[mirror_edk2.git] / NetworkPkg / IpSecDxe / IkeCommon.c

/** @file\r
  Common operation of the IKE\r
\r
  Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>\r
\r
  SPDX-License-Identifier: BSD-2-Clause-Patent\r
\r
**/\r
\r
#include "Ike.h"\r
#include "IkeCommon.h"\r
#include "IpSecConfigImpl.h"\r
#include "IpSecDebug.h"\r
\r
/**\r
  Check whether the new generated Spi has existed.\r
\r
  @param[in]   IkeSaSession   Pointer to the Child SA Session.\r
  @param[in]   SpiValue       SPI Value.\r
\r
  @retval  TRUE    This SpiValue has existed in the Child SA Session\r
  @retval  FALSE   This SpiValue doesn't exist in the Child SA Session.\r
\r
**/\r
BOOLEAN\r
IkeSpiValueExisted (\r
  IN IKEV2_SA_SESSION      *IkeSaSession,\r
  IN UINT32                SpiValue\r
  )\r
{\r
  LIST_ENTRY              *Entry;\r
  LIST_ENTRY              *Next;\r
  IKEV2_CHILD_SA_SESSION  *SaSession;\r
\r
  Entry     = NULL;\r
  Next      = NULL;\r
  SaSession = NULL;\r
\r
  //\r
  // Check whether the SPI value has existed in ChildSaEstablishSessionList.\r
  //\r
  NET_LIST_FOR_EACH_SAFE (Entry, Next, &IkeSaSession->ChildSaEstablishSessionList) {\r
    SaSession= IKEV2_CHILD_SA_SESSION_BY_IKE_SA (Entry);\r
    if (SaSession->LocalPeerSpi == SpiValue) {\r
      return TRUE;\r
    }\r
  }\r
\r
  //\r
  // Check whether the SPI value has existed in ChildSaSessionList.\r
  //\r
  NET_LIST_FOR_EACH_SAFE (Entry, Next, &IkeSaSession->ChildSaSessionList) {\r
    SaSession= IKEV2_CHILD_SA_SESSION_BY_IKE_SA (Entry);\r
    if (SaSession->LocalPeerSpi == SpiValue) {\r
      return TRUE;\r
    }\r
  }\r
\r
  return FALSE;\r
}\r
\r
/**\r
  Call Crypto Lib to generate a random value with eight-octet length.\r
\r
  @return the 64 byte vaule.\r
\r
**/\r
UINT64\r
IkeGenerateCookie (\r
  VOID\r
  )\r
{\r
  UINT64     Cookie;\r
  EFI_STATUS Status;\r
\r
  Status = IpSecCryptoIoGenerateRandomBytes ((UINT8 *)&Cookie, sizeof (UINT64));\r
  if (EFI_ERROR (Status)) {\r
    return 0;\r
  } else {\r
    return Cookie;\r
  }\r
}\r
\r
/**\r
  Generate the random data for Nonce payload.\r
\r
  @param[in]  NonceSize      Size of the data in bytes.\r
\r
  @return Buffer which contains the random data of the spcified size.\r
\r
**/\r
UINT8 *\r
IkeGenerateNonce (\r
  IN UINTN              NonceSize\r
  )\r
{\r
  UINT8                  *Nonce;\r
  EFI_STATUS             Status;\r
\r
  Nonce = AllocateZeroPool (NonceSize);\r
  if (Nonce == NULL) {\r
    return NULL;\r
  }\r
\r
  Status = IpSecCryptoIoGenerateRandomBytes (Nonce, NonceSize);\r
  if (EFI_ERROR (Status)) {\r
    FreePool (Nonce);\r
    return NULL;\r
  } else {\r
    return Nonce;\r
  }\r
}\r
\r
/**\r
  Convert the IKE Header from Network order to Host order.\r
\r
  @param[in, out]  Header    The pointer of the IKE_HEADER.\r
\r
**/\r
VOID\r
IkeHdrNetToHost (\r
  IN OUT IKE_HEADER *Header\r
  )\r
{\r
  Header->InitiatorCookie = NTOHLL (Header->InitiatorCookie);\r
  Header->ResponderCookie = NTOHLL (Header->ResponderCookie);\r
  Header->MessageId       = NTOHL (Header->MessageId);\r
  Header->Length          = NTOHL (Header->Length);\r
}\r
\r
/**\r
  Convert the IKE Header from Host order to Network order.\r
\r
  @param[in, out] Header     The pointer of the IKE_HEADER.\r
\r
**/\r
VOID\r
IkeHdrHostToNet (\r
  IN OUT IKE_HEADER *Header\r
  )\r
{\r
  Header->InitiatorCookie = HTONLL (Header->InitiatorCookie);\r
  Header->ResponderCookie = HTONLL (Header->ResponderCookie);\r
  Header->MessageId       = HTONL (Header->MessageId);\r
  Header->Length          = HTONL (Header->Length);\r
}\r
\r
/**\r
  Allocate a buffer of IKE_PAYLOAD and set its Signature.\r
\r
  @return A buffer of IKE_PAYLOAD.\r
\r
**/\r
IKE_PAYLOAD *\r
IkePayloadAlloc (\r
  VOID\r
  )\r
{\r
  IKE_PAYLOAD *IkePayload;\r
\r
  IkePayload            = (IKE_PAYLOAD *) AllocateZeroPool (sizeof (IKE_PAYLOAD));\r
  if (IkePayload == NULL) {\r
    return NULL;\r
  }\r
\r
  IkePayload->Signature = IKE_PAYLOAD_SIGNATURE;\r
\r
  return IkePayload;\r
}\r
\r
/**\r
  Free a specified IKE_PAYLOAD buffer.\r
\r
  @param[in]  IkePayload   Pointer of IKE_PAYLOAD to be freed.\r
\r
**/\r
VOID\r
IkePayloadFree (\r
  IN IKE_PAYLOAD *IkePayload\r
  )\r
{\r
  if (IkePayload == NULL) {\r
    return;\r
  }\r
  //\r
  // If this IkePayload is not referred by others, free it.\r
  //\r
  if (!IkePayload->IsPayloadBufExt && (IkePayload->PayloadBuf != NULL)) {\r
    FreePool (IkePayload->PayloadBuf);\r
  }\r
\r
  FreePool (IkePayload);\r
}\r
\r
/**\r
  Generate an new SPI.\r
\r
  @param[in]       IkeSaSession   Pointer to IKEV2_SA_SESSION related to this Child SA\r
                                  Session.\r
  @param[in, out]  SpiValue       Pointer to the new generated SPI value.\r
\r
  @retval EFI_SUCCESS         The operation performs successfully.\r
  @retval Otherwise           The operation is failed.\r
\r
**/\r
EFI_STATUS\r
IkeGenerateSpi (\r
  IN     IKEV2_SA_SESSION         *IkeSaSession,\r
  IN OUT UINT32                   *SpiValue\r
  )\r
{\r
  EFI_STATUS   Status;\r
\r
  Status = EFI_SUCCESS;\r
\r
  while (TRUE) {\r
    //\r
    // Generate SPI randomly\r
    //\r
    Status = IpSecCryptoIoGenerateRandomBytes ((UINT8 *)SpiValue, sizeof (UINT32));\r
    if (EFI_ERROR (Status)) {\r
      break;\r
    }\r
\r
    //\r
    // The set of SPI values in the range 1 through 255 are reserved by the\r
    // Internet Assigned Numbers Authority (IANA) for future use; a reserved\r
    // SPI value will not normally be assigned by IANA unless the use of the\r
    // assigned SPI value is specified in an RFC.\r
    //\r
    if (*SpiValue < IKE_SPI_BASE) {\r
      *SpiValue += IKE_SPI_BASE;\r
    }\r
\r
    //\r
    // Check whether the new generated SPI has existed.\r
    //\r
    if (!IkeSpiValueExisted (IkeSaSession, *SpiValue)) {\r
      break;\r
    }\r
  }\r
\r
  return Status;\r
}\r
\r
/**\r
  Generate a random data for IV\r
\r
  @param[in]  IvBuffer  The pointer of the IV buffer.\r
  @param[in]  IvSize    The IV size.\r
\r
  @retval     EFI_SUCCESS  Create a random data for IV.\r
  @retval     otherwise    Failed.\r
\r
**/\r
EFI_STATUS\r
IkeGenerateIv (\r
  IN UINT8                           *IvBuffer,\r
  IN UINTN                           IvSize\r
  )\r
{\r
  return IpSecCryptoIoGenerateRandomBytes (IvBuffer, IvSize);\r
}\r
\r
\r
/**\r
  Find SPD entry by a specified SPD selector.\r
\r
  @param[in] SpdSel       Point to SPD Selector to be searched for.\r
\r
  @retval Point to SPD Entry if the SPD entry found.\r
  @retval NULL if not found.\r
\r
**/\r
IPSEC_SPD_ENTRY *\r
IkeSearchSpdEntry (\r
  IN EFI_IPSEC_SPD_SELECTOR             *SpdSel\r
  )\r
{\r
  IPSEC_SPD_ENTRY *SpdEntry;\r
  LIST_ENTRY      *SpdList;\r
  LIST_ENTRY      *Entry;\r
\r
  SpdList = &mConfigData[IPsecConfigDataTypeSpd];\r
\r
  NET_LIST_FOR_EACH (Entry, SpdList) {\r
    SpdEntry = IPSEC_SPD_ENTRY_FROM_LIST (Entry);\r
\r
    //\r
    // Find the required SPD entry\r
    //\r
    if (CompareSpdSelector (\r
          (EFI_IPSEC_CONFIG_SELECTOR *) SpdSel,\r
          (EFI_IPSEC_CONFIG_SELECTOR *) SpdEntry->Selector\r
          )) {\r
      return SpdEntry;\r
    }\r
\r
  }\r
\r
  return NULL;\r
}\r
\r
/**\r
  Get the IKE Version from the IKE_SA_SESSION.\r
\r
  @param[in]  Session  Pointer of the IKE_SA_SESSION.\r
\r
**/\r
UINT8\r
IkeGetVersionFromSession (\r
  IN UINT8    *Session\r
  )\r
{\r
  if (*(UINT32 *) Session == IKEV2_SA_SESSION_SIGNATURE) {\r
    return ((IKEV2_SA_SESSION *) Session)->SessionCommon.IkeVer;\r
  } else {\r
    //\r
    // Add IKEv1 support here.\r
    //\r
    return 0;\r
  }\r
}\r
\r
Commit	Line	Data
9166f840	1	/** @file\r
9166f840	2	Common operation of the IKE\r
f75a7f56 LG	3	\r
f75a7f56 LG	4	Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>\r
9166f840	5	\r
ecf98fbc	6	SPDX-License-Identifier: BSD-2-Clause-Patent\r
9166f840	7	\r
	8	**/\r
	9	\r
	10	#include "Ike.h"\r
	11	#include "IkeCommon.h"\r
	12	#include "IpSecConfigImpl.h"\r
	13	#include "IpSecDebug.h"\r
	14	\r
96c13c01 JW	15	/**\r
	16	Check whether the new generated Spi has existed.\r
	17	\r
	18	@param[in] IkeSaSession Pointer to the Child SA Session.\r
	19	@param[in] SpiValue SPI Value.\r
	20	\r
	21	@retval TRUE This SpiValue has existed in the Child SA Session\r
	22	@retval FALSE This SpiValue doesn't exist in the Child SA Session.\r
f75a7f56	23	\r
96c13c01 JW	24	**/\r
	25	BOOLEAN\r
	26	IkeSpiValueExisted (\r
	27	IN IKEV2_SA_SESSION *IkeSaSession,\r
	28	IN UINT32 SpiValue\r
	29	)\r
	30	{\r
	31	LIST_ENTRY *Entry;\r
	32	LIST_ENTRY *Next;\r
	33	IKEV2_CHILD_SA_SESSION *SaSession;\r
	34	\r
	35	Entry = NULL;\r
	36	Next = NULL;\r
f75a7f56 LG	37	SaSession = NULL;\r
f75a7f56 LG	38	\r
96c13c01 JW	39	//\r
	40	// Check whether the SPI value has existed in ChildSaEstablishSessionList.\r
	41	//\r
	42	NET_LIST_FOR_EACH_SAFE (Entry, Next, &IkeSaSession->ChildSaEstablishSessionList) {\r
	43	SaSession= IKEV2_CHILD_SA_SESSION_BY_IKE_SA (Entry);\r
	44	if (SaSession->LocalPeerSpi == SpiValue) {\r
	45	return TRUE;\r
	46	}\r
	47	}\r
	48	\r
	49	//\r
	50	// Check whether the SPI value has existed in ChildSaSessionList.\r
	51	//\r
	52	NET_LIST_FOR_EACH_SAFE (Entry, Next, &IkeSaSession->ChildSaSessionList) {\r
	53	SaSession= IKEV2_CHILD_SA_SESSION_BY_IKE_SA (Entry);\r
	54	if (SaSession->LocalPeerSpi == SpiValue) {\r
	55	return TRUE;\r
	56	}\r
	57	}\r
	58	\r
	59	return FALSE;\r
	60	}\r
9166f840	61	\r
	62	/**\r
	63	Call Crypto Lib to generate a random value with eight-octet length.\r
f75a7f56	64	\r
9166f840	65	@return the 64 byte vaule.\r
	66	\r
	67	**/\r
	68	UINT64\r
	69	IkeGenerateCookie (\r
	70	VOID\r
	71	)\r
	72	{\r
	73	UINT64 Cookie;\r
	74	EFI_STATUS Status;\r
	75	\r
	76	Status = IpSecCryptoIoGenerateRandomBytes ((UINT8 *)&Cookie, sizeof (UINT64));\r
	77	if (EFI_ERROR (Status)) {\r
	78	return 0;\r
	79	} else {\r
	80	return Cookie;\r
	81	}\r
	82	}\r
	83	\r
	84	/**\r
	85	Generate the random data for Nonce payload.\r
	86	\r
	87	@param[in] NonceSize Size of the data in bytes.\r
f75a7f56 LG	88	\r
f75a7f56 LG	89	@return Buffer which contains the random data of the spcified size.\r
9166f840	90	\r
	91	**/\r
	92	UINT8 *\r
	93	IkeGenerateNonce (\r
	94	IN UINTN NonceSize\r
	95	)\r
	96	{\r
	97	UINT8 *Nonce;\r
	98	EFI_STATUS Status;\r
	99	\r
	100	Nonce = AllocateZeroPool (NonceSize);\r
	101	if (Nonce == NULL) {\r
	102	return NULL;\r
	103	}\r
	104	\r
	105	Status = IpSecCryptoIoGenerateRandomBytes (Nonce, NonceSize);\r
	106	if (EFI_ERROR (Status)) {\r
	107	FreePool (Nonce);\r
	108	return NULL;\r
	109	} else {\r
	110	return Nonce;\r
	111	}\r
	112	}\r
	113	\r
	114	/**\r
	115	Convert the IKE Header from Network order to Host order.\r
	116	\r
	117	@param[in, out] Header The pointer of the IKE_HEADER.\r
	118	\r
	119	**/\r
	120	VOID\r
	121	IkeHdrNetToHost (\r
	122	IN OUT IKE_HEADER *Header\r
	123	)\r
	124	{\r
	125	Header->InitiatorCookie = NTOHLL (Header->InitiatorCookie);\r
	126	Header->ResponderCookie = NTOHLL (Header->ResponderCookie);\r
	127	Header->MessageId = NTOHL (Header->MessageId);\r
	128	Header->Length = NTOHL (Header->Length);\r
	129	}\r
	130	\r
	131	/**\r
	132	Convert the IKE Header from Host order to Network order.\r
	133	\r
	134	@param[in, out] Header The pointer of the IKE_HEADER.\r
	135	\r
	136	**/\r
	137	VOID\r
	138	IkeHdrHostToNet (\r
	139	IN OUT IKE_HEADER *Header\r
	140	)\r
	141	{\r
	142	Header->InitiatorCookie = HTONLL (Header->InitiatorCookie);\r
	143	Header->ResponderCookie = HTONLL (Header->ResponderCookie);\r
	144	Header->MessageId = HTONL (Header->MessageId);\r
	145	Header->Length = HTONL (Header->Length);\r
	146	}\r
	147	\r
	148	/**\r
	149	Allocate a buffer of IKE_PAYLOAD and set its Signature.\r
	150	\r
	151	@return A buffer of IKE_PAYLOAD.\r
	152	\r
	153	**/\r
154	IKE_PAYLOAD *\r
155	IkePayloadAlloc (\r
156	VOID\r
157	)\r
158	{\r
159	IKE_PAYLOAD *IkePayload;\r
160	\r
161	IkePayload = (IKE_PAYLOAD *) AllocateZeroPool (sizeof (IKE_PAYLOAD));\r
162	if (IkePayload == NULL) {\r
163	return NULL;\r
164	}\r
f75a7f56	165	\r
9166f840	166	IkePayload->Signature = IKE_PAYLOAD_SIGNATURE;\r
	167	\r
	168	return IkePayload;\r
	169	}\r
	170	\r
	171	/**\r
	172	Free a specified IKE_PAYLOAD buffer.\r
	173	\r
	174	@param[in] IkePayload Pointer of IKE_PAYLOAD to be freed.\r
	175	\r
	176	**/\r
	177	VOID\r
	178	IkePayloadFree (\r
	179	IN IKE_PAYLOAD *IkePayload\r
	180	)\r
	181	{\r
	182	if (IkePayload == NULL) {\r
	183	return;\r
	184	}\r
	185	//\r
	186	// If this IkePayload is not referred by others, free it.\r
	187	//\r
	188	if (!IkePayload->IsPayloadBufExt && (IkePayload->PayloadBuf != NULL)) {\r
	189	FreePool (IkePayload->PayloadBuf);\r
	190	}\r
	191	\r
	192	FreePool (IkePayload);\r
	193	}\r
	194	\r
	195	/**\r
	196	Generate an new SPI.\r
f75a7f56 LG	197	\r
f75a7f56 LG	198	@param[in] IkeSaSession Pointer to IKEV2_SA_SESSION related to this Child SA\r
55d05ae1	199	Session.\r
f75a7f56 LG	200	@param[in, out] SpiValue Pointer to the new generated SPI value.\r
f75a7f56 LG	201	\r
96c13c01 JW	202	@retval EFI_SUCCESS The operation performs successfully.\r
96c13c01 JW	203	@retval Otherwise The operation is failed.\r
9166f840	204	\r
9166f840	205	**/\r
96c13c01	206	EFI_STATUS\r
9166f840	207	IkeGenerateSpi (\r
55d05ae1 JW	208	IN IKEV2_SA_SESSION *IkeSaSession,\r
55d05ae1 JW	209	IN OUT UINT32 *SpiValue\r
9166f840	210	)\r
9166f840	211	{\r
96c13c01 JW	212	EFI_STATUS Status;\r
	213	\r
	214	Status = EFI_SUCCESS;\r
f75a7f56	215	\r
96c13c01 JW	216	while (TRUE) {\r
	217	//\r
	218	// Generate SPI randomly\r
	219	//\r
	220	Status = IpSecCryptoIoGenerateRandomBytes ((UINT8 *)SpiValue, sizeof (UINT32));\r
	221	if (EFI_ERROR (Status)) {\r
	222	break;\r
	223	}\r
	224	\r
	225	//\r
f75a7f56 LG	226	// The set of SPI values in the range 1 through 255 are reserved by the\r
	227	// Internet Assigned Numbers Authority (IANA) for future use; a reserved\r
	228	// SPI value will not normally be assigned by IANA unless the use of the\r
96c13c01 JW	229	// assigned SPI value is specified in an RFC.\r
	230	//\r
	231	if (*SpiValue < IKE_SPI_BASE) {\r
f75a7f56	232	*SpiValue += IKE_SPI_BASE;\r
96c13c01 JW	233	}\r
	234	\r
	235	//\r
	236	// Check whether the new generated SPI has existed.\r
	237	//\r
	238	if (!IkeSpiValueExisted (IkeSaSession, *SpiValue)) {\r
	239	break;\r
	240	}\r
	241	}\r
f75a7f56	242	\r
96c13c01	243	return Status;\r
9166f840	244	}\r
	245	\r
	246	/**\r
	247	Generate a random data for IV\r
	248	\r
	249	@param[in] IvBuffer The pointer of the IV buffer.\r
	250	@param[in] IvSize The IV size.\r
	251	\r
	252	@retval EFI_SUCCESS Create a random data for IV.\r
	253	@retval otherwise Failed.\r
	254	\r
	255	**/\r
	256	EFI_STATUS\r
	257	IkeGenerateIv (\r
	258	IN UINT8 *IvBuffer,\r
	259	IN UINTN IvSize\r
	260	)\r
	261	{\r
	262	return IpSecCryptoIoGenerateRandomBytes (IvBuffer, IvSize);\r
	263	}\r
	264	\r
	265	\r
44de1013 HT	266	/**\r
	267	Find SPD entry by a specified SPD selector.\r
	268	\r
9166f840	269	@param[in] SpdSel Point to SPD Selector to be searched for.\r
44de1013	270	\r
9166f840	271	@retval Point to SPD Entry if the SPD entry found.\r
44de1013 HT	272	@retval NULL if not found.\r
	273	\r
	274	**/\r
	275	IPSEC_SPD_ENTRY *\r
9166f840	276	IkeSearchSpdEntry (\r
44de1013 HT	277	IN EFI_IPSEC_SPD_SELECTOR *SpdSel\r
	278	)\r
	279	{\r
	280	IPSEC_SPD_ENTRY *SpdEntry;\r
	281	LIST_ENTRY *SpdList;\r
	282	LIST_ENTRY *Entry;\r
	283	\r
	284	SpdList = &mConfigData[IPsecConfigDataTypeSpd];\r
	285	\r
	286	NET_LIST_FOR_EACH (Entry, SpdList) {\r
	287	SpdEntry = IPSEC_SPD_ENTRY_FROM_LIST (Entry);\r
	288	\r
	289	//\r
9166f840	290	// Find the required SPD entry\r
44de1013 HT	291	//\r
	292	if (CompareSpdSelector (\r
	293	(EFI_IPSEC_CONFIG_SELECTOR *) SpdSel,\r
	294	(EFI_IPSEC_CONFIG_SELECTOR *) SpdEntry->Selector\r
	295	)) {\r
	296	return SpdEntry;\r
	297	}\r
	298	\r
	299	}\r
	300	\r
	301	return NULL;\r
9166f840	302	}\r
	303	\r
	304	/**\r
	305	Get the IKE Version from the IKE_SA_SESSION.\r
	306	\r
	307	@param[in] Session Pointer of the IKE_SA_SESSION.\r
	308	\r
	309	**/\r
	310	UINT8\r
	311	IkeGetVersionFromSession (\r
	312	IN UINT8 *Session\r
	313	)\r
	314	{\r
	315	if ((UINT32 ) Session == IKEV2_SA_SESSION_SIGNATURE) {\r
	316	return ((IKEV2_SA_SESSION *) Session)->SessionCommon.IkeVer;\r
	317	} else {\r
	318	//\r
	319	// Add IKEv1 support here.\r
	320	//\r
	321	return 0;\r
	322	}\r
	323	}\r
	324	\r