2 The implementation of the policy entry operation functions in the IpSecConfig application.
4 Copyright (c) 2009 - 2011, Intel Corporation. All rights reserved.<BR>
6 This program and the accompanying materials
7 are licensed and made available under the terms and conditions of the BSD License
8 which accompanies this distribution. The full text of the license may be found at
9 http://opensource.org/licenses/bsd-license.php.
11 THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
12 WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
16 #include "IpSecConfig.h"
21 #include "PolicyEntryOperation.h"
24 Fill in EFI_IPSEC_SPD_SELECTOR through ParamPackage list.
26 @param[out] Selector The pointer to the EFI_IPSEC_SPD_SELECTOR structure.
27 @param[in] ParamPackage The pointer to the ParamPackage list.
28 @param[in, out] Mask The pointer to the Mask.
30 @retval EFI_SUCCESS Fill in EFI_IPSEC_SPD_SELECTOR successfully.
31 @retval EFI_INVALID_PARAMETER Invalid user input parameter.
36 OUT EFI_IPSEC_SPD_SELECTOR
*Selector
,
37 IN LIST_ENTRY
*ParamPackage
,
42 EFI_STATUS ReturnStatus
;
43 CONST CHAR16
*ValueStr
;
46 ReturnStatus
= EFI_SUCCESS
;
49 // Convert user imput from string to integer, and fill in the member in EFI_IPSEC_SPD_SELECTOR.
51 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--local");
52 if (ValueStr
!= NULL
) {
53 Selector
->LocalAddressCount
= 1;
54 Status
= EfiInetAddrRange ((CHAR16
*) ValueStr
, Selector
->LocalAddress
);
55 if (EFI_ERROR (Status
)) {
60 STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE
),
66 ReturnStatus
= EFI_INVALID_PARAMETER
;
73 // Convert user imput from string to integer, and fill in the member in EFI_IPSEC_SPD_SELECTOR.
75 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--remote");
76 if (ValueStr
!= NULL
) {
77 Selector
->RemoteAddressCount
= 1;
78 Status
= EfiInetAddrRange ((CHAR16
*) ValueStr
, Selector
->RemoteAddress
);
79 if (EFI_ERROR (Status
)) {
84 STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE
),
90 ReturnStatus
= EFI_INVALID_PARAMETER
;
96 Selector
->NextLayerProtocol
= EFI_IPSEC_ANY_PROTOCOL
;
99 // Convert user imput from string to integer, and fill in the member in EFI_IPSEC_SPD_SELECTOR.
104 &Selector
->NextLayerProtocol
,
108 FORMAT_NUMBER
| FORMAT_STRING
110 if (!EFI_ERROR (Status
)) {
114 if (Status
== EFI_INVALID_PARAMETER
) {
115 ReturnStatus
= EFI_INVALID_PARAMETER
;
118 Selector
->LocalPort
= EFI_IPSEC_ANY_PORT
;
119 Selector
->RemotePort
= EFI_IPSEC_ANY_PORT
;
122 // Convert user imput from string to integer, and fill in the member in EFI_IPSEC_SPD_SELECTOR.
124 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--local-port");
125 if (ValueStr
!= NULL
) {
126 Status
= EfiInetPortRange ((CHAR16
*) ValueStr
, &Selector
->LocalPort
, &Selector
->LocalPortRange
);
127 if (EFI_ERROR (Status
)) {
132 STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE
),
138 ReturnStatus
= EFI_INVALID_PARAMETER
;
145 // Convert user imput from string to integer, and fill in the member in EFI_IPSEC_SPD_SELECTOR.
147 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--remote-port");
148 if (ValueStr
!= NULL
) {
149 Status
= EfiInetPortRange ((CHAR16
*) ValueStr
, &Selector
->RemotePort
, &Selector
->RemotePortRange
);
150 if (EFI_ERROR (Status
)) {
155 STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE
),
161 ReturnStatus
= EFI_INVALID_PARAMETER
;
163 *Mask
|= REMOTE_PORT
;
168 // Convert user imput from string to integer, and fill in the member in EFI_IPSEC_SPD_SELECTOR.
173 &Selector
->LocalPort
,
179 if (!EFI_ERROR (Status
)) {
183 if (Status
== EFI_INVALID_PARAMETER
) {
184 ReturnStatus
= EFI_INVALID_PARAMETER
;
188 // Convert user imput from string to integer, and fill in the member in EFI_IPSEC_SPD_SELECTOR.
193 &Selector
->RemotePort
,
199 if (!EFI_ERROR (Status
)) {
203 if (Status
== EFI_INVALID_PARAMETER
) {
204 ReturnStatus
= EFI_INVALID_PARAMETER
;
211 Fill in EFI_IPSEC_SPD_SELECTOR and EFI_IPSEC_SPD_DATA through ParamPackage list.
213 @param[out] Selector The pointer to the EFI_IPSEC_SPD_SELECTOR structure.
214 @param[out] Data The pointer to the EFI_IPSEC_SPD_DATA structure.
215 @param[in] ParamPackage The pointer to the ParamPackage list.
216 @param[out] Mask The pointer to the Mask.
217 @param[in] CreateNew The switch to create new.
219 @retval EFI_SUCCESS Fill in EFI_IPSEC_SPD_SELECTOR and EFI_IPSEC_SPD_DATA successfully.
220 @retval EFI_INVALID_PARAMETER Invalid user input parameter.
225 OUT EFI_IPSEC_SPD_SELECTOR
**Selector
,
226 OUT EFI_IPSEC_SPD_DATA
**Data
,
227 IN LIST_ENTRY
*ParamPackage
,
233 EFI_STATUS ReturnStatus
;
234 CONST CHAR16
*ValueStr
;
237 Status
= EFI_SUCCESS
;
// Allocate the selector together with two EFI_IP_ADDRESS_INFO slots as one zeroed pool
// block; the two slots sit directly behind the selector structure.
// NOTE(review): ASSERT is the only NULL check on this allocation. In a build where
// assertions are disabled, an allocation failure is dereferenced by the next statement.
// Confirm the build configuration, or replace it with an explicit check that returns an error.
240 *Selector
= AllocateZeroPool (sizeof (EFI_IPSEC_SPD_SELECTOR
) + 2 * sizeof (EFI_IP_ADDRESS_INFO
));
241 ASSERT (*Selector
!= NULL
);
// LocalAddress is the first slot after the structure, RemoteAddress the slot after that.
243 (*Selector
)->LocalAddress
= (EFI_IP_ADDRESS_INFO
*) (*Selector
+ 1);
244 (*Selector
)->RemoteAddress
= (*Selector
)->LocalAddress
+ 1;
// Fill the selector from the command-line options; Mask collects the options that were given.
246 ReturnStatus
= CreateSpdSelector (*Selector
, ParamPackage
, Mask
);
250 // NOTE: Allocate enough memory and add padding for different arch.
// Every term in this size is a sizeof of a fixed structure; no user-supplied length is involved.
252 DataSize
= ALIGN_VARIABLE (sizeof (EFI_IPSEC_SPD_DATA
));
253 DataSize
= ALIGN_VARIABLE (DataSize
+ sizeof (EFI_IPSEC_PROCESS_POLICY
));
254 DataSize
+= sizeof (EFI_IPSEC_TUNNEL_OPTION
);
// NOTE(review): as above, the result is checked by ASSERT only.
256 *Data
= AllocateZeroPool (DataSize
);
257 ASSERT (*Data
!= NULL
);
259 (*Data
)->ProcessingPolicy
= (EFI_IPSEC_PROCESS_POLICY
*) ALIGN_POINTER (
263 (*Data
)->ProcessingPolicy
->TunnelOption
= (EFI_IPSEC_TUNNEL_OPTION
*) ALIGN_POINTER (
264 ((*Data
)->ProcessingPolicy
+ 1),
270 // Convert the --name value from a wide string to ASCII, and fill in the Name in EFI_IPSEC_SPD_DATA.
// NOTE(review): UnicodeStrToAsciiStr is called without a destination size, and the length
// of the --name value is not compared with the capacity of Name before the copy. Assuming
// Name is a fixed-size array member (confirm), a longer value is written past the field
// inside the pool block allocated for *Data. Check StrLen (ValueStr) against the field
// size first and report EFI_INVALID_PARAMETER when it does not fit.
272 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--name");
273 if (ValueStr
!= NULL
) {
274 UnicodeStrToAsciiStr (ValueStr
, (CHAR8
*) (*Data
)->Name
);
279 // Convert user imput from string to integer, and fill in the PackageFlag in EFI_IPSEC_SPD_DATA.
284 &(*Data
)->PackageFlag
,
290 if (!EFI_ERROR (Status
)) {
291 *Mask
|= PACKET_FLAG
;
294 if (Status
== EFI_INVALID_PARAMETER
) {
295 ReturnStatus
= EFI_INVALID_PARAMETER
;
299 // Convert user imput from string to integer, and fill in the Action in EFI_IPSEC_SPD_DATA.
310 if (!EFI_ERROR (Status
)) {
314 if (Status
== EFI_INVALID_PARAMETER
) {
315 ReturnStatus
= EFI_INVALID_PARAMETER
;
319 // Convert user imput from string to integer, and fill in the ExtSeqNum in EFI_IPSEC_SPD_DATA.
321 if (ShellCommandLineGetFlag (ParamPackage
, L
"--ext-sequence")) {
322 (*Data
)->ProcessingPolicy
->ExtSeqNum
= TRUE
;
323 *Mask
|= EXT_SEQUENCE
;
324 } else if (ShellCommandLineGetFlag (ParamPackage
, L
"--ext-sequence-")) {
325 (*Data
)->ProcessingPolicy
->ExtSeqNum
= FALSE
;
326 *Mask
|= EXT_SEQUENCE
;
330 // Convert user imput from string to integer, and fill in the SeqOverflow in EFI_IPSEC_SPD_DATA.
332 if (ShellCommandLineGetFlag (ParamPackage
, L
"--sequence-overflow")) {
333 (*Data
)->ProcessingPolicy
->SeqOverflow
= TRUE
;
334 *Mask
|= SEQUENCE_OVERFLOW
;
335 } else if (ShellCommandLineGetFlag (ParamPackage
, L
"--sequence-overflow-")) {
336 (*Data
)->ProcessingPolicy
->SeqOverflow
= FALSE
;
337 *Mask
|= SEQUENCE_OVERFLOW
;
341 // Convert user imput from string to integer, and fill in the FragCheck in EFI_IPSEC_SPD_DATA.
343 if (ShellCommandLineGetFlag (ParamPackage
, L
"--fragment-check")) {
344 (*Data
)->ProcessingPolicy
->FragCheck
= TRUE
;
345 *Mask
|= FRAGMENT_CHECK
;
346 } else if (ShellCommandLineGetFlag (ParamPackage
, L
"--fragment-check-")) {
347 (*Data
)->ProcessingPolicy
->FragCheck
= FALSE
;
348 *Mask
|= FRAGMENT_CHECK
;
352 // Convert user imput from string to integer, and fill in the ProcessingPolicy in EFI_IPSEC_SPD_DATA.
357 &(*Data
)->ProcessingPolicy
->SaLifetime
.ByteCount
,
363 if (!EFI_ERROR (Status
)) {
367 if (Status
== EFI_INVALID_PARAMETER
) {
368 ReturnStatus
= EFI_INVALID_PARAMETER
;
374 &(*Data
)->ProcessingPolicy
->SaLifetime
.HardLifetime
,
380 if (!EFI_ERROR (Status
)) {
383 if (Status
== EFI_INVALID_PARAMETER
) {
384 ReturnStatus
= EFI_INVALID_PARAMETER
;
390 &(*Data
)->ProcessingPolicy
->SaLifetime
.SoftLifetime
,
396 if (!EFI_ERROR (Status
)) {
397 *Mask
|= LIFETIME_SOFT
;
400 if (Status
== EFI_INVALID_PARAMETER
) {
401 ReturnStatus
= EFI_INVALID_PARAMETER
;
404 (*Data
)->ProcessingPolicy
->Mode
= EfiIPsecTransport
;
408 &(*Data
)->ProcessingPolicy
->Mode
,
414 if (!EFI_ERROR (Status
)) {
418 if (Status
== EFI_INVALID_PARAMETER
) {
419 ReturnStatus
= EFI_INVALID_PARAMETER
;
422 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--tunnel-local");
423 if (ValueStr
!= NULL
) {
424 Status
= EfiInetAddr2 ((CHAR16
*) ValueStr
, &(*Data
)->ProcessingPolicy
->TunnelOption
->LocalTunnelAddress
);
425 if (EFI_ERROR (Status
)) {
430 STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE
),
436 ReturnStatus
= EFI_INVALID_PARAMETER
;
438 *Mask
|= TUNNEL_LOCAL
;
442 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--tunnel-remote");
443 if (ValueStr
!= NULL
) {
444 Status
= EfiInetAddr2 ((CHAR16
*) ValueStr
, &(*Data
)->ProcessingPolicy
->TunnelOption
->RemoteTunnelAddress
);
445 if (EFI_ERROR (Status
)) {
450 STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE
),
456 ReturnStatus
= EFI_INVALID_PARAMETER
;
458 *Mask
|= TUNNEL_REMOTE
;
462 (*Data
)->ProcessingPolicy
->TunnelOption
->DF
= EfiIPsecTunnelCopyDf
;
466 &(*Data
)->ProcessingPolicy
->TunnelOption
->DF
,
472 if (!EFI_ERROR (Status
)) {
473 *Mask
|= DONT_FRAGMENT
;
476 if (Status
== EFI_INVALID_PARAMETER
) {
477 ReturnStatus
= EFI_INVALID_PARAMETER
;
480 (*Data
)->ProcessingPolicy
->Proto
= EfiIPsecESP
;
484 &(*Data
)->ProcessingPolicy
->Proto
,
490 if (!EFI_ERROR (Status
)) {
491 *Mask
|= IPSEC_PROTO
;
494 if (Status
== EFI_INVALID_PARAMETER
) {
495 ReturnStatus
= EFI_INVALID_PARAMETER
;
501 &(*Data
)->ProcessingPolicy
->EncAlgoId
,
507 if (!EFI_ERROR (Status
)) {
508 *Mask
|= ENCRYPT_ALGO
;
511 if (Status
== EFI_INVALID_PARAMETER
) {
512 ReturnStatus
= EFI_INVALID_PARAMETER
;
518 &(*Data
)->ProcessingPolicy
->AuthAlgoId
,
524 if (!EFI_ERROR (Status
)) {
528 if (Status
== EFI_INVALID_PARAMETER
) {
529 ReturnStatus
= EFI_INVALID_PARAMETER
;
533 // Cannot check Mode against EfiIPsecTunnel, because user may want to change tunnel_remote only so the Mode is not set.
535 if ((*Mask
& (TUNNEL_LOCAL
| TUNNEL_REMOTE
| DONT_FRAGMENT
)) == 0) {
536 (*Data
)->ProcessingPolicy
->TunnelOption
= NULL
;
539 if ((*Mask
& (EXT_SEQUENCE
| SEQUENCE_OVERFLOW
| FRAGMENT_CHECK
| LIFEBYTE
|
540 LIFETIME_SOFT
| LIFETIME
| MODE
| TUNNEL_LOCAL
| TUNNEL_REMOTE
|
541 DONT_FRAGMENT
| IPSEC_PROTO
| AUTH_ALGO
| ENCRYPT_ALGO
)) == 0) {
542 if ((*Data
)->Action
!= EfiIPsecActionProtect
) {
544 // User may not provide additional parameter for Protect action, so we cannot simply set ProcessingPolicy to NULL.
546 (*Data
)->ProcessingPolicy
= NULL
;
551 if ((*Mask
& (LOCAL
| REMOTE
| PROTO
| ACTION
)) != (LOCAL
| REMOTE
| PROTO
| ACTION
)) {
556 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS
),
559 L
"--local --remote --proto --action"
561 ReturnStatus
= EFI_INVALID_PARAMETER
;
562 } else if (((*Data
)->Action
== EfiIPsecActionProtect
) &&
563 ((*Data
)->ProcessingPolicy
->Mode
== EfiIPsecTunnel
) &&
564 ((*Mask
& (TUNNEL_LOCAL
| TUNNEL_REMOTE
)) != (TUNNEL_LOCAL
| TUNNEL_REMOTE
))) {
569 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS
),
572 L
"--tunnel-local --tunnel-remote"
574 ReturnStatus
= EFI_INVALID_PARAMETER
;
582 Fill in EFI_IPSEC_SA_ID and EFI_IPSEC_SA_DATA2 through ParamPackage list.
584 @param[out] SaId The pointer to the EFI_IPSEC_SA_ID structure.
585 @param[out] Data The pointer to the EFI_IPSEC_SA_DATA2 structure.
586 @param[in] ParamPackage The pointer to the ParamPackage list.
587 @param[out] Mask The pointer to the Mask.
588 @param[in] CreateNew The switch to create new.
590 @retval EFI_SUCCESS Fill in EFI_IPSEC_SA_ID and EFI_IPSEC_SA_DATA2 successfully.
591 @retval EFI_INVALID_PARAMETER Invalid user input parameter.
596 OUT EFI_IPSEC_SA_ID
**SaId
,
597 OUT EFI_IPSEC_SA_DATA2
**Data
,
598 IN LIST_ENTRY
*ParamPackage
,
604 EFI_STATUS ReturnStatus
;
607 CONST CHAR16
*ValueStr
;
611 Status
= EFI_SUCCESS
;
612 ReturnStatus
= EFI_SUCCESS
;
// Allocate the zeroed SA identifier returned through SaId.
// NOTE(review): ASSERT is the only NULL check on this allocation. In a build where
// assertions are disabled, a failed allocation is dereferenced by the GetNumber call below.
617 *SaId
= AllocateZeroPool (sizeof (EFI_IPSEC_SA_ID
));
618 ASSERT (*SaId
!= NULL
);
621 // Convert user input from string to integer, and fill in the Spi in EFI_IPSEC_SA_ID.
// The value is written into a UINT32-sized field.
// NOTE(review): the second argument, (UINT32) -1, looks like the largest value accepted - confirm against GetNumber.
623 Status
= GetNumber (L
"--spi", (UINT32
) -1, &(*SaId
)->Spi
, sizeof (UINT32
), NULL
, ParamPackage
, FORMAT_NUMBER
);
624 if (!EFI_ERROR (Status
)) {
628 if (Status
== EFI_INVALID_PARAMETER
) {
629 ReturnStatus
= EFI_INVALID_PARAMETER
;
633 // Convert user imput from string to integer, and fill in the Proto in EFI_IPSEC_SA_ID.
639 sizeof (EFI_IPSEC_PROTOCOL_TYPE
),
644 if (!EFI_ERROR (Status
)) {
645 *Mask
|= IPSEC_PROTO
;
648 if (Status
== EFI_INVALID_PARAMETER
) {
649 ReturnStatus
= EFI_INVALID_PARAMETER
;
653 // Measure the --auth-key and --encrypt-key values; the lengths size the EFI_IPSEC_SA_DATA2 allocation below.
// The key length is the number of characters typed for the option, so each character
// later becomes one key byte.
// NOTE(review): no check against the key size required by the selected algorithm is
// visible in this listing - confirm it is enforced somewhere before the SA is installed.
// NOTE(review): the value AuthKeyLength/EncKeyLength hold when the option is absent is set
// outside the lines shown - confirm both start at 0, since they feed the allocation size.
655 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--auth-key");
656 if (ValueStr
!= NULL
) {
657 AuthKeyLength
= StrLen (ValueStr
);
660 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--encrypt-key");
661 if (ValueStr
!= NULL
) {
662 EncKeyLength
= StrLen (ValueStr
);
666 // EFI_IPSEC_SA_DATA2:
668 // | EFI_IPSEC_SA_DATA2
669 // +-----------------------
671 // +-------------------------
673 // +-------------------------
676 // Notes: To make sure the address alignment add padding after each data if needed.
// Size of one pool block holding, in order: the SA data structure, the authentication key,
// the encryption key, an SPD selector and two EFI_IP_ADDRESS_INFO entries.
// AuthKeyLength and EncKeyLength are user-controlled (string lengths of the key options).
678 DataSize
= ALIGN_VARIABLE (sizeof (EFI_IPSEC_SA_DATA2
));
679 DataSize
= ALIGN_VARIABLE (DataSize
+ AuthKeyLength
);
680 DataSize
= ALIGN_VARIABLE (DataSize
+ EncKeyLength
);
681 DataSize
= ALIGN_VARIABLE (DataSize
+ sizeof (EFI_IPSEC_SPD_SELECTOR
));
682 DataSize
= ALIGN_VARIABLE (DataSize
+ sizeof (EFI_IP_ADDRESS_INFO
));
683 DataSize
+= sizeof (EFI_IP_ADDRESS_INFO
);
// NOTE(review): ASSERT is the only NULL check on this allocation; with assertions disabled
// a failure is dereferenced by the assignments that follow.
687 *Data
= AllocateZeroPool (DataSize
);
688 ASSERT (*Data
!= NULL
);
// Mark the SA as manually configured.
690 (*Data
)->ManualSet
= TRUE
;
// The authentication key area starts at the first UINTN-aligned address after the structure.
691 (*Data
)->AlgoInfo
.EspAlgoInfo
.AuthKey
= (VOID
*) ALIGN_POINTER (((*Data
) + 1), sizeof (UINTN
));
692 (*Data
)->AlgoInfo
.EspAlgoInfo
.EncKey
= (VOID
*) ALIGN_POINTER (
693 ((UINT8
*) (*Data
)->AlgoInfo
.EspAlgoInfo
.AuthKey
+ AuthKeyLength
),
696 (*Data
)->SpdSelector
= (EFI_IPSEC_SPD_SELECTOR
*) ALIGN_POINTER (
697 ((UINT8
*) (*Data
)->AlgoInfo
.EspAlgoInfo
.EncKey
+ EncKeyLength
),
700 (*Data
)->SpdSelector
->LocalAddress
= (EFI_IP_ADDRESS_INFO
*) ALIGN_POINTER (
701 ((UINT8
*) (*Data
)->SpdSelector
+ sizeof (EFI_IPSEC_SPD_SELECTOR
)),
703 (*Data
)->SpdSelector
->RemoteAddress
= (EFI_IP_ADDRESS_INFO
*) ALIGN_POINTER (
704 (*Data
)->SpdSelector
->LocalAddress
+ 1,
708 (*Data
)->Mode
= EfiIPsecTransport
;
713 sizeof (EFI_IPSEC_MODE
),
718 if (!EFI_ERROR (Status
)) {
722 if (Status
== EFI_INVALID_PARAMETER
) {
723 ReturnStatus
= EFI_INVALID_PARAMETER
;
727 // According to RFC 4303-3.3.3. The first packet sent using a given SA
728 // will contain a sequence number of 1.
730 (*Data
)->SNCount
= 1;
732 L
"--sequence-number",
740 if (!EFI_ERROR (Status
)) {
741 *Mask
|= SEQUENCE_NUMBER
;
744 if (Status
== EFI_INVALID_PARAMETER
) {
745 ReturnStatus
= EFI_INVALID_PARAMETER
;
748 (*Data
)->AntiReplayWindows
= 0;
750 L
"--antireplay-window",
752 &(*Data
)->AntiReplayWindows
,
758 if (!EFI_ERROR (Status
)) {
759 *Mask
|= SEQUENCE_NUMBER
;
762 if (Status
== EFI_INVALID_PARAMETER
) {
763 ReturnStatus
= EFI_INVALID_PARAMETER
;
769 &(*Data
)->AlgoInfo
.EspAlgoInfo
.EncAlgoId
,
775 if (!EFI_ERROR (Status
)) {
776 *Mask
|= ENCRYPT_ALGO
;
779 if (Status
== EFI_INVALID_PARAMETER
) {
780 ReturnStatus
= EFI_INVALID_PARAMETER
;
// Copy the --encrypt-key text into the key area reserved inside *Data.
// EncKeyLength was taken from StrLen of this same option value, so the temporary buffer
// (EncKeyLength + 1 bytes) holds the converted string and its terminator exactly.
// NOTE(review): the AllocateZeroPool result is passed to UnicodeStrToAsciiStr without a
// NULL check.
// NOTE(review): AsciiStr holds the key in clear. The statement that releases it is not
// shown in this listing - confirm the buffer is wiped before it is freed.
// NOTE(review): the key arrives as command-line text narrowed to one byte per character,
// so only values that can be typed as characters are possible key bytes.
783 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--encrypt-key");
784 if (ValueStr
!= NULL
) {
785 (*Data
)->AlgoInfo
.EspAlgoInfo
.EncKeyLength
= EncKeyLength
;
786 AsciiStr
= AllocateZeroPool (EncKeyLength
+ 1);
787 UnicodeStrToAsciiStr (ValueStr
, AsciiStr
);
// Only the key bytes are copied; the terminator is left out.
788 CopyMem ((*Data
)->AlgoInfo
.EspAlgoInfo
.EncKey
, AsciiStr
, EncKeyLength
);
790 *Mask
|= ENCRYPT_KEY
;
// Presumably the branch for an absent --encrypt-key (the branch line is not shown): no key pointer.
792 (*Data
)->AlgoInfo
.EspAlgoInfo
.EncKey
= NULL
;
798 &(*Data
)->AlgoInfo
.EspAlgoInfo
.AuthAlgoId
,
804 if (!EFI_ERROR (Status
)) {
808 if (Status
== EFI_INVALID_PARAMETER
) {
809 ReturnStatus
= EFI_INVALID_PARAMETER
;
// Copy the --auth-key text into the key area reserved inside *Data.
// AuthKeyLength was taken from StrLen of this same option value, so the temporary buffer
// (AuthKeyLength + 1 bytes) holds the converted string and its terminator exactly.
// NOTE(review): the AllocateZeroPool result is passed to UnicodeStrToAsciiStr without a
// NULL check.
// NOTE(review): AsciiStr holds the key in clear. The statement that releases it is not
// shown in this listing - confirm the buffer is wiped before it is freed.
812 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--auth-key");
813 if (ValueStr
!= NULL
) {
814 (*Data
)->AlgoInfo
.EspAlgoInfo
.AuthKeyLength
= AuthKeyLength
;
815 AsciiStr
= AllocateZeroPool (AuthKeyLength
+ 1);
816 UnicodeStrToAsciiStr (ValueStr
, AsciiStr
);
// Only the key bytes are copied; the terminator is left out.
817 CopyMem ((*Data
)->AlgoInfo
.EspAlgoInfo
.AuthKey
, AsciiStr
, AuthKeyLength
);
// Presumably the branch for an absent --auth-key (the branch line is not shown): no key pointer.
821 (*Data
)->AlgoInfo
.EspAlgoInfo
.AuthKey
= NULL
;
827 &(*Data
)->SaLifetime
.ByteCount
,
833 if (!EFI_ERROR (Status
)) {
837 if (Status
== EFI_INVALID_PARAMETER
) {
838 ReturnStatus
= EFI_INVALID_PARAMETER
;
844 &(*Data
)->SaLifetime
.HardLifetime
,
850 if (!EFI_ERROR (Status
)) {
854 if (Status
== EFI_INVALID_PARAMETER
) {
855 ReturnStatus
= EFI_INVALID_PARAMETER
;
861 &(*Data
)->SaLifetime
.SoftLifetime
,
867 if (!EFI_ERROR (Status
)) {
868 *Mask
|= LIFETIME_SOFT
;
871 if (Status
== EFI_INVALID_PARAMETER
) {
872 ReturnStatus
= EFI_INVALID_PARAMETER
;
884 if (!EFI_ERROR (Status
)) {
888 if (Status
== EFI_INVALID_PARAMETER
) {
889 ReturnStatus
= EFI_INVALID_PARAMETER
;
893 // Parse the --tunnel-dest address string and store it in TunnelDestinationAddress of the SA data.
// The cast drops the CONST qualifier of ValueStr for the call.
// A parse failure is reported as EFI_INVALID_PARAMETER through ReturnStatus.
895 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--tunnel-dest");
896 if (ValueStr
!= NULL
) {
897 Status
= EfiInetAddr2 ((CHAR16
*) ValueStr
, &(*Data
)->TunnelDestinationAddress
);
898 if (EFI_ERROR (Status
)) {
903 STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE
),
909 ReturnStatus
= EFI_INVALID_PARAMETER
;
916 // Parse the --tunnel-source address string and store it in TunnelSourceAddress of the SA data.
918 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--tunnel-source");
919 if (ValueStr
!= NULL
) {
920 Status
= EfiInetAddr2 ((CHAR16
*) ValueStr
, &(*Data
)->TunnelSourceAddress
);
921 if (EFI_ERROR (Status
)) {
926 STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE
),
932 ReturnStatus
= EFI_INVALID_PARAMETER
;
939 // If it is TunnelMode, then check if the tunnel-source and --tunnel-dest are set
941 if ((*Data
)->Mode
== EfiIPsecTunnel
) {
942 if ((*Mask
& (DEST
|SOURCE
)) != (DEST
|SOURCE
)) {
947 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS
),
950 L
"--tunnel-source --tunnel-dest"
952 ReturnStatus
= EFI_INVALID_PARAMETER
;
955 ReturnStatus
= CreateSpdSelector ((*Data
)->SpdSelector
, ParamPackage
, Mask
);
958 if ((*Mask
& (SPI
|IPSEC_PROTO
|LOCAL
|REMOTE
)) != (SPI
|IPSEC_PROTO
|LOCAL
|REMOTE
)) {
963 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS
),
966 L
"--spi --ipsec-proto --local --remote"
968 ReturnStatus
= EFI_INVALID_PARAMETER
;
970 if ((*SaId
)->Proto
== EfiIPsecAH
) {
971 if ((*Mask
& AUTH_ALGO
) == 0) {
976 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_PARAMETER
),
981 ReturnStatus
= EFI_INVALID_PARAMETER
;
982 } else if ((*Data
)->AlgoInfo
.EspAlgoInfo
.AuthAlgoId
!= IPSEC_AALG_NONE
&& (*Mask
& AUTH_KEY
) == 0) {
987 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_PARAMETER
),
992 ReturnStatus
= EFI_INVALID_PARAMETER
;
995 if ((*Mask
& (ENCRYPT_ALGO
|AUTH_ALGO
)) != (ENCRYPT_ALGO
|AUTH_ALGO
) ) {
1000 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_PARAMETER
),
1003 L
"--encrypt-algo --auth-algo"
1005 ReturnStatus
= EFI_INVALID_PARAMETER
;
1006 } else if ((*Data
)->AlgoInfo
.EspAlgoInfo
.EncAlgoId
!= IPSEC_EALG_NONE
&& (*Mask
& ENCRYPT_KEY
) == 0) {
1011 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_PARAMETER
),
1016 ReturnStatus
= EFI_INVALID_PARAMETER
;
1017 } else if ((*Data
)->AlgoInfo
.EspAlgoInfo
.AuthAlgoId
!= IPSEC_AALG_NONE
&& (*Mask
& AUTH_KEY
) == 0) {
1022 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_PARAMETER
),
1027 ReturnStatus
= EFI_INVALID_PARAMETER
;
1033 return ReturnStatus
;
1037 Fill in EFI_IPSEC_PAD_ID and EFI_IPSEC_PAD_DATA through ParamPackage list.
1039 @param[out] PadId The pointer to the EFI_IPSEC_PAD_ID structure.
1040 @param[out] Data The pointer to the EFI_IPSEC_PAD_DATA structure.
1041 @param[in] ParamPackage The pointer to the ParamPackage list.
1042 @param[out] Mask The pointer to the Mask.
1043 @param[in] CreateNew The switch to create new.
1045 @retval EFI_SUCCESS Fill in EFI_IPSEC_PAD_ID and EFI_IPSEC_PAD_DATA successfully.
1046 @retval EFI_INVALID_PARAMETER Invalid user input parameter.
1051 OUT EFI_IPSEC_PAD_ID
**PadId
,
1052 OUT EFI_IPSEC_PAD_DATA
**Data
,
1053 IN LIST_ENTRY
*ParamPackage
,
1055 IN BOOLEAN CreateNew
1059 EFI_STATUS ReturnStatus
;
1060 SHELL_FILE_HANDLE FileHandle
;
1062 UINTN AuthDataLength
;
1063 UINTN RevocationDataLength
;
1066 CONST CHAR16
*ValueStr
;
1069 Status
= EFI_SUCCESS
;
1070 ReturnStatus
= EFI_SUCCESS
;
1073 RevocationDataLength
= 0;
1075 *PadId
= AllocateZeroPool (sizeof (EFI_IPSEC_PAD_ID
));
1076 ASSERT (*PadId
!= NULL
);
1079 // Convert user imput from string to integer, and fill in EFI_IPSEC_PAD_ID.
1081 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--peer-address");
1082 if (ValueStr
!= NULL
) {
1083 (*PadId
)->PeerIdValid
= FALSE
;
1084 Status
= EfiInetAddrRange ((CHAR16
*) ValueStr
, &(*PadId
)->Id
.IpAddress
);
1085 if (EFI_ERROR (Status
)) {
1090 STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE
),
1096 ReturnStatus
= EFI_INVALID_PARAMETER
;
1098 *Mask
|= PEER_ADDRESS
;
// Store the --peer-id text in the PAD identifier and mark the identifier as a peer ID.
// NOTE(review): the destination is cast to CHAR16 *, which suggests PeerId is not declared
// as a CHAR16 array. If it is a byte array, ARRAY_SIZE counts bytes while StrnCpy counts
// CHAR16 characters, so the bound allows about twice the field's capacity to be written.
// Confirm the element type; for a byte array the bound should be the element count
// divided by sizeof (CHAR16), minus one for the terminator.
1102 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--peer-id");
1103 if (ValueStr
!= NULL
) {
1104 (*PadId
)->PeerIdValid
= TRUE
;
1105 StrnCpy ((CHAR16
*) (*PadId
)->Id
.PeerId
, ValueStr
, ARRAY_SIZE ((*PadId
)->Id
.PeerId
) - 1);
// First pass over --auth-data: only determine how many bytes the data needs, so the
// EFI_IPSEC_PAD_DATA block can be sized before anything is copied.
1109 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--auth-data");
1110 if (ValueStr
!= NULL
) {
1111 if (ValueStr
[0] == L
'@') {
1113 // Input is a file: --auth-data "@fs1:\My Certificates\tom.dat"
// Everything after the '@' is used as the file name; the file is opened read-only.
1115 Status
= ShellOpenFileByName (&ValueStr
[1], &FileHandle
, EFI_FILE_MODE_READ
, 0);
1116 if (EFI_ERROR (Status
)) {
1121 STRING_TOKEN (STR_IPSEC_CONFIG_FILE_OPEN_FAILED
),
1126 ReturnStatus
= EFI_INVALID_PARAMETER
;
// The handle is closed right after the size query; the content is read later in this
// function through a second open of the same name.
// NOTE(review): the file can change between the two opens. The later read is capped at
// AuthDataLength, so a larger file cannot overrun the buffer, but a smaller one yields a short read.
1128 Status
= ShellGetFileSize (FileHandle
, &FileSize
);
1129 ShellCloseFile (&FileHandle
);
1130 if (EFI_ERROR (Status
)) {
1135 STRING_TOKEN (STR_IPSEC_CONFIG_FILE_OPEN_FAILED
),
1140 ReturnStatus
= EFI_INVALID_PARAMETER
;
// NOTE(review): the declared type of FileSize is not shown. If it is wider than UINTN,
// this cast truncates the size of a very large file - confirm and reject oversized files.
1142 AuthDataLength
= (UINTN
) FileSize
;
// Inline data: the length is the character count of the option value.
1146 AuthDataLength
= StrLen (ValueStr
);
1150 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--revocation-data");
1151 if (ValueStr
!= NULL
) {
1152 RevocationDataLength
= (StrLen (ValueStr
) + 1) * sizeof (CHAR16
);
1156 // Allocate Buffer for Data. Add padding after each struct to make sure the alignment
1157 // in different Arch.
// AuthDataLength and RevocationDataLength come from user input (a file size or option
// string lengths).
// NOTE(review): the sums are not checked for wrap-around before the allocation.
1159 DataSize
= ALIGN_VARIABLE (sizeof (EFI_IPSEC_PAD_DATA
));
1160 DataSize
= ALIGN_VARIABLE (DataSize
+ AuthDataLength
);
1161 DataSize
+= RevocationDataLength
;
// NOTE(review): ASSERT is the only NULL check on this allocation; with assertions disabled
// a failure is dereferenced by the assignments that follow.
1163 *Data
= AllocateZeroPool (DataSize
);
1164 ASSERT (*Data
!= NULL
);
// AuthData starts at the first UINTN-aligned address after the structure.
1166 (*Data
)->AuthData
= (VOID
*) ALIGN_POINTER ((*Data
+ 1), sizeof (UINTN
));
// NOTE(review): RevocationData is derived from (*Data + 1), not from the aligned AuthData
// pointer. The two agree only if the structure size is already a multiple of
// sizeof (UINTN); otherwise this address can fall inside the AuthData area - confirm.
1167 (*Data
)->RevocationData
= (VOID
*) ALIGN_POINTER (((UINT8
*) (*Data
+ 1) + AuthDataLength
), sizeof (UINTN
));
// Value stored in AuthProtocol before the option parsing that follows.
1168 (*Data
)->AuthProtocol
= EfiIPsecAuthProtocolIKEv1
;
1171 // Convert user imput from string to integer, and fill in EFI_IPSEC_PAD_DATA.
1173 Status
= GetNumber (
1176 &(*Data
)->AuthProtocol
,
1177 sizeof (EFI_IPSEC_AUTH_PROTOCOL_TYPE
),
1182 if (!EFI_ERROR (Status
)) {
1183 *Mask
|= AUTH_PROTO
;
1186 if (Status
== EFI_INVALID_PARAMETER
) {
1187 ReturnStatus
= EFI_INVALID_PARAMETER
;
1190 Status
= GetNumber (
1193 &(*Data
)->AuthMethod
,
1194 sizeof (EFI_IPSEC_AUTH_METHOD
),
1199 if (!EFI_ERROR (Status
)) {
1200 *Mask
|= AUTH_METHOD
;
1203 if (Status
== EFI_INVALID_PARAMETER
) {
1204 ReturnStatus
= EFI_INVALID_PARAMETER
;
1207 if (ShellCommandLineGetFlag (ParamPackage
, L
"--ike-id")) {
1208 (*Data
)->IkeIdFlag
= TRUE
;
1212 if (ShellCommandLineGetFlag (ParamPackage
, L
"--ike-id-")) {
1213 (*Data
)->IkeIdFlag
= FALSE
;
// Second pass over --auth-data: copy the data into the AuthData area of *Data.
1217 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--auth-data");
1218 if (ValueStr
!= NULL
) {
1219 if (ValueStr
[0] == L
'@') {
1221 // Input is a file: --auth-data "@fs1:\My Certificates\tom.dat"
// The file is opened again by name; its size was measured earlier on a separate handle.
1224 Status
= ShellOpenFileByName (&ValueStr
[1], &FileHandle
, EFI_FILE_MODE_READ
, 0);
1225 if (EFI_ERROR (Status
)) {
1230 STRING_TOKEN (STR_IPSEC_CONFIG_FILE_OPEN_FAILED
),
1235 ReturnStatus
= EFI_INVALID_PARAMETER
;
1236 (*Data
)->AuthData
= NULL
;
// The read is capped at AuthDataLength, the size the buffer was allocated for.
1238 DataLength
= AuthDataLength
;
1239 Status
= ShellReadFile (FileHandle
, &DataLength
, (*Data
)->AuthData
);
1240 ShellCloseFile (&FileHandle
);
1241 if (EFI_ERROR (Status
)) {
1246 STRING_TOKEN (STR_IPSEC_CONFIG_FILE_OPEN_FAILED
),
1251 ReturnStatus
= EFI_INVALID_PARAMETER
;
1252 (*Data
)->AuthData
= NULL
;
// NOTE(review): a short read (for example, the file shrank after it was measured) is
// caught by ASSERT only; with assertions disabled the tail of the buffer stays zero-filled.
1254 ASSERT (DataLength
== AuthDataLength
);
// Inline data: each CHAR16 of the option value is narrowed to one CHAR8; the upper byte
// of a character is discarded.
1259 for (Index
= 0; Index
< AuthDataLength
; Index
++) {
1260 ((CHAR8
*) (*Data
)->AuthData
)[Index
] = (CHAR8
) ValueStr
[Index
];
// NOTE(review): the recorded size is AuthDataLength, not the byte count returned by
// ShellReadFile - confirm this is intended if the assignment also covers the file branch.
1262 (*Data
)->AuthDataSize
= AuthDataLength
;
1267 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--revocation-data");
1268 if (ValueStr
!= NULL
) {
1269 CopyMem ((*Data
)->RevocationData
, ValueStr
, RevocationDataLength
);
1270 (*Data
)->RevocationDataSize
= RevocationDataLength
;
1271 *Mask
|= REVOCATION_DATA
;
1273 (*Data
)->RevocationData
= NULL
;
1277 if ((*Mask
& (PEER_ID
| PEER_ADDRESS
)) == 0) {
1282 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS
),
1285 L
"--peer-id --peer-address"
1287 ReturnStatus
= EFI_INVALID_PARAMETER
;
1288 } else if ((*Mask
& (AUTH_METHOD
| AUTH_DATA
)) != (AUTH_METHOD
| AUTH_DATA
)) {
1293 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS
),
1296 L
"--auth-method --auth-data"
1298 ReturnStatus
= EFI_INVALID_PARAMETER
;
1302 return ReturnStatus
;
// Table of the entry constructors in this file, in the order SPD, SAD, PAD.
// NOTE(review): the three functions take differently typed first and second parameters and
// are cast to the common CREATE_POLICY_ENTRY type, so the compiler no longer checks the
// arguments at the call site. Confirm every caller indexes the table with the database
// type that matches the pointers it passes.
1305 CREATE_POLICY_ENTRY mCreatePolicyEntry
[] = {
1306 (CREATE_POLICY_ENTRY
) CreateSpdEntry
,
1307 (CREATE_POLICY_ENTRY
) CreateSadEntry
,
1308 (CREATE_POLICY_ENTRY
) CreatePadEntry
1312 Combine old SPD entry with new SPD entry.
1314 @param[in, out] OldSelector The pointer to the EFI_IPSEC_SPD_SELECTOR structure.
1315 @param[in, out] OldData The pointer to the EFI_IPSEC_SPD_DATA structure.
1316 @param[in] NewSelector The pointer to the EFI_IPSEC_SPD_SELECTOR structure.
1317 @param[in] NewData The pointer to the EFI_IPSEC_SPD_DATA structure.
1318 @param[in] Mask The pointer to the Mask.
1319 @param[out] CreateNew The switch to create new.
1321 @retval EFI_SUCCESS Combined successfully.
1322 @retval EFI_INVALID_PARAMETER Invalid user input parameter.
1327 IN OUT EFI_IPSEC_SPD_SELECTOR
*OldSelector
,
1328 IN OUT EFI_IPSEC_SPD_DATA
*OldData
,
1329 IN EFI_IPSEC_SPD_SELECTOR
*NewSelector
,
1330 IN EFI_IPSEC_SPD_DATA
*NewData
,
1332 OUT BOOLEAN
*CreateNew
1340 if ((Mask
& LOCAL
) == 0) {
1341 NewSelector
->LocalAddressCount
= OldSelector
->LocalAddressCount
;
1342 NewSelector
->LocalAddress
= OldSelector
->LocalAddress
;
1343 } else if ((NewSelector
->LocalAddressCount
!= OldSelector
->LocalAddressCount
) ||
1344 (CompareMem (NewSelector
->LocalAddress
, OldSelector
->LocalAddress
, NewSelector
->LocalAddressCount
* sizeof (EFI_IP_ADDRESS_INFO
)) != 0)) {
1348 if ((Mask
& REMOTE
) == 0) {
1349 NewSelector
->RemoteAddressCount
= OldSelector
->RemoteAddressCount
;
1350 NewSelector
->RemoteAddress
= OldSelector
->RemoteAddress
;
1351 } else if ((NewSelector
->RemoteAddressCount
!= OldSelector
->RemoteAddressCount
) ||
1352 (CompareMem (NewSelector
->RemoteAddress
, OldSelector
->RemoteAddress
, NewSelector
->RemoteAddressCount
* sizeof (EFI_IP_ADDRESS_INFO
)) != 0)) {
1356 if ((Mask
& PROTO
) == 0) {
1357 NewSelector
->NextLayerProtocol
= OldSelector
->NextLayerProtocol
;
1358 } else if (NewSelector
->NextLayerProtocol
!= OldSelector
->NextLayerProtocol
) {
1362 switch (NewSelector
->NextLayerProtocol
) {
1363 case EFI_IP4_PROTO_TCP
:
1364 case EFI_IP4_PROTO_UDP
:
1365 if ((Mask
& LOCAL_PORT
) == 0) {
1366 NewSelector
->LocalPort
= OldSelector
->LocalPort
;
1367 NewSelector
->LocalPortRange
= OldSelector
->LocalPortRange
;
1368 } else if ((NewSelector
->LocalPort
!= OldSelector
->LocalPort
) ||
1369 (NewSelector
->LocalPortRange
!= OldSelector
->LocalPortRange
)) {
1373 if ((Mask
& REMOTE_PORT
) == 0) {
1374 NewSelector
->RemotePort
= OldSelector
->RemotePort
;
1375 NewSelector
->RemotePortRange
= OldSelector
->RemotePortRange
;
1376 } else if ((NewSelector
->RemotePort
!= OldSelector
->RemotePort
) ||
1377 (NewSelector
->RemotePortRange
!= OldSelector
->RemotePortRange
)) {
1382 case EFI_IP4_PROTO_ICMP
:
1383 if ((Mask
& ICMP_TYPE
) == 0) {
1384 NewSelector
->LocalPort
= OldSelector
->LocalPort
;
1385 } else if (NewSelector
->LocalPort
!= OldSelector
->LocalPort
) {
1389 if ((Mask
& ICMP_CODE
) == 0) {
1390 NewSelector
->RemotePort
= OldSelector
->RemotePort
;
1391 } else if (NewSelector
->RemotePort
!= OldSelector
->RemotePort
) {
// Take over the new name only when --name was given (NAME bit set in Mask).
// NOTE(review): AsciiStrCpy is called without a destination size and relies on
// NewData->Name being terminated within the field. CreateSpdEntry in this file fills that
// field from --name with an unbounded UnicodeStrToAsciiStr, so an over-long name is
// propagated here - bound the copy to the size of OldData->Name.
1399 if ((Mask
& NAME
) != 0) {
1400 AsciiStrCpy ((CHAR8
*) OldData
->Name
, (CHAR8
*) NewData
->Name
);
1403 if ((Mask
& PACKET_FLAG
) != 0) {
1404 OldData
->PackageFlag
= NewData
->PackageFlag
;
1407 if ((Mask
& ACTION
) != 0) {
1408 OldData
->Action
= NewData
->Action
;
1411 if (OldData
->Action
!= EfiIPsecActionProtect
) {
1412 OldData
->ProcessingPolicy
= NULL
;
// The old entry has no processing policy yet: adopt the one built for the new entry.
1417 if (OldData
->ProcessingPolicy
== NULL
) {
1419 // Just point to new data if originally NULL.
// NOTE(review): this stores the pointer, it does not copy the policy, so OldData now
// refers to memory that belongs to NewData's allocation. Confirm NewData is not freed
// while OldData is still in use.
// NOTE(review): the pointer is dereferenced by the next statement without a NULL check.
// CreateSpdEntry in this file sets ProcessingPolicy to NULL when no policy option was
// given and the action is not Protect - confirm that combination cannot reach this branch.
1421 OldData
->ProcessingPolicy
= NewData
->ProcessingPolicy
;
1422 if (OldData
->ProcessingPolicy
->Mode
== EfiIPsecTunnel
&&
1423 (Mask
& (TUNNEL_LOCAL
| TUNNEL_REMOTE
)) != (TUNNEL_LOCAL
| TUNNEL_REMOTE
)
1426 // Change to Protect action and Tunnel mode, but without providing local/remote tunnel address.
1432 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS
),
1435 L
"--tunnel-local --tunnel-remote"
1437 return EFI_INVALID_PARAMETER
;
1441 // Modify some of the data.
1443 if ((Mask
& EXT_SEQUENCE
) != 0) {
1444 OldData
->ProcessingPolicy
->ExtSeqNum
= NewData
->ProcessingPolicy
->ExtSeqNum
;
1447 if ((Mask
& SEQUENCE_OVERFLOW
) != 0) {
1448 OldData
->ProcessingPolicy
->SeqOverflow
= NewData
->ProcessingPolicy
->SeqOverflow
;
1451 if ((Mask
& FRAGMENT_CHECK
) != 0) {
1452 OldData
->ProcessingPolicy
->FragCheck
= NewData
->ProcessingPolicy
->FragCheck
;
1455 if ((Mask
& LIFEBYTE
) != 0) {
1456 OldData
->ProcessingPolicy
->SaLifetime
.ByteCount
= NewData
->ProcessingPolicy
->SaLifetime
.ByteCount
;
1459 if ((Mask
& LIFETIME_SOFT
) != 0) {
1460 OldData
->ProcessingPolicy
->SaLifetime
.SoftLifetime
= NewData
->ProcessingPolicy
->SaLifetime
.SoftLifetime
;
1463 if ((Mask
& LIFETIME
) != 0) {
1464 OldData
->ProcessingPolicy
->SaLifetime
.HardLifetime
= NewData
->ProcessingPolicy
->SaLifetime
.HardLifetime
;
1467 if ((Mask
& MODE
) != 0) {
1468 OldData
->ProcessingPolicy
->Mode
= NewData
->ProcessingPolicy
->Mode
;
1471 if ((Mask
& IPSEC_PROTO
) != 0) {
1472 OldData
->ProcessingPolicy
->Proto
= NewData
->ProcessingPolicy
->Proto
;
1475 if ((Mask
& AUTH_ALGO
) != 0) {
1476 OldData
->ProcessingPolicy
->AuthAlgoId
= NewData
->ProcessingPolicy
->AuthAlgoId
;
1479 if ((Mask
& ENCRYPT_ALGO
) != 0) {
1480 OldData
->ProcessingPolicy
->EncAlgoId
= NewData
->ProcessingPolicy
->EncAlgoId
;
1483 if (OldData
->ProcessingPolicy
->Mode
!= EfiIPsecTunnel
) {
1484 OldData
->ProcessingPolicy
->TunnelOption
= NULL
;
1486 if (OldData
->ProcessingPolicy
->TunnelOption
== NULL
) {
1488 // Set from Transport mode to Tunnel mode, should ensure TUNNEL_LOCAL & TUNNEL_REMOTE both exists.
1490 if ((Mask
& (TUNNEL_LOCAL
| TUNNEL_REMOTE
)) != (TUNNEL_LOCAL
| TUNNEL_REMOTE
)) {
1495 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS
),
1498 L
"--tunnel-local --tunnel-remote"
1500 return EFI_INVALID_PARAMETER
;
1503 OldData
->ProcessingPolicy
->TunnelOption
= NewData
->ProcessingPolicy
->TunnelOption
;
1505 if ((Mask
& TUNNEL_LOCAL
) != 0) {
1507 &OldData
->ProcessingPolicy
->TunnelOption
->LocalTunnelAddress
,
1508 &NewData
->ProcessingPolicy
->TunnelOption
->LocalTunnelAddress
,
1509 sizeof (EFI_IP_ADDRESS
)
1513 if ((Mask
& TUNNEL_REMOTE
) != 0) {
1515 &OldData
->ProcessingPolicy
->TunnelOption
->RemoteTunnelAddress
,
1516 &NewData
->ProcessingPolicy
->TunnelOption
->RemoteTunnelAddress
,
1517 sizeof (EFI_IP_ADDRESS
)
1521 if ((Mask
& DONT_FRAGMENT
) != 0) {
1522 OldData
->ProcessingPolicy
->TunnelOption
->DF
= NewData
->ProcessingPolicy
->TunnelOption
->DF
;
1533 Combine old SAD entry with new SAD entry.
1535 @param[in, out] OldSaId The pointer to the EFI_IPSEC_SA_ID structure.
1536 @param[in, out] OldData The pointer to the EFI_IPSEC_SA_DATA2 structure.
1537 @param[in] NewSaId The pointer to the EFI_IPSEC_SA_ID structure.
1538 @param[in] NewData The pointer to the EFI_IPSEC_SA_DATA2 structure.
1539 @param[in] Mask The pointer to the Mask.
1540 @param[out] CreateNew The switch to create new.
1542 @retval EFI_SUCCESS Combined successfully.
1543 @retval EFI_INVALID_PARAMETER Invalid user input parameter.
// Merges an edited SAD entry into the existing one: a field of OldData is replaced from NewData
// only when its bit is set in Mask, and identity fields (SPI, protocol, tunnel addresses) whose
// bit is clear are copied from the old entry into the new one.
// NOTE(review): this listing drops some source lines (the gutter numbers skip), including the
// bodies of the "else if" branches below, so those paths cannot be reviewed from here.
1548 IN OUT EFI_IPSEC_SA_ID
*OldSaId
,
1549 IN OUT EFI_IPSEC_SA_DATA2
*OldData
,
1550 IN EFI_IPSEC_SA_ID
*NewSaId
,
1551 IN EFI_IPSEC_SA_DATA2
*NewData
,
1553 OUT BOOLEAN
*CreateNew
// SPI bit clear: the new id inherits the old SPI. SPI bit set and the value differs: the else-if
// branch is taken; its body is not shown (presumably it sets *CreateNew; confirm).
1559 if ((Mask
& SPI
) == 0) {
1560 NewSaId
->Spi
= OldSaId
->Spi
;
1561 } else if (NewSaId
->Spi
!= OldSaId
->Spi
) {
// Same inherit-or-compare pattern for the IPsec protocol.
1565 if ((Mask
& IPSEC_PROTO
) == 0) {
1566 NewSaId
->Proto
= OldSaId
->Proto
;
1567 } else if (NewSaId
->Proto
!= OldSaId
->Proto
) {
// Tunnel destination: copied or compared as a whole EFI_IP_ADDRESS.
1571 if ((Mask
& DEST
) == 0) {
1572 CopyMem (&NewData
->TunnelDestinationAddress
, &OldData
->TunnelDestinationAddress
, sizeof (EFI_IP_ADDRESS
));
1573 } else if (CompareMem (&NewData
->TunnelDestinationAddress
, &OldData
->TunnelDestinationAddress
, sizeof (EFI_IP_ADDRESS
)) != 0) {
// Tunnel source: same handling as the destination.
1577 if ((Mask
& SOURCE
) == 0) {
1578 CopyMem (&NewData
->TunnelSourceAddress
, &OldData
->TunnelSourceAddress
, sizeof (EFI_IP_ADDRESS
));
1579 } else if (CompareMem (&NewData
->TunnelSourceAddress
, &OldData
->TunnelSourceAddress
, sizeof (EFI_IP_ADDRESS
)) != 0) {
// From here on the old data is overwritten field by field for every bit set in Mask.
1585 if ((Mask
& MODE
) != 0) {
1586 OldData
->Mode
= NewData
->Mode
;
1589 if ((Mask
& SEQUENCE_NUMBER
) != 0) {
1590 OldData
->SNCount
= NewData
->SNCount
;
1593 if ((Mask
& ANTIREPLAY_WINDOW
) != 0) {
1594 OldData
->AntiReplayWindows
= NewData
->AntiReplayWindows
;
1597 if ((Mask
& AUTH_ALGO
) != 0) {
1598 OldData
->AlgoInfo
.EspAlgoInfo
.AuthAlgoId
= NewData
->AlgoInfo
.EspAlgoInfo
.AuthAlgoId
;
// AuthKey is assigned together with AuthKeyLength, so both entries refer to the same key data
// afterwards (a pointer copy, assuming AuthKey is a pointer field; confirm).
// NOTE(review): who owns and frees that buffer is not visible here; confirm it outlives OldData's
// use and that the replaced key material is wiped rather than just unreferenced.
1601 if ((Mask
& AUTH_KEY
) != 0) {
1602 OldData
->AlgoInfo
.EspAlgoInfo
.AuthKey
= NewData
->AlgoInfo
.EspAlgoInfo
.AuthKey
;
1603 OldData
->AlgoInfo
.EspAlgoInfo
.AuthKeyLength
= NewData
->AlgoInfo
.EspAlgoInfo
.AuthKeyLength
;
1606 if ((Mask
& ENCRYPT_ALGO
) != 0) {
1607 OldData
->AlgoInfo
.EspAlgoInfo
.EncAlgoId
= NewData
->AlgoInfo
.EspAlgoInfo
.EncAlgoId
;
// Same key-and-length assignment for the encryption key; the same ownership question applies.
1610 if ((Mask
& ENCRYPT_KEY
) != 0) {
1611 OldData
->AlgoInfo
.EspAlgoInfo
.EncKey
= NewData
->AlgoInfo
.EspAlgoInfo
.EncKey
;
1612 OldData
->AlgoInfo
.EspAlgoInfo
.EncKeyLength
= NewData
->AlgoInfo
.EspAlgoInfo
.EncKeyLength
;
// NOTE(review): the checks below can return EFI_INVALID_PARAMETER after the algorithm and key
// fields of OldData were already overwritten above, leaving OldData partially updated.
// Validating Mask before mutating would avoid that; confirm callers discard OldData on error.
1615 if (NewSaId
->Proto
== EfiIPsecAH
) {
1616 if ((Mask
& (ENCRYPT_ALGO
| ENCRYPT_KEY
)) != 0) {
1618 // Should not provide encrypt_* if AH.
1624 STRING_TOKEN (STR_IPSEC_CONFIG_UNWANTED_PARAMETER
),
1627 L
"--encrypt-algo --encrypt-key"
1629 return EFI_INVALID_PARAMETER
;
// Changing the protocol from AH to ESP: an encryption algorithm must accompany the change.
1633 if (NewSaId
->Proto
== EfiIPsecESP
&& OldSaId
->Proto
== EfiIPsecAH
) {
1636 // Should provide encrypt_algo at least.
1638 if ((Mask
& ENCRYPT_ALGO
) == 0) {
1643 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_PARAMETER
),
1648 return EFI_INVALID_PARAMETER
;
1652 // Encrypt_key should be provided if algorithm is not NONE.
1654 if (NewData
->AlgoInfo
.EspAlgoInfo
.EncAlgoId
!= IPSEC_EALG_NONE
&& (Mask
& ENCRYPT_KEY
) == 0) {
1659 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_PARAMETER
),
1664 return EFI_INVALID_PARAMETER
;
// Lifetime limits and path MTU are plain value copies.
1668 if ((Mask
& LIFEBYTE
) != 0) {
1669 OldData
->SaLifetime
.ByteCount
= NewData
->SaLifetime
.ByteCount
;
1672 if ((Mask
& LIFETIME_SOFT
) != 0) {
1673 OldData
->SaLifetime
.SoftLifetime
= NewData
->SaLifetime
.SoftLifetime
;
1676 if ((Mask
& LIFETIME
) != 0) {
1677 OldData
->SaLifetime
.HardLifetime
= NewData
->SaLifetime
.HardLifetime
;
1680 if ((Mask
& PATH_MTU
) != 0) {
1681 OldData
->PathMTU
= NewData
->PathMTU
;
1684 // Process SpdSelector.
// Old entry has no selector: selector options are accepted only when --local, --remote and
// --proto are all present; OldData then takes over NewData's SpdSelector pointer (shared, not
// copied).
1686 if (OldData
->SpdSelector
== NULL
) {
1687 if ((Mask
& (LOCAL
| REMOTE
| PROTO
| LOCAL_PORT
| REMOTE_PORT
| ICMP_TYPE
| ICMP_CODE
)) != 0) {
1688 if ((Mask
& (LOCAL
| REMOTE
| PROTO
)) != (LOCAL
| REMOTE
| PROTO
)) {
1693 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS
),
1696 L
"--local --remote --proto"
1698 return EFI_INVALID_PARAMETER
;
1701 OldData
->SpdSelector
= NewData
->SpdSelector
;
// NOTE(review): the lines between 1701 and 1704 are missing from this listing, so the guard
// around the field copies below is not visible. They dereference both SpdSelector pointers;
// confirm neither can be NULL on this path.
// LocalAddress and RemoteAddress are assigned together with their counts.
1704 if ((Mask
& LOCAL
) != 0) {
1705 OldData
->SpdSelector
->LocalAddressCount
= NewData
->SpdSelector
->LocalAddressCount
;
1706 OldData
->SpdSelector
->LocalAddress
= NewData
->SpdSelector
->LocalAddress
;
1709 if ((Mask
& REMOTE
) != 0) {
1710 OldData
->SpdSelector
->RemoteAddressCount
= NewData
->SpdSelector
->RemoteAddressCount
;
1711 OldData
->SpdSelector
->RemoteAddress
= NewData
->SpdSelector
->RemoteAddress
;
1714 if ((Mask
& PROTO
) != 0) {
1715 OldData
->SpdSelector
->NextLayerProtocol
= NewData
->SpdSelector
->NextLayerProtocol
;
// Port options are applied for TCP and UDP; for ICMP the same LocalPort/RemotePort fields carry
// the ICMP type and code, narrowed through a UINT8 cast. No other protocol case is visible in
// this listing, so port bits given with another protocol appear to be ignored (confirm).
1718 if (OldData
->SpdSelector
!= NULL
) {
1719 switch (OldData
->SpdSelector
->NextLayerProtocol
) {
1720 case EFI_IP4_PROTO_TCP
:
1721 case EFI_IP4_PROTO_UDP
:
1722 if ((Mask
& LOCAL_PORT
) != 0) {
1723 OldData
->SpdSelector
->LocalPort
= NewData
->SpdSelector
->LocalPort
;
1726 if ((Mask
& REMOTE_PORT
) != 0) {
1727 OldData
->SpdSelector
->RemotePort
= NewData
->SpdSelector
->RemotePort
;
1731 case EFI_IP4_PROTO_ICMP
:
1732 if ((Mask
& ICMP_TYPE
) != 0) {
1733 OldData
->SpdSelector
->LocalPort
= (UINT8
) NewData
->SpdSelector
->LocalPort
;
1736 if ((Mask
& ICMP_CODE
) != 0) {
1737 OldData
->SpdSelector
->RemotePort
= (UINT8
) NewData
->SpdSelector
->RemotePort
;
1748 Combine old PAD entry with new PAD entry.
1750 @param[in, out] OldPadId The pointer to the EFI_IPSEC_PAD_ID structure.
1751 @param[in, out] OldData The pointer to the EFI_IPSEC_PAD_DATA structure.
1752 @param[in] NewPadId The pointer to the EFI_IPSEC_PAD_ID structure.
1753 @param[in] NewData The pointer to the EFI_IPSEC_PAD_DATA structure.
1754 @param[in] Mask The pointer to the Mask.
1755 @param[out] CreateNew The switch to create new.
1757 @retval EFI_SUCCESS Combined successfully.
1758 @retval EFI_INVALID_PARAMETER Invalid user input parameter.
// Merges an edited PAD entry into the existing one: identity (peer id or peer address) is
// compared against the old entry, and data fields are replaced for every bit set in Mask.
// NOTE(review): this listing drops some source lines (the gutter numbers skip), including the
// bodies of the comparison branches, so what happens on a mismatch is not visible here.
1763 IN OUT EFI_IPSEC_PAD_ID
*OldPadId
,
1764 IN OUT EFI_IPSEC_PAD_DATA
*OldData
,
1765 IN EFI_IPSEC_PAD_ID
*NewPadId
,
1766 IN EFI_IPSEC_PAD_DATA
*NewData
,
1768 OUT BOOLEAN
*CreateNew
// Neither peer id nor peer address was supplied: the new id is a byte copy of the old one.
1774 if ((Mask
& (PEER_ID
| PEER_ADDRESS
)) == 0) {
1775 CopyMem (NewPadId
, OldPadId
, sizeof (EFI_IPSEC_PAD_ID
));
// Peer id supplied: compared as a CHAR16 string when the old entry holds a valid peer id.
// NOTE(review): StrCmp relies on both PeerId buffers being NUL-terminated and suitably aligned
// for CHAR16 access; confirm the code that fills PeerId guarantees both.
1777 if ((Mask
& PEER_ID
) != 0) {
1778 if (OldPadId
->PeerIdValid
) {
1779 if (StrCmp ((CONST CHAR16
*) OldPadId
->Id
.PeerId
, (CONST CHAR16
*) NewPadId
->Id
.PeerId
) != 0) {
1787 // MASK & PEER_ADDRESS
// Peer address supplied: address bytes and prefix length are both compared.
1789 if (OldPadId
->PeerIdValid
) {
1792 if ((CompareMem (&OldPadId
->Id
.IpAddress
.Address
, &NewPadId
->Id
.IpAddress
.Address
, sizeof (EFI_IP_ADDRESS
)) != 0) ||
1793 (OldPadId
->Id
.IpAddress
.PrefixLength
!= NewPadId
->Id
.IpAddress
.PrefixLength
)) {
// Plain value copies of the authentication settings.
1800 if ((Mask
& AUTH_PROTO
) != 0) {
1801 OldData
->AuthProtocol
= NewData
->AuthProtocol
;
1804 if ((Mask
& AUTH_METHOD
) != 0) {
1805 OldData
->AuthMethod
= NewData
->AuthMethod
;
1808 if ((Mask
& IKE_ID
) != 0) {
1809 OldData
->IkeIdFlag
= NewData
->IkeIdFlag
;
// AuthData is assigned together with its size, so both entries refer to the same data afterwards
// (a pointer copy, assuming AuthData is a pointer field; confirm).
// NOTE(review): AuthData presumably holds the peer credential; ownership and lifetime of the
// shared buffer are not visible here. Confirm it outlives OldData's use and that the replaced
// data is wiped before release.
1812 if ((Mask
& AUTH_DATA
) != 0) {
1813 OldData
->AuthDataSize
= NewData
->AuthDataSize
;
1814 OldData
->AuthData
= NewData
->AuthData
;
// Revocation data follows the same size-plus-data assignment.
1817 if ((Mask
& REVOCATION_DATA
) != 0) {
1818 OldData
->RevocationDataSize
= NewData
->RevocationDataSize
;
1819 OldData
->RevocationData
= NewData
->RevocationData
;
// Dispatch table of the three combine routines, in the order SPD, SAD, PAD. It is indexed with
// Context->DataType in EditOperatePolicyEntry, so a valid index is 0..2.
// NOTE(review): the casts to COMBINE_POLICY_ENTRY hide the different parameter types of the
// three functions, so the compiler cannot check a call made through this table; the entry order
// must stay in step with the data-type values used as the index.
1825 COMBINE_POLICY_ENTRY mCombinePolicyEntry
[] = {
1826 (COMBINE_POLICY_ENTRY
) CombineSpdEntry
,
1827 (COMBINE_POLICY_ENTRY
) CombineSadEntry
,
1828 (COMBINE_POLICY_ENTRY
) CombinePadEntry
1832 Edit entry information in the database.
1834 @param[in] Selector The pointer to the EFI_IPSEC_CONFIG_SELECTOR structure.
1835 @param[in] Data The pointer to the data.
1836 @param[in] Context The pointer to the INSERT_POLICY_ENTRY_CONTEXT structure.
1838 @retval EFI_SUCCESS Continue the iteration.
1839 @retval EFI_ABORTED Abort the iteration.
// Callback used while iterating over policy entries: when the visited entry matches
// Context->Indexer, the edited fields are combined into it and the result is written back
// through mIpSecConfig->SetData. The outcome is stored in Context->Status.
// NOTE(review): the header comment above this function describes Context as an
// INSERT_POLICY_ENTRY_CONTEXT, but the parameter is declared as EDIT_POLICY_ENTRY_CONTEXT.
// NOTE(review): this listing drops some source lines (the gutter numbers skip); the argument
// lists of the calls below are not shown.
1842 EditOperatePolicyEntry (
1843 IN EFI_IPSEC_CONFIG_SELECTOR
*Selector
,
1845 IN EDIT_POLICY_ENTRY_CONTEXT
*Context
// NOTE(review): mMatchPolicyEntry is indexed with Context->DataType before the ASSERT that
// bounds DataType runs, and ASSERT is a debug-build check in EDK II that build configuration can
// disable. A range check ahead of the first table access would also hold in release builds.
1851 if (mMatchPolicyEntry
[Context
->DataType
] (Selector
, Data
, &Context
->Indexer
)) {
1852 ASSERT (Context
->DataType
< 3);
1854 Status
= mCombinePolicyEntry
[Context
->DataType
] (
// SetData is only reached when the combine step succeeded.
1862 if (!EFI_ERROR (Status
)) {
1865 // Insert new entry before old entry
1867 Status
= mIpSecConfig
->SetData (
// NOTE(review): a failed SetData is only caught by ASSERT_EFI_ERROR, i.e. in debug builds. In the
// lines shown, the next SetData call follows without a separate status check; confirm a failed
// insert cannot be followed by a change to the old entry.
1874 ASSERT_EFI_ERROR (Status
);
1878 Status
= mIpSecConfig
->SetData (
1885 ASSERT_EFI_ERROR (Status
);
1887 Status
= mIpSecConfig
->SetData (
// Hand the final status back to the caller through the context.
1897 Context
->Status
= Status
;
1905 Edit entry information in database according to datatype.
1907 @param[in] DataType The value of EFI_IPSEC_CONFIG_DATA_TYPE.
1908 @param[in] ParamPackage The pointer to the ParamPackage list.
1910 @retval EFI_SUCCESS Edit entry information successfully.
1911 @retval EFI_NOT_FOUND Can't find the specified entry.
1912 @retval Others Some mistaken case.
// Edits the policy entry selected by the "-e" option: builds an indexer and a new entry from
// ParamPackage, runs EditOperatePolicyEntry over the entries of DataType, then releases the
// temporary selector and data and reports the result.
// NOTE(review): this listing drops some source lines (the gutter numbers skip), so the function
// name line and some declarations are not shown.
1916 IN EFI_IPSEC_CONFIG_DATA_TYPE DataType
,
1917 IN LIST_ENTRY
*ParamPackage
1921 EDIT_POLICY_ENTRY_CONTEXT Context
;
1922 CONST CHAR16
*ValueStr
;
// "-e" carries the index of the entry to edit and is mandatory.
// NOTE(review): ValueStr is NULL in the branch below and is still passed as the last print
// argument; whether the format string consumes it is not visible here.
1924 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"-e");
1925 if (ValueStr
== NULL
) {
1926 ShellPrintHiiEx (-1, -1, NULL
, STRING_TOKEN (STR_IPSEC_CONFIG_INDEX_NOT_SPECIFIED
), mHiiHandle
, mAppName
, ValueStr
);
1927 return EFI_NOT_FOUND
;
// NOTE(review): DataType indexes mConstructPolicyEntryIndexer and mCreatePolicyEntry without a
// range check in the lines shown; confirm the caller validates it.
1930 Status
= mConstructPolicyEntryIndexer
[DataType
] (&Context
.Indexer
, ParamPackage
);
1931 if (!EFI_ERROR (Status
)) {
1932 Context
.DataType
= DataType
;
// EFI_NOT_FOUND is the default result if the iteration never matches an entry.
1933 Context
.Status
= EFI_NOT_FOUND
;
1934 Status
= mCreatePolicyEntry
[DataType
] (&Context
.Selector
, &Context
.Data
, ParamPackage
, &Context
.Mask
, FALSE
);
1935 if (!EFI_ERROR (Status
)) {
1936 ForeachPolicyEntry (DataType
, (VISIT_POLICY_ENTRY
) EditOperatePolicyEntry
, &Context
);
1937 Status
= Context
.Status
;
// NOTE(review): Context is a local with no initializer visible in this listing. If
// mCreatePolicyEntry can fail before it writes both output pointers, the NULL checks below read
// indeterminate values; confirm the callee always sets them, or zero Context first.
// NOTE(review): for SA entries Data can reference key material (AuthKey/EncKey); no wipe is
// visible before FreePool, so consider zeroing the buffer before release.
1940 if (Context
.Selector
!= NULL
) {
1941 gBS
->FreePool (Context
.Selector
);
1944 if (Context
.Data
!= NULL
) {
1945 gBS
->FreePool (Context
.Data
);
// Report the outcome: unknown index, or a generic edit failure.
1949 if (Status
== EFI_NOT_FOUND
) {
1950 ShellPrintHiiEx (-1, -1, NULL
, STRING_TOKEN (STR_IPSEC_CONFIG_INDEX_NOT_FOUND
), mHiiHandle
, mAppName
, ValueStr
);
1951 } else if (EFI_ERROR (Status
)) {
1952 ShellPrintHiiEx (-1, -1, NULL
, STRING_TOKEN (STR_IPSEC_CONFIG_EDIT_FAILED
), mHiiHandle
, mAppName
);
1960 Insert entry information in database.
1962 @param[in] Selector The pointer to the EFI_IPSEC_CONFIG_SELECTOR structure.
1963 @param[in] Data The pointer to the data.
1964 @param[in] Context The pointer to the INSERT_POLICY_ENTRY_CONTEXT structure.
1966 @retval EFI_SUCCESS Continue the iteration.
1967 @retval EFI_ABORTED Abort the iteration.
// Callback used while iterating over policy entries: when the visited entry matches
// Context->Indexer, the new entry is written with mIpSecConfig->SetData and the result is kept
// in Context->Status.
// NOTE(review): this listing drops some source lines (the gutter numbers skip); the SetData
// arguments and the return statements are not shown.
1971 IN EFI_IPSEC_CONFIG_SELECTOR
*Selector
,
1973 IN INSERT_POLICY_ENTRY_CONTEXT
*Context
1977 // Found the entry which we want to insert before.
// NOTE(review): Context->DataType indexes mMatchPolicyEntry without a range check in the lines
// shown; confirm the caller validates it.
1979 if (mMatchPolicyEntry
[Context
->DataType
] (Selector
, Data
, &Context
->Indexer
)) {
1981 Context
->Status
= mIpSecConfig
->SetData (
1989 // Abort the iteration after the insertion.
1998 Insert or add entry information in database according to datatype.
2000 @param[in] DataType The value of EFI_IPSEC_CONFIG_DATA_TYPE.
2001 @param[in] ParamPackage The pointer to the ParamPackage list.
2003 @retval EFI_SUCCESS Insert or add entry information successfully.
2004 @retval EFI_NOT_FOUND Can't find the specified entry.
2005 @retval EFI_BUFFER_TOO_SMALL The entry already existed.
2006 @retval EFI_UNSUPPORTED The operation is not supported.
2007 @retval Others Some mistaken case.
// Creates a policy entry from ParamPackage and either appends it ("-a") or inserts it before the
// entry named by "-i". Selector and Data come from mCreatePolicyEntry and are released with
// FreePool before the result is reported.
// NOTE(review): this listing drops some source lines (the gutter numbers skip); the arguments of
// the GetData/SetData calls and some declarations are not shown.
2010 AddOrInsertPolicyEntry (
2011 IN EFI_IPSEC_CONFIG_DATA_TYPE DataType
,
2012 IN LIST_ENTRY
*ParamPackage
2016 EFI_IPSEC_CONFIG_SELECTOR
*Selector
;
2018 INSERT_POLICY_ENTRY_CONTEXT Context
;
2021 CONST CHAR16
*ValueStr
;
// NOTE(review): DataType indexes mCreatePolicyEntry without a range check in the lines shown;
// confirm the caller validates it.
2023 Status
= mCreatePolicyEntry
[DataType
] (&Selector
, &Data
, ParamPackage
, &Mask
, TRUE
);
2024 if (!EFI_ERROR (Status
)) {
2026 // Find if the Selector to be inserted already exists.
// EFI_BUFFER_TOO_SMALL from GetData is treated as "entry already exists".
2029 Status
= mIpSecConfig
->GetData (
2036 if (Status
== EFI_BUFFER_TOO_SMALL
) {
2037 ShellPrintHiiEx (-1, -1, NULL
, STRING_TOKEN (STR_IPSEC_CONFIG_ALREADY_EXISTS
), mHiiHandle
, mAppName
);
2038 } else if (ShellCommandLineGetFlag (ParamPackage
, L
"-a")) {
2039 Status
= mIpSecConfig
->SetData (
// Insert path: "-i" names the entry to insert before.
// NOTE(review): the early return below leaves the function without reaching the FreePool calls
// for Selector and Data at listing lines 2068-2069, so both allocations leak when "-i" has no
// value; for SA entries the leaked Data can reference key material. Setting Status to
// EFI_NOT_FOUND and falling through to the common cleanup would release them.
// NOTE(review): ValueStr is NULL in that branch and is still passed as the last print argument.
2047 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"-i");
2048 if (ValueStr
== NULL
) {
2049 ShellPrintHiiEx (-1, -1, NULL
, STRING_TOKEN (STR_IPSEC_CONFIG_INDEX_NOT_SPECIFIED
), mHiiHandle
, mAppName
, ValueStr
);
2050 return EFI_NOT_FOUND
;
2053 Status
= mConstructPolicyEntryIndexer
[DataType
] (&Context
.Indexer
, ParamPackage
);
2054 if (!EFI_ERROR (Status
)) {
2055 Context
.DataType
= DataType
;
// EFI_NOT_FOUND is the default result if the iteration never matches an entry.
2056 Context
.Status
= EFI_NOT_FOUND
;
2057 Context
.Selector
= Selector
;
2058 Context
.Data
= Data
;
2060 ForeachPolicyEntry (DataType
, (VISIT_POLICY_ENTRY
) InsertPolicyEntry
, &Context
);
2061 Status
= Context
.Status
;
2062 if (Status
== EFI_NOT_FOUND
) {
2063 ShellPrintHiiEx (-1, -1, NULL
, STRING_TOKEN (STR_IPSEC_CONFIG_INDEX_NOT_FOUND
), mHiiHandle
, mAppName
, ValueStr
);
// Common cleanup of the entry built by mCreatePolicyEntry.
// NOTE(review): no wipe is visible before FreePool; if Data references key material, consider
// zeroing the buffer before release.
2068 gBS
->FreePool (Selector
);
2069 gBS
->FreePool (Data
);
// Report the outcome: unsupported operation, or a generic insert failure.
2072 if (Status
== EFI_UNSUPPORTED
) {
2073 ShellPrintHiiEx (-1, -1, NULL
, STRING_TOKEN (STR_IPSEC_CONFIG_INSERT_UNSUPPORT
), mHiiHandle
, mAppName
);
2074 } else if (EFI_ERROR (Status
)) {
2075 ShellPrintHiiEx (-1, -1, NULL
, STRING_TOKEN (STR_IPSEC_CONFIG_INSERT_FAILED
), mHiiHandle
, mAppName
);