1 /** @file
2 The interfaces of IKE/Child session operations and payload related operations
3 used by IKE Exchange Process.
4
5 Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>
6
7 This program and the accompanying materials
8 are licensed and made available under the terms and conditions of the BSD License
9 which accompanies this distribution. The full text of the license may be found at
10 http://opensource.org/licenses/bsd-license.php.
11
12 THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
13 WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
14
15 **/
16
17 #ifndef _IKE_V2_UTILITY_H_
18 #define _IKE_V2_UTILITY_H_
19
20 #include "Ikev2.h"
21 #include "IkeCommon.h"
22 #include "IpSecCryptIo.h"
23
24 #include <Library/PcdLib.h>
25
26 #define IKEV2_SUPPORT_ENCRYPT_ALGORITHM_NUM 2
27 #define IKEV2_SUPPORT_PRF_ALGORITHM_NUM 1
28 #define IKEV2_SUPPORT_DH_ALGORITHM_NUM 2
29 #define IKEV2_SUPPORT_AUTH_ALGORITHM_NUM 1
30
31 /**
32 Allocate buffer for IKEV2_SA_SESSION and initialize it.
33
34 @param[in] Private Pointer to IPSEC_PRIVATE_DATA.
35 @param[in] UdpService Pointer to IKE_UDP_SERVICE related to this IKE SA Session.
36
37 @return Pointer to IKEV2_SA_SESSION.
38
39 **/
40 IKEV2_SA_SESSION *
41 Ikev2SaSessionAlloc (
42 IN IPSEC_PRIVATE_DATA *Private,
43 IN IKE_UDP_SERVICE *UdpService
44 );
45
46 /**
47 Register Establish IKEv2 SA into Private->Ikev2EstablishedList.
48
49 @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION to be registered.
50 @param[in] Private Pointer to IPSEC_PRIVATE_DATA.
51
52 **/
53 VOID
54 Ikev2SaSessionReg (
55 IN IKEV2_SA_SESSION *IkeSaSession,
56 IN IPSEC_PRIVATE_DATA *Private
57 );
58
59 /**
60 Find an IKEV2_SA_SESSION by the remote peer IP.
61
62 @param[in] SaSessionList SaSession List to be searched.
63 @param[in] RemotePeerIp Pointer to specified IP address.
64
65 @return Pointer to IKEV2_SA_SESSION if find one or NULL.
66
67 **/
68 IKEV2_SA_SESSION *
69 Ikev2SaSessionLookup (
70 IN LIST_ENTRY *SaSessionList,
71 IN EFI_IP_ADDRESS *RemotePeerIp
72 );
73
74 /**
75 Insert an IKEV2_SA_SESSION into an IkeSaSession list. The IkeSaSession list is either
76 the Private->Ikev2SaSession list or the Private->Ikev2EstablishedList list.
77
78 @param[in] SaSessionList Pointer to list to be inserted into.
79 @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION to be inserted.
80 @param[in] RemotePeerIp Pointer to EFI_IP_ADDRESS that identifies the
81 unique IKEV2_SA_SESSION.
82
83 **/
84 VOID
85 Ikev2SaSessionInsert (
86 IN LIST_ENTRY *SaSessionList,
87 IN IKEV2_SA_SESSION *IkeSaSession,
88 IN EFI_IP_ADDRESS *RemotePeerIp
89 );
90
91 /**
92 Remove the SA Session by Remote Peer IP.
93
94 @param[in] SaSessionList Pointer to list to be searched.
95 @param[in] RemotePeerIp Pointer to EFI_IP_ADDRESS to use for SA Session search.
96
97 @return Pointer to the IKEV2_SA_SESSION with the specified remote IP address.
98
99 **/
100 IKEV2_SA_SESSION *
101 Ikev2SaSessionRemove (
102 IN LIST_ENTRY *SaSessionList,
103 IN EFI_IP_ADDRESS *RemotePeerIp
104 );
105
106
107 /**
108 After the IKE/Child SA is established, close the timer event and free the sent packet.
109
110 @param[in] SessionCommon Pointer to a Session Common.
111
112 **/
113 VOID
114 Ikev2SessionCommonRefresh (
115 IN IKEV2_SESSION_COMMON *SessionCommon
116 );
117
118 /**
119 Free specified IKEV2 SA Session.
120
121 @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION to be freed.
122
123 **/
124 VOID
125 Ikev2SaSessionFree (
126 IN IKEV2_SA_SESSION *IkeSaSession
127 );
128
129 /**
130 Free the specified Session Common. The session common may belong to an IKE SA or
131 a Child SA.
132
133 @param[in] SessionCommon Pointer to a Session Common.
134
135 **/
136 VOID
137 Ikev2SaSessionCommonFree (
138 IN IKEV2_SESSION_COMMON *SessionCommon
139 );
140
141 /**
142 Increase the MessageID in IkeSaSession.
143
144 @param[in] IkeSaSession Pointer to a specified IKEV2_SA_SESSION.
145
146 **/
147 VOID
148 Ikev2SaSessionIncreaseMessageId (
149 IN IKEV2_SA_SESSION *IkeSaSession
150 );
151
152 /**
153 Allocate memory for an IKEV2 Child SA Session.
154
155 @param[in] UdpService Pointer to IKE_UDP_SERVICE.
156 @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION related to this Child SA
157 Session.
158
159 @return Pointer to the newly created IKEV2 Child SA Session.
160
161 **/
162 IKEV2_CHILD_SA_SESSION *
163 Ikev2ChildSaSessionAlloc (
164 IN IKE_UDP_SERVICE *UdpService,
165 IN IKEV2_SA_SESSION *IkeSaSession
166 );
167
168 /**
169 Register an established IKEv2 Child SA into IkeSaSession->ChildSaEstablishSessionList.
170 If there is already an IKEV2_CHILD_SA_SESSION with the same remote peer IP, remove the old one
171 and then register the new one.
172
173 @param[in] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION to be registered.
174 @param[in] Private Pointer to IPSEC_PRIVATE_DATA.
175
176 **/
177 VOID
178 Ikev2ChildSaSessionReg (
179 IN IKEV2_CHILD_SA_SESSION *ChildSaSession,
180 IN IPSEC_PRIVATE_DATA *Private
181 );
182
183 /**
184 Find the Child SA by the specified SPI.
185
186 This function finds a Child SA session by searching the ChildSaSession list of
187 the input IKEV2_SA_SESSION for the specified SPI.
188
189 @param[in] SaSessionList Pointer to List to be searched.
190 @param[in] Spi Specified SPI.
191
192 @return Pointer to IKEV2_CHILD_SA_SESSION.
193
194 **/
195 IKEV2_CHILD_SA_SESSION *
196 Ikev2ChildSaSessionLookupBySpi (
197 IN LIST_ENTRY *SaSessionList,
198 IN UINT32 Spi
199 );
200
201
202 /**
203 Insert a Child SA Session into the specified ChildSa list.
204
205 @param[in] SaSessionList Pointer to list to be inserted in.
206 @param[in] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION to be inserted.
207
208 **/
209 VOID
210 Ikev2ChildSaSessionInsert (
211 IN LIST_ENTRY *SaSessionList,
212 IN IKEV2_CHILD_SA_SESSION *ChildSaSession
213 );
214
215 /**
216 Remove the IKEV2_CHILD_SA_SESSION from IkeSaSessionList.
217
218 @param[in] SaSessionList The SA Session List to be iterated.
219 @param[in] Spi Spi used to identify the IKEV2_CHILD_SA_SESSION.
220 @param[in] ListType The type of the list, indicating whether it is the
221 established list.
222
223 @return The pointer to the IKEV2_CHILD_SA_SESSION.
224
225 **/
226 IKEV2_CHILD_SA_SESSION *
227 Ikev2ChildSaSessionRemove (
228 IN LIST_ENTRY *SaSessionList,
229 IN UINT32 Spi,
230 IN UINT8 ListType
231 );
232
233
234 /**
235 Free the memory allocated for the specified IKEV2_CHILD_SA_SESSION.
236
237 @param[in] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION.
238
239 **/
240 VOID
241 Ikev2ChildSaSessionFree (
242 IN IKEV2_CHILD_SA_SESSION *ChildSaSession
243 );
244
245 /**
246 Free the specified DhBuffer.
247
248 @param[in] DhBuffer Pointer to IKEV2_DH_BUFFER to be freed.
249
250 **/
251 VOID
252 Ikev2DhBufferFree (
253 IN IKEV2_DH_BUFFER *DhBuffer
254 );
255
256 /**
257 Delete the specified established Child SA.
258
259 This function deletes the Child SA directly and does not send an Informational packet to
260 the remote peer.
261
262 @param[in] IkeSaSession Pointer to a IKE SA Session used to be searched for.
263 @param[in] Spi SPI used to find the Child SA.
264
265 @retval EFI_NOT_FOUND The IkeSaSession pointer is NULL.
266 @retval EFI_NOT_FOUND There is no specified Child SA related with the input
267 SPI under this IKE SA Session.
268 @retval EFI_SUCCESS Delete the Child SA successfully.
269
270 **/
271 EFI_STATUS
272 Ikev2ChildSaSilentDelete (
273 IN IKEV2_SA_SESSION *IkeSaSession,
274 IN UINT32 Spi
275 );
276
277 /**
278 Parse a request IKE packet and return its request type.
279 The request type is one of IKE CHILD SA creation, IKE SA rekeying and
280 IKE CHILD SA rekeying.
281
282 @param[in] IkePacket IKE packet to be parsed.
283
284 @return The type of the IKE packet.
285
286 **/
287 IKEV2_CREATE_CHILD_REQUEST_TYPE
288 Ikev2ChildExchangeRequestType(
289 IN IKE_PACKET *IkePacket
290 );
291
292
293 /**
294 Associate a SPD selector to the Child SA Session.
295
296 This function is called when the Child SA is not the first Child SA of its
297 IKE SA. It associates an SPD selector with this Child SA.
298
299 @param[in, out] ChildSaSession Pointer to the Child SA Session to be associated to
300 a SPD selector.
301
302 @retval EFI_SUCCESS Associate one SPD selector to this Child SA Session successfully.
303 @retval EFI_NOT_FOUND Can't find the related SPD selector.
304
305 **/
306 EFI_STATUS
307 Ikev2ChildSaAssociateSpdEntry (
308 IN OUT IKEV2_CHILD_SA_SESSION *ChildSaSession
309 );
310
311 /**
312 Validate the IKE header of received IKE packet.
313
314 @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION related to this IKE packet.
315 @param[in] IkeHdr Pointer to IKE header of received IKE packet.
316
317 @retval TRUE If the IKE header is valid.
318 @retval FALSE If the IKE header is invalid.
319
320 **/
321 BOOLEAN
322 Ikev2ValidateHeader (
323 IN IKEV2_SA_SESSION *IkeSaSession,
324 IN IKE_HEADER *IkeHdr
325 );
326
327 /**
328 Create and initialize IKEV2_SA_DATA for the specified IKEV2_SESSION_COMMON.
329
330 This function will only be called by the initiator. The responder's IKEV2_SA_DATA
331 will be generated while parsing the initiator's packet.
332
333 @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON related to.
334
335 @return Pointer to a new IKEV2_SA_DATA, or NULL.
336
337 **/
338 IKEV2_SA_DATA *
339 Ikev2InitializeSaData (
340 IN IKEV2_SESSION_COMMON *SessionCommon
341 );
342
343 /**
344 Store the SA into SAD.
345
346 @param[in] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION.
347
348 **/
349 VOID
350 Ikev2StoreSaData (
351 IN IKEV2_CHILD_SA_SESSION *ChildSaSession
352 );
353
354 /**
355 Routine run before the payload decoding.
356
357 @param[in] SessionCommon Pointer to ChildSa SessionCommon.
358 @param[in] PayloadBuf Pointer to the payload.
359 @param[in] PayloadSize Size of PayloadBuf in byte.
360 @param[in] PayloadType Type of Payload.
361
362 **/
363 VOID
364 Ikev2ChildSaBeforeDecodePayload (
365 IN UINT8 *SessionCommon,
366 IN UINT8 *PayloadBuf,
367 IN UINTN PayloadSize,
368 IN UINT8 PayloadType
369 );
370
371 /**
372 Routine run after the payload encoding.
373
374 @param[in] SessionCommon Pointer to ChildSa SessionCommon.
375 @param[in] PayloadBuf Pointer to the payload.
376 @param[in] PayloadSize Size of PayloadBuf in byte.
377 @param[in] PayloadType Type of Payload.
378
379 **/
380 VOID
381 Ikev2ChildSaAfterEncodePayload (
382 IN UINT8 *SessionCommon,
383 IN UINT8 *PayloadBuf,
384 IN UINTN PayloadSize,
385 IN UINT8 PayloadType
386 );
387
388 /**
389 Generate an IKEv2 SA payload according to SessionSaData.
390
391 @param[in] SessionSaData The data used in SA payload.
392 @param[in] NextPayload The payload type presented in NextPayload field of
393 SA Payload header.
394 @param[in] Type The SA type. It MUST be either (1) for IKE_SA,
395 (2) for CHILD_SA or (3) for INFO.
396
397 @return Pointer to the SA IKE payload.
398
399 **/
400 IKE_PAYLOAD *
401 Ikev2GenerateSaPayload (
402 IN IKEV2_SA_DATA *SessionSaData,
403 IN UINT8 NextPayload,
404 IN IKE_SESSION_TYPE Type
405 );
406
407 /**
408 Generate an ID payload.
409
410 @param[in] CommonSession Pointer to IKEV2_SESSION_COMMON related to ID payload.
411 @param[in] NextPayload The payload type presented in the NextPayload field
412 of ID Payload header.
413
414 @return Pointer to the ID IKE payload.
415
416 **/
417 IKE_PAYLOAD *
418 Ikev2GenerateIdPayload (
419 IN IKEV2_SESSION_COMMON *CommonSession,
420 IN UINT8 NextPayload
421 );
422
423 /**
424 Generate an ID payload carrying the distinguished name of a certificate.
425
426 @param[in] CommonSession Pointer to IKEV2_SESSION_COMMON related to ID payload.
427 @param[in] NextPayload The payload type presented in the NextPayload field
428 of ID Payload header.
429 @param[in] InCert Pointer to the Certificate which distinguished name
430 will be added into the Id payload.
431 @param[in] CertSize Size of the Certificate.
432
433 @return Pointer to the ID IKE payload.
434
435 **/
436 IKE_PAYLOAD *
437 Ikev2GenerateCertIdPayload (
438 IN IKEV2_SESSION_COMMON *CommonSession,
439 IN UINT8 NextPayload,
440 IN UINT8 *InCert,
441 IN UINTN CertSize
442 );
443
444 /**
445 Generate a Nonce payload containing the input parameter NonceBuf.
446
447 @param[in] NonceBuf The nonce buffer containing the whole Nonce payload block
448 except the payload header.
449 @param[in] NonceSize The buffer size of the NonceBuf
450 @param[in] NextPayload The payload type presented in the NextPayload field
451 of Nonce Payload header.
452
453 @return Pointer to the Nonce IKE payload.
454
455 **/
456 IKE_PAYLOAD *
457 Ikev2GenerateNoncePayload (
458 IN UINT8 *NonceBuf,
459 IN UINTN NonceSize,
460 IN UINT8 NextPayload
461 );
462
463 /**
464 Generate the Notify payload.
465
466 Since the structure of the Notify payload defined in RFC 4306 is simple,
467 there is no internal data structure for the Notify payload. This function generates
468 the Notify payload defined in RFC 4306, but all the fields in this payload are still
469 in host order; Ikev2EncodePayload() must be called to convert those fields from
470 host order to network order before sending it.
471
472 @param[in] ProtocolId The protocol type ID. For IKE_SA it MUST be one (1).
473 For IPsec SAs it MUST be either (2) for AH or (3)
474 for ESP.
475 @param[in] NextPayload The next payload type in the NextPayload field of
476 the Notify payload.
477 @param[in] SpiSize Size of the SPI in SPI size field of the Notify Payload.
478 @param[in] MessageType The message type in NotifyMessageType field of the
479 Notify Payload.
480 @param[in] SpiBuf Pointer to buffer contains the SPI value.
481 @param[in] NotifyData Pointer to buffer contains the notification data.
482 @param[in] NotifyDataSize The size of NotifyData in bytes.
483
484
485 @retval Pointer to IKE Notify Payload.
486
487 **/
488 IKE_PAYLOAD *
489 Ikev2GenerateNotifyPayload (
490 IN UINT8 ProtocolId,
491 IN UINT8 NextPayload,
492 IN UINT8 SpiSize,
493 IN UINT16 MessageType,
494 IN UINT8 *SpiBuf,
495 IN UINT8 *NotifyData,
496 IN UINTN NotifyDataSize
497 );
498
499 /**
500 Generate the Delete payload.
501
502 Since the structure of the Delete payload defined in RFC 4306 is simple,
503 there is no internal data structure for the Delete payload. This function generates
504 the Delete payload defined in RFC 4306, but all the fields in this payload are still
505 in host order; Ikev2EncodePayload() must be called to convert those fields from
506 host order to network order before sending it.
507
508 @param[in] IkeSaSession Pointer to IKE SA Session to be used of Delete payload generation.
509 @param[in] NextPayload The next payload type in the NextPayload field of
510 the Delete payload.
511 @param[in] SpiSize Size of the SPI in SPI size field of the Delete Payload.
512 @param[in] SpiNum Number of SPI in NumofSPIs field of the Delete Payload.
513 @param[in] SpiBuf Pointer to buffer contains the SPI value.
514
515 @retval Pointer to IKE Delete Payload.
516
517 **/
518 IKE_PAYLOAD *
519 Ikev2GenerateDeletePayload (
520 IN IKEV2_SA_SESSION *IkeSaSession,
521 IN UINT8 NextPayload,
522 IN UINT8 SpiSize,
523 IN UINT16 SpiNum,
524 IN UINT8 *SpiBuf
525 );
526
527 /**
528 Generate the Configuration payload.
529
530 This function generates a Configuration payload defined in RFC 4306, but all the
531 fields in this payload are still in host order; Ikev2EncodePayload() must be called
532 to convert those fields from host order to network order before sending it.
533
534 @param[in] IkeSaSession Pointer to IKE SA Session to be used for Configuration payload
535 generation.
536 @param[in] NextPayload The next payload type in the NextPayload field of
537 the Configuration payload.
538 @param[in] CfgType The attribute type in the Configuration attribute.
539
540 @retval Pointer to IKE CP Payload.
541
542 **/
543 IKE_PAYLOAD *
544 Ikev2GenerateCpPayload (
545 IN IKEV2_SA_SESSION *IkeSaSession,
546 IN UINT8 NextPayload,
547 IN UINT8 CfgType
548 );
549
550 /**
551 Generate an Authentication Payload.
552
553 This function is used for both Authentication generation and verification. When
554 IsVerify is TRUE, it creates the Auth Data for verification. This function chooses the
555 related IKE_SA_INIT Message for Auth data creation according to the IKE Session's type
556 and the value of the IsVerify parameter.
557
558 @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION related to.
559 @param[in] IdPayload Pointer to the ID payload to be used for Authentication
560 payload generation.
561 @param[in] NextPayload The type filled into the Authentication Payload next
562 payload field.
563 @param[in] IsVerify If it is TRUE, the Authentication payload is used for
564 verification.
565
566 @return Pointer to the IKE Authentication payload for the pre-shared key method.
567
568 **/
569 IKE_PAYLOAD *
570 Ikev2PskGenerateAuthPayload (
571 IN IKEV2_SA_SESSION *IkeSaSession,
572 IN IKE_PAYLOAD *IdPayload,
573 IN UINT8 NextPayload,
574 IN BOOLEAN IsVerify
575 );
576
577 /**
578 Generate an Authentication Payload for the Certificate Auth method.
579
580 This function serves two purposes. One is creating a local Authentication
581 Payload for sending; the other is creating the remote Authentication data
582 for verification when IsVerify is TRUE.
583
584 @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION related to.
585 @param[in] IdPayload Pointer to the ID payload to be used for Authentication
586 payload generation.
587 @param[in] NextPayload The type filled into the Authentication Payload
588 next payload field.
589 @param[in] IsVerify If it is TRUE, the Authentication payload is used
590 for verification.
591 @param[in] UefiPrivateKey Pointer to the UEFI private key. Ignored when
592 verifying the Authentication payload.
593 @param[in] UefiPrivateKeyLen The size of UefiPrivateKey in bytes. Ignored
594 when verifying the Authentication payload.
595 @param[in] UefiKeyPwd Pointer to the password of the UEFI private key.
596 Ignored when verifying the Authentication payload.
597 @param[in] UefiKeyPwdLen The size of UefiKeyPwd in bytes. Ignored when
598 verifying the Authentication payload.
599
600 @return Pointer to the IKE Authentication payload for the certificate method.
601
602 **/
603 IKE_PAYLOAD *
604 Ikev2CertGenerateAuthPayload (
605 IN IKEV2_SA_SESSION *IkeSaSession,
606 IN IKE_PAYLOAD *IdPayload,
607 IN UINT8 NextPayload,
608 IN BOOLEAN IsVerify,
609 IN UINT8 *UefiPrivateKey,
610 IN UINTN UefiPrivateKeyLen,
611 IN UINT8 *UefiKeyPwd,
612 IN UINTN UefiKeyPwdLen
613 );
614
615 /**
616 Generate TS payload.
617
618 This function generates a TSi or TSr payload according to the type of the next payload.
619 If the next payload is Responder TS, generate the TSi Payload. Otherwise, generate the
620 TSr payload.
621
622 @param[in] ChildSa Pointer to IKEV2_CHILD_SA_SESSION related to this TS payload.
623 @param[in] NextPayload The payload type presented in the NextPayload field
624 of the TS Payload header.
625 @param[in] IsTunnel It indicates that if the Ts Payload is after the CP payload.
626 If yes, it means the Tsi and Tsr payload should be with
627 Max port range and address range and protocol is marked
628 as zero.
629
630 @return Pointer to the TS IKE payload.
631
632 **/
633 IKE_PAYLOAD *
634 Ikev2GenerateTsPayload (
635 IN IKEV2_CHILD_SA_SESSION *ChildSa,
636 IN UINT8 NextPayload,
637 IN BOOLEAN IsTunnel
638 );
639
640 /**
641 Parse the Notify Cookie payload.
642
643 This function parses the Notify Cookie payload. If the Notify ProtocolId is not
644 IPSEC_PROTO_ISAKMP, or if the SpiSize is not zero, or if the MessageType is not
645 COOKIE, return EFI_INVALID_PARAMETER.
646
647 @param[in] IkeNCookie Pointer to the IKE_PAYLOAD which contains
648 the Notify Cookie payload.
649
650 @param[in, out] IkeSaSession Pointer to the relevant IKE SA Session.
651
652 @retval EFI_SUCCESS The Notify Cookie Payload is valid.
653 @retval EFI_INVALID_PARAMETER The Notify Cookie Payload is invalid.
654 @retval EFI_OUT_OF_RESOURCES The required resource can't be allocated.
655
656 **/
657 EFI_STATUS
658 Ikev2ParserNotifyCookiePayload (
659 IN IKE_PAYLOAD *IkeNCookie,
660 IN OUT IKEV2_SA_SESSION *IkeSaSession
661 );
662
663 /**
664 Generate the Certificate payload or Certificate Request Payload.
665
666 Since the Certificate Payload structure is the same as the Certificate Request Payload,
667 the only difference is that one contains the Certificate Data and the other contains
668 the acceptable certification CAs. This function generates the Certificate payload
669 or Certificate Request Payload defined in RFC 4306, but all the fields
670 in the payload are still in host order; Ikev2EncodePayload() must be called
671 to convert those fields from host order to network order before sending it.
672
673 @param[in] IkeSaSession Pointer to IKE SA Session to be used for Certificate payload
674 generation.
675 @param[in] NextPayload The next payload type in the NextPayload field of
676 the Certificate payload.
677 @param[in] Certificate Pointer of buffer contains the certification data.
678 @param[in] CertificateLen The length of Certificate in byte.
679 @param[in] EncodeType Specifies the Certificate Encoding as defined
680 in RFC 4306.
681 @param[in] IsRequest Indicates whether to create a Certificate Payload or a Certificate
682 Request Payload. If it is TRUE, create a Certificate
683 Request Payload. Otherwise, create a Certificate Payload.
684
685 @return Pointer to the IKE Payload whose payload buffer contains the Certificate
686 payload or Certificate Request payload.
687
688 **/
689 IKE_PAYLOAD *
690 Ikev2GenerateCertificatePayload (
691 IN IKEV2_SA_SESSION *IkeSaSession,
692 IN UINT8 NextPayload,
693 IN UINT8 *Certificate,
694 IN UINTN CertificateLen,
695 IN UINT8 EncodeType,
696 IN BOOLEAN IsRequest
697 );
698
699 /**
700 General interface of payload encoding.
701
702 This function encodes the internal data structure into the payload format
703 defined in RFC 4306. IkePayload->PayloadBuf is used to store both the input
704 payload and the converted payload. Only the SA payload uses an internal structure
705 to store its attributes. Other payloads use a structure identical to the one the RFC
706 defines, so for those payloads only a host-order to network-order conversion of
707 some fields is performed.
708
709 @param[in] SessionCommon Pointer to IKE Session Common used to encode the payload.
710 @param[in, out] IkePayload Pointer to IKE payload to be encode as input, and
711 store the encoded result as output.
712
713 @retval EFI_INVALID_PARAMETER Meet error when encode the SA payload.
714 @retval EFI_SUCCESS Encode successfully.
715
716 **/
717 EFI_STATUS
718 Ikev2EncodePayload (
719 IN UINT8 *SessionCommon,
720 IN OUT IKE_PAYLOAD *IkePayload
721 );
722
723 /**
724 The general interface of payload decoding.
725
726 This function converts the received Payload into the internal structure.
727
728 @param[in] SessionCommon Pointer to IKE Session Common to use for decoding.
729 @param[in, out] IkePayload Pointer to IKE payload to be decode as input, and
730 store the decoded result as output.
731
732 @retval EFI_INVALID_PARAMETER Meet error when decode the SA payload.
733 @retval EFI_SUCCESS Decode successfully.
734
735 **/
736 EFI_STATUS
737 Ikev2DecodePayload (
738 IN UINT8 *SessionCommon,
739 IN OUT IKE_PAYLOAD *IkePayload
740 );
741
742 /**
743 Decrypt IKE packet.
744
745 This function decrypts the Encrypted IKE packet and puts the result into IkePacket->PayloadBuf.
746
747 @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON containing
748 some parameter used during decrypting.
749 @param[in, out] IkePacket Pointer to IKE_PACKET to be decrypted as input,
750 and the decrypted result as output.
751 @param[in, out] IkeType The type of IKE. IKE_SA_TYPE, IKE_INFO_TYPE and
752 IKE_CHILD_TYPE are supported.
753
754 @retval EFI_INVALID_PARAMETER If the IKE packet length is zero or the
755 IKE packet length is not aligned to the Algorithm
756 Block Size.
757 @retval EFI_SUCCESS Decrypt IKE packet successfully.
758
759 **/
760 EFI_STATUS
761 Ikev2DecryptPacket (
762 IN IKEV2_SESSION_COMMON *SessionCommon,
763 IN OUT IKE_PACKET *IkePacket,
764 IN OUT UINTN IkeType
765 );
766
767 /**
768 Encrypt IKE packet.
769
770 This function encrypts the IKE packet before sending it. The encrypted IKE packet
771 is put into the IKEV2 Encrypted Payload.
772
773 @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON related to the IKE packet.
774 @param[in, out] IkePacket Pointer to IKE packet to be encrypted.
775
776 @retval EFI_SUCCESS Operation is successful.
777 @retval Others The operation failed.
778
779 **/
780 EFI_STATUS
781 Ikev2EncryptPacket (
782 IN IKEV2_SESSION_COMMON *SessionCommon,
783 IN OUT IKE_PACKET *IkePacket
784 );
785
786 /**
787 Encode the IKE packet.
788
789 This function puts all Payloads into one payload, then encrypts it if needed.
790
791 @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON containing
792 some parameter used during IKE packet encoding.
793 @param[in, out] IkePacket Pointer to IKE_PACKET to be encoded as input,
794 and the encoded result as output.
795 @param[in] IkeType The type of IKE. IKE_SA_TYPE, IKE_INFO_TYPE and
796 IKE_CHILD_TYPE are supported.
797
798 @retval EFI_SUCCESS The IKE packet was encoded successfully.
799 @retval Otherwise Encoding the IKE packet failed.
800
801 **/
802 EFI_STATUS
803 Ikev2EncodePacket (
804 IN IKEV2_SESSION_COMMON *SessionCommon,
805 IN OUT IKE_PACKET *IkePacket,
806 IN UINTN IkeType
807 );
808
809 /**
810 Decode the IKE packet.
811
812 This function first decrypts the IKE packet if needed, then separates the whole
813 IKE packet from IkePacket->PayloadBuf into the IkePacket payload list.
814
815 @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON containing
816 some parameters used by IKE packet decoding.
817 @param[in, out] IkePacket The IKE Packet to be decoded on input, and
818 the decoded result on return.
819 @param[in] IkeType The type of IKE. IKE_SA_TYPE, IKE_INFO_TYPE and
820 IKE_CHILD_TYPE are supported.
821
822 @retval EFI_SUCCESS The IKE packet was decoded successfully.
823 @retval Otherwise Decoding the IKE packet failed.
824
825 **/
826 EFI_STATUS
827 Ikev2DecodePacket (
828 IN IKEV2_SESSION_COMMON *SessionCommon,
829 IN OUT IKE_PACKET *IkePacket,
830 IN UINTN IkeType
831 );
832
833
834 /**
835 Send out IKEV2 packet.
836
837 @param[in] IkeUdpService Pointer to IKE_UDP_SERVICE used to send the IKE packet.
838 @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON related to the IKE packet.
839 @param[in] IkePacket Pointer to IKE_PACKET to be sent out.
840 @param[in] IkeType The type of IKE, indicating what kind of IKE
841 packet is to be sent out. IKE_SA_TYPE, IKE_INFO_TYPE
842 and IKE_CHILD_TYPE are supported.
843
844 @retval EFI_SUCCESS The operation completed successfully.
845 @retval Otherwise The operation failed.
846
847 **/
848 EFI_STATUS
849 Ikev2SendIkePacket (
850 IN IKE_UDP_SERVICE *IkeUdpService,
851 IN UINT8 *SessionCommon,
852 IN IKE_PACKET *IkePacket,
853 IN UINTN IkeType
854 );
855
856 /**
857 Callback function invoked when the IKE lifetime is over.
858
859 This function will mark the related IKE SA Session as deleting and trigger an
860 Information negotiation.
861
862 @param[in] Event The time out event.
863 @param[in] Context Pointer to data passed by caller.
864
865 **/
866 VOID
867 EFIAPI
868 Ikev2LifetimeNotify (
869 IN EFI_EVENT Event,
870 IN VOID *Context
871 );
872
873 /**
874 This function will be called if the TimeOut Event is signaled.
875
876 @param[in] Event The signaled Event.
877 @param[in] Context The data passed by caller.
878
879 **/
880 VOID
881 EFIAPI
882 Ikev2ResendNotify (
883 IN EFI_EVENT Event,
884 IN VOID *Context
885 );
886
887 /**
888 Generate a Key Exchange payload according to the DH group type and save the
889 public Key into IkeSaSession IkeKey field.
890
891 @param[in, out] IkeSaSession Pointer of the IKE_SA_SESSION.
892 @param[in] NextPayload The payload type presented in the NextPayload field of Key
893 Exchange Payload header.
894
895 @retval Pointer to Key IKE payload.
896
897 **/
898 IKE_PAYLOAD *
899 Ikev2GenerateKePayload (
900 IN OUT IKEV2_SA_SESSION *IkeSaSession,
901 IN UINT8 NextPayload
902 );
903
904 /**
905 Check if the SPD is related to the input Child SA Session.
906
907 This function is the subfunction of Ikev2ChildSaAssociateSpdEntry(). It is the
908 callback function of IpSecVisitConfigData().
909
910
911 @param[in] Type Type of the input Config Selector.
912 @param[in] Selector Pointer to the Configure Selector to be checked.
913 @param[in] Data Pointer to the Configure Selector's Data passed
914 from the caller.
915 @param[in] SelectorSize The buffer size of Selector.
916 @param[in] DataSize The buffer size of the Data.
917 @param[in] Context The data passed from the caller. It is a Child
918 SA Session in this context.
919
920 @retval EFI_SUCCESS The SPD Selector is not related to the Child SA Session.
921 @retval EFI_ABORTED The SPD Selector is related to the Child SA session, and
922 ChildSaSession->Spd has been set to point to this SPD Selector.
923
924 **/
925 EFI_STATUS
926 Ikev2MatchSpdEntry (
927 IN EFI_IPSEC_CONFIG_DATA_TYPE Type,
928 IN EFI_IPSEC_CONFIG_SELECTOR *Selector,
929 IN VOID *Data,
930 IN UINTN SelectorSize,
931 IN UINTN DataSize,
932 IN VOID *Context
933 );
934
935 /**
936 Check if the Algorithm ID is supported.
937
938 @param[in] AlgorithmId The specified Algorithm ID.
939 @param[in] Type The type used to indicate the Algorithm is for Encrypt or
940 Authentication.
941
942 @retval TRUE If the Algorithm ID is supported.
943 @retval FALSE If the Algorithm ID is not supported.
944
945 **/
946 BOOLEAN
947 Ikev2IsSupportAlg (
948 IN UINT16 AlgorithmId,
949 IN UINT8 Type
950 );
951
952 /**
953 Generate a ChildSa Session and insert it into related IkeSaSession.
954
955 @param[in] IkeSaSession Pointer to related IKEV2_SA_SESSION.
956 @param[in] UdpService Pointer to related IKE_UDP_SERVICE.
957
958 @return Pointer to the IKEV2_CHILD_SA_SESSION.
959
960 **/
961 IKEV2_CHILD_SA_SESSION *
962 Ikev2ChildSaSessionCreate (
963 IN IKEV2_SA_SESSION *IkeSaSession,
964 IN IKE_UDP_SERVICE *UdpService
965 ) ;
966
967 /**
968 Parse the received Initial Exchange Packet.
969
970 This function parses the SA Payload and Key Payload to find out the cryptographic
971 suite for the further IKE negotiation and fills it into the IKE SA Session's
972 CommonSession->SaParams.
973
974 @param[in, out] IkeSaSession Pointer to related IKEV2_SA_SESSION.
975 @param[in] SaPayload The received SA payload.
976 @param[in] Type The IKE header flag of the received packet.
977
978 @retval TRUE If the SA proposal in Packet is acceptable.
979 @retval FALSE If the SA proposal in Packet is not acceptable.
980
981 **/
982 BOOLEAN
983 Ikev2SaParseSaPayload (
984 IN OUT IKEV2_SA_SESSION *IkeSaSession,
985 IN IKE_PAYLOAD *SaPayload,
986 IN UINT8 Type
987 );
988
989 /**
990 Parse the received Authentication Exchange Packet.
991
992 This function parses the SA Payload and Key Payload to find out the cryptographic
993 suite for the ESP and fills it into the Child SA Session's CommonSession->SaParams.
994
995 @param[in, out] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION related to
996 this Authentication Exchange.
997 @param[in] SaPayload The received SA payload.
998 @param[in] Type The IKE header flag of the received packet.
999
1000 @retval TRUE If the SA proposal in Packet is acceptable.
1001 @retval FALSE If the SA proposal in Packet is not acceptable.
1002
1003 **/
1004 BOOLEAN
1005 Ikev2ChildSaParseSaPayload (
1006 IN OUT IKEV2_CHILD_SA_SESSION *ChildSaSession,
1007 IN IKE_PAYLOAD *SaPayload,
1008 IN UINT8 Type
1009 );
1010
1011 /**
1012 Generate Key buffer from fragments.
1013
1014 If the digest length of the specified HashAlgId is greater than or equal to the
1015 required output key length, derive the key directly. Otherwise, the Key Material
1016 needs to be a PRF-based concatenation according to section 2.13 of RFC 4306:
1017 prf+ (K,S) = T1 | T2 | T3 | T4 | ..., T1 = prf (K, S | 0x01),
1018 T2 = prf (K, T1 | S | 0x02), T3 = prf (K, T2 | S | 0x03), T4 = prf (K, T3 | S | 0x04),
1019 then derive the key from this key material.
1020
1021 @param[in] HashAlgId The Hash Algorithm ID used to generate key.
1022 @param[in] HashKey Pointer to a key buffer which contains hash key.
1023 @param[in] HashKeyLength The length of HashKey in bytes.
1024 @param[in, out] OutputKey Pointer to buffer which is used to receive the
1025 output key.
1026 @param[in] OutputKeyLength The length of OutPutKey buffer.
1027 @param[in] Fragments Pointer to the data to be used to generate key.
1028 @param[in] NumFragments The number of Fragments.
1029
1030 @retval EFI_SUCCESS The operation complete successfully.
1031 @retval EFI_INVALID_PARAMETER If NumFragments is zero.
1032 @retval EFI_OUT_OF_RESOURCES If the required resource can't be allocated.
1033 @retval Others The operation is failed.
1034
1035 **/
1036 EFI_STATUS
1037 Ikev2SaGenerateKey (
1038 IN UINT8 HashAlgId,
1039 IN UINT8 *HashKey,
1040 IN UINTN HashKeyLength,
1041 IN OUT UINT8 *OutputKey,
1042 IN UINTN OutputKeyLength,
1043 IN PRF_DATA_FRAGMENT *Fragments,
1044 IN UINTN NumFragments
1045 );
1046
1047 /**
1048 Copy ChildSaSession->Spd->Selector to ChildSaSession->SpdSelector.
1049
1050 ChildSaSession->SpdSelector stores the real SPD selector for its SA. Sometimes
1051 the SpdSelector in ChildSaSession is more accurate or its scope is smaller
1052 than the one in ChildSaSession->Spd, especially for tunnel mode.
1053
1054 @param[in, out] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION related to.
1055
1056 @retval EFI_SUCCESS The operation complete successfully.
1057 @retval EFI_OUT_OF_RESOURCES If the required resource can't be allocated.
1058
1059 **/
1060 EFI_STATUS
1061 Ikev2ChildSaSessionSpdSelectorCreate (
1062 IN OUT IKEV2_CHILD_SA_SESSION *ChildSaSession
1063 );
1064
1065 extern IKE_ALG_GUID_INFO mIPsecEncrAlgInfo[];
1066 #endif
1067