2 The operations for IKEv2 SA.
4 Copyright (c) 2010 - 2011, Intel Corporation. All rights reserved.<BR>
6 This program and the accompanying materials
7 are licensed and made available under the terms and conditions of the BSD License
8 which accompanies this distribution. The full text of the license may be found at
9 http://opensource.org/licenses/bsd-license.php.
11 THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
12 WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
17 #include "IpSecDebug.h"
18 #include "IkeService.h"
24 This generates the DH local public key and store it in the IKEv2 SA Session's GxBuffer.
26 @param[in] IkeSaSession Pointer to related IKE SA Session.
28 @retval EFI_SUCCESS The operation succeeded.
29 @retval Others The operation failed.
33 Ikev2GenerateSaDhPublicKey (
34 IN IKEV2_SA_SESSION
*IkeSaSession
38 Generates the IKEv2 SA key for the furthure IKEv2 exchange.
40 @param[in] IkeSaSession Pointer to IKEv2 SA Session.
41 @param[in] KePayload Pointer to Key payload used to generate the Key.
43 @retval EFI_UNSUPPORTED If the Algorithm Id is not supported.
44 @retval EFI_SUCCESS The operation succeeded.
49 IN IKEV2_SA_SESSION
*IkeSaSession
,
50 IN IKE_PAYLOAD
*KePayload
54 Generates the Keys for the furthure IPsec Protocol.
56 @param[in] ChildSaSession Pointer to IKE Child SA Session.
57 @param[in] KePayload Pointer to Key payload used to generate the Key.
59 @retval EFI_UNSUPPORTED If one or more Algorithm Id is unsupported.
60 @retval EFI_SUCCESS The operation succeeded.
64 Ikev2GenerateChildSaKeys (
65 IN IKEV2_CHILD_SA_SESSION
*ChildSaSession
,
66 IN IKE_PAYLOAD
*KePayload
70 Gernerates IKEv2 packet for IKE_SA_INIT exchange.
72 @param[in] SaSession Pointer to IKEV2_SA_SESSION related to the exchange.
73 @param[in] Context Context Data passed by caller.
75 @retval EFI_SUCCESS The IKEv2 packet generation succeeded.
76 @retval Others The IKEv2 packet generation failed.
80 Ikev2InitPskGenerator (
85 IKE_PACKET
*IkePacket
;
86 IKEV2_SA_SESSION
*IkeSaSession
;
87 IKE_PAYLOAD
*SaPayload
;
88 IKE_PAYLOAD
*KePayload
;
89 IKE_PAYLOAD
*NoncePayload
;
90 IKE_PAYLOAD
*NotifyPayload
;
98 IkeSaSession
= (IKEV2_SA_SESSION
*) SaSession
;
101 // 1. Allocate IKE packet
103 IkePacket
= IkePacketAlloc ();
104 ASSERT (IkePacket
!= NULL
);
107 // 1.a Fill the IkePacket->Hdr
109 IkePacket
->Header
->ExchangeType
= IKEV2_EXCHANGE_TYPE_INIT
;
110 IkePacket
->Header
->InitiatorCookie
= IkeSaSession
->InitiatorCookie
;
111 IkePacket
->Header
->ResponderCookie
= IkeSaSession
->ResponderCookie
;
112 IkePacket
->Header
->Version
= (UINT8
) (2 << 4);
113 IkePacket
->Header
->MessageId
= 0;
115 if (IkeSaSession
->SessionCommon
.IsInitiator
) {
116 IkePacket
->Header
->Flags
= IKE_HEADER_FLAGS_INIT
;
118 IkePacket
->Header
->Flags
= IKE_HEADER_FLAGS_RESPOND
;
122 // If the NCookie is not NULL, this IKE_SA_INIT packet is resent by the NCookie
123 // and the NCookie payload should be the first payload in this packet.
125 if (IkeSaSession
->NCookie
!= NULL
) {
126 IkePacket
->Header
->NextPayload
= IKEV2_PAYLOAD_TYPE_NOTIFY
;
127 NotifyPayload
= Ikev2GenerateNotifyPayload (
129 IKEV2_PAYLOAD_TYPE_SA
,
131 IKEV2_NOTIFICATION_COOKIE
,
133 IkeSaSession
->NCookie
,
134 IkeSaSession
->NCookieSize
137 IkePacket
->Header
->NextPayload
= IKEV2_PAYLOAD_TYPE_SA
;
141 // 2. Generate SA Payload according to the SaData & SaParams
143 SaPayload
= Ikev2GenerateSaPayload (
144 IkeSaSession
->SaData
,
145 IKEV2_PAYLOAD_TYPE_KE
,
150 // 3. Generate DH public key.
151 // The DhPrivate Key has been generated in Ikev2InitPskParser, if the
152 // IkeSaSession is responder. If resending IKE_SA_INIT with Cookie Notify
153 // No need to recompute the Public key.
155 if ((IkeSaSession
->SessionCommon
.IsInitiator
) && (IkeSaSession
->NCookie
== NULL
)) {
156 Status
= Ikev2GenerateSaDhPublicKey (IkeSaSession
);
157 if (EFI_ERROR (Status
)) {
163 // 4. Generate KE Payload according to SaParams->DhGroup
165 KePayload
= Ikev2GenerateKePayload (
167 IKEV2_PAYLOAD_TYPE_NONCE
171 // 5. Generate Nonce Payload
172 // If resending IKE_SA_INIT with Cookie Notify paylaod, no need to regenerate
173 // the Nonce Payload.
175 if ((IkeSaSession
->SessionCommon
.IsInitiator
) && (IkeSaSession
->NCookie
== NULL
)) {
176 IkeSaSession
->NiBlkSize
= IKE_NONCE_SIZE
;
177 IkeSaSession
->NiBlock
= IkeGenerateNonce (IKE_NONCE_SIZE
);
178 ASSERT (IkeSaSession
->NiBlock
!= NULL
);
181 if (IkeSaSession
->SessionCommon
.IsInitiator
) {
182 NoncePayload
= Ikev2GenerateNoncePayload (
183 IkeSaSession
->NiBlock
,
184 IkeSaSession
->NiBlkSize
,
185 IKEV2_PAYLOAD_TYPE_NONE
189 // The Nonce Payload has been created in Ikev2PskParser if the IkeSaSession is
192 NoncePayload
= Ikev2GenerateNoncePayload (
193 IkeSaSession
->NrBlock
,
194 IkeSaSession
->NrBlkSize
,
195 IKEV2_PAYLOAD_TYPE_NONE
199 if (NotifyPayload
!= NULL
) {
200 IKE_PACKET_APPEND_PAYLOAD (IkePacket
, NotifyPayload
);
202 if (SaPayload
!= NULL
) {
203 IKE_PACKET_APPEND_PAYLOAD (IkePacket
, SaPayload
);
205 if (KePayload
!= NULL
) {
206 IKE_PACKET_APPEND_PAYLOAD (IkePacket
, KePayload
);
208 if (NoncePayload
!= NULL
) {
209 IKE_PACKET_APPEND_PAYLOAD (IkePacket
, NoncePayload
);
215 if (IkePacket
!= NULL
) {
216 IkePacketFree (IkePacket
);
218 if (SaPayload
!= NULL
) {
219 IkePayloadFree (SaPayload
);
225 Parses the IKEv2 packet for IKE_SA_INIT exchange.
227 @param[in] SaSession Pointer to IKEV2_SA_SESSION related to the exchange.
228 @param[in] IkePacket The received IKE packet to be parsed.
230 @retval EFI_SUCCESS The IKEv2 packet is acceptable and the relative data is
231 saved for furthure communication.
232 @retval EFI_INVALID_PARAMETER The IKEv2 packet is malformed or the SA proposal is unacceptable.
238 IN IKE_PACKET
*IkePacket
241 IKEV2_SA_SESSION
*IkeSaSession
;
242 IKE_PAYLOAD
*SaPayload
;
243 IKE_PAYLOAD
*KeyPayload
;
244 IKE_PAYLOAD
*IkePayload
;
245 IKE_PAYLOAD
*NoncePayload
;
246 IKE_PAYLOAD
*NotifyPayload
;
252 IkeSaSession
= (IKEV2_SA_SESSION
*) SaSession
;
257 NotifyPayload
= NULL
;
260 // Iterate payloads to find the SaPayload and KeyPayload.
262 NET_LIST_FOR_EACH (Entry
, &(IkePacket
)->PayloadList
) {
263 IkePayload
= IKE_PAYLOAD_BY_PACKET (Entry
);
264 if (IkePayload
->PayloadType
== IKEV2_PAYLOAD_TYPE_SA
) {
265 SaPayload
= IkePayload
;
267 if (IkePayload
->PayloadType
== IKEV2_PAYLOAD_TYPE_KE
) {
268 KeyPayload
= IkePayload
;
270 if (IkePayload
->PayloadType
== IKEV2_PAYLOAD_TYPE_NONCE
) {
271 NoncePayload
= IkePayload
;
273 if (IkePayload
->PayloadType
== IKEV2_PAYLOAD_TYPE_NOTIFY
) {
274 NotifyPayload
= IkePayload
;
279 // According to RFC 4306 - 2.6. If the responder responds with the COOKIE Notify
280 // payload with the cookie data, initiator MUST retry the IKE_SA_INIT with a
281 // Notify payload of type COOKIE containing the responder suppplied cookie data
282 // as first payload and all other payloads unchanged.
284 if (IkeSaSession
->SessionCommon
.IsInitiator
) {
285 if (NotifyPayload
!= NULL
) {
286 Status
= Ikev2ParserNotifyCookiePayload (NotifyPayload
, IkeSaSession
);
291 if ((KeyPayload
== NULL
) || (SaPayload
== NULL
) || (NoncePayload
== NULL
)) {
292 return EFI_INVALID_PARAMETER
;
296 // Store NoncePayload for SKEYID computing.
298 NonceSize
= NoncePayload
->PayloadSize
- sizeof (IKEV2_COMMON_PAYLOAD_HEADER
);
299 NonceBuffer
= (UINT8
*) AllocatePool (NonceSize
);
300 ASSERT (NonceBuffer
!= NULL
);
303 NoncePayload
->PayloadBuf
+ sizeof (IKEV2_COMMON_PAYLOAD_HEADER
),
308 // Check if IkePacket Header matches the state
310 if (IkeSaSession
->SessionCommon
.IsInitiator
) {
312 // 1. Check the IkePacket->Hdr == IKE_HEADER_FLAGS_RESPOND
314 if (IkePacket
->Header
->Flags
!= IKE_HEADER_FLAGS_RESPOND
) {
315 Status
= EFI_INVALID_PARAMETER
;
320 // 2. Parse the SA Payload and Key Payload to find out the cryptographic
321 // suite and fill in the Sa paramse into CommonSession->SaParams
323 if (!Ikev2SaParseSaPayload (IkeSaSession
, SaPayload
, IkePacket
->Header
->Flags
)) {
324 Status
= EFI_INVALID_PARAMETER
;
329 // 3. If Initiator, the NoncePayload is Nr_b.
331 IKEV2_DUMP_STATE (IkeSaSession
->SessionCommon
.State
, IkeStateAuth
);
332 IkeSaSession
->NrBlock
= NonceBuffer
;
333 IkeSaSession
->NrBlkSize
= NonceSize
;
334 IkeSaSession
->SessionCommon
.State
= IkeStateAuth
;
335 IkeSaSession
->ResponderCookie
= IkePacket
->Header
->ResponderCookie
;
338 // 4. Change the state of IkeSaSession
340 IkeSaSession
->SessionCommon
.State
= IkeStateAuth
;
343 // 1. Check the IkePacket->Hdr == IKE_HEADER_FLAGS_INIT
345 if (IkePacket
->Header
->Flags
!= IKE_HEADER_FLAGS_INIT
) {
346 Status
= EFI_INVALID_PARAMETER
;
351 // 2. Parse the SA payload and find out the perfered one
352 // and fill in the SA parameters into CommonSession->SaParams and SaData into
353 // IkeSaSession for the responder SA payload generation.
355 if (!Ikev2SaParseSaPayload (IkeSaSession
, SaPayload
, IkePacket
->Header
->Flags
)) {
356 Status
= EFI_INVALID_PARAMETER
;
361 // 3. Generat Dh Y parivate Key
363 Status
= Ikev2GenerateSaDhPublicKey (IkeSaSession
);
364 if (EFI_ERROR (Status
)) {
369 // 4. If Responder, the NoncePayload is Ni_b and go to generate Nr_b.
371 IkeSaSession
->NiBlock
= NonceBuffer
;
372 IkeSaSession
->NiBlkSize
= NonceSize
;
377 IkeSaSession
->NrBlock
= IkeGenerateNonce (IKE_NONCE_SIZE
);
378 ASSERT_EFI_ERROR (IkeSaSession
->NrBlock
!= NULL
);
379 IkeSaSession
->NrBlkSize
= IKE_NONCE_SIZE
;
382 // 6. Save the Cookies
384 IkeSaSession
->InitiatorCookie
= IkePacket
->Header
->InitiatorCookie
;
385 IkeSaSession
->ResponderCookie
= IkeGenerateCookie ();
388 if (IkeSaSession
->SessionCommon
.PreferDhGroup
!= ((IKEV2_KEY_EXCHANGE
*)KeyPayload
->PayloadBuf
)->DhGroup
) {
389 Status
= EFI_INVALID_PARAMETER
;
393 // Call Ikev2GenerateSaKeys to create SKEYID, SKEYID_d, SKEYID_a, SKEYID_e.
395 Status
= Ikev2GenerateSaKeys (IkeSaSession
, KeyPayload
);
396 if (EFI_ERROR(Status
)) {
402 if (NonceBuffer
!= NULL
) {
403 FreePool (NonceBuffer
);
410 Generates the IKEv2 packet for IKE_AUTH exchange.
412 @param[in] SaSession Pointer to IKEV2_SA_SESSION.
413 @param[in] Context Context data passed by caller.
415 @retval Pointer to IKE Packet to be sent out.
419 Ikev2AuthPskGenerator (
424 IKE_PACKET
*IkePacket
;
425 IKEV2_SA_SESSION
*IkeSaSession
;
426 IKE_PAYLOAD
*IdPayload
;
427 IKE_PAYLOAD
*AuthPayload
;
428 IKE_PAYLOAD
*SaPayload
;
429 IKE_PAYLOAD
*TsiPayload
;
430 IKE_PAYLOAD
*TsrPayload
;
431 IKE_PAYLOAD
*NotifyPayload
;
432 IKE_PAYLOAD
*CpPayload
;
433 IKEV2_CHILD_SA_SESSION
*ChildSaSession
;
436 IkeSaSession
= (IKEV2_SA_SESSION
*) SaSession
;
437 ChildSaSession
= IKEV2_CHILD_SA_SESSION_BY_IKE_SA (GetFirstNode (&IkeSaSession
->ChildSaSessionList
));
440 NotifyPayload
= NULL
;
443 // 1. Allocate IKE Packet
445 IkePacket
= IkePacketAlloc ();
446 ASSERT (IkePacket
!= NULL
);
449 // 1.a Fill the IkePacket Header.
451 IkePacket
->Header
->ExchangeType
= IKEV2_EXCHANGE_TYPE_AUTH
;
452 IkePacket
->Header
->InitiatorCookie
= IkeSaSession
->InitiatorCookie
;
453 IkePacket
->Header
->ResponderCookie
= IkeSaSession
->ResponderCookie
;
454 IkePacket
->Header
->Version
= (UINT8
)(2 << 4);
455 if (ChildSaSession
->SessionCommon
.IsInitiator
) {
456 IkePacket
->Header
->NextPayload
= IKEV2_PAYLOAD_TYPE_ID_INIT
;
458 IkePacket
->Header
->NextPayload
= IKEV2_PAYLOAD_TYPE_ID_RSP
;
462 // According to RFC4306_2.2, For the IKE_SA_INIT message the MessageID should
463 // be always number 0 and 1;
465 IkePacket
->Header
->MessageId
= 1;
467 if (IkeSaSession
->SessionCommon
.IsInitiator
) {
468 IkePacket
->Header
->Flags
= IKE_HEADER_FLAGS_INIT
;
470 IkePacket
->Header
->Flags
= IKE_HEADER_FLAGS_RESPOND
;
474 // 2. Generate ID Payload according to IP version and address.
476 IdPayload
= Ikev2GenerateIdPayload (
477 &IkeSaSession
->SessionCommon
,
478 IKEV2_PAYLOAD_TYPE_AUTH
482 // 3. Generate Auth Payload
483 // If it is tunnel mode, should create the configuration payload after the
486 if (IkeSaSession
->Spd
->Data
->ProcessingPolicy
->Mode
== EfiIPsecTransport
) {
488 AuthPayload
= Ikev2PskGenerateAuthPayload (
489 ChildSaSession
->IkeSaSession
,
491 IKEV2_PAYLOAD_TYPE_SA
,
495 AuthPayload
= Ikev2PskGenerateAuthPayload (
496 ChildSaSession
->IkeSaSession
,
498 IKEV2_PAYLOAD_TYPE_CP
,
501 if (IkeSaSession
->SessionCommon
.UdpService
->IpVersion
== IP_VERSION_4
) {
502 CpPayload
= Ikev2GenerateCpPayload (
503 ChildSaSession
->IkeSaSession
,
504 IKEV2_PAYLOAD_TYPE_SA
,
505 IKEV2_CFG_ATTR_INTERNAL_IP4_ADDRESS
508 CpPayload
= Ikev2GenerateCpPayload (
509 ChildSaSession
->IkeSaSession
,
510 IKEV2_PAYLOAD_TYPE_SA
,
511 IKEV2_CFG_ATTR_INTERNAL_IP6_ADDRESS
517 // 4. Generate SA Payload according to the SA Data in ChildSaSession
519 SaPayload
= Ikev2GenerateSaPayload (
520 ChildSaSession
->SaData
,
521 IKEV2_PAYLOAD_TYPE_TS_INIT
,
522 IkeSessionTypeChildSa
525 if (IkeSaSession
->Spd
->Data
->ProcessingPolicy
->Mode
== EfiIPsecTransport
) {
527 // Generate Tsi and Tsr.
529 TsiPayload
= Ikev2GenerateTsPayload (
531 IKEV2_PAYLOAD_TYPE_TS_RSP
,
535 TsrPayload
= Ikev2GenerateTsPayload (
537 IKEV2_PAYLOAD_TYPE_NOTIFY
,
542 // Generate Notify Payload. If transport mode, there should have Notify
543 // payload with TRANSPORT_MODE notification.
545 NotifyPayload
= Ikev2GenerateNotifyPayload (
547 IKEV2_PAYLOAD_TYPE_NONE
,
549 IKEV2_NOTIFICATION_USE_TRANSPORT_MODE
,
556 // Generate Tsr for Tunnel mode.
558 TsiPayload
= Ikev2GenerateTsPayload (
560 IKEV2_PAYLOAD_TYPE_TS_RSP
,
563 TsrPayload
= Ikev2GenerateTsPayload (
565 IKEV2_PAYLOAD_TYPE_NONE
,
570 IKE_PACKET_APPEND_PAYLOAD (IkePacket
, IdPayload
);
571 IKE_PACKET_APPEND_PAYLOAD (IkePacket
, AuthPayload
);
572 if (IkeSaSession
->Spd
->Data
->ProcessingPolicy
->Mode
== EfiIPsecTunnel
) {
573 IKE_PACKET_APPEND_PAYLOAD (IkePacket
, CpPayload
);
575 IKE_PACKET_APPEND_PAYLOAD (IkePacket
, SaPayload
);
576 IKE_PACKET_APPEND_PAYLOAD (IkePacket
, TsiPayload
);
577 IKE_PACKET_APPEND_PAYLOAD (IkePacket
, TsrPayload
);
578 if (IkeSaSession
->Spd
->Data
->ProcessingPolicy
->Mode
== EfiIPsecTransport
) {
579 IKE_PACKET_APPEND_PAYLOAD (IkePacket
, NotifyPayload
);
586 Parses IKE_AUTH packet.
588 @param[in] SaSession Pointer to the IKE_SA_SESSION related to this packet.
589 @param[in] IkePacket Pointer to the IKE_AUTH packet to be parsered.
591 @retval EFI_INVALID_PARAMETER The IKE packet is malformed or the SA
592 proposal is unacceptable.
593 @retval EFI_SUCCESS The IKE packet is acceptable and the
594 relative data is saved for furthure communication.
600 IN IKE_PACKET
*IkePacket
603 IKEV2_CHILD_SA_SESSION
*ChildSaSession
;
604 IKEV2_SA_SESSION
*IkeSaSession
;
605 IKE_PAYLOAD
*IkePayload
;
606 IKE_PAYLOAD
*SaPayload
;
607 IKE_PAYLOAD
*IdiPayload
;
608 IKE_PAYLOAD
*IdrPayload
;
609 IKE_PAYLOAD
*AuthPayload
;
610 IKE_PAYLOAD
*TsiPayload
;
611 IKE_PAYLOAD
*TsrPayload
;
612 IKE_PAYLOAD
*VerifiedAuthPayload
;
616 IkeSaSession
= (IKEV2_SA_SESSION
*) SaSession
;
617 ChildSaSession
= IKEV2_CHILD_SA_SESSION_BY_IKE_SA (GetFirstNode (&IkeSaSession
->ChildSaSessionList
));
627 // Iterate payloads to find the SaPayload/ID/AUTH/TS Payload.
629 NET_LIST_FOR_EACH (Entry
, &(IkePacket
)->PayloadList
) {
630 IkePayload
= IKE_PAYLOAD_BY_PACKET (Entry
);
632 if (IkePayload
->PayloadType
== IKEV2_PAYLOAD_TYPE_ID_INIT
) {
633 IdiPayload
= IkePayload
;
635 if (IkePayload
->PayloadType
== IKEV2_PAYLOAD_TYPE_ID_RSP
) {
636 IdrPayload
= IkePayload
;
638 if (IkePayload
->PayloadType
== IKEV2_PAYLOAD_TYPE_SA
) {
639 SaPayload
= IkePayload
;
641 if (IkePayload
->PayloadType
== IKEV2_PAYLOAD_TYPE_AUTH
) {
642 AuthPayload
= IkePayload
;
644 if (IkePayload
->PayloadType
== IKEV2_PAYLOAD_TYPE_TS_INIT
) {
645 TsiPayload
= IkePayload
;
647 if (IkePayload
->PayloadType
== IKEV2_PAYLOAD_TYPE_TS_RSP
) {
648 TsrPayload
= IkePayload
;
652 if ((SaPayload
== NULL
) || (AuthPayload
== NULL
) || (TsiPayload
== NULL
) || (TsrPayload
== NULL
)) {
653 return EFI_INVALID_PARAMETER
;
655 if ((IdiPayload
== NULL
) && (IdrPayload
== NULL
)) {
656 return EFI_INVALID_PARAMETER
;
660 // Check IkePacket Header is match the state
662 if (IkeSaSession
->SessionCommon
.IsInitiator
) {
665 // 1. Check the IkePacket->Hdr == IKE_HEADER_FLAGS_RESPOND
667 if ((IkePacket
->Header
->Flags
!= IKE_HEADER_FLAGS_RESPOND
) ||
668 (IkePacket
->Header
->ExchangeType
!= IKEV2_EXCHANGE_TYPE_AUTH
)
670 return EFI_INVALID_PARAMETER
;
675 // 1. Check the IkePacket->Hdr == IKE_HEADER_FLAGS_INIT
677 if ((IkePacket
->Header
->Flags
!= IKE_HEADER_FLAGS_INIT
) ||
678 (IkePacket
->Header
->ExchangeType
!= IKEV2_EXCHANGE_TYPE_AUTH
)
680 return EFI_INVALID_PARAMETER
;
684 // 2. Parse the SA payload and Key Payload and find out the perferable one
685 // and fill in the Sa paramse into CommonSession->SaParams and SaData into
686 // IkeSaSession for the responder SA payload generation.
691 // Verify the Auth Payload.
693 VerifiedAuthPayload
= Ikev2PskGenerateAuthPayload (
695 IkeSaSession
->SessionCommon
.IsInitiator
? IdrPayload
: IdiPayload
,
696 IKEV2_PAYLOAD_TYPE_SA
,
699 if ((VerifiedAuthPayload
!= NULL
) &&
701 VerifiedAuthPayload
->PayloadBuf
+ sizeof (IKEV2_COMMON_PAYLOAD_HEADER
),
702 AuthPayload
->PayloadBuf
+ sizeof (IKEV2_COMMON_PAYLOAD_HEADER
),
703 VerifiedAuthPayload
->PayloadSize
- sizeof (IKEV2_COMMON_PAYLOAD_HEADER
)
705 return EFI_INVALID_PARAMETER
;
709 // 3. Parse the SA Payload to find out the cryptographic suite
710 // and fill in the Sa paramse into CommonSession->SaParams. If no acceptable
711 // porposal found, return EFI_INVALID_PARAMETER.
713 if (!Ikev2ChildSaParseSaPayload (ChildSaSession
, SaPayload
, IkePacket
->Header
->Flags
)) {
714 return EFI_INVALID_PARAMETER
;
718 // 4. Parse TSi, TSr payloads.
720 if ((((TRAFFIC_SELECTOR
*)(TsiPayload
->PayloadBuf
+ sizeof (IKEV2_TS
)))->IpProtocolId
!=
721 ((TRAFFIC_SELECTOR
*)(TsrPayload
->PayloadBuf
+ sizeof (IKEV2_TS
)))->IpProtocolId
) &&
722 (((TRAFFIC_SELECTOR
*)(TsiPayload
->PayloadBuf
+ sizeof (IKEV2_TS
)))->IpProtocolId
!= 0) &&
723 (((TRAFFIC_SELECTOR
*)(TsrPayload
->PayloadBuf
+ sizeof (IKEV2_TS
)))->IpProtocolId
!= 0)
725 return EFI_INVALID_PARAMETER
;
728 if (!IkeSaSession
->SessionCommon
.IsInitiator
) {
730 //TODO:check the Port range. Only support any port and one certain port here.
732 ChildSaSession
->ProtoId
= ((TRAFFIC_SELECTOR
*)(TsrPayload
->PayloadBuf
+ sizeof (IKEV2_TS
)))->IpProtocolId
;
733 ChildSaSession
->LocalPort
= ((TRAFFIC_SELECTOR
*)(TsrPayload
->PayloadBuf
+ sizeof (IKEV2_TS
)))->StartPort
;
734 ChildSaSession
->RemotePort
= ((TRAFFIC_SELECTOR
*)(TsiPayload
->PayloadBuf
+ sizeof (IKEV2_TS
)))->StartPort
;
736 // Association a SPD with this SA.
738 Status
= Ikev2ChildSaAssociateSpdEntry (ChildSaSession
);
739 if (EFI_ERROR (Status
)) {
740 return EFI_INVALID_PARAMETER
;
743 // Associate the IkeSaSession's SPD to the first ChildSaSession's SPD.
745 if (ChildSaSession
->IkeSaSession
->Spd
== NULL
) {
746 ChildSaSession
->IkeSaSession
->Spd
= ChildSaSession
->Spd
;
747 Ikev2ChildSaSessionSpdSelectorCreate (ChildSaSession
);
751 //TODO:check the Port range.
753 if ((((TRAFFIC_SELECTOR
*)(TsrPayload
->PayloadBuf
+ sizeof (IKEV2_TS
)))->StartPort
!= 0) &&
754 (((TRAFFIC_SELECTOR
*)(TsrPayload
->PayloadBuf
+ sizeof (IKEV2_TS
)))->StartPort
!= ChildSaSession
->RemotePort
)
756 return EFI_INVALID_PARAMETER
;
758 if ((((TRAFFIC_SELECTOR
*)(TsiPayload
->PayloadBuf
+ sizeof (IKEV2_TS
)))->StartPort
!= 0) &&
759 (((TRAFFIC_SELECTOR
*)(TsiPayload
->PayloadBuf
+ sizeof (IKEV2_TS
)))->StartPort
!= ChildSaSession
->LocalPort
)
761 return EFI_INVALID_PARAMETER
;
764 // For the tunnel mode, it should add the vitual IP address into the SA's SPD Selector.
766 if (ChildSaSession
->Spd
->Data
->ProcessingPolicy
->Mode
== EfiIPsecTunnel
) {
767 if (!ChildSaSession
->IkeSaSession
->SessionCommon
.IsInitiator
) {
769 // If it is tunnel mode, the UEFI part must be the initiator.
771 return EFI_INVALID_PARAMETER
;
774 // Get the Virtual IP address from the Tsi traffic selector.
775 // TODO: check the CFG reply payload
778 &ChildSaSession
->SpdSelector
->LocalAddress
[0].Address
,
779 TsiPayload
->PayloadBuf
+ sizeof (IKEV2_TS
) + sizeof (TRAFFIC_SELECTOR
),
780 (ChildSaSession
->SessionCommon
.UdpService
->IpVersion
== IP_VERSION_4
) ?
781 sizeof (EFI_IPv4_ADDRESS
) : sizeof (EFI_IPv6_ADDRESS
)
787 // 5. Generate keymats for IPsec protocol.
789 Ikev2GenerateChildSaKeys (ChildSaSession
, NULL
);
790 if (IkeSaSession
->SessionCommon
.IsInitiator
) {
792 // 6. Change the state of IkeSaSession
794 IKEV2_DUMP_STATE (IkeSaSession
->SessionCommon
.State
, IkeStateIkeSaEstablished
);
795 IkeSaSession
->SessionCommon
.State
= IkeStateIkeSaEstablished
;
802 Gernerates IKEv2 packet for IKE_SA_INIT exchange.
804 @param[in] SaSession Pointer to IKEV2_SA_SESSION related to the exchange.
805 @param[in] Context Context Data passed by caller.
807 @retval EFI_SUCCESS The IKE packet generation succeeded.
808 @retval Others The IKE packet generation failed.
812 Ikev2InitCertGenerator (
817 IKE_PACKET
*IkePacket
;
818 IKE_PAYLOAD
*CertReqPayload
;
820 IKE_PAYLOAD
*NoncePayload
;
822 if (!FeaturePcdGet (PcdIpsecCertificateEnabled
)) {
827 // The first two messages exchange is same between PSK and Cert.
829 IkePacket
= Ikev2InitPskGenerator (SaSession
, Context
);
831 if ((IkePacket
!= NULL
) && (!((IKEV2_SA_SESSION
*)SaSession
)->SessionCommon
.IsInitiator
)) {
833 // Add the Certification Request Payload
835 CertReqPayload
= Ikev2GenerateCertificatePayload (
836 (IKEV2_SA_SESSION
*)SaSession
,
837 IKEV2_PAYLOAD_TYPE_NONE
,
838 (UINT8
*)PcdGetPtr(PcdIpsecUefiCaFile
),
839 PcdGet32(PcdIpsecUefiCaFileSize
),
840 IKEV2_CERT_ENCODEING_HASH_AND_URL_OF_X509_CERT
,
844 // Change Nonce Payload Next payload type.
846 IKE_PACKET_END_PAYLOAD (IkePacket
, Node
);
847 NoncePayload
= IKE_PAYLOAD_BY_PACKET (Node
);
848 ((IKEV2_NONCE
*)NoncePayload
->PayloadBuf
)->Header
.NextPayload
= IKEV2_PAYLOAD_TYPE_CERTREQ
;
851 // Add Certification Request Payload
853 IKE_PACKET_APPEND_PAYLOAD (IkePacket
, CertReqPayload
);
860 Parses the IKEv2 packet for IKE_SA_INIT exchange.
862 @param[in] SaSession Pointer to IKEV2_SA_SESSION related to the exchange.
863 @param[in] IkePacket The received IKEv2 packet to be parsed.
865 @retval EFI_SUCCESS The IKEv2 packet is acceptable and the relative data is
866 saved for furthure communication.
867 @retval EFI_INVALID_PARAMETER The IKE packet is malformed or the SA proposal is unacceptable.
868 @retval EFI_UNSUPPORTED The certificate authentication is not supported.
872 Ikev2InitCertParser (
874 IN IKE_PACKET
*IkePacket
877 if (!FeaturePcdGet (PcdIpsecCertificateEnabled
)) {
878 return EFI_UNSUPPORTED
;
882 // The first two messages exchange is same between PSK and Cert.
883 // Todo: Parse Certificate Request from responder Initial Exchange.
885 return Ikev2InitPskParser (SaSession
, IkePacket
);
889 Generates the IKEv2 packet for IKE_AUTH exchange.
891 @param[in] SaSession Pointer to IKEV2_SA_SESSION.
892 @param[in] Context Context data passed by caller.
894 @retval Pointer to IKEv2 Packet to be sent out.
898 Ikev2AuthCertGenerator (
903 IKE_PACKET
*IkePacket
;
904 IKEV2_SA_SESSION
*IkeSaSession
;
905 IKE_PAYLOAD
*IdPayload
;
906 IKE_PAYLOAD
*AuthPayload
;
907 IKE_PAYLOAD
*SaPayload
;
908 IKE_PAYLOAD
*TsiPayload
;
909 IKE_PAYLOAD
*TsrPayload
;
910 IKE_PAYLOAD
*NotifyPayload
;
911 IKE_PAYLOAD
*CpPayload
;
912 IKE_PAYLOAD
*CertPayload
;
913 IKE_PAYLOAD
*CertReqPayload
;
914 IKEV2_CHILD_SA_SESSION
*ChildSaSession
;
916 if (!FeaturePcdGet (PcdIpsecCertificateEnabled
)) {
920 IkeSaSession
= (IKEV2_SA_SESSION
*) SaSession
;
921 ChildSaSession
= IKEV2_CHILD_SA_SESSION_BY_IKE_SA (GetFirstNode (&IkeSaSession
->ChildSaSessionList
));
924 NotifyPayload
= NULL
;
926 CertReqPayload
= NULL
;
929 // 1. Allocate IKE Packet
931 IkePacket
= IkePacketAlloc ();
932 ASSERT (IkePacket
!= NULL
);
935 // 1.a Fill the IkePacket Header.
937 IkePacket
->Header
->ExchangeType
= IKEV2_EXCHANGE_TYPE_AUTH
;
938 IkePacket
->Header
->InitiatorCookie
= IkeSaSession
->InitiatorCookie
;
939 IkePacket
->Header
->ResponderCookie
= IkeSaSession
->ResponderCookie
;
940 IkePacket
->Header
->Version
= (UINT8
)(2 << 4);
941 if (ChildSaSession
->SessionCommon
.IsInitiator
) {
942 IkePacket
->Header
->NextPayload
= IKEV2_PAYLOAD_TYPE_ID_INIT
;
944 IkePacket
->Header
->NextPayload
= IKEV2_PAYLOAD_TYPE_ID_RSP
;
948 // According to RFC4306_2.2, For the IKE_SA_INIT message the MessageID should
949 // be always number 0 and 1;
951 IkePacket
->Header
->MessageId
= 1;
953 if (IkeSaSession
->SessionCommon
.IsInitiator
) {
954 IkePacket
->Header
->Flags
= IKE_HEADER_FLAGS_INIT
;
956 IkePacket
->Header
->Flags
= IKE_HEADER_FLAGS_RESPOND
;
960 // 2. Generate ID Payload according to IP version and address.
962 IdPayload
= Ikev2GenerateCertIdPayload (
963 &IkeSaSession
->SessionCommon
,
964 IKEV2_PAYLOAD_TYPE_CERT
,
965 (UINT8
*)PcdGetPtr (PcdIpsecUefiCertificate
),
966 PcdGet32 (PcdIpsecUefiCertificateSize
)
970 // 3. Generate Certificate Payload
972 CertPayload
= Ikev2GenerateCertificatePayload (
974 (UINT8
)(IkeSaSession
->SessionCommon
.IsInitiator
? IKEV2_PAYLOAD_TYPE_CERTREQ
: IKEV2_PAYLOAD_TYPE_AUTH
),
975 (UINT8
*)PcdGetPtr (PcdIpsecUefiCertificate
),
976 PcdGet32 (PcdIpsecUefiCertificateSize
),
977 IKEV2_CERT_ENCODEING_X509_CERT_SIGN
,
980 if (IkeSaSession
->SessionCommon
.IsInitiator
) {
981 CertReqPayload
= Ikev2GenerateCertificatePayload (
983 IKEV2_PAYLOAD_TYPE_AUTH
,
984 (UINT8
*)PcdGetPtr (PcdIpsecUefiCertificate
),
985 PcdGet32 (PcdIpsecUefiCertificateSize
),
986 IKEV2_CERT_ENCODEING_HASH_AND_URL_OF_X509_CERT
,
992 // 4. Generate Auth Payload
993 // If it is tunnel mode, should create the configuration payload after the
996 if (IkeSaSession
->Spd
->Data
->ProcessingPolicy
->Mode
== EfiIPsecTransport
) {
997 AuthPayload
= Ikev2CertGenerateAuthPayload (
998 ChildSaSession
->IkeSaSession
,
1000 IKEV2_PAYLOAD_TYPE_SA
,
1002 (UINT8
*)PcdGetPtr (PcdIpsecUefiCertificateKey
),
1003 PcdGet32 (PcdIpsecUefiCertificateKeySize
),
1004 ChildSaSession
->IkeSaSession
->Pad
->Data
->AuthData
,
1005 ChildSaSession
->IkeSaSession
->Pad
->Data
->AuthDataSize
1008 AuthPayload
= Ikev2CertGenerateAuthPayload (
1009 ChildSaSession
->IkeSaSession
,
1011 IKEV2_PAYLOAD_TYPE_CP
,
1013 (UINT8
*)PcdGetPtr (PcdIpsecUefiCertificateKey
),
1014 PcdGet32 (PcdIpsecUefiCertificateKeySize
),
1015 ChildSaSession
->IkeSaSession
->Pad
->Data
->AuthData
,
1016 ChildSaSession
->IkeSaSession
->Pad
->Data
->AuthDataSize
1018 if (IkeSaSession
->SessionCommon
.UdpService
->IpVersion
== IP_VERSION_4
) {
1019 CpPayload
= Ikev2GenerateCpPayload (
1020 ChildSaSession
->IkeSaSession
,
1021 IKEV2_PAYLOAD_TYPE_SA
,
1022 IKEV2_CFG_ATTR_INTERNAL_IP4_ADDRESS
1025 CpPayload
= Ikev2GenerateCpPayload (
1026 ChildSaSession
->IkeSaSession
,
1027 IKEV2_PAYLOAD_TYPE_SA
,
1028 IKEV2_CFG_ATTR_INTERNAL_IP6_ADDRESS
1034 // 5. Generate SA Payload according to the Sa Data in ChildSaSession
1036 SaPayload
= Ikev2GenerateSaPayload (
1037 ChildSaSession
->SaData
,
1038 IKEV2_PAYLOAD_TYPE_TS_INIT
,
1039 IkeSessionTypeChildSa
1042 if (IkeSaSession
->Spd
->Data
->ProcessingPolicy
->Mode
== EfiIPsecTransport
) {
1044 // Generate Tsi and Tsr.
1046 TsiPayload
= Ikev2GenerateTsPayload (
1048 IKEV2_PAYLOAD_TYPE_TS_RSP
,
1052 TsrPayload
= Ikev2GenerateTsPayload (
1054 IKEV2_PAYLOAD_TYPE_NOTIFY
,
1059 // Generate Notify Payload. If transport mode, there should have Notify
1060 // payload with TRANSPORT_MODE notification.
1062 NotifyPayload
= Ikev2GenerateNotifyPayload (
1064 IKEV2_PAYLOAD_TYPE_NONE
,
1066 IKEV2_NOTIFICATION_USE_TRANSPORT_MODE
,
1073 // Generate Tsr for Tunnel mode.
1075 TsiPayload
= Ikev2GenerateTsPayload (
1077 IKEV2_PAYLOAD_TYPE_TS_RSP
,
1080 TsrPayload
= Ikev2GenerateTsPayload (
1082 IKEV2_PAYLOAD_TYPE_NONE
,
1087 IKE_PACKET_APPEND_PAYLOAD (IkePacket
, IdPayload
);
1088 IKE_PACKET_APPEND_PAYLOAD (IkePacket
, CertPayload
);
1089 if (IkeSaSession
->SessionCommon
.IsInitiator
) {
1090 IKE_PACKET_APPEND_PAYLOAD (IkePacket
, CertReqPayload
);
1092 IKE_PACKET_APPEND_PAYLOAD (IkePacket
, AuthPayload
);
1093 if (IkeSaSession
->Spd
->Data
->ProcessingPolicy
->Mode
== EfiIPsecTunnel
) {
1094 IKE_PACKET_APPEND_PAYLOAD (IkePacket
, CpPayload
);
1096 IKE_PACKET_APPEND_PAYLOAD (IkePacket
, SaPayload
);
1097 IKE_PACKET_APPEND_PAYLOAD (IkePacket
, TsiPayload
);
1098 IKE_PACKET_APPEND_PAYLOAD (IkePacket
, TsrPayload
);
1099 if (IkeSaSession
->Spd
->Data
->ProcessingPolicy
->Mode
== EfiIPsecTransport
) {
1100 IKE_PACKET_APPEND_PAYLOAD (IkePacket
, NotifyPayload
);
1107 Parses IKE_AUTH packet.
1109 @param[in] SaSession Pointer to the IKE_SA_SESSION related to this packet.
1110 @param[in] IkePacket Pointer to the IKE_AUTH packet to be parsered.
1112 @retval EFI_INVALID_PARAMETER The IKEv2 packet is malformed or the SA
1113 proposal is unacceptable.
1114 @retval EFI_SUCCESS The IKE packet is acceptable and the
1115 relative data is saved for furthure communication.
1116 @retval EFI_UNSUPPORTED The certificate authentication is not supported.
1120 Ikev2AuthCertParser (
1121 IN UINT8
*SaSession
,
1122 IN IKE_PACKET
*IkePacket
1125 IKEV2_CHILD_SA_SESSION
*ChildSaSession
;
1126 IKEV2_SA_SESSION
*IkeSaSession
;
1127 IKE_PAYLOAD
*IkePayload
;
1128 IKE_PAYLOAD
*SaPayload
;
1129 IKE_PAYLOAD
*IdiPayload
;
1130 IKE_PAYLOAD
*IdrPayload
;
1131 IKE_PAYLOAD
*AuthPayload
;
1132 IKE_PAYLOAD
*TsiPayload
;
1133 IKE_PAYLOAD
*TsrPayload
;
1134 IKE_PAYLOAD
*CertPayload
;
1135 IKE_PAYLOAD
*CertReqPayload
;
1136 IKE_PAYLOAD
*VerifiedAuthPayload
;
1140 if (!FeaturePcdGet (PcdIpsecCertificateEnabled
)) {
1141 return EFI_UNSUPPORTED
;
1144 IkeSaSession
= (IKEV2_SA_SESSION
*) SaSession
;
1145 ChildSaSession
= IKEV2_CHILD_SA_SESSION_BY_IKE_SA (GetFirstNode (&IkeSaSession
->ChildSaSessionList
));
1154 CertReqPayload
= NULL
;
1155 VerifiedAuthPayload
= NULL
;
1156 Status
= EFI_INVALID_PARAMETER
;
1159 // Iterate payloads to find the SaPayload/ID/AUTH/TS Payload.
1161 NET_LIST_FOR_EACH (Entry
, &(IkePacket
)->PayloadList
) {
1162 IkePayload
= IKE_PAYLOAD_BY_PACKET (Entry
);
1164 if (IkePayload
->PayloadType
== IKEV2_PAYLOAD_TYPE_ID_INIT
) {
1165 IdiPayload
= IkePayload
;
1167 if (IkePayload
->PayloadType
== IKEV2_PAYLOAD_TYPE_ID_RSP
) {
1168 IdrPayload
= IkePayload
;
1171 if (IkePayload
->PayloadType
== IKEV2_PAYLOAD_TYPE_SA
) {
1172 SaPayload
= IkePayload
;
1174 if (IkePayload
->PayloadType
== IKEV2_PAYLOAD_TYPE_AUTH
) {
1175 AuthPayload
= IkePayload
;
1177 if (IkePayload
->PayloadType
== IKEV2_PAYLOAD_TYPE_TS_INIT
) {
1178 TsiPayload
= IkePayload
;
1180 if (IkePayload
->PayloadType
== IKEV2_PAYLOAD_TYPE_TS_RSP
) {
1181 TsrPayload
= IkePayload
;
1183 if (IkePayload
->PayloadType
== IKEV2_PAYLOAD_TYPE_CERT
) {
1184 CertPayload
= IkePayload
;
1186 if (IkePayload
->PayloadType
== IKEV2_PAYLOAD_TYPE_CERTREQ
) {
1187 CertReqPayload
= IkePayload
;
1191 if ((SaPayload
== NULL
) || (AuthPayload
== NULL
) || (TsiPayload
== NULL
) ||
1192 (TsrPayload
== NULL
) || (CertPayload
== NULL
)) {
1195 if ((IdiPayload
== NULL
) && (IdrPayload
== NULL
)) {
1200 // Check IkePacket Header is match the state
1202 if (IkeSaSession
->SessionCommon
.IsInitiator
) {
1205 // 1. Check the IkePacket->Hdr == IKE_HEADER_FLAGS_RESPOND
1207 if ((IkePacket
->Header
->Flags
!= IKE_HEADER_FLAGS_RESPOND
) ||
1208 (IkePacket
->Header
->ExchangeType
!= IKEV2_EXCHANGE_TYPE_AUTH
)) {
1213 // 1. Check the IkePacket->Hdr == IKE_HEADER_FLAGS_INIT
1215 if ((IkePacket
->Header
->Flags
!= IKE_HEADER_FLAGS_INIT
) ||
1216 (IkePacket
->Header
->ExchangeType
!= IKEV2_EXCHANGE_TYPE_AUTH
)) {
1222 // Verify the Auth Payload.
1224 VerifiedAuthPayload
= Ikev2CertGenerateAuthPayload (
1226 IkeSaSession
->SessionCommon
.IsInitiator
? IdrPayload
:IdiPayload
,
1227 IKEV2_PAYLOAD_TYPE_SA
,
1235 if ((VerifiedAuthPayload
!= NULL
) &&
1236 (!IpSecCryptoIoVerifySignDataByCertificate (
1237 CertPayload
->PayloadBuf
+ sizeof (IKEV2_CERT
),
1238 CertPayload
->PayloadSize
- sizeof (IKEV2_CERT
),
1239 (UINT8
*)PcdGetPtr (PcdIpsecUefiCaFile
),
1240 PcdGet32 (PcdIpsecUefiCaFileSize
),
1241 VerifiedAuthPayload
->PayloadBuf
+ sizeof (IKEV2_AUTH
),
1242 VerifiedAuthPayload
->PayloadSize
- sizeof (IKEV2_AUTH
),
1243 AuthPayload
->PayloadBuf
+ sizeof (IKEV2_AUTH
),
1244 AuthPayload
->PayloadSize
- sizeof (IKEV2_AUTH
)
1250 // 3. Parse the SA Payload to find out the cryptographic suite
1251 // and fill in the SA paramse into CommonSession->SaParams. If no acceptable
1252 // porposal found, return EFI_INVALID_PARAMETER.
1254 if (!Ikev2ChildSaParseSaPayload (ChildSaSession
, SaPayload
, IkePacket
->Header
->Flags
)) {
1259 // 4. Parse TSi, TSr payloads.
1261 if ((((TRAFFIC_SELECTOR
*)(TsiPayload
->PayloadBuf
+ sizeof (IKEV2_TS
)))->IpProtocolId
!=
1262 ((TRAFFIC_SELECTOR
*)(TsrPayload
->PayloadBuf
+ sizeof (IKEV2_TS
)))->IpProtocolId
) &&
1263 (((TRAFFIC_SELECTOR
*)(TsiPayload
->PayloadBuf
+ sizeof (IKEV2_TS
)))->IpProtocolId
!= 0) &&
1264 (((TRAFFIC_SELECTOR
*)(TsrPayload
->PayloadBuf
+ sizeof (IKEV2_TS
)))->IpProtocolId
!= 0)
1269 if (!IkeSaSession
->SessionCommon
.IsInitiator
) {
1271 //Todo:check the Port range. Only support any port and one certain port here.
1273 ChildSaSession
->ProtoId
= ((TRAFFIC_SELECTOR
*)(TsrPayload
->PayloadBuf
+ sizeof (IKEV2_TS
)))->IpProtocolId
;
1274 ChildSaSession
->LocalPort
= ((TRAFFIC_SELECTOR
*)(TsrPayload
->PayloadBuf
+ sizeof (IKEV2_TS
)))->StartPort
;
1275 ChildSaSession
->RemotePort
= ((TRAFFIC_SELECTOR
*)(TsiPayload
->PayloadBuf
+ sizeof (IKEV2_TS
)))->StartPort
;
1277 // Association a SPD with this SA.
1279 if (EFI_ERROR (Ikev2ChildSaAssociateSpdEntry (ChildSaSession
))) {
1283 // Associate the IkeSaSession's SPD to the first ChildSaSession's SPD.
1285 if (ChildSaSession
->IkeSaSession
->Spd
== NULL
) {
1286 ChildSaSession
->IkeSaSession
->Spd
= ChildSaSession
->Spd
;
1287 Ikev2ChildSaSessionSpdSelectorCreate (ChildSaSession
);
1291 // Todo:check the Port range.
1293 if ((((TRAFFIC_SELECTOR
*)(TsrPayload
->PayloadBuf
+ sizeof (IKEV2_TS
)))->StartPort
!= 0) &&
1294 (((TRAFFIC_SELECTOR
*)(TsrPayload
->PayloadBuf
+ sizeof (IKEV2_TS
)))->StartPort
!= ChildSaSession
->RemotePort
)
1298 if ((((TRAFFIC_SELECTOR
*)(TsiPayload
->PayloadBuf
+ sizeof (IKEV2_TS
)))->StartPort
!= 0) &&
1299 (((TRAFFIC_SELECTOR
*)(TsiPayload
->PayloadBuf
+ sizeof (IKEV2_TS
)))->StartPort
!= ChildSaSession
->LocalPort
)
1304 // For the tunnel mode, it should add the vitual IP address into the SA's SPD Selector.
1306 if (ChildSaSession
->Spd
->Data
->ProcessingPolicy
->Mode
== EfiIPsecTunnel
) {
1307 if (!ChildSaSession
->IkeSaSession
->SessionCommon
.IsInitiator
) {
1309 // If it is tunnel mode, the UEFI part must be the initiator.
1314 // Get the Virtual IP address from the Tsi traffic selector.
1315 // TODO: check the CFG reply payload
1318 &ChildSaSession
->SpdSelector
->LocalAddress
[0].Address
,
1319 TsiPayload
->PayloadBuf
+ sizeof (IKEV2_TS
) + sizeof (TRAFFIC_SELECTOR
),
1320 (ChildSaSession
->SessionCommon
.UdpService
->IpVersion
== IP_VERSION_4
) ?
1321 sizeof (EFI_IPv4_ADDRESS
) : sizeof (EFI_IPv6_ADDRESS
)
1327 // 5. Generat keymats for IPsec protocol.
1329 Ikev2GenerateChildSaKeys (ChildSaSession
, NULL
);
1330 if (IkeSaSession
->SessionCommon
.IsInitiator
) {
1332 // 6. Change the state of IkeSaSession
1334 IKEV2_DUMP_STATE (IkeSaSession
->SessionCommon
.State
, IkeStateIkeSaEstablished
);
1335 IkeSaSession
->SessionCommon
.State
= IkeStateIkeSaEstablished
;
1338 Status
= EFI_SUCCESS
;
1341 if (VerifiedAuthPayload
!= NULL
) {
1342 IkePayloadFree (VerifiedAuthPayload
);
1348 Generates the DH Public Key.
1350 This generates the DH local public key and store it in the IKE SA Session's GxBuffer.
1352 @param[in] IkeSaSession Pointer to related IKE SA Session.
1354 @retval EFI_SUCCESS The operation succeeded.
1355 @retval Others The operation failed.
1359 Ikev2GenerateSaDhPublicKey (
1360 IN IKEV2_SA_SESSION
*IkeSaSession
1364 IKEV2_SESSION_KEYS
*IkeKeys
;
1366 IkeSaSession
->IkeKeys
= AllocateZeroPool (sizeof (IKEV2_SESSION_KEYS
));
1367 ASSERT (IkeSaSession
->IkeKeys
!= NULL
);
1368 IkeKeys
= IkeSaSession
->IkeKeys
;
1369 IkeKeys
->DhBuffer
= AllocateZeroPool (sizeof (IKEV2_DH_BUFFER
));
1370 ASSERT (IkeKeys
->DhBuffer
!= NULL
);
1373 // Init DH with the certain DH Group Description.
1375 IkeKeys
->DhBuffer
->GxSize
= OakleyModpGroup
[(UINT8
)IkeSaSession
->SessionCommon
.PreferDhGroup
].Size
>> 3;
1376 IkeKeys
->DhBuffer
->GxBuffer
= AllocateZeroPool (IkeKeys
->DhBuffer
->GxSize
);
1377 ASSERT (IkeKeys
->DhBuffer
->GxBuffer
!= NULL
);
1382 Status
= IpSecCryptoIoDhGetPublicKey (
1383 &IkeKeys
->DhBuffer
->DhContext
,
1384 OakleyModpGroup
[(UINT8
)IkeSaSession
->SessionCommon
.PreferDhGroup
].GroupGenerator
,
1385 OakleyModpGroup
[(UINT8
)IkeSaSession
->SessionCommon
.PreferDhGroup
].Size
,
1386 OakleyModpGroup
[(UINT8
)IkeSaSession
->SessionCommon
.PreferDhGroup
].Modulus
,
1387 IkeKeys
->DhBuffer
->GxBuffer
,
1388 &IkeKeys
->DhBuffer
->GxSize
1390 if (EFI_ERROR (Status
)) {
1391 DEBUG ((DEBUG_ERROR
, "Error CPLKeyManGetKeyParam X public key error Status = %r\n", Status
));
1395 IPSEC_DUMP_BUF ("DH Public Key (g^x) Dump", IkeKeys
->DhBuffer
->GxBuffer
, IkeKeys
->DhBuffer
->GxSize
);
1401 Computes the DH Shared/Exchange Key.
1403 Given peer's public key, this function computes the exchanged common key and
1404 stores it in the IKEv2 SA Session's GxyBuffer.
1406 @param[in] DhBuffer Pointer to buffer of peer's puliic key.
1407 @param[in] KePayload Pointer to received key payload.
1409 @retval EFI_SUCCESS The operation succeeded.
1410 @retval Otherwise The operation failed.
1414 Ikev2GenerateSaDhComputeKey (
1415 IN IKEV2_DH_BUFFER
*DhBuffer
,
1416 IN IKE_PAYLOAD
*KePayload
1420 IKEV2_KEY_EXCHANGE
*Ke
;
1424 Ke
= (IKEV2_KEY_EXCHANGE
*) KePayload
->PayloadBuf
;
1425 PubKey
= (UINT8
*) (Ke
+ 1);
1426 PubKeySize
= KePayload
->PayloadSize
- sizeof (IKEV2_KEY_EXCHANGE
);
1427 DhBuffer
->GxySize
= DhBuffer
->GxSize
;
1428 DhBuffer
->GxyBuffer
= AllocateZeroPool (DhBuffer
->GxySize
);
1429 ASSERT (DhBuffer
->GxyBuffer
!= NULL
);
1434 Status
= IpSecCryptoIoDhComputeKey (
1435 DhBuffer
->DhContext
,
1438 DhBuffer
->GxyBuffer
,
1441 if (EFI_ERROR (Status
)) {
1442 DEBUG ((DEBUG_ERROR
, "Error CPLKeyManGetKeyParam Y session key error Status = %r\n", Status
));
1449 DhBuffer
->GySize
= PubKeySize
;
1450 DhBuffer
->GyBuffer
= AllocateZeroPool (DhBuffer
->GySize
);
1451 ASSERT (DhBuffer
->GyBuffer
!= NULL
);
1452 CopyMem (DhBuffer
->GyBuffer
, PubKey
, DhBuffer
->GySize
);
1454 IPSEC_DUMP_BUF ("DH Public Key (g^y) Dump", DhBuffer
->GyBuffer
, DhBuffer
->GySize
);
1455 IPSEC_DUMP_BUF ("DH Shared Key (g^xy) Dump", DhBuffer
->GxyBuffer
, DhBuffer
->GxySize
);
1461 Generates the IKE SKEYSEED and seven other secrets. SK_d, SK_ai, SK_ar, SK_ei, SK_er,
1462 SK_pi, SK_pr are keys for the furthure IKE exchange.
1464 @param[in] IkeSaSession Pointer to IKE SA Session.
1465 @param[in] KePayload Pointer to Key payload used to generate the Key.
1467 @retval EFI_UNSUPPORTED If one or more Algorithm Id is not supported.
1468 @retval EFI_OUT_OF_RESOURCES If there is no enough resource to be allocated to
1469 meet the requirement.
1470 @retval EFI_SUCCESS The operation succeeded.
1474 Ikev2GenerateSaKeys (
1475 IN IKEV2_SA_SESSION
*IkeSaSession
,
1476 IN IKE_PAYLOAD
*KePayload
1480 IKEV2_SA_PARAMS
*SaParams
;
1481 IPSEC_PAD_ENTRY
*Pad
;
1482 PRF_DATA_FRAGMENT Fragments
[4];
1483 UINT64 InitiatorCookieNet
;
1484 UINT64 ResponderCookieNet
;
1486 UINTN KeyBufferSize
;
1487 UINTN AuthAlgKeyLen
;
1488 UINTN EncryptAlgKeyLen
;
1489 UINTN IntegrityAlgKeyLen
;
1492 UINTN OutputKeyLength
;
1499 Status
= EFI_SUCCESS
;
1504 Ikev2GenerateSaDhComputeKey (IkeSaSession
->IkeKeys
->DhBuffer
, KePayload
);
1506 Pad
= IkeSaSession
->Pad
;
1509 // Get the key length of Authenticaion, Encryption, PRF, and Integrity.
1511 SaParams
= IkeSaSession
->SessionCommon
.SaParams
;
1512 AuthAlgKeyLen
= IpSecGetHmacDigestLength ((UINT8
)SaParams
->Prf
);
1513 EncryptAlgKeyLen
= IpSecGetEncryptKeyLength ((UINT8
)SaParams
->EncAlgId
);
1514 IntegrityAlgKeyLen
= IpSecGetHmacDigestLength ((UINT8
)SaParams
->IntegAlgId
);
1515 PrfAlgKeyLen
= IpSecGetHmacDigestLength ((UINT8
)SaParams
->Prf
);
1518 // If one or more algorithm is not support, return EFI_UNSUPPORTED.
1520 if (AuthAlgKeyLen
== 0 ||
1521 EncryptAlgKeyLen
== 0 ||
1522 IntegrityAlgKeyLen
== 0 ||
1525 Status
= EFI_UNSUPPORTED
;
1530 // Compute SKEYSEED = prf(Ni | Nr, g^ir)
1532 KeyBufferSize
= IkeSaSession
->NiBlkSize
+ IkeSaSession
->NrBlkSize
;
1533 KeyBuffer
= AllocateZeroPool (KeyBufferSize
);
1534 ASSERT (KeyBuffer
!= NULL
);
1536 CopyMem (KeyBuffer
, IkeSaSession
->NiBlock
, IkeSaSession
->NiBlkSize
);
1537 CopyMem (KeyBuffer
+ IkeSaSession
->NiBlkSize
, IkeSaSession
->NrBlock
, IkeSaSession
->NrBlkSize
);
1539 Fragments
[0].Data
= IkeSaSession
->IkeKeys
->DhBuffer
->GxyBuffer
;
1540 Fragments
[0].DataSize
= IkeSaSession
->IkeKeys
->DhBuffer
->GxySize
;
1542 DigestSize
= IpSecGetHmacDigestLength ((UINT8
)SaParams
->Prf
);
1543 Digest
= AllocateZeroPool (DigestSize
);
1545 if (Digest
== NULL
) {
1546 Status
= EFI_OUT_OF_RESOURCES
;
1551 (UINT8
)SaParams
->Prf
,
1554 (HASH_DATA_FRAGMENT
*) Fragments
,
1561 // {SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr } = prf+
1562 // (SKEYSEED, Ni | Nr | SPIi | SPIr )
1564 Fragments
[0].Data
= IkeSaSession
->NiBlock
;
1565 Fragments
[0].DataSize
= IkeSaSession
->NiBlkSize
;
1566 Fragments
[1].Data
= IkeSaSession
->NrBlock
;
1567 Fragments
[1].DataSize
= IkeSaSession
->NrBlkSize
;
1568 InitiatorCookieNet
= HTONLL (IkeSaSession
->InitiatorCookie
);
1569 ResponderCookieNet
= HTONLL (IkeSaSession
->ResponderCookie
);
1570 Fragments
[2].Data
= (UINT8
*)(&InitiatorCookieNet
);
1571 Fragments
[2].DataSize
= sizeof (IkeSaSession
->InitiatorCookie
);
1572 Fragments
[3].Data
= (UINT8
*)(&ResponderCookieNet
);
1573 Fragments
[3].DataSize
= sizeof (IkeSaSession
->ResponderCookie
);
1575 IPSEC_DUMP_BUF (">>> NiBlock", IkeSaSession
->NiBlock
, IkeSaSession
->NiBlkSize
);
1576 IPSEC_DUMP_BUF (">>> NrBlock", IkeSaSession
->NrBlock
, IkeSaSession
->NrBlkSize
);
1577 IPSEC_DUMP_BUF (">>> InitiatorCookie", (UINT8
*)&IkeSaSession
->InitiatorCookie
, sizeof(UINT64
));
1578 IPSEC_DUMP_BUF (">>> ResponderCookie", (UINT8
*)&IkeSaSession
->ResponderCookie
, sizeof(UINT64
));
1580 OutputKeyLength
= PrfAlgKeyLen
+
1581 2 * EncryptAlgKeyLen
+
1583 2 * IntegrityAlgKeyLen
;
1584 OutputKey
= AllocateZeroPool (OutputKeyLength
);
1585 if (OutputKey
== NULL
) {
1586 Status
= EFI_OUT_OF_RESOURCES
;
1591 // Generate Seven Keymates.
1593 Status
= Ikev2SaGenerateKey (
1594 (UINT8
)SaParams
->Prf
,
1602 if (EFI_ERROR(Status
)) {
1607 // Save the seven keys into KeySession.
1610 IkeSaSession
->IkeKeys
->SkdKey
= AllocateZeroPool (PrfAlgKeyLen
);
1611 if (IkeSaSession
->IkeKeys
->SkdKey
== NULL
) {
1612 Status
= EFI_OUT_OF_RESOURCES
;
1615 IkeSaSession
->IkeKeys
->SkdKeySize
= PrfAlgKeyLen
;
1616 CopyMem (IkeSaSession
->IkeKeys
->SkdKey
, OutputKey
, PrfAlgKeyLen
);
1618 IPSEC_DUMP_BUF (">>> SK_D Key", IkeSaSession
->IkeKeys
->SkdKey
, PrfAlgKeyLen
);
1623 IkeSaSession
->IkeKeys
->SkAiKey
= AllocateZeroPool (IntegrityAlgKeyLen
);
1624 if (IkeSaSession
->IkeKeys
->SkAiKey
== NULL
) {
1625 Status
= EFI_OUT_OF_RESOURCES
;
1628 IkeSaSession
->IkeKeys
->SkAiKeySize
= IntegrityAlgKeyLen
;
1629 CopyMem (IkeSaSession
->IkeKeys
->SkAiKey
, OutputKey
+ PrfAlgKeyLen
, IntegrityAlgKeyLen
);
1631 IPSEC_DUMP_BUF (">>> SK_Ai Key", IkeSaSession
->IkeKeys
->SkAiKey
, IkeSaSession
->IkeKeys
->SkAiKeySize
);
1636 IkeSaSession
->IkeKeys
->SkArKey
= AllocateZeroPool (IntegrityAlgKeyLen
);
1637 if (IkeSaSession
->IkeKeys
->SkArKey
== NULL
) {
1638 Status
= EFI_OUT_OF_RESOURCES
;
1641 IkeSaSession
->IkeKeys
->SkArKeySize
= IntegrityAlgKeyLen
;
1643 IkeSaSession
->IkeKeys
->SkArKey
,
1644 OutputKey
+ PrfAlgKeyLen
+ IntegrityAlgKeyLen
,
1648 IPSEC_DUMP_BUF (">>> SK_Ar Key", IkeSaSession
->IkeKeys
->SkArKey
, IkeSaSession
->IkeKeys
->SkArKeySize
);
1653 IkeSaSession
->IkeKeys
->SkEiKey
= AllocateZeroPool (EncryptAlgKeyLen
);
1654 if (IkeSaSession
->IkeKeys
->SkEiKey
== NULL
) {
1655 Status
= EFI_OUT_OF_RESOURCES
;
1658 IkeSaSession
->IkeKeys
->SkEiKeySize
= EncryptAlgKeyLen
;
1661 IkeSaSession
->IkeKeys
->SkEiKey
,
1662 OutputKey
+ AuthAlgKeyLen
+ 2 * IntegrityAlgKeyLen
,
1667 OutputKey
+ AuthAlgKeyLen
+ 2 * IntegrityAlgKeyLen
,
1674 IkeSaSession
->IkeKeys
->SkErKey
= AllocateZeroPool (EncryptAlgKeyLen
);
1675 if (IkeSaSession
->IkeKeys
->SkErKey
== NULL
) {
1676 Status
= EFI_OUT_OF_RESOURCES
;
1679 IkeSaSession
->IkeKeys
->SkErKeySize
= EncryptAlgKeyLen
;
1682 IkeSaSession
->IkeKeys
->SkErKey
,
1683 OutputKey
+ AuthAlgKeyLen
+ 2 * IntegrityAlgKeyLen
+ EncryptAlgKeyLen
,
1688 OutputKey
+ AuthAlgKeyLen
+ 2 * IntegrityAlgKeyLen
+ EncryptAlgKeyLen
,
1695 IkeSaSession
->IkeKeys
->SkPiKey
= AllocateZeroPool (AuthAlgKeyLen
);
1696 if (IkeSaSession
->IkeKeys
->SkPiKey
== NULL
) {
1697 Status
= EFI_OUT_OF_RESOURCES
;
1700 IkeSaSession
->IkeKeys
->SkPiKeySize
= AuthAlgKeyLen
;
1703 IkeSaSession
->IkeKeys
->SkPiKey
,
1704 OutputKey
+ AuthAlgKeyLen
+ 2 * IntegrityAlgKeyLen
+ 2 * EncryptAlgKeyLen
,
1709 OutputKey
+ AuthAlgKeyLen
+ 2 * IntegrityAlgKeyLen
+ 2 * EncryptAlgKeyLen
,
1716 IkeSaSession
->IkeKeys
->SkPrKey
= AllocateZeroPool (AuthAlgKeyLen
);
1717 if (IkeSaSession
->IkeKeys
->SkPrKey
== NULL
) {
1718 Status
= EFI_OUT_OF_RESOURCES
;
1721 IkeSaSession
->IkeKeys
->SkPrKeySize
= AuthAlgKeyLen
;
1724 IkeSaSession
->IkeKeys
->SkPrKey
,
1725 OutputKey
+ AuthAlgKeyLen
+ 2 * IntegrityAlgKeyLen
+ 2 * EncryptAlgKeyLen
+ AuthAlgKeyLen
,
1730 OutputKey
+ AuthAlgKeyLen
+ 2 * IntegrityAlgKeyLen
+ 2 * EncryptAlgKeyLen
+ AuthAlgKeyLen
,
1736 if (Digest
!= NULL
) {
1739 if (KeyBuffer
!= NULL
) {
1740 FreePool (KeyBuffer
);
1742 if (OutputKey
!= NULL
) {
1743 FreePool (OutputKey
);
1746 if (EFI_ERROR(Status
)) {
1747 if (IkeSaSession
->IkeKeys
->SkdKey
!= NULL
) {
1748 FreePool (IkeSaSession
->IkeKeys
->SkdKey
);
1750 if (IkeSaSession
->IkeKeys
->SkAiKey
!= NULL
) {
1751 FreePool (IkeSaSession
->IkeKeys
->SkAiKey
);
1753 if (IkeSaSession
->IkeKeys
->SkArKey
!= NULL
) {
1754 FreePool (IkeSaSession
->IkeKeys
->SkArKey
);
1756 if (IkeSaSession
->IkeKeys
->SkEiKey
!= NULL
) {
1757 FreePool (IkeSaSession
->IkeKeys
->SkEiKey
);
1759 if (IkeSaSession
->IkeKeys
->SkErKey
!= NULL
) {
1760 FreePool (IkeSaSession
->IkeKeys
->SkErKey
);
1762 if (IkeSaSession
->IkeKeys
->SkPiKey
!= NULL
) {
1763 FreePool (IkeSaSession
->IkeKeys
->SkPiKey
);
1765 if (IkeSaSession
->IkeKeys
->SkPrKey
!= NULL
) {
1766 FreePool (IkeSaSession
->IkeKeys
->SkPrKey
);
1775 Generates the Keys for the furthure IPsec Protocol.
1777 @param[in] ChildSaSession Pointer to IKE Child SA Session.
1778 @param[in] KePayload Pointer to Key payload used to generate the Key.
1780 @retval EFI_UNSUPPORTED If one or more Algorithm Id is not supported.
1781 @retval EFI_SUCCESS The operation succeeded.
1785 Ikev2GenerateChildSaKeys (
1786 IN IKEV2_CHILD_SA_SESSION
*ChildSaSession
,
1787 IN IKE_PAYLOAD
*KePayload
1791 IKEV2_SA_PARAMS
*SaParams
;
1792 PRF_DATA_FRAGMENT Fragments
[3];
1793 UINTN EncryptAlgKeyLen
;
1794 UINTN IntegrityAlgKeyLen
;
1796 UINTN OutputKeyLength
;
1798 Status
= EFI_SUCCESS
;
1801 if (KePayload
!= NULL
) {
1805 Ikev2GenerateSaDhComputeKey (ChildSaSession
->DhBuffer
, KePayload
);
1806 Fragments
[0].Data
= ChildSaSession
->DhBuffer
->GxyBuffer
;
1807 Fragments
[0].DataSize
= ChildSaSession
->DhBuffer
->GxySize
;
1810 Fragments
[1].Data
= ChildSaSession
->NiBlock
;
1811 Fragments
[1].DataSize
= ChildSaSession
->NiBlkSize
;
1812 Fragments
[2].Data
= ChildSaSession
->NrBlock
;
1813 Fragments
[2].DataSize
= ChildSaSession
->NrBlkSize
;
1816 // Get the key length of Authenticaion, Encryption, PRF, and Integrity.
1818 SaParams
= ChildSaSession
->SessionCommon
.SaParams
;
1819 EncryptAlgKeyLen
= IpSecGetEncryptKeyLength ((UINT8
)SaParams
->EncAlgId
);
1820 IntegrityAlgKeyLen
= IpSecGetHmacDigestLength ((UINT8
)SaParams
->IntegAlgId
);
1821 OutputKeyLength
= 2 * EncryptAlgKeyLen
+ 2 * IntegrityAlgKeyLen
;
1823 if ((EncryptAlgKeyLen
== 0) || (IntegrityAlgKeyLen
== 0)) {
1824 Status
= EFI_UNSUPPORTED
;
1830 // If KePayload is not NULL, calculate KEYMAT = prf+(SK_d, g^ir (new) | Ni | Nr ),
1831 // otherwise, KEYMAT = prf+(SK_d, Ni | Nr )
1833 OutputKey
= AllocateZeroPool (OutputKeyLength
);
1834 if (OutputKey
== NULL
) {
1835 Status
= EFI_OUT_OF_RESOURCES
;
1840 // Derive Key from the SkdKey Buffer.
1842 Status
= Ikev2SaGenerateKey (
1843 (UINT8
)ChildSaSession
->IkeSaSession
->SessionCommon
.SaParams
->Prf
,
1844 ChildSaSession
->IkeSaSession
->IkeKeys
->SkdKey
,
1845 ChildSaSession
->IkeSaSession
->IkeKeys
->SkdKeySize
,
1848 KePayload
== NULL
? &Fragments
[1] : Fragments
,
1849 KePayload
== NULL
? 2 : 3
1852 if (EFI_ERROR (Status
)) {
1857 // Copy KEYMATE (SK_ENCRYPT_i | SK_ENCRYPT_r | SK_INTEG_i | SK_INTEG_r) to
1860 if (!ChildSaSession
->SessionCommon
.IsInitiator
) {
1863 // Initiator Encryption Key
1865 ChildSaSession
->ChildKeymats
.LocalPeerInfo
.EspAlgoInfo
.EncAlgoId
= (UINT8
)SaParams
->EncAlgId
;
1866 ChildSaSession
->ChildKeymats
.LocalPeerInfo
.EspAlgoInfo
.EncKeyLength
= EncryptAlgKeyLen
;
1867 ChildSaSession
->ChildKeymats
.LocalPeerInfo
.EspAlgoInfo
.EncKey
= AllocateZeroPool (EncryptAlgKeyLen
);
1868 if (ChildSaSession
->ChildKeymats
.LocalPeerInfo
.EspAlgoInfo
.EncKey
== NULL
) {
1869 Status
= EFI_OUT_OF_RESOURCES
;
1874 ChildSaSession
->ChildKeymats
.LocalPeerInfo
.EspAlgoInfo
.EncKey
,
1880 // Initiator Authentication Key
1882 ChildSaSession
->ChildKeymats
.LocalPeerInfo
.EspAlgoInfo
.AuthAlgoId
= (UINT8
)SaParams
->IntegAlgId
;
1883 ChildSaSession
->ChildKeymats
.LocalPeerInfo
.EspAlgoInfo
.AuthKeyLength
= IntegrityAlgKeyLen
;
1884 ChildSaSession
->ChildKeymats
.LocalPeerInfo
.EspAlgoInfo
.AuthKey
= AllocateZeroPool (IntegrityAlgKeyLen
);
1885 if (ChildSaSession
->ChildKeymats
.LocalPeerInfo
.EspAlgoInfo
.AuthKey
== NULL
) {
1886 Status
= EFI_OUT_OF_RESOURCES
;
1891 ChildSaSession
->ChildKeymats
.LocalPeerInfo
.EspAlgoInfo
.AuthKey
,
1892 OutputKey
+ EncryptAlgKeyLen
,
1897 // Responder Encrypt Key
1899 ChildSaSession
->ChildKeymats
.RemotePeerInfo
.EspAlgoInfo
.EncAlgoId
= (UINT8
)SaParams
->EncAlgId
;
1900 ChildSaSession
->ChildKeymats
.RemotePeerInfo
.EspAlgoInfo
.EncKeyLength
= EncryptAlgKeyLen
;
1901 ChildSaSession
->ChildKeymats
.RemotePeerInfo
.EspAlgoInfo
.EncKey
= AllocateZeroPool (EncryptAlgKeyLen
);
1902 if (ChildSaSession
->ChildKeymats
.RemotePeerInfo
.EspAlgoInfo
.EncKey
== NULL
) {
1903 Status
= EFI_OUT_OF_RESOURCES
;
1908 ChildSaSession
->ChildKeymats
.RemotePeerInfo
.EspAlgoInfo
.EncKey
,
1909 OutputKey
+ EncryptAlgKeyLen
+ IntegrityAlgKeyLen
,
1914 // Responder Authentication Key
1916 ChildSaSession
->ChildKeymats
.RemotePeerInfo
.EspAlgoInfo
.AuthAlgoId
= (UINT8
)SaParams
->IntegAlgId
;
1917 ChildSaSession
->ChildKeymats
.RemotePeerInfo
.EspAlgoInfo
.AuthKeyLength
= IntegrityAlgKeyLen
;
1918 ChildSaSession
->ChildKeymats
.RemotePeerInfo
.EspAlgoInfo
.AuthKey
= AllocateZeroPool (IntegrityAlgKeyLen
);
1919 if (ChildSaSession
->ChildKeymats
.RemotePeerInfo
.EspAlgoInfo
.AuthKey
== NULL
) {
1920 Status
= EFI_OUT_OF_RESOURCES
;
1925 ChildSaSession
->ChildKeymats
.RemotePeerInfo
.EspAlgoInfo
.AuthKey
,
1926 OutputKey
+ 2 * EncryptAlgKeyLen
+ IntegrityAlgKeyLen
,
1931 // Initiator Encryption Key
1933 ChildSaSession
->ChildKeymats
.RemotePeerInfo
.EspAlgoInfo
.EncAlgoId
= (UINT8
)SaParams
->EncAlgId
;
1934 ChildSaSession
->ChildKeymats
.RemotePeerInfo
.EspAlgoInfo
.EncKeyLength
= EncryptAlgKeyLen
;
1935 ChildSaSession
->ChildKeymats
.RemotePeerInfo
.EspAlgoInfo
.EncKey
= AllocateZeroPool (EncryptAlgKeyLen
);
1936 if (ChildSaSession
->ChildKeymats
.RemotePeerInfo
.EspAlgoInfo
.EncKey
== NULL
) {
1937 Status
= EFI_OUT_OF_RESOURCES
;
1942 ChildSaSession
->ChildKeymats
.RemotePeerInfo
.EspAlgoInfo
.EncKey
,
1948 // Initiator Authentication Key
1950 ChildSaSession
->ChildKeymats
.RemotePeerInfo
.EspAlgoInfo
.AuthAlgoId
= (UINT8
)SaParams
->IntegAlgId
;
1951 ChildSaSession
->ChildKeymats
.RemotePeerInfo
.EspAlgoInfo
.AuthKeyLength
= IntegrityAlgKeyLen
;
1952 ChildSaSession
->ChildKeymats
.RemotePeerInfo
.EspAlgoInfo
.AuthKey
= AllocateZeroPool (IntegrityAlgKeyLen
);
1953 if (ChildSaSession
->ChildKeymats
.RemotePeerInfo
.EspAlgoInfo
.AuthKey
== NULL
) {
1954 Status
= EFI_OUT_OF_RESOURCES
;
1959 ChildSaSession
->ChildKeymats
.RemotePeerInfo
.EspAlgoInfo
.AuthKey
,
1960 OutputKey
+ EncryptAlgKeyLen
,
1965 // Responder Encryption Key
1967 ChildSaSession
->ChildKeymats
.LocalPeerInfo
.EspAlgoInfo
.EncAlgoId
= (UINT8
)SaParams
->EncAlgId
;
1968 ChildSaSession
->ChildKeymats
.LocalPeerInfo
.EspAlgoInfo
.EncKeyLength
= EncryptAlgKeyLen
;
1969 ChildSaSession
->ChildKeymats
.LocalPeerInfo
.EspAlgoInfo
.EncKey
= AllocateZeroPool (EncryptAlgKeyLen
);
1970 if (ChildSaSession
->ChildKeymats
.LocalPeerInfo
.EspAlgoInfo
.EncKey
== NULL
) {
1971 Status
= EFI_OUT_OF_RESOURCES
;
1976 ChildSaSession
->ChildKeymats
.LocalPeerInfo
.EspAlgoInfo
.EncKey
,
1977 OutputKey
+ EncryptAlgKeyLen
+ IntegrityAlgKeyLen
,
1982 // Responder Authentication Key
1984 ChildSaSession
->ChildKeymats
.LocalPeerInfo
.EspAlgoInfo
.AuthAlgoId
= (UINT8
)SaParams
->IntegAlgId
;
1985 ChildSaSession
->ChildKeymats
.LocalPeerInfo
.EspAlgoInfo
.AuthKeyLength
= IntegrityAlgKeyLen
;
1986 ChildSaSession
->ChildKeymats
.LocalPeerInfo
.EspAlgoInfo
.AuthKey
= AllocateZeroPool (IntegrityAlgKeyLen
);
1987 if (ChildSaSession
->ChildKeymats
.LocalPeerInfo
.EspAlgoInfo
.AuthKey
== NULL
) {
1988 Status
= EFI_OUT_OF_RESOURCES
;
1993 ChildSaSession
->ChildKeymats
.LocalPeerInfo
.EspAlgoInfo
.AuthKey
,
1994 OutputKey
+ 2 * EncryptAlgKeyLen
+ IntegrityAlgKeyLen
,
2000 " >>> Local Encryption Key",
2001 ChildSaSession
->ChildKeymats
.LocalPeerInfo
.EspAlgoInfo
.EncKey
,
2005 " >>> Remote Encryption Key",
2006 ChildSaSession
->ChildKeymats
.RemotePeerInfo
.EspAlgoInfo
.EncKey
,
2010 " >>> Local Authentication Key",
2011 ChildSaSession
->ChildKeymats
.LocalPeerInfo
.EspAlgoInfo
.AuthKey
,
2015 " >>> Remote Authentication Key",
2016 ChildSaSession
->ChildKeymats
.RemotePeerInfo
.EspAlgoInfo
.AuthKey
,
2023 if (EFI_ERROR (Status
)) {
2024 if (ChildSaSession
->ChildKeymats
.LocalPeerInfo
.EspAlgoInfo
.EncKey
!= NULL
) {
2025 FreePool (ChildSaSession
->ChildKeymats
.LocalPeerInfo
.EspAlgoInfo
.EncKey
);
2027 if (ChildSaSession
->ChildKeymats
.LocalPeerInfo
.EspAlgoInfo
.AuthKey
!= NULL
) {
2028 FreePool (ChildSaSession
->ChildKeymats
.LocalPeerInfo
.EspAlgoInfo
.AuthKey
);
2030 if (ChildSaSession
->ChildKeymats
.RemotePeerInfo
.EspAlgoInfo
.EncKey
!= NULL
) {
2031 FreePool (ChildSaSession
->ChildKeymats
.RemotePeerInfo
.EspAlgoInfo
.EncKey
);
2033 if (ChildSaSession
->ChildKeymats
.RemotePeerInfo
.EspAlgoInfo
.AuthKey
!= NULL
) {
2034 FreePool (ChildSaSession
->ChildKeymats
.RemotePeerInfo
.EspAlgoInfo
.AuthKey
);
2038 if (OutputKey
!= NULL
) {
2039 FreePool (OutputKey
);
2045 GLOBAL_REMOVE_IF_UNREFERENCED IKEV2_PACKET_HANDLER mIkev2Initial
[][2] = {
2049 Ikev2InitPskGenerator
2053 Ikev2AuthPskGenerator
2058 Ikev2InitCertParser
,
2059 Ikev2InitCertGenerator
2062 Ikev2AuthCertParser
,
2063 Ikev2AuthCertGenerator