2 The common definition of IPsec Key Exchange (IKE).
4 Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>
6 SPDX-License-Identifier: BSD-2-Clause-Patent
14 #include <Library/UdpIoLib.h>
15 #include <Library/BaseCryptLib.h>
16 #include "IpSecImpl.h"
18 #define IKE_VERSION_MAJOR_MASK 0xf0
19 #define IKE_VERSION_MINOR_MASK 0x0f
21 #define IKE_MAJOR_VERSION(v) (((v) & IKE_VERSION_MAJOR_MASK) >> 4)
22 #define IKE_MINOR_VERSION(v) ((v) & IKE_VERSION_MINOR_MASK)
25 // Protocol Value Use in IKEv1 and IKEv2
27 #define IPSEC_PROTO_ISAKMP 1
28 #define IPSEC_PROTO_IPSEC_AH 2
29 #define IPSEC_PROTO_IPSEC_ESP 3
30 #define IPSEC_PROTO_IPCOMP 4 // For IKEv1 this value is reserved
33 // For Algorithm search in support list.Last two types are for IKEv2 only.
35 #define IKE_ENCRYPT_TYPE 0
36 #define IKE_AUTH_TYPE 1
37 #define IKE_PRF_TYPE 2
41 // Encryption Algorithm present in IKEv1 phasrs2 and IKEv2 transform payload (Transform Type 1)
43 #define IPSEC_ESP_DES_IV64 1
44 #define IPSEC_ESP_DES 2
45 #define IPSEC_ESP_3DES 3
46 #define IPSEC_ESP_RC5 4
47 #define IPSEC_ESP_IDEA 5
48 #define IPSEC_ESP_CAST 6
49 #define IPSEC_ESP_BLOWFISH 7
50 #define IPSEC_ESP_3IDEA 8
51 #define IPSEC_ESP_DES_IV32 9
52 #define IPSEC_ESP_RC4 10 // It's reserved in IKEv2
53 #define IPSEC_ESP_NULL 11
54 #define IPSEC_ESP_AES 12
56 #define IKE_XCG_TYPE_NONE 0
57 #define IKE_XCG_TYPE_BASE 1
58 #define IKE_XCG_TYPE_IDENTITY_PROTECT 2
59 #define IKE_XCG_TYPE_AUTH_ONLY 3
60 #define IKE_XCG_TYPE_AGGR 4
61 #define IKE_XCG_TYPE_INFO 5
62 #define IKE_XCG_TYPE_QM 32
63 #define IKE_XCG_TYPE_NGM 33
64 #define IKE_XCG_TYPE_SA_INIT 34
65 #define IKE_XCG_TYPE_AUTH 35
66 #define IKE_XCG_TYPE_CREATE_CHILD_SA 36
67 #define IKE_XCG_TYPE_INFO2 37
69 #define IKE_LIFE_TYPE_SECONDS 1
70 #define IKE_LIFE_TYPE_KILOBYTES 2
73 // Deafult IKE SA lifetime and CHILD SA lifetime
75 #define IKE_SA_DEFAULT_LIFETIME 1200
76 #define CHILD_SA_DEFAULT_LIFETIME 3600
79 // Next payload type presented within Proposal payload
81 #define IKE_PROPOSAL_NEXT_PAYLOAD_MORE 2
82 #define IKE_PROPOSAL_NEXT_PAYLOAD_NONE 0
85 // Next payload type presented within Transform payload
87 #define IKE_TRANSFORM_NEXT_PAYLOAD_MORE 3
88 #define IKE_TRANSFORM_NEXT_PAYLOAD_NONE 0
91 // Max size of the SA attribute
93 #define MAX_SA_ATTRS_SIZE 48
94 #define SA_ATTR_FORMAT_BIT 0x8000
96 // The definition for Information Message ID.
98 #define INFO_MID_SIGNATURE SIGNATURE_32 ('I', 'N', 'F', 'M')
101 // Type for the IKE SESSION COMMON
105 IkeSessionTypeChildSa
,
111 // The DH Group ID defined RFC3526 and RFC 2409
114 OakleyGroupModp768
= 1,
115 OakleyGroupModp1024
= 2,
116 OakleyGroupGp155
= 3, // Unsupported Now.
117 OakleyGroupGp185
= 4, // Unsupported Now.
118 OakleyGroupModp1536
= 5,
120 OakleyGroupModp2048
= 14,
121 OakleyGroupModp3072
= 15,
122 OakleyGroupModp4096
= 16,
123 OakleyGroupModp6144
= 17,
124 OakleyGroupModp8192
= 18,
133 UINT64 InitiatorCookie
;
134 UINT64 ResponderCookie
;
150 // SA Attribute present in Transform Payload
155 IKE_SA_ATTR_UNION Attr
;
160 // Contains the IKE packet information.
166 BOOLEAN IsPayloadsBufExt
;
167 UINT8
*PayloadsBuf
; // The whole IkePakcet trimed the IKE header.
168 UINTN PayloadTotalSize
;
169 LIST_ENTRY PayloadList
;
170 EFI_IP_ADDRESS RemotePeerIp
;
171 BOOLEAN IsEncoded
; // whether HTON is done when sending the packet
172 UINT32 Spi
; // For the Delete Information Exchange
173 BOOLEAN IsDeleteInfo
; // For the Delete Information Exchange
174 IPSEC_PRIVATE_DATA
*Private
; // For the Delete Information Exchange
178 // The generic structure to all kinds of IKE payloads.
182 BOOLEAN IsPayloadBufExt
;
196 LIST_ENTRY
*ListHead
;
197 EFI_HANDLE NicHandle
;
198 EFI_HANDLE ImageHandle
;
201 EFI_IP_ADDRESS DefaultAddress
;
202 BOOLEAN IsConfigured
;
206 // Each IKE session has its own Key sets for local peer and remote peer.
209 EFI_IPSEC_ALGO_INFO LocalPeerInfo
;
210 EFI_IPSEC_ALGO_INFO RemotePeerInfo
;
214 // Each algorithm has its own Id, Guid, BlockSize and KeyLength.
215 // This struct contains these information for each algorithm. It is generic structure
216 // for both encryption and authentication algorithm.
217 // For authentication algorithm, the AlgSize means IcvSize. For encryption algorithm,
222 UINT8 AlgorithmId
; // Encryption or Authentication Id used by ESP/AH
224 UINT8 AlgSize
; // IcvSize or IvSize
227 } IKE_ALG_GUID_INFO
; // For IPsec Authentication and Encryption Algorithm.
231 // Structure used to store the DH group
237 UINTN GroupGenerator
;
241 This is prototype definition of general interface to phase the payloads
242 after/before the decode/encode.
244 @param[in] SessionCommon Point to the SessionCommon
245 @param[in] PayloadBuf Point to the buffer of Payload.
246 @param[in] PayloadSize The size of the PayloadBuf in bytes.
247 @param[in] PayloadType The type of Payload.
252 (*IKE_ON_PAYLOAD_FROM_NET
) (
253 IN UINT8
*SessionCommon
,
254 IN UINT8
*PayloadBuf
,
255 IN UINTN PayloadSize
,