2 The implementation of policy entry operation function in IpSecConfig application.
4 Copyright (c) 2009 - 2011, Intel Corporation. All rights reserved.<BR>
6 This program and the accompanying materials
7 are licensed and made available under the terms and conditions of the BSD License
8 which accompanies this distribution. The full text of the license may be found at
9 http://opensource.org/licenses/bsd-license.php.
11 THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
12 WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
16 #include "IpSecConfig.h"
21 #include "PolicyEntryOperation.h"
24 Fill in EFI_IPSEC_SPD_SELECTOR through ParamPackage list.
26 @param[out] Selector The pointer to the EFI_IPSEC_SPD_SELECTOR structure.
27 @param[in] ParamPackage The pointer to the ParamPackage list.
28 @param[in, out] Mask The pointer to the Mask.
30 @retval EFI_SUCCESS Fill in EFI_IPSEC_SPD_SELECTOR successfully.
31 @retval EFI_INVALID_PARAMETER Invalid user input parameter.
36 OUT EFI_IPSEC_SPD_SELECTOR
*Selector
,
37 IN LIST_ENTRY
*ParamPackage
,
42 EFI_STATUS ReturnStatus
;
43 CONST CHAR16
*ValueStr
;
46 ReturnStatus
= EFI_SUCCESS
;
49 // Parse the user-supplied --local address (or address range) and fill in LocalAddress/LocalAddressCount in EFI_IPSEC_SPD_SELECTOR.
51 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--local");
52 if (ValueStr
!= NULL
) {
53 Selector
->LocalAddressCount
= 1;
54 Status
= EfiInetAddrRange ((CHAR16
*) ValueStr
, Selector
->LocalAddress
);
55 if (EFI_ERROR (Status
)) {
60 STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE
),
66 ReturnStatus
= EFI_INVALID_PARAMETER
;
73 // Parse the user-supplied --remote address (or address range) and fill in RemoteAddress/RemoteAddressCount in EFI_IPSEC_SPD_SELECTOR.
75 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--remote");
76 if (ValueStr
!= NULL
) {
77 Selector
->RemoteAddressCount
= 1;
78 Status
= EfiInetAddrRange ((CHAR16
*) ValueStr
, Selector
->RemoteAddress
);
79 if (EFI_ERROR (Status
)) {
84 STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE
),
90 ReturnStatus
= EFI_INVALID_PARAMETER
;
96 Selector
->NextLayerProtocol
= EFI_IPSEC_ANY_PROTOCOL
;
99 // Convert the user input for the next-layer protocol from string (name or number) to integer, and fill in NextLayerProtocol in EFI_IPSEC_SPD_SELECTOR.
104 &Selector
->NextLayerProtocol
,
108 FORMAT_NUMBER
| FORMAT_STRING
110 if (!EFI_ERROR (Status
)) {
114 if (Status
== EFI_INVALID_PARAMETER
) {
115 ReturnStatus
= EFI_INVALID_PARAMETER
;
118 Selector
->LocalPort
= EFI_IPSEC_ANY_PORT
;
119 Selector
->RemotePort
= EFI_IPSEC_ANY_PORT
;
122 // Parse the user-supplied --local-port (single port or range) and fill in LocalPort/LocalPortRange in EFI_IPSEC_SPD_SELECTOR.
124 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--local-port");
125 if (ValueStr
!= NULL
) {
126 Status
= EfiInetPortRange ((CHAR16
*) ValueStr
, &Selector
->LocalPort
, &Selector
->LocalPortRange
);
127 if (EFI_ERROR (Status
)) {
132 STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE
),
138 ReturnStatus
= EFI_INVALID_PARAMETER
;
145 // Parse the user-supplied --remote-port (single port or range) and fill in RemotePort/RemotePortRange in EFI_IPSEC_SPD_SELECTOR.
147 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--remote-port");
148 if (ValueStr
!= NULL
) {
149 Status
= EfiInetPortRange ((CHAR16
*) ValueStr
, &Selector
->RemotePort
, &Selector
->RemotePortRange
);
150 if (EFI_ERROR (Status
)) {
155 STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE
),
161 ReturnStatus
= EFI_INVALID_PARAMETER
;
163 *Mask
|= REMOTE_PORT
;
168 // Convert the user input from string to integer and store it in LocalPort, which doubles as the ICMP type selector (see the EFI_IP4_PROTO_ICMP case in the SPD combine logic).
173 &Selector
->LocalPort
,
179 if (!EFI_ERROR (Status
)) {
183 if (Status
== EFI_INVALID_PARAMETER
) {
184 ReturnStatus
= EFI_INVALID_PARAMETER
;
188 // Convert the user input from string to integer and store it in RemotePort, which doubles as the ICMP code selector (see the EFI_IP4_PROTO_ICMP case in the SPD combine logic).
193 &Selector
->RemotePort
,
199 if (!EFI_ERROR (Status
)) {
203 if (Status
== EFI_INVALID_PARAMETER
) {
204 ReturnStatus
= EFI_INVALID_PARAMETER
;
211 Fill in EFI_IPSEC_SPD_SELECTOR and EFI_IPSEC_SPD_DATA through ParamPackage list.
213 @param[out] Selector The pointer to the EFI_IPSEC_SPD_SELECTOR structure.
214 @param[out] Data The pointer to the EFI_IPSEC_SPD_DATA structure.
215 @param[in] ParamPackage The pointer to the ParamPackage list.
216 @param[out] Mask The pointer to the Mask.
217 @param[in] CreateNew The switch to create new.
219 @retval EFI_SUCCESS Fill in EFI_IPSEC_SPD_SELECTOR and EFI_IPSEC_SPD_DATA successfully.
220 @retval EFI_INVALID_PARAMETER Invalid user input parameter.
225 OUT EFI_IPSEC_SPD_SELECTOR
**Selector
,
226 OUT EFI_IPSEC_SPD_DATA
**Data
,
227 IN LIST_ENTRY
*ParamPackage
,
233 EFI_STATUS ReturnStatus
;
234 CONST CHAR16
*ValueStr
;
237 Status
= EFI_SUCCESS
;
240 *Selector
= AllocateZeroPool (sizeof (EFI_IPSEC_SPD_SELECTOR
) + 2 * sizeof (EFI_IP_ADDRESS_INFO
));
241 ASSERT (*Selector
!= NULL
);
243 (*Selector
)->LocalAddress
= (EFI_IP_ADDRESS_INFO
*) (*Selector
+ 1);
244 (*Selector
)->RemoteAddress
= (*Selector
)->LocalAddress
+ 1;
246 ReturnStatus
= CreateSpdSelector (*Selector
, ParamPackage
, Mask
);
250 // NOTE: Allocate enough memory and add padding for different arch.
252 DataSize
= ALIGN_VARIABLE (sizeof (EFI_IPSEC_SPD_DATA
));
253 DataSize
= ALIGN_VARIABLE (DataSize
+ sizeof (EFI_IPSEC_PROCESS_POLICY
));
254 DataSize
+= sizeof (EFI_IPSEC_TUNNEL_OPTION
);
256 *Data
= AllocateZeroPool (DataSize
);
257 ASSERT (*Data
!= NULL
);
259 (*Data
)->ProcessingPolicy
= (EFI_IPSEC_PROCESS_POLICY
*) ALIGN_POINTER (
263 (*Data
)->ProcessingPolicy
->TunnelOption
= (EFI_IPSEC_TUNNEL_OPTION
*) ALIGN_POINTER (
264 ((*Data
)->ProcessingPolicy
+ 1),
270 // Copy the user-supplied --name into the Name field of EFI_IPSEC_SPD_DATA (UCS-2 narrowed to ASCII). NOTE(review): UnicodeStrToAsciiStr is unbounded and Name is fixed-size storage inside EFI_IPSEC_SPD_DATA (DataSize above reserves no room for a variable-length name), so an over-long --name overflows the allocation; bound the conversion by sizeof ((*Data)->Name) (e.g. UnicodeStrToAsciiStrS) or reject names that do not fit.
272 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--name");
273 if (ValueStr
!= NULL
) {
274 UnicodeStrToAsciiStr (ValueStr
, (CHAR8
*) (*Data
)->Name
);
279 // Convert the user input from string to integer, and fill in PackageFlag in EFI_IPSEC_SPD_DATA.
284 &(*Data
)->PackageFlag
,
290 if (!EFI_ERROR (Status
)) {
291 *Mask
|= PACKET_FLAG
;
294 if (Status
== EFI_INVALID_PARAMETER
) {
295 ReturnStatus
= EFI_INVALID_PARAMETER
;
299 // Convert the user input from string (name or number) to integer, and fill in Action in EFI_IPSEC_SPD_DATA.
310 if (!EFI_ERROR (Status
)) {
314 if (Status
== EFI_INVALID_PARAMETER
) {
315 ReturnStatus
= EFI_INVALID_PARAMETER
;
319 // Read the --ext-sequence / --ext-sequence- flag pair and fill in ExtSeqNum in the processing policy; only the presence of a flag sets EXT_SEQUENCE in the mask.
321 if (ShellCommandLineGetFlag (ParamPackage
, L
"--ext-sequence")) {
322 (*Data
)->ProcessingPolicy
->ExtSeqNum
= TRUE
;
323 *Mask
|= EXT_SEQUENCE
;
324 } else if (ShellCommandLineGetFlag (ParamPackage
, L
"--ext-sequence-")) {
325 (*Data
)->ProcessingPolicy
->ExtSeqNum
= FALSE
;
326 *Mask
|= EXT_SEQUENCE
;
330 // Read the --sequence-overflow / --sequence-overflow- flag pair and fill in SeqOverflow in the processing policy.
332 if (ShellCommandLineGetFlag (ParamPackage
, L
"--sequence-overflow")) {
333 (*Data
)->ProcessingPolicy
->SeqOverflow
= TRUE
;
334 *Mask
|= SEQUENCE_OVERFLOW
;
335 } else if (ShellCommandLineGetFlag (ParamPackage
, L
"--sequence-overflow-")) {
336 (*Data
)->ProcessingPolicy
->SeqOverflow
= FALSE
;
337 *Mask
|= SEQUENCE_OVERFLOW
;
341 // Read the --fragment-check / --fragment-check- flag pair and fill in FragCheck in the processing policy.
343 if (ShellCommandLineGetFlag (ParamPackage
, L
"--fragment-check")) {
344 (*Data
)->ProcessingPolicy
->FragCheck
= TRUE
;
345 *Mask
|= FRAGMENT_CHECK
;
346 } else if (ShellCommandLineGetFlag (ParamPackage
, L
"--fragment-check-")) {
347 (*Data
)->ProcessingPolicy
->FragCheck
= FALSE
;
348 *Mask
|= FRAGMENT_CHECK
;
352 // Convert the user input from string to integer, and fill in the SA lifetime fields (ByteCount, HardLifetime, SoftLifetime) of the processing policy in EFI_IPSEC_SPD_DATA.
357 &(*Data
)->ProcessingPolicy
->SaLifetime
.ByteCount
,
363 if (!EFI_ERROR (Status
)) {
367 if (Status
== EFI_INVALID_PARAMETER
) {
368 ReturnStatus
= EFI_INVALID_PARAMETER
;
374 &(*Data
)->ProcessingPolicy
->SaLifetime
.HardLifetime
,
380 if (!EFI_ERROR (Status
)) {
383 if (Status
== EFI_INVALID_PARAMETER
) {
384 ReturnStatus
= EFI_INVALID_PARAMETER
;
390 &(*Data
)->ProcessingPolicy
->SaLifetime
.SoftLifetime
,
396 if (!EFI_ERROR (Status
)) {
397 *Mask
|= LIFETIME_SOFT
;
400 if (Status
== EFI_INVALID_PARAMETER
) {
401 ReturnStatus
= EFI_INVALID_PARAMETER
;
404 (*Data
)->ProcessingPolicy
->Mode
= EfiIPsecTransport
;
408 &(*Data
)->ProcessingPolicy
->Mode
,
414 if (!EFI_ERROR (Status
)) {
418 if (Status
== EFI_INVALID_PARAMETER
) {
419 ReturnStatus
= EFI_INVALID_PARAMETER
;
422 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--tunnel-local");
423 if (ValueStr
!= NULL
) {
424 Status
= EfiInetAddr2 ((CHAR16
*) ValueStr
, &(*Data
)->ProcessingPolicy
->TunnelOption
->LocalTunnelAddress
);
425 if (EFI_ERROR (Status
)) {
430 STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE
),
436 ReturnStatus
= EFI_INVALID_PARAMETER
;
438 *Mask
|= TUNNEL_LOCAL
;
442 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--tunnel-remote");
443 if (ValueStr
!= NULL
) {
444 Status
= EfiInetAddr2 ((CHAR16
*) ValueStr
, &(*Data
)->ProcessingPolicy
->TunnelOption
->RemoteTunnelAddress
);
445 if (EFI_ERROR (Status
)) {
450 STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE
),
456 ReturnStatus
= EFI_INVALID_PARAMETER
;
458 *Mask
|= TUNNEL_REMOTE
;
462 (*Data
)->ProcessingPolicy
->TunnelOption
->DF
= EfiIPsecTunnelCopyDf
;
466 &(*Data
)->ProcessingPolicy
->TunnelOption
->DF
,
472 if (!EFI_ERROR (Status
)) {
473 *Mask
|= DONT_FRAGMENT
;
476 if (Status
== EFI_INVALID_PARAMETER
) {
477 ReturnStatus
= EFI_INVALID_PARAMETER
;
480 (*Data
)->ProcessingPolicy
->Proto
= EfiIPsecESP
;
484 &(*Data
)->ProcessingPolicy
->Proto
,
490 if (!EFI_ERROR (Status
)) {
491 *Mask
|= IPSEC_PROTO
;
494 if (Status
== EFI_INVALID_PARAMETER
) {
495 ReturnStatus
= EFI_INVALID_PARAMETER
;
501 &(*Data
)->ProcessingPolicy
->EncAlgoId
,
507 if (!EFI_ERROR (Status
)) {
508 *Mask
|= ENCRYPT_ALGO
;
511 if (Status
== EFI_INVALID_PARAMETER
) {
512 ReturnStatus
= EFI_INVALID_PARAMETER
;
518 &(*Data
)->ProcessingPolicy
->AuthAlgoId
,
524 if (!EFI_ERROR (Status
)) {
528 if (Status
== EFI_INVALID_PARAMETER
) {
529 ReturnStatus
= EFI_INVALID_PARAMETER
;
533 // Cannot check Mode against EfiIPsecTunnel, because user may want to change tunnel_remote only so the Mode is not set.
535 if ((*Mask
& (TUNNEL_LOCAL
| TUNNEL_REMOTE
| DONT_FRAGMENT
)) == 0) {
536 (*Data
)->ProcessingPolicy
->TunnelOption
= NULL
;
539 if ((*Mask
& (EXT_SEQUENCE
| SEQUENCE_OVERFLOW
| FRAGMENT_CHECK
| LIFEBYTE
|
540 LIFETIME_SOFT
| LIFETIME
| MODE
| TUNNEL_LOCAL
| TUNNEL_REMOTE
|
541 DONT_FRAGMENT
| IPSEC_PROTO
| AUTH_ALGO
| ENCRYPT_ALGO
)) == 0) {
542 if ((*Data
)->Action
!= EfiIPsecActionProtect
) {
544 // User may not provide additional parameter for Protect action, so we cannot simply set ProcessingPolicy to NULL.
546 (*Data
)->ProcessingPolicy
= NULL
;
551 if ((*Mask
& (LOCAL
| REMOTE
| PROTO
| ACTION
)) != (LOCAL
| REMOTE
| PROTO
| ACTION
)) {
556 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS
),
559 L
"--local --remote --proto --action"
561 ReturnStatus
= EFI_INVALID_PARAMETER
;
562 } else if (((*Data
)->Action
== EfiIPsecActionProtect
) &&
563 ((*Data
)->ProcessingPolicy
->Mode
== EfiIPsecTunnel
) &&
564 ((*Mask
& (TUNNEL_LOCAL
| TUNNEL_REMOTE
)) != (TUNNEL_LOCAL
| TUNNEL_REMOTE
))) {
569 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS
),
572 L
"--tunnel-local --tunnel-remote"
574 ReturnStatus
= EFI_INVALID_PARAMETER
;
582 Fill in EFI_IPSEC_SA_ID and EFI_IPSEC_SA_DATA2 through ParamPackage list.
584 @param[out] SaId The pointer to the EFI_IPSEC_SA_ID structure.
585 @param[out] Data The pointer to the EFI_IPSEC_SA_DATA2 structure.
586 @param[in] ParamPackage The pointer to the ParamPackage list.
587 @param[out] Mask The pointer to the Mask.
588 @param[in] CreateNew The switch to create new.
590 @retval EFI_SUCCESS Fill in EFI_IPSEC_SA_ID and EFI_IPSEC_SA_DATA2 successfully.
591 @retval EFI_INVALID_PARAMETER Invalid user input parameter.
596 OUT EFI_IPSEC_SA_ID
**SaId
,
597 OUT EFI_IPSEC_SA_DATA2
**Data
,
598 IN LIST_ENTRY
*ParamPackage
,
604 EFI_STATUS ReturnStatus
;
607 CONST CHAR16
*ValueStr
;
611 Status
= EFI_SUCCESS
;
612 ReturnStatus
= EFI_SUCCESS
;
617 *SaId
= AllocateZeroPool (sizeof (EFI_IPSEC_SA_ID
));
618 ASSERT (*SaId
!= NULL
);
621 // Convert the user input for --spi from string to integer, and fill in Spi in EFI_IPSEC_SA_ID.
623 Status
= GetNumber (L
"--spi", (UINT32
) -1, &(*SaId
)->Spi
, sizeof (UINT32
), NULL
, ParamPackage
, FORMAT_NUMBER
);
624 if (!EFI_ERROR (Status
)) {
628 if (Status
== EFI_INVALID_PARAMETER
) {
629 ReturnStatus
= EFI_INVALID_PARAMETER
;
633 // Convert the user input for the IPsec protocol from string to integer, and fill in Proto in EFI_IPSEC_SA_ID.
639 sizeof (EFI_IPSEC_PROTOCOL_TYPE
),
644 if (!EFI_ERROR (Status
)) {
645 *Mask
|= IPSEC_PROTO
;
648 if (Status
== EFI_INVALID_PARAMETER
) {
649 ReturnStatus
= EFI_INVALID_PARAMETER
;
653 // Fill in EFI_IPSEC_SA_DATA2 from the user input. NOTE(review): --auth-key and --encrypt-key are taken verbatim from the command line (the key length is the string length and the UCS-2 text is narrowed to ASCII bytes, not hex-decoded), so the key material is exposed in the shell history/console and is duplicated into the temporary AsciiStr buffers below; those temporaries should be cleared with ZeroMem before they are released.
655 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--auth-key");
656 if (ValueStr
!= NULL
) {
657 AuthKeyLength
= StrLen (ValueStr
);
660 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--encrypt-key");
661 if (ValueStr
!= NULL
) {
662 EncKeyLength
= StrLen (ValueStr
);
666 // EFI_IPSEC_SA_DATA2:
668 // | EFI_IPSEC_SA_DATA2
669 // +-----------------------
671 // +-------------------------
673 // +-------------------------
676 // Notes: To make sure the address alignment add padding after each data if needed.
678 DataSize
= ALIGN_VARIABLE (sizeof (EFI_IPSEC_SA_DATA2
));
679 DataSize
= ALIGN_VARIABLE (DataSize
+ AuthKeyLength
);
680 DataSize
= ALIGN_VARIABLE (DataSize
+ EncKeyLength
);
681 DataSize
= ALIGN_VARIABLE (DataSize
+ sizeof (EFI_IPSEC_SPD_SELECTOR
));
682 DataSize
= ALIGN_VARIABLE (DataSize
+ sizeof (EFI_IP_ADDRESS_INFO
));
683 DataSize
+= sizeof (EFI_IP_ADDRESS_INFO
);
687 *Data
= AllocateZeroPool (DataSize
);
688 ASSERT (*Data
!= NULL
);
690 (*Data
)->ManualSet
= TRUE
;
691 (*Data
)->AlgoInfo
.EspAlgoInfo
.AuthKey
= (VOID
*) ALIGN_POINTER (((*Data
) + 1), sizeof (UINTN
));
692 (*Data
)->AlgoInfo
.EspAlgoInfo
.EncKey
= (VOID
*) ALIGN_POINTER (
693 ((UINT8
*) (*Data
)->AlgoInfo
.EspAlgoInfo
.AuthKey
+ AuthKeyLength
),
696 (*Data
)->SpdSelector
= (EFI_IPSEC_SPD_SELECTOR
*) ALIGN_POINTER (
697 ((UINT8
*) (*Data
)->AlgoInfo
.EspAlgoInfo
.EncKey
+ EncKeyLength
),
700 (*Data
)->SpdSelector
->LocalAddress
= (EFI_IP_ADDRESS_INFO
*) ALIGN_POINTER (
701 ((UINT8
*) (*Data
)->SpdSelector
+ sizeof (EFI_IPSEC_SPD_SELECTOR
)),
703 (*Data
)->SpdSelector
->RemoteAddress
= (EFI_IP_ADDRESS_INFO
*) ALIGN_POINTER (
704 (*Data
)->SpdSelector
->LocalAddress
+ 1,
708 (*Data
)->Mode
= EfiIPsecTransport
;
713 sizeof (EFI_IPSEC_MODE
),
718 if (!EFI_ERROR (Status
)) {
722 if (Status
== EFI_INVALID_PARAMETER
) {
723 ReturnStatus
= EFI_INVALID_PARAMETER
;
727 // According to RFC 4303 section 3.3.3, the first packet sent using a given SA
728 // carries sequence number 1, so SNCount starts at 1. NOTE(review): AntiReplayWindows below defaults to 0 (presumably no replay check unless --antireplay-window is given; confirm against the driver), and the mask bit set after parsing --antireplay-window is SEQUENCE_NUMBER rather than ANTIREPLAY_WINDOW, so the SAD combine step, which keys on ANTIREPLAY_WINDOW, never applies a modified window — it should be `*Mask |= ANTIREPLAY_WINDOW;`.
730 (*Data
)->SNCount
= 1;
732 L
"--sequence-number",
740 if (!EFI_ERROR (Status
)) {
741 *Mask
|= SEQUENCE_NUMBER
;
744 if (Status
== EFI_INVALID_PARAMETER
) {
745 ReturnStatus
= EFI_INVALID_PARAMETER
;
748 (*Data
)->AntiReplayWindows
= 0;
750 L
"--antireplay-window",
752 &(*Data
)->AntiReplayWindows
,
758 if (!EFI_ERROR (Status
)) {
759 *Mask
|= SEQUENCE_NUMBER
;
762 if (Status
== EFI_INVALID_PARAMETER
) {
763 ReturnStatus
= EFI_INVALID_PARAMETER
;
769 &(*Data
)->AlgoInfo
.EspAlgoInfo
.EncAlgoId
,
775 if (!EFI_ERROR (Status
)) {
776 *Mask
|= ENCRYPT_ALGO
;
779 if (Status
== EFI_INVALID_PARAMETER
) {
780 ReturnStatus
= EFI_INVALID_PARAMETER
;
783 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--encrypt-key");
784 if (ValueStr
!= NULL
) {
785 (*Data
)->AlgoInfo
.EspAlgoInfo
.EncKeyLength
= EncKeyLength
;
786 AsciiStr
= AllocateZeroPool (EncKeyLength
+ 1);
787 UnicodeStrToAsciiStr (ValueStr
, AsciiStr
);
788 CopyMem ((*Data
)->AlgoInfo
.EspAlgoInfo
.EncKey
, AsciiStr
, EncKeyLength
);
790 *Mask
|= ENCRYPT_KEY
;
792 (*Data
)->AlgoInfo
.EspAlgoInfo
.EncKey
= NULL
;
798 &(*Data
)->AlgoInfo
.EspAlgoInfo
.AuthAlgoId
,
804 if (!EFI_ERROR (Status
)) {
808 if (Status
== EFI_INVALID_PARAMETER
) {
809 ReturnStatus
= EFI_INVALID_PARAMETER
;
812 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--auth-key");
813 if (ValueStr
!= NULL
) {
814 (*Data
)->AlgoInfo
.EspAlgoInfo
.AuthKeyLength
= AuthKeyLength
;
815 AsciiStr
= AllocateZeroPool (AuthKeyLength
+ 1);
816 UnicodeStrToAsciiStr (ValueStr
, AsciiStr
);
817 CopyMem ((*Data
)->AlgoInfo
.EspAlgoInfo
.AuthKey
, AsciiStr
, AuthKeyLength
);
821 (*Data
)->AlgoInfo
.EspAlgoInfo
.AuthKey
= NULL
;
827 &(*Data
)->SaLifetime
.ByteCount
,
833 if (!EFI_ERROR (Status
)) {
837 if (Status
== EFI_INVALID_PARAMETER
) {
838 ReturnStatus
= EFI_INVALID_PARAMETER
;
844 &(*Data
)->SaLifetime
.HardLifetime
,
850 if (!EFI_ERROR (Status
)) {
854 if (Status
== EFI_INVALID_PARAMETER
) {
855 ReturnStatus
= EFI_INVALID_PARAMETER
;
861 &(*Data
)->SaLifetime
.SoftLifetime
,
867 if (!EFI_ERROR (Status
)) {
868 *Mask
|= LIFETIME_SOFT
;
871 if (Status
== EFI_INVALID_PARAMETER
) {
872 ReturnStatus
= EFI_INVALID_PARAMETER
;
884 if (!EFI_ERROR (Status
)) {
888 if (Status
== EFI_INVALID_PARAMETER
) {
889 ReturnStatus
= EFI_INVALID_PARAMETER
;
893 // Parse the user-supplied --tunnel-dest address and fill in TunnelDestinationAddress in EFI_IPSEC_SA_DATA2.
895 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--tunnel-dest");
896 if (ValueStr
!= NULL
) {
897 Status
= EfiInetAddr2 ((CHAR16
*) ValueStr
, &(*Data
)->TunnelDestinationAddress
);
898 if (EFI_ERROR (Status
)) {
903 STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE
),
909 ReturnStatus
= EFI_INVALID_PARAMETER
;
916 // Parse the user-supplied --tunnel-source address and fill in TunnelSourceAddress in EFI_IPSEC_SA_DATA2. NOTE(review): the required-parameter check further down enforces only SPI and IPSEC_PROTO although its message also names --dest.
918 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--tunnel-source");
919 if (ValueStr
!= NULL
) {
920 Status
= EfiInetAddr2 ((CHAR16
*) ValueStr
, &(*Data
)->TunnelSourceAddress
);
921 if (EFI_ERROR (Status
)) {
926 STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE
),
932 ReturnStatus
= EFI_INVALID_PARAMETER
;
937 ReturnStatus
= CreateSpdSelector ((*Data
)->SpdSelector
, ParamPackage
, Mask
);
940 if ((*Mask
& (SPI
| IPSEC_PROTO
)) != (SPI
| IPSEC_PROTO
)) {
945 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS
),
948 L
"--spi --ipsec-proto --dest"
950 ReturnStatus
= EFI_INVALID_PARAMETER
;
952 if ((*SaId
)->Proto
== EfiIPsecAH
) {
953 if ((*Mask
& AUTH_ALGO
) == 0) {
958 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_PARAMETER
),
963 ReturnStatus
= EFI_INVALID_PARAMETER
;
964 } else if ((*Data
)->AlgoInfo
.EspAlgoInfo
.AuthAlgoId
!= IPSEC_AALG_NONE
&& (*Mask
& AUTH_KEY
) == 0) {
969 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_PARAMETER
),
974 ReturnStatus
= EFI_INVALID_PARAMETER
;
977 if ((*Mask
& ENCRYPT_ALGO
) == 0) {
982 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_PARAMETER
),
987 ReturnStatus
= EFI_INVALID_PARAMETER
;
988 } else if ((*Data
)->AlgoInfo
.EspAlgoInfo
.EncAlgoId
!= IPSEC_EALG_NONE
&& (*Mask
& ENCRYPT_KEY
) == 0) {
993 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_PARAMETER
),
998 ReturnStatus
= EFI_INVALID_PARAMETER
;
1004 return ReturnStatus
;
1008 Fill in EFI_IPSEC_PAD_ID and EFI_IPSEC_PAD_DATA through ParamPackage list.
1010 @param[out] PadId The pointer to the EFI_IPSEC_PAD_ID structure.
1011 @param[out] Data The pointer to the EFI_IPSEC_PAD_DATA structure.
1012 @param[in] ParamPackage The pointer to the ParamPackage list.
1013 @param[out] Mask The pointer to the Mask.
1014 @param[in] CreateNew The switch to create new.
1016 @retval EFI_SUCCESS Fill in EFI_IPSEC_PAD_ID and EFI_IPSEC_PAD_DATA successfully.
1017 @retval EFI_INVALID_PARAMETER Invalid user input parameter.
1022 OUT EFI_IPSEC_PAD_ID
**PadId
,
1023 OUT EFI_IPSEC_PAD_DATA
**Data
,
1024 IN LIST_ENTRY
*ParamPackage
,
1026 IN BOOLEAN CreateNew
1030 EFI_STATUS ReturnStatus
;
1031 SHELL_FILE_HANDLE FileHandle
;
1033 UINTN AuthDataLength
;
1034 UINTN RevocationDataLength
;
1037 CONST CHAR16
*ValueStr
;
1040 Status
= EFI_SUCCESS
;
1041 ReturnStatus
= EFI_SUCCESS
;
1044 RevocationDataLength
= 0;
1046 *PadId
= AllocateZeroPool (sizeof (EFI_IPSEC_PAD_ID
));
1047 ASSERT (*PadId
!= NULL
);
1050 // Fill in EFI_IPSEC_PAD_ID from the user input: --peer-address is parsed as an address range, --peer-id is copied with StrnCpy and silently truncated to ARRAY_SIZE (PeerId) - 1 characters (the terminator is guaranteed only because the structure came from AllocateZeroPool).
1052 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--peer-address");
1053 if (ValueStr
!= NULL
) {
1054 (*PadId
)->PeerIdValid
= FALSE
;
1055 Status
= EfiInetAddrRange ((CHAR16
*) ValueStr
, &(*PadId
)->Id
.IpAddress
);
1056 if (EFI_ERROR (Status
)) {
1061 STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE
),
1067 ReturnStatus
= EFI_INVALID_PARAMETER
;
1069 *Mask
|= PEER_ADDRESS
;
1073 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--peer-id");
1074 if (ValueStr
!= NULL
) {
1075 (*PadId
)->PeerIdValid
= TRUE
;
1076 StrnCpy ((CHAR16
*) (*PadId
)->Id
.PeerId
, ValueStr
, ARRAY_SIZE ((*PadId
)->Id
.PeerId
) - 1);
1080 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--auth-data");
1081 if (ValueStr
!= NULL
) {
1082 if (ValueStr
[0] == L
'@') {
1084 // Input is a file: --auth-data "@fs1:\My Certificates\tom.dat". This pass only records the file size; the contents are read in a second pass after the buffer is allocated.
1086 Status
= ShellOpenFileByName (&ValueStr
[1], &FileHandle
, EFI_FILE_MODE_READ
, 0);
1087 if (EFI_ERROR (Status
)) {
1092 STRING_TOKEN (STR_IPSEC_CONFIG_FILE_OPEN_FAILED
),
1097 ReturnStatus
= EFI_INVALID_PARAMETER
;
1099 Status
= ShellGetFileSize (FileHandle
, &FileSize
);
1100 ShellCloseFile (&FileHandle
);
1101 if (EFI_ERROR (Status
)) {
1106 STRING_TOKEN (STR_IPSEC_CONFIG_FILE_OPEN_FAILED
),
1111 ReturnStatus
= EFI_INVALID_PARAMETER
;
1113 AuthDataLength
= (UINTN
) FileSize
;
1117 AuthDataLength
= StrLen (ValueStr
);
1121 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--revocation-data");
1122 if (ValueStr
!= NULL
) {
1123 RevocationDataLength
= (StrLen (ValueStr
) + 1) * sizeof (CHAR16
);
1127 // Allocate Buffer for Data. Add padding after each struct to make sure the alignment
1128 // in different Arch.
1130 DataSize
= ALIGN_VARIABLE (sizeof (EFI_IPSEC_PAD_DATA
));
1131 DataSize
= ALIGN_VARIABLE (DataSize
+ AuthDataLength
);
1132 DataSize
+= RevocationDataLength
;
1134 *Data
= AllocateZeroPool (DataSize
);
1135 ASSERT (*Data
!= NULL
);
1137 (*Data
)->AuthData
= (VOID
*) ALIGN_POINTER ((*Data
+ 1), sizeof (UINTN
));
1138 (*Data
)->RevocationData
= (VOID
*) ALIGN_POINTER (((UINT8
*) (*Data
+ 1) + AuthDataLength
), sizeof (UINTN
));
1139 (*Data
)->AuthProtocol
= EfiIPsecAuthProtocolIKEv1
;
1142 // Convert the user input from string to integer, and fill in AuthProtocol / AuthMethod in EFI_IPSEC_PAD_DATA.
1144 Status
= GetNumber (
1147 &(*Data
)->AuthProtocol
,
1148 sizeof (EFI_IPSEC_AUTH_PROTOCOL_TYPE
),
1153 if (!EFI_ERROR (Status
)) {
1154 *Mask
|= AUTH_PROTO
;
1157 if (Status
== EFI_INVALID_PARAMETER
) {
1158 ReturnStatus
= EFI_INVALID_PARAMETER
;
1161 Status
= GetNumber (
1164 &(*Data
)->AuthMethod
,
1165 sizeof (EFI_IPSEC_AUTH_METHOD
),
1170 if (!EFI_ERROR (Status
)) {
1171 *Mask
|= AUTH_METHOD
;
1174 if (Status
== EFI_INVALID_PARAMETER
) {
1175 ReturnStatus
= EFI_INVALID_PARAMETER
;
1178 if (ShellCommandLineGetFlag (ParamPackage
, L
"--ike-id")) {
1179 (*Data
)->IkeIdFlag
= TRUE
;
1183 if (ShellCommandLineGetFlag (ParamPackage
, L
"--ike-id-")) {
1184 (*Data
)->IkeIdFlag
= FALSE
;
1188 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--auth-data");
1189 if (ValueStr
!= NULL
) {
1190 if (ValueStr
[0] == L
'@') {
1192 // Input is a file: --auth-data "@fs1:\My Certificates\tom.dat". NOTE(review): the file is reopened here after its size was taken in the first pass, so it may have changed in between. The read is bounded by DataLength = AuthDataLength (no overflow), but a short read is only caught by the debug-only ASSERT below and AuthDataSize is still set to the stale AuthDataLength; set AuthDataSize from DataLength or treat a mismatch as an error. When the data is given inline, each UCS-2 character is narrowed to one byte, so non-ASCII characters are silently mangled.
1195 Status
= ShellOpenFileByName (&ValueStr
[1], &FileHandle
, EFI_FILE_MODE_READ
, 0);
1196 if (EFI_ERROR (Status
)) {
1201 STRING_TOKEN (STR_IPSEC_CONFIG_FILE_OPEN_FAILED
),
1206 ReturnStatus
= EFI_INVALID_PARAMETER
;
1207 (*Data
)->AuthData
= NULL
;
1209 DataLength
= AuthDataLength
;
1210 Status
= ShellReadFile (FileHandle
, &DataLength
, (*Data
)->AuthData
);
1211 ShellCloseFile (&FileHandle
);
1212 if (EFI_ERROR (Status
)) {
1217 STRING_TOKEN (STR_IPSEC_CONFIG_FILE_OPEN_FAILED
),
1222 ReturnStatus
= EFI_INVALID_PARAMETER
;
1223 (*Data
)->AuthData
= NULL
;
1225 ASSERT (DataLength
== AuthDataLength
);
1230 for (Index
= 0; Index
< AuthDataLength
; Index
++) {
1231 ((CHAR8
*) (*Data
)->AuthData
)[Index
] = (CHAR8
) ValueStr
[Index
];
1233 (*Data
)->AuthDataSize
= AuthDataLength
;
1238 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--revocation-data");
1239 if (ValueStr
!= NULL
) {
1240 CopyMem ((*Data
)->RevocationData
, ValueStr
, RevocationDataLength
);
1241 (*Data
)->RevocationDataSize
= RevocationDataLength
;
1242 *Mask
|= REVOCATION_DATA
;
1244 (*Data
)->RevocationData
= NULL
;
1248 if ((*Mask
& (PEER_ID
| PEER_ADDRESS
)) == 0) {
1253 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS
),
1256 L
"--peer-id --peer-address"
1258 ReturnStatus
= EFI_INVALID_PARAMETER
;
1259 } else if ((*Mask
& (AUTH_METHOD
| AUTH_DATA
)) != (AUTH_METHOD
| AUTH_DATA
)) {
1264 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS
),
1267 L
"--auth-method --auth-data"
1269 ReturnStatus
= EFI_INVALID_PARAMETER
;
1273 return ReturnStatus
;
1276 CREATE_POLICY_ENTRY mCreatePolicyEntry
[] = {
1277 (CREATE_POLICY_ENTRY
) CreateSpdEntry
,
1278 (CREATE_POLICY_ENTRY
) CreateSadEntry
,
1279 (CREATE_POLICY_ENTRY
) CreatePadEntry
1283 Combine old SPD entry with new SPD entry.
1285 @param[in, out] OldSelector The pointer to the EFI_IPSEC_SPD_SELECTOR structure.
1286 @param[in, out] OldData The pointer to the EFI_IPSEC_SPD_DATA structure.
1287 @param[in] NewSelector The pointer to the EFI_IPSEC_SPD_SELECTOR structure.
1288 @param[in] NewData The pointer to the EFI_IPSEC_SPD_DATA structure.
1289 @param[in] Mask The bit mask of the fields the user supplied (passed by value).
1290 @param[out] CreateNew The switch to create new.
1292 @retval EFI_SUCCESS Combined successfully.
1293 @retval EFI_INVALID_PARAMETER Invalid user input parameter.
1298 IN OUT EFI_IPSEC_SPD_SELECTOR
*OldSelector
,
1299 IN OUT EFI_IPSEC_SPD_DATA
*OldData
,
1300 IN EFI_IPSEC_SPD_SELECTOR
*NewSelector
,
1301 IN EFI_IPSEC_SPD_DATA
*NewData
,
1303 OUT BOOLEAN
*CreateNew
1311 if ((Mask
& LOCAL
) == 0) {
1312 NewSelector
->LocalAddressCount
= OldSelector
->LocalAddressCount
;
1313 NewSelector
->LocalAddress
= OldSelector
->LocalAddress
;
1314 } else if ((NewSelector
->LocalAddressCount
!= OldSelector
->LocalAddressCount
) ||
1315 (CompareMem (NewSelector
->LocalAddress
, OldSelector
->LocalAddress
, NewSelector
->LocalAddressCount
* sizeof (EFI_IP_ADDRESS_INFO
)) != 0)) {
1319 if ((Mask
& REMOTE
) == 0) {
1320 NewSelector
->RemoteAddressCount
= OldSelector
->RemoteAddressCount
;
1321 NewSelector
->RemoteAddress
= OldSelector
->RemoteAddress
;
1322 } else if ((NewSelector
->RemoteAddressCount
!= OldSelector
->RemoteAddressCount
) ||
1323 (CompareMem (NewSelector
->RemoteAddress
, OldSelector
->RemoteAddress
, NewSelector
->RemoteAddressCount
* sizeof (EFI_IP_ADDRESS_INFO
)) != 0)) {
1327 if ((Mask
& PROTO
) == 0) {
1328 NewSelector
->NextLayerProtocol
= OldSelector
->NextLayerProtocol
;
1329 } else if (NewSelector
->NextLayerProtocol
!= OldSelector
->NextLayerProtocol
) {
1333 switch (NewSelector
->NextLayerProtocol
) {
1334 case EFI_IP4_PROTO_TCP
:
1335 case EFI_IP4_PROTO_UDP
:
1336 if ((Mask
& LOCAL_PORT
) == 0) {
1337 NewSelector
->LocalPort
= OldSelector
->LocalPort
;
1338 NewSelector
->LocalPortRange
= OldSelector
->LocalPortRange
;
1339 } else if ((NewSelector
->LocalPort
!= OldSelector
->LocalPort
) ||
1340 (NewSelector
->LocalPortRange
!= OldSelector
->LocalPortRange
)) {
1344 if ((Mask
& REMOTE_PORT
) == 0) {
1345 NewSelector
->RemotePort
= OldSelector
->RemotePort
;
1346 NewSelector
->RemotePortRange
= OldSelector
->RemotePortRange
;
1347 } else if ((NewSelector
->RemotePort
!= OldSelector
->RemotePort
) ||
1348 (NewSelector
->RemotePortRange
!= OldSelector
->RemotePortRange
)) {
1353 case EFI_IP4_PROTO_ICMP
:
1354 if ((Mask
& ICMP_TYPE
) == 0) {
1355 NewSelector
->LocalPort
= OldSelector
->LocalPort
;
1356 } else if (NewSelector
->LocalPort
!= OldSelector
->LocalPort
) {
1360 if ((Mask
& ICMP_CODE
) == 0) {
1361 NewSelector
->RemotePort
= OldSelector
->RemotePort
;
1362 } else if (NewSelector
->RemotePort
!= OldSelector
->RemotePort
) {
1370 if ((Mask
& NAME
) != 0) {
1371 AsciiStrCpy ((CHAR8
*) OldData
->Name
, (CHAR8
*) NewData
->Name
);
1374 if ((Mask
& PACKET_FLAG
) != 0) {
1375 OldData
->PackageFlag
= NewData
->PackageFlag
;
1378 if ((Mask
& ACTION
) != 0) {
1379 OldData
->Action
= NewData
->Action
;
1382 if (OldData
->Action
!= EfiIPsecActionProtect
) {
1383 OldData
->ProcessingPolicy
= NULL
;
1388 if (OldData
->ProcessingPolicy
== NULL
) {
1390 // Just point to the new data if the old policy was NULL. NOTE(review): the Mode dereference that follows assumes NewData->ProcessingPolicy is non-NULL, which CreateSpdEntry guarantees only when the new Action is Protect — confirm that no other path reaches here with a NULL policy.
1392 OldData
->ProcessingPolicy
= NewData
->ProcessingPolicy
;
1393 if (OldData
->ProcessingPolicy
->Mode
== EfiIPsecTunnel
&&
1394 (Mask
& (TUNNEL_LOCAL
| TUNNEL_REMOTE
)) != (TUNNEL_LOCAL
| TUNNEL_REMOTE
)
1397 // Change to Protect action and Tunnel mode, but without providing local/remote tunnel address.
1403 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS
),
1406 L
"--tunnel-local --tunnel-remote"
1408 return EFI_INVALID_PARAMETER
;
1412 // Modify some of the data.
1414 if ((Mask
& EXT_SEQUENCE
) != 0) {
1415 OldData
->ProcessingPolicy
->ExtSeqNum
= NewData
->ProcessingPolicy
->ExtSeqNum
;
1418 if ((Mask
& SEQUENCE_OVERFLOW
) != 0) {
1419 OldData
->ProcessingPolicy
->SeqOverflow
= NewData
->ProcessingPolicy
->SeqOverflow
;
1422 if ((Mask
& FRAGMENT_CHECK
) != 0) {
1423 OldData
->ProcessingPolicy
->FragCheck
= NewData
->ProcessingPolicy
->FragCheck
;
1426 if ((Mask
& LIFEBYTE
) != 0) {
1427 OldData
->ProcessingPolicy
->SaLifetime
.ByteCount
= NewData
->ProcessingPolicy
->SaLifetime
.ByteCount
;
1430 if ((Mask
& LIFETIME_SOFT
) != 0) {
1431 OldData
->ProcessingPolicy
->SaLifetime
.SoftLifetime
= NewData
->ProcessingPolicy
->SaLifetime
.SoftLifetime
;
1434 if ((Mask
& LIFETIME
) != 0) {
1435 OldData
->ProcessingPolicy
->SaLifetime
.HardLifetime
= NewData
->ProcessingPolicy
->SaLifetime
.HardLifetime
;
1438 if ((Mask
& MODE
) != 0) {
1439 OldData
->ProcessingPolicy
->Mode
= NewData
->ProcessingPolicy
->Mode
;
1442 if ((Mask
& IPSEC_PROTO
) != 0) {
1443 OldData
->ProcessingPolicy
->Proto
= NewData
->ProcessingPolicy
->Proto
;
1446 if ((Mask
& AUTH_ALGO
) != 0) {
1447 OldData
->ProcessingPolicy
->AuthAlgoId
= NewData
->ProcessingPolicy
->AuthAlgoId
;
1450 if ((Mask
& ENCRYPT_ALGO
) != 0) {
1451 OldData
->ProcessingPolicy
->EncAlgoId
= NewData
->ProcessingPolicy
->EncAlgoId
;
1454 if (OldData
->ProcessingPolicy
->Mode
!= EfiIPsecTunnel
) {
1455 OldData
->ProcessingPolicy
->TunnelOption
= NULL
;
1457 if (OldData
->ProcessingPolicy
->TunnelOption
== NULL
) {
1459 // Switching from Transport mode to Tunnel mode: ensure both TUNNEL_LOCAL and TUNNEL_REMOTE were supplied before taking the new tunnel option.
1461 if ((Mask
& (TUNNEL_LOCAL
| TUNNEL_REMOTE
)) != (TUNNEL_LOCAL
| TUNNEL_REMOTE
)) {
1466 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS
),
1469 L
"--tunnel-local --tunnel-remote"
1471 return EFI_INVALID_PARAMETER
;
1474 OldData
->ProcessingPolicy
->TunnelOption
= NewData
->ProcessingPolicy
->TunnelOption
;
1476 if ((Mask
& TUNNEL_LOCAL
) != 0) {
1478 &OldData
->ProcessingPolicy
->TunnelOption
->LocalTunnelAddress
,
1479 &NewData
->ProcessingPolicy
->TunnelOption
->LocalTunnelAddress
,
1480 sizeof (EFI_IP_ADDRESS
)
1484 if ((Mask
& TUNNEL_REMOTE
) != 0) {
1486 &OldData
->ProcessingPolicy
->TunnelOption
->RemoteTunnelAddress
,
1487 &NewData
->ProcessingPolicy
->TunnelOption
->RemoteTunnelAddress
,
1488 sizeof (EFI_IP_ADDRESS
)
1492 if ((Mask
& DONT_FRAGMENT
) != 0) {
1493 OldData
->ProcessingPolicy
->TunnelOption
->DF
= NewData
->ProcessingPolicy
->TunnelOption
->DF
;
1504 Combine old SAD entry with new SAD entry.
1506 @param[in, out] OldSaId The pointer to the EFI_IPSEC_SA_ID structure.
1507 @param[in, out] OldData The pointer to the EFI_IPSEC_SA_DATA2 structure.
1508 @param[in] NewSaId The pointer to the EFI_IPSEC_SA_ID structure.
1509 @param[in] NewData The pointer to the EFI_IPSEC_SA_DATA2 structure.
1510 @param[in] Mask The bit mask of the fields the user supplied (passed by value).
1511 @param[out] CreateNew The switch to create new.
1513 @retval EFI_SUCCESS Combined successfully.
1514 @retval EFI_INVALID_PARAMETER Invalid user input parameter.
1519 IN OUT EFI_IPSEC_SA_ID
*OldSaId
,
1520 IN OUT EFI_IPSEC_SA_DATA2
*OldData
,
1521 IN EFI_IPSEC_SA_ID
*NewSaId
,
1522 IN EFI_IPSEC_SA_DATA2
*NewData
,
1524 OUT BOOLEAN
*CreateNew
1530 if ((Mask
& SPI
) == 0) {
1531 NewSaId
->Spi
= OldSaId
->Spi
;
1532 } else if (NewSaId
->Spi
!= OldSaId
->Spi
) {
1536 if ((Mask
& IPSEC_PROTO
) == 0) {
1537 NewSaId
->Proto
= OldSaId
->Proto
;
1538 } else if (NewSaId
->Proto
!= OldSaId
->Proto
) {
1542 if ((Mask
& DEST
) == 0) {
1543 CopyMem (&NewData
->TunnelDestinationAddress
, &OldData
->TunnelDestinationAddress
, sizeof (EFI_IP_ADDRESS
));
1544 } else if (CompareMem (&NewData
->TunnelDestinationAddress
, &OldData
->TunnelDestinationAddress
, sizeof (EFI_IP_ADDRESS
)) != 0) {
1548 if ((Mask
& SOURCE
) == 0) {
1549 CopyMem (&NewData
->TunnelSourceAddress
, &OldData
->TunnelSourceAddress
, sizeof (EFI_IP_ADDRESS
));
1550 } else if (CompareMem (&NewData
->TunnelSourceAddress
, &OldData
->TunnelSourceAddress
, sizeof (EFI_IP_ADDRESS
)) != 0) {
1556 if ((Mask
& MODE
) != 0) {
1557 OldData
->Mode
= NewData
->Mode
;
1560 if ((Mask
& SEQUENCE_NUMBER
) != 0) {
1561 OldData
->SNCount
= NewData
->SNCount
;
1564 if ((Mask
& ANTIREPLAY_WINDOW
) != 0) {
1565 OldData
->AntiReplayWindows
= NewData
->AntiReplayWindows
;
1568 if ((Mask
& AUTH_ALGO
) != 0) {
1569 OldData
->AlgoInfo
.EspAlgoInfo
.AuthAlgoId
= NewData
->AlgoInfo
.EspAlgoInfo
.AuthAlgoId
;
1572 if ((Mask
& AUTH_KEY
) != 0) {
1573 OldData
->AlgoInfo
.EspAlgoInfo
.AuthKey
= NewData
->AlgoInfo
.EspAlgoInfo
.AuthKey
;
1574 OldData
->AlgoInfo
.EspAlgoInfo
.AuthKeyLength
= NewData
->AlgoInfo
.EspAlgoInfo
.AuthKeyLength
;
1577 if ((Mask
& ENCRYPT_ALGO
) != 0) {
1578 OldData
->AlgoInfo
.EspAlgoInfo
.EncAlgoId
= NewData
->AlgoInfo
.EspAlgoInfo
.EncAlgoId
;
1581 if ((Mask
& ENCRYPT_KEY
) != 0) {
1582 OldData
->AlgoInfo
.EspAlgoInfo
.EncKey
= NewData
->AlgoInfo
.EspAlgoInfo
.EncKey
;
1583 OldData
->AlgoInfo
.EspAlgoInfo
.EncKeyLength
= NewData
->AlgoInfo
.EspAlgoInfo
.EncKeyLength
;
1586 if (NewSaId
->Proto
== EfiIPsecAH
) {
1587 if ((Mask
& (ENCRYPT_ALGO
| ENCRYPT_KEY
)) != 0) {
1589 // Should not provide encrypt_* if AH.
1595 STRING_TOKEN (STR_IPSEC_CONFIG_UNWANTED_PARAMETER
),
1598 L
"--encrypt-algo --encrypt-key"
1600 return EFI_INVALID_PARAMETER
;
1604 if (NewSaId
->Proto
== EfiIPsecESP
&& OldSaId
->Proto
== EfiIPsecAH
) {
1607 // Should provide encrypt_algo at least.
1609 if ((Mask
& ENCRYPT_ALGO
) == 0) {
1614 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_PARAMETER
),
1619 return EFI_INVALID_PARAMETER
;
1623 // Encrypt_key should be provided if algorithm is not NONE.
1625 if (NewData
->AlgoInfo
.EspAlgoInfo
.EncAlgoId
!= IPSEC_EALG_NONE
&& (Mask
& ENCRYPT_KEY
) == 0) {
1630 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_PARAMETER
),
1635 return EFI_INVALID_PARAMETER
;
1639 if ((Mask
& LIFEBYTE
) != 0) {
1640 OldData
->SaLifetime
.ByteCount
= NewData
->SaLifetime
.ByteCount
;
1643 if ((Mask
& LIFETIME_SOFT
) != 0) {
1644 OldData
->SaLifetime
.SoftLifetime
= NewData
->SaLifetime
.SoftLifetime
;
1647 if ((Mask
& LIFETIME
) != 0) {
1648 OldData
->SaLifetime
.HardLifetime
= NewData
->SaLifetime
.HardLifetime
;
1651 if ((Mask
& PATH_MTU
) != 0) {
1652 OldData
->PathMTU
= NewData
->PathMTU
;
1655 // Process SpdSelector.
1657 if (OldData
->SpdSelector
== NULL
) {
1658 if ((Mask
& (LOCAL
| REMOTE
| PROTO
| LOCAL_PORT
| REMOTE_PORT
| ICMP_TYPE
| ICMP_CODE
)) != 0) {
1659 if ((Mask
& (LOCAL
| REMOTE
| PROTO
)) != (LOCAL
| REMOTE
| PROTO
)) {
1664 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS
),
1667 L
"--local --remote --proto"
1669 return EFI_INVALID_PARAMETER
;
1672 OldData
->SpdSelector
= NewData
->SpdSelector
;
1675 if ((Mask
& LOCAL
) != 0) {
1676 OldData
->SpdSelector
->LocalAddressCount
= NewData
->SpdSelector
->LocalAddressCount
;
1677 OldData
->SpdSelector
->LocalAddress
= NewData
->SpdSelector
->LocalAddress
;
1680 if ((Mask
& REMOTE
) != 0) {
1681 OldData
->SpdSelector
->RemoteAddressCount
= NewData
->SpdSelector
->RemoteAddressCount
;
1682 OldData
->SpdSelector
->RemoteAddress
= NewData
->SpdSelector
->RemoteAddress
;
1685 if ((Mask
& PROTO
) != 0) {
1686 OldData
->SpdSelector
->NextLayerProtocol
= NewData
->SpdSelector
->NextLayerProtocol
;
1689 if (OldData
->SpdSelector
!= NULL
) {
1690 switch (OldData
->SpdSelector
->NextLayerProtocol
) {
1691 case EFI_IP4_PROTO_TCP
:
1692 case EFI_IP4_PROTO_UDP
:
1693 if ((Mask
& LOCAL_PORT
) != 0) {
1694 OldData
->SpdSelector
->LocalPort
= NewData
->SpdSelector
->LocalPort
;
1697 if ((Mask
& REMOTE_PORT
) != 0) {
1698 OldData
->SpdSelector
->RemotePort
= NewData
->SpdSelector
->RemotePort
;
1702 case EFI_IP4_PROTO_ICMP
:
1703 if ((Mask
& ICMP_TYPE
) != 0) {
1704 OldData
->SpdSelector
->LocalPort
= (UINT8
) NewData
->SpdSelector
->LocalPort
;
1707 if ((Mask
& ICMP_CODE
) != 0) {
1708 OldData
->SpdSelector
->RemotePort
= (UINT8
) NewData
->SpdSelector
->RemotePort
;
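/**
  Merge the PAD entry built from the command line into an existing PAD entry.

  Only the fields whose bit is set in Mask are taken from NewPadId/NewData;
  every other field keeps the value of the existing entry.  If neither the peer
  ID nor the peer address was supplied, the new entry inherits the old
  identifier.  If the identifier was supplied and differs from the existing one
  (or switches between ID-based and address-based), *CreateNew is set because
  the entry has to be re-created rather than updated in place.

  Security notes for maintainers:
   - The peer ID comparison is bounded by the size of the PeerId array.  The ID
     of the existing entry comes from the database and the new one from the
     command line; neither is guaranteed to be NUL-terminated here, and an
     unbounded StrCmp would read past the EFI_IPSEC_PAD_ID structure.
   - AuthData/RevocationData are aliased, not copied: OldData is re-pointed at
     the buffers owned by NewData, which must stay allocated until the merged
     entry has been committed.

  @param[in, out] OldPadId   The identifier of the existing PAD entry.
  @param[in, out] OldData    The data of the existing PAD entry; updated in place.
  @param[in]      NewPadId   The identifier built from the command line.  Despite
                             the IN qualifier it is overwritten with OldPadId
                             when no identifier option was supplied.
  @param[in]      NewData    The data built from the command line.
  @param[in]      Mask       Bit mask of the options the user actually supplied.
  @param[out]     CreateNew  Set to TRUE when the identity changed and the entry
                             has to be re-created instead of updated.

  @retval EFI_SUCCESS  The entries were merged.

**/
EFI_STATUS
CombinePadEntry (
  IN OUT EFI_IPSEC_PAD_ID       *OldPadId,
  IN OUT EFI_IPSEC_PAD_DATA     *OldData,
  IN     EFI_IPSEC_PAD_ID       *NewPadId,
  IN     EFI_IPSEC_PAD_DATA     *NewData,
  IN     UINT32                 Mask,
  OUT    BOOLEAN                *CreateNew
  )
{
  UINTN  PeerIdMaxChars;

  *CreateNew = FALSE;

  if ((Mask & (PEER_ID | PEER_ADDRESS)) == 0) {
    //
    // Identity unchanged: give the new entry the old identifier.
    //
    CopyMem (NewPadId, OldPadId, sizeof (EFI_IPSEC_PAD_ID));
  } else if ((Mask & PEER_ID) != 0) {
    if (OldPadId->PeerIdValid) {
      //
      // PeerId is a fixed-size byte array holding a CHAR16 string.  Bound the
      // comparison by the array size so an ID that fills the buffer without a
      // terminator cannot make the compare run past the structure.
      //
      PeerIdMaxChars = sizeof (OldPadId->Id.PeerId) / sizeof (CHAR16);
      if (StrnCmp ((CONST CHAR16 *) OldPadId->Id.PeerId, (CONST CHAR16 *) NewPadId->Id.PeerId, PeerIdMaxChars) != 0) {
        *CreateNew = TRUE;
      }
    } else {
      //
      // Old entry was address-based, the new one is ID-based.
      //
      *CreateNew = TRUE;
    }
  } else {
    //
    // Mask & PEER_ADDRESS
    //
    if (OldPadId->PeerIdValid) {
      //
      // Old entry was ID-based, the new one is address-based.
      //
      *CreateNew = TRUE;
    } else if ((CompareMem (&OldPadId->Id.IpAddress.Address, &NewPadId->Id.IpAddress.Address, sizeof (EFI_IP_ADDRESS)) != 0) ||
               (OldPadId->Id.IpAddress.PrefixLength != NewPadId->Id.IpAddress.PrefixLength)) {
      *CreateNew = TRUE;
    }
  }

  //
  // Data fields: overwrite only what was supplied.
  //
  if ((Mask & AUTH_PROTO) != 0) {
    OldData->AuthProtocol = NewData->AuthProtocol;
  }

  if ((Mask & AUTH_METHOD) != 0) {
    OldData->AuthMethod = NewData->AuthMethod;
  }

  if ((Mask & IKE_ID) != 0) {
    OldData->IkeIdFlag = NewData->IkeIdFlag;
  }

  if ((Mask & AUTH_DATA) != 0) {
    //
    // Pointer alias, see the function header.
    //
    OldData->AuthDataSize = NewData->AuthDataSize;
    OldData->AuthData     = NewData->AuthData;
  }

  if ((Mask & REVOCATION_DATA) != 0) {
    //
    // Pointer alias, see the function header.
    //
    OldData->RevocationDataSize = NewData->RevocationDataSize;
    OldData->RevocationData     = NewData->RevocationData;
  }

  return EFI_SUCCESS;
}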
//
// Merge routine per database, indexed by the EFI_IPSEC_CONFIG_DATA_TYPE value
// (SPD, SAD, PAD in that order).  Each routine has its own typed signature and
// is cast to the generic COMBINE_POLICY_ENTRY type, so the table has exactly
// three entries and callers must range-check the index before using it.
//
COMBINE_POLICY_ENTRY mCombinePolicyEntry[] = {
  (COMBINE_POLICY_ENTRY) CombineSpdEntry,   // SPD
  (COMBINE_POLICY_ENTRY) CombineSadEntry,   // SAD
  (COMBINE_POLICY_ENTRY) CombinePadEntry    // PAD
};
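/**
  Visitor applied to every entry of the database being edited.

  When the visited entry is the one selected by Context->Indexer, the changes
  supplied on the command line (Context->Selector, Context->Data,
  Context->Mask) are merged into it by the mCombinePolicyEntry routine for the
  data type and the result is written back:
   - if the merge reports that the identity changed, the merged entry is
     inserted under its new identifier in front of the old one and the old
     entry is then removed;
   - otherwise the entry is updated in place.
  The outcome is stored in Context->Status and the iteration is stopped.

  @param[in] Selector  The selector of the visited entry.
  @param[in] Data      The data of the visited entry.
  @param[in] Context   The EDIT_POLICY_ENTRY_CONTEXT describing the edit.

  @retval EFI_SUCCESS  Not the selected entry; continue the iteration.
  @retval EFI_ABORTED  The selected entry was processed (or Context->DataType
                       was out of range); stop the iteration.  The result is
                       in Context->Status.

**/
EFI_STATUS
EditOperatePolicyEntry (
  IN EFI_IPSEC_CONFIG_SELECTOR    *Selector,
  IN VOID                         *Data,
  IN EDIT_POLICY_ENTRY_CONTEXT    *Context
  )
{
  EFI_STATUS  Status;
  BOOLEAN     CreateNew;

  //
  // DataType indexes the mMatchPolicyEntry/mCombinePolicyEntry tables, so it
  // must be checked before it is used as an index, not after.  ASSERT is
  // compiled out of release builds, hence the explicit guard as well.
  //
  ASSERT (Context->DataType < 3);
  if (Context->DataType >= 3) {
    Context->Status = EFI_INVALID_PARAMETER;
    return EFI_ABORTED;
  }

  if (!mMatchPolicyEntry[Context->DataType] (Selector, Data, &Context->Indexer)) {
    return EFI_SUCCESS;
  }

  CreateNew = FALSE;
  Status    = mCombinePolicyEntry[Context->DataType] (
                Selector,
                Data,
                Context->Selector,
                Context->Data,
                Context->Mask,
                &CreateNew
                );
  if (!EFI_ERROR (Status)) {
    if (CreateNew) {
      //
      // The identity changed: insert the merged entry before the old one ...
      //
      Status = mIpSecConfig->SetData (
                               mIpSecConfig,
                               Context->DataType,
                               Context->Selector,
                               Data,
                               Selector
                               );
      ASSERT_EFI_ERROR (Status);

      //
      // ... and remove the old one only once the new one is in place, so a
      // failed insertion cannot silently drop the policy altogether.
      //
      if (!EFI_ERROR (Status)) {
        Status = mIpSecConfig->SetData (
                                 mIpSecConfig,
                                 Context->DataType,
                                 Selector,
                                 NULL,
                                 NULL
                                 );
        ASSERT_EFI_ERROR (Status);
      }
    } else {
      //
      // Same identity: update the entry in place.
      //
      Status = mIpSecConfig->SetData (
                               mIpSecConfig,
                               Context->DataType,
                               Selector,
                               Data,
                               NULL
                               );
    }
  }

  Context->Status = Status;
  return EFI_ABORTED;
}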
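/**
  Edit the entry selected with -e in the SPD, SAD or PAD database.

  The -e value is turned into an indexer, the remaining options are parsed
  into a selector/data/mask triple describing the requested changes, and
  EditOperatePolicyEntry is run over the database to apply them to the
  matching entry.  Any buffers returned by the entry constructor are released
  before returning.

  @param[in] DataType      The database to edit (EFI_IPSEC_CONFIG_DATA_TYPE).
  @param[in] ParamPackage  The parsed command line.

  @retval EFI_SUCCESS    The entry was edited.
  @retval EFI_NOT_FOUND  -e was not given, or no entry matched it.
  @retval Others         Parsing the options or writing the entry failed.

**/
EFI_STATUS
EditPolicyEntry (
  IN EFI_IPSEC_CONFIG_DATA_TYPE    DataType,
  IN LIST_ENTRY                    *ParamPackage
  )
{
  EFI_STATUS                 Status;
  EDIT_POLICY_ENTRY_CONTEXT  Context;
  CONST CHAR16               *ValueStr;

  ValueStr = ShellCommandLineGetValue (ParamPackage, L"-e");
  if (ValueStr == NULL) {
    ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_INDEX_NOT_SPECIFIED), mHiiHandle, mAppName, ValueStr);
    return EFI_NOT_FOUND;
  }

  Status = mConstructPolicyEntryIndexer[DataType] (&Context.Indexer, ParamPackage);
  if (!EFI_ERROR (Status)) {
    Context.DataType = DataType;
    Context.Status   = EFI_NOT_FOUND;

    //
    // The cleanup below frees whatever the entry constructor handed back.
    // Start from NULL so that a constructor failing before it has assigned
    // these pointers cannot leave stack garbage in them.
    //
    Context.Selector = NULL;
    Context.Data     = NULL;
    Context.Mask     = 0;

    Status = mCreatePolicyEntry[DataType] (&Context.Selector, &Context.Data, ParamPackage, &Context.Mask, FALSE);
    if (!EFI_ERROR (Status)) {
      //
      // The visitor leaves its result in Context.Status; EFI_NOT_FOUND
      // survives only if no entry matched the indexer.
      //
      ForeachPolicyEntry (DataType, (VISIT_POLICY_ENTRY) EditOperatePolicyEntry, &Context);
      Status = Context.Status;
    }

    if (Context.Selector != NULL) {
      gBS->FreePool (Context.Selector);
    }

    if (Context.Data != NULL) {
      //
      // NOTE(review): for the SAD this buffer can carry key material entered
      // on the command line; its size is not known here, so it is released
      // without being cleared first.
      //
      gBS->FreePool (Context.Data);
    }
  }

  if (Status == EFI_NOT_FOUND) {
    ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_INDEX_NOT_FOUND), mHiiHandle, mAppName, ValueStr);
  } else if (EFI_ERROR (Status)) {
    ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_EDIT_FAILED), mHiiHandle, mAppName);
  }

  return Status;
}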
/**
  Visitor used when inserting: place the pending entry in front of the entry
  selected by Context->Indexer.

  The pending entry (Context->Selector / Context->Data) is handed to
  SetData with the visited entry as the insertion point.  The result of
  SetData is stored in Context->Status and the iteration is stopped; entries
  that do not match the indexer are skipped.

  @param[in] Selector  The selector of the visited entry.
  @param[in] Data      The data of the visited entry.
  @param[in] Context   The INSERT_POLICY_ENTRY_CONTEXT describing the insertion.

  @retval EFI_SUCCESS  Not the insertion point; continue the iteration.
  @retval EFI_ABORTED  The insertion was attempted; stop the iteration.

**/
EFI_STATUS
InsertPolicyEntry (
  IN EFI_IPSEC_CONFIG_SELECTOR    *Selector,
  IN VOID                         *Data,
  IN INSERT_POLICY_ENTRY_CONTEXT  *Context
  )
{
  BOOLEAN  IsInsertionPoint;

  IsInsertionPoint = mMatchPolicyEntry[Context->DataType] (Selector, Data, &Context->Indexer);
  if (!IsInsertionPoint) {
    //
    // Not the entry named by -i: keep walking the database.
    //
    return EFI_SUCCESS;
  }

  Context->Status = mIpSecConfig->SetData (
                                    mIpSecConfig,
                                    Context->DataType,
                                    Context->Selector,
                                    Context->Data,
                                    Selector
                                    );

  //
  // One insertion per command: stop the iteration here.
  //
  return EFI_ABORTED;
}
1969 Insert or add entry information in database according to datatype.
1971 @param[in] DataType The value of EFI_IPSEC_CONFIG_DATA_TYPE.
1972 @param[in] ParamPackage The pointer to the ParamPackage list.
1974 @retval EFI_SUCCESS Insert or add entry information successfully.
1975 @retval EFI_NOT_FOUND Can't find the specified entry.
1976 @retval EFI_BUFFER_TOO_SMALL The entry already existed.
1977 @retval EFI_UNSUPPORTED The operation is not supported.
1978 @retval Others Some mistaken case.
1981 AddOrInsertPolicyEntry (
1982 IN EFI_IPSEC_CONFIG_DATA_TYPE DataType
,
1983 IN LIST_ENTRY
*ParamPackage
1987 EFI_IPSEC_CONFIG_SELECTOR
*Selector
;
1989 INSERT_POLICY_ENTRY_CONTEXT Context
;
1992 CONST CHAR16
*ValueStr
;
1994 Status
= mCreatePolicyEntry
[DataType
] (&Selector
, &Data
, ParamPackage
, &Mask
, TRUE
);
1995 if (!EFI_ERROR (Status
)) {
1997 // Find if the Selector to be inserted already exists.
2000 Status
= mIpSecConfig
->GetData (
2007 if (Status
== EFI_BUFFER_TOO_SMALL
) {
2008 ShellPrintHiiEx (-1, -1, NULL
, STRING_TOKEN (STR_IPSEC_CONFIG_ALREADY_EXISTS
), mHiiHandle
, mAppName
);
2009 } else if (ShellCommandLineGetFlag (ParamPackage
, L
"-a")) {
2010 Status
= mIpSecConfig
->SetData (
2018 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"-i");
2019 if (ValueStr
== NULL
) {
2020 ShellPrintHiiEx (-1, -1, NULL
, STRING_TOKEN (STR_IPSEC_CONFIG_INDEX_NOT_SPECIFIED
), mHiiHandle
, mAppName
, ValueStr
);
2021 return EFI_NOT_FOUND
;
2024 Status
= mConstructPolicyEntryIndexer
[DataType
] (&Context
.Indexer
, ParamPackage
);
2025 if (!EFI_ERROR (Status
)) {
2026 Context
.DataType
= DataType
;
2027 Context
.Status
= EFI_NOT_FOUND
;
2028 Context
.Selector
= Selector
;
2029 Context
.Data
= Data
;
2031 ForeachPolicyEntry (DataType
, (VISIT_POLICY_ENTRY
) InsertPolicyEntry
, &Context
);
2032 Status
= Context
.Status
;
2033 if (Status
== EFI_NOT_FOUND
) {
2034 ShellPrintHiiEx (-1, -1, NULL
, STRING_TOKEN (STR_IPSEC_CONFIG_INDEX_NOT_FOUND
), mHiiHandle
, mAppName
, ValueStr
);
2039 gBS
->FreePool (Selector
);
2040 gBS
->FreePool (Data
);
2043 if (Status
== EFI_UNSUPPORTED
) {
2044 ShellPrintHiiEx (-1, -1, NULL
, STRING_TOKEN (STR_IPSEC_CONFIG_INSERT_UNSUPPORT
), mHiiHandle
, mAppName
);
2045 } else if (EFI_ERROR (Status
)) {
2046 ShellPrintHiiEx (-1, -1, NULL
, STRING_TOKEN (STR_IPSEC_CONFIG_INSERT_FAILED
), mHiiHandle
, mAppName
);