]> git.proxmox.com Git - mirror_edk2.git/blob - NetworkPkg/IpSecDxe/Ikev2/Utility.h
projects / mirror_edk2.git / blob
? search:


319b6cb32ca9ecad5d0b93561892e8802ecaf21e
[mirror_edk2.git] / NetworkPkg / IpSecDxe / Ikev2 / Utility.h
1 /** @file
2 The interfaces of IKE/Child session operations and payload related operations
3 used by IKE Exchange Process.
4
5 Copyright (c) 2010 - 2016, Intel Corporation. All rights reserved.<BR>
6
7 This program and the accompanying materials
8 are licensed and made available under the terms and conditions of the BSD License
9 which accompanies this distribution. The full text of the license may be found at
10 http://opensource.org/licenses/bsd-license.php.
11
12 THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
13 WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
14
15 **/
16
17 #ifndef _IKE_V2_UTILITY_H_
18 #define _IKE_V2_UTILITY_H_
19
20 #include "Ikev2.h"
21 #include "IkeCommon.h"
22 #include "IpSecCryptIo.h"
23
24 #include <Library/PcdLib.h>
25
26 #define IKEV2_SUPPORT_ENCRYPT_ALGORITHM_NUM 2
27 #define IKEV2_SUPPORT_PRF_ALGORITHM_NUM 1
28 #define IKEV2_SUPPORT_DH_ALGORITHM_NUM 2
29 #define IKEV2_SUPPORT_AUTH_ALGORITHM_NUM 1
30
31 /**
32 Allocate buffer for IKEV2_SA_SESSION and initialize it.
33
34 @param[in] Private Pointer to IPSEC_PRIVATE_DATA.
35 @param[in] UdpService Pointer to IKE_UDP_SERVICE related to this IKE SA Session.
36
37 @return Pointer to IKEV2_SA_SESSION.
38
39 **/
40 IKEV2_SA_SESSION *
41 Ikev2SaSessionAlloc (
42 IN IPSEC_PRIVATE_DATA *Private,
43 IN IKE_UDP_SERVICE *UdpService
44 );
45
46 /**
47 Register Establish IKEv2 SA into Private->Ikev2EstablishedList.
48
49 @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION to be registered.
50 @param[in] Private Pointer to IPSEC_PRAVATE_DATA.
51
52 **/
53 VOID
54 Ikev2SaSessionReg (
55 IN IKEV2_SA_SESSION *IkeSaSession,
56 IN IPSEC_PRIVATE_DATA *Private
57 );
58
59 /**
60 Find a IKEV2_SA_SESSION by the remote peer IP.
61
62 @param[in] SaSessionList SaSession List to be searched.
63 @param[in] RemotePeerIp Pointer to specified IP address.
64
65 @return Pointer to IKEV2_SA_SESSION if find one or NULL.
66
67 **/
68 IKEV2_SA_SESSION *
69 Ikev2SaSessionLookup (
70 IN LIST_ENTRY *SaSessionList,
71 IN EFI_IP_ADDRESS *RemotePeerIp
72 );
73
74 /**
75 Insert a IKE_SA_SESSION into IkeSaSession list. The IkeSaSession list is either
76 Private->Ikev2SaSession list or Private->Ikev2EstablishedList list.
77
78 @param[in] SaSessionList Pointer to list to be inserted into.
79 @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION to be inserted.
80 @param[in] RemotePeerIp Pointer to EFI_IP_ADDRESSS to indicate the
81 unique IKEV2_SA_SESSION.
82
83 **/
84 VOID
85 Ikev2SaSessionInsert (
86 IN LIST_ENTRY *SaSessionList,
87 IN IKEV2_SA_SESSION *IkeSaSession,
88 IN EFI_IP_ADDRESS *RemotePeerIp
89 );
90
91 /**
92 Remove the SA Session by Remote Peer IP.
93
94 @param[in] SaSessionList Pointer to list to be searched.
95 @param[in] RemotePeerIp Pointer to EFI_IP_ADDRESS to use for SA Session search.
96
97 @retval Pointer to IKEV2_SA_SESSION with the specified remote IP address.
98
99 **/
100 IKEV2_SA_SESSION *
101 Ikev2SaSessionRemove (
102 IN LIST_ENTRY *SaSessionList,
103 IN EFI_IP_ADDRESS *RemotePeerIp
104 );
105
106
107 /**
108 Marking a SA session as on deleting.
109
110 @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION.
111
112 @retval EFI_SUCCESS Find the related SA session and marked it.
113
114 **/
115 EFI_STATUS
116 Ikev2SaSessionOnDeleting (
117 IN IKEV2_SA_SESSION *IkeSaSession
118 );
119
120 /**
121 After IKE/Child SA is estiblished, close the time event and free sent packet.
122
123 @param[in] SessionCommon Pointer to a Session Common.
124
125 **/
126 VOID
127 Ikev2SessionCommonRefresh (
128 IN IKEV2_SESSION_COMMON *SessionCommon
129 );
130
131 /**
132 Free specified IKEV2 SA Session.
133
134 @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION to be freed.
135
136 **/
137 VOID
138 Ikev2SaSessionFree (
139 IN IKEV2_SA_SESSION *IkeSaSession
140 );
141
142 /**
143 Free specified Seession Common. The session common would belong to a IKE SA or
144 a Child SA.
145
146 @param[in] SessionCommon Pointer to a Session Common.
147
148 **/
149 VOID
150 Ikev2SaSessionCommonFree (
151 IN IKEV2_SESSION_COMMON *SessionCommon
152 );
153
154 /**
155 Increase the MessageID in IkeSaSession.
156
157 @param[in] IkeSaSession Pointer to a specified IKEV2_SA_SESSION.
158
159 **/
160 VOID
161 Ikev2SaSessionIncreaseMessageId (
162 IN IKEV2_SA_SESSION *IkeSaSession
163 );
164
165 /**
166 Allocate Momery for IKEV2 Child SA Session.
167
168 @param[in] UdpService Pointer to IKE_UDP_SERVICE.
169 @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION related to this Child SA
170 Session.
171
172 @retval Pointer of a new created IKEV2 Child SA Session.
173
174 **/
175 IKEV2_CHILD_SA_SESSION *
176 Ikev2ChildSaSessionAlloc (
177 IN IKE_UDP_SERVICE *UdpService,
178 IN IKEV2_SA_SESSION *IkeSaSession
179 );
180
181 /**
182 Register a established IKEv2 Child SA into IkeSaSession->ChildSaEstablishSessionList.
183 If the there is IKEV2_CHILD_SA_SESSION with same remote peer IP, remove the old one
184 then register the new one.
185
186 @param[in] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION to be registered.
187 @param[in] Private Pointer to IPSEC_PRAVATE_DATA.
188
189 **/
190 VOID
191 Ikev2ChildSaSessionReg (
192 IN IKEV2_CHILD_SA_SESSION *ChildSaSession,
193 IN IPSEC_PRIVATE_DATA *Private
194 );
195
196 /**
197 This function find the Child SA by the specified Spi.
198
199 This functin find a ChildSA session by searching the ChildSaSessionlist of
200 the input IKEV2_SA_SESSION by specified MessageID.
201
202 @param[in] SaSessionList Pointer to List to be searched.
203 @param[in] Spi Specified SPI.
204
205 @return Pointer to IKEV2_CHILD_SA_SESSION.
206
207 **/
208 IKEV2_CHILD_SA_SESSION *
209 Ikev2ChildSaSessionLookupBySpi (
210 IN LIST_ENTRY *SaSessionList,
211 IN UINT32 Spi
212 );
213
214 /**
215 Find the ChildSaSession by it's MessagId.
216
217 @param[in] SaSessionList Pointer to a ChildSaSession List.
218 @param[in] Mid The messageId used to search ChildSaSession.
219
220 @return Pointer to IKEV2_CHILD_SA_SESSION.
221
222 **/
223 IKEV2_CHILD_SA_SESSION *
224 Ikev2ChildSaSessionLookupByMid (
225 IN LIST_ENTRY *SaSessionList,
226 IN UINT32 Mid
227 );
228
229 /**
230 Insert a Child SA Session into the specified ChildSa list..
231
232 @param[in] SaSessionList Pointer to list to be inserted in.
233 @param[in] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION to be inserted.
234
235 **/
236 VOID
237 Ikev2ChildSaSessionInsert (
238 IN LIST_ENTRY *SaSessionList,
239 IN IKEV2_CHILD_SA_SESSION *ChildSaSession
240 );
241
242 /**
243 Remove the IKEV2_CHILD_SA_SESSION from IkeSaSessionList.
244
245 @param[in] SaSessionList The SA Session List to be iterated.
246 @param[in] Spi Spi used to identify the IKEV2_CHILD_SA_SESSION.
247 @param[in] ListType The type of the List to indicate whether it is a
248 Established.
249
250 @return The point to IKEV2_CHILD_SA_SESSION.
251
252 **/
253 IKEV2_CHILD_SA_SESSION *
254 Ikev2ChildSaSessionRemove (
255 IN LIST_ENTRY *SaSessionList,
256 IN UINT32 Spi,
257 IN UINT8 ListType
258 );
259
260 /**
261 Mark a specified Child SA Session as on deleting.
262
263 @param[in] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION.
264
265 @retval EFI_SUCCESS Operation is successful.
266
267 **/
268 EFI_STATUS
269 Ikev2ChildSaSessionOnDeleting (
270 IN IKEV2_CHILD_SA_SESSION *ChildSaSession
271 );
272
273 /**
274 Free the memory located for the specified IKEV2_CHILD_SA_SESSION.
275
276 @param[in] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION.
277
278 **/
279 VOID
280 Ikev2ChildSaSessionFree (
281 IN IKEV2_CHILD_SA_SESSION *ChildSaSession
282 );
283
284 /**
285 Free the specified DhBuffer.
286
287 @param[in] DhBuffer Pointer to IKEV2_DH_BUFFER to be freed.
288
289 **/
290 VOID
291 Ikev2DhBufferFree (
292 IN IKEV2_DH_BUFFER *DhBuffer
293 );
294
295 /**
296 Delete the specified established Child SA.
297
298 This function delete the Child SA directly and dont send the Information Packet to
299 remote peer.
300
301 @param[in] IkeSaSession Pointer to a IKE SA Session used to be searched for.
302 @param[in] Spi SPI used to find the Child SA.
303
304 @retval EFI_NOT_FOUND Pointer of IKE SA Session is NULL.
305 @retval EFI_NOT_FOUND There is no specified Child SA related with the input
306 SPI under this IKE SA Session.
307 @retval EFI_SUCCESS Delete the Child SA successfully.
308
309 **/
310 EFI_STATUS
311 Ikev2ChildSaSilentDelete (
312 IN IKEV2_SA_SESSION *IkeSaSession,
313 IN UINT32 Spi
314 );
315
316 /**
317 This function is to parse a request IKE packet and return its request type.
318 The request type is one of IKE CHILD SA creation, IKE SA rekeying and
319 IKE CHILD SA rekeying.
320
321 @param[in] IkePacket IKE packet to be prased.
322
323 return the type of the IKE packet.
324
325 **/
326 IKEV2_CREATE_CHILD_REQUEST_TYPE
327 Ikev2ChildExchangeRequestType(
328 IN IKE_PACKET *IkePacket
329 );
330
331 /**
332 This function finds the SPI from Create Child Sa Exchange Packet.
333
334 @param[in] IkePacket Pointer to IKE_PACKET to be searched.
335
336 @retval SPI number.
337
338 **/
339 UINT32
340 Ikev2ChildExchangeRekeySpi(
341 IN IKE_PACKET *IkePacket
342 );
343
344
345 /**
346 Associate a SPD selector to the Child SA Session.
347
348 This function is called when the Child SA is not the first child SA of its
349 IKE SA. It associate a SPD to this Child SA.
350
351 @param[in, out] ChildSaSession Pointer to the Child SA Session to be associated to
352 a SPD selector.
353
354 @retval EFI_SUCCESS Associate one SPD selector to this Child SA Session successfully.
355 @retval EFI_NOT_FOUND Can't find the related SPD selector.
356
357 **/
358 EFI_STATUS
359 Ikev2ChildSaAssociateSpdEntry (
360 IN OUT IKEV2_CHILD_SA_SESSION *ChildSaSession
361 );
362
363 /**
364 Validate the IKE header of received IKE packet.
365
366 @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION related to this IKE packet.
367 @param[in] IkeHdr Pointer to IKE header of received IKE packet.
368
369 @retval TRUE If the IKE header is valid.
370 @retval FALSE If the IKE header is invalid.
371
372 **/
373 BOOLEAN
374 Ikev2ValidateHeader (
375 IN IKEV2_SA_SESSION *IkeSaSession,
376 IN IKE_HEADER *IkeHdr
377 );
378
379 /**
380 Create and intialize IKEV2_SA_DATA for speicifed IKEV2_SESSION_COMMON.
381
382 This function will be only called by the initiator. The responder's IKEV2_SA_DATA
383 will be generated during parsed the initiator packet.
384
385 @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON related to.
386
387 @retval a Pointer to a new IKEV2_SA_DATA or NULL.
388
389 **/
390 IKEV2_SA_DATA *
391 Ikev2InitializeSaData (
392 IN IKEV2_SESSION_COMMON *SessionCommon
393 );
394
395 /**
396 Store the SA into SAD.
397
398 @param[in] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION.
399
400 **/
401 VOID
402 Ikev2StoreSaData (
403 IN IKEV2_CHILD_SA_SESSION *ChildSaSession
404 );
405
406 /**
407 Routine process before the payload decoding.
408
409 @param[in] SessionCommon Pointer to ChildSa SessionCommon.
410 @param[in] PayloadBuf Pointer to the payload.
411 @param[in] PayloadSize Size of PayloadBuf in byte.
412 @param[in] PayloadType Type of Payload.
413
414 **/
415 VOID
416 Ikev2ChildSaBeforeDecodePayload (
417 IN UINT8 *SessionCommon,
418 IN UINT8 *PayloadBuf,
419 IN UINTN PayloadSize,
420 IN UINT8 PayloadType
421 );
422
423 /**
424 Routine Process after the encode payload.
425
426 @param[in] SessionCommon Pointer to ChildSa SessionCommon.
427 @param[in] PayloadBuf Pointer to the payload.
428 @param[in] PayloadSize Size of PayloadBuf in byte.
429 @param[in] PayloadType Type of Payload.
430
431 **/
432 VOID
433 Ikev2ChildSaAfterEncodePayload (
434 IN UINT8 *SessionCommon,
435 IN UINT8 *PayloadBuf,
436 IN UINTN PayloadSize,
437 IN UINT8 PayloadType
438 );
439
440 /**
441 Generate Ikev2 SA payload according to SessionSaData
442
443 @param[in] SessionSaData The data used in SA payload.
444 @param[in] NextPayload The payload type presented in NextPayload field of
445 SA Payload header.
446 @param[in] Type The SA type. It MUST be neither (1) for IKE_SA or
447 (2) for CHILD_SA or (3) for INFO.
448
449 @retval a Pointer to SA IKE payload.
450
451 **/
452 IKE_PAYLOAD *
453 Ikev2GenerateSaPayload (
454 IN IKEV2_SA_DATA *SessionSaData,
455 IN UINT8 NextPayload,
456 IN IKE_SESSION_TYPE Type
457 );
458
459 /**
460 Generate a ID payload.
461
462 @param[in] CommonSession Pointer to IKEV2_SESSION_COMMON related to ID payload.
463 @param[in] NextPayload The payload type presented in the NextPayload field
464 of ID Payload header.
465
466 @retval Pointer to ID IKE payload.
467
468 **/
469 IKE_PAYLOAD *
470 Ikev2GenerateIdPayload (
471 IN IKEV2_SESSION_COMMON *CommonSession,
472 IN UINT8 NextPayload
473 );
474
475 /**
476 Generate a ID payload.
477
478 @param[in] CommonSession Pointer to IKEV2_SESSION_COMMON related to ID payload.
479 @param[in] NextPayload The payload type presented in the NextPayload field
480 of ID Payload header.
481 @param[in] InCert Pointer to the Certificate which distinguished name
482 will be added into the Id payload.
483 @param[in] CertSize Size of the Certificate.
484
485 @retval Pointer to ID IKE payload.
486
487 **/
488 IKE_PAYLOAD *
489 Ikev2GenerateCertIdPayload (
490 IN IKEV2_SESSION_COMMON *CommonSession,
491 IN UINT8 NextPayload,
492 IN UINT8 *InCert,
493 IN UINTN CertSize
494 );
495
496 /**
497 Generate a Nonce payload contenting the input parameter NonceBuf.
498
499 @param[in] NonceBuf The nonce buffer content the whole Nonce payload block
500 except the payload header.
501 @param[in] NonceSize The buffer size of the NonceBuf
502 @param[in] NextPayload The payload type presented in the NextPayload field
503 of Nonce Payload header.
504
505 @retval Pointer to Nonce IKE paload.
506
507 **/
508 IKE_PAYLOAD *
509 Ikev2GenerateNoncePayload (
510 IN UINT8 *NonceBuf,
511 IN UINTN NonceSize,
512 IN UINT8 NextPayload
513 );
514
515 /**
516 Generate the Notify payload.
517
518 Since the structure of Notify payload which defined in RFC 4306 is simple, so
519 there is no internal data structure for Notify payload. This function generate
520 Notify payload defined in RFC 4306, but all the fields in this payload are still
521 in host order and need call Ikev2EncodePayload() to convert those fields from
522 the host order to network order beforing sending it.
523
524 @param[in] ProtocolId The protocol type ID. For IKE_SA it MUST be one (1).
525 For IPsec SAs it MUST be neither (2) for AH or (3)
526 for ESP.
527 @param[in] NextPayload The next paylaod type in NextPayload field of
528 the Notify payload.
529 @param[in] SpiSize Size of the SPI in SPI size field of the Notify Payload.
530 @param[in] MessageType The message type in NotifyMessageType field of the
531 Notify Payload.
532 @param[in] SpiBuf Pointer to buffer contains the SPI value.
533 @param[in] NotifyData Pointer to buffer contains the notification data.
534 @param[in] NotifyDataSize The size of NotifyData in bytes.
535
536
537 @retval Pointer to IKE Notify Payload.
538
539 **/
540 IKE_PAYLOAD *
541 Ikev2GenerateNotifyPayload (
542 IN UINT8 ProtocolId,
543 IN UINT8 NextPayload,
544 IN UINT8 SpiSize,
545 IN UINT16 MessageType,
546 IN UINT8 *SpiBuf,
547 IN UINT8 *NotifyData,
548 IN UINTN NotifyDataSize
549 );
550
551 /**
552 Generate the Delete payload.
553
554 Since the structure of Delete payload which defined in RFC 4306 is simple,
555 there is no internal data structure for Delete payload. This function generate
556 Delete payload defined in RFC 4306, but all the fields in this payload are still
557 in host order and need call Ikev2EncodePayload() to convert those fields from
558 the host order to network order beforing sending it.
559
560 @param[in] IkeSaSession Pointer to IKE SA Session to be used of Delete payload generation.
561 @param[in] NextPayload The next paylaod type in NextPayload field of
562 the Delete payload.
563 @param[in] SpiSize Size of the SPI in SPI size field of the Delete Payload.
564 @param[in] SpiNum Number of SPI in NumofSPIs field of the Delete Payload.
565 @param[in] SpiBuf Pointer to buffer contains the SPI value.
566
567 @retval Pointer to IKE Delete Payload.
568
569 **/
570 IKE_PAYLOAD *
571 Ikev2GenerateDeletePayload (
572 IN IKEV2_SA_SESSION *IkeSaSession,
573 IN UINT8 NextPayload,
574 IN UINT8 SpiSize,
575 IN UINT16 SpiNum,
576 IN UINT8 *SpiBuf
577 );
578
579 /**
580 Generate the Configuration payload.
581
582 This function generates a configuration payload defined in RFC 4306, but all the
583 fields in this payload are still in host order and need call Ikev2EncodePayload()
584 to convert those fields from the host order to network order beforing sending it.
585
586 @param[in] IkeSaSession Pointer to IKE SA Session to be used for Delete payload
587 generation.
588 @param[in] NextPayload The next paylaod type in NextPayload field of
589 the Delete payload.
590 @param[in] CfgType The attribute type in the Configuration attribute.
591
592 @retval Pointer to IKE CP Payload.
593
594 **/
595 IKE_PAYLOAD *
596 Ikev2GenerateCpPayload (
597 IN IKEV2_SA_SESSION *IkeSaSession,
598 IN UINT8 NextPayload,
599 IN UINT8 CfgType
600 );
601
602 /**
603 Generate a Authentication Payload.
604
605 This function is used for both Authentication generation and verification. When the
606 IsVerify is TRUE, it create a Auth Data for verification. This function choose the
607 related IKE_SA_INIT Message for Auth data creation according to the IKE Session's type
608 and the value of IsVerify parameter.
609
610 @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION related to.
611 @param[in] IdPayload Pointer to the ID payload to be used for Authentication
612 payload generation.
613 @param[in] NextPayload The type filled into the Authentication Payload next
614 payload field.
615 @param[in] IsVerify If it is TURE, the Authentication payload is used for
616 verification.
617
618 @return pointer to IKE Authentication payload for pre-shard key method.
619
620 **/
621 IKE_PAYLOAD *
622 Ikev2PskGenerateAuthPayload (
623 IN IKEV2_SA_SESSION *IkeSaSession,
624 IN IKE_PAYLOAD *IdPayload,
625 IN UINT8 NextPayload,
626 IN BOOLEAN IsVerify
627 );
628
629 /**
630 Generate a Authentication Payload for Certificate Auth method.
631
632 This function has two functions. One is creating a local Authentication
633 Payload for sending and other is creating the remote Authentication data
634 for verification when the IsVerify is TURE.
635
636 @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION related to.
637 @param[in] IdPayload Pointer to the ID payload to be used for Authentication
638 payload generation.
639 @param[in] NextPayload The type filled into the Authentication Payload
640 next payload field.
641 @param[in] IsVerify If it is TURE, the Authentication payload is used
642 for verification.
643 @param[in] UefiPrivateKey Pointer to the UEFI private key. Ignore it when
644 verify the authenticate payload.
645 @param[in] UefiPrivateKeyLen The size of UefiPrivateKey in bytes. Ignore it
646 when verify the authenticate payload.
647 @param[in] UefiKeyPwd Pointer to the password of UEFI private key.
648 Ignore it when verify the authenticate payload.
649 @param[in] UefiKeyPwdLen The size of UefiKeyPwd in bytes.Ignore it when
650 verify the authenticate payload.
651
652 @return pointer to IKE Authentication payload for certification method.
653
654 **/
655 IKE_PAYLOAD *
656 Ikev2CertGenerateAuthPayload (
657 IN IKEV2_SA_SESSION *IkeSaSession,
658 IN IKE_PAYLOAD *IdPayload,
659 IN UINT8 NextPayload,
660 IN BOOLEAN IsVerify,
661 IN UINT8 *UefiPrivateKey,
662 IN UINTN UefiPrivateKeyLen,
663 IN UINT8 *UefiKeyPwd,
664 IN UINTN UefiKeyPwdLen
665 );
666
667 /**
668 Generate TS payload.
669
670 This function generates TSi or TSr payload according to type of next payload.
671 If the next payload is Responder TS, gereate TSi Payload. Otherwise, generate
672 TSr payload
673
674 @param[in] ChildSa Pointer to IKEV2_CHILD_SA_SESSION related to this TS payload.
675 @param[in] NextPayload The payload type presented in the NextPayload field
676 of ID Payload header.
677 @param[in] IsTunnel It indicates that if the Ts Payload is after the CP payload.
678 If yes, it means the Tsi and Tsr payload should be with
679 Max port range and address range and protocol is marked
680 as zero.
681
682 @retval Pointer to Ts IKE payload.
683
684 **/
685 IKE_PAYLOAD *
686 Ikev2GenerateTsPayload (
687 IN IKEV2_CHILD_SA_SESSION *ChildSa,
688 IN UINT8 NextPayload,
689 IN BOOLEAN IsTunnel
690 );
691
692 /**
693 Parser the Notify Cookie payload.
694
695 This function parses the Notify Cookie payload.If the Notify ProtocolId is not
696 IPSEC_PROTO_ISAKMP or if the SpiSize is not zero or if the MessageType is not
697 the COOKIE, return EFI_INVALID_PARAMETER.
698
699 @param[in] IkeNCookie Pointer to the IKE_PAYLOAD which contians the
700 Notify Cookie payload.
701 the Notify payload.
702 @param[in, out] IkeSaSession Pointer to the relevant IKE SA Session.
703
704 @retval EFI_SUCCESS The Notify Cookie Payload is valid.
705 @retval EFI_INVALID_PARAMETER The Notify Cookie Payload is invalid.
706 @retval EFI_OUT_OF_RESOURCE The required resource can't be allocated.
707
708 **/
709 EFI_STATUS
710 Ikev2ParserNotifyCookiePayload (
711 IN IKE_PAYLOAD *IkeNCookie,
712 IN OUT IKEV2_SA_SESSION *IkeSaSession
713 );
714
715 /**
716 Generate the Certificate payload or Certificate Request Payload.
717
718 Since the Certificate Payload structure is same with Certificate Request Payload,
719 the only difference is that one contains the Certificate Data, other contains
720 the acceptable certificateion CA. This function generate Certificate payload
721 or Certificate Request Payload defined in RFC 4306, but all the fields
722 in the payload are still in host order and need call Ikev2EncodePayload()
723 to convert those fields from the host order to network order beforing sending it.
724
725 @param[in] IkeSaSession Pointer to IKE SA Session to be used of Delete payload
726 generation.
727 @param[in] NextPayload The next paylaod type in NextPayload field of
728 the Delete payload.
729 @param[in] Certificate Pointer of buffer contains the certification data.
730 @param[in] CertificateLen The length of Certificate in byte.
731 @param[in] EncodeType Specified the Certificate Encodeing which is defined
732 in RFC 4306.
733 @param[in] IsRequest To indicate create Certificate Payload or Certificate
734 Request Payload. If it is TURE, create Certificate
735 Request Payload. Otherwise, create Certificate Payload.
736
737 @retval a Pointer to IKE Payload whose payload buffer containing the Certificate
738 payload or Certificated Request payload.
739
740 **/
741 IKE_PAYLOAD *
742 Ikev2GenerateCertificatePayload (
743 IN IKEV2_SA_SESSION *IkeSaSession,
744 IN UINT8 NextPayload,
745 IN UINT8 *Certificate,
746 IN UINTN CertificateLen,
747 IN UINT8 EncodeType,
748 IN BOOLEAN IsRequest
749 );
750
751 /**
752 General interface of payload encoding.
753
754 This function encode the internal data structure into payload which
755 is defined in RFC 4306. The IkePayload->PayloadBuf used to store both the input
756 payload and converted payload. Only the SA payload use the interal structure
757 to store the attribute. Other payload use structure which is same with the RFC
758 defined, for this kind payloads just do host order to network order change of
759 some fields.
760
761 @param[in] SessionCommon Pointer to IKE Session Common used to encode the payload.
762 @param[in, out] IkePayload Pointer to IKE payload to be encode as input, and
763 store the encoded result as output.
764
765 @retval EFI_INVALID_PARAMETER Meet error when encode the SA payload.
766 @retval EFI_SUCCESS Encode successfully.
767
768 **/
769 EFI_STATUS
770 Ikev2EncodePayload (
771 IN UINT8 *SessionCommon,
772 IN OUT IKE_PAYLOAD *IkePayload
773 );
774
775 /**
776 The general interface of decode Payload.
777
778 This function convert the received Payload into internal structure.
779
780 @param[in] SessionCommon Pointer to IKE Session Common to use for decoding.
781 @param[in, out] IkePayload Pointer to IKE payload to be decode as input, and
782 store the decoded result as output.
783
784 @retval EFI_INVALID_PARAMETER Meet error when decode the SA payload.
785 @retval EFI_SUCCESS Decode successfully.
786
787 **/
788 EFI_STATUS
789 Ikev2DecodePayload (
790 IN UINT8 *SessionCommon,
791 IN OUT IKE_PAYLOAD *IkePayload
792 );
793
794 /**
795 Decrypt IKE packet.
796
797 This function decrpt the Encrypted IKE packet and put the result into IkePacket->PayloadBuf.
798
799 @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON containing
800 some parameter used during decrypting.
801 @param[in, out] IkePacket Point to IKE_PACKET to be decrypted as input,
802 and the decrypted reslult as output.
803 @param[in, out] IkeType The type of IKE. IKE_SA_TYPE, IKE_INFO_TYPE and
804 IKE_CHILD_TYPE are supportted.
805
806 @retval EFI_INVALID_PARAMETER If the IKE packet length is zero or the
807 IKE packet length is not Algorithm Block Size
808 alignment.
809 @retval EFI_SUCCESS Decrypt IKE packet successfully.
810
811 **/
812 EFI_STATUS
813 Ikev2DecryptPacket (
814 IN IKEV2_SESSION_COMMON *SessionCommon,
815 IN OUT IKE_PACKET *IkePacket,
816 IN OUT UINTN IkeType
817 );
818
819 /**
820 Encrypt IKE packet.
821
822 This function encrypt IKE packet before sending it. The Encrypted IKE packet
823 is put in to IKEV2 Encrypted Payload.
824
825 @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON related to the IKE packet.
826 @param[in, out] IkePacket Pointer to IKE packet to be encrypted.
827
828 @retval EFI_SUCCESS Operation is successful.
829 @retval Others OPeration is failed.
830
831 **/
832 EFI_STATUS
833 Ikev2EncryptPacket (
834 IN IKEV2_SESSION_COMMON *SessionCommon,
835 IN OUT IKE_PACKET *IkePacket
836 );
837
838 /**
839 Encode the IKE packet.
840
841 This function put all Payloads into one payload then encrypt it if needed.
842
843 @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON containing
844 some parameter used during IKE packet encoding.
845 @param[in, out] IkePacket Pointer to IKE_PACKET to be encoded as input,
846 and the encoded reslult as output.
847 @param[in] IkeType The type of IKE. IKE_SA_TYPE, IKE_INFO_TYPE and
848 IKE_CHILD_TYPE are supportted.
849
850 @retval EFI_SUCCESS Encode IKE packet successfully.
851 @retval Otherwise Encode IKE packet failed.
852
853 **/
854 EFI_STATUS
855 Ikev2EncodePacket (
856 IN IKEV2_SESSION_COMMON *SessionCommon,
857 IN OUT IKE_PACKET *IkePacket,
858 IN UINTN IkeType
859 );
860
861 /**
862 Decode the IKE packet.
863
864 This function first decrypts the IKE packet if needed , then separats the whole
865 IKE packet from the IkePacket->PayloadBuf into IkePacket payload list.
866
867 @param[in] SessionCommon Pointer to IKEV1_SESSION_COMMON containing
868 some parameter used by IKE packet decoding.
869 @param[in, out] IkePacket The IKE Packet to be decoded on input, and
870 the decoded result on return.
871 @param[in] IkeType The type of IKE. IKE_SA_TYPE, IKE_INFO_TYPE and
872 IKE_CHILD_TYPE are supportted.
873
874 @retval EFI_SUCCESS The IKE packet is decoded successfull.
875 @retval Otherwise The IKE packet decoding is failed.
876
877 **/
878 EFI_STATUS
879 Ikev2DecodePacket (
880 IN IKEV2_SESSION_COMMON *SessionCommon,
881 IN OUT IKE_PACKET *IkePacket,
882 IN UINTN IkeType
883 );
884
885 /**
886 Save some useful payloads after accepting the Packet.
887
888 @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON related to the operation.
889 @param[in] IkePacket Pointer to received IkePacet.
890 @param[in] IkeType The type used to indicate it is in IkeSa or ChildSa or Info
891 exchange.
892
893 **/
894 VOID
895 Ikev2OnPacketAccepted (
896 IN IKEV2_SESSION_COMMON *SessionCommon,
897 IN IKE_PACKET *IkePacket,
898 IN UINT8 IkeType
899 );
900
901 /**
902 Send out IKEV2 packet.
903
904 @param[in] IkeUdpService Pointer to IKE_UDP_SERVICE used to send the IKE packet.
905 @param[in] SessionCommon Pointer to IKEV1_SESSION_COMMON related to the IKE packet.
906 @param[in] IkePacket Pointer to IKE_PACKET to be sent out.
907 @param[in] IkeType The type of IKE to point what's kind of the IKE
908 packet is to be sent out. IKE_SA_TYPE, IKE_INFO_TYPE
909 and IKE_CHILD_TYPE are supportted.
910
911 @retval EFI_SUCCESS The operation complete successfully.
912 @retval Otherwise The operation is failed.
913
914 **/
915 EFI_STATUS
916 Ikev2SendIkePacket (
917 IN IKE_UDP_SERVICE *IkeUdpService,
918 IN UINT8 *SessionCommon,
919 IN IKE_PACKET *IkePacket,
920 IN UINTN IkeType
921 );
922
923 /**
924 Callback function for the IKE life time is over.
925
926 This function will mark the related IKE SA Session as deleting and trigger a
927 Information negotiation.
928
929 @param[in] Event The time out event.
930 @param[in] Context Pointer to data passed by caller.
931
932 **/
933 VOID
934 EFIAPI
935 Ikev2LifetimeNotify (
936 IN EFI_EVENT Event,
937 IN VOID *Context
938 );
939
940 /**
941 This function will be called if the TimeOut Event is signaled.
942
943 @param[in] Event The signaled Event.
944 @param[in] Context The data passed by caller.
945
946 **/
947 VOID
948 EFIAPI
949 Ikev2ResendNotify (
950 IN EFI_EVENT Event,
951 IN VOID *Context
952 );
953
954 /**
955 Generate a Key Exchange payload according to the DH group type and save the
956 public Key into IkeSaSession IkeKey field.
957
958 @param[in, out] IkeSaSession Pointer of the IKE_SA_SESSION.
959 @param[in] NextPayload The payload type presented in the NextPayload field of Key
960 Exchange Payload header.
961
962 @retval Pointer to Key IKE payload.
963
964 **/
965 IKE_PAYLOAD *
966 Ikev2GenerateKePayload (
967 IN OUT IKEV2_SA_SESSION *IkeSaSession,
968 IN UINT8 NextPayload
969 );
970
971 /**
972 Check if the SPD is related to the input Child SA Session.
973
974 This function is the subfunction of Ikev1AssociateSpdEntry(). It is the call
975 back function of IpSecVisitConfigData().
976
977
978 @param[in] Type Type of the input Config Selector.
979 @param[in] Selector Pointer to the Configure Selector to be checked.
980 @param[in] Data Pointer to the Configure Selector's Data passed
981 from the caller.
982 @param[in] SelectorSize The buffer size of Selector.
983 @param[in] DataSize The buffer size of the Data.
984 @param[in] Context The data passed from the caller. It is a Child
985 SA Session in this context.
986
987 @retval EFI_SUCCESS The SPD Selector is not related to the Child SA Session.
988 @retval EFI_ABORTED The SPD Selector is related to the Child SA session and
989 set the ChildSaSession->Spd to point to this SPD Selector.
990
991 **/
992 EFI_STATUS
993 Ikev2MatchSpdEntry (
994 IN EFI_IPSEC_CONFIG_DATA_TYPE Type,
995 IN EFI_IPSEC_CONFIG_SELECTOR *Selector,
996 IN VOID *Data,
997 IN UINTN SelectorSize,
998 IN UINTN DataSize,
999 IN VOID *Context
1000 );
1001
1002 /**
1003 Check if the Algorithm ID is supported.
1004
1005 @param[in] AlgorithmId The specified Algorithm ID.
1006 @param[in] Type The type used to indicate the Algorithm is for Encrypt or
1007 Authentication.
1008
1009 @retval TRUE If the Algorithm ID is supported.
1010 @retval FALSE If the Algorithm ID is not supported.
1011
1012 **/
1013 BOOLEAN
1014 Ikev2IsSupportAlg (
1015 IN UINT16 AlgorithmId,
1016 IN UINT8 Type
1017 );
1018
1019 /**
1020 Generate a ChildSa Session and insert it into related IkeSaSession.
1021
1022 @param[in] IkeSaSession Pointer to related IKEV2_SA_SESSION.
1023 @param[in] UdpService Pointer to related IKE_UDP_SERVICE.
1024
1025 @return pointer of IKEV2_CHILD_SA_SESSION.
1026
1027 **/
1028 IKEV2_CHILD_SA_SESSION *
1029 Ikev2ChildSaSessionCreate (
1030 IN IKEV2_SA_SESSION *IkeSaSession,
1031 IN IKE_UDP_SERVICE *UdpService
1032 ) ;
1033
1034 /**
1035 Parse the received Initial Exchange Packet.
1036
1037 This function parse the SA Payload and Key Payload to find out the cryptographic
1038 suite for the further IKE negotiation and fill it into the IKE SA Session's
1039 CommonSession->SaParams.
1040
1041 @param[in, out] IkeSaSession Pointer to related IKEV2_SA_SESSION.
1042 @param[in] SaPayload The received packet.
1043 @param[in] Type The received packet IKE header flag.
1044
1045 @retval TRUE If the SA proposal in Packet is acceptable.
1046 @retval FALSE If the SA proposal in Packet is not acceptable.
1047
1048 **/
1049 BOOLEAN
1050 Ikev2SaParseSaPayload (
1051 IN OUT IKEV2_SA_SESSION *IkeSaSession,
1052 IN IKE_PAYLOAD *SaPayload,
1053 IN UINT8 Type
1054 );
1055
1056 /**
1057 Parse the received Authentication Exchange Packet.
1058
1059 This function parse the SA Payload and Key Payload to find out the cryptographic
1060 suite for the ESP and fill it into the Child SA Session's CommonSession->SaParams.
1061
1062 @param[in, out] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION related to
1063 this Authentication Exchange.
1064 @param[in] SaPayload The received packet.
1065 @param[in] Type The IKE header's flag of received packet .
1066
1067 @retval TRUE If the SA proposal in Packet is acceptable.
1068 @retval FALSE If the SA proposal in Packet is not acceptable.
1069
1070 **/
1071 BOOLEAN
1072 Ikev2ChildSaParseSaPayload (
1073 IN OUT IKEV2_CHILD_SA_SESSION *ChildSaSession,
1074 IN IKE_PAYLOAD *SaPayload,
1075 IN UINT8 Type
1076 );
1077
1078 /**
1079 Generate Key buffer from fragments.
1080
1081 If the digest length of specified HashAlgId is larger than or equal with the
1082 required output key length, derive the key directly. Otherwise, Key Material
1083 needs to be PRF-based concatenation according to 2.13 of RFC 4306:
1084 prf+ (K,S) = T1 | T2 | T3 | T4 | ..., T1 = prf (K, S | 0x01),
1085 T2 = prf (K, T1 | S | 0x02), T3 = prf (K, T2 | S | 0x03),T4 = prf (K, T3 | S | 0x04)
1086 then derive the key from this key material.
1087
1088 @param[in] HashAlgId The Hash Algorithm ID used to generate key.
1089 @param[in] HashKey Pointer to a key buffer which contains hash key.
1090 @param[in] HashKeyLength The length of HashKey in bytes.
1091 @param[in, out] OutputKey Pointer to buffer which is used to receive the
1092 output key.
1093 @param[in] OutputKeyLength The length of OutPutKey buffer.
1094 @param[in] Fragments Pointer to the data to be used to generate key.
1095 @param[in] NumFragments The numbers of the Fragement.
1096
1097 @retval EFI_SUCCESS The operation complete successfully.
1098 @retval EFI_INVALID_PARAMETER If NumFragments is zero.
1099 @retval EFI_OUT_OF_RESOURCES If the required resource can't be allocated.
1100 @retval Others The operation is failed.
1101
1102 **/
1103 EFI_STATUS
1104 Ikev2SaGenerateKey (
1105 IN UINT8 HashAlgId,
1106 IN UINT8 *HashKey,
1107 IN UINTN HashKeyLength,
1108 IN OUT UINT8 *OutputKey,
1109 IN UINTN OutputKeyLength,
1110 IN PRF_DATA_FRAGMENT *Fragments,
1111 IN UINTN NumFragments
1112 );
1113
1114 /**
1115 Copy ChildSaSession->Spd->Selector to ChildSaSession->SpdSelector.
1116
1117 ChildSaSession->SpdSelector stores the real Spdselector for its SA. Sometime,
1118 the SpdSelector in ChildSaSession is more accurated or the scope is smaller
1119 than the one in ChildSaSession->Spd, especially for the tunnel mode.
1120
1121 @param[in, out] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION related to.
1122
1123 @retval EFI_SUCCESS The operation complete successfully.
1124 @retval EFI_OUT_OF_RESOURCES If the required resource can't be allocated.
1125
1126 **/
1127 EFI_STATUS
1128 Ikev2ChildSaSessionSpdSelectorCreate (
1129 IN OUT IKEV2_CHILD_SA_SESSION *ChildSaSession
1130 );
1131
1132 extern IKE_ALG_GUID_INFO mIPsecEncrAlgInfo[];
1133 #endif
1134
EFI Development Kit II mirror for PVE