2 The operations for IKEv2 SA.
4 (C) Copyright 2015 Hewlett-Packard Development Company, L.P.<BR>
5 Copyright (c) 2010 - 2016, Intel Corporation. All rights reserved.<BR>
7 This program and the accompanying materials
8 are licensed and made available under the terms and conditions of the BSD License
9 which accompanies this distribution. The full text of the license may be found at
10 http://opensource.org/licenses/bsd-license.php.
12 THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
13 WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
18 #include "IpSecDebug.h"
19 #include "IkeService.h"
25 This generates the DH local public key and stores it in the IKEv2 SA Session's GxBuffer.
27 @param[in] IkeSaSession Pointer to related IKE SA Session.
29 @retval EFI_SUCCESS The operation succeeded.
30 @retval Others The operation failed.
34 Ikev2GenerateSaDhPublicKey (
35 IN IKEV2_SA_SESSION
*IkeSaSession
39 Generates the IKEv2 SA key for the further IKEv2 exchanges.
41 @param[in] IkeSaSession Pointer to IKEv2 SA Session.
42 @param[in] KePayload Pointer to Key payload used to generate the Key.
44 @retval EFI_UNSUPPORTED If the Algorithm Id is not supported.
45 @retval EFI_SUCCESS The operation succeeded.
50 IN IKEV2_SA_SESSION
*IkeSaSession
,
51 IN IKE_PAYLOAD
*KePayload
55 Generates the keys for the further IPsec protocol processing.
57 @param[in] ChildSaSession Pointer to IKE Child SA Session.
58 @param[in] KePayload Pointer to Key payload used to generate the Key.
60 @retval EFI_UNSUPPORTED If one or more Algorithm Id is unsupported.
61 @retval EFI_SUCCESS The operation succeeded.
65 Ikev2GenerateChildSaKeys (
66 IN IKEV2_CHILD_SA_SESSION
*ChildSaSession
,
67 IN IKE_PAYLOAD
*KePayload
71 Generates the IKEv2 packet for the IKE_SA_INIT exchange.
73 @param[in] SaSession Pointer to IKEV2_SA_SESSION related to the exchange.
74 @param[in] Context Context Data passed by caller.
76 @retval EFI_SUCCESS The IKEv2 packet generation succeeded.
77 @retval Others The IKEv2 packet generation failed.
81 Ikev2InitPskGenerator (
86 IKE_PACKET
*IkePacket
;
87 IKEV2_SA_SESSION
*IkeSaSession
;
88 IKE_PAYLOAD
*SaPayload
;
89 IKE_PAYLOAD
*KePayload
;
90 IKE_PAYLOAD
*NoncePayload
;
91 IKE_PAYLOAD
*NotifyPayload
;
99 IkeSaSession
= (IKEV2_SA_SESSION
*) SaSession
;
102 // 1. Allocate IKE packet
104 IkePacket
= IkePacketAlloc ();
105 if (IkePacket
== NULL
) {
110 // 1.a Fill the IkePacket->Hdr
112 IkePacket
->Header
->ExchangeType
= IKEV2_EXCHANGE_TYPE_INIT
;
113 IkePacket
->Header
->InitiatorCookie
= IkeSaSession
->InitiatorCookie
;
114 IkePacket
->Header
->ResponderCookie
= IkeSaSession
->ResponderCookie
;
115 IkePacket
->Header
->Version
= (UINT8
) (2 << 4);
116 IkePacket
->Header
->MessageId
= 0;
118 if (IkeSaSession
->SessionCommon
.IsInitiator
) {
119 IkePacket
->Header
->Flags
= IKE_HEADER_FLAGS_INIT
;
121 IkePacket
->Header
->Flags
= IKE_HEADER_FLAGS_RESPOND
;
125 // If the NCookie is not NULL, this IKE_SA_INIT packet is resent by the NCookie
126 // and the NCookie payload should be the first payload in this packet.
128 if (IkeSaSession
->NCookie
!= NULL
) {
129 IkePacket
->Header
->NextPayload
= IKEV2_PAYLOAD_TYPE_NOTIFY
;
130 NotifyPayload
= Ikev2GenerateNotifyPayload (
132 IKEV2_PAYLOAD_TYPE_SA
,
134 IKEV2_NOTIFICATION_COOKIE
,
136 IkeSaSession
->NCookie
,
137 IkeSaSession
->NCookieSize
140 IkePacket
->Header
->NextPayload
= IKEV2_PAYLOAD_TYPE_SA
;
144 // 2. Generate SA Payload according to the SaData & SaParams
146 SaPayload
= Ikev2GenerateSaPayload (
147 IkeSaSession
->SaData
,
148 IKEV2_PAYLOAD_TYPE_KE
,
153 // 3. Generate DH public key.
154 // The DhPrivate Key has been generated in Ikev2InitPskParser, if the
155 // IkeSaSession is responder. If resending IKE_SA_INIT with Cookie Notify
156 // No need to recompute the Public key.
158 if ((IkeSaSession
->SessionCommon
.IsInitiator
) && (IkeSaSession
->NCookie
== NULL
)) {
159 Status
= Ikev2GenerateSaDhPublicKey (IkeSaSession
);
160 if (EFI_ERROR (Status
)) {
166 // 4. Generate KE Payload according to SaParams->DhGroup
168 KePayload
= Ikev2GenerateKePayload (
170 IKEV2_PAYLOAD_TYPE_NONCE
174 // 5. Generate Nonce Payload
175 // If resending IKE_SA_INIT with Cookie Notify paylaod, no need to regenerate
176 // the Nonce Payload.
178 if ((IkeSaSession
->SessionCommon
.IsInitiator
) && (IkeSaSession
->NCookie
== NULL
)) {
179 IkeSaSession
->NiBlkSize
= IKE_NONCE_SIZE
;
180 IkeSaSession
->NiBlock
= IkeGenerateNonce (IKE_NONCE_SIZE
);
181 if (IkeSaSession
->NiBlock
== NULL
) {
186 if (IkeSaSession
->SessionCommon
.IsInitiator
) {
187 NoncePayload
= Ikev2GenerateNoncePayload (
188 IkeSaSession
->NiBlock
,
189 IkeSaSession
->NiBlkSize
,
190 IKEV2_PAYLOAD_TYPE_NONE
194 // The Nonce Payload has been created in Ikev2PskParser if the IkeSaSession is
197 NoncePayload
= Ikev2GenerateNoncePayload (
198 IkeSaSession
->NrBlock
,
199 IkeSaSession
->NrBlkSize
,
200 IKEV2_PAYLOAD_TYPE_NONE
204 if (NotifyPayload
!= NULL
) {
205 IKE_PACKET_APPEND_PAYLOAD (IkePacket
, NotifyPayload
);
207 if (SaPayload
!= NULL
) {
208 IKE_PACKET_APPEND_PAYLOAD (IkePacket
, SaPayload
);
210 if (KePayload
!= NULL
) {
211 IKE_PACKET_APPEND_PAYLOAD (IkePacket
, KePayload
);
213 if (NoncePayload
!= NULL
) {
214 IKE_PACKET_APPEND_PAYLOAD (IkePacket
, NoncePayload
);
220 if (IkePacket
!= NULL
) {
221 IkePacketFree (IkePacket
);
223 if (SaPayload
!= NULL
) {
224 IkePayloadFree (SaPayload
);
230 Parses the IKEv2 packet for IKE_SA_INIT exchange.
232 @param[in] SaSession Pointer to IKEV2_SA_SESSION related to the exchange.
233 @param[in] IkePacket The received IKE packet to be parsed.
235 @retval EFI_SUCCESS The IKEv2 packet is acceptable and the related data is
236 saved for further communication.
237 @retval EFI_INVALID_PARAMETER The IKEv2 packet is malformed or the SA proposal is unacceptable.
243 IN IKE_PACKET
*IkePacket
246 IKEV2_SA_SESSION
*IkeSaSession
;
247 IKE_PAYLOAD
*SaPayload
;
248 IKE_PAYLOAD
*KeyPayload
;
249 IKE_PAYLOAD
*IkePayload
;
250 IKE_PAYLOAD
*NoncePayload
;
251 IKE_PAYLOAD
*NotifyPayload
;
257 IkeSaSession
= (IKEV2_SA_SESSION
*) SaSession
;
262 NotifyPayload
= NULL
;
265 // Iterate payloads to find the SaPayload and KeyPayload.
267 NET_LIST_FOR_EACH (Entry
, &(IkePacket
)->PayloadList
) {
268 IkePayload
= IKE_PAYLOAD_BY_PACKET (Entry
);
269 if (IkePayload
->PayloadType
== IKEV2_PAYLOAD_TYPE_SA
) {
270 SaPayload
= IkePayload
;
272 if (IkePayload
->PayloadType
== IKEV2_PAYLOAD_TYPE_KE
) {
273 KeyPayload
= IkePayload
;
275 if (IkePayload
->PayloadType
== IKEV2_PAYLOAD_TYPE_NONCE
) {
276 NoncePayload
= IkePayload
;
278 if (IkePayload
->PayloadType
== IKEV2_PAYLOAD_TYPE_NOTIFY
) {
279 NotifyPayload
= IkePayload
;
284 // According to RFC 4306 - 2.6. If the responder responds with the COOKIE Notify
285 // payload with the cookie data, initiator MUST retry the IKE_SA_INIT with a
286 // Notify payload of type COOKIE containing the responder suppplied cookie data
287 // as first payload and all other payloads unchanged.
289 if (IkeSaSession
->SessionCommon
.IsInitiator
) {
290 if (NotifyPayload
!= NULL
) {
291 Status
= Ikev2ParserNotifyCookiePayload (NotifyPayload
, IkeSaSession
);
296 if ((KeyPayload
== NULL
) || (SaPayload
== NULL
) || (NoncePayload
== NULL
)) {
297 return EFI_INVALID_PARAMETER
;
301 // Store NoncePayload for SKEYID computing.
303 NonceSize
= NoncePayload
->PayloadSize
- sizeof (IKEV2_COMMON_PAYLOAD_HEADER
);
304 NonceBuffer
= (UINT8
*) AllocatePool (NonceSize
);
305 if (NonceBuffer
== NULL
) {
306 Status
= EFI_OUT_OF_RESOURCES
;
312 NoncePayload
->PayloadBuf
+ sizeof (IKEV2_COMMON_PAYLOAD_HEADER
),
317 // Check if IkePacket Header matches the state
319 if (IkeSaSession
->SessionCommon
.IsInitiator
) {
321 // 1. Check the IkePacket->Hdr == IKE_HEADER_FLAGS_RESPOND
323 if (IkePacket
->Header
->Flags
!= IKE_HEADER_FLAGS_RESPOND
) {
324 Status
= EFI_INVALID_PARAMETER
;
329 // 2. Parse the SA Payload and Key Payload to find out the cryptographic
330 // suite and fill in the Sa paramse into CommonSession->SaParams
332 if (!Ikev2SaParseSaPayload (IkeSaSession
, SaPayload
, IkePacket
->Header
->Flags
)) {
333 Status
= EFI_INVALID_PARAMETER
;
338 // 3. If Initiator, the NoncePayload is Nr_b.
340 IKEV2_DUMP_STATE (IkeSaSession
->SessionCommon
.State
, IkeStateAuth
);
341 IkeSaSession
->NrBlock
= NonceBuffer
;
342 IkeSaSession
->NrBlkSize
= NonceSize
;
343 IkeSaSession
->SessionCommon
.State
= IkeStateAuth
;
344 IkeSaSession
->ResponderCookie
= IkePacket
->Header
->ResponderCookie
;
347 // 4. Change the state of IkeSaSession
349 IkeSaSession
->SessionCommon
.State
= IkeStateAuth
;
352 // 1. Check the IkePacket->Hdr == IKE_HEADER_FLAGS_INIT
354 if (IkePacket
->Header
->Flags
!= IKE_HEADER_FLAGS_INIT
) {
355 Status
= EFI_INVALID_PARAMETER
;
360 // 2. Parse the SA payload and find out the perfered one
361 // and fill in the SA parameters into CommonSession->SaParams and SaData into
362 // IkeSaSession for the responder SA payload generation.
364 if (!Ikev2SaParseSaPayload (IkeSaSession
, SaPayload
, IkePacket
->Header
->Flags
)) {
365 Status
= EFI_INVALID_PARAMETER
;
370 // 3. Generat Dh Y parivate Key
372 Status
= Ikev2GenerateSaDhPublicKey (IkeSaSession
);
373 if (EFI_ERROR (Status
)) {
378 // 4. If Responder, the NoncePayload is Ni_b and go to generate Nr_b.
380 IkeSaSession
->NiBlock
= NonceBuffer
;
381 IkeSaSession
->NiBlkSize
= NonceSize
;
386 IkeSaSession
->NrBlock
= IkeGenerateNonce (IKE_NONCE_SIZE
);
387 ASSERT_EFI_ERROR (IkeSaSession
->NrBlock
!= NULL
);
388 IkeSaSession
->NrBlkSize
= IKE_NONCE_SIZE
;
391 // 6. Save the Cookies
393 IkeSaSession
->InitiatorCookie
= IkePacket
->Header
->InitiatorCookie
;
394 IkeSaSession
->ResponderCookie
= IkeGenerateCookie ();
397 if (IkeSaSession
->SessionCommon
.PreferDhGroup
!= ((IKEV2_KEY_EXCHANGE
*)KeyPayload
->PayloadBuf
)->DhGroup
) {
398 Status
= EFI_INVALID_PARAMETER
;
402 // Call Ikev2GenerateSaKeys to create SKEYID, SKEYID_d, SKEYID_a, SKEYID_e.
404 Status
= Ikev2GenerateSaKeys (IkeSaSession
, KeyPayload
);
405 if (EFI_ERROR(Status
)) {
411 if (NonceBuffer
!= NULL
) {
412 FreePool (NonceBuffer
);
419 Generates the IKEv2 packet for IKE_AUTH exchange.
421 @param[in] SaSession Pointer to IKEV2_SA_SESSION.
422 @param[in] Context Context data passed by caller.
424 @retval Pointer to IKE Packet to be sent out.
428 Ikev2AuthPskGenerator (
433 IKE_PACKET
*IkePacket
;
434 IKEV2_SA_SESSION
*IkeSaSession
;
435 IKE_PAYLOAD
*IdPayload
;
436 IKE_PAYLOAD
*AuthPayload
;
437 IKE_PAYLOAD
*SaPayload
;
438 IKE_PAYLOAD
*TsiPayload
;
439 IKE_PAYLOAD
*TsrPayload
;
440 IKE_PAYLOAD
*NotifyPayload
;
441 IKE_PAYLOAD
*CpPayload
;
442 IKEV2_CHILD_SA_SESSION
*ChildSaSession
;
445 IkeSaSession
= (IKEV2_SA_SESSION
*) SaSession
;
446 ChildSaSession
= IKEV2_CHILD_SA_SESSION_BY_IKE_SA (GetFirstNode (&IkeSaSession
->ChildSaSessionList
));
449 NotifyPayload
= NULL
;
452 // 1. Allocate IKE Packet
454 IkePacket
= IkePacketAlloc ();
455 if (IkePacket
== NULL
) {
460 // 1.a Fill the IkePacket Header.
462 IkePacket
->Header
->ExchangeType
= IKEV2_EXCHANGE_TYPE_AUTH
;
463 IkePacket
->Header
->InitiatorCookie
= IkeSaSession
->InitiatorCookie
;
464 IkePacket
->Header
->ResponderCookie
= IkeSaSession
->ResponderCookie
;
465 IkePacket
->Header
->Version
= (UINT8
)(2 << 4);
466 if (ChildSaSession
->SessionCommon
.IsInitiator
) {
467 IkePacket
->Header
->NextPayload
= IKEV2_PAYLOAD_TYPE_ID_INIT
;
469 IkePacket
->Header
->NextPayload
= IKEV2_PAYLOAD_TYPE_ID_RSP
;
473 // According to RFC4306_2.2, For the IKE_SA_INIT message the MessageID should
474 // be always number 0 and 1;
476 IkePacket
->Header
->MessageId
= 1;
478 if (IkeSaSession
->SessionCommon
.IsInitiator
) {
479 IkePacket
->Header
->Flags
= IKE_HEADER_FLAGS_INIT
;
481 IkePacket
->Header
->Flags
= IKE_HEADER_FLAGS_RESPOND
;
485 // 2. Generate ID Payload according to IP version and address.
487 IdPayload
= Ikev2GenerateIdPayload (
488 &IkeSaSession
->SessionCommon
,
489 IKEV2_PAYLOAD_TYPE_AUTH
493 // 3. Generate Auth Payload
494 // If it is tunnel mode, should create the configuration payload after the
497 if (IkeSaSession
->Spd
->Data
->ProcessingPolicy
->Mode
== EfiIPsecTransport
) {
499 AuthPayload
= Ikev2PskGenerateAuthPayload (
500 ChildSaSession
->IkeSaSession
,
502 IKEV2_PAYLOAD_TYPE_SA
,
506 AuthPayload
= Ikev2PskGenerateAuthPayload (
507 ChildSaSession
->IkeSaSession
,
509 IKEV2_PAYLOAD_TYPE_CP
,
512 if (IkeSaSession
->SessionCommon
.UdpService
->IpVersion
== IP_VERSION_4
) {
513 CpPayload
= Ikev2GenerateCpPayload (
514 ChildSaSession
->IkeSaSession
,
515 IKEV2_PAYLOAD_TYPE_SA
,
516 IKEV2_CFG_ATTR_INTERNAL_IP4_ADDRESS
519 CpPayload
= Ikev2GenerateCpPayload (
520 ChildSaSession
->IkeSaSession
,
521 IKEV2_PAYLOAD_TYPE_SA
,
522 IKEV2_CFG_ATTR_INTERNAL_IP6_ADDRESS
528 // 4. Generate SA Payload according to the SA Data in ChildSaSession
530 SaPayload
= Ikev2GenerateSaPayload (
531 ChildSaSession
->SaData
,
532 IKEV2_PAYLOAD_TYPE_TS_INIT
,
533 IkeSessionTypeChildSa
536 if (IkeSaSession
->Spd
->Data
->ProcessingPolicy
->Mode
== EfiIPsecTransport
) {
538 // Generate Tsi and Tsr.
540 TsiPayload
= Ikev2GenerateTsPayload (
542 IKEV2_PAYLOAD_TYPE_TS_RSP
,
546 TsrPayload
= Ikev2GenerateTsPayload (
548 IKEV2_PAYLOAD_TYPE_NOTIFY
,
553 // Generate Notify Payload. If transport mode, there should have Notify
554 // payload with TRANSPORT_MODE notification.
556 NotifyPayload
= Ikev2GenerateNotifyPayload (
558 IKEV2_PAYLOAD_TYPE_NONE
,
560 IKEV2_NOTIFICATION_USE_TRANSPORT_MODE
,
567 // Generate Tsr for Tunnel mode.
569 TsiPayload
= Ikev2GenerateTsPayload (
571 IKEV2_PAYLOAD_TYPE_TS_RSP
,
574 TsrPayload
= Ikev2GenerateTsPayload (
576 IKEV2_PAYLOAD_TYPE_NONE
,
581 IKE_PACKET_APPEND_PAYLOAD (IkePacket
, IdPayload
);
582 IKE_PACKET_APPEND_PAYLOAD (IkePacket
, AuthPayload
);
583 if (IkeSaSession
->Spd
->Data
->ProcessingPolicy
->Mode
== EfiIPsecTunnel
) {
584 IKE_PACKET_APPEND_PAYLOAD (IkePacket
, CpPayload
);
586 IKE_PACKET_APPEND_PAYLOAD (IkePacket
, SaPayload
);
587 IKE_PACKET_APPEND_PAYLOAD (IkePacket
, TsiPayload
);
588 IKE_PACKET_APPEND_PAYLOAD (IkePacket
, TsrPayload
);
589 if (IkeSaSession
->Spd
->Data
->ProcessingPolicy
->Mode
== EfiIPsecTransport
) {
590 IKE_PACKET_APPEND_PAYLOAD (IkePacket
, NotifyPayload
);
597 Parses IKE_AUTH packet.
599 @param[in] SaSession Pointer to the IKE_SA_SESSION related to this packet.
600 @param[in] IkePacket Pointer to the IKE_AUTH packet to be parsed.
602 @retval EFI_INVALID_PARAMETER The IKE packet is malformed or the SA
603 proposal is unacceptable.
604 @retval EFI_SUCCESS The IKE packet is acceptable and the
605 related data is saved for further communication.
611 IN IKE_PACKET
*IkePacket
614 IKEV2_CHILD_SA_SESSION
*ChildSaSession
;
615 IKEV2_SA_SESSION
*IkeSaSession
;
616 IKE_PAYLOAD
*IkePayload
;
617 IKE_PAYLOAD
*SaPayload
;
618 IKE_PAYLOAD
*IdiPayload
;
619 IKE_PAYLOAD
*IdrPayload
;
620 IKE_PAYLOAD
*AuthPayload
;
621 IKE_PAYLOAD
*TsiPayload
;
622 IKE_PAYLOAD
*TsrPayload
;
623 IKE_PAYLOAD
*VerifiedAuthPayload
;
627 IkeSaSession
= (IKEV2_SA_SESSION
*) SaSession
;
628 ChildSaSession
= IKEV2_CHILD_SA_SESSION_BY_IKE_SA (GetFirstNode (&IkeSaSession
->ChildSaSessionList
));
638 // Iterate payloads to find the SaPayload/ID/AUTH/TS Payload.
640 NET_LIST_FOR_EACH (Entry
, &(IkePacket
)->PayloadList
) {
641 IkePayload
= IKE_PAYLOAD_BY_PACKET (Entry
);
643 if (IkePayload
->PayloadType
== IKEV2_PAYLOAD_TYPE_ID_INIT
) {
644 IdiPayload
= IkePayload
;
646 if (IkePayload
->PayloadType
== IKEV2_PAYLOAD_TYPE_ID_RSP
) {
647 IdrPayload
= IkePayload
;
649 if (IkePayload
->PayloadType
== IKEV2_PAYLOAD_TYPE_SA
) {
650 SaPayload
= IkePayload
;
652 if (IkePayload
->PayloadType
== IKEV2_PAYLOAD_TYPE_AUTH
) {
653 AuthPayload
= IkePayload
;
655 if (IkePayload
->PayloadType
== IKEV2_PAYLOAD_TYPE_TS_INIT
) {
656 TsiPayload
= IkePayload
;
658 if (IkePayload
->PayloadType
== IKEV2_PAYLOAD_TYPE_TS_RSP
) {
659 TsrPayload
= IkePayload
;
663 if ((SaPayload
== NULL
) || (AuthPayload
== NULL
) || (TsiPayload
== NULL
) || (TsrPayload
== NULL
)) {
664 return EFI_INVALID_PARAMETER
;
666 if ((IdiPayload
== NULL
) && (IdrPayload
== NULL
)) {
667 return EFI_INVALID_PARAMETER
;
671 // Check IkePacket Header is match the state
673 if (IkeSaSession
->SessionCommon
.IsInitiator
) {
676 // 1. Check the IkePacket->Hdr == IKE_HEADER_FLAGS_RESPOND
678 if ((IkePacket
->Header
->Flags
!= IKE_HEADER_FLAGS_RESPOND
) ||
679 (IkePacket
->Header
->ExchangeType
!= IKEV2_EXCHANGE_TYPE_AUTH
)
681 return EFI_INVALID_PARAMETER
;
686 // 1. Check the IkePacket->Hdr == IKE_HEADER_FLAGS_INIT
688 if ((IkePacket
->Header
->Flags
!= IKE_HEADER_FLAGS_INIT
) ||
689 (IkePacket
->Header
->ExchangeType
!= IKEV2_EXCHANGE_TYPE_AUTH
)
691 return EFI_INVALID_PARAMETER
;
695 // 2. Parse the SA payload and Key Payload and find out the perferable one
696 // and fill in the Sa paramse into CommonSession->SaParams and SaData into
697 // IkeSaSession for the responder SA payload generation.
702 // Verify the Auth Payload.
704 VerifiedAuthPayload
= Ikev2PskGenerateAuthPayload (
706 IkeSaSession
->SessionCommon
.IsInitiator
? IdrPayload
: IdiPayload
,
707 IKEV2_PAYLOAD_TYPE_SA
,
710 if ((VerifiedAuthPayload
!= NULL
) &&
712 VerifiedAuthPayload
->PayloadBuf
+ sizeof (IKEV2_COMMON_PAYLOAD_HEADER
),
713 AuthPayload
->PayloadBuf
+ sizeof (IKEV2_COMMON_PAYLOAD_HEADER
),
714 VerifiedAuthPayload
->PayloadSize
- sizeof (IKEV2_COMMON_PAYLOAD_HEADER
)
716 return EFI_INVALID_PARAMETER
;
720 // 3. Parse the SA Payload to find out the cryptographic suite
721 // and fill in the Sa paramse into CommonSession->SaParams. If no acceptable
722 // porposal found, return EFI_INVALID_PARAMETER.
724 if (!Ikev2ChildSaParseSaPayload (ChildSaSession
, SaPayload
, IkePacket
->Header
->Flags
)) {
725 return EFI_INVALID_PARAMETER
;
729 // 4. Parse TSi, TSr payloads.
731 if ((((TRAFFIC_SELECTOR
*)(TsiPayload
->PayloadBuf
+ sizeof (IKEV2_TS
)))->IpProtocolId
!=
732 ((TRAFFIC_SELECTOR
*)(TsrPayload
->PayloadBuf
+ sizeof (IKEV2_TS
)))->IpProtocolId
) &&
733 (((TRAFFIC_SELECTOR
*)(TsiPayload
->PayloadBuf
+ sizeof (IKEV2_TS
)))->IpProtocolId
!= 0) &&
734 (((TRAFFIC_SELECTOR
*)(TsrPayload
->PayloadBuf
+ sizeof (IKEV2_TS
)))->IpProtocolId
!= 0)
736 return EFI_INVALID_PARAMETER
;
739 if (!IkeSaSession
->SessionCommon
.IsInitiator
) {
741 //TODO:check the Port range. Only support any port and one certain port here.
743 ChildSaSession
->ProtoId
= ((TRAFFIC_SELECTOR
*)(TsrPayload
->PayloadBuf
+ sizeof (IKEV2_TS
)))->IpProtocolId
;
744 ChildSaSession
->LocalPort
= ((TRAFFIC_SELECTOR
*)(TsrPayload
->PayloadBuf
+ sizeof (IKEV2_TS
)))->StartPort
;
745 ChildSaSession
->RemotePort
= ((TRAFFIC_SELECTOR
*)(TsiPayload
->PayloadBuf
+ sizeof (IKEV2_TS
)))->StartPort
;
747 // Association a SPD with this SA.
749 Status
= Ikev2ChildSaAssociateSpdEntry (ChildSaSession
);
750 if (EFI_ERROR (Status
)) {
751 return EFI_INVALID_PARAMETER
;
754 // Associate the IkeSaSession's SPD to the first ChildSaSession's SPD.
756 if (ChildSaSession
->IkeSaSession
->Spd
== NULL
) {
757 ChildSaSession
->IkeSaSession
->Spd
= ChildSaSession
->Spd
;
758 Status
= Ikev2ChildSaSessionSpdSelectorCreate (ChildSaSession
);
759 if (EFI_ERROR (Status
)) {
765 //TODO:check the Port range.
767 if ((((TRAFFIC_SELECTOR
*)(TsrPayload
->PayloadBuf
+ sizeof (IKEV2_TS
)))->StartPort
!= 0) &&
768 (((TRAFFIC_SELECTOR
*)(TsrPayload
->PayloadBuf
+ sizeof (IKEV2_TS
)))->StartPort
!= ChildSaSession
->RemotePort
)
770 return EFI_INVALID_PARAMETER
;
772 if ((((TRAFFIC_SELECTOR
*)(TsiPayload
->PayloadBuf
+ sizeof (IKEV2_TS
)))->StartPort
!= 0) &&
773 (((TRAFFIC_SELECTOR
*)(TsiPayload
->PayloadBuf
+ sizeof (IKEV2_TS
)))->StartPort
!= ChildSaSession
->LocalPort
)
775 return EFI_INVALID_PARAMETER
;
778 // For the tunnel mode, it should add the vitual IP address into the SA's SPD Selector.
780 if (ChildSaSession
->Spd
->Data
->ProcessingPolicy
->Mode
== EfiIPsecTunnel
) {
781 if (!ChildSaSession
->IkeSaSession
->SessionCommon
.IsInitiator
) {
783 // If it is tunnel mode, the UEFI part must be the initiator.
785 return EFI_INVALID_PARAMETER
;
788 // Get the Virtual IP address from the Tsi traffic selector.
789 // TODO: check the CFG reply payload
792 &ChildSaSession
->SpdSelector
->LocalAddress
[0].Address
,
793 TsiPayload
->PayloadBuf
+ sizeof (IKEV2_TS
) + sizeof (TRAFFIC_SELECTOR
),
794 (ChildSaSession
->SessionCommon
.UdpService
->IpVersion
== IP_VERSION_4
) ?
795 sizeof (EFI_IPv4_ADDRESS
) : sizeof (EFI_IPv6_ADDRESS
)
801 // 5. Generate keymats for IPsec protocol.
803 Ikev2GenerateChildSaKeys (ChildSaSession
, NULL
);
804 if (IkeSaSession
->SessionCommon
.IsInitiator
) {
806 // 6. Change the state of IkeSaSession
808 IKEV2_DUMP_STATE (IkeSaSession
->SessionCommon
.State
, IkeStateIkeSaEstablished
);
809 IkeSaSession
->SessionCommon
.State
= IkeStateIkeSaEstablished
;
816 Generates the IKEv2 packet for the IKE_SA_INIT exchange.
818 @param[in] SaSession Pointer to IKEV2_SA_SESSION related to the exchange.
819 @param[in] Context Context Data passed by caller.
821 @retval EFI_SUCCESS The IKE packet generation succeeded.
822 @retval Others The IKE packet generation failed.
826 Ikev2InitCertGenerator (
831 IKE_PACKET
*IkePacket
;
832 IKE_PAYLOAD
*CertReqPayload
;
834 IKE_PAYLOAD
*NoncePayload
;
836 if (!FeaturePcdGet (PcdIpsecCertificateEnabled
)) {
841 // The first two messages exchange is same between PSK and Cert.
843 IkePacket
= Ikev2InitPskGenerator (SaSession
, Context
);
845 if ((IkePacket
!= NULL
) && (!((IKEV2_SA_SESSION
*)SaSession
)->SessionCommon
.IsInitiator
)) {
847 // Add the Certification Request Payload
849 CertReqPayload
= Ikev2GenerateCertificatePayload (
850 (IKEV2_SA_SESSION
*)SaSession
,
851 IKEV2_PAYLOAD_TYPE_NONE
,
852 (UINT8
*)PcdGetPtr(PcdIpsecUefiCaFile
),
853 PcdGet32(PcdIpsecUefiCaFileSize
),
854 IKEV2_CERT_ENCODEING_HASH_AND_URL_OF_X509_CERT
,
858 // Change Nonce Payload Next payload type.
860 IKE_PACKET_END_PAYLOAD (IkePacket
, Node
);
861 NoncePayload
= IKE_PAYLOAD_BY_PACKET (Node
);
862 ((IKEV2_NONCE
*)NoncePayload
->PayloadBuf
)->Header
.NextPayload
= IKEV2_PAYLOAD_TYPE_CERTREQ
;
865 // Add Certification Request Payload
867 IKE_PACKET_APPEND_PAYLOAD (IkePacket
, CertReqPayload
);
874 Parses the IKEv2 packet for IKE_SA_INIT exchange.
876 @param[in] SaSession Pointer to IKEV2_SA_SESSION related to the exchange.
877 @param[in] IkePacket The received IKEv2 packet to be parsed.
879 @retval EFI_SUCCESS The IKEv2 packet is acceptable and the related data is
880 saved for further communication.
881 @retval EFI_INVALID_PARAMETER The IKE packet is malformed or the SA proposal is unacceptable.
882 @retval EFI_UNSUPPORTED The certificate authentication is not supported.
886 Ikev2InitCertParser (
888 IN IKE_PACKET
*IkePacket
891 if (!FeaturePcdGet (PcdIpsecCertificateEnabled
)) {
892 return EFI_UNSUPPORTED
;
896 // The first two messages exchange is same between PSK and Cert.
897 // Todo: Parse Certificate Request from responder Initial Exchange.
899 return Ikev2InitPskParser (SaSession
, IkePacket
);
903 Generates the IKEv2 packet for IKE_AUTH exchange.
905 @param[in] SaSession Pointer to IKEV2_SA_SESSION.
906 @param[in] Context Context data passed by caller.
908 @retval Pointer to IKEv2 Packet to be sent out.
912 Ikev2AuthCertGenerator (
917 IKE_PACKET
*IkePacket
;
918 IKEV2_SA_SESSION
*IkeSaSession
;
919 IKE_PAYLOAD
*IdPayload
;
920 IKE_PAYLOAD
*AuthPayload
;
921 IKE_PAYLOAD
*SaPayload
;
922 IKE_PAYLOAD
*TsiPayload
;
923 IKE_PAYLOAD
*TsrPayload
;
924 IKE_PAYLOAD
*NotifyPayload
;
925 IKE_PAYLOAD
*CpPayload
;
926 IKE_PAYLOAD
*CertPayload
;
927 IKE_PAYLOAD
*CertReqPayload
;
928 IKEV2_CHILD_SA_SESSION
*ChildSaSession
;
930 if (!FeaturePcdGet (PcdIpsecCertificateEnabled
)) {
934 IkeSaSession
= (IKEV2_SA_SESSION
*) SaSession
;
935 ChildSaSession
= IKEV2_CHILD_SA_SESSION_BY_IKE_SA (GetFirstNode (&IkeSaSession
->ChildSaSessionList
));
938 NotifyPayload
= NULL
;
940 CertReqPayload
= NULL
;
943 // 1. Allocate IKE Packet
945 IkePacket
= IkePacketAlloc ();
946 if (IkePacket
== NULL
) {
951 // 1.a Fill the IkePacket Header.
953 IkePacket
->Header
->ExchangeType
= IKEV2_EXCHANGE_TYPE_AUTH
;
954 IkePacket
->Header
->InitiatorCookie
= IkeSaSession
->InitiatorCookie
;
955 IkePacket
->Header
->ResponderCookie
= IkeSaSession
->ResponderCookie
;
956 IkePacket
->Header
->Version
= (UINT8
)(2 << 4);
957 if (ChildSaSession
->SessionCommon
.IsInitiator
) {
958 IkePacket
->Header
->NextPayload
= IKEV2_PAYLOAD_TYPE_ID_INIT
;
960 IkePacket
->Header
->NextPayload
= IKEV2_PAYLOAD_TYPE_ID_RSP
;
964 // According to RFC4306_2.2, For the IKE_SA_INIT message the MessageID should
965 // be always number 0 and 1;
967 IkePacket
->Header
->MessageId
= 1;
969 if (IkeSaSession
->SessionCommon
.IsInitiator
) {
970 IkePacket
->Header
->Flags
= IKE_HEADER_FLAGS_INIT
;
972 IkePacket
->Header
->Flags
= IKE_HEADER_FLAGS_RESPOND
;
976 // 2. Generate ID Payload according to IP version and address.
978 IdPayload
= Ikev2GenerateCertIdPayload (
979 &IkeSaSession
->SessionCommon
,
980 IKEV2_PAYLOAD_TYPE_CERT
,
981 (UINT8
*)PcdGetPtr (PcdIpsecUefiCertificate
),
982 PcdGet32 (PcdIpsecUefiCertificateSize
)
986 // 3. Generate Certificate Payload
988 CertPayload
= Ikev2GenerateCertificatePayload (
990 (UINT8
)(IkeSaSession
->SessionCommon
.IsInitiator
? IKEV2_PAYLOAD_TYPE_CERTREQ
: IKEV2_PAYLOAD_TYPE_AUTH
),
991 (UINT8
*)PcdGetPtr (PcdIpsecUefiCertificate
),
992 PcdGet32 (PcdIpsecUefiCertificateSize
),
993 IKEV2_CERT_ENCODEING_X509_CERT_SIGN
,
996 if (IkeSaSession
->SessionCommon
.IsInitiator
) {
997 CertReqPayload
= Ikev2GenerateCertificatePayload (
999 IKEV2_PAYLOAD_TYPE_AUTH
,
1000 (UINT8
*)PcdGetPtr (PcdIpsecUefiCertificate
),
1001 PcdGet32 (PcdIpsecUefiCertificateSize
),
1002 IKEV2_CERT_ENCODEING_HASH_AND_URL_OF_X509_CERT
,
1008 // 4. Generate Auth Payload
1009 // If it is tunnel mode, should create the configuration payload after the
1012 if (IkeSaSession
->Spd
->Data
->ProcessingPolicy
->Mode
== EfiIPsecTransport
) {
1013 AuthPayload
= Ikev2CertGenerateAuthPayload (
1014 ChildSaSession
->IkeSaSession
,
1016 IKEV2_PAYLOAD_TYPE_SA
,
1018 (UINT8
*)PcdGetPtr (PcdIpsecUefiCertificateKey
),
1019 PcdGet32 (PcdIpsecUefiCertificateKeySize
),
1020 ChildSaSession
->IkeSaSession
->Pad
->Data
->AuthData
,
1021 ChildSaSession
->IkeSaSession
->Pad
->Data
->AuthDataSize
1024 AuthPayload
= Ikev2CertGenerateAuthPayload (
1025 ChildSaSession
->IkeSaSession
,
1027 IKEV2_PAYLOAD_TYPE_CP
,
1029 (UINT8
*)PcdGetPtr (PcdIpsecUefiCertificateKey
),
1030 PcdGet32 (PcdIpsecUefiCertificateKeySize
),
1031 ChildSaSession
->IkeSaSession
->Pad
->Data
->AuthData
,
1032 ChildSaSession
->IkeSaSession
->Pad
->Data
->AuthDataSize
1034 if (IkeSaSession
->SessionCommon
.UdpService
->IpVersion
== IP_VERSION_4
) {
1035 CpPayload
= Ikev2GenerateCpPayload (
1036 ChildSaSession
->IkeSaSession
,
1037 IKEV2_PAYLOAD_TYPE_SA
,
1038 IKEV2_CFG_ATTR_INTERNAL_IP4_ADDRESS
1041 CpPayload
= Ikev2GenerateCpPayload (
1042 ChildSaSession
->IkeSaSession
,
1043 IKEV2_PAYLOAD_TYPE_SA
,
1044 IKEV2_CFG_ATTR_INTERNAL_IP6_ADDRESS
1050 // 5. Generate SA Payload according to the Sa Data in ChildSaSession
1052 SaPayload
= Ikev2GenerateSaPayload (
1053 ChildSaSession
->SaData
,
1054 IKEV2_PAYLOAD_TYPE_TS_INIT
,
1055 IkeSessionTypeChildSa
1058 if (IkeSaSession
->Spd
->Data
->ProcessingPolicy
->Mode
== EfiIPsecTransport
) {
1060 // Generate Tsi and Tsr.
1062 TsiPayload
= Ikev2GenerateTsPayload (
1064 IKEV2_PAYLOAD_TYPE_TS_RSP
,
1068 TsrPayload
= Ikev2GenerateTsPayload (
1070 IKEV2_PAYLOAD_TYPE_NOTIFY
,
1075 // Generate Notify Payload. If transport mode, there should have Notify
1076 // payload with TRANSPORT_MODE notification.
1078 NotifyPayload
= Ikev2GenerateNotifyPayload (
1080 IKEV2_PAYLOAD_TYPE_NONE
,
1082 IKEV2_NOTIFICATION_USE_TRANSPORT_MODE
,
1089 // Generate Tsr for Tunnel mode.
1091 TsiPayload
= Ikev2GenerateTsPayload (
1093 IKEV2_PAYLOAD_TYPE_TS_RSP
,
1096 TsrPayload
= Ikev2GenerateTsPayload (
1098 IKEV2_PAYLOAD_TYPE_NONE
,
1103 IKE_PACKET_APPEND_PAYLOAD (IkePacket
, IdPayload
);
1104 IKE_PACKET_APPEND_PAYLOAD (IkePacket
, CertPayload
);
1105 if (IkeSaSession
->SessionCommon
.IsInitiator
) {
1106 IKE_PACKET_APPEND_PAYLOAD (IkePacket
, CertReqPayload
);
1108 IKE_PACKET_APPEND_PAYLOAD (IkePacket
, AuthPayload
);
1109 if (IkeSaSession
->Spd
->Data
->ProcessingPolicy
->Mode
== EfiIPsecTunnel
) {
1110 IKE_PACKET_APPEND_PAYLOAD (IkePacket
, CpPayload
);
1112 IKE_PACKET_APPEND_PAYLOAD (IkePacket
, SaPayload
);
1113 IKE_PACKET_APPEND_PAYLOAD (IkePacket
, TsiPayload
);
1114 IKE_PACKET_APPEND_PAYLOAD (IkePacket
, TsrPayload
);
1115 if (IkeSaSession
->Spd
->Data
->ProcessingPolicy
->Mode
== EfiIPsecTransport
) {
1116 IKE_PACKET_APPEND_PAYLOAD (IkePacket
, NotifyPayload
);
1123 Parses IKE_AUTH packet.
1125 @param[in] SaSession Pointer to the IKE_SA_SESSION related to this packet.
1126 @param[in] IkePacket Pointer to the IKE_AUTH packet to be parsed.
1128 @retval EFI_INVALID_PARAMETER The IKEv2 packet is malformed or the SA
1129 proposal is unacceptable.
1130 @retval EFI_SUCCESS The IKE packet is acceptable and the
1131 related data is saved for further communication.
1132 @retval EFI_UNSUPPORTED The certificate authentication is not supported.
1136 Ikev2AuthCertParser (
1137 IN UINT8
*SaSession
,
1138 IN IKE_PACKET
*IkePacket
1141 IKEV2_CHILD_SA_SESSION
*ChildSaSession
;
1142 IKEV2_SA_SESSION
*IkeSaSession
;
1143 IKE_PAYLOAD
*IkePayload
;
1144 IKE_PAYLOAD
*SaPayload
;
1145 IKE_PAYLOAD
*IdiPayload
;
1146 IKE_PAYLOAD
*IdrPayload
;
1147 IKE_PAYLOAD
*AuthPayload
;
1148 IKE_PAYLOAD
*TsiPayload
;
1149 IKE_PAYLOAD
*TsrPayload
;
1150 IKE_PAYLOAD
*CertPayload
;
1151 IKE_PAYLOAD
*VerifiedAuthPayload
;
1155 if (!FeaturePcdGet (PcdIpsecCertificateEnabled
)) {
1156 return EFI_UNSUPPORTED
;
1159 IkeSaSession
= (IKEV2_SA_SESSION
*) SaSession
;
1160 ChildSaSession
= IKEV2_CHILD_SA_SESSION_BY_IKE_SA (GetFirstNode (&IkeSaSession
->ChildSaSessionList
));
1169 VerifiedAuthPayload
= NULL
;
1170 Status
= EFI_INVALID_PARAMETER
;
1173 // Iterate payloads to find the SaPayload/ID/AUTH/TS Payload.
1175 NET_LIST_FOR_EACH (Entry
, &(IkePacket
)->PayloadList
) {
1176 IkePayload
= IKE_PAYLOAD_BY_PACKET (Entry
);
1178 if (IkePayload
->PayloadType
== IKEV2_PAYLOAD_TYPE_ID_INIT
) {
1179 IdiPayload
= IkePayload
;
1181 if (IkePayload
->PayloadType
== IKEV2_PAYLOAD_TYPE_ID_RSP
) {
1182 IdrPayload
= IkePayload
;
1185 if (IkePayload
->PayloadType
== IKEV2_PAYLOAD_TYPE_SA
) {
1186 SaPayload
= IkePayload
;
1188 if (IkePayload
->PayloadType
== IKEV2_PAYLOAD_TYPE_AUTH
) {
1189 AuthPayload
= IkePayload
;
1191 if (IkePayload
->PayloadType
== IKEV2_PAYLOAD_TYPE_TS_INIT
) {
1192 TsiPayload
= IkePayload
;
1194 if (IkePayload
->PayloadType
== IKEV2_PAYLOAD_TYPE_TS_RSP
) {
1195 TsrPayload
= IkePayload
;
1197 if (IkePayload
->PayloadType
== IKEV2_PAYLOAD_TYPE_CERT
) {
1198 CertPayload
= IkePayload
;
1202 if ((SaPayload
== NULL
) || (AuthPayload
== NULL
) || (TsiPayload
== NULL
) ||
1203 (TsrPayload
== NULL
) || (CertPayload
== NULL
)) {
1206 if ((IdiPayload
== NULL
) && (IdrPayload
== NULL
)) {
1211 // Check IkePacket Header is match the state
1213 if (IkeSaSession
->SessionCommon
.IsInitiator
) {
1216 // 1. Check the IkePacket->Hdr == IKE_HEADER_FLAGS_RESPOND
1218 if ((IkePacket
->Header
->Flags
!= IKE_HEADER_FLAGS_RESPOND
) ||
1219 (IkePacket
->Header
->ExchangeType
!= IKEV2_EXCHANGE_TYPE_AUTH
)) {
1224 // 1. Check the IkePacket->Hdr == IKE_HEADER_FLAGS_INIT
1226 if ((IkePacket
->Header
->Flags
!= IKE_HEADER_FLAGS_INIT
) ||
1227 (IkePacket
->Header
->ExchangeType
!= IKEV2_EXCHANGE_TYPE_AUTH
)) {
1233 // Verify the Auth Payload.
1235 VerifiedAuthPayload
= Ikev2CertGenerateAuthPayload (
1237 IkeSaSession
->SessionCommon
.IsInitiator
? IdrPayload
:IdiPayload
,
1238 IKEV2_PAYLOAD_TYPE_SA
,
1246 if ((VerifiedAuthPayload
!= NULL
) &&
1247 (!IpSecCryptoIoVerifySignDataByCertificate (
1248 CertPayload
->PayloadBuf
+ sizeof (IKEV2_CERT
),
1249 CertPayload
->PayloadSize
- sizeof (IKEV2_CERT
),
1250 (UINT8
*)PcdGetPtr (PcdIpsecUefiCaFile
),
1251 PcdGet32 (PcdIpsecUefiCaFileSize
),
1252 VerifiedAuthPayload
->PayloadBuf
+ sizeof (IKEV2_AUTH
),
1253 VerifiedAuthPayload
->PayloadSize
- sizeof (IKEV2_AUTH
),
1254 AuthPayload
->PayloadBuf
+ sizeof (IKEV2_AUTH
),
1255 AuthPayload
->PayloadSize
- sizeof (IKEV2_AUTH
)
1261 // 3. Parse the SA Payload to find out the cryptographic suite
1262 // and fill in the SA paramse into CommonSession->SaParams. If no acceptable
1263 // porposal found, return EFI_INVALID_PARAMETER.
1265 if (!Ikev2ChildSaParseSaPayload (ChildSaSession
, SaPayload
, IkePacket
->Header
->Flags
)) {
1270 // 4. Parse TSi, TSr payloads.
1272 if ((((TRAFFIC_SELECTOR
*)(TsiPayload
->PayloadBuf
+ sizeof (IKEV2_TS
)))->IpProtocolId
!=
1273 ((TRAFFIC_SELECTOR
*)(TsrPayload
->PayloadBuf
+ sizeof (IKEV2_TS
)))->IpProtocolId
) &&
1274 (((TRAFFIC_SELECTOR
*)(TsiPayload
->PayloadBuf
+ sizeof (IKEV2_TS
)))->IpProtocolId
!= 0) &&
1275 (((TRAFFIC_SELECTOR
*)(TsrPayload
->PayloadBuf
+ sizeof (IKEV2_TS
)))->IpProtocolId
!= 0)
1280 if (!IkeSaSession
->SessionCommon
.IsInitiator
) {
1282 //Todo:check the Port range. Only support any port and one certain port here.
1284 ChildSaSession
->ProtoId
= ((TRAFFIC_SELECTOR
*)(TsrPayload
->PayloadBuf
+ sizeof (IKEV2_TS
)))->IpProtocolId
;
1285 ChildSaSession
->LocalPort
= ((TRAFFIC_SELECTOR
*)(TsrPayload
->PayloadBuf
+ sizeof (IKEV2_TS
)))->StartPort
;
1286 ChildSaSession
->RemotePort
= ((TRAFFIC_SELECTOR
*)(TsiPayload
->PayloadBuf
+ sizeof (IKEV2_TS
)))->StartPort
;
1288 // Association a SPD with this SA.
1290 if (EFI_ERROR (Ikev2ChildSaAssociateSpdEntry (ChildSaSession
))) {
1294 // Associate the IkeSaSession's SPD to the first ChildSaSession's SPD.
1296 if (ChildSaSession
->IkeSaSession
->Spd
== NULL
) {
1297 ChildSaSession
->IkeSaSession
->Spd
= ChildSaSession
->Spd
;
1298 Status
= Ikev2ChildSaSessionSpdSelectorCreate (ChildSaSession
);
1299 if (EFI_ERROR (Status
)) {
1305 // Todo:check the Port range.
1307 if ((((TRAFFIC_SELECTOR
*)(TsrPayload
->PayloadBuf
+ sizeof (IKEV2_TS
)))->StartPort
!= 0) &&
1308 (((TRAFFIC_SELECTOR
*)(TsrPayload
->PayloadBuf
+ sizeof (IKEV2_TS
)))->StartPort
!= ChildSaSession
->RemotePort
)
1312 if ((((TRAFFIC_SELECTOR
*)(TsiPayload
->PayloadBuf
+ sizeof (IKEV2_TS
)))->StartPort
!= 0) &&
1313 (((TRAFFIC_SELECTOR
*)(TsiPayload
->PayloadBuf
+ sizeof (IKEV2_TS
)))->StartPort
!= ChildSaSession
->LocalPort
)
1318 // For the tunnel mode, it should add the vitual IP address into the SA's SPD Selector.
1320 if (ChildSaSession
->Spd
->Data
->ProcessingPolicy
->Mode
== EfiIPsecTunnel
) {
1321 if (!ChildSaSession
->IkeSaSession
->SessionCommon
.IsInitiator
) {
1323 // If it is tunnel mode, the UEFI part must be the initiator.
1328 // Get the Virtual IP address from the Tsi traffic selector.
1329 // TODO: check the CFG reply payload
1332 &ChildSaSession
->SpdSelector
->LocalAddress
[0].Address
,
1333 TsiPayload
->PayloadBuf
+ sizeof (IKEV2_TS
) + sizeof (TRAFFIC_SELECTOR
),
1334 (ChildSaSession
->SessionCommon
.UdpService
->IpVersion
== IP_VERSION_4
) ?
1335 sizeof (EFI_IPv4_ADDRESS
) : sizeof (EFI_IPv6_ADDRESS
)
1341 // 5. Generat keymats for IPsec protocol.
1343 Ikev2GenerateChildSaKeys (ChildSaSession
, NULL
);
1344 if (IkeSaSession
->SessionCommon
.IsInitiator
) {
1346 // 6. Change the state of IkeSaSession
1348 IKEV2_DUMP_STATE (IkeSaSession
->SessionCommon
.State
, IkeStateIkeSaEstablished
);
1349 IkeSaSession
->SessionCommon
.State
= IkeStateIkeSaEstablished
;
1352 Status
= EFI_SUCCESS
;
1355 if (VerifiedAuthPayload
!= NULL
) {
1356 IkePayloadFree (VerifiedAuthPayload
);
1362 Generates the DH Public Key.
1364 This generates the DH local public key and store it in the IKE SA Session's GxBuffer.
1366 @param[in] IkeSaSession Pointer to related IKE SA Session.
1368 @retval EFI_SUCCESS The operation succeeded.
1369 @retval Others The operation failed.
1373 Ikev2GenerateSaDhPublicKey (
1374 IN IKEV2_SA_SESSION
*IkeSaSession
1378 IKEV2_SESSION_KEYS
*IkeKeys
;
1380 IkeSaSession
->IkeKeys
= AllocateZeroPool (sizeof (IKEV2_SESSION_KEYS
));
1381 if (IkeSaSession
->IkeKeys
== NULL
) {
1382 return EFI_OUT_OF_RESOURCES
;
1385 IkeKeys
= IkeSaSession
->IkeKeys
;
1386 IkeKeys
->DhBuffer
= AllocateZeroPool (sizeof (IKEV2_DH_BUFFER
));
1387 if (IkeKeys
->DhBuffer
== NULL
) {
1388 FreePool (IkeSaSession
->IkeKeys
);
1389 return EFI_OUT_OF_RESOURCES
;
1393 // Init DH with the certain DH Group Description.
1395 IkeKeys
->DhBuffer
->GxSize
= OakleyModpGroup
[(UINT8
)IkeSaSession
->SessionCommon
.PreferDhGroup
].Size
>> 3;
1396 IkeKeys
->DhBuffer
->GxBuffer
= AllocateZeroPool (IkeKeys
->DhBuffer
->GxSize
);
1397 if (IkeKeys
->DhBuffer
->GxBuffer
== NULL
) {
1398 FreePool (IkeKeys
->DhBuffer
);
1399 FreePool (IkeSaSession
->IkeKeys
);
1400 return EFI_OUT_OF_RESOURCES
;
1406 Status
= IpSecCryptoIoDhGetPublicKey (
1407 &IkeKeys
->DhBuffer
->DhContext
,
1408 OakleyModpGroup
[(UINT8
)IkeSaSession
->SessionCommon
.PreferDhGroup
].GroupGenerator
,
1409 OakleyModpGroup
[(UINT8
)IkeSaSession
->SessionCommon
.PreferDhGroup
].Size
,
1410 OakleyModpGroup
[(UINT8
)IkeSaSession
->SessionCommon
.PreferDhGroup
].Modulus
,
1411 IkeKeys
->DhBuffer
->GxBuffer
,
1412 &IkeKeys
->DhBuffer
->GxSize
1414 if (EFI_ERROR (Status
)) {
1415 DEBUG ((DEBUG_ERROR
, "Error CPLKeyManGetKeyParam X public key error Status = %r\n", Status
));
1417 FreePool (IkeKeys
->DhBuffer
->GxBuffer
);
1419 FreePool (IkeKeys
->DhBuffer
);
1421 FreePool (IkeSaSession
->IkeKeys
);
1426 IPSEC_DUMP_BUF ("DH Public Key (g^x) Dump", IkeKeys
->DhBuffer
->GxBuffer
, IkeKeys
->DhBuffer
->GxSize
);
1432 Computes the DH Shared/Exchange Key.
1434 Given peer's public key, this function computes the exchanged common key and
1435 stores it in the IKEv2 SA Session's GxyBuffer.
1437 @param[in] DhBuffer Pointer to buffer of peer's puliic key.
1438 @param[in] KePayload Pointer to received key payload.
1440 @retval EFI_SUCCESS The operation succeeded.
1441 @retval Otherwise The operation failed.
1445 Ikev2GenerateSaDhComputeKey (
1446 IN IKEV2_DH_BUFFER
*DhBuffer
,
1447 IN IKE_PAYLOAD
*KePayload
1451 IKEV2_KEY_EXCHANGE
*Ke
;
1455 Ke
= (IKEV2_KEY_EXCHANGE
*) KePayload
->PayloadBuf
;
1456 PubKey
= (UINT8
*) (Ke
+ 1);
1457 PubKeySize
= KePayload
->PayloadSize
- sizeof (IKEV2_KEY_EXCHANGE
);
1458 DhBuffer
->GxySize
= DhBuffer
->GxSize
;
1459 DhBuffer
->GxyBuffer
= AllocateZeroPool (DhBuffer
->GxySize
);
1460 if (DhBuffer
->GxyBuffer
== NULL
) {
1461 return EFI_OUT_OF_RESOURCES
;
1467 Status
= IpSecCryptoIoDhComputeKey (
1468 DhBuffer
->DhContext
,
1471 DhBuffer
->GxyBuffer
,
1474 if (EFI_ERROR (Status
)) {
1475 DEBUG ((DEBUG_ERROR
, "Error CPLKeyManGetKeyParam Y session key error Status = %r\n", Status
));
1477 FreePool (DhBuffer
->GxyBuffer
);
1485 DhBuffer
->GySize
= PubKeySize
;
1486 DhBuffer
->GyBuffer
= AllocateZeroPool (DhBuffer
->GySize
);
1487 if (DhBuffer
->GyBuffer
== NULL
) {
1488 FreePool (DhBuffer
->GxyBuffer
);
1493 CopyMem (DhBuffer
->GyBuffer
, PubKey
, DhBuffer
->GySize
);
1495 IPSEC_DUMP_BUF ("DH Public Key (g^y) Dump", DhBuffer
->GyBuffer
, DhBuffer
->GySize
);
1496 IPSEC_DUMP_BUF ("DH Shared Key (g^xy) Dump", DhBuffer
->GxyBuffer
, DhBuffer
->GxySize
);
1502 Generates the IKE SKEYSEED and seven other secrets. SK_d, SK_ai, SK_ar, SK_ei, SK_er,
1503 SK_pi, SK_pr are keys for the furthure IKE exchange.
1505 @param[in] IkeSaSession Pointer to IKE SA Session.
1506 @param[in] KePayload Pointer to Key payload used to generate the Key.
1508 @retval EFI_UNSUPPORTED If one or more Algorithm Id is not supported.
1509 @retval EFI_OUT_OF_RESOURCES If there is no enough resource to be allocated to
1510 meet the requirement.
1511 @retval EFI_SUCCESS The operation succeeded.
1515 Ikev2GenerateSaKeys (
1516 IN IKEV2_SA_SESSION
*IkeSaSession
,
1517 IN IKE_PAYLOAD
*KePayload
1521 IKEV2_SA_PARAMS
*SaParams
;
1522 PRF_DATA_FRAGMENT Fragments
[4];
1523 UINT64 InitiatorCookieNet
;
1524 UINT64 ResponderCookieNet
;
1526 UINTN KeyBufferSize
;
1527 UINTN AuthAlgKeyLen
;
1528 UINTN EncryptAlgKeyLen
;
1529 UINTN IntegrityAlgKeyLen
;
1532 UINTN OutputKeyLength
;
1539 Status
= EFI_SUCCESS
;
1544 Ikev2GenerateSaDhComputeKey (IkeSaSession
->IkeKeys
->DhBuffer
, KePayload
);
1547 // Get the key length of Authenticaion, Encryption, PRF, and Integrity.
1549 SaParams
= IkeSaSession
->SessionCommon
.SaParams
;
1550 AuthAlgKeyLen
= IpSecGetHmacDigestLength ((UINT8
)SaParams
->Prf
);
1551 EncryptAlgKeyLen
= IpSecGetEncryptKeyLength ((UINT8
)SaParams
->EncAlgId
);
1552 IntegrityAlgKeyLen
= IpSecGetHmacDigestLength ((UINT8
)SaParams
->IntegAlgId
);
1553 PrfAlgKeyLen
= IpSecGetHmacDigestLength ((UINT8
)SaParams
->Prf
);
1556 // If one or more algorithm is not support, return EFI_UNSUPPORTED.
1558 if (AuthAlgKeyLen
== 0 ||
1559 EncryptAlgKeyLen
== 0 ||
1560 IntegrityAlgKeyLen
== 0 ||
1563 Status
= EFI_UNSUPPORTED
;
1568 // Compute SKEYSEED = prf(Ni | Nr, g^ir)
1570 KeyBufferSize
= IkeSaSession
->NiBlkSize
+ IkeSaSession
->NrBlkSize
;
1571 KeyBuffer
= AllocateZeroPool (KeyBufferSize
);
1572 if (KeyBuffer
== NULL
) {
1573 Status
= EFI_OUT_OF_RESOURCES
;
1577 CopyMem (KeyBuffer
, IkeSaSession
->NiBlock
, IkeSaSession
->NiBlkSize
);
1578 CopyMem (KeyBuffer
+ IkeSaSession
->NiBlkSize
, IkeSaSession
->NrBlock
, IkeSaSession
->NrBlkSize
);
1580 Fragments
[0].Data
= IkeSaSession
->IkeKeys
->DhBuffer
->GxyBuffer
;
1581 Fragments
[0].DataSize
= IkeSaSession
->IkeKeys
->DhBuffer
->GxySize
;
1583 DigestSize
= IpSecGetHmacDigestLength ((UINT8
)SaParams
->Prf
);
1584 Digest
= AllocateZeroPool (DigestSize
);
1586 if (Digest
== NULL
) {
1587 Status
= EFI_OUT_OF_RESOURCES
;
1592 (UINT8
)SaParams
->Prf
,
1595 (HASH_DATA_FRAGMENT
*) Fragments
,
1602 // {SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr } = prf+
1603 // (SKEYSEED, Ni | Nr | SPIi | SPIr )
1605 Fragments
[0].Data
= IkeSaSession
->NiBlock
;
1606 Fragments
[0].DataSize
= IkeSaSession
->NiBlkSize
;
1607 Fragments
[1].Data
= IkeSaSession
->NrBlock
;
1608 Fragments
[1].DataSize
= IkeSaSession
->NrBlkSize
;
1609 InitiatorCookieNet
= HTONLL (IkeSaSession
->InitiatorCookie
);
1610 ResponderCookieNet
= HTONLL (IkeSaSession
->ResponderCookie
);
1611 Fragments
[2].Data
= (UINT8
*)(&InitiatorCookieNet
);
1612 Fragments
[2].DataSize
= sizeof (IkeSaSession
->InitiatorCookie
);
1613 Fragments
[3].Data
= (UINT8
*)(&ResponderCookieNet
);
1614 Fragments
[3].DataSize
= sizeof (IkeSaSession
->ResponderCookie
);
1616 IPSEC_DUMP_BUF (">>> NiBlock", IkeSaSession
->NiBlock
, IkeSaSession
->NiBlkSize
);
1617 IPSEC_DUMP_BUF (">>> NrBlock", IkeSaSession
->NrBlock
, IkeSaSession
->NrBlkSize
);
1618 IPSEC_DUMP_BUF (">>> InitiatorCookie", (UINT8
*)&IkeSaSession
->InitiatorCookie
, sizeof(UINT64
));
1619 IPSEC_DUMP_BUF (">>> ResponderCookie", (UINT8
*)&IkeSaSession
->ResponderCookie
, sizeof(UINT64
));
1621 OutputKeyLength
= PrfAlgKeyLen
+
1622 2 * EncryptAlgKeyLen
+
1624 2 * IntegrityAlgKeyLen
;
1625 OutputKey
= AllocateZeroPool (OutputKeyLength
);
1626 if (OutputKey
== NULL
) {
1627 Status
= EFI_OUT_OF_RESOURCES
;
1632 // Generate Seven Keymates.
1634 Status
= Ikev2SaGenerateKey (
1635 (UINT8
)SaParams
->Prf
,
1643 if (EFI_ERROR(Status
)) {
1648 // Save the seven keys into KeySession.
1651 IkeSaSession
->IkeKeys
->SkdKey
= AllocateZeroPool (PrfAlgKeyLen
);
1652 if (IkeSaSession
->IkeKeys
->SkdKey
== NULL
) {
1653 Status
= EFI_OUT_OF_RESOURCES
;
1656 IkeSaSession
->IkeKeys
->SkdKeySize
= PrfAlgKeyLen
;
1657 CopyMem (IkeSaSession
->IkeKeys
->SkdKey
, OutputKey
, PrfAlgKeyLen
);
1659 IPSEC_DUMP_BUF (">>> SK_D Key", IkeSaSession
->IkeKeys
->SkdKey
, PrfAlgKeyLen
);
1664 IkeSaSession
->IkeKeys
->SkAiKey
= AllocateZeroPool (IntegrityAlgKeyLen
);
1665 if (IkeSaSession
->IkeKeys
->SkAiKey
== NULL
) {
1666 Status
= EFI_OUT_OF_RESOURCES
;
1669 IkeSaSession
->IkeKeys
->SkAiKeySize
= IntegrityAlgKeyLen
;
1670 CopyMem (IkeSaSession
->IkeKeys
->SkAiKey
, OutputKey
+ PrfAlgKeyLen
, IntegrityAlgKeyLen
);
1672 IPSEC_DUMP_BUF (">>> SK_Ai Key", IkeSaSession
->IkeKeys
->SkAiKey
, IkeSaSession
->IkeKeys
->SkAiKeySize
);
1677 IkeSaSession
->IkeKeys
->SkArKey
= AllocateZeroPool (IntegrityAlgKeyLen
);
1678 if (IkeSaSession
->IkeKeys
->SkArKey
== NULL
) {
1679 Status
= EFI_OUT_OF_RESOURCES
;
1682 IkeSaSession
->IkeKeys
->SkArKeySize
= IntegrityAlgKeyLen
;
1684 IkeSaSession
->IkeKeys
->SkArKey
,
1685 OutputKey
+ PrfAlgKeyLen
+ IntegrityAlgKeyLen
,
1689 IPSEC_DUMP_BUF (">>> SK_Ar Key", IkeSaSession
->IkeKeys
->SkArKey
, IkeSaSession
->IkeKeys
->SkArKeySize
);
1694 IkeSaSession
->IkeKeys
->SkEiKey
= AllocateZeroPool (EncryptAlgKeyLen
);
1695 if (IkeSaSession
->IkeKeys
->SkEiKey
== NULL
) {
1696 Status
= EFI_OUT_OF_RESOURCES
;
1699 IkeSaSession
->IkeKeys
->SkEiKeySize
= EncryptAlgKeyLen
;
1702 IkeSaSession
->IkeKeys
->SkEiKey
,
1703 OutputKey
+ AuthAlgKeyLen
+ 2 * IntegrityAlgKeyLen
,
1708 OutputKey
+ AuthAlgKeyLen
+ 2 * IntegrityAlgKeyLen
,
1715 IkeSaSession
->IkeKeys
->SkErKey
= AllocateZeroPool (EncryptAlgKeyLen
);
1716 if (IkeSaSession
->IkeKeys
->SkErKey
== NULL
) {
1717 Status
= EFI_OUT_OF_RESOURCES
;
1720 IkeSaSession
->IkeKeys
->SkErKeySize
= EncryptAlgKeyLen
;
1723 IkeSaSession
->IkeKeys
->SkErKey
,
1724 OutputKey
+ AuthAlgKeyLen
+ 2 * IntegrityAlgKeyLen
+ EncryptAlgKeyLen
,
1729 OutputKey
+ AuthAlgKeyLen
+ 2 * IntegrityAlgKeyLen
+ EncryptAlgKeyLen
,
1736 IkeSaSession
->IkeKeys
->SkPiKey
= AllocateZeroPool (AuthAlgKeyLen
);
1737 if (IkeSaSession
->IkeKeys
->SkPiKey
== NULL
) {
1738 Status
= EFI_OUT_OF_RESOURCES
;
1741 IkeSaSession
->IkeKeys
->SkPiKeySize
= AuthAlgKeyLen
;
1744 IkeSaSession
->IkeKeys
->SkPiKey
,
1745 OutputKey
+ AuthAlgKeyLen
+ 2 * IntegrityAlgKeyLen
+ 2 * EncryptAlgKeyLen
,
1750 OutputKey
+ AuthAlgKeyLen
+ 2 * IntegrityAlgKeyLen
+ 2 * EncryptAlgKeyLen
,
1757 IkeSaSession
->IkeKeys
->SkPrKey
= AllocateZeroPool (AuthAlgKeyLen
);
1758 if (IkeSaSession
->IkeKeys
->SkPrKey
== NULL
) {
1759 Status
= EFI_OUT_OF_RESOURCES
;
1762 IkeSaSession
->IkeKeys
->SkPrKeySize
= AuthAlgKeyLen
;
1765 IkeSaSession
->IkeKeys
->SkPrKey
,
1766 OutputKey
+ AuthAlgKeyLen
+ 2 * IntegrityAlgKeyLen
+ 2 * EncryptAlgKeyLen
+ AuthAlgKeyLen
,
1771 OutputKey
+ AuthAlgKeyLen
+ 2 * IntegrityAlgKeyLen
+ 2 * EncryptAlgKeyLen
+ AuthAlgKeyLen
,
1777 if (Digest
!= NULL
) {
1780 if (KeyBuffer
!= NULL
) {
1781 FreePool (KeyBuffer
);
1783 if (OutputKey
!= NULL
) {
1784 FreePool (OutputKey
);
1787 if (EFI_ERROR(Status
)) {
1788 if (IkeSaSession
->IkeKeys
->SkdKey
!= NULL
) {
1789 FreePool (IkeSaSession
->IkeKeys
->SkdKey
);
1791 if (IkeSaSession
->IkeKeys
->SkAiKey
!= NULL
) {
1792 FreePool (IkeSaSession
->IkeKeys
->SkAiKey
);
1794 if (IkeSaSession
->IkeKeys
->SkArKey
!= NULL
) {
1795 FreePool (IkeSaSession
->IkeKeys
->SkArKey
);
1797 if (IkeSaSession
->IkeKeys
->SkEiKey
!= NULL
) {
1798 FreePool (IkeSaSession
->IkeKeys
->SkEiKey
);
1800 if (IkeSaSession
->IkeKeys
->SkErKey
!= NULL
) {
1801 FreePool (IkeSaSession
->IkeKeys
->SkErKey
);
1803 if (IkeSaSession
->IkeKeys
->SkPiKey
!= NULL
) {
1804 FreePool (IkeSaSession
->IkeKeys
->SkPiKey
);
1806 if (IkeSaSession
->IkeKeys
->SkPrKey
!= NULL
) {
1807 FreePool (IkeSaSession
->IkeKeys
->SkPrKey
);
1816 Generates the Keys for the furthure IPsec Protocol.
1818 @param[in] ChildSaSession Pointer to IKE Child SA Session.
1819 @param[in] KePayload Pointer to Key payload used to generate the Key.
1821 @retval EFI_UNSUPPORTED If one or more Algorithm Id is not supported.
1822 @retval EFI_SUCCESS The operation succeeded.
1826 Ikev2GenerateChildSaKeys (
1827 IN IKEV2_CHILD_SA_SESSION
*ChildSaSession
,
1828 IN IKE_PAYLOAD
*KePayload
1832 IKEV2_SA_PARAMS
*SaParams
;
1833 PRF_DATA_FRAGMENT Fragments
[3];
1834 UINTN EncryptAlgKeyLen
;
1835 UINTN IntegrityAlgKeyLen
;
1837 UINTN OutputKeyLength
;
1839 Status
= EFI_SUCCESS
;
1842 if (KePayload
!= NULL
) {
1846 Ikev2GenerateSaDhComputeKey (ChildSaSession
->DhBuffer
, KePayload
);
1847 Fragments
[0].Data
= ChildSaSession
->DhBuffer
->GxyBuffer
;
1848 Fragments
[0].DataSize
= ChildSaSession
->DhBuffer
->GxySize
;
1851 Fragments
[1].Data
= ChildSaSession
->NiBlock
;
1852 Fragments
[1].DataSize
= ChildSaSession
->NiBlkSize
;
1853 Fragments
[2].Data
= ChildSaSession
->NrBlock
;
1854 Fragments
[2].DataSize
= ChildSaSession
->NrBlkSize
;
1857 // Get the key length of Authenticaion, Encryption, PRF, and Integrity.
1859 SaParams
= ChildSaSession
->SessionCommon
.SaParams
;
1860 EncryptAlgKeyLen
= IpSecGetEncryptKeyLength ((UINT8
)SaParams
->EncAlgId
);
1861 IntegrityAlgKeyLen
= IpSecGetHmacDigestLength ((UINT8
)SaParams
->IntegAlgId
);
1862 OutputKeyLength
= 2 * EncryptAlgKeyLen
+ 2 * IntegrityAlgKeyLen
;
1864 if ((EncryptAlgKeyLen
== 0) || (IntegrityAlgKeyLen
== 0)) {
1865 Status
= EFI_UNSUPPORTED
;
1871 // If KePayload is not NULL, calculate KEYMAT = prf+(SK_d, g^ir (new) | Ni | Nr ),
1872 // otherwise, KEYMAT = prf+(SK_d, Ni | Nr )
1874 OutputKey
= AllocateZeroPool (OutputKeyLength
);
1875 if (OutputKey
== NULL
) {
1876 Status
= EFI_OUT_OF_RESOURCES
;
1881 // Derive Key from the SkdKey Buffer.
1883 Status
= Ikev2SaGenerateKey (
1884 (UINT8
)ChildSaSession
->IkeSaSession
->SessionCommon
.SaParams
->Prf
,
1885 ChildSaSession
->IkeSaSession
->IkeKeys
->SkdKey
,
1886 ChildSaSession
->IkeSaSession
->IkeKeys
->SkdKeySize
,
1889 KePayload
== NULL
? &Fragments
[1] : Fragments
,
1890 KePayload
== NULL
? 2 : 3
1893 if (EFI_ERROR (Status
)) {
1898 // Copy KEYMATE (SK_ENCRYPT_i | SK_ENCRYPT_r | SK_INTEG_i | SK_INTEG_r) to
1901 if (!ChildSaSession
->SessionCommon
.IsInitiator
) {
1904 // Initiator Encryption Key
1906 ChildSaSession
->ChildKeymats
.LocalPeerInfo
.EspAlgoInfo
.EncAlgoId
= (UINT8
)SaParams
->EncAlgId
;
1907 ChildSaSession
->ChildKeymats
.LocalPeerInfo
.EspAlgoInfo
.EncKeyLength
= EncryptAlgKeyLen
;
1908 ChildSaSession
->ChildKeymats
.LocalPeerInfo
.EspAlgoInfo
.EncKey
= AllocateZeroPool (EncryptAlgKeyLen
);
1909 if (ChildSaSession
->ChildKeymats
.LocalPeerInfo
.EspAlgoInfo
.EncKey
== NULL
) {
1910 Status
= EFI_OUT_OF_RESOURCES
;
1915 ChildSaSession
->ChildKeymats
.LocalPeerInfo
.EspAlgoInfo
.EncKey
,
1921 // Initiator Authentication Key
1923 ChildSaSession
->ChildKeymats
.LocalPeerInfo
.EspAlgoInfo
.AuthAlgoId
= (UINT8
)SaParams
->IntegAlgId
;
1924 ChildSaSession
->ChildKeymats
.LocalPeerInfo
.EspAlgoInfo
.AuthKeyLength
= IntegrityAlgKeyLen
;
1925 ChildSaSession
->ChildKeymats
.LocalPeerInfo
.EspAlgoInfo
.AuthKey
= AllocateZeroPool (IntegrityAlgKeyLen
);
1926 if (ChildSaSession
->ChildKeymats
.LocalPeerInfo
.EspAlgoInfo
.AuthKey
== NULL
) {
1927 Status
= EFI_OUT_OF_RESOURCES
;
1932 ChildSaSession
->ChildKeymats
.LocalPeerInfo
.EspAlgoInfo
.AuthKey
,
1933 OutputKey
+ EncryptAlgKeyLen
,
1938 // Responder Encrypt Key
1940 ChildSaSession
->ChildKeymats
.RemotePeerInfo
.EspAlgoInfo
.EncAlgoId
= (UINT8
)SaParams
->EncAlgId
;
1941 ChildSaSession
->ChildKeymats
.RemotePeerInfo
.EspAlgoInfo
.EncKeyLength
= EncryptAlgKeyLen
;
1942 ChildSaSession
->ChildKeymats
.RemotePeerInfo
.EspAlgoInfo
.EncKey
= AllocateZeroPool (EncryptAlgKeyLen
);
1943 if (ChildSaSession
->ChildKeymats
.RemotePeerInfo
.EspAlgoInfo
.EncKey
== NULL
) {
1944 Status
= EFI_OUT_OF_RESOURCES
;
1949 ChildSaSession
->ChildKeymats
.RemotePeerInfo
.EspAlgoInfo
.EncKey
,
1950 OutputKey
+ EncryptAlgKeyLen
+ IntegrityAlgKeyLen
,
1955 // Responder Authentication Key
1957 ChildSaSession
->ChildKeymats
.RemotePeerInfo
.EspAlgoInfo
.AuthAlgoId
= (UINT8
)SaParams
->IntegAlgId
;
1958 ChildSaSession
->ChildKeymats
.RemotePeerInfo
.EspAlgoInfo
.AuthKeyLength
= IntegrityAlgKeyLen
;
1959 ChildSaSession
->ChildKeymats
.RemotePeerInfo
.EspAlgoInfo
.AuthKey
= AllocateZeroPool (IntegrityAlgKeyLen
);
1960 if (ChildSaSession
->ChildKeymats
.RemotePeerInfo
.EspAlgoInfo
.AuthKey
== NULL
) {
1961 Status
= EFI_OUT_OF_RESOURCES
;
1966 ChildSaSession
->ChildKeymats
.RemotePeerInfo
.EspAlgoInfo
.AuthKey
,
1967 OutputKey
+ 2 * EncryptAlgKeyLen
+ IntegrityAlgKeyLen
,
1972 // Initiator Encryption Key
1974 ChildSaSession
->ChildKeymats
.RemotePeerInfo
.EspAlgoInfo
.EncAlgoId
= (UINT8
)SaParams
->EncAlgId
;
1975 ChildSaSession
->ChildKeymats
.RemotePeerInfo
.EspAlgoInfo
.EncKeyLength
= EncryptAlgKeyLen
;
1976 ChildSaSession
->ChildKeymats
.RemotePeerInfo
.EspAlgoInfo
.EncKey
= AllocateZeroPool (EncryptAlgKeyLen
);
1977 if (ChildSaSession
->ChildKeymats
.RemotePeerInfo
.EspAlgoInfo
.EncKey
== NULL
) {
1978 Status
= EFI_OUT_OF_RESOURCES
;
1983 ChildSaSession
->ChildKeymats
.RemotePeerInfo
.EspAlgoInfo
.EncKey
,
1989 // Initiator Authentication Key
1991 ChildSaSession
->ChildKeymats
.RemotePeerInfo
.EspAlgoInfo
.AuthAlgoId
= (UINT8
)SaParams
->IntegAlgId
;
1992 ChildSaSession
->ChildKeymats
.RemotePeerInfo
.EspAlgoInfo
.AuthKeyLength
= IntegrityAlgKeyLen
;
1993 ChildSaSession
->ChildKeymats
.RemotePeerInfo
.EspAlgoInfo
.AuthKey
= AllocateZeroPool (IntegrityAlgKeyLen
);
1994 if (ChildSaSession
->ChildKeymats
.RemotePeerInfo
.EspAlgoInfo
.AuthKey
== NULL
) {
1995 Status
= EFI_OUT_OF_RESOURCES
;
2000 ChildSaSession
->ChildKeymats
.RemotePeerInfo
.EspAlgoInfo
.AuthKey
,
2001 OutputKey
+ EncryptAlgKeyLen
,
2006 // Responder Encryption Key
2008 ChildSaSession
->ChildKeymats
.LocalPeerInfo
.EspAlgoInfo
.EncAlgoId
= (UINT8
)SaParams
->EncAlgId
;
2009 ChildSaSession
->ChildKeymats
.LocalPeerInfo
.EspAlgoInfo
.EncKeyLength
= EncryptAlgKeyLen
;
2010 ChildSaSession
->ChildKeymats
.LocalPeerInfo
.EspAlgoInfo
.EncKey
= AllocateZeroPool (EncryptAlgKeyLen
);
2011 if (ChildSaSession
->ChildKeymats
.LocalPeerInfo
.EspAlgoInfo
.EncKey
== NULL
) {
2012 Status
= EFI_OUT_OF_RESOURCES
;
2017 ChildSaSession
->ChildKeymats
.LocalPeerInfo
.EspAlgoInfo
.EncKey
,
2018 OutputKey
+ EncryptAlgKeyLen
+ IntegrityAlgKeyLen
,
2023 // Responder Authentication Key
2025 ChildSaSession
->ChildKeymats
.LocalPeerInfo
.EspAlgoInfo
.AuthAlgoId
= (UINT8
)SaParams
->IntegAlgId
;
2026 ChildSaSession
->ChildKeymats
.LocalPeerInfo
.EspAlgoInfo
.AuthKeyLength
= IntegrityAlgKeyLen
;
2027 ChildSaSession
->ChildKeymats
.LocalPeerInfo
.EspAlgoInfo
.AuthKey
= AllocateZeroPool (IntegrityAlgKeyLen
);
2028 if (ChildSaSession
->ChildKeymats
.LocalPeerInfo
.EspAlgoInfo
.AuthKey
== NULL
) {
2029 Status
= EFI_OUT_OF_RESOURCES
;
2034 ChildSaSession
->ChildKeymats
.LocalPeerInfo
.EspAlgoInfo
.AuthKey
,
2035 OutputKey
+ 2 * EncryptAlgKeyLen
+ IntegrityAlgKeyLen
,
2041 " >>> Local Encryption Key",
2042 ChildSaSession
->ChildKeymats
.LocalPeerInfo
.EspAlgoInfo
.EncKey
,
2046 " >>> Remote Encryption Key",
2047 ChildSaSession
->ChildKeymats
.RemotePeerInfo
.EspAlgoInfo
.EncKey
,
2051 " >>> Local Authentication Key",
2052 ChildSaSession
->ChildKeymats
.LocalPeerInfo
.EspAlgoInfo
.AuthKey
,
2056 " >>> Remote Authentication Key",
2057 ChildSaSession
->ChildKeymats
.RemotePeerInfo
.EspAlgoInfo
.AuthKey
,
2064 if (EFI_ERROR (Status
)) {
2065 if (ChildSaSession
->ChildKeymats
.LocalPeerInfo
.EspAlgoInfo
.EncKey
!= NULL
) {
2066 FreePool (ChildSaSession
->ChildKeymats
.LocalPeerInfo
.EspAlgoInfo
.EncKey
);
2068 if (ChildSaSession
->ChildKeymats
.LocalPeerInfo
.EspAlgoInfo
.AuthKey
!= NULL
) {
2069 FreePool (ChildSaSession
->ChildKeymats
.LocalPeerInfo
.EspAlgoInfo
.AuthKey
);
2071 if (ChildSaSession
->ChildKeymats
.RemotePeerInfo
.EspAlgoInfo
.EncKey
!= NULL
) {
2072 FreePool (ChildSaSession
->ChildKeymats
.RemotePeerInfo
.EspAlgoInfo
.EncKey
);
2074 if (ChildSaSession
->ChildKeymats
.RemotePeerInfo
.EspAlgoInfo
.AuthKey
!= NULL
) {
2075 FreePool (ChildSaSession
->ChildKeymats
.RemotePeerInfo
.EspAlgoInfo
.AuthKey
);
2079 if (OutputKey
!= NULL
) {
2080 FreePool (OutputKey
);
2086 GLOBAL_REMOVE_IF_UNREFERENCED IKEV2_PACKET_HANDLER mIkev2Initial
[][2] = {
2090 Ikev2InitPskGenerator
2094 Ikev2AuthPskGenerator
2099 Ikev2InitCertParser
,
2100 Ikev2InitCertGenerator
2103 Ikev2AuthCertParser
,
2104 Ikev2AuthCertGenerator