2 The implementation of the policy entry operation functions in the IpSecConfig application.
4 Copyright (c) 2009 - 2012, Intel Corporation. All rights reserved.<BR>
6 This program and the accompanying materials
7 are licensed and made available under the terms and conditions of the BSD License
8 which accompanies this distribution. The full text of the license may be found at
9 http://opensource.org/licenses/bsd-license.php.
11 THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
12 WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
16 #include "IpSecConfig.h"
21 #include "PolicyEntryOperation.h"
24 Fill in EFI_IPSEC_SPD_SELECTOR through ParamPackage list.
26 @param[out] Selector The pointer to the EFI_IPSEC_SPD_SELECTOR structure.
27 @param[in] ParamPackage The pointer to the ParamPackage list.
28 @param[in, out] Mask The pointer to the Mask.
30 @retval EFI_SUCCESS Fill in EFI_IPSEC_SPD_SELECTOR successfully.
31 @retval EFI_INVALID_PARAMETER Invalid user input parameter.
36 OUT EFI_IPSEC_SPD_SELECTOR
*Selector
,
37 IN LIST_ENTRY
*ParamPackage
,
42 EFI_STATUS ReturnStatus
;
43 CONST CHAR16
*ValueStr
;
46 ReturnStatus
= EFI_SUCCESS
;
49 // Convert user input from string to integer, and fill in the member in EFI_IPSEC_SPD_SELECTOR.
51 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--local");
52 if (ValueStr
!= NULL
) {
53 Selector
->LocalAddressCount
= 1;
54 Status
= EfiInetAddrRange ((CHAR16
*) ValueStr
, Selector
->LocalAddress
);
55 if (EFI_ERROR (Status
)) {
60 STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE
),
66 ReturnStatus
= EFI_INVALID_PARAMETER
;
73 // Convert user input from string to integer, and fill in the member in EFI_IPSEC_SPD_SELECTOR.
75 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--remote");
76 if (ValueStr
!= NULL
) {
77 Selector
->RemoteAddressCount
= 1;
78 Status
= EfiInetAddrRange ((CHAR16
*) ValueStr
, Selector
->RemoteAddress
);
79 if (EFI_ERROR (Status
)) {
84 STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE
),
90 ReturnStatus
= EFI_INVALID_PARAMETER
;
96 Selector
->NextLayerProtocol
= EFI_IPSEC_ANY_PROTOCOL
;
99 // Convert user input from string to integer, and fill in the member in EFI_IPSEC_SPD_SELECTOR.
104 &Selector
->NextLayerProtocol
,
108 FORMAT_NUMBER
| FORMAT_STRING
110 if (!EFI_ERROR (Status
)) {
114 if (Status
== EFI_INVALID_PARAMETER
) {
115 ReturnStatus
= EFI_INVALID_PARAMETER
;
118 Selector
->LocalPort
= EFI_IPSEC_ANY_PORT
;
119 Selector
->RemotePort
= EFI_IPSEC_ANY_PORT
;
122 // Convert user input from string to integer, and fill in the member in EFI_IPSEC_SPD_SELECTOR.
124 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--local-port");
125 if (ValueStr
!= NULL
) {
126 Status
= EfiInetPortRange ((CHAR16
*) ValueStr
, &Selector
->LocalPort
, &Selector
->LocalPortRange
);
127 if (EFI_ERROR (Status
)) {
132 STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE
),
138 ReturnStatus
= EFI_INVALID_PARAMETER
;
145 // Convert user input from string to integer, and fill in the member in EFI_IPSEC_SPD_SELECTOR.
147 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--remote-port");
148 if (ValueStr
!= NULL
) {
149 Status
= EfiInetPortRange ((CHAR16
*) ValueStr
, &Selector
->RemotePort
, &Selector
->RemotePortRange
);
150 if (EFI_ERROR (Status
)) {
155 STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE
),
161 ReturnStatus
= EFI_INVALID_PARAMETER
;
163 *Mask
|= REMOTE_PORT
;
168 // Convert user input from string to integer, and fill in the member in EFI_IPSEC_SPD_SELECTOR.
173 &Selector
->LocalPort
,
179 if (!EFI_ERROR (Status
)) {
183 if (Status
== EFI_INVALID_PARAMETER
) {
184 ReturnStatus
= EFI_INVALID_PARAMETER
;
188 // Convert user input from string to integer, and fill in the member in EFI_IPSEC_SPD_SELECTOR.
193 &Selector
->RemotePort
,
199 if (!EFI_ERROR (Status
)) {
203 if (Status
== EFI_INVALID_PARAMETER
) {
204 ReturnStatus
= EFI_INVALID_PARAMETER
;
211 Fill in EFI_IPSEC_SPD_SELECTOR and EFI_IPSEC_SPD_DATA through ParamPackage list.
213 @param[out] Selector The pointer to the EFI_IPSEC_SPD_SELECTOR structure.
214 @param[out] Data The pointer to the EFI_IPSEC_SPD_DATA structure.
215 @param[in] ParamPackage The pointer to the ParamPackage list.
216 @param[out] Mask The pointer to the Mask.
217 @param[in] CreateNew The switch to create new.
219 @retval EFI_SUCCESS Fill in EFI_IPSEC_SPD_SELECTOR and EFI_IPSEC_SPD_DATA successfully.
220 @retval EFI_INVALID_PARAMETER Invalid user input parameter.
225 OUT EFI_IPSEC_SPD_SELECTOR
**Selector
,
226 OUT EFI_IPSEC_SPD_DATA
**Data
,
227 IN LIST_ENTRY
*ParamPackage
,
233 EFI_STATUS ReturnStatus
;
234 CONST CHAR16
*ValueStr
;
237 Status
= EFI_SUCCESS
;
240 *Selector
= AllocateZeroPool (sizeof (EFI_IPSEC_SPD_SELECTOR
) + 2 * sizeof (EFI_IP_ADDRESS_INFO
));
241 ASSERT (*Selector
!= NULL
);
243 (*Selector
)->LocalAddress
= (EFI_IP_ADDRESS_INFO
*) (*Selector
+ 1);
244 (*Selector
)->RemoteAddress
= (*Selector
)->LocalAddress
+ 1;
246 ReturnStatus
= CreateSpdSelector (*Selector
, ParamPackage
, Mask
);
250 // NOTE: Allocate enough memory and add padding so the layout stays aligned on different architectures.
252 DataSize
= ALIGN_VARIABLE (sizeof (EFI_IPSEC_SPD_DATA
));
253 DataSize
= ALIGN_VARIABLE (DataSize
+ sizeof (EFI_IPSEC_PROCESS_POLICY
));
254 DataSize
+= sizeof (EFI_IPSEC_TUNNEL_OPTION
);
256 *Data
= AllocateZeroPool (DataSize
);
257 ASSERT (*Data
!= NULL
);
259 (*Data
)->ProcessingPolicy
= (EFI_IPSEC_PROCESS_POLICY
*) ALIGN_POINTER (
263 (*Data
)->ProcessingPolicy
->TunnelOption
= (EFI_IPSEC_TUNNEL_OPTION
*) ALIGN_POINTER (
264 ((*Data
)->ProcessingPolicy
+ 1),
270 // Convert user input from string to integer, and fill in the Name in EFI_IPSEC_SPD_DATA.
272 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--name");
273 if (ValueStr
!= NULL
) {
274 UnicodeStrToAsciiStr (ValueStr
, (CHAR8
*) (*Data
)->Name
);
279 // Convert user input from string to integer, and fill in the PackageFlag in EFI_IPSEC_SPD_DATA.
284 &(*Data
)->PackageFlag
,
290 if (!EFI_ERROR (Status
)) {
291 *Mask
|= PACKET_FLAG
;
294 if (Status
== EFI_INVALID_PARAMETER
) {
295 ReturnStatus
= EFI_INVALID_PARAMETER
;
299 // Convert user input from string to integer, and fill in the Action in EFI_IPSEC_SPD_DATA.
310 if (!EFI_ERROR (Status
)) {
314 if (Status
== EFI_INVALID_PARAMETER
) {
315 ReturnStatus
= EFI_INVALID_PARAMETER
;
319 // Convert user input from string to integer, and fill in the ExtSeqNum in EFI_IPSEC_SPD_DATA.
321 if (ShellCommandLineGetFlag (ParamPackage
, L
"--ext-sequence")) {
322 (*Data
)->ProcessingPolicy
->ExtSeqNum
= TRUE
;
323 *Mask
|= EXT_SEQUENCE
;
324 } else if (ShellCommandLineGetFlag (ParamPackage
, L
"--ext-sequence-")) {
325 (*Data
)->ProcessingPolicy
->ExtSeqNum
= FALSE
;
326 *Mask
|= EXT_SEQUENCE
;
330 // Convert user input from string to integer, and fill in the SeqOverflow in EFI_IPSEC_SPD_DATA.
332 if (ShellCommandLineGetFlag (ParamPackage
, L
"--sequence-overflow")) {
333 (*Data
)->ProcessingPolicy
->SeqOverflow
= TRUE
;
334 *Mask
|= SEQUENCE_OVERFLOW
;
335 } else if (ShellCommandLineGetFlag (ParamPackage
, L
"--sequence-overflow-")) {
336 (*Data
)->ProcessingPolicy
->SeqOverflow
= FALSE
;
337 *Mask
|= SEQUENCE_OVERFLOW
;
341 // Convert user input from string to integer, and fill in the FragCheck in EFI_IPSEC_SPD_DATA.
343 if (ShellCommandLineGetFlag (ParamPackage
, L
"--fragment-check")) {
344 (*Data
)->ProcessingPolicy
->FragCheck
= TRUE
;
345 *Mask
|= FRAGMENT_CHECK
;
346 } else if (ShellCommandLineGetFlag (ParamPackage
, L
"--fragment-check-")) {
347 (*Data
)->ProcessingPolicy
->FragCheck
= FALSE
;
348 *Mask
|= FRAGMENT_CHECK
;
352 // Convert user input from string to integer, and fill in the ProcessingPolicy in EFI_IPSEC_SPD_DATA.
357 &(*Data
)->ProcessingPolicy
->SaLifetime
.ByteCount
,
363 if (!EFI_ERROR (Status
)) {
367 if (Status
== EFI_INVALID_PARAMETER
) {
368 ReturnStatus
= EFI_INVALID_PARAMETER
;
374 &(*Data
)->ProcessingPolicy
->SaLifetime
.HardLifetime
,
380 if (!EFI_ERROR (Status
)) {
383 if (Status
== EFI_INVALID_PARAMETER
) {
384 ReturnStatus
= EFI_INVALID_PARAMETER
;
390 &(*Data
)->ProcessingPolicy
->SaLifetime
.SoftLifetime
,
396 if (!EFI_ERROR (Status
)) {
397 *Mask
|= LIFETIME_SOFT
;
400 if (Status
== EFI_INVALID_PARAMETER
) {
401 ReturnStatus
= EFI_INVALID_PARAMETER
;
404 (*Data
)->ProcessingPolicy
->Mode
= EfiIPsecTransport
;
408 &(*Data
)->ProcessingPolicy
->Mode
,
414 if (!EFI_ERROR (Status
)) {
418 if (Status
== EFI_INVALID_PARAMETER
) {
419 ReturnStatus
= EFI_INVALID_PARAMETER
;
422 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--tunnel-local");
423 if (ValueStr
!= NULL
) {
424 Status
= EfiInetAddr2 ((CHAR16
*) ValueStr
, &(*Data
)->ProcessingPolicy
->TunnelOption
->LocalTunnelAddress
);
425 if (EFI_ERROR (Status
)) {
430 STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE
),
436 ReturnStatus
= EFI_INVALID_PARAMETER
;
438 *Mask
|= TUNNEL_LOCAL
;
442 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--tunnel-remote");
443 if (ValueStr
!= NULL
) {
444 Status
= EfiInetAddr2 ((CHAR16
*) ValueStr
, &(*Data
)->ProcessingPolicy
->TunnelOption
->RemoteTunnelAddress
);
445 if (EFI_ERROR (Status
)) {
450 STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE
),
456 ReturnStatus
= EFI_INVALID_PARAMETER
;
458 *Mask
|= TUNNEL_REMOTE
;
462 (*Data
)->ProcessingPolicy
->TunnelOption
->DF
= EfiIPsecTunnelCopyDf
;
466 &(*Data
)->ProcessingPolicy
->TunnelOption
->DF
,
472 if (!EFI_ERROR (Status
)) {
473 *Mask
|= DONT_FRAGMENT
;
476 if (Status
== EFI_INVALID_PARAMETER
) {
477 ReturnStatus
= EFI_INVALID_PARAMETER
;
480 (*Data
)->ProcessingPolicy
->Proto
= EfiIPsecESP
;
484 &(*Data
)->ProcessingPolicy
->Proto
,
490 if (!EFI_ERROR (Status
)) {
491 *Mask
|= IPSEC_PROTO
;
494 if (Status
== EFI_INVALID_PARAMETER
) {
495 ReturnStatus
= EFI_INVALID_PARAMETER
;
501 &(*Data
)->ProcessingPolicy
->EncAlgoId
,
507 if (!EFI_ERROR (Status
)) {
508 *Mask
|= ENCRYPT_ALGO
;
511 if (Status
== EFI_INVALID_PARAMETER
) {
512 ReturnStatus
= EFI_INVALID_PARAMETER
;
518 &(*Data
)->ProcessingPolicy
->AuthAlgoId
,
524 if (!EFI_ERROR (Status
)) {
528 if (Status
== EFI_INVALID_PARAMETER
) {
529 ReturnStatus
= EFI_INVALID_PARAMETER
;
533 // Cannot check Mode against EfiIPsecTunnel, because the user may want to change tunnel_remote only, in which case Mode is not set.
535 if ((*Mask
& (TUNNEL_LOCAL
| TUNNEL_REMOTE
| DONT_FRAGMENT
)) == 0) {
536 (*Data
)->ProcessingPolicy
->TunnelOption
= NULL
;
539 if ((*Mask
& (EXT_SEQUENCE
| SEQUENCE_OVERFLOW
| FRAGMENT_CHECK
| LIFEBYTE
|
540 LIFETIME_SOFT
| LIFETIME
| MODE
| TUNNEL_LOCAL
| TUNNEL_REMOTE
|
541 DONT_FRAGMENT
| IPSEC_PROTO
| AUTH_ALGO
| ENCRYPT_ALGO
)) == 0) {
542 if ((*Data
)->Action
!= EfiIPsecActionProtect
) {
544 // The user may not provide additional parameters for the Protect action, so we cannot simply set ProcessingPolicy to NULL.
546 (*Data
)->ProcessingPolicy
= NULL
;
551 if ((*Mask
& (LOCAL
| REMOTE
| PROTO
| ACTION
)) != (LOCAL
| REMOTE
| PROTO
| ACTION
)) {
556 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS
),
559 L
"--local --remote --proto --action"
561 ReturnStatus
= EFI_INVALID_PARAMETER
;
562 } else if (((*Data
)->Action
== EfiIPsecActionProtect
) &&
563 ((*Data
)->ProcessingPolicy
->Mode
== EfiIPsecTunnel
) &&
564 ((*Mask
& (TUNNEL_LOCAL
| TUNNEL_REMOTE
)) != (TUNNEL_LOCAL
| TUNNEL_REMOTE
))) {
569 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS
),
572 L
"--tunnel-local --tunnel-remote"
574 ReturnStatus
= EFI_INVALID_PARAMETER
;
582 Fill in EFI_IPSEC_SA_ID and EFI_IPSEC_SA_DATA2 through ParamPackage list.
584 @param[out] SaId The pointer to the EFI_IPSEC_SA_ID structure.
585 @param[out] Data The pointer to the EFI_IPSEC_SA_DATA2 structure.
586 @param[in] ParamPackage The pointer to the ParamPackage list.
587 @param[out] Mask The pointer to the Mask.
588 @param[in] CreateNew The switch to create new.
590 @retval EFI_SUCCESS Fill in EFI_IPSEC_SA_ID and EFI_IPSEC_SA_DATA2 successfully.
591 @retval EFI_INVALID_PARAMETER Invalid user input parameter.
596 OUT EFI_IPSEC_SA_ID
**SaId
,
597 OUT EFI_IPSEC_SA_DATA2
**Data
,
598 IN LIST_ENTRY
*ParamPackage
,
604 EFI_STATUS ReturnStatus
;
607 CONST CHAR16
*ValueStr
;
611 Status
= EFI_SUCCESS
;
612 ReturnStatus
= EFI_SUCCESS
;
617 *SaId
= AllocateZeroPool (sizeof (EFI_IPSEC_SA_ID
));
618 ASSERT (*SaId
!= NULL
);
621 // Convert user input from string to integer, and fill in the Spi in EFI_IPSEC_SA_ID.
623 Status
= GetNumber (L
"--spi", (UINT32
) -1, &(*SaId
)->Spi
, sizeof (UINT32
), NULL
, ParamPackage
, FORMAT_NUMBER
);
624 if (!EFI_ERROR (Status
)) {
628 if (Status
== EFI_INVALID_PARAMETER
) {
629 ReturnStatus
= EFI_INVALID_PARAMETER
;
633 // Convert user input from string to integer, and fill in the Proto in EFI_IPSEC_SA_ID.
639 sizeof (EFI_IPSEC_PROTOCOL_TYPE
),
644 if (!EFI_ERROR (Status
)) {
645 *Mask
|= IPSEC_PROTO
;
648 if (Status
== EFI_INVALID_PARAMETER
) {
649 ReturnStatus
= EFI_INVALID_PARAMETER
;
653 // Convert user input from string to integer, and fill in EFI_IPSEC_SA_DATA2.
655 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--auth-key");
656 if (ValueStr
!= NULL
) {
657 AuthKeyLength
= StrLen (ValueStr
);
660 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--encrypt-key");
661 if (ValueStr
!= NULL
) {
662 EncKeyLength
= StrLen (ValueStr
);
666 // EFI_IPSEC_SA_DATA2:
668 // | EFI_IPSEC_SA_DATA2
669 // +-----------------------
671 // +-------------------------
673 // +-------------------------
676 // Note: to keep each item properly aligned, padding is added after each item if needed.
678 DataSize
= ALIGN_VARIABLE (sizeof (EFI_IPSEC_SA_DATA2
));
679 DataSize
= ALIGN_VARIABLE (DataSize
+ AuthKeyLength
);
680 DataSize
= ALIGN_VARIABLE (DataSize
+ EncKeyLength
);
681 DataSize
= ALIGN_VARIABLE (DataSize
+ sizeof (EFI_IPSEC_SPD_SELECTOR
));
682 DataSize
= ALIGN_VARIABLE (DataSize
+ sizeof (EFI_IP_ADDRESS_INFO
));
683 DataSize
+= sizeof (EFI_IP_ADDRESS_INFO
);
687 *Data
= AllocateZeroPool (DataSize
);
688 ASSERT (*Data
!= NULL
);
690 (*Data
)->ManualSet
= TRUE
;
691 (*Data
)->AlgoInfo
.EspAlgoInfo
.AuthKey
= (VOID
*) ALIGN_POINTER (((*Data
) + 1), sizeof (UINTN
));
692 (*Data
)->AlgoInfo
.EspAlgoInfo
.EncKey
= (VOID
*) ALIGN_POINTER (
693 ((UINT8
*) (*Data
)->AlgoInfo
.EspAlgoInfo
.AuthKey
+ AuthKeyLength
),
696 (*Data
)->SpdSelector
= (EFI_IPSEC_SPD_SELECTOR
*) ALIGN_POINTER (
697 ((UINT8
*) (*Data
)->AlgoInfo
.EspAlgoInfo
.EncKey
+ EncKeyLength
),
700 (*Data
)->SpdSelector
->LocalAddress
= (EFI_IP_ADDRESS_INFO
*) ALIGN_POINTER (
701 ((UINT8
*) (*Data
)->SpdSelector
+ sizeof (EFI_IPSEC_SPD_SELECTOR
)),
703 (*Data
)->SpdSelector
->RemoteAddress
= (EFI_IP_ADDRESS_INFO
*) ALIGN_POINTER (
704 (*Data
)->SpdSelector
->LocalAddress
+ 1,
708 (*Data
)->Mode
= EfiIPsecTransport
;
713 sizeof (EFI_IPSEC_MODE
),
718 if (!EFI_ERROR (Status
)) {
722 if (Status
== EFI_INVALID_PARAMETER
) {
723 ReturnStatus
= EFI_INVALID_PARAMETER
;
727 // According to RFC 4303, section 3.3.3, the first packet sent using a given SA
728 // will contain a sequence number of 1.
730 (*Data
)->SNCount
= 1;
732 L
"--sequence-number",
740 if (!EFI_ERROR (Status
)) {
741 *Mask
|= SEQUENCE_NUMBER
;
744 if (Status
== EFI_INVALID_PARAMETER
) {
745 ReturnStatus
= EFI_INVALID_PARAMETER
;
748 (*Data
)->AntiReplayWindows
= 0;
750 L
"--antireplay-window",
752 &(*Data
)->AntiReplayWindows
,
758 if (!EFI_ERROR (Status
)) {
759 *Mask
|= SEQUENCE_NUMBER
;
762 if (Status
== EFI_INVALID_PARAMETER
) {
763 ReturnStatus
= EFI_INVALID_PARAMETER
;
769 &(*Data
)->AlgoInfo
.EspAlgoInfo
.EncAlgoId
,
775 if (!EFI_ERROR (Status
)) {
776 *Mask
|= ENCRYPT_ALGO
;
779 if (Status
== EFI_INVALID_PARAMETER
) {
780 ReturnStatus
= EFI_INVALID_PARAMETER
;
783 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--encrypt-key");
784 if (ValueStr
!= NULL
) {
785 (*Data
)->AlgoInfo
.EspAlgoInfo
.EncKeyLength
= EncKeyLength
;
786 AsciiStr
= AllocateZeroPool (EncKeyLength
+ 1);
787 ASSERT (AsciiStr
!= NULL
);
788 UnicodeStrToAsciiStr (ValueStr
, AsciiStr
);
789 CopyMem ((*Data
)->AlgoInfo
.EspAlgoInfo
.EncKey
, AsciiStr
, EncKeyLength
);
791 *Mask
|= ENCRYPT_KEY
;
793 (*Data
)->AlgoInfo
.EspAlgoInfo
.EncKey
= NULL
;
799 &(*Data
)->AlgoInfo
.EspAlgoInfo
.AuthAlgoId
,
805 if (!EFI_ERROR (Status
)) {
809 if (Status
== EFI_INVALID_PARAMETER
) {
810 ReturnStatus
= EFI_INVALID_PARAMETER
;
813 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--auth-key");
814 if (ValueStr
!= NULL
) {
815 (*Data
)->AlgoInfo
.EspAlgoInfo
.AuthKeyLength
= AuthKeyLength
;
816 AsciiStr
= AllocateZeroPool (AuthKeyLength
+ 1);
817 ASSERT (AsciiStr
!= NULL
);
818 UnicodeStrToAsciiStr (ValueStr
, AsciiStr
);
819 CopyMem ((*Data
)->AlgoInfo
.EspAlgoInfo
.AuthKey
, AsciiStr
, AuthKeyLength
);
823 (*Data
)->AlgoInfo
.EspAlgoInfo
.AuthKey
= NULL
;
829 &(*Data
)->SaLifetime
.ByteCount
,
835 if (!EFI_ERROR (Status
)) {
839 if (Status
== EFI_INVALID_PARAMETER
) {
840 ReturnStatus
= EFI_INVALID_PARAMETER
;
846 &(*Data
)->SaLifetime
.HardLifetime
,
852 if (!EFI_ERROR (Status
)) {
856 if (Status
== EFI_INVALID_PARAMETER
) {
857 ReturnStatus
= EFI_INVALID_PARAMETER
;
863 &(*Data
)->SaLifetime
.SoftLifetime
,
869 if (!EFI_ERROR (Status
)) {
870 *Mask
|= LIFETIME_SOFT
;
873 if (Status
== EFI_INVALID_PARAMETER
) {
874 ReturnStatus
= EFI_INVALID_PARAMETER
;
886 if (!EFI_ERROR (Status
)) {
890 if (Status
== EFI_INVALID_PARAMETER
) {
891 ReturnStatus
= EFI_INVALID_PARAMETER
;
895 // Convert user input from string to integer, and fill in the DestAddress in EFI_IPSEC_SA_ID.
897 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--tunnel-dest");
898 if (ValueStr
!= NULL
) {
899 Status
= EfiInetAddr2 ((CHAR16
*) ValueStr
, &(*Data
)->TunnelDestinationAddress
);
900 if (EFI_ERROR (Status
)) {
905 STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE
),
911 ReturnStatus
= EFI_INVALID_PARAMETER
;
918 // Convert user input from string to integer, and fill in the DestAddress in EFI_IPSEC_SA_ID.
920 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--tunnel-source");
921 if (ValueStr
!= NULL
) {
922 Status
= EfiInetAddr2 ((CHAR16
*) ValueStr
, &(*Data
)->TunnelSourceAddress
);
923 if (EFI_ERROR (Status
)) {
928 STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE
),
934 ReturnStatus
= EFI_INVALID_PARAMETER
;
941 // If it is Tunnel mode, then check that both --tunnel-source and --tunnel-dest are set
943 if ((*Data
)->Mode
== EfiIPsecTunnel
) {
944 if ((*Mask
& (DEST
|SOURCE
)) != (DEST
|SOURCE
)) {
949 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS
),
952 L
"--tunnel-source --tunnel-dest"
954 ReturnStatus
= EFI_INVALID_PARAMETER
;
957 ReturnStatus
= CreateSpdSelector ((*Data
)->SpdSelector
, ParamPackage
, Mask
);
960 if ((*Mask
& (SPI
|IPSEC_PROTO
|LOCAL
|REMOTE
)) != (SPI
|IPSEC_PROTO
|LOCAL
|REMOTE
)) {
965 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS
),
968 L
"--spi --ipsec-proto --local --remote"
970 ReturnStatus
= EFI_INVALID_PARAMETER
;
972 if ((*SaId
)->Proto
== EfiIPsecAH
) {
973 if ((*Mask
& AUTH_ALGO
) == 0) {
978 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_PARAMETER
),
983 ReturnStatus
= EFI_INVALID_PARAMETER
;
984 } else if ((*Data
)->AlgoInfo
.EspAlgoInfo
.AuthAlgoId
!= IPSEC_AALG_NONE
&& (*Mask
& AUTH_KEY
) == 0) {
989 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_PARAMETER
),
994 ReturnStatus
= EFI_INVALID_PARAMETER
;
997 if ((*Mask
& (ENCRYPT_ALGO
|AUTH_ALGO
)) != (ENCRYPT_ALGO
|AUTH_ALGO
) ) {
1002 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_PARAMETER
),
1005 L
"--encrypt-algo --auth-algo"
1007 ReturnStatus
= EFI_INVALID_PARAMETER
;
1008 } else if ((*Data
)->AlgoInfo
.EspAlgoInfo
.EncAlgoId
!= IPSEC_EALG_NONE
&& (*Mask
& ENCRYPT_KEY
) == 0) {
1013 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_PARAMETER
),
1018 ReturnStatus
= EFI_INVALID_PARAMETER
;
1019 } else if ((*Data
)->AlgoInfo
.EspAlgoInfo
.AuthAlgoId
!= IPSEC_AALG_NONE
&& (*Mask
& AUTH_KEY
) == 0) {
1024 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_PARAMETER
),
1029 ReturnStatus
= EFI_INVALID_PARAMETER
;
1035 return ReturnStatus
;
1039 Fill in EFI_IPSEC_PAD_ID and EFI_IPSEC_PAD_DATA through ParamPackage list.
1041 @param[out] PadId The pointer to the EFI_IPSEC_PAD_ID structure.
1042 @param[out] Data The pointer to the EFI_IPSEC_PAD_DATA structure.
1043 @param[in] ParamPackage The pointer to the ParamPackage list.
1044 @param[out] Mask The pointer to the Mask.
1045 @param[in] CreateNew The switch to create new.
1047 @retval EFI_SUCCESS Fill in EFI_IPSEC_PAD_ID and EFI_IPSEC_PAD_DATA successfully.
1048 @retval EFI_INVALID_PARAMETER Invalid user input parameter.
1053 OUT EFI_IPSEC_PAD_ID
**PadId
,
1054 OUT EFI_IPSEC_PAD_DATA
**Data
,
1055 IN LIST_ENTRY
*ParamPackage
,
1057 IN BOOLEAN CreateNew
1061 EFI_STATUS ReturnStatus
;
1062 SHELL_FILE_HANDLE FileHandle
;
1064 UINTN AuthDataLength
;
1065 UINTN RevocationDataLength
;
1068 CONST CHAR16
*ValueStr
;
1071 Status
= EFI_SUCCESS
;
1072 ReturnStatus
= EFI_SUCCESS
;
1075 RevocationDataLength
= 0;
1077 *PadId
= AllocateZeroPool (sizeof (EFI_IPSEC_PAD_ID
));
1078 ASSERT (*PadId
!= NULL
);
1081 // Convert user input from string to integer, and fill in EFI_IPSEC_PAD_ID.
1083 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--peer-address");
1084 if (ValueStr
!= NULL
) {
1085 (*PadId
)->PeerIdValid
= FALSE
;
1086 Status
= EfiInetAddrRange ((CHAR16
*) ValueStr
, &(*PadId
)->Id
.IpAddress
);
1087 if (EFI_ERROR (Status
)) {
1092 STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE
),
1098 ReturnStatus
= EFI_INVALID_PARAMETER
;
1100 *Mask
|= PEER_ADDRESS
;
1104 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--peer-id");
1105 if (ValueStr
!= NULL
) {
1106 (*PadId
)->PeerIdValid
= TRUE
;
1107 StrnCpy ((CHAR16
*) (*PadId
)->Id
.PeerId
, ValueStr
, ARRAY_SIZE ((*PadId
)->Id
.PeerId
) - 1);
1111 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--auth-data");
1112 if (ValueStr
!= NULL
) {
1113 if (ValueStr
[0] == L
'@') {
1115 // Input is a file: --auth-data "@fs1:\My Certificates\tom.dat"
1117 Status
= ShellOpenFileByName (&ValueStr
[1], &FileHandle
, EFI_FILE_MODE_READ
, 0);
1118 if (EFI_ERROR (Status
)) {
1123 STRING_TOKEN (STR_IPSEC_CONFIG_FILE_OPEN_FAILED
),
1128 ReturnStatus
= EFI_INVALID_PARAMETER
;
1130 Status
= ShellGetFileSize (FileHandle
, &FileSize
);
1131 ShellCloseFile (&FileHandle
);
1132 if (EFI_ERROR (Status
)) {
1137 STRING_TOKEN (STR_IPSEC_CONFIG_FILE_OPEN_FAILED
),
1142 ReturnStatus
= EFI_INVALID_PARAMETER
;
1144 AuthDataLength
= (UINTN
) FileSize
;
1148 AuthDataLength
= StrLen (ValueStr
);
1152 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--revocation-data");
1153 if (ValueStr
!= NULL
) {
1154 RevocationDataLength
= (StrLen (ValueStr
) + 1) * sizeof (CHAR16
);
1158 // Allocate the buffer for Data. Add padding after each struct to make sure the alignment
1159 // is correct on different architectures.
1161 DataSize
= ALIGN_VARIABLE (sizeof (EFI_IPSEC_PAD_DATA
));
1162 DataSize
= ALIGN_VARIABLE (DataSize
+ AuthDataLength
);
1163 DataSize
+= RevocationDataLength
;
1165 *Data
= AllocateZeroPool (DataSize
);
1166 ASSERT (*Data
!= NULL
);
1168 (*Data
)->AuthData
= (VOID
*) ALIGN_POINTER ((*Data
+ 1), sizeof (UINTN
));
1169 (*Data
)->RevocationData
= (VOID
*) ALIGN_POINTER (((UINT8
*) (*Data
+ 1) + AuthDataLength
), sizeof (UINTN
));
1170 (*Data
)->AuthProtocol
= EfiIPsecAuthProtocolIKEv1
;
1173 // Convert user input from string to integer, and fill in EFI_IPSEC_PAD_DATA.
1175 Status
= GetNumber (
1178 &(*Data
)->AuthProtocol
,
1179 sizeof (EFI_IPSEC_AUTH_PROTOCOL_TYPE
),
1184 if (!EFI_ERROR (Status
)) {
1185 *Mask
|= AUTH_PROTO
;
1188 if (Status
== EFI_INVALID_PARAMETER
) {
1189 ReturnStatus
= EFI_INVALID_PARAMETER
;
1192 Status
= GetNumber (
1195 &(*Data
)->AuthMethod
,
1196 sizeof (EFI_IPSEC_AUTH_METHOD
),
1201 if (!EFI_ERROR (Status
)) {
1202 *Mask
|= AUTH_METHOD
;
1205 if (Status
== EFI_INVALID_PARAMETER
) {
1206 ReturnStatus
= EFI_INVALID_PARAMETER
;
1209 if (ShellCommandLineGetFlag (ParamPackage
, L
"--ike-id")) {
1210 (*Data
)->IkeIdFlag
= TRUE
;
1214 if (ShellCommandLineGetFlag (ParamPackage
, L
"--ike-id-")) {
1215 (*Data
)->IkeIdFlag
= FALSE
;
1219 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--auth-data");
1220 if (ValueStr
!= NULL
) {
1221 if (ValueStr
[0] == L
'@') {
1223 // Input is a file: --auth-data "@fs1:\My Certificates\tom.dat"
1226 Status
= ShellOpenFileByName (&ValueStr
[1], &FileHandle
, EFI_FILE_MODE_READ
, 0);
1227 if (EFI_ERROR (Status
)) {
1232 STRING_TOKEN (STR_IPSEC_CONFIG_FILE_OPEN_FAILED
),
1237 ReturnStatus
= EFI_INVALID_PARAMETER
;
1238 (*Data
)->AuthData
= NULL
;
1240 DataLength
= AuthDataLength
;
1241 Status
= ShellReadFile (FileHandle
, &DataLength
, (*Data
)->AuthData
);
1242 ShellCloseFile (&FileHandle
);
1243 if (EFI_ERROR (Status
)) {
1248 STRING_TOKEN (STR_IPSEC_CONFIG_FILE_OPEN_FAILED
),
1253 ReturnStatus
= EFI_INVALID_PARAMETER
;
1254 (*Data
)->AuthData
= NULL
;
1256 ASSERT (DataLength
== AuthDataLength
);
1261 for (Index
= 0; Index
< AuthDataLength
; Index
++) {
1262 ((CHAR8
*) (*Data
)->AuthData
)[Index
] = (CHAR8
) ValueStr
[Index
];
1264 (*Data
)->AuthDataSize
= AuthDataLength
;
1269 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--revocation-data");
1270 if (ValueStr
!= NULL
) {
1271 CopyMem ((*Data
)->RevocationData
, ValueStr
, RevocationDataLength
);
1272 (*Data
)->RevocationDataSize
= RevocationDataLength
;
1273 *Mask
|= REVOCATION_DATA
;
1275 (*Data
)->RevocationData
= NULL
;
1279 if ((*Mask
& (PEER_ID
| PEER_ADDRESS
)) == 0) {
1284 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS
),
1287 L
"--peer-id --peer-address"
1289 ReturnStatus
= EFI_INVALID_PARAMETER
;
1290 } else if ((*Mask
& (AUTH_METHOD
| AUTH_DATA
)) != (AUTH_METHOD
| AUTH_DATA
)) {
1295 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS
),
1298 L
"--auth-method --auth-data"
1300 ReturnStatus
= EFI_INVALID_PARAMETER
;
1304 return ReturnStatus
;
//
// Creator dispatch table: one entry per policy database, in the order
// SPD, SAD, PAD. Each creator is cast to the common CREATE_POLICY_ENTRY
// signature. NOTE(review): presumably indexed by the policy-type enum,
// which is not visible here -- confirm against the caller before reordering.
//
CREATE_POLICY_ENTRY mCreatePolicyEntry[] = {
  (CREATE_POLICY_ENTRY) CreateSpdEntry,
  (CREATE_POLICY_ENTRY) CreateSadEntry,
  (CREATE_POLICY_ENTRY) CreatePadEntry
};
1314 Combine old SPD entry with new SPD entry.
1316 @param[in, out] OldSelector The pointer to the EFI_IPSEC_SPD_SELECTOR structure.
1317 @param[in, out] OldData The pointer to the EFI_IPSEC_SPD_DATA structure.
1318 @param[in] NewSelector The pointer to the EFI_IPSEC_SPD_SELECTOR structure.
1319 @param[in] NewData The pointer to the EFI_IPSEC_SPD_DATA structure.
1320 @param[in] Mask The pointer to the Mask.
1321 @param[out] CreateNew The switch to create new.
1323 @retval EFI_SUCCESS Combined successfully.
1324 @retval EFI_INVALID_PARAMETER Invalid user input parameter.
1329 IN OUT EFI_IPSEC_SPD_SELECTOR
*OldSelector
,
1330 IN OUT EFI_IPSEC_SPD_DATA
*OldData
,
1331 IN EFI_IPSEC_SPD_SELECTOR
*NewSelector
,
1332 IN EFI_IPSEC_SPD_DATA
*NewData
,
1334 OUT BOOLEAN
*CreateNew
1342 if ((Mask
& LOCAL
) == 0) {
1343 NewSelector
->LocalAddressCount
= OldSelector
->LocalAddressCount
;
1344 NewSelector
->LocalAddress
= OldSelector
->LocalAddress
;
1345 } else if ((NewSelector
->LocalAddressCount
!= OldSelector
->LocalAddressCount
) ||
1346 (CompareMem (NewSelector
->LocalAddress
, OldSelector
->LocalAddress
, NewSelector
->LocalAddressCount
* sizeof (EFI_IP_ADDRESS_INFO
)) != 0)) {
1350 if ((Mask
& REMOTE
) == 0) {
1351 NewSelector
->RemoteAddressCount
= OldSelector
->RemoteAddressCount
;
1352 NewSelector
->RemoteAddress
= OldSelector
->RemoteAddress
;
1353 } else if ((NewSelector
->RemoteAddressCount
!= OldSelector
->RemoteAddressCount
) ||
1354 (CompareMem (NewSelector
->RemoteAddress
, OldSelector
->RemoteAddress
, NewSelector
->RemoteAddressCount
* sizeof (EFI_IP_ADDRESS_INFO
)) != 0)) {
1358 if ((Mask
& PROTO
) == 0) {
1359 NewSelector
->NextLayerProtocol
= OldSelector
->NextLayerProtocol
;
1360 } else if (NewSelector
->NextLayerProtocol
!= OldSelector
->NextLayerProtocol
) {
1364 switch (NewSelector
->NextLayerProtocol
) {
1365 case EFI_IP4_PROTO_TCP
:
1366 case EFI_IP4_PROTO_UDP
:
1367 if ((Mask
& LOCAL_PORT
) == 0) {
1368 NewSelector
->LocalPort
= OldSelector
->LocalPort
;
1369 NewSelector
->LocalPortRange
= OldSelector
->LocalPortRange
;
1370 } else if ((NewSelector
->LocalPort
!= OldSelector
->LocalPort
) ||
1371 (NewSelector
->LocalPortRange
!= OldSelector
->LocalPortRange
)) {
1375 if ((Mask
& REMOTE_PORT
) == 0) {
1376 NewSelector
->RemotePort
= OldSelector
->RemotePort
;
1377 NewSelector
->RemotePortRange
= OldSelector
->RemotePortRange
;
1378 } else if ((NewSelector
->RemotePort
!= OldSelector
->RemotePort
) ||
1379 (NewSelector
->RemotePortRange
!= OldSelector
->RemotePortRange
)) {
1384 case EFI_IP4_PROTO_ICMP
:
1385 if ((Mask
& ICMP_TYPE
) == 0) {
1386 NewSelector
->LocalPort
= OldSelector
->LocalPort
;
1387 } else if (NewSelector
->LocalPort
!= OldSelector
->LocalPort
) {
1391 if ((Mask
& ICMP_CODE
) == 0) {
1392 NewSelector
->RemotePort
= OldSelector
->RemotePort
;
1393 } else if (NewSelector
->RemotePort
!= OldSelector
->RemotePort
) {
1401 if ((Mask
& NAME
) != 0) {
1402 AsciiStrCpy ((CHAR8
*) OldData
->Name
, (CHAR8
*) NewData
->Name
);
1405 if ((Mask
& PACKET_FLAG
) != 0) {
1406 OldData
->PackageFlag
= NewData
->PackageFlag
;
1409 if ((Mask
& ACTION
) != 0) {
1410 OldData
->Action
= NewData
->Action
;
1413 if (OldData
->Action
!= EfiIPsecActionProtect
) {
1414 OldData
->ProcessingPolicy
= NULL
;
1419 if (OldData
->ProcessingPolicy
== NULL
) {
1421 // Just point to the new data if it was originally NULL.
1423 OldData
->ProcessingPolicy
= NewData
->ProcessingPolicy
;
1424 if (OldData
->ProcessingPolicy
->Mode
== EfiIPsecTunnel
&&
1425 (Mask
& (TUNNEL_LOCAL
| TUNNEL_REMOTE
)) != (TUNNEL_LOCAL
| TUNNEL_REMOTE
)
1428 // Changed to Protect action and Tunnel mode, but without providing the local/remote tunnel addresses.
1434 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS
),
1437 L
"--tunnel-local --tunnel-remote"
1439 return EFI_INVALID_PARAMETER
;
1443 // Modify some of the data.
1445 if ((Mask
& EXT_SEQUENCE
) != 0) {
1446 OldData
->ProcessingPolicy
->ExtSeqNum
= NewData
->ProcessingPolicy
->ExtSeqNum
;
1449 if ((Mask
& SEQUENCE_OVERFLOW
) != 0) {
1450 OldData
->ProcessingPolicy
->SeqOverflow
= NewData
->ProcessingPolicy
->SeqOverflow
;
1453 if ((Mask
& FRAGMENT_CHECK
) != 0) {
1454 OldData
->ProcessingPolicy
->FragCheck
= NewData
->ProcessingPolicy
->FragCheck
;
1457 if ((Mask
& LIFEBYTE
) != 0) {
1458 OldData
->ProcessingPolicy
->SaLifetime
.ByteCount
= NewData
->ProcessingPolicy
->SaLifetime
.ByteCount
;
1461 if ((Mask
& LIFETIME_SOFT
) != 0) {
1462 OldData
->ProcessingPolicy
->SaLifetime
.SoftLifetime
= NewData
->ProcessingPolicy
->SaLifetime
.SoftLifetime
;
1465 if ((Mask
& LIFETIME
) != 0) {
1466 OldData
->ProcessingPolicy
->SaLifetime
.HardLifetime
= NewData
->ProcessingPolicy
->SaLifetime
.HardLifetime
;
1469 if ((Mask
& MODE
) != 0) {
1470 OldData
->ProcessingPolicy
->Mode
= NewData
->ProcessingPolicy
->Mode
;
1473 if ((Mask
& IPSEC_PROTO
) != 0) {
1474 OldData
->ProcessingPolicy
->Proto
= NewData
->ProcessingPolicy
->Proto
;
1477 if ((Mask
& AUTH_ALGO
) != 0) {
1478 OldData
->ProcessingPolicy
->AuthAlgoId
= NewData
->ProcessingPolicy
->AuthAlgoId
;
1481 if ((Mask
& ENCRYPT_ALGO
) != 0) {
1482 OldData
->ProcessingPolicy
->EncAlgoId
= NewData
->ProcessingPolicy
->EncAlgoId
;
1485 if (OldData
->ProcessingPolicy
->Mode
!= EfiIPsecTunnel
) {
1486 OldData
->ProcessingPolicy
->TunnelOption
= NULL
;
1488 if (OldData
->ProcessingPolicy
->TunnelOption
== NULL
) {
1490 // Changing from Transport mode to Tunnel mode: ensure that TUNNEL_LOCAL and TUNNEL_REMOTE both exist.
1492 if ((Mask
& (TUNNEL_LOCAL
| TUNNEL_REMOTE
)) != (TUNNEL_LOCAL
| TUNNEL_REMOTE
)) {
1497 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS
),
1500 L
"--tunnel-local --tunnel-remote"
1502 return EFI_INVALID_PARAMETER
;
1505 OldData
->ProcessingPolicy
->TunnelOption
= NewData
->ProcessingPolicy
->TunnelOption
;
1507 if ((Mask
& TUNNEL_LOCAL
) != 0) {
1509 &OldData
->ProcessingPolicy
->TunnelOption
->LocalTunnelAddress
,
1510 &NewData
->ProcessingPolicy
->TunnelOption
->LocalTunnelAddress
,
1511 sizeof (EFI_IP_ADDRESS
)
1515 if ((Mask
& TUNNEL_REMOTE
) != 0) {
1517 &OldData
->ProcessingPolicy
->TunnelOption
->RemoteTunnelAddress
,
1518 &NewData
->ProcessingPolicy
->TunnelOption
->RemoteTunnelAddress
,
1519 sizeof (EFI_IP_ADDRESS
)
1523 if ((Mask
& DONT_FRAGMENT
) != 0) {
1524 OldData
->ProcessingPolicy
->TunnelOption
->DF
= NewData
->ProcessingPolicy
->TunnelOption
->DF
;
/**
  Combine old SAD entry with new SAD entry.

  Every field of NewData whose bit is set in Mask replaces the matching field
  of OldData. The SA identifier fields (Spi, Proto) and the tunnel endpoint
  addresses are handled the other way round: when their bit is clear the old
  value is copied into the new entry, and when it is set and the values differ
  the entry presumably can no longer be edited in place (those branch bodies
  are not captured below; see CreateNew).

  NOTE(review): this listing omits the return type and function name, the
  Mask parameter line, closing braces, "break" statements, the "*CreateNew"
  assignments and the first lines of the print-helper calls (presumably
  ShellPrintHiiEx, as used elsewhere in this file). The tokens below are
  reproduced as captured; indentation shows the intended nesting.

  @param[in, out] OldSaId    The pointer to the EFI_IPSEC_SA_ID structure.
  @param[in, out] OldData    The pointer to the EFI_IPSEC_SA_DATA2 structure.
  @param[in]      NewSaId    The pointer to the EFI_IPSEC_SA_ID structure.
  @param[in]      NewData    The pointer to the EFI_IPSEC_SA_DATA2 structure.
  @param[in]      Mask       Bit mask of the fields supplied for the new entry.
                             It is used as a value ("Mask & SPI"), not as a
                             pointer as the original comment stated.
  @param[out]     CreateNew  The switch to create new: presumably set when the
                             combined entry has to be created as a new SA
                             instead of edited in place (the assignments are
                             not captured in this listing).

  @retval EFI_SUCCESS              Combined successfully.
  @retval EFI_INVALID_PARAMETER    Invalid user input parameter.
**/
  IN OUT EFI_IPSEC_SA_ID      *OldSaId,
  IN OUT EFI_IPSEC_SA_DATA2   *OldData,
  IN     EFI_IPSEC_SA_ID      *NewSaId,
  IN     EFI_IPSEC_SA_DATA2   *NewData,
     OUT BOOLEAN              *CreateNew

  //
  // SA identifier: inherit the old SPI / protocol when not supplied; a
  // supplied value that differs identifies a different SA.
  //
  if ((Mask & SPI) == 0) {
    NewSaId->Spi = OldSaId->Spi;
  } else if (NewSaId->Spi != OldSaId->Spi) {
    // (branch body not captured in this listing)

  if ((Mask & IPSEC_PROTO) == 0) {
    NewSaId->Proto = OldSaId->Proto;
  } else if (NewSaId->Proto != OldSaId->Proto) {
    // (branch body not captured in this listing)

  //
  // Tunnel endpoints are copied and compared bytewise as EFI_IP_ADDRESS.
  //
  if ((Mask & DEST) == 0) {
    CopyMem (&NewData->TunnelDestinationAddress, &OldData->TunnelDestinationAddress, sizeof (EFI_IP_ADDRESS));
  } else if (CompareMem (&NewData->TunnelDestinationAddress, &OldData->TunnelDestinationAddress, sizeof (EFI_IP_ADDRESS)) != 0) {
    // (branch body not captured in this listing)

  if ((Mask & SOURCE) == 0) {
    CopyMem (&NewData->TunnelSourceAddress, &OldData->TunnelSourceAddress, sizeof (EFI_IP_ADDRESS));
  } else if (CompareMem (&NewData->TunnelSourceAddress, &OldData->TunnelSourceAddress, sizeof (EFI_IP_ADDRESS)) != 0) {
    // (branch body not captured in this listing)

  //
  // Scalar SA attributes: plain overwrite when the bit is set.
  //
  if ((Mask & MODE) != 0) {
    OldData->Mode = NewData->Mode;

  if ((Mask & SEQUENCE_NUMBER) != 0) {
    OldData->SNCount = NewData->SNCount;

  if ((Mask & ANTIREPLAY_WINDOW) != 0) {
    OldData->AntiReplayWindows = NewData->AntiReplayWindows;

  if ((Mask & AUTH_ALGO) != 0) {
    OldData->AlgoInfo.EspAlgoInfo.AuthAlgoId = NewData->AlgoInfo.EspAlgoInfo.AuthAlgoId;

  //
  // Key material is taken over by pointer, not copied: from here on the old
  // entry references the key buffer owned by NewData. Whoever frees NewData's
  // buffers has to account for that aliasing (and zeroize the key bytes when
  // they are released); the ownership rule is not visible in this function.
  //
  if ((Mask & AUTH_KEY) != 0) {
    OldData->AlgoInfo.EspAlgoInfo.AuthKey = NewData->AlgoInfo.EspAlgoInfo.AuthKey;
    OldData->AlgoInfo.EspAlgoInfo.AuthKeyLength = NewData->AlgoInfo.EspAlgoInfo.AuthKeyLength;

  if ((Mask & ENCRYPT_ALGO) != 0) {
    OldData->AlgoInfo.EspAlgoInfo.EncAlgoId = NewData->AlgoInfo.EspAlgoInfo.EncAlgoId;

  if ((Mask & ENCRYPT_KEY) != 0) {
    OldData->AlgoInfo.EspAlgoInfo.EncKey = NewData->AlgoInfo.EspAlgoInfo.EncKey;
    OldData->AlgoInfo.EspAlgoInfo.EncKeyLength = NewData->AlgoInfo.EspAlgoInfo.EncKeyLength;

  //
  // Protocol consistency checks. They run after the fields above have already
  // been written into OldData, so a rejected edit leaves OldData partially
  // updated; that is harmless only if the caller discards OldData on
  // EFI_INVALID_PARAMETER (not visible here).
  //
  if (NewSaId->Proto == EfiIPsecAH) {
    if ((Mask & (ENCRYPT_ALGO | ENCRYPT_KEY)) != 0) {
      //
      // Should not provide encrypt_* if AH.
      //
      STRING_TOKEN (STR_IPSEC_CONFIG_UNWANTED_PARAMETER),
      L"--encrypt-algo --encrypt-key"
      return EFI_INVALID_PARAMETER;

  //
  // Only the AH -> ESP transition is checked for a complete cipher setup. An
  // ESP -> ESP edit that changes ENCRYPT_ALGO without ENCRYPT_KEY is accepted
  // and keeps the old key pointer; presumably intended — TODO confirm.
  //
  if (NewSaId->Proto == EfiIPsecESP && OldSaId->Proto == EfiIPsecAH) {
    //
    // Should provide encrypt_algo at least.
    //
    if ((Mask & ENCRYPT_ALGO) == 0) {
      STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_PARAMETER),
      return EFI_INVALID_PARAMETER;

    //
    // Encrypt_key should be provided if algorithm is not NONE.
    //
    if (NewData->AlgoInfo.EspAlgoInfo.EncAlgoId != IPSEC_EALG_NONE && (Mask & ENCRYPT_KEY) == 0) {
      STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_PARAMETER),
      return EFI_INVALID_PARAMETER;

  if ((Mask & LIFEBYTE) != 0) {
    OldData->SaLifetime.ByteCount = NewData->SaLifetime.ByteCount;

  if ((Mask & LIFETIME_SOFT) != 0) {
    OldData->SaLifetime.SoftLifetime = NewData->SaLifetime.SoftLifetime;

  if ((Mask & LIFETIME) != 0) {
    OldData->SaLifetime.HardLifetime = NewData->SaLifetime.HardLifetime;

  if ((Mask & PATH_MTU) != 0) {
    OldData->PathMTU = NewData->PathMTU;

  //
  // Process SpdSelector.
  // An SA without a selector can only gain one when LOCAL, REMOTE and PROTO
  // are all supplied; the whole selector is then taken over by pointer.
  //
  if (OldData->SpdSelector == NULL) {
    if ((Mask & (LOCAL | REMOTE | PROTO | LOCAL_PORT | REMOTE_PORT | ICMP_TYPE | ICMP_CODE)) != 0) {
      if ((Mask & (LOCAL | REMOTE | PROTO)) != (LOCAL | REMOTE | PROTO)) {
        STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS),
        L"--local --remote --proto"
        return EFI_INVALID_PARAMETER;

      OldData->SpdSelector = NewData->SpdSelector;

  //
  // Otherwise the existing selector is updated field by field (presumably the
  // else branch of the NULL check; its brace line is not captured). The
  // address lists are again shared by pointer, not copied.
  //
    if ((Mask & LOCAL) != 0) {
      OldData->SpdSelector->LocalAddressCount = NewData->SpdSelector->LocalAddressCount;
      OldData->SpdSelector->LocalAddress = NewData->SpdSelector->LocalAddress;

    if ((Mask & REMOTE) != 0) {
      OldData->SpdSelector->RemoteAddressCount = NewData->SpdSelector->RemoteAddressCount;
      OldData->SpdSelector->RemoteAddress = NewData->SpdSelector->RemoteAddress;

    if ((Mask & PROTO) != 0) {
      OldData->SpdSelector->NextLayerProtocol = NewData->SpdSelector->NextLayerProtocol;

  //
  // The port fields are only meaningful for TCP/UDP; for ICMP they carry the
  // type and code instead.
  //
  if (OldData->SpdSelector != NULL) {
    switch (OldData->SpdSelector->NextLayerProtocol) {
    case EFI_IP4_PROTO_TCP:
    case EFI_IP4_PROTO_UDP:
      if ((Mask & LOCAL_PORT) != 0) {
        OldData->SpdSelector->LocalPort = NewData->SpdSelector->LocalPort;

      if ((Mask & REMOTE_PORT) != 0) {
        OldData->SpdSelector->RemotePort = NewData->SpdSelector->RemotePort;
      // (a "break" before the next case is not captured in this listing)

    case EFI_IP4_PROTO_ICMP:
      //
      // The UINT8 cast silently truncates a value above 255; presumably the
      // option parser already range-checks the ICMP type/code — TODO confirm.
      //
      if ((Mask & ICMP_TYPE) != 0) {
        OldData->SpdSelector->LocalPort = (UINT8) NewData->SpdSelector->LocalPort;

      if ((Mask & ICMP_CODE) != 0) {
        OldData->SpdSelector->RemotePort = (UINT8) NewData->SpdSelector->RemotePort;
/**
  Combine old PAD entry with new PAD entry.

  Attribute fields of NewData whose bit is set in Mask replace the matching
  field of OldData. The peer identity is handled separately: when neither
  PEER_ID nor PEER_ADDRESS is given the old identity is copied into the new
  entry, otherwise the two identities are compared (the outcome of a mismatch
  is not captured in this listing; see CreateNew).

  NOTE(review): this listing omits the return type and function name, the
  Mask parameter line, closing braces, the "else" lines, the "*CreateNew"
  assignments and the return statement. No EFI_INVALID_PARAMETER path is
  visible in the captured tokens.

  @param[in, out] OldPadId   The pointer to the EFI_IPSEC_PAD_ID structure.
  @param[in, out] OldData    The pointer to the EFI_IPSEC_PAD_DATA structure.
  @param[in]      NewPadId   The pointer to the EFI_IPSEC_PAD_ID structure.
  @param[in]      NewData    The pointer to the EFI_IPSEC_PAD_DATA structure.
  @param[in]      Mask       Bit mask of the fields supplied for the new entry.
                             It is used as a value ("Mask & PEER_ID"), not as
                             a pointer as the original comment stated.
  @param[out]     CreateNew  The switch to create new: presumably set when the
                             identities differ (assignments not captured).

  @retval EFI_SUCCESS              Combined successfully.
  @retval EFI_INVALID_PARAMETER    Invalid user input parameter.
**/
  IN OUT EFI_IPSEC_PAD_ID      *OldPadId,
  IN OUT EFI_IPSEC_PAD_DATA    *OldData,
  IN     EFI_IPSEC_PAD_ID      *NewPadId,
  IN     EFI_IPSEC_PAD_DATA    *NewData,
     OUT BOOLEAN               *CreateNew

  //
  // No peer identity given: the new entry keeps the old identity wholesale.
  //
  if ((Mask & (PEER_ID | PEER_ADDRESS)) == 0) {
    CopyMem (NewPadId, OldPadId, sizeof (EFI_IPSEC_PAD_ID));

  if ((Mask & PEER_ID) != 0) {
    if (OldPadId->PeerIdValid) {
      //
      // StrCmp requires both buffers to be NUL-terminated CHAR16 strings;
      // the casts suggest PeerId is not declared as CHAR16. TODO confirm that
      // both IDs are terminated inside the PeerId buffer — the code that
      // fills NewPadId is not visible here.
      //
      if (StrCmp ((CONST CHAR16 *) OldPadId->Id.PeerId, (CONST CHAR16 *) NewPadId->Id.PeerId) != 0) {
        // (branch body not captured in this listing)
      // (the else branch for an old entry not keyed by ID is not captured)

  //
  // MASK & PEER_ADDRESS
  // (the enclosing "else if" line is not captured; presumably reached when
  // PEER_ADDRESS is set and PEER_ID is not)
  //
    if (OldPadId->PeerIdValid) {
      // (lines between this check and the comparison are not captured)
      //
      // Same address bytes and prefix length mean the same PAD entry.
      //
      if ((CompareMem (&OldPadId->Id.IpAddress.Address, &NewPadId->Id.IpAddress.Address, sizeof (EFI_IP_ADDRESS)) != 0) ||
          (OldPadId->Id.IpAddress.PrefixLength != NewPadId->Id.IpAddress.PrefixLength)) {
        // (branch body not captured in this listing)

  if ((Mask & AUTH_PROTO) != 0) {
    OldData->AuthProtocol = NewData->AuthProtocol;

  if ((Mask & AUTH_METHOD) != 0) {
    OldData->AuthMethod = NewData->AuthMethod;

  if ((Mask & IKE_ID) != 0) {
    OldData->IkeIdFlag = NewData->IkeIdFlag;

  //
  // Authentication and revocation data are taken over as pointer plus size,
  // not copied: the old entry now aliases buffers owned by NewData, so their
  // lifetime must outlive the old entry (ownership rule not visible here).
  //
  if ((Mask & AUTH_DATA) != 0) {
    OldData->AuthDataSize = NewData->AuthDataSize;
    OldData->AuthData = NewData->AuthData;

  if ((Mask & REVOCATION_DATA) != 0) {
    OldData->RevocationDataSize = NewData->RevocationDataSize;
    OldData->RevocationData = NewData->RevocationData;
//
// Combine handlers indexed by data type. The slot order follows the names
// (SPD, SAD, PAD) and EditOperatePolicyEntry asserts the index is below 3.
// The casts to COMBINE_POLICY_ENTRY discard the typed parameter lists, so
// each handler trusts the caller to pass the entry structures matching its
// slot; nothing checks that at the call site.
// (The closing "};" of the initializer is not captured in this listing.)
//
COMBINE_POLICY_ENTRY mCombinePolicyEntry[] = {
  (COMBINE_POLICY_ENTRY) CombineSpdEntry,
  (COMBINE_POLICY_ENTRY) CombineSadEntry,
  (COMBINE_POLICY_ENTRY) CombinePadEntry
/**
  Edit entry information in the database.

  Visitor callback used by EditPolicyEntry: when the visited entry matches
  the indexer in Context, the new values are combined into it and the result
  is written back through mIpSecConfig->SetData.

  NOTE(review): this listing omits the return type, the "Data" parameter
  line, the local declarations, the argument lists of the combine and SetData
  calls, closing braces and the return statement.

  @param[in] Selector  The pointer to the EFI_IPSEC_CONFIG_SELECTOR structure.
  @param[in] Data      The pointer to the data.
  @param[in] Context   The pointer to the EDIT_POLICY_ENTRY_CONTEXT structure
                       (the parameter is declared with that type below; the
                       original comment said INSERT_POLICY_ENTRY_CONTEXT).

  @retval EFI_SUCCESS  Continue the iteration.
  @retval EFI_ABORTED  Abort the iteration.
**/
EditOperatePolicyEntry (
  IN EFI_IPSEC_CONFIG_SELECTOR    *Selector,
  IN EDIT_POLICY_ENTRY_CONTEXT    *Context

  if (mMatchPolicyEntry[Context->DataType] (Selector, Data, &Context->Indexer)) {
    //
    // NOTE(review): Context->DataType has already indexed mMatchPolicyEntry
    // on the line above, so this ASSERT only guards the second lookup; on a
    // build where ASSERT is compiled out neither lookup is bounds-checked.
    // DataType is copied from EditPolicyEntry's DataType argument; where that
    // value is validated is not visible here.
    //
    ASSERT (Context->DataType < 3);

    Status = mCombinePolicyEntry[Context->DataType] (
      // (argument list not captured in this listing)

    if (!EFI_ERROR (Status)) {
      //
      // Insert new entry before old entry
      //
      // Three SetData calls follow (arguments not captured). The first two
      // are checked only with ASSERT_EFI_ERROR, so where ASSERT is compiled
      // out a failed write is ignored and only the third call's status
      // reaches Context->Status.
      //
      Status = mIpSecConfig->SetData (
      ASSERT_EFI_ERROR (Status);

      Status = mIpSecConfig->SetData (
      ASSERT_EFI_ERROR (Status);

      Status = mIpSecConfig->SetData (

    Context->Status = Status;
/**
  Edit entry information in database according to datatype.

  Reads the "-e" index option, builds an indexer for it, constructs the new
  (partial) entry from the remaining options and walks the database with
  EditOperatePolicyEntry to apply the edit.

  NOTE(review): this listing omits the return type and function name, the
  "Status" declaration, closing braces and the final return statement.

  @param[in] DataType      The value of EFI_IPSEC_CONFIG_DATA_TYPE.
  @param[in] ParamPackage  The pointer to the ParamPackage list.

  @retval EFI_SUCCESS    Edit entry information successfully.
  @retval EFI_NOT_FOUND  Can't find the specified entry, or "-e" was not given.
  @retval Others         Errors from the indexer constructor, the entry
                         constructor or the edit visitor.
**/
  IN EFI_IPSEC_CONFIG_DATA_TYPE    DataType,
  IN LIST_ENTRY                    *ParamPackage

  EDIT_POLICY_ENTRY_CONTEXT    Context;
  CONST CHAR16                 *ValueStr;

  ValueStr = ShellCommandLineGetValue (ParamPackage, L"-e");
  if (ValueStr == NULL) {
    //
    // ValueStr is NULL on this path but is still passed as a print argument;
    // harmless only if STR_IPSEC_CONFIG_INDEX_NOT_SPECIFIED consumes no
    // string argument — TODO confirm against the HII string table.
    //
    ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_INDEX_NOT_SPECIFIED), mHiiHandle, mAppName, ValueStr);
    return EFI_NOT_FOUND;

  Status = mConstructPolicyEntryIndexer[DataType] (&Context.Indexer, ParamPackage);
  if (!EFI_ERROR (Status)) {
    Context.DataType = DataType;
    Context.Status = EFI_NOT_FOUND;
    Status = mCreatePolicyEntry[DataType] (&Context.Selector, &Context.Data, ParamPackage, &Context.Mask, FALSE);
    if (!EFI_ERROR (Status)) {
      //
      // Context.Status is what the visitor recorded; EFI_NOT_FOUND survives
      // when no entry matched the indexer.
      //
      ForeachPolicyEntry (DataType, (VISIT_POLICY_ENTRY) EditOperatePolicyEntry, &Context);
      Status = Context.Status;

  //
  // Context is not zero-initialised above, so these guards rely on
  // mCreatePolicyEntry setting both outputs even when it fails — TODO
  // confirm. Whether the guards sit inside the indexer's success branch
  // cannot be told from this listing (closing braces are missing).
  //
  if (Context.Selector != NULL) {
    gBS->FreePool (Context.Selector);

  if (Context.Data != NULL) {
    gBS->FreePool (Context.Data);

  if (Status == EFI_NOT_FOUND) {
    ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_INDEX_NOT_FOUND), mHiiHandle, mAppName, ValueStr);
  } else if (EFI_ERROR (Status)) {
    ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_EDIT_FAILED), mHiiHandle, mAppName);
/**
  Insert entry information in database.

  Visitor callback used by AddOrInsertPolicyEntry: when the visited entry
  matches the indexer in Context, the new entry is written through
  mIpSecConfig->SetData and the iteration is aborted.

  NOTE(review): this listing omits the return type and function name, the
  "Data" parameter line, the SetData argument list, closing braces and the
  return statements.

  @param[in] Selector  The pointer to the EFI_IPSEC_CONFIG_SELECTOR structure.
  @param[in] Data      The pointer to the data.
  @param[in] Context   The pointer to the INSERT_POLICY_ENTRY_CONTEXT structure.

  @retval EFI_SUCCESS  Continue the iteration.
  @retval EFI_ABORTED  Abort the iteration.
**/
  IN EFI_IPSEC_CONFIG_SELECTOR    *Selector,
  IN INSERT_POLICY_ENTRY_CONTEXT  *Context

  //
  // Found the entry which we want to insert before.
  // Unlike EditOperatePolicyEntry there is no ASSERT on Context->DataType
  // before the table lookup; the value is copied from the caller's DataType
  // argument and its validation is not visible here.
  //
  if (mMatchPolicyEntry[Context->DataType] (Selector, Data, &Context->Indexer)) {
    Context->Status = mIpSecConfig->SetData (
      // (argument list not captured in this listing)

    //
    // Abort the iteration after the insertion.
    //
2000 Insert or add entry information in database according to datatype.
2002 @param[in] DataType The value of EFI_IPSEC_CONFIG_DATA_TYPE.
2003 @param[in] ParamPackage The pointer to the ParamPackage list.
2005 @retval EFI_SUCCESS Insert or add entry information successfully.
2006 @retval EFI_NOT_FOUND Can't find the specified entry.
2007 @retval EFI_BUFFER_TOO_SMALL The entry already existed.
2008 @retval EFI_UNSUPPORTED The operation is not supported.
2009 @retval Others Some mistaken case.
2012 AddOrInsertPolicyEntry (
2013 IN EFI_IPSEC_CONFIG_DATA_TYPE DataType
,
2014 IN LIST_ENTRY
*ParamPackage
2018 EFI_IPSEC_CONFIG_SELECTOR
*Selector
;
2020 INSERT_POLICY_ENTRY_CONTEXT Context
;
2023 CONST CHAR16
*ValueStr
;
2025 Status
= mCreatePolicyEntry
[DataType
] (&Selector
, &Data
, ParamPackage
, &Mask
, TRUE
);
2026 if (!EFI_ERROR (Status
)) {
2028 // Find if the Selector to be inserted already exists.
2031 Status
= mIpSecConfig
->GetData (
2038 if (Status
== EFI_BUFFER_TOO_SMALL
) {
2039 ShellPrintHiiEx (-1, -1, NULL
, STRING_TOKEN (STR_IPSEC_CONFIG_ALREADY_EXISTS
), mHiiHandle
, mAppName
);
2040 } else if (ShellCommandLineGetFlag (ParamPackage
, L
"-a")) {
2041 Status
= mIpSecConfig
->SetData (
2049 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"-i");
2050 if (ValueStr
== NULL
) {
2051 ShellPrintHiiEx (-1, -1, NULL
, STRING_TOKEN (STR_IPSEC_CONFIG_INDEX_NOT_SPECIFIED
), mHiiHandle
, mAppName
, ValueStr
);
2052 return EFI_NOT_FOUND
;
2055 Status
= mConstructPolicyEntryIndexer
[DataType
] (&Context
.Indexer
, ParamPackage
);
2056 if (!EFI_ERROR (Status
)) {
2057 Context
.DataType
= DataType
;
2058 Context
.Status
= EFI_NOT_FOUND
;
2059 Context
.Selector
= Selector
;
2060 Context
.Data
= Data
;
2062 ForeachPolicyEntry (DataType
, (VISIT_POLICY_ENTRY
) InsertPolicyEntry
, &Context
);
2063 Status
= Context
.Status
;
2064 if (Status
== EFI_NOT_FOUND
) {
2065 ShellPrintHiiEx (-1, -1, NULL
, STRING_TOKEN (STR_IPSEC_CONFIG_INDEX_NOT_FOUND
), mHiiHandle
, mAppName
, ValueStr
);
2070 gBS
->FreePool (Selector
);
2071 gBS
->FreePool (Data
);
2074 if (Status
== EFI_UNSUPPORTED
) {
2075 ShellPrintHiiEx (-1, -1, NULL
, STRING_TOKEN (STR_IPSEC_CONFIG_INSERT_UNSUPPORT
), mHiiHandle
, mAppName
);
2076 } else if (EFI_ERROR (Status
)) {
2077 ShellPrintHiiEx (-1, -1, NULL
, STRING_TOKEN (STR_IPSEC_CONFIG_INSERT_FAILED
), mHiiHandle
, mAppName
);