[mirror_edk2.git] / NetworkPkg / IpSecDxe / IkeCommon.c

/** @file\r
  Common operation of the IKE\r
  \r
  Copyright (c) 2010 - 2016, Intel Corporation. All rights reserved.<BR>\r
\r
  This program and the accompanying materials\r
  are licensed and made available under the terms and conditions of the BSD License\r
  which accompanies this distribution.  The full text of the license may be found at\r
  http://opensource.org/licenses/bsd-license.php.\r
\r
  THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,\r
  WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r
\r
**/\r
\r
#include "Ike.h"\r
#include "IkeCommon.h"\r
#include "IpSecConfigImpl.h"\r
#include "IpSecDebug.h"\r
\r
/**\r
  Check whether the new generated Spi has existed.\r
\r
  @param[in]   IkeSaSession   Pointer to the Child SA Session.\r
  @param[in]   SpiValue       SPI Value.\r
\r
  @retval  TRUE    This SpiValue has existed in the Child SA Session\r
  @retval  FALSE   This SpiValue doesn't exist in the Child SA Session.\r
  \r
**/\r
BOOLEAN\r
IkeSpiValueExisted (\r
  IN IKEV2_SA_SESSION      *IkeSaSession,\r
  IN UINT32                SpiValue\r
  )\r
{\r
  LIST_ENTRY              *Entry;\r
  LIST_ENTRY              *Next;\r
  IKEV2_CHILD_SA_SESSION  *SaSession;\r
\r
  Entry     = NULL;\r
  Next      = NULL;\r
  SaSession = NULL; \r
    \r
  //\r
  // Check whether the SPI value has existed in ChildSaEstablishSessionList.\r
  //\r
  NET_LIST_FOR_EACH_SAFE (Entry, Next, &IkeSaSession->ChildSaEstablishSessionList) {\r
    SaSession= IKEV2_CHILD_SA_SESSION_BY_IKE_SA (Entry);\r
    if (SaSession->LocalPeerSpi == SpiValue) {\r
      return TRUE;\r
    }\r
  }\r
\r
  //\r
  // Check whether the SPI value has existed in ChildSaSessionList.\r
  //\r
  NET_LIST_FOR_EACH_SAFE (Entry, Next, &IkeSaSession->ChildSaSessionList) {\r
    SaSession= IKEV2_CHILD_SA_SESSION_BY_IKE_SA (Entry);\r
    if (SaSession->LocalPeerSpi == SpiValue) {\r
      return TRUE;\r
    }\r
  }\r
\r
  return FALSE;\r
}\r
\r
/**\r
  Call Crypto Lib to generate a random value with eight-octet length.\r
  \r
  @return the 64 byte vaule.\r
\r
**/\r
UINT64\r
IkeGenerateCookie (\r
  VOID\r
  )\r
{\r
  UINT64     Cookie;\r
  EFI_STATUS Status;\r
\r
  Status = IpSecCryptoIoGenerateRandomBytes ((UINT8 *)&Cookie, sizeof (UINT64));\r
  if (EFI_ERROR (Status)) {\r
    return 0;\r
  } else {\r
    return Cookie;\r
  }\r
}\r
\r
/**\r
  Generate the random data for Nonce payload.\r
\r
  @param[in]  NonceSize      Size of the data in bytes.\r
  \r
  @return Buffer which contains the random data of the spcified size. \r
\r
**/\r
UINT8 *\r
IkeGenerateNonce (\r
  IN UINTN              NonceSize\r
  )\r
{\r
  UINT8                  *Nonce;\r
  EFI_STATUS             Status;\r
\r
  Nonce = AllocateZeroPool (NonceSize);\r
  if (Nonce == NULL) {\r
    return NULL;\r
  }\r
\r
  Status = IpSecCryptoIoGenerateRandomBytes (Nonce, NonceSize);\r
  if (EFI_ERROR (Status)) {\r
    FreePool (Nonce);\r
    return NULL;\r
  } else {\r
    return Nonce;\r
  }\r
}\r
\r
/**\r
  Convert the IKE Header from Network order to Host order.\r
\r
  @param[in, out]  Header    The pointer of the IKE_HEADER.\r
\r
**/\r
VOID\r
IkeHdrNetToHost (\r
  IN OUT IKE_HEADER *Header\r
  )\r
{\r
  Header->InitiatorCookie = NTOHLL (Header->InitiatorCookie);\r
  Header->ResponderCookie = NTOHLL (Header->ResponderCookie);\r
  Header->MessageId       = NTOHL (Header->MessageId);\r
  Header->Length          = NTOHL (Header->Length);\r
}\r
\r
/**\r
  Convert the IKE Header from Host order to Network order.\r
\r
  @param[in, out] Header     The pointer of the IKE_HEADER.\r
\r
**/\r
VOID\r
IkeHdrHostToNet (\r
  IN OUT IKE_HEADER *Header\r
  )\r
{\r
  Header->InitiatorCookie = HTONLL (Header->InitiatorCookie);\r
  Header->ResponderCookie = HTONLL (Header->ResponderCookie);\r
  Header->MessageId       = HTONL (Header->MessageId);\r
  Header->Length          = HTONL (Header->Length);\r
}\r
\r
/**\r
  Allocate a buffer of IKE_PAYLOAD and set its Signature.\r
\r
  @return A buffer of IKE_PAYLOAD.\r
\r
**/\r
IKE_PAYLOAD *\r
IkePayloadAlloc (\r
  VOID\r
  )\r
{\r
  IKE_PAYLOAD *IkePayload;\r
\r
  IkePayload            = (IKE_PAYLOAD *) AllocateZeroPool (sizeof (IKE_PAYLOAD));\r
  if (IkePayload == NULL) {\r
    return NULL;\r
  }\r
  \r
  IkePayload->Signature = IKE_PAYLOAD_SIGNATURE;\r
\r
  return IkePayload;\r
}\r
\r
/**\r
  Free a specified IKE_PAYLOAD buffer.\r
\r
  @param[in]  IkePayload   Pointer of IKE_PAYLOAD to be freed.\r
\r
**/\r
VOID\r
IkePayloadFree (\r
  IN IKE_PAYLOAD *IkePayload\r
  )\r
{\r
  if (IkePayload == NULL) {\r
    return;\r
  }\r
  //\r
  // If this IkePayload is not referred by others, free it.\r
  //\r
  if (!IkePayload->IsPayloadBufExt && (IkePayload->PayloadBuf != NULL)) {\r
    FreePool (IkePayload->PayloadBuf);\r
  }\r
\r
  FreePool (IkePayload);\r
}\r
\r
/**\r
  Generate an new SPI.\r
  \r
  @param[in]      IkeSaSession   Pointer to IKEV2_SA_SESSION related to this Child SA \r
                                 Session.\r
  @param[in out]  SpiValue       Pointer to the new generated SPI value. \r
                              \r
  @retval EFI_SUCCESS         The operation performs successfully.\r
  @retval Otherwise           The operation is failed.\r
\r
**/\r
EFI_STATUS\r
IkeGenerateSpi (\r
  IN  IKEV2_SA_SESSION         *IkeSaSession,\r
  OUT UINT32                   *SpiValue\r
  )\r
{\r
  EFI_STATUS   Status;\r
\r
  Status = EFI_SUCCESS;\r
 \r
  while (TRUE) {\r
    //\r
    // Generate SPI randomly\r
    //\r
    Status = IpSecCryptoIoGenerateRandomBytes ((UINT8 *)SpiValue, sizeof (UINT32));\r
    if (EFI_ERROR (Status)) {\r
      break;\r
    }\r
\r
    //\r
    // The set of SPI values in the range 1 through 255 are reserved by the \r
    // Internet Assigned Numbers Authority (IANA) for future use; a reserved \r
    // SPI value will not normally be assigned by IANA unless the use of the \r
    // assigned SPI value is specified in an RFC.\r
    //\r
    if (*SpiValue < IKE_SPI_BASE) {\r
      *SpiValue += IKE_SPI_BASE; \r
    }\r
\r
    //\r
    // Check whether the new generated SPI has existed.\r
    //\r
    if (!IkeSpiValueExisted (IkeSaSession, *SpiValue)) {\r
      break;\r
    }\r
  }\r
  \r
  return Status;\r
}\r
\r
/**\r
  Generate a random data for IV\r
\r
  @param[in]  IvBuffer  The pointer of the IV buffer.\r
  @param[in]  IvSize    The IV size.\r
\r
  @retval     EFI_SUCCESS  Create a random data for IV.\r
  @retval     otherwise    Failed.\r
\r
**/\r
EFI_STATUS\r
IkeGenerateIv (\r
  IN UINT8                           *IvBuffer,\r
  IN UINTN                           IvSize\r
  )\r
{\r
  return IpSecCryptoIoGenerateRandomBytes (IvBuffer, IvSize);\r
}\r
\r
\r
/**\r
  Find SPD entry by a specified SPD selector.\r
\r
  @param[in] SpdSel       Point to SPD Selector to be searched for.\r
\r
  @retval Point to SPD Entry if the SPD entry found.\r
  @retval NULL if not found.\r
\r
**/\r
IPSEC_SPD_ENTRY *\r
IkeSearchSpdEntry (\r
  IN EFI_IPSEC_SPD_SELECTOR             *SpdSel\r
  )\r
{\r
  IPSEC_SPD_ENTRY *SpdEntry;\r
  LIST_ENTRY      *SpdList;\r
  LIST_ENTRY      *Entry;\r
\r
  SpdList = &mConfigData[IPsecConfigDataTypeSpd];\r
\r
  NET_LIST_FOR_EACH (Entry, SpdList) {\r
    SpdEntry = IPSEC_SPD_ENTRY_FROM_LIST (Entry);\r
\r
    //\r
    // Find the required SPD entry\r
    //\r
    if (CompareSpdSelector (\r
          (EFI_IPSEC_CONFIG_SELECTOR *) SpdSel,\r
          (EFI_IPSEC_CONFIG_SELECTOR *) SpdEntry->Selector\r
          )) {\r
      return SpdEntry;\r
    }\r
\r
  }\r
\r
  return NULL;\r
}\r
\r
/**\r
  Get the IKE Version from the IKE_SA_SESSION.\r
\r
  @param[in]  Session  Pointer of the IKE_SA_SESSION.\r
\r
**/\r
UINT8\r
IkeGetVersionFromSession (\r
  IN UINT8    *Session\r
  )\r
{\r
  if (*(UINT32 *) Session == IKEV2_SA_SESSION_SIGNATURE) {\r
    return ((IKEV2_SA_SESSION *) Session)->SessionCommon.IkeVer;\r
  } else {\r
    //\r
    // Add IKEv1 support here.\r
    //\r
    return 0;\r
  }\r
}\r
\r
Commit	Line	Data
9166f840	1	/** @file\r
	2	Common operation of the IKE\r
	3	\r
96c13c01	4	Copyright (c) 2010 - 2016, Intel Corporation. All rights reserved.<BR>\r
9166f840	5	\r
	6	This program and the accompanying materials\r
	7	are licensed and made available under the terms and conditions of the BSD License\r
	8	which accompanies this distribution. The full text of the license may be found at\r
	9	http://opensource.org/licenses/bsd-license.php.\r
	10	\r
	11	THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,\r
	12	WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r
	13	\r
	14	**/\r
	15	\r
	16	#include "Ike.h"\r
	17	#include "IkeCommon.h"\r
	18	#include "IpSecConfigImpl.h"\r
	19	#include "IpSecDebug.h"\r
	20	\r
96c13c01 JW	21	/**\r
	22	Check whether the new generated Spi has existed.\r
	23	\r
	24	@param[in] IkeSaSession Pointer to the Child SA Session.\r
	25	@param[in] SpiValue SPI Value.\r
	26	\r
	27	@retval TRUE This SpiValue has existed in the Child SA Session\r
	28	@retval FALSE This SpiValue doesn't exist in the Child SA Session.\r
	29	\r
	30	**/\r
	31	BOOLEAN\r
	32	IkeSpiValueExisted (\r
	33	IN IKEV2_SA_SESSION *IkeSaSession,\r
	34	IN UINT32 SpiValue\r
	35	)\r
	36	{\r
	37	LIST_ENTRY *Entry;\r
	38	LIST_ENTRY *Next;\r
	39	IKEV2_CHILD_SA_SESSION *SaSession;\r
	40	\r
	41	Entry = NULL;\r
	42	Next = NULL;\r
	43	SaSession = NULL; \r
	44	\r
	45	//\r
	46	// Check whether the SPI value has existed in ChildSaEstablishSessionList.\r
	47	//\r
	48	NET_LIST_FOR_EACH_SAFE (Entry, Next, &IkeSaSession->ChildSaEstablishSessionList) {\r
	49	SaSession= IKEV2_CHILD_SA_SESSION_BY_IKE_SA (Entry);\r
	50	if (SaSession->LocalPeerSpi == SpiValue) {\r
	51	return TRUE;\r
	52	}\r
	53	}\r
	54	\r
	55	//\r
	56	// Check whether the SPI value has existed in ChildSaSessionList.\r
	57	//\r
	58	NET_LIST_FOR_EACH_SAFE (Entry, Next, &IkeSaSession->ChildSaSessionList) {\r
	59	SaSession= IKEV2_CHILD_SA_SESSION_BY_IKE_SA (Entry);\r
	60	if (SaSession->LocalPeerSpi == SpiValue) {\r
	61	return TRUE;\r
	62	}\r
	63	}\r
	64	\r
	65	return FALSE;\r
	66	}\r
9166f840	67	\r
	68	/**\r
	69	Call Crypto Lib to generate a random value with eight-octet length.\r
	70	\r
	71	@return the 64 byte vaule.\r
	72	\r
	73	**/\r
	74	UINT64\r
	75	IkeGenerateCookie (\r
	76	VOID\r
	77	)\r
	78	{\r
	79	UINT64 Cookie;\r
	80	EFI_STATUS Status;\r
	81	\r
	82	Status = IpSecCryptoIoGenerateRandomBytes ((UINT8 *)&Cookie, sizeof (UINT64));\r
	83	if (EFI_ERROR (Status)) {\r
	84	return 0;\r
	85	} else {\r
	86	return Cookie;\r
	87	}\r
	88	}\r
	89	\r
	90	/**\r
	91	Generate the random data for Nonce payload.\r
	92	\r
	93	@param[in] NonceSize Size of the data in bytes.\r
	94	\r
	95	@return Buffer which contains the random data of the spcified size. \r
	96	\r
	97	**/\r
	98	UINT8 *\r
	99	IkeGenerateNonce (\r
	100	IN UINTN NonceSize\r
	101	)\r
	102	{\r
	103	UINT8 *Nonce;\r
	104	EFI_STATUS Status;\r
	105	\r
	106	Nonce = AllocateZeroPool (NonceSize);\r
	107	if (Nonce == NULL) {\r
	108	return NULL;\r
	109	}\r
	110	\r
	111	Status = IpSecCryptoIoGenerateRandomBytes (Nonce, NonceSize);\r
	112	if (EFI_ERROR (Status)) {\r
	113	FreePool (Nonce);\r
	114	return NULL;\r
	115	} else {\r
	116	return Nonce;\r
	117	}\r
	118	}\r
	119	\r
	120	/**\r
	121	Convert the IKE Header from Network order to Host order.\r
	122	\r
	123	@param[in, out] Header The pointer of the IKE_HEADER.\r
	124	\r
	125	**/\r
	126	VOID\r
	127	IkeHdrNetToHost (\r
	128	IN OUT IKE_HEADER *Header\r
	129	)\r
	130	{\r
131	Header->InitiatorCookie = NTOHLL (Header->InitiatorCookie);\r
132	Header->ResponderCookie = NTOHLL (Header->ResponderCookie);\r
133	Header->MessageId = NTOHL (Header->MessageId);\r
134	Header->Length = NTOHL (Header->Length);\r
135	}\r
136	\r
137	/**\r
138	Convert the IKE Header from Host order to Network order.\r
139	\r
140	@param[in, out] Header The pointer of the IKE_HEADER.\r
141	\r
142	**/\r
143	VOID\r
144	IkeHdrHostToNet (\r
145	IN OUT IKE_HEADER *Header\r
146	)\r
147	{\r
148	Header->InitiatorCookie = HTONLL (Header->InitiatorCookie);\r
149	Header->ResponderCookie = HTONLL (Header->ResponderCookie);\r
150	Header->MessageId = HTONL (Header->MessageId);\r
151	Header->Length = HTONL (Header->Length);\r
152	}\r
153	\r
154	/**\r
155	Allocate a buffer of IKE_PAYLOAD and set its Signature.\r
156	\r
157	@return A buffer of IKE_PAYLOAD.\r
158	\r
159	**/\r
160	IKE_PAYLOAD *\r
161	IkePayloadAlloc (\r
162	VOID\r
163	)\r
164	{\r
165	IKE_PAYLOAD *IkePayload;\r
166	\r
167	IkePayload = (IKE_PAYLOAD *) AllocateZeroPool (sizeof (IKE_PAYLOAD));\r
168	if (IkePayload == NULL) {\r
169	return NULL;\r
170	}\r
171	\r
172	IkePayload->Signature = IKE_PAYLOAD_SIGNATURE;\r
173	\r
174	return IkePayload;\r
175	}\r
176	\r
177	/**\r
178	Free a specified IKE_PAYLOAD buffer.\r
179	\r
180	@param[in] IkePayload Pointer of IKE_PAYLOAD to be freed.\r
181	\r
182	**/\r
183	VOID\r
184	IkePayloadFree (\r
185	IN IKE_PAYLOAD *IkePayload\r
186	)\r
187	{\r
188	if (IkePayload == NULL) {\r
189	return;\r
190	}\r
191	//\r
192	// If this IkePayload is not referred by others, free it.\r
193	//\r
194	if (!IkePayload->IsPayloadBufExt && (IkePayload->PayloadBuf != NULL)) {\r
195	FreePool (IkePayload->PayloadBuf);\r
196	}\r
197	\r
198	FreePool (IkePayload);\r
199	}\r
200	\r
201	/**\r
202	Generate an new SPI.\r
96c13c01 JW	203	\r
	204	@param[in] IkeSaSession Pointer to IKEV2_SA_SESSION related to this Child SA \r
	205	Session.\r
	206	@param[in out] SpiValue Pointer to the new generated SPI value. \r
	207	\r
	208	@retval EFI_SUCCESS The operation performs successfully.\r
	209	@retval Otherwise The operation is failed.\r
9166f840	210	\r
9166f840	211	**/\r
96c13c01	212	EFI_STATUS\r
9166f840	213	IkeGenerateSpi (\r
96c13c01 JW	214	IN IKEV2_SA_SESSION *IkeSaSession,\r
96c13c01 JW	215	OUT UINT32 *SpiValue\r
9166f840	216	)\r
9166f840	217	{\r
96c13c01 JW	218	EFI_STATUS Status;\r
	219	\r
	220	Status = EFI_SUCCESS;\r
	221	\r
	222	while (TRUE) {\r
	223	//\r
	224	// Generate SPI randomly\r
	225	//\r
	226	Status = IpSecCryptoIoGenerateRandomBytes ((UINT8 *)SpiValue, sizeof (UINT32));\r
	227	if (EFI_ERROR (Status)) {\r
	228	break;\r
	229	}\r
	230	\r
	231	//\r
	232	// The set of SPI values in the range 1 through 255 are reserved by the \r
	233	// Internet Assigned Numbers Authority (IANA) for future use; a reserved \r
	234	// SPI value will not normally be assigned by IANA unless the use of the \r
	235	// assigned SPI value is specified in an RFC.\r
	236	//\r
	237	if (*SpiValue < IKE_SPI_BASE) {\r
	238	*SpiValue += IKE_SPI_BASE; \r
	239	}\r
	240	\r
	241	//\r
	242	// Check whether the new generated SPI has existed.\r
	243	//\r
	244	if (!IkeSpiValueExisted (IkeSaSession, *SpiValue)) {\r
	245	break;\r
	246	}\r
	247	}\r
	248	\r
	249	return Status;\r
9166f840	250	}\r
	251	\r
	252	/**\r
	253	Generate a random data for IV\r
	254	\r
	255	@param[in] IvBuffer The pointer of the IV buffer.\r
	256	@param[in] IvSize The IV size.\r
	257	\r
	258	@retval EFI_SUCCESS Create a random data for IV.\r
	259	@retval otherwise Failed.\r
	260	\r
	261	**/\r
	262	EFI_STATUS\r
	263	IkeGenerateIv (\r
	264	IN UINT8 *IvBuffer,\r
	265	IN UINTN IvSize\r
	266	)\r
	267	{\r
	268	return IpSecCryptoIoGenerateRandomBytes (IvBuffer, IvSize);\r
	269	}\r
	270	\r
	271	\r
44de1013 HT	272	/**\r
	273	Find SPD entry by a specified SPD selector.\r
	274	\r
9166f840	275	@param[in] SpdSel Point to SPD Selector to be searched for.\r
44de1013	276	\r
9166f840	277	@retval Point to SPD Entry if the SPD entry found.\r
44de1013 HT	278	@retval NULL if not found.\r
	279	\r
	280	**/\r
	281	IPSEC_SPD_ENTRY *\r
9166f840	282	IkeSearchSpdEntry (\r
44de1013 HT	283	IN EFI_IPSEC_SPD_SELECTOR *SpdSel\r
	284	)\r
	285	{\r
	286	IPSEC_SPD_ENTRY *SpdEntry;\r
	287	LIST_ENTRY *SpdList;\r
	288	LIST_ENTRY *Entry;\r
	289	\r
	290	SpdList = &mConfigData[IPsecConfigDataTypeSpd];\r
	291	\r
	292	NET_LIST_FOR_EACH (Entry, SpdList) {\r
	293	SpdEntry = IPSEC_SPD_ENTRY_FROM_LIST (Entry);\r
	294	\r
	295	//\r
9166f840	296	// Find the required SPD entry\r
44de1013 HT	297	//\r
	298	if (CompareSpdSelector (\r
	299	(EFI_IPSEC_CONFIG_SELECTOR *) SpdSel,\r
	300	(EFI_IPSEC_CONFIG_SELECTOR *) SpdEntry->Selector\r
	301	)) {\r
	302	return SpdEntry;\r
	303	}\r
	304	\r
	305	}\r
	306	\r
	307	return NULL;\r
9166f840	308	}\r
	309	\r
	310	/**\r
	311	Get the IKE Version from the IKE_SA_SESSION.\r
	312	\r
	313	@param[in] Session Pointer of the IKE_SA_SESSION.\r
	314	\r
	315	**/\r
	316	UINT8\r
	317	IkeGetVersionFromSession (\r
	318	IN UINT8 *Session\r
	319	)\r
	320	{\r
	321	if ((UINT32 ) Session == IKEV2_SA_SESSION_SIGNATURE) {\r
	322	return ((IKEV2_SA_SESSION *) Session)->SessionCommon.IkeVer;\r
	323	} else {\r
	324	//\r
	325	// Add IKEv1 support here.\r
	326	//\r
	327	return 0;\r
	328	}\r
	329	}\r
	330	\r