1 /** @file
The common definitions of the Internet Key Exchange (IKE) protocol used by IPsec.
3
4 Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>
5
6 SPDX-License-Identifier: BSD-2-Clause-Patent
7
8
9 **/
10
11 #ifndef _IKE_H_
12 #define _IKE_H_
13
14 #include <Library/UdpIoLib.h>
15 #include <Library/BaseCryptLib.h>
16 #include "IpSecImpl.h"
17
//
// Layout of the IKE_HEADER.Version octet: major version in the high nibble,
// minor version in the low nibble (the same split is used by IKEv1 and IKEv2).
//
#define IKE_VERSION_MAJOR_MASK 0xf0
#define IKE_VERSION_MINOR_MASK 0x0f

//
// Extract the major / minor version number from a Version octet.
// The octet comes straight from the peer; callers should reject versions they
// do not implement before interpreting anything else in the message.
//
#define IKE_MAJOR_VERSION(v) (((v) & IKE_VERSION_MAJOR_MASK) >> 4)
#define IKE_MINOR_VERSION(v) ((v) & IKE_VERSION_MINOR_MASK)
23
//
// Protocol ID values carried in Proposal payloads, shared by IKEv1 (RFC 2407)
// and IKEv2 (RFC 7296).
//
// NOTE(review): RFC 2407 does define PROTO_IPCOMP = 4 for IKEv1; it is the
// IKEv2 registry that leaves 4 unassigned. The original "reserved for IKEv1"
// remark on IPSEC_PROTO_IPCOMP therefore looks inverted - confirm against the
// proposal parser before relying on it.
//
#define IPSEC_PROTO_ISAKMP 1
#define IPSEC_PROTO_IPSEC_AH 2
#define IPSEC_PROTO_IPSEC_ESP 3
#define IPSEC_PROTO_IPCOMP 4 // See the note above about which IKE version reserves this value
31
//
// Index of each algorithm class when searching the supported-algorithm list.
// The last two classes (PRF and DH group) are negotiated by IKEv2 only.
//
#define IKE_ENCRYPT_TYPE 0
#define IKE_AUTH_TYPE 1
#define IKE_PRF_TYPE 2
#define IKE_DH_TYPE 3
39
//
// Encryption algorithm identifiers as they appear on the wire: the IKEv1
// phase 2 ESP transform identifiers (RFC 2407) and the IKEv2 Transform Type 1
// (ENCR) identifiers (RFC 7296).
//
// These values exist so that a peer's proposal can be parsed; listing one
// here is not an endorsement. DES, DES_IV64 / DES_IV32 and RC4 provide no
// meaningful confidentiality today, NULL provides none by design, and 3DES,
// IDEA, CAST, Blowfish and RC5 are legacy. Confirm that the proposal-selection
// code only negotiates IPSEC_ESP_AES (and IPSEC_ESP_NULL only where an
// integrity-only ESP SA is intended) regardless of what the peer offers.
//
#define IPSEC_ESP_DES_IV64 1
#define IPSEC_ESP_DES 2
#define IPSEC_ESP_3DES 3
#define IPSEC_ESP_RC5 4
#define IPSEC_ESP_IDEA 5
#define IPSEC_ESP_CAST 6
#define IPSEC_ESP_BLOWFISH 7
#define IPSEC_ESP_3IDEA 8
#define IPSEC_ESP_DES_IV32 9
#define IPSEC_ESP_RC4 10 // Reserved (unassigned) in the IKEv2 registry
#define IPSEC_ESP_NULL 11
#define IPSEC_ESP_AES 12
55
//
// Exchange types carried in IKE_HEADER.ExchangeType.
//   0 - 5   ISAKMP exchange types (RFC 2408)
//   32 - 33 IKEv1 Quick Mode / New Group Mode (RFC 2409)
//   34 - 37 IKEv2 exchanges (RFC 7296)
// A received value outside the set the implementation handles should be
// rejected rather than mapped to a default exchange.
//
#define IKE_XCG_TYPE_NONE 0
#define IKE_XCG_TYPE_BASE 1
#define IKE_XCG_TYPE_IDENTITY_PROTECT 2
#define IKE_XCG_TYPE_AUTH_ONLY 3
#define IKE_XCG_TYPE_AGGR 4
#define IKE_XCG_TYPE_INFO 5
#define IKE_XCG_TYPE_QM 32
#define IKE_XCG_TYPE_NGM 33
#define IKE_XCG_TYPE_SA_INIT 34           // IKEv2 IKE_SA_INIT
#define IKE_XCG_TYPE_AUTH 35              // IKEv2 IKE_AUTH
#define IKE_XCG_TYPE_CREATE_CHILD_SA 36   // IKEv2 CREATE_CHILD_SA
#define IKE_XCG_TYPE_INFO2 37             // IKEv2 INFORMATIONAL
68
//
// SA lifetime attribute types: the lifetime is expressed either in seconds or
// in kilobytes of traffic.
//
#define IKE_LIFE_TYPE_SECONDS 1
#define IKE_LIFE_TYPE_KILOBYTES 2

//
// Default IKE SA lifetime and Child SA lifetime (assumed to be seconds, in line
// with IKE_LIFE_TYPE_SECONDS - confirm against the SA setup code).
//
// NOTE(review): the IKE SA default (1200) is shorter than the Child SA default
// (3600). Confirm the rekey / expiry logic copes with a parent IKE SA that ages
// out before the Child SAs it created.
//
#define IKE_SA_DEFAULT_LIFETIME 1200
#define CHILD_SA_DEFAULT_LIFETIME 3600
77
//
// Value of the "Next Payload" octet inside a Proposal payload: 2 when another
// Proposal follows, 0 when this is the last one (RFC 2408 Section 3.5,
// RFC 7296 Section 3.3.1).
//
#define IKE_PROPOSAL_NEXT_PAYLOAD_MORE 2
#define IKE_PROPOSAL_NEXT_PAYLOAD_NONE 0

//
// Value of the "Next Payload" octet inside a Transform payload: 3 when another
// Transform follows, 0 when this is the last one.
//
#define IKE_TRANSFORM_NEXT_PAYLOAD_MORE 3
#define IKE_TRANSFORM_NEXT_PAYLOAD_NONE 0
89
//
// Upper bound, in bytes, on the encoded SA attributes handled for a transform.
// NOTE(review): the attribute lengths come from the peer; whatever copies
// attributes into a buffer sized by this constant must check the peer-supplied
// length against it rather than trust it.
//
#define MAX_SA_ATTRS_SIZE 48
//
// Attribute Format (AF) bit of IKE_SA_ATTRIBUTE.AttrType (RFC 2408 Section
// 3.3): set for the Type/Value form, clear for the Type/Length/Value form.
//
#define SA_ATTR_FORMAT_BIT 0x8000
//
// Signature of the structure that tracks an Informational exchange Message ID.
//
#define INFO_MID_SIGNATURE SIGNATURE_32 ('I', 'N', 'F', 'M')
99
//
// Kind of session represented by an IKE session-common structure.
//
typedef enum {
  IkeSessionTypeIkeSa,      // An IKE SA (IKEv1 phase 1 / IKEv2 IKE_SA_INIT + IKE_AUTH)
  IkeSessionTypeChildSa,    // A Child SA (IKEv1 phase 2 / IKEv2 CREATE_CHILD_SA)
  IkeSessionTypeInfo,       // An Informational exchange
  IkeSessionTypeMax         // Sentinel; not a valid session type
} IKE_SESSION_TYPE;
109
//
// Diffie-Hellman group IDs as defined in RFC 2409 (groups 1 - 5) and RFC 3526
// (groups 14 - 18). Groups 3 and 4 are the RFC 2409 elliptic-curve (EC2N)
// groups and are not implemented here.
//
// NOTE(review): RFC 8247 Section 2.4 rates group 1 (768-bit) MUST NOT and
// groups 2 and 5 (1024 / 1536-bit) SHOULD NOT be used. Having the identifiers
// here is needed to parse proposals, but confirm the proposal-selection code
// does not accept them from a peer (group 14 or larger is the expected floor).
//
typedef enum {
  OakleyGroupModp768 = 1,
  OakleyGroupModp1024 = 2,
  OakleyGroupGp155 = 3, // EC2N group, unsupported now.
  OakleyGroupGp185 = 4, // EC2N group, unsupported now.
  OakleyGroupModp1536 = 5,

  OakleyGroupModp2048 = 14,
  OakleyGroupModp3072 = 15,
  OakleyGroupModp4096 = 16,
  OakleyGroupModp6144 = 17,
  OakleyGroupModp8192 = 18,
  OakleyGroupMax          // Sentinel (19); not a valid group ID
} OAKLEY_GROUP_ID;
127
//
// IKE Header (RFC 2408 Section 3.1 / RFC 7296 Section 3.1): the fixed 28-byte
// prefix of every IKE message. Fields are big-endian on the wire; whether a
// given in-memory copy has been byte-swapped is tracked by IKE_PACKET.IsEncoded.
//
// Everything in this structure is attacker-controlled input. A decoder must
// verify that Length is at least sizeof (IKE_HEADER) and no larger than the
// received datagram before using it to walk the payload chain, and must treat
// NextPayload / ExchangeType / Version as untrusted enumerations.
//
#pragma pack(1)
typedef struct {
  UINT64 InitiatorCookie;   // IKEv1 initiator cookie / IKEv2 initiator SPI
  UINT64 ResponderCookie;   // IKEv1 responder cookie / IKEv2 responder SPI
  UINT8 NextPayload;        // Type of the first payload following the header
  UINT8 Version;            // Major / minor nibbles, see IKE_MAJOR_VERSION and IKE_MINOR_VERSION
  UINT8 ExchangeType;       // One of the IKE_XCG_TYPE_* values
  UINT8 Flags;
  UINT32 MessageId;         // Message ID used to pair requests with responses
  UINT32 Length;            // Total message length in bytes, including this header
} IKE_HEADER;
#pragma pack()
143
//
// Second half-word of an SA attribute. It is the attribute value itself when
// the attribute is in Type/Value form (SA_ATTR_FORMAT_BIT set in AttrType) and
// the length of the variable-length value that follows when in
// Type/Length/Value form.
//
typedef union {
  UINT16 AttrLength;
  UINT16 AttrValue;
} IKE_SA_ATTR_UNION;
148
//
// SA attribute as present in a Transform payload (RFC 2408 Section 3.3).
// Packed to match the 4-byte wire encoding. In TLV form the AttrLength bytes
// of value follow this structure; a parser must bound that length by the
// remaining payload size before reading them.
//
#pragma pack(1)
typedef struct {
  UINT16 AttrType;          // Attribute type with SA_ATTR_FORMAT_BIT selecting TV / TLV form
  IKE_SA_ATTR_UNION Attr;   // Value (TV) or length of the following value (TLV)
} IKE_SA_ATTRIBUTE;
#pragma pack()
158
//
// An IKE message, either under construction for sending or decoded after
// receipt.
//
typedef struct {
  UINTN RefCount;                 // Reference count on this packet
  BOOLEAN IsHdrExt;               // Presumably TRUE when Header is externally owned and must not be freed with the packet - confirm
  IKE_HEADER *Header;
  BOOLEAN IsPayloadsBufExt;       // Same ownership flag for PayloadsBuf (presumably - confirm)
  UINT8 *PayloadsBuf;             // The whole IKE packet minus the IKE header
  UINTN PayloadTotalSize;         // Size of PayloadsBuf in bytes; for a received packet this should match Header->Length minus the header size - verify in the decoder
  LIST_ENTRY PayloadList;         // List of IKE_PAYLOAD entries linked through IKE_PAYLOAD.ByPacket
  EFI_IP_ADDRESS RemotePeerIp;
  BOOLEAN IsEncoded;              // whether HTON is done when sending the packet
  UINT32 Spi;                     // For the Delete Information Exchange
  BOOLEAN IsDeleteInfo;           // For the Delete Information Exchange
  IPSEC_PRIVATE_DATA *Private;    // For the Delete Information Exchange
} IKE_PACKET;
176
//
// One payload within an IKE_PACKET; generic across all IKE payload types.
//
typedef struct {
  UINT32 Signature;         // Structure signature
  BOOLEAN IsPayloadBufExt;  // Presumably TRUE when PayloadBuf is externally owned and must not be freed with the payload - confirm
  UINT8 PayloadType;        // Payload type octet as used in the next-payload chain
  UINT8 *PayloadBuf;        // Encoded payload bytes
  UINTN PayloadSize;        // Size of PayloadBuf in bytes; the only trustworthy bound on PayloadBuf for received data
  LIST_ENTRY ByPacket;      // Link into IKE_PACKET.PayloadList
} IKE_PAYLOAD;
188
//
// UDP transport used to send and receive IKE datagrams on one NIC.
//
typedef struct {
  UINT32 Signature;             // Structure signature
  UINT8 IpVersion;              // IP version of this service (presumably 4 or 6)
  LIST_ENTRY List;              // Link in the list headed by ListHead
  LIST_ENTRY *ListHead;
  EFI_HANDLE NicHandle;         // NIC this service is bound to
  EFI_HANDLE ImageHandle;
  UDP_IO *Input;                // UDP_IO instance used for receiving
  UDP_IO *Output;               // UDP_IO instance used for sending
  EFI_IP_ADDRESS DefaultAddress;
  BOOLEAN IsConfigured;
} IKE_UDP_SERVICE;
204
//
// Key material of one IKE session: one algorithm / key set for the local peer
// and one for the remote peer.
//
// NOTE(review): this structure holds live keys. Confirm that the session
// teardown path zeroes both members before the memory is released, and that
// they are never copied into long-lived buffers that are not wiped.
//
typedef struct {
  EFI_IPSEC_ALGO_INFO LocalPeerInfo;
  EFI_IPSEC_ALGO_INFO RemotePeerInfo;
} SA_KEYMATS;
212
//
// Each algorithm has its own Id, Guid, BlockSize and KeyLength.
// This struct contains these information for each algorithm. It is generic structure
// for both encryption and authentication algorithm.
// For authentication algorithm, the AlgSize means IcvSize. For encryption algorithm,
// it means IvSize.
//
// NOTE(review): this is an in-memory table entry, not a wire structure, yet it
// is declared #pragma pack(1) while containing a pointer and a UINTN. The
// packing buys nothing and can turn AlgGuid / KeyMateLen accesses into
// misaligned loads on alignment-strict targets; confirm nothing depends on the
// packed size before dropping the pragma.
//
#pragma pack(1)
typedef struct {
  UINT8 AlgorithmId;    // Encryption or Authentication Id used by ESP/AH
  EFI_GUID *AlgGuid;    // GUID of the algorithm (presumably used to look up the implementation)
  UINT8 AlgSize;        // IcvSize or IvSize
  UINT8 BlockSize;      // Cipher block size (presumably in bytes; meaningful for encryption algorithms)
  UINTN KeyMateLen;     // Length of the key material required (presumably in bytes)
} IKE_ALG_GUID_INFO; // For IPsec Authentication and Encryption Algorithm.
#pragma pack()
229
//
// Parameters of one MODP Diffie-Hellman group (see OAKLEY_GROUP_ID).
//
typedef struct {
  UINT8 GroupId;          // OAKLEY_GROUP_ID value of this group
  UINTN Size;             // Size of Modulus (presumably in bytes - confirm against the group table)
  UINT8 *Modulus;         // The prime modulus p (presumably big-endian - confirm)
  UINTN GroupGenerator;   // The generator g (2 for the RFC 2409 / RFC 3526 MODP groups)
} MODP_GROUP;
239
/**
  Prototype of the per-payload hook invoked to process each payload after it
  has been decoded from the network, or before it is encoded for sending.

  For received data the payload buffer is raw peer-supplied input:
  implementations must treat PayloadSize as the only trustworthy bound and must
  check any length field found inside PayloadBuf against it before use.

  @param[in] SessionCommon Pointer to the session common structure (passed as UINT8 *, presumably to keep this header independent of the session types).
  @param[in] PayloadBuf Pointer to the buffer of the payload.
  @param[in] PayloadSize The size of PayloadBuf in bytes.
  @param[in] PayloadType The type of the payload.

**/
typedef
VOID
(*IKE_ON_PAYLOAD_FROM_NET) (
  IN UINT8 *SessionCommon,
  IN UINT8 *PayloadBuf,
  IN UINTN PayloadSize,
  IN UINT8 PayloadType
  );
258
259 #endif
260