]> git.proxmox.com Git - mirror_edk2.git/blame - NetworkPkg/IpSecDxe/Ikev2/Utility.h
projects / mirror_edk2.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
NetworkPkg: IpSecDxe: Remove the redundant code.
[mirror_edk2.git] / NetworkPkg / IpSecDxe / Ikev2 / Utility.h
CommitLineData
9166f840 1/** @file\r
f75a7f56 2 The interfaces of IKE/Child session operations and payload related operations\r
9166f840 3 used by IKE Exchange Process.\r
4\r
f75a7f56 5 Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>\r
9166f840 6\r
7 This program and the accompanying materials\r
8 are licensed and made available under the terms and conditions of the BSD License\r
9 which accompanies this distribution. The full text of the license may be found at\r
10 http://opensource.org/licenses/bsd-license.php.\r
11\r
12 THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,\r
13 WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r
14\r
15**/\r
16\r
17#ifndef _IKE_V2_UTILITY_H_\r
18#define _IKE_V2_UTILITY_H_\r
19\r
20#include "Ikev2.h"\r
21#include "IkeCommon.h"\r
22#include "IpSecCryptIo.h"\r
23\r
24#include <Library/PcdLib.h>\r
25\r
26#define IKEV2_SUPPORT_ENCRYPT_ALGORITHM_NUM 2\r
27#define IKEV2_SUPPORT_PRF_ALGORITHM_NUM 1\r
28#define IKEV2_SUPPORT_DH_ALGORITHM_NUM 2\r
29#define IKEV2_SUPPORT_AUTH_ALGORITHM_NUM 1\r
30\r
31/**\r
32 Allocate buffer for IKEV2_SA_SESSION and initialize it.\r
33\r
34 @param[in] Private Pointer to IPSEC_PRIVATE_DATA.\r
35 @param[in] UdpService Pointer to IKE_UDP_SERVICE related to this IKE SA Session.\r
36\r
37 @return Pointer to IKEV2_SA_SESSION.\r
38\r
39**/\r
40IKEV2_SA_SESSION *\r
41Ikev2SaSessionAlloc (\r
42 IN IPSEC_PRIVATE_DATA *Private,\r
43 IN IKE_UDP_SERVICE *UdpService\r
44 );\r
45\r
46/**\r
47 Register Establish IKEv2 SA into Private->Ikev2EstablishedList.\r
48\r
49 @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION to be registered.\r
50 @param[in] Private Pointer to IPSEC_PRAVATE_DATA.\r
51\r
52**/\r
53VOID\r
54Ikev2SaSessionReg (\r
55 IN IKEV2_SA_SESSION *IkeSaSession,\r
56 IN IPSEC_PRIVATE_DATA *Private\r
57 );\r
58\r
59/**\r
60 Find a IKEV2_SA_SESSION by the remote peer IP.\r
61\r
62 @param[in] SaSessionList SaSession List to be searched.\r
63 @param[in] RemotePeerIp Pointer to specified IP address.\r
64\r
65 @return Pointer to IKEV2_SA_SESSION if find one or NULL.\r
66\r
67**/\r
68IKEV2_SA_SESSION *\r
69Ikev2SaSessionLookup (\r
70 IN LIST_ENTRY *SaSessionList,\r
71 IN EFI_IP_ADDRESS *RemotePeerIp\r
72 );\r
73\r
74/**\r
75 Insert a IKE_SA_SESSION into IkeSaSession list. The IkeSaSession list is either\r
76 Private->Ikev2SaSession list or Private->Ikev2EstablishedList list.\r
77\r
78 @param[in] SaSessionList Pointer to list to be inserted into.\r
f75a7f56
LG		 79 @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION to be inserted.\r
80 @param[in] RemotePeerIp Pointer to EFI_IP_ADDRESSS to indicate the\r
9166f840 81 unique IKEV2_SA_SESSION.\r
82\r
83**/\r
84VOID\r
85Ikev2SaSessionInsert (\r
86 IN LIST_ENTRY *SaSessionList,\r
87 IN IKEV2_SA_SESSION *IkeSaSession,\r
88 IN EFI_IP_ADDRESS *RemotePeerIp\r
89 );\r
90\r
91/**\r
92 Remove the SA Session by Remote Peer IP.\r
93\r
94 @param[in] SaSessionList Pointer to list to be searched.\r
95 @param[in] RemotePeerIp Pointer to EFI_IP_ADDRESS to use for SA Session search.\r
96\r
f75a7f56 97 @retval Pointer to IKEV2_SA_SESSION with the specified remote IP address.\r
9166f840 98\r
99**/\r
100IKEV2_SA_SESSION *\r
101Ikev2SaSessionRemove (\r
102 IN LIST_ENTRY *SaSessionList,\r
103 IN EFI_IP_ADDRESS *RemotePeerIp\r
104 );\r
105\r
106\r
9166f840 107/**\r
108 After IKE/Child SA is estiblished, close the time event and free sent packet.\r
109\r
110 @param[in] SessionCommon Pointer to a Session Common.\r
111\r
112**/\r
113VOID\r
114Ikev2SessionCommonRefresh (\r
115 IN IKEV2_SESSION_COMMON *SessionCommon\r
116 );\r
117\r
118/**\r
f75a7f56 119 Free specified IKEV2 SA Session.\r
9166f840 120\r
121 @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION to be freed.\r
122\r
123**/\r
124VOID\r
125Ikev2SaSessionFree (\r
126 IN IKEV2_SA_SESSION *IkeSaSession\r
127 );\r
128\r
129/**\r
f75a7f56 130 Free specified Seession Common. The session common would belong to a IKE SA or\r
9166f840 131 a Child SA.\r
132\r
133 @param[in] SessionCommon Pointer to a Session Common.\r
134\r
135**/\r
136VOID\r
137Ikev2SaSessionCommonFree (\r
138 IN IKEV2_SESSION_COMMON *SessionCommon\r
139 );\r
140\r
141/**\r
142 Increase the MessageID in IkeSaSession.\r
143\r
144 @param[in] IkeSaSession Pointer to a specified IKEV2_SA_SESSION.\r
145\r
146**/\r
147VOID\r
148Ikev2SaSessionIncreaseMessageId (\r
149 IN IKEV2_SA_SESSION *IkeSaSession\r
150 );\r
151\r
152/**\r
153 Allocate Momery for IKEV2 Child SA Session.\r
f75a7f56 154\r
9166f840 155 @param[in] UdpService Pointer to IKE_UDP_SERVICE.\r
f75a7f56 156 @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION related to this Child SA\r
9166f840 157 Session.\r
158\r
159 @retval Pointer of a new created IKEV2 Child SA Session.\r
160\r
161**/\r
162IKEV2_CHILD_SA_SESSION *\r
163Ikev2ChildSaSessionAlloc (\r
164 IN IKE_UDP_SERVICE *UdpService,\r
165 IN IKEV2_SA_SESSION *IkeSaSession\r
166 );\r
167\r
168/**\r
f75a7f56
LG		 169 Register a established IKEv2 Child SA into IkeSaSession->ChildSaEstablishSessionList.\r
170 If the there is IKEV2_CHILD_SA_SESSION with same remote peer IP, remove the old one\r
9166f840 171 then register the new one.\r
172\r
173 @param[in] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION to be registered.\r
174 @param[in] Private Pointer to IPSEC_PRAVATE_DATA.\r
175\r
176**/\r
177VOID\r
178Ikev2ChildSaSessionReg (\r
179 IN IKEV2_CHILD_SA_SESSION *ChildSaSession,\r
180 IN IPSEC_PRIVATE_DATA *Private\r
181 );\r
182\r
183/**\r
184 This function find the Child SA by the specified Spi.\r
44de1013
HT		 185\r
186 This functin find a ChildSA session by searching the ChildSaSessionlist of\r
9166f840 187 the input IKEV2_SA_SESSION by specified MessageID.\r
f75a7f56 188\r
9166f840 189 @param[in] SaSessionList Pointer to List to be searched.\r
190 @param[in] Spi Specified SPI.\r
44de1013 191\r
9166f840 192 @return Pointer to IKEV2_CHILD_SA_SESSION.\r
193\r
194**/\r
195IKEV2_CHILD_SA_SESSION *\r
196Ikev2ChildSaSessionLookupBySpi (\r
197 IN LIST_ENTRY *SaSessionList,\r
198 IN UINT32 Spi\r
199 );\r
200\r
9166f840 201\r
202/**\r
203 Insert a Child SA Session into the specified ChildSa list..\r
204\r
205 @param[in] SaSessionList Pointer to list to be inserted in.\r
206 @param[in] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION to be inserted.\r
207\r
208**/\r
209VOID\r
210Ikev2ChildSaSessionInsert (\r
211 IN LIST_ENTRY *SaSessionList,\r
212 IN IKEV2_CHILD_SA_SESSION *ChildSaSession\r
213 );\r
214\r
215/**\r
216 Remove the IKEV2_CHILD_SA_SESSION from IkeSaSessionList.\r
f75a7f56 217\r
9166f840 218 @param[in] SaSessionList The SA Session List to be iterated.\r
219 @param[in] Spi Spi used to identify the IKEV2_CHILD_SA_SESSION.\r
f75a7f56
LG		 220 @param[in] ListType The type of the List to indicate whether it is a\r
221 Established.\r
9166f840 222\r
223 @return The point to IKEV2_CHILD_SA_SESSION.\r
f75a7f56 224\r
9166f840 225**/\r
226IKEV2_CHILD_SA_SESSION *\r
227Ikev2ChildSaSessionRemove (\r
228 IN LIST_ENTRY *SaSessionList,\r
f75a7f56
LG		 229 IN UINT32 Spi,\r
230 IN UINT8 ListType\r
9166f840 231 );\r
232\r
9166f840 233\r
234/**\r
f75a7f56 235 Free the memory located for the specified IKEV2_CHILD_SA_SESSION.\r
9166f840 236\r
237 @param[in] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION.\r
238\r
239**/\r
240VOID\r
241Ikev2ChildSaSessionFree (\r
242 IN IKEV2_CHILD_SA_SESSION *ChildSaSession\r
243 );\r
244\r
245/**\r
246 Free the specified DhBuffer.\r
247\r
248 @param[in] DhBuffer Pointer to IKEV2_DH_BUFFER to be freed.\r
f75a7f56 249\r
9166f840 250**/\r
251VOID\r
252Ikev2DhBufferFree (\r
253 IN IKEV2_DH_BUFFER *DhBuffer\r
254 );\r
255\r
256/**\r
257 Delete the specified established Child SA.\r
258\r
259 This function delete the Child SA directly and dont send the Information Packet to\r
260 remote peer.\r
261\r
262 @param[in] IkeSaSession Pointer to a IKE SA Session used to be searched for.\r
263 @param[in] Spi SPI used to find the Child SA.\r
264\r
265 @retval EFI_NOT_FOUND Pointer of IKE SA Session is NULL.\r
266 @retval EFI_NOT_FOUND There is no specified Child SA related with the input\r
267 SPI under this IKE SA Session.\r
268 @retval EFI_SUCCESS Delete the Child SA successfully.\r
269\r
270**/\r
271EFI_STATUS\r
272Ikev2ChildSaSilentDelete (\r
273 IN IKEV2_SA_SESSION *IkeSaSession,\r
274 IN UINT32 Spi\r
275 );\r
276\r
277/**\r
278 This function is to parse a request IKE packet and return its request type.\r
f75a7f56 279 The request type is one of IKE CHILD SA creation, IKE SA rekeying and\r
9166f840 280 IKE CHILD SA rekeying.\r
281\r
282 @param[in] IkePacket IKE packet to be prased.\r
283\r
284 return the type of the IKE packet.\r
285\r
286**/\r
287IKEV2_CREATE_CHILD_REQUEST_TYPE\r
288Ikev2ChildExchangeRequestType(\r
289 IN IKE_PACKET *IkePacket\r
290 );\r
291\r
9166f840 292\r
293/**\r
294 Associate a SPD selector to the Child SA Session.\r
295\r
f75a7f56 296 This function is called when the Child SA is not the first child SA of its\r
9166f840 297 IKE SA. It associate a SPD to this Child SA.\r
298\r
f75a7f56 299 @param[in, out] ChildSaSession Pointer to the Child SA Session to be associated to\r
9166f840 300 a SPD selector.\r
301\r
302 @retval EFI_SUCCESS Associate one SPD selector to this Child SA Session successfully.\r
303 @retval EFI_NOT_FOUND Can't find the related SPD selector.\r
304\r
305**/\r
306EFI_STATUS\r
307Ikev2ChildSaAssociateSpdEntry (\r
308 IN OUT IKEV2_CHILD_SA_SESSION *ChildSaSession\r
309 );\r
310\r
311/**\r
312 Validate the IKE header of received IKE packet.\r
313\r
314 @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION related to this IKE packet.\r
315 @param[in] IkeHdr Pointer to IKE header of received IKE packet.\r
316\r
317 @retval TRUE If the IKE header is valid.\r
318 @retval FALSE If the IKE header is invalid.\r
319\r
320**/\r
321BOOLEAN\r
322Ikev2ValidateHeader (\r
323 IN IKEV2_SA_SESSION *IkeSaSession,\r
324 IN IKE_HEADER *IkeHdr\r
325 );\r
326\r
327/**\r
328 Create and intialize IKEV2_SA_DATA for speicifed IKEV2_SESSION_COMMON.\r
329\r
330 This function will be only called by the initiator. The responder's IKEV2_SA_DATA\r
331 will be generated during parsed the initiator packet.\r
332\r
333 @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON related to.\r
334\r
335 @retval a Pointer to a new IKEV2_SA_DATA or NULL.\r
336\r
337**/\r
338IKEV2_SA_DATA *\r
339Ikev2InitializeSaData (\r
340 IN IKEV2_SESSION_COMMON *SessionCommon\r
341 );\r
342\r
343/**\r
344 Store the SA into SAD.\r
345\r
346 @param[in] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION.\r
347\r
348**/\r
349VOID\r
350Ikev2StoreSaData (\r
351 IN IKEV2_CHILD_SA_SESSION *ChildSaSession\r
352 );\r
353\r
354/**\r
355 Routine process before the payload decoding.\r
356\r
357 @param[in] SessionCommon Pointer to ChildSa SessionCommon.\r
358 @param[in] PayloadBuf Pointer to the payload.\r
359 @param[in] PayloadSize Size of PayloadBuf in byte.\r
360 @param[in] PayloadType Type of Payload.\r
361\r
362**/\r
363VOID\r
364Ikev2ChildSaBeforeDecodePayload (\r
365 IN UINT8 *SessionCommon,\r
366 IN UINT8 *PayloadBuf,\r
367 IN UINTN PayloadSize,\r
368 IN UINT8 PayloadType\r
369 );\r
370\r
371/**\r
372 Routine Process after the encode payload.\r
373\r
374 @param[in] SessionCommon Pointer to ChildSa SessionCommon.\r
375 @param[in] PayloadBuf Pointer to the payload.\r
376 @param[in] PayloadSize Size of PayloadBuf in byte.\r
377 @param[in] PayloadType Type of Payload.\r
378\r
379**/\r
380VOID\r
381Ikev2ChildSaAfterEncodePayload (\r
382 IN UINT8 *SessionCommon,\r
383 IN UINT8 *PayloadBuf,\r
384 IN UINTN PayloadSize,\r
385 IN UINT8 PayloadType\r
386 );\r
387\r
388/**\r
389 Generate Ikev2 SA payload according to SessionSaData\r
390\r
391 @param[in] SessionSaData The data used in SA payload.\r
f75a7f56 392 @param[in] NextPayload The payload type presented in NextPayload field of\r
9166f840 393 SA Payload header.\r
394 @param[in] Type The SA type. It MUST be neither (1) for IKE_SA or\r
395 (2) for CHILD_SA or (3) for INFO.\r
396\r
397 @retval a Pointer to SA IKE payload.\r
f75a7f56 398\r
9166f840 399**/\r
400IKE_PAYLOAD *\r
401Ikev2GenerateSaPayload (\r
402 IN IKEV2_SA_DATA *SessionSaData,\r
403 IN UINT8 NextPayload,\r
404 IN IKE_SESSION_TYPE Type\r
405 );\r
406\r
407/**\r
408 Generate a ID payload.\r
409\r
410 @param[in] CommonSession Pointer to IKEV2_SESSION_COMMON related to ID payload.\r
f75a7f56 411 @param[in] NextPayload The payload type presented in the NextPayload field\r
9166f840 412 of ID Payload header.\r
413\r
414 @retval Pointer to ID IKE payload.\r
415\r
416**/\r
417IKE_PAYLOAD *\r
418Ikev2GenerateIdPayload (\r
419 IN IKEV2_SESSION_COMMON *CommonSession,\r
420 IN UINT8 NextPayload\r
421 );\r
422\r
423/**\r
424 Generate a ID payload.\r
425\r
426 @param[in] CommonSession Pointer to IKEV2_SESSION_COMMON related to ID payload.\r
f75a7f56 427 @param[in] NextPayload The payload type presented in the NextPayload field\r
9166f840 428 of ID Payload header.\r
429 @param[in] InCert Pointer to the Certificate which distinguished name\r
430 will be added into the Id payload.\r
431 @param[in] CertSize Size of the Certificate.\r
432\r
433 @retval Pointer to ID IKE payload.\r
434\r
435**/\r
436IKE_PAYLOAD *\r
437Ikev2GenerateCertIdPayload (\r
438 IN IKEV2_SESSION_COMMON *CommonSession,\r
f75a7f56 439 IN UINT8 NextPayload,\r
9166f840 440 IN UINT8 *InCert,\r
441 IN UINTN CertSize\r
442 );\r
443\r
444/**\r
445 Generate a Nonce payload contenting the input parameter NonceBuf.\r
446\r
f75a7f56 447 @param[in] NonceBuf The nonce buffer content the whole Nonce payload block\r
9166f840 448 except the payload header.\r
449 @param[in] NonceSize The buffer size of the NonceBuf\r
f75a7f56 450 @param[in] NextPayload The payload type presented in the NextPayload field\r
9166f840 451 of Nonce Payload header.\r
452\r
453 @retval Pointer to Nonce IKE paload.\r
454\r
455**/\r
456IKE_PAYLOAD *\r
457Ikev2GenerateNoncePayload (\r
458 IN UINT8 *NonceBuf,\r
459 IN UINTN NonceSize,\r
460 IN UINT8 NextPayload\r
461 );\r
462\r
463/**\r
464 Generate the Notify payload.\r
465\r
466 Since the structure of Notify payload which defined in RFC 4306 is simple, so\r
f75a7f56
LG		 467 there is no internal data structure for Notify payload. This function generate\r
468 Notify payload defined in RFC 4306, but all the fields in this payload are still\r
469 in host order and need call Ikev2EncodePayload() to convert those fields from\r
9166f840 470 the host order to network order beforing sending it.\r
471\r
472 @param[in] ProtocolId The protocol type ID. For IKE_SA it MUST be one (1).\r
473 For IPsec SAs it MUST be neither (2) for AH or (3)\r
474 for ESP.\r
f75a7f56 475 @param[in] NextPayload The next paylaod type in NextPayload field of\r
9166f840 476 the Notify payload.\r
477 @param[in] SpiSize Size of the SPI in SPI size field of the Notify Payload.\r
f75a7f56 478 @param[in] MessageType The message type in NotifyMessageType field of the\r
9166f840 479 Notify Payload.\r
480 @param[in] SpiBuf Pointer to buffer contains the SPI value.\r
481 @param[in] NotifyData Pointer to buffer contains the notification data.\r
482 @param[in] NotifyDataSize The size of NotifyData in bytes.\r
f75a7f56 483\r
9166f840 484\r
485 @retval Pointer to IKE Notify Payload.\r
486\r
487**/\r
488IKE_PAYLOAD *\r
489Ikev2GenerateNotifyPayload (\r
490 IN UINT8 ProtocolId,\r
491 IN UINT8 NextPayload,\r
492 IN UINT8 SpiSize,\r
493 IN UINT16 MessageType,\r
494 IN UINT8 *SpiBuf,\r
495 IN UINT8 *NotifyData,\r
496 IN UINTN NotifyDataSize\r
497 );\r
498\r
499/**\r
500 Generate the Delete payload.\r
501\r
f75a7f56
LG		 502 Since the structure of Delete payload which defined in RFC 4306 is simple,\r
503 there is no internal data structure for Delete payload. This function generate\r
504 Delete payload defined in RFC 4306, but all the fields in this payload are still\r
505 in host order and need call Ikev2EncodePayload() to convert those fields from\r
9166f840 506 the host order to network order beforing sending it.\r
507\r
508 @param[in] IkeSaSession Pointer to IKE SA Session to be used of Delete payload generation.\r
f75a7f56 509 @param[in] NextPayload The next paylaod type in NextPayload field of\r
9166f840 510 the Delete payload.\r
511 @param[in] SpiSize Size of the SPI in SPI size field of the Delete Payload.\r
512 @param[in] SpiNum Number of SPI in NumofSPIs field of the Delete Payload.\r
513 @param[in] SpiBuf Pointer to buffer contains the SPI value.\r
514\r
515 @retval Pointer to IKE Delete Payload.\r
516\r
517**/\r
518IKE_PAYLOAD *\r
519Ikev2GenerateDeletePayload (\r
520 IN IKEV2_SA_SESSION *IkeSaSession,\r
521 IN UINT8 NextPayload,\r
522 IN UINT8 SpiSize,\r
523 IN UINT16 SpiNum,\r
f75a7f56 524 IN UINT8 *SpiBuf\r
9166f840 525 );\r
526\r
527/**\r
528 Generate the Configuration payload.\r
529\r
f75a7f56
LG		 530 This function generates a configuration payload defined in RFC 4306, but all the\r
531 fields in this payload are still in host order and need call Ikev2EncodePayload()\r
9166f840 532 to convert those fields from the host order to network order beforing sending it.\r
533\r
534 @param[in] IkeSaSession Pointer to IKE SA Session to be used for Delete payload\r
535 generation.\r
f75a7f56 536 @param[in] NextPayload The next paylaod type in NextPayload field of\r
9166f840 537 the Delete payload.\r
538 @param[in] CfgType The attribute type in the Configuration attribute.\r
539\r
540 @retval Pointer to IKE CP Payload.\r
541\r
542**/\r
543IKE_PAYLOAD *\r
544Ikev2GenerateCpPayload (\r
545 IN IKEV2_SA_SESSION *IkeSaSession,\r
546 IN UINT8 NextPayload,\r
547 IN UINT8 CfgType\r
548 );\r
549\r
550/**\r
551 Generate a Authentication Payload.\r
552\r
f75a7f56
LG		 553 This function is used for both Authentication generation and verification. When the\r
554 IsVerify is TRUE, it create a Auth Data for verification. This function choose the\r
9166f840 555 related IKE_SA_INIT Message for Auth data creation according to the IKE Session's type\r
556 and the value of IsVerify parameter.\r
557\r
558 @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION related to.\r
f75a7f56 559 @param[in] IdPayload Pointer to the ID payload to be used for Authentication\r
9166f840 560 payload generation.\r
f75a7f56 561 @param[in] NextPayload The type filled into the Authentication Payload next\r
9166f840 562 payload field.\r
563 @param[in] IsVerify If it is TURE, the Authentication payload is used for\r
564 verification.\r
565\r
566 @return pointer to IKE Authentication payload for pre-shard key method.\r
567\r
568**/\r
569IKE_PAYLOAD *\r
570Ikev2PskGenerateAuthPayload (\r
571 IN IKEV2_SA_SESSION *IkeSaSession,\r
572 IN IKE_PAYLOAD *IdPayload,\r
573 IN UINT8 NextPayload,\r
574 IN BOOLEAN IsVerify\r
575 );\r
576\r
577/**\r
f75a7f56 578 Generate a Authentication Payload for Certificate Auth method.\r
9166f840 579\r
f75a7f56
LG		 580 This function has two functions. One is creating a local Authentication\r
581 Payload for sending and other is creating the remote Authentication data\r
9166f840 582 for verification when the IsVerify is TURE.\r
583\r
584 @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION related to.\r
f75a7f56 585 @param[in] IdPayload Pointer to the ID payload to be used for Authentication\r
9166f840 586 payload generation.\r
f75a7f56 587 @param[in] NextPayload The type filled into the Authentication Payload\r
9166f840 588 next payload field.\r
f75a7f56 589 @param[in] IsVerify If it is TURE, the Authentication payload is used\r
9166f840 590 for verification.\r
f75a7f56 591 @param[in] UefiPrivateKey Pointer to the UEFI private key. Ignore it when\r
9166f840 592 verify the authenticate payload.\r
f75a7f56 593 @param[in] UefiPrivateKeyLen The size of UefiPrivateKey in bytes. Ignore it\r
9166f840 594 when verify the authenticate payload.\r
f75a7f56 595 @param[in] UefiKeyPwd Pointer to the password of UEFI private key.\r
9166f840 596 Ignore it when verify the authenticate payload.\r
f75a7f56 597 @param[in] UefiKeyPwdLen The size of UefiKeyPwd in bytes.Ignore it when\r
9166f840 598 verify the authenticate payload.\r
599\r
600 @return pointer to IKE Authentication payload for certification method.\r
601\r
602**/\r
603IKE_PAYLOAD *\r
604Ikev2CertGenerateAuthPayload (\r
605 IN IKEV2_SA_SESSION *IkeSaSession,\r
606 IN IKE_PAYLOAD *IdPayload,\r
607 IN UINT8 NextPayload,\r
608 IN BOOLEAN IsVerify,\r
609 IN UINT8 *UefiPrivateKey,\r
610 IN UINTN UefiPrivateKeyLen,\r
611 IN UINT8 *UefiKeyPwd,\r
612 IN UINTN UefiKeyPwdLen\r
613 );\r
614\r
615/**\r
616 Generate TS payload.\r
617\r
618 This function generates TSi or TSr payload according to type of next payload.\r
619 If the next payload is Responder TS, gereate TSi Payload. Otherwise, generate\r
620 TSr payload\r
f75a7f56 621\r
9166f840 622 @param[in] ChildSa Pointer to IKEV2_CHILD_SA_SESSION related to this TS payload.\r
f75a7f56 623 @param[in] NextPayload The payload type presented in the NextPayload field\r
9166f840 624 of ID Payload header.\r
625 @param[in] IsTunnel It indicates that if the Ts Payload is after the CP payload.\r
626 If yes, it means the Tsi and Tsr payload should be with\r
627 Max port range and address range and protocol is marked\r
628 as zero.\r
629\r
630 @retval Pointer to Ts IKE payload.\r
631\r
632**/\r
633IKE_PAYLOAD *\r
634Ikev2GenerateTsPayload (\r
635 IN IKEV2_CHILD_SA_SESSION *ChildSa,\r
636 IN UINT8 NextPayload,\r
637 IN BOOLEAN IsTunnel\r
638 );\r
639\r
640/**\r
641 Parser the Notify Cookie payload.\r
642\r
643 This function parses the Notify Cookie payload.If the Notify ProtocolId is not\r
644 IPSEC_PROTO_ISAKMP or if the SpiSize is not zero or if the MessageType is not\r
645 the COOKIE, return EFI_INVALID_PARAMETER.\r
646\r
f75a7f56 647 @param[in] IkeNCookie Pointer to the IKE_PAYLOAD which contians the\r
9166f840 648 Notify Cookie payload.\r
649 the Notify payload.\r
650 @param[in, out] IkeSaSession Pointer to the relevant IKE SA Session.\r
651\r
652 @retval EFI_SUCCESS The Notify Cookie Payload is valid.\r
653 @retval EFI_INVALID_PARAMETER The Notify Cookie Payload is invalid.\r
654 @retval EFI_OUT_OF_RESOURCE The required resource can't be allocated.\r
655\r
656**/\r
657EFI_STATUS\r
658Ikev2ParserNotifyCookiePayload (\r
659 IN IKE_PAYLOAD *IkeNCookie,\r
660 IN OUT IKEV2_SA_SESSION *IkeSaSession\r
661 );\r
662\r
663/**\r
664 Generate the Certificate payload or Certificate Request Payload.\r
665\r
f75a7f56 666 Since the Certificate Payload structure is same with Certificate Request Payload,\r
9166f840 667 the only difference is that one contains the Certificate Data, other contains\r
f75a7f56
LG		 668 the acceptable certificateion CA. This function generate Certificate payload\r
669 or Certificate Request Payload defined in RFC 4306, but all the fields\r
670 in the payload are still in host order and need call Ikev2EncodePayload()\r
9166f840 671 to convert those fields from the host order to network order beforing sending it.\r
672\r
f75a7f56 673 @param[in] IkeSaSession Pointer to IKE SA Session to be used of Delete payload\r
9166f840 674 generation.\r
f75a7f56 675 @param[in] NextPayload The next paylaod type in NextPayload field of\r
9166f840 676 the Delete payload.\r
677 @param[in] Certificate Pointer of buffer contains the certification data.\r
678 @param[in] CertificateLen The length of Certificate in byte.\r
679 @param[in] EncodeType Specified the Certificate Encodeing which is defined\r
680 in RFC 4306.\r
681 @param[in] IsRequest To indicate create Certificate Payload or Certificate\r
682 Request Payload. If it is TURE, create Certificate\r
683 Request Payload. Otherwise, create Certificate Payload.\r
684\r
685 @retval a Pointer to IKE Payload whose payload buffer containing the Certificate\r
686 payload or Certificated Request payload.\r
687\r
688**/\r
689IKE_PAYLOAD *\r
690Ikev2GenerateCertificatePayload (\r
691 IN IKEV2_SA_SESSION *IkeSaSession,\r
692 IN UINT8 NextPayload,\r
693 IN UINT8 *Certificate,\r
694 IN UINTN CertificateLen,\r
695 IN UINT8 EncodeType,\r
696 IN BOOLEAN IsRequest\r
697 );\r
f75a7f56 698\r
9166f840 699/**\r
700 General interface of payload encoding.\r
701\r
f75a7f56
LG		 702 This function encode the internal data structure into payload which\r
703 is defined in RFC 4306. The IkePayload->PayloadBuf used to store both the input\r
704 payload and converted payload. Only the SA payload use the interal structure\r
705 to store the attribute. Other payload use structure which is same with the RFC\r
706 defined, for this kind payloads just do host order to network order change of\r
9166f840 707 some fields.\r
708\r
709 @param[in] SessionCommon Pointer to IKE Session Common used to encode the payload.\r
710 @param[in, out] IkePayload Pointer to IKE payload to be encode as input, and\r
711 store the encoded result as output.\r
712\r
713 @retval EFI_INVALID_PARAMETER Meet error when encode the SA payload.\r
714 @retval EFI_SUCCESS Encode successfully.\r
715\r
716**/\r
717EFI_STATUS\r
718Ikev2EncodePayload (\r
719 IN UINT8 *SessionCommon,\r
720 IN OUT IKE_PAYLOAD *IkePayload\r
721 );\r
722\r
723/**\r
724 The general interface of decode Payload.\r
725\r
726 This function convert the received Payload into internal structure.\r
727\r
728 @param[in] SessionCommon Pointer to IKE Session Common to use for decoding.\r
729 @param[in, out] IkePayload Pointer to IKE payload to be decode as input, and\r
f75a7f56 730 store the decoded result as output.\r
9166f840 731\r
732 @retval EFI_INVALID_PARAMETER Meet error when decode the SA payload.\r
733 @retval EFI_SUCCESS Decode successfully.\r
734\r
735**/\r
736EFI_STATUS\r
737Ikev2DecodePayload (\r
738 IN UINT8 *SessionCommon,\r
739 IN OUT IKE_PAYLOAD *IkePayload\r
740 );\r
741\r
742/**\r
743 Decrypt IKE packet.\r
744\r
745 This function decrpt the Encrypted IKE packet and put the result into IkePacket->PayloadBuf.\r
746\r
f75a7f56 747 @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON containing\r
9166f840 748 some parameter used during decrypting.\r
f75a7f56 749 @param[in, out] IkePacket Point to IKE_PACKET to be decrypted as input,\r
9166f840 750 and the decrypted reslult as output.\r
751 @param[in, out] IkeType The type of IKE. IKE_SA_TYPE, IKE_INFO_TYPE and\r
752 IKE_CHILD_TYPE are supportted.\r
753\r
f75a7f56 754 @retval EFI_INVALID_PARAMETER If the IKE packet length is zero or the\r
9166f840 755 IKE packet length is not Algorithm Block Size\r
756 alignment.\r
757 @retval EFI_SUCCESS Decrypt IKE packet successfully.\r
f75a7f56 758\r
9166f840 759**/\r
760EFI_STATUS\r
761Ikev2DecryptPacket (\r
762 IN IKEV2_SESSION_COMMON *SessionCommon,\r
763 IN OUT IKE_PACKET *IkePacket,\r
764 IN OUT UINTN IkeType\r
765 );\r
766\r
767/**\r
768 Encrypt IKE packet.\r
769\r
770 This function encrypt IKE packet before sending it. The Encrypted IKE packet\r
771 is put in to IKEV2 Encrypted Payload.\r
f75a7f56 772\r
9166f840 773 @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON related to the IKE packet.\r
774 @param[in, out] IkePacket Pointer to IKE packet to be encrypted.\r
775\r
776 @retval EFI_SUCCESS Operation is successful.\r
777 @retval Others OPeration is failed.\r
778\r
779**/\r
780EFI_STATUS\r
781Ikev2EncryptPacket (\r
782 IN IKEV2_SESSION_COMMON *SessionCommon,\r
783 IN OUT IKE_PACKET *IkePacket\r
784 );\r
785\r
786/**\r
787 Encode the IKE packet.\r
788\r
789 This function put all Payloads into one payload then encrypt it if needed.\r
790\r
f75a7f56 791 @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON containing\r
9166f840 792 some parameter used during IKE packet encoding.\r
f75a7f56 793 @param[in, out] IkePacket Pointer to IKE_PACKET to be encoded as input,\r
9166f840 794 and the encoded reslult as output.\r
795 @param[in] IkeType The type of IKE. IKE_SA_TYPE, IKE_INFO_TYPE and\r
796 IKE_CHILD_TYPE are supportted.\r
797\r
798 @retval EFI_SUCCESS Encode IKE packet successfully.\r
799 @retval Otherwise Encode IKE packet failed.\r
800\r
801**/\r
802EFI_STATUS\r
803Ikev2EncodePacket (\r
804 IN IKEV2_SESSION_COMMON *SessionCommon,\r
805 IN OUT IKE_PACKET *IkePacket,\r
806 IN UINTN IkeType\r
807 );\r
808\r
809/**\r
810 Decode the IKE packet.\r
811\r
f75a7f56 812 This function first decrypts the IKE packet if needed , then separats the whole\r
9166f840 813 IKE packet from the IkePacket->PayloadBuf into IkePacket payload list.\r
f75a7f56
LG		 814\r
815 @param[in] SessionCommon Pointer to IKEV1_SESSION_COMMON containing\r
9166f840 816 some parameter used by IKE packet decoding.\r
f75a7f56 817 @param[in, out] IkePacket The IKE Packet to be decoded on input, and\r
9166f840 818 the decoded result on return.\r
819 @param[in] IkeType The type of IKE. IKE_SA_TYPE, IKE_INFO_TYPE and\r
820 IKE_CHILD_TYPE are supportted.\r
821\r
822 @retval EFI_SUCCESS The IKE packet is decoded successfull.\r
823 @retval Otherwise The IKE packet decoding is failed.\r
824\r
825**/\r
826EFI_STATUS\r
827Ikev2DecodePacket (\r
828 IN IKEV2_SESSION_COMMON *SessionCommon,\r
829 IN OUT IKE_PACKET *IkePacket,\r
830 IN UINTN IkeType\r
831 );\r
832\r
9166f840 833\r
834/**\r
835 Send out IKEV2 packet.\r
836\r
837 @param[in] IkeUdpService Pointer to IKE_UDP_SERVICE used to send the IKE packet.\r
838 @param[in] SessionCommon Pointer to IKEV1_SESSION_COMMON related to the IKE packet.\r
839 @param[in] IkePacket Pointer to IKE_PACKET to be sent out.\r
f75a7f56
LG		 840 @param[in] IkeType The type of IKE to point what's kind of the IKE\r
841 packet is to be sent out. IKE_SA_TYPE, IKE_INFO_TYPE\r
9166f840 842 and IKE_CHILD_TYPE are supportted.\r
843\r
844 @retval EFI_SUCCESS The operation complete successfully.\r
845 @retval Otherwise The operation is failed.\r
846\r
847**/\r
848EFI_STATUS\r
849Ikev2SendIkePacket (\r
850 IN IKE_UDP_SERVICE *IkeUdpService,\r
851 IN UINT8 *SessionCommon,\r
852 IN IKE_PACKET *IkePacket,\r
853 IN UINTN IkeType\r
854 );\r
855\r
856/**\r
857 Callback function for the IKE life time is over.\r
858\r
f75a7f56 859 This function will mark the related IKE SA Session as deleting and trigger a\r
9166f840 860 Information negotiation.\r
861\r
862 @param[in] Event The time out event.\r
863 @param[in] Context Pointer to data passed by caller.\r
f75a7f56 864\r
9166f840 865**/\r
866VOID\r
867EFIAPI\r
868Ikev2LifetimeNotify (\r
869 IN EFI_EVENT Event,\r
870 IN VOID *Context\r
871 );\r
872\r
873/**\r
874 This function will be called if the TimeOut Event is signaled.\r
875\r
876 @param[in] Event The signaled Event.\r
877 @param[in] Context The data passed by caller.\r
878\r
879**/\r
880VOID\r
881EFIAPI\r
882Ikev2ResendNotify (\r
883 IN EFI_EVENT Event,\r
884 IN VOID *Context\r
885 );\r
886\r
887/**\r
f75a7f56 888 Generate a Key Exchange payload according to the DH group type and save the\r
9166f840 889 public Key into IkeSaSession IkeKey field.\r
890\r
891 @param[in, out] IkeSaSession Pointer of the IKE_SA_SESSION.\r
f75a7f56 892 @param[in] NextPayload The payload type presented in the NextPayload field of Key\r
9166f840 893 Exchange Payload header.\r
894\r
895 @retval Pointer to Key IKE payload.\r
896\r
897**/\r
898IKE_PAYLOAD *\r
899Ikev2GenerateKePayload (\r
f75a7f56
LG		 900 IN OUT IKEV2_SA_SESSION *IkeSaSession,\r
901 IN UINT8 NextPayload\r
9166f840 902 );\r
903\r
904/**\r
905 Check if the SPD is related to the input Child SA Session.\r
906\r
907 This function is the subfunction of Ikev1AssociateSpdEntry(). It is the call\r
f75a7f56
LG		 908 back function of IpSecVisitConfigData().\r
909\r
9166f840 910\r
911 @param[in] Type Type of the input Config Selector.\r
f75a7f56
LG		 912 @param[in] Selector Pointer to the Configure Selector to be checked.\r
913 @param[in] Data Pointer to the Configure Selector's Data passed\r
9166f840 914 from the caller.\r
915 @param[in] SelectorSize The buffer size of Selector.\r
916 @param[in] DataSize The buffer size of the Data.\r
917 @param[in] Context The data passed from the caller. It is a Child\r
918 SA Session in this context.\r
919\r
f75a7f56
LG		 920 @retval EFI_SUCCESS The SPD Selector is not related to the Child SA Session.\r
921 @retval EFI_ABORTED The SPD Selector is related to the Child SA session and\r
9166f840 922 set the ChildSaSession->Spd to point to this SPD Selector.\r
923\r
924**/\r
925EFI_STATUS\r
926Ikev2MatchSpdEntry (\r
927 IN EFI_IPSEC_CONFIG_DATA_TYPE Type,\r
928 IN EFI_IPSEC_CONFIG_SELECTOR *Selector,\r
929 IN VOID *Data,\r
930 IN UINTN SelectorSize,\r
931 IN UINTN DataSize,\r
932 IN VOID *Context\r
933 );\r
934\r
935/**\r
936 Check if the Algorithm ID is supported.\r
937\r
938 @param[in] AlgorithmId The specified Algorithm ID.\r
939 @param[in] Type The type used to indicate the Algorithm is for Encrypt or\r
940 Authentication.\r
941\r
942 @retval TRUE If the Algorithm ID is supported.\r
943 @retval FALSE If the Algorithm ID is not supported.\r
944\r
945**/\r
946BOOLEAN\r
947Ikev2IsSupportAlg (\r
948 IN UINT16 AlgorithmId,\r
949 IN UINT8 Type\r
950 );\r
951\r
952/**\r
953 Generate a ChildSa Session and insert it into related IkeSaSession.\r
954\r
955 @param[in] IkeSaSession Pointer to related IKEV2_SA_SESSION.\r
956 @param[in] UdpService Pointer to related IKE_UDP_SERVICE.\r
957\r
958 @return pointer of IKEV2_CHILD_SA_SESSION.\r
959\r
960**/\r
961IKEV2_CHILD_SA_SESSION *\r
962Ikev2ChildSaSessionCreate (\r
963 IN IKEV2_SA_SESSION *IkeSaSession,\r
964 IN IKE_UDP_SERVICE *UdpService\r
965 ) ;\r
966\r
967/**\r
968 Parse the received Initial Exchange Packet.\r
f75a7f56
LG		 969\r
970 This function parse the SA Payload and Key Payload to find out the cryptographic\r
971 suite for the further IKE negotiation and fill it into the IKE SA Session's\r
9166f840 972 CommonSession->SaParams.\r
973\r
974 @param[in, out] IkeSaSession Pointer to related IKEV2_SA_SESSION.\r
975 @param[in] SaPayload The received packet.\r
f75a7f56 976 @param[in] Type The received packet IKE header flag.\r
9166f840 977\r
978 @retval TRUE If the SA proposal in Packet is acceptable.\r
979 @retval FALSE If the SA proposal in Packet is not acceptable.\r
980\r
981**/\r
982BOOLEAN\r
983Ikev2SaParseSaPayload (\r
984 IN OUT IKEV2_SA_SESSION *IkeSaSession,\r
985 IN IKE_PAYLOAD *SaPayload,\r
986 IN UINT8 Type\r
987 );\r
988\r
989/**\r
990 Parse the received Authentication Exchange Packet.\r
f75a7f56 991\r
9166f840 992 This function parse the SA Payload and Key Payload to find out the cryptographic\r
993 suite for the ESP and fill it into the Child SA Session's CommonSession->SaParams.\r
f75a7f56
LG		 994\r
995 @param[in, out] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION related to\r
9166f840 996 this Authentication Exchange.\r
997 @param[in] SaPayload The received packet.\r
f75a7f56
LG		 998 @param[in] Type The IKE header's flag of received packet .\r
999\r
9166f840 1000 @retval TRUE If the SA proposal in Packet is acceptable.\r
1001 @retval FALSE If the SA proposal in Packet is not acceptable.\r
1002\r
1003**/\r
1004BOOLEAN\r
1005Ikev2ChildSaParseSaPayload (\r
1006 IN OUT IKEV2_CHILD_SA_SESSION *ChildSaSession,\r
1007 IN IKE_PAYLOAD *SaPayload,\r
1008 IN UINT8 Type\r
1009 );\r
1010\r
1011/**\r
1012 Generate Key buffer from fragments.\r
1013\r
f75a7f56
LG		 1014 If the digest length of specified HashAlgId is larger than or equal with the\r
1015 required output key length, derive the key directly. Otherwise, Key Material\r
1016 needs to be PRF-based concatenation according to 2.13 of RFC 4306:\r
9166f840 1017 prf+ (K,S) = T1 | T2 | T3 | T4 | ..., T1 = prf (K, S | 0x01),\r
1018 T2 = prf (K, T1 | S | 0x02), T3 = prf (K, T2 | S | 0x03),T4 = prf (K, T3 | S | 0x04)\r
1019 then derive the key from this key material.\r
f75a7f56 1020\r
9166f840 1021 @param[in] HashAlgId The Hash Algorithm ID used to generate key.\r
1022 @param[in] HashKey Pointer to a key buffer which contains hash key.\r
1023 @param[in] HashKeyLength The length of HashKey in bytes.\r
f75a7f56 1024 @param[in, out] OutputKey Pointer to buffer which is used to receive the\r
9166f840 1025 output key.\r
1026 @param[in] OutputKeyLength The length of OutPutKey buffer.\r
1027 @param[in] Fragments Pointer to the data to be used to generate key.\r
1028 @param[in] NumFragments The numbers of the Fragement.\r
1029\r
1030 @retval EFI_SUCCESS The operation complete successfully.\r
1031 @retval EFI_INVALID_PARAMETER If NumFragments is zero.\r
1032 @retval EFI_OUT_OF_RESOURCES If the required resource can't be allocated.\r
1033 @retval Others The operation is failed.\r
1034\r
1035**/\r
1036EFI_STATUS\r
1037Ikev2SaGenerateKey (\r
1038 IN UINT8 HashAlgId,\r
1039 IN UINT8 *HashKey,\r
1040 IN UINTN HashKeyLength,\r
1041 IN OUT UINT8 *OutputKey,\r
1042 IN UINTN OutputKeyLength,\r
1043 IN PRF_DATA_FRAGMENT *Fragments,\r
1044 IN UINTN NumFragments\r
1045 );\r
1046\r
1047/**\r
1048 Copy ChildSaSession->Spd->Selector to ChildSaSession->SpdSelector.\r
1049\r
1050 ChildSaSession->SpdSelector stores the real Spdselector for its SA. Sometime,\r
f75a7f56 1051 the SpdSelector in ChildSaSession is more accurated or the scope is smaller\r
9166f840 1052 than the one in ChildSaSession->Spd, especially for the tunnel mode.\r
f75a7f56 1053\r
9166f840 1054 @param[in, out] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION related to.\r
6b16c9e7
JW		 1055\r
1056 @retval EFI_SUCCESS The operation complete successfully.\r
1057 @retval EFI_OUT_OF_RESOURCES If the required resource can't be allocated.\r
f75a7f56 1058\r
9166f840 1059**/\r
6b16c9e7 1060EFI_STATUS\r
9166f840 1061Ikev2ChildSaSessionSpdSelectorCreate (\r
1062 IN OUT IKEV2_CHILD_SA_SESSION *ChildSaSession\r
1063 );\r
1064\r
1065extern IKE_ALG_GUID_INFO mIPsecEncrAlgInfo[];\r
1066#endif\r
1067\r
EFI Development Kit II mirror for PVE