9166f840 | 1 | /** @file\r |
f75a7f56 | 2 | The interfaces of IKE/Child session operations and payload related operations\r |
9166f840 | 3 | used by IKE Exchange Process.\r |
4 | \r | |
f75a7f56 | 5 | Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>\r |
9166f840 | 6 | \r |
7 | This program and the accompanying materials\r | |
8 | are licensed and made available under the terms and conditions of the BSD License\r | |
9 | which accompanies this distribution. The full text of the license may be found at\r | |
10 | http://opensource.org/licenses/bsd-license.php.\r | |
11 | \r | |
12 | THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,\r | |
13 | WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r | |
14 | \r | |
15 | **/\r | |
16 | \r | |
17 | #ifndef _IKE_V2_UTILITY_H_\r | |
18 | #define _IKE_V2_UTILITY_H_\r | |
19 | \r | |
20 | #include "Ikev2.h"\r | |
21 | #include "IkeCommon.h"\r | |
22 | #include "IpSecCryptIo.h"\r | |
23 | \r | |
24 | #include <Library/PcdLib.h>\r | |
25 | \r | |
26 | #define IKEV2_SUPPORT_ENCRYPT_ALGORITHM_NUM 2\r | |
27 | #define IKEV2_SUPPORT_PRF_ALGORITHM_NUM 1\r | |
28 | #define IKEV2_SUPPORT_DH_ALGORITHM_NUM 2\r | |
29 | #define IKEV2_SUPPORT_AUTH_ALGORITHM_NUM 1\r | |
30 | \r | |
31 | /**\r | |
32 | Allocate buffer for IKEV2_SA_SESSION and initialize it.\r | |
33 | \r | |
34 | @param[in] Private Pointer to IPSEC_PRIVATE_DATA.\r | |
35 | @param[in] UdpService Pointer to IKE_UDP_SERVICE related to this IKE SA Session.\r | |
36 | \r | |
37 | @return Pointer to IKEV2_SA_SESSION.\r | |
38 | \r | |
39 | **/\r | |
40 | IKEV2_SA_SESSION *\r | |
41 | Ikev2SaSessionAlloc (\r | |
42 | IN IPSEC_PRIVATE_DATA *Private,\r | |
43 | IN IKE_UDP_SERVICE *UdpService\r | |
44 | );\r | |
45 | \r | |
46 | /**\r | |
47 | Register Establish IKEv2 SA into Private->Ikev2EstablishedList.\r | |
48 | \r | |
49 | @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION to be registered.\r | |
50 | @param[in] Private Pointer to IPSEC_PRIVATE_DATA.\r | |
51 | \r | |
52 | **/\r | |
53 | VOID\r | |
54 | Ikev2SaSessionReg (\r | |
55 | IN IKEV2_SA_SESSION *IkeSaSession,\r | |
56 | IN IPSEC_PRIVATE_DATA *Private\r | |
57 | );\r | |
58 | \r | |
59 | /**\r | |
60 | Find an IKEV2_SA_SESSION by the remote peer IP.\r | |
61 | \r | |
62 | @param[in] SaSessionList SaSession List to be searched.\r | |
63 | @param[in] RemotePeerIp Pointer to specified IP address.\r | |
64 | \r | |
65 | @return Pointer to the IKEV2_SA_SESSION if one is found, or NULL.\r | |
66 | \r | |
67 | **/\r | |
68 | IKEV2_SA_SESSION *\r | |
69 | Ikev2SaSessionLookup (\r | |
70 | IN LIST_ENTRY *SaSessionList,\r | |
71 | IN EFI_IP_ADDRESS *RemotePeerIp\r | |
72 | );\r | |
73 | \r | |
74 | /**\r | |
75 | Insert an IKE_SA_SESSION into the IkeSaSession list. The IkeSaSession list is either\r | |
76 | Private->Ikev2SaSession list or Private->Ikev2EstablishedList list.\r | |
77 | \r | |
78 | @param[in] SaSessionList Pointer to list to be inserted into.\r | |
79 | @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION to be inserted.\r |
80 | @param[in] RemotePeerIp Pointer to EFI_IP_ADDRESS to indicate the\r | |
9166f840 | 81 | unique IKEV2_SA_SESSION.\r |
82 | \r | |
83 | **/\r | |
84 | VOID\r | |
85 | Ikev2SaSessionInsert (\r | |
86 | IN LIST_ENTRY *SaSessionList,\r | |
87 | IN IKEV2_SA_SESSION *IkeSaSession,\r | |
88 | IN EFI_IP_ADDRESS *RemotePeerIp\r | |
89 | );\r | |
90 | \r | |
91 | /**\r | |
92 | Remove the SA Session by Remote Peer IP.\r | |
93 | \r | |
94 | @param[in] SaSessionList Pointer to list to be searched.\r | |
95 | @param[in] RemotePeerIp Pointer to EFI_IP_ADDRESS to use for SA Session search.\r | |
96 | \r | |
f75a7f56 | 97 | @retval Pointer to IKEV2_SA_SESSION with the specified remote IP address.\r |
9166f840 | 98 | \r |
99 | **/\r | |
100 | IKEV2_SA_SESSION *\r | |
101 | Ikev2SaSessionRemove (\r | |
102 | IN LIST_ENTRY *SaSessionList,\r | |
103 | IN EFI_IP_ADDRESS *RemotePeerIp\r | |
104 | );\r | |
105 | \r | |
106 | \r | |
9166f840 | 107 | /**\r |
108 | After the IKE/Child SA is established, close the time event and free the sent packet.\r | |
109 | \r | |
110 | @param[in] SessionCommon Pointer to a Session Common.\r | |
111 | \r | |
112 | **/\r | |
113 | VOID\r | |
114 | Ikev2SessionCommonRefresh (\r | |
115 | IN IKEV2_SESSION_COMMON *SessionCommon\r | |
116 | );\r | |
117 | \r | |
118 | /**\r | |
f75a7f56 | 119 | Free specified IKEV2 SA Session.\r |
9166f840 | 120 | \r |
121 | @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION to be freed.\r | |
122 | \r | |
123 | **/\r | |
124 | VOID\r | |
125 | Ikev2SaSessionFree (\r | |
126 | IN IKEV2_SA_SESSION *IkeSaSession\r | |
127 | );\r | |
128 | \r | |
129 | /**\r | |
f75a7f56 | 130 | Free the specified Session Common. The session common may belong to an IKE SA or\r |
9166f840 | 131 | a Child SA.\r |
132 | \r | |
133 | @param[in] SessionCommon Pointer to a Session Common.\r | |
134 | \r | |
135 | **/\r | |
136 | VOID\r | |
137 | Ikev2SaSessionCommonFree (\r | |
138 | IN IKEV2_SESSION_COMMON *SessionCommon\r | |
139 | );\r | |
140 | \r | |
141 | /**\r | |
142 | Increase the MessageID in IkeSaSession.\r | |
143 | \r | |
144 | @param[in] IkeSaSession Pointer to a specified IKEV2_SA_SESSION.\r | |
145 | \r | |
146 | **/\r | |
147 | VOID\r | |
148 | Ikev2SaSessionIncreaseMessageId (\r | |
149 | IN IKEV2_SA_SESSION *IkeSaSession\r | |
150 | );\r | |
151 | \r | |
152 | /**\r | |
153 | Allocate Memory for IKEV2 Child SA Session.\r | |
f75a7f56 | 154 | \r |
9166f840 | 155 | @param[in] UdpService Pointer to IKE_UDP_SERVICE.\r |
f75a7f56 | 156 | @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION related to this Child SA\r |
9166f840 | 157 | Session.\r |
158 | \r | |
159 | @retval Pointer to a newly created IKEV2 Child SA Session.\r | |
160 | \r | |
161 | **/\r | |
162 | IKEV2_CHILD_SA_SESSION *\r | |
163 | Ikev2ChildSaSessionAlloc (\r | |
164 | IN IKE_UDP_SERVICE *UdpService,\r | |
165 | IN IKEV2_SA_SESSION *IkeSaSession\r | |
166 | );\r | |
167 | \r | |
168 | /**\r | |
169 | Register an established IKEv2 Child SA into IkeSaSession->ChildSaEstablishSessionList.\r |
170 | If there is an IKEV2_CHILD_SA_SESSION with the same remote peer IP, remove the old one\r | |
9166f840 | 171 | then register the new one.\r |
172 | \r | |
173 | @param[in] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION to be registered.\r | |
174 | @param[in] Private Pointer to IPSEC_PRIVATE_DATA.\r | |
175 | \r | |
176 | **/\r | |
177 | VOID\r | |
178 | Ikev2ChildSaSessionReg (\r | |
179 | IN IKEV2_CHILD_SA_SESSION *ChildSaSession,\r | |
180 | IN IPSEC_PRIVATE_DATA *Private\r | |
181 | );\r | |
182 | \r | |
183 | /**\r | |
184 | This function finds the Child SA by the specified Spi.\r | |
185 | \r |
186 | This function finds a ChildSA session by searching the ChildSaSessionlist of\r | |
9166f840 | 187 | the input IKEV2_SA_SESSION by specified MessageID.\r |
f75a7f56 | 188 | \r |
9166f840 | 189 | @param[in] SaSessionList Pointer to List to be searched.\r |
190 | @param[in] Spi Specified SPI.\r | |
44de1013 | 191 | \r |
9166f840 | 192 | @return Pointer to IKEV2_CHILD_SA_SESSION.\r |
193 | \r | |
194 | **/\r | |
195 | IKEV2_CHILD_SA_SESSION *\r | |
196 | Ikev2ChildSaSessionLookupBySpi (\r | |
197 | IN LIST_ENTRY *SaSessionList,\r | |
198 | IN UINT32 Spi\r | |
199 | );\r | |
200 | \r | |
9166f840 | 201 | \r |
202 | /**\r | |
203 | Insert a Child SA Session into the specified ChildSa list.\r | |
204 | \r | |
205 | @param[in] SaSessionList Pointer to list to be inserted in.\r | |
206 | @param[in] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION to be inserted.\r | |
207 | \r | |
208 | **/\r | |
209 | VOID\r | |
210 | Ikev2ChildSaSessionInsert (\r | |
211 | IN LIST_ENTRY *SaSessionList,\r | |
212 | IN IKEV2_CHILD_SA_SESSION *ChildSaSession\r | |
213 | );\r | |
214 | \r | |
215 | /**\r | |
216 | Remove the IKEV2_CHILD_SA_SESSION from IkeSaSessionList.\r | |
f75a7f56 | 217 | \r |
9166f840 | 218 | @param[in] SaSessionList The SA Session List to be iterated.\r |
219 | @param[in] Spi Spi used to identify the IKEV2_CHILD_SA_SESSION.\r | |
220 | @param[in] ListType The type of the List to indicate whether it is an\r |
221 | Established list.\r | |
9166f840 | 222 | \r |
223 | @return Pointer to the IKEV2_CHILD_SA_SESSION.\r | |
f75a7f56 | 224 | \r |
9166f840 | 225 | **/\r |
226 | IKEV2_CHILD_SA_SESSION *\r | |
227 | Ikev2ChildSaSessionRemove (\r | |
228 | IN LIST_ENTRY *SaSessionList,\r | |
229 | IN UINT32 Spi,\r |
230 | IN UINT8 ListType\r | |
9166f840 | 231 | );\r |
232 | \r | |
9166f840 | 233 | \r |
234 | /**\r | |
f75a7f56 | 235 | Free the memory allocated for the specified IKEV2_CHILD_SA_SESSION.\r |
9166f840 | 236 | \r |
237 | @param[in] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION.\r | |
238 | \r | |
239 | **/\r | |
240 | VOID\r | |
241 | Ikev2ChildSaSessionFree (\r | |
242 | IN IKEV2_CHILD_SA_SESSION *ChildSaSession\r | |
243 | );\r | |
244 | \r | |
245 | /**\r | |
246 | Free the specified DhBuffer.\r | |
247 | \r | |
248 | @param[in] DhBuffer Pointer to IKEV2_DH_BUFFER to be freed.\r | |
f75a7f56 | 249 | \r |
9166f840 | 250 | **/\r |
251 | VOID\r | |
252 | Ikev2DhBufferFree (\r | |
253 | IN IKEV2_DH_BUFFER *DhBuffer\r | |
254 | );\r | |
255 | \r | |
256 | /**\r | |
257 | Delete the specified established Child SA.\r | |
258 | \r | |
259 | This function deletes the Child SA directly and does not send the Information Packet to\r | |
260 | remote peer.\r | |
261 | \r | |
262 | @param[in] IkeSaSession Pointer to the IKE SA Session to be searched.\r | |
263 | @param[in] Spi SPI used to find the Child SA.\r | |
264 | \r | |
265 | @retval EFI_NOT_FOUND Pointer of IKE SA Session is NULL.\r | |
266 | @retval EFI_NOT_FOUND There is no specified Child SA related with the input\r | |
267 | SPI under this IKE SA Session.\r | |
268 | @retval EFI_SUCCESS Delete the Child SA successfully.\r | |
269 | \r | |
270 | **/\r | |
271 | EFI_STATUS\r | |
272 | Ikev2ChildSaSilentDelete (\r | |
273 | IN IKEV2_SA_SESSION *IkeSaSession,\r | |
274 | IN UINT32 Spi\r | |
275 | );\r | |
276 | \r | |
277 | /**\r | |
278 | This function parses a request IKE packet and returns its request type.\r | |
f75a7f56 | 279 | The request type is one of IKE CHILD SA creation, IKE SA rekeying and\r |
9166f840 | 280 | IKE CHILD SA rekeying.\r |
281 | \r | |
282 | @param[in] IkePacket IKE packet to be parsed.\r | |
283 | \r | |
284 | @return The type of the IKE packet.\r | |
285 | \r | |
286 | **/\r | |
287 | IKEV2_CREATE_CHILD_REQUEST_TYPE\r | |
288 | Ikev2ChildExchangeRequestType(\r | |
289 | IN IKE_PACKET *IkePacket\r | |
290 | );\r | |
291 | \r | |
9166f840 | 292 | \r |
293 | /**\r | |
294 | Associate a SPD selector to the Child SA Session.\r | |
295 | \r | |
f75a7f56 | 296 | This function is called when the Child SA is not the first child SA of its\r |
9166f840 | 297 | IKE SA. It associates an SPD with this Child SA.\r |
298 | \r | |
f75a7f56 | 299 | @param[in, out] ChildSaSession Pointer to the Child SA Session to be associated to\r |
9166f840 | 300 | a SPD selector.\r |
301 | \r | |
302 | @retval EFI_SUCCESS Associate one SPD selector to this Child SA Session successfully.\r | |
303 | @retval EFI_NOT_FOUND Can't find the related SPD selector.\r | |
304 | \r | |
305 | **/\r | |
306 | EFI_STATUS\r | |
307 | Ikev2ChildSaAssociateSpdEntry (\r | |
308 | IN OUT IKEV2_CHILD_SA_SESSION *ChildSaSession\r | |
309 | );\r | |
310 | \r | |
311 | /**\r | |
312 | Validate the IKE header of received IKE packet.\r | |
313 | \r | |
314 | @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION related to this IKE packet.\r | |
315 | @param[in] IkeHdr Pointer to IKE header of received IKE packet.\r | |
316 | \r | |
317 | @retval TRUE If the IKE header is valid.\r | |
318 | @retval FALSE If the IKE header is invalid.\r | |
319 | \r | |
320 | **/\r | |
321 | BOOLEAN\r | |
322 | Ikev2ValidateHeader (\r | |
323 | IN IKEV2_SA_SESSION *IkeSaSession,\r | |
324 | IN IKE_HEADER *IkeHdr\r | |
325 | );\r | |
326 | \r | |
327 | /**\r | |
328 | Create and initialize IKEV2_SA_DATA for the specified IKEV2_SESSION_COMMON.\r | |
329 | \r | |
330 | This function will be only called by the initiator. The responder's IKEV2_SA_DATA\r | |
331 | will be generated while parsing the initiator packet.\r | |
332 | \r | |
333 | @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON related to.\r | |
334 | \r | |
335 | @retval Pointer to a new IKEV2_SA_DATA, or NULL.\r | |
336 | \r | |
337 | **/\r | |
338 | IKEV2_SA_DATA *\r | |
339 | Ikev2InitializeSaData (\r | |
340 | IN IKEV2_SESSION_COMMON *SessionCommon\r | |
341 | );\r | |
342 | \r | |
343 | /**\r | |
344 | Store the SA into SAD.\r | |
345 | \r | |
346 | @param[in] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION.\r | |
347 | \r | |
348 | **/\r | |
349 | VOID\r | |
350 | Ikev2StoreSaData (\r | |
351 | IN IKEV2_CHILD_SA_SESSION *ChildSaSession\r | |
352 | );\r | |
353 | \r | |
354 | /**\r | |
355 | Routine processing before payload decoding.\r | |
356 | \r | |
357 | @param[in] SessionCommon Pointer to ChildSa SessionCommon.\r | |
358 | @param[in] PayloadBuf Pointer to the payload.\r | |
359 | @param[in] PayloadSize Size of PayloadBuf in byte.\r | |
360 | @param[in] PayloadType Type of Payload.\r | |
361 | \r | |
362 | **/\r | |
363 | VOID\r | |
364 | Ikev2ChildSaBeforeDecodePayload (\r | |
365 | IN UINT8 *SessionCommon,\r | |
366 | IN UINT8 *PayloadBuf,\r | |
367 | IN UINTN PayloadSize,\r | |
368 | IN UINT8 PayloadType\r | |
369 | );\r | |
370 | \r | |
371 | /**\r | |
372 | Routine processing after payload encoding.\r | |
373 | \r | |
374 | @param[in] SessionCommon Pointer to ChildSa SessionCommon.\r | |
375 | @param[in] PayloadBuf Pointer to the payload.\r | |
376 | @param[in] PayloadSize Size of PayloadBuf in byte.\r | |
377 | @param[in] PayloadType Type of Payload.\r | |
378 | \r | |
379 | **/\r | |
380 | VOID\r | |
381 | Ikev2ChildSaAfterEncodePayload (\r | |
382 | IN UINT8 *SessionCommon,\r | |
383 | IN UINT8 *PayloadBuf,\r | |
384 | IN UINTN PayloadSize,\r | |
385 | IN UINT8 PayloadType\r | |
386 | );\r | |
387 | \r | |
388 | /**\r | |
389 | Generate Ikev2 SA payload according to SessionSaData\r | |
390 | \r | |
391 | @param[in] SessionSaData The data used in SA payload.\r | |
f75a7f56 | 392 | @param[in] NextPayload The payload type presented in NextPayload field of\r |
9166f840 | 393 | SA Payload header.\r |
394 | @param[in] Type The SA type. It MUST be either (1) for IKE_SA,\r | |
395 | (2) for CHILD_SA or (3) for INFO.\r | |
396 | \r | |
397 | @retval a Pointer to SA IKE payload.\r | |
f75a7f56 | 398 | \r |
9166f840 | 399 | **/\r |
400 | IKE_PAYLOAD *\r | |
401 | Ikev2GenerateSaPayload (\r | |
402 | IN IKEV2_SA_DATA *SessionSaData,\r | |
403 | IN UINT8 NextPayload,\r | |
404 | IN IKE_SESSION_TYPE Type\r | |
405 | );\r | |
406 | \r | |
407 | /**\r | |
408 | Generate a ID payload.\r | |
409 | \r | |
410 | @param[in] CommonSession Pointer to IKEV2_SESSION_COMMON related to ID payload.\r | |
f75a7f56 | 411 | @param[in] NextPayload The payload type presented in the NextPayload field\r |
9166f840 | 412 | of ID Payload header.\r |
413 | \r | |
414 | @retval Pointer to ID IKE payload.\r | |
415 | \r | |
416 | **/\r | |
417 | IKE_PAYLOAD *\r | |
418 | Ikev2GenerateIdPayload (\r | |
419 | IN IKEV2_SESSION_COMMON *CommonSession,\r | |
420 | IN UINT8 NextPayload\r | |
421 | );\r | |
422 | \r | |
423 | /**\r | |
424 | Generate a ID payload.\r | |
425 | \r | |
426 | @param[in] CommonSession Pointer to IKEV2_SESSION_COMMON related to ID payload.\r | |
f75a7f56 | 427 | @param[in] NextPayload The payload type presented in the NextPayload field\r |
9166f840 | 428 | of ID Payload header.\r |
429 | @param[in] InCert Pointer to the Certificate which distinguished name\r | |
430 | will be added into the Id payload.\r | |
431 | @param[in] CertSize Size of the Certificate.\r | |
432 | \r | |
433 | @retval Pointer to ID IKE payload.\r | |
434 | \r | |
435 | **/\r | |
436 | IKE_PAYLOAD *\r | |
437 | Ikev2GenerateCertIdPayload (\r | |
438 | IN IKEV2_SESSION_COMMON *CommonSession,\r | |
f75a7f56 | 439 | IN UINT8 NextPayload,\r |
9166f840 | 440 | IN UINT8 *InCert,\r |
441 | IN UINTN CertSize\r | |
442 | );\r | |
443 | \r | |
444 | /**\r | |
445 | Generate a Nonce payload containing the input parameter NonceBuf.\r | |
446 | \r | |
f75a7f56 | 447 | @param[in] NonceBuf The nonce buffer containing the whole Nonce payload block\r |
9166f840 | 448 | except the payload header.\r |
449 | @param[in] NonceSize The buffer size of the NonceBuf\r | |
f75a7f56 | 450 | @param[in] NextPayload The payload type presented in the NextPayload field\r |
9166f840 | 451 | of Nonce Payload header.\r |
452 | \r | |
453 | @retval Pointer to Nonce IKE payload.\r | |
454 | \r | |
455 | **/\r | |
456 | IKE_PAYLOAD *\r | |
457 | Ikev2GenerateNoncePayload (\r | |
458 | IN UINT8 *NonceBuf,\r | |
459 | IN UINTN NonceSize,\r | |
460 | IN UINT8 NextPayload\r | |
461 | );\r | |
462 | \r | |
463 | /**\r | |
464 | Generate the Notify payload.\r | |
465 | \r | |
466 | Since the structure of the Notify payload defined in RFC 4306 is simple,\r | |
467 | there is no internal data structure for the Notify payload. This function generates\r |
468 | the Notify payload defined in RFC 4306, but all the fields in this payload are still\r | |
469 | in host order; Ikev2EncodePayload() must be called to convert those fields from\r | |
9166f840 | 470 | host order to network order before sending it.\r |
471 | \r | |
472 | @param[in] ProtocolId The protocol type ID. For IKE_SA it MUST be one (1).\r | |
473 | For IPsec SAs it MUST be either (2) for AH or (3)\r | |
474 | for ESP.\r | |
f75a7f56 | 475 | @param[in] NextPayload The next payload type in NextPayload field of\r |
9166f840 | 476 | the Notify payload.\r |
477 | @param[in] SpiSize Size of the SPI in SPI size field of the Notify Payload.\r | |
f75a7f56 | 478 | @param[in] MessageType The message type in NotifyMessageType field of the\r |
9166f840 | 479 | Notify Payload.\r |
480 | @param[in] SpiBuf Pointer to buffer contains the SPI value.\r | |
481 | @param[in] NotifyData Pointer to buffer contains the notification data.\r | |
482 | @param[in] NotifyDataSize The size of NotifyData in bytes.\r | |
f75a7f56 | 483 | \r |
9166f840 | 484 | \r |
485 | @retval Pointer to IKE Notify Payload.\r | |
486 | \r | |
487 | **/\r | |
488 | IKE_PAYLOAD *\r | |
489 | Ikev2GenerateNotifyPayload (\r | |
490 | IN UINT8 ProtocolId,\r | |
491 | IN UINT8 NextPayload,\r | |
492 | IN UINT8 SpiSize,\r | |
493 | IN UINT16 MessageType,\r | |
494 | IN UINT8 *SpiBuf,\r | |
495 | IN UINT8 *NotifyData,\r | |
496 | IN UINTN NotifyDataSize\r | |
497 | );\r | |
498 | \r | |
499 | /**\r | |
500 | Generate the Delete payload.\r | |
501 | \r | |
502 | Since the structure of the Delete payload defined in RFC 4306 is simple,\r |
503 | there is no internal data structure for the Delete payload. This function generates\r | |
504 | the Delete payload defined in RFC 4306, but all the fields in this payload are still\r | |
505 | in host order; Ikev2EncodePayload() must be called to convert those fields from\r | |
9166f840 | 506 | host order to network order before sending it.\r |
507 | \r | |
508 | @param[in] IkeSaSession Pointer to IKE SA Session to be used of Delete payload generation.\r | |
f75a7f56 | 509 | @param[in] NextPayload The next payload type in NextPayload field of\r |
9166f840 | 510 | the Delete payload.\r |
511 | @param[in] SpiSize Size of the SPI in SPI size field of the Delete Payload.\r | |
512 | @param[in] SpiNum Number of SPI in NumofSPIs field of the Delete Payload.\r | |
513 | @param[in] SpiBuf Pointer to buffer contains the SPI value.\r | |
514 | \r | |
515 | @retval Pointer to IKE Delete Payload.\r | |
516 | \r | |
517 | **/\r | |
518 | IKE_PAYLOAD *\r | |
519 | Ikev2GenerateDeletePayload (\r | |
520 | IN IKEV2_SA_SESSION *IkeSaSession,\r | |
521 | IN UINT8 NextPayload,\r | |
522 | IN UINT8 SpiSize,\r | |
523 | IN UINT16 SpiNum,\r | |
f75a7f56 | 524 | IN UINT8 *SpiBuf\r |
9166f840 | 525 | );\r |
526 | \r | |
527 | /**\r | |
528 | Generate the Configuration payload.\r | |
529 | \r | |
530 | This function generates a configuration payload defined in RFC 4306, but all the\r |
531 | fields in this payload are still in host order; Ikev2EncodePayload() must be called\r | |
9166f840 | 532 | to convert those fields from host order to network order before sending it.\r |
533 | \r | |
534 | @param[in] IkeSaSession Pointer to IKE SA Session to be used for Delete payload\r | |
535 | generation.\r | |
f75a7f56 | 536 | @param[in] NextPayload The next payload type in NextPayload field of\r |
9166f840 | 537 | the Delete payload.\r |
538 | @param[in] CfgType The attribute type in the Configuration attribute.\r | |
539 | \r | |
540 | @retval Pointer to IKE CP Payload.\r | |
541 | \r | |
542 | **/\r | |
543 | IKE_PAYLOAD *\r | |
544 | Ikev2GenerateCpPayload (\r | |
545 | IN IKEV2_SA_SESSION *IkeSaSession,\r | |
546 | IN UINT8 NextPayload,\r | |
547 | IN UINT8 CfgType\r | |
548 | );\r | |
549 | \r | |
550 | /**\r | |
551 | Generate an Authentication Payload.\r | |
552 | \r | |
553 | This function is used for both Authentication generation and verification. When\r |
554 | IsVerify is TRUE, it creates the Auth Data for verification. This function chooses the\r | |
9166f840 | 555 | related IKE_SA_INIT Message for Auth data creation according to the IKE Session's type\r |
556 | and the value of the IsVerify parameter.\r | |
557 | \r | |
558 | @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION related to.\r | |
f75a7f56 | 559 | @param[in] IdPayload Pointer to the ID payload to be used for Authentication\r |
9166f840 | 560 | payload generation.\r |
f75a7f56 | 561 | @param[in] NextPayload The type filled into the Authentication Payload next\r |
9166f840 | 562 | payload field.\r |
563 | @param[in] IsVerify If it is TRUE, the Authentication payload is used for\r | |
564 | verification.\r | |
565 | \r | |
566 | @return Pointer to IKE Authentication payload for the pre-shared key method.\r | |
567 | \r | |
568 | **/\r | |
569 | IKE_PAYLOAD *\r | |
570 | Ikev2PskGenerateAuthPayload (\r | |
571 | IN IKEV2_SA_SESSION *IkeSaSession,\r | |
572 | IN IKE_PAYLOAD *IdPayload,\r | |
573 | IN UINT8 NextPayload,\r | |
574 | IN BOOLEAN IsVerify\r | |
575 | );\r | |
576 | \r | |
577 | /**\r | |
f75a7f56 | 578 | Generate an Authentication Payload for the Certificate Auth method.\r |
9166f840 | 579 | \r |
580 | This function serves two purposes. One is creating a local Authentication\r |
581 | Payload for sending and the other is creating the remote Authentication data\r | |
9166f840 | 582 | for verification when IsVerify is TRUE.\r |
583 | \r | |
584 | @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION related to.\r | |
f75a7f56 | 585 | @param[in] IdPayload Pointer to the ID payload to be used for Authentication\r |
9166f840 | 586 | payload generation.\r |
f75a7f56 | 587 | @param[in] NextPayload The type filled into the Authentication Payload\r |
9166f840 | 588 | next payload field.\r |
f75a7f56 | 589 | @param[in] IsVerify If it is TRUE, the Authentication payload is used\r |
9166f840 | 590 | for verification.\r |
f75a7f56 | 591 | @param[in] UefiPrivateKey Pointer to the UEFI private key. Ignored when\r |
9166f840 | 592 | verifying the Authentication payload.\r |
f75a7f56 | 593 | @param[in] UefiPrivateKeyLen The size of UefiPrivateKey in bytes. Ignored\r |
9166f840 | 594 | when verifying the Authentication payload.\r |
f75a7f56 | 595 | @param[in] UefiKeyPwd Pointer to the password of the UEFI private key.\r |
9166f840 | 596 | Ignored when verifying the Authentication payload.\r |
f75a7f56 | 597 | @param[in] UefiKeyPwdLen The size of UefiKeyPwd in bytes. Ignored when\r |
9166f840 | 598 | verifying the Authentication payload.\r |
599 | \r | |
600 | @return Pointer to IKE Authentication payload for the certificate method.\r | |
601 | \r | |
602 | **/\r | |
603 | IKE_PAYLOAD *\r | |
604 | Ikev2CertGenerateAuthPayload (\r | |
605 | IN IKEV2_SA_SESSION *IkeSaSession,\r | |
606 | IN IKE_PAYLOAD *IdPayload,\r | |
607 | IN UINT8 NextPayload,\r | |
608 | IN BOOLEAN IsVerify,\r | |
609 | IN UINT8 *UefiPrivateKey,\r | |
610 | IN UINTN UefiPrivateKeyLen,\r | |
611 | IN UINT8 *UefiKeyPwd,\r | |
612 | IN UINTN UefiKeyPwdLen\r | |
613 | );\r | |
614 | \r | |
615 | /**\r | |
616 | Generate TS payload.\r | |
617 | \r | |
618 | This function generates TSi or TSr payload according to type of next payload.\r | |
619 | If the next payload is Responder TS, generate TSi Payload. Otherwise, generate\r | |
620 | TSr payload.\r | |
f75a7f56 | 621 | \r |
9166f840 | 622 | @param[in] ChildSa Pointer to IKEV2_CHILD_SA_SESSION related to this TS payload.\r |
f75a7f56 | 623 | @param[in] NextPayload The payload type presented in the NextPayload field\r |
9166f840 | 624 | of ID Payload header.\r |
625 | @param[in] IsTunnel It indicates that if the Ts Payload is after the CP payload.\r | |
626 | If yes, it means the Tsi and Tsr payload should be with\r | |
627 | Max port range and address range and protocol is marked\r | |
628 | as zero.\r | |
629 | \r | |
630 | @retval Pointer to Ts IKE payload.\r | |
631 | \r | |
632 | **/\r | |
633 | IKE_PAYLOAD *\r | |
634 | Ikev2GenerateTsPayload (\r | |
635 | IN IKEV2_CHILD_SA_SESSION *ChildSa,\r | |
636 | IN UINT8 NextPayload,\r | |
637 | IN BOOLEAN IsTunnel\r | |
638 | );\r | |
639 | \r | |
640 | /**\r | |
641 | Parse the Notify Cookie payload.\r | |
642 | \r | |
643 | This function parses the Notify Cookie payload. If the Notify ProtocolId is not\r | |
644 | IPSEC_PROTO_ISAKMP or if the SpiSize is not zero or if the MessageType is not\r | |
645 | the COOKIE, return EFI_INVALID_PARAMETER.\r | |
646 | \r | |
f75a7f56 | 647 | @param[in] IkeNCookie Pointer to the IKE_PAYLOAD which contains the\r |
9166f840 | 648 | Notify Cookie payload.\r |
649 | the Notify payload.\r | |
650 | @param[in, out] IkeSaSession Pointer to the relevant IKE SA Session.\r | |
651 | \r | |
652 | @retval EFI_SUCCESS The Notify Cookie Payload is valid.\r | |
653 | @retval EFI_INVALID_PARAMETER The Notify Cookie Payload is invalid.\r | |
654 | @retval EFI_OUT_OF_RESOURCES The required resource can't be allocated.\r | |
655 | \r | |
656 | **/\r | |
657 | EFI_STATUS\r | |
658 | Ikev2ParserNotifyCookiePayload (\r | |
659 | IN IKE_PAYLOAD *IkeNCookie,\r | |
660 | IN OUT IKEV2_SA_SESSION *IkeSaSession\r | |
661 | );\r | |
662 | \r | |
663 | /**\r | |
664 | Generate the Certificate payload or Certificate Request Payload.\r | |
665 | \r | |
f75a7f56 | 666 | Since the Certificate Payload structure is the same as the Certificate Request Payload,\r |
9166f840 | 667 | the only difference is that one contains the Certificate Data, the other contains\r |
668 | the acceptable certification CA. This function generates the Certificate payload\r |
669 | or Certificate Request Payload defined in RFC 4306, but all the fields\r | |
670 | in the payload are still in host order; Ikev2EncodePayload() must be called\r | |
9166f840 | 671 | to convert those fields from host order to network order before sending it.\r |
672 | \r | |
f75a7f56 | 673 | @param[in] IkeSaSession Pointer to IKE SA Session to be used of Delete payload\r |
9166f840 | 674 | generation.\r |
f75a7f56 | 675 | @param[in] NextPayload The next payload type in NextPayload field of\r |
9166f840 | 676 | the Delete payload.\r |
677 | @param[in] Certificate Pointer of buffer contains the certification data.\r | |
678 | @param[in] CertificateLen The length of Certificate in byte.\r | |
679 | @param[in] EncodeType Specified the Certificate Encodeing which is defined\r | |
680 | in RFC 4306.\r | |
681 | @param[in] IsRequest To indicate create Certificate Payload or Certificate\r | |
682 | Request Payload. If it is TRUE, create Certificate\r | |
683 | Request Payload. Otherwise, create Certificate Payload.\r | |
684 | \r | |
685 | @retval Pointer to IKE Payload whose payload buffer contains the Certificate\r | |
686 | payload or Certificate Request payload.\r | |
687 | \r | |
688 | **/\r | |
689 | IKE_PAYLOAD *\r | |
690 | Ikev2GenerateCertificatePayload (\r | |
691 | IN IKEV2_SA_SESSION *IkeSaSession,\r | |
692 | IN UINT8 NextPayload,\r | |
693 | IN UINT8 *Certificate,\r | |
694 | IN UINTN CertificateLen,\r | |
695 | IN UINT8 EncodeType,\r | |
696 | IN BOOLEAN IsRequest\r | |
697 | );\r | |
f75a7f56 | 698 | \r |
9166f840 | 699 | /**\r |
700 | General interface of payload encoding.\r | |
701 | \r | |
702 | This function encodes the internal data structure into the payload which\r |
703 | is defined in RFC 4306. IkePayload->PayloadBuf is used to store both the input\r | |
704 | payload and the converted payload. Only the SA payload uses the internal structure\r | |
705 | to store the attributes. Other payloads use a structure which is the same as the RFC\r | |
706 | definition; for these payloads only a host order to network order conversion of\r | |
9166f840 | 707 | some fields is done.\r |
708 | \r | |
709 | @param[in] SessionCommon Pointer to IKE Session Common used to encode the payload.\r | |
710 | @param[in, out] IkePayload Pointer to IKE payload to be encode as input, and\r | |
711 | store the encoded result as output.\r | |
712 | \r | |
713 | @retval EFI_INVALID_PARAMETER An error occurred while encoding the SA payload.\r | |
714 | @retval EFI_SUCCESS Encode successfully.\r | |
715 | \r | |
716 | **/\r | |
717 | EFI_STATUS\r | |
718 | Ikev2EncodePayload (\r | |
719 | IN UINT8 *SessionCommon,\r | |
720 | IN OUT IKE_PAYLOAD *IkePayload\r | |
721 | );\r | |
722 | \r | |
723 | /**\r | |
724 | The general interface of payload decoding.\r | |
725 | \r | |
726 | This function converts the received Payload into the internal structure.\r | |
727 | \r | |
728 | @param[in] SessionCommon Pointer to IKE Session Common to use for decoding.\r | |
729 | @param[in, out] IkePayload Pointer to IKE payload to be decode as input, and\r | |
f75a7f56 | 730 | store the decoded result as output.\r |
9166f840 | 731 | \r |
732 | @retval EFI_INVALID_PARAMETER An error occurred while decoding the SA payload.\r | |
733 | @retval EFI_SUCCESS Decode successfully.\r | |
734 | \r | |
735 | **/\r | |
736 | EFI_STATUS\r | |
737 | Ikev2DecodePayload (\r | |
738 | IN UINT8 *SessionCommon,\r | |
739 | IN OUT IKE_PAYLOAD *IkePayload\r | |
740 | );\r | |
741 | \r | |
742 | /**\r | |
743 | Decrypt IKE packet.\r | |
744 | \r | |
745 | This function decrypts the Encrypted IKE packet and puts the result into IkePacket->PayloadBuf.\r | |
746 | \r | |
f75a7f56 | 747 | @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON containing\r |
9166f840 | 748 | some parameter used during decrypting.\r |
f75a7f56 | 749 | @param[in, out] IkePacket Point to IKE_PACKET to be decrypted as input,\r |
9166f840 | 750 | and the decrypted result as output.\r |
751 | @param[in, out] IkeType The type of IKE. IKE_SA_TYPE, IKE_INFO_TYPE and\r | |
752 | IKE_CHILD_TYPE are supported.\r | |
753 | \r | |
f75a7f56 | 754 | @retval EFI_INVALID_PARAMETER If the IKE packet length is zero or the\r |
9166f840 | 755 | IKE packet length is not Algorithm Block Size\r |
756 | alignment.\r | |
757 | @retval EFI_SUCCESS Decrypt IKE packet successfully.\r | |
f75a7f56 | 758 | \r |
9166f840 | 759 | **/\r |
760 | EFI_STATUS\r | |
761 | Ikev2DecryptPacket (\r | |
762 | IN IKEV2_SESSION_COMMON *SessionCommon,\r | |
763 | IN OUT IKE_PACKET *IkePacket,\r | |
764 | IN OUT UINTN IkeType\r | |
765 | );\r | |
766 | \r | |
767 | /**\r | |
768 | Encrypt IKE packet.\r | |
769 | \r | |
770 | This function encrypts the IKE packet before sending it. The encrypted IKE packet\r | |
771 | is put into the IKEV2 Encrypted Payload.\r | |
f75a7f56 | 772 | \r |
9166f840 | 773 | @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON related to the IKE packet.\r |
774 | @param[in, out] IkePacket Pointer to IKE packet to be encrypted.\r | |
775 | \r | |
776 | @retval EFI_SUCCESS Operation is successful.\r | |
777 | @retval Others Operation failed.\r | |
778 | \r | |
779 | **/\r | |
780 | EFI_STATUS\r | |
781 | Ikev2EncryptPacket (\r | |
782 | IN IKEV2_SESSION_COMMON *SessionCommon,\r | |
783 | IN OUT IKE_PACKET *IkePacket\r | |
784 | );\r | |
785 | \r | |
786 | /**\r | |
787 | Encode the IKE packet.\r | |
788 | \r | |
789 | This function puts all payloads into one payload, then encrypts it if needed.\r | |
790 | \r | |
f75a7f56 | 791 | @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON containing\r |
9166f840 | 792 | some parameter used during IKE packet encoding.\r |
f75a7f56 | 793 | @param[in, out] IkePacket Pointer to IKE_PACKET to be encoded as input,\r |
9166f840 | 794 | and the encoded result as output.\r |
795 | @param[in] IkeType The type of IKE. IKE_SA_TYPE, IKE_INFO_TYPE and\r | |
796 | IKE_CHILD_TYPE are supported.\r | |
797 | \r | |
798 | @retval EFI_SUCCESS Encode IKE packet successfully.\r | |
799 | @retval Otherwise Encoding the IKE packet failed.\r | |
800 | \r | |
801 | **/\r | |
802 | EFI_STATUS\r | |
803 | Ikev2EncodePacket (\r | |
804 | IN IKEV2_SESSION_COMMON *SessionCommon,\r | |
805 | IN OUT IKE_PACKET *IkePacket,\r | |
806 | IN UINTN IkeType\r | |
807 | );\r | |
808 | \r | |
809 | /**\r | |
810 | Decode the IKE packet.\r | |
811 | \r | |
f75a7f56 | 812 | This function first decrypts the IKE packet if needed, then separates the whole\r |
9166f840 | 813 | IKE packet in IkePacket->PayloadBuf into the IkePacket payload list.\r |
814 | \r |
815 | @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON containing\r | |
9166f840 | 816 | some parameter used by IKE packet decoding.\r |
f75a7f56 | 817 | @param[in, out] IkePacket The IKE Packet to be decoded on input, and\r |
9166f840 | 818 | the decoded result on return.\r |
819 | @param[in] IkeType The type of IKE. IKE_SA_TYPE, IKE_INFO_TYPE and\r | |
820 | IKE_CHILD_TYPE are supported.\r | |
821 | \r | |
822 | @retval EFI_SUCCESS The IKE packet is decoded successfully.\r | |
823 | @retval Otherwise The IKE packet decoding failed.\r | |
824 | \r | |
825 | **/\r | |
826 | EFI_STATUS\r | |
827 | Ikev2DecodePacket (\r | |
828 | IN IKEV2_SESSION_COMMON *SessionCommon,\r | |
829 | IN OUT IKE_PACKET *IkePacket,\r | |
830 | IN UINTN IkeType\r | |
831 | );\r | |
832 | \r | |
9166f840 | 833 | \r |
834 | /**\r | |
835 | Send out IKEV2 packet.\r | |
836 | \r | |
837 | @param[in] IkeUdpService Pointer to IKE_UDP_SERVICE used to send the IKE packet.\r | |
838 | @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON related to the IKE packet.\r | |
839 | @param[in] IkePacket Pointer to IKE_PACKET to be sent out.\r | |
840 | @param[in] IkeType The type of IKE, indicating what kind of IKE\r |
841 | packet is to be sent out. IKE_SA_TYPE, IKE_INFO_TYPE\r | |
9166f840 | 842 | and IKE_CHILD_TYPE are supported.\r |
843 | \r | |
844 | @retval EFI_SUCCESS The operation complete successfully.\r | |
845 | @retval Otherwise The operation failed.\r | |
846 | \r | |
847 | **/\r | |
848 | EFI_STATUS\r | |
849 | Ikev2SendIkePacket (\r | |
850 | IN IKE_UDP_SERVICE *IkeUdpService,\r | |
851 | IN UINT8 *SessionCommon,\r | |
852 | IN IKE_PACKET *IkePacket,\r | |
853 | IN UINTN IkeType\r | |
854 | );\r | |
855 | \r | |
856 | /**\r | |
857 | Callback function invoked when the IKE lifetime is over.\r | |
858 | \r | |
f75a7f56 | 859 | This function will mark the related IKE SA Session as deleting and trigger an\r |
9166f840 | 860 | Informational negotiation.\r |
861 | \r | |
862 | @param[in] Event The time out event.\r | |
863 | @param[in] Context Pointer to data passed by caller.\r | |
f75a7f56 | 864 | \r |
9166f840 | 865 | **/\r |
866 | VOID\r | |
867 | EFIAPI\r | |
868 | Ikev2LifetimeNotify (\r | |
869 | IN EFI_EVENT Event,\r | |
870 | IN VOID *Context\r | |
871 | );\r | |
872 | \r | |
873 | /**\r | |
874 | This function will be called if the TimeOut Event is signaled.\r | |
875 | \r | |
876 | @param[in] Event The signaled Event.\r | |
877 | @param[in] Context The data passed by caller.\r | |
878 | \r | |
879 | **/\r | |
880 | VOID\r | |
881 | EFIAPI\r | |
882 | Ikev2ResendNotify (\r | |
883 | IN EFI_EVENT Event,\r | |
884 | IN VOID *Context\r | |
885 | );\r | |
886 | \r | |
887 | /**\r | |
f75a7f56 | 888 | Generate a Key Exchange payload according to the DH group type and save the\r |
9166f840 | 889 | public Key into IkeSaSession IkeKey field.\r |
890 | \r | |
891 | @param[in, out] IkeSaSession Pointer of the IKE_SA_SESSION.\r | |
f75a7f56 | 892 | @param[in] NextPayload The payload type presented in the NextPayload field of Key\r |
9166f840 | 893 | Exchange Payload header.\r |
894 | \r | |
895 | @return Pointer to the Key Exchange IKE payload.\r | |
896 | \r | |
897 | **/\r | |
898 | IKE_PAYLOAD *\r | |
899 | Ikev2GenerateKePayload (\r | |
900 | IN OUT IKEV2_SA_SESSION *IkeSaSession,\r |
901 | IN UINT8 NextPayload\r | |
9166f840 | 902 | );\r |
903 | \r | |
904 | /**\r | |
905 | Check if the SPD is related to the input Child SA Session.\r | |
906 | \r | |
907 | This function is the subfunction of Ikev1AssociateSpdEntry(). It is the call\r | |
908 | back function of IpSecVisitConfigData().\r |
909 | \r | |
9166f840 | 910 | \r |
911 | @param[in] Type Type of the input Config Selector.\r | |
912 | @param[in] Selector Pointer to the Configure Selector to be checked.\r |
913 | @param[in] Data Pointer to the Configure Selector's Data passed\r | |
9166f840 | 914 | from the caller.\r |
915 | @param[in] SelectorSize The buffer size of Selector.\r | |
916 | @param[in] DataSize The buffer size of the Data.\r | |
917 | @param[in] Context The data passed from the caller. It is a Child\r | |
918 | SA Session in this context.\r | |
919 | \r | |
920 | @retval EFI_SUCCESS The SPD Selector is not related to the Child SA Session.\r |
921 | @retval EFI_ABORTED The SPD Selector is related to the Child SA session, and\r | |
9166f840 | 922 | ChildSaSession->Spd has been set to point to this SPD Selector.\r |
923 | \r | |
924 | **/\r | |
925 | EFI_STATUS\r | |
926 | Ikev2MatchSpdEntry (\r | |
927 | IN EFI_IPSEC_CONFIG_DATA_TYPE Type,\r | |
928 | IN EFI_IPSEC_CONFIG_SELECTOR *Selector,\r | |
929 | IN VOID *Data,\r | |
930 | IN UINTN SelectorSize,\r | |
931 | IN UINTN DataSize,\r | |
932 | IN VOID *Context\r | |
933 | );\r | |
934 | \r | |
935 | /**\r | |
936 | Check if the Algorithm ID is supported.\r | |
937 | \r | |
938 | @param[in] AlgorithmId The specified Algorithm ID.\r | |
939 | @param[in] Type The type used to indicate the Algorithm is for Encrypt or\r | |
940 | Authentication.\r | |
941 | \r | |
942 | @retval TRUE If the Algorithm ID is supported.\r | |
943 | @retval FALSE If the Algorithm ID is not supported.\r | |
944 | \r | |
945 | **/\r | |
946 | BOOLEAN\r | |
947 | Ikev2IsSupportAlg (\r | |
948 | IN UINT16 AlgorithmId,\r | |
949 | IN UINT8 Type\r | |
950 | );\r | |
951 | \r | |
952 | /**\r | |
953 | Generate a ChildSa Session and insert it into related IkeSaSession.\r | |
954 | \r | |
955 | @param[in] IkeSaSession Pointer to related IKEV2_SA_SESSION.\r | |
956 | @param[in] UdpService Pointer to related IKE_UDP_SERVICE.\r | |
957 | \r | |
958 | @return Pointer to the created IKEV2_CHILD_SA_SESSION.\r | |
959 | \r | |
960 | **/\r | |
961 | IKEV2_CHILD_SA_SESSION *\r | |
962 | Ikev2ChildSaSessionCreate (\r | |
963 | IN IKEV2_SA_SESSION *IkeSaSession,\r | |
964 | IN IKE_UDP_SERVICE *UdpService\r | |
965 | ) ;\r | |
966 | \r | |
967 | /**\r | |
968 | Parse the received Initial Exchange Packet.\r | |
969 | \r |
970 | This function parses the SA Payload and Key Payload to find out the cryptographic\r | |
971 | suite for the further IKE negotiation and fills it into the IKE SA Session's\r | |
9166f840 | 972 | CommonSession->SaParams.\r |
973 | \r | |
974 | @param[in, out] IkeSaSession Pointer to related IKEV2_SA_SESSION.\r | |
975 | @param[in] SaPayload The received SA payload.\r | |
f75a7f56 | 976 | @param[in] Type The IKE header flag of the received packet.\r |
9166f840 | 977 | \r |
978 | @retval TRUE If the SA proposal in Packet is acceptable.\r | |
979 | @retval FALSE If the SA proposal in Packet is not acceptable.\r | |
980 | \r | |
981 | **/\r | |
982 | BOOLEAN\r | |
983 | Ikev2SaParseSaPayload (\r | |
984 | IN OUT IKEV2_SA_SESSION *IkeSaSession,\r | |
985 | IN IKE_PAYLOAD *SaPayload,\r | |
986 | IN UINT8 Type\r | |
987 | );\r | |
988 | \r | |
989 | /**\r | |
990 | Parse the received Authentication Exchange Packet.\r | |
f75a7f56 | 991 | \r |
9166f840 | 992 | This function parses the SA Payload and Key Payload to find out the cryptographic\r |
993 | suite for the ESP and fills it into the Child SA Session's CommonSession->SaParams.\r | |
994 | \r |
995 | @param[in, out] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION related to\r | |
9166f840 | 996 | this Authentication Exchange.\r |
997 | @param[in] SaPayload The received SA payload.\r | |
998 | @param[in] Type The IKE header flag of the received packet.\r |
999 | \r | |
9166f840 | 1000 | @retval TRUE If the SA proposal in Packet is acceptable.\r |
1001 | @retval FALSE If the SA proposal in Packet is not acceptable.\r | |
1002 | \r | |
1003 | **/\r | |
1004 | BOOLEAN\r | |
1005 | Ikev2ChildSaParseSaPayload (\r | |
1006 | IN OUT IKEV2_CHILD_SA_SESSION *ChildSaSession,\r | |
1007 | IN IKE_PAYLOAD *SaPayload,\r | |
1008 | IN UINT8 Type\r | |
1009 | );\r | |
1010 | \r | |
1011 | /**\r | |
1012 | Generate Key buffer from fragments.\r | |
1013 | \r | |
1014 | If the digest length of the specified HashAlgId is larger than or equal to the\r |
1015 | required output key length, the key is derived directly. Otherwise, the key material\r | |
1016 | is produced by PRF-based concatenation (prf+) according to section 2.13 of RFC 4306:\r | |
9166f840 | 1017 | prf+ (K,S) = T1 | T2 | T3 | T4 | ..., T1 = prf (K, S | 0x01),\r |
1018 | T2 = prf (K, T1 | S | 0x02), T3 = prf (K, T2 | S | 0x03),T4 = prf (K, T3 | S | 0x04)\r | |
1019 | then derive the key from this key material.\r | |
f75a7f56 | 1020 | \r |
9166f840 | 1021 | @param[in] HashAlgId The Hash Algorithm ID used to generate key.\r |
1022 | @param[in] HashKey Pointer to a key buffer which contains hash key.\r | |
1023 | @param[in] HashKeyLength The length of HashKey in bytes.\r | |
f75a7f56 | 1024 | @param[in, out] OutputKey Pointer to buffer which is used to receive the\r |
9166f840 | 1025 | output key.\r |
1026 | @param[in] OutputKeyLength The length of the OutputKey buffer.\r | |
1027 | @param[in] Fragments Pointer to the data to be used to generate key.\r | |
1028 | @param[in] NumFragments The number of Fragments.\r | |
1029 | \r | |
1030 | @retval EFI_SUCCESS The operation complete successfully.\r | |
1031 | @retval EFI_INVALID_PARAMETER If NumFragments is zero.\r | |
1032 | @retval EFI_OUT_OF_RESOURCES If the required resource can't be allocated.\r | |
1033 | @retval Others The operation failed.\r | |
1034 | \r | |
1035 | **/\r | |
1036 | EFI_STATUS\r | |
1037 | Ikev2SaGenerateKey (\r | |
1038 | IN UINT8 HashAlgId,\r | |
1039 | IN UINT8 *HashKey,\r | |
1040 | IN UINTN HashKeyLength,\r | |
1041 | IN OUT UINT8 *OutputKey,\r | |
1042 | IN UINTN OutputKeyLength,\r | |
1043 | IN PRF_DATA_FRAGMENT *Fragments,\r | |
1044 | IN UINTN NumFragments\r | |
1045 | );\r | |
1046 | \r | |
1047 | /**\r | |
1048 | Copy ChildSaSession->Spd->Selector to ChildSaSession->SpdSelector.\r | |
1049 | \r | |
1050 | ChildSaSession->SpdSelector stores the real SPD selector for its SA. Sometimes,\r | |
f75a7f56 | 1051 | the SpdSelector in ChildSaSession is more accurate or its scope is smaller\r |
9166f840 | 1052 | than the one in ChildSaSession->Spd, especially in tunnel mode.\r |
f75a7f56 | 1053 | \r |
9166f840 | 1054 | @param[in, out] ChildSaSession Pointer to the related IKEV2_CHILD_SA_SESSION.\r |
1055 | \r |
1056 | @retval EFI_SUCCESS The operation complete successfully.\r | |
1057 | @retval EFI_OUT_OF_RESOURCES If the required resource can't be allocated.\r | |
f75a7f56 | 1058 | \r |
9166f840 | 1059 | **/\r |
6b16c9e7 | 1060 | EFI_STATUS\r |
9166f840 | 1061 | Ikev2ChildSaSessionSpdSelectorCreate (\r |
1062 | IN OUT IKEV2_CHILD_SA_SESSION *ChildSaSession\r | |
1063 | );\r | |
1064 | \r | |
1065 | extern IKE_ALG_GUID_INFO mIPsecEncrAlgInfo[];\r | |
1066 | #endif\r | |
1067 | \r |