]>
Commit | Line | Data |
---|---|---|
9166f840 | 1 | /** @file\r |
2 | Provide IPsec Key Exchange (IKE) service general interfaces.\r | |
6cf9230f | 3 | \r |
39561686 | 4 | Copyright (c) 2010 - 2015, Intel Corporation. All rights reserved.<BR>\r |
9166f840 | 5 | \r |
6 | This program and the accompanying materials\r | |
7 | are licensed and made available under the terms and conditions of the BSD License\r | |
8 | which accompanies this distribution. The full text of the license may be found at\r | |
9 | http://opensource.org/licenses/bsd-license.php.\r | |
10 | \r | |
11 | THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,\r | |
12 | WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r | |
13 | \r | |
14 | **/\r | |
15 | \r | |
16 | #include "IkeService.h"\r | |
17 | #include "IpSecConfigImpl.h"\r | |
9166f840 | 18 | \r |
19 | IKE_EXCHANGE_INTERFACE *mIkeExchange[] = {\r | |
20 | &mIkev1Exchange,\r | |
21 | &mIkev2Exchange\r | |
22 | };\r | |
23 | \r | |
24 | EFI_UDP4_CONFIG_DATA mUdp4Conf = {\r | |
25 | FALSE,\r | |
26 | FALSE,\r | |
27 | FALSE,\r | |
28 | TRUE,\r | |
29 | //\r | |
30 | // IO parameters\r | |
31 | //\r | |
32 | 0,\r | |
33 | 64,\r | |
34 | FALSE,\r | |
35 | 0,\r | |
36 | 1000000,\r | |
37 | FALSE,\r | |
ce68d3bc SZ |
38 | {{0,0,0,0}},\r |
39 | {{0,0,0,0}},\r | |
9166f840 | 40 | IKE_DEFAULT_PORT,\r |
ce68d3bc | 41 | {{0,0,0,0}},\r |
9166f840 | 42 | 0\r |
43 | };\r | |
44 | \r | |
45 | EFI_UDP6_CONFIG_DATA mUdp6Conf = {\r | |
46 | FALSE,\r | |
47 | FALSE,\r | |
48 | TRUE,\r | |
49 | //\r | |
50 | // IO parameters\r | |
51 | //\r | |
52 | 0,\r | |
53 | 128,\r | |
54 | 0,\r | |
55 | 1000000,\r | |
56 | //Access Point\r | |
ce68d3bc | 57 | {{0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}},\r |
9166f840 | 58 | IKE_DEFAULT_PORT,\r |
ce68d3bc | 59 | {{0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}},\r |
9166f840 | 60 | 0\r |
61 | };\r | |
62 | \r | |
63 | /**\r | |
64 | Check if the NIC handle is binded to a Udp service.\r | |
65 | \r | |
66 | @param[in] Private Pointer of IPSEC_PRIVATE_DATA.\r | |
76389e18 | 67 | @param[in] Handle The Handle of the NIC card.\r |
9166f840 | 68 | @param[in] IpVersion The version of the IP stack.\r |
69 | \r | |
70 | @return a pointer of IKE_UDP_SERVICE.\r | |
71 | \r | |
72 | **/\r | |
73 | IKE_UDP_SERVICE *\r | |
74 | IkeLookupUdp (\r | |
75 | IN IPSEC_PRIVATE_DATA *Private,\r | |
76 | IN EFI_HANDLE Handle,\r | |
77 | IN UINT8 IpVersion\r | |
78 | )\r | |
79 | {\r | |
80 | LIST_ENTRY *Head;\r | |
81 | LIST_ENTRY *Entry;\r | |
82 | LIST_ENTRY *Next;\r | |
83 | IKE_UDP_SERVICE *Udp;\r | |
84 | \r | |
85 | Udp = NULL;\r | |
86 | Head = (IpVersion == IP_VERSION_4) ? &Private->Udp4List : &Private->Udp6List;\r | |
87 | \r | |
88 | NET_LIST_FOR_EACH_SAFE (Entry, Next, Head) {\r | |
89 | \r | |
90 | Udp = IPSEC_UDP_SERVICE_FROM_LIST (Entry);\r | |
91 | //\r | |
92 | // Find the right udp service which installed on the appointed NIC handle.\r | |
93 | //\r | |
94 | if (Handle == Udp->NicHandle) {\r | |
95 | break;\r | |
96 | } else {\r | |
97 | Udp = NULL;\r | |
98 | }\r | |
99 | }\r | |
100 | \r | |
101 | return Udp;\r | |
102 | }\r | |
103 | \r | |
104 | /**\r | |
105 | Configure a UDPIO's UDP4 instance.\r | |
6cf9230f | 106 | \r |
107 | This fuction is called by the UdpIoCreateIo() to configures a\r | |
9166f840 | 108 | UDP4 instance.\r |
6cf9230f | 109 | \r |
9166f840 | 110 | @param[in] UdpIo The UDP_IO to be configured.\r |
111 | @param[in] Context User-defined data when calling UdpIoCreateIo().\r | |
6cf9230f | 112 | \r |
9166f840 | 113 | @retval EFI_SUCCESS The configuration succeeded.\r |
114 | @retval Others The UDP4 instance fails to configure.\r | |
115 | \r | |
116 | **/\r | |
117 | EFI_STATUS\r | |
1d8fa5e9 | 118 | EFIAPI\r |
9166f840 | 119 | IkeConfigUdp4 (\r |
120 | IN UDP_IO *UdpIo,\r | |
121 | IN VOID *Context\r | |
122 | )\r | |
123 | {\r | |
124 | EFI_UDP4_CONFIG_DATA Udp4Cfg;\r | |
125 | EFI_UDP4_PROTOCOL *Udp4;\r | |
126 | \r | |
127 | ZeroMem (&Udp4Cfg, sizeof (EFI_UDP4_CONFIG_DATA));\r | |
128 | \r | |
129 | Udp4 = UdpIo->Protocol.Udp4;\r | |
130 | CopyMem (\r | |
131 | &Udp4Cfg,\r | |
132 | &mUdp4Conf,\r | |
133 | sizeof (EFI_UDP4_CONFIG_DATA)\r | |
134 | );\r | |
135 | \r | |
136 | if (Context != NULL) {\r | |
137 | //\r | |
138 | // Configure udp4 io with local default address.\r | |
139 | //\r | |
140 | Udp4Cfg.UseDefaultAddress = TRUE;\r | |
141 | }\r | |
142 | \r | |
143 | return Udp4->Configure (Udp4, &Udp4Cfg);\r | |
144 | }\r | |
145 | \r | |
146 | /**\r | |
147 | Configure a UDPIO's UDP6 instance.\r | |
6cf9230f | 148 | \r |
149 | This fuction is called by the UdpIoCreateIo()to configure a\r | |
9166f840 | 150 | UDP6 instance.\r |
6cf9230f | 151 | \r |
9166f840 | 152 | @param[in] UdpIo The UDP_IO to be configured.\r |
153 | @param[in] Context User-defined data when calling UdpIoCreateIo().\r | |
6cf9230f | 154 | \r |
9166f840 | 155 | @retval EFI_SUCCESS The configuration succeeded.\r |
156 | @retval Others The configuration fails.\r | |
157 | \r | |
158 | **/\r | |
159 | EFI_STATUS\r | |
1d8fa5e9 | 160 | EFIAPI\r |
9166f840 | 161 | IkeConfigUdp6 (\r |
162 | IN UDP_IO *UdpIo,\r | |
163 | IN VOID *Context\r | |
164 | )\r | |
165 | {\r | |
166 | EFI_UDP6_PROTOCOL *Udp6;\r | |
167 | EFI_UDP6_CONFIG_DATA Udp6Cfg;\r | |
168 | \r | |
169 | ZeroMem (&Udp6Cfg, sizeof (EFI_UDP6_CONFIG_DATA));\r | |
170 | \r | |
171 | Udp6 = UdpIo->Protocol.Udp6;\r | |
172 | CopyMem (\r | |
173 | &Udp6Cfg,\r | |
174 | &mUdp6Conf,\r | |
175 | sizeof (EFI_UDP6_CONFIG_DATA)\r | |
176 | );\r | |
177 | \r | |
178 | if (Context != NULL) {\r | |
179 | //\r | |
180 | // Configure instance with a destination address to start source address\r | |
181 | // selection, and then get the configure data from the mode data to store\r | |
182 | // the source address.\r | |
183 | //\r | |
184 | CopyMem (\r | |
185 | &Udp6Cfg.RemoteAddress,\r | |
186 | Context,\r | |
187 | sizeof (EFI_IPv6_ADDRESS)\r | |
188 | );\r | |
189 | }\r | |
190 | \r | |
191 | return Udp6->Configure (Udp6, &Udp6Cfg);\r | |
192 | }\r | |
193 | \r | |
194 | /**\r | |
195 | Open and configure the related output UDPIO for IKE packet sending.\r | |
6cf9230f | 196 | \r |
197 | If the UdpService is not configured, this fuction calls UdpIoCreatIo() to\r | |
9166f840 | 198 | create UDPIO to bind this UdpService for IKE packet sending. If the UdpService\r |
199 | has already been configured, then return.\r | |
6cf9230f | 200 | \r |
9166f840 | 201 | @param[in] UdpService The UDP_IO to be configured.\r |
202 | @param[in] RemoteIp User-defined data when calling UdpIoCreateIo().\r | |
6cf9230f | 203 | \r |
9166f840 | 204 | @retval EFI_SUCCESS The configuration is successful.\r |
205 | @retval Others The configuration fails.\r | |
206 | \r | |
207 | **/\r | |
208 | EFI_STATUS\r | |
209 | IkeOpenOutputUdp (\r | |
210 | IN IKE_UDP_SERVICE *UdpService,\r | |
211 | IN EFI_IP_ADDRESS *RemoteIp\r | |
212 | )\r | |
213 | {\r | |
39561686 | 214 | EFI_STATUS Status;\r |
215 | EFI_IP4_CONFIG2_PROTOCOL *Ip4Cfg2;\r | |
216 | EFI_IP4_CONFIG2_INTERFACE_INFO *IfInfo;\r | |
217 | UINTN BufSize;\r | |
218 | EFI_IP6_MODE_DATA Ip6ModeData;\r | |
219 | EFI_UDP6_PROTOCOL *Udp6;\r | |
9166f840 | 220 | \r |
221 | Status = EFI_SUCCESS;\r | |
39561686 | 222 | IfInfo = NULL;\r |
9166f840 | 223 | BufSize = 0;\r |
224 | \r | |
225 | //\r | |
226 | // Check whether the input and output udp io are both configured.\r | |
227 | //\r | |
228 | if (UdpService->IsConfigured) {\r | |
229 | goto ON_EXIT;\r | |
230 | }\r | |
231 | \r | |
232 | if (UdpService->IpVersion == UDP_IO_UDP4_VERSION) {\r | |
233 | //\r | |
234 | // Handle ip4config protocol to get local default address.\r | |
235 | //\r | |
236 | Status = gBS->HandleProtocol (\r | |
237 | UdpService->NicHandle,\r | |
39561686 | 238 | &gEfiIp4Config2ProtocolGuid,\r |
239 | (VOID **) &Ip4Cfg2\r | |
9166f840 | 240 | );\r |
241 | \r | |
242 | if (EFI_ERROR (Status)) {\r | |
243 | goto ON_EXIT;\r | |
244 | }\r | |
245 | \r | |
39561686 | 246 | //\r |
247 | // Get the interface information size.\r | |
248 | //\r | |
249 | Status = Ip4Cfg2->GetData (\r | |
250 | Ip4Cfg2,\r | |
251 | Ip4Config2DataTypeInterfaceInfo,\r | |
252 | &BufSize,\r | |
253 | NULL\r | |
254 | );\r | |
9166f840 | 255 | \r |
256 | if (EFI_ERROR (Status) && Status != EFI_BUFFER_TOO_SMALL) {\r | |
257 | goto ON_EXIT;\r | |
258 | }\r | |
259 | \r | |
39561686 | 260 | IfInfo = AllocateZeroPool (BufSize);\r |
9166f840 | 261 | \r |
39561686 | 262 | if (IfInfo == NULL) {\r |
9166f840 | 263 | Status = EFI_OUT_OF_RESOURCES;\r |
264 | goto ON_EXIT;\r | |
265 | }\r | |
266 | \r | |
39561686 | 267 | //\r |
268 | // Get the interface info.\r | |
269 | //\r | |
270 | Status = Ip4Cfg2->GetData (\r | |
271 | Ip4Cfg2,\r | |
272 | Ip4Config2DataTypeInterfaceInfo,\r | |
273 | &BufSize,\r | |
274 | IfInfo\r | |
275 | );\r | |
276 | \r | |
9166f840 | 277 | if (EFI_ERROR (Status)) {\r |
278 | goto ON_EXIT;\r | |
279 | }\r | |
280 | \r | |
281 | CopyMem (\r | |
282 | &UdpService->DefaultAddress.v4,\r | |
39561686 | 283 | &IfInfo->StationAddress,\r |
9166f840 | 284 | sizeof (EFI_IPv4_ADDRESS)\r |
285 | );\r | |
286 | \r | |
287 | //\r | |
288 | // Create udp4 io for output with local default address.\r | |
289 | //\r | |
290 | UdpService->Output = UdpIoCreateIo (\r | |
291 | UdpService->NicHandle,\r | |
292 | UdpService->ImageHandle,\r | |
293 | IkeConfigUdp4,\r | |
294 | UDP_IO_UDP4_VERSION,\r | |
295 | &UdpService->DefaultAddress\r | |
296 | );\r | |
297 | \r | |
298 | if (UdpService->Output == NULL) {\r | |
299 | Status = EFI_OUT_OF_RESOURCES;\r | |
300 | goto ON_EXIT;\r | |
301 | }\r | |
302 | \r | |
303 | } else {\r | |
304 | //\r | |
305 | // Create udp6 io for output with remote address.\r | |
306 | //\r | |
307 | UdpService->Output = UdpIoCreateIo (\r | |
308 | UdpService->NicHandle,\r | |
309 | UdpService->ImageHandle,\r | |
310 | IkeConfigUdp6,\r | |
311 | UDP_IO_UDP6_VERSION,\r | |
312 | RemoteIp\r | |
313 | );\r | |
314 | \r | |
315 | if (UdpService->Output == NULL) {\r | |
316 | Status = EFI_OUT_OF_RESOURCES;\r | |
317 | goto ON_EXIT;\r | |
318 | }\r | |
319 | //\r | |
320 | // Get ip6 mode data to get the result of source address selection.\r | |
321 | //\r | |
322 | ZeroMem (&Ip6ModeData, sizeof (EFI_IP6_MODE_DATA));\r | |
323 | \r | |
324 | Udp6 = UdpService->Output->Protocol.Udp6;\r | |
325 | Status = Udp6->GetModeData (Udp6, NULL, &Ip6ModeData, NULL, NULL);\r | |
326 | \r | |
327 | if (EFI_ERROR (Status)) {\r | |
328 | UdpIoFreeIo (UdpService->Output);\r | |
329 | goto ON_EXIT;\r | |
330 | }\r | |
331 | //\r | |
332 | // Reconfigure udp6 io without remote address.\r | |
333 | //\r | |
334 | Udp6->Configure (Udp6, NULL);\r | |
335 | Status = IkeConfigUdp6 (UdpService->Output, NULL);\r | |
336 | \r | |
337 | //\r | |
338 | // Record the selected source address for ipsec process later.\r | |
339 | //\r | |
340 | CopyMem (\r | |
341 | &UdpService->DefaultAddress.v6,\r | |
342 | &Ip6ModeData.ConfigData.StationAddress,\r | |
343 | sizeof (EFI_IPv6_ADDRESS)\r | |
344 | );\r | |
345 | }\r | |
346 | \r | |
347 | UdpService->IsConfigured = TRUE;\r | |
348 | \r | |
349 | ON_EXIT:\r | |
39561686 | 350 | if (IfInfo != NULL) {\r |
351 | FreePool (IfInfo);\r | |
9166f840 | 352 | }\r |
353 | \r | |
354 | return Status;\r | |
355 | }\r | |
356 | \r | |
357 | /**\r | |
358 | Open and configure a UDPIO of Udp4 for IKE packet receiving.\r | |
6cf9230f | 359 | \r |
360 | This function is called at the IPsecDriverBinding start. IPsec create a UDP4 and\r | |
9166f840 | 361 | UDP4 IO for each NIC handle.\r |
6cf9230f | 362 | \r |
9166f840 | 363 | @param[in] Private Point to IPSEC_PRIVATE_DATA\r |
364 | @param[in] Controller Handler for NIC card.\r | |
6879581d | 365 | @param[in] ImageHandle The handle that contains the EFI_DRIVER_BINDING_PROTOCOL instance.\r |
6cf9230f | 366 | \r |
9166f840 | 367 | @retval EFI_SUCCESS The Operation is successful.\r |
368 | @retval EFI_OUT_OF_RESOURCE The required system resource can't be allocated.\r | |
6cf9230f | 369 | \r |
9166f840 | 370 | **/\r |
371 | EFI_STATUS\r | |
372 | IkeOpenInputUdp4 (\r | |
373 | IN IPSEC_PRIVATE_DATA *Private,\r | |
6879581d | 374 | IN EFI_HANDLE Controller,\r |
375 | IN EFI_HANDLE ImageHandle\r | |
9166f840 | 376 | )\r |
377 | {\r | |
378 | IKE_UDP_SERVICE *Udp4Srv;\r | |
379 | \r | |
380 | //\r | |
381 | // Check whether udp4 io of the controller has already been opened.\r | |
382 | //\r | |
383 | Udp4Srv = IkeLookupUdp (Private, Controller, IP_VERSION_4);\r | |
384 | \r | |
385 | if (Udp4Srv != NULL) {\r | |
386 | return EFI_ALREADY_STARTED;\r | |
387 | }\r | |
388 | \r | |
389 | Udp4Srv = AllocateZeroPool (sizeof (IKE_UDP_SERVICE));\r | |
390 | \r | |
391 | if (Udp4Srv == NULL) {\r | |
392 | return EFI_OUT_OF_RESOURCES;\r | |
393 | }\r | |
394 | //\r | |
395 | // Create udp4 io for iutput.\r | |
396 | //\r | |
397 | Udp4Srv->Input = UdpIoCreateIo (\r | |
398 | Controller,\r | |
6879581d | 399 | ImageHandle,\r |
9166f840 | 400 | IkeConfigUdp4,\r |
401 | UDP_IO_UDP4_VERSION,\r | |
402 | NULL\r | |
403 | );\r | |
404 | \r | |
405 | if (Udp4Srv->Input == NULL) {\r | |
406 | FreePool (Udp4Srv);\r | |
407 | return EFI_OUT_OF_RESOURCES;\r | |
408 | }\r | |
409 | \r | |
410 | Udp4Srv->NicHandle = Controller;\r | |
6879581d | 411 | Udp4Srv->ImageHandle = ImageHandle;\r |
9166f840 | 412 | Udp4Srv->ListHead = &(Private->Udp4List);\r |
413 | Udp4Srv->IpVersion = UDP_IO_UDP4_VERSION;\r | |
414 | Udp4Srv->IsConfigured = FALSE;\r | |
415 | \r | |
416 | ZeroMem (&Udp4Srv->DefaultAddress, sizeof (EFI_IP_ADDRESS));\r | |
417 | \r | |
418 | //\r | |
419 | // Insert the udp4 io into the list and increase the count.\r | |
420 | //\r | |
421 | InsertTailList (&Private->Udp4List, &Udp4Srv->List);\r | |
422 | \r | |
423 | Private->Udp4Num++;\r | |
424 | \r | |
425 | UdpIoRecvDatagram (Udp4Srv->Input, IkeDispatch, Udp4Srv, 0);\r | |
426 | \r | |
427 | return EFI_SUCCESS;\r | |
428 | }\r | |
429 | \r | |
430 | /**\r | |
431 | Open and configure a UDPIO of Udp6 for IKE packet receiving.\r | |
6cf9230f | 432 | \r |
9166f840 | 433 | This function is called at the IPsecDriverBinding start. IPsec create a UDP6 and UDP6\r |
434 | IO for each NIC handle.\r | |
6cf9230f | 435 | \r |
9166f840 | 436 | @param[in] Private Point to IPSEC_PRIVATE_DATA\r |
437 | @param[in] Controller Handler for NIC card.\r | |
6879581d | 438 | @param[in] ImageHandle The handle that contains the EFI_DRIVER_BINDING_PROTOCOL instance.\r |
6cf9230f | 439 | \r |
9166f840 | 440 | @retval EFI_SUCCESS The Operation is successful.\r |
441 | @retval EFI_OUT_OF_RESOURCE The required system resource can't be allocated.\r | |
6cf9230f | 442 | \r |
9166f840 | 443 | **/\r |
444 | EFI_STATUS\r | |
445 | IkeOpenInputUdp6 (\r | |
446 | IN IPSEC_PRIVATE_DATA *Private,\r | |
6879581d | 447 | IN EFI_HANDLE Controller,\r |
448 | IN EFI_HANDLE ImageHandle\r | |
9166f840 | 449 | )\r |
450 | {\r | |
451 | IKE_UDP_SERVICE *Udp6Srv;\r | |
452 | \r | |
453 | Udp6Srv = IkeLookupUdp (Private, Controller, IP_VERSION_6);\r | |
454 | \r | |
455 | if (Udp6Srv != NULL) {\r | |
456 | return EFI_ALREADY_STARTED;\r | |
457 | }\r | |
458 | \r | |
459 | Udp6Srv = AllocateZeroPool (sizeof (IKE_UDP_SERVICE));\r | |
460 | \r | |
461 | if (Udp6Srv == NULL) {\r | |
462 | return EFI_OUT_OF_RESOURCES;\r | |
463 | }\r | |
464 | //\r | |
465 | // Create udp6 io for input.\r | |
466 | //\r | |
467 | Udp6Srv->Input = UdpIoCreateIo (\r | |
468 | Controller,\r | |
6879581d | 469 | ImageHandle,\r |
9166f840 | 470 | IkeConfigUdp6,\r |
471 | UDP_IO_UDP6_VERSION,\r | |
472 | NULL\r | |
473 | );\r | |
474 | \r | |
475 | if (Udp6Srv->Input == NULL) {\r | |
476 | FreePool (Udp6Srv);\r | |
477 | return EFI_OUT_OF_RESOURCES;\r | |
478 | }\r | |
479 | \r | |
480 | Udp6Srv->NicHandle = Controller;\r | |
6879581d | 481 | Udp6Srv->ImageHandle = ImageHandle;\r |
9166f840 | 482 | Udp6Srv->ListHead = &(Private->Udp6List);\r |
483 | Udp6Srv->IpVersion = UDP_IO_UDP6_VERSION;\r | |
484 | Udp6Srv->IsConfigured = FALSE;\r | |
485 | \r | |
486 | ZeroMem (&Udp6Srv->DefaultAddress, sizeof (EFI_IP_ADDRESS));\r | |
487 | \r | |
488 | //\r | |
489 | // Insert the udp6 io into the list and increase the count.\r | |
490 | //\r | |
491 | InsertTailList (&Private->Udp6List, &Udp6Srv->List);\r | |
492 | \r | |
493 | Private->Udp6Num++;\r | |
494 | \r | |
495 | UdpIoRecvDatagram (Udp6Srv->Input, IkeDispatch, Udp6Srv, 0);\r | |
496 | \r | |
497 | return EFI_SUCCESS;\r | |
498 | }\r | |
499 | \r | |
500 | /**\r | |
501 | The general interface of starting IPsec Key Exchange.\r | |
6cf9230f | 502 | \r |
9166f840 | 503 | This function is called when a IKE negotiation to start getting a Key.\r |
6cf9230f | 504 | \r |
505 | @param[in] UdpService Point to IKE_UDP_SERVICE which will be used for\r | |
9166f840 | 506 | IKE packet sending.\r |
507 | @param[in] SpdEntry Point to the SPD entry related to the IKE negotiation.\r | |
508 | @param[in] RemoteIp Point to EFI_IP_ADDRESS related to the IKE negotiation.\r | |
6cf9230f | 509 | \r |
9166f840 | 510 | @retval EFI_SUCCESS The Operation is successful.\r |
511 | @retval EFI_ACCESS_DENIED No related PAD entry was found.\r | |
512 | @retval EFI_INVALID_PARAMETER The IKE version is not supported.\r | |
6cf9230f | 513 | \r |
9166f840 | 514 | **/\r |
515 | EFI_STATUS\r | |
516 | IkeNegotiate (\r | |
517 | IN IKE_UDP_SERVICE *UdpService,\r | |
518 | IN IPSEC_SPD_ENTRY *SpdEntry,\r | |
519 | IN EFI_IP_ADDRESS *RemoteIp\r | |
520 | )\r | |
521 | {\r | |
522 | EFI_STATUS Status;\r | |
523 | UINT8 *IkeSaSession;\r | |
524 | IKE_EXCHANGE_INTERFACE *Exchange;\r | |
525 | IPSEC_PRIVATE_DATA *Private;\r | |
526 | IPSEC_PAD_ENTRY *PadEntry;\r | |
527 | UINT8 IkeVersion;\r | |
528 | \r | |
529 | Private = (UdpService->IpVersion == IP_VERSION_4) ?\r | |
530 | IPSEC_PRIVATE_DATA_FROM_UDP4LIST(UdpService->ListHead) :\r | |
531 | IPSEC_PRIVATE_DATA_FROM_UDP6LIST(UdpService->ListHead);\r | |
532 | \r | |
533 | //\r | |
534 | // Try to open udp io for output if it hasn't.\r | |
535 | //\r | |
536 | Status = IkeOpenOutputUdp (UdpService, RemoteIp);\r | |
537 | if (EFI_ERROR (Status)) {\r | |
538 | return Status;\r | |
539 | }\r | |
540 | //\r | |
541 | // Try to find the IKE SA session in the IKEv1 and IKEv2 established SA session list.\r | |
6cf9230f | 542 | //\r |
543 | IkeSaSession = (UINT8 *) Ikev2SaSessionLookup (&Private->Ikev2EstablishedList, RemoteIp);\r | |
9166f840 | 544 | \r |
545 | \r | |
546 | if (IkeSaSession == NULL) {\r | |
547 | //\r | |
548 | // Find the pad entry by the remote ip address.\r | |
549 | //\r | |
550 | PadEntry = IpSecLookupPadEntry (UdpService->IpVersion, RemoteIp);\r | |
551 | if (PadEntry == NULL) {\r | |
552 | return EFI_ACCESS_DENIED;\r | |
553 | }\r | |
554 | //\r | |
555 | // Determine the IKE exchange instance by the auth protocol in pad entry.\r | |
556 | //\r | |
557 | ASSERT (PadEntry->Data->AuthProtocol < EfiIPsecAuthProtocolMaximum);\r | |
558 | if (PadEntry->Data->AuthProtocol == EfiIPsecAuthProtocolIKEv1) {\r | |
559 | return EFI_INVALID_PARAMETER;\r | |
560 | }\r | |
561 | Exchange = mIkeExchange[PadEntry->Data->AuthProtocol];\r | |
562 | //\r | |
563 | // Start the main mode stage to negotiate IKE SA.\r | |
564 | //\r | |
565 | Status = Exchange->NegotiateSa (UdpService, SpdEntry, PadEntry, RemoteIp);\r | |
566 | } else {\r | |
567 | //\r | |
568 | // Determine the IKE exchange instance by the IKE version in IKE SA session.\r | |
569 | //\r | |
570 | IkeVersion = IkeGetVersionFromSession (IkeSaSession);\r | |
571 | if (IkeVersion != 2) {\r | |
572 | return EFI_INVALID_PARAMETER;\r | |
573 | }\r | |
6cf9230f | 574 | \r |
9166f840 | 575 | Exchange = mIkeExchange[IkeVersion - 1];\r |
576 | //\r | |
577 | // Start the quick mode stage to negotiate child SA.\r | |
578 | //\r | |
579 | Status = Exchange->NegotiateChildSa (IkeSaSession, SpdEntry, NULL);\r | |
580 | }\r | |
581 | \r | |
582 | return Status;\r | |
583 | }\r | |
584 | \r | |
585 | /**\r | |
586 | The generic interface when receive a IKE packet.\r | |
6cf9230f | 587 | \r |
9166f840 | 588 | This function is called when UDP IO receives a IKE packet.\r |
6cf9230f | 589 | \r |
9166f840 | 590 | @param[in] Packet Point to received IKE packet.\r |
6cf9230f | 591 | @param[in] EndPoint Point to UDP_END_POINT which contains the information of\r |
9166f840 | 592 | Remote IP and Port.\r |
593 | @param[in] IoStatus The Status of Recieve Token.\r | |
594 | @param[in] Context Point to data passed from the caller.\r | |
6cf9230f | 595 | \r |
9166f840 | 596 | **/\r |
597 | VOID\r | |
1d8fa5e9 | 598 | EFIAPI\r |
9166f840 | 599 | IkeDispatch (\r |
600 | IN NET_BUF *Packet,\r | |
601 | IN UDP_END_POINT *EndPoint,\r | |
602 | IN EFI_STATUS IoStatus,\r | |
603 | IN VOID *Context\r | |
604 | )\r | |
605 | {\r | |
606 | IPSEC_PRIVATE_DATA *Private;\r | |
607 | IKE_PACKET *IkePacket;\r | |
608 | IKE_HEADER *IkeHdr;\r | |
609 | IKE_UDP_SERVICE *UdpService;\r | |
610 | IKE_EXCHANGE_INTERFACE *Exchange;\r | |
611 | EFI_STATUS Status;\r | |
612 | \r | |
613 | UdpService = (IKE_UDP_SERVICE *) Context;\r | |
614 | IkePacket = NULL;\r | |
615 | Private = (UdpService->IpVersion == IP_VERSION_4) ?\r | |
616 | IPSEC_PRIVATE_DATA_FROM_UDP4LIST(UdpService->ListHead) :\r | |
617 | IPSEC_PRIVATE_DATA_FROM_UDP6LIST(UdpService->ListHead);\r | |
618 | \r | |
619 | if (EFI_ERROR (IoStatus)) {\r | |
620 | goto ON_EXIT;\r | |
621 | }\r | |
622 | //\r | |
623 | // Check whether the ipsec is enabled or not.\r | |
624 | //\r | |
625 | if (Private->IpSec.DisabledFlag == TRUE) {\r | |
626 | goto ON_EXIT;\r | |
627 | }\r | |
628 | \r | |
629 | if (EndPoint->RemotePort != IKE_DEFAULT_PORT) {\r | |
630 | goto ON_EXIT;\r | |
631 | }\r | |
632 | \r | |
633 | //\r | |
634 | // Build IKE packet from the received netbuf.\r | |
635 | //\r | |
636 | IkePacket = IkePacketFromNetbuf (Packet);\r | |
637 | \r | |
638 | if (IkePacket == NULL) {\r | |
639 | goto ON_EXIT;\r | |
640 | }\r | |
641 | //\r | |
642 | // Get the remote address from the IKE packet.\r | |
643 | //\r | |
644 | if (UdpService->IpVersion == IP_VERSION_4) {\r | |
645 | *(UINT32 *) IkePacket->RemotePeerIp.Addr = HTONL ((*(UINT32 *) EndPoint->RemoteAddr.Addr));\r | |
646 | } else {\r | |
647 | CopyMem (\r | |
648 | &IkePacket->RemotePeerIp,\r | |
649 | NTOHLLL (&EndPoint->RemoteAddr.v6),\r | |
650 | sizeof (EFI_IPv6_ADDRESS)\r | |
651 | );\r | |
652 | }\r | |
653 | //\r | |
654 | // Try to open udp io for output if hasn't.\r | |
655 | //\r | |
656 | Status = IkeOpenOutputUdp (UdpService, &IkePacket->RemotePeerIp);\r | |
657 | \r | |
658 | if (EFI_ERROR (Status)) {\r | |
659 | goto ON_EXIT;\r | |
660 | }\r | |
661 | \r | |
662 | IkeHdr = IkePacket->Header;\r | |
663 | \r | |
664 | //\r | |
665 | // Determine the IKE exchange instance by the IKE version in IKE header.\r | |
666 | //\r | |
667 | if (IKE_MAJOR_VERSION (IkeHdr->Version) == 2) {\r | |
668 | Exchange = mIkeExchange[IKE_MAJOR_VERSION (IkeHdr->Version) - 1];\r | |
669 | } else {\r | |
670 | goto ON_EXIT;\r | |
671 | }\r | |
672 | \r | |
673 | switch (IkeHdr->ExchangeType) {\r | |
674 | case IKE_XCG_TYPE_IDENTITY_PROTECT:\r | |
675 | case IKE_XCG_TYPE_SA_INIT:\r | |
676 | case IKE_XCG_TYPE_AUTH:\r | |
677 | Exchange->HandleSa (UdpService, IkePacket);\r | |
678 | break;\r | |
679 | \r | |
680 | case IKE_XCG_TYPE_QM:\r | |
681 | case IKE_XCG_TYPE_CREATE_CHILD_SA:\r | |
682 | Exchange->HandleChildSa (UdpService, IkePacket);\r | |
683 | break;\r | |
684 | \r | |
685 | case IKE_XCG_TYPE_INFO:\r | |
686 | case IKE_XCG_TYPE_INFO2:\r | |
687 | Exchange->HandleInfo (UdpService, IkePacket);\r | |
688 | break;\r | |
689 | \r | |
690 | default:\r | |
691 | break;\r | |
692 | }\r | |
693 | \r | |
694 | ON_EXIT:\r | |
695 | if (IkePacket != NULL) {\r | |
696 | IkePacketFree (IkePacket);\r | |
697 | }\r | |
698 | \r | |
699 | if (Packet != NULL) {\r | |
700 | NetbufFree (Packet);\r | |
701 | }\r | |
702 | \r | |
703 | UdpIoRecvDatagram (UdpService->Input, IkeDispatch, UdpService, 0);\r | |
704 | \r | |
705 | return ;\r | |
706 | }\r | |
707 | \r | |
708 | /**\r | |
709 | Delete all established IKE SAs and related Child SAs.\r | |
6cf9230f | 710 | \r |
711 | This function is the subfunction of the IpSecCleanupAllSa(). It first calls\r | |
712 | IkeDeleteChildSa() to delete all Child SAs then send out the related\r | |
9166f840 | 713 | Information packet.\r |
714 | \r | |
6cf9230f | 715 | @param[in] Private Pointer of the IPSEC_PRIVATE_DATA\r |
4b0f5775 | 716 | @param[in] IsDisableIpsec Indicate whether needs to disable IPsec.\r |
9166f840 | 717 | \r |
718 | **/\r | |
719 | VOID\r | |
720 | IkeDeleteAllSas (\r | |
6cf9230f | 721 | IN IPSEC_PRIVATE_DATA *Private,\r |
722 | IN BOOLEAN IsDisableIpsec\r | |
9166f840 | 723 | )\r |
724 | {\r | |
725 | LIST_ENTRY *Entry;\r | |
726 | LIST_ENTRY *NextEntry;\r | |
727 | IKEV2_SA_SESSION *Ikev2SaSession;\r | |
728 | UINT8 Value;\r | |
729 | EFI_STATUS Status;\r | |
730 | IKE_EXCHANGE_INTERFACE *Exchange;\r | |
731 | UINT8 IkeVersion;\r | |
732 | \r | |
733 | Exchange = NULL;\r | |
734 | \r | |
735 | //\r | |
736 | // If the IKEv1 is supported, first deal with the Ikev1Estatblished list.\r | |
737 | //\r | |
738 | \r | |
739 | //\r | |
740 | // If IKEv2 SAs are under establishing, delete it directly.\r | |
741 | //\r | |
742 | if (!IsListEmpty (&Private->Ikev2SessionList)) {\r | |
743 | NET_LIST_FOR_EACH_SAFE (Entry, NextEntry, &Private->Ikev2SessionList) {\r | |
6cf9230f | 744 | Ikev2SaSession = IKEV2_SA_SESSION_BY_SESSION (Entry);\r |
9166f840 | 745 | RemoveEntryList (Entry);\r |
746 | Ikev2SaSessionFree (Ikev2SaSession);\r | |
747 | }\r | |
748 | }\r | |
6cf9230f | 749 | \r |
9166f840 | 750 | //\r |
751 | // If there is no existing established IKE SA, set the Ipsec DisableFlag to TRUE\r | |
752 | // and turn off the IsIPsecDisabling flag.\r | |
753 | //\r | |
6cf9230f | 754 | if (IsListEmpty (&Private->Ikev2EstablishedList) && IsDisableIpsec) {\r |
9166f840 | 755 | Value = IPSEC_STATUS_DISABLED;\r |
756 | Status = gRT->SetVariable (\r | |
757 | IPSECCONFIG_STATUS_NAME,\r | |
758 | &gEfiIpSecConfigProtocolGuid,\r | |
759 | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_NON_VOLATILE,\r | |
760 | sizeof (Value),\r | |
761 | &Value\r | |
762 | );\r | |
763 | if (!EFI_ERROR (Status)) {\r | |
764 | Private->IpSec.DisabledFlag = TRUE;\r | |
765 | Private->IsIPsecDisabling = FALSE;\r | |
766 | return ;\r | |
767 | }\r | |
768 | }\r | |
769 | \r | |
770 | //\r | |
771 | // Delete established IKEv2 SAs.\r | |
772 | //\r | |
773 | if (!IsListEmpty (&Private->Ikev2EstablishedList)) {\r | |
774 | for (Entry = Private->Ikev2EstablishedList.ForwardLink; Entry != &Private->Ikev2EstablishedList;) {\r | |
775 | Ikev2SaSession = IKEV2_SA_SESSION_BY_SESSION (Entry);\r | |
776 | Entry = Entry->ForwardLink;\r | |
6cf9230f | 777 | \r |
9166f840 | 778 | Ikev2SaSession->SessionCommon.State = IkeStateSaDeleting;\r |
779 | \r | |
780 | //\r | |
781 | // Call for Information Exchange.\r | |
782 | //\r | |
783 | IkeVersion = IkeGetVersionFromSession ((UINT8*)Ikev2SaSession);\r | |
784 | if (IkeVersion == 2) {\r | |
785 | Exchange = mIkeExchange[IkeVersion - 1];\r | |
786 | Exchange->NegotiateInfo((UINT8*)Ikev2SaSession, NULL);\r | |
6cf9230f | 787 | }\r |
9166f840 | 788 | }\r |
789 | }\r | |
6cf9230f | 790 | \r |
9166f840 | 791 | }\r |
792 | \r | |
793 | \r | |
794 | \r |