2. Delete all SAs in IPsec->Stop().
Signed-off-by: qianouyang
Reviewed-by: sfu5
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@12768
6f19259b-4bc3-4df7-8a09-
765794883524
/** @file\r
Provide IPsec Key Exchange (IKE) service general interfaces.\r
/** @file\r
Provide IPsec Key Exchange (IKE) service general interfaces.\r
Copyright (c) 2010 - 2011, Intel Corporation. All rights reserved.<BR>\r
\r
This program and the accompanying materials\r
Copyright (c) 2010 - 2011, Intel Corporation. All rights reserved.<BR>\r
\r
This program and the accompanying materials\r
\r
/**\r
Configure a UDPIO's UDP4 instance.\r
\r
/**\r
Configure a UDPIO's UDP4 instance.\r
- \r
- This fuction is called by the UdpIoCreateIo() to configures a \r
+\r
+ This fuction is called by the UdpIoCreateIo() to configures a\r
@param[in] UdpIo The UDP_IO to be configured.\r
@param[in] Context User-defined data when calling UdpIoCreateIo().\r
@param[in] UdpIo The UDP_IO to be configured.\r
@param[in] Context User-defined data when calling UdpIoCreateIo().\r
@retval EFI_SUCCESS The configuration succeeded.\r
@retval Others The UDP4 instance fails to configure.\r
\r
@retval EFI_SUCCESS The configuration succeeded.\r
@retval Others The UDP4 instance fails to configure.\r
\r
\r
/**\r
Configure a UDPIO's UDP6 instance.\r
\r
/**\r
Configure a UDPIO's UDP6 instance.\r
- \r
- This fuction is called by the UdpIoCreateIo()to configure a \r
+\r
+ This fuction is called by the UdpIoCreateIo()to configure a\r
@param[in] UdpIo The UDP_IO to be configured.\r
@param[in] Context User-defined data when calling UdpIoCreateIo().\r
@param[in] UdpIo The UDP_IO to be configured.\r
@param[in] Context User-defined data when calling UdpIoCreateIo().\r
@retval EFI_SUCCESS The configuration succeeded.\r
@retval Others The configuration fails.\r
\r
@retval EFI_SUCCESS The configuration succeeded.\r
@retval Others The configuration fails.\r
\r
\r
/**\r
Open and configure the related output UDPIO for IKE packet sending.\r
\r
/**\r
Open and configure the related output UDPIO for IKE packet sending.\r
- \r
- If the UdpService is not configured, this fuction calls UdpIoCreatIo() to \r
+\r
+ If the UdpService is not configured, this fuction calls UdpIoCreatIo() to\r
create UDPIO to bind this UdpService for IKE packet sending. If the UdpService\r
has already been configured, then return.\r
create UDPIO to bind this UdpService for IKE packet sending. If the UdpService\r
has already been configured, then return.\r
@param[in] UdpService The UDP_IO to be configured.\r
@param[in] RemoteIp User-defined data when calling UdpIoCreateIo().\r
@param[in] UdpService The UDP_IO to be configured.\r
@param[in] RemoteIp User-defined data when calling UdpIoCreateIo().\r
@retval EFI_SUCCESS The configuration is successful.\r
@retval Others The configuration fails.\r
\r
@retval EFI_SUCCESS The configuration is successful.\r
@retval Others The configuration fails.\r
\r
\r
/**\r
Open and configure a UDPIO of Udp4 for IKE packet receiving.\r
\r
/**\r
Open and configure a UDPIO of Udp4 for IKE packet receiving.\r
- \r
- This function is called at the IPsecDriverBinding start. IPsec create a UDP4 and \r
+\r
+ This function is called at the IPsecDriverBinding start. IPsec create a UDP4 and\r
UDP4 IO for each NIC handle.\r
UDP4 IO for each NIC handle.\r
@param[in] Private Point to IPSEC_PRIVATE_DATA\r
@param[in] Controller Handler for NIC card.\r
@param[in] Private Point to IPSEC_PRIVATE_DATA\r
@param[in] Controller Handler for NIC card.\r
@retval EFI_SUCCESS The Operation is successful.\r
@retval EFI_OUT_OF_RESOURCE The required system resource can't be allocated.\r
@retval EFI_SUCCESS The Operation is successful.\r
@retval EFI_OUT_OF_RESOURCE The required system resource can't be allocated.\r
**/\r
EFI_STATUS\r
IkeOpenInputUdp4 (\r
**/\r
EFI_STATUS\r
IkeOpenInputUdp4 (\r
\r
/**\r
Open and configure a UDPIO of Udp6 for IKE packet receiving.\r
\r
/**\r
Open and configure a UDPIO of Udp6 for IKE packet receiving.\r
This function is called at the IPsecDriverBinding start. IPsec create a UDP6 and UDP6\r
IO for each NIC handle.\r
This function is called at the IPsecDriverBinding start. IPsec create a UDP6 and UDP6\r
IO for each NIC handle.\r
@param[in] Private Point to IPSEC_PRIVATE_DATA\r
@param[in] Controller Handler for NIC card.\r
@param[in] Private Point to IPSEC_PRIVATE_DATA\r
@param[in] Controller Handler for NIC card.\r
@retval EFI_SUCCESS The Operation is successful.\r
@retval EFI_OUT_OF_RESOURCE The required system resource can't be allocated.\r
@retval EFI_SUCCESS The Operation is successful.\r
@retval EFI_OUT_OF_RESOURCE The required system resource can't be allocated.\r
**/\r
EFI_STATUS\r
IkeOpenInputUdp6 (\r
**/\r
EFI_STATUS\r
IkeOpenInputUdp6 (\r
\r
/**\r
The general interface of starting IPsec Key Exchange.\r
\r
/**\r
The general interface of starting IPsec Key Exchange.\r
This function is called when a IKE negotiation to start getting a Key.\r
This function is called when a IKE negotiation to start getting a Key.\r
- \r
- @param[in] UdpService Point to IKE_UDP_SERVICE which will be used for \r
+\r
+ @param[in] UdpService Point to IKE_UDP_SERVICE which will be used for\r
IKE packet sending.\r
@param[in] SpdEntry Point to the SPD entry related to the IKE negotiation.\r
@param[in] RemoteIp Point to EFI_IP_ADDRESS related to the IKE negotiation.\r
IKE packet sending.\r
@param[in] SpdEntry Point to the SPD entry related to the IKE negotiation.\r
@param[in] RemoteIp Point to EFI_IP_ADDRESS related to the IKE negotiation.\r
@retval EFI_SUCCESS The Operation is successful.\r
@retval EFI_ACCESS_DENIED No related PAD entry was found.\r
@retval EFI_INVALID_PARAMETER The IKE version is not supported.\r
@retval EFI_SUCCESS The Operation is successful.\r
@retval EFI_ACCESS_DENIED No related PAD entry was found.\r
@retval EFI_INVALID_PARAMETER The IKE version is not supported.\r
**/\r
EFI_STATUS\r
IkeNegotiate (\r
**/\r
EFI_STATUS\r
IkeNegotiate (\r
}\r
//\r
// Try to find the IKE SA session in the IKEv1 and IKEv2 established SA session list.\r
}\r
//\r
// Try to find the IKE SA session in the IKEv1 and IKEv2 established SA session list.\r
- // \r
- IkeSaSession = (UINT8 *) Ikev2SaSessionLookup (&Private->Ikev2EstablishedList, RemoteIp); \r
+ //\r
+ IkeSaSession = (UINT8 *) Ikev2SaSessionLookup (&Private->Ikev2EstablishedList, RemoteIp);\r
\r
\r
if (IkeSaSession == NULL) {\r
\r
\r
if (IkeSaSession == NULL) {\r
if (IkeVersion != 2) {\r
return EFI_INVALID_PARAMETER;\r
}\r
if (IkeVersion != 2) {\r
return EFI_INVALID_PARAMETER;\r
}\r
Exchange = mIkeExchange[IkeVersion - 1];\r
//\r
// Start the quick mode stage to negotiate child SA.\r
Exchange = mIkeExchange[IkeVersion - 1];\r
//\r
// Start the quick mode stage to negotiate child SA.\r
\r
/**\r
The generic interface when receive a IKE packet.\r
\r
/**\r
The generic interface when receive a IKE packet.\r
This function is called when UDP IO receives a IKE packet.\r
This function is called when UDP IO receives a IKE packet.\r
@param[in] Packet Point to received IKE packet.\r
@param[in] Packet Point to received IKE packet.\r
- @param[in] EndPoint Point to UDP_END_POINT which contains the information of \r
+ @param[in] EndPoint Point to UDP_END_POINT which contains the information of\r
Remote IP and Port.\r
@param[in] IoStatus The Status of Recieve Token.\r
@param[in] Context Point to data passed from the caller.\r
Remote IP and Port.\r
@param[in] IoStatus The Status of Recieve Token.\r
@param[in] Context Point to data passed from the caller.\r
\r
/**\r
Delete all established IKE SAs and related Child SAs.\r
\r
/**\r
Delete all established IKE SAs and related Child SAs.\r
- \r
- This function is the subfunction of the IpSecCleanupAllSa(). It first calls \r
- IkeDeleteChildSa() to delete all Child SAs then send out the related \r
+\r
+ This function is the subfunction of the IpSecCleanupAllSa(). It first calls\r
+ IkeDeleteChildSa() to delete all Child SAs then send out the related\r
- @param[in] Private Pointer of the IPSEC_PRIVATE_DATA\r
+ @param[in] Private Pointer of the IPSEC_PRIVATE_DATA\r
+ @param[in] IsDisableIPsec Indicate whether needs to disable IPsec.\r
\r
**/\r
VOID\r
IkeDeleteAllSas (\r
\r
**/\r
VOID\r
IkeDeleteAllSas (\r
- IN IPSEC_PRIVATE_DATA *Private\r
+ IN IPSEC_PRIVATE_DATA *Private,\r
+ IN BOOLEAN IsDisableIpsec\r
)\r
{\r
LIST_ENTRY *Entry;\r
)\r
{\r
LIST_ENTRY *Entry;\r
//\r
if (!IsListEmpty (&Private->Ikev2SessionList)) {\r
NET_LIST_FOR_EACH_SAFE (Entry, NextEntry, &Private->Ikev2SessionList) {\r
//\r
if (!IsListEmpty (&Private->Ikev2SessionList)) {\r
NET_LIST_FOR_EACH_SAFE (Entry, NextEntry, &Private->Ikev2SessionList) {\r
- Ikev2SaSession = IKEV2_SA_SESSION_BY_SESSION (Entry); \r
+ Ikev2SaSession = IKEV2_SA_SESSION_BY_SESSION (Entry);\r
RemoveEntryList (Entry);\r
Ikev2SaSessionFree (Ikev2SaSession);\r
}\r
}\r
RemoveEntryList (Entry);\r
Ikev2SaSessionFree (Ikev2SaSession);\r
}\r
}\r
//\r
// If there is no existing established IKE SA, set the Ipsec DisableFlag to TRUE\r
// and turn off the IsIPsecDisabling flag.\r
//\r
//\r
// If there is no existing established IKE SA, set the Ipsec DisableFlag to TRUE\r
// and turn off the IsIPsecDisabling flag.\r
//\r
- if (IsListEmpty (&Private->Ikev2EstablishedList)) {\r
+ if (IsListEmpty (&Private->Ikev2EstablishedList) && IsDisableIpsec) {\r
Value = IPSEC_STATUS_DISABLED;\r
Status = gRT->SetVariable (\r
IPSECCONFIG_STATUS_NAME,\r
Value = IPSEC_STATUS_DISABLED;\r
Status = gRT->SetVariable (\r
IPSECCONFIG_STATUS_NAME,\r
for (Entry = Private->Ikev2EstablishedList.ForwardLink; Entry != &Private->Ikev2EstablishedList;) {\r
Ikev2SaSession = IKEV2_SA_SESSION_BY_SESSION (Entry);\r
Entry = Entry->ForwardLink;\r
for (Entry = Private->Ikev2EstablishedList.ForwardLink; Entry != &Private->Ikev2EstablishedList;) {\r
Ikev2SaSession = IKEV2_SA_SESSION_BY_SESSION (Entry);\r
Entry = Entry->ForwardLink;\r
Ikev2SaSession->SessionCommon.State = IkeStateSaDeleting;\r
\r
//\r
Ikev2SaSession->SessionCommon.State = IkeStateSaDeleting;\r
\r
//\r
if (IkeVersion == 2) {\r
Exchange = mIkeExchange[IkeVersion - 1];\r
Exchange->NegotiateInfo((UINT8*)Ikev2SaSession, NULL);\r
if (IkeVersion == 2) {\r
Exchange = mIkeExchange[IkeVersion - 1];\r
Exchange->NegotiateInfo((UINT8*)Ikev2SaSession, NULL);\r
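Review bot: The block comment above the new condition, `// If there is no existing established IKE SA, set the Ipsec DisableFlag to TRUE`, is now stale, because the SetVariable write is additionally gated on `IsDisableIpsec`; it should read `// If no established IKE SA is left and the caller asked to disable IPsec, record IPSEC_STATUS_DISABLED and clear the IsIPsecDisabling flag.` The doxygen tag `@param[in] IsDisableIPsec` does not match the declared parameter `IsDisableIpsec` and should use the declared spelling. When the flag is FALSE (presumably the IPsec->Stop() path named in the commit title) the established sessions are still only marked `IkeStateSaDeleting` and handed to `NegotiateInfo`, so whether they are actually released before the driver stops depends on code after this hunk and is worth confirming, since a Delete may not be sendable at that point. IkeDeleteAllSas begins and ends outside the hunk.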
/** @file\r
Prototypes definitions of IKE service.\r
/** @file\r
Prototypes definitions of IKE service.\r
Copyright (c) 2010 - 2011, Intel Corporation. All rights reserved.<BR>\r
\r
This program and the accompanying materials\r
Copyright (c) 2010 - 2011, Intel Corporation. All rights reserved.<BR>\r
\r
This program and the accompanying materials\r
- This is prototype definition fo general interface to start a IKE negotiation at Quick Mode. \r
+ This is prototype definition fo general interface to start a IKE negotiation at Quick Mode.\r
\r
This function will be called when the related IKE SA is existed and start to\r
create a Child SA.\r
\r
This function will be called when the related IKE SA is existed and start to\r
create a Child SA.\r
- This is prototype definition of the general interface when recived a IKE Pakcet \r
+ This is prototype definition of the general interface when recived a IKE Pakcet\r
for the IKE SA establishing.\r
\r
@param[in] UdpService Point to UDP service used to send IKE Packet.\r
for the IKE SA establishing.\r
\r
@param[in] UdpService Point to UDP service used to send IKE Packet.\r
\r
/**\r
This is prototyp definition of the general interface when recived a IKE Packet\r
\r
/**\r
This is prototyp definition of the general interface when recived a IKE Packet\r
- xfor the Child SA establishing. \r
- \r
+ xfor the Child SA establishing.\r
+\r
@param[in] UdpService Point to UDP service used to send IKE packet.\r
@param[in] IkePacket Point to received IKE packet.\r
\r
@param[in] UdpService Point to UDP service used to send IKE packet.\r
@param[in] IkePacket Point to received IKE packet.\r
\r
- This is prototype definition of the general interface when received a IKE \r
+ This is prototype definition of the general interface when received a IKE\r
information Packet.\r
\r
@param[in] UdpService Point to UDP service used to send IKE packet.\r
information Packet.\r
\r
@param[in] UdpService Point to UDP service used to send IKE packet.\r
\r
/**\r
Open and configure a UDPIO of Udp4 for IKE packet receiving.\r
\r
/**\r
Open and configure a UDPIO of Udp4 for IKE packet receiving.\r
- \r
- This function is called at the IPsecDriverBinding start. IPsec create a UDP4 and \r
+\r
+ This function is called at the IPsecDriverBinding start. IPsec create a UDP4 and\r
a UDP4 IO for each NIC handle.\r
a UDP4 IO for each NIC handle.\r
@param[in] Private Point to IPSEC_PRIVATE_DATA\r
@param[in] Controller Handler for NIC card.\r
@param[in] Private Point to IPSEC_PRIVATE_DATA\r
@param[in] Controller Handler for NIC card.\r
@retval EFI_SUCCESS The Operation is successful.\r
@retval EFI_OUT_OF_RESOURCE The required system resource can't be allocated.\r
@retval EFI_SUCCESS The Operation is successful.\r
@retval EFI_OUT_OF_RESOURCE The required system resource can't be allocated.\r
**/\r
EFI_STATUS\r
IkeOpenInputUdp4 (\r
**/\r
EFI_STATUS\r
IkeOpenInputUdp4 (\r
\r
/**\r
Open and configure a UDPIO of Udp6 for IKE packet receiving.\r
\r
/**\r
Open and configure a UDPIO of Udp6 for IKE packet receiving.\r
This function is called at the IPsecDriverBinding start. IPsec create a UDP6 and UDP6\r
IO for each NIC handle.\r
This function is called at the IPsecDriverBinding start. IPsec create a UDP6 and UDP6\r
IO for each NIC handle.\r
@param[in] Private Point to IPSEC_PRIVATE_DATA\r
@param[in] Controller Handler for NIC card.\r
@param[in] Private Point to IPSEC_PRIVATE_DATA\r
@param[in] Controller Handler for NIC card.\r
@retval EFI_SUCCESS The Operation is successful.\r
@retval EFI_OUT_OF_RESOURCE The required system resource can't be allocated.\r
@retval EFI_SUCCESS The Operation is successful.\r
@retval EFI_OUT_OF_RESOURCE The required system resource can't be allocated.\r
**/\r
EFI_STATUS\r
IkeOpenInputUdp6 (\r
**/\r
EFI_STATUS\r
IkeOpenInputUdp6 (\r
\r
/**\r
The general interface of starting IPsec Key Exchange.\r
\r
/**\r
The general interface of starting IPsec Key Exchange.\r
This function is called when start a IKE negotiation to get a Key.\r
This function is called when start a IKE negotiation to get a Key.\r
- \r
- @param[in] UdpService Point to IKE_UDP_SERVICE which will be used for \r
+\r
+ @param[in] UdpService Point to IKE_UDP_SERVICE which will be used for\r
IKE packet sending.\r
@param[in] SpdEntry Point to the SPD entry related to the IKE negotiation.\r
@param[in] RemoteIp Point to EFI_IP_ADDRESS related to the IKE negotiation.\r
IKE packet sending.\r
@param[in] SpdEntry Point to the SPD entry related to the IKE negotiation.\r
@param[in] RemoteIp Point to EFI_IP_ADDRESS related to the IKE negotiation.\r
@retval EFI_SUCCESS The Operation is successful.\r
@retval EFI_ACCESS_DENIED No related PAD entry was found.\r
@retval EFI_SUCCESS The Operation is successful.\r
@retval EFI_ACCESS_DENIED No related PAD entry was found.\r
**/\r
EFI_STATUS\r
IkeNegotiate (\r
**/\r
EFI_STATUS\r
IkeNegotiate (\r
\r
/**\r
The general interface when receive a IKE packet.\r
\r
/**\r
The general interface when receive a IKE packet.\r
This function is called when UDP IO receives a IKE packet.\r
This function is called when UDP IO receives a IKE packet.\r
@param[in] Packet Point to received IKE packet.\r
@param[in] Packet Point to received IKE packet.\r
- @param[in] EndPoint Point to UDP_END_POINT which contains the information of \r
+ @param[in] EndPoint Point to UDP_END_POINT which contains the information of\r
Remote IP and Port.\r
@param[in] IoStatus The Status of Recieve Token.\r
@param[in] Context Point to data passed from the caller.\r
Remote IP and Port.\r
@param[in] IoStatus The Status of Recieve Token.\r
@param[in] Context Point to data passed from the caller.\r
\r
/**\r
Delete all established IKE SAs and related Child SAs.\r
\r
/**\r
Delete all established IKE SAs and related Child SAs.\r
- \r
- This function is the subfunction of the IpSecCleanupAllSa(). It first calls \r
- IkeDeleteChildSa() to delete all Child SAs then send out the related \r
+\r
+ This function is the subfunction of the IpSecCleanupAllSa(). It first calls\r
+ IkeDeleteChildSa() to delete all Child SAs then send out the related\r
- @param[in] Private Pointer of the IPSEC_PRIVATE_DATA.\r
+ @param[in] Private Pointer of the IPSEC_PRIVATE_DATA.\r
+ @param[in] IsDisableIPsec Indicate whether needs to disable IPsec.\r
\r
**/\r
VOID\r
IkeDeleteAllSas (\r
\r
**/\r
VOID\r
IkeDeleteAllSas (\r
- IN IPSEC_PRIVATE_DATA *Private\r
+ IN IPSEC_PRIVATE_DATA *Private,\r
+ IN BOOLEAN IsDisableIpsec\r
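Review bot: The new `@param[in] IsDisableIPsec` tag in the IkeDeleteAllSas prototype comment does not match the parameter declared a few lines later, `IN BOOLEAN IsDisableIpsec`; doxygen matches by name, so the tag should be `@param[in] IsDisableIpsec Indicate whether IPsec is to be disabled once the SAs are removed.` The whitespace cleanup also preserved the stray character in `xfor the Child SA establishing.`, which should read `for the Child SA establishing.` The flag description would be more useful if it said what FALSE means for the caller, i.e. that the IPSECCONFIG_STATUS variable is left untouched, if that is indeed the contract in the implementation. The prototype comment starts outside the hunk.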
/** @file\r
The general interfaces of the IKEv2.\r
\r
/** @file\r
The general interfaces of the IKEv2.\r
\r
- Copyright (c) 2010, Intel Corporation. All rights reserved.<BR>\r
+ Copyright (c) 2010 - 2011, Intel Corporation. All rights reserved.<BR>\r
\r
This program and the accompanying materials\r
are licensed and made available under the terms and conditions of the BSD License\r
\r
This program and the accompanying materials\r
are licensed and made available under the terms and conditions of the BSD License\r
IKEV2_PACKET_HANDLER Handler;\r
IKE_PACKET *IkePacket;\r
EFI_STATUS Status;\r
IKEV2_PACKET_HANDLER Handler;\r
IKE_PACKET *IkePacket;\r
EFI_STATUS Status;\r
if (UdpService == NULL || RemoteIp == NULL) {\r
return EFI_INVALID_PARAMETER;\r
}\r
if (UdpService == NULL || RemoteIp == NULL) {\r
return EFI_INVALID_PARAMETER;\r
}\r
//\r
return EFI_SUCCESS;\r
}\r
//\r
return EFI_SUCCESS;\r
}\r
//\r
// Create a new IkeSaSession and initiate the common parameters.\r
//\r
//\r
// Create a new IkeSaSession and initiate the common parameters.\r
//\r
// Set the specific parameters and state(IKE_STATE_INIT).\r
//\r
IkeSaSession->Spd = SpdEntry;\r
// Set the specific parameters and state(IKE_STATE_INIT).\r
//\r
IkeSaSession->Spd = SpdEntry;\r
- IkeSaSession->Pad = PadEntry; \r
+ IkeSaSession->Pad = PadEntry;\r
SessionCommon = &IkeSaSession->SessionCommon;\r
SessionCommon->IsInitiator = TRUE;\r
SessionCommon->State = IkeStateInit;\r
SessionCommon = &IkeSaSession->SessionCommon;\r
SessionCommon->IsInitiator = TRUE;\r
SessionCommon->State = IkeStateInit;\r
// to support it.\r
//\r
SessionCommon->PreferDhGroup = IKEV2_TRANSFORM_ID_DH_1024MODP;\r
// to support it.\r
//\r
SessionCommon->PreferDhGroup = IKEV2_TRANSFORM_ID_DH_1024MODP;\r
CopyMem (\r
&SessionCommon->RemotePeerIp,\r
RemoteIp,\r
sizeof (EFI_IP_ADDRESS)\r
);\r
CopyMem (\r
&SessionCommon->RemotePeerIp,\r
RemoteIp,\r
sizeof (EFI_IP_ADDRESS)\r
);\r
CopyMem (\r
&SessionCommon->LocalPeerIp,\r
&UdpService->DefaultAddress,\r
CopyMem (\r
&SessionCommon->LocalPeerIp,\r
&UdpService->DefaultAddress,\r
/**\r
It is general interface to negotiate the Child SA.\r
\r
/**\r
It is general interface to negotiate the Child SA.\r
\r
- There are three situations which will invoke this function. First, create a CHILD \r
- SA if the input Context is NULL. Second, rekeying the existing IKE SA if the Context \r
- is a IKEv2_SA_SESSION. Third, rekeying the existing CHILD SA if the context is a \r
+ There are three situations which will invoke this function. First, create a CHILD\r
+ SA if the input Context is NULL. Second, rekeying the existing IKE SA if the Context\r
+ is a IKEv2_SA_SESSION. Third, rekeying the existing CHILD SA if the context is a\r
IKEv2_CHILD_SA_SESSION.\r
\r
@param[in] IkeSaSession Pointer to IKEv2_SA_SESSION related to this operation.\r
@param[in] SpdEntry Pointer to IPSEC_SPD_ENTRY related to this operation.\r
@param[in] Context The data pass from the caller.\r
IKEv2_CHILD_SA_SESSION.\r
\r
@param[in] IkeSaSession Pointer to IKEv2_SA_SESSION related to this operation.\r
@param[in] SpdEntry Pointer to IPSEC_SPD_ENTRY related to this operation.\r
@param[in] Context The data pass from the caller.\r
@retval EFI_SUCCESS The operation is successful.\r
@retval EFI_OUT_OF_RESOURCES The required system resource can't be allocated.\r
@retval EFI_UNSUPPORTED The condition is not support yet.\r
@retval EFI_SUCCESS The operation is successful.\r
@retval EFI_OUT_OF_RESOURCES The required system resource can't be allocated.\r
@retval EFI_UNSUPPORTED The condition is not support yet.\r
if (EFI_ERROR (Status)) {\r
goto ON_ERROR;\r
}\r
if (EFI_ERROR (Status)) {\r
goto ON_ERROR;\r
}\r
//\r
// Insert the ChildSaSession into processing child SA list.\r
//\r
//\r
// Insert the ChildSaSession into processing child SA list.\r
//\r
It is general interface to start the Information Exchange.\r
\r
There are three situations which will invoke this function. First, deliver a Delete Information\r
It is general interface to start the Information Exchange.\r
\r
There are three situations which will invoke this function. First, deliver a Delete Information\r
- to delete the IKE SA if the input Context is NULL and the state of related IkeSaSeesion's is on \r
- deleting.Second, deliver a Notify Information without the contents if the input Context is NULL. \r
+ to delete the IKE SA if the input Context is NULL and the state of related IkeSaSeesion's is on\r
+ deleting.Second, deliver a Notify Information without the contents if the input Context is NULL.\r
Third, deliver a Notify Information if the input Context is not NULL.\r
\r
@param[in] IkeSaSession Pointer to IKEv2_SA_SESSION related to this operation.\r
Third, deliver a Notify Information if the input Context is not NULL.\r
\r
@param[in] IkeSaSession Pointer to IKEv2_SA_SESSION related to this operation.\r
IN UINT8 *Context\r
)\r
{\r
IN UINT8 *Context\r
)\r
{\r
EFI_STATUS Status;\r
IKEV2_SA_SESSION *Ikev2SaSession;\r
IKEV2_CHILD_SA_SESSION *ChildSaSession;\r
EFI_STATUS Status;\r
IKEV2_SA_SESSION *Ikev2SaSession;\r
IKEV2_CHILD_SA_SESSION *ChildSaSession;\r
//\r
if (Ikev2SaSession->SessionCommon.State == IkeStateSaDeleting && Context == NULL) {\r
\r
//\r
if (Ikev2SaSession->SessionCommon.State == IkeStateSaDeleting && Context == NULL) {\r
\r
- //\r
- // The IKE SA Session should be initiator if it triggers the deleting.\r
- //\r
- Ikev2SaSession->SessionCommon.IsInitiator = TRUE;\r
-\r
//\r
// Generate Information Packet which contains the Delete Payload.\r
//\r
//\r
// Generate Information Packet which contains the Delete Payload.\r
//\r
//\r
// Send out the Packet\r
//\r
//\r
// Send out the Packet\r
//\r
- Status = Ikev2SendIkePacket (UdpService, (UINT8 *) SaCommon, IkePacket, 0);\r
+ if (UdpService != NULL) {\r
+ Status = Ikev2SendIkePacket (UdpService, (UINT8 *) SaCommon, IkePacket, 0);\r
- if (EFI_ERROR (Status)) {\r
- goto ON_ERROR;\r
+ if (EFI_ERROR (Status)) {\r
+ goto ON_ERROR;\r
+ }\r
}\r
} else if (!IsListEmpty (&Ikev2SaSession->DeleteSaList)) {\r
//\r
}\r
} else if (!IsListEmpty (&Ikev2SaSession->DeleteSaList)) {\r
//\r
//\r
// Send out the Packet\r
//\r
//\r
// Send out the Packet\r
//\r
- Status = Ikev2SendIkePacket (UdpService, (UINT8 *) &ChildSaSession->SessionCommon, IkePacket, 0);\r
+ if (UdpService != NULL) {\r
+ Status = Ikev2SendIkePacket (UdpService, (UINT8 *) &ChildSaSession->SessionCommon, IkePacket, 0);\r
- if (EFI_ERROR (Status)) {\r
- goto ON_ERROR;\r
+ if (EFI_ERROR (Status)) {\r
+ goto ON_ERROR;\r
+ }\r
}\r
}\r
} else if (Context == NULL) {\r
}\r
}\r
} else if (Context == NULL) {\r
/**\r
The general interface when received a IKEv2 packet for the IKE SA establishing.\r
\r
/**\r
The general interface when received a IKEv2 packet for the IKE SA establishing.\r
\r
- This function first find the related IKE SA Session according to the IKE packet's \r
+ This function first find the related IKE SA Session according to the IKE packet's\r
remote IP. Then call the corresponding function to handle this IKE packet according\r
remote IP. Then call the corresponding function to handle this IKE packet according\r
- to the related IKE SA Session's State. \r
+ to the related IKE SA Session's State.\r
\r
@param[in] UdpService Pointer of related UDP Service.\r
@param[in] IkePacket Data passed by caller.\r
\r
@param[in] UdpService Pointer of related UDP Service.\r
@param[in] IkePacket Data passed by caller.\r
IPSEC_PRIVATE_DATA *Private;\r
BOOLEAN IsNewSession;\r
\r
IPSEC_PRIVATE_DATA *Private;\r
BOOLEAN IsNewSession;\r
\r
- Private = (UdpService->IpVersion == IP_VERSION_4) ? \r
+ Private = (UdpService->IpVersion == IP_VERSION_4) ?\r
IPSEC_PRIVATE_DATA_FROM_UDP4LIST(UdpService->ListHead) :\r
IPSEC_PRIVATE_DATA_FROM_UDP6LIST(UdpService->ListHead);\r
\r
ChildSaSession = NULL;\r
ChildSaCommon = NULL;\r
IPSEC_PRIVATE_DATA_FROM_UDP4LIST(UdpService->ListHead) :\r
IPSEC_PRIVATE_DATA_FROM_UDP6LIST(UdpService->ListHead);\r
\r
ChildSaSession = NULL;\r
ChildSaCommon = NULL;\r
//\r
// Lookup the remote ip address in the processing IKE SA session list.\r
//\r
//\r
// Lookup the remote ip address in the processing IKE SA session list.\r
//\r
&UdpService->DefaultAddress,\r
sizeof (EFI_IP_ADDRESS)\r
);\r
&UdpService->DefaultAddress,\r
sizeof (EFI_IP_ADDRESS)\r
);\r
IsNewSession = TRUE;\r
}\r
\r
IsNewSession = TRUE;\r
}\r
\r
//\r
// Generate a piggyback child SA in IKE_STATE_AUTH state.\r
//\r
//\r
// Generate a piggyback child SA in IKE_STATE_AUTH state.\r
//\r
- ASSERT (IsListEmpty (&IkeSaSession->ChildSaSessionList) && \r
+ ASSERT (IsListEmpty (&IkeSaSession->ChildSaSessionList) &&\r
IsListEmpty (&IkeSaSession->ChildSaEstablishSessionList));\r
IsListEmpty (&IkeSaSession->ChildSaEstablishSessionList));\r
ChildSaSession = Ikev2ChildSaSessionCreate (IkeSaSession, UdpService);\r
ChildSaCommon = &ChildSaSession->SessionCommon;\r
\r
//\r
// Initialize the SA data for Child SA.\r
ChildSaSession = Ikev2ChildSaSessionCreate (IkeSaSession, UdpService);\r
ChildSaCommon = &ChildSaSession->SessionCommon;\r
\r
//\r
// Initialize the SA data for Child SA.\r
ChildSaSession->SaData = Ikev2InitializeSaData (ChildSaCommon);\r
}\r
\r
ChildSaSession->SaData = Ikev2InitializeSaData (ChildSaCommon);\r
}\r
\r
\r
//\r
// Remove the Established Child SA Session from the IkeSaSession->ChildSaSessionList\r
\r
//\r
// Remove the Established Child SA Session from the IkeSaSession->ChildSaSessionList\r
- // ,insert it into IkeSaSession->ChildSaEstablishSessionList and save this Child SA \r
+ // ,insert it into IkeSaSession->ChildSaEstablishSessionList and save this Child SA\r
// into SAD.\r
//\r
ChildSaSession = IKEV2_CHILD_SA_SESSION_BY_IKE_SA (IkeSaSession->ChildSaSessionList.BackLink);\r
// into SAD.\r
//\r
ChildSaSession = IKEV2_CHILD_SA_SESSION_BY_IKE_SA (IkeSaSession->ChildSaSessionList.BackLink);\r
- The general interface when received a IKEv2 packet for the IKE Child SA establishing \r
+ The general interface when received a IKEv2 packet for the IKE Child SA establishing\r
or IKE SA/CHILD SA rekeying.\r
\r
or IKE SA/CHILD SA rekeying.\r
\r
- This function first find the related IKE SA Session according to the IKE packet's \r
+ This function first find the related IKE SA Session according to the IKE packet's\r
remote IP. Then call the corresponding function to handle this IKE packet according\r
remote IP. Then call the corresponding function to handle this IKE packet according\r
- to the related IKE Child Session's State. \r
+ to the related IKE Child Session's State.\r
\r
@param[in] UdpService Pointer of related UDP Service.\r
@param[in] IkePacket Data passed by caller.\r
\r
@param[in] UdpService Pointer of related UDP Service.\r
@param[in] IkePacket Data passed by caller.\r
IKEV2_CREATE_CHILD_REQUEST_TYPE RequestType;\r
IKE_PACKET *Reply;\r
IPSEC_PRIVATE_DATA *Private;\r
IKEV2_CREATE_CHILD_REQUEST_TYPE RequestType;\r
IKE_PACKET *Reply;\r
IPSEC_PRIVATE_DATA *Private;\r
- \r
- Private = (UdpService->IpVersion == IP_VERSION_4) ? \r
+\r
+ Private = (UdpService->IpVersion == IP_VERSION_4) ?\r
IPSEC_PRIVATE_DATA_FROM_UDP4LIST(UdpService->ListHead) :\r
IPSEC_PRIVATE_DATA_FROM_UDP6LIST(UdpService->ListHead);\r
\r
IPSEC_PRIVATE_DATA_FROM_UDP4LIST(UdpService->ListHead) :\r
IPSEC_PRIVATE_DATA_FROM_UDP6LIST(UdpService->ListHead);\r
\r
\r
//\r
// Get the request type: CreateChildSa/RekeyChildSa/RekeyIkeSa.\r
\r
//\r
// Get the request type: CreateChildSa/RekeyChildSa/RekeyIkeSa.\r
RequestType = Ikev2ChildExchangeRequestType (IkePacket);\r
\r
switch (RequestType) {\r
case IkeRequestTypeCreateChildSa:\r
RequestType = Ikev2ChildExchangeRequestType (IkePacket);\r
\r
switch (RequestType) {\r
case IkeRequestTypeCreateChildSa:\r
- case IkeRequestTypeRekeyChildSa: \r
- case IkeRequestTypeRekeyIkeSa: \r
+ case IkeRequestTypeRekeyChildSa:\r
+ case IkeRequestTypeRekeyIkeSa:\r
//\r
// Parse the IKE request packet. Not support CREATE_CHILD_SA exchange yet, so\r
//\r
// Parse the IKE request packet. Not support CREATE_CHILD_SA exchange yet, so\r
- // only EFI_UNSUPPORTED will be returned and that will trigger a reply with a \r
+ // only EFI_UNSUPPORTED will be returned and that will trigger a reply with a\r
// Notify payload of type NO_ADDITIONAL_SAS.\r
//\r
Status = mIkev2CreateChild.Parser ((UINT8 *) IkeSaSession, IkePacket);\r
// Notify payload of type NO_ADDITIONAL_SAS.\r
//\r
Status = mIkev2CreateChild.Parser ((UINT8 *) IkeSaSession, IkePacket);\r
- if (EFI_ERROR (Status)) { \r
+ if (EFI_ERROR (Status)) {\r
ON_REPLY:\r
//\r
// Generate the reply packet if needed and send it out.\r
ON_REPLY:\r
//\r
// Generate the reply packet if needed and send it out.\r
return ;\r
}\r
\r
/**\r
\r
It is general interface to handle IKEv2 information Exchange.\r
return ;\r
}\r
\r
/**\r
\r
It is general interface to handle IKEv2 information Exchange.\r
- \r
- @param[in] UdpService Point to IKE UPD Service related to this information exchange. \r
+\r
+ @param[in] UdpService Point to IKE UPD Service related to this information exchange.\r
@param[in] IkePacket The IKE packet to be parsed.\r
\r
**/\r
@param[in] IkePacket The IKE packet to be parsed.\r
\r
**/\r
IKEV2_SA_SESSION *IkeSaSession;\r
IPSEC_PRIVATE_DATA *Private;\r
\r
IKEV2_SA_SESSION *IkeSaSession;\r
IPSEC_PRIVATE_DATA *Private;\r
\r
- Private = (UdpService->IpVersion == IP_VERSION_4) ? \r
- IPSEC_PRIVATE_DATA_FROM_UDP4LIST(UdpService->ListHead) : \r
+ Private = (UdpService->IpVersion == IP_VERSION_4) ?\r
+ IPSEC_PRIVATE_DATA_FROM_UDP4LIST(UdpService->ListHead) :\r
IPSEC_PRIVATE_DATA_FROM_UDP6LIST(UdpService->ListHead);\r
\r
//\r
// Lookup the remote ip address in the processing IKE SA session list.\r
//\r
IkeSaSession = Ikev2SaSessionLookup (&Private->Ikev2EstablishedList, &IkePacket->RemotePeerIp);\r
IPSEC_PRIVATE_DATA_FROM_UDP6LIST(UdpService->ListHead);\r
\r
//\r
// Lookup the remote ip address in the processing IKE SA session list.\r
//\r
IkeSaSession = Ikev2SaSessionLookup (&Private->Ikev2EstablishedList, &IkePacket->RemotePeerIp);\r
if (IkeSaSession == NULL) {\r
//\r
// Drop the packet if no IKE SA associated.\r
if (IkeSaSession == NULL) {\r
//\r
// Drop the packet if no IKE SA associated.\r
// Validate the IKE packet header.\r
//\r
if (!Ikev2ValidateHeader (IkeSaSession, IkePacket->Header)) {\r
// Validate the IKE packet header.\r
//\r
if (!Ikev2ValidateHeader (IkeSaSession, IkePacket->Header)) {\r
//\r
// Drop the packet if invalid IKE header.\r
//\r
return;\r
//\r
// Drop the packet if invalid IKE header.\r
//\r
return;\r
\r
SessionCommon = &IkeSaSession->SessionCommon;\r
\r
\r
SessionCommon = &IkeSaSession->SessionCommon;\r
\r
// Drop the packet if fail to parse.\r
//\r
return;\r
// Drop the packet if fail to parse.\r
//\r
return;\r
}\r
\r
IKE_EXCHANGE_INTERFACE mIkev1Exchange = {
}\r
\r
IKE_EXCHANGE_INTERFACE mIkev1Exchange = {
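Review bot: When `UdpService` is NULL the Delete informational packet is generated but never sent, and the new guard says nothing about why that is acceptable or what `Status` holds on that path; the function's return is outside the hunk, so confirm it does not hand back a stale or unassigned value there. A comment at the guard would spare the next reader a trip through the callers, e.g. `// UdpService is NULL when the SA is torn down after the UDP I/O is gone (IPsec->Stop()); the Delete cannot be sent, so the peer only learns of it through its own SA lifetime or liveness handling.` Whether the already-built `IkePacket` is released on the skipped-send path also depends on code outside the hunk. Dropping the forced `IsInitiator = TRUE` changes the role a responder-side SA uses for its Delete; that looks consistent with IKEv2 keeping the original initiator role for the life of the SA, but the commit message does not say so and a one-line comment would. Ikev2NegotiateInfo begins and ends outside the hunk.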
#include "IpSecCryptIo.h"\r
\r
//\r
#include "IpSecCryptIo.h"\r
\r
//\r
-// The Constant String of "Key Pad for IKEv2" for Authentication Payload generation. \r
+// The Constant String of "Key Pad for IKEv2" for Authentication Payload generation.\r
//\r
#define CONSTANT_KEY_SIZE 17\r
//\r
#define CONSTANT_KEY_SIZE 17\r
-GLOBAL_REMOVE_IF_UNREFERENCED CHAR8 mConstantKey[CONSTANT_KEY_SIZE] = \r
+GLOBAL_REMOVE_IF_UNREFERENCED CHAR8 mConstantKey[CONSTANT_KEY_SIZE] =\r
{\r
'K', 'e', 'y', ' ', 'P', 'a', 'd', ' ', 'f', 'o', 'r', ' ', 'I', 'K', 'E', 'v', '2'\r
};\r
{\r
'K', 'e', 'y', ' ', 'P', 'a', 'd', ' ', 'f', 'o', 'r', ' ', 'I', 'K', 'E', 'v', '2'\r
};\r
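Review bot: `mConstantKey` is deliberately a 17-byte array without a NUL terminator (the IKEv2 key pad is exactly these octets), so any caller that measures it with a string-length routine instead of `CONSTANT_KEY_SIZE` will over-read; the definition at the `GLOBAL_REMOVE_IF_UNREFERENCED CHAR8 mConstantKey[CONSTANT_KEY_SIZE]` line says nothing about this. I would extend the comment above it with `// Not NUL-terminated: always pass CONSTANT_KEY_SIZE alongside this buffer, never AsciiStrLen().` so the size travels with the buffer.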
Generate Ikev2 SA payload according to SessionSaData\r
\r
@param[in] SessionSaData The data used in SA payload.\r
Generate Ikev2 SA payload according to SessionSaData\r
\r
@param[in] SessionSaData The data used in SA payload.\r
- @param[in] NextPayload The payload type presented in NextPayload field of \r
+ @param[in] NextPayload The payload type presented in NextPayload field of\r
SA Payload header.\r
@param[in] Type The SA type. It MUST be neither (1) for IKE_SA or\r
(2) for CHILD_SA or (3) for INFO.\r
\r
@retval a Pointer to SA IKE payload.\r
SA Payload header.\r
@param[in] Type The SA type. It MUST be neither (1) for IKE_SA or\r
(2) for CHILD_SA or (3) for INFO.\r
\r
@retval a Pointer to SA IKE payload.\r
**/\r
IKE_PAYLOAD *\r
Ikev2GenerateSaPayload (\r
**/\r
IKE_PAYLOAD *\r
Ikev2GenerateSaPayload (\r
// TODO: Get the Proposal Number and Transform Number from IPsec Config,\r
// after the Ipsecconfig Application is support it.\r
//\r
// TODO: Get the Proposal Number and Transform Number from IPsec Config,\r
// after the Ipsecconfig Application is support it.\r
//\r
if (Type == IkeSessionTypeIkeSa) {\r
if (Type == IkeSessionTypeIkeSa) {\r
- SaDataSize = sizeof (IKEV2_SA_DATA) + \r
+ SaDataSize = sizeof (IKEV2_SA_DATA) +\r
SessionSaData->NumProposals * sizeof (IKEV2_PROPOSAL_DATA) +\r
sizeof (IKEV2_TRANSFORM_DATA) * SessionSaData->NumProposals * 4;\r
} else {\r
SessionSaData->NumProposals * sizeof (IKEV2_PROPOSAL_DATA) +\r
sizeof (IKEV2_TRANSFORM_DATA) * SessionSaData->NumProposals * 4;\r
} else {\r
- SaDataSize = sizeof (IKEV2_SA_DATA) + \r
+ SaDataSize = sizeof (IKEV2_SA_DATA) +\r
SessionSaData->NumProposals * sizeof (IKEV2_PROPOSAL_DATA) +\r
sizeof (IKEV2_TRANSFORM_DATA) * SessionSaData->NumProposals * 3;\r
SessionSaData->NumProposals * sizeof (IKEV2_PROPOSAL_DATA) +\r
sizeof (IKEV2_TRANSFORM_DATA) * SessionSaData->NumProposals * 3;\r
}\r
\r
SaData = AllocateZeroPool (SaDataSize);\r
}\r
\r
SaData = AllocateZeroPool (SaDataSize);\r
/**\r
Generate a Nonce payload containing the input parameter NonceBuf.\r
\r
/**\r
Generate a Nonce payload containing the input parameter NonceBuf.\r
\r
- @param[in] NonceBuf The nonce buffer contains the whole Nonce payload block \r
+ @param[in] NonceBuf The nonce buffer contains the whole Nonce payload block\r
except the payload header.\r
@param[in] NonceSize The buffer size of the NonceBuf\r
except the payload header.\r
@param[in] NonceSize The buffer size of the NonceBuf\r
- @param[in] NextPayload The payload type presented in the NextPayload field \r
+ @param[in] NextPayload The payload type presented in the NextPayload field\r
of Nonce Payload header.\r
\r
@retval Pointer to Nonce IKE paload.\r
of Nonce Payload header.\r
\r
@retval Pointer to Nonce IKE paload.\r
- Generate a Key Exchange payload according to the DH group type and save the \r
+ Generate a Key Exchange payload according to the DH group type and save the\r
public Key into IkeSaSession IkeKey field.\r
\r
@param[in, out] IkeSaSession Pointer of the IKE_SA_SESSION.\r
public Key into IkeSaSession IkeKey field.\r
\r
@param[in, out] IkeSaSession Pointer of the IKE_SA_SESSION.\r
- @param[in] NextPayload The payload type presented in the NextPayload field of Key \r
+ @param[in] NextPayload The payload type presented in the NextPayload field of Key\r
Exchange Payload header.\r
\r
@retval Pointer to Key IKE payload.\r
Exchange Payload header.\r
\r
@retval Pointer to Key IKE payload.\r
} else {\r
KeSize = sizeof (IKEV2_KEY_EXCHANGE) + IkeKeys->DhBuffer->GxSize;\r
}\r
} else {\r
KeSize = sizeof (IKEV2_KEY_EXCHANGE) + IkeKeys->DhBuffer->GxSize;\r
}\r
//\r
// Allocate buffer for Key Exchange\r
//\r
//\r
// Allocate buffer for Key Exchange\r
//\r
Ke->DhGroup = IkeSaSession->SessionCommon.PreferDhGroup;\r
\r
CopyMem (Ke + 1, IkeKeys->DhBuffer->GxBuffer, IkeKeys->DhBuffer->GxSize);\r
Ke->DhGroup = IkeSaSession->SessionCommon.PreferDhGroup;\r
\r
CopyMem (Ke + 1, IkeKeys->DhBuffer->GxBuffer, IkeKeys->DhBuffer->GxSize);\r
+\r
+ //\r
+ // Create IKE_PAYLOAD to point to Key Exchange payload\r
- // Create IKE_PAYLOAD to point to Key Exchange payload \r
- // \r
KePayload = IkePayloadAlloc ();\r
ASSERT (KePayload != NULL);\r
KePayload = IkePayloadAlloc ();\r
ASSERT (KePayload != NULL);\r
KePayload->PayloadType = IKEV2_PAYLOAD_TYPE_KE;\r
KePayload->PayloadBuf = (UINT8 *) Ke;\r
KePayload->PayloadSize = KeSize;\r
KePayload->PayloadType = IKEV2_PAYLOAD_TYPE_KE;\r
KePayload->PayloadBuf = (UINT8 *) Ke;\r
KePayload->PayloadSize = KeSize;\r
Generate a ID payload.\r
\r
@param[in] CommonSession Pointer to IKEV2_SESSION_COMMON related to ID payload.\r
Generate a ID payload.\r
\r
@param[in] CommonSession Pointer to IKEV2_SESSION_COMMON related to ID payload.\r
- @param[in] NextPayload The payload type presented in the NextPayload field \r
+ @param[in] NextPayload The payload type presented in the NextPayload field\r
of ID Payload header.\r
\r
@retval Pointer to ID IKE payload.\r
of ID Payload header.\r
\r
@retval Pointer to ID IKE payload.\r
// ! !\r
// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r
//\r
// ! !\r
// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r
//\r
IpVersion = CommonSession->UdpService->IpVersion;\r
AddrSize = (UINT8) ((IpVersion == IP_VERSION_4) ? sizeof(EFI_IPv4_ADDRESS) : sizeof(EFI_IPv6_ADDRESS));\r
IdSize = sizeof (IKEV2_ID) + AddrSize;\r
IpVersion = CommonSession->UdpService->IpVersion;\r
AddrSize = (UINT8) ((IpVersion == IP_VERSION_4) ? sizeof(EFI_IPv4_ADDRESS) : sizeof(EFI_IPv6_ADDRESS));\r
IdSize = sizeof (IKEV2_ID) + AddrSize;\r
IdPayload->PayloadSize = IdSize;\r
\r
//\r
IdPayload->PayloadSize = IdSize;\r
\r
//\r
- // Set generic header of identification payload \r
+ // Set generic header of identification payload\r
//\r
Id->Header.NextPayload = NextPayload;\r
Id->Header.PayloadLength = (UINT16) IdSize;\r
//\r
Id->Header.NextPayload = NextPayload;\r
Id->Header.PayloadLength = (UINT16) IdSize;\r
Generate a ID payload.\r
\r
@param[in] CommonSession Pointer to IKEV2_SESSION_COMMON related to ID payload.\r
Generate a ID payload.\r
\r
@param[in] CommonSession Pointer to IKEV2_SESSION_COMMON related to ID payload.\r
- @param[in] NextPayload The payload type presented in the NextPayload field \r
+ @param[in] NextPayload The payload type presented in the NextPayload field\r
of ID Payload header.\r
@param[in] InCert Pointer to the Certificate which distinguished name\r
will be added into the Id payload.\r
of ID Payload header.\r
@param[in] InCert Pointer to the Certificate which distinguished name\r
will be added into the Id payload.\r
UINT8 IpVersion;\r
UINTN SubjectSize;\r
UINT8 *CertSubject;\r
UINT8 IpVersion;\r
UINTN SubjectSize;\r
UINT8 *CertSubject;\r
//\r
// ID payload\r
// 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1\r
//\r
// ID payload\r
// 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1\r
IdPayload->PayloadSize = IdSize;\r
\r
//\r
IdPayload->PayloadSize = IdSize;\r
\r
//\r
- // Set generic header of identification payload \r
+ // Set generic header of identification payload\r
//\r
Id->Header.NextPayload = NextPayload;\r
Id->Header.PayloadLength = (UINT16) IdSize;\r
//\r
Id->Header.NextPayload = NextPayload;\r
Id->Header.PayloadLength = (UINT16) IdSize;\r
/**\r
Generate a Authentication Payload.\r
\r
/**\r
Generate a Authentication Payload.\r
\r
- This function is used for both Authentication generation and verification. When the \r
- IsVerify is TRUE, it create a Auth Data for verification. This function choose the \r
+ This function is used for both Authentication generation and verification. When the\r
+ IsVerify is TRUE, it create a Auth Data for verification. This function choose the\r
related IKE_SA_INIT Message for Auth data creation according to the IKE Session's type\r
and the value of IsVerify parameter.\r
\r
@param[in] IkeSaSession Pointer to IKEV2_SA_SESSION related to.\r
related IKE_SA_INIT Message for Auth data creation according to the IKE Session's type\r
and the value of IsVerify parameter.\r
\r
@param[in] IkeSaSession Pointer to IKEV2_SA_SESSION related to.\r
- @param[in] IdPayload Pointer to the ID payload to be used for Authentication \r
+ @param[in] IdPayload Pointer to the ID payload to be used for Authentication\r
- @param[in] NextPayload The type filled into the Authentication Payload next \r
+ @param[in] NextPayload The type filled into the Authentication Payload next\r
payload field.\r
@param[in] IsVerify If it is TURE, the Authentication payload is used for\r
verification.\r
payload field.\r
@param[in] IsVerify If it is TURE, the Authentication payload is used for\r
verification.\r
// ! !\r
// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r
//\r
// ! !\r
// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r
//\r
KeyBuf = NULL;\r
AuthPayload = NULL;\r
Digest = NULL;\r
KeyBuf = NULL;\r
AuthPayload = NULL;\r
Digest = NULL;\r
DigestSize = IpSecGetHmacDigestLength ((UINT8)IkeSaSession->SessionCommon.SaParams->Prf);\r
Digest = AllocateZeroPool (DigestSize);\r
\r
DigestSize = IpSecGetHmacDigestLength ((UINT8)IkeSaSession->SessionCommon.SaParams->Prf);\r
Digest = AllocateZeroPool (DigestSize);\r
\r
Status = IpSecCryptoIoHmac (\r
(UINT8)IkeSaSession->SessionCommon.SaParams->Prf,\r
IkeSaSession->Pad->Data->AuthData,\r
Status = IpSecCryptoIoHmac (\r
(UINT8)IkeSaSession->SessionCommon.SaParams->Prf,\r
IkeSaSession->Pad->Data->AuthData,\r
- IkeSaSession->Pad->Data->AuthDataSize, \r
+ IkeSaSession->Pad->Data->AuthDataSize,\r
(HASH_DATA_FRAGMENT *)Fragments,\r
1,\r
Digest,\r
(HASH_DATA_FRAGMENT *)Fragments,\r
1,\r
Digest,\r
\r
//\r
// Copy the result of Prf(SK_Pr, IDi/r) to Fragments[2].\r
\r
//\r
// Copy the result of Prf(SK_Pr, IDi/r) to Fragments[2].\r
Fragments[2].Data = AllocateZeroPool (DigestSize);\r
Fragments[2].DataSize = DigestSize;\r
CopyMem (Fragments[2].Data, Digest, DigestSize);\r
Fragments[2].Data = AllocateZeroPool (DigestSize);\r
Fragments[2].DataSize = DigestSize;\r
CopyMem (Fragments[2].Data, Digest, DigestSize);\r
Digest,\r
DigestSize\r
);\r
Digest,\r
DigestSize\r
);\r
//\r
// Fill in IKE_PACKET\r
//\r
//\r
// Fill in IKE_PACKET\r
//\r
if (Fragments[2].Data != NULL) {\r
//\r
// Free the buffer which contains the result of Prf(SK_Pr, IDi/r)\r
if (Fragments[2].Data != NULL) {\r
//\r
// Free the buffer which contains the result of Prf(SK_Pr, IDi/r)\r
FreePool (Fragments[2].Data);\r
}\r
\r
FreePool (Fragments[2].Data);\r
}\r
\r
- Generate a Authentication Payload for Certificate Auth method. \r
+ Generate a Authentication Payload for Certificate Auth method.\r
- This function has two functions. One is creating a local Authentication \r
- Payload for sending and other is creating the remote Authentication data \r
+ This function has two functions. One is creating a local Authentication\r
+ Payload for sending and other is creating the remote Authentication data\r
for verification when the IsVerify is TURE.\r
\r
@param[in] IkeSaSession Pointer to IKEV2_SA_SESSION related to.\r
for verification when the IsVerify is TURE.\r
\r
@param[in] IkeSaSession Pointer to IKEV2_SA_SESSION related to.\r
- @param[in] IdPayload Pointer to the ID payload to be used for Authentication \r
+ @param[in] IdPayload Pointer to the ID payload to be used for Authentication\r
- @param[in] NextPayload The type filled into the Authentication Payload \r
+ @param[in] NextPayload The type filled into the Authentication Payload\r
- @param[in] IsVerify If it is TURE, the Authentication payload is used \r
+ @param[in] IsVerify If it is TURE, the Authentication payload is used\r
- @param[in] UefiPrivateKey Pointer to the UEFI private key. Ignore it when \r
+ @param[in] UefiPrivateKey Pointer to the UEFI private key. Ignore it when\r
verify the authenticate payload.\r
verify the authenticate payload.\r
- @param[in] UefiPrivateKeyLen The size of UefiPrivateKey in bytes. Ignore it \r
+ @param[in] UefiPrivateKeyLen The size of UefiPrivateKey in bytes. Ignore it\r
when verify the authenticate payload.\r
when verify the authenticate payload.\r
- @param[in] UefiKeyPwd Pointer to the password of UEFI private key. \r
+ @param[in] UefiKeyPwd Pointer to the password of UEFI private key.\r
Ignore it when verify the authenticate payload.\r
Ignore it when verify the authenticate payload.\r
- @param[in] UefiKeyPwdLen The size of UefiKeyPwd in bytes.Ignore it when \r
+ @param[in] UefiKeyPwdLen The size of UefiKeyPwd in bytes.Ignore it when\r
verify the authenticate payload.\r
\r
@return pointer to IKE Authentication payload for Cerifitcation method.\r
verify the authenticate payload.\r
\r
@return pointer to IKE Authentication payload for Cerifitcation method.\r
IpSecDumpBuf ("RealMessage1", Fragments[0].Data, Fragments[0].DataSize);\r
IpSecDumpBuf ("NonceRDdata", Fragments[1].Data, Fragments[1].DataSize);\r
}\r
IpSecDumpBuf ("RealMessage1", Fragments[0].Data, Fragments[0].DataSize);\r
IpSecDumpBuf ("NonceRDdata", Fragments[1].Data, Fragments[1].DataSize);\r
}\r
//\r
// Copy the result of Prf(SK_Pr, IDi/r) to Fragments[2].\r
//\r
// Copy the result of Prf(SK_Pr, IDi/r) to Fragments[2].\r
Fragments[2].Data = AllocateZeroPool (DigestSize);\r
Fragments[2].DataSize = DigestSize;\r
CopyMem (Fragments[2].Data, Digest, DigestSize);\r
Fragments[2].Data = AllocateZeroPool (DigestSize);\r
Fragments[2].DataSize = DigestSize;\r
CopyMem (Fragments[2].Data, Digest, DigestSize);\r
\r
IpSecDumpBuf ("HashSignedOctects", Digest, DigestSize);\r
//\r
\r
IpSecDumpBuf ("HashSignedOctects", Digest, DigestSize);\r
//\r
- // Sign the data by the private Key \r
+ // Sign the data by the private Key\r
//\r
if (!IsVerify) {\r
IpSecCryptoIoAuthDataWithCertificate (\r
//\r
if (!IsVerify) {\r
IpSecCryptoIoAuthDataWithCertificate (\r
if (Fragments[2].Data != NULL) {\r
//\r
// Free the buffer which contains the result of Prf(SK_Pr, IDi/r)\r
if (Fragments[2].Data != NULL) {\r
//\r
// Free the buffer which contains the result of Prf(SK_Pr, IDi/r)\r
FreePool (Fragments[2].Data);\r
}\r
\r
FreePool (Fragments[2].Data);\r
}\r
\r
This function generates TSi or TSr payload according to type of next payload.\r
If the next payload is Responder TS, gereate TSi Payload. Otherwise, generate\r
TSr payload.\r
This function generates TSi or TSr payload according to type of next payload.\r
If the next payload is Responder TS, gereate TSi Payload. Otherwise, generate\r
TSr payload.\r
@param[in] ChildSa Pointer to IKEV2_CHILD_SA_SESSION related to this TS payload.\r
@param[in] ChildSa Pointer to IKEV2_CHILD_SA_SESSION related to this TS payload.\r
- @param[in] NextPayload The payload type presented in the NextPayload field \r
+ @param[in] NextPayload The payload type presented in the NextPayload field\r
of ID Payload header.\r
@param[in] IsTunnel It indicates that if the Ts Payload is after the CP payload.\r
If yes, it means the Tsi and Tsr payload should be with\r
of ID Payload header.\r
@param[in] IsTunnel It indicates that if the Ts Payload is after the CP payload.\r
If yes, it means the Tsi and Tsr payload should be with\r
\r
IpVersion = ChildSa->SessionCommon.UdpService->IpVersion;\r
//\r
\r
IpVersion = ChildSa->SessionCommon.UdpService->IpVersion;\r
//\r
- // The Starting Address and Ending Address is variable length depends on \r
+ // The Starting Address and Ending Address is variable length depends on\r
// is IPv4 or IPv6\r
//\r
AddrSize = (UINT8)((IpVersion == IP_VERSION_4) ? sizeof (EFI_IPv4_ADDRESS) : sizeof (EFI_IPv6_ADDRESS));\r
// is IPv4 or IPv6\r
//\r
AddrSize = (UINT8)((IpVersion == IP_VERSION_4) ? sizeof (EFI_IPv4_ADDRESS) : sizeof (EFI_IPv6_ADDRESS));\r
TsSelector->TSType = (UINT8)((IpVersion == IP_VERSION_4) ? IKEV2_TS_TYPE_IPV4_ADDR_RANGE : IKEV2_TS_TYPS_IPV6_ADDR_RANGE);\r
\r
//\r
TsSelector->TSType = (UINT8)((IpVersion == IP_VERSION_4) ? IKEV2_TS_TYPE_IPV4_ADDR_RANGE : IKEV2_TS_TYPS_IPV6_ADDR_RANGE);\r
\r
//\r
//\r
if (IsTunnel) {\r
TsSelector->IpProtocolId = IKEV2_TS_ANY_PROTOCOL;\r
//\r
if (IsTunnel) {\r
TsSelector->IpProtocolId = IKEV2_TS_ANY_PROTOCOL;\r
//\r
if (NextPayload == IKEV2_PAYLOAD_TYPE_TS_RSP){\r
//\r
//\r
if (NextPayload == IKEV2_PAYLOAD_TYPE_TS_RSP){\r
//\r
- // Create initiator Traffic Selector \r
- // \r
+ // Create initiator Traffic Selector\r
+ //\r
TsSelector->SelecorLen = (UINT16)SelectorSize;\r
\r
//\r
TsSelector->SelecorLen = (UINT16)SelectorSize;\r
\r
//\r
if (ChildSa->SessionCommon.IsInitiator) {\r
if (ChildSa->Spd->Selector->LocalPort != 0 &&\r
ChildSa->Spd->Selector->LocalPortRange == 0) {\r
if (ChildSa->SessionCommon.IsInitiator) {\r
if (ChildSa->Spd->Selector->LocalPort != 0 &&\r
ChildSa->Spd->Selector->LocalPortRange == 0) {\r
// For not port range.\r
//\r
TsSelector->StartPort = ChildSa->Spd->Selector->LocalPort;\r
// For not port range.\r
//\r
TsSelector->StartPort = ChildSa->Spd->Selector->LocalPort;\r
goto ON_ERROR;\r
}\r
} else {\r
goto ON_ERROR;\r
}\r
} else {\r
- if (ChildSa->Spd->Selector->RemotePort != 0 && \r
+ if (ChildSa->Spd->Selector->RemotePort != 0 &&\r
ChildSa->Spd->Selector->RemotePortRange == 0) {\r
//\r
// For not port range.\r
ChildSa->Spd->Selector->RemotePortRange == 0) {\r
//\r
// For not port range.\r
//\r
// Copy Address.Currently the address range is not supported.\r
// The Starting address is same as Ending address\r
//\r
// Copy Address.Currently the address range is not supported.\r
// The Starting address is same as Ending address\r
- // TODO: Support Address Range. \r
+ // TODO: Support Address Range.\r
//\r
CopyMem (\r
(UINT8*)TsSelector + sizeof(TRAFFIC_SELECTOR),\r
//\r
CopyMem (\r
(UINT8*)TsSelector + sizeof(TRAFFIC_SELECTOR),\r
}else{\r
//\r
// Create responder Traffic Selector\r
}else{\r
//\r
// Create responder Traffic Selector\r
TsSelector->SelecorLen = (UINT16)SelectorSize;\r
TsSelector->SelecorLen = (UINT16)SelectorSize;\r
//\r
// Currently only support the port range from 0~0xffff. Don't support other\r
// port range.\r
//\r
// Currently only support the port range from 0~0xffff. Don't support other\r
// port range.\r
//\r
// Copy Address.Currently the address range is not supported.\r
// The Starting address is same as Ending address\r
//\r
// Copy Address.Currently the address range is not supported.\r
// The Starting address is same as Ending address\r
- // TODO: Support Address Range. \r
+ // TODO: Support Address Range.\r
//\r
CopyMem (\r
(UINT8*)TsSelector + sizeof(TRAFFIC_SELECTOR),\r
//\r
CopyMem (\r
(UINT8*)TsSelector + sizeof(TRAFFIC_SELECTOR),\r
TsSelector->IpProtocolId = (UINT8)ChildSa->Spd->Selector->NextLayerProtocol;\r
} else {\r
TsSelector->IpProtocolId = IKEV2_TS_ANY_PROTOCOL;\r
TsSelector->IpProtocolId = (UINT8)ChildSa->Spd->Selector->NextLayerProtocol;\r
} else {\r
TsSelector->IpProtocolId = IKEV2_TS_ANY_PROTOCOL;\r
TsPayloadBuf->Header.NextPayload = NextPayload;\r
TsPayloadBuf->Header.PayloadLength = (UINT16)TsPayloadSize;\r
TsPayloadBuf->TSNumbers = 1;\r
TsPayloadBuf->Header.NextPayload = NextPayload;\r
TsPayloadBuf->Header.PayloadLength = (UINT16)TsPayloadSize;\r
TsPayloadBuf->TSNumbers = 1;\r
\r
ON_ERROR:\r
if (TsPayload != NULL) {\r
\r
ON_ERROR:\r
if (TsPayload != NULL) {\r
- IkePayloadFree (TsPayload); \r
+ IkePayloadFree (TsPayload);\r
return TsPayload;\r
}\r
\r
return TsPayload;\r
}\r
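Review bot: The `ON_ERROR` path frees `TsPayload` and then returns it, so on failure the caller receives a dangling pointer that still passes a `!= NULL` check; nothing in the hunk resets the variable after `IkePayloadFree (TsPayload);`. Unless the reset happens on a line this rendering dropped, the free should be followed by `TsPayload = NULL;` so the function returns NULL on the error path as its `return NULL`-style contract elsewhere in this file suggests. The closing brace of the `if` is not recoverable from the rendered context, and the body of Ikev2GenerateTsPayload begins well before this hunk.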
\r
Generate the Notify payload.\r
\r
Since the structure of Notify payload which defined in RFC 4306 is simple, so\r
Generate the Notify payload.\r
\r
Since the structure of Notify payload which defined in RFC 4306 is simple, so\r
- there is no internal data structure for Notify payload. This function generate \r
- Notify payload defined in RFC 4306, but all the fields in this payload are still \r
- in host order and need call Ikev2EncodePayload() to convert those fields from \r
+ there is no internal data structure for Notify payload. This function generate\r
+ Notify payload defined in RFC 4306, but all the fields in this payload are still\r
+ in host order and need call Ikev2EncodePayload() to convert those fields from\r
the host order to network order beforing sending it.\r
\r
@param[in] ProtocolId The protocol type ID. For IKE_SA it MUST be one (1).\r
For IPsec SAs it MUST be neither (2) for AH or (3)\r
for ESP.\r
the host order to network order beforing sending it.\r
\r
@param[in] ProtocolId The protocol type ID. For IKE_SA it MUST be one (1).\r
For IPsec SAs it MUST be neither (2) for AH or (3)\r
for ESP.\r
- @param[in] NextPayload The next paylaod type in NextPayload field of \r
+ @param[in] NextPayload The next paylaod type in NextPayload field of\r
- @param[in] SpiSize Size of the SPI in SPI size field of the Notify Payload. \r
- @param[in] MessageType The message type in NotifyMessageType field of the \r
+ @param[in] SpiSize Size of the SPI in SPI size field of the Notify Payload.\r
+ @param[in] MessageType The message type in NotifyMessageType field of the\r
Notify Payload.\r
@param[in] SpiBuf Pointer to buffer contains the SPI value.\r
@param[in] NotifyData Pointer to buffer contains the notification data.\r
@param[in] NotifyDataSize The size of NotifyData in bytes.\r
Notify Payload.\r
@param[in] SpiBuf Pointer to buffer contains the SPI value.\r
@param[in] NotifyData Pointer to buffer contains the notification data.\r
@param[in] NotifyDataSize The size of NotifyData in bytes.\r
\r
@retval Pointer to IKE Notify Payload.\r
\r
\r
@retval Pointer to IKE Notify Payload.\r
\r
/**\r
Generate the Delete payload.\r
\r
/**\r
Generate the Delete payload.\r
\r
- Since the structure of Delete payload which defined in RFC 4306 is simple, \r
- there is no internal data structure for Delete payload. This function generate \r
- Delete payload defined in RFC 4306, but all the fields in this payload are still \r
- in host order and need call Ikev2EncodePayload() to convert those fields from \r
+ Since the structure of Delete payload which defined in RFC 4306 is simple,\r
+ there is no internal data structure for Delete payload. This function generate\r
+ Delete payload defined in RFC 4306, but all the fields in this payload are still\r
+ in host order and need call Ikev2EncodePayload() to convert those fields from\r
the host order to network order beforing sending it.\r
\r
@param[in] IkeSaSession Pointer to IKE SA Session to be used of Delete payload generation.\r
the host order to network order beforing sending it.\r
\r
@param[in] IkeSaSession Pointer to IKE SA Session to be used of Delete payload generation.\r
- @param[in] NextPayload The next paylaod type in NextPayload field of \r
+ @param[in] NextPayload The next paylaod type in NextPayload field of\r
the Delete payload.\r
@param[in] SpiSize Size of the SPI in SPI size field of the Delete Payload.\r
@param[in] SpiNum Number of SPI in NumofSPIs field of the Delete Payload.\r
the Delete payload.\r
@param[in] SpiSize Size of the SPI in SPI size field of the Delete Payload.\r
@param[in] SpiNum Number of SPI in NumofSPIs field of the Delete Payload.\r
IN UINT8 SpiSize,\r
IN UINT16 SpiNum,\r
IN UINT8 *SpiBuf\r
IN UINT8 SpiSize,\r
IN UINT16 SpiNum,\r
IN UINT8 *SpiBuf\r
)\r
{\r
IKE_PAYLOAD *DelPayload;\r
)\r
{\r
IKE_PAYLOAD *DelPayload;\r
if (SpiBufSize != 0 && SpiBuf == NULL) {\r
return NULL;\r
}\r
if (SpiBufSize != 0 && SpiBuf == NULL) {\r
return NULL;\r
}\r
DelPayloadLen = (UINT16) (sizeof (IKEV2_DELETE) + SpiBufSize);\r
\r
Del = AllocateZeroPool (DelPayloadLen);\r
ASSERT (Del != NULL);\r
DelPayloadLen = (UINT16) (sizeof (IKEV2_DELETE) + SpiBufSize);\r
\r
Del = AllocateZeroPool (DelPayloadLen);\r
ASSERT (Del != NULL);\r
//\r
// Set Delete Payload's Generic Header\r
//\r
//\r
// Set Delete Payload's Generic Header\r
//\r
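Review bot: `DelPayloadLen = (UINT16) (sizeof (IKEV2_DELETE) + SpiBufSize);` silently truncates: with `SpiSize` a UINT8 and `SpiNum` a UINT16 the SPI buffer can exceed 16 bits (its computation is outside the hunk), and a wrapped length would make the `AllocateZeroPool (DelPayloadLen)` buffer smaller than the data later copied into it. A guard before the cast, `if (sizeof (IKEV2_DELETE) + SpiBufSize > MAX_UINT16) { return NULL; }`, keeps the header length and the allocation consistent; the same `(UINT16)` cast pattern appears at `PayloadLen = (UINT16) (sizeof (IKEV2_CERT) + CertificateLen);` in Ikev2GenerateCertificatePayload. Note also that `ASSERT (Del != NULL);` is the only allocation check here, which is compiled out in builds where ASSERT is disabled.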
/**\r
Generate the Configuration payload.\r
\r
/**\r
Generate the Configuration payload.\r
\r
- This function generate configuration payload defined in RFC 4306, but all the \r
- fields in this payload are still in host order and need call Ikev2EncodePayload() \r
+ This function generate configuration payload defined in RFC 4306, but all the\r
+ fields in this payload are still in host order and need call Ikev2EncodePayload()\r
to convert those fields from the host order to network order beforing sending it.\r
\r
to convert those fields from the host order to network order beforing sending it.\r
\r
- @param[in] IkeSaSession Pointer to IKE SA Session to be used for Delete payload \r
+ @param[in] IkeSaSession Pointer to IKE SA Session to be used for Delete payload\r
- @param[in] NextPayload The next paylaod type in NextPayload field of \r
+ @param[in] NextPayload The next paylaod type in NextPayload field of\r
the Delete payload.\r
@param[in] CfgType The attribute type in the Configuration attribute.\r
\r
the Delete payload.\r
@param[in] CfgType The attribute type in the Configuration attribute.\r
\r
CfgAttributes = (IKEV2_CFG_ATTRIBUTES *)((UINT8 *)Cfg + sizeof (IKEV2_CFG));\r
\r
//\r
CfgAttributes = (IKEV2_CFG_ATTRIBUTES *)((UINT8 *)Cfg + sizeof (IKEV2_CFG));\r
\r
//\r
- // Only generate the configuration payload with an empty INTERNAL_IP4_ADDRESS \r
- // or INTERNAL_IP6_ADDRESS. \r
+ // Only generate the configuration payload with an empty INTERNAL_IP4_ADDRESS\r
+ // or INTERNAL_IP6_ADDRESS.\r
//\r
\r
Cfg->Header.NextPayload = NextPayload;\r
//\r
\r
Cfg->Header.NextPayload = NextPayload;\r
IPSEC_PROTO_ISAKMP or if the SpiSize is not zero or if the MessageType is not\r
the COOKIE, return EFI_INVALID_PARAMETER.\r
\r
IPSEC_PROTO_ISAKMP or if the SpiSize is not zero or if the MessageType is not\r
the COOKIE, return EFI_INVALID_PARAMETER.\r
\r
- @param[in] IkeNCookie Pointer to the IKE_PAYLOAD which contians the \r
+ @param[in] IkeNCookie Pointer to the IKE_PAYLOAD which contians the\r
Notify Cookie payload.\r
the Notify payload.\r
@param[in, out] IkeSaSession Pointer to the relevant IKE SA Session.\r
Notify Cookie payload.\r
the Notify payload.\r
@param[in, out] IkeSaSession Pointer to the relevant IKE SA Session.\r
Ikev2ParserNotifyCookiePayload (\r
IN IKE_PAYLOAD *IkeNCookie,\r
IN OUT IKEV2_SA_SESSION *IkeSaSession\r
Ikev2ParserNotifyCookiePayload (\r
IN IKE_PAYLOAD *IkeNCookie,\r
IN OUT IKEV2_SA_SESSION *IkeSaSession\r
{\r
IKEV2_NOTIFY *NotifyPayload;\r
UINTN NotifyDataSize;\r
\r
NotifyPayload = (IKEV2_NOTIFY *)IkeNCookie->PayloadBuf;\r
\r
{\r
IKEV2_NOTIFY *NotifyPayload;\r
UINTN NotifyDataSize;\r
\r
NotifyPayload = (IKEV2_NOTIFY *)IkeNCookie->PayloadBuf;\r
\r
- if ((NotifyPayload->ProtocolId != IPSEC_PROTO_ISAKMP) || \r
+ if ((NotifyPayload->ProtocolId != IPSEC_PROTO_ISAKMP) ||\r
(NotifyPayload->SpiSize != 0) ||\r
(NotifyPayload->MessageType != IKEV2_NOTIFICATION_COOKIE)\r
) {\r
(NotifyPayload->SpiSize != 0) ||\r
(NotifyPayload->MessageType != IKEV2_NOTIFICATION_COOKIE)\r
) {\r
IkeSaSession->NCookieSize = NotifyDataSize;\r
\r
CopyMem (\r
IkeSaSession->NCookieSize = NotifyDataSize;\r
\r
CopyMem (\r
- IkeSaSession->NCookie, \r
- NotifyPayload + sizeof (IKEV2_NOTIFY), \r
+ IkeSaSession->NCookie,\r
+ NotifyPayload + sizeof (IKEV2_NOTIFY),\r
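Review bot: `NotifyPayload + sizeof (IKEV2_NOTIFY)` is pointer arithmetic on an `IKEV2_NOTIFY *`, so it advances by `sizeof (IKEV2_NOTIFY)` structures rather than bytes; the cookie copied into `IkeSaSession->NCookie` comes from the wrong offset and, with `NotifyDataSize` bytes read from there, from beyond the received payload. The source should be `(UINT8 *)NotifyPayload + sizeof (IKEV2_NOTIFY)` (or `NotifyPayload + 1`). Whether `NCookie` is sized for `NotifyDataSize` is not visible here; the rest of Ikev2ParserNotifyCookiePayload lies outside the hunk.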
/**\r
Generate the Certificate payload or Certificate Request Payload.\r
\r
/**\r
Generate the Certificate payload or Certificate Request Payload.\r
\r
- Since the Certificate Payload structure is same with Certificate Request Payload, \r
+ Since the Certificate Payload structure is same with Certificate Request Payload,\r
the only difference is that one contains the Certificate Data, other contains\r
the only difference is that one contains the Certificate Data, other contains\r
- the acceptable certificateion CA. This function generate Certificate payload \r
- or Certificate Request Payload defined in RFC 4306, but all the fields \r
- in the payload are still in host order and need call Ikev2EncodePayload() \r
+ the acceptable certificateion CA. This function generate Certificate payload\r
+ or Certificate Request Payload defined in RFC 4306, but all the fields\r
+ in the payload are still in host order and need call Ikev2EncodePayload()\r
to convert those fields from the host order to network order beforing sending it.\r
\r
to convert those fields from the host order to network order beforing sending it.\r
\r
- @param[in] IkeSaSession Pointer to IKE SA Session to be used of Delete payload \r
+ @param[in] IkeSaSession Pointer to IKE SA Session to be used of Delete payload\r
- @param[in] NextPayload The next paylaod type in NextPayload field of \r
+ @param[in] NextPayload The next paylaod type in NextPayload field of\r
the Delete payload.\r
@param[in] Certificate Pointer of buffer contains the certification data.\r
@param[in] CertificateLen The length of Certificate in byte.\r
the Delete payload.\r
@param[in] Certificate Pointer of buffer contains the certification data.\r
@param[in] CertificateLen The length of Certificate in byte.\r
\r
Status = EFI_SUCCESS;\r
PublicKey = NULL;\r
\r
Status = EFI_SUCCESS;\r
PublicKey = NULL;\r
\r
if (!IsRequest) {\r
PayloadLen = (UINT16) (sizeof (IKEV2_CERT) + CertificateLen);\r
\r
if (!IsRequest) {\r
PayloadLen = (UINT16) (sizeof (IKEV2_CERT) + CertificateLen);\r
if (Cert == NULL) {\r
return NULL;\r
}\r
if (Cert == NULL) {\r
return NULL;\r
}\r
//\r
// Generate Certificate Payload or Certificate Request Payload.\r
//\r
//\r
// Generate Certificate Payload or Certificate Request Payload.\r
//\r
&PublicKeyLen\r
);\r
if (EFI_ERROR (Status)) {\r
&PublicKeyLen\r
);\r
if (EFI_ERROR (Status)) {\r
}\r
\r
Fragment[0].Data = PublicKey;\r
}\r
\r
Fragment[0].Data = PublicKey;\r
if (HashData == NULL) {\r
goto ON_EXIT;\r
}\r
if (HashData == NULL) {\r
goto ON_EXIT;\r
}\r
Status = IpSecCryptoIoHash (\r
IKE_AALG_SHA1HMAC,\r
Fragment,\r
Status = IpSecCryptoIoHash (\r
IKE_AALG_SHA1HMAC,\r
Fragment,\r
if (EFI_ERROR (Status)) {\r
goto ON_EXIT;\r
}\r
if (EFI_ERROR (Status)) {\r
goto ON_EXIT;\r
}\r
CopyMem (\r
((UINT8 *)Cert) + sizeof (IKEV2_CERT),\r
HashData,\r
CopyMem (\r
((UINT8 *)Cert) + sizeof (IKEV2_CERT),\r
HashData,\r
if (CertPayload == NULL) {\r
goto ON_EXIT;\r
}\r
if (CertPayload == NULL) {\r
goto ON_EXIT;\r
}\r
if (!IsRequest) {\r
CertPayload->PayloadType = IKEV2_PAYLOAD_TYPE_CERT;\r
} else {\r
if (!IsRequest) {\r
CertPayload->PayloadType = IKEV2_PAYLOAD_TYPE_CERT;\r
} else {\r
@param[in] SaData Pointer to IKEV2_SA_DATA to be transfered.\r
\r
@retval return the pointer of IKEV2_SA.\r
@param[in] SaData Pointer to IKEV2_SA_DATA to be transfered.\r
\r
@retval return the pointer of IKEV2_SA.\r
**/\r
IKEV2_SA*\r
Ikev2EncodeSa (\r
**/\r
IKEV2_SA*\r
Ikev2EncodeSa (\r
UINTN TransformIndex;\r
IKE_SA_ATTRIBUTE *SaAttribute;\r
IKEV2_PROPOSAL *Proposal;\r
UINTN TransformIndex;\r
IKE_SA_ATTRIBUTE *SaAttribute;\r
IKEV2_PROPOSAL *Proposal;\r
- IKEV2_PROPOSAL *LastProposal;\r
IKEV2_TRANSFORM *Transform;\r
IKEV2_TRANSFORM *Transform;\r
- IKEV2_TRANSFORM *LastTransform;\r
- \r
//\r
// Transform IKE_SA_DATA structure to IKE_SA Payload.\r
// Header length is host order.\r
//\r
// Transform IKE_SA_DATA structure to IKE_SA Payload.\r
// Header length is host order.\r
CopyMem (Sa, SaData, sizeof (IKEV2_SA));\r
Sa->Header.PayloadLength = (UINT16) sizeof (IKEV2_SA);\r
ProposalsSize = 0;\r
CopyMem (Sa, SaData, sizeof (IKEV2_SA));\r
Sa->Header.PayloadLength = (UINT16) sizeof (IKEV2_SA);\r
ProposalsSize = 0;\r
Proposal = (IKEV2_PROPOSAL *) (Sa + 1);\r
\r
//\r
Proposal = (IKEV2_PROPOSAL *) (Sa + 1);\r
\r
//\r
}\r
\r
TransformsSize = 0;\r
}\r
\r
TransformsSize = 0;\r
- LastTransform = NULL;\r
Transform = (IKEV2_TRANSFORM *) ((UINT8 *) (Proposal + 1) + Proposal->SpiSize);\r
\r
//\r
Transform = (IKEV2_TRANSFORM *) ((UINT8 *) (Proposal + 1) + Proposal->SpiSize);\r
\r
//\r
\r
TransformSize = sizeof (IKEV2_TRANSFORM) + SaAttrsSize;\r
TransformsSize += TransformSize;\r
\r
TransformSize = sizeof (IKEV2_TRANSFORM) + SaAttrsSize;\r
TransformsSize += TransformSize;\r
Transform->Header.NextPayload = IKE_TRANSFORM_NEXT_PAYLOAD_MORE;\r
Transform->Header.PayloadLength = HTONS ((UINT16)TransformSize);\r
Transform->Header.NextPayload = IKE_TRANSFORM_NEXT_PAYLOAD_MORE;\r
Transform->Header.PayloadLength = HTONS ((UINT16)TransformSize);\r
- \r
- if (TransformIndex == ProposalData->NumTransforms) {\r
- LastTransform->Header.NextPayload = IKE_TRANSFORM_NEXT_PAYLOAD_NONE;\r
+\r
+ if (TransformIndex == (UINTN)(ProposalData->NumTransforms - 1)) {\r
+ Transform->Header.NextPayload = IKE_TRANSFORM_NEXT_PAYLOAD_NONE;\r
}\r
\r
Transform = (IKEV2_TRANSFORM *)((UINT8 *) Transform + TransformSize);\r
}\r
}\r
\r
Transform = (IKEV2_TRANSFORM *)((UINT8 *) Transform + TransformSize);\r
}\r
//\r
// Set Proposal's Generic Header.\r
//\r
//\r
// Set Proposal's Generic Header.\r
//\r
ProposalsSize += ProposalSize;\r
Proposal->Header.NextPayload = IKE_PROPOSAL_NEXT_PAYLOAD_MORE;\r
Proposal->Header.PayloadLength = HTONS ((UINT16)ProposalSize);\r
ProposalsSize += ProposalSize;\r
Proposal->Header.NextPayload = IKE_PROPOSAL_NEXT_PAYLOAD_MORE;\r
Proposal->Header.PayloadLength = HTONS ((UINT16)ProposalSize);\r
- \r
- if (ProposalIndex == SaData->NumProposals) {\r
- LastProposal->Header.NextPayload = IKE_PROPOSAL_NEXT_PAYLOAD_NONE;\r
+\r
+ if (ProposalIndex == (UINTN)(SaData->NumProposals - 1)) {\r
+ Proposal->Header.NextPayload = IKE_PROPOSAL_NEXT_PAYLOAD_NONE;\r
\r
This function converts the received SA payload to internal data structure.\r
\r
\r
This function converts the received SA payload to internal data structure.\r
\r
- @param[in] SessionCommon Pointer to IKE Common Session used to decode the SA \r
+ @param[in] SessionCommon Pointer to IKE Common Session used to decode the SA\r
Payload.\r
@param[in] Sa Pointer to SA Payload\r
\r
Payload.\r
@param[in] Sa Pointer to SA Payload\r
\r
- // Check the proposal number. The Proposal Payload type is 2. Nonce Paylod is 0.\r
- // SUM(ProposalNextPayload) = Proposal Num * 2 + Noce Payload Type (0).\r
+ // Check the proposal number.\r
+ // The proposal Substructure, the NextPayLoad field indicates : 0 (last) or 2 (more)\r
+ // which Specifies whether this is the last Proposal Substructure in the SA.\r
+ // Here suming all Proposal NextPayLoad field to check the proposal number is correct\r
+ // or not.\r
//\r
if (TotalProposals == 0 ||\r
//\r
if (TotalProposals == 0 ||\r
- (TotalProposals - 1) * IKE_PROPOSAL_NEXT_PAYLOAD_MORE + IKE_PROPOSAL_NEXT_PAYLOAD_NONE != ProposalNextPayloadSum\r
+ (TotalProposals - 1) * IKE_PROPOSAL_NEXT_PAYLOAD_MORE != ProposalNextPayloadSum\r
) {\r
Status = EFI_INVALID_PARAMETER;\r
goto Exit;\r
) {\r
Status = EFI_INVALID_PARAMETER;\r
goto Exit;\r
ProposalIndex < TotalProposals;\r
ProposalIndex++\r
) {\r
ProposalIndex < TotalProposals;\r
ProposalIndex++\r
) {\r
//\r
// TODO: check ProposalId\r
//\r
//\r
// TODO: check ProposalId\r
//\r
SaAttrRemaining = TransformSize - sizeof (IKEV2_TRANSFORM);\r
\r
//\r
SaAttrRemaining = TransformSize - sizeof (IKEV2_TRANSFORM);\r
\r
//\r
- // According to RFC 4603, currently only the Key length attribute type is \r
+ // According to RFC 4603, currently only the Key length attribute type is\r
// supported. For each Transform, there is only one attributeion.\r
//\r
if (SaAttrRemaining > 0) {\r
// supported. For each Transform, there is only one attributeion.\r
//\r
if (SaAttrRemaining > 0) {\r
if (TransformData->Attribute.AttrType != IKEV2_ATTRIBUTE_TYPE_KEYLEN) {\r
Status = EFI_INVALID_PARAMETER;\r
goto Exit;\r
if (TransformData->Attribute.AttrType != IKEV2_ATTRIBUTE_TYPE_KEYLEN) {\r
Status = EFI_INVALID_PARAMETER;\r
goto Exit;\r
}\r
\r
//\r
// Move to next Transform\r
}\r
\r
//\r
// Move to next Transform\r
Transform = IKEV2_NEXT_TRANSFORM_WITH_SIZE (Transform, TransformSize);\r
}\r
Proposal = IKEV2_NEXT_PROPOSAL_WITH_SIZE (Proposal, ProposalSize);\r
Transform = IKEV2_NEXT_TRANSFORM_WITH_SIZE (Transform, TransformSize);\r
}\r
Proposal = IKEV2_NEXT_PROPOSAL_WITH_SIZE (Proposal, ProposalSize);\r
/**\r
General interface of payload encoding.\r
\r
/**\r
General interface of payload encoding.\r
\r
- This function encodes the internal data structure into payload which \r
+ This function encodes the internal data structure into payload which\r
is defined in RFC 4306. The IkePayload->PayloadBuf is used to store both the input\r
payload and converted payload. Only the SA payload use the interal structure\r
to store the attribute. Other payload use structure which is same with the RFC\r
is defined in RFC 4306. The IkePayload->PayloadBuf is used to store both the input\r
payload and converted payload. Only the SA payload use the interal structure\r
to store the attribute. Other payload use structure which is same with the RFC\r
NotifyPayload = (IKEV2_NOTIFY *) IkePayload->PayloadBuf;\r
NotifyPayload->MessageType = HTONS (NotifyPayload->MessageType);\r
break;\r
NotifyPayload = (IKEV2_NOTIFY *) IkePayload->PayloadBuf;\r
NotifyPayload->MessageType = HTONS (NotifyPayload->MessageType);\r
break;\r
case IKEV2_PAYLOAD_TYPE_DELETE:\r
DeletePayload = (IKEV2_DELETE *) IkePayload->PayloadBuf;\r
DeletePayload->NumSpis = HTONS (DeletePayload->NumSpis);\r
break;\r
case IKEV2_PAYLOAD_TYPE_DELETE:\r
DeletePayload = (IKEV2_DELETE *) IkePayload->PayloadBuf;\r
DeletePayload->NumSpis = HTONS (DeletePayload->NumSpis);\r
break;\r
case IKEV2_PAYLOAD_TYPE_KE:\r
KeyPayload = (IKEV2_KEY_EXCHANGE *) IkePayload->PayloadBuf;\r
KeyPayload->DhGroup = HTONS (KeyPayload->DhGroup);\r
break;\r
case IKEV2_PAYLOAD_TYPE_KE:\r
KeyPayload = (IKEV2_KEY_EXCHANGE *) IkePayload->PayloadBuf;\r
KeyPayload->DhGroup = HTONS (KeyPayload->DhGroup);\r
break;\r
case IKEV2_PAYLOAD_TYPE_TS_INIT:\r
case IKEV2_PAYLOAD_TYPE_TS_RSP:\r
TsPayload = (IKEV2_TS *) IkePayload->PayloadBuf;\r
case IKEV2_PAYLOAD_TYPE_TS_INIT:\r
case IKEV2_PAYLOAD_TYPE_TS_RSP:\r
TsPayload = (IKEV2_TS *) IkePayload->PayloadBuf;\r
TrafficSelector->SelecorLen = HTONS (TrafficSelector->SelecorLen);\r
TrafficSelector->StartPort = HTONS (TrafficSelector->StartPort);\r
TrafficSelector->EndPort = HTONS (TrafficSelector->EndPort);\r
TrafficSelector->SelecorLen = HTONS (TrafficSelector->SelecorLen);\r
TrafficSelector->StartPort = HTONS (TrafficSelector->StartPort);\r
TrafficSelector->EndPort = HTONS (TrafficSelector->EndPort);\r
CfgAttribute = (IKEV2_CFG_ATTRIBUTES *)(((IKEV2_CFG *) IkePayload->PayloadBuf) + 1);\r
CfgAttribute->AttritType = HTONS (CfgAttribute->AttritType);\r
CfgAttribute->ValueLength = HTONS (CfgAttribute->ValueLength);\r
CfgAttribute = (IKEV2_CFG_ATTRIBUTES *)(((IKEV2_CFG *) IkePayload->PayloadBuf) + 1);\r
CfgAttribute->AttritType = HTONS (CfgAttribute->AttritType);\r
CfgAttribute->ValueLength = HTONS (CfgAttribute->ValueLength);\r
case IKEV2_PAYLOAD_TYPE_ID_INIT:\r
case IKEV2_PAYLOAD_TYPE_ID_RSP:\r
case IKEV2_PAYLOAD_TYPE_AUTH:\r
default:\r
break;\r
}\r
case IKEV2_PAYLOAD_TYPE_ID_INIT:\r
case IKEV2_PAYLOAD_TYPE_ID_RSP:\r
case IKEV2_PAYLOAD_TYPE_AUTH:\r
default:\r
break;\r
}\r
PayloadHdr = (IKEV2_COMMON_PAYLOAD_HEADER *) IkePayload->PayloadBuf;\r
IkePayload->PayloadSize = PayloadHdr->PayloadLength;\r
PayloadHdr->PayloadLength = HTONS (PayloadHdr->PayloadLength);\r
PayloadHdr = (IKEV2_COMMON_PAYLOAD_HEADER *) IkePayload->PayloadBuf;\r
IkePayload->PayloadSize = PayloadHdr->PayloadLength;\r
PayloadHdr->PayloadLength = HTONS (PayloadHdr->PayloadLength);\r
\r
@param[in] SessionCommon Pointer to IKE Session Common used for decoding.\r
@param[in, out] IkePayload Pointer to IKE payload to be decoded as input, and\r
\r
@param[in] SessionCommon Pointer to IKE Session Common used for decoding.\r
@param[in, out] IkePayload Pointer to IKE payload to be decoded as input, and\r
- store the decoded result as output. \r
+ store the decoded result as output.\r
\r
@retval EFI_INVALID_PARAMETER Meet error when decoding the SA payload.\r
@retval EFI_SUCCESS Decoded successfully.\r
\r
@retval EFI_INVALID_PARAMETER Meet error when decoding the SA payload.\r
@retval EFI_SUCCESS Decoded successfully.\r
// Transform the IKE payload to Internal IKE structure.\r
// Only the SA payload and Hash Payload use the interal\r
// structure to store the attribute. Other payloads use\r
// Transform the IKE payload to Internal IKE structure.\r
// Only the SA payload and Hash Payload use the interal\r
// structure to store the attribute. Other payloads use\r
- // structure which is same with the definitions in RFC, \r
- // so there is no need to tranform them to internal IKE \r
+ // structure which is same with the definitions in RFC,\r
+ // so there is no need to tranform them to internal IKE\r
// structure.\r
//\r
Status = EFI_SUCCESS;\r
// structure.\r
//\r
Status = EFI_SUCCESS;\r
if (!IkePayload->IsPayloadBufExt) {\r
FreePool (IkePayload->PayloadBuf);\r
}\r
if (!IkePayload->IsPayloadBufExt) {\r
FreePool (IkePayload->PayloadBuf);\r
}\r
IkePayload->PayloadBuf = (UINT8 *) SaData;\r
IkePayload->PayloadBuf = (UINT8 *) SaData;\r
- IkePayload->IsPayloadBufExt = FALSE; \r
+ IkePayload->IsPayloadBufExt = FALSE;\r
break;\r
\r
case IKEV2_PAYLOAD_TYPE_ID_INIT:\r
break;\r
\r
case IKEV2_PAYLOAD_TYPE_ID_INIT:\r
NotifyPayload = (IKEV2_NOTIFY *) PayloadHdr;\r
NotifyPayload->MessageType = NTOHS (NotifyPayload->MessageType);\r
break;\r
NotifyPayload = (IKEV2_NOTIFY *) PayloadHdr;\r
NotifyPayload->MessageType = NTOHS (NotifyPayload->MessageType);\r
break;\r
case IKEV2_PAYLOAD_TYPE_DELETE:\r
if (PayloadSize < sizeof (IKEV2_DELETE)) {\r
Status = EFI_INVALID_PARAMETER;\r
case IKEV2_PAYLOAD_TYPE_DELETE:\r
if (PayloadSize < sizeof (IKEV2_DELETE)) {\r
Status = EFI_INVALID_PARAMETER;\r
DeletePayload = (IKEV2_DELETE *) PayloadHdr;\r
DeletePayload->NumSpis = NTOHS (DeletePayload->NumSpis);\r
break;\r
DeletePayload = (IKEV2_DELETE *) PayloadHdr;\r
DeletePayload->NumSpis = NTOHS (DeletePayload->NumSpis);\r
break;\r
case IKEV2_PAYLOAD_TYPE_AUTH:\r
if (PayloadSize < sizeof (IKEV2_AUTH)) {\r
Status = EFI_INVALID_PARAMETER;\r
case IKEV2_PAYLOAD_TYPE_AUTH:\r
if (PayloadSize < sizeof (IKEV2_AUTH)) {\r
Status = EFI_INVALID_PARAMETER;\r
case IKEV2_PAYLOAD_TYPE_KE:\r
KeyPayload = (IKEV2_KEY_EXCHANGE *) IkePayload->PayloadBuf;\r
KeyPayload->DhGroup = HTONS (KeyPayload->DhGroup);\r
case IKEV2_PAYLOAD_TYPE_KE:\r
KeyPayload = (IKEV2_KEY_EXCHANGE *) IkePayload->PayloadBuf;\r
KeyPayload->DhGroup = HTONS (KeyPayload->DhGroup);\r
\r
case IKEV2_PAYLOAD_TYPE_TS_INIT:\r
case IKEV2_PAYLOAD_TYPE_TS_RSP :\r
\r
case IKEV2_PAYLOAD_TYPE_TS_INIT:\r
case IKEV2_PAYLOAD_TYPE_TS_RSP :\r
/**\r
Decode the IKE packet.\r
\r
/**\r
Decode the IKE packet.\r
\r
- This function first decrypts the IKE packet if needed , then separates the whole \r
+ This function first decrypts the IKE packet if needed , then separates the whole\r
IKE packet from the IkePacket->PayloadBuf into IkePacket payload list.\r
IKE packet from the IkePacket->PayloadBuf into IkePacket payload list.\r
- \r
- @param[in] SessionCommon Pointer to IKEV1_SESSION_COMMON containing \r
+\r
+ @param[in] SessionCommon Pointer to IKEV1_SESSION_COMMON containing\r
some parameter used by IKE packet decoding.\r
some parameter used by IKE packet decoding.\r
- @param[in, out] IkePacket The IKE Packet to be decoded on input, and \r
+ @param[in, out] IkePacket The IKE Packet to be decoded on input, and\r
the decoded result on return.\r
@param[in] IkeType The type of IKE. IKE_SA_TYPE, IKE_INFO_TYPE and\r
IKE_CHILD_TYPE are supported.\r
the decoded result on return.\r
@param[in] IkeType The type of IKE. IKE_SA_TYPE, IKE_INFO_TYPE and\r
IKE_CHILD_TYPE are supported.\r
IKEV2_SA_SESSION *IkeSaSession;\r
\r
IkeHeader = NULL;\r
IKEV2_SA_SESSION *IkeSaSession;\r
\r
IkeHeader = NULL;\r
//\r
// Check if the IkePacket need decrypt.\r
//\r
//\r
// Check if the IkePacket need decrypt.\r
//\r
// If the IkePacket doesn't contain any payload return invalid parameter.\r
//\r
if (IkePacket->Header->NextPayload == IKEV2_PAYLOAD_TYPE_NONE) {\r
// If the IkePacket doesn't contain any payload return invalid parameter.\r
//\r
if (IkePacket->Header->NextPayload == IKEV2_PAYLOAD_TYPE_NONE) {\r
- if ((SessionCommon->State >= IkeStateAuth) && \r
+ if ((SessionCommon->State >= IkeStateAuth) &&\r
(IkePacket->Header->ExchangeType == IKEV2_EXCHANGE_TYPE_INFO)\r
) {\r
//\r
(IkePacket->Header->ExchangeType == IKEV2_EXCHANGE_TYPE_INFO)\r
) {\r
//\r
IkeSaSession->RespPacket = AllocateZeroPool (IkePacket->Header->Length);\r
if (IkeSaSession->RespPacket == NULL) {\r
Status = EFI_OUT_OF_RESOURCES;\r
IkeSaSession->RespPacket = AllocateZeroPool (IkePacket->Header->Length);\r
if (IkeSaSession->RespPacket == NULL) {\r
Status = EFI_OUT_OF_RESOURCES;\r
}\r
IkeSaSession->RespPacketSize = IkePacket->Header->Length;\r
CopyMem (IkeSaSession->RespPacket, IkeHeader, sizeof (IKE_HEADER));\r
}\r
IkeSaSession->RespPacketSize = IkePacket->Header->Length;\r
CopyMem (IkeSaSession->RespPacket, IkeHeader, sizeof (IKE_HEADER));\r
IkeSaSession->RespPacket + sizeof (IKE_HEADER),\r
IkePacket->PayloadsBuf,\r
IkePacket->Header->Length - sizeof (IKE_HEADER)\r
IkeSaSession->RespPacket + sizeof (IKE_HEADER),\r
IkePacket->PayloadsBuf,\r
IkePacket->Header->Length - sizeof (IKE_HEADER)\r
} else {\r
IkeSaSession->InitPacket = AllocateZeroPool (IkePacket->Header->Length);\r
if (IkeSaSession->InitPacket == NULL) {\r
Status = EFI_OUT_OF_RESOURCES;\r
} else {\r
IkeSaSession->InitPacket = AllocateZeroPool (IkePacket->Header->Length);\r
if (IkeSaSession->InitPacket == NULL) {\r
Status = EFI_OUT_OF_RESOURCES;\r
}\r
IkeSaSession->InitPacketSize = IkePacket->Header->Length;\r
CopyMem (IkeSaSession->InitPacket, IkeHeader, sizeof (IKE_HEADER));\r
}\r
IkeSaSession->InitPacketSize = IkePacket->Header->Length;\r
CopyMem (IkeSaSession->InitPacket, IkeHeader, sizeof (IKE_HEADER));\r
- // Point to the first Payload \r
+ // Point to the first Payload\r
//\r
PayloadHdr = (IKEV2_COMMON_PAYLOAD_HEADER *) IkePacket->PayloadsBuf;\r
PayloadType = IkePacket->Header->NextPayload;\r
//\r
PayloadHdr = (IKEV2_COMMON_PAYLOAD_HEADER *) IkePacket->PayloadsBuf;\r
PayloadType = IkePacket->Header->NextPayload;\r
\r
This function puts all Payloads into one payload then encrypt it if needed.\r
\r
\r
This function puts all Payloads into one payload then encrypt it if needed.\r
\r
- @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON containing \r
+ @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON containing\r
some parameter used during IKE packet encoding.\r
some parameter used during IKE packet encoding.\r
- @param[in, out] IkePacket Pointer to IKE_PACKET to be encoded as input, \r
+ @param[in, out] IkePacket Pointer to IKE_PACKET to be encoded as input,\r
and the encoded result as output.\r
@param[in] IkeType The type of IKE. IKE_SA_TYPE, IKE_INFO_TYPE and\r
IKE_CHILD_TYPE are supportted.\r
and the encoded result as output.\r
@param[in] IkeType The type of IKE. IKE_SA_TYPE, IKE_INFO_TYPE and\r
IKE_CHILD_TYPE are supportted.\r
- // If the packet is first message, store whole message in IkeSa->InitiPacket \r
+ // If the packet is first message, store whole message in IkeSa->InitiPacket\r
// for following Auth Payload calculation.\r
//\r
if (IkePacket->Header->ExchangeType == IKEV2_EXCHANGE_TYPE_INIT) {\r
IkeSaSession = IKEV2_SA_SESSION_FROM_COMMON (SessionCommon);\r
// for following Auth Payload calculation.\r
//\r
if (IkePacket->Header->ExchangeType == IKEV2_EXCHANGE_TYPE_INIT) {\r
IkeSaSession = IKEV2_SA_SESSION_FROM_COMMON (SessionCommon);\r
- if (SessionCommon->IsInitiator) { \r
+ if (SessionCommon->IsInitiator) {\r
IkeSaSession->InitPacketSize = IkePacket->PayloadTotalSize + sizeof (IKE_HEADER);\r
IkeSaSession->InitPacket = AllocateZeroPool (IkeSaSession->InitPacketSize);\r
ASSERT (IkeSaSession->InitPacket != NULL);\r
IkeSaSession->InitPacketSize = IkePacket->PayloadTotalSize + sizeof (IKE_HEADER);\r
IkeSaSession->InitPacket = AllocateZeroPool (IkeSaSession->InitPacketSize);\r
ASSERT (IkeSaSession->InitPacket != NULL);\r
);\r
PayloadTotalSize = PayloadTotalSize + IkePayload->PayloadSize;\r
}\r
);\r
PayloadTotalSize = PayloadTotalSize + IkePayload->PayloadSize;\r
}\r
IkeSaSession->RespPacketSize = IkePacket->PayloadTotalSize + sizeof(IKE_HEADER);\r
IkeSaSession->RespPacket = AllocateZeroPool (IkeSaSession->RespPacketSize);\r
ASSERT (IkeSaSession->RespPacket != NULL);\r
IkeSaSession->RespPacketSize = IkePacket->PayloadTotalSize + sizeof(IKE_HEADER);\r
IkeSaSession->RespPacket = AllocateZeroPool (IkeSaSession->RespPacketSize);\r
ASSERT (IkeSaSession->RespPacket != NULL);\r
\r
This function decrypts the Encrypted IKE packet and put the result into IkePacket->PayloadBuf.\r
\r
\r
This function decrypts the Encrypted IKE packet and put the result into IkePacket->PayloadBuf.\r
\r
- @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON containing \r
+ @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON containing\r
some parameter used during decrypting.\r
some parameter used during decrypting.\r
- @param[in, out] IkePacket Pointer to IKE_PACKET to be decrypted as input, \r
+ @param[in, out] IkePacket Pointer to IKE_PACKET to be decrypted as input,\r
and the decrypted result as output.\r
@param[in, out] IkeType The type of IKE. IKE_SA_TYPE, IKE_INFO_TYPE and\r
IKE_CHILD_TYPE are supportted.\r
and the decrypted result as output.\r
@param[in, out] IkeType The type of IKE. IKE_SA_TYPE, IKE_INFO_TYPE and\r
IKE_CHILD_TYPE are supportted.\r
@retval EFI_INVALID_PARAMETER If the IKE packet length is zero or the\r
IKE packet length is not aligned with Algorithm Block Size\r
@retval EFI_SUCCESS Decrypt IKE packet successfully.\r
@retval EFI_INVALID_PARAMETER If the IKE packet length is zero or the\r
IKE packet length is not aligned with Algorithm Block Size\r
@retval EFI_SUCCESS Decrypt IKE packet successfully.\r
**/\r
EFI_STATUS\r
Ikev2DecryptPacket (\r
**/\r
EFI_STATUS\r
Ikev2DecryptPacket (\r
)\r
{\r
UINT8 CryptBlockSize; // Encrypt Block Size\r
)\r
{\r
UINT8 CryptBlockSize; // Encrypt Block Size\r
- UINTN DecryptedSize; // Encrypted IKE Payload Size \r
+ UINTN DecryptedSize; // Encrypted IKE Payload Size\r
UINT8 *DecryptedBuf; // Encrypted IKE Payload buffer\r
UINTN IntegritySize;\r
UINT8 *IntegrityBuffer;\r
UINT8 *DecryptedBuf; // Encrypted IKE Payload buffer\r
UINTN IntegritySize;\r
UINT8 *IntegrityBuffer;\r
- UINTN IvSize; // Iv Size \r
- UINT8 CheckSumSize; // Integrity Check Sum Size depends on intergrity Auth \r
+ UINTN IvSize; // Iv Size\r
+ UINT8 CheckSumSize; // Integrity Check Sum Size depends on intergrity Auth\r
UINT8 *CheckSumData; // Check Sum data\r
IKEV2_SA_SESSION *IkeSaSession;\r
IKEV2_CHILD_SA_SESSION *ChildSaSession;\r
UINT8 *CheckSumData; // Check Sum data\r
IKEV2_SA_SESSION *IkeSaSession;\r
IKEV2_CHILD_SA_SESSION *ChildSaSession;\r
// Get the Block Size\r
//\r
if (SessionCommon->IkeSessionType == IkeSessionTypeIkeSa) {\r
// Get the Block Size\r
//\r
if (SessionCommon->IkeSessionType == IkeSessionTypeIkeSa) {\r
CryptBlockSize = (UINT8) IpSecGetEncryptBlockSize ((UINT8) SessionCommon->SaParams->EncAlgId);\r
CryptKeyLength = IpSecGetEncryptKeyLength ((UINT8) SessionCommon->SaParams->EncAlgId);\r
CheckSumSize = (UINT8) IpSecGetIcvLength ((UINT8) SessionCommon->SaParams->IntegAlgId);\r
CryptBlockSize = (UINT8) IpSecGetEncryptBlockSize ((UINT8) SessionCommon->SaParams->EncAlgId);\r
CryptKeyLength = IpSecGetEncryptKeyLength ((UINT8) SessionCommon->SaParams->EncAlgId);\r
CheckSumSize = (UINT8) IpSecGetIcvLength ((UINT8) SessionCommon->SaParams->IntegAlgId);\r
CopyMem (IntegrityBuffer + sizeof (IKE_HEADER), IkePacket->PayloadsBuf, IkePacket->PayloadTotalSize);\r
\r
//\r
CopyMem (IntegrityBuffer + sizeof (IKE_HEADER), IkePacket->PayloadsBuf, IkePacket->PayloadTotalSize);\r
\r
//\r
- // Change Host order to Network order, since the header order was changed \r
+ // Change Host order to Network order, since the header order was changed\r
// in the IkePacketFromNetbuf.\r
//\r
IkeHdrHostToNet ((IKE_HEADER *)IntegrityBuffer);\r
// in the IkePacketFromNetbuf.\r
//\r
IkeHdrHostToNet ((IKE_HEADER *)IntegrityBuffer);\r
Status = EFI_ACCESS_DENIED;\r
goto ON_EXIT;\r
}\r
Status = EFI_ACCESS_DENIED;\r
goto ON_EXIT;\r
}\r
IvSize = CryptBlockSize;\r
IvSize = CryptBlockSize;\r
//\r
// Decrypt the payload with the key.\r
//\r
//\r
// Decrypt the payload with the key.\r
//\r
// Save the next payload of encrypted payload into IkePacket->Hdr->NextPayload\r
//\r
IkePacket->Header->NextPayload = ((IKEV2_ENCRYPTED *) IkePacket->PayloadsBuf)->Header.NextPayload;\r
// Save the next payload of encrypted payload into IkePacket->Hdr->NextPayload\r
//\r
IkePacket->Header->NextPayload = ((IKEV2_ENCRYPTED *) IkePacket->PayloadsBuf)->Header.NextPayload;\r
//\r
// Free old IkePacket->PayloadBuf and point it to decrypted paylaod buffer.\r
//\r
//\r
// Free old IkePacket->PayloadBuf and point it to decrypted paylaod buffer.\r
//\r
IkePacket->PayloadTotalSize = DecryptedSize - PadLen;\r
\r
IPSEC_DUMP_BUF ("Decrypted Buffer", DecryptedBuf, DecryptedSize);\r
IkePacket->PayloadTotalSize = DecryptedSize - PadLen;\r
\r
IPSEC_DUMP_BUF ("Decrypted Buffer", DecryptedBuf, DecryptedSize);\r
\r
ON_EXIT:\r
if (CheckSumData != NULL) {\r
\r
ON_EXIT:\r
if (CheckSumData != NULL) {\r
if (IntegrityBuffer != NULL) {\r
FreePool (IntegrityBuffer);\r
}\r
if (IntegrityBuffer != NULL) {\r
FreePool (IntegrityBuffer);\r
}\r
\r
This function encrypt IKE packet before sending it. The Encrypted IKE packet\r
is put in to IKEV2 Encrypted Payload.\r
\r
This function encrypt IKE packet before sending it. The Encrypted IKE packet\r
is put in to IKEV2 Encrypted Payload.\r
@param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON related to the IKE packet.\r
@param[in, out] IkePacket Pointer to IKE packet to be encrypted.\r
\r
@param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON related to the IKE packet.\r
@param[in, out] IkePacket Pointer to IKE packet to be encrypted.\r
\r
{\r
UINT8 CryptBlockSize; // Encrypt Block Size\r
UINT8 CryptBlockSizeMask; // Block Mask\r
{\r
UINT8 CryptBlockSize; // Encrypt Block Size\r
UINT8 CryptBlockSizeMask; // Block Mask\r
- UINTN EncryptedSize; // Encrypted IKE Payload Size \r
+ UINTN EncryptedSize; // Encrypted IKE Payload Size\r
UINT8 *EncryptedBuf; // Encrypted IKE Payload buffer\r
UINT8 *EncryptPayloadBuf; // Contain whole Encrypted Payload\r
UINTN EncryptPayloadSize; // Total size of the Encrypted payload\r
UINT8 *EncryptedBuf; // Encrypted IKE Payload buffer\r
UINT8 *EncryptPayloadBuf; // Contain whole Encrypted Payload\r
UINTN EncryptPayloadSize; // Total size of the Encrypted payload\r
- UINT8 *IntegrityBuf; // Buffer to be intergity \r
+ UINT8 *IntegrityBuf; // Buffer to be intergity\r
UINT32 IntegrityBufSize; // Buffer size of IntegrityBuf\r
UINT8 *IvBuffer; // Initialization Vector\r
UINT32 IntegrityBufSize; // Buffer size of IntegrityBuf\r
UINT8 *IvBuffer; // Initialization Vector\r
- UINT8 IvSize; // Iv Size \r
- UINT8 CheckSumSize; // Integrity Check Sum Size depends on intergrity Auth \r
+ UINT8 IvSize; // Iv Size\r
+ UINT8 CheckSumSize; // Integrity Check Sum Size depends on intergrity Auth\r
UINT8 *CheckSumData; // Check Sum data\r
UINTN Index;\r
IKE_PAYLOAD *EncryptPayload;\r
UINT8 *CheckSumData; // Check Sum data\r
UINTN Index;\r
IKE_PAYLOAD *EncryptPayload;\r
CryptKeyLength = IpSecGetEncryptKeyLength ((UINT8) IkeSaSession->SessionCommon.SaParams->EncAlgId);\r
CheckSumSize = (UINT8) IpSecGetIcvLength ((UINT8) IkeSaSession->SessionCommon.SaParams->IntegAlgId);\r
}\r
CryptKeyLength = IpSecGetEncryptKeyLength ((UINT8) IkeSaSession->SessionCommon.SaParams->EncAlgId);\r
CheckSumSize = (UINT8) IpSecGetIcvLength ((UINT8) IkeSaSession->SessionCommon.SaParams->IntegAlgId);\r
}\r
//\r
// Calcualte the EncryptPayloadSize and the PAD length\r
//\r
//\r
// Calcualte the EncryptPayloadSize and the PAD length\r
//\r
\r
//\r
// Fill in the IKE Packet header\r
\r
//\r
// Fill in the IKE Packet header\r
IkePacket->PayloadTotalSize = EncryptPayloadSize;\r
IkePacket->Header->Length = (UINT32) (sizeof (IKE_HEADER) + IkePacket->PayloadTotalSize);\r
IkePacket->Header->NextPayload = IKEV2_PAYLOAD_TYPE_ENCRYPT;\r
IkePacket->PayloadTotalSize = EncryptPayloadSize;\r
IkePacket->Header->Length = (UINT32) (sizeof (IKE_HEADER) + IkePacket->PayloadTotalSize);\r
IkePacket->Header->NextPayload = IKEV2_PAYLOAD_TYPE_ENCRYPT;\r
IntegrityBuf = AllocateZeroPool (IkePacket->Header->Length);\r
if (IntegrityBuf == NULL) {\r
Status = EFI_OUT_OF_RESOURCES;\r
IntegrityBuf = AllocateZeroPool (IkePacket->Header->Length);\r
if (IntegrityBuf == NULL) {\r
Status = EFI_OUT_OF_RESOURCES;\r
(UINT8)IkeSaSession->SessionCommon.SaParams->IntegAlgId,\r
IkeSaSession->IkeKeys->SkArKey,\r
IkeSaSession->IkeKeys->SkArKeySize,\r
(UINT8)IkeSaSession->SessionCommon.SaParams->IntegAlgId,\r
IkeSaSession->IkeKeys->SkArKey,\r
IkeSaSession->IkeKeys->SkArKeySize,\r
- (HASH_DATA_FRAGMENT *) Fragments, \r
+ (HASH_DATA_FRAGMENT *) Fragments,\r
1,\r
CheckSumData,\r
CheckSumSize\r
1,\r
CheckSumData,\r
CheckSumSize\r
EncryptPayload->PayloadBuf = EncryptPayloadBuf;\r
EncryptPayload->PayloadSize = EncryptPayloadSize;\r
EncryptPayload->PayloadType = IKEV2_PAYLOAD_TYPE_ENCRYPT;\r
EncryptPayload->PayloadBuf = EncryptPayloadBuf;\r
EncryptPayload->PayloadSize = EncryptPayloadSize;\r
EncryptPayload->PayloadType = IKEV2_PAYLOAD_TYPE_ENCRYPT;\r
IKE_PACKET_APPEND_PAYLOAD (IkePacket, EncryptPayload);\r
\r
ON_EXIT:\r
IKE_PACKET_APPEND_PAYLOAD (IkePacket, EncryptPayload);\r
\r
ON_EXIT:\r
The notification function. It will be called when the related UDP_TX_TOKEN's event\r
is signaled.\r
\r
The notification function. It will be called when the related UDP_TX_TOKEN's event\r
is signaled.\r
\r
- This function frees the Net Buffer pointed to the input Packet. \r
- \r
+ This function frees the Net Buffer pointed to the input Packet.\r
+\r
@param[in] Packet Pointer to Net buffer containing the sending IKE packet.\r
@param[in] EndPoint Pointer to UDP_END_POINT containing the remote and local\r
address information.\r
@param[in] Packet Pointer to Net buffer containing the sending IKE packet.\r
@param[in] EndPoint Pointer to UDP_END_POINT containing the remote and local\r
address information.\r
\r
IkePacket = (IKE_PACKET *) Context;\r
Private = NULL;\r
\r
IkePacket = (IKE_PACKET *) Context;\r
Private = NULL;\r
if (EFI_ERROR (IoStatus)) {\r
DEBUG ((DEBUG_ERROR, "Error send the last packet in IkeSessionTypeIkeSa with %r\n", IoStatus));\r
}\r
if (EFI_ERROR (IoStatus)) {\r
DEBUG ((DEBUG_ERROR, "Error send the last packet in IkeSessionTypeIkeSa with %r\n", IoStatus));\r
}\r
NetbufFree (Packet);\r
\r
if (IkePacket->IsDeleteInfo) {\r
NetbufFree (Packet);\r
\r
if (IkePacket->IsDeleteInfo) {\r
if (IkePacket->Spi != 0 ) {\r
//\r
// At that time, the established Child SA still in eht ChildSaEstablishSessionList.\r
if (IkePacket->Spi != 0 ) {\r
//\r
// At that time, the established Child SA still in eht ChildSaEstablishSessionList.\r
- // And meanwhile, if the Child SA is in the the ChildSa in Delete list, \r
+ // And meanwhile, if the Child SA is in the the ChildSa in Delete list,\r
// remove it from delete list and delete it direclty.\r
//\r
ChildSaSession = Ikev2ChildSaSessionLookupBySpi (\r
// remove it from delete list and delete it direclty.\r
//\r
ChildSaSession = Ikev2ChildSaSessionLookupBySpi (\r
IkePacketFree (IkePacket);\r
\r
//\r
IkePacketFree (IkePacket);\r
\r
//\r
- // when all IKE SAs were disabled by calling "IPsecConfig -disable", the IPsec status \r
+ // when all IKE SAs were disabled by calling "IPsecConfig -disable", the IPsec status\r
// should be changed.\r
//\r
if (Private != NULL && Private->IsIPsecDisabling) {\r
// should be changed.\r
//\r
if (Private != NULL && Private->IsIPsecDisabling) {\r
@param[in] IkeUdpService Pointer to IKE_UDP_SERVICE used to send the IKE packet.\r
@param[in] SessionCommon Pointer to IKEV1_SESSION_COMMON related to the IKE packet.\r
@param[in] IkePacket Pointer to IKE_PACKET to be sent out.\r
@param[in] IkeUdpService Pointer to IKE_UDP_SERVICE used to send the IKE packet.\r
@param[in] SessionCommon Pointer to IKEV1_SESSION_COMMON related to the IKE packet.\r
@param[in] IkePacket Pointer to IKE_PACKET to be sent out.\r
- @param[in] IkeType The type of IKE to point what's kind of the IKE \r
- packet is to be sent out. IKE_SA_TYPE, IKE_INFO_TYPE \r
+ @param[in] IkeType The type of IKE to point what's kind of the IKE\r
+ packet is to be sent out. IKE_SA_TYPE, IKE_INFO_TYPE\r
and IKE_CHILD_TYPE are supportted.\r
\r
@retval EFI_SUCCESS The operation complete successfully.\r
and IKE_CHILD_TYPE are supportted.\r
\r
@retval EFI_SUCCESS The operation complete successfully.\r
IKEV2_SESSION_COMMON *Common;\r
\r
Common = (IKEV2_SESSION_COMMON *) SessionCommon;\r
IKEV2_SESSION_COMMON *Common;\r
\r
Common = (IKEV2_SESSION_COMMON *) SessionCommon;\r
//\r
// Set the resend interval\r
//\r
//\r
// Set the resend interval\r
//\r
\r
IKE_PACKET_REF (IkePacket);\r
//\r
\r
IKE_PACKET_REF (IkePacket);\r
//\r
- // If the last sent packet is same with this round packet, the packet is resent packet. \r
+ // If the last sent packet is same with this round packet, the packet is resent packet.\r
//\r
if (IkePacket != Common->LastSentPacket && Common->LastSentPacket != NULL) {\r
IkePacketFree (Common->LastSentPacket);\r
//\r
if (IkePacket != Common->LastSentPacket && Common->LastSentPacket != NULL) {\r
IkePacketFree (Common->LastSentPacket);\r
/** @file\r
Driver Binding Protocol for IPsec Driver.\r
\r
/** @file\r
Driver Binding Protocol for IPsec Driver.\r
\r
- Copyright (c) 2009 - 2010, Intel Corporation. All rights reserved.<BR>\r
+ Copyright (c) 2009 - 2011, Intel Corporation. All rights reserved.<BR>\r
\r
This program and the accompanying materials\r
are licensed and made available under the terms and conditions of the BSD License\r
\r
This program and the accompanying materials\r
are licensed and made available under the terms and conditions of the BSD License\r
\r
@retval EFI_SUCCES This driver is added to ControllerHandle\r
@retval EFI_ALREADY_STARTED This driver is already running on ControllerHandle\r
\r
@retval EFI_SUCCES This driver is added to ControllerHandle\r
@retval EFI_ALREADY_STARTED This driver is already running on ControllerHandle\r
- @retval EFI_DEVICE_ERROR The device could not be started due to a device error. \r
+ @retval EFI_DEVICE_ERROR The device could not be started due to a device error.\r
Currently not implemented.\r
@retval other This driver does not support this device\r
\r
Currently not implemented.\r
@retval other This driver does not support this device\r
\r
\r
Private = IPSEC_PRIVATE_DATA_FROM_IPSEC (IpSec);\r
\r
\r
Private = IPSEC_PRIVATE_DATA_FROM_IPSEC (IpSec);\r
\r
+ //\r
+ // Delete all SAs before stop Ipsec.\r
+ //\r
+ IkeDeleteAllSas (Private, FALSE);\r
//\r
// If has udp4 io opened on the controller, close and free it.\r
//\r
//\r
// If has udp4 io opened on the controller, close and free it.\r
//\r
\r
/**\r
This is a callback function when the mIpSecInstance.DisabledEvent is signaled.\r
\r
/**\r
This is a callback function when the mIpSecInstance.DisabledEvent is signaled.\r
@param[in] Event Event whose notification function is being invoked.\r
@param[in] Event Event whose notification function is being invoked.\r
- @param[in] Context Pointer to the notification function's context. \r
+ @param[in] Context Pointer to the notification function's context.\r
IPSEC_PRIVATE_DATA *Private;\r
Private = (IPSEC_PRIVATE_DATA *) Context;\r
Private->IsIPsecDisabling = TRUE;\r
IPSEC_PRIVATE_DATA *Private;\r
Private = (IPSEC_PRIVATE_DATA *) Context;\r
Private->IsIPsecDisabling = TRUE;\r
- IkeDeleteAllSas (Private);\r
+ IkeDeleteAllSas (Private, TRUE);\r
}\r
\r
/**\r
This is the declaration of an EFI image entry point. This entry point is\r
the same for UEFI Applications, UEFI OS Loaders, and UEFI Drivers, including\r
both device drivers and bus drivers.\r
}\r
\r
/**\r
This is the declaration of an EFI image entry point. This entry point is\r
the same for UEFI Applications, UEFI OS Loaders, and UEFI Drivers, including\r
both device drivers and bus drivers.\r
- \r
- The entry point for IPsec driver which installs the driver binding, \r
+\r
+ The entry point for IPsec driver which installs the driver binding,\r
component name protocol, IPsec Config protcolon, and IPsec protocol in\r
its ImageHandle.\r
\r
component name protocol, IPsec Config protcolon, and IPsec protocol in\r
its ImageHandle.\r
\r
@retval EFI_SUCCESS The operation completed successfully.\r
@retval EFI_ALREADY_STARTED The IPsec driver has been already loaded.\r
@retval EFI_OUT_OF_RESOURCES The request could not be completed due to a lack of resources.\r
@retval EFI_SUCCESS The operation completed successfully.\r
@retval EFI_ALREADY_STARTED The IPsec driver has been already loaded.\r
@retval EFI_OUT_OF_RESOURCES The request could not be completed due to a lack of resources.\r
- @retval Others The operation is failed. \r
+ @retval Others The operation is failed.\r
Private->Signature = IPSEC_PRIVATE_DATA_SIGNATURE;\r
Private->ImageHandle = ImageHandle;\r
CopyMem (&Private->IpSec, &mIpSecInstance, sizeof (EFI_IPSEC2_PROTOCOL));\r
Private->Signature = IPSEC_PRIVATE_DATA_SIGNATURE;\r
Private->ImageHandle = ImageHandle;\r
CopyMem (&Private->IpSec, &mIpSecInstance, sizeof (EFI_IPSEC2_PROTOCOL));\r
//\r
// Initilize Private's members. Thess members is used for IKE.\r
//\r
//\r
// Initilize Private's members. Thess members is used for IKE.\r
//\r
InitializeListHead (&Private->Ikev1EstablishedList);\r
InitializeListHead (&Private->Ikev2SessionList);\r
InitializeListHead (&Private->Ikev2EstablishedList);\r
InitializeListHead (&Private->Ikev1EstablishedList);\r
InitializeListHead (&Private->Ikev2SessionList);\r
InitializeListHead (&Private->Ikev2EstablishedList);\r
RandomSeed (NULL, 0);\r
//\r
// Initialize the ipsec config data and restore it from variable.\r
RandomSeed (NULL, 0);\r
//\r
// Initialize the ipsec config data and restore it from variable.\r
if (EFI_ERROR (Status)) {\r
goto ON_UNINSTALL_IPSEC;\r
}\r
if (EFI_ERROR (Status)) {\r
goto ON_UNINSTALL_IPSEC;\r
}\r
return Status;\r
\r
ON_UNINSTALL_IPSEC:\r
return Status;\r
\r
ON_UNINSTALL_IPSEC:\r
Check if the specified Address is the Valid Address Range.\r
\r
This function checks if the bytes after prefixed length are all Zero in this\r
Check if the specified Address is the Valid Address Range.\r
\r
This function checks if the bytes after prefixed length are all Zero in this\r
- Address. This Address is supposed to point to a range address. That means it \r
+ Address. This Address is supposed to point to a range address. That means it\r
should gives the correct prefixed address and the bytes outside the prefixed are\r
zero.\r
\r
should gives the correct prefixed address and the bytes outside the prefixed are\r
zero.\r
\r
{\r
LIST_ENTRY *Entry;\r
IPSEC_SAD_ENTRY *SadEntry;\r
{\r
LIST_ENTRY *Entry;\r
IPSEC_SAD_ENTRY *SadEntry;\r
NET_LIST_FOR_EACH (Entry, SadList) {\r
\r
SadEntry = IPSEC_SAD_ENTRY_FROM_SPD (Entry);\r
NET_LIST_FOR_EACH (Entry, SadList) {\r
\r
SadEntry = IPSEC_SAD_ENTRY_FROM_SPD (Entry);\r
DestAddress,\r
SadEntry->Data->SpdSelector->RemoteAddress,\r
SadEntry->Data->SpdSelector->RemoteAddressCount\r
DestAddress,\r
SadEntry->Data->SpdSelector->RemoteAddress,\r
SadEntry->Data->SpdSelector->RemoteAddressCount\r
return SadEntry;\r
}\r
}\r
return SadEntry;\r
}\r
}\r
if (SadEntry->Id->Spi == Spi) {\r
if (SadEntry->Data->Mode == EfiIPsecTunnel) {\r
if (CompareMem (\r
if (SadEntry->Id->Spi == Spi) {\r
if (SadEntry->Data->Mode == EfiIPsecTunnel) {\r
if (CompareMem (\r
&SadEntry->Data->TunnelDestAddress,\r
sizeof (EFI_IP_ADDRESS)\r
)) {\r
&SadEntry->Data->TunnelDestAddress,\r
sizeof (EFI_IP_ADDRESS)\r
)) {\r
} else {\r
if (SadEntry->Data->SpdSelector != NULL &&\r
IpSecMatchIpAddress (\r
} else {\r
if (SadEntry->Data->SpdSelector != NULL &&\r
IpSecMatchIpAddress (\r
- IpVersion, \r
- DestAddress, \r
+ IpVersion,\r
+ DestAddress,\r
SadEntry->Data->SpdSelector->RemoteAddress,\r
SadEntry->Data->SpdSelector->RemoteAddressCount\r
)\r
) {\r
return SadEntry;\r
SadEntry->Data->SpdSelector->RemoteAddress,\r
SadEntry->Data->SpdSelector->RemoteAddressCount\r
)\r
) {\r
return SadEntry;\r
sizeof (EFI_IP_ADDRESS)\r
);\r
}\r
sizeof (EFI_IP_ADDRESS)\r
);\r
}\r
//\r
// Find the SAD entry in the spd.sas list according to the dest address.\r
//\r
Entry = IpSecLookupSadBySpd (&SpdEntry->Data->Sas, &DestIp, IpVersion);\r
\r
if (Entry == NULL) {\r
//\r
// Find the SAD entry in the spd.sas list according to the dest address.\r
//\r
Entry = IpSecLookupSadBySpd (&SpdEntry->Data->Sas, &DestIp, IpVersion);\r
\r
if (Entry == NULL) {\r
if (OldLastHead != IP6_ICMP ||\r
(OldLastHead == IP6_ICMP && *IpPayload == ICMP_V6_ECHO_REQUEST)\r
) {\r
if (OldLastHead != IP6_ICMP ||\r
(OldLastHead == IP6_ICMP && *IpPayload == ICMP_V6_ECHO_REQUEST)\r
) {\r
}\r
\r
return EFI_NOT_READY;\r
}\r
\r
return EFI_NOT_READY;\r
IN VOID *IpHead,\r
IN UINT8 *IpPayload,\r
IN UINT8 Protocol,\r
IN VOID *IpHead,\r
IN UINT8 *IpPayload,\r
IN UINT8 Protocol,\r
- IN BOOLEAN IsOutbound, \r
+ IN BOOLEAN IsOutbound,\r
OUT EFI_IPSEC_ACTION *Action\r
)\r
{\r
OUT EFI_IPSEC_ACTION *Action\r
)\r
{\r
- Calculate the extension hader of IP. The return length only doesn't contain \r
+ Calculate the extension hader of IP. The return length only doesn't contain\r
the fixed IP header length.\r
\r
@param[in] IpHead Points to an IP head to be calculated.\r
the fixed IP header length.\r
\r
@param[in] IpHead Points to an IP head to be calculated.\r
//\r
HashFragment[0].Data = EspBuffer;\r
HashFragment[0].DataSize = AuthSize;\r
//\r
HashFragment[0].Data = EspBuffer;\r
HashFragment[0].DataSize = AuthSize;\r
Status = IpSecCryptoIoHmac (\r
SadEntry->Data->AlgoInfo.EspAlgoInfo.AuthAlgoId,\r
SadEntry->Data->AlgoInfo.EspAlgoInfo.AuthKey,\r
Status = IpSecCryptoIoHmac (\r
SadEntry->Data->AlgoInfo.EspAlgoInfo.AuthAlgoId,\r
SadEntry->Data->AlgoInfo.EspAlgoInfo.AuthKey,\r
if (EFI_ERROR (Status)) {\r
return Status;\r
}\r
if (EFI_ERROR (Status)) {\r
return Status;\r
}\r
//\r
// Compare the calculated icv and the appended original icv.\r
//\r
//\r
// Compare the calculated icv and the appended original icv.\r
//\r
@param[in] IpHead The pointer to IP header.\r
@param[in] IpVersion The version of IP (IP4 or IP6).\r
@param[in] Spi The SPI used to search the related SAD entry.\r
@param[in] IpHead The pointer to IP header.\r
@param[in] IpVersion The version of IP (IP4 or IP6).\r
@param[in] Spi The SPI used to search the related SAD entry.\r
\r
@retval NULL Not find the related SAD entry.\r
\r
@retval NULL Not find the related SAD entry.\r
- @retval IPSEC_SAD_ENTRY Return the related SAD entry. \r
+ @retval IPSEC_SAD_ENTRY Return the related SAD entry.\r
\r
**/\r
IPSEC_SAD_ENTRY *\r
\r
**/\r
IPSEC_SAD_ENTRY *\r
UINT8 *IpHead,\r
UINT8 IpVersion,\r
UINT32 Spi\r
UINT8 *IpHead,\r
UINT8 IpVersion,\r
UINT32 Spi\r
{\r
EFI_IP_ADDRESS DestIp;\r
{\r
EFI_IP_ADDRESS DestIp;\r
//\r
// Parse destination address from ip header.\r
//\r
//\r
// Parse destination address from ip header.\r
//\r
sizeof (EFI_IPv6_ADDRESS)\r
);\r
}\r
sizeof (EFI_IPv6_ADDRESS)\r
);\r
}\r
//\r
// Lookup SAD entry according to the spi and dest address.\r
//\r
// Lookup SAD entry according to the spi and dest address.\r
return IpSecLookupSadBySpi (Spi, &DestIp, IpVersion);\r
}\r
\r
return IpSecLookupSadBySpi (Spi, &DestIp, IpVersion);\r
}\r
\r
}\r
\r
*LastHeader = NextHeader;\r
}\r
\r
*LastHeader = NextHeader;\r
- The actual entry to process the tunnel header and inner header for tunnel mode \r
+ The actual entry to process the tunnel header and inner header for tunnel mode\r
- This function is the subfunction of IpSecEspInboundPacket(). It change the destination \r
+ This function is the subfunction of IpSecEspInboundPacket(). It change the destination\r
Ip address to the station address and recalculate the uplayyer's checksum.\r
Ip address to the station address and recalculate the uplayyer's checksum.\r
- @param[in, out] IpHead Points to the IP header containing the ESP header \r
+\r
+ @param[in, out] IpHead Points to the IP header containing the ESP header\r
to be trimed on input, and without ESP header\r
on return.\r
@param[in] IpPayload The decrypted Ip payload. It start from the inner\r
to be trimed on input, and without ESP header\r
on return.\r
@param[in] IpPayload The decrypted Ip payload. It start from the inner\r
IP6_ICMP_HEAD *Icmp6Head;\r
\r
Checksum = NULL;\r
IP6_ICMP_HEAD *Icmp6Head;\r
\r
Checksum = NULL;\r
if (IpVersion == IP_VERSION_4) {\r
//\r
if (IpVersion == IP_VERSION_4) {\r
//\r
- // Zero OutIP header use this to indicate the input packet is under \r
+ // Zero OutIP header use this to indicate the input packet is under\r
// IPsec Tunnel protected.\r
//\r
ZeroMem (\r
// IPsec Tunnel protected.\r
//\r
ZeroMem (\r
&SadData->TunnelDestAddress.v4,\r
sizeof (EFI_IPv4_ADDRESS)\r
);\r
&SadData->TunnelDestAddress.v4,\r
sizeof (EFI_IPv4_ADDRESS)\r
);\r
//\r
// Recalculate IpHeader Checksum\r
//\r
if (((IP4_HEAD *)(IpPayload))->Checksum != 0 ) {\r
((IP4_HEAD *)(IpPayload))->Checksum = 0;\r
((IP4_HEAD *)(IpPayload))->Checksum = (UINT16) (~NetblockChecksum (\r
//\r
// Recalculate IpHeader Checksum\r
//\r
if (((IP4_HEAD *)(IpPayload))->Checksum != 0 ) {\r
((IP4_HEAD *)(IpPayload))->Checksum = 0;\r
((IP4_HEAD *)(IpPayload))->Checksum = (UINT16) (~NetblockChecksum (\r
((IP4_HEAD *)IpPayload)->HeadLen << 2\r
));\r
\r
\r
}\r
((IP4_HEAD *)IpPayload)->HeadLen << 2\r
));\r
\r
\r
}\r
//\r
// Recalcualte PseudoChecksum\r
//\r
//\r
// Recalcualte PseudoChecksum\r
//\r
break;\r
}\r
PacketChecksum = NetblockChecksum (\r
break;\r
}\r
PacketChecksum = NetblockChecksum (\r
- (UINT8 *)IpPayload + (((IP4_HEAD *)IpPayload)->HeadLen << 2), \r
+ (UINT8 *)IpPayload + (((IP4_HEAD *)IpPayload)->HeadLen << 2),\r
NTOHS (((IP4_HEAD *)IpPayload)->TotalLen) - (((IP4_HEAD *)IpPayload)->HeadLen << 2)\r
);\r
PseudoChecksum = NetPseudoHeadChecksum (\r
NTOHS (((IP4_HEAD *)IpPayload)->TotalLen) - (((IP4_HEAD *)IpPayload)->HeadLen << 2)\r
);\r
PseudoChecksum = NetPseudoHeadChecksum (\r
((IP4_HEAD *)IpPayload)->Protocol,\r
0\r
);\r
((IP4_HEAD *)IpPayload)->Protocol,\r
0\r
);\r
if (Checksum != NULL) {\r
*Checksum = NetAddChecksum (PacketChecksum, PseudoChecksum);\r
*Checksum = (UINT16) ~(NetAddChecksum (*Checksum, HTONS((UINT16)(NTOHS (((IP4_HEAD *)IpPayload)->TotalLen) - (((IP4_HEAD *)IpPayload)->HeadLen << 2)))));\r
}\r
}else {\r
//\r
if (Checksum != NULL) {\r
*Checksum = NetAddChecksum (PacketChecksum, PseudoChecksum);\r
*Checksum = (UINT16) ~(NetAddChecksum (*Checksum, HTONS((UINT16)(NTOHS (((IP4_HEAD *)IpPayload)->TotalLen) - (((IP4_HEAD *)IpPayload)->HeadLen << 2)))));\r
}\r
}else {\r
//\r
- // Zero OutIP header use this to indicate the input packet is under \r
+ // Zero OutIP header use this to indicate the input packet is under\r
// IPsec Tunnel protected.\r
//\r
ZeroMem (\r
// IPsec Tunnel protected.\r
//\r
ZeroMem (\r
&SadData->TunnelDestAddress.v6,\r
sizeof (EFI_IPv6_ADDRESS)\r
);\r
&SadData->TunnelDestAddress.v6,\r
sizeof (EFI_IPv6_ADDRESS)\r
);\r
//\r
// Get the Extension Header and Header length.\r
//\r
//\r
// Get the Extension Header and Header length.\r
//\r
&LastHead,\r
&OptionLen\r
);\r
&LastHead,\r
&OptionLen\r
);\r
//\r
// Recalcualte PseudoChecksum\r
//\r
//\r
// Recalcualte PseudoChecksum\r
//\r
break;\r
}\r
PacketChecksum = NetblockChecksum (\r
break;\r
}\r
PacketChecksum = NetblockChecksum (\r
- IpPayload + sizeof (EFI_IP6_HEADER) + OptionLen, \r
+ IpPayload + sizeof (EFI_IP6_HEADER) + OptionLen,\r
NTOHS(((EFI_IP6_HEADER *)IpPayload)->PayloadLength) - OptionLen\r
);\r
PseudoChecksum = NetIp6PseudoHeadChecksum (\r
NTOHS(((EFI_IP6_HEADER *)IpPayload)->PayloadLength) - OptionLen\r
);\r
PseudoChecksum = NetIp6PseudoHeadChecksum (\r
if (Checksum != NULL) {\r
*Checksum = NetAddChecksum (PacketChecksum, PseudoChecksum);\r
*Checksum = (UINT16) ~(NetAddChecksum (\r
if (Checksum != NULL) {\r
*Checksum = NetAddChecksum (PacketChecksum, PseudoChecksum);\r
*Checksum = (UINT16) ~(NetAddChecksum (\r
HTONS ((UINT16)((NTOHS (((EFI_IP6_HEADER *)(IpPayload))->PayloadLength)) - OptionLen))\r
));\r
}\r
HTONS ((UINT16)((NTOHS (((EFI_IP6_HEADER *)(IpPayload))->PayloadLength)) - OptionLen))\r
));\r
}\r
}\r
\r
/**\r
The actual entry to create inner header for tunnel mode inbound traffic.\r
\r
}\r
\r
/**\r
The actual entry to create inner header for tunnel mode inbound traffic.\r
\r
- This function is the subfunction of IpSecEspOutboundPacket(). It create \r
- the sending packet by encrypting its payload and inserting ESP header in the orginal \r
+ This function is the subfunction of IpSecEspOutboundPacket(). It create\r
+ the sending packet by encrypting its payload and inserting ESP header in the orginal\r
IP header, then return the IpHeader and IPsec protected Fragmentable.\r
IP header, then return the IpHeader and IPsec protected Fragmentable.\r
- \r
- @param[in, out] IpHead Points to IP header containing the orginal IP header \r
+\r
+ @param[in, out] IpHead Points to IP header containing the orginal IP header\r
to be processed on input, and inserted ESP header\r
on return.\r
@param[in] IpVersion The version of IP.\r
@param[in] SadData The related SAD data.\r
to be processed on input, and inserted ESP header\r
on return.\r
@param[in] IpVersion The version of IP.\r
@param[in] SadData The related SAD data.\r
- @param[in, out] LastHead The Last Header in IP header. \r
+ @param[in, out] LastHead The Last Header in IP header.\r
@param[in] OptionsBuffer Pointer to the options buffer.\r
@param[in] OptionsLength Length of the options buffer.\r
@param[in, out] FragmentTable Pointer to a list of fragments to be protected by\r
@param[in] OptionsBuffer Pointer to the options buffer.\r
@param[in] OptionsLength Length of the options buffer.\r
@param[in, out] FragmentTable Pointer to a list of fragments to be protected by\r
if (OptionsLength == NULL) {\r
return NULL;\r
}\r
if (OptionsLength == NULL) {\r
return NULL;\r
}\r
if (IpVersion == IP_VERSION_4) {\r
InnerHead = AllocateZeroPool (sizeof (IP4_HEAD) + *OptionsLength);\r
ASSERT (InnerHead != NULL);\r
if (IpVersion == IP_VERSION_4) {\r
InnerHead = AllocateZeroPool (sizeof (IP4_HEAD) + *OptionsLength);\r
ASSERT (InnerHead != NULL);\r
*OptionsLength = 0;\r
}\r
}\r
*OptionsLength = 0;\r
}\r
}\r
//\r
// 2. Reassamlbe Fragment into Packet\r
//\r
//\r
// 2. Reassamlbe Fragment into Packet\r
//\r
Checksum = &IcmpHead->Checksum;\r
*Checksum = 0;\r
break;\r
Checksum = &IcmpHead->Checksum;\r
*Checksum = 0;\r
break;\r
break;\r
}\r
\r
PacketChecksum = NetbufChecksum (Packet);\r
break;\r
}\r
\r
PacketChecksum = NetbufChecksum (Packet);\r
if (IpVersion == IP_VERSION_4) {\r
//\r
// Replace the source address of Inner Header.\r
if (IpVersion == IP_VERSION_4) {\r
//\r
// Replace the source address of Inner Header.\r
} else {\r
//\r
// Replace the source address of Inner Header.\r
} else {\r
//\r
// Replace the source address of Inner Header.\r
}\r
if (Checksum != NULL) {\r
*Checksum = NetAddChecksum (PacketChecksum, PseudoChecksum);\r
}\r
if (Checksum != NULL) {\r
*Checksum = NetAddChecksum (PacketChecksum, PseudoChecksum);\r
/**\r
The actual entry to relative function processes the inbound traffic of ESP header.\r
\r
/**\r
The actual entry to relative function processes the inbound traffic of ESP header.\r
\r
- This function is the subfunction of IpSecProtectInboundPacket(). It checks the \r
+ This function is the subfunction of IpSecProtectInboundPacket(). It checks the\r
received packet security property and trim the ESP header and then returns without\r
an IPsec protected IP Header and FramgmentTable.\r
received packet security property and trim the ESP header and then returns without\r
an IPsec protected IP Header and FramgmentTable.\r
@param[in] IpVersion The version of IP.\r
@param[in] IpVersion The version of IP.\r
- @param[in, out] IpHead Points to the IP header containing the ESP header \r
+ @param[in, out] IpHead Points to the IP header containing the ESP header\r
to be trimed on input, and without ESP header\r
on return.\r
@param[out] LastHead The Last Header in IP header on return.\r
to be trimed on input, and without ESP header\r
on return.\r
@param[out] LastHead The Last Header in IP header on return.\r
*RecycleEvent = NULL;\r
PlainPayloadSize = 0;\r
NextHeader = 0;\r
*RecycleEvent = NULL;\r
PlainPayloadSize = 0;\r
NextHeader = 0;\r
//\r
// Build netbuf from fragment table first.\r
//\r
//\r
// Build netbuf from fragment table first.\r
//\r
Status = EFI_OUT_OF_RESOURCES;\r
goto ON_EXIT;\r
}\r
Status = EFI_OUT_OF_RESOURCES;\r
goto ON_EXIT;\r
}\r
//\r
// Get the esp size and esp header from netbuf.\r
//\r
EspSize = Payload->TotalSize;\r
EspHeader = (EFI_ESP_HEADER *) NetbufGetByte (Payload, 0, NULL);\r
//\r
// Get the esp size and esp header from netbuf.\r
//\r
EspSize = Payload->TotalSize;\r
EspHeader = (EFI_ESP_HEADER *) NetbufGetByte (Payload, 0, NULL);\r
if (EspHeader == NULL) {\r
Status = EFI_ACCESS_DENIED;\r
goto ON_EXIT;\r
}\r
if (EspHeader == NULL) {\r
Status = EFI_ACCESS_DENIED;\r
goto ON_EXIT;\r
}\r
//\r
// Parse destination address from ip header and found the related SAD Entry.\r
//\r
SadEntry = IpSecFoundSadFromInboundPacket (\r
//\r
// Parse destination address from ip header and found the related SAD Entry.\r
//\r
SadEntry = IpSecFoundSadFromInboundPacket (\r
IpVersion,\r
NTOHL (EspHeader->Spi)\r
);\r
IpVersion,\r
NTOHL (EspHeader->Spi)\r
);\r
if (SadEntry == NULL) {\r
Status = EFI_ACCESS_DENIED;\r
goto ON_EXIT;\r
if (SadEntry == NULL) {\r
Status = EFI_ACCESS_DENIED;\r
goto ON_EXIT;\r
// TODO: Check SA lifetime and sequence number\r
//\r
}\r
// TODO: Check SA lifetime and sequence number\r
//\r
}\r
//\r
// Allocate buffer for decryption and authentication.\r
//\r
//\r
// Allocate buffer for decryption and authentication.\r
//\r
IcvSize = IpSecGetIcvLength (SadEntry->Data->AlgoInfo.EspAlgoInfo.AuthAlgoId);\r
IvSize = IpSecGetEncryptIvLength (SadEntry->Data->AlgoInfo.EspAlgoInfo.EncAlgoId);\r
BlockSize = IpSecGetEncryptBlockSize (SadEntry->Data->AlgoInfo.EspAlgoInfo.EncAlgoId);\r
IcvSize = IpSecGetIcvLength (SadEntry->Data->AlgoInfo.EspAlgoInfo.AuthAlgoId);\r
IvSize = IpSecGetEncryptIvLength (SadEntry->Data->AlgoInfo.EspAlgoInfo.EncAlgoId);\r
BlockSize = IpSecGetEncryptBlockSize (SadEntry->Data->AlgoInfo.EspAlgoInfo.EncAlgoId);\r
//\r
// Make sure the ESP packet is not mal-formt.\r
// 1. Check whether the Espsize is larger than ESP header + IvSize + EspTail + IcvSize.\r
//\r
// Make sure the ESP packet is not mal-formt.\r
// 1. Check whether the Espsize is larger than ESP header + IvSize + EspTail + IcvSize.\r
//\r
// Parse EspTail and compute the plain payload size.\r
//\r
EspTail = (EFI_ESP_TAIL *) (ProcessBuffer + EspSize - IcvSize - sizeof (EFI_ESP_TAIL));\r
PaddingSize = EspTail->PaddingLength;\r
NextHeader = EspTail->NextHeader;\r
//\r
// Parse EspTail and compute the plain payload size.\r
//\r
EspTail = (EFI_ESP_TAIL *) (ProcessBuffer + EspSize - IcvSize - sizeof (EFI_ESP_TAIL));\r
PaddingSize = EspTail->PaddingLength;\r
NextHeader = EspTail->NextHeader;\r
if (EspSize <= (MiscSize + sizeof (EFI_ESP_TAIL) + PaddingSize)) {\r
Status = EFI_ACCESS_DENIED;\r
goto ON_EXIT;\r
}\r
PlainPayloadSize = EspSize - MiscSize - sizeof (EFI_ESP_TAIL) - PaddingSize;\r
if (EspSize <= (MiscSize + sizeof (EFI_ESP_TAIL) + PaddingSize)) {\r
Status = EFI_ACCESS_DENIED;\r
goto ON_EXIT;\r
}\r
PlainPayloadSize = EspSize - MiscSize - sizeof (EFI_ESP_TAIL) - PaddingSize;\r
//\r
// TODO: handle anti-replay window\r
//\r
//\r
// TODO: handle anti-replay window\r
//\r
if (EFI_ERROR (Status)) {\r
goto ON_EXIT;\r
}\r
if (EFI_ERROR (Status)) {\r
goto ON_EXIT;\r
}\r
//\r
// The caller will take responsible to handle the original fragment table\r
//\r
//\r
// The caller will take responsible to handle the original fragment table\r
//\r
\r
RecycleContext->PayloadBuffer = ProcessBuffer;\r
RecycleContext->FragmentTable = *FragmentTable;\r
\r
RecycleContext->PayloadBuffer = ProcessBuffer;\r
RecycleContext->FragmentTable = *FragmentTable;\r
//\r
// If Tunnel, recalculate upper-layyer PesudoCheckSum and trim the out\r
//\r
//\r
// If Tunnel, recalculate upper-layyer PesudoCheckSum and trim the out\r
//\r
SadData,\r
LastHead\r
);\r
SadData,\r
LastHead\r
);\r
if (IpVersion == IP_VERSION_4) {\r
(*FragmentTable)[0].FragmentBuffer = InnerHead ;\r
(*FragmentTable)[0].FragmentLength = (UINT32) PlainPayloadSize;\r
if (IpVersion == IP_VERSION_4) {\r
(*FragmentTable)[0].FragmentBuffer = InnerHead ;\r
(*FragmentTable)[0].FragmentLength = (UINT32) PlainPayloadSize;\r
(*FragmentTable)[0].FragmentBuffer = InnerHead;\r
(*FragmentTable)[0].FragmentLength = (UINT32) PlainPayloadSize;\r
(*FragmentTable)[0].FragmentBuffer = InnerHead;\r
(*FragmentTable)[0].FragmentLength = (UINT32) PlainPayloadSize;\r
} else {\r
(*FragmentTable)[0].FragmentBuffer = ProcessBuffer + sizeof (EFI_ESP_HEADER) + IvSize;\r
(*FragmentTable)[0].FragmentLength = (UINT32) PlainPayloadSize;\r
}\r
} else {\r
(*FragmentTable)[0].FragmentBuffer = ProcessBuffer + sizeof (EFI_ESP_HEADER) + IvSize;\r
(*FragmentTable)[0].FragmentLength = (UINT32) PlainPayloadSize;\r
}\r
*FragmentCount = 1;\r
\r
//\r
*FragmentCount = 1;\r
\r
//\r
//\r
*LastHead = NextHeader;\r
}\r
//\r
*LastHead = NextHeader;\r
}\r
\r
//\r
// Update the SPD association of the SAD entry.\r
\r
//\r
// Update the SPD association of the SAD entry.\r
EFI_ESP_TAIL *EspTail; // Address behind padding\r
UINT8 *InnerHead;\r
HASH_DATA_FRAGMENT HashFragment[1];\r
EFI_ESP_TAIL *EspTail; // Address behind padding\r
UINT8 *InnerHead;\r
HASH_DATA_FRAGMENT HashFragment[1];\r
Status = EFI_ACCESS_DENIED;\r
SaId = SadEntry->Id;\r
SadData = SadEntry->Data;\r
Status = EFI_ACCESS_DENIED;\r
SaId = SadEntry->Id;\r
SadData = SadEntry->Data;\r
FragmentTable,\r
FragmentCount\r
);\r
FragmentTable,\r
FragmentCount\r
);\r
if (InnerHead == NULL) {\r
return EFI_INVALID_PARAMETER;\r
}\r
if (InnerHead == NULL) {\r
return EFI_INVALID_PARAMETER;\r
}\r
//\r
// OPtions should be encryption into it\r
//\r
//\r
// OPtions should be encryption into it\r
//\r
- PlainPayloadSize += *OptionsLength; \r
+ PlainPayloadSize += *OptionsLength;\r
// HeadLen, Total Length\r
//\r
((IP4_HEAD *)InnerHead)->HeadLen = (UINT8) ((sizeof (IP4_HEAD) + *OptionsLength) >> 2);\r
// HeadLen, Total Length\r
//\r
((IP4_HEAD *)InnerHead)->HeadLen = (UINT8) ((sizeof (IP4_HEAD) + *OptionsLength) >> 2);\r
- ((IP4_HEAD *)InnerHead)->TotalLen = HTONS ((UINT16) PlainPayloadSize); \r
+ ((IP4_HEAD *)InnerHead)->TotalLen = HTONS ((UINT16) PlainPayloadSize);\r
((IP4_HEAD *)InnerHead)->Checksum = 0;\r
((IP4_HEAD *)InnerHead)->Checksum = (UINT16) (~NetblockChecksum (\r
(UINT8 *)InnerHead,\r
((IP4_HEAD *)InnerHead)->Checksum = 0;\r
((IP4_HEAD *)InnerHead)->Checksum = (UINT16) (~NetblockChecksum (\r
(UINT8 *)InnerHead,\r
EspTail->NextHeader = 4;\r
} else {\r
EspTail->NextHeader = 41;\r
EspTail->NextHeader = 4;\r
} else {\r
EspTail->NextHeader = 41;\r
(UINT8 *) (EspHeader + 1),\r
IvSize\r
);\r
(UINT8 *) (EspHeader + 1),\r
IvSize\r
);\r
if (EFI_ERROR (Status)) {\r
goto ON_EXIT;\r
}\r
if (EFI_ERROR (Status)) {\r
goto ON_EXIT;\r
}\r
if (SadData->Mode == EfiIPsecTunnel) {\r
if (IpVersion == IP_VERSION_4) {\r
CopyMem (\r
if (SadData->Mode == EfiIPsecTunnel) {\r
if (IpVersion == IP_VERSION_4) {\r
CopyMem (\r
- &((IP4_HEAD *) IpHead)->Src, \r
+ &((IP4_HEAD *) IpHead)->Src,\r
&SadData->TunnelSourceAddress.v4,\r
sizeof (EFI_IPv4_ADDRESS)\r
&SadData->TunnelSourceAddress.v4,\r
sizeof (EFI_IPv4_ADDRESS)\r
CopyMem (\r
&((IP4_HEAD *) IpHead)->Dst,\r
&SadData->TunnelDestAddress.v4,\r
CopyMem (\r
&((IP4_HEAD *) IpHead)->Dst,\r
&SadData->TunnelDestAddress.v4,\r
/**\r
This function processes the inbound traffic with IPsec.\r
\r
/**\r
This function processes the inbound traffic with IPsec.\r
\r
- It checks the received packet security property, trims the ESP/AH header, and then \r
+ It checks the received packet security property, trims the ESP/AH header, and then\r
returns without an IPsec protected IP Header and FragmentTable.\r
returns without an IPsec protected IP Header and FragmentTable.\r
@param[in] IpVersion The version of IP.\r
@param[in] IpVersion The version of IP.\r
- @param[in, out] IpHead Points to IP header containing the ESP/AH header \r
+ @param[in, out] IpHead Points to IP header containing the ESP/AH header\r
to be trimed on input, and without ESP/AH header\r
on return.\r
@param[in, out] LastHead The Last Header in IP header on return.\r
to be trimed on input, and without ESP/AH header\r
on return.\r
@param[in, out] LastHead The Last Header in IP header on return.\r