2 The implementation of policy entry operation function in IpSecConfig application.
4 Copyright (c) 2009 - 2010, Intel Corporation. All rights reserved.<BR>
6 This program and the accompanying materials
7 are licensed and made available under the terms and conditions of the BSD License
8 which accompanies this distribution. The full text of the license may be found at
9 http://opensource.org/licenses/bsd-license.php.
11 THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
12 WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
16 #include "IpSecConfig.h"
21 #include "PolicyEntryOperation.h"
24 Fill in EFI_IPSEC_SPD_SELECTOR through ParamPackage list.
26 @param[out] Selector The pointer to the EFI_IPSEC_SPD_SELECTOR structure.
27 @param[in] ParamPackage The pointer to the ParamPackage list.
28 @param[in, out] ParamPackage The pointer to the Mask.
30 @retval EFI_SUCCESS Fill in EFI_IPSEC_SPD_SELECTOR successfully.
31 @retval EFI_INVALID_PARAMETER Invalid user input parameter.
36 OUT EFI_IPSEC_SPD_SELECTOR
*Selector
,
37 IN LIST_ENTRY
*ParamPackage
,
42 EFI_STATUS ReturnStatus
;
43 CONST CHAR16
*ValueStr
;
46 ReturnStatus
= EFI_SUCCESS
;
49 // Convert user imput from string to integer, and fill in the member in EFI_IPSEC_SPD_SELECTOR.
51 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--local");
52 if (ValueStr
!= NULL
) {
53 Selector
->LocalAddressCount
= 1;
54 Status
= EfiInetAddrRange ((CHAR16
*) ValueStr
, Selector
->LocalAddress
);
55 if (EFI_ERROR (Status
)) {
60 STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE
),
66 ReturnStatus
= EFI_INVALID_PARAMETER
;
73 // Convert user imput from string to integer, and fill in the member in EFI_IPSEC_SPD_SELECTOR.
75 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--remote");
76 if (ValueStr
!= NULL
) {
77 Selector
->RemoteAddressCount
= 1;
78 Status
= EfiInetAddrRange ((CHAR16
*) ValueStr
, Selector
->RemoteAddress
);
79 if (EFI_ERROR (Status
)) {
84 STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE
),
90 ReturnStatus
= EFI_INVALID_PARAMETER
;
96 Selector
->NextLayerProtocol
= EFI_IPSEC_ANY_PROTOCOL
;
99 // Convert user imput from string to integer, and fill in the member in EFI_IPSEC_SPD_SELECTOR.
104 &Selector
->NextLayerProtocol
,
108 FORMAT_NUMBER
| FORMAT_STRING
110 if (!EFI_ERROR (Status
)) {
114 if (Status
== EFI_INVALID_PARAMETER
) {
115 ReturnStatus
= EFI_INVALID_PARAMETER
;
118 Selector
->LocalPort
= EFI_IPSEC_ANY_PORT
;
119 Selector
->RemotePort
= EFI_IPSEC_ANY_PORT
;
122 // Convert user imput from string to integer, and fill in the member in EFI_IPSEC_SPD_SELECTOR.
124 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--local-port");
125 if (ValueStr
!= NULL
) {
126 Status
= EfiInetPortRange ((CHAR16
*) ValueStr
, &Selector
->LocalPort
, &Selector
->LocalPortRange
);
127 if (EFI_ERROR (Status
)) {
132 STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE
),
138 ReturnStatus
= EFI_INVALID_PARAMETER
;
145 // Convert user imput from string to integer, and fill in the member in EFI_IPSEC_SPD_SELECTOR.
147 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--remote-port");
148 if (ValueStr
!= NULL
) {
149 Status
= EfiInetPortRange ((CHAR16
*) ValueStr
, &Selector
->RemotePort
, &Selector
->RemotePortRange
);
150 if (EFI_ERROR (Status
)) {
155 STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE
),
161 ReturnStatus
= EFI_INVALID_PARAMETER
;
163 *Mask
|= REMOTE_PORT
;
168 // Convert user imput from string to integer, and fill in the member in EFI_IPSEC_SPD_SELECTOR.
173 &Selector
->LocalPort
,
179 if (!EFI_ERROR (Status
)) {
183 if (Status
== EFI_INVALID_PARAMETER
) {
184 ReturnStatus
= EFI_INVALID_PARAMETER
;
188 // Convert user imput from string to integer, and fill in the member in EFI_IPSEC_SPD_SELECTOR.
193 &Selector
->RemotePort
,
199 if (!EFI_ERROR (Status
)) {
203 if (Status
== EFI_INVALID_PARAMETER
) {
204 ReturnStatus
= EFI_INVALID_PARAMETER
;
211 Fill in EFI_IPSEC_SPD_SELECTOR and EFI_IPSEC_SPD_DATA through ParamPackage list.
213 @param[out] Selector The pointer to the EFI_IPSEC_SPD_SELECTOR structure.
214 @param[out] Data The pointer to the EFI_IPSEC_SPD_DATA structure.
215 @param[in] ParamPackage The pointer to the ParamPackage list.
216 @param[out] Mask The pointer to the Mask.
217 @param[in] CreateNew The switch to create new.
219 @retval EFI_SUCCESS Fill in EFI_IPSEC_SPD_SELECTOR and EFI_IPSEC_SPD_DATA successfully.
220 @retval EFI_INVALID_PARAMETER Invalid user input parameter.
225 OUT EFI_IPSEC_SPD_SELECTOR
**Selector
,
226 OUT EFI_IPSEC_SPD_DATA
**Data
,
227 IN LIST_ENTRY
*ParamPackage
,
233 EFI_STATUS ReturnStatus
;
234 CONST CHAR16
*ValueStr
;
237 Status
= EFI_SUCCESS
;
240 *Selector
= AllocateZeroPool (sizeof (EFI_IPSEC_SPD_SELECTOR
) + 2 * sizeof (EFI_IP_ADDRESS_INFO
));
241 ASSERT (*Selector
!= NULL
);
243 (*Selector
)->LocalAddress
= (EFI_IP_ADDRESS_INFO
*) (*Selector
+ 1);
244 (*Selector
)->RemoteAddress
= (*Selector
)->LocalAddress
+ 1;
246 ReturnStatus
= CreateSpdSelector (*Selector
, ParamPackage
, Mask
);
250 // NOTE: Allocate enough memory and add padding for different arch.
252 DataSize
= ALIGN_VARIABLE (sizeof (EFI_IPSEC_SPD_DATA
));
253 DataSize
= ALIGN_VARIABLE (DataSize
+ sizeof (EFI_IPSEC_PROCESS_POLICY
));
254 DataSize
+= sizeof (EFI_IPSEC_TUNNEL_OPTION
);
256 *Data
= AllocateZeroPool (DataSize
);
257 ASSERT (*Data
!= NULL
);
259 (*Data
)->ProcessingPolicy
= (EFI_IPSEC_PROCESS_POLICY
*) ALIGN_POINTER (
263 (*Data
)->ProcessingPolicy
->TunnelOption
= (EFI_IPSEC_TUNNEL_OPTION
*) ALIGN_POINTER (
264 ((*Data
)->ProcessingPolicy
+ 1),
270 // Convert user imput from string to integer, and fill in the Name in EFI_IPSEC_SPD_DATA.
272 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--name");
273 if (ValueStr
!= NULL
) {
274 UnicodeStrToAsciiStr (ValueStr
, (CHAR8
*) (*Data
)->Name
);
279 // Convert user imput from string to integer, and fill in the PackageFlag in EFI_IPSEC_SPD_DATA.
284 &(*Data
)->PackageFlag
,
290 if (!EFI_ERROR (Status
)) {
291 *Mask
|= PACKET_FLAG
;
294 if (Status
== EFI_INVALID_PARAMETER
) {
295 ReturnStatus
= EFI_INVALID_PARAMETER
;
299 // Convert user imput from string to integer, and fill in the Action in EFI_IPSEC_SPD_DATA.
310 if (!EFI_ERROR (Status
)) {
314 if (Status
== EFI_INVALID_PARAMETER
) {
315 ReturnStatus
= EFI_INVALID_PARAMETER
;
319 // Convert user imput from string to integer, and fill in the ExtSeqNum in EFI_IPSEC_SPD_DATA.
321 if (ShellCommandLineGetFlag (ParamPackage
, L
"--ext-sequence")) {
322 (*Data
)->ProcessingPolicy
->ExtSeqNum
= TRUE
;
323 *Mask
|= EXT_SEQUENCE
;
324 } else if (ShellCommandLineGetFlag (ParamPackage
, L
"--ext-sequence-")) {
325 (*Data
)->ProcessingPolicy
->ExtSeqNum
= FALSE
;
326 *Mask
|= EXT_SEQUENCE
;
330 // Convert user imput from string to integer, and fill in the SeqOverflow in EFI_IPSEC_SPD_DATA.
332 if (ShellCommandLineGetFlag (ParamPackage
, L
"--sequence-overflow")) {
333 (*Data
)->ProcessingPolicy
->SeqOverflow
= TRUE
;
334 *Mask
|= SEQUENCE_OVERFLOW
;
335 } else if (ShellCommandLineGetFlag (ParamPackage
, L
"--sequence-overflow-")) {
336 (*Data
)->ProcessingPolicy
->SeqOverflow
= FALSE
;
337 *Mask
|= SEQUENCE_OVERFLOW
;
341 // Convert user imput from string to integer, and fill in the FragCheck in EFI_IPSEC_SPD_DATA.
343 if (ShellCommandLineGetFlag (ParamPackage
, L
"--fragment-check")) {
344 (*Data
)->ProcessingPolicy
->FragCheck
= TRUE
;
345 *Mask
|= FRAGMENT_CHECK
;
346 } else if (ShellCommandLineGetFlag (ParamPackage
, L
"--fragment-check-")) {
347 (*Data
)->ProcessingPolicy
->FragCheck
= FALSE
;
348 *Mask
|= FRAGMENT_CHECK
;
352 // Convert user imput from string to integer, and fill in the ProcessingPolicy in EFI_IPSEC_SPD_DATA.
357 &(*Data
)->ProcessingPolicy
->SaLifetime
.ByteCount
,
363 if (!EFI_ERROR (Status
)) {
367 if (Status
== EFI_INVALID_PARAMETER
) {
368 ReturnStatus
= EFI_INVALID_PARAMETER
;
374 &(*Data
)->ProcessingPolicy
->SaLifetime
.HardLifetime
,
380 if (!EFI_ERROR (Status
)) {
383 if (Status
== EFI_INVALID_PARAMETER
) {
384 ReturnStatus
= EFI_INVALID_PARAMETER
;
390 &(*Data
)->ProcessingPolicy
->SaLifetime
.SoftLifetime
,
396 if (!EFI_ERROR (Status
)) {
397 *Mask
|= LIFETIME_SOFT
;
400 if (Status
== EFI_INVALID_PARAMETER
) {
401 ReturnStatus
= EFI_INVALID_PARAMETER
;
404 (*Data
)->ProcessingPolicy
->Mode
= EfiIPsecTransport
;
408 &(*Data
)->ProcessingPolicy
->Mode
,
414 if (!EFI_ERROR (Status
)) {
418 if (Status
== EFI_INVALID_PARAMETER
) {
419 ReturnStatus
= EFI_INVALID_PARAMETER
;
422 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--tunnel-local");
423 if (ValueStr
!= NULL
) {
424 Status
= EfiInetAddr2 ((CHAR16
*) ValueStr
, &(*Data
)->ProcessingPolicy
->TunnelOption
->LocalTunnelAddress
);
425 if (EFI_ERROR (Status
)) {
430 STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE
),
436 ReturnStatus
= EFI_INVALID_PARAMETER
;
438 *Mask
|= TUNNEL_LOCAL
;
442 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--tunnel-remote");
443 if (ValueStr
!= NULL
) {
444 Status
= EfiInetAddr2 ((CHAR16
*) ValueStr
, &(*Data
)->ProcessingPolicy
->TunnelOption
->RemoteTunnelAddress
);
445 if (EFI_ERROR (Status
)) {
450 STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE
),
456 ReturnStatus
= EFI_INVALID_PARAMETER
;
458 *Mask
|= TUNNEL_REMOTE
;
462 (*Data
)->ProcessingPolicy
->TunnelOption
->DF
= EfiIPsecTunnelCopyDf
;
466 &(*Data
)->ProcessingPolicy
->TunnelOption
->DF
,
472 if (!EFI_ERROR (Status
)) {
473 *Mask
|= DONT_FRAGMENT
;
476 if (Status
== EFI_INVALID_PARAMETER
) {
477 ReturnStatus
= EFI_INVALID_PARAMETER
;
480 (*Data
)->ProcessingPolicy
->Proto
= EfiIPsecESP
;
484 &(*Data
)->ProcessingPolicy
->Proto
,
490 if (!EFI_ERROR (Status
)) {
491 *Mask
|= IPSEC_PROTO
;
494 if (Status
== EFI_INVALID_PARAMETER
) {
495 ReturnStatus
= EFI_INVALID_PARAMETER
;
501 &(*Data
)->ProcessingPolicy
->EncAlgoId
,
507 if (!EFI_ERROR (Status
)) {
508 *Mask
|= ENCRYPT_ALGO
;
511 if (Status
== EFI_INVALID_PARAMETER
) {
512 ReturnStatus
= EFI_INVALID_PARAMETER
;
518 &(*Data
)->ProcessingPolicy
->AuthAlgoId
,
524 if (!EFI_ERROR (Status
)) {
528 if (Status
== EFI_INVALID_PARAMETER
) {
529 ReturnStatus
= EFI_INVALID_PARAMETER
;
533 // Cannot check Mode against EfiIPsecTunnel, because user may want to change tunnel_remote only so the Mode is not set.
535 if ((*Mask
& (TUNNEL_LOCAL
| TUNNEL_REMOTE
| DONT_FRAGMENT
)) == 0) {
536 (*Data
)->ProcessingPolicy
->TunnelOption
= NULL
;
539 if ((*Mask
& (EXT_SEQUENCE
| SEQUENCE_OVERFLOW
| FRAGMENT_CHECK
| LIFEBYTE
|
540 LIFETIME_SOFT
| LIFETIME
| MODE
| TUNNEL_LOCAL
| TUNNEL_REMOTE
|
541 DONT_FRAGMENT
| IPSEC_PROTO
| AUTH_ALGO
| ENCRYPT_ALGO
)) == 0) {
542 if ((*Data
)->Action
!= EfiIPsecActionProtect
) {
544 // User may not provide additional parameter for Protect action, so we cannot simply set ProcessingPolicy to NULL.
546 (*Data
)->ProcessingPolicy
= NULL
;
551 if ((*Mask
& (LOCAL
| REMOTE
| PROTO
| ACTION
)) != (LOCAL
| REMOTE
| PROTO
| ACTION
)) {
556 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS
),
559 L
"--local --remote --proto --action"
561 ReturnStatus
= EFI_INVALID_PARAMETER
;
562 } else if (((*Data
)->Action
== EfiIPsecActionProtect
) &&
563 ((*Data
)->ProcessingPolicy
->Mode
== EfiIPsecTunnel
) &&
564 ((*Mask
& (TUNNEL_LOCAL
| TUNNEL_REMOTE
)) != (TUNNEL_LOCAL
| TUNNEL_REMOTE
))) {
569 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS
),
572 L
"--tunnel-local --tunnel-remote"
574 ReturnStatus
= EFI_INVALID_PARAMETER
;
582 Fill in EFI_IPSEC_SA_ID and EFI_IPSEC_SA_DATA through ParamPackage list.
584 @param[out] SaId The pointer to the EFI_IPSEC_SA_ID structure.
585 @param[out] Data The pointer to the EFI_IPSEC_SA_DATA structure.
586 @param[in] ParamPackage The pointer to the ParamPackage list.
587 @param[out] Mask The pointer to the Mask.
588 @param[in] CreateNew The switch to create new.
590 @retval EFI_SUCCESS Fill in EFI_IPSEC_SA_ID and EFI_IPSEC_SA_DATA successfully.
591 @retval EFI_INVALID_PARAMETER Invalid user input parameter.
596 OUT EFI_IPSEC_SA_ID
**SaId
,
597 OUT EFI_IPSEC_SA_DATA
**Data
,
598 IN LIST_ENTRY
*ParamPackage
,
604 EFI_STATUS ReturnStatus
;
607 CONST CHAR16
*ValueStr
;
610 Status
= EFI_SUCCESS
;
611 ReturnStatus
= EFI_SUCCESS
;
616 *SaId
= AllocateZeroPool (sizeof (EFI_IPSEC_SA_ID
));
617 ASSERT (*SaId
!= NULL
);
620 // Convert user imput from string to integer, and fill in the Spi in EFI_IPSEC_SA_ID.
622 Status
= GetNumber (L
"--spi", (UINT32
) -1, &(*SaId
)->Spi
, sizeof (UINT32
), NULL
, ParamPackage
, FORMAT_NUMBER
);
623 if (!EFI_ERROR (Status
)) {
627 if (Status
== EFI_INVALID_PARAMETER
) {
628 ReturnStatus
= EFI_INVALID_PARAMETER
;
632 // Convert user imput from string to integer, and fill in the Proto in EFI_IPSEC_SA_ID.
638 sizeof (EFI_IPSEC_PROTOCOL_TYPE
),
643 if (!EFI_ERROR (Status
)) {
644 *Mask
|= IPSEC_PROTO
;
647 if (Status
== EFI_INVALID_PARAMETER
) {
648 ReturnStatus
= EFI_INVALID_PARAMETER
;
652 // Convert user imput from string to integer, and fill in the DestAddress in EFI_IPSEC_SA_ID.
654 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--dest");
655 if (ValueStr
!= NULL
) {
656 Status
= EfiInetAddr2 ((CHAR16
*) ValueStr
, &(*SaId
)->DestAddress
);
657 if (EFI_ERROR (Status
)) {
662 STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE
),
668 ReturnStatus
= EFI_INVALID_PARAMETER
;
675 // Convert user imput from string to integer, and fill in EFI_IPSEC_SA_DATA.
677 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--auth-key");
678 if (ValueStr
!= NULL
) {
679 AuthKeyLength
= (StrLen (ValueStr
) + 1) * sizeof (CHAR16
);
682 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--encrypt-key");
683 if (ValueStr
!= NULL
) {
684 EncKeyLength
= (StrLen (ValueStr
) + 1) * sizeof (CHAR16
);
688 // EFI_IPSEC_SA_DATA:
690 // | EFI_IPSEC_SA_DATA
691 // +-----------------------
693 // +-------------------------
695 // +-------------------------
698 // Notes: To make sure the address alignment add padding after each data if needed.
700 DataSize
= ALIGN_VARIABLE (sizeof (EFI_IPSEC_SA_DATA
));
701 DataSize
= ALIGN_VARIABLE (DataSize
+ AuthKeyLength
);
702 DataSize
= ALIGN_VARIABLE (DataSize
+ EncKeyLength
);
703 DataSize
= ALIGN_VARIABLE (DataSize
+ sizeof (EFI_IPSEC_SPD_SELECTOR
));
704 DataSize
= ALIGN_VARIABLE (DataSize
+ sizeof (EFI_IP_ADDRESS_INFO
));
705 DataSize
+= sizeof (EFI_IP_ADDRESS_INFO
);
709 *Data
= AllocateZeroPool (DataSize
);
710 ASSERT (*Data
!= NULL
);
712 (*Data
)->ManualSet
= TRUE
;
713 (*Data
)->AlgoInfo
.EspAlgoInfo
.AuthKey
= (VOID
*) ALIGN_POINTER (((*Data
) + 1), sizeof (UINTN
));
714 (*Data
)->AlgoInfo
.EspAlgoInfo
.EncKey
= (VOID
*) ALIGN_POINTER (
715 ((UINT8
*) (*Data
)->AlgoInfo
.EspAlgoInfo
.AuthKey
+ AuthKeyLength
),
718 (*Data
)->SpdSelector
= (EFI_IPSEC_SPD_SELECTOR
*) ALIGN_POINTER (
719 ((UINT8
*) (*Data
)->AlgoInfo
.EspAlgoInfo
.EncKey
+ EncKeyLength
),
722 (*Data
)->SpdSelector
->LocalAddress
= (EFI_IP_ADDRESS_INFO
*) ALIGN_POINTER (
723 ((UINT8
*) (*Data
)->SpdSelector
+ sizeof (EFI_IPSEC_SPD_SELECTOR
)),
725 (*Data
)->SpdSelector
->RemoteAddress
= (EFI_IP_ADDRESS_INFO
*) ALIGN_POINTER (
726 (*Data
)->SpdSelector
->LocalAddress
+ 1,
730 (*Data
)->Mode
= EfiIPsecTransport
;
735 sizeof (EFI_IPSEC_MODE
),
740 if (!EFI_ERROR (Status
)) {
744 if (Status
== EFI_INVALID_PARAMETER
) {
745 ReturnStatus
= EFI_INVALID_PARAMETER
;
749 // According to RFC 4303-3.3.3. The first packet sent using a given SA
750 // will contain a sequence number of 1.
752 (*Data
)->SNCount
= 1;
754 L
"--sequence-number",
762 if (!EFI_ERROR (Status
)) {
763 *Mask
|= SEQUENCE_NUMBER
;
766 if (Status
== EFI_INVALID_PARAMETER
) {
767 ReturnStatus
= EFI_INVALID_PARAMETER
;
770 (*Data
)->AntiReplayWindows
= 0;
772 L
"--antireplay-window",
774 &(*Data
)->AntiReplayWindows
,
780 if (!EFI_ERROR (Status
)) {
781 *Mask
|= SEQUENCE_NUMBER
;
784 if (Status
== EFI_INVALID_PARAMETER
) {
785 ReturnStatus
= EFI_INVALID_PARAMETER
;
791 &(*Data
)->AlgoInfo
.EspAlgoInfo
.EncAlgoId
,
797 if (!EFI_ERROR (Status
)) {
798 *Mask
|= ENCRYPT_ALGO
;
801 if (Status
== EFI_INVALID_PARAMETER
) {
802 ReturnStatus
= EFI_INVALID_PARAMETER
;
805 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--encrypt-key");
806 if (ValueStr
!= NULL
) {
807 (*Data
)->AlgoInfo
.EspAlgoInfo
.EncKeyLength
= EncKeyLength
;
808 CopyMem ((*Data
)->AlgoInfo
.EspAlgoInfo
.EncKey
, ValueStr
, EncKeyLength
);
809 *Mask
|= ENCRYPT_KEY
;
811 (*Data
)->AlgoInfo
.EspAlgoInfo
.EncKey
= NULL
;
817 &(*Data
)->AlgoInfo
.EspAlgoInfo
.AuthAlgoId
,
823 if (!EFI_ERROR (Status
)) {
827 if (Status
== EFI_INVALID_PARAMETER
) {
828 ReturnStatus
= EFI_INVALID_PARAMETER
;
831 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--auth-key");
832 if (ValueStr
!= NULL
) {
833 (*Data
)->AlgoInfo
.EspAlgoInfo
.AuthKeyLength
= AuthKeyLength
;
834 CopyMem ((*Data
)->AlgoInfo
.EspAlgoInfo
.AuthKey
, ValueStr
, AuthKeyLength
);
837 (*Data
)->AlgoInfo
.EspAlgoInfo
.AuthKey
= NULL
;
843 &(*Data
)->SaLifetime
.ByteCount
,
849 if (!EFI_ERROR (Status
)) {
853 if (Status
== EFI_INVALID_PARAMETER
) {
854 ReturnStatus
= EFI_INVALID_PARAMETER
;
860 &(*Data
)->SaLifetime
.HardLifetime
,
866 if (!EFI_ERROR (Status
)) {
870 if (Status
== EFI_INVALID_PARAMETER
) {
871 ReturnStatus
= EFI_INVALID_PARAMETER
;
877 &(*Data
)->SaLifetime
.SoftLifetime
,
883 if (!EFI_ERROR (Status
)) {
884 *Mask
|= LIFETIME_SOFT
;
887 if (Status
== EFI_INVALID_PARAMETER
) {
888 ReturnStatus
= EFI_INVALID_PARAMETER
;
900 if (!EFI_ERROR (Status
)) {
904 if (Status
== EFI_INVALID_PARAMETER
) {
905 ReturnStatus
= EFI_INVALID_PARAMETER
;
908 ReturnStatus
= CreateSpdSelector ((*Data
)->SpdSelector
, ParamPackage
, Mask
);
911 if ((*Mask
& (SPI
| IPSEC_PROTO
| DEST
)) != (SPI
| IPSEC_PROTO
| DEST
)) {
916 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS
),
919 L
"--spi --ipsec-proto --dest"
921 ReturnStatus
= EFI_INVALID_PARAMETER
;
923 if ((*SaId
)->Proto
== EfiIPsecAH
) {
924 if ((*Mask
& AUTH_ALGO
) == 0) {
929 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_PARAMETER
),
934 ReturnStatus
= EFI_INVALID_PARAMETER
;
935 } else if ((*Data
)->AlgoInfo
.EspAlgoInfo
.AuthAlgoId
!= IPSEC_AALG_NONE
&& (*Mask
& AUTH_KEY
) == 0) {
940 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_PARAMETER
),
945 ReturnStatus
= EFI_INVALID_PARAMETER
;
948 if ((*Mask
& ENCRYPT_ALGO
) == 0) {
953 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_PARAMETER
),
958 ReturnStatus
= EFI_INVALID_PARAMETER
;
959 } else if ((*Data
)->AlgoInfo
.EspAlgoInfo
.EncAlgoId
!= IPSEC_EALG_NONE
&& (*Mask
& ENCRYPT_KEY
) == 0) {
964 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_PARAMETER
),
969 ReturnStatus
= EFI_INVALID_PARAMETER
;
979 Fill in EFI_IPSEC_PAD_ID and EFI_IPSEC_PAD_DATA through ParamPackage list.
981 @param[out] PadId The pointer to the EFI_IPSEC_PAD_ID structure.
982 @param[out] Data The pointer to the EFI_IPSEC_PAD_DATA structure.
983 @param[in] ParamPackage The pointer to the ParamPackage list.
984 @param[out] Mask The pointer to the Mask.
985 @param[in] CreateNew The switch to create new.
987 @retval EFI_SUCCESS Fill in EFI_IPSEC_PAD_ID and EFI_IPSEC_PAD_DATA successfully.
988 @retval EFI_INVALID_PARAMETER Invalid user input parameter.
993 OUT EFI_IPSEC_PAD_ID
**PadId
,
994 OUT EFI_IPSEC_PAD_DATA
**Data
,
995 IN LIST_ENTRY
*ParamPackage
,
1001 EFI_STATUS ReturnStatus
;
1002 SHELL_FILE_HANDLE FileHandle
;
1004 UINTN AuthDataLength
;
1005 UINTN RevocationDataLength
;
1008 CONST CHAR16
*ValueStr
;
1011 Status
= EFI_SUCCESS
;
1012 ReturnStatus
= EFI_SUCCESS
;
1015 RevocationDataLength
= 0;
1017 *PadId
= AllocateZeroPool (sizeof (EFI_IPSEC_PAD_ID
));
1018 ASSERT (*PadId
!= NULL
);
1021 // Convert user imput from string to integer, and fill in EFI_IPSEC_PAD_ID.
1023 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--peer-address");
1024 if (ValueStr
!= NULL
) {
1025 (*PadId
)->PeerIdValid
= FALSE
;
1026 Status
= EfiInetAddrRange ((CHAR16
*) ValueStr
, &(*PadId
)->Id
.IpAddress
);
1027 if (EFI_ERROR (Status
)) {
1032 STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE
),
1038 ReturnStatus
= EFI_INVALID_PARAMETER
;
1040 *Mask
|= PEER_ADDRESS
;
1044 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--peer-id");
1045 if (ValueStr
!= NULL
) {
1046 (*PadId
)->PeerIdValid
= TRUE
;
1047 StrnCpy ((CHAR16
*) (*PadId
)->Id
.PeerId
, ValueStr
, ARRAY_SIZE ((*PadId
)->Id
.PeerId
) - 1);
1051 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--auth-data");
1052 if (ValueStr
!= NULL
) {
1053 if (ValueStr
[0] == L
'@') {
1055 // Input is a file: --auth-data "@fs1:\My Certificates\tom.dat"
1057 Status
= ShellOpenFileByName (&ValueStr
[1], &FileHandle
, EFI_FILE_MODE_READ
, 0);
1058 if (EFI_ERROR (Status
)) {
1063 STRING_TOKEN (STR_IPSEC_CONFIG_FILE_OPEN_FAILED
),
1068 ReturnStatus
= EFI_INVALID_PARAMETER
;
1070 Status
= ShellGetFileSize (FileHandle
, &FileSize
);
1071 ShellCloseFile (&FileHandle
);
1072 if (EFI_ERROR (Status
)) {
1077 STRING_TOKEN (STR_IPSEC_CONFIG_FILE_OPEN_FAILED
),
1082 ReturnStatus
= EFI_INVALID_PARAMETER
;
1084 AuthDataLength
= (UINTN
) FileSize
;
1088 AuthDataLength
= StrLen (ValueStr
);
1092 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--revocation-data");
1093 if (ValueStr
!= NULL
) {
1094 RevocationDataLength
= (StrLen (ValueStr
) + 1) * sizeof (CHAR16
);
1098 // Allocate Buffer for Data. Add padding after each struct to make sure the alignment
1099 // in different Arch.
1101 DataSize
= ALIGN_VARIABLE (sizeof (EFI_IPSEC_PAD_DATA
));
1102 DataSize
= ALIGN_VARIABLE (DataSize
+ AuthDataLength
);
1103 DataSize
+= RevocationDataLength
;
1105 *Data
= AllocateZeroPool (DataSize
);
1106 ASSERT (*Data
!= NULL
);
1108 (*Data
)->AuthData
= (VOID
*) ALIGN_POINTER ((*Data
+ 1), sizeof (UINTN
));
1109 (*Data
)->RevocationData
= (VOID
*) ALIGN_POINTER (((UINT8
*) (*Data
+ 1) + AuthDataLength
), sizeof (UINTN
));
1110 (*Data
)->AuthProtocol
= EfiIPsecAuthProtocolIKEv1
;
1113 // Convert user imput from string to integer, and fill in EFI_IPSEC_PAD_DATA.
1115 Status
= GetNumber (
1118 &(*Data
)->AuthProtocol
,
1119 sizeof (EFI_IPSEC_AUTH_PROTOCOL_TYPE
),
1124 if (!EFI_ERROR (Status
)) {
1125 *Mask
|= AUTH_PROTO
;
1128 if (Status
== EFI_INVALID_PARAMETER
) {
1129 ReturnStatus
= EFI_INVALID_PARAMETER
;
1132 Status
= GetNumber (
1135 &(*Data
)->AuthMethod
,
1136 sizeof (EFI_IPSEC_AUTH_METHOD
),
1141 if (!EFI_ERROR (Status
)) {
1142 *Mask
|= AUTH_METHOD
;
1145 if (Status
== EFI_INVALID_PARAMETER
) {
1146 ReturnStatus
= EFI_INVALID_PARAMETER
;
1149 if (ShellCommandLineGetFlag (ParamPackage
, L
"--ike-id")) {
1150 (*Data
)->IkeIdFlag
= TRUE
;
1154 if (ShellCommandLineGetFlag (ParamPackage
, L
"--ike-id-")) {
1155 (*Data
)->IkeIdFlag
= FALSE
;
1159 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--auth-data");
1160 if (ValueStr
!= NULL
) {
1161 if (ValueStr
[0] == L
'@') {
1163 // Input is a file: --auth-data "@fs1:\My Certificates\tom.dat"
1166 Status
= ShellOpenFileByName (&ValueStr
[1], &FileHandle
, EFI_FILE_MODE_READ
, 0);
1167 if (EFI_ERROR (Status
)) {
1172 STRING_TOKEN (STR_IPSEC_CONFIG_FILE_OPEN_FAILED
),
1177 ReturnStatus
= EFI_INVALID_PARAMETER
;
1178 (*Data
)->AuthData
= NULL
;
1180 DataLength
= AuthDataLength
;
1181 Status
= ShellReadFile (FileHandle
, &DataLength
, (*Data
)->AuthData
);
1182 ShellCloseFile (&FileHandle
);
1183 if (EFI_ERROR (Status
)) {
1188 STRING_TOKEN (STR_IPSEC_CONFIG_FILE_OPEN_FAILED
),
1193 ReturnStatus
= EFI_INVALID_PARAMETER
;
1194 (*Data
)->AuthData
= NULL
;
1196 ASSERT (DataLength
== AuthDataLength
);
1201 for (Index
= 0; Index
< AuthDataLength
; Index
++) {
1202 ((CHAR8
*) (*Data
)->AuthData
)[Index
] = (CHAR8
) ValueStr
[Index
];
1204 (*Data
)->AuthDataSize
= AuthDataLength
;
1209 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"--revocation-data");
1210 if (ValueStr
!= NULL
) {
1211 CopyMem ((*Data
)->RevocationData
, ValueStr
, RevocationDataLength
);
1212 (*Data
)->RevocationDataSize
= RevocationDataLength
;
1213 *Mask
|= REVOCATION_DATA
;
1215 (*Data
)->RevocationData
= NULL
;
1219 if ((*Mask
& (PEER_ID
| PEER_ADDRESS
)) == 0) {
1224 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS
),
1227 L
"--peer-id --peer-address"
1229 ReturnStatus
= EFI_INVALID_PARAMETER
;
1230 } else if ((*Mask
& (AUTH_METHOD
| AUTH_DATA
)) != (AUTH_METHOD
| AUTH_DATA
)) {
1235 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS
),
1238 L
"--auth-method --auth-data"
1240 ReturnStatus
= EFI_INVALID_PARAMETER
;
1244 return ReturnStatus
;
1247 CREATE_POLICY_ENTRY mCreatePolicyEntry
[] = {
1248 (CREATE_POLICY_ENTRY
) CreateSpdEntry
,
1249 (CREATE_POLICY_ENTRY
) CreateSadEntry
,
1250 (CREATE_POLICY_ENTRY
) CreatePadEntry
1254 Combine old SPD entry with new SPD entry.
1256 @param[in, out] OldSelector The pointer to the EFI_IPSEC_SPD_SELECTOR structure.
1257 @param[in, out] OldData The pointer to the EFI_IPSEC_SPD_DATA structure.
1258 @param[in] NewSelector The pointer to the EFI_IPSEC_SPD_SELECTOR structure.
1259 @param[in] NewData The pointer to the EFI_IPSEC_SPD_DATA structure.
1260 @param[in] Mask The pointer to the Mask.
1261 @param[out] CreateNew The switch to create new.
1263 @retval EFI_SUCCESS Combined successfully.
1264 @retval EFI_INVALID_PARAMETER Invalid user input parameter.
1269 IN OUT EFI_IPSEC_SPD_SELECTOR
*OldSelector
,
1270 IN OUT EFI_IPSEC_SPD_DATA
*OldData
,
1271 IN EFI_IPSEC_SPD_SELECTOR
*NewSelector
,
1272 IN EFI_IPSEC_SPD_DATA
*NewData
,
1274 OUT BOOLEAN
*CreateNew
1282 if ((Mask
& LOCAL
) == 0) {
1283 NewSelector
->LocalAddressCount
= OldSelector
->LocalAddressCount
;
1284 NewSelector
->LocalAddress
= OldSelector
->LocalAddress
;
1285 } else if ((NewSelector
->LocalAddressCount
!= OldSelector
->LocalAddressCount
) ||
1286 (CompareMem (NewSelector
->LocalAddress
, OldSelector
->LocalAddress
, NewSelector
->LocalAddressCount
* sizeof (EFI_IP_ADDRESS_INFO
)) != 0)) {
1290 if ((Mask
& REMOTE
) == 0) {
1291 NewSelector
->RemoteAddressCount
= OldSelector
->RemoteAddressCount
;
1292 NewSelector
->RemoteAddress
= OldSelector
->RemoteAddress
;
1293 } else if ((NewSelector
->RemoteAddressCount
!= OldSelector
->RemoteAddressCount
) ||
1294 (CompareMem (NewSelector
->RemoteAddress
, OldSelector
->RemoteAddress
, NewSelector
->RemoteAddressCount
* sizeof (EFI_IP_ADDRESS_INFO
)) != 0)) {
1298 if ((Mask
& PROTO
) == 0) {
1299 NewSelector
->NextLayerProtocol
= OldSelector
->NextLayerProtocol
;
1300 } else if (NewSelector
->NextLayerProtocol
!= OldSelector
->NextLayerProtocol
) {
1304 switch (NewSelector
->NextLayerProtocol
) {
1305 case EFI_IP4_PROTO_TCP
:
1306 case EFI_IP4_PROTO_UDP
:
1307 if ((Mask
& LOCAL_PORT
) == 0) {
1308 NewSelector
->LocalPort
= OldSelector
->LocalPort
;
1309 NewSelector
->LocalPortRange
= OldSelector
->LocalPortRange
;
1310 } else if ((NewSelector
->LocalPort
!= OldSelector
->LocalPort
) ||
1311 (NewSelector
->LocalPortRange
!= OldSelector
->LocalPortRange
)) {
1315 if ((Mask
& REMOTE_PORT
) == 0) {
1316 NewSelector
->RemotePort
= OldSelector
->RemotePort
;
1317 NewSelector
->RemotePortRange
= OldSelector
->RemotePortRange
;
1318 } else if ((NewSelector
->RemotePort
!= OldSelector
->RemotePort
) ||
1319 (NewSelector
->RemotePortRange
!= OldSelector
->RemotePortRange
)) {
1324 case EFI_IP4_PROTO_ICMP
:
1325 if ((Mask
& ICMP_TYPE
) == 0) {
1326 NewSelector
->LocalPort
= OldSelector
->LocalPort
;
1327 } else if (NewSelector
->LocalPort
!= OldSelector
->LocalPort
) {
1331 if ((Mask
& ICMP_CODE
) == 0) {
1332 NewSelector
->RemotePort
= OldSelector
->RemotePort
;
1333 } else if (NewSelector
->RemotePort
!= OldSelector
->RemotePort
) {
1341 if ((Mask
& NAME
) != 0) {
1342 AsciiStrCpy ((CHAR8
*) OldData
->Name
, (CHAR8
*) NewData
->Name
);
1345 if ((Mask
& PACKET_FLAG
) != 0) {
1346 OldData
->PackageFlag
= NewData
->PackageFlag
;
1349 if ((Mask
& ACTION
) != 0) {
1350 OldData
->Action
= NewData
->Action
;
1353 if (OldData
->Action
!= EfiIPsecActionProtect
) {
1354 OldData
->ProcessingPolicy
= NULL
;
1359 if (OldData
->ProcessingPolicy
== NULL
) {
1361 // Just point to new data if originally NULL.
1363 OldData
->ProcessingPolicy
= NewData
->ProcessingPolicy
;
1364 if (OldData
->ProcessingPolicy
->Mode
== EfiIPsecTunnel
&&
1365 (Mask
& (TUNNEL_LOCAL
| TUNNEL_REMOTE
)) != (TUNNEL_LOCAL
| TUNNEL_REMOTE
)
1368 // Change to Protect action and Tunnel mode, but without providing local/remote tunnel address.
1374 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS
),
1377 L
"--tunnel-local --tunnel-remote"
1379 return EFI_INVALID_PARAMETER
;
1383 // Modify some of the data.
1385 if ((Mask
& EXT_SEQUENCE
) != 0) {
1386 OldData
->ProcessingPolicy
->ExtSeqNum
= NewData
->ProcessingPolicy
->ExtSeqNum
;
1389 if ((Mask
& SEQUENCE_OVERFLOW
) != 0) {
1390 OldData
->ProcessingPolicy
->SeqOverflow
= NewData
->ProcessingPolicy
->SeqOverflow
;
1393 if ((Mask
& FRAGMENT_CHECK
) != 0) {
1394 OldData
->ProcessingPolicy
->FragCheck
= NewData
->ProcessingPolicy
->FragCheck
;
1397 if ((Mask
& LIFEBYTE
) != 0) {
1398 OldData
->ProcessingPolicy
->SaLifetime
.ByteCount
= NewData
->ProcessingPolicy
->SaLifetime
.ByteCount
;
1401 if ((Mask
& LIFETIME_SOFT
) != 0) {
1402 OldData
->ProcessingPolicy
->SaLifetime
.SoftLifetime
= NewData
->ProcessingPolicy
->SaLifetime
.SoftLifetime
;
1405 if ((Mask
& LIFETIME
) != 0) {
1406 OldData
->ProcessingPolicy
->SaLifetime
.HardLifetime
= NewData
->ProcessingPolicy
->SaLifetime
.HardLifetime
;
1409 if ((Mask
& MODE
) != 0) {
1410 OldData
->ProcessingPolicy
->Mode
= NewData
->ProcessingPolicy
->Mode
;
1413 if ((Mask
& IPSEC_PROTO
) != 0) {
1414 OldData
->ProcessingPolicy
->Proto
= NewData
->ProcessingPolicy
->Proto
;
1417 if ((Mask
& AUTH_ALGO
) != 0) {
1418 OldData
->ProcessingPolicy
->AuthAlgoId
= NewData
->ProcessingPolicy
->AuthAlgoId
;
1421 if ((Mask
& ENCRYPT_ALGO
) != 0) {
1422 OldData
->ProcessingPolicy
->EncAlgoId
= NewData
->ProcessingPolicy
->EncAlgoId
;
1425 if (OldData
->ProcessingPolicy
->Mode
!= EfiIPsecTunnel
) {
1426 OldData
->ProcessingPolicy
->TunnelOption
= NULL
;
1428 if (OldData
->ProcessingPolicy
->TunnelOption
== NULL
) {
1430 // Set from Transport mode to Tunnel mode, should ensure TUNNEL_LOCAL & TUNNEL_REMOTE both exists.
1432 if ((Mask
& (TUNNEL_LOCAL
| TUNNEL_REMOTE
)) != (TUNNEL_LOCAL
| TUNNEL_REMOTE
)) {
1437 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS
),
1440 L
"--tunnel-local --tunnel-remote"
1442 return EFI_INVALID_PARAMETER
;
1445 OldData
->ProcessingPolicy
->TunnelOption
= NewData
->ProcessingPolicy
->TunnelOption
;
1447 if ((Mask
& TUNNEL_LOCAL
) != 0) {
1449 &OldData
->ProcessingPolicy
->TunnelOption
->LocalTunnelAddress
,
1450 &NewData
->ProcessingPolicy
->TunnelOption
->LocalTunnelAddress
,
1451 sizeof (EFI_IP_ADDRESS
)
1455 if ((Mask
& TUNNEL_REMOTE
) != 0) {
1457 &OldData
->ProcessingPolicy
->TunnelOption
->RemoteTunnelAddress
,
1458 &NewData
->ProcessingPolicy
->TunnelOption
->RemoteTunnelAddress
,
1459 sizeof (EFI_IP_ADDRESS
)
1463 if ((Mask
& DONT_FRAGMENT
) != 0) {
1464 OldData
->ProcessingPolicy
->TunnelOption
->DF
= NewData
->ProcessingPolicy
->TunnelOption
->DF
;
1475 Combine old SAD entry with new SAD entry.
1477 @param[in, out] OldSaId The pointer to the EFI_IPSEC_SA_ID structure.
1478 @param[in, out] OldData The pointer to the EFI_IPSEC_SA_DATA structure.
1479 @param[in] NewSaId The pointer to the EFI_IPSEC_SA_ID structure.
1480 @param[in] NewData The pointer to the EFI_IPSEC_SA_DATA structure.
1481 @param[in] Mask The pointer to the Mask.
1482 @param[out] CreateNew The switch to create new.
1484 @retval EFI_SUCCESS Combined successfully.
1485 @retval EFI_INVALID_PARAMETER Invalid user input parameter.
1490 IN OUT EFI_IPSEC_SA_ID
*OldSaId
,
1491 IN OUT EFI_IPSEC_SA_DATA
*OldData
,
1492 IN EFI_IPSEC_SA_ID
*NewSaId
,
1493 IN EFI_IPSEC_SA_DATA
*NewData
,
1495 OUT BOOLEAN
*CreateNew
1501 if ((Mask
& SPI
) == 0) {
1502 NewSaId
->Spi
= OldSaId
->Spi
;
1503 } else if (NewSaId
->Spi
!= OldSaId
->Spi
) {
1507 if ((Mask
& IPSEC_PROTO
) == 0) {
1508 NewSaId
->Proto
= OldSaId
->Proto
;
1509 } else if (NewSaId
->Proto
!= OldSaId
->Proto
) {
1513 if ((Mask
& DEST
) == 0) {
1514 CopyMem (&NewSaId
->DestAddress
, &OldSaId
->DestAddress
, sizeof (EFI_IP_ADDRESS
));
1515 } else if (CompareMem (&NewSaId
->DestAddress
, &OldSaId
->DestAddress
, sizeof (EFI_IP_ADDRESS
)) != 0) {
1522 if ((Mask
& MODE
) != 0) {
1523 OldData
->Mode
= NewData
->Mode
;
1526 if ((Mask
& SEQUENCE_NUMBER
) != 0) {
1527 OldData
->SNCount
= NewData
->SNCount
;
1530 if ((Mask
& ANTIREPLAY_WINDOW
) != 0) {
1531 OldData
->AntiReplayWindows
= NewData
->AntiReplayWindows
;
1534 if ((Mask
& AUTH_ALGO
) != 0) {
1535 OldData
->AlgoInfo
.EspAlgoInfo
.AuthAlgoId
= NewData
->AlgoInfo
.EspAlgoInfo
.AuthAlgoId
;
1538 if ((Mask
& AUTH_KEY
) != 0) {
1539 OldData
->AlgoInfo
.EspAlgoInfo
.AuthKey
= NewData
->AlgoInfo
.EspAlgoInfo
.AuthKey
;
1540 OldData
->AlgoInfo
.EspAlgoInfo
.AuthKeyLength
= NewData
->AlgoInfo
.EspAlgoInfo
.AuthKeyLength
;
1543 if ((Mask
& ENCRYPT_ALGO
) != 0) {
1544 OldData
->AlgoInfo
.EspAlgoInfo
.EncAlgoId
= NewData
->AlgoInfo
.EspAlgoInfo
.EncAlgoId
;
1547 if ((Mask
& ENCRYPT_KEY
) != 0) {
1548 OldData
->AlgoInfo
.EspAlgoInfo
.EncKey
= NewData
->AlgoInfo
.EspAlgoInfo
.EncKey
;
1549 OldData
->AlgoInfo
.EspAlgoInfo
.EncKeyLength
= NewData
->AlgoInfo
.EspAlgoInfo
.EncKeyLength
;
1552 if (NewSaId
->Proto
== EfiIPsecAH
) {
1553 if ((Mask
& (ENCRYPT_ALGO
| ENCRYPT_KEY
)) != 0) {
1555 // Should not provide encrypt_* if AH.
1561 STRING_TOKEN (STR_IPSEC_CONFIG_UNWANTED_PARAMETER
),
1564 L
"--encrypt-algo --encrypt-key"
1566 return EFI_INVALID_PARAMETER
;
1570 if (NewSaId
->Proto
== EfiIPsecESP
&& OldSaId
->Proto
== EfiIPsecAH
) {
1573 // Should provide encrypt_algo at least.
1575 if ((Mask
& ENCRYPT_ALGO
) == 0) {
1580 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_PARAMETER
),
1585 return EFI_INVALID_PARAMETER
;
1589 // Encrypt_key should be provided if algorithm is not NONE.
1591 if (NewData
->AlgoInfo
.EspAlgoInfo
.EncAlgoId
!= IPSEC_EALG_NONE
&& (Mask
& ENCRYPT_KEY
) == 0) {
1596 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_PARAMETER
),
1601 return EFI_INVALID_PARAMETER
;
1605 if ((Mask
& LIFEBYTE
) != 0) {
1606 OldData
->SaLifetime
.ByteCount
= NewData
->SaLifetime
.ByteCount
;
1609 if ((Mask
& LIFETIME_SOFT
) != 0) {
1610 OldData
->SaLifetime
.SoftLifetime
= NewData
->SaLifetime
.SoftLifetime
;
1613 if ((Mask
& LIFETIME
) != 0) {
1614 OldData
->SaLifetime
.HardLifetime
= NewData
->SaLifetime
.HardLifetime
;
1617 if ((Mask
& PATH_MTU
) != 0) {
1618 OldData
->PathMTU
= NewData
->PathMTU
;
1621 // Process SpdSelector.
1623 if (OldData
->SpdSelector
== NULL
) {
1624 if ((Mask
& (LOCAL
| REMOTE
| PROTO
| LOCAL_PORT
| REMOTE_PORT
| ICMP_TYPE
| ICMP_CODE
)) != 0) {
1625 if ((Mask
& (LOCAL
| REMOTE
| PROTO
)) != (LOCAL
| REMOTE
| PROTO
)) {
1630 STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS
),
1633 L
"--local --remote --proto"
1635 return EFI_INVALID_PARAMETER
;
1638 OldData
->SpdSelector
= NewData
->SpdSelector
;
1641 if ((Mask
& LOCAL
) != 0) {
1642 OldData
->SpdSelector
->LocalAddressCount
= NewData
->SpdSelector
->LocalAddressCount
;
1643 OldData
->SpdSelector
->LocalAddress
= NewData
->SpdSelector
->LocalAddress
;
1646 if ((Mask
& REMOTE
) != 0) {
1647 OldData
->SpdSelector
->RemoteAddressCount
= NewData
->SpdSelector
->RemoteAddressCount
;
1648 OldData
->SpdSelector
->RemoteAddress
= NewData
->SpdSelector
->RemoteAddress
;
1651 if ((Mask
& PROTO
) != 0) {
1652 OldData
->SpdSelector
->NextLayerProtocol
= NewData
->SpdSelector
->NextLayerProtocol
;
1655 if (OldData
->SpdSelector
!= NULL
) {
1656 switch (OldData
->SpdSelector
->NextLayerProtocol
) {
1657 case EFI_IP4_PROTO_TCP
:
1658 case EFI_IP4_PROTO_UDP
:
1659 if ((Mask
& LOCAL_PORT
) != 0) {
1660 OldData
->SpdSelector
->LocalPort
= NewData
->SpdSelector
->LocalPort
;
1663 if ((Mask
& REMOTE_PORT
) != 0) {
1664 OldData
->SpdSelector
->RemotePort
= NewData
->SpdSelector
->RemotePort
;
1668 case EFI_IP4_PROTO_ICMP
:
1669 if ((Mask
& ICMP_TYPE
) != 0) {
1670 OldData
->SpdSelector
->LocalPort
= (UINT8
) NewData
->SpdSelector
->LocalPort
;
1673 if ((Mask
& ICMP_CODE
) != 0) {
1674 OldData
->SpdSelector
->RemotePort
= (UINT8
) NewData
->SpdSelector
->RemotePort
;
1685 Combine old PAD entry with new PAD entry.
1687 @param[in, out] OldPadId The pointer to the EFI_IPSEC_PAD_ID structure.
1688 @param[in, out] OldData The pointer to the EFI_IPSEC_PAD_DATA structure.
1689 @param[in] NewPadId The pointer to the EFI_IPSEC_PAD_ID structure.
1690 @param[in] NewData The pointer to the EFI_IPSEC_PAD_DATA structure.
1691 @param[in] Mask Bit mask selecting which NewPadId/NewData fields override the old entry.
1692 @param[out] CreateNew Receives whether a new entry has to be created instead of updating the existing one.
1694 @retval EFI_SUCCESS Combined successfully.
1695 @retval EFI_INVALID_PARAMETER Invalid user input parameter.
1700 IN OUT EFI_IPSEC_PAD_ID
*OldPadId
,
1701 IN OUT EFI_IPSEC_PAD_DATA
*OldData
,
1702 IN EFI_IPSEC_PAD_ID
*NewPadId
,
1703 IN EFI_IPSEC_PAD_DATA
*NewData
,
1705 OUT BOOLEAN
*CreateNew
1711 if ((Mask
& (PEER_ID
| PEER_ADDRESS
)) == 0) {
1712 CopyMem (NewPadId
, OldPadId
, sizeof (EFI_IPSEC_PAD_ID
));
1714 if ((Mask
& PEER_ID
) != 0) {
1715 if (OldPadId
->PeerIdValid
) {
1716 if (StrCmp ((CONST CHAR16
*) OldPadId
->Id
.PeerId
, (CONST CHAR16
*) NewPadId
->Id
.PeerId
) != 0) {
1724 // MASK & PEER_ADDRESS
1726 if (OldPadId
->PeerIdValid
) {
1729 if ((CompareMem (&OldPadId
->Id
.IpAddress
.Address
, &NewPadId
->Id
.IpAddress
.Address
, sizeof (EFI_IP_ADDRESS
)) != 0) ||
1730 (OldPadId
->Id
.IpAddress
.PrefixLength
!= NewPadId
->Id
.IpAddress
.PrefixLength
)) {
1737 if ((Mask
& AUTH_PROTO
) != 0) {
1738 OldData
->AuthProtocol
= NewData
->AuthProtocol
;
1741 if ((Mask
& AUTH_METHOD
) != 0) {
1742 OldData
->AuthMethod
= NewData
->AuthMethod
;
1745 if ((Mask
& IKE_ID
) != 0) {
1746 OldData
->IkeIdFlag
= NewData
->IkeIdFlag
;
1749 if ((Mask
& AUTH_DATA
) != 0) {
1750 OldData
->AuthDataSize
= NewData
->AuthDataSize
;
1751 OldData
->AuthData
= NewData
->AuthData
;
1754 if ((Mask
& REVOCATION_DATA
) != 0) {
1755 OldData
->RevocationDataSize
= NewData
->RevocationDataSize
;
1756 OldData
->RevocationData
= NewData
->RevocationData
;
//
// Combine handlers dispatched by Context->DataType (SPD, SAD, PAD in table order);
// EditOperatePolicyEntry asserts the index is < 3 before calling through this table.
// The casts fold the three per-type signatures into one pointer type, so passing
// the matching selector/data types is the caller's responsibility.
//
1762 COMBINE_POLICY_ENTRY mCombinePolicyEntry
[] = {
1763 (COMBINE_POLICY_ENTRY
) CombineSpdEntry
,
1764 (COMBINE_POLICY_ENTRY
) CombineSadEntry
,
1765 (COMBINE_POLICY_ENTRY
) CombinePadEntry
1769 Edit entry information in the database.
1771 @param[in] Selector The pointer to the EFI_IPSEC_CONFIG_SELECTOR structure.
1772 @param[in] Data The pointer to the data.
1773 @param[in] Context The pointer to the EDIT_POLICY_ENTRY_CONTEXT structure; its Status field receives the result of the edit.
1775 @retval EFI_SUCCESS Continue the iteration.
1776 @retval EFI_ABORTED Abort the iteration.
1779 EditOperatePolicyEntry (
1780 IN EFI_IPSEC_CONFIG_SELECTOR
*Selector
,
1782 IN EDIT_POLICY_ENTRY_CONTEXT
*Context
1788 if (mMatchPolicyEntry
[Context
->DataType
] (Selector
, Data
, &Context
->Indexer
)) {
1789 ASSERT (Context
->DataType
< 3);
1791 Status
= mCombinePolicyEntry
[Context
->DataType
] (
1799 if (!EFI_ERROR (Status
)) {
1802 // Insert new entry before old entry
1804 Status
= mIpSecConfig
->SetData (
1811 ASSERT_EFI_ERROR (Status
);
1815 Status
= mIpSecConfig
->SetData (
1822 ASSERT_EFI_ERROR (Status
);
1824 Status
= mIpSecConfig
->SetData (
1834 Context
->Status
= Status
;
1842 Edit entry information in database according to datatype.
1844 @param[in] DataType The value of EFI_IPSEC_CONFIG_DATA_TYPE.
1845 @param[in] ParamPackage The pointer to the ParamPackage list.
1847 @retval EFI_SUCCESS Edit entry information successfully.
1848 @retval EFI_NOT_FOUND Can't find the specified entry.
1849 @retval Others The edit failed for another reason; the error is reported and returned unchanged.
1853 IN EFI_IPSEC_CONFIG_DATA_TYPE DataType
,
1854 IN LIST_ENTRY
*ParamPackage
1858 EDIT_POLICY_ENTRY_CONTEXT Context
;
1859 CONST CHAR16
*ValueStr
;
1861 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"-e");
1862 if (ValueStr
== NULL
) {
1863 ShellPrintHiiEx (-1, -1, NULL
, STRING_TOKEN (STR_IPSEC_CONFIG_INDEX_NOT_SPECIFIED
), mHiiHandle
, mAppName
, ValueStr
);
1864 return EFI_NOT_FOUND
;
1867 Status
= mConstructPolicyEntryIndexer
[DataType
] (&Context
.Indexer
, ParamPackage
);
1868 if (!EFI_ERROR (Status
)) {
1869 Context
.DataType
= DataType
;
1870 Context
.Status
= EFI_NOT_FOUND
;
1871 Status
= mCreatePolicyEntry
[DataType
] (&Context
.Selector
, &Context
.Data
, ParamPackage
, &Context
.Mask
, FALSE
);
1872 if (!EFI_ERROR (Status
)) {
1873 ForeachPolicyEntry (DataType
, (VISIT_POLICY_ENTRY
) EditOperatePolicyEntry
, &Context
);
1874 Status
= Context
.Status
;
1877 if (Context
.Selector
!= NULL
) {
1878 gBS
->FreePool (Context
.Selector
);
1881 if (Context
.Data
!= NULL
) {
1882 gBS
->FreePool (Context
.Data
);
1886 if (Status
== EFI_NOT_FOUND
) {
1887 ShellPrintHiiEx (-1, -1, NULL
, STRING_TOKEN (STR_IPSEC_CONFIG_INDEX_NOT_FOUND
), mHiiHandle
, mAppName
, ValueStr
);
1888 } else if (EFI_ERROR (Status
)) {
1889 ShellPrintHiiEx (-1, -1, NULL
, STRING_TOKEN (STR_IPSEC_CONFIG_EDIT_FAILED
), mHiiHandle
, mAppName
);
1897 Insert entry information in database.
1899 @param[in] Selector The pointer to the EFI_IPSEC_CONFIG_SELECTOR structure.
1900 @param[in] Data The pointer to the data.
1901 @param[in] Context The pointer to the INSERT_POLICY_ENTRY_CONTEXT structure.
1903 @retval EFI_SUCCESS Continue the iteration.
1904 @retval EFI_ABORTED Abort the iteration.
1908 IN EFI_IPSEC_CONFIG_SELECTOR
*Selector
,
1910 IN INSERT_POLICY_ENTRY_CONTEXT
*Context
1914 // Found the entry which we want to insert before.
1916 if (mMatchPolicyEntry
[Context
->DataType
] (Selector
, Data
, &Context
->Indexer
)) {
1918 Context
->Status
= mIpSecConfig
->SetData (
1926 // Abort the iteration after the insertion.
1935 Insert or add entry information in database according to datatype.
1937 @param[in] DataType The value of EFI_IPSEC_CONFIG_DATA_TYPE.
1938 @param[in] ParamPackage The pointer to the ParamPackage list.
1940 @retval EFI_SUCCESS Insert or add entry information successfully.
1941 @retval EFI_NOT_FOUND Can't find the specified entry.
1942 @retval EFI_BUFFER_TOO_SMALL An entry with the same selector already exists.
1943 @retval EFI_UNSUPPORTED The operation is not supported.
1944 @retval Others The insertion or addition failed for another reason; the error is reported and returned unchanged.
1947 AddOrInsertPolicyEntry (
1948 IN EFI_IPSEC_CONFIG_DATA_TYPE DataType
,
1949 IN LIST_ENTRY
*ParamPackage
1953 EFI_IPSEC_CONFIG_SELECTOR
*Selector
;
1955 INSERT_POLICY_ENTRY_CONTEXT Context
;
1958 CONST CHAR16
*ValueStr
;
1960 Status
= mCreatePolicyEntry
[DataType
] (&Selector
, &Data
, ParamPackage
, &Mask
, TRUE
);
1961 if (!EFI_ERROR (Status
)) {
1963 // Find if the Selector to be inserted already exists.
1966 Status
= mIpSecConfig
->GetData (
1973 if (Status
== EFI_BUFFER_TOO_SMALL
) {
1974 ShellPrintHiiEx (-1, -1, NULL
, STRING_TOKEN (STR_IPSEC_CONFIG_ALREADY_EXISTS
), mHiiHandle
, mAppName
);
1975 } else if (ShellCommandLineGetFlag (ParamPackage
, L
"-a")) {
1976 Status
= mIpSecConfig
->SetData (
1984 ValueStr
= ShellCommandLineGetValue (ParamPackage
, L
"-i");
1985 if (ValueStr
== NULL
) {
1986 ShellPrintHiiEx (-1, -1, NULL
, STRING_TOKEN (STR_IPSEC_CONFIG_INDEX_NOT_SPECIFIED
), mHiiHandle
, mAppName
, ValueStr
);
1987 return EFI_NOT_FOUND
;
1990 Status
= mConstructPolicyEntryIndexer
[DataType
] (&Context
.Indexer
, ParamPackage
);
1991 if (!EFI_ERROR (Status
)) {
1992 Context
.DataType
= DataType
;
1993 Context
.Status
= EFI_NOT_FOUND
;
1994 Context
.Selector
= Selector
;
1995 Context
.Data
= Data
;
1997 ForeachPolicyEntry (DataType
, (VISIT_POLICY_ENTRY
) InsertPolicyEntry
, &Context
);
1998 Status
= Context
.Status
;
1999 if (Status
== EFI_NOT_FOUND
) {
2000 ShellPrintHiiEx (-1, -1, NULL
, STRING_TOKEN (STR_IPSEC_CONFIG_INDEX_NOT_FOUND
), mHiiHandle
, mAppName
, ValueStr
);
2005 gBS
->FreePool (Selector
);
2006 gBS
->FreePool (Data
);
2009 if (Status
== EFI_UNSUPPORTED
) {
2010 ShellPrintHiiEx (-1, -1, NULL
, STRING_TOKEN (STR_IPSEC_CONFIG_INSERT_UNSUPPORT
), mHiiHandle
, mAppName
);
2011 } else if (EFI_ERROR (Status
)) {
2012 ShellPrintHiiEx (-1, -1, NULL
, STRING_TOKEN (STR_IPSEC_CONFIG_INSERT_FAILED
), mHiiHandle
, mAppName
);