2 The implementation of the policy entry operation functions (creating and combining SPD, SAD and PAD entries from command-line parameters) in the IpSecConfig application.
4 Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
6 SPDX-License-Identifier: BSD-2-Clause-Patent
10 #include "IpSecConfig.h"
15 #include "PolicyEntryOperation.h"
18 Fill in EFI_IPSEC_SPD_SELECTOR through ParamPackage list.
20 @param[out] Selector The pointer to the EFI_IPSEC_SPD_SELECTOR structure.
21 @param[in] ParamPackage The pointer to the ParamPackage list.
22 @param[in, out] Mask The pointer to the mask of fields supplied by the user; the bit for each selector option parsed here is OR'ed into it.
24 @retval EFI_SUCCESS Fill in EFI_IPSEC_SPD_SELECTOR successfully.
25 @retval EFI_INVALID_PARAMETER Invalid user input parameter.
30 OUT EFI_IPSEC_SPD_SELECTOR
*Selector
,
31 IN LIST_ENTRY
*ParamPackage
,
36 EFI_STATUS ReturnStatus
;
37 CONST CHAR16
*ValueStr
;
40 ReturnStatus
= EFI_SUCCESS
;
43 // Parse the --local address (or address range) string into LocalAddress and set LocalAddressCount to 1; a value EfiInetAddrRange rejects is reported and makes the call return EFI_INVALID_PARAMETER.
45 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--local");
46 if (ValueStr
!= NULL
) {
47 Selector
->LocalAddressCount
= 1;
48 Status
= EfiInetAddrRange ((CHAR16
*) ValueStr
, Selector
->LocalAddress
);
49 if (EFI_ERROR (Status
)) {
54 STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE
),
60 ReturnStatus
= EFI_INVALID_PARAMETER
;
67 // Parse the --remote address (or address range) string into RemoteAddress and set RemoteAddressCount to 1; a value EfiInetAddrRange rejects is reported and makes the call return EFI_INVALID_PARAMETER.
69 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--remote");
70 if (ValueStr
!= NULL
) {
71 Selector
->RemoteAddressCount
= 1;
72 Status
= EfiInetAddrRange ((CHAR16
*) ValueStr
, Selector
->RemoteAddress
);
73 if (EFI_ERROR (Status
)) {
78 STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE
),
84 ReturnStatus
= EFI_INVALID_PARAMETER
;
90 Selector
->NextLayerProtocol
= EFI_IPSEC_ANY_PROTOCOL
;
93 // Convert the user input from string (name or number) to integer and fill in NextLayerProtocol of EFI_IPSEC_SPD_SELECTOR; it was preset to EFI_IPSEC_ANY_PROTOCOL above so an absent option keeps the wildcard.
98 &Selector
->NextLayerProtocol
,
102 FORMAT_NUMBER
| FORMAT_STRING
104 if (!EFI_ERROR (Status
)) {
108 if (Status
== EFI_INVALID_PARAMETER
) {
109 ReturnStatus
= EFI_INVALID_PARAMETER
;
112 Selector
->LocalPort
= EFI_IPSEC_ANY_PORT
;
113 Selector
->RemotePort
= EFI_IPSEC_ANY_PORT
;
116 // Parse the --local-port port (or port range) string into LocalPort/LocalPortRange of EFI_IPSEC_SPD_SELECTOR; both ports were preset to EFI_IPSEC_ANY_PORT above.
118 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--local-port");
119 if (ValueStr
!= NULL
) {
120 Status
= EfiInetPortRange ((CHAR16
*) ValueStr
, &Selector
->LocalPort
, &Selector
->LocalPortRange
);
121 if (EFI_ERROR (Status
)) {
126 STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE
),
132 ReturnStatus
= EFI_INVALID_PARAMETER
;
139 // Parse the --remote-port port (or port range) string into RemotePort/RemotePortRange of EFI_IPSEC_SPD_SELECTOR.
141 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--remote-port");
142 if (ValueStr
!= NULL
) {
143 Status
= EfiInetPortRange ((CHAR16
*) ValueStr
, &Selector
->RemotePort
, &Selector
->RemotePortRange
);
144 if (EFI_ERROR (Status
)) {
149 STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE
),
155 ReturnStatus
= EFI_INVALID_PARAMETER
;
157 *Mask
|= REMOTE_PORT
;
162 // Convert the user input from string to integer and store it in LocalPort of EFI_IPSEC_SPD_SELECTOR (for ICMP this field carries the ICMP type, see the ICMP_TYPE handling in CombineSpdEntry).
167 &Selector
->LocalPort
,
173 if (!EFI_ERROR (Status
)) {
177 if (Status
== EFI_INVALID_PARAMETER
) {
178 ReturnStatus
= EFI_INVALID_PARAMETER
;
182 // Convert the user input from string to integer and store it in RemotePort of EFI_IPSEC_SPD_SELECTOR (for ICMP this field carries the ICMP code, see the ICMP_CODE handling in CombineSpdEntry).
187 &Selector
->RemotePort
,
193 if (!EFI_ERROR (Status
)) {
197 if (Status
== EFI_INVALID_PARAMETER
) {
198 ReturnStatus
= EFI_INVALID_PARAMETER
;
205 Fill in EFI_IPSEC_SPD_SELECTOR and EFI_IPSEC_SPD_DATA through ParamPackage list.
207 @param[out] Selector The pointer to the EFI_IPSEC_SPD_SELECTOR structure.
208 @param[out] Data The pointer to the EFI_IPSEC_SPD_DATA structure.
209 @param[in] ParamPackage The pointer to the ParamPackage list.
210 @param[in, out] Mask The pointer to the mask of fields supplied by the user; bits for every option parsed here (and by CreateSpdSelector) are OR'ed into it.
211 @param[in] CreateNew The switch to create new.
213 @retval EFI_SUCCESS Fill in EFI_IPSEC_SPD_SELECTOR and EFI_IPSEC_SPD_DATA successfully.
214 @retval EFI_INVALID_PARAMETER Invalid user input parameter.
219 OUT EFI_IPSEC_SPD_SELECTOR
**Selector
,
220 OUT EFI_IPSEC_SPD_DATA
**Data
,
221 IN LIST_ENTRY
*ParamPackage
,
227 EFI_STATUS ReturnStatus
;
228 CONST CHAR16
*ValueStr
;
231 Status
= EFI_SUCCESS
;
234 *Selector
= AllocateZeroPool (sizeof (EFI_IPSEC_SPD_SELECTOR
) + 2 * sizeof (EFI_IP_ADDRESS_INFO
));
235 ASSERT (*Selector
!= NULL
);
237 (*Selector
)->LocalAddress
= (EFI_IP_ADDRESS_INFO
*) (*Selector
+ 1);
238 (*Selector
)->RemoteAddress
= (*Selector
)->LocalAddress
+ 1;
240 ReturnStatus
= CreateSpdSelector (*Selector
, ParamPackage
, Mask
);
244 // NOTE: Allocate enough memory and add padding for different arch.
246 DataSize
= ALIGN_VARIABLE (sizeof (EFI_IPSEC_SPD_DATA
));
247 DataSize
= ALIGN_VARIABLE (DataSize
+ sizeof (EFI_IPSEC_PROCESS_POLICY
));
248 DataSize
+= sizeof (EFI_IPSEC_TUNNEL_OPTION
);
250 *Data
= AllocateZeroPool (DataSize
);
251 ASSERT (*Data
!= NULL
);
253 (*Data
)->ProcessingPolicy
= (EFI_IPSEC_PROCESS_POLICY
*) ALIGN_POINTER (
257 (*Data
)->ProcessingPolicy
->TunnelOption
= (EFI_IPSEC_TUNNEL_OPTION
*) ALIGN_POINTER (
258 ((*Data
)->ProcessingPolicy
+ 1),
264 // Copy the --name value into Name of EFI_IPSEC_SPD_DATA, converting Unicode to ASCII bounded by sizeof (Name). The conversion status is not checked, so an over-long name is not reported to the user.
266 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--name");
267 if (ValueStr
!= NULL
) {
268 UnicodeStrToAsciiStrS (ValueStr
, (CHAR8
*) (*Data
)->Name
, sizeof ((*Data
)->Name
));
273 // Convert the user input from string to integer, and fill in PackageFlag of EFI_IPSEC_SPD_DATA.
278 &(*Data
)->PackageFlag
,
284 if (!EFI_ERROR (Status
)) {
285 *Mask
|= PACKET_FLAG
;
288 if (Status
== EFI_INVALID_PARAMETER
) {
289 ReturnStatus
= EFI_INVALID_PARAMETER
;
293 // Convert the user input from string to integer, and fill in Action of EFI_IPSEC_SPD_DATA.
304 if (!EFI_ERROR (Status
)) {
308 if (Status
== EFI_INVALID_PARAMETER
) {
309 ReturnStatus
= EFI_INVALID_PARAMETER
;
313 // Fill in ExtSeqNum of the processing policy: "--ext-sequence" sets it TRUE, "--ext-sequence-" sets it FALSE; either form marks EXT_SEQUENCE in the mask.
315 if (ShellCommandLineGetFlag (ParamPackage
, L
"--ext-sequence")) {
316 (*Data
)->ProcessingPolicy
->ExtSeqNum
= TRUE
;
317 *Mask
|= EXT_SEQUENCE
;
318 } else if (ShellCommandLineGetFlag (ParamPackage
, L
"--ext-sequence-")) {
319 (*Data
)->ProcessingPolicy
->ExtSeqNum
= FALSE
;
320 *Mask
|= EXT_SEQUENCE
;
324 // Fill in SeqOverflow of the processing policy: "--sequence-overflow" sets it TRUE, "--sequence-overflow-" sets it FALSE; either form marks SEQUENCE_OVERFLOW in the mask.
326 if (ShellCommandLineGetFlag (ParamPackage
, L
"--sequence-overflow")) {
327 (*Data
)->ProcessingPolicy
->SeqOverflow
= TRUE
;
328 *Mask
|= SEQUENCE_OVERFLOW
;
329 } else if (ShellCommandLineGetFlag (ParamPackage
, L
"--sequence-overflow-")) {
330 (*Data
)->ProcessingPolicy
->SeqOverflow
= FALSE
;
331 *Mask
|= SEQUENCE_OVERFLOW
;
335 // Fill in FragCheck of the processing policy: "--fragment-check" sets it TRUE, "--fragment-check-" sets it FALSE; either form marks FRAGMENT_CHECK in the mask.
337 if (ShellCommandLineGetFlag (ParamPackage
, L
"--fragment-check")) {
338 (*Data
)->ProcessingPolicy
->FragCheck
= TRUE
;
339 *Mask
|= FRAGMENT_CHECK
;
340 } else if (ShellCommandLineGetFlag (ParamPackage
, L
"--fragment-check-")) {
341 (*Data
)->ProcessingPolicy
->FragCheck
= FALSE
;
342 *Mask
|= FRAGMENT_CHECK
;
346 // Convert the user input from string to integer, and fill in the remaining ProcessingPolicy members (lifetimes, mode, tunnel options, protocol and algorithms) of EFI_IPSEC_SPD_DATA.
351 &(*Data
)->ProcessingPolicy
->SaLifetime
.ByteCount
,
357 if (!EFI_ERROR (Status
)) {
361 if (Status
== EFI_INVALID_PARAMETER
) {
362 ReturnStatus
= EFI_INVALID_PARAMETER
;
368 &(*Data
)->ProcessingPolicy
->SaLifetime
.HardLifetime
,
374 if (!EFI_ERROR (Status
)) {
377 if (Status
== EFI_INVALID_PARAMETER
) {
378 ReturnStatus
= EFI_INVALID_PARAMETER
;
384 &(*Data
)->ProcessingPolicy
->SaLifetime
.SoftLifetime
,
390 if (!EFI_ERROR (Status
)) {
391 *Mask
|= LIFETIME_SOFT
;
394 if (Status
== EFI_INVALID_PARAMETER
) {
395 ReturnStatus
= EFI_INVALID_PARAMETER
;
398 (*Data
)->ProcessingPolicy
->Mode
= EfiIPsecTransport
;
402 &(*Data
)->ProcessingPolicy
->Mode
,
408 if (!EFI_ERROR (Status
)) {
412 if (Status
== EFI_INVALID_PARAMETER
) {
413 ReturnStatus
= EFI_INVALID_PARAMETER
;
416 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--tunnel-local");
417 if (ValueStr
!= NULL
) {
418 Status
= EfiInetAddr2 ((CHAR16
*) ValueStr
, &(*Data
)->ProcessingPolicy
->TunnelOption
->LocalTunnelAddress
);
419 if (EFI_ERROR (Status
)) {
424 STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE
),
430 ReturnStatus
= EFI_INVALID_PARAMETER
;
432 *Mask
|= TUNNEL_LOCAL
;
436 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--tunnel-remote");
437 if (ValueStr
!= NULL
) {
438 Status
= EfiInetAddr2 ((CHAR16
*) ValueStr
, &(*Data
)->ProcessingPolicy
->TunnelOption
->RemoteTunnelAddress
);
439 if (EFI_ERROR (Status
)) {
444 STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE
),
450 ReturnStatus
= EFI_INVALID_PARAMETER
;
452 *Mask
|= TUNNEL_REMOTE
;
456 (*Data
)->ProcessingPolicy
->TunnelOption
->DF
= EfiIPsecTunnelCopyDf
;
460 &(*Data
)->ProcessingPolicy
->TunnelOption
->DF
,
466 if (!EFI_ERROR (Status
)) {
467 *Mask
|= DONT_FRAGMENT
;
470 if (Status
== EFI_INVALID_PARAMETER
) {
471 ReturnStatus
= EFI_INVALID_PARAMETER
;
474 (*Data
)->ProcessingPolicy
->Proto
= EfiIPsecESP
;
478 &(*Data
)->ProcessingPolicy
->Proto
,
484 if (!EFI_ERROR (Status
)) {
485 *Mask
|= IPSEC_PROTO
;
488 if (Status
== EFI_INVALID_PARAMETER
) {
489 ReturnStatus
= EFI_INVALID_PARAMETER
;
495 &(*Data
)->ProcessingPolicy
->EncAlgoId
,
501 if (!EFI_ERROR (Status
)) {
502 *Mask
|= ENCRYPT_ALGO
;
505 if (Status
== EFI_INVALID_PARAMETER
) {
506 ReturnStatus
= EFI_INVALID_PARAMETER
;
512 &(*Data
)->ProcessingPolicy
->AuthAlgoId
,
518 if (!EFI_ERROR (Status
)) {
522 if (Status
== EFI_INVALID_PARAMETER
) {
523 ReturnStatus
= EFI_INVALID_PARAMETER
;
527 // Mode cannot be checked against EfiIPsecTunnel here, because the user may want to change only --tunnel-remote, in which case Mode is not set.
529 if ((*Mask
& (TUNNEL_LOCAL
| TUNNEL_REMOTE
| DONT_FRAGMENT
)) == 0) {
530 (*Data
)->ProcessingPolicy
->TunnelOption
= NULL
;
533 if ((*Mask
& (EXT_SEQUENCE
| SEQUENCE_OVERFLOW
| FRAGMENT_CHECK
| LIFEBYTE
|
534 LIFETIME_SOFT
| LIFETIME
| MODE
| TUNNEL_LOCAL
| TUNNEL_REMOTE
|
535 DONT_FRAGMENT
| IPSEC_PROTO
| AUTH_ALGO
| ENCRYPT_ALGO
)) == 0) {
536 if ((*Data
)->Action
!= EfiIPsecActionProtect
) {
538 // The user may not provide any additional parameter for the Protect action, so ProcessingPolicy cannot simply be set to NULL here.
540 (*Data
)->ProcessingPolicy
= NULL
;
545 if ((*Mask
& (LOCAL
| REMOTE
| PROTO
| ACTION
)) != (LOCAL
| REMOTE
| PROTO
| ACTION
)) {
550 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS
),
553 L
"--local --remote --proto --action"
555 ReturnStatus
= EFI_INVALID_PARAMETER
;
556 } else if (((*Data
)->Action
== EfiIPsecActionProtect
) &&
557 ((*Data
)->ProcessingPolicy
->Mode
== EfiIPsecTunnel
) &&
558 ((*Mask
& (TUNNEL_LOCAL
| TUNNEL_REMOTE
)) != (TUNNEL_LOCAL
| TUNNEL_REMOTE
))) {
563 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS
),
566 L
"--tunnel-local --tunnel-remote"
568 ReturnStatus
= EFI_INVALID_PARAMETER
;
576 Fill in EFI_IPSEC_SA_ID and EFI_IPSEC_SA_DATA2 through ParamPackage list.
578 @param[out] SaId The pointer to the EFI_IPSEC_SA_ID structure.
579 @param[out] Data The pointer to the EFI_IPSEC_SA_DATA2 structure.
580 @param[in] ParamPackage The pointer to the ParamPackage list.
581 @param[in, out] Mask The pointer to the mask of fields supplied by the user; bits for every option parsed here (and by CreateSpdSelector) are OR'ed into it.
582 @param[in] CreateNew The switch to create new.
584 @retval EFI_SUCCESS Fill in EFI_IPSEC_SA_ID and EFI_IPSEC_SA_DATA2 successfully.
585 @retval EFI_INVALID_PARAMETER Invalid user input parameter.
590 OUT EFI_IPSEC_SA_ID
**SaId
,
591 OUT EFI_IPSEC_SA_DATA2
**Data
,
592 IN LIST_ENTRY
*ParamPackage
,
598 EFI_STATUS ReturnStatus
;
601 CONST CHAR16
*ValueStr
;
605 Status
= EFI_SUCCESS
;
606 ReturnStatus
= EFI_SUCCESS
;
611 *SaId
= AllocateZeroPool (sizeof (EFI_IPSEC_SA_ID
));
612 ASSERT (*SaId
!= NULL
);
615 // Convert the user input from string to integer, and fill in Spi of EFI_IPSEC_SA_ID.
617 Status
= GetNumber (L
"--spi", (UINT32
) -1, &(*SaId
)->Spi
, sizeof (UINT32
), NULL
, ParamPackage
, FORMAT_NUMBER
);
618 if (!EFI_ERROR (Status
)) {
622 if (Status
== EFI_INVALID_PARAMETER
) {
623 ReturnStatus
= EFI_INVALID_PARAMETER
;
627 // Convert the user input from string to integer, and fill in Proto of EFI_IPSEC_SA_ID.
633 sizeof (EFI_IPSEC_PROTOCOL_TYPE
),
638 if (!EFI_ERROR (Status
)) {
639 *Mask
|= IPSEC_PROTO
;
642 if (Status
== EFI_INVALID_PARAMETER
) {
643 ReturnStatus
= EFI_INVALID_PARAMETER
;
647 // Determine the lengths of the --auth-key and --encrypt-key values, which size the buffers below. The key material is the ASCII bytes of the string as typed (StrLen characters, not hex-decoded).
649 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--auth-key");
650 if (ValueStr
!= NULL
) {
651 AuthKeyLength
= StrLen (ValueStr
);
654 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--encrypt-key");
655 if (ValueStr
!= NULL
) {
656 EncKeyLength
= StrLen (ValueStr
);
660 // EFI_IPSEC_SA_DATA2:
662 // | EFI_IPSEC_SA_DATA2
663 // +-----------------------
665 // +-------------------------
667 // +-------------------------
670 // Note: padding is added after each item where needed so that every embedded pointer target is suitably aligned.
672 DataSize
= ALIGN_VARIABLE (sizeof (EFI_IPSEC_SA_DATA2
));
673 DataSize
= ALIGN_VARIABLE (DataSize
+ AuthKeyLength
);
674 DataSize
= ALIGN_VARIABLE (DataSize
+ EncKeyLength
);
675 DataSize
= ALIGN_VARIABLE (DataSize
+ sizeof (EFI_IPSEC_SPD_SELECTOR
));
676 DataSize
= ALIGN_VARIABLE (DataSize
+ sizeof (EFI_IP_ADDRESS_INFO
));
677 DataSize
+= sizeof (EFI_IP_ADDRESS_INFO
);
681 *Data
= AllocateZeroPool (DataSize
);
682 ASSERT (*Data
!= NULL
);
684 (*Data
)->ManualSet
= TRUE
;
685 (*Data
)->AlgoInfo
.EspAlgoInfo
.AuthKey
= (VOID
*) ALIGN_POINTER (((*Data
) + 1), sizeof (UINTN
));
686 (*Data
)->AlgoInfo
.EspAlgoInfo
.EncKey
= (VOID
*) ALIGN_POINTER (
687 ((UINT8
*) (*Data
)->AlgoInfo
.EspAlgoInfo
.AuthKey
+ AuthKeyLength
),
690 (*Data
)->SpdSelector
= (EFI_IPSEC_SPD_SELECTOR
*) ALIGN_POINTER (
691 ((UINT8
*) (*Data
)->AlgoInfo
.EspAlgoInfo
.EncKey
+ EncKeyLength
),
694 (*Data
)->SpdSelector
->LocalAddress
= (EFI_IP_ADDRESS_INFO
*) ALIGN_POINTER (
695 ((UINT8
*) (*Data
)->SpdSelector
+ sizeof (EFI_IPSEC_SPD_SELECTOR
)),
697 (*Data
)->SpdSelector
->RemoteAddress
= (EFI_IP_ADDRESS_INFO
*) ALIGN_POINTER (
698 (*Data
)->SpdSelector
->LocalAddress
+ 1,
702 (*Data
)->Mode
= EfiIPsecTransport
;
707 sizeof (EFI_IPSEC_MODE
),
712 if (!EFI_ERROR (Status
)) {
716 if (Status
== EFI_INVALID_PARAMETER
) {
717 ReturnStatus
= EFI_INVALID_PARAMETER
;
721 // According to RFC 4303-3.3.3. The first packet sent using a given SA
722 // will contain a sequence number of 1.
724 (*Data
)->SNCount
= 1;
726 L
"--sequence-number",
734 if (!EFI_ERROR (Status
)) {
735 *Mask
|= SEQUENCE_NUMBER
;
738 if (Status
== EFI_INVALID_PARAMETER
) {
739 ReturnStatus
= EFI_INVALID_PARAMETER
;
742 (*Data
)->AntiReplayWindows
= 0;
744 L
"--antireplay-window",
746 &(*Data
)->AntiReplayWindows
,
752 if (!EFI_ERROR (Status
)) {
753 *Mask
|= SEQUENCE_NUMBER
;
756 if (Status
== EFI_INVALID_PARAMETER
) {
757 ReturnStatus
= EFI_INVALID_PARAMETER
;
763 &(*Data
)->AlgoInfo
.EspAlgoInfo
.EncAlgoId
,
769 if (!EFI_ERROR (Status
)) {
770 *Mask
|= ENCRYPT_ALGO
;
773 if (Status
== EFI_INVALID_PARAMETER
) {
774 ReturnStatus
= EFI_INVALID_PARAMETER
;
777 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--encrypt-key");
778 if (ValueStr
!= NULL
) {
779 (*Data
)->AlgoInfo
.EspAlgoInfo
.EncKeyLength
= EncKeyLength
;
780 AsciiStr
= AllocateZeroPool (EncKeyLength
+ 1);
781 ASSERT (AsciiStr
!= NULL
);
782 UnicodeStrToAsciiStrS (ValueStr
, AsciiStr
, EncKeyLength
+ 1);
783 CopyMem ((*Data
)->AlgoInfo
.EspAlgoInfo
.EncKey
, AsciiStr
, EncKeyLength
);
785 *Mask
|= ENCRYPT_KEY
;
787 (*Data
)->AlgoInfo
.EspAlgoInfo
.EncKey
= NULL
;
793 &(*Data
)->AlgoInfo
.EspAlgoInfo
.AuthAlgoId
,
799 if (!EFI_ERROR (Status
)) {
803 if (Status
== EFI_INVALID_PARAMETER
) {
804 ReturnStatus
= EFI_INVALID_PARAMETER
;
807 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--auth-key");
808 if (ValueStr
!= NULL
) {
809 (*Data
)->AlgoInfo
.EspAlgoInfo
.AuthKeyLength
= AuthKeyLength
;
810 AsciiStr
= AllocateZeroPool (AuthKeyLength
+ 1);
811 ASSERT (AsciiStr
!= NULL
);
812 UnicodeStrToAsciiStrS (ValueStr
, AsciiStr
, AuthKeyLength
+ 1);
813 CopyMem ((*Data
)->AlgoInfo
.EspAlgoInfo
.AuthKey
, AsciiStr
, AuthKeyLength
);
817 (*Data
)->AlgoInfo
.EspAlgoInfo
.AuthKey
= NULL
;
823 &(*Data
)->SaLifetime
.ByteCount
,
829 if (!EFI_ERROR (Status
)) {
833 if (Status
== EFI_INVALID_PARAMETER
) {
834 ReturnStatus
= EFI_INVALID_PARAMETER
;
840 &(*Data
)->SaLifetime
.HardLifetime
,
846 if (!EFI_ERROR (Status
)) {
850 if (Status
== EFI_INVALID_PARAMETER
) {
851 ReturnStatus
= EFI_INVALID_PARAMETER
;
857 &(*Data
)->SaLifetime
.SoftLifetime
,
863 if (!EFI_ERROR (Status
)) {
864 *Mask
|= LIFETIME_SOFT
;
867 if (Status
== EFI_INVALID_PARAMETER
) {
868 ReturnStatus
= EFI_INVALID_PARAMETER
;
880 if (!EFI_ERROR (Status
)) {
884 if (Status
== EFI_INVALID_PARAMETER
) {
885 ReturnStatus
= EFI_INVALID_PARAMETER
;
889 // Parse the --tunnel-dest address string and fill in TunnelDestinationAddress of EFI_IPSEC_SA_DATA2.
891 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--tunnel-dest");
892 if (ValueStr
!= NULL
) {
893 Status
= EfiInetAddr2 ((CHAR16
*) ValueStr
, &(*Data
)->TunnelDestinationAddress
);
894 if (EFI_ERROR (Status
)) {
899 STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE
),
905 ReturnStatus
= EFI_INVALID_PARAMETER
;
912 // Parse the --tunnel-source address string and fill in TunnelSourceAddress of EFI_IPSEC_SA_DATA2.
914 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--tunnel-source");
915 if (ValueStr
!= NULL
) {
916 Status
= EfiInetAddr2 ((CHAR16
*) ValueStr
, &(*Data
)->TunnelSourceAddress
);
917 if (EFI_ERROR (Status
)) {
922 STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE
),
928 ReturnStatus
= EFI_INVALID_PARAMETER
;
935 // If it is tunnel mode, check that both --tunnel-source and --tunnel-dest are set.
937 if ((*Data
)->Mode
== EfiIPsecTunnel
) {
938 if ((*Mask
& (DEST
|SOURCE
)) != (DEST
|SOURCE
)) {
943 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS
),
946 L
"--tunnel-source --tunnel-dest"
948 ReturnStatus
= EFI_INVALID_PARAMETER
;
951 ReturnStatus
= CreateSpdSelector ((*Data
)->SpdSelector
, ParamPackage
, Mask
);
954 if ((*Mask
& (SPI
|IPSEC_PROTO
|LOCAL
|REMOTE
)) != (SPI
|IPSEC_PROTO
|LOCAL
|REMOTE
)) {
959 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS
),
962 L
"--spi --ipsec-proto --local --remote"
964 ReturnStatus
= EFI_INVALID_PARAMETER
;
966 if ((*SaId
)->Proto
== EfiIPsecAH
) {
967 if ((*Mask
& AUTH_ALGO
) == 0) {
972 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_PARAMETER
),
977 ReturnStatus
= EFI_INVALID_PARAMETER
;
978 } else if ((*Data
)->AlgoInfo
.EspAlgoInfo
.AuthAlgoId
!= IPSEC_AALG_NONE
&& (*Mask
& AUTH_KEY
) == 0) {
983 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_PARAMETER
),
988 ReturnStatus
= EFI_INVALID_PARAMETER
;
991 if ((*Mask
& (ENCRYPT_ALGO
|AUTH_ALGO
)) != (ENCRYPT_ALGO
|AUTH_ALGO
) ) {
996 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_PARAMETER
),
999 L
"--encrypt-algo --auth-algo"
1001 ReturnStatus
= EFI_INVALID_PARAMETER
;
1002 } else if ((*Data
)->AlgoInfo
.EspAlgoInfo
.EncAlgoId
!= IPSEC_EALG_NONE
&& (*Mask
& ENCRYPT_KEY
) == 0) {
1007 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_PARAMETER
),
1012 ReturnStatus
= EFI_INVALID_PARAMETER
;
1013 } else if ((*Data
)->AlgoInfo
.EspAlgoInfo
.AuthAlgoId
!= IPSEC_AALG_NONE
&& (*Mask
& AUTH_KEY
) == 0) {
1018 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_PARAMETER
),
1023 ReturnStatus
= EFI_INVALID_PARAMETER
;
1029 return ReturnStatus
;
1033 Fill in EFI_IPSEC_PAD_ID and EFI_IPSEC_PAD_DATA through ParamPackage list.
1035 @param[out] PadId The pointer to the EFI_IPSEC_PAD_ID structure.
1036 @param[out] Data The pointer to the EFI_IPSEC_PAD_DATA structure.
1037 @param[in] ParamPackage The pointer to the ParamPackage list.
1038 @param[in, out] Mask The pointer to the mask of fields supplied by the user; bits for every option parsed here are OR'ed into it.
1039 @param[in] CreateNew The switch to create new.
1041 @retval EFI_SUCCESS Fill in EFI_IPSEC_PAD_ID and EFI_IPSEC_PAD_DATA successfully.
1042 @retval EFI_INVALID_PARAMETER Invalid user input parameter.
1047 OUT EFI_IPSEC_PAD_ID
**PadId
,
1048 OUT EFI_IPSEC_PAD_DATA
**Data
,
1049 IN LIST_ENTRY
*ParamPackage
,
1051 IN BOOLEAN CreateNew
1055 EFI_STATUS ReturnStatus
;
1056 SHELL_FILE_HANDLE FileHandle
;
1058 UINTN AuthDataLength
;
1059 UINTN RevocationDataLength
;
1062 CONST CHAR16
*ValueStr
;
1065 Status
= EFI_SUCCESS
;
1066 ReturnStatus
= EFI_SUCCESS
;
1069 RevocationDataLength
= 0;
1071 *PadId
= AllocateZeroPool (sizeof (EFI_IPSEC_PAD_ID
));
1072 ASSERT (*PadId
!= NULL
);
1075 // Convert the user input from string, and fill in EFI_IPSEC_PAD_ID.
1077 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--peer-address");
1078 if (ValueStr
!= NULL
) {
1079 (*PadId
)->PeerIdValid
= FALSE
;
1080 Status
= EfiInetAddrRange ((CHAR16
*) ValueStr
, &(*PadId
)->Id
.IpAddress
);
1081 if (EFI_ERROR (Status
)) {
1086 STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE
),
1092 ReturnStatus
= EFI_INVALID_PARAMETER
;
1094 *Mask
|= PEER_ADDRESS
;
1098 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--peer-id");
1099 if (ValueStr
!= NULL
) {
1100 (*PadId
)->PeerIdValid
= TRUE
;
1101 StrnCpyS ((CHAR16
*) (*PadId
)->Id
.PeerId
, MAX_PEERID_LEN
/ sizeof (CHAR16
), ValueStr
, MAX_PEERID_LEN
/ sizeof (CHAR16
) - 1);
1105 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--auth-data");
1106 if (ValueStr
!= NULL
) {
1107 if (ValueStr
[0] == L
'@') {
1109 // Input is a file: --auth-data "@fs1:\My Certificates\tom.dat". Only the file size is taken here; the file is re-opened and read later, after the buffer is allocated.
1111 Status
= ShellOpenFileByName (&ValueStr
[1], &FileHandle
, EFI_FILE_MODE_READ
, 0);
1112 if (EFI_ERROR (Status
)) {
1117 STRING_TOKEN (STR_IPSEC_CONFIG_FILE_OPEN_FAILED
),
1122 ReturnStatus
= EFI_INVALID_PARAMETER
;
1124 Status
= ShellGetFileSize (FileHandle
, &FileSize
);
1125 ShellCloseFile (&FileHandle
);
1126 if (EFI_ERROR (Status
)) {
1131 STRING_TOKEN (STR_IPSEC_CONFIG_FILE_OPEN_FAILED
),
1136 ReturnStatus
= EFI_INVALID_PARAMETER
;
1138 AuthDataLength
= (UINTN
) FileSize
;
1142 AuthDataLength
= StrLen (ValueStr
);
1146 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--revocation-data");
1147 if (ValueStr
!= NULL
) {
1148 RevocationDataLength
= (StrLen (ValueStr
) + 1) * sizeof (CHAR16
);
1152 // Allocate the buffer for Data. Padding is added after each struct to keep the alignment
1153 // correct on every architecture.
1155 DataSize
= ALIGN_VARIABLE (sizeof (EFI_IPSEC_PAD_DATA
));
1156 DataSize
= ALIGN_VARIABLE (DataSize
+ AuthDataLength
);
1157 DataSize
+= RevocationDataLength
;
1159 *Data
= AllocateZeroPool (DataSize
);
1160 ASSERT (*Data
!= NULL
);
1162 (*Data
)->AuthData
= (VOID
*) ALIGN_POINTER ((*Data
+ 1), sizeof (UINTN
));
1163 (*Data
)->RevocationData
= (VOID
*) ALIGN_POINTER (((UINT8
*) (*Data
+ 1) + AuthDataLength
), sizeof (UINTN
));
1164 (*Data
)->AuthProtocol
= EfiIPsecAuthProtocolIKEv1
;
1167 // Convert the user input from string to integer, and fill in EFI_IPSEC_PAD_DATA.
1169 Status
= GetNumber (
1172 &(*Data
)->AuthProtocol
,
1173 sizeof (EFI_IPSEC_AUTH_PROTOCOL_TYPE
),
1178 if (!EFI_ERROR (Status
)) {
1179 *Mask
|= AUTH_PROTO
;
1182 if (Status
== EFI_INVALID_PARAMETER
) {
1183 ReturnStatus
= EFI_INVALID_PARAMETER
;
1186 Status
= GetNumber (
1189 &(*Data
)->AuthMethod
,
1190 sizeof (EFI_IPSEC_AUTH_METHOD
),
1195 if (!EFI_ERROR (Status
)) {
1196 *Mask
|= AUTH_METHOD
;
1199 if (Status
== EFI_INVALID_PARAMETER
) {
1200 ReturnStatus
= EFI_INVALID_PARAMETER
;
1203 if (ShellCommandLineGetFlag (ParamPackage
, L
"--ike-id")) {
1204 (*Data
)->IkeIdFlag
= TRUE
;
1208 if (ShellCommandLineGetFlag (ParamPackage
, L
"--ike-id-")) {
1209 (*Data
)->IkeIdFlag
= FALSE
;
1213 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--auth-data");
1214 if (ValueStr
!= NULL
) {
1215 if (ValueStr
[0] == L
'@') {
1217 // Input is a file: --auth-data "@fs1:\My Certificates\tom.dat". This is the second open of the file; the read below is bounded by AuthDataLength (the size from the first open), so a file that grew in between is truncated, and one that shrank only trips the ASSERT while AuthDataSize is still set to AuthDataLength.
1220 Status
= ShellOpenFileByName (&ValueStr
[1], &FileHandle
, EFI_FILE_MODE_READ
, 0);
1221 if (EFI_ERROR (Status
)) {
1226 STRING_TOKEN (STR_IPSEC_CONFIG_FILE_OPEN_FAILED
),
1231 ReturnStatus
= EFI_INVALID_PARAMETER
;
1232 (*Data
)->AuthData
= NULL
;
1234 DataLength
= AuthDataLength
;
1235 Status
= ShellReadFile (FileHandle
, &DataLength
, (*Data
)->AuthData
);
1236 ShellCloseFile (&FileHandle
);
1237 if (EFI_ERROR (Status
)) {
1242 STRING_TOKEN (STR_IPSEC_CONFIG_FILE_OPEN_FAILED
),
1247 ReturnStatus
= EFI_INVALID_PARAMETER
;
1248 (*Data
)->AuthData
= NULL
;
1250 ASSERT (DataLength
== AuthDataLength
);
1255 for (Index
= 0; Index
< AuthDataLength
; Index
++) {
1256 ((CHAR8
*) (*Data
)->AuthData
)[Index
] = (CHAR8
) ValueStr
[Index
];
1258 (*Data
)->AuthDataSize
= AuthDataLength
;
1263 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--revocation-data");
1264 if (ValueStr
!= NULL
) {
1265 CopyMem ((*Data
)->RevocationData
, ValueStr
, RevocationDataLength
);
1266 (*Data
)->RevocationDataSize
= RevocationDataLength
;
1267 *Mask
|= REVOCATION_DATA
;
1269 (*Data
)->RevocationData
= NULL
;
1273 if ((*Mask
& (PEER_ID
| PEER_ADDRESS
)) == 0) {
1278 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS
),
1281 L
"--peer-id --peer-address"
1283 ReturnStatus
= EFI_INVALID_PARAMETER
;
1284 } else if ((*Mask
& (AUTH_METHOD
| AUTH_DATA
)) != (AUTH_METHOD
| AUTH_DATA
)) {
1289 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS
),
1292 L
"--auth-method --auth-data"
1294 ReturnStatus
= EFI_INVALID_PARAMETER
;
1298 return ReturnStatus
;
1301 CREATE_POLICY_ENTRY mCreatePolicyEntry
[] = {
1302 (CREATE_POLICY_ENTRY
) CreateSpdEntry
,
1303 (CREATE_POLICY_ENTRY
) CreateSadEntry
,
1304 (CREATE_POLICY_ENTRY
) CreatePadEntry
1308 Combine old SPD entry with new SPD entry.
1310 @param[in, out] OldSelector The pointer to the EFI_IPSEC_SPD_SELECTOR structure.
1311 @param[in, out] OldData The pointer to the EFI_IPSEC_SPD_DATA structure.
1312 @param[in] NewSelector The pointer to the EFI_IPSEC_SPD_SELECTOR structure.
1313 @param[in] NewData The pointer to the EFI_IPSEC_SPD_DATA structure.
1314 @param[in] Mask The mask of fields supplied by the user (passed by value).
1315 @param[out] CreateNew The switch to create new.
1317 @retval EFI_SUCCESS Combined successfully.
1318 @retval EFI_INVALID_PARAMETER Invalid user input parameter.
1323 IN OUT EFI_IPSEC_SPD_SELECTOR
*OldSelector
,
1324 IN OUT EFI_IPSEC_SPD_DATA
*OldData
,
1325 IN EFI_IPSEC_SPD_SELECTOR
*NewSelector
,
1326 IN EFI_IPSEC_SPD_DATA
*NewData
,
1328 OUT BOOLEAN
*CreateNew
1336 if ((Mask
& LOCAL
) == 0) {
1337 NewSelector
->LocalAddressCount
= OldSelector
->LocalAddressCount
;
1338 NewSelector
->LocalAddress
= OldSelector
->LocalAddress
;
1339 } else if ((NewSelector
->LocalAddressCount
!= OldSelector
->LocalAddressCount
) ||
1340 (CompareMem (NewSelector
->LocalAddress
, OldSelector
->LocalAddress
, NewSelector
->LocalAddressCount
* sizeof (EFI_IP_ADDRESS_INFO
)) != 0)) {
1344 if ((Mask
& REMOTE
) == 0) {
1345 NewSelector
->RemoteAddressCount
= OldSelector
->RemoteAddressCount
;
1346 NewSelector
->RemoteAddress
= OldSelector
->RemoteAddress
;
1347 } else if ((NewSelector
->RemoteAddressCount
!= OldSelector
->RemoteAddressCount
) ||
1348 (CompareMem (NewSelector
->RemoteAddress
, OldSelector
->RemoteAddress
, NewSelector
->RemoteAddressCount
* sizeof (EFI_IP_ADDRESS_INFO
)) != 0)) {
1352 if ((Mask
& PROTO
) == 0) {
1353 NewSelector
->NextLayerProtocol
= OldSelector
->NextLayerProtocol
;
1354 } else if (NewSelector
->NextLayerProtocol
!= OldSelector
->NextLayerProtocol
) {
1358 switch (NewSelector
->NextLayerProtocol
) {
1359 case EFI_IP4_PROTO_TCP
:
1360 case EFI_IP4_PROTO_UDP
:
1361 if ((Mask
& LOCAL_PORT
) == 0) {
1362 NewSelector
->LocalPort
= OldSelector
->LocalPort
;
1363 NewSelector
->LocalPortRange
= OldSelector
->LocalPortRange
;
1364 } else if ((NewSelector
->LocalPort
!= OldSelector
->LocalPort
) ||
1365 (NewSelector
->LocalPortRange
!= OldSelector
->LocalPortRange
)) {
1369 if ((Mask
& REMOTE_PORT
) == 0) {
1370 NewSelector
->RemotePort
= OldSelector
->RemotePort
;
1371 NewSelector
->RemotePortRange
= OldSelector
->RemotePortRange
;
1372 } else if ((NewSelector
->RemotePort
!= OldSelector
->RemotePort
) ||
1373 (NewSelector
->RemotePortRange
!= OldSelector
->RemotePortRange
)) {
1378 case EFI_IP4_PROTO_ICMP
:
1379 if ((Mask
& ICMP_TYPE
) == 0) {
1380 NewSelector
->LocalPort
= OldSelector
->LocalPort
;
1381 } else if (NewSelector
->LocalPort
!= OldSelector
->LocalPort
) {
1385 if ((Mask
& ICMP_CODE
) == 0) {
1386 NewSelector
->RemotePort
= OldSelector
->RemotePort
;
1387 } else if (NewSelector
->RemotePort
!= OldSelector
->RemotePort
) {
1395 OldData
->SaIdCount
= 0;
1397 if ((Mask
& NAME
) != 0) {
1398 AsciiStrCpyS ((CHAR8
*) OldData
->Name
, MAX_PEERID_LEN
, (CHAR8
*) NewData
->Name
);
1401 if ((Mask
& PACKET_FLAG
) != 0) {
1402 OldData
->PackageFlag
= NewData
->PackageFlag
;
1405 if ((Mask
& ACTION
) != 0) {
1406 OldData
->Action
= NewData
->Action
;
1409 if (OldData
->Action
!= EfiIPsecActionProtect
) {
1410 OldData
->ProcessingPolicy
= NULL
;
1415 if (OldData
->ProcessingPolicy
== NULL
) {
1417 // If the old entry had no processing policy, simply point at the new one.
1419 OldData
->ProcessingPolicy
= NewData
->ProcessingPolicy
;
1420 if (OldData
->ProcessingPolicy
->Mode
== EfiIPsecTunnel
&&
1421 (Mask
& (TUNNEL_LOCAL
| TUNNEL_REMOTE
)) != (TUNNEL_LOCAL
| TUNNEL_REMOTE
)
1424 // Changing to the Protect action and tunnel mode without providing both local and remote tunnel addresses.
1430 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS
),
1433 L
"--tunnel-local --tunnel-remote"
1435 return EFI_INVALID_PARAMETER
;
1439 // Modify some of the data.
1441 if ((Mask
& EXT_SEQUENCE
) != 0) {
1442 OldData
->ProcessingPolicy
->ExtSeqNum
= NewData
->ProcessingPolicy
->ExtSeqNum
;
1445 if ((Mask
& SEQUENCE_OVERFLOW
) != 0) {
1446 OldData
->ProcessingPolicy
->SeqOverflow
= NewData
->ProcessingPolicy
->SeqOverflow
;
1449 if ((Mask
& FRAGMENT_CHECK
) != 0) {
1450 OldData
->ProcessingPolicy
->FragCheck
= NewData
->ProcessingPolicy
->FragCheck
;
1453 if ((Mask
& LIFEBYTE
) != 0) {
1454 OldData
->ProcessingPolicy
->SaLifetime
.ByteCount
= NewData
->ProcessingPolicy
->SaLifetime
.ByteCount
;
1457 if ((Mask
& LIFETIME_SOFT
) != 0) {
1458 OldData
->ProcessingPolicy
->SaLifetime
.SoftLifetime
= NewData
->ProcessingPolicy
->SaLifetime
.SoftLifetime
;
1461 if ((Mask
& LIFETIME
) != 0) {
1462 OldData
->ProcessingPolicy
->SaLifetime
.HardLifetime
= NewData
->ProcessingPolicy
->SaLifetime
.HardLifetime
;
1465 if ((Mask
& MODE
) != 0) {
1466 OldData
->ProcessingPolicy
->Mode
= NewData
->ProcessingPolicy
->Mode
;
1469 if ((Mask
& IPSEC_PROTO
) != 0) {
1470 OldData
->ProcessingPolicy
->Proto
= NewData
->ProcessingPolicy
->Proto
;
1473 if ((Mask
& AUTH_ALGO
) != 0) {
1474 OldData
->ProcessingPolicy
->AuthAlgoId
= NewData
->ProcessingPolicy
->AuthAlgoId
;
1477 if ((Mask
& ENCRYPT_ALGO
) != 0) {
1478 OldData
->ProcessingPolicy
->EncAlgoId
= NewData
->ProcessingPolicy
->EncAlgoId
;
1481 if (OldData
->ProcessingPolicy
->Mode
!= EfiIPsecTunnel
) {
1482 OldData
->ProcessingPolicy
->TunnelOption
= NULL
;
1484 if (OldData
->ProcessingPolicy
->TunnelOption
== NULL
) {
1486 // Switching from transport mode to tunnel mode: ensure both TUNNEL_LOCAL and TUNNEL_REMOTE are present.
1488 if ((Mask
& (TUNNEL_LOCAL
| TUNNEL_REMOTE
)) != (TUNNEL_LOCAL
| TUNNEL_REMOTE
)) {
1493 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS
),
1496 L
"--tunnel-local --tunnel-remote"
1498 return EFI_INVALID_PARAMETER
;
1501 OldData
->ProcessingPolicy
->TunnelOption
= NewData
->ProcessingPolicy
->TunnelOption
;
1503 if ((Mask
& TUNNEL_LOCAL
) != 0) {
1505 &OldData
->ProcessingPolicy
->TunnelOption
->LocalTunnelAddress
,
1506 &NewData
->ProcessingPolicy
->TunnelOption
->LocalTunnelAddress
,
1507 sizeof (EFI_IP_ADDRESS
)
1511 if ((Mask
& TUNNEL_REMOTE
) != 0) {
1513 &OldData
->ProcessingPolicy
->TunnelOption
->RemoteTunnelAddress
,
1514 &NewData
->ProcessingPolicy
->TunnelOption
->RemoteTunnelAddress
,
1515 sizeof (EFI_IP_ADDRESS
)
1519 if ((Mask
& DONT_FRAGMENT
) != 0) {
1520 OldData
->ProcessingPolicy
->TunnelOption
->DF
= NewData
->ProcessingPolicy
->TunnelOption
->DF
;
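/**
  Merge the fields supplied on the command line (NewSaId/NewData, with the
  supplied fields flagged in Mask) into the SAD entry that currently exists in
  the database (OldSaId/OldData).

  Fields not flagged in Mask are inherited from the existing entry.  A supplied
  identity field (SPI, protocol, tunnel destination or tunnel source address)
  that differs from the existing one cannot be changed in place, so CreateNew
  is set and the caller replaces the entry instead of updating it.

  All user-input consistency checks run before anything in OldData is written,
  so a rejected edit leaves the existing entry untouched.

  The merge is shallow: pointer-valued members (authentication/encryption keys,
  the SPD selector and its address lists) are copied as pointers, so after a
  successful return OldData references memory owned by NewData.  The result is
  only valid while NewData is alive; the caller passes OldData to SetData before
  NewData is freed.

  @param[in, out] OldSaId     The existing entry's EFI_IPSEC_SA_ID.
  @param[in, out] OldData     The existing entry's EFI_IPSEC_SA_DATA2, updated in place.
  @param[in]      NewSaId     The user-supplied EFI_IPSEC_SA_ID; unspecified fields are
                              filled in from OldSaId.
  @param[in]      NewData     The user-supplied EFI_IPSEC_SA_DATA2; unspecified tunnel
                              addresses are filled in from OldData.
  @param[in]      Mask        Bit mask of the command-line options the user supplied.
  @param[out]     CreateNew   TRUE if a supplied identity field differs from the
                              existing entry (delete old + create new is required).

  @retval EFI_SUCCESS            Combined successfully.
  @retval EFI_INVALID_PARAMETER  Invalid user input parameter; OldData is unchanged.
**/
EFI_STATUS
CombineSadEntry (
  IN OUT EFI_IPSEC_SA_ID      *OldSaId,
  IN OUT EFI_IPSEC_SA_DATA2   *OldData,
  IN     EFI_IPSEC_SA_ID      *NewSaId,
  IN     EFI_IPSEC_SA_DATA2   *NewData,
  IN     UINT32               Mask,
     OUT BOOLEAN              *CreateNew
  )
{
  *CreateNew = FALSE;

  //
  // Identity fields.  An unspecified field is inherited from the existing
  // entry so that NewSaId/NewData describe a complete SA afterwards; a
  // specified field that differs changes the entry's identity.
  //
  if ((Mask & SPI) == 0) {
    NewSaId->Spi = OldSaId->Spi;
  } else if (NewSaId->Spi != OldSaId->Spi) {
    *CreateNew = TRUE;
  }

  if ((Mask & IPSEC_PROTO) == 0) {
    NewSaId->Proto = OldSaId->Proto;
  } else if (NewSaId->Proto != OldSaId->Proto) {
    *CreateNew = TRUE;
  }

  if ((Mask & DEST) == 0) {
    CopyMem (&NewData->TunnelDestinationAddress, &OldData->TunnelDestinationAddress, sizeof (EFI_IP_ADDRESS));
  } else if (CompareMem (&NewData->TunnelDestinationAddress, &OldData->TunnelDestinationAddress, sizeof (EFI_IP_ADDRESS)) != 0) {
    *CreateNew = TRUE;
  }

  if ((Mask & SOURCE) == 0) {
    CopyMem (&NewData->TunnelSourceAddress, &OldData->TunnelSourceAddress, sizeof (EFI_IP_ADDRESS));
  } else if (CompareMem (&NewData->TunnelSourceAddress, &OldData->TunnelSourceAddress, sizeof (EFI_IP_ADDRESS)) != 0) {
    *CreateNew = TRUE;
  }

  //
  // Input validation.  NewSaId->Proto has been synchronised above, so it is
  // the effective protocol of the edited entry.  Nothing in OldData has been
  // written yet, so returning an error here leaves the entry as it was.
  //
  if (NewSaId->Proto == EfiIPsecAH && (Mask & (ENCRYPT_ALGO | ENCRYPT_KEY)) != 0) {
    //
    // AH provides no encryption, so --encrypt-* options are meaningless.
    //
    ShellPrintHiiEx (
      -1,
      -1,
      NULL,
      STRING_TOKEN (STR_IPSEC_CONFIG_UNWANTED_PARAMETER),
      mHiiHandle,
      mAppName,
      L"--encrypt-algo --encrypt-key"
      );
    return EFI_INVALID_PARAMETER;
  }

  if (NewSaId->Proto == EfiIPsecESP && OldSaId->Proto == EfiIPsecAH) {
    //
    // Switching AH -> ESP: the existing entry carries no encryption
    // parameters, so an algorithm is mandatory ...
    //
    if ((Mask & ENCRYPT_ALGO) == 0) {
      ShellPrintHiiEx (
        -1,
        -1,
        NULL,
        STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_PARAMETER),
        mHiiHandle,
        mAppName,
        L"--encrypt-algo"
        );
      return EFI_INVALID_PARAMETER;
    }

    //
    // ... and so is a key, unless the algorithm is NONE.
    //
    if (NewData->AlgoInfo.EspAlgoInfo.EncAlgoId != IPSEC_EALG_NONE && (Mask & ENCRYPT_KEY) == 0) {
      ShellPrintHiiEx (
        -1,
        -1,
        NULL,
        STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_PARAMETER),
        mHiiHandle,
        mAppName,
        L"--encrypt-key"
        );
      return EFI_INVALID_PARAMETER;
    }
  }

  //
  // An entry that has no SPD selector yet can only be given one as a whole:
  // --local, --remote and --proto must all be present before any selector
  // option (including port / ICMP ones) is accepted.
  //
  if (OldData->SpdSelector == NULL &&
      (Mask & (LOCAL | REMOTE | PROTO | LOCAL_PORT | REMOTE_PORT | ICMP_TYPE | ICMP_CODE)) != 0 &&
      (Mask & (LOCAL | REMOTE | PROTO)) != (LOCAL | REMOTE | PROTO)) {
    ShellPrintHiiEx (
      -1,
      -1,
      NULL,
      STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS),
      mHiiHandle,
      mAppName,
      L"--local --remote --proto"
      );
    return EFI_INVALID_PARAMETER;
  }

  //
  // Scalar SA parameters.
  //
  if ((Mask & MODE) != 0) {
    OldData->Mode = NewData->Mode;
  }

  if ((Mask & SEQUENCE_NUMBER) != 0) {
    OldData->SNCount = NewData->SNCount;
  }

  if ((Mask & ANTIREPLAY_WINDOW) != 0) {
    OldData->AntiReplayWindows = NewData->AntiReplayWindows;
  }

  //
  // Algorithms and keys.  EspAlgoInfo is used for AH entries as well; that
  // relies on the AH and ESP members of the AlgoInfo union sharing the layout
  // of the authentication fields (presumably guaranteed by the protocol
  // header, verify there).  Key assignments are pointer copies: OldData now
  // aliases key storage owned by NewData, and the previous key pointer is
  // dropped without being wiped here.
  //
  if ((Mask & AUTH_ALGO) != 0) {
    OldData->AlgoInfo.EspAlgoInfo.AuthAlgoId = NewData->AlgoInfo.EspAlgoInfo.AuthAlgoId;
  }

  if ((Mask & AUTH_KEY) != 0) {
    OldData->AlgoInfo.EspAlgoInfo.AuthKey       = NewData->AlgoInfo.EspAlgoInfo.AuthKey;
    OldData->AlgoInfo.EspAlgoInfo.AuthKeyLength = NewData->AlgoInfo.EspAlgoInfo.AuthKeyLength;
  }

  //
  // Note: changing --encrypt-algo on an entry that is already ESP does not
  // require a new --encrypt-key, so the existing key and key length are kept
  // for the new algorithm.  Whether the IPsec driver validates key length
  // against the algorithm at SetData time is not visible here.
  //
  if ((Mask & ENCRYPT_ALGO) != 0) {
    OldData->AlgoInfo.EspAlgoInfo.EncAlgoId = NewData->AlgoInfo.EspAlgoInfo.EncAlgoId;
  }

  if ((Mask & ENCRYPT_KEY) != 0) {
    OldData->AlgoInfo.EspAlgoInfo.EncKey       = NewData->AlgoInfo.EspAlgoInfo.EncKey;
    OldData->AlgoInfo.EspAlgoInfo.EncKeyLength = NewData->AlgoInfo.EspAlgoInfo.EncKeyLength;
  }

  //
  // Lifetimes and path MTU.
  //
  if ((Mask & LIFEBYTE) != 0) {
    OldData->SaLifetime.ByteCount = NewData->SaLifetime.ByteCount;
  }

  if ((Mask & LIFETIME_SOFT) != 0) {
    OldData->SaLifetime.SoftLifetime = NewData->SaLifetime.SoftLifetime;
  }

  if ((Mask & LIFETIME) != 0) {
    OldData->SaLifetime.HardLifetime = NewData->SaLifetime.HardLifetime;
  }

  if ((Mask & PATH_MTU) != 0) {
    OldData->PathMTU = NewData->PathMTU;
  }

  //
  // SPD selector.  With no existing selector the whole user-supplied selector
  // is adopted (pointer copy; completeness was checked above).  Otherwise the
  // individual address lists / protocol are replaced, again as pointer copies
  // into NewData-owned storage.
  //
  if (OldData->SpdSelector == NULL) {
    if ((Mask & (LOCAL | REMOTE | PROTO | LOCAL_PORT | REMOTE_PORT | ICMP_TYPE | ICMP_CODE)) != 0) {
      OldData->SpdSelector = NewData->SpdSelector;
    }
  } else {
    if ((Mask & LOCAL) != 0) {
      OldData->SpdSelector->LocalAddressCount = NewData->SpdSelector->LocalAddressCount;
      OldData->SpdSelector->LocalAddress      = NewData->SpdSelector->LocalAddress;
    }

    if ((Mask & REMOTE) != 0) {
      OldData->SpdSelector->RemoteAddressCount = NewData->SpdSelector->RemoteAddressCount;
      OldData->SpdSelector->RemoteAddress      = NewData->SpdSelector->RemoteAddress;
    }

    if ((Mask & PROTO) != 0) {
      OldData->SpdSelector->NextLayerProtocol = NewData->SpdSelector->NextLayerProtocol;
    }
  }

  //
  // Port / ICMP fields depend on the (possibly just updated) next-layer
  // protocol.  ICMP type and code reuse the port fields and are narrowed to
  // 8 bits here; values above 255 are silently truncated at this point, so
  // the range is presumably enforced where --icmp-type/--icmp-code are parsed
  // (verify).
  //
  if (OldData->SpdSelector != NULL) {
    switch (OldData->SpdSelector->NextLayerProtocol) {
    case EFI_IP4_PROTO_TCP:
    case EFI_IP4_PROTO_UDP:
      if ((Mask & LOCAL_PORT) != 0) {
        OldData->SpdSelector->LocalPort = NewData->SpdSelector->LocalPort;
      }

      if ((Mask & REMOTE_PORT) != 0) {
        OldData->SpdSelector->RemotePort = NewData->SpdSelector->RemotePort;
      }
      break;

    case EFI_IP4_PROTO_ICMP:
      if ((Mask & ICMP_TYPE) != 0) {
        OldData->SpdSelector->LocalPort = (UINT8) NewData->SpdSelector->LocalPort;
      }

      if ((Mask & ICMP_CODE) != 0) {
        OldData->SpdSelector->RemotePort = (UINT8) NewData->SpdSelector->RemotePort;
      }
      break;

    default:
      //
      // Other protocols carry no port or ICMP selector fields; any such
      // options are ignored here, as before.
      //
      break;
    }
  }

  return EFI_SUCCESS;
}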
/**
  Merge the fields supplied on the command line (NewPadId/NewData, with the
  supplied fields flagged in Mask) into the PAD entry that currently exists in
  the database (OldPadId/OldData).

  The entry's identity is either a peer ID string or a peer address with prefix
  length.  If the user supplied neither, NewPadId simply takes the existing
  identity.  If the user supplied one and it does not match the existing entry
  (different kind of identity, or same kind with a different value), CreateNew
  is set and the caller replaces the entry rather than updating it in place.

  The merge is shallow: AuthData and RevocationData are copied as pointers, so
  after return OldData references buffers owned by NewData and is only valid
  while NewData is alive.

  @param[in, out] OldPadId    The existing entry's EFI_IPSEC_PAD_ID.
  @param[in, out] OldData     The existing entry's EFI_IPSEC_PAD_DATA, updated in place.
  @param[in]      NewPadId    The user-supplied EFI_IPSEC_PAD_ID; receives the existing
                              identity when the user supplied none.
  @param[in]      NewData     The user-supplied EFI_IPSEC_PAD_DATA.
  @param[in]      Mask        Bit mask of the command-line options the user supplied.
  @param[out]     CreateNew   TRUE if the supplied identity differs from the existing one.

  @retval EFI_SUCCESS            Combined successfully.
  @retval EFI_INVALID_PARAMETER  Invalid user input parameter.
**/
EFI_STATUS
CombinePadEntry (
  IN OUT EFI_IPSEC_PAD_ID      *OldPadId,
  IN OUT EFI_IPSEC_PAD_DATA    *OldData,
  IN     EFI_IPSEC_PAD_ID      *NewPadId,
  IN     EFI_IPSEC_PAD_DATA    *NewData,
  IN     UINT32                Mask,
     OUT BOOLEAN               *CreateNew
  )
{
  BOOLEAN  IdentityChanged;

  IdentityChanged = FALSE;

  if ((Mask & (PEER_ID | PEER_ADDRESS)) == 0) {
    //
    // No identity given: keep the existing one.
    //
    CopyMem (NewPadId, OldPadId, sizeof (EFI_IPSEC_PAD_ID));
  } else if ((Mask & PEER_ID) != 0) {
    //
    // A peer ID was given.  It only matches if the existing entry is also
    // keyed by peer ID and the strings are equal.  StrCmp assumes both
    // Id.PeerId buffers are NUL-terminated within their fixed size.
    //
    IdentityChanged = (BOOLEAN) (!OldPadId->PeerIdValid ||
                                 (StrCmp ((CONST CHAR16 *) OldPadId->Id.PeerId, (CONST CHAR16 *) NewPadId->Id.PeerId) != 0));
  } else {
    //
    // A peer address was given.  It only matches if the existing entry is
    // keyed by address and both the address and the prefix length agree.
    //
    IdentityChanged = (BOOLEAN) (OldPadId->PeerIdValid ||
                                 (CompareMem (&OldPadId->Id.IpAddress.Address, &NewPadId->Id.IpAddress.Address, sizeof (EFI_IP_ADDRESS)) != 0) ||
                                 (OldPadId->Id.IpAddress.PrefixLength != NewPadId->Id.IpAddress.PrefixLength));
  }

  *CreateNew = IdentityChanged;

  //
  // Data fields: each one is replaced only when the user supplied it.
  //
  if ((Mask & AUTH_PROTO) != 0) {
    OldData->AuthProtocol = NewData->AuthProtocol;
  }

  if ((Mask & AUTH_METHOD) != 0) {
    OldData->AuthMethod = NewData->AuthMethod;
  }

  if ((Mask & IKE_ID) != 0) {
    OldData->IkeIdFlag = NewData->IkeIdFlag;
  }

  //
  // Pointer copies: the size is taken together with the pointer, and the old
  // buffer pointers are dropped without being freed or wiped here.
  //
  if ((Mask & AUTH_DATA) != 0) {
    OldData->AuthDataSize = NewData->AuthDataSize;
    OldData->AuthData     = NewData->AuthData;
  }

  if ((Mask & REVOCATION_DATA) != 0) {
    OldData->RevocationDataSize = NewData->RevocationDataSize;
    OldData->RevocationData     = NewData->RevocationData;
  }

  return EFI_SUCCESS;
}
//
// Per-type dispatch table used by EditOperatePolicyEntry to merge a
// user-supplied entry into an existing one.  It is indexed directly by the
// EFI_IPSEC_CONFIG_DATA_TYPE value, so the order (SPD, SAD, PAD) must match
// that enum and the other per-type tables in this file.  The casts suppress
// the mismatch between each function's typed parameters and the generic
// COMBINE_POLICY_ENTRY signature, so the compiler will not catch a parameter
// change in one of the functions: keep the three signatures in step.
//
COMBINE_POLICY_ENTRY  mCombinePolicyEntry[] = {
  (COMBINE_POLICY_ENTRY) CombineSpdEntry,   // index 0: SPD
  (COMBINE_POLICY_ENTRY) CombineSadEntry,   // index 1: SAD
  (COMBINE_POLICY_ENTRY) CombinePadEntry    // index 2: PAD
};
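/**
  Visitor callback for ForeachPolicyEntry that applies a pending edit to the
  entry selected by the user.

  Entries that do not match Context->Indexer are skipped.  For the matching
  entry, the user-supplied fields (Context->Selector / Context->Data, flagged
  in Context->Mask) are merged into the existing Selector / Data, and the
  result is written back with SetData.  If the merge reports that the entry's
  identity changed (CreateNew), the merged entry is stored under the new
  selector and the old entry is deleted afterwards.  The deletion is only
  attempted when the store succeeded, so a failed store never leaves the
  database without the policy.

  SetData failures depend on user-supplied data and are reported to the caller
  through Context->Status (EditPolicyEntry prints a failure message for them)
  rather than asserted.

  @param[in] Selector  The existing entry's EFI_IPSEC_CONFIG_SELECTOR.
  @param[in] Data      The existing entry's data, modified in place by the merge.
  @param[in] Context   The EDIT_POLICY_ENTRY_CONTEXT carrying the indexer, the
                       user-supplied entry and the result status.

  @retval EFI_SUCCESS  Entry did not match; continue the iteration.
  @retval EFI_ABORTED  Entry matched and was processed (or DataType was out of
                       range); stop the iteration.  The outcome is in Context->Status.
**/
EFI_STATUS
EditOperatePolicyEntry (
  IN EFI_IPSEC_CONFIG_SELECTOR    *Selector,
  IN VOID                         *Data,
  IN EDIT_POLICY_ENTRY_CONTEXT    *Context
  )
{
  EFI_STATUS    Status;
  BOOLEAN       CreateNew;

  //
  // DataType indexes the dispatch tables; check it before the first lookup,
  // not after.  ASSERT is compiled out in release builds, so keep a runtime
  // guard as well.
  //
  ASSERT (Context->DataType < (sizeof (mCombinePolicyEntry) / sizeof (mCombinePolicyEntry[0])));
  if (Context->DataType >= (sizeof (mCombinePolicyEntry) / sizeof (mCombinePolicyEntry[0]))) {
    Context->Status = EFI_INVALID_PARAMETER;
    return EFI_ABORTED;
  }

  if (!mMatchPolicyEntry[Context->DataType] (Selector, Data, &Context->Indexer)) {
    return EFI_SUCCESS;
  }

  CreateNew = FALSE;
  Status    = mCombinePolicyEntry[Context->DataType] (
                Selector,             /// Existing entry (modified in place).
                Data,
                Context->Selector,    /// User-supplied entry.
                Context->Data,
                Context->Mask,
                &CreateNew
                );
  if (!EFI_ERROR (Status)) {
    //
    // Store the merged entry under the (possibly new) selector.  If the
    // selector is unchanged this updates the existing entry in place.
    //
    Status = mIpSecConfig->SetData (
                             mIpSecConfig,
                             Context->DataType,
                             Context->Selector,   /// New selector.
                             Data,                /// Existing data, now merged.
                             NULL
                             );

    if (!EFI_ERROR (Status) && CreateNew) {
      //
      // The identity changed, so the merged entry is a new one: remove the
      // old entry.  Only done once the new entry is safely stored.
      //
      Status = mIpSecConfig->SetData (
                               mIpSecConfig,
                               Context->DataType,
                               Selector,   /// Old selector.
                               NULL,       /// NULL data deletes the entry named by Selector.
                               NULL
                               );
    }
  }

  Context->Status = Status;
  return EFI_ABORTED;
}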
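/**
  Edit the policy entry selected by "-e" in the database of the given type.

  Builds an indexer from the command line, builds a partial entry (Selector,
  Data, Mask) from the remaining options, and walks the database with
  EditOperatePolicyEntry, which merges and stores the result for the matching
  entry.  The walk's own status is ignored; the outcome is taken from
  Context.Status, which is preset to EFI_NOT_FOUND and overwritten by the
  visitor when it finds the entry.

  @param[in] DataType      The value of EFI_IPSEC_CONFIG_DATA_TYPE.  It is used as a
                           table index here without a range check; the caller is
                           expected to pass a valid type.
  @param[in] ParamPackage  The pointer to the ParamPackage list.

  @retval EFI_SUCCESS    Edit entry information successfully.
  @retval EFI_NOT_FOUND  "-e" was not given, or no entry matched the index.
  @retval Others         Building the entry from the command line or storing it failed.
**/
EFI_STATUS
EditPolicyEntry (
  IN EFI_IPSEC_CONFIG_DATA_TYPE    DataType,
  IN LIST_ENTRY                    *ParamPackage
  )
{
  EFI_STATUS                   Status;
  EDIT_POLICY_ENTRY_CONTEXT    Context;
  CONST CHAR16                 *ValueStr;

  ValueStr = ShellCommandLineGetValue (ParamPackage, L"-e");
  if (ValueStr == NULL) {
    //
    // ValueStr is NULL here and is passed through as the message argument;
    // the print library is expected to render a NULL string argument
    // harmlessly (verify against the STR_IPSEC_CONFIG_INDEX_NOT_SPECIFIED
    // format).
    //
    ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_INDEX_NOT_SPECIFIED), mHiiHandle, mAppName, ValueStr);
    return EFI_NOT_FOUND;
  }

  //
  // Start from an all-zero context so Context.Selector and Context.Data are
  // NULL until mCreatePolicyEntry assigns them.  The conditional frees below
  // must never see an uninitialised pointer, whatever the callee does on an
  // early failure.
  //
  ZeroMem (&Context, sizeof (Context));

  Status = mConstructPolicyEntryIndexer[DataType] (&Context.Indexer, ParamPackage);
  if (!EFI_ERROR (Status)) {
    Context.DataType = DataType;
    Context.Status   = EFI_NOT_FOUND;
    Status = mCreatePolicyEntry[DataType] (&Context.Selector, &Context.Data, ParamPackage, &Context.Mask, FALSE);
    if (!EFI_ERROR (Status)) {
      ForeachPolicyEntry (DataType, (VISIT_POLICY_ENTRY) EditOperatePolicyEntry, &Context);
      Status = Context.Status;
    }

    //
    // Context.Data owns the storage that the merged entry aliases (keys,
    // selector lists); it is only released here, after the walk has handed
    // the merged entry to SetData.
    //
    if (Context.Selector != NULL) {
      gBS->FreePool (Context.Selector);
    }

    if (Context.Data != NULL) {
      gBS->FreePool (Context.Data);
    }
  }

  if (Status == EFI_NOT_FOUND) {
    ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_INDEX_NOT_FOUND), mHiiHandle, mAppName, ValueStr);
  } else if (EFI_ERROR (Status)) {
    ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_EDIT_FAILED), mHiiHandle, mAppName);
  }

  return Status;
}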
/**
  Visitor callback for ForeachPolicyEntry that inserts a new entry in front of
  the entry selected by the user.

  Entries that do not match Context->Indexer are skipped.  When the matching
  entry is found, the new entry (Context->Selector / Context->Data) is stored
  with the matched entry's Selector as the insert-before position, the result
  is recorded in Context->Status, and the iteration is stopped.  DataType is
  used as a table index without a range check here.

  @param[in] Selector  The existing entry's EFI_IPSEC_CONFIG_SELECTOR.
  @param[in] Data      The existing entry's data.
  @param[in] Context   The INSERT_POLICY_ENTRY_CONTEXT carrying the indexer, the
                       entry to insert and the result status.

  @retval EFI_SUCCESS  Entry did not match; continue the iteration.
  @retval EFI_ABORTED  Insertion attempted; stop the iteration.
**/
EFI_STATUS
InsertPolicyEntry (
  IN EFI_IPSEC_CONFIG_SELECTOR    *Selector,
  IN VOID                         *Data,
  IN INSERT_POLICY_ENTRY_CONTEXT  *Context
  )
{
  //
  // Keep walking until the entry named by the user's index shows up.
  //
  if (!mMatchPolicyEntry[Context->DataType] (Selector, Data, &Context->Indexer)) {
    return EFI_SUCCESS;
  }

  //
  // Insert before the matched entry and stop.  A SetData failure is not
  // handled here; it is reported to the caller through Context->Status.
  //
  Context->Status = mIpSecConfig->SetData (
                                    mIpSecConfig,
                                    Context->DataType,
                                    Context->Selector,
                                    Context->Data,
                                    Selector   /// Position: insert before this entry.
                                    );
  return EFI_ABORTED;
}
1989 Insert or add entry information in database according to datatype.
1991 @param[in] DataType The value of EFI_IPSEC_CONFIG_DATA_TYPE.
1992 @param[in] ParamPackage The pointer to the ParamPackage list.
1994 @retval EFI_SUCCESS Insert or add entry information successfully.
1995 @retval EFI_NOT_FOUND Can't find the specified entry.
1996 @retval EFI_BUFFER_TOO_SMALL The entry already existed.
1997 @retval EFI_UNSUPPORTED The operation is not supported.
1998 @retval Others Some mistaken case.
2001 AddOrInsertPolicyEntry (
2002 IN EFI_IPSEC_CONFIG_DATA_TYPE DataType
,
2003 IN LIST_ENTRY
*ParamPackage
2007 EFI_IPSEC_CONFIG_SELECTOR
*Selector
;
2009 INSERT_POLICY_ENTRY_CONTEXT Context
;
2012 CONST CHAR16
*ValueStr
;
2014 Status
= mCreatePolicyEntry
[DataType
] (&Selector
, &Data
, ParamPackage
, &Mask
, TRUE
);
2015 if (!EFI_ERROR (Status
)) {
2017 // Find if the Selector to be inserted already exists.
2020 Status
= mIpSecConfig
->GetData (
2027 if (Status
== EFI_BUFFER_TOO_SMALL
) {
2028 ShellPrintHiiEx (-1, -1, NULL
, STRING_TOKEN (STR_IPSEC_CONFIG_ALREADY_EXISTS
), mHiiHandle
, mAppName
);
2029 } else if (ShellCommandLineGetFlag (ParamPackage
, L
"-a")) {
2030 Status
= mIpSecConfig
->SetData (
2038 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"-i");
2039 if (ValueStr
== NULL
) {
2040 ShellPrintHiiEx (-1, -1, NULL
, STRING_TOKEN (STR_IPSEC_CONFIG_INDEX_NOT_SPECIFIED
), mHiiHandle
, mAppName
, ValueStr
);
2041 return EFI_NOT_FOUND
;
2044 Status
= mConstructPolicyEntryIndexer
[DataType
] (&Context
.Indexer
, ParamPackage
);
2045 if (!EFI_ERROR (Status
)) {
2046 Context
.DataType
= DataType
;
2047 Context
.Status
= EFI_NOT_FOUND
;
2048 Context
.Selector
= Selector
;
2049 Context
.Data
= Data
;
2051 ForeachPolicyEntry (DataType
, (VISIT_POLICY_ENTRY
) InsertPolicyEntry
, &Context
);
2052 Status
= Context
.Status
;
2053 if (Status
== EFI_NOT_FOUND
) {
2054 ShellPrintHiiEx (-1, -1, NULL
, STRING_TOKEN (STR_IPSEC_CONFIG_INDEX_NOT_FOUND
), mHiiHandle
, mAppName
, ValueStr
);
2059 gBS
->FreePool (Selector
);
2060 gBS
->FreePool (Data
);
2063 if (Status
== EFI_UNSUPPORTED
) {
2064 ShellPrintHiiEx (-1, -1, NULL
, STRING_TOKEN (STR_IPSEC_CONFIG_INSERT_UNSUPPORT
), mHiiHandle
, mAppName
);
2065 } else if (EFI_ERROR (Status
)) {
2066 ShellPrintHiiEx (-1, -1, NULL
, STRING_TOKEN (STR_IPSEC_CONFIG_INSERT_FAILED
), mHiiHandle
, mAppName
);