1 /** @file
2 The interfaces of IKE/Child session operations and payload related operations
3 used by IKE Exchange Process.
4
5 Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>
6
7 SPDX-License-Identifier: BSD-2-Clause-Patent
8
9 **/
10
11 #ifndef _IKE_V2_UTILITY_H_
12 #define _IKE_V2_UTILITY_H_
13
14 #include "Ikev2.h"
15 #include "IkeCommon.h"
16 #include "IpSecCryptIo.h"
17
18 #include <Library/PcdLib.h>
19
20 #define IKEV2_SUPPORT_ENCRYPT_ALGORITHM_NUM 2
21 #define IKEV2_SUPPORT_PRF_ALGORITHM_NUM 1
22 #define IKEV2_SUPPORT_DH_ALGORITHM_NUM 2
23 #define IKEV2_SUPPORT_AUTH_ALGORITHM_NUM 1
24
25 /**
26 Allocate buffer for IKEV2_SA_SESSION and initialize it.
27
28 @param[in] Private Pointer to IPSEC_PRIVATE_DATA.
29 @param[in] UdpService Pointer to IKE_UDP_SERVICE related to this IKE SA Session.
30
31 @return Pointer to IKEV2_SA_SESSION.
32
33 **/
34 IKEV2_SA_SESSION *
35 Ikev2SaSessionAlloc (
36 IN IPSEC_PRIVATE_DATA *Private,
37 IN IKE_UDP_SERVICE *UdpService
38 );
39
40 /**
41 Register an established IKEv2 SA into Private->Ikev2EstablishedList.
42
43 @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION to be registered.
44 @param[in] Private Pointer to IPSEC_PRIVATE_DATA.
45
46 **/
47 VOID
48 Ikev2SaSessionReg (
49 IN IKEV2_SA_SESSION *IkeSaSession,
50 IN IPSEC_PRIVATE_DATA *Private
51 );
52
53 /**
54 Find an IKEV2_SA_SESSION by the remote peer IP.
55
56 @param[in] SaSessionList SaSession List to be searched.
57 @param[in] RemotePeerIp Pointer to specified IP address.
58
59 @return Pointer to the matching IKEV2_SA_SESSION, or NULL if none is found.
60
61 **/
62 IKEV2_SA_SESSION *
63 Ikev2SaSessionLookup (
64 IN LIST_ENTRY *SaSessionList,
65 IN EFI_IP_ADDRESS *RemotePeerIp
66 );
67
68 /**
69 Insert an IKEV2_SA_SESSION into an IkeSaSession list. The IkeSaSession list is either
70 the Private->Ikev2SaSession list or the Private->Ikev2EstablishedList list.
71
72 @param[in] SaSessionList Pointer to list to be inserted into.
73 @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION to be inserted.
74 @param[in] RemotePeerIp Pointer to the EFI_IP_ADDRESS that identifies the
75 unique IKEV2_SA_SESSION.
76
77 **/
78 VOID
79 Ikev2SaSessionInsert (
80 IN LIST_ENTRY *SaSessionList,
81 IN IKEV2_SA_SESSION *IkeSaSession,
82 IN EFI_IP_ADDRESS *RemotePeerIp
83 );
84
85 /**
86 Remove the SA Session by Remote Peer IP.
87
88 @param[in] SaSessionList Pointer to list to be searched.
89 @param[in] RemotePeerIp Pointer to EFI_IP_ADDRESS to use for SA Session search.
90
91 @return Pointer to the IKEV2_SA_SESSION with the specified remote IP address.
92
93 **/
94 IKEV2_SA_SESSION *
95 Ikev2SaSessionRemove (
96 IN LIST_ENTRY *SaSessionList,
97 IN EFI_IP_ADDRESS *RemotePeerIp
98 );
99
100
101 /**
102 After the IKE/Child SA is established, close the time event and free the sent packet.
103
104 @param[in] SessionCommon Pointer to a Session Common.
105
106 **/
107 VOID
108 Ikev2SessionCommonRefresh (
109 IN IKEV2_SESSION_COMMON *SessionCommon
110 );
111
112 /**
113 Free specified IKEV2 SA Session.
114
115 @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION to be freed.
116
117 **/
118 VOID
119 Ikev2SaSessionFree (
120 IN IKEV2_SA_SESSION *IkeSaSession
121 );
122
123 /**
124 Free the specified Session Common. The session common may belong to either an IKE SA
125 or a Child SA.
126
127 @param[in] SessionCommon Pointer to a Session Common.
128
129 **/
130 VOID
131 Ikev2SaSessionCommonFree (
132 IN IKEV2_SESSION_COMMON *SessionCommon
133 );
134
135 /**
136 Increase the MessageID in IkeSaSession.
137
138 @param[in] IkeSaSession Pointer to a specified IKEV2_SA_SESSION.
139
140 **/
141 VOID
142 Ikev2SaSessionIncreaseMessageId (
143 IN IKEV2_SA_SESSION *IkeSaSession
144 );
145
146 /**
147 Allocate memory for an IKEV2 Child SA Session.
148
149 @param[in] UdpService Pointer to IKE_UDP_SERVICE.
150 @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION related to this Child SA
151 Session.
152
153 @retval Pointer to a newly created IKEV2 Child SA Session.
154
155 **/
156 IKEV2_CHILD_SA_SESSION *
157 Ikev2ChildSaSessionAlloc (
158 IN IKE_UDP_SERVICE *UdpService,
159 IN IKEV2_SA_SESSION *IkeSaSession
160 );
161
162 /**
163 Register an established IKEv2 Child SA into IkeSaSession->ChildSaEstablishSessionList.
164 If there is already an IKEV2_CHILD_SA_SESSION with the same remote peer IP, remove the
165 old one, then register the new one.
166
167 @param[in] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION to be registered.
168 @param[in] Private Pointer to IPSEC_PRIVATE_DATA.
169
170 **/
171 VOID
172 Ikev2ChildSaSessionReg (
173 IN IKEV2_CHILD_SA_SESSION *ChildSaSession,
174 IN IPSEC_PRIVATE_DATA *Private
175 );
176
177 /**
178 Find the Child SA by the specified SPI.
179
180 This function finds a Child SA session by searching the ChildSaSessionList of
181 the input IKEV2_SA_SESSION for the specified SPI.
182
183 @param[in] SaSessionList Pointer to List to be searched.
184 @param[in] Spi Specified SPI.
185
186 @return Pointer to IKEV2_CHILD_SA_SESSION.
187
188 **/
189 IKEV2_CHILD_SA_SESSION *
190 Ikev2ChildSaSessionLookupBySpi (
191 IN LIST_ENTRY *SaSessionList,
192 IN UINT32 Spi
193 );
194
195
196 /**
197 Insert a Child SA Session into the specified ChildSa list.
198
199 @param[in] SaSessionList Pointer to list to be inserted in.
200 @param[in] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION to be inserted.
201
202 **/
203 VOID
204 Ikev2ChildSaSessionInsert (
205 IN LIST_ENTRY *SaSessionList,
206 IN IKEV2_CHILD_SA_SESSION *ChildSaSession
207 );
208
209 /**
210 Remove the IKEV2_CHILD_SA_SESSION from IkeSaSessionList.
211
212 @param[in] SaSessionList The SA Session List to be iterated.
213 @param[in] Spi Spi used to identify the IKEV2_CHILD_SA_SESSION.
214 @param[in] ListType The type of the list, indicating whether it is the
215 Established list.
216
217 @return Pointer to the IKEV2_CHILD_SA_SESSION.
218
219 **/
220 IKEV2_CHILD_SA_SESSION *
221 Ikev2ChildSaSessionRemove (
222 IN LIST_ENTRY *SaSessionList,
223 IN UINT32 Spi,
224 IN UINT8 ListType
225 );
226
227
228 /**
229 Free the memory allocated for the specified IKEV2_CHILD_SA_SESSION.
230
231 @param[in] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION.
232
233 **/
234 VOID
235 Ikev2ChildSaSessionFree (
236 IN IKEV2_CHILD_SA_SESSION *ChildSaSession
237 );
238
239 /**
240 Free the specified DhBuffer.
241
242 @param[in] DhBuffer Pointer to IKEV2_DH_BUFFER to be freed.
243
244 **/
245 VOID
246 Ikev2DhBufferFree (
247 IN IKEV2_DH_BUFFER *DhBuffer
248 );
249
250 /**
251 Delete the specified established Child SA.
252
253 This function deletes the Child SA directly and does not send an Informational
254 packet to the remote peer.
255
256 @param[in] IkeSaSession Pointer to the IKE SA Session to be searched.
257 @param[in] Spi SPI used to find the Child SA.
258
259 @retval EFI_NOT_FOUND Pointer of IKE SA Session is NULL.
260 @retval EFI_NOT_FOUND There is no specified Child SA related with the input
261 SPI under this IKE SA Session.
262 @retval EFI_SUCCESS Delete the Child SA successfully.
263
264 **/
265 EFI_STATUS
266 Ikev2ChildSaSilentDelete (
267 IN IKEV2_SA_SESSION *IkeSaSession,
268 IN UINT32 Spi
269 );
270
271 /**
272 This function parses a request IKE packet and returns its request type.
273 The request type is one of IKE CHILD SA creation, IKE SA rekeying and
274 IKE CHILD SA rekeying.
275
276 @param[in] IkePacket IKE packet to be parsed.
277
278 @return The type of the IKE packet.
279
280 **/
281 IKEV2_CREATE_CHILD_REQUEST_TYPE
282 Ikev2ChildExchangeRequestType(
283 IN IKE_PACKET *IkePacket
284 );
285
286
287 /**
288 Associate a SPD selector to the Child SA Session.
289
290 This function is called when the Child SA is not the first child SA of its
291 IKE SA. It associates an SPD with this Child SA.
292
293 @param[in, out] ChildSaSession Pointer to the Child SA Session to be associated to
294 a SPD selector.
295
296 @retval EFI_SUCCESS Associate one SPD selector to this Child SA Session successfully.
297 @retval EFI_NOT_FOUND Can't find the related SPD selector.
298
299 **/
300 EFI_STATUS
301 Ikev2ChildSaAssociateSpdEntry (
302 IN OUT IKEV2_CHILD_SA_SESSION *ChildSaSession
303 );
304
305 /**
306 Validate the IKE header of received IKE packet.
307
308 @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION related to this IKE packet.
309 @param[in] IkeHdr Pointer to IKE header of received IKE packet.
310
311 @retval TRUE If the IKE header is valid.
312 @retval FALSE If the IKE header is invalid.
313
314 **/
315 BOOLEAN
316 Ikev2ValidateHeader (
317 IN IKEV2_SA_SESSION *IkeSaSession,
318 IN IKE_HEADER *IkeHdr
319 );
320
321 /**
322 Create and initialize IKEV2_SA_DATA for the specified IKEV2_SESSION_COMMON.
323
324 This function is only called by the initiator. The responder's IKEV2_SA_DATA
325 is generated while parsing the initiator's packet.
326
327 @param[in] SessionCommon Pointer to the related IKEV2_SESSION_COMMON.
328
329 @return Pointer to a new IKEV2_SA_DATA, or NULL.
330
331 **/
332 IKEV2_SA_DATA *
333 Ikev2InitializeSaData (
334 IN IKEV2_SESSION_COMMON *SessionCommon
335 );
336
337 /**
338 Store the SA into SAD.
339
340 @param[in] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION.
341
342 **/
343 VOID
344 Ikev2StoreSaData (
345 IN IKEV2_CHILD_SA_SESSION *ChildSaSession
346 );
347
348 /**
349 Routine to run before payload decoding.
350
351 @param[in] SessionCommon Pointer to ChildSa SessionCommon.
352 @param[in] PayloadBuf Pointer to the payload.
353 @param[in] PayloadSize Size of PayloadBuf in byte.
354 @param[in] PayloadType Type of Payload.
355
356 **/
357 VOID
358 Ikev2ChildSaBeforeDecodePayload (
359 IN UINT8 *SessionCommon,
360 IN UINT8 *PayloadBuf,
361 IN UINTN PayloadSize,
362 IN UINT8 PayloadType
363 );
364
365 /**
366 Routine to run after payload encoding.
367
368 @param[in] SessionCommon Pointer to ChildSa SessionCommon.
369 @param[in] PayloadBuf Pointer to the payload.
370 @param[in] PayloadSize Size of PayloadBuf in byte.
371 @param[in] PayloadType Type of Payload.
372
373 **/
374 VOID
375 Ikev2ChildSaAfterEncodePayload (
376 IN UINT8 *SessionCommon,
377 IN UINT8 *PayloadBuf,
378 IN UINTN PayloadSize,
379 IN UINT8 PayloadType
380 );
381
382 /**
383 Generate the IKEv2 SA payload according to SessionSaData.
384
385 @param[in] SessionSaData The data used in SA payload.
386 @param[in] NextPayload The payload type presented in NextPayload field of
387 SA Payload header.
388 @param[in] Type The SA type. It MUST be either (1) for IKE_SA,
389 (2) for CHILD_SA or (3) for INFO.
390
391 @retval Pointer to the SA IKE payload.
392
393 **/
394 IKE_PAYLOAD *
395 Ikev2GenerateSaPayload (
396 IN IKEV2_SA_DATA *SessionSaData,
397 IN UINT8 NextPayload,
398 IN IKE_SESSION_TYPE Type
399 );
400
401 /**
402 Generate an ID payload.
403
404 @param[in] CommonSession Pointer to IKEV2_SESSION_COMMON related to ID payload.
405 @param[in] NextPayload The payload type presented in the NextPayload field
406 of ID Payload header.
407
408 @retval Pointer to ID IKE payload.
409
410 **/
411 IKE_PAYLOAD *
412 Ikev2GenerateIdPayload (
413 IN IKEV2_SESSION_COMMON *CommonSession,
414 IN UINT8 NextPayload
415 );
416
417 /**
418 Generate an ID payload from the distinguished name of a certificate.
419
420 @param[in] CommonSession Pointer to IKEV2_SESSION_COMMON related to ID payload.
421 @param[in] NextPayload The payload type presented in the NextPayload field
422 of ID Payload header.
423 @param[in] InCert Pointer to the Certificate whose distinguished name
424 will be added into the ID payload.
425 @param[in] CertSize Size of the Certificate.
426
427 @retval Pointer to ID IKE payload.
428
429 **/
430 IKE_PAYLOAD *
431 Ikev2GenerateCertIdPayload (
432 IN IKEV2_SESSION_COMMON *CommonSession,
433 IN UINT8 NextPayload,
434 IN UINT8 *InCert,
435 IN UINTN CertSize
436 );
437
438 /**
439 Generate a Nonce payload containing the input parameter NonceBuf.
440
441 @param[in] NonceBuf The nonce buffer containing the whole Nonce payload block
442 except the payload header.
443 @param[in] NonceSize The buffer size of NonceBuf.
444 @param[in] NextPayload The payload type presented in the NextPayload field
445 of Nonce Payload header.
446
447 @retval Pointer to Nonce IKE payload.
448
449 **/
450 IKE_PAYLOAD *
451 Ikev2GenerateNoncePayload (
452 IN UINT8 *NonceBuf,
453 IN UINTN NonceSize,
454 IN UINT8 NextPayload
455 );
456
457 /**
458 Generate the Notify payload.
459
460 Since the structure of the Notify payload defined in RFC 4306 is simple,
461 there is no internal data structure for the Notify payload. This function generates
462 the Notify payload defined in RFC 4306, but all the fields in this payload are still
463 in host order; Ikev2EncodePayload() must be called to convert those fields from
464 host order to network order before sending it.
465
466 @param[in] ProtocolId The protocol type ID. For IKE_SA it MUST be one (1).
467 For IPsec SAs it MUST be either (2) for AH or (3)
468 for ESP.
469 @param[in] NextPayload The next payload type in the NextPayload field of
470 the Notify payload.
471 @param[in] SpiSize Size of the SPI in SPI size field of the Notify Payload.
472 @param[in] MessageType The message type in NotifyMessageType field of the
473 Notify Payload.
474 @param[in] SpiBuf Pointer to buffer contains the SPI value.
475 @param[in] NotifyData Pointer to buffer contains the notification data.
476 @param[in] NotifyDataSize The size of NotifyData in bytes.
477
478
479 @retval Pointer to IKE Notify Payload.
480
481 **/
482 IKE_PAYLOAD *
483 Ikev2GenerateNotifyPayload (
484 IN UINT8 ProtocolId,
485 IN UINT8 NextPayload,
486 IN UINT8 SpiSize,
487 IN UINT16 MessageType,
488 IN UINT8 *SpiBuf,
489 IN UINT8 *NotifyData,
490 IN UINTN NotifyDataSize
491 );
492
493 /**
494 Generate the Delete payload.
495
496 Since the structure of the Delete payload defined in RFC 4306 is simple,
497 there is no internal data structure for the Delete payload. This function generates
498 the Delete payload defined in RFC 4306, but all the fields in this payload are still
499 in host order; Ikev2EncodePayload() must be called to convert those fields from
500 host order to network order before sending it.
501
502 @param[in] IkeSaSession Pointer to IKE SA Session to be used for Delete payload generation.
503 @param[in] NextPayload The next payload type in the NextPayload field of
504 the Delete payload.
505 @param[in] SpiSize Size of the SPI in SPI size field of the Delete Payload.
506 @param[in] SpiNum Number of SPI in NumofSPIs field of the Delete Payload.
507 @param[in] SpiBuf Pointer to buffer contains the SPI value.
508
509 @retval Pointer to IKE Delete Payload.
510
511 **/
512 IKE_PAYLOAD *
513 Ikev2GenerateDeletePayload (
514 IN IKEV2_SA_SESSION *IkeSaSession,
515 IN UINT8 NextPayload,
516 IN UINT8 SpiSize,
517 IN UINT16 SpiNum,
518 IN UINT8 *SpiBuf
519 );
520
521 /**
522 Generate the Configuration payload.
523
524 This function generates a Configuration payload defined in RFC 4306, but all the
525 fields in this payload are still in host order; Ikev2EncodePayload() must be called
526 to convert those fields from host order to network order before sending it.
527
528 @param[in] IkeSaSession Pointer to IKE SA Session to be used for Configuration payload
529 generation.
530 @param[in] NextPayload The next payload type in the NextPayload field of
531 the Configuration payload.
532 @param[in] CfgType The attribute type in the Configuration attribute.
533
534 @retval Pointer to IKE CP Payload.
535
536 **/
537 IKE_PAYLOAD *
538 Ikev2GenerateCpPayload (
539 IN IKEV2_SA_SESSION *IkeSaSession,
540 IN UINT8 NextPayload,
541 IN UINT8 CfgType
542 );
543
544 /**
545 Generate an Authentication Payload.
546
547 This function is used for both Authentication generation and verification. When
548 IsVerify is TRUE, it creates the Auth Data for verification. This function chooses the
549 related IKE_SA_INIT message for Auth data creation according to the IKE Session's type
550 and the value of the IsVerify parameter.
551
552 @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION related to.
553 @param[in] IdPayload Pointer to the ID payload to be used for Authentication
554 payload generation.
555 @param[in] NextPayload The type filled into the Authentication Payload next
556 payload field.
557 @param[in] IsVerify If it is TRUE, the Authentication payload is used for
558 verification.
559
560 @return Pointer to the IKE Authentication payload for the pre-shared key method.
561
562 **/
563 IKE_PAYLOAD *
564 Ikev2PskGenerateAuthPayload (
565 IN IKEV2_SA_SESSION *IkeSaSession,
566 IN IKE_PAYLOAD *IdPayload,
567 IN UINT8 NextPayload,
568 IN BOOLEAN IsVerify
569 );
570
571 /**
572 Generate an Authentication Payload for the Certificate Auth method.
573
574 This function serves two purposes. One is creating a local Authentication
575 Payload for sending; the other is creating the remote Authentication data
576 for verification when IsVerify is TRUE.
577
578 @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION related to.
579 @param[in] IdPayload Pointer to the ID payload to be used for Authentication
580 payload generation.
581 @param[in] NextPayload The type filled into the Authentication Payload
582 next payload field.
583 @param[in] IsVerify If it is TRUE, the Authentication payload is used
584 for verification.
585 @param[in] UefiPrivateKey Pointer to the UEFI private key. Ignored when
586 verifying the Authentication payload.
587 @param[in] UefiPrivateKeyLen The size of UefiPrivateKey in bytes. Ignored
588 when verifying the Authentication payload.
589 @param[in] UefiKeyPwd Pointer to the password of the UEFI private key.
590 Ignored when verifying the Authentication payload.
591 @param[in] UefiKeyPwdLen The size of UefiKeyPwd in bytes. Ignored when
592 verifying the Authentication payload.
593
594 @return Pointer to the IKE Authentication payload for the certificate method.
595
596 **/
597 IKE_PAYLOAD *
598 Ikev2CertGenerateAuthPayload (
599 IN IKEV2_SA_SESSION *IkeSaSession,
600 IN IKE_PAYLOAD *IdPayload,
601 IN UINT8 NextPayload,
602 IN BOOLEAN IsVerify,
603 IN UINT8 *UefiPrivateKey,
604 IN UINTN UefiPrivateKeyLen,
605 IN UINT8 *UefiKeyPwd,
606 IN UINTN UefiKeyPwdLen
607 );
608
609 /**
610 Generate TS payload.
611
612 This function generates a TSi or TSr payload according to the type of the next payload.
613 If the next payload is Responder TS, generate the TSi Payload. Otherwise, generate
614 the TSr payload.
615
616 @param[in] ChildSa Pointer to IKEV2_CHILD_SA_SESSION related to this TS payload.
617 @param[in] NextPayload The payload type presented in the NextPayload field
618 of the TS Payload header.
619 @param[in] IsTunnel Indicates whether the TS Payload follows the CP payload.
620 If so, the TSi and TSr payloads are given the maximum
621 port range and address range, and the protocol is marked
622 as zero.
623
624 @retval Pointer to Ts IKE payload.
625
626 **/
627 IKE_PAYLOAD *
628 Ikev2GenerateTsPayload (
629 IN IKEV2_CHILD_SA_SESSION *ChildSa,
630 IN UINT8 NextPayload,
631 IN BOOLEAN IsTunnel
632 );
633
634 /**
635 Parse the Notify Cookie payload.
636
637 This function parses the Notify Cookie payload. If the Notify ProtocolId is not
638 IPSEC_PROTO_ISAKMP, or if the SpiSize is not zero, or if the MessageType is not
639 COOKIE, return EFI_INVALID_PARAMETER.
640
641 @param[in] IkeNCookie Pointer to the IKE_PAYLOAD which contains the
642 Notify Cookie payload.
643
644 @param[in, out] IkeSaSession Pointer to the relevant IKE SA Session.
645
646 @retval EFI_SUCCESS The Notify Cookie Payload is valid.
647 @retval EFI_INVALID_PARAMETER The Notify Cookie Payload is invalid.
648 @retval EFI_OUT_OF_RESOURCES The required resource can't be allocated.
649
650 **/
651 EFI_STATUS
652 Ikev2ParserNotifyCookiePayload (
653 IN IKE_PAYLOAD *IkeNCookie,
654 IN OUT IKEV2_SA_SESSION *IkeSaSession
655 );
656
657 /**
658 Generate the Certificate payload or Certificate Request Payload.
659
660 Since the Certificate Payload structure is the same as the Certificate Request Payload,
661 the only difference is that one contains the Certificate Data and the other contains
662 the acceptable certification CA. This function generates the Certificate payload
663 or Certificate Request Payload defined in RFC 4306, but all the fields
664 in the payload are still in host order; Ikev2EncodePayload() must be called
665 to convert those fields from host order to network order before sending it.
666
667 @param[in] IkeSaSession Pointer to IKE SA Session to be used for Certificate payload
668 generation.
669 @param[in] NextPayload The next payload type in the NextPayload field of
670 the Certificate payload.
671 @param[in] Certificate Pointer to the buffer containing the certificate data.
672 @param[in] CertificateLen The length of Certificate in bytes.
673 @param[in] EncodeType Specifies the Certificate Encoding, as defined
674 in RFC 4306.
675 @param[in] IsRequest Indicates whether to create a Certificate Payload or a
676 Certificate Request Payload. If it is TRUE, create a Certificate
677 Request Payload. Otherwise, create a Certificate Payload.
678
679 @retval Pointer to the IKE Payload whose payload buffer contains the Certificate
680 payload or Certificate Request payload.
681
682 **/
683 IKE_PAYLOAD *
684 Ikev2GenerateCertificatePayload (
685 IN IKEV2_SA_SESSION *IkeSaSession,
686 IN UINT8 NextPayload,
687 IN UINT8 *Certificate,
688 IN UINTN CertificateLen,
689 IN UINT8 EncodeType,
690 IN BOOLEAN IsRequest
691 );
692
693 /**
694 General interface of payload encoding.
695
696 This function encodes the internal data structure into the payload format
697 defined in RFC 4306. IkePayload->PayloadBuf is used to store both the input
698 payload and the converted payload. Only the SA payload uses the internal structure
699 to store its attributes. Other payloads use a structure identical to the one the RFC
700 defines; for this kind of payload only a host order to network order conversion of
701 some fields is done.
702
703 @param[in] SessionCommon Pointer to IKE Session Common used to encode the payload.
704 @param[in, out] IkePayload Pointer to IKE payload to be encoded as input, and
705 store the encoded result as output.
706
707 @retval EFI_INVALID_PARAMETER An error occurred while encoding the SA payload.
708 @retval EFI_SUCCESS Encode successfully.
709
710 **/
711 EFI_STATUS
712 Ikev2EncodePayload (
713 IN UINT8 *SessionCommon,
714 IN OUT IKE_PAYLOAD *IkePayload
715 );
716
717 /**
718 General interface of payload decoding.
719
720 This function converts the received payload into the internal structure.
721
722 @param[in] SessionCommon Pointer to IKE Session Common to use for decoding.
723 @param[in, out] IkePayload Pointer to IKE payload to be decoded as input, and
724 store the decoded result as output.
725
726 @retval EFI_INVALID_PARAMETER An error occurred while decoding the SA payload.
727 @retval EFI_SUCCESS Decode successfully.
728
729 **/
730 EFI_STATUS
731 Ikev2DecodePayload (
732 IN UINT8 *SessionCommon,
733 IN OUT IKE_PAYLOAD *IkePayload
734 );
735
736 /**
737 Decrypt IKE packet.
738
739 This function decrypts the encrypted IKE packet and puts the result into IkePacket->PayloadBuf.
740
741 @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON containing
742 some parameter used during decrypting.
743 @param[in, out] IkePacket Pointer to IKE_PACKET to be decrypted as input,
744 and the decrypted result as output.
745 @param[in, out] IkeType The type of IKE. IKE_SA_TYPE, IKE_INFO_TYPE and
746 IKE_CHILD_TYPE are supported.
747
748 @retval EFI_INVALID_PARAMETER If the IKE packet length is zero or the
749 IKE packet length is not aligned to the algorithm
750 block size.
751 @retval EFI_SUCCESS Decrypt IKE packet successfully.
752
753 **/
754 EFI_STATUS
755 Ikev2DecryptPacket (
756 IN IKEV2_SESSION_COMMON *SessionCommon,
757 IN OUT IKE_PACKET *IkePacket,
758 IN OUT UINTN IkeType
759 );
760
761 /**
762 Encrypt IKE packet.
763
764 This function encrypts the IKE packet before sending it. The encrypted IKE packet
765 is put into the IKEv2 Encrypted Payload.
766
767 @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON related to the IKE packet.
768 @param[in, out] IkePacket Pointer to IKE packet to be encrypted.
769
770 @retval EFI_SUCCESS Operation is successful.
771 @retval Others Operation failed.
772
773 **/
774 EFI_STATUS
775 Ikev2EncryptPacket (
776 IN IKEV2_SESSION_COMMON *SessionCommon,
777 IN OUT IKE_PACKET *IkePacket
778 );
779
780 /**
781 Encode the IKE packet.
782
783 This function puts all payloads into one payload, then encrypts it if needed.
784
785 @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON containing
786 some parameter used during IKE packet encoding.
787 @param[in, out] IkePacket Pointer to IKE_PACKET to be encoded as input,
788 and the encoded result as output.
789 @param[in] IkeType The type of IKE. IKE_SA_TYPE, IKE_INFO_TYPE and
790 IKE_CHILD_TYPE are supported.
791
792 @retval EFI_SUCCESS Encode IKE packet successfully.
793 @retval Otherwise Encode IKE packet failed.
794
795 **/
796 EFI_STATUS
797 Ikev2EncodePacket (
798 IN IKEV2_SESSION_COMMON *SessionCommon,
799 IN OUT IKE_PACKET *IkePacket,
800 IN UINTN IkeType
801 );
802
803 /**
804 Decode the IKE packet.
805
806 This function first decrypts the IKE packet if needed, then separates the whole
807 IKE packet in IkePacket->PayloadBuf into the IkePacket payload list.
808
809 @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON containing
810 some parameter used by IKE packet decoding.
811 @param[in, out] IkePacket The IKE Packet to be decoded on input, and
812 the decoded result on return.
813 @param[in] IkeType The type of IKE. IKE_SA_TYPE, IKE_INFO_TYPE and
814 IKE_CHILD_TYPE are supported.
815
816 @retval EFI_SUCCESS The IKE packet is decoded successfully.
817 @retval Otherwise The IKE packet decoding failed.
818
819 **/
820 EFI_STATUS
821 Ikev2DecodePacket (
822 IN IKEV2_SESSION_COMMON *SessionCommon,
823 IN OUT IKE_PACKET *IkePacket,
824 IN UINTN IkeType
825 );
826
827
828 /**
829 Send out IKEV2 packet.
830
831 @param[in] IkeUdpService Pointer to IKE_UDP_SERVICE used to send the IKE packet.
832 @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON related to the IKE packet.
833 @param[in] IkePacket Pointer to IKE_PACKET to be sent out.
834 @param[in] IkeType The type of IKE, indicating what kind of IKE
835 packet is to be sent out. IKE_SA_TYPE, IKE_INFO_TYPE
836 and IKE_CHILD_TYPE are supported.
837
838 @retval EFI_SUCCESS The operation complete successfully.
839 @retval Otherwise The operation failed.
840
841 **/
842 EFI_STATUS
843 Ikev2SendIkePacket (
844 IN IKE_UDP_SERVICE *IkeUdpService,
845 IN UINT8 *SessionCommon,
846 IN IKE_PACKET *IkePacket,
847 IN UINTN IkeType
848 );
849
850 /**
851 Callback function invoked when the IKE lifetime is over.
852
853 This function will mark the related IKE SA Session as deleting and trigger an
854 Informational negotiation.
855
856 @param[in] Event The time out event.
857 @param[in] Context Pointer to data passed by caller.
858
859 **/
860 VOID
861 EFIAPI
862 Ikev2LifetimeNotify (
863 IN EFI_EVENT Event,
864 IN VOID *Context
865 );
866
867 /**
868 This function will be called if the TimeOut Event is signaled.
869
870 @param[in] Event The signaled Event.
871 @param[in] Context The data passed by caller.
872
873 **/
874 VOID
875 EFIAPI
876 Ikev2ResendNotify (
877 IN EFI_EVENT Event,
878 IN VOID *Context
879 );
880
881 /**
882 Generate a Key Exchange payload according to the DH group type and save the
883 public key into the IkeSaSession IkeKey field.
884
885 @param[in, out] IkeSaSession Pointer of the IKE_SA_SESSION.
886 @param[in] NextPayload The payload type presented in the NextPayload field of Key
887 Exchange Payload header.
888
889 @retval Pointer to Key IKE payload.
890
891 **/
892 IKE_PAYLOAD *
893 Ikev2GenerateKePayload (
894 IN OUT IKEV2_SA_SESSION *IkeSaSession,
895 IN UINT8 NextPayload
896 );
897
898 /**
899 Check if the SPD is related to the input Child SA Session.
900
901 This function is a subfunction of Ikev2ChildSaAssociateSpdEntry(). It is the
902 callback function of IpSecVisitConfigData().
903
904
905 @param[in] Type Type of the input Config Selector.
906 @param[in] Selector Pointer to the Configure Selector to be checked.
907 @param[in] Data Pointer to the Configure Selector's Data passed
908 from the caller.
909 @param[in] SelectorSize The buffer size of Selector.
910 @param[in] DataSize The buffer size of the Data.
911 @param[in] Context The data passed from the caller. It is a Child
912 SA Session in this context.
913
914 @retval EFI_SUCCESS The SPD Selector is not related to the Child SA Session.
915 @retval EFI_ABORTED The SPD Selector is related to the Child SA session, and
916 ChildSaSession->Spd has been set to point to this SPD Selector.
917
918 **/
919 EFI_STATUS
920 Ikev2MatchSpdEntry (
921 IN EFI_IPSEC_CONFIG_DATA_TYPE Type,
922 IN EFI_IPSEC_CONFIG_SELECTOR *Selector,
923 IN VOID *Data,
924 IN UINTN SelectorSize,
925 IN UINTN DataSize,
926 IN VOID *Context
927 );
928
929 /**
930 Check if the Algorithm ID is supported.
931
932 @param[in] AlgorithmId The specified Algorithm ID.
933 @param[in] Type The type indicating whether the Algorithm is for Encryption or
934 Authentication.
935
936 @retval TRUE If the Algorithm ID is supported.
937 @retval FALSE If the Algorithm ID is not supported.
938
939 **/
940 BOOLEAN
941 Ikev2IsSupportAlg (
942 IN UINT16 AlgorithmId,
943 IN UINT8 Type
944 );
945
946 /**
947 Generate a ChildSa Session and insert it into related IkeSaSession.
948
949 @param[in] IkeSaSession Pointer to related IKEV2_SA_SESSION.
950 @param[in] UdpService Pointer to related IKE_UDP_SERVICE.
951
952 @return pointer of IKEV2_CHILD_SA_SESSION.
953
954 **/
955 IKEV2_CHILD_SA_SESSION *
956 Ikev2ChildSaSessionCreate (
957 IN IKEV2_SA_SESSION *IkeSaSession,
958 IN IKE_UDP_SERVICE *UdpService
959 ) ;
960
961 /**
962 Parse the received Initial Exchange Packet.
963
964 This function parses the SA Payload and Key Payload to find the cryptographic
965 suite for the further IKE negotiation and fill it into the IKE SA Session's
966 CommonSession->SaParams.
967
968 @param[in, out] IkeSaSession Pointer to related IKEV2_SA_SESSION.
969 @param[in] SaPayload The received SA payload.
970 @param[in] Type The IKE header flag of the received packet.
971
972 @retval TRUE If the SA proposal in Packet is acceptable.
973 @retval FALSE If the SA proposal in Packet is not acceptable.
974
975 **/
976 BOOLEAN
977 Ikev2SaParseSaPayload (
978 IN OUT IKEV2_SA_SESSION *IkeSaSession,
979 IN IKE_PAYLOAD *SaPayload,
980 IN UINT8 Type
981 );
982
983 /**
984 Parse the received Authentication Exchange Packet.
985
986 This function parses the SA Payload and Key Payload to find the cryptographic
987 suite for the ESP and fill it into the Child SA Session's CommonSession->SaParams.
988
989 @param[in, out] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION related to
990 this Authentication Exchange.
991 @param[in] SaPayload The received SA payload.
992 @param[in] Type The IKE header flag of the received packet.
993
994 @retval TRUE If the SA proposal in Packet is acceptable.
995 @retval FALSE If the SA proposal in Packet is not acceptable.
996
997 **/
998 BOOLEAN
999 Ikev2ChildSaParseSaPayload (
1000 IN OUT IKEV2_CHILD_SA_SESSION *ChildSaSession,
1001 IN IKE_PAYLOAD *SaPayload,
1002 IN UINT8 Type
1003 );
1004
1005 /**
1006 Generate Key buffer from fragments.
1007
1008 If the digest length of the specified HashAlgId is larger than or equal to the
1009 required output key length, derive the key directly. Otherwise, the key material
1010 needs to be built by PRF-based concatenation according to section 2.13 of RFC 4306:
1011 prf+ (K,S) = T1 | T2 | T3 | T4 | ..., T1 = prf (K, S | 0x01),
1012 T2 = prf (K, T1 | S | 0x02), T3 = prf (K, T2 | S | 0x03), T4 = prf (K, T3 | S | 0x04),
1013 then derive the key from this key material.
1014
1015 @param[in] HashAlgId The Hash Algorithm ID used to generate key.
1016 @param[in] HashKey Pointer to a key buffer which contains hash key.
1017 @param[in] HashKeyLength The length of HashKey in bytes.
1018 @param[in, out] OutputKey Pointer to buffer which is used to receive the
1019 output key.
1020 @param[in] OutputKeyLength The length of the OutputKey buffer.
1021 @param[in] Fragments Pointer to the data to be used to generate the key.
1022 @param[in] NumFragments The number of Fragments.
1023
1024 @retval EFI_SUCCESS The operation complete successfully.
1025 @retval EFI_INVALID_PARAMETER If NumFragments is zero.
1026 @retval EFI_OUT_OF_RESOURCES If the required resource can't be allocated.
1027 @retval Others The operation is failed.
1028
1029 **/
1030 EFI_STATUS
1031 Ikev2SaGenerateKey (
1032 IN UINT8 HashAlgId,
1033 IN UINT8 *HashKey,
1034 IN UINTN HashKeyLength,
1035 IN OUT UINT8 *OutputKey,
1036 IN UINTN OutputKeyLength,
1037 IN PRF_DATA_FRAGMENT *Fragments,
1038 IN UINTN NumFragments
1039 );
1040
1041 /**
1042 Copy ChildSaSession->Spd->Selector to ChildSaSession->SpdSelector.
1043
1044 ChildSaSession->SpdSelector stores the real SPD selector for its SA. Sometimes,
1045 the SpdSelector in ChildSaSession is more accurate or its scope is smaller
1046 than the one in ChildSaSession->Spd, especially for tunnel mode.
1047
1048 @param[in, out] ChildSaSession Pointer to the related IKEV2_CHILD_SA_SESSION.
1049
1050 @retval EFI_SUCCESS The operation complete successfully.
1051 @retval EFI_OUT_OF_RESOURCES If the required resource can't be allocated.
1052
1053 **/
1054 EFI_STATUS
1055 Ikev2ChildSaSessionSpdSelectorCreate (
1056 IN OUT IKEV2_CHILD_SA_SESSION *ChildSaSession
1057 );
1058
1059 extern IKE_ALG_GUID_INFO mIPsecEncrAlgInfo[];
1060 #endif
1061