2 The Common operations used by IKE Exchange Process.
4 Copyright (c) 2010 - 2014, Intel Corporation. All rights reserved.<BR>
6 This program and the accompanying materials
7 are licensed and made available under the terms and conditions of the BSD License
8 which accompanies this distribution. The full text of the license may be found at
9 http://opensource.org/licenses/bsd-license.php.
11 THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
12 WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
17 #include "IpSecDebug.h"
18 #include "IkeService.h"
19 #include "IpSecConfigImpl.h"
21 UINT16 mIkev2EncryptAlgorithmList
[IKEV2_SUPPORT_ENCRYPT_ALGORITHM_NUM
] = {
22 IKEV2_TRANSFORM_ID_ENCR_3DES
,
23 IKEV2_TRANSFORM_ID_ENCR_AES_CBC
,
26 UINT16 mIkev2PrfAlgorithmList
[IKEV2_SUPPORT_PRF_ALGORITHM_NUM
] = {
27 IKEV2_TRANSFORM_ID_PRF_HMAC_SHA1
,
30 UINT16 mIkev2DhGroupAlgorithmList
[IKEV2_SUPPORT_DH_ALGORITHM_NUM
] = {
31 IKEV2_TRANSFORM_ID_DH_1024MODP
,
32 IKEV2_TRANSFORM_ID_DH_2048MODP
,
35 UINT16 mIkev2AuthAlgorithmList
[IKEV2_SUPPORT_AUTH_ALGORITHM_NUM
] = {
36 IKEV2_TRANSFORM_ID_AUTH_HMAC_SHA1_96
,
40 Allocate buffer for IKEV2_SA_SESSION and initialize it.
42 @param[in] Private Pointer to IPSEC_PRIVATE_DATA.
43 @param[in] UdpService Pointer to IKE_UDP_SERVICE related to this IKE SA Session.
45 @return Pointer to IKEV2_SA_SESSION or NULL.
50 IN IPSEC_PRIVATE_DATA
*Private
,
51 IN IKE_UDP_SERVICE
*UdpService
55 IKEV2_SESSION_COMMON
*SessionCommon
;
56 IKEV2_SA_SESSION
*IkeSaSession
;
58 IkeSaSession
= AllocateZeroPool (sizeof (IKEV2_SA_SESSION
));
59 ASSERT (IkeSaSession
!= NULL
);
62 // Initialize the fields of IkeSaSession and its SessionCommon.
64 IkeSaSession
->NCookie
= NULL
;
65 IkeSaSession
->Signature
= IKEV2_SA_SESSION_SIGNATURE
;
66 IkeSaSession
->InitiatorCookie
= IkeGenerateCookie ();
67 IkeSaSession
->ResponderCookie
= 0;
69 // BUGBUG: Message ID starts from 2 is to match the OpenSwan requirement, but it
70 // might not match the IPv6 Logo. In its test specification, it mentions that
71 // the Message ID should start from zero after the IKE_SA_INIT exchange.
73 IkeSaSession
->MessageId
= 2;
74 SessionCommon
= &IkeSaSession
->SessionCommon
;
75 SessionCommon
->UdpService
= UdpService
;
76 SessionCommon
->Private
= Private
;
77 SessionCommon
->IkeSessionType
= IkeSessionTypeIkeSa
;
78 SessionCommon
->IkeVer
= 2;
79 SessionCommon
->AfterEncodePayload
= NULL
;
80 SessionCommon
->BeforeDecodePayload
= NULL
;
83 // Create a resend notfiy event for retry.
85 Status
= gBS
->CreateEvent (
86 EVT_TIMER
| EVT_NOTIFY_SIGNAL
,
90 &SessionCommon
->TimeoutEvent
93 if (EFI_ERROR (Status
)) {
94 FreePool (IkeSaSession
);
99 // Initialize the lists in IkeSaSession.
101 InitializeListHead (&IkeSaSession
->ChildSaSessionList
);
102 InitializeListHead (&IkeSaSession
->ChildSaEstablishSessionList
);
103 InitializeListHead (&IkeSaSession
->InfoMIDList
);
104 InitializeListHead (&IkeSaSession
->DeleteSaList
);
110 Register the established IKEv2 SA into Private->Ikev2EstablishedList. If there is
111 IKEV2_SA_SESSION with same remote peer IP, remove the old one then register the
114 @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION to be registered.
115 @param[in] Private Pointer to IPSEC_PRAVATE_DATA.
120 IN IKEV2_SA_SESSION
*IkeSaSession
,
121 IN IPSEC_PRIVATE_DATA
*Private
124 IKEV2_SESSION_COMMON
*SessionCommon
;
125 IKEV2_SA_SESSION
*OldIkeSaSession
;
130 // Keep IKE SA exclusive to remote ip address.
132 SessionCommon
= &IkeSaSession
->SessionCommon
;
133 OldIkeSaSession
= Ikev2SaSessionRemove (&Private
->Ikev2EstablishedList
, &SessionCommon
->RemotePeerIp
);
134 if (OldIkeSaSession
!= NULL
) {
136 // TODO: It should delete all child SAs if rekey the IKE SA.
138 Ikev2SaSessionFree (OldIkeSaSession
);
142 // Cleanup the fields of SessionCommon for processing.
144 Ikev2SessionCommonRefresh (SessionCommon
);
147 // Insert the ready IKE SA session into established list.
149 Ikev2SaSessionInsert (&Private
->Ikev2EstablishedList
, IkeSaSession
, &SessionCommon
->RemotePeerIp
);
152 // Create a notfiy event for the IKE SA life time counting.
154 Status
= gBS
->CreateEvent (
155 EVT_TIMER
| EVT_NOTIFY_SIGNAL
,
159 &SessionCommon
->TimeoutEvent
161 if (EFI_ERROR(Status
)){
163 // If TimerEvent creation failed, the SA will be alive untill user disable it or
164 // receiving a Delete Payload from peer.
170 // Start to count the lifetime of the IKE SA.
172 if (IkeSaSession
->Spd
->Data
->ProcessingPolicy
->SaLifetime
.HardLifetime
== 0) {
173 Lifetime
= IKE_SA_DEFAULT_LIFETIME
;
175 Lifetime
= IkeSaSession
->Spd
->Data
->ProcessingPolicy
->SaLifetime
.HardLifetime
;
178 Status
= gBS
->SetTimer (
179 SessionCommon
->TimeoutEvent
,
181 MultU64x32(Lifetime
, 10000000) // ms->100ns
183 if (EFI_ERROR(Status
)){
185 // If SetTimer failed, the SA will be alive untill user disable it or
186 // receiving a Delete Payload from peer.
193 "\n------IkeSa established and start to count down %d seconds lifetime\n",
201 Find a IKEV2_SA_SESSION by the remote peer IP.
203 @param[in] SaSessionList SaSession List to be searched.
204 @param[in] RemotePeerIp Pointer to specified IP address.
206 @return Pointer to IKEV2_SA_SESSION if find one or NULL.
210 Ikev2SaSessionLookup (
211 IN LIST_ENTRY
*SaSessionList
,
212 IN EFI_IP_ADDRESS
*RemotePeerIp
216 IKEV2_SA_SESSION
*IkeSaSession
;
218 NET_LIST_FOR_EACH (Entry
, SaSessionList
) {
219 IkeSaSession
= IKEV2_SA_SESSION_BY_SESSION (Entry
);
222 &IkeSaSession
->SessionCommon
.RemotePeerIp
,
224 sizeof (EFI_IP_ADDRESS
)
235 Insert a IKE_SA_SESSION into IkeSaSession list. The IkeSaSession list is either
236 Private->Ikev2SaSession list or Private->Ikev2EstablishedList list.
238 @param[in] SaSessionList Pointer to list to be inserted into.
239 @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION to be inserted.
240 @param[in] RemotePeerIp Pointer to EFI_IP_ADDRESSS to indicate the
241 unique IKEV2_SA_SESSION.
245 Ikev2SaSessionInsert (
246 IN LIST_ENTRY
*SaSessionList
,
247 IN IKEV2_SA_SESSION
*IkeSaSession
,
248 IN EFI_IP_ADDRESS
*RemotePeerIp
251 Ikev2SaSessionRemove (SaSessionList
, RemotePeerIp
);
252 InsertTailList (SaSessionList
, &IkeSaSession
->BySessionTable
);
256 Remove the SA Session by Remote Peer IP.
258 @param[in] SaSessionList Pointer to list to be searched.
259 @param[in] RemotePeerIp Pointer to EFI_IP_ADDRESS to use for SA Session search.
261 @retval Pointer to IKEV2_SA_SESSION with the specified remote IP address or NULL.
265 Ikev2SaSessionRemove (
266 IN LIST_ENTRY
*SaSessionList
,
267 IN EFI_IP_ADDRESS
*RemotePeerIp
271 IKEV2_SA_SESSION
*IkeSaSession
;
273 NET_LIST_FOR_EACH (Entry
, SaSessionList
) {
274 IkeSaSession
= IKEV2_SA_SESSION_BY_SESSION (Entry
);
277 &IkeSaSession
->SessionCommon
.RemotePeerIp
,
279 sizeof (EFI_IP_ADDRESS
)
282 RemoveEntryList (Entry
);
291 Marking a SA session as on deleting.
293 @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION.
295 @retval EFI_SUCCESS Find the related SA session and marked it.
299 Ikev2SaSessionOnDeleting (
300 IN IKEV2_SA_SESSION
*IkeSaSession
307 Free specified Seession Common. The session common would belong to a IKE SA or
310 @param[in] SessionCommon Pointer to a Session Common.
314 Ikev2SaSessionCommonFree (
315 IN IKEV2_SESSION_COMMON
*SessionCommon
319 ASSERT (SessionCommon
!= NULL
);
321 if (SessionCommon
->LastSentPacket
!= NULL
) {
322 IkePacketFree (SessionCommon
->LastSentPacket
);
325 if (SessionCommon
->SaParams
!= NULL
) {
326 FreePool (SessionCommon
->SaParams
);
328 if (SessionCommon
->TimeoutEvent
!= NULL
) {
329 gBS
->CloseEvent (SessionCommon
->TimeoutEvent
);
334 After IKE/Child SA is estiblished, close the time event and free sent packet.
336 @param[in] SessionCommon Pointer to a Session Common.
340 Ikev2SessionCommonRefresh (
341 IN IKEV2_SESSION_COMMON
*SessionCommon
344 ASSERT (SessionCommon
!= NULL
);
346 gBS
->CloseEvent (SessionCommon
->TimeoutEvent
);
347 SessionCommon
->TimeoutEvent
= NULL
;
348 SessionCommon
->TimeoutInterval
= 0;
349 SessionCommon
->RetryCount
= 0;
350 if (SessionCommon
->LastSentPacket
!= NULL
) {
351 IkePacketFree (SessionCommon
->LastSentPacket
);
352 SessionCommon
->LastSentPacket
= NULL
;
358 Free specified IKEV2 SA Session.
360 @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION to be freed.
365 IN IKEV2_SA_SESSION
*IkeSaSession
368 IKEV2_SESSION_KEYS
*IkeKeys
;
370 IKEV2_CHILD_SA_SESSION
*ChildSa
;
371 IKEV2_DH_BUFFER
*DhBuffer
;
373 ASSERT (IkeSaSession
!= NULL
);
376 // Delete Common Session
378 Ikev2SaSessionCommonFree (&IkeSaSession
->SessionCommon
);
381 // Delete ChildSaEstablish List and SAD
383 for (Entry
= IkeSaSession
->ChildSaEstablishSessionList
.ForwardLink
;
384 Entry
!= &IkeSaSession
->ChildSaEstablishSessionList
;
387 ChildSa
= IKEV2_CHILD_SA_SESSION_BY_IKE_SA (Entry
);
388 Entry
= Entry
->ForwardLink
;
389 Ikev2ChildSaSilentDelete (ChildSa
->IkeSaSession
, ChildSa
->LocalPeerSpi
);
394 // Delete ChildSaSessionList
396 for ( Entry
= IkeSaSession
->ChildSaSessionList
.ForwardLink
;
397 Entry
!= &IkeSaSession
->ChildSaSessionList
;
399 ChildSa
= IKEV2_CHILD_SA_SESSION_BY_IKE_SA (Entry
);
400 Entry
= Entry
->ForwardLink
;
401 RemoveEntryList (Entry
->BackLink
);
402 Ikev2ChildSaSessionFree (ChildSa
);
406 // Delete DhBuffer and Keys
408 if (IkeSaSession
->IkeKeys
!= NULL
) {
409 IkeKeys
= IkeSaSession
->IkeKeys
;
410 DhBuffer
= IkeKeys
->DhBuffer
;
415 Ikev2DhBufferFree (DhBuffer
);
420 if (IkeKeys
->SkAiKey
!= NULL
) {
421 FreePool (IkeKeys
->SkAiKey
);
423 if (IkeKeys
->SkArKey
!= NULL
) {
424 FreePool (IkeKeys
->SkArKey
);
426 if (IkeKeys
->SkdKey
!= NULL
) {
427 FreePool (IkeKeys
->SkdKey
);
429 if (IkeKeys
->SkEiKey
!= NULL
) {
430 FreePool (IkeKeys
->SkEiKey
);
432 if (IkeKeys
->SkErKey
!= NULL
) {
433 FreePool (IkeKeys
->SkErKey
);
435 if (IkeKeys
->SkPiKey
!= NULL
) {
436 FreePool (IkeKeys
->SkPiKey
);
438 if (IkeKeys
->SkPrKey
!= NULL
) {
439 FreePool (IkeKeys
->SkPrKey
);
444 if (IkeSaSession
->SaData
!= NULL
) {
445 FreePool (IkeSaSession
->SaData
);
448 if (IkeSaSession
->NiBlock
!= NULL
) {
449 FreePool (IkeSaSession
->NiBlock
);
452 if (IkeSaSession
->NrBlock
!= NULL
) {
453 FreePool (IkeSaSession
->NrBlock
);
456 if (IkeSaSession
->NCookie
!= NULL
) {
457 FreePool (IkeSaSession
->NCookie
);
460 if (IkeSaSession
->InitPacket
!= NULL
) {
461 FreePool (IkeSaSession
->InitPacket
);
464 if (IkeSaSession
->RespPacket
!= NULL
) {
465 FreePool (IkeSaSession
->RespPacket
);
468 FreePool (IkeSaSession
);
474 Increase the MessageID in IkeSaSession.
476 @param[in] IkeSaSession Pointer to a specified IKEV2_SA_SESSION.
480 Ikev2SaSessionIncreaseMessageId (
481 IN IKEV2_SA_SESSION
*IkeSaSession
484 if (IkeSaSession
->MessageId
< 0xffffffff) {
485 IkeSaSession
->MessageId
++;
488 // TODO: Trigger Rekey process.
494 Allocate memory for IKEV2 Child SA Session.
496 @param[in] UdpService Pointer to IKE_UDP_SERVICE.
497 @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION related to this Child SA
500 @retval Pointer of a new created IKEV2 Child SA Session or NULL.
503 IKEV2_CHILD_SA_SESSION
*
504 Ikev2ChildSaSessionAlloc (
505 IN IKE_UDP_SERVICE
*UdpService
,
506 IN IKEV2_SA_SESSION
*IkeSaSession
510 IKEV2_CHILD_SA_SESSION
*ChildSaSession
;
511 IKEV2_SESSION_COMMON
*ChildSaCommon
;
512 IKEV2_SESSION_COMMON
*SaCommon
;
514 ChildSaSession
= AllocateZeroPool (sizeof (IKEV2_CHILD_SA_SESSION
));
515 if (ChildSaSession
== NULL
) {
520 // Initialize the fields of ChildSaSession and its SessionCommon.
522 ChildSaSession
->Signature
= IKEV2_CHILD_SA_SESSION_SIGNATURE
;
523 ChildSaSession
->IkeSaSession
= IkeSaSession
;
524 ChildSaSession
->MessageId
= IkeSaSession
->MessageId
;
525 ChildSaSession
->LocalPeerSpi
= IkeGenerateSpi ();
526 ChildSaCommon
= &ChildSaSession
->SessionCommon
;
527 ChildSaCommon
->UdpService
= UdpService
;
528 ChildSaCommon
->Private
= IkeSaSession
->SessionCommon
.Private
;
529 ChildSaCommon
->IkeSessionType
= IkeSessionTypeChildSa
;
530 ChildSaCommon
->IkeVer
= 2;
531 ChildSaCommon
->AfterEncodePayload
= Ikev2ChildSaAfterEncodePayload
;
532 ChildSaCommon
->BeforeDecodePayload
= Ikev2ChildSaBeforeDecodePayload
;
533 SaCommon
= &ChildSaSession
->IkeSaSession
->SessionCommon
;
536 // Create a resend notfiy event for retry.
538 Status
= gBS
->CreateEvent (
539 EVT_TIMER
| EVT_NOTIFY_SIGNAL
,
543 &ChildSaCommon
->TimeoutEvent
545 if (EFI_ERROR (Status
)) {
546 FreePool (ChildSaSession
);
550 CopyMem (&ChildSaCommon
->LocalPeerIp
, &SaCommon
->LocalPeerIp
, sizeof (EFI_IP_ADDRESS
));
551 CopyMem (&ChildSaCommon
->RemotePeerIp
, &SaCommon
->RemotePeerIp
, sizeof (EFI_IP_ADDRESS
));
553 return ChildSaSession
;
557 Register a established IKEv2 Child SA into IkeSaSession->ChildSaEstablishSessionList.
558 If the there is IKEV2_CHILD_SA_SESSION with same remote peer IP, remove the old one
559 then register the new one.
561 @param[in] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION to be registered.
562 @param[in] Private Pointer to IPSEC_PRAVATE_DATA.
566 Ikev2ChildSaSessionReg (
567 IN IKEV2_CHILD_SA_SESSION
*ChildSaSession
,
568 IN IPSEC_PRIVATE_DATA
*Private
571 IKEV2_SESSION_COMMON
*SessionCommon
;
572 IKEV2_CHILD_SA_SESSION
*OldChildSaSession
;
573 IKEV2_SA_SESSION
*IkeSaSession
;
574 IKEV2_SA_PARAMS
*SaParams
;
579 // Keep the IKE SA exclusive.
581 SessionCommon
= &ChildSaSession
->SessionCommon
;
582 IkeSaSession
= ChildSaSession
->IkeSaSession
;
583 OldChildSaSession
= Ikev2ChildSaSessionRemove (
584 &IkeSaSession
->ChildSaEstablishSessionList
,
585 ChildSaSession
->LocalPeerSpi
,
586 IKEV2_ESTABLISHED_CHILDSA_LIST
588 if (OldChildSaSession
!= NULL
) {
592 Ikev2ChildSaSessionFree (OldChildSaSession
);
596 // Store the ready child SA into SAD.
598 Ikev2StoreSaData (ChildSaSession
);
601 // Cleanup the fields of SessionCommon for processing.
603 Ikev2SessionCommonRefresh (SessionCommon
);
606 // Insert the ready child SA session into established list.
608 Ikev2ChildSaSessionInsert (&IkeSaSession
->ChildSaEstablishSessionList
, ChildSaSession
);
611 // Create a Notify event for the IKE SA life time counting.
613 Status
= gBS
->CreateEvent (
614 EVT_TIMER
| EVT_NOTIFY_SIGNAL
,
618 &SessionCommon
->TimeoutEvent
620 if (EFI_ERROR(Status
)){
625 // Start to count the lifetime of the IKE SA.
627 SaParams
= SessionCommon
->SaParams
;
628 if (ChildSaSession
->Spd
->Data
->ProcessingPolicy
->SaLifetime
.HardLifetime
!= 0){
629 Lifetime
= ChildSaSession
->Spd
->Data
->ProcessingPolicy
->SaLifetime
.HardLifetime
;
631 Lifetime
= CHILD_SA_DEFAULT_LIFETIME
;
634 Status
= gBS
->SetTimer (
635 SessionCommon
->TimeoutEvent
,
637 MultU64x32(Lifetime
, 10000000) // ms->100ns
639 if (EFI_ERROR(Status
)){
645 "\n------ChildSa established and start to count down %d seconds lifetime\n",
653 Find the ChildSaSession by it's MessagId.
655 @param[in] SaSessionList Pointer to a ChildSaSession List.
656 @param[in] Mid The messageId used to search ChildSaSession.
658 @return Pointer to IKEV2_CHILD_SA_SESSION or NULL.
661 IKEV2_CHILD_SA_SESSION
*
662 Ikev2ChildSaSessionLookupByMid (
663 IN LIST_ENTRY
*SaSessionList
,
668 IKEV2_CHILD_SA_SESSION
*ChildSaSession
;
670 NET_LIST_FOR_EACH (Entry
, SaSessionList
) {
671 ChildSaSession
= IKEV2_CHILD_SA_SESSION_BY_IKE_SA (Entry
);
673 if (ChildSaSession
->MessageId
== Mid
) {
674 return ChildSaSession
;
681 This function find the Child SA by the specified SPI.
683 This functin find a ChildSA session by searching the ChildSaSessionlist of
684 the input IKEV2_SA_SESSION by specified MessageID.
686 @param[in] SaSessionList Pointer to List to be searched.
687 @param[in] Spi Specified SPI.
689 @return Pointer to IKEV2_CHILD_SA_SESSION or NULL.
692 IKEV2_CHILD_SA_SESSION
*
693 Ikev2ChildSaSessionLookupBySpi (
694 IN LIST_ENTRY
*SaSessionList
,
699 IKEV2_CHILD_SA_SESSION
*ChildSaSession
;
701 NET_LIST_FOR_EACH (Entry
, SaSessionList
) {
702 ChildSaSession
= IKEV2_CHILD_SA_SESSION_BY_IKE_SA (Entry
);
704 if (ChildSaSession
->RemotePeerSpi
== Spi
|| ChildSaSession
->LocalPeerSpi
== Spi
) {
705 return ChildSaSession
;
713 Insert a Child SA Session into the specified ChildSa list.
715 @param[in] SaSessionList Pointer to list to be inserted in.
716 @param[in] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION to be inserted.
720 Ikev2ChildSaSessionInsert (
721 IN LIST_ENTRY
*SaSessionList
,
722 IN IKEV2_CHILD_SA_SESSION
*ChildSaSession
725 InsertTailList (SaSessionList
, &ChildSaSession
->ByIkeSa
);
729 Remove the IKEV2_CHILD_SA_SESSION from IkeSaSessionList.
731 @param[in] SaSessionList The SA Session List to be iterated.
732 @param[in] Spi Spi used to identified the IKEV2_CHILD_SA_SESSION.
733 @param[in] ListType The type of the List to indicate whether it is a
736 @return The point to IKEV2_CHILD_SA_SESSION or NULL.
739 IKEV2_CHILD_SA_SESSION
*
740 Ikev2ChildSaSessionRemove (
741 IN LIST_ENTRY
*SaSessionList
,
747 LIST_ENTRY
*NextEntry
;
748 IKEV2_CHILD_SA_SESSION
*ChildSaSession
;
750 NET_LIST_FOR_EACH_SAFE (Entry
, NextEntry
, SaSessionList
) {
752 if (ListType
== IKEV2_ESTABLISHED_CHILDSA_LIST
|| ListType
== IKEV2_ESTABLISHING_CHILDSA_LIST
) {
753 ChildSaSession
= IKEV2_CHILD_SA_SESSION_BY_IKE_SA (Entry
);
754 } else if (ListType
== IKEV2_DELET_CHILDSA_LIST
) {
755 ChildSaSession
= IKEV2_CHILD_SA_SESSION_BY_DEL_SA (Entry
);
760 if (ChildSaSession
->RemotePeerSpi
== Spi
|| ChildSaSession
->LocalPeerSpi
== Spi
) {
761 RemoveEntryList (Entry
);
762 return ChildSaSession
;
770 Mark a specified Child SA Session as on deleting.
772 @param[in] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION.
774 @retval EFI_SUCCESS Operation is successful.
778 Ikev2ChildSaSessionOnDeleting (
779 IN IKEV2_CHILD_SA_SESSION
*ChildSaSession
786 Free the memory located for the specified IKEV2_CHILD_SA_SESSION.
788 @param[in] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION.
792 Ikev2ChildSaSessionFree (
793 IN IKEV2_CHILD_SA_SESSION
*ChildSaSession
796 IKEV2_SESSION_COMMON
*SessionCommon
;
798 SessionCommon
= &ChildSaSession
->SessionCommon
;
799 if (ChildSaSession
->SaData
!= NULL
) {
800 FreePool (ChildSaSession
->SaData
);
803 if (ChildSaSession
->NiBlock
!= NULL
) {
804 FreePool (ChildSaSession
->NiBlock
);
807 if (ChildSaSession
->NrBlock
!= NULL
) {
808 FreePool (ChildSaSession
->NrBlock
);
811 if (ChildSaSession
->ChildKeymats
.LocalPeerInfo
.EspAlgoInfo
.AuthKey
!= NULL
) {
812 FreePool (ChildSaSession
->ChildKeymats
.LocalPeerInfo
.EspAlgoInfo
.AuthKey
);
815 if (ChildSaSession
->ChildKeymats
.LocalPeerInfo
.EspAlgoInfo
.EncKey
!= NULL
) {
816 FreePool (ChildSaSession
->ChildKeymats
.LocalPeerInfo
.EspAlgoInfo
.EncKey
);
819 if (ChildSaSession
->ChildKeymats
.RemotePeerInfo
.EspAlgoInfo
.AuthKey
!= NULL
) {
820 FreePool (ChildSaSession
->ChildKeymats
.RemotePeerInfo
.EspAlgoInfo
.AuthKey
);
823 if (ChildSaSession
->ChildKeymats
.RemotePeerInfo
.EspAlgoInfo
.EncKey
!= NULL
) {
824 FreePool (ChildSaSession
->ChildKeymats
.RemotePeerInfo
.EspAlgoInfo
.EncKey
);
830 Ikev2DhBufferFree (ChildSaSession
->DhBuffer
);
833 // Delete SpdSelector
835 if (ChildSaSession
->SpdSelector
!= NULL
) {
836 if (ChildSaSession
->SpdSelector
->LocalAddress
!= NULL
) {
837 FreePool (ChildSaSession
->SpdSelector
->LocalAddress
);
839 if (ChildSaSession
->SpdSelector
->RemoteAddress
!= NULL
) {
840 FreePool (ChildSaSession
->SpdSelector
->RemoteAddress
);
842 FreePool (ChildSaSession
->SpdSelector
);
844 Ikev2SaSessionCommonFree (SessionCommon
);
845 FreePool (ChildSaSession
);
851 Delete the specified established Child SA.
853 This function delete the Child SA directly and don't send the Information Packet to
856 @param[in] IkeSaSession Pointer to a IKE SA Session used to be searched for.
857 @param[in] Spi SPI used to find the Child SA.
859 @retval EFI_NOT_FOUND Pointer of IKE SA Session is NULL.
860 @retval EFI_NOT_FOUND There is no specified Child SA related with the input
861 SPI under this IKE SA Session.
862 @retval EFI_SUCCESS Delete the Child SA successfully.
866 Ikev2ChildSaSilentDelete (
867 IN IKEV2_SA_SESSION
*IkeSaSession
,
872 EFI_IPSEC_CONFIG_SELECTOR
*Selector
;
874 BOOLEAN IsLocalFound
;
875 BOOLEAN IsRemoteFound
;
878 IKEV2_CHILD_SA_SESSION
*ChildSession
;
879 EFI_IPSEC_CONFIG_SELECTOR
*LocalSelector
;
880 EFI_IPSEC_CONFIG_SELECTOR
*RemoteSelector
;
881 IKE_UDP_SERVICE
*UdpService
;
882 IPSEC_PRIVATE_DATA
*Private
;
884 if (IkeSaSession
== NULL
) {
885 return EFI_NOT_FOUND
;
888 IsLocalFound
= FALSE
;
889 IsRemoteFound
= FALSE
;
891 LocalSelector
= NULL
;
892 RemoteSelector
= NULL
;
893 UdpService
= IkeSaSession
->SessionCommon
.UdpService
;
895 Private
= (UdpService
->IpVersion
== IP_VERSION_4
) ?
896 IPSEC_PRIVATE_DATA_FROM_UDP4LIST(UdpService
->ListHead
) :
897 IPSEC_PRIVATE_DATA_FROM_UDP6LIST(UdpService
->ListHead
);
900 // Remove the Established SA from ChildSaEstablishlist.
902 ChildSession
= Ikev2ChildSaSessionRemove(
903 &(IkeSaSession
->ChildSaEstablishSessionList
),
905 IKEV2_ESTABLISHED_CHILDSA_LIST
907 if (ChildSession
== NULL
) {
908 return EFI_NOT_FOUND
;
911 LocalSpi
= ChildSession
->LocalPeerSpi
;
912 RemoteSpi
= ChildSession
->RemotePeerSpi
;
914 SelectorSize
= sizeof (EFI_IPSEC_CONFIG_SELECTOR
);
915 Selector
= AllocateZeroPool (SelectorSize
);
916 ASSERT (Selector
!= NULL
);
921 Status
= EfiIpSecConfigGetNextSelector (
922 &Private
->IpSecConfig
,
923 IPsecConfigDataTypeSad
,
927 if (Status
== EFI_BUFFER_TOO_SMALL
) {
930 Selector
= AllocateZeroPool (SelectorSize
);
931 ASSERT (Selector
!= NULL
);
932 Status
= EfiIpSecConfigGetNextSelector (
933 &Private
->IpSecConfig
,
934 IPsecConfigDataTypeSad
,
940 if (EFI_ERROR (Status
)) {
944 if (Selector
->SaId
.Spi
== RemoteSpi
) {
946 // SPI is unique. There is only one SAD whose SPI is
947 // same with RemoteSpi.
949 IsRemoteFound
= TRUE
;
950 RemoteSelector
= AllocateZeroPool (SelectorSize
);
951 ASSERT (RemoteSelector
!= NULL
);
952 CopyMem (RemoteSelector
, Selector
, SelectorSize
);
955 if (Selector
->SaId
.Spi
== LocalSpi
) {
957 // SPI is unique. There is only one SAD whose SPI is
958 // same with LocalSpi.
961 LocalSelector
= AllocateZeroPool (SelectorSize
);
962 ASSERT (LocalSelector
!= NULL
);
963 CopyMem (LocalSelector
, Selector
, SelectorSize
);
967 // Delete SA from the Variable.
970 Status
= EfiIpSecConfigSetData (
971 &Private
->IpSecConfig
,
972 IPsecConfigDataTypeSad
,
980 Status
= EfiIpSecConfigSetData (
981 &Private
->IpSecConfig
,
982 IPsecConfigDataTypeSad
,
992 "\n------IKEV2 deleted ChildSa(local spi, remote spi):(0x%x, 0x%x)------\n",
996 Ikev2ChildSaSessionFree (ChildSession
);
998 if (RemoteSelector
!= NULL
) {
999 FreePool (RemoteSelector
);
1002 if (LocalSelector
!= NULL
) {
1003 FreePool (LocalSelector
);
1006 if (Selector
!= NULL
) {
1007 FreePool (Selector
);
1014 Free the specified DhBuffer.
1016 @param[in] DhBuffer Pointer to IKEV2_DH_BUFFER to be freed.
1021 IKEV2_DH_BUFFER
*DhBuffer
1024 if (DhBuffer
!= NULL
) {
1025 if (DhBuffer
->GxBuffer
!= NULL
) {
1026 FreePool (DhBuffer
->GxBuffer
);
1028 if (DhBuffer
->GyBuffer
!= NULL
) {
1029 FreePool (DhBuffer
->GyBuffer
);
1031 if (DhBuffer
->GxyBuffer
!= NULL
) {
1032 FreePool (DhBuffer
->GxyBuffer
);
1034 if (DhBuffer
->DhContext
!= NULL
) {
1035 IpSecCryptoIoFreeDh (&DhBuffer
->DhContext
);
1037 FreePool (DhBuffer
);
1042 This function is to parse a request IKE packet and return its request type.
1043 The request type is one of IKE CHILD SA creation, IKE SA rekeying and
1044 IKE CHILD SA rekeying.
1046 @param[in] IkePacket IKE packet to be prased.
1048 return the type of the IKE packet.
1051 IKEV2_CREATE_CHILD_REQUEST_TYPE
1052 Ikev2ChildExchangeRequestType(
1053 IN IKE_PACKET
*IkePacket
1058 IKE_PAYLOAD
*IkePayload
;
1062 NET_LIST_FOR_EACH (Entry
, &(IkePacket
)->PayloadList
) {
1063 IkePayload
= IKE_PAYLOAD_BY_PACKET (Entry
);
1064 if (IkePayload
->PayloadType
== IKEV2_PAYLOAD_TYPE_TS_INIT
) {
1066 // Packet with Ts Payload means it is for either CHILD_SA_CREATE or CHILD_SA_REKEY.
1070 if (IkePayload
->PayloadType
== IKEV2_PAYLOAD_TYPE_NOTIFY
) {
1071 if (((IKEV2_NOTIFY
*)IkePayload
)->MessageType
== IKEV2_NOTIFICATION_REKEY_SA
) {
1073 // If notify payload with REKEY_SA message type, the IkePacket is for
1074 // rekeying Child SA.
1076 return IkeRequestTypeRekeyChildSa
;
1083 // The Create Child Exchange is for IKE SA rekeying.
1085 return IkeRequestTypeRekeyIkeSa
;
1088 // If the Notify payloaad with transport mode message type, the IkePacket is
1089 // for create Child SA.
1091 return IkeRequestTypeCreateChildSa
;
1096 Associate a SPD selector to the Child SA Session.
1098 This function is called when the Child SA is not the first child SA of its
1099 IKE SA. It associate a SPD to this Child SA.
1101 @param[in, out] ChildSaSession Pointer to the Child SA Session to be associated to
1104 @retval EFI_SUCCESS Associate one SPD selector to this Child SA Session successfully.
1105 @retval EFI_NOT_FOUND Can't find the related SPD selector.
1109 Ikev2ChildSaAssociateSpdEntry (
1110 IN OUT IKEV2_CHILD_SA_SESSION
*ChildSaSession
1113 IpSecVisitConfigData (IPsecConfigDataTypeSpd
, Ikev2MatchSpdEntry
, ChildSaSession
);
1114 if (ChildSaSession
->Spd
!= NULL
) {
1117 return EFI_NOT_FOUND
;
1123 This function finds the SPI from Create Child SA Exchange Packet.
1125 @param[in] IkePacket Pointer to IKE_PACKET to be searched.
1127 @retval SPI number or 0 if it is not supported.
1131 Ikev2ChildExchangeRekeySpi (
1132 IN IKE_PACKET
*IkePacket
1142 Validate the IKE header of received IKE packet.
1144 @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION related to this IKE packet.
1145 @param[in] IkeHdr Pointer to IKE header of received IKE packet.
1147 @retval TRUE If the IKE header is valid.
1148 @retval FALSE If the IKE header is invalid.
1152 Ikev2ValidateHeader (
1153 IN IKEV2_SA_SESSION
*IkeSaSession
,
1154 IN IKE_HEADER
*IkeHdr
1158 IKEV2_SESSION_STATE State
;
1160 State
= IkeSaSession
->SessionCommon
.State
;
1161 if (State
== IkeStateInit
) {
1163 // For the IKE Initial Exchange, the MessagId should be zero.
1165 if (IkeHdr
->MessageId
!= 0) {
1169 if (State
== IkeStateAuth
) {
1170 if (IkeHdr
->MessageId
!= 1) {
1174 if (IkeHdr
->InitiatorCookie
!= IkeSaSession
->InitiatorCookie
||
1175 IkeHdr
->ResponderCookie
!= IkeSaSession
->ResponderCookie
1178 // TODO: send notification INVALID-COOKIE
1185 // Information Exchagne and Create Child Exchange can be started from each part.
1187 if (IkeHdr
->ExchangeType
!= IKEV2_EXCHANGE_TYPE_INFO
&&
1188 IkeHdr
->ExchangeType
!= IKEV2_EXCHANGE_TYPE_CREATE_CHILD
1190 if (IkeSaSession
->SessionCommon
.IsInitiator
) {
1191 if (IkeHdr
->InitiatorCookie
!= IkeSaSession
->InitiatorCookie
) {
1193 // TODO: send notification INVALID-COOKIE
1197 if (IkeHdr
->Flags
!= IKE_HEADER_FLAGS_RESPOND
) {
1201 if (IkeHdr
->Flags
!= IKE_HEADER_FLAGS_INIT
) {
1211 Create and intialize IKEV2_SA_DATA for speicifed IKEV2_SESSION_COMMON.
1213 This function will be only called by the initiator. The responder's IKEV2_SA_DATA
1214 will be generated during parsed the initiator packet.
1216 @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON related to.
1218 @retval a Pointer to a new IKEV2_SA_DATA or NULL.
1222 Ikev2InitializeSaData (
1223 IN IKEV2_SESSION_COMMON
*SessionCommon
1226 IKEV2_CHILD_SA_SESSION
*ChildSaSession
;
1227 IKEV2_SA_DATA
*SaData
;
1228 IKEV2_PROPOSAL_DATA
*ProposalData
;
1229 IKEV2_TRANSFORM_DATA
*TransformData
;
1230 IKE_SA_ATTRIBUTE
*Attribute
;
1232 ASSERT (SessionCommon
!= NULL
);
1234 // TODO: Remove the hard code of the support Alogrithm. Those data should be
1235 // get from the SPD/PAD data.
1237 if (SessionCommon
->IkeSessionType
== IkeSessionTypeIkeSa
) {
1238 SaData
= AllocateZeroPool (
1239 sizeof (IKEV2_SA_DATA
) +
1240 sizeof (IKEV2_PROPOSAL_DATA
) * 2 +
1241 sizeof (IKEV2_TRANSFORM_DATA
) * 4 * 2
1244 SaData
= AllocateZeroPool (
1245 sizeof (IKEV2_SA_DATA
) +
1246 sizeof (IKEV2_PROPOSAL_DATA
) * 2 +
1247 sizeof (IKEV2_TRANSFORM_DATA
) * 3 * 2
1250 if (SaData
== NULL
) {
1255 // First proposal payload: 3DES + SHA1 + DH
1257 SaData
->NumProposals
= 2;
1258 ProposalData
= (IKEV2_PROPOSAL_DATA
*) (SaData
+ 1);
1259 ProposalData
->ProposalIndex
= 1;
1262 // If SA data for IKE_SA_INIT exchage, contains 4 transforms. If SA data for
1263 // IKE_AUTH exchange contains 3 transforms.
1265 if (SessionCommon
->IkeSessionType
== IkeSessionTypeIkeSa
) {
1266 ProposalData
->NumTransforms
= 4;
1268 ProposalData
->NumTransforms
= 3;
1272 if (SessionCommon
->IkeSessionType
== IkeSessionTypeIkeSa
) {
1273 ProposalData
->ProtocolId
= IPSEC_PROTO_ISAKMP
;
1275 ChildSaSession
= IKEV2_CHILD_SA_SESSION_FROM_COMMON (SessionCommon
);
1276 ProposalData
->ProtocolId
= IPSEC_PROTO_IPSEC_ESP
;
1277 ProposalData
->Spi
= AllocateZeroPool (sizeof (ChildSaSession
->LocalPeerSpi
));
1278 ASSERT (ProposalData
->Spi
!= NULL
);
1281 &ChildSaSession
->LocalPeerSpi
,
1282 sizeof(ChildSaSession
->LocalPeerSpi
)
1287 // Set transform attribute for Encryption Algorithm - 3DES
1289 TransformData
= (IKEV2_TRANSFORM_DATA
*) (ProposalData
+ 1);
1290 TransformData
->TransformIndex
= 0;
1291 TransformData
->TransformType
= IKEV2_TRANSFORM_TYPE_ENCR
;
1292 TransformData
->TransformId
= IKEV2_TRANSFORM_ID_ENCR_3DES
;
1295 // Set transform attribute for Integrity Algorithm - SHA1_96
1297 TransformData
= (IKEV2_TRANSFORM_DATA
*) (TransformData
+ 1);
1298 TransformData
->TransformIndex
= 1;
1299 TransformData
->TransformType
= IKEV2_TRANSFORM_TYPE_INTEG
;
1300 TransformData
->TransformId
= IKEV2_TRANSFORM_ID_AUTH_HMAC_SHA1_96
;
1302 if (SessionCommon
->IkeSessionType
== IkeSessionTypeIkeSa
) {
1304 // Set transform attribute for Pseduo-Random Function - HAMC_SHA1
1306 TransformData
= (IKEV2_TRANSFORM_DATA
*) (TransformData
+ 1);
1307 TransformData
->TransformIndex
= 2;
1308 TransformData
->TransformType
= IKEV2_TRANSFORM_TYPE_PRF
;
1309 TransformData
->TransformId
= IKEV2_TRANSFORM_ID_PRF_HMAC_SHA1
;
1312 if (SessionCommon
->IkeSessionType
== IkeSessionTypeIkeSa
) {
1314 // Set transform attribute for DH Group - DH 1024
1316 TransformData
= (IKEV2_TRANSFORM_DATA
*) (TransformData
+ 1);
1317 TransformData
->TransformIndex
= 3;
1318 TransformData
->TransformType
= IKEV2_TRANSFORM_TYPE_DH
;
1319 TransformData
->TransformId
= IKEV2_TRANSFORM_ID_DH_1024MODP
;
1322 // Transform type for Extended Sequence Numbers. Currently not support Extended
1325 TransformData
= (IKEV2_TRANSFORM_DATA
*) (TransformData
+ 1);
1326 TransformData
->TransformIndex
= 2;
1327 TransformData
->TransformType
= IKEV2_TRANSFORM_TYPE_ESN
;
1328 TransformData
->TransformId
= 0;
1332 // Second proposal payload: 3DES + SHA1 + DH
1334 ProposalData
= (IKEV2_PROPOSAL_DATA
*) (TransformData
+ 1);
1335 ProposalData
->ProposalIndex
= 2;
1337 if (SessionCommon
->IkeSessionType
== IkeSessionTypeIkeSa
) {
1338 ProposalData
->ProtocolId
= IPSEC_PROTO_ISAKMP
;
1339 ProposalData
->NumTransforms
= 4;
1342 ChildSaSession
= IKEV2_CHILD_SA_SESSION_FROM_COMMON (SessionCommon
);
1343 ProposalData
->ProtocolId
= IPSEC_PROTO_IPSEC_ESP
;
1344 ProposalData
->NumTransforms
= 3;
1345 ProposalData
->Spi
= AllocateZeroPool (sizeof (ChildSaSession
->LocalPeerSpi
));
1346 ASSERT (ProposalData
->Spi
!= NULL
);
1349 &ChildSaSession
->LocalPeerSpi
,
1350 sizeof(ChildSaSession
->LocalPeerSpi
)
1355 // Set transform attribute for Encryption Algorithm - AES-CBC
1357 TransformData
= (IKEV2_TRANSFORM_DATA
*) (ProposalData
+ 1);
1358 TransformData
->TransformIndex
= 0;
1359 TransformData
->TransformType
= IKEV2_TRANSFORM_TYPE_ENCR
;
1360 TransformData
->TransformId
= IKEV2_TRANSFORM_ID_ENCR_AES_CBC
;
1361 Attribute
= &TransformData
->Attribute
;
1362 Attribute
->AttrType
= IKEV2_ATTRIBUTE_TYPE_KEYLEN
;
1363 Attribute
->Attr
.AttrLength
= (UINT16
) (8 * IpSecGetEncryptKeyLength (IKEV2_TRANSFORM_ID_ENCR_AES_CBC
));
1366 // Set transform attribute for Integrity Algorithm - SHA1_96
1368 TransformData
= (IKEV2_TRANSFORM_DATA
*) (TransformData
+ 1);
1369 TransformData
->TransformIndex
= 1;
1370 TransformData
->TransformType
= IKEV2_TRANSFORM_TYPE_INTEG
;
1371 TransformData
->TransformId
= IKEV2_TRANSFORM_ID_AUTH_HMAC_SHA1_96
;
1373 if (SessionCommon
->IkeSessionType
== IkeSessionTypeIkeSa
) {
1375 // Set transform attribute for Pseduo-Random Function - HAMC_SHA1
1377 TransformData
= (IKEV2_TRANSFORM_DATA
*) (TransformData
+ 1);
1378 TransformData
->TransformIndex
= 2;
1379 TransformData
->TransformType
= IKEV2_TRANSFORM_TYPE_PRF
;
1380 TransformData
->TransformId
= IKEV2_TRANSFORM_ID_PRF_HMAC_SHA1
;
1383 if (SessionCommon
->IkeSessionType
== IkeSessionTypeIkeSa
) {
1385 // Set transform attrbiute for DH Group - DH-1024
1387 TransformData
= (IKEV2_TRANSFORM_DATA
*) (TransformData
+ 1);
1388 TransformData
->TransformIndex
= 3;
1389 TransformData
->TransformType
= IKEV2_TRANSFORM_TYPE_DH
;
1390 TransformData
->TransformId
= IKEV2_TRANSFORM_ID_DH_1024MODP
;
1393 // Transform type for Extended Sequence Numbers. Currently not support Extended
1396 TransformData
= (IKEV2_TRANSFORM_DATA
*) (TransformData
+ 1);
1397 TransformData
->TransformIndex
= 2;
1398 TransformData
->TransformType
= IKEV2_TRANSFORM_TYPE_ESN
;
1399 TransformData
->TransformId
= 0;
1406 Store the SA into SAD.
1408 @param[in] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION.
1413 IN IKEV2_CHILD_SA_SESSION
*ChildSaSession
1417 EFI_IPSEC_SA_ID SaId
;
1418 EFI_IPSEC_SA_DATA2 SaData
;
1419 IKEV2_SESSION_COMMON
*SessionCommon
;
1420 IPSEC_PRIVATE_DATA
*Private
;
1421 UINT32 TempAddressCount
;
1422 EFI_IP_ADDRESS_INFO
*TempAddressInfo
;
1424 SessionCommon
= &ChildSaSession
->SessionCommon
;
1425 Private
= SessionCommon
->Private
;
1427 ZeroMem (&SaId
, sizeof (EFI_IPSEC_SA_ID
));
1428 ZeroMem (&SaData
, sizeof (EFI_IPSEC_SA_DATA2
));
1431 // Create a SpdSelector. In this implementation, one SPD represents
1432 // 2 direction traffic, so in here, there needs to reverse the local address
1433 // and remote address for Remote Peer's SA, then reverse again for the locate
1436 TempAddressCount
= ChildSaSession
->SpdSelector
->LocalAddressCount
;
1437 TempAddressInfo
= ChildSaSession
->SpdSelector
->LocalAddress
;
1439 ChildSaSession
->SpdSelector
->LocalAddressCount
= ChildSaSession
->SpdSelector
->RemoteAddressCount
;
1440 ChildSaSession
->SpdSelector
->LocalAddress
= ChildSaSession
->SpdSelector
->RemoteAddress
;
1442 ChildSaSession
->SpdSelector
->RemoteAddress
= TempAddressInfo
;
1443 ChildSaSession
->SpdSelector
->RemoteAddressCount
= TempAddressCount
;
1446 // Set the SaId and SaData.
1448 SaId
.Spi
= ChildSaSession
->LocalPeerSpi
;
1449 SaId
.Proto
= EfiIPsecESP
;
1450 SaData
.AntiReplayWindows
= 16;
1452 SaData
.Mode
= ChildSaSession
->Spd
->Data
->ProcessingPolicy
->Mode
;
1455 // If it is tunnel mode, should add the TunnelDest and TunnelSource for SaData.
1457 if (SaData
.Mode
== EfiIPsecTunnel
) {
1459 &SaData
.TunnelSourceAddress
,
1460 &ChildSaSession
->Spd
->Data
->ProcessingPolicy
->TunnelOption
->RemoteTunnelAddress
,
1461 sizeof (EFI_IP_ADDRESS
)
1464 &SaData
.TunnelDestinationAddress
,
1465 &ChildSaSession
->Spd
->Data
->ProcessingPolicy
->TunnelOption
->LocalTunnelAddress
,
1466 sizeof (EFI_IP_ADDRESS
)
1470 CopyMem (&SaId
.DestAddress
, &ChildSaSession
->SessionCommon
.LocalPeerIp
, sizeof (EFI_IP_ADDRESS
));
1471 CopyMem (&SaData
.AlgoInfo
, &ChildSaSession
->ChildKeymats
.LocalPeerInfo
, sizeof (EFI_IPSEC_ALGO_INFO
));
1472 SaData
.SpdSelector
= ChildSaSession
->SpdSelector
;
1475 // Store the remote SA into SAD.
1477 Status
= EfiIpSecConfigSetData (
1478 &Private
->IpSecConfig
,
1479 IPsecConfigDataTypeSad
,
1480 (EFI_IPSEC_CONFIG_SELECTOR
*) &SaId
,
1484 ASSERT_EFI_ERROR (Status
);
1487 // Store the local SA into SAD.
1489 ChildSaSession
->SpdSelector
->RemoteAddressCount
= ChildSaSession
->SpdSelector
->LocalAddressCount
;
1490 ChildSaSession
->SpdSelector
->RemoteAddress
= ChildSaSession
->SpdSelector
->LocalAddress
;
1492 ChildSaSession
->SpdSelector
->LocalAddress
= TempAddressInfo
;
1493 ChildSaSession
->SpdSelector
->LocalAddressCount
= TempAddressCount
;
1495 SaId
.Spi
= ChildSaSession
->RemotePeerSpi
;
1497 CopyMem (&SaId
.DestAddress
, &ChildSaSession
->SessionCommon
.RemotePeerIp
, sizeof (EFI_IP_ADDRESS
));
1498 CopyMem (&SaData
.AlgoInfo
, &ChildSaSession
->ChildKeymats
.RemotePeerInfo
, sizeof (EFI_IPSEC_ALGO_INFO
));
1499 SaData
.SpdSelector
= ChildSaSession
->SpdSelector
;
1502 // If it is tunnel mode, should add the TunnelDest and TunnelSource for SaData.
1504 if (SaData
.Mode
== EfiIPsecTunnel
) {
1506 &SaData
.TunnelSourceAddress
,
1507 &ChildSaSession
->Spd
->Data
->ProcessingPolicy
->TunnelOption
->LocalTunnelAddress
,
1508 sizeof (EFI_IP_ADDRESS
)
1511 &SaData
.TunnelDestinationAddress
,
1512 &ChildSaSession
->Spd
->Data
->ProcessingPolicy
->TunnelOption
->RemoteTunnelAddress
,
1513 sizeof (EFI_IP_ADDRESS
)
1517 Status
= EfiIpSecConfigSetData (
1518 &Private
->IpSecConfig
,
1519 IPsecConfigDataTypeSad
,
1520 (EFI_IPSEC_CONFIG_SELECTOR
*) &SaId
,
1525 ASSERT_EFI_ERROR (Status
);
1529 Call back function of the IKE life time is over.
1531 This function will mark the related IKE SA Session as deleting and trigger a
1532 Information negotiation.
1534 @param[in] Event The signaled Event.
1535 @param[in] Context Pointer to data passed by caller.
1540 Ikev2LifetimeNotify (
1545 IKEV2_SA_SESSION
*IkeSaSession
;
1546 IKEV2_CHILD_SA_SESSION
*ChildSaSession
;
1547 IKEV2_SESSION_COMMON
*SessionCommon
;
1549 ASSERT (Context
!= NULL
);
1550 SessionCommon
= (IKEV2_SESSION_COMMON
*) Context
;
1552 if (SessionCommon
->IkeSessionType
== IkeSessionTypeIkeSa
) {
1553 IkeSaSession
= IKEV2_SA_SESSION_FROM_COMMON (SessionCommon
);
1556 "\n---IkeSa Lifetime is out(cookie_i, cookie_r):(0x%lx, 0x%lx)---\n",
1557 IkeSaSession
->InitiatorCookie
,
1558 IkeSaSession
->ResponderCookie
1562 // Change the IKE SA Session's State to IKE_STATE_SA_DELETING.
1564 IKEV2_DUMP_STATE (IkeSaSession
->SessionCommon
.State
, IkeStateSaDeleting
);
1565 IkeSaSession
->SessionCommon
.State
= IkeStateSaDeleting
;
1568 ChildSaSession
= IKEV2_CHILD_SA_SESSION_FROM_COMMON (SessionCommon
);
1569 IkeSaSession
= ChildSaSession
->IkeSaSession
;
1572 // Link the timeout child SA to the DeleteSaList.
1574 InsertTailList (&IkeSaSession
->DeleteSaList
, &ChildSaSession
->ByDelete
);
1577 // Change the Child SA Session's State to IKE_STATE_SA_DELETING.
1581 "\n------ChildSa Lifetime is out(SPI):(0x%x)------\n",
1582 ChildSaSession
->LocalPeerSpi
1587 // TODO: Send the delete info packet or delete silently
1589 mIkev2Exchange
.NegotiateInfo ((UINT8
*) IkeSaSession
, NULL
);
1593 This function will be called if the TimeOut Event is signaled.
1595 @param[in] Event The signaled Event.
1596 @param[in] Context The data passed by caller.
1606 IPSEC_PRIVATE_DATA
*Private
;
1607 IKEV2_SA_SESSION
*IkeSaSession
;
1608 IKEV2_CHILD_SA_SESSION
*ChildSaSession
;
1609 IKEV2_SESSION_COMMON
*SessionCommon
;
1610 LIST_ENTRY
*ChildSaEntry
;
1614 ASSERT (Context
!= NULL
);
1615 IkeSaSession
= NULL
;
1616 ChildSaSession
= NULL
;
1617 SessionCommon
= (IKEV2_SESSION_COMMON
*) Context
;
1618 Private
= SessionCommon
->Private
;
1621 // Remove the SA session from the processing list if exceed the max retry.
1623 if (SessionCommon
->RetryCount
> IKE_MAX_RETRY
) {
1624 if (SessionCommon
->IkeSessionType
== IkeSessionTypeIkeSa
) {
1625 IkeSaSession
= IKEV2_SA_SESSION_FROM_COMMON (SessionCommon
);
1626 if (IkeSaSession
->SessionCommon
.State
== IkeStateSaDeleting
) {
1629 // If the IkeSaSession is initiator, delete all its Child SAs before removing IKE SA.
1630 // If the IkesaSession is responder, all ChildSa has been remove in Ikev2HandleInfo();
1632 for (ChildSaEntry
= IkeSaSession
->ChildSaEstablishSessionList
.ForwardLink
;
1633 ChildSaEntry
!= &IkeSaSession
->ChildSaEstablishSessionList
;
1635 ChildSaSession
= IKEV2_CHILD_SA_SESSION_BY_IKE_SA (ChildSaEntry
);
1637 // Move to next ChildSa Entry.
1639 ChildSaEntry
= ChildSaEntry
->ForwardLink
;
1641 // Delete LocalSpi & RemoteSpi and remove the ChildSaSession from the
1642 // EstablishedChildSaList.
1644 Ikev2ChildSaSilentDelete (IkeSaSession
, ChildSaSession
->LocalPeerSpi
);
1648 // If the IKE SA Delete Payload wasn't sent out successfully, Delete it from the EstablishedList.
1650 Ikev2SaSessionRemove (&Private
->Ikev2EstablishedList
, &SessionCommon
->RemotePeerIp
);
1652 if (Private
!= NULL
&& Private
->IsIPsecDisabling
) {
1654 // After all IKE SAs were deleted, set the IPSEC_STATUS_DISABLED value in
1655 // IPsec status variable.
1657 if (IsListEmpty (&Private
->Ikev1EstablishedList
) && IsListEmpty (&Private
->Ikev2EstablishedList
)) {
1658 Value
= IPSEC_STATUS_DISABLED
;
1659 Status
= gRT
->SetVariable (
1660 IPSECCONFIG_STATUS_NAME
,
1661 &gEfiIpSecConfigProtocolGuid
,
1662 EFI_VARIABLE_BOOTSERVICE_ACCESS
| EFI_VARIABLE_NON_VOLATILE
,
1666 if (!EFI_ERROR (Status
)) {
1668 // Set the Disabled Flag in Private data.
1670 Private
->IpSec
.DisabledFlag
= TRUE
;
1671 Private
->IsIPsecDisabling
= FALSE
;
1676 Ikev2SaSessionRemove (&Private
->Ikev2SessionList
, &SessionCommon
->RemotePeerIp
);
1678 Ikev2SaSessionFree (IkeSaSession
);
1683 // If the packet sent by Child SA.
1685 ChildSaSession
= IKEV2_CHILD_SA_SESSION_FROM_COMMON (SessionCommon
);
1686 IkeSaSession
= ChildSaSession
->IkeSaSession
;
1687 if (ChildSaSession
->SessionCommon
.State
== IkeStateSaDeleting
) {
1690 // Established Child SA should be remove from the SAD entry and
1691 // DeleteList. The function of Ikev2DeleteChildSaSilent() will remove
1692 // the childSA from the IkeSaSession->ChildSaEstablishedList. So there
1693 // is no need to remove it here.
1695 Ikev2ChildSaSilentDelete (IkeSaSession
, ChildSaSession
->LocalPeerSpi
);
1696 Ikev2ChildSaSessionRemove (
1697 &IkeSaSession
->DeleteSaList
,
1698 ChildSaSession
->LocalPeerSpi
,
1699 IKEV2_DELET_CHILDSA_LIST
1702 Ikev2ChildSaSessionRemove (
1703 &IkeSaSession
->ChildSaSessionList
,
1704 ChildSaSession
->LocalPeerSpi
,
1705 IKEV2_ESTABLISHING_CHILDSA_LIST
1709 Ikev2ChildSaSessionFree (ChildSaSession
);
1715 // Increase the retry count.
1717 SessionCommon
->RetryCount
++;
1718 DEBUG ((DEBUG_INFO
, ">>>Resending the last packet ...\n"));
1721 // Resend the last packet.
1723 Ikev2SendIkePacket (
1724 SessionCommon
->UdpService
,
1725 (UINT8
*)SessionCommon
,
1726 SessionCommon
->LastSentPacket
,
1732 Copy ChildSaSession->Spd->Selector to ChildSaSession->SpdSelector.
1734 ChildSaSession->SpdSelector stores the real Spdselector for its SA. Sometime,
1735 the SpdSelector in ChildSaSession is more accurated or the scope is smaller
1736 than the one in ChildSaSession->Spd, especially for the tunnel mode.
1738 @param[in, out] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION related to.
1742 Ikev2ChildSaSessionSpdSelectorCreate (
1743 IN OUT IKEV2_CHILD_SA_SESSION
*ChildSaSession
1746 if (ChildSaSession
->Spd
!= NULL
&& ChildSaSession
->Spd
->Selector
!= NULL
) {
1747 if (ChildSaSession
->SpdSelector
== NULL
) {
1748 ChildSaSession
->SpdSelector
= AllocateZeroPool (sizeof (EFI_IPSEC_SPD_SELECTOR
));
1749 ASSERT (ChildSaSession
->SpdSelector
!= NULL
);
1752 ChildSaSession
->SpdSelector
,
1753 ChildSaSession
->Spd
->Selector
,
1754 sizeof (EFI_IPSEC_SPD_SELECTOR
)
1756 ChildSaSession
->SpdSelector
->RemoteAddress
= AllocateCopyPool (
1757 ChildSaSession
->Spd
->Selector
->RemoteAddressCount
*
1758 sizeof (EFI_IP_ADDRESS_INFO
),
1759 ChildSaSession
->Spd
->Selector
->RemoteAddress
1761 ChildSaSession
->SpdSelector
->LocalAddress
= AllocateCopyPool (
1762 ChildSaSession
->Spd
->Selector
->LocalAddressCount
*
1763 sizeof (EFI_IP_ADDRESS_INFO
),
1764 ChildSaSession
->Spd
->Selector
->LocalAddress
1767 ASSERT (ChildSaSession
->SpdSelector
->LocalAddress
!= NULL
);
1768 ASSERT (ChildSaSession
->SpdSelector
->RemoteAddress
!= NULL
);
1770 ChildSaSession
->SpdSelector
->RemoteAddressCount
= ChildSaSession
->Spd
->Selector
->RemoteAddressCount
;
1771 ChildSaSession
->SpdSelector
->LocalAddressCount
= ChildSaSession
->Spd
->Selector
->LocalAddressCount
;
1776 Generate a ChildSa Session and insert it into related IkeSaSession.
1778 @param[in] IkeSaSession Pointer to related IKEV2_SA_SESSION.
1779 @param[in] UdpService Pointer to related IKE_UDP_SERVICE.
1781 @return pointer of IKEV2_CHILD_SA_SESSION.
1784 IKEV2_CHILD_SA_SESSION
*
1785 Ikev2ChildSaSessionCreate (
1786 IN IKEV2_SA_SESSION
*IkeSaSession
,
1787 IN IKE_UDP_SERVICE
*UdpService
1790 IKEV2_CHILD_SA_SESSION
*ChildSaSession
;
1791 IKEV2_SESSION_COMMON
*ChildSaCommon
;
1794 // Create a new ChildSaSession.Insert it into processing list and initiate the common parameters.
1796 ChildSaSession
= Ikev2ChildSaSessionAlloc (UdpService
, IkeSaSession
);
1797 ASSERT (ChildSaSession
!= NULL
);
1800 // Set the specific parameters.
1802 ChildSaSession
->Spd
= IkeSaSession
->Spd
;
1803 ChildSaCommon
= &ChildSaSession
->SessionCommon
;
1804 ChildSaCommon
->IsInitiator
= IkeSaSession
->SessionCommon
.IsInitiator
;
1805 if (IkeSaSession
->SessionCommon
.State
== IkeStateAuth
) {
1806 ChildSaCommon
->State
= IkeStateAuth
;
1807 IKEV2_DUMP_STATE (ChildSaCommon
->State
, IkeStateAuth
);
1809 ChildSaCommon
->State
= IkeStateCreateChild
;
1810 IKEV2_DUMP_STATE (ChildSaCommon
->State
, IkeStateCreateChild
);
1814 // If SPD->Selector is not NULL, copy it to the ChildSaSession->SpdSelector.
1815 // The ChildSaSession->SpdSelector might be changed after the traffic selector
1816 // negoniation and it will be copied into the SAData after ChildSA established.
1818 Ikev2ChildSaSessionSpdSelectorCreate (ChildSaSession
);
1821 // Copy first NiBlock and NrBlock to ChildSa Session
1823 ChildSaSession
->NiBlock
= AllocateZeroPool (IkeSaSession
->NiBlkSize
);
1824 ASSERT (ChildSaSession
->NiBlock
!= NULL
);
1825 ChildSaSession
->NiBlkSize
= IkeSaSession
->NiBlkSize
;
1826 CopyMem (ChildSaSession
->NiBlock
, IkeSaSession
->NiBlock
, IkeSaSession
->NiBlkSize
);
1828 ChildSaSession
->NrBlock
= AllocateZeroPool (IkeSaSession
->NrBlkSize
);
1829 ASSERT (ChildSaSession
->NrBlock
!= NULL
);
1830 ChildSaSession
->NrBlkSize
= IkeSaSession
->NrBlkSize
;
1831 CopyMem (ChildSaSession
->NrBlock
, IkeSaSession
->NrBlock
, IkeSaSession
->NrBlkSize
);
1834 // Only if the Create Child SA is called for the IKE_INIT Exchange and
1835 // IkeSaSession is initiator (Only Initiator's SPD is not NULL), Set the
1836 // Traffic Selectors related information here.
1838 if (IkeSaSession
->SessionCommon
.State
== IkeStateAuth
&& IkeSaSession
->Spd
!= NULL
) {
1839 ChildSaSession
->ProtoId
= IkeSaSession
->Spd
->Selector
->NextLayerProtocol
;
1840 ChildSaSession
->LocalPort
= IkeSaSession
->Spd
->Selector
->LocalPort
;
1841 ChildSaSession
->RemotePort
= IkeSaSession
->Spd
->Selector
->RemotePort
;
1845 // Insert the new ChildSaSession into processing child SA list.
1847 Ikev2ChildSaSessionInsert (&IkeSaSession
->ChildSaSessionList
, ChildSaSession
);
1848 return ChildSaSession
;
1852 Check if the SPD is related to the input Child SA Session.
1854 This function is the subfunction of Ikev1AssociateSpdEntry(). It is the call
1855 back function of IpSecVisitConfigData().
1858 @param[in] Type Type of the input Config Selector.
1859 @param[in] Selector Pointer to the Configure Selector to be checked.
1860 @param[in] Data Pointer to the Configure Selector's Data passed
1862 @param[in] SelectorSize The buffer size of Selector.
1863 @param[in] DataSize The buffer size of the Data.
1864 @param[in] Context The data passed from the caller. It is a Child
1865 SA Session in this context.
1867 @retval EFI_SUCCESS The SPD Selector is not related to the Child SA Session.
1868 @retval EFI_ABORTED The SPD Selector is related to the Child SA session and
1869 set the ChildSaSession->Spd to point to this SPD Selector.
1873 Ikev2MatchSpdEntry (
1874 IN EFI_IPSEC_CONFIG_DATA_TYPE Type
,
1875 IN EFI_IPSEC_CONFIG_SELECTOR
*Selector
,
1877 IN UINTN SelectorSize
,
1882 IKEV2_CHILD_SA_SESSION
*ChildSaSession
;
1883 EFI_IPSEC_SPD_SELECTOR
*SpdSelector
;
1884 EFI_IPSEC_SPD_DATA
*SpdData
;
1888 ASSERT (Type
== IPsecConfigDataTypeSpd
);
1889 SpdData
= (EFI_IPSEC_SPD_DATA
*) Data
;
1891 // Bypass all non-protect SPD entry first
1893 if (SpdData
->Action
!= EfiIPsecActionProtect
) {
1897 ChildSaSession
= (IKEV2_CHILD_SA_SESSION
*) Context
;
1898 IpVersion
= ChildSaSession
->SessionCommon
.UdpService
->IpVersion
;
1899 SpdSelector
= (EFI_IPSEC_SPD_SELECTOR
*) Selector
;
1902 if (SpdSelector
->NextLayerProtocol
== EFI_IP_PROTO_UDP
&&
1903 SpdSelector
->LocalPort
== IKE_DEFAULT_PORT
&&
1904 SpdSelector
->LocalPortRange
== 0 &&
1905 SpdSelector
->RemotePort
== IKE_DEFAULT_PORT
&&
1906 SpdSelector
->RemotePortRange
== 0
1909 // TODO: Skip IKE Policy here or set a SPD entry?
1914 if (SpdSelector
->NextLayerProtocol
!= EFI_IPSEC_ANY_PROTOCOL
&&
1915 SpdSelector
->NextLayerProtocol
!= ChildSaSession
->ProtoId
1920 if (SpdSelector
->LocalPort
!= EFI_IPSEC_ANY_PORT
&& SpdSelector
->LocalPort
!= ChildSaSession
->LocalPort
) {
1924 if (SpdSelector
->RemotePort
!= EFI_IPSEC_ANY_PORT
&& SpdSelector
->RemotePort
!= ChildSaSession
->RemotePort
) {
1928 IsMatch
= (BOOLEAN
) (IsMatch
&&
1929 IpSecMatchIpAddress (
1931 &ChildSaSession
->SessionCommon
.LocalPeerIp
,
1932 SpdSelector
->LocalAddress
,
1933 SpdSelector
->LocalAddressCount
1936 IsMatch
= (BOOLEAN
) (IsMatch
&&
1937 IpSecMatchIpAddress (
1939 &ChildSaSession
->SessionCommon
.RemotePeerIp
,
1940 SpdSelector
->RemoteAddress
,
1941 SpdSelector
->RemoteAddressCount
1945 ChildSaSession
->Spd
= IkeSearchSpdEntry (SpdSelector
);
1953 Check if the Algorithm ID is supported.
1955 @param[in] AlgorithmId The specified Algorithm ID.
1956 @param[in] Type The type used to indicate the Algorithm is for Encrypt or
1959 @retval TRUE If the Algorithm ID is supported.
1960 @retval FALSE If the Algorithm ID is not supported.
1965 IN UINT16 AlgorithmId
,
1971 case IKE_ENCRYPT_TYPE
:
1972 for (Index
= 0; Index
< IKEV2_SUPPORT_ENCRYPT_ALGORITHM_NUM
; Index
++) {
1973 if (mIkev2EncryptAlgorithmList
[Index
] == AlgorithmId
) {
1979 case IKE_AUTH_TYPE
:
1980 for (Index
= 0; Index
< IKEV2_SUPPORT_AUTH_ALGORITHM_NUM
; Index
++) {
1981 if (mIkev2AuthAlgorithmList
[Index
] == AlgorithmId
) {
1988 for (Index
= 0; Index
< IKEV2_SUPPORT_DH_ALGORITHM_NUM
; Index
++) {
1989 if (mIkev2DhGroupAlgorithmList
[Index
] == AlgorithmId
) {
1996 for (Index
= 0; Index
< IKEV2_SUPPORT_PRF_ALGORITHM_NUM
; Index
++) {
1997 if (mIkev2PrfAlgorithmList
[Index
] == AlgorithmId
) {
2006 Get the preferred algorithm types from ProposalData.
2008 @param[in] ProposalData Pointer to related IKEV2_PROPOSAL_DATA.
2009 @param[out] PreferEncryptAlgorithm Output of preferred encrypt algorithm.
2010 @param[out] PreferIntegrityAlgorithm Output of preferred integrity algorithm.
2011 @param[out] PreferPrfAlgorithm Output of preferred PRF algorithm. Only
2013 @param[out] PreferDhGroup Output of preferred DH group. Only for
2015 @param[out] PreferEncryptKeylength Output of preferred encrypt key length
2017 @param[out] IsSupportEsn Output of value about the Extented Sequence
2018 Number is support or not. Only for Child SA.
2019 @param[in] IsChildSa If it is ture, the ProposalData is for IKE
2020 SA. Otherwise the proposalData is for Child SA.
2024 Ikev2ParseProposalData (
2025 IN IKEV2_PROPOSAL_DATA
*ProposalData
,
2026 OUT UINT16
*PreferEncryptAlgorithm
,
2027 OUT UINT16
*PreferIntegrityAlgorithm
,
2028 OUT UINT16
*PreferPrfAlgorithm
,
2029 OUT UINT16
*PreferDhGroup
,
2030 OUT UINTN
*PreferEncryptKeylength
,
2031 OUT BOOLEAN
*IsSupportEsn
,
2032 IN BOOLEAN IsChildSa
2035 IKEV2_TRANSFORM_DATA
*TransformData
;
2036 UINT8 TransformIndex
;
2039 // Check input parameters.
2041 if (ProposalData
== NULL
||
2042 PreferEncryptAlgorithm
== NULL
||
2043 PreferIntegrityAlgorithm
== NULL
||
2044 PreferEncryptKeylength
== NULL
2050 if (IsSupportEsn
== NULL
) {
2054 if (PreferPrfAlgorithm
== NULL
|| PreferDhGroup
== NULL
) {
2059 TransformData
= (IKEV2_TRANSFORM_DATA
*)(ProposalData
+ 1);
2060 for (TransformIndex
= 0; TransformIndex
< ProposalData
->NumTransforms
; TransformIndex
++) {
2061 switch (TransformData
->TransformType
) {
2063 // For IKE SA there are four algorithm types. Encryption Algorithm, Pseudo-random Function,
2064 // Integrity Algorithm, Diffie-Hellman Group. For Child SA, there are three algorithm types.
2065 // Encryption Algorithm, Integrity Algorithm, Extended Sequence Number.
2067 case IKEV2_TRANSFORM_TYPE_ENCR
:
2068 if (*PreferEncryptAlgorithm
== 0 && Ikev2IsSupportAlg (TransformData
->TransformId
, IKE_ENCRYPT_TYPE
)) {
2070 // Check the attribute value. According to RFC, only Keylength is support.
2072 if (TransformData
->Attribute
.AttrType
== IKEV2_ATTRIBUTE_TYPE_KEYLEN
) {
2074 // If the Keylength is not support, continue to check the next one.
2076 if (IpSecGetEncryptKeyLength ((UINT8
)TransformData
->TransformId
) != (UINTN
)(TransformData
->Attribute
.Attr
.AttrValue
>> 3)){
2079 *PreferEncryptKeylength
= TransformData
->Attribute
.Attr
.AttrValue
;
2082 *PreferEncryptAlgorithm
= TransformData
->TransformId
;
2086 case IKEV2_TRANSFORM_TYPE_PRF
:
2088 if (*PreferPrfAlgorithm
== 0 && Ikev2IsSupportAlg (TransformData
->TransformId
, IKE_PRF_TYPE
)) {
2089 *PreferPrfAlgorithm
= TransformData
->TransformId
;
2094 case IKEV2_TRANSFORM_TYPE_INTEG
:
2095 if (*PreferIntegrityAlgorithm
== 0 && Ikev2IsSupportAlg (TransformData
->TransformId
, IKE_AUTH_TYPE
)) {
2096 *PreferIntegrityAlgorithm
= TransformData
->TransformId
;
2100 case IKEV2_TRANSFORM_TYPE_DH
:
2102 if (*PreferDhGroup
== 0 && Ikev2IsSupportAlg (TransformData
->TransformId
, IKE_DH_TYPE
)) {
2103 *PreferDhGroup
= TransformData
->TransformId
;
2108 case IKEV2_TRANSFORM_TYPE_ESN
:
2110 if (TransformData
->TransformId
!= 0) {
2111 *IsSupportEsn
= TRUE
;
2119 TransformData
= (IKEV2_TRANSFORM_DATA
*)(TransformData
+ 1);
2124 Parse the received Initial Exchange Packet.
2126 This function parse the SA Payload and Key Payload to find out the cryptographic
2127 suite for the further IKE negotiation and fill it into the IKE SA Session's
2128 CommonSession->SaParams.
2130 @param[in, out] IkeSaSession Pointer to related IKEV2_SA_SESSION.
2131 @param[in] SaPayload The received packet.
2132 @param[in] Type The received packet IKE header flag.
2134 @retval TRUE If the SA proposal in Packet is acceptable.
2135 @retval FALSE If the SA proposal in Packet is not acceptable.
2139 Ikev2SaParseSaPayload (
2140 IN OUT IKEV2_SA_SESSION
*IkeSaSession
,
2141 IN IKE_PAYLOAD
*SaPayload
,
2145 IKEV2_PROPOSAL_DATA
*ProposalData
;
2146 UINT8 ProposalIndex
;
2147 UINT16 PreferEncryptAlgorithm
;
2148 UINT16 PreferIntegrityAlgorithm
;
2149 UINT16 PreferPrfAlgorithm
;
2150 UINT16 PreferDhGroup
;
2151 UINTN PreferEncryptKeylength
;
2152 UINT16 EncryptAlgorithm
;
2153 UINT16 IntegrityAlgorithm
;
2154 UINT16 PrfAlgorithm
;
2156 UINTN EncryptKeylength
;
2160 PreferPrfAlgorithm
= 0;
2161 PreferIntegrityAlgorithm
= 0;
2163 PreferEncryptAlgorithm
= 0;
2164 PreferEncryptKeylength
= 0;
2166 IntegrityAlgorithm
= 0;
2168 EncryptAlgorithm
= 0;
2169 EncryptKeylength
= 0;
2172 if (Type
== IKE_HEADER_FLAGS_INIT
) {
2173 ProposalData
= (IKEV2_PROPOSAL_DATA
*)((IKEV2_SA_DATA
*)SaPayload
->PayloadBuf
+ 1);
2174 for (ProposalIndex
= 0; ProposalIndex
< ((IKEV2_SA_DATA
*)SaPayload
->PayloadBuf
)->NumProposals
; ProposalIndex
++) {
2176 // Iterate each proposal to find the perfered one.
2178 if (ProposalData
->ProtocolId
== IPSEC_PROTO_ISAKMP
&& ProposalData
->NumTransforms
>= 4) {
2180 // Get the preferred algorithms.
2182 Ikev2ParseProposalData (
2184 &PreferEncryptAlgorithm
,
2185 &PreferIntegrityAlgorithm
,
2186 &PreferPrfAlgorithm
,
2188 &PreferEncryptKeylength
,
2193 if (PreferEncryptAlgorithm
!= 0 &&
2194 PreferIntegrityAlgorithm
!= 0 &&
2195 PreferPrfAlgorithm
!= 0 &&
2199 // Find the matched one.
2201 IkeSaSession
->SessionCommon
.SaParams
= AllocateZeroPool (sizeof (IKEV2_SA_PARAMS
));
2202 ASSERT (IkeSaSession
->SessionCommon
.SaParams
!= NULL
);
2203 IkeSaSession
->SessionCommon
.SaParams
->EncAlgId
= PreferEncryptAlgorithm
;
2204 IkeSaSession
->SessionCommon
.SaParams
->EnckeyLen
= PreferEncryptKeylength
;
2205 IkeSaSession
->SessionCommon
.SaParams
->DhGroup
= PreferDhGroup
;
2206 IkeSaSession
->SessionCommon
.SaParams
->Prf
= PreferPrfAlgorithm
;
2207 IkeSaSession
->SessionCommon
.SaParams
->IntegAlgId
= PreferIntegrityAlgorithm
;
2208 IkeSaSession
->SessionCommon
.PreferDhGroup
= PreferDhGroup
;
2211 // Save the matched one in IKEV2_SA_DATA for furthure calculation.
2213 SaDataSize
= sizeof (IKEV2_SA_DATA
) +
2214 sizeof (IKEV2_PROPOSAL_DATA
) +
2215 sizeof (IKEV2_TRANSFORM_DATA
) * 4;
2216 IkeSaSession
->SaData
= AllocateZeroPool (SaDataSize
);
2217 ASSERT (IkeSaSession
->SaData
!= NULL
);
2219 IkeSaSession
->SaData
->NumProposals
= 1;
2222 // BUGBUG: Suppose the matched proposal only has 4 transforms. If
2223 // The matched Proposal has more than 4 transforms means it contains
2224 // one than one transform with same type.
2227 (IKEV2_PROPOSAL_DATA
*) (IkeSaSession
->SaData
+ 1),
2229 SaDataSize
- sizeof (IKEV2_SA_DATA
)
2232 ((IKEV2_PROPOSAL_DATA
*) (IkeSaSession
->SaData
+ 1))->ProposalIndex
= 1;
2235 PreferEncryptAlgorithm
= 0;
2236 PreferIntegrityAlgorithm
= 0;
2237 PreferPrfAlgorithm
= 0;
2239 PreferEncryptKeylength
= 0;
2243 // Point to next Proposal.
2245 ProposalData
= (IKEV2_PROPOSAL_DATA
*)((UINT8
*)(ProposalData
+ 1) +
2246 ProposalData
->NumTransforms
* sizeof (IKEV2_TRANSFORM_DATA
));
2248 } else if (Type
== IKE_HEADER_FLAGS_RESPOND
) {
2250 // First check the SA proposal's ProtoctolID and Transform Numbers. Since it is
2251 // the responded SA proposal, suppose it only has one proposal and the transform Numbers
2254 ProposalData
= (IKEV2_PROPOSAL_DATA
*)((IKEV2_SA_DATA
*) SaPayload
->PayloadBuf
+ 1);
2255 if (ProposalData
->ProtocolId
!= IPSEC_PROTO_ISAKMP
|| ProposalData
->NumTransforms
!= 4) {
2259 // Get the preferred algorithms.
2261 Ikev2ParseProposalData (
2263 &PreferEncryptAlgorithm
,
2264 &PreferIntegrityAlgorithm
,
2265 &PreferPrfAlgorithm
,
2267 &PreferEncryptKeylength
,
2272 // Check if the Sa proposal data from received packet is in the IkeSaSession->SaData.
2274 ProposalData
= (IKEV2_PROPOSAL_DATA
*) (IkeSaSession
->SaData
+ 1);
2276 for (ProposalIndex
= 0; ProposalIndex
< IkeSaSession
->SaData
->NumProposals
&& (!IsMatch
); ProposalIndex
++) {
2277 Ikev2ParseProposalData (
2280 &IntegrityAlgorithm
,
2287 if (EncryptAlgorithm
== PreferEncryptAlgorithm
&&
2288 EncryptKeylength
== PreferEncryptKeylength
&&
2289 IntegrityAlgorithm
== PreferIntegrityAlgorithm
&&
2290 PrfAlgorithm
== PreferPrfAlgorithm
&&
2291 DhGroup
== PreferDhGroup
2295 EncryptAlgorithm
= 0;
2296 IntegrityAlgorithm
= 0;
2299 EncryptKeylength
= 0;
2302 ProposalData
= (IKEV2_PROPOSAL_DATA
*)((UINT8
*)(ProposalData
+ 1) +
2303 ProposalData
->NumTransforms
* sizeof (IKEV2_TRANSFORM_DATA
));
2307 IkeSaSession
->SessionCommon
.SaParams
= AllocateZeroPool (sizeof (IKEV2_SA_PARAMS
));
2308 ASSERT (IkeSaSession
->SessionCommon
.SaParams
!= NULL
);
2309 IkeSaSession
->SessionCommon
.SaParams
->EncAlgId
= PreferEncryptAlgorithm
;
2310 IkeSaSession
->SessionCommon
.SaParams
->EnckeyLen
= PreferEncryptKeylength
;
2311 IkeSaSession
->SessionCommon
.SaParams
->DhGroup
= PreferDhGroup
;
2312 IkeSaSession
->SessionCommon
.SaParams
->Prf
= PreferPrfAlgorithm
;
2313 IkeSaSession
->SessionCommon
.SaParams
->IntegAlgId
= PreferIntegrityAlgorithm
;
2314 IkeSaSession
->SessionCommon
.PreferDhGroup
= PreferDhGroup
;
2323 Parse the received Authentication Exchange Packet.
2325 This function parse the SA Payload and Key Payload to find out the cryptographic
2326 suite for the ESP and fill it into the Child SA Session's CommonSession->SaParams.
2328 @param[in, out] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION related to
2329 this Authentication Exchange.
2330 @param[in] SaPayload The received packet.
2331 @param[in] Type The IKE header's flag of received packet .
2333 @retval TRUE If the SA proposal in Packet is acceptable.
2334 @retval FALSE If the SA proposal in Packet is not acceptable.
2338 Ikev2ChildSaParseSaPayload (
2339 IN OUT IKEV2_CHILD_SA_SESSION
*ChildSaSession
,
2340 IN IKE_PAYLOAD
*SaPayload
,
2344 IKEV2_PROPOSAL_DATA
*ProposalData
;
2345 UINT8 ProposalIndex
;
2346 UINT16 PreferEncryptAlgorithm
;
2347 UINT16 PreferIntegrityAlgorithm
;
2348 UINTN PreferEncryptKeylength
;
2349 BOOLEAN PreferIsSupportEsn
;
2350 UINT16 EncryptAlgorithm
;
2351 UINT16 IntegrityAlgorithm
;
2352 UINTN EncryptKeylength
;
2353 BOOLEAN IsSupportEsn
;
2358 PreferIntegrityAlgorithm
= 0;
2359 PreferEncryptAlgorithm
= 0;
2360 PreferEncryptKeylength
= 0;
2361 IntegrityAlgorithm
= 0;
2362 EncryptAlgorithm
= 0;
2363 EncryptKeylength
= 0;
2365 IsSupportEsn
= FALSE
;
2366 PreferIsSupportEsn
= FALSE
;
2368 if (Type
== IKE_HEADER_FLAGS_INIT
) {
2369 ProposalData
= (IKEV2_PROPOSAL_DATA
*)((IKEV2_SA_DATA
*) SaPayload
->PayloadBuf
+ 1);
2370 for (ProposalIndex
= 0; ProposalIndex
< ((IKEV2_SA_DATA
*) SaPayload
->PayloadBuf
)->NumProposals
; ProposalIndex
++) {
2372 // Iterate each proposal to find the preferred one.
2374 if (ProposalData
->ProtocolId
== IPSEC_PROTO_IPSEC_ESP
&& ProposalData
->NumTransforms
>= 3) {
2376 // Get the preferred algorithm.
2378 Ikev2ParseProposalData (
2380 &PreferEncryptAlgorithm
,
2381 &PreferIntegrityAlgorithm
,
2384 &PreferEncryptKeylength
,
2389 // Don't support the ESN now.
2391 if (PreferEncryptAlgorithm
!= 0 &&
2392 PreferIntegrityAlgorithm
!= 0 &&
2396 // Find the matched one.
2398 ChildSaSession
->SessionCommon
.SaParams
= AllocateZeroPool (sizeof (IKEV2_SA_PARAMS
));
2399 ASSERT (ChildSaSession
->SessionCommon
.SaParams
!= NULL
);
2400 ChildSaSession
->SessionCommon
.SaParams
->EncAlgId
= PreferEncryptAlgorithm
;
2401 ChildSaSession
->SessionCommon
.SaParams
->EnckeyLen
= PreferEncryptKeylength
;
2402 ChildSaSession
->SessionCommon
.SaParams
->IntegAlgId
= PreferIntegrityAlgorithm
;
2403 CopyMem (&ChildSaSession
->RemotePeerSpi
, ProposalData
->Spi
, sizeof (ChildSaSession
->RemotePeerSpi
));
2406 // Save the matched one in IKEV2_SA_DATA for furthure calculation.
2408 SaDataSize
= sizeof (IKEV2_SA_DATA
) +
2409 sizeof (IKEV2_PROPOSAL_DATA
) +
2410 sizeof (IKEV2_TRANSFORM_DATA
) * 4;
2412 ChildSaSession
->SaData
= AllocateZeroPool (SaDataSize
);
2413 ASSERT (ChildSaSession
->SaData
!= NULL
);
2415 ChildSaSession
->SaData
->NumProposals
= 1;
2418 // BUGBUG: Suppose there are 4 transforms in the matched proposal. If
2419 // the matched Proposal has more than 4 transforms that means there
2420 // are more than one transform with same type.
2423 (IKEV2_PROPOSAL_DATA
*) (ChildSaSession
->SaData
+ 1),
2425 SaDataSize
- sizeof (IKEV2_SA_DATA
)
2428 ((IKEV2_PROPOSAL_DATA
*) (ChildSaSession
->SaData
+ 1))->ProposalIndex
= 1;
2430 ((IKEV2_PROPOSAL_DATA
*) (ChildSaSession
->SaData
+ 1))->Spi
= AllocateCopyPool (
2431 sizeof (ChildSaSession
->LocalPeerSpi
),
2432 &ChildSaSession
->LocalPeerSpi
2434 ASSERT (((IKEV2_PROPOSAL_DATA
*) (ChildSaSession
->SaData
+ 1))->Spi
!= NULL
);
2438 PreferEncryptAlgorithm
= 0;
2439 PreferIntegrityAlgorithm
= 0;
2440 IsSupportEsn
= TRUE
;
2444 // Point to next Proposal
2446 ProposalData
= (IKEV2_PROPOSAL_DATA
*)((UINT8
*)(ProposalData
+ 1) +
2447 ProposalData
->NumTransforms
* sizeof (IKEV2_TRANSFORM_DATA
));
2449 } else if (Type
== IKE_HEADER_FLAGS_RESPOND
) {
2451 // First check the SA proposal's ProtoctolID and Transform Numbers. Since it is
2452 // the responded SA proposal, suppose it only has one proposal and the transform Numbers
2455 ProposalData
= (IKEV2_PROPOSAL_DATA
*)((IKEV2_SA_DATA
*)SaPayload
->PayloadBuf
+ 1);
2456 if (ProposalData
->ProtocolId
!= IPSEC_PROTO_IPSEC_ESP
|| ProposalData
->NumTransforms
!= 3) {
2460 // Get the preferred algorithms.
2462 Ikev2ParseProposalData (
2464 &PreferEncryptAlgorithm
,
2465 &PreferIntegrityAlgorithm
,
2468 &PreferEncryptKeylength
,
2469 &PreferIsSupportEsn
,
2473 ProposalData
= (IKEV2_PROPOSAL_DATA
*) (ChildSaSession
->SaData
+ 1);
2475 for (ProposalIndex
= 0; ProposalIndex
< ChildSaSession
->SaData
->NumProposals
&& (!IsMatch
); ProposalIndex
++) {
2476 Ikev2ParseProposalData (
2479 &IntegrityAlgorithm
,
2486 if (EncryptAlgorithm
== PreferEncryptAlgorithm
&&
2487 EncryptKeylength
== PreferEncryptKeylength
&&
2488 IntegrityAlgorithm
== PreferIntegrityAlgorithm
&&
2489 IsSupportEsn
== PreferIsSupportEsn
2493 PreferEncryptAlgorithm
= 0;
2494 PreferIntegrityAlgorithm
= 0;
2495 IsSupportEsn
= TRUE
;
2497 ProposalData
= (IKEV2_PROPOSAL_DATA
*)((UINT8
*)(ProposalData
+ 1) +
2498 ProposalData
->NumTransforms
* sizeof (IKEV2_TRANSFORM_DATA
));
2501 ProposalData
= (IKEV2_PROPOSAL_DATA
*)((IKEV2_SA_DATA
*)SaPayload
->PayloadBuf
+ 1);
2503 ChildSaSession
->SessionCommon
.SaParams
= AllocateZeroPool (sizeof (IKEV2_SA_PARAMS
));
2504 ASSERT (ChildSaSession
->SessionCommon
.SaParams
!= NULL
);
2505 ChildSaSession
->SessionCommon
.SaParams
->EncAlgId
= PreferEncryptAlgorithm
;
2506 ChildSaSession
->SessionCommon
.SaParams
->EnckeyLen
= PreferEncryptKeylength
;
2507 ChildSaSession
->SessionCommon
.SaParams
->IntegAlgId
= PreferIntegrityAlgorithm
;
2508 CopyMem (&ChildSaSession
->RemotePeerSpi
, ProposalData
->Spi
, sizeof (ChildSaSession
->RemotePeerSpi
));
2517 Generate Key buffer from fragments.
2519 If the digest length of specified HashAlgId is larger than or equal with the
2520 required output key length, derive the key directly. Otherwise, Key Material
2521 needs to be PRF-based concatenation according to 2.13 of RFC 4306:
2522 prf+ (K,S) = T1 | T2 | T3 | T4 | ..., T1 = prf (K, S | 0x01),
2523 T2 = prf (K, T1 | S | 0x02), T3 = prf (K, T2 | S | 0x03),T4 = prf (K, T3 | S | 0x04)
2524 then derive the key from this key material.
2526 @param[in] HashAlgId The Hash Algorithm ID used to generate key.
2527 @param[in] HashKey Pointer to a key buffer which contains hash key.
2528 @param[in] HashKeyLength The length of HashKey in bytes.
2529 @param[in, out] OutputKey Pointer to buffer which is used to receive the
2531 @param[in] OutputKeyLength The length of OutPutKey buffer.
2532 @param[in] Fragments Pointer to the data to be used to generate key.
2533 @param[in] NumFragments The numbers of the Fragement.
2535 @retval EFI_SUCCESS The operation complete successfully.
2536 @retval EFI_INVALID_PARAMETER If NumFragments is zero.
2537 @retval EFI_OUT_OF_RESOURCES If the required resource can't be allocated.
2538 @retval Others The operation is failed.
2542 Ikev2SaGenerateKey (
2545 IN UINTN HashKeyLength
,
2546 IN OUT UINT8
*OutputKey
,
2547 IN UINTN OutputKeyLength
,
2548 IN PRF_DATA_FRAGMENT
*Fragments
,
2549 IN UINTN NumFragments
2553 PRF_DATA_FRAGMENT LocalFragments
[3];
2558 UINTN AuthKeyLength
;
2559 UINTN FragmentsSize
;
2562 Status
= EFI_SUCCESS
;
2564 if (NumFragments
== 0) {
2565 return EFI_INVALID_PARAMETER
;
2568 LocalFragments
[0].Data
= NULL
;
2569 LocalFragments
[1].Data
= NULL
;
2570 LocalFragments
[2].Data
= NULL
;
2572 AuthKeyLength
= IpSecGetHmacDigestLength (HashAlgId
);
2573 DigestSize
= AuthKeyLength
;
2574 Digest
= AllocateZeroPool (AuthKeyLength
);
2576 if (Digest
== NULL
) {
2577 return EFI_OUT_OF_RESOURCES
;
2580 // If the required output key length is less than the digest size,
2581 // copy the digest into OutputKey.
2583 if (OutputKeyLength
<= DigestSize
) {
2584 Status
= IpSecCryptoIoHmac (
2588 (HASH_DATA_FRAGMENT
*) Fragments
,
2593 if (EFI_ERROR (Status
)) {
2597 CopyMem (OutputKey
, Digest
, OutputKeyLength
);
2602 //Otherwise, Key Material need to be PRF-based concatenation according to 2.13
2603 //of RFC 4306: prf+ (K,S) = T1 | T2 | T3 | T4 | ..., T1 = prf (K, S | 0x01),
2604 //T2 = prf (K, T1 | S | 0x02), T3 = prf (K, T2 | S | 0x03),T4 = prf (K, T3 | S | 0x04)
2605 //then derive the key from this key material.
2608 for (Index
= 0; Index
< NumFragments
; Index
++) {
2609 FragmentsSize
= FragmentsSize
+ Fragments
[Index
].DataSize
;
2612 LocalFragments
[1].Data
= AllocateZeroPool (FragmentsSize
);
2613 ASSERT (LocalFragments
[1].Data
!= NULL
);
2614 LocalFragments
[1].DataSize
= FragmentsSize
;
2617 // Copy all input fragments into LocalFragments[1];
2620 for (Index
= 0; Index
< NumFragments
; Index
++) {
2622 LocalFragments
[1].Data
+ FragmentsSize
,
2623 Fragments
[Index
].Data
,
2624 Fragments
[Index
].DataSize
2626 FragmentsSize
= FragmentsSize
+ Fragments
[Index
].DataSize
;
2630 // Prepare 0x01 as the first tail data.
2633 LocalFragments
[2].Data
= &TailData
;
2634 LocalFragments
[2].DataSize
= sizeof (TailData
);
2636 // Allocate buffer for the first fragment
2638 LocalFragments
[0].Data
= AllocateZeroPool (AuthKeyLength
);
2639 ASSERT (LocalFragments
[0].Data
!= NULL
);
2640 LocalFragments
[0].DataSize
= AuthKeyLength
;
2642 Round
= (OutputKeyLength
- 1) / AuthKeyLength
+ 1;
2643 for (Index
= 0; Index
< Round
; Index
++) {
2644 Status
= IpSecCryptoIoHmac (
2648 (HASH_DATA_FRAGMENT
*)(Index
== 0 ? &LocalFragments
[1] : LocalFragments
),
2653 if (EFI_ERROR(Status
)) {
2657 LocalFragments
[0].Data
,
2661 if (OutputKeyLength
> DigestSize
* (Index
+ 1)) {
2663 OutputKey
+ Index
* DigestSize
,
2667 LocalFragments
[0].DataSize
= DigestSize
;
2674 OutputKey
+ Index
* DigestSize
,
2676 OutputKeyLength
- Index
* DigestSize
2683 // Only First and second Framgement Data need to be freed.
2685 for (Index
= 0 ; Index
< 2; Index
++) {
2686 if (LocalFragments
[Index
].Data
!= NULL
) {
2687 FreePool (LocalFragments
[Index
].Data
);
2690 if (Digest
!= NULL
) {