--- /dev/null
+/** @file\r
+ The implementation of policy entry operation function in IpSecConfig application.\r
+\r
+ Copyright (c) 2009 - 2010, Intel Corporation. All rights reserved.<BR>\r
+\r
+ This program and the accompanying materials\r
+ are licensed and made available under the terms and conditions of the BSD License\r
+ which accompanies this distribution. The full text of the license may be found at\r
+ http://opensource.org/licenses/bsd-license.php.\r
+\r
+ THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,\r
+ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r
+\r
+**/\r
+\r
+#include "IpSecConfig.h"\r
+#include "Indexer.h"\r
+#include "Match.h"\r
+#include "Helper.h"\r
+#include "ForEach.h"\r
+#include "PolicyEntryOperation.h"\r
+\r
+/**\r
+ Fill in EFI_IPSEC_SPD_SELECTOR through ParamPackage list.\r
+\r
+ @param[out] Selector The pointer to the EFI_IPSEC_SPD_SELECTOR structure.\r
+ @param[in] ParamPackage The pointer to the ParamPackage list.\r
+ @param[in, out] ParamPackage The pointer to the Mask.\r
+\r
+ @retval EFI_SUCCESS Fill in EFI_IPSEC_SPD_SELECTOR successfully.\r
+ @retval EFI_INVALID_PARAMETER Invalid user input parameter.\r
+\r
+**/\r
+EFI_STATUS\r
+CreateSpdSelector (\r
+ OUT EFI_IPSEC_SPD_SELECTOR *Selector,\r
+ IN LIST_ENTRY *ParamPackage,\r
+ IN OUT UINT32 *Mask\r
+ )\r
+{\r
+ EFI_STATUS Status;\r
+ EFI_STATUS ReturnStatus;\r
+ CONST CHAR16 *ValueStr;\r
+\r
+ Status = EFI_SUCCESS;\r
+ ReturnStatus = EFI_SUCCESS;\r
+\r
+ //\r
+ // Convert user imput from string to integer, and fill in the member in EFI_IPSEC_SPD_SELECTOR.\r
+ //\r
+ ValueStr = ShellCommandLineGetValue (ParamPackage, L"--local");\r
+ if (ValueStr != NULL) {\r
+ Selector->LocalAddressCount = 1;\r
+ Status = EfiInetAddrRange ((CHAR16 *) ValueStr, Selector->LocalAddress);\r
+ if (EFI_ERROR (Status)) {\r
+ ShellPrintHiiEx (\r
+ -1,\r
+ -1,\r
+ NULL,\r
+ STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE),\r
+ mHiiHandle,\r
+ mAppName,\r
+ L"--local",\r
+ ValueStr\r
+ );\r
+ ReturnStatus = EFI_INVALID_PARAMETER;\r
+ } else {\r
+ *Mask |= LOCAL;\r
+ }\r
+ }\r
+\r
+ //\r
+ // Convert user imput from string to integer, and fill in the member in EFI_IPSEC_SPD_SELECTOR.\r
+ //\r
+ ValueStr = ShellCommandLineGetValue (ParamPackage, L"--remote");\r
+ if (ValueStr != NULL) {\r
+ Selector->RemoteAddressCount = 1;\r
+ Status = EfiInetAddrRange ((CHAR16 *) ValueStr, Selector->RemoteAddress);\r
+ if (EFI_ERROR (Status)) {\r
+ ShellPrintHiiEx (\r
+ -1,\r
+ -1,\r
+ NULL,\r
+ STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE),\r
+ mHiiHandle,\r
+ mAppName,\r
+ L"--remote",\r
+ ValueStr\r
+ );\r
+ ReturnStatus = EFI_INVALID_PARAMETER;\r
+ } else {\r
+ *Mask |= REMOTE;\r
+ }\r
+ }\r
+\r
+ Selector->NextLayerProtocol = EFI_IPSEC_ANY_PROTOCOL;\r
+\r
+ //\r
+ // Convert user imput from string to integer, and fill in the member in EFI_IPSEC_SPD_SELECTOR.\r
+ //\r
+ Status = GetNumber (\r
+ L"--proto",\r
+ (UINT16) -1,\r
+ &Selector->NextLayerProtocol,\r
+ sizeof (UINT16),\r
+ mMapIpProtocol,\r
+ ParamPackage,\r
+ FORMAT_NUMBER | FORMAT_STRING\r
+ );\r
+ if (!EFI_ERROR (Status)) {\r
+ *Mask |= PROTO;\r
+ }\r
+\r
+ if (Status == EFI_INVALID_PARAMETER) {\r
+ ReturnStatus = EFI_INVALID_PARAMETER;\r
+ }\r
+\r
+ Selector->LocalPort = EFI_IPSEC_ANY_PORT;\r
+ Selector->RemotePort = EFI_IPSEC_ANY_PORT;\r
+\r
+ //\r
+ // Convert user imput from string to integer, and fill in the member in EFI_IPSEC_SPD_SELECTOR.\r
+ //\r
+ ValueStr = ShellCommandLineGetValue (ParamPackage, L"--local-port");\r
+ if (ValueStr != NULL) {\r
+ Status = EfiInetPortRange ((CHAR16 *) ValueStr, &Selector->LocalPort, &Selector->LocalPortRange);\r
+ if (EFI_ERROR (Status)) {\r
+ ShellPrintHiiEx (\r
+ -1,\r
+ -1,\r
+ NULL,\r
+ STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE),\r
+ mHiiHandle,\r
+ mAppName,\r
+ L"--local-port",\r
+ ValueStr\r
+ );\r
+ ReturnStatus = EFI_INVALID_PARAMETER;\r
+ } else {\r
+ *Mask |= LOCAL_PORT;\r
+ }\r
+ }\r
+\r
+ //\r
+ // Convert user imput from string to integer, and fill in the member in EFI_IPSEC_SPD_SELECTOR.\r
+ //\r
+ ValueStr = ShellCommandLineGetValue (ParamPackage, L"--remote-port");\r
+ if (ValueStr != NULL) {\r
+ Status = EfiInetPortRange ((CHAR16 *) ValueStr, &Selector->RemotePort, &Selector->RemotePortRange);\r
+ if (EFI_ERROR (Status)) {\r
+ ShellPrintHiiEx (\r
+ -1,\r
+ -1,\r
+ NULL,\r
+ STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE),\r
+ mHiiHandle,\r
+ mAppName,\r
+ L"--remote-port",\r
+ ValueStr\r
+ );\r
+ ReturnStatus = EFI_INVALID_PARAMETER;\r
+ } else {\r
+ *Mask |= REMOTE_PORT;\r
+ }\r
+ }\r
+\r
+ //\r
+ // Convert user imput from string to integer, and fill in the member in EFI_IPSEC_SPD_SELECTOR.\r
+ //\r
+ Status = GetNumber (\r
+ L"--icmp-type",\r
+ (UINT8) -1,\r
+ &Selector->LocalPort,\r
+ sizeof (UINT16),\r
+ NULL,\r
+ ParamPackage,\r
+ FORMAT_NUMBER\r
+ );\r
+ if (!EFI_ERROR (Status)) {\r
+ *Mask |= ICMP_TYPE;\r
+ }\r
+\r
+ if (Status == EFI_INVALID_PARAMETER) {\r
+ ReturnStatus = EFI_INVALID_PARAMETER;\r
+ }\r
+\r
+ //\r
+ // Convert user imput from string to integer, and fill in the member in EFI_IPSEC_SPD_SELECTOR.\r
+ //\r
+ Status = GetNumber (\r
+ L"--icmp-code",\r
+ (UINT8) -1,\r
+ &Selector->RemotePort,\r
+ sizeof (UINT16),\r
+ NULL,\r
+ ParamPackage,\r
+ FORMAT_NUMBER\r
+ );\r
+ if (!EFI_ERROR (Status)) {\r
+ *Mask |= ICMP_CODE;\r
+ }\r
+\r
+ if (Status == EFI_INVALID_PARAMETER) {\r
+ ReturnStatus = EFI_INVALID_PARAMETER;\r
+ }\r
+\r
+ return ReturnStatus;\r
+}\r
+\r
+/**\r
+ Fill in EFI_IPSEC_SPD_SELECTOR and EFI_IPSEC_SPD_DATA through ParamPackage list.\r
+\r
+ @param[out] Selector The pointer to the EFI_IPSEC_SPD_SELECTOR structure.\r
+ @param[out] Data The pointer to the EFI_IPSEC_SPD_DATA structure.\r
+ @param[in] ParamPackage The pointer to the ParamPackage list.\r
+ @param[out] Mask The pointer to the Mask.\r
+ @param[in] CreateNew The switch to create new.\r
+\r
+ @retval EFI_SUCCESS Fill in EFI_IPSEC_SPD_SELECTOR and EFI_IPSEC_SPD_DATA successfully.\r
+ @retval EFI_INVALID_PARAMETER Invalid user input parameter.\r
+\r
+**/\r
+EFI_STATUS\r
+CreateSpdEntry (\r
+ OUT EFI_IPSEC_SPD_SELECTOR **Selector,\r
+ OUT EFI_IPSEC_SPD_DATA **Data,\r
+ IN LIST_ENTRY *ParamPackage,\r
+ OUT UINT32 *Mask,\r
+ IN BOOLEAN CreateNew\r
+ )\r
+{\r
+ EFI_STATUS Status;\r
+ EFI_STATUS ReturnStatus;\r
+ CONST CHAR16 *ValueStr;\r
+ UINTN DataSize;\r
+\r
+ Status = EFI_SUCCESS;\r
+ *Mask = 0;\r
+\r
+ *Selector = AllocateZeroPool (sizeof (EFI_IPSEC_SPD_SELECTOR) + 2 * sizeof (EFI_IP_ADDRESS_INFO));\r
+ ASSERT (*Selector != NULL);\r
+\r
+ (*Selector)->LocalAddress = (EFI_IP_ADDRESS_INFO *) (*Selector + 1);\r
+ (*Selector)->RemoteAddress = (*Selector)->LocalAddress + 1;\r
+\r
+ ReturnStatus = CreateSpdSelector (*Selector, ParamPackage, Mask);\r
+\r
+ //\r
+ // SPD DATA\r
+ // NOTE: Allocate enough memory and add padding for different arch.\r
+ //\r
+ DataSize = ALIGN_VARIABLE (sizeof (EFI_IPSEC_SPD_DATA));\r
+ DataSize = ALIGN_VARIABLE (DataSize + sizeof (EFI_IPSEC_PROCESS_POLICY));\r
+ DataSize += sizeof (EFI_IPSEC_TUNNEL_OPTION);\r
+\r
+ *Data = AllocateZeroPool (DataSize);\r
+ ASSERT (*Data != NULL);\r
+\r
+ (*Data)->ProcessingPolicy = (EFI_IPSEC_PROCESS_POLICY *) ALIGN_POINTER (\r
+ (*Data + 1),\r
+ sizeof (UINTN)\r
+ );\r
+ (*Data)->ProcessingPolicy->TunnelOption = (EFI_IPSEC_TUNNEL_OPTION *) ALIGN_POINTER (\r
+ ((*Data)->ProcessingPolicy + 1),\r
+ sizeof (UINTN)\r
+ );\r
+\r
+\r
+ //\r
+ // Convert user imput from string to integer, and fill in the Name in EFI_IPSEC_SPD_DATA.\r
+ //\r
+ ValueStr = ShellCommandLineGetValue (ParamPackage, L"--name");\r
+ if (ValueStr != NULL) {\r
+ UnicodeStrToAsciiStr (ValueStr, (CHAR8 *) (*Data)->Name);\r
+ *Mask |= NAME;\r
+ }\r
+\r
+ //\r
+ // Convert user imput from string to integer, and fill in the PackageFlag in EFI_IPSEC_SPD_DATA.\r
+ //\r
+ Status = GetNumber (\r
+ L"--packet-flag",\r
+ (UINT8) -1,\r
+ &(*Data)->PackageFlag,\r
+ sizeof (UINT32),\r
+ NULL,\r
+ ParamPackage,\r
+ FORMAT_NUMBER\r
+ );\r
+ if (!EFI_ERROR (Status)) {\r
+ *Mask |= PACKET_FLAG;\r
+ }\r
+\r
+ if (Status == EFI_INVALID_PARAMETER) {\r
+ ReturnStatus = EFI_INVALID_PARAMETER;\r
+ }\r
+\r
+ //\r
+ // Convert user imput from string to integer, and fill in the Action in EFI_IPSEC_SPD_DATA.\r
+ //\r
+ Status = GetNumber (\r
+ L"--action",\r
+ (UINT8) -1,\r
+ &(*Data)->Action,\r
+ sizeof (UINT32),\r
+ mMapIpSecAction,\r
+ ParamPackage,\r
+ FORMAT_STRING\r
+ );\r
+ if (!EFI_ERROR (Status)) {\r
+ *Mask |= ACTION;\r
+ }\r
+\r
+ if (Status == EFI_INVALID_PARAMETER) {\r
+ ReturnStatus = EFI_INVALID_PARAMETER;\r
+ }\r
+\r
+ //\r
+ // Convert user imput from string to integer, and fill in the ExtSeqNum in EFI_IPSEC_SPD_DATA.\r
+ //\r
+ if (ShellCommandLineGetFlag (ParamPackage, L"--ext-sequence")) {\r
+ (*Data)->ProcessingPolicy->ExtSeqNum = TRUE;\r
+ *Mask |= EXT_SEQUENCE;\r
+ } else if (ShellCommandLineGetFlag (ParamPackage, L"--ext-sequence-")) {\r
+ (*Data)->ProcessingPolicy->ExtSeqNum = FALSE;\r
+ *Mask |= EXT_SEQUENCE;\r
+ }\r
+\r
+ //\r
+ // Convert user imput from string to integer, and fill in the SeqOverflow in EFI_IPSEC_SPD_DATA.\r
+ //\r
+ if (ShellCommandLineGetFlag (ParamPackage, L"--sequence-overflow")) {\r
+ (*Data)->ProcessingPolicy->SeqOverflow = TRUE;\r
+ *Mask |= SEQUENCE_OVERFLOW;\r
+ } else if (ShellCommandLineGetFlag (ParamPackage, L"--sequence-overflow-")) {\r
+ (*Data)->ProcessingPolicy->SeqOverflow = FALSE;\r
+ *Mask |= SEQUENCE_OVERFLOW;\r
+ }\r
+\r
+ //\r
+ // Convert user imput from string to integer, and fill in the FragCheck in EFI_IPSEC_SPD_DATA.\r
+ //\r
+ if (ShellCommandLineGetFlag (ParamPackage, L"--fragment-check")) {\r
+ (*Data)->ProcessingPolicy->FragCheck = TRUE;\r
+ *Mask |= FRAGMENT_CHECK;\r
+ } else if (ShellCommandLineGetFlag (ParamPackage, L"--fragment-check-")) {\r
+ (*Data)->ProcessingPolicy->FragCheck = FALSE;\r
+ *Mask |= FRAGMENT_CHECK;\r
+ }\r
+\r
+ //\r
+ // Convert user imput from string to integer, and fill in the ProcessingPolicy in EFI_IPSEC_SPD_DATA.\r
+ //\r
+ Status = GetNumber (\r
+ L"--lifebyte",\r
+ (UINT64) -1,\r
+ &(*Data)->ProcessingPolicy->SaLifetime.ByteCount,\r
+ sizeof (UINT64),\r
+ NULL,\r
+ ParamPackage,\r
+ FORMAT_NUMBER\r
+ );\r
+ if (!EFI_ERROR (Status)) {\r
+ *Mask |= LIFEBYTE;\r
+ }\r
+\r
+ if (Status == EFI_INVALID_PARAMETER) {\r
+ ReturnStatus = EFI_INVALID_PARAMETER;\r
+ }\r
+\r
+ Status = GetNumber (\r
+ L"--lifetime",\r
+ (UINT64) -1,\r
+ &(*Data)->ProcessingPolicy->SaLifetime.HardLifetime,\r
+ sizeof (UINT64),\r
+ NULL,\r
+ ParamPackage,\r
+ FORMAT_NUMBER\r
+ );\r
+ if (!EFI_ERROR (Status)) {\r
+ *Mask |= LIFETIME;\r
+ }\r
+ if (Status == EFI_INVALID_PARAMETER) {\r
+ ReturnStatus = EFI_INVALID_PARAMETER;\r
+ }\r
+\r
+ Status = GetNumber (\r
+ L"--lifetime-soft",\r
+ (UINT64) -1,\r
+ &(*Data)->ProcessingPolicy->SaLifetime.SoftLifetime,\r
+ sizeof (UINT64),\r
+ NULL,\r
+ ParamPackage,\r
+ FORMAT_NUMBER\r
+ );\r
+ if (!EFI_ERROR (Status)) {\r
+ *Mask |= LIFETIME_SOFT;\r
+ }\r
+\r
+ if (Status == EFI_INVALID_PARAMETER) {\r
+ ReturnStatus = EFI_INVALID_PARAMETER;\r
+ }\r
+\r
+ (*Data)->ProcessingPolicy->Mode = EfiIPsecTransport;\r
+ Status = GetNumber (\r
+ L"--mode",\r
+ 0,\r
+ &(*Data)->ProcessingPolicy->Mode,\r
+ sizeof (UINT32),\r
+ mMapIpSecMode,\r
+ ParamPackage,\r
+ FORMAT_STRING\r
+ );\r
+ if (!EFI_ERROR (Status)) {\r
+ *Mask |= MODE;\r
+ }\r
+\r
+ if (Status == EFI_INVALID_PARAMETER) {\r
+ ReturnStatus = EFI_INVALID_PARAMETER;\r
+ }\r
+\r
+ ValueStr = ShellCommandLineGetValue (ParamPackage, L"--tunnel-local");\r
+ if (ValueStr != NULL) {\r
+ Status = EfiInetAddr2 ((CHAR16 *) ValueStr, &(*Data)->ProcessingPolicy->TunnelOption->LocalTunnelAddress);\r
+ if (EFI_ERROR (Status)) {\r
+ ShellPrintHiiEx (\r
+ -1,\r
+ -1,\r
+ NULL,\r
+ STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE),\r
+ mHiiHandle,\r
+ mAppName,\r
+ L"--tunnel-local",\r
+ ValueStr\r
+ );\r
+ ReturnStatus = EFI_INVALID_PARAMETER;\r
+ } else {\r
+ *Mask |= TUNNEL_LOCAL;\r
+ }\r
+ }\r
+\r
+ ValueStr = ShellCommandLineGetValue (ParamPackage, L"--tunnel-remote");\r
+ if (ValueStr != NULL) {\r
+ Status = EfiInetAddr2 ((CHAR16 *) ValueStr, &(*Data)->ProcessingPolicy->TunnelOption->RemoteTunnelAddress);\r
+ if (EFI_ERROR (Status)) {\r
+ ShellPrintHiiEx (\r
+ -1,\r
+ -1,\r
+ NULL,\r
+ STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE),\r
+ mHiiHandle,\r
+ mAppName,\r
+ L"--tunnel-remote",\r
+ ValueStr\r
+ );\r
+ ReturnStatus = EFI_INVALID_PARAMETER;\r
+ } else {\r
+ *Mask |= TUNNEL_REMOTE;\r
+ }\r
+ }\r
+\r
+ (*Data)->ProcessingPolicy->TunnelOption->DF = EfiIPsecTunnelCopyDf;\r
+ Status = GetNumber (\r
+ L"--dont-fragment",\r
+ 0,\r
+ &(*Data)->ProcessingPolicy->TunnelOption->DF,\r
+ sizeof (UINT32),\r
+ mMapDfOption,\r
+ ParamPackage,\r
+ FORMAT_STRING\r
+ );\r
+ if (!EFI_ERROR (Status)) {\r
+ *Mask |= DONT_FRAGMENT;\r
+ }\r
+\r
+ if (Status == EFI_INVALID_PARAMETER) {\r
+ ReturnStatus = EFI_INVALID_PARAMETER;\r
+ }\r
+\r
+ (*Data)->ProcessingPolicy->Proto = EfiIPsecESP;\r
+ Status = GetNumber (\r
+ L"--ipsec-proto",\r
+ 0,\r
+ &(*Data)->ProcessingPolicy->Proto,\r
+ sizeof (UINT32),\r
+ mMapIpSecProtocol,\r
+ ParamPackage,\r
+ FORMAT_STRING\r
+ );\r
+ if (!EFI_ERROR (Status)) {\r
+ *Mask |= IPSEC_PROTO;\r
+ }\r
+\r
+ if (Status == EFI_INVALID_PARAMETER) {\r
+ ReturnStatus = EFI_INVALID_PARAMETER;\r
+ }\r
+\r
+ Status = GetNumber (\r
+ L"--encrypt-algo",\r
+ 0,\r
+ &(*Data)->ProcessingPolicy->EncAlgoId,\r
+ sizeof (UINT8),\r
+ mMapEncAlgo,\r
+ ParamPackage,\r
+ FORMAT_STRING\r
+ );\r
+ if (!EFI_ERROR (Status)) {\r
+ *Mask |= ENCRYPT_ALGO;\r
+ }\r
+\r
+ if (Status == EFI_INVALID_PARAMETER) {\r
+ ReturnStatus = EFI_INVALID_PARAMETER;\r
+ }\r
+\r
+ Status = GetNumber (\r
+ L"--auth-algo",\r
+ 0,\r
+ &(*Data)->ProcessingPolicy->AuthAlgoId,\r
+ sizeof (UINT8),\r
+ mMapAuthAlgo,\r
+ ParamPackage,\r
+ FORMAT_STRING\r
+ );\r
+ if (!EFI_ERROR (Status)) {\r
+ *Mask |= AUTH_ALGO;\r
+ }\r
+\r
+ if (Status == EFI_INVALID_PARAMETER) {\r
+ ReturnStatus = EFI_INVALID_PARAMETER;\r
+ }\r
+\r
+ //\r
+ // Cannot check Mode against EfiIPsecTunnel, because user may want to change tunnel_remote only so the Mode is not set.\r
+ //\r
+ if ((*Mask & (TUNNEL_LOCAL | TUNNEL_REMOTE | DONT_FRAGMENT)) == 0) {\r
+ (*Data)->ProcessingPolicy->TunnelOption = NULL;\r
+ }\r
+\r
+ if ((*Mask & (EXT_SEQUENCE | SEQUENCE_OVERFLOW | FRAGMENT_CHECK | LIFEBYTE |\r
+ LIFETIME_SOFT | LIFETIME | MODE | TUNNEL_LOCAL | TUNNEL_REMOTE |\r
+ DONT_FRAGMENT | IPSEC_PROTO | AUTH_ALGO | ENCRYPT_ALGO)) == 0) {\r
+ if ((*Data)->Action != EfiIPsecActionProtect) {\r
+ //\r
+ // User may not provide additional parameter for Protect action, so we cannot simply set ProcessingPolicy to NULL.\r
+ //\r
+ (*Data)->ProcessingPolicy = NULL;\r
+ }\r
+ }\r
+\r
+ if (CreateNew) {\r
+ if ((*Mask & (LOCAL | REMOTE | PROTO | ACTION)) != (LOCAL | REMOTE | PROTO | ACTION)) {\r
+ ShellPrintHiiEx (\r
+ -1,\r
+ -1,\r
+ NULL,\r
+ STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS),\r
+ mHiiHandle,\r
+ mAppName,\r
+ L"--local --remote --proto --action"\r
+ );\r
+ ReturnStatus = EFI_INVALID_PARAMETER;\r
+ } else if (((*Data)->Action == EfiIPsecActionProtect) &&\r
+ ((*Data)->ProcessingPolicy->Mode == EfiIPsecTunnel) &&\r
+ ((*Mask & (TUNNEL_LOCAL | TUNNEL_REMOTE)) != (TUNNEL_LOCAL | TUNNEL_REMOTE))) {\r
+ ShellPrintHiiEx (\r
+ -1,\r
+ -1,\r
+ NULL,\r
+ STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS),\r
+ mHiiHandle,\r
+ mAppName,\r
+ L"--tunnel-local --tunnel-remote"\r
+ );\r
+ ReturnStatus = EFI_INVALID_PARAMETER;\r
+ }\r
+ }\r
+\r
+ return ReturnStatus;\r
+}\r
+\r
+/**\r
+ Fill in EFI_IPSEC_SA_ID and EFI_IPSEC_SA_DATA through ParamPackage list.\r
+\r
+ @param[out] SaId The pointer to the EFI_IPSEC_SA_ID structure.\r
+ @param[out] Data The pointer to the EFI_IPSEC_SA_DATA structure.\r
+ @param[in] ParamPackage The pointer to the ParamPackage list.\r
+ @param[out] Mask The pointer to the Mask.\r
+ @param[in] CreateNew The switch to create new.\r
+\r
+ @retval EFI_SUCCESS Fill in EFI_IPSEC_SA_ID and EFI_IPSEC_SA_DATA successfully.\r
+ @retval EFI_INVALID_PARAMETER Invalid user input parameter.\r
+\r
+**/\r
+EFI_STATUS\r
+CreateSadEntry (\r
+ OUT EFI_IPSEC_SA_ID **SaId,\r
+ OUT EFI_IPSEC_SA_DATA **Data,\r
+ IN LIST_ENTRY *ParamPackage,\r
+ OUT UINT32 *Mask,\r
+ IN BOOLEAN CreateNew\r
+ )\r
+{\r
+ EFI_STATUS Status;\r
+ EFI_STATUS ReturnStatus;\r
+ UINTN AuthKeyLength;\r
+ UINTN EncKeyLength;\r
+ CONST CHAR16 *ValueStr;\r
+ UINTN DataSize;\r
+\r
+ Status = EFI_SUCCESS;\r
+ ReturnStatus = EFI_SUCCESS;\r
+ *Mask = 0;\r
+ AuthKeyLength = 0;\r
+ EncKeyLength = 0;\r
+\r
+ *SaId = AllocateZeroPool (sizeof (EFI_IPSEC_SA_ID));\r
+ ASSERT (*SaId != NULL);\r
+\r
+ //\r
+ // Convert user imput from string to integer, and fill in the Spi in EFI_IPSEC_SA_ID.\r
+ //\r
+ Status = GetNumber (L"--spi", (UINT32) -1, &(*SaId)->Spi, sizeof (UINT32), NULL, ParamPackage, FORMAT_NUMBER);\r
+ if (!EFI_ERROR (Status)) {\r
+ *Mask |= SPI;\r
+ }\r
+\r
+ if (Status == EFI_INVALID_PARAMETER) {\r
+ ReturnStatus = EFI_INVALID_PARAMETER;\r
+ }\r
+\r
+ //\r
+ // Convert user imput from string to integer, and fill in the Proto in EFI_IPSEC_SA_ID.\r
+ //\r
+ Status = GetNumber (\r
+ L"--ipsec-proto",\r
+ 0,\r
+ &(*SaId)->Proto,\r
+ sizeof (EFI_IPSEC_PROTOCOL_TYPE),\r
+ mMapIpSecProtocol,\r
+ ParamPackage,\r
+ FORMAT_STRING\r
+ );\r
+ if (!EFI_ERROR (Status)) {\r
+ *Mask |= IPSEC_PROTO;\r
+ }\r
+\r
+ if (Status == EFI_INVALID_PARAMETER) {\r
+ ReturnStatus = EFI_INVALID_PARAMETER;\r
+ }\r
+\r
+ //\r
+ // Convert user imput from string to integer, and fill in the DestAddress in EFI_IPSEC_SA_ID.\r
+ //\r
+ ValueStr = ShellCommandLineGetValue (ParamPackage, L"--dest");\r
+ if (ValueStr != NULL) {\r
+ Status = EfiInetAddr2 ((CHAR16 *) ValueStr, &(*SaId)->DestAddress);\r
+ if (EFI_ERROR (Status)) {\r
+ ShellPrintHiiEx (\r
+ -1,\r
+ -1,\r
+ NULL,\r
+ STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE),\r
+ mHiiHandle,\r
+ mAppName,\r
+ L"--dest",\r
+ ValueStr\r
+ );\r
+ ReturnStatus = EFI_INVALID_PARAMETER;\r
+ } else {\r
+ *Mask |= DEST;\r
+ }\r
+ }\r
+\r
+ //\r
+ // Convert user imput from string to integer, and fill in EFI_IPSEC_SA_DATA.\r
+ //\r
+ ValueStr = ShellCommandLineGetValue (ParamPackage, L"--auth-key");\r
+ if (ValueStr != NULL) {\r
+ AuthKeyLength = (StrLen (ValueStr) + 1) * sizeof (CHAR16);\r
+ }\r
+\r
+ ValueStr = ShellCommandLineGetValue (ParamPackage, L"--encrypt-key");\r
+ if (ValueStr != NULL) {\r
+ EncKeyLength = (StrLen (ValueStr) + 1) * sizeof (CHAR16);\r
+ }\r
+\r
+ //\r
+ // EFI_IPSEC_SA_DATA:\r
+ // +------------\r
+ // | EFI_IPSEC_SA_DATA\r
+ // +-----------------------\r
+ // | AuthKey\r
+ // +-------------------------\r
+ // | EncKey\r
+ // +-------------------------\r
+ // | SpdSelector\r
+ //\r
+ // Notes: To make sure the address alignment add padding after each data if needed.\r
+ //\r
+ DataSize = ALIGN_VARIABLE (sizeof (EFI_IPSEC_SA_DATA));\r
+ DataSize = ALIGN_VARIABLE (DataSize + AuthKeyLength);\r
+ DataSize = ALIGN_VARIABLE (DataSize + EncKeyLength);\r
+ DataSize = ALIGN_VARIABLE (DataSize + sizeof (EFI_IPSEC_SPD_SELECTOR));\r
+ DataSize = ALIGN_VARIABLE (DataSize + sizeof (EFI_IP_ADDRESS_INFO));\r
+ DataSize += sizeof (EFI_IP_ADDRESS_INFO);\r
+\r
+\r
+\r
+ *Data = AllocateZeroPool (DataSize);\r
+ ASSERT (*Data != NULL);\r
+\r
+ (*Data)->ManualSet = TRUE;\r
+ (*Data)->AlgoInfo.EspAlgoInfo.AuthKey = (VOID *) ALIGN_POINTER (((*Data) + 1), sizeof (UINTN));\r
+ (*Data)->AlgoInfo.EspAlgoInfo.EncKey = (VOID *) ALIGN_POINTER (\r
+ ((UINT8 *) (*Data)->AlgoInfo.EspAlgoInfo.AuthKey + AuthKeyLength),\r
+ sizeof (UINTN)\r
+ );\r
+ (*Data)->SpdSelector = (EFI_IPSEC_SPD_SELECTOR *) ALIGN_POINTER (\r
+ ((UINT8 *) (*Data)->AlgoInfo.EspAlgoInfo.EncKey + EncKeyLength),\r
+ sizeof (UINTN)\r
+ );\r
+ (*Data)->SpdSelector->LocalAddress = (EFI_IP_ADDRESS_INFO *) ALIGN_POINTER (\r
+ ((UINT8 *) (*Data)->SpdSelector + sizeof (EFI_IPSEC_SPD_SELECTOR)),\r
+ sizeof (UINTN));\r
+ (*Data)->SpdSelector->RemoteAddress = (EFI_IP_ADDRESS_INFO *) ALIGN_POINTER (\r
+ (*Data)->SpdSelector->LocalAddress + 1,\r
+ sizeof (UINTN)\r
+ );\r
+\r
+ (*Data)->Mode = EfiIPsecTransport;\r
+ Status = GetNumber (\r
+ L"--mode",\r
+ 0,\r
+ &(*Data)->Mode,\r
+ sizeof (EFI_IPSEC_MODE),\r
+ mMapIpSecMode,\r
+ ParamPackage,\r
+ FORMAT_STRING\r
+ );\r
+ if (!EFI_ERROR (Status)) {\r
+ *Mask |= MODE;\r
+ }\r
+\r
+ if (Status == EFI_INVALID_PARAMETER) {\r
+ ReturnStatus = EFI_INVALID_PARAMETER;\r
+ }\r
+\r
+ //\r
+ // According to RFC 4303-3.3.3. The first packet sent using a given SA\r
+ // will contain a sequence number of 1.\r
+ //\r
+ (*Data)->SNCount = 1;\r
+ Status = GetNumber (\r
+ L"--sequence-number",\r
+ (UINT64) -1,\r
+ &(*Data)->SNCount,\r
+ sizeof (UINT64),\r
+ NULL,\r
+ ParamPackage,\r
+ FORMAT_NUMBER\r
+ );\r
+ if (!EFI_ERROR (Status)) {\r
+ *Mask |= SEQUENCE_NUMBER;\r
+ }\r
+\r
+ if (Status == EFI_INVALID_PARAMETER) {\r
+ ReturnStatus = EFI_INVALID_PARAMETER;\r
+ }\r
+\r
+ (*Data)->AntiReplayWindows = 0;\r
+ Status = GetNumber (\r
+ L"--antireplay-window",\r
+ (UINT8) -1,\r
+ &(*Data)->AntiReplayWindows,\r
+ sizeof (UINT8),\r
+ NULL,\r
+ ParamPackage,\r
+ FORMAT_NUMBER\r
+ );\r
+ if (!EFI_ERROR (Status)) {\r
+ *Mask |= SEQUENCE_NUMBER;\r
+ }\r
+\r
+ if (Status == EFI_INVALID_PARAMETER) {\r
+ ReturnStatus = EFI_INVALID_PARAMETER;\r
+ }\r
+\r
+ Status = GetNumber (\r
+ L"--encrypt-algo",\r
+ 0,\r
+ &(*Data)->AlgoInfo.EspAlgoInfo.EncAlgoId,\r
+ sizeof (UINT8),\r
+ mMapEncAlgo,\r
+ ParamPackage,\r
+ FORMAT_STRING\r
+ );\r
+ if (!EFI_ERROR (Status)) {\r
+ *Mask |= ENCRYPT_ALGO;\r
+ }\r
+\r
+ if (Status == EFI_INVALID_PARAMETER) {\r
+ ReturnStatus = EFI_INVALID_PARAMETER;\r
+ }\r
+\r
+ ValueStr = ShellCommandLineGetValue (ParamPackage, L"--encrypt-key");\r
+ if (ValueStr != NULL ) {\r
+ (*Data)->AlgoInfo.EspAlgoInfo.EncKeyLength = EncKeyLength;\r
+ CopyMem ((*Data)->AlgoInfo.EspAlgoInfo.EncKey, ValueStr, EncKeyLength);\r
+ *Mask |= ENCRYPT_KEY;\r
+ } else {\r
+ (*Data)->AlgoInfo.EspAlgoInfo.EncKey = NULL;\r
+ }\r
+\r
+ Status = GetNumber (\r
+ L"--auth-algo",\r
+ 0,\r
+ &(*Data)->AlgoInfo.EspAlgoInfo.AuthAlgoId,\r
+ sizeof (UINT8),\r
+ mMapAuthAlgo,\r
+ ParamPackage,\r
+ FORMAT_STRING\r
+ );\r
+ if (!EFI_ERROR (Status)) {\r
+ *Mask |= AUTH_ALGO;\r
+ }\r
+\r
+ if (Status == EFI_INVALID_PARAMETER) {\r
+ ReturnStatus = EFI_INVALID_PARAMETER;\r
+ }\r
+\r
+ ValueStr = ShellCommandLineGetValue (ParamPackage, L"--auth-key");\r
+ if (ValueStr != NULL) {\r
+ (*Data)->AlgoInfo.EspAlgoInfo.AuthKeyLength = AuthKeyLength;\r
+ CopyMem ((*Data)->AlgoInfo.EspAlgoInfo.AuthKey, ValueStr, AuthKeyLength);\r
+ *Mask |= AUTH_KEY;\r
+ } else {\r
+ (*Data)->AlgoInfo.EspAlgoInfo.AuthKey = NULL;\r
+ }\r
+\r
+ Status = GetNumber (\r
+ L"--lifebyte",\r
+ (UINT64) -1,\r
+ &(*Data)->SaLifetime.ByteCount,\r
+ sizeof (UINT64),\r
+ NULL,\r
+ ParamPackage,\r
+ FORMAT_NUMBER\r
+ );\r
+ if (!EFI_ERROR (Status)) {\r
+ *Mask |= LIFEBYTE;\r
+ }\r
+\r
+ if (Status == EFI_INVALID_PARAMETER) {\r
+ ReturnStatus = EFI_INVALID_PARAMETER;\r
+ }\r
+\r
+ Status = GetNumber (\r
+ L"--lifetime",\r
+ (UINT64) -1,\r
+ &(*Data)->SaLifetime.HardLifetime,\r
+ sizeof (UINT64),\r
+ NULL,\r
+ ParamPackage,\r
+ FORMAT_NUMBER\r
+ );\r
+ if (!EFI_ERROR (Status)) {\r
+ *Mask |= LIFETIME;\r
+ }\r
+\r
+ if (Status == EFI_INVALID_PARAMETER) {\r
+ ReturnStatus = EFI_INVALID_PARAMETER;\r
+ }\r
+\r
+ Status = GetNumber (\r
+ L"--lifetime-soft",\r
+ (UINT64) -1,\r
+ &(*Data)->SaLifetime.SoftLifetime,\r
+ sizeof (UINT64),\r
+ NULL,\r
+ ParamPackage,\r
+ FORMAT_NUMBER\r
+ );\r
+ if (!EFI_ERROR (Status)) {\r
+ *Mask |= LIFETIME_SOFT;\r
+ }\r
+\r
+ if (Status == EFI_INVALID_PARAMETER) {\r
+ ReturnStatus = EFI_INVALID_PARAMETER;\r
+ }\r
+\r
+ Status = GetNumber (\r
+ L"--path-mtu",\r
+ (UINT32) -1,\r
+ &(*Data)->PathMTU,\r
+ sizeof (UINT32),\r
+ NULL,\r
+ ParamPackage,\r
+ FORMAT_NUMBER\r
+ );\r
+ if (!EFI_ERROR (Status)) {\r
+ *Mask |= PATH_MTU;\r
+ }\r
+\r
+ if (Status == EFI_INVALID_PARAMETER) {\r
+ ReturnStatus = EFI_INVALID_PARAMETER;\r
+ }\r
+\r
+ ReturnStatus = CreateSpdSelector ((*Data)->SpdSelector, ParamPackage, Mask);\r
+\r
+ if (CreateNew) {\r
+ if ((*Mask & (SPI | IPSEC_PROTO | DEST)) != (SPI | IPSEC_PROTO | DEST)) {\r
+ ShellPrintHiiEx (\r
+ -1,\r
+ -1,\r
+ NULL,\r
+ STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS),\r
+ mHiiHandle,\r
+ mAppName,\r
+ L"--spi --ipsec-proto --dest"\r
+ );\r
+ ReturnStatus = EFI_INVALID_PARAMETER;\r
+ } else {\r
+ if ((*SaId)->Proto == EfiIPsecAH) {\r
+ if ((*Mask & AUTH_ALGO) == 0) {\r
+ ShellPrintHiiEx (\r
+ -1,\r
+ -1,\r
+ NULL,\r
+ STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_PARAMETER),\r
+ mHiiHandle,\r
+ mAppName,\r
+ L"--auth-algo"\r
+ );\r
+ ReturnStatus = EFI_INVALID_PARAMETER;\r
+ } else if ((*Data)->AlgoInfo.EspAlgoInfo.AuthAlgoId != EFI_IPSEC_AALG_NONE && (*Mask & AUTH_KEY) == 0) {\r
+ ShellPrintHiiEx (\r
+ -1,\r
+ -1,\r
+ NULL,\r
+ STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_PARAMETER),\r
+ mHiiHandle,\r
+ mAppName,\r
+ L"--auth-key"\r
+ );\r
+ ReturnStatus = EFI_INVALID_PARAMETER;\r
+ }\r
+ } else {\r
+ if ((*Mask & ENCRYPT_ALGO) == 0) {\r
+ ShellPrintHiiEx (\r
+ -1,\r
+ -1,\r
+ NULL,\r
+ STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_PARAMETER),\r
+ mHiiHandle,\r
+ mAppName,\r
+ L"--encrypt-algo"\r
+ );\r
+ ReturnStatus = EFI_INVALID_PARAMETER;\r
+ } else if ((*Data)->AlgoInfo.EspAlgoInfo.EncAlgoId != EFI_IPSEC_EALG_NONE && (*Mask & ENCRYPT_KEY) == 0) {\r
+ ShellPrintHiiEx (\r
+ -1,\r
+ -1,\r
+ NULL,\r
+ STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_PARAMETER),\r
+ mHiiHandle,\r
+ mAppName,\r
+ L"--encrypt-key"\r
+ );\r
+ ReturnStatus = EFI_INVALID_PARAMETER;\r
+ }\r
+ }\r
+ }\r
+ }\r
+\r
+ return ReturnStatus;\r
+}\r
+\r
+/**\r
+ Fill in EFI_IPSEC_PAD_ID and EFI_IPSEC_PAD_DATA through ParamPackage list.\r
+\r
+ @param[out] PadId The pointer to the EFI_IPSEC_PAD_ID structure.\r
+ @param[out] Data The pointer to the EFI_IPSEC_PAD_DATA structure.\r
+ @param[in] ParamPackage The pointer to the ParamPackage list.\r
+ @param[out] Mask The pointer to the Mask.\r
+ @param[in] CreateNew The switch to create new.\r
+\r
+ @retval EFI_SUCCESS Fill in EFI_IPSEC_PAD_ID and EFI_IPSEC_PAD_DATA successfully.\r
+ @retval EFI_INVALID_PARAMETER Invalid user input parameter.\r
+\r
+**/\r
+EFI_STATUS\r
+CreatePadEntry (\r
+ OUT EFI_IPSEC_PAD_ID **PadId,\r
+ OUT EFI_IPSEC_PAD_DATA **Data,\r
+ IN LIST_ENTRY *ParamPackage,\r
+ OUT UINT32 *Mask,\r
+ IN BOOLEAN CreateNew\r
+ )\r
+{\r
+ EFI_STATUS Status;\r
+ EFI_STATUS ReturnStatus;\r
+ EFI_FILE_HANDLE FileHandle;\r
+ UINT64 FileSize;\r
+ UINTN AuthDataLength;\r
+ UINTN RevocationDataLength;\r
+ UINTN DataLength;\r
+ UINTN Index;\r
+ CONST CHAR16 *ValueStr;\r
+ UINTN DataSize;\r
+\r
+ Status = EFI_SUCCESS;\r
+ ReturnStatus = EFI_SUCCESS;\r
+ *Mask = 0;\r
+ AuthDataLength = 0;\r
+ RevocationDataLength = 0;\r
+\r
+ *PadId = AllocateZeroPool (sizeof (EFI_IPSEC_PAD_ID));\r
+ ASSERT (*PadId != NULL);\r
+\r
+ //\r
+ // Convert user imput from string to integer, and fill in EFI_IPSEC_PAD_ID.\r
+ //\r
+ ValueStr = ShellCommandLineGetValue (ParamPackage, L"--peer-address");\r
+ if (ValueStr != NULL) {\r
+ (*PadId)->PeerIdValid = FALSE;\r
+ Status = EfiInetAddrRange ((CHAR16 *) ValueStr, &(*PadId)->Id.IpAddress);\r
+ if (EFI_ERROR (Status)) {\r
+ ShellPrintHiiEx (\r
+ -1,\r
+ -1,\r
+ NULL,\r
+ STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE),\r
+ mHiiHandle,\r
+ mAppName,\r
+ L"--peer-address",\r
+ ValueStr\r
+ );\r
+ ReturnStatus = EFI_INVALID_PARAMETER;\r
+ } else {\r
+ *Mask |= PEER_ADDRESS;\r
+ }\r
+ }\r
+\r
+ ValueStr = ShellCommandLineGetValue (ParamPackage, L"--peer-id");\r
+ if (ValueStr != NULL) {\r
+ (*PadId)->PeerIdValid = TRUE;\r
+ StrnCpy ((CHAR16 *) (*PadId)->Id.PeerId, ValueStr, ARRAY_SIZE ((*PadId)->Id.PeerId) - 1);\r
+ *Mask |= PEER_ID;\r
+ }\r
+\r
+ ValueStr = ShellCommandLineGetValue (ParamPackage, L"--auth-data");\r
+ if (ValueStr != NULL) {\r
+ if (ValueStr[0] == L'@') {\r
+ //\r
+ // Input is a file: --auth-data "@fs1:\My Certificates\tom.dat"\r
+ //\r
+ Status = ShellOpenFileByName (&ValueStr[1], &FileHandle, EFI_FILE_MODE_READ, 0);\r
+ if (EFI_ERROR (Status)) {\r
+ ShellPrintHiiEx (\r
+ -1,\r
+ -1,\r
+ NULL,\r
+ STRING_TOKEN (STR_IPSEC_CONFIG_FILE_OPEN_FAILED),\r
+ mHiiHandle,\r
+ mAppName,\r
+ &ValueStr[1]\r
+ );\r
+ ReturnStatus = EFI_INVALID_PARAMETER;\r
+ } else {\r
+ Status = ShellGetFileSize (FileHandle, &FileSize);\r
+ ShellCloseFile (&FileHandle);\r
+ if (EFI_ERROR (Status)) {\r
+ ShellPrintHiiEx (\r
+ -1,\r
+ -1,\r
+ NULL,\r
+ STRING_TOKEN (STR_IPSEC_CONFIG_FILE_OPEN_FAILED),\r
+ mHiiHandle,\r
+ mAppName,\r
+ &ValueStr[1]\r
+ );\r
+ ReturnStatus = EFI_INVALID_PARAMETER;\r
+ } else {\r
+ AuthDataLength = (UINTN) FileSize;\r
+ }\r
+ }\r
+ } else {\r
+ AuthDataLength = StrLen (ValueStr);\r
+ }\r
+ }\r
+\r
+ ValueStr = ShellCommandLineGetValue (ParamPackage, L"--revocation-data");\r
+ if (ValueStr != NULL) {\r
+ RevocationDataLength = (StrLen (ValueStr) + 1) * sizeof (CHAR16);\r
+ }\r
+\r
+ //\r
+ // Allocate Buffer for Data. Add padding after each struct to make sure the alignment\r
+ // in different Arch.\r
+ //\r
+ DataSize = ALIGN_VARIABLE (sizeof (EFI_IPSEC_PAD_DATA));\r
+ DataSize = ALIGN_VARIABLE (DataSize + AuthDataLength);\r
+ DataSize += RevocationDataLength;\r
+\r
+ *Data = AllocateZeroPool (DataSize);\r
+ ASSERT (*Data != NULL);\r
+\r
+ (*Data)->AuthData = (VOID *) ALIGN_POINTER ((*Data + 1), sizeof (UINTN));\r
+ (*Data)->RevocationData = (VOID *) ALIGN_POINTER (((UINT8 *) (*Data + 1) + AuthDataLength), sizeof (UINTN));\r
+ (*Data)->AuthProtocol = EfiIPsecAuthProtocolIKEv1;\r
+\r
+ //\r
+ // Convert user imput from string to integer, and fill in EFI_IPSEC_PAD_DATA.\r
+ //\r
+ Status = GetNumber (\r
+ L"--auth-proto",\r
+ 0,\r
+ &(*Data)->AuthProtocol,\r
+ sizeof (EFI_IPSEC_AUTH_PROTOCOL_TYPE),\r
+ mMapAuthProto,\r
+ ParamPackage,\r
+ FORMAT_STRING\r
+ );\r
+ if (!EFI_ERROR (Status)) {\r
+ *Mask |= AUTH_PROTO;\r
+ }\r
+\r
+ if (Status == EFI_INVALID_PARAMETER) {\r
+ ReturnStatus = EFI_INVALID_PARAMETER;\r
+ }\r
+\r
+ Status = GetNumber (\r
+ L"--auth-method",\r
+ 0,\r
+ &(*Data)->AuthMethod,\r
+ sizeof (EFI_IPSEC_AUTH_METHOD),\r
+ mMapAuthMethod,\r
+ ParamPackage,\r
+ FORMAT_STRING\r
+ );\r
+ if (!EFI_ERROR (Status)) {\r
+ *Mask |= AUTH_METHOD;\r
+ }\r
+\r
+ if (Status == EFI_INVALID_PARAMETER) {\r
+ ReturnStatus = EFI_INVALID_PARAMETER;\r
+ }\r
+\r
+ if (ShellCommandLineGetFlag (ParamPackage, L"--ike-id")) {\r
+ (*Data)->IkeIdFlag = TRUE;\r
+ *Mask |= IKE_ID;\r
+ }\r
+\r
+ if (ShellCommandLineGetFlag (ParamPackage, L"--ike-id-")) {\r
+ (*Data)->IkeIdFlag = FALSE;\r
+ *Mask |= IKE_ID;\r
+ }\r
+\r
+ ValueStr = ShellCommandLineGetValue (ParamPackage, L"--auth-data");\r
+ if (ValueStr != NULL) {\r
+ if (ValueStr[0] == L'@') {\r
+ //\r
+ // Input is a file: --auth-data "@fs1:\My Certificates\tom.dat"\r
+ //\r
+\r
+ Status = ShellOpenFileByName (&ValueStr[1], &FileHandle, EFI_FILE_MODE_READ, 0);\r
+ if (EFI_ERROR (Status)) {\r
+ ShellPrintHiiEx (\r
+ -1,\r
+ -1,\r
+ NULL,\r
+ STRING_TOKEN (STR_IPSEC_CONFIG_FILE_OPEN_FAILED),\r
+ mHiiHandle,\r
+ mAppName,\r
+ &ValueStr[1]\r
+ );\r
+ ReturnStatus = EFI_INVALID_PARAMETER;\r
+ (*Data)->AuthData = NULL;\r
+ } else {\r
+ DataLength = AuthDataLength;\r
+ Status = ShellReadFile (FileHandle, &DataLength, (*Data)->AuthData);\r
+ ShellCloseFile (&FileHandle);\r
+ if (EFI_ERROR (Status)) {\r
+ ShellPrintHiiEx (\r
+ -1,\r
+ -1,\r
+ NULL,\r
+ STRING_TOKEN (STR_IPSEC_CONFIG_FILE_OPEN_FAILED),\r
+ mHiiHandle,\r
+ mAppName,\r
+ &ValueStr[1]\r
+ );\r
+ ReturnStatus = EFI_INVALID_PARAMETER;\r
+ (*Data)->AuthData = NULL;\r
+ } else {\r
+ ASSERT (DataLength == AuthDataLength);\r
+ *Mask |= AUTH_DATA;\r
+ }\r
+ }\r
+ } else {\r
+ for (Index = 0; Index < AuthDataLength; Index++) {\r
+ ((CHAR8 *) (*Data)->AuthData)[Index] = (CHAR8) ValueStr[Index];\r
+ }\r
+ (*Data)->AuthDataSize = AuthDataLength;\r
+ *Mask |= AUTH_DATA;\r
+ }\r
+ }\r
+\r
+ ValueStr = ShellCommandLineGetValue (ParamPackage, L"--revocation-data");\r
+ if (ValueStr != NULL) {\r
+ CopyMem ((*Data)->RevocationData, ValueStr, RevocationDataLength);\r
+ (*Data)->RevocationDataSize = RevocationDataLength;\r
+ *Mask |= REVOCATION_DATA;\r
+ } else {\r
+ (*Data)->RevocationData = NULL;\r
+ }\r
+\r
+ if (CreateNew) {\r
+ if ((*Mask & (PEER_ID | PEER_ADDRESS)) == 0) {\r
+ ShellPrintHiiEx (\r
+ -1,\r
+ -1,\r
+ NULL,\r
+ STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS),\r
+ mHiiHandle,\r
+ mAppName,\r
+ L"--peer-id --peer-address"\r
+ );\r
+ ReturnStatus = EFI_INVALID_PARAMETER;\r
+ } else if ((*Mask & (AUTH_METHOD | AUTH_DATA)) != (AUTH_METHOD | AUTH_DATA)) {\r
+ ShellPrintHiiEx (\r
+ -1,\r
+ -1,\r
+ NULL,\r
+ STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS),\r
+ mHiiHandle,\r
+ mAppName,\r
+ L"--auth-method --auth-data"\r
+ );\r
+ ReturnStatus = EFI_INVALID_PARAMETER;\r
+ }\r
+ }\r
+\r
+ return ReturnStatus;\r
+}\r
+\r
+CREATE_POLICY_ENTRY mCreatePolicyEntry[] = {\r
+ (CREATE_POLICY_ENTRY) CreateSpdEntry,\r
+ (CREATE_POLICY_ENTRY) CreateSadEntry,\r
+ (CREATE_POLICY_ENTRY) CreatePadEntry\r
+};\r
+\r
+/**\r
+ Combine old SPD entry with new SPD entry.\r
+\r
+ @param[in, out] OldSelector The pointer to the EFI_IPSEC_SPD_SELECTOR structure.\r
+ @param[in, out] OldData The pointer to the EFI_IPSEC_SPD_DATA structure.\r
+ @param[in] NewSelector The pointer to the EFI_IPSEC_SPD_SELECTOR structure.\r
+ @param[in] NewData The pointer to the EFI_IPSEC_SPD_DATA structure.\r
+ @param[in] Mask The pointer to the Mask.\r
+ @param[out] CreateNew The switch to create new.\r
+\r
+ @retval EFI_SUCCESS Combined successfully.\r
+ @retval EFI_INVALID_PARAMETER Invalid user input parameter.\r
+\r
+**/\r
+EFI_STATUS\r
+CombineSpdEntry (\r
+ IN OUT EFI_IPSEC_SPD_SELECTOR *OldSelector,\r
+ IN OUT EFI_IPSEC_SPD_DATA *OldData,\r
+ IN EFI_IPSEC_SPD_SELECTOR *NewSelector,\r
+ IN EFI_IPSEC_SPD_DATA *NewData,\r
+ IN UINT32 Mask,\r
+ OUT BOOLEAN *CreateNew\r
+ )\r
+{\r
+\r
+ //\r
+ // Process Selector\r
+ //\r
+ *CreateNew = FALSE;\r
+ if ((Mask & LOCAL) == 0) {\r
+ NewSelector->LocalAddressCount = OldSelector->LocalAddressCount;\r
+ NewSelector->LocalAddress = OldSelector->LocalAddress;\r
+ } else if ((NewSelector->LocalAddressCount != OldSelector->LocalAddressCount) ||\r
+ (CompareMem (NewSelector->LocalAddress, OldSelector->LocalAddress, NewSelector->LocalAddressCount * sizeof (EFI_IP_ADDRESS_INFO)) != 0)) {\r
+ *CreateNew = TRUE;\r
+ }\r
+\r
+ if ((Mask & REMOTE) == 0) {\r
+ NewSelector->RemoteAddressCount = OldSelector->RemoteAddressCount;\r
+ NewSelector->RemoteAddress = OldSelector->RemoteAddress;\r
+ } else if ((NewSelector->RemoteAddressCount != OldSelector->RemoteAddressCount) ||\r
+ (CompareMem (NewSelector->RemoteAddress, OldSelector->RemoteAddress, NewSelector->RemoteAddressCount * sizeof (EFI_IP_ADDRESS_INFO)) != 0)) {\r
+ *CreateNew = TRUE;\r
+ }\r
+\r
+ if ((Mask & PROTO) == 0) {\r
+ NewSelector->NextLayerProtocol = OldSelector->NextLayerProtocol;\r
+ } else if (NewSelector->NextLayerProtocol != OldSelector->NextLayerProtocol) {\r
+ *CreateNew = TRUE;\r
+ }\r
+\r
+ switch (NewSelector->NextLayerProtocol) {\r
+ case EFI_IP4_PROTO_TCP:\r
+ case EFI_IP4_PROTO_UDP:\r
+ if ((Mask & LOCAL_PORT) == 0) {\r
+ NewSelector->LocalPort = OldSelector->LocalPort;\r
+ NewSelector->LocalPortRange = OldSelector->LocalPortRange;\r
+ } else if ((NewSelector->LocalPort != OldSelector->LocalPort) ||\r
+ (NewSelector->LocalPortRange != OldSelector->LocalPortRange)) {\r
+ *CreateNew = TRUE;\r
+ }\r
+\r
+ if ((Mask & REMOTE_PORT) == 0) {\r
+ NewSelector->RemotePort = OldSelector->RemotePort;\r
+ NewSelector->RemotePortRange = OldSelector->RemotePortRange;\r
+ } else if ((NewSelector->RemotePort != OldSelector->RemotePort) ||\r
+ (NewSelector->RemotePortRange != OldSelector->RemotePortRange)) {\r
+ *CreateNew = TRUE;\r
+ }\r
+ break;\r
+\r
+ case EFI_IP4_PROTO_ICMP:\r
+ if ((Mask & ICMP_TYPE) == 0) {\r
+ NewSelector->LocalPort = OldSelector->LocalPort;\r
+ } else if (NewSelector->LocalPort != OldSelector->LocalPort) {\r
+ *CreateNew = TRUE;\r
+ }\r
+\r
+ if ((Mask & ICMP_CODE) == 0) {\r
+ NewSelector->RemotePort = OldSelector->RemotePort;\r
+ } else if (NewSelector->RemotePort != OldSelector->RemotePort) {\r
+ *CreateNew = TRUE;\r
+ }\r
+ break;\r
+ }\r
+ //\r
+ // Process Data\r
+ //\r
+ if ((Mask & NAME) != 0) {\r
+ AsciiStrCpy ((CHAR8 *) OldData->Name, (CHAR8 *) NewData->Name);\r
+ }\r
+\r
+ if ((Mask & PACKET_FLAG) != 0) {\r
+ OldData->PackageFlag = NewData->PackageFlag;\r
+ }\r
+\r
+ if ((Mask & ACTION) != 0) {\r
+ OldData->Action = NewData->Action;\r
+ }\r
+\r
+ if (OldData->Action != EfiIPsecActionProtect) {\r
+ OldData->ProcessingPolicy = NULL;\r
+ } else {\r
+ //\r
+ // Protect\r
+ //\r
+ if (OldData->ProcessingPolicy == NULL) {\r
+ //\r
+ // Just point to new data if originally NULL.\r
+ //\r
+ OldData->ProcessingPolicy = NewData->ProcessingPolicy;\r
+ if (OldData->ProcessingPolicy->Mode == EfiIPsecTunnel &&\r
+ (Mask & (TUNNEL_LOCAL | TUNNEL_REMOTE)) != (TUNNEL_LOCAL | TUNNEL_REMOTE)\r
+ ) {\r
+ //\r
+ // Change to Protect action and Tunnel mode, but without providing local/remote tunnel address.\r
+ //\r
+ ShellPrintHiiEx (\r
+ -1,\r
+ -1,\r
+ NULL,\r
+ STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS),\r
+ mHiiHandle,\r
+ mAppName,\r
+ L"--tunnel-local --tunnel-remote"\r
+ );\r
+ return EFI_INVALID_PARAMETER;\r
+ }\r
+ } else {\r
+ //\r
+ // Modify some of the data.\r
+ //\r
+ if ((Mask & EXT_SEQUENCE) != 0) {\r
+ OldData->ProcessingPolicy->ExtSeqNum = NewData->ProcessingPolicy->ExtSeqNum;\r
+ }\r
+\r
+ if ((Mask & SEQUENCE_OVERFLOW) != 0) {\r
+ OldData->ProcessingPolicy->SeqOverflow = NewData->ProcessingPolicy->SeqOverflow;\r
+ }\r
+\r
+ if ((Mask & FRAGMENT_CHECK) != 0) {\r
+ OldData->ProcessingPolicy->FragCheck = NewData->ProcessingPolicy->FragCheck;\r
+ }\r
+\r
+ if ((Mask & LIFEBYTE) != 0) {\r
+ OldData->ProcessingPolicy->SaLifetime.ByteCount = NewData->ProcessingPolicy->SaLifetime.ByteCount;\r
+ }\r
+\r
+ if ((Mask & LIFETIME_SOFT) != 0) {\r
+ OldData->ProcessingPolicy->SaLifetime.SoftLifetime = NewData->ProcessingPolicy->SaLifetime.SoftLifetime;\r
+ }\r
+\r
+ if ((Mask & LIFETIME) != 0) {\r
+ OldData->ProcessingPolicy->SaLifetime.HardLifetime = NewData->ProcessingPolicy->SaLifetime.HardLifetime;\r
+ }\r
+\r
+ if ((Mask & MODE) != 0) {\r
+ OldData->ProcessingPolicy->Mode = NewData->ProcessingPolicy->Mode;\r
+ }\r
+\r
+ if ((Mask & IPSEC_PROTO) != 0) {\r
+ OldData->ProcessingPolicy->Proto = NewData->ProcessingPolicy->Proto;\r
+ }\r
+\r
+ if ((Mask & AUTH_ALGO) != 0) {\r
+ OldData->ProcessingPolicy->AuthAlgoId = NewData->ProcessingPolicy->AuthAlgoId;\r
+ }\r
+\r
+ if ((Mask & ENCRYPT_ALGO) != 0) {\r
+ OldData->ProcessingPolicy->EncAlgoId = NewData->ProcessingPolicy->EncAlgoId;\r
+ }\r
+\r
+ if (OldData->ProcessingPolicy->Mode != EfiIPsecTunnel) {\r
+ OldData->ProcessingPolicy->TunnelOption = NULL;\r
+ } else {\r
+ if (OldData->ProcessingPolicy->TunnelOption == NULL) {\r
+ //\r
+ // Set from Transport mode to Tunnel mode, should ensure TUNNEL_LOCAL & TUNNEL_REMOTE both exists.\r
+ //\r
+ if ((Mask & (TUNNEL_LOCAL | TUNNEL_REMOTE)) != (TUNNEL_LOCAL | TUNNEL_REMOTE)) {\r
+ ShellPrintHiiEx (\r
+ -1,\r
+ -1,\r
+ NULL,\r
+ STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS),\r
+ mHiiHandle,\r
+ mAppName,\r
+ L"--tunnel-local --tunnel-remote"\r
+ );\r
+ return EFI_INVALID_PARAMETER;\r
+ }\r
+\r
+ OldData->ProcessingPolicy->TunnelOption = NewData->ProcessingPolicy->TunnelOption;\r
+ } else {\r
+ if ((Mask & TUNNEL_LOCAL) != 0) {\r
+ CopyMem (\r
+ &OldData->ProcessingPolicy->TunnelOption->LocalTunnelAddress,\r
+ &NewData->ProcessingPolicy->TunnelOption->LocalTunnelAddress,\r
+ sizeof (EFI_IP_ADDRESS)\r
+ );\r
+ }\r
+\r
+ if ((Mask & TUNNEL_REMOTE) != 0) {\r
+ CopyMem (\r
+ &OldData->ProcessingPolicy->TunnelOption->RemoteTunnelAddress,\r
+ &NewData->ProcessingPolicy->TunnelOption->RemoteTunnelAddress,\r
+ sizeof (EFI_IP_ADDRESS)\r
+ );\r
+ }\r
+\r
+ if ((Mask & DONT_FRAGMENT) != 0) {\r
+ OldData->ProcessingPolicy->TunnelOption->DF = NewData->ProcessingPolicy->TunnelOption->DF;\r
+ }\r
+ }\r
+ }\r
+ }\r
+ }\r
+\r
+ return EFI_SUCCESS;\r
+}\r
+\r
+/**\r
+ Combine old SAD entry with new SAD entry.\r
+\r
+ @param[in, out] OldSaId The pointer to the EFI_IPSEC_SA_ID structure.\r
+ @param[in, out] OldData The pointer to the EFI_IPSEC_SA_DATA structure.\r
+ @param[in] NewSaId The pointer to the EFI_IPSEC_SA_ID structure.\r
+ @param[in] NewData The pointer to the EFI_IPSEC_SA_DATA structure.\r
+ @param[in] Mask The pointer to the Mask.\r
+ @param[out] CreateNew The switch to create new.\r
+\r
+ @retval EFI_SUCCESS Combined successfully.\r
+ @retval EFI_INVALID_PARAMETER Invalid user input parameter.\r
+\r
+**/\r
+EFI_STATUS\r
+CombineSadEntry (\r
+ IN OUT EFI_IPSEC_SA_ID *OldSaId,\r
+ IN OUT EFI_IPSEC_SA_DATA *OldData,\r
+ IN EFI_IPSEC_SA_ID *NewSaId,\r
+ IN EFI_IPSEC_SA_DATA *NewData,\r
+ IN UINT32 Mask,\r
+ OUT BOOLEAN *CreateNew\r
+ )\r
+{\r
+\r
+ *CreateNew = FALSE;\r
+\r
+ if ((Mask & SPI) == 0) {\r
+ NewSaId->Spi = OldSaId->Spi;\r
+ } else if (NewSaId->Spi != OldSaId->Spi) {\r
+ *CreateNew = TRUE;\r
+ }\r
+\r
+ if ((Mask & IPSEC_PROTO) == 0) {\r
+ NewSaId->Proto = OldSaId->Proto;\r
+ } else if (NewSaId->Proto != OldSaId->Proto) {\r
+ *CreateNew = TRUE;\r
+ }\r
+\r
+ if ((Mask & DEST) == 0) {\r
+ CopyMem (&NewSaId->DestAddress, &OldSaId->DestAddress, sizeof (EFI_IP_ADDRESS));\r
+ } else if (CompareMem (&NewSaId->DestAddress, &OldSaId->DestAddress, sizeof (EFI_IP_ADDRESS)) != 0) {\r
+ *CreateNew = TRUE;\r
+ }\r
+\r
+ //\r
+ // Process SA_DATA.\r
+ //\r
+ if ((Mask & MODE) != 0) {\r
+ OldData->Mode = NewData->Mode;\r
+ }\r
+\r
+ if ((Mask & SEQUENCE_NUMBER) != 0) {\r
+ OldData->SNCount = NewData->SNCount;\r
+ }\r
+\r
+ if ((Mask & ANTIREPLAY_WINDOW) != 0) {\r
+ OldData->AntiReplayWindows = NewData->AntiReplayWindows;\r
+ }\r
+\r
+ if ((Mask & AUTH_ALGO) != 0) {\r
+ OldData->AlgoInfo.EspAlgoInfo.AuthAlgoId = NewData->AlgoInfo.EspAlgoInfo.AuthAlgoId;\r
+ }\r
+\r
+ if ((Mask & AUTH_KEY) != 0) {\r
+ OldData->AlgoInfo.EspAlgoInfo.AuthKey = NewData->AlgoInfo.EspAlgoInfo.AuthKey;\r
+ OldData->AlgoInfo.EspAlgoInfo.AuthKeyLength = NewData->AlgoInfo.EspAlgoInfo.AuthKeyLength;\r
+ }\r
+\r
+ if ((Mask & ENCRYPT_ALGO) != 0) {\r
+ OldData->AlgoInfo.EspAlgoInfo.EncAlgoId = NewData->AlgoInfo.EspAlgoInfo.EncAlgoId;\r
+ }\r
+\r
+ if ((Mask & ENCRYPT_KEY) != 0) {\r
+ OldData->AlgoInfo.EspAlgoInfo.EncKey = NewData->AlgoInfo.EspAlgoInfo.EncKey;\r
+ OldData->AlgoInfo.EspAlgoInfo.EncKeyLength = NewData->AlgoInfo.EspAlgoInfo.EncKeyLength;\r
+ }\r
+\r
+ if (NewSaId->Proto == EfiIPsecAH) {\r
+ if ((Mask & (ENCRYPT_ALGO | ENCRYPT_KEY)) != 0) {\r
+ //\r
+ // Should not provide encrypt_* if AH.\r
+ //\r
+ ShellPrintHiiEx (\r
+ -1,\r
+ -1,\r
+ NULL,\r
+ STRING_TOKEN (STR_IPSEC_CONFIG_UNWANTED_PARAMETER),\r
+ mHiiHandle,\r
+ mAppName,\r
+ L"--encrypt-algo --encrypt-key"\r
+ );\r
+ return EFI_INVALID_PARAMETER;\r
+ }\r
+ }\r
+\r
+ if (NewSaId->Proto == EfiIPsecESP && OldSaId->Proto == EfiIPsecAH) {\r
+ //\r
+ // AH -> ESP\r
+ // Should provide encrypt_algo at least.\r
+ //\r
+ if ((Mask & ENCRYPT_ALGO) == 0) {\r
+ ShellPrintHiiEx (\r
+ -1,\r
+ -1,\r
+ NULL,\r
+ STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_PARAMETER),\r
+ mHiiHandle,\r
+ mAppName,\r
+ L"--encrypt-algo"\r
+ );\r
+ return EFI_INVALID_PARAMETER;\r
+ }\r
+\r
+ //\r
+ // Encrypt_key should be provided if algorithm is not NONE.\r
+ //\r
+ if (NewData->AlgoInfo.EspAlgoInfo.EncAlgoId != EFI_IPSEC_EALG_NONE && (Mask & ENCRYPT_KEY) == 0) {\r
+ ShellPrintHiiEx (\r
+ -1,\r
+ -1,\r
+ NULL,\r
+ STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_PARAMETER),\r
+ mHiiHandle,\r
+ mAppName,\r
+ L"--encrypt-algo"\r
+ );\r
+ return EFI_INVALID_PARAMETER;\r
+ }\r
+ }\r
+\r
+ if ((Mask & LIFEBYTE) != 0) {\r
+ OldData->SaLifetime.ByteCount = NewData->SaLifetime.ByteCount;\r
+ }\r
+\r
+ if ((Mask & LIFETIME_SOFT) != 0) {\r
+ OldData->SaLifetime.SoftLifetime = NewData->SaLifetime.SoftLifetime;\r
+ }\r
+\r
+ if ((Mask & LIFETIME) != 0) {\r
+ OldData->SaLifetime.HardLifetime = NewData->SaLifetime.HardLifetime;\r
+ }\r
+\r
+ if ((Mask & PATH_MTU) != 0) {\r
+ OldData->PathMTU = NewData->PathMTU;\r
+ }\r
+ //\r
+ // Process SpdSelector.\r
+ //\r
+ if (OldData->SpdSelector == NULL) {\r
+ if ((Mask & (LOCAL | REMOTE | PROTO | LOCAL_PORT | REMOTE_PORT | ICMP_TYPE | ICMP_CODE)) != 0) {\r
+ if ((Mask & (LOCAL | REMOTE | PROTO)) != (LOCAL | REMOTE | PROTO)) {\r
+ ShellPrintHiiEx (\r
+ -1,\r
+ -1,\r
+ NULL,\r
+ STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS),\r
+ mHiiHandle,\r
+ mAppName,\r
+ L"--local --remote --proto"\r
+ );\r
+ return EFI_INVALID_PARAMETER;\r
+ }\r
+\r
+ OldData->SpdSelector = NewData->SpdSelector;\r
+ }\r
+ } else {\r
+ if ((Mask & LOCAL) != 0) {\r
+ OldData->SpdSelector->LocalAddressCount = NewData->SpdSelector->LocalAddressCount;\r
+ OldData->SpdSelector->LocalAddress = NewData->SpdSelector->LocalAddress;\r
+ }\r
+\r
+ if ((Mask & REMOTE) != 0) {\r
+ OldData->SpdSelector->RemoteAddressCount = NewData->SpdSelector->RemoteAddressCount;\r
+ OldData->SpdSelector->RemoteAddress = NewData->SpdSelector->RemoteAddress;\r
+ }\r
+\r
+ if ((Mask & PROTO) != 0) {\r
+ OldData->SpdSelector->NextLayerProtocol = NewData->SpdSelector->NextLayerProtocol;\r
+ }\r
+\r
+ if (OldData->SpdSelector != NULL) {\r
+ switch (OldData->SpdSelector->NextLayerProtocol) {\r
+ case EFI_IP4_PROTO_TCP:\r
+ case EFI_IP4_PROTO_UDP:\r
+ if ((Mask & LOCAL_PORT) != 0) {\r
+ OldData->SpdSelector->LocalPort = NewData->SpdSelector->LocalPort;\r
+ }\r
+\r
+ if ((Mask & REMOTE_PORT) != 0) {\r
+ OldData->SpdSelector->RemotePort = NewData->SpdSelector->RemotePort;\r
+ }\r
+ break;\r
+\r
+ case EFI_IP4_PROTO_ICMP:\r
+ if ((Mask & ICMP_TYPE) != 0) {\r
+ OldData->SpdSelector->LocalPort = (UINT8) NewData->SpdSelector->LocalPort;\r
+ }\r
+\r
+ if ((Mask & ICMP_CODE) != 0) {\r
+ OldData->SpdSelector->RemotePort = (UINT8) NewData->SpdSelector->RemotePort;\r
+ }\r
+ break;\r
+ }\r
+ }\r
+ }\r
+\r
+ return EFI_SUCCESS;\r
+}\r
+\r
+/**\r
+ Combine old PAD entry with new PAD entry.\r
+\r
+ @param[in, out] OldPadId The pointer to the EFI_IPSEC_PAD_ID structure.\r
+ @param[in, out] OldData The pointer to the EFI_IPSEC_PAD_DATA structure.\r
+ @param[in] NewPadId The pointer to the EFI_IPSEC_PAD_ID structure.\r
+ @param[in] NewData The pointer to the EFI_IPSEC_PAD_DATA structure.\r
+ @param[in] Mask The pointer to the Mask.\r
+ @param[out] CreateNew The switch to create new.\r
+\r
+ @retval EFI_SUCCESS Combined successfully.\r
+ @retval EFI_INVALID_PARAMETER Invalid user input parameter.\r
+\r
+**/\r
+EFI_STATUS\r
+CombinePadEntry (\r
+ IN OUT EFI_IPSEC_PAD_ID *OldPadId,\r
+ IN OUT EFI_IPSEC_PAD_DATA *OldData,\r
+ IN EFI_IPSEC_PAD_ID *NewPadId,\r
+ IN EFI_IPSEC_PAD_DATA *NewData,\r
+ IN UINT32 Mask,\r
+ OUT BOOLEAN *CreateNew\r
+ )\r
+{\r
+\r
+ *CreateNew = FALSE;\r
+\r
+ if ((Mask & (PEER_ID | PEER_ADDRESS)) == 0) {\r
+ CopyMem (NewPadId, OldPadId, sizeof (EFI_IPSEC_PAD_ID));\r
+ } else {\r
+ if ((Mask & PEER_ID) != 0) {\r
+ if (OldPadId->PeerIdValid) {\r
+ if (StrCmp ((CONST CHAR16 *) OldPadId->Id.PeerId, (CONST CHAR16 *) NewPadId->Id.PeerId) != 0) {\r
+ *CreateNew = TRUE;\r
+ }\r
+ } else {\r
+ *CreateNew = TRUE;\r
+ }\r
+ } else {\r
+ //\r
+ // MASK & PEER_ADDRESS\r
+ //\r
+ if (OldPadId->PeerIdValid) {\r
+ *CreateNew = TRUE;\r
+ } else {\r
+ if ((CompareMem (&OldPadId->Id.IpAddress.Address, &NewPadId->Id.IpAddress.Address, sizeof (EFI_IP_ADDRESS)) != 0) ||\r
+ (OldPadId->Id.IpAddress.PrefixLength != NewPadId->Id.IpAddress.PrefixLength)) {\r
+ *CreateNew = TRUE;\r
+ }\r
+ }\r
+ }\r
+ }\r
+\r
+ if ((Mask & AUTH_PROTO) != 0) {\r
+ OldData->AuthProtocol = NewData->AuthProtocol;\r
+ }\r
+\r
+ if ((Mask & AUTH_METHOD) != 0) {\r
+ OldData->AuthMethod = NewData->AuthMethod;\r
+ }\r
+\r
+ if ((Mask & IKE_ID) != 0) {\r
+ OldData->IkeIdFlag = NewData->IkeIdFlag;\r
+ }\r
+\r
+ if ((Mask & AUTH_DATA) != 0) {\r
+ OldData->AuthDataSize = NewData->AuthDataSize;\r
+ OldData->AuthData = NewData->AuthData;\r
+ }\r
+\r
+ if ((Mask & REVOCATION_DATA) != 0) {\r
+ OldData->RevocationDataSize = NewData->RevocationDataSize;\r
+ OldData->RevocationData = NewData->RevocationData;\r
+ }\r
+\r
+ return EFI_SUCCESS;\r
+}\r
+\r
+COMBINE_POLICY_ENTRY mCombinePolicyEntry[] = {\r
+ (COMBINE_POLICY_ENTRY) CombineSpdEntry,\r
+ (COMBINE_POLICY_ENTRY) CombineSadEntry,\r
+ (COMBINE_POLICY_ENTRY) CombinePadEntry\r
+};\r
+\r
+/**\r
+ Edit entry information in the database.\r
+\r
+ @param[in] Selector The pointer to the EFI_IPSEC_CONFIG_SELECTOR structure.\r
+ @param[in] Data The pointer to the data.\r
+ @param[in] Context The pointer to the INSERT_POLICY_ENTRY_CONTEXT structure.\r
+\r
+ @retval EFI_SUCCESS Continue the iteration.\r
+ @retval EFI_ABORTED Abort the iteration.\r
+**/\r
+EFI_STATUS\r
+EditOperatePolicyEntry (\r
+ IN EFI_IPSEC_CONFIG_SELECTOR *Selector,\r
+ IN VOID *Data,\r
+ IN EDIT_POLICY_ENTRY_CONTEXT *Context\r
+ )\r
+{\r
+ EFI_STATUS Status;\r
+ BOOLEAN CreateNew;\r
+\r
+ if (mMatchPolicyEntry[Context->DataType] (Selector, Data, &Context->Indexer)) {\r
+ ASSERT (Context->DataType < 3);\r
+\r
+ Status = mCombinePolicyEntry[Context->DataType] (\r
+ Selector,\r
+ Data,\r
+ Context->Selector,\r
+ Context->Data,\r
+ Context->Mask,\r
+ &CreateNew\r
+ );\r
+ if (!EFI_ERROR (Status)) {\r
+ if (CreateNew) {\r
+ //\r
+ // Insert new entry before old entry\r
+ //\r
+ Status = mIpSecConfig->SetData (\r
+ mIpSecConfig,\r
+ Context->DataType,\r
+ Context->Selector,\r
+ Data,\r
+ Selector\r
+ );\r
+ ASSERT_EFI_ERROR (Status);\r
+ //\r
+ // Delete old entry\r
+ //\r
+ Status = mIpSecConfig->SetData (\r
+ mIpSecConfig,\r
+ Context->DataType,\r
+ Selector,\r
+ NULL,\r
+ NULL\r
+ );\r
+ ASSERT_EFI_ERROR (Status);\r
+ } else {\r
+ Status = mIpSecConfig->SetData (\r
+ mIpSecConfig,\r
+ Context->DataType,\r
+ Context->Selector,\r
+ Data,\r
+ NULL\r
+ );\r
+ }\r
+ }\r
+\r
+ Context->Status = Status;\r
+ return EFI_ABORTED;\r
+ }\r
+\r
+ return EFI_SUCCESS;\r
+}\r
+\r
+/**\r
+ Edit entry information in database according to datatype.\r
+\r
+ @param[in] DataType The value of EFI_IPSEC_CONFIG_DATA_TYPE.\r
+ @param[in] ParamPackage The pointer to the ParamPackage list.\r
+\r
+ @retval EFI_SUCCESS Edit entry information successfully.\r
+ @retval EFI_NOT_FOUND Can't find the specified entry.\r
+ @retval Others Some mistaken case.\r
+**/\r
+EFI_STATUS\r
+EditPolicyEntry (\r
+ IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,\r
+ IN LIST_ENTRY *ParamPackage\r
+ )\r
+{\r
+ EFI_STATUS Status;\r
+ EDIT_POLICY_ENTRY_CONTEXT Context;\r
+ CONST CHAR16 *ValueStr;\r
+\r
+ ValueStr = ShellCommandLineGetValue (ParamPackage, L"-e");\r
+ if (ValueStr == NULL) {\r
+ ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_INDEX_NOT_SPECIFIED), mHiiHandle, mAppName, ValueStr);\r
+ return EFI_NOT_FOUND;\r
+ }\r
+\r
+ Status = mConstructPolicyEntryIndexer[DataType] (&Context.Indexer, ParamPackage);\r
+ if (!EFI_ERROR (Status)) {\r
+ Context.DataType = DataType;\r
+ Context.Status = EFI_NOT_FOUND;\r
+ Status = mCreatePolicyEntry[DataType] (&Context.Selector, &Context.Data, ParamPackage, &Context.Mask, FALSE);\r
+ if (!EFI_ERROR (Status)) {\r
+ ForeachPolicyEntry (DataType, (VISIT_POLICY_ENTRY) EditOperatePolicyEntry, &Context);\r
+ Status = Context.Status;\r
+ }\r
+\r
+ if (Context.Selector != NULL) {\r
+ gBS->FreePool (Context.Selector);\r
+ }\r
+\r
+ if (Context.Data != NULL) {\r
+ gBS->FreePool (Context.Data);\r
+ }\r
+ }\r
+\r
+ if (Status == EFI_NOT_FOUND) {\r
+ ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_INDEX_NOT_FOUND), mHiiHandle, mAppName, ValueStr);\r
+ } else if (EFI_ERROR (Status)) {\r
+ ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_EDIT_FAILED), mHiiHandle, mAppName);\r
+ }\r
+\r
+ return Status;\r
+\r
+}\r
+\r
+/**\r
+ Insert entry information in database.\r
+\r
+ @param[in] Selector The pointer to the EFI_IPSEC_CONFIG_SELECTOR structure.\r
+ @param[in] Data The pointer to the data.\r
+ @param[in] Context The pointer to the INSERT_POLICY_ENTRY_CONTEXT structure.\r
+\r
+ @retval EFI_SUCCESS Continue the iteration.\r
+ @retval EFI_ABORTED Abort the iteration.\r
+**/\r
+EFI_STATUS\r
+InsertPolicyEntry (\r
+ IN EFI_IPSEC_CONFIG_SELECTOR *Selector,\r
+ IN VOID *Data,\r
+ IN INSERT_POLICY_ENTRY_CONTEXT *Context\r
+ )\r
+{\r
+ //\r
+ // Found the entry which we want to insert before.\r
+ //\r
+ if (mMatchPolicyEntry[Context->DataType] (Selector, Data, &Context->Indexer)) {\r
+\r
+ Context->Status = mIpSecConfig->SetData (\r
+ mIpSecConfig,\r
+ Context->DataType,\r
+ Context->Selector,\r
+ Context->Data,\r
+ Selector\r
+ );\r
+ //\r
+ // Abort the iteration after the insertion.\r
+ //\r
+ return EFI_ABORTED;\r
+ }\r
+\r
+ return EFI_SUCCESS;\r
+}\r
+\r
+/**\r
+ Insert or add entry information in database according to datatype.\r
+\r
+ @param[in] DataType The value of EFI_IPSEC_CONFIG_DATA_TYPE.\r
+ @param[in] ParamPackage The pointer to the ParamPackage list.\r
+\r
+ @retval EFI_SUCCESS Insert or add entry information successfully.\r
+ @retval EFI_NOT_FOUND Can't find the specified entry.\r
+ @retval EFI_BUFFER_TOO_SMALL The entry already existed.\r
+ @retval EFI_UNSUPPORTED The operation is not supported.\r
+ @retval Others Some mistaken case.\r
+**/\r
+EFI_STATUS\r
+AddOrInsertPolicyEntry (\r
+ IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,\r
+ IN LIST_ENTRY *ParamPackage\r
+ )\r
+{\r
+ EFI_STATUS Status;\r
+ EFI_IPSEC_CONFIG_SELECTOR *Selector;\r
+ VOID *Data;\r
+ INSERT_POLICY_ENTRY_CONTEXT Context;\r
+ UINT32 Mask;\r
+ UINTN DataSize;\r
+ CONST CHAR16 *ValueStr;\r
+\r
+ Status = mCreatePolicyEntry[DataType] (&Selector, &Data, ParamPackage, &Mask, TRUE);\r
+ if (!EFI_ERROR (Status)) {\r
+ //\r
+ // Find if the Selector to be inserted already exists.\r
+ //\r
+ DataSize = 0;\r
+ Status = mIpSecConfig->GetData (\r
+ mIpSecConfig,\r
+ DataType,\r
+ Selector,\r
+ &DataSize,\r
+ NULL\r
+ );\r
+ if (Status == EFI_BUFFER_TOO_SMALL) {\r
+ ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_ALREADY_EXISTS), mHiiHandle, mAppName);\r
+ } else if (ShellCommandLineGetFlag (ParamPackage, L"-a")) {\r
+ Status = mIpSecConfig->SetData (\r
+ mIpSecConfig,\r
+ DataType,\r
+ Selector,\r
+ Data,\r
+ NULL\r
+ );\r
+ } else {\r
+ ValueStr = ShellCommandLineGetValue (ParamPackage, L"-i");\r
+ if (ValueStr == NULL) {\r
+ ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_INDEX_NOT_SPECIFIED), mHiiHandle, mAppName, ValueStr);\r
+ return EFI_NOT_FOUND;\r
+ }\r
+\r
+ Status = mConstructPolicyEntryIndexer[DataType] (&Context.Indexer, ParamPackage);\r
+ if (!EFI_ERROR (Status)) {\r
+ Context.DataType = DataType;\r
+ Context.Status = EFI_NOT_FOUND;\r
+ Context.Selector = Selector;\r
+ Context.Data = Data;\r
+\r
+ ForeachPolicyEntry (DataType, (VISIT_POLICY_ENTRY) InsertPolicyEntry, &Context);\r
+ Status = Context.Status;\r
+ if (Status == EFI_NOT_FOUND) {\r
+ ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_INDEX_NOT_FOUND), mHiiHandle, mAppName, ValueStr);\r
+ }\r
+ }\r
+ }\r
+\r
+ gBS->FreePool (Selector);\r
+ gBS->FreePool (Data);\r
+ }\r
+\r
+ if (Status == EFI_UNSUPPORTED) {\r
+ ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_INSERT_UNSUPPORT), mHiiHandle, mAppName);\r
+ } else if (EFI_ERROR (Status)) {\r
+ ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_INSERT_FAILED), mHiiHandle, mAppName);\r
+ }\r
+\r
+ return Status;\r
+}\r