[mirror_edk2.git] / NetworkPkg / IpSecDxe / Ike.h

/** @file\r
  The common definition of IPsec Key Exchange (IKE).\r
\r
  Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>\r
\r
  SPDX-License-Identifier: BSD-2-Clause-Patent\r
\r
\r
**/\r
\r
#ifndef _IKE_H_\r
#define _IKE_H_\r
\r
#include <Library/UdpIoLib.h>\r
#include <Library/BaseCryptLib.h>\r
#include "IpSecImpl.h"\r
\r
#define IKE_VERSION_MAJOR_MASK  0xf0\r
#define IKE_VERSION_MINOR_MASK  0x0f\r
\r
#define IKE_MAJOR_VERSION(v)    (((v) & IKE_VERSION_MAJOR_MASK) >> 4)\r
#define IKE_MINOR_VERSION(v)    ((v) & IKE_VERSION_MINOR_MASK)\r
\r
//\r
// Protocol Value Use in IKEv1 and IKEv2\r
//\r
#define IPSEC_PROTO_ISAKMP    1\r
#define IPSEC_PROTO_IPSEC_AH  2\r
#define IPSEC_PROTO_IPSEC_ESP 3\r
#define IPSEC_PROTO_IPCOMP    4 // For IKEv1 this value is reserved\r
\r
//\r
//  For Algorithm search in support list.Last two types are for IKEv2 only.\r
//\r
#define IKE_ENCRYPT_TYPE      0\r
#define IKE_AUTH_TYPE         1\r
#define IKE_PRF_TYPE          2\r
#define IKE_DH_TYPE           3\r
\r
//\r
// Encryption Algorithm present in IKEv1 phasrs2 and IKEv2 transform payload (Transform Type 1)\r
//\r
#define IPSEC_ESP_DES_IV64            1\r
#define IPSEC_ESP_DES                 2\r
#define IPSEC_ESP_3DES                3\r
#define IPSEC_ESP_RC5                 4\r
#define IPSEC_ESP_IDEA                5\r
#define IPSEC_ESP_CAST                6\r
#define IPSEC_ESP_BLOWFISH            7\r
#define IPSEC_ESP_3IDEA               8\r
#define IPSEC_ESP_DES_IV32            9\r
#define IPSEC_ESP_RC4                 10  // It's reserved in IKEv2\r
#define IPSEC_ESP_NULL                11\r
#define IPSEC_ESP_AES                 12\r
\r
#define IKE_XCG_TYPE_NONE             0\r
#define IKE_XCG_TYPE_BASE             1\r
#define IKE_XCG_TYPE_IDENTITY_PROTECT 2\r
#define IKE_XCG_TYPE_AUTH_ONLY        3\r
#define IKE_XCG_TYPE_AGGR             4\r
#define IKE_XCG_TYPE_INFO             5\r
#define IKE_XCG_TYPE_QM               32\r
#define IKE_XCG_TYPE_NGM              33\r
#define IKE_XCG_TYPE_SA_INIT          34\r
#define IKE_XCG_TYPE_AUTH             35\r
#define IKE_XCG_TYPE_CREATE_CHILD_SA  36\r
#define IKE_XCG_TYPE_INFO2            37\r
\r
#define IKE_LIFE_TYPE_SECONDS         1\r
#define IKE_LIFE_TYPE_KILOBYTES       2\r
\r
//\r
// Deafult IKE SA lifetime and CHILD SA lifetime\r
//\r
#define IKE_SA_DEFAULT_LIFETIME       1200\r
#define CHILD_SA_DEFAULT_LIFETIME     3600\r
\r
//\r
// Next payload type presented within Proposal payload\r
//\r
#define IKE_PROPOSAL_NEXT_PAYLOAD_MORE  2\r
#define IKE_PROPOSAL_NEXT_PAYLOAD_NONE  0\r
\r
//\r
// Next payload type presented within Transform payload\r
//\r
#define IKE_TRANSFORM_NEXT_PAYLOAD_MORE 3\r
#define IKE_TRANSFORM_NEXT_PAYLOAD_NONE 0\r
\r
//\r
// Max size of the SA attribute\r
//\r
#define MAX_SA_ATTRS_SIZE     48\r
#define SA_ATTR_FORMAT_BIT    0x8000\r
//\r
// The definition for Information Message ID.\r
//\r
#define INFO_MID_SIGNATURE    SIGNATURE_32 ('I', 'N', 'F', 'M')\r
\r
//\r
// Type for the IKE SESSION COMMON\r
//\r
typedef enum {\r
  IkeSessionTypeIkeSa,\r
  IkeSessionTypeChildSa,\r
  IkeSessionTypeInfo,\r
  IkeSessionTypeMax\r
} IKE_SESSION_TYPE;\r
\r
//\r
// The DH Group ID defined RFC3526 and RFC 2409\r
//\r
typedef enum {\r
  OakleyGroupModp768  = 1,\r
  OakleyGroupModp1024 = 2,\r
  OakleyGroupGp155    = 3,  // Unsupported Now.\r
  OakleyGroupGp185    = 4,  // Unsupported Now.\r
  OakleyGroupModp1536 = 5,\r
\r
  OakleyGroupModp2048 = 14,\r
  OakleyGroupModp3072 = 15,\r
  OakleyGroupModp4096 = 16,\r
  OakleyGroupModp6144 = 17,\r
  OakleyGroupModp8192 = 18,\r
  OakleyGroupMax\r
} OAKLEY_GROUP_ID;\r
\r
//\r
// IKE Header\r
//\r
#pragma pack(1)\r
typedef struct {\r
  UINT64  InitiatorCookie;\r
  UINT64  ResponderCookie;\r
  UINT8   NextPayload;\r
  UINT8   Version;\r
  UINT8   ExchangeType;\r
  UINT8   Flags;\r
  UINT32  MessageId;\r
  UINT32  Length;\r
} IKE_HEADER;\r
#pragma pack()\r
\r
typedef union {\r
  UINT16  AttrLength;\r
  UINT16  AttrValue;\r
} IKE_SA_ATTR_UNION;\r
\r
//\r
// SA Attribute present in Transform Payload\r
//\r
#pragma pack(1)\r
typedef struct {\r
  UINT16            AttrType;\r
  IKE_SA_ATTR_UNION Attr;\r
} IKE_SA_ATTRIBUTE;\r
#pragma pack()\r
\r
//\r
// Contains the IKE packet information.\r
//\r
typedef struct {\r
  UINTN               RefCount;\r
  BOOLEAN             IsHdrExt;\r
  IKE_HEADER          *Header;\r
  BOOLEAN             IsPayloadsBufExt;\r
  UINT8               *PayloadsBuf; // The whole IkePakcet trimed the IKE header.\r
  UINTN               PayloadTotalSize;\r
  LIST_ENTRY          PayloadList;\r
  EFI_IP_ADDRESS      RemotePeerIp;\r
  BOOLEAN             IsEncoded;    // whether HTON is done when sending the packet\r
  UINT32              Spi;          // For the Delete Information Exchange\r
  BOOLEAN             IsDeleteInfo; // For the Delete Information Exchange\r
  IPSEC_PRIVATE_DATA  *Private;     // For the Delete Information Exchange\r
} IKE_PACKET;\r
\r
//\r
// The generic structure to all kinds of IKE payloads.\r
//\r
typedef struct {\r
  UINT32      Signature;\r
  BOOLEAN     IsPayloadBufExt;\r
  UINT8       PayloadType;\r
  UINT8       *PayloadBuf;\r
  UINTN       PayloadSize;\r
  LIST_ENTRY  ByPacket;\r
} IKE_PAYLOAD;\r
\r
//\r
// Udp Service\r
//\r
typedef struct {\r
  UINT32          Signature;\r
  UINT8           IpVersion;\r
  LIST_ENTRY      List;\r
  LIST_ENTRY      *ListHead;\r
  EFI_HANDLE      NicHandle;\r
  EFI_HANDLE      ImageHandle;\r
  UDP_IO          *Input;\r
  UDP_IO          *Output;\r
  EFI_IP_ADDRESS  DefaultAddress;\r
  BOOLEAN         IsConfigured;\r
} IKE_UDP_SERVICE;\r
\r
//\r
// Each IKE session has its own Key sets for local peer and remote peer.\r
//\r
typedef struct {\r
  EFI_IPSEC_ALGO_INFO LocalPeerInfo;\r
  EFI_IPSEC_ALGO_INFO RemotePeerInfo;\r
} SA_KEYMATS;\r
\r
//\r
// Each algorithm has its own Id, Guid, BlockSize and KeyLength.\r
// This struct contains these information for each algorithm. It is generic structure\r
// for both encryption and authentication algorithm.\r
// For authentication algorithm, the AlgSize means IcvSize. For encryption algorithm,\r
// it means IvSize.\r
//\r
#pragma pack(1)\r
typedef struct {\r
  UINT8     AlgorithmId;       // Encryption or Authentication Id used by ESP/AH\r
  EFI_GUID  *AlgGuid;\r
  UINT8     AlgSize;     // IcvSize or IvSize\r
  UINT8     BlockSize;\r
  UINTN     KeyMateLen;\r
} IKE_ALG_GUID_INFO;   // For IPsec Authentication and Encryption Algorithm.\r
#pragma pack()\r
\r
//\r
// Structure used to store the DH group\r
//\r
typedef struct {\r
  UINT8 GroupId;\r
  UINTN Size;\r
  UINT8 *Modulus;\r
  UINTN GroupGenerator;\r
} MODP_GROUP;\r
\r
/**\r
  This is prototype definition of general interface to phase the payloads\r
  after/before the decode/encode.\r
\r
  @param[in]  SessionCommon    Point to the SessionCommon\r
  @param[in]  PayloadBuf       Point to the buffer of Payload.\r
  @param[in]  PayloadSize      The size of the PayloadBuf in bytes.\r
  @param[in]  PayloadType      The type of Payload.\r
\r
**/\r
typedef\r
VOID\r
(*IKE_ON_PAYLOAD_FROM_NET) (\r
  IN UINT8    *SessionCommon,\r
  IN UINT8    *PayloadBuf,\r
  IN UINTN    PayloadSize,\r
  IN UINT8    PayloadType\r
  );\r
\r
#endif\r
\r
Commit	Line	Data
9166f840	1	/** @file\r
	2	The common definition of IPsec Key Exchange (IKE).\r
	3	\r
f75a7f56	4	Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>\r
9166f840	5	\r
ecf98fbc	6	SPDX-License-Identifier: BSD-2-Clause-Patent\r
9166f840	7	\r
	8	\r
	9	**/\r
	10	\r
	11	#ifndef _IKE_H_\r
	12	#define _IKE_H_\r
	13	\r
	14	#include <Library/UdpIoLib.h>\r
	15	#include <Library/BaseCryptLib.h>\r
	16	#include "IpSecImpl.h"\r
	17	\r
	18	#define IKE_VERSION_MAJOR_MASK 0xf0\r
	19	#define IKE_VERSION_MINOR_MASK 0x0f\r
	20	\r
	21	#define IKE_MAJOR_VERSION(v) (((v) & IKE_VERSION_MAJOR_MASK) >> 4)\r
	22	#define IKE_MINOR_VERSION(v) ((v) & IKE_VERSION_MINOR_MASK)\r
	23	\r
	24	//\r
	25	// Protocol Value Use in IKEv1 and IKEv2\r
	26	//\r
	27	#define IPSEC_PROTO_ISAKMP 1\r
	28	#define IPSEC_PROTO_IPSEC_AH 2\r
	29	#define IPSEC_PROTO_IPSEC_ESP 3\r
	30	#define IPSEC_PROTO_IPCOMP 4 // For IKEv1 this value is reserved\r
	31	\r
	32	//\r
	33	// For Algorithm search in support list.Last two types are for IKEv2 only.\r
	34	//\r
	35	#define IKE_ENCRYPT_TYPE 0\r
	36	#define IKE_AUTH_TYPE 1\r
	37	#define IKE_PRF_TYPE 2\r
	38	#define IKE_DH_TYPE 3\r
	39	\r
	40	//\r
	41	// Encryption Algorithm present in IKEv1 phasrs2 and IKEv2 transform payload (Transform Type 1)\r
	42	//\r
	43	#define IPSEC_ESP_DES_IV64 1\r
	44	#define IPSEC_ESP_DES 2\r
	45	#define IPSEC_ESP_3DES 3\r
	46	#define IPSEC_ESP_RC5 4\r
	47	#define IPSEC_ESP_IDEA 5\r
	48	#define IPSEC_ESP_CAST 6\r
	49	#define IPSEC_ESP_BLOWFISH 7\r
	50	#define IPSEC_ESP_3IDEA 8\r
	51	#define IPSEC_ESP_DES_IV32 9\r
f75a7f56	52	#define IPSEC_ESP_RC4 10 // It's reserved in IKEv2\r
9166f840	53	#define IPSEC_ESP_NULL 11\r
	54	#define IPSEC_ESP_AES 12\r
	55	\r
	56	#define IKE_XCG_TYPE_NONE 0\r
	57	#define IKE_XCG_TYPE_BASE 1\r
	58	#define IKE_XCG_TYPE_IDENTITY_PROTECT 2\r
	59	#define IKE_XCG_TYPE_AUTH_ONLY 3\r
	60	#define IKE_XCG_TYPE_AGGR 4\r
	61	#define IKE_XCG_TYPE_INFO 5\r
	62	#define IKE_XCG_TYPE_QM 32\r
	63	#define IKE_XCG_TYPE_NGM 33\r
	64	#define IKE_XCG_TYPE_SA_INIT 34\r
	65	#define IKE_XCG_TYPE_AUTH 35\r
	66	#define IKE_XCG_TYPE_CREATE_CHILD_SA 36\r
	67	#define IKE_XCG_TYPE_INFO2 37\r
	68	\r
	69	#define IKE_LIFE_TYPE_SECONDS 1\r
	70	#define IKE_LIFE_TYPE_KILOBYTES 2\r
	71	\r
	72	//\r
	73	// Deafult IKE SA lifetime and CHILD SA lifetime\r
	74	//\r
	75	#define IKE_SA_DEFAULT_LIFETIME 1200\r
	76	#define CHILD_SA_DEFAULT_LIFETIME 3600\r
	77	\r
	78	//\r
	79	// Next payload type presented within Proposal payload\r
	80	//\r
	81	#define IKE_PROPOSAL_NEXT_PAYLOAD_MORE 2\r
	82	#define IKE_PROPOSAL_NEXT_PAYLOAD_NONE 0\r
	83	\r
	84	//\r
	85	// Next payload type presented within Transform payload\r
	86	//\r
	87	#define IKE_TRANSFORM_NEXT_PAYLOAD_MORE 3\r
	88	#define IKE_TRANSFORM_NEXT_PAYLOAD_NONE 0\r
	89	\r
44de1013 HT	90	//\r
	91	// Max size of the SA attribute\r
	92	//\r
	93	#define MAX_SA_ATTRS_SIZE 48\r
9166f840	94	#define SA_ATTR_FORMAT_BIT 0x8000\r
	95	//\r
	96	// The definition for Information Message ID.\r
	97	//\r
	98	#define INFO_MID_SIGNATURE SIGNATURE_32 ('I', 'N', 'F', 'M')\r
	99	\r
	100	//\r
	101	// Type for the IKE SESSION COMMON\r
	102	//\r
	103	typedef enum {\r
	104	IkeSessionTypeIkeSa,\r
	105	IkeSessionTypeChildSa,\r
	106	IkeSessionTypeInfo,\r
	107	IkeSessionTypeMax\r
	108	} IKE_SESSION_TYPE;\r
	109	\r
	110	//\r
	111	// The DH Group ID defined RFC3526 and RFC 2409\r
	112	//\r
	113	typedef enum {\r
	114	OakleyGroupModp768 = 1,\r
	115	OakleyGroupModp1024 = 2,\r
	116	OakleyGroupGp155 = 3, // Unsupported Now.\r
	117	OakleyGroupGp185 = 4, // Unsupported Now.\r
	118	OakleyGroupModp1536 = 5,\r
	119	\r
	120	OakleyGroupModp2048 = 14,\r
	121	OakleyGroupModp3072 = 15,\r
	122	OakleyGroupModp4096 = 16,\r
	123	OakleyGroupModp6144 = 17,\r
	124	OakleyGroupModp8192 = 18,\r
	125	OakleyGroupMax\r
	126	} OAKLEY_GROUP_ID;\r
	127	\r
	128	//\r
	129	// IKE Header\r
	130	//\r
	131	#pragma pack(1)\r
	132	typedef struct {\r
	133	UINT64 InitiatorCookie;\r
	134	UINT64 ResponderCookie;\r
	135	UINT8 NextPayload;\r
	136	UINT8 Version;\r
	137	UINT8 ExchangeType;\r
	138	UINT8 Flags;\r
	139	UINT32 MessageId;\r
	140	UINT32 Length;\r
	141	} IKE_HEADER;\r
	142	#pragma pack()\r
	143	\r
	144	typedef union {\r
	145	UINT16 AttrLength;\r
	146	UINT16 AttrValue;\r
f75a7f56	147	} IKE_SA_ATTR_UNION;\r
9166f840	148	\r
	149	//\r
	150	// SA Attribute present in Transform Payload\r
	151	//\r
	152	#pragma pack(1)\r
	153	typedef struct {\r
	154	UINT16 AttrType;\r
	155	IKE_SA_ATTR_UNION Attr;\r
	156	} IKE_SA_ATTRIBUTE;\r
	157	#pragma pack()\r
	158	\r
	159	//\r
f75a7f56	160	// Contains the IKE packet information.\r
9166f840	161	//\r
	162	typedef struct {\r
	163	UINTN RefCount;\r
	164	BOOLEAN IsHdrExt;\r
	165	IKE_HEADER *Header;\r
	166	BOOLEAN IsPayloadsBufExt;\r
	167	UINT8 *PayloadsBuf; // The whole IkePakcet trimed the IKE header.\r
	168	UINTN PayloadTotalSize;\r
	169	LIST_ENTRY PayloadList;\r
	170	EFI_IP_ADDRESS RemotePeerIp;\r
	171	BOOLEAN IsEncoded; // whether HTON is done when sending the packet\r
	172	UINT32 Spi; // For the Delete Information Exchange\r
	173	BOOLEAN IsDeleteInfo; // For the Delete Information Exchange\r
	174	IPSEC_PRIVATE_DATA *Private; // For the Delete Information Exchange\r
	175	} IKE_PACKET;\r
	176	\r
	177	//\r
	178	// The generic structure to all kinds of IKE payloads.\r
	179	//\r
	180	typedef struct {\r
	181	UINT32 Signature;\r
	182	BOOLEAN IsPayloadBufExt;\r
	183	UINT8 PayloadType;\r
	184	UINT8 *PayloadBuf;\r
	185	UINTN PayloadSize;\r
	186	LIST_ENTRY ByPacket;\r
	187	} IKE_PAYLOAD;\r
	188	\r
	189	//\r
	190	// Udp Service\r
	191	//\r
	192	typedef struct {\r
	193	UINT32 Signature;\r
	194	UINT8 IpVersion;\r
	195	LIST_ENTRY List;\r
	196	LIST_ENTRY *ListHead;\r
	197	EFI_HANDLE NicHandle;\r
	198	EFI_HANDLE ImageHandle;\r
	199	UDP_IO *Input;\r
	200	UDP_IO *Output;\r
	201	EFI_IP_ADDRESS DefaultAddress;\r
	202	BOOLEAN IsConfigured;\r
	203	} IKE_UDP_SERVICE;\r
	204	\r
	205	//\r
	206	// Each IKE session has its own Key sets for local peer and remote peer.\r
	207	//\r
	208	typedef struct {\r
	209	EFI_IPSEC_ALGO_INFO LocalPeerInfo;\r
	210	EFI_IPSEC_ALGO_INFO RemotePeerInfo;\r
	211	} SA_KEYMATS;\r
	212	\r
	213	//\r
	214	// Each algorithm has its own Id, Guid, BlockSize and KeyLength.\r
	215	// This struct contains these information for each algorithm. It is generic structure\r
f75a7f56	216	// for both encryption and authentication algorithm.\r
9166f840	217	// For authentication algorithm, the AlgSize means IcvSize. For encryption algorithm,\r
	218	// it means IvSize.\r
	219	//\r
	220	#pragma pack(1)\r
	221	typedef struct {\r
	222	UINT8 AlgorithmId; // Encryption or Authentication Id used by ESP/AH\r
	223	EFI_GUID *AlgGuid;\r
	224	UINT8 AlgSize; // IcvSize or IvSize\r
	225	UINT8 BlockSize;\r
	226	UINTN KeyMateLen;\r
	227	} IKE_ALG_GUID_INFO; // For IPsec Authentication and Encryption Algorithm.\r
	228	#pragma pack()\r
	229	\r
	230	//\r
	231	// Structure used to store the DH group\r
	232	//\r
	233	typedef struct {\r
	234	UINT8 GroupId;\r
	235	UINTN Size;\r
	236	UINT8 *Modulus;\r
	237	UINTN GroupGenerator;\r
	238	} MODP_GROUP;\r
	239	\r
	240	/**\r
	241	This is prototype definition of general interface to phase the payloads\r
	242	after/before the decode/encode.\r
	243	\r
	244	@param[in] SessionCommon Point to the SessionCommon\r
	245	@param[in] PayloadBuf Point to the buffer of Payload.\r
	246	@param[in] PayloadSize The size of the PayloadBuf in bytes.\r
	247	@param[in] PayloadType The type of Payload.\r
	248	\r
	249	**/\r
	250	typedef\r
	251	VOID\r
	252	(*IKE_ON_PAYLOAD_FROM_NET) (\r
	253	IN UINT8 *SessionCommon,\r
	254	IN UINT8 *PayloadBuf,\r
	255	IN UINTN PayloadSize,\r
	256	IN UINT8 PayloadType\r
	257	);\r
	258	\r
	259	#endif\r
	260	\r