The Common operations used by IKE Exchange Process.\r
\r
(C) Copyright 2015 Hewlett-Packard Development Company, L.P.<BR>\r
- Copyright (c) 2010 - 2016, Intel Corporation. All rights reserved.<BR>\r
+ Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>\r
\r
- This program and the accompanying materials\r
- are licensed and made available under the terms and conditions of the BSD License\r
- which accompanies this distribution. The full text of the license may be found at\r
- http://opensource.org/licenses/bsd-license.php.\r
-\r
- THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,\r
- WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r
+ SPDX-License-Identifier: BSD-2-Clause-Patent\r
\r
**/\r
\r
\r
UINT16 mIkev2EncryptAlgorithmList[IKEV2_SUPPORT_ENCRYPT_ALGORITHM_NUM] = {\r
IKEV2_TRANSFORM_ID_ENCR_3DES,\r
- IKEV2_TRANSFORM_ID_ENCR_AES_CBC, \r
+ IKEV2_TRANSFORM_ID_ENCR_AES_CBC,\r
};\r
\r
UINT16 mIkev2PrfAlgorithmList[IKEV2_SUPPORT_PRF_ALGORITHM_NUM] = {\r
IkeSaSession->InitiatorCookie = IkeGenerateCookie ();\r
IkeSaSession->ResponderCookie = 0;\r
//\r
- // BUGBUG: Message ID starts from 2 is to match the OpenSwan requirement, but it \r
+ // BUGBUG: Message ID starts from 2 is to match the OpenSwan requirement, but it\r
// might not match the IPv6 Logo. In its test specification, it mentions that\r
// the Message ID should start from zero after the IKE_SA_INIT exchange.\r
//\r
\r
//\r
// Cleanup the fields of SessionCommon for processing.\r
- // \r
+ //\r
Ikev2SessionCommonRefresh (SessionCommon);\r
\r
//\r
);\r
if (EFI_ERROR(Status)){\r
//\r
- // If TimerEvent creation failed, the SA will be alive untill user disable it or \r
- // receiving a Delete Payload from peer. \r
+ // If TimerEvent creation failed, the SA will be alive untill user disable it or\r
+ // receiving a Delete Payload from peer.\r
//\r
return;\r
}\r
} else {\r
Lifetime = IkeSaSession->Spd->Data->ProcessingPolicy->SaLifetime.HardLifetime;\r
}\r
- \r
+\r
Status = gBS->SetTimer (\r
SessionCommon->TimeoutEvent,\r
TimerRelative,\r
);\r
if (EFI_ERROR(Status)){\r
//\r
- // If SetTimer failed, the SA will be alive untill user disable it or \r
- // receiving a Delete Payload from peer. \r
+ // If SetTimer failed, the SA will be alive untill user disable it or\r
+ // receiving a Delete Payload from peer.\r
//\r
return ;\r
}\r
Private->Ikev2SaSession list or Private->Ikev2EstablishedList list.\r
\r
@param[in] SaSessionList Pointer to list to be inserted into.\r
- @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION to be inserted. \r
- @param[in] RemotePeerIp Pointer to EFI_IP_ADDRESSS to indicate the \r
+ @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION to be inserted.\r
+ @param[in] RemotePeerIp Pointer to EFI_IP_ADDRESSS to indicate the\r
unique IKEV2_SA_SESSION.\r
\r
**/\r
@param[in] SaSessionList Pointer to list to be searched.\r
@param[in] RemotePeerIp Pointer to EFI_IP_ADDRESS to use for SA Session search.\r
\r
- @retval Pointer to IKEV2_SA_SESSION with the specified remote IP address or NULL. \r
+ @retval Pointer to IKEV2_SA_SESSION with the specified remote IP address or NULL.\r
\r
**/\r
IKEV2_SA_SESSION *\r
return NULL;\r
}\r
\r
-/**\r
- Marking a SA session as on deleting.\r
-\r
- @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION.\r
-\r
- @retval EFI_SUCCESS Find the related SA session and marked it.\r
-\r
-**/\r
-EFI_STATUS\r
-Ikev2SaSessionOnDeleting (\r
- IN IKEV2_SA_SESSION *IkeSaSession\r
- )\r
-{\r
- return EFI_SUCCESS;\r
-}\r
\r
/**\r
- Free specified Seession Common. The session common would belong to a IKE SA or \r
+ Free specified Seession Common. The session common would belong to a IKE SA or\r
a Child SA.\r
\r
@param[in] SessionCommon Pointer to a Session Common.\r
return ;\r
}\r
/**\r
- Free specified IKEV2 SA Session. \r
+ Free specified IKEV2 SA Session.\r
\r
@param[in] IkeSaSession Pointer to IKEV2_SA_SESSION to be freed.\r
\r
IKEV2_DH_BUFFER *DhBuffer;\r
\r
ASSERT (IkeSaSession != NULL);\r
- \r
+\r
//\r
// Delete Common Session\r
//\r
\r
//\r
// Delete Keys\r
- // \r
+ //\r
if (IkeKeys->SkAiKey != NULL) {\r
FreePool (IkeKeys->SkAiKey);\r
}\r
\r
/**\r
Allocate memory for IKEV2 Child SA Session.\r
- \r
+\r
@param[in] UdpService Pointer to IKE_UDP_SERVICE.\r
- @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION related to this Child SA \r
+ @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION related to this Child SA\r
Session.\r
\r
@retval Pointer of a new created IKEV2 Child SA Session or NULL.\r
FreePool (ChildSaSession);\r
return NULL;\r
}\r
- \r
+\r
ChildSaCommon = &ChildSaSession->SessionCommon;\r
ChildSaCommon->UdpService = UdpService;\r
ChildSaCommon->Private = IkeSaSession->SessionCommon.Private;\r
}\r
\r
/**\r
- Register a established IKEv2 Child SA into IkeSaSession->ChildSaEstablishSessionList. \r
- If the there is IKEV2_CHILD_SA_SESSION with same remote peer IP, remove the old one \r
+ Register a established IKEv2 Child SA into IkeSaSession->ChildSaEstablishSessionList.\r
+ If the there is IKEV2_CHILD_SA_SESSION with same remote peer IP, remove the old one\r
then register the new one.\r
\r
@param[in] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION to be registered.\r
\r
//\r
// Cleanup the fields of SessionCommon for processing.\r
- // \r
+ //\r
Ikev2SessionCommonRefresh (SessionCommon);\r
- \r
+\r
//\r
// Insert the ready child SA session into established list.\r
//\r
return ;\r
}\r
\r
-/**\r
- Find the ChildSaSession by it's MessagId.\r
-\r
- @param[in] SaSessionList Pointer to a ChildSaSession List.\r
- @param[in] Mid The messageId used to search ChildSaSession.\r
-\r
- @return Pointer to IKEV2_CHILD_SA_SESSION or NULL.\r
-\r
-**/\r
-IKEV2_CHILD_SA_SESSION *\r
-Ikev2ChildSaSessionLookupByMid (\r
- IN LIST_ENTRY *SaSessionList,\r
- IN UINT32 Mid\r
- )\r
-{\r
- LIST_ENTRY *Entry;\r
- IKEV2_CHILD_SA_SESSION *ChildSaSession;\r
-\r
- NET_LIST_FOR_EACH (Entry, SaSessionList) {\r
- ChildSaSession = IKEV2_CHILD_SA_SESSION_BY_IKE_SA (Entry);\r
-\r
- if (ChildSaSession->MessageId == Mid) {\r
- return ChildSaSession;\r
- }\r
- }\r
- return NULL;\r
-}\r
\r
/**\r
This function find the Child SA by the specified SPI.\r
\r
This functin find a ChildSA session by searching the ChildSaSessionlist of\r
the input IKEV2_SA_SESSION by specified MessageID.\r
- \r
+\r
@param[in] SaSessionList Pointer to List to be searched.\r
@param[in] Spi Specified SPI.\r
\r
\r
/**\r
Remove the IKEV2_CHILD_SA_SESSION from IkeSaSessionList.\r
- \r
+\r
@param[in] SaSessionList The SA Session List to be iterated.\r
@param[in] Spi Spi used to identified the IKEV2_CHILD_SA_SESSION.\r
- @param[in] ListType The type of the List to indicate whether it is a \r
- Established. \r
+ @param[in] ListType The type of the List to indicate whether it is a\r
+ Established.\r
\r
@return The point to IKEV2_CHILD_SA_SESSION or NULL.\r
- \r
+\r
**/\r
IKEV2_CHILD_SA_SESSION *\r
Ikev2ChildSaSessionRemove (\r
IN LIST_ENTRY *SaSessionList,\r
- IN UINT32 Spi, \r
+ IN UINT32 Spi,\r
IN UINT8 ListType\r
)\r
{\r
IKEV2_CHILD_SA_SESSION *ChildSaSession;\r
\r
NET_LIST_FOR_EACH_SAFE (Entry, NextEntry, SaSessionList) {\r
- \r
+\r
if (ListType == IKEV2_ESTABLISHED_CHILDSA_LIST || ListType == IKEV2_ESTABLISHING_CHILDSA_LIST) {\r
ChildSaSession = IKEV2_CHILD_SA_SESSION_BY_IKE_SA (Entry);\r
} else if (ListType == IKEV2_DELET_CHILDSA_LIST) {\r
}\r
\r
/**\r
- Mark a specified Child SA Session as on deleting.\r
-\r
- @param[in] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION.\r
-\r
- @retval EFI_SUCCESS Operation is successful.\r
-\r
-**/\r
-EFI_STATUS\r
-Ikev2ChildSaSessionOnDeleting (\r
- IN IKEV2_CHILD_SA_SESSION *ChildSaSession\r
- )\r
-{\r
- return EFI_SUCCESS;\r
-}\r
-\r
-/**\r
- Free the memory located for the specified IKEV2_CHILD_SA_SESSION. \r
+ Free the memory located for the specified IKEV2_CHILD_SA_SESSION.\r
\r
@param[in] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION.\r
\r
//\r
ChildSession = Ikev2ChildSaSessionRemove(\r
&(IkeSaSession->ChildSaEstablishSessionList),\r
- Spi, \r
+ Spi,\r
IKEV2_ESTABLISHED_CHILDSA_LIST\r
);\r
if (ChildSession == NULL) {\r
\r
LocalSpi = ChildSession->LocalPeerSpi;\r
RemoteSpi = ChildSession->RemotePeerSpi;\r
- \r
+\r
SelectorSize = sizeof (EFI_IPSEC_CONFIG_SELECTOR);\r
Selector = AllocateZeroPool (SelectorSize);\r
if (Selector == NULL) {\r
Status = EFI_OUT_OF_RESOURCES;\r
break;\r
}\r
- \r
+\r
Status = EfiIpSecConfigGetNextSelector (\r
&Private->IpSecConfig,\r
IPsecConfigDataTypeSad,\r
Status = EFI_OUT_OF_RESOURCES;\r
break;\r
}\r
- \r
+\r
CopyMem (RemoteSelector, Selector, SelectorSize);\r
}\r
\r
Status = EFI_OUT_OF_RESOURCES;\r
break;\r
}\r
- \r
+\r
CopyMem (LocalSelector, Selector, SelectorSize);\r
}\r
}\r
Free the specified DhBuffer.\r
\r
@param[in] DhBuffer Pointer to IKEV2_DH_BUFFER to be freed.\r
- \r
+\r
**/\r
VOID\r
Ikev2DhBufferFree (\r
IKEV2_DH_BUFFER *DhBuffer\r
-) \r
+)\r
{\r
if (DhBuffer != NULL) {\r
if (DhBuffer->GxBuffer != NULL) {\r
\r
/**\r
This function is to parse a request IKE packet and return its request type.\r
- The request type is one of IKE CHILD SA creation, IKE SA rekeying and \r
+ The request type is one of IKE CHILD SA creation, IKE SA rekeying and\r
IKE CHILD SA rekeying.\r
\r
@param[in] IkePacket IKE packet to be prased.\r
//\r
Flag = TRUE;\r
}\r
- if (IkePayload->PayloadType == IKEV2_PAYLOAD_TYPE_NOTIFY) { \r
+ if (IkePayload->PayloadType == IKEV2_PAYLOAD_TYPE_NOTIFY) {\r
if (((IKEV2_NOTIFY*)IkePayload)->MessageType == IKEV2_NOTIFICATION_REKEY_SA) {\r
//\r
- // If notify payload with REKEY_SA message type, the IkePacket is for \r
+ // If notify payload with REKEY_SA message type, the IkePacket is for\r
// rekeying Child SA.\r
//\r
return IkeRequestTypeRekeyChildSa;\r
return IkeRequestTypeRekeyIkeSa;\r
} else {\r
//\r
- // If the Notify payloaad with transport mode message type, the IkePacket is \r
+ // If the Notify payloaad with transport mode message type, the IkePacket is\r
// for create Child SA.\r
//\r
return IkeRequestTypeCreateChildSa;\r
/**\r
Associate a SPD selector to the Child SA Session.\r
\r
- This function is called when the Child SA is not the first child SA of its \r
+ This function is called when the Child SA is not the first child SA of its\r
IKE SA. It associate a SPD to this Child SA.\r
\r
- @param[in, out] ChildSaSession Pointer to the Child SA Session to be associated to \r
+ @param[in, out] ChildSaSession Pointer to the Child SA Session to be associated to\r
a SPD selector.\r
\r
@retval EFI_SUCCESS Associate one SPD selector to this Child SA Session successfully.\r
}\r
\r
\r
-/**\r
- This function finds the SPI from Create Child SA Exchange Packet.\r
- \r
- @param[in] IkePacket Pointer to IKE_PACKET to be searched.\r
-\r
- @retval SPI number or 0 if it is not supported.\r
-\r
-**/\r
-UINT32\r
-Ikev2ChildExchangeRekeySpi (\r
- IN IKE_PACKET *IkePacket\r
- )\r
-{\r
- //\r
- // Not support yet.\r
- // \r
- return 0;\r
-}\r
\r
/**\r
Validate the IKE header of received IKE packet.\r
//\r
// Information Exchagne and Create Child Exchange can be started from each part.\r
//\r
- if (IkeHdr->ExchangeType != IKEV2_EXCHANGE_TYPE_INFO && \r
+ if (IkeHdr->ExchangeType != IKEV2_EXCHANGE_TYPE_INFO &&\r
IkeHdr->ExchangeType != IKEV2_EXCHANGE_TYPE_CREATE_CHILD\r
) {\r
if (IkeSaSession->SessionCommon.IsInitiator) {\r
ProposalData->ProposalIndex = 1;\r
\r
//\r
- // If SA data for IKE_SA_INIT exchage, contains 4 transforms. If SA data for \r
+ // If SA data for IKE_SA_INIT exchage, contains 4 transforms. If SA data for\r
// IKE_AUTH exchange contains 3 transforms.\r
//\r
if (SessionCommon->IkeSessionType == IkeSessionTypeIkeSa) {\r
FreePool (SaData);\r
return NULL;\r
}\r
- \r
+\r
CopyMem (\r
ProposalData->Spi,\r
&ChildSaSession->LocalPeerSpi,\r
FreePool (SaData);\r
return NULL;\r
}\r
- \r
+\r
CopyMem (\r
ProposalData->Spi,\r
&ChildSaSession->LocalPeerSpi,\r
\r
//\r
// Create a SpdSelector. In this implementation, one SPD represents\r
- // 2 direction traffic, so in here, there needs to reverse the local address \r
+ // 2 direction traffic, so in here, there needs to reverse the local address\r
// and remote address for Remote Peer's SA, then reverse again for the locate\r
- // SA. \r
+ // SA.\r
//\r
TempAddressCount = ChildSaSession->SpdSelector->LocalAddressCount;\r
TempAddressInfo = ChildSaSession->SpdSelector->LocalAddress;\r
//\r
if (SaData.Mode == EfiIPsecTunnel) {\r
CopyMem (\r
- &SaData.TunnelSourceAddress, \r
+ &SaData.TunnelSourceAddress,\r
&ChildSaSession->Spd->Data->ProcessingPolicy->TunnelOption->RemoteTunnelAddress,\r
sizeof (EFI_IP_ADDRESS)\r
);\r
\r
//\r
// Store the local SA into SAD.\r
- // \r
+ //\r
ChildSaSession->SpdSelector->RemoteAddressCount = ChildSaSession->SpdSelector->LocalAddressCount;\r
ChildSaSession->SpdSelector->RemoteAddress = ChildSaSession->SpdSelector->LocalAddress;\r
\r
ChildSaSession->SpdSelector->LocalAddress = TempAddressInfo;\r
ChildSaSession->SpdSelector->LocalAddressCount = TempAddressCount;\r
- \r
+\r
SaId.Spi = ChildSaSession->RemotePeerSpi;\r
\r
CopyMem (&SaId.DestAddress, &ChildSaSession->SessionCommon.RemotePeerIp, sizeof (EFI_IP_ADDRESS));\r
/**\r
Call back function of the IKE life time is over.\r
\r
- This function will mark the related IKE SA Session as deleting and trigger a \r
+ This function will mark the related IKE SA Session as deleting and trigger a\r
Information negotiation.\r
\r
@param[in] Event The signaled Event.\r
@param[in] Context Pointer to data passed by caller.\r
- \r
+\r
**/\r
VOID\r
EFIAPI\r
\r
//\r
// Change the Child SA Session's State to IKE_STATE_SA_DELETING.\r
- // \r
+ //\r
DEBUG ((\r
DEBUG_INFO,\r
"\n------ChildSa Lifetime is out(SPI):(0x%x)------\n",\r
UINT8 Value;\r
EFI_STATUS Status;\r
\r
- ASSERT (Context != NULL); \r
+ ASSERT (Context != NULL);\r
IkeSaSession = NULL;\r
ChildSaSession = NULL;\r
SessionCommon = (IKEV2_SESSION_COMMON *) Context;\r
if (ChildSaSession->SessionCommon.State == IkeStateSaDeleting) {\r
\r
//\r
- // Established Child SA should be remove from the SAD entry and \r
- // DeleteList. The function of Ikev2DeleteChildSaSilent() will remove \r
- // the childSA from the IkeSaSession->ChildSaEstablishedList. So there \r
+ // Established Child SA should be remove from the SAD entry and\r
+ // DeleteList. The function of Ikev2DeleteChildSaSilent() will remove\r
+ // the childSA from the IkeSaSession->ChildSaEstablishedList. So there\r
// is no need to remove it here.\r
//\r
Ikev2ChildSaSilentDelete (IkeSaSession, ChildSaSession->LocalPeerSpi);\r
Copy ChildSaSession->Spd->Selector to ChildSaSession->SpdSelector.\r
\r
ChildSaSession->SpdSelector stores the real Spdselector for its SA. Sometime,\r
- the SpdSelector in ChildSaSession is more accurated or the scope is smaller \r
+ the SpdSelector in ChildSaSession is more accurated or the scope is smaller\r
than the one in ChildSaSession->Spd, especially for the tunnel mode.\r
- \r
+\r
@param[in, out] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION related to.\r
\r
@retval EFI_SUCCESS The operation complete successfully.\r
@retval EFI_OUT_OF_RESOURCES If the required resource can't be allocated.\r
- \r
+\r
**/\r
EFI_STATUS\r
Ikev2ChildSaSessionSpdSelectorCreate (\r
IN OUT IKEV2_CHILD_SA_SESSION *ChildSaSession\r
- ) \r
+ )\r
{\r
EFI_STATUS Status;\r
\r
}\r
}\r
CopyMem (\r
- ChildSaSession->SpdSelector, \r
- ChildSaSession->Spd->Selector, \r
+ ChildSaSession->SpdSelector,\r
+ ChildSaSession->Spd->Selector,\r
sizeof (EFI_IPSEC_SPD_SELECTOR)\r
);\r
ChildSaSession->SpdSelector->RemoteAddress = AllocateCopyPool (\r
- ChildSaSession->Spd->Selector->RemoteAddressCount * \r
- sizeof (EFI_IP_ADDRESS_INFO), \r
+ ChildSaSession->Spd->Selector->RemoteAddressCount *\r
+ sizeof (EFI_IP_ADDRESS_INFO),\r
ChildSaSession->Spd->Selector->RemoteAddress\r
);\r
if (ChildSaSession->SpdSelector->RemoteAddress == NULL) {\r
Status = EFI_OUT_OF_RESOURCES;\r
\r
FreePool (ChildSaSession->SpdSelector);\r
- \r
+\r
return Status;\r
}\r
- \r
+\r
ChildSaSession->SpdSelector->LocalAddress = AllocateCopyPool (\r
- ChildSaSession->Spd->Selector->LocalAddressCount * \r
- sizeof (EFI_IP_ADDRESS_INFO), \r
+ ChildSaSession->Spd->Selector->LocalAddressCount *\r
+ sizeof (EFI_IP_ADDRESS_INFO),\r
ChildSaSession->Spd->Selector->LocalAddress\r
);\r
if (ChildSaSession->SpdSelector->LocalAddress == NULL) {\r
FreePool (ChildSaSession->SpdSelector->RemoteAddress);\r
\r
FreePool (ChildSaSession->SpdSelector);\r
- \r
+\r
return Status;\r
}\r
\r
ChildSaSession->SpdSelector->RemoteAddressCount = ChildSaSession->Spd->Selector->RemoteAddressCount;\r
- ChildSaSession->SpdSelector->LocalAddressCount = ChildSaSession->Spd->Selector->LocalAddressCount; \r
+ ChildSaSession->SpdSelector->LocalAddressCount = ChildSaSession->Spd->Selector->LocalAddressCount;\r
}\r
\r
return Status;\r
\r
//\r
// Set the specific parameters.\r
- // \r
+ //\r
ChildSaSession->Spd = IkeSaSession->Spd;\r
ChildSaCommon = &ChildSaSession->SessionCommon;\r
ChildSaCommon->IsInitiator = IkeSaSession->SessionCommon.IsInitiator;\r
Ikev2ChildSaSessionFree (ChildSaSession);\r
return NULL;\r
}\r
- \r
+\r
ChildSaSession->NiBlkSize = IkeSaSession->NiBlkSize;\r
CopyMem (ChildSaSession->NiBlock, IkeSaSession->NiBlock, IkeSaSession->NiBlkSize);\r
\r
Ikev2ChildSaSessionFree (ChildSaSession);\r
return NULL;\r
}\r
- \r
+\r
ChildSaSession->NrBlkSize = IkeSaSession->NrBlkSize;\r
CopyMem (ChildSaSession->NrBlock, IkeSaSession->NrBlock, IkeSaSession->NrBlkSize);\r
\r
//\r
- // Only if the Create Child SA is called for the IKE_INIT Exchange and \r
- // IkeSaSession is initiator (Only Initiator's SPD is not NULL), Set the \r
+ // Only if the Create Child SA is called for the IKE_INIT Exchange and\r
+ // IkeSaSession is initiator (Only Initiator's SPD is not NULL), Set the\r
// Traffic Selectors related information here.\r
//\r
if (IkeSaSession->SessionCommon.State == IkeStateAuth && IkeSaSession->Spd != NULL) {\r
Check if the SPD is related to the input Child SA Session.\r
\r
This function is the subfunction of Ikev1AssociateSpdEntry(). It is the call\r
- back function of IpSecVisitConfigData(). \r
- \r
+ back function of IpSecVisitConfigData().\r
+\r
\r
@param[in] Type Type of the input Config Selector.\r
- @param[in] Selector Pointer to the Configure Selector to be checked. \r
- @param[in] Data Pointer to the Configure Selector's Data passed \r
+ @param[in] Selector Pointer to the Configure Selector to be checked.\r
+ @param[in] Data Pointer to the Configure Selector's Data passed\r
from the caller.\r
@param[in] SelectorSize The buffer size of Selector.\r
@param[in] DataSize The buffer size of the Data.\r
@param[in] Context The data passed from the caller. It is a Child\r
SA Session in this context.\r
\r
- @retval EFI_SUCCESS The SPD Selector is not related to the Child SA Session. \r
- @retval EFI_ABORTED The SPD Selector is related to the Child SA session and \r
+ @retval EFI_SUCCESS The SPD Selector is not related to the Child SA Session.\r
+ @retval EFI_ABORTED The SPD Selector is related to the Child SA session and\r
set the ChildSaSession->Spd to point to this SPD Selector.\r
\r
**/\r
\r
ChildSaSession = (IKEV2_CHILD_SA_SESSION *) Context;\r
IpVersion = ChildSaSession->SessionCommon.UdpService->IpVersion;\r
- SpdSelector = (EFI_IPSEC_SPD_SELECTOR *) Selector; \r
+ SpdSelector = (EFI_IPSEC_SPD_SELECTOR *) Selector;\r
IsMatch = TRUE;\r
\r
if (SpdSelector->NextLayerProtocol == EFI_IP_PROTO_UDP &&\r
IsMatch = FALSE;\r
}\r
\r
- IsMatch = (BOOLEAN) (IsMatch && \r
+ IsMatch = (BOOLEAN) (IsMatch &&\r
IpSecMatchIpAddress (\r
IpVersion,\r
&ChildSaSession->SessionCommon.LocalPeerIp,\r
SpdSelector->LocalAddressCount\r
));\r
\r
- IsMatch = (BOOLEAN) (IsMatch && \r
+ IsMatch = (BOOLEAN) (IsMatch &&\r
IpSecMatchIpAddress (\r
IpVersion,\r
&ChildSaSession->SessionCommon.RemotePeerIp,\r
/**\r
Get the preferred algorithm types from ProposalData.\r
\r
- @param[in] ProposalData Pointer to related IKEV2_PROPOSAL_DATA.\r
- @param[out] PreferEncryptAlgorithm Output of preferred encrypt algorithm.\r
- @param[out] PreferIntegrityAlgorithm Output of preferred integrity algorithm. \r
- @param[out] PreferPrfAlgorithm Output of preferred PRF algorithm. Only \r
- for IKE SA.\r
- @param[out] PreferDhGroup Output of preferred DH group. Only for \r
- IKE SA.\r
- @param[out] PreferEncryptKeylength Output of preferred encrypt key length \r
- in bytes.\r
- @param[out] IsSupportEsn Output of value about the Extented Sequence\r
- Number is support or not. Only for Child SA.\r
- @param[in] IsChildSa If it is ture, the ProposalData is for IKE\r
- SA. Otherwise the proposalData is for Child SA.\r
+ @param[in] ProposalData Pointer to related IKEV2_PROPOSAL_DATA.\r
+ @param[in, out] PreferEncryptAlgorithm Pointer to buffer which is used to store the\r
+ preferred encrypt algorithm.\r
+ Input value shall be initialized to zero that\r
+ indicates to be parsed from ProposalData.\r
+ Output of preferred encrypt algorithm.\r
+ @param[in, out] PreferIntegrityAlgorithm Pointer to buffer which is used to store the\r
+ preferred integrity algorithm.\r
+ Input value shall be initialized to zero that\r
+ indicates to be parsed from ProposalData.\r
+ Output of preferred integrity algorithm.\r
+ @param[in, out] PreferPrfAlgorithm Pointer to buffer which is used to store the\r
+ preferred PRF algorithm.\r
+ Input value shall be initialized to zero that\r
+ indicates to be parsed from ProposalData.\r
+ Output of preferred PRF algorithm. Only\r
+ for IKE SA.\r
+ @param[in, out] PreferDhGroup Pointer to buffer which is used to store the\r
+ preferred DH group.\r
+ Input value shall be initialized to zero that\r
+ indicates to be parsed from ProposalData.\r
+ Output of preferred DH group. Only for\r
+ IKE SA.\r
+ @param[out] PreferEncryptKeylength Pointer to buffer which is used to store the\r
+ preferred encrypt key length in bytes.\r
+ @param[out] IsSupportEsn Pointer to buffer which is used to store the\r
+ value about the Extented Sequence Number is\r
+ support or not. Only for Child SA.\r
+ @param[in] IsChildSa If it is ture, the ProposalData is for IKE\r
+ SA. Otherwise the proposalData is for Child SA.\r
\r
**/\r
VOID\r
Ikev2ParseProposalData (\r
- IN IKEV2_PROPOSAL_DATA *ProposalData, \r
- OUT UINT16 *PreferEncryptAlgorithm,\r
- OUT UINT16 *PreferIntegrityAlgorithm,\r
- OUT UINT16 *PreferPrfAlgorithm,\r
- OUT UINT16 *PreferDhGroup,\r
+ IN IKEV2_PROPOSAL_DATA *ProposalData,\r
+ IN OUT UINT16 *PreferEncryptAlgorithm,\r
+ IN OUT UINT16 *PreferIntegrityAlgorithm,\r
+ IN OUT UINT16 *PreferPrfAlgorithm,\r
+ IN OUT UINT16 *PreferDhGroup,\r
OUT UINTN *PreferEncryptKeylength,\r
OUT BOOLEAN *IsSupportEsn,\r
IN BOOLEAN IsChildSa\r
-) \r
+)\r
{\r
IKEV2_TRANSFORM_DATA *TransformData;\r
UINT8 TransformIndex;\r
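Review bot: The rewritten IsChildSa @param text is inverted relative to the body: the DH case is taken only when `!IsChildSa` and the ESN case only when `IsChildSa`, so TRUE means the proposal is for a Child SA, not an IKE SA, and the line also keeps the typo "ture". Suggest `@param[in] IsChildSa If it is TRUE, the ProposalData is for a Child SA. Otherwise the ProposalData is for an IKE SA.` The new IN OUT contract ("input value shall be initialized to zero") is documented but never checked; a stale non-zero value silently suppresses parsing of that transform type, so callers that reuse the output variables across proposals must clear them, as the else branches later in this file do. Ikev2ParseProposalData's body continues beyond this hunk.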
// Check input parameters.\r
//\r
if (ProposalData == NULL ||\r
- PreferEncryptAlgorithm == NULL || \r
+ PreferEncryptAlgorithm == NULL ||\r
PreferIntegrityAlgorithm == NULL ||\r
PreferEncryptKeylength == NULL\r
) {\r
if (PreferPrfAlgorithm == NULL || PreferDhGroup == NULL) {\r
return;\r
}\r
- } \r
+ }\r
\r
TransformData = (IKEV2_TRANSFORM_DATA *)(ProposalData + 1);\r
for (TransformIndex = 0; TransformIndex < ProposalData->NumTransforms; TransformIndex++) {\r
- switch (TransformData->TransformType) { \r
+ switch (TransformData->TransformType) {\r
//\r
- // For IKE SA there are four algorithm types. Encryption Algorithm, Pseudo-random Function, \r
- // Integrity Algorithm, Diffie-Hellman Group. For Child SA, there are three algorithm types. \r
+ // For IKE SA there are four algorithm types. Encryption Algorithm, Pseudo-random Function,\r
+ // Integrity Algorithm, Diffie-Hellman Group. For Child SA, there are three algorithm types.\r
// Encryption Algorithm, Integrity Algorithm, Extended Sequence Number.\r
//\r
case IKEV2_TRANSFORM_TYPE_ENCR:\r
if (*PreferPrfAlgorithm == 0 && Ikev2IsSupportAlg (TransformData->TransformId, IKE_PRF_TYPE)) {\r
*PreferPrfAlgorithm = TransformData->TransformId;\r
}\r
- } \r
+ }\r
break;\r
\r
case IKEV2_TRANSFORM_TYPE_INTEG :\r
*PreferIntegrityAlgorithm = TransformData->TransformId;\r
}\r
break;\r
- \r
+\r
case IKEV2_TRANSFORM_TYPE_DH :\r
if (!IsChildSa) {\r
if (*PreferDhGroup == 0 && Ikev2IsSupportAlg (TransformData->TransformId, IKE_DH_TYPE)) {\r
*PreferDhGroup = TransformData->TransformId;\r
}\r
- } \r
+ }\r
break;\r
- \r
+\r
case IKEV2_TRANSFORM_TYPE_ESN :\r
if (IsChildSa) {\r
if (TransformData->TransformId != 0) {\r
*IsSupportEsn = TRUE;\r
}\r
- } \r
+ }\r
break;\r
\r
default:\r
\r
/**\r
Parse the received Initial Exchange Packet.\r
- \r
- This function parse the SA Payload and Key Payload to find out the cryptographic \r
- suite for the further IKE negotiation and fill it into the IKE SA Session's \r
+\r
+ This function parse the SA Payload and Key Payload to find out the cryptographic\r
+ suite for the further IKE negotiation and fill it into the IKE SA Session's\r
CommonSession->SaParams.\r
\r
@param[in, out] IkeSaSession Pointer to related IKEV2_SA_SESSION.\r
@param[in] SaPayload The received packet.\r
- @param[in] Type The received packet IKE header flag. \r
+ @param[in] Type The received packet IKE header flag.\r
\r
@retval TRUE If the SA proposal in Packet is acceptable.\r
@retval FALSE If the SA proposal in Packet is not acceptable.\r
// Get the preferred algorithms.\r
//\r
Ikev2ParseProposalData (\r
- ProposalData, \r
+ ProposalData,\r
&PreferEncryptAlgorithm,\r
&PreferIntegrityAlgorithm,\r
&PreferPrfAlgorithm,\r
\r
if (PreferEncryptAlgorithm != 0 &&\r
PreferIntegrityAlgorithm != 0 &&\r
- PreferPrfAlgorithm != 0 && \r
+ PreferPrfAlgorithm != 0 &&\r
PreferDhGroup != 0\r
) {\r
//\r
- // Find the matched one. \r
+ // Find the matched one.\r
//\r
IkeSaSession->SessionCommon.SaParams = AllocateZeroPool (sizeof (IKEV2_SA_PARAMS));\r
if (IkeSaSession->SessionCommon.SaParams == NULL) {\r
return FALSE;\r
}\r
- \r
+\r
IkeSaSession->SessionCommon.SaParams->EncAlgId = PreferEncryptAlgorithm;\r
IkeSaSession->SessionCommon.SaParams->EnckeyLen = PreferEncryptKeylength;\r
IkeSaSession->SessionCommon.SaParams->DhGroup = PreferDhGroup;\r
// one than one transform with same type.\r
//\r
CopyMem (\r
- (IKEV2_PROPOSAL_DATA *) (IkeSaSession->SaData + 1), \r
- ProposalData, \r
+ (IKEV2_PROPOSAL_DATA *) (IkeSaSession->SaData + 1),\r
+ ProposalData,\r
SaDataSize - sizeof (IKEV2_SA_DATA)\r
);\r
\r
((IKEV2_PROPOSAL_DATA *) (IkeSaSession->SaData + 1))->ProposalIndex = 1;\r
- \r
+\r
return TRUE;\r
} else {\r
PreferEncryptAlgorithm = 0;\r
//\r
// Point to next Proposal.\r
//\r
- ProposalData = (IKEV2_PROPOSAL_DATA*)((UINT8*)(ProposalData + 1) + \r
+ ProposalData = (IKEV2_PROPOSAL_DATA*)((UINT8*)(ProposalData + 1) +\r
ProposalData->NumTransforms * sizeof (IKEV2_TRANSFORM_DATA));\r
}\r
} else if (Type == IKE_HEADER_FLAGS_RESPOND) {\r
//\r
- // First check the SA proposal's ProtoctolID and Transform Numbers. Since it is \r
- // the responded SA proposal, suppose it only has one proposal and the transform Numbers \r
- // is 4. \r
+ // First check the SA proposal's ProtoctolID and Transform Numbers. Since it is\r
+ // the responded SA proposal, suppose it only has one proposal and the transform Numbers\r
+ // is 4.\r
//\r
ProposalData = (IKEV2_PROPOSAL_DATA *)((IKEV2_SA_DATA *) SaPayload->PayloadBuf + 1);\r
if (ProposalData->ProtocolId != IPSEC_PROTO_ISAKMP || ProposalData->NumTransforms != 4) {\r
return FALSE;\r
}\r
//\r
- // Get the preferred algorithms. \r
+ // Get the preferred algorithms.\r
//\r
Ikev2ParseProposalData (\r
ProposalData,\r
&PreferPrfAlgorithm,\r
&PreferDhGroup,\r
&PreferEncryptKeylength,\r
- NULL, \r
+ NULL,\r
FALSE\r
);\r
- // \r
+ //\r
// Check if the Sa proposal data from received packet is in the IkeSaSession->SaData.\r
//\r
ProposalData = (IKEV2_PROPOSAL_DATA *) (IkeSaSession->SaData + 1);\r
\r
for (ProposalIndex = 0; ProposalIndex < IkeSaSession->SaData->NumProposals && (!IsMatch); ProposalIndex++) {\r
Ikev2ParseProposalData (\r
- ProposalData, \r
+ ProposalData,\r
&EncryptAlgorithm,\r
&IntegrityAlgorithm,\r
&PrfAlgorithm,\r
IntegrityAlgorithm = 0;\r
PrfAlgorithm = 0;\r
DhGroup = 0;\r
- EncryptKeylength = 0; \r
+ EncryptKeylength = 0;\r
}\r
\r
- ProposalData = (IKEV2_PROPOSAL_DATA*)((UINT8*)(ProposalData + 1) + \r
- ProposalData->NumTransforms * sizeof (IKEV2_TRANSFORM_DATA)); \r
+ ProposalData = (IKEV2_PROPOSAL_DATA*)((UINT8*)(ProposalData + 1) +\r
+ ProposalData->NumTransforms * sizeof (IKEV2_TRANSFORM_DATA));\r
}\r
\r
if (IsMatch) {\r
if (IkeSaSession->SessionCommon.SaParams == NULL) {\r
return FALSE;\r
}\r
- \r
+\r
IkeSaSession->SessionCommon.SaParams->EncAlgId = PreferEncryptAlgorithm;\r
IkeSaSession->SessionCommon.SaParams->EnckeyLen = PreferEncryptKeylength;\r
IkeSaSession->SessionCommon.SaParams->DhGroup = PreferDhGroup;\r
IkeSaSession->SessionCommon.SaParams->Prf = PreferPrfAlgorithm;\r
IkeSaSession->SessionCommon.SaParams->IntegAlgId = PreferIntegrityAlgorithm;\r
IkeSaSession->SessionCommon.PreferDhGroup = PreferDhGroup;\r
- \r
+\r
return TRUE;\r
}\r
}\r
- \r
+\r
return FALSE;\r
}\r
\r
/**\r
Parse the received Authentication Exchange Packet.\r
- \r
+\r
This function parse the SA Payload and Key Payload to find out the cryptographic\r
suite for the ESP and fill it into the Child SA Session's CommonSession->SaParams.\r
- \r
- @param[in, out] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION related to \r
+\r
+ @param[in, out] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION related to\r
this Authentication Exchange.\r
@param[in] SaPayload The received packet.\r
- @param[in] Type The IKE header's flag of received packet . \r
- \r
+ @param[in] Type The IKE header's flag of received packet .\r
+\r
@retval TRUE If the SA proposal in Packet is acceptable.\r
@retval FALSE If the SA proposal in Packet is not acceptable.\r
\r
IntegrityAlgorithm = 0;\r
EncryptAlgorithm = 0;\r
EncryptKeylength = 0;\r
- IsMatch = TRUE;\r
+ IsMatch = FALSE;\r
IsSupportEsn = FALSE;\r
PreferIsSupportEsn = FALSE;\r
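Review bot: The new `IsMatch = FALSE;` initializer deserves a why-comment, because the old TRUE value silently disabled the responder-side proposal loop further down (it is gated on `!IsMatch`) and nothing in this block records that dependency. Suggest `// IsMatch gates the responder-side proposal search below; it must start FALSE.` placed above the assignment. The enclosing function's declaration and body lie outside this hunk.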
\r
//\r
// Don't support the ESN now.\r
//\r
- if (PreferEncryptAlgorithm != 0 && \r
+ if (PreferEncryptAlgorithm != 0 &&\r
PreferIntegrityAlgorithm != 0 &&\r
!IsSupportEsn\r
) {\r
//\r
- // Find the matched one. \r
+ // Find the matched one.\r
//\r
ChildSaSession->SessionCommon.SaParams = AllocateZeroPool (sizeof (IKEV2_SA_PARAMS));\r
if (ChildSaSession->SessionCommon.SaParams == NULL) {\r
return FALSE;\r
}\r
- \r
+\r
ChildSaSession->SessionCommon.SaParams->EncAlgId = PreferEncryptAlgorithm;\r
ChildSaSession->SessionCommon.SaParams->EnckeyLen = PreferEncryptKeylength;\r
ChildSaSession->SessionCommon.SaParams->IntegAlgId = PreferIntegrityAlgorithm;\r
\r
//\r
// BUGBUG: Suppose there are 4 transforms in the matched proposal. If\r
- // the matched Proposal has more than 4 transforms that means there \r
+ // the matched Proposal has more than 4 transforms that means there\r
// are more than one transform with same type.\r
//\r
CopyMem (\r
((IKEV2_PROPOSAL_DATA *) (ChildSaSession->SaData + 1))->ProposalIndex = 1;\r
\r
((IKEV2_PROPOSAL_DATA *) (ChildSaSession->SaData + 1))->Spi = AllocateCopyPool (\r
- sizeof (ChildSaSession->LocalPeerSpi), \r
+ sizeof (ChildSaSession->LocalPeerSpi),\r
&ChildSaSession->LocalPeerSpi\r
);\r
if (((IKEV2_PROPOSAL_DATA *) (ChildSaSession->SaData + 1))->Spi == NULL) {\r
FreePool (ChildSaSession->SessionCommon.SaParams);\r
\r
FreePool (ChildSaSession->SaData );\r
- \r
+\r
return FALSE;\r
}\r
- \r
+\r
return TRUE;\r
\r
} else {\r
//\r
// Point to next Proposal\r
//\r
- ProposalData = (IKEV2_PROPOSAL_DATA *)((UINT8 *)(ProposalData + 1) + \r
+ ProposalData = (IKEV2_PROPOSAL_DATA *)((UINT8 *)(ProposalData + 1) +\r
ProposalData->NumTransforms * sizeof (IKEV2_TRANSFORM_DATA));\r
}\r
} else if (Type == IKE_HEADER_FLAGS_RESPOND) {\r
//\r
- // First check the SA proposal's ProtoctolID and Transform Numbers. Since it is \r
- // the responded SA proposal, suppose it only has one proposal and the transform Numbers \r
- // is 3. \r
+ // First check the SA proposal's ProtoctolID and Transform Numbers. Since it is\r
+ // the responded SA proposal, suppose it only has one proposal and the transform Numbers\r
+ // is 3.\r
//\r
ProposalData = (IKEV2_PROPOSAL_DATA *)((IKEV2_SA_DATA *)SaPayload->PayloadBuf + 1);\r
if (ProposalData->ProtocolId != IPSEC_PROTO_IPSEC_ESP || ProposalData->NumTransforms != 3) {\r
\r
for (ProposalIndex = 0; ProposalIndex < ChildSaSession->SaData->NumProposals && (!IsMatch); ProposalIndex++) {\r
Ikev2ParseProposalData (\r
- ProposalData, \r
+ ProposalData,\r
&EncryptAlgorithm,\r
&IntegrityAlgorithm,\r
NULL,\r
if (EncryptAlgorithm == PreferEncryptAlgorithm &&\r
EncryptKeylength == PreferEncryptKeylength &&\r
IntegrityAlgorithm == PreferIntegrityAlgorithm &&\r
- IsSupportEsn == PreferIsSupportEsn \r
+ IsSupportEsn == PreferIsSupportEsn\r
) {\r
IsMatch = TRUE;\r
} else {\r
- PreferEncryptAlgorithm = 0;\r
- PreferIntegrityAlgorithm = 0;\r
- IsSupportEsn = TRUE;\r
+ IntegrityAlgorithm = 0;\r
+ EncryptAlgorithm = 0;\r
+ EncryptKeylength = 0;\r
+ IsSupportEsn = FALSE;\r
}\r
- ProposalData = (IKEV2_PROPOSAL_DATA*)((UINT8*)(ProposalData + 1) + \r
- ProposalData->NumTransforms * sizeof (IKEV2_TRANSFORM_DATA)); \r
+ ProposalData = (IKEV2_PROPOSAL_DATA*)((UINT8*)(ProposalData + 1) +\r
+ ProposalData->NumTransforms * sizeof (IKEV2_TRANSFORM_DATA));\r
}\r
- \r
+\r
ProposalData = (IKEV2_PROPOSAL_DATA *)((IKEV2_SA_DATA *)SaPayload->PayloadBuf + 1);\r
if (IsMatch) {\r
ChildSaSession->SessionCommon.SaParams = AllocateZeroPool (sizeof (IKEV2_SA_PARAMS));\r
if (ChildSaSession->SessionCommon.SaParams == NULL) {\r
return FALSE;\r
}\r
- \r
+\r
ChildSaSession->SessionCommon.SaParams->EncAlgId = PreferEncryptAlgorithm;\r
ChildSaSession->SessionCommon.SaParams->EnckeyLen = PreferEncryptKeylength;\r
ChildSaSession->SessionCommon.SaParams->IntegAlgId = PreferIntegrityAlgorithm;\r
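Review bot: The reset of the parsed values on mismatch (`IntegrityAlgorithm = 0; EncryptAlgorithm = 0; EncryptKeylength = 0; IsSupportEsn = FALSE;`) only matters if Ikev2ParseProposalData leaves an output untouched when the proposal carries no transform of that type; if it always assigns all four, the block is dead code, and either way the intent deserves a comment such as `// Clear the parsed values so a transform missing from the next proposal cannot inherit a match from this one.` The walk to the next proposal (`ProposalData = (IKEV2_PROPOSAL_DATA*)((UINT8*)(ProposalData + 1) + ProposalData->NumTransforms * sizeof (IKEV2_TRANSFORM_DATA));`) advances through peer-supplied data by a peer-supplied count with no comparison against the length of SaPayload, and the loop is bounded by the local SaData->NumProposals rather than by the number of proposals actually present in the received payload. The ProtocolId/NumTransforms check at the top of this branch lies outside the hunk and its body is not visible, so it may already reject replies with more than one proposal; if it does not, a malformed reply can carry the pointer past the buffer before IsMatch is ever set. The enclosing function starts and ends outside the hunk.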
/**\r
Generate Key buffer from fragments.\r
\r
- If the digest length of specified HashAlgId is larger than or equal with the \r
- required output key length, derive the key directly. Otherwise, Key Material \r
- needs to be PRF-based concatenation according to 2.13 of RFC 4306: \r
+ If the digest length of specified HashAlgId is larger than or equal with the\r
+ required output key length, derive the key directly. Otherwise, Key Material\r
+ needs to be PRF-based concatenation according to 2.13 of RFC 4306:\r
prf+ (K,S) = T1 | T2 | T3 | T4 | ..., T1 = prf (K, S | 0x01),\r
T2 = prf (K, T1 | S | 0x02), T3 = prf (K, T2 | S | 0x03),T4 = prf (K, T3 | S | 0x04)\r
then derive the key from this key material.\r
- \r
+\r
@param[in] HashAlgId The Hash Algorithm ID used to generate key.\r
@param[in] HashKey Pointer to a key buffer which contains hash key.\r
@param[in] HashKeyLength The length of HashKey in bytes.\r
- @param[in, out] OutputKey Pointer to buffer which is used to receive the \r
+ @param[in, out] OutputKey Pointer to buffer which is used to receive the\r
output key.\r
@param[in] OutputKeyLength The length of OutPutKey buffer.\r
@param[in] Fragments Pointer to the data to be used to generate key.\r
\r
@retval EFI_SUCCESS The operation complete successfully.\r
@retval EFI_INVALID_PARAMETER If NumFragments is zero.\r
+ If the authentication algorithm given by HashAlgId\r
+ cannot be found.\r
@retval EFI_OUT_OF_RESOURCES If the required resource can't be allocated.\r
@retval Others The operation is failed.\r
\r
LocalFragments[2].Data = NULL;\r
\r
AuthKeyLength = IpSecGetHmacDigestLength (HashAlgId);\r
+ if (AuthKeyLength == 0) {\r
+ return EFI_INVALID_PARAMETER;\r
+ }\r
+\r
DigestSize = AuthKeyLength;\r
Digest = AllocateZeroPool (AuthKeyLength);\r
\r
if (OutputKeyLength <= DigestSize) {\r
Status = IpSecCryptoIoHmac (\r
HashAlgId,\r
- HashKey, \r
- HashKeyLength, \r
- (HASH_DATA_FRAGMENT *) Fragments, \r
- NumFragments, \r
- Digest, \r
+ HashKey,\r
+ HashKeyLength,\r
+ (HASH_DATA_FRAGMENT *) Fragments,\r
+ NumFragments,\r
+ Digest,\r
DigestSize\r
);\r
if (EFI_ERROR (Status)) {\r
Status = EFI_OUT_OF_RESOURCES;\r
goto Exit;\r
}\r
- \r
+\r
LocalFragments[1].DataSize = FragmentsSize;\r
\r
//\r
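Review bot: The `Digest = AllocateZeroPool (AuthKeyLength);` allocation right under the new AuthKeyLength guard is still handed to IpSecCryptoIoHmac without a NULL check, so an allocation failure becomes a NULL output buffer inside the HMAC call rather than an error return. Since LocalFragments[2].Data is set to NULL just above, the Exit path presumably tolerates unallocated fragments, so `if (Digest == NULL) { Status = EFI_OUT_OF_RESOURCES; goto Exit; }` immediately after the allocation should be enough; the Exit label and the start of the function are outside the hunk, so confirm Exit does not free Digest unconditionally before relying on it. The new early return for AuthKeyLength == 0 happens before anything visible here is allocated, so it does not leak. Separately, mapping any IpSecCryptoIoHmac failure to EFI_OUT_OF_RESOURCES hides the real cause from callers; returning Status as received would match the `@retval Others` line in the header comment.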
FragmentsSize = 0;\r
for (Index = 0; Index < NumFragments; Index++) {\r
CopyMem (\r
- LocalFragments[1].Data + FragmentsSize, \r
+ LocalFragments[1].Data + FragmentsSize,\r
Fragments[Index].Data,\r
Fragments[Index].DataSize\r
);\r
Status = EFI_OUT_OF_RESOURCES;\r
goto Exit;\r
}\r
- \r
+\r
LocalFragments[0].DataSize = AuthKeyLength;\r
\r
Round = (OutputKeyLength - 1) / AuthKeyLength + 1;\r
for (Index = 0; Index < Round; Index++) {\r
Status = IpSecCryptoIoHmac (\r
- HashAlgId, \r
- HashKey, \r
- HashKeyLength, \r
+ HashAlgId,\r
+ HashKey,\r
+ HashKeyLength,\r
(HASH_DATA_FRAGMENT *)(Index == 0 ? &LocalFragments[1] : LocalFragments),\r
- Index == 0 ? 2 : 3, \r
+ Index == 0 ? 2 : 3,\r
Digest,\r
DigestSize\r
);\r
goto Exit;\r
}\r
CopyMem (\r
- LocalFragments[0].Data, \r
- Digest, \r
+ LocalFragments[0].Data,\r
+ Digest,\r
DigestSize\r
);\r
if (OutputKeyLength > DigestSize * (Index + 1)) {\r
CopyMem (\r
- OutputKey + Index * DigestSize, \r
- Digest, \r
+ OutputKey + Index * DigestSize,\r
+ Digest,\r
DigestSize\r
);\r
LocalFragments[0].DataSize = DigestSize;\r
TailData ++;\r
} else {\r
- // \r
+ //\r
// The last round\r
//\r
CopyMem (\r
- OutputKey + Index * DigestSize, \r
- Digest, \r
+ OutputKey + Index * DigestSize,\r
+ Digest,\r
OutputKeyLength - Index * DigestSize\r
);\r
}\r