The operations for IKEv2 SA.\r
\r
(C) Copyright 2015 Hewlett-Packard Development Company, L.P.<BR>\r
- Copyright (c) 2010 - 2016, Intel Corporation. All rights reserved.<BR>\r
+ Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>\r
\r
This program and the accompanying materials\r
are licensed and made available under the terms and conditions of the BSD License\r
Generates the DH Key.\r
\r
This generates the DH local public key and store it in the IKEv2 SA Session's GxBuffer.\r
- \r
+\r
@param[in] IkeSaSession Pointer to related IKE SA Session.\r
\r
@retval EFI_SUCCESS The operation succeeded.\r
// IkeSaSession is responder. If resending IKE_SA_INIT with Cookie Notify\r
// No need to recompute the Public key.\r
//\r
- if ((IkeSaSession->SessionCommon.IsInitiator) && (IkeSaSession->NCookie == NULL)) { \r
+ if ((IkeSaSession->SessionCommon.IsInitiator) && (IkeSaSession->NCookie == NULL)) {\r
Status = Ikev2GenerateSaDhPublicKey (IkeSaSession);\r
if (EFI_ERROR (Status)) {\r
goto CheckError;\r
// 4. Generate KE Payload according to SaParams->DhGroup\r
//\r
KePayload = Ikev2GenerateKePayload (\r
- IkeSaSession, \r
+ IkeSaSession,\r
IKEV2_PAYLOAD_TYPE_NONCE\r
);\r
\r
if (SaPayload != NULL) {\r
IkePayloadFree (SaPayload);\r
}\r
- return NULL; \r
+ return NULL;\r
}\r
\r
/**\r
Ikev2InitPskParser (\r
IN UINT8 *SaSession,\r
IN IKE_PACKET *IkePacket\r
- ) \r
+ )\r
{\r
IKEV2_SA_SESSION *IkeSaSession;\r
IKE_PAYLOAD *SaPayload;\r
Status = EFI_OUT_OF_RESOURCES;\r
goto CheckError;\r
}\r
- \r
+\r
CopyMem (\r
NonceBuffer,\r
NoncePayload->PayloadBuf + sizeof (IKEV2_COMMON_PAYLOAD_HEADER),\r
if (NonceBuffer != NULL) {\r
FreePool (NonceBuffer);\r
}\r
- \r
+\r
return Status;\r
}\r
\r
IKE_PAYLOAD *NotifyPayload;\r
IKE_PAYLOAD *CpPayload;\r
IKEV2_CHILD_SA_SESSION *ChildSaSession;\r
- \r
+\r
\r
IkeSaSession = (IKEV2_SA_SESSION *) SaSession;\r
ChildSaSession = IKEV2_CHILD_SA_SESSION_BY_IKE_SA (GetFirstNode (&IkeSaSession->ChildSaSessionList));\r
NotifyPayload = NULL;\r
CpPayload = NULL;\r
NotifyPayload = NULL;\r
- \r
+\r
//\r
// 1. Allocate IKE Packet\r
//\r
}\r
\r
//\r
- // According to RFC4306_2.2, For the IKE_SA_INIT message the MessageID should \r
+ // According to RFC4306_2.2, For the IKE_SA_INIT message the MessageID should\r
// be always number 0 and 1;\r
//\r
IkePacket->Header->MessageId = 1;\r
if (IkePacket != NULL) {\r
IkePacketFree (IkePacket);\r
}\r
- \r
+\r
if (IdPayload != NULL) {\r
IkePayloadFree (IdPayload);\r
}\r
if (AuthPayload != NULL) {\r
IkePayloadFree (AuthPayload);\r
}\r
- \r
+\r
if (CpPayload != NULL) {\r
IkePayloadFree (CpPayload);\r
}\r
if (SaPayload != NULL) {\r
IkePayloadFree (SaPayload);\r
}\r
- \r
+\r
if (TsiPayload != NULL) {\r
IkePayloadFree (TsiPayload);\r
}\r
- \r
+\r
if (TsrPayload != NULL) {\r
IkePayloadFree (TsrPayload);\r
}\r
- \r
+\r
if (NotifyPayload != NULL) {\r
IkePayloadFree (NotifyPayload);\r
}\r
- \r
- return NULL; \r
+\r
+ return NULL;\r
}\r
\r
/**\r
@param[in] SaSession Pointer to the IKE_SA_SESSION related to this packet.\r
@param[in] IkePacket Pointer to the IKE_AUTH packet to be parsered.\r
\r
- @retval EFI_INVALID_PARAMETER The IKE packet is malformed or the SA \r
+ @retval EFI_INVALID_PARAMETER The IKE packet is malformed or the SA\r
proposal is unacceptable.\r
@retval EFI_SUCCESS The IKE packet is acceptable and the\r
relative data is saved for furthure communication.\r
\r
**/\r
-EFI_STATUS \r
+EFI_STATUS\r
Ikev2AuthPskParser (\r
IN UINT8 *SaSession,\r
IN IKE_PACKET *IkePacket\r
// Check IkePacket Header is match the state\r
//\r
if (IkeSaSession->SessionCommon.IsInitiator) {\r
- \r
+\r
//\r
// 1. Check the IkePacket->Hdr == IKE_HEADER_FLAGS_RESPOND\r
//\r
(((TRAFFIC_SELECTOR *)(TsrPayload->PayloadBuf + sizeof (IKEV2_TS)))->StartPort != ChildSaSession->RemotePort)\r
) {\r
return EFI_INVALID_PARAMETER;\r
- } \r
+ }\r
if ((((TRAFFIC_SELECTOR *)(TsiPayload->PayloadBuf + sizeof (IKEV2_TS)))->StartPort != 0) &&\r
(((TRAFFIC_SELECTOR *)(TsiPayload->PayloadBuf + sizeof (IKEV2_TS)))->StartPort != ChildSaSession->LocalPort)\r
) {\r
return EFI_INVALID_PARAMETER;\r
}\r
//\r
- // Get the Virtual IP address from the Tsi traffic selector. \r
+ // Get the Virtual IP address from the Tsi traffic selector.\r
// TODO: check the CFG reply payload\r
//\r
CopyMem (\r
(ChildSaSession->SessionCommon.UdpService->IpVersion == IP_VERSION_4) ?\r
sizeof (EFI_IPv4_ADDRESS) : sizeof (EFI_IPv6_ADDRESS)\r
);\r
- } \r
+ }\r
}\r
\r
//\r
if (EFI_ERROR (Status)) {\r
return Status;\r
}\r
- \r
+\r
if (IkeSaSession->SessionCommon.IsInitiator) {\r
//\r
// 6. Change the state of IkeSaSession\r
IKEV2_DUMP_STATE (IkeSaSession->SessionCommon.State, IkeStateIkeSaEstablished);\r
IkeSaSession->SessionCommon.State = IkeStateIkeSaEstablished;\r
}\r
- \r
+\r
return EFI_SUCCESS;\r
}\r
\r
Ikev2InitCertGenerator (\r
IN UINT8 *SaSession,\r
IN VOID *Context\r
- ) \r
+ )\r
{\r
IKE_PACKET *IkePacket;\r
IKE_PAYLOAD *CertReqPayload;\r
\r
@retval EFI_SUCCESS The IKEv2 packet is acceptable and the relative data is\r
saved for furthure communication.\r
- @retval EFI_INVALID_PARAMETER The IKE packet is malformed or the SA proposal is unacceptable. \r
+ @retval EFI_INVALID_PARAMETER The IKE packet is malformed or the SA proposal is unacceptable.\r
@retval EFI_UNSUPPORTED The certificate authentication is not supported.\r
\r
**/\r
{\r
if (!FeaturePcdGet (PcdIpsecCertificateEnabled)) {\r
return EFI_UNSUPPORTED;\r
- } \r
- \r
+ }\r
+\r
//\r
// The first two messages exchange is same between PSK and Cert.\r
- // Todo: Parse Certificate Request from responder Initial Exchange. \r
+ // Todo: Parse Certificate Request from responder Initial Exchange.\r
//\r
return Ikev2InitPskParser (SaSession, IkePacket);\r
}\r
if (CertPayload == NULL) {\r
goto CheckError;\r
}\r
- \r
+\r
if (IkeSaSession->SessionCommon.IsInitiator) {\r
CertReqPayload = Ikev2GenerateCertificatePayload (\r
IkeSaSession,\r
);\r
if (CertReqPayload == NULL) {\r
goto CheckError;\r
- } \r
+ }\r
}\r
\r
//\r
IKEV2_CFG_ATTR_INTERNAL_IP6_ADDRESS\r
);\r
}\r
- \r
+\r
if (CpPayload == NULL) {\r
goto CheckError;\r
- } \r
+ }\r
}\r
\r
if (AuthPayload == NULL) {\r
goto CheckError;\r
- } \r
+ }\r
\r
//\r
// 5. Generate SA Payload according to the Sa Data in ChildSaSession\r
);\r
\r
//\r
- // Generate Notify Payload. If transport mode, there should have Notify \r
+ // Generate Notify Payload. If transport mode, there should have Notify\r
// payload with TRANSPORT_MODE notification.\r
//\r
NotifyPayload = Ikev2GenerateNotifyPayload (\r
if (IkePacket != NULL) {\r
IkePacketFree (IkePacket);\r
}\r
- \r
+\r
if (IdPayload != NULL) {\r
IkePayloadFree (IdPayload);\r
}\r
if (CertPayload != NULL) {\r
IkePayloadFree (CertPayload);\r
}\r
- \r
+\r
if (CertReqPayload != NULL) {\r
IkePayloadFree (CertReqPayload);\r
}\r
if (CpPayload != NULL) {\r
IkePayloadFree (CpPayload);\r
}\r
- \r
+\r
if (SaPayload != NULL) {\r
IkePayloadFree (SaPayload);\r
}\r
- \r
+\r
if (TsiPayload != NULL) {\r
IkePayloadFree (TsiPayload);\r
}\r
- \r
+\r
if (TsrPayload != NULL) {\r
IkePayloadFree (TsrPayload);\r
}\r
- \r
+\r
if (NotifyPayload != NULL) {\r
IkePayloadFree (NotifyPayload);\r
}\r
- \r
- return NULL; \r
+\r
+ return NULL;\r
}\r
\r
/**\r
}\r
}\r
\r
- if ((SaPayload == NULL) || (AuthPayload == NULL) || (TsiPayload == NULL) || \r
+ if ((SaPayload == NULL) || (AuthPayload == NULL) || (TsiPayload == NULL) ||\r
(TsrPayload == NULL) || (CertPayload == NULL)) {\r
goto Exit;\r
}\r
// Check IkePacket Header is match the state\r
//\r
if (IkeSaSession->SessionCommon.IsInitiator) {\r
- \r
+\r
//\r
// 1. Check the IkePacket->Hdr == IKE_HEADER_FLAGS_RESPOND\r
//\r
(((TRAFFIC_SELECTOR *)(TsrPayload->PayloadBuf + sizeof (IKEV2_TS)))->StartPort != ChildSaSession->RemotePort)\r
) {\r
goto Exit;\r
- } \r
+ }\r
if ((((TRAFFIC_SELECTOR *)(TsiPayload->PayloadBuf + sizeof (IKEV2_TS)))->StartPort != 0) &&\r
(((TRAFFIC_SELECTOR *)(TsiPayload->PayloadBuf + sizeof (IKEV2_TS)))->StartPort != ChildSaSession->LocalPort)\r
) {\r
goto Exit;\r
}\r
//\r
- // Get the Virtual IP address from the Tsi traffic selector. \r
+ // Get the Virtual IP address from the Tsi traffic selector.\r
// TODO: check the CFG reply payload\r
//\r
CopyMem (\r
);\r
}\r
}\r
- \r
+\r
//\r
// 5. Generat keymats for IPsec protocol.\r
//\r
if (EFI_ERROR (Status)) {\r
goto Exit;\r
}\r
- \r
+\r
if (IkeSaSession->SessionCommon.IsInitiator) {\r
//\r
// 6. Change the state of IkeSaSession\r
if (IkeSaSession->IkeKeys == NULL) {\r
return EFI_OUT_OF_RESOURCES;\r
}\r
- \r
+\r
IkeKeys = IkeSaSession->IkeKeys;\r
IkeKeys->DhBuffer = AllocateZeroPool (sizeof (IKEV2_DH_BUFFER));\r
if (IkeKeys->DhBuffer == NULL) {\r
);\r
if (EFI_ERROR (Status)) {\r
DEBUG ((DEBUG_ERROR, "Error CPLKeyManGetKeyParam X public key error Status = %r\n", Status));\r
- \r
+\r
FreePool (IkeKeys->DhBuffer->GxBuffer);\r
- \r
+\r
FreePool (IkeKeys->DhBuffer);\r
- \r
+\r
FreePool (IkeSaSession->IkeKeys);\r
- \r
+\r
return Status;\r
}\r
\r
\r
@param[in] DhBuffer Pointer to buffer of peer's puliic key.\r
@param[in] KePayload Pointer to received key payload.\r
- \r
+\r
@retval EFI_SUCCESS The operation succeeded.\r
@retval Otherwise The operation failed.\r
\r
DEBUG ((DEBUG_ERROR, "Error CPLKeyManGetKeyParam Y session key error Status = %r\n", Status));\r
\r
FreePool (DhBuffer->GxyBuffer);\r
- \r
+\r
return Status;\r
}\r
\r
DhBuffer->GyBuffer = AllocateZeroPool (DhBuffer->GySize);\r
if (DhBuffer->GyBuffer == NULL) {\r
FreePool (DhBuffer->GxyBuffer);\r
- \r
+\r
return Status;\r
}\r
- \r
+\r
CopyMem (DhBuffer->GyBuffer, PubKey, DhBuffer->GySize);\r
\r
IPSEC_DUMP_BUF ("DH Public Key (g^y) Dump", DhBuffer->GyBuffer, DhBuffer->GySize);\r
//\r
// If one or more algorithm is not support, return EFI_UNSUPPORTED.\r
//\r
- if (AuthAlgKeyLen == 0 || \r
+ if (AuthAlgKeyLen == 0 ||\r
EncryptAlgKeyLen == 0 ||\r
IntegrityAlgKeyLen == 0 ||\r
PrfAlgKeyLen == 0\r
IPSEC_DUMP_BUF (">>> NrBlock", IkeSaSession->NrBlock, IkeSaSession->NrBlkSize);\r
IPSEC_DUMP_BUF (">>> InitiatorCookie", (UINT8 *)&IkeSaSession->InitiatorCookie, sizeof(UINT64));\r
IPSEC_DUMP_BUF (">>> ResponderCookie", (UINT8 *)&IkeSaSession->ResponderCookie, sizeof(UINT64));\r
- \r
- OutputKeyLength = PrfAlgKeyLen + \r
+\r
+ OutputKeyLength = PrfAlgKeyLen +\r
2 * EncryptAlgKeyLen +\r
2 * AuthAlgKeyLen +\r
2 * IntegrityAlgKeyLen;\r
}\r
IkeSaSession->IkeKeys->SkAiKeySize = IntegrityAlgKeyLen;\r
CopyMem (IkeSaSession->IkeKeys->SkAiKey, OutputKey + PrfAlgKeyLen, IntegrityAlgKeyLen);\r
- \r
+\r
IPSEC_DUMP_BUF (">>> SK_Ai Key", IkeSaSession->IkeKeys->SkAiKey, IkeSaSession->IkeKeys->SkAiKeySize);\r
\r
//\r
OutputKey + PrfAlgKeyLen + IntegrityAlgKeyLen,\r
IntegrityAlgKeyLen\r
);\r
- \r
+\r
IPSEC_DUMP_BUF (">>> SK_Ar Key", IkeSaSession->IkeKeys->SkArKey, IkeSaSession->IkeKeys->SkArKeySize);\r
\r
//\r
goto Exit;\r
}\r
IkeSaSession->IkeKeys->SkEiKeySize = EncryptAlgKeyLen;\r
- \r
+\r
CopyMem (\r
IkeSaSession->IkeKeys->SkEiKey,\r
OutputKey + AuthAlgKeyLen + 2 * IntegrityAlgKeyLen,\r
EncryptAlgKeyLen\r
);\r
IPSEC_DUMP_BUF (\r
- ">>> SK_Ei Key", \r
+ ">>> SK_Ei Key",\r
OutputKey + AuthAlgKeyLen + 2 * IntegrityAlgKeyLen,\r
EncryptAlgKeyLen\r
);\r
IkeSaSession->IkeKeys->SkPrKey,\r
OutputKey + AuthAlgKeyLen + 2 * IntegrityAlgKeyLen + 2 * EncryptAlgKeyLen + AuthAlgKeyLen,\r
AuthAlgKeyLen\r
- ); \r
+ );\r
IPSEC_DUMP_BUF (\r
">>> SK_Pr Key",\r
OutputKey + AuthAlgKeyLen + 2 * IntegrityAlgKeyLen + 2 * EncryptAlgKeyLen + AuthAlgKeyLen,\r
}\r
}\r
\r
- \r
+\r
return Status;\r
}\r
\r
\r
Status = EFI_SUCCESS;\r
OutputKey = NULL;\r
- \r
+\r
if (KePayload != NULL) {\r
//\r
- // Generate Gxy \r
+ // Generate Gxy\r
//\r
Status = Ikev2GenerateSaDhComputeKey (ChildSaSession->DhBuffer, KePayload);\r
if (EFI_ERROR (Status)) {\r
goto Exit;\r
}\r
- \r
+\r
Fragments[0].Data = ChildSaSession->DhBuffer->GxyBuffer;\r
Fragments[0].DataSize = ChildSaSession->DhBuffer->GxySize;\r
}\r
}\r
\r
//\r
- // \r
+ //\r
// If KePayload is not NULL, calculate KEYMAT = prf+(SK_d, g^ir (new) | Ni | Nr ),\r
// otherwise, KEYMAT = prf+(SK_d, Ni | Nr )\r
//\r
);\r
\r
if (EFI_ERROR (Status)) {\r
- goto Exit; \r
+ goto Exit;\r
}\r
- \r
+\r
//\r
// Copy KEYMATE (SK_ENCRYPT_i | SK_ENCRYPT_r | SK_INTEG_i | SK_INTEG_r) to\r
// ChildKeyMates.\r
- // \r
+ //\r
if (!ChildSaSession->SessionCommon.IsInitiator) {\r
\r
- // \r
+ //\r
// Initiator Encryption Key\r
//\r
ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.EncAlgoId = (UINT8)SaParams->EncAlgId;\r
if (ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.AuthKey == NULL) {\r
Status = EFI_OUT_OF_RESOURCES;\r
goto Exit;\r
- } \r
- \r
+ }\r
+\r
CopyMem (\r
ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.AuthKey,\r
OutputKey + EncryptAlgKeyLen,\r
if (ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.EncKey == NULL) {\r
Status = EFI_OUT_OF_RESOURCES;\r
goto Exit;\r
- } \r
- \r
+ }\r
+\r
CopyMem (\r
ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.EncKey,\r
OutputKey + EncryptAlgKeyLen + IntegrityAlgKeyLen,\r
if (ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.AuthKey == NULL) {\r
Status = EFI_OUT_OF_RESOURCES;\r
goto Exit;\r
- } \r
- \r
+ }\r
+\r
CopyMem (\r
ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.AuthKey,\r
OutputKey + 2 * EncryptAlgKeyLen + IntegrityAlgKeyLen,\r
if (ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.EncKey == NULL) {\r
Status = EFI_OUT_OF_RESOURCES;\r
goto Exit;\r
- } \r
- \r
+ }\r
+\r
CopyMem (\r
ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.EncKey,\r
OutputKey,\r
if (ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.AuthKey == NULL) {\r
Status = EFI_OUT_OF_RESOURCES;\r
goto Exit;\r
- } \r
- \r
+ }\r
+\r
CopyMem (\r
ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.AuthKey,\r
OutputKey + EncryptAlgKeyLen,\r
if (ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.EncKey == NULL) {\r
Status = EFI_OUT_OF_RESOURCES;\r
goto Exit;\r
- } \r
- \r
+ }\r
+\r
CopyMem (\r
ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.EncKey,\r
OutputKey + EncryptAlgKeyLen + IntegrityAlgKeyLen,\r
if (ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.AuthKey == NULL) {\r
Status = EFI_OUT_OF_RESOURCES;\r
goto Exit;\r
- } \r
- \r
+ }\r
+\r
CopyMem (\r
ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.AuthKey,\r
OutputKey + 2 * EncryptAlgKeyLen + IntegrityAlgKeyLen,\r
if (OutputKey != NULL) {\r
FreePool (OutputKey);\r
}\r
- \r
+\r
return EFI_SUCCESS;\r
}\r
\r