X-Git-Url: https://git.proxmox.com/?p=mirror_edk2.git;a=blobdiff_plain;f=NetworkPkg%2FIpSecDxe%2FIkev2%2FSa.c;fp=NetworkPkg%2FIpSecDxe%2FIkev2%2FSa.c;h=554bcabd4917c7803d02bd335f7015d65ff797f5;hp=f9421ed4e804291c753eda1d2365dda7e80b80fc;hb=f75a7f568e6d0944327970b3f3f2dafd9bba76b1;hpb=9095d37b8fe5bfc3d02adad6ba7fd7359ebc0107
diff --git a/NetworkPkg/IpSecDxe/Ikev2/Sa.c b/NetworkPkg/IpSecDxe/Ikev2/Sa.c
index f9421ed4e8..554bcabd49 100644
--- a/NetworkPkg/IpSecDxe/Ikev2/Sa.c
+++ b/NetworkPkg/IpSecDxe/Ikev2/Sa.c
@@ -2,7 +2,7 @@
The operations for IKEv2 SA.
(C) Copyright 2015 Hewlett-Packard Development Company, L.P.
- Copyright (c) 2010 - 2016, Intel Corporation. All rights reserved.
+ Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
@@ -23,7 +23,7 @@
Generates the DH Key.
This generates the DH local public key and store it in the IKEv2 SA Session's GxBuffer.
-
+
@param[in] IkeSaSession Pointer to related IKE SA Session.
@retval EFI_SUCCESS The operation succeeded.
@@ -155,7 +155,7 @@ Ikev2InitPskGenerator (
// IkeSaSession is responder. If resending IKE_SA_INIT with Cookie Notify
// No need to recompute the Public key.
//
- if ((IkeSaSession->SessionCommon.IsInitiator) && (IkeSaSession->NCookie == NULL)) {
+ if ((IkeSaSession->SessionCommon.IsInitiator) && (IkeSaSession->NCookie == NULL)) {
Status = Ikev2GenerateSaDhPublicKey (IkeSaSession);
if (EFI_ERROR (Status)) {
goto CheckError;
@@ -166,7 +166,7 @@ Ikev2InitPskGenerator (
// 4. Generate KE Payload according to SaParams->DhGroup
//
KePayload = Ikev2GenerateKePayload (
- IkeSaSession,
+ IkeSaSession,
IKEV2_PAYLOAD_TYPE_NONCE
);
@@ -223,7 +223,7 @@ CheckError:
if (SaPayload != NULL) {
IkePayloadFree (SaPayload);
}
- return NULL;
+ return NULL;
}
/**
@@ -241,7 +241,7 @@ EFI_STATUS
Ikev2InitPskParser (
IN UINT8 *SaSession,
IN IKE_PACKET *IkePacket
- )
+ )
{
IKEV2_SA_SESSION *IkeSaSession;
IKE_PAYLOAD *SaPayload;
@@ -305,7 +305,7 @@ Ikev2InitPskParser (
Status = EFI_OUT_OF_RESOURCES;
goto CheckError;
}
-
+
CopyMem (
NonceBuffer,
NoncePayload->PayloadBuf + sizeof (IKEV2_COMMON_PAYLOAD_HEADER),
@@ -410,7 +410,7 @@ CheckError:
if (NonceBuffer != NULL) {
FreePool (NonceBuffer);
}
-
+
return Status;
}
@@ -439,7 +439,7 @@ Ikev2AuthPskGenerator (
IKE_PAYLOAD *NotifyPayload;
IKE_PAYLOAD *CpPayload;
IKEV2_CHILD_SA_SESSION *ChildSaSession;
-
+
IkeSaSession = (IKEV2_SA_SESSION *) SaSession;
ChildSaSession = IKEV2_CHILD_SA_SESSION_BY_IKE_SA (GetFirstNode (&IkeSaSession->ChildSaSessionList));
@@ -453,7 +453,7 @@ Ikev2AuthPskGenerator (
NotifyPayload = NULL;
CpPayload = NULL;
NotifyPayload = NULL;
-
+
//
// 1. Allocate IKE Packet
//
@@ -476,7 +476,7 @@ Ikev2AuthPskGenerator (
}
//
- // According to RFC4306_2.2, For the IKE_SA_INIT message the MessageID should
+ // According to RFC4306_2.2, For the IKE_SA_INIT message the MessageID should
// be always number 0 and 1;
//
IkePacket->Header->MessageId = 1;
@@ -623,7 +623,7 @@ CheckError:
if (IkePacket != NULL) {
IkePacketFree (IkePacket);
}
-
+
if (IdPayload != NULL) {
IkePayloadFree (IdPayload);
}
@@ -631,7 +631,7 @@ CheckError:
if (AuthPayload != NULL) {
IkePayloadFree (AuthPayload);
}
-
+
if (CpPayload != NULL) {
IkePayloadFree (CpPayload);
}
@@ -639,20 +639,20 @@ CheckError:
if (SaPayload != NULL) {
IkePayloadFree (SaPayload);
}
-
+
if (TsiPayload != NULL) {
IkePayloadFree (TsiPayload);
}
-
+
if (TsrPayload != NULL) {
IkePayloadFree (TsrPayload);
}
-
+
if (NotifyPayload != NULL) {
IkePayloadFree (NotifyPayload);
}
-
- return NULL;
+
+ return NULL;
}
/**
@@ -661,13 +661,13 @@ CheckError:
@param[in] SaSession Pointer to the IKE_SA_SESSION related to this packet.
@param[in] IkePacket Pointer to the IKE_AUTH packet to be parsered.
- @retval EFI_INVALID_PARAMETER The IKE packet is malformed or the SA
+ @retval EFI_INVALID_PARAMETER The IKE packet is malformed or the SA
proposal is unacceptable.
@retval EFI_SUCCESS The IKE packet is acceptable and the
relative data is saved for furthure communication.
**/
-EFI_STATUS
+EFI_STATUS
Ikev2AuthPskParser (
IN UINT8 *SaSession,
IN IKE_PACKET *IkePacket
@@ -733,7 +733,7 @@ Ikev2AuthPskParser (
// Check IkePacket Header is match the state
//
if (IkeSaSession->SessionCommon.IsInitiator) {
-
+
//
// 1. Check the IkePacket->Hdr == IKE_HEADER_FLAGS_RESPOND
//
@@ -830,7 +830,7 @@ Ikev2AuthPskParser (
(((TRAFFIC_SELECTOR *)(TsrPayload->PayloadBuf + sizeof (IKEV2_TS)))->StartPort != ChildSaSession->RemotePort)
) {
return EFI_INVALID_PARAMETER;
- }
+ }
if ((((TRAFFIC_SELECTOR *)(TsiPayload->PayloadBuf + sizeof (IKEV2_TS)))->StartPort != 0) &&
(((TRAFFIC_SELECTOR *)(TsiPayload->PayloadBuf + sizeof (IKEV2_TS)))->StartPort != ChildSaSession->LocalPort)
) {
@@ -847,7 +847,7 @@ Ikev2AuthPskParser (
return EFI_INVALID_PARAMETER;
}
//
- // Get the Virtual IP address from the Tsi traffic selector.
+ // Get the Virtual IP address from the Tsi traffic selector.
// TODO: check the CFG reply payload
//
CopyMem (
@@ -856,7 +856,7 @@ Ikev2AuthPskParser (
(ChildSaSession->SessionCommon.UdpService->IpVersion == IP_VERSION_4) ?
sizeof (EFI_IPv4_ADDRESS) : sizeof (EFI_IPv6_ADDRESS)
);
- }
+ }
}
//
@@ -866,7 +866,7 @@ Ikev2AuthPskParser (
if (EFI_ERROR (Status)) {
return Status;
}
-
+
if (IkeSaSession->SessionCommon.IsInitiator) {
//
// 6. Change the state of IkeSaSession
@@ -874,7 +874,7 @@ Ikev2AuthPskParser (
IKEV2_DUMP_STATE (IkeSaSession->SessionCommon.State, IkeStateIkeSaEstablished);
IkeSaSession->SessionCommon.State = IkeStateIkeSaEstablished;
}
-
+
return EFI_SUCCESS;
}
@@ -892,7 +892,7 @@ IKE_PACKET*
Ikev2InitCertGenerator (
IN UINT8 *SaSession,
IN VOID *Context
- )
+ )
{
IKE_PACKET *IkePacket;
IKE_PAYLOAD *CertReqPayload;
@@ -944,7 +944,7 @@ Ikev2InitCertGenerator (
@retval EFI_SUCCESS The IKEv2 packet is acceptable and the relative data is
saved for furthure communication.
- @retval EFI_INVALID_PARAMETER The IKE packet is malformed or the SA proposal is unacceptable.
+ @retval EFI_INVALID_PARAMETER The IKE packet is malformed or the SA proposal is unacceptable.
@retval EFI_UNSUPPORTED The certificate authentication is not supported.
**/
@@ -956,11 +956,11 @@ Ikev2InitCertParser (
{
if (!FeaturePcdGet (PcdIpsecCertificateEnabled)) {
return EFI_UNSUPPORTED;
- }
-
+ }
+
//
// The first two messages exchange is same between PSK and Cert.
- // Todo: Parse Certificate Request from responder Initial Exchange.
+ // Todo: Parse Certificate Request from responder Initial Exchange.
//
return Ikev2InitPskParser (SaSession, IkePacket);
}
@@ -1071,7 +1071,7 @@ Ikev2AuthCertGenerator (
if (CertPayload == NULL) {
goto CheckError;
}
-
+
if (IkeSaSession->SessionCommon.IsInitiator) {
CertReqPayload = Ikev2GenerateCertificatePayload (
IkeSaSession,
@@ -1083,7 +1083,7 @@ Ikev2AuthCertGenerator (
);
if (CertReqPayload == NULL) {
goto CheckError;
- }
+ }
}
//
@@ -1126,15 +1126,15 @@ Ikev2AuthCertGenerator (
IKEV2_CFG_ATTR_INTERNAL_IP6_ADDRESS
);
}
-
+
if (CpPayload == NULL) {
goto CheckError;
- }
+ }
}
if (AuthPayload == NULL) {
goto CheckError;
- }
+ }
//
// 5. Generate SA Payload according to the Sa Data in ChildSaSession
@@ -1165,7 +1165,7 @@ Ikev2AuthCertGenerator (
);
//
- // Generate Notify Payload. If transport mode, there should have Notify
+ // Generate Notify Payload. If transport mode, there should have Notify
// payload with TRANSPORT_MODE notification.
//
NotifyPayload = Ikev2GenerateNotifyPayload (
@@ -1222,7 +1222,7 @@ CheckError:
if (IkePacket != NULL) {
IkePacketFree (IkePacket);
}
-
+
if (IdPayload != NULL) {
IkePayloadFree (IdPayload);
}
@@ -1230,7 +1230,7 @@ CheckError:
if (CertPayload != NULL) {
IkePayloadFree (CertPayload);
}
-
+
if (CertReqPayload != NULL) {
IkePayloadFree (CertReqPayload);
}
@@ -1242,24 +1242,24 @@ CheckError:
if (CpPayload != NULL) {
IkePayloadFree (CpPayload);
}
-
+
if (SaPayload != NULL) {
IkePayloadFree (SaPayload);
}
-
+
if (TsiPayload != NULL) {
IkePayloadFree (TsiPayload);
}
-
+
if (TsrPayload != NULL) {
IkePayloadFree (TsrPayload);
}
-
+
if (NotifyPayload != NULL) {
IkePayloadFree (NotifyPayload);
}
-
- return NULL;
+
+ return NULL;
}
/**
@@ -1342,7 +1342,7 @@ Ikev2AuthCertParser (
}
}
- if ((SaPayload == NULL) || (AuthPayload == NULL) || (TsiPayload == NULL) ||
+ if ((SaPayload == NULL) || (AuthPayload == NULL) || (TsiPayload == NULL) ||
(TsrPayload == NULL) || (CertPayload == NULL)) {
goto Exit;
}
@@ -1354,7 +1354,7 @@ Ikev2AuthCertParser (
// Check IkePacket Header is match the state
//
if (IkeSaSession->SessionCommon.IsInitiator) {
-
+
//
// 1. Check the IkePacket->Hdr == IKE_HEADER_FLAGS_RESPOND
//
@@ -1451,7 +1451,7 @@ Ikev2AuthCertParser (
(((TRAFFIC_SELECTOR *)(TsrPayload->PayloadBuf + sizeof (IKEV2_TS)))->StartPort != ChildSaSession->RemotePort)
) {
goto Exit;
- }
+ }
if ((((TRAFFIC_SELECTOR *)(TsiPayload->PayloadBuf + sizeof (IKEV2_TS)))->StartPort != 0) &&
(((TRAFFIC_SELECTOR *)(TsiPayload->PayloadBuf + sizeof (IKEV2_TS)))->StartPort != ChildSaSession->LocalPort)
) {
@@ -1468,7 +1468,7 @@ Ikev2AuthCertParser (
goto Exit;
}
//
- // Get the Virtual IP address from the Tsi traffic selector.
+ // Get the Virtual IP address from the Tsi traffic selector.
// TODO: check the CFG reply payload
//
CopyMem (
@@ -1479,7 +1479,7 @@ Ikev2AuthCertParser (
);
}
}
-
+
//
// 5. Generat keymats for IPsec protocol.
//
@@ -1487,7 +1487,7 @@ Ikev2AuthCertParser (
if (EFI_ERROR (Status)) {
goto Exit;
}
-
+
if (IkeSaSession->SessionCommon.IsInitiator) {
//
// 6. Change the state of IkeSaSession
@@ -1528,7 +1528,7 @@ Ikev2GenerateSaDhPublicKey (
if (IkeSaSession->IkeKeys == NULL) {
return EFI_OUT_OF_RESOURCES;
}
-
+
IkeKeys = IkeSaSession->IkeKeys;
IkeKeys->DhBuffer = AllocateZeroPool (sizeof (IKEV2_DH_BUFFER));
if (IkeKeys->DhBuffer == NULL) {
@@ -1560,13 +1560,13 @@ Ikev2GenerateSaDhPublicKey (
);
if (EFI_ERROR (Status)) {
DEBUG ((DEBUG_ERROR, "Error CPLKeyManGetKeyParam X public key error Status = %r\n", Status));
-
+
FreePool (IkeKeys->DhBuffer->GxBuffer);
-
+
FreePool (IkeKeys->DhBuffer);
-
+
FreePool (IkeSaSession->IkeKeys);
-
+
return Status;
}
@@ -1583,7 +1583,7 @@ Ikev2GenerateSaDhPublicKey (
@param[in] DhBuffer Pointer to buffer of peer's puliic key.
@param[in] KePayload Pointer to received key payload.
-
+
@retval EFI_SUCCESS The operation succeeded.
@retval Otherwise The operation failed.
@@ -1622,7 +1622,7 @@ Ikev2GenerateSaDhComputeKey (
DEBUG ((DEBUG_ERROR, "Error CPLKeyManGetKeyParam Y session key error Status = %r\n", Status));
FreePool (DhBuffer->GxyBuffer);
-
+
return Status;
}
@@ -1633,10 +1633,10 @@ Ikev2GenerateSaDhComputeKey (
DhBuffer->GyBuffer = AllocateZeroPool (DhBuffer->GySize);
if (DhBuffer->GyBuffer == NULL) {
FreePool (DhBuffer->GxyBuffer);
-
+
return Status;
}
-
+
CopyMem (DhBuffer->GyBuffer, PubKey, DhBuffer->GySize);
IPSEC_DUMP_BUF ("DH Public Key (g^y) Dump", DhBuffer->GyBuffer, DhBuffer->GySize);
@@ -1705,7 +1705,7 @@ Ikev2GenerateSaKeys (
//
// If one or more algorithm is not support, return EFI_UNSUPPORTED.
//
- if (AuthAlgKeyLen == 0 ||
+ if (AuthAlgKeyLen == 0 ||
EncryptAlgKeyLen == 0 ||
IntegrityAlgKeyLen == 0 ||
PrfAlgKeyLen == 0
@@ -1767,8 +1767,8 @@ Ikev2GenerateSaKeys (
IPSEC_DUMP_BUF (">>> NrBlock", IkeSaSession->NrBlock, IkeSaSession->NrBlkSize);
IPSEC_DUMP_BUF (">>> InitiatorCookie", (UINT8 *)&IkeSaSession->InitiatorCookie, sizeof(UINT64));
IPSEC_DUMP_BUF (">>> ResponderCookie", (UINT8 *)&IkeSaSession->ResponderCookie, sizeof(UINT64));
-
- OutputKeyLength = PrfAlgKeyLen +
+
+ OutputKeyLength = PrfAlgKeyLen +
2 * EncryptAlgKeyLen +
2 * AuthAlgKeyLen +
2 * IntegrityAlgKeyLen;
@@ -1818,7 +1818,7 @@ Ikev2GenerateSaKeys (
}
IkeSaSession->IkeKeys->SkAiKeySize = IntegrityAlgKeyLen;
CopyMem (IkeSaSession->IkeKeys->SkAiKey, OutputKey + PrfAlgKeyLen, IntegrityAlgKeyLen);
-
+
IPSEC_DUMP_BUF (">>> SK_Ai Key", IkeSaSession->IkeKeys->SkAiKey, IkeSaSession->IkeKeys->SkAiKeySize);
//
@@ -1835,7 +1835,7 @@ Ikev2GenerateSaKeys (
OutputKey + PrfAlgKeyLen + IntegrityAlgKeyLen,
IntegrityAlgKeyLen
);
-
+
IPSEC_DUMP_BUF (">>> SK_Ar Key", IkeSaSession->IkeKeys->SkArKey, IkeSaSession->IkeKeys->SkArKeySize);
//
@@ -1847,14 +1847,14 @@ Ikev2GenerateSaKeys (
goto Exit;
}
IkeSaSession->IkeKeys->SkEiKeySize = EncryptAlgKeyLen;
-
+
CopyMem (
IkeSaSession->IkeKeys->SkEiKey,
OutputKey + AuthAlgKeyLen + 2 * IntegrityAlgKeyLen,
EncryptAlgKeyLen
);
IPSEC_DUMP_BUF (
- ">>> SK_Ei Key",
+ ">>> SK_Ei Key",
OutputKey + AuthAlgKeyLen + 2 * IntegrityAlgKeyLen,
EncryptAlgKeyLen
);
@@ -1915,7 +1915,7 @@ Ikev2GenerateSaKeys (
IkeSaSession->IkeKeys->SkPrKey,
OutputKey + AuthAlgKeyLen + 2 * IntegrityAlgKeyLen + 2 * EncryptAlgKeyLen + AuthAlgKeyLen,
AuthAlgKeyLen
- );
+ );
IPSEC_DUMP_BUF (
">>> SK_Pr Key",
OutputKey + AuthAlgKeyLen + 2 * IntegrityAlgKeyLen + 2 * EncryptAlgKeyLen + AuthAlgKeyLen,
@@ -1958,7 +1958,7 @@ Exit:
}
}
-
+
return Status;
}
@@ -1988,16 +1988,16 @@ Ikev2GenerateChildSaKeys (
Status = EFI_SUCCESS;
OutputKey = NULL;
-
+
if (KePayload != NULL) {
//
- // Generate Gxy
+ // Generate Gxy
//
Status = Ikev2GenerateSaDhComputeKey (ChildSaSession->DhBuffer, KePayload);
if (EFI_ERROR (Status)) {
goto Exit;
}
-
+
Fragments[0].Data = ChildSaSession->DhBuffer->GxyBuffer;
Fragments[0].DataSize = ChildSaSession->DhBuffer->GxySize;
}
@@ -2021,7 +2021,7 @@ Ikev2GenerateChildSaKeys (
}
//
- //
+ //
// If KePayload is not NULL, calculate KEYMAT = prf+(SK_d, g^ir (new) | Ni | Nr ),
// otherwise, KEYMAT = prf+(SK_d, Ni | Nr )
//
@@ -2045,16 +2045,16 @@ Ikev2GenerateChildSaKeys (
);
if (EFI_ERROR (Status)) {
- goto Exit;
+ goto Exit;
}
-
+
//
// Copy KEYMATE (SK_ENCRYPT_i | SK_ENCRYPT_r | SK_INTEG_i | SK_INTEG_r) to
// ChildKeyMates.
- //
+ //
if (!ChildSaSession->SessionCommon.IsInitiator) {
- //
+ //
// Initiator Encryption Key
//
ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.EncAlgoId = (UINT8)SaParams->EncAlgId;
@@ -2080,8 +2080,8 @@ Ikev2GenerateChildSaKeys (
if (ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.AuthKey == NULL) {
Status = EFI_OUT_OF_RESOURCES;
goto Exit;
- }
-
+ }
+
CopyMem (
ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.AuthKey,
OutputKey + EncryptAlgKeyLen,
@@ -2097,8 +2097,8 @@ Ikev2GenerateChildSaKeys (
if (ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.EncKey == NULL) {
Status = EFI_OUT_OF_RESOURCES;
goto Exit;
- }
-
+ }
+
CopyMem (
ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.EncKey,
OutputKey + EncryptAlgKeyLen + IntegrityAlgKeyLen,
@@ -2114,8 +2114,8 @@ Ikev2GenerateChildSaKeys (
if (ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.AuthKey == NULL) {
Status = EFI_OUT_OF_RESOURCES;
goto Exit;
- }
-
+ }
+
CopyMem (
ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.AuthKey,
OutputKey + 2 * EncryptAlgKeyLen + IntegrityAlgKeyLen,
@@ -2131,8 +2131,8 @@ Ikev2GenerateChildSaKeys (
if (ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.EncKey == NULL) {
Status = EFI_OUT_OF_RESOURCES;
goto Exit;
- }
-
+ }
+
CopyMem (
ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.EncKey,
OutputKey,
@@ -2148,8 +2148,8 @@ Ikev2GenerateChildSaKeys (
if (ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.AuthKey == NULL) {
Status = EFI_OUT_OF_RESOURCES;
goto Exit;
- }
-
+ }
+
CopyMem (
ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.AuthKey,
OutputKey + EncryptAlgKeyLen,
@@ -2165,8 +2165,8 @@ Ikev2GenerateChildSaKeys (
if (ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.EncKey == NULL) {
Status = EFI_OUT_OF_RESOURCES;
goto Exit;
- }
-
+ }
+
CopyMem (
ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.EncKey,
OutputKey + EncryptAlgKeyLen + IntegrityAlgKeyLen,
@@ -2182,8 +2182,8 @@ Ikev2GenerateChildSaKeys (
if (ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.AuthKey == NULL) {
Status = EFI_OUT_OF_RESOURCES;
goto Exit;
- }
-
+ }
+
CopyMem (
ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.AuthKey,
OutputKey + 2 * EncryptAlgKeyLen + IntegrityAlgKeyLen,
@@ -2233,7 +2233,7 @@ Exit:
if (OutputKey != NULL) {
FreePool (OutputKey);
}
-
+
return EFI_SUCCESS;
}