[mirror_edk2.git] / NetworkPkg / IpSecDxe / Ike.h

/** @file\r
  The common definition of IPsec Key Exchange (IKE).\r
\r
  Copyright (c) 2010, Intel Corporation. All rights reserved.<BR>\r
\r
  This program and the accompanying materials\r
  are licensed and made available under the terms and conditions of the BSD License\r
  which accompanies this distribution.  The full text of the license may be found at\r
  http://opensource.org/licenses/bsd-license.php.\r
\r
  THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,\r
  WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r
\r
\r
**/\r
\r
#ifndef _IKE_H_\r
#define _IKE_H_\r
\r
#include <Library/UdpIoLib.h>\r
#include <Library/BaseCryptLib.h>\r
#include "IpSecImpl.h"\r
\r
#define IKE_VERSION_MAJOR_MASK  0xf0\r
#define IKE_VERSION_MINOR_MASK  0x0f\r
\r
#define IKE_MAJOR_VERSION(v)    (((v) & IKE_VERSION_MAJOR_MASK) >> 4)\r
#define IKE_MINOR_VERSION(v)    ((v) & IKE_VERSION_MINOR_MASK)\r
\r
//\r
// Protocol Value Use in IKEv1 and IKEv2\r
//\r
#define IPSEC_PROTO_ISAKMP    1\r
#define IPSEC_PROTO_IPSEC_AH  2\r
#define IPSEC_PROTO_IPSEC_ESP 3\r
#define IPSEC_PROTO_IPCOMP    4 // For IKEv1 this value is reserved\r
\r
//\r
//  For Algorithm search in support list.Last two types are for IKEv2 only.\r
//\r
#define IKE_ENCRYPT_TYPE      0\r
#define IKE_AUTH_TYPE         1\r
#define IKE_PRF_TYPE          2\r
#define IKE_DH_TYPE           3\r
\r
//\r
// Encryption Algorithm present in IKEv1 phasrs2 and IKEv2 transform payload (Transform Type 1)\r
//\r
#define IPSEC_ESP_DES_IV64            1\r
#define IPSEC_ESP_DES                 2\r
#define IPSEC_ESP_3DES                3\r
#define IPSEC_ESP_RC5                 4\r
#define IPSEC_ESP_IDEA                5\r
#define IPSEC_ESP_CAST                6\r
#define IPSEC_ESP_BLOWFISH            7\r
#define IPSEC_ESP_3IDEA               8\r
#define IPSEC_ESP_DES_IV32            9\r
#define IPSEC_ESP_RC4                 10  // It's reserved in IKEv2 \r
#define IPSEC_ESP_NULL                11\r
#define IPSEC_ESP_AES                 12\r
\r
#define IKE_XCG_TYPE_NONE             0\r
#define IKE_XCG_TYPE_BASE             1\r
#define IKE_XCG_TYPE_IDENTITY_PROTECT 2\r
#define IKE_XCG_TYPE_AUTH_ONLY        3\r
#define IKE_XCG_TYPE_AGGR             4\r
#define IKE_XCG_TYPE_INFO             5\r
#define IKE_XCG_TYPE_QM               32\r
#define IKE_XCG_TYPE_NGM              33\r
#define IKE_XCG_TYPE_SA_INIT          34\r
#define IKE_XCG_TYPE_AUTH             35\r
#define IKE_XCG_TYPE_CREATE_CHILD_SA  36\r
#define IKE_XCG_TYPE_INFO2            37\r
\r
#define IKE_LIFE_TYPE_SECONDS         1\r
#define IKE_LIFE_TYPE_KILOBYTES       2\r
\r
//\r
// Deafult IKE SA lifetime and CHILD SA lifetime\r
//\r
#define IKE_SA_DEFAULT_LIFETIME       1200\r
#define CHILD_SA_DEFAULT_LIFETIME     3600\r
\r
//\r
// Next payload type presented within Proposal payload\r
//\r
#define IKE_PROPOSAL_NEXT_PAYLOAD_MORE  2\r
#define IKE_PROPOSAL_NEXT_PAYLOAD_NONE  0\r
\r
//\r
// Next payload type presented within Transform payload\r
//\r
#define IKE_TRANSFORM_NEXT_PAYLOAD_MORE 3\r
#define IKE_TRANSFORM_NEXT_PAYLOAD_NONE 0\r
\r
//
// Max size of the SA attribute
//
#define MAX_SA_ATTRS_SIZE     48
#define SA_ATTR_FORMAT_BIT    0x8000\r
//\r
// The definition for Information Message ID.\r
//\r
#define INFO_MID_SIGNATURE    SIGNATURE_32 ('I', 'N', 'F', 'M')\r
\r
//\r
// Type for the IKE SESSION COMMON\r
//\r
typedef enum {\r
  IkeSessionTypeIkeSa,\r
  IkeSessionTypeChildSa,\r
  IkeSessionTypeInfo,\r
  IkeSessionTypeMax\r
} IKE_SESSION_TYPE;\r
\r
//\r
// The DH Group ID defined RFC3526 and RFC 2409\r
//\r
typedef enum {\r
  OakleyGroupModp768  = 1,\r
  OakleyGroupModp1024 = 2,\r
  OakleyGroupGp155    = 3,  // Unsupported Now.\r
  OakleyGroupGp185    = 4,  // Unsupported Now.\r
  OakleyGroupModp1536 = 5,\r
\r
  OakleyGroupModp2048 = 14,\r
  OakleyGroupModp3072 = 15,\r
  OakleyGroupModp4096 = 16,\r
  OakleyGroupModp6144 = 17,\r
  OakleyGroupModp8192 = 18,\r
  OakleyGroupMax\r
} OAKLEY_GROUP_ID;\r
\r
//\r
// IKE Header\r
//\r
#pragma pack(1)\r
typedef struct {\r
  UINT64  InitiatorCookie;\r
  UINT64  ResponderCookie;\r
  UINT8   NextPayload;\r
  UINT8   Version;\r
  UINT8   ExchangeType;\r
  UINT8   Flags;\r
  UINT32  MessageId;\r
  UINT32  Length;\r
} IKE_HEADER;\r
#pragma pack()\r
\r
typedef union {\r
  UINT16  AttrLength;\r
  UINT16  AttrValue;\r
} IKE_SA_ATTR_UNION; \r
\r
//\r
// SA Attribute present in Transform Payload\r
//\r
#pragma pack(1)\r
typedef struct {\r
  UINT16            AttrType;\r
  IKE_SA_ATTR_UNION Attr;\r
} IKE_SA_ATTRIBUTE;\r
#pragma pack()\r
\r
//\r
// Contains the IKE packet information. \r
//\r
typedef struct {\r
  UINTN               RefCount;\r
  BOOLEAN             IsHdrExt;\r
  IKE_HEADER          *Header;\r
  BOOLEAN             IsPayloadsBufExt;\r
  UINT8               *PayloadsBuf; // The whole IkePakcet trimed the IKE header.\r
  UINTN               PayloadTotalSize;\r
  LIST_ENTRY          PayloadList;\r
  EFI_IP_ADDRESS      RemotePeerIp;\r
  BOOLEAN             IsEncoded;    // whether HTON is done when sending the packet\r
  UINT32              Spi;          // For the Delete Information Exchange\r
  BOOLEAN             IsDeleteInfo; // For the Delete Information Exchange\r
  IPSEC_PRIVATE_DATA  *Private;     // For the Delete Information Exchange\r
} IKE_PACKET;\r
\r
//\r
// The generic structure to all kinds of IKE payloads.\r
//\r
typedef struct {\r
  UINT32      Signature;\r
  BOOLEAN     IsPayloadBufExt;\r
  UINT8       PayloadType;\r
  UINT8       *PayloadBuf;\r
  UINTN       PayloadSize;\r
  LIST_ENTRY  ByPacket;\r
} IKE_PAYLOAD;\r
\r
//\r
// Udp Service\r
//\r
typedef struct {\r
  UINT32          Signature;\r
  UINT8           IpVersion;\r
  LIST_ENTRY      List;\r
  LIST_ENTRY      *ListHead;\r
  EFI_HANDLE      NicHandle;\r
  EFI_HANDLE      ImageHandle;\r
  UDP_IO          *Input;\r
  UDP_IO          *Output;\r
  EFI_IP_ADDRESS  DefaultAddress;\r
  BOOLEAN         IsConfigured;\r
} IKE_UDP_SERVICE;\r
\r
//\r
// Each IKE session has its own Key sets for local peer and remote peer.\r
//\r
typedef struct {\r
  EFI_IPSEC_ALGO_INFO LocalPeerInfo;\r
  EFI_IPSEC_ALGO_INFO RemotePeerInfo;\r
} SA_KEYMATS;\r
\r
//\r
// Each algorithm has its own Id, Guid, BlockSize and KeyLength.\r
// This struct contains these information for each algorithm. It is generic structure\r
// for both encryption and authentication algorithm. \r
// For authentication algorithm, the AlgSize means IcvSize. For encryption algorithm,\r
// it means IvSize.\r
//\r
#pragma pack(1)\r
typedef struct {\r
  UINT8     AlgorithmId;       // Encryption or Authentication Id used by ESP/AH\r
  EFI_GUID  *AlgGuid;\r
  UINT8     AlgSize;     // IcvSize or IvSize\r
  UINT8     BlockSize;\r
  UINTN     KeyMateLen;\r
} IKE_ALG_GUID_INFO;   // For IPsec Authentication and Encryption Algorithm.\r
#pragma pack()\r
\r
//\r
// Structure used to store the DH group\r
//\r
typedef struct {\r
  UINT8 GroupId;\r
  UINTN Size;\r
  UINT8 *Modulus;\r
  UINTN GroupGenerator;\r
} MODP_GROUP;\r
\r
/**\r
  This is prototype definition of general interface to phase the payloads\r
  after/before the decode/encode.\r
\r
  @param[in]  SessionCommon    Point to the SessionCommon\r
  @param[in]  PayloadBuf       Point to the buffer of Payload.\r
  @param[in]  PayloadSize      The size of the PayloadBuf in bytes.\r
  @param[in]  PayloadType      The type of Payload.\r
\r
**/\r
typedef\r
VOID\r
(*IKE_ON_PAYLOAD_FROM_NET) (\r
  IN UINT8    *SessionCommon,\r
  IN UINT8    *PayloadBuf,\r
  IN UINTN    PayloadSize,\r
  IN UINT8    PayloadType\r
  );\r
\r
#endif\r
\r
Commit	Line	Data
9166f840	1	/** @file\r
	2	The common definition of IPsec Key Exchange (IKE).\r
	3	\r
	4	Copyright (c) 2010, Intel Corporation. All rights reserved.<BR>\r
	5	\r
	6	This program and the accompanying materials\r
	7	are licensed and made available under the terms and conditions of the BSD License\r
	8	which accompanies this distribution. The full text of the license may be found at\r
	9	http://opensource.org/licenses/bsd-license.php.\r
	10	\r
	11	THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,\r
	12	WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r
	13	\r
	14	\r
	15	**/\r
	16	\r
	17	#ifndef _IKE_H_\r
	18	#define _IKE_H_\r
	19	\r
	20	#include <Library/UdpIoLib.h>\r
	21	#include <Library/BaseCryptLib.h>\r
	22	#include "IpSecImpl.h"\r
	23	\r
	24	#define IKE_VERSION_MAJOR_MASK 0xf0\r
	25	#define IKE_VERSION_MINOR_MASK 0x0f\r
	26	\r
	27	#define IKE_MAJOR_VERSION(v) (((v) & IKE_VERSION_MAJOR_MASK) >> 4)\r
	28	#define IKE_MINOR_VERSION(v) ((v) & IKE_VERSION_MINOR_MASK)\r
	29	\r
	30	//\r
	31	// Protocol Value Use in IKEv1 and IKEv2\r
	32	//\r
	33	#define IPSEC_PROTO_ISAKMP 1\r
	34	#define IPSEC_PROTO_IPSEC_AH 2\r
	35	#define IPSEC_PROTO_IPSEC_ESP 3\r
	36	#define IPSEC_PROTO_IPCOMP 4 // For IKEv1 this value is reserved\r
	37	\r
	38	//\r
	39	// For Algorithm search in support list.Last two types are for IKEv2 only.\r
	40	//\r
	41	#define IKE_ENCRYPT_TYPE 0\r
	42	#define IKE_AUTH_TYPE 1\r
	43	#define IKE_PRF_TYPE 2\r
	44	#define IKE_DH_TYPE 3\r
	45	\r
	46	//\r
	47	// Encryption Algorithm present in IKEv1 phasrs2 and IKEv2 transform payload (Transform Type 1)\r
	48	//\r
	49	#define IPSEC_ESP_DES_IV64 1\r
	50	#define IPSEC_ESP_DES 2\r
	51	#define IPSEC_ESP_3DES 3\r
	52	#define IPSEC_ESP_RC5 4\r
	53	#define IPSEC_ESP_IDEA 5\r
	54	#define IPSEC_ESP_CAST 6\r
	55	#define IPSEC_ESP_BLOWFISH 7\r
	56	#define IPSEC_ESP_3IDEA 8\r
	57	#define IPSEC_ESP_DES_IV32 9\r
	58	#define IPSEC_ESP_RC4 10 // It's reserved in IKEv2 \r
	59	#define IPSEC_ESP_NULL 11\r
	60	#define IPSEC_ESP_AES 12\r
	61	\r
	62	#define IKE_XCG_TYPE_NONE 0\r
	63	#define IKE_XCG_TYPE_BASE 1\r
	64	#define IKE_XCG_TYPE_IDENTITY_PROTECT 2\r
65	#define IKE_XCG_TYPE_AUTH_ONLY 3\r
66	#define IKE_XCG_TYPE_AGGR 4\r
67	#define IKE_XCG_TYPE_INFO 5\r
68	#define IKE_XCG_TYPE_QM 32\r
69	#define IKE_XCG_TYPE_NGM 33\r
70	#define IKE_XCG_TYPE_SA_INIT 34\r
71	#define IKE_XCG_TYPE_AUTH 35\r
72	#define IKE_XCG_TYPE_CREATE_CHILD_SA 36\r
73	#define IKE_XCG_TYPE_INFO2 37\r
74	\r
75	#define IKE_LIFE_TYPE_SECONDS 1\r
76	#define IKE_LIFE_TYPE_KILOBYTES 2\r
77	\r
78	//\r
79	// Deafult IKE SA lifetime and CHILD SA lifetime\r
80	//\r
81	#define IKE_SA_DEFAULT_LIFETIME 1200\r
82	#define CHILD_SA_DEFAULT_LIFETIME 3600\r
83	\r
84	//\r
85	// Next payload type presented within Proposal payload\r
86	//\r
87	#define IKE_PROPOSAL_NEXT_PAYLOAD_MORE 2\r
88	#define IKE_PROPOSAL_NEXT_PAYLOAD_NONE 0\r
89	\r
90	//\r
91	// Next payload type presented within Transform payload\r
92	//\r
93	#define IKE_TRANSFORM_NEXT_PAYLOAD_MORE 3\r
94	#define IKE_TRANSFORM_NEXT_PAYLOAD_NONE 0\r
95	\r
96	//
97	// Max size of the SA attribute
98	//
99	#define MAX_SA_ATTRS_SIZE 48
100	#define SA_ATTR_FORMAT_BIT 0x8000\r
101	//\r
102	// The definition for Information Message ID.\r
103	//\r
104	#define INFO_MID_SIGNATURE SIGNATURE_32 ('I', 'N', 'F', 'M')\r
105	\r
106	//\r
107	// Type for the IKE SESSION COMMON\r
108	//\r
109	typedef enum {\r
110	IkeSessionTypeIkeSa,\r
111	IkeSessionTypeChildSa,\r
112	IkeSessionTypeInfo,\r
113	IkeSessionTypeMax\r
114	} IKE_SESSION_TYPE;\r
115	\r
116	//\r
117	// The DH Group ID defined RFC3526 and RFC 2409\r
118	//\r
119	typedef enum {\r
120	OakleyGroupModp768 = 1,\r
121	OakleyGroupModp1024 = 2,\r
122	OakleyGroupGp155 = 3, // Unsupported Now.\r
123	OakleyGroupGp185 = 4, // Unsupported Now.\r
124	OakleyGroupModp1536 = 5,\r
125	\r
126	OakleyGroupModp2048 = 14,\r
127	OakleyGroupModp3072 = 15,\r
128	OakleyGroupModp4096 = 16,\r
129	OakleyGroupModp6144 = 17,\r
130	OakleyGroupModp8192 = 18,\r
131	OakleyGroupMax\r
132	} OAKLEY_GROUP_ID;\r
133	\r
134	//\r
135	// IKE Header\r
136	//\r
137	#pragma pack(1)\r
138	typedef struct {\r
139	UINT64 InitiatorCookie;\r
140	UINT64 ResponderCookie;\r
141	UINT8 NextPayload;\r
142	UINT8 Version;\r
143	UINT8 ExchangeType;\r
144	UINT8 Flags;\r
145	UINT32 MessageId;\r
146	UINT32 Length;\r
147	} IKE_HEADER;\r
148	#pragma pack()\r
149	\r
150	typedef union {\r
151	UINT16 AttrLength;\r
152	UINT16 AttrValue;\r
153	} IKE_SA_ATTR_UNION; \r
154	\r
155	//\r
156	// SA Attribute present in Transform Payload\r
157	//\r
158	#pragma pack(1)\r
159	typedef struct {\r
160	UINT16 AttrType;\r
161	IKE_SA_ATTR_UNION Attr;\r
162	} IKE_SA_ATTRIBUTE;\r
163	#pragma pack()\r
164	\r
165	//\r
166	// Contains the IKE packet information. \r
167	//\r
168	typedef struct {\r
169	UINTN RefCount;\r
170	BOOLEAN IsHdrExt;\r
171	IKE_HEADER *Header;\r
172	BOOLEAN IsPayloadsBufExt;\r
173	UINT8 *PayloadsBuf; // The whole IkePakcet trimed the IKE header.\r
174	UINTN PayloadTotalSize;\r
175	LIST_ENTRY PayloadList;\r
176	EFI_IP_ADDRESS RemotePeerIp;\r
177	BOOLEAN IsEncoded; // whether HTON is done when sending the packet\r
178	UINT32 Spi; // For the Delete Information Exchange\r
179	BOOLEAN IsDeleteInfo; // For the Delete Information Exchange\r
180	IPSEC_PRIVATE_DATA *Private; // For the Delete Information Exchange\r
181	} IKE_PACKET;\r
182	\r
183	//\r
184	// The generic structure to all kinds of IKE payloads.\r
185	//\r
186	typedef struct {\r
187	UINT32 Signature;\r
188	BOOLEAN IsPayloadBufExt;\r
189	UINT8 PayloadType;\r
190	UINT8 *PayloadBuf;\r
191	UINTN PayloadSize;\r
192	LIST_ENTRY ByPacket;\r
193	} IKE_PAYLOAD;\r
194	\r
195	//\r
196	// Udp Service\r
197	//\r
198	typedef struct {\r
199	UINT32 Signature;\r
200	UINT8 IpVersion;\r
201	LIST_ENTRY List;\r
202	LIST_ENTRY *ListHead;\r
203	EFI_HANDLE NicHandle;\r
204	EFI_HANDLE ImageHandle;\r
205	UDP_IO *Input;\r
206	UDP_IO *Output;\r
207	EFI_IP_ADDRESS DefaultAddress;\r
208	BOOLEAN IsConfigured;\r
209	} IKE_UDP_SERVICE;\r
210	\r
211	//\r
212	// Each IKE session has its own Key sets for local peer and remote peer.\r
213	//\r
214	typedef struct {\r
215	EFI_IPSEC_ALGO_INFO LocalPeerInfo;\r
216	EFI_IPSEC_ALGO_INFO RemotePeerInfo;\r
217	} SA_KEYMATS;\r
218	\r
219	//\r
220	// Each algorithm has its own Id, Guid, BlockSize and KeyLength.\r
221	// This struct contains these information for each algorithm. It is generic structure\r
222	// for both encryption and authentication algorithm. \r
223	// For authentication algorithm, the AlgSize means IcvSize. For encryption algorithm,\r
224	// it means IvSize.\r
225	//\r
226	#pragma pack(1)\r
227	typedef struct {\r
228	UINT8 AlgorithmId; // Encryption or Authentication Id used by ESP/AH\r
229	EFI_GUID *AlgGuid;\r
230	UINT8 AlgSize; // IcvSize or IvSize\r
231	UINT8 BlockSize;\r
232	UINTN KeyMateLen;\r
233	} IKE_ALG_GUID_INFO; // For IPsec Authentication and Encryption Algorithm.\r
234	#pragma pack()\r
235	\r
236	//\r
237	// Structure used to store the DH group\r
238	//\r
239	typedef struct {\r
240	UINT8 GroupId;\r
241	UINTN Size;\r
242	UINT8 *Modulus;\r
243	UINTN GroupGenerator;\r
244	} MODP_GROUP;\r
245	\r
246	/**\r
247	This is prototype definition of general interface to phase the payloads\r
248	after/before the decode/encode.\r
249	\r
250	@param[in] SessionCommon Point to the SessionCommon\r
251	@param[in] PayloadBuf Point to the buffer of Payload.\r
252	@param[in] PayloadSize The size of the PayloadBuf in bytes.\r
253	@param[in] PayloadType The type of Payload.\r
254	\r
255	**/\r
256	typedef\r
257	VOID\r
258	(*IKE_ON_PAYLOAD_FROM_NET) (\r
259	IN UINT8 *SessionCommon,\r
260	IN UINT8 *PayloadBuf,\r
261	IN UINTN PayloadSize,\r
262	IN UINT8 PayloadType\r
263	);\r
264	\r
265	#endif\r
266	\r