2 The interfaces of IKE/Child session operations and payload related operations
3 used by IKE Exchange Process.
5 Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>
7 SPDX-License-Identifier: BSD-2-Clause-Patent
11 #ifndef _IKE_V2_UTILITY_H_
12 #define _IKE_V2_UTILITY_H_
15 #include "IkeCommon.h"
16 #include "IpSecCryptIo.h"
18 #include <Library/PcdLib.h>
//
// Number of supported algorithms of each class (encryption, PRF, DH, auth);
// presumably the sizes of the per-class algorithm tables such as
// mIPsecEncrAlgInfo declared at the end of this header -- TODO confirm against
// the table definitions in the .c file.
//
20 #define IKEV2_SUPPORT_ENCRYPT_ALGORITHM_NUM 2
21 #define IKEV2_SUPPORT_PRF_ALGORITHM_NUM 1
22 #define IKEV2_SUPPORT_DH_ALGORITHM_NUM 2
23 #define IKEV2_SUPPORT_AUTH_ALGORITHM_NUM 1
26 Allocate buffer for IKEV2_SA_SESSION and initialize it.
28 @param[in] Private Pointer to IPSEC_PRIVATE_DATA.
29 @param[in] UdpService Pointer to IKE_UDP_SERVICE related to this IKE SA Session.
31 @return Pointer to IKEV2_SA_SESSION.
36 IN IPSEC_PRIVATE_DATA
*Private
,
37 IN IKE_UDP_SERVICE
*UdpService
41 Register an established IKEv2 SA into Private->Ikev2EstablishedList.
43 @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION to be registered.
44 @param[in] Private Pointer to IPSEC_PRIVATE_DATA.
49 IN IKEV2_SA_SESSION
*IkeSaSession
,
50 IN IPSEC_PRIVATE_DATA
*Private
54 Find an IKEV2_SA_SESSION by the remote peer IP.
56 @param[in] SaSessionList SaSession List to be searched.
57 @param[in] RemotePeerIp Pointer to specified IP address.
59 @return Pointer to the IKEV2_SA_SESSION if one is found, otherwise NULL.
63 Ikev2SaSessionLookup (
64 IN LIST_ENTRY
*SaSessionList
,
65 IN EFI_IP_ADDRESS
*RemotePeerIp
69 Insert an IKE_SA_SESSION into the IkeSaSession list. The IkeSaSession list is either
70 Private->Ikev2SaSession list or Private->Ikev2EstablishedList list.
72 @param[in] SaSessionList Pointer to list to be inserted into.
73 @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION to be inserted.
74 @param[in] RemotePeerIp Pointer to EFI_IP_ADDRESS to indicate the
75 unique IKEV2_SA_SESSION.
79 Ikev2SaSessionInsert (
80 IN LIST_ENTRY
*SaSessionList
,
81 IN IKEV2_SA_SESSION
*IkeSaSession
,
82 IN EFI_IP_ADDRESS
*RemotePeerIp
86 Remove the SA Session by Remote Peer IP.
88 @param[in] SaSessionList Pointer to list to be searched.
89 @param[in] RemotePeerIp Pointer to EFI_IP_ADDRESS to use for SA Session search.
91 @retval Pointer to IKEV2_SA_SESSION with the specified remote IP address.
95 Ikev2SaSessionRemove (
96 IN LIST_ENTRY
*SaSessionList
,
97 IN EFI_IP_ADDRESS
*RemotePeerIp
102 After the IKE/Child SA is established, close the time event and free the sent packet.
104 @param[in] SessionCommon Pointer to a Session Common.
108 Ikev2SessionCommonRefresh (
109 IN IKEV2_SESSION_COMMON
*SessionCommon
113 Free specified IKEV2 SA Session.
115 @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION to be freed.
120 IN IKEV2_SA_SESSION
*IkeSaSession
124 Free the specified Session Common. The session common would belong to an IKE SA or
127 @param[in] SessionCommon Pointer to a Session Common.
131 Ikev2SaSessionCommonFree (
132 IN IKEV2_SESSION_COMMON
*SessionCommon
136 Increase the MessageID in IkeSaSession.
138 @param[in] IkeSaSession Pointer to a specified IKEV2_SA_SESSION.
142 Ikev2SaSessionIncreaseMessageId (
143 IN IKEV2_SA_SESSION
*IkeSaSession
147 Allocate Memory for IKEV2 Child SA Session.
149 @param[in] UdpService Pointer to IKE_UDP_SERVICE.
150 @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION related to this Child SA
153 @retval Pointer to a newly created IKEV2 Child SA Session.
156 IKEV2_CHILD_SA_SESSION
*
157 Ikev2ChildSaSessionAlloc (
158 IN IKE_UDP_SERVICE
*UdpService
,
159 IN IKEV2_SA_SESSION
*IkeSaSession
163 Register an established IKEv2 Child SA into IkeSaSession->ChildSaEstablishSessionList.
164 If there is an IKEV2_CHILD_SA_SESSION with the same remote peer IP, remove the old one
165 then register the new one.
167 @param[in] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION to be registered.
168 @param[in] Private Pointer to IPSEC_PRIVATE_DATA.
172 Ikev2ChildSaSessionReg (
173 IN IKEV2_CHILD_SA_SESSION
*ChildSaSession
,
174 IN IPSEC_PRIVATE_DATA
*Private
178 This function finds the Child SA by the specified Spi.
180 This function finds a ChildSA session by searching the ChildSaSessionlist of
181 the input IKEV2_SA_SESSION by the specified MessageID.
183 @param[in] SaSessionList Pointer to List to be searched.
184 @param[in] Spi Specified SPI.
186 @return Pointer to IKEV2_CHILD_SA_SESSION.
189 IKEV2_CHILD_SA_SESSION
*
190 Ikev2ChildSaSessionLookupBySpi (
191 IN LIST_ENTRY
*SaSessionList
,
197 Insert a Child SA Session into the specified ChildSa list.
199 @param[in] SaSessionList Pointer to list to be inserted in.
200 @param[in] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION to be inserted.
204 Ikev2ChildSaSessionInsert (
205 IN LIST_ENTRY
*SaSessionList
,
206 IN IKEV2_CHILD_SA_SESSION
*ChildSaSession
210 Remove the IKEV2_CHILD_SA_SESSION from IkeSaSessionList.
212 @param[in] SaSessionList The SA Session List to be iterated.
213 @param[in] Spi Spi used to identify the IKEV2_CHILD_SA_SESSION.
214 @param[in] ListType The type of the List to indicate whether it is a
217 @return The point to IKEV2_CHILD_SA_SESSION.
220 IKEV2_CHILD_SA_SESSION
*
221 Ikev2ChildSaSessionRemove (
222 IN LIST_ENTRY
*SaSessionList
,
229 Free the memory allocated for the specified IKEV2_CHILD_SA_SESSION.
231 @param[in] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION.
235 Ikev2ChildSaSessionFree (
236 IN IKEV2_CHILD_SA_SESSION
*ChildSaSession
240 Free the specified DhBuffer.
242 @param[in] DhBuffer Pointer to IKEV2_DH_BUFFER to be freed.
247 IN IKEV2_DH_BUFFER
*DhBuffer
251 Delete the specified established Child SA.
253 This function deletes the Child SA directly and does not send the Information Packet to
256 @param[in] IkeSaSession Pointer to a IKE SA Session used to be searched for.
257 @param[in] Spi SPI used to find the Child SA.
259 @retval EFI_NOT_FOUND Pointer of IKE SA Session is NULL.
260 @retval EFI_NOT_FOUND There is no specified Child SA related with the input
261 SPI under this IKE SA Session.
262 @retval EFI_SUCCESS Delete the Child SA successfully.
266 Ikev2ChildSaSilentDelete (
267 IN IKEV2_SA_SESSION
*IkeSaSession
,
272 This function parses a request IKE packet and returns its request type.
273 The request type is one of IKE CHILD SA creation, IKE SA rekeying and
274 IKE CHILD SA rekeying.
276 @param[in] IkePacket IKE packet to be parsed.
278 Returns the type of the IKE packet.
281 IKEV2_CREATE_CHILD_REQUEST_TYPE
282 Ikev2ChildExchangeRequestType(
283 IN IKE_PACKET
*IkePacket
288 Associate a SPD selector to the Child SA Session.
290 This function is called when the Child SA is not the first child SA of its
291 IKE SA. It associates an SPD to this Child SA.
293 @param[in, out] ChildSaSession Pointer to the Child SA Session to be associated to
296 @retval EFI_SUCCESS Associate one SPD selector to this Child SA Session successfully.
297 @retval EFI_NOT_FOUND Can't find the related SPD selector.
301 Ikev2ChildSaAssociateSpdEntry (
302 IN OUT IKEV2_CHILD_SA_SESSION
*ChildSaSession
306 Validate the IKE header of received IKE packet.
308 @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION related to this IKE packet.
309 @param[in] IkeHdr Pointer to IKE header of received IKE packet.
311 @retval TRUE If the IKE header is valid.
312 @retval FALSE If the IKE header is invalid.
316 Ikev2ValidateHeader (
317 IN IKEV2_SA_SESSION
*IkeSaSession
,
318 IN IKE_HEADER
*IkeHdr
322 Create and initialize IKEV2_SA_DATA for the specified IKEV2_SESSION_COMMON.
324 This function will only be called by the initiator. The responder's IKEV2_SA_DATA
325 will be generated while parsing the initiator's packet.
327 @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON related to.
329 @retval a Pointer to a new IKEV2_SA_DATA or NULL.
333 Ikev2InitializeSaData (
334 IN IKEV2_SESSION_COMMON
*SessionCommon
338 Store the SA into SAD.
340 @param[in] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION.
345 IN IKEV2_CHILD_SA_SESSION
*ChildSaSession
349 Routine processing before the payload decoding.
351 @param[in] SessionCommon Pointer to ChildSa SessionCommon.
352 @param[in] PayloadBuf Pointer to the payload.
353 @param[in] PayloadSize Size of PayloadBuf in byte.
354 @param[in] PayloadType Type of Payload.
358 Ikev2ChildSaBeforeDecodePayload (
359 IN UINT8
*SessionCommon
,
360 IN UINT8
*PayloadBuf
,
361 IN UINTN PayloadSize
,
366 Routine processing after the payload encoding.
368 @param[in] SessionCommon Pointer to ChildSa SessionCommon.
369 @param[in] PayloadBuf Pointer to the payload.
370 @param[in] PayloadSize Size of PayloadBuf in byte.
371 @param[in] PayloadType Type of Payload.
375 Ikev2ChildSaAfterEncodePayload (
376 IN UINT8
*SessionCommon
,
377 IN UINT8
*PayloadBuf
,
378 IN UINTN PayloadSize
,
383 Generate Ikev2 SA payload according to SessionSaData
385 @param[in] SessionSaData The data used in SA payload.
386 @param[in] NextPayload The payload type presented in NextPayload field of
388 @param[in] Type The SA type. It MUST be either (1) for IKE_SA,
389 (2) for CHILD_SA or (3) for INFO.
391 @retval a Pointer to SA IKE payload.
395 Ikev2GenerateSaPayload (
396 IN IKEV2_SA_DATA
*SessionSaData
,
397 IN UINT8 NextPayload
,
398 IN IKE_SESSION_TYPE Type
402 Generate an ID payload.
404 @param[in] CommonSession Pointer to IKEV2_SESSION_COMMON related to ID payload.
405 @param[in] NextPayload The payload type presented in the NextPayload field
406 of ID Payload header.
408 @retval Pointer to ID IKE payload.
412 Ikev2GenerateIdPayload (
413 IN IKEV2_SESSION_COMMON
*CommonSession
,
418 Generate an ID payload.
420 @param[in] CommonSession Pointer to IKEV2_SESSION_COMMON related to ID payload.
421 @param[in] NextPayload The payload type presented in the NextPayload field
422 of ID Payload header.
423 @param[in] InCert Pointer to the Certificate which distinguished name
424 will be added into the Id payload.
425 @param[in] CertSize Size of the Certificate.
427 @retval Pointer to ID IKE payload.
431 Ikev2GenerateCertIdPayload (
432 IN IKEV2_SESSION_COMMON
*CommonSession
,
433 IN UINT8 NextPayload
,
439 Generate a Nonce payload containing the input parameter NonceBuf.
441 @param[in] NonceBuf The nonce buffer containing the whole Nonce payload block
442 except the payload header.
443 @param[in] NonceSize The buffer size of the NonceBuf
444 @param[in] NextPayload The payload type presented in the NextPayload field
445 of Nonce Payload header.
447 @retval Pointer to Nonce IKE payload.
451 Ikev2GenerateNoncePayload (
458 Generate the Notify payload.
460 Since the structure of the Notify payload defined in RFC 4306 is simple,
461 there is no internal data structure for the Notify payload. This function generates
462 the Notify payload defined in RFC 4306, but all the fields in this payload are still
463 in host order and Ikev2EncodePayload() must be called to convert those fields from
464 host order to network order before sending it.
466 @param[in] ProtocolId The protocol type ID. For IKE_SA it MUST be one (1).
467 For IPsec SAs it MUST be either (2) for AH or (3)
469 @param[in] NextPayload The next payload type in NextPayload field of
471 @param[in] SpiSize Size of the SPI in SPI size field of the Notify Payload.
472 @param[in] MessageType The message type in NotifyMessageType field of the
474 @param[in] SpiBuf Pointer to buffer contains the SPI value.
475 @param[in] NotifyData Pointer to buffer contains the notification data.
476 @param[in] NotifyDataSize The size of NotifyData in bytes.
479 @retval Pointer to IKE Notify Payload.
483 Ikev2GenerateNotifyPayload (
485 IN UINT8 NextPayload
,
487 IN UINT16 MessageType
,
489 IN UINT8
*NotifyData
,
490 IN UINTN NotifyDataSize
494 Generate the Delete payload.
496 Since the structure of the Delete payload defined in RFC 4306 is simple,
497 there is no internal data structure for the Delete payload. This function generates
498 the Delete payload defined in RFC 4306, but all the fields in this payload are still
499 in host order and Ikev2EncodePayload() must be called to convert those fields from
500 host order to network order before sending it.
502 @param[in] IkeSaSession Pointer to IKE SA Session to be used of Delete payload generation.
503 @param[in] NextPayload The next payload type in NextPayload field of
505 @param[in] SpiSize Size of the SPI in SPI size field of the Delete Payload.
506 @param[in] SpiNum Number of SPI in NumofSPIs field of the Delete Payload.
507 @param[in] SpiBuf Pointer to buffer contains the SPI value.
509 @retval Pointer to IKE Delete Payload.
513 Ikev2GenerateDeletePayload (
514 IN IKEV2_SA_SESSION
*IkeSaSession
,
515 IN UINT8 NextPayload
,
522 Generate the Configuration payload.
524 This function generates a configuration payload defined in RFC 4306, but all the
525 fields in this payload are still in host order and Ikev2EncodePayload() must be called
526 to convert those fields from host order to network order before sending it.
528 @param[in] IkeSaSession Pointer to IKE SA Session to be used for Delete payload
530 @param[in] NextPayload The next payload type in NextPayload field of
532 @param[in] CfgType The attribute type in the Configuration attribute.
534 @retval Pointer to IKE CP Payload.
538 Ikev2GenerateCpPayload (
539 IN IKEV2_SA_SESSION
*IkeSaSession
,
540 IN UINT8 NextPayload
,
545 Generate an Authentication Payload.
547 This function is used for both Authentication generation and verification. When
548 IsVerify is TRUE, it creates the Auth Data for verification. This function chooses the
549 related IKE_SA_INIT Message for Auth data creation according to the IKE Session's type
550 and the value of the IsVerify parameter.
552 @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION related to.
553 @param[in] IdPayload Pointer to the ID payload to be used for Authentication
555 @param[in] NextPayload The type filled into the Authentication Payload next
557 @param[in] IsVerify If it is TRUE, the Authentication payload is used for
560 @return pointer to IKE Authentication payload for pre-shared key method.
564 Ikev2PskGenerateAuthPayload (
565 IN IKEV2_SA_SESSION
*IkeSaSession
,
566 IN IKE_PAYLOAD
*IdPayload
,
567 IN UINT8 NextPayload
,
572 Generate an Authentication Payload for the Certificate Auth method.
574 This function serves two purposes. One is creating a local Authentication
575 Payload for sending and the other is creating the remote Authentication data
576 for verification when IsVerify is TRUE.
578 @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION related to.
579 @param[in] IdPayload Pointer to the ID payload to be used for Authentication
581 @param[in] NextPayload The type filled into the Authentication Payload
583 @param[in] IsVerify If it is TRUE, the Authentication payload is used
585 @param[in] UefiPrivateKey Pointer to the UEFI private key. Ignore it when
586 verify the authenticate payload.
587 @param[in] UefiPrivateKeyLen The size of UefiPrivateKey in bytes. Ignore it
588 when verify the authenticate payload.
589 @param[in] UefiKeyPwd Pointer to the password of UEFI private key.
590 Ignore it when verify the authenticate payload.
591 @param[in] UefiKeyPwdLen The size of UefiKeyPwd in bytes. Ignore it when
592 verify the authenticate payload.
594 @return pointer to IKE Authentication payload for certification method.
598 Ikev2CertGenerateAuthPayload (
599 IN IKEV2_SA_SESSION
*IkeSaSession
,
600 IN IKE_PAYLOAD
*IdPayload
,
601 IN UINT8 NextPayload
,
603 IN UINT8
*UefiPrivateKey
,
604 IN UINTN UefiPrivateKeyLen
,
605 IN UINT8
*UefiKeyPwd
,
606 IN UINTN UefiKeyPwdLen
612 This function generates TSi or TSr payload according to type of next payload.
613 If the next payload is Responder TS, generate TSi Payload. Otherwise, generate
616 @param[in] ChildSa Pointer to IKEV2_CHILD_SA_SESSION related to this TS payload.
617 @param[in] NextPayload The payload type presented in the NextPayload field
618 of ID Payload header.
619 @param[in] IsTunnel It indicates that if the Ts Payload is after the CP payload.
620 If yes, it means the Tsi and Tsr payload should be with
621 Max port range and address range and protocol is marked
624 @retval Pointer to Ts IKE payload.
628 Ikev2GenerateTsPayload (
629 IN IKEV2_CHILD_SA_SESSION
*ChildSa
,
630 IN UINT8 NextPayload
,
635 Parse the Notify Cookie payload.
637 This function parses the Notify Cookie payload. If the Notify ProtocolId is not
638 IPSEC_PROTO_ISAKMP, or if the SpiSize is not zero, or if the MessageType is not
639 COOKIE, return EFI_INVALID_PARAMETER.
641 @param[in] IkeNCookie Pointer to the IKE_PAYLOAD which contains the
642 Notify Cookie payload.
644 @param[in, out] IkeSaSession Pointer to the relevant IKE SA Session.
646 @retval EFI_SUCCESS The Notify Cookie Payload is valid.
647 @retval EFI_INVALID_PARAMETER The Notify Cookie Payload is invalid.
648 @retval EFI_OUT_OF_RESOURCES The required resource can't be allocated.
652 Ikev2ParserNotifyCookiePayload (
653 IN IKE_PAYLOAD
*IkeNCookie
,
654 IN OUT IKEV2_SA_SESSION
*IkeSaSession
658 Generate the Certificate payload or Certificate Request Payload.
660 Since the Certificate Payload structure is the same as the Certificate Request Payload,
661 the only difference is that one contains the Certificate Data and the other contains
662 the acceptable certification CA. This function generates the Certificate payload
663 or Certificate Request Payload defined in RFC 4306, but all the fields
664 in the payload are still in host order and Ikev2EncodePayload() must be called
665 to convert those fields from host order to network order before sending it.
667 @param[in] IkeSaSession Pointer to IKE SA Session to be used of Delete payload
669 @param[in] NextPayload The next payload type in NextPayload field of
671 @param[in] Certificate Pointer of buffer contains the certification data.
672 @param[in] CertificateLen The length of Certificate in byte.
673 @param[in] EncodeType Specifies the Certificate Encoding which is defined
675 @param[in] IsRequest To indicate create Certificate Payload or Certificate
676 Request Payload. If it is TRUE, create Certificate
677 Request Payload. Otherwise, create Certificate Payload.
679 @retval a Pointer to IKE Payload whose payload buffer contains the Certificate
680 payload or Certificate Request payload.
684 Ikev2GenerateCertificatePayload (
685 IN IKEV2_SA_SESSION
*IkeSaSession
,
686 IN UINT8 NextPayload
,
687 IN UINT8
*Certificate
,
688 IN UINTN CertificateLen
,
694 General interface of payload encoding.
696 This function encodes the internal data structure into the payload which
697 is defined in RFC 4306. The IkePayload->PayloadBuf is used to store both the input
698 payload and the converted payload. Only the SA payload uses the internal structure
699 to store the attributes. Other payloads use a structure which is the same as the RFC
700 defines; for this kind of payload just do the host order to network order change of
703 @param[in] SessionCommon Pointer to IKE Session Common used to encode the payload.
704 @param[in, out] IkePayload Pointer to IKE payload to be encode as input, and
705 store the encoded result as output.
707 @retval EFI_INVALID_PARAMETER An error was met when encoding the SA payload.
708 @retval EFI_SUCCESS Encode successfully.
713 IN UINT8
*SessionCommon
,
714 IN OUT IKE_PAYLOAD
*IkePayload
718 The general interface of payload decoding.
720 This function converts the received Payload into the internal structure.
722 @param[in] SessionCommon Pointer to IKE Session Common to use for decoding.
723 @param[in, out] IkePayload Pointer to IKE payload to be decode as input, and
724 store the decoded result as output.
726 @retval EFI_INVALID_PARAMETER An error was met when decoding the SA payload.
727 @retval EFI_SUCCESS Decode successfully.
732 IN UINT8
*SessionCommon
,
733 IN OUT IKE_PAYLOAD
*IkePayload
739 This function decrypts the Encrypted IKE packet and puts the result into IkePacket->PayloadBuf.
741 @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON containing
742 some parameter used during decrypting.
743 @param[in, out] IkePacket Point to IKE_PACKET to be decrypted as input,
744 and the decrypted result as output.
745 @param[in, out] IkeType The type of IKE. IKE_SA_TYPE, IKE_INFO_TYPE and
746 IKE_CHILD_TYPE are supported.
748 @retval EFI_INVALID_PARAMETER If the IKE packet length is zero or the
749 IKE packet length is not Algorithm Block Size
751 @retval EFI_SUCCESS Decrypt IKE packet successfully.
756 IN IKEV2_SESSION_COMMON
*SessionCommon
,
757 IN OUT IKE_PACKET
*IkePacket
,
764 This function encrypts the IKE packet before sending it. The Encrypted IKE packet
765 is put into the IKEV2 Encrypted Payload.
767 @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON related to the IKE packet.
768 @param[in, out] IkePacket Pointer to IKE packet to be encrypted.
770 @retval EFI_SUCCESS Operation is successful.
771 @retval Others Operation failed.
776 IN IKEV2_SESSION_COMMON
*SessionCommon
,
777 IN OUT IKE_PACKET
*IkePacket
781 Encode the IKE packet.
783 This function puts all Payloads into one payload then encrypts it if needed.
785 @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON containing
786 some parameter used during IKE packet encoding.
787 @param[in, out] IkePacket Pointer to IKE_PACKET to be encoded as input,
788 and the encoded result as output.
789 @param[in] IkeType The type of IKE. IKE_SA_TYPE, IKE_INFO_TYPE and
790 IKE_CHILD_TYPE are supported.
792 @retval EFI_SUCCESS Encode IKE packet successfully.
793 @retval Otherwise Encoding the IKE packet failed.
798 IN IKEV2_SESSION_COMMON
*SessionCommon
,
799 IN OUT IKE_PACKET
*IkePacket
,
804 Decode the IKE packet.
806 This function first decrypts the IKE packet if needed, then separates the whole
807 IKE packet from the IkePacket->PayloadBuf into the IkePacket payload list.
809 @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON containing
810 some parameter used by IKE packet decoding.
811 @param[in, out] IkePacket The IKE Packet to be decoded on input, and
812 the decoded result on return.
813 @param[in] IkeType The type of IKE. IKE_SA_TYPE, IKE_INFO_TYPE and
814 IKE_CHILD_TYPE are supported.
816 @retval EFI_SUCCESS The IKE packet is decoded successfully.
817 @retval Otherwise The IKE packet decoding failed.
822 IN IKEV2_SESSION_COMMON
*SessionCommon
,
823 IN OUT IKE_PACKET
*IkePacket
,
829 Send out IKEV2 packet.
831 @param[in] IkeUdpService Pointer to IKE_UDP_SERVICE used to send the IKE packet.
832 @param[in] SessionCommon Pointer to IKEV1_SESSION_COMMON related to the IKE packet.
833 @param[in] IkePacket Pointer to IKE_PACKET to be sent out.
834 @param[in] IkeType The type of IKE indicating what kind of IKE
835 packet is to be sent out. IKE_SA_TYPE, IKE_INFO_TYPE
836 and IKE_CHILD_TYPE are supported.
838 @retval EFI_SUCCESS The operation complete successfully.
839 @retval Otherwise The operation failed.
844 IN IKE_UDP_SERVICE
*IkeUdpService
,
845 IN UINT8
*SessionCommon
,
846 IN IKE_PACKET
*IkePacket
,
851 Callback function invoked when the IKE lifetime is over.
853 This function will mark the related IKE SA Session as deleting and trigger an
854 Information negotiation.
856 @param[in] Event The time out event.
857 @param[in] Context Pointer to data passed by caller.
862 Ikev2LifetimeNotify (
868 This function will be called if the TimeOut Event is signaled.
870 @param[in] Event The signaled Event.
871 @param[in] Context The data passed by caller.
882 Generate a Key Exchange payload according to the DH group type and save the
883 public Key into IkeSaSession IkeKey field.
885 @param[in, out] IkeSaSession Pointer of the IKE_SA_SESSION.
886 @param[in] NextPayload The payload type presented in the NextPayload field of Key
887 Exchange Payload header.
889 @retval Pointer to Key IKE payload.
893 Ikev2GenerateKePayload (
894 IN OUT IKEV2_SA_SESSION
*IkeSaSession
,
899 Check if the SPD is related to the input Child SA Session.
901 This function is the subfunction of Ikev1AssociateSpdEntry(). It is the callback
902 function of IpSecVisitConfigData().
905 @param[in] Type Type of the input Config Selector.
906 @param[in] Selector Pointer to the Configure Selector to be checked.
907 @param[in] Data Pointer to the Configure Selector's Data passed
909 @param[in] SelectorSize The buffer size of Selector.
910 @param[in] DataSize The buffer size of the Data.
911 @param[in] Context The data passed from the caller. It is a Child
912 SA Session in this context.
914 @retval EFI_SUCCESS The SPD Selector is not related to the Child SA Session.
915 @retval EFI_ABORTED The SPD Selector is related to the Child SA session and
916 set the ChildSaSession->Spd to point to this SPD Selector.
921 IN EFI_IPSEC_CONFIG_DATA_TYPE Type
,
922 IN EFI_IPSEC_CONFIG_SELECTOR
*Selector
,
924 IN UINTN SelectorSize
,
930 Check if the Algorithm ID is supported.
932 @param[in] AlgorithmId The specified Algorithm ID.
933 @param[in] Type The type used to indicate the Algorithm is for Encrypt or
936 @retval TRUE If the Algorithm ID is supported.
937 @retval FALSE If the Algorithm ID is not supported.
942 IN UINT16 AlgorithmId
,
947 Generate a ChildSa Session and insert it into related IkeSaSession.
949 @param[in] IkeSaSession Pointer to related IKEV2_SA_SESSION.
950 @param[in] UdpService Pointer to related IKE_UDP_SERVICE.
952 @return pointer of IKEV2_CHILD_SA_SESSION.
955 IKEV2_CHILD_SA_SESSION
*
956 Ikev2ChildSaSessionCreate (
957 IN IKEV2_SA_SESSION
*IkeSaSession
,
958 IN IKE_UDP_SERVICE
*UdpService
962 Parse the received Initial Exchange Packet.
964 This function parses the SA Payload and Key Payload to find out the cryptographic
965 suite for the further IKE negotiation and fill it into the IKE SA Session's
966 CommonSession->SaParams.
968 @param[in, out] IkeSaSession Pointer to related IKEV2_SA_SESSION.
969 @param[in] SaPayload The received packet.
970 @param[in] Type The received packet IKE header flag.
972 @retval TRUE If the SA proposal in Packet is acceptable.
973 @retval FALSE If the SA proposal in Packet is not acceptable.
977 Ikev2SaParseSaPayload (
978 IN OUT IKEV2_SA_SESSION
*IkeSaSession
,
979 IN IKE_PAYLOAD
*SaPayload
,
984 Parse the received Authentication Exchange Packet.
986 This function parses the SA Payload and Key Payload to find out the cryptographic
987 suite for the ESP and fill it into the Child SA Session's CommonSession->SaParams.
989 @param[in, out] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION related to
990 this Authentication Exchange.
991 @param[in] SaPayload The received packet.
992 @param[in] Type The IKE header's flag of the received packet.
994 @retval TRUE If the SA proposal in Packet is acceptable.
995 @retval FALSE If the SA proposal in Packet is not acceptable.
999 Ikev2ChildSaParseSaPayload (
1000 IN OUT IKEV2_CHILD_SA_SESSION
*ChildSaSession
,
1001 IN IKE_PAYLOAD
*SaPayload
,
1006 Generate Key buffer from fragments.
1008 If the digest length of the specified HashAlgId is larger than or equal to the
1009 required output key length, derive the key directly. Otherwise, the Key Material
1010 needs to be generated by PRF-based concatenation according to 2.13 of RFC 4306:
1011 prf+ (K,S) = T1 | T2 | T3 | T4 | ..., T1 = prf (K, S | 0x01),
1012 T2 = prf (K, T1 | S | 0x02), T3 = prf (K, T2 | S | 0x03),T4 = prf (K, T3 | S | 0x04)
1013 then derive the key from this key material.
1015 @param[in] HashAlgId The Hash Algorithm ID used to generate key.
1016 @param[in] HashKey Pointer to a key buffer which contains hash key.
1017 @param[in] HashKeyLength The length of HashKey in bytes.
1018 @param[in, out] OutputKey Pointer to buffer which is used to receive the
1020 @param[in] OutputKeyLength The length of OutPutKey buffer.
1021 @param[in] Fragments Pointer to the data to be used to generate key.
1022 @param[in] NumFragments The number of Fragments.
1024 @retval EFI_SUCCESS The operation complete successfully.
1025 @retval EFI_INVALID_PARAMETER If NumFragments is zero.
1026 @retval EFI_OUT_OF_RESOURCES If the required resource can't be allocated.
1027 @retval Others The operation failed.
1031 Ikev2SaGenerateKey (
1034 IN UINTN HashKeyLength
,
1035 IN OUT UINT8
*OutputKey
,
1036 IN UINTN OutputKeyLength
,
1037 IN PRF_DATA_FRAGMENT
*Fragments
,
1038 IN UINTN NumFragments
1042 Copy ChildSaSession->Spd->Selector to ChildSaSession->SpdSelector.
1044 ChildSaSession->SpdSelector stores the real SpdSelector for its SA. Sometimes,
1045 the SpdSelector in ChildSaSession is more accurate or the scope is smaller
1046 than the one in ChildSaSession->Spd, especially for the tunnel mode.
1048 @param[in, out] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION related to.
1050 @retval EFI_SUCCESS The operation complete successfully.
1051 @retval EFI_OUT_OF_RESOURCES If the required resource can't be allocated.
1055 Ikev2ChildSaSessionSpdSelectorCreate (
1056 IN OUT IKEV2_CHILD_SA_SESSION
*ChildSaSession
//
// Table of the supported IKE encryption algorithms, defined elsewhere in the
// module; presumably IKEV2_SUPPORT_ENCRYPT_ALGORITHM_NUM entries -- TODO confirm
// against the table definition in the .c file.
//
1059 extern IKE_ALG_GUID_INFO mIPsecEncrAlgInfo
[];