2 The implementation of policy entry operation function in IpSecConfig application.
4 Copyright (c) 2009 - 2012, Intel Corporation. All rights reserved.<BR>
6 This program and the accompanying materials
7 are licensed and made available under the terms and conditions of the BSD License
8 which accompanies this distribution. The full text of the license may be found at
9 http://opensource.org/licenses/bsd-license.php.
11 THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
12 WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
16 #include "IpSecConfig.h"
21 #include "PolicyEntryOperation.h"
24 Fill in EFI_IPSEC_SPD_SELECTOR through ParamPackage list.
26 @param[out] Selector The pointer to the EFI_IPSEC_SPD_SELECTOR structure.
27 @param[in] ParamPackage The pointer to the ParamPackage list.
28 @param[in, out] Mask The pointer to the Mask.
30 @retval EFI_SUCCESS Fill in EFI_IPSEC_SPD_SELECTOR successfully.
31 @retval EFI_INVALID_PARAMETER Invalid user input parameter.
36 OUT EFI_IPSEC_SPD_SELECTOR
*Selector
,
37 IN LIST_ENTRY
*ParamPackage
,
42 EFI_STATUS ReturnStatus
;
43 CONST CHAR16
*ValueStr
;
46 ReturnStatus
= EFI_SUCCESS
;
49 // Convert user input from string to integer, and fill in the member in EFI_IPSEC_SPD_SELECTOR.
51 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--local");
52 if (ValueStr
!= NULL
) {
53 Selector
->LocalAddressCount
= 1;
54 Status
= EfiInetAddrRange ((CHAR16
*) ValueStr
, Selector
->LocalAddress
);
55 if (EFI_ERROR (Status
)) {
60 STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE
),
66 ReturnStatus
= EFI_INVALID_PARAMETER
;
73 // Convert user input from string to integer, and fill in the member in EFI_IPSEC_SPD_SELECTOR.
75 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--remote");
76 if (ValueStr
!= NULL
) {
77 Selector
->RemoteAddressCount
= 1;
78 Status
= EfiInetAddrRange ((CHAR16
*) ValueStr
, Selector
->RemoteAddress
);
79 if (EFI_ERROR (Status
)) {
84 STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE
),
90 ReturnStatus
= EFI_INVALID_PARAMETER
;
96 Selector
->NextLayerProtocol
= EFI_IPSEC_ANY_PROTOCOL
;
99 // Convert user input from string to integer, and fill in the member in EFI_IPSEC_SPD_SELECTOR.
104 &Selector
->NextLayerProtocol
,
108 FORMAT_NUMBER
| FORMAT_STRING
110 if (!EFI_ERROR (Status
)) {
114 if (Status
== EFI_INVALID_PARAMETER
) {
115 ReturnStatus
= EFI_INVALID_PARAMETER
;
118 Selector
->LocalPort
= EFI_IPSEC_ANY_PORT
;
119 Selector
->RemotePort
= EFI_IPSEC_ANY_PORT
;
122 // Convert user input from string to integer, and fill in the member in EFI_IPSEC_SPD_SELECTOR.
124 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--local-port");
125 if (ValueStr
!= NULL
) {
126 Status
= EfiInetPortRange ((CHAR16
*) ValueStr
, &Selector
->LocalPort
, &Selector
->LocalPortRange
);
127 if (EFI_ERROR (Status
)) {
132 STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE
),
138 ReturnStatus
= EFI_INVALID_PARAMETER
;
145 // Convert user input from string to integer, and fill in the member in EFI_IPSEC_SPD_SELECTOR.
147 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--remote-port");
148 if (ValueStr
!= NULL
) {
149 Status
= EfiInetPortRange ((CHAR16
*) ValueStr
, &Selector
->RemotePort
, &Selector
->RemotePortRange
);
150 if (EFI_ERROR (Status
)) {
155 STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE
),
161 ReturnStatus
= EFI_INVALID_PARAMETER
;
163 *Mask
|= REMOTE_PORT
;
168 // Convert user input from string to integer, and fill in the member in EFI_IPSEC_SPD_SELECTOR.
173 &Selector
->LocalPort
,
179 if (!EFI_ERROR (Status
)) {
183 if (Status
== EFI_INVALID_PARAMETER
) {
184 ReturnStatus
= EFI_INVALID_PARAMETER
;
188 // Convert user input from string to integer, and fill in the member in EFI_IPSEC_SPD_SELECTOR.
193 &Selector
->RemotePort
,
199 if (!EFI_ERROR (Status
)) {
203 if (Status
== EFI_INVALID_PARAMETER
) {
204 ReturnStatus
= EFI_INVALID_PARAMETER
;
211 Fill in EFI_IPSEC_SPD_SELECTOR and EFI_IPSEC_SPD_DATA through ParamPackage list.
213 @param[out] Selector The pointer to the EFI_IPSEC_SPD_SELECTOR structure.
214 @param[out] Data The pointer to the EFI_IPSEC_SPD_DATA structure.
215 @param[in] ParamPackage The pointer to the ParamPackage list.
216 @param[out] Mask The pointer to the Mask.
217 @param[in] CreateNew The switch to create new.
219 @retval EFI_SUCCESS Fill in EFI_IPSEC_SPD_SELECTOR and EFI_IPSEC_SPD_DATA successfully.
220 @retval EFI_INVALID_PARAMETER Invalid user input parameter.
225 OUT EFI_IPSEC_SPD_SELECTOR
**Selector
,
226 OUT EFI_IPSEC_SPD_DATA
**Data
,
227 IN LIST_ENTRY
*ParamPackage
,
233 EFI_STATUS ReturnStatus
;
234 CONST CHAR16
*ValueStr
;
237 Status
= EFI_SUCCESS
;
240 *Selector
= AllocateZeroPool (sizeof (EFI_IPSEC_SPD_SELECTOR
) + 2 * sizeof (EFI_IP_ADDRESS_INFO
));
241 ASSERT (*Selector
!= NULL
);
243 (*Selector
)->LocalAddress
= (EFI_IP_ADDRESS_INFO
*) (*Selector
+ 1);
244 (*Selector
)->RemoteAddress
= (*Selector
)->LocalAddress
+ 1;
246 ReturnStatus
= CreateSpdSelector (*Selector
, ParamPackage
, Mask
);
250 // NOTE: Allocate enough memory and add padding for different arch.
252 DataSize
= ALIGN_VARIABLE (sizeof (EFI_IPSEC_SPD_DATA
));
253 DataSize
= ALIGN_VARIABLE (DataSize
+ sizeof (EFI_IPSEC_PROCESS_POLICY
));
254 DataSize
+= sizeof (EFI_IPSEC_TUNNEL_OPTION
);
256 *Data
= AllocateZeroPool (DataSize
);
257 ASSERT (*Data
!= NULL
);
259 (*Data
)->ProcessingPolicy
= (EFI_IPSEC_PROCESS_POLICY
*) ALIGN_POINTER (
263 (*Data
)->ProcessingPolicy
->TunnelOption
= (EFI_IPSEC_TUNNEL_OPTION
*) ALIGN_POINTER (
264 ((*Data
)->ProcessingPolicy
+ 1),
270 // Convert user input from string to integer, and fill in the Name in EFI_IPSEC_SPD_DATA.
272 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--name");
273 if (ValueStr
!= NULL
) {
274 UnicodeStrToAsciiStr (ValueStr
, (CHAR8
*) (*Data
)->Name
);
279 // Convert user input from string to integer, and fill in the PackageFlag in EFI_IPSEC_SPD_DATA.
284 &(*Data
)->PackageFlag
,
290 if (!EFI_ERROR (Status
)) {
291 *Mask
|= PACKET_FLAG
;
294 if (Status
== EFI_INVALID_PARAMETER
) {
295 ReturnStatus
= EFI_INVALID_PARAMETER
;
299 // Convert user input from string to integer, and fill in the Action in EFI_IPSEC_SPD_DATA.
310 if (!EFI_ERROR (Status
)) {
314 if (Status
== EFI_INVALID_PARAMETER
) {
315 ReturnStatus
= EFI_INVALID_PARAMETER
;
319 // Convert user input from string to integer, and fill in the ExtSeqNum in EFI_IPSEC_SPD_DATA.
321 if (ShellCommandLineGetFlag (ParamPackage
, L
"--ext-sequence")) {
322 (*Data
)->ProcessingPolicy
->ExtSeqNum
= TRUE
;
323 *Mask
|= EXT_SEQUENCE
;
324 } else if (ShellCommandLineGetFlag (ParamPackage
, L
"--ext-sequence-")) {
325 (*Data
)->ProcessingPolicy
->ExtSeqNum
= FALSE
;
326 *Mask
|= EXT_SEQUENCE
;
330 // Convert user input from string to integer, and fill in the SeqOverflow in EFI_IPSEC_SPD_DATA.
332 if (ShellCommandLineGetFlag (ParamPackage
, L
"--sequence-overflow")) {
333 (*Data
)->ProcessingPolicy
->SeqOverflow
= TRUE
;
334 *Mask
|= SEQUENCE_OVERFLOW
;
335 } else if (ShellCommandLineGetFlag (ParamPackage
, L
"--sequence-overflow-")) {
336 (*Data
)->ProcessingPolicy
->SeqOverflow
= FALSE
;
337 *Mask
|= SEQUENCE_OVERFLOW
;
341 // Convert user input from string to integer, and fill in the FragCheck in EFI_IPSEC_SPD_DATA.
343 if (ShellCommandLineGetFlag (ParamPackage
, L
"--fragment-check")) {
344 (*Data
)->ProcessingPolicy
->FragCheck
= TRUE
;
345 *Mask
|= FRAGMENT_CHECK
;
346 } else if (ShellCommandLineGetFlag (ParamPackage
, L
"--fragment-check-")) {
347 (*Data
)->ProcessingPolicy
->FragCheck
= FALSE
;
348 *Mask
|= FRAGMENT_CHECK
;
352 // Convert user input from string to integer, and fill in the ProcessingPolicy in EFI_IPSEC_SPD_DATA.
357 &(*Data
)->ProcessingPolicy
->SaLifetime
.ByteCount
,
363 if (!EFI_ERROR (Status
)) {
367 if (Status
== EFI_INVALID_PARAMETER
) {
368 ReturnStatus
= EFI_INVALID_PARAMETER
;
374 &(*Data
)->ProcessingPolicy
->SaLifetime
.HardLifetime
,
380 if (!EFI_ERROR (Status
)) {
383 if (Status
== EFI_INVALID_PARAMETER
) {
384 ReturnStatus
= EFI_INVALID_PARAMETER
;
390 &(*Data
)->ProcessingPolicy
->SaLifetime
.SoftLifetime
,
396 if (!EFI_ERROR (Status
)) {
397 *Mask
|= LIFETIME_SOFT
;
400 if (Status
== EFI_INVALID_PARAMETER
) {
401 ReturnStatus
= EFI_INVALID_PARAMETER
;
404 (*Data
)->ProcessingPolicy
->Mode
= EfiIPsecTransport
;
408 &(*Data
)->ProcessingPolicy
->Mode
,
414 if (!EFI_ERROR (Status
)) {
418 if (Status
== EFI_INVALID_PARAMETER
) {
419 ReturnStatus
= EFI_INVALID_PARAMETER
;
422 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--tunnel-local");
423 if (ValueStr
!= NULL
) {
424 Status
= EfiInetAddr2 ((CHAR16
*) ValueStr
, &(*Data
)->ProcessingPolicy
->TunnelOption
->LocalTunnelAddress
);
425 if (EFI_ERROR (Status
)) {
430 STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE
),
436 ReturnStatus
= EFI_INVALID_PARAMETER
;
438 *Mask
|= TUNNEL_LOCAL
;
442 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--tunnel-remote");
443 if (ValueStr
!= NULL
) {
444 Status
= EfiInetAddr2 ((CHAR16
*) ValueStr
, &(*Data
)->ProcessingPolicy
->TunnelOption
->RemoteTunnelAddress
);
445 if (EFI_ERROR (Status
)) {
450 STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE
),
456 ReturnStatus
= EFI_INVALID_PARAMETER
;
458 *Mask
|= TUNNEL_REMOTE
;
462 (*Data
)->ProcessingPolicy
->TunnelOption
->DF
= EfiIPsecTunnelCopyDf
;
466 &(*Data
)->ProcessingPolicy
->TunnelOption
->DF
,
472 if (!EFI_ERROR (Status
)) {
473 *Mask
|= DONT_FRAGMENT
;
476 if (Status
== EFI_INVALID_PARAMETER
) {
477 ReturnStatus
= EFI_INVALID_PARAMETER
;
480 (*Data
)->ProcessingPolicy
->Proto
= EfiIPsecESP
;
484 &(*Data
)->ProcessingPolicy
->Proto
,
490 if (!EFI_ERROR (Status
)) {
491 *Mask
|= IPSEC_PROTO
;
494 if (Status
== EFI_INVALID_PARAMETER
) {
495 ReturnStatus
= EFI_INVALID_PARAMETER
;
501 &(*Data
)->ProcessingPolicy
->EncAlgoId
,
507 if (!EFI_ERROR (Status
)) {
508 *Mask
|= ENCRYPT_ALGO
;
511 if (Status
== EFI_INVALID_PARAMETER
) {
512 ReturnStatus
= EFI_INVALID_PARAMETER
;
518 &(*Data
)->ProcessingPolicy
->AuthAlgoId
,
524 if (!EFI_ERROR (Status
)) {
528 if (Status
== EFI_INVALID_PARAMETER
) {
529 ReturnStatus
= EFI_INVALID_PARAMETER
;
533 // Cannot check Mode against EfiIPsecTunnel, because the user may want to change only tunnel_remote, in which case Mode is not set.
535 if ((*Mask
& (TUNNEL_LOCAL
| TUNNEL_REMOTE
| DONT_FRAGMENT
)) == 0) {
536 (*Data
)->ProcessingPolicy
->TunnelOption
= NULL
;
539 if ((*Mask
& (EXT_SEQUENCE
| SEQUENCE_OVERFLOW
| FRAGMENT_CHECK
| LIFEBYTE
|
540 LIFETIME_SOFT
| LIFETIME
| MODE
| TUNNEL_LOCAL
| TUNNEL_REMOTE
|
541 DONT_FRAGMENT
| IPSEC_PROTO
| AUTH_ALGO
| ENCRYPT_ALGO
)) == 0) {
542 if ((*Data
)->Action
!= EfiIPsecActionProtect
) {
544 // The user may not provide additional parameters for the Protect action, so we cannot simply set ProcessingPolicy to NULL.
546 (*Data
)->ProcessingPolicy
= NULL
;
551 if ((*Mask
& (LOCAL
| REMOTE
| PROTO
| ACTION
)) != (LOCAL
| REMOTE
| PROTO
| ACTION
)) {
556 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS
),
559 L
"--local --remote --proto --action"
561 ReturnStatus
= EFI_INVALID_PARAMETER
;
562 } else if (((*Data
)->Action
== EfiIPsecActionProtect
) &&
563 ((*Data
)->ProcessingPolicy
->Mode
== EfiIPsecTunnel
) &&
564 ((*Mask
& (TUNNEL_LOCAL
| TUNNEL_REMOTE
)) != (TUNNEL_LOCAL
| TUNNEL_REMOTE
))) {
569 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS
),
572 L
"--tunnel-local --tunnel-remote"
574 ReturnStatus
= EFI_INVALID_PARAMETER
;
582 Fill in EFI_IPSEC_SA_ID and EFI_IPSEC_SA_DATA2 through ParamPackage list.
584 @param[out] SaId The pointer to the EFI_IPSEC_SA_ID structure.
585 @param[out] Data The pointer to the EFI_IPSEC_SA_DATA2 structure.
586 @param[in] ParamPackage The pointer to the ParamPackage list.
587 @param[out] Mask The pointer to the Mask.
588 @param[in] CreateNew The switch to create new.
590 @retval EFI_SUCCESS Fill in EFI_IPSEC_SA_ID and EFI_IPSEC_SA_DATA2 successfully.
591 @retval EFI_INVALID_PARAMETER Invalid user input parameter.
596 OUT EFI_IPSEC_SA_ID
**SaId
,
597 OUT EFI_IPSEC_SA_DATA2
**Data
,
598 IN LIST_ENTRY
*ParamPackage
,
604 EFI_STATUS ReturnStatus
;
607 CONST CHAR16
*ValueStr
;
611 Status
= EFI_SUCCESS
;
612 ReturnStatus
= EFI_SUCCESS
;
617 *SaId
= AllocateZeroPool (sizeof (EFI_IPSEC_SA_ID
));
618 ASSERT (*SaId
!= NULL
);
621 // Convert user input from string to integer, and fill in the Spi in EFI_IPSEC_SA_ID.
623 Status
= GetNumber (L
"--spi", (UINT32
) -1, &(*SaId
)->Spi
, sizeof (UINT32
), NULL
, ParamPackage
, FORMAT_NUMBER
);
624 if (!EFI_ERROR (Status
)) {
628 if (Status
== EFI_INVALID_PARAMETER
) {
629 ReturnStatus
= EFI_INVALID_PARAMETER
;
633 // Convert user input from string to integer, and fill in the Proto in EFI_IPSEC_SA_ID.
639 sizeof (EFI_IPSEC_PROTOCOL_TYPE
),
644 if (!EFI_ERROR (Status
)) {
645 *Mask
|= IPSEC_PROTO
;
648 if (Status
== EFI_INVALID_PARAMETER
) {
649 ReturnStatus
= EFI_INVALID_PARAMETER
;
653 // Convert user input from string to integer, and fill in EFI_IPSEC_SA_DATA2.
655 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--auth-key");
656 if (ValueStr
!= NULL
) {
657 AuthKeyLength
= StrLen (ValueStr
);
660 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--encrypt-key");
661 if (ValueStr
!= NULL
) {
662 EncKeyLength
= StrLen (ValueStr
);
666 // EFI_IPSEC_SA_DATA2:
668 // | EFI_IPSEC_SA_DATA2
669 // +-----------------------
671 // +-------------------------
673 // +-------------------------
676 // Note: to guarantee address alignment, add padding after each data item if needed.
678 DataSize
= ALIGN_VARIABLE (sizeof (EFI_IPSEC_SA_DATA2
));
679 DataSize
= ALIGN_VARIABLE (DataSize
+ AuthKeyLength
);
680 DataSize
= ALIGN_VARIABLE (DataSize
+ EncKeyLength
);
681 DataSize
= ALIGN_VARIABLE (DataSize
+ sizeof (EFI_IPSEC_SPD_SELECTOR
));
682 DataSize
= ALIGN_VARIABLE (DataSize
+ sizeof (EFI_IP_ADDRESS_INFO
));
683 DataSize
+= sizeof (EFI_IP_ADDRESS_INFO
);
687 *Data
= AllocateZeroPool (DataSize
);
688 ASSERT (*Data
!= NULL
);
690 (*Data
)->ManualSet
= TRUE
;
691 (*Data
)->AlgoInfo
.EspAlgoInfo
.AuthKey
= (VOID
*) ALIGN_POINTER (((*Data
) + 1), sizeof (UINTN
));
692 (*Data
)->AlgoInfo
.EspAlgoInfo
.EncKey
= (VOID
*) ALIGN_POINTER (
693 ((UINT8
*) (*Data
)->AlgoInfo
.EspAlgoInfo
.AuthKey
+ AuthKeyLength
),
696 (*Data
)->SpdSelector
= (EFI_IPSEC_SPD_SELECTOR
*) ALIGN_POINTER (
697 ((UINT8
*) (*Data
)->AlgoInfo
.EspAlgoInfo
.EncKey
+ EncKeyLength
),
700 (*Data
)->SpdSelector
->LocalAddress
= (EFI_IP_ADDRESS_INFO
*) ALIGN_POINTER (
701 ((UINT8
*) (*Data
)->SpdSelector
+ sizeof (EFI_IPSEC_SPD_SELECTOR
)),
703 (*Data
)->SpdSelector
->RemoteAddress
= (EFI_IP_ADDRESS_INFO
*) ALIGN_POINTER (
704 (*Data
)->SpdSelector
->LocalAddress
+ 1,
708 (*Data
)->Mode
= EfiIPsecTransport
;
713 sizeof (EFI_IPSEC_MODE
),
718 if (!EFI_ERROR (Status
)) {
722 if (Status
== EFI_INVALID_PARAMETER
) {
723 ReturnStatus
= EFI_INVALID_PARAMETER
;
727 // According to RFC 4303, section 3.3.3, the first packet sent using a given SA
728 // will contain a sequence number of 1.
730 (*Data
)->SNCount
= 1;
732 L
"--sequence-number",
740 if (!EFI_ERROR (Status
)) {
741 *Mask
|= SEQUENCE_NUMBER
;
744 if (Status
== EFI_INVALID_PARAMETER
) {
745 ReturnStatus
= EFI_INVALID_PARAMETER
;
748 (*Data
)->AntiReplayWindows
= 0;
750 L
"--antireplay-window",
752 &(*Data
)->AntiReplayWindows
,
758 if (!EFI_ERROR (Status
)) {
759 *Mask
|= SEQUENCE_NUMBER
;
762 if (Status
== EFI_INVALID_PARAMETER
) {
763 ReturnStatus
= EFI_INVALID_PARAMETER
;
769 &(*Data
)->AlgoInfo
.EspAlgoInfo
.EncAlgoId
,
775 if (!EFI_ERROR (Status
)) {
776 *Mask
|= ENCRYPT_ALGO
;
779 if (Status
== EFI_INVALID_PARAMETER
) {
780 ReturnStatus
= EFI_INVALID_PARAMETER
;
783 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--encrypt-key");
784 if (ValueStr
!= NULL
) {
785 (*Data
)->AlgoInfo
.EspAlgoInfo
.EncKeyLength
= EncKeyLength
;
786 AsciiStr
= AllocateZeroPool (EncKeyLength
+ 1);
787 ASSERT (AsciiStr
!= NULL
);
788 UnicodeStrToAsciiStr (ValueStr
, AsciiStr
);
789 CopyMem ((*Data
)->AlgoInfo
.EspAlgoInfo
.EncKey
, AsciiStr
, EncKeyLength
);
791 *Mask
|= ENCRYPT_KEY
;
793 (*Data
)->AlgoInfo
.EspAlgoInfo
.EncKey
= NULL
;
799 &(*Data
)->AlgoInfo
.EspAlgoInfo
.AuthAlgoId
,
805 if (!EFI_ERROR (Status
)) {
809 if (Status
== EFI_INVALID_PARAMETER
) {
810 ReturnStatus
= EFI_INVALID_PARAMETER
;
813 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--auth-key");
814 if (ValueStr
!= NULL
) {
815 (*Data
)->AlgoInfo
.EspAlgoInfo
.AuthKeyLength
= AuthKeyLength
;
816 AsciiStr
= AllocateZeroPool (AuthKeyLength
+ 1);
817 UnicodeStrToAsciiStr (ValueStr
, AsciiStr
);
818 CopyMem ((*Data
)->AlgoInfo
.EspAlgoInfo
.AuthKey
, AsciiStr
, AuthKeyLength
);
822 (*Data
)->AlgoInfo
.EspAlgoInfo
.AuthKey
= NULL
;
828 &(*Data
)->SaLifetime
.ByteCount
,
834 if (!EFI_ERROR (Status
)) {
838 if (Status
== EFI_INVALID_PARAMETER
) {
839 ReturnStatus
= EFI_INVALID_PARAMETER
;
845 &(*Data
)->SaLifetime
.HardLifetime
,
851 if (!EFI_ERROR (Status
)) {
855 if (Status
== EFI_INVALID_PARAMETER
) {
856 ReturnStatus
= EFI_INVALID_PARAMETER
;
862 &(*Data
)->SaLifetime
.SoftLifetime
,
868 if (!EFI_ERROR (Status
)) {
869 *Mask
|= LIFETIME_SOFT
;
872 if (Status
== EFI_INVALID_PARAMETER
) {
873 ReturnStatus
= EFI_INVALID_PARAMETER
;
885 if (!EFI_ERROR (Status
)) {
889 if (Status
== EFI_INVALID_PARAMETER
) {
890 ReturnStatus
= EFI_INVALID_PARAMETER
;
894 // Convert user input from string to address, and fill in the TunnelDestinationAddress in EFI_IPSEC_SA_DATA2.
896 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--tunnel-dest");
897 if (ValueStr
!= NULL
) {
898 Status
= EfiInetAddr2 ((CHAR16
*) ValueStr
, &(*Data
)->TunnelDestinationAddress
);
899 if (EFI_ERROR (Status
)) {
904 STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE
),
910 ReturnStatus
= EFI_INVALID_PARAMETER
;
917 // Convert user input from string to address, and fill in the TunnelSourceAddress in EFI_IPSEC_SA_DATA2.
919 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--tunnel-source");
920 if (ValueStr
!= NULL
) {
921 Status
= EfiInetAddr2 ((CHAR16
*) ValueStr
, &(*Data
)->TunnelSourceAddress
);
922 if (EFI_ERROR (Status
)) {
927 STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE
),
933 ReturnStatus
= EFI_INVALID_PARAMETER
;
940 // If it is Tunnel mode, then check that both --tunnel-source and --tunnel-dest are set.
942 if ((*Data
)->Mode
== EfiIPsecTunnel
) {
943 if ((*Mask
& (DEST
|SOURCE
)) != (DEST
|SOURCE
)) {
948 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS
),
951 L
"--tunnel-source --tunnel-dest"
953 ReturnStatus
= EFI_INVALID_PARAMETER
;
956 ReturnStatus
= CreateSpdSelector ((*Data
)->SpdSelector
, ParamPackage
, Mask
);
959 if ((*Mask
& (SPI
|IPSEC_PROTO
|LOCAL
|REMOTE
)) != (SPI
|IPSEC_PROTO
|LOCAL
|REMOTE
)) {
964 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS
),
967 L
"--spi --ipsec-proto --local --remote"
969 ReturnStatus
= EFI_INVALID_PARAMETER
;
971 if ((*SaId
)->Proto
== EfiIPsecAH
) {
972 if ((*Mask
& AUTH_ALGO
) == 0) {
977 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_PARAMETER
),
982 ReturnStatus
= EFI_INVALID_PARAMETER
;
983 } else if ((*Data
)->AlgoInfo
.EspAlgoInfo
.AuthAlgoId
!= IPSEC_AALG_NONE
&& (*Mask
& AUTH_KEY
) == 0) {
988 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_PARAMETER
),
993 ReturnStatus
= EFI_INVALID_PARAMETER
;
996 if ((*Mask
& (ENCRYPT_ALGO
|AUTH_ALGO
)) != (ENCRYPT_ALGO
|AUTH_ALGO
) ) {
1001 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_PARAMETER
),
1004 L
"--encrypt-algo --auth-algo"
1006 ReturnStatus
= EFI_INVALID_PARAMETER
;
1007 } else if ((*Data
)->AlgoInfo
.EspAlgoInfo
.EncAlgoId
!= IPSEC_EALG_NONE
&& (*Mask
& ENCRYPT_KEY
) == 0) {
1012 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_PARAMETER
),
1017 ReturnStatus
= EFI_INVALID_PARAMETER
;
1018 } else if ((*Data
)->AlgoInfo
.EspAlgoInfo
.AuthAlgoId
!= IPSEC_AALG_NONE
&& (*Mask
& AUTH_KEY
) == 0) {
1023 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_PARAMETER
),
1028 ReturnStatus
= EFI_INVALID_PARAMETER
;
1034 return ReturnStatus
;
1038 Fill in EFI_IPSEC_PAD_ID and EFI_IPSEC_PAD_DATA through ParamPackage list.
1040 @param[out] PadId The pointer to the EFI_IPSEC_PAD_ID structure.
1041 @param[out] Data The pointer to the EFI_IPSEC_PAD_DATA structure.
1042 @param[in] ParamPackage The pointer to the ParamPackage list.
1043 @param[out] Mask The pointer to the Mask.
1044 @param[in] CreateNew The switch to create new.
1046 @retval EFI_SUCCESS Fill in EFI_IPSEC_PAD_ID and EFI_IPSEC_PAD_DATA successfully.
1047 @retval EFI_INVALID_PARAMETER Invalid user input parameter.
1052 OUT EFI_IPSEC_PAD_ID
**PadId
,
1053 OUT EFI_IPSEC_PAD_DATA
**Data
,
1054 IN LIST_ENTRY
*ParamPackage
,
1056 IN BOOLEAN CreateNew
1060 EFI_STATUS ReturnStatus
;
1061 SHELL_FILE_HANDLE FileHandle
;
1063 UINTN AuthDataLength
;
1064 UINTN RevocationDataLength
;
1067 CONST CHAR16
*ValueStr
;
1070 Status
= EFI_SUCCESS
;
1071 ReturnStatus
= EFI_SUCCESS
;
1074 RevocationDataLength
= 0;
1076 *PadId
= AllocateZeroPool (sizeof (EFI_IPSEC_PAD_ID
));
1077 ASSERT (*PadId
!= NULL
);
1080 // Convert user input from string to integer, and fill in EFI_IPSEC_PAD_ID.
1082 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--peer-address");
1083 if (ValueStr
!= NULL
) {
1084 (*PadId
)->PeerIdValid
= FALSE
;
1085 Status
= EfiInetAddrRange ((CHAR16
*) ValueStr
, &(*PadId
)->Id
.IpAddress
);
1086 if (EFI_ERROR (Status
)) {
1091 STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE
),
1097 ReturnStatus
= EFI_INVALID_PARAMETER
;
1099 *Mask
|= PEER_ADDRESS
;
1103 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--peer-id");
1104 if (ValueStr
!= NULL
) {
1105 (*PadId
)->PeerIdValid
= TRUE
;
1106 StrnCpy ((CHAR16
*) (*PadId
)->Id
.PeerId
, ValueStr
, ARRAY_SIZE ((*PadId
)->Id
.PeerId
) - 1);
1110 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--auth-data");
1111 if (ValueStr
!= NULL
) {
1112 if (ValueStr
[0] == L
'@') {
1114 // Input is a file: --auth-data "@fs1:\My Certificates\tom.dat"
1116 Status
= ShellOpenFileByName (&ValueStr
[1], &FileHandle
, EFI_FILE_MODE_READ
, 0);
1117 if (EFI_ERROR (Status
)) {
1122 STRING_TOKEN (STR_IPSEC_CONFIG_FILE_OPEN_FAILED
),
1127 ReturnStatus
= EFI_INVALID_PARAMETER
;
1129 Status
= ShellGetFileSize (FileHandle
, &FileSize
);
1130 ShellCloseFile (&FileHandle
);
1131 if (EFI_ERROR (Status
)) {
1136 STRING_TOKEN (STR_IPSEC_CONFIG_FILE_OPEN_FAILED
),
1141 ReturnStatus
= EFI_INVALID_PARAMETER
;
1143 AuthDataLength
= (UINTN
) FileSize
;
1147 AuthDataLength
= StrLen (ValueStr
);
1151 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--revocation-data");
1152 if (ValueStr
!= NULL
) {
1153 RevocationDataLength
= (StrLen (ValueStr
) + 1) * sizeof (CHAR16
);
1157 // Allocate the buffer for Data. Add padding after each struct to guarantee the alignment
1158 // on different architectures.
1160 DataSize
= ALIGN_VARIABLE (sizeof (EFI_IPSEC_PAD_DATA
));
1161 DataSize
= ALIGN_VARIABLE (DataSize
+ AuthDataLength
);
1162 DataSize
+= RevocationDataLength
;
1164 *Data
= AllocateZeroPool (DataSize
);
1165 ASSERT (*Data
!= NULL
);
1167 (*Data
)->AuthData
= (VOID
*) ALIGN_POINTER ((*Data
+ 1), sizeof (UINTN
));
1168 (*Data
)->RevocationData
= (VOID
*) ALIGN_POINTER (((UINT8
*) (*Data
+ 1) + AuthDataLength
), sizeof (UINTN
));
1169 (*Data
)->AuthProtocol
= EfiIPsecAuthProtocolIKEv1
;
1172 // Convert user input from string to integer, and fill in EFI_IPSEC_PAD_DATA.
1174 Status
= GetNumber (
1177 &(*Data
)->AuthProtocol
,
1178 sizeof (EFI_IPSEC_AUTH_PROTOCOL_TYPE
),
1183 if (!EFI_ERROR (Status
)) {
1184 *Mask
|= AUTH_PROTO
;
1187 if (Status
== EFI_INVALID_PARAMETER
) {
1188 ReturnStatus
= EFI_INVALID_PARAMETER
;
1191 Status
= GetNumber (
1194 &(*Data
)->AuthMethod
,
1195 sizeof (EFI_IPSEC_AUTH_METHOD
),
1200 if (!EFI_ERROR (Status
)) {
1201 *Mask
|= AUTH_METHOD
;
1204 if (Status
== EFI_INVALID_PARAMETER
) {
1205 ReturnStatus
= EFI_INVALID_PARAMETER
;
1208 if (ShellCommandLineGetFlag (ParamPackage
, L
"--ike-id")) {
1209 (*Data
)->IkeIdFlag
= TRUE
;
1213 if (ShellCommandLineGetFlag (ParamPackage
, L
"--ike-id-")) {
1214 (*Data
)->IkeIdFlag
= FALSE
;
1218 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--auth-data");
1219 if (ValueStr
!= NULL
) {
1220 if (ValueStr
[0] == L
'@') {
1222 // Input is a file: --auth-data "@fs1:\My Certificates\tom.dat"
1225 Status
= ShellOpenFileByName (&ValueStr
[1], &FileHandle
, EFI_FILE_MODE_READ
, 0);
1226 if (EFI_ERROR (Status
)) {
1231 STRING_TOKEN (STR_IPSEC_CONFIG_FILE_OPEN_FAILED
),
1236 ReturnStatus
= EFI_INVALID_PARAMETER
;
1237 (*Data
)->AuthData
= NULL
;
1239 DataLength
= AuthDataLength
;
1240 Status
= ShellReadFile (FileHandle
, &DataLength
, (*Data
)->AuthData
);
1241 ShellCloseFile (&FileHandle
);
1242 if (EFI_ERROR (Status
)) {
1247 STRING_TOKEN (STR_IPSEC_CONFIG_FILE_OPEN_FAILED
),
1252 ReturnStatus
= EFI_INVALID_PARAMETER
;
1253 (*Data
)->AuthData
= NULL
;
1255 ASSERT (DataLength
== AuthDataLength
);
1260 for (Index
= 0; Index
< AuthDataLength
; Index
++) {
1261 ((CHAR8
*) (*Data
)->AuthData
)[Index
] = (CHAR8
) ValueStr
[Index
];
1263 (*Data
)->AuthDataSize
= AuthDataLength
;
1268 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--revocation-data");
1269 if (ValueStr
!= NULL
) {
1270 CopyMem ((*Data
)->RevocationData
, ValueStr
, RevocationDataLength
);
1271 (*Data
)->RevocationDataSize
= RevocationDataLength
;
1272 *Mask
|= REVOCATION_DATA
;
1274 (*Data
)->RevocationData
= NULL
;
1278 if ((*Mask
& (PEER_ID
| PEER_ADDRESS
)) == 0) {
1283 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS
),
1286 L
"--peer-id --peer-address"
1288 ReturnStatus
= EFI_INVALID_PARAMETER
;
1289 } else if ((*Mask
& (AUTH_METHOD
| AUTH_DATA
)) != (AUTH_METHOD
| AUTH_DATA
)) {
1294 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS
),
1297 L
"--auth-method --auth-data"
1299 ReturnStatus
= EFI_INVALID_PARAMETER
;
1303 return ReturnStatus
;
1306 CREATE_POLICY_ENTRY mCreatePolicyEntry
[] = {
1307 (CREATE_POLICY_ENTRY
) CreateSpdEntry
,
1308 (CREATE_POLICY_ENTRY
) CreateSadEntry
,
1309 (CREATE_POLICY_ENTRY
) CreatePadEntry
1313 Combine old SPD entry with new SPD entry.
1315 @param[in, out] OldSelector The pointer to the EFI_IPSEC_SPD_SELECTOR structure.
1316 @param[in, out] OldData The pointer to the EFI_IPSEC_SPD_DATA structure.
1317 @param[in] NewSelector The pointer to the EFI_IPSEC_SPD_SELECTOR structure.
1318 @param[in] NewData The pointer to the EFI_IPSEC_SPD_DATA structure.
1319 @param[in] Mask The Mask indicating which fields are set.
1320 @param[out] CreateNew The switch to create new.
1322 @retval EFI_SUCCESS Combined successfully.
1323 @retval EFI_INVALID_PARAMETER Invalid user input parameter.
1328 IN OUT EFI_IPSEC_SPD_SELECTOR
*OldSelector
,
1329 IN OUT EFI_IPSEC_SPD_DATA
*OldData
,
1330 IN EFI_IPSEC_SPD_SELECTOR
*NewSelector
,
1331 IN EFI_IPSEC_SPD_DATA
*NewData
,
1333 OUT BOOLEAN
*CreateNew
1341 if ((Mask
& LOCAL
) == 0) {
1342 NewSelector
->LocalAddressCount
= OldSelector
->LocalAddressCount
;
1343 NewSelector
->LocalAddress
= OldSelector
->LocalAddress
;
1344 } else if ((NewSelector
->LocalAddressCount
!= OldSelector
->LocalAddressCount
) ||
1345 (CompareMem (NewSelector
->LocalAddress
, OldSelector
->LocalAddress
, NewSelector
->LocalAddressCount
* sizeof (EFI_IP_ADDRESS_INFO
)) != 0)) {
1349 if ((Mask
& REMOTE
) == 0) {
1350 NewSelector
->RemoteAddressCount
= OldSelector
->RemoteAddressCount
;
1351 NewSelector
->RemoteAddress
= OldSelector
->RemoteAddress
;
1352 } else if ((NewSelector
->RemoteAddressCount
!= OldSelector
->RemoteAddressCount
) ||
1353 (CompareMem (NewSelector
->RemoteAddress
, OldSelector
->RemoteAddress
, NewSelector
->RemoteAddressCount
* sizeof (EFI_IP_ADDRESS_INFO
)) != 0)) {
1357 if ((Mask
& PROTO
) == 0) {
1358 NewSelector
->NextLayerProtocol
= OldSelector
->NextLayerProtocol
;
1359 } else if (NewSelector
->NextLayerProtocol
!= OldSelector
->NextLayerProtocol
) {
1363 switch (NewSelector
->NextLayerProtocol
) {
1364 case EFI_IP4_PROTO_TCP
:
1365 case EFI_IP4_PROTO_UDP
:
1366 if ((Mask
& LOCAL_PORT
) == 0) {
1367 NewSelector
->LocalPort
= OldSelector
->LocalPort
;
1368 NewSelector
->LocalPortRange
= OldSelector
->LocalPortRange
;
1369 } else if ((NewSelector
->LocalPort
!= OldSelector
->LocalPort
) ||
1370 (NewSelector
->LocalPortRange
!= OldSelector
->LocalPortRange
)) {
1374 if ((Mask
& REMOTE_PORT
) == 0) {
1375 NewSelector
->RemotePort
= OldSelector
->RemotePort
;
1376 NewSelector
->RemotePortRange
= OldSelector
->RemotePortRange
;
1377 } else if ((NewSelector
->RemotePort
!= OldSelector
->RemotePort
) ||
1378 (NewSelector
->RemotePortRange
!= OldSelector
->RemotePortRange
)) {
1383 case EFI_IP4_PROTO_ICMP
:
1384 if ((Mask
& ICMP_TYPE
) == 0) {
1385 NewSelector
->LocalPort
= OldSelector
->LocalPort
;
1386 } else if (NewSelector
->LocalPort
!= OldSelector
->LocalPort
) {
1390 if ((Mask
& ICMP_CODE
) == 0) {
1391 NewSelector
->RemotePort
= OldSelector
->RemotePort
;
1392 } else if (NewSelector
->RemotePort
!= OldSelector
->RemotePort
) {
1400 if ((Mask
& NAME
) != 0) {
1401 AsciiStrCpy ((CHAR8
*) OldData
->Name
, (CHAR8
*) NewData
->Name
);
1404 if ((Mask
& PACKET_FLAG
) != 0) {
1405 OldData
->PackageFlag
= NewData
->PackageFlag
;
1408 if ((Mask
& ACTION
) != 0) {
1409 OldData
->Action
= NewData
->Action
;
1412 if (OldData
->Action
!= EfiIPsecActionProtect
) {
1413 OldData
->ProcessingPolicy
= NULL
;
1418 if (OldData
->ProcessingPolicy
== NULL
) {
1420 // Just point to new data if originally NULL.
1422 OldData
->ProcessingPolicy
= NewData
->ProcessingPolicy
;
1423 if (OldData
->ProcessingPolicy
->Mode
== EfiIPsecTunnel
&&
1424 (Mask
& (TUNNEL_LOCAL
| TUNNEL_REMOTE
)) != (TUNNEL_LOCAL
| TUNNEL_REMOTE
)
1427 // Change to Protect action and Tunnel mode, but without providing local/remote tunnel address.
1433 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS
),
1436 L
"--tunnel-local --tunnel-remote"
1438 return EFI_INVALID_PARAMETER
;
1442 // Modify some of the data.
1444 if ((Mask
& EXT_SEQUENCE
) != 0) {
1445 OldData
->ProcessingPolicy
->ExtSeqNum
= NewData
->ProcessingPolicy
->ExtSeqNum
;
1448 if ((Mask
& SEQUENCE_OVERFLOW
) != 0) {
1449 OldData
->ProcessingPolicy
->SeqOverflow
= NewData
->ProcessingPolicy
->SeqOverflow
;
1452 if ((Mask
& FRAGMENT_CHECK
) != 0) {
1453 OldData
->ProcessingPolicy
->FragCheck
= NewData
->ProcessingPolicy
->FragCheck
;
1456 if ((Mask
& LIFEBYTE
) != 0) {
1457 OldData
->ProcessingPolicy
->SaLifetime
.ByteCount
= NewData
->ProcessingPolicy
->SaLifetime
.ByteCount
;
1460 if ((Mask
& LIFETIME_SOFT
) != 0) {
1461 OldData
->ProcessingPolicy
->SaLifetime
.SoftLifetime
= NewData
->ProcessingPolicy
->SaLifetime
.SoftLifetime
;
1464 if ((Mask
& LIFETIME
) != 0) {
1465 OldData
->ProcessingPolicy
->SaLifetime
.HardLifetime
= NewData
->ProcessingPolicy
->SaLifetime
.HardLifetime
;
1468 if ((Mask
& MODE
) != 0) {
1469 OldData
->ProcessingPolicy
->Mode
= NewData
->ProcessingPolicy
->Mode
;
1472 if ((Mask
& IPSEC_PROTO
) != 0) {
1473 OldData
->ProcessingPolicy
->Proto
= NewData
->ProcessingPolicy
->Proto
;
1476 if ((Mask
& AUTH_ALGO
) != 0) {
1477 OldData
->ProcessingPolicy
->AuthAlgoId
= NewData
->ProcessingPolicy
->AuthAlgoId
;
1480 if ((Mask
& ENCRYPT_ALGO
) != 0) {
1481 OldData
->ProcessingPolicy
->EncAlgoId
= NewData
->ProcessingPolicy
->EncAlgoId
;
1484 if (OldData
->ProcessingPolicy
->Mode
!= EfiIPsecTunnel
) {
1485 OldData
->ProcessingPolicy
->TunnelOption
= NULL
;
1487 if (OldData
->ProcessingPolicy
->TunnelOption
== NULL
) {
1489 // Switching from Transport mode to Tunnel mode: ensure both TUNNEL_LOCAL and TUNNEL_REMOTE are present.
1491 if ((Mask
& (TUNNEL_LOCAL
| TUNNEL_REMOTE
)) != (TUNNEL_LOCAL
| TUNNEL_REMOTE
)) {
1496 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS
),
1499 L
"--tunnel-local --tunnel-remote"
1501 return EFI_INVALID_PARAMETER
;
1504 OldData
->ProcessingPolicy
->TunnelOption
= NewData
->ProcessingPolicy
->TunnelOption
;
1506 if ((Mask
& TUNNEL_LOCAL
) != 0) {
1508 &OldData
->ProcessingPolicy
->TunnelOption
->LocalTunnelAddress
,
1509 &NewData
->ProcessingPolicy
->TunnelOption
->LocalTunnelAddress
,
1510 sizeof (EFI_IP_ADDRESS
)
1514 if ((Mask
& TUNNEL_REMOTE
) != 0) {
1516 &OldData
->ProcessingPolicy
->TunnelOption
->RemoteTunnelAddress
,
1517 &NewData
->ProcessingPolicy
->TunnelOption
->RemoteTunnelAddress
,
1518 sizeof (EFI_IP_ADDRESS
)
1522 if ((Mask
& DONT_FRAGMENT
) != 0) {
1523 OldData
->ProcessingPolicy
->TunnelOption
->DF
= NewData
->ProcessingPolicy
->TunnelOption
->DF
;
1534 Combine old SAD entry with new SAD entry.
1536 @param[in, out] OldSaId The pointer to the EFI_IPSEC_SA_ID structure.
1537 @param[in, out] OldData The pointer to the EFI_IPSEC_SA_DATA2 structure.
1538 @param[in] NewSaId The pointer to the EFI_IPSEC_SA_ID structure.
1539 @param[in] NewData The pointer to the EFI_IPSEC_SA_DATA2 structure.
1540 @param[in] Mask The pointer to the Mask.
1541 @param[out] CreateNew The switch to create new.
1543 @retval EFI_SUCCESS Combined successfully.
1544 @retval EFI_INVALID_PARAMETER Invalid user input parameter.
1549 IN OUT EFI_IPSEC_SA_ID
*OldSaId
,
1550 IN OUT EFI_IPSEC_SA_DATA2
*OldData
,
1551 IN EFI_IPSEC_SA_ID
*NewSaId
,
1552 IN EFI_IPSEC_SA_DATA2
*NewData
,
1554 OUT BOOLEAN
*CreateNew
1560 if ((Mask
& SPI
) == 0) {
1561 NewSaId
->Spi
= OldSaId
->Spi
;
1562 } else if (NewSaId
->Spi
!= OldSaId
->Spi
) {
1566 if ((Mask
& IPSEC_PROTO
) == 0) {
1567 NewSaId
->Proto
= OldSaId
->Proto
;
1568 } else if (NewSaId
->Proto
!= OldSaId
->Proto
) {
1572 if ((Mask
& DEST
) == 0) {
1573 CopyMem (&NewData
->TunnelDestinationAddress
, &OldData
->TunnelDestinationAddress
, sizeof (EFI_IP_ADDRESS
));
1574 } else if (CompareMem (&NewData
->TunnelDestinationAddress
, &OldData
->TunnelDestinationAddress
, sizeof (EFI_IP_ADDRESS
)) != 0) {
1578 if ((Mask
& SOURCE
) == 0) {
1579 CopyMem (&NewData
->TunnelSourceAddress
, &OldData
->TunnelSourceAddress
, sizeof (EFI_IP_ADDRESS
));
1580 } else if (CompareMem (&NewData
->TunnelSourceAddress
, &OldData
->TunnelSourceAddress
, sizeof (EFI_IP_ADDRESS
)) != 0) {
1586 if ((Mask
& MODE
) != 0) {
1587 OldData
->Mode
= NewData
->Mode
;
1590 if ((Mask
& SEQUENCE_NUMBER
) != 0) {
1591 OldData
->SNCount
= NewData
->SNCount
;
1594 if ((Mask
& ANTIREPLAY_WINDOW
) != 0) {
1595 OldData
->AntiReplayWindows
= NewData
->AntiReplayWindows
;
1598 if ((Mask
& AUTH_ALGO
) != 0) {
1599 OldData
->AlgoInfo
.EspAlgoInfo
.AuthAlgoId
= NewData
->AlgoInfo
.EspAlgoInfo
.AuthAlgoId
;
1602 if ((Mask
& AUTH_KEY
) != 0) {
1603 OldData
->AlgoInfo
.EspAlgoInfo
.AuthKey
= NewData
->AlgoInfo
.EspAlgoInfo
.AuthKey
;
1604 OldData
->AlgoInfo
.EspAlgoInfo
.AuthKeyLength
= NewData
->AlgoInfo
.EspAlgoInfo
.AuthKeyLength
;
1607 if ((Mask
& ENCRYPT_ALGO
) != 0) {
1608 OldData
->AlgoInfo
.EspAlgoInfo
.EncAlgoId
= NewData
->AlgoInfo
.EspAlgoInfo
.EncAlgoId
;
1611 if ((Mask
& ENCRYPT_KEY
) != 0) {
1612 OldData
->AlgoInfo
.EspAlgoInfo
.EncKey
= NewData
->AlgoInfo
.EspAlgoInfo
.EncKey
;
1613 OldData
->AlgoInfo
.EspAlgoInfo
.EncKeyLength
= NewData
->AlgoInfo
.EspAlgoInfo
.EncKeyLength
;
1616 if (NewSaId
->Proto
== EfiIPsecAH
) {
1617 if ((Mask
& (ENCRYPT_ALGO
| ENCRYPT_KEY
)) != 0) {
1619 // Should not provide encrypt_* if AH.
1625 STRING_TOKEN (STR_IPSEC_CONFIG_UNWANTED_PARAMETER
),
1628 L
"--encrypt-algo --encrypt-key"
1630 return EFI_INVALID_PARAMETER
;
1634 if (NewSaId
->Proto
== EfiIPsecESP
&& OldSaId
->Proto
== EfiIPsecAH
) {
1637 // Should provide encrypt_algo at least.
1639 if ((Mask
& ENCRYPT_ALGO
) == 0) {
1644 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_PARAMETER
),
1649 return EFI_INVALID_PARAMETER
;
1653 // Encrypt_key should be provided if algorithm is not NONE.
1655 if (NewData
->AlgoInfo
.EspAlgoInfo
.EncAlgoId
!= IPSEC_EALG_NONE
&& (Mask
& ENCRYPT_KEY
) == 0) {
1660 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_PARAMETER
),
1665 return EFI_INVALID_PARAMETER
;
1669 if ((Mask
& LIFEBYTE
) != 0) {
1670 OldData
->SaLifetime
.ByteCount
= NewData
->SaLifetime
.ByteCount
;
1673 if ((Mask
& LIFETIME_SOFT
) != 0) {
1674 OldData
->SaLifetime
.SoftLifetime
= NewData
->SaLifetime
.SoftLifetime
;
1677 if ((Mask
& LIFETIME
) != 0) {
1678 OldData
->SaLifetime
.HardLifetime
= NewData
->SaLifetime
.HardLifetime
;
1681 if ((Mask
& PATH_MTU
) != 0) {
1682 OldData
->PathMTU
= NewData
->PathMTU
;
1685 // Process SpdSelector.
1687 if (OldData
->SpdSelector
== NULL
) {
1688 if ((Mask
& (LOCAL
| REMOTE
| PROTO
| LOCAL_PORT
| REMOTE_PORT
| ICMP_TYPE
| ICMP_CODE
)) != 0) {
1689 if ((Mask
& (LOCAL
| REMOTE
| PROTO
)) != (LOCAL
| REMOTE
| PROTO
)) {
1694 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS
),
1697 L
"--local --remote --proto"
1699 return EFI_INVALID_PARAMETER
;
1702 OldData
->SpdSelector
= NewData
->SpdSelector
;
1705 if ((Mask
& LOCAL
) != 0) {
1706 OldData
->SpdSelector
->LocalAddressCount
= NewData
->SpdSelector
->LocalAddressCount
;
1707 OldData
->SpdSelector
->LocalAddress
= NewData
->SpdSelector
->LocalAddress
;
1710 if ((Mask
& REMOTE
) != 0) {
1711 OldData
->SpdSelector
->RemoteAddressCount
= NewData
->SpdSelector
->RemoteAddressCount
;
1712 OldData
->SpdSelector
->RemoteAddress
= NewData
->SpdSelector
->RemoteAddress
;
1715 if ((Mask
& PROTO
) != 0) {
1716 OldData
->SpdSelector
->NextLayerProtocol
= NewData
->SpdSelector
->NextLayerProtocol
;
1719 if (OldData
->SpdSelector
!= NULL
) {
1720 switch (OldData
->SpdSelector
->NextLayerProtocol
) {
1721 case EFI_IP4_PROTO_TCP
:
1722 case EFI_IP4_PROTO_UDP
:
1723 if ((Mask
& LOCAL_PORT
) != 0) {
1724 OldData
->SpdSelector
->LocalPort
= NewData
->SpdSelector
->LocalPort
;
1727 if ((Mask
& REMOTE_PORT
) != 0) {
1728 OldData
->SpdSelector
->RemotePort
= NewData
->SpdSelector
->RemotePort
;
1732 case EFI_IP4_PROTO_ICMP
:
1733 if ((Mask
& ICMP_TYPE
) != 0) {
1734 OldData
->SpdSelector
->LocalPort
= (UINT8
) NewData
->SpdSelector
->LocalPort
;
1737 if ((Mask
& ICMP_CODE
) != 0) {
1738 OldData
->SpdSelector
->RemotePort
= (UINT8
) NewData
->SpdSelector
->RemotePort
;
1749 Combine old PAD entry with new PAD entry.
1751 @param[in, out] OldPadId The pointer to the EFI_IPSEC_PAD_ID structure.
1752 @param[in, out] OldData The pointer to the EFI_IPSEC_PAD_DATA structure.
1753 @param[in] NewPadId The pointer to the EFI_IPSEC_PAD_ID structure.
1754 @param[in] NewData The pointer to the EFI_IPSEC_PAD_DATA structure.
1755 @param[in] Mask The pointer to the Mask.
1756 @param[out] CreateNew The switch to create new.
1758 @retval EFI_SUCCESS Combined successfully.
1759 @retval EFI_INVALID_PARAMETER Invalid user input parameter.
1764 IN OUT EFI_IPSEC_PAD_ID
*OldPadId
,
1765 IN OUT EFI_IPSEC_PAD_DATA
*OldData
,
1766 IN EFI_IPSEC_PAD_ID
*NewPadId
,
1767 IN EFI_IPSEC_PAD_DATA
*NewData
,
1769 OUT BOOLEAN
*CreateNew
1775 if ((Mask
& (PEER_ID
| PEER_ADDRESS
)) == 0) {
1776 CopyMem (NewPadId
, OldPadId
, sizeof (EFI_IPSEC_PAD_ID
));
1778 if ((Mask
& PEER_ID
) != 0) {
1779 if (OldPadId
->PeerIdValid
) {
1780 if (StrCmp ((CONST CHAR16
*) OldPadId
->Id
.PeerId
, (CONST CHAR16
*) NewPadId
->Id
.PeerId
) != 0) {
1788 // MASK & PEER_ADDRESS
1790 if (OldPadId
->PeerIdValid
) {
1793 if ((CompareMem (&OldPadId
->Id
.IpAddress
.Address
, &NewPadId
->Id
.IpAddress
.Address
, sizeof (EFI_IP_ADDRESS
)) != 0) ||
1794 (OldPadId
->Id
.IpAddress
.PrefixLength
!= NewPadId
->Id
.IpAddress
.PrefixLength
)) {
1801 if ((Mask
& AUTH_PROTO
) != 0) {
1802 OldData
->AuthProtocol
= NewData
->AuthProtocol
;
1805 if ((Mask
& AUTH_METHOD
) != 0) {
1806 OldData
->AuthMethod
= NewData
->AuthMethod
;
1809 if ((Mask
& IKE_ID
) != 0) {
1810 OldData
->IkeIdFlag
= NewData
->IkeIdFlag
;
1813 if ((Mask
& AUTH_DATA
) != 0) {
1814 OldData
->AuthDataSize
= NewData
->AuthDataSize
;
1815 OldData
->AuthData
= NewData
->AuthData
;
1818 if ((Mask
& REVOCATION_DATA
) != 0) {
1819 OldData
->RevocationDataSize
= NewData
->RevocationDataSize
;
1820 OldData
->RevocationData
= NewData
->RevocationData
;
1826 COMBINE_POLICY_ENTRY mCombinePolicyEntry
[] = {
1827 (COMBINE_POLICY_ENTRY
) CombineSpdEntry
,
1828 (COMBINE_POLICY_ENTRY
) CombineSadEntry
,
1829 (COMBINE_POLICY_ENTRY
) CombinePadEntry
1833 Edit entry information in the database.
1835 @param[in] Selector The pointer to the EFI_IPSEC_CONFIG_SELECTOR structure.
1836 @param[in] Data The pointer to the data.
1837 @param[in] Context The pointer to the INSERT_POLICY_ENTRY_CONTEXT structure.
1839 @retval EFI_SUCCESS Continue the iteration.
1840 @retval EFI_ABORTED Abort the iteration.
1843 EditOperatePolicyEntry (
1844 IN EFI_IPSEC_CONFIG_SELECTOR
*Selector
,
1846 IN EDIT_POLICY_ENTRY_CONTEXT
*Context
1852 if (mMatchPolicyEntry
[Context
->DataType
] (Selector
, Data
, &Context
->Indexer
)) {
1853 ASSERT (Context
->DataType
< 3);
1855 Status
= mCombinePolicyEntry
[Context
->DataType
] (
1863 if (!EFI_ERROR (Status
)) {
1866 // Insert new entry before old entry
1868 Status
= mIpSecConfig
->SetData (
1875 ASSERT_EFI_ERROR (Status
);
1879 Status
= mIpSecConfig
->SetData (
1886 ASSERT_EFI_ERROR (Status
);
1888 Status
= mIpSecConfig
->SetData (
1898 Context
->Status
= Status
;
1906 Edit entry information in database according to datatype.
1908 @param[in] DataType The value of EFI_IPSEC_CONFIG_DATA_TYPE.
1909 @param[in] ParamPackage The pointer to the ParamPackage list.
1911 @retval EFI_SUCCESS Edit entry information successfully.
1912 @retval EFI_NOT_FOUND Can't find the specified entry.
1913 @retval Others Some mistaken case.
1917 IN EFI_IPSEC_CONFIG_DATA_TYPE DataType
,
1918 IN LIST_ENTRY
*ParamPackage
1922 EDIT_POLICY_ENTRY_CONTEXT Context
;
1923 CONST CHAR16
*ValueStr
;
1925 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"-e");
1926 if (ValueStr
== NULL
) {
1927 ShellPrintHiiEx (-1, -1, NULL
, STRING_TOKEN (STR_IPSEC_CONFIG_INDEX_NOT_SPECIFIED
), mHiiHandle
, mAppName
, ValueStr
);
1928 return EFI_NOT_FOUND
;
1931 Status
= mConstructPolicyEntryIndexer
[DataType
] (&Context
.Indexer
, ParamPackage
);
1932 if (!EFI_ERROR (Status
)) {
1933 Context
.DataType
= DataType
;
1934 Context
.Status
= EFI_NOT_FOUND
;
1935 Status
= mCreatePolicyEntry
[DataType
] (&Context
.Selector
, &Context
.Data
, ParamPackage
, &Context
.Mask
, FALSE
);
1936 if (!EFI_ERROR (Status
)) {
1937 ForeachPolicyEntry (DataType
, (VISIT_POLICY_ENTRY
) EditOperatePolicyEntry
, &Context
);
1938 Status
= Context
.Status
;
1941 if (Context
.Selector
!= NULL
) {
1942 gBS
->FreePool (Context
.Selector
);
1945 if (Context
.Data
!= NULL
) {
1946 gBS
->FreePool (Context
.Data
);
1950 if (Status
== EFI_NOT_FOUND
) {
1951 ShellPrintHiiEx (-1, -1, NULL
, STRING_TOKEN (STR_IPSEC_CONFIG_INDEX_NOT_FOUND
), mHiiHandle
, mAppName
, ValueStr
);
1952 } else if (EFI_ERROR (Status
)) {
1953 ShellPrintHiiEx (-1, -1, NULL
, STRING_TOKEN (STR_IPSEC_CONFIG_EDIT_FAILED
), mHiiHandle
, mAppName
);
1961 Insert entry information in database.
1963 @param[in] Selector The pointer to the EFI_IPSEC_CONFIG_SELECTOR structure.
1964 @param[in] Data The pointer to the data.
1965 @param[in] Context The pointer to the INSERT_POLICY_ENTRY_CONTEXT structure.
1967 @retval EFI_SUCCESS Continue the iteration.
1968 @retval EFI_ABORTED Abort the iteration.
1972 IN EFI_IPSEC_CONFIG_SELECTOR
*Selector
,
1974 IN INSERT_POLICY_ENTRY_CONTEXT
*Context
1978 // Found the entry which we want to insert before.
1980 if (mMatchPolicyEntry
[Context
->DataType
] (Selector
, Data
, &Context
->Indexer
)) {
1982 Context
->Status
= mIpSecConfig
->SetData (
1990 // Abort the iteration after the insertion.
1999 Insert or add entry information in database according to datatype.
2001 @param[in] DataType The value of EFI_IPSEC_CONFIG_DATA_TYPE.
2002 @param[in] ParamPackage The pointer to the ParamPackage list.
2004 @retval EFI_SUCCESS Insert or add entry information successfully.
2005 @retval EFI_NOT_FOUND Can't find the specified entry.
2006 @retval EFI_BUFFER_TOO_SMALL The entry already existed.
2007 @retval EFI_UNSUPPORTED The operation is not supported.
2008 @retval Others Some mistaken case.
2011 AddOrInsertPolicyEntry (
2012 IN EFI_IPSEC_CONFIG_DATA_TYPE DataType
,
2013 IN LIST_ENTRY
*ParamPackage
2017 EFI_IPSEC_CONFIG_SELECTOR
*Selector
;
2019 INSERT_POLICY_ENTRY_CONTEXT Context
;
2022 CONST CHAR16
*ValueStr
;
2024 Status
= mCreatePolicyEntry
[DataType
] (&Selector
, &Data
, ParamPackage
, &Mask
, TRUE
);
2025 if (!EFI_ERROR (Status
)) {
2027 // Find if the Selector to be inserted already exists.
2030 Status
= mIpSecConfig
->GetData (
2037 if (Status
== EFI_BUFFER_TOO_SMALL
) {
2038 ShellPrintHiiEx (-1, -1, NULL
, STRING_TOKEN (STR_IPSEC_CONFIG_ALREADY_EXISTS
), mHiiHandle
, mAppName
);
2039 } else if (ShellCommandLineGetFlag (ParamPackage
, L
"-a")) {
2040 Status
= mIpSecConfig
->SetData (
2048 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"-i");
2049 if (ValueStr
== NULL
) {
2050 ShellPrintHiiEx (-1, -1, NULL
, STRING_TOKEN (STR_IPSEC_CONFIG_INDEX_NOT_SPECIFIED
), mHiiHandle
, mAppName
, ValueStr
);
2051 return EFI_NOT_FOUND
;
2054 Status
= mConstructPolicyEntryIndexer
[DataType
] (&Context
.Indexer
, ParamPackage
);
2055 if (!EFI_ERROR (Status
)) {
2056 Context
.DataType
= DataType
;
2057 Context
.Status
= EFI_NOT_FOUND
;
2058 Context
.Selector
= Selector
;
2059 Context
.Data
= Data
;
2061 ForeachPolicyEntry (DataType
, (VISIT_POLICY_ENTRY
) InsertPolicyEntry
, &Context
);
2062 Status
= Context
.Status
;
2063 if (Status
== EFI_NOT_FOUND
) {
2064 ShellPrintHiiEx (-1, -1, NULL
, STRING_TOKEN (STR_IPSEC_CONFIG_INDEX_NOT_FOUND
), mHiiHandle
, mAppName
, ValueStr
);
2069 gBS
->FreePool (Selector
);
2070 gBS
->FreePool (Data
);
2073 if (Status
== EFI_UNSUPPORTED
) {
2074 ShellPrintHiiEx (-1, -1, NULL
, STRING_TOKEN (STR_IPSEC_CONFIG_INSERT_UNSUPPORT
), mHiiHandle
, mAppName
);
2075 } else if (EFI_ERROR (Status
)) {
2076 ShellPrintHiiEx (-1, -1, NULL
, STRING_TOKEN (STR_IPSEC_CONFIG_INSERT_FAILED
), mHiiHandle
, mAppName
);