out] OptionsBuffer Pointer to the options buffer.
+ @param[in, out] OptionsLength Length of the options buffer.
@param[in, out] FragmentTable Pointer to a list of fragments.
- @param[in] FragmentCount Number of fragments.
+ @param[in, out] FragmentCount Number of fragments.
@param[in] TrafficDirection Traffic direction.
@param[out] RecycleSignal Event for recycling of resources.
@@ -672,15 +672,15 @@ IpSecLookupSpdEntry (
EFI_STATUS
EFIAPI
IpSecProcess (
- IN EFI_IPSEC_PROTOCOL *This,
+ IN EFI_IPSEC2_PROTOCOL *This,
IN EFI_HANDLE NicHandle,
IN UINT8 IpVersion,
IN OUT VOID *IpHead,
- IN UINT8 *LastHead,
- IN VOID *OptionsBuffer,
- IN UINT32 OptionsLength,
+ IN OUT UINT8 *LastHead,
+ IN OUT VOID **OptionsBuffer,
+ IN OUT UINT32 *OptionsLength,
IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable,
- IN UINT32 *FragmentCount,
+ IN OUT UINT32 *FragmentCount,
IN EFI_IPSEC_TRAFFIC_DIR TrafficDirection,
OUT EFI_EVENT *RecycleSignal
)
diff --git a/NetworkPkg/IpSecDxe/IpSecImpl.h b/NetworkPkg/IpSecDxe/IpSecImpl.h
index 644c658..8449446 100644
--- a/NetworkPkg/IpSecDxe/IpSecImpl.h
+++ b/NetworkPkg/IpSecDxe/IpSecImpl.h
@@ -88,16 +88,19 @@ struct _IPSEC_SPD_ENTRY {
};
typedef struct _IPSEC_SAD_DATA {
- EFI_IPSEC_MODE Mode;
- UINT64 SequenceNumber;
- UINT8 AntiReplayWindowSize;
- UINT64 AntiReplayBitmap[4]; // bitmap for received packet
- EFI_IPSEC_ALGO_INFO AlgoInfo;
- EFI_IPSEC_SA_LIFETIME SaLifetime;
- UINT32 PathMTU;
- IPSEC_SPD_ENTRY *SpdEntry;
- BOOLEAN ESNEnabled; // Extended (64-bit) SN enabled
- BOOLEAN ManualSet;
+ EFI_IPSEC_MODE Mode;
+ UINT64 SequenceNumber;
+ UINT8 AntiReplayWindowSize;
+ UINT64 AntiReplayBitmap[4]; // bitmap for received packet
+ EFI_IPSEC_ALGO_INFO AlgoInfo;
+ EFI_IPSEC_SA_LIFETIME SaLifetime;
+ UINT32 PathMTU;
+ IPSEC_SPD_ENTRY *SpdEntry;
+ EFI_IPSEC_SPD_SELECTOR *SpdSelector;
+ BOOLEAN ESNEnabled; // Extended (64-bit) SN enabled
+ BOOLEAN ManualSet;
+ EFI_IP_ADDRESS TunnelDestAddress;
+ EFI_IP_ADDRESS TunnelSourceAddress;
} IPSEC_SAD_DATA;
typedef struct _IPSEC_SAD_ENTRY {
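Review bot: The new `SpdSelector` pointer in `IPSEC_SAD_DATA` carries no comment saying who owns the pointed-to selector. If the SAD entry allocates it, the entry's free path has to release it; if it aliases storage belonging to an SPD entry, removing that SPD entry must not leave it dangling. Neither is visible in this hunk. A trailing comment in the style of the `AntiReplayBitmap` and `ESNEnabled` lines, stating ownership for `SpdSelector` and when `TunnelDestAddress` and `TunnelSourceAddress` are valid (presumably tunnel mode only), would settle it for the next reader.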
@@ -122,7 +125,7 @@ struct _IPSEC_PRIVATE_DATA {
UINT32 Signature;
EFI_HANDLE Handle; // Virtual handle to install private prtocol
EFI_HANDLE ImageHandle;
- EFI_IPSEC_PROTOCOL IpSec;
+ EFI_IPSEC2_PROTOCOL IpSec;
EFI_IPSEC_CONFIG_PROTOCOL IpSecConfig;
BOOLEAN SetBySelf;
LIST_ENTRY Udp4List;
@@ -146,13 +149,13 @@ struct _IPSEC_PRIVATE_DATA {
@param[in, out] IpHead Points to IP header containing the ESP/AH header
to be trimed on input, and without ESP/AH header
on return.
- @param[in] LastHead The Last Header in IP header on return.
- @param[in] OptionsBuffer Pointer to the options buffer. It is optional.
- @param[in] OptionsLength Length of the options buffer. It is optional.
+ @param[out] LastHead The Last Header in IP header on return.
+ @param[in, out] OptionsBuffer Pointer to the options buffer. It is optional.
+ @param[in, out] OptionsLength Length of the options buffer. It is optional.
@param[in, out] FragmentTable Pointer to a list of fragments in the form of IPsec
protected on input, and without IPsec protected
on return.
- @param[in] FragmentCount Number of fragments.
+ @param[in, out] FragmentCount Number of fragments.
@param[out] SpdEntry Pointer to contain the address of SPD entry on return.
@param[out] RecycleEvent Event for recycling of resources.
@@ -164,11 +167,11 @@ EFI_STATUS
IpSecProtectInboundPacket (
IN UINT8 IpVersion,
IN OUT VOID *IpHead,
- IN UINT8 *LastHead,
- IN VOID *OptionsBuffer, OPTIONAL
- IN UINT32 OptionsLength, OPTIONAL
+ OUT UINT8 *LastHead,
+ IN OUT VOID **OptionsBuffer, OPTIONAL
+ IN OUT UINT32 *OptionsLength, OPTIONAL
IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable,
- IN UINT32 *FragmentCount,
+ IN OUT UINT32 *FragmentCount,
OUT IPSEC_SPD_ENTRY **SpdEntry,
OUT EFI_EVENT *RecycleEvent
);
@@ -184,13 +187,13 @@ IpSecProtectInboundPacket (
@param[in, out] IpHead Point to IP header containing the orginal IP header
to be processed on input, and inserted ESP/AH header
on return.
- @param[in] LastHead The Last Header in IP header.
- @param[in] OptionsBuffer Pointer to the options buffer. It is optional.
- @param[in] OptionsLength Length of the options buffer. It is optional.
+ @param[in, out] LastHead The Last Header in IP header.
+ @param[in, out] OptionsBuffer Pointer to the options buffer. It is optional.
+ @param[in, out] OptionsLength Length of the options buffer. It is optional.
@param[in, out] FragmentTable Pointer to a list of fragments to be protected by
IPsec on input, and with IPsec protected
on return.
- @param[in] FragmentCount Number of fragments.
+ @param[in, out] FragmentCount Number of fragments.
@param[in] SadEntry Related SAD entry.
@param[out] RecycleEvent Event for recycling of resources.
@@ -202,11 +205,11 @@ EFI_STATUS
IpSecProtectOutboundPacket (
IN UINT8 IpVersion,
IN OUT VOID *IpHead,
- IN UINT8 *LastHead,
- IN VOID *OptionsBuffer, OPTIONAL
- IN UINT32 OptionsLength, OPTIONAL
+ IN OUT UINT8 *LastHead,
+ IN OUT VOID **OptionsBuffer, OPTIONAL
+ IN OUT UINT32 *OptionsLength, OPTIONAL
IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable,
- IN UINT32 *FragmentCount,
+ IN OUT UINT32 *FragmentCount,
IN IPSEC_SAD_ENTRY *SadEntry,
OUT EFI_EVENT *RecycleEvent
);
@@ -274,11 +277,11 @@ IpSecLookupSadBySpi (
@param[in] NicHandle Instance of the network interface.
@param[in] IpVersion IPV4 or IPV6.
@param[in, out] IpHead Pointer to the IP Header.
- @param[in] LastHead The protocol of the next layer to be processed by IPsec.
- @param[in] OptionsBuffer Pointer to the options buffer.
- @param[in] OptionsLength Length of the options buffer.
+ @param[in, out] LastHead The protocol of the next layer to be processed by IPsec.
+ @param[in, out] OptionsBuffer Pointer to the options buffer.
+ @param[in, out] OptionsLength Length of the options buffer.
@param[in, out] FragmentTable Pointer to a list of fragments.
- @param[in] FragmentCount Number of fragments.
+ @param[in, out] FragmentCount Number of fragments.
@param[in] TrafficDirection Traffic direction.
@param[out] RecycleSignal Event for recycling of resources.
@@ -290,21 +293,21 @@ IpSecLookupSadBySpi (
EFI_STATUS
EFIAPI
IpSecProcess (
- IN EFI_IPSEC_PROTOCOL *This,
+ IN EFI_IPSEC2_PROTOCOL *This,
IN EFI_HANDLE NicHandle,
IN UINT8 IpVersion,
IN OUT VOID *IpHead,
- IN UINT8 *LastHead,
- IN VOID *OptionsBuffer,
- IN UINT32 OptionsLength,
+ IN OUT UINT8 *LastHead,
+ IN OUT VOID **OptionsBuffer,
+ IN OUT UINT32 *OptionsLength,
IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable,
- IN UINT32 *FragmentCount,
+ IN OUT UINT32 *FragmentCount,
IN EFI_IPSEC_TRAFFIC_DIR TrafficDirection,
OUT EFI_EVENT *RecycleSignal
);
extern EFI_DPC_PROTOCOL *mDpc;
-extern EFI_IPSEC_PROTOCOL mIpSecInstance;
+extern EFI_IPSEC2_PROTOCOL mIpSecInstance;
extern EFI_COMPONENT_NAME2_PROTOCOL gIpSecComponentName2;
extern EFI_COMPONENT_NAME_PROTOCOL gIpSecComponentName;
diff --git a/NetworkPkg/IpSecDxe/IpSecSaEngine.c b/NetworkPkg/IpSecDxe/IpSecSaEngine.c
index 8abf4d6..b556b24 100644
--- a/NetworkPkg/IpSecDxe/IpSecSaEngine.c
+++ b/NetworkPkg/IpSecDxe/IpSecSaEngine.c
@@ -124,8 +124,8 @@ IpSecAuthPayload (
)
{
switch (AuthAlgId) {
- case EFI_IPSEC_AALG_NONE :
- case EFI_IPSEC_AALG_NULL :
+ case IKE_AALG_NONE :
+ case IKE_AALG_NULL :
return EFI_SUCCESS;
default:
@@ -222,15 +222,15 @@ IpSecEspDecryptPayload (
EFI_ESP_TAIL *EspTail;
switch (SadEntry->Data->AlgoInfo.EspAlgoInfo.EncAlgoId) {
- case EFI_IPSEC_EALG_NULL:
+ case IKE_EALG_NULL:
EspTail = (EFI_ESP_TAIL *) (PayloadBuffer + EncryptSize - sizeof (EFI_ESP_TAIL));
*PaddingSize = EspTail->PaddingLength;
*NextHeader = EspTail->NextHeader;
*PlainPayloadSize = EncryptSize - EspTail->PaddingLength - sizeof (EFI_ESP_TAIL);
break;
- case EFI_IPSEC_EALG_3DESCBC:
- case EFI_IPSEC_EALG_AESCBC:
+ case IKE_EALG_3DESCBC:
+ case IKE_EALG_AESCBC:
//
// TODO: support these algorithm
//
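Review bot: In the `IKE_EALG_NULL` branch, `EspTail` is placed at `PayloadBuffer + EncryptSize - sizeof (EFI_ESP_TAIL)` and `*PlainPayloadSize` is computed as `EncryptSize - EspTail->PaddingLength - sizeof (EFI_ESP_TAIL)` with no bound check visible; these lines are unchanged, the commit only renames the case labels. `PaddingLength` is presumably read from the received packet, so a value larger than the remaining payload would make the subtraction wrap if the sizes are unsigned, and an `EncryptSize` smaller than the tail would place `EspTail` before the buffer. Unless the caller already validates this (the function starts outside the hunk), the branch should first reject `EncryptSize < sizeof (EFI_ESP_TAIL)` and then reject `EspTail->PaddingLength > EncryptSize - sizeof (EFI_ESP_TAIL)` before using either value.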
@@ -269,11 +269,11 @@ IpSecEspEncryptPayload (
)
{
switch (SadEntry->Data->AlgoInfo.EspAlgoInfo.EncAlgoId) {
- case EFI_IPSEC_EALG_NULL:
+ case IKE_EALG_NULL:
return EFI_SUCCESS;
- case EFI_IPSEC_EALG_3DESCBC:
- case EFI_IPSEC_EALG_AESCBC:
+ case IKE_EALG_3DESCBC:
+ case IKE_EALG_AESCBC:
//
// TODO: support these algorithms
//
@@ -296,12 +296,12 @@ IpSecEspEncryptPayload (
to be trimed on input, and without ESP header
on return.
@param[out] LastHead The Last Header in IP header on return.
- @param[in] OptionsBuffer Pointer to the options buffer. It is optional.
- @param[in] OptionsLength Length of the options buffer. It is optional.
+ @param[in, out] OptionsBuffer Pointer to the options buffer. It is optional.
+ @param[in, out] OptionsLength Length of the options buffer. It is optional.
@param[in, out] FragmentTable Pointer to a list of fragments in the form of IPsec
protected on input, and without IPsec protected
on return.
- @param[in] FragmentCount The number of fragments.
+ @param[in, out] FragmentCount The number of fragments.
@param[out] SpdEntry Pointer to contain the address of SPD entry on return.
@param[out] RecycleEvent The event for recycling of resources.
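Review bot: The `OptionsBuffer` and `OptionsLength` entries are now marked `[in, out]` but keep the old one-line descriptions, so the comment does not say what is written back or whether the caller may still pass NULL. The signature in the next hunk changes them to `VOID **` and `UINT32 *` while keeping `OPTIONAL`, so a reader cannot tell whether the function replaces the buffer or who owns the result. I would reword along the lines of `@param[in, out] OptionsBuffer  Address of the pointer to the options buffer; may be updated on return. Optional, may be NULL.` and the matching text for `OptionsLength`, once the actual behaviour is confirmed against the body, which is outside this hunk. The same applies to the comment blocks for `IpSecEspOutboundPacket`, `IpSecProtectInboundPacket` and `IpSecProtectOutboundPacket` in the later hunks. Each implementation should check the outer pointer for NULL before dereferencing it.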
@@ -318,10 +318,10 @@ IpSecEspInboundPacket (
IN UINT8 IpVersion,
IN OUT VOID *IpHead,
OUT UINT8 *LastHead,
- IN VOID *OptionsBuffer, OPTIONAL
- IN UINT32 OptionsLength, OPTIONAL
+ IN OUT VOID **OptionsBuffer, OPTIONAL
+ IN OUT UINT32 *OptionsLength, OPTIONAL
IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable,
- IN UINT32 *FragmentCount,
+ IN OUT UINT32 *FragmentCount,
OUT IPSEC_SPD_ENTRY **SpdEntry,
OUT EFI_EVENT *RecycleEvent
)
@@ -558,13 +558,13 @@ ON_EXIT:
@param[in, out] IpHead Points to IP header containing the orginal IP header
to be processed on input, and inserted ESP header
on return.
- @param[in] LastHead The Last Header in IP header.
- @param[in] OptionsBuffer Pointer to the options buffer. It is optional.
- @param[in] OptionsLength Length of the options buffer. It is optional.
+ @param[in, out] LastHead The Last Header in IP header.
+ @param[in, out] OptionsBuffer Pointer to the options buffer. It is optional.
+ @param[in, out] OptionsLength Length of the options buffer. It is optional.
@param[in, out] FragmentTable Pointer to a list of fragments to be protected by
IPsec on input, and with IPsec protected
on return.
- @param[in] FragmentCount The number of fragments.
+ @param[in, out] FragmentCount The number of fragments.
@param[in] SadEntry The related SAD entry.
@param[out] RecycleEvent The event for recycling of resources.
@@ -576,11 +576,11 @@ EFI_STATUS
IpSecEspOutboundPacket (
IN UINT8 IpVersion,
IN OUT VOID *IpHead,
- IN UINT8 *LastHead,
- IN VOID *OptionsBuffer, OPTIONAL
- IN UINT32 OptionsLength, OPTIONAL
+ IN OUT UINT8 *LastHead,
+ IN OUT VOID **OptionsBuffer, OPTIONAL
+ IN OUT UINT32 *OptionsLength, OPTIONAL
IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable,
- IN UINT32 *FragmentCount,
+ IN OUT UINT32 *FragmentCount,
IN IPSEC_SAD_ENTRY *SadEntry,
OUT EFI_EVENT *RecycleEvent
)
@@ -825,29 +825,29 @@ ON_EXIT:
@param[in, out] IpHead Points to IP header containing the ESP/AH header
to be trimed on input, and without ESP/AH header
on return.
- @param[in] LastHead The Last Header in IP header on return.
- @param[in] OptionsBuffer Pointer to the options buffer. It is optional.
- @param[in] OptionsLength Length of the options buffer. It is optional.
- @param[in, out] FragmentTable Pointer to a list of fragments in form of IPsec
+ @param[out] LastHead The Last Header in IP header on return.
+ @param[in, out] OptionsBuffer Pointer to the options buffer. It is optional.
+ @param[in, out] OptionsLength Length of the options buffer. It is optional.
+ @param[in, out] FragmentTable Pointer to a list of fragments in the form of IPsec
protected on input, and without IPsec protected
on return.
- @param[in] FragmentCount The number of fragments.
+ @param[in, out] FragmentCount Number of fragments.
@param[out] SpdEntry Pointer to contain the address of SPD entry on return.
- @param[out] RecycleEvent The event for recycling of resources.
+ @param[out] RecycleEvent Event for recycling of resources.
- @retval EFI_SUCCESS The operation was successful.
- @retval EFI_UNSUPPORTED The IPSEC protocol is not supported.
+ @retval EFI_SUCCESS The operation is successful.
+ @retval EFI_UNSUPPORTED If the IPSEC protocol is not supported.
**/
EFI_STATUS
IpSecProtectInboundPacket (
IN UINT8 IpVersion,
IN OUT VOID *IpHead,
- IN UINT8 *LastHead,
- IN VOID *OptionsBuffer, OPTIONAL
- IN UINT32 OptionsLength, OPTIONAL
+ OUT UINT8 *LastHead,
+ IN OUT VOID **OptionsBuffer, OPTIONAL
+ IN OUT UINT32 *OptionsLength, OPTIONAL
IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable,
- IN UINT32 *FragmentCount,
+ IN OUT UINT32 *FragmentCount,
OUT IPSEC_SPD_ENTRY **SpdEntry,
OUT EFI_EVENT *RecycleEvent
)
@@ -875,26 +875,26 @@ IpSecProtectInboundPacket (
}
/**
- This function processes the output traffic with IPsec.
+ This fucntion processes the output traffic with IPsec.
It protected the sending packet by encrypting it payload and inserting ESP/AH header
- in the orginal IP header, then returns the IpHeader and IPsec protected Fragmentable.
+ in the orginal IP header, then return the IpHeader and IPsec protected Fragmentable.
@param[in] IpVersion The version of IP.
- @param[in, out] IpHead Points to IP header containing the orginal IP header
+ @param[in, out] IpHead Point to IP header containing the orginal IP header
to be processed on input, and inserted ESP/AH header
on return.
- @param[in] LastHead The Last Header in the IP header.
- @param[in] OptionsBuffer Pointer to the options buffer. It is optional.
- @param[in] OptionsLength Length of the options buffer. It is optional.
+ @param[in, out] LastHead The Last Header in IP header.
+ @param[in, out] OptionsBuffer Pointer to the options buffer. It is optional.
+ @param[in, out] OptionsLength Length of the options buffer. It is optional.
@param[in, out] FragmentTable Pointer to a list of fragments to be protected by
IPsec on input, and with IPsec protected
on return.
- @param[in] FragmentCount The number of fragments.
- @param[in] SadEntry The related SAD entry.
- @param[out] RecycleEvent The event for recycling of resources.
+ @param[in, out] FragmentCount Number of fragments.
+ @param[in] SadEntry Related SAD entry.
+ @param[out] RecycleEvent Event for recycling of resources.
- @retval EFI_SUCCESS The operation was successful.
+ @retval EFI_SUCCESS The operation is successful.
@retval EFI_UNSUPPORTED If the IPSEC protocol is not supported.
**/
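Review bot: The rewritten header comment for `IpSecProtectOutboundPacket` introduces a typo and drops grammar that the removed lines had right. `This fucntion processes` should stay `This function processes`, `then return the IpHeader` should stay `then returns the IpHeader`, and `Point to IP header` should stay `Points to IP header`. Only the `[in]` to `[in, out]` direction tags on `LastHead`, `OptionsBuffer`, `OptionsLength` and `FragmentCount` need to change in this block. The existing `orginal` in the surrounding lines could be corrected to `original` at the same time.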
@@ -902,11 +902,11 @@ EFI_STATUS
IpSecProtectOutboundPacket (
IN UINT8 IpVersion,
IN OUT VOID *IpHead,
- IN UINT8 *LastHead,
- IN VOID *OptionsBuffer, OPTIONAL
- IN UINT32 OptionsLength, OPTIONAL
+ IN OUT UINT8 *LastHead,
+ IN OUT VOID **OptionsBuffer, OPTIONAL
+ IN OUT UINT32 *OptionsLength, OPTIONAL
IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable,
- IN UINT32 *FragmentCount,
+ IN OUT UINT32 *FragmentCount,
IN IPSEC_SAD_ENTRY *SadEntry,
OUT EFI_EVENT *RecycleEvent
)