+++ /dev/null
-/** @file\r
- The operations for IKEv2 SA.\r
-\r
- (C) Copyright 2015 Hewlett-Packard Development Company, L.P.<BR>\r
- Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>\r
-\r
- SPDX-License-Identifier: BSD-2-Clause-Patent\r
-\r
-**/\r
-\r
-#include "Utility.h"\r
-#include "IpSecDebug.h"\r
-#include "IkeService.h"\r
-#include "Ikev2.h"\r
-\r
-/**\r
- Generates the DH Key.\r
-\r
- This generates the DH local public key and store it in the IKEv2 SA Session's GxBuffer.\r
-\r
- @param[in] IkeSaSession Pointer to related IKE SA Session.\r
-\r
- @retval EFI_SUCCESS The operation succeeded.\r
- @retval Others The operation failed.\r
-\r
-**/\r
-EFI_STATUS\r
-Ikev2GenerateSaDhPublicKey (\r
- IN IKEV2_SA_SESSION *IkeSaSession\r
- );\r
-\r
-/**\r
- Generates the IKEv2 SA key for the furthure IKEv2 exchange.\r
-\r
- @param[in] IkeSaSession Pointer to IKEv2 SA Session.\r
- @param[in] KePayload Pointer to Key payload used to generate the Key.\r
-\r
- @retval EFI_UNSUPPORTED If the Algorithm Id is not supported.\r
- @retval EFI_SUCCESS The operation succeeded.\r
-\r
-**/\r
-EFI_STATUS\r
-Ikev2GenerateSaKeys (\r
- IN IKEV2_SA_SESSION *IkeSaSession,\r
- IN IKE_PAYLOAD *KePayload\r
- );\r
-\r
-/**\r
- Generates the Keys for the furthure IPsec Protocol.\r
-\r
- @param[in] ChildSaSession Pointer to IKE Child SA Session.\r
- @param[in] KePayload Pointer to Key payload used to generate the Key.\r
-\r
- @retval EFI_UNSUPPORTED If one or more Algorithm Id is unsupported.\r
- @retval EFI_SUCCESS The operation succeeded.\r
-\r
-**/\r
-EFI_STATUS\r
-Ikev2GenerateChildSaKeys (\r
- IN IKEV2_CHILD_SA_SESSION *ChildSaSession,\r
- IN IKE_PAYLOAD *KePayload\r
- );\r
-\r
-/**\r
- Gernerates IKEv2 packet for IKE_SA_INIT exchange.\r
-\r
- @param[in] SaSession Pointer to IKEV2_SA_SESSION related to the exchange.\r
- @param[in] Context Context Data passed by caller.\r
-\r
- @retval EFI_SUCCESS The IKEv2 packet generation succeeded.\r
- @retval Others The IKEv2 packet generation failed.\r
-\r
-**/\r
-IKE_PACKET *\r
-Ikev2InitPskGenerator (\r
- IN UINT8 *SaSession,\r
- IN VOID *Context\r
- )\r
-{\r
- IKE_PACKET *IkePacket;\r
- IKEV2_SA_SESSION *IkeSaSession;\r
- IKE_PAYLOAD *SaPayload;\r
- IKE_PAYLOAD *KePayload;\r
- IKE_PAYLOAD *NoncePayload;\r
- IKE_PAYLOAD *NotifyPayload;\r
- EFI_STATUS Status;\r
-\r
- SaPayload = NULL;\r
- KePayload = NULL;\r
- NoncePayload = NULL;\r
- NotifyPayload = NULL;\r
-\r
- IkeSaSession = (IKEV2_SA_SESSION *) SaSession;\r
-\r
- //\r
- // 1. Allocate IKE packet\r
- //\r
- IkePacket = IkePacketAlloc ();\r
- if (IkePacket == NULL) {\r
- goto CheckError;\r
- }\r
-\r
- //\r
- // 1.a Fill the IkePacket->Hdr\r
- //\r
- IkePacket->Header->ExchangeType = IKEV2_EXCHANGE_TYPE_INIT;\r
- IkePacket->Header->InitiatorCookie = IkeSaSession->InitiatorCookie;\r
- IkePacket->Header->ResponderCookie = IkeSaSession->ResponderCookie;\r
- IkePacket->Header->Version = (UINT8) (2 << 4);\r
- IkePacket->Header->MessageId = 0;\r
-\r
- if (IkeSaSession->SessionCommon.IsInitiator) {\r
- IkePacket->Header->Flags = IKE_HEADER_FLAGS_INIT;\r
- } else {\r
- IkePacket->Header->Flags = IKE_HEADER_FLAGS_RESPOND;\r
- }\r
-\r
- //\r
- // If the NCookie is not NULL, this IKE_SA_INIT packet is resent by the NCookie\r
- // and the NCookie payload should be the first payload in this packet.\r
- //\r
- if (IkeSaSession->NCookie != NULL) {\r
- IkePacket->Header->NextPayload = IKEV2_PAYLOAD_TYPE_NOTIFY;\r
- NotifyPayload = Ikev2GenerateNotifyPayload (\r
- IPSEC_PROTO_ISAKMP,\r
- IKEV2_PAYLOAD_TYPE_SA,\r
- 0,\r
- IKEV2_NOTIFICATION_COOKIE,\r
- NULL,\r
- IkeSaSession->NCookie,\r
- IkeSaSession->NCookieSize\r
- );\r
- } else {\r
- IkePacket->Header->NextPayload = IKEV2_PAYLOAD_TYPE_SA;\r
- }\r
-\r
- //\r
- // 2. Generate SA Payload according to the SaData & SaParams\r
- //\r
- SaPayload = Ikev2GenerateSaPayload (\r
- IkeSaSession->SaData,\r
- IKEV2_PAYLOAD_TYPE_KE,\r
- IkeSessionTypeIkeSa\r
- );\r
-\r
- //\r
- // 3. Generate DH public key.\r
- // The DhPrivate Key has been generated in Ikev2InitPskParser, if the\r
- // IkeSaSession is responder. If resending IKE_SA_INIT with Cookie Notify\r
- // No need to recompute the Public key.\r
- //\r
- if ((IkeSaSession->SessionCommon.IsInitiator) && (IkeSaSession->NCookie == NULL)) {\r
- Status = Ikev2GenerateSaDhPublicKey (IkeSaSession);\r
- if (EFI_ERROR (Status)) {\r
- goto CheckError;\r
- }\r
- }\r
-\r
- //\r
- // 4. Generate KE Payload according to SaParams->DhGroup\r
- //\r
- KePayload = Ikev2GenerateKePayload (\r
- IkeSaSession,\r
- IKEV2_PAYLOAD_TYPE_NONCE\r
- );\r
-\r
- //\r
- // 5. Generate Nonce Payload\r
- // If resending IKE_SA_INIT with Cookie Notify paylaod, no need to regenerate\r
- // the Nonce Payload.\r
- //\r
- if ((IkeSaSession->SessionCommon.IsInitiator) && (IkeSaSession->NCookie == NULL)) {\r
- IkeSaSession->NiBlkSize = IKE_NONCE_SIZE;\r
- IkeSaSession->NiBlock = IkeGenerateNonce (IKE_NONCE_SIZE);\r
- if (IkeSaSession->NiBlock == NULL) {\r
- goto CheckError;\r
- }\r
- }\r
-\r
- if (IkeSaSession->SessionCommon.IsInitiator) {\r
- NoncePayload = Ikev2GenerateNoncePayload (\r
- IkeSaSession->NiBlock,\r
- IkeSaSession->NiBlkSize,\r
- IKEV2_PAYLOAD_TYPE_NONE\r
- );\r
- } else {\r
- //\r
- // The Nonce Payload has been created in Ikev2PskParser if the IkeSaSession is\r
- // responder.\r
- //\r
- NoncePayload = Ikev2GenerateNoncePayload (\r
- IkeSaSession->NrBlock,\r
- IkeSaSession->NrBlkSize,\r
- IKEV2_PAYLOAD_TYPE_NONE\r
- );\r
- }\r
-\r
- if (NotifyPayload != NULL) {\r
- IKE_PACKET_APPEND_PAYLOAD (IkePacket, NotifyPayload);\r
- }\r
- if (SaPayload != NULL) {\r
- IKE_PACKET_APPEND_PAYLOAD (IkePacket, SaPayload);\r
- }\r
- if (KePayload != NULL) {\r
- IKE_PACKET_APPEND_PAYLOAD (IkePacket, KePayload);\r
- }\r
- if (NoncePayload != NULL) {\r
- IKE_PACKET_APPEND_PAYLOAD (IkePacket, NoncePayload);\r
- }\r
-\r
- return IkePacket;\r
-\r
-CheckError:\r
- if (IkePacket != NULL) {\r
- IkePacketFree (IkePacket);\r
- }\r
- if (SaPayload != NULL) {\r
- IkePayloadFree (SaPayload);\r
- }\r
- return NULL;\r
-}\r
-\r
-/**\r
- Parses the IKEv2 packet for IKE_SA_INIT exchange.\r
-\r
- @param[in] SaSession Pointer to IKEV2_SA_SESSION related to the exchange.\r
- @param[in] IkePacket The received IKE packet to be parsed.\r
-\r
- @retval EFI_SUCCESS The IKEv2 packet is acceptable and the relative data is\r
- saved for furthure communication.\r
- @retval EFI_INVALID_PARAMETER The IKEv2 packet is malformed or the SA proposal is unacceptable.\r
-\r
-**/\r
-EFI_STATUS\r
-Ikev2InitPskParser (\r
- IN UINT8 *SaSession,\r
- IN IKE_PACKET *IkePacket\r
- )\r
-{\r
- IKEV2_SA_SESSION *IkeSaSession;\r
- IKE_PAYLOAD *SaPayload;\r
- IKE_PAYLOAD *KeyPayload;\r
- IKE_PAYLOAD *IkePayload;\r
- IKE_PAYLOAD *NoncePayload;\r
- IKE_PAYLOAD *NotifyPayload;\r
- UINT8 *NonceBuffer;\r
- UINTN NonceSize;\r
- LIST_ENTRY *Entry;\r
- EFI_STATUS Status;\r
-\r
- IkeSaSession = (IKEV2_SA_SESSION *) SaSession;\r
- KeyPayload = NULL;\r
- SaPayload = NULL;\r
- NoncePayload = NULL;\r
- IkePayload = NULL;\r
- NotifyPayload = NULL;\r
-\r
- //\r
- // Iterate payloads to find the SaPayload and KeyPayload.\r
- //\r
- NET_LIST_FOR_EACH (Entry, &(IkePacket)->PayloadList) {\r
- IkePayload = IKE_PAYLOAD_BY_PACKET (Entry);\r
- if (IkePayload->PayloadType == IKEV2_PAYLOAD_TYPE_SA) {\r
- SaPayload = IkePayload;\r
- }\r
- if (IkePayload->PayloadType == IKEV2_PAYLOAD_TYPE_KE) {\r
- KeyPayload = IkePayload;\r
- }\r
- if (IkePayload->PayloadType == IKEV2_PAYLOAD_TYPE_NONCE) {\r
- NoncePayload = IkePayload;\r
- }\r
- if (IkePayload->PayloadType == IKEV2_PAYLOAD_TYPE_NOTIFY) {\r
- NotifyPayload = IkePayload;\r
- }\r
- }\r
-\r
- //\r
- // According to RFC 4306 - 2.6. If the responder responds with the COOKIE Notify\r
- // payload with the cookie data, initiator MUST retry the IKE_SA_INIT with a\r
- // Notify payload of type COOKIE containing the responder suppplied cookie data\r
- // as first payload and all other payloads unchanged.\r
- //\r
- if (IkeSaSession->SessionCommon.IsInitiator) {\r
- if (NotifyPayload != NULL && !EFI_ERROR(Ikev2ParserNotifyCookiePayload (NotifyPayload, IkeSaSession))) {\r
- return EFI_SUCCESS;\r
- }\r
- }\r
-\r
- if ((KeyPayload == NULL) || (SaPayload == NULL) || (NoncePayload == NULL)) {\r
- return EFI_INVALID_PARAMETER;\r
- }\r
-\r
- //\r
- // Store NoncePayload for SKEYID computing.\r
- //\r
- NonceSize = NoncePayload->PayloadSize - sizeof (IKEV2_COMMON_PAYLOAD_HEADER);\r
- NonceBuffer = (UINT8 *) AllocatePool (NonceSize);\r
- if (NonceBuffer == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto CheckError;\r
- }\r
-\r
- CopyMem (\r
- NonceBuffer,\r
- NoncePayload->PayloadBuf + sizeof (IKEV2_COMMON_PAYLOAD_HEADER),\r
- NonceSize\r
- );\r
-\r
- //\r
- // Check if IkePacket Header matches the state\r
- //\r
- if (IkeSaSession->SessionCommon.IsInitiator) {\r
- //\r
- // 1. Check the IkePacket->Hdr == IKE_HEADER_FLAGS_RESPOND\r
- //\r
- if (IkePacket->Header->Flags != IKE_HEADER_FLAGS_RESPOND) {\r
- Status = EFI_INVALID_PARAMETER;\r
- goto CheckError;\r
- }\r
-\r
- //\r
- // 2. Parse the SA Payload and Key Payload to find out the cryptographic\r
- // suite and fill in the Sa paramse into CommonSession->SaParams\r
- //\r
- if (!Ikev2SaParseSaPayload (IkeSaSession, SaPayload, IkePacket->Header->Flags)) {\r
- Status = EFI_INVALID_PARAMETER;\r
- goto CheckError;\r
- }\r
-\r
- //\r
- // 3. If Initiator, the NoncePayload is Nr_b.\r
- //\r
- IKEV2_DUMP_STATE (IkeSaSession->SessionCommon.State, IkeStateAuth);\r
- IkeSaSession->NrBlock = NonceBuffer;\r
- IkeSaSession->NrBlkSize = NonceSize;\r
- IkeSaSession->SessionCommon.State = IkeStateAuth;\r
- IkeSaSession->ResponderCookie = IkePacket->Header->ResponderCookie;\r
-\r
- //\r
- // 4. Change the state of IkeSaSession\r
- //\r
- IkeSaSession->SessionCommon.State = IkeStateAuth;\r
- } else {\r
- //\r
- // 1. Check the IkePacket->Hdr == IKE_HEADER_FLAGS_INIT\r
- //\r
- if (IkePacket->Header->Flags != IKE_HEADER_FLAGS_INIT) {\r
- Status = EFI_INVALID_PARAMETER;\r
- goto CheckError;\r
- }\r
-\r
- //\r
- // 2. Parse the SA payload and find out the perfered one\r
- // and fill in the SA parameters into CommonSession->SaParams and SaData into\r
- // IkeSaSession for the responder SA payload generation.\r
- //\r
- if (!Ikev2SaParseSaPayload (IkeSaSession, SaPayload, IkePacket->Header->Flags)) {\r
- Status = EFI_INVALID_PARAMETER;\r
- goto CheckError;\r
- }\r
-\r
- //\r
- // 3. Generat Dh Y parivate Key\r
- //\r
- Status = Ikev2GenerateSaDhPublicKey (IkeSaSession);\r
- if (EFI_ERROR (Status)) {\r
- goto CheckError;\r
- }\r
-\r
- //\r
- // 4. If Responder, the NoncePayload is Ni_b and go to generate Nr_b.\r
- //\r
- IkeSaSession->NiBlock = NonceBuffer;\r
- IkeSaSession->NiBlkSize = NonceSize;\r
-\r
- //\r
- // 5. Generate Nr_b\r
- //\r
- IkeSaSession->NrBlock = IkeGenerateNonce (IKE_NONCE_SIZE);\r
- ASSERT (IkeSaSession->NrBlock != NULL);\r
- IkeSaSession->NrBlkSize = IKE_NONCE_SIZE;\r
-\r
- //\r
- // 6. Save the Cookies\r
- //\r
- IkeSaSession->InitiatorCookie = IkePacket->Header->InitiatorCookie;\r
- IkeSaSession->ResponderCookie = IkeGenerateCookie ();\r
- }\r
-\r
- if (IkeSaSession->SessionCommon.PreferDhGroup != ((IKEV2_KEY_EXCHANGE *)KeyPayload->PayloadBuf)->DhGroup) {\r
- Status = EFI_INVALID_PARAMETER;\r
- goto CheckError;\r
- }\r
- //\r
- // Call Ikev2GenerateSaKeys to create SKEYID, SKEYID_d, SKEYID_a, SKEYID_e.\r
- //\r
- Status = Ikev2GenerateSaKeys (IkeSaSession, KeyPayload);\r
- if (EFI_ERROR(Status)) {\r
- goto CheckError;\r
- }\r
- return EFI_SUCCESS;\r
-\r
-CheckError:\r
- if (NonceBuffer != NULL) {\r
- FreePool (NonceBuffer);\r
- }\r
-\r
- return Status;\r
-}\r
-\r
-/**\r
- Generates the IKEv2 packet for IKE_AUTH exchange.\r
-\r
- @param[in] SaSession Pointer to IKEV2_SA_SESSION.\r
- @param[in] Context Context data passed by caller.\r
-\r
- @retval Pointer to IKE Packet to be sent out.\r
-\r
-**/\r
-IKE_PACKET *\r
-Ikev2AuthPskGenerator (\r
- IN UINT8 *SaSession,\r
- IN VOID *Context\r
- )\r
-{\r
- IKE_PACKET *IkePacket;\r
- IKEV2_SA_SESSION *IkeSaSession;\r
- IKE_PAYLOAD *IdPayload;\r
- IKE_PAYLOAD *AuthPayload;\r
- IKE_PAYLOAD *SaPayload;\r
- IKE_PAYLOAD *TsiPayload;\r
- IKE_PAYLOAD *TsrPayload;\r
- IKE_PAYLOAD *NotifyPayload;\r
- IKE_PAYLOAD *CpPayload;\r
- IKEV2_CHILD_SA_SESSION *ChildSaSession;\r
-\r
-\r
- IkeSaSession = (IKEV2_SA_SESSION *) SaSession;\r
- ChildSaSession = IKEV2_CHILD_SA_SESSION_BY_IKE_SA (GetFirstNode (&IkeSaSession->ChildSaSessionList));\r
-\r
- IkePacket = NULL;\r
- IdPayload = NULL;\r
- AuthPayload = NULL;\r
- SaPayload = NULL;\r
- TsiPayload = NULL;\r
- TsrPayload = NULL;\r
- NotifyPayload = NULL;\r
- CpPayload = NULL;\r
- NotifyPayload = NULL;\r
-\r
- //\r
- // 1. Allocate IKE Packet\r
- //\r
- IkePacket= IkePacketAlloc ();\r
- if (IkePacket == NULL) {\r
- return NULL;\r
- }\r
-\r
- //\r
- // 1.a Fill the IkePacket Header.\r
- //\r
- IkePacket->Header->ExchangeType = IKEV2_EXCHANGE_TYPE_AUTH;\r
- IkePacket->Header->InitiatorCookie = IkeSaSession->InitiatorCookie;\r
- IkePacket->Header->ResponderCookie = IkeSaSession->ResponderCookie;\r
- IkePacket->Header->Version = (UINT8)(2 << 4);\r
- if (ChildSaSession->SessionCommon.IsInitiator) {\r
- IkePacket->Header->NextPayload = IKEV2_PAYLOAD_TYPE_ID_INIT;\r
- } else {\r
- IkePacket->Header->NextPayload = IKEV2_PAYLOAD_TYPE_ID_RSP;\r
- }\r
-\r
- //\r
- // According to RFC4306_2.2, For the IKE_SA_INIT message the MessageID should\r
- // be always number 0 and 1;\r
- //\r
- IkePacket->Header->MessageId = 1;\r
-\r
- if (IkeSaSession->SessionCommon.IsInitiator) {\r
- IkePacket->Header->Flags = IKE_HEADER_FLAGS_INIT;\r
- } else {\r
- IkePacket->Header->Flags = IKE_HEADER_FLAGS_RESPOND;\r
- }\r
-\r
- //\r
- // 2. Generate ID Payload according to IP version and address.\r
- //\r
- IdPayload = Ikev2GenerateIdPayload (\r
- &IkeSaSession->SessionCommon,\r
- IKEV2_PAYLOAD_TYPE_AUTH\r
- );\r
- if (IdPayload == NULL) {\r
- goto CheckError;\r
- }\r
-\r
- //\r
- // 3. Generate Auth Payload\r
- // If it is tunnel mode, should create the configuration payload after the\r
- // Auth payload.\r
- //\r
- if (IkeSaSession->Spd->Data->ProcessingPolicy->Mode == EfiIPsecTransport) {\r
-\r
- AuthPayload = Ikev2PskGenerateAuthPayload (\r
- ChildSaSession->IkeSaSession,\r
- IdPayload,\r
- IKEV2_PAYLOAD_TYPE_SA,\r
- FALSE\r
- );\r
- } else {\r
- AuthPayload = Ikev2PskGenerateAuthPayload (\r
- ChildSaSession->IkeSaSession,\r
- IdPayload,\r
- IKEV2_PAYLOAD_TYPE_CP,\r
- FALSE\r
- );\r
- if (IkeSaSession->SessionCommon.UdpService->IpVersion == IP_VERSION_4) {\r
- CpPayload = Ikev2GenerateCpPayload (\r
- ChildSaSession->IkeSaSession,\r
- IKEV2_PAYLOAD_TYPE_SA,\r
- IKEV2_CFG_ATTR_INTERNAL_IP4_ADDRESS\r
- );\r
- } else {\r
- CpPayload = Ikev2GenerateCpPayload (\r
- ChildSaSession->IkeSaSession,\r
- IKEV2_PAYLOAD_TYPE_SA,\r
- IKEV2_CFG_ATTR_INTERNAL_IP6_ADDRESS\r
- );\r
- }\r
-\r
- if (CpPayload == NULL) {\r
- goto CheckError;\r
- }\r
- }\r
-\r
- if (AuthPayload == NULL) {\r
- goto CheckError;\r
- }\r
-\r
- //\r
- // 4. Generate SA Payload according to the SA Data in ChildSaSession\r
- //\r
- SaPayload = Ikev2GenerateSaPayload (\r
- ChildSaSession->SaData,\r
- IKEV2_PAYLOAD_TYPE_TS_INIT,\r
- IkeSessionTypeChildSa\r
- );\r
- if (SaPayload == NULL) {\r
- goto CheckError;\r
- }\r
-\r
- if (IkeSaSession->Spd->Data->ProcessingPolicy->Mode == EfiIPsecTransport) {\r
- //\r
- // Generate Tsi and Tsr.\r
- //\r
- TsiPayload = Ikev2GenerateTsPayload (\r
- ChildSaSession,\r
- IKEV2_PAYLOAD_TYPE_TS_RSP,\r
- FALSE\r
- );\r
-\r
- TsrPayload = Ikev2GenerateTsPayload (\r
- ChildSaSession,\r
- IKEV2_PAYLOAD_TYPE_NOTIFY,\r
- FALSE\r
- );\r
-\r
- //\r
- // Generate Notify Payload. If transport mode, there should have Notify\r
- // payload with TRANSPORT_MODE notification.\r
- //\r
- NotifyPayload = Ikev2GenerateNotifyPayload (\r
- 0,\r
- IKEV2_PAYLOAD_TYPE_NONE,\r
- 0,\r
- IKEV2_NOTIFICATION_USE_TRANSPORT_MODE,\r
- NULL,\r
- NULL,\r
- 0\r
- );\r
- if (NotifyPayload == NULL) {\r
- goto CheckError;\r
- }\r
- } else {\r
- //\r
- // Generate Tsr for Tunnel mode.\r
- //\r
- TsiPayload = Ikev2GenerateTsPayload (\r
- ChildSaSession,\r
- IKEV2_PAYLOAD_TYPE_TS_RSP,\r
- TRUE\r
- );\r
- TsrPayload = Ikev2GenerateTsPayload (\r
- ChildSaSession,\r
- IKEV2_PAYLOAD_TYPE_NONE,\r
- FALSE\r
- );\r
- }\r
-\r
- if (TsiPayload == NULL || TsrPayload == NULL) {\r
- goto CheckError;\r
- }\r
-\r
- IKE_PACKET_APPEND_PAYLOAD (IkePacket, IdPayload);\r
- IKE_PACKET_APPEND_PAYLOAD (IkePacket, AuthPayload);\r
- if (IkeSaSession->Spd->Data->ProcessingPolicy->Mode == EfiIPsecTunnel) {\r
- IKE_PACKET_APPEND_PAYLOAD (IkePacket, CpPayload);\r
- }\r
- IKE_PACKET_APPEND_PAYLOAD (IkePacket, SaPayload);\r
- IKE_PACKET_APPEND_PAYLOAD (IkePacket, TsiPayload);\r
- IKE_PACKET_APPEND_PAYLOAD (IkePacket, TsrPayload);\r
- if (IkeSaSession->Spd->Data->ProcessingPolicy->Mode == EfiIPsecTransport) {\r
- IKE_PACKET_APPEND_PAYLOAD (IkePacket, NotifyPayload);\r
- }\r
-\r
- return IkePacket;\r
-\r
-CheckError:\r
- if (IkePacket != NULL) {\r
- IkePacketFree (IkePacket);\r
- }\r
-\r
- if (IdPayload != NULL) {\r
- IkePayloadFree (IdPayload);\r
- }\r
-\r
- if (AuthPayload != NULL) {\r
- IkePayloadFree (AuthPayload);\r
- }\r
-\r
- if (CpPayload != NULL) {\r
- IkePayloadFree (CpPayload);\r
- }\r
-\r
- if (SaPayload != NULL) {\r
- IkePayloadFree (SaPayload);\r
- }\r
-\r
- if (TsiPayload != NULL) {\r
- IkePayloadFree (TsiPayload);\r
- }\r
-\r
- if (TsrPayload != NULL) {\r
- IkePayloadFree (TsrPayload);\r
- }\r
-\r
- if (NotifyPayload != NULL) {\r
- IkePayloadFree (NotifyPayload);\r
- }\r
-\r
- return NULL;\r
-}\r
-\r
-/**\r
- Parses IKE_AUTH packet.\r
-\r
- @param[in] SaSession Pointer to the IKE_SA_SESSION related to this packet.\r
- @param[in] IkePacket Pointer to the IKE_AUTH packet to be parsered.\r
-\r
- @retval EFI_INVALID_PARAMETER The IKE packet is malformed or the SA\r
- proposal is unacceptable.\r
- @retval EFI_SUCCESS The IKE packet is acceptable and the\r
- relative data is saved for furthure communication.\r
-\r
-**/\r
-EFI_STATUS\r
-Ikev2AuthPskParser (\r
- IN UINT8 *SaSession,\r
- IN IKE_PACKET *IkePacket\r
- )\r
-{\r
- IKEV2_CHILD_SA_SESSION *ChildSaSession;\r
- IKEV2_SA_SESSION *IkeSaSession;\r
- IKE_PAYLOAD *IkePayload;\r
- IKE_PAYLOAD *SaPayload;\r
- IKE_PAYLOAD *IdiPayload;\r
- IKE_PAYLOAD *IdrPayload;\r
- IKE_PAYLOAD *AuthPayload;\r
- IKE_PAYLOAD *TsiPayload;\r
- IKE_PAYLOAD *TsrPayload;\r
- IKE_PAYLOAD *VerifiedAuthPayload;\r
- LIST_ENTRY *Entry;\r
- EFI_STATUS Status;\r
-\r
- IkeSaSession = (IKEV2_SA_SESSION *) SaSession;\r
- ChildSaSession = IKEV2_CHILD_SA_SESSION_BY_IKE_SA (GetFirstNode (&IkeSaSession->ChildSaSessionList));\r
-\r
- SaPayload = NULL;\r
- IdiPayload = NULL;\r
- IdrPayload = NULL;\r
- AuthPayload = NULL;\r
- TsiPayload = NULL;\r
- TsrPayload = NULL;\r
-\r
- //\r
- // Iterate payloads to find the SaPayload/ID/AUTH/TS Payload.\r
- //\r
- NET_LIST_FOR_EACH (Entry, &(IkePacket)->PayloadList) {\r
- IkePayload = IKE_PAYLOAD_BY_PACKET (Entry);\r
-\r
- if (IkePayload->PayloadType == IKEV2_PAYLOAD_TYPE_ID_INIT) {\r
- IdiPayload = IkePayload;\r
- }\r
- if (IkePayload->PayloadType == IKEV2_PAYLOAD_TYPE_ID_RSP) {\r
- IdrPayload = IkePayload;\r
- }\r
- if (IkePayload->PayloadType == IKEV2_PAYLOAD_TYPE_SA) {\r
- SaPayload = IkePayload;\r
- }\r
- if (IkePayload->PayloadType == IKEV2_PAYLOAD_TYPE_AUTH) {\r
- AuthPayload = IkePayload;\r
- }\r
- if (IkePayload->PayloadType == IKEV2_PAYLOAD_TYPE_TS_INIT) {\r
- TsiPayload = IkePayload;\r
- }\r
- if (IkePayload->PayloadType == IKEV2_PAYLOAD_TYPE_TS_RSP) {\r
- TsrPayload = IkePayload;\r
- }\r
- }\r
-\r
- if ((SaPayload == NULL) || (AuthPayload == NULL) || (TsiPayload == NULL) || (TsrPayload == NULL)) {\r
- return EFI_INVALID_PARAMETER;\r
- }\r
- if ((IdiPayload == NULL) && (IdrPayload == NULL)) {\r
- return EFI_INVALID_PARAMETER;\r
- }\r
-\r
- //\r
- // Check IkePacket Header is match the state\r
- //\r
- if (IkeSaSession->SessionCommon.IsInitiator) {\r
-\r
- //\r
- // 1. Check the IkePacket->Hdr == IKE_HEADER_FLAGS_RESPOND\r
- //\r
- if ((IkePacket->Header->Flags != IKE_HEADER_FLAGS_RESPOND) ||\r
- (IkePacket->Header->ExchangeType != IKEV2_EXCHANGE_TYPE_AUTH)\r
- ) {\r
- return EFI_INVALID_PARAMETER;\r
- }\r
-\r
- } else {\r
- //\r
- // 1. Check the IkePacket->Hdr == IKE_HEADER_FLAGS_INIT\r
- //\r
- if ((IkePacket->Header->Flags != IKE_HEADER_FLAGS_INIT) ||\r
- (IkePacket->Header->ExchangeType != IKEV2_EXCHANGE_TYPE_AUTH)\r
- ) {\r
- return EFI_INVALID_PARAMETER;\r
- }\r
-\r
- //\r
- // 2. Parse the SA payload and Key Payload and find out the perferable one\r
- // and fill in the Sa paramse into CommonSession->SaParams and SaData into\r
- // IkeSaSession for the responder SA payload generation.\r
- //\r
- }\r
-\r
- //\r
- // Verify the Auth Payload.\r
- //\r
- VerifiedAuthPayload = Ikev2PskGenerateAuthPayload (\r
- IkeSaSession,\r
- IkeSaSession->SessionCommon.IsInitiator ? IdrPayload : IdiPayload,\r
- IKEV2_PAYLOAD_TYPE_SA,\r
- TRUE\r
- );\r
- if ((VerifiedAuthPayload != NULL) &&\r
- (0 != CompareMem (\r
- VerifiedAuthPayload->PayloadBuf + sizeof (IKEV2_COMMON_PAYLOAD_HEADER),\r
- AuthPayload->PayloadBuf + sizeof (IKEV2_COMMON_PAYLOAD_HEADER),\r
- VerifiedAuthPayload->PayloadSize - sizeof (IKEV2_COMMON_PAYLOAD_HEADER)\r
- ))) {\r
- return EFI_INVALID_PARAMETER;\r
- };\r
-\r
- //\r
- // 3. Parse the SA Payload to find out the cryptographic suite\r
- // and fill in the Sa paramse into CommonSession->SaParams. If no acceptable\r
- // porposal found, return EFI_INVALID_PARAMETER.\r
- //\r
- if (!Ikev2ChildSaParseSaPayload (ChildSaSession, SaPayload, IkePacket->Header->Flags)) {\r
- return EFI_INVALID_PARAMETER;\r
- }\r
-\r
- //\r
- // 4. Parse TSi, TSr payloads.\r
- //\r
- if ((((TRAFFIC_SELECTOR *)(TsiPayload->PayloadBuf + sizeof (IKEV2_TS)))->IpProtocolId !=\r
- ((TRAFFIC_SELECTOR *)(TsrPayload->PayloadBuf + sizeof (IKEV2_TS)))->IpProtocolId) &&\r
- (((TRAFFIC_SELECTOR *)(TsiPayload->PayloadBuf + sizeof (IKEV2_TS)))->IpProtocolId != 0) &&\r
- (((TRAFFIC_SELECTOR *)(TsrPayload->PayloadBuf + sizeof (IKEV2_TS)))->IpProtocolId != 0)\r
- ) {\r
- return EFI_INVALID_PARAMETER;\r
- }\r
-\r
- if (!IkeSaSession->SessionCommon.IsInitiator) {\r
- //\r
- //TODO:check the Port range. Only support any port and one certain port here.\r
- //\r
- ChildSaSession->ProtoId = ((TRAFFIC_SELECTOR *)(TsrPayload->PayloadBuf + sizeof (IKEV2_TS)))->IpProtocolId;\r
- ChildSaSession->LocalPort = ((TRAFFIC_SELECTOR *)(TsrPayload->PayloadBuf + sizeof (IKEV2_TS)))->StartPort;\r
- ChildSaSession->RemotePort = ((TRAFFIC_SELECTOR *)(TsiPayload->PayloadBuf + sizeof (IKEV2_TS)))->StartPort;\r
- //\r
- // Association a SPD with this SA.\r
- //\r
- Status = Ikev2ChildSaAssociateSpdEntry (ChildSaSession);\r
- if (EFI_ERROR (Status)) {\r
- return EFI_INVALID_PARAMETER;\r
- }\r
- //\r
- // Associate the IkeSaSession's SPD to the first ChildSaSession's SPD.\r
- //\r
- if (ChildSaSession->IkeSaSession->Spd == NULL) {\r
- ChildSaSession->IkeSaSession->Spd = ChildSaSession->Spd;\r
- Status = Ikev2ChildSaSessionSpdSelectorCreate (ChildSaSession);\r
- if (EFI_ERROR (Status)) {\r
- return Status;\r
- }\r
- }\r
- } else {\r
- //\r
- //TODO:check the Port range.\r
- //\r
- if ((((TRAFFIC_SELECTOR *)(TsrPayload->PayloadBuf + sizeof (IKEV2_TS)))->StartPort != 0) &&\r
- (((TRAFFIC_SELECTOR *)(TsrPayload->PayloadBuf + sizeof (IKEV2_TS)))->StartPort != ChildSaSession->RemotePort)\r
- ) {\r
- return EFI_INVALID_PARAMETER;\r
- }\r
- if ((((TRAFFIC_SELECTOR *)(TsiPayload->PayloadBuf + sizeof (IKEV2_TS)))->StartPort != 0) &&\r
- (((TRAFFIC_SELECTOR *)(TsiPayload->PayloadBuf + sizeof (IKEV2_TS)))->StartPort != ChildSaSession->LocalPort)\r
- ) {\r
- return EFI_INVALID_PARAMETER;\r
- }\r
- //\r
- // For the tunnel mode, it should add the vitual IP address into the SA's SPD Selector.\r
- //\r
- if (ChildSaSession->Spd->Data->ProcessingPolicy->Mode == EfiIPsecTunnel) {\r
- if (!ChildSaSession->IkeSaSession->SessionCommon.IsInitiator) {\r
- //\r
- // If it is tunnel mode, the UEFI part must be the initiator.\r
- //\r
- return EFI_INVALID_PARAMETER;\r
- }\r
- //\r
- // Get the Virtual IP address from the Tsi traffic selector.\r
- // TODO: check the CFG reply payload\r
- //\r
- CopyMem (\r
- &ChildSaSession->SpdSelector->LocalAddress[0].Address,\r
- TsiPayload->PayloadBuf + sizeof (IKEV2_TS) + sizeof (TRAFFIC_SELECTOR),\r
- (ChildSaSession->SessionCommon.UdpService->IpVersion == IP_VERSION_4) ?\r
- sizeof (EFI_IPv4_ADDRESS) : sizeof (EFI_IPv6_ADDRESS)\r
- );\r
- }\r
- }\r
-\r
- //\r
- // 5. Generate keymats for IPsec protocol.\r
- //\r
- Status = Ikev2GenerateChildSaKeys (ChildSaSession, NULL);\r
- if (EFI_ERROR (Status)) {\r
- return Status;\r
- }\r
-\r
- if (IkeSaSession->SessionCommon.IsInitiator) {\r
- //\r
- // 6. Change the state of IkeSaSession\r
- //\r
- IKEV2_DUMP_STATE (IkeSaSession->SessionCommon.State, IkeStateIkeSaEstablished);\r
- IkeSaSession->SessionCommon.State = IkeStateIkeSaEstablished;\r
- }\r
-\r
- return EFI_SUCCESS;\r
-}\r
-\r
-/**\r
- Gernerates IKEv2 packet for IKE_SA_INIT exchange.\r
-\r
- @param[in] SaSession Pointer to IKEV2_SA_SESSION related to the exchange.\r
- @param[in] Context Context Data passed by caller.\r
-\r
- @retval EFI_SUCCESS The IKE packet generation succeeded.\r
- @retval Others The IKE packet generation failed.\r
-\r
-**/\r
-IKE_PACKET*\r
-Ikev2InitCertGenerator (\r
- IN UINT8 *SaSession,\r
- IN VOID *Context\r
- )\r
-{\r
- IKE_PACKET *IkePacket;\r
- IKE_PAYLOAD *CertReqPayload;\r
- LIST_ENTRY *Node;\r
- IKE_PAYLOAD *NoncePayload;\r
-\r
- if (!FeaturePcdGet (PcdIpsecCertificateEnabled)) {\r
- return NULL;\r
- }\r
-\r
- //\r
- // The first two messages exchange is same between PSK and Cert.\r
- //\r
- IkePacket = Ikev2InitPskGenerator (SaSession, Context);\r
-\r
- if ((IkePacket != NULL) && (!((IKEV2_SA_SESSION *)SaSession)->SessionCommon.IsInitiator)) {\r
- //\r
- // Add the Certification Request Payload\r
- //\r
- CertReqPayload = Ikev2GenerateCertificatePayload (\r
- (IKEV2_SA_SESSION *)SaSession,\r
- IKEV2_PAYLOAD_TYPE_NONE,\r
- (UINT8*)PcdGetPtr(PcdIpsecUefiCaFile),\r
- PcdGet32(PcdIpsecUefiCaFileSize),\r
- IKEV2_CERT_ENCODEING_HASH_AND_URL_OF_X509_CERT,\r
- TRUE\r
- );\r
- //\r
- // Change Nonce Payload Next payload type.\r
- //\r
- IKE_PACKET_END_PAYLOAD (IkePacket, Node);\r
- NoncePayload = IKE_PAYLOAD_BY_PACKET (Node);\r
- ((IKEV2_NONCE *)NoncePayload->PayloadBuf)->Header.NextPayload = IKEV2_PAYLOAD_TYPE_CERTREQ;\r
-\r
- //\r
- // Add Certification Request Payload\r
- //\r
- IKE_PACKET_APPEND_PAYLOAD (IkePacket, CertReqPayload);\r
- }\r
-\r
- return IkePacket;\r
-}\r
-\r
-/**\r
- Parses the IKEv2 packet for IKE_SA_INIT exchange.\r
-\r
- @param[in] SaSession Pointer to IKEV2_SA_SESSION related to the exchange.\r
- @param[in] IkePacket The received IKEv2 packet to be parsed.\r
-\r
- @retval EFI_SUCCESS The IKEv2 packet is acceptable and the relative data is\r
- saved for furthure communication.\r
- @retval EFI_INVALID_PARAMETER The IKE packet is malformed or the SA proposal is unacceptable.\r
- @retval EFI_UNSUPPORTED The certificate authentication is not supported.\r
-\r
-**/\r
-EFI_STATUS\r
-Ikev2InitCertParser (\r
- IN UINT8 *SaSession,\r
- IN IKE_PACKET *IkePacket\r
- )\r
-{\r
- if (!FeaturePcdGet (PcdIpsecCertificateEnabled)) {\r
- return EFI_UNSUPPORTED;\r
- }\r
-\r
- //\r
- // The first two messages exchange is same between PSK and Cert.\r
- // Todo: Parse Certificate Request from responder Initial Exchange.\r
- //\r
- return Ikev2InitPskParser (SaSession, IkePacket);\r
-}\r
-\r
-/**\r
- Generates the IKEv2 packet for IKE_AUTH exchange.\r
-\r
- @param[in] SaSession Pointer to IKEV2_SA_SESSION.\r
- @param[in] Context Context data passed by caller.\r
-\r
- @retval Pointer to IKEv2 Packet to be sent out.\r
-\r
-**/\r
-IKE_PACKET *\r
-Ikev2AuthCertGenerator (\r
- IN UINT8 *SaSession,\r
- IN VOID *Context\r
- )\r
-{\r
- IKE_PACKET *IkePacket;\r
- IKEV2_SA_SESSION *IkeSaSession;\r
- IKE_PAYLOAD *IdPayload;\r
- IKE_PAYLOAD *AuthPayload;\r
- IKE_PAYLOAD *SaPayload;\r
- IKE_PAYLOAD *TsiPayload;\r
- IKE_PAYLOAD *TsrPayload;\r
- IKE_PAYLOAD *NotifyPayload;\r
- IKE_PAYLOAD *CpPayload;\r
- IKE_PAYLOAD *CertPayload;\r
- IKE_PAYLOAD *CertReqPayload;\r
- IKEV2_CHILD_SA_SESSION *ChildSaSession;\r
-\r
- if (!FeaturePcdGet (PcdIpsecCertificateEnabled)) {\r
- return NULL;\r
- }\r
-\r
- IkeSaSession = (IKEV2_SA_SESSION *) SaSession;\r
- ChildSaSession = IKEV2_CHILD_SA_SESSION_BY_IKE_SA (GetFirstNode (&IkeSaSession->ChildSaSessionList));\r
-\r
- IkePacket = NULL;\r
- IdPayload = NULL;\r
- AuthPayload = NULL;\r
- CpPayload = NULL;\r
- SaPayload = NULL;\r
- TsiPayload = NULL;\r
- TsrPayload = NULL;\r
- NotifyPayload = NULL;\r
- CertPayload = NULL;\r
- CertReqPayload = NULL;\r
-\r
- //\r
- // 1. Allocate IKE Packet\r
- //\r
- IkePacket= IkePacketAlloc ();\r
- if (IkePacket == NULL) {\r
- return NULL;\r
- }\r
-\r
- //\r
- // 1.a Fill the IkePacket Header.\r
- //\r
- IkePacket->Header->ExchangeType = IKEV2_EXCHANGE_TYPE_AUTH;\r
- IkePacket->Header->InitiatorCookie = IkeSaSession->InitiatorCookie;\r
- IkePacket->Header->ResponderCookie = IkeSaSession->ResponderCookie;\r
- IkePacket->Header->Version = (UINT8)(2 << 4);\r
- if (ChildSaSession->SessionCommon.IsInitiator) {\r
- IkePacket->Header->NextPayload = IKEV2_PAYLOAD_TYPE_ID_INIT;\r
- } else {\r
- IkePacket->Header->NextPayload = IKEV2_PAYLOAD_TYPE_ID_RSP;\r
- }\r
-\r
- //\r
- // According to RFC4306_2.2, For the IKE_SA_INIT message the MessageID should\r
- // be always number 0 and 1;\r
- //\r
- IkePacket->Header->MessageId = 1;\r
-\r
- if (IkeSaSession->SessionCommon.IsInitiator) {\r
- IkePacket->Header->Flags = IKE_HEADER_FLAGS_INIT;\r
- } else {\r
- IkePacket->Header->Flags = IKE_HEADER_FLAGS_RESPOND;\r
- }\r
-\r
- //\r
- // 2. Generate ID Payload according to IP version and address.\r
- //\r
- IdPayload = Ikev2GenerateCertIdPayload (\r
- &IkeSaSession->SessionCommon,\r
- IKEV2_PAYLOAD_TYPE_CERT,\r
- (UINT8 *)PcdGetPtr (PcdIpsecUefiCertificate),\r
- PcdGet32 (PcdIpsecUefiCertificateSize)\r
- );\r
- if (IdPayload == NULL) {\r
- goto CheckError;\r
- }\r
-\r
- //\r
- // 3. Generate Certificate Payload\r
- //\r
- CertPayload = Ikev2GenerateCertificatePayload (\r
- IkeSaSession,\r
- (UINT8)(IkeSaSession->SessionCommon.IsInitiator ? IKEV2_PAYLOAD_TYPE_CERTREQ : IKEV2_PAYLOAD_TYPE_AUTH),\r
- (UINT8 *)PcdGetPtr (PcdIpsecUefiCertificate),\r
- PcdGet32 (PcdIpsecUefiCertificateSize),\r
- IKEV2_CERT_ENCODEING_X509_CERT_SIGN,\r
- FALSE\r
- );\r
- if (CertPayload == NULL) {\r
- goto CheckError;\r
- }\r
-\r
- if (IkeSaSession->SessionCommon.IsInitiator) {\r
- CertReqPayload = Ikev2GenerateCertificatePayload (\r
- IkeSaSession,\r
- IKEV2_PAYLOAD_TYPE_AUTH,\r
- (UINT8 *)PcdGetPtr (PcdIpsecUefiCertificate),\r
- PcdGet32 (PcdIpsecUefiCertificateSize),\r
- IKEV2_CERT_ENCODEING_HASH_AND_URL_OF_X509_CERT,\r
- TRUE\r
- );\r
- if (CertReqPayload == NULL) {\r
- goto CheckError;\r
- }\r
- }\r
-\r
- //\r
- // 4. Generate Auth Payload\r
- // If it is tunnel mode, should create the configuration payload after the\r
- // Auth payload.\r
- //\r
- if (IkeSaSession->Spd->Data->ProcessingPolicy->Mode == EfiIPsecTransport) {\r
- AuthPayload = Ikev2CertGenerateAuthPayload (\r
- ChildSaSession->IkeSaSession,\r
- IdPayload,\r
- IKEV2_PAYLOAD_TYPE_SA,\r
- FALSE,\r
- (UINT8 *)PcdGetPtr (PcdIpsecUefiCertificateKey),\r
- PcdGet32 (PcdIpsecUefiCertificateKeySize),\r
- ChildSaSession->IkeSaSession->Pad->Data->AuthData,\r
- ChildSaSession->IkeSaSession->Pad->Data->AuthDataSize\r
- );\r
- } else {\r
- AuthPayload = Ikev2CertGenerateAuthPayload (\r
- ChildSaSession->IkeSaSession,\r
- IdPayload,\r
- IKEV2_PAYLOAD_TYPE_CP,\r
- FALSE,\r
- (UINT8 *)PcdGetPtr (PcdIpsecUefiCertificateKey),\r
- PcdGet32 (PcdIpsecUefiCertificateKeySize),\r
- ChildSaSession->IkeSaSession->Pad->Data->AuthData,\r
- ChildSaSession->IkeSaSession->Pad->Data->AuthDataSize\r
- );\r
- if (IkeSaSession->SessionCommon.UdpService->IpVersion == IP_VERSION_4) {\r
- CpPayload = Ikev2GenerateCpPayload (\r
- ChildSaSession->IkeSaSession,\r
- IKEV2_PAYLOAD_TYPE_SA,\r
- IKEV2_CFG_ATTR_INTERNAL_IP4_ADDRESS\r
- );\r
- } else {\r
- CpPayload = Ikev2GenerateCpPayload (\r
- ChildSaSession->IkeSaSession,\r
- IKEV2_PAYLOAD_TYPE_SA,\r
- IKEV2_CFG_ATTR_INTERNAL_IP6_ADDRESS\r
- );\r
- }\r
-\r
- if (CpPayload == NULL) {\r
- goto CheckError;\r
- }\r
- }\r
-\r
- if (AuthPayload == NULL) {\r
- goto CheckError;\r
- }\r
-\r
- //\r
- // 5. Generate SA Payload according to the Sa Data in ChildSaSession\r
- //\r
- SaPayload = Ikev2GenerateSaPayload (\r
- ChildSaSession->SaData,\r
- IKEV2_PAYLOAD_TYPE_TS_INIT,\r
- IkeSessionTypeChildSa\r
- );\r
- if (SaPayload == NULL) {\r
- goto CheckError;\r
- }\r
-\r
- if (IkeSaSession->Spd->Data->ProcessingPolicy->Mode == EfiIPsecTransport) {\r
- //\r
- // Generate Tsi and Tsr.\r
- //\r
- TsiPayload = Ikev2GenerateTsPayload (\r
- ChildSaSession,\r
- IKEV2_PAYLOAD_TYPE_TS_RSP,\r
- FALSE\r
- );\r
-\r
- TsrPayload = Ikev2GenerateTsPayload (\r
- ChildSaSession,\r
- IKEV2_PAYLOAD_TYPE_NOTIFY,\r
- FALSE\r
- );\r
-\r
- //\r
- // Generate Notify Payload. If transport mode, there should have Notify\r
- // payload with TRANSPORT_MODE notification.\r
- //\r
- NotifyPayload = Ikev2GenerateNotifyPayload (\r
- 0,\r
- IKEV2_PAYLOAD_TYPE_NONE,\r
- 0,\r
- IKEV2_NOTIFICATION_USE_TRANSPORT_MODE,\r
- NULL,\r
- NULL,\r
- 0\r
- );\r
- if (NotifyPayload == NULL) {\r
- goto CheckError;\r
- }\r
- } else {\r
- //\r
- // Generate Tsr for Tunnel mode.\r
- //\r
- TsiPayload = Ikev2GenerateTsPayload (\r
- ChildSaSession,\r
- IKEV2_PAYLOAD_TYPE_TS_RSP,\r
- TRUE\r
- );\r
- TsrPayload = Ikev2GenerateTsPayload (\r
- ChildSaSession,\r
- IKEV2_PAYLOAD_TYPE_NONE,\r
- FALSE\r
- );\r
- }\r
-\r
- if (TsiPayload == NULL || TsrPayload == NULL) {\r
- goto CheckError;\r
- }\r
-\r
- IKE_PACKET_APPEND_PAYLOAD (IkePacket, IdPayload);\r
- IKE_PACKET_APPEND_PAYLOAD (IkePacket, CertPayload);\r
- if (IkeSaSession->SessionCommon.IsInitiator) {\r
- IKE_PACKET_APPEND_PAYLOAD (IkePacket, CertReqPayload);\r
- }\r
- IKE_PACKET_APPEND_PAYLOAD (IkePacket, AuthPayload);\r
- if (IkeSaSession->Spd->Data->ProcessingPolicy->Mode == EfiIPsecTunnel) {\r
- IKE_PACKET_APPEND_PAYLOAD (IkePacket, CpPayload);\r
- }\r
- IKE_PACKET_APPEND_PAYLOAD (IkePacket, SaPayload);\r
- IKE_PACKET_APPEND_PAYLOAD (IkePacket, TsiPayload);\r
- IKE_PACKET_APPEND_PAYLOAD (IkePacket, TsrPayload);\r
- if (IkeSaSession->Spd->Data->ProcessingPolicy->Mode == EfiIPsecTransport) {\r
- IKE_PACKET_APPEND_PAYLOAD (IkePacket, NotifyPayload);\r
- }\r
-\r
- return IkePacket;\r
-\r
-CheckError:\r
- if (IkePacket != NULL) {\r
- IkePacketFree (IkePacket);\r
- }\r
-\r
- if (IdPayload != NULL) {\r
- IkePayloadFree (IdPayload);\r
- }\r
-\r
- if (CertPayload != NULL) {\r
- IkePayloadFree (CertPayload);\r
- }\r
-\r
- if (CertReqPayload != NULL) {\r
- IkePayloadFree (CertReqPayload);\r
- }\r
-\r
- if (AuthPayload != NULL) {\r
- IkePayloadFree (AuthPayload);\r
- }\r
-\r
- if (CpPayload != NULL) {\r
- IkePayloadFree (CpPayload);\r
- }\r
-\r
- if (SaPayload != NULL) {\r
- IkePayloadFree (SaPayload);\r
- }\r
-\r
- if (TsiPayload != NULL) {\r
- IkePayloadFree (TsiPayload);\r
- }\r
-\r
- if (TsrPayload != NULL) {\r
- IkePayloadFree (TsrPayload);\r
- }\r
-\r
- if (NotifyPayload != NULL) {\r
- IkePayloadFree (NotifyPayload);\r
- }\r
-\r
- return NULL;\r
-}\r
-\r
-/**\r
- Parses IKE_AUTH packet.\r
-\r
- @param[in] SaSession Pointer to the IKE_SA_SESSION related to this packet.\r
- @param[in] IkePacket Pointer to the IKE_AUTH packet to be parsered.\r
-\r
- @retval EFI_INVALID_PARAMETER The IKEv2 packet is malformed or the SA\r
- proposal is unacceptable.\r
- @retval EFI_SUCCESS The IKE packet is acceptable and the\r
- relative data is saved for furthure communication.\r
- @retval EFI_UNSUPPORTED The certificate authentication is not supported.\r
-\r
-**/\r
-EFI_STATUS\r
-Ikev2AuthCertParser (\r
- IN UINT8 *SaSession,\r
- IN IKE_PACKET *IkePacket\r
- )\r
-{\r
- IKEV2_CHILD_SA_SESSION *ChildSaSession;\r
- IKEV2_SA_SESSION *IkeSaSession;\r
- IKE_PAYLOAD *IkePayload;\r
- IKE_PAYLOAD *SaPayload;\r
- IKE_PAYLOAD *IdiPayload;\r
- IKE_PAYLOAD *IdrPayload;\r
- IKE_PAYLOAD *AuthPayload;\r
- IKE_PAYLOAD *TsiPayload;\r
- IKE_PAYLOAD *TsrPayload;\r
- IKE_PAYLOAD *CertPayload;\r
- IKE_PAYLOAD *VerifiedAuthPayload;\r
- LIST_ENTRY *Entry;\r
- EFI_STATUS Status;\r
-\r
- if (!FeaturePcdGet (PcdIpsecCertificateEnabled)) {\r
- return EFI_UNSUPPORTED;\r
- }\r
-\r
- IkeSaSession = (IKEV2_SA_SESSION *) SaSession;\r
- ChildSaSession = IKEV2_CHILD_SA_SESSION_BY_IKE_SA (GetFirstNode (&IkeSaSession->ChildSaSessionList));\r
-\r
- SaPayload = NULL;\r
- IdiPayload = NULL;\r
- IdrPayload = NULL;\r
- AuthPayload = NULL;\r
- TsiPayload = NULL;\r
- TsrPayload = NULL;\r
- CertPayload = NULL;\r
- VerifiedAuthPayload = NULL;\r
- Status = EFI_INVALID_PARAMETER;\r
-\r
- //\r
- // Iterate payloads to find the SaPayload/ID/AUTH/TS Payload.\r
- //\r
- NET_LIST_FOR_EACH (Entry, &(IkePacket)->PayloadList) {\r
- IkePayload = IKE_PAYLOAD_BY_PACKET (Entry);\r
-\r
- if (IkePayload->PayloadType == IKEV2_PAYLOAD_TYPE_ID_INIT) {\r
- IdiPayload = IkePayload;\r
- }\r
- if (IkePayload->PayloadType == IKEV2_PAYLOAD_TYPE_ID_RSP) {\r
- IdrPayload = IkePayload;\r
- }\r
-\r
- if (IkePayload->PayloadType == IKEV2_PAYLOAD_TYPE_SA) {\r
- SaPayload = IkePayload;\r
- }\r
- if (IkePayload->PayloadType == IKEV2_PAYLOAD_TYPE_AUTH) {\r
- AuthPayload = IkePayload;\r
- }\r
- if (IkePayload->PayloadType == IKEV2_PAYLOAD_TYPE_TS_INIT) {\r
- TsiPayload = IkePayload;\r
- }\r
- if (IkePayload->PayloadType == IKEV2_PAYLOAD_TYPE_TS_RSP) {\r
- TsrPayload = IkePayload;\r
- }\r
- if (IkePayload->PayloadType == IKEV2_PAYLOAD_TYPE_CERT) {\r
- CertPayload = IkePayload;\r
- }\r
- }\r
-\r
- if ((SaPayload == NULL) || (AuthPayload == NULL) || (TsiPayload == NULL) ||\r
- (TsrPayload == NULL) || (CertPayload == NULL)) {\r
- goto Exit;\r
- }\r
- if ((IdiPayload == NULL) && (IdrPayload == NULL)) {\r
- goto Exit;\r
- }\r
-\r
- //\r
- // Check IkePacket Header is match the state\r
- //\r
- if (IkeSaSession->SessionCommon.IsInitiator) {\r
-\r
- //\r
- // 1. Check the IkePacket->Hdr == IKE_HEADER_FLAGS_RESPOND\r
- //\r
- if ((IkePacket->Header->Flags != IKE_HEADER_FLAGS_RESPOND) ||\r
- (IkePacket->Header->ExchangeType != IKEV2_EXCHANGE_TYPE_AUTH)) {\r
- goto Exit;\r
- }\r
- } else {\r
- //\r
- // 1. Check the IkePacket->Hdr == IKE_HEADER_FLAGS_INIT\r
- //\r
- if ((IkePacket->Header->Flags != IKE_HEADER_FLAGS_INIT) ||\r
- (IkePacket->Header->ExchangeType != IKEV2_EXCHANGE_TYPE_AUTH)) {\r
- goto Exit;\r
- }\r
- }\r
-\r
- //\r
- // Verify the Auth Payload.\r
- //\r
- VerifiedAuthPayload = Ikev2CertGenerateAuthPayload (\r
- IkeSaSession,\r
- IkeSaSession->SessionCommon.IsInitiator ? IdrPayload:IdiPayload,\r
- IKEV2_PAYLOAD_TYPE_SA,\r
- TRUE,\r
- NULL,\r
- 0,\r
- NULL,\r
- 0\r
- );\r
-\r
- if ((VerifiedAuthPayload != NULL) &&\r
- (!IpSecCryptoIoVerifySignDataByCertificate (\r
- CertPayload->PayloadBuf + sizeof (IKEV2_CERT),\r
- CertPayload->PayloadSize - sizeof (IKEV2_CERT),\r
- (UINT8 *)PcdGetPtr (PcdIpsecUefiCaFile),\r
- PcdGet32 (PcdIpsecUefiCaFileSize),\r
- VerifiedAuthPayload->PayloadBuf + sizeof (IKEV2_AUTH),\r
- VerifiedAuthPayload->PayloadSize - sizeof (IKEV2_AUTH),\r
- AuthPayload->PayloadBuf + sizeof (IKEV2_AUTH),\r
- AuthPayload->PayloadSize - sizeof (IKEV2_AUTH)\r
- ))) {\r
- goto Exit;\r
- }\r
-\r
- //\r
- // 3. Parse the SA Payload to find out the cryptographic suite\r
- // and fill in the SA paramse into CommonSession->SaParams. If no acceptable\r
- // porposal found, return EFI_INVALID_PARAMETER.\r
- //\r
- if (!Ikev2ChildSaParseSaPayload (ChildSaSession, SaPayload, IkePacket->Header->Flags)) {\r
- goto Exit;\r
- }\r
-\r
- //\r
- // 4. Parse TSi, TSr payloads.\r
- //\r
- if ((((TRAFFIC_SELECTOR *)(TsiPayload->PayloadBuf + sizeof (IKEV2_TS)))->IpProtocolId !=\r
- ((TRAFFIC_SELECTOR *)(TsrPayload->PayloadBuf + sizeof (IKEV2_TS)))->IpProtocolId) &&\r
- (((TRAFFIC_SELECTOR *)(TsiPayload->PayloadBuf + sizeof (IKEV2_TS)))->IpProtocolId != 0) &&\r
- (((TRAFFIC_SELECTOR *)(TsrPayload->PayloadBuf + sizeof (IKEV2_TS)))->IpProtocolId != 0)\r
- ) {\r
- goto Exit;\r
- }\r
-\r
- if (!IkeSaSession->SessionCommon.IsInitiator) {\r
- //\r
- //Todo:check the Port range. Only support any port and one certain port here.\r
- //\r
- ChildSaSession->ProtoId = ((TRAFFIC_SELECTOR *)(TsrPayload->PayloadBuf + sizeof (IKEV2_TS)))->IpProtocolId;\r
- ChildSaSession->LocalPort = ((TRAFFIC_SELECTOR *)(TsrPayload->PayloadBuf + sizeof (IKEV2_TS)))->StartPort;\r
- ChildSaSession->RemotePort = ((TRAFFIC_SELECTOR *)(TsiPayload->PayloadBuf + sizeof (IKEV2_TS)))->StartPort;\r
- //\r
- // Association a SPD with this SA.\r
- //\r
- if (EFI_ERROR (Ikev2ChildSaAssociateSpdEntry (ChildSaSession))) {\r
- goto Exit;\r
- }\r
- //\r
- // Associate the IkeSaSession's SPD to the first ChildSaSession's SPD.\r
- //\r
- if (ChildSaSession->IkeSaSession->Spd == NULL) {\r
- ChildSaSession->IkeSaSession->Spd = ChildSaSession->Spd;\r
- Status = Ikev2ChildSaSessionSpdSelectorCreate (ChildSaSession);\r
- if (EFI_ERROR (Status)) {\r
- goto Exit;\r
- }\r
- }\r
- } else {\r
- //\r
- // Todo:check the Port range.\r
- //\r
- if ((((TRAFFIC_SELECTOR *)(TsrPayload->PayloadBuf + sizeof (IKEV2_TS)))->StartPort != 0) &&\r
- (((TRAFFIC_SELECTOR *)(TsrPayload->PayloadBuf + sizeof (IKEV2_TS)))->StartPort != ChildSaSession->RemotePort)\r
- ) {\r
- goto Exit;\r
- }\r
- if ((((TRAFFIC_SELECTOR *)(TsiPayload->PayloadBuf + sizeof (IKEV2_TS)))->StartPort != 0) &&\r
- (((TRAFFIC_SELECTOR *)(TsiPayload->PayloadBuf + sizeof (IKEV2_TS)))->StartPort != ChildSaSession->LocalPort)\r
- ) {\r
- goto Exit;\r
- }\r
- //\r
- // For the tunnel mode, it should add the vitual IP address into the SA's SPD Selector.\r
- //\r
- if (ChildSaSession->Spd->Data->ProcessingPolicy->Mode == EfiIPsecTunnel) {\r
- if (!ChildSaSession->IkeSaSession->SessionCommon.IsInitiator) {\r
- //\r
- // If it is tunnel mode, the UEFI part must be the initiator.\r
- //\r
- goto Exit;\r
- }\r
- //\r
- // Get the Virtual IP address from the Tsi traffic selector.\r
- // TODO: check the CFG reply payload\r
- //\r
- CopyMem (\r
- &ChildSaSession->SpdSelector->LocalAddress[0].Address,\r
- TsiPayload->PayloadBuf + sizeof (IKEV2_TS) + sizeof (TRAFFIC_SELECTOR),\r
- (ChildSaSession->SessionCommon.UdpService->IpVersion == IP_VERSION_4) ?\r
- sizeof (EFI_IPv4_ADDRESS) : sizeof (EFI_IPv6_ADDRESS)\r
- );\r
- }\r
- }\r
-\r
- //\r
- // 5. Generat keymats for IPsec protocol.\r
- //\r
- Status = Ikev2GenerateChildSaKeys (ChildSaSession, NULL);\r
- if (EFI_ERROR (Status)) {\r
- goto Exit;\r
- }\r
-\r
- if (IkeSaSession->SessionCommon.IsInitiator) {\r
- //\r
- // 6. Change the state of IkeSaSession\r
- //\r
- IKEV2_DUMP_STATE (IkeSaSession->SessionCommon.State, IkeStateIkeSaEstablished);\r
- IkeSaSession->SessionCommon.State = IkeStateIkeSaEstablished;\r
- }\r
-\r
- Status = EFI_SUCCESS;\r
-\r
-Exit:\r
- if (VerifiedAuthPayload != NULL) {\r
- IkePayloadFree (VerifiedAuthPayload);\r
- }\r
- return Status;\r
-}\r
-\r
-/**\r
- Generates the DH Public Key.\r
-\r
- This generates the DH local public key and store it in the IKE SA Session's GxBuffer.\r
-\r
- @param[in] IkeSaSession Pointer to related IKE SA Session.\r
-\r
- @retval EFI_SUCCESS The operation succeeded.\r
- @retval Others The operation failed.\r
-\r
-**/\r
-EFI_STATUS\r
-Ikev2GenerateSaDhPublicKey (\r
- IN IKEV2_SA_SESSION *IkeSaSession\r
- )\r
-{\r
- EFI_STATUS Status;\r
- IKEV2_SESSION_KEYS *IkeKeys;\r
-\r
- IkeSaSession->IkeKeys = AllocateZeroPool (sizeof (IKEV2_SESSION_KEYS));\r
- if (IkeSaSession->IkeKeys == NULL) {\r
- return EFI_OUT_OF_RESOURCES;\r
- }\r
-\r
- IkeKeys = IkeSaSession->IkeKeys;\r
- IkeKeys->DhBuffer = AllocateZeroPool (sizeof (IKEV2_DH_BUFFER));\r
- if (IkeKeys->DhBuffer == NULL) {\r
- FreePool (IkeSaSession->IkeKeys);\r
- return EFI_OUT_OF_RESOURCES;\r
- }\r
-\r
- //\r
- // Init DH with the certain DH Group Description.\r
- //\r
- IkeKeys->DhBuffer->GxSize = OakleyModpGroup[(UINT8)IkeSaSession->SessionCommon.PreferDhGroup].Size >> 3;\r
- IkeKeys->DhBuffer->GxBuffer = AllocateZeroPool (IkeKeys->DhBuffer->GxSize);\r
- if (IkeKeys->DhBuffer->GxBuffer == NULL) {\r
- FreePool (IkeKeys->DhBuffer);\r
- FreePool (IkeSaSession->IkeKeys);\r
- return EFI_OUT_OF_RESOURCES;\r
- }\r
-\r
- //\r
- // Get X PublicKey\r
- //\r
- Status = IpSecCryptoIoDhGetPublicKey (\r
- &IkeKeys->DhBuffer->DhContext,\r
- OakleyModpGroup[(UINT8)IkeSaSession->SessionCommon.PreferDhGroup].GroupGenerator,\r
- OakleyModpGroup[(UINT8)IkeSaSession->SessionCommon.PreferDhGroup].Size,\r
- OakleyModpGroup[(UINT8)IkeSaSession->SessionCommon.PreferDhGroup].Modulus,\r
- IkeKeys->DhBuffer->GxBuffer,\r
- &IkeKeys->DhBuffer->GxSize\r
- );\r
- if (EFI_ERROR (Status)) {\r
- DEBUG ((DEBUG_ERROR, "Error CPLKeyManGetKeyParam X public key error Status = %r\n", Status));\r
-\r
- FreePool (IkeKeys->DhBuffer->GxBuffer);\r
-\r
- FreePool (IkeKeys->DhBuffer);\r
-\r
- FreePool (IkeSaSession->IkeKeys);\r
-\r
- return Status;\r
- }\r
-\r
- IPSEC_DUMP_BUF ("DH Public Key (g^x) Dump", IkeKeys->DhBuffer->GxBuffer, IkeKeys->DhBuffer->GxSize);\r
-\r
- return EFI_SUCCESS;\r
-}\r
-\r
-/**\r
- Computes the DH Shared/Exchange Key.\r
-\r
- Given peer's public key, this function computes the exchanged common key and\r
- stores it in the IKEv2 SA Session's GxyBuffer.\r
-\r
- @param[in] DhBuffer Pointer to buffer of peer's puliic key.\r
- @param[in] KePayload Pointer to received key payload.\r
-\r
- @retval EFI_SUCCESS The operation succeeded.\r
- @retval Otherwise The operation failed.\r
-\r
-**/\r
-EFI_STATUS\r
-Ikev2GenerateSaDhComputeKey (\r
- IN IKEV2_DH_BUFFER *DhBuffer,\r
- IN IKE_PAYLOAD *KePayload\r
- )\r
-{\r
- EFI_STATUS Status;\r
- IKEV2_KEY_EXCHANGE *Ke;\r
- UINT8 *PubKey;\r
- UINTN PubKeySize;\r
-\r
- Ke = (IKEV2_KEY_EXCHANGE *) KePayload->PayloadBuf;\r
- PubKey = (UINT8 *) (Ke + 1);\r
- PubKeySize = KePayload->PayloadSize - sizeof (IKEV2_KEY_EXCHANGE);\r
- DhBuffer->GxySize = DhBuffer->GxSize;\r
- DhBuffer->GxyBuffer = AllocateZeroPool (DhBuffer->GxySize);\r
- if (DhBuffer->GxyBuffer == NULL) {\r
- return EFI_OUT_OF_RESOURCES;\r
- }\r
-\r
- //\r
- // Get GxyBuf\r
- //\r
- Status = IpSecCryptoIoDhComputeKey (\r
- DhBuffer->DhContext,\r
- PubKey,\r
- PubKeySize,\r
- DhBuffer->GxyBuffer,\r
- &DhBuffer->GxySize\r
- );\r
- if (EFI_ERROR (Status)) {\r
- DEBUG ((DEBUG_ERROR, "Error CPLKeyManGetKeyParam Y session key error Status = %r\n", Status));\r
-\r
- FreePool (DhBuffer->GxyBuffer);\r
-\r
- return Status;\r
- }\r
-\r
- //\r
- // Create GxyBuf.\r
- //\r
- DhBuffer->GySize = PubKeySize;\r
- DhBuffer->GyBuffer = AllocateZeroPool (DhBuffer->GySize);\r
- if (DhBuffer->GyBuffer == NULL) {\r
- FreePool (DhBuffer->GxyBuffer);\r
-\r
- return Status;\r
- }\r
-\r
- CopyMem (DhBuffer->GyBuffer, PubKey, DhBuffer->GySize);\r
-\r
- IPSEC_DUMP_BUF ("DH Public Key (g^y) Dump", DhBuffer->GyBuffer, DhBuffer->GySize);\r
- IPSEC_DUMP_BUF ("DH Shared Key (g^xy) Dump", DhBuffer->GxyBuffer, DhBuffer->GxySize);\r
-\r
- return EFI_SUCCESS;\r
-}\r
-\r
-/**\r
- Generates the IKE SKEYSEED and seven other secrets. SK_d, SK_ai, SK_ar, SK_ei, SK_er,\r
- SK_pi, SK_pr are keys for the furthure IKE exchange.\r
-\r
- @param[in] IkeSaSession Pointer to IKE SA Session.\r
- @param[in] KePayload Pointer to Key payload used to generate the Key.\r
-\r
- @retval EFI_UNSUPPORTED If one or more Algorithm Id is not supported.\r
- @retval EFI_OUT_OF_RESOURCES If there is no enough resource to be allocated to\r
- meet the requirement.\r
- @retval EFI_SUCCESS The operation succeeded.\r
-\r
-**/\r
-EFI_STATUS\r
-Ikev2GenerateSaKeys (\r
- IN IKEV2_SA_SESSION *IkeSaSession,\r
- IN IKE_PAYLOAD *KePayload\r
- )\r
-{\r
- EFI_STATUS Status;\r
- IKEV2_SA_PARAMS *SaParams;\r
- PRF_DATA_FRAGMENT Fragments[4];\r
- UINT64 InitiatorCookieNet;\r
- UINT64 ResponderCookieNet;\r
- UINT8 *KeyBuffer;\r
- UINTN KeyBufferSize;\r
- UINTN AuthAlgKeyLen;\r
- UINTN EncryptAlgKeyLen;\r
- UINTN IntegrityAlgKeyLen;\r
- UINTN PrfAlgKeyLen;\r
- UINT8 *OutputKey;\r
- UINTN OutputKeyLength;\r
- UINT8 *Digest;\r
- UINTN DigestSize;\r
-\r
- Digest = NULL;\r
- OutputKey = NULL;\r
- KeyBuffer = NULL;\r
- Status = EFI_SUCCESS;\r
-\r
- //\r
- // Generate Gxy\r
- //\r
- Status = Ikev2GenerateSaDhComputeKey (IkeSaSession->IkeKeys->DhBuffer, KePayload);\r
- if (EFI_ERROR (Status)) {\r
- goto Exit;\r
- }\r
-\r
- //\r
- // Get the key length of Authenticaion, Encryption, PRF, and Integrity.\r
- //\r
- SaParams = IkeSaSession->SessionCommon.SaParams;\r
- AuthAlgKeyLen = IpSecGetHmacDigestLength ((UINT8)SaParams->Prf);\r
- EncryptAlgKeyLen = IpSecGetEncryptKeyLength ((UINT8)SaParams->EncAlgId);\r
- IntegrityAlgKeyLen = IpSecGetHmacDigestLength ((UINT8)SaParams->IntegAlgId);\r
- PrfAlgKeyLen = IpSecGetHmacDigestLength ((UINT8)SaParams->Prf);\r
-\r
- //\r
- // If one or more algorithm is not support, return EFI_UNSUPPORTED.\r
- //\r
- if (AuthAlgKeyLen == 0 ||\r
- EncryptAlgKeyLen == 0 ||\r
- IntegrityAlgKeyLen == 0 ||\r
- PrfAlgKeyLen == 0\r
- ) {\r
- Status = EFI_UNSUPPORTED;\r
- goto Exit;\r
- }\r
-\r
- //\r
- // Compute SKEYSEED = prf(Ni | Nr, g^ir)\r
- //\r
- KeyBufferSize = IkeSaSession->NiBlkSize + IkeSaSession->NrBlkSize;\r
- KeyBuffer = AllocateZeroPool (KeyBufferSize);\r
- if (KeyBuffer == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto Exit;\r
- }\r
-\r
- CopyMem (KeyBuffer, IkeSaSession->NiBlock, IkeSaSession->NiBlkSize);\r
- CopyMem (KeyBuffer + IkeSaSession->NiBlkSize, IkeSaSession->NrBlock, IkeSaSession->NrBlkSize);\r
-\r
- Fragments[0].Data = IkeSaSession->IkeKeys->DhBuffer->GxyBuffer;\r
- Fragments[0].DataSize = IkeSaSession->IkeKeys->DhBuffer->GxySize;\r
-\r
- DigestSize = IpSecGetHmacDigestLength ((UINT8)SaParams->Prf);\r
- Digest = AllocateZeroPool (DigestSize);\r
-\r
- if (Digest == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto Exit;\r
- }\r
-\r
- IpSecCryptoIoHmac (\r
- (UINT8)SaParams->Prf,\r
- KeyBuffer,\r
- KeyBufferSize,\r
- (HASH_DATA_FRAGMENT *) Fragments,\r
- 1,\r
- Digest,\r
- DigestSize\r
- );\r
-\r
- //\r
- // {SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr } = prf+\r
- // (SKEYSEED, Ni | Nr | SPIi | SPIr )\r
- //\r
- Fragments[0].Data = IkeSaSession->NiBlock;\r
- Fragments[0].DataSize = IkeSaSession->NiBlkSize;\r
- Fragments[1].Data = IkeSaSession->NrBlock;\r
- Fragments[1].DataSize = IkeSaSession->NrBlkSize;\r
- InitiatorCookieNet = HTONLL (IkeSaSession->InitiatorCookie);\r
- ResponderCookieNet = HTONLL (IkeSaSession->ResponderCookie);\r
- Fragments[2].Data = (UINT8 *)(&InitiatorCookieNet);\r
- Fragments[2].DataSize = sizeof (IkeSaSession->InitiatorCookie);\r
- Fragments[3].Data = (UINT8 *)(&ResponderCookieNet);\r
- Fragments[3].DataSize = sizeof (IkeSaSession->ResponderCookie);\r
-\r
- IPSEC_DUMP_BUF (">>> NiBlock", IkeSaSession->NiBlock, IkeSaSession->NiBlkSize);\r
- IPSEC_DUMP_BUF (">>> NrBlock", IkeSaSession->NrBlock, IkeSaSession->NrBlkSize);\r
- IPSEC_DUMP_BUF (">>> InitiatorCookie", (UINT8 *)&IkeSaSession->InitiatorCookie, sizeof(UINT64));\r
- IPSEC_DUMP_BUF (">>> ResponderCookie", (UINT8 *)&IkeSaSession->ResponderCookie, sizeof(UINT64));\r
-\r
- OutputKeyLength = PrfAlgKeyLen +\r
- 2 * EncryptAlgKeyLen +\r
- 2 * AuthAlgKeyLen +\r
- 2 * IntegrityAlgKeyLen;\r
- OutputKey = AllocateZeroPool (OutputKeyLength);\r
- if (OutputKey == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto Exit;\r
- }\r
-\r
- //\r
- // Generate Seven Keymates.\r
- //\r
- Status = Ikev2SaGenerateKey (\r
- (UINT8)SaParams->Prf,\r
- Digest,\r
- DigestSize,\r
- OutputKey,\r
- OutputKeyLength,\r
- Fragments,\r
- 4\r
- );\r
- if (EFI_ERROR(Status)) {\r
- goto Exit;\r
- }\r
-\r
- //\r
- // Save the seven keys into KeySession.\r
- // First, SK_d\r
- //\r
- IkeSaSession->IkeKeys->SkdKey = AllocateZeroPool (PrfAlgKeyLen);\r
- if (IkeSaSession->IkeKeys->SkdKey == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto Exit;\r
- }\r
- IkeSaSession->IkeKeys->SkdKeySize = PrfAlgKeyLen;\r
- CopyMem (IkeSaSession->IkeKeys->SkdKey, OutputKey, PrfAlgKeyLen);\r
-\r
- IPSEC_DUMP_BUF (">>> SK_D Key", IkeSaSession->IkeKeys->SkdKey, PrfAlgKeyLen);\r
-\r
- //\r
- // Second, Sk_ai\r
- //\r
- IkeSaSession->IkeKeys->SkAiKey = AllocateZeroPool (IntegrityAlgKeyLen);\r
- if (IkeSaSession->IkeKeys->SkAiKey == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto Exit;\r
- }\r
- IkeSaSession->IkeKeys->SkAiKeySize = IntegrityAlgKeyLen;\r
- CopyMem (IkeSaSession->IkeKeys->SkAiKey, OutputKey + PrfAlgKeyLen, IntegrityAlgKeyLen);\r
-\r
- IPSEC_DUMP_BUF (">>> SK_Ai Key", IkeSaSession->IkeKeys->SkAiKey, IkeSaSession->IkeKeys->SkAiKeySize);\r
-\r
- //\r
- // Third, Sk_ar\r
- //\r
- IkeSaSession->IkeKeys->SkArKey = AllocateZeroPool (IntegrityAlgKeyLen);\r
- if (IkeSaSession->IkeKeys->SkArKey == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto Exit;\r
- }\r
- IkeSaSession->IkeKeys->SkArKeySize = IntegrityAlgKeyLen;\r
- CopyMem (\r
- IkeSaSession->IkeKeys->SkArKey,\r
- OutputKey + PrfAlgKeyLen + IntegrityAlgKeyLen,\r
- IntegrityAlgKeyLen\r
- );\r
-\r
- IPSEC_DUMP_BUF (">>> SK_Ar Key", IkeSaSession->IkeKeys->SkArKey, IkeSaSession->IkeKeys->SkArKeySize);\r
-\r
- //\r
- // Fourth, Sk_ei\r
- //\r
- IkeSaSession->IkeKeys->SkEiKey = AllocateZeroPool (EncryptAlgKeyLen);\r
- if (IkeSaSession->IkeKeys->SkEiKey == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto Exit;\r
- }\r
- IkeSaSession->IkeKeys->SkEiKeySize = EncryptAlgKeyLen;\r
-\r
- CopyMem (\r
- IkeSaSession->IkeKeys->SkEiKey,\r
- OutputKey + AuthAlgKeyLen + 2 * IntegrityAlgKeyLen,\r
- EncryptAlgKeyLen\r
- );\r
- IPSEC_DUMP_BUF (\r
- ">>> SK_Ei Key",\r
- OutputKey + AuthAlgKeyLen + 2 * IntegrityAlgKeyLen,\r
- EncryptAlgKeyLen\r
- );\r
-\r
- //\r
- // Fifth, Sk_er\r
- //\r
- IkeSaSession->IkeKeys->SkErKey = AllocateZeroPool (EncryptAlgKeyLen);\r
- if (IkeSaSession->IkeKeys->SkErKey == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto Exit;\r
- }\r
- IkeSaSession->IkeKeys->SkErKeySize = EncryptAlgKeyLen;\r
-\r
- CopyMem (\r
- IkeSaSession->IkeKeys->SkErKey,\r
- OutputKey + AuthAlgKeyLen + 2 * IntegrityAlgKeyLen + EncryptAlgKeyLen,\r
- EncryptAlgKeyLen\r
- );\r
- IPSEC_DUMP_BUF (\r
- ">>> SK_Er Key",\r
- OutputKey + AuthAlgKeyLen + 2 * IntegrityAlgKeyLen + EncryptAlgKeyLen,\r
- EncryptAlgKeyLen\r
- );\r
-\r
- //\r
- // Sixth, Sk_pi\r
- //\r
- IkeSaSession->IkeKeys->SkPiKey = AllocateZeroPool (AuthAlgKeyLen);\r
- if (IkeSaSession->IkeKeys->SkPiKey == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto Exit;\r
- }\r
- IkeSaSession->IkeKeys->SkPiKeySize = AuthAlgKeyLen;\r
-\r
- CopyMem (\r
- IkeSaSession->IkeKeys->SkPiKey,\r
- OutputKey + AuthAlgKeyLen + 2 * IntegrityAlgKeyLen + 2 * EncryptAlgKeyLen,\r
- AuthAlgKeyLen\r
- );\r
- IPSEC_DUMP_BUF (\r
- ">>> SK_Pi Key",\r
- OutputKey + AuthAlgKeyLen + 2 * IntegrityAlgKeyLen + 2 * EncryptAlgKeyLen,\r
- AuthAlgKeyLen\r
- );\r
-\r
- //\r
- // Seventh, Sk_pr\r
- //\r
- IkeSaSession->IkeKeys->SkPrKey = AllocateZeroPool (AuthAlgKeyLen);\r
- if (IkeSaSession->IkeKeys->SkPrKey == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto Exit;\r
- }\r
- IkeSaSession->IkeKeys->SkPrKeySize = AuthAlgKeyLen;\r
-\r
- CopyMem (\r
- IkeSaSession->IkeKeys->SkPrKey,\r
- OutputKey + AuthAlgKeyLen + 2 * IntegrityAlgKeyLen + 2 * EncryptAlgKeyLen + AuthAlgKeyLen,\r
- AuthAlgKeyLen\r
- );\r
- IPSEC_DUMP_BUF (\r
- ">>> SK_Pr Key",\r
- OutputKey + AuthAlgKeyLen + 2 * IntegrityAlgKeyLen + 2 * EncryptAlgKeyLen + AuthAlgKeyLen,\r
- AuthAlgKeyLen\r
- );\r
-\r
-\r
-Exit:\r
- if (Digest != NULL) {\r
- FreePool (Digest);\r
- }\r
- if (KeyBuffer != NULL) {\r
- FreePool (KeyBuffer);\r
- }\r
- if (OutputKey != NULL) {\r
- FreePool (OutputKey);\r
- }\r
-\r
- if (EFI_ERROR(Status)) {\r
- if (IkeSaSession->IkeKeys->SkdKey != NULL) {\r
- FreePool (IkeSaSession->IkeKeys->SkdKey);\r
- }\r
- if (IkeSaSession->IkeKeys->SkAiKey != NULL) {\r
- FreePool (IkeSaSession->IkeKeys->SkAiKey);\r
- }\r
- if (IkeSaSession->IkeKeys->SkArKey != NULL) {\r
- FreePool (IkeSaSession->IkeKeys->SkArKey);\r
- }\r
- if (IkeSaSession->IkeKeys->SkEiKey != NULL) {\r
- FreePool (IkeSaSession->IkeKeys->SkEiKey);\r
- }\r
- if (IkeSaSession->IkeKeys->SkErKey != NULL) {\r
- FreePool (IkeSaSession->IkeKeys->SkErKey);\r
- }\r
- if (IkeSaSession->IkeKeys->SkPiKey != NULL) {\r
- FreePool (IkeSaSession->IkeKeys->SkPiKey);\r
- }\r
- if (IkeSaSession->IkeKeys->SkPrKey != NULL) {\r
- FreePool (IkeSaSession->IkeKeys->SkPrKey);\r
- }\r
- }\r
-\r
-\r
- return Status;\r
-}\r
-\r
-/**\r
- Generates the Keys for the furthure IPsec Protocol.\r
-\r
- @param[in] ChildSaSession Pointer to IKE Child SA Session.\r
- @param[in] KePayload Pointer to Key payload used to generate the Key.\r
-\r
- @retval EFI_UNSUPPORTED If one or more Algorithm Id is not supported.\r
- @retval EFI_SUCCESS The operation succeeded.\r
-\r
-**/\r
-EFI_STATUS\r
-Ikev2GenerateChildSaKeys (\r
- IN IKEV2_CHILD_SA_SESSION *ChildSaSession,\r
- IN IKE_PAYLOAD *KePayload\r
- )\r
-{\r
- EFI_STATUS Status;\r
- IKEV2_SA_PARAMS *SaParams;\r
- PRF_DATA_FRAGMENT Fragments[3];\r
- UINTN EncryptAlgKeyLen;\r
- UINTN IntegrityAlgKeyLen;\r
- UINT8* OutputKey;\r
- UINTN OutputKeyLength;\r
-\r
- Status = EFI_SUCCESS;\r
- OutputKey = NULL;\r
-\r
- if (KePayload != NULL) {\r
- //\r
- // Generate Gxy\r
- //\r
- Status = Ikev2GenerateSaDhComputeKey (ChildSaSession->DhBuffer, KePayload);\r
- if (EFI_ERROR (Status)) {\r
- goto Exit;\r
- }\r
-\r
- Fragments[0].Data = ChildSaSession->DhBuffer->GxyBuffer;\r
- Fragments[0].DataSize = ChildSaSession->DhBuffer->GxySize;\r
- }\r
-\r
- Fragments[1].Data = ChildSaSession->NiBlock;\r
- Fragments[1].DataSize = ChildSaSession->NiBlkSize;\r
- Fragments[2].Data = ChildSaSession->NrBlock;\r
- Fragments[2].DataSize = ChildSaSession->NrBlkSize;\r
-\r
- //\r
- // Get the key length of Authenticaion, Encryption, PRF, and Integrity.\r
- //\r
- SaParams = ChildSaSession->SessionCommon.SaParams;\r
- EncryptAlgKeyLen = IpSecGetEncryptKeyLength ((UINT8)SaParams->EncAlgId);\r
- IntegrityAlgKeyLen = IpSecGetHmacDigestLength ((UINT8)SaParams->IntegAlgId);\r
- OutputKeyLength = 2 * EncryptAlgKeyLen + 2 * IntegrityAlgKeyLen;\r
-\r
- if ((EncryptAlgKeyLen == 0) || (IntegrityAlgKeyLen == 0)) {\r
- Status = EFI_UNSUPPORTED;\r
- goto Exit;\r
- }\r
-\r
- //\r
- //\r
- // If KePayload is not NULL, calculate KEYMAT = prf+(SK_d, g^ir (new) | Ni | Nr ),\r
- // otherwise, KEYMAT = prf+(SK_d, Ni | Nr )\r
- //\r
- OutputKey = AllocateZeroPool (OutputKeyLength);\r
- if (OutputKey == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto Exit;\r
- }\r
-\r
- //\r
- // Derive Key from the SkdKey Buffer.\r
- //\r
- Status = Ikev2SaGenerateKey (\r
- (UINT8)ChildSaSession->IkeSaSession->SessionCommon.SaParams->Prf,\r
- ChildSaSession->IkeSaSession->IkeKeys->SkdKey,\r
- ChildSaSession->IkeSaSession->IkeKeys->SkdKeySize,\r
- OutputKey,\r
- OutputKeyLength,\r
- KePayload == NULL ? &Fragments[1] : Fragments,\r
- KePayload == NULL ? 2 : 3\r
- );\r
-\r
- if (EFI_ERROR (Status)) {\r
- goto Exit;\r
- }\r
-\r
- //\r
- // Copy KEYMATE (SK_ENCRYPT_i | SK_ENCRYPT_r | SK_INTEG_i | SK_INTEG_r) to\r
- // ChildKeyMates.\r
- //\r
- if (!ChildSaSession->SessionCommon.IsInitiator) {\r
-\r
- //\r
- // Initiator Encryption Key\r
- //\r
- ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.EncAlgoId = (UINT8)SaParams->EncAlgId;\r
- ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.EncKeyLength = EncryptAlgKeyLen;\r
- ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.EncKey = AllocateZeroPool (EncryptAlgKeyLen);\r
- if (ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.EncKey == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto Exit;\r
- }\r
-\r
- CopyMem (\r
- ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.EncKey,\r
- OutputKey,\r
- EncryptAlgKeyLen\r
- );\r
-\r
- //\r
- // Initiator Authentication Key\r
- //\r
- ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.AuthAlgoId = (UINT8)SaParams->IntegAlgId;\r
- ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.AuthKeyLength = IntegrityAlgKeyLen;\r
- ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.AuthKey = AllocateZeroPool (IntegrityAlgKeyLen);\r
- if (ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.AuthKey == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto Exit;\r
- }\r
-\r
- CopyMem (\r
- ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.AuthKey,\r
- OutputKey + EncryptAlgKeyLen,\r
- IntegrityAlgKeyLen\r
- );\r
-\r
- //\r
- // Responder Encrypt Key\r
- //\r
- ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.EncAlgoId = (UINT8)SaParams->EncAlgId;\r
- ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.EncKeyLength = EncryptAlgKeyLen;\r
- ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.EncKey = AllocateZeroPool (EncryptAlgKeyLen);\r
- if (ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.EncKey == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto Exit;\r
- }\r
-\r
- CopyMem (\r
- ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.EncKey,\r
- OutputKey + EncryptAlgKeyLen + IntegrityAlgKeyLen,\r
- EncryptAlgKeyLen\r
- );\r
-\r
- //\r
- // Responder Authentication Key\r
- //\r
- ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.AuthAlgoId = (UINT8)SaParams->IntegAlgId;\r
- ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.AuthKeyLength = IntegrityAlgKeyLen;\r
- ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.AuthKey = AllocateZeroPool (IntegrityAlgKeyLen);\r
- if (ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.AuthKey == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto Exit;\r
- }\r
-\r
- CopyMem (\r
- ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.AuthKey,\r
- OutputKey + 2 * EncryptAlgKeyLen + IntegrityAlgKeyLen,\r
- IntegrityAlgKeyLen\r
- );\r
- } else {\r
- //\r
- // Initiator Encryption Key\r
- //\r
- ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.EncAlgoId = (UINT8)SaParams->EncAlgId;\r
- ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.EncKeyLength = EncryptAlgKeyLen;\r
- ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.EncKey = AllocateZeroPool (EncryptAlgKeyLen);\r
- if (ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.EncKey == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto Exit;\r
- }\r
-\r
- CopyMem (\r
- ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.EncKey,\r
- OutputKey,\r
- EncryptAlgKeyLen\r
- );\r
-\r
- //\r
- // Initiator Authentication Key\r
- //\r
- ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.AuthAlgoId = (UINT8)SaParams->IntegAlgId;\r
- ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.AuthKeyLength = IntegrityAlgKeyLen;\r
- ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.AuthKey = AllocateZeroPool (IntegrityAlgKeyLen);\r
- if (ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.AuthKey == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto Exit;\r
- }\r
-\r
- CopyMem (\r
- ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.AuthKey,\r
- OutputKey + EncryptAlgKeyLen,\r
- IntegrityAlgKeyLen\r
- );\r
-\r
- //\r
- // Responder Encryption Key\r
- //\r
- ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.EncAlgoId = (UINT8)SaParams->EncAlgId;\r
- ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.EncKeyLength = EncryptAlgKeyLen;\r
- ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.EncKey = AllocateZeroPool (EncryptAlgKeyLen);\r
- if (ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.EncKey == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto Exit;\r
- }\r
-\r
- CopyMem (\r
- ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.EncKey,\r
- OutputKey + EncryptAlgKeyLen + IntegrityAlgKeyLen,\r
- EncryptAlgKeyLen\r
- );\r
-\r
- //\r
- // Responder Authentication Key\r
- //\r
- ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.AuthAlgoId = (UINT8)SaParams->IntegAlgId;\r
- ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.AuthKeyLength = IntegrityAlgKeyLen;\r
- ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.AuthKey = AllocateZeroPool (IntegrityAlgKeyLen);\r
- if (ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.AuthKey == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto Exit;\r
- }\r
-\r
- CopyMem (\r
- ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.AuthKey,\r
- OutputKey + 2 * EncryptAlgKeyLen + IntegrityAlgKeyLen,\r
- IntegrityAlgKeyLen\r
- );\r
- }\r
-\r
- IPSEC_DUMP_BUF (\r
- " >>> Local Encryption Key",\r
- ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.EncKey,\r
- EncryptAlgKeyLen\r
- );\r
- IPSEC_DUMP_BUF (\r
- " >>> Remote Encryption Key",\r
- ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.EncKey,\r
- EncryptAlgKeyLen\r
- );\r
- IPSEC_DUMP_BUF (\r
- " >>> Local Authentication Key",\r
- ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.AuthKey,\r
- IntegrityAlgKeyLen\r
- );\r
- IPSEC_DUMP_BUF (\r
- " >>> Remote Authentication Key",\r
- ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.AuthKey,\r
- IntegrityAlgKeyLen\r
- );\r
-\r
-\r
-\r
-Exit:\r
- if (EFI_ERROR (Status)) {\r
- if (ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.EncKey != NULL) {\r
- FreePool (ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.EncKey);\r
- }\r
- if (ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.AuthKey != NULL) {\r
- FreePool (ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.AuthKey);\r
- }\r
- if (ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.EncKey != NULL) {\r
- FreePool (ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.EncKey);\r
- }\r
- if (ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.AuthKey != NULL) {\r
- FreePool (ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.AuthKey);\r
- }\r
- }\r
-\r
- if (OutputKey != NULL) {\r
- FreePool (OutputKey);\r
- }\r
-\r
- return EFI_SUCCESS;\r
-}\r
-\r
-GLOBAL_REMOVE_IF_UNREFERENCED IKEV2_PACKET_HANDLER mIkev2Initial[][2] = {\r
- { //PSK\r
- { // IKEV2_INIT\r
- Ikev2InitPskParser,\r
- Ikev2InitPskGenerator\r
- },\r
- { //IKEV2_AUTH\r
- Ikev2AuthPskParser,\r
- Ikev2AuthPskGenerator\r
- }\r
- },\r
- { // CERT\r
- { // IKEV2_INIT\r
- Ikev2InitCertParser,\r
- Ikev2InitCertGenerator\r
- },\r
- { // IKEV2_AUTH\r
- Ikev2AuthCertParser,\r
- Ikev2AuthCertGenerator\r
- },\r
- },\r
-};\r