]>
Commit | Line | Data |
---|---|---|
9166f840 | 1 | /** @file\r |
2 | The implementation of Payloads Creation.\r | |
3 | \r | |
e8837edd | 4 | (C) Copyright 2015 Hewlett-Packard Development Company, L.P.<BR>\r |
f75a7f56 | 5 | Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>\r |
9166f840 | 6 | \r |
ecf98fbc | 7 | SPDX-License-Identifier: BSD-2-Clause-Patent\r |
9166f840 | 8 | \r |
9 | **/\r | |
10 | \r | |
11 | #include "Utility.h"\r | |
12 | #include "IpSecDebug.h"\r | |
13 | #include "IpSecConfigImpl.h"\r | |
14 | #include "IpSecCryptIo.h"\r | |
15 | \r | |
16 | //\r | |
6cf9230f | 17 | // The Constant String of "Key Pad for IKEv2" for Authentication Payload generation.\r |
9166f840 | 18 | //\r |
19 | #define CONSTANT_KEY_SIZE 17\r | |
6cf9230f | 20 | GLOBAL_REMOVE_IF_UNREFERENCED CHAR8 mConstantKey[CONSTANT_KEY_SIZE] =\r |
9166f840 | 21 | {\r |
22 | 'K', 'e', 'y', ' ', 'P', 'a', 'd', ' ', 'f', 'o', 'r', ' ', 'I', 'K', 'E', 'v', '2'\r | |
23 | };\r | |
24 | \r | |
25 | /**\r | |
26 | Generate Ikev2 SA payload according to SessionSaData\r | |
27 | \r | |
28 | @param[in] SessionSaData The data used in SA payload.\r | |
6cf9230f | 29 | @param[in] NextPayload The payload type presented in NextPayload field of\r |
9166f840 | 30 | SA Payload header.\r |
31 | @param[in] Type The SA type. It MUST be neither (1) for IKE_SA or\r | |
32 | (2) for CHILD_SA or (3) for INFO.\r | |
33 | \r | |
34 | @retval a Pointer to SA IKE payload.\r | |
6cf9230f | 35 | \r |
9166f840 | 36 | **/\r |
37 | IKE_PAYLOAD *\r | |
38 | Ikev2GenerateSaPayload (\r | |
39 | IN IKEV2_SA_DATA *SessionSaData,\r | |
40 | IN UINT8 NextPayload,\r | |
41 | IN IKE_SESSION_TYPE Type\r | |
42 | )\r | |
43 | {\r | |
44 | IKE_PAYLOAD *SaPayload;\r | |
45 | IKEV2_SA_DATA *SaData;\r | |
46 | UINTN SaDataSize;\r | |
47 | \r | |
48 | SaPayload = IkePayloadAlloc ();\r | |
6b16c9e7 JW |
49 | if (SaPayload == NULL) {\r |
50 | return NULL;\r | |
51 | }\r | |
f75a7f56 | 52 | \r |
9166f840 | 53 | //\r |
54 | // TODO: Get the Proposal Number and Transform Number from IPsec Config,\r | |
55 | // after the Ipsecconfig Application is support it.\r | |
56 | //\r | |
6cf9230f | 57 | \r |
9166f840 | 58 | if (Type == IkeSessionTypeIkeSa) {\r |
6cf9230f | 59 | SaDataSize = sizeof (IKEV2_SA_DATA) +\r |
9166f840 | 60 | SessionSaData->NumProposals * sizeof (IKEV2_PROPOSAL_DATA) +\r |
61 | sizeof (IKEV2_TRANSFORM_DATA) * SessionSaData->NumProposals * 4;\r | |
62 | } else {\r | |
6cf9230f | 63 | SaDataSize = sizeof (IKEV2_SA_DATA) +\r |
9166f840 | 64 | SessionSaData->NumProposals * sizeof (IKEV2_PROPOSAL_DATA) +\r |
65 | sizeof (IKEV2_TRANSFORM_DATA) * SessionSaData->NumProposals * 3;\r | |
6cf9230f | 66 | \r |
9166f840 | 67 | }\r |
68 | \r | |
69 | SaData = AllocateZeroPool (SaDataSize);\r | |
6b16c9e7 JW |
70 | if (SaData == NULL) {\r |
71 | IkePayloadFree (SaPayload);\r | |
72 | return NULL;\r | |
73 | }\r | |
9166f840 | 74 | \r |
75 | CopyMem (SaData, SessionSaData, SaDataSize);\r | |
76 | SaData->SaHeader.Header.NextPayload = NextPayload;\r | |
77 | SaPayload->PayloadType = IKEV2_PAYLOAD_TYPE_SA;\r | |
78 | SaPayload->PayloadBuf = (UINT8 *) SaData;\r | |
79 | \r | |
80 | return SaPayload;\r | |
81 | }\r | |
82 | \r | |
83 | /**\r | |
84 | Generate a Nonce payload containing the input parameter NonceBuf.\r | |
85 | \r | |
6cf9230f | 86 | @param[in] NonceBuf The nonce buffer contains the whole Nonce payload block\r |
9166f840 | 87 | except the payload header.\r |
88 | @param[in] NonceSize The buffer size of the NonceBuf\r | |
6cf9230f | 89 | @param[in] NextPayload The payload type presented in the NextPayload field\r |
9166f840 | 90 | of Nonce Payload header.\r |
91 | \r | |
92 | @retval Pointer to Nonce IKE paload.\r | |
93 | \r | |
94 | **/\r | |
95 | IKE_PAYLOAD *\r | |
96 | Ikev2GenerateNoncePayload (\r | |
97 | IN UINT8 *NonceBuf,\r | |
98 | IN UINTN NonceSize,\r | |
99 | IN UINT8 NextPayload\r | |
100 | )\r | |
101 | {\r | |
102 | IKE_PAYLOAD *NoncePayload;\r | |
103 | IKEV2_NONCE *Nonce;\r | |
104 | UINTN Size;\r | |
105 | UINT8 *NonceBlock;\r | |
106 | \r | |
107 | // 1 2 3\r | |
108 | // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1\r | |
109 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
110 | // ! Next Payload !C! RESERVED ! Payload Length !\r | |
111 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
112 | // ! !\r | |
113 | // ~ Nonce Data ~\r | |
114 | // ! !\r | |
115 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
116 | //\r | |
117 | Size = sizeof (IKEV2_NONCE) + NonceSize;\r | |
118 | NonceBlock = NonceBuf;\r | |
119 | \r | |
120 | Nonce = AllocateZeroPool (Size);\r | |
6b16c9e7 JW |
121 | if (Nonce == NULL) {\r |
122 | return NULL;\r | |
123 | }\r | |
f75a7f56 | 124 | \r |
9166f840 | 125 | CopyMem (Nonce + 1, NonceBlock, Size - sizeof (IKEV2_NONCE));\r |
126 | \r | |
127 | Nonce->Header.NextPayload = NextPayload;\r | |
128 | Nonce->Header.PayloadLength = (UINT16) Size;\r | |
129 | NoncePayload = IkePayloadAlloc ();\r | |
6b16c9e7 JW |
130 | if (NoncePayload == NULL) {\r |
131 | FreePool (Nonce);\r | |
132 | return NULL;\r | |
133 | }\r | |
f75a7f56 | 134 | \r |
9166f840 | 135 | NoncePayload->PayloadType = IKEV2_PAYLOAD_TYPE_NONCE;\r |
136 | NoncePayload->PayloadBuf = (UINT8 *) Nonce;\r | |
137 | NoncePayload->PayloadSize = Size;\r | |
138 | \r | |
139 | return NoncePayload;\r | |
140 | }\r | |
141 | \r | |
142 | /**\r | |
6cf9230f | 143 | Generate a Key Exchange payload according to the DH group type and save the\r |
9166f840 | 144 | public Key into IkeSaSession IkeKey field.\r |
145 | \r | |
146 | @param[in, out] IkeSaSession Pointer of the IKE_SA_SESSION.\r | |
6cf9230f | 147 | @param[in] NextPayload The payload type presented in the NextPayload field of Key\r |
9166f840 | 148 | Exchange Payload header.\r |
149 | \r | |
150 | @retval Pointer to Key IKE payload.\r | |
151 | \r | |
152 | **/\r | |
153 | IKE_PAYLOAD*\r | |
154 | Ikev2GenerateKePayload (\r | |
155 | IN OUT IKEV2_SA_SESSION *IkeSaSession,\r | |
156 | IN UINT8 NextPayload\r | |
157 | )\r | |
158 | {\r | |
159 | IKE_PAYLOAD *KePayload;\r | |
160 | IKEV2_KEY_EXCHANGE *Ke;\r | |
161 | UINTN KeSize;\r | |
162 | IKEV2_SESSION_KEYS *IkeKeys;\r | |
163 | \r | |
164 | //\r | |
165 | // 1 2 3\r | |
166 | // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1\r | |
167 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
168 | // ! Next Payload !C! RESERVED ! Payload Length !\r | |
169 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
170 | // ! DH Group # ! RESERVED !\r | |
171 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
172 | // ! !\r | |
173 | // ~ Key Exchange Data ~\r | |
174 | // ! !\r | |
175 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
176 | //\r | |
177 | IkeKeys = IkeSaSession->IkeKeys;\r | |
178 | \r | |
179 | if (IkeSaSession->SessionCommon.IsInitiator) {\r | |
180 | KeSize = sizeof (IKEV2_KEY_EXCHANGE) + IkeKeys->DhBuffer->GxSize;\r | |
181 | } else {\r | |
182 | KeSize = sizeof (IKEV2_KEY_EXCHANGE) + IkeKeys->DhBuffer->GxSize;\r | |
183 | }\r | |
6cf9230f | 184 | \r |
9166f840 | 185 | //\r |
186 | // Allocate buffer for Key Exchange\r | |
187 | //\r | |
188 | Ke = AllocateZeroPool (KeSize);\r | |
6b16c9e7 JW |
189 | if (Ke == NULL) {\r |
190 | return NULL;\r | |
191 | }\r | |
9166f840 | 192 | \r |
193 | Ke->Header.NextPayload = NextPayload;\r | |
194 | Ke->Header.PayloadLength = (UINT16) KeSize;\r | |
195 | Ke->DhGroup = IkeSaSession->SessionCommon.PreferDhGroup;\r | |
196 | \r | |
197 | CopyMem (Ke + 1, IkeKeys->DhBuffer->GxBuffer, IkeKeys->DhBuffer->GxSize);\r | |
6cf9230f | 198 | \r |
199 | //\r | |
200 | // Create IKE_PAYLOAD to point to Key Exchange payload\r | |
9166f840 | 201 | //\r |
9166f840 | 202 | KePayload = IkePayloadAlloc ();\r |
6b16c9e7 JW |
203 | if (KePayload == NULL) {\r |
204 | FreePool (Ke);\r | |
205 | return NULL;\r | |
206 | }\r | |
6cf9230f | 207 | \r |
9166f840 | 208 | KePayload->PayloadType = IKEV2_PAYLOAD_TYPE_KE;\r |
209 | KePayload->PayloadBuf = (UINT8 *) Ke;\r | |
210 | KePayload->PayloadSize = KeSize;\r | |
211 | return KePayload;\r | |
212 | }\r | |
213 | \r | |
214 | /**\r | |
215 | Generate a ID payload.\r | |
216 | \r | |
217 | @param[in] CommonSession Pointer to IKEV2_SESSION_COMMON related to ID payload.\r | |
6cf9230f | 218 | @param[in] NextPayload The payload type presented in the NextPayload field\r |
9166f840 | 219 | of ID Payload header.\r |
220 | \r | |
221 | @retval Pointer to ID IKE payload.\r | |
222 | \r | |
223 | **/\r | |
224 | IKE_PAYLOAD *\r | |
225 | Ikev2GenerateIdPayload (\r | |
226 | IN IKEV2_SESSION_COMMON *CommonSession,\r | |
227 | IN UINT8 NextPayload\r | |
228 | )\r | |
229 | {\r | |
230 | IKE_PAYLOAD *IdPayload;\r | |
231 | IKEV2_ID *Id;\r | |
232 | UINTN IdSize;\r | |
233 | UINT8 IpVersion;\r | |
234 | UINT8 AddrSize;\r | |
235 | \r | |
236 | //\r | |
237 | // ID payload\r | |
238 | // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1\r | |
239 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
240 | // ! Next Payload ! RESERVED ! Payload Length !\r | |
241 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
242 | // ! ID Type ! RESERVED !\r | |
243 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
244 | // ! !\r | |
245 | // ~ Identification Data ~\r | |
246 | // ! !\r | |
247 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
248 | //\r | |
6cf9230f | 249 | \r |
9166f840 | 250 | IpVersion = CommonSession->UdpService->IpVersion;\r |
251 | AddrSize = (UINT8) ((IpVersion == IP_VERSION_4) ? sizeof(EFI_IPv4_ADDRESS) : sizeof(EFI_IPv6_ADDRESS));\r | |
252 | IdSize = sizeof (IKEV2_ID) + AddrSize;\r | |
253 | \r | |
254 | Id = (IKEV2_ID *) AllocateZeroPool (IdSize);\r | |
6b16c9e7 JW |
255 | if (Id == NULL) {\r |
256 | return NULL;\r | |
257 | }\r | |
9166f840 | 258 | \r |
259 | IdPayload = IkePayloadAlloc ();\r | |
6b16c9e7 JW |
260 | if (IdPayload == NULL) {\r |
261 | FreePool (Id);\r | |
262 | return NULL;\r | |
263 | }\r | |
9166f840 | 264 | \r |
265 | IdPayload->PayloadType = (UINT8) ((CommonSession->IsInitiator) ? IKEV2_PAYLOAD_TYPE_ID_INIT : IKEV2_PAYLOAD_TYPE_ID_RSP);\r | |
266 | IdPayload->PayloadBuf = (UINT8 *) Id;\r | |
267 | IdPayload->PayloadSize = IdSize;\r | |
268 | \r | |
269 | //\r | |
6cf9230f | 270 | // Set generic header of identification payload\r |
9166f840 | 271 | //\r |
272 | Id->Header.NextPayload = NextPayload;\r | |
273 | Id->Header.PayloadLength = (UINT16) IdSize;\r | |
274 | Id->IdType = (UINT8) ((IpVersion == IP_VERSION_4) ? IKEV2_ID_TYPE_IPV4_ADDR : IKEV2_ID_TYPE_IPV6_ADDR);\r | |
275 | CopyMem (Id + 1, &CommonSession->LocalPeerIp, AddrSize);\r | |
276 | \r | |
277 | return IdPayload;\r | |
278 | }\r | |
279 | \r | |
280 | /**\r | |
281 | Generate a ID payload.\r | |
282 | \r | |
283 | @param[in] CommonSession Pointer to IKEV2_SESSION_COMMON related to ID payload.\r | |
6cf9230f | 284 | @param[in] NextPayload The payload type presented in the NextPayload field\r |
9166f840 | 285 | of ID Payload header.\r |
286 | @param[in] InCert Pointer to the Certificate which distinguished name\r | |
287 | will be added into the Id payload.\r | |
288 | @param[in] CertSize Size of the Certificate.\r | |
289 | \r | |
290 | @retval Pointer to ID IKE payload.\r | |
291 | \r | |
292 | **/\r | |
293 | IKE_PAYLOAD *\r | |
294 | Ikev2GenerateCertIdPayload (\r | |
295 | IN IKEV2_SESSION_COMMON *CommonSession,\r | |
296 | IN UINT8 NextPayload,\r | |
297 | IN UINT8 *InCert,\r | |
298 | IN UINTN CertSize\r | |
299 | )\r | |
300 | {\r | |
301 | IKE_PAYLOAD *IdPayload;\r | |
302 | IKEV2_ID *Id;\r | |
303 | UINTN IdSize;\r | |
9166f840 | 304 | UINTN SubjectSize;\r |
305 | UINT8 *CertSubject;\r | |
6cf9230f | 306 | \r |
9166f840 | 307 | //\r |
308 | // ID payload\r | |
309 | // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1\r | |
310 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
311 | // ! Next Payload ! RESERVED ! Payload Length !\r | |
312 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
313 | // ! ID Type ! RESERVED !\r | |
314 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
315 | // ! !\r | |
316 | // ~ Identification Data ~\r | |
317 | // ! !\r | |
318 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
319 | //\r | |
320 | \r | |
321 | SubjectSize = 0;\r | |
322 | CertSubject = NULL;\r | |
9166f840 | 323 | IpSecCryptoIoGetSubjectFromCert (\r |
324 | InCert,\r | |
325 | CertSize,\r | |
326 | &CertSubject,\r | |
327 | &SubjectSize\r | |
328 | );\r | |
02a758cb | 329 | if (SubjectSize != 0) {\r |
330 | ASSERT (CertSubject != NULL);\r | |
331 | }\r | |
9166f840 | 332 | \r |
333 | IdSize = sizeof (IKEV2_ID) + SubjectSize;\r | |
334 | \r | |
335 | Id = (IKEV2_ID *) AllocateZeroPool (IdSize);\r | |
6b16c9e7 JW |
336 | if (Id == NULL) {\r |
337 | return NULL;\r | |
338 | }\r | |
9166f840 | 339 | \r |
340 | IdPayload = IkePayloadAlloc ();\r | |
6b16c9e7 JW |
341 | if (IdPayload == NULL) {\r |
342 | FreePool (Id);\r | |
343 | return NULL;\r | |
344 | }\r | |
9166f840 | 345 | \r |
346 | IdPayload->PayloadType = (UINT8) ((CommonSession->IsInitiator) ? IKEV2_PAYLOAD_TYPE_ID_INIT : IKEV2_PAYLOAD_TYPE_ID_RSP);\r | |
347 | IdPayload->PayloadBuf = (UINT8 *) Id;\r | |
348 | IdPayload->PayloadSize = IdSize;\r | |
349 | \r | |
350 | //\r | |
6cf9230f | 351 | // Set generic header of identification payload\r |
9166f840 | 352 | //\r |
353 | Id->Header.NextPayload = NextPayload;\r | |
354 | Id->Header.PayloadLength = (UINT16) IdSize;\r | |
355 | Id->IdType = 9;\r | |
356 | CopyMem (Id + 1, CertSubject, SubjectSize);\r | |
357 | \r | |
358 | if (CertSubject != NULL) {\r | |
359 | FreePool (CertSubject);\r | |
360 | }\r | |
361 | return IdPayload;\r | |
362 | }\r | |
363 | \r | |
364 | /**\r | |
365 | Generate a Authentication Payload.\r | |
366 | \r | |
6cf9230f | 367 | This function is used for both Authentication generation and verification. When the\r |
368 | IsVerify is TRUE, it create a Auth Data for verification. This function choose the\r | |
9166f840 | 369 | related IKE_SA_INIT Message for Auth data creation according to the IKE Session's type\r |
370 | and the value of IsVerify parameter.\r | |
371 | \r | |
372 | @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION related to.\r | |
6cf9230f | 373 | @param[in] IdPayload Pointer to the ID payload to be used for Authentication\r |
9166f840 | 374 | payload generation.\r |
6cf9230f | 375 | @param[in] NextPayload The type filled into the Authentication Payload next\r |
9166f840 | 376 | payload field.\r |
377 | @param[in] IsVerify If it is TURE, the Authentication payload is used for\r | |
378 | verification.\r | |
379 | \r | |
380 | @return pointer to IKE Authentication payload for Pre-shared key method.\r | |
381 | \r | |
382 | **/\r | |
383 | IKE_PAYLOAD *\r | |
384 | Ikev2PskGenerateAuthPayload (\r | |
385 | IN IKEV2_SA_SESSION *IkeSaSession,\r | |
386 | IN IKE_PAYLOAD *IdPayload,\r | |
387 | IN UINT8 NextPayload,\r | |
388 | IN BOOLEAN IsVerify\r | |
389 | )\r | |
390 | {\r | |
391 | UINT8 *Digest;\r | |
392 | UINTN DigestSize;\r | |
393 | PRF_DATA_FRAGMENT Fragments[3];\r | |
394 | UINT8 *KeyBuf;\r | |
395 | UINTN KeySize;\r | |
396 | IKE_PAYLOAD *AuthPayload;\r | |
397 | IKEV2_AUTH *PayloadBuf;\r | |
398 | EFI_STATUS Status;\r | |
399 | \r | |
400 | //\r | |
401 | // Auth = Prf(Prf(Secret,"Key Pad for IKEv2),IKE_SA_INIi/r|Ni/r|Prf(SK_Pr, IDi/r))\r | |
402 | //\r | |
403 | // 1 2 3\r | |
404 | // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1\r | |
405 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
406 | // ! Next Payload !C! RESERVED ! Payload Length !\r | |
407 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
408 | // ! Auth Method ! RESERVED !\r | |
409 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
410 | // ! !\r | |
411 | // ~ Authentication Data ~\r | |
412 | // ! !\r | |
413 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
414 | //\r | |
6cf9230f | 415 | \r |
9166f840 | 416 | KeyBuf = NULL;\r |
417 | AuthPayload = NULL;\r | |
418 | Digest = NULL;\r | |
6cf9230f | 419 | \r |
9166f840 | 420 | DigestSize = IpSecGetHmacDigestLength ((UINT8)IkeSaSession->SessionCommon.SaParams->Prf);\r |
421 | Digest = AllocateZeroPool (DigestSize);\r | |
9166f840 | 422 | if (Digest == NULL) {\r |
423 | return NULL;\r | |
424 | }\r | |
f75a7f56 | 425 | \r |
9166f840 | 426 | if (IdPayload == NULL) {\r |
427 | return NULL;\r | |
428 | }\r | |
f75a7f56 | 429 | \r |
9166f840 | 430 | //\r |
431 | // Calcualte Prf(Seceret, "Key Pad for IKEv2");\r | |
432 | //\r | |
433 | Fragments[0].Data = (UINT8 *) mConstantKey;\r | |
434 | Fragments[0].DataSize = CONSTANT_KEY_SIZE;\r | |
435 | \r | |
436 | Status = IpSecCryptoIoHmac (\r | |
437 | (UINT8)IkeSaSession->SessionCommon.SaParams->Prf,\r | |
438 | IkeSaSession->Pad->Data->AuthData,\r | |
6cf9230f | 439 | IkeSaSession->Pad->Data->AuthDataSize,\r |
9166f840 | 440 | (HASH_DATA_FRAGMENT *)Fragments,\r |
441 | 1,\r | |
442 | Digest,\r | |
443 | DigestSize\r | |
444 | );\r | |
445 | if (EFI_ERROR (Status)) {\r | |
446 | goto EXIT;\r | |
447 | }\r | |
448 | \r | |
449 | //\r | |
450 | // Store the AuthKey into KeyBuf\r | |
451 | //\r | |
452 | KeyBuf = AllocateZeroPool (DigestSize);\r | |
6b16c9e7 JW |
453 | if (KeyBuf == NULL) {\r |
454 | Status = EFI_OUT_OF_RESOURCES;\r | |
455 | goto EXIT;\r | |
456 | }\r | |
f75a7f56 | 457 | \r |
9166f840 | 458 | CopyMem (KeyBuf, Digest, DigestSize);\r |
459 | KeySize = DigestSize;\r | |
460 | \r | |
461 | //\r | |
462 | // Calculate Prf(SK_Pi/r, IDi/r)\r | |
463 | //\r | |
464 | Fragments[0].Data = IdPayload->PayloadBuf + sizeof (IKEV2_COMMON_PAYLOAD_HEADER);\r | |
465 | Fragments[0].DataSize = IdPayload->PayloadSize - sizeof (IKEV2_COMMON_PAYLOAD_HEADER);\r | |
466 | \r | |
467 | if ((IkeSaSession->SessionCommon.IsInitiator && IsVerify) ||\r | |
468 | (!IkeSaSession->SessionCommon.IsInitiator && !IsVerify)\r | |
469 | ) {\r | |
470 | Status = IpSecCryptoIoHmac (\r | |
471 | (UINT8)IkeSaSession->SessionCommon.SaParams->Prf,\r | |
472 | IkeSaSession->IkeKeys->SkPrKey,\r | |
473 | IkeSaSession->IkeKeys->SkPrKeySize,\r | |
474 | (HASH_DATA_FRAGMENT *) Fragments,\r | |
475 | 1,\r | |
476 | Digest,\r | |
477 | DigestSize\r | |
478 | );\r | |
479 | } else {\r | |
480 | Status = IpSecCryptoIoHmac (\r | |
481 | (UINT8)IkeSaSession->SessionCommon.SaParams->Prf,\r | |
482 | IkeSaSession->IkeKeys->SkPiKey,\r | |
483 | IkeSaSession->IkeKeys->SkPiKeySize,\r | |
484 | (HASH_DATA_FRAGMENT *) Fragments,\r | |
485 | 1,\r | |
486 | Digest,\r | |
487 | DigestSize\r | |
488 | );\r | |
489 | }\r | |
490 | if (EFI_ERROR (Status)) {\r | |
491 | goto EXIT;\r | |
492 | }\r | |
493 | \r | |
494 | //\r | |
495 | // Copy data to Fragments.\r | |
496 | //\r | |
497 | if ((IkeSaSession->SessionCommon.IsInitiator && IsVerify) ||\r | |
498 | (!IkeSaSession->SessionCommon.IsInitiator && !IsVerify)\r | |
499 | ) {\r | |
500 | Fragments[0].Data = IkeSaSession->RespPacket;\r | |
501 | Fragments[0].DataSize = IkeSaSession->RespPacketSize;\r | |
502 | Fragments[1].Data = IkeSaSession->NiBlock;\r | |
503 | Fragments[1].DataSize = IkeSaSession->NiBlkSize;\r | |
504 | } else {\r | |
505 | Fragments[0].Data = IkeSaSession->InitPacket;\r | |
506 | Fragments[0].DataSize = IkeSaSession->InitPacketSize;\r | |
507 | Fragments[1].Data = IkeSaSession->NrBlock;\r | |
508 | Fragments[1].DataSize = IkeSaSession->NrBlkSize;\r | |
509 | }\r | |
510 | \r | |
511 | //\r | |
512 | // Copy the result of Prf(SK_Pr, IDi/r) to Fragments[2].\r | |
6cf9230f | 513 | //\r |
9166f840 | 514 | Fragments[2].Data = AllocateZeroPool (DigestSize);\r |
6b16c9e7 JW |
515 | if (Fragments[2].Data == NULL) {\r |
516 | Status = EFI_OUT_OF_RESOURCES;\r | |
517 | goto EXIT;\r | |
518 | }\r | |
f75a7f56 | 519 | \r |
9166f840 | 520 | Fragments[2].DataSize = DigestSize;\r |
521 | CopyMem (Fragments[2].Data, Digest, DigestSize);\r | |
522 | \r | |
523 | //\r | |
524 | // Calculate Prf(Key,IKE_SA_INIi/r|Ni/r|Prf(SK_Pr, IDi/r))\r | |
525 | //\r | |
526 | Status = IpSecCryptoIoHmac (\r | |
527 | (UINT8)IkeSaSession->SessionCommon.SaParams->Prf,\r | |
528 | KeyBuf,\r | |
529 | KeySize,\r | |
530 | (HASH_DATA_FRAGMENT *) Fragments,\r | |
531 | 3,\r | |
532 | Digest,\r | |
533 | DigestSize\r | |
534 | );\r | |
535 | if (EFI_ERROR (Status)) {\r | |
536 | goto EXIT;\r | |
537 | }\r | |
538 | \r | |
539 | //\r | |
540 | // Allocate buffer for Auth Payload\r | |
541 | //\r | |
542 | AuthPayload = IkePayloadAlloc ();\r | |
6b16c9e7 JW |
543 | if (AuthPayload == NULL) {\r |
544 | Status = EFI_OUT_OF_RESOURCES;\r | |
545 | goto EXIT;\r | |
546 | }\r | |
9166f840 | 547 | \r |
548 | AuthPayload->PayloadSize = sizeof (IKEV2_AUTH) + DigestSize;\r | |
549 | PayloadBuf = (IKEV2_AUTH *) AllocateZeroPool (AuthPayload->PayloadSize);\r | |
6b16c9e7 JW |
550 | if (PayloadBuf == NULL) {\r |
551 | Status = EFI_OUT_OF_RESOURCES;\r | |
552 | goto EXIT;\r | |
553 | }\r | |
f75a7f56 | 554 | \r |
9166f840 | 555 | //\r |
556 | // Fill in Auth payload.\r | |
557 | //\r | |
558 | PayloadBuf->Header.NextPayload = NextPayload;\r | |
559 | PayloadBuf->Header.PayloadLength = (UINT16) (AuthPayload->PayloadSize);\r | |
560 | if (IkeSaSession->Pad->Data->AuthMethod == EfiIPsecAuthMethodPreSharedSecret) {\r | |
561 | //\r | |
562 | // Only support Shared Key Message Integrity\r | |
563 | //\r | |
564 | PayloadBuf->AuthMethod = IKEV2_AUTH_METHOD_SKMI;\r | |
565 | } else {\r | |
566 | //\r | |
567 | // Not support other Auth method.\r | |
568 | //\r | |
569 | Status = EFI_UNSUPPORTED;\r | |
570 | goto EXIT;\r | |
571 | }\r | |
572 | \r | |
573 | //\r | |
574 | // Copy the result of Prf(Key,IKE_SA_INIi/r|Ni/r|Prf(SK_Pr, IDi/r)) to Auth\r | |
575 | // payload block.\r | |
576 | //\r | |
577 | CopyMem (\r | |
578 | PayloadBuf + 1,\r | |
579 | Digest,\r | |
580 | DigestSize\r | |
581 | );\r | |
6cf9230f | 582 | \r |
9166f840 | 583 | //\r |
584 | // Fill in IKE_PACKET\r | |
585 | //\r | |
586 | AuthPayload->PayloadBuf = (UINT8 *) PayloadBuf;\r | |
587 | AuthPayload->PayloadType = IKEV2_PAYLOAD_TYPE_AUTH;\r | |
588 | \r | |
589 | EXIT:\r | |
590 | if (KeyBuf != NULL) {\r | |
591 | FreePool (KeyBuf);\r | |
592 | }\r | |
593 | if (Digest != NULL) {\r | |
594 | FreePool (Digest);\r | |
595 | }\r | |
596 | if (Fragments[2].Data != NULL) {\r | |
597 | //\r | |
598 | // Free the buffer which contains the result of Prf(SK_Pr, IDi/r)\r | |
6cf9230f | 599 | //\r |
9166f840 | 600 | FreePool (Fragments[2].Data);\r |
601 | }\r | |
602 | \r | |
603 | if (EFI_ERROR (Status)) {\r | |
604 | if (AuthPayload != NULL) {\r | |
605 | IkePayloadFree (AuthPayload);\r | |
606 | }\r | |
607 | return NULL;\r | |
608 | } else {\r | |
609 | return AuthPayload;\r | |
610 | }\r | |
611 | }\r | |
612 | \r | |
613 | /**\r | |
6cf9230f | 614 | Generate a Authentication Payload for Certificate Auth method.\r |
9166f840 | 615 | \r |
6cf9230f | 616 | This function has two functions. One is creating a local Authentication\r |
617 | Payload for sending and other is creating the remote Authentication data\r | |
9166f840 | 618 | for verification when the IsVerify is TURE.\r |
619 | \r | |
620 | @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION related to.\r | |
6cf9230f | 621 | @param[in] IdPayload Pointer to the ID payload to be used for Authentication\r |
9166f840 | 622 | payload generation.\r |
6cf9230f | 623 | @param[in] NextPayload The type filled into the Authentication Payload\r |
9166f840 | 624 | next payload field.\r |
6cf9230f | 625 | @param[in] IsVerify If it is TURE, the Authentication payload is used\r |
9166f840 | 626 | for verification.\r |
6cf9230f | 627 | @param[in] UefiPrivateKey Pointer to the UEFI private key. Ignore it when\r |
9166f840 | 628 | verify the authenticate payload.\r |
6cf9230f | 629 | @param[in] UefiPrivateKeyLen The size of UefiPrivateKey in bytes. Ignore it\r |
9166f840 | 630 | when verify the authenticate payload.\r |
6cf9230f | 631 | @param[in] UefiKeyPwd Pointer to the password of UEFI private key.\r |
9166f840 | 632 | Ignore it when verify the authenticate payload.\r |
6cf9230f | 633 | @param[in] UefiKeyPwdLen The size of UefiKeyPwd in bytes.Ignore it when\r |
9166f840 | 634 | verify the authenticate payload.\r |
635 | \r | |
636 | @return pointer to IKE Authentication payload for Cerifitcation method.\r | |
637 | \r | |
638 | **/\r | |
639 | IKE_PAYLOAD *\r | |
640 | Ikev2CertGenerateAuthPayload (\r | |
641 | IN IKEV2_SA_SESSION *IkeSaSession,\r | |
642 | IN IKE_PAYLOAD *IdPayload,\r | |
643 | IN UINT8 NextPayload,\r | |
644 | IN BOOLEAN IsVerify,\r | |
645 | IN UINT8 *UefiPrivateKey,\r | |
646 | IN UINTN UefiPrivateKeyLen,\r | |
647 | IN UINT8 *UefiKeyPwd,\r | |
648 | IN UINTN UefiKeyPwdLen\r | |
649 | )\r | |
650 | {\r | |
651 | UINT8 *Digest;\r | |
652 | UINTN DigestSize;\r | |
653 | PRF_DATA_FRAGMENT Fragments[3];\r | |
9166f840 | 654 | IKE_PAYLOAD *AuthPayload;\r |
655 | IKEV2_AUTH *PayloadBuf;\r | |
656 | EFI_STATUS Status;\r | |
657 | UINT8 *Signature;\r | |
658 | UINTN SigSize;\r | |
659 | \r | |
660 | //\r | |
661 | // Auth = Prf(Scert,IKE_SA_INIi/r|Ni/r|Prf(SK_Pr, IDi/r))\r | |
662 | //\r | |
663 | // 1 2 3\r | |
664 | // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1\r | |
665 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
666 | // ! Next Payload !C! RESERVED ! Payload Length !\r | |
667 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
668 | // ! Auth Method ! RESERVED !\r | |
669 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
670 | // ! !\r | |
671 | // ~ Authentication Data ~\r | |
672 | // ! !\r | |
673 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
674 | //\r | |
675 | //\r | |
676 | // Initial point\r | |
677 | //\r | |
9166f840 | 678 | AuthPayload = NULL;\r |
679 | Digest = NULL;\r | |
680 | Signature = NULL;\r | |
681 | SigSize = 0;\r | |
682 | \r | |
683 | if (IdPayload == NULL) {\r | |
684 | return NULL;\r | |
685 | }\r | |
686 | DigestSize = IpSecGetHmacDigestLength ((UINT8)IkeSaSession->SessionCommon.SaParams->Prf);\r | |
687 | Digest = AllocateZeroPool (DigestSize);\r | |
9166f840 | 688 | if (Digest == NULL) {\r |
689 | return NULL;\r | |
690 | }\r | |
691 | \r | |
9166f840 | 692 | //\r |
693 | // Calculate Prf(SK_Pi/r, IDi/r)\r | |
694 | //\r | |
695 | Fragments[0].Data = IdPayload->PayloadBuf + sizeof (IKEV2_COMMON_PAYLOAD_HEADER);\r | |
696 | Fragments[0].DataSize = IdPayload->PayloadSize - sizeof (IKEV2_COMMON_PAYLOAD_HEADER);\r | |
697 | \r | |
698 | IpSecDumpBuf ("RestofIDPayload", Fragments[0].Data, Fragments[0].DataSize);\r | |
699 | \r | |
700 | if ((IkeSaSession->SessionCommon.IsInitiator && IsVerify) ||\r | |
701 | (!IkeSaSession->SessionCommon.IsInitiator && !IsVerify)\r | |
702 | ) {\r | |
703 | Status = IpSecCryptoIoHmac(\r | |
704 | (UINT8)IkeSaSession->SessionCommon.SaParams->Prf,\r | |
705 | IkeSaSession->IkeKeys->SkPrKey,\r | |
706 | IkeSaSession->IkeKeys->SkPrKeySize,\r | |
707 | (HASH_DATA_FRAGMENT *) Fragments,\r | |
708 | 1,\r | |
709 | Digest,\r | |
710 | DigestSize\r | |
711 | );\r | |
712 | IpSecDumpBuf ("MACedIDForR", Digest, DigestSize);\r | |
713 | } else {\r | |
714 | Status = IpSecCryptoIoHmac (\r | |
715 | (UINT8)IkeSaSession->SessionCommon.SaParams->Prf,\r | |
716 | IkeSaSession->IkeKeys->SkPiKey,\r | |
717 | IkeSaSession->IkeKeys->SkPiKeySize,\r | |
718 | (HASH_DATA_FRAGMENT *) Fragments,\r | |
719 | 1,\r | |
720 | Digest,\r | |
721 | DigestSize\r | |
722 | );\r | |
723 | IpSecDumpBuf ("MACedIDForI", Digest, DigestSize);\r | |
724 | }\r | |
725 | if (EFI_ERROR (Status)) {\r | |
726 | goto EXIT;\r | |
727 | }\r | |
728 | \r | |
729 | //\r | |
730 | // Copy data to Fragments.\r | |
731 | //\r | |
732 | if ((IkeSaSession->SessionCommon.IsInitiator && IsVerify) ||\r | |
733 | (!IkeSaSession->SessionCommon.IsInitiator && !IsVerify)\r | |
734 | ) {\r | |
735 | Fragments[0].Data = IkeSaSession->RespPacket;\r | |
736 | Fragments[0].DataSize = IkeSaSession->RespPacketSize;\r | |
737 | Fragments[1].Data = IkeSaSession->NiBlock;\r | |
738 | Fragments[1].DataSize = IkeSaSession->NiBlkSize;\r | |
739 | IpSecDumpBuf ("RealMessage2", Fragments[0].Data, Fragments[0].DataSize);\r | |
740 | IpSecDumpBuf ("NonceIDdata", Fragments[1].Data, Fragments[1].DataSize);\r | |
741 | } else {\r | |
742 | Fragments[0].Data = IkeSaSession->InitPacket;\r | |
743 | Fragments[0].DataSize = IkeSaSession->InitPacketSize;\r | |
744 | Fragments[1].Data = IkeSaSession->NrBlock;\r | |
745 | Fragments[1].DataSize = IkeSaSession->NrBlkSize;\r | |
746 | IpSecDumpBuf ("RealMessage1", Fragments[0].Data, Fragments[0].DataSize);\r | |
747 | IpSecDumpBuf ("NonceRDdata", Fragments[1].Data, Fragments[1].DataSize);\r | |
748 | }\r | |
6cf9230f | 749 | \r |
9166f840 | 750 | //\r |
751 | // Copy the result of Prf(SK_Pr, IDi/r) to Fragments[2].\r | |
6cf9230f | 752 | //\r |
9166f840 | 753 | Fragments[2].Data = AllocateZeroPool (DigestSize);\r |
6b16c9e7 JW |
754 | if (Fragments[2].Data == NULL) {\r |
755 | Status = EFI_OUT_OF_RESOURCES;\r | |
756 | goto EXIT;\r | |
757 | }\r | |
f75a7f56 | 758 | \r |
9166f840 | 759 | Fragments[2].DataSize = DigestSize;\r |
760 | CopyMem (Fragments[2].Data, Digest, DigestSize);\r | |
761 | \r | |
762 | //\r | |
763 | // Calculate Prf(Key,IKE_SA_INIi/r|Ni/r|Prf(SK_Pr, IDi/r))\r | |
764 | //\r | |
765 | Status = IpSecCryptoIoHash (\r | |
766 | (UINT8)IkeSaSession->SessionCommon.SaParams->Prf,\r | |
767 | (HASH_DATA_FRAGMENT *) Fragments,\r | |
768 | 3,\r | |
769 | Digest,\r | |
770 | DigestSize\r | |
771 | );\r | |
772 | if (EFI_ERROR (Status)) {\r | |
773 | goto EXIT;\r | |
774 | }\r | |
775 | \r | |
776 | IpSecDumpBuf ("HashSignedOctects", Digest, DigestSize);\r | |
777 | //\r | |
6cf9230f | 778 | // Sign the data by the private Key\r |
9166f840 | 779 | //\r |
780 | if (!IsVerify) {\r | |
781 | IpSecCryptoIoAuthDataWithCertificate (\r | |
782 | Digest,\r | |
783 | DigestSize,\r | |
784 | UefiPrivateKey,\r | |
785 | UefiPrivateKeyLen,\r | |
786 | UefiKeyPwd,\r | |
787 | UefiKeyPwdLen,\r | |
788 | &Signature,\r | |
789 | &SigSize\r | |
790 | );\r | |
791 | \r | |
02a758cb | 792 | if (SigSize == 0 || Signature == NULL) {\r |
9166f840 | 793 | goto EXIT;\r |
794 | }\r | |
795 | }\r | |
796 | \r | |
797 | //\r | |
798 | // Allocate buffer for Auth Payload\r | |
799 | //\r | |
800 | AuthPayload = IkePayloadAlloc ();\r | |
6b16c9e7 JW |
801 | if (AuthPayload == NULL) {\r |
802 | Status = EFI_OUT_OF_RESOURCES;\r | |
803 | goto EXIT;\r | |
804 | }\r | |
9166f840 | 805 | \r |
806 | if (!IsVerify) {\r | |
807 | AuthPayload->PayloadSize = sizeof (IKEV2_AUTH) + SigSize;\r | |
808 | } else {\r | |
809 | AuthPayload->PayloadSize = sizeof (IKEV2_AUTH) + DigestSize;\r | |
810 | }\r | |
811 | \r | |
812 | PayloadBuf = (IKEV2_AUTH *) AllocateZeroPool (AuthPayload->PayloadSize);\r | |
6b16c9e7 JW |
813 | if (PayloadBuf == NULL) {\r |
814 | Status = EFI_OUT_OF_RESOURCES;\r | |
815 | goto EXIT;\r | |
816 | }\r | |
f75a7f56 | 817 | \r |
9166f840 | 818 | //\r |
819 | // Fill in Auth payload.\r | |
820 | //\r | |
821 | PayloadBuf->Header.NextPayload = NextPayload;\r | |
822 | PayloadBuf->Header.PayloadLength = (UINT16) (AuthPayload->PayloadSize);\r | |
823 | if (IkeSaSession->Pad->Data->AuthMethod == EfiIPsecAuthMethodCertificates) {\r | |
824 | PayloadBuf->AuthMethod = IKEV2_AUTH_METHOD_RSA;\r | |
825 | } else {\r | |
826 | Status = EFI_INVALID_PARAMETER;\r | |
827 | goto EXIT;\r | |
828 | }\r | |
829 | \r | |
830 | //\r | |
831 | // Copy the result of Prf(Key,IKE_SA_INIi/r|Ni/r|Prf(SK_Pr, IDi/r)) to Auth\r | |
832 | // payload block.\r | |
833 | //\r | |
834 | if (!IsVerify) {\r | |
835 | CopyMem (PayloadBuf + 1, Signature, SigSize);\r | |
836 | } else {\r | |
837 | CopyMem (PayloadBuf + 1, Digest, DigestSize);\r | |
838 | }\r | |
839 | \r | |
840 | //\r | |
841 | // Fill in IKE_PACKET\r | |
842 | //\r | |
843 | AuthPayload->PayloadBuf = (UINT8 *) PayloadBuf;\r | |
844 | AuthPayload->PayloadType = IKEV2_PAYLOAD_TYPE_AUTH;\r | |
845 | \r | |
846 | EXIT:\r | |
9166f840 | 847 | if (Digest != NULL) {\r |
848 | FreePool (Digest);\r | |
849 | }\r | |
850 | if (Signature != NULL) {\r | |
851 | FreePool (Signature);\r | |
852 | }\r | |
853 | if (Fragments[2].Data != NULL) {\r | |
854 | //\r | |
855 | // Free the buffer which contains the result of Prf(SK_Pr, IDi/r)\r | |
6cf9230f | 856 | //\r |
9166f840 | 857 | FreePool (Fragments[2].Data);\r |
858 | }\r | |
859 | \r | |
860 | if (EFI_ERROR (Status)) {\r | |
861 | if (AuthPayload != NULL) {\r | |
862 | IkePayloadFree (AuthPayload);\r | |
863 | }\r | |
864 | return NULL;\r | |
865 | } else {\r | |
866 | return AuthPayload;\r | |
867 | }\r | |
868 | }\r | |
869 | \r | |
870 | /**\r | |
871 | Generate TS payload.\r | |
872 | \r | |
873 | This function generates TSi or TSr payload according to type of next payload.\r | |
874 | If the next payload is Responder TS, gereate TSi Payload. Otherwise, generate\r | |
875 | TSr payload.\r | |
6cf9230f | 876 | \r |
9166f840 | 877 | @param[in] ChildSa Pointer to IKEV2_CHILD_SA_SESSION related to this TS payload.\r |
6cf9230f | 878 | @param[in] NextPayload The payload type presented in the NextPayload field\r |
9166f840 | 879 | of ID Payload header.\r |
880 | @param[in] IsTunnel It indicates that if the Ts Payload is after the CP payload.\r | |
881 | If yes, it means the Tsi and Tsr payload should be with\r | |
882 | Max port range and address range and protocol is marked\r | |
883 | as zero.\r | |
884 | \r | |
885 | @retval Pointer to Ts IKE payload.\r | |
886 | \r | |
887 | **/\r | |
888 | IKE_PAYLOAD *\r | |
889 | Ikev2GenerateTsPayload (\r | |
890 | IN IKEV2_CHILD_SA_SESSION *ChildSa,\r | |
891 | IN UINT8 NextPayload,\r | |
892 | IN BOOLEAN IsTunnel\r | |
893 | )\r | |
894 | {\r | |
895 | IKE_PAYLOAD *TsPayload;\r | |
896 | IKEV2_TS *TsPayloadBuf;\r | |
897 | TRAFFIC_SELECTOR *TsSelector;\r | |
898 | UINTN SelectorSize;\r | |
899 | UINTN TsPayloadSize;\r | |
900 | UINT8 IpVersion;\r | |
901 | UINT8 AddrSize;\r | |
902 | \r | |
903 | //\r | |
904 | // 1 2 3\r | |
905 | // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1\r | |
906 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
907 | // ! Next Payload !C! RESERVED ! Payload Length !\r | |
908 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
909 | // ! Number of TSs ! RESERVED !\r | |
910 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
911 | // ! !\r | |
912 | // ~ <Traffic Selectors> ~\r | |
913 | // ! !\r | |
914 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
915 | //\r | |
916 | \r | |
917 | TsPayload = IkePayloadAlloc();\r | |
6b16c9e7 JW |
918 | if (TsPayload == NULL) {\r |
919 | return NULL;\r | |
920 | }\r | |
9166f840 | 921 | \r |
922 | IpVersion = ChildSa->SessionCommon.UdpService->IpVersion;\r | |
923 | //\r | |
6cf9230f | 924 | // The Starting Address and Ending Address is variable length depends on\r |
9166f840 | 925 | // is IPv4 or IPv6\r |
926 | //\r | |
927 | AddrSize = (UINT8)((IpVersion == IP_VERSION_4) ? sizeof (EFI_IPv4_ADDRESS) : sizeof (EFI_IPv6_ADDRESS));\r | |
928 | SelectorSize = sizeof (TRAFFIC_SELECTOR) + 2 * AddrSize;\r | |
929 | TsPayloadSize = sizeof (IKEV2_TS) + SelectorSize;\r | |
930 | TsPayloadBuf = AllocateZeroPool (TsPayloadSize);\r | |
6b16c9e7 JW |
931 | if (TsPayloadBuf == NULL) {\r |
932 | goto ON_ERROR;\r | |
933 | }\r | |
9166f840 | 934 | \r |
935 | TsPayload->PayloadBuf = (UINT8 *) TsPayloadBuf;\r | |
936 | TsSelector = (TRAFFIC_SELECTOR*)(TsPayloadBuf + 1);\r | |
937 | \r | |
938 | TsSelector->TSType = (UINT8)((IpVersion == IP_VERSION_4) ? IKEV2_TS_TYPE_IPV4_ADDR_RANGE : IKEV2_TS_TYPS_IPV6_ADDR_RANGE);\r | |
939 | \r | |
940 | //\r | |
6cf9230f | 941 | // For tunnel mode\r |
9166f840 | 942 | //\r |
943 | if (IsTunnel) {\r | |
944 | TsSelector->IpProtocolId = IKEV2_TS_ANY_PROTOCOL;\r | |
945 | TsSelector->SelecorLen = (UINT16) SelectorSize;\r | |
946 | TsSelector->StartPort = 0;\r | |
947 | TsSelector->EndPort = IKEV2_TS_ANY_PORT;\r | |
948 | ZeroMem ((UINT8*)TsSelector + sizeof(TRAFFIC_SELECTOR), AddrSize);\r | |
949 | SetMem ((UINT8*)TsSelector + sizeof(TRAFFIC_SELECTOR) + AddrSize, AddrSize, 0xff);\r | |
950 | \r | |
951 | } else {\r | |
952 | //\r | |
953 | // TODO: Support port range and address range\r | |
954 | //\r | |
955 | if (NextPayload == IKEV2_PAYLOAD_TYPE_TS_RSP){\r | |
956 | //\r | |
6cf9230f | 957 | // Create initiator Traffic Selector\r |
958 | //\r | |
9166f840 | 959 | TsSelector->SelecorLen = (UINT16)SelectorSize;\r |
960 | \r | |
961 | //\r | |
962 | // Currently only support the port range from 0~0xffff. Don't support other\r | |
963 | // port range.\r | |
964 | // TODO: support Port range\r | |
965 | //\r | |
966 | if (ChildSa->SessionCommon.IsInitiator) {\r | |
967 | if (ChildSa->Spd->Selector->LocalPort != 0 &&\r | |
968 | ChildSa->Spd->Selector->LocalPortRange == 0) {\r | |
6cf9230f | 969 | //\r |
9166f840 | 970 | // For not port range.\r |
971 | //\r | |
972 | TsSelector->StartPort = ChildSa->Spd->Selector->LocalPort;\r | |
973 | TsSelector->EndPort = ChildSa->Spd->Selector->LocalPort;\r | |
974 | } else if (ChildSa->Spd->Selector->LocalPort == 0){\r | |
975 | //\r | |
976 | // For port from 0~0xffff\r | |
977 | //\r | |
978 | TsSelector->StartPort = 0;\r | |
979 | TsSelector->EndPort = IKEV2_TS_ANY_PORT;\r | |
980 | } else {\r | |
981 | //\r | |
982 | // Not support now.\r | |
983 | //\r | |
984 | goto ON_ERROR;\r | |
985 | }\r | |
986 | } else {\r | |
6cf9230f | 987 | if (ChildSa->Spd->Selector->RemotePort != 0 &&\r |
9166f840 | 988 | ChildSa->Spd->Selector->RemotePortRange == 0) {\r |
989 | //\r | |
990 | // For not port range.\r | |
991 | //\r | |
992 | TsSelector->StartPort = ChildSa->Spd->Selector->RemotePort;\r | |
993 | TsSelector->EndPort = ChildSa->Spd->Selector->RemotePort;\r | |
994 | } else if (ChildSa->Spd->Selector->RemotePort == 0) {\r | |
995 | //\r | |
996 | // For port from 0~0xffff\r | |
997 | //\r | |
998 | TsSelector->StartPort = 0;\r | |
999 | TsSelector->EndPort = IKEV2_TS_ANY_PORT;\r | |
1000 | } else {\r | |
1001 | //\r | |
1002 | // Not support now.\r | |
1003 | //\r | |
1004 | goto ON_ERROR;\r | |
1005 | }\r | |
1006 | }\r | |
1007 | //\r | |
1008 | // Copy Address.Currently the address range is not supported.\r | |
1009 | // The Starting address is same as Ending address\r | |
6cf9230f | 1010 | // TODO: Support Address Range.\r |
9166f840 | 1011 | //\r |
1012 | CopyMem (\r | |
1013 | (UINT8*)TsSelector + sizeof(TRAFFIC_SELECTOR),\r | |
1014 | ChildSa->SessionCommon.IsInitiator ?\r | |
1015 | ChildSa->Spd->Selector->LocalAddress :\r | |
1016 | ChildSa->Spd->Selector->RemoteAddress,\r | |
1017 | AddrSize\r | |
1018 | );\r | |
1019 | CopyMem (\r | |
1020 | (UINT8*)TsSelector + sizeof(TRAFFIC_SELECTOR) + AddrSize,\r | |
1021 | ChildSa->SessionCommon.IsInitiator ?\r | |
1022 | ChildSa->Spd->Selector->LocalAddress :\r | |
1023 | ChildSa->Spd->Selector->RemoteAddress,\r | |
1024 | AddrSize\r | |
1025 | );\r | |
1026 | //\r | |
1027 | // If the Next Payload is not TS responder, this TS payload type is the TS responder.\r | |
1028 | //\r | |
1029 | TsPayload->PayloadType = IKEV2_PAYLOAD_TYPE_TS_INIT;\r | |
1030 | }else{\r | |
1031 | //\r | |
1032 | // Create responder Traffic Selector\r | |
6cf9230f | 1033 | //\r |
9166f840 | 1034 | TsSelector->SelecorLen = (UINT16)SelectorSize;\r |
6cf9230f | 1035 | \r |
9166f840 | 1036 | //\r |
1037 | // Currently only support the port range from 0~0xffff. Don't support other\r | |
1038 | // port range.\r | |
1039 | // TODO: support Port range\r | |
1040 | //\r | |
1041 | if (!ChildSa->SessionCommon.IsInitiator) {\r | |
1042 | if (ChildSa->Spd->Selector->LocalPort != 0 &&\r | |
1043 | ChildSa->Spd->Selector->LocalPortRange == 0) {\r | |
1044 | //\r | |
1045 | // For not port range.\r | |
1046 | //\r | |
1047 | TsSelector->StartPort = ChildSa->Spd->Selector->LocalPort;\r | |
1048 | TsSelector->EndPort = ChildSa->Spd->Selector->LocalPort;\r | |
1049 | } else if (ChildSa->Spd->Selector->LocalPort == 0){\r | |
1050 | //\r | |
1051 | // For port from 0~0xffff\r | |
1052 | //\r | |
1053 | TsSelector->StartPort = 0;\r | |
1054 | TsSelector->EndPort = IKEV2_TS_ANY_PORT;\r | |
1055 | } else {\r | |
1056 | //\r | |
1057 | // Not support now.\r | |
1058 | //\r | |
1059 | goto ON_ERROR;\r | |
1060 | }\r | |
1061 | } else {\r | |
1062 | if (ChildSa->Spd->Selector->RemotePort != 0 &&\r | |
1063 | ChildSa->Spd->Selector->RemotePortRange == 0) {\r | |
1064 | //\r | |
1065 | // For not port range.\r | |
1066 | //\r | |
1067 | TsSelector->StartPort = ChildSa->Spd->Selector->RemotePort;\r | |
1068 | TsSelector->EndPort = ChildSa->Spd->Selector->RemotePort;\r | |
1069 | } else if (ChildSa->Spd->Selector->RemotePort == 0){\r | |
1070 | //\r | |
1071 | // For port from 0~0xffff\r | |
1072 | //\r | |
1073 | TsSelector->StartPort = 0;\r | |
1074 | TsSelector->EndPort = IKEV2_TS_ANY_PORT;\r | |
1075 | } else {\r | |
1076 | //\r | |
1077 | // Not support now.\r | |
1078 | //\r | |
1079 | goto ON_ERROR;\r | |
1080 | }\r | |
1081 | }\r | |
1082 | //\r | |
1083 | // Copy Address.Currently the address range is not supported.\r | |
1084 | // The Starting address is same as Ending address\r | |
6cf9230f | 1085 | // TODO: Support Address Range.\r |
9166f840 | 1086 | //\r |
1087 | CopyMem (\r | |
1088 | (UINT8*)TsSelector + sizeof(TRAFFIC_SELECTOR),\r | |
1089 | ChildSa->SessionCommon.IsInitiator ?\r | |
1090 | ChildSa->Spd->Selector->RemoteAddress :\r | |
1091 | ChildSa->Spd->Selector->LocalAddress,\r | |
1092 | AddrSize\r | |
1093 | );\r | |
1094 | CopyMem (\r | |
1095 | (UINT8*)TsSelector + sizeof(TRAFFIC_SELECTOR) + AddrSize,\r | |
1096 | ChildSa->SessionCommon.IsInitiator ?\r | |
1097 | ChildSa->Spd->Selector->RemoteAddress :\r | |
1098 | ChildSa->Spd->Selector->LocalAddress,\r | |
1099 | AddrSize\r | |
1100 | );\r | |
1101 | //\r | |
1102 | // If the Next Payload is not TS responder, this TS payload type is the TS responder.\r | |
1103 | //\r | |
1104 | TsPayload->PayloadType = IKEV2_PAYLOAD_TYPE_TS_RSP;\r | |
1105 | }\r | |
1106 | }\r | |
1107 | \r | |
1108 | if (ChildSa->Spd->Selector->NextLayerProtocol != 0xffff) {\r | |
1109 | TsSelector->IpProtocolId = (UINT8)ChildSa->Spd->Selector->NextLayerProtocol;\r | |
1110 | } else {\r | |
1111 | TsSelector->IpProtocolId = IKEV2_TS_ANY_PROTOCOL;\r | |
6cf9230f | 1112 | }\r |
1113 | \r | |
9166f840 | 1114 | TsPayloadBuf->Header.NextPayload = NextPayload;\r |
1115 | TsPayloadBuf->Header.PayloadLength = (UINT16)TsPayloadSize;\r | |
1116 | TsPayloadBuf->TSNumbers = 1;\r | |
1117 | TsPayload->PayloadSize = TsPayloadSize;\r | |
1118 | goto ON_EXIT;\r | |
1119 | \r | |
1120 | ON_ERROR:\r | |
1121 | if (TsPayload != NULL) {\r | |
6cf9230f | 1122 | IkePayloadFree (TsPayload);\r |
9166f840 | 1123 | TsPayload = NULL;\r |
1124 | }\r | |
6cf9230f | 1125 | ON_EXIT:\r |
9166f840 | 1126 | return TsPayload;\r |
1127 | }\r | |
1128 | \r | |
1129 | /**\r | |
1130 | Generate the Notify payload.\r | |
1131 | \r | |
1132 | Since the structure of Notify payload which defined in RFC 4306 is simple, so\r | |
6cf9230f | 1133 | there is no internal data structure for Notify payload. This function generate\r |
1134 | Notify payload defined in RFC 4306, but all the fields in this payload are still\r | |
1135 | in host order and need call Ikev2EncodePayload() to convert those fields from\r | |
9166f840 | 1136 | the host order to network order beforing sending it.\r |
1137 | \r | |
1138 | @param[in] ProtocolId The protocol type ID. For IKE_SA it MUST be one (1).\r | |
1139 | For IPsec SAs it MUST be neither (2) for AH or (3)\r | |
1140 | for ESP.\r | |
6cf9230f | 1141 | @param[in] NextPayload The next paylaod type in NextPayload field of\r |
9166f840 | 1142 | the Notify payload.\r |
6cf9230f | 1143 | @param[in] SpiSize Size of the SPI in SPI size field of the Notify Payload.\r |
1144 | @param[in] MessageType The message type in NotifyMessageType field of the\r | |
9166f840 | 1145 | Notify Payload.\r |
1146 | @param[in] SpiBuf Pointer to buffer contains the SPI value.\r | |
1147 | @param[in] NotifyData Pointer to buffer contains the notification data.\r | |
1148 | @param[in] NotifyDataSize The size of NotifyData in bytes.\r | |
6cf9230f | 1149 | \r |
9166f840 | 1150 | \r |
1151 | @retval Pointer to IKE Notify Payload.\r | |
1152 | \r | |
1153 | **/\r | |
1154 | IKE_PAYLOAD *\r | |
1155 | Ikev2GenerateNotifyPayload (\r | |
1156 | IN UINT8 ProtocolId,\r | |
1157 | IN UINT8 NextPayload,\r | |
1158 | IN UINT8 SpiSize,\r | |
1159 | IN UINT16 MessageType,\r | |
1160 | IN UINT8 *SpiBuf,\r | |
1161 | IN UINT8 *NotifyData,\r | |
1162 | IN UINTN NotifyDataSize\r | |
1163 | )\r | |
1164 | {\r | |
1165 | IKE_PAYLOAD *NotifyPayload;\r | |
1166 | IKEV2_NOTIFY *Notify;\r | |
1167 | UINT16 NotifyPayloadLen;\r | |
1168 | UINT8 *MessageData;\r | |
1169 | \r | |
1170 | // 1 2 3\r | |
1171 | // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1\r | |
1172 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
1173 | // ! Next Payload !C! RESERVED ! Payload Length !\r | |
1174 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
1175 | // ! Protocol ID ! SPI Size ! Notify Message Type !\r | |
1176 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
1177 | // ! !\r | |
1178 | // ~ Security Parameter Index (SPI) ~\r | |
1179 | // ! !\r | |
1180 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
1181 | // ! !\r | |
1182 | // ~ Notification Data ~\r | |
1183 | // ! !\r | |
1184 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
1185 | //\r | |
1186 | //\r | |
1187 | NotifyPayloadLen = (UINT16) (sizeof (IKEV2_NOTIFY) + NotifyDataSize + SpiSize);\r | |
1188 | Notify = (IKEV2_NOTIFY *) AllocateZeroPool (NotifyPayloadLen);\r | |
6b16c9e7 JW |
1189 | if (Notify == NULL) {\r |
1190 | return NULL;\r | |
1191 | }\r | |
9166f840 | 1192 | \r |
1193 | //\r | |
1194 | // Set Delete Payload's Generic Header\r | |
1195 | //\r | |
1196 | Notify->Header.NextPayload = NextPayload;\r | |
1197 | Notify->Header.PayloadLength = NotifyPayloadLen;\r | |
1198 | Notify->SpiSize = SpiSize;\r | |
1199 | Notify->ProtocolId = ProtocolId;\r | |
1200 | Notify->MessageType = MessageType;\r | |
1201 | \r | |
1202 | //\r | |
1203 | // Copy Spi , for Cookie Notify, there is no SPI.\r | |
1204 | //\r | |
1205 | if (SpiBuf != NULL && SpiSize != 0 ) {\r | |
1206 | CopyMem (Notify + 1, SpiBuf, SpiSize);\r | |
1207 | }\r | |
1208 | \r | |
1209 | MessageData = ((UINT8 *) (Notify + 1)) + SpiSize;\r | |
1210 | \r | |
1211 | //\r | |
1212 | // Copy Notification Data\r | |
1213 | //\r | |
1214 | if (NotifyDataSize != 0) {\r | |
1215 | CopyMem (MessageData, NotifyData, NotifyDataSize);\r | |
1216 | }\r | |
1217 | \r | |
1218 | //\r | |
1219 | // Create Payload for and set type as IKEV2_PAYLOAD_TYPE_NOTIFY\r | |
1220 | //\r | |
1221 | NotifyPayload = IkePayloadAlloc ();\r | |
6b16c9e7 JW |
1222 | if (NotifyPayload == NULL) {\r |
1223 | FreePool (Notify);\r | |
1224 | return NULL;\r | |
1225 | }\r | |
f75a7f56 | 1226 | \r |
9166f840 | 1227 | NotifyPayload->PayloadType = IKEV2_PAYLOAD_TYPE_NOTIFY;\r |
1228 | NotifyPayload->PayloadBuf = (UINT8 *) Notify;\r | |
1229 | NotifyPayload->PayloadSize = NotifyPayloadLen;\r | |
1230 | return NotifyPayload;\r | |
1231 | }\r | |
1232 | \r | |
1233 | /**\r | |
1234 | Generate the Delete payload.\r | |
1235 | \r | |
6cf9230f | 1236 | Since the structure of Delete payload which defined in RFC 4306 is simple,\r |
1237 | there is no internal data structure for Delete payload. This function generate\r | |
1238 | Delete payload defined in RFC 4306, but all the fields in this payload are still\r | |
1239 | in host order and need call Ikev2EncodePayload() to convert those fields from\r | |
9166f840 | 1240 | the host order to network order beforing sending it.\r |
1241 | \r | |
1242 | @param[in] IkeSaSession Pointer to IKE SA Session to be used of Delete payload generation.\r | |
6cf9230f | 1243 | @param[in] NextPayload The next paylaod type in NextPayload field of\r |
9166f840 | 1244 | the Delete payload.\r |
1245 | @param[in] SpiSize Size of the SPI in SPI size field of the Delete Payload.\r | |
1246 | @param[in] SpiNum Number of SPI in NumofSPIs field of the Delete Payload.\r | |
1247 | @param[in] SpiBuf Pointer to buffer contains the SPI value.\r | |
1248 | \r | |
1249 | @retval a Pointer of IKE Delete Payload.\r | |
1250 | \r | |
1251 | **/\r | |
1252 | IKE_PAYLOAD *\r | |
1253 | Ikev2GenerateDeletePayload (\r | |
1254 | IN IKEV2_SA_SESSION *IkeSaSession,\r | |
1255 | IN UINT8 NextPayload,\r | |
1256 | IN UINT8 SpiSize,\r | |
1257 | IN UINT16 SpiNum,\r | |
1258 | IN UINT8 *SpiBuf\r | |
6cf9230f | 1259 | \r |
9166f840 | 1260 | )\r |
1261 | {\r | |
1262 | IKE_PAYLOAD *DelPayload;\r | |
1263 | IKEV2_DELETE *Del;\r | |
1264 | UINT16 SpiBufSize;\r | |
1265 | UINT16 DelPayloadLen;\r | |
1266 | \r | |
1267 | // 1 2 3\r | |
1268 | // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1\r | |
1269 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
1270 | // ! Next Payload !C! RESERVED ! Payload Length !\r | |
1271 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
1272 | // ! Protocol ID ! SPI Size ! # of SPIs !\r | |
1273 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
1274 | // ! !\r | |
1275 | // ~ Security Parameter Index(es) (SPI) ~\r | |
1276 | // ! !\r | |
1277 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
1278 | //\r | |
1279 | SpiBufSize = (UINT16) (SpiSize * SpiNum);\r | |
02a758cb | 1280 | if (SpiBufSize != 0 && SpiBuf == NULL) {\r |
1281 | return NULL;\r | |
1282 | }\r | |
6cf9230f | 1283 | \r |
9166f840 | 1284 | DelPayloadLen = (UINT16) (sizeof (IKEV2_DELETE) + SpiBufSize);\r |
1285 | \r | |
1286 | Del = AllocateZeroPool (DelPayloadLen);\r | |
6b16c9e7 JW |
1287 | if (Del == NULL) {\r |
1288 | return NULL;\r | |
1289 | }\r | |
6cf9230f | 1290 | \r |
9166f840 | 1291 | //\r |
1292 | // Set Delete Payload's Generic Header\r | |
1293 | //\r | |
1294 | Del->Header.NextPayload = NextPayload;\r | |
1295 | Del->Header.PayloadLength = DelPayloadLen;\r | |
1296 | Del->NumSpis = SpiNum;\r | |
1297 | Del->SpiSize = SpiSize;\r | |
1298 | \r | |
1299 | if (SpiSize == 4) {\r | |
1300 | //\r | |
1301 | // TODO: should consider the AH if needs to support.\r | |
1302 | //\r | |
1303 | Del->ProtocolId = IPSEC_PROTO_IPSEC_ESP;\r | |
1304 | } else {\r | |
1305 | Del->ProtocolId = IPSEC_PROTO_ISAKMP;\r | |
1306 | }\r | |
1307 | \r | |
1308 | //\r | |
1309 | // Set Del Payload's Idntification Data\r | |
1310 | //\r | |
1311 | CopyMem (Del + 1, SpiBuf, SpiBufSize);\r | |
1312 | DelPayload = IkePayloadAlloc ();\r | |
6b16c9e7 JW |
1313 | if (DelPayload == NULL) {\r |
1314 | FreePool (Del);\r | |
1315 | return NULL;\r | |
1316 | }\r | |
f75a7f56 | 1317 | \r |
9166f840 | 1318 | DelPayload->PayloadType = IKEV2_PAYLOAD_TYPE_DELETE;\r |
1319 | DelPayload->PayloadBuf = (UINT8 *) Del;\r | |
1320 | DelPayload->PayloadSize = DelPayloadLen;\r | |
1321 | return DelPayload;\r | |
1322 | }\r | |
1323 | \r | |
1324 | /**\r | |
1325 | Generate the Configuration payload.\r | |
1326 | \r | |
6cf9230f | 1327 | This function generate configuration payload defined in RFC 4306, but all the\r |
1328 | fields in this payload are still in host order and need call Ikev2EncodePayload()\r | |
9166f840 | 1329 | to convert those fields from the host order to network order beforing sending it.\r |
1330 | \r | |
6cf9230f | 1331 | @param[in] IkeSaSession Pointer to IKE SA Session to be used for Delete payload\r |
9166f840 | 1332 | generation.\r |
6cf9230f | 1333 | @param[in] NextPayload The next paylaod type in NextPayload field of\r |
9166f840 | 1334 | the Delete payload.\r |
1335 | @param[in] CfgType The attribute type in the Configuration attribute.\r | |
1336 | \r | |
1337 | @retval Pointer to IKE CP Payload.\r | |
1338 | \r | |
1339 | **/\r | |
1340 | IKE_PAYLOAD *\r | |
1341 | Ikev2GenerateCpPayload (\r | |
1342 | IN IKEV2_SA_SESSION *IkeSaSession,\r | |
1343 | IN UINT8 NextPayload,\r | |
1344 | IN UINT8 CfgType\r | |
1345 | )\r | |
1346 | {\r | |
1347 | IKE_PAYLOAD *CpPayload;\r | |
1348 | IKEV2_CFG *Cfg;\r | |
1349 | UINT16 PayloadLen;\r | |
1350 | IKEV2_CFG_ATTRIBUTES *CfgAttributes;\r | |
1351 | \r | |
1352 | //\r | |
1353 | // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1\r | |
1354 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
1355 | // ! Next Payload !C! RESERVED ! Payload Length !\r | |
1356 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
1357 | // ! CFG Type ! RESERVED !\r | |
1358 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
1359 | // ! !\r | |
1360 | // ~ Configuration Attributes ~\r | |
1361 | // ! !\r | |
1362 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
1363 | //\r | |
1364 | \r | |
1365 | PayloadLen = (UINT16) (sizeof (IKEV2_CFG) + sizeof (IKEV2_CFG_ATTRIBUTES));\r | |
1366 | Cfg = (IKEV2_CFG *) AllocateZeroPool (PayloadLen);\r | |
1367 | \r | |
1368 | if (Cfg == NULL) {\r | |
1369 | return NULL;\r | |
1370 | }\r | |
1371 | \r | |
1372 | CfgAttributes = (IKEV2_CFG_ATTRIBUTES *)((UINT8 *)Cfg + sizeof (IKEV2_CFG));\r | |
1373 | \r | |
1374 | //\r | |
6cf9230f | 1375 | // Only generate the configuration payload with an empty INTERNAL_IP4_ADDRESS\r |
1376 | // or INTERNAL_IP6_ADDRESS.\r | |
9166f840 | 1377 | //\r |
1378 | \r | |
1379 | Cfg->Header.NextPayload = NextPayload;\r | |
1380 | Cfg->Header.PayloadLength = PayloadLen;\r | |
1381 | Cfg->CfgType = IKEV2_CFG_TYPE_REQUEST;\r | |
1382 | \r | |
1383 | CfgAttributes->AttritType = CfgType;\r | |
1384 | CfgAttributes->ValueLength = 0;\r | |
1385 | \r | |
1386 | CpPayload = IkePayloadAlloc ();\r | |
1387 | if (CpPayload == NULL) {\r | |
1388 | if (Cfg != NULL) {\r | |
1389 | FreePool (Cfg);\r | |
1390 | }\r | |
1391 | return NULL;\r | |
1392 | }\r | |
1393 | \r | |
1394 | CpPayload->PayloadType = IKEV2_PAYLOAD_TYPE_CP;\r | |
1395 | CpPayload->PayloadBuf = (UINT8 *) Cfg;\r | |
1396 | CpPayload->PayloadSize = PayloadLen;\r | |
1397 | return CpPayload;\r | |
1398 | }\r | |
1399 | \r | |
1400 | /**\r | |
1401 | Parser the Notify Cookie payload.\r | |
1402 | \r | |
1403 | This function parses the Notify Cookie payload.If the Notify ProtocolId is not\r | |
1404 | IPSEC_PROTO_ISAKMP or if the SpiSize is not zero or if the MessageType is not\r | |
1405 | the COOKIE, return EFI_INVALID_PARAMETER.\r | |
1406 | \r | |
6cf9230f | 1407 | @param[in] IkeNCookie Pointer to the IKE_PAYLOAD which contians the\r |
9166f840 | 1408 | Notify Cookie payload.\r |
1409 | the Notify payload.\r | |
1410 | @param[in, out] IkeSaSession Pointer to the relevant IKE SA Session.\r | |
1411 | \r | |
1412 | @retval EFI_SUCCESS The Notify Cookie Payload is valid.\r | |
1413 | @retval EFI_INVALID_PARAMETER The Notify Cookie Payload is invalid.\r | |
1414 | @retval EFI_OUT_OF_RESOURCE The required resource can't be allocated.\r | |
1415 | \r | |
1416 | **/\r | |
1417 | EFI_STATUS\r | |
1418 | Ikev2ParserNotifyCookiePayload (\r | |
1419 | IN IKE_PAYLOAD *IkeNCookie,\r | |
1420 | IN OUT IKEV2_SA_SESSION *IkeSaSession\r | |
6cf9230f | 1421 | )\r |
9166f840 | 1422 | {\r |
1423 | IKEV2_NOTIFY *NotifyPayload;\r | |
1424 | UINTN NotifyDataSize;\r | |
1425 | \r | |
1426 | NotifyPayload = (IKEV2_NOTIFY *)IkeNCookie->PayloadBuf;\r | |
1427 | \r | |
6cf9230f | 1428 | if ((NotifyPayload->ProtocolId != IPSEC_PROTO_ISAKMP) ||\r |
9166f840 | 1429 | (NotifyPayload->SpiSize != 0) ||\r |
1430 | (NotifyPayload->MessageType != IKEV2_NOTIFICATION_COOKIE)\r | |
1431 | ) {\r | |
1432 | return EFI_INVALID_PARAMETER;\r | |
1433 | }\r | |
1434 | \r | |
1435 | NotifyDataSize = NotifyPayload->Header.PayloadLength - sizeof (IKEV2_NOTIFY);\r | |
1436 | IkeSaSession->NCookie = AllocateZeroPool (NotifyDataSize);\r | |
1437 | if (IkeSaSession->NCookie == NULL) {\r | |
1438 | return EFI_OUT_OF_RESOURCES;\r | |
1439 | }\r | |
1440 | \r | |
1441 | IkeSaSession->NCookieSize = NotifyDataSize;\r | |
1442 | \r | |
1443 | CopyMem (\r | |
6cf9230f | 1444 | IkeSaSession->NCookie,\r |
2922e29a | 1445 | (UINT8 *)NotifyPayload + sizeof (IKEV2_NOTIFY),\r |
9166f840 | 1446 | NotifyDataSize\r |
1447 | );\r | |
1448 | \r | |
1449 | return EFI_SUCCESS;\r | |
1450 | }\r | |
1451 | \r | |
1452 | \r | |
1453 | /**\r | |
1454 | Generate the Certificate payload or Certificate Request Payload.\r | |
1455 | \r | |
6cf9230f | 1456 | Since the Certificate Payload structure is same with Certificate Request Payload,\r |
9166f840 | 1457 | the only difference is that one contains the Certificate Data, other contains\r |
6cf9230f | 1458 | the acceptable certificateion CA. This function generate Certificate payload\r |
1459 | or Certificate Request Payload defined in RFC 4306, but all the fields\r | |
1460 | in the payload are still in host order and need call Ikev2EncodePayload()\r | |
9166f840 | 1461 | to convert those fields from the host order to network order beforing sending it.\r |
1462 | \r | |
6cf9230f | 1463 | @param[in] IkeSaSession Pointer to IKE SA Session to be used of Delete payload\r |
9166f840 | 1464 | generation.\r |
6cf9230f | 1465 | @param[in] NextPayload The next paylaod type in NextPayload field of\r |
9166f840 | 1466 | the Delete payload.\r |
1467 | @param[in] Certificate Pointer of buffer contains the certification data.\r | |
1468 | @param[in] CertificateLen The length of Certificate in byte.\r | |
1469 | @param[in] EncodeType Specified the Certificate Encodeing which is defined\r | |
1470 | in RFC 4306.\r | |
1471 | @param[in] IsRequest To indicate create Certificate Payload or Certificate\r | |
1472 | Request Payload. If it is TURE, create Certificate\r | |
aa63a866 | 1473 | Request Payload. Otherwise, create Certificate Payload.\r |
9166f840 | 1474 | \r |
1475 | @retval a Pointer to IKE Payload whose payload buffer containing the Certificate\r | |
1476 | payload or Certificated Request payload.\r | |
1477 | \r | |
1478 | **/\r | |
1479 | IKE_PAYLOAD *\r | |
1480 | Ikev2GenerateCertificatePayload (\r | |
1481 | IN IKEV2_SA_SESSION *IkeSaSession,\r | |
1482 | IN UINT8 NextPayload,\r | |
1483 | IN UINT8 *Certificate,\r | |
1484 | IN UINTN CertificateLen,\r | |
1485 | IN UINT8 EncodeType,\r | |
1486 | IN BOOLEAN IsRequest\r | |
1487 | )\r | |
1488 | {\r | |
1489 | IKE_PAYLOAD *CertPayload;\r | |
1490 | IKEV2_CERT *Cert;\r | |
1491 | UINT16 PayloadLen;\r | |
1492 | UINT8 *PublicKey;\r | |
1493 | UINTN PublicKeyLen;\r | |
1494 | HASH_DATA_FRAGMENT Fragment[1];\r | |
1495 | UINT8 *HashData;\r | |
1496 | UINTN HashDataSize;\r | |
1497 | EFI_STATUS Status;\r | |
1498 | \r | |
1499 | //\r | |
1500 | // 1 2 3\r | |
1501 | // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1\r | |
1502 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
1503 | // ! Next Payload !C! RESERVED ! Payload Length !\r | |
1504 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
1505 | // ! Cert Encoding ! !\r | |
1506 | // +-+-+-+-+-+-+-+-+ !\r | |
1507 | // ~ Certificate Data/Authority ~\r | |
1508 | // ! !\r | |
1509 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
1510 | //\r | |
1511 | \r | |
1512 | Status = EFI_SUCCESS;\r | |
1513 | PublicKey = NULL;\r | |
6cf9230f | 1514 | PublicKeyLen = 0;\r |
9166f840 | 1515 | \r |
1516 | if (!IsRequest) {\r | |
1517 | PayloadLen = (UINT16) (sizeof (IKEV2_CERT) + CertificateLen);\r | |
1518 | } else {\r | |
1519 | //\r | |
1520 | // SHA1 Hash length is 20.\r | |
1521 | //\r | |
1522 | PayloadLen = (UINT16) (sizeof (IKEV2_CERT) + 20);\r | |
1523 | }\r | |
1524 | \r | |
1525 | Cert = AllocateZeroPool (PayloadLen);\r | |
1526 | if (Cert == NULL) {\r | |
1527 | return NULL;\r | |
1528 | }\r | |
6cf9230f | 1529 | \r |
9166f840 | 1530 | //\r |
1531 | // Generate Certificate Payload or Certificate Request Payload.\r | |
1532 | //\r | |
1533 | Cert->Header.NextPayload = NextPayload;\r | |
1534 | Cert->Header.PayloadLength = PayloadLen;\r | |
1535 | Cert->CertEncoding = EncodeType;\r | |
1536 | if (!IsRequest) {\r | |
1537 | CopyMem (\r | |
1538 | ((UINT8 *)Cert) + sizeof (IKEV2_CERT),\r | |
1539 | Certificate,\r | |
1540 | CertificateLen\r | |
1541 | );\r | |
1542 | } else {\r | |
1543 | Status = IpSecCryptoIoGetPublicKeyFromCert (\r | |
1544 | Certificate,\r | |
1545 | CertificateLen,\r | |
1546 | &PublicKey,\r | |
1547 | &PublicKeyLen\r | |
1548 | );\r | |
1549 | if (EFI_ERROR (Status)) {\r | |
6cf9230f | 1550 | goto ON_EXIT;\r |
9166f840 | 1551 | }\r |
1552 | \r | |
1553 | Fragment[0].Data = PublicKey;\r | |
1554 | Fragment[0].DataSize = PublicKeyLen;\r | |
1555 | HashDataSize = IpSecGetHmacDigestLength (IKE_AALG_SHA1HMAC);\r | |
1556 | HashData = AllocateZeroPool (HashDataSize);\r | |
02a758cb | 1557 | if (HashData == NULL) {\r |
1558 | goto ON_EXIT;\r | |
1559 | }\r | |
6cf9230f | 1560 | \r |
9166f840 | 1561 | Status = IpSecCryptoIoHash (\r |
1562 | IKE_AALG_SHA1HMAC,\r | |
1563 | Fragment,\r | |
1564 | 1,\r | |
1565 | HashData,\r | |
1566 | HashDataSize\r | |
1567 | );\r | |
1568 | if (EFI_ERROR (Status)) {\r | |
1569 | goto ON_EXIT;\r | |
1570 | }\r | |
6cf9230f | 1571 | \r |
9166f840 | 1572 | CopyMem (\r |
1573 | ((UINT8 *)Cert) + sizeof (IKEV2_CERT),\r | |
1574 | HashData,\r | |
1575 | HashDataSize\r | |
1576 | );\r | |
1577 | }\r | |
1578 | \r | |
1579 | CertPayload = IkePayloadAlloc ();\r | |
1580 | if (CertPayload == NULL) {\r | |
1581 | goto ON_EXIT;\r | |
1582 | }\r | |
6cf9230f | 1583 | \r |
9166f840 | 1584 | if (!IsRequest) {\r |
1585 | CertPayload->PayloadType = IKEV2_PAYLOAD_TYPE_CERT;\r | |
1586 | } else {\r | |
1587 | CertPayload->PayloadType = IKEV2_PAYLOAD_TYPE_CERTREQ;\r | |
1588 | }\r | |
1589 | \r | |
1590 | CertPayload->PayloadBuf = (UINT8 *) Cert;\r | |
1591 | CertPayload->PayloadSize = PayloadLen;\r | |
1592 | return CertPayload;\r | |
1593 | \r | |
1594 | ON_EXIT:\r | |
1595 | if (Cert != NULL) {\r | |
1596 | FreePool (Cert);\r | |
1597 | }\r | |
1598 | if (PublicKey != NULL) {\r | |
1599 | FreePool (PublicKey);\r | |
1600 | }\r | |
1601 | return NULL;\r | |
1602 | }\r | |
1603 | \r | |
1604 | /**\r | |
1605 | Remove and free all IkePayloads in the specified IkePacket.\r | |
1606 | \r | |
1607 | @param[in] IkePacket The pointer of IKE_PACKET.\r | |
1608 | \r | |
1609 | **/\r | |
1610 | VOID\r | |
1611 | ClearAllPayloads (\r | |
1612 | IN IKE_PACKET *IkePacket\r | |
1613 | )\r | |
1614 | {\r | |
1615 | LIST_ENTRY *PayloadEntry;\r | |
1616 | IKE_PAYLOAD *IkePayload;\r | |
1617 | //\r | |
1618 | // remove all payloads from list and free each payload.\r | |
1619 | //\r | |
1620 | while (!IsListEmpty (&IkePacket->PayloadList)) {\r | |
1621 | PayloadEntry = IkePacket->PayloadList.ForwardLink;\r | |
1622 | IkePayload = IKE_PAYLOAD_BY_PACKET (PayloadEntry);\r | |
1623 | IKE_PACKET_REMOVE_PAYLOAD (IkePacket, IkePayload);\r | |
1624 | IkePayloadFree (IkePayload);\r | |
1625 | }\r | |
1626 | }\r | |
1627 | \r | |
1628 | /**\r | |
1629 | Transfer the intrnal data structure IKEV2_SA_DATA to IKEV2_SA structure defined in RFC.\r | |
1630 | \r | |
1631 | @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON related to the SA Session.\r | |
1632 | @param[in] SaData Pointer to IKEV2_SA_DATA to be transfered.\r | |
1633 | \r | |
1634 | @retval return the pointer of IKEV2_SA.\r | |
6cf9230f | 1635 | \r |
9166f840 | 1636 | **/\r |
1637 | IKEV2_SA*\r | |
1638 | Ikev2EncodeSa (\r | |
686d4d4a | 1639 | IN IKEV2_SESSION_COMMON *SessionCommon,\r |
1640 | IN IKEV2_SA_DATA *SaData\r | |
9166f840 | 1641 | )\r |
1642 | {\r | |
1643 | IKEV2_SA *Sa;\r | |
1644 | UINTN SaSize;\r | |
1645 | IKEV2_PROPOSAL_DATA *ProposalData;\r | |
1646 | IKEV2_TRANSFORM_DATA *TransformData;\r | |
1647 | UINTN TotalTransforms;\r | |
1648 | UINTN SaAttrsSize;\r | |
1649 | UINTN TransformsSize;\r | |
1650 | UINTN TransformSize;\r | |
1651 | UINTN ProposalsSize;\r | |
1652 | UINTN ProposalSize;\r | |
1653 | UINTN ProposalIndex;\r | |
1654 | UINTN TransformIndex;\r | |
1655 | IKE_SA_ATTRIBUTE *SaAttribute;\r | |
1656 | IKEV2_PROPOSAL *Proposal;\r | |
9166f840 | 1657 | IKEV2_TRANSFORM *Transform;\r |
6cf9230f | 1658 | \r |
9166f840 | 1659 | //\r |
1660 | // Transform IKE_SA_DATA structure to IKE_SA Payload.\r | |
1661 | // Header length is host order.\r | |
1662 | // The returned IKE_SA struct should be freed by caller.\r | |
1663 | //\r | |
1664 | TotalTransforms = 0;\r | |
1665 | //\r | |
5edac28e | 1666 | // Calculate the Proposal numbers and Transform numbers.\r |
9166f840 | 1667 | //\r |
1668 | for (ProposalIndex = 0; ProposalIndex < SaData->NumProposals; ProposalIndex++) {\r | |
1669 | \r | |
1670 | ProposalData = (IKEV2_PROPOSAL_DATA *) (SaData + 1) + ProposalIndex;\r | |
1671 | TotalTransforms += ProposalData->NumTransforms;\r | |
1672 | \r | |
1673 | }\r | |
1674 | SaSize = sizeof (IKEV2_SA) +\r | |
1675 | SaData->NumProposals * sizeof (IKEV2_PROPOSAL) +\r | |
1676 | TotalTransforms * (sizeof (IKEV2_TRANSFORM) + MAX_SA_ATTRS_SIZE);\r | |
1677 | //\r | |
1678 | // Allocate buffer for IKE_SA.\r | |
1679 | //\r | |
1680 | Sa = AllocateZeroPool (SaSize);\r | |
6b16c9e7 JW |
1681 | if (Sa == NULL) {\r |
1682 | return NULL;\r | |
1683 | }\r | |
f75a7f56 | 1684 | \r |
9166f840 | 1685 | CopyMem (Sa, SaData, sizeof (IKEV2_SA));\r |
1686 | Sa->Header.PayloadLength = (UINT16) sizeof (IKEV2_SA);\r | |
1687 | ProposalsSize = 0;\r | |
9166f840 | 1688 | Proposal = (IKEV2_PROPOSAL *) (Sa + 1);\r |
1689 | \r | |
1690 | //\r | |
1691 | // Set IKE_PROPOSAL\r | |
1692 | //\r | |
1693 | ProposalData = (IKEV2_PROPOSAL_DATA *) (SaData + 1);\r | |
1694 | for (ProposalIndex = 0; ProposalIndex < SaData->NumProposals; ProposalIndex++) {\r | |
1695 | Proposal->ProposalIndex = ProposalData->ProposalIndex;\r | |
1696 | Proposal->ProtocolId = ProposalData->ProtocolId;\r | |
1697 | Proposal->NumTransforms = ProposalData->NumTransforms;\r | |
1698 | \r | |
1699 | if (ProposalData->Spi == 0) {\r | |
1700 | Proposal->SpiSize = 0;\r | |
1701 | } else {\r | |
1702 | Proposal->SpiSize = 4;\r | |
1703 | *(UINT32 *) (Proposal + 1) = HTONL (*((UINT32*)ProposalData->Spi));\r | |
1704 | }\r | |
1705 | \r | |
1706 | TransformsSize = 0;\r | |
9166f840 | 1707 | Transform = (IKEV2_TRANSFORM *) ((UINT8 *) (Proposal + 1) + Proposal->SpiSize);\r |
1708 | \r | |
1709 | //\r | |
1710 | // Set IKE_TRANSFORM\r | |
1711 | //\r | |
1712 | for (TransformIndex = 0; TransformIndex < ProposalData->NumTransforms; TransformIndex++) {\r | |
1713 | TransformData = (IKEV2_TRANSFORM_DATA *) (ProposalData + 1) + TransformIndex;\r | |
1714 | Transform->TransformType = TransformData->TransformType;\r | |
1715 | Transform->TransformId = HTONS (TransformData->TransformId);\r | |
1716 | SaAttrsSize = 0;\r | |
1717 | \r | |
1718 | //\r | |
1719 | // If the Encryption Algorithm is variable key length set the key length in attribute.\r | |
1720 | // Note that only a single attribute type (Key Length) is defined and it is fixed length.\r | |
1721 | //\r | |
1722 | if (Transform->TransformType == IKEV2_TRANSFORM_TYPE_ENCR && TransformData->Attribute.Attr.AttrValue != 0) {\r | |
1723 | SaAttribute = (IKE_SA_ATTRIBUTE *) (Transform + 1);\r | |
1724 | SaAttribute->AttrType = HTONS (IKEV2_ATTRIBUTE_TYPE_KEYLEN | SA_ATTR_FORMAT_BIT);\r | |
1725 | SaAttribute->Attr.AttrValue = HTONS (TransformData->Attribute.Attr.AttrValue);\r | |
1726 | SaAttrsSize = sizeof (IKE_SA_ATTRIBUTE);\r | |
1727 | }\r | |
1728 | \r | |
1729 | //\r | |
1730 | // If the Integrity Algorithm is variable key length set the key length in attribute.\r | |
1731 | //\r | |
1732 | if (Transform->TransformType == IKEV2_TRANSFORM_TYPE_INTEG && TransformData->Attribute.Attr.AttrValue != 0) {\r | |
1733 | SaAttribute = (IKE_SA_ATTRIBUTE *) (Transform + 1);\r | |
1734 | SaAttribute->AttrType = HTONS (IKEV2_ATTRIBUTE_TYPE_KEYLEN | SA_ATTR_FORMAT_BIT);\r | |
1735 | SaAttribute->Attr.AttrValue = HTONS (TransformData->Attribute.Attr.AttrValue);\r | |
1736 | SaAttrsSize = sizeof (IKE_SA_ATTRIBUTE);\r | |
1737 | }\r | |
1738 | \r | |
1739 | TransformSize = sizeof (IKEV2_TRANSFORM) + SaAttrsSize;\r | |
1740 | TransformsSize += TransformSize;\r | |
6cf9230f | 1741 | \r |
9166f840 | 1742 | Transform->Header.NextPayload = IKE_TRANSFORM_NEXT_PAYLOAD_MORE;\r |
1743 | Transform->Header.PayloadLength = HTONS ((UINT16)TransformSize);\r | |
6cf9230f | 1744 | \r |
ce5c3273 | 1745 | if (TransformIndex == ((UINT32)ProposalData->NumTransforms - 1)) {\r |
6cf9230f | 1746 | Transform->Header.NextPayload = IKE_TRANSFORM_NEXT_PAYLOAD_NONE;\r |
9166f840 | 1747 | }\r |
1748 | \r | |
1749 | Transform = (IKEV2_TRANSFORM *)((UINT8 *) Transform + TransformSize);\r | |
1750 | }\r | |
6cf9230f | 1751 | \r |
9166f840 | 1752 | //\r |
1753 | // Set Proposal's Generic Header.\r | |
1754 | //\r | |
1755 | ProposalSize = sizeof (IKEV2_PROPOSAL) + Proposal->SpiSize + TransformsSize;\r | |
1756 | ProposalsSize += ProposalSize;\r | |
1757 | Proposal->Header.NextPayload = IKE_PROPOSAL_NEXT_PAYLOAD_MORE;\r | |
1758 | Proposal->Header.PayloadLength = HTONS ((UINT16)ProposalSize);\r | |
6cf9230f | 1759 | \r |
1760 | if (ProposalIndex == (UINTN)(SaData->NumProposals - 1)) {\r | |
1761 | Proposal->Header.NextPayload = IKE_PROPOSAL_NEXT_PAYLOAD_NONE;\r | |
9166f840 | 1762 | }\r |
1763 | \r | |
1764 | //\r | |
1765 | // Point to next Proposal Payload\r | |
1766 | //\r | |
1767 | Proposal = (IKEV2_PROPOSAL *) ((UINT8 *) Proposal + ProposalSize);\r | |
1768 | ProposalData = (IKEV2_PROPOSAL_DATA *)(((UINT8 *)ProposalData) + sizeof (IKEV2_PROPOSAL_DATA) + (TransformIndex * sizeof (IKEV2_TRANSFORM_DATA)));\r | |
1769 | }\r | |
1770 | //\r | |
1771 | // Set SA's Generic Header.\r | |
1772 | //\r | |
1773 | Sa->Header.PayloadLength = (UINT16) (Sa->Header.PayloadLength + ProposalsSize);\r | |
1774 | return Sa;\r | |
1775 | }\r | |
1776 | \r | |
1777 | /**\r | |
1778 | Decode SA payload.\r | |
1779 | \r | |
1780 | This function converts the received SA payload to internal data structure.\r | |
1781 | \r | |
6cf9230f | 1782 | @param[in] SessionCommon Pointer to IKE Common Session used to decode the SA\r |
9166f840 | 1783 | Payload.\r |
1784 | @param[in] Sa Pointer to SA Payload\r | |
1785 | \r | |
1786 | @return a Pointer to internal data structure for SA payload.\r | |
1787 | \r | |
1788 | **/\r | |
1789 | IKEV2_SA_DATA *\r | |
1790 | Ikev2DecodeSa (\r | |
686d4d4a | 1791 | IN IKEV2_SESSION_COMMON *SessionCommon,\r |
1792 | IN IKEV2_SA *Sa\r | |
9166f840 | 1793 | )\r |
1794 | {\r | |
1795 | IKEV2_SA_DATA *SaData;\r | |
1796 | EFI_STATUS Status;\r | |
1797 | IKEV2_PROPOSAL *Proposal;\r | |
1798 | IKEV2_TRANSFORM *Transform;\r | |
1799 | UINTN TotalProposals;\r | |
1800 | UINTN TotalTransforms;\r | |
1801 | UINTN ProposalNextPayloadSum;\r | |
1802 | UINTN ProposalIndex;\r | |
1803 | UINTN TransformIndex;\r | |
1804 | UINTN SaRemaining;\r | |
1805 | UINT16 ProposalSize;\r | |
1806 | UINTN ProposalRemaining;\r | |
1807 | UINT16 TransformSize;\r | |
1808 | UINTN SaAttrRemaining;\r | |
1809 | IKE_SA_ATTRIBUTE *SaAttribute;\r | |
1810 | IKEV2_PROPOSAL_DATA *ProposalData;\r | |
1811 | IKEV2_TRANSFORM_DATA *TransformData;\r | |
1812 | UINT8 *Spi;\r | |
1813 | \r | |
1814 | //\r | |
1815 | // Transfrom from IKE_SA payload to IKE_SA_DATA structure.\r | |
1816 | // Header length NTOH is already done\r | |
1817 | // The returned IKE_SA_DATA should be freed by caller\r | |
1818 | //\r | |
1819 | SaData = NULL;\r | |
1820 | Status = EFI_SUCCESS;\r | |
1821 | \r | |
1822 | //\r | |
1823 | // First round sanity check and size calculae\r | |
1824 | //\r | |
1825 | TotalProposals = 0;\r | |
1826 | TotalTransforms = 0;\r | |
1827 | ProposalNextPayloadSum = 0;\r | |
1828 | SaRemaining = Sa->Header.PayloadLength - sizeof (IKEV2_SA);// Point to current position in SA\r | |
1829 | Proposal = (IKEV2_PROPOSAL *)((IKEV2_SA *)(Sa)+1);\r | |
1830 | \r | |
1831 | //\r | |
5edac28e | 1832 | // Calculate the number of Proposal payload and the total numbers of\r |
9166f840 | 1833 | // Transforms payload (the transforms in all proposal payload).\r |
1834 | //\r | |
1835 | while (SaRemaining > sizeof (IKEV2_PROPOSAL)) {\r | |
1836 | ProposalSize = NTOHS (Proposal->Header.PayloadLength);\r | |
1837 | if (SaRemaining < ProposalSize) {\r | |
1838 | Status = EFI_INVALID_PARAMETER;\r | |
1839 | goto Exit;\r | |
1840 | }\r | |
1841 | \r | |
1842 | if (Proposal->SpiSize != 0 && Proposal->SpiSize != 4) {\r | |
1843 | Status = EFI_INVALID_PARAMETER;\r | |
1844 | goto Exit;\r | |
1845 | }\r | |
1846 | \r | |
1847 | TotalProposals++;\r | |
1848 | TotalTransforms += Proposal->NumTransforms;\r | |
1849 | SaRemaining -= ProposalSize;\r | |
1850 | ProposalNextPayloadSum += Proposal->Header.NextPayload;\r | |
1851 | Proposal = IKEV2_NEXT_PROPOSAL_WITH_SIZE (Proposal, ProposalSize);\r | |
1852 | }\r | |
1853 | \r | |
1854 | //\r | |
6cf9230f | 1855 | // Check the proposal number.\r |
1856 | // The proposal Substructure, the NextPayLoad field indicates : 0 (last) or 2 (more)\r | |
1857 | // which Specifies whether this is the last Proposal Substructure in the SA.\r | |
1858 | // Here suming all Proposal NextPayLoad field to check the proposal number is correct\r | |
1859 | // or not.\r | |
9166f840 | 1860 | //\r |
1861 | if (TotalProposals == 0 ||\r | |
6cf9230f | 1862 | (TotalProposals - 1) * IKE_PROPOSAL_NEXT_PAYLOAD_MORE != ProposalNextPayloadSum\r |
9166f840 | 1863 | ) {\r |
1864 | Status = EFI_INVALID_PARAMETER;\r | |
1865 | goto Exit;\r | |
1866 | }\r | |
1867 | \r | |
1868 | //\r | |
1869 | // Second round sanity check and decode. Transform the SA payload into\r | |
1870 | // a IKE_SA_DATA structure.\r | |
1871 | //\r | |
1872 | SaData = (IKEV2_SA_DATA *) AllocateZeroPool (\r | |
1873 | sizeof (IKEV2_SA_DATA) +\r | |
1874 | TotalProposals * sizeof (IKEV2_PROPOSAL_DATA) +\r | |
1875 | TotalTransforms * sizeof (IKEV2_TRANSFORM_DATA)\r | |
1876 | );\r | |
6b16c9e7 JW |
1877 | if (SaData == NULL) {\r |
1878 | Status = EFI_OUT_OF_RESOURCES;\r | |
1879 | goto Exit;\r | |
1880 | }\r | |
f75a7f56 | 1881 | \r |
9166f840 | 1882 | CopyMem (SaData, Sa, sizeof (IKEV2_SA));\r |
1883 | SaData->NumProposals = TotalProposals;\r | |
1884 | ProposalData = (IKEV2_PROPOSAL_DATA *) (SaData + 1);\r | |
1885 | \r | |
1886 | //\r | |
1887 | // Proposal Payload\r | |
1888 | // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1\r | |
1889 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
1890 | // ! Next Payload ! RESERVED ! Payload Length !\r | |
1891 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
1892 | // ! Proposal # ! Protocol-Id ! SPI Size !# of Transforms!\r | |
1893 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
1894 | // ! SPI (variable) !\r | |
1895 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
1896 | //\r | |
1897 | for (ProposalIndex = 0, Proposal = IKEV2_SA_FIRST_PROPOSAL (Sa);\r | |
1898 | ProposalIndex < TotalProposals;\r | |
1899 | ProposalIndex++\r | |
1900 | ) {\r | |
6cf9230f | 1901 | \r |
9166f840 | 1902 | //\r |
1903 | // TODO: check ProposalId\r | |
1904 | //\r | |
1905 | ProposalData->ProposalIndex = Proposal->ProposalIndex;\r | |
1906 | ProposalData->ProtocolId = Proposal->ProtocolId;\r | |
1907 | if (Proposal->SpiSize == 0) {\r | |
1908 | ProposalData->Spi = 0;\r | |
1909 | } else {\r | |
1910 | //\r | |
1911 | // SpiSize == 4\r | |
1912 | //\r | |
1913 | Spi = AllocateZeroPool (Proposal->SpiSize);\r | |
6b16c9e7 JW |
1914 | if (Spi == NULL) {\r |
1915 | Status = EFI_OUT_OF_RESOURCES;\r | |
1916 | goto Exit;\r | |
1917 | }\r | |
f75a7f56 | 1918 | \r |
9166f840 | 1919 | CopyMem (Spi, (UINT32 *) (Proposal + 1), Proposal->SpiSize);\r |
1920 | *((UINT32*) Spi) = NTOHL (*((UINT32*) Spi));\r | |
1921 | ProposalData->Spi = Spi;\r | |
1922 | }\r | |
1923 | \r | |
1924 | ProposalData->NumTransforms = Proposal->NumTransforms;\r | |
1925 | ProposalSize = NTOHS (Proposal->Header.PayloadLength);\r | |
1926 | ProposalRemaining = ProposalSize;\r | |
1927 | //\r | |
1928 | // Transform Payload\r | |
1929 | // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1\r | |
1930 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
1931 | // ! Next Payload ! RESERVED ! Payload Length !\r | |
1932 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
1933 | // !Transform Type ! RESERVED ! Transform ID !\r | |
1934 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
1935 | // ! !\r | |
1936 | // ~ SA Attributes ~\r | |
1937 | // ! !\r | |
1938 | // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r | |
1939 | //\r | |
1940 | Transform = IKEV2_PROPOSAL_FIRST_TRANSFORM (Proposal);\r | |
1941 | for (TransformIndex = 0; TransformIndex < Proposal->NumTransforms; TransformIndex++) {\r | |
1942 | \r | |
1943 | //\r | |
1944 | // Transfer the IKEV2_TRANSFORM structure into internal IKEV2_TRANSFORM_DATA struture.\r | |
1945 | //\r | |
1946 | TransformData = (IKEV2_TRANSFORM_DATA *) (ProposalData + 1) + TransformIndex;\r | |
1947 | TransformData->TransformId = NTOHS (Transform->TransformId);\r | |
1948 | TransformData->TransformType = Transform->TransformType;\r | |
1949 | TransformSize = NTOHS (Transform->Header.PayloadLength);\r | |
1950 | //\r | |
1951 | // Check the Proposal Data is correct.\r | |
1952 | //\r | |
1953 | if (ProposalRemaining < TransformSize) {\r | |
1954 | Status = EFI_INVALID_PARAMETER;\r | |
1955 | goto Exit;\r | |
1956 | }\r | |
1957 | \r | |
1958 | //\r | |
1959 | // Check if the Transform payload includes Attribution.\r | |
1960 | //\r | |
1961 | SaAttrRemaining = TransformSize - sizeof (IKEV2_TRANSFORM);\r | |
1962 | \r | |
1963 | //\r | |
6cf9230f | 1964 | // According to RFC 4603, currently only the Key length attribute type is\r |
9166f840 | 1965 | // supported. For each Transform, there is only one attributeion.\r |
1966 | //\r | |
1967 | if (SaAttrRemaining > 0) {\r | |
1968 | if (SaAttrRemaining != sizeof (IKE_SA_ATTRIBUTE)) {\r | |
1969 | Status = EFI_INVALID_PARAMETER;\r | |
1970 | goto Exit;\r | |
1971 | }\r | |
1972 | SaAttribute = (IKE_SA_ATTRIBUTE *) ((IKEV2_TRANSFORM *)(Transform) + 1);\r | |
1973 | TransformData->Attribute.AttrType = (UINT16)((NTOHS (SaAttribute->AttrType)) & ~SA_ATTR_FORMAT_BIT);\r | |
1974 | TransformData->Attribute.Attr.AttrValue = NTOHS (SaAttribute->Attr.AttrValue);\r | |
1975 | \r | |
1976 | //\r | |
1977 | // Currently, only supports the Key Length Attribution.\r | |
1978 | //\r | |
1979 | if (TransformData->Attribute.AttrType != IKEV2_ATTRIBUTE_TYPE_KEYLEN) {\r | |
1980 | Status = EFI_INVALID_PARAMETER;\r | |
1981 | goto Exit;\r | |
6cf9230f | 1982 | }\r |
9166f840 | 1983 | }\r |
1984 | \r | |
1985 | //\r | |
1986 | // Move to next Transform\r | |
6cf9230f | 1987 | //\r |
9166f840 | 1988 | Transform = IKEV2_NEXT_TRANSFORM_WITH_SIZE (Transform, TransformSize);\r |
1989 | }\r | |
1990 | Proposal = IKEV2_NEXT_PROPOSAL_WITH_SIZE (Proposal, ProposalSize);\r | |
1991 | ProposalData = (IKEV2_PROPOSAL_DATA *) ((UINT8 *)(ProposalData + 1) +\r | |
1992 | ProposalData->NumTransforms *\r | |
1993 | sizeof (IKEV2_TRANSFORM_DATA));\r | |
1994 | }\r | |
1995 | \r | |
1996 | Exit:\r | |
1997 | if (EFI_ERROR (Status) && SaData != NULL) {\r | |
1998 | FreePool (SaData);\r | |
1999 | SaData = NULL;\r | |
2000 | }\r | |
2001 | return SaData;\r | |
2002 | }\r | |
2003 | \r | |
2004 | /**\r | |
2005 | General interface of payload encoding.\r | |
2006 | \r | |
6cf9230f | 2007 | This function encodes the internal data structure into payload which\r |
9166f840 | 2008 | is defined in RFC 4306. The IkePayload->PayloadBuf is used to store both the input\r |
2009 | payload and converted payload. Only the SA payload use the interal structure\r | |
2010 | to store the attribute. Other payload use structure which is same with the RFC\r | |
2011 | defined, for this kind payloads just do host order to network order change of\r | |
2012 | some fields.\r | |
2013 | \r | |
2014 | @param[in] SessionCommon Pointer to IKE Session Common used to encode the payload.\r | |
2015 | @param[in, out] IkePayload Pointer to IKE payload to be encoded as input, and\r | |
2016 | store the encoded result as output.\r | |
2017 | \r | |
2018 | @retval EFI_INVALID_PARAMETER Meet error when encoding the SA payload.\r | |
2019 | @retval EFI_SUCCESS Encoded successfully.\r | |
2020 | \r | |
2021 | **/\r | |
2022 | EFI_STATUS\r | |
2023 | Ikev2EncodePayload (\r | |
2024 | IN UINT8 *SessionCommon,\r | |
2025 | IN OUT IKE_PAYLOAD *IkePayload\r | |
2026 | )\r | |
2027 | {\r | |
2028 | IKEV2_SA_DATA *SaData;\r | |
2029 | IKEV2_SA *SaPayload;\r | |
2030 | IKEV2_COMMON_PAYLOAD_HEADER *PayloadHdr;\r | |
2031 | IKEV2_NOTIFY *NotifyPayload;\r | |
2032 | IKEV2_DELETE *DeletePayload;\r | |
2033 | IKEV2_KEY_EXCHANGE *KeyPayload;\r | |
2034 | IKEV2_TS *TsPayload;\r | |
2035 | IKEV2_CFG_ATTRIBUTES *CfgAttribute;\r | |
2036 | UINT8 *TsBuffer;\r | |
2037 | UINT8 Index;\r | |
2038 | TRAFFIC_SELECTOR *TrafficSelector;\r | |
2039 | \r | |
2040 | //\r | |
2041 | // Transform the Internal IKE structure to IKE payload.\r | |
2042 | // Only the SA payload use the interal structure to store the attribute.\r | |
2043 | // Other payload use structure which same with the RFC defined, so there is\r | |
2044 | // no need to tranform them to IKE payload.\r | |
2045 | //\r | |
2046 | switch (IkePayload->PayloadType) {\r | |
2047 | case IKEV2_PAYLOAD_TYPE_SA:\r | |
2048 | //\r | |
2049 | // Transform IKE_SA_DATA to IK_SA payload\r | |
2050 | //\r | |
2051 | SaData = (IKEV2_SA_DATA *) IkePayload->PayloadBuf;\r | |
2052 | SaPayload = Ikev2EncodeSa ((IKEV2_SESSION_COMMON *) SessionCommon, SaData);\r | |
2053 | \r | |
2054 | if (SaPayload == NULL) {\r | |
2055 | return EFI_INVALID_PARAMETER;\r | |
2056 | }\r | |
2057 | if (!IkePayload->IsPayloadBufExt) {\r | |
2058 | FreePool (IkePayload->PayloadBuf);\r | |
2059 | }\r | |
2060 | IkePayload->PayloadBuf = (UINT8 *) SaPayload;\r | |
2061 | IkePayload->IsPayloadBufExt = FALSE;\r | |
2062 | break;\r | |
2063 | \r | |
2064 | case IKEV2_PAYLOAD_TYPE_NOTIFY:\r | |
2065 | NotifyPayload = (IKEV2_NOTIFY *) IkePayload->PayloadBuf;\r | |
2066 | NotifyPayload->MessageType = HTONS (NotifyPayload->MessageType);\r | |
2067 | break;\r | |
6cf9230f | 2068 | \r |
9166f840 | 2069 | case IKEV2_PAYLOAD_TYPE_DELETE:\r |
2070 | DeletePayload = (IKEV2_DELETE *) IkePayload->PayloadBuf;\r | |
2071 | DeletePayload->NumSpis = HTONS (DeletePayload->NumSpis);\r | |
2072 | break;\r | |
6cf9230f | 2073 | \r |
9166f840 | 2074 | case IKEV2_PAYLOAD_TYPE_KE:\r |
2075 | KeyPayload = (IKEV2_KEY_EXCHANGE *) IkePayload->PayloadBuf;\r | |
2076 | KeyPayload->DhGroup = HTONS (KeyPayload->DhGroup);\r | |
2077 | break;\r | |
6cf9230f | 2078 | \r |
9166f840 | 2079 | case IKEV2_PAYLOAD_TYPE_TS_INIT:\r |
2080 | case IKEV2_PAYLOAD_TYPE_TS_RSP:\r | |
2081 | TsPayload = (IKEV2_TS *) IkePayload->PayloadBuf;\r | |
2082 | TsBuffer = IkePayload->PayloadBuf + sizeof (IKEV2_TS);\r | |
2083 | \r | |
2084 | for (Index = 0; Index < TsPayload->TSNumbers; Index++) {\r | |
2085 | TrafficSelector = (TRAFFIC_SELECTOR *) TsBuffer;\r | |
2086 | TsBuffer = TsBuffer + TrafficSelector->SelecorLen;\r | |
2087 | //\r | |
2088 | // Host order to network order\r | |
2089 | //\r | |
2090 | TrafficSelector->SelecorLen = HTONS (TrafficSelector->SelecorLen);\r | |
2091 | TrafficSelector->StartPort = HTONS (TrafficSelector->StartPort);\r | |
2092 | TrafficSelector->EndPort = HTONS (TrafficSelector->EndPort);\r | |
6cf9230f | 2093 | \r |
9166f840 | 2094 | }\r |
2095 | \r | |
2096 | break;\r | |
2097 | \r | |
2098 | case IKEV2_PAYLOAD_TYPE_CP:\r | |
2099 | CfgAttribute = (IKEV2_CFG_ATTRIBUTES *)(((IKEV2_CFG *) IkePayload->PayloadBuf) + 1);\r | |
2100 | CfgAttribute->AttritType = HTONS (CfgAttribute->AttritType);\r | |
2101 | CfgAttribute->ValueLength = HTONS (CfgAttribute->ValueLength);\r | |
6cf9230f | 2102 | \r |
9166f840 | 2103 | case IKEV2_PAYLOAD_TYPE_ID_INIT:\r |
2104 | case IKEV2_PAYLOAD_TYPE_ID_RSP:\r | |
2105 | case IKEV2_PAYLOAD_TYPE_AUTH:\r | |
2106 | default:\r | |
2107 | break;\r | |
2108 | }\r | |
6cf9230f | 2109 | \r |
9166f840 | 2110 | PayloadHdr = (IKEV2_COMMON_PAYLOAD_HEADER *) IkePayload->PayloadBuf;\r |
2111 | IkePayload->PayloadSize = PayloadHdr->PayloadLength;\r | |
2112 | PayloadHdr->PayloadLength = HTONS (PayloadHdr->PayloadLength);\r | |
2113 | IKEV2_DUMP_PAYLOAD (IkePayload);\r | |
2114 | return EFI_SUCCESS;\r | |
2115 | }\r | |
2116 | \r | |
2117 | /**\r | |
2118 | The general interface for decoding Payload.\r | |
2119 | \r | |
2120 | This function converts the received Payload into internal structure.\r | |
2121 | \r | |
2122 | @param[in] SessionCommon Pointer to IKE Session Common used for decoding.\r | |
2123 | @param[in, out] IkePayload Pointer to IKE payload to be decoded as input, and\r | |
6cf9230f | 2124 | store the decoded result as output.\r |
9166f840 | 2125 | \r |
2126 | @retval EFI_INVALID_PARAMETER Meet error when decoding the SA payload.\r | |
2127 | @retval EFI_SUCCESS Decoded successfully.\r | |
2128 | \r | |
2129 | **/\r | |
2130 | EFI_STATUS\r | |
2131 | Ikev2DecodePayload (\r | |
2132 | IN UINT8 *SessionCommon,\r | |
2133 | IN OUT IKE_PAYLOAD *IkePayload\r | |
2134 | )\r | |
2135 | {\r | |
2136 | IKEV2_COMMON_PAYLOAD_HEADER *PayloadHdr;\r | |
2137 | UINT16 PayloadSize;\r | |
2138 | UINT8 PayloadType;\r | |
2139 | IKEV2_SA_DATA *SaData;\r | |
2140 | EFI_STATUS Status;\r | |
2141 | IKEV2_NOTIFY *NotifyPayload;\r | |
2142 | IKEV2_DELETE *DeletePayload;\r | |
2143 | UINT16 TsTotalSize;\r | |
2144 | TRAFFIC_SELECTOR *TsSelector;\r | |
2145 | IKEV2_TS *TsPayload;\r | |
2146 | IKEV2_KEY_EXCHANGE *KeyPayload;\r | |
2147 | IKEV2_CFG_ATTRIBUTES *CfgAttribute;\r | |
2148 | UINT8 Index;\r | |
2149 | \r | |
2150 | //\r | |
2151 | // Transform the IKE payload to Internal IKE structure.\r | |
2152 | // Only the SA payload and Hash Payload use the interal\r | |
2153 | // structure to store the attribute. Other payloads use\r | |
6cf9230f | 2154 | // structure which is same with the definitions in RFC,\r |
2155 | // so there is no need to tranform them to internal IKE\r | |
9166f840 | 2156 | // structure.\r |
2157 | //\r | |
2158 | Status = EFI_SUCCESS;\r | |
2159 | PayloadSize = (UINT16) IkePayload->PayloadSize;\r | |
2160 | PayloadType = IkePayload->PayloadType;\r | |
2161 | PayloadHdr = (IKEV2_COMMON_PAYLOAD_HEADER *) IkePayload->PayloadBuf;\r | |
2162 | //\r | |
2163 | // The PayloadSize is the size of whole payload.\r | |
2164 | // Replace HTONS operation to assignment statements, since the result is same.\r | |
2165 | //\r | |
2166 | PayloadHdr->PayloadLength = PayloadSize;\r | |
2167 | \r | |
2168 | IKEV2_DUMP_PAYLOAD (IkePayload);\r | |
2169 | switch (PayloadType) {\r | |
2170 | case IKEV2_PAYLOAD_TYPE_SA:\r | |
2171 | if (PayloadSize < sizeof (IKEV2_SA)) {\r | |
2172 | Status = EFI_INVALID_PARAMETER;\r | |
2173 | goto Exit;\r | |
2174 | }\r | |
2175 | \r | |
2176 | SaData = Ikev2DecodeSa ((IKEV2_SESSION_COMMON *) SessionCommon, (IKEV2_SA *) PayloadHdr);\r | |
2177 | if (SaData == NULL) {\r | |
2178 | Status = EFI_INVALID_PARAMETER;\r | |
2179 | goto Exit;\r | |
2180 | }\r | |
2181 | \r | |
2182 | if (!IkePayload->IsPayloadBufExt) {\r | |
2183 | FreePool (IkePayload->PayloadBuf);\r | |
2184 | }\r | |
6cf9230f | 2185 | \r |
9166f840 | 2186 | IkePayload->PayloadBuf = (UINT8 *) SaData;\r |
6cf9230f | 2187 | IkePayload->IsPayloadBufExt = FALSE;\r |
9166f840 | 2188 | break;\r |
2189 | \r | |
2190 | case IKEV2_PAYLOAD_TYPE_ID_INIT:\r | |
2191 | case IKEV2_PAYLOAD_TYPE_ID_RSP :\r | |
2192 | if (PayloadSize < sizeof (IKEV2_ID)) {\r | |
2193 | Status = EFI_INVALID_PARAMETER;\r | |
2194 | goto Exit;\r | |
2195 | }\r | |
2196 | break;\r | |
2197 | \r | |
2198 | case IKEV2_PAYLOAD_TYPE_NOTIFY:\r | |
2199 | if (PayloadSize < sizeof (IKEV2_NOTIFY)) {\r | |
2200 | Status = EFI_INVALID_PARAMETER;\r | |
2201 | goto Exit;\r | |
2202 | }\r | |
2203 | \r | |
2204 | NotifyPayload = (IKEV2_NOTIFY *) PayloadHdr;\r | |
2205 | NotifyPayload->MessageType = NTOHS (NotifyPayload->MessageType);\r | |
2206 | break;\r | |
6cf9230f | 2207 | \r |
9166f840 | 2208 | case IKEV2_PAYLOAD_TYPE_DELETE:\r |
2209 | if (PayloadSize < sizeof (IKEV2_DELETE)) {\r | |
2210 | Status = EFI_INVALID_PARAMETER;\r | |
2211 | goto Exit;\r | |
2212 | }\r | |
2213 | \r | |
2214 | DeletePayload = (IKEV2_DELETE *) PayloadHdr;\r | |
2215 | DeletePayload->NumSpis = NTOHS (DeletePayload->NumSpis);\r | |
2216 | break;\r | |
6cf9230f | 2217 | \r |
9166f840 | 2218 | case IKEV2_PAYLOAD_TYPE_AUTH:\r |
2219 | if (PayloadSize < sizeof (IKEV2_AUTH)) {\r | |
2220 | Status = EFI_INVALID_PARAMETER;\r | |
2221 | goto Exit;\r | |
2222 | }\r | |
2223 | break;\r | |
2224 | \r | |
2225 | case IKEV2_PAYLOAD_TYPE_KE:\r | |
2226 | KeyPayload = (IKEV2_KEY_EXCHANGE *) IkePayload->PayloadBuf;\r | |
2227 | KeyPayload->DhGroup = HTONS (KeyPayload->DhGroup);\r | |
6cf9230f | 2228 | break;\r |
9166f840 | 2229 | \r |
2230 | case IKEV2_PAYLOAD_TYPE_TS_INIT:\r | |
2231 | case IKEV2_PAYLOAD_TYPE_TS_RSP :\r | |
2232 | TsTotalSize = 0;\r | |
2233 | if (PayloadSize < sizeof (IKEV2_TS)) {\r | |
2234 | Status = EFI_INVALID_PARAMETER;\r | |
2235 | goto Exit;\r | |
2236 | }\r | |
2237 | //\r | |
2238 | // Parse each traffic selector and transfer network-order to host-order\r | |
2239 | //\r | |
2240 | TsPayload = (IKEV2_TS *) IkePayload->PayloadBuf;\r | |
2241 | TsSelector = (TRAFFIC_SELECTOR *) (IkePayload->PayloadBuf + sizeof (IKEV2_TS));\r | |
2242 | \r | |
2243 | for (Index = 0; Index < TsPayload->TSNumbers; Index++) {\r | |
2244 | TsSelector->SelecorLen = NTOHS (TsSelector->SelecorLen);\r | |
2245 | TsSelector->StartPort = NTOHS (TsSelector->StartPort);\r | |
2246 | TsSelector->EndPort = NTOHS (TsSelector->EndPort);\r | |
2247 | \r | |
2248 | TsTotalSize = (UINT16) (TsTotalSize + TsSelector->SelecorLen);\r | |
2249 | TsSelector = (TRAFFIC_SELECTOR *) ((UINT8 *) TsSelector + TsSelector->SelecorLen);\r | |
2250 | }\r | |
2251 | //\r | |
2252 | // Check if the total size of Traffic Selectors is correct.\r | |
2253 | //\r | |
2254 | if (TsTotalSize != PayloadSize - sizeof(IKEV2_TS)) {\r | |
2255 | Status = EFI_INVALID_PARAMETER;\r | |
2256 | }\r | |
2257 | \r | |
2258 | case IKEV2_PAYLOAD_TYPE_CP:\r | |
2259 | CfgAttribute = (IKEV2_CFG_ATTRIBUTES *)(((IKEV2_CFG *) IkePayload->PayloadBuf) + 1);\r | |
2260 | CfgAttribute->AttritType = NTOHS (CfgAttribute->AttritType);\r | |
2261 | CfgAttribute->ValueLength = NTOHS (CfgAttribute->ValueLength);\r | |
2262 | \r | |
2263 | default:\r | |
2264 | break;\r | |
2265 | }\r | |
2266 | \r | |
2267 | Exit:\r | |
2268 | return Status;\r | |
2269 | }\r | |
2270 | \r | |
2271 | /**\r | |
2272 | Decode the IKE packet.\r | |
2273 | \r | |
6cf9230f | 2274 | This function first decrypts the IKE packet if needed , then separates the whole\r |
9166f840 | 2275 | IKE packet from the IkePacket->PayloadBuf into IkePacket payload list.\r |
6cf9230f | 2276 | \r |
2277 | @param[in] SessionCommon Pointer to IKEV1_SESSION_COMMON containing\r | |
9166f840 | 2278 | some parameter used by IKE packet decoding.\r |
6cf9230f | 2279 | @param[in, out] IkePacket The IKE Packet to be decoded on input, and\r |
9166f840 | 2280 | the decoded result on return.\r |
2281 | @param[in] IkeType The type of IKE. IKE_SA_TYPE, IKE_INFO_TYPE and\r | |
2282 | IKE_CHILD_TYPE are supported.\r | |
2283 | \r | |
2284 | @retval EFI_SUCCESS The IKE packet is decoded successfully.\r | |
2285 | @retval Otherwise The IKE packet decoding is failed.\r | |
2286 | \r | |
2287 | **/\r | |
2288 | EFI_STATUS\r | |
2289 | Ikev2DecodePacket (\r | |
2290 | IN IKEV2_SESSION_COMMON *SessionCommon,\r | |
2291 | IN OUT IKE_PACKET *IkePacket,\r | |
2292 | IN UINTN IkeType\r | |
2293 | )\r | |
2294 | {\r | |
2295 | EFI_STATUS Status;\r | |
2296 | IKEV2_COMMON_PAYLOAD_HEADER *PayloadHdr;\r | |
2297 | UINT8 PayloadType;\r | |
2298 | UINTN RemainBytes;\r | |
2299 | UINT16 PayloadSize;\r | |
2300 | IKE_PAYLOAD *IkePayload;\r | |
2301 | IKE_HEADER *IkeHeader;\r | |
2302 | IKEV2_SA_SESSION *IkeSaSession;\r | |
2303 | \r | |
2304 | IkeHeader = NULL;\r | |
6cf9230f | 2305 | \r |
9166f840 | 2306 | //\r |
2307 | // Check if the IkePacket need decrypt.\r | |
2308 | //\r | |
2309 | if (SessionCommon->State >= IkeStateAuth) {\r | |
2310 | Status = Ikev2DecryptPacket (SessionCommon, IkePacket, IkeType);\r | |
2311 | if (EFI_ERROR (Status)) {\r | |
2312 | return Status;\r | |
2313 | }\r | |
2314 | }\r | |
2315 | \r | |
2316 | Status = EFI_SUCCESS;\r | |
2317 | \r | |
2318 | //\r | |
2319 | // If the IkePacket doesn't contain any payload return invalid parameter.\r | |
2320 | //\r | |
2321 | if (IkePacket->Header->NextPayload == IKEV2_PAYLOAD_TYPE_NONE) {\r | |
6cf9230f | 2322 | if ((SessionCommon->State >= IkeStateAuth) &&\r |
9166f840 | 2323 | (IkePacket->Header->ExchangeType == IKEV2_EXCHANGE_TYPE_INFO)\r |
2324 | ) {\r | |
2325 | //\r | |
2326 | // If it is Liveness check, there will be no payload load in the encrypt payload.\r | |
2327 | //\r | |
2328 | Status = EFI_SUCCESS;\r | |
2329 | } else {\r | |
2330 | Status = EFI_INVALID_PARAMETER;\r | |
2331 | }\r | |
2332 | }\r | |
2333 | \r | |
2334 | //\r | |
2335 | // If the PayloadTotalSize < Header length, return invalid parameter.\r | |
2336 | //\r | |
2337 | RemainBytes = IkePacket->PayloadTotalSize;\r | |
2338 | if (RemainBytes < sizeof (IKEV2_COMMON_PAYLOAD_HEADER)) {\r | |
2339 | Status = EFI_INVALID_PARAMETER;\r | |
2340 | goto Exit;\r | |
2341 | }\r | |
2342 | \r | |
2343 | //\r | |
2344 | // If the packet is first or second message, store whole message in\r | |
2345 | // IkeSa->InitiPacket or IkeSa->RespPacket for following Auth Payload\r | |
2346 | // calculate.\r | |
2347 | //\r | |
2348 | if (IkePacket->Header->ExchangeType == IKEV2_EXCHANGE_TYPE_INIT) {\r | |
2349 | IkeHeader = AllocateZeroPool (sizeof (IKE_HEADER));\r | |
6b16c9e7 JW |
2350 | if (IkeHeader == NULL) {\r |
2351 | Status = EFI_OUT_OF_RESOURCES;\r | |
2352 | goto Exit;\r | |
2353 | }\r | |
f75a7f56 | 2354 | \r |
9166f840 | 2355 | CopyMem (IkeHeader, IkePacket->Header, sizeof (IKE_HEADER));\r |
2356 | \r | |
2357 | //\r | |
2358 | // Before store the whole packet, roll back the host order to network order,\r | |
2359 | // since the header order was changed in the IkePacketFromNetbuf.\r | |
2360 | //\r | |
2361 | IkeHdrNetToHost (IkeHeader);\r | |
2362 | IkeSaSession = IKEV2_SA_SESSION_FROM_COMMON (SessionCommon);\r | |
2363 | if (SessionCommon->IsInitiator) {\r | |
2364 | IkeSaSession->RespPacket = AllocateZeroPool (IkePacket->Header->Length);\r | |
02a758cb | 2365 | if (IkeSaSession->RespPacket == NULL) {\r |
2366 | Status = EFI_OUT_OF_RESOURCES;\r | |
6cf9230f | 2367 | goto Exit;\r |
02a758cb | 2368 | }\r |
9166f840 | 2369 | IkeSaSession->RespPacketSize = IkePacket->Header->Length;\r |
2370 | CopyMem (IkeSaSession->RespPacket, IkeHeader, sizeof (IKE_HEADER));\r | |
2371 | CopyMem (\r | |
2372 | IkeSaSession->RespPacket + sizeof (IKE_HEADER),\r | |
2373 | IkePacket->PayloadsBuf,\r | |
2374 | IkePacket->Header->Length - sizeof (IKE_HEADER)\r | |
6cf9230f | 2375 | );\r |
9166f840 | 2376 | } else {\r |
2377 | IkeSaSession->InitPacket = AllocateZeroPool (IkePacket->Header->Length);\r | |
02a758cb | 2378 | if (IkeSaSession->InitPacket == NULL) {\r |
2379 | Status = EFI_OUT_OF_RESOURCES;\r | |
6cf9230f | 2380 | goto Exit;\r |
02a758cb | 2381 | }\r |
9166f840 | 2382 | IkeSaSession->InitPacketSize = IkePacket->Header->Length;\r |
2383 | CopyMem (IkeSaSession->InitPacket, IkeHeader, sizeof (IKE_HEADER));\r | |
2384 | CopyMem (\r | |
2385 | IkeSaSession->InitPacket + sizeof (IKE_HEADER),\r | |
2386 | IkePacket->PayloadsBuf,\r | |
2387 | IkePacket->Header->Length - sizeof (IKE_HEADER)\r | |
2388 | );\r | |
2389 | }\r | |
2390 | }\r | |
2391 | \r | |
2392 | //\r | |
6cf9230f | 2393 | // Point to the first Payload\r |
9166f840 | 2394 | //\r |
2395 | PayloadHdr = (IKEV2_COMMON_PAYLOAD_HEADER *) IkePacket->PayloadsBuf;\r | |
2396 | PayloadType = IkePacket->Header->NextPayload;\r | |
2397 | \r | |
2398 | //\r | |
2399 | // Parse each payload\r | |
2400 | //\r | |
2401 | while (RemainBytes >= sizeof (IKEV2_COMMON_PAYLOAD_HEADER)) {\r | |
2402 | PayloadSize = NTOHS (PayloadHdr->PayloadLength);\r | |
2403 | \r | |
2404 | //\r | |
2405 | //Check the size of the payload is correct.\r | |
2406 | //\r | |
2407 | if (RemainBytes < PayloadSize) {\r | |
2408 | Status = EFI_INVALID_PARAMETER;\r | |
2409 | goto Exit;\r | |
2410 | }\r | |
2411 | \r | |
2412 | //\r | |
2413 | // At certain states, it should save some datas before decoding.\r | |
2414 | //\r | |
2415 | if (SessionCommon->BeforeDecodePayload != NULL) {\r | |
2416 | SessionCommon->BeforeDecodePayload (\r | |
2417 | (UINT8 *) SessionCommon,\r | |
2418 | (UINT8 *) PayloadHdr,\r | |
2419 | PayloadSize,\r | |
2420 | PayloadType\r | |
2421 | );\r | |
2422 | }\r | |
2423 | \r | |
2424 | //\r | |
2425 | // Initial IkePayload\r | |
2426 | //\r | |
2427 | IkePayload = IkePayloadAlloc ();\r | |
6b16c9e7 JW |
2428 | if (IkePayload == NULL) {\r |
2429 | Status = EFI_OUT_OF_RESOURCES;\r | |
2430 | goto Exit;\r | |
2431 | }\r | |
9166f840 | 2432 | \r |
2433 | IkePayload->PayloadType = PayloadType;\r | |
2434 | IkePayload->PayloadBuf = (UINT8 *) PayloadHdr;\r | |
2435 | IkePayload->PayloadSize = PayloadSize;\r | |
2436 | IkePayload->IsPayloadBufExt = TRUE;\r | |
2437 | \r | |
2438 | Status = Ikev2DecodePayload ((UINT8 *) SessionCommon, IkePayload);\r | |
2439 | if (EFI_ERROR (Status)) {\r | |
2440 | goto Exit;\r | |
2441 | }\r | |
2442 | \r | |
2443 | IPSEC_DUMP_BUF ("After Decoding Payload", IkePayload->PayloadBuf, IkePayload->PayloadSize);\r | |
2444 | //\r | |
2445 | // Add each payload into packet\r | |
2446 | // Notice, the IkePacket->Hdr->Lenght still recode the whole IkePacket length\r | |
2447 | // which is before the decoding.\r | |
2448 | //\r | |
2449 | IKE_PACKET_APPEND_PAYLOAD (IkePacket, IkePayload);\r | |
2450 | \r | |
2451 | RemainBytes -= PayloadSize;\r | |
2452 | PayloadType = PayloadHdr->NextPayload;\r | |
2453 | if (PayloadType == IKEV2_PAYLOAD_TYPE_NONE) {\r | |
2454 | break;\r | |
2455 | }\r | |
2456 | \r | |
2457 | PayloadHdr = (IKEV2_COMMON_PAYLOAD_HEADER *) ((UINT8 *) PayloadHdr + PayloadSize);\r | |
2458 | }\r | |
2459 | \r | |
2460 | if (PayloadType != IKEV2_PAYLOAD_TYPE_NONE) {\r | |
2461 | Status = EFI_INVALID_PARAMETER;\r | |
2462 | goto Exit;\r | |
2463 | }\r | |
2464 | \r | |
2465 | Exit:\r | |
2466 | if (EFI_ERROR (Status)) {\r | |
2467 | ClearAllPayloads (IkePacket);\r | |
2468 | }\r | |
2469 | \r | |
2470 | if (IkeHeader != NULL) {\r | |
2471 | FreePool (IkeHeader);\r | |
2472 | }\r | |
2473 | return Status;\r | |
2474 | }\r | |
2475 | \r | |
2476 | /**\r | |
2477 | Encode the IKE packet.\r | |
2478 | \r | |
2479 | This function puts all Payloads into one payload then encrypt it if needed.\r | |
2480 | \r | |
6cf9230f | 2481 | @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON containing\r |
9166f840 | 2482 | some parameter used during IKE packet encoding.\r |
6cf9230f | 2483 | @param[in, out] IkePacket Pointer to IKE_PACKET to be encoded as input,\r |
9166f840 | 2484 | and the encoded result as output.\r |
2485 | @param[in] IkeType The type of IKE. IKE_SA_TYPE, IKE_INFO_TYPE and\r | |
2486 | IKE_CHILD_TYPE are supportted.\r | |
2487 | \r | |
2488 | @retval EFI_SUCCESS Encode IKE packet successfully.\r | |
2489 | @retval Otherwise Encode IKE packet failed.\r | |
2490 | \r | |
2491 | **/\r | |
2492 | EFI_STATUS\r | |
2493 | Ikev2EncodePacket (\r | |
2494 | IN IKEV2_SESSION_COMMON *SessionCommon,\r | |
2495 | IN OUT IKE_PACKET *IkePacket,\r | |
2496 | IN UINTN IkeType\r | |
2497 | )\r | |
2498 | {\r | |
2499 | IKE_PAYLOAD *IkePayload;\r | |
2500 | UINTN PayloadTotalSize;\r | |
2501 | LIST_ENTRY *Entry;\r | |
2502 | EFI_STATUS Status;\r | |
2503 | IKEV2_SA_SESSION *IkeSaSession;\r | |
2504 | \r | |
2505 | PayloadTotalSize = 0;\r | |
2506 | //\r | |
2507 | // Encode each payload\r | |
2508 | //\r | |
2509 | for (Entry = IkePacket->PayloadList.ForwardLink; Entry != &(IkePacket->PayloadList);) {\r | |
2510 | IkePayload = IKE_PAYLOAD_BY_PACKET (Entry);\r | |
2511 | Entry = Entry->ForwardLink;\r | |
2512 | Status = Ikev2EncodePayload ((UINT8 *) SessionCommon, IkePayload);\r | |
2513 | if (EFI_ERROR (Status)) {\r | |
2514 | return Status;\r | |
2515 | }\r | |
2516 | \r | |
2517 | if (SessionCommon->AfterEncodePayload != NULL) {\r | |
2518 | //\r | |
2519 | // For certain states, save some payload for further calculation\r | |
2520 | //\r | |
2521 | SessionCommon->AfterEncodePayload (\r | |
2522 | (UINT8 *) SessionCommon,\r | |
2523 | IkePayload->PayloadBuf,\r | |
2524 | IkePayload->PayloadSize,\r | |
2525 | IkePayload->PayloadType\r | |
2526 | );\r | |
2527 | }\r | |
2528 | \r | |
2529 | PayloadTotalSize += IkePayload->PayloadSize;\r | |
2530 | }\r | |
2531 | IkePacket->PayloadTotalSize = PayloadTotalSize;\r | |
2532 | \r | |
2533 | Status = EFI_SUCCESS;\r | |
2534 | if (SessionCommon->State >= IkeStateAuth) {\r | |
2535 | //\r | |
2536 | // Encrypt all payload and transfer IKE packet header from Host order to Network order.\r | |
2537 | //\r | |
2538 | Status = Ikev2EncryptPacket (SessionCommon, IkePacket);\r | |
6771c1d6 JW |
2539 | if (EFI_ERROR (Status)) {\r |
2540 | return Status;\r | |
2541 | }\r | |
9166f840 | 2542 | } else {\r |
2543 | //\r | |
2544 | // Fill in the lenght into IkePacket header and transfer Host order to Network order.\r | |
2545 | //\r | |
2546 | IkePacket->Header->Length = (UINT32) (sizeof (IKE_HEADER) + IkePacket->PayloadTotalSize);\r | |
2547 | IkeHdrHostToNet (IkePacket->Header);\r | |
2548 | }\r | |
2549 | \r | |
2550 | //\r | |
6cf9230f | 2551 | // If the packet is first message, store whole message in IkeSa->InitiPacket\r |
9166f840 | 2552 | // for following Auth Payload calculation.\r |
2553 | //\r | |
2554 | if (IkePacket->Header->ExchangeType == IKEV2_EXCHANGE_TYPE_INIT) {\r | |
2555 | IkeSaSession = IKEV2_SA_SESSION_FROM_COMMON (SessionCommon);\r | |
6cf9230f | 2556 | if (SessionCommon->IsInitiator) {\r |
9166f840 | 2557 | IkeSaSession->InitPacketSize = IkePacket->PayloadTotalSize + sizeof (IKE_HEADER);\r |
2558 | IkeSaSession->InitPacket = AllocateZeroPool (IkeSaSession->InitPacketSize);\r | |
6b16c9e7 JW |
2559 | if (IkeSaSession->InitPacket == NULL) {\r |
2560 | return EFI_OUT_OF_RESOURCES;\r | |
2561 | }\r | |
f75a7f56 | 2562 | \r |
9166f840 | 2563 | CopyMem (IkeSaSession->InitPacket, IkePacket->Header, sizeof (IKE_HEADER));\r |
2564 | PayloadTotalSize = 0;\r | |
2565 | for (Entry = IkePacket->PayloadList.ForwardLink; Entry != &(IkePacket->PayloadList);) {\r | |
2566 | IkePayload = IKE_PAYLOAD_BY_PACKET (Entry);\r | |
2567 | Entry = Entry->ForwardLink;\r | |
2568 | CopyMem (\r | |
2569 | IkeSaSession->InitPacket + sizeof (IKE_HEADER) + PayloadTotalSize,\r | |
2570 | IkePayload->PayloadBuf,\r | |
2571 | IkePayload->PayloadSize\r | |
2572 | );\r | |
2573 | PayloadTotalSize = PayloadTotalSize + IkePayload->PayloadSize;\r | |
2574 | }\r | |
6cf9230f | 2575 | } else {\r |
9166f840 | 2576 | IkeSaSession->RespPacketSize = IkePacket->PayloadTotalSize + sizeof(IKE_HEADER);\r |
2577 | IkeSaSession->RespPacket = AllocateZeroPool (IkeSaSession->RespPacketSize);\r | |
6b16c9e7 JW |
2578 | if (IkeSaSession->RespPacket == NULL) {\r |
2579 | return EFI_OUT_OF_RESOURCES;\r | |
2580 | }\r | |
f75a7f56 | 2581 | \r |
9166f840 | 2582 | CopyMem (IkeSaSession->RespPacket, IkePacket->Header, sizeof (IKE_HEADER));\r |
2583 | PayloadTotalSize = 0;\r | |
2584 | for (Entry = IkePacket->PayloadList.ForwardLink; Entry != &(IkePacket->PayloadList);) {\r | |
2585 | IkePayload = IKE_PAYLOAD_BY_PACKET (Entry);\r | |
2586 | Entry = Entry->ForwardLink;\r | |
2587 | \r | |
2588 | CopyMem (\r | |
2589 | IkeSaSession->RespPacket + sizeof (IKE_HEADER) + PayloadTotalSize,\r | |
2590 | IkePayload->PayloadBuf,\r | |
2591 | IkePayload->PayloadSize\r | |
2592 | );\r | |
2593 | PayloadTotalSize = PayloadTotalSize + IkePayload->PayloadSize;\r | |
2594 | }\r | |
2595 | }\r | |
2596 | }\r | |
2597 | \r | |
2598 | return Status;\r | |
2599 | }\r | |
2600 | \r | |
2601 | /**\r | |
2602 | Decrypt IKE packet.\r | |
2603 | \r | |
2604 | This function decrypts the Encrypted IKE packet and put the result into IkePacket->PayloadBuf.\r | |
2605 | \r | |
6cf9230f | 2606 | @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON containing\r |
9166f840 | 2607 | some parameter used during decrypting.\r |
6cf9230f | 2608 | @param[in, out] IkePacket Pointer to IKE_PACKET to be decrypted as input,\r |
9166f840 | 2609 | and the decrypted result as output.\r |
2610 | @param[in, out] IkeType The type of IKE. IKE_SA_TYPE, IKE_INFO_TYPE and\r | |
2611 | IKE_CHILD_TYPE are supportted.\r | |
2612 | \r | |
2613 | @retval EFI_INVALID_PARAMETER If the IKE packet length is zero or the\r | |
2614 | IKE packet length is not aligned with Algorithm Block Size\r | |
2615 | @retval EFI_SUCCESS Decrypt IKE packet successfully.\r | |
6cf9230f | 2616 | \r |
9166f840 | 2617 | **/\r |
2618 | EFI_STATUS\r | |
2619 | Ikev2DecryptPacket (\r | |
2620 | IN IKEV2_SESSION_COMMON *SessionCommon,\r | |
2621 | IN OUT IKE_PACKET *IkePacket,\r | |
2622 | IN OUT UINTN IkeType\r | |
2623 | )\r | |
2624 | {\r | |
2625 | UINT8 CryptBlockSize; // Encrypt Block Size\r | |
6cf9230f | 2626 | UINTN DecryptedSize; // Encrypted IKE Payload Size\r |
9166f840 | 2627 | UINT8 *DecryptedBuf; // Encrypted IKE Payload buffer\r |
2628 | UINTN IntegritySize;\r | |
2629 | UINT8 *IntegrityBuffer;\r | |
6cf9230f | 2630 | UINTN IvSize; // Iv Size\r |
2631 | UINT8 CheckSumSize; // Integrity Check Sum Size depends on intergrity Auth\r | |
9166f840 | 2632 | UINT8 *CheckSumData; // Check Sum data\r |
2633 | IKEV2_SA_SESSION *IkeSaSession;\r | |
2634 | IKEV2_CHILD_SA_SESSION *ChildSaSession;\r | |
2635 | EFI_STATUS Status;\r | |
2636 | UINT8 PadLen;\r | |
9166f840 | 2637 | HASH_DATA_FRAGMENT Fragments[1];\r |
2638 | \r | |
2639 | IvSize = 0;\r | |
2640 | IkeSaSession = NULL;\r | |
2641 | CryptBlockSize = 0;\r | |
2642 | CheckSumSize = 0;\r | |
9166f840 | 2643 | \r |
2644 | //\r | |
2645 | // Check if the first payload is the Encrypted payload\r | |
2646 | //\r | |
2647 | if (IkePacket->Header->NextPayload != IKEV2_PAYLOAD_TYPE_ENCRYPT) {\r | |
2648 | return EFI_ACCESS_DENIED;\r | |
2649 | }\r | |
2650 | CheckSumData = NULL;\r | |
2651 | DecryptedBuf = NULL;\r | |
2652 | IntegrityBuffer = NULL;\r | |
2653 | \r | |
2654 | //\r | |
2655 | // Get the Block Size\r | |
2656 | //\r | |
2657 | if (SessionCommon->IkeSessionType == IkeSessionTypeIkeSa) {\r | |
6cf9230f | 2658 | \r |
9166f840 | 2659 | CryptBlockSize = (UINT8) IpSecGetEncryptBlockSize ((UINT8) SessionCommon->SaParams->EncAlgId);\r |
e8837edd | 2660 | \r |
9166f840 | 2661 | CheckSumSize = (UINT8) IpSecGetIcvLength ((UINT8) SessionCommon->SaParams->IntegAlgId);\r |
2662 | IkeSaSession = IKEV2_SA_SESSION_FROM_COMMON (SessionCommon);\r | |
2663 | \r | |
2664 | } else if (SessionCommon->IkeSessionType == IkeSessionTypeChildSa) {\r | |
2665 | \r | |
2666 | ChildSaSession = IKEV2_CHILD_SA_SESSION_FROM_COMMON (SessionCommon);\r | |
2667 | IkeSaSession = ChildSaSession->IkeSaSession;\r | |
2668 | CryptBlockSize = (UINT8) IpSecGetEncryptBlockSize ((UINT8) IkeSaSession->SessionCommon.SaParams->EncAlgId);\r | |
9166f840 | 2669 | CheckSumSize = (UINT8) IpSecGetIcvLength ((UINT8) IkeSaSession->SessionCommon.SaParams->IntegAlgId);\r |
2670 | } else {\r | |
2671 | //\r | |
2672 | // The type of SA Session would either be IkeSa or ChildSa.\r | |
2673 | //\r | |
2674 | return EFI_INVALID_PARAMETER;\r | |
2675 | }\r | |
2676 | \r | |
2677 | CheckSumData = AllocateZeroPool (CheckSumSize);\r | |
6b16c9e7 JW |
2678 | if (CheckSumData == NULL) {\r |
2679 | Status = EFI_OUT_OF_RESOURCES;\r | |
2680 | goto ON_EXIT;\r | |
2681 | }\r | |
9166f840 | 2682 | \r |
2683 | //\r | |
2684 | // Fill in the Integrity buffer\r | |
2685 | //\r | |
2686 | IntegritySize = IkePacket->PayloadTotalSize + sizeof (IKE_HEADER);\r | |
2687 | IntegrityBuffer = AllocateZeroPool (IntegritySize);\r | |
6b16c9e7 JW |
2688 | if (IntegrityBuffer == NULL) {\r |
2689 | Status = EFI_OUT_OF_RESOURCES;\r | |
2690 | goto ON_EXIT;\r | |
2691 | }\r | |
f75a7f56 | 2692 | \r |
9166f840 | 2693 | CopyMem (IntegrityBuffer, IkePacket->Header, sizeof(IKE_HEADER));\r |
2694 | CopyMem (IntegrityBuffer + sizeof (IKE_HEADER), IkePacket->PayloadsBuf, IkePacket->PayloadTotalSize);\r | |
2695 | \r | |
2696 | //\r | |
6cf9230f | 2697 | // Change Host order to Network order, since the header order was changed\r |
9166f840 | 2698 | // in the IkePacketFromNetbuf.\r |
2699 | //\r | |
2700 | IkeHdrHostToNet ((IKE_HEADER *)IntegrityBuffer);\r | |
2701 | \r | |
2702 | //\r | |
2703 | // Calculate the Integrity CheckSum Data\r | |
2704 | //\r | |
2705 | Fragments[0].Data = IntegrityBuffer;\r | |
2706 | Fragments[0].DataSize = IntegritySize - CheckSumSize;\r | |
2707 | \r | |
2708 | if (SessionCommon->IsInitiator) {\r | |
2709 | Status = IpSecCryptoIoHmac (\r | |
2710 | (UINT8)IkeSaSession->SessionCommon.SaParams->IntegAlgId,\r | |
2711 | IkeSaSession->IkeKeys->SkArKey,\r | |
2712 | IkeSaSession->IkeKeys->SkArKeySize,\r | |
2713 | (HASH_DATA_FRAGMENT *) Fragments,\r | |
2714 | 1,\r | |
2715 | CheckSumData,\r | |
2716 | CheckSumSize\r | |
2717 | );\r | |
2718 | } else {\r | |
2719 | Status = IpSecCryptoIoHmac (\r | |
2720 | (UINT8)IkeSaSession->SessionCommon.SaParams->IntegAlgId,\r | |
2721 | IkeSaSession->IkeKeys->SkAiKey,\r | |
2722 | IkeSaSession->IkeKeys->SkAiKeySize,\r | |
2723 | (HASH_DATA_FRAGMENT *) Fragments,\r | |
2724 | 1,\r | |
2725 | CheckSumData,\r | |
2726 | CheckSumSize\r | |
2727 | );\r | |
2728 | }\r | |
2729 | \r | |
2730 | if (EFI_ERROR (Status)) {\r | |
2731 | goto ON_EXIT;\r | |
2732 | }\r | |
2733 | //\r | |
2734 | // Compare the Integrity CheckSum Data with the one in IkePacket\r | |
2735 | //\r | |
2736 | if (CompareMem (\r | |
2737 | IkePacket->PayloadsBuf + IkePacket->PayloadTotalSize - CheckSumSize,\r | |
2738 | CheckSumData,\r | |
2739 | CheckSumSize\r | |
2740 | ) != 0) {\r | |
2741 | DEBUG ((DEBUG_ERROR, "Error auth verify payload\n"));\r | |
2742 | Status = EFI_ACCESS_DENIED;\r | |
2743 | goto ON_EXIT;\r | |
2744 | }\r | |
6cf9230f | 2745 | \r |
9166f840 | 2746 | IvSize = CryptBlockSize;\r |
6cf9230f | 2747 | \r |
9166f840 | 2748 | //\r |
2749 | // Decrypt the payload with the key.\r | |
2750 | //\r | |
2751 | DecryptedSize = IkePacket->PayloadTotalSize - sizeof (IKEV2_COMMON_PAYLOAD_HEADER) - IvSize - CheckSumSize;\r | |
2752 | DecryptedBuf = AllocateZeroPool (DecryptedSize);\r | |
6b16c9e7 JW |
2753 | if (DecryptedBuf == NULL) {\r |
2754 | Status = EFI_OUT_OF_RESOURCES;\r | |
2755 | goto ON_EXIT;\r | |
2756 | }\r | |
9166f840 | 2757 | \r |
2758 | CopyMem (\r | |
2759 | DecryptedBuf,\r | |
2760 | IkePacket->PayloadsBuf + sizeof (IKEV2_COMMON_PAYLOAD_HEADER) + IvSize,\r | |
2761 | DecryptedSize\r | |
2762 | );\r | |
2763 | \r | |
2764 | if (SessionCommon->IsInitiator) {\r | |
2765 | Status = IpSecCryptoIoDecrypt (\r | |
2766 | (UINT8) SessionCommon->SaParams->EncAlgId,\r | |
2767 | IkeSaSession->IkeKeys->SkErKey,\r | |
2768 | IkeSaSession->IkeKeys->SkErKeySize << 3,\r | |
2769 | IkePacket->PayloadsBuf + sizeof (IKEV2_COMMON_PAYLOAD_HEADER),\r | |
2770 | DecryptedBuf,\r | |
2771 | DecryptedSize,\r | |
2772 | DecryptedBuf\r | |
2773 | );\r | |
2774 | } else {\r | |
2775 | Status = IpSecCryptoIoDecrypt (\r | |
2776 | (UINT8) SessionCommon->SaParams->EncAlgId,\r | |
2777 | IkeSaSession->IkeKeys->SkEiKey,\r | |
2778 | IkeSaSession->IkeKeys->SkEiKeySize << 3,\r | |
2779 | IkePacket->PayloadsBuf + sizeof (IKEV2_COMMON_PAYLOAD_HEADER),\r | |
2780 | DecryptedBuf,\r | |
2781 | DecryptedSize,\r | |
2782 | DecryptedBuf\r | |
2783 | );\r | |
2784 | }\r | |
2785 | \r | |
2786 | if (EFI_ERROR (Status)) {\r | |
2787 | DEBUG ((DEBUG_ERROR, "Error decrypt buffer with %r\n", Status));\r | |
2788 | goto ON_EXIT;\r | |
2789 | }\r | |
2790 | \r | |
2791 | //\r | |
2792 | // Get the Padding length\r | |
2793 | //\r | |
2794 | //\r | |
2795 | PadLen = (UINT8) (*(DecryptedBuf + DecryptedSize - sizeof (IKEV2_PAD_LEN)));\r | |
2796 | \r | |
2797 | //\r | |
2798 | // Save the next payload of encrypted payload into IkePacket->Hdr->NextPayload\r | |
2799 | //\r | |
2800 | IkePacket->Header->NextPayload = ((IKEV2_ENCRYPTED *) IkePacket->PayloadsBuf)->Header.NextPayload;\r | |
6cf9230f | 2801 | \r |
9166f840 | 2802 | //\r |
2803 | // Free old IkePacket->PayloadBuf and point it to decrypted paylaod buffer.\r | |
2804 | //\r | |
2805 | FreePool (IkePacket->PayloadsBuf);\r | |
2806 | IkePacket->PayloadsBuf = DecryptedBuf;\r | |
2807 | IkePacket->PayloadTotalSize = DecryptedSize - PadLen;\r | |
2808 | \r | |
2809 | IPSEC_DUMP_BUF ("Decrypted Buffer", DecryptedBuf, DecryptedSize);\r | |
6cf9230f | 2810 | \r |
9166f840 | 2811 | \r |
2812 | ON_EXIT:\r | |
2813 | if (CheckSumData != NULL) {\r | |
2814 | FreePool (CheckSumData);\r | |
2815 | }\r | |
2816 | \r | |
2817 | if (EFI_ERROR (Status) && DecryptedBuf != NULL) {\r | |
2818 | FreePool (DecryptedBuf);\r | |
2819 | }\r | |
2820 | \r | |
2821 | if (IntegrityBuffer != NULL) {\r | |
2822 | FreePool (IntegrityBuffer);\r | |
2823 | }\r | |
6cf9230f | 2824 | \r |
9166f840 | 2825 | return Status;\r |
2826 | }\r | |
2827 | \r | |
2828 | /**\r | |
2829 | Encrypt IKE packet.\r | |
2830 | \r | |
2831 | This function encrypt IKE packet before sending it. The Encrypted IKE packet\r | |
2832 | is put in to IKEV2 Encrypted Payload.\r | |
6cf9230f | 2833 | \r |
9166f840 | 2834 | @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON related to the IKE packet.\r |
2835 | @param[in, out] IkePacket Pointer to IKE packet to be encrypted.\r | |
2836 | \r | |
2837 | @retval EFI_SUCCESS Operation is successful.\r | |
2838 | @retval Others Operation is failed.\r | |
2839 | \r | |
2840 | **/\r | |
2841 | EFI_STATUS\r | |
2842 | Ikev2EncryptPacket (\r | |
2843 | IN IKEV2_SESSION_COMMON *SessionCommon,\r | |
2844 | IN OUT IKE_PACKET *IkePacket\r | |
2845 | )\r | |
2846 | {\r | |
2847 | UINT8 CryptBlockSize; // Encrypt Block Size\r | |
2848 | UINT8 CryptBlockSizeMask; // Block Mask\r | |
6cf9230f | 2849 | UINTN EncryptedSize; // Encrypted IKE Payload Size\r |
9166f840 | 2850 | UINT8 *EncryptedBuf; // Encrypted IKE Payload buffer\r |
2851 | UINT8 *EncryptPayloadBuf; // Contain whole Encrypted Payload\r | |
2852 | UINTN EncryptPayloadSize; // Total size of the Encrypted payload\r | |
6cf9230f | 2853 | UINT8 *IntegrityBuf; // Buffer to be intergity\r |
9166f840 | 2854 | UINT8 *IvBuffer; // Initialization Vector\r |
6cf9230f | 2855 | UINT8 IvSize; // Iv Size\r |
2856 | UINT8 CheckSumSize; // Integrity Check Sum Size depends on intergrity Auth\r | |
9166f840 | 2857 | UINT8 *CheckSumData; // Check Sum data\r |
2858 | UINTN Index;\r | |
2859 | IKE_PAYLOAD *EncryptPayload;\r | |
2860 | IKEV2_SA_SESSION *IkeSaSession;\r | |
2861 | IKEV2_CHILD_SA_SESSION *ChildSaSession;\r | |
2862 | EFI_STATUS Status;\r | |
2863 | LIST_ENTRY *Entry;\r | |
2864 | IKE_PAYLOAD *IkePayload;\r | |
9166f840 | 2865 | HASH_DATA_FRAGMENT Fragments[1];\r |
2866 | \r | |
02a758cb | 2867 | Status = EFI_SUCCESS;\r |
2868 | \r | |
9166f840 | 2869 | //\r |
2870 | // Initial all buffers to NULL.\r | |
2871 | //\r | |
2872 | EncryptedBuf = NULL;\r | |
2873 | EncryptPayloadBuf = NULL;\r | |
2874 | IvBuffer = NULL;\r | |
2875 | CheckSumData = NULL;\r | |
2876 | IkeSaSession = NULL;\r | |
2877 | CryptBlockSize = 0;\r | |
2878 | CheckSumSize = 0;\r | |
9166f840 | 2879 | IntegrityBuf = NULL;\r |
2880 | //\r | |
2881 | // Get the Block Size\r | |
2882 | //\r | |
2883 | if (SessionCommon->IkeSessionType == IkeSessionTypeIkeSa) {\r | |
2884 | \r | |
2885 | CryptBlockSize = (UINT8) IpSecGetEncryptBlockSize ((UINT8) SessionCommon->SaParams->EncAlgId);\r | |
9166f840 | 2886 | CheckSumSize = (UINT8) IpSecGetIcvLength ((UINT8) SessionCommon->SaParams->IntegAlgId);\r |
2887 | IkeSaSession = IKEV2_SA_SESSION_FROM_COMMON (SessionCommon);\r | |
2888 | \r | |
2889 | } else if (SessionCommon->IkeSessionType == IkeSessionTypeChildSa) {\r | |
2890 | \r | |
2891 | ChildSaSession = IKEV2_CHILD_SA_SESSION_FROM_COMMON (SessionCommon);\r | |
2892 | IkeSaSession = ChildSaSession->IkeSaSession;\r | |
2893 | CryptBlockSize = (UINT8) IpSecGetEncryptBlockSize ((UINT8) IkeSaSession->SessionCommon.SaParams->EncAlgId);\r | |
9166f840 | 2894 | CheckSumSize = (UINT8) IpSecGetIcvLength ((UINT8) IkeSaSession->SessionCommon.SaParams->IntegAlgId);\r |
2895 | }\r | |
6cf9230f | 2896 | \r |
9166f840 | 2897 | //\r |
2898 | // Calcualte the EncryptPayloadSize and the PAD length\r | |
2899 | //\r | |
2900 | CryptBlockSizeMask = (UINT8) (CryptBlockSize - 1);\r | |
2901 | EncryptedSize = (IkePacket->PayloadTotalSize + sizeof (IKEV2_PAD_LEN) + CryptBlockSizeMask) & ~CryptBlockSizeMask;\r | |
2902 | EncryptedBuf = (UINT8 *) AllocateZeroPool (EncryptedSize);\r | |
6b16c9e7 JW |
2903 | if (EncryptedBuf == NULL) {\r |
2904 | Status = EFI_OUT_OF_RESOURCES;\r | |
2905 | goto ON_EXIT;\r | |
2906 | }\r | |
f75a7f56 | 2907 | \r |
9166f840 | 2908 | //\r |
2909 | // Copy all payload into EncryptedIkePayload\r | |
2910 | //\r | |
2911 | Index = 0;\r | |
2912 | NET_LIST_FOR_EACH (Entry, &(IkePacket)->PayloadList) {\r | |
2913 | IkePayload = IKE_PAYLOAD_BY_PACKET (Entry);\r | |
2914 | \r | |
2915 | CopyMem (EncryptedBuf + Index, IkePayload->PayloadBuf, IkePayload->PayloadSize);\r | |
2916 | Index += IkePayload->PayloadSize;\r | |
2917 | \r | |
2918 | };\r | |
2919 | \r | |
2920 | //\r | |
2921 | // Fill in the Pading Length\r | |
2922 | //\r | |
2923 | *(EncryptedBuf + EncryptedSize - 1) = (UINT8)(EncryptedSize - IkePacket->PayloadTotalSize - 1);\r | |
2924 | \r | |
2925 | //\r | |
2926 | // The IV size is equal with block size\r | |
2927 | //\r | |
2928 | IvSize = CryptBlockSize;\r | |
2929 | IvBuffer = (UINT8 *) AllocateZeroPool (IvSize);\r | |
02a758cb | 2930 | if (IvBuffer == NULL) {\r |
2931 | Status = EFI_OUT_OF_RESOURCES;\r | |
2932 | goto ON_EXIT;\r | |
2933 | }\r | |
9166f840 | 2934 | \r |
2935 | //\r | |
2936 | // Generate IV\r | |
2937 | //\r | |
2938 | IkeGenerateIv (IvBuffer, IvSize);\r | |
2939 | \r | |
2940 | //\r | |
2941 | // Encrypt payload buf\r | |
2942 | //\r | |
2943 | if (SessionCommon->IsInitiator) {\r | |
2944 | Status = IpSecCryptoIoEncrypt (\r | |
2945 | (UINT8) IkeSaSession->SessionCommon.SaParams->EncAlgId,\r | |
2946 | IkeSaSession->IkeKeys->SkEiKey,\r | |
2947 | IkeSaSession->IkeKeys->SkEiKeySize << 3,\r | |
2948 | IvBuffer,\r | |
2949 | EncryptedBuf,\r | |
2950 | EncryptedSize,\r | |
2951 | EncryptedBuf\r | |
2952 | );\r | |
2953 | } else {\r | |
2954 | Status = IpSecCryptoIoEncrypt (\r | |
2955 | (UINT8) IkeSaSession->SessionCommon.SaParams->EncAlgId,\r | |
2956 | IkeSaSession->IkeKeys->SkErKey,\r | |
2957 | IkeSaSession->IkeKeys->SkErKeySize << 3,\r | |
2958 | IvBuffer,\r | |
2959 | EncryptedBuf,\r | |
2960 | EncryptedSize,\r | |
2961 | EncryptedBuf\r | |
2962 | );\r | |
2963 | }\r | |
2964 | if (EFI_ERROR (Status)) {\r | |
2965 | goto ON_EXIT;\r | |
2966 | }\r | |
2967 | \r | |
2968 | //\r | |
2969 | // Allocate the buffer for the whole IKE payload (Encrypted Payload).\r | |
2970 | //\r | |
2971 | EncryptPayloadSize = sizeof(IKEV2_ENCRYPTED) + IvSize + EncryptedSize + CheckSumSize;\r | |
2972 | EncryptPayloadBuf = AllocateZeroPool (EncryptPayloadSize);\r | |
6b16c9e7 JW |
2973 | if (EncryptPayloadBuf == NULL) {\r |
2974 | Status = EFI_OUT_OF_RESOURCES;\r | |
2975 | goto ON_EXIT;\r | |
2976 | }\r | |
9166f840 | 2977 | \r |
2978 | //\r | |
2979 | // Fill in Header of Encrypted Payload\r | |
2980 | //\r | |
2981 | ((IKEV2_ENCRYPTED *) EncryptPayloadBuf)->Header.NextPayload = IkePacket->Header->NextPayload;\r | |
2982 | ((IKEV2_ENCRYPTED *) EncryptPayloadBuf)->Header.PayloadLength = HTONS ((UINT16)EncryptPayloadSize);\r | |
2983 | \r | |
2984 | //\r | |
2985 | // Fill in Iv\r | |
2986 | //\r | |
2987 | CopyMem (EncryptPayloadBuf + sizeof (IKEV2_ENCRYPTED), IvBuffer, IvSize);\r | |
2988 | \r | |
2989 | //\r | |
2990 | // Fill in encrypted data\r | |
2991 | //\r | |
2992 | CopyMem (EncryptPayloadBuf + sizeof (IKEV2_ENCRYPTED) + IvSize, EncryptedBuf, EncryptedSize);\r | |
2993 | \r | |
2994 | //\r | |
2995 | // Fill in the IKE Packet header\r | |
6cf9230f | 2996 | //\r |
9166f840 | 2997 | IkePacket->PayloadTotalSize = EncryptPayloadSize;\r |
2998 | IkePacket->Header->Length = (UINT32) (sizeof (IKE_HEADER) + IkePacket->PayloadTotalSize);\r | |
2999 | IkePacket->Header->NextPayload = IKEV2_PAYLOAD_TYPE_ENCRYPT;\r | |
6cf9230f | 3000 | \r |
9166f840 | 3001 | IntegrityBuf = AllocateZeroPool (IkePacket->Header->Length);\r |
02a758cb | 3002 | if (IntegrityBuf == NULL) {\r |
3003 | Status = EFI_OUT_OF_RESOURCES;\r | |
3004 | goto ON_EXIT;\r | |
3005 | }\r | |
9166f840 | 3006 | IkeHdrHostToNet (IkePacket->Header);\r |
3007 | \r | |
3008 | CopyMem (IntegrityBuf, IkePacket->Header, sizeof (IKE_HEADER));\r | |
3009 | CopyMem (IntegrityBuf + sizeof (IKE_HEADER), EncryptPayloadBuf, EncryptPayloadSize);\r | |
3010 | \r | |
3011 | //\r | |
3012 | // Calcualte Integrity CheckSum\r | |
3013 | //\r | |
3014 | Fragments[0].Data = IntegrityBuf;\r | |
3015 | Fragments[0].DataSize = EncryptPayloadSize + sizeof (IKE_HEADER) - CheckSumSize;\r | |
3016 | \r | |
3017 | CheckSumData = AllocateZeroPool (CheckSumSize);\r | |
02a758cb | 3018 | if (CheckSumData == NULL) {\r |
3019 | Status = EFI_OUT_OF_RESOURCES;\r | |
3020 | goto ON_EXIT;\r | |
3021 | }\r | |
9166f840 | 3022 | if (SessionCommon->IsInitiator) {\r |
3023 | \r | |
3024 | IpSecCryptoIoHmac (\r | |
3025 | (UINT8)IkeSaSession->SessionCommon.SaParams->IntegAlgId,\r | |
3026 | IkeSaSession->IkeKeys->SkAiKey,\r | |
3027 | IkeSaSession->IkeKeys->SkAiKeySize,\r | |
3028 | (HASH_DATA_FRAGMENT *) Fragments,\r | |
3029 | 1,\r | |
3030 | CheckSumData,\r | |
3031 | CheckSumSize\r | |
3032 | );\r | |
3033 | } else {\r | |
3034 | \r | |
3035 | IpSecCryptoIoHmac (\r | |
3036 | (UINT8)IkeSaSession->SessionCommon.SaParams->IntegAlgId,\r | |
3037 | IkeSaSession->IkeKeys->SkArKey,\r | |
3038 | IkeSaSession->IkeKeys->SkArKeySize,\r | |
6cf9230f | 3039 | (HASH_DATA_FRAGMENT *) Fragments,\r |
9166f840 | 3040 | 1,\r |
3041 | CheckSumData,\r | |
3042 | CheckSumSize\r | |
3043 | );\r | |
3044 | }\r | |
3045 | \r | |
3046 | //\r | |
3047 | // Copy CheckSum into Encrypted Payload\r | |
3048 | //\r | |
3049 | CopyMem (EncryptPayloadBuf + EncryptPayloadSize - CheckSumSize, CheckSumData, CheckSumSize);\r | |
3050 | \r | |
3051 | IPSEC_DUMP_BUF ("Encrypted payload buffer", EncryptPayloadBuf, EncryptPayloadSize);\r | |
3052 | IPSEC_DUMP_BUF ("Integrith CheckSum Data", CheckSumData, CheckSumSize);\r | |
3053 | \r | |
3054 | //\r | |
3055 | // Clean all payload under IkePacket->PayloadList.\r | |
3056 | //\r | |
3057 | ClearAllPayloads (IkePacket);\r | |
3058 | \r | |
3059 | //\r | |
3060 | // Create Encrypted Payload and add into IkePacket->PayloadList\r | |
3061 | //\r | |
3062 | EncryptPayload = IkePayloadAlloc ();\r | |
6b16c9e7 JW |
3063 | if (EncryptPayload == NULL) {\r |
3064 | Status = EFI_OUT_OF_RESOURCES;\r | |
3065 | goto ON_EXIT;\r | |
3066 | }\r | |
9166f840 | 3067 | \r |
3068 | //\r | |
3069 | // Fill the encrypted payload into the IKE_PAYLOAD structure.\r | |
3070 | //\r | |
3071 | EncryptPayload->PayloadBuf = EncryptPayloadBuf;\r | |
3072 | EncryptPayload->PayloadSize = EncryptPayloadSize;\r | |
3073 | EncryptPayload->PayloadType = IKEV2_PAYLOAD_TYPE_ENCRYPT;\r | |
6cf9230f | 3074 | \r |
9166f840 | 3075 | IKE_PACKET_APPEND_PAYLOAD (IkePacket, EncryptPayload);\r |
3076 | \r | |
3077 | ON_EXIT:\r | |
3078 | if (EncryptedBuf != NULL) {\r | |
3079 | FreePool (EncryptedBuf);\r | |
3080 | }\r | |
3081 | \r | |
3082 | if (EFI_ERROR (Status) && EncryptPayloadBuf != NULL) {\r | |
3083 | FreePool (EncryptPayloadBuf);\r | |
3084 | }\r | |
3085 | \r | |
3086 | if (IvBuffer != NULL) {\r | |
3087 | FreePool (IvBuffer);\r | |
3088 | }\r | |
3089 | \r | |
3090 | if (CheckSumData != NULL) {\r | |
3091 | FreePool (CheckSumData);\r | |
3092 | }\r | |
3093 | \r | |
3094 | if (IntegrityBuf != NULL) {\r | |
3095 | FreePool (IntegrityBuf);\r | |
3096 | }\r | |
3097 | \r | |
3098 | return Status;\r | |
3099 | }\r | |
3100 | \r | |
9166f840 | 3101 | \r |
3102 | /**\r | |
3103 | \r | |
3104 | The notification function. It will be called when the related UDP_TX_TOKEN's event\r | |
3105 | is signaled.\r | |
3106 | \r | |
6cf9230f | 3107 | This function frees the Net Buffer pointed to the input Packet.\r |
3108 | \r | |
9166f840 | 3109 | @param[in] Packet Pointer to Net buffer containing the sending IKE packet.\r |
3110 | @param[in] EndPoint Pointer to UDP_END_POINT containing the remote and local\r | |
3111 | address information.\r | |
3112 | @param[in] IoStatus The Status of the related UDP_TX_TOKEN.\r | |
3113 | @param[in] Context Pointer to data passed from the caller.\r | |
3114 | \r | |
3115 | **/\r | |
3116 | VOID\r | |
1d8fa5e9 | 3117 | EFIAPI\r |
9166f840 | 3118 | Ikev2OnPacketSent (\r |
3119 | IN NET_BUF *Packet,\r | |
3120 | IN UDP_END_POINT *EndPoint,\r | |
3121 | IN EFI_STATUS IoStatus,\r | |
3122 | IN VOID *Context\r | |
3123 | )\r | |
3124 | {\r | |
3125 | IKE_PACKET *IkePacket;\r | |
3126 | IKEV2_SA_SESSION *IkeSaSession;\r | |
3127 | IKEV2_CHILD_SA_SESSION *ChildSaSession;\r | |
3128 | UINT8 Value;\r | |
3129 | IPSEC_PRIVATE_DATA *Private;\r | |
3130 | EFI_STATUS Status;\r | |
3131 | \r | |
3132 | IkePacket = (IKE_PACKET *) Context;\r | |
3133 | Private = NULL;\r | |
6cf9230f | 3134 | \r |
9166f840 | 3135 | if (EFI_ERROR (IoStatus)) {\r |
3136 | DEBUG ((DEBUG_ERROR, "Error send the last packet in IkeSessionTypeIkeSa with %r\n", IoStatus));\r | |
3137 | }\r | |
6cf9230f | 3138 | \r |
9166f840 | 3139 | NetbufFree (Packet);\r |
3140 | \r | |
3141 | if (IkePacket->IsDeleteInfo) {\r | |
3142 | //\r | |
3143 | // For each RemotePeerIP, there are only one IKESA.\r | |
3144 | //\r | |
3145 | IkeSaSession = Ikev2SaSessionLookup (\r | |
3146 | &IkePacket->Private->Ikev2EstablishedList,\r | |
3147 | &IkePacket->RemotePeerIp\r | |
3148 | );\r | |
3149 | if (IkeSaSession == NULL) {\r | |
3150 | IkePacketFree (IkePacket);\r | |
3151 | return;\r | |
3152 | }\r | |
1d8fa5e9 | 3153 | \r |
9166f840 | 3154 | Private = IkePacket->Private;\r |
3155 | if (IkePacket->Spi != 0 ) {\r | |
3156 | //\r | |
3157 | // At that time, the established Child SA still in eht ChildSaEstablishSessionList.\r | |
6cf9230f | 3158 | // And meanwhile, if the Child SA is in the the ChildSa in Delete list,\r |
9166f840 | 3159 | // remove it from delete list and delete it direclty.\r |
3160 | //\r | |
3161 | ChildSaSession = Ikev2ChildSaSessionLookupBySpi (\r | |
3162 | &IkeSaSession->ChildSaEstablishSessionList,\r | |
3163 | IkePacket->Spi\r | |
3164 | );\r | |
3165 | if (ChildSaSession != NULL) {\r | |
3166 | Ikev2ChildSaSessionRemove (\r | |
3167 | &IkeSaSession->DeleteSaList,\r | |
3168 | ChildSaSession->LocalPeerSpi,\r | |
3169 | IKEV2_DELET_CHILDSA_LIST\r | |
3170 | );\r | |
3171 | \r | |
3172 | //\r | |
3173 | // Delete the Child SA.\r | |
3174 | //\r | |
3175 | Ikev2ChildSaSilentDelete (\r | |
3176 | IkeSaSession,\r | |
3177 | IkePacket->Spi\r | |
3178 | );\r | |
3179 | }\r | |
3180 | \r | |
3181 | } else {\r | |
3182 | //\r | |
3183 | // Delete the IKE SA\r | |
3184 | //\r | |
3185 | DEBUG (\r | |
3186 | (DEBUG_INFO,\r | |
3187 | "\n------ deleted Packet (cookie_i, cookie_r):(0x%lx, 0x%lx)------\n",\r | |
3188 | IkeSaSession->InitiatorCookie,\r | |
3189 | IkeSaSession->ResponderCookie)\r | |
3190 | );\r | |
1d8fa5e9 | 3191 | \r |
9166f840 | 3192 | RemoveEntryList (&IkeSaSession->BySessionTable);\r |
3193 | Ikev2SaSessionFree (IkeSaSession);\r | |
3194 | }\r | |
3195 | }\r | |
3196 | IkePacketFree (IkePacket);\r | |
3197 | \r | |
3198 | //\r | |
6cf9230f | 3199 | // when all IKE SAs were disabled by calling "IPsecConfig -disable", the IPsec status\r |
9166f840 | 3200 | // should be changed.\r |
3201 | //\r | |
3202 | if (Private != NULL && Private->IsIPsecDisabling) {\r | |
1d8fa5e9 | 3203 | //\r |
3204 | // After all IKE SAs were deleted, set the IPSEC_STATUS_DISABLED value in\r | |
3205 | // IPsec status variable.\r | |
3206 | //\r | |
9166f840 | 3207 | if (IsListEmpty (&Private->Ikev1EstablishedList) && IsListEmpty (&Private->Ikev2EstablishedList)) {\r |
1d8fa5e9 | 3208 | Value = IPSEC_STATUS_DISABLED;\r |
3209 | Status = gRT->SetVariable (\r | |
3210 | IPSECCONFIG_STATUS_NAME,\r | |
3211 | &gEfiIpSecConfigProtocolGuid,\r | |
3212 | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_NON_VOLATILE,\r | |
3213 | sizeof (Value),\r | |
3214 | &Value\r | |
3215 | );\r | |
3216 | if (!EFI_ERROR (Status)) {\r | |
3217 | //\r | |
3218 | // Set the DisabledFlag in Private data.\r | |
3219 | //\r | |
3220 | Private->IpSec.DisabledFlag = TRUE;\r | |
3221 | Private->IsIPsecDisabling = FALSE;\r | |
3222 | }\r | |
3223 | }\r | |
9166f840 | 3224 | }\r |
3225 | }\r | |
3226 | \r | |
3227 | /**\r | |
3228 | Send out IKEV2 packet.\r | |
3229 | \r | |
3230 | @param[in] IkeUdpService Pointer to IKE_UDP_SERVICE used to send the IKE packet.\r | |
3231 | @param[in] SessionCommon Pointer to IKEV1_SESSION_COMMON related to the IKE packet.\r | |
3232 | @param[in] IkePacket Pointer to IKE_PACKET to be sent out.\r | |
6cf9230f | 3233 | @param[in] IkeType The type of IKE to point what's kind of the IKE\r |
3234 | packet is to be sent out. IKE_SA_TYPE, IKE_INFO_TYPE\r | |
9166f840 | 3235 | and IKE_CHILD_TYPE are supportted.\r |
3236 | \r | |
3237 | @retval EFI_SUCCESS The operation complete successfully.\r | |
3238 | @retval Otherwise The operation is failed.\r | |
3239 | \r | |
3240 | **/\r | |
3241 | EFI_STATUS\r | |
3242 | Ikev2SendIkePacket (\r | |
3243 | IN IKE_UDP_SERVICE *IkeUdpService,\r | |
3244 | IN UINT8 *SessionCommon,\r | |
3245 | IN IKE_PACKET *IkePacket,\r | |
3246 | IN UINTN IkeType\r | |
3247 | )\r | |
3248 | {\r | |
3249 | EFI_STATUS Status;\r | |
3250 | NET_BUF *IkePacketNetbuf;\r | |
3251 | UDP_END_POINT EndPoint;\r | |
3252 | IKEV2_SESSION_COMMON *Common;\r | |
3253 | \r | |
3254 | Common = (IKEV2_SESSION_COMMON *) SessionCommon;\r | |
6cf9230f | 3255 | \r |
9166f840 | 3256 | //\r |
3257 | // Set the resend interval\r | |
3258 | //\r | |
3259 | if (Common->TimeoutInterval == 0) {\r | |
3260 | Common->TimeoutInterval = IKE_DEFAULT_TIMEOUT_INTERVAL;\r | |
3261 | }\r | |
3262 | \r | |
3263 | //\r | |
3264 | // Retransfer the packet if it is initial packet.\r | |
3265 | //\r | |
3266 | if (IkePacket->Header->Flags == IKE_HEADER_FLAGS_INIT) {\r | |
3267 | //\r | |
3268 | // Set timer for next retry, this will cancel previous timer\r | |
3269 | //\r | |
3270 | Status = gBS->SetTimer (\r | |
3271 | Common->TimeoutEvent,\r | |
3272 | TimerRelative,\r | |
3273 | MultU64x32 (Common->TimeoutInterval, 10000) // ms->100ns\r | |
3274 | );\r | |
3275 | if (EFI_ERROR (Status)) {\r | |
3276 | return Status;\r | |
3277 | }\r | |
3278 | }\r | |
3279 | \r | |
3280 | IKE_PACKET_REF (IkePacket);\r | |
3281 | //\r | |
6cf9230f | 3282 | // If the last sent packet is same with this round packet, the packet is resent packet.\r |
9166f840 | 3283 | //\r |
3284 | if (IkePacket != Common->LastSentPacket && Common->LastSentPacket != NULL) {\r | |
3285 | IkePacketFree (Common->LastSentPacket);\r | |
3286 | }\r | |
3287 | \r | |
3288 | Common->LastSentPacket = IkePacket;\r | |
3289 | \r | |
3290 | //\r | |
3291 | // Transform IkePacke to NetBuf\r | |
3292 | //\r | |
3293 | IkePacketNetbuf = IkeNetbufFromPacket ((UINT8 *) SessionCommon, IkePacket, IkeType);\r | |
6b16c9e7 JW |
3294 | if (IkePacketNetbuf == NULL) {\r |
3295 | return EFI_OUT_OF_RESOURCES;\r | |
3296 | }\r | |
9166f840 | 3297 | \r |
3298 | ZeroMem (&EndPoint, sizeof (UDP_END_POINT));\r | |
3299 | EndPoint.RemotePort = IKE_DEFAULT_PORT;\r | |
3300 | CopyMem (&IkePacket->RemotePeerIp, &Common->RemotePeerIp, sizeof (EFI_IP_ADDRESS));\r | |
3301 | CopyMem (&EndPoint.RemoteAddr, &Common->RemotePeerIp, sizeof (EFI_IP_ADDRESS));\r | |
3302 | CopyMem (&EndPoint.LocalAddr, &Common->LocalPeerIp, sizeof (EFI_IP_ADDRESS));\r | |
3303 | \r | |
3304 | IPSEC_DUMP_PACKET (IkePacket, EfiIPsecOutBound, IkeUdpService->IpVersion);\r | |
3305 | \r | |
3306 | if (IkeUdpService->IpVersion == IP_VERSION_4) {\r | |
3307 | EndPoint.RemoteAddr.Addr[0] = HTONL (EndPoint.RemoteAddr.Addr[0]);\r | |
3308 | EndPoint.LocalAddr.Addr[0] = HTONL (EndPoint.LocalAddr.Addr[0]);\r | |
3309 | }\r | |
3310 | \r | |
3311 | //\r | |
3312 | // Call UDPIO to send out the IKE packet.\r | |
3313 | //\r | |
3314 | Status = UdpIoSendDatagram (\r | |
3315 | IkeUdpService->Output,\r | |
3316 | IkePacketNetbuf,\r | |
3317 | &EndPoint,\r | |
3318 | NULL,\r | |
3319 | Ikev2OnPacketSent,\r | |
3320 | (VOID*)IkePacket\r | |
3321 | );\r | |
3322 | \r | |
3323 | if (EFI_ERROR (Status)) {\r | |
3324 | DEBUG ((DEBUG_ERROR, "Error send packet with %r\n", Status));\r | |
3325 | }\r | |
3326 | \r | |
3327 | return Status;\r | |
3328 | }\r | |
3329 | \r |