2 The common definitions for the Internet Key Exchange (IKE) protocol.
4 Copyright (c) 2010, Intel Corporation. All rights reserved.
6 This program and the accompanying materials
7 are licensed and made available under the terms and conditions of the BSD License
8 which accompanies this distribution. The full text of the license may be found at
9 http://opensource.org/licenses/bsd-license.php.
11 THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
12 WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
20 #include <Library/UdpIoLib.h>
21 #include <Library/BaseCryptLib.h>
22 #include "IpSecImpl.h"
24 #define IKE_VERSION_MAJOR_MASK 0xf0
25 #define IKE_VERSION_MINOR_MASK 0x0f
27 #define IKE_MAJOR_VERSION(v) (((v) & IKE_VERSION_MAJOR_MASK) >> 4)
28 #define IKE_MINOR_VERSION(v) ((v) & IKE_VERSION_MINOR_MASK)
31 // Protocol ID values used in IKEv1 and IKEv2
33 #define IPSEC_PROTO_ISAKMP 1
34 #define IPSEC_PROTO_IPSEC_AH 2
35 #define IPSEC_PROTO_IPSEC_ESP 3
36 #define IPSEC_PROTO_IPCOMP 4 // For IKEv1 this value is reserved
39 // For the algorithm search in the support list. The last two types are for IKEv2 only.
41 #define IKE_ENCRYPT_TYPE 0
42 #define IKE_AUTH_TYPE 1
43 #define IKE_PRF_TYPE 2
47 // Encryption algorithms present in the IKEv1 phase 2 and IKEv2 transform payload (Transform Type 1)
49 #define IPSEC_ESP_DES_IV64 1
50 #define IPSEC_ESP_DES 2
51 #define IPSEC_ESP_3DES 3
52 #define IPSEC_ESP_RC5 4
53 #define IPSEC_ESP_IDEA 5
54 #define IPSEC_ESP_CAST 6
55 #define IPSEC_ESP_BLOWFISH 7
56 #define IPSEC_ESP_3IDEA 8
57 #define IPSEC_ESP_DES_IV32 9
58 #define IPSEC_ESP_RC4 10 // It's reserved in IKEv2
59 #define IPSEC_ESP_NULL 11
60 #define IPSEC_ESP_AES 12
62 #define IKE_XCG_TYPE_NONE 0
63 #define IKE_XCG_TYPE_BASE 1
64 #define IKE_XCG_TYPE_IDENTITY_PROTECT 2
65 #define IKE_XCG_TYPE_AUTH_ONLY 3
66 #define IKE_XCG_TYPE_AGGR 4
67 #define IKE_XCG_TYPE_INFO 5
68 #define IKE_XCG_TYPE_QM 32
69 #define IKE_XCG_TYPE_NGM 33
70 #define IKE_XCG_TYPE_SA_INIT 34
71 #define IKE_XCG_TYPE_AUTH 35
72 #define IKE_XCG_TYPE_CREATE_CHILD_SA 36
73 #define IKE_XCG_TYPE_INFO2 37
75 #define IKE_LIFE_TYPE_SECONDS 1
76 #define IKE_LIFE_TYPE_KILOBYTES 2
79 // Default IKE SA lifetime and CHILD SA lifetime
81 #define IKE_SA_DEFAULT_LIFETIME 1200
82 #define CHILD_SA_DEFAULT_LIFETIME 3600
85 // Next payload type present within the Proposal payload
87 #define IKE_PROPOSAL_NEXT_PAYLOAD_MORE 2
88 #define IKE_PROPOSAL_NEXT_PAYLOAD_NONE 0
91 // Next payload type present within the Transform payload
93 #define IKE_TRANSFORM_NEXT_PAYLOAD_MORE 3
94 #define IKE_TRANSFORM_NEXT_PAYLOAD_NONE 0
97 // Max size of the SA attribute
99 #define MAX_SA_ATTRS_SIZE 48
100 #define SA_ATTR_FORMAT_BIT 0x8000
102 // The definition for Information Message ID.
104 #define INFO_MID_SIGNATURE SIGNATURE_32 ('I', 'N', 'F', 'M')
107 // Type for the IKE SESSION COMMON
111 IkeSessionTypeChildSa
,
117 // The DH group IDs defined in RFC 3526 and RFC 2409
120 OakleyGroupModp768
= 1,
121 OakleyGroupModp1024
= 2,
122 OakleyGroupGp155
= 3, // Unsupported Now.
123 OakleyGroupGp185
= 4, // Unsupported Now.
124 OakleyGroupModp1536
= 5,
126 OakleyGroupModp2048
= 14,
127 OakleyGroupModp3072
= 15,
128 OakleyGroupModp4096
= 16,
129 OakleyGroupModp6144
= 17,
130 OakleyGroupModp8192
= 18,
139 UINT64 InitiatorCookie
;
140 UINT64 ResponderCookie
;
156 // SA Attribute present in Transform Payload
161 IKE_SA_ATTR_UNION Attr
;
166 // Contains the IKE packet information.
172 BOOLEAN IsPayloadsBufExt
;
173 UINT8
*PayloadsBuf
; // The whole IkePacket with the IKE header trimmed off.
174 UINTN PayloadTotalSize
;
175 LIST_ENTRY PayloadList
;
176 EFI_IP_ADDRESS RemotePeerIp
;
177 BOOLEAN IsEncoded
; // whether HTON is done when sending the packet
178 UINT32 Spi
; // For the Delete Information Exchange
179 BOOLEAN IsDeleteInfo
; // For the Delete Information Exchange
180 IPSEC_PRIVATE_DATA
*Private
; // For the Delete Information Exchange
184 // The generic structure for all kinds of IKE payloads.
188 BOOLEAN IsPayloadBufExt
;
202 LIST_ENTRY
*ListHead
;
203 EFI_HANDLE NicHandle
;
204 EFI_HANDLE ImageHandle
;
207 EFI_IP_ADDRESS DefaultAddress
;
208 BOOLEAN IsConfigured
;
212 // Each IKE session has its own key sets for the local peer and the remote peer.
215 EFI_IPSEC_ALGO_INFO LocalPeerInfo
;
216 EFI_IPSEC_ALGO_INFO RemotePeerInfo
;
220 // Each algorithm has its own Id, Guid, BlockSize and KeyLength.
221 // This struct contains this information for each algorithm. It is a generic structure
222 // for both encryption and authentication algorithms.
223 // For an authentication algorithm, AlgSize means IcvSize. For an encryption algorithm,
228 UINT8 AlgorithmId
; // Encryption or Authentication Id used by ESP/AH
230 UINT8 AlgSize
; // IcvSize or IvSize
233 } IKE_ALG_GUID_INFO
; // For IPsec Authentication and Encryption Algorithm.
237 // Structure used to store the DH group
243 UINTN GroupGenerator
;
247 This is the prototype definition of the general interface used to parse the payloads
248 after/before the decode/encode.
250 @param[in] SessionCommon Pointer to the SessionCommon.
251 @param[in] PayloadBuf Pointer to the Payload buffer.
252 @param[in] PayloadSize The size of the PayloadBuf in bytes.
253 @param[in] PayloadType The type of Payload.
258 (*IKE_ON_PAYLOAD_FROM_NET
) (
259 IN UINT8
*SessionCommon
,
260 IN UINT8
*PayloadBuf
,
261 IN UINTN PayloadSize
,