]>
Commit | Line | Data |
---|---|---|
9166f840 | 1 | /** @file\r |
2 | The implementation of Payloads Creation.\r | |
3 | \r | |
4 | Copyright (c) 2010, Intel Corporation. All rights reserved.<BR>\r | |
5 | \r | |
6 | This program and the accompanying materials\r | |
7 | are licensed and made available under the terms and conditions of the BSD License\r | |
8 | which accompanies this distribution. The full text of the license may be found at\r | |
9 | http://opensource.org/licenses/bsd-license.php.\r | |
10 | \r | |
11 | THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,\r | |
12 | WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r | |
13 | \r | |
14 | **/\r | |
15 | \r | |
16 | #include "Utility.h"\r | |
17 | #include "IpSecDebug.h"\r | |
18 | #include "IpSecConfigImpl.h"\r | |
19 | #include "IpSecCryptIo.h"\r | |
20 | \r | |
21 | //\r | |
22 | // The Constant String of "Key Pad for IKEv2" for Authentication Payload generation. \r | |
23 | //\r | |
24 | #define CONSTANT_KEY_SIZE 17\r | |
25 | GLOBAL_REMOVE_IF_UNREFERENCED CHAR8 mConstantKey[CONSTANT_KEY_SIZE] = \r | |
26 | {\r | |
27 | 'K', 'e', 'y', ' ', 'P', 'a', 'd', ' ', 'f', 'o', 'r', ' ', 'I', 'K', 'E', 'v', '2'\r | |
28 | };\r | |
29 | \r | |
30 | /**\r | |
31 | Generate Ikev2 SA payload according to SessionSaData\r | |
32 | \r | |
33 | @param[in] SessionSaData The data used in SA payload.\r | |
34 | @param[in] NextPayload The payload type presented in NextPayload field of \r | |
35 | SA Payload header.\r | |
36 | @param[in] Type The SA type. It MUST be neither (1) for IKE_SA or\r | |
37 | (2) for CHILD_SA or (3) for INFO.\r | |
38 | \r | |
39 | @retval a Pointer to SA IKE payload.\r | |
40 | \r | |
41 | **/\r | |
42 | IKE_PAYLOAD *\r | |
43 | Ikev2GenerateSaPayload (\r | |
44 | IN IKEV2_SA_DATA *SessionSaData,\r | |
45 | IN UINT8 NextPayload,\r | |
46 | IN IKE_SESSION_TYPE Type\r | |
47 | )\r | |
48 | {\r | |
49 | IKE_PAYLOAD *SaPayload;\r | |
50 | IKEV2_SA_DATA *SaData;\r | |
51 | UINTN SaDataSize;\r | |
52 | \r | |
53 | SaPayload = IkePayloadAlloc ();\r | |
54 | ASSERT (SaPayload != NULL);\r | |
55 | //\r | |
56 | // TODO: Get the Proposal Number and Transform Number from IPsec Config,\r | |
57 | // after the Ipsecconfig Application is support it.\r | |
58 | //\r | |
59 | \r | |
60 | if (Type == IkeSessionTypeIkeSa) {\r | |
61 | SaDataSize = sizeof (IKEV2_SA_DATA) + \r | |
62 | SessionSaData->NumProposals * sizeof (IKEV2_PROPOSAL_DATA) +\r | |
63 | sizeof (IKEV2_TRANSFORM_DATA) * SessionSaData->NumProposals * 4;\r | |
64 | } else {\r | |
65 | SaDataSize = sizeof (IKEV2_SA_DATA) + \r | |
66 | SessionSaData->NumProposals * sizeof (IKEV2_PROPOSAL_DATA) +\r | |
67 | sizeof (IKEV2_TRANSFORM_DATA) * SessionSaData->NumProposals * 3;\r | |
68 | \r | |
69 | }\r | |
70 | \r | |
71 | SaData = AllocateZeroPool (SaDataSize);\r | |
72 | ASSERT (SaData != NULL);\r | |
73 | \r | |
74 | CopyMem (SaData, SessionSaData, SaDataSize);\r | |
75 | SaData->SaHeader.Header.NextPayload = NextPayload;\r | |
76 | SaPayload->PayloadType = IKEV2_PAYLOAD_TYPE_SA;\r | |
77 | SaPayload->PayloadBuf = (UINT8 *) SaData;\r | |
78 | \r | |
79 | return SaPayload;\r | |
80 | }\r | |
81 | \r | |
82 | /**\r | |
83 | Generate a Nonce payload containing the input parameter NonceBuf.\r | |
84 | \r | |
85 | @param[in] NonceBuf The nonce buffer contains the whole Nonce payload block \r | |
86 | except the payload header.\r | |
87 | @param[in] NonceSize The buffer size of the NonceBuf\r | |
88 | @param[in] NextPayload The payload type presented in the NextPayload field \r | |
89 | of Nonce Payload header.\r | |
90 | \r | |
91 | @retval Pointer to Nonce IKE paload.\r | |
92 | \r | |
93 | **/\r | |
94 | IKE_PAYLOAD *\r | |
95 | Ikev2GenerateNoncePayload (\r | |
96 | IN UINT8 *NonceBuf,\r | |
97 | IN UINTN NonceSize,\r | |
98 | IN UINT8 NextPayload\r | |
99 | )\r | |
100 | {\r | |
101 | IKE_PAYLOAD *NoncePayload;\r | |
102 | IKEV2_NONCE *Nonce;\r | |
103 | UINTN Size;\r | |
104 | UINT8 *NonceBlock;\r | |
105 | \r | |
106 | // 1 2 3\r | |
107 | // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1\r | |
108 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
109 | // ! Next Payload !C! RESERVED ! Payload Length !\r | |
110 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
111 | // ! !\r | |
112 | // ~ Nonce Data ~\r | |
113 | // ! !\r | |
114 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
115 | //\r | |
116 | Size = sizeof (IKEV2_NONCE) + NonceSize;\r | |
117 | NonceBlock = NonceBuf;\r | |
118 | \r | |
119 | Nonce = AllocateZeroPool (Size);\r | |
120 | ASSERT (Nonce != NULL);\r | |
121 | CopyMem (Nonce + 1, NonceBlock, Size - sizeof (IKEV2_NONCE));\r | |
122 | \r | |
123 | Nonce->Header.NextPayload = NextPayload;\r | |
124 | Nonce->Header.PayloadLength = (UINT16) Size;\r | |
125 | NoncePayload = IkePayloadAlloc ();\r | |
126 | \r | |
127 | ASSERT (NoncePayload != NULL);\r | |
128 | NoncePayload->PayloadType = IKEV2_PAYLOAD_TYPE_NONCE;\r | |
129 | NoncePayload->PayloadBuf = (UINT8 *) Nonce;\r | |
130 | NoncePayload->PayloadSize = Size;\r | |
131 | \r | |
132 | return NoncePayload;\r | |
133 | }\r | |
134 | \r | |
135 | /**\r | |
136 | Generate a Key Exchange payload according to the DH group type and save the \r | |
137 | public Key into IkeSaSession IkeKey field.\r | |
138 | \r | |
139 | @param[in, out] IkeSaSession Pointer of the IKE_SA_SESSION.\r | |
140 | @param[in] NextPayload The payload type presented in the NextPayload field of Key \r | |
141 | Exchange Payload header.\r | |
142 | \r | |
143 | @retval Pointer to Key IKE payload.\r | |
144 | \r | |
145 | **/\r | |
146 | IKE_PAYLOAD*\r | |
147 | Ikev2GenerateKePayload (\r | |
148 | IN OUT IKEV2_SA_SESSION *IkeSaSession,\r | |
149 | IN UINT8 NextPayload\r | |
150 | )\r | |
151 | {\r | |
152 | IKE_PAYLOAD *KePayload;\r | |
153 | IKEV2_KEY_EXCHANGE *Ke;\r | |
154 | UINTN KeSize;\r | |
155 | IKEV2_SESSION_KEYS *IkeKeys;\r | |
156 | \r | |
157 | //\r | |
158 | // 1 2 3\r | |
159 | // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1\r | |
160 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
161 | // ! Next Payload !C! RESERVED ! Payload Length !\r | |
162 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
163 | // ! DH Group # ! RESERVED !\r | |
164 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
165 | // ! !\r | |
166 | // ~ Key Exchange Data ~\r | |
167 | // ! !\r | |
168 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
169 | //\r | |
170 | IkeKeys = IkeSaSession->IkeKeys;\r | |
171 | \r | |
172 | if (IkeSaSession->SessionCommon.IsInitiator) {\r | |
173 | KeSize = sizeof (IKEV2_KEY_EXCHANGE) + IkeKeys->DhBuffer->GxSize;\r | |
174 | } else {\r | |
175 | KeSize = sizeof (IKEV2_KEY_EXCHANGE) + IkeKeys->DhBuffer->GxSize;\r | |
176 | }\r | |
177 | \r | |
178 | //\r | |
179 | // Allocate buffer for Key Exchange\r | |
180 | //\r | |
181 | Ke = AllocateZeroPool (KeSize);\r | |
182 | ASSERT (Ke != NULL);\r | |
183 | \r | |
184 | Ke->Header.NextPayload = NextPayload;\r | |
185 | Ke->Header.PayloadLength = (UINT16) KeSize;\r | |
186 | Ke->DhGroup = IkeSaSession->SessionCommon.PreferDhGroup;\r | |
187 | \r | |
188 | CopyMem (Ke + 1, IkeKeys->DhBuffer->GxBuffer, IkeKeys->DhBuffer->GxSize);\r | |
189 | \r | |
190 | //\r | |
191 | // Create IKE_PAYLOAD to point to Key Exchange payload \r | |
192 | // \r | |
193 | KePayload = IkePayloadAlloc ();\r | |
194 | ASSERT (KePayload != NULL);\r | |
195 | \r | |
196 | KePayload->PayloadType = IKEV2_PAYLOAD_TYPE_KE;\r | |
197 | KePayload->PayloadBuf = (UINT8 *) Ke;\r | |
198 | KePayload->PayloadSize = KeSize;\r | |
199 | return KePayload;\r | |
200 | }\r | |
201 | \r | |
202 | /**\r | |
203 | Generate a ID payload.\r | |
204 | \r | |
205 | @param[in] CommonSession Pointer to IKEV2_SESSION_COMMON related to ID payload.\r | |
206 | @param[in] NextPayload The payload type presented in the NextPayload field \r | |
207 | of ID Payload header.\r | |
208 | \r | |
209 | @retval Pointer to ID IKE payload.\r | |
210 | \r | |
211 | **/\r | |
212 | IKE_PAYLOAD *\r | |
213 | Ikev2GenerateIdPayload (\r | |
214 | IN IKEV2_SESSION_COMMON *CommonSession,\r | |
215 | IN UINT8 NextPayload\r | |
216 | )\r | |
217 | {\r | |
218 | IKE_PAYLOAD *IdPayload;\r | |
219 | IKEV2_ID *Id;\r | |
220 | UINTN IdSize;\r | |
221 | UINT8 IpVersion;\r | |
222 | UINT8 AddrSize;\r | |
223 | \r | |
224 | //\r | |
225 | // ID payload\r | |
226 | // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1\r | |
227 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
228 | // ! Next Payload ! RESERVED ! Payload Length !\r | |
229 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
230 | // ! ID Type ! RESERVED !\r | |
231 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
232 | // ! !\r | |
233 | // ~ Identification Data ~\r | |
234 | // ! !\r | |
235 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
236 | //\r | |
237 | \r | |
238 | IpVersion = CommonSession->UdpService->IpVersion;\r | |
239 | AddrSize = (UINT8) ((IpVersion == IP_VERSION_4) ? sizeof(EFI_IPv4_ADDRESS) : sizeof(EFI_IPv6_ADDRESS));\r | |
240 | IdSize = sizeof (IKEV2_ID) + AddrSize;\r | |
241 | \r | |
242 | Id = (IKEV2_ID *) AllocateZeroPool (IdSize);\r | |
243 | ASSERT (Id != NULL);\r | |
244 | \r | |
245 | IdPayload = IkePayloadAlloc ();\r | |
246 | ASSERT (IdPayload != NULL);\r | |
247 | \r | |
248 | IdPayload->PayloadType = (UINT8) ((CommonSession->IsInitiator) ? IKEV2_PAYLOAD_TYPE_ID_INIT : IKEV2_PAYLOAD_TYPE_ID_RSP);\r | |
249 | IdPayload->PayloadBuf = (UINT8 *) Id;\r | |
250 | IdPayload->PayloadSize = IdSize;\r | |
251 | \r | |
252 | //\r | |
253 | // Set generic header of identification payload \r | |
254 | //\r | |
255 | Id->Header.NextPayload = NextPayload;\r | |
256 | Id->Header.PayloadLength = (UINT16) IdSize;\r | |
257 | Id->IdType = (UINT8) ((IpVersion == IP_VERSION_4) ? IKEV2_ID_TYPE_IPV4_ADDR : IKEV2_ID_TYPE_IPV6_ADDR);\r | |
258 | CopyMem (Id + 1, &CommonSession->LocalPeerIp, AddrSize);\r | |
259 | \r | |
260 | return IdPayload;\r | |
261 | }\r | |
262 | \r | |
263 | /**\r | |
264 | Generate a ID payload.\r | |
265 | \r | |
266 | @param[in] CommonSession Pointer to IKEV2_SESSION_COMMON related to ID payload.\r | |
267 | @param[in] NextPayload The payload type presented in the NextPayload field \r | |
268 | of ID Payload header.\r | |
269 | @param[in] InCert Pointer to the Certificate which distinguished name\r | |
270 | will be added into the Id payload.\r | |
271 | @param[in] CertSize Size of the Certificate.\r | |
272 | \r | |
273 | @retval Pointer to ID IKE payload.\r | |
274 | \r | |
275 | **/\r | |
276 | IKE_PAYLOAD *\r | |
277 | Ikev2GenerateCertIdPayload (\r | |
278 | IN IKEV2_SESSION_COMMON *CommonSession,\r | |
279 | IN UINT8 NextPayload,\r | |
280 | IN UINT8 *InCert,\r | |
281 | IN UINTN CertSize\r | |
282 | )\r | |
283 | {\r | |
284 | IKE_PAYLOAD *IdPayload;\r | |
285 | IKEV2_ID *Id;\r | |
286 | UINTN IdSize;\r | |
287 | UINT8 IpVersion;\r | |
288 | UINTN SubjectSize;\r | |
289 | UINT8 *CertSubject;\r | |
290 | \r | |
291 | //\r | |
292 | // ID payload\r | |
293 | // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1\r | |
294 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
295 | // ! Next Payload ! RESERVED ! Payload Length !\r | |
296 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
297 | // ! ID Type ! RESERVED !\r | |
298 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
299 | // ! !\r | |
300 | // ~ Identification Data ~\r | |
301 | // ! !\r | |
302 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
303 | //\r | |
304 | \r | |
305 | SubjectSize = 0;\r | |
306 | CertSubject = NULL;\r | |
307 | IpVersion = CommonSession->UdpService->IpVersion;\r | |
308 | IpSecCryptoIoGetSubjectFromCert (\r | |
309 | InCert,\r | |
310 | CertSize,\r | |
311 | &CertSubject,\r | |
312 | &SubjectSize\r | |
313 | );\r | |
314 | \r | |
315 | IdSize = sizeof (IKEV2_ID) + SubjectSize;\r | |
316 | \r | |
317 | Id = (IKEV2_ID *) AllocateZeroPool (IdSize);\r | |
318 | ASSERT (Id != NULL);\r | |
319 | \r | |
320 | IdPayload = IkePayloadAlloc ();\r | |
321 | ASSERT (IdPayload != NULL);\r | |
322 | \r | |
323 | IdPayload->PayloadType = (UINT8) ((CommonSession->IsInitiator) ? IKEV2_PAYLOAD_TYPE_ID_INIT : IKEV2_PAYLOAD_TYPE_ID_RSP);\r | |
324 | IdPayload->PayloadBuf = (UINT8 *) Id;\r | |
325 | IdPayload->PayloadSize = IdSize;\r | |
326 | \r | |
327 | //\r | |
328 | // Set generic header of identification payload \r | |
329 | //\r | |
330 | Id->Header.NextPayload = NextPayload;\r | |
331 | Id->Header.PayloadLength = (UINT16) IdSize;\r | |
332 | Id->IdType = 9;\r | |
333 | CopyMem (Id + 1, CertSubject, SubjectSize);\r | |
334 | \r | |
335 | if (CertSubject != NULL) {\r | |
336 | FreePool (CertSubject);\r | |
337 | }\r | |
338 | return IdPayload;\r | |
339 | }\r | |
340 | \r | |
341 | /**\r | |
342 | Generate a Authentication Payload.\r | |
343 | \r | |
344 | This function is used for both Authentication generation and verification. When the \r | |
345 | IsVerify is TRUE, it create a Auth Data for verification. This function choose the \r | |
346 | related IKE_SA_INIT Message for Auth data creation according to the IKE Session's type\r | |
347 | and the value of IsVerify parameter.\r | |
348 | \r | |
349 | @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION related to.\r | |
350 | @param[in] IdPayload Pointer to the ID payload to be used for Authentication \r | |
351 | payload generation.\r | |
352 | @param[in] NextPayload The type filled into the Authentication Payload next \r | |
353 | payload field.\r | |
354 | @param[in] IsVerify If it is TURE, the Authentication payload is used for\r | |
355 | verification.\r | |
356 | \r | |
357 | @return pointer to IKE Authentication payload for Pre-shared key method.\r | |
358 | \r | |
359 | **/\r | |
360 | IKE_PAYLOAD *\r | |
361 | Ikev2PskGenerateAuthPayload (\r | |
362 | IN IKEV2_SA_SESSION *IkeSaSession,\r | |
363 | IN IKE_PAYLOAD *IdPayload,\r | |
364 | IN UINT8 NextPayload,\r | |
365 | IN BOOLEAN IsVerify\r | |
366 | )\r | |
367 | {\r | |
368 | UINT8 *Digest;\r | |
369 | UINTN DigestSize;\r | |
370 | PRF_DATA_FRAGMENT Fragments[3];\r | |
371 | UINT8 *KeyBuf;\r | |
372 | UINTN KeySize;\r | |
373 | IKE_PAYLOAD *AuthPayload;\r | |
374 | IKEV2_AUTH *PayloadBuf;\r | |
375 | EFI_STATUS Status;\r | |
376 | \r | |
377 | //\r | |
378 | // Auth = Prf(Prf(Secret,"Key Pad for IKEv2),IKE_SA_INIi/r|Ni/r|Prf(SK_Pr, IDi/r))\r | |
379 | //\r | |
380 | // 1 2 3\r | |
381 | // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1\r | |
382 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
383 | // ! Next Payload !C! RESERVED ! Payload Length !\r | |
384 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
385 | // ! Auth Method ! RESERVED !\r | |
386 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
387 | // ! !\r | |
388 | // ~ Authentication Data ~\r | |
389 | // ! !\r | |
390 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
391 | //\r | |
392 | \r | |
393 | KeyBuf = NULL;\r | |
394 | AuthPayload = NULL;\r | |
395 | Digest = NULL;\r | |
396 | \r | |
397 | DigestSize = IpSecGetHmacDigestLength ((UINT8)IkeSaSession->SessionCommon.SaParams->Prf);\r | |
398 | Digest = AllocateZeroPool (DigestSize);\r | |
399 | \r | |
400 | if (Digest == NULL) {\r | |
401 | return NULL;\r | |
402 | }\r | |
403 | if (IdPayload == NULL) {\r | |
404 | return NULL;\r | |
405 | }\r | |
406 | //\r | |
407 | // Calcualte Prf(Seceret, "Key Pad for IKEv2");\r | |
408 | //\r | |
409 | Fragments[0].Data = (UINT8 *) mConstantKey;\r | |
410 | Fragments[0].DataSize = CONSTANT_KEY_SIZE;\r | |
411 | \r | |
412 | Status = IpSecCryptoIoHmac (\r | |
413 | (UINT8)IkeSaSession->SessionCommon.SaParams->Prf,\r | |
414 | IkeSaSession->Pad->Data->AuthData,\r | |
415 | IkeSaSession->Pad->Data->AuthDataSize, \r | |
416 | (HASH_DATA_FRAGMENT *)Fragments,\r | |
417 | 1,\r | |
418 | Digest,\r | |
419 | DigestSize\r | |
420 | );\r | |
421 | if (EFI_ERROR (Status)) {\r | |
422 | goto EXIT;\r | |
423 | }\r | |
424 | \r | |
425 | //\r | |
426 | // Store the AuthKey into KeyBuf\r | |
427 | //\r | |
428 | KeyBuf = AllocateZeroPool (DigestSize);\r | |
429 | ASSERT (KeyBuf != NULL);\r | |
430 | CopyMem (KeyBuf, Digest, DigestSize);\r | |
431 | KeySize = DigestSize;\r | |
432 | \r | |
433 | //\r | |
434 | // Calculate Prf(SK_Pi/r, IDi/r)\r | |
435 | //\r | |
436 | Fragments[0].Data = IdPayload->PayloadBuf + sizeof (IKEV2_COMMON_PAYLOAD_HEADER);\r | |
437 | Fragments[0].DataSize = IdPayload->PayloadSize - sizeof (IKEV2_COMMON_PAYLOAD_HEADER);\r | |
438 | \r | |
439 | if ((IkeSaSession->SessionCommon.IsInitiator && IsVerify) ||\r | |
440 | (!IkeSaSession->SessionCommon.IsInitiator && !IsVerify)\r | |
441 | ) {\r | |
442 | Status = IpSecCryptoIoHmac (\r | |
443 | (UINT8)IkeSaSession->SessionCommon.SaParams->Prf,\r | |
444 | IkeSaSession->IkeKeys->SkPrKey,\r | |
445 | IkeSaSession->IkeKeys->SkPrKeySize,\r | |
446 | (HASH_DATA_FRAGMENT *) Fragments,\r | |
447 | 1,\r | |
448 | Digest,\r | |
449 | DigestSize\r | |
450 | );\r | |
451 | } else {\r | |
452 | Status = IpSecCryptoIoHmac (\r | |
453 | (UINT8)IkeSaSession->SessionCommon.SaParams->Prf,\r | |
454 | IkeSaSession->IkeKeys->SkPiKey,\r | |
455 | IkeSaSession->IkeKeys->SkPiKeySize,\r | |
456 | (HASH_DATA_FRAGMENT *) Fragments,\r | |
457 | 1,\r | |
458 | Digest,\r | |
459 | DigestSize\r | |
460 | );\r | |
461 | }\r | |
462 | if (EFI_ERROR (Status)) {\r | |
463 | goto EXIT;\r | |
464 | }\r | |
465 | \r | |
466 | //\r | |
467 | // Copy data to Fragments.\r | |
468 | //\r | |
469 | if ((IkeSaSession->SessionCommon.IsInitiator && IsVerify) ||\r | |
470 | (!IkeSaSession->SessionCommon.IsInitiator && !IsVerify)\r | |
471 | ) {\r | |
472 | Fragments[0].Data = IkeSaSession->RespPacket;\r | |
473 | Fragments[0].DataSize = IkeSaSession->RespPacketSize;\r | |
474 | Fragments[1].Data = IkeSaSession->NiBlock;\r | |
475 | Fragments[1].DataSize = IkeSaSession->NiBlkSize;\r | |
476 | } else {\r | |
477 | Fragments[0].Data = IkeSaSession->InitPacket;\r | |
478 | Fragments[0].DataSize = IkeSaSession->InitPacketSize;\r | |
479 | Fragments[1].Data = IkeSaSession->NrBlock;\r | |
480 | Fragments[1].DataSize = IkeSaSession->NrBlkSize;\r | |
481 | }\r | |
482 | \r | |
483 | //\r | |
484 | // Copy the result of Prf(SK_Pr, IDi/r) to Fragments[2].\r | |
485 | // \r | |
486 | Fragments[2].Data = AllocateZeroPool (DigestSize);\r | |
487 | Fragments[2].DataSize = DigestSize;\r | |
488 | CopyMem (Fragments[2].Data, Digest, DigestSize);\r | |
489 | \r | |
490 | //\r | |
491 | // Calculate Prf(Key,IKE_SA_INIi/r|Ni/r|Prf(SK_Pr, IDi/r))\r | |
492 | //\r | |
493 | Status = IpSecCryptoIoHmac (\r | |
494 | (UINT8)IkeSaSession->SessionCommon.SaParams->Prf,\r | |
495 | KeyBuf,\r | |
496 | KeySize,\r | |
497 | (HASH_DATA_FRAGMENT *) Fragments,\r | |
498 | 3,\r | |
499 | Digest,\r | |
500 | DigestSize\r | |
501 | );\r | |
502 | if (EFI_ERROR (Status)) {\r | |
503 | goto EXIT;\r | |
504 | }\r | |
505 | \r | |
506 | //\r | |
507 | // Allocate buffer for Auth Payload\r | |
508 | //\r | |
509 | AuthPayload = IkePayloadAlloc ();\r | |
510 | ASSERT (AuthPayload != NULL);\r | |
511 | \r | |
512 | AuthPayload->PayloadSize = sizeof (IKEV2_AUTH) + DigestSize;\r | |
513 | PayloadBuf = (IKEV2_AUTH *) AllocateZeroPool (AuthPayload->PayloadSize);\r | |
514 | ASSERT (PayloadBuf != NULL);\r | |
515 | //\r | |
516 | // Fill in Auth payload.\r | |
517 | //\r | |
518 | PayloadBuf->Header.NextPayload = NextPayload;\r | |
519 | PayloadBuf->Header.PayloadLength = (UINT16) (AuthPayload->PayloadSize);\r | |
520 | if (IkeSaSession->Pad->Data->AuthMethod == EfiIPsecAuthMethodPreSharedSecret) {\r | |
521 | //\r | |
522 | // Only support Shared Key Message Integrity\r | |
523 | //\r | |
524 | PayloadBuf->AuthMethod = IKEV2_AUTH_METHOD_SKMI;\r | |
525 | } else {\r | |
526 | //\r | |
527 | // Not support other Auth method.\r | |
528 | //\r | |
529 | Status = EFI_UNSUPPORTED;\r | |
530 | goto EXIT;\r | |
531 | }\r | |
532 | \r | |
533 | //\r | |
534 | // Copy the result of Prf(Key,IKE_SA_INIi/r|Ni/r|Prf(SK_Pr, IDi/r)) to Auth\r | |
535 | // payload block.\r | |
536 | //\r | |
537 | CopyMem (\r | |
538 | PayloadBuf + 1,\r | |
539 | Digest,\r | |
540 | DigestSize\r | |
541 | );\r | |
542 | \r | |
543 | //\r | |
544 | // Fill in IKE_PACKET\r | |
545 | //\r | |
546 | AuthPayload->PayloadBuf = (UINT8 *) PayloadBuf;\r | |
547 | AuthPayload->PayloadType = IKEV2_PAYLOAD_TYPE_AUTH;\r | |
548 | \r | |
549 | EXIT:\r | |
550 | if (KeyBuf != NULL) {\r | |
551 | FreePool (KeyBuf);\r | |
552 | }\r | |
553 | if (Digest != NULL) {\r | |
554 | FreePool (Digest);\r | |
555 | }\r | |
556 | if (Fragments[2].Data != NULL) {\r | |
557 | //\r | |
558 | // Free the buffer which contains the result of Prf(SK_Pr, IDi/r)\r | |
559 | // \r | |
560 | FreePool (Fragments[2].Data);\r | |
561 | }\r | |
562 | \r | |
563 | if (EFI_ERROR (Status)) {\r | |
564 | if (AuthPayload != NULL) {\r | |
565 | IkePayloadFree (AuthPayload);\r | |
566 | }\r | |
567 | return NULL;\r | |
568 | } else {\r | |
569 | return AuthPayload;\r | |
570 | }\r | |
571 | }\r | |
572 | \r | |
573 | /**\r | |
574 | Generate a Authentication Payload for Certificate Auth method. \r | |
575 | \r | |
576 | This function has two functions. One is creating a local Authentication \r | |
577 | Payload for sending and other is creating the remote Authentication data \r | |
578 | for verification when the IsVerify is TURE.\r | |
579 | \r | |
580 | @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION related to.\r | |
581 | @param[in] IdPayload Pointer to the ID payload to be used for Authentication \r | |
582 | payload generation.\r | |
583 | @param[in] NextPayload The type filled into the Authentication Payload \r | |
584 | next payload field.\r | |
585 | @param[in] IsVerify If it is TURE, the Authentication payload is used \r | |
586 | for verification.\r | |
587 | @param[in] UefiPrivateKey Pointer to the UEFI private key. Ignore it when \r | |
588 | verify the authenticate payload.\r | |
589 | @param[in] UefiPrivateKeyLen The size of UefiPrivateKey in bytes. Ignore it \r | |
590 | when verify the authenticate payload.\r | |
591 | @param[in] UefiKeyPwd Pointer to the password of UEFI private key. \r | |
592 | Ignore it when verify the authenticate payload.\r | |
593 | @param[in] UefiKeyPwdLen The size of UefiKeyPwd in bytes.Ignore it when \r | |
594 | verify the authenticate payload.\r | |
595 | \r | |
596 | @return pointer to IKE Authentication payload for Cerifitcation method.\r | |
597 | \r | |
598 | **/\r | |
599 | IKE_PAYLOAD *\r | |
600 | Ikev2CertGenerateAuthPayload (\r | |
601 | IN IKEV2_SA_SESSION *IkeSaSession,\r | |
602 | IN IKE_PAYLOAD *IdPayload,\r | |
603 | IN UINT8 NextPayload,\r | |
604 | IN BOOLEAN IsVerify,\r | |
605 | IN UINT8 *UefiPrivateKey,\r | |
606 | IN UINTN UefiPrivateKeyLen,\r | |
607 | IN UINT8 *UefiKeyPwd,\r | |
608 | IN UINTN UefiKeyPwdLen\r | |
609 | )\r | |
610 | {\r | |
611 | UINT8 *Digest;\r | |
612 | UINTN DigestSize;\r | |
613 | PRF_DATA_FRAGMENT Fragments[3];\r | |
614 | UINT8 *KeyBuf;\r | |
615 | UINTN KeySize;\r | |
616 | IKE_PAYLOAD *AuthPayload;\r | |
617 | IKEV2_AUTH *PayloadBuf;\r | |
618 | EFI_STATUS Status;\r | |
619 | UINT8 *Signature;\r | |
620 | UINTN SigSize;\r | |
621 | \r | |
622 | //\r | |
623 | // Auth = Prf(Scert,IKE_SA_INIi/r|Ni/r|Prf(SK_Pr, IDi/r))\r | |
624 | //\r | |
625 | // 1 2 3\r | |
626 | // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1\r | |
627 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
628 | // ! Next Payload !C! RESERVED ! Payload Length !\r | |
629 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
630 | // ! Auth Method ! RESERVED !\r | |
631 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
632 | // ! !\r | |
633 | // ~ Authentication Data ~\r | |
634 | // ! !\r | |
635 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
636 | //\r | |
637 | //\r | |
638 | // Initial point\r | |
639 | //\r | |
640 | KeyBuf = NULL;\r | |
641 | AuthPayload = NULL;\r | |
642 | Digest = NULL;\r | |
643 | Signature = NULL;\r | |
644 | SigSize = 0;\r | |
645 | \r | |
646 | if (IdPayload == NULL) {\r | |
647 | return NULL;\r | |
648 | }\r | |
649 | DigestSize = IpSecGetHmacDigestLength ((UINT8)IkeSaSession->SessionCommon.SaParams->Prf);\r | |
650 | Digest = AllocateZeroPool (DigestSize);\r | |
651 | \r | |
652 | if (Digest == NULL) {\r | |
653 | return NULL;\r | |
654 | }\r | |
655 | \r | |
656 | //\r | |
657 | // Store the AuthKey into KeyBuf\r | |
658 | //\r | |
659 | KeyBuf = AllocateZeroPool (DigestSize);\r | |
660 | ASSERT (KeyBuf != NULL);\r | |
661 | \r | |
662 | CopyMem (KeyBuf, Digest, DigestSize);\r | |
663 | KeySize = DigestSize;\r | |
664 | \r | |
665 | //\r | |
666 | // Calculate Prf(SK_Pi/r, IDi/r)\r | |
667 | //\r | |
668 | Fragments[0].Data = IdPayload->PayloadBuf + sizeof (IKEV2_COMMON_PAYLOAD_HEADER);\r | |
669 | Fragments[0].DataSize = IdPayload->PayloadSize - sizeof (IKEV2_COMMON_PAYLOAD_HEADER);\r | |
670 | \r | |
671 | IpSecDumpBuf ("RestofIDPayload", Fragments[0].Data, Fragments[0].DataSize);\r | |
672 | \r | |
673 | if ((IkeSaSession->SessionCommon.IsInitiator && IsVerify) ||\r | |
674 | (!IkeSaSession->SessionCommon.IsInitiator && !IsVerify)\r | |
675 | ) {\r | |
676 | Status = IpSecCryptoIoHmac(\r | |
677 | (UINT8)IkeSaSession->SessionCommon.SaParams->Prf,\r | |
678 | IkeSaSession->IkeKeys->SkPrKey,\r | |
679 | IkeSaSession->IkeKeys->SkPrKeySize,\r | |
680 | (HASH_DATA_FRAGMENT *) Fragments,\r | |
681 | 1,\r | |
682 | Digest,\r | |
683 | DigestSize\r | |
684 | );\r | |
685 | IpSecDumpBuf ("MACedIDForR", Digest, DigestSize);\r | |
686 | } else {\r | |
687 | Status = IpSecCryptoIoHmac (\r | |
688 | (UINT8)IkeSaSession->SessionCommon.SaParams->Prf,\r | |
689 | IkeSaSession->IkeKeys->SkPiKey,\r | |
690 | IkeSaSession->IkeKeys->SkPiKeySize,\r | |
691 | (HASH_DATA_FRAGMENT *) Fragments,\r | |
692 | 1,\r | |
693 | Digest,\r | |
694 | DigestSize\r | |
695 | );\r | |
696 | IpSecDumpBuf ("MACedIDForI", Digest, DigestSize);\r | |
697 | }\r | |
698 | if (EFI_ERROR (Status)) {\r | |
699 | goto EXIT;\r | |
700 | }\r | |
701 | \r | |
702 | //\r | |
703 | // Copy data to Fragments.\r | |
704 | //\r | |
705 | if ((IkeSaSession->SessionCommon.IsInitiator && IsVerify) ||\r | |
706 | (!IkeSaSession->SessionCommon.IsInitiator && !IsVerify)\r | |
707 | ) {\r | |
708 | Fragments[0].Data = IkeSaSession->RespPacket;\r | |
709 | Fragments[0].DataSize = IkeSaSession->RespPacketSize;\r | |
710 | Fragments[1].Data = IkeSaSession->NiBlock;\r | |
711 | Fragments[1].DataSize = IkeSaSession->NiBlkSize;\r | |
712 | IpSecDumpBuf ("RealMessage2", Fragments[0].Data, Fragments[0].DataSize);\r | |
713 | IpSecDumpBuf ("NonceIDdata", Fragments[1].Data, Fragments[1].DataSize);\r | |
714 | } else {\r | |
715 | Fragments[0].Data = IkeSaSession->InitPacket;\r | |
716 | Fragments[0].DataSize = IkeSaSession->InitPacketSize;\r | |
717 | Fragments[1].Data = IkeSaSession->NrBlock;\r | |
718 | Fragments[1].DataSize = IkeSaSession->NrBlkSize;\r | |
719 | IpSecDumpBuf ("RealMessage1", Fragments[0].Data, Fragments[0].DataSize);\r | |
720 | IpSecDumpBuf ("NonceRDdata", Fragments[1].Data, Fragments[1].DataSize);\r | |
721 | }\r | |
722 | \r | |
723 | //\r | |
724 | // Copy the result of Prf(SK_Pr, IDi/r) to Fragments[2].\r | |
725 | // \r | |
726 | Fragments[2].Data = AllocateZeroPool (DigestSize);\r | |
727 | Fragments[2].DataSize = DigestSize;\r | |
728 | CopyMem (Fragments[2].Data, Digest, DigestSize);\r | |
729 | \r | |
730 | //\r | |
731 | // Calculate Prf(Key,IKE_SA_INIi/r|Ni/r|Prf(SK_Pr, IDi/r))\r | |
732 | //\r | |
733 | Status = IpSecCryptoIoHash (\r | |
734 | (UINT8)IkeSaSession->SessionCommon.SaParams->Prf,\r | |
735 | (HASH_DATA_FRAGMENT *) Fragments,\r | |
736 | 3,\r | |
737 | Digest,\r | |
738 | DigestSize\r | |
739 | );\r | |
740 | if (EFI_ERROR (Status)) {\r | |
741 | goto EXIT;\r | |
742 | }\r | |
743 | \r | |
744 | IpSecDumpBuf ("HashSignedOctects", Digest, DigestSize);\r | |
745 | //\r | |
746 | // Sign the data by the private Key \r | |
747 | //\r | |
748 | if (!IsVerify) {\r | |
749 | IpSecCryptoIoAuthDataWithCertificate (\r | |
750 | Digest,\r | |
751 | DigestSize,\r | |
752 | UefiPrivateKey,\r | |
753 | UefiPrivateKeyLen,\r | |
754 | UefiKeyPwd,\r | |
755 | UefiKeyPwdLen,\r | |
756 | &Signature,\r | |
757 | &SigSize\r | |
758 | );\r | |
759 | \r | |
760 | if (SigSize == 0) {\r | |
761 | goto EXIT;\r | |
762 | }\r | |
763 | }\r | |
764 | \r | |
765 | //\r | |
766 | // Allocate buffer for Auth Payload\r | |
767 | //\r | |
768 | AuthPayload = IkePayloadAlloc ();\r | |
769 | ASSERT (AuthPayload != NULL);\r | |
770 | \r | |
771 | if (!IsVerify) {\r | |
772 | AuthPayload->PayloadSize = sizeof (IKEV2_AUTH) + SigSize;\r | |
773 | } else {\r | |
774 | AuthPayload->PayloadSize = sizeof (IKEV2_AUTH) + DigestSize;\r | |
775 | }\r | |
776 | \r | |
777 | PayloadBuf = (IKEV2_AUTH *) AllocateZeroPool (AuthPayload->PayloadSize);\r | |
778 | ASSERT (PayloadBuf != NULL);\r | |
779 | //\r | |
780 | // Fill in Auth payload.\r | |
781 | //\r | |
782 | PayloadBuf->Header.NextPayload = NextPayload;\r | |
783 | PayloadBuf->Header.PayloadLength = (UINT16) (AuthPayload->PayloadSize);\r | |
784 | if (IkeSaSession->Pad->Data->AuthMethod == EfiIPsecAuthMethodCertificates) {\r | |
785 | PayloadBuf->AuthMethod = IKEV2_AUTH_METHOD_RSA;\r | |
786 | } else {\r | |
787 | Status = EFI_INVALID_PARAMETER;\r | |
788 | goto EXIT;\r | |
789 | }\r | |
790 | \r | |
791 | //\r | |
792 | // Copy the result of Prf(Key,IKE_SA_INIi/r|Ni/r|Prf(SK_Pr, IDi/r)) to Auth\r | |
793 | // payload block.\r | |
794 | //\r | |
795 | if (!IsVerify) {\r | |
796 | CopyMem (PayloadBuf + 1, Signature, SigSize);\r | |
797 | } else {\r | |
798 | CopyMem (PayloadBuf + 1, Digest, DigestSize);\r | |
799 | }\r | |
800 | \r | |
801 | //\r | |
802 | // Fill in IKE_PACKET\r | |
803 | //\r | |
804 | AuthPayload->PayloadBuf = (UINT8 *) PayloadBuf;\r | |
805 | AuthPayload->PayloadType = IKEV2_PAYLOAD_TYPE_AUTH;\r | |
806 | \r | |
807 | EXIT:\r | |
808 | if (KeyBuf != NULL) {\r | |
809 | FreePool (KeyBuf);\r | |
810 | }\r | |
811 | if (Digest != NULL) {\r | |
812 | FreePool (Digest);\r | |
813 | }\r | |
814 | if (Signature != NULL) {\r | |
815 | FreePool (Signature);\r | |
816 | }\r | |
817 | if (Fragments[2].Data != NULL) {\r | |
818 | //\r | |
819 | // Free the buffer which contains the result of Prf(SK_Pr, IDi/r)\r | |
820 | // \r | |
821 | FreePool (Fragments[2].Data);\r | |
822 | }\r | |
823 | \r | |
824 | if (EFI_ERROR (Status)) {\r | |
825 | if (AuthPayload != NULL) {\r | |
826 | IkePayloadFree (AuthPayload);\r | |
827 | }\r | |
828 | return NULL;\r | |
829 | } else {\r | |
830 | return AuthPayload;\r | |
831 | }\r | |
832 | }\r | |
833 | \r | |
834 | /**\r | |
835 | Generate TS payload.\r | |
836 | \r | |
837 | This function generates TSi or TSr payload according to type of next payload.\r | |
838 | If the next payload is Responder TS, gereate TSi Payload. Otherwise, generate\r | |
839 | TSr payload.\r | |
840 | \r | |
841 | @param[in] ChildSa Pointer to IKEV2_CHILD_SA_SESSION related to this TS payload.\r | |
842 | @param[in] NextPayload The payload type presented in the NextPayload field \r | |
843 | of ID Payload header.\r | |
844 | @param[in] IsTunnel It indicates that if the Ts Payload is after the CP payload.\r | |
845 | If yes, it means the Tsi and Tsr payload should be with\r | |
846 | Max port range and address range and protocol is marked\r | |
847 | as zero.\r | |
848 | \r | |
849 | @retval Pointer to Ts IKE payload.\r | |
850 | \r | |
851 | **/\r | |
852 | IKE_PAYLOAD *\r | |
853 | Ikev2GenerateTsPayload (\r | |
854 | IN IKEV2_CHILD_SA_SESSION *ChildSa,\r | |
855 | IN UINT8 NextPayload,\r | |
856 | IN BOOLEAN IsTunnel\r | |
857 | )\r | |
858 | {\r | |
859 | IKE_PAYLOAD *TsPayload;\r | |
860 | IKEV2_TS *TsPayloadBuf;\r | |
861 | TRAFFIC_SELECTOR *TsSelector;\r | |
862 | UINTN SelectorSize;\r | |
863 | UINTN TsPayloadSize;\r | |
864 | UINT8 IpVersion;\r | |
865 | UINT8 AddrSize;\r | |
866 | \r | |
867 | //\r | |
868 | // 1 2 3\r | |
869 | // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1\r | |
870 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
871 | // ! Next Payload !C! RESERVED ! Payload Length !\r | |
872 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
873 | // ! Number of TSs ! RESERVED !\r | |
874 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
875 | // ! !\r | |
876 | // ~ <Traffic Selectors> ~\r | |
877 | // ! !\r | |
878 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
879 | //\r | |
880 | \r | |
881 | TsPayload = IkePayloadAlloc();\r | |
882 | ASSERT (TsPayload != NULL);\r | |
883 | \r | |
884 | IpVersion = ChildSa->SessionCommon.UdpService->IpVersion;\r | |
885 | //\r | |
886 | // The Starting Address and Ending Address is variable length depends on \r | |
887 | // is IPv4 or IPv6\r | |
888 | //\r | |
889 | AddrSize = (UINT8)((IpVersion == IP_VERSION_4) ? sizeof (EFI_IPv4_ADDRESS) : sizeof (EFI_IPv6_ADDRESS));\r | |
890 | SelectorSize = sizeof (TRAFFIC_SELECTOR) + 2 * AddrSize;\r | |
891 | TsPayloadSize = sizeof (IKEV2_TS) + SelectorSize;\r | |
892 | TsPayloadBuf = AllocateZeroPool (TsPayloadSize);\r | |
893 | ASSERT (TsPayloadBuf != NULL);\r | |
894 | \r | |
895 | TsPayload->PayloadBuf = (UINT8 *) TsPayloadBuf;\r | |
896 | TsSelector = (TRAFFIC_SELECTOR*)(TsPayloadBuf + 1);\r | |
897 | \r | |
898 | TsSelector->TSType = (UINT8)((IpVersion == IP_VERSION_4) ? IKEV2_TS_TYPE_IPV4_ADDR_RANGE : IKEV2_TS_TYPS_IPV6_ADDR_RANGE);\r | |
899 | \r | |
900 | //\r | |
901 | // For tunnel mode \r | |
902 | //\r | |
903 | if (IsTunnel) {\r | |
904 | TsSelector->IpProtocolId = IKEV2_TS_ANY_PROTOCOL;\r | |
905 | TsSelector->SelecorLen = (UINT16) SelectorSize;\r | |
906 | TsSelector->StartPort = 0;\r | |
907 | TsSelector->EndPort = IKEV2_TS_ANY_PORT;\r | |
908 | ZeroMem ((UINT8*)TsSelector + sizeof(TRAFFIC_SELECTOR), AddrSize);\r | |
909 | SetMem ((UINT8*)TsSelector + sizeof(TRAFFIC_SELECTOR) + AddrSize, AddrSize, 0xff);\r | |
910 | \r | |
911 | } else {\r | |
912 | //\r | |
913 | // TODO: Support port range and address range\r | |
914 | //\r | |
915 | if (NextPayload == IKEV2_PAYLOAD_TYPE_TS_RSP){\r | |
916 | //\r | |
917 | // Create initiator Traffic Selector \r | |
918 | // \r | |
919 | TsSelector->SelecorLen = (UINT16)SelectorSize;\r | |
920 | \r | |
921 | //\r | |
922 | // Currently only support the port range from 0~0xffff. Don't support other\r | |
923 | // port range.\r | |
924 | // TODO: support Port range\r | |
925 | //\r | |
926 | if (ChildSa->SessionCommon.IsInitiator) {\r | |
927 | if (ChildSa->Spd->Selector->LocalPort != 0 &&\r | |
928 | ChildSa->Spd->Selector->LocalPortRange == 0) {\r | |
929 | // \r | |
930 | // For not port range.\r | |
931 | //\r | |
932 | TsSelector->StartPort = ChildSa->Spd->Selector->LocalPort;\r | |
933 | TsSelector->EndPort = ChildSa->Spd->Selector->LocalPort;\r | |
934 | } else if (ChildSa->Spd->Selector->LocalPort == 0){\r | |
935 | //\r | |
936 | // For port from 0~0xffff\r | |
937 | //\r | |
938 | TsSelector->StartPort = 0;\r | |
939 | TsSelector->EndPort = IKEV2_TS_ANY_PORT;\r | |
940 | } else {\r | |
941 | //\r | |
942 | // Not support now.\r | |
943 | //\r | |
944 | goto ON_ERROR;\r | |
945 | }\r | |
946 | } else {\r | |
947 | if (ChildSa->Spd->Selector->RemotePort != 0 && \r | |
948 | ChildSa->Spd->Selector->RemotePortRange == 0) {\r | |
949 | //\r | |
950 | // For not port range.\r | |
951 | //\r | |
952 | TsSelector->StartPort = ChildSa->Spd->Selector->RemotePort;\r | |
953 | TsSelector->EndPort = ChildSa->Spd->Selector->RemotePort;\r | |
954 | } else if (ChildSa->Spd->Selector->RemotePort == 0) {\r | |
955 | //\r | |
956 | // For port from 0~0xffff\r | |
957 | //\r | |
958 | TsSelector->StartPort = 0;\r | |
959 | TsSelector->EndPort = IKEV2_TS_ANY_PORT;\r | |
960 | } else {\r | |
961 | //\r | |
962 | // Not support now.\r | |
963 | //\r | |
964 | goto ON_ERROR;\r | |
965 | }\r | |
966 | }\r | |
967 | //\r | |
968 | // Copy Address.Currently the address range is not supported.\r | |
969 | // The Starting address is same as Ending address\r | |
970 | // TODO: Support Address Range. \r | |
971 | //\r | |
972 | CopyMem (\r | |
973 | (UINT8*)TsSelector + sizeof(TRAFFIC_SELECTOR),\r | |
974 | ChildSa->SessionCommon.IsInitiator ?\r | |
975 | ChildSa->Spd->Selector->LocalAddress :\r | |
976 | ChildSa->Spd->Selector->RemoteAddress,\r | |
977 | AddrSize\r | |
978 | );\r | |
979 | CopyMem (\r | |
980 | (UINT8*)TsSelector + sizeof(TRAFFIC_SELECTOR) + AddrSize,\r | |
981 | ChildSa->SessionCommon.IsInitiator ?\r | |
982 | ChildSa->Spd->Selector->LocalAddress :\r | |
983 | ChildSa->Spd->Selector->RemoteAddress,\r | |
984 | AddrSize\r | |
985 | );\r | |
986 | //\r | |
987 | // If the Next Payload is not TS responder, this TS payload type is the TS responder.\r | |
988 | //\r | |
989 | TsPayload->PayloadType = IKEV2_PAYLOAD_TYPE_TS_INIT;\r | |
990 | }else{\r | |
991 | //\r | |
992 | // Create responder Traffic Selector\r | |
993 | // \r | |
994 | TsSelector->SelecorLen = (UINT16)SelectorSize;\r | |
995 | \r | |
996 | //\r | |
997 | // Currently only support the port range from 0~0xffff. Don't support other\r | |
998 | // port range.\r | |
999 | // TODO: support Port range\r | |
1000 | //\r | |
1001 | if (!ChildSa->SessionCommon.IsInitiator) {\r | |
1002 | if (ChildSa->Spd->Selector->LocalPort != 0 &&\r | |
1003 | ChildSa->Spd->Selector->LocalPortRange == 0) {\r | |
1004 | //\r | |
1005 | // For not port range.\r | |
1006 | //\r | |
1007 | TsSelector->StartPort = ChildSa->Spd->Selector->LocalPort;\r | |
1008 | TsSelector->EndPort = ChildSa->Spd->Selector->LocalPort;\r | |
1009 | } else if (ChildSa->Spd->Selector->LocalPort == 0){\r | |
1010 | //\r | |
1011 | // For port from 0~0xffff\r | |
1012 | //\r | |
1013 | TsSelector->StartPort = 0;\r | |
1014 | TsSelector->EndPort = IKEV2_TS_ANY_PORT;\r | |
1015 | } else {\r | |
1016 | //\r | |
1017 | // Not support now.\r | |
1018 | //\r | |
1019 | goto ON_ERROR;\r | |
1020 | }\r | |
1021 | } else {\r | |
1022 | if (ChildSa->Spd->Selector->RemotePort != 0 &&\r | |
1023 | ChildSa->Spd->Selector->RemotePortRange == 0) {\r | |
1024 | //\r | |
1025 | // For not port range.\r | |
1026 | //\r | |
1027 | TsSelector->StartPort = ChildSa->Spd->Selector->RemotePort;\r | |
1028 | TsSelector->EndPort = ChildSa->Spd->Selector->RemotePort;\r | |
1029 | } else if (ChildSa->Spd->Selector->RemotePort == 0){\r | |
1030 | //\r | |
1031 | // For port from 0~0xffff\r | |
1032 | //\r | |
1033 | TsSelector->StartPort = 0;\r | |
1034 | TsSelector->EndPort = IKEV2_TS_ANY_PORT;\r | |
1035 | } else {\r | |
1036 | //\r | |
1037 | // Not support now.\r | |
1038 | //\r | |
1039 | goto ON_ERROR;\r | |
1040 | }\r | |
1041 | }\r | |
1042 | //\r | |
1043 | // Copy Address.Currently the address range is not supported.\r | |
1044 | // The Starting address is same as Ending address\r | |
1045 | // TODO: Support Address Range. \r | |
1046 | //\r | |
1047 | CopyMem (\r | |
1048 | (UINT8*)TsSelector + sizeof(TRAFFIC_SELECTOR),\r | |
1049 | ChildSa->SessionCommon.IsInitiator ?\r | |
1050 | ChildSa->Spd->Selector->RemoteAddress :\r | |
1051 | ChildSa->Spd->Selector->LocalAddress,\r | |
1052 | AddrSize\r | |
1053 | );\r | |
1054 | CopyMem (\r | |
1055 | (UINT8*)TsSelector + sizeof(TRAFFIC_SELECTOR) + AddrSize,\r | |
1056 | ChildSa->SessionCommon.IsInitiator ?\r | |
1057 | ChildSa->Spd->Selector->RemoteAddress :\r | |
1058 | ChildSa->Spd->Selector->LocalAddress,\r | |
1059 | AddrSize\r | |
1060 | );\r | |
1061 | //\r | |
1062 | // If the Next Payload is not TS responder, this TS payload type is the TS responder.\r | |
1063 | //\r | |
1064 | TsPayload->PayloadType = IKEV2_PAYLOAD_TYPE_TS_RSP;\r | |
1065 | }\r | |
1066 | }\r | |
1067 | \r | |
1068 | if (ChildSa->Spd->Selector->NextLayerProtocol != 0xffff) {\r | |
1069 | TsSelector->IpProtocolId = (UINT8)ChildSa->Spd->Selector->NextLayerProtocol;\r | |
1070 | } else {\r | |
1071 | TsSelector->IpProtocolId = IKEV2_TS_ANY_PROTOCOL;\r | |
1072 | } \r | |
1073 | \r | |
1074 | TsPayloadBuf->Header.NextPayload = NextPayload;\r | |
1075 | TsPayloadBuf->Header.PayloadLength = (UINT16)TsPayloadSize;\r | |
1076 | TsPayloadBuf->TSNumbers = 1;\r | |
1077 | TsPayload->PayloadSize = TsPayloadSize;\r | |
1078 | goto ON_EXIT;\r | |
1079 | \r | |
1080 | ON_ERROR:\r | |
1081 | if (TsPayload != NULL) {\r | |
1082 | IkePayloadFree (TsPayload); \r | |
1083 | TsPayload = NULL;\r | |
1084 | }\r | |
1085 | ON_EXIT: \r | |
1086 | return TsPayload;\r | |
1087 | }\r | |
1088 | \r | |
1089 | /**\r | |
1090 | Generate the Notify payload.\r | |
1091 | \r | |
1092 | Since the structure of Notify payload which defined in RFC 4306 is simple, so\r | |
1093 | there is no internal data structure for Notify payload. This function generate \r | |
1094 | Notify payload defined in RFC 4306, but all the fields in this payload are still \r | |
1095 | in host order and need call Ikev2EncodePayload() to convert those fields from \r | |
1096 | the host order to network order beforing sending it.\r | |
1097 | \r | |
1098 | @param[in] ProtocolId The protocol type ID. For IKE_SA it MUST be one (1).\r | |
1099 | For IPsec SAs it MUST be neither (2) for AH or (3)\r | |
1100 | for ESP.\r | |
1101 | @param[in] NextPayload The next paylaod type in NextPayload field of \r | |
1102 | the Notify payload.\r | |
1103 | @param[in] SpiSize Size of the SPI in SPI size field of the Notify Payload. \r | |
1104 | @param[in] MessageType The message type in NotifyMessageType field of the \r | |
1105 | Notify Payload.\r | |
1106 | @param[in] SpiBuf Pointer to buffer contains the SPI value.\r | |
1107 | @param[in] NotifyData Pointer to buffer contains the notification data.\r | |
1108 | @param[in] NotifyDataSize The size of NotifyData in bytes.\r | |
1109 | \r | |
1110 | \r | |
1111 | @retval Pointer to IKE Notify Payload.\r | |
1112 | \r | |
1113 | **/\r | |
1114 | IKE_PAYLOAD *\r | |
1115 | Ikev2GenerateNotifyPayload (\r | |
1116 | IN UINT8 ProtocolId,\r | |
1117 | IN UINT8 NextPayload,\r | |
1118 | IN UINT8 SpiSize,\r | |
1119 | IN UINT16 MessageType,\r | |
1120 | IN UINT8 *SpiBuf,\r | |
1121 | IN UINT8 *NotifyData,\r | |
1122 | IN UINTN NotifyDataSize\r | |
1123 | )\r | |
1124 | {\r | |
1125 | IKE_PAYLOAD *NotifyPayload;\r | |
1126 | IKEV2_NOTIFY *Notify;\r | |
1127 | UINT16 NotifyPayloadLen;\r | |
1128 | UINT8 *MessageData;\r | |
1129 | \r | |
1130 | // 1 2 3\r | |
1131 | // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1\r | |
1132 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
1133 | // ! Next Payload !C! RESERVED ! Payload Length !\r | |
1134 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
1135 | // ! Protocol ID ! SPI Size ! Notify Message Type !\r | |
1136 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
1137 | // ! !\r | |
1138 | // ~ Security Parameter Index (SPI) ~\r | |
1139 | // ! !\r | |
1140 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
1141 | // ! !\r | |
1142 | // ~ Notification Data ~\r | |
1143 | // ! !\r | |
1144 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
1145 | //\r | |
1146 | //\r | |
1147 | NotifyPayloadLen = (UINT16) (sizeof (IKEV2_NOTIFY) + NotifyDataSize + SpiSize);\r | |
1148 | Notify = (IKEV2_NOTIFY *) AllocateZeroPool (NotifyPayloadLen);\r | |
1149 | ASSERT (Notify != NULL);\r | |
1150 | \r | |
1151 | //\r | |
1152 | // Set Delete Payload's Generic Header\r | |
1153 | //\r | |
1154 | Notify->Header.NextPayload = NextPayload;\r | |
1155 | Notify->Header.PayloadLength = NotifyPayloadLen;\r | |
1156 | Notify->SpiSize = SpiSize;\r | |
1157 | Notify->ProtocolId = ProtocolId;\r | |
1158 | Notify->MessageType = MessageType;\r | |
1159 | \r | |
1160 | //\r | |
1161 | // Copy Spi , for Cookie Notify, there is no SPI.\r | |
1162 | //\r | |
1163 | if (SpiBuf != NULL && SpiSize != 0 ) {\r | |
1164 | CopyMem (Notify + 1, SpiBuf, SpiSize);\r | |
1165 | }\r | |
1166 | \r | |
1167 | MessageData = ((UINT8 *) (Notify + 1)) + SpiSize;\r | |
1168 | \r | |
1169 | //\r | |
1170 | // Copy Notification Data\r | |
1171 | //\r | |
1172 | if (NotifyDataSize != 0) {\r | |
1173 | CopyMem (MessageData, NotifyData, NotifyDataSize);\r | |
1174 | }\r | |
1175 | \r | |
1176 | //\r | |
1177 | // Create Payload for and set type as IKEV2_PAYLOAD_TYPE_NOTIFY\r | |
1178 | //\r | |
1179 | NotifyPayload = IkePayloadAlloc ();\r | |
1180 | ASSERT (NotifyPayload != NULL);\r | |
1181 | NotifyPayload->PayloadType = IKEV2_PAYLOAD_TYPE_NOTIFY;\r | |
1182 | NotifyPayload->PayloadBuf = (UINT8 *) Notify;\r | |
1183 | NotifyPayload->PayloadSize = NotifyPayloadLen;\r | |
1184 | return NotifyPayload;\r | |
1185 | }\r | |
1186 | \r | |
1187 | /**\r | |
1188 | Generate the Delete payload.\r | |
1189 | \r | |
1190 | Since the structure of Delete payload which defined in RFC 4306 is simple, \r | |
1191 | there is no internal data structure for Delete payload. This function generate \r | |
1192 | Delete payload defined in RFC 4306, but all the fields in this payload are still \r | |
1193 | in host order and need call Ikev2EncodePayload() to convert those fields from \r | |
1194 | the host order to network order beforing sending it.\r | |
1195 | \r | |
1196 | @param[in] IkeSaSession Pointer to IKE SA Session to be used of Delete payload generation.\r | |
1197 | @param[in] NextPayload The next paylaod type in NextPayload field of \r | |
1198 | the Delete payload.\r | |
1199 | @param[in] SpiSize Size of the SPI in SPI size field of the Delete Payload.\r | |
1200 | @param[in] SpiNum Number of SPI in NumofSPIs field of the Delete Payload.\r | |
1201 | @param[in] SpiBuf Pointer to buffer contains the SPI value.\r | |
1202 | \r | |
1203 | @retval a Pointer of IKE Delete Payload.\r | |
1204 | \r | |
1205 | **/\r | |
1206 | IKE_PAYLOAD *\r | |
1207 | Ikev2GenerateDeletePayload (\r | |
1208 | IN IKEV2_SA_SESSION *IkeSaSession,\r | |
1209 | IN UINT8 NextPayload,\r | |
1210 | IN UINT8 SpiSize,\r | |
1211 | IN UINT16 SpiNum,\r | |
1212 | IN UINT8 *SpiBuf\r | |
1213 | \r | |
1214 | )\r | |
1215 | {\r | |
1216 | IKE_PAYLOAD *DelPayload;\r | |
1217 | IKEV2_DELETE *Del;\r | |
1218 | UINT16 SpiBufSize;\r | |
1219 | UINT16 DelPayloadLen;\r | |
1220 | \r | |
1221 | // 1 2 3\r | |
1222 | // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1\r | |
1223 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
1224 | // ! Next Payload !C! RESERVED ! Payload Length !\r | |
1225 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
1226 | // ! Protocol ID ! SPI Size ! # of SPIs !\r | |
1227 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
1228 | // ! !\r | |
1229 | // ~ Security Parameter Index(es) (SPI) ~\r | |
1230 | // ! !\r | |
1231 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
1232 | //\r | |
1233 | SpiBufSize = (UINT16) (SpiSize * SpiNum);\r | |
1234 | DelPayloadLen = (UINT16) (sizeof (IKEV2_DELETE) + SpiBufSize);\r | |
1235 | \r | |
1236 | Del = AllocateZeroPool (DelPayloadLen);\r | |
1237 | ASSERT (Del != NULL);\r | |
1238 | \r | |
1239 | //\r | |
1240 | // Set Delete Payload's Generic Header\r | |
1241 | //\r | |
1242 | Del->Header.NextPayload = NextPayload;\r | |
1243 | Del->Header.PayloadLength = DelPayloadLen;\r | |
1244 | Del->NumSpis = SpiNum;\r | |
1245 | Del->SpiSize = SpiSize;\r | |
1246 | \r | |
1247 | if (SpiSize == 4) {\r | |
1248 | //\r | |
1249 | // TODO: should consider the AH if needs to support.\r | |
1250 | //\r | |
1251 | Del->ProtocolId = IPSEC_PROTO_IPSEC_ESP;\r | |
1252 | } else {\r | |
1253 | Del->ProtocolId = IPSEC_PROTO_ISAKMP;\r | |
1254 | }\r | |
1255 | \r | |
1256 | //\r | |
1257 | // Set Del Payload's Idntification Data\r | |
1258 | //\r | |
1259 | CopyMem (Del + 1, SpiBuf, SpiBufSize);\r | |
1260 | DelPayload = IkePayloadAlloc ();\r | |
1261 | ASSERT (DelPayload != NULL);\r | |
1262 | DelPayload->PayloadType = IKEV2_PAYLOAD_TYPE_DELETE;\r | |
1263 | DelPayload->PayloadBuf = (UINT8 *) Del;\r | |
1264 | DelPayload->PayloadSize = DelPayloadLen;\r | |
1265 | return DelPayload;\r | |
1266 | }\r | |
1267 | \r | |
1268 | /**\r | |
1269 | Generate the Configuration payload.\r | |
1270 | \r | |
1271 | This function generate configuration payload defined in RFC 4306, but all the \r | |
1272 | fields in this payload are still in host order and need call Ikev2EncodePayload() \r | |
1273 | to convert those fields from the host order to network order beforing sending it.\r | |
1274 | \r | |
1275 | @param[in] IkeSaSession Pointer to IKE SA Session to be used for Delete payload \r | |
1276 | generation.\r | |
1277 | @param[in] NextPayload The next paylaod type in NextPayload field of \r | |
1278 | the Delete payload.\r | |
1279 | @param[in] CfgType The attribute type in the Configuration attribute.\r | |
1280 | \r | |
1281 | @retval Pointer to IKE CP Payload.\r | |
1282 | \r | |
1283 | **/\r | |
1284 | IKE_PAYLOAD *\r | |
1285 | Ikev2GenerateCpPayload (\r | |
1286 | IN IKEV2_SA_SESSION *IkeSaSession,\r | |
1287 | IN UINT8 NextPayload,\r | |
1288 | IN UINT8 CfgType\r | |
1289 | )\r | |
1290 | {\r | |
1291 | IKE_PAYLOAD *CpPayload;\r | |
1292 | IKEV2_CFG *Cfg;\r | |
1293 | UINT16 PayloadLen;\r | |
1294 | IKEV2_CFG_ATTRIBUTES *CfgAttributes;\r | |
1295 | \r | |
1296 | //\r | |
1297 | // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1\r | |
1298 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
1299 | // ! Next Payload !C! RESERVED ! Payload Length !\r | |
1300 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
1301 | // ! CFG Type ! RESERVED !\r | |
1302 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
1303 | // ! !\r | |
1304 | // ~ Configuration Attributes ~\r | |
1305 | // ! !\r | |
1306 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
1307 | //\r | |
1308 | \r | |
1309 | PayloadLen = (UINT16) (sizeof (IKEV2_CFG) + sizeof (IKEV2_CFG_ATTRIBUTES));\r | |
1310 | Cfg = (IKEV2_CFG *) AllocateZeroPool (PayloadLen);\r | |
1311 | \r | |
1312 | if (Cfg == NULL) {\r | |
1313 | return NULL;\r | |
1314 | }\r | |
1315 | \r | |
1316 | CfgAttributes = (IKEV2_CFG_ATTRIBUTES *)((UINT8 *)Cfg + sizeof (IKEV2_CFG));\r | |
1317 | \r | |
1318 | //\r | |
1319 | // Only generate the configuration payload with an empty INTERNAL_IP4_ADDRESS \r | |
1320 | // or INTERNAL_IP6_ADDRESS. \r | |
1321 | //\r | |
1322 | \r | |
1323 | Cfg->Header.NextPayload = NextPayload;\r | |
1324 | Cfg->Header.PayloadLength = PayloadLen;\r | |
1325 | Cfg->CfgType = IKEV2_CFG_TYPE_REQUEST;\r | |
1326 | \r | |
1327 | CfgAttributes->AttritType = CfgType;\r | |
1328 | CfgAttributes->ValueLength = 0;\r | |
1329 | \r | |
1330 | CpPayload = IkePayloadAlloc ();\r | |
1331 | if (CpPayload == NULL) {\r | |
1332 | if (Cfg != NULL) {\r | |
1333 | FreePool (Cfg);\r | |
1334 | }\r | |
1335 | return NULL;\r | |
1336 | }\r | |
1337 | \r | |
1338 | CpPayload->PayloadType = IKEV2_PAYLOAD_TYPE_CP;\r | |
1339 | CpPayload->PayloadBuf = (UINT8 *) Cfg;\r | |
1340 | CpPayload->PayloadSize = PayloadLen;\r | |
1341 | return CpPayload;\r | |
1342 | }\r | |
1343 | \r | |
1344 | /**\r | |
1345 | Parser the Notify Cookie payload.\r | |
1346 | \r | |
1347 | This function parses the Notify Cookie payload.If the Notify ProtocolId is not\r | |
1348 | IPSEC_PROTO_ISAKMP or if the SpiSize is not zero or if the MessageType is not\r | |
1349 | the COOKIE, return EFI_INVALID_PARAMETER.\r | |
1350 | \r | |
1351 | @param[in] IkeNCookie Pointer to the IKE_PAYLOAD which contians the \r | |
1352 | Notify Cookie payload.\r | |
1353 | the Notify payload.\r | |
1354 | @param[in, out] IkeSaSession Pointer to the relevant IKE SA Session.\r | |
1355 | \r | |
1356 | @retval EFI_SUCCESS The Notify Cookie Payload is valid.\r | |
1357 | @retval EFI_INVALID_PARAMETER The Notify Cookie Payload is invalid.\r | |
1358 | @retval EFI_OUT_OF_RESOURCE The required resource can't be allocated.\r | |
1359 | \r | |
1360 | **/\r | |
1361 | EFI_STATUS\r | |
1362 | Ikev2ParserNotifyCookiePayload (\r | |
1363 | IN IKE_PAYLOAD *IkeNCookie,\r | |
1364 | IN OUT IKEV2_SA_SESSION *IkeSaSession\r | |
1365 | ) \r | |
1366 | {\r | |
1367 | IKEV2_NOTIFY *NotifyPayload;\r | |
1368 | UINTN NotifyDataSize;\r | |
1369 | \r | |
1370 | NotifyPayload = (IKEV2_NOTIFY *)IkeNCookie->PayloadBuf;\r | |
1371 | \r | |
1372 | if ((NotifyPayload->ProtocolId != IPSEC_PROTO_ISAKMP) || \r | |
1373 | (NotifyPayload->SpiSize != 0) ||\r | |
1374 | (NotifyPayload->MessageType != IKEV2_NOTIFICATION_COOKIE)\r | |
1375 | ) {\r | |
1376 | return EFI_INVALID_PARAMETER;\r | |
1377 | }\r | |
1378 | \r | |
1379 | NotifyDataSize = NotifyPayload->Header.PayloadLength - sizeof (IKEV2_NOTIFY);\r | |
1380 | IkeSaSession->NCookie = AllocateZeroPool (NotifyDataSize);\r | |
1381 | if (IkeSaSession->NCookie == NULL) {\r | |
1382 | return EFI_OUT_OF_RESOURCES;\r | |
1383 | }\r | |
1384 | \r | |
1385 | IkeSaSession->NCookieSize = NotifyDataSize;\r | |
1386 | \r | |
1387 | CopyMem (\r | |
1388 | IkeSaSession->NCookie, \r | |
1389 | NotifyPayload + sizeof (IKEV2_NOTIFY), \r | |
1390 | NotifyDataSize\r | |
1391 | );\r | |
1392 | \r | |
1393 | return EFI_SUCCESS;\r | |
1394 | }\r | |
1395 | \r | |
1396 | \r | |
1397 | /**\r | |
1398 | Generate the Certificate payload or Certificate Request Payload.\r | |
1399 | \r | |
1400 | Since the Certificate Payload structure is same with Certificate Request Payload, \r | |
1401 | the only difference is that one contains the Certificate Data, other contains\r | |
1402 | the acceptable certificateion CA. This function generate Certificate payload \r | |
1403 | or Certificate Request Payload defined in RFC 4306, but all the fields \r | |
1404 | in the payload are still in host order and need call Ikev2EncodePayload() \r | |
1405 | to convert those fields from the host order to network order beforing sending it.\r | |
1406 | \r | |
1407 | @param[in] IkeSaSession Pointer to IKE SA Session to be used of Delete payload \r | |
1408 | generation.\r | |
1409 | @param[in] NextPayload The next paylaod type in NextPayload field of \r | |
1410 | the Delete payload.\r | |
1411 | @param[in] Certificate Pointer of buffer contains the certification data.\r | |
1412 | @param[in] CertificateLen The length of Certificate in byte.\r | |
1413 | @param[in] EncodeType Specified the Certificate Encodeing which is defined\r | |
1414 | in RFC 4306.\r | |
1415 | @param[in] IsRequest To indicate create Certificate Payload or Certificate\r | |
1416 | Request Payload. If it is TURE, create Certificate\r | |
1417 | Payload. Otherwise, create Certificate Request Payload.\r | |
1418 | \r | |
1419 | @retval a Pointer to IKE Payload whose payload buffer containing the Certificate\r | |
1420 | payload or Certificated Request payload.\r | |
1421 | \r | |
1422 | **/\r | |
1423 | IKE_PAYLOAD *\r | |
1424 | Ikev2GenerateCertificatePayload (\r | |
1425 | IN IKEV2_SA_SESSION *IkeSaSession,\r | |
1426 | IN UINT8 NextPayload,\r | |
1427 | IN UINT8 *Certificate,\r | |
1428 | IN UINTN CertificateLen,\r | |
1429 | IN UINT8 EncodeType,\r | |
1430 | IN BOOLEAN IsRequest\r | |
1431 | )\r | |
1432 | {\r | |
1433 | IKE_PAYLOAD *CertPayload;\r | |
1434 | IKEV2_CERT *Cert;\r | |
1435 | UINT16 PayloadLen;\r | |
1436 | UINT8 *PublicKey;\r | |
1437 | UINTN PublicKeyLen;\r | |
1438 | HASH_DATA_FRAGMENT Fragment[1];\r | |
1439 | UINT8 *HashData;\r | |
1440 | UINTN HashDataSize;\r | |
1441 | EFI_STATUS Status;\r | |
1442 | \r | |
1443 | //\r | |
1444 | // 1 2 3\r | |
1445 | // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1\r | |
1446 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
1447 | // ! Next Payload !C! RESERVED ! Payload Length !\r | |
1448 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
1449 | // ! Cert Encoding ! !\r | |
1450 | // +-+-+-+-+-+-+-+-+ !\r | |
1451 | // ~ Certificate Data/Authority ~\r | |
1452 | // ! !\r | |
1453 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
1454 | //\r | |
1455 | \r | |
1456 | Status = EFI_SUCCESS;\r | |
1457 | PublicKey = NULL;\r | |
1458 | PublicKeyLen = 0; \r | |
1459 | \r | |
1460 | if (!IsRequest) {\r | |
1461 | PayloadLen = (UINT16) (sizeof (IKEV2_CERT) + CertificateLen);\r | |
1462 | } else {\r | |
1463 | //\r | |
1464 | // SHA1 Hash length is 20.\r | |
1465 | //\r | |
1466 | PayloadLen = (UINT16) (sizeof (IKEV2_CERT) + 20);\r | |
1467 | }\r | |
1468 | \r | |
1469 | Cert = AllocateZeroPool (PayloadLen);\r | |
1470 | if (Cert == NULL) {\r | |
1471 | return NULL;\r | |
1472 | }\r | |
1473 | \r | |
1474 | //\r | |
1475 | // Generate Certificate Payload or Certificate Request Payload.\r | |
1476 | //\r | |
1477 | Cert->Header.NextPayload = NextPayload;\r | |
1478 | Cert->Header.PayloadLength = PayloadLen;\r | |
1479 | Cert->CertEncoding = EncodeType;\r | |
1480 | if (!IsRequest) {\r | |
1481 | CopyMem (\r | |
1482 | ((UINT8 *)Cert) + sizeof (IKEV2_CERT),\r | |
1483 | Certificate,\r | |
1484 | CertificateLen\r | |
1485 | );\r | |
1486 | } else {\r | |
1487 | Status = IpSecCryptoIoGetPublicKeyFromCert (\r | |
1488 | Certificate,\r | |
1489 | CertificateLen,\r | |
1490 | &PublicKey,\r | |
1491 | &PublicKeyLen\r | |
1492 | );\r | |
1493 | if (EFI_ERROR (Status)) {\r | |
1494 | goto ON_EXIT; \r | |
1495 | }\r | |
1496 | \r | |
1497 | Fragment[0].Data = PublicKey;\r | |
1498 | Fragment[0].DataSize = PublicKeyLen;\r | |
1499 | HashDataSize = IpSecGetHmacDigestLength (IKE_AALG_SHA1HMAC);\r | |
1500 | HashData = AllocateZeroPool (HashDataSize);\r | |
1501 | \r | |
1502 | Status = IpSecCryptoIoHash (\r | |
1503 | IKE_AALG_SHA1HMAC,\r | |
1504 | Fragment,\r | |
1505 | 1,\r | |
1506 | HashData,\r | |
1507 | HashDataSize\r | |
1508 | );\r | |
1509 | if (EFI_ERROR (Status)) {\r | |
1510 | goto ON_EXIT;\r | |
1511 | }\r | |
1512 | \r | |
1513 | CopyMem (\r | |
1514 | ((UINT8 *)Cert) + sizeof (IKEV2_CERT),\r | |
1515 | HashData,\r | |
1516 | HashDataSize\r | |
1517 | );\r | |
1518 | }\r | |
1519 | \r | |
1520 | CertPayload = IkePayloadAlloc ();\r | |
1521 | if (CertPayload == NULL) {\r | |
1522 | goto ON_EXIT;\r | |
1523 | }\r | |
1524 | \r | |
1525 | if (!IsRequest) {\r | |
1526 | CertPayload->PayloadType = IKEV2_PAYLOAD_TYPE_CERT;\r | |
1527 | } else {\r | |
1528 | CertPayload->PayloadType = IKEV2_PAYLOAD_TYPE_CERTREQ;\r | |
1529 | }\r | |
1530 | \r | |
1531 | CertPayload->PayloadBuf = (UINT8 *) Cert;\r | |
1532 | CertPayload->PayloadSize = PayloadLen;\r | |
1533 | return CertPayload;\r | |
1534 | \r | |
1535 | ON_EXIT:\r | |
1536 | if (Cert != NULL) {\r | |
1537 | FreePool (Cert);\r | |
1538 | }\r | |
1539 | if (PublicKey != NULL) {\r | |
1540 | FreePool (PublicKey);\r | |
1541 | }\r | |
1542 | return NULL;\r | |
1543 | }\r | |
1544 | \r | |
1545 | /**\r | |
1546 | Remove and free all IkePayloads in the specified IkePacket.\r | |
1547 | \r | |
1548 | @param[in] IkePacket The pointer of IKE_PACKET.\r | |
1549 | \r | |
1550 | **/\r | |
1551 | VOID\r | |
1552 | ClearAllPayloads (\r | |
1553 | IN IKE_PACKET *IkePacket\r | |
1554 | )\r | |
1555 | {\r | |
1556 | LIST_ENTRY *PayloadEntry;\r | |
1557 | IKE_PAYLOAD *IkePayload;\r | |
1558 | //\r | |
1559 | // remove all payloads from list and free each payload.\r | |
1560 | //\r | |
1561 | while (!IsListEmpty (&IkePacket->PayloadList)) {\r | |
1562 | PayloadEntry = IkePacket->PayloadList.ForwardLink;\r | |
1563 | IkePayload = IKE_PAYLOAD_BY_PACKET (PayloadEntry);\r | |
1564 | IKE_PACKET_REMOVE_PAYLOAD (IkePacket, IkePayload);\r | |
1565 | IkePayloadFree (IkePayload);\r | |
1566 | }\r | |
1567 | }\r | |
1568 | \r | |
1569 | /**\r | |
1570 | Transfer the intrnal data structure IKEV2_SA_DATA to IKEV2_SA structure defined in RFC.\r | |
1571 | \r | |
1572 | @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON related to the SA Session.\r | |
1573 | @param[in] SaData Pointer to IKEV2_SA_DATA to be transfered.\r | |
1574 | \r | |
1575 | @retval return the pointer of IKEV2_SA.\r | |
1576 | \r | |
1577 | **/\r | |
1578 | IKEV2_SA*\r | |
1579 | Ikev2EncodeSa (\r | |
686d4d4a | 1580 | IN IKEV2_SESSION_COMMON *SessionCommon,\r |
1581 | IN IKEV2_SA_DATA *SaData\r | |
9166f840 | 1582 | )\r |
1583 | {\r | |
1584 | IKEV2_SA *Sa;\r | |
1585 | UINTN SaSize;\r | |
1586 | IKEV2_PROPOSAL_DATA *ProposalData;\r | |
1587 | IKEV2_TRANSFORM_DATA *TransformData;\r | |
1588 | UINTN TotalTransforms;\r | |
1589 | UINTN SaAttrsSize;\r | |
1590 | UINTN TransformsSize;\r | |
1591 | UINTN TransformSize;\r | |
1592 | UINTN ProposalsSize;\r | |
1593 | UINTN ProposalSize;\r | |
1594 | UINTN ProposalIndex;\r | |
1595 | UINTN TransformIndex;\r | |
1596 | IKE_SA_ATTRIBUTE *SaAttribute;\r | |
1597 | IKEV2_PROPOSAL *Proposal;\r | |
1598 | IKEV2_PROPOSAL *LastProposal;\r | |
1599 | IKEV2_TRANSFORM *Transform;\r | |
1600 | IKEV2_TRANSFORM *LastTransform;\r | |
1601 | \r | |
1602 | //\r | |
1603 | // Transform IKE_SA_DATA structure to IKE_SA Payload.\r | |
1604 | // Header length is host order.\r | |
1605 | // The returned IKE_SA struct should be freed by caller.\r | |
1606 | //\r | |
1607 | TotalTransforms = 0;\r | |
1608 | //\r | |
1609 | // Caculate the Proposal numbers and Transform numbers.\r | |
1610 | //\r | |
1611 | for (ProposalIndex = 0; ProposalIndex < SaData->NumProposals; ProposalIndex++) {\r | |
1612 | \r | |
1613 | ProposalData = (IKEV2_PROPOSAL_DATA *) (SaData + 1) + ProposalIndex;\r | |
1614 | TotalTransforms += ProposalData->NumTransforms;\r | |
1615 | \r | |
1616 | }\r | |
1617 | SaSize = sizeof (IKEV2_SA) +\r | |
1618 | SaData->NumProposals * sizeof (IKEV2_PROPOSAL) +\r | |
1619 | TotalTransforms * (sizeof (IKEV2_TRANSFORM) + MAX_SA_ATTRS_SIZE);\r | |
1620 | //\r | |
1621 | // Allocate buffer for IKE_SA.\r | |
1622 | //\r | |
1623 | Sa = AllocateZeroPool (SaSize);\r | |
1624 | ASSERT (Sa != NULL);\r | |
1625 | CopyMem (Sa, SaData, sizeof (IKEV2_SA));\r | |
1626 | Sa->Header.PayloadLength = (UINT16) sizeof (IKEV2_SA);\r | |
1627 | ProposalsSize = 0;\r | |
1628 | LastProposal = NULL;\r | |
1629 | Proposal = (IKEV2_PROPOSAL *) (Sa + 1);\r | |
1630 | \r | |
1631 | //\r | |
1632 | // Set IKE_PROPOSAL\r | |
1633 | //\r | |
1634 | ProposalData = (IKEV2_PROPOSAL_DATA *) (SaData + 1);\r | |
1635 | for (ProposalIndex = 0; ProposalIndex < SaData->NumProposals; ProposalIndex++) {\r | |
1636 | Proposal->ProposalIndex = ProposalData->ProposalIndex;\r | |
1637 | Proposal->ProtocolId = ProposalData->ProtocolId;\r | |
1638 | Proposal->NumTransforms = ProposalData->NumTransforms;\r | |
1639 | \r | |
1640 | if (ProposalData->Spi == 0) {\r | |
1641 | Proposal->SpiSize = 0;\r | |
1642 | } else {\r | |
1643 | Proposal->SpiSize = 4;\r | |
1644 | *(UINT32 *) (Proposal + 1) = HTONL (*((UINT32*)ProposalData->Spi));\r | |
1645 | }\r | |
1646 | \r | |
1647 | TransformsSize = 0;\r | |
1648 | LastTransform = NULL;\r | |
1649 | Transform = (IKEV2_TRANSFORM *) ((UINT8 *) (Proposal + 1) + Proposal->SpiSize);\r | |
1650 | \r | |
1651 | //\r | |
1652 | // Set IKE_TRANSFORM\r | |
1653 | //\r | |
1654 | for (TransformIndex = 0; TransformIndex < ProposalData->NumTransforms; TransformIndex++) {\r | |
1655 | TransformData = (IKEV2_TRANSFORM_DATA *) (ProposalData + 1) + TransformIndex;\r | |
1656 | Transform->TransformType = TransformData->TransformType;\r | |
1657 | Transform->TransformId = HTONS (TransformData->TransformId);\r | |
1658 | SaAttrsSize = 0;\r | |
1659 | \r | |
1660 | //\r | |
1661 | // If the Encryption Algorithm is variable key length set the key length in attribute.\r | |
1662 | // Note that only a single attribute type (Key Length) is defined and it is fixed length.\r | |
1663 | //\r | |
1664 | if (Transform->TransformType == IKEV2_TRANSFORM_TYPE_ENCR && TransformData->Attribute.Attr.AttrValue != 0) {\r | |
1665 | SaAttribute = (IKE_SA_ATTRIBUTE *) (Transform + 1);\r | |
1666 | SaAttribute->AttrType = HTONS (IKEV2_ATTRIBUTE_TYPE_KEYLEN | SA_ATTR_FORMAT_BIT);\r | |
1667 | SaAttribute->Attr.AttrValue = HTONS (TransformData->Attribute.Attr.AttrValue);\r | |
1668 | SaAttrsSize = sizeof (IKE_SA_ATTRIBUTE);\r | |
1669 | }\r | |
1670 | \r | |
1671 | //\r | |
1672 | // If the Integrity Algorithm is variable key length set the key length in attribute.\r | |
1673 | //\r | |
1674 | if (Transform->TransformType == IKEV2_TRANSFORM_TYPE_INTEG && TransformData->Attribute.Attr.AttrValue != 0) {\r | |
1675 | SaAttribute = (IKE_SA_ATTRIBUTE *) (Transform + 1);\r | |
1676 | SaAttribute->AttrType = HTONS (IKEV2_ATTRIBUTE_TYPE_KEYLEN | SA_ATTR_FORMAT_BIT);\r | |
1677 | SaAttribute->Attr.AttrValue = HTONS (TransformData->Attribute.Attr.AttrValue);\r | |
1678 | SaAttrsSize = sizeof (IKE_SA_ATTRIBUTE);\r | |
1679 | }\r | |
1680 | \r | |
1681 | TransformSize = sizeof (IKEV2_TRANSFORM) + SaAttrsSize;\r | |
1682 | TransformsSize += TransformSize;\r | |
1683 | \r | |
1684 | Transform->Header.NextPayload = IKE_TRANSFORM_NEXT_PAYLOAD_MORE;\r | |
1685 | Transform->Header.PayloadLength = HTONS ((UINT16)TransformSize);\r | |
1686 | \r | |
1687 | if (TransformIndex == ProposalData->NumTransforms) {\r | |
1688 | LastTransform->Header.NextPayload = IKE_TRANSFORM_NEXT_PAYLOAD_NONE;\r | |
1689 | }\r | |
1690 | \r | |
1691 | Transform = (IKEV2_TRANSFORM *)((UINT8 *) Transform + TransformSize);\r | |
1692 | }\r | |
1693 | \r | |
1694 | //\r | |
1695 | // Set Proposal's Generic Header.\r | |
1696 | //\r | |
1697 | ProposalSize = sizeof (IKEV2_PROPOSAL) + Proposal->SpiSize + TransformsSize;\r | |
1698 | ProposalsSize += ProposalSize;\r | |
1699 | Proposal->Header.NextPayload = IKE_PROPOSAL_NEXT_PAYLOAD_MORE;\r | |
1700 | Proposal->Header.PayloadLength = HTONS ((UINT16)ProposalSize);\r | |
1701 | \r | |
1702 | if (ProposalIndex == SaData->NumProposals) {\r | |
1703 | LastProposal->Header.NextPayload = IKE_PROPOSAL_NEXT_PAYLOAD_NONE;\r | |
1704 | }\r | |
1705 | \r | |
1706 | //\r | |
1707 | // Point to next Proposal Payload\r | |
1708 | //\r | |
1709 | Proposal = (IKEV2_PROPOSAL *) ((UINT8 *) Proposal + ProposalSize);\r | |
1710 | ProposalData = (IKEV2_PROPOSAL_DATA *)(((UINT8 *)ProposalData) + sizeof (IKEV2_PROPOSAL_DATA) + (TransformIndex * sizeof (IKEV2_TRANSFORM_DATA)));\r | |
1711 | }\r | |
1712 | //\r | |
1713 | // Set SA's Generic Header.\r | |
1714 | //\r | |
1715 | Sa->Header.PayloadLength = (UINT16) (Sa->Header.PayloadLength + ProposalsSize);\r | |
1716 | return Sa;\r | |
1717 | }\r | |
1718 | \r | |
1719 | /**\r | |
1720 | Decode SA payload.\r | |
1721 | \r | |
1722 | This function converts the received SA payload to internal data structure.\r | |
1723 | \r | |
1724 | @param[in] SessionCommon Pointer to IKE Common Session used to decode the SA \r | |
1725 | Payload.\r | |
1726 | @param[in] Sa Pointer to SA Payload\r | |
1727 | \r | |
1728 | @return a Pointer to internal data structure for SA payload.\r | |
1729 | \r | |
1730 | **/\r | |
1731 | IKEV2_SA_DATA *\r | |
1732 | Ikev2DecodeSa (\r | |
686d4d4a | 1733 | IN IKEV2_SESSION_COMMON *SessionCommon,\r |
1734 | IN IKEV2_SA *Sa\r | |
9166f840 | 1735 | )\r |
1736 | {\r | |
1737 | IKEV2_SA_DATA *SaData;\r | |
1738 | EFI_STATUS Status;\r | |
1739 | IKEV2_PROPOSAL *Proposal;\r | |
1740 | IKEV2_TRANSFORM *Transform;\r | |
1741 | UINTN TotalProposals;\r | |
1742 | UINTN TotalTransforms;\r | |
1743 | UINTN ProposalNextPayloadSum;\r | |
1744 | UINTN ProposalIndex;\r | |
1745 | UINTN TransformIndex;\r | |
1746 | UINTN SaRemaining;\r | |
1747 | UINT16 ProposalSize;\r | |
1748 | UINTN ProposalRemaining;\r | |
1749 | UINT16 TransformSize;\r | |
1750 | UINTN SaAttrRemaining;\r | |
1751 | IKE_SA_ATTRIBUTE *SaAttribute;\r | |
1752 | IKEV2_PROPOSAL_DATA *ProposalData;\r | |
1753 | IKEV2_TRANSFORM_DATA *TransformData;\r | |
1754 | UINT8 *Spi;\r | |
1755 | \r | |
1756 | //\r | |
1757 | // Transfrom from IKE_SA payload to IKE_SA_DATA structure.\r | |
1758 | // Header length NTOH is already done\r | |
1759 | // The returned IKE_SA_DATA should be freed by caller\r | |
1760 | //\r | |
1761 | SaData = NULL;\r | |
1762 | Status = EFI_SUCCESS;\r | |
1763 | \r | |
1764 | //\r | |
1765 | // First round sanity check and size calculae\r | |
1766 | //\r | |
1767 | TotalProposals = 0;\r | |
1768 | TotalTransforms = 0;\r | |
1769 | ProposalNextPayloadSum = 0;\r | |
1770 | SaRemaining = Sa->Header.PayloadLength - sizeof (IKEV2_SA);// Point to current position in SA\r | |
1771 | Proposal = (IKEV2_PROPOSAL *)((IKEV2_SA *)(Sa)+1);\r | |
1772 | \r | |
1773 | //\r | |
1774 | // Caculate the number of Proposal payload and the total numbers of\r | |
1775 | // Transforms payload (the transforms in all proposal payload).\r | |
1776 | //\r | |
1777 | while (SaRemaining > sizeof (IKEV2_PROPOSAL)) {\r | |
1778 | ProposalSize = NTOHS (Proposal->Header.PayloadLength);\r | |
1779 | if (SaRemaining < ProposalSize) {\r | |
1780 | Status = EFI_INVALID_PARAMETER;\r | |
1781 | goto Exit;\r | |
1782 | }\r | |
1783 | \r | |
1784 | if (Proposal->SpiSize != 0 && Proposal->SpiSize != 4) {\r | |
1785 | Status = EFI_INVALID_PARAMETER;\r | |
1786 | goto Exit;\r | |
1787 | }\r | |
1788 | \r | |
1789 | TotalProposals++;\r | |
1790 | TotalTransforms += Proposal->NumTransforms;\r | |
1791 | SaRemaining -= ProposalSize;\r | |
1792 | ProposalNextPayloadSum += Proposal->Header.NextPayload;\r | |
1793 | Proposal = IKEV2_NEXT_PROPOSAL_WITH_SIZE (Proposal, ProposalSize);\r | |
1794 | }\r | |
1795 | \r | |
1796 | //\r | |
1797 | // Check the proposal number. The Proposal Payload type is 2. Nonce Paylod is 0.\r | |
1798 | // SUM(ProposalNextPayload) = Proposal Num * 2 + Noce Payload Type (0).\r | |
1799 | //\r | |
1800 | if (TotalProposals == 0 ||\r | |
1801 | (TotalProposals - 1) * IKE_PROPOSAL_NEXT_PAYLOAD_MORE + IKE_PROPOSAL_NEXT_PAYLOAD_NONE != ProposalNextPayloadSum\r | |
1802 | ) {\r | |
1803 | Status = EFI_INVALID_PARAMETER;\r | |
1804 | goto Exit;\r | |
1805 | }\r | |
1806 | \r | |
1807 | //\r | |
1808 | // Second round sanity check and decode. Transform the SA payload into\r | |
1809 | // a IKE_SA_DATA structure.\r | |
1810 | //\r | |
1811 | SaData = (IKEV2_SA_DATA *) AllocateZeroPool (\r | |
1812 | sizeof (IKEV2_SA_DATA) +\r | |
1813 | TotalProposals * sizeof (IKEV2_PROPOSAL_DATA) +\r | |
1814 | TotalTransforms * sizeof (IKEV2_TRANSFORM_DATA)\r | |
1815 | );\r | |
1816 | ASSERT (SaData != NULL);\r | |
1817 | CopyMem (SaData, Sa, sizeof (IKEV2_SA));\r | |
1818 | SaData->NumProposals = TotalProposals;\r | |
1819 | ProposalData = (IKEV2_PROPOSAL_DATA *) (SaData + 1);\r | |
1820 | \r | |
1821 | //\r | |
1822 | // Proposal Payload\r | |
1823 | // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1\r | |
1824 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
1825 | // ! Next Payload ! RESERVED ! Payload Length !\r | |
1826 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
1827 | // ! Proposal # ! Protocol-Id ! SPI Size !# of Transforms!\r | |
1828 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
1829 | // ! SPI (variable) !\r | |
1830 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
1831 | //\r | |
1832 | for (ProposalIndex = 0, Proposal = IKEV2_SA_FIRST_PROPOSAL (Sa);\r | |
1833 | ProposalIndex < TotalProposals;\r | |
1834 | ProposalIndex++\r | |
1835 | ) {\r | |
1836 | \r | |
1837 | //\r | |
1838 | // TODO: check ProposalId\r | |
1839 | //\r | |
1840 | ProposalData->ProposalIndex = Proposal->ProposalIndex;\r | |
1841 | ProposalData->ProtocolId = Proposal->ProtocolId;\r | |
1842 | if (Proposal->SpiSize == 0) {\r | |
1843 | ProposalData->Spi = 0;\r | |
1844 | } else {\r | |
1845 | //\r | |
1846 | // SpiSize == 4\r | |
1847 | //\r | |
1848 | Spi = AllocateZeroPool (Proposal->SpiSize);\r | |
1849 | ASSERT (Spi != NULL);\r | |
1850 | CopyMem (Spi, (UINT32 *) (Proposal + 1), Proposal->SpiSize);\r | |
1851 | *((UINT32*) Spi) = NTOHL (*((UINT32*) Spi));\r | |
1852 | ProposalData->Spi = Spi;\r | |
1853 | }\r | |
1854 | \r | |
1855 | ProposalData->NumTransforms = Proposal->NumTransforms;\r | |
1856 | ProposalSize = NTOHS (Proposal->Header.PayloadLength);\r | |
1857 | ProposalRemaining = ProposalSize;\r | |
1858 | //\r | |
1859 | // Transform Payload\r | |
1860 | // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1\r | |
1861 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
1862 | // ! Next Payload ! RESERVED ! Payload Length !\r | |
1863 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
1864 | // !Transform Type ! RESERVED ! Transform ID !\r | |
1865 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
1866 | // ! !\r | |
1867 | // ~ SA Attributes ~\r | |
1868 | // ! !\r | |
1869 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
1870 | //\r | |
1871 | Transform = IKEV2_PROPOSAL_FIRST_TRANSFORM (Proposal);\r | |
1872 | for (TransformIndex = 0; TransformIndex < Proposal->NumTransforms; TransformIndex++) {\r | |
1873 | \r | |
1874 | //\r | |
1875 | // Transfer the IKEV2_TRANSFORM structure into internal IKEV2_TRANSFORM_DATA struture.\r | |
1876 | //\r | |
1877 | TransformData = (IKEV2_TRANSFORM_DATA *) (ProposalData + 1) + TransformIndex;\r | |
1878 | TransformData->TransformId = NTOHS (Transform->TransformId);\r | |
1879 | TransformData->TransformType = Transform->TransformType;\r | |
1880 | TransformSize = NTOHS (Transform->Header.PayloadLength);\r | |
1881 | //\r | |
1882 | // Check the Proposal Data is correct.\r | |
1883 | //\r | |
1884 | if (ProposalRemaining < TransformSize) {\r | |
1885 | Status = EFI_INVALID_PARAMETER;\r | |
1886 | goto Exit;\r | |
1887 | }\r | |
1888 | \r | |
1889 | //\r | |
1890 | // Check if the Transform payload includes Attribution.\r | |
1891 | //\r | |
1892 | SaAttrRemaining = TransformSize - sizeof (IKEV2_TRANSFORM);\r | |
1893 | \r | |
1894 | //\r | |
1895 | // According to RFC 4603, currently only the Key length attribute type is \r | |
1896 | // supported. For each Transform, there is only one attributeion.\r | |
1897 | //\r | |
1898 | if (SaAttrRemaining > 0) {\r | |
1899 | if (SaAttrRemaining != sizeof (IKE_SA_ATTRIBUTE)) {\r | |
1900 | Status = EFI_INVALID_PARAMETER;\r | |
1901 | goto Exit;\r | |
1902 | }\r | |
1903 | SaAttribute = (IKE_SA_ATTRIBUTE *) ((IKEV2_TRANSFORM *)(Transform) + 1);\r | |
1904 | TransformData->Attribute.AttrType = (UINT16)((NTOHS (SaAttribute->AttrType)) & ~SA_ATTR_FORMAT_BIT);\r | |
1905 | TransformData->Attribute.Attr.AttrValue = NTOHS (SaAttribute->Attr.AttrValue);\r | |
1906 | \r | |
1907 | //\r | |
1908 | // Currently, only supports the Key Length Attribution.\r | |
1909 | //\r | |
1910 | if (TransformData->Attribute.AttrType != IKEV2_ATTRIBUTE_TYPE_KEYLEN) {\r | |
1911 | Status = EFI_INVALID_PARAMETER;\r | |
1912 | goto Exit;\r | |
1913 | } \r | |
1914 | }\r | |
1915 | \r | |
1916 | //\r | |
1917 | // Move to next Transform\r | |
1918 | // \r | |
1919 | Transform = IKEV2_NEXT_TRANSFORM_WITH_SIZE (Transform, TransformSize);\r | |
1920 | }\r | |
1921 | Proposal = IKEV2_NEXT_PROPOSAL_WITH_SIZE (Proposal, ProposalSize);\r | |
1922 | ProposalData = (IKEV2_PROPOSAL_DATA *) ((UINT8 *)(ProposalData + 1) +\r | |
1923 | ProposalData->NumTransforms *\r | |
1924 | sizeof (IKEV2_TRANSFORM_DATA));\r | |
1925 | }\r | |
1926 | \r | |
1927 | Exit:\r | |
1928 | if (EFI_ERROR (Status) && SaData != NULL) {\r | |
1929 | FreePool (SaData);\r | |
1930 | SaData = NULL;\r | |
1931 | }\r | |
1932 | return SaData;\r | |
1933 | }\r | |
1934 | \r | |
1935 | /**\r | |
1936 | General interface of payload encoding.\r | |
1937 | \r | |
1938 | This function encodes the internal data structure into payload which \r | |
1939 | is defined in RFC 4306. The IkePayload->PayloadBuf is used to store both the input\r | |
1940 | payload and converted payload. Only the SA payload use the interal structure\r | |
1941 | to store the attribute. Other payload use structure which is same with the RFC\r | |
1942 | defined, for this kind payloads just do host order to network order change of\r | |
1943 | some fields.\r | |
1944 | \r | |
1945 | @param[in] SessionCommon Pointer to IKE Session Common used to encode the payload.\r | |
1946 | @param[in, out] IkePayload Pointer to IKE payload to be encoded as input, and\r | |
1947 | store the encoded result as output.\r | |
1948 | \r | |
1949 | @retval EFI_INVALID_PARAMETER Meet error when encoding the SA payload.\r | |
1950 | @retval EFI_SUCCESS Encoded successfully.\r | |
1951 | \r | |
1952 | **/\r | |
1953 | EFI_STATUS\r | |
1954 | Ikev2EncodePayload (\r | |
1955 | IN UINT8 *SessionCommon,\r | |
1956 | IN OUT IKE_PAYLOAD *IkePayload\r | |
1957 | )\r | |
1958 | {\r | |
1959 | IKEV2_SA_DATA *SaData;\r | |
1960 | IKEV2_SA *SaPayload;\r | |
1961 | IKEV2_COMMON_PAYLOAD_HEADER *PayloadHdr;\r | |
1962 | IKEV2_NOTIFY *NotifyPayload;\r | |
1963 | IKEV2_DELETE *DeletePayload;\r | |
1964 | IKEV2_KEY_EXCHANGE *KeyPayload;\r | |
1965 | IKEV2_TS *TsPayload;\r | |
1966 | IKEV2_CFG_ATTRIBUTES *CfgAttribute;\r | |
1967 | UINT8 *TsBuffer;\r | |
1968 | UINT8 Index;\r | |
1969 | TRAFFIC_SELECTOR *TrafficSelector;\r | |
1970 | \r | |
1971 | //\r | |
1972 | // Transform the Internal IKE structure to IKE payload.\r | |
1973 | // Only the SA payload use the interal structure to store the attribute.\r | |
1974 | // Other payload use structure which same with the RFC defined, so there is\r | |
1975 | // no need to tranform them to IKE payload.\r | |
1976 | //\r | |
1977 | switch (IkePayload->PayloadType) {\r | |
1978 | case IKEV2_PAYLOAD_TYPE_SA:\r | |
1979 | //\r | |
1980 | // Transform IKE_SA_DATA to IK_SA payload\r | |
1981 | //\r | |
1982 | SaData = (IKEV2_SA_DATA *) IkePayload->PayloadBuf;\r | |
1983 | SaPayload = Ikev2EncodeSa ((IKEV2_SESSION_COMMON *) SessionCommon, SaData);\r | |
1984 | \r | |
1985 | if (SaPayload == NULL) {\r | |
1986 | return EFI_INVALID_PARAMETER;\r | |
1987 | }\r | |
1988 | if (!IkePayload->IsPayloadBufExt) {\r | |
1989 | FreePool (IkePayload->PayloadBuf);\r | |
1990 | }\r | |
1991 | IkePayload->PayloadBuf = (UINT8 *) SaPayload;\r | |
1992 | IkePayload->IsPayloadBufExt = FALSE;\r | |
1993 | break;\r | |
1994 | \r | |
1995 | case IKEV2_PAYLOAD_TYPE_NOTIFY:\r | |
1996 | NotifyPayload = (IKEV2_NOTIFY *) IkePayload->PayloadBuf;\r | |
1997 | NotifyPayload->MessageType = HTONS (NotifyPayload->MessageType);\r | |
1998 | break;\r | |
1999 | \r | |
2000 | case IKEV2_PAYLOAD_TYPE_DELETE:\r | |
2001 | DeletePayload = (IKEV2_DELETE *) IkePayload->PayloadBuf;\r | |
2002 | DeletePayload->NumSpis = HTONS (DeletePayload->NumSpis);\r | |
2003 | break;\r | |
2004 | \r | |
2005 | case IKEV2_PAYLOAD_TYPE_KE:\r | |
2006 | KeyPayload = (IKEV2_KEY_EXCHANGE *) IkePayload->PayloadBuf;\r | |
2007 | KeyPayload->DhGroup = HTONS (KeyPayload->DhGroup);\r | |
2008 | break;\r | |
2009 | \r | |
2010 | case IKEV2_PAYLOAD_TYPE_TS_INIT:\r | |
2011 | case IKEV2_PAYLOAD_TYPE_TS_RSP:\r | |
2012 | TsPayload = (IKEV2_TS *) IkePayload->PayloadBuf;\r | |
2013 | TsBuffer = IkePayload->PayloadBuf + sizeof (IKEV2_TS);\r | |
2014 | \r | |
2015 | for (Index = 0; Index < TsPayload->TSNumbers; Index++) {\r | |
2016 | TrafficSelector = (TRAFFIC_SELECTOR *) TsBuffer;\r | |
2017 | TsBuffer = TsBuffer + TrafficSelector->SelecorLen;\r | |
2018 | //\r | |
2019 | // Host order to network order\r | |
2020 | //\r | |
2021 | TrafficSelector->SelecorLen = HTONS (TrafficSelector->SelecorLen);\r | |
2022 | TrafficSelector->StartPort = HTONS (TrafficSelector->StartPort);\r | |
2023 | TrafficSelector->EndPort = HTONS (TrafficSelector->EndPort);\r | |
2024 | \r | |
2025 | }\r | |
2026 | \r | |
2027 | break;\r | |
2028 | \r | |
2029 | case IKEV2_PAYLOAD_TYPE_CP:\r | |
2030 | CfgAttribute = (IKEV2_CFG_ATTRIBUTES *)(((IKEV2_CFG *) IkePayload->PayloadBuf) + 1);\r | |
2031 | CfgAttribute->AttritType = HTONS (CfgAttribute->AttritType);\r | |
2032 | CfgAttribute->ValueLength = HTONS (CfgAttribute->ValueLength);\r | |
2033 | \r | |
2034 | case IKEV2_PAYLOAD_TYPE_ID_INIT:\r | |
2035 | case IKEV2_PAYLOAD_TYPE_ID_RSP:\r | |
2036 | case IKEV2_PAYLOAD_TYPE_AUTH:\r | |
2037 | default:\r | |
2038 | break;\r | |
2039 | }\r | |
2040 | \r | |
2041 | PayloadHdr = (IKEV2_COMMON_PAYLOAD_HEADER *) IkePayload->PayloadBuf;\r | |
2042 | IkePayload->PayloadSize = PayloadHdr->PayloadLength;\r | |
2043 | PayloadHdr->PayloadLength = HTONS (PayloadHdr->PayloadLength);\r | |
2044 | IKEV2_DUMP_PAYLOAD (IkePayload);\r | |
2045 | return EFI_SUCCESS;\r | |
2046 | }\r | |
2047 | \r | |
2048 | /**\r | |
2049 | The general interface for decoding Payload.\r | |
2050 | \r | |
2051 | This function converts the received Payload into internal structure.\r | |
2052 | \r | |
2053 | @param[in] SessionCommon Pointer to IKE Session Common used for decoding.\r | |
2054 | @param[in, out] IkePayload Pointer to IKE payload to be decoded as input, and\r | |
2055 | store the decoded result as output. \r | |
2056 | \r | |
2057 | @retval EFI_INVALID_PARAMETER Meet error when decoding the SA payload.\r | |
2058 | @retval EFI_SUCCESS Decoded successfully.\r | |
2059 | \r | |
2060 | **/\r | |
2061 | EFI_STATUS\r | |
2062 | Ikev2DecodePayload (\r | |
2063 | IN UINT8 *SessionCommon,\r | |
2064 | IN OUT IKE_PAYLOAD *IkePayload\r | |
2065 | )\r | |
2066 | {\r | |
2067 | IKEV2_COMMON_PAYLOAD_HEADER *PayloadHdr;\r | |
2068 | UINT16 PayloadSize;\r | |
2069 | UINT8 PayloadType;\r | |
2070 | IKEV2_SA_DATA *SaData;\r | |
2071 | EFI_STATUS Status;\r | |
2072 | IKEV2_NOTIFY *NotifyPayload;\r | |
2073 | IKEV2_DELETE *DeletePayload;\r | |
2074 | UINT16 TsTotalSize;\r | |
2075 | TRAFFIC_SELECTOR *TsSelector;\r | |
2076 | IKEV2_TS *TsPayload;\r | |
2077 | IKEV2_KEY_EXCHANGE *KeyPayload;\r | |
2078 | IKEV2_CFG_ATTRIBUTES *CfgAttribute;\r | |
2079 | UINT8 Index;\r | |
2080 | \r | |
2081 | //\r | |
2082 | // Transform the IKE payload to Internal IKE structure.\r | |
2083 | // Only the SA payload and Hash Payload use the interal\r | |
2084 | // structure to store the attribute. Other payloads use\r | |
2085 | // structure which is same with the definitions in RFC, \r | |
2086 | // so there is no need to tranform them to internal IKE \r | |
2087 | // structure.\r | |
2088 | //\r | |
2089 | Status = EFI_SUCCESS;\r | |
2090 | PayloadSize = (UINT16) IkePayload->PayloadSize;\r | |
2091 | PayloadType = IkePayload->PayloadType;\r | |
2092 | PayloadHdr = (IKEV2_COMMON_PAYLOAD_HEADER *) IkePayload->PayloadBuf;\r | |
2093 | //\r | |
2094 | // The PayloadSize is the size of whole payload.\r | |
2095 | // Replace HTONS operation to assignment statements, since the result is same.\r | |
2096 | //\r | |
2097 | PayloadHdr->PayloadLength = PayloadSize;\r | |
2098 | \r | |
2099 | IKEV2_DUMP_PAYLOAD (IkePayload);\r | |
2100 | switch (PayloadType) {\r | |
2101 | case IKEV2_PAYLOAD_TYPE_SA:\r | |
2102 | if (PayloadSize < sizeof (IKEV2_SA)) {\r | |
2103 | Status = EFI_INVALID_PARAMETER;\r | |
2104 | goto Exit;\r | |
2105 | }\r | |
2106 | \r | |
2107 | SaData = Ikev2DecodeSa ((IKEV2_SESSION_COMMON *) SessionCommon, (IKEV2_SA *) PayloadHdr);\r | |
2108 | if (SaData == NULL) {\r | |
2109 | Status = EFI_INVALID_PARAMETER;\r | |
2110 | goto Exit;\r | |
2111 | }\r | |
2112 | \r | |
2113 | if (!IkePayload->IsPayloadBufExt) {\r | |
2114 | FreePool (IkePayload->PayloadBuf);\r | |
2115 | }\r | |
2116 | \r | |
2117 | IkePayload->PayloadBuf = (UINT8 *) SaData;\r | |
2118 | IkePayload->IsPayloadBufExt = FALSE; \r | |
2119 | break;\r | |
2120 | \r | |
2121 | case IKEV2_PAYLOAD_TYPE_ID_INIT:\r | |
2122 | case IKEV2_PAYLOAD_TYPE_ID_RSP :\r | |
2123 | if (PayloadSize < sizeof (IKEV2_ID)) {\r | |
2124 | Status = EFI_INVALID_PARAMETER;\r | |
2125 | goto Exit;\r | |
2126 | }\r | |
2127 | break;\r | |
2128 | \r | |
2129 | case IKEV2_PAYLOAD_TYPE_NOTIFY:\r | |
2130 | if (PayloadSize < sizeof (IKEV2_NOTIFY)) {\r | |
2131 | Status = EFI_INVALID_PARAMETER;\r | |
2132 | goto Exit;\r | |
2133 | }\r | |
2134 | \r | |
2135 | NotifyPayload = (IKEV2_NOTIFY *) PayloadHdr;\r | |
2136 | NotifyPayload->MessageType = NTOHS (NotifyPayload->MessageType);\r | |
2137 | break;\r | |
2138 | \r | |
2139 | case IKEV2_PAYLOAD_TYPE_DELETE:\r | |
2140 | if (PayloadSize < sizeof (IKEV2_DELETE)) {\r | |
2141 | Status = EFI_INVALID_PARAMETER;\r | |
2142 | goto Exit;\r | |
2143 | }\r | |
2144 | \r | |
2145 | DeletePayload = (IKEV2_DELETE *) PayloadHdr;\r | |
2146 | DeletePayload->NumSpis = NTOHS (DeletePayload->NumSpis);\r | |
2147 | break;\r | |
2148 | \r | |
2149 | case IKEV2_PAYLOAD_TYPE_AUTH:\r | |
2150 | if (PayloadSize < sizeof (IKEV2_AUTH)) {\r | |
2151 | Status = EFI_INVALID_PARAMETER;\r | |
2152 | goto Exit;\r | |
2153 | }\r | |
2154 | break;\r | |
2155 | \r | |
2156 | case IKEV2_PAYLOAD_TYPE_KE:\r | |
2157 | KeyPayload = (IKEV2_KEY_EXCHANGE *) IkePayload->PayloadBuf;\r | |
2158 | KeyPayload->DhGroup = HTONS (KeyPayload->DhGroup);\r | |
2159 | break; \r | |
2160 | \r | |
2161 | case IKEV2_PAYLOAD_TYPE_TS_INIT:\r | |
2162 | case IKEV2_PAYLOAD_TYPE_TS_RSP :\r | |
2163 | TsTotalSize = 0;\r | |
2164 | if (PayloadSize < sizeof (IKEV2_TS)) {\r | |
2165 | Status = EFI_INVALID_PARAMETER;\r | |
2166 | goto Exit;\r | |
2167 | }\r | |
2168 | //\r | |
2169 | // Parse each traffic selector and transfer network-order to host-order\r | |
2170 | //\r | |
2171 | TsPayload = (IKEV2_TS *) IkePayload->PayloadBuf;\r | |
2172 | TsSelector = (TRAFFIC_SELECTOR *) (IkePayload->PayloadBuf + sizeof (IKEV2_TS));\r | |
2173 | \r | |
2174 | for (Index = 0; Index < TsPayload->TSNumbers; Index++) {\r | |
2175 | TsSelector->SelecorLen = NTOHS (TsSelector->SelecorLen);\r | |
2176 | TsSelector->StartPort = NTOHS (TsSelector->StartPort);\r | |
2177 | TsSelector->EndPort = NTOHS (TsSelector->EndPort);\r | |
2178 | \r | |
2179 | TsTotalSize = (UINT16) (TsTotalSize + TsSelector->SelecorLen);\r | |
2180 | TsSelector = (TRAFFIC_SELECTOR *) ((UINT8 *) TsSelector + TsSelector->SelecorLen);\r | |
2181 | }\r | |
2182 | //\r | |
2183 | // Check if the total size of Traffic Selectors is correct.\r | |
2184 | //\r | |
2185 | if (TsTotalSize != PayloadSize - sizeof(IKEV2_TS)) {\r | |
2186 | Status = EFI_INVALID_PARAMETER;\r | |
2187 | }\r | |
2188 | \r | |
2189 | case IKEV2_PAYLOAD_TYPE_CP:\r | |
2190 | CfgAttribute = (IKEV2_CFG_ATTRIBUTES *)(((IKEV2_CFG *) IkePayload->PayloadBuf) + 1);\r | |
2191 | CfgAttribute->AttritType = NTOHS (CfgAttribute->AttritType);\r | |
2192 | CfgAttribute->ValueLength = NTOHS (CfgAttribute->ValueLength);\r | |
2193 | \r | |
2194 | default:\r | |
2195 | break;\r | |
2196 | }\r | |
2197 | \r | |
2198 | Exit:\r | |
2199 | return Status;\r | |
2200 | }\r | |
2201 | \r | |
2202 | /**\r | |
2203 | Decode the IKE packet.\r | |
2204 | \r | |
2205 | This function first decrypts the IKE packet if needed , then separates the whole \r | |
2206 | IKE packet from the IkePacket->PayloadBuf into IkePacket payload list.\r | |
2207 | \r | |
2208 | @param[in] SessionCommon Pointer to IKEV1_SESSION_COMMON containing \r | |
2209 | some parameter used by IKE packet decoding.\r | |
2210 | @param[in, out] IkePacket The IKE Packet to be decoded on input, and \r | |
2211 | the decoded result on return.\r | |
2212 | @param[in] IkeType The type of IKE. IKE_SA_TYPE, IKE_INFO_TYPE and\r | |
2213 | IKE_CHILD_TYPE are supported.\r | |
2214 | \r | |
2215 | @retval EFI_SUCCESS The IKE packet is decoded successfully.\r | |
2216 | @retval Otherwise The IKE packet decoding is failed.\r | |
2217 | \r | |
2218 | **/\r | |
2219 | EFI_STATUS\r | |
2220 | Ikev2DecodePacket (\r | |
2221 | IN IKEV2_SESSION_COMMON *SessionCommon,\r | |
2222 | IN OUT IKE_PACKET *IkePacket,\r | |
2223 | IN UINTN IkeType\r | |
2224 | )\r | |
2225 | {\r | |
2226 | EFI_STATUS Status;\r | |
2227 | IKEV2_COMMON_PAYLOAD_HEADER *PayloadHdr;\r | |
2228 | UINT8 PayloadType;\r | |
2229 | UINTN RemainBytes;\r | |
2230 | UINT16 PayloadSize;\r | |
2231 | IKE_PAYLOAD *IkePayload;\r | |
2232 | IKE_HEADER *IkeHeader;\r | |
2233 | IKEV2_SA_SESSION *IkeSaSession;\r | |
2234 | \r | |
2235 | IkeHeader = NULL;\r | |
2236 | \r | |
2237 | //\r | |
2238 | // Check if the IkePacket need decrypt.\r | |
2239 | //\r | |
2240 | if (SessionCommon->State >= IkeStateAuth) {\r | |
2241 | Status = Ikev2DecryptPacket (SessionCommon, IkePacket, IkeType);\r | |
2242 | if (EFI_ERROR (Status)) {\r | |
2243 | return Status;\r | |
2244 | }\r | |
2245 | }\r | |
2246 | \r | |
2247 | Status = EFI_SUCCESS;\r | |
2248 | \r | |
2249 | //\r | |
2250 | // If the IkePacket doesn't contain any payload return invalid parameter.\r | |
2251 | //\r | |
2252 | if (IkePacket->Header->NextPayload == IKEV2_PAYLOAD_TYPE_NONE) {\r | |
2253 | if ((SessionCommon->State >= IkeStateAuth) && \r | |
2254 | (IkePacket->Header->ExchangeType == IKEV2_EXCHANGE_TYPE_INFO)\r | |
2255 | ) {\r | |
2256 | //\r | |
2257 | // If it is Liveness check, there will be no payload load in the encrypt payload.\r | |
2258 | //\r | |
2259 | Status = EFI_SUCCESS;\r | |
2260 | } else {\r | |
2261 | Status = EFI_INVALID_PARAMETER;\r | |
2262 | }\r | |
2263 | }\r | |
2264 | \r | |
2265 | //\r | |
2266 | // If the PayloadTotalSize < Header length, return invalid parameter.\r | |
2267 | //\r | |
2268 | RemainBytes = IkePacket->PayloadTotalSize;\r | |
2269 | if (RemainBytes < sizeof (IKEV2_COMMON_PAYLOAD_HEADER)) {\r | |
2270 | Status = EFI_INVALID_PARAMETER;\r | |
2271 | goto Exit;\r | |
2272 | }\r | |
2273 | \r | |
2274 | //\r | |
2275 | // If the packet is first or second message, store whole message in\r | |
2276 | // IkeSa->InitiPacket or IkeSa->RespPacket for following Auth Payload\r | |
2277 | // calculate.\r | |
2278 | //\r | |
2279 | if (IkePacket->Header->ExchangeType == IKEV2_EXCHANGE_TYPE_INIT) {\r | |
2280 | IkeHeader = AllocateZeroPool (sizeof (IKE_HEADER));\r | |
2281 | ASSERT (IkeHeader != NULL);\r | |
2282 | CopyMem (IkeHeader, IkePacket->Header, sizeof (IKE_HEADER));\r | |
2283 | \r | |
2284 | //\r | |
2285 | // Before store the whole packet, roll back the host order to network order,\r | |
2286 | // since the header order was changed in the IkePacketFromNetbuf.\r | |
2287 | //\r | |
2288 | IkeHdrNetToHost (IkeHeader);\r | |
2289 | IkeSaSession = IKEV2_SA_SESSION_FROM_COMMON (SessionCommon);\r | |
2290 | if (SessionCommon->IsInitiator) {\r | |
2291 | IkeSaSession->RespPacket = AllocateZeroPool (IkePacket->Header->Length);\r | |
2292 | IkeSaSession->RespPacketSize = IkePacket->Header->Length;\r | |
2293 | CopyMem (IkeSaSession->RespPacket, IkeHeader, sizeof (IKE_HEADER));\r | |
2294 | CopyMem (\r | |
2295 | IkeSaSession->RespPacket + sizeof (IKE_HEADER),\r | |
2296 | IkePacket->PayloadsBuf,\r | |
2297 | IkePacket->Header->Length - sizeof (IKE_HEADER)\r | |
2298 | ); \r | |
2299 | } else {\r | |
2300 | IkeSaSession->InitPacket = AllocateZeroPool (IkePacket->Header->Length);\r | |
2301 | IkeSaSession->InitPacketSize = IkePacket->Header->Length;\r | |
2302 | CopyMem (IkeSaSession->InitPacket, IkeHeader, sizeof (IKE_HEADER));\r | |
2303 | CopyMem (\r | |
2304 | IkeSaSession->InitPacket + sizeof (IKE_HEADER),\r | |
2305 | IkePacket->PayloadsBuf,\r | |
2306 | IkePacket->Header->Length - sizeof (IKE_HEADER)\r | |
2307 | );\r | |
2308 | }\r | |
2309 | }\r | |
2310 | \r | |
2311 | //\r | |
2312 | // Point to the first Payload \r | |
2313 | //\r | |
2314 | PayloadHdr = (IKEV2_COMMON_PAYLOAD_HEADER *) IkePacket->PayloadsBuf;\r | |
2315 | PayloadType = IkePacket->Header->NextPayload;\r | |
2316 | \r | |
2317 | //\r | |
2318 | // Parse each payload\r | |
2319 | //\r | |
2320 | while (RemainBytes >= sizeof (IKEV2_COMMON_PAYLOAD_HEADER)) {\r | |
2321 | PayloadSize = NTOHS (PayloadHdr->PayloadLength);\r | |
2322 | \r | |
2323 | //\r | |
2324 | //Check the size of the payload is correct.\r | |
2325 | //\r | |
2326 | if (RemainBytes < PayloadSize) {\r | |
2327 | Status = EFI_INVALID_PARAMETER;\r | |
2328 | goto Exit;\r | |
2329 | }\r | |
2330 | \r | |
2331 | //\r | |
2332 | // At certain states, it should save some datas before decoding.\r | |
2333 | //\r | |
2334 | if (SessionCommon->BeforeDecodePayload != NULL) {\r | |
2335 | SessionCommon->BeforeDecodePayload (\r | |
2336 | (UINT8 *) SessionCommon,\r | |
2337 | (UINT8 *) PayloadHdr,\r | |
2338 | PayloadSize,\r | |
2339 | PayloadType\r | |
2340 | );\r | |
2341 | }\r | |
2342 | \r | |
2343 | //\r | |
2344 | // Initial IkePayload\r | |
2345 | //\r | |
2346 | IkePayload = IkePayloadAlloc ();\r | |
2347 | ASSERT (IkePayload != NULL);\r | |
2348 | \r | |
2349 | IkePayload->PayloadType = PayloadType;\r | |
2350 | IkePayload->PayloadBuf = (UINT8 *) PayloadHdr;\r | |
2351 | IkePayload->PayloadSize = PayloadSize;\r | |
2352 | IkePayload->IsPayloadBufExt = TRUE;\r | |
2353 | \r | |
2354 | Status = Ikev2DecodePayload ((UINT8 *) SessionCommon, IkePayload);\r | |
2355 | if (EFI_ERROR (Status)) {\r | |
2356 | goto Exit;\r | |
2357 | }\r | |
2358 | \r | |
2359 | IPSEC_DUMP_BUF ("After Decoding Payload", IkePayload->PayloadBuf, IkePayload->PayloadSize);\r | |
2360 | //\r | |
2361 | // Add each payload into packet\r | |
2362 | // Notice, the IkePacket->Hdr->Lenght still recode the whole IkePacket length\r | |
2363 | // which is before the decoding.\r | |
2364 | //\r | |
2365 | IKE_PACKET_APPEND_PAYLOAD (IkePacket, IkePayload);\r | |
2366 | \r | |
2367 | RemainBytes -= PayloadSize;\r | |
2368 | PayloadType = PayloadHdr->NextPayload;\r | |
2369 | if (PayloadType == IKEV2_PAYLOAD_TYPE_NONE) {\r | |
2370 | break;\r | |
2371 | }\r | |
2372 | \r | |
2373 | PayloadHdr = (IKEV2_COMMON_PAYLOAD_HEADER *) ((UINT8 *) PayloadHdr + PayloadSize);\r | |
2374 | }\r | |
2375 | \r | |
2376 | if (PayloadType != IKEV2_PAYLOAD_TYPE_NONE) {\r | |
2377 | Status = EFI_INVALID_PARAMETER;\r | |
2378 | goto Exit;\r | |
2379 | }\r | |
2380 | \r | |
2381 | Exit:\r | |
2382 | if (EFI_ERROR (Status)) {\r | |
2383 | ClearAllPayloads (IkePacket);\r | |
2384 | }\r | |
2385 | \r | |
2386 | if (IkeHeader != NULL) {\r | |
2387 | FreePool (IkeHeader);\r | |
2388 | }\r | |
2389 | return Status;\r | |
2390 | }\r | |
2391 | \r | |
2392 | /**\r | |
2393 | Encode the IKE packet.\r | |
2394 | \r | |
2395 | This function puts all Payloads into one payload then encrypt it if needed.\r | |
2396 | \r | |
2397 | @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON containing \r | |
2398 | some parameter used during IKE packet encoding.\r | |
2399 | @param[in, out] IkePacket Pointer to IKE_PACKET to be encoded as input, \r | |
2400 | and the encoded result as output.\r | |
2401 | @param[in] IkeType The type of IKE. IKE_SA_TYPE, IKE_INFO_TYPE and\r | |
2402 | IKE_CHILD_TYPE are supportted.\r | |
2403 | \r | |
2404 | @retval EFI_SUCCESS Encode IKE packet successfully.\r | |
2405 | @retval Otherwise Encode IKE packet failed.\r | |
2406 | \r | |
2407 | **/\r | |
2408 | EFI_STATUS\r | |
2409 | Ikev2EncodePacket (\r | |
2410 | IN IKEV2_SESSION_COMMON *SessionCommon,\r | |
2411 | IN OUT IKE_PACKET *IkePacket,\r | |
2412 | IN UINTN IkeType\r | |
2413 | )\r | |
2414 | {\r | |
2415 | IKE_PAYLOAD *IkePayload;\r | |
2416 | UINTN PayloadTotalSize;\r | |
2417 | LIST_ENTRY *Entry;\r | |
2418 | EFI_STATUS Status;\r | |
2419 | IKEV2_SA_SESSION *IkeSaSession;\r | |
2420 | \r | |
2421 | PayloadTotalSize = 0;\r | |
2422 | //\r | |
2423 | // Encode each payload\r | |
2424 | //\r | |
2425 | for (Entry = IkePacket->PayloadList.ForwardLink; Entry != &(IkePacket->PayloadList);) {\r | |
2426 | IkePayload = IKE_PAYLOAD_BY_PACKET (Entry);\r | |
2427 | Entry = Entry->ForwardLink;\r | |
2428 | Status = Ikev2EncodePayload ((UINT8 *) SessionCommon, IkePayload);\r | |
2429 | if (EFI_ERROR (Status)) {\r | |
2430 | return Status;\r | |
2431 | }\r | |
2432 | \r | |
2433 | if (SessionCommon->AfterEncodePayload != NULL) {\r | |
2434 | //\r | |
2435 | // For certain states, save some payload for further calculation\r | |
2436 | //\r | |
2437 | SessionCommon->AfterEncodePayload (\r | |
2438 | (UINT8 *) SessionCommon,\r | |
2439 | IkePayload->PayloadBuf,\r | |
2440 | IkePayload->PayloadSize,\r | |
2441 | IkePayload->PayloadType\r | |
2442 | );\r | |
2443 | }\r | |
2444 | \r | |
2445 | PayloadTotalSize += IkePayload->PayloadSize;\r | |
2446 | }\r | |
2447 | IkePacket->PayloadTotalSize = PayloadTotalSize;\r | |
2448 | \r | |
2449 | Status = EFI_SUCCESS;\r | |
2450 | if (SessionCommon->State >= IkeStateAuth) {\r | |
2451 | //\r | |
2452 | // Encrypt all payload and transfer IKE packet header from Host order to Network order.\r | |
2453 | //\r | |
2454 | Status = Ikev2EncryptPacket (SessionCommon, IkePacket);\r | |
2455 | } else {\r | |
2456 | //\r | |
2457 | // Fill in the lenght into IkePacket header and transfer Host order to Network order.\r | |
2458 | //\r | |
2459 | IkePacket->Header->Length = (UINT32) (sizeof (IKE_HEADER) + IkePacket->PayloadTotalSize);\r | |
2460 | IkeHdrHostToNet (IkePacket->Header);\r | |
2461 | }\r | |
2462 | \r | |
2463 | //\r | |
2464 | // If the packet is first message, store whole message in IkeSa->InitiPacket \r | |
2465 | // for following Auth Payload calculation.\r | |
2466 | //\r | |
2467 | if (IkePacket->Header->ExchangeType == IKEV2_EXCHANGE_TYPE_INIT) {\r | |
2468 | IkeSaSession = IKEV2_SA_SESSION_FROM_COMMON (SessionCommon);\r | |
2469 | if (SessionCommon->IsInitiator) { \r | |
2470 | IkeSaSession->InitPacketSize = IkePacket->PayloadTotalSize + sizeof (IKE_HEADER);\r | |
2471 | IkeSaSession->InitPacket = AllocateZeroPool (IkeSaSession->InitPacketSize);\r | |
2472 | ASSERT (IkeSaSession->InitPacket != NULL);\r | |
2473 | CopyMem (IkeSaSession->InitPacket, IkePacket->Header, sizeof (IKE_HEADER));\r | |
2474 | PayloadTotalSize = 0;\r | |
2475 | for (Entry = IkePacket->PayloadList.ForwardLink; Entry != &(IkePacket->PayloadList);) {\r | |
2476 | IkePayload = IKE_PAYLOAD_BY_PACKET (Entry);\r | |
2477 | Entry = Entry->ForwardLink;\r | |
2478 | CopyMem (\r | |
2479 | IkeSaSession->InitPacket + sizeof (IKE_HEADER) + PayloadTotalSize,\r | |
2480 | IkePayload->PayloadBuf,\r | |
2481 | IkePayload->PayloadSize\r | |
2482 | );\r | |
2483 | PayloadTotalSize = PayloadTotalSize + IkePayload->PayloadSize;\r | |
2484 | }\r | |
2485 | } else { \r | |
2486 | IkeSaSession->RespPacketSize = IkePacket->PayloadTotalSize + sizeof(IKE_HEADER);\r | |
2487 | IkeSaSession->RespPacket = AllocateZeroPool (IkeSaSession->RespPacketSize);\r | |
2488 | ASSERT (IkeSaSession->RespPacket != NULL);\r | |
2489 | CopyMem (IkeSaSession->RespPacket, IkePacket->Header, sizeof (IKE_HEADER));\r | |
2490 | PayloadTotalSize = 0;\r | |
2491 | for (Entry = IkePacket->PayloadList.ForwardLink; Entry != &(IkePacket->PayloadList);) {\r | |
2492 | IkePayload = IKE_PAYLOAD_BY_PACKET (Entry);\r | |
2493 | Entry = Entry->ForwardLink;\r | |
2494 | \r | |
2495 | CopyMem (\r | |
2496 | IkeSaSession->RespPacket + sizeof (IKE_HEADER) + PayloadTotalSize,\r | |
2497 | IkePayload->PayloadBuf,\r | |
2498 | IkePayload->PayloadSize\r | |
2499 | );\r | |
2500 | PayloadTotalSize = PayloadTotalSize + IkePayload->PayloadSize;\r | |
2501 | }\r | |
2502 | }\r | |
2503 | }\r | |
2504 | \r | |
2505 | return Status;\r | |
2506 | }\r | |
2507 | \r | |
2508 | /**\r | |
2509 | Decrypt IKE packet.\r | |
2510 | \r | |
2511 | This function decrypts the Encrypted IKE packet and put the result into IkePacket->PayloadBuf.\r | |
2512 | \r | |
2513 | @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON containing \r | |
2514 | some parameter used during decrypting.\r | |
2515 | @param[in, out] IkePacket Pointer to IKE_PACKET to be decrypted as input, \r | |
2516 | and the decrypted result as output.\r | |
2517 | @param[in, out] IkeType The type of IKE. IKE_SA_TYPE, IKE_INFO_TYPE and\r | |
2518 | IKE_CHILD_TYPE are supportted.\r | |
2519 | \r | |
2520 | @retval EFI_INVALID_PARAMETER If the IKE packet length is zero or the\r | |
2521 | IKE packet length is not aligned with Algorithm Block Size\r | |
2522 | @retval EFI_SUCCESS Decrypt IKE packet successfully.\r | |
2523 | \r | |
2524 | **/\r | |
2525 | EFI_STATUS\r | |
2526 | Ikev2DecryptPacket (\r | |
2527 | IN IKEV2_SESSION_COMMON *SessionCommon,\r | |
2528 | IN OUT IKE_PACKET *IkePacket,\r | |
2529 | IN OUT UINTN IkeType\r | |
2530 | )\r | |
2531 | {\r | |
2532 | UINT8 CryptBlockSize; // Encrypt Block Size\r | |
2533 | UINTN DecryptedSize; // Encrypted IKE Payload Size \r | |
2534 | UINT8 *DecryptedBuf; // Encrypted IKE Payload buffer\r | |
2535 | UINTN IntegritySize;\r | |
2536 | UINT8 *IntegrityBuffer;\r | |
2537 | UINTN IvSize; // Iv Size \r | |
2538 | UINT8 CheckSumSize; // Integrity Check Sum Size depends on intergrity Auth \r | |
2539 | UINT8 *CheckSumData; // Check Sum data\r | |
2540 | IKEV2_SA_SESSION *IkeSaSession;\r | |
2541 | IKEV2_CHILD_SA_SESSION *ChildSaSession;\r | |
2542 | EFI_STATUS Status;\r | |
2543 | UINT8 PadLen;\r | |
2544 | UINTN CryptKeyLength;\r | |
2545 | HASH_DATA_FRAGMENT Fragments[1];\r | |
2546 | \r | |
2547 | IvSize = 0;\r | |
2548 | IkeSaSession = NULL;\r | |
2549 | CryptBlockSize = 0;\r | |
2550 | CheckSumSize = 0;\r | |
2551 | CryptKeyLength = 0;\r | |
2552 | \r | |
2553 | //\r | |
2554 | // Check if the first payload is the Encrypted payload\r | |
2555 | //\r | |
2556 | if (IkePacket->Header->NextPayload != IKEV2_PAYLOAD_TYPE_ENCRYPT) {\r | |
2557 | return EFI_ACCESS_DENIED;\r | |
2558 | }\r | |
2559 | CheckSumData = NULL;\r | |
2560 | DecryptedBuf = NULL;\r | |
2561 | IntegrityBuffer = NULL;\r | |
2562 | \r | |
2563 | //\r | |
2564 | // Get the Block Size\r | |
2565 | //\r | |
2566 | if (SessionCommon->IkeSessionType == IkeSessionTypeIkeSa) {\r | |
2567 | \r | |
2568 | CryptBlockSize = (UINT8) IpSecGetEncryptBlockSize ((UINT8) SessionCommon->SaParams->EncAlgId);\r | |
2569 | CryptKeyLength = IpSecGetEncryptKeyLength ((UINT8) SessionCommon->SaParams->EncAlgId);\r | |
2570 | CheckSumSize = (UINT8) IpSecGetIcvLength ((UINT8) SessionCommon->SaParams->IntegAlgId);\r | |
2571 | IkeSaSession = IKEV2_SA_SESSION_FROM_COMMON (SessionCommon);\r | |
2572 | \r | |
2573 | } else if (SessionCommon->IkeSessionType == IkeSessionTypeChildSa) {\r | |
2574 | \r | |
2575 | ChildSaSession = IKEV2_CHILD_SA_SESSION_FROM_COMMON (SessionCommon);\r | |
2576 | IkeSaSession = ChildSaSession->IkeSaSession;\r | |
2577 | CryptBlockSize = (UINT8) IpSecGetEncryptBlockSize ((UINT8) IkeSaSession->SessionCommon.SaParams->EncAlgId);\r | |
2578 | CryptKeyLength = IpSecGetEncryptKeyLength ((UINT8) IkeSaSession->SessionCommon.SaParams->EncAlgId);\r | |
2579 | CheckSumSize = (UINT8) IpSecGetIcvLength ((UINT8) IkeSaSession->SessionCommon.SaParams->IntegAlgId);\r | |
2580 | } else {\r | |
2581 | //\r | |
2582 | // The type of SA Session would either be IkeSa or ChildSa.\r | |
2583 | //\r | |
2584 | return EFI_INVALID_PARAMETER;\r | |
2585 | }\r | |
2586 | \r | |
2587 | CheckSumData = AllocateZeroPool (CheckSumSize);\r | |
2588 | ASSERT (CheckSumData != NULL);\r | |
2589 | \r | |
2590 | //\r | |
2591 | // Fill in the Integrity buffer\r | |
2592 | //\r | |
2593 | IntegritySize = IkePacket->PayloadTotalSize + sizeof (IKE_HEADER);\r | |
2594 | IntegrityBuffer = AllocateZeroPool (IntegritySize);\r | |
2595 | ASSERT (IntegrityBuffer != NULL);\r | |
2596 | CopyMem (IntegrityBuffer, IkePacket->Header, sizeof(IKE_HEADER));\r | |
2597 | CopyMem (IntegrityBuffer + sizeof (IKE_HEADER), IkePacket->PayloadsBuf, IkePacket->PayloadTotalSize);\r | |
2598 | \r | |
2599 | //\r | |
2600 | // Change Host order to Network order, since the header order was changed \r | |
2601 | // in the IkePacketFromNetbuf.\r | |
2602 | //\r | |
2603 | IkeHdrHostToNet ((IKE_HEADER *)IntegrityBuffer);\r | |
2604 | \r | |
2605 | //\r | |
2606 | // Calculate the Integrity CheckSum Data\r | |
2607 | //\r | |
2608 | Fragments[0].Data = IntegrityBuffer;\r | |
2609 | Fragments[0].DataSize = IntegritySize - CheckSumSize;\r | |
2610 | \r | |
2611 | if (SessionCommon->IsInitiator) {\r | |
2612 | Status = IpSecCryptoIoHmac (\r | |
2613 | (UINT8)IkeSaSession->SessionCommon.SaParams->IntegAlgId,\r | |
2614 | IkeSaSession->IkeKeys->SkArKey,\r | |
2615 | IkeSaSession->IkeKeys->SkArKeySize,\r | |
2616 | (HASH_DATA_FRAGMENT *) Fragments,\r | |
2617 | 1,\r | |
2618 | CheckSumData,\r | |
2619 | CheckSumSize\r | |
2620 | );\r | |
2621 | } else {\r | |
2622 | Status = IpSecCryptoIoHmac (\r | |
2623 | (UINT8)IkeSaSession->SessionCommon.SaParams->IntegAlgId,\r | |
2624 | IkeSaSession->IkeKeys->SkAiKey,\r | |
2625 | IkeSaSession->IkeKeys->SkAiKeySize,\r | |
2626 | (HASH_DATA_FRAGMENT *) Fragments,\r | |
2627 | 1,\r | |
2628 | CheckSumData,\r | |
2629 | CheckSumSize\r | |
2630 | );\r | |
2631 | }\r | |
2632 | \r | |
2633 | if (EFI_ERROR (Status)) {\r | |
2634 | goto ON_EXIT;\r | |
2635 | }\r | |
2636 | //\r | |
2637 | // Compare the Integrity CheckSum Data with the one in IkePacket\r | |
2638 | //\r | |
2639 | if (CompareMem (\r | |
2640 | IkePacket->PayloadsBuf + IkePacket->PayloadTotalSize - CheckSumSize,\r | |
2641 | CheckSumData,\r | |
2642 | CheckSumSize\r | |
2643 | ) != 0) {\r | |
2644 | DEBUG ((DEBUG_ERROR, "Error auth verify payload\n"));\r | |
2645 | Status = EFI_ACCESS_DENIED;\r | |
2646 | goto ON_EXIT;\r | |
2647 | }\r | |
2648 | \r | |
2649 | IvSize = CryptBlockSize;\r | |
2650 | \r | |
2651 | //\r | |
2652 | // Decrypt the payload with the key.\r | |
2653 | //\r | |
2654 | DecryptedSize = IkePacket->PayloadTotalSize - sizeof (IKEV2_COMMON_PAYLOAD_HEADER) - IvSize - CheckSumSize;\r | |
2655 | DecryptedBuf = AllocateZeroPool (DecryptedSize);\r | |
2656 | ASSERT (DecryptedBuf != NULL);\r | |
2657 | \r | |
2658 | CopyMem (\r | |
2659 | DecryptedBuf,\r | |
2660 | IkePacket->PayloadsBuf + sizeof (IKEV2_COMMON_PAYLOAD_HEADER) + IvSize,\r | |
2661 | DecryptedSize\r | |
2662 | );\r | |
2663 | \r | |
2664 | if (SessionCommon->IsInitiator) {\r | |
2665 | Status = IpSecCryptoIoDecrypt (\r | |
2666 | (UINT8) SessionCommon->SaParams->EncAlgId,\r | |
2667 | IkeSaSession->IkeKeys->SkErKey,\r | |
2668 | IkeSaSession->IkeKeys->SkErKeySize << 3,\r | |
2669 | IkePacket->PayloadsBuf + sizeof (IKEV2_COMMON_PAYLOAD_HEADER),\r | |
2670 | DecryptedBuf,\r | |
2671 | DecryptedSize,\r | |
2672 | DecryptedBuf\r | |
2673 | );\r | |
2674 | } else {\r | |
2675 | Status = IpSecCryptoIoDecrypt (\r | |
2676 | (UINT8) SessionCommon->SaParams->EncAlgId,\r | |
2677 | IkeSaSession->IkeKeys->SkEiKey,\r | |
2678 | IkeSaSession->IkeKeys->SkEiKeySize << 3,\r | |
2679 | IkePacket->PayloadsBuf + sizeof (IKEV2_COMMON_PAYLOAD_HEADER),\r | |
2680 | DecryptedBuf,\r | |
2681 | DecryptedSize,\r | |
2682 | DecryptedBuf\r | |
2683 | );\r | |
2684 | }\r | |
2685 | \r | |
2686 | if (EFI_ERROR (Status)) {\r | |
2687 | DEBUG ((DEBUG_ERROR, "Error decrypt buffer with %r\n", Status));\r | |
2688 | goto ON_EXIT;\r | |
2689 | }\r | |
2690 | \r | |
2691 | //\r | |
2692 | // Get the Padding length\r | |
2693 | //\r | |
2694 | //\r | |
2695 | PadLen = (UINT8) (*(DecryptedBuf + DecryptedSize - sizeof (IKEV2_PAD_LEN)));\r | |
2696 | \r | |
2697 | //\r | |
2698 | // Save the next payload of encrypted payload into IkePacket->Hdr->NextPayload\r | |
2699 | //\r | |
2700 | IkePacket->Header->NextPayload = ((IKEV2_ENCRYPTED *) IkePacket->PayloadsBuf)->Header.NextPayload;\r | |
2701 | \r | |
2702 | //\r | |
2703 | // Free old IkePacket->PayloadBuf and point it to decrypted paylaod buffer.\r | |
2704 | //\r | |
2705 | FreePool (IkePacket->PayloadsBuf);\r | |
2706 | IkePacket->PayloadsBuf = DecryptedBuf;\r | |
2707 | IkePacket->PayloadTotalSize = DecryptedSize - PadLen;\r | |
2708 | \r | |
2709 | IPSEC_DUMP_BUF ("Decrypted Buffer", DecryptedBuf, DecryptedSize);\r | |
2710 | \r | |
2711 | \r | |
2712 | ON_EXIT:\r | |
2713 | if (CheckSumData != NULL) {\r | |
2714 | FreePool (CheckSumData);\r | |
2715 | }\r | |
2716 | \r | |
2717 | if (EFI_ERROR (Status) && DecryptedBuf != NULL) {\r | |
2718 | FreePool (DecryptedBuf);\r | |
2719 | }\r | |
2720 | \r | |
2721 | if (IntegrityBuffer != NULL) {\r | |
2722 | FreePool (IntegrityBuffer);\r | |
2723 | }\r | |
2724 | \r | |
2725 | return Status;\r | |
2726 | }\r | |
2727 | \r | |
2728 | /**\r | |
2729 | Encrypt IKE packet.\r | |
2730 | \r | |
2731 | This function encrypt IKE packet before sending it. The Encrypted IKE packet\r | |
2732 | is put in to IKEV2 Encrypted Payload.\r | |
2733 | \r | |
2734 | @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON related to the IKE packet.\r | |
2735 | @param[in, out] IkePacket Pointer to IKE packet to be encrypted.\r | |
2736 | \r | |
2737 | @retval EFI_SUCCESS Operation is successful.\r | |
2738 | @retval Others Operation is failed.\r | |
2739 | \r | |
2740 | **/\r | |
2741 | EFI_STATUS\r | |
2742 | Ikev2EncryptPacket (\r | |
2743 | IN IKEV2_SESSION_COMMON *SessionCommon,\r | |
2744 | IN OUT IKE_PACKET *IkePacket\r | |
2745 | )\r | |
2746 | {\r | |
2747 | UINT8 CryptBlockSize; // Encrypt Block Size\r | |
2748 | UINT8 CryptBlockSizeMask; // Block Mask\r | |
2749 | UINTN EncryptedSize; // Encrypted IKE Payload Size \r | |
2750 | UINT8 *EncryptedBuf; // Encrypted IKE Payload buffer\r | |
2751 | UINT8 *EncryptPayloadBuf; // Contain whole Encrypted Payload\r | |
2752 | UINTN EncryptPayloadSize; // Total size of the Encrypted payload\r | |
2753 | UINT8 *IntegrityBuf; // Buffer to be intergity \r | |
2754 | UINT32 IntegrityBufSize; // Buffer size of IntegrityBuf\r | |
2755 | UINT8 *IvBuffer; // Initialization Vector\r | |
2756 | UINT8 IvSize; // Iv Size \r | |
2757 | UINT8 CheckSumSize; // Integrity Check Sum Size depends on intergrity Auth \r | |
2758 | UINT8 *CheckSumData; // Check Sum data\r | |
2759 | UINTN Index;\r | |
2760 | IKE_PAYLOAD *EncryptPayload;\r | |
2761 | IKEV2_SA_SESSION *IkeSaSession;\r | |
2762 | IKEV2_CHILD_SA_SESSION *ChildSaSession;\r | |
2763 | EFI_STATUS Status;\r | |
2764 | LIST_ENTRY *Entry;\r | |
2765 | IKE_PAYLOAD *IkePayload;\r | |
2766 | UINTN CryptKeyLength;\r | |
2767 | HASH_DATA_FRAGMENT Fragments[1];\r | |
2768 | \r | |
2769 | //\r | |
2770 | // Initial all buffers to NULL.\r | |
2771 | //\r | |
2772 | EncryptedBuf = NULL;\r | |
2773 | EncryptPayloadBuf = NULL;\r | |
2774 | IvBuffer = NULL;\r | |
2775 | CheckSumData = NULL;\r | |
2776 | IkeSaSession = NULL;\r | |
2777 | CryptBlockSize = 0;\r | |
2778 | CheckSumSize = 0;\r | |
2779 | CryptKeyLength = 0;\r | |
2780 | IntegrityBuf = NULL;\r | |
2781 | //\r | |
2782 | // Get the Block Size\r | |
2783 | //\r | |
2784 | if (SessionCommon->IkeSessionType == IkeSessionTypeIkeSa) {\r | |
2785 | \r | |
2786 | CryptBlockSize = (UINT8) IpSecGetEncryptBlockSize ((UINT8) SessionCommon->SaParams->EncAlgId);\r | |
2787 | CryptKeyLength = IpSecGetEncryptKeyLength ((UINT8) SessionCommon->SaParams->EncAlgId);\r | |
2788 | CheckSumSize = (UINT8) IpSecGetIcvLength ((UINT8) SessionCommon->SaParams->IntegAlgId);\r | |
2789 | IkeSaSession = IKEV2_SA_SESSION_FROM_COMMON (SessionCommon);\r | |
2790 | \r | |
2791 | } else if (SessionCommon->IkeSessionType == IkeSessionTypeChildSa) {\r | |
2792 | \r | |
2793 | ChildSaSession = IKEV2_CHILD_SA_SESSION_FROM_COMMON (SessionCommon);\r | |
2794 | IkeSaSession = ChildSaSession->IkeSaSession;\r | |
2795 | CryptBlockSize = (UINT8) IpSecGetEncryptBlockSize ((UINT8) IkeSaSession->SessionCommon.SaParams->EncAlgId);\r | |
2796 | CryptKeyLength = IpSecGetEncryptKeyLength ((UINT8) IkeSaSession->SessionCommon.SaParams->EncAlgId);\r | |
2797 | CheckSumSize = (UINT8) IpSecGetIcvLength ((UINT8) IkeSaSession->SessionCommon.SaParams->IntegAlgId);\r | |
2798 | }\r | |
2799 | \r | |
2800 | //\r | |
2801 | // Calcualte the EncryptPayloadSize and the PAD length\r | |
2802 | //\r | |
2803 | CryptBlockSizeMask = (UINT8) (CryptBlockSize - 1);\r | |
2804 | EncryptedSize = (IkePacket->PayloadTotalSize + sizeof (IKEV2_PAD_LEN) + CryptBlockSizeMask) & ~CryptBlockSizeMask;\r | |
2805 | EncryptedBuf = (UINT8 *) AllocateZeroPool (EncryptedSize);\r | |
2806 | ASSERT (EncryptedBuf != NULL);\r | |
2807 | \r | |
2808 | //\r | |
2809 | // Copy all payload into EncryptedIkePayload\r | |
2810 | //\r | |
2811 | Index = 0;\r | |
2812 | NET_LIST_FOR_EACH (Entry, &(IkePacket)->PayloadList) {\r | |
2813 | IkePayload = IKE_PAYLOAD_BY_PACKET (Entry);\r | |
2814 | \r | |
2815 | CopyMem (EncryptedBuf + Index, IkePayload->PayloadBuf, IkePayload->PayloadSize);\r | |
2816 | Index += IkePayload->PayloadSize;\r | |
2817 | \r | |
2818 | };\r | |
2819 | \r | |
2820 | //\r | |
2821 | // Fill in the Pading Length\r | |
2822 | //\r | |
2823 | *(EncryptedBuf + EncryptedSize - 1) = (UINT8)(EncryptedSize - IkePacket->PayloadTotalSize - 1);\r | |
2824 | \r | |
2825 | //\r | |
2826 | // The IV size is equal with block size\r | |
2827 | //\r | |
2828 | IvSize = CryptBlockSize;\r | |
2829 | IvBuffer = (UINT8 *) AllocateZeroPool (IvSize);\r | |
2830 | \r | |
2831 | //\r | |
2832 | // Generate IV\r | |
2833 | //\r | |
2834 | IkeGenerateIv (IvBuffer, IvSize);\r | |
2835 | \r | |
2836 | //\r | |
2837 | // Encrypt payload buf\r | |
2838 | //\r | |
2839 | if (SessionCommon->IsInitiator) {\r | |
2840 | Status = IpSecCryptoIoEncrypt (\r | |
2841 | (UINT8) IkeSaSession->SessionCommon.SaParams->EncAlgId,\r | |
2842 | IkeSaSession->IkeKeys->SkEiKey,\r | |
2843 | IkeSaSession->IkeKeys->SkEiKeySize << 3,\r | |
2844 | IvBuffer,\r | |
2845 | EncryptedBuf,\r | |
2846 | EncryptedSize,\r | |
2847 | EncryptedBuf\r | |
2848 | );\r | |
2849 | } else {\r | |
2850 | Status = IpSecCryptoIoEncrypt (\r | |
2851 | (UINT8) IkeSaSession->SessionCommon.SaParams->EncAlgId,\r | |
2852 | IkeSaSession->IkeKeys->SkErKey,\r | |
2853 | IkeSaSession->IkeKeys->SkErKeySize << 3,\r | |
2854 | IvBuffer,\r | |
2855 | EncryptedBuf,\r | |
2856 | EncryptedSize,\r | |
2857 | EncryptedBuf\r | |
2858 | );\r | |
2859 | }\r | |
2860 | if (EFI_ERROR (Status)) {\r | |
2861 | goto ON_EXIT;\r | |
2862 | }\r | |
2863 | \r | |
2864 | //\r | |
2865 | // Allocate the buffer for the whole IKE payload (Encrypted Payload).\r | |
2866 | //\r | |
2867 | EncryptPayloadSize = sizeof(IKEV2_ENCRYPTED) + IvSize + EncryptedSize + CheckSumSize;\r | |
2868 | EncryptPayloadBuf = AllocateZeroPool (EncryptPayloadSize);\r | |
2869 | ASSERT (EncryptPayloadBuf != NULL);\r | |
2870 | \r | |
2871 | //\r | |
2872 | // Fill in Header of Encrypted Payload\r | |
2873 | //\r | |
2874 | ((IKEV2_ENCRYPTED *) EncryptPayloadBuf)->Header.NextPayload = IkePacket->Header->NextPayload;\r | |
2875 | ((IKEV2_ENCRYPTED *) EncryptPayloadBuf)->Header.PayloadLength = HTONS ((UINT16)EncryptPayloadSize);\r | |
2876 | \r | |
2877 | //\r | |
2878 | // Fill in Iv\r | |
2879 | //\r | |
2880 | CopyMem (EncryptPayloadBuf + sizeof (IKEV2_ENCRYPTED), IvBuffer, IvSize);\r | |
2881 | \r | |
2882 | //\r | |
2883 | // Fill in encrypted data\r | |
2884 | //\r | |
2885 | CopyMem (EncryptPayloadBuf + sizeof (IKEV2_ENCRYPTED) + IvSize, EncryptedBuf, EncryptedSize);\r | |
2886 | \r | |
2887 | //\r | |
2888 | // Fill in the IKE Packet header\r | |
2889 | // \r | |
2890 | IkePacket->PayloadTotalSize = EncryptPayloadSize;\r | |
2891 | IkePacket->Header->Length = (UINT32) (sizeof (IKE_HEADER) + IkePacket->PayloadTotalSize);\r | |
2892 | IkePacket->Header->NextPayload = IKEV2_PAYLOAD_TYPE_ENCRYPT;\r | |
2893 | \r | |
2894 | IntegrityBuf = AllocateZeroPool (IkePacket->Header->Length);\r | |
2895 | IntegrityBufSize = IkePacket->Header->Length;\r | |
2896 | IkeHdrHostToNet (IkePacket->Header);\r | |
2897 | \r | |
2898 | CopyMem (IntegrityBuf, IkePacket->Header, sizeof (IKE_HEADER));\r | |
2899 | CopyMem (IntegrityBuf + sizeof (IKE_HEADER), EncryptPayloadBuf, EncryptPayloadSize);\r | |
2900 | \r | |
2901 | //\r | |
2902 | // Calcualte Integrity CheckSum\r | |
2903 | //\r | |
2904 | Fragments[0].Data = IntegrityBuf;\r | |
2905 | Fragments[0].DataSize = EncryptPayloadSize + sizeof (IKE_HEADER) - CheckSumSize;\r | |
2906 | \r | |
2907 | CheckSumData = AllocateZeroPool (CheckSumSize);\r | |
2908 | if (SessionCommon->IsInitiator) {\r | |
2909 | \r | |
2910 | IpSecCryptoIoHmac (\r | |
2911 | (UINT8)IkeSaSession->SessionCommon.SaParams->IntegAlgId,\r | |
2912 | IkeSaSession->IkeKeys->SkAiKey,\r | |
2913 | IkeSaSession->IkeKeys->SkAiKeySize,\r | |
2914 | (HASH_DATA_FRAGMENT *) Fragments,\r | |
2915 | 1,\r | |
2916 | CheckSumData,\r | |
2917 | CheckSumSize\r | |
2918 | );\r | |
2919 | } else {\r | |
2920 | \r | |
2921 | IpSecCryptoIoHmac (\r | |
2922 | (UINT8)IkeSaSession->SessionCommon.SaParams->IntegAlgId,\r | |
2923 | IkeSaSession->IkeKeys->SkArKey,\r | |
2924 | IkeSaSession->IkeKeys->SkArKeySize,\r | |
2925 | (HASH_DATA_FRAGMENT *) Fragments, \r | |
2926 | 1,\r | |
2927 | CheckSumData,\r | |
2928 | CheckSumSize\r | |
2929 | );\r | |
2930 | }\r | |
2931 | \r | |
2932 | //\r | |
2933 | // Copy CheckSum into Encrypted Payload\r | |
2934 | //\r | |
2935 | CopyMem (EncryptPayloadBuf + EncryptPayloadSize - CheckSumSize, CheckSumData, CheckSumSize);\r | |
2936 | \r | |
2937 | IPSEC_DUMP_BUF ("Encrypted payload buffer", EncryptPayloadBuf, EncryptPayloadSize);\r | |
2938 | IPSEC_DUMP_BUF ("Integrith CheckSum Data", CheckSumData, CheckSumSize);\r | |
2939 | \r | |
2940 | //\r | |
2941 | // Clean all payload under IkePacket->PayloadList.\r | |
2942 | //\r | |
2943 | ClearAllPayloads (IkePacket);\r | |
2944 | \r | |
2945 | //\r | |
2946 | // Create Encrypted Payload and add into IkePacket->PayloadList\r | |
2947 | //\r | |
2948 | EncryptPayload = IkePayloadAlloc ();\r | |
2949 | ASSERT (EncryptPayload != NULL);\r | |
2950 | \r | |
2951 | //\r | |
2952 | // Fill the encrypted payload into the IKE_PAYLOAD structure.\r | |
2953 | //\r | |
2954 | EncryptPayload->PayloadBuf = EncryptPayloadBuf;\r | |
2955 | EncryptPayload->PayloadSize = EncryptPayloadSize;\r | |
2956 | EncryptPayload->PayloadType = IKEV2_PAYLOAD_TYPE_ENCRYPT;\r | |
2957 | \r | |
2958 | IKE_PACKET_APPEND_PAYLOAD (IkePacket, EncryptPayload);\r | |
2959 | \r | |
2960 | ON_EXIT:\r | |
2961 | if (EncryptedBuf != NULL) {\r | |
2962 | FreePool (EncryptedBuf);\r | |
2963 | }\r | |
2964 | \r | |
2965 | if (EFI_ERROR (Status) && EncryptPayloadBuf != NULL) {\r | |
2966 | FreePool (EncryptPayloadBuf);\r | |
2967 | }\r | |
2968 | \r | |
2969 | if (IvBuffer != NULL) {\r | |
2970 | FreePool (IvBuffer);\r | |
2971 | }\r | |
2972 | \r | |
2973 | if (CheckSumData != NULL) {\r | |
2974 | FreePool (CheckSumData);\r | |
2975 | }\r | |
2976 | \r | |
2977 | if (IntegrityBuf != NULL) {\r | |
2978 | FreePool (IntegrityBuf);\r | |
2979 | }\r | |
2980 | \r | |
2981 | return Status;\r | |
2982 | }\r | |
2983 | \r | |
2984 | /**\r | |
2985 | Save some useful payloads after accepting the Packet.\r | |
2986 | \r | |
2987 | @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON related to the operation.\r | |
2988 | @param[in] IkePacket Pointer to received IkePacet.\r | |
2989 | @param[in] IkeType The type used to indicate it is in IkeSa or ChildSa or Info\r | |
2990 | exchange.\r | |
2991 | \r | |
2992 | **/\r | |
2993 | VOID\r | |
2994 | Ikev2OnPacketAccepted (\r | |
2995 | IN IKEV2_SESSION_COMMON *SessionCommon,\r | |
2996 | IN IKE_PACKET *IkePacket,\r | |
2997 | IN UINT8 IkeType\r | |
2998 | )\r | |
2999 | {\r | |
3000 | return;\r | |
3001 | }\r | |
3002 | \r | |
3003 | /**\r | |
3004 | \r | |
3005 | The notification function. It will be called when the related UDP_TX_TOKEN's event\r | |
3006 | is signaled.\r | |
3007 | \r | |
3008 | This function frees the Net Buffer pointed to the input Packet. \r | |
3009 | \r | |
3010 | @param[in] Packet Pointer to Net buffer containing the sending IKE packet.\r | |
3011 | @param[in] EndPoint Pointer to UDP_END_POINT containing the remote and local\r | |
3012 | address information.\r | |
3013 | @param[in] IoStatus The Status of the related UDP_TX_TOKEN.\r | |
3014 | @param[in] Context Pointer to data passed from the caller.\r | |
3015 | \r | |
3016 | **/\r | |
3017 | VOID\r | |
1d8fa5e9 | 3018 | EFIAPI\r |
9166f840 | 3019 | Ikev2OnPacketSent (\r |
3020 | IN NET_BUF *Packet,\r | |
3021 | IN UDP_END_POINT *EndPoint,\r | |
3022 | IN EFI_STATUS IoStatus,\r | |
3023 | IN VOID *Context\r | |
3024 | )\r | |
3025 | {\r | |
3026 | IKE_PACKET *IkePacket;\r | |
3027 | IKEV2_SA_SESSION *IkeSaSession;\r | |
3028 | IKEV2_CHILD_SA_SESSION *ChildSaSession;\r | |
3029 | UINT8 Value;\r | |
3030 | IPSEC_PRIVATE_DATA *Private;\r | |
3031 | EFI_STATUS Status;\r | |
3032 | \r | |
3033 | IkePacket = (IKE_PACKET *) Context;\r | |
3034 | Private = NULL;\r | |
3035 | \r | |
3036 | if (EFI_ERROR (IoStatus)) {\r | |
3037 | DEBUG ((DEBUG_ERROR, "Error send the last packet in IkeSessionTypeIkeSa with %r\n", IoStatus));\r | |
3038 | }\r | |
3039 | \r | |
3040 | NetbufFree (Packet);\r | |
3041 | \r | |
3042 | if (IkePacket->IsDeleteInfo) {\r | |
3043 | //\r | |
3044 | // For each RemotePeerIP, there are only one IKESA.\r | |
3045 | //\r | |
3046 | IkeSaSession = Ikev2SaSessionLookup (\r | |
3047 | &IkePacket->Private->Ikev2EstablishedList,\r | |
3048 | &IkePacket->RemotePeerIp\r | |
3049 | );\r | |
3050 | if (IkeSaSession == NULL) {\r | |
3051 | IkePacketFree (IkePacket);\r | |
3052 | return;\r | |
3053 | }\r | |
1d8fa5e9 | 3054 | \r |
9166f840 | 3055 | Private = IkePacket->Private;\r |
3056 | if (IkePacket->Spi != 0 ) {\r | |
3057 | //\r | |
3058 | // At that time, the established Child SA still in eht ChildSaEstablishSessionList.\r | |
3059 | // And meanwhile, if the Child SA is in the the ChildSa in Delete list, \r | |
3060 | // remove it from delete list and delete it direclty.\r | |
3061 | //\r | |
3062 | ChildSaSession = Ikev2ChildSaSessionLookupBySpi (\r | |
3063 | &IkeSaSession->ChildSaEstablishSessionList,\r | |
3064 | IkePacket->Spi\r | |
3065 | );\r | |
3066 | if (ChildSaSession != NULL) {\r | |
3067 | Ikev2ChildSaSessionRemove (\r | |
3068 | &IkeSaSession->DeleteSaList,\r | |
3069 | ChildSaSession->LocalPeerSpi,\r | |
3070 | IKEV2_DELET_CHILDSA_LIST\r | |
3071 | );\r | |
3072 | \r | |
3073 | //\r | |
3074 | // Delete the Child SA.\r | |
3075 | //\r | |
3076 | Ikev2ChildSaSilentDelete (\r | |
3077 | IkeSaSession,\r | |
3078 | IkePacket->Spi\r | |
3079 | );\r | |
3080 | }\r | |
3081 | \r | |
3082 | } else {\r | |
3083 | //\r | |
3084 | // Delete the IKE SA\r | |
3085 | //\r | |
3086 | DEBUG (\r | |
3087 | (DEBUG_INFO,\r | |
3088 | "\n------ deleted Packet (cookie_i, cookie_r):(0x%lx, 0x%lx)------\n",\r | |
3089 | IkeSaSession->InitiatorCookie,\r | |
3090 | IkeSaSession->ResponderCookie)\r | |
3091 | );\r | |
1d8fa5e9 | 3092 | \r |
9166f840 | 3093 | RemoveEntryList (&IkeSaSession->BySessionTable);\r |
3094 | Ikev2SaSessionFree (IkeSaSession);\r | |
3095 | }\r | |
3096 | }\r | |
3097 | IkePacketFree (IkePacket);\r | |
3098 | \r | |
3099 | //\r | |
3100 | // when all IKE SAs were disabled by calling "IPsecConfig -disable", the IPsec status \r | |
3101 | // should be changed.\r | |
3102 | //\r | |
3103 | if (Private != NULL && Private->IsIPsecDisabling) {\r | |
1d8fa5e9 | 3104 | //\r |
3105 | // After all IKE SAs were deleted, set the IPSEC_STATUS_DISABLED value in\r | |
3106 | // IPsec status variable.\r | |
3107 | //\r | |
9166f840 | 3108 | if (IsListEmpty (&Private->Ikev1EstablishedList) && IsListEmpty (&Private->Ikev2EstablishedList)) {\r |
1d8fa5e9 | 3109 | Value = IPSEC_STATUS_DISABLED;\r |
3110 | Status = gRT->SetVariable (\r | |
3111 | IPSECCONFIG_STATUS_NAME,\r | |
3112 | &gEfiIpSecConfigProtocolGuid,\r | |
3113 | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_NON_VOLATILE,\r | |
3114 | sizeof (Value),\r | |
3115 | &Value\r | |
3116 | );\r | |
3117 | if (!EFI_ERROR (Status)) {\r | |
3118 | //\r | |
3119 | // Set the DisabledFlag in Private data.\r | |
3120 | //\r | |
3121 | Private->IpSec.DisabledFlag = TRUE;\r | |
3122 | Private->IsIPsecDisabling = FALSE;\r | |
3123 | }\r | |
3124 | }\r | |
9166f840 | 3125 | }\r |
3126 | }\r | |
3127 | \r | |
3128 | /**\r | |
3129 | Send out IKEV2 packet.\r | |
3130 | \r | |
3131 | @param[in] IkeUdpService Pointer to IKE_UDP_SERVICE used to send the IKE packet.\r | |
3132 | @param[in] SessionCommon Pointer to IKEV1_SESSION_COMMON related to the IKE packet.\r | |
3133 | @param[in] IkePacket Pointer to IKE_PACKET to be sent out.\r | |
3134 | @param[in] IkeType The type of IKE to point what's kind of the IKE \r | |
3135 | packet is to be sent out. IKE_SA_TYPE, IKE_INFO_TYPE \r | |
3136 | and IKE_CHILD_TYPE are supportted.\r | |
3137 | \r | |
3138 | @retval EFI_SUCCESS The operation complete successfully.\r | |
3139 | @retval Otherwise The operation is failed.\r | |
3140 | \r | |
3141 | **/\r | |
3142 | EFI_STATUS\r | |
3143 | Ikev2SendIkePacket (\r | |
3144 | IN IKE_UDP_SERVICE *IkeUdpService,\r | |
3145 | IN UINT8 *SessionCommon,\r | |
3146 | IN IKE_PACKET *IkePacket,\r | |
3147 | IN UINTN IkeType\r | |
3148 | )\r | |
3149 | {\r | |
3150 | EFI_STATUS Status;\r | |
3151 | NET_BUF *IkePacketNetbuf;\r | |
3152 | UDP_END_POINT EndPoint;\r | |
3153 | IKEV2_SESSION_COMMON *Common;\r | |
3154 | \r | |
3155 | Common = (IKEV2_SESSION_COMMON *) SessionCommon;\r | |
3156 | \r | |
3157 | //\r | |
3158 | // Set the resend interval\r | |
3159 | //\r | |
3160 | if (Common->TimeoutInterval == 0) {\r | |
3161 | Common->TimeoutInterval = IKE_DEFAULT_TIMEOUT_INTERVAL;\r | |
3162 | }\r | |
3163 | \r | |
3164 | //\r | |
3165 | // Retransfer the packet if it is initial packet.\r | |
3166 | //\r | |
3167 | if (IkePacket->Header->Flags == IKE_HEADER_FLAGS_INIT) {\r | |
3168 | //\r | |
3169 | // Set timer for next retry, this will cancel previous timer\r | |
3170 | //\r | |
3171 | Status = gBS->SetTimer (\r | |
3172 | Common->TimeoutEvent,\r | |
3173 | TimerRelative,\r | |
3174 | MultU64x32 (Common->TimeoutInterval, 10000) // ms->100ns\r | |
3175 | );\r | |
3176 | if (EFI_ERROR (Status)) {\r | |
3177 | return Status;\r | |
3178 | }\r | |
3179 | }\r | |
3180 | \r | |
3181 | IKE_PACKET_REF (IkePacket);\r | |
3182 | //\r | |
3183 | // If the last sent packet is same with this round packet, the packet is resent packet. \r | |
3184 | //\r | |
3185 | if (IkePacket != Common->LastSentPacket && Common->LastSentPacket != NULL) {\r | |
3186 | IkePacketFree (Common->LastSentPacket);\r | |
3187 | }\r | |
3188 | \r | |
3189 | Common->LastSentPacket = IkePacket;\r | |
3190 | \r | |
3191 | //\r | |
3192 | // Transform IkePacke to NetBuf\r | |
3193 | //\r | |
3194 | IkePacketNetbuf = IkeNetbufFromPacket ((UINT8 *) SessionCommon, IkePacket, IkeType);\r | |
3195 | ASSERT (IkePacketNetbuf != NULL);\r | |
3196 | \r | |
3197 | ZeroMem (&EndPoint, sizeof (UDP_END_POINT));\r | |
3198 | EndPoint.RemotePort = IKE_DEFAULT_PORT;\r | |
3199 | CopyMem (&IkePacket->RemotePeerIp, &Common->RemotePeerIp, sizeof (EFI_IP_ADDRESS));\r | |
3200 | CopyMem (&EndPoint.RemoteAddr, &Common->RemotePeerIp, sizeof (EFI_IP_ADDRESS));\r | |
3201 | CopyMem (&EndPoint.LocalAddr, &Common->LocalPeerIp, sizeof (EFI_IP_ADDRESS));\r | |
3202 | \r | |
3203 | IPSEC_DUMP_PACKET (IkePacket, EfiIPsecOutBound, IkeUdpService->IpVersion);\r | |
3204 | \r | |
3205 | if (IkeUdpService->IpVersion == IP_VERSION_4) {\r | |
3206 | EndPoint.RemoteAddr.Addr[0] = HTONL (EndPoint.RemoteAddr.Addr[0]);\r | |
3207 | EndPoint.LocalAddr.Addr[0] = HTONL (EndPoint.LocalAddr.Addr[0]);\r | |
3208 | }\r | |
3209 | \r | |
3210 | //\r | |
3211 | // Call UDPIO to send out the IKE packet.\r | |
3212 | //\r | |
3213 | Status = UdpIoSendDatagram (\r | |
3214 | IkeUdpService->Output,\r | |
3215 | IkePacketNetbuf,\r | |
3216 | &EndPoint,\r | |
3217 | NULL,\r | |
3218 | Ikev2OnPacketSent,\r | |
3219 | (VOID*)IkePacket\r | |
3220 | );\r | |
3221 | \r | |
3222 | if (EFI_ERROR (Status)) {\r | |
3223 | DEBUG ((DEBUG_ERROR, "Error send packet with %r\n", Status));\r | |
3224 | }\r | |
3225 | \r | |
3226 | return Status;\r | |
3227 | }\r | |
3228 | \r |