+++ /dev/null
-/** @file\r
- The implementation of delete policy entry function in IpSecConfig application.\r
-\r
- Copyright (c) 2009 - 2010, Intel Corporation. All rights reserved.<BR>\r
-\r
- SPDX-License-Identifier: BSD-2-Clause-Patent\r
-\r
-**/\r
-\r
-#include "IpSecConfig.h"\r
-#include "Indexer.h"\r
-#include "Delete.h"\r
-#include "Match.h"\r
-#include "ForEach.h"\r
-\r
-/**\r
- Private function to delete entry information in database.\r
-\r
- @param[in] Selector The pointer to EFI_IPSEC_CONFIG_SELECTOR structure.\r
- @param[in] Data The pointer to Data.\r
- @param[in] Context The pointer to DELETE_POLICY_ENTRY_CONTEXT.\r
-\r
- @retval EFI_ABORTED Abort the iteration.\r
- @retval EFI_SUCCESS Continue the iteration.\r
-**/\r
-EFI_STATUS\r
-DeletePolicyEntry (\r
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector,\r
- IN VOID *Data,\r
- IN DELETE_POLICY_ENTRY_CONTEXT *Context\r
- )\r
-{\r
- if (mMatchPolicyEntry[Context->DataType] (Selector, Data, &Context->Indexer)) {\r
- Context->Status = mIpSecConfig->SetData (\r
- mIpSecConfig,\r
- Context->DataType,\r
- Selector,\r
- NULL,\r
- NULL\r
- );\r
- //\r
- // Abort the iteration after the insertion.\r
- //\r
- return EFI_ABORTED;\r
- }\r
-\r
- return EFI_SUCCESS;\r
-}\r
-\r
-/**\r
- Flush or delete entry information in the database according to datatype.\r
-\r
- @param[in] DataType The value of EFI_IPSEC_CONFIG_DATA_TYPE.\r
- @param[in] ParamPackage The pointer to the ParamPackage list.\r
-\r
- @retval EFI_SUCCESS Delete entry information successfully.\r
- @retval EFI_NOT_FOUND Can't find the specified entry.\r
- @retval Others Some mistaken case.\r
-**/\r
-EFI_STATUS\r
-FlushOrDeletePolicyEntry (\r
- IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,\r
- IN LIST_ENTRY *ParamPackage\r
- )\r
-{\r
- EFI_STATUS Status;\r
- DELETE_POLICY_ENTRY_CONTEXT Context;\r
- CONST CHAR16 *ValueStr;\r
-\r
- //\r
- // If user wants to remove all.\r
- //\r
- if (ShellCommandLineGetFlag (ParamPackage, L"-f")) {\r
- Status = mIpSecConfig->SetData (\r
- mIpSecConfig,\r
- DataType,\r
- NULL,\r
- NULL,\r
- NULL\r
- );\r
- } else {\r
- ValueStr = ShellCommandLineGetValue (ParamPackage, L"-d");\r
- if (ValueStr == NULL) {\r
- ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_INDEX_NOT_SPECIFIED), mHiiHandle, mAppName, ValueStr);\r
- return EFI_NOT_FOUND;\r
- }\r
-\r
- Status = mConstructPolicyEntryIndexer[DataType] (&Context.Indexer, ParamPackage);\r
- if (!EFI_ERROR (Status)) {\r
- Context.DataType = DataType;\r
- Context.Status = EFI_NOT_FOUND;\r
- ForeachPolicyEntry (DataType, (VISIT_POLICY_ENTRY) DeletePolicyEntry, &Context);\r
- Status = Context.Status;\r
-\r
- if (Status == EFI_NOT_FOUND) {\r
- ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_INDEX_NOT_FOUND), mHiiHandle, mAppName, ValueStr);\r
- } else if (EFI_ERROR (Status)) {\r
- ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_DELETE_FAILED), mHiiHandle, mAppName);\r
- }\r
- }\r
- }\r
-\r
- return Status;\r
-}\r
+++ /dev/null
-/** @file\r
- The internal structure and function declaration of delete policy entry function\r
- in IpSecConfig application.\r
-\r
- Copyright (c) 2009 - 2010, Intel Corporation. All rights reserved.<BR>\r
-\r
- SPDX-License-Identifier: BSD-2-Clause-Patent\r
-\r
-**/\r
-\r
-#ifndef __DELETE_H_\r
-#define __DELETE_H_\r
-\r
-typedef struct {\r
- EFI_IPSEC_CONFIG_DATA_TYPE DataType;\r
- POLICY_ENTRY_INDEXER Indexer;\r
- EFI_STATUS Status; //Indicate whether deletion succeeds.\r
-} DELETE_POLICY_ENTRY_CONTEXT;\r
-\r
-/**\r
- Flush or delete entry information in the database according to datatype.\r
-\r
- @param[in] DataType The value of EFI_IPSEC_CONFIG_DATA_TYPE.\r
- @param[in] ParamPackage The pointer to the ParamPackage list.\r
-\r
- @retval EFI_SUCCESS Delete entry information successfully.\r
- @retval EFI_NOT_FOUND Can't find the specified entry.\r
- @retval Others Some mistaken case.\r
-**/\r
-EFI_STATUS\r
-FlushOrDeletePolicyEntry (\r
- IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,\r
- IN LIST_ENTRY *ParamPackage\r
- );\r
-\r
-#endif\r
+++ /dev/null
-/** @file\r
- The implementation of dump policy entry function in IpSecConfig application.\r
-\r
- Copyright (c) 2009 - 2011, Intel Corporation. All rights reserved.<BR>\r
-\r
- SPDX-License-Identifier: BSD-2-Clause-Patent\r
-\r
-**/\r
-\r
-#include "IpSecConfig.h"\r
-#include "Dump.h"\r
-#include "ForEach.h"\r
-#include "Helper.h"\r
-\r
-/**\r
- Private function called to get the version infomation from an EFI_IP_ADDRESS_INFO structure.\r
-\r
- @param[in] AddressInfo The pointer to the EFI_IP_ADDRESS_INFO structure.\r
-\r
- @return the value of version.\r
-**/\r
-UINTN\r
-GetVerFromAddrInfo (\r
- IN EFI_IP_ADDRESS_INFO *AddressInfo\r
-)\r
-{\r
- if((AddressInfo->PrefixLength <= 32) && (AddressInfo->Address.Addr[1] == 0) &&\r
- (AddressInfo->Address.Addr[2] == 0) && (AddressInfo->Address.Addr[3] == 0)) {\r
- return IP_VERSION_4;\r
- } else {\r
- return IP_VERSION_6;\r
- }\r
-}\r
-\r
-/**\r
- Private function called to get the version information from a EFI_IP_ADDRESS structure.\r
-\r
- @param[in] Address The pointer to the EFI_IP_ADDRESS structure.\r
-\r
- @return The value of the version.\r
-**/\r
-UINTN\r
-GetVerFromIpAddr (\r
- IN EFI_IP_ADDRESS *Address\r
-)\r
-{\r
- if ((Address->Addr[1] == 0) && (Address->Addr[2] == 0) && (Address->Addr[3] == 0)) {\r
- return IP_VERSION_4;\r
- } else {\r
- return IP_VERSION_6;\r
- }\r
-}\r
-\r
-/**\r
- Private function called to print an ASCII string in unicode char format.\r
-\r
- @param[in] Str The pointer to the ASCII string.\r
- @param[in] Length The value of the ASCII string length.\r
-**/\r
-VOID\r
-DumpAsciiString (\r
- IN CHAR8 *Str,\r
- IN UINTN Length\r
- )\r
-{\r
- UINTN Index;\r
- Print (L"\"");\r
- for (Index = 0; Index < Length; Index++) {\r
- Print (L"%c", (CHAR16) Str[Index]);\r
- }\r
- Print (L"\"");\r
-}\r
-\r
-/**\r
- Private function called to print a buffer in Hex format.\r
-\r
- @param[in] Data The pointer to the buffer.\r
- @param[in] Length The size of the buffer.\r
-\r
-**/\r
-VOID\r
-DumpBuf (\r
- IN UINT8 *Data,\r
- IN UINTN Length\r
- )\r
-{\r
- UINTN Index;\r
- for (Index = 0; Index < Length; Index++) {\r
- Print (L"%02x ", Data[Index]);\r
- }\r
-}\r
-\r
-/**\r
- Private function called to print EFI_IP_ADDRESS_INFO content.\r
-\r
- @param[in] AddressInfo The pointer to the EFI_IP_ADDRESS_INFO structure.\r
-**/\r
-VOID\r
-DumpAddressInfo (\r
- IN EFI_IP_ADDRESS_INFO *AddressInfo\r
- )\r
-{\r
- if (IP_VERSION_4 == GetVerFromAddrInfo (AddressInfo)) {\r
- Print (\r
- L"%d.%d.%d.%d",\r
- (UINTN) AddressInfo->Address.v4.Addr[0],\r
- (UINTN) AddressInfo->Address.v4.Addr[1],\r
- (UINTN) AddressInfo->Address.v4.Addr[2],\r
- (UINTN) AddressInfo->Address.v4.Addr[3]\r
- );\r
- if (AddressInfo->PrefixLength != 32) {\r
- Print (L"/%d", (UINTN) AddressInfo->PrefixLength);\r
- }\r
- }\r
-\r
- if (IP_VERSION_6 == GetVerFromAddrInfo (AddressInfo)) {\r
- Print (\r
- L"%x:%x:%x:%x:%x:%x:%x:%x",\r
- (((UINT16) AddressInfo->Address.v6.Addr[0]) << 8) | ((UINT16) AddressInfo->Address.v6.Addr[1]),\r
- (((UINT16) AddressInfo->Address.v6.Addr[2]) << 8) | ((UINT16) AddressInfo->Address.v6.Addr[3]),\r
- (((UINT16) AddressInfo->Address.v6.Addr[4]) << 8) | ((UINT16) AddressInfo->Address.v6.Addr[5]),\r
- (((UINT16) AddressInfo->Address.v6.Addr[6]) << 8) | ((UINT16) AddressInfo->Address.v6.Addr[7]),\r
- (((UINT16) AddressInfo->Address.v6.Addr[8]) << 8) | ((UINT16) AddressInfo->Address.v6.Addr[9]),\r
- (((UINT16) AddressInfo->Address.v6.Addr[10]) << 8) | ((UINT16) AddressInfo->Address.v6.Addr[11]),\r
- (((UINT16) AddressInfo->Address.v6.Addr[12]) << 8) | ((UINT16) AddressInfo->Address.v6.Addr[13]),\r
- (((UINT16) AddressInfo->Address.v6.Addr[14]) << 8) | ((UINT16) AddressInfo->Address.v6.Addr[15])\r
- );\r
- if (AddressInfo->PrefixLength != 128) {\r
- Print (L"/%d", AddressInfo->PrefixLength);\r
- }\r
- }\r
-}\r
-\r
-/**\r
- Private function called to print EFI_IP_ADDRESS content.\r
-\r
- @param[in] IpAddress The pointer to the EFI_IP_ADDRESS structure.\r
-**/\r
-VOID\r
-DumpIpAddress (\r
- IN EFI_IP_ADDRESS *IpAddress\r
- )\r
-{\r
- if (IP_VERSION_4 == GetVerFromIpAddr (IpAddress)) {\r
- Print (\r
- L"%d.%d.%d.%d",\r
- (UINTN) IpAddress->v4.Addr[0],\r
- (UINTN) IpAddress->v4.Addr[1],\r
- (UINTN) IpAddress->v4.Addr[2],\r
- (UINTN) IpAddress->v4.Addr[3]\r
- );\r
- }\r
-\r
- if (IP_VERSION_6 == GetVerFromIpAddr (IpAddress)) {\r
- Print (\r
- L"%x:%x:%x:%x:%x:%x:%x:%x",\r
- (((UINT16) IpAddress->v6.Addr[0]) << 8) | ((UINT16) IpAddress->v6.Addr[1]),\r
- (((UINT16) IpAddress->v6.Addr[2]) << 8) | ((UINT16) IpAddress->v6.Addr[3]),\r
- (((UINT16) IpAddress->v6.Addr[4]) << 8) | ((UINT16) IpAddress->v6.Addr[5]),\r
- (((UINT16) IpAddress->v6.Addr[6]) << 8) | ((UINT16) IpAddress->v6.Addr[7]),\r
- (((UINT16) IpAddress->v6.Addr[8]) << 8) | ((UINT16) IpAddress->v6.Addr[9]),\r
- (((UINT16) IpAddress->v6.Addr[10]) << 8) | ((UINT16) IpAddress->v6.Addr[11]),\r
- (((UINT16) IpAddress->v6.Addr[12]) << 8) | ((UINT16) IpAddress->v6.Addr[13]),\r
- (((UINT16) IpAddress->v6.Addr[14]) << 8) | ((UINT16) IpAddress->v6.Addr[15])\r
- );\r
- }\r
-\r
-}\r
-\r
-/**\r
- Private function called to print EFI_IPSEC_SPD_SELECTOR content.\r
-\r
- @param[in] Selector The pointer to the EFI_IPSEC_SPD_SELECTOR structure.\r
-**/\r
-VOID\r
-DumpSpdSelector (\r
- IN EFI_IPSEC_SPD_SELECTOR *Selector\r
- )\r
-{\r
- UINT32 Index;\r
- CHAR16 *Str;\r
-\r
- for (Index = 0; Index < Selector->LocalAddressCount; Index++) {\r
- if (Index > 0) {\r
- Print (L",");\r
- }\r
-\r
- DumpAddressInfo (&Selector->LocalAddress[Index]);\r
- }\r
-\r
- if (Index == 0) {\r
- Print (L"localhost");\r
- }\r
-\r
- Print (L" -> ");\r
-\r
- for (Index = 0; Index < Selector->RemoteAddressCount; Index++) {\r
- if (Index > 0) {\r
- Print (L",");\r
- }\r
-\r
- DumpAddressInfo (&Selector->RemoteAddress[Index]);\r
- }\r
-\r
- Str = MapIntegerToString (Selector->NextLayerProtocol, mMapIpProtocol);\r
- if (Str != NULL) {\r
- Print (L" %s", Str);\r
- } else {\r
- Print (L" proto:%d", (UINTN) Selector->NextLayerProtocol);\r
- }\r
-\r
- if ((Selector->NextLayerProtocol == EFI_IP4_PROTO_TCP) || (Selector->NextLayerProtocol == EFI_IP4_PROTO_UDP)) {\r
- Print (L" port:");\r
- if (Selector->LocalPort != EFI_IPSEC_ANY_PORT) {\r
- Print (L"%d", Selector->LocalPort);\r
- if (Selector->LocalPortRange != 0) {\r
- Print (L"~%d", (UINTN) Selector->LocalPort + Selector->LocalPortRange);\r
- }\r
- } else {\r
- Print (L"any");\r
- }\r
-\r
- Print (L" -> ");\r
- if (Selector->RemotePort != EFI_IPSEC_ANY_PORT) {\r
- Print (L"%d", Selector->RemotePort);\r
- if (Selector->RemotePortRange != 0) {\r
- Print (L"~%d", (UINTN) Selector->RemotePort + Selector->RemotePortRange);\r
- }\r
- } else {\r
- Print (L"any");\r
- }\r
- } else if (Selector->NextLayerProtocol == EFI_IP4_PROTO_ICMP) {\r
- Print (L" class/code:");\r
- if (Selector->LocalPort != 0) {\r
- Print (L"%d", (UINTN) (UINT8) Selector->LocalPort);\r
- } else {\r
- Print (L"any");\r
- }\r
-\r
- Print (L"/");\r
- if (Selector->RemotePort != 0) {\r
- Print (L"%d", (UINTN) (UINT8) Selector->RemotePort);\r
- } else {\r
- Print (L"any");\r
- }\r
- }\r
-}\r
-\r
-/**\r
- Print EFI_IPSEC_SPD_SELECTOR and EFI_IPSEC_SPD_DATA content.\r
-\r
- @param[in] Selector The pointer to the EFI_IPSEC_SPD_SELECTOR structure.\r
- @param[in] Data The pointer to the EFI_IPSEC_SPD_DATA structure.\r
- @param[in] EntryIndex The pointer to the Index in SPD Database.\r
-\r
- @retval EFI_SUCCESS Dump SPD information successfully.\r
-**/\r
-EFI_STATUS\r
-DumpSpdEntry (\r
- IN EFI_IPSEC_SPD_SELECTOR *Selector,\r
- IN EFI_IPSEC_SPD_DATA *Data,\r
- IN UINTN *EntryIndex\r
- )\r
-{\r
- BOOLEAN HasPre;\r
- CHAR16 DataName[128];\r
- CHAR16 *String1;\r
- CHAR16 *String2;\r
- CHAR16 *String3;\r
- UINT8 Index;\r
-\r
- Print (L"%d.", (*EntryIndex)++);\r
-\r
- //\r
- // xxx.xxx.xxx.xxx/yy -> xxx.xxx.xxx.xx/yy proto:23 port:100~300 -> 300~400\r
- // Protect PF:0x34323423 Name:First Entry\r
- // ext-sequence sequence-overflow fragcheck life:[B0,S1024,H3600]\r
- // ESP algo1 algo2 Tunnel [xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx set]\r
- //\r
-\r
- DumpSpdSelector (Selector);\r
- Print (L"\n ");\r
-\r
- Print (L"%s ", MapIntegerToString (Data->Action, mMapIpSecAction));\r
- Print (L"PF:%08x ", Data->PackageFlag);\r
-\r
- Index = 0;\r
- while (Data->Name[Index] != 0) {\r
- DataName[Index] = (CHAR16) Data->Name[Index];\r
- Index++;\r
- ASSERT (Index < 128);\r
- }\r
- DataName[Index] = L'\0';\r
-\r
- Print (L"Name:%s", DataName);\r
-\r
- if (Data->Action == EfiIPsecActionProtect) {\r
- Print (L"\n ");\r
- if (Data->ProcessingPolicy->ExtSeqNum) {\r
- Print (L"ext-sequence ");\r
- }\r
-\r
- if (Data->ProcessingPolicy->SeqOverflow) {\r
- Print (L"sequence-overflow ");\r
- }\r
-\r
- if (Data->ProcessingPolicy->FragCheck) {\r
- Print (L"fragment-check ");\r
- }\r
-\r
- HasPre = FALSE;\r
- if (Data->ProcessingPolicy->SaLifetime.ByteCount != 0) {\r
- Print (HasPre ? L"," : L"life:[");\r
- Print (L"%lxB", Data->ProcessingPolicy->SaLifetime.ByteCount);\r
- HasPre = TRUE;\r
- }\r
-\r
- if (Data->ProcessingPolicy->SaLifetime.SoftLifetime != 0) {\r
- Print (HasPre ? L"," : L"life:[");\r
- Print (L"%lxs", Data->ProcessingPolicy->SaLifetime.SoftLifetime);\r
- HasPre = TRUE;\r
- }\r
-\r
- if (Data->ProcessingPolicy->SaLifetime.HardLifetime != 0) {\r
- Print (HasPre ? L"," : L"life:[");\r
- Print (L"%lxS", Data->ProcessingPolicy->SaLifetime.HardLifetime);\r
- HasPre = TRUE;\r
- }\r
-\r
- if (HasPre) {\r
- Print (L"]");\r
- }\r
-\r
- if (HasPre || Data->ProcessingPolicy->ExtSeqNum ||\r
- Data->ProcessingPolicy->SeqOverflow || Data->ProcessingPolicy->FragCheck) {\r
- Print (L"\n ");\r
- }\r
-\r
- String1 = MapIntegerToString (Data->ProcessingPolicy->Proto, mMapIpSecProtocol);\r
- String2 = MapIntegerToString (Data->ProcessingPolicy->AuthAlgoId, mMapAuthAlgo);\r
- String3 = MapIntegerToString (Data->ProcessingPolicy->EncAlgoId, mMapEncAlgo);\r
- Print (\r
- L"%s Auth:%s Encrypt:%s ",\r
- String1,\r
- String2,\r
- String3\r
- );\r
-\r
- Print (L"%s ", MapIntegerToString (Data->ProcessingPolicy->Mode, mMapIpSecMode));\r
- if (Data->ProcessingPolicy->Mode == EfiIPsecTunnel) {\r
- Print (L"[");\r
- DumpIpAddress (&Data->ProcessingPolicy->TunnelOption->LocalTunnelAddress);\r
- Print (L" -> ");\r
- DumpIpAddress (&Data->ProcessingPolicy->TunnelOption->RemoteTunnelAddress);\r
- Print (L" %s]", MapIntegerToString (Data->ProcessingPolicy->TunnelOption->DF, mMapDfOption));\r
- }\r
- }\r
-\r
- Print (L"\n");\r
-\r
- return EFI_SUCCESS;\r
-}\r
-\r
-/**\r
- Print EFI_IPSEC_SA_ID and EFI_IPSEC_SA_DATA2 content.\r
-\r
- @param[in] SaId The pointer to the EFI_IPSEC_SA_ID structure.\r
- @param[in] Data The pointer to the EFI_IPSEC_SA_DATA2 structure.\r
- @param[in] EntryIndex The pointer to the Index in the SAD Database.\r
-\r
- @retval EFI_SUCCESS Dump SAD information successfully.\r
-**/\r
-EFI_STATUS\r
-DumpSadEntry (\r
- IN EFI_IPSEC_SA_ID *SaId,\r
- IN EFI_IPSEC_SA_DATA2 *Data,\r
- IN UINTN *EntryIndex\r
- )\r
-{\r
- BOOLEAN HasPre;\r
- CHAR16 *AuthAlgoStr;\r
- CHAR16 *EncAlgoStr;\r
-\r
- AuthAlgoStr = NULL;\r
- EncAlgoStr = NULL;\r
-\r
- //\r
- // SPI:1234 ESP Destination:xxx.xxx.xxx.xxx\r
- // Mode:Transport SeqNum:134 AntiReplayWin:64 life:[0B,1023s,3400S] PathMTU:34\r
- // Auth:xxxx/password Encrypt:yyyy/password\r
- // xxx.xxx.xxx.xxx/yy -> xxx.xxx.xxx.xx/yy proto:23 port:100~300 -> 300~400\r
- //\r
-\r
- Print (L"%d.", (*EntryIndex)++);\r
- Print (L"0x%x %s ", (UINTN) SaId->Spi, MapIntegerToString (SaId->Proto, mMapIpSecProtocol));\r
- if (Data->Mode == EfiIPsecTunnel) {\r
- Print (L"TunnelSourceAddress:");\r
- DumpIpAddress (&Data->TunnelSourceAddress);\r
- Print (L"\n");\r
- Print (L" TunnelDestination:");\r
- DumpIpAddress (&Data->TunnelDestinationAddress);\r
- Print (L"\n");\r
- }\r
-\r
- Print (\r
- L" Mode:%s SeqNum:%lx AntiReplayWin:%d ",\r
- MapIntegerToString (Data->Mode, mMapIpSecMode),\r
- Data->SNCount,\r
- (UINTN) Data->AntiReplayWindows\r
- );\r
-\r
- HasPre = FALSE;\r
- if (Data->SaLifetime.ByteCount != 0) {\r
- Print (HasPre ? L"," : L"life:[");\r
- Print (L"%lxB", Data->SaLifetime.ByteCount);\r
- HasPre = TRUE;\r
- }\r
-\r
- if (Data->SaLifetime.SoftLifetime != 0) {\r
- Print (HasPre ? L"," : L"life:[");\r
- Print (L"%lxs", Data->SaLifetime.SoftLifetime);\r
- HasPre = TRUE;\r
- }\r
-\r
- if (Data->SaLifetime.HardLifetime != 0) {\r
- Print (HasPre ? L"," : L"life:[");\r
- Print (L"%lxS", Data->SaLifetime.HardLifetime);\r
- HasPre = TRUE;\r
- }\r
-\r
- if (HasPre) {\r
- Print (L"] ");\r
- }\r
-\r
- Print (L"PathMTU:%d\n", (UINTN) Data->PathMTU);\r
-\r
- if (SaId->Proto == EfiIPsecAH) {\r
- Print (\r
- L" Auth:%s/%s\n",\r
- MapIntegerToString (Data->AlgoInfo.AhAlgoInfo.AuthAlgoId, mMapAuthAlgo),\r
- Data->AlgoInfo.AhAlgoInfo.AuthKey\r
- );\r
- } else {\r
- AuthAlgoStr = MapIntegerToString (Data->AlgoInfo.EspAlgoInfo.AuthAlgoId, mMapAuthAlgo);\r
- EncAlgoStr = MapIntegerToString (Data->AlgoInfo.EspAlgoInfo.EncAlgoId, mMapEncAlgo);\r
-\r
- if (Data->ManualSet) {\r
- //\r
- // if the SAD is set manually the key is a Ascii string in most of time.\r
- // Print the Key in Ascii string format.\r
- //\r
- Print (L" Auth:%s/",AuthAlgoStr);\r
- DumpAsciiString (\r
- Data->AlgoInfo.EspAlgoInfo.AuthKey,\r
- Data->AlgoInfo.EspAlgoInfo.AuthKeyLength\r
- );\r
- Print (L"\n Encrypt:%s/",EncAlgoStr);\r
- DumpAsciiString (\r
- Data->AlgoInfo.EspAlgoInfo.EncKey,\r
- Data->AlgoInfo.EspAlgoInfo.EncKeyLength\r
- );\r
- } else {\r
- //\r
- // if the SAD is created by IKE, the key is a set of hex value in buffer.\r
- // Print the Key in Hex format.\r
- //\r
- Print (L" Auth:%s/",AuthAlgoStr);\r
- DumpBuf ((UINT8 *)(Data->AlgoInfo.EspAlgoInfo.AuthKey), Data->AlgoInfo.EspAlgoInfo.AuthKeyLength);\r
-\r
- Print (L"\n Encrypt:%s/",EncAlgoStr);\r
- DumpBuf ((UINT8 *)(Data->AlgoInfo.EspAlgoInfo.EncKey), Data->AlgoInfo.EspAlgoInfo.EncKeyLength);\r
- }\r
- }\r
- Print (L"\n");\r
- if (Data->SpdSelector != NULL) {\r
- Print (L" ");\r
- DumpSpdSelector (Data->SpdSelector);\r
- Print (L"\n");\r
- }\r
-\r
- return EFI_SUCCESS;\r
-}\r
-\r
-/**\r
- Print EFI_IPSEC_PAD_ID and EFI_IPSEC_PAD_DATA content.\r
-\r
- @param[in] PadId The pointer to the EFI_IPSEC_PAD_ID structure.\r
- @param[in] Data The pointer to the EFI_IPSEC_PAD_DATA structure.\r
- @param[in] EntryIndex The pointer to the Index in the PAD Database.\r
-\r
- @retval EFI_SUCCESS Dump PAD information successfully.\r
-**/\r
-EFI_STATUS\r
-DumpPadEntry (\r
- IN EFI_IPSEC_PAD_ID *PadId,\r
- IN EFI_IPSEC_PAD_DATA *Data,\r
- IN UINTN *EntryIndex\r
- )\r
-{\r
- CHAR16 *String1;\r
- CHAR16 *String2;\r
-\r
- //\r
- // ADDR:10.23.17.34/15\r
- // IDEv1 PreSharedSecret IKE-ID\r
- // password\r
- //\r
-\r
- Print (L"%d.", (*EntryIndex)++);\r
-\r
- if (PadId->PeerIdValid) {\r
- Print (L"ID:%s", PadId->Id.PeerId);\r
- } else {\r
- Print (L"ADDR:");\r
- DumpAddressInfo (&PadId->Id.IpAddress);\r
- }\r
-\r
- Print (L"\n");\r
-\r
- String1 = MapIntegerToString (Data->AuthProtocol, mMapAuthProto);\r
- String2 = MapIntegerToString (Data->AuthMethod, mMapAuthMethod);\r
- Print (\r
- L" %s %s",\r
- String1,\r
- String2\r
- );\r
-\r
- if (Data->IkeIdFlag) {\r
- Print (L"IKE-ID");\r
- }\r
-\r
- Print (L"\n");\r
-\r
- if (Data->AuthData != NULL) {\r
- DumpAsciiString (Data->AuthData, Data->AuthDataSize);\r
- Print (L"\n");\r
- }\r
-\r
- if (Data->RevocationData != NULL) {\r
- Print (L" %s\n", Data->RevocationData);\r
- }\r
-\r
- return EFI_SUCCESS;\r
-\r
-}\r
-\r
-VISIT_POLICY_ENTRY mDumpPolicyEntry[] = {\r
- (VISIT_POLICY_ENTRY) DumpSpdEntry,\r
- (VISIT_POLICY_ENTRY) DumpSadEntry,\r
- (VISIT_POLICY_ENTRY) DumpPadEntry\r
-};\r
-\r
-/**\r
- Print all entry information in the database according to datatype.\r
-\r
- @param[in] DataType The value of EFI_IPSEC_CONFIG_DATA_TYPE.\r
- @param[in] ParamPackage The pointer to the ParamPackage list.\r
-\r
- @retval EFI_SUCCESS Dump all information successfully.\r
- @retval Others Some mistaken case.\r
-**/\r
-EFI_STATUS\r
-ListPolicyEntry (\r
- IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,\r
- IN LIST_ENTRY *ParamPackage\r
- )\r
-{\r
- UINTN EntryIndex;\r
-\r
- EntryIndex = 0;\r
- return ForeachPolicyEntry (DataType, mDumpPolicyEntry[DataType], &EntryIndex);\r
-}\r
-\r
+++ /dev/null
-/** @file\r
- The function declaration of dump policy entry function in IpSecConfig application.\r
-\r
- Copyright (c) 2009 - 2010, Intel Corporation. All rights reserved.<BR>\r
-\r
- SPDX-License-Identifier: BSD-2-Clause-Patent\r
-\r
-**/\r
-\r
-#ifndef _DUMP_H_\r
-#define _DUMP_H_\r
-\r
-/**\r
- Print all entry information in the database according to datatype.\r
-\r
- @param[in] DataType The value of EFI_IPSEC_CONFIG_DATA_TYPE.\r
- @param[in] ParamPackage The pointer to the ParamPackage list.\r
-\r
- @retval EFI_SUCCESS Dump all information successfully.\r
- @retval Others Some mistaken case.\r
-**/\r
-EFI_STATUS\r
-ListPolicyEntry (\r
- IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,\r
- IN LIST_ENTRY *ParamPackage\r
- );\r
-\r
-#endif\r
+++ /dev/null
-/** @file\r
- The implementation to go through each entry in IpSecConfig application.\r
-\r
- Copyright (c) 2009 - 2010, Intel Corporation. All rights reserved.<BR>\r
-\r
- SPDX-License-Identifier: BSD-2-Clause-Patent\r
-\r
-**/\r
-\r
-#include "IpSecConfig.h"\r
-#include "ForEach.h"\r
-\r
-\r
-/**\r
- Enumerate all entries in the database to execute specified operations according to datatype.\r
-\r
- @param[in] DataType The value of EFI_IPSEC_CONFIG_DATA_TYPE.\r
- @param[in] Routine The pointer to the function of a specified operation.\r
- @param[in] Context The pointer to the context of a function.\r
-\r
- @retval EFI_SUCCESS Execute specified operation successfully.\r
-**/\r
-EFI_STATUS\r
-ForeachPolicyEntry (\r
- IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,\r
- IN VISIT_POLICY_ENTRY Routine,\r
- IN VOID *Context\r
- )\r
-{\r
- EFI_STATUS GetNextStatus;\r
- EFI_STATUS GetDataStatus;\r
- EFI_IPSEC_CONFIG_SELECTOR *Selector;\r
- VOID *Data;\r
- UINTN SelectorSize;\r
- UINTN DataSize;\r
- BOOLEAN FirstGetNext;\r
-\r
- FirstGetNext = TRUE;\r
- SelectorSize = sizeof (EFI_IPSEC_CONFIG_SELECTOR);\r
- Selector = AllocateZeroPool (SelectorSize);\r
-\r
- DataSize = 0;\r
- Data = NULL;\r
-\r
- while (TRUE) {\r
- GetNextStatus = mIpSecConfig->GetNextSelector (\r
- mIpSecConfig,\r
- DataType,\r
- &SelectorSize,\r
- Selector\r
- );\r
- if (GetNextStatus == EFI_BUFFER_TOO_SMALL) {\r
- gBS->FreePool (Selector);\r
- Selector = FirstGetNext ? AllocateZeroPool (SelectorSize) : AllocatePool (SelectorSize);\r
-\r
- GetNextStatus = mIpSecConfig->GetNextSelector (\r
- mIpSecConfig,\r
- DataType,\r
- &SelectorSize,\r
- Selector\r
- );\r
- }\r
-\r
- if (EFI_ERROR (GetNextStatus)) {\r
- break;\r
- }\r
-\r
- FirstGetNext = FALSE;\r
-\r
- GetDataStatus = mIpSecConfig->GetData (\r
- mIpSecConfig,\r
- DataType,\r
- Selector,\r
- &DataSize,\r
- Data\r
- );\r
- if (GetDataStatus == EFI_BUFFER_TOO_SMALL) {\r
- if (Data != NULL) {\r
- gBS->FreePool (Data);\r
- }\r
-\r
- Data = AllocateZeroPool (DataSize);\r
- GetDataStatus = mIpSecConfig->GetData (\r
- mIpSecConfig,\r
- DataType,\r
- Selector,\r
- &DataSize,\r
- Data\r
- );\r
- }\r
-\r
- ASSERT_EFI_ERROR (GetDataStatus);\r
-\r
- if (EFI_ERROR (Routine (Selector, Data, Context))) {\r
- break;\r
- }\r
- }\r
-\r
- if (Data != NULL) {\r
- gBS->FreePool (Data);\r
- }\r
-\r
- if (Selector != NULL) {\r
- gBS->FreePool (Selector);\r
- }\r
-\r
- return EFI_SUCCESS;\r
-}\r
-\r
+++ /dev/null
-/** @file\r
- The internal structure and function declaration of the implementation\r
- to go through each entry in IpSecConfig application.\r
-\r
- Copyright (c) 2009 - 2010, Intel Corporation. All rights reserved.<BR>\r
-\r
- SPDX-License-Identifier: BSD-2-Clause-Patent\r
-\r
-**/\r
-\r
-#ifndef _FOREACH_H_\r
-#define _FOREACH_H_\r
-\r
-/**\r
- The prototype for the DumpSpdEntry()/DumpSadEntry()/DumpPadEntry().\r
- Print EFI_IPSEC_CONFIG_SELECTOR and corresponding content.\r
-\r
- @param[in] Selector The pointer to the EFI_IPSEC_CONFIG_SELECTOR union.\r
- @param[in] Data The pointer to the corresponding data.\r
- @param[in] Context The pointer to the Index in SPD/SAD/PAD Database.\r
-\r
- @retval EFI_SUCCESS Dump SPD/SAD/PAD information successfully.\r
-**/\r
-typedef\r
-EFI_STATUS\r
-(*VISIT_POLICY_ENTRY) (\r
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector,\r
- IN VOID *Data,\r
- IN VOID *Context\r
- );\r
-\r
-/**\r
- Enumerate all entry in the database to execute a specified operation according to datatype.\r
-\r
- @param[in] DataType The value of EFI_IPSEC_CONFIG_DATA_TYPE.\r
- @param[in] Routine The pointer to function of a specified operation.\r
- @param[in] Context The pointer to the context of a function.\r
-\r
- @retval EFI_SUCCESS Execute specified operation successfully.\r
-**/\r
-EFI_STATUS\r
-ForeachPolicyEntry (\r
- IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,\r
- IN VISIT_POLICY_ENTRY Routine,\r
- IN VOID *Context\r
- );\r
-\r
-#endif\r
+++ /dev/null
-/** @file\r
- The assistant function implementation for IpSecConfig application.\r
-\r
- Copyright (c) 2009 - 2012, Intel Corporation. All rights reserved.<BR>\r
-\r
- SPDX-License-Identifier: BSD-2-Clause-Patent\r
-\r
-**/\r
-\r
-#include "IpSecConfig.h"\r
-#include "Helper.h"\r
-\r
-/**\r
- Helper function called to change an input parameter in the string format to a number.\r
-\r
- @param[in] FlagStr The pointer to the flag string.\r
- @param[in] Maximum Greatest value number.\r
- @param[in, out] ValuePtr The pointer to the input parameter in string format.\r
- @param[in] ByteCount The valid byte count\r
- @param[in] Map The pointer to the STR2INT table.\r
- @param[in] ParamPackage The pointer to the ParamPackage list.\r
- @param[in] FormatMask The bit mask.\r
- BIT 0 set indicates the value of a flag might be a number.\r
- BIT 1 set indicates the value of a flag might be a string that needs to be looked up.\r
-\r
- @retval EFI_SUCCESS The operation completed successfully.\r
- @retval EFI_NOT_FOUND The input parameter can't be found.\r
- @retval EFI_INVALID_PARAMETER The input parameter is an invalid input.\r
-**/\r
-EFI_STATUS\r
-GetNumber (\r
- IN CHAR16 *FlagStr,\r
- IN UINT64 Maximum,\r
- IN OUT VOID *ValuePtr,\r
- IN UINTN ByteCount,\r
- IN STR2INT *Map,\r
- IN LIST_ENTRY *ParamPackage,\r
- IN UINT32 FormatMask\r
- )\r
-{\r
- EFI_STATUS Status;\r
- UINT64 Value64;\r
- BOOLEAN Converted;\r
- UINTN Index;\r
- CONST CHAR16 *ValueStr;\r
-\r
- ASSERT (FormatMask & (FORMAT_NUMBER | FORMAT_STRING));\r
-\r
- Converted = FALSE;\r
- Value64 = 0;\r
- ValueStr = ShellCommandLineGetValue (ParamPackage, FlagStr);\r
-\r
- if (ValueStr == NULL) {\r
- return EFI_NOT_FOUND;\r
- } else {\r
- //\r
- // Try to convert to integer directly if MaybeNumber is TRUE.\r
- //\r
- if ((FormatMask & FORMAT_NUMBER) != 0) {\r
- Value64 = StrToUInteger (ValueStr, &Status);\r
- if (!EFI_ERROR (Status)) {\r
- //\r
- // Convert successfully.\r
- //\r
- if (Value64 > Maximum) {\r
- //\r
- // But the result is invalid\r
- //\r
- ShellPrintHiiEx (\r
- -1,\r
- -1,\r
- NULL,\r
- STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE),\r
- mHiiHandle,\r
- mAppName,\r
- FlagStr,\r
- ValueStr\r
- );\r
- return EFI_INVALID_PARAMETER;\r
- }\r
-\r
- Converted = TRUE;\r
- }\r
- }\r
-\r
- if (!Converted && ((FormatMask & FORMAT_STRING) != 0)) {\r
- //\r
- // Convert falied, so use String->Integer map.\r
- //\r
- ASSERT (Map != NULL);\r
- Value64 = MapStringToInteger (ValueStr, Map);\r
- if (Value64 == (UINT32) -1) {\r
- //\r
- // Cannot find the string in the map.\r
- //\r
- ShellPrintHiiEx (\r
- -1,\r
- -1,\r
- NULL,\r
- STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE),\r
- mHiiHandle,\r
- mAppName,\r
- FlagStr,\r
- ValueStr\r
- );\r
- ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_ACCEPT_PARAMETERS), mHiiHandle);\r
- for (Index = 0; Map[Index].String != NULL; Index++) {\r
- Print (L" %s", Map[Index].String);\r
- }\r
-\r
- Print (L"\n");\r
- return EFI_INVALID_PARAMETER;\r
- }\r
- }\r
-\r
- CopyMem (ValuePtr, &Value64, ByteCount);\r
- return EFI_SUCCESS;\r
- }\r
-}\r
-\r
-/**\r
- Helper function called to convert a string containing an Ipv4 or Ipv6 Internet Protocol address\r
- into a proper address for the EFI_IP_ADDRESS structure.\r
-\r
- @param[in] Ptr The pointer to the string containing an Ipv4 or Ipv6 Internet Protocol address.\r
- @param[out] Ip The pointer to the EFI_IP_ADDRESS structure to contain the result.\r
-\r
- @retval EFI_SUCCESS The operation completed successfully.\r
- @retval EFI_INVALID_PARAMETER Invalid parameter.\r
-**/\r
-EFI_STATUS\r
-EfiInetAddr2 (\r
- IN CHAR16 *Ptr,\r
- OUT EFI_IP_ADDRESS *Ip\r
- )\r
-{\r
- EFI_STATUS Status;\r
-\r
- if ((Ptr == NULL) || (Ip == NULL)) {\r
- return EFI_INVALID_PARAMETER;\r
- }\r
-\r
- //\r
- // Parse the input address as Ipv4 Address first.\r
- //\r
- Status = NetLibStrToIp4 (Ptr, &Ip->v4);\r
- if (!EFI_ERROR (Status)) {\r
- return Status;\r
- }\r
-\r
- Status = NetLibStrToIp6 (Ptr, &Ip->v6);\r
- return Status;\r
-}\r
-\r
-/**\r
- Helper function called to calculate the prefix length associated with the string\r
- containing an Ipv4 or Ipv6 Internet Protocol address.\r
-\r
- @param[in] Ptr The pointer to the string containing an Ipv4 or Ipv6 Internet Protocol address.\r
- @param[out] Addr The pointer to the EFI_IP_ADDRESS_INFO structure to contain the result.\r
-\r
- @retval EFI_SUCCESS The operation completed successfully.\r
- @retval EFI_INVALID_PARAMETER Invalid parameter.\r
- @retval Others Other mistake case.\r
-**/\r
-EFI_STATUS\r
-EfiInetAddrRange (\r
- IN CHAR16 *Ptr,\r
- OUT EFI_IP_ADDRESS_INFO *Addr\r
- )\r
-{\r
- EFI_STATUS Status;\r
-\r
- if ((Ptr == NULL) || (Addr == NULL)) {\r
- return EFI_INVALID_PARAMETER;\r
- }\r
-\r
- Status = NetLibStrToIp4 (Ptr, &Addr->Address.v4);\r
- if (!EFI_ERROR (Status)) {\r
- if ((UINT32)(*Addr->Address.v4.Addr) == 0) {\r
- Addr->PrefixLength = 0;\r
- } else {\r
- Addr->PrefixLength = 32;\r
- }\r
- return Status;\r
- }\r
-\r
- Status = NetLibStrToIp6andPrefix (Ptr, &Addr->Address.v6, &Addr->PrefixLength);\r
- if (!EFI_ERROR (Status) && (Addr->PrefixLength == 0xFF)) {\r
- Addr->PrefixLength = 128;\r
- }\r
-\r
- return Status;\r
-}\r
-\r
-/**\r
- Helper function called to calculate the port range associated with the string.\r
-\r
- @param[in] Ptr The pointer to the string containing a port and range.\r
- @param[out] Port The pointer to the Port to contain the result.\r
- @param[out] PortRange The pointer to the PortRange to contain the result.\r
-\r
- @retval EFI_SUCCESS The operation completed successfully.\r
- @retval EFI_INVALID_PARAMETER Invalid parameter.\r
- @retval Others Other mistake case.\r
-**/\r
-EFI_STATUS\r
-EfiInetPortRange (\r
- IN CHAR16 *Ptr,\r
- OUT UINT16 *Port,\r
- OUT UINT16 *PortRange\r
- )\r
-{\r
- CHAR16 *BreakPtr;\r
- CHAR16 Ch;\r
- EFI_STATUS Status;\r
-\r
- for (BreakPtr = Ptr; (*BreakPtr != L'\0') && (*BreakPtr != L':'); BreakPtr++) {\r
- ;\r
- }\r
-\r
- Ch = *BreakPtr;\r
- *BreakPtr = L'\0';\r
- *Port = (UINT16) StrToUInteger (Ptr, &Status);\r
- *BreakPtr = Ch;\r
- if (EFI_ERROR (Status)) {\r
- return Status;\r
- }\r
-\r
- *PortRange = 0;\r
- if (*BreakPtr == L':') {\r
- BreakPtr++;\r
- *PortRange = (UINT16) StrToUInteger (BreakPtr, &Status);\r
- if (EFI_ERROR (Status)) {\r
- return Status;\r
- }\r
-\r
- if (*PortRange < *Port) {\r
- return EFI_INVALID_PARAMETER;\r
- }\r
-\r
- *PortRange = (UINT16) (*PortRange - *Port);\r
- }\r
-\r
- return EFI_SUCCESS;\r
-}\r
-\r
-/**\r
- Helper function called to transfer a string to an unsigned integer.\r
-\r
- @param[in] Str The pointer to the string.\r
- @param[out] Status The operation status.\r
-\r
- @return The integer value of converted Str.\r
-**/\r
-UINT64\r
-StrToUInteger (\r
- IN CONST CHAR16 *Str,\r
- OUT EFI_STATUS *Status\r
- )\r
-{\r
- UINT64 Value;\r
- UINT64 NewValue;\r
- CHAR16 *StrTail;\r
- CHAR16 Char;\r
- UINTN Base;\r
- UINTN Len;\r
-\r
- Base = 10;\r
- Value = 0;\r
- *Status = EFI_ABORTED;\r
-\r
- //\r
- // Skip leading white space.\r
- //\r
- while ((*Str != 0) && (*Str == ' ')) {\r
- Str++;\r
- }\r
- //\r
- // For NULL Str, just return.\r
- //\r
- if (*Str == 0) {\r
- return 0;\r
- }\r
- //\r
- // Skip white space in tail.\r
- //\r
- Len = StrLen (Str);\r
- StrTail = (CHAR16 *) (Str + Len - 1);\r
- while (*StrTail == ' ') {\r
- *StrTail = 0;\r
- StrTail--;\r
- }\r
-\r
- Len = StrTail - Str + 1;\r
-\r
- //\r
- // Check hex prefix '0x'.\r
- //\r
- if ((Len >= 2) && (*Str == '0') && ((*(Str + 1) == 'x') || (*(Str + 1) == 'X'))) {\r
- Str += 2;\r
- Len -= 2;\r
- Base = 16;\r
- }\r
-\r
- if (Len == 0) {\r
- return 0;\r
- }\r
- //\r
- // Convert the string to value.\r
- //\r
- for (; Str <= StrTail; Str++) {\r
-\r
- Char = *Str;\r
-\r
- if (Base == 16) {\r
- if (RShiftU64 (Value, 60) != 0) {\r
- //\r
- // Overflow here x16.\r
- //\r
- return 0;\r
- }\r
-\r
- NewValue = LShiftU64 (Value, 4);\r
- } else {\r
- if (RShiftU64 (Value, 61) != 0) {\r
- //\r
- // Overflow here x8.\r
- //\r
- return 0;\r
- }\r
-\r
- NewValue = LShiftU64 (Value, 3);\r
- Value = LShiftU64 (Value, 1);\r
- NewValue += Value;\r
- if (NewValue < Value) {\r
- //\r
- // Overflow here.\r
- //\r
- return 0;\r
- }\r
- }\r
-\r
- Value = NewValue;\r
-\r
- if ((Base == 16) && (Char >= 'a') && (Char <= 'f')) {\r
- Char = (CHAR16) (Char - 'a' + 'A');\r
- }\r
-\r
- if ((Base == 16) && (Char >= 'A') && (Char <= 'F')) {\r
- Value += (Char - 'A') + 10;\r
- } else if ((Char >= '0') && (Char <= '9')) {\r
- Value += (Char - '0');\r
- } else {\r
- //\r
- // Unexpected Char encountered.\r
- //\r
- return 0;\r
- }\r
- }\r
-\r
- *Status = EFI_SUCCESS;\r
- return Value;\r
-}\r
-\r
-/**\r
- Helper function called to transfer a string to an unsigned integer according to the map table.\r
-\r
- @param[in] Str The pointer to the string.\r
- @param[in] Map The pointer to the map table.\r
-\r
- @return The integer value of converted Str. If not found, then return -1.\r
-**/\r
-UINT32\r
-MapStringToInteger (\r
- IN CONST CHAR16 *Str,\r
- IN STR2INT *Map\r
- )\r
-{\r
- STR2INT *Item;\r
-\r
- for (Item = Map; Item->String != NULL; Item++) {\r
- if (StrCmp (Item->String, Str) == 0) {\r
- return Item->Integer;\r
- }\r
- }\r
-\r
- return (UINT32) -1;\r
-}\r
-\r
-/**\r
- Helper function called to transfer an unsigned integer to a string according to the map table.\r
-\r
- @param[in] Integer The pointer to the string.\r
- @param[in] Map The pointer to the map table.\r
-\r
- @return The converted Str. If not found, then return NULL.\r
-**/\r
-CHAR16 *\r
-MapIntegerToString (\r
- IN UINT32 Integer,\r
- IN STR2INT *Map\r
- )\r
-{\r
- STR2INT *Item;\r
-\r
- for (Item = Map; Item->String != NULL; Item++) {\r
- if (Integer == Item->Integer) {\r
- return Item->String;\r
- }\r
- }\r
-\r
- return NULL;\r
-}\r
+++ /dev/null
-/** @file\r
- The assistant function declaration for IpSecConfig application.\r
-\r
- Copyright (c) 2009 - 2010, Intel Corporation. All rights reserved.<BR>\r
-\r
- SPDX-License-Identifier: BSD-2-Clause-Patent\r
-\r
-**/\r
-\r
-#ifndef _HELPER_H_\r
-#define _HELPER_H_\r
-\r
-#define FORMAT_NUMBER 0x1\r
-#define FORMAT_STRING 0x2\r
-\r
-/**\r
- Helper function called to change input parameter in string format to number.\r
-\r
- @param[in] FlagStr The pointer to the flag string.\r
- @param[in] Maximum most value number.\r
- @param[in, out] ValuePtr The pointer to the input parameter in string format.\r
- @param[in] ByteCount The valid byte count\r
- @param[in] Map The pointer to the STR2INT table.\r
- @param[in] ParamPackage The pointer to the ParamPackage list.\r
- @param[in] FormatMask The bit mask.\r
- BIT 0 set indicates the value of flag might be number.\r
- BIT 1 set indicates the value of flag might be a string that needs to be looked up.\r
-\r
- @retval EFI_SUCCESS The operation completed successfully.\r
- @retval EFI_NOT_FOUND The input parameter can't be found.\r
- @retval EFI_INVALID_PARAMETER The input parameter is an invalid input.\r
-**/\r
-EFI_STATUS\r
-GetNumber (\r
- IN CHAR16 *FlagStr,\r
- IN UINT64 Maximum,\r
- IN OUT VOID *ValuePtr,\r
- IN UINTN ByteCount,\r
- IN STR2INT *Map,\r
- IN LIST_ENTRY *ParamPackage,\r
- IN UINT32 FormatMask\r
- );\r
-\r
-/**\r
- Helper function called to convert a string containing an (Ipv4) Internet Protocol dotted address\r
- into a proper address for the EFI_IP_ADDRESS structure.\r
-\r
- @param[in] Ptr The pointer to the string containing an (Ipv4) Internet Protocol dotted address.\r
- @param[out] Ip The pointer to the Ip address structure to contain the result.\r
-\r
- @retval EFI_SUCCESS The operation completed successfully.\r
- @retval EFI_INVALID_PARAMETER Invalid parameter.\r
-**/\r
-EFI_STATUS\r
-EfiInetAddr2 (\r
- IN CHAR16 *Ptr,\r
- OUT EFI_IP_ADDRESS *Ip\r
- );\r
-\r
-/**\r
- Helper function called to calculate the prefix length associated with the string\r
- containing an Ipv4 or Ipv6 Internet Protocol address.\r
-\r
- @param[in] Ptr The pointer to the string containing an Ipv4 or Ipv6 Internet Protocol address.\r
- @param[out] Addr The pointer to the EFI_IP_ADDRESS_INFO structure to contain the result.\r
-\r
- @retval EFI_SUCCESS The operation completed successfully.\r
- @retval EFI_INVALID_PARAMETER Invalid parameter.\r
- @retval Others Other mistake case.\r
-**/\r
-EFI_STATUS\r
-EfiInetAddrRange (\r
- IN CHAR16 *Ptr,\r
- OUT EFI_IP_ADDRESS_INFO *Addr\r
- );\r
-\r
-/**\r
- Helper function called to calculate the port range associated with the string.\r
-\r
- @param[in] Ptr The pointer to the string containing a port and range.\r
- @param[out] Port The pointer to the Port to contain the result.\r
- @param[out] PortRange The pointer to the PortRange to contain the result.\r
-\r
- @retval EFI_SUCCESS The operation completed successfully.\r
- @retval EFI_INVALID_PARAMETER Invalid parameter.\r
- @retval Others Other mistake case.\r
-**/\r
-EFI_STATUS\r
-EfiInetPortRange (\r
- IN CHAR16 *Ptr,\r
- OUT UINT16 *Port,\r
- OUT UINT16 *PortRange\r
- );\r
-\r
-/**\r
- Helper function called to transfer a string to an unsigned integer.\r
-\r
- @param[in] Str The pointer to the string.\r
- @param[out] Status The operation status.\r
-\r
- @return The integer value of a converted str.\r
-**/\r
-UINT64\r
-StrToUInteger (\r
- IN CONST CHAR16 *Str,\r
- OUT EFI_STATUS *Status\r
- );\r
-\r
-/**\r
- Helper function called to transfer a string to an unsigned integer according to the map table.\r
-\r
- @param[in] Str The pointer to the string.\r
- @param[in] Map The pointer to the map table.\r
-\r
- @return The integer value of converted str. If not found, then return -1.\r
-**/\r
-UINT32\r
-MapStringToInteger (\r
- IN CONST CHAR16 *Str,\r
- IN STR2INT *Map\r
- );\r
-\r
-/**\r
- Helper function called to transfer an unsigned integer to a string according to the map table.\r
-\r
- @param[in] Integer The pointer to the string.\r
- @param[in] Map The pointer to the map table.\r
-\r
- @return The converted str. If not found, then return NULL.\r
-**/\r
-CHAR16 *\r
-MapIntegerToString (\r
- IN UINT32 Integer,\r
- IN STR2INT *Map\r
- );\r
-\r
-#endif\r
+++ /dev/null
-/** @file\r
- The implementation of construct ENTRY_INDEXER in IpSecConfig application.\r
-\r
- Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>\r
-\r
- SPDX-License-Identifier: BSD-2-Clause-Patent\r
-\r
-**/\r
-\r
-#include "IpSecConfig.h"\r
-#include "Indexer.h"\r
-#include "Helper.h"\r
-\r
-/**\r
- Fill in SPD_ENTRY_INDEXER through ParamPackage list.\r
-\r
- @param[in, out] Indexer The pointer to the SPD_ENTRY_INDEXER structure.\r
- @param[in] ParamPackage The pointer to the ParamPackage list.\r
-\r
- @retval EFI_SUCCESS Filled in SPD_ENTRY_INDEXER successfully.\r
-**/\r
-EFI_STATUS\r
-ConstructSpdIndexer (\r
- IN OUT SPD_ENTRY_INDEXER *Indexer,\r
- IN LIST_ENTRY *ParamPackage\r
- )\r
-{\r
- EFI_STATUS Status;\r
- UINT64 Value64;\r
- CONST CHAR16 *ValueStr;\r
-\r
- ValueStr = NULL;\r
-\r
- if (ShellCommandLineGetFlag (ParamPackage, L"-i")) {\r
- ValueStr = ShellCommandLineGetValue (ParamPackage, L"-i");\r
- } else if (ShellCommandLineGetFlag (ParamPackage, L"-d")) {\r
- ValueStr = ShellCommandLineGetValue (ParamPackage, L"-d");\r
- } else if (ShellCommandLineGetFlag (ParamPackage, L"-e")) {\r
- ValueStr = ShellCommandLineGetValue (ParamPackage, L"-e");\r
- } else {\r
- return EFI_INVALID_PARAMETER;\r
- }\r
-\r
- if (ValueStr == NULL) {\r
- return EFI_INVALID_PARAMETER;\r
- }\r
-\r
- Value64 = StrToUInteger (ValueStr, &Status);\r
- if (!EFI_ERROR (Status)) {\r
- Indexer->Index = (UINTN) Value64;\r
- ZeroMem (Indexer->Name, MAX_PEERID_LEN);\r
- } else {\r
- UnicodeStrToAsciiStrS (ValueStr, (CHAR8 *) Indexer->Name, MAX_PEERID_LEN);\r
- }\r
-\r
- return EFI_SUCCESS;\r
-}\r
-\r
-/**\r
- Fill in SAD_ENTRY_INDEXER through ParamPackage list.\r
-\r
- @param[in, out] Indexer The pointer to the SAD_ENTRY_INDEXER structure.\r
- @param[in] ParamPackage The pointer to the ParamPackage list.\r
-\r
- @retval EFI_SUCCESS Filled in SPD_ENTRY_INDEXER successfully.\r
- @retval EFI_INVALID_PARAMETER The mistaken user input in ParamPackage list.\r
-**/\r
-EFI_STATUS\r
-ConstructSadIndexer (\r
- IN OUT SAD_ENTRY_INDEXER *Indexer,\r
- IN LIST_ENTRY *ParamPackage\r
- )\r
-{\r
- EFI_STATUS Status;\r
- EFI_STATUS Status1;\r
- UINT64 Value64;\r
- CONST CHAR16 *ValueStr;\r
-\r
- ValueStr = NULL;\r
-\r
- if (ShellCommandLineGetFlag (ParamPackage, L"-i")) {\r
- ValueStr = ShellCommandLineGetValue (ParamPackage, L"-i");\r
- } else if (ShellCommandLineGetFlag (ParamPackage, L"-d")) {\r
- ValueStr = ShellCommandLineGetValue (ParamPackage, L"-d");\r
- } else if (ShellCommandLineGetFlag (ParamPackage, L"-e")) {\r
- ValueStr = ShellCommandLineGetValue (ParamPackage, L"-e");\r
- } else {\r
- return EFI_INVALID_PARAMETER;\r
- }\r
-\r
- if (ValueStr == NULL) {\r
- return EFI_INVALID_PARAMETER;\r
- }\r
-\r
- Value64 = StrToUInteger (ValueStr, &Status);\r
- if (!EFI_ERROR (Status)) {\r
- Indexer->Index = (UINTN) Value64;\r
- ZeroMem (&Indexer->SaId, sizeof (EFI_IPSEC_SA_ID));\r
- } else {\r
- if ((!ShellCommandLineGetFlag (ParamPackage, L"--lookup-spi")) ||\r
- (!ShellCommandLineGetFlag (ParamPackage, L"--lookup-ipsec-proto")) ||\r
- (!ShellCommandLineGetFlag (ParamPackage, L"--lookup-dest"))) {\r
- ShellPrintHiiEx (\r
- -1,\r
- -1,\r
- NULL,\r
- STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS),\r
- mHiiHandle,\r
- mAppName,\r
- L"--lookup-spi --lookup-ipsec-proto --lookup-dest"\r
- );\r
- return EFI_INVALID_PARAMETER;\r
- }\r
-\r
- Status = GetNumber (\r
- L"--lookup-spi",\r
- (UINT32) -1,\r
- &Indexer->SaId.Spi,\r
- sizeof (UINT32),\r
- NULL,\r
- ParamPackage,\r
- FORMAT_NUMBER\r
- );\r
- Status1 = GetNumber (\r
- L"--lookup-ipsec-proto",\r
- 0,\r
- &Indexer->SaId.Proto,\r
- sizeof (EFI_IPSEC_PROTOCOL_TYPE),\r
- mMapIpSecProtocol,\r
- ParamPackage,\r
- FORMAT_STRING\r
- );\r
-\r
- if (EFI_ERROR (Status) || EFI_ERROR (Status1)) {\r
- return EFI_INVALID_PARAMETER;\r
- }\r
-\r
- ValueStr = ShellCommandLineGetValue (ParamPackage, L"--lookup-dest");\r
- ASSERT (ValueStr != NULL);\r
-\r
- Status = EfiInetAddr2 ((CHAR16 *) ValueStr, &Indexer->SaId.DestAddress);\r
- if (EFI_ERROR (Status)) {\r
- ShellPrintHiiEx (\r
- -1,\r
- -1,\r
- NULL,\r
- STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE),\r
- mHiiHandle,\r
- mAppName,\r
- L"--lookup-dest",\r
- ValueStr\r
- );\r
- return EFI_INVALID_PARAMETER;\r
- }\r
- }\r
-\r
- return EFI_SUCCESS;\r
-}\r
-\r
-/**\r
- Fill in PAD_ENTRY_INDEXER through ParamPackage list.\r
-\r
- @param[in, out] Indexer The pointer to the PAD_ENTRY_INDEXER structure.\r
- @param[in] ParamPackage The pointer to the ParamPackage list.\r
-\r
- @retval EFI_SUCCESS Filled in PAD_ENTRY_INDEXER successfully.\r
- @retval EFI_INVALID_PARAMETER The mistaken user input in ParamPackage list.\r
-**/\r
-EFI_STATUS\r
-ConstructPadIndexer (\r
- IN OUT PAD_ENTRY_INDEXER *Indexer,\r
- IN LIST_ENTRY *ParamPackage\r
- )\r
-{\r
- EFI_STATUS Status;\r
- UINT64 Value64;\r
- CONST CHAR16 *ValueStr;\r
-\r
- ValueStr = NULL;\r
-\r
- if (ShellCommandLineGetFlag (ParamPackage, L"-i")) {\r
- ValueStr = ShellCommandLineGetValue (ParamPackage, L"-i");\r
- } else if (ShellCommandLineGetFlag (ParamPackage, L"-d")) {\r
- ValueStr = ShellCommandLineGetValue (ParamPackage, L"-d");\r
- } else if (ShellCommandLineGetFlag (ParamPackage, L"-e")) {\r
- ValueStr = ShellCommandLineGetValue (ParamPackage, L"-e");\r
- } else {\r
- return EFI_INVALID_PARAMETER;\r
- }\r
-\r
- if (ValueStr == NULL) {\r
- return EFI_INVALID_PARAMETER;\r
- }\r
-\r
- Value64 = StrToUInteger (ValueStr, &Status);\r
-\r
- if (!EFI_ERROR (Status)) {\r
- Indexer->Index = (UINTN) Value64;\r
- ZeroMem (&Indexer->PadId, sizeof (EFI_IPSEC_PAD_ID));\r
- } else {\r
-\r
- if (ShellCommandLineGetFlag (ParamPackage, L"--lookup-peer-address")) {\r
- ValueStr = ShellCommandLineGetValue (ParamPackage, L"--lookup-peer-address");\r
- ASSERT (ValueStr != NULL);\r
-\r
- Indexer->PadId.PeerIdValid = FALSE;\r
- Status = EfiInetAddrRange ((CHAR16 *) ValueStr, &Indexer->PadId.Id.IpAddress);\r
- if (EFI_ERROR (Status)) {\r
- ShellPrintHiiEx (\r
- -1,\r
- -1,\r
- NULL,\r
- STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE),\r
- mHiiHandle,\r
- mAppName,\r
- L"--lookup-peer-address",\r
- ValueStr\r
- );\r
- return EFI_INVALID_PARAMETER;\r
- }\r
- } else {\r
- ValueStr = ShellCommandLineGetValue (ParamPackage, L"--lookup-peer-id");\r
- if (ValueStr == NULL) {\r
- ShellPrintHiiEx (\r
- -1,\r
- -1,\r
- NULL,\r
- STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS),\r
- mHiiHandle,\r
- mAppName,\r
- L"--lookup-peer-address --lookup-peer-id"\r
- );\r
- return EFI_INVALID_PARAMETER;\r
- }\r
-\r
- Indexer->PadId.PeerIdValid = TRUE;\r
- ZeroMem (Indexer->PadId.Id.PeerId, MAX_PEERID_LEN);\r
- StrnCpyS ((CHAR16 *) Indexer->PadId.Id.PeerId, MAX_PEERID_LEN / sizeof (CHAR16), ValueStr, MAX_PEERID_LEN / sizeof (CHAR16) - 1);\r
- }\r
- }\r
-\r
- return EFI_SUCCESS;\r
-}\r
-\r
-CONSTRUCT_POLICY_ENTRY_INDEXER mConstructPolicyEntryIndexer[] = {\r
- (CONSTRUCT_POLICY_ENTRY_INDEXER) ConstructSpdIndexer,\r
- (CONSTRUCT_POLICY_ENTRY_INDEXER) ConstructSadIndexer,\r
- (CONSTRUCT_POLICY_ENTRY_INDEXER) ConstructPadIndexer\r
-};\r
+++ /dev/null
-/** @file\r
- The internal structure and function declaration to construct ENTRY_INDEXER in\r
- IpSecConfig application.\r
-\r
- Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.<BR>\r
-\r
- SPDX-License-Identifier: BSD-2-Clause-Patent\r
-\r
-**/\r
-\r
-#ifndef _INDEXER_H_\r
-#define _INDEXER_H_\r
-\r
-typedef struct {\r
- UINT8 Name[MAX_PEERID_LEN];\r
- UINTN Index; // Used only if Name buffer is filled with zero.\r
-} SPD_ENTRY_INDEXER;\r
-\r
-typedef struct {\r
- EFI_IPSEC_SA_ID SaId;\r
- UINTN Index;\r
-} SAD_ENTRY_INDEXER;\r
-\r
-typedef struct {\r
- EFI_IPSEC_PAD_ID PadId;\r
- UINTN Index;\r
-} PAD_ENTRY_INDEXER;\r
-\r
-typedef union {\r
- SPD_ENTRY_INDEXER Spd;\r
- SAD_ENTRY_INDEXER Sad;\r
- PAD_ENTRY_INDEXER Pad;\r
-} POLICY_ENTRY_INDEXER;\r
-\r
-/**\r
- The prototype for the ConstructSpdIndexer()/ConstructSadIndexer()/ConstructPadIndexer().\r
- Fill in SPD_ENTRY_INDEXER/SAD_ENTRY_INDEXER/PAD_ENTRY_INDEXER through ParamPackage list.\r
-\r
- @param[in, out] Indexer The pointer to the POLICY_ENTRY_INDEXER union.\r
- @param[in] ParamPackage The pointer to the ParamPackage list.\r
-\r
- @retval EFI_SUCCESS Filled in POLICY_ENTRY_INDEXER successfully.\r
-**/\r
-typedef\r
-EFI_STATUS\r
-(* CONSTRUCT_POLICY_ENTRY_INDEXER) (\r
- IN POLICY_ENTRY_INDEXER *Indexer,\r
- IN LIST_ENTRY *ParamPackage\r
-);\r
-\r
-extern CONSTRUCT_POLICY_ENTRY_INDEXER mConstructPolicyEntryIndexer[];\r
-#endif\r
+++ /dev/null
-/** @file\r
- The main process for IpSecConfig application.\r
-\r
- Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.<BR>\r
-\r
- SPDX-License-Identifier: BSD-2-Clause-Patent\r
-\r
-**/\r
-\r
-#include <Library/UefiRuntimeServicesTableLib.h>\r
-#include <Library/HiiLib.h>\r
-\r
-#include <Protocol/IpSec.h>\r
-\r
-#include "IpSecConfig.h"\r
-#include "Dump.h"\r
-#include "Indexer.h"\r
-#include "PolicyEntryOperation.h"\r
-#include "Delete.h"\r
-#include "Helper.h"\r
-\r
-//\r
-// String token ID of IpSecConfig command help message text.\r
-//\r
-GLOBAL_REMOVE_IF_UNREFERENCED EFI_STRING_ID mStringIpSecHelpTokenId = STRING_TOKEN (STR_IPSEC_CONFIG_HELP);\r
-\r
-//\r
-// Used for ShellCommandLineParseEx only\r
-// and to ensure user inputs are in valid format\r
-//\r
-SHELL_PARAM_ITEM mIpSecConfigParamList[] = {\r
- { L"-p", TypeValue },\r
- { L"-a", TypeValue },\r
- { L"-i", TypeValue },\r
- { L"-e", TypeValue },\r
- { L"-d", TypeValue },\r
- { L"-f", TypeFlag },\r
- { L"-l", TypeFlag },\r
- { L"-enable", TypeFlag },\r
- { L"-disable", TypeFlag },\r
- { L"-status", TypeFlag },\r
-\r
- //\r
- // SPD Selector\r
- //\r
- { L"--local", TypeValue },\r
- { L"--remote", TypeValue },\r
- { L"--proto", TypeValue },\r
- { L"--local-port", TypeValue },\r
- { L"--remote-port", TypeValue },\r
- { L"--icmp-type", TypeValue },\r
- { L"--icmp-code", TypeValue },\r
-\r
- //\r
- // SPD Data\r
- //\r
- { L"--name", TypeValue },\r
- { L"--packet-flag", TypeValue },\r
- { L"--action", TypeValue },\r
- { L"--lifebyte", TypeValue },\r
- { L"--lifetime-soft", TypeValue },\r
- { L"--lifetime", TypeValue },\r
- { L"--mode", TypeValue },\r
- { L"--tunnel-local", TypeValue },\r
- { L"--tunnel-remote", TypeValue },\r
- { L"--dont-fragment", TypeValue },\r
- { L"--ipsec-proto", TypeValue },\r
- { L"--auth-algo", TypeValue },\r
- { L"--encrypt-algo", TypeValue },\r
-\r
- { L"--ext-sequence", TypeFlag },\r
- { L"--sequence-overflow", TypeFlag },\r
- { L"--fragment-check", TypeFlag },\r
- { L"--ext-sequence-", TypeFlag },\r
- { L"--sequence-overflow-", TypeFlag },\r
- { L"--fragment-check-", TypeFlag },\r
-\r
- //\r
- // SA ID\r
- // --ipsec-proto\r
- //\r
- { L"--spi", TypeValue },\r
- { L"--tunnel-dest", TypeValue },\r
- { L"--tunnel-source", TypeValue },\r
- { L"--lookup-spi", TypeValue },\r
- { L"--lookup-ipsec-proto", TypeValue },\r
- { L"--lookup-dest", TypeValue },\r
-\r
- //\r
- // SA DATA\r
- // --mode\r
- // --auth-algo\r
- // --encrypt-algo\r
- //\r
- { L"--sequence-number", TypeValue },\r
- { L"--antireplay-window", TypeValue },\r
- { L"--auth-key", TypeValue },\r
- { L"--encrypt-key", TypeValue },\r
- { L"--path-mtu", TypeValue },\r
-\r
- //\r
- // PAD ID\r
- //\r
- { L"--peer-id", TypeValue },\r
- { L"--peer-address", TypeValue },\r
- { L"--auth-proto", TypeValue },\r
- { L"--auth-method", TypeValue },\r
- { L"--ike-id", TypeValue },\r
- { L"--ike-id-", TypeValue },\r
- { L"--auth-data", TypeValue },\r
- { L"--revocation-data", TypeValue },\r
- { L"--lookup-peer-id", TypeValue },\r
- { L"--lookup-peer-address", TypeValue },\r
-\r
- { NULL, TypeMax },\r
-};\r
-\r
-//\r
-// -P\r
-//\r
-STR2INT mMapPolicy[] = {\r
- { L"SPD", IPsecConfigDataTypeSpd },\r
- { L"SAD", IPsecConfigDataTypeSad },\r
- { L"PAD", IPsecConfigDataTypePad },\r
- { NULL, 0 },\r
-};\r
-\r
-//\r
-// --proto\r
-//\r
-STR2INT mMapIpProtocol[] = {\r
- { L"TCP", EFI_IP4_PROTO_TCP },\r
- { L"UDP", EFI_IP4_PROTO_UDP },\r
- { L"ICMP", EFI_IP4_PROTO_ICMP },\r
- { NULL, 0 },\r
-};\r
-\r
-//\r
-// --action\r
-//\r
-STR2INT mMapIpSecAction[] = {\r
- { L"Bypass", EfiIPsecActionBypass },\r
- { L"Discard", EfiIPsecActionDiscard },\r
- { L"Protect", EfiIPsecActionProtect },\r
- { NULL, 0 },\r
-};\r
-\r
-//\r
-// --mode\r
-//\r
-STR2INT mMapIpSecMode[] = {\r
- { L"Transport", EfiIPsecTransport },\r
- { L"Tunnel", EfiIPsecTunnel },\r
- { NULL, 0 },\r
-};\r
-\r
-//\r
-// --dont-fragment\r
-//\r
-STR2INT mMapDfOption[] = {\r
- { L"clear", EfiIPsecTunnelClearDf },\r
- { L"set", EfiIPsecTunnelSetDf },\r
- { L"copy", EfiIPsecTunnelCopyDf },\r
- { NULL, 0 },\r
-};\r
-\r
-//\r
-// --ipsec-proto\r
-//\r
-STR2INT mMapIpSecProtocol[] = {\r
- { L"AH", EfiIPsecAH },\r
- { L"ESP", EfiIPsecESP },\r
- { NULL, 0 },\r
-};\r
-\r
-//\r
-// --auth-algo\r
-//\r
-STR2INT mMapAuthAlgo[] = {\r
- { L"NONE", IPSEC_AALG_NONE },\r
- { L"MD5HMAC", IPSEC_AALG_MD5HMAC },\r
- { L"SHA1HMAC", IPSEC_AALG_SHA1HMAC },\r
- { L"SHA2-256HMAC", IPSEC_AALG_SHA2_256HMAC },\r
- { L"SHA2-384HMAC", IPSEC_AALG_SHA2_384HMAC },\r
- { L"SHA2-512HMAC", IPSEC_AALG_SHA2_512HMAC },\r
- { L"AES-XCBC-MAC", IPSEC_AALG_AES_XCBC_MAC },\r
- { L"NULL", IPSEC_AALG_NULL },\r
- { NULL, 0 },\r
-};\r
-\r
-//\r
-// --encrypt-algo\r
-//\r
-STR2INT mMapEncAlgo[] = {\r
- { L"NONE", IPSEC_EALG_NONE },\r
- { L"DESCBC", IPSEC_EALG_DESCBC },\r
- { L"3DESCBC", IPSEC_EALG_3DESCBC },\r
- { L"CASTCBC", IPSEC_EALG_CASTCBC },\r
- { L"BLOWFISHCBC", IPSEC_EALG_BLOWFISHCBC },\r
- { L"NULL", IPSEC_EALG_NULL },\r
- { L"AESCBC", IPSEC_EALG_AESCBC },\r
- { L"AESCTR", IPSEC_EALG_AESCTR },\r
- { L"AES-CCM-ICV8", IPSEC_EALG_AES_CCM_ICV8 },\r
- { L"AES-CCM-ICV12",IPSEC_EALG_AES_CCM_ICV12 },\r
- { L"AES-CCM-ICV16",IPSEC_EALG_AES_CCM_ICV16 },\r
- { L"AES-GCM-ICV8", IPSEC_EALG_AES_GCM_ICV8 },\r
- { L"AES-GCM-ICV12",IPSEC_EALG_AES_GCM_ICV12 },\r
- { L"AES-GCM-ICV16",IPSEC_EALG_AES_GCM_ICV16 },\r
- { NULL, 0 },\r
-};\r
-\r
-//\r
-// --auth-proto\r
-//\r
-STR2INT mMapAuthProto[] = {\r
- { L"IKEv1", EfiIPsecAuthProtocolIKEv1 },\r
- { L"IKEv2", EfiIPsecAuthProtocolIKEv2 },\r
- { NULL, 0 },\r
-};\r
-\r
-//\r
-// --auth-method\r
-//\r
-STR2INT mMapAuthMethod[] = {\r
- { L"PreSharedSecret", EfiIPsecAuthMethodPreSharedSecret },\r
- { L"Certificates", EfiIPsecAuthMethodCertificates },\r
- { NULL, 0 },\r
-};\r
-\r
-EFI_IPSEC2_PROTOCOL *mIpSec;\r
-EFI_IPSEC_CONFIG_PROTOCOL *mIpSecConfig;\r
-EFI_HII_HANDLE mHiiHandle;\r
-CHAR16 mAppName[] = L"IpSecConfig";\r
-\r
-//\r
-// Used for IpSecConfigRetriveCheckListByName only to check the validation of user input\r
-//\r
-VAR_CHECK_ITEM mIpSecConfigVarCheckList[] = {\r
- { L"-enable", BIT(1)|BIT(0), BIT(1), BIT(2)|BIT(1)|BIT(0), 0 },\r
- { L"-disable", BIT(1)|BIT(0), BIT(1), BIT(2)|BIT(1)|BIT(0), 0 },\r
- { L"-status", BIT(1)|BIT(0), BIT(1), BIT(2)|BIT(1)|BIT(0), 0 },\r
- { L"-p", BIT(1), 0, BIT(2)|BIT(1)|BIT(0), 0 },\r
-\r
- { L"-a", BIT(0), 0, BIT(2)|BIT(1)|BIT(0), 0 },\r
- { L"-i", BIT(0), 0, BIT(2)|BIT(1)|BIT(0), 0 },\r
- { L"-d", BIT(0), 0, BIT(2)|BIT(1)|BIT(0), 0 },\r
- { L"-e", BIT(0), 0, BIT(2)|BIT(1)|BIT(0), 0 },\r
- { L"-l", BIT(0), 0, BIT(2)|BIT(1)|BIT(0), 0 },\r
- { L"-f", BIT(0), 0, BIT(2)|BIT(1)|BIT(0), 0 },\r
-\r
- { L"-?", BIT(0), BIT(0), BIT(2)|BIT(1)|BIT(0), 0 },\r
-\r
- //\r
- // SPD Selector\r
- //\r
- { L"--local", 0, 0, BIT(2)|BIT(1), 0 },\r
- { L"--remote", 0, 0, BIT(2)|BIT(1), 0 },\r
- { L"--proto", 0, 0, BIT(2)|BIT(1), 0 },\r
- { L"--local-port", 0, 0, BIT(2)|BIT(1), BIT(0) },\r
- { L"--remote-port", 0, 0, BIT(2)|BIT(1), BIT(0) },\r
- { L"--icmp-type", 0, 0, BIT(2)|BIT(1), BIT(1) },\r
- { L"--icmp-code", 0, 0, BIT(2)|BIT(1), BIT(1) },\r
-\r
- //\r
- // SPD Data\r
- //\r
- { L"--name", 0, 0, BIT(2), 0 },\r
- { L"--packet-flag", 0, 0, BIT(2), 0 },\r
- { L"--action", 0, 0, BIT(2)|BIT(1), 0 },\r
- { L"--lifebyte", 0, 0, BIT(2)|BIT(1), 0 },\r
- { L"--lifetime-soft", 0, 0, BIT(2)|BIT(1), 0 },\r
- { L"--lifetime", 0, 0, BIT(2)|BIT(1), 0 },\r
- { L"--mode", 0, 0, BIT(2)|BIT(1), 0 },\r
- { L"--tunnel-local", 0, 0, BIT(2), 0 },\r
- { L"--tunnel-remote", 0, 0, BIT(2), 0 },\r
- { L"--dont-fragment", 0, 0, BIT(2), 0 },\r
- { L"--ipsec-proto", 0, 0, BIT(2)|BIT(1), 0 },\r
- { L"--auth-algo", 0, 0, BIT(2)|BIT(1), 0 },\r
- { L"--encrypt-algo", 0, 0, BIT(2)|BIT(1), 0 },\r
-\r
- { L"--ext-sequence", 0, 0, BIT(2), BIT(2) },\r
- { L"--sequence-overflow", 0, 0, BIT(2), BIT(2) },\r
- { L"--fragment-check", 0, 0, BIT(2), BIT(2) },\r
- { L"--ext-sequence-", 0, 0, BIT(2), BIT(3) },\r
- { L"--sequence-overflow-", 0, 0, BIT(2), BIT(3) },\r
- { L"--fragment-check-", 0, 0, BIT(2), BIT(3) },\r
-\r
- //\r
- // SA ID\r
- // --ipsec-proto\r
- //\r
- { L"--spi", 0, 0, BIT(1), 0 },\r
- { L"--tunnel-dest", 0, 0, BIT(1), 0 },\r
- { L"--tunnel-source", 0, 0, BIT(1), 0 },\r
- { L"--lookup-spi", 0, 0, BIT(1), 0 },\r
- { L"--lookup-ipsec-proto", 0, 0, BIT(1), 0 },\r
- { L"--lookup-dest", 0, 0, BIT(1), 0 },\r
-\r
- //\r
- // SA DATA\r
- // --mode\r
- // --auth-algo\r
- // --encrypt-algo\r
- //\r
- { L"--sequence-number", 0, 0, BIT(1), 0 },\r
- { L"--antireplay-window", 0, 0, BIT(1), 0 },\r
- { L"--auth-key", 0, 0, BIT(1), 0 },\r
- { L"--encrypt-key", 0, 0, BIT(1), 0 },\r
- { L"--path-mtu", 0, 0, BIT(1), 0 },\r
-\r
- //\r
- // The example to add a PAD:\r
- // "-A --peer-id Mike [--peer-address 10.23.2.2] --auth-proto IKE1/IKE2\r
- // --auth-method PreSharedSeceret/Certificate --ike-id\r
- // --auth-data 343343 --revocation-data 2342432"\r
- // The example to delete a PAD:\r
- // "-D * --lookup-peer-id Mike [--lookup-peer-address 10.23.2.2]"\r
- // "-D 1"\r
- // The example to edit a PAD:\r
- // "-E * --lookup-peer-id Mike --auth-method Certificate"\r
-\r
- //\r
- // PAD ID\r
- //\r
- { L"--peer-id", 0, 0, BIT(0), BIT(4) },\r
- { L"--peer-address", 0, 0, BIT(0), BIT(5) },\r
- { L"--auth-proto", 0, 0, BIT(0), 0 },\r
- { L"--auth-method", 0, 0, BIT(0), 0 },\r
- { L"--IKE-ID", 0, 0, BIT(0), BIT(6) },\r
- { L"--IKE-ID-", 0, 0, BIT(0), BIT(7) },\r
- { L"--auth-data", 0, 0, BIT(0), 0 },\r
- { L"--revocation-data", 0, 0, BIT(0), 0 },\r
- { L"--lookup-peer-id", 0, 0, BIT(0), BIT(4) },\r
- { L"--lookup-peer-address",0, 0, BIT(0), BIT(5) },\r
-\r
- { NULL, 0, 0, 0, 0 },\r
-};\r
-\r
-/**\r
- The function to allocate the proper sized buffer for various\r
- EFI interfaces.\r
-\r
- @param[in, out] Status Current status.\r
- @param[in, out] Buffer Current allocated buffer, or NULL.\r
- @param[in] BufferSize Current buffer size needed\r
-\r
- @retval TRUE If the buffer was reallocated and the caller should try the API again.\r
- @retval FALSE If the buffer was not reallocated successfully.\r
-**/\r
-BOOLEAN\r
-GrowBuffer (\r
- IN OUT EFI_STATUS *Status,\r
- IN OUT VOID **Buffer,\r
- IN UINTN BufferSize\r
- )\r
-{\r
- BOOLEAN TryAgain;\r
-\r
- ASSERT (Status != NULL);\r
- ASSERT (Buffer != NULL);\r
-\r
- //\r
- // If this is an initial request, buffer will be null with a new buffer size.\r
- //\r
- if ((NULL == *Buffer) && (BufferSize != 0)) {\r
- *Status = EFI_BUFFER_TOO_SMALL;\r
- }\r
-\r
- //\r
- // If the status code is "buffer too small", resize the buffer.\r
- //\r
- TryAgain = FALSE;\r
- if (*Status == EFI_BUFFER_TOO_SMALL) {\r
-\r
- if (*Buffer != NULL) {\r
- FreePool (*Buffer);\r
- }\r
-\r
- *Buffer = AllocateZeroPool (BufferSize);\r
-\r
- if (*Buffer != NULL) {\r
- TryAgain = TRUE;\r
- } else {\r
- *Status = EFI_OUT_OF_RESOURCES;\r
- }\r
- }\r
-\r
- //\r
- // If there's an error, free the buffer.\r
- //\r
- if (!TryAgain && EFI_ERROR (*Status) && (*Buffer != NULL)) {\r
- FreePool (*Buffer);\r
- *Buffer = NULL;\r
- }\r
-\r
- return TryAgain;\r
-}\r
-\r
-/**\r
- Function returns an array of handles that support the requested protocol\r
- in a buffer allocated from a pool.\r
-\r
- @param[in] SearchType Specifies which handle(s) are to be returned.\r
- @param[in] Protocol Provides the protocol to search by.\r
- This parameter is only valid for SearchType ByProtocol.\r
-\r
- @param[in] SearchKey Supplies the search key depending on the SearchType.\r
- @param[in, out] NoHandles The number of handles returned in Buffer.\r
- @param[out] Buffer A pointer to the buffer to return the requested array of\r
- handles that support Protocol.\r
-\r
- @retval EFI_SUCCESS The resulting array of handles was returned.\r
- @retval Others Other mistake case.\r
-**/\r
-EFI_STATUS\r
-LocateHandle (\r
- IN EFI_LOCATE_SEARCH_TYPE SearchType,\r
- IN EFI_GUID *Protocol OPTIONAL,\r
- IN VOID *SearchKey OPTIONAL,\r
- IN OUT UINTN *NoHandles,\r
- OUT EFI_HANDLE **Buffer\r
- )\r
-{\r
- EFI_STATUS Status;\r
- UINTN BufferSize;\r
-\r
- ASSERT (NoHandles != NULL);\r
- ASSERT (Buffer != NULL);\r
-\r
- //\r
- // Initialize for GrowBuffer loop.\r
- //\r
- Status = EFI_SUCCESS;\r
- *Buffer = NULL;\r
- BufferSize = 50 * sizeof (EFI_HANDLE);\r
-\r
- //\r
- // Call the real function.\r
- //\r
- while (GrowBuffer (&Status, (VOID **) Buffer, BufferSize)) {\r
- Status = gBS->LocateHandle (\r
- SearchType,\r
- Protocol,\r
- SearchKey,\r
- &BufferSize,\r
- *Buffer\r
- );\r
- }\r
-\r
- *NoHandles = BufferSize / sizeof (EFI_HANDLE);\r
- if (EFI_ERROR (Status)) {\r
- *NoHandles = 0;\r
- }\r
-\r
- return Status;\r
-}\r
-\r
-/**\r
- Find the first instance of this protocol in the system and return its interface.\r
-\r
- @param[in] ProtocolGuid The guid of the protocol.\r
- @param[out] Interface The pointer to the first instance of the protocol.\r
-\r
- @retval EFI_SUCCESS A protocol instance matching ProtocolGuid was found.\r
- @retval Others A protocol instance matching ProtocolGuid was not found.\r
-**/\r
-EFI_STATUS\r
-LocateProtocol (\r
- IN EFI_GUID *ProtocolGuid,\r
- OUT VOID **Interface\r
- )\r
-\r
-{\r
- EFI_STATUS Status;\r
- UINTN NumberHandles;\r
- UINTN Index;\r
- EFI_HANDLE *Handles;\r
-\r
- *Interface = NULL;\r
- Handles = NULL;\r
- NumberHandles = 0;\r
-\r
- Status = LocateHandle (ByProtocol, ProtocolGuid, NULL, &NumberHandles, &Handles);\r
- if (EFI_ERROR (Status)) {\r
- DEBUG ((EFI_D_INFO, "LibLocateProtocol: Handle not found\n"));\r
- return Status;\r
- }\r
-\r
- for (Index = 0; Index < NumberHandles; Index++) {\r
- ASSERT (Handles != NULL);\r
- Status = gBS->HandleProtocol (\r
- Handles[Index],\r
- ProtocolGuid,\r
- Interface\r
- );\r
-\r
- if (!EFI_ERROR (Status)) {\r
- break;\r
- }\r
- }\r
-\r
- if (Handles != NULL) {\r
- FreePool (Handles);\r
- }\r
-\r
- return Status;\r
-}\r
-\r
-/**\r
- Helper function called to check the conflicted flags.\r
-\r
- @param[in] CheckList The pointer to the VAR_CHECK_ITEM table.\r
- @param[in] ParamPackage The pointer to the ParamPackage list.\r
-\r
- @retval EFI_SUCCESS No conflicted flags.\r
- @retval EFI_INVALID_PARAMETER The input parameter is erroroneous or there are some conflicted flags.\r
-**/\r
-EFI_STATUS\r
-IpSecConfigRetriveCheckListByName (\r
- IN VAR_CHECK_ITEM *CheckList,\r
- IN LIST_ENTRY *ParamPackage\r
-)\r
-{\r
-\r
- LIST_ENTRY *Node;\r
- VAR_CHECK_ITEM *Item;\r
- UINT32 Attribute1;\r
- UINT32 Attribute2;\r
- UINT32 Attribute3;\r
- UINT32 Attribute4;\r
- UINT32 Index;\r
-\r
- Attribute1 = 0;\r
- Attribute2 = 0;\r
- Attribute3 = 0;\r
- Attribute4 = 0;\r
- Index = 0;\r
- Item = mIpSecConfigVarCheckList;\r
-\r
- if ((ParamPackage == NULL) || (CheckList == NULL)) {\r
- return EFI_INVALID_PARAMETER;\r
- }\r
-\r
- //\r
- // Enumerate through the list of parameters that are input by user.\r
- //\r
- for (Node = GetFirstNode (ParamPackage); !IsNull (ParamPackage, Node); Node = GetNextNode (ParamPackage, Node)) {\r
- if (((SHELL_PARAM_PACKAGE *) Node)->Name != NULL) {\r
- //\r
- // Enumerate the check list that defines the conflicted attributes of each flag.\r
- //\r
- for (; Item->VarName != NULL; Item++) {\r
- if (StrCmp (((SHELL_PARAM_PACKAGE *) Node)->Name, Item->VarName) == 0) {\r
- Index++;\r
- if (Index == 1) {\r
- Attribute1 = Item->Attribute1;\r
- Attribute2 = Item->Attribute2;\r
- Attribute3 = Item->Attribute3;\r
- Attribute4 = Item->Attribute4;\r
- } else {\r
- Attribute1 &= Item->Attribute1;\r
- Attribute2 |= Item->Attribute2;\r
- Attribute3 &= Item->Attribute3;\r
- Attribute4 |= Item->Attribute4;\r
- if (Attribute1 != 0) {\r
- return EFI_INVALID_PARAMETER;\r
- }\r
-\r
- if (Attribute2 != 0) {\r
- if ((Index == 2) && (StrCmp (Item->VarName, L"-p") == 0)) {\r
- continue;\r
- }\r
-\r
- return EFI_INVALID_PARAMETER;\r
- }\r
-\r
- if (Attribute3 == 0) {\r
- return EFI_INVALID_PARAMETER;\r
- }\r
- if (((Attribute4 & 0xFF) == 0x03) || ((Attribute4 & 0xFF) == 0x0C) ||\r
- ((Attribute4 & 0xFF) == 0x30) || ((Attribute4 & 0xFF) == 0xC0)) {\r
- return EFI_INVALID_PARAMETER;\r
- }\r
- }\r
- break;\r
- }\r
- }\r
-\r
- Item = mIpSecConfigVarCheckList;\r
- }\r
- }\r
-\r
- return EFI_SUCCESS;\r
-}\r
-\r
-/**\r
- This is the declaration of an EFI image entry point. This entry point is\r
- the same for UEFI Applications, UEFI OS Loaders, and UEFI Drivers, including\r
- both device drivers and bus drivers.\r
-\r
- The entry point for IpSecConfig application that parse the command line input and call an IpSecConfig process.\r
-\r
- @param[in] ImageHandle The image handle of this application.\r
- @param[in] SystemTable The pointer to the EFI System Table.\r
-\r
- @retval EFI_SUCCESS The operation completed successfully.\r
-\r
-**/\r
-EFI_STATUS\r
-EFIAPI\r
-InitializeIpSecConfig (\r
- IN EFI_HANDLE ImageHandle,\r
- IN EFI_SYSTEM_TABLE *SystemTable\r
- )\r
-{\r
- EFI_STATUS Status;\r
- EFI_IPSEC_CONFIG_DATA_TYPE DataType;\r
- UINT8 Value;\r
- LIST_ENTRY *ParamPackage;\r
- CONST CHAR16 *ValueStr;\r
- CHAR16 *ProblemParam;\r
- UINTN NonOptionCount;\r
- EFI_HII_PACKAGE_LIST_HEADER *PackageList;\r
-\r
- //\r
- // Retrieve HII package list from ImageHandle\r
- //\r
- Status = gBS->OpenProtocol (\r
- ImageHandle,\r
- &gEfiHiiPackageListProtocolGuid,\r
- (VOID **) &PackageList,\r
- ImageHandle,\r
- NULL,\r
- EFI_OPEN_PROTOCOL_GET_PROTOCOL\r
- );\r
- if (EFI_ERROR (Status)) {\r
- return Status;\r
- }\r
-\r
- //\r
- // Publish HII package list to HII Database.\r
- //\r
- Status = gHiiDatabase->NewPackageList (\r
- gHiiDatabase,\r
- PackageList,\r
- NULL,\r
- &mHiiHandle\r
- );\r
- if (EFI_ERROR (Status)) {\r
- return Status;\r
- }\r
-\r
- ASSERT (mHiiHandle != NULL);\r
-\r
- Status = ShellCommandLineParseEx (mIpSecConfigParamList, &ParamPackage, &ProblemParam, TRUE, FALSE);\r
- if (EFI_ERROR (Status)) {\r
- ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_UNKNOWN_OPERATION), mHiiHandle, ProblemParam);\r
- goto Done;\r
- }\r
-\r
- Status = IpSecConfigRetriveCheckListByName (mIpSecConfigVarCheckList, ParamPackage);\r
- if (EFI_ERROR (Status)) {\r
- ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_MISTAKEN_OPTIONS), mHiiHandle);\r
- goto Done;\r
- }\r
-\r
- Status = LocateProtocol (&gEfiIpSecConfigProtocolGuid, (VOID **) &mIpSecConfig);\r
- if (EFI_ERROR (Status) || mIpSecConfig == NULL) {\r
- ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_PROTOCOL_INEXISTENT), mHiiHandle, mAppName);\r
- goto Done;\r
- }\r
-\r
- Status = LocateProtocol (&gEfiIpSec2ProtocolGuid, (VOID **) &mIpSec);\r
- if (EFI_ERROR (Status) || mIpSec == NULL) {\r
- ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_PROTOCOL_INEXISTENT), mHiiHandle, mAppName);\r
- goto Done;\r
- }\r
-\r
- //\r
- // Enable IPsec.\r
- //\r
- if (ShellCommandLineGetFlag (ParamPackage, L"-enable")) {\r
- if (!(mIpSec->DisabledFlag)) {\r
- ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_ALREADY_ENABLE), mHiiHandle, mAppName);\r
- } else {\r
- //\r
- // Set enable flag.\r
- //\r
- Value = IPSEC_STATUS_ENABLED;\r
- Status = gRT->SetVariable (\r
- IPSECCONFIG_STATUS_NAME,\r
- &gEfiIpSecConfigProtocolGuid,\r
- EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_NON_VOLATILE,\r
- sizeof (Value),\r
- &Value\r
- );\r
- if (!EFI_ERROR (Status)) {\r
- mIpSec->DisabledFlag = FALSE;\r
- ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_ENABLE_SUCCESS), mHiiHandle, mAppName);\r
- } else {\r
- ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_ENABLE_FAILED), mHiiHandle, mAppName);\r
- }\r
- }\r
-\r
- goto Done;\r
- }\r
-\r
- //\r
- // Disable IPsec.\r
- //\r
- if (ShellCommandLineGetFlag (ParamPackage, L"-disable")) {\r
- if (mIpSec->DisabledFlag) {\r
- ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_ALREADY_DISABLE), mHiiHandle, mAppName);\r
- } else {\r
- //\r
- // Set disable flag; however, leave it to be disabled in the callback function of DisabledEvent.\r
- //\r
- gBS->SignalEvent (mIpSec->DisabledEvent);\r
- if (mIpSec->DisabledFlag) {\r
- ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_DISABLE_SUCCESS), mHiiHandle, mAppName);\r
- } else {\r
- ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_DISABLE_FAILED), mHiiHandle, mAppName);\r
- }\r
- }\r
-\r
- goto Done;\r
- }\r
-\r
- //\r
- //IPsec Status.\r
- //\r
- if (ShellCommandLineGetFlag (ParamPackage, L"-status")) {\r
- if (mIpSec->DisabledFlag) {\r
- ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_STATUS_DISABLE), mHiiHandle, mAppName);\r
- } else {\r
- ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_STATUS_ENABLE), mHiiHandle, mAppName);\r
- }\r
- goto Done;\r
- }\r
-\r
- //\r
- // Try to get policy database type.\r
- //\r
- DataType = (EFI_IPSEC_CONFIG_DATA_TYPE) - 1;\r
- ValueStr = ShellCommandLineGetValue (ParamPackage, L"-p");\r
- if (ValueStr != NULL) {\r
- DataType = (EFI_IPSEC_CONFIG_DATA_TYPE) MapStringToInteger (ValueStr, mMapPolicy);\r
- if (DataType == -1) {\r
- ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_DB), mHiiHandle, mAppName, ValueStr);\r
- goto Done;\r
- }\r
- }\r
-\r
- NonOptionCount = ShellCommandLineGetCount (ParamPackage);\r
- if ((NonOptionCount - 1) > 0) {\r
- ValueStr = ShellCommandLineGetRawValue (ParamPackage, (UINT32) (NonOptionCount - 1));\r
- ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_REDUNDANCY_MANY), mHiiHandle, mAppName, ValueStr);\r
- goto Done;\r
- }\r
-\r
- if (DataType == -1) {\r
- ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_DB), mHiiHandle, mAppName);\r
- goto Done;\r
- }\r
-\r
- if (ShellCommandLineGetFlag (ParamPackage, L"-a")) {\r
- Status = AddOrInsertPolicyEntry (DataType, ParamPackage);\r
- if (EFI_ERROR (Status)) {\r
- goto Done;\r
- }\r
- } else if (ShellCommandLineGetFlag (ParamPackage, L"-i")) {\r
- Status = AddOrInsertPolicyEntry (DataType, ParamPackage);\r
- if (EFI_ERROR (Status)) {\r
- goto Done;\r
- }\r
- } else if (ShellCommandLineGetFlag (ParamPackage, L"-e")) {\r
- Status = EditPolicyEntry (DataType, ParamPackage);\r
- if (EFI_ERROR (Status)) {\r
- goto Done;\r
- }\r
- } else if (ShellCommandLineGetFlag (ParamPackage, L"-d")) {\r
- Status = FlushOrDeletePolicyEntry (DataType, ParamPackage);\r
- if (EFI_ERROR (Status)) {\r
- goto Done;\r
- }\r
- } else if (ShellCommandLineGetFlag (ParamPackage, L"-f")) {\r
- Status = FlushOrDeletePolicyEntry (DataType, ParamPackage);\r
- if (EFI_ERROR (Status)) {\r
- goto Done;\r
- }\r
- } else if (ShellCommandLineGetFlag (ParamPackage, L"-l")) {\r
- Status = ListPolicyEntry (DataType, ParamPackage);\r
- if (EFI_ERROR (Status)) {\r
- goto Done;\r
- }\r
- } else {\r
- ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_UNKNOWN_OPERATION), mHiiHandle, mAppName);\r
- goto Done;\r
- }\r
-\r
-Done:\r
- ShellCommandLineFreeVarList (ParamPackage);\r
- HiiRemovePackages (mHiiHandle);\r
-\r
- return EFI_SUCCESS;\r
-}\r
+++ /dev/null
-/** @file\r
- The internal structure and function declaration in IpSecConfig application.\r
-\r
- Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.<BR>\r
-\r
- SPDX-License-Identifier: BSD-2-Clause-Patent\r
-\r
-**/\r
-\r
-#ifndef _IPSEC_CONFIG_H_\r
-#define _IPSEC_CONFIG_H_\r
-\r
-#include <Library/BaseMemoryLib.h>\r
-#include <Library/UefiLib.h>\r
-#include <Library/ShellLib.h>\r
-#include <Library/DebugLib.h>\r
-#include <Library/MemoryAllocationLib.h>\r
-#include <Library/UefiBootServicesTableLib.h>\r
-#include <Library/UefiHiiServicesLib.h>\r
-#include <Library/NetLib.h>\r
-\r
-#include <Protocol/IpSecConfig.h>\r
-\r
-#define IPSECCONFIG_STATUS_NAME L"IpSecStatus"\r
-\r
-#define BIT(x) (UINT32) (1 << (x))\r
-\r
-#define IPSEC_STATUS_DISABLED 0x0\r
-#define IPSEC_STATUS_ENABLED 0x1\r
-\r
-#define EFI_IP4_PROTO_ICMP 0x1\r
-#define EFI_IP4_PROTO_TCP 0x6\r
-#define EFI_IP4_PROTO_UDP 0x11\r
-\r
-#define EFI_IPSEC_ANY_PROTOCOL 0xFFFF\r
-#define EFI_IPSEC_ANY_PORT 0\r
-\r
-///\r
-/// IPsec Authentication Algorithm Definition\r
-/// The number value definition is aligned to IANA assignment\r
-///\r
-#define IPSEC_AALG_NONE 0x00\r
-#define IPSEC_AALG_MD5HMAC 0x01\r
-#define IPSEC_AALG_SHA1HMAC 0x02\r
-#define IPSEC_AALG_SHA2_256HMAC 0x05\r
-#define IPSEC_AALG_SHA2_384HMAC 0x06\r
-#define IPSEC_AALG_SHA2_512HMAC 0x07\r
-#define IPSEC_AALG_AES_XCBC_MAC 0x09\r
-#define IPSEC_AALG_NULL 0xFB\r
-\r
-///\r
-/// IPsec Encryption Algorithm Definition\r
-/// The number value definition is aligned to IANA assignment\r
-///\r
-#define IPSEC_EALG_NONE 0x00\r
-#define IPSEC_EALG_DESCBC 0x02\r
-#define IPSEC_EALG_3DESCBC 0x03\r
-#define IPSEC_EALG_CASTCBC 0x06\r
-#define IPSEC_EALG_BLOWFISHCBC 0x07\r
-#define IPSEC_EALG_NULL 0x0B\r
-#define IPSEC_EALG_AESCBC 0x0C\r
-#define IPSEC_EALG_AESCTR 0x0D\r
-#define IPSEC_EALG_AES_CCM_ICV8 0x0E\r
-#define IPSEC_EALG_AES_CCM_ICV12 0x0F\r
-#define IPSEC_EALG_AES_CCM_ICV16 0x10\r
-#define IPSEC_EALG_AES_GCM_ICV8 0x12\r
-#define IPSEC_EALG_AES_GCM_ICV12 0x13\r
-#define IPSEC_EALG_AES_GCM_ICV16 0x14\r
-\r
-typedef struct {\r
- CHAR16 *VarName;\r
- UINT32 Attribute1;\r
- UINT32 Attribute2;\r
- UINT32 Attribute3;\r
- UINT32 Attribute4;\r
-} VAR_CHECK_ITEM;\r
-\r
-typedef struct {\r
- LIST_ENTRY Link;\r
- CHAR16 *Name;\r
- SHELL_PARAM_TYPE Type;\r
- CHAR16 *Value;\r
- UINTN OriginalPosition;\r
-} SHELL_PARAM_PACKAGE;\r
-\r
-typedef struct {\r
- CHAR16 *String;\r
- UINT32 Integer;\r
-} STR2INT;\r
-\r
-extern EFI_IPSEC_CONFIG_PROTOCOL *mIpSecConfig;\r
-extern EFI_HII_HANDLE mHiiHandle;\r
-extern CHAR16 mAppName[];\r
-\r
-//\r
-// -P\r
-//\r
-extern STR2INT mMapPolicy[];\r
-\r
-//\r
-// --proto\r
-//\r
-extern STR2INT mMapIpProtocol[];\r
-\r
-//\r
-// --action\r
-//\r
-extern STR2INT mMapIpSecAction[];\r
-\r
-//\r
-// --mode\r
-//\r
-extern STR2INT mMapIpSecMode[];\r
-\r
-//\r
-// --dont-fragment\r
-//\r
-extern STR2INT mMapDfOption[];\r
-\r
-//\r
-// --ipsec-proto\r
-//\r
-extern STR2INT mMapIpSecProtocol[];\r
-//\r
-// --auth-algo\r
-//\r
-extern STR2INT mMapAuthAlgo[];\r
-\r
-//\r
-// --encrypt-algo\r
-//\r
-extern STR2INT mMapEncAlgo[];\r
-//\r
-// --auth-proto\r
-//\r
-extern STR2INT mMapAuthProto[];\r
-\r
-//\r
-// --auth-method\r
-//\r
-extern STR2INT mMapAuthMethod[];\r
-\r
-#endif\r
+++ /dev/null
-## @file\r
-# Shell application IpSecConfig.\r
-#\r
-# This application is used to set and retrieve security and policy related information\r
-# for the EFI IPsec protocol driver.\r
-#\r
-# Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>\r
-#\r
-# SPDX-License-Identifier: BSD-2-Clause-Patent\r
-#\r
-##\r
-\r
-[Defines]\r
- INF_VERSION = 0x00010006\r
- BASE_NAME = IpSecConfig\r
- FILE_GUID = 0922E604-F5EC-42ef-980D-A35E9A2B1844\r
- MODULE_TYPE = UEFI_APPLICATION\r
- VERSION_STRING = 1.0\r
- ENTRY_POINT = InitializeIpSecConfig\r
- MODULE_UNI_FILE = IpSecConfig.uni\r
-\r
-#\r
-#\r
-# This flag specifies whether HII resource section is generated into PE image.\r
-#\r
- UEFI_HII_RESOURCE_SECTION = TRUE\r
-\r
-[Sources]\r
- IpSecConfigStrings.uni\r
- IpSecConfig.c\r
- IpSecConfig.h\r
- Dump.c\r
- Dump.h\r
- Indexer.c\r
- Indexer.h\r
- Match.c\r
- Match.h\r
- Delete.h\r
- Delete.c\r
- Helper.c\r
- Helper.h\r
- ForEach.c\r
- ForEach.h\r
- PolicyEntryOperation.c\r
- PolicyEntryOperation.h\r
-\r
-[Packages]\r
- MdePkg/MdePkg.dec\r
- MdeModulePkg/MdeModulePkg.dec\r
- ShellPkg/ShellPkg.dec\r
-\r
-[LibraryClasses]\r
- UefiBootServicesTableLib\r
- UefiApplicationEntryPoint\r
- UefiHiiServicesLib\r
- BaseMemoryLib\r
- ShellLib\r
- MemoryAllocationLib\r
- DebugLib\r
- HiiLib\r
- NetLib\r
- UefiLib\r
-\r
-[Protocols]\r
- gEfiIpSec2ProtocolGuid ##CONSUMES\r
- gEfiIpSecConfigProtocolGuid ##CONSUMES\r
- gEfiHiiPackageListProtocolGuid ##CONSUMES\r
-\r
-[UserExtensions.TianoCore."ExtraFiles"]\r
- IpSecConfigExtra.uni\r
+++ /dev/null
-// /** @file\r
-// Shell application IpSecConfig.\r
-//\r
-// This application is used to set and retrieve security and policy related information\r
-// for the EFI IPsec protocol driver.\r
-//\r
-// Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>\r
-//\r
-// SPDX-License-Identifier: BSD-2-Clause-Patent\r
-//\r
-// **/\r
-\r
-\r
-#string STR_MODULE_ABSTRACT #language en-US "Shell application IpSecConfig"\r
-\r
-#string STR_MODULE_DESCRIPTION #language en-US "This application is used to set and retrieve security and policy related information for the EFI IPsec protocol driver."\r
-\r
+++ /dev/null
-// /** @file\r
-// IpSecConfig Localized Strings and Content\r
-//\r
-// Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.<BR>\r
-//\r
-// SPDX-License-Identifier: BSD-2-Clause-Patent\r
-//\r
-// **/\r
-\r
-#string STR_PROPERTIES_MODULE_NAME\r
-#language en-US\r
-"IpSec Config App"\r
-\r
-\r
+++ /dev/null
-/** @file\r
- String definitions for the Shell IpSecConfig application.\r
-\r
- Copyright (c) 2009 - 2014, Intel Corporation. All rights reserved.<BR>\r
-\r
- SPDX-License-Identifier: BSD-2-Clause-Patent\r
-\r
-**/\r
-\r
-#langdef en-US "English"\r
-\r
-#string STR_IPSEC_CONFIG_UNKNOWN_OPERATION #language en-US "%s: Operation not specified.\n"\r
-\r
-#string STR_IPSEC_CONFIG_INCORRECT_DB #language en-US "%s: Incorrect Database - %s.\n"\r
-\r
-#string STR_IPSEC_CONFIG_PROTOCOL_INEXISTENT #language en-US "%s: IPSEC_CONFIG protocol inexistent.\n"\r
-\r
-#string STR_IPSEC_CONFIG_MISSING_DB #language en-US "%s: Missing Database.\n"\r
-\r
-#string STR_IPSEC_CONFIG_FILE_OPEN_FAILED #language en-US "%s: Open file failed - %s.\n"\r
-\r
-#string STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE #language en-US "%s: Incorrect value of %s - %s.\n"\r
-\r
-#string STR_IPSEC_CONFIG_ACCEPT_PARAMETERS #language en-US " Values could be:"\r
-\r
-#string STR_IPSEC_CONFIG_MISSING_PARAMETER #language en-US "%s: Missing parameter - %s.\n"\r
-\r
-#string STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS #language en-US "%s: Missing one of the parameters - %s.\n"\r
-\r
-#string STR_IPSEC_CONFIG_UNWANTED_PARAMETER #language en-US "%s: Unwanted parameter - %s.\n"\r
-\r
-#string STR_IPSEC_CONFIG_INSERT_FAILED #language en-US "%s: Policy entry insertion failed!\n"\r
-\r
-#string STR_IPSEC_CONFIG_DELETE_FAILED #language en-US "%s: Policy entry deletion failed!\n"\r
-\r
-#string STR_IPSEC_CONFIG_EDIT_FAILED #language en-US "%s: Policy entry edit failed!\n"\r
-\r
-#string STR_IPSEC_CONFIG_ALREADY_EXISTS #language en-US "%s: Policy entry already exists!\n"\r
-\r
-#string STR_IPSEC_CONFIG_INDEX_NOT_FOUND #language en-US "%s: Specified index not found!\n"\r
-\r
-#string STR_IPSEC_CONFIG_INDEX_NOT_SPECIFIED #language en-US "%s: Index should be Specified!\n"\r
-\r
-#string STR_IPSEC_CONFIG_INSERT_UNSUPPORT #language en-US "%s: Policy entry insertion not supported!\n"\r
-\r
-#string STR_IPSEC_MISTAKEN_OPTIONS #language en-US "Mistaken Input. Please refer to %H"IpSecConfig -?"%N for more help information.\n"\r
-\r
-#string STR_IPSEC_REDUNDANCY_MANY #language en-US "%s has one redundancy option: %H%s%N\n"\r
-\r
-#string STR_IPSEC_CONFIG_ALREADY_ENABLE #language en-US "IPsec has been already enabled!\n"\r
-\r
-#string STR_IPSEC_CONFIG_ENABLE_SUCCESS #language en-US "Enable IPsec ! \n"\r
-\r
-#string STR_IPSEC_CONFIG_DISABLE_SUCCESS #language en-US "Disable IPsec ! \n"\r
-\r
-#string STR_IPSEC_CONFIG_ALREADY_DISABLE #language en-US "IPsec has been already disabled !\n"\r
-\r
-#string STR_IPSEC_CONFIG_STATUS_ENABLE #language en-US "IPsec Status : Enabled ! \n"\r
-\r
-#string STR_IPSEC_CONFIG_STATUS_DISABLE #language en-US "IPsec Status : Disabled ! \n"\r
-\r
-#string STR_IPSEC_CONFIG_ENABLE_FAILED #language en-US "Error: Enable IPsec failed !\n"\r
-\r
-#string STR_IPSEC_CONFIG_DISABLE_FAILED #language en-US "Error: Disable IPsec failed !\n"\r
-\r
-#string STR_IPSEC_CONFIG_HELP #language en-US ""\r
-".TH IpSecConfig 0 "Displays or modifies the current IPsec configuration."\r\n"\r
-".SH NAME\r\n"\r
-"Displays or modifies the current IPsec configuration.\r\n"\r
-".SH SYNOPSIS\r\n"\r
-" \r\n"\r
-"%HIpSecConfig [-p {SPD|SAD|PAD}] [command] [options[parameters]]\r\n"\r
-".SH OPTIONS\r\n"\r
-" \r\n"\r
-"%H-p (SPD|SAD|PAD)%N required.point to certain policy database.\r\n"\r
-" \r\n"\r
-"%Hcommand%N:\r\n"\r
-" -a [options[parameters]] Add new policy entry.\r\n"\r
-" -i entryid [options[parameters]] Insert new policy entry before the one\r\n"\r
-" matched by the entryid.\r\n"\r
-" It's only supported on SPD policy database.\r\n"\r
-" -d entryid Delete the policy entry matched by the \r\n"\r
-" entryid.\r\n"\r
-" -e entryid [options[parameters]] Edit the policy entry matched by the\r\n"\r
-" entryid.\r\n"\r
-" -f Flush the entire policy database.\r\n"\r
-" -l List all entries for specified database.\r\n"\r
-" -enable Enable IPsec.\r\n"\r
-" -disable Disable IPsec.\r\n"\r
-" -status Show IPsec current status.\r\n"\r
-" \r\n"\r
-"%H[options[parameters]]%N for %HSPD%N:\r\n"\r
-" --local localaddress optional local address\r\n"\r
-" --remote remoteaddress required remote address\r\n"\r
-" --proto (TCP|UDP|ICMP|...) required IP protocol\r\n"\r
-" --local-port port optional local port for tcp/udp protocol\r\n"\r
-" --remote-port port optional remote port for tcp/udp protocol\r\n"\r
-" --name name optional SPD name\r\n"\r
-" --action (Bypass|Discard|Protect) required \r\n"\r
-" required IPsec action\r\n"\r
-" --mode (Transport|Tunnel) optional IPsec mode, transport by default\r\n"\r
-" --ipsec-proto (AH|ESP) optional IPsec protocol, ESP by default\r\n"\r
-" --auth-algo (NONE|SHA1HMAC) optional authentication algorithm\r\n"\r
-" --encrypt-algo(NONE|DESCBC|3DESCBC)optional encryption algorithm\r\n"\r
-" --tunnel-local tunnellocaladdr optional tunnel local address(only for tunnel mode)\r\n"\r
-" --tunnel-remote tunnelremoteaddr optional tunnel remote address(only for tunnel mode)\r\n"\r
-" \r\n"\r
-"%H[options[parameters]]%N for %HSAD%N:\r\n"\r
-" --spi spi required SPI value\r\n"\r
-" --ipsec-proto (AH|ESP) required IPsec protocol\r\n"\r
-" --local localaddress optional local address\r\n"\r
-" --remote remoteaddress required destination address\r\n"\r
-" --auth-algo (NONE|SHA1HMAC) required for AH. authentication algorithm\n"\r
-" --auth-key key required for AH. key for authentication\r\n"\r
-" --encrypt-algo (NONE|DESCBC|3DESCBC) required for ESP. encryption algorithm\r\n"\r
-" --encrypt-key key required for ESP. key for encryption\r\n"\r
-" --mode (Transport|Tunnel) optional IPsec mode, transport by default\r\n"\r
-" --tunnel-dest tunneldestaddr optional tunnel destination address(only for tunnel mode)\r\n"\r
-" --tunnel-source tunnelsourceaddr optional tunnel source address(only for tunnel mode)\r\n"\r
-" \r\n"\r
-"%H[options[parameters]]%N for %HPAD%N:\r\n"\r
-" --peer-address address required peer address\r\n"\r
-" --auth-proto (IKEv1|IKEv2) optional IKE protocol, IKEv1 by\r\n"\r
-" default\r\n"\r
-" --auth-method (PreSharedSecret|Certificates) required authentication method\r\n"\r
-" --auth-data authdata required data for authentication\r\n"\r
-" \r\n"\r
+++ /dev/null
-/** @file\r
- The implementation of match policy entry function in IpSecConfig application.\r
-\r
- Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.<BR>\r
-\r
- SPDX-License-Identifier: BSD-2-Clause-Patent\r
-\r
-**/\r
-\r
-#include "IpSecConfig.h"\r
-#include "Indexer.h"\r
-#include "Match.h"\r
-\r
-/**\r
- Private function to validate a buffer that should be filled with zero.\r
-\r
- @param[in] Memory The pointer to the buffer.\r
- @param[in] Size The size of the buffer.\r
-\r
- @retval TRUE The memory is filled with zero.\r
- @retval FALSE The memory isn't filled with zero.\r
-**/\r
-BOOLEAN\r
-IsMemoryZero (\r
- IN VOID *Memory,\r
- IN UINTN Size\r
- )\r
-{\r
- UINTN Index;\r
-\r
- for (Index = 0; Index < Size; Index++) {\r
- if (*((UINT8 *) Memory + Index) != 0) {\r
- return FALSE;\r
- }\r
- }\r
-\r
- return TRUE;\r
-}\r
-\r
-/**\r
- Find the matching SPD with Indexer.\r
-\r
- @param[in] Selector The pointer to the EFI_IPSEC_SPD_SELECTOR structure.\r
- @param[in] Data The pointer to the EFI_IPSEC_SPD_DATA structure.\r
- @param[in] Indexer The pointer to the SPD_ENTRY_INDEXER structure.\r
-\r
- @retval TRUE The matched SPD is found.\r
- @retval FALSE The matched SPD is not found.\r
-**/\r
-BOOLEAN\r
-MatchSpdEntry (\r
- IN EFI_IPSEC_SPD_SELECTOR *Selector,\r
- IN EFI_IPSEC_SPD_DATA *Data,\r
- IN SPD_ENTRY_INDEXER *Indexer\r
- )\r
-{\r
- BOOLEAN Match;\r
-\r
- Match = FALSE;\r
- if (!IsMemoryZero (Indexer->Name, MAX_PEERID_LEN)) {\r
- if ((Data->Name != NULL) && (AsciiStrCmp ((CHAR8 *) Indexer->Name, (CHAR8 *) Data->Name) == 0)) {\r
- Match = TRUE;\r
- }\r
- } else {\r
- if (Indexer->Index == 0) {\r
- Match = TRUE;\r
- }\r
-\r
- Indexer->Index--;\r
- }\r
-\r
- return Match;\r
-}\r
-\r
-/**\r
- Find the matching SAD with Indexer.\r
-\r
- @param[in] SaId The pointer to the EFI_IPSEC_SA_ID structure.\r
- @param[in] Data The pointer to the EFI_IPSEC_SA_DATA2 structure.\r
- @param[in] Indexer The pointer to the SPD_ENTRY_INDEXER structure.\r
-\r
- @retval TRUE The matched SAD is found.\r
- @retval FALSE The matched SAD is not found.\r
-**/\r
-BOOLEAN\r
-MatchSadEntry (\r
- IN EFI_IPSEC_SA_ID *SaId,\r
- IN EFI_IPSEC_SA_DATA2 *Data,\r
- IN SAD_ENTRY_INDEXER *Indexer\r
- )\r
-{\r
- BOOLEAN Match;\r
-\r
- Match = FALSE;\r
- if (!IsMemoryZero (&Indexer->SaId, sizeof (EFI_IPSEC_SA_ID))) {\r
- Match = (BOOLEAN) (CompareMem (&Indexer->SaId, SaId, sizeof (EFI_IPSEC_SA_ID)) == 0);\r
- } else {\r
- if (Indexer->Index == 0) {\r
- Match = TRUE;\r
- }\r
- Indexer->Index--;\r
- }\r
-\r
- return Match;\r
-}\r
-\r
-/**\r
- Find the matching PAD with Indexer.\r
-\r
- @param[in] PadId The pointer to the EFI_IPSEC_PAD_ID structure.\r
- @param[in] Data The pointer to the EFI_IPSEC_PAD_DATA structure.\r
- @param[in] Indexer The pointer to the SPD_ENTRY_INDEXER structure.\r
-\r
- @retval TRUE The matched PAD is found.\r
- @retval FALSE The matched PAD is not found.\r
-**/\r
-BOOLEAN\r
-MatchPadEntry (\r
- IN EFI_IPSEC_PAD_ID *PadId,\r
- IN EFI_IPSEC_PAD_DATA *Data,\r
- IN PAD_ENTRY_INDEXER *Indexer\r
- )\r
-{\r
- BOOLEAN Match;\r
-\r
- Match = FALSE;\r
- if (!IsMemoryZero (&Indexer->PadId, sizeof (EFI_IPSEC_PAD_ID))) {\r
- Match = (BOOLEAN) ((Indexer->PadId.PeerIdValid == PadId->PeerIdValid) &&\r
- ((PadId->PeerIdValid &&\r
- (StrCmp (\r
- (CONST CHAR16 *) Indexer->PadId.Id.PeerId,\r
- (CONST CHAR16 *) PadId->Id.PeerId\r
- ) == 0)) ||\r
- ((!PadId->PeerIdValid) &&\r
- (Indexer->PadId.Id.IpAddress.PrefixLength == PadId->Id.IpAddress.PrefixLength) &&\r
- (CompareMem (\r
- &Indexer->PadId.Id.IpAddress.Address,\r
- &PadId->Id.IpAddress.Address,\r
- sizeof (EFI_IP_ADDRESS)\r
- ) == 0))));\r
- } else {\r
- if (Indexer->Index == 0) {\r
- Match = TRUE;\r
- }\r
-\r
- Indexer->Index--;\r
- }\r
-\r
- return Match;\r
-}\r
-\r
-MATCH_POLICY_ENTRY mMatchPolicyEntry[] = {\r
- (MATCH_POLICY_ENTRY) MatchSpdEntry,\r
- (MATCH_POLICY_ENTRY) MatchSadEntry,\r
- (MATCH_POLICY_ENTRY) MatchPadEntry\r
-};\r
-\r
+++ /dev/null
-/** @file\r
- The internal structure and function declaration of\r
- match policy entry function in IpSecConfig application.\r
-\r
- Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>\r
-\r
- SPDX-License-Identifier: BSD-2-Clause-Patent\r
-\r
-**/\r
-\r
-#ifndef _MATCH_H_\r
-#define _MATCH_H_\r
-\r
-/**\r
- The prototype for the MatchSpdEntry()/MatchSadEntry()/MatchPadEntry().\r
- The functionality is to find the matching SPD/SAD/PAD with Indexer.\r
-\r
- @param[in] Selector The pointer to the EFI_IPSEC_CONFIG_SELECTOR union.\r
- @param[in] Data The pointer to corresponding Data.\r
- @param[in] Indexer The pointer to the POLICY_ENTRY_INDEXER union.\r
-\r
- @retval TRUE The matched SPD/SAD/PAD is found.\r
- @retval FALSE The matched SPD/SAD/PAD is not found.\r
-**/\r
-typedef\r
-BOOLEAN\r
-(* MATCH_POLICY_ENTRY) (\r
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector,\r
- IN VOID *Data,\r
- IN POLICY_ENTRY_INDEXER *Indexer\r
- );\r
-\r
-extern MATCH_POLICY_ENTRY mMatchPolicyEntry[];\r
-\r
-#endif\r
+++ /dev/null
-/** @file\r
- The implementation of policy entry operation function in IpSecConfig application.\r
-\r
- Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>\r
-\r
- SPDX-License-Identifier: BSD-2-Clause-Patent\r
-\r
-**/\r
-\r
-#include "IpSecConfig.h"\r
-#include "Indexer.h"\r
-#include "Match.h"\r
-#include "Helper.h"\r
-#include "ForEach.h"\r
-#include "PolicyEntryOperation.h"\r
-\r
-/**\r
- Fill in EFI_IPSEC_SPD_SELECTOR through ParamPackage list.\r
-\r
- @param[out] Selector The pointer to the EFI_IPSEC_SPD_SELECTOR structure.\r
- @param[in] ParamPackage The pointer to the ParamPackage list.\r
- @param[in, out] Mask The pointer to the Mask.\r
-\r
- @retval EFI_SUCCESS Fill in EFI_IPSEC_SPD_SELECTOR successfully.\r
- @retval EFI_INVALID_PARAMETER Invalid user input parameter.\r
-\r
-**/\r
-EFI_STATUS\r
-CreateSpdSelector (\r
- OUT EFI_IPSEC_SPD_SELECTOR *Selector,\r
- IN LIST_ENTRY *ParamPackage,\r
- IN OUT UINT32 *Mask\r
- )\r
-{\r
- EFI_STATUS Status;\r
- EFI_STATUS ReturnStatus;\r
- CONST CHAR16 *ValueStr;\r
-\r
- Status = EFI_SUCCESS;\r
- ReturnStatus = EFI_SUCCESS;\r
-\r
- //\r
- // Convert user imput from string to integer, and fill in the member in EFI_IPSEC_SPD_SELECTOR.\r
- //\r
- ValueStr = ShellCommandLineGetValue (ParamPackage, L"--local");\r
- if (ValueStr != NULL) {\r
- Selector->LocalAddressCount = 1;\r
- Status = EfiInetAddrRange ((CHAR16 *) ValueStr, Selector->LocalAddress);\r
- if (EFI_ERROR (Status)) {\r
- ShellPrintHiiEx (\r
- -1,\r
- -1,\r
- NULL,\r
- STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE),\r
- mHiiHandle,\r
- mAppName,\r
- L"--local",\r
- ValueStr\r
- );\r
- ReturnStatus = EFI_INVALID_PARAMETER;\r
- } else {\r
- *Mask |= LOCAL;\r
- }\r
- }\r
-\r
- //\r
- // Convert user imput from string to integer, and fill in the member in EFI_IPSEC_SPD_SELECTOR.\r
- //\r
- ValueStr = ShellCommandLineGetValue (ParamPackage, L"--remote");\r
- if (ValueStr != NULL) {\r
- Selector->RemoteAddressCount = 1;\r
- Status = EfiInetAddrRange ((CHAR16 *) ValueStr, Selector->RemoteAddress);\r
- if (EFI_ERROR (Status)) {\r
- ShellPrintHiiEx (\r
- -1,\r
- -1,\r
- NULL,\r
- STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE),\r
- mHiiHandle,\r
- mAppName,\r
- L"--remote",\r
- ValueStr\r
- );\r
- ReturnStatus = EFI_INVALID_PARAMETER;\r
- } else {\r
- *Mask |= REMOTE;\r
- }\r
- }\r
-\r
- Selector->NextLayerProtocol = EFI_IPSEC_ANY_PROTOCOL;\r
-\r
- //\r
- // Convert user imput from string to integer, and fill in the member in EFI_IPSEC_SPD_SELECTOR.\r
- //\r
- Status = GetNumber (\r
- L"--proto",\r
- (UINT16) -1,\r
- &Selector->NextLayerProtocol,\r
- sizeof (UINT16),\r
- mMapIpProtocol,\r
- ParamPackage,\r
- FORMAT_NUMBER | FORMAT_STRING\r
- );\r
- if (!EFI_ERROR (Status)) {\r
- *Mask |= PROTO;\r
- }\r
-\r
- if (Status == EFI_INVALID_PARAMETER) {\r
- ReturnStatus = EFI_INVALID_PARAMETER;\r
- }\r
-\r
- Selector->LocalPort = EFI_IPSEC_ANY_PORT;\r
- Selector->RemotePort = EFI_IPSEC_ANY_PORT;\r
-\r
- //\r
- // Convert user imput from string to integer, and fill in the member in EFI_IPSEC_SPD_SELECTOR.\r
- //\r
- ValueStr = ShellCommandLineGetValue (ParamPackage, L"--local-port");\r
- if (ValueStr != NULL) {\r
- Status = EfiInetPortRange ((CHAR16 *) ValueStr, &Selector->LocalPort, &Selector->LocalPortRange);\r
- if (EFI_ERROR (Status)) {\r
- ShellPrintHiiEx (\r
- -1,\r
- -1,\r
- NULL,\r
- STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE),\r
- mHiiHandle,\r
- mAppName,\r
- L"--local-port",\r
- ValueStr\r
- );\r
- ReturnStatus = EFI_INVALID_PARAMETER;\r
- } else {\r
- *Mask |= LOCAL_PORT;\r
- }\r
- }\r
-\r
- //\r
- // Convert user imput from string to integer, and fill in the member in EFI_IPSEC_SPD_SELECTOR.\r
- //\r
- ValueStr = ShellCommandLineGetValue (ParamPackage, L"--remote-port");\r
- if (ValueStr != NULL) {\r
- Status = EfiInetPortRange ((CHAR16 *) ValueStr, &Selector->RemotePort, &Selector->RemotePortRange);\r
- if (EFI_ERROR (Status)) {\r
- ShellPrintHiiEx (\r
- -1,\r
- -1,\r
- NULL,\r
- STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE),\r
- mHiiHandle,\r
- mAppName,\r
- L"--remote-port",\r
- ValueStr\r
- );\r
- ReturnStatus = EFI_INVALID_PARAMETER;\r
- } else {\r
- *Mask |= REMOTE_PORT;\r
- }\r
- }\r
-\r
- //\r
- // Convert user imput from string to integer, and fill in the member in EFI_IPSEC_SPD_SELECTOR.\r
- //\r
- Status = GetNumber (\r
- L"--icmp-type",\r
- (UINT8) -1,\r
- &Selector->LocalPort,\r
- sizeof (UINT16),\r
- NULL,\r
- ParamPackage,\r
- FORMAT_NUMBER\r
- );\r
- if (!EFI_ERROR (Status)) {\r
- *Mask |= ICMP_TYPE;\r
- }\r
-\r
- if (Status == EFI_INVALID_PARAMETER) {\r
- ReturnStatus = EFI_INVALID_PARAMETER;\r
- }\r
-\r
- //\r
- // Convert user imput from string to integer, and fill in the member in EFI_IPSEC_SPD_SELECTOR.\r
- //\r
- Status = GetNumber (\r
- L"--icmp-code",\r
- (UINT8) -1,\r
- &Selector->RemotePort,\r
- sizeof (UINT16),\r
- NULL,\r
- ParamPackage,\r
- FORMAT_NUMBER\r
- );\r
- if (!EFI_ERROR (Status)) {\r
- *Mask |= ICMP_CODE;\r
- }\r
-\r
- if (Status == EFI_INVALID_PARAMETER) {\r
- ReturnStatus = EFI_INVALID_PARAMETER;\r
- }\r
-\r
- return ReturnStatus;\r
-}\r
-\r
-/**\r
- Fill in EFI_IPSEC_SPD_SELECTOR and EFI_IPSEC_SPD_DATA through ParamPackage list.\r
-\r
- @param[out] Selector The pointer to the EFI_IPSEC_SPD_SELECTOR structure.\r
- @param[out] Data The pointer to the EFI_IPSEC_SPD_DATA structure.\r
- @param[in] ParamPackage The pointer to the ParamPackage list.\r
- @param[out] Mask The pointer to the Mask.\r
- @param[in] CreateNew The switch to create new.\r
-\r
- @retval EFI_SUCCESS Fill in EFI_IPSEC_SPD_SELECTOR and EFI_IPSEC_SPD_DATA successfully.\r
- @retval EFI_INVALID_PARAMETER Invalid user input parameter.\r
-\r
-**/\r
-EFI_STATUS\r
-CreateSpdEntry (\r
- OUT EFI_IPSEC_SPD_SELECTOR **Selector,\r
- OUT EFI_IPSEC_SPD_DATA **Data,\r
- IN LIST_ENTRY *ParamPackage,\r
- OUT UINT32 *Mask,\r
- IN BOOLEAN CreateNew\r
- )\r
-{\r
- EFI_STATUS Status;\r
- EFI_STATUS ReturnStatus;\r
- CONST CHAR16 *ValueStr;\r
- UINTN DataSize;\r
-\r
- Status = EFI_SUCCESS;\r
- *Mask = 0;\r
-\r
- *Selector = AllocateZeroPool (sizeof (EFI_IPSEC_SPD_SELECTOR) + 2 * sizeof (EFI_IP_ADDRESS_INFO));\r
- ASSERT (*Selector != NULL);\r
-\r
- (*Selector)->LocalAddress = (EFI_IP_ADDRESS_INFO *) (*Selector + 1);\r
- (*Selector)->RemoteAddress = (*Selector)->LocalAddress + 1;\r
-\r
- ReturnStatus = CreateSpdSelector (*Selector, ParamPackage, Mask);\r
-\r
- //\r
- // SPD DATA\r
- // NOTE: Allocate enough memory and add padding for different arch.\r
- //\r
- DataSize = ALIGN_VARIABLE (sizeof (EFI_IPSEC_SPD_DATA));\r
- DataSize = ALIGN_VARIABLE (DataSize + sizeof (EFI_IPSEC_PROCESS_POLICY));\r
- DataSize += sizeof (EFI_IPSEC_TUNNEL_OPTION);\r
-\r
- *Data = AllocateZeroPool (DataSize);\r
- ASSERT (*Data != NULL);\r
-\r
- (*Data)->ProcessingPolicy = (EFI_IPSEC_PROCESS_POLICY *) ALIGN_POINTER (\r
- (*Data + 1),\r
- sizeof (UINTN)\r
- );\r
- (*Data)->ProcessingPolicy->TunnelOption = (EFI_IPSEC_TUNNEL_OPTION *) ALIGN_POINTER (\r
- ((*Data)->ProcessingPolicy + 1),\r
- sizeof (UINTN)\r
- );\r
-\r
-\r
- //\r
- // Convert user imput from string to integer, and fill in the Name in EFI_IPSEC_SPD_DATA.\r
- //\r
- ValueStr = ShellCommandLineGetValue (ParamPackage, L"--name");\r
- if (ValueStr != NULL) {\r
- UnicodeStrToAsciiStrS (ValueStr, (CHAR8 *) (*Data)->Name, sizeof ((*Data)->Name));\r
- *Mask |= NAME;\r
- }\r
-\r
- //\r
- // Convert user imput from string to integer, and fill in the PackageFlag in EFI_IPSEC_SPD_DATA.\r
- //\r
- Status = GetNumber (\r
- L"--packet-flag",\r
- (UINT8) -1,\r
- &(*Data)->PackageFlag,\r
- sizeof (UINT32),\r
- NULL,\r
- ParamPackage,\r
- FORMAT_NUMBER\r
- );\r
- if (!EFI_ERROR (Status)) {\r
- *Mask |= PACKET_FLAG;\r
- }\r
-\r
- if (Status == EFI_INVALID_PARAMETER) {\r
- ReturnStatus = EFI_INVALID_PARAMETER;\r
- }\r
-\r
- //\r
- // Convert user imput from string to integer, and fill in the Action in EFI_IPSEC_SPD_DATA.\r
- //\r
- Status = GetNumber (\r
- L"--action",\r
- (UINT8) -1,\r
- &(*Data)->Action,\r
- sizeof (UINT32),\r
- mMapIpSecAction,\r
- ParamPackage,\r
- FORMAT_STRING\r
- );\r
- if (!EFI_ERROR (Status)) {\r
- *Mask |= ACTION;\r
- }\r
-\r
- if (Status == EFI_INVALID_PARAMETER) {\r
- ReturnStatus = EFI_INVALID_PARAMETER;\r
- }\r
-\r
- //\r
- // Convert user imput from string to integer, and fill in the ExtSeqNum in EFI_IPSEC_SPD_DATA.\r
- //\r
- if (ShellCommandLineGetFlag (ParamPackage, L"--ext-sequence")) {\r
- (*Data)->ProcessingPolicy->ExtSeqNum = TRUE;\r
- *Mask |= EXT_SEQUENCE;\r
- } else if (ShellCommandLineGetFlag (ParamPackage, L"--ext-sequence-")) {\r
- (*Data)->ProcessingPolicy->ExtSeqNum = FALSE;\r
- *Mask |= EXT_SEQUENCE;\r
- }\r
-\r
- //\r
- // Convert user imput from string to integer, and fill in the SeqOverflow in EFI_IPSEC_SPD_DATA.\r
- //\r
- if (ShellCommandLineGetFlag (ParamPackage, L"--sequence-overflow")) {\r
- (*Data)->ProcessingPolicy->SeqOverflow = TRUE;\r
- *Mask |= SEQUENCE_OVERFLOW;\r
- } else if (ShellCommandLineGetFlag (ParamPackage, L"--sequence-overflow-")) {\r
- (*Data)->ProcessingPolicy->SeqOverflow = FALSE;\r
- *Mask |= SEQUENCE_OVERFLOW;\r
- }\r
-\r
- //\r
- // Convert user imput from string to integer, and fill in the FragCheck in EFI_IPSEC_SPD_DATA.\r
- //\r
- if (ShellCommandLineGetFlag (ParamPackage, L"--fragment-check")) {\r
- (*Data)->ProcessingPolicy->FragCheck = TRUE;\r
- *Mask |= FRAGMENT_CHECK;\r
- } else if (ShellCommandLineGetFlag (ParamPackage, L"--fragment-check-")) {\r
- (*Data)->ProcessingPolicy->FragCheck = FALSE;\r
- *Mask |= FRAGMENT_CHECK;\r
- }\r
-\r
- //\r
- // Convert user imput from string to integer, and fill in the ProcessingPolicy in EFI_IPSEC_SPD_DATA.\r
- //\r
- Status = GetNumber (\r
- L"--lifebyte",\r
- (UINT64) -1,\r
- &(*Data)->ProcessingPolicy->SaLifetime.ByteCount,\r
- sizeof (UINT64),\r
- NULL,\r
- ParamPackage,\r
- FORMAT_NUMBER\r
- );\r
- if (!EFI_ERROR (Status)) {\r
- *Mask |= LIFEBYTE;\r
- }\r
-\r
- if (Status == EFI_INVALID_PARAMETER) {\r
- ReturnStatus = EFI_INVALID_PARAMETER;\r
- }\r
-\r
- Status = GetNumber (\r
- L"--lifetime",\r
- (UINT64) -1,\r
- &(*Data)->ProcessingPolicy->SaLifetime.HardLifetime,\r
- sizeof (UINT64),\r
- NULL,\r
- ParamPackage,\r
- FORMAT_NUMBER\r
- );\r
- if (!EFI_ERROR (Status)) {\r
- *Mask |= LIFETIME;\r
- }\r
- if (Status == EFI_INVALID_PARAMETER) {\r
- ReturnStatus = EFI_INVALID_PARAMETER;\r
- }\r
-\r
- Status = GetNumber (\r
- L"--lifetime-soft",\r
- (UINT64) -1,\r
- &(*Data)->ProcessingPolicy->SaLifetime.SoftLifetime,\r
- sizeof (UINT64),\r
- NULL,\r
- ParamPackage,\r
- FORMAT_NUMBER\r
- );\r
- if (!EFI_ERROR (Status)) {\r
- *Mask |= LIFETIME_SOFT;\r
- }\r
-\r
- if (Status == EFI_INVALID_PARAMETER) {\r
- ReturnStatus = EFI_INVALID_PARAMETER;\r
- }\r
-\r
- (*Data)->ProcessingPolicy->Mode = EfiIPsecTransport;\r
- Status = GetNumber (\r
- L"--mode",\r
- 0,\r
- &(*Data)->ProcessingPolicy->Mode,\r
- sizeof (UINT32),\r
- mMapIpSecMode,\r
- ParamPackage,\r
- FORMAT_STRING\r
- );\r
- if (!EFI_ERROR (Status)) {\r
- *Mask |= MODE;\r
- }\r
-\r
- if (Status == EFI_INVALID_PARAMETER) {\r
- ReturnStatus = EFI_INVALID_PARAMETER;\r
- }\r
-\r
- ValueStr = ShellCommandLineGetValue (ParamPackage, L"--tunnel-local");\r
- if (ValueStr != NULL) {\r
- Status = EfiInetAddr2 ((CHAR16 *) ValueStr, &(*Data)->ProcessingPolicy->TunnelOption->LocalTunnelAddress);\r
- if (EFI_ERROR (Status)) {\r
- ShellPrintHiiEx (\r
- -1,\r
- -1,\r
- NULL,\r
- STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE),\r
- mHiiHandle,\r
- mAppName,\r
- L"--tunnel-local",\r
- ValueStr\r
- );\r
- ReturnStatus = EFI_INVALID_PARAMETER;\r
- } else {\r
- *Mask |= TUNNEL_LOCAL;\r
- }\r
- }\r
-\r
- ValueStr = ShellCommandLineGetValue (ParamPackage, L"--tunnel-remote");\r
- if (ValueStr != NULL) {\r
- Status = EfiInetAddr2 ((CHAR16 *) ValueStr, &(*Data)->ProcessingPolicy->TunnelOption->RemoteTunnelAddress);\r
- if (EFI_ERROR (Status)) {\r
- ShellPrintHiiEx (\r
- -1,\r
- -1,\r
- NULL,\r
- STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE),\r
- mHiiHandle,\r
- mAppName,\r
- L"--tunnel-remote",\r
- ValueStr\r
- );\r
- ReturnStatus = EFI_INVALID_PARAMETER;\r
- } else {\r
- *Mask |= TUNNEL_REMOTE;\r
- }\r
- }\r
-\r
- (*Data)->ProcessingPolicy->TunnelOption->DF = EfiIPsecTunnelCopyDf;\r
- Status = GetNumber (\r
- L"--dont-fragment",\r
- 0,\r
- &(*Data)->ProcessingPolicy->TunnelOption->DF,\r
- sizeof (UINT32),\r
- mMapDfOption,\r
- ParamPackage,\r
- FORMAT_STRING\r
- );\r
- if (!EFI_ERROR (Status)) {\r
- *Mask |= DONT_FRAGMENT;\r
- }\r
-\r
- if (Status == EFI_INVALID_PARAMETER) {\r
- ReturnStatus = EFI_INVALID_PARAMETER;\r
- }\r
-\r
- (*Data)->ProcessingPolicy->Proto = EfiIPsecESP;\r
- Status = GetNumber (\r
- L"--ipsec-proto",\r
- 0,\r
- &(*Data)->ProcessingPolicy->Proto,\r
- sizeof (UINT32),\r
- mMapIpSecProtocol,\r
- ParamPackage,\r
- FORMAT_STRING\r
- );\r
- if (!EFI_ERROR (Status)) {\r
- *Mask |= IPSEC_PROTO;\r
- }\r
-\r
- if (Status == EFI_INVALID_PARAMETER) {\r
- ReturnStatus = EFI_INVALID_PARAMETER;\r
- }\r
-\r
- Status = GetNumber (\r
- L"--encrypt-algo",\r
- 0,\r
- &(*Data)->ProcessingPolicy->EncAlgoId,\r
- sizeof (UINT8),\r
- mMapEncAlgo,\r
- ParamPackage,\r
- FORMAT_STRING\r
- );\r
- if (!EFI_ERROR (Status)) {\r
- *Mask |= ENCRYPT_ALGO;\r
- }\r
-\r
- if (Status == EFI_INVALID_PARAMETER) {\r
- ReturnStatus = EFI_INVALID_PARAMETER;\r
- }\r
-\r
- Status = GetNumber (\r
- L"--auth-algo",\r
- 0,\r
- &(*Data)->ProcessingPolicy->AuthAlgoId,\r
- sizeof (UINT8),\r
- mMapAuthAlgo,\r
- ParamPackage,\r
- FORMAT_STRING\r
- );\r
- if (!EFI_ERROR (Status)) {\r
- *Mask |= AUTH_ALGO;\r
- }\r
-\r
- if (Status == EFI_INVALID_PARAMETER) {\r
- ReturnStatus = EFI_INVALID_PARAMETER;\r
- }\r
-\r
- //\r
- // Cannot check Mode against EfiIPsecTunnel, because user may want to change tunnel_remote only so the Mode is not set.\r
- //\r
- if ((*Mask & (TUNNEL_LOCAL | TUNNEL_REMOTE | DONT_FRAGMENT)) == 0) {\r
- (*Data)->ProcessingPolicy->TunnelOption = NULL;\r
- }\r
-\r
- if ((*Mask & (EXT_SEQUENCE | SEQUENCE_OVERFLOW | FRAGMENT_CHECK | LIFEBYTE |\r
- LIFETIME_SOFT | LIFETIME | MODE | TUNNEL_LOCAL | TUNNEL_REMOTE |\r
- DONT_FRAGMENT | IPSEC_PROTO | AUTH_ALGO | ENCRYPT_ALGO)) == 0) {\r
- if ((*Data)->Action != EfiIPsecActionProtect) {\r
- //\r
- // User may not provide additional parameter for Protect action, so we cannot simply set ProcessingPolicy to NULL.\r
- //\r
- (*Data)->ProcessingPolicy = NULL;\r
- }\r
- }\r
-\r
- if (CreateNew) {\r
- if ((*Mask & (LOCAL | REMOTE | PROTO | ACTION)) != (LOCAL | REMOTE | PROTO | ACTION)) {\r
- ShellPrintHiiEx (\r
- -1,\r
- -1,\r
- NULL,\r
- STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS),\r
- mHiiHandle,\r
- mAppName,\r
- L"--local --remote --proto --action"\r
- );\r
- ReturnStatus = EFI_INVALID_PARAMETER;\r
- } else if (((*Data)->Action == EfiIPsecActionProtect) &&\r
- ((*Data)->ProcessingPolicy->Mode == EfiIPsecTunnel) &&\r
- ((*Mask & (TUNNEL_LOCAL | TUNNEL_REMOTE)) != (TUNNEL_LOCAL | TUNNEL_REMOTE))) {\r
- ShellPrintHiiEx (\r
- -1,\r
- -1,\r
- NULL,\r
- STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS),\r
- mHiiHandle,\r
- mAppName,\r
- L"--tunnel-local --tunnel-remote"\r
- );\r
- ReturnStatus = EFI_INVALID_PARAMETER;\r
- }\r
- }\r
-\r
- return ReturnStatus;\r
-}\r
-\r
-/**\r
- Fill in EFI_IPSEC_SA_ID and EFI_IPSEC_SA_DATA2 through ParamPackage list.\r
-\r
- @param[out] SaId The pointer to the EFI_IPSEC_SA_ID structure.\r
- @param[out] Data The pointer to the EFI_IPSEC_SA_DATA2 structure.\r
- @param[in] ParamPackage The pointer to the ParamPackage list.\r
- @param[out] Mask The pointer to the Mask.\r
- @param[in] CreateNew The switch to create new.\r
-\r
- @retval EFI_SUCCESS Fill in EFI_IPSEC_SA_ID and EFI_IPSEC_SA_DATA2 successfully.\r
- @retval EFI_INVALID_PARAMETER Invalid user input parameter.\r
-\r
-**/\r
-EFI_STATUS\r
-CreateSadEntry (\r
- OUT EFI_IPSEC_SA_ID **SaId,\r
- OUT EFI_IPSEC_SA_DATA2 **Data,\r
- IN LIST_ENTRY *ParamPackage,\r
- OUT UINT32 *Mask,\r
- IN BOOLEAN CreateNew\r
- )\r
-{\r
- EFI_STATUS Status;\r
- EFI_STATUS ReturnStatus;\r
- UINTN AuthKeyLength;\r
- UINTN EncKeyLength;\r
- CONST CHAR16 *ValueStr;\r
- CHAR8 *AsciiStr;\r
- UINTN DataSize;\r
-\r
- Status = EFI_SUCCESS;\r
- ReturnStatus = EFI_SUCCESS;\r
- *Mask = 0;\r
- AuthKeyLength = 0;\r
- EncKeyLength = 0;\r
-\r
- *SaId = AllocateZeroPool (sizeof (EFI_IPSEC_SA_ID));\r
- ASSERT (*SaId != NULL);\r
-\r
- //\r
- // Convert user imput from string to integer, and fill in the Spi in EFI_IPSEC_SA_ID.\r
- //\r
- Status = GetNumber (L"--spi", (UINT32) -1, &(*SaId)->Spi, sizeof (UINT32), NULL, ParamPackage, FORMAT_NUMBER);\r
- if (!EFI_ERROR (Status)) {\r
- *Mask |= SPI;\r
- }\r
-\r
- if (Status == EFI_INVALID_PARAMETER) {\r
- ReturnStatus = EFI_INVALID_PARAMETER;\r
- }\r
-\r
- //\r
- // Convert user imput from string to integer, and fill in the Proto in EFI_IPSEC_SA_ID.\r
- //\r
- Status = GetNumber (\r
- L"--ipsec-proto",\r
- 0,\r
- &(*SaId)->Proto,\r
- sizeof (EFI_IPSEC_PROTOCOL_TYPE),\r
- mMapIpSecProtocol,\r
- ParamPackage,\r
- FORMAT_STRING\r
- );\r
- if (!EFI_ERROR (Status)) {\r
- *Mask |= IPSEC_PROTO;\r
- }\r
-\r
- if (Status == EFI_INVALID_PARAMETER) {\r
- ReturnStatus = EFI_INVALID_PARAMETER;\r
- }\r
-\r
- //\r
- // Convert user imput from string to integer, and fill in EFI_IPSEC_SA_DATA2.\r
- //\r
- ValueStr = ShellCommandLineGetValue (ParamPackage, L"--auth-key");\r
- if (ValueStr != NULL) {\r
- AuthKeyLength = StrLen (ValueStr);\r
- }\r
-\r
- ValueStr = ShellCommandLineGetValue (ParamPackage, L"--encrypt-key");\r
- if (ValueStr != NULL) {\r
- EncKeyLength = StrLen (ValueStr);\r
- }\r
-\r
- //\r
- // EFI_IPSEC_SA_DATA2:\r
- // +------------\r
- // | EFI_IPSEC_SA_DATA2\r
- // +-----------------------\r
- // | AuthKey\r
- // +-------------------------\r
- // | EncKey\r
- // +-------------------------\r
- // | SpdSelector\r
- //\r
- // Notes: To make sure the address alignment add padding after each data if needed.\r
- //\r
- DataSize = ALIGN_VARIABLE (sizeof (EFI_IPSEC_SA_DATA2));\r
- DataSize = ALIGN_VARIABLE (DataSize + AuthKeyLength);\r
- DataSize = ALIGN_VARIABLE (DataSize + EncKeyLength);\r
- DataSize = ALIGN_VARIABLE (DataSize + sizeof (EFI_IPSEC_SPD_SELECTOR));\r
- DataSize = ALIGN_VARIABLE (DataSize + sizeof (EFI_IP_ADDRESS_INFO));\r
- DataSize += sizeof (EFI_IP_ADDRESS_INFO);\r
-\r
-\r
-\r
- *Data = AllocateZeroPool (DataSize);\r
- ASSERT (*Data != NULL);\r
-\r
- (*Data)->ManualSet = TRUE;\r
- (*Data)->AlgoInfo.EspAlgoInfo.AuthKey = (VOID *) ALIGN_POINTER (((*Data) + 1), sizeof (UINTN));\r
- (*Data)->AlgoInfo.EspAlgoInfo.EncKey = (VOID *) ALIGN_POINTER (\r
- ((UINT8 *) (*Data)->AlgoInfo.EspAlgoInfo.AuthKey + AuthKeyLength),\r
- sizeof (UINTN)\r
- );\r
- (*Data)->SpdSelector = (EFI_IPSEC_SPD_SELECTOR *) ALIGN_POINTER (\r
- ((UINT8 *) (*Data)->AlgoInfo.EspAlgoInfo.EncKey + EncKeyLength),\r
- sizeof (UINTN)\r
- );\r
- (*Data)->SpdSelector->LocalAddress = (EFI_IP_ADDRESS_INFO *) ALIGN_POINTER (\r
- ((UINT8 *) (*Data)->SpdSelector + sizeof (EFI_IPSEC_SPD_SELECTOR)),\r
- sizeof (UINTN));\r
- (*Data)->SpdSelector->RemoteAddress = (EFI_IP_ADDRESS_INFO *) ALIGN_POINTER (\r
- (*Data)->SpdSelector->LocalAddress + 1,\r
- sizeof (UINTN)\r
- );\r
-\r
- (*Data)->Mode = EfiIPsecTransport;\r
- Status = GetNumber (\r
- L"--mode",\r
- 0,\r
- &(*Data)->Mode,\r
- sizeof (EFI_IPSEC_MODE),\r
- mMapIpSecMode,\r
- ParamPackage,\r
- FORMAT_STRING\r
- );\r
- if (!EFI_ERROR (Status)) {\r
- *Mask |= MODE;\r
- }\r
-\r
- if (Status == EFI_INVALID_PARAMETER) {\r
- ReturnStatus = EFI_INVALID_PARAMETER;\r
- }\r
-\r
- //\r
- // According to RFC 4303-3.3.3. The first packet sent using a given SA\r
- // will contain a sequence number of 1.\r
- //\r
- (*Data)->SNCount = 1;\r
- Status = GetNumber (\r
- L"--sequence-number",\r
- (UINT64) -1,\r
- &(*Data)->SNCount,\r
- sizeof (UINT64),\r
- NULL,\r
- ParamPackage,\r
- FORMAT_NUMBER\r
- );\r
- if (!EFI_ERROR (Status)) {\r
- *Mask |= SEQUENCE_NUMBER;\r
- }\r
-\r
- if (Status == EFI_INVALID_PARAMETER) {\r
- ReturnStatus = EFI_INVALID_PARAMETER;\r
- }\r
-\r
- (*Data)->AntiReplayWindows = 0;\r
- Status = GetNumber (\r
- L"--antireplay-window",\r
- (UINT8) -1,\r
- &(*Data)->AntiReplayWindows,\r
- sizeof (UINT8),\r
- NULL,\r
- ParamPackage,\r
- FORMAT_NUMBER\r
- );\r
- if (!EFI_ERROR (Status)) {\r
- *Mask |= SEQUENCE_NUMBER;\r
- }\r
-\r
- if (Status == EFI_INVALID_PARAMETER) {\r
- ReturnStatus = EFI_INVALID_PARAMETER;\r
- }\r
-\r
- Status = GetNumber (\r
- L"--encrypt-algo",\r
- 0,\r
- &(*Data)->AlgoInfo.EspAlgoInfo.EncAlgoId,\r
- sizeof (UINT8),\r
- mMapEncAlgo,\r
- ParamPackage,\r
- FORMAT_STRING\r
- );\r
- if (!EFI_ERROR (Status)) {\r
- *Mask |= ENCRYPT_ALGO;\r
- }\r
-\r
- if (Status == EFI_INVALID_PARAMETER) {\r
- ReturnStatus = EFI_INVALID_PARAMETER;\r
- }\r
-\r
- ValueStr = ShellCommandLineGetValue (ParamPackage, L"--encrypt-key");\r
- if (ValueStr != NULL ) {\r
- (*Data)->AlgoInfo.EspAlgoInfo.EncKeyLength = EncKeyLength;\r
- AsciiStr = AllocateZeroPool (EncKeyLength + 1);\r
- ASSERT (AsciiStr != NULL);\r
- UnicodeStrToAsciiStrS (ValueStr, AsciiStr, EncKeyLength + 1);\r
- CopyMem ((*Data)->AlgoInfo.EspAlgoInfo.EncKey, AsciiStr, EncKeyLength);\r
- FreePool (AsciiStr);\r
- *Mask |= ENCRYPT_KEY;\r
- } else {\r
- (*Data)->AlgoInfo.EspAlgoInfo.EncKey = NULL;\r
- }\r
-\r
- Status = GetNumber (\r
- L"--auth-algo",\r
- 0,\r
- &(*Data)->AlgoInfo.EspAlgoInfo.AuthAlgoId,\r
- sizeof (UINT8),\r
- mMapAuthAlgo,\r
- ParamPackage,\r
- FORMAT_STRING\r
- );\r
- if (!EFI_ERROR (Status)) {\r
- *Mask |= AUTH_ALGO;\r
- }\r
-\r
- if (Status == EFI_INVALID_PARAMETER) {\r
- ReturnStatus = EFI_INVALID_PARAMETER;\r
- }\r
-\r
- ValueStr = ShellCommandLineGetValue (ParamPackage, L"--auth-key");\r
- if (ValueStr != NULL) {\r
- (*Data)->AlgoInfo.EspAlgoInfo.AuthKeyLength = AuthKeyLength;\r
- AsciiStr = AllocateZeroPool (AuthKeyLength + 1);\r
- ASSERT (AsciiStr != NULL);\r
- UnicodeStrToAsciiStrS (ValueStr, AsciiStr, AuthKeyLength + 1);\r
- CopyMem ((*Data)->AlgoInfo.EspAlgoInfo.AuthKey, AsciiStr, AuthKeyLength);\r
- FreePool (AsciiStr);\r
- *Mask |= AUTH_KEY;\r
- } else {\r
- (*Data)->AlgoInfo.EspAlgoInfo.AuthKey = NULL;\r
- }\r
-\r
- Status = GetNumber (\r
- L"--lifebyte",\r
- (UINT64) -1,\r
- &(*Data)->SaLifetime.ByteCount,\r
- sizeof (UINT64),\r
- NULL,\r
- ParamPackage,\r
- FORMAT_NUMBER\r
- );\r
- if (!EFI_ERROR (Status)) {\r
- *Mask |= LIFEBYTE;\r
- }\r
-\r
- if (Status == EFI_INVALID_PARAMETER) {\r
- ReturnStatus = EFI_INVALID_PARAMETER;\r
- }\r
-\r
- Status = GetNumber (\r
- L"--lifetime",\r
- (UINT64) -1,\r
- &(*Data)->SaLifetime.HardLifetime,\r
- sizeof (UINT64),\r
- NULL,\r
- ParamPackage,\r
- FORMAT_NUMBER\r
- );\r
- if (!EFI_ERROR (Status)) {\r
- *Mask |= LIFETIME;\r
- }\r
-\r
- if (Status == EFI_INVALID_PARAMETER) {\r
- ReturnStatus = EFI_INVALID_PARAMETER;\r
- }\r
-\r
- Status = GetNumber (\r
- L"--lifetime-soft",\r
- (UINT64) -1,\r
- &(*Data)->SaLifetime.SoftLifetime,\r
- sizeof (UINT64),\r
- NULL,\r
- ParamPackage,\r
- FORMAT_NUMBER\r
- );\r
- if (!EFI_ERROR (Status)) {\r
- *Mask |= LIFETIME_SOFT;\r
- }\r
-\r
- if (Status == EFI_INVALID_PARAMETER) {\r
- ReturnStatus = EFI_INVALID_PARAMETER;\r
- }\r
-\r
- Status = GetNumber (\r
- L"--path-mtu",\r
- (UINT32) -1,\r
- &(*Data)->PathMTU,\r
- sizeof (UINT32),\r
- NULL,\r
- ParamPackage,\r
- FORMAT_NUMBER\r
- );\r
- if (!EFI_ERROR (Status)) {\r
- *Mask |= PATH_MTU;\r
- }\r
-\r
- if (Status == EFI_INVALID_PARAMETER) {\r
- ReturnStatus = EFI_INVALID_PARAMETER;\r
- }\r
-\r
- //\r
- // Convert user imput from string to integer, and fill in the DestAddress in EFI_IPSEC_SA_ID.\r
- //\r
- ValueStr = ShellCommandLineGetValue (ParamPackage, L"--tunnel-dest");\r
- if (ValueStr != NULL) {\r
- Status = EfiInetAddr2 ((CHAR16 *) ValueStr, &(*Data)->TunnelDestinationAddress);\r
- if (EFI_ERROR (Status)) {\r
- ShellPrintHiiEx (\r
- -1,\r
- -1,\r
- NULL,\r
- STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE),\r
- mHiiHandle,\r
- mAppName,\r
- L"--tunnel-dest",\r
- ValueStr\r
- );\r
- ReturnStatus = EFI_INVALID_PARAMETER;\r
- } else {\r
- *Mask |= DEST;\r
- }\r
- }\r
-\r
- //\r
- // Convert user input from string to integer, and fill in the DestAddress in EFI_IPSEC_SA_ID.\r
- //\r
- ValueStr = ShellCommandLineGetValue (ParamPackage, L"--tunnel-source");\r
- if (ValueStr != NULL) {\r
- Status = EfiInetAddr2 ((CHAR16 *) ValueStr, &(*Data)->TunnelSourceAddress);\r
- if (EFI_ERROR (Status)) {\r
- ShellPrintHiiEx (\r
- -1,\r
- -1,\r
- NULL,\r
- STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE),\r
- mHiiHandle,\r
- mAppName,\r
- L"--tunnel-source",\r
- ValueStr\r
- );\r
- ReturnStatus = EFI_INVALID_PARAMETER;\r
- } else {\r
- *Mask |= SOURCE;\r
- }\r
- }\r
-\r
- //\r
- // If it is TunnelMode, then check if the tunnel-source and --tunnel-dest are set\r
- //\r
- if ((*Data)->Mode == EfiIPsecTunnel) {\r
- if ((*Mask & (DEST|SOURCE)) != (DEST|SOURCE)) {\r
- ShellPrintHiiEx (\r
- -1,\r
- -1,\r
- NULL,\r
- STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS),\r
- mHiiHandle,\r
- mAppName,\r
- L"--tunnel-source --tunnel-dest"\r
- );\r
- ReturnStatus = EFI_INVALID_PARAMETER;\r
- }\r
- }\r
- ReturnStatus = CreateSpdSelector ((*Data)->SpdSelector, ParamPackage, Mask);\r
-\r
- if (CreateNew) {\r
- if ((*Mask & (SPI|IPSEC_PROTO|LOCAL|REMOTE)) != (SPI|IPSEC_PROTO|LOCAL|REMOTE)) {\r
- ShellPrintHiiEx (\r
- -1,\r
- -1,\r
- NULL,\r
- STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS),\r
- mHiiHandle,\r
- mAppName,\r
- L"--spi --ipsec-proto --local --remote"\r
- );\r
- ReturnStatus = EFI_INVALID_PARAMETER;\r
- } else {\r
- if ((*SaId)->Proto == EfiIPsecAH) {\r
- if ((*Mask & AUTH_ALGO) == 0) {\r
- ShellPrintHiiEx (\r
- -1,\r
- -1,\r
- NULL,\r
- STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_PARAMETER),\r
- mHiiHandle,\r
- mAppName,\r
- L"--auth-algo"\r
- );\r
- ReturnStatus = EFI_INVALID_PARAMETER;\r
- } else if ((*Data)->AlgoInfo.EspAlgoInfo.AuthAlgoId != IPSEC_AALG_NONE && (*Mask & AUTH_KEY) == 0) {\r
- ShellPrintHiiEx (\r
- -1,\r
- -1,\r
- NULL,\r
- STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_PARAMETER),\r
- mHiiHandle,\r
- mAppName,\r
- L"--auth-key"\r
- );\r
- ReturnStatus = EFI_INVALID_PARAMETER;\r
- }\r
- } else {\r
- if ((*Mask & (ENCRYPT_ALGO|AUTH_ALGO)) != (ENCRYPT_ALGO|AUTH_ALGO) ) {\r
- ShellPrintHiiEx (\r
- -1,\r
- -1,\r
- NULL,\r
- STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_PARAMETER),\r
- mHiiHandle,\r
- mAppName,\r
- L"--encrypt-algo --auth-algo"\r
- );\r
- ReturnStatus = EFI_INVALID_PARAMETER;\r
- } else if ((*Data)->AlgoInfo.EspAlgoInfo.EncAlgoId != IPSEC_EALG_NONE && (*Mask & ENCRYPT_KEY) == 0) {\r
- ShellPrintHiiEx (\r
- -1,\r
- -1,\r
- NULL,\r
- STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_PARAMETER),\r
- mHiiHandle,\r
- mAppName,\r
- L"--encrypt-key"\r
- );\r
- ReturnStatus = EFI_INVALID_PARAMETER;\r
- } else if ((*Data)->AlgoInfo.EspAlgoInfo.AuthAlgoId != IPSEC_AALG_NONE && (*Mask & AUTH_KEY) == 0) {\r
- ShellPrintHiiEx (\r
- -1,\r
- -1,\r
- NULL,\r
- STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_PARAMETER),\r
- mHiiHandle,\r
- mAppName,\r
- L"--auth-key"\r
- );\r
- ReturnStatus = EFI_INVALID_PARAMETER;\r
- }\r
- }\r
- }\r
- }\r
-\r
- return ReturnStatus;\r
-}\r
-\r
-/**\r
- Fill in EFI_IPSEC_PAD_ID and EFI_IPSEC_PAD_DATA through ParamPackage list.\r
-\r
- @param[out] PadId The pointer to the EFI_IPSEC_PAD_ID structure.\r
- @param[out] Data The pointer to the EFI_IPSEC_PAD_DATA structure.\r
- @param[in] ParamPackage The pointer to the ParamPackage list.\r
- @param[out] Mask The pointer to the Mask.\r
- @param[in] CreateNew The switch to create new.\r
-\r
- @retval EFI_SUCCESS Fill in EFI_IPSEC_PAD_ID and EFI_IPSEC_PAD_DATA successfully.\r
- @retval EFI_INVALID_PARAMETER Invalid user input parameter.\r
-\r
-**/\r
-EFI_STATUS\r
-CreatePadEntry (\r
- OUT EFI_IPSEC_PAD_ID **PadId,\r
- OUT EFI_IPSEC_PAD_DATA **Data,\r
- IN LIST_ENTRY *ParamPackage,\r
- OUT UINT32 *Mask,\r
- IN BOOLEAN CreateNew\r
- )\r
-{\r
- EFI_STATUS Status;\r
- EFI_STATUS ReturnStatus;\r
- SHELL_FILE_HANDLE FileHandle;\r
- UINT64 FileSize;\r
- UINTN AuthDataLength;\r
- UINTN RevocationDataLength;\r
- UINTN DataLength;\r
- UINTN Index;\r
- CONST CHAR16 *ValueStr;\r
- UINTN DataSize;\r
-\r
- Status = EFI_SUCCESS;\r
- ReturnStatus = EFI_SUCCESS;\r
- *Mask = 0;\r
- AuthDataLength = 0;\r
- RevocationDataLength = 0;\r
-\r
- *PadId = AllocateZeroPool (sizeof (EFI_IPSEC_PAD_ID));\r
- ASSERT (*PadId != NULL);\r
-\r
- //\r
- // Convert user imput from string to integer, and fill in EFI_IPSEC_PAD_ID.\r
- //\r
- ValueStr = ShellCommandLineGetValue (ParamPackage, L"--peer-address");\r
- if (ValueStr != NULL) {\r
- (*PadId)->PeerIdValid = FALSE;\r
- Status = EfiInetAddrRange ((CHAR16 *) ValueStr, &(*PadId)->Id.IpAddress);\r
- if (EFI_ERROR (Status)) {\r
- ShellPrintHiiEx (\r
- -1,\r
- -1,\r
- NULL,\r
- STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE),\r
- mHiiHandle,\r
- mAppName,\r
- L"--peer-address",\r
- ValueStr\r
- );\r
- ReturnStatus = EFI_INVALID_PARAMETER;\r
- } else {\r
- *Mask |= PEER_ADDRESS;\r
- }\r
- }\r
-\r
- ValueStr = ShellCommandLineGetValue (ParamPackage, L"--peer-id");\r
- if (ValueStr != NULL) {\r
- (*PadId)->PeerIdValid = TRUE;\r
- StrnCpyS ((CHAR16 *) (*PadId)->Id.PeerId, MAX_PEERID_LEN / sizeof (CHAR16), ValueStr, MAX_PEERID_LEN / sizeof (CHAR16) - 1);\r
- *Mask |= PEER_ID;\r
- }\r
-\r
- ValueStr = ShellCommandLineGetValue (ParamPackage, L"--auth-data");\r
- if (ValueStr != NULL) {\r
- if (ValueStr[0] == L'@') {\r
- //\r
- // Input is a file: --auth-data "@fs1:\My Certificates\tom.dat"\r
- //\r
- Status = ShellOpenFileByName (&ValueStr[1], &FileHandle, EFI_FILE_MODE_READ, 0);\r
- if (EFI_ERROR (Status)) {\r
- ShellPrintHiiEx (\r
- -1,\r
- -1,\r
- NULL,\r
- STRING_TOKEN (STR_IPSEC_CONFIG_FILE_OPEN_FAILED),\r
- mHiiHandle,\r
- mAppName,\r
- &ValueStr[1]\r
- );\r
- ReturnStatus = EFI_INVALID_PARAMETER;\r
- } else {\r
- Status = ShellGetFileSize (FileHandle, &FileSize);\r
- ShellCloseFile (&FileHandle);\r
- if (EFI_ERROR (Status)) {\r
- ShellPrintHiiEx (\r
- -1,\r
- -1,\r
- NULL,\r
- STRING_TOKEN (STR_IPSEC_CONFIG_FILE_OPEN_FAILED),\r
- mHiiHandle,\r
- mAppName,\r
- &ValueStr[1]\r
- );\r
- ReturnStatus = EFI_INVALID_PARAMETER;\r
- } else {\r
- AuthDataLength = (UINTN) FileSize;\r
- }\r
- }\r
- } else {\r
- AuthDataLength = StrLen (ValueStr);\r
- }\r
- }\r
-\r
- ValueStr = ShellCommandLineGetValue (ParamPackage, L"--revocation-data");\r
- if (ValueStr != NULL) {\r
- RevocationDataLength = (StrLen (ValueStr) + 1) * sizeof (CHAR16);\r
- }\r
-\r
- //\r
- // Allocate Buffer for Data. Add padding after each struct to make sure the alignment\r
- // in different Arch.\r
- //\r
- DataSize = ALIGN_VARIABLE (sizeof (EFI_IPSEC_PAD_DATA));\r
- DataSize = ALIGN_VARIABLE (DataSize + AuthDataLength);\r
- DataSize += RevocationDataLength;\r
-\r
- *Data = AllocateZeroPool (DataSize);\r
- ASSERT (*Data != NULL);\r
-\r
- (*Data)->AuthData = (VOID *) ALIGN_POINTER ((*Data + 1), sizeof (UINTN));\r
- (*Data)->RevocationData = (VOID *) ALIGN_POINTER (((UINT8 *) (*Data + 1) + AuthDataLength), sizeof (UINTN));\r
- (*Data)->AuthProtocol = EfiIPsecAuthProtocolIKEv1;\r
-\r
- //\r
- // Convert user imput from string to integer, and fill in EFI_IPSEC_PAD_DATA.\r
- //\r
- Status = GetNumber (\r
- L"--auth-proto",\r
- 0,\r
- &(*Data)->AuthProtocol,\r
- sizeof (EFI_IPSEC_AUTH_PROTOCOL_TYPE),\r
- mMapAuthProto,\r
- ParamPackage,\r
- FORMAT_STRING\r
- );\r
- if (!EFI_ERROR (Status)) {\r
- *Mask |= AUTH_PROTO;\r
- }\r
-\r
- if (Status == EFI_INVALID_PARAMETER) {\r
- ReturnStatus = EFI_INVALID_PARAMETER;\r
- }\r
-\r
- Status = GetNumber (\r
- L"--auth-method",\r
- 0,\r
- &(*Data)->AuthMethod,\r
- sizeof (EFI_IPSEC_AUTH_METHOD),\r
- mMapAuthMethod,\r
- ParamPackage,\r
- FORMAT_STRING\r
- );\r
- if (!EFI_ERROR (Status)) {\r
- *Mask |= AUTH_METHOD;\r
- }\r
-\r
- if (Status == EFI_INVALID_PARAMETER) {\r
- ReturnStatus = EFI_INVALID_PARAMETER;\r
- }\r
-\r
- if (ShellCommandLineGetFlag (ParamPackage, L"--ike-id")) {\r
- (*Data)->IkeIdFlag = TRUE;\r
- *Mask |= IKE_ID;\r
- }\r
-\r
- if (ShellCommandLineGetFlag (ParamPackage, L"--ike-id-")) {\r
- (*Data)->IkeIdFlag = FALSE;\r
- *Mask |= IKE_ID;\r
- }\r
-\r
- ValueStr = ShellCommandLineGetValue (ParamPackage, L"--auth-data");\r
- if (ValueStr != NULL) {\r
- if (ValueStr[0] == L'@') {\r
- //\r
- // Input is a file: --auth-data "@fs1:\My Certificates\tom.dat"\r
- //\r
-\r
- Status = ShellOpenFileByName (&ValueStr[1], &FileHandle, EFI_FILE_MODE_READ, 0);\r
- if (EFI_ERROR (Status)) {\r
- ShellPrintHiiEx (\r
- -1,\r
- -1,\r
- NULL,\r
- STRING_TOKEN (STR_IPSEC_CONFIG_FILE_OPEN_FAILED),\r
- mHiiHandle,\r
- mAppName,\r
- &ValueStr[1]\r
- );\r
- ReturnStatus = EFI_INVALID_PARAMETER;\r
- (*Data)->AuthData = NULL;\r
- } else {\r
- DataLength = AuthDataLength;\r
- Status = ShellReadFile (FileHandle, &DataLength, (*Data)->AuthData);\r
- ShellCloseFile (&FileHandle);\r
- if (EFI_ERROR (Status)) {\r
- ShellPrintHiiEx (\r
- -1,\r
- -1,\r
- NULL,\r
- STRING_TOKEN (STR_IPSEC_CONFIG_FILE_OPEN_FAILED),\r
- mHiiHandle,\r
- mAppName,\r
- &ValueStr[1]\r
- );\r
- ReturnStatus = EFI_INVALID_PARAMETER;\r
- (*Data)->AuthData = NULL;\r
- } else {\r
- ASSERT (DataLength == AuthDataLength);\r
- *Mask |= AUTH_DATA;\r
- }\r
- }\r
- } else {\r
- for (Index = 0; Index < AuthDataLength; Index++) {\r
- ((CHAR8 *) (*Data)->AuthData)[Index] = (CHAR8) ValueStr[Index];\r
- }\r
- (*Data)->AuthDataSize = AuthDataLength;\r
- *Mask |= AUTH_DATA;\r
- }\r
- }\r
-\r
- ValueStr = ShellCommandLineGetValue (ParamPackage, L"--revocation-data");\r
- if (ValueStr != NULL) {\r
- CopyMem ((*Data)->RevocationData, ValueStr, RevocationDataLength);\r
- (*Data)->RevocationDataSize = RevocationDataLength;\r
- *Mask |= REVOCATION_DATA;\r
- } else {\r
- (*Data)->RevocationData = NULL;\r
- }\r
-\r
- if (CreateNew) {\r
- if ((*Mask & (PEER_ID | PEER_ADDRESS)) == 0) {\r
- ShellPrintHiiEx (\r
- -1,\r
- -1,\r
- NULL,\r
- STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS),\r
- mHiiHandle,\r
- mAppName,\r
- L"--peer-id --peer-address"\r
- );\r
- ReturnStatus = EFI_INVALID_PARAMETER;\r
- } else if ((*Mask & (AUTH_METHOD | AUTH_DATA)) != (AUTH_METHOD | AUTH_DATA)) {\r
- ShellPrintHiiEx (\r
- -1,\r
- -1,\r
- NULL,\r
- STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS),\r
- mHiiHandle,\r
- mAppName,\r
- L"--auth-method --auth-data"\r
- );\r
- ReturnStatus = EFI_INVALID_PARAMETER;\r
- }\r
- }\r
-\r
- return ReturnStatus;\r
-}\r
-\r
-CREATE_POLICY_ENTRY mCreatePolicyEntry[] = {\r
- (CREATE_POLICY_ENTRY) CreateSpdEntry,\r
- (CREATE_POLICY_ENTRY) CreateSadEntry,\r
- (CREATE_POLICY_ENTRY) CreatePadEntry\r
-};\r
-\r
-/**\r
- Combine old SPD entry with new SPD entry.\r
-\r
- @param[in, out] OldSelector The pointer to the EFI_IPSEC_SPD_SELECTOR structure.\r
- @param[in, out] OldData The pointer to the EFI_IPSEC_SPD_DATA structure.\r
- @param[in] NewSelector The pointer to the EFI_IPSEC_SPD_SELECTOR structure.\r
- @param[in] NewData The pointer to the EFI_IPSEC_SPD_DATA structure.\r
- @param[in] Mask The pointer to the Mask.\r
- @param[out] CreateNew The switch to create new.\r
-\r
- @retval EFI_SUCCESS Combined successfully.\r
- @retval EFI_INVALID_PARAMETER Invalid user input parameter.\r
-\r
-**/\r
-EFI_STATUS\r
-CombineSpdEntry (\r
- IN OUT EFI_IPSEC_SPD_SELECTOR *OldSelector,\r
- IN OUT EFI_IPSEC_SPD_DATA *OldData,\r
- IN EFI_IPSEC_SPD_SELECTOR *NewSelector,\r
- IN EFI_IPSEC_SPD_DATA *NewData,\r
- IN UINT32 Mask,\r
- OUT BOOLEAN *CreateNew\r
- )\r
-{\r
-\r
- //\r
- // Process Selector\r
- //\r
- *CreateNew = FALSE;\r
- if ((Mask & LOCAL) == 0) {\r
- NewSelector->LocalAddressCount = OldSelector->LocalAddressCount;\r
- NewSelector->LocalAddress = OldSelector->LocalAddress;\r
- } else if ((NewSelector->LocalAddressCount != OldSelector->LocalAddressCount) ||\r
- (CompareMem (NewSelector->LocalAddress, OldSelector->LocalAddress, NewSelector->LocalAddressCount * sizeof (EFI_IP_ADDRESS_INFO)) != 0)) {\r
- *CreateNew = TRUE;\r
- }\r
-\r
- if ((Mask & REMOTE) == 0) {\r
- NewSelector->RemoteAddressCount = OldSelector->RemoteAddressCount;\r
- NewSelector->RemoteAddress = OldSelector->RemoteAddress;\r
- } else if ((NewSelector->RemoteAddressCount != OldSelector->RemoteAddressCount) ||\r
- (CompareMem (NewSelector->RemoteAddress, OldSelector->RemoteAddress, NewSelector->RemoteAddressCount * sizeof (EFI_IP_ADDRESS_INFO)) != 0)) {\r
- *CreateNew = TRUE;\r
- }\r
-\r
- if ((Mask & PROTO) == 0) {\r
- NewSelector->NextLayerProtocol = OldSelector->NextLayerProtocol;\r
- } else if (NewSelector->NextLayerProtocol != OldSelector->NextLayerProtocol) {\r
- *CreateNew = TRUE;\r
- }\r
-\r
- switch (NewSelector->NextLayerProtocol) {\r
- case EFI_IP4_PROTO_TCP:\r
- case EFI_IP4_PROTO_UDP:\r
- if ((Mask & LOCAL_PORT) == 0) {\r
- NewSelector->LocalPort = OldSelector->LocalPort;\r
- NewSelector->LocalPortRange = OldSelector->LocalPortRange;\r
- } else if ((NewSelector->LocalPort != OldSelector->LocalPort) ||\r
- (NewSelector->LocalPortRange != OldSelector->LocalPortRange)) {\r
- *CreateNew = TRUE;\r
- }\r
-\r
- if ((Mask & REMOTE_PORT) == 0) {\r
- NewSelector->RemotePort = OldSelector->RemotePort;\r
- NewSelector->RemotePortRange = OldSelector->RemotePortRange;\r
- } else if ((NewSelector->RemotePort != OldSelector->RemotePort) ||\r
- (NewSelector->RemotePortRange != OldSelector->RemotePortRange)) {\r
- *CreateNew = TRUE;\r
- }\r
- break;\r
-\r
- case EFI_IP4_PROTO_ICMP:\r
- if ((Mask & ICMP_TYPE) == 0) {\r
- NewSelector->LocalPort = OldSelector->LocalPort;\r
- } else if (NewSelector->LocalPort != OldSelector->LocalPort) {\r
- *CreateNew = TRUE;\r
- }\r
-\r
- if ((Mask & ICMP_CODE) == 0) {\r
- NewSelector->RemotePort = OldSelector->RemotePort;\r
- } else if (NewSelector->RemotePort != OldSelector->RemotePort) {\r
- *CreateNew = TRUE;\r
- }\r
- break;\r
- }\r
- //\r
- // Process Data\r
- //\r
- OldData->SaIdCount = 0;\r
-\r
- if ((Mask & NAME) != 0) {\r
- AsciiStrCpyS ((CHAR8 *) OldData->Name, MAX_PEERID_LEN, (CHAR8 *) NewData->Name);\r
- }\r
-\r
- if ((Mask & PACKET_FLAG) != 0) {\r
- OldData->PackageFlag = NewData->PackageFlag;\r
- }\r
-\r
- if ((Mask & ACTION) != 0) {\r
- OldData->Action = NewData->Action;\r
- }\r
-\r
- if (OldData->Action != EfiIPsecActionProtect) {\r
- OldData->ProcessingPolicy = NULL;\r
- } else {\r
- //\r
- // Protect\r
- //\r
- if (OldData->ProcessingPolicy == NULL) {\r
- //\r
- // Just point to new data if originally NULL.\r
- //\r
- OldData->ProcessingPolicy = NewData->ProcessingPolicy;\r
- if (OldData->ProcessingPolicy->Mode == EfiIPsecTunnel &&\r
- (Mask & (TUNNEL_LOCAL | TUNNEL_REMOTE)) != (TUNNEL_LOCAL | TUNNEL_REMOTE)\r
- ) {\r
- //\r
- // Change to Protect action and Tunnel mode, but without providing local/remote tunnel address.\r
- //\r
- ShellPrintHiiEx (\r
- -1,\r
- -1,\r
- NULL,\r
- STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS),\r
- mHiiHandle,\r
- mAppName,\r
- L"--tunnel-local --tunnel-remote"\r
- );\r
- return EFI_INVALID_PARAMETER;\r
- }\r
- } else {\r
- //\r
- // Modify some of the data.\r
- //\r
- if ((Mask & EXT_SEQUENCE) != 0) {\r
- OldData->ProcessingPolicy->ExtSeqNum = NewData->ProcessingPolicy->ExtSeqNum;\r
- }\r
-\r
- if ((Mask & SEQUENCE_OVERFLOW) != 0) {\r
- OldData->ProcessingPolicy->SeqOverflow = NewData->ProcessingPolicy->SeqOverflow;\r
- }\r
-\r
- if ((Mask & FRAGMENT_CHECK) != 0) {\r
- OldData->ProcessingPolicy->FragCheck = NewData->ProcessingPolicy->FragCheck;\r
- }\r
-\r
- if ((Mask & LIFEBYTE) != 0) {\r
- OldData->ProcessingPolicy->SaLifetime.ByteCount = NewData->ProcessingPolicy->SaLifetime.ByteCount;\r
- }\r
-\r
- if ((Mask & LIFETIME_SOFT) != 0) {\r
- OldData->ProcessingPolicy->SaLifetime.SoftLifetime = NewData->ProcessingPolicy->SaLifetime.SoftLifetime;\r
- }\r
-\r
- if ((Mask & LIFETIME) != 0) {\r
- OldData->ProcessingPolicy->SaLifetime.HardLifetime = NewData->ProcessingPolicy->SaLifetime.HardLifetime;\r
- }\r
-\r
- if ((Mask & MODE) != 0) {\r
- OldData->ProcessingPolicy->Mode = NewData->ProcessingPolicy->Mode;\r
- }\r
-\r
- if ((Mask & IPSEC_PROTO) != 0) {\r
- OldData->ProcessingPolicy->Proto = NewData->ProcessingPolicy->Proto;\r
- }\r
-\r
- if ((Mask & AUTH_ALGO) != 0) {\r
- OldData->ProcessingPolicy->AuthAlgoId = NewData->ProcessingPolicy->AuthAlgoId;\r
- }\r
-\r
- if ((Mask & ENCRYPT_ALGO) != 0) {\r
- OldData->ProcessingPolicy->EncAlgoId = NewData->ProcessingPolicy->EncAlgoId;\r
- }\r
-\r
- if (OldData->ProcessingPolicy->Mode != EfiIPsecTunnel) {\r
- OldData->ProcessingPolicy->TunnelOption = NULL;\r
- } else {\r
- if (OldData->ProcessingPolicy->TunnelOption == NULL) {\r
- //\r
- // Set from Transport mode to Tunnel mode, should ensure TUNNEL_LOCAL & TUNNEL_REMOTE both exists.\r
- //\r
- if ((Mask & (TUNNEL_LOCAL | TUNNEL_REMOTE)) != (TUNNEL_LOCAL | TUNNEL_REMOTE)) {\r
- ShellPrintHiiEx (\r
- -1,\r
- -1,\r
- NULL,\r
- STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS),\r
- mHiiHandle,\r
- mAppName,\r
- L"--tunnel-local --tunnel-remote"\r
- );\r
- return EFI_INVALID_PARAMETER;\r
- }\r
-\r
- OldData->ProcessingPolicy->TunnelOption = NewData->ProcessingPolicy->TunnelOption;\r
- } else {\r
- if ((Mask & TUNNEL_LOCAL) != 0) {\r
- CopyMem (\r
- &OldData->ProcessingPolicy->TunnelOption->LocalTunnelAddress,\r
- &NewData->ProcessingPolicy->TunnelOption->LocalTunnelAddress,\r
- sizeof (EFI_IP_ADDRESS)\r
- );\r
- }\r
-\r
- if ((Mask & TUNNEL_REMOTE) != 0) {\r
- CopyMem (\r
- &OldData->ProcessingPolicy->TunnelOption->RemoteTunnelAddress,\r
- &NewData->ProcessingPolicy->TunnelOption->RemoteTunnelAddress,\r
- sizeof (EFI_IP_ADDRESS)\r
- );\r
- }\r
-\r
- if ((Mask & DONT_FRAGMENT) != 0) {\r
- OldData->ProcessingPolicy->TunnelOption->DF = NewData->ProcessingPolicy->TunnelOption->DF;\r
- }\r
- }\r
- }\r
- }\r
- }\r
-\r
- return EFI_SUCCESS;\r
-}\r
-\r
-/**\r
- Combine old SAD entry with new SAD entry.\r
-\r
- @param[in, out] OldSaId The pointer to the EFI_IPSEC_SA_ID structure.\r
- @param[in, out] OldData The pointer to the EFI_IPSEC_SA_DATA2 structure.\r
- @param[in] NewSaId The pointer to the EFI_IPSEC_SA_ID structure.\r
- @param[in] NewData The pointer to the EFI_IPSEC_SA_DATA2 structure.\r
- @param[in] Mask The pointer to the Mask.\r
- @param[out] CreateNew The switch to create new.\r
-\r
- @retval EFI_SUCCESS Combined successfully.\r
- @retval EFI_INVALID_PARAMETER Invalid user input parameter.\r
-\r
-**/\r
-EFI_STATUS\r
-CombineSadEntry (\r
- IN OUT EFI_IPSEC_SA_ID *OldSaId,\r
- IN OUT EFI_IPSEC_SA_DATA2 *OldData,\r
- IN EFI_IPSEC_SA_ID *NewSaId,\r
- IN EFI_IPSEC_SA_DATA2 *NewData,\r
- IN UINT32 Mask,\r
- OUT BOOLEAN *CreateNew\r
- )\r
-{\r
-\r
- *CreateNew = FALSE;\r
-\r
- if ((Mask & SPI) == 0) {\r
- NewSaId->Spi = OldSaId->Spi;\r
- } else if (NewSaId->Spi != OldSaId->Spi) {\r
- *CreateNew = TRUE;\r
- }\r
-\r
- if ((Mask & IPSEC_PROTO) == 0) {\r
- NewSaId->Proto = OldSaId->Proto;\r
- } else if (NewSaId->Proto != OldSaId->Proto) {\r
- *CreateNew = TRUE;\r
- }\r
-\r
- if ((Mask & DEST) == 0) {\r
- CopyMem (&NewData->TunnelDestinationAddress, &OldData->TunnelDestinationAddress, sizeof (EFI_IP_ADDRESS));\r
- } else if (CompareMem (&NewData->TunnelDestinationAddress, &OldData->TunnelDestinationAddress, sizeof (EFI_IP_ADDRESS)) != 0) {\r
- *CreateNew = TRUE;\r
- }\r
-\r
- if ((Mask & SOURCE) == 0) {\r
- CopyMem (&NewData->TunnelSourceAddress, &OldData->TunnelSourceAddress, sizeof (EFI_IP_ADDRESS));\r
- } else if (CompareMem (&NewData->TunnelSourceAddress, &OldData->TunnelSourceAddress, sizeof (EFI_IP_ADDRESS)) != 0) {\r
- *CreateNew = TRUE;\r
- }\r
- //\r
- // Process SA_DATA.\r
- //\r
- if ((Mask & MODE) != 0) {\r
- OldData->Mode = NewData->Mode;\r
- }\r
-\r
- if ((Mask & SEQUENCE_NUMBER) != 0) {\r
- OldData->SNCount = NewData->SNCount;\r
- }\r
-\r
- if ((Mask & ANTIREPLAY_WINDOW) != 0) {\r
- OldData->AntiReplayWindows = NewData->AntiReplayWindows;\r
- }\r
-\r
- if ((Mask & AUTH_ALGO) != 0) {\r
- OldData->AlgoInfo.EspAlgoInfo.AuthAlgoId = NewData->AlgoInfo.EspAlgoInfo.AuthAlgoId;\r
- }\r
-\r
- if ((Mask & AUTH_KEY) != 0) {\r
- OldData->AlgoInfo.EspAlgoInfo.AuthKey = NewData->AlgoInfo.EspAlgoInfo.AuthKey;\r
- OldData->AlgoInfo.EspAlgoInfo.AuthKeyLength = NewData->AlgoInfo.EspAlgoInfo.AuthKeyLength;\r
- }\r
-\r
- if ((Mask & ENCRYPT_ALGO) != 0) {\r
- OldData->AlgoInfo.EspAlgoInfo.EncAlgoId = NewData->AlgoInfo.EspAlgoInfo.EncAlgoId;\r
- }\r
-\r
- if ((Mask & ENCRYPT_KEY) != 0) {\r
- OldData->AlgoInfo.EspAlgoInfo.EncKey = NewData->AlgoInfo.EspAlgoInfo.EncKey;\r
- OldData->AlgoInfo.EspAlgoInfo.EncKeyLength = NewData->AlgoInfo.EspAlgoInfo.EncKeyLength;\r
- }\r
-\r
- if (NewSaId->Proto == EfiIPsecAH) {\r
- if ((Mask & (ENCRYPT_ALGO | ENCRYPT_KEY)) != 0) {\r
- //\r
- // Should not provide encrypt_* if AH.\r
- //\r
- ShellPrintHiiEx (\r
- -1,\r
- -1,\r
- NULL,\r
- STRING_TOKEN (STR_IPSEC_CONFIG_UNWANTED_PARAMETER),\r
- mHiiHandle,\r
- mAppName,\r
- L"--encrypt-algo --encrypt-key"\r
- );\r
- return EFI_INVALID_PARAMETER;\r
- }\r
- }\r
-\r
- if (NewSaId->Proto == EfiIPsecESP && OldSaId->Proto == EfiIPsecAH) {\r
- //\r
- // AH -> ESP\r
- // Should provide encrypt_algo at least.\r
- //\r
- if ((Mask & ENCRYPT_ALGO) == 0) {\r
- ShellPrintHiiEx (\r
- -1,\r
- -1,\r
- NULL,\r
- STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_PARAMETER),\r
- mHiiHandle,\r
- mAppName,\r
- L"--encrypt-algo"\r
- );\r
- return EFI_INVALID_PARAMETER;\r
- }\r
-\r
- //\r
- // Encrypt_key should be provided if algorithm is not NONE.\r
- //\r
- if (NewData->AlgoInfo.EspAlgoInfo.EncAlgoId != IPSEC_EALG_NONE && (Mask & ENCRYPT_KEY) == 0) {\r
- ShellPrintHiiEx (\r
- -1,\r
- -1,\r
- NULL,\r
- STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_PARAMETER),\r
- mHiiHandle,\r
- mAppName,\r
- L"--encrypt-algo"\r
- );\r
- return EFI_INVALID_PARAMETER;\r
- }\r
- }\r
-\r
- if ((Mask & LIFEBYTE) != 0) {\r
- OldData->SaLifetime.ByteCount = NewData->SaLifetime.ByteCount;\r
- }\r
-\r
- if ((Mask & LIFETIME_SOFT) != 0) {\r
- OldData->SaLifetime.SoftLifetime = NewData->SaLifetime.SoftLifetime;\r
- }\r
-\r
- if ((Mask & LIFETIME) != 0) {\r
- OldData->SaLifetime.HardLifetime = NewData->SaLifetime.HardLifetime;\r
- }\r
-\r
- if ((Mask & PATH_MTU) != 0) {\r
- OldData->PathMTU = NewData->PathMTU;\r
- }\r
- //\r
- // Process SpdSelector.\r
- //\r
- if (OldData->SpdSelector == NULL) {\r
- if ((Mask & (LOCAL | REMOTE | PROTO | LOCAL_PORT | REMOTE_PORT | ICMP_TYPE | ICMP_CODE)) != 0) {\r
- if ((Mask & (LOCAL | REMOTE | PROTO)) != (LOCAL | REMOTE | PROTO)) {\r
- ShellPrintHiiEx (\r
- -1,\r
- -1,\r
- NULL,\r
- STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS),\r
- mHiiHandle,\r
- mAppName,\r
- L"--local --remote --proto"\r
- );\r
- return EFI_INVALID_PARAMETER;\r
- }\r
-\r
- OldData->SpdSelector = NewData->SpdSelector;\r
- }\r
- } else {\r
- if ((Mask & LOCAL) != 0) {\r
- OldData->SpdSelector->LocalAddressCount = NewData->SpdSelector->LocalAddressCount;\r
- OldData->SpdSelector->LocalAddress = NewData->SpdSelector->LocalAddress;\r
- }\r
-\r
- if ((Mask & REMOTE) != 0) {\r
- OldData->SpdSelector->RemoteAddressCount = NewData->SpdSelector->RemoteAddressCount;\r
- OldData->SpdSelector->RemoteAddress = NewData->SpdSelector->RemoteAddress;\r
- }\r
-\r
- if ((Mask & PROTO) != 0) {\r
- OldData->SpdSelector->NextLayerProtocol = NewData->SpdSelector->NextLayerProtocol;\r
- }\r
-\r
- if (OldData->SpdSelector != NULL) {\r
- switch (OldData->SpdSelector->NextLayerProtocol) {\r
- case EFI_IP4_PROTO_TCP:\r
- case EFI_IP4_PROTO_UDP:\r
- if ((Mask & LOCAL_PORT) != 0) {\r
- OldData->SpdSelector->LocalPort = NewData->SpdSelector->LocalPort;\r
- }\r
-\r
- if ((Mask & REMOTE_PORT) != 0) {\r
- OldData->SpdSelector->RemotePort = NewData->SpdSelector->RemotePort;\r
- }\r
- break;\r
-\r
- case EFI_IP4_PROTO_ICMP:\r
- if ((Mask & ICMP_TYPE) != 0) {\r
- OldData->SpdSelector->LocalPort = (UINT8) NewData->SpdSelector->LocalPort;\r
- }\r
-\r
- if ((Mask & ICMP_CODE) != 0) {\r
- OldData->SpdSelector->RemotePort = (UINT8) NewData->SpdSelector->RemotePort;\r
- }\r
- break;\r
- }\r
- }\r
- }\r
-\r
- return EFI_SUCCESS;\r
-}\r
-\r
-/**\r
- Combine old PAD entry with new PAD entry.\r
-\r
- @param[in, out] OldPadId The pointer to the EFI_IPSEC_PAD_ID structure.\r
- @param[in, out] OldData The pointer to the EFI_IPSEC_PAD_DATA structure.\r
- @param[in] NewPadId The pointer to the EFI_IPSEC_PAD_ID structure.\r
- @param[in] NewData The pointer to the EFI_IPSEC_PAD_DATA structure.\r
- @param[in] Mask The pointer to the Mask.\r
- @param[out] CreateNew The switch to create new.\r
-\r
- @retval EFI_SUCCESS Combined successfully.\r
- @retval EFI_INVALID_PARAMETER Invalid user input parameter.\r
-\r
-**/\r
-EFI_STATUS\r
-CombinePadEntry (\r
- IN OUT EFI_IPSEC_PAD_ID *OldPadId,\r
- IN OUT EFI_IPSEC_PAD_DATA *OldData,\r
- IN EFI_IPSEC_PAD_ID *NewPadId,\r
- IN EFI_IPSEC_PAD_DATA *NewData,\r
- IN UINT32 Mask,\r
- OUT BOOLEAN *CreateNew\r
- )\r
-{\r
-\r
- *CreateNew = FALSE;\r
-\r
- if ((Mask & (PEER_ID | PEER_ADDRESS)) == 0) {\r
- CopyMem (NewPadId, OldPadId, sizeof (EFI_IPSEC_PAD_ID));\r
- } else {\r
- if ((Mask & PEER_ID) != 0) {\r
- if (OldPadId->PeerIdValid) {\r
- if (StrCmp ((CONST CHAR16 *) OldPadId->Id.PeerId, (CONST CHAR16 *) NewPadId->Id.PeerId) != 0) {\r
- *CreateNew = TRUE;\r
- }\r
- } else {\r
- *CreateNew = TRUE;\r
- }\r
- } else {\r
- //\r
- // MASK & PEER_ADDRESS\r
- //\r
- if (OldPadId->PeerIdValid) {\r
- *CreateNew = TRUE;\r
- } else {\r
- if ((CompareMem (&OldPadId->Id.IpAddress.Address, &NewPadId->Id.IpAddress.Address, sizeof (EFI_IP_ADDRESS)) != 0) ||\r
- (OldPadId->Id.IpAddress.PrefixLength != NewPadId->Id.IpAddress.PrefixLength)) {\r
- *CreateNew = TRUE;\r
- }\r
- }\r
- }\r
- }\r
-\r
- if ((Mask & AUTH_PROTO) != 0) {\r
- OldData->AuthProtocol = NewData->AuthProtocol;\r
- }\r
-\r
- if ((Mask & AUTH_METHOD) != 0) {\r
- OldData->AuthMethod = NewData->AuthMethod;\r
- }\r
-\r
- if ((Mask & IKE_ID) != 0) {\r
- OldData->IkeIdFlag = NewData->IkeIdFlag;\r
- }\r
-\r
- if ((Mask & AUTH_DATA) != 0) {\r
- OldData->AuthDataSize = NewData->AuthDataSize;\r
- OldData->AuthData = NewData->AuthData;\r
- }\r
-\r
- if ((Mask & REVOCATION_DATA) != 0) {\r
- OldData->RevocationDataSize = NewData->RevocationDataSize;\r
- OldData->RevocationData = NewData->RevocationData;\r
- }\r
-\r
- return EFI_SUCCESS;\r
-}\r
-\r
-COMBINE_POLICY_ENTRY mCombinePolicyEntry[] = {\r
- (COMBINE_POLICY_ENTRY) CombineSpdEntry,\r
- (COMBINE_POLICY_ENTRY) CombineSadEntry,\r
- (COMBINE_POLICY_ENTRY) CombinePadEntry\r
-};\r
-\r
-/**\r
- Edit entry information in the database.\r
-\r
- @param[in] Selector The pointer to the EFI_IPSEC_CONFIG_SELECTOR structure.\r
- @param[in] Data The pointer to the data.\r
- @param[in] Context The pointer to the INSERT_POLICY_ENTRY_CONTEXT structure.\r
-\r
- @retval EFI_SUCCESS Continue the iteration.\r
- @retval EFI_ABORTED Abort the iteration.\r
-**/\r
-EFI_STATUS\r
-EditOperatePolicyEntry (\r
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector,\r
- IN VOID *Data,\r
- IN EDIT_POLICY_ENTRY_CONTEXT *Context\r
- )\r
-{\r
- EFI_STATUS Status;\r
- BOOLEAN CreateNew;\r
-\r
- if (mMatchPolicyEntry[Context->DataType] (Selector, Data, &Context->Indexer)) {\r
- ASSERT (Context->DataType < 3);\r
-\r
- Status = mCombinePolicyEntry[Context->DataType] (\r
- Selector,\r
- Data,\r
- Context->Selector,\r
- Context->Data,\r
- Context->Mask,\r
- &CreateNew\r
- );\r
- if (!EFI_ERROR (Status)) {\r
- //\r
- // If the Selector already existed, this Entry will be updated by set data.\r
- //\r
- Status = mIpSecConfig->SetData (\r
- mIpSecConfig,\r
- Context->DataType,\r
- Context->Selector, /// New created selector.\r
- Data, /// Old date which has been modified, need to be set data.\r
- Selector\r
- );\r
- ASSERT_EFI_ERROR (Status);\r
-\r
- if (CreateNew) {\r
- //\r
- // Edit the entry to a new one. So, we need delete the old entry.\r
- //\r
- Status = mIpSecConfig->SetData (\r
- mIpSecConfig,\r
- Context->DataType,\r
- Selector, /// Old selector.\r
- NULL, /// NULL means to delete this Entry specified by Selector.\r
- NULL\r
- );\r
- ASSERT_EFI_ERROR (Status);\r
- }\r
- }\r
-\r
- Context->Status = Status;\r
- return EFI_ABORTED;\r
- }\r
-\r
- return EFI_SUCCESS;\r
-}\r
-\r
-/**\r
- Edit entry information in database according to datatype.\r
-\r
- @param[in] DataType The value of EFI_IPSEC_CONFIG_DATA_TYPE.\r
- @param[in] ParamPackage The pointer to the ParamPackage list.\r
-\r
- @retval EFI_SUCCESS Edit entry information successfully.\r
- @retval EFI_NOT_FOUND Can't find the specified entry.\r
- @retval Others Some mistaken case.\r
-**/\r
-EFI_STATUS\r
-EditPolicyEntry (\r
- IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,\r
- IN LIST_ENTRY *ParamPackage\r
- )\r
-{\r
- EFI_STATUS Status;\r
- EDIT_POLICY_ENTRY_CONTEXT Context;\r
- CONST CHAR16 *ValueStr;\r
-\r
- ValueStr = ShellCommandLineGetValue (ParamPackage, L"-e");\r
- if (ValueStr == NULL) {\r
- ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_INDEX_NOT_SPECIFIED), mHiiHandle, mAppName, ValueStr);\r
- return EFI_NOT_FOUND;\r
- }\r
-\r
- Status = mConstructPolicyEntryIndexer[DataType] (&Context.Indexer, ParamPackage);\r
- if (!EFI_ERROR (Status)) {\r
- Context.DataType = DataType;\r
- Context.Status = EFI_NOT_FOUND;\r
- Status = mCreatePolicyEntry[DataType] (&Context.Selector, &Context.Data, ParamPackage, &Context.Mask, FALSE);\r
- if (!EFI_ERROR (Status)) {\r
- ForeachPolicyEntry (DataType, (VISIT_POLICY_ENTRY) EditOperatePolicyEntry, &Context);\r
- Status = Context.Status;\r
- }\r
-\r
- if (Context.Selector != NULL) {\r
- gBS->FreePool (Context.Selector);\r
- }\r
-\r
- if (Context.Data != NULL) {\r
- gBS->FreePool (Context.Data);\r
- }\r
- }\r
-\r
- if (Status == EFI_NOT_FOUND) {\r
- ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_INDEX_NOT_FOUND), mHiiHandle, mAppName, ValueStr);\r
- } else if (EFI_ERROR (Status)) {\r
- ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_EDIT_FAILED), mHiiHandle, mAppName);\r
- }\r
-\r
- return Status;\r
-\r
-}\r
-\r
-/**\r
- Insert entry information in database.\r
-\r
- @param[in] Selector The pointer to the EFI_IPSEC_CONFIG_SELECTOR structure.\r
- @param[in] Data The pointer to the data.\r
- @param[in] Context The pointer to the INSERT_POLICY_ENTRY_CONTEXT structure.\r
-\r
- @retval EFI_SUCCESS Continue the iteration.\r
- @retval EFI_ABORTED Abort the iteration.\r
-**/\r
-EFI_STATUS\r
-InsertPolicyEntry (\r
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector,\r
- IN VOID *Data,\r
- IN INSERT_POLICY_ENTRY_CONTEXT *Context\r
- )\r
-{\r
- //\r
- // Found the entry which we want to insert before.\r
- //\r
- if (mMatchPolicyEntry[Context->DataType] (Selector, Data, &Context->Indexer)) {\r
-\r
- Context->Status = mIpSecConfig->SetData (\r
- mIpSecConfig,\r
- Context->DataType,\r
- Context->Selector,\r
- Context->Data,\r
- Selector\r
- );\r
- //\r
- // Abort the iteration after the insertion.\r
- //\r
- return EFI_ABORTED;\r
- }\r
-\r
- return EFI_SUCCESS;\r
-}\r
-\r
-/**\r
- Insert or add entry information in database according to datatype.\r
-\r
- @param[in] DataType The value of EFI_IPSEC_CONFIG_DATA_TYPE.\r
- @param[in] ParamPackage The pointer to the ParamPackage list.\r
-\r
- @retval EFI_SUCCESS Insert or add entry information successfully.\r
- @retval EFI_NOT_FOUND Can't find the specified entry.\r
- @retval EFI_BUFFER_TOO_SMALL The entry already existed.\r
- @retval EFI_UNSUPPORTED The operation is not supported.\r
- @retval Others Some mistaken case.\r
-**/\r
-EFI_STATUS\r
-AddOrInsertPolicyEntry (\r
- IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,\r
- IN LIST_ENTRY *ParamPackage\r
- )\r
-{\r
- EFI_STATUS Status;\r
- EFI_IPSEC_CONFIG_SELECTOR *Selector;\r
- VOID *Data;\r
- INSERT_POLICY_ENTRY_CONTEXT Context;\r
- UINT32 Mask;\r
- UINTN DataSize;\r
- CONST CHAR16 *ValueStr;\r
-\r
- Status = mCreatePolicyEntry[DataType] (&Selector, &Data, ParamPackage, &Mask, TRUE);\r
- if (!EFI_ERROR (Status)) {\r
- //\r
- // Find if the Selector to be inserted already exists.\r
- //\r
- DataSize = 0;\r
- Status = mIpSecConfig->GetData (\r
- mIpSecConfig,\r
- DataType,\r
- Selector,\r
- &DataSize,\r
- NULL\r
- );\r
- if (Status == EFI_BUFFER_TOO_SMALL) {\r
- ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_ALREADY_EXISTS), mHiiHandle, mAppName);\r
- } else if (ShellCommandLineGetFlag (ParamPackage, L"-a")) {\r
- Status = mIpSecConfig->SetData (\r
- mIpSecConfig,\r
- DataType,\r
- Selector,\r
- Data,\r
- NULL\r
- );\r
- } else {\r
- ValueStr = ShellCommandLineGetValue (ParamPackage, L"-i");\r
- if (ValueStr == NULL) {\r
- ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_INDEX_NOT_SPECIFIED), mHiiHandle, mAppName, ValueStr);\r
- return EFI_NOT_FOUND;\r
- }\r
-\r
- Status = mConstructPolicyEntryIndexer[DataType] (&Context.Indexer, ParamPackage);\r
- if (!EFI_ERROR (Status)) {\r
- Context.DataType = DataType;\r
- Context.Status = EFI_NOT_FOUND;\r
- Context.Selector = Selector;\r
- Context.Data = Data;\r
-\r
- ForeachPolicyEntry (DataType, (VISIT_POLICY_ENTRY) InsertPolicyEntry, &Context);\r
- Status = Context.Status;\r
- if (Status == EFI_NOT_FOUND) {\r
- ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_INDEX_NOT_FOUND), mHiiHandle, mAppName, ValueStr);\r
- }\r
- }\r
- }\r
-\r
- gBS->FreePool (Selector);\r
- gBS->FreePool (Data);\r
- }\r
-\r
- if (Status == EFI_UNSUPPORTED) {\r
- ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_INSERT_UNSUPPORT), mHiiHandle, mAppName);\r
- } else if (EFI_ERROR (Status)) {\r
- ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_INSERT_FAILED), mHiiHandle, mAppName);\r
- }\r
-\r
- return Status;\r
-}\r
+++ /dev/null
-/** @file\r
- The function declaration of policy entry operation in IpSecConfig application.\r
-\r
- Copyright (c) 2009 - 2011, Intel Corporation. All rights reserved.<BR>\r
-\r
- SPDX-License-Identifier: BSD-2-Clause-Patent\r
-\r
-**/\r
-\r
-#ifndef _POLICY_ENTRY_OPERATION_H_\r
-#define _POLICY_ENTRY_OPERATION_H_\r
-\r
-#define LOCAL BIT(0)\r
-#define REMOTE BIT(1)\r
-#define PROTO BIT(2)\r
-#define LOCAL_PORT BIT(3)\r
-#define REMOTE_PORT BIT(4)\r
-#define ICMP_TYPE BIT(5)\r
-#define ICMP_CODE BIT(6)\r
-#define NAME BIT(7)\r
-#define PACKET_FLAG BIT(8)\r
-#define ACTION BIT(9)\r
-#define EXT_SEQUENCE BIT(10)\r
-#define SEQUENCE_OVERFLOW BIT(11)\r
-#define FRAGMENT_CHECK BIT(12)\r
-#define LIFEBYTE BIT(13)\r
-#define LIFETIME_SOFT BIT(14)\r
-#define LIFETIME BIT(15)\r
-#define MODE BIT(16)\r
-#define TUNNEL_LOCAL BIT(17)\r
-#define TUNNEL_REMOTE BIT(18)\r
-#define DONT_FRAGMENT BIT(19)\r
-#define IPSEC_PROTO BIT(20)\r
-#define AUTH_ALGO BIT(21)\r
-#define ENCRYPT_ALGO BIT(22)\r
-#define SPI BIT(23)\r
-#define DEST BIT(24)\r
-#define SEQUENCE_NUMBER BIT(25)\r
-#define ANTIREPLAY_WINDOW BIT(26)\r
-#define AUTH_KEY BIT(27)\r
-#define ENCRYPT_KEY BIT(28)\r
-#define PATH_MTU BIT(29)\r
-#define SOURCE BIT(30)\r
-\r
-#define PEER_ID BIT(0)\r
-#define PEER_ADDRESS BIT(1)\r
-#define AUTH_PROTO BIT(2)\r
-#define AUTH_METHOD BIT(3)\r
-#define IKE_ID BIT(4)\r
-#define AUTH_DATA BIT(5)\r
-#define REVOCATION_DATA BIT(6)\r
-\r
-typedef struct {\r
- EFI_IPSEC_CONFIG_DATA_TYPE DataType;\r
- EFI_IPSEC_CONFIG_SELECTOR *Selector; // Data to be inserted.\r
- VOID *Data;\r
- UINT32 Mask;\r
- POLICY_ENTRY_INDEXER Indexer;\r
- EFI_STATUS Status; // Indicate whether insertion succeeds.\r
-} EDIT_POLICY_ENTRY_CONTEXT;\r
-\r
-typedef struct {\r
- EFI_IPSEC_CONFIG_DATA_TYPE DataType;\r
- EFI_IPSEC_CONFIG_SELECTOR *Selector; // Data to be inserted.\r
- VOID *Data;\r
- POLICY_ENTRY_INDEXER Indexer;\r
- EFI_STATUS Status; // Indicate whether insertion succeeds.\r
-} INSERT_POLICY_ENTRY_CONTEXT;\r
-\r
-/**\r
- The prototype for the CreateSpdEntry()/CreateSadEntry()/CreatePadEntry().\r
- Fill in EFI_IPSEC_CONFIG_SELECTOR and corresponding data thru ParamPackage list.\r
-\r
- @param[out] Selector The pointer to the EFI_IPSEC_CONFIG_SELECTOR union.\r
- @param[out] Data The pointer to corresponding data.\r
- @param[in] ParamPackage The pointer to the ParamPackage list.\r
- @param[out] Mask The pointer to the Mask.\r
- @param[in] CreateNew The switch to create new.\r
-\r
- @retval EFI_SUCCESS Filled in EFI_IPSEC_CONFIG_SELECTOR and corresponding data successfully.\r
- @retval EFI_INVALID_PARAMETER Invalid user input parameter.\r
-\r
-**/\r
-typedef\r
-EFI_STATUS\r
-(*CREATE_POLICY_ENTRY) (\r
- OUT EFI_IPSEC_CONFIG_SELECTOR **Selector,\r
- OUT VOID **Data,\r
- IN LIST_ENTRY *ParamPackage,\r
- OUT UINT32 *Mask,\r
- IN BOOLEAN CreateNew\r
- );\r
-\r
-/**\r
- The prototype for the CombineSpdEntry()/CombineSadEntry()/CombinePadEntry().\r
- Combine old SPD/SAD/PAD entry with new SPD/SAD/PAD entry.\r
-\r
- @param[in, out] OldSelector The pointer to the old EFI_IPSEC_CONFIG_SELECTOR union.\r
- @param[in, out] OldData The pointer to the corresponding old data.\r
- @param[in] NewSelector The pointer to the new EFI_IPSEC_CONFIG_SELECTOR union.\r
- @param[in] NewData The pointer to the corresponding new data.\r
- @param[in] Mask The pointer to the Mask.\r
- @param[out] CreateNew The switch to create new.\r
-\r
- @retval EFI_SUCCESS Combined successfully.\r
- @retval EFI_INVALID_PARAMETER Invalid user input parameter.\r
-\r
-**/\r
-typedef\r
-EFI_STATUS\r
-(* COMBINE_POLICY_ENTRY) (\r
- IN OUT EFI_IPSEC_CONFIG_SELECTOR *OldSelector,\r
- IN OUT VOID *OldData,\r
- IN EFI_IPSEC_CONFIG_SELECTOR *NewSelector,\r
- IN VOID *NewData,\r
- IN UINT32 Mask,\r
- OUT BOOLEAN *CreateNew\r
- );\r
-\r
-/**\r
- Insert or add entry information in database according to datatype.\r
-\r
- @param[in] DataType The value of EFI_IPSEC_CONFIG_DATA_TYPE.\r
- @param[in] ParamPackage The pointer to the ParamPackage list.\r
-\r
- @retval EFI_SUCCESS Insert or add entry information successfully.\r
- @retval EFI_NOT_FOUND Can't find the specified entry.\r
- @retval EFI_BUFFER_TOO_SMALL The entry already existed.\r
- @retval EFI_UNSUPPORTED The operation is not supported./\r
- @retval Others Some mistaken case.\r
-**/\r
-EFI_STATUS\r
-AddOrInsertPolicyEntry (\r
- IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,\r
- IN LIST_ENTRY *ParamPackage\r
- );\r
-\r
-/**\r
- Edit entry information in the database according to datatype.\r
-\r
- @param[in] DataType The value of EFI_IPSEC_CONFIG_DATA_TYPE.\r
- @param[in] ParamPackage The pointer to the ParamPackage list.\r
-\r
- @retval EFI_SUCCESS Edit entry information successfully.\r
- @retval EFI_NOT_FOUND Can't find the specified entry.\r
- @retval Others Some mistaken case.\r
-**/\r
-EFI_STATUS\r
-EditPolicyEntry (\r
- IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,\r
- IN LIST_ENTRY *ParamPackage\r
- );\r
-#endif\r
+++ /dev/null
-/** @file\r
- UEFI Component Name(2) protocol implementation for IPsec driver.\r
-\r
- Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>\r
-\r
- SPDX-License-Identifier: BSD-2-Clause-Patent\r
-\r
-**/\r
-\r
-#include "IpSecImpl.h"\r
-\r
-//\r
-// EFI Component Name Functions\r
-//\r
-/**\r
- Retrieves a Unicode string that is the user-readable name of the driver.\r
-\r
- This function retrieves the user-readable name of a driver in the form of a\r
- Unicode string. If the driver specified by This has a user-readable name in\r
- the language specified by Language, then a pointer to the driver name is\r
- returned in DriverName, and EFI_SUCCESS is returned. If the driver specified\r
- by This does not support the language specified by Language,\r
- then EFI_UNSUPPORTED is returned.\r
-\r
- @param[in] This A pointer to the EFI_COMPONENT_NAME2_PROTOCOL or\r
- EFI_COMPONENT_NAME_PROTOCOL instance.\r
-\r
- @param[in] Language A pointer to a Null-terminated ASCII string\r
- array indicating the language. This is the\r
- language of the driver name that the caller is\r
- requesting, and it must match one of the\r
- languages specified in SupportedLanguages. The\r
- number of languages supported by a driver is up\r
- to the driver writer. Language is specified\r
- in RFC 4646 or ISO 639-2 language code format.\r
-\r
- @param[out] DriverName A pointer to the Unicode string to return.\r
- This Unicode string is the name of the\r
- driver specified by This in the language\r
- specified by Language.\r
-\r
- @retval EFI_SUCCESS The Unicode string for the Driver specified by\r
- This and the language specified by Language was\r
- returned in DriverName.\r
-\r
- @retval EFI_INVALID_PARAMETER Language is NULL.\r
-\r
- @retval EFI_INVALID_PARAMETER DriverName is NULL.\r
-\r
- @retval EFI_UNSUPPORTED The driver specified by This does not support\r
- the language specified by Language.\r
-\r
-**/\r
-EFI_STATUS\r
-EFIAPI\r
-IpSecComponentNameGetDriverName (\r
- IN EFI_COMPONENT_NAME_PROTOCOL *This,\r
- IN CHAR8 *Language,\r
- OUT CHAR16 **DriverName\r
- );\r
-\r
-/**\r
- Retrieves a Unicode string that is the user-readable name of the controller\r
- that is being managed by a driver.\r
-\r
- This function retrieves the user-readable name of the controller specified by\r
- ControllerHandle and ChildHandle in the form of a Unicode string. If the\r
- driver specified by This has a user-readable name in the language specified by\r
- Language, then a pointer to the controller name is returned in ControllerName,\r
- and EFI_SUCCESS is returned. If the driver specified by This is not currently\r
- managing the controller specified by ControllerHandle and ChildHandle,\r
- then EFI_UNSUPPORTED is returned. If the driver specified by This does not\r
- support the language specified by Language, then EFI_UNSUPPORTED is returned.\r
-\r
- @param[in] This A pointer to the EFI_COMPONENT_NAME2_PROTOCOL or\r
- EFI_COMPONENT_NAME_PROTOCOL instance.\r
-\r
- @param[in] ControllerHandle The handle of a controller that the driver\r
- specified by This is managing. This handle\r
- specifies the controller whose name is to be\r
- returned.\r
-\r
- @param[in] ChildHandle The handle of the child controller to retrieve\r
- the name of. This is an optional parameter that\r
- may be NULL. It will be NULL for device\r
- drivers. It will also be NULL for a bus drivers\r
- that wish to retrieve the name of the bus\r
- controller. It will not be NULL for a bus\r
- driver that wishes to retrieve the name of a\r
- child controller.\r
-\r
- @param[in] Language A pointer to a Null-terminated ASCII string\r
- array indicating the language. This is the\r
- language of the driver name that the caller is\r
- requesting, and it must match one of the\r
- languages specified in SupportedLanguages. The\r
- number of languages supported by a driver is up\r
- to the driver writer. Language is specified in\r
- RFC 4646 or ISO 639-2 language code format.\r
-\r
- @param[out] ControllerName A pointer to the Unicode string to return.\r
- This Unicode string is the name of the\r
- controller specified by ControllerHandle and\r
- ChildHandle in the language specified by\r
- Language from the point of view of the driver\r
- specified by This.\r
-\r
- @retval EFI_SUCCESS The Unicode string for the user-readable name in\r
- the language specified by Language for the\r
- driver specified by This was returned in\r
- DriverName.\r
-\r
- @retval EFI_INVALID_PARAMETER ControllerHandle is NULL.\r
-\r
- @retval EFI_INVALID_PARAMETER ChildHandle is not NULL and it is not a valid\r
- EFI_HANDLE.\r
-\r
- @retval EFI_INVALID_PARAMETER Language is NULL.\r
-\r
- @retval EFI_INVALID_PARAMETER ControllerName is NULL.\r
-\r
- @retval EFI_UNSUPPORTED The driver specified by This is not currently\r
- managing the controller specified by\r
- ControllerHandle and ChildHandle.\r
-\r
- @retval EFI_UNSUPPORTED The driver specified by This does not support\r
- the language specified by Language.\r
-\r
-**/\r
-EFI_STATUS\r
-EFIAPI\r
-IpSecComponentNameGetControllerName (\r
- IN EFI_COMPONENT_NAME_PROTOCOL *This,\r
- IN EFI_HANDLE ControllerHandle,\r
- IN EFI_HANDLE ChildHandle, OPTIONAL\r
- IN CHAR8 *Language,\r
- OUT CHAR16 **ControllerName\r
- );\r
-\r
-//\r
-// EFI Component Name Protocol\r
-//\r
-GLOBAL_REMOVE_IF_UNREFERENCED EFI_COMPONENT_NAME_PROTOCOL gIpSecComponentName = {\r
- IpSecComponentNameGetDriverName,\r
- IpSecComponentNameGetControllerName,\r
- "eng"\r
-};\r
-\r
-//\r
-// EFI Component Name 2 Protocol\r
-//\r
-GLOBAL_REMOVE_IF_UNREFERENCED EFI_COMPONENT_NAME2_PROTOCOL gIpSecComponentName2 = {\r
- (EFI_COMPONENT_NAME2_GET_DRIVER_NAME) IpSecComponentNameGetDriverName,\r
- (EFI_COMPONENT_NAME2_GET_CONTROLLER_NAME) IpSecComponentNameGetControllerName,\r
- "en"\r
-};\r
-\r
-GLOBAL_REMOVE_IF_UNREFERENCED EFI_UNICODE_STRING_TABLE mIpSecDriverNameTable[] = {\r
- {\r
- "eng;en",\r
- L"IpSec Driver"\r
- },\r
- {\r
- NULL,\r
- NULL\r
- }\r
-};\r
-\r
-GLOBAL_REMOVE_IF_UNREFERENCED EFI_UNICODE_STRING_TABLE mIpSecControllerNameTable[] = {\r
- {\r
- "eng;en",\r
- L"IPsec Controller"\r
- },\r
- {\r
- NULL,\r
- NULL\r
- }\r
-};\r
-\r
-/**\r
- Retrieves a Unicode string that is the user-readable name of the driver.\r
-\r
- This function retrieves the user-readable name of a driver in the form of a\r
- Unicode string. If the driver specified by This has a user-readable name in\r
- the language specified by Language, then a pointer to the driver name is\r
- returned in DriverName, and EFI_SUCCESS is returned. If the driver specified\r
- by This does not support the language specified by Language,\r
- then EFI_UNSUPPORTED is returned.\r
-\r
- @param[in] This A pointer to the EFI_COMPONENT_NAME2_PROTOCOL or\r
- EFI_COMPONENT_NAME_PROTOCOL instance.\r
-\r
- @param[in] Language A pointer to a Null-terminated ASCII string\r
- array indicating the language. This is the\r
- language of the driver name that the caller is\r
- requesting, and it must match one of the\r
- languages specified in SupportedLanguages. The\r
- number of languages supported by a driver is up\r
- to the driver writer. Language is specified\r
- in RFC 4646 or ISO 639-2 language code format.\r
-\r
- @param[out] DriverName A pointer to the Unicode string to return.\r
- This Unicode string is the name of the\r
- driver specified by This in the language\r
- specified by Language.\r
-\r
- @retval EFI_SUCCESS The Unicode string for the Driver specified by\r
- This, and the language specified by Language was\r
- returned in DriverName.\r
-\r
- @retval EFI_INVALID_PARAMETER Language is NULL.\r
-\r
- @retval EFI_INVALID_PARAMETER DriverName is NULL.\r
-\r
- @retval EFI_UNSUPPORTED The driver specified by This does not support\r
- the language specified by Language.\r
-\r
-**/\r
-EFI_STATUS\r
-EFIAPI\r
-IpSecComponentNameGetDriverName (\r
- IN EFI_COMPONENT_NAME_PROTOCOL *This,\r
- IN CHAR8 *Language,\r
- OUT CHAR16 **DriverName\r
- )\r
-{\r
- return LookupUnicodeString2 (\r
- Language,\r
- This->SupportedLanguages,\r
- mIpSecDriverNameTable,\r
- DriverName,\r
- (BOOLEAN) (This == &gIpSecComponentName)\r
- );\r
-}\r
-\r
-/**\r
- Retrieves a Unicode string that is the user-readable name of the controller\r
- that is being managed by a driver.\r
-\r
- This function retrieves the user-readable name of the controller specified by\r
- ControllerHandle and ChildHandle in the form of a Unicode string. If the\r
- driver specified by This has a user-readable name in the language specified by\r
- Language, then a pointer to the controller name is returned in ControllerName,\r
- and EFI_SUCCESS is returned. If the driver specified by This is not currently\r
- managing the controller specified by ControllerHandle and ChildHandle,\r
- then EFI_UNSUPPORTED is returned. If the driver specified by This does not\r
- support the language specified by Language, then EFI_UNSUPPORTED is returned.\r
-\r
- @param[in] This A pointer to the EFI_COMPONENT_NAME2_PROTOCOL or\r
- EFI_COMPONENT_NAME_PROTOCOL instance.\r
-\r
- @param[in] ControllerHandle The handle of a controller that the driver\r
- specified by This is managing. This handle\r
- specifies the controller whose name is to be\r
- returned.\r
-\r
- @param[in] ChildHandle The handle of the child controller to retrieve\r
- the name of. This is an optional parameter that\r
- may be NULL. It will be NULL for device\r
- drivers. It will also be NULL for a bus drivers\r
- that wish to retrieve the name of the bus\r
- controller. It will not be NULL for a bus\r
- driver that wishes to retrieve the name of a\r
- child controller.\r
-\r
- @param[in] Language A pointer to a Null-terminated ASCII string\r
- array indicating the language. This is the\r
- language of the driver name that the caller is\r
- requesting, and it must match one of the\r
- languages specified in SupportedLanguages. The\r
- number of languages supported by a driver is up\r
- to the driver writer. Language is specified in\r
- RFC 4646 or ISO 639-2 language code format.\r
-\r
- @param[out] ControllerName A pointer to the Unicode string to return.\r
- This Unicode string is the name of the\r
- controller specified by ControllerHandle and\r
- ChildHandle in the language specified by\r
- Language from the point of view of the driver\r
- specified by This.\r
-\r
- @retval EFI_SUCCESS The Unicode string for the user-readable name in\r
- the language specified by Language for the\r
- driver specified by This was returned in\r
- DriverName.\r
-\r
- @retval EFI_INVALID_PARAMETER ControllerHandle is NULL.\r
-\r
- @retval EFI_INVALID_PARAMETER ChildHandle is not NULL, and it is not a valid\r
- EFI_HANDLE.\r
-\r
- @retval EFI_INVALID_PARAMETER Language is NULL.\r
-\r
- @retval EFI_INVALID_PARAMETER ControllerName is NULL.\r
-\r
- @retval EFI_UNSUPPORTED The driver specified by This is not currently\r
- managing the controller specified by\r
- ControllerHandle and ChildHandle.\r
-\r
- @retval EFI_UNSUPPORTED The driver specified by This does not support\r
- the language specified by Language.\r
-\r
-**/\r
-EFI_STATUS\r
-EFIAPI\r
-IpSecComponentNameGetControllerName (\r
- IN EFI_COMPONENT_NAME_PROTOCOL *This,\r
- IN EFI_HANDLE ControllerHandle,\r
- IN EFI_HANDLE ChildHandle, OPTIONAL\r
- IN CHAR8 *Language,\r
- OUT CHAR16 **ControllerName\r
- )\r
-{\r
- EFI_STATUS Status;\r
-\r
- //\r
- // ChildHandle must be NULL for a Device Driver\r
- //\r
- if (ChildHandle != NULL) {\r
- return EFI_UNSUPPORTED;\r
- }\r
-\r
- //\r
- // Make sure this driver is currently managing ControllerHandle\r
- //\r
- Status = gBS->OpenProtocol (\r
- ControllerHandle,\r
- &gEfiIpSec2ProtocolGuid,\r
- NULL,\r
- NULL,\r
- NULL,\r
- EFI_OPEN_PROTOCOL_TEST_PROTOCOL\r
- );\r
- if (EFI_ERROR (Status)) {\r
- return Status;\r
- }\r
-\r
- return LookupUnicodeString2 (\r
- Language,\r
- This->SupportedLanguages,\r
- mIpSecControllerNameTable,\r
- ControllerName,\r
- (BOOLEAN) (This == &gIpSecComponentName)\r
- );\r
-}\r
+++ /dev/null
-/** @file\r
- Cryptographic Parameter Constant Definitions from IETF;\r
-\r
- Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>\r
-\r
- SPDX-License-Identifier: BSD-2-Clause-Patent\r
-\r
-**/\r
-\r
-#include "Ike.h"\r
-\r
-//\r
-// "First Oakley Default Group" from RFC2409, section 6.1.\r
-//\r
-// The prime is: 2^768 - 2 ^704 - 1 + 2^64 * { [2^638 pi] + 149686 }\r
-//\r
-GLOBAL_REMOVE_IF_UNREFERENCED UINT8 Modp768Modulus[] = {\r
- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xC9, 0x0F, 0xDA, 0xA2,\r
- 0x21, 0x68, 0xC2, 0x34, 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1,\r
- 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, 0x02, 0x0B, 0xBE, 0xA6,\r
- 0x3B, 0x13, 0x9B, 0x22, 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD,\r
- 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, 0x30, 0x2B, 0x0A, 0x6D,\r
- 0xF2, 0x5F, 0x14, 0x37, 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45,\r
- 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, 0xF4, 0x4C, 0x42, 0xE9,\r
- 0xA6, 0x3A, 0x36, 0x20, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF\r
- };\r
-\r
-//\r
-// "Second Oakley Default Group" from RFC2409, section 6.2.\r
-//\r
-// The prime is: 2^1024 - 2^960 - 1 + 2^64 * { [2^894 pi] + 129093 }.\r
-//\r
-GLOBAL_REMOVE_IF_UNREFERENCED UINT8 Modp1024Modulus[] = {\r
- 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,\r
- 0x21,0x68,0xC2,0x34,0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,\r
- 0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,0x02,0x0B,0xBE,0xA6,\r
- 0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,\r
- 0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,\r
- 0xF2,0x5F,0x14,0x37,0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,\r
- 0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,0xF4,0x4C,0x42,0xE9,\r
- 0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,\r
- 0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,\r
- 0x7C,0x4B,0x1F,0xE6,0x49,0x28,0x66,0x51,0xEC,0xE6,0x53,0x81,\r
- 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,\r
- };\r
-\r
-//\r
-// "1536-bit MODP Group" from RFC3526, Section 2.\r
-//\r
-// The prime is: 2^1536 - 2^1472 - 1 + 2^64 * { [2^1406 pi] + 741804 }\r
-//\r
-GLOBAL_REMOVE_IF_UNREFERENCED UINT8 Modp1536Modulus[]={\r
- 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,\r
- 0x21,0x68,0xC2,0x34,0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,\r
- 0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,0x02,0x0B,0xBE,0xA6,\r
- 0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,\r
- 0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,\r
- 0xF2,0x5F,0x14,0x37,0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,\r
- 0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,0xF4,0x4C,0x42,0xE9,\r
- 0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,\r
- 0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,\r
- 0x7C,0x4B,0x1F,0xE6,0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D,\r
- 0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,0x98,0xDA,0x48,0x36,\r
- 0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F,\r
- 0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56,\r
- 0x20,0x85,0x52,0xBB,0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D,\r
- 0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,0xF1,0x74,0x6C,0x08,\r
- 0xCA,0x23,0x73,0x27,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,\r
- };\r
-\r
-//\r
-// "2048-bit MODP Group" from RFC3526, Section 3.\r
-//\r
-// The prime is: 2^2048 - 2^1984 - 1 + 2^64 * { [2^1918 pi] + 124476 }\r
-//\r
-GLOBAL_REMOVE_IF_UNREFERENCED UINT8 Modp2048Modulus[]={\r
- 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,\r
- 0x21,0x68,0xC2,0x34,0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,\r
- 0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,0x02,0x0B,0xBE,0xA6,\r
- 0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,\r
- 0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,\r
- 0xF2,0x5F,0x14,0x37,0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,\r
- 0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,0xF4,0x4C,0x42,0xE9,\r
- 0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,\r
- 0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,\r
- 0x7C,0x4B,0x1F,0xE6,0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D,\r
- 0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,0x98,0xDA,0x48,0x36,\r
- 0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F,\r
- 0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56,\r
- 0x20,0x85,0x52,0xBB,0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D,\r
- 0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,0xF1,0x74,0x6C,0x08,\r
- 0xCA,0x18,0x21,0x7C,0x32,0x90,0x5E,0x46,0x2E,0x36,0xCE,0x3B,\r
- 0xE3,0x9E,0x77,0x2C,0x18,0x0E,0x86,0x03,0x9B,0x27,0x83,0xA2,\r
- 0xEC,0x07,0xA2,0x8F,0xB5,0xC5,0x5D,0xF0,0x6F,0x4C,0x52,0xC9,\r
- 0xDE,0x2B,0xCB,0xF6,0x95,0x58,0x17,0x18,0x39,0x95,0x49,0x7C,\r
- 0xEA,0x95,0x6A,0xE5,0x15,0xD2,0x26,0x18,0x98,0xFA,0x05,0x10,\r
- 0x15,0x72,0x8E,0x5A,0x8A,0xAC,0xAA,0x68,0xFF,0xFF,0xFF,0xFF,\r
- 0xFF,0xFF,0xFF,0xFF,\r
- };\r
-\r
-//\r
-// "3072-bit MODP Group" from RFC3526, Section 4.\r
-//\r
-// The prime is: 2^3072 - 2^3008 - 1 + 2^64 * { [2^2942 pi] + 1690314 }\r
-//\r
-GLOBAL_REMOVE_IF_UNREFERENCED UINT8 Modp3072Modulus[]={\r
- 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,\r
- 0x21,0x68,0xC2,0x34,0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,\r
- 0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,0x02,0x0B,0xBE,0xA6,\r
- 0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,\r
- 0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,\r
- 0xF2,0x5F,0x14,0x37,0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,\r
- 0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,0xF4,0x4C,0x42,0xE9,\r
- 0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,\r
- 0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,\r
- 0x7C,0x4B,0x1F,0xE6,0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D,\r
- 0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,0x98,0xDA,0x48,0x36,\r
- 0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F,\r
- 0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56,\r
- 0x20,0x85,0x52,0xBB,0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D,\r
- 0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,0xF1,0x74,0x6C,0x08,\r
- 0xCA,0x18,0x21,0x7C,0x32,0x90,0x5E,0x46,0x2E,0x36,0xCE,0x3B,\r
- 0xE3,0x9E,0x77,0x2C,0x18,0x0E,0x86,0x03,0x9B,0x27,0x83,0xA2,\r
- 0xEC,0x07,0xA2,0x8F,0xB5,0xC5,0x5D,0xF0,0x6F,0x4C,0x52,0xC9,\r
- 0xDE,0x2B,0xCB,0xF6,0x95,0x58,0x17,0x18,0x39,0x95,0x49,0x7C,\r
- 0xEA,0x95,0x6A,0xE5,0x15,0xD2,0x26,0x18,0x98,0xFA,0x05,0x10,\r
- 0x15,0x72,0x8E,0x5A,0x8A,0xAA,0xC4,0x2D,0xAD,0x33,0x17,0x0D,\r
- 0x04,0x50,0x7A,0x33,0xA8,0x55,0x21,0xAB,0xDF,0x1C,0xBA,0x64,\r
- 0xEC,0xFB,0x85,0x04,0x58,0xDB,0xEF,0x0A,0x8A,0xEA,0x71,0x57,\r
- 0x5D,0x06,0x0C,0x7D,0xB3,0x97,0x0F,0x85,0xA6,0xE1,0xE4,0xC7,\r
- 0xAB,0xF5,0xAE,0x8C,0xDB,0x09,0x33,0xD7,0x1E,0x8C,0x94,0xE0,\r
- 0x4A,0x25,0x61,0x9D,0xCE,0xE3,0xD2,0x26,0x1A,0xD2,0xEE,0x6B,\r
- 0xF1,0x2F,0xFA,0x06,0xD9,0x8A,0x08,0x64,0xD8,0x76,0x02,0x73,\r
- 0x3E,0xC8,0x6A,0x64,0x52,0x1F,0x2B,0x18,0x17,0x7B,0x20,0x0C,\r
- 0xBB,0xE1,0x17,0x57,0x7A,0x61,0x5D,0x6C,0x77,0x09,0x88,0xC0,\r
- 0xBA,0xD9,0x46,0xE2,0x08,0xE2,0x4F,0xA0,0x74,0xE5,0xAB,0x31,\r
- 0x43,0xDB,0x5B,0xFC,0xE0,0xFD,0x10,0x8E,0x4B,0x82,0xD1,0x20,\r
- 0xA9,0x3A,0xD2,0xCA,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,\r
- };\r
-\r
-//\r
-// "4096-bit MODP Group" from RFC3526, Section 5.\r
-//\r
-// The prime is: 2^4096 - 2^4032 - 1 + 2^64 * { [2^3966 pi] + 240904 }\r
-//\r
-GLOBAL_REMOVE_IF_UNREFERENCED UINT8 Modp4096Modulus[]={\r
- 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,\r
- 0x21,0x68,0xC2,0x34,0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,\r
- 0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,0x02,0x0B,0xBE,0xA6,\r
- 0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,\r
- 0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,\r
- 0xF2,0x5F,0x14,0x37,0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,\r
- 0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,0xF4,0x4C,0x42,0xE9,\r
- 0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,\r
- 0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,\r
- 0x7C,0x4B,0x1F,0xE6,0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D,\r
- 0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,0x98,0xDA,0x48,0x36,\r
- 0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F,\r
- 0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56,\r
- 0x20,0x85,0x52,0xBB,0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D,\r
- 0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,0xF1,0x74,0x6C,0x08,\r
- 0xCA,0x18,0x21,0x7C,0x32,0x90,0x5E,0x46,0x2E,0x36,0xCE,0x3B,\r
- 0xE3,0x9E,0x77,0x2C,0x18,0x0E,0x86,0x03,0x9B,0x27,0x83,0xA2,\r
- 0xEC,0x07,0xA2,0x8F,0xB5,0xC5,0x5D,0xF0,0x6F,0x4C,0x52,0xC9,\r
- 0xDE,0x2B,0xCB,0xF6,0x95,0x58,0x17,0x18,0x39,0x95,0x49,0x7C,\r
- 0xEA,0x95,0x6A,0xE5,0x15,0xD2,0x26,0x18,0x98,0xFA,0x05,0x10,\r
- 0x15,0x72,0x8E,0x5A,0x8A,0xAA,0xC4,0x2D,0xAD,0x33,0x17,0x0D,\r
- 0x04,0x50,0x7A,0x33,0xA8,0x55,0x21,0xAB,0xDF,0x1C,0xBA,0x64,\r
- 0xEC,0xFB,0x85,0x04,0x58,0xDB,0xEF,0x0A,0x8A,0xEA,0x71,0x57,\r
- 0x5D,0x06,0x0C,0x7D,0xB3,0x97,0x0F,0x85,0xA6,0xE1,0xE4,0xC7,\r
- 0xAB,0xF5,0xAE,0x8C,0xDB,0x09,0x33,0xD7,0x1E,0x8C,0x94,0xE0,\r
- 0x4A,0x25,0x61,0x9D,0xCE,0xE3,0xD2,0x26,0x1A,0xD2,0xEE,0x6B,\r
- 0xF1,0x2F,0xFA,0x06,0xD9,0x8A,0x08,0x64,0xD8,0x76,0x02,0x73,\r
- 0x3E,0xC8,0x6A,0x64,0x52,0x1F,0x2B,0x18,0x17,0x7B,0x20,0x0C,\r
- 0xBB,0xE1,0x17,0x57,0x7A,0x61,0x5D,0x6C,0x77,0x09,0x88,0xC0,\r
- 0xBA,0xD9,0x46,0xE2,0x08,0xE2,0x4F,0xA0,0x74,0xE5,0xAB,0x31,\r
- 0x43,0xDB,0x5B,0xFC,0xE0,0xFD,0x10,0x8E,0x4B,0x82,0xD1,0x20,\r
- 0xA9,0x21,0x08,0x01,0x1A,0x72,0x3C,0x12,0xA7,0x87,0xE6,0xD7,\r
- 0x88,0x71,0x9A,0x10,0xBD,0xBA,0x5B,0x26,0x99,0xC3,0x27,0x18,\r
- 0x6A,0xF4,0xE2,0x3C,0x1A,0x94,0x68,0x34,0xB6,0x15,0x0B,0xDA,\r
- 0x25,0x83,0xE9,0xCA,0x2A,0xD4,0x4C,0xE8,0xDB,0xBB,0xC2,0xDB,\r
- 0x04,0xDE,0x8E,0xF9,0x2E,0x8E,0xFC,0x14,0x1F,0xBE,0xCA,0xA6,\r
- 0x28,0x7C,0x59,0x47,0x4E,0x6B,0xC0,0x5D,0x99,0xB2,0x96,0x4F,\r
- 0xA0,0x90,0xC3,0xA2,0x23,0x3B,0xA1,0x86,0x51,0x5B,0xE7,0xED,\r
- 0x1F,0x61,0x29,0x70,0xCE,0xE2,0xD7,0xAF,0xB8,0x1B,0xDD,0x76,\r
- 0x21,0x70,0x48,0x1C,0xD0,0x06,0x91,0x27,0xD5,0xB0,0x5A,0xA9,\r
- 0x93,0xB4,0xEA,0x98,0x8D,0x8F,0xDD,0xC1,0x86,0xFF,0xB7,0xDC,\r
- 0x90,0xA6,0xC0,0x8F,0x4D,0xF4,0x35,0xC9,0x34,0x06,0x31,0x99,\r
- 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,\r
- };\r
-\r
-//\r
-// "6144-bit MODP Group" from RFC3526, Section 6.\r
-//\r
-// The prime is: 2^6144 - 2^6080 - 1 + 2^64 * { [2^6014 pi] + 929484 }\r
-//\r
-GLOBAL_REMOVE_IF_UNREFERENCED UINT8 Modp6144Modulus[]={\r
- 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,\r
- 0x21,0x68,0xC2,0x34,0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,\r
- 0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,0x02,0x0B,0xBE,0xA6,\r
- 0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,\r
- 0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,\r
- 0xF2,0x5F,0x14,0x37,0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,\r
- 0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,0xF4,0x4C,0x42,0xE9,\r
- 0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,\r
- 0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,\r
- 0x7C,0x4B,0x1F,0xE6,0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D,\r
- 0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,0x98,0xDA,0x48,0x36,\r
- 0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F,\r
- 0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56,\r
- 0x20,0x85,0x52,0xBB,0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D,\r
- 0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,0xF1,0x74,0x6C,0x08,\r
- 0xCA,0x18,0x21,0x7C,0x32,0x90,0x5E,0x46,0x2E,0x36,0xCE,0x3B,\r
- 0xE3,0x9E,0x77,0x2C,0x18,0x0E,0x86,0x03,0x9B,0x27,0x83,0xA2,\r
- 0xEC,0x07,0xA2,0x8F,0xB5,0xC5,0x5D,0xF0,0x6F,0x4C,0x52,0xC9,\r
- 0xDE,0x2B,0xCB,0xF6,0x95,0x58,0x17,0x18,0x39,0x95,0x49,0x7C,\r
- 0xEA,0x95,0x6A,0xE5,0x15,0xD2,0x26,0x18,0x98,0xFA,0x05,0x10,\r
- 0x15,0x72,0x8E,0x5A,0x8A,0xAA,0xC4,0x2D,0xAD,0x33,0x17,0x0D,\r
- 0x04,0x50,0x7A,0x33,0xA8,0x55,0x21,0xAB,0xDF,0x1C,0xBA,0x64,\r
- 0xEC,0xFB,0x85,0x04,0x58,0xDB,0xEF,0x0A,0x8A,0xEA,0x71,0x57,\r
- 0x5D,0x06,0x0C,0x7D,0xB3,0x97,0x0F,0x85,0xA6,0xE1,0xE4,0xC7,\r
- 0xAB,0xF5,0xAE,0x8C,0xDB,0x09,0x33,0xD7,0x1E,0x8C,0x94,0xE0,\r
- 0x4A,0x25,0x61,0x9D,0xCE,0xE3,0xD2,0x26,0x1A,0xD2,0xEE,0x6B,\r
- 0xF1,0x2F,0xFA,0x06,0xD9,0x8A,0x08,0x64,0xD8,0x76,0x02,0x73,\r
- 0x3E,0xC8,0x6A,0x64,0x52,0x1F,0x2B,0x18,0x17,0x7B,0x20,0x0C,\r
- 0xBB,0xE1,0x17,0x57,0x7A,0x61,0x5D,0x6C,0x77,0x09,0x88,0xC0,\r
- 0xBA,0xD9,0x46,0xE2,0x08,0xE2,0x4F,0xA0,0x74,0xE5,0xAB,0x31,\r
- 0x43,0xDB,0x5B,0xFC,0xE0,0xFD,0x10,0x8E,0x4B,0x82,0xD1,0x20,\r
- 0xA9,0x21,0x08,0x01,0x1A,0x72,0x3C,0x12,0xA7,0x87,0xE6,0xD7,\r
- 0x88,0x71,0x9A,0x10,0xBD,0xBA,0x5B,0x26,0x99,0xC3,0x27,0x18,\r
- 0x6A,0xF4,0xE2,0x3C,0x1A,0x94,0x68,0x34,0xB6,0x15,0x0B,0xDA,\r
- 0x25,0x83,0xE9,0xCA,0x2A,0xD4,0x4C,0xE8,0xDB,0xBB,0xC2,0xDB,\r
- 0x04,0xDE,0x8E,0xF9,0x2E,0x8E,0xFC,0x14,0x1F,0xBE,0xCA,0xA6,\r
- 0x28,0x7C,0x59,0x47,0x4E,0x6B,0xC0,0x5D,0x99,0xB2,0x96,0x4F,\r
- 0xA0,0x90,0xC3,0xA2,0x23,0x3B,0xA1,0x86,0x51,0x5B,0xE7,0xED,\r
- 0x1F,0x61,0x29,0x70,0xCE,0xE2,0xD7,0xAF,0xB8,0x1B,0xDD,0x76,\r
- 0x21,0x70,0x48,0x1C,0xD0,0x06,0x91,0x27,0xD5,0xB0,0x5A,0xA9,\r
- 0x93,0xB4,0xEA,0x98,0x8D,0x8F,0xDD,0xC1,0x86,0xFF,0xB7,0xDC,\r
- 0x90,0xA6,0xC0,0x8F,0x4D,0xF4,0x35,0xC9,0x34,0x02,0x84,0x92,\r
- 0x36,0xC3,0xFA,0xB4,0xD2,0x7C,0x70,0x26,0xC1,0xD4,0xDC,0xB2,\r
- 0x60,0x26,0x46,0xDE,0xC9,0x75,0x1E,0x76,0x3D,0xBA,0x37,0xBD,\r
- 0xF8,0xFF,0x94,0x06,0xAD,0x9E,0x53,0x0E,0xE5,0xDB,0x38,0x2F,\r
- 0x41,0x30,0x01,0xAE,0xB0,0x6A,0x53,0xED,0x90,0x27,0xD8,0x31,\r
- 0x17,0x97,0x27,0xB0,0x86,0x5A,0x89,0x18,0xDA,0x3E,0xDB,0xEB,\r
- 0xCF,0x9B,0x14,0xED,0x44,0xCE,0x6C,0xBA,0xCE,0xD4,0xBB,0x1B,\r
- 0xDB,0x7F,0x14,0x47,0xE6,0xCC,0x25,0x4B,0x33,0x20,0x51,0x51,\r
- 0x2B,0xD7,0xAF,0x42,0x6F,0xB8,0xF4,0x01,0x37,0x8C,0xD2,0xBF,\r
- 0x59,0x83,0xCA,0x01,0xC6,0x4B,0x92,0xEC,0xF0,0x32,0xEA,0x15,\r
- 0xD1,0x72,0x1D,0x03,0xF4,0x82,0xD7,0xCE,0x6E,0x74,0xFE,0xF6,\r
- 0xD5,0x5E,0x70,0x2F,0x46,0x98,0x0C,0x82,0xB5,0xA8,0x40,0x31,\r
- 0x90,0x0B,0x1C,0x9E,0x59,0xE7,0xC9,0x7F,0xBE,0xC7,0xE8,0xF3,\r
- 0x23,0xA9,0x7A,0x7E,0x36,0xCC,0x88,0xBE,0x0F,0x1D,0x45,0xB7,\r
- 0xFF,0x58,0x5A,0xC5,0x4B,0xD4,0x07,0xB2,0x2B,0x41,0x54,0xAA,\r
- 0xCC,0x8F,0x6D,0x7E,0xBF,0x48,0xE1,0xD8,0x14,0xCC,0x5E,0xD2,\r
- 0x0F,0x80,0x37,0xE0,0xA7,0x97,0x15,0xEE,0xF2,0x9B,0xE3,0x28,\r
- 0x06,0xA1,0xD5,0x8B,0xB7,0xC5,0xDA,0x76,0xF5,0x50,0xAA,0x3D,\r
- 0x8A,0x1F,0xBF,0xF0,0xEB,0x19,0xCC,0xB1,0xA3,0x13,0xD5,0x5C,\r
- 0xDA,0x56,0xC9,0xEC,0x2E,0xF2,0x96,0x32,0x38,0x7F,0xE8,0xD7,\r
- 0x6E,0x3C,0x04,0x68,0x04,0x3E,0x8F,0x66,0x3F,0x48,0x60,0xEE,\r
- 0x12,0xBF,0x2D,0x5B,0x0B,0x74,0x74,0xD6,0xE6,0x94,0xF9,0x1E,\r
- 0x6D,0xCC,0x40,0x24,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,\r
- };\r
-\r
-//\r
-// "8192-bit MODP Group" from RFC3526, Section 7.\r
-//\r
-// The prime is: 2^8192 - 2^8128 - 1 + 2^64 * { [2^8062 pi] + 4743158 }\r
-//\r
-GLOBAL_REMOVE_IF_UNREFERENCED UINT8 Modp8192Modulus[]={\r
- 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,\r
- 0x21,0x68,0xC2,0x34,0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,\r
- 0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,0x02,0x0B,0xBE,0xA6,\r
- 0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,\r
- 0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,\r
- 0xF2,0x5F,0x14,0x37,0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,\r
- 0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,0xF4,0x4C,0x42,0xE9,\r
- 0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,\r
- 0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,\r
- 0x7C,0x4B,0x1F,0xE6,0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D,\r
- 0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,0x98,0xDA,0x48,0x36,\r
- 0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F,\r
- 0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56,\r
- 0x20,0x85,0x52,0xBB,0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D,\r
- 0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,0xF1,0x74,0x6C,0x08,\r
- 0xCA,0x18,0x21,0x7C,0x32,0x90,0x5E,0x46,0x2E,0x36,0xCE,0x3B,\r
- 0xE3,0x9E,0x77,0x2C,0x18,0x0E,0x86,0x03,0x9B,0x27,0x83,0xA2,\r
- 0xEC,0x07,0xA2,0x8F,0xB5,0xC5,0x5D,0xF0,0x6F,0x4C,0x52,0xC9,\r
- 0xDE,0x2B,0xCB,0xF6,0x95,0x58,0x17,0x18,0x39,0x95,0x49,0x7C,\r
- 0xEA,0x95,0x6A,0xE5,0x15,0xD2,0x26,0x18,0x98,0xFA,0x05,0x10,\r
- 0x15,0x72,0x8E,0x5A,0x8A,0xAA,0xC4,0x2D,0xAD,0x33,0x17,0x0D,\r
- 0x04,0x50,0x7A,0x33,0xA8,0x55,0x21,0xAB,0xDF,0x1C,0xBA,0x64,\r
- 0xEC,0xFB,0x85,0x04,0x58,0xDB,0xEF,0x0A,0x8A,0xEA,0x71,0x57,\r
- 0x5D,0x06,0x0C,0x7D,0xB3,0x97,0x0F,0x85,0xA6,0xE1,0xE4,0xC7,\r
- 0xAB,0xF5,0xAE,0x8C,0xDB,0x09,0x33,0xD7,0x1E,0x8C,0x94,0xE0,\r
- 0x4A,0x25,0x61,0x9D,0xCE,0xE3,0xD2,0x26,0x1A,0xD2,0xEE,0x6B,\r
- 0xF1,0x2F,0xFA,0x06,0xD9,0x8A,0x08,0x64,0xD8,0x76,0x02,0x73,\r
- 0x3E,0xC8,0x6A,0x64,0x52,0x1F,0x2B,0x18,0x17,0x7B,0x20,0x0C,\r
- 0xBB,0xE1,0x17,0x57,0x7A,0x61,0x5D,0x6C,0x77,0x09,0x88,0xC0,\r
- 0xBA,0xD9,0x46,0xE2,0x08,0xE2,0x4F,0xA0,0x74,0xE5,0xAB,0x31,\r
- 0x43,0xDB,0x5B,0xFC,0xE0,0xFD,0x10,0x8E,0x4B,0x82,0xD1,0x20,\r
- 0xA9,0x21,0x08,0x01,0x1A,0x72,0x3C,0x12,0xA7,0x87,0xE6,0xD7,\r
- 0x88,0x71,0x9A,0x10,0xBD,0xBA,0x5B,0x26,0x99,0xC3,0x27,0x18,\r
- 0x6A,0xF4,0xE2,0x3C,0x1A,0x94,0x68,0x34,0xB6,0x15,0x0B,0xDA,\r
- 0x25,0x83,0xE9,0xCA,0x2A,0xD4,0x4C,0xE8,0xDB,0xBB,0xC2,0xDB,\r
- 0x04,0xDE,0x8E,0xF9,0x2E,0x8E,0xFC,0x14,0x1F,0xBE,0xCA,0xA6,\r
- 0x28,0x7C,0x59,0x47,0x4E,0x6B,0xC0,0x5D,0x99,0xB2,0x96,0x4F,\r
- 0xA0,0x90,0xC3,0xA2,0x23,0x3B,0xA1,0x86,0x51,0x5B,0xE7,0xED,\r
- 0x1F,0x61,0x29,0x70,0xCE,0xE2,0xD7,0xAF,0xB8,0x1B,0xDD,0x76,\r
- 0x21,0x70,0x48,0x1C,0xD0,0x06,0x91,0x27,0xD5,0xB0,0x5A,0xA9,\r
- 0x93,0xB4,0xEA,0x98,0x8D,0x8F,0xDD,0xC1,0x86,0xFF,0xB7,0xDC,\r
- 0x90,0xA6,0xC0,0x8F,0x4D,0xF4,0x35,0xC9,0x34,0x02,0x84,0x92,\r
- 0x36,0xC3,0xFA,0xB4,0xD2,0x7C,0x70,0x26,0xC1,0xD4,0xDC,0xB2,\r
- 0x60,0x26,0x46,0xDE,0xC9,0x75,0x1E,0x76,0x3D,0xBA,0x37,0xBD,\r
- 0xF8,0xFF,0x94,0x06,0xAD,0x9E,0x53,0x0E,0xE5,0xDB,0x38,0x2F,\r
- 0x41,0x30,0x01,0xAE,0xB0,0x6A,0x53,0xED,0x90,0x27,0xD8,0x31,\r
- 0x17,0x97,0x27,0xB0,0x86,0x5A,0x89,0x18,0xDA,0x3E,0xDB,0xEB,\r
- 0xCF,0x9B,0x14,0xED,0x44,0xCE,0x6C,0xBA,0xCE,0xD4,0xBB,0x1B,\r
- 0xDB,0x7F,0x14,0x47,0xE6,0xCC,0x25,0x4B,0x33,0x20,0x51,0x51,\r
- 0x2B,0xD7,0xAF,0x42,0x6F,0xB8,0xF4,0x01,0x37,0x8C,0xD2,0xBF,\r
- 0x59,0x83,0xCA,0x01,0xC6,0x4B,0x92,0xEC,0xF0,0x32,0xEA,0x15,\r
- 0xD1,0x72,0x1D,0x03,0xF4,0x82,0xD7,0xCE,0x6E,0x74,0xFE,0xF6,\r
- 0xD5,0x5E,0x70,0x2F,0x46,0x98,0x0C,0x82,0xB5,0xA8,0x40,0x31,\r
- 0x90,0x0B,0x1C,0x9E,0x59,0xE7,0xC9,0x7F,0xBE,0xC7,0xE8,0xF3,\r
- 0x23,0xA9,0x7A,0x7E,0x36,0xCC,0x88,0xBE,0x0F,0x1D,0x45,0xB7,\r
- 0xFF,0x58,0x5A,0xC5,0x4B,0xD4,0x07,0xB2,0x2B,0x41,0x54,0xAA,\r
- 0xCC,0x8F,0x6D,0x7E,0xBF,0x48,0xE1,0xD8,0x14,0xCC,0x5E,0xD2,\r
- 0x0F,0x80,0x37,0xE0,0xA7,0x97,0x15,0xEE,0xF2,0x9B,0xE3,0x28,\r
- 0x06,0xA1,0xD5,0x8B,0xB7,0xC5,0xDA,0x76,0xF5,0x50,0xAA,0x3D,\r
- 0x8A,0x1F,0xBF,0xF0,0xEB,0x19,0xCC,0xB1,0xA3,0x13,0xD5,0x5C,\r
- 0xDA,0x56,0xC9,0xEC,0x2E,0xF2,0x96,0x32,0x38,0x7F,0xE8,0xD7,\r
- 0x6E,0x3C,0x04,0x68,0x04,0x3E,0x8F,0x66,0x3F,0x48,0x60,0xEE,\r
- 0x12,0xBF,0x2D,0x5B,0x0B,0x74,0x74,0xD6,0xE6,0x94,0xF9,0x1E,\r
- 0x6D,0xBE,0x11,0x59,0x74,0xA3,0x92,0x6F,0x12,0xFE,0xE5,0xE4,\r
- 0x38,0x77,0x7C,0xB6,0xA9,0x32,0xDF,0x8C,0xD8,0xBE,0xC4,0xD0,\r
- 0x73,0xB9,0x31,0xBA,0x3B,0xC8,0x32,0xB6,0x8D,0x9D,0xD3,0x00,\r
- 0x74,0x1F,0xA7,0xBF,0x8A,0xFC,0x47,0xED,0x25,0x76,0xF6,0x93,\r
- 0x6B,0xA4,0x24,0x66,0x3A,0xAB,0x63,0x9C,0x5A,0xE4,0xF5,0x68,\r
- 0x34,0x23,0xB4,0x74,0x2B,0xF1,0xC9,0x78,0x23,0x8F,0x16,0xCB,\r
- 0xE3,0x9D,0x65,0x2D,0xE3,0xFD,0xB8,0xBE,0xFC,0x84,0x8A,0xD9,\r
- 0x22,0x22,0x2E,0x04,0xA4,0x03,0x7C,0x07,0x13,0xEB,0x57,0xA8,\r
- 0x1A,0x23,0xF0,0xC7,0x34,0x73,0xFC,0x64,0x6C,0xEA,0x30,0x6B,\r
- 0x4B,0xCB,0xC8,0x86,0x2F,0x83,0x85,0xDD,0xFA,0x9D,0x4B,0x7F,\r
- 0xA2,0xC0,0x87,0xE8,0x79,0x68,0x33,0x03,0xED,0x5B,0xDD,0x3A,\r
- 0x06,0x2B,0x3C,0xF5,0xB3,0xA2,0x78,0xA6,0x6D,0x2A,0x13,0xF8,\r
- 0x3F,0x44,0xF8,0x2D,0xDF,0x31,0x0E,0xE0,0x74,0xAB,0x6A,0x36,\r
- 0x45,0x97,0xE8,0x99,0xA0,0x25,0x5D,0xC1,0x64,0xF3,0x1C,0xC5,\r
- 0x08,0x46,0x85,0x1D,0xF9,0xAB,0x48,0x19,0x5D,0xED,0x7E,0xA1,\r
- 0xB1,0xD5,0x10,0xBD,0x7E,0xE7,0x4D,0x73,0xFA,0xF3,0x6B,0xC3,\r
- 0x1E,0xCF,0xA2,0x68,0x35,0x90,0x46,0xF4,0xEB,0x87,0x9F,0x92,\r
- 0x40,0x09,0x43,0x8B,0x48,0x1C,0x6C,0xD7,0x88,0x9A,0x00,0x2E,\r
- 0xD5,0xEE,0x38,0x2B,0xC9,0x19,0x0D,0xA6,0xFC,0x02,0x6E,0x47,\r
- 0x95,0x58,0xE4,0x47,0x56,0x77,0xE9,0xAA,0x9E,0x30,0x50,0xE2,\r
- 0x76,0x56,0x94,0xDF,0xC8,0x1F,0x56,0xE8,0x80,0xB9,0x6E,0x71,\r
- 0x60,0xC9,0x80,0xDD,0x98,0xED,0xD3,0xDF,0xFF,0xFF,0xFF,0xFF,\r
- 0xFF,0xFF,0xFF,0xFF,\r
- };\r
-\r
-//\r
-// Pre-defined Oakley MODP Groups\r
-//\r
-#define DH_GENERATOR_2 2\r
-GLOBAL_REMOVE_IF_UNREFERENCED CONST MODP_GROUP OakleyModpGroup[] = {\r
- {0, 0, NULL, 0}, //Undefined\r
- {OakleyGroupModp768, 768, Modp768Modulus, DH_GENERATOR_2},\r
- {OakleyGroupModp1024, 1024, Modp1024Modulus, DH_GENERATOR_2},\r
- {0, 0, NULL, 0}, // For ECC. UnSupported\r
- {0, 0, NULL, 0}, // For ECC. Unsupported\r
- {OakleyGroupModp1536, 1536, Modp1536Modulus, DH_GENERATOR_2},\r
- {0, 0, NULL, 0}, //Undefined\r
- {0, 0, NULL, 0}, //Undefined\r
- {0, 0, NULL, 0}, //Undefined\r
- {0, 0, NULL, 0}, //Undefined\r
- {0, 0, NULL, 0}, //Undefined\r
- {0, 0, NULL, 0}, //Undefined\r
- {0, 0, NULL, 0}, //Undefined\r
- {0, 0, NULL, 0}, //Undefined\r
- {OakleyGroupModp2048, 2048, Modp2048Modulus, DH_GENERATOR_2},\r
- {OakleyGroupModp3072, 3072, Modp3072Modulus, DH_GENERATOR_2},\r
- {OakleyGroupModp4096, 4096, Modp4096Modulus, DH_GENERATOR_2},\r
- {OakleyGroupModp6144, 6144, Modp6144Modulus, DH_GENERATOR_2},\r
- {OakleyGroupModp8192, 8192, Modp8192Modulus, DH_GENERATOR_2},\r
-};\r
+++ /dev/null
-/** @file\r
- The common definition of IPsec Key Exchange (IKE).\r
-\r
- Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>\r
-\r
- SPDX-License-Identifier: BSD-2-Clause-Patent\r
-\r
-\r
-**/\r
-\r
-#ifndef _IKE_H_\r
-#define _IKE_H_\r
-\r
-#include <Library/UdpIoLib.h>\r
-#include <Library/BaseCryptLib.h>\r
-#include "IpSecImpl.h"\r
-\r
-#define IKE_VERSION_MAJOR_MASK 0xf0\r
-#define IKE_VERSION_MINOR_MASK 0x0f\r
-\r
-#define IKE_MAJOR_VERSION(v) (((v) & IKE_VERSION_MAJOR_MASK) >> 4)\r
-#define IKE_MINOR_VERSION(v) ((v) & IKE_VERSION_MINOR_MASK)\r
-\r
-//\r
-// Protocol Value Use in IKEv1 and IKEv2\r
-//\r
-#define IPSEC_PROTO_ISAKMP 1\r
-#define IPSEC_PROTO_IPSEC_AH 2\r
-#define IPSEC_PROTO_IPSEC_ESP 3\r
-#define IPSEC_PROTO_IPCOMP 4 // For IKEv1 this value is reserved\r
-\r
-//\r
-// For Algorithm search in support list.Last two types are for IKEv2 only.\r
-//\r
-#define IKE_ENCRYPT_TYPE 0\r
-#define IKE_AUTH_TYPE 1\r
-#define IKE_PRF_TYPE 2\r
-#define IKE_DH_TYPE 3\r
-\r
-//\r
-// Encryption Algorithm present in IKEv1 phasrs2 and IKEv2 transform payload (Transform Type 1)\r
-//\r
-#define IPSEC_ESP_DES_IV64 1\r
-#define IPSEC_ESP_DES 2\r
-#define IPSEC_ESP_3DES 3\r
-#define IPSEC_ESP_RC5 4\r
-#define IPSEC_ESP_IDEA 5\r
-#define IPSEC_ESP_CAST 6\r
-#define IPSEC_ESP_BLOWFISH 7\r
-#define IPSEC_ESP_3IDEA 8\r
-#define IPSEC_ESP_DES_IV32 9\r
-#define IPSEC_ESP_RC4 10 // It's reserved in IKEv2\r
-#define IPSEC_ESP_NULL 11\r
-#define IPSEC_ESP_AES 12\r
-\r
-#define IKE_XCG_TYPE_NONE 0\r
-#define IKE_XCG_TYPE_BASE 1\r
-#define IKE_XCG_TYPE_IDENTITY_PROTECT 2\r
-#define IKE_XCG_TYPE_AUTH_ONLY 3\r
-#define IKE_XCG_TYPE_AGGR 4\r
-#define IKE_XCG_TYPE_INFO 5\r
-#define IKE_XCG_TYPE_QM 32\r
-#define IKE_XCG_TYPE_NGM 33\r
-#define IKE_XCG_TYPE_SA_INIT 34\r
-#define IKE_XCG_TYPE_AUTH 35\r
-#define IKE_XCG_TYPE_CREATE_CHILD_SA 36\r
-#define IKE_XCG_TYPE_INFO2 37\r
-\r
-#define IKE_LIFE_TYPE_SECONDS 1\r
-#define IKE_LIFE_TYPE_KILOBYTES 2\r
-\r
-//\r
-// Deafult IKE SA lifetime and CHILD SA lifetime\r
-//\r
-#define IKE_SA_DEFAULT_LIFETIME 1200\r
-#define CHILD_SA_DEFAULT_LIFETIME 3600\r
-\r
-//\r
-// Next payload type presented within Proposal payload\r
-//\r
-#define IKE_PROPOSAL_NEXT_PAYLOAD_MORE 2\r
-#define IKE_PROPOSAL_NEXT_PAYLOAD_NONE 0\r
-\r
-//\r
-// Next payload type presented within Transform payload\r
-//\r
-#define IKE_TRANSFORM_NEXT_PAYLOAD_MORE 3\r
-#define IKE_TRANSFORM_NEXT_PAYLOAD_NONE 0\r
-\r
-//\r
-// Max size of the SA attribute\r
-//\r
-#define MAX_SA_ATTRS_SIZE 48\r
-#define SA_ATTR_FORMAT_BIT 0x8000\r
-//\r
-// The definition for Information Message ID.\r
-//\r
-#define INFO_MID_SIGNATURE SIGNATURE_32 ('I', 'N', 'F', 'M')\r
-\r
-//\r
-// Type for the IKE SESSION COMMON\r
-//\r
-typedef enum {\r
- IkeSessionTypeIkeSa,\r
- IkeSessionTypeChildSa,\r
- IkeSessionTypeInfo,\r
- IkeSessionTypeMax\r
-} IKE_SESSION_TYPE;\r
-\r
-//\r
-// The DH Group ID defined RFC3526 and RFC 2409\r
-//\r
-typedef enum {\r
- OakleyGroupModp768 = 1,\r
- OakleyGroupModp1024 = 2,\r
- OakleyGroupGp155 = 3, // Unsupported Now.\r
- OakleyGroupGp185 = 4, // Unsupported Now.\r
- OakleyGroupModp1536 = 5,\r
-\r
- OakleyGroupModp2048 = 14,\r
- OakleyGroupModp3072 = 15,\r
- OakleyGroupModp4096 = 16,\r
- OakleyGroupModp6144 = 17,\r
- OakleyGroupModp8192 = 18,\r
- OakleyGroupMax\r
-} OAKLEY_GROUP_ID;\r
-\r
-//\r
-// IKE Header\r
-//\r
-#pragma pack(1)\r
-typedef struct {\r
- UINT64 InitiatorCookie;\r
- UINT64 ResponderCookie;\r
- UINT8 NextPayload;\r
- UINT8 Version;\r
- UINT8 ExchangeType;\r
- UINT8 Flags;\r
- UINT32 MessageId;\r
- UINT32 Length;\r
-} IKE_HEADER;\r
-#pragma pack()\r
-\r
-typedef union {\r
- UINT16 AttrLength;\r
- UINT16 AttrValue;\r
-} IKE_SA_ATTR_UNION;\r
-\r
-//\r
-// SA Attribute present in Transform Payload\r
-//\r
-#pragma pack(1)\r
-typedef struct {\r
- UINT16 AttrType;\r
- IKE_SA_ATTR_UNION Attr;\r
-} IKE_SA_ATTRIBUTE;\r
-#pragma pack()\r
-\r
-//\r
-// Contains the IKE packet information.\r
-//\r
-typedef struct {\r
- UINTN RefCount;\r
- BOOLEAN IsHdrExt;\r
- IKE_HEADER *Header;\r
- BOOLEAN IsPayloadsBufExt;\r
- UINT8 *PayloadsBuf; // The whole IkePakcet trimed the IKE header.\r
- UINTN PayloadTotalSize;\r
- LIST_ENTRY PayloadList;\r
- EFI_IP_ADDRESS RemotePeerIp;\r
- BOOLEAN IsEncoded; // whether HTON is done when sending the packet\r
- UINT32 Spi; // For the Delete Information Exchange\r
- BOOLEAN IsDeleteInfo; // For the Delete Information Exchange\r
- IPSEC_PRIVATE_DATA *Private; // For the Delete Information Exchange\r
-} IKE_PACKET;\r
-\r
-//\r
-// The generic structure to all kinds of IKE payloads.\r
-//\r
-typedef struct {\r
- UINT32 Signature;\r
- BOOLEAN IsPayloadBufExt;\r
- UINT8 PayloadType;\r
- UINT8 *PayloadBuf;\r
- UINTN PayloadSize;\r
- LIST_ENTRY ByPacket;\r
-} IKE_PAYLOAD;\r
-\r
-//\r
-// Udp Service\r
-//\r
-typedef struct {\r
- UINT32 Signature;\r
- UINT8 IpVersion;\r
- LIST_ENTRY List;\r
- LIST_ENTRY *ListHead;\r
- EFI_HANDLE NicHandle;\r
- EFI_HANDLE ImageHandle;\r
- UDP_IO *Input;\r
- UDP_IO *Output;\r
- EFI_IP_ADDRESS DefaultAddress;\r
- BOOLEAN IsConfigured;\r
-} IKE_UDP_SERVICE;\r
-\r
-//\r
-// Each IKE session has its own Key sets for local peer and remote peer.\r
-//\r
-typedef struct {\r
- EFI_IPSEC_ALGO_INFO LocalPeerInfo;\r
- EFI_IPSEC_ALGO_INFO RemotePeerInfo;\r
-} SA_KEYMATS;\r
-\r
-//\r
-// Each algorithm has its own Id, Guid, BlockSize and KeyLength.\r
-// This struct contains these information for each algorithm. It is generic structure\r
-// for both encryption and authentication algorithm.\r
-// For authentication algorithm, the AlgSize means IcvSize. For encryption algorithm,\r
-// it means IvSize.\r
-//\r
-#pragma pack(1)\r
-typedef struct {\r
- UINT8 AlgorithmId; // Encryption or Authentication Id used by ESP/AH\r
- EFI_GUID *AlgGuid;\r
- UINT8 AlgSize; // IcvSize or IvSize\r
- UINT8 BlockSize;\r
- UINTN KeyMateLen;\r
-} IKE_ALG_GUID_INFO; // For IPsec Authentication and Encryption Algorithm.\r
-#pragma pack()\r
-\r
-//\r
-// Structure used to store the DH group\r
-//\r
-typedef struct {\r
- UINT8 GroupId;\r
- UINTN Size;\r
- UINT8 *Modulus;\r
- UINTN GroupGenerator;\r
-} MODP_GROUP;\r
-\r
-/**\r
- This is prototype definition of general interface to phase the payloads\r
- after/before the decode/encode.\r
-\r
- @param[in] SessionCommon Point to the SessionCommon\r
- @param[in] PayloadBuf Point to the buffer of Payload.\r
- @param[in] PayloadSize The size of the PayloadBuf in bytes.\r
- @param[in] PayloadType The type of Payload.\r
-\r
-**/\r
-typedef\r
-VOID\r
-(*IKE_ON_PAYLOAD_FROM_NET) (\r
- IN UINT8 *SessionCommon,\r
- IN UINT8 *PayloadBuf,\r
- IN UINTN PayloadSize,\r
- IN UINT8 PayloadType\r
- );\r
-\r
-#endif\r
-\r
+++ /dev/null
-/** @file\r
- Common operation of the IKE\r
-\r
- Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>\r
-\r
- SPDX-License-Identifier: BSD-2-Clause-Patent\r
-\r
-**/\r
-\r
-#include "Ike.h"\r
-#include "IkeCommon.h"\r
-#include "IpSecConfigImpl.h"\r
-#include "IpSecDebug.h"\r
-\r
-/**\r
- Check whether the new generated Spi has existed.\r
-\r
- @param[in] IkeSaSession Pointer to the Child SA Session.\r
- @param[in] SpiValue SPI Value.\r
-\r
- @retval TRUE This SpiValue has existed in the Child SA Session\r
- @retval FALSE This SpiValue doesn't exist in the Child SA Session.\r
-\r
-**/\r
-BOOLEAN\r
-IkeSpiValueExisted (\r
- IN IKEV2_SA_SESSION *IkeSaSession,\r
- IN UINT32 SpiValue\r
- )\r
-{\r
- LIST_ENTRY *Entry;\r
- LIST_ENTRY *Next;\r
- IKEV2_CHILD_SA_SESSION *SaSession;\r
-\r
- Entry = NULL;\r
- Next = NULL;\r
- SaSession = NULL;\r
-\r
- //\r
- // Check whether the SPI value has existed in ChildSaEstablishSessionList.\r
- //\r
- NET_LIST_FOR_EACH_SAFE (Entry, Next, &IkeSaSession->ChildSaEstablishSessionList) {\r
- SaSession= IKEV2_CHILD_SA_SESSION_BY_IKE_SA (Entry);\r
- if (SaSession->LocalPeerSpi == SpiValue) {\r
- return TRUE;\r
- }\r
- }\r
-\r
- //\r
- // Check whether the SPI value has existed in ChildSaSessionList.\r
- //\r
- NET_LIST_FOR_EACH_SAFE (Entry, Next, &IkeSaSession->ChildSaSessionList) {\r
- SaSession= IKEV2_CHILD_SA_SESSION_BY_IKE_SA (Entry);\r
- if (SaSession->LocalPeerSpi == SpiValue) {\r
- return TRUE;\r
- }\r
- }\r
-\r
- return FALSE;\r
-}\r
-\r
-/**\r
- Call Crypto Lib to generate a random value with eight-octet length.\r
-\r
- @return the 64 byte vaule.\r
-\r
-**/\r
-UINT64\r
-IkeGenerateCookie (\r
- VOID\r
- )\r
-{\r
- UINT64 Cookie;\r
- EFI_STATUS Status;\r
-\r
- Status = IpSecCryptoIoGenerateRandomBytes ((UINT8 *)&Cookie, sizeof (UINT64));\r
- if (EFI_ERROR (Status)) {\r
- return 0;\r
- } else {\r
- return Cookie;\r
- }\r
-}\r
-\r
-/**\r
- Generate the random data for Nonce payload.\r
-\r
- @param[in] NonceSize Size of the data in bytes.\r
-\r
- @return Buffer which contains the random data of the spcified size.\r
-\r
-**/\r
-UINT8 *\r
-IkeGenerateNonce (\r
- IN UINTN NonceSize\r
- )\r
-{\r
- UINT8 *Nonce;\r
- EFI_STATUS Status;\r
-\r
- Nonce = AllocateZeroPool (NonceSize);\r
- if (Nonce == NULL) {\r
- return NULL;\r
- }\r
-\r
- Status = IpSecCryptoIoGenerateRandomBytes (Nonce, NonceSize);\r
- if (EFI_ERROR (Status)) {\r
- FreePool (Nonce);\r
- return NULL;\r
- } else {\r
- return Nonce;\r
- }\r
-}\r
-\r
-/**\r
- Convert the IKE Header from Network order to Host order.\r
-\r
- @param[in, out] Header The pointer of the IKE_HEADER.\r
-\r
-**/\r
-VOID\r
-IkeHdrNetToHost (\r
- IN OUT IKE_HEADER *Header\r
- )\r
-{\r
- Header->InitiatorCookie = NTOHLL (Header->InitiatorCookie);\r
- Header->ResponderCookie = NTOHLL (Header->ResponderCookie);\r
- Header->MessageId = NTOHL (Header->MessageId);\r
- Header->Length = NTOHL (Header->Length);\r
-}\r
-\r
-/**\r
- Convert the IKE Header from Host order to Network order.\r
-\r
- @param[in, out] Header The pointer of the IKE_HEADER.\r
-\r
-**/\r
-VOID\r
-IkeHdrHostToNet (\r
- IN OUT IKE_HEADER *Header\r
- )\r
-{\r
- Header->InitiatorCookie = HTONLL (Header->InitiatorCookie);\r
- Header->ResponderCookie = HTONLL (Header->ResponderCookie);\r
- Header->MessageId = HTONL (Header->MessageId);\r
- Header->Length = HTONL (Header->Length);\r
-}\r
-\r
-/**\r
- Allocate a buffer of IKE_PAYLOAD and set its Signature.\r
-\r
- @return A buffer of IKE_PAYLOAD.\r
-\r
-**/\r
-IKE_PAYLOAD *\r
-IkePayloadAlloc (\r
- VOID\r
- )\r
-{\r
- IKE_PAYLOAD *IkePayload;\r
-\r
- IkePayload = (IKE_PAYLOAD *) AllocateZeroPool (sizeof (IKE_PAYLOAD));\r
- if (IkePayload == NULL) {\r
- return NULL;\r
- }\r
-\r
- IkePayload->Signature = IKE_PAYLOAD_SIGNATURE;\r
-\r
- return IkePayload;\r
-}\r
-\r
-/**\r
- Free a specified IKE_PAYLOAD buffer.\r
-\r
- @param[in] IkePayload Pointer of IKE_PAYLOAD to be freed.\r
-\r
-**/\r
-VOID\r
-IkePayloadFree (\r
- IN IKE_PAYLOAD *IkePayload\r
- )\r
-{\r
- if (IkePayload == NULL) {\r
- return;\r
- }\r
- //\r
- // If this IkePayload is not referred by others, free it.\r
- //\r
- if (!IkePayload->IsPayloadBufExt && (IkePayload->PayloadBuf != NULL)) {\r
- FreePool (IkePayload->PayloadBuf);\r
- }\r
-\r
- FreePool (IkePayload);\r
-}\r
-\r
-/**\r
- Generate an new SPI.\r
-\r
- @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION related to this Child SA\r
- Session.\r
- @param[in, out] SpiValue Pointer to the new generated SPI value.\r
-\r
- @retval EFI_SUCCESS The operation performs successfully.\r
- @retval Otherwise The operation is failed.\r
-\r
-**/\r
-EFI_STATUS\r
-IkeGenerateSpi (\r
- IN IKEV2_SA_SESSION *IkeSaSession,\r
- IN OUT UINT32 *SpiValue\r
- )\r
-{\r
- EFI_STATUS Status;\r
-\r
- Status = EFI_SUCCESS;\r
-\r
- while (TRUE) {\r
- //\r
- // Generate SPI randomly\r
- //\r
- Status = IpSecCryptoIoGenerateRandomBytes ((UINT8 *)SpiValue, sizeof (UINT32));\r
- if (EFI_ERROR (Status)) {\r
- break;\r
- }\r
-\r
- //\r
- // The set of SPI values in the range 1 through 255 are reserved by the\r
- // Internet Assigned Numbers Authority (IANA) for future use; a reserved\r
- // SPI value will not normally be assigned by IANA unless the use of the\r
- // assigned SPI value is specified in an RFC.\r
- //\r
- if (*SpiValue < IKE_SPI_BASE) {\r
- *SpiValue += IKE_SPI_BASE;\r
- }\r
-\r
- //\r
- // Check whether the new generated SPI has existed.\r
- //\r
- if (!IkeSpiValueExisted (IkeSaSession, *SpiValue)) {\r
- break;\r
- }\r
- }\r
-\r
- return Status;\r
-}\r
-\r
-/**\r
- Generate a random data for IV\r
-\r
- @param[in] IvBuffer The pointer of the IV buffer.\r
- @param[in] IvSize The IV size.\r
-\r
- @retval EFI_SUCCESS Create a random data for IV.\r
- @retval otherwise Failed.\r
-\r
-**/\r
-EFI_STATUS\r
-IkeGenerateIv (\r
- IN UINT8 *IvBuffer,\r
- IN UINTN IvSize\r
- )\r
-{\r
- return IpSecCryptoIoGenerateRandomBytes (IvBuffer, IvSize);\r
-}\r
-\r
-\r
-/**\r
- Find SPD entry by a specified SPD selector.\r
-\r
- @param[in] SpdSel Point to SPD Selector to be searched for.\r
-\r
- @retval Point to SPD Entry if the SPD entry found.\r
- @retval NULL if not found.\r
-\r
-**/\r
-IPSEC_SPD_ENTRY *\r
-IkeSearchSpdEntry (\r
- IN EFI_IPSEC_SPD_SELECTOR *SpdSel\r
- )\r
-{\r
- IPSEC_SPD_ENTRY *SpdEntry;\r
- LIST_ENTRY *SpdList;\r
- LIST_ENTRY *Entry;\r
-\r
- SpdList = &mConfigData[IPsecConfigDataTypeSpd];\r
-\r
- NET_LIST_FOR_EACH (Entry, SpdList) {\r
- SpdEntry = IPSEC_SPD_ENTRY_FROM_LIST (Entry);\r
-\r
- //\r
- // Find the required SPD entry\r
- //\r
- if (CompareSpdSelector (\r
- (EFI_IPSEC_CONFIG_SELECTOR *) SpdSel,\r
- (EFI_IPSEC_CONFIG_SELECTOR *) SpdEntry->Selector\r
- )) {\r
- return SpdEntry;\r
- }\r
-\r
- }\r
-\r
- return NULL;\r
-}\r
-\r
-/**\r
- Get the IKE Version from the IKE_SA_SESSION.\r
-\r
- @param[in] Session Pointer of the IKE_SA_SESSION.\r
-\r
-**/\r
-UINT8\r
-IkeGetVersionFromSession (\r
- IN UINT8 *Session\r
- )\r
-{\r
- if (*(UINT32 *) Session == IKEV2_SA_SESSION_SIGNATURE) {\r
- return ((IKEV2_SA_SESSION *) Session)->SessionCommon.IkeVer;\r
- } else {\r
- //\r
- // Add IKEv1 support here.\r
- //\r
- return 0;\r
- }\r
-}\r
-\r
+++ /dev/null
-/** @file\r
- Common operation of the IKE.\r
-\r
- Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>\r
-\r
- SPDX-License-Identifier: BSD-2-Clause-Patent\r
-\r
-**/\r
-\r
-#ifndef _IKE_COMMON_H_\r
-#define _IKE_COMMON_H_\r
-\r
-#include <Protocol/Udp4.h>\r
-#include <Protocol/Udp6.h>\r
-#include <Protocol/Ip4Config2.h>\r
-\r
-#include <Library/BaseLib.h>\r
-#include <Library/BaseMemoryLib.h>\r
-#include <Library/MemoryAllocationLib.h>\r
-#include <Library/UefiRuntimeServicesTableLib.h>\r
-#include <Library/UefiBootServicesTableLib.h>\r
-#include <Library/DebugLib.h>\r
-#include <Library/UdpIoLib.h>\r
-#include <Library/BaseCryptLib.h>\r
-\r
-#include "Ikev2/Ikev2.h"\r
-#include "IpSecImpl.h"\r
-#include "IkePacket.h"\r
-#include "IpSecCryptIo.h"\r
-\r
-\r
-#define IKE_DEFAULT_PORT 500\r
-#define IKE_DEFAULT_TIMEOUT_INTERVAL 10000 // 10s\r
-#define IKE_NONCE_SIZE 16\r
-#define IKE_MAX_RETRY 4\r
-#define IKE_SPI_BASE 0x100\r
-#define IKE_PAYLOAD_SIGNATURE SIGNATURE_32('I','K','E','P')\r
-#define IKE_PAYLOAD_BY_PACKET(a) CR(a,IKE_PAYLOAD,ByPacket,IKE_PAYLOAD_SIGNATURE)\r
-\r
-\r
-#define IKE_PACKET_APPEND_PAYLOAD(IkePacket,IkePayload) \\r
- do { \\r
- InsertTailList(&(IkePacket)->PayloadList, &(IkePayload)->ByPacket); \\r
- } while (0)\r
-\r
-#define IKE_PACKET_REMOVE_PAYLOAD(IkePacket,IkePayload) \\r
- do { \\r
- RemoveEntryList(&(IkePayload)->ByPacket); \\r
- } while (0)\r
-\r
-#define IKE_PACKET_END_PAYLOAD(IkePacket, Node) \\r
- Node = GetFirstNode (&(IkePacket)->PayloadList); \\r
- while (!IsNodeAtEnd (&(IkePacket)->PayloadList, Node)) { \\r
- Node = GetNextNode (&(IkePacket)->PayloadList, Node); \\r
- } \\r
-\r
-/**\r
- Call Crypto Lib to generate a random value with eight-octet length.\r
-\r
- @return the 64 byte vaule.\r
-\r
-**/\r
-UINT64\r
-IkeGenerateCookie (\r
- VOID\r
- );\r
-\r
-/**\r
- Generate the random data for Nonce payload.\r
-\r
- @param[in] NonceSize Size of the data in bytes.\r
-\r
- @return Buffer which contains the random data of the spcified size.\r
-\r
-**/\r
-UINT8 *\r
-IkeGenerateNonce (\r
- IN UINTN NonceSize\r
- );\r
-\r
-/**\r
- Convert the IKE Header from Network order to Host order.\r
-\r
- @param[in, out] Header The pointer of the IKE_HEADER.\r
-\r
-**/\r
-VOID\r
-IkeHdrNetToHost (\r
- IN OUT IKE_HEADER *Header\r
- );\r
-\r
-\r
-/**\r
- Convert the IKE Header from Host order to Network order.\r
-\r
- @param[in, out] Header The pointer of the IKE_HEADER.\r
-\r
-**/\r
-VOID\r
-IkeHdrHostToNet (\r
- IN OUT IKE_HEADER *Header\r
- );\r
-\r
-/**\r
- Allocate a buffer of IKE_PAYLOAD and set its Signature.\r
-\r
- @return A buffer of IKE_PAYLOAD.\r
-\r
-**/\r
-IKE_PAYLOAD *\r
-IkePayloadAlloc (\r
- VOID\r
- );\r
-\r
-/**\r
- Free a specified IKE_PAYLOAD buffer.\r
-\r
- @param[in] IkePayload Pointer of IKE_PAYLOAD to be freed.\r
-\r
-**/\r
-VOID\r
-IkePayloadFree (\r
- IN IKE_PAYLOAD *IkePayload\r
- );\r
-\r
-/**\r
- Generate an new SPI.\r
-\r
- @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION related to this Child SA\r
- Session.\r
- @param[in, out] SpiValue Pointer to the new generated SPI value.\r
-\r
- @retval EFI_SUCCESS The operation performs successfully.\r
- @retval Otherwise The operation is failed.\r
-\r
-**/\r
-EFI_STATUS\r
-IkeGenerateSpi (\r
- IN IKEV2_SA_SESSION *IkeSaSession,\r
- IN OUT UINT32 *SpiValue\r
- );\r
-\r
-/**\r
- Generate a random data for IV\r
-\r
- @param[in] IvBuffer The pointer of the IV buffer.\r
- @param[in] IvSize The IV size.\r
-\r
- @retval EFI_SUCCESS Create a random data for IV.\r
- @retval otherwise Failed.\r
-\r
-**/\r
-EFI_STATUS\r
-IkeGenerateIv (\r
- IN UINT8 *IvBuffer,\r
- IN UINTN IvSize\r
- );\r
-\r
-/**\r
- Get the IKE Version from the IKE_SA_SESSION.\r
-\r
- @param[in] Session Pointer of the IKE_SA_SESSION.\r
-\r
-**/\r
-UINT8\r
-IkeGetVersionFromSession (\r
- IN UINT8 *Session\r
- );\r
-\r
-/**\r
- Find SPD entry by a specified SPD selector.\r
-\r
- @param[in] SpdSel Point to SPD Selector to be searched for.\r
-\r
- @retval Point to Spd Entry if the SPD entry found.\r
- @retval NULL if not found.\r
-\r
-**/\r
-IPSEC_SPD_ENTRY *\r
-IkeSearchSpdEntry (\r
- IN EFI_IPSEC_SPD_SELECTOR *SpdSel\r
- );\r
-\r
-extern MODP_GROUP OakleyModpGroup[];\r
-extern IKE_ALG_GUID_INFO mIPsecEncrAlgInfo[];\r
-extern IKE_ALG_GUID_INFO mIPsecAuthAlgInfo[];\r
-\r
-#endif\r
-\r
+++ /dev/null
-/** @file\r
- IKE Packet related operation.\r
-\r
- Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>\r
-\r
- SPDX-License-Identifier: BSD-2-Clause-Patent\r
-\r
-**/\r
-\r
-#include "IpSecDebug.h"\r
-#include "Ikev2/Utility.h"\r
-\r
-/**\r
- Allocate a buffer for the IKE_PACKET and intitalize its Header and payloadlist.\r
-\r
- @return The pointer of the IKE_PACKET.\r
-\r
-**/\r
-IKE_PACKET *\r
-IkePacketAlloc (\r
- VOID\r
- )\r
-{\r
- IKE_PACKET *IkePacket;\r
-\r
- IkePacket = (IKE_PACKET *) AllocateZeroPool (sizeof (IKE_PACKET));\r
- if (IkePacket == NULL) {\r
- return NULL;\r
- }\r
-\r
- IkePacket->RefCount = 1;\r
- InitializeListHead (&IkePacket->PayloadList);\r
-\r
- IkePacket->Header = (IKE_HEADER *) AllocateZeroPool (sizeof (IKE_HEADER));\r
- if (IkePacket->Header == NULL) {\r
- FreePool (IkePacket);\r
- return NULL;\r
- }\r
- return IkePacket;\r
-}\r
-\r
-/**\r
- Free the IkePacket by the specified IKE_PACKET pointer.\r
-\r
- @param[in] IkePacket The pointer of the IKE_PACKET to be freed.\r
-\r
-**/\r
-VOID\r
-IkePacketFree (\r
- IN IKE_PACKET *IkePacket\r
- )\r
-{\r
- LIST_ENTRY *Entry;\r
- IKE_PAYLOAD *IkePayload;\r
-\r
- if (IkePacket == NULL) {\r
- return;\r
- }\r
- //\r
- // Check if the Packet is referred by others.\r
- //\r
- if (--IkePacket->RefCount == 0) {\r
- //\r
- // Free IkePacket header\r
- //\r
- if (!IkePacket->IsHdrExt && IkePacket->Header != NULL) {\r
- FreePool (IkePacket->Header);\r
- }\r
- //\r
- // Free the PayloadsBuff\r
- //\r
- if (!IkePacket->IsPayloadsBufExt && IkePacket->PayloadsBuf != NULL) {\r
- FreePool (IkePacket->PayloadsBuf);\r
- }\r
- //\r
- // Iterate payloadlist and free all payloads\r
- //\r
- for (Entry = (IkePacket)->PayloadList.ForwardLink; Entry != &(IkePacket)->PayloadList;) {\r
- IkePayload = IKE_PAYLOAD_BY_PACKET (Entry);\r
- Entry = Entry->ForwardLink;\r
-\r
- IkePayloadFree (IkePayload);\r
- }\r
-\r
- FreePool (IkePacket);\r
- }\r
-}\r
-\r
-/**\r
- Callback funtion of NetbufFromExt()\r
-\r
- @param[in] Arg The data passed from the NetBufFromExe().\r
-\r
-**/\r
-VOID\r
-EFIAPI\r
-IkePacketNetbufFree (\r
- IN VOID *Arg\r
- )\r
-{\r
- //\r
- // TODO: add something if need.\r
- //\r
-}\r
-\r
-/**\r
- Copy the NetBuf into a IKE_PACKET sturcture.\r
-\r
- Create a IKE_PACKET and fill the received IKE header into the header of IKE_PACKET\r
- and copy the recieved packet without IKE HEADER to the PayloadBuf of IKE_PACKET.\r
-\r
- @param[in] Netbuf The pointer of the Netbuf which contains the whole received\r
- IKE packet.\r
-\r
- @return The pointer of the IKE_PACKET which contains the received packet.\r
-\r
-**/\r
-IKE_PACKET *\r
-IkePacketFromNetbuf (\r
- IN NET_BUF *Netbuf\r
- )\r
-{\r
- IKE_PACKET *IkePacket;\r
-\r
- IkePacket = NULL;\r
- if (Netbuf->TotalSize < sizeof (IKE_HEADER)) {\r
- goto Error;\r
- }\r
-\r
- IkePacket = IkePacketAlloc ();\r
- if (IkePacket == NULL) {\r
- return NULL;\r
- }\r
- //\r
- // Copy the IKE header from Netbuf to IkePacket->Hdr\r
- //\r
- NetbufCopy (Netbuf, 0, sizeof (IKE_HEADER), (UINT8 *) IkePacket->Header);\r
- //\r
- // Net order to host order\r
- //\r
- IkeHdrNetToHost (IkePacket->Header);\r
- if (IkePacket->Header->Length < Netbuf->TotalSize) {\r
- goto Error;\r
- }\r
-\r
- IkePacket->PayloadTotalSize = IkePacket->Header->Length - sizeof (IKE_HEADER);\r
- IkePacket->PayloadsBuf = (UINT8 *) AllocateZeroPool (IkePacket->PayloadTotalSize);\r
-\r
- if (IkePacket->PayloadsBuf == NULL) {\r
- goto Error;\r
- }\r
- //\r
- // Copy the IKE packet without the header into the IkePacket->PayloadsBuf.\r
- //\r
- NetbufCopy (Netbuf, sizeof (IKE_HEADER), (UINT32) IkePacket->PayloadTotalSize, IkePacket->PayloadsBuf);\r
- return IkePacket;\r
-\r
-Error:\r
- if (IkePacket != NULL) {\r
- IkePacketFree (IkePacket);\r
- }\r
-\r
- return NULL;\r
-}\r
-\r
-/**\r
- Convert the format from IKE_PACKET to NetBuf.\r
-\r
- @param[in] SessionCommon Pointer of related IKE_COMMON_SESSION\r
- @param[in] IkePacket Pointer of IKE_PACKET to be copy to NetBuf\r
- @param[in] IkeType The IKE type to pointer the packet is for which IKE\r
- phase. Now it supports IKE_SA_TYPE, IKE_CHILDSA_TYPE,\r
- IKE_INFO_TYPE.\r
-\r
- @return a pointer of Netbuff which contains the IKE_PACKE in network order.\r
-\r
-**/\r
-NET_BUF *\r
-IkeNetbufFromPacket (\r
- IN UINT8 *SessionCommon,\r
- IN IKE_PACKET *IkePacket,\r
- IN UINTN IkeType\r
- )\r
-{\r
- NET_BUF *Netbuf;\r
- NET_FRAGMENT *Fragments;\r
- UINTN Index;\r
- UINTN NumPayloads;\r
- LIST_ENTRY *PacketEntry;\r
- LIST_ENTRY *Entry;\r
- IKE_PAYLOAD *IkePayload;\r
- EFI_STATUS RetStatus;\r
-\r
- RetStatus = EFI_SUCCESS;\r
-\r
- if (!IkePacket->IsEncoded) {\r
- IkePacket->IsEncoded = TRUE;\r
- //\r
- // Convert Host order to Network order for IKE_PACKET header and payloads\r
- // Encryption payloads if needed\r
- //\r
- if (((IKEV2_SESSION_COMMON *) SessionCommon)->IkeVer == 2) {\r
- RetStatus = Ikev2EncodePacket ((IKEV2_SESSION_COMMON *) SessionCommon, IkePacket, IkeType);\r
- if (EFI_ERROR (RetStatus)) {\r
- return NULL;\r
- }\r
-\r
- } else {\r
- //\r
- // If IKEv1 support, check it here.\r
- //\r
- return NULL;\r
- }\r
- }\r
-\r
- NumPayloads = 0;\r
- //\r
- // Get the number of the payloads\r
- //\r
- NET_LIST_FOR_EACH (PacketEntry, &(IkePacket)->PayloadList) {\r
-\r
- NumPayloads++;\r
- }\r
- //\r
- // Allocate the Framgents according to the numbers of the IkePayload\r
- //\r
- Fragments = (NET_FRAGMENT *) AllocateZeroPool ((1 + NumPayloads) * sizeof (NET_FRAGMENT));\r
- if (Fragments == NULL) {\r
- return NULL;\r
- }\r
-\r
- Fragments[0].Bulk = (UINT8 *) IkePacket->Header;\r
- Fragments[0].Len = sizeof (IKE_HEADER);\r
- Index = 0;\r
-\r
- //\r
- // Set payloads to the Framgments.\r
- //\r
- NET_LIST_FOR_EACH (Entry, &(IkePacket)->PayloadList) {\r
- IkePayload = IKE_PAYLOAD_BY_PACKET (Entry);\r
-\r
- Fragments[Index + 1].Bulk = IkePayload->PayloadBuf;\r
- Fragments[Index + 1].Len = (UINT32) IkePayload->PayloadSize;\r
- Index++;\r
- }\r
-\r
- Netbuf = NetbufFromExt (\r
- Fragments,\r
- (UINT32) (NumPayloads + 1),\r
- 0,\r
- 0,\r
- IkePacketNetbufFree,\r
- NULL\r
- );\r
-\r
- FreePool (Fragments);\r
- return Netbuf;\r
-}\r
-\r
+++ /dev/null
-/** @file\r
- IKE Packet related definitions and function declarations.\r
-\r
- Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>\r
-\r
- SPDX-License-Identifier: BSD-2-Clause-Patent\r
-\r
-**/\r
-\r
-#ifndef _IKE_V1_PACKET_H_\r
-#define _IKE_V1_PACKET_H_\r
-\r
-#include "Ike.h"\r
-\r
-#define IKE_PACKET_REF(p) ((p)->RefCount++)\r
-\r
-/**\r
- Allocate a buffer for the IKE_PACKET and intitalize its Header and payloadlist.\r
-\r
- @return The pointer of the IKE_PACKET.\r
-\r
-**/\r
-IKE_PACKET *\r
-IkePacketAlloc (\r
- VOID\r
- );\r
-\r
-\r
-/**\r
- Free the IkePacket by the specified IKE_PACKET pointer.\r
-\r
- @param[in] IkePacket The pointer of the IKE_PACKET to be freed.\r
-\r
-**/\r
-VOID\r
-IkePacketFree (\r
- IN IKE_PACKET *IkePacket\r
- );\r
-\r
-\r
-/**\r
- Copy the NetBuf into a IKE_PACKET sturcture.\r
-\r
- Create a IKE_PACKET and fill the received IKE header into the header of IKE_PACKET\r
- and copy the recieved packet without IKE HEADER to the PayloadBuf of IKE_PACKET.\r
-\r
- @param[in] Netbuf The pointer of the Netbuf which contains the whole received\r
- IKE packet.\r
-\r
- @return The pointer of the IKE_PACKET which contains the received packet.\r
-\r
-**/\r
-IKE_PACKET *\r
-IkePacketFromNetbuf (\r
- IN NET_BUF *Netbuf\r
- );\r
-\r
-/**\r
- Convert the format from IKE_PACKET to NetBuf.\r
-\r
- @param[in] SessionCommon Pointer of related IKE_COMMON_SESSION\r
- @param[in] IkePacket Pointer of IKE_PACKET to be copy to NetBuf\r
- @param[in] IkeType The IKE type to pointer the packet is for which IKE\r
- phase. Now it supports IKE_SA_TYPE, IKE_CHILDSA_TYPE,\r
- IKE_INFO_TYPE.\r
-\r
- @return A pointer of Netbuff which contains the contents of the IKE_PACKE in network order.\r
-**/\r
-NET_BUF *\r
-IkeNetbufFromPacket (\r
- IN UINT8 *SessionCommon,\r
- IN IKE_PACKET *IkePacket,\r
- IN UINTN IkeType\r
- );\r
-\r
-#endif\r
+++ /dev/null
-/** @file\r
- Provide IPsec Key Exchange (IKE) service general interfaces.\r
-\r
- Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>\r
-\r
- SPDX-License-Identifier: BSD-2-Clause-Patent\r
-\r
-**/\r
-\r
-#include "IkeService.h"\r
-#include "IpSecConfigImpl.h"\r
-\r
-IKE_EXCHANGE_INTERFACE *mIkeExchange[] = {\r
- &mIkev1Exchange,\r
- &mIkev2Exchange\r
-};\r
-\r
-EFI_UDP4_CONFIG_DATA mUdp4Conf = {\r
- FALSE,\r
- FALSE,\r
- FALSE,\r
- TRUE,\r
- //\r
- // IO parameters\r
- //\r
- 0,\r
- 64,\r
- FALSE,\r
- 0,\r
- 1000000,\r
- FALSE,\r
- {{0,0,0,0}},\r
- {{0,0,0,0}},\r
- IKE_DEFAULT_PORT,\r
- {{0,0,0,0}},\r
- 0\r
-};\r
-\r
-EFI_UDP6_CONFIG_DATA mUdp6Conf = {\r
- FALSE,\r
- FALSE,\r
- TRUE,\r
- //\r
- // IO parameters\r
- //\r
- 0,\r
- 128,\r
- 0,\r
- 1000000,\r
- //Access Point\r
- {{0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}},\r
- IKE_DEFAULT_PORT,\r
- {{0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}},\r
- 0\r
-};\r
-\r
-/**\r
- Check if the NIC handle is binded to a Udp service.\r
-\r
- @param[in] Private Pointer of IPSEC_PRIVATE_DATA.\r
- @param[in] Handle The Handle of the NIC card.\r
- @param[in] IpVersion The version of the IP stack.\r
-\r
- @return a pointer of IKE_UDP_SERVICE.\r
-\r
-**/\r
-IKE_UDP_SERVICE *\r
-IkeLookupUdp (\r
- IN IPSEC_PRIVATE_DATA *Private,\r
- IN EFI_HANDLE Handle,\r
- IN UINT8 IpVersion\r
- )\r
-{\r
- LIST_ENTRY *Head;\r
- LIST_ENTRY *Entry;\r
- LIST_ENTRY *Next;\r
- IKE_UDP_SERVICE *Udp;\r
-\r
- Udp = NULL;\r
- Head = (IpVersion == IP_VERSION_4) ? &Private->Udp4List : &Private->Udp6List;\r
-\r
- NET_LIST_FOR_EACH_SAFE (Entry, Next, Head) {\r
-\r
- Udp = IPSEC_UDP_SERVICE_FROM_LIST (Entry);\r
- //\r
- // Find the right udp service which installed on the appointed NIC handle.\r
- //\r
- if (Handle == Udp->NicHandle) {\r
- break;\r
- } else {\r
- Udp = NULL;\r
- }\r
- }\r
-\r
- return Udp;\r
-}\r
-\r
-/**\r
- Configure a UDPIO's UDP4 instance.\r
-\r
- This fuction is called by the UdpIoCreateIo() to configures a\r
- UDP4 instance.\r
-\r
- @param[in] UdpIo The UDP_IO to be configured.\r
- @param[in] Context User-defined data when calling UdpIoCreateIo().\r
-\r
- @retval EFI_SUCCESS The configuration succeeded.\r
- @retval Others The UDP4 instance fails to configure.\r
-\r
-**/\r
-EFI_STATUS\r
-EFIAPI\r
-IkeConfigUdp4 (\r
- IN UDP_IO *UdpIo,\r
- IN VOID *Context\r
- )\r
-{\r
- EFI_UDP4_CONFIG_DATA Udp4Cfg;\r
- EFI_UDP4_PROTOCOL *Udp4;\r
-\r
- ZeroMem (&Udp4Cfg, sizeof (EFI_UDP4_CONFIG_DATA));\r
-\r
- Udp4 = UdpIo->Protocol.Udp4;\r
- CopyMem (\r
- &Udp4Cfg,\r
- &mUdp4Conf,\r
- sizeof (EFI_UDP4_CONFIG_DATA)\r
- );\r
-\r
- if (Context != NULL) {\r
- //\r
- // Configure udp4 io with local default address.\r
- //\r
- Udp4Cfg.UseDefaultAddress = TRUE;\r
- }\r
-\r
- return Udp4->Configure (Udp4, &Udp4Cfg);\r
-}\r
-\r
-/**\r
- Configure a UDPIO's UDP6 instance.\r
-\r
- This fuction is called by the UdpIoCreateIo()to configure a\r
- UDP6 instance.\r
-\r
- @param[in] UdpIo The UDP_IO to be configured.\r
- @param[in] Context User-defined data when calling UdpIoCreateIo().\r
-\r
- @retval EFI_SUCCESS The configuration succeeded.\r
- @retval Others The configuration fails.\r
-\r
-**/\r
-EFI_STATUS\r
-EFIAPI\r
-IkeConfigUdp6 (\r
- IN UDP_IO *UdpIo,\r
- IN VOID *Context\r
- )\r
-{\r
- EFI_UDP6_PROTOCOL *Udp6;\r
- EFI_UDP6_CONFIG_DATA Udp6Cfg;\r
-\r
- ZeroMem (&Udp6Cfg, sizeof (EFI_UDP6_CONFIG_DATA));\r
-\r
- Udp6 = UdpIo->Protocol.Udp6;\r
- CopyMem (\r
- &Udp6Cfg,\r
- &mUdp6Conf,\r
- sizeof (EFI_UDP6_CONFIG_DATA)\r
- );\r
-\r
- if (Context != NULL) {\r
- //\r
- // Configure instance with a destination address to start source address\r
- // selection, and then get the configure data from the mode data to store\r
- // the source address.\r
- //\r
- CopyMem (\r
- &Udp6Cfg.RemoteAddress,\r
- Context,\r
- sizeof (EFI_IPv6_ADDRESS)\r
- );\r
- }\r
-\r
- return Udp6->Configure (Udp6, &Udp6Cfg);\r
-}\r
-\r
-/**\r
- Open and configure the related output UDPIO for IKE packet sending.\r
-\r
- If the UdpService is not configured, this fuction calls UdpIoCreatIo() to\r
- create UDPIO to bind this UdpService for IKE packet sending. If the UdpService\r
- has already been configured, then return.\r
-\r
- @param[in] UdpService The UDP_IO to be configured.\r
- @param[in] RemoteIp User-defined data when calling UdpIoCreateIo().\r
-\r
- @retval EFI_SUCCESS The configuration is successful.\r
- @retval Others The configuration fails.\r
-\r
-**/\r
-EFI_STATUS\r
-IkeOpenOutputUdp (\r
- IN IKE_UDP_SERVICE *UdpService,\r
- IN EFI_IP_ADDRESS *RemoteIp\r
- )\r
-{\r
- EFI_STATUS Status;\r
- EFI_IP4_CONFIG2_PROTOCOL *Ip4Cfg2;\r
- EFI_IP4_CONFIG2_INTERFACE_INFO *IfInfo;\r
- UINTN BufSize;\r
- EFI_IP6_MODE_DATA Ip6ModeData;\r
- EFI_UDP6_PROTOCOL *Udp6;\r
-\r
- Status = EFI_SUCCESS;\r
- IfInfo = NULL;\r
- BufSize = 0;\r
-\r
- //\r
- // Check whether the input and output udp io are both configured.\r
- //\r
- if (UdpService->IsConfigured) {\r
- goto ON_EXIT;\r
- }\r
-\r
- if (UdpService->IpVersion == UDP_IO_UDP4_VERSION) {\r
- //\r
- // Handle ip4config protocol to get local default address.\r
- //\r
- Status = gBS->HandleProtocol (\r
- UdpService->NicHandle,\r
- &gEfiIp4Config2ProtocolGuid,\r
- (VOID **) &Ip4Cfg2\r
- );\r
-\r
- if (EFI_ERROR (Status)) {\r
- goto ON_EXIT;\r
- }\r
-\r
- //\r
- // Get the interface information size.\r
- //\r
- Status = Ip4Cfg2->GetData (\r
- Ip4Cfg2,\r
- Ip4Config2DataTypeInterfaceInfo,\r
- &BufSize,\r
- NULL\r
- );\r
-\r
- if (EFI_ERROR (Status) && Status != EFI_BUFFER_TOO_SMALL) {\r
- goto ON_EXIT;\r
- }\r
-\r
- IfInfo = AllocateZeroPool (BufSize);\r
-\r
- if (IfInfo == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto ON_EXIT;\r
- }\r
-\r
- //\r
- // Get the interface info.\r
- //\r
- Status = Ip4Cfg2->GetData (\r
- Ip4Cfg2,\r
- Ip4Config2DataTypeInterfaceInfo,\r
- &BufSize,\r
- IfInfo\r
- );\r
-\r
- if (EFI_ERROR (Status)) {\r
- goto ON_EXIT;\r
- }\r
-\r
- CopyMem (\r
- &UdpService->DefaultAddress.v4,\r
- &IfInfo->StationAddress,\r
- sizeof (EFI_IPv4_ADDRESS)\r
- );\r
-\r
- //\r
- // Create udp4 io for output with local default address.\r
- //\r
- UdpService->Output = UdpIoCreateIo (\r
- UdpService->NicHandle,\r
- UdpService->ImageHandle,\r
- IkeConfigUdp4,\r
- UDP_IO_UDP4_VERSION,\r
- &UdpService->DefaultAddress\r
- );\r
-\r
- if (UdpService->Output == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto ON_EXIT;\r
- }\r
-\r
- } else {\r
- //\r
- // Create udp6 io for output with remote address.\r
- //\r
- UdpService->Output = UdpIoCreateIo (\r
- UdpService->NicHandle,\r
- UdpService->ImageHandle,\r
- IkeConfigUdp6,\r
- UDP_IO_UDP6_VERSION,\r
- RemoteIp\r
- );\r
-\r
- if (UdpService->Output == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto ON_EXIT;\r
- }\r
- //\r
- // Get ip6 mode data to get the result of source address selection.\r
- //\r
- ZeroMem (&Ip6ModeData, sizeof (EFI_IP6_MODE_DATA));\r
-\r
- Udp6 = UdpService->Output->Protocol.Udp6;\r
- Status = Udp6->GetModeData (Udp6, NULL, &Ip6ModeData, NULL, NULL);\r
-\r
- if (EFI_ERROR (Status)) {\r
- UdpIoFreeIo (UdpService->Output);\r
- goto ON_EXIT;\r
- }\r
-\r
- if (Ip6ModeData.AddressList != NULL) {\r
- FreePool (Ip6ModeData.AddressList);\r
- }\r
-\r
- if (Ip6ModeData.GroupTable != NULL) {\r
- FreePool (Ip6ModeData.GroupTable);\r
- }\r
-\r
- if (Ip6ModeData.RouteTable != NULL) {\r
- FreePool (Ip6ModeData.RouteTable);\r
- }\r
-\r
- if (Ip6ModeData.NeighborCache != NULL) {\r
- FreePool (Ip6ModeData.NeighborCache);\r
- }\r
-\r
- if (Ip6ModeData.PrefixTable != NULL) {\r
- FreePool (Ip6ModeData.PrefixTable);\r
- }\r
-\r
- if (Ip6ModeData.IcmpTypeList != NULL) {\r
- FreePool (Ip6ModeData.IcmpTypeList);\r
- }\r
-\r
- //\r
- // Reconfigure udp6 io without remote address.\r
- //\r
- Udp6->Configure (Udp6, NULL);\r
- Status = IkeConfigUdp6 (UdpService->Output, NULL);\r
-\r
- //\r
- // Record the selected source address for ipsec process later.\r
- //\r
- CopyMem (\r
- &UdpService->DefaultAddress.v6,\r
- &Ip6ModeData.ConfigData.StationAddress,\r
- sizeof (EFI_IPv6_ADDRESS)\r
- );\r
- }\r
-\r
- UdpService->IsConfigured = TRUE;\r
-\r
-ON_EXIT:\r
- if (IfInfo != NULL) {\r
- FreePool (IfInfo);\r
- }\r
-\r
- return Status;\r
-}\r
-\r
-/**\r
- Open and configure a UDPIO of Udp4 for IKE packet receiving.\r
-\r
- This function is called at the IPsecDriverBinding start. IPsec create a UDP4 and\r
- UDP4 IO for each NIC handle.\r
-\r
- @param[in] Private Point to IPSEC_PRIVATE_DATA\r
- @param[in] Controller Handler for NIC card.\r
- @param[in] ImageHandle The handle that contains the EFI_DRIVER_BINDING_PROTOCOL instance.\r
-\r
- @retval EFI_SUCCESS The Operation is successful.\r
- @retval EFI_OUT_OF_RESOURCE The required system resource can't be allocated.\r
-\r
-**/\r
-EFI_STATUS\r
-IkeOpenInputUdp4 (\r
- IN IPSEC_PRIVATE_DATA *Private,\r
- IN EFI_HANDLE Controller,\r
- IN EFI_HANDLE ImageHandle\r
- )\r
-{\r
- IKE_UDP_SERVICE *Udp4Srv;\r
-\r
- //\r
- // Check whether udp4 io of the controller has already been opened.\r
- //\r
- Udp4Srv = IkeLookupUdp (Private, Controller, IP_VERSION_4);\r
-\r
- if (Udp4Srv != NULL) {\r
- return EFI_ALREADY_STARTED;\r
- }\r
-\r
- Udp4Srv = AllocateZeroPool (sizeof (IKE_UDP_SERVICE));\r
-\r
- if (Udp4Srv == NULL) {\r
- return EFI_OUT_OF_RESOURCES;\r
- }\r
- //\r
- // Create udp4 io for iutput.\r
- //\r
- Udp4Srv->Input = UdpIoCreateIo (\r
- Controller,\r
- ImageHandle,\r
- IkeConfigUdp4,\r
- UDP_IO_UDP4_VERSION,\r
- NULL\r
- );\r
-\r
- if (Udp4Srv->Input == NULL) {\r
- FreePool (Udp4Srv);\r
- return EFI_OUT_OF_RESOURCES;\r
- }\r
-\r
- Udp4Srv->NicHandle = Controller;\r
- Udp4Srv->ImageHandle = ImageHandle;\r
- Udp4Srv->ListHead = &(Private->Udp4List);\r
- Udp4Srv->IpVersion = UDP_IO_UDP4_VERSION;\r
- Udp4Srv->IsConfigured = FALSE;\r
-\r
- ZeroMem (&Udp4Srv->DefaultAddress, sizeof (EFI_IP_ADDRESS));\r
-\r
- //\r
- // Insert the udp4 io into the list and increase the count.\r
- //\r
- InsertTailList (&Private->Udp4List, &Udp4Srv->List);\r
-\r
- Private->Udp4Num++;\r
-\r
- UdpIoRecvDatagram (Udp4Srv->Input, IkeDispatch, Udp4Srv, 0);\r
-\r
- return EFI_SUCCESS;\r
-}\r
-\r
-/**\r
- Open and configure a UDPIO of Udp6 for IKE packet receiving.\r
-\r
- This function is called at the IPsecDriverBinding start. IPsec create a UDP6 and UDP6\r
- IO for each NIC handle.\r
-\r
- @param[in] Private Point to IPSEC_PRIVATE_DATA\r
- @param[in] Controller Handler for NIC card.\r
- @param[in] ImageHandle The handle that contains the EFI_DRIVER_BINDING_PROTOCOL instance.\r
-\r
- @retval EFI_SUCCESS The Operation is successful.\r
- @retval EFI_OUT_OF_RESOURCE The required system resource can't be allocated.\r
-\r
-**/\r
-EFI_STATUS\r
-IkeOpenInputUdp6 (\r
- IN IPSEC_PRIVATE_DATA *Private,\r
- IN EFI_HANDLE Controller,\r
- IN EFI_HANDLE ImageHandle\r
- )\r
-{\r
- IKE_UDP_SERVICE *Udp6Srv;\r
-\r
- Udp6Srv = IkeLookupUdp (Private, Controller, IP_VERSION_6);\r
-\r
- if (Udp6Srv != NULL) {\r
- return EFI_ALREADY_STARTED;\r
- }\r
-\r
- Udp6Srv = AllocateZeroPool (sizeof (IKE_UDP_SERVICE));\r
-\r
- if (Udp6Srv == NULL) {\r
- return EFI_OUT_OF_RESOURCES;\r
- }\r
- //\r
- // Create udp6 io for input.\r
- //\r
- Udp6Srv->Input = UdpIoCreateIo (\r
- Controller,\r
- ImageHandle,\r
- IkeConfigUdp6,\r
- UDP_IO_UDP6_VERSION,\r
- NULL\r
- );\r
-\r
- if (Udp6Srv->Input == NULL) {\r
- FreePool (Udp6Srv);\r
- return EFI_OUT_OF_RESOURCES;\r
- }\r
-\r
- Udp6Srv->NicHandle = Controller;\r
- Udp6Srv->ImageHandle = ImageHandle;\r
- Udp6Srv->ListHead = &(Private->Udp6List);\r
- Udp6Srv->IpVersion = UDP_IO_UDP6_VERSION;\r
- Udp6Srv->IsConfigured = FALSE;\r
-\r
- ZeroMem (&Udp6Srv->DefaultAddress, sizeof (EFI_IP_ADDRESS));\r
-\r
- //\r
- // Insert the udp6 io into the list and increase the count.\r
- //\r
- InsertTailList (&Private->Udp6List, &Udp6Srv->List);\r
-\r
- Private->Udp6Num++;\r
-\r
- UdpIoRecvDatagram (Udp6Srv->Input, IkeDispatch, Udp6Srv, 0);\r
-\r
- return EFI_SUCCESS;\r
-}\r
-\r
-/**\r
- The general interface of starting IPsec Key Exchange.\r
-\r
- This function is called when a IKE negotiation to start getting a Key.\r
-\r
- @param[in] UdpService Point to IKE_UDP_SERVICE which will be used for\r
- IKE packet sending.\r
- @param[in] SpdEntry Point to the SPD entry related to the IKE negotiation.\r
- @param[in] RemoteIp Point to EFI_IP_ADDRESS related to the IKE negotiation.\r
-\r
- @retval EFI_SUCCESS The Operation is successful.\r
- @retval EFI_ACCESS_DENIED No related PAD entry was found.\r
- @retval EFI_INVALID_PARAMETER The IKE version is not supported.\r
-\r
-**/\r
-EFI_STATUS\r
-IkeNegotiate (\r
- IN IKE_UDP_SERVICE *UdpService,\r
- IN IPSEC_SPD_ENTRY *SpdEntry,\r
- IN EFI_IP_ADDRESS *RemoteIp\r
- )\r
-{\r
- EFI_STATUS Status;\r
- UINT8 *IkeSaSession;\r
- IKE_EXCHANGE_INTERFACE *Exchange;\r
- IPSEC_PRIVATE_DATA *Private;\r
- IPSEC_PAD_ENTRY *PadEntry;\r
- UINT8 IkeVersion;\r
-\r
- Private = (UdpService->IpVersion == IP_VERSION_4) ?\r
- IPSEC_PRIVATE_DATA_FROM_UDP4LIST(UdpService->ListHead) :\r
- IPSEC_PRIVATE_DATA_FROM_UDP6LIST(UdpService->ListHead);\r
-\r
- //\r
- // Try to open udp io for output if it hasn't.\r
- //\r
- Status = IkeOpenOutputUdp (UdpService, RemoteIp);\r
- if (EFI_ERROR (Status)) {\r
- return Status;\r
- }\r
- //\r
- // Try to find the IKE SA session in the IKEv1 and IKEv2 established SA session list.\r
- //\r
- IkeSaSession = (UINT8 *) Ikev2SaSessionLookup (&Private->Ikev2EstablishedList, RemoteIp);\r
-\r
-\r
- if (IkeSaSession == NULL) {\r
- //\r
- // Find the pad entry by the remote ip address.\r
- //\r
- PadEntry = IpSecLookupPadEntry (UdpService->IpVersion, RemoteIp);\r
- if (PadEntry == NULL) {\r
- return EFI_ACCESS_DENIED;\r
- }\r
- //\r
- // Determine the IKE exchange instance by the auth protocol in pad entry.\r
- //\r
- ASSERT (PadEntry->Data->AuthProtocol < EfiIPsecAuthProtocolMaximum);\r
- if (PadEntry->Data->AuthProtocol == EfiIPsecAuthProtocolIKEv1) {\r
- return EFI_INVALID_PARAMETER;\r
- }\r
- Exchange = mIkeExchange[PadEntry->Data->AuthProtocol];\r
- //\r
- // Start the main mode stage to negotiate IKE SA.\r
- //\r
- Status = Exchange->NegotiateSa (UdpService, SpdEntry, PadEntry, RemoteIp);\r
- } else {\r
- //\r
- // Determine the IKE exchange instance by the IKE version in IKE SA session.\r
- //\r
- IkeVersion = IkeGetVersionFromSession (IkeSaSession);\r
- if (IkeVersion != 2) {\r
- return EFI_INVALID_PARAMETER;\r
- }\r
-\r
- Exchange = mIkeExchange[IkeVersion - 1];\r
- //\r
- // Start the quick mode stage to negotiate child SA.\r
- //\r
- Status = Exchange->NegotiateChildSa (IkeSaSession, SpdEntry, NULL);\r
- }\r
-\r
- return Status;\r
-}\r
-\r
-/**\r
- The generic interface when receive a IKE packet.\r
-\r
- This function is called when UDP IO receives a IKE packet.\r
-\r
- @param[in] Packet Point to received IKE packet.\r
- @param[in] EndPoint Point to UDP_END_POINT which contains the information of\r
- Remote IP and Port.\r
- @param[in] IoStatus The Status of Recieve Token.\r
- @param[in] Context Point to data passed from the caller.\r
-\r
-**/\r
-VOID\r
-EFIAPI\r
-IkeDispatch (\r
- IN NET_BUF *Packet,\r
- IN UDP_END_POINT *EndPoint,\r
- IN EFI_STATUS IoStatus,\r
- IN VOID *Context\r
- )\r
-{\r
- IPSEC_PRIVATE_DATA *Private;\r
- IKE_PACKET *IkePacket;\r
- IKE_HEADER *IkeHdr;\r
- IKE_UDP_SERVICE *UdpService;\r
- IKE_EXCHANGE_INTERFACE *Exchange;\r
- EFI_STATUS Status;\r
-\r
- UdpService = (IKE_UDP_SERVICE *) Context;\r
- IkePacket = NULL;\r
- Private = (UdpService->IpVersion == IP_VERSION_4) ?\r
- IPSEC_PRIVATE_DATA_FROM_UDP4LIST(UdpService->ListHead) :\r
- IPSEC_PRIVATE_DATA_FROM_UDP6LIST(UdpService->ListHead);\r
-\r
- if (EFI_ERROR (IoStatus)) {\r
- goto ON_EXIT;\r
- }\r
- //\r
- // Check whether the ipsec is enabled or not.\r
- //\r
- if (Private->IpSec.DisabledFlag == TRUE) {\r
- goto ON_EXIT;\r
- }\r
-\r
- if (EndPoint->RemotePort != IKE_DEFAULT_PORT) {\r
- goto ON_EXIT;\r
- }\r
-\r
- //\r
- // Build IKE packet from the received netbuf.\r
- //\r
- IkePacket = IkePacketFromNetbuf (Packet);\r
-\r
- if (IkePacket == NULL) {\r
- goto ON_EXIT;\r
- }\r
- //\r
- // Get the remote address from the IKE packet.\r
- //\r
- if (UdpService->IpVersion == IP_VERSION_4) {\r
- *(UINT32 *) IkePacket->RemotePeerIp.Addr = HTONL ((*(UINT32 *) EndPoint->RemoteAddr.Addr));\r
- } else {\r
- CopyMem (\r
- &IkePacket->RemotePeerIp,\r
- NTOHLLL (&EndPoint->RemoteAddr.v6),\r
- sizeof (EFI_IPv6_ADDRESS)\r
- );\r
- }\r
- //\r
- // Try to open udp io for output if hasn't.\r
- //\r
- Status = IkeOpenOutputUdp (UdpService, &IkePacket->RemotePeerIp);\r
-\r
- if (EFI_ERROR (Status)) {\r
- goto ON_EXIT;\r
- }\r
-\r
- IkeHdr = IkePacket->Header;\r
-\r
- //\r
- // Determine the IKE exchange instance by the IKE version in IKE header.\r
- //\r
- if (IKE_MAJOR_VERSION (IkeHdr->Version) == 2) {\r
- Exchange = mIkeExchange[IKE_MAJOR_VERSION (IkeHdr->Version) - 1];\r
- } else {\r
- goto ON_EXIT;\r
- }\r
-\r
- switch (IkeHdr->ExchangeType) {\r
- case IKE_XCG_TYPE_IDENTITY_PROTECT:\r
- case IKE_XCG_TYPE_SA_INIT:\r
- case IKE_XCG_TYPE_AUTH:\r
- Exchange->HandleSa (UdpService, IkePacket);\r
- break;\r
-\r
- case IKE_XCG_TYPE_QM:\r
- case IKE_XCG_TYPE_CREATE_CHILD_SA:\r
- Exchange->HandleChildSa (UdpService, IkePacket);\r
- break;\r
-\r
- case IKE_XCG_TYPE_INFO:\r
- case IKE_XCG_TYPE_INFO2:\r
- Exchange->HandleInfo (UdpService, IkePacket);\r
- break;\r
-\r
- default:\r
- break;\r
- }\r
-\r
-ON_EXIT:\r
- if (IkePacket != NULL) {\r
- IkePacketFree (IkePacket);\r
- }\r
-\r
- if (Packet != NULL) {\r
- NetbufFree (Packet);\r
- }\r
-\r
- UdpIoRecvDatagram (UdpService->Input, IkeDispatch, UdpService, 0);\r
-\r
- return ;\r
-}\r
-\r
-/**\r
- Delete all established IKE SAs and related Child SAs.\r
-\r
- This function is the subfunction of the IpSecCleanupAllSa(). It first calls\r
- IkeDeleteChildSa() to delete all Child SAs then send out the related\r
- Information packet.\r
-\r
- @param[in] Private Pointer of the IPSEC_PRIVATE_DATA\r
- @param[in] IsDisableIpsec Indicate whether needs to disable IPsec.\r
-\r
-**/\r
-VOID\r
-IkeDeleteAllSas (\r
- IN IPSEC_PRIVATE_DATA *Private,\r
- IN BOOLEAN IsDisableIpsec\r
- )\r
-{\r
- LIST_ENTRY *Entry;\r
- LIST_ENTRY *NextEntry;\r
- IKEV2_SA_SESSION *Ikev2SaSession;\r
- UINT8 Value;\r
- EFI_STATUS Status;\r
- IKE_EXCHANGE_INTERFACE *Exchange;\r
- UINT8 IkeVersion;\r
-\r
- Exchange = NULL;\r
-\r
- //\r
- // If the IKEv1 is supported, first deal with the Ikev1Estatblished list.\r
- //\r
-\r
- //\r
- // If IKEv2 SAs are under establishing, delete it directly.\r
- //\r
- if (!IsListEmpty (&Private->Ikev2SessionList)) {\r
- NET_LIST_FOR_EACH_SAFE (Entry, NextEntry, &Private->Ikev2SessionList) {\r
- Ikev2SaSession = IKEV2_SA_SESSION_BY_SESSION (Entry);\r
- RemoveEntryList (Entry);\r
- Ikev2SaSessionFree (Ikev2SaSession);\r
- }\r
- }\r
-\r
- //\r
- // If there is no existing established IKE SA, set the Ipsec DisableFlag to TRUE\r
- // and turn off the IsIPsecDisabling flag.\r
- //\r
- if (IsListEmpty (&Private->Ikev2EstablishedList) && IsDisableIpsec) {\r
- Value = IPSEC_STATUS_DISABLED;\r
- Status = gRT->SetVariable (\r
- IPSECCONFIG_STATUS_NAME,\r
- &gEfiIpSecConfigProtocolGuid,\r
- EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_NON_VOLATILE,\r
- sizeof (Value),\r
- &Value\r
- );\r
- if (!EFI_ERROR (Status)) {\r
- Private->IpSec.DisabledFlag = TRUE;\r
- Private->IsIPsecDisabling = FALSE;\r
- return ;\r
- }\r
- }\r
-\r
- //\r
- // Delete established IKEv2 SAs.\r
- //\r
- if (!IsListEmpty (&Private->Ikev2EstablishedList)) {\r
- for (Entry = Private->Ikev2EstablishedList.ForwardLink; Entry != &Private->Ikev2EstablishedList;) {\r
- Ikev2SaSession = IKEV2_SA_SESSION_BY_SESSION (Entry);\r
- Entry = Entry->ForwardLink;\r
-\r
- Ikev2SaSession->SessionCommon.State = IkeStateSaDeleting;\r
-\r
- //\r
- // Call for Information Exchange.\r
- //\r
- IkeVersion = IkeGetVersionFromSession ((UINT8*)Ikev2SaSession);\r
- if (IkeVersion == 2) {\r
- Exchange = mIkeExchange[IkeVersion - 1];\r
- Exchange->NegotiateInfo((UINT8*)Ikev2SaSession, NULL);\r
- }\r
- }\r
- }\r
-\r
-}\r
-\r
-\r
-\r
+++ /dev/null
-/** @file\r
- Prototypes definitions of IKE service.\r
-\r
- Copyright (c) 2010 - 2015, Intel Corporation. All rights reserved.<BR>\r
-\r
- SPDX-License-Identifier: BSD-2-Clause-Patent\r
-\r
-**/\r
-\r
-#ifndef _IKE_SERVICE_H_\r
-#define _IKE_SERVICE_H_\r
-\r
-#include "Ike.h"\r
-#include "IpSecImpl.h"\r
-#include "IkeCommon.h"\r
-#include "Ikev2/Utility.h"\r
-\r
-#define IPSEC_CRYPTO_LIB_MEMORY 128 * 1024\r
-\r
-/**\r
- This is prototype definition of general interface to intialize a IKE negotiation.\r
-\r
- @param[in] UdpService Point to Udp Servcie used for the IKE packet sending.\r
- @param[in] SpdEntry Point to SPD entry related to this IKE negotiation.\r
- @param[in] PadEntry Point to PAD entry related to this IKE negotiation.\r
- @param[in] RemoteIp Point to IP Address which the remote peer to negnotiate.\r
-\r
- @retval EFI_SUCCESS The operation is successful.\r
- @return Otherwise The operation is failed.\r
-\r
-**/\r
-typedef\r
-EFI_STATUS\r
-(*IKE_NEGOTIATE_SA) (\r
- IN IKE_UDP_SERVICE * UdpService,\r
- IN IPSEC_SPD_ENTRY * SpdEntry,\r
- IN IPSEC_PAD_ENTRY * PadEntry,\r
- IN EFI_IP_ADDRESS * RemoteIp\r
- );\r
-\r
-/**\r
- This is prototype definition fo general interface to start a IKE negotiation at Quick Mode.\r
-\r
- This function will be called when the related IKE SA is existed and start to\r
- create a Child SA.\r
-\r
- @param[in] IkeSaSession Point to IKE SA Session related to this Negotiation.\r
- @param[in] SpdEntry Point to SPD entry related to this Negotiation.\r
- @param[in] Context Point to data passed from the caller.\r
-\r
- @retval EFI_SUCCESS The operation is successful.\r
- @retval Otherwise The operation is failed.\r
-\r
-**/\r
-typedef\r
-EFI_STATUS\r
-(*IKE_NEGOTIATE_CHILD_SA) (\r
- IN UINT8 *IkeSaSession,\r
- IN IPSEC_SPD_ENTRY *SpdEntry,\r
- IN UINT8 *Context\r
- );\r
-\r
-/**\r
- This is prototype definition of the general interface when initialize a Inforamtion\r
- Exchange.\r
-\r
- @param[in] IkeSaSession Point to IKE SA Session related to.\r
- @param[in] Context Point to data passed from caller.\r
-\r
-**/\r
-typedef\r
-EFI_STATUS\r
-(*IKE_NEGOTIATE_INFO) (\r
- IN UINT8 *IkeSaSession,\r
- IN UINT8 *Context\r
- );\r
-\r
-/**\r
- This is prototype definition of the general interface when recived a IKE Pakcet\r
- for the IKE SA establishing.\r
-\r
- @param[in] UdpService Point to UDP service used to send IKE Packet.\r
- @param[in] IkePacket Point to received IKE packet.\r
-\r
-**/\r
-typedef\r
-VOID\r
-(*IKE_HANDLE_SA) (\r
- IN IKE_UDP_SERVICE *UdpService,\r
- IN IKE_PACKET *IkePacket\r
- );\r
-\r
-/**\r
- This is prototyp definition of the general interface when recived a IKE Packet\r
- xfor the Child SA establishing.\r
-\r
- @param[in] UdpService Point to UDP service used to send IKE packet.\r
- @param[in] IkePacket Point to received IKE packet.\r
-\r
-**/\r
-typedef\r
-VOID\r
-(*IKE_HANDLE_CHILD_SA) (\r
- IN IKE_UDP_SERVICE *UdpService,\r
- IN IKE_PACKET *IkePacket\r
- );\r
-\r
-/**\r
- This is prototype definition of the general interface when received a IKE\r
- information Packet.\r
-\r
- @param[in] UdpService Point to UDP service used to send IKE packet.\r
- @param[in] IkePacket Point to received IKE packet.\r
-\r
-**/\r
-typedef\r
-VOID\r
-(*IKE_HANDLE_INFO) (\r
- IN IKE_UDP_SERVICE *UdpService,\r
- IN IKE_PACKET *IkePacket\r
- );\r
-\r
-typedef struct _IKE_EXCHANGE_INTERFACE {\r
- UINT8 IkeVer;\r
- IKE_NEGOTIATE_SA NegotiateSa;\r
- IKE_NEGOTIATE_CHILD_SA NegotiateChildSa;\r
- IKE_NEGOTIATE_INFO NegotiateInfo;\r
- IKE_HANDLE_SA HandleSa;\r
- IKE_HANDLE_CHILD_SA HandleChildSa;\r
- IKE_HANDLE_INFO HandleInfo;\r
-} IKE_EXCHANGE_INTERFACE;\r
-\r
-/**\r
- Open and configure a UDPIO of Udp4 for IKE packet receiving.\r
-\r
- This function is called at the IPsecDriverBinding start. IPsec create a UDP4 and\r
- a UDP4 IO for each NIC handle.\r
-\r
- @param[in] Private Point to IPSEC_PRIVATE_DATA\r
- @param[in] Controller Handler for NIC card.\r
- @param[in] ImageHandle The handle that contains the EFI_DRIVER_BINDING_PROTOCOL instance.\r
-\r
- @retval EFI_SUCCESS The Operation is successful.\r
- @retval EFI_OUT_OF_RESOURCE The required system resource can't be allocated.\r
-\r
-**/\r
-EFI_STATUS\r
-IkeOpenInputUdp4 (\r
- IN IPSEC_PRIVATE_DATA *Private,\r
- IN EFI_HANDLE Controller,\r
- IN EFI_HANDLE ImageHandle\r
- );\r
-\r
-/**\r
- Open and configure a UDPIO of Udp6 for IKE packet receiving.\r
-\r
- This function is called at the IPsecDriverBinding start. IPsec create a UDP6 and UDP6\r
- IO for each NIC handle.\r
-\r
- @param[in] Private Point to IPSEC_PRIVATE_DATA\r
- @param[in] Controller Handler for NIC card.\r
- @param[in] ImageHandle The handle that contains the EFI_DRIVER_BINDING_PROTOCOL instance.\r
-\r
- @retval EFI_SUCCESS The Operation is successful.\r
- @retval EFI_OUT_OF_RESOURCE The required system resource can't be allocated.\r
-\r
-**/\r
-EFI_STATUS\r
-IkeOpenInputUdp6 (\r
- IN IPSEC_PRIVATE_DATA *Private,\r
- IN EFI_HANDLE Controller,\r
- IN EFI_HANDLE ImageHandle\r
- );\r
-\r
-/**\r
- The general interface of starting IPsec Key Exchange.\r
-\r
- This function is called when start a IKE negotiation to get a Key.\r
-\r
- @param[in] UdpService Point to IKE_UDP_SERVICE which will be used for\r
- IKE packet sending.\r
- @param[in] SpdEntry Point to the SPD entry related to the IKE negotiation.\r
- @param[in] RemoteIp Point to EFI_IP_ADDRESS related to the IKE negotiation.\r
-\r
- @retval EFI_SUCCESS The Operation is successful.\r
- @retval EFI_ACCESS_DENIED No related PAD entry was found.\r
-\r
-**/\r
-EFI_STATUS\r
-IkeNegotiate (\r
- IN IKE_UDP_SERVICE *UdpService,\r
- IN IPSEC_SPD_ENTRY *SpdEntry,\r
- IN EFI_IP_ADDRESS *RemoteIp\r
- );\r
-\r
-/**\r
- The general interface when receive a IKE packet.\r
-\r
- This function is called when UDP IO receives a IKE packet.\r
-\r
- @param[in] Packet Point to received IKE packet.\r
- @param[in] EndPoint Point to UDP_END_POINT which contains the information of\r
- Remote IP and Port.\r
- @param[in] IoStatus The Status of Recieve Token.\r
- @param[in] Context Point to data passed from the caller.\r
-\r
-**/\r
-VOID\r
-EFIAPI\r
-IkeDispatch (\r
- IN NET_BUF *Packet,\r
- IN UDP_END_POINT *EndPoint,\r
- IN EFI_STATUS IoStatus,\r
- IN VOID *Context\r
- );\r
-\r
-/**\r
- Check if the NIC handle is binded to a Udp service.\r
-\r
- @param[in] Private Pointer of IPSEC_PRIVATE_DATA\r
- @param[in] Handle The Handle of the NIC card\r
- @param[in] IpVersion The version of the IP stack.\r
-\r
- @return a pointer of IKE_UDP_SERVICE.\r
-\r
-**/\r
-IKE_UDP_SERVICE *\r
-IkeLookupUdp (\r
- IN IPSEC_PRIVATE_DATA *Private,\r
- IN EFI_HANDLE Handle,\r
- IN UINT8 IpVersion\r
- );\r
-\r
-\r
-/**\r
- Delete all established IKE SAs and related Child SAs.\r
-\r
- This function is the subfunction of the IpSecCleanupAllSa(). It first calls\r
- IkeDeleteChildSa() to delete all Child SAs then send out the related\r
- Information packet.\r
-\r
- @param[in] Private Pointer of the IPSEC_PRIVATE_DATA.\r
- @param[in] IsDisableIpsec Indicate whether needs to disable IPsec.\r
-\r
-**/\r
-VOID\r
-IkeDeleteAllSas (\r
- IN IPSEC_PRIVATE_DATA *Private,\r
- IN BOOLEAN IsDisableIpsec\r
- );\r
-\r
-\r
-extern IKE_EXCHANGE_INTERFACE mIkev1Exchange;\r
-extern IKE_EXCHANGE_INTERFACE mIkev2Exchange;\r
-\r
-#endif\r
+++ /dev/null
-/** @file\r
- The operations for Child SA.\r
-\r
- Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>\r
-\r
- SPDX-License-Identifier: BSD-2-Clause-Patent\r
-\r
-**/\r
-\r
-#include "Utility.h"\r
-\r
-/**\r
- Generate IKE Packet for CREATE_CHILD_SA exchange.\r
-\r
- This IKE Packet would be the packet for creating new CHILD SA, or the packet for\r
- rekeying existing IKE SA, or the packet for existing CHILD SA.\r
-\r
- @param[in] SaSession Pointer to related SA session.\r
- @param[in] Context The data passed by the caller.\r
-\r
- return a pointer of IKE packet.\r
-\r
-**/\r
-IKE_PACKET *\r
-Ikev2CreateChildGenerator (\r
- IN UINT8 *SaSession,\r
- IN VOID *Context\r
- )\r
-{\r
-\r
- IKEV2_CHILD_SA_SESSION *ChildSaSession;\r
- IKEV2_SA_SESSION *IkeSaSession;\r
- IKE_PACKET *IkePacket;\r
- IKE_PAYLOAD *NotifyPayload;\r
- UINT32 *MessageId;\r
-\r
- NotifyPayload = NULL;\r
- MessageId = NULL;\r
-\r
- ChildSaSession = (IKEV2_CHILD_SA_SESSION *) SaSession;\r
- if (ChildSaSession == NULL) {\r
- return NULL;\r
- }\r
-\r
- IkePacket = IkePacketAlloc();\r
- if (IkePacket == NULL) {\r
- return NULL;\r
- }\r
-\r
-\r
- if (Context != NULL) {\r
- MessageId = (UINT32 *) Context;\r
- }\r
-\r
- IkePacket->Header->Version = (UINT8) (2 << 4);\r
- IkePacket->Header->NextPayload = IKEV2_PAYLOAD_TYPE_NOTIFY;\r
- IkePacket->Header->ExchangeType = IKE_XCG_TYPE_CREATE_CHILD_SA;\r
-\r
- if (ChildSaSession->SessionCommon.IkeSessionType == IkeSessionTypeChildSa) {\r
- //\r
- // 1.a Fill the IkePacket->Hdr\r
- //\r
- IkePacket->Header->InitiatorCookie = ChildSaSession->IkeSaSession->InitiatorCookie;\r
- IkePacket->Header->ResponderCookie = ChildSaSession->IkeSaSession->ResponderCookie;\r
-\r
- if (MessageId != NULL) {\r
- IkePacket->Header->MessageId = *MessageId;\r
- } else {\r
- IkePacket->Header->MessageId = ChildSaSession->MessageId;\r
- }\r
-\r
- if (ChildSaSession->SessionCommon.IsInitiator) {\r
- IkePacket->Header->Flags = IKE_HEADER_FLAGS_INIT;\r
- }\r
-\r
- } else {\r
- IkeSaSession = (IKEV2_SA_SESSION *) SaSession;\r
- //\r
- // 1.a Fill the IkePacket->Hdr\r
- //\r
- IkePacket->Header->InitiatorCookie = IkeSaSession->InitiatorCookie;\r
- IkePacket->Header->ResponderCookie = IkeSaSession->ResponderCookie;\r
-\r
- if (MessageId != NULL) {\r
- IkePacket->Header->MessageId = *MessageId;\r
- } else {\r
- IkePacket->Header->MessageId = IkeSaSession->MessageId;\r
- }\r
-\r
- if (IkeSaSession->SessionCommon.IsInitiator) {\r
- IkePacket->Header->Flags = IKE_HEADER_FLAGS_INIT;\r
- }\r
- }\r
-\r
- if (MessageId != NULL) {\r
- IkePacket->Header->Flags |= IKE_HEADER_FLAGS_RESPOND;\r
- }\r
-\r
- //\r
- // According to RFC4306, Chapter 4.\r
- // A minimal implementation may support the CREATE_CHILD_SA exchange only to\r
- // recognize requests and reject them with a Notify payload of type NO_ADDITIONAL_SAS.\r
- //\r
- NotifyPayload = Ikev2GenerateNotifyPayload (\r
- 0,\r
- IKEV2_PAYLOAD_TYPE_NONE,\r
- 0,\r
- IKEV2_NOTIFICATION_NO_ADDITIONAL_SAS,\r
- NULL,\r
- NULL,\r
- 0\r
- );\r
- if (NotifyPayload == NULL) {\r
- IkePacketFree (IkePacket);\r
- return NULL;\r
- }\r
-\r
- IKE_PACKET_APPEND_PAYLOAD (IkePacket, NotifyPayload);\r
- //\r
- // TODO: Support the CREATE_CHILD_SA exchange.\r
- //\r
- return IkePacket;\r
-}\r
-\r
-/**\r
- Parse the IKE packet of CREATE_CHILD_SA exchange.\r
-\r
- This function parse the IKE packet and save the related information to further\r
- calculation.\r
-\r
- @param[in] SaSession Pointer to IKEv2_CHILD_SA_SESSION related to this Exchange.\r
- @param[in] IkePacket Received packet to be parsed.\r
-\r
-\r
- @retval EFI_SUCCESS The IKE Packet is acceptable.\r
- @retval EFI_UNSUPPORTED Not support the CREATE_CHILD_SA request.\r
-\r
-**/\r
-EFI_STATUS\r
-Ikev2CreateChildParser (\r
- IN UINT8 *SaSession,\r
- IN IKE_PACKET *IkePacket\r
- )\r
-{\r
- return EFI_UNSUPPORTED;\r
-}\r
-\r
-/**\r
- Routine process before the payload decoding.\r
-\r
- @param[in] SessionCommon Pointer to ChildSa SessionCommon.\r
- @param[in] PayloadBuf Pointer to the payload.\r
- @param[in] PayloadSize Size of PayloadBuf in byte.\r
- @param[in] PayloadType Type of Payload.\r
-\r
-**/\r
-VOID\r
-Ikev2ChildSaBeforeDecodePayload (\r
- IN UINT8 *SessionCommon,\r
- IN UINT8 *PayloadBuf,\r
- IN UINTN PayloadSize,\r
- IN UINT8 PayloadType\r
- )\r
-{\r
-\r
-}\r
-\r
-/**\r
- Routine Process after the payload encoding.\r
-\r
- @param[in] SessionCommon Pointer to ChildSa SessionCommon.\r
- @param[in] PayloadBuf Pointer to the payload.\r
- @param[in] PayloadSize Size of PayloadBuf in byte.\r
- @param[in] PayloadType Type of Payload.\r
-\r
-**/\r
-VOID\r
-Ikev2ChildSaAfterEncodePayload (\r
- IN UINT8 *SessionCommon,\r
- IN UINT8 *PayloadBuf,\r
- IN UINTN PayloadSize,\r
- IN UINT8 PayloadType\r
- )\r
-{\r
-}\r
-\r
-IKEV2_PACKET_HANDLER mIkev2CreateChild = {\r
- //\r
- // Create Child\r
- //\r
- Ikev2CreateChildParser,\r
- Ikev2CreateChildGenerator\r
-};\r
+++ /dev/null
-/** @file\r
- The general interfaces of the IKEv2.\r
-\r
- Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>\r
-\r
- SPDX-License-Identifier: BSD-2-Clause-Patent\r
-\r
-**/\r
-\r
-#include "Utility.h"\r
-#include "IpSecDebug.h"\r
-#include "IkeService.h"\r
-#include "IpSecConfigImpl.h"\r
-\r
-/**\r
- General interface to intialize a IKEv2 negotiation.\r
-\r
- @param[in] UdpService Point to Udp Servcie used for the IKE packet sending.\r
- @param[in] SpdEntry Point to SPD entry related to this IKE negotiation.\r
- @param[in] PadEntry Point to PAD entry related to this IKE negotiation.\r
- @param[in] RemoteIp Point to IP Address which the remote peer to negnotiate.\r
-\r
- @retval EFI_SUCCESS The operation is successful.\r
- @retval EFI_OUT_OF_RESOURCES The required system resource can't be allocated.\r
- @retval EFI_INVALID_PARAMETER If UdpService or RemoteIp is NULL.\r
- @return Others The operation is failed.\r
-\r
-**/\r
-EFI_STATUS\r
-Ikev2NegotiateSa (\r
- IN IKE_UDP_SERVICE *UdpService,\r
- IN IPSEC_SPD_ENTRY *SpdEntry,\r
- IN IPSEC_PAD_ENTRY *PadEntry,\r
- IN EFI_IP_ADDRESS *RemoteIp\r
- )\r
-{\r
- IPSEC_PRIVATE_DATA *Private;\r
- IKEV2_SA_SESSION *IkeSaSession;\r
- IKEV2_SESSION_COMMON *SessionCommon;\r
- IKEV2_PACKET_HANDLER Handler;\r
- IKE_PACKET *IkePacket;\r
- EFI_STATUS Status;\r
-\r
- if (UdpService == NULL || RemoteIp == NULL) {\r
- return EFI_INVALID_PARAMETER;\r
- }\r
-\r
- IkePacket = NULL;\r
- Private = (UdpService->IpVersion == IP_VERSION_4) ?\r
- IPSEC_PRIVATE_DATA_FROM_UDP4LIST(UdpService->ListHead) :\r
- IPSEC_PRIVATE_DATA_FROM_UDP6LIST(UdpService->ListHead);\r
-\r
- //\r
- // Lookup the remote ip address in the processing IKE SA session list.\r
- //\r
- IkeSaSession = Ikev2SaSessionLookup (&Private->Ikev2SessionList, RemoteIp);\r
- if (IkeSaSession != NULL) {\r
- //\r
- // Drop the packet if already in process.\r
- //\r
- return EFI_SUCCESS;\r
- }\r
-\r
- //\r
- // Create a new IkeSaSession and initiate the common parameters.\r
- //\r
- IkeSaSession = Ikev2SaSessionAlloc (Private, UdpService);\r
- if (IkeSaSession == NULL) {\r
- return EFI_OUT_OF_RESOURCES;\r
- }\r
-\r
- //\r
- // Set the specific parameters and state(IKE_STATE_INIT).\r
- //\r
- IkeSaSession->Spd = SpdEntry;\r
- IkeSaSession->Pad = PadEntry;\r
- SessionCommon = &IkeSaSession->SessionCommon;\r
- SessionCommon->IsInitiator = TRUE;\r
- SessionCommon->State = IkeStateInit;\r
- //\r
- // TODO: Get the prefer DH Group from the IPsec Configuration, after the IPsecconfig application update\r
- // to support it.\r
- //\r
- SessionCommon->PreferDhGroup = IKEV2_TRANSFORM_ID_DH_1024MODP;\r
-\r
- CopyMem (\r
- &SessionCommon->RemotePeerIp,\r
- RemoteIp,\r
- sizeof (EFI_IP_ADDRESS)\r
- );\r
-\r
- CopyMem (\r
- &SessionCommon->LocalPeerIp,\r
- &UdpService->DefaultAddress,\r
- sizeof (EFI_IP_ADDRESS)\r
- );\r
-\r
- IKEV2_DUMP_STATE (SessionCommon->State, IkeStateInit);\r
-\r
- //\r
- // Initiate the SAD data of the IkeSaSession.\r
- //\r
- IkeSaSession->SaData = Ikev2InitializeSaData (SessionCommon);\r
- if (IkeSaSession->SaData == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto ON_ERROR;\r
- }\r
-\r
- //\r
- // Generate an IKE request packet and send it out.\r
- //\r
- Handler = mIkev2Initial[IkeSaSession->Pad->Data->AuthMethod][SessionCommon->State];\r
- IkePacket = Handler.Generator ((UINT8 *) IkeSaSession, NULL);\r
- if (IkePacket == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto ON_ERROR;\r
- }\r
-\r
- Status = Ikev2SendIkePacket (UdpService, (UINT8 *) SessionCommon, IkePacket, 0);\r
-\r
- if (EFI_ERROR (Status)) {\r
- goto ON_ERROR;\r
- }\r
-\r
- //\r
- // Insert the current IkeSaSession into the processing IKE SA list.\r
- //\r
- Ikev2SaSessionInsert (&Private->Ikev2SessionList, IkeSaSession, RemoteIp);\r
-\r
- return EFI_SUCCESS;\r
-\r
-ON_ERROR:\r
-\r
- if (IkePacket != NULL) {\r
- IkePacketFree (IkePacket);\r
- }\r
- Ikev2SaSessionFree (IkeSaSession);\r
- return Status;\r
-}\r
-\r
-/**\r
- It is general interface to negotiate the Child SA.\r
-\r
- There are three situations which will invoke this function. First, create a CHILD\r
- SA if the input Context is NULL. Second, rekeying the existing IKE SA if the Context\r
- is a IKEv2_SA_SESSION. Third, rekeying the existing CHILD SA if the context is a\r
- IKEv2_CHILD_SA_SESSION.\r
-\r
- @param[in] IkeSaSession Pointer to IKEv2_SA_SESSION related to this operation.\r
- @param[in] SpdEntry Pointer to IPSEC_SPD_ENTRY related to this operation.\r
- @param[in] Context The data pass from the caller.\r
-\r
- @retval EFI_SUCCESS The operation is successful.\r
- @retval EFI_OUT_OF_RESOURCES The required system resource can't be allocated.\r
- @retval EFI_UNSUPPORTED The condition is not support yet.\r
- @return Others The operation is failed.\r
-\r
-**/\r
-EFI_STATUS\r
-Ikev2NegotiateChildSa (\r
- IN UINT8 *IkeSaSession,\r
- IN IPSEC_SPD_ENTRY *SpdEntry,\r
- IN UINT8 *Context\r
- )\r
-{\r
- EFI_STATUS Status;\r
- IKEV2_SA_SESSION *SaSession;\r
- IKEV2_CHILD_SA_SESSION *ChildSaSession;\r
- IKEV2_SESSION_COMMON *ChildSaCommon;\r
- IKE_PACKET *IkePacket;\r
- IKE_UDP_SERVICE *UdpService;\r
-\r
- SaSession = (IKEV2_SA_SESSION*) IkeSaSession;\r
- UdpService = SaSession->SessionCommon.UdpService;\r
- IkePacket = NULL;\r
-\r
- //\r
- // 1. Create another child SA session if context is null.\r
- // 2. Rekeying the IKE SA session if the context is IKE SA session.\r
- // 3. Rekeying the child SA session if the context is child SA session.\r
- //\r
- if (Context == NULL) {\r
- //\r
- // Create a new ChildSaSession and initiate the common parameters.\r
- //\r
- ChildSaSession = Ikev2ChildSaSessionAlloc (UdpService, SaSession);\r
-\r
- if (ChildSaSession == NULL) {\r
- return EFI_OUT_OF_RESOURCES;\r
- }\r
-\r
- //\r
- // Set the specific parameters and state as IKE_STATE_CREATE_CHILD.\r
- //\r
- ChildSaSession->Spd = SpdEntry;\r
- ChildSaCommon = &ChildSaSession->SessionCommon;\r
- ChildSaCommon->IsInitiator = TRUE;\r
- ChildSaCommon->State = IkeStateCreateChild;\r
-\r
- IKEV2_DUMP_STATE (ChildSaCommon->State, IkeStateCreateChild);\r
-\r
- if (SpdEntry->Selector->NextLayerProtocol != EFI_IPSEC_ANY_PROTOCOL) {\r
- ChildSaSession->ProtoId = SpdEntry->Selector->NextLayerProtocol;\r
- }\r
-\r
- if (SpdEntry->Selector->LocalPort != EFI_IPSEC_ANY_PORT) {\r
- ChildSaSession->LocalPort = SpdEntry->Selector->LocalPort;\r
- }\r
-\r
- if (SpdEntry->Selector->RemotePort != EFI_IPSEC_ANY_PORT) {\r
- ChildSaSession->RemotePort = SpdEntry->Selector->RemotePort;\r
- }\r
- //\r
- // Initiate the SAD data parameters of the ChildSaSession.\r
- //\r
- ChildSaSession->SaData = Ikev2InitializeSaData (ChildSaCommon);\r
- if (ChildSaSession->SaData == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto ON_ERROR;\r
- }\r
- //\r
- // Generate an IKE request packet and send it out.\r
- //\r
- IkePacket = mIkev2CreateChild.Generator ((UINT8 *) ChildSaSession, NULL);\r
-\r
- if (IkePacket == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto ON_ERROR;\r
- }\r
-\r
- Status = Ikev2SendIkePacket (UdpService, (UINT8 *) ChildSaCommon, IkePacket, 0);\r
-\r
- if (EFI_ERROR (Status)) {\r
- goto ON_ERROR;\r
- }\r
-\r
- //\r
- // Insert the ChildSaSession into processing child SA list.\r
- //\r
- Ikev2ChildSaSessionInsert (&SaSession->ChildSaSessionList, ChildSaSession);\r
- } else {\r
- //\r
- // TODO: Rekeying IkeSaSession or ChildSaSession, NOT support yet.\r
- //\r
- // Rekey IkeSa, set IkeSaSession->State and pass over IkeSaSession\r
- // Rekey ChildSa, set ChildSaSession->State and pass over ChildSaSession\r
- //\r
- return EFI_UNSUPPORTED;\r
- }\r
-\r
- return EFI_SUCCESS;\r
-\r
-ON_ERROR:\r
-\r
- if (ChildSaSession->SaData != NULL) {\r
- FreePool (ChildSaSession->SaData);\r
- }\r
-\r
- if (ChildSaSession->SessionCommon.TimeoutEvent != NULL) {\r
- gBS->CloseEvent (ChildSaSession->SessionCommon.TimeoutEvent);\r
- }\r
-\r
- if (IkePacket != NULL) {\r
- IkePacketFree (IkePacket);\r
- }\r
-\r
- Ikev2ChildSaSessionFree (ChildSaSession);\r
- return Status;\r
-}\r
-\r
-/**\r
- It is general interface to start the Information Exchange.\r
-\r
- There are three situations which will invoke this function. First, deliver a Delete Information\r
- to delete the IKE SA if the input Context is NULL and the state of related IkeSaSeesion's is on\r
- deleting.Second, deliver a Notify Information without the contents if the input Context is NULL.\r
- Third, deliver a Notify Information if the input Context is not NULL.\r
-\r
- @param[in] IkeSaSession Pointer to IKEv2_SA_SESSION related to this operation.\r
- @param[in] Context Data passed by caller.\r
-\r
- @retval EFI_SUCCESS The operation is successful.\r
- @retval EFI_OUT_OF_RESOURCES The required system resource can't be allocated.\r
- @retval EFI_UNSUPPORTED The condition is not support yet.\r
- @return Otherwise The operation is failed.\r
-\r
-**/\r
-EFI_STATUS\r
-Ikev2NegotiateInfo (\r
- IN UINT8 *IkeSaSession,\r
- IN UINT8 *Context\r
- )\r
-{\r
-\r
- EFI_STATUS Status;\r
- IKEV2_SA_SESSION *Ikev2SaSession;\r
- IKEV2_CHILD_SA_SESSION *ChildSaSession;\r
- IKEV2_SESSION_COMMON *SaCommon;\r
- IKE_PACKET *IkePacket;\r
- IKE_UDP_SERVICE *UdpService;\r
- LIST_ENTRY *Entry;\r
- LIST_ENTRY *NextEntry;\r
-\r
- Ikev2SaSession = (IKEV2_SA_SESSION *) IkeSaSession;\r
- UdpService = Ikev2SaSession->SessionCommon.UdpService;\r
- SaCommon = &Ikev2SaSession->SessionCommon;\r
- IkePacket = NULL;\r
- Status = EFI_SUCCESS;\r
-\r
- //\r
- // Delete the IKE SA.\r
- //\r
- if (Ikev2SaSession->SessionCommon.State == IkeStateSaDeleting && Context == NULL) {\r
-\r
- //\r
- // Generate Information Packet which contains the Delete Payload.\r
- //\r
- IkePacket = mIkev2Info.Generator ((UINT8 *) Ikev2SaSession, NULL);\r
- if (IkePacket == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto ON_ERROR;\r
- }\r
-\r
- //\r
- // Send out the Packet\r
- //\r
- if (UdpService != NULL && UdpService->Output != NULL) {\r
- Status = Ikev2SendIkePacket (UdpService, (UINT8 *) SaCommon, IkePacket, 0);\r
-\r
- if (EFI_ERROR (Status)) {\r
- goto ON_ERROR;\r
- }\r
- }\r
- } else if (!IsListEmpty (&Ikev2SaSession->DeleteSaList)) {\r
- //\r
- // Iterate all Deleting Child SAs.\r
- //\r
- NET_LIST_FOR_EACH_SAFE (Entry, NextEntry, &Ikev2SaSession->DeleteSaList) {\r
- ChildSaSession = IKEV2_CHILD_SA_SESSION_BY_DEL_SA (Entry);\r
- ChildSaSession->SessionCommon.State = IkeStateSaDeleting;\r
-\r
- //\r
- // Generate Information Packet which contains the Child SA Delete Payload.\r
- //\r
- IkePacket = mIkev2Info.Generator ((UINT8 *) ChildSaSession, NULL);\r
- if (IkePacket == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto ON_ERROR;\r
- }\r
-\r
- //\r
- // Send out the Packet\r
- //\r
- if (UdpService != NULL && UdpService->Output != NULL) {\r
- Status = Ikev2SendIkePacket (UdpService, (UINT8 *) &ChildSaSession->SessionCommon, IkePacket, 0);\r
-\r
- if (EFI_ERROR (Status)) {\r
- goto ON_ERROR;\r
- }\r
- }\r
- }\r
- } else if (Context == NULL) {\r
- //\r
- // TODO: Deliver null notification message.\r
- //\r
- } else if (Context != NULL) {\r
- //\r
- // TODO: Send out the Information Exchange which contains the Notify Payload.\r
- //\r
- }\r
-ON_ERROR:\r
- if (IkePacket != NULL) {\r
- IkePacketFree (IkePacket);\r
- }\r
- return Status;\r
-\r
-}\r
-\r
-/**\r
- The general interface when received a IKEv2 packet for the IKE SA establishing.\r
-\r
- This function first find the related IKE SA Session according to the IKE packet's\r
- remote IP. Then call the corresponding function to handle this IKE packet according\r
- to the related IKE SA Session's State.\r
-\r
- @param[in] UdpService Pointer of related UDP Service.\r
- @param[in] IkePacket Data passed by caller.\r
-\r
-**/\r
-VOID\r
-Ikev2HandleSa (\r
- IN IKE_UDP_SERVICE *UdpService,\r
- IN IKE_PACKET *IkePacket\r
- )\r
-{\r
- EFI_STATUS Status;\r
- IKEV2_SA_SESSION *IkeSaSession;\r
- IKEV2_CHILD_SA_SESSION *ChildSaSession;\r
- IKEV2_SESSION_COMMON *IkeSaCommon;\r
- IKEV2_SESSION_COMMON *ChildSaCommon;\r
- IKEV2_PACKET_HANDLER Handler;\r
- IKE_PACKET *Reply;\r
- IPSEC_PAD_ENTRY *PadEntry;\r
- IPSEC_PRIVATE_DATA *Private;\r
- BOOLEAN IsNewSession;\r
-\r
- Private = (UdpService->IpVersion == IP_VERSION_4) ?\r
- IPSEC_PRIVATE_DATA_FROM_UDP4LIST(UdpService->ListHead) :\r
- IPSEC_PRIVATE_DATA_FROM_UDP6LIST(UdpService->ListHead);\r
-\r
- ChildSaSession = NULL;\r
- ChildSaCommon = NULL;\r
-\r
- //\r
- // Lookup the remote ip address in the processing IKE SA session list.\r
- //\r
- IkeSaSession = Ikev2SaSessionLookup (&Private->Ikev2SessionList, &IkePacket->RemotePeerIp);\r
- IsNewSession = FALSE;\r
-\r
- if (IkeSaSession == NULL) {\r
- //\r
- // Lookup the remote ip address in the pad.\r
- //\r
- PadEntry = IpSecLookupPadEntry (UdpService->IpVersion, &IkePacket->RemotePeerIp);\r
- if (PadEntry == NULL) {\r
- //\r
- // Drop the packet if no pad entry matched, this is the request from RFC 4301.\r
- //\r
- return ;\r
- }\r
-\r
- //\r
- // Create a new IkeSaSession and initiate the common parameters.\r
- //\r
- IkeSaSession = Ikev2SaSessionAlloc (Private, UdpService);\r
- if (IkeSaSession == NULL) {\r
- return;\r
- }\r
- IkeSaSession->Pad = PadEntry;\r
- IkeSaCommon = &IkeSaSession->SessionCommon;\r
- IkeSaCommon->IsInitiator = FALSE;\r
- IkeSaCommon->State = IkeStateInit;\r
-\r
- IKEV2_DUMP_STATE (IkeSaCommon->State, IkeStateInit);\r
-\r
- CopyMem (\r
- &IkeSaCommon->RemotePeerIp,\r
- &IkePacket->RemotePeerIp,\r
- sizeof (EFI_IP_ADDRESS)\r
- );\r
-\r
- CopyMem (\r
- &IkeSaCommon->LocalPeerIp,\r
- &UdpService->DefaultAddress,\r
- sizeof (EFI_IP_ADDRESS)\r
- );\r
-\r
- IsNewSession = TRUE;\r
- }\r
-\r
- //\r
- // Validate the IKE packet header.\r
- //\r
- if (!Ikev2ValidateHeader (IkeSaSession, IkePacket->Header)) {\r
- //\r
- // Drop the packet if invalid IKE header.\r
- //\r
- goto ON_ERROR;\r
- }\r
-\r
- //\r
- // Decode all the payloads in the IKE packet.\r
- //\r
- IkeSaCommon = &IkeSaSession->SessionCommon;\r
- Status = Ikev2DecodePacket (IkeSaCommon, IkePacket, IkeSessionTypeIkeSa);\r
- if (EFI_ERROR (Status)) {\r
- goto ON_ERROR;\r
- }\r
-\r
- //\r
- // Try to reate the first ChildSa Session of that IkeSaSession.\r
- // If the IkeSaSession is responder, here will create the first ChildSaSession.\r
- //\r
- if (IkeSaCommon->State == IkeStateAuth && IsListEmpty(&IkeSaSession->ChildSaSessionList)) {\r
- //\r
- // Generate a piggyback child SA in IKE_STATE_AUTH state.\r
- //\r
- ASSERT (IsListEmpty (&IkeSaSession->ChildSaSessionList) &&\r
- IsListEmpty (&IkeSaSession->ChildSaEstablishSessionList));\r
-\r
- ChildSaSession = Ikev2ChildSaSessionCreate (IkeSaSession, UdpService);\r
- if (ChildSaSession == NULL) {\r
- goto ON_ERROR;\r
- }\r
-\r
- ChildSaCommon = &ChildSaSession->SessionCommon;\r
- }\r
-\r
- //\r
- // Parse the IKE request packet according to the auth method and current state.\r
- //\r
- Handler = mIkev2Initial[IkeSaSession->Pad->Data->AuthMethod][IkeSaCommon->State];\r
- Status = Handler.Parser ((UINT8 *)IkeSaSession, IkePacket);\r
- if (EFI_ERROR (Status)) {\r
- goto ON_ERROR;\r
- }\r
-\r
- //\r
- // Try to reate the first ChildSa Session of that IkeSaSession.\r
- // If the IkeSaSession is initiator, here will create the first ChildSaSession.\r
- //\r
- if (IkeSaCommon->State == IkeStateAuth && IsListEmpty(&IkeSaSession->ChildSaSessionList)) {\r
- //\r
- // Generate a piggyback child SA in IKE_STATE_AUTH state.\r
- //\r
- ASSERT (IsListEmpty (&IkeSaSession->ChildSaSessionList) &&\r
- IsListEmpty (&IkeSaSession->ChildSaEstablishSessionList));\r
-\r
- ChildSaSession = Ikev2ChildSaSessionCreate (IkeSaSession, UdpService);\r
- if (ChildSaSession == NULL) {\r
- goto ON_ERROR;\r
- }\r
-\r
- ChildSaCommon = &ChildSaSession->SessionCommon;\r
-\r
- //\r
- // Initialize the SA data for Child SA.\r
- //\r
- ChildSaSession->SaData = Ikev2InitializeSaData (ChildSaCommon);\r
- }\r
-\r
- //\r
- // Generate the IKE response packet and send it out if not established.\r
- //\r
- if (IkeSaCommon->State != IkeStateIkeSaEstablished) {\r
- Handler = mIkev2Initial[IkeSaSession->Pad->Data->AuthMethod][IkeSaCommon->State];\r
- Reply = Handler.Generator ((UINT8 *) IkeSaSession, NULL);\r
- if (Reply == NULL) {\r
- goto ON_ERROR;\r
- }\r
-\r
- Status = Ikev2SendIkePacket (UdpService, (UINT8 *) IkeSaCommon, Reply, 0);\r
- if (EFI_ERROR (Status)) {\r
- goto ON_ERROR;\r
- }\r
- if (!IkeSaCommon->IsInitiator) {\r
- IkeSaCommon->State ++;\r
- IKEV2_DUMP_STATE (IkeSaCommon->State - 1, IkeSaCommon->State);\r
- }\r
- }\r
-\r
- //\r
- // Insert the new IkeSaSession into the Private processing IkeSaSession List.\r
- //\r
- if (IsNewSession) {\r
- Ikev2SaSessionInsert (&Private->Ikev2SessionList, IkeSaSession, &IkePacket->RemotePeerIp);\r
- }\r
-\r
- //\r
- // Register the IkeSaSession and remove it from processing list.\r
- //\r
- if (IkeSaCommon->State == IkeStateIkeSaEstablished) {\r
-\r
- //\r
- // Remove the Established IKE SA Session from the IKE SA Session Negotiating list\r
- // and insert it into IKE SA Session Established list.\r
- //\r
- Ikev2SaSessionRemove (&Private->Ikev2SessionList, &IkePacket->RemotePeerIp);\r
- Ikev2SaSessionReg (IkeSaSession, Private);\r
-\r
- //\r
- // Remove the Established Child SA Session from the IkeSaSession->ChildSaSessionList\r
- // ,insert it into IkeSaSession->ChildSaEstablishSessionList and save this Child SA\r
- // into SAD.\r
- //\r
- ChildSaSession = IKEV2_CHILD_SA_SESSION_BY_IKE_SA (IkeSaSession->ChildSaSessionList.BackLink);\r
- Ikev2ChildSaSessionRemove (\r
- &IkeSaSession->ChildSaSessionList,\r
- ChildSaSession->LocalPeerSpi,\r
- IKEV2_ESTABLISHING_CHILDSA_LIST\r
- );\r
- Ikev2ChildSaSessionReg (ChildSaSession, Private);\r
- }\r
-\r
- return ;\r
-\r
-ON_ERROR:\r
- if (ChildSaSession != NULL) {\r
- //\r
- // Remove the ChildSa from the list (Established list or Negotiating list).\r
- //\r
- RemoveEntryList (&ChildSaSession->ByIkeSa);\r
- Ikev2ChildSaSessionFree (ChildSaSession);\r
- }\r
-\r
- if (IsNewSession && IkeSaSession != NULL) {\r
- //\r
- // Remove the IkeSa from the list (Established list or Negotiating list).\r
- //\r
- if ((&IkeSaSession->BySessionTable)->ForwardLink != NULL &&\r
- !IsListEmpty (&IkeSaSession->BySessionTable\r
- )){\r
- RemoveEntryList (&IkeSaSession->BySessionTable);\r
- }\r
- Ikev2SaSessionFree (IkeSaSession);\r
- }\r
-\r
- return ;\r
-}\r
-\r
-/**\r
-\r
- The general interface when received a IKEv2 packet for the IKE Child SA establishing\r
- or IKE SA/CHILD SA rekeying.\r
-\r
- This function first find the related IKE SA Session according to the IKE packet's\r
- remote IP. Then call the corresponding function to handle this IKE packet according\r
- to the related IKE Child Session's State.\r
-\r
- @param[in] UdpService Pointer of related UDP Service.\r
- @param[in] IkePacket Data passed by caller.\r
-\r
-**/\r
-VOID\r
-Ikev2HandleChildSa (\r
- IN IKE_UDP_SERVICE *UdpService,\r
- IN IKE_PACKET *IkePacket\r
- )\r
-{\r
- EFI_STATUS Status;\r
- IKEV2_SA_SESSION *IkeSaSession;\r
- IKEV2_CREATE_CHILD_REQUEST_TYPE RequestType;\r
- IKE_PACKET *Reply;\r
- IPSEC_PRIVATE_DATA *Private;\r
-\r
- Private = (UdpService->IpVersion == IP_VERSION_4) ?\r
- IPSEC_PRIVATE_DATA_FROM_UDP4LIST(UdpService->ListHead) :\r
- IPSEC_PRIVATE_DATA_FROM_UDP6LIST(UdpService->ListHead);\r
-\r
- Reply = NULL;\r
-\r
- //\r
- // Lookup the remote ip address in the processing IKE SA session list.\r
- //\r
- IkeSaSession = Ikev2SaSessionLookup (&Private->Ikev2EstablishedList, &IkePacket->RemotePeerIp);\r
-\r
- if (IkeSaSession == NULL) {\r
- //\r
- // Drop the packet if no IKE SA associated.\r
- //\r
- return ;\r
- }\r
-\r
- //\r
- // Validate the IKE packet header.\r
- //\r
- if (!Ikev2ValidateHeader (IkeSaSession, IkePacket->Header)) {\r
- //\r
- // Drop the packet if invalid IKE header.\r
- //\r
- return;\r
- }\r
-\r
- //\r
- // Decode all the payloads in the IKE packet.\r
- //\r
- Status = Ikev2DecodePacket (&IkeSaSession->SessionCommon, IkePacket, IkeSessionTypeIkeSa);\r
- if (EFI_ERROR (Status)) {\r
- return;\r
- }\r
-\r
- //\r
- // Get the request type: CreateChildSa/RekeyChildSa/RekeyIkeSa.\r
- //\r
- RequestType = Ikev2ChildExchangeRequestType (IkePacket);\r
-\r
- switch (RequestType) {\r
- case IkeRequestTypeCreateChildSa:\r
- case IkeRequestTypeRekeyChildSa:\r
- case IkeRequestTypeRekeyIkeSa:\r
- //\r
- // Parse the IKE request packet. Not support CREATE_CHILD_SA exchange yet, so\r
- // only EFI_UNSUPPORTED will be returned and that will trigger a reply with a\r
- // Notify payload of type NO_ADDITIONAL_SAS.\r
- //\r
- Status = mIkev2CreateChild.Parser ((UINT8 *) IkeSaSession, IkePacket);\r
- if (EFI_ERROR (Status)) {\r
- goto ON_REPLY;\r
- }\r
-\r
- default:\r
- //\r
- // No support.\r
- //\r
- return ;\r
- }\r
-\r
-ON_REPLY:\r
- //\r
- // Generate the reply packet if needed and send it out.\r
- //\r
- if (!(IkePacket->Header->Flags & IKE_HEADER_FLAGS_RESPOND)) {\r
- Reply = mIkev2CreateChild.Generator ((UINT8 *) IkeSaSession, &IkePacket->Header->MessageId);\r
- if (Reply != NULL) {\r
- Status = Ikev2SendIkePacket (UdpService, (UINT8 *) &(IkeSaSession->SessionCommon), Reply, 0);\r
- if (EFI_ERROR (Status)) {\r
- //\r
- // Delete Reply payload.\r
- //\r
- if (Reply != NULL) {\r
- IkePacketFree (Reply);\r
- }\r
- }\r
- }\r
- }\r
- return ;\r
-}\r
-\r
-/**\r
-\r
- It is general interface to handle IKEv2 information Exchange.\r
-\r
- @param[in] UdpService Point to IKE UPD Service related to this information exchange.\r
- @param[in] IkePacket The IKE packet to be parsed.\r
-\r
-**/\r
-VOID\r
-Ikev2HandleInfo (\r
- IN IKE_UDP_SERVICE *UdpService,\r
- IN IKE_PACKET *IkePacket\r
- )\r
-{\r
- EFI_STATUS Status;\r
- IKEV2_SESSION_COMMON *SessionCommon;\r
- IKEV2_SA_SESSION *IkeSaSession;\r
- IPSEC_PRIVATE_DATA *Private;\r
-\r
- Private = (UdpService->IpVersion == IP_VERSION_4) ?\r
- IPSEC_PRIVATE_DATA_FROM_UDP4LIST(UdpService->ListHead) :\r
- IPSEC_PRIVATE_DATA_FROM_UDP6LIST(UdpService->ListHead);\r
-\r
- //\r
- // Lookup the remote ip address in the processing IKE SA session list.\r
- //\r
- IkeSaSession = Ikev2SaSessionLookup (&Private->Ikev2EstablishedList, &IkePacket->RemotePeerIp);\r
-\r
- if (IkeSaSession == NULL) {\r
- //\r
- // Drop the packet if no IKE SA associated.\r
- //\r
- return ;\r
- }\r
- //\r
- // Validate the IKE packet header.\r
- //\r
- if (!Ikev2ValidateHeader (IkeSaSession, IkePacket->Header)) {\r
-\r
- //\r
- // Drop the packet if invalid IKE header.\r
- //\r
- return;\r
- }\r
-\r
- SessionCommon = &IkeSaSession->SessionCommon;\r
-\r
- //\r
- // Decode all the payloads in the IKE packet.\r
- //\r
- Status = Ikev2DecodePacket (SessionCommon, IkePacket, IkeSessionTypeIkeSa);\r
- if (EFI_ERROR (Status)) {\r
- return;\r
- }\r
-\r
- Status = mIkev2Info.Parser ((UINT8 *)IkeSaSession, IkePacket);\r
-\r
- if (EFI_ERROR (Status)) {\r
- //\r
- // Drop the packet if fail to parse.\r
- //\r
- return;\r
- }\r
-}\r
-\r
-IKE_EXCHANGE_INTERFACE mIkev1Exchange = {\r
- 1,\r
- NULL, //Ikev1NegotiateSa\r
- NULL, //Ikev1NegotiateChildSa\r
- NULL,\r
- NULL, //Ikev1HandleSa,\r
- NULL, //Ikev1HandleChildSa\r
- NULL, //Ikev1HandleInfo\r
-};\r
-\r
-IKE_EXCHANGE_INTERFACE mIkev2Exchange = {\r
- 2,\r
- Ikev2NegotiateSa,\r
- Ikev2NegotiateChildSa,\r
- Ikev2NegotiateInfo,\r
- Ikev2HandleSa,\r
- Ikev2HandleChildSa,\r
- Ikev2HandleInfo\r
-};\r
-\r
+++ /dev/null
-/** @file\r
- IKEv2 related definitions.\r
-\r
- Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>\r
-\r
- SPDX-License-Identifier: BSD-2-Clause-Patent\r
-\r
-**/\r
-#ifndef _IKE_V2_H_\r
-#define _IKE_V2_H_\r
-\r
-#include "Ike.h"\r
-#include "Payload.h"\r
-\r
-#define IKEV2_TS_ANY_PORT 0xffff\r
-#define IKEV2_TS_ANY_PROTOCOL 0\r
-\r
-#define IKEV2_DELET_CHILDSA_LIST 0\r
-#define IKEV2_ESTABLISHING_CHILDSA_LIST 1\r
-#define IKEV2_ESTABLISHED_CHILDSA_LIST 2\r
-\r
-#define IKEV2_SA_SESSION_SIGNATURE SIGNATURE_32 ('I', 'K', 'E', 'I')\r
-#define IKEV2_SA_SESSION_FROM_COMMON(a) CR (a, IKEV2_SA_SESSION, SessionCommon, IKEV2_SA_SESSION_SIGNATURE)\r
-#define IKEV2_SA_SESSION_BY_SESSION(a) CR (a, IKEV2_SA_SESSION, BySessionTable, IKEV2_SA_SESSION_SIGNATURE)\r
-#define IKEV2_SA_SESSION_BY_ESTABLISHED(a) CR (a, IKEV2_SA_SESSION, ByEstablishedTable, IKEV2_SA_SESSION_SIGNATURE)\r
-\r
-#define IKEV2_CHILD_SA_SESSION_SIGNATURE SIGNATURE_32 ('I', 'K', 'E', 'C')\r
-#define IKEV2_CHILD_SA_SESSION_FROM_COMMON(a) CR (a, IKEV2_CHILD_SA_SESSION, SessionCommon, IKEV2_CHILD_SA_SESSION_SIGNATURE)\r
-#define IKEV2_CHILD_SA_SESSION_BY_IKE_SA(a) CR (a, IKEV2_CHILD_SA_SESSION, ByIkeSa, IKEV2_CHILD_SA_SESSION_SIGNATURE)\r
-#define IKEV2_CHILD_SA_SESSION_BY_DEL_SA(a) CR (a, IKEV2_CHILD_SA_SESSION, ByDelete, IKEV2_CHILD_SA_SESSION_SIGNATURE)\r
-\r
-#define IS_IKEV2_SA_SESSION(s) ((s)->Common.IkeSessionType == IkeSessionTypeIkeSa)\r
-#define IKEV2_SA_FIRST_PROPOSAL(Sa) (IKEV2_PROPOSAL *)((IKEV2_SA *)(Sa)+1)\r
-#define IKEV2_NEXT_TRANSFORM_WITH_SIZE(Transform,TransformSize) \\r
- (IKEV2_TRANSFORM *) ((UINT8 *)(Transform) + (TransformSize))\r
-\r
-#define IKEV2_NEXT_PROPOSAL_WITH_SIZE(Proposal, ProposalSize) \\r
- (IKEV2_PROPOSAL *) ((UINT8 *)(Proposal) + (ProposalSize))\r
-\r
-#define IKEV2_PROPOSAL_FIRST_TRANSFORM(Proposal) \\r
- (IKEV2_TRANSFORM *)((UINT8 *)((IKEV2_PROPOSAL *)(Proposal)+1) + \\r
- (((IKEV2_PROPOSAL *)(Proposal))->SpiSize))\r
-#define IKEV2_PROPOSAL_FIRST_TRANSFORM(Proposal) \\r
- (IKEV2_TRANSFORM *)((UINT8 *)((IKEV2_PROPOSAL *)(Proposal)+1) + \\r
- (((IKEV2_PROPOSAL *)(Proposal))->SpiSize))\r
-\r
-typedef enum {\r
- IkeStateInit,\r
- IkeStateAuth,\r
- IkeStateIkeSaEstablished,\r
- IkeStateCreateChild,\r
- IkeStateSaRekeying,\r
- IkeStateChildSaEstablished,\r
- IkeStateSaDeleting,\r
- IkeStateMaximum\r
-} IKEV2_SESSION_STATE;\r
-\r
-typedef enum {\r
- IkeRequestTypeCreateChildSa,\r
- IkeRequestTypeRekeyChildSa,\r
- IkeRequestTypeRekeyIkeSa,\r
- IkeRequestTypeMaximum\r
-} IKEV2_CREATE_CHILD_REQUEST_TYPE;\r
-\r
-typedef struct {\r
- UINT8 *GxBuffer;\r
- UINTN GxSize;\r
- UINT8 *GyBuffer;\r
- UINTN GySize;\r
- UINT8 *GxyBuffer;\r
- UINTN GxySize;\r
- UINT8 *DhContext;\r
-} IKEV2_DH_BUFFER;\r
-\r
-typedef struct {\r
- IKEV2_DH_BUFFER *DhBuffer;\r
- UINT8 *SkdKey;\r
- UINTN SkdKeySize;\r
- UINT8 *SkAiKey;\r
- UINTN SkAiKeySize;\r
- UINT8 *SkArKey;\r
- UINTN SkArKeySize;\r
- UINT8 *SkEiKey;\r
- UINTN SkEiKeySize;\r
- UINT8 *SkErKey;\r
- UINTN SkErKeySize;\r
- UINT8 *SkPiKey;\r
- UINTN SkPiKeySize;\r
- UINT8 *SkPrKey;\r
- UINTN SkPrKeySize;\r
-} IKEV2_SESSION_KEYS;\r
-\r
-typedef struct {\r
- UINT16 LifeType;\r
- UINT64 LifeDuration;\r
- UINT16 EncAlgId;\r
- UINTN EnckeyLen;\r
- UINT16 Prf;\r
- UINT16 IntegAlgId;\r
- UINTN IntegKeyLen;\r
- UINT16 DhGroup;\r
- UINT8 ExtSeq;\r
-} IKEV2_SA_PARAMS;\r
-\r
-//\r
-// Internal Payload\r
-//\r
-typedef struct {\r
- IKEV2_SA SaHeader;\r
- UINTN NumProposals;\r
- //\r
- // IKE_PROPOSAL_DATA Proposals[1];\r
- //\r
-} IKEV2_SA_DATA;\r
-\r
-typedef struct {\r
- UINT8 ProposalIndex;\r
- UINT8 ProtocolId;\r
- UINT8 *Spi;\r
- UINT8 NumTransforms;\r
- //\r
- // IKE_TRANSFORM_DATA Transforms[1];\r
- //\r
-} IKEV2_PROPOSAL_DATA;\r
-\r
-typedef struct {\r
- UINT8 TransformIndex;\r
- UINT8 TransformType;\r
- UINT16 TransformId;\r
- IKE_SA_ATTRIBUTE Attribute;\r
-} IKEV2_TRANSFORM_DATA;\r
-\r
-typedef struct {\r
- UINT8 IkeVer;\r
- IKE_SESSION_TYPE IkeSessionType;\r
- BOOLEAN IsInitiator;\r
- BOOLEAN IsOnDeleting; // Flag to indicate whether the SA is on deleting.\r
- IKEV2_SESSION_STATE State;\r
- EFI_EVENT TimeoutEvent;\r
- UINT64 TimeoutInterval;\r
- UINTN RetryCount;\r
- IKE_PACKET *LastSentPacket;\r
- IKEV2_SA_PARAMS *SaParams;\r
- UINT16 PreferDhGroup;\r
- EFI_IP_ADDRESS RemotePeerIp;\r
- EFI_IP_ADDRESS LocalPeerIp;\r
- IKE_ON_PAYLOAD_FROM_NET BeforeDecodePayload;\r
- IKE_ON_PAYLOAD_FROM_NET AfterEncodePayload;\r
- IKE_UDP_SERVICE *UdpService;\r
- IPSEC_PRIVATE_DATA *Private;\r
-} IKEV2_SESSION_COMMON;\r
-\r
-typedef struct {\r
- UINT32 Signature;\r
- IKEV2_SESSION_COMMON SessionCommon;\r
- UINT64 InitiatorCookie;\r
- UINT64 ResponderCookie;\r
- //\r
- // Initiator: SA proposals to be sent\r
- // Responder: SA proposals to be matched\r
- //\r
- IKEV2_SA_DATA *SaData; // SA Private struct used for SA payload generation\r
- IKEV2_SESSION_KEYS *IkeKeys;\r
- UINT8 *NiBlock;\r
- UINTN NiBlkSize;\r
- UINT8 *NrBlock;\r
- UINTN NrBlkSize;\r
- UINT8 *NCookie; // Buffer Contains the Notify Cookie\r
- UINTN NCookieSize; // Size of NCookie\r
- IPSEC_PAD_ENTRY *Pad;\r
- IPSEC_SPD_ENTRY *Spd; // SPD that requested the negotiation, TODO: better use SPD selector\r
- LIST_ENTRY ChildSaSessionList;\r
- LIST_ENTRY ChildSaEstablishSessionList; // For Establish Child SA.\r
- LIST_ENTRY InfoMIDList; // For Information MID\r
- LIST_ENTRY DeleteSaList; // For deteling Child SA.\r
- UINT8 *InitPacket;\r
- UINTN InitPacketSize;\r
- UINT8 *RespPacket;\r
- UINTN RespPacketSize;\r
- UINT32 MessageId;\r
- LIST_ENTRY BySessionTable; // Use for all IkeSaSession Links\r
-} IKEV2_SA_SESSION;\r
-\r
-typedef struct {\r
- UINT32 Signature;\r
- IKEV2_SESSION_COMMON SessionCommon;\r
- IKEV2_SA_SESSION *IkeSaSession;\r
- UINT32 MessageId;\r
- IKEV2_SA_DATA *SaData;\r
- UINT8 IpsecProtocol;\r
- UINT32 LocalPeerSpi;\r
- UINT32 RemotePeerSpi;\r
- UINT8 *NiBlock;\r
- UINTN NiBlkSize;\r
- UINT8 *NrBlock;\r
- UINTN NrBlkSize;\r
- SA_KEYMATS ChildKeymats;\r
- IKEV2_DH_BUFFER *DhBuffer; //New DH exchnaged by CREATE_CHILD_SA\r
- IPSEC_SPD_ENTRY *Spd;\r
- EFI_IPSEC_SPD_SELECTOR *SpdSelector;\r
- UINT16 ProtoId;\r
- UINT16 RemotePort;\r
- UINT16 LocalPort;\r
- LIST_ENTRY ByIkeSa;\r
- LIST_ENTRY ByDelete;\r
-} IKEV2_CHILD_SA_SESSION;\r
-\r
-typedef enum {\r
- Ikev2InfoNotify,\r
- Ikev2InfoDelete,\r
- Ikev2InfoLiveCheck\r
-} IKEV2_INFO_TYPE;\r
-\r
-//\r
-// This struct is used to pass the detail infromation to the InfoGenerator() for\r
-// the response Information Exchange Message creatation.\r
-//\r
-typedef struct {\r
- UINT32 MessageId;\r
- IKEV2_INFO_TYPE InfoType;\r
-} IKEV2_INFO_EXCHANGE_CONTEXT;\r
-\r
-typedef struct {\r
- UINTN DataSize;\r
- UINT8 *Data;\r
-} PRF_DATA_FRAGMENT;\r
-\r
-typedef\r
-IKE_PACKET *\r
-(*IKEV2_PACKET_GENERATOR) (\r
- IN UINT8 *SaSession,\r
- IN VOID *Context\r
-);\r
-\r
-typedef\r
-EFI_STATUS\r
-(*IKEV2_PACKET_PARSER) (\r
- IN UINT8 *SaSession,\r
- IN IKE_PACKET *IkePacket\r
-);\r
-\r
-typedef struct {\r
- IKEV2_PACKET_PARSER Parser;\r
- IKEV2_PACKET_GENERATOR Generator;\r
-} IKEV2_PACKET_HANDLER;\r
-\r
-extern IKEV2_PACKET_HANDLER mIkev2Initial[][2];\r
-extern IKEV2_PACKET_HANDLER mIkev2CreateChild;\r
-extern IKEV2_PACKET_HANDLER mIkev2Info;\r
-\r
-#endif\r
-\r
+++ /dev/null
-/** @file\r
- The Implementations for Information Exchange.\r
-\r
- (C) Copyright 2015 Hewlett-Packard Development Company, L.P.<BR>\r
- Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>\r
-\r
- SPDX-License-Identifier: BSD-2-Clause-Patent\r
-\r
-**/\r
-\r
-#include "Utility.h"\r
-#include "IpSecDebug.h"\r
-#include "IpSecConfigImpl.h"\r
-\r
-/**\r
- Generate Information Packet.\r
-\r
- The information Packet may contain one Delete Payload, or Notify Payload, which\r
- dependes on the Context's parameters.\r
-\r
- @param[in] SaSession Pointer to IKE SA Session or Child SA Session which is\r
- related to the information Exchange.\r
- @param[in] Context The Data passed from the caller. If the Context is not NULL\r
- it should contain the information for Notification Data.\r
-\r
- @retval Pointer of IKE_PACKET generated.\r
-\r
-**/\r
-IKE_PACKET *\r
-Ikev2InfoGenerator (\r
- IN UINT8 *SaSession,\r
- IN VOID *Context\r
- )\r
-{\r
- IKEV2_SA_SESSION *IkeSaSession;\r
- IKEV2_CHILD_SA_SESSION *ChildSaSession;\r
- IKE_PACKET *IkePacket;\r
- IKE_PAYLOAD *IkePayload;\r
- IKEV2_INFO_EXCHANGE_CONTEXT *InfoContext;\r
-\r
- InfoContext = NULL;\r
- IkeSaSession = (IKEV2_SA_SESSION *) SaSession;\r
- IkePacket = IkePacketAlloc ();\r
- if (IkePacket == NULL) {\r
- return NULL;\r
- }\r
-\r
- //\r
- // Fill IkePacket Header.\r
- //\r
- IkePacket->Header->ExchangeType = IKEV2_EXCHANGE_TYPE_INFO;\r
- IkePacket->Header->Version = (UINT8) (2 << 4);\r
-\r
- if (Context != NULL) {\r
- InfoContext = (IKEV2_INFO_EXCHANGE_CONTEXT *) Context;\r
- }\r
-\r
- //\r
- // For Liveness Check\r
- //\r
- if (InfoContext != NULL &&\r
- (InfoContext->InfoType == Ikev2InfoLiveCheck || InfoContext->InfoType == Ikev2InfoNotify)\r
- ) {\r
- IkePacket->Header->MessageId = InfoContext->MessageId;\r
- IkePacket->Header->InitiatorCookie = IkeSaSession->InitiatorCookie;\r
- IkePacket->Header->ResponderCookie = IkeSaSession->ResponderCookie;\r
- IkePacket->Header->NextPayload = IKEV2_PAYLOAD_TYPE_NONE;\r
- IkePacket->Header->Flags = IKE_HEADER_FLAGS_RESPOND;\r
- //\r
- // TODO: add Notify Payload for Notification Information.\r
- //\r
- return IkePacket;\r
- }\r
-\r
- //\r
- // For delete SAs\r
- //\r
- if (IkeSaSession->SessionCommon.IkeSessionType == IkeSessionTypeIkeSa) {\r
-\r
- IkePacket->Header->InitiatorCookie = IkeSaSession->InitiatorCookie;\r
- IkePacket->Header->ResponderCookie = IkeSaSession->ResponderCookie;\r
-\r
- //\r
- // If the information message is response message,the MessageId should\r
- // be same as the request MessageId which passed through the Context.\r
- //\r
- if (InfoContext != NULL) {\r
- IkePacket->Header->MessageId = InfoContext->MessageId;\r
- } else {\r
- IkePacket->Header->MessageId = IkeSaSession->MessageId;\r
- Ikev2SaSessionIncreaseMessageId (IkeSaSession);\r
- }\r
- //\r
- // If the state is on deleting generate a Delete Payload for it.\r
- //\r
- if (IkeSaSession->SessionCommon.State == IkeStateSaDeleting ) {\r
- IkePayload = Ikev2GenerateDeletePayload (\r
- IkeSaSession,\r
- IKEV2_PAYLOAD_TYPE_NONE,\r
- 0,\r
- 0,\r
- NULL\r
- );\r
- if (IkePayload == NULL) {\r
- goto ERROR_EXIT;\r
- }\r
- //\r
- // Fill the next payload in IkePacket's Header.\r
- //\r
- IkePacket->Header->NextPayload = IKEV2_PAYLOAD_TYPE_DELETE;\r
- IKE_PACKET_APPEND_PAYLOAD (IkePacket, IkePayload);\r
- IkePacket->Private = IkeSaSession->SessionCommon.Private;\r
- IkePacket->Spi = 0;\r
- IkePacket->IsDeleteInfo = TRUE;\r
-\r
- } else if (Context != NULL) {\r
- //\r
- // TODO: If contest is not NULL Generate a Notify Payload.\r
- //\r
- } else {\r
- //\r
- // The input parameter is not correct.\r
- //\r
- goto ERROR_EXIT;\r
- }\r
-\r
- if (IkeSaSession->SessionCommon.IsInitiator) {\r
- IkePacket->Header->Flags = IKE_HEADER_FLAGS_INIT ;\r
- }\r
- } else {\r
- //\r
- // Delete the Child SA Information Exchagne\r
- //\r
- ChildSaSession = (IKEV2_CHILD_SA_SESSION *) SaSession;\r
- IkeSaSession = ChildSaSession->IkeSaSession;\r
- IkePacket->Header->InitiatorCookie = ChildSaSession->IkeSaSession->InitiatorCookie;\r
- IkePacket->Header->ResponderCookie = ChildSaSession->IkeSaSession->ResponderCookie;\r
-\r
- //\r
- // If the information message is response message,the MessageId should\r
- // be same as the request MessageId which passed through the Context.\r
- //\r
- if (InfoContext != NULL && InfoContext->MessageId != 0) {\r
- IkePacket->Header->MessageId = InfoContext->MessageId;\r
- } else {\r
- IkePacket->Header->MessageId = ChildSaSession->IkeSaSession->MessageId;\r
- Ikev2SaSessionIncreaseMessageId (IkeSaSession);\r
- }\r
-\r
- IkePayload = Ikev2GenerateDeletePayload (\r
- ChildSaSession->IkeSaSession,\r
- IKEV2_PAYLOAD_TYPE_DELETE,\r
- 4,\r
- 1,\r
- (UINT8 *)&ChildSaSession->LocalPeerSpi\r
- );\r
- if (IkePayload == NULL) {\r
- goto ERROR_EXIT;\r
- }\r
- //\r
- // Fill the Next Payload in IkePacket's Header.\r
- //\r
- IkePacket->Header->NextPayload = IKEV2_PAYLOAD_TYPE_DELETE;\r
- IKE_PACKET_APPEND_PAYLOAD (IkePacket, IkePayload);\r
-\r
- IkePacket->Private = IkeSaSession->SessionCommon.Private;\r
- IkePacket->Spi = ChildSaSession->LocalPeerSpi;\r
- IkePacket->IsDeleteInfo = TRUE;\r
-\r
- if (!ChildSaSession->SessionCommon.IsInitiator) {\r
- //\r
- // If responder, use the MessageId fromt the initiator.\r
- //\r
- IkePacket->Header->MessageId = ChildSaSession->MessageId;\r
- }\r
-\r
- //\r
- // Change the IsOnDeleting Flag\r
- //\r
- ChildSaSession->SessionCommon.IsOnDeleting = TRUE;\r
-\r
- if (ChildSaSession->SessionCommon.IsInitiator) {\r
- IkePacket->Header->Flags = IKE_HEADER_FLAGS_INIT ;\r
- }\r
- }\r
-\r
- if (InfoContext != NULL) {\r
- IkePacket->Header->Flags |= IKE_HEADER_FLAGS_RESPOND;\r
- }\r
-\r
- return IkePacket;\r
-\r
-ERROR_EXIT:\r
- if (IkePacket != NULL) {\r
- FreePool (IkePacket);\r
- }\r
- return NULL;\r
-\r
-}\r
-\r
-/**\r
- Parse the Info Exchange.\r
-\r
- @param[in] SaSession Pointer to IKEV2_SA_SESSION.\r
- @param[in] IkePacket Pointer to IkePacket related to the Information Exchange.\r
-\r
- @retval EFI_SUCCESS The operation finised successed.\r
-\r
-**/\r
-EFI_STATUS\r
-Ikev2InfoParser (\r
- IN UINT8 *SaSession,\r
- IN IKE_PACKET *IkePacket\r
- )\r
-{\r
- IKEV2_CHILD_SA_SESSION *ChildSaSession;\r
- IKEV2_SA_SESSION *IkeSaSession;\r
- IKE_PAYLOAD *DeletePayload;\r
- IKE_PAYLOAD *IkePayload;\r
- IKEV2_DELETE *Delete;\r
- LIST_ENTRY *Entry;\r
- LIST_ENTRY *ListEntry;\r
- UINT8 Index;\r
- UINT32 Spi;\r
- UINT8 *SpiBuffer;\r
- IPSEC_PRIVATE_DATA *Private;\r
- UINT8 Value;\r
- EFI_STATUS Status;\r
- IKE_PACKET *RespondPacket;\r
-\r
- IKEV2_INFO_EXCHANGE_CONTEXT Context;\r
-\r
- IkeSaSession = (IKEV2_SA_SESSION *) SaSession;\r
-\r
- DeletePayload = NULL;\r
- Private = NULL;\r
- RespondPacket = NULL;\r
- Status = EFI_SUCCESS;\r
-\r
- //\r
- // For Liveness Check\r
- //\r
- if (IkePacket->Header->NextPayload == IKEV2_PAYLOAD_TYPE_NONE &&\r
- (IkePacket->PayloadTotalSize == 0)\r
- ) {\r
- if (IkePacket->Header->Flags == IKE_HEADER_FLAGS_INIT) {\r
- //\r
- // If it is Liveness check request, reply it.\r
- //\r
- Context.InfoType = Ikev2InfoLiveCheck;\r
- Context.MessageId = IkePacket->Header->MessageId;\r
- RespondPacket = Ikev2InfoGenerator ((UINT8 *)IkeSaSession, &Context);\r
-\r
- if (RespondPacket == NULL) {\r
- Status = EFI_INVALID_PARAMETER;\r
- return Status;\r
- }\r
- Status = Ikev2SendIkePacket (\r
- IkeSaSession->SessionCommon.UdpService,\r
- (UINT8 *)(&IkeSaSession->SessionCommon),\r
- RespondPacket,\r
- 0\r
- );\r
-\r
- } else {\r
- //\r
- // Todo: verify the liveness check response packet.\r
- //\r
- }\r
- return Status;\r
- }\r
-\r
- //\r
- // For SA Delete\r
- //\r
- NET_LIST_FOR_EACH (Entry, &(IkePacket)->PayloadList) {\r
-\r
- //\r
- // Iterate payloads to find the Delete/Notify Payload.\r
- //\r
- IkePayload = IKE_PAYLOAD_BY_PACKET (Entry);\r
-\r
- if (IkePayload->PayloadType == IKEV2_PAYLOAD_TYPE_DELETE) {\r
- DeletePayload = IkePayload;\r
- Delete = (IKEV2_DELETE *)DeletePayload->PayloadBuf;\r
-\r
- if (Delete->SpiSize == 0) {\r
- //\r
- // Delete IKE SA.\r
- //\r
- if (IkeSaSession->SessionCommon.State == IkeStateSaDeleting) {\r
- RemoveEntryList (&IkeSaSession->BySessionTable);\r
- Ikev2SaSessionFree (IkeSaSession);\r
- //\r
- // Checking the Private status.\r
- //\r
- //\r
- // when all IKE SAs were disabled by calling "IPsecConfig -disable", the IPsec\r
- // status should be changed.\r
- //\r
- Private = IkeSaSession->SessionCommon.Private;\r
- if (Private != NULL && Private->IsIPsecDisabling) {\r
- //\r
- // After all IKE SAs were deleted, set the IPSEC_STATUS_DISABLED value in\r
- // IPsec status variable.\r
- //\r
- if (IsListEmpty (&Private->Ikev1EstablishedList) &&\r
- (IsListEmpty (&Private->Ikev2EstablishedList))\r
- ) {\r
- Value = IPSEC_STATUS_DISABLED;\r
- Status = gRT->SetVariable (\r
- IPSECCONFIG_STATUS_NAME,\r
- &gEfiIpSecConfigProtocolGuid,\r
- EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_NON_VOLATILE,\r
- sizeof (Value),\r
- &Value\r
- );\r
- if (!EFI_ERROR (Status)) {\r
- //\r
- // Set the DisabledFlag in Private data.\r
- //\r
- Private->IpSec.DisabledFlag = TRUE;\r
- Private->IsIPsecDisabling = FALSE;\r
- }\r
- }\r
- }\r
- } else {\r
- IkeSaSession->SessionCommon.State = IkeStateSaDeleting;\r
- Context.InfoType = Ikev2InfoDelete;\r
- Context.MessageId = IkePacket->Header->MessageId;\r
-\r
- RespondPacket = Ikev2InfoGenerator ((UINT8 *)IkeSaSession, &Context);\r
- if (RespondPacket == NULL) {\r
- Status = EFI_INVALID_PARAMETER;\r
- return Status;\r
- }\r
- Status = Ikev2SendIkePacket (\r
- IkeSaSession->SessionCommon.UdpService,\r
- (UINT8 *)(&IkeSaSession->SessionCommon),\r
- RespondPacket,\r
- 0\r
- );\r
- }\r
- } else if (Delete->SpiSize == 4) {\r
- //\r
- // Move the Child SAs to DeleteList\r
- //\r
- SpiBuffer = (UINT8 *)(Delete + 1);\r
- for (Index = 0; Index < Delete->NumSpis; Index++) {\r
- Spi = ReadUnaligned32 ((UINT32 *)SpiBuffer);\r
- for (ListEntry = IkeSaSession->ChildSaEstablishSessionList.ForwardLink;\r
- ListEntry != &IkeSaSession->ChildSaEstablishSessionList;\r
- ) {\r
- ChildSaSession = IKEV2_CHILD_SA_SESSION_BY_IKE_SA (ListEntry);\r
- ListEntry = ListEntry->ForwardLink;\r
-\r
- if (ChildSaSession->RemotePeerSpi == HTONL(Spi)) {\r
- if (ChildSaSession->SessionCommon.State != IkeStateSaDeleting) {\r
-\r
- //\r
- // Insert the ChildSa Session into Delete List.\r
- //\r
- InsertTailList (&IkeSaSession->DeleteSaList, &ChildSaSession->ByDelete);\r
- ChildSaSession->SessionCommon.State = IkeStateSaDeleting;\r
- ChildSaSession->SessionCommon.IsInitiator = FALSE;\r
- ChildSaSession->MessageId = IkePacket->Header->MessageId;\r
-\r
- Context.InfoType = Ikev2InfoDelete;\r
- Context.MessageId = IkePacket->Header->MessageId;\r
-\r
- RespondPacket = Ikev2InfoGenerator ((UINT8 *)ChildSaSession, &Context);\r
- if (RespondPacket == NULL) {\r
- Status = EFI_INVALID_PARAMETER;\r
- return Status;\r
- }\r
- Status = Ikev2SendIkePacket (\r
- ChildSaSession->SessionCommon.UdpService,\r
- (UINT8 *)(&ChildSaSession->SessionCommon),\r
- RespondPacket,\r
- 0\r
- );\r
- } else {\r
- //\r
- // Delete the Child SA.\r
- //\r
- Ikev2ChildSaSilentDelete (IkeSaSession, Spi);\r
- RemoveEntryList (&ChildSaSession->ByDelete);\r
- }\r
- }\r
- }\r
- SpiBuffer = SpiBuffer + sizeof (Spi);\r
- }\r
- }\r
- }\r
- }\r
-\r
- return Status;\r
-}\r
-\r
-GLOBAL_REMOVE_IF_UNREFERENCED IKEV2_PACKET_HANDLER mIkev2Info = {\r
- Ikev2InfoParser,\r
- Ikev2InfoGenerator\r
-};\r
+++ /dev/null
-/** @file\r
- The implementation of Payloads Creation.\r
-\r
- (C) Copyright 2015 Hewlett-Packard Development Company, L.P.<BR>\r
- Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>\r
-\r
- SPDX-License-Identifier: BSD-2-Clause-Patent\r
-\r
-**/\r
-\r
-#include "Utility.h"\r
-#include "IpSecDebug.h"\r
-#include "IpSecConfigImpl.h"\r
-#include "IpSecCryptIo.h"\r
-\r
-//\r
-// The Constant String of "Key Pad for IKEv2" for Authentication Payload generation.\r
-//\r
-#define CONSTANT_KEY_SIZE 17\r
-GLOBAL_REMOVE_IF_UNREFERENCED CHAR8 mConstantKey[CONSTANT_KEY_SIZE] =\r
-{\r
- 'K', 'e', 'y', ' ', 'P', 'a', 'd', ' ', 'f', 'o', 'r', ' ', 'I', 'K', 'E', 'v', '2'\r
-};\r
-\r
-/**\r
- Generate Ikev2 SA payload according to SessionSaData\r
-\r
- @param[in] SessionSaData The data used in SA payload.\r
- @param[in] NextPayload The payload type presented in NextPayload field of\r
- SA Payload header.\r
- @param[in] Type The SA type. It MUST be neither (1) for IKE_SA or\r
- (2) for CHILD_SA or (3) for INFO.\r
-\r
- @retval a Pointer to SA IKE payload.\r
-\r
-**/\r
-IKE_PAYLOAD *\r
-Ikev2GenerateSaPayload (\r
- IN IKEV2_SA_DATA *SessionSaData,\r
- IN UINT8 NextPayload,\r
- IN IKE_SESSION_TYPE Type\r
- )\r
-{\r
- IKE_PAYLOAD *SaPayload;\r
- IKEV2_SA_DATA *SaData;\r
- UINTN SaDataSize;\r
-\r
- SaPayload = IkePayloadAlloc ();\r
- if (SaPayload == NULL) {\r
- return NULL;\r
- }\r
-\r
- //\r
- // TODO: Get the Proposal Number and Transform Number from IPsec Config,\r
- // after the Ipsecconfig Application is support it.\r
- //\r
-\r
- if (Type == IkeSessionTypeIkeSa) {\r
- SaDataSize = sizeof (IKEV2_SA_DATA) +\r
- SessionSaData->NumProposals * sizeof (IKEV2_PROPOSAL_DATA) +\r
- sizeof (IKEV2_TRANSFORM_DATA) * SessionSaData->NumProposals * 4;\r
- } else {\r
- SaDataSize = sizeof (IKEV2_SA_DATA) +\r
- SessionSaData->NumProposals * sizeof (IKEV2_PROPOSAL_DATA) +\r
- sizeof (IKEV2_TRANSFORM_DATA) * SessionSaData->NumProposals * 3;\r
-\r
- }\r
-\r
- SaData = AllocateZeroPool (SaDataSize);\r
- if (SaData == NULL) {\r
- IkePayloadFree (SaPayload);\r
- return NULL;\r
- }\r
-\r
- CopyMem (SaData, SessionSaData, SaDataSize);\r
- SaData->SaHeader.Header.NextPayload = NextPayload;\r
- SaPayload->PayloadType = IKEV2_PAYLOAD_TYPE_SA;\r
- SaPayload->PayloadBuf = (UINT8 *) SaData;\r
-\r
- return SaPayload;\r
-}\r
-\r
-/**\r
- Generate a Nonce payload containing the input parameter NonceBuf.\r
-\r
- @param[in] NonceBuf The nonce buffer contains the whole Nonce payload block\r
- except the payload header.\r
- @param[in] NonceSize The buffer size of the NonceBuf\r
- @param[in] NextPayload The payload type presented in the NextPayload field\r
- of Nonce Payload header.\r
-\r
- @retval Pointer to Nonce IKE paload.\r
-\r
-**/\r
-IKE_PAYLOAD *\r
-Ikev2GenerateNoncePayload (\r
- IN UINT8 *NonceBuf,\r
- IN UINTN NonceSize,\r
- IN UINT8 NextPayload\r
- )\r
-{\r
- IKE_PAYLOAD *NoncePayload;\r
- IKEV2_NONCE *Nonce;\r
- UINTN Size;\r
- UINT8 *NonceBlock;\r
-\r
- // 1 2 3\r
- // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1\r
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r
- // ! Next Payload !C! RESERVED ! Payload Length !\r
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r
- // ! !\r
- // ~ Nonce Data ~\r
- // ! !\r
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r
- //\r
- Size = sizeof (IKEV2_NONCE) + NonceSize;\r
- NonceBlock = NonceBuf;\r
-\r
- Nonce = AllocateZeroPool (Size);\r
- if (Nonce == NULL) {\r
- return NULL;\r
- }\r
-\r
- CopyMem (Nonce + 1, NonceBlock, Size - sizeof (IKEV2_NONCE));\r
-\r
- Nonce->Header.NextPayload = NextPayload;\r
- Nonce->Header.PayloadLength = (UINT16) Size;\r
- NoncePayload = IkePayloadAlloc ();\r
- if (NoncePayload == NULL) {\r
- FreePool (Nonce);\r
- return NULL;\r
- }\r
-\r
- NoncePayload->PayloadType = IKEV2_PAYLOAD_TYPE_NONCE;\r
- NoncePayload->PayloadBuf = (UINT8 *) Nonce;\r
- NoncePayload->PayloadSize = Size;\r
-\r
- return NoncePayload;\r
-}\r
-\r
-/**\r
- Generate a Key Exchange payload according to the DH group type and save the\r
- public Key into IkeSaSession IkeKey field.\r
-\r
- @param[in, out] IkeSaSession Pointer of the IKE_SA_SESSION.\r
- @param[in] NextPayload The payload type presented in the NextPayload field of Key\r
- Exchange Payload header.\r
-\r
- @retval Pointer to Key IKE payload.\r
-\r
-**/\r
-IKE_PAYLOAD*\r
-Ikev2GenerateKePayload (\r
- IN OUT IKEV2_SA_SESSION *IkeSaSession,\r
- IN UINT8 NextPayload\r
- )\r
-{\r
- IKE_PAYLOAD *KePayload;\r
- IKEV2_KEY_EXCHANGE *Ke;\r
- UINTN KeSize;\r
- IKEV2_SESSION_KEYS *IkeKeys;\r
-\r
- //\r
- // 1 2 3\r
- // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1\r
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r
- // ! Next Payload !C! RESERVED ! Payload Length !\r
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r
- // ! DH Group # ! RESERVED !\r
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r
- // ! !\r
- // ~ Key Exchange Data ~\r
- // ! !\r
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r
- //\r
- IkeKeys = IkeSaSession->IkeKeys;\r
-\r
- if (IkeSaSession->SessionCommon.IsInitiator) {\r
- KeSize = sizeof (IKEV2_KEY_EXCHANGE) + IkeKeys->DhBuffer->GxSize;\r
- } else {\r
- KeSize = sizeof (IKEV2_KEY_EXCHANGE) + IkeKeys->DhBuffer->GxSize;\r
- }\r
-\r
- //\r
- // Allocate buffer for Key Exchange\r
- //\r
- Ke = AllocateZeroPool (KeSize);\r
- if (Ke == NULL) {\r
- return NULL;\r
- }\r
-\r
- Ke->Header.NextPayload = NextPayload;\r
- Ke->Header.PayloadLength = (UINT16) KeSize;\r
- Ke->DhGroup = IkeSaSession->SessionCommon.PreferDhGroup;\r
-\r
- CopyMem (Ke + 1, IkeKeys->DhBuffer->GxBuffer, IkeKeys->DhBuffer->GxSize);\r
-\r
- //\r
- // Create IKE_PAYLOAD to point to Key Exchange payload\r
- //\r
- KePayload = IkePayloadAlloc ();\r
- if (KePayload == NULL) {\r
- FreePool (Ke);\r
- return NULL;\r
- }\r
-\r
- KePayload->PayloadType = IKEV2_PAYLOAD_TYPE_KE;\r
- KePayload->PayloadBuf = (UINT8 *) Ke;\r
- KePayload->PayloadSize = KeSize;\r
- return KePayload;\r
-}\r
-\r
-/**\r
- Generate a ID payload.\r
-\r
- @param[in] CommonSession Pointer to IKEV2_SESSION_COMMON related to ID payload.\r
- @param[in] NextPayload The payload type presented in the NextPayload field\r
- of ID Payload header.\r
-\r
- @retval Pointer to ID IKE payload.\r
-\r
-**/\r
-IKE_PAYLOAD *\r
-Ikev2GenerateIdPayload (\r
- IN IKEV2_SESSION_COMMON *CommonSession,\r
- IN UINT8 NextPayload\r
- )\r
-{\r
- IKE_PAYLOAD *IdPayload;\r
- IKEV2_ID *Id;\r
- UINTN IdSize;\r
- UINT8 IpVersion;\r
- UINT8 AddrSize;\r
-\r
- //\r
- // ID payload\r
- // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1\r
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r
- // ! Next Payload ! RESERVED ! Payload Length !\r
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r
- // ! ID Type ! RESERVED !\r
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r
- // ! !\r
- // ~ Identification Data ~\r
- // ! !\r
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r
- //\r
-\r
- IpVersion = CommonSession->UdpService->IpVersion;\r
- AddrSize = (UINT8) ((IpVersion == IP_VERSION_4) ? sizeof(EFI_IPv4_ADDRESS) : sizeof(EFI_IPv6_ADDRESS));\r
- IdSize = sizeof (IKEV2_ID) + AddrSize;\r
-\r
- Id = (IKEV2_ID *) AllocateZeroPool (IdSize);\r
- if (Id == NULL) {\r
- return NULL;\r
- }\r
-\r
- IdPayload = IkePayloadAlloc ();\r
- if (IdPayload == NULL) {\r
- FreePool (Id);\r
- return NULL;\r
- }\r
-\r
- IdPayload->PayloadType = (UINT8) ((CommonSession->IsInitiator) ? IKEV2_PAYLOAD_TYPE_ID_INIT : IKEV2_PAYLOAD_TYPE_ID_RSP);\r
- IdPayload->PayloadBuf = (UINT8 *) Id;\r
- IdPayload->PayloadSize = IdSize;\r
-\r
- //\r
- // Set generic header of identification payload\r
- //\r
- Id->Header.NextPayload = NextPayload;\r
- Id->Header.PayloadLength = (UINT16) IdSize;\r
- Id->IdType = (UINT8) ((IpVersion == IP_VERSION_4) ? IKEV2_ID_TYPE_IPV4_ADDR : IKEV2_ID_TYPE_IPV6_ADDR);\r
- CopyMem (Id + 1, &CommonSession->LocalPeerIp, AddrSize);\r
-\r
- return IdPayload;\r
-}\r
-\r
-/**\r
- Generate a ID payload.\r
-\r
- @param[in] CommonSession Pointer to IKEV2_SESSION_COMMON related to ID payload.\r
- @param[in] NextPayload The payload type presented in the NextPayload field\r
- of ID Payload header.\r
- @param[in] InCert Pointer to the Certificate which distinguished name\r
- will be added into the Id payload.\r
- @param[in] CertSize Size of the Certificate.\r
-\r
- @retval Pointer to ID IKE payload.\r
-\r
-**/\r
-IKE_PAYLOAD *\r
-Ikev2GenerateCertIdPayload (\r
- IN IKEV2_SESSION_COMMON *CommonSession,\r
- IN UINT8 NextPayload,\r
- IN UINT8 *InCert,\r
- IN UINTN CertSize\r
- )\r
-{\r
- IKE_PAYLOAD *IdPayload;\r
- IKEV2_ID *Id;\r
- UINTN IdSize;\r
- UINTN SubjectSize;\r
- UINT8 *CertSubject;\r
-\r
- //\r
- // ID payload\r
- // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1\r
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r
- // ! Next Payload ! RESERVED ! Payload Length !\r
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r
- // ! ID Type ! RESERVED !\r
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r
- // ! !\r
- // ~ Identification Data ~\r
- // ! !\r
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r
- //\r
-\r
- SubjectSize = 0;\r
- CertSubject = NULL;\r
- IpSecCryptoIoGetSubjectFromCert (\r
- InCert,\r
- CertSize,\r
- &CertSubject,\r
- &SubjectSize\r
- );\r
- if (SubjectSize != 0) {\r
- ASSERT (CertSubject != NULL);\r
- }\r
-\r
- IdSize = sizeof (IKEV2_ID) + SubjectSize;\r
-\r
- Id = (IKEV2_ID *) AllocateZeroPool (IdSize);\r
- if (Id == NULL) {\r
- return NULL;\r
- }\r
-\r
- IdPayload = IkePayloadAlloc ();\r
- if (IdPayload == NULL) {\r
- FreePool (Id);\r
- return NULL;\r
- }\r
-\r
- IdPayload->PayloadType = (UINT8) ((CommonSession->IsInitiator) ? IKEV2_PAYLOAD_TYPE_ID_INIT : IKEV2_PAYLOAD_TYPE_ID_RSP);\r
- IdPayload->PayloadBuf = (UINT8 *) Id;\r
- IdPayload->PayloadSize = IdSize;\r
-\r
- //\r
- // Set generic header of identification payload\r
- //\r
- Id->Header.NextPayload = NextPayload;\r
- Id->Header.PayloadLength = (UINT16) IdSize;\r
- Id->IdType = 9;\r
- CopyMem (Id + 1, CertSubject, SubjectSize);\r
-\r
- if (CertSubject != NULL) {\r
- FreePool (CertSubject);\r
- }\r
- return IdPayload;\r
-}\r
-\r
-/**\r
- Generate a Authentication Payload.\r
-\r
- This function is used for both Authentication generation and verification. When the\r
- IsVerify is TRUE, it create a Auth Data for verification. This function choose the\r
- related IKE_SA_INIT Message for Auth data creation according to the IKE Session's type\r
- and the value of IsVerify parameter.\r
-\r
- @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION related to.\r
- @param[in] IdPayload Pointer to the ID payload to be used for Authentication\r
- payload generation.\r
- @param[in] NextPayload The type filled into the Authentication Payload next\r
- payload field.\r
- @param[in] IsVerify If it is TURE, the Authentication payload is used for\r
- verification.\r
-\r
- @return pointer to IKE Authentication payload for Pre-shared key method.\r
-\r
-**/\r
-IKE_PAYLOAD *\r
-Ikev2PskGenerateAuthPayload (\r
- IN IKEV2_SA_SESSION *IkeSaSession,\r
- IN IKE_PAYLOAD *IdPayload,\r
- IN UINT8 NextPayload,\r
- IN BOOLEAN IsVerify\r
- )\r
-{\r
- UINT8 *Digest;\r
- UINTN DigestSize;\r
- PRF_DATA_FRAGMENT Fragments[3];\r
- UINT8 *KeyBuf;\r
- UINTN KeySize;\r
- IKE_PAYLOAD *AuthPayload;\r
- IKEV2_AUTH *PayloadBuf;\r
- EFI_STATUS Status;\r
-\r
- //\r
- // Auth = Prf(Prf(Secret,"Key Pad for IKEv2),IKE_SA_INIi/r|Ni/r|Prf(SK_Pr, IDi/r))\r
- //\r
- // 1 2 3\r
- // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1\r
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r
- // ! Next Payload !C! RESERVED ! Payload Length !\r
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r
- // ! Auth Method ! RESERVED !\r
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r
- // ! !\r
- // ~ Authentication Data ~\r
- // ! !\r
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r
- //\r
-\r
- KeyBuf = NULL;\r
- AuthPayload = NULL;\r
- Digest = NULL;\r
-\r
- DigestSize = IpSecGetHmacDigestLength ((UINT8)IkeSaSession->SessionCommon.SaParams->Prf);\r
- Digest = AllocateZeroPool (DigestSize);\r
- if (Digest == NULL) {\r
- return NULL;\r
- }\r
-\r
- if (IdPayload == NULL) {\r
- return NULL;\r
- }\r
-\r
- //\r
- // Calcualte Prf(Seceret, "Key Pad for IKEv2");\r
- //\r
- Fragments[0].Data = (UINT8 *) mConstantKey;\r
- Fragments[0].DataSize = CONSTANT_KEY_SIZE;\r
-\r
- Status = IpSecCryptoIoHmac (\r
- (UINT8)IkeSaSession->SessionCommon.SaParams->Prf,\r
- IkeSaSession->Pad->Data->AuthData,\r
- IkeSaSession->Pad->Data->AuthDataSize,\r
- (HASH_DATA_FRAGMENT *)Fragments,\r
- 1,\r
- Digest,\r
- DigestSize\r
- );\r
- if (EFI_ERROR (Status)) {\r
- goto EXIT;\r
- }\r
-\r
- //\r
- // Store the AuthKey into KeyBuf\r
- //\r
- KeyBuf = AllocateZeroPool (DigestSize);\r
- if (KeyBuf == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto EXIT;\r
- }\r
-\r
- CopyMem (KeyBuf, Digest, DigestSize);\r
- KeySize = DigestSize;\r
-\r
- //\r
- // Calculate Prf(SK_Pi/r, IDi/r)\r
- //\r
- Fragments[0].Data = IdPayload->PayloadBuf + sizeof (IKEV2_COMMON_PAYLOAD_HEADER);\r
- Fragments[0].DataSize = IdPayload->PayloadSize - sizeof (IKEV2_COMMON_PAYLOAD_HEADER);\r
-\r
- if ((IkeSaSession->SessionCommon.IsInitiator && IsVerify) ||\r
- (!IkeSaSession->SessionCommon.IsInitiator && !IsVerify)\r
- ) {\r
- Status = IpSecCryptoIoHmac (\r
- (UINT8)IkeSaSession->SessionCommon.SaParams->Prf,\r
- IkeSaSession->IkeKeys->SkPrKey,\r
- IkeSaSession->IkeKeys->SkPrKeySize,\r
- (HASH_DATA_FRAGMENT *) Fragments,\r
- 1,\r
- Digest,\r
- DigestSize\r
- );\r
- } else {\r
- Status = IpSecCryptoIoHmac (\r
- (UINT8)IkeSaSession->SessionCommon.SaParams->Prf,\r
- IkeSaSession->IkeKeys->SkPiKey,\r
- IkeSaSession->IkeKeys->SkPiKeySize,\r
- (HASH_DATA_FRAGMENT *) Fragments,\r
- 1,\r
- Digest,\r
- DigestSize\r
- );\r
- }\r
- if (EFI_ERROR (Status)) {\r
- goto EXIT;\r
- }\r
-\r
- //\r
- // Copy data to Fragments.\r
- //\r
- if ((IkeSaSession->SessionCommon.IsInitiator && IsVerify) ||\r
- (!IkeSaSession->SessionCommon.IsInitiator && !IsVerify)\r
- ) {\r
- Fragments[0].Data = IkeSaSession->RespPacket;\r
- Fragments[0].DataSize = IkeSaSession->RespPacketSize;\r
- Fragments[1].Data = IkeSaSession->NiBlock;\r
- Fragments[1].DataSize = IkeSaSession->NiBlkSize;\r
- } else {\r
- Fragments[0].Data = IkeSaSession->InitPacket;\r
- Fragments[0].DataSize = IkeSaSession->InitPacketSize;\r
- Fragments[1].Data = IkeSaSession->NrBlock;\r
- Fragments[1].DataSize = IkeSaSession->NrBlkSize;\r
- }\r
-\r
- //\r
- // Copy the result of Prf(SK_Pr, IDi/r) to Fragments[2].\r
- //\r
- Fragments[2].Data = AllocateZeroPool (DigestSize);\r
- if (Fragments[2].Data == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto EXIT;\r
- }\r
-\r
- Fragments[2].DataSize = DigestSize;\r
- CopyMem (Fragments[2].Data, Digest, DigestSize);\r
-\r
- //\r
- // Calculate Prf(Key,IKE_SA_INIi/r|Ni/r|Prf(SK_Pr, IDi/r))\r
- //\r
- Status = IpSecCryptoIoHmac (\r
- (UINT8)IkeSaSession->SessionCommon.SaParams->Prf,\r
- KeyBuf,\r
- KeySize,\r
- (HASH_DATA_FRAGMENT *) Fragments,\r
- 3,\r
- Digest,\r
- DigestSize\r
- );\r
- if (EFI_ERROR (Status)) {\r
- goto EXIT;\r
- }\r
-\r
- //\r
- // Allocate buffer for Auth Payload\r
- //\r
- AuthPayload = IkePayloadAlloc ();\r
- if (AuthPayload == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto EXIT;\r
- }\r
-\r
- AuthPayload->PayloadSize = sizeof (IKEV2_AUTH) + DigestSize;\r
- PayloadBuf = (IKEV2_AUTH *) AllocateZeroPool (AuthPayload->PayloadSize);\r
- if (PayloadBuf == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto EXIT;\r
- }\r
-\r
- //\r
- // Fill in Auth payload.\r
- //\r
- PayloadBuf->Header.NextPayload = NextPayload;\r
- PayloadBuf->Header.PayloadLength = (UINT16) (AuthPayload->PayloadSize);\r
- if (IkeSaSession->Pad->Data->AuthMethod == EfiIPsecAuthMethodPreSharedSecret) {\r
- //\r
- // Only support Shared Key Message Integrity\r
- //\r
- PayloadBuf->AuthMethod = IKEV2_AUTH_METHOD_SKMI;\r
- } else {\r
- //\r
- // Not support other Auth method.\r
- //\r
- Status = EFI_UNSUPPORTED;\r
- goto EXIT;\r
- }\r
-\r
- //\r
- // Copy the result of Prf(Key,IKE_SA_INIi/r|Ni/r|Prf(SK_Pr, IDi/r)) to Auth\r
- // payload block.\r
- //\r
- CopyMem (\r
- PayloadBuf + 1,\r
- Digest,\r
- DigestSize\r
- );\r
-\r
- //\r
- // Fill in IKE_PACKET\r
- //\r
- AuthPayload->PayloadBuf = (UINT8 *) PayloadBuf;\r
- AuthPayload->PayloadType = IKEV2_PAYLOAD_TYPE_AUTH;\r
-\r
-EXIT:\r
- if (KeyBuf != NULL) {\r
- FreePool (KeyBuf);\r
- }\r
- if (Digest != NULL) {\r
- FreePool (Digest);\r
- }\r
- if (Fragments[2].Data != NULL) {\r
- //\r
- // Free the buffer which contains the result of Prf(SK_Pr, IDi/r)\r
- //\r
- FreePool (Fragments[2].Data);\r
- }\r
-\r
- if (EFI_ERROR (Status)) {\r
- if (AuthPayload != NULL) {\r
- IkePayloadFree (AuthPayload);\r
- }\r
- return NULL;\r
- } else {\r
- return AuthPayload;\r
- }\r
-}\r
-\r
-/**\r
- Generate a Authentication Payload for Certificate Auth method.\r
-\r
- This function has two functions. One is creating a local Authentication\r
- Payload for sending and other is creating the remote Authentication data\r
- for verification when the IsVerify is TURE.\r
-\r
- @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION related to.\r
- @param[in] IdPayload Pointer to the ID payload to be used for Authentication\r
- payload generation.\r
- @param[in] NextPayload The type filled into the Authentication Payload\r
- next payload field.\r
- @param[in] IsVerify If it is TURE, the Authentication payload is used\r
- for verification.\r
- @param[in] UefiPrivateKey Pointer to the UEFI private key. Ignore it when\r
- verify the authenticate payload.\r
- @param[in] UefiPrivateKeyLen The size of UefiPrivateKey in bytes. Ignore it\r
- when verify the authenticate payload.\r
- @param[in] UefiKeyPwd Pointer to the password of UEFI private key.\r
- Ignore it when verify the authenticate payload.\r
- @param[in] UefiKeyPwdLen The size of UefiKeyPwd in bytes.Ignore it when\r
- verify the authenticate payload.\r
-\r
- @return pointer to IKE Authentication payload for Cerifitcation method.\r
-\r
-**/\r
-IKE_PAYLOAD *\r
-Ikev2CertGenerateAuthPayload (\r
- IN IKEV2_SA_SESSION *IkeSaSession,\r
- IN IKE_PAYLOAD *IdPayload,\r
- IN UINT8 NextPayload,\r
- IN BOOLEAN IsVerify,\r
- IN UINT8 *UefiPrivateKey,\r
- IN UINTN UefiPrivateKeyLen,\r
- IN UINT8 *UefiKeyPwd,\r
- IN UINTN UefiKeyPwdLen\r
- )\r
-{\r
- UINT8 *Digest;\r
- UINTN DigestSize;\r
- PRF_DATA_FRAGMENT Fragments[3];\r
- IKE_PAYLOAD *AuthPayload;\r
- IKEV2_AUTH *PayloadBuf;\r
- EFI_STATUS Status;\r
- UINT8 *Signature;\r
- UINTN SigSize;\r
-\r
- //\r
- // Auth = Prf(Scert,IKE_SA_INIi/r|Ni/r|Prf(SK_Pr, IDi/r))\r
- //\r
- // 1 2 3\r
- // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1\r
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r
- // ! Next Payload !C! RESERVED ! Payload Length !\r
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r
- // ! Auth Method ! RESERVED !\r
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r
- // ! !\r
- // ~ Authentication Data ~\r
- // ! !\r
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r
- //\r
- //\r
- // Initial point\r
- //\r
- AuthPayload = NULL;\r
- Digest = NULL;\r
- Signature = NULL;\r
- SigSize = 0;\r
-\r
- if (IdPayload == NULL) {\r
- return NULL;\r
- }\r
- DigestSize = IpSecGetHmacDigestLength ((UINT8)IkeSaSession->SessionCommon.SaParams->Prf);\r
- Digest = AllocateZeroPool (DigestSize);\r
- if (Digest == NULL) {\r
- return NULL;\r
- }\r
-\r
- //\r
- // Calculate Prf(SK_Pi/r, IDi/r)\r
- //\r
- Fragments[0].Data = IdPayload->PayloadBuf + sizeof (IKEV2_COMMON_PAYLOAD_HEADER);\r
- Fragments[0].DataSize = IdPayload->PayloadSize - sizeof (IKEV2_COMMON_PAYLOAD_HEADER);\r
-\r
- IpSecDumpBuf ("RestofIDPayload", Fragments[0].Data, Fragments[0].DataSize);\r
-\r
- if ((IkeSaSession->SessionCommon.IsInitiator && IsVerify) ||\r
- (!IkeSaSession->SessionCommon.IsInitiator && !IsVerify)\r
- ) {\r
- Status = IpSecCryptoIoHmac(\r
- (UINT8)IkeSaSession->SessionCommon.SaParams->Prf,\r
- IkeSaSession->IkeKeys->SkPrKey,\r
- IkeSaSession->IkeKeys->SkPrKeySize,\r
- (HASH_DATA_FRAGMENT *) Fragments,\r
- 1,\r
- Digest,\r
- DigestSize\r
- );\r
- IpSecDumpBuf ("MACedIDForR", Digest, DigestSize);\r
- } else {\r
- Status = IpSecCryptoIoHmac (\r
- (UINT8)IkeSaSession->SessionCommon.SaParams->Prf,\r
- IkeSaSession->IkeKeys->SkPiKey,\r
- IkeSaSession->IkeKeys->SkPiKeySize,\r
- (HASH_DATA_FRAGMENT *) Fragments,\r
- 1,\r
- Digest,\r
- DigestSize\r
- );\r
- IpSecDumpBuf ("MACedIDForI", Digest, DigestSize);\r
- }\r
- if (EFI_ERROR (Status)) {\r
- goto EXIT;\r
- }\r
-\r
- //\r
- // Copy data to Fragments.\r
- //\r
- if ((IkeSaSession->SessionCommon.IsInitiator && IsVerify) ||\r
- (!IkeSaSession->SessionCommon.IsInitiator && !IsVerify)\r
- ) {\r
- Fragments[0].Data = IkeSaSession->RespPacket;\r
- Fragments[0].DataSize = IkeSaSession->RespPacketSize;\r
- Fragments[1].Data = IkeSaSession->NiBlock;\r
- Fragments[1].DataSize = IkeSaSession->NiBlkSize;\r
- IpSecDumpBuf ("RealMessage2", Fragments[0].Data, Fragments[0].DataSize);\r
- IpSecDumpBuf ("NonceIDdata", Fragments[1].Data, Fragments[1].DataSize);\r
- } else {\r
- Fragments[0].Data = IkeSaSession->InitPacket;\r
- Fragments[0].DataSize = IkeSaSession->InitPacketSize;\r
- Fragments[1].Data = IkeSaSession->NrBlock;\r
- Fragments[1].DataSize = IkeSaSession->NrBlkSize;\r
- IpSecDumpBuf ("RealMessage1", Fragments[0].Data, Fragments[0].DataSize);\r
- IpSecDumpBuf ("NonceRDdata", Fragments[1].Data, Fragments[1].DataSize);\r
- }\r
-\r
- //\r
- // Copy the result of Prf(SK_Pr, IDi/r) to Fragments[2].\r
- //\r
- Fragments[2].Data = AllocateZeroPool (DigestSize);\r
- if (Fragments[2].Data == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto EXIT;\r
- }\r
-\r
- Fragments[2].DataSize = DigestSize;\r
- CopyMem (Fragments[2].Data, Digest, DigestSize);\r
-\r
- //\r
- // Calculate Prf(Key,IKE_SA_INIi/r|Ni/r|Prf(SK_Pr, IDi/r))\r
- //\r
- Status = IpSecCryptoIoHash (\r
- (UINT8)IkeSaSession->SessionCommon.SaParams->Prf,\r
- (HASH_DATA_FRAGMENT *) Fragments,\r
- 3,\r
- Digest,\r
- DigestSize\r
- );\r
- if (EFI_ERROR (Status)) {\r
- goto EXIT;\r
- }\r
-\r
- IpSecDumpBuf ("HashSignedOctects", Digest, DigestSize);\r
- //\r
- // Sign the data by the private Key\r
- //\r
- if (!IsVerify) {\r
- IpSecCryptoIoAuthDataWithCertificate (\r
- Digest,\r
- DigestSize,\r
- UefiPrivateKey,\r
- UefiPrivateKeyLen,\r
- UefiKeyPwd,\r
- UefiKeyPwdLen,\r
- &Signature,\r
- &SigSize\r
- );\r
-\r
- if (SigSize == 0 || Signature == NULL) {\r
- goto EXIT;\r
- }\r
- }\r
-\r
- //\r
- // Allocate buffer for Auth Payload\r
- //\r
- AuthPayload = IkePayloadAlloc ();\r
- if (AuthPayload == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto EXIT;\r
- }\r
-\r
- if (!IsVerify) {\r
- AuthPayload->PayloadSize = sizeof (IKEV2_AUTH) + SigSize;\r
- } else {\r
- AuthPayload->PayloadSize = sizeof (IKEV2_AUTH) + DigestSize;\r
- }\r
-\r
- PayloadBuf = (IKEV2_AUTH *) AllocateZeroPool (AuthPayload->PayloadSize);\r
- if (PayloadBuf == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto EXIT;\r
- }\r
-\r
- //\r
- // Fill in Auth payload.\r
- //\r
- PayloadBuf->Header.NextPayload = NextPayload;\r
- PayloadBuf->Header.PayloadLength = (UINT16) (AuthPayload->PayloadSize);\r
- if (IkeSaSession->Pad->Data->AuthMethod == EfiIPsecAuthMethodCertificates) {\r
- PayloadBuf->AuthMethod = IKEV2_AUTH_METHOD_RSA;\r
- } else {\r
- Status = EFI_INVALID_PARAMETER;\r
- goto EXIT;\r
- }\r
-\r
- //\r
- // Copy the result of Prf(Key,IKE_SA_INIi/r|Ni/r|Prf(SK_Pr, IDi/r)) to Auth\r
- // payload block.\r
- //\r
- if (!IsVerify) {\r
- CopyMem (PayloadBuf + 1, Signature, SigSize);\r
- } else {\r
- CopyMem (PayloadBuf + 1, Digest, DigestSize);\r
- }\r
-\r
- //\r
- // Fill in IKE_PACKET\r
- //\r
- AuthPayload->PayloadBuf = (UINT8 *) PayloadBuf;\r
- AuthPayload->PayloadType = IKEV2_PAYLOAD_TYPE_AUTH;\r
-\r
-EXIT:\r
- if (Digest != NULL) {\r
- FreePool (Digest);\r
- }\r
- if (Signature != NULL) {\r
- FreePool (Signature);\r
- }\r
- if (Fragments[2].Data != NULL) {\r
- //\r
- // Free the buffer which contains the result of Prf(SK_Pr, IDi/r)\r
- //\r
- FreePool (Fragments[2].Data);\r
- }\r
-\r
- if (EFI_ERROR (Status)) {\r
- if (AuthPayload != NULL) {\r
- IkePayloadFree (AuthPayload);\r
- }\r
- return NULL;\r
- } else {\r
- return AuthPayload;\r
- }\r
-}\r
-\r
-/**\r
- Generate TS payload.\r
-\r
- This function generates TSi or TSr payload according to type of next payload.\r
- If the next payload is Responder TS, gereate TSi Payload. Otherwise, generate\r
- TSr payload.\r
-\r
- @param[in] ChildSa Pointer to IKEV2_CHILD_SA_SESSION related to this TS payload.\r
- @param[in] NextPayload The payload type presented in the NextPayload field\r
- of ID Payload header.\r
- @param[in] IsTunnel It indicates that if the Ts Payload is after the CP payload.\r
- If yes, it means the Tsi and Tsr payload should be with\r
- Max port range and address range and protocol is marked\r
- as zero.\r
-\r
- @retval Pointer to Ts IKE payload.\r
-\r
-**/\r
-IKE_PAYLOAD *\r
-Ikev2GenerateTsPayload (\r
- IN IKEV2_CHILD_SA_SESSION *ChildSa,\r
- IN UINT8 NextPayload,\r
- IN BOOLEAN IsTunnel\r
- )\r
-{\r
- IKE_PAYLOAD *TsPayload;\r
- IKEV2_TS *TsPayloadBuf;\r
- TRAFFIC_SELECTOR *TsSelector;\r
- UINTN SelectorSize;\r
- UINTN TsPayloadSize;\r
- UINT8 IpVersion;\r
- UINT8 AddrSize;\r
-\r
- //\r
- // 1 2 3\r
- // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1\r
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r
- // ! Next Payload !C! RESERVED ! Payload Length !\r
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r
- // ! Number of TSs ! RESERVED !\r
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r
- // ! !\r
- // ~ <Traffic Selectors> ~\r
- // ! !\r
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r
- //\r
-\r
- TsPayload = IkePayloadAlloc();\r
- if (TsPayload == NULL) {\r
- return NULL;\r
- }\r
-\r
- IpVersion = ChildSa->SessionCommon.UdpService->IpVersion;\r
- //\r
- // The Starting Address and Ending Address is variable length depends on\r
- // is IPv4 or IPv6\r
- //\r
- AddrSize = (UINT8)((IpVersion == IP_VERSION_4) ? sizeof (EFI_IPv4_ADDRESS) : sizeof (EFI_IPv6_ADDRESS));\r
- SelectorSize = sizeof (TRAFFIC_SELECTOR) + 2 * AddrSize;\r
- TsPayloadSize = sizeof (IKEV2_TS) + SelectorSize;\r
- TsPayloadBuf = AllocateZeroPool (TsPayloadSize);\r
- if (TsPayloadBuf == NULL) {\r
- goto ON_ERROR;\r
- }\r
-\r
- TsPayload->PayloadBuf = (UINT8 *) TsPayloadBuf;\r
- TsSelector = (TRAFFIC_SELECTOR*)(TsPayloadBuf + 1);\r
-\r
- TsSelector->TSType = (UINT8)((IpVersion == IP_VERSION_4) ? IKEV2_TS_TYPE_IPV4_ADDR_RANGE : IKEV2_TS_TYPS_IPV6_ADDR_RANGE);\r
-\r
- //\r
- // For tunnel mode\r
- //\r
- if (IsTunnel) {\r
- TsSelector->IpProtocolId = IKEV2_TS_ANY_PROTOCOL;\r
- TsSelector->SelecorLen = (UINT16) SelectorSize;\r
- TsSelector->StartPort = 0;\r
- TsSelector->EndPort = IKEV2_TS_ANY_PORT;\r
- ZeroMem ((UINT8*)TsSelector + sizeof(TRAFFIC_SELECTOR), AddrSize);\r
- SetMem ((UINT8*)TsSelector + sizeof(TRAFFIC_SELECTOR) + AddrSize, AddrSize, 0xff);\r
-\r
- } else {\r
- //\r
- // TODO: Support port range and address range\r
- //\r
- if (NextPayload == IKEV2_PAYLOAD_TYPE_TS_RSP){\r
- //\r
- // Create initiator Traffic Selector\r
- //\r
- TsSelector->SelecorLen = (UINT16)SelectorSize;\r
-\r
- //\r
- // Currently only support the port range from 0~0xffff. Don't support other\r
- // port range.\r
- // TODO: support Port range\r
- //\r
- if (ChildSa->SessionCommon.IsInitiator) {\r
- if (ChildSa->Spd->Selector->LocalPort != 0 &&\r
- ChildSa->Spd->Selector->LocalPortRange == 0) {\r
- //\r
- // For not port range.\r
- //\r
- TsSelector->StartPort = ChildSa->Spd->Selector->LocalPort;\r
- TsSelector->EndPort = ChildSa->Spd->Selector->LocalPort;\r
- } else if (ChildSa->Spd->Selector->LocalPort == 0){\r
- //\r
- // For port from 0~0xffff\r
- //\r
- TsSelector->StartPort = 0;\r
- TsSelector->EndPort = IKEV2_TS_ANY_PORT;\r
- } else {\r
- //\r
- // Not support now.\r
- //\r
- goto ON_ERROR;\r
- }\r
- } else {\r
- if (ChildSa->Spd->Selector->RemotePort != 0 &&\r
- ChildSa->Spd->Selector->RemotePortRange == 0) {\r
- //\r
- // For not port range.\r
- //\r
- TsSelector->StartPort = ChildSa->Spd->Selector->RemotePort;\r
- TsSelector->EndPort = ChildSa->Spd->Selector->RemotePort;\r
- } else if (ChildSa->Spd->Selector->RemotePort == 0) {\r
- //\r
- // For port from 0~0xffff\r
- //\r
- TsSelector->StartPort = 0;\r
- TsSelector->EndPort = IKEV2_TS_ANY_PORT;\r
- } else {\r
- //\r
- // Not support now.\r
- //\r
- goto ON_ERROR;\r
- }\r
- }\r
- //\r
- // Copy Address.Currently the address range is not supported.\r
- // The Starting address is same as Ending address\r
- // TODO: Support Address Range.\r
- //\r
- CopyMem (\r
- (UINT8*)TsSelector + sizeof(TRAFFIC_SELECTOR),\r
- ChildSa->SessionCommon.IsInitiator ?\r
- ChildSa->Spd->Selector->LocalAddress :\r
- ChildSa->Spd->Selector->RemoteAddress,\r
- AddrSize\r
- );\r
- CopyMem (\r
- (UINT8*)TsSelector + sizeof(TRAFFIC_SELECTOR) + AddrSize,\r
- ChildSa->SessionCommon.IsInitiator ?\r
- ChildSa->Spd->Selector->LocalAddress :\r
- ChildSa->Spd->Selector->RemoteAddress,\r
- AddrSize\r
- );\r
- //\r
- // If the Next Payload is not TS responder, this TS payload type is the TS responder.\r
- //\r
- TsPayload->PayloadType = IKEV2_PAYLOAD_TYPE_TS_INIT;\r
- }else{\r
- //\r
- // Create responder Traffic Selector\r
- //\r
- TsSelector->SelecorLen = (UINT16)SelectorSize;\r
-\r
- //\r
- // Currently only support the port range from 0~0xffff. Don't support other\r
- // port range.\r
- // TODO: support Port range\r
- //\r
- if (!ChildSa->SessionCommon.IsInitiator) {\r
- if (ChildSa->Spd->Selector->LocalPort != 0 &&\r
- ChildSa->Spd->Selector->LocalPortRange == 0) {\r
- //\r
- // For not port range.\r
- //\r
- TsSelector->StartPort = ChildSa->Spd->Selector->LocalPort;\r
- TsSelector->EndPort = ChildSa->Spd->Selector->LocalPort;\r
- } else if (ChildSa->Spd->Selector->LocalPort == 0){\r
- //\r
- // For port from 0~0xffff\r
- //\r
- TsSelector->StartPort = 0;\r
- TsSelector->EndPort = IKEV2_TS_ANY_PORT;\r
- } else {\r
- //\r
- // Not support now.\r
- //\r
- goto ON_ERROR;\r
- }\r
- } else {\r
- if (ChildSa->Spd->Selector->RemotePort != 0 &&\r
- ChildSa->Spd->Selector->RemotePortRange == 0) {\r
- //\r
- // For not port range.\r
- //\r
- TsSelector->StartPort = ChildSa->Spd->Selector->RemotePort;\r
- TsSelector->EndPort = ChildSa->Spd->Selector->RemotePort;\r
- } else if (ChildSa->Spd->Selector->RemotePort == 0){\r
- //\r
- // For port from 0~0xffff\r
- //\r
- TsSelector->StartPort = 0;\r
- TsSelector->EndPort = IKEV2_TS_ANY_PORT;\r
- } else {\r
- //\r
- // Not support now.\r
- //\r
- goto ON_ERROR;\r
- }\r
- }\r
- //\r
- // Copy Address.Currently the address range is not supported.\r
- // The Starting address is same as Ending address\r
- // TODO: Support Address Range.\r
- //\r
- CopyMem (\r
- (UINT8*)TsSelector + sizeof(TRAFFIC_SELECTOR),\r
- ChildSa->SessionCommon.IsInitiator ?\r
- ChildSa->Spd->Selector->RemoteAddress :\r
- ChildSa->Spd->Selector->LocalAddress,\r
- AddrSize\r
- );\r
- CopyMem (\r
- (UINT8*)TsSelector + sizeof(TRAFFIC_SELECTOR) + AddrSize,\r
- ChildSa->SessionCommon.IsInitiator ?\r
- ChildSa->Spd->Selector->RemoteAddress :\r
- ChildSa->Spd->Selector->LocalAddress,\r
- AddrSize\r
- );\r
- //\r
- // If the Next Payload is not TS responder, this TS payload type is the TS responder.\r
- //\r
- TsPayload->PayloadType = IKEV2_PAYLOAD_TYPE_TS_RSP;\r
- }\r
- }\r
-\r
- if (ChildSa->Spd->Selector->NextLayerProtocol != 0xffff) {\r
- TsSelector->IpProtocolId = (UINT8)ChildSa->Spd->Selector->NextLayerProtocol;\r
- } else {\r
- TsSelector->IpProtocolId = IKEV2_TS_ANY_PROTOCOL;\r
- }\r
-\r
- TsPayloadBuf->Header.NextPayload = NextPayload;\r
- TsPayloadBuf->Header.PayloadLength = (UINT16)TsPayloadSize;\r
- TsPayloadBuf->TSNumbers = 1;\r
- TsPayload->PayloadSize = TsPayloadSize;\r
- goto ON_EXIT;\r
-\r
-ON_ERROR:\r
- if (TsPayload != NULL) {\r
- IkePayloadFree (TsPayload);\r
- TsPayload = NULL;\r
- }\r
-ON_EXIT:\r
- return TsPayload;\r
-}\r
-\r
-/**\r
- Generate the Notify payload.\r
-\r
- Since the structure of Notify payload which defined in RFC 4306 is simple, so\r
- there is no internal data structure for Notify payload. This function generate\r
- Notify payload defined in RFC 4306, but all the fields in this payload are still\r
- in host order and need call Ikev2EncodePayload() to convert those fields from\r
- the host order to network order beforing sending it.\r
-\r
- @param[in] ProtocolId The protocol type ID. For IKE_SA it MUST be one (1).\r
- For IPsec SAs it MUST be neither (2) for AH or (3)\r
- for ESP.\r
- @param[in] NextPayload The next paylaod type in NextPayload field of\r
- the Notify payload.\r
- @param[in] SpiSize Size of the SPI in SPI size field of the Notify Payload.\r
- @param[in] MessageType The message type in NotifyMessageType field of the\r
- Notify Payload.\r
- @param[in] SpiBuf Pointer to buffer contains the SPI value.\r
- @param[in] NotifyData Pointer to buffer contains the notification data.\r
- @param[in] NotifyDataSize The size of NotifyData in bytes.\r
-\r
-\r
- @retval Pointer to IKE Notify Payload.\r
-\r
-**/\r
-IKE_PAYLOAD *\r
-Ikev2GenerateNotifyPayload (\r
- IN UINT8 ProtocolId,\r
- IN UINT8 NextPayload,\r
- IN UINT8 SpiSize,\r
- IN UINT16 MessageType,\r
- IN UINT8 *SpiBuf,\r
- IN UINT8 *NotifyData,\r
- IN UINTN NotifyDataSize\r
- )\r
-{\r
- IKE_PAYLOAD *NotifyPayload;\r
- IKEV2_NOTIFY *Notify;\r
- UINT16 NotifyPayloadLen;\r
- UINT8 *MessageData;\r
-\r
- // 1 2 3\r
- // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1\r
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r
- // ! Next Payload !C! RESERVED ! Payload Length !\r
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r
- // ! Protocol ID ! SPI Size ! Notify Message Type !\r
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r
- // ! !\r
- // ~ Security Parameter Index (SPI) ~\r
- // ! !\r
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r
- // ! !\r
- // ~ Notification Data ~\r
- // ! !\r
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r
- //\r
- //\r
- NotifyPayloadLen = (UINT16) (sizeof (IKEV2_NOTIFY) + NotifyDataSize + SpiSize);\r
- Notify = (IKEV2_NOTIFY *) AllocateZeroPool (NotifyPayloadLen);\r
- if (Notify == NULL) {\r
- return NULL;\r
- }\r
-\r
- //\r
- // Set Delete Payload's Generic Header\r
- //\r
- Notify->Header.NextPayload = NextPayload;\r
- Notify->Header.PayloadLength = NotifyPayloadLen;\r
- Notify->SpiSize = SpiSize;\r
- Notify->ProtocolId = ProtocolId;\r
- Notify->MessageType = MessageType;\r
-\r
- //\r
- // Copy Spi , for Cookie Notify, there is no SPI.\r
- //\r
- if (SpiBuf != NULL && SpiSize != 0 ) {\r
- CopyMem (Notify + 1, SpiBuf, SpiSize);\r
- }\r
-\r
- MessageData = ((UINT8 *) (Notify + 1)) + SpiSize;\r
-\r
- //\r
- // Copy Notification Data\r
- //\r
- if (NotifyDataSize != 0) {\r
- CopyMem (MessageData, NotifyData, NotifyDataSize);\r
- }\r
-\r
- //\r
- // Create Payload for and set type as IKEV2_PAYLOAD_TYPE_NOTIFY\r
- //\r
- NotifyPayload = IkePayloadAlloc ();\r
- if (NotifyPayload == NULL) {\r
- FreePool (Notify);\r
- return NULL;\r
- }\r
-\r
- NotifyPayload->PayloadType = IKEV2_PAYLOAD_TYPE_NOTIFY;\r
- NotifyPayload->PayloadBuf = (UINT8 *) Notify;\r
- NotifyPayload->PayloadSize = NotifyPayloadLen;\r
- return NotifyPayload;\r
-}\r
-\r
-/**\r
- Generate the Delete payload.\r
-\r
- Since the structure of Delete payload which defined in RFC 4306 is simple,\r
- there is no internal data structure for Delete payload. This function generate\r
- Delete payload defined in RFC 4306, but all the fields in this payload are still\r
- in host order and need call Ikev2EncodePayload() to convert those fields from\r
- the host order to network order beforing sending it.\r
-\r
- @param[in] IkeSaSession Pointer to IKE SA Session to be used of Delete payload generation.\r
- @param[in] NextPayload The next paylaod type in NextPayload field of\r
- the Delete payload.\r
- @param[in] SpiSize Size of the SPI in SPI size field of the Delete Payload.\r
- @param[in] SpiNum Number of SPI in NumofSPIs field of the Delete Payload.\r
- @param[in] SpiBuf Pointer to buffer contains the SPI value.\r
-\r
- @retval a Pointer of IKE Delete Payload.\r
-\r
-**/\r
-IKE_PAYLOAD *\r
-Ikev2GenerateDeletePayload (\r
- IN IKEV2_SA_SESSION *IkeSaSession,\r
- IN UINT8 NextPayload,\r
- IN UINT8 SpiSize,\r
- IN UINT16 SpiNum,\r
- IN UINT8 *SpiBuf\r
-\r
- )\r
-{\r
- IKE_PAYLOAD *DelPayload;\r
- IKEV2_DELETE *Del;\r
- UINT16 SpiBufSize;\r
- UINT16 DelPayloadLen;\r
-\r
- // 1 2 3\r
- // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1\r
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r
- // ! Next Payload !C! RESERVED ! Payload Length !\r
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r
- // ! Protocol ID ! SPI Size ! # of SPIs !\r
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r
- // ! !\r
- // ~ Security Parameter Index(es) (SPI) ~\r
- // ! !\r
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r
- //\r
- SpiBufSize = (UINT16) (SpiSize * SpiNum);\r
- if (SpiBufSize != 0 && SpiBuf == NULL) {\r
- return NULL;\r
- }\r
-\r
- DelPayloadLen = (UINT16) (sizeof (IKEV2_DELETE) + SpiBufSize);\r
-\r
- Del = AllocateZeroPool (DelPayloadLen);\r
- if (Del == NULL) {\r
- return NULL;\r
- }\r
-\r
- //\r
- // Set Delete Payload's Generic Header\r
- //\r
- Del->Header.NextPayload = NextPayload;\r
- Del->Header.PayloadLength = DelPayloadLen;\r
- Del->NumSpis = SpiNum;\r
- Del->SpiSize = SpiSize;\r
-\r
- if (SpiSize == 4) {\r
- //\r
- // TODO: should consider the AH if needs to support.\r
- //\r
- Del->ProtocolId = IPSEC_PROTO_IPSEC_ESP;\r
- } else {\r
- Del->ProtocolId = IPSEC_PROTO_ISAKMP;\r
- }\r
-\r
- //\r
- // Set Del Payload's Idntification Data\r
- //\r
- CopyMem (Del + 1, SpiBuf, SpiBufSize);\r
- DelPayload = IkePayloadAlloc ();\r
- if (DelPayload == NULL) {\r
- FreePool (Del);\r
- return NULL;\r
- }\r
-\r
- DelPayload->PayloadType = IKEV2_PAYLOAD_TYPE_DELETE;\r
- DelPayload->PayloadBuf = (UINT8 *) Del;\r
- DelPayload->PayloadSize = DelPayloadLen;\r
- return DelPayload;\r
-}\r
-\r
-/**\r
- Generate the Configuration payload.\r
-\r
- This function generate configuration payload defined in RFC 4306, but all the\r
- fields in this payload are still in host order and need call Ikev2EncodePayload()\r
- to convert those fields from the host order to network order beforing sending it.\r
-\r
- @param[in] IkeSaSession Pointer to IKE SA Session to be used for Delete payload\r
- generation.\r
- @param[in] NextPayload The next paylaod type in NextPayload field of\r
- the Delete payload.\r
- @param[in] CfgType The attribute type in the Configuration attribute.\r
-\r
- @retval Pointer to IKE CP Payload.\r
-\r
-**/\r
-IKE_PAYLOAD *\r
-Ikev2GenerateCpPayload (\r
- IN IKEV2_SA_SESSION *IkeSaSession,\r
- IN UINT8 NextPayload,\r
- IN UINT8 CfgType\r
- )\r
-{\r
- IKE_PAYLOAD *CpPayload;\r
- IKEV2_CFG *Cfg;\r
- UINT16 PayloadLen;\r
- IKEV2_CFG_ATTRIBUTES *CfgAttributes;\r
-\r
- //\r
- // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1\r
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r
- // ! Next Payload !C! RESERVED ! Payload Length !\r
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r
- // ! CFG Type ! RESERVED !\r
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r
- // ! !\r
- // ~ Configuration Attributes ~\r
- // ! !\r
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r
- //\r
-\r
- PayloadLen = (UINT16) (sizeof (IKEV2_CFG) + sizeof (IKEV2_CFG_ATTRIBUTES));\r
- Cfg = (IKEV2_CFG *) AllocateZeroPool (PayloadLen);\r
-\r
- if (Cfg == NULL) {\r
- return NULL;\r
- }\r
-\r
- CfgAttributes = (IKEV2_CFG_ATTRIBUTES *)((UINT8 *)Cfg + sizeof (IKEV2_CFG));\r
-\r
- //\r
- // Only generate the configuration payload with an empty INTERNAL_IP4_ADDRESS\r
- // or INTERNAL_IP6_ADDRESS.\r
- //\r
-\r
- Cfg->Header.NextPayload = NextPayload;\r
- Cfg->Header.PayloadLength = PayloadLen;\r
- Cfg->CfgType = IKEV2_CFG_TYPE_REQUEST;\r
-\r
- CfgAttributes->AttritType = CfgType;\r
- CfgAttributes->ValueLength = 0;\r
-\r
- CpPayload = IkePayloadAlloc ();\r
- if (CpPayload == NULL) {\r
- if (Cfg != NULL) {\r
- FreePool (Cfg);\r
- }\r
- return NULL;\r
- }\r
-\r
- CpPayload->PayloadType = IKEV2_PAYLOAD_TYPE_CP;\r
- CpPayload->PayloadBuf = (UINT8 *) Cfg;\r
- CpPayload->PayloadSize = PayloadLen;\r
- return CpPayload;\r
-}\r
-\r
-/**\r
- Parser the Notify Cookie payload.\r
-\r
- This function parses the Notify Cookie payload.If the Notify ProtocolId is not\r
- IPSEC_PROTO_ISAKMP or if the SpiSize is not zero or if the MessageType is not\r
- the COOKIE, return EFI_INVALID_PARAMETER.\r
-\r
- @param[in] IkeNCookie Pointer to the IKE_PAYLOAD which contians the\r
- Notify Cookie payload.\r
- the Notify payload.\r
- @param[in, out] IkeSaSession Pointer to the relevant IKE SA Session.\r
-\r
- @retval EFI_SUCCESS The Notify Cookie Payload is valid.\r
- @retval EFI_INVALID_PARAMETER The Notify Cookie Payload is invalid.\r
- @retval EFI_OUT_OF_RESOURCE The required resource can't be allocated.\r
-\r
-**/\r
-EFI_STATUS\r
-Ikev2ParserNotifyCookiePayload (\r
- IN IKE_PAYLOAD *IkeNCookie,\r
- IN OUT IKEV2_SA_SESSION *IkeSaSession\r
- )\r
-{\r
- IKEV2_NOTIFY *NotifyPayload;\r
- UINTN NotifyDataSize;\r
-\r
- NotifyPayload = (IKEV2_NOTIFY *)IkeNCookie->PayloadBuf;\r
-\r
- if ((NotifyPayload->ProtocolId != IPSEC_PROTO_ISAKMP) ||\r
- (NotifyPayload->SpiSize != 0) ||\r
- (NotifyPayload->MessageType != IKEV2_NOTIFICATION_COOKIE)\r
- ) {\r
- return EFI_INVALID_PARAMETER;\r
- }\r
-\r
- NotifyDataSize = NotifyPayload->Header.PayloadLength - sizeof (IKEV2_NOTIFY);\r
- IkeSaSession->NCookie = AllocateZeroPool (NotifyDataSize);\r
- if (IkeSaSession->NCookie == NULL) {\r
- return EFI_OUT_OF_RESOURCES;\r
- }\r
-\r
- IkeSaSession->NCookieSize = NotifyDataSize;\r
-\r
- CopyMem (\r
- IkeSaSession->NCookie,\r
- (UINT8 *)NotifyPayload + sizeof (IKEV2_NOTIFY),\r
- NotifyDataSize\r
- );\r
-\r
- return EFI_SUCCESS;\r
-}\r
-\r
-\r
-/**\r
- Generate the Certificate payload or Certificate Request Payload.\r
-\r
- Since the Certificate Payload structure is same with Certificate Request Payload,\r
- the only difference is that one contains the Certificate Data, other contains\r
- the acceptable certificateion CA. This function generate Certificate payload\r
- or Certificate Request Payload defined in RFC 4306, but all the fields\r
- in the payload are still in host order and need call Ikev2EncodePayload()\r
- to convert those fields from the host order to network order beforing sending it.\r
-\r
- @param[in] IkeSaSession Pointer to IKE SA Session to be used of Delete payload\r
- generation.\r
- @param[in] NextPayload The next paylaod type in NextPayload field of\r
- the Delete payload.\r
- @param[in] Certificate Pointer of buffer contains the certification data.\r
- @param[in] CertificateLen The length of Certificate in byte.\r
- @param[in] EncodeType Specified the Certificate Encodeing which is defined\r
- in RFC 4306.\r
- @param[in] IsRequest To indicate create Certificate Payload or Certificate\r
- Request Payload. If it is TURE, create Certificate\r
- Request Payload. Otherwise, create Certificate Payload.\r
-\r
- @retval a Pointer to IKE Payload whose payload buffer containing the Certificate\r
- payload or Certificated Request payload.\r
-\r
-**/\r
-IKE_PAYLOAD *\r
-Ikev2GenerateCertificatePayload (\r
- IN IKEV2_SA_SESSION *IkeSaSession,\r
- IN UINT8 NextPayload,\r
- IN UINT8 *Certificate,\r
- IN UINTN CertificateLen,\r
- IN UINT8 EncodeType,\r
- IN BOOLEAN IsRequest\r
- )\r
-{\r
- IKE_PAYLOAD *CertPayload;\r
- IKEV2_CERT *Cert;\r
- UINT16 PayloadLen;\r
- UINT8 *PublicKey;\r
- UINTN PublicKeyLen;\r
- HASH_DATA_FRAGMENT Fragment[1];\r
- UINT8 *HashData;\r
- UINTN HashDataSize;\r
- EFI_STATUS Status;\r
-\r
- //\r
- // 1 2 3\r
- // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1\r
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r
- // ! Next Payload !C! RESERVED ! Payload Length !\r
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r
- // ! Cert Encoding ! !\r
- // +-+-+-+-+-+-+-+-+ !\r
- // ~ Certificate Data/Authority ~\r
- // ! !\r
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r
- //\r
-\r
- Status = EFI_SUCCESS;\r
- PublicKey = NULL;\r
- PublicKeyLen = 0;\r
-\r
- if (!IsRequest) {\r
- PayloadLen = (UINT16) (sizeof (IKEV2_CERT) + CertificateLen);\r
- } else {\r
- //\r
- // SHA1 Hash length is 20.\r
- //\r
- PayloadLen = (UINT16) (sizeof (IKEV2_CERT) + 20);\r
- }\r
-\r
- Cert = AllocateZeroPool (PayloadLen);\r
- if (Cert == NULL) {\r
- return NULL;\r
- }\r
-\r
- //\r
- // Generate Certificate Payload or Certificate Request Payload.\r
- //\r
- Cert->Header.NextPayload = NextPayload;\r
- Cert->Header.PayloadLength = PayloadLen;\r
- Cert->CertEncoding = EncodeType;\r
- if (!IsRequest) {\r
- CopyMem (\r
- ((UINT8 *)Cert) + sizeof (IKEV2_CERT),\r
- Certificate,\r
- CertificateLen\r
- );\r
- } else {\r
- Status = IpSecCryptoIoGetPublicKeyFromCert (\r
- Certificate,\r
- CertificateLen,\r
- &PublicKey,\r
- &PublicKeyLen\r
- );\r
- if (EFI_ERROR (Status)) {\r
- goto ON_EXIT;\r
- }\r
-\r
- Fragment[0].Data = PublicKey;\r
- Fragment[0].DataSize = PublicKeyLen;\r
- HashDataSize = IpSecGetHmacDigestLength (IKE_AALG_SHA1HMAC);\r
- HashData = AllocateZeroPool (HashDataSize);\r
- if (HashData == NULL) {\r
- goto ON_EXIT;\r
- }\r
-\r
- Status = IpSecCryptoIoHash (\r
- IKE_AALG_SHA1HMAC,\r
- Fragment,\r
- 1,\r
- HashData,\r
- HashDataSize\r
- );\r
- if (EFI_ERROR (Status)) {\r
- goto ON_EXIT;\r
- }\r
-\r
- CopyMem (\r
- ((UINT8 *)Cert) + sizeof (IKEV2_CERT),\r
- HashData,\r
- HashDataSize\r
- );\r
- }\r
-\r
- CertPayload = IkePayloadAlloc ();\r
- if (CertPayload == NULL) {\r
- goto ON_EXIT;\r
- }\r
-\r
- if (!IsRequest) {\r
- CertPayload->PayloadType = IKEV2_PAYLOAD_TYPE_CERT;\r
- } else {\r
- CertPayload->PayloadType = IKEV2_PAYLOAD_TYPE_CERTREQ;\r
- }\r
-\r
- CertPayload->PayloadBuf = (UINT8 *) Cert;\r
- CertPayload->PayloadSize = PayloadLen;\r
- return CertPayload;\r
-\r
-ON_EXIT:\r
- if (Cert != NULL) {\r
- FreePool (Cert);\r
- }\r
- if (PublicKey != NULL) {\r
- FreePool (PublicKey);\r
- }\r
- return NULL;\r
-}\r
-\r
-/**\r
- Remove and free all IkePayloads in the specified IkePacket.\r
-\r
- @param[in] IkePacket The pointer of IKE_PACKET.\r
-\r
-**/\r
-VOID\r
-ClearAllPayloads (\r
- IN IKE_PACKET *IkePacket\r
- )\r
-{\r
- LIST_ENTRY *PayloadEntry;\r
- IKE_PAYLOAD *IkePayload;\r
- //\r
- // remove all payloads from list and free each payload.\r
- //\r
- while (!IsListEmpty (&IkePacket->PayloadList)) {\r
- PayloadEntry = IkePacket->PayloadList.ForwardLink;\r
- IkePayload = IKE_PAYLOAD_BY_PACKET (PayloadEntry);\r
- IKE_PACKET_REMOVE_PAYLOAD (IkePacket, IkePayload);\r
- IkePayloadFree (IkePayload);\r
- }\r
-}\r
-\r
-/**\r
- Transfer the intrnal data structure IKEV2_SA_DATA to IKEV2_SA structure defined in RFC.\r
-\r
- @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON related to the SA Session.\r
- @param[in] SaData Pointer to IKEV2_SA_DATA to be transfered.\r
-\r
- @retval return the pointer of IKEV2_SA.\r
-\r
-**/\r
-IKEV2_SA*\r
-Ikev2EncodeSa (\r
- IN IKEV2_SESSION_COMMON *SessionCommon,\r
- IN IKEV2_SA_DATA *SaData\r
- )\r
-{\r
- IKEV2_SA *Sa;\r
- UINTN SaSize;\r
- IKEV2_PROPOSAL_DATA *ProposalData;\r
- IKEV2_TRANSFORM_DATA *TransformData;\r
- UINTN TotalTransforms;\r
- UINTN SaAttrsSize;\r
- UINTN TransformsSize;\r
- UINTN TransformSize;\r
- UINTN ProposalsSize;\r
- UINTN ProposalSize;\r
- UINTN ProposalIndex;\r
- UINTN TransformIndex;\r
- IKE_SA_ATTRIBUTE *SaAttribute;\r
- IKEV2_PROPOSAL *Proposal;\r
- IKEV2_TRANSFORM *Transform;\r
-\r
- //\r
- // Transform IKE_SA_DATA structure to IKE_SA Payload.\r
- // Header length is host order.\r
- // The returned IKE_SA struct should be freed by caller.\r
- //\r
- TotalTransforms = 0;\r
- //\r
- // Calculate the Proposal numbers and Transform numbers.\r
- //\r
- for (ProposalIndex = 0; ProposalIndex < SaData->NumProposals; ProposalIndex++) {\r
-\r
- ProposalData = (IKEV2_PROPOSAL_DATA *) (SaData + 1) + ProposalIndex;\r
- TotalTransforms += ProposalData->NumTransforms;\r
-\r
- }\r
- SaSize = sizeof (IKEV2_SA) +\r
- SaData->NumProposals * sizeof (IKEV2_PROPOSAL) +\r
- TotalTransforms * (sizeof (IKEV2_TRANSFORM) + MAX_SA_ATTRS_SIZE);\r
- //\r
- // Allocate buffer for IKE_SA.\r
- //\r
- Sa = AllocateZeroPool (SaSize);\r
- if (Sa == NULL) {\r
- return NULL;\r
- }\r
-\r
- CopyMem (Sa, SaData, sizeof (IKEV2_SA));\r
- Sa->Header.PayloadLength = (UINT16) sizeof (IKEV2_SA);\r
- ProposalsSize = 0;\r
- Proposal = (IKEV2_PROPOSAL *) (Sa + 1);\r
-\r
- //\r
- // Set IKE_PROPOSAL\r
- //\r
- ProposalData = (IKEV2_PROPOSAL_DATA *) (SaData + 1);\r
- for (ProposalIndex = 0; ProposalIndex < SaData->NumProposals; ProposalIndex++) {\r
- Proposal->ProposalIndex = ProposalData->ProposalIndex;\r
- Proposal->ProtocolId = ProposalData->ProtocolId;\r
- Proposal->NumTransforms = ProposalData->NumTransforms;\r
-\r
- if (ProposalData->Spi == 0) {\r
- Proposal->SpiSize = 0;\r
- } else {\r
- Proposal->SpiSize = 4;\r
- *(UINT32 *) (Proposal + 1) = HTONL (*((UINT32*)ProposalData->Spi));\r
- }\r
-\r
- TransformsSize = 0;\r
- Transform = (IKEV2_TRANSFORM *) ((UINT8 *) (Proposal + 1) + Proposal->SpiSize);\r
-\r
- //\r
- // Set IKE_TRANSFORM\r
- //\r
- for (TransformIndex = 0; TransformIndex < ProposalData->NumTransforms; TransformIndex++) {\r
- TransformData = (IKEV2_TRANSFORM_DATA *) (ProposalData + 1) + TransformIndex;\r
- Transform->TransformType = TransformData->TransformType;\r
- Transform->TransformId = HTONS (TransformData->TransformId);\r
- SaAttrsSize = 0;\r
-\r
- //\r
- // If the Encryption Algorithm is variable key length set the key length in attribute.\r
- // Note that only a single attribute type (Key Length) is defined and it is fixed length.\r
- //\r
- if (Transform->TransformType == IKEV2_TRANSFORM_TYPE_ENCR && TransformData->Attribute.Attr.AttrValue != 0) {\r
- SaAttribute = (IKE_SA_ATTRIBUTE *) (Transform + 1);\r
- SaAttribute->AttrType = HTONS (IKEV2_ATTRIBUTE_TYPE_KEYLEN | SA_ATTR_FORMAT_BIT);\r
- SaAttribute->Attr.AttrValue = HTONS (TransformData->Attribute.Attr.AttrValue);\r
- SaAttrsSize = sizeof (IKE_SA_ATTRIBUTE);\r
- }\r
-\r
- //\r
- // If the Integrity Algorithm is variable key length set the key length in attribute.\r
- //\r
- if (Transform->TransformType == IKEV2_TRANSFORM_TYPE_INTEG && TransformData->Attribute.Attr.AttrValue != 0) {\r
- SaAttribute = (IKE_SA_ATTRIBUTE *) (Transform + 1);\r
- SaAttribute->AttrType = HTONS (IKEV2_ATTRIBUTE_TYPE_KEYLEN | SA_ATTR_FORMAT_BIT);\r
- SaAttribute->Attr.AttrValue = HTONS (TransformData->Attribute.Attr.AttrValue);\r
- SaAttrsSize = sizeof (IKE_SA_ATTRIBUTE);\r
- }\r
-\r
- TransformSize = sizeof (IKEV2_TRANSFORM) + SaAttrsSize;\r
- TransformsSize += TransformSize;\r
-\r
- Transform->Header.NextPayload = IKE_TRANSFORM_NEXT_PAYLOAD_MORE;\r
- Transform->Header.PayloadLength = HTONS ((UINT16)TransformSize);\r
-\r
- if (TransformIndex == ((UINT32)ProposalData->NumTransforms - 1)) {\r
- Transform->Header.NextPayload = IKE_TRANSFORM_NEXT_PAYLOAD_NONE;\r
- }\r
-\r
- Transform = (IKEV2_TRANSFORM *)((UINT8 *) Transform + TransformSize);\r
- }\r
-\r
- //\r
- // Set Proposal's Generic Header.\r
- //\r
- ProposalSize = sizeof (IKEV2_PROPOSAL) + Proposal->SpiSize + TransformsSize;\r
- ProposalsSize += ProposalSize;\r
- Proposal->Header.NextPayload = IKE_PROPOSAL_NEXT_PAYLOAD_MORE;\r
- Proposal->Header.PayloadLength = HTONS ((UINT16)ProposalSize);\r
-\r
- if (ProposalIndex == (UINTN)(SaData->NumProposals - 1)) {\r
- Proposal->Header.NextPayload = IKE_PROPOSAL_NEXT_PAYLOAD_NONE;\r
- }\r
-\r
- //\r
- // Point to next Proposal Payload\r
- //\r
- Proposal = (IKEV2_PROPOSAL *) ((UINT8 *) Proposal + ProposalSize);\r
- ProposalData = (IKEV2_PROPOSAL_DATA *)(((UINT8 *)ProposalData) + sizeof (IKEV2_PROPOSAL_DATA) + (TransformIndex * sizeof (IKEV2_TRANSFORM_DATA)));\r
- }\r
- //\r
- // Set SA's Generic Header.\r
- //\r
- Sa->Header.PayloadLength = (UINT16) (Sa->Header.PayloadLength + ProposalsSize);\r
- return Sa;\r
-}\r
-\r
-/**\r
- Decode SA payload.\r
-\r
- This function converts the received SA payload to internal data structure.\r
-\r
- @param[in] SessionCommon Pointer to IKE Common Session used to decode the SA\r
- Payload.\r
- @param[in] Sa Pointer to SA Payload\r
-\r
- @return a Pointer to internal data structure for SA payload.\r
-\r
-**/\r
-IKEV2_SA_DATA *\r
-Ikev2DecodeSa (\r
- IN IKEV2_SESSION_COMMON *SessionCommon,\r
- IN IKEV2_SA *Sa\r
- )\r
-{\r
- IKEV2_SA_DATA *SaData;\r
- EFI_STATUS Status;\r
- IKEV2_PROPOSAL *Proposal;\r
- IKEV2_TRANSFORM *Transform;\r
- UINTN TotalProposals;\r
- UINTN TotalTransforms;\r
- UINTN ProposalNextPayloadSum;\r
- UINTN ProposalIndex;\r
- UINTN TransformIndex;\r
- UINTN SaRemaining;\r
- UINT16 ProposalSize;\r
- UINTN ProposalRemaining;\r
- UINT16 TransformSize;\r
- UINTN SaAttrRemaining;\r
- IKE_SA_ATTRIBUTE *SaAttribute;\r
- IKEV2_PROPOSAL_DATA *ProposalData;\r
- IKEV2_TRANSFORM_DATA *TransformData;\r
- UINT8 *Spi;\r
-\r
- //\r
- // Transfrom from IKE_SA payload to IKE_SA_DATA structure.\r
- // Header length NTOH is already done\r
- // The returned IKE_SA_DATA should be freed by caller\r
- //\r
- SaData = NULL;\r
- Status = EFI_SUCCESS;\r
-\r
- //\r
- // First round sanity check and size calculae\r
- //\r
- TotalProposals = 0;\r
- TotalTransforms = 0;\r
- ProposalNextPayloadSum = 0;\r
- SaRemaining = Sa->Header.PayloadLength - sizeof (IKEV2_SA);// Point to current position in SA\r
- Proposal = (IKEV2_PROPOSAL *)((IKEV2_SA *)(Sa)+1);\r
-\r
- //\r
- // Calculate the number of Proposal payload and the total numbers of\r
- // Transforms payload (the transforms in all proposal payload).\r
- //\r
- while (SaRemaining > sizeof (IKEV2_PROPOSAL)) {\r
- ProposalSize = NTOHS (Proposal->Header.PayloadLength);\r
- if (SaRemaining < ProposalSize) {\r
- Status = EFI_INVALID_PARAMETER;\r
- goto Exit;\r
- }\r
-\r
- if (Proposal->SpiSize != 0 && Proposal->SpiSize != 4) {\r
- Status = EFI_INVALID_PARAMETER;\r
- goto Exit;\r
- }\r
-\r
- TotalProposals++;\r
- TotalTransforms += Proposal->NumTransforms;\r
- SaRemaining -= ProposalSize;\r
- ProposalNextPayloadSum += Proposal->Header.NextPayload;\r
- Proposal = IKEV2_NEXT_PROPOSAL_WITH_SIZE (Proposal, ProposalSize);\r
- }\r
-\r
- //\r
- // Check the proposal number.\r
- // The proposal Substructure, the NextPayLoad field indicates : 0 (last) or 2 (more)\r
- // which Specifies whether this is the last Proposal Substructure in the SA.\r
- // Here suming all Proposal NextPayLoad field to check the proposal number is correct\r
- // or not.\r
- //\r
- if (TotalProposals == 0 ||\r
- (TotalProposals - 1) * IKE_PROPOSAL_NEXT_PAYLOAD_MORE != ProposalNextPayloadSum\r
- ) {\r
- Status = EFI_INVALID_PARAMETER;\r
- goto Exit;\r
- }\r
-\r
- //\r
- // Second round sanity check and decode. Transform the SA payload into\r
- // a IKE_SA_DATA structure.\r
- //\r
- SaData = (IKEV2_SA_DATA *) AllocateZeroPool (\r
- sizeof (IKEV2_SA_DATA) +\r
- TotalProposals * sizeof (IKEV2_PROPOSAL_DATA) +\r
- TotalTransforms * sizeof (IKEV2_TRANSFORM_DATA)\r
- );\r
- if (SaData == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto Exit;\r
- }\r
-\r
- CopyMem (SaData, Sa, sizeof (IKEV2_SA));\r
- SaData->NumProposals = TotalProposals;\r
- ProposalData = (IKEV2_PROPOSAL_DATA *) (SaData + 1);\r
-\r
- //\r
- // Proposal Payload\r
- // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1\r
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r
- // ! Next Payload ! RESERVED ! Payload Length !\r
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r
- // ! Proposal # ! Protocol-Id ! SPI Size !# of Transforms!\r
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r
- // ! SPI (variable) !\r
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r
- //\r
- for (ProposalIndex = 0, Proposal = IKEV2_SA_FIRST_PROPOSAL (Sa);\r
- ProposalIndex < TotalProposals;\r
- ProposalIndex++\r
- ) {\r
-\r
- //\r
- // TODO: check ProposalId\r
- //\r
- ProposalData->ProposalIndex = Proposal->ProposalIndex;\r
- ProposalData->ProtocolId = Proposal->ProtocolId;\r
- if (Proposal->SpiSize == 0) {\r
- ProposalData->Spi = 0;\r
- } else {\r
- //\r
- // SpiSize == 4\r
- //\r
- Spi = AllocateZeroPool (Proposal->SpiSize);\r
- if (Spi == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto Exit;\r
- }\r
-\r
- CopyMem (Spi, (UINT32 *) (Proposal + 1), Proposal->SpiSize);\r
- *((UINT32*) Spi) = NTOHL (*((UINT32*) Spi));\r
- ProposalData->Spi = Spi;\r
- }\r
-\r
- ProposalData->NumTransforms = Proposal->NumTransforms;\r
- ProposalSize = NTOHS (Proposal->Header.PayloadLength);\r
- ProposalRemaining = ProposalSize;\r
- //\r
- // Transform Payload\r
- // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1\r
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r
- // ! Next Payload ! RESERVED ! Payload Length !\r
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r
- // !Transform Type ! RESERVED ! Transform ID !\r
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r
- // ! !\r
- // ~ SA Attributes ~\r
- // ! !\r
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r
- //\r
- Transform = IKEV2_PROPOSAL_FIRST_TRANSFORM (Proposal);\r
- for (TransformIndex = 0; TransformIndex < Proposal->NumTransforms; TransformIndex++) {\r
-\r
- //\r
- // Transfer the IKEV2_TRANSFORM structure into internal IKEV2_TRANSFORM_DATA struture.\r
- //\r
- TransformData = (IKEV2_TRANSFORM_DATA *) (ProposalData + 1) + TransformIndex;\r
- TransformData->TransformId = NTOHS (Transform->TransformId);\r
- TransformData->TransformType = Transform->TransformType;\r
- TransformSize = NTOHS (Transform->Header.PayloadLength);\r
- //\r
- // Check the Proposal Data is correct.\r
- //\r
- if (ProposalRemaining < TransformSize) {\r
- Status = EFI_INVALID_PARAMETER;\r
- goto Exit;\r
- }\r
-\r
- //\r
- // Check if the Transform payload includes Attribution.\r
- //\r
- SaAttrRemaining = TransformSize - sizeof (IKEV2_TRANSFORM);\r
-\r
- //\r
- // According to RFC 4603, currently only the Key length attribute type is\r
- // supported. For each Transform, there is only one attributeion.\r
- //\r
- if (SaAttrRemaining > 0) {\r
- if (SaAttrRemaining != sizeof (IKE_SA_ATTRIBUTE)) {\r
- Status = EFI_INVALID_PARAMETER;\r
- goto Exit;\r
- }\r
- SaAttribute = (IKE_SA_ATTRIBUTE *) ((IKEV2_TRANSFORM *)(Transform) + 1);\r
- TransformData->Attribute.AttrType = (UINT16)((NTOHS (SaAttribute->AttrType)) & ~SA_ATTR_FORMAT_BIT);\r
- TransformData->Attribute.Attr.AttrValue = NTOHS (SaAttribute->Attr.AttrValue);\r
-\r
- //\r
- // Currently, only supports the Key Length Attribution.\r
- //\r
- if (TransformData->Attribute.AttrType != IKEV2_ATTRIBUTE_TYPE_KEYLEN) {\r
- Status = EFI_INVALID_PARAMETER;\r
- goto Exit;\r
- }\r
- }\r
-\r
- //\r
- // Move to next Transform\r
- //\r
- Transform = IKEV2_NEXT_TRANSFORM_WITH_SIZE (Transform, TransformSize);\r
- }\r
- Proposal = IKEV2_NEXT_PROPOSAL_WITH_SIZE (Proposal, ProposalSize);\r
- ProposalData = (IKEV2_PROPOSAL_DATA *) ((UINT8 *)(ProposalData + 1) +\r
- ProposalData->NumTransforms *\r
- sizeof (IKEV2_TRANSFORM_DATA));\r
- }\r
-\r
-Exit:\r
- if (EFI_ERROR (Status) && SaData != NULL) {\r
- FreePool (SaData);\r
- SaData = NULL;\r
- }\r
- return SaData;\r
-}\r
-\r
-/**\r
- General interface of payload encoding.\r
-\r
- This function encodes the internal data structure into payload which\r
- is defined in RFC 4306. The IkePayload->PayloadBuf is used to store both the input\r
- payload and converted payload. Only the SA payload use the interal structure\r
- to store the attribute. Other payload use structure which is same with the RFC\r
- defined, for this kind payloads just do host order to network order change of\r
- some fields.\r
-\r
- @param[in] SessionCommon Pointer to IKE Session Common used to encode the payload.\r
- @param[in, out] IkePayload Pointer to IKE payload to be encoded as input, and\r
- store the encoded result as output.\r
-\r
- @retval EFI_INVALID_PARAMETER Meet error when encoding the SA payload.\r
- @retval EFI_SUCCESS Encoded successfully.\r
-\r
-**/\r
-EFI_STATUS\r
-Ikev2EncodePayload (\r
- IN UINT8 *SessionCommon,\r
- IN OUT IKE_PAYLOAD *IkePayload\r
- )\r
-{\r
- IKEV2_SA_DATA *SaData;\r
- IKEV2_SA *SaPayload;\r
- IKEV2_COMMON_PAYLOAD_HEADER *PayloadHdr;\r
- IKEV2_NOTIFY *NotifyPayload;\r
- IKEV2_DELETE *DeletePayload;\r
- IKEV2_KEY_EXCHANGE *KeyPayload;\r
- IKEV2_TS *TsPayload;\r
- IKEV2_CFG_ATTRIBUTES *CfgAttribute;\r
- UINT8 *TsBuffer;\r
- UINT8 Index;\r
- TRAFFIC_SELECTOR *TrafficSelector;\r
-\r
- //\r
- // Transform the Internal IKE structure to IKE payload.\r
- // Only the SA payload use the interal structure to store the attribute.\r
- // Other payload use structure which same with the RFC defined, so there is\r
- // no need to tranform them to IKE payload.\r
- //\r
- switch (IkePayload->PayloadType) {\r
- case IKEV2_PAYLOAD_TYPE_SA:\r
- //\r
- // Transform IKE_SA_DATA to IK_SA payload\r
- //\r
- SaData = (IKEV2_SA_DATA *) IkePayload->PayloadBuf;\r
- SaPayload = Ikev2EncodeSa ((IKEV2_SESSION_COMMON *) SessionCommon, SaData);\r
-\r
- if (SaPayload == NULL) {\r
- return EFI_INVALID_PARAMETER;\r
- }\r
- if (!IkePayload->IsPayloadBufExt) {\r
- FreePool (IkePayload->PayloadBuf);\r
- }\r
- IkePayload->PayloadBuf = (UINT8 *) SaPayload;\r
- IkePayload->IsPayloadBufExt = FALSE;\r
- break;\r
-\r
- case IKEV2_PAYLOAD_TYPE_NOTIFY:\r
- NotifyPayload = (IKEV2_NOTIFY *) IkePayload->PayloadBuf;\r
- NotifyPayload->MessageType = HTONS (NotifyPayload->MessageType);\r
- break;\r
-\r
- case IKEV2_PAYLOAD_TYPE_DELETE:\r
- DeletePayload = (IKEV2_DELETE *) IkePayload->PayloadBuf;\r
- DeletePayload->NumSpis = HTONS (DeletePayload->NumSpis);\r
- break;\r
-\r
- case IKEV2_PAYLOAD_TYPE_KE:\r
- KeyPayload = (IKEV2_KEY_EXCHANGE *) IkePayload->PayloadBuf;\r
- KeyPayload->DhGroup = HTONS (KeyPayload->DhGroup);\r
- break;\r
-\r
- case IKEV2_PAYLOAD_TYPE_TS_INIT:\r
- case IKEV2_PAYLOAD_TYPE_TS_RSP:\r
- TsPayload = (IKEV2_TS *) IkePayload->PayloadBuf;\r
- TsBuffer = IkePayload->PayloadBuf + sizeof (IKEV2_TS);\r
-\r
- for (Index = 0; Index < TsPayload->TSNumbers; Index++) {\r
- TrafficSelector = (TRAFFIC_SELECTOR *) TsBuffer;\r
- TsBuffer = TsBuffer + TrafficSelector->SelecorLen;\r
- //\r
- // Host order to network order\r
- //\r
- TrafficSelector->SelecorLen = HTONS (TrafficSelector->SelecorLen);\r
- TrafficSelector->StartPort = HTONS (TrafficSelector->StartPort);\r
- TrafficSelector->EndPort = HTONS (TrafficSelector->EndPort);\r
-\r
- }\r
-\r
- break;\r
-\r
- case IKEV2_PAYLOAD_TYPE_CP:\r
- CfgAttribute = (IKEV2_CFG_ATTRIBUTES *)(((IKEV2_CFG *) IkePayload->PayloadBuf) + 1);\r
- CfgAttribute->AttritType = HTONS (CfgAttribute->AttritType);\r
- CfgAttribute->ValueLength = HTONS (CfgAttribute->ValueLength);\r
-\r
- case IKEV2_PAYLOAD_TYPE_ID_INIT:\r
- case IKEV2_PAYLOAD_TYPE_ID_RSP:\r
- case IKEV2_PAYLOAD_TYPE_AUTH:\r
- default:\r
- break;\r
- }\r
-\r
- PayloadHdr = (IKEV2_COMMON_PAYLOAD_HEADER *) IkePayload->PayloadBuf;\r
- IkePayload->PayloadSize = PayloadHdr->PayloadLength;\r
- PayloadHdr->PayloadLength = HTONS (PayloadHdr->PayloadLength);\r
- IKEV2_DUMP_PAYLOAD (IkePayload);\r
- return EFI_SUCCESS;\r
-}\r
-\r
-/**\r
- The general interface for decoding Payload.\r
-\r
- This function converts the received Payload into internal structure.\r
-\r
- @param[in] SessionCommon Pointer to IKE Session Common used for decoding.\r
- @param[in, out] IkePayload Pointer to IKE payload to be decoded as input, and\r
- store the decoded result as output.\r
-\r
- @retval EFI_INVALID_PARAMETER Meet error when decoding the SA payload.\r
- @retval EFI_SUCCESS Decoded successfully.\r
-\r
-**/\r
-EFI_STATUS\r
-Ikev2DecodePayload (\r
- IN UINT8 *SessionCommon,\r
- IN OUT IKE_PAYLOAD *IkePayload\r
- )\r
-{\r
- IKEV2_COMMON_PAYLOAD_HEADER *PayloadHdr;\r
- UINT16 PayloadSize;\r
- UINT8 PayloadType;\r
- IKEV2_SA_DATA *SaData;\r
- EFI_STATUS Status;\r
- IKEV2_NOTIFY *NotifyPayload;\r
- IKEV2_DELETE *DeletePayload;\r
- UINT16 TsTotalSize;\r
- TRAFFIC_SELECTOR *TsSelector;\r
- IKEV2_TS *TsPayload;\r
- IKEV2_KEY_EXCHANGE *KeyPayload;\r
- IKEV2_CFG_ATTRIBUTES *CfgAttribute;\r
- UINT8 Index;\r
-\r
- //\r
- // Transform the IKE payload to Internal IKE structure.\r
- // Only the SA payload and Hash Payload use the interal\r
- // structure to store the attribute. Other payloads use\r
- // structure which is same with the definitions in RFC,\r
- // so there is no need to tranform them to internal IKE\r
- // structure.\r
- //\r
- Status = EFI_SUCCESS;\r
- PayloadSize = (UINT16) IkePayload->PayloadSize;\r
- PayloadType = IkePayload->PayloadType;\r
- PayloadHdr = (IKEV2_COMMON_PAYLOAD_HEADER *) IkePayload->PayloadBuf;\r
- //\r
- // The PayloadSize is the size of whole payload.\r
- // Replace HTONS operation to assignment statements, since the result is same.\r
- //\r
- PayloadHdr->PayloadLength = PayloadSize;\r
-\r
- IKEV2_DUMP_PAYLOAD (IkePayload);\r
- switch (PayloadType) {\r
- case IKEV2_PAYLOAD_TYPE_SA:\r
- if (PayloadSize < sizeof (IKEV2_SA)) {\r
- Status = EFI_INVALID_PARAMETER;\r
- goto Exit;\r
- }\r
-\r
- SaData = Ikev2DecodeSa ((IKEV2_SESSION_COMMON *) SessionCommon, (IKEV2_SA *) PayloadHdr);\r
- if (SaData == NULL) {\r
- Status = EFI_INVALID_PARAMETER;\r
- goto Exit;\r
- }\r
-\r
- if (!IkePayload->IsPayloadBufExt) {\r
- FreePool (IkePayload->PayloadBuf);\r
- }\r
-\r
- IkePayload->PayloadBuf = (UINT8 *) SaData;\r
- IkePayload->IsPayloadBufExt = FALSE;\r
- break;\r
-\r
- case IKEV2_PAYLOAD_TYPE_ID_INIT:\r
- case IKEV2_PAYLOAD_TYPE_ID_RSP :\r
- if (PayloadSize < sizeof (IKEV2_ID)) {\r
- Status = EFI_INVALID_PARAMETER;\r
- goto Exit;\r
- }\r
- break;\r
-\r
- case IKEV2_PAYLOAD_TYPE_NOTIFY:\r
- if (PayloadSize < sizeof (IKEV2_NOTIFY)) {\r
- Status = EFI_INVALID_PARAMETER;\r
- goto Exit;\r
- }\r
-\r
- NotifyPayload = (IKEV2_NOTIFY *) PayloadHdr;\r
- NotifyPayload->MessageType = NTOHS (NotifyPayload->MessageType);\r
- break;\r
-\r
- case IKEV2_PAYLOAD_TYPE_DELETE:\r
- if (PayloadSize < sizeof (IKEV2_DELETE)) {\r
- Status = EFI_INVALID_PARAMETER;\r
- goto Exit;\r
- }\r
-\r
- DeletePayload = (IKEV2_DELETE *) PayloadHdr;\r
- DeletePayload->NumSpis = NTOHS (DeletePayload->NumSpis);\r
- break;\r
-\r
- case IKEV2_PAYLOAD_TYPE_AUTH:\r
- if (PayloadSize < sizeof (IKEV2_AUTH)) {\r
- Status = EFI_INVALID_PARAMETER;\r
- goto Exit;\r
- }\r
- break;\r
-\r
- case IKEV2_PAYLOAD_TYPE_KE:\r
- KeyPayload = (IKEV2_KEY_EXCHANGE *) IkePayload->PayloadBuf;\r
- KeyPayload->DhGroup = HTONS (KeyPayload->DhGroup);\r
- break;\r
-\r
- case IKEV2_PAYLOAD_TYPE_TS_INIT:\r
- case IKEV2_PAYLOAD_TYPE_TS_RSP :\r
- TsTotalSize = 0;\r
- if (PayloadSize < sizeof (IKEV2_TS)) {\r
- Status = EFI_INVALID_PARAMETER;\r
- goto Exit;\r
- }\r
- //\r
- // Parse each traffic selector and transfer network-order to host-order\r
- //\r
- TsPayload = (IKEV2_TS *) IkePayload->PayloadBuf;\r
- TsSelector = (TRAFFIC_SELECTOR *) (IkePayload->PayloadBuf + sizeof (IKEV2_TS));\r
-\r
- for (Index = 0; Index < TsPayload->TSNumbers; Index++) {\r
- TsSelector->SelecorLen = NTOHS (TsSelector->SelecorLen);\r
- TsSelector->StartPort = NTOHS (TsSelector->StartPort);\r
- TsSelector->EndPort = NTOHS (TsSelector->EndPort);\r
-\r
- TsTotalSize = (UINT16) (TsTotalSize + TsSelector->SelecorLen);\r
- TsSelector = (TRAFFIC_SELECTOR *) ((UINT8 *) TsSelector + TsSelector->SelecorLen);\r
- }\r
- //\r
- // Check if the total size of Traffic Selectors is correct.\r
- //\r
- if (TsTotalSize != PayloadSize - sizeof(IKEV2_TS)) {\r
- Status = EFI_INVALID_PARAMETER;\r
- }\r
-\r
- case IKEV2_PAYLOAD_TYPE_CP:\r
- CfgAttribute = (IKEV2_CFG_ATTRIBUTES *)(((IKEV2_CFG *) IkePayload->PayloadBuf) + 1);\r
- CfgAttribute->AttritType = NTOHS (CfgAttribute->AttritType);\r
- CfgAttribute->ValueLength = NTOHS (CfgAttribute->ValueLength);\r
-\r
- default:\r
- break;\r
- }\r
-\r
- Exit:\r
- return Status;\r
-}\r
-\r
-/**\r
- Decode the IKE packet.\r
-\r
- This function first decrypts the IKE packet if needed , then separates the whole\r
- IKE packet from the IkePacket->PayloadBuf into IkePacket payload list.\r
-\r
- @param[in] SessionCommon Pointer to IKEV1_SESSION_COMMON containing\r
- some parameter used by IKE packet decoding.\r
- @param[in, out] IkePacket The IKE Packet to be decoded on input, and\r
- the decoded result on return.\r
- @param[in] IkeType The type of IKE. IKE_SA_TYPE, IKE_INFO_TYPE and\r
- IKE_CHILD_TYPE are supported.\r
-\r
- @retval EFI_SUCCESS The IKE packet is decoded successfully.\r
- @retval Otherwise The IKE packet decoding is failed.\r
-\r
-**/\r
-EFI_STATUS\r
-Ikev2DecodePacket (\r
- IN IKEV2_SESSION_COMMON *SessionCommon,\r
- IN OUT IKE_PACKET *IkePacket,\r
- IN UINTN IkeType\r
- )\r
-{\r
- EFI_STATUS Status;\r
- IKEV2_COMMON_PAYLOAD_HEADER *PayloadHdr;\r
- UINT8 PayloadType;\r
- UINTN RemainBytes;\r
- UINT16 PayloadSize;\r
- IKE_PAYLOAD *IkePayload;\r
- IKE_HEADER *IkeHeader;\r
- IKEV2_SA_SESSION *IkeSaSession;\r
-\r
- IkeHeader = NULL;\r
-\r
- //\r
- // Check if the IkePacket need decrypt.\r
- //\r
- if (SessionCommon->State >= IkeStateAuth) {\r
- Status = Ikev2DecryptPacket (SessionCommon, IkePacket, IkeType);\r
- if (EFI_ERROR (Status)) {\r
- return Status;\r
- }\r
- }\r
-\r
- Status = EFI_SUCCESS;\r
-\r
- //\r
- // If the IkePacket doesn't contain any payload return invalid parameter.\r
- //\r
- if (IkePacket->Header->NextPayload == IKEV2_PAYLOAD_TYPE_NONE) {\r
- if ((SessionCommon->State >= IkeStateAuth) &&\r
- (IkePacket->Header->ExchangeType == IKEV2_EXCHANGE_TYPE_INFO)\r
- ) {\r
- //\r
- // If it is Liveness check, there will be no payload load in the encrypt payload.\r
- //\r
- Status = EFI_SUCCESS;\r
- } else {\r
- Status = EFI_INVALID_PARAMETER;\r
- }\r
- }\r
-\r
- //\r
- // If the PayloadTotalSize < Header length, return invalid parameter.\r
- //\r
- RemainBytes = IkePacket->PayloadTotalSize;\r
- if (RemainBytes < sizeof (IKEV2_COMMON_PAYLOAD_HEADER)) {\r
- Status = EFI_INVALID_PARAMETER;\r
- goto Exit;\r
- }\r
-\r
- //\r
- // If the packet is first or second message, store whole message in\r
- // IkeSa->InitiPacket or IkeSa->RespPacket for following Auth Payload\r
- // calculate.\r
- //\r
- if (IkePacket->Header->ExchangeType == IKEV2_EXCHANGE_TYPE_INIT) {\r
- IkeHeader = AllocateZeroPool (sizeof (IKE_HEADER));\r
- if (IkeHeader == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto Exit;\r
- }\r
-\r
- CopyMem (IkeHeader, IkePacket->Header, sizeof (IKE_HEADER));\r
-\r
- //\r
- // Before store the whole packet, roll back the host order to network order,\r
- // since the header order was changed in the IkePacketFromNetbuf.\r
- //\r
- IkeHdrNetToHost (IkeHeader);\r
- IkeSaSession = IKEV2_SA_SESSION_FROM_COMMON (SessionCommon);\r
- if (SessionCommon->IsInitiator) {\r
- IkeSaSession->RespPacket = AllocateZeroPool (IkePacket->Header->Length);\r
- if (IkeSaSession->RespPacket == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto Exit;\r
- }\r
- IkeSaSession->RespPacketSize = IkePacket->Header->Length;\r
- CopyMem (IkeSaSession->RespPacket, IkeHeader, sizeof (IKE_HEADER));\r
- CopyMem (\r
- IkeSaSession->RespPacket + sizeof (IKE_HEADER),\r
- IkePacket->PayloadsBuf,\r
- IkePacket->Header->Length - sizeof (IKE_HEADER)\r
- );\r
- } else {\r
- IkeSaSession->InitPacket = AllocateZeroPool (IkePacket->Header->Length);\r
- if (IkeSaSession->InitPacket == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto Exit;\r
- }\r
- IkeSaSession->InitPacketSize = IkePacket->Header->Length;\r
- CopyMem (IkeSaSession->InitPacket, IkeHeader, sizeof (IKE_HEADER));\r
- CopyMem (\r
- IkeSaSession->InitPacket + sizeof (IKE_HEADER),\r
- IkePacket->PayloadsBuf,\r
- IkePacket->Header->Length - sizeof (IKE_HEADER)\r
- );\r
- }\r
- }\r
-\r
- //\r
- // Point to the first Payload\r
- //\r
- PayloadHdr = (IKEV2_COMMON_PAYLOAD_HEADER *) IkePacket->PayloadsBuf;\r
- PayloadType = IkePacket->Header->NextPayload;\r
-\r
- //\r
- // Parse each payload\r
- //\r
- while (RemainBytes >= sizeof (IKEV2_COMMON_PAYLOAD_HEADER)) {\r
- PayloadSize = NTOHS (PayloadHdr->PayloadLength);\r
-\r
- //\r
- //Check the size of the payload is correct.\r
- //\r
- if (RemainBytes < PayloadSize) {\r
- Status = EFI_INVALID_PARAMETER;\r
- goto Exit;\r
- }\r
-\r
- //\r
- // At certain states, it should save some datas before decoding.\r
- //\r
- if (SessionCommon->BeforeDecodePayload != NULL) {\r
- SessionCommon->BeforeDecodePayload (\r
- (UINT8 *) SessionCommon,\r
- (UINT8 *) PayloadHdr,\r
- PayloadSize,\r
- PayloadType\r
- );\r
- }\r
-\r
- //\r
- // Initial IkePayload\r
- //\r
- IkePayload = IkePayloadAlloc ();\r
- if (IkePayload == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto Exit;\r
- }\r
-\r
- IkePayload->PayloadType = PayloadType;\r
- IkePayload->PayloadBuf = (UINT8 *) PayloadHdr;\r
- IkePayload->PayloadSize = PayloadSize;\r
- IkePayload->IsPayloadBufExt = TRUE;\r
-\r
- Status = Ikev2DecodePayload ((UINT8 *) SessionCommon, IkePayload);\r
- if (EFI_ERROR (Status)) {\r
- goto Exit;\r
- }\r
-\r
- IPSEC_DUMP_BUF ("After Decoding Payload", IkePayload->PayloadBuf, IkePayload->PayloadSize);\r
- //\r
- // Add each payload into packet\r
- // Notice, the IkePacket->Hdr->Lenght still recode the whole IkePacket length\r
- // which is before the decoding.\r
- //\r
- IKE_PACKET_APPEND_PAYLOAD (IkePacket, IkePayload);\r
-\r
- RemainBytes -= PayloadSize;\r
- PayloadType = PayloadHdr->NextPayload;\r
- if (PayloadType == IKEV2_PAYLOAD_TYPE_NONE) {\r
- break;\r
- }\r
-\r
- PayloadHdr = (IKEV2_COMMON_PAYLOAD_HEADER *) ((UINT8 *) PayloadHdr + PayloadSize);\r
- }\r
-\r
- if (PayloadType != IKEV2_PAYLOAD_TYPE_NONE) {\r
- Status = EFI_INVALID_PARAMETER;\r
- goto Exit;\r
- }\r
-\r
-Exit:\r
- if (EFI_ERROR (Status)) {\r
- ClearAllPayloads (IkePacket);\r
- }\r
-\r
- if (IkeHeader != NULL) {\r
- FreePool (IkeHeader);\r
- }\r
- return Status;\r
-}\r
-\r
-/**\r
- Encode the IKE packet.\r
-\r
- This function puts all Payloads into one payload then encrypt it if needed.\r
-\r
- @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON containing\r
- some parameter used during IKE packet encoding.\r
- @param[in, out] IkePacket Pointer to IKE_PACKET to be encoded as input,\r
- and the encoded result as output.\r
- @param[in] IkeType The type of IKE. IKE_SA_TYPE, IKE_INFO_TYPE and\r
- IKE_CHILD_TYPE are supportted.\r
-\r
- @retval EFI_SUCCESS Encode IKE packet successfully.\r
- @retval Otherwise Encode IKE packet failed.\r
-\r
-**/\r
-EFI_STATUS\r
-Ikev2EncodePacket (\r
- IN IKEV2_SESSION_COMMON *SessionCommon,\r
- IN OUT IKE_PACKET *IkePacket,\r
- IN UINTN IkeType\r
- )\r
-{\r
- IKE_PAYLOAD *IkePayload;\r
- UINTN PayloadTotalSize;\r
- LIST_ENTRY *Entry;\r
- EFI_STATUS Status;\r
- IKEV2_SA_SESSION *IkeSaSession;\r
-\r
- PayloadTotalSize = 0;\r
- //\r
- // Encode each payload\r
- //\r
- for (Entry = IkePacket->PayloadList.ForwardLink; Entry != &(IkePacket->PayloadList);) {\r
- IkePayload = IKE_PAYLOAD_BY_PACKET (Entry);\r
- Entry = Entry->ForwardLink;\r
- Status = Ikev2EncodePayload ((UINT8 *) SessionCommon, IkePayload);\r
- if (EFI_ERROR (Status)) {\r
- return Status;\r
- }\r
-\r
- if (SessionCommon->AfterEncodePayload != NULL) {\r
- //\r
- // For certain states, save some payload for further calculation\r
- //\r
- SessionCommon->AfterEncodePayload (\r
- (UINT8 *) SessionCommon,\r
- IkePayload->PayloadBuf,\r
- IkePayload->PayloadSize,\r
- IkePayload->PayloadType\r
- );\r
- }\r
-\r
- PayloadTotalSize += IkePayload->PayloadSize;\r
- }\r
- IkePacket->PayloadTotalSize = PayloadTotalSize;\r
-\r
- Status = EFI_SUCCESS;\r
- if (SessionCommon->State >= IkeStateAuth) {\r
- //\r
- // Encrypt all payload and transfer IKE packet header from Host order to Network order.\r
- //\r
- Status = Ikev2EncryptPacket (SessionCommon, IkePacket);\r
- if (EFI_ERROR (Status)) {\r
- return Status;\r
- }\r
- } else {\r
- //\r
- // Fill in the lenght into IkePacket header and transfer Host order to Network order.\r
- //\r
- IkePacket->Header->Length = (UINT32) (sizeof (IKE_HEADER) + IkePacket->PayloadTotalSize);\r
- IkeHdrHostToNet (IkePacket->Header);\r
- }\r
-\r
- //\r
- // If the packet is first message, store whole message in IkeSa->InitiPacket\r
- // for following Auth Payload calculation.\r
- //\r
- if (IkePacket->Header->ExchangeType == IKEV2_EXCHANGE_TYPE_INIT) {\r
- IkeSaSession = IKEV2_SA_SESSION_FROM_COMMON (SessionCommon);\r
- if (SessionCommon->IsInitiator) {\r
- IkeSaSession->InitPacketSize = IkePacket->PayloadTotalSize + sizeof (IKE_HEADER);\r
- IkeSaSession->InitPacket = AllocateZeroPool (IkeSaSession->InitPacketSize);\r
- if (IkeSaSession->InitPacket == NULL) {\r
- return EFI_OUT_OF_RESOURCES;\r
- }\r
-\r
- CopyMem (IkeSaSession->InitPacket, IkePacket->Header, sizeof (IKE_HEADER));\r
- PayloadTotalSize = 0;\r
- for (Entry = IkePacket->PayloadList.ForwardLink; Entry != &(IkePacket->PayloadList);) {\r
- IkePayload = IKE_PAYLOAD_BY_PACKET (Entry);\r
- Entry = Entry->ForwardLink;\r
- CopyMem (\r
- IkeSaSession->InitPacket + sizeof (IKE_HEADER) + PayloadTotalSize,\r
- IkePayload->PayloadBuf,\r
- IkePayload->PayloadSize\r
- );\r
- PayloadTotalSize = PayloadTotalSize + IkePayload->PayloadSize;\r
- }\r
- } else {\r
- IkeSaSession->RespPacketSize = IkePacket->PayloadTotalSize + sizeof(IKE_HEADER);\r
- IkeSaSession->RespPacket = AllocateZeroPool (IkeSaSession->RespPacketSize);\r
- if (IkeSaSession->RespPacket == NULL) {\r
- return EFI_OUT_OF_RESOURCES;\r
- }\r
-\r
- CopyMem (IkeSaSession->RespPacket, IkePacket->Header, sizeof (IKE_HEADER));\r
- PayloadTotalSize = 0;\r
- for (Entry = IkePacket->PayloadList.ForwardLink; Entry != &(IkePacket->PayloadList);) {\r
- IkePayload = IKE_PAYLOAD_BY_PACKET (Entry);\r
- Entry = Entry->ForwardLink;\r
-\r
- CopyMem (\r
- IkeSaSession->RespPacket + sizeof (IKE_HEADER) + PayloadTotalSize,\r
- IkePayload->PayloadBuf,\r
- IkePayload->PayloadSize\r
- );\r
- PayloadTotalSize = PayloadTotalSize + IkePayload->PayloadSize;\r
- }\r
- }\r
- }\r
-\r
- return Status;\r
-}\r
-\r
-/**\r
- Decrypt IKE packet.\r
-\r
- This function decrypts the Encrypted IKE packet and put the result into IkePacket->PayloadBuf.\r
-\r
- @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON containing\r
- some parameter used during decrypting.\r
- @param[in, out] IkePacket Pointer to IKE_PACKET to be decrypted as input,\r
- and the decrypted result as output.\r
- @param[in, out] IkeType The type of IKE. IKE_SA_TYPE, IKE_INFO_TYPE and\r
- IKE_CHILD_TYPE are supportted.\r
-\r
- @retval EFI_INVALID_PARAMETER If the IKE packet length is zero or the\r
- IKE packet length is not aligned with Algorithm Block Size\r
- @retval EFI_SUCCESS Decrypt IKE packet successfully.\r
-\r
-**/\r
-EFI_STATUS\r
-Ikev2DecryptPacket (\r
- IN IKEV2_SESSION_COMMON *SessionCommon,\r
- IN OUT IKE_PACKET *IkePacket,\r
- IN OUT UINTN IkeType\r
- )\r
-{\r
- UINT8 CryptBlockSize; // Encrypt Block Size\r
- UINTN DecryptedSize; // Encrypted IKE Payload Size\r
- UINT8 *DecryptedBuf; // Encrypted IKE Payload buffer\r
- UINTN IntegritySize;\r
- UINT8 *IntegrityBuffer;\r
- UINTN IvSize; // Iv Size\r
- UINT8 CheckSumSize; // Integrity Check Sum Size depends on intergrity Auth\r
- UINT8 *CheckSumData; // Check Sum data\r
- IKEV2_SA_SESSION *IkeSaSession;\r
- IKEV2_CHILD_SA_SESSION *ChildSaSession;\r
- EFI_STATUS Status;\r
- UINT8 PadLen;\r
- HASH_DATA_FRAGMENT Fragments[1];\r
-\r
- IvSize = 0;\r
- IkeSaSession = NULL;\r
- CryptBlockSize = 0;\r
- CheckSumSize = 0;\r
-\r
- //\r
- // Check if the first payload is the Encrypted payload\r
- //\r
- if (IkePacket->Header->NextPayload != IKEV2_PAYLOAD_TYPE_ENCRYPT) {\r
- return EFI_ACCESS_DENIED;\r
- }\r
- CheckSumData = NULL;\r
- DecryptedBuf = NULL;\r
- IntegrityBuffer = NULL;\r
-\r
- //\r
- // Get the Block Size\r
- //\r
- if (SessionCommon->IkeSessionType == IkeSessionTypeIkeSa) {\r
-\r
- CryptBlockSize = (UINT8) IpSecGetEncryptBlockSize ((UINT8) SessionCommon->SaParams->EncAlgId);\r
-\r
- CheckSumSize = (UINT8) IpSecGetIcvLength ((UINT8) SessionCommon->SaParams->IntegAlgId);\r
- IkeSaSession = IKEV2_SA_SESSION_FROM_COMMON (SessionCommon);\r
-\r
- } else if (SessionCommon->IkeSessionType == IkeSessionTypeChildSa) {\r
-\r
- ChildSaSession = IKEV2_CHILD_SA_SESSION_FROM_COMMON (SessionCommon);\r
- IkeSaSession = ChildSaSession->IkeSaSession;\r
- CryptBlockSize = (UINT8) IpSecGetEncryptBlockSize ((UINT8) IkeSaSession->SessionCommon.SaParams->EncAlgId);\r
- CheckSumSize = (UINT8) IpSecGetIcvLength ((UINT8) IkeSaSession->SessionCommon.SaParams->IntegAlgId);\r
- } else {\r
- //\r
- // The type of SA Session would either be IkeSa or ChildSa.\r
- //\r
- return EFI_INVALID_PARAMETER;\r
- }\r
-\r
- CheckSumData = AllocateZeroPool (CheckSumSize);\r
- if (CheckSumData == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto ON_EXIT;\r
- }\r
-\r
- //\r
- // Fill in the Integrity buffer\r
- //\r
- IntegritySize = IkePacket->PayloadTotalSize + sizeof (IKE_HEADER);\r
- IntegrityBuffer = AllocateZeroPool (IntegritySize);\r
- if (IntegrityBuffer == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto ON_EXIT;\r
- }\r
-\r
- CopyMem (IntegrityBuffer, IkePacket->Header, sizeof(IKE_HEADER));\r
- CopyMem (IntegrityBuffer + sizeof (IKE_HEADER), IkePacket->PayloadsBuf, IkePacket->PayloadTotalSize);\r
-\r
- //\r
- // Change Host order to Network order, since the header order was changed\r
- // in the IkePacketFromNetbuf.\r
- //\r
- IkeHdrHostToNet ((IKE_HEADER *)IntegrityBuffer);\r
-\r
- //\r
- // Calculate the Integrity CheckSum Data\r
- //\r
- Fragments[0].Data = IntegrityBuffer;\r
- Fragments[0].DataSize = IntegritySize - CheckSumSize;\r
-\r
- if (SessionCommon->IsInitiator) {\r
- Status = IpSecCryptoIoHmac (\r
- (UINT8)IkeSaSession->SessionCommon.SaParams->IntegAlgId,\r
- IkeSaSession->IkeKeys->SkArKey,\r
- IkeSaSession->IkeKeys->SkArKeySize,\r
- (HASH_DATA_FRAGMENT *) Fragments,\r
- 1,\r
- CheckSumData,\r
- CheckSumSize\r
- );\r
- } else {\r
- Status = IpSecCryptoIoHmac (\r
- (UINT8)IkeSaSession->SessionCommon.SaParams->IntegAlgId,\r
- IkeSaSession->IkeKeys->SkAiKey,\r
- IkeSaSession->IkeKeys->SkAiKeySize,\r
- (HASH_DATA_FRAGMENT *) Fragments,\r
- 1,\r
- CheckSumData,\r
- CheckSumSize\r
- );\r
- }\r
-\r
- if (EFI_ERROR (Status)) {\r
- goto ON_EXIT;\r
- }\r
- //\r
- // Compare the Integrity CheckSum Data with the one in IkePacket\r
- //\r
- if (CompareMem (\r
- IkePacket->PayloadsBuf + IkePacket->PayloadTotalSize - CheckSumSize,\r
- CheckSumData,\r
- CheckSumSize\r
- ) != 0) {\r
- DEBUG ((DEBUG_ERROR, "Error auth verify payload\n"));\r
- Status = EFI_ACCESS_DENIED;\r
- goto ON_EXIT;\r
- }\r
-\r
- IvSize = CryptBlockSize;\r
-\r
- //\r
- // Decrypt the payload with the key.\r
- //\r
- DecryptedSize = IkePacket->PayloadTotalSize - sizeof (IKEV2_COMMON_PAYLOAD_HEADER) - IvSize - CheckSumSize;\r
- DecryptedBuf = AllocateZeroPool (DecryptedSize);\r
- if (DecryptedBuf == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto ON_EXIT;\r
- }\r
-\r
- CopyMem (\r
- DecryptedBuf,\r
- IkePacket->PayloadsBuf + sizeof (IKEV2_COMMON_PAYLOAD_HEADER) + IvSize,\r
- DecryptedSize\r
- );\r
-\r
- if (SessionCommon->IsInitiator) {\r
- Status = IpSecCryptoIoDecrypt (\r
- (UINT8) SessionCommon->SaParams->EncAlgId,\r
- IkeSaSession->IkeKeys->SkErKey,\r
- IkeSaSession->IkeKeys->SkErKeySize << 3,\r
- IkePacket->PayloadsBuf + sizeof (IKEV2_COMMON_PAYLOAD_HEADER),\r
- DecryptedBuf,\r
- DecryptedSize,\r
- DecryptedBuf\r
- );\r
- } else {\r
- Status = IpSecCryptoIoDecrypt (\r
- (UINT8) SessionCommon->SaParams->EncAlgId,\r
- IkeSaSession->IkeKeys->SkEiKey,\r
- IkeSaSession->IkeKeys->SkEiKeySize << 3,\r
- IkePacket->PayloadsBuf + sizeof (IKEV2_COMMON_PAYLOAD_HEADER),\r
- DecryptedBuf,\r
- DecryptedSize,\r
- DecryptedBuf\r
- );\r
- }\r
-\r
- if (EFI_ERROR (Status)) {\r
- DEBUG ((DEBUG_ERROR, "Error decrypt buffer with %r\n", Status));\r
- goto ON_EXIT;\r
- }\r
-\r
- //\r
- // Get the Padding length\r
- //\r
- //\r
- PadLen = (UINT8) (*(DecryptedBuf + DecryptedSize - sizeof (IKEV2_PAD_LEN)));\r
-\r
- //\r
- // Save the next payload of encrypted payload into IkePacket->Hdr->NextPayload\r
- //\r
- IkePacket->Header->NextPayload = ((IKEV2_ENCRYPTED *) IkePacket->PayloadsBuf)->Header.NextPayload;\r
-\r
- //\r
- // Free old IkePacket->PayloadBuf and point it to decrypted paylaod buffer.\r
- //\r
- FreePool (IkePacket->PayloadsBuf);\r
- IkePacket->PayloadsBuf = DecryptedBuf;\r
- IkePacket->PayloadTotalSize = DecryptedSize - PadLen;\r
-\r
- IPSEC_DUMP_BUF ("Decrypted Buffer", DecryptedBuf, DecryptedSize);\r
-\r
-\r
-ON_EXIT:\r
- if (CheckSumData != NULL) {\r
- FreePool (CheckSumData);\r
- }\r
-\r
- if (EFI_ERROR (Status) && DecryptedBuf != NULL) {\r
- FreePool (DecryptedBuf);\r
- }\r
-\r
- if (IntegrityBuffer != NULL) {\r
- FreePool (IntegrityBuffer);\r
- }\r
-\r
- return Status;\r
-}\r
-\r
-/**\r
- Encrypt IKE packet.\r
-\r
- This function encrypt IKE packet before sending it. The Encrypted IKE packet\r
- is put in to IKEV2 Encrypted Payload.\r
-\r
- @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON related to the IKE packet.\r
- @param[in, out] IkePacket Pointer to IKE packet to be encrypted.\r
-\r
- @retval EFI_SUCCESS Operation is successful.\r
- @retval Others Operation is failed.\r
-\r
-**/\r
-EFI_STATUS\r
-Ikev2EncryptPacket (\r
- IN IKEV2_SESSION_COMMON *SessionCommon,\r
- IN OUT IKE_PACKET *IkePacket\r
- )\r
-{\r
- UINT8 CryptBlockSize; // Encrypt Block Size\r
- UINT8 CryptBlockSizeMask; // Block Mask\r
- UINTN EncryptedSize; // Encrypted IKE Payload Size\r
- UINT8 *EncryptedBuf; // Encrypted IKE Payload buffer\r
- UINT8 *EncryptPayloadBuf; // Contain whole Encrypted Payload\r
- UINTN EncryptPayloadSize; // Total size of the Encrypted payload\r
- UINT8 *IntegrityBuf; // Buffer to be intergity\r
- UINT8 *IvBuffer; // Initialization Vector\r
- UINT8 IvSize; // Iv Size\r
- UINT8 CheckSumSize; // Integrity Check Sum Size depends on intergrity Auth\r
- UINT8 *CheckSumData; // Check Sum data\r
- UINTN Index;\r
- IKE_PAYLOAD *EncryptPayload;\r
- IKEV2_SA_SESSION *IkeSaSession;\r
- IKEV2_CHILD_SA_SESSION *ChildSaSession;\r
- EFI_STATUS Status;\r
- LIST_ENTRY *Entry;\r
- IKE_PAYLOAD *IkePayload;\r
- HASH_DATA_FRAGMENT Fragments[1];\r
-\r
- Status = EFI_SUCCESS;\r
-\r
- //\r
- // Initial all buffers to NULL.\r
- //\r
- EncryptedBuf = NULL;\r
- EncryptPayloadBuf = NULL;\r
- IvBuffer = NULL;\r
- CheckSumData = NULL;\r
- IkeSaSession = NULL;\r
- CryptBlockSize = 0;\r
- CheckSumSize = 0;\r
- IntegrityBuf = NULL;\r
- //\r
- // Get the Block Size\r
- //\r
- if (SessionCommon->IkeSessionType == IkeSessionTypeIkeSa) {\r
-\r
- CryptBlockSize = (UINT8) IpSecGetEncryptBlockSize ((UINT8) SessionCommon->SaParams->EncAlgId);\r
- CheckSumSize = (UINT8) IpSecGetIcvLength ((UINT8) SessionCommon->SaParams->IntegAlgId);\r
- IkeSaSession = IKEV2_SA_SESSION_FROM_COMMON (SessionCommon);\r
-\r
- } else if (SessionCommon->IkeSessionType == IkeSessionTypeChildSa) {\r
-\r
- ChildSaSession = IKEV2_CHILD_SA_SESSION_FROM_COMMON (SessionCommon);\r
- IkeSaSession = ChildSaSession->IkeSaSession;\r
- CryptBlockSize = (UINT8) IpSecGetEncryptBlockSize ((UINT8) IkeSaSession->SessionCommon.SaParams->EncAlgId);\r
- CheckSumSize = (UINT8) IpSecGetIcvLength ((UINT8) IkeSaSession->SessionCommon.SaParams->IntegAlgId);\r
- }\r
-\r
- //\r
- // Calcualte the EncryptPayloadSize and the PAD length\r
- //\r
- CryptBlockSizeMask = (UINT8) (CryptBlockSize - 1);\r
- EncryptedSize = (IkePacket->PayloadTotalSize + sizeof (IKEV2_PAD_LEN) + CryptBlockSizeMask) & ~CryptBlockSizeMask;\r
- EncryptedBuf = (UINT8 *) AllocateZeroPool (EncryptedSize);\r
- if (EncryptedBuf == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto ON_EXIT;\r
- }\r
-\r
- //\r
- // Copy all payload into EncryptedIkePayload\r
- //\r
- Index = 0;\r
- NET_LIST_FOR_EACH (Entry, &(IkePacket)->PayloadList) {\r
- IkePayload = IKE_PAYLOAD_BY_PACKET (Entry);\r
-\r
- CopyMem (EncryptedBuf + Index, IkePayload->PayloadBuf, IkePayload->PayloadSize);\r
- Index += IkePayload->PayloadSize;\r
-\r
- };\r
-\r
- //\r
- // Fill in the Pading Length\r
- //\r
- *(EncryptedBuf + EncryptedSize - 1) = (UINT8)(EncryptedSize - IkePacket->PayloadTotalSize - 1);\r
-\r
- //\r
- // The IV size is equal with block size\r
- //\r
- IvSize = CryptBlockSize;\r
- IvBuffer = (UINT8 *) AllocateZeroPool (IvSize);\r
- if (IvBuffer == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto ON_EXIT;\r
- }\r
-\r
- //\r
- // Generate IV\r
- //\r
- IkeGenerateIv (IvBuffer, IvSize);\r
-\r
- //\r
- // Encrypt payload buf\r
- //\r
- if (SessionCommon->IsInitiator) {\r
- Status = IpSecCryptoIoEncrypt (\r
- (UINT8) IkeSaSession->SessionCommon.SaParams->EncAlgId,\r
- IkeSaSession->IkeKeys->SkEiKey,\r
- IkeSaSession->IkeKeys->SkEiKeySize << 3,\r
- IvBuffer,\r
- EncryptedBuf,\r
- EncryptedSize,\r
- EncryptedBuf\r
- );\r
- } else {\r
- Status = IpSecCryptoIoEncrypt (\r
- (UINT8) IkeSaSession->SessionCommon.SaParams->EncAlgId,\r
- IkeSaSession->IkeKeys->SkErKey,\r
- IkeSaSession->IkeKeys->SkErKeySize << 3,\r
- IvBuffer,\r
- EncryptedBuf,\r
- EncryptedSize,\r
- EncryptedBuf\r
- );\r
- }\r
- if (EFI_ERROR (Status)) {\r
- goto ON_EXIT;\r
- }\r
-\r
- //\r
- // Allocate the buffer for the whole IKE payload (Encrypted Payload).\r
- //\r
- EncryptPayloadSize = sizeof(IKEV2_ENCRYPTED) + IvSize + EncryptedSize + CheckSumSize;\r
- EncryptPayloadBuf = AllocateZeroPool (EncryptPayloadSize);\r
- if (EncryptPayloadBuf == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto ON_EXIT;\r
- }\r
-\r
- //\r
- // Fill in Header of Encrypted Payload\r
- //\r
- ((IKEV2_ENCRYPTED *) EncryptPayloadBuf)->Header.NextPayload = IkePacket->Header->NextPayload;\r
- ((IKEV2_ENCRYPTED *) EncryptPayloadBuf)->Header.PayloadLength = HTONS ((UINT16)EncryptPayloadSize);\r
-\r
- //\r
- // Fill in Iv\r
- //\r
- CopyMem (EncryptPayloadBuf + sizeof (IKEV2_ENCRYPTED), IvBuffer, IvSize);\r
-\r
- //\r
- // Fill in encrypted data\r
- //\r
- CopyMem (EncryptPayloadBuf + sizeof (IKEV2_ENCRYPTED) + IvSize, EncryptedBuf, EncryptedSize);\r
-\r
- //\r
- // Fill in the IKE Packet header\r
- //\r
- IkePacket->PayloadTotalSize = EncryptPayloadSize;\r
- IkePacket->Header->Length = (UINT32) (sizeof (IKE_HEADER) + IkePacket->PayloadTotalSize);\r
- IkePacket->Header->NextPayload = IKEV2_PAYLOAD_TYPE_ENCRYPT;\r
-\r
- IntegrityBuf = AllocateZeroPool (IkePacket->Header->Length);\r
- if (IntegrityBuf == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto ON_EXIT;\r
- }\r
- IkeHdrHostToNet (IkePacket->Header);\r
-\r
- CopyMem (IntegrityBuf, IkePacket->Header, sizeof (IKE_HEADER));\r
- CopyMem (IntegrityBuf + sizeof (IKE_HEADER), EncryptPayloadBuf, EncryptPayloadSize);\r
-\r
- //\r
- // Calcualte Integrity CheckSum\r
- //\r
- Fragments[0].Data = IntegrityBuf;\r
- Fragments[0].DataSize = EncryptPayloadSize + sizeof (IKE_HEADER) - CheckSumSize;\r
-\r
- CheckSumData = AllocateZeroPool (CheckSumSize);\r
- if (CheckSumData == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto ON_EXIT;\r
- }\r
- if (SessionCommon->IsInitiator) {\r
-\r
- IpSecCryptoIoHmac (\r
- (UINT8)IkeSaSession->SessionCommon.SaParams->IntegAlgId,\r
- IkeSaSession->IkeKeys->SkAiKey,\r
- IkeSaSession->IkeKeys->SkAiKeySize,\r
- (HASH_DATA_FRAGMENT *) Fragments,\r
- 1,\r
- CheckSumData,\r
- CheckSumSize\r
- );\r
- } else {\r
-\r
- IpSecCryptoIoHmac (\r
- (UINT8)IkeSaSession->SessionCommon.SaParams->IntegAlgId,\r
- IkeSaSession->IkeKeys->SkArKey,\r
- IkeSaSession->IkeKeys->SkArKeySize,\r
- (HASH_DATA_FRAGMENT *) Fragments,\r
- 1,\r
- CheckSumData,\r
- CheckSumSize\r
- );\r
- }\r
-\r
- //\r
- // Copy CheckSum into Encrypted Payload\r
- //\r
- CopyMem (EncryptPayloadBuf + EncryptPayloadSize - CheckSumSize, CheckSumData, CheckSumSize);\r
-\r
- IPSEC_DUMP_BUF ("Encrypted payload buffer", EncryptPayloadBuf, EncryptPayloadSize);\r
- IPSEC_DUMP_BUF ("Integrith CheckSum Data", CheckSumData, CheckSumSize);\r
-\r
- //\r
- // Clean all payload under IkePacket->PayloadList.\r
- //\r
- ClearAllPayloads (IkePacket);\r
-\r
- //\r
- // Create Encrypted Payload and add into IkePacket->PayloadList\r
- //\r
- EncryptPayload = IkePayloadAlloc ();\r
- if (EncryptPayload == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto ON_EXIT;\r
- }\r
-\r
- //\r
- // Fill the encrypted payload into the IKE_PAYLOAD structure.\r
- //\r
- EncryptPayload->PayloadBuf = EncryptPayloadBuf;\r
- EncryptPayload->PayloadSize = EncryptPayloadSize;\r
- EncryptPayload->PayloadType = IKEV2_PAYLOAD_TYPE_ENCRYPT;\r
-\r
- IKE_PACKET_APPEND_PAYLOAD (IkePacket, EncryptPayload);\r
-\r
-ON_EXIT:\r
- if (EncryptedBuf != NULL) {\r
- FreePool (EncryptedBuf);\r
- }\r
-\r
- if (EFI_ERROR (Status) && EncryptPayloadBuf != NULL) {\r
- FreePool (EncryptPayloadBuf);\r
- }\r
-\r
- if (IvBuffer != NULL) {\r
- FreePool (IvBuffer);\r
- }\r
-\r
- if (CheckSumData != NULL) {\r
- FreePool (CheckSumData);\r
- }\r
-\r
- if (IntegrityBuf != NULL) {\r
- FreePool (IntegrityBuf);\r
- }\r
-\r
- return Status;\r
-}\r
-\r
-\r
-/**\r
-\r
- The notification function. It will be called when the related UDP_TX_TOKEN's event\r
- is signaled.\r
-\r
- This function frees the Net Buffer pointed to the input Packet.\r
-\r
- @param[in] Packet Pointer to Net buffer containing the sending IKE packet.\r
- @param[in] EndPoint Pointer to UDP_END_POINT containing the remote and local\r
- address information.\r
- @param[in] IoStatus The Status of the related UDP_TX_TOKEN.\r
- @param[in] Context Pointer to data passed from the caller.\r
-\r
-**/\r
-VOID\r
-EFIAPI\r
-Ikev2OnPacketSent (\r
- IN NET_BUF *Packet,\r
- IN UDP_END_POINT *EndPoint,\r
- IN EFI_STATUS IoStatus,\r
- IN VOID *Context\r
- )\r
-{\r
- IKE_PACKET *IkePacket;\r
- IKEV2_SA_SESSION *IkeSaSession;\r
- IKEV2_CHILD_SA_SESSION *ChildSaSession;\r
- UINT8 Value;\r
- IPSEC_PRIVATE_DATA *Private;\r
- EFI_STATUS Status;\r
-\r
- IkePacket = (IKE_PACKET *) Context;\r
- Private = NULL;\r
-\r
- if (EFI_ERROR (IoStatus)) {\r
- DEBUG ((DEBUG_ERROR, "Error send the last packet in IkeSessionTypeIkeSa with %r\n", IoStatus));\r
- }\r
-\r
- NetbufFree (Packet);\r
-\r
- if (IkePacket->IsDeleteInfo) {\r
- //\r
- // For each RemotePeerIP, there are only one IKESA.\r
- //\r
- IkeSaSession = Ikev2SaSessionLookup (\r
- &IkePacket->Private->Ikev2EstablishedList,\r
- &IkePacket->RemotePeerIp\r
- );\r
- if (IkeSaSession == NULL) {\r
- IkePacketFree (IkePacket);\r
- return;\r
- }\r
-\r
- Private = IkePacket->Private;\r
- if (IkePacket->Spi != 0 ) {\r
- //\r
- // At that time, the established Child SA still in eht ChildSaEstablishSessionList.\r
- // And meanwhile, if the Child SA is in the the ChildSa in Delete list,\r
- // remove it from delete list and delete it direclty.\r
- //\r
- ChildSaSession = Ikev2ChildSaSessionLookupBySpi (\r
- &IkeSaSession->ChildSaEstablishSessionList,\r
- IkePacket->Spi\r
- );\r
- if (ChildSaSession != NULL) {\r
- Ikev2ChildSaSessionRemove (\r
- &IkeSaSession->DeleteSaList,\r
- ChildSaSession->LocalPeerSpi,\r
- IKEV2_DELET_CHILDSA_LIST\r
- );\r
-\r
- //\r
- // Delete the Child SA.\r
- //\r
- Ikev2ChildSaSilentDelete (\r
- IkeSaSession,\r
- IkePacket->Spi\r
- );\r
- }\r
-\r
- } else {\r
- //\r
- // Delete the IKE SA\r
- //\r
- DEBUG (\r
- (DEBUG_INFO,\r
- "\n------ deleted Packet (cookie_i, cookie_r):(0x%lx, 0x%lx)------\n",\r
- IkeSaSession->InitiatorCookie,\r
- IkeSaSession->ResponderCookie)\r
- );\r
-\r
- RemoveEntryList (&IkeSaSession->BySessionTable);\r
- Ikev2SaSessionFree (IkeSaSession);\r
- }\r
- }\r
- IkePacketFree (IkePacket);\r
-\r
- //\r
- // when all IKE SAs were disabled by calling "IPsecConfig -disable", the IPsec status\r
- // should be changed.\r
- //\r
- if (Private != NULL && Private->IsIPsecDisabling) {\r
- //\r
- // After all IKE SAs were deleted, set the IPSEC_STATUS_DISABLED value in\r
- // IPsec status variable.\r
- //\r
- if (IsListEmpty (&Private->Ikev1EstablishedList) && IsListEmpty (&Private->Ikev2EstablishedList)) {\r
- Value = IPSEC_STATUS_DISABLED;\r
- Status = gRT->SetVariable (\r
- IPSECCONFIG_STATUS_NAME,\r
- &gEfiIpSecConfigProtocolGuid,\r
- EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_NON_VOLATILE,\r
- sizeof (Value),\r
- &Value\r
- );\r
- if (!EFI_ERROR (Status)) {\r
- //\r
- // Set the DisabledFlag in Private data.\r
- //\r
- Private->IpSec.DisabledFlag = TRUE;\r
- Private->IsIPsecDisabling = FALSE;\r
- }\r
- }\r
- }\r
-}\r
-\r
-/**\r
- Send out IKEV2 packet.\r
-\r
- @param[in] IkeUdpService Pointer to IKE_UDP_SERVICE used to send the IKE packet.\r
- @param[in] SessionCommon Pointer to IKEV1_SESSION_COMMON related to the IKE packet.\r
- @param[in] IkePacket Pointer to IKE_PACKET to be sent out.\r
- @param[in] IkeType The type of IKE to point what's kind of the IKE\r
- packet is to be sent out. IKE_SA_TYPE, IKE_INFO_TYPE\r
- and IKE_CHILD_TYPE are supportted.\r
-\r
- @retval EFI_SUCCESS The operation complete successfully.\r
- @retval Otherwise The operation is failed.\r
-\r
-**/\r
-EFI_STATUS\r
-Ikev2SendIkePacket (\r
- IN IKE_UDP_SERVICE *IkeUdpService,\r
- IN UINT8 *SessionCommon,\r
- IN IKE_PACKET *IkePacket,\r
- IN UINTN IkeType\r
- )\r
-{\r
- EFI_STATUS Status;\r
- NET_BUF *IkePacketNetbuf;\r
- UDP_END_POINT EndPoint;\r
- IKEV2_SESSION_COMMON *Common;\r
-\r
- Common = (IKEV2_SESSION_COMMON *) SessionCommon;\r
-\r
- //\r
- // Set the resend interval\r
- //\r
- if (Common->TimeoutInterval == 0) {\r
- Common->TimeoutInterval = IKE_DEFAULT_TIMEOUT_INTERVAL;\r
- }\r
-\r
- //\r
- // Retransfer the packet if it is initial packet.\r
- //\r
- if (IkePacket->Header->Flags == IKE_HEADER_FLAGS_INIT) {\r
- //\r
- // Set timer for next retry, this will cancel previous timer\r
- //\r
- Status = gBS->SetTimer (\r
- Common->TimeoutEvent,\r
- TimerRelative,\r
- MultU64x32 (Common->TimeoutInterval, 10000) // ms->100ns\r
- );\r
- if (EFI_ERROR (Status)) {\r
- return Status;\r
- }\r
- }\r
-\r
- IKE_PACKET_REF (IkePacket);\r
- //\r
- // If the last sent packet is same with this round packet, the packet is resent packet.\r
- //\r
- if (IkePacket != Common->LastSentPacket && Common->LastSentPacket != NULL) {\r
- IkePacketFree (Common->LastSentPacket);\r
- }\r
-\r
- Common->LastSentPacket = IkePacket;\r
-\r
- //\r
- // Transform IkePacke to NetBuf\r
- //\r
- IkePacketNetbuf = IkeNetbufFromPacket ((UINT8 *) SessionCommon, IkePacket, IkeType);\r
- if (IkePacketNetbuf == NULL) {\r
- return EFI_OUT_OF_RESOURCES;\r
- }\r
-\r
- ZeroMem (&EndPoint, sizeof (UDP_END_POINT));\r
- EndPoint.RemotePort = IKE_DEFAULT_PORT;\r
- CopyMem (&IkePacket->RemotePeerIp, &Common->RemotePeerIp, sizeof (EFI_IP_ADDRESS));\r
- CopyMem (&EndPoint.RemoteAddr, &Common->RemotePeerIp, sizeof (EFI_IP_ADDRESS));\r
- CopyMem (&EndPoint.LocalAddr, &Common->LocalPeerIp, sizeof (EFI_IP_ADDRESS));\r
-\r
- IPSEC_DUMP_PACKET (IkePacket, EfiIPsecOutBound, IkeUdpService->IpVersion);\r
-\r
- if (IkeUdpService->IpVersion == IP_VERSION_4) {\r
- EndPoint.RemoteAddr.Addr[0] = HTONL (EndPoint.RemoteAddr.Addr[0]);\r
- EndPoint.LocalAddr.Addr[0] = HTONL (EndPoint.LocalAddr.Addr[0]);\r
- }\r
-\r
- //\r
- // Call UDPIO to send out the IKE packet.\r
- //\r
- Status = UdpIoSendDatagram (\r
- IkeUdpService->Output,\r
- IkePacketNetbuf,\r
- &EndPoint,\r
- NULL,\r
- Ikev2OnPacketSent,\r
- (VOID*)IkePacket\r
- );\r
-\r
- if (EFI_ERROR (Status)) {\r
- DEBUG ((DEBUG_ERROR, "Error send packet with %r\n", Status));\r
- }\r
-\r
- return Status;\r
-}\r
-\r
+++ /dev/null
-/** @file\r
- The Definitions related to IKEv2 payload.\r
-\r
- Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>\r
-\r
- SPDX-License-Identifier: BSD-2-Clause-Patent\r
-\r
-**/\r
-#ifndef _IKE_V2_PAYLOAD_H_\r
-#define _IKE_V2_PAYLOAD_H_\r
-\r
-//\r
-// Payload Type for IKEv2\r
-//\r
-#define IKEV2_PAYLOAD_TYPE_NONE 0\r
-#define IKEV2_PAYLOAD_TYPE_SA 33\r
-#define IKEV2_PAYLOAD_TYPE_KE 34\r
-#define IKEV2_PAYLOAD_TYPE_ID_INIT 35\r
-#define IKEV2_PAYLOAD_TYPE_ID_RSP 36\r
-#define IKEV2_PAYLOAD_TYPE_CERT 37\r
-#define IKEV2_PAYLOAD_TYPE_CERTREQ 38\r
-#define IKEV2_PAYLOAD_TYPE_AUTH 39\r
-#define IKEV2_PAYLOAD_TYPE_NONCE 40\r
-#define IKEV2_PAYLOAD_TYPE_NOTIFY 41\r
-#define IKEV2_PAYLOAD_TYPE_DELETE 42\r
-#define IKEV2_PAYLOAD_TYPE_VENDOR 43\r
-#define IKEV2_PAYLOAD_TYPE_TS_INIT 44\r
-#define IKEV2_PAYLOAD_TYPE_TS_RSP 45\r
-#define IKEV2_PAYLOAD_TYPE_ENCRYPT 46\r
-#define IKEV2_PAYLOAD_TYPE_CP 47\r
-#define IKEV2_PAYLOAD_TYPE_EAP 48\r
-\r
-//\r
-// IKE header Flag (1 octet) for IKEv2, defined in RFC 4306 section 3.1\r
-//\r
-// I(nitiator) (bit 3 of Flags, 0x08) - This bit MUST be set in messages sent by the\r
-// original initiator of the IKE_SA\r
-//\r
-// R(esponse) (bit 5 of Flags, 0x20) - This bit indicates that this message is a response to\r
-// a message containing the same message ID.\r
-//\r
-#define IKE_HEADER_FLAGS_INIT 0x08\r
-#define IKE_HEADER_FLAGS_RESPOND 0x20\r
-\r
-//\r
-// IKE Header Exchange Type for IKEv2\r
-//\r
-#define IKEV2_EXCHANGE_TYPE_INIT 34\r
-#define IKEV2_EXCHANGE_TYPE_AUTH 35\r
-#define IKEV2_EXCHANGE_TYPE_CREATE_CHILD 36\r
-#define IKEV2_EXCHANGE_TYPE_INFO 37\r
-\r
-#pragma pack(1)\r
-typedef struct {\r
- UINT8 NextPayload;\r
- UINT8 Reserved;\r
- UINT16 PayloadLength;\r
-} IKEV2_COMMON_PAYLOAD_HEADER;\r
-#pragma pack()\r
-\r
-#pragma pack(1)\r
-typedef struct {\r
- IKEV2_COMMON_PAYLOAD_HEADER Header;\r
- //\r
- // Proposals\r
- //\r
-} IKEV2_SA;\r
-#pragma pack()\r
-\r
-#pragma pack(1)\r
-typedef struct {\r
- IKEV2_COMMON_PAYLOAD_HEADER Header;\r
- UINT8 ProposalIndex;\r
- UINT8 ProtocolId;\r
- UINT8 SpiSize;\r
- UINT8 NumTransforms;\r
-} IKEV2_PROPOSAL;\r
-#pragma pack()\r
-\r
-//\r
-// IKEv2 Transform Type Values presented within Transform Payload\r
-//\r
-#define IKEV2_TRANSFORM_TYPE_ENCR 1 // Encryption Algorithm\r
-#define IKEV2_TRANSFORM_TYPE_PRF 2 // Pseduo-Random Func\r
-#define IKEV2_TRANSFORM_TYPE_INTEG 3 // Integrity Algorithm\r
-#define IKEV2_TRANSFORM_TYPE_DH 4 // DH Group\r
-#define IKEV2_TRANSFORM_TYPE_ESN 5 // Extended Sequence Number\r
-\r
-//\r
-// IKEv2 Transform ID for Encrypt Algorithm (ENCR)\r
-//\r
-#define IKEV2_TRANSFORM_ID_ENCR_DES_IV64 1\r
-#define IKEV2_TRANSFORM_ID_ENCR_DES 2\r
-#define IKEV2_TRANSFORM_ID_ENCR_3DES 3\r
-#define IKEV2_TRANSFORM_ID_ENCR_RC5 4\r
-#define IKEV2_TRANSFORM_ID_ENCR_IDEA 5\r
-#define IKEV2_TRANSFORM_ID_ENCR_CAST 6\r
-#define IKEV2_TRANSFORM_ID_ENCR_BLOWFISH 7\r
-#define IKEV2_TRANSFORM_ID_ENCR_3IDEA 8\r
-#define IKEV2_TRANSFORM_ID_ENCR_DES_IV32 9\r
-#define IKEV2_TRANSFORM_ID_ENCR_NULL 11\r
-#define IKEV2_TRANSFORM_ID_ENCR_AES_CBC 12\r
-#define IKEV2_TRANSFORM_ID_ENCR_AES_CTR 13\r
-\r
-//\r
-// IKEv2 Transform ID for Pseudo-Random Function (PRF)\r
-//\r
-#define IKEV2_TRANSFORM_ID_PRF_HMAC_MD5 1\r
-#define IKEV2_TRANSFORM_ID_PRF_HMAC_SHA1 2\r
-#define IKEV2_TRANSFORM_ID_PRF_HMAC_TIGER 3\r
-#define IKEV2_TRANSFORM_ID_PRF_AES128_XCBC 4\r
-\r
-//\r
-// IKEv2 Transform ID for Integrity Algorithm (INTEG)\r
-//\r
-#define IKEV2_TRANSFORM_ID_AUTH_NONE 0\r
-#define IKEV2_TRANSFORM_ID_AUTH_HMAC_MD5_96 1\r
-#define IKEV2_TRANSFORM_ID_AUTH_HMAC_SHA1_96 2\r
-#define IKEV2_TRANSFORM_ID_AUTH_HMAC_DES_MAC 3\r
-#define IKEV2_TRANSFORM_ID_AUTH_HMAC_KPDK_MD5 4\r
-#define IKEV2_TRANSFORM_ID_AUTH_HMAC_AES_XCBC_96 5\r
-\r
-//\r
-// IKEv2 Transform ID for Diffie-Hellman Group (DH)\r
-//\r
-#define IKEV2_TRANSFORM_ID_DH_768MODP 1\r
-#define IKEV2_TRANSFORM_ID_DH_1024MODP 2\r
-#define IKEV2_TRANSFORM_ID_DH_2048MODP 14\r
-\r
-//\r
-// IKEv2 Attribute Type Values\r
-//\r
-#define IKEV2_ATTRIBUTE_TYPE_KEYLEN 14\r
-\r
-//\r
-// Transform Payload\r
-//\r
-#pragma pack(1)\r
-typedef struct {\r
- IKEV2_COMMON_PAYLOAD_HEADER Header;\r
- UINT8 TransformType;\r
- UINT8 Reserved;\r
- UINT16 TransformId;\r
- //\r
- // SA Attributes\r
- //\r
-} IKEV2_TRANSFORM;\r
-#pragma pack()\r
-\r
-#pragma pack(1)\r
-typedef struct {\r
- IKEV2_COMMON_PAYLOAD_HEADER Header;\r
- UINT16 DhGroup;\r
- UINT16 Reserved;\r
- //\r
- // Remaining part contains the key exchanged\r
- //\r
-} IKEV2_KEY_EXCHANGE;\r
-#pragma pack()\r
-\r
-//\r
-// Identification Type Values presented within Ikev2 ID payload\r
-//\r
-#define IKEV2_ID_TYPE_IPV4_ADDR 1\r
-#define IKEV2_ID_TYPE_FQDN 2\r
-#define IKEV2_ID_TYPE_RFC822_ADDR 3\r
-#define IKEV2_ID_TYPE_IPV6_ADDR 5\r
-#define IKEV2_ID_TYPE_DER_ASN1_DN 9\r
-#define IKEV2_ID_TYPE_DER_ASN1_GN 10\r
-#define IKEV2_ID_TYPE_KEY_ID 11\r
-\r
-//\r
-// Identification Payload\r
-//\r
-#pragma pack(1)\r
-typedef struct {\r
- IKEV2_COMMON_PAYLOAD_HEADER Header;\r
- UINT8 IdType;\r
- UINT8 Reserver1;\r
- UINT16 Reserver2;\r
- //\r
- // Identification Data\r
- //\r
-} IKEV2_ID;\r
-#pragma pack()\r
-\r
-//\r
-// Encoding Type presented in IKEV2 Cert Payload\r
-//\r
-#define IKEV2_CERT_ENCODEING_RESERVED 0\r
-#define IKEV2_CERT_ENCODEING_X509_CERT_WRAP 1\r
-#define IKEV2_CERT_ENCODEING_PGP_CERT 2\r
-#define IKEV2_CERT_ENCODEING_DNS_SIGN_KEY 3\r
-#define IKEV2_CERT_ENCODEING_X509_CERT_SIGN 4\r
-#define IKEV2_CERT_ENCODEING_KERBEROS_TOKEN 6\r
-#define IKEV2_CERT_ENCODEING_REVOCATION_LIST_CERT 7\r
-#define IKEV2_CERT_ENCODEING_AUTH_REVOCATION_LIST 8\r
-#define IKEV2_CERT_ENCODEING_SPKI_CERT 9\r
-#define IKEV2_CERT_ENCODEING_X509_CERT_ATTRIBUTE 10\r
-#define IKEV2_CERT_ENCODEING_RAW_RSA_KEY 11\r
-#define IKEV2_CERT_ENCODEING_HASH_AND_URL_OF_X509_CERT 12\r
-\r
-//\r
-// IKEV2 Certificate Payload\r
-//\r
-#pragma pack(1)\r
-typedef struct {\r
- IKEV2_COMMON_PAYLOAD_HEADER Header;\r
- UINT8 CertEncoding;\r
- //\r
- // Cert Data\r
- //\r
-} IKEV2_CERT;\r
-#pragma pack()\r
-\r
-//\r
-// IKEV2 Certificate Request Payload\r
-//\r
-#pragma pack(1)\r
-typedef struct {\r
- IKEV2_COMMON_PAYLOAD_HEADER Header;\r
- UINT8 CertEncoding;\r
- //\r
- // Cert Authority\r
- //\r
-} IKEV2_CERT_REQ;\r
-#pragma pack()\r
-\r
-//\r
-// Authentication Payload\r
-//\r
-#pragma pack(1)\r
-typedef struct {\r
- IKEV2_COMMON_PAYLOAD_HEADER Header;\r
- UINT8 AuthMethod;\r
- UINT8 Reserved1;\r
- UINT16 Reserved2;\r
- //\r
- // Auth Data\r
- //\r
-} IKEV2_AUTH;\r
-#pragma pack()\r
-\r
-//\r
-// Authmethod in Authentication Payload\r
-//\r
-#define IKEV2_AUTH_METHOD_RSA 1; // RSA Digital Signature\r
-#define IKEV2_AUTH_METHOD_SKMI 2; // Shared Key Message Integrity\r
-#define IKEV2_AUTH_METHOD_DSS 3; // DSS Digital Signature\r
-\r
-//\r
-// IKEv2 Nonce Payload\r
-//\r
-#pragma pack(1)\r
-typedef struct {\r
- IKEV2_COMMON_PAYLOAD_HEADER Header;\r
- //\r
- // Nonce Data\r
- //\r
-} IKEV2_NONCE;\r
-#pragma pack()\r
-\r
-//\r
-// Notification Payload\r
-//\r
-#pragma pack(1)\r
-typedef struct {\r
- IKEV2_COMMON_PAYLOAD_HEADER Header;\r
- UINT8 ProtocolId;\r
- UINT8 SpiSize;\r
- UINT16 MessageType;\r
- //\r
- // SPI and Notification Data\r
- //\r
-} IKEV2_NOTIFY;\r
-#pragma pack()\r
-\r
-//\r
-// Notify Message Types presented within IKEv2 Notify Payload\r
-//\r
-#define IKEV2_NOTIFICATION_UNSUPPORT_CRITICAL_PAYLOAD 1\r
-#define IKEV2_NOTIFICATION_INVALID_IKE_SPI 4\r
-#define IKEV2_NOTIFICATION_INVALID_MAJOR_VERSION 5\r
-#define IKEV2_NOTIFICATION_INVALID_SYNTAX 7\r
-#define IKEV2_NOTIFICATION_INVALID_MESSAGE_ID 9\r
-#define IKEV2_NOTIFICATION_INVALID_SPI 11\r
-#define IKEV2_NOTIFICATION_NO_PROPOSAL_CHOSEN 14\r
-#define IKEV2_NOTIFICATION_INVALID_KEY_PAYLOAD 17\r
-#define IKEV2_NOTIFICATION_AUTHENTICATION_FAILED 24\r
-#define IKEV2_NOTIFICATION_SINGLE_PAIR_REQUIRED 34\r
-#define IKEV2_NOTIFICATION_NO_ADDITIONAL_SAS 35\r
-#define IKEV2_NOTIFICATION_INTERNAL_ADDRESS_FAILURE 36\r
-#define IKEV2_NOTIFICATION_FAILED_CP_REQUIRED 37\r
-#define IKEV2_NOTIFICATION_TS_UNCCEPTABLE 38\r
-#define IKEV2_NOTIFICATION_INVALID_SELECTORS 39\r
-#define IKEV2_NOTIFICATION_COOKIE 16390\r
-#define IKEV2_NOTIFICATION_USE_TRANSPORT_MODE 16391\r
-#define IKEV2_NOTIFICATION_REKEY_SA 16393\r
-\r
-//\r
-// IKEv2 Protocol ID\r
-//\r
-//\r
-// IKEv2 Delete Payload\r
-//\r
-#pragma pack(1)\r
-typedef struct {\r
- IKEV2_COMMON_PAYLOAD_HEADER Header;\r
- UINT8 ProtocolId;\r
- UINT8 SpiSize;\r
- UINT16 NumSpis;\r
- //\r
- // SPIs\r
- //\r
-} IKEV2_DELETE;\r
-#pragma pack()\r
-\r
-//\r
-// Traffic Selector Payload\r
-//\r
-#pragma pack(1)\r
-typedef struct {\r
- IKEV2_COMMON_PAYLOAD_HEADER Header;\r
- UINT8 TSNumbers;\r
- UINT8 Reserved1;\r
- UINT16 Reserved2;\r
- //\r
- // Traffic Selector\r
- //\r
-} IKEV2_TS;\r
-#pragma pack()\r
-\r
-//\r
-// Traffic Selector\r
-//\r
-#pragma pack(1)\r
-typedef struct {\r
- UINT8 TSType;\r
- UINT8 IpProtocolId;\r
- UINT16 SelecorLen;\r
- UINT16 StartPort;\r
- UINT16 EndPort;\r
- //\r
- // Starting Address && Ending Address\r
- //\r
-} TRAFFIC_SELECTOR;\r
-#pragma pack()\r
-\r
-//\r
-// Ts Type in Traffic Selector\r
-//\r
-#define IKEV2_TS_TYPE_IPV4_ADDR_RANGE 7\r
-#define IKEV2_TS_TYPS_IPV6_ADDR_RANGE 8\r
-\r
-//\r
-// Vendor Payload\r
-//\r
-#pragma pack(1)\r
-typedef struct {\r
- IKEV2_COMMON_PAYLOAD_HEADER Header;\r
- //\r
- // Vendor ID\r
- //\r
-} IKEV2_VENDOR;\r
-#pragma pack()\r
-\r
-//\r
-// Encrypted Payload\r
-//\r
-#pragma pack(1)\r
-typedef struct {\r
- IKEV2_COMMON_PAYLOAD_HEADER Header;\r
- //\r
- // IV, Encrypted IKE Payloads, Padding, PAD length, Integrity CheckSum\r
- //\r
-} IKEV2_ENCRYPTED;\r
-#pragma pack()\r
-\r
-#pragma pack(1)\r
-typedef struct {\r
- UINT8 PadLength;\r
-} IKEV2_PAD_LEN;\r
-#pragma pack()\r
-\r
-//\r
-// Configuration Payload\r
-//\r
-#pragma pack(1)\r
-typedef struct {\r
- IKEV2_COMMON_PAYLOAD_HEADER Header;\r
- UINT8 CfgType;\r
- UINT8 Reserve1;\r
- UINT16 Reserve2;\r
- //\r
- // Configuration Attributes\r
- //\r
-} IKEV2_CFG;\r
-#pragma pack()\r
-\r
-//\r
-// Configuration Payload CPG type\r
-//\r
-#define IKEV2_CFG_TYPE_REQUEST 1\r
-#define IKEV2_CFG_TYPE_REPLY 2\r
-#define IKEV2_CFG_TYPE_SET 3\r
-#define IKEV2_CFG_TYPE_ACK 4\r
-\r
-//\r
-// Configuration Attributes\r
-//\r
-#pragma pack(1)\r
-typedef struct {\r
- UINT16 AttritType;\r
- UINT16 ValueLength;\r
-} IKEV2_CFG_ATTRIBUTES;\r
-#pragma pack()\r
-\r
-//\r
-// Configuration Attributes\r
-//\r
-#define IKEV2_CFG_ATTR_INTERNAL_IP4_ADDRESS 1\r
-#define IKEV2_CFG_ATTR_INTERNAL_IP4_NBTMASK 2\r
-#define IKEV2_CFG_ATTR_INTERNAL_IP4_DNS 3\r
-#define IKEV2_CFG_ATTR_INTERNAL_IP4_NBNS 4\r
-#define IKEV2_CFG_ATTR_INTERNA_ADDRESS_BXPIRY 5\r
-#define IKEV2_CFG_ATTR_INTERNAL_IP4_DHCP 6\r
-#define IKEV2_CFG_ATTR_APPLICATION_VERSION 7\r
-#define IKEV2_CFG_ATTR_INTERNAL_IP6_ADDRESS 8\r
-#define IKEV2_CFG_ATTR_INTERNAL_IP6_DNS 10\r
-#define IKEV2_CFG_ATTR_INTERNAL_IP6_NBNS 11\r
-#define IKEV2_CFG_ATTR_INTERNAL_IP6_DHCP 12\r
-#define IKEV2_CFG_ATTR_INTERNAL_IP4_SUBNET 13\r
-#define IKEV2_CFG_ATTR_SUPPORTED_ATTRIBUTES 14\r
-#define IKEV2_CFG_ATTR_IP6_SUBNET 15\r
-\r
-#endif\r
-\r
+++ /dev/null
-/** @file\r
- The operations for IKEv2 SA.\r
-\r
- (C) Copyright 2015 Hewlett-Packard Development Company, L.P.<BR>\r
- Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>\r
-\r
- SPDX-License-Identifier: BSD-2-Clause-Patent\r
-\r
-**/\r
-\r
-#include "Utility.h"\r
-#include "IpSecDebug.h"\r
-#include "IkeService.h"\r
-#include "Ikev2.h"\r
-\r
-/**\r
- Generates the DH Key.\r
-\r
- This generates the DH local public key and store it in the IKEv2 SA Session's GxBuffer.\r
-\r
- @param[in] IkeSaSession Pointer to related IKE SA Session.\r
-\r
- @retval EFI_SUCCESS The operation succeeded.\r
- @retval Others The operation failed.\r
-\r
-**/\r
-EFI_STATUS\r
-Ikev2GenerateSaDhPublicKey (\r
- IN IKEV2_SA_SESSION *IkeSaSession\r
- );\r
-\r
-/**\r
- Generates the IKEv2 SA key for the furthure IKEv2 exchange.\r
-\r
- @param[in] IkeSaSession Pointer to IKEv2 SA Session.\r
- @param[in] KePayload Pointer to Key payload used to generate the Key.\r
-\r
- @retval EFI_UNSUPPORTED If the Algorithm Id is not supported.\r
- @retval EFI_SUCCESS The operation succeeded.\r
-\r
-**/\r
-EFI_STATUS\r
-Ikev2GenerateSaKeys (\r
- IN IKEV2_SA_SESSION *IkeSaSession,\r
- IN IKE_PAYLOAD *KePayload\r
- );\r
-\r
-/**\r
- Generates the Keys for the furthure IPsec Protocol.\r
-\r
- @param[in] ChildSaSession Pointer to IKE Child SA Session.\r
- @param[in] KePayload Pointer to Key payload used to generate the Key.\r
-\r
- @retval EFI_UNSUPPORTED If one or more Algorithm Id is unsupported.\r
- @retval EFI_SUCCESS The operation succeeded.\r
-\r
-**/\r
-EFI_STATUS\r
-Ikev2GenerateChildSaKeys (\r
- IN IKEV2_CHILD_SA_SESSION *ChildSaSession,\r
- IN IKE_PAYLOAD *KePayload\r
- );\r
-\r
-/**\r
- Gernerates IKEv2 packet for IKE_SA_INIT exchange.\r
-\r
- @param[in] SaSession Pointer to IKEV2_SA_SESSION related to the exchange.\r
- @param[in] Context Context Data passed by caller.\r
-\r
- @retval EFI_SUCCESS The IKEv2 packet generation succeeded.\r
- @retval Others The IKEv2 packet generation failed.\r
-\r
-**/\r
-IKE_PACKET *\r
-Ikev2InitPskGenerator (\r
- IN UINT8 *SaSession,\r
- IN VOID *Context\r
- )\r
-{\r
- IKE_PACKET *IkePacket;\r
- IKEV2_SA_SESSION *IkeSaSession;\r
- IKE_PAYLOAD *SaPayload;\r
- IKE_PAYLOAD *KePayload;\r
- IKE_PAYLOAD *NoncePayload;\r
- IKE_PAYLOAD *NotifyPayload;\r
- EFI_STATUS Status;\r
-\r
- SaPayload = NULL;\r
- KePayload = NULL;\r
- NoncePayload = NULL;\r
- NotifyPayload = NULL;\r
-\r
- IkeSaSession = (IKEV2_SA_SESSION *) SaSession;\r
-\r
- //\r
- // 1. Allocate IKE packet\r
- //\r
- IkePacket = IkePacketAlloc ();\r
- if (IkePacket == NULL) {\r
- goto CheckError;\r
- }\r
-\r
- //\r
- // 1.a Fill the IkePacket->Hdr\r
- //\r
- IkePacket->Header->ExchangeType = IKEV2_EXCHANGE_TYPE_INIT;\r
- IkePacket->Header->InitiatorCookie = IkeSaSession->InitiatorCookie;\r
- IkePacket->Header->ResponderCookie = IkeSaSession->ResponderCookie;\r
- IkePacket->Header->Version = (UINT8) (2 << 4);\r
- IkePacket->Header->MessageId = 0;\r
-\r
- if (IkeSaSession->SessionCommon.IsInitiator) {\r
- IkePacket->Header->Flags = IKE_HEADER_FLAGS_INIT;\r
- } else {\r
- IkePacket->Header->Flags = IKE_HEADER_FLAGS_RESPOND;\r
- }\r
-\r
- //\r
- // If the NCookie is not NULL, this IKE_SA_INIT packet is resent by the NCookie\r
- // and the NCookie payload should be the first payload in this packet.\r
- //\r
- if (IkeSaSession->NCookie != NULL) {\r
- IkePacket->Header->NextPayload = IKEV2_PAYLOAD_TYPE_NOTIFY;\r
- NotifyPayload = Ikev2GenerateNotifyPayload (\r
- IPSEC_PROTO_ISAKMP,\r
- IKEV2_PAYLOAD_TYPE_SA,\r
- 0,\r
- IKEV2_NOTIFICATION_COOKIE,\r
- NULL,\r
- IkeSaSession->NCookie,\r
- IkeSaSession->NCookieSize\r
- );\r
- } else {\r
- IkePacket->Header->NextPayload = IKEV2_PAYLOAD_TYPE_SA;\r
- }\r
-\r
- //\r
- // 2. Generate SA Payload according to the SaData & SaParams\r
- //\r
- SaPayload = Ikev2GenerateSaPayload (\r
- IkeSaSession->SaData,\r
- IKEV2_PAYLOAD_TYPE_KE,\r
- IkeSessionTypeIkeSa\r
- );\r
-\r
- //\r
- // 3. Generate DH public key.\r
- // The DhPrivate Key has been generated in Ikev2InitPskParser, if the\r
- // IkeSaSession is responder. If resending IKE_SA_INIT with Cookie Notify\r
- // No need to recompute the Public key.\r
- //\r
- if ((IkeSaSession->SessionCommon.IsInitiator) && (IkeSaSession->NCookie == NULL)) {\r
- Status = Ikev2GenerateSaDhPublicKey (IkeSaSession);\r
- if (EFI_ERROR (Status)) {\r
- goto CheckError;\r
- }\r
- }\r
-\r
- //\r
- // 4. Generate KE Payload according to SaParams->DhGroup\r
- //\r
- KePayload = Ikev2GenerateKePayload (\r
- IkeSaSession,\r
- IKEV2_PAYLOAD_TYPE_NONCE\r
- );\r
-\r
- //\r
- // 5. Generate Nonce Payload\r
- // If resending IKE_SA_INIT with Cookie Notify paylaod, no need to regenerate\r
- // the Nonce Payload.\r
- //\r
- if ((IkeSaSession->SessionCommon.IsInitiator) && (IkeSaSession->NCookie == NULL)) {\r
- IkeSaSession->NiBlkSize = IKE_NONCE_SIZE;\r
- IkeSaSession->NiBlock = IkeGenerateNonce (IKE_NONCE_SIZE);\r
- if (IkeSaSession->NiBlock == NULL) {\r
- goto CheckError;\r
- }\r
- }\r
-\r
- if (IkeSaSession->SessionCommon.IsInitiator) {\r
- NoncePayload = Ikev2GenerateNoncePayload (\r
- IkeSaSession->NiBlock,\r
- IkeSaSession->NiBlkSize,\r
- IKEV2_PAYLOAD_TYPE_NONE\r
- );\r
- } else {\r
- //\r
- // The Nonce Payload has been created in Ikev2PskParser if the IkeSaSession is\r
- // responder.\r
- //\r
- NoncePayload = Ikev2GenerateNoncePayload (\r
- IkeSaSession->NrBlock,\r
- IkeSaSession->NrBlkSize,\r
- IKEV2_PAYLOAD_TYPE_NONE\r
- );\r
- }\r
-\r
- if (NotifyPayload != NULL) {\r
- IKE_PACKET_APPEND_PAYLOAD (IkePacket, NotifyPayload);\r
- }\r
- if (SaPayload != NULL) {\r
- IKE_PACKET_APPEND_PAYLOAD (IkePacket, SaPayload);\r
- }\r
- if (KePayload != NULL) {\r
- IKE_PACKET_APPEND_PAYLOAD (IkePacket, KePayload);\r
- }\r
- if (NoncePayload != NULL) {\r
- IKE_PACKET_APPEND_PAYLOAD (IkePacket, NoncePayload);\r
- }\r
-\r
- return IkePacket;\r
-\r
-CheckError:\r
- if (IkePacket != NULL) {\r
- IkePacketFree (IkePacket);\r
- }\r
- if (SaPayload != NULL) {\r
- IkePayloadFree (SaPayload);\r
- }\r
- return NULL;\r
-}\r
-\r
-/**\r
- Parses the IKEv2 packet for IKE_SA_INIT exchange.\r
-\r
- @param[in] SaSession Pointer to IKEV2_SA_SESSION related to the exchange.\r
- @param[in] IkePacket The received IKE packet to be parsed.\r
-\r
- @retval EFI_SUCCESS The IKEv2 packet is acceptable and the relative data is\r
- saved for furthure communication.\r
- @retval EFI_INVALID_PARAMETER The IKEv2 packet is malformed or the SA proposal is unacceptable.\r
-\r
-**/\r
-EFI_STATUS\r
-Ikev2InitPskParser (\r
- IN UINT8 *SaSession,\r
- IN IKE_PACKET *IkePacket\r
- )\r
-{\r
- IKEV2_SA_SESSION *IkeSaSession;\r
- IKE_PAYLOAD *SaPayload;\r
- IKE_PAYLOAD *KeyPayload;\r
- IKE_PAYLOAD *IkePayload;\r
- IKE_PAYLOAD *NoncePayload;\r
- IKE_PAYLOAD *NotifyPayload;\r
- UINT8 *NonceBuffer;\r
- UINTN NonceSize;\r
- LIST_ENTRY *Entry;\r
- EFI_STATUS Status;\r
-\r
- IkeSaSession = (IKEV2_SA_SESSION *) SaSession;\r
- KeyPayload = NULL;\r
- SaPayload = NULL;\r
- NoncePayload = NULL;\r
- IkePayload = NULL;\r
- NotifyPayload = NULL;\r
-\r
- //\r
- // Iterate payloads to find the SaPayload and KeyPayload.\r
- //\r
- NET_LIST_FOR_EACH (Entry, &(IkePacket)->PayloadList) {\r
- IkePayload = IKE_PAYLOAD_BY_PACKET (Entry);\r
- if (IkePayload->PayloadType == IKEV2_PAYLOAD_TYPE_SA) {\r
- SaPayload = IkePayload;\r
- }\r
- if (IkePayload->PayloadType == IKEV2_PAYLOAD_TYPE_KE) {\r
- KeyPayload = IkePayload;\r
- }\r
- if (IkePayload->PayloadType == IKEV2_PAYLOAD_TYPE_NONCE) {\r
- NoncePayload = IkePayload;\r
- }\r
- if (IkePayload->PayloadType == IKEV2_PAYLOAD_TYPE_NOTIFY) {\r
- NotifyPayload = IkePayload;\r
- }\r
- }\r
-\r
- //\r
- // According to RFC 4306 - 2.6. If the responder responds with the COOKIE Notify\r
- // payload with the cookie data, initiator MUST retry the IKE_SA_INIT with a\r
- // Notify payload of type COOKIE containing the responder suppplied cookie data\r
- // as first payload and all other payloads unchanged.\r
- //\r
- if (IkeSaSession->SessionCommon.IsInitiator) {\r
- if (NotifyPayload != NULL && !EFI_ERROR(Ikev2ParserNotifyCookiePayload (NotifyPayload, IkeSaSession))) {\r
- return EFI_SUCCESS;\r
- }\r
- }\r
-\r
- if ((KeyPayload == NULL) || (SaPayload == NULL) || (NoncePayload == NULL)) {\r
- return EFI_INVALID_PARAMETER;\r
- }\r
-\r
- //\r
- // Store NoncePayload for SKEYID computing.\r
- //\r
- NonceSize = NoncePayload->PayloadSize - sizeof (IKEV2_COMMON_PAYLOAD_HEADER);\r
- NonceBuffer = (UINT8 *) AllocatePool (NonceSize);\r
- if (NonceBuffer == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto CheckError;\r
- }\r
-\r
- CopyMem (\r
- NonceBuffer,\r
- NoncePayload->PayloadBuf + sizeof (IKEV2_COMMON_PAYLOAD_HEADER),\r
- NonceSize\r
- );\r
-\r
- //\r
- // Check if IkePacket Header matches the state\r
- //\r
- if (IkeSaSession->SessionCommon.IsInitiator) {\r
- //\r
- // 1. Check the IkePacket->Hdr == IKE_HEADER_FLAGS_RESPOND\r
- //\r
- if (IkePacket->Header->Flags != IKE_HEADER_FLAGS_RESPOND) {\r
- Status = EFI_INVALID_PARAMETER;\r
- goto CheckError;\r
- }\r
-\r
- //\r
- // 2. Parse the SA Payload and Key Payload to find out the cryptographic\r
- // suite and fill in the Sa paramse into CommonSession->SaParams\r
- //\r
- if (!Ikev2SaParseSaPayload (IkeSaSession, SaPayload, IkePacket->Header->Flags)) {\r
- Status = EFI_INVALID_PARAMETER;\r
- goto CheckError;\r
- }\r
-\r
- //\r
- // 3. If Initiator, the NoncePayload is Nr_b.\r
- //\r
- IKEV2_DUMP_STATE (IkeSaSession->SessionCommon.State, IkeStateAuth);\r
- IkeSaSession->NrBlock = NonceBuffer;\r
- IkeSaSession->NrBlkSize = NonceSize;\r
- IkeSaSession->SessionCommon.State = IkeStateAuth;\r
- IkeSaSession->ResponderCookie = IkePacket->Header->ResponderCookie;\r
-\r
- //\r
- // 4. Change the state of IkeSaSession\r
- //\r
- IkeSaSession->SessionCommon.State = IkeStateAuth;\r
- } else {\r
- //\r
- // 1. Check the IkePacket->Hdr == IKE_HEADER_FLAGS_INIT\r
- //\r
- if (IkePacket->Header->Flags != IKE_HEADER_FLAGS_INIT) {\r
- Status = EFI_INVALID_PARAMETER;\r
- goto CheckError;\r
- }\r
-\r
- //\r
- // 2. Parse the SA payload and find out the perfered one\r
- // and fill in the SA parameters into CommonSession->SaParams and SaData into\r
- // IkeSaSession for the responder SA payload generation.\r
- //\r
- if (!Ikev2SaParseSaPayload (IkeSaSession, SaPayload, IkePacket->Header->Flags)) {\r
- Status = EFI_INVALID_PARAMETER;\r
- goto CheckError;\r
- }\r
-\r
- //\r
- // 3. Generat Dh Y parivate Key\r
- //\r
- Status = Ikev2GenerateSaDhPublicKey (IkeSaSession);\r
- if (EFI_ERROR (Status)) {\r
- goto CheckError;\r
- }\r
-\r
- //\r
- // 4. If Responder, the NoncePayload is Ni_b and go to generate Nr_b.\r
- //\r
- IkeSaSession->NiBlock = NonceBuffer;\r
- IkeSaSession->NiBlkSize = NonceSize;\r
-\r
- //\r
- // 5. Generate Nr_b\r
- //\r
- IkeSaSession->NrBlock = IkeGenerateNonce (IKE_NONCE_SIZE);\r
- ASSERT (IkeSaSession->NrBlock != NULL);\r
- IkeSaSession->NrBlkSize = IKE_NONCE_SIZE;\r
-\r
- //\r
- // 6. Save the Cookies\r
- //\r
- IkeSaSession->InitiatorCookie = IkePacket->Header->InitiatorCookie;\r
- IkeSaSession->ResponderCookie = IkeGenerateCookie ();\r
- }\r
-\r
- if (IkeSaSession->SessionCommon.PreferDhGroup != ((IKEV2_KEY_EXCHANGE *)KeyPayload->PayloadBuf)->DhGroup) {\r
- Status = EFI_INVALID_PARAMETER;\r
- goto CheckError;\r
- }\r
- //\r
- // Call Ikev2GenerateSaKeys to create SKEYID, SKEYID_d, SKEYID_a, SKEYID_e.\r
- //\r
- Status = Ikev2GenerateSaKeys (IkeSaSession, KeyPayload);\r
- if (EFI_ERROR(Status)) {\r
- goto CheckError;\r
- }\r
- return EFI_SUCCESS;\r
-\r
-CheckError:\r
- if (NonceBuffer != NULL) {\r
- FreePool (NonceBuffer);\r
- }\r
-\r
- return Status;\r
-}\r
-\r
-/**\r
- Generates the IKEv2 packet for IKE_AUTH exchange.\r
-\r
- @param[in] SaSession Pointer to IKEV2_SA_SESSION.\r
- @param[in] Context Context data passed by caller.\r
-\r
- @retval Pointer to IKE Packet to be sent out.\r
-\r
-**/\r
-IKE_PACKET *\r
-Ikev2AuthPskGenerator (\r
- IN UINT8 *SaSession,\r
- IN VOID *Context\r
- )\r
-{\r
- IKE_PACKET *IkePacket;\r
- IKEV2_SA_SESSION *IkeSaSession;\r
- IKE_PAYLOAD *IdPayload;\r
- IKE_PAYLOAD *AuthPayload;\r
- IKE_PAYLOAD *SaPayload;\r
- IKE_PAYLOAD *TsiPayload;\r
- IKE_PAYLOAD *TsrPayload;\r
- IKE_PAYLOAD *NotifyPayload;\r
- IKE_PAYLOAD *CpPayload;\r
- IKEV2_CHILD_SA_SESSION *ChildSaSession;\r
-\r
-\r
- IkeSaSession = (IKEV2_SA_SESSION *) SaSession;\r
- ChildSaSession = IKEV2_CHILD_SA_SESSION_BY_IKE_SA (GetFirstNode (&IkeSaSession->ChildSaSessionList));\r
-\r
- IkePacket = NULL;\r
- IdPayload = NULL;\r
- AuthPayload = NULL;\r
- SaPayload = NULL;\r
- TsiPayload = NULL;\r
- TsrPayload = NULL;\r
- NotifyPayload = NULL;\r
- CpPayload = NULL;\r
- NotifyPayload = NULL;\r
-\r
- //\r
- // 1. Allocate IKE Packet\r
- //\r
- IkePacket= IkePacketAlloc ();\r
- if (IkePacket == NULL) {\r
- return NULL;\r
- }\r
-\r
- //\r
- // 1.a Fill the IkePacket Header.\r
- //\r
- IkePacket->Header->ExchangeType = IKEV2_EXCHANGE_TYPE_AUTH;\r
- IkePacket->Header->InitiatorCookie = IkeSaSession->InitiatorCookie;\r
- IkePacket->Header->ResponderCookie = IkeSaSession->ResponderCookie;\r
- IkePacket->Header->Version = (UINT8)(2 << 4);\r
- if (ChildSaSession->SessionCommon.IsInitiator) {\r
- IkePacket->Header->NextPayload = IKEV2_PAYLOAD_TYPE_ID_INIT;\r
- } else {\r
- IkePacket->Header->NextPayload = IKEV2_PAYLOAD_TYPE_ID_RSP;\r
- }\r
-\r
- //\r
- // According to RFC4306_2.2, For the IKE_SA_INIT message the MessageID should\r
- // be always number 0 and 1;\r
- //\r
- IkePacket->Header->MessageId = 1;\r
-\r
- if (IkeSaSession->SessionCommon.IsInitiator) {\r
- IkePacket->Header->Flags = IKE_HEADER_FLAGS_INIT;\r
- } else {\r
- IkePacket->Header->Flags = IKE_HEADER_FLAGS_RESPOND;\r
- }\r
-\r
- //\r
- // 2. Generate ID Payload according to IP version and address.\r
- //\r
- IdPayload = Ikev2GenerateIdPayload (\r
- &IkeSaSession->SessionCommon,\r
- IKEV2_PAYLOAD_TYPE_AUTH\r
- );\r
- if (IdPayload == NULL) {\r
- goto CheckError;\r
- }\r
-\r
- //\r
- // 3. Generate Auth Payload\r
- // If it is tunnel mode, should create the configuration payload after the\r
- // Auth payload.\r
- //\r
- if (IkeSaSession->Spd->Data->ProcessingPolicy->Mode == EfiIPsecTransport) {\r
-\r
- AuthPayload = Ikev2PskGenerateAuthPayload (\r
- ChildSaSession->IkeSaSession,\r
- IdPayload,\r
- IKEV2_PAYLOAD_TYPE_SA,\r
- FALSE\r
- );\r
- } else {\r
- AuthPayload = Ikev2PskGenerateAuthPayload (\r
- ChildSaSession->IkeSaSession,\r
- IdPayload,\r
- IKEV2_PAYLOAD_TYPE_CP,\r
- FALSE\r
- );\r
- if (IkeSaSession->SessionCommon.UdpService->IpVersion == IP_VERSION_4) {\r
- CpPayload = Ikev2GenerateCpPayload (\r
- ChildSaSession->IkeSaSession,\r
- IKEV2_PAYLOAD_TYPE_SA,\r
- IKEV2_CFG_ATTR_INTERNAL_IP4_ADDRESS\r
- );\r
- } else {\r
- CpPayload = Ikev2GenerateCpPayload (\r
- ChildSaSession->IkeSaSession,\r
- IKEV2_PAYLOAD_TYPE_SA,\r
- IKEV2_CFG_ATTR_INTERNAL_IP6_ADDRESS\r
- );\r
- }\r
-\r
- if (CpPayload == NULL) {\r
- goto CheckError;\r
- }\r
- }\r
-\r
- if (AuthPayload == NULL) {\r
- goto CheckError;\r
- }\r
-\r
- //\r
- // 4. Generate SA Payload according to the SA Data in ChildSaSession\r
- //\r
- SaPayload = Ikev2GenerateSaPayload (\r
- ChildSaSession->SaData,\r
- IKEV2_PAYLOAD_TYPE_TS_INIT,\r
- IkeSessionTypeChildSa\r
- );\r
- if (SaPayload == NULL) {\r
- goto CheckError;\r
- }\r
-\r
- if (IkeSaSession->Spd->Data->ProcessingPolicy->Mode == EfiIPsecTransport) {\r
- //\r
- // Generate Tsi and Tsr.\r
- //\r
- TsiPayload = Ikev2GenerateTsPayload (\r
- ChildSaSession,\r
- IKEV2_PAYLOAD_TYPE_TS_RSP,\r
- FALSE\r
- );\r
-\r
- TsrPayload = Ikev2GenerateTsPayload (\r
- ChildSaSession,\r
- IKEV2_PAYLOAD_TYPE_NOTIFY,\r
- FALSE\r
- );\r
-\r
- //\r
- // Generate Notify Payload. If transport mode, there should have Notify\r
- // payload with TRANSPORT_MODE notification.\r
- //\r
- NotifyPayload = Ikev2GenerateNotifyPayload (\r
- 0,\r
- IKEV2_PAYLOAD_TYPE_NONE,\r
- 0,\r
- IKEV2_NOTIFICATION_USE_TRANSPORT_MODE,\r
- NULL,\r
- NULL,\r
- 0\r
- );\r
- if (NotifyPayload == NULL) {\r
- goto CheckError;\r
- }\r
- } else {\r
- //\r
- // Generate Tsr for Tunnel mode.\r
- //\r
- TsiPayload = Ikev2GenerateTsPayload (\r
- ChildSaSession,\r
- IKEV2_PAYLOAD_TYPE_TS_RSP,\r
- TRUE\r
- );\r
- TsrPayload = Ikev2GenerateTsPayload (\r
- ChildSaSession,\r
- IKEV2_PAYLOAD_TYPE_NONE,\r
- FALSE\r
- );\r
- }\r
-\r
- if (TsiPayload == NULL || TsrPayload == NULL) {\r
- goto CheckError;\r
- }\r
-\r
- IKE_PACKET_APPEND_PAYLOAD (IkePacket, IdPayload);\r
- IKE_PACKET_APPEND_PAYLOAD (IkePacket, AuthPayload);\r
- if (IkeSaSession->Spd->Data->ProcessingPolicy->Mode == EfiIPsecTunnel) {\r
- IKE_PACKET_APPEND_PAYLOAD (IkePacket, CpPayload);\r
- }\r
- IKE_PACKET_APPEND_PAYLOAD (IkePacket, SaPayload);\r
- IKE_PACKET_APPEND_PAYLOAD (IkePacket, TsiPayload);\r
- IKE_PACKET_APPEND_PAYLOAD (IkePacket, TsrPayload);\r
- if (IkeSaSession->Spd->Data->ProcessingPolicy->Mode == EfiIPsecTransport) {\r
- IKE_PACKET_APPEND_PAYLOAD (IkePacket, NotifyPayload);\r
- }\r
-\r
- return IkePacket;\r
-\r
-CheckError:\r
- if (IkePacket != NULL) {\r
- IkePacketFree (IkePacket);\r
- }\r
-\r
- if (IdPayload != NULL) {\r
- IkePayloadFree (IdPayload);\r
- }\r
-\r
- if (AuthPayload != NULL) {\r
- IkePayloadFree (AuthPayload);\r
- }\r
-\r
- if (CpPayload != NULL) {\r
- IkePayloadFree (CpPayload);\r
- }\r
-\r
- if (SaPayload != NULL) {\r
- IkePayloadFree (SaPayload);\r
- }\r
-\r
- if (TsiPayload != NULL) {\r
- IkePayloadFree (TsiPayload);\r
- }\r
-\r
- if (TsrPayload != NULL) {\r
- IkePayloadFree (TsrPayload);\r
- }\r
-\r
- if (NotifyPayload != NULL) {\r
- IkePayloadFree (NotifyPayload);\r
- }\r
-\r
- return NULL;\r
-}\r
-\r
-/**\r
- Parses IKE_AUTH packet.\r
-\r
- @param[in] SaSession Pointer to the IKE_SA_SESSION related to this packet.\r
- @param[in] IkePacket Pointer to the IKE_AUTH packet to be parsered.\r
-\r
- @retval EFI_INVALID_PARAMETER The IKE packet is malformed or the SA\r
- proposal is unacceptable.\r
- @retval EFI_SUCCESS The IKE packet is acceptable and the\r
- relative data is saved for furthure communication.\r
-\r
-**/\r
-EFI_STATUS\r
-Ikev2AuthPskParser (\r
- IN UINT8 *SaSession,\r
- IN IKE_PACKET *IkePacket\r
- )\r
-{\r
- IKEV2_CHILD_SA_SESSION *ChildSaSession;\r
- IKEV2_SA_SESSION *IkeSaSession;\r
- IKE_PAYLOAD *IkePayload;\r
- IKE_PAYLOAD *SaPayload;\r
- IKE_PAYLOAD *IdiPayload;\r
- IKE_PAYLOAD *IdrPayload;\r
- IKE_PAYLOAD *AuthPayload;\r
- IKE_PAYLOAD *TsiPayload;\r
- IKE_PAYLOAD *TsrPayload;\r
- IKE_PAYLOAD *VerifiedAuthPayload;\r
- LIST_ENTRY *Entry;\r
- EFI_STATUS Status;\r
-\r
- IkeSaSession = (IKEV2_SA_SESSION *) SaSession;\r
- ChildSaSession = IKEV2_CHILD_SA_SESSION_BY_IKE_SA (GetFirstNode (&IkeSaSession->ChildSaSessionList));\r
-\r
- SaPayload = NULL;\r
- IdiPayload = NULL;\r
- IdrPayload = NULL;\r
- AuthPayload = NULL;\r
- TsiPayload = NULL;\r
- TsrPayload = NULL;\r
-\r
- //\r
- // Iterate payloads to find the SaPayload/ID/AUTH/TS Payload.\r
- //\r
- NET_LIST_FOR_EACH (Entry, &(IkePacket)->PayloadList) {\r
- IkePayload = IKE_PAYLOAD_BY_PACKET (Entry);\r
-\r
- if (IkePayload->PayloadType == IKEV2_PAYLOAD_TYPE_ID_INIT) {\r
- IdiPayload = IkePayload;\r
- }\r
- if (IkePayload->PayloadType == IKEV2_PAYLOAD_TYPE_ID_RSP) {\r
- IdrPayload = IkePayload;\r
- }\r
- if (IkePayload->PayloadType == IKEV2_PAYLOAD_TYPE_SA) {\r
- SaPayload = IkePayload;\r
- }\r
- if (IkePayload->PayloadType == IKEV2_PAYLOAD_TYPE_AUTH) {\r
- AuthPayload = IkePayload;\r
- }\r
- if (IkePayload->PayloadType == IKEV2_PAYLOAD_TYPE_TS_INIT) {\r
- TsiPayload = IkePayload;\r
- }\r
- if (IkePayload->PayloadType == IKEV2_PAYLOAD_TYPE_TS_RSP) {\r
- TsrPayload = IkePayload;\r
- }\r
- }\r
-\r
- if ((SaPayload == NULL) || (AuthPayload == NULL) || (TsiPayload == NULL) || (TsrPayload == NULL)) {\r
- return EFI_INVALID_PARAMETER;\r
- }\r
- if ((IdiPayload == NULL) && (IdrPayload == NULL)) {\r
- return EFI_INVALID_PARAMETER;\r
- }\r
-\r
- //\r
- // Check IkePacket Header is match the state\r
- //\r
- if (IkeSaSession->SessionCommon.IsInitiator) {\r
-\r
- //\r
- // 1. Check the IkePacket->Hdr == IKE_HEADER_FLAGS_RESPOND\r
- //\r
- if ((IkePacket->Header->Flags != IKE_HEADER_FLAGS_RESPOND) ||\r
- (IkePacket->Header->ExchangeType != IKEV2_EXCHANGE_TYPE_AUTH)\r
- ) {\r
- return EFI_INVALID_PARAMETER;\r
- }\r
-\r
- } else {\r
- //\r
- // 1. Check the IkePacket->Hdr == IKE_HEADER_FLAGS_INIT\r
- //\r
- if ((IkePacket->Header->Flags != IKE_HEADER_FLAGS_INIT) ||\r
- (IkePacket->Header->ExchangeType != IKEV2_EXCHANGE_TYPE_AUTH)\r
- ) {\r
- return EFI_INVALID_PARAMETER;\r
- }\r
-\r
- //\r
- // 2. Parse the SA payload and Key Payload and find out the perferable one\r
- // and fill in the Sa paramse into CommonSession->SaParams and SaData into\r
- // IkeSaSession for the responder SA payload generation.\r
- //\r
- }\r
-\r
- //\r
- // Verify the Auth Payload.\r
- //\r
- VerifiedAuthPayload = Ikev2PskGenerateAuthPayload (\r
- IkeSaSession,\r
- IkeSaSession->SessionCommon.IsInitiator ? IdrPayload : IdiPayload,\r
- IKEV2_PAYLOAD_TYPE_SA,\r
- TRUE\r
- );\r
- if ((VerifiedAuthPayload != NULL) &&\r
- (0 != CompareMem (\r
- VerifiedAuthPayload->PayloadBuf + sizeof (IKEV2_COMMON_PAYLOAD_HEADER),\r
- AuthPayload->PayloadBuf + sizeof (IKEV2_COMMON_PAYLOAD_HEADER),\r
- VerifiedAuthPayload->PayloadSize - sizeof (IKEV2_COMMON_PAYLOAD_HEADER)\r
- ))) {\r
- return EFI_INVALID_PARAMETER;\r
- };\r
-\r
- //\r
- // 3. Parse the SA Payload to find out the cryptographic suite\r
- // and fill in the Sa paramse into CommonSession->SaParams. If no acceptable\r
- // porposal found, return EFI_INVALID_PARAMETER.\r
- //\r
- if (!Ikev2ChildSaParseSaPayload (ChildSaSession, SaPayload, IkePacket->Header->Flags)) {\r
- return EFI_INVALID_PARAMETER;\r
- }\r
-\r
- //\r
- // 4. Parse TSi, TSr payloads.\r
- //\r
- if ((((TRAFFIC_SELECTOR *)(TsiPayload->PayloadBuf + sizeof (IKEV2_TS)))->IpProtocolId !=\r
- ((TRAFFIC_SELECTOR *)(TsrPayload->PayloadBuf + sizeof (IKEV2_TS)))->IpProtocolId) &&\r
- (((TRAFFIC_SELECTOR *)(TsiPayload->PayloadBuf + sizeof (IKEV2_TS)))->IpProtocolId != 0) &&\r
- (((TRAFFIC_SELECTOR *)(TsrPayload->PayloadBuf + sizeof (IKEV2_TS)))->IpProtocolId != 0)\r
- ) {\r
- return EFI_INVALID_PARAMETER;\r
- }\r
-\r
- if (!IkeSaSession->SessionCommon.IsInitiator) {\r
- //\r
- //TODO:check the Port range. Only support any port and one certain port here.\r
- //\r
- ChildSaSession->ProtoId = ((TRAFFIC_SELECTOR *)(TsrPayload->PayloadBuf + sizeof (IKEV2_TS)))->IpProtocolId;\r
- ChildSaSession->LocalPort = ((TRAFFIC_SELECTOR *)(TsrPayload->PayloadBuf + sizeof (IKEV2_TS)))->StartPort;\r
- ChildSaSession->RemotePort = ((TRAFFIC_SELECTOR *)(TsiPayload->PayloadBuf + sizeof (IKEV2_TS)))->StartPort;\r
- //\r
- // Association a SPD with this SA.\r
- //\r
- Status = Ikev2ChildSaAssociateSpdEntry (ChildSaSession);\r
- if (EFI_ERROR (Status)) {\r
- return EFI_INVALID_PARAMETER;\r
- }\r
- //\r
- // Associate the IkeSaSession's SPD to the first ChildSaSession's SPD.\r
- //\r
- if (ChildSaSession->IkeSaSession->Spd == NULL) {\r
- ChildSaSession->IkeSaSession->Spd = ChildSaSession->Spd;\r
- Status = Ikev2ChildSaSessionSpdSelectorCreate (ChildSaSession);\r
- if (EFI_ERROR (Status)) {\r
- return Status;\r
- }\r
- }\r
- } else {\r
- //\r
- //TODO:check the Port range.\r
- //\r
- if ((((TRAFFIC_SELECTOR *)(TsrPayload->PayloadBuf + sizeof (IKEV2_TS)))->StartPort != 0) &&\r
- (((TRAFFIC_SELECTOR *)(TsrPayload->PayloadBuf + sizeof (IKEV2_TS)))->StartPort != ChildSaSession->RemotePort)\r
- ) {\r
- return EFI_INVALID_PARAMETER;\r
- }\r
- if ((((TRAFFIC_SELECTOR *)(TsiPayload->PayloadBuf + sizeof (IKEV2_TS)))->StartPort != 0) &&\r
- (((TRAFFIC_SELECTOR *)(TsiPayload->PayloadBuf + sizeof (IKEV2_TS)))->StartPort != ChildSaSession->LocalPort)\r
- ) {\r
- return EFI_INVALID_PARAMETER;\r
- }\r
- //\r
- // For the tunnel mode, it should add the vitual IP address into the SA's SPD Selector.\r
- //\r
- if (ChildSaSession->Spd->Data->ProcessingPolicy->Mode == EfiIPsecTunnel) {\r
- if (!ChildSaSession->IkeSaSession->SessionCommon.IsInitiator) {\r
- //\r
- // If it is tunnel mode, the UEFI part must be the initiator.\r
- //\r
- return EFI_INVALID_PARAMETER;\r
- }\r
- //\r
- // Get the Virtual IP address from the Tsi traffic selector.\r
- // TODO: check the CFG reply payload\r
- //\r
- CopyMem (\r
- &ChildSaSession->SpdSelector->LocalAddress[0].Address,\r
- TsiPayload->PayloadBuf + sizeof (IKEV2_TS) + sizeof (TRAFFIC_SELECTOR),\r
- (ChildSaSession->SessionCommon.UdpService->IpVersion == IP_VERSION_4) ?\r
- sizeof (EFI_IPv4_ADDRESS) : sizeof (EFI_IPv6_ADDRESS)\r
- );\r
- }\r
- }\r
-\r
- //\r
- // 5. Generate keymats for IPsec protocol.\r
- //\r
- Status = Ikev2GenerateChildSaKeys (ChildSaSession, NULL);\r
- if (EFI_ERROR (Status)) {\r
- return Status;\r
- }\r
-\r
- if (IkeSaSession->SessionCommon.IsInitiator) {\r
- //\r
- // 6. Change the state of IkeSaSession\r
- //\r
- IKEV2_DUMP_STATE (IkeSaSession->SessionCommon.State, IkeStateIkeSaEstablished);\r
- IkeSaSession->SessionCommon.State = IkeStateIkeSaEstablished;\r
- }\r
-\r
- return EFI_SUCCESS;\r
-}\r
-\r
-/**\r
- Gernerates IKEv2 packet for IKE_SA_INIT exchange.\r
-\r
- @param[in] SaSession Pointer to IKEV2_SA_SESSION related to the exchange.\r
- @param[in] Context Context Data passed by caller.\r
-\r
- @retval EFI_SUCCESS The IKE packet generation succeeded.\r
- @retval Others The IKE packet generation failed.\r
-\r
-**/\r
-IKE_PACKET*\r
-Ikev2InitCertGenerator (\r
- IN UINT8 *SaSession,\r
- IN VOID *Context\r
- )\r
-{\r
- IKE_PACKET *IkePacket;\r
- IKE_PAYLOAD *CertReqPayload;\r
- LIST_ENTRY *Node;\r
- IKE_PAYLOAD *NoncePayload;\r
-\r
- if (!FeaturePcdGet (PcdIpsecCertificateEnabled)) {\r
- return NULL;\r
- }\r
-\r
- //\r
- // The first two messages exchange is same between PSK and Cert.\r
- //\r
- IkePacket = Ikev2InitPskGenerator (SaSession, Context);\r
-\r
- if ((IkePacket != NULL) && (!((IKEV2_SA_SESSION *)SaSession)->SessionCommon.IsInitiator)) {\r
- //\r
- // Add the Certification Request Payload\r
- //\r
- CertReqPayload = Ikev2GenerateCertificatePayload (\r
- (IKEV2_SA_SESSION *)SaSession,\r
- IKEV2_PAYLOAD_TYPE_NONE,\r
- (UINT8*)PcdGetPtr(PcdIpsecUefiCaFile),\r
- PcdGet32(PcdIpsecUefiCaFileSize),\r
- IKEV2_CERT_ENCODEING_HASH_AND_URL_OF_X509_CERT,\r
- TRUE\r
- );\r
- //\r
- // Change Nonce Payload Next payload type.\r
- //\r
- IKE_PACKET_END_PAYLOAD (IkePacket, Node);\r
- NoncePayload = IKE_PAYLOAD_BY_PACKET (Node);\r
- ((IKEV2_NONCE *)NoncePayload->PayloadBuf)->Header.NextPayload = IKEV2_PAYLOAD_TYPE_CERTREQ;\r
-\r
- //\r
- // Add Certification Request Payload\r
- //\r
- IKE_PACKET_APPEND_PAYLOAD (IkePacket, CertReqPayload);\r
- }\r
-\r
- return IkePacket;\r
-}\r
-\r
-/**\r
- Parses the IKEv2 packet for IKE_SA_INIT exchange.\r
-\r
- @param[in] SaSession Pointer to IKEV2_SA_SESSION related to the exchange.\r
- @param[in] IkePacket The received IKEv2 packet to be parsed.\r
-\r
- @retval EFI_SUCCESS The IKEv2 packet is acceptable and the relative data is\r
- saved for furthure communication.\r
- @retval EFI_INVALID_PARAMETER The IKE packet is malformed or the SA proposal is unacceptable.\r
- @retval EFI_UNSUPPORTED The certificate authentication is not supported.\r
-\r
-**/\r
-EFI_STATUS\r
-Ikev2InitCertParser (\r
- IN UINT8 *SaSession,\r
- IN IKE_PACKET *IkePacket\r
- )\r
-{\r
- if (!FeaturePcdGet (PcdIpsecCertificateEnabled)) {\r
- return EFI_UNSUPPORTED;\r
- }\r
-\r
- //\r
- // The first two messages exchange is same between PSK and Cert.\r
- // Todo: Parse Certificate Request from responder Initial Exchange.\r
- //\r
- return Ikev2InitPskParser (SaSession, IkePacket);\r
-}\r
-\r
-/**\r
- Generates the IKEv2 packet for IKE_AUTH exchange.\r
-\r
- @param[in] SaSession Pointer to IKEV2_SA_SESSION.\r
- @param[in] Context Context data passed by caller.\r
-\r
- @retval Pointer to IKEv2 Packet to be sent out.\r
-\r
-**/\r
-IKE_PACKET *\r
-Ikev2AuthCertGenerator (\r
- IN UINT8 *SaSession,\r
- IN VOID *Context\r
- )\r
-{\r
- IKE_PACKET *IkePacket;\r
- IKEV2_SA_SESSION *IkeSaSession;\r
- IKE_PAYLOAD *IdPayload;\r
- IKE_PAYLOAD *AuthPayload;\r
- IKE_PAYLOAD *SaPayload;\r
- IKE_PAYLOAD *TsiPayload;\r
- IKE_PAYLOAD *TsrPayload;\r
- IKE_PAYLOAD *NotifyPayload;\r
- IKE_PAYLOAD *CpPayload;\r
- IKE_PAYLOAD *CertPayload;\r
- IKE_PAYLOAD *CertReqPayload;\r
- IKEV2_CHILD_SA_SESSION *ChildSaSession;\r
-\r
- if (!FeaturePcdGet (PcdIpsecCertificateEnabled)) {\r
- return NULL;\r
- }\r
-\r
- IkeSaSession = (IKEV2_SA_SESSION *) SaSession;\r
- ChildSaSession = IKEV2_CHILD_SA_SESSION_BY_IKE_SA (GetFirstNode (&IkeSaSession->ChildSaSessionList));\r
-\r
- IkePacket = NULL;\r
- IdPayload = NULL;\r
- AuthPayload = NULL;\r
- CpPayload = NULL;\r
- SaPayload = NULL;\r
- TsiPayload = NULL;\r
- TsrPayload = NULL;\r
- NotifyPayload = NULL;\r
- CertPayload = NULL;\r
- CertReqPayload = NULL;\r
-\r
- //\r
- // 1. Allocate IKE Packet\r
- //\r
- IkePacket= IkePacketAlloc ();\r
- if (IkePacket == NULL) {\r
- return NULL;\r
- }\r
-\r
- //\r
- // 1.a Fill the IkePacket Header.\r
- //\r
- IkePacket->Header->ExchangeType = IKEV2_EXCHANGE_TYPE_AUTH;\r
- IkePacket->Header->InitiatorCookie = IkeSaSession->InitiatorCookie;\r
- IkePacket->Header->ResponderCookie = IkeSaSession->ResponderCookie;\r
- IkePacket->Header->Version = (UINT8)(2 << 4);\r
- if (ChildSaSession->SessionCommon.IsInitiator) {\r
- IkePacket->Header->NextPayload = IKEV2_PAYLOAD_TYPE_ID_INIT;\r
- } else {\r
- IkePacket->Header->NextPayload = IKEV2_PAYLOAD_TYPE_ID_RSP;\r
- }\r
-\r
- //\r
- // According to RFC4306_2.2, For the IKE_SA_INIT message the MessageID should\r
- // be always number 0 and 1;\r
- //\r
- IkePacket->Header->MessageId = 1;\r
-\r
- if (IkeSaSession->SessionCommon.IsInitiator) {\r
- IkePacket->Header->Flags = IKE_HEADER_FLAGS_INIT;\r
- } else {\r
- IkePacket->Header->Flags = IKE_HEADER_FLAGS_RESPOND;\r
- }\r
-\r
- //\r
- // 2. Generate ID Payload according to IP version and address.\r
- //\r
- IdPayload = Ikev2GenerateCertIdPayload (\r
- &IkeSaSession->SessionCommon,\r
- IKEV2_PAYLOAD_TYPE_CERT,\r
- (UINT8 *)PcdGetPtr (PcdIpsecUefiCertificate),\r
- PcdGet32 (PcdIpsecUefiCertificateSize)\r
- );\r
- if (IdPayload == NULL) {\r
- goto CheckError;\r
- }\r
-\r
- //\r
- // 3. Generate Certificate Payload\r
- //\r
- CertPayload = Ikev2GenerateCertificatePayload (\r
- IkeSaSession,\r
- (UINT8)(IkeSaSession->SessionCommon.IsInitiator ? IKEV2_PAYLOAD_TYPE_CERTREQ : IKEV2_PAYLOAD_TYPE_AUTH),\r
- (UINT8 *)PcdGetPtr (PcdIpsecUefiCertificate),\r
- PcdGet32 (PcdIpsecUefiCertificateSize),\r
- IKEV2_CERT_ENCODEING_X509_CERT_SIGN,\r
- FALSE\r
- );\r
- if (CertPayload == NULL) {\r
- goto CheckError;\r
- }\r
-\r
- if (IkeSaSession->SessionCommon.IsInitiator) {\r
- CertReqPayload = Ikev2GenerateCertificatePayload (\r
- IkeSaSession,\r
- IKEV2_PAYLOAD_TYPE_AUTH,\r
- (UINT8 *)PcdGetPtr (PcdIpsecUefiCertificate),\r
- PcdGet32 (PcdIpsecUefiCertificateSize),\r
- IKEV2_CERT_ENCODEING_HASH_AND_URL_OF_X509_CERT,\r
- TRUE\r
- );\r
- if (CertReqPayload == NULL) {\r
- goto CheckError;\r
- }\r
- }\r
-\r
- //\r
- // 4. Generate Auth Payload\r
- // If it is tunnel mode, should create the configuration payload after the\r
- // Auth payload.\r
- //\r
- if (IkeSaSession->Spd->Data->ProcessingPolicy->Mode == EfiIPsecTransport) {\r
- AuthPayload = Ikev2CertGenerateAuthPayload (\r
- ChildSaSession->IkeSaSession,\r
- IdPayload,\r
- IKEV2_PAYLOAD_TYPE_SA,\r
- FALSE,\r
- (UINT8 *)PcdGetPtr (PcdIpsecUefiCertificateKey),\r
- PcdGet32 (PcdIpsecUefiCertificateKeySize),\r
- ChildSaSession->IkeSaSession->Pad->Data->AuthData,\r
- ChildSaSession->IkeSaSession->Pad->Data->AuthDataSize\r
- );\r
- } else {\r
- AuthPayload = Ikev2CertGenerateAuthPayload (\r
- ChildSaSession->IkeSaSession,\r
- IdPayload,\r
- IKEV2_PAYLOAD_TYPE_CP,\r
- FALSE,\r
- (UINT8 *)PcdGetPtr (PcdIpsecUefiCertificateKey),\r
- PcdGet32 (PcdIpsecUefiCertificateKeySize),\r
- ChildSaSession->IkeSaSession->Pad->Data->AuthData,\r
- ChildSaSession->IkeSaSession->Pad->Data->AuthDataSize\r
- );\r
- if (IkeSaSession->SessionCommon.UdpService->IpVersion == IP_VERSION_4) {\r
- CpPayload = Ikev2GenerateCpPayload (\r
- ChildSaSession->IkeSaSession,\r
- IKEV2_PAYLOAD_TYPE_SA,\r
- IKEV2_CFG_ATTR_INTERNAL_IP4_ADDRESS\r
- );\r
- } else {\r
- CpPayload = Ikev2GenerateCpPayload (\r
- ChildSaSession->IkeSaSession,\r
- IKEV2_PAYLOAD_TYPE_SA,\r
- IKEV2_CFG_ATTR_INTERNAL_IP6_ADDRESS\r
- );\r
- }\r
-\r
- if (CpPayload == NULL) {\r
- goto CheckError;\r
- }\r
- }\r
-\r
- if (AuthPayload == NULL) {\r
- goto CheckError;\r
- }\r
-\r
- //\r
- // 5. Generate SA Payload according to the Sa Data in ChildSaSession\r
- //\r
- SaPayload = Ikev2GenerateSaPayload (\r
- ChildSaSession->SaData,\r
- IKEV2_PAYLOAD_TYPE_TS_INIT,\r
- IkeSessionTypeChildSa\r
- );\r
- if (SaPayload == NULL) {\r
- goto CheckError;\r
- }\r
-\r
- if (IkeSaSession->Spd->Data->ProcessingPolicy->Mode == EfiIPsecTransport) {\r
- //\r
- // Generate Tsi and Tsr.\r
- //\r
- TsiPayload = Ikev2GenerateTsPayload (\r
- ChildSaSession,\r
- IKEV2_PAYLOAD_TYPE_TS_RSP,\r
- FALSE\r
- );\r
-\r
- TsrPayload = Ikev2GenerateTsPayload (\r
- ChildSaSession,\r
- IKEV2_PAYLOAD_TYPE_NOTIFY,\r
- FALSE\r
- );\r
-\r
- //\r
- // Generate Notify Payload. If transport mode, there should have Notify\r
- // payload with TRANSPORT_MODE notification.\r
- //\r
- NotifyPayload = Ikev2GenerateNotifyPayload (\r
- 0,\r
- IKEV2_PAYLOAD_TYPE_NONE,\r
- 0,\r
- IKEV2_NOTIFICATION_USE_TRANSPORT_MODE,\r
- NULL,\r
- NULL,\r
- 0\r
- );\r
- if (NotifyPayload == NULL) {\r
- goto CheckError;\r
- }\r
- } else {\r
- //\r
- // Generate Tsr for Tunnel mode.\r
- //\r
- TsiPayload = Ikev2GenerateTsPayload (\r
- ChildSaSession,\r
- IKEV2_PAYLOAD_TYPE_TS_RSP,\r
- TRUE\r
- );\r
- TsrPayload = Ikev2GenerateTsPayload (\r
- ChildSaSession,\r
- IKEV2_PAYLOAD_TYPE_NONE,\r
- FALSE\r
- );\r
- }\r
-\r
- if (TsiPayload == NULL || TsrPayload == NULL) {\r
- goto CheckError;\r
- }\r
-\r
- IKE_PACKET_APPEND_PAYLOAD (IkePacket, IdPayload);\r
- IKE_PACKET_APPEND_PAYLOAD (IkePacket, CertPayload);\r
- if (IkeSaSession->SessionCommon.IsInitiator) {\r
- IKE_PACKET_APPEND_PAYLOAD (IkePacket, CertReqPayload);\r
- }\r
- IKE_PACKET_APPEND_PAYLOAD (IkePacket, AuthPayload);\r
- if (IkeSaSession->Spd->Data->ProcessingPolicy->Mode == EfiIPsecTunnel) {\r
- IKE_PACKET_APPEND_PAYLOAD (IkePacket, CpPayload);\r
- }\r
- IKE_PACKET_APPEND_PAYLOAD (IkePacket, SaPayload);\r
- IKE_PACKET_APPEND_PAYLOAD (IkePacket, TsiPayload);\r
- IKE_PACKET_APPEND_PAYLOAD (IkePacket, TsrPayload);\r
- if (IkeSaSession->Spd->Data->ProcessingPolicy->Mode == EfiIPsecTransport) {\r
- IKE_PACKET_APPEND_PAYLOAD (IkePacket, NotifyPayload);\r
- }\r
-\r
- return IkePacket;\r
-\r
-CheckError:\r
- if (IkePacket != NULL) {\r
- IkePacketFree (IkePacket);\r
- }\r
-\r
- if (IdPayload != NULL) {\r
- IkePayloadFree (IdPayload);\r
- }\r
-\r
- if (CertPayload != NULL) {\r
- IkePayloadFree (CertPayload);\r
- }\r
-\r
- if (CertReqPayload != NULL) {\r
- IkePayloadFree (CertReqPayload);\r
- }\r
-\r
- if (AuthPayload != NULL) {\r
- IkePayloadFree (AuthPayload);\r
- }\r
-\r
- if (CpPayload != NULL) {\r
- IkePayloadFree (CpPayload);\r
- }\r
-\r
- if (SaPayload != NULL) {\r
- IkePayloadFree (SaPayload);\r
- }\r
-\r
- if (TsiPayload != NULL) {\r
- IkePayloadFree (TsiPayload);\r
- }\r
-\r
- if (TsrPayload != NULL) {\r
- IkePayloadFree (TsrPayload);\r
- }\r
-\r
- if (NotifyPayload != NULL) {\r
- IkePayloadFree (NotifyPayload);\r
- }\r
-\r
- return NULL;\r
-}\r
-\r
-/**\r
- Parses IKE_AUTH packet.\r
-\r
- @param[in] SaSession Pointer to the IKE_SA_SESSION related to this packet.\r
- @param[in] IkePacket Pointer to the IKE_AUTH packet to be parsered.\r
-\r
- @retval EFI_INVALID_PARAMETER The IKEv2 packet is malformed or the SA\r
- proposal is unacceptable.\r
- @retval EFI_SUCCESS The IKE packet is acceptable and the\r
- relative data is saved for furthure communication.\r
- @retval EFI_UNSUPPORTED The certificate authentication is not supported.\r
-\r
-**/\r
-EFI_STATUS\r
-Ikev2AuthCertParser (\r
- IN UINT8 *SaSession,\r
- IN IKE_PACKET *IkePacket\r
- )\r
-{\r
- IKEV2_CHILD_SA_SESSION *ChildSaSession;\r
- IKEV2_SA_SESSION *IkeSaSession;\r
- IKE_PAYLOAD *IkePayload;\r
- IKE_PAYLOAD *SaPayload;\r
- IKE_PAYLOAD *IdiPayload;\r
- IKE_PAYLOAD *IdrPayload;\r
- IKE_PAYLOAD *AuthPayload;\r
- IKE_PAYLOAD *TsiPayload;\r
- IKE_PAYLOAD *TsrPayload;\r
- IKE_PAYLOAD *CertPayload;\r
- IKE_PAYLOAD *VerifiedAuthPayload;\r
- LIST_ENTRY *Entry;\r
- EFI_STATUS Status;\r
-\r
- if (!FeaturePcdGet (PcdIpsecCertificateEnabled)) {\r
- return EFI_UNSUPPORTED;\r
- }\r
-\r
- IkeSaSession = (IKEV2_SA_SESSION *) SaSession;\r
- ChildSaSession = IKEV2_CHILD_SA_SESSION_BY_IKE_SA (GetFirstNode (&IkeSaSession->ChildSaSessionList));\r
-\r
- SaPayload = NULL;\r
- IdiPayload = NULL;\r
- IdrPayload = NULL;\r
- AuthPayload = NULL;\r
- TsiPayload = NULL;\r
- TsrPayload = NULL;\r
- CertPayload = NULL;\r
- VerifiedAuthPayload = NULL;\r
- Status = EFI_INVALID_PARAMETER;\r
-\r
- //\r
- // Iterate payloads to find the SaPayload/ID/AUTH/TS Payload.\r
- //\r
- NET_LIST_FOR_EACH (Entry, &(IkePacket)->PayloadList) {\r
- IkePayload = IKE_PAYLOAD_BY_PACKET (Entry);\r
-\r
- if (IkePayload->PayloadType == IKEV2_PAYLOAD_TYPE_ID_INIT) {\r
- IdiPayload = IkePayload;\r
- }\r
- if (IkePayload->PayloadType == IKEV2_PAYLOAD_TYPE_ID_RSP) {\r
- IdrPayload = IkePayload;\r
- }\r
-\r
- if (IkePayload->PayloadType == IKEV2_PAYLOAD_TYPE_SA) {\r
- SaPayload = IkePayload;\r
- }\r
- if (IkePayload->PayloadType == IKEV2_PAYLOAD_TYPE_AUTH) {\r
- AuthPayload = IkePayload;\r
- }\r
- if (IkePayload->PayloadType == IKEV2_PAYLOAD_TYPE_TS_INIT) {\r
- TsiPayload = IkePayload;\r
- }\r
- if (IkePayload->PayloadType == IKEV2_PAYLOAD_TYPE_TS_RSP) {\r
- TsrPayload = IkePayload;\r
- }\r
- if (IkePayload->PayloadType == IKEV2_PAYLOAD_TYPE_CERT) {\r
- CertPayload = IkePayload;\r
- }\r
- }\r
-\r
- if ((SaPayload == NULL) || (AuthPayload == NULL) || (TsiPayload == NULL) ||\r
- (TsrPayload == NULL) || (CertPayload == NULL)) {\r
- goto Exit;\r
- }\r
- if ((IdiPayload == NULL) && (IdrPayload == NULL)) {\r
- goto Exit;\r
- }\r
-\r
- //\r
- // Check IkePacket Header is match the state\r
- //\r
- if (IkeSaSession->SessionCommon.IsInitiator) {\r
-\r
- //\r
- // 1. Check the IkePacket->Hdr == IKE_HEADER_FLAGS_RESPOND\r
- //\r
- if ((IkePacket->Header->Flags != IKE_HEADER_FLAGS_RESPOND) ||\r
- (IkePacket->Header->ExchangeType != IKEV2_EXCHANGE_TYPE_AUTH)) {\r
- goto Exit;\r
- }\r
- } else {\r
- //\r
- // 1. Check the IkePacket->Hdr == IKE_HEADER_FLAGS_INIT\r
- //\r
- if ((IkePacket->Header->Flags != IKE_HEADER_FLAGS_INIT) ||\r
- (IkePacket->Header->ExchangeType != IKEV2_EXCHANGE_TYPE_AUTH)) {\r
- goto Exit;\r
- }\r
- }\r
-\r
- //\r
- // Verify the Auth Payload.\r
- //\r
- VerifiedAuthPayload = Ikev2CertGenerateAuthPayload (\r
- IkeSaSession,\r
- IkeSaSession->SessionCommon.IsInitiator ? IdrPayload:IdiPayload,\r
- IKEV2_PAYLOAD_TYPE_SA,\r
- TRUE,\r
- NULL,\r
- 0,\r
- NULL,\r
- 0\r
- );\r
-\r
- if ((VerifiedAuthPayload != NULL) &&\r
- (!IpSecCryptoIoVerifySignDataByCertificate (\r
- CertPayload->PayloadBuf + sizeof (IKEV2_CERT),\r
- CertPayload->PayloadSize - sizeof (IKEV2_CERT),\r
- (UINT8 *)PcdGetPtr (PcdIpsecUefiCaFile),\r
- PcdGet32 (PcdIpsecUefiCaFileSize),\r
- VerifiedAuthPayload->PayloadBuf + sizeof (IKEV2_AUTH),\r
- VerifiedAuthPayload->PayloadSize - sizeof (IKEV2_AUTH),\r
- AuthPayload->PayloadBuf + sizeof (IKEV2_AUTH),\r
- AuthPayload->PayloadSize - sizeof (IKEV2_AUTH)\r
- ))) {\r
- goto Exit;\r
- }\r
-\r
- //\r
- // 3. Parse the SA Payload to find out the cryptographic suite\r
- // and fill in the SA paramse into CommonSession->SaParams. If no acceptable\r
- // porposal found, return EFI_INVALID_PARAMETER.\r
- //\r
- if (!Ikev2ChildSaParseSaPayload (ChildSaSession, SaPayload, IkePacket->Header->Flags)) {\r
- goto Exit;\r
- }\r
-\r
- //\r
- // 4. Parse TSi, TSr payloads.\r
- //\r
- if ((((TRAFFIC_SELECTOR *)(TsiPayload->PayloadBuf + sizeof (IKEV2_TS)))->IpProtocolId !=\r
- ((TRAFFIC_SELECTOR *)(TsrPayload->PayloadBuf + sizeof (IKEV2_TS)))->IpProtocolId) &&\r
- (((TRAFFIC_SELECTOR *)(TsiPayload->PayloadBuf + sizeof (IKEV2_TS)))->IpProtocolId != 0) &&\r
- (((TRAFFIC_SELECTOR *)(TsrPayload->PayloadBuf + sizeof (IKEV2_TS)))->IpProtocolId != 0)\r
- ) {\r
- goto Exit;\r
- }\r
-\r
- if (!IkeSaSession->SessionCommon.IsInitiator) {\r
- //\r
- //Todo:check the Port range. Only support any port and one certain port here.\r
- //\r
- ChildSaSession->ProtoId = ((TRAFFIC_SELECTOR *)(TsrPayload->PayloadBuf + sizeof (IKEV2_TS)))->IpProtocolId;\r
- ChildSaSession->LocalPort = ((TRAFFIC_SELECTOR *)(TsrPayload->PayloadBuf + sizeof (IKEV2_TS)))->StartPort;\r
- ChildSaSession->RemotePort = ((TRAFFIC_SELECTOR *)(TsiPayload->PayloadBuf + sizeof (IKEV2_TS)))->StartPort;\r
- //\r
- // Association a SPD with this SA.\r
- //\r
- if (EFI_ERROR (Ikev2ChildSaAssociateSpdEntry (ChildSaSession))) {\r
- goto Exit;\r
- }\r
- //\r
- // Associate the IkeSaSession's SPD to the first ChildSaSession's SPD.\r
- //\r
- if (ChildSaSession->IkeSaSession->Spd == NULL) {\r
- ChildSaSession->IkeSaSession->Spd = ChildSaSession->Spd;\r
- Status = Ikev2ChildSaSessionSpdSelectorCreate (ChildSaSession);\r
- if (EFI_ERROR (Status)) {\r
- goto Exit;\r
- }\r
- }\r
- } else {\r
- //\r
- // Todo:check the Port range.\r
- //\r
- if ((((TRAFFIC_SELECTOR *)(TsrPayload->PayloadBuf + sizeof (IKEV2_TS)))->StartPort != 0) &&\r
- (((TRAFFIC_SELECTOR *)(TsrPayload->PayloadBuf + sizeof (IKEV2_TS)))->StartPort != ChildSaSession->RemotePort)\r
- ) {\r
- goto Exit;\r
- }\r
- if ((((TRAFFIC_SELECTOR *)(TsiPayload->PayloadBuf + sizeof (IKEV2_TS)))->StartPort != 0) &&\r
- (((TRAFFIC_SELECTOR *)(TsiPayload->PayloadBuf + sizeof (IKEV2_TS)))->StartPort != ChildSaSession->LocalPort)\r
- ) {\r
- goto Exit;\r
- }\r
- //\r
- // For the tunnel mode, it should add the vitual IP address into the SA's SPD Selector.\r
- //\r
- if (ChildSaSession->Spd->Data->ProcessingPolicy->Mode == EfiIPsecTunnel) {\r
- if (!ChildSaSession->IkeSaSession->SessionCommon.IsInitiator) {\r
- //\r
- // If it is tunnel mode, the UEFI part must be the initiator.\r
- //\r
- goto Exit;\r
- }\r
- //\r
- // Get the Virtual IP address from the Tsi traffic selector.\r
- // TODO: check the CFG reply payload\r
- //\r
- CopyMem (\r
- &ChildSaSession->SpdSelector->LocalAddress[0].Address,\r
- TsiPayload->PayloadBuf + sizeof (IKEV2_TS) + sizeof (TRAFFIC_SELECTOR),\r
- (ChildSaSession->SessionCommon.UdpService->IpVersion == IP_VERSION_4) ?\r
- sizeof (EFI_IPv4_ADDRESS) : sizeof (EFI_IPv6_ADDRESS)\r
- );\r
- }\r
- }\r
-\r
- //\r
- // 5. Generat keymats for IPsec protocol.\r
- //\r
- Status = Ikev2GenerateChildSaKeys (ChildSaSession, NULL);\r
- if (EFI_ERROR (Status)) {\r
- goto Exit;\r
- }\r
-\r
- if (IkeSaSession->SessionCommon.IsInitiator) {\r
- //\r
- // 6. Change the state of IkeSaSession\r
- //\r
- IKEV2_DUMP_STATE (IkeSaSession->SessionCommon.State, IkeStateIkeSaEstablished);\r
- IkeSaSession->SessionCommon.State = IkeStateIkeSaEstablished;\r
- }\r
-\r
- Status = EFI_SUCCESS;\r
-\r
-Exit:\r
- if (VerifiedAuthPayload != NULL) {\r
- IkePayloadFree (VerifiedAuthPayload);\r
- }\r
- return Status;\r
-}\r
-\r
-/**\r
- Generates the DH Public Key.\r
-\r
- This generates the DH local public key and store it in the IKE SA Session's GxBuffer.\r
-\r
- @param[in] IkeSaSession Pointer to related IKE SA Session.\r
-\r
- @retval EFI_SUCCESS The operation succeeded.\r
- @retval Others The operation failed.\r
-\r
-**/\r
-EFI_STATUS\r
-Ikev2GenerateSaDhPublicKey (\r
- IN IKEV2_SA_SESSION *IkeSaSession\r
- )\r
-{\r
- EFI_STATUS Status;\r
- IKEV2_SESSION_KEYS *IkeKeys;\r
-\r
- IkeSaSession->IkeKeys = AllocateZeroPool (sizeof (IKEV2_SESSION_KEYS));\r
- if (IkeSaSession->IkeKeys == NULL) {\r
- return EFI_OUT_OF_RESOURCES;\r
- }\r
-\r
- IkeKeys = IkeSaSession->IkeKeys;\r
- IkeKeys->DhBuffer = AllocateZeroPool (sizeof (IKEV2_DH_BUFFER));\r
- if (IkeKeys->DhBuffer == NULL) {\r
- FreePool (IkeSaSession->IkeKeys);\r
- return EFI_OUT_OF_RESOURCES;\r
- }\r
-\r
- //\r
- // Init DH with the certain DH Group Description.\r
- //\r
- IkeKeys->DhBuffer->GxSize = OakleyModpGroup[(UINT8)IkeSaSession->SessionCommon.PreferDhGroup].Size >> 3;\r
- IkeKeys->DhBuffer->GxBuffer = AllocateZeroPool (IkeKeys->DhBuffer->GxSize);\r
- if (IkeKeys->DhBuffer->GxBuffer == NULL) {\r
- FreePool (IkeKeys->DhBuffer);\r
- FreePool (IkeSaSession->IkeKeys);\r
- return EFI_OUT_OF_RESOURCES;\r
- }\r
-\r
- //\r
- // Get X PublicKey\r
- //\r
- Status = IpSecCryptoIoDhGetPublicKey (\r
- &IkeKeys->DhBuffer->DhContext,\r
- OakleyModpGroup[(UINT8)IkeSaSession->SessionCommon.PreferDhGroup].GroupGenerator,\r
- OakleyModpGroup[(UINT8)IkeSaSession->SessionCommon.PreferDhGroup].Size,\r
- OakleyModpGroup[(UINT8)IkeSaSession->SessionCommon.PreferDhGroup].Modulus,\r
- IkeKeys->DhBuffer->GxBuffer,\r
- &IkeKeys->DhBuffer->GxSize\r
- );\r
- if (EFI_ERROR (Status)) {\r
- DEBUG ((DEBUG_ERROR, "Error CPLKeyManGetKeyParam X public key error Status = %r\n", Status));\r
-\r
- FreePool (IkeKeys->DhBuffer->GxBuffer);\r
-\r
- FreePool (IkeKeys->DhBuffer);\r
-\r
- FreePool (IkeSaSession->IkeKeys);\r
-\r
- return Status;\r
- }\r
-\r
- IPSEC_DUMP_BUF ("DH Public Key (g^x) Dump", IkeKeys->DhBuffer->GxBuffer, IkeKeys->DhBuffer->GxSize);\r
-\r
- return EFI_SUCCESS;\r
-}\r
-\r
-/**\r
- Computes the DH Shared/Exchange Key.\r
-\r
- Given peer's public key, this function computes the exchanged common key and\r
- stores it in the IKEv2 SA Session's GxyBuffer.\r
-\r
- @param[in] DhBuffer Pointer to buffer of peer's puliic key.\r
- @param[in] KePayload Pointer to received key payload.\r
-\r
- @retval EFI_SUCCESS The operation succeeded.\r
- @retval Otherwise The operation failed.\r
-\r
-**/\r
-EFI_STATUS\r
-Ikev2GenerateSaDhComputeKey (\r
- IN IKEV2_DH_BUFFER *DhBuffer,\r
- IN IKE_PAYLOAD *KePayload\r
- )\r
-{\r
- EFI_STATUS Status;\r
- IKEV2_KEY_EXCHANGE *Ke;\r
- UINT8 *PubKey;\r
- UINTN PubKeySize;\r
-\r
- Ke = (IKEV2_KEY_EXCHANGE *) KePayload->PayloadBuf;\r
- PubKey = (UINT8 *) (Ke + 1);\r
- PubKeySize = KePayload->PayloadSize - sizeof (IKEV2_KEY_EXCHANGE);\r
- DhBuffer->GxySize = DhBuffer->GxSize;\r
- DhBuffer->GxyBuffer = AllocateZeroPool (DhBuffer->GxySize);\r
- if (DhBuffer->GxyBuffer == NULL) {\r
- return EFI_OUT_OF_RESOURCES;\r
- }\r
-\r
- //\r
- // Get GxyBuf\r
- //\r
- Status = IpSecCryptoIoDhComputeKey (\r
- DhBuffer->DhContext,\r
- PubKey,\r
- PubKeySize,\r
- DhBuffer->GxyBuffer,\r
- &DhBuffer->GxySize\r
- );\r
- if (EFI_ERROR (Status)) {\r
- DEBUG ((DEBUG_ERROR, "Error CPLKeyManGetKeyParam Y session key error Status = %r\n", Status));\r
-\r
- FreePool (DhBuffer->GxyBuffer);\r
-\r
- return Status;\r
- }\r
-\r
- //\r
- // Create GxyBuf.\r
- //\r
- DhBuffer->GySize = PubKeySize;\r
- DhBuffer->GyBuffer = AllocateZeroPool (DhBuffer->GySize);\r
- if (DhBuffer->GyBuffer == NULL) {\r
- FreePool (DhBuffer->GxyBuffer);\r
-\r
- return Status;\r
- }\r
-\r
- CopyMem (DhBuffer->GyBuffer, PubKey, DhBuffer->GySize);\r
-\r
- IPSEC_DUMP_BUF ("DH Public Key (g^y) Dump", DhBuffer->GyBuffer, DhBuffer->GySize);\r
- IPSEC_DUMP_BUF ("DH Shared Key (g^xy) Dump", DhBuffer->GxyBuffer, DhBuffer->GxySize);\r
-\r
- return EFI_SUCCESS;\r
-}\r
-\r
-/**\r
- Generates the IKE SKEYSEED and seven other secrets. SK_d, SK_ai, SK_ar, SK_ei, SK_er,\r
- SK_pi, SK_pr are keys for the furthure IKE exchange.\r
-\r
- @param[in] IkeSaSession Pointer to IKE SA Session.\r
- @param[in] KePayload Pointer to Key payload used to generate the Key.\r
-\r
- @retval EFI_UNSUPPORTED If one or more Algorithm Id is not supported.\r
- @retval EFI_OUT_OF_RESOURCES If there is no enough resource to be allocated to\r
- meet the requirement.\r
- @retval EFI_SUCCESS The operation succeeded.\r
-\r
-**/\r
-EFI_STATUS\r
-Ikev2GenerateSaKeys (\r
- IN IKEV2_SA_SESSION *IkeSaSession,\r
- IN IKE_PAYLOAD *KePayload\r
- )\r
-{\r
- EFI_STATUS Status;\r
- IKEV2_SA_PARAMS *SaParams;\r
- PRF_DATA_FRAGMENT Fragments[4];\r
- UINT64 InitiatorCookieNet;\r
- UINT64 ResponderCookieNet;\r
- UINT8 *KeyBuffer;\r
- UINTN KeyBufferSize;\r
- UINTN AuthAlgKeyLen;\r
- UINTN EncryptAlgKeyLen;\r
- UINTN IntegrityAlgKeyLen;\r
- UINTN PrfAlgKeyLen;\r
- UINT8 *OutputKey;\r
- UINTN OutputKeyLength;\r
- UINT8 *Digest;\r
- UINTN DigestSize;\r
-\r
- Digest = NULL;\r
- OutputKey = NULL;\r
- KeyBuffer = NULL;\r
- Status = EFI_SUCCESS;\r
-\r
- //\r
- // Generate Gxy\r
- //\r
- Status = Ikev2GenerateSaDhComputeKey (IkeSaSession->IkeKeys->DhBuffer, KePayload);\r
- if (EFI_ERROR (Status)) {\r
- goto Exit;\r
- }\r
-\r
- //\r
- // Get the key length of Authenticaion, Encryption, PRF, and Integrity.\r
- //\r
- SaParams = IkeSaSession->SessionCommon.SaParams;\r
- AuthAlgKeyLen = IpSecGetHmacDigestLength ((UINT8)SaParams->Prf);\r
- EncryptAlgKeyLen = IpSecGetEncryptKeyLength ((UINT8)SaParams->EncAlgId);\r
- IntegrityAlgKeyLen = IpSecGetHmacDigestLength ((UINT8)SaParams->IntegAlgId);\r
- PrfAlgKeyLen = IpSecGetHmacDigestLength ((UINT8)SaParams->Prf);\r
-\r
- //\r
- // If one or more algorithm is not support, return EFI_UNSUPPORTED.\r
- //\r
- if (AuthAlgKeyLen == 0 ||\r
- EncryptAlgKeyLen == 0 ||\r
- IntegrityAlgKeyLen == 0 ||\r
- PrfAlgKeyLen == 0\r
- ) {\r
- Status = EFI_UNSUPPORTED;\r
- goto Exit;\r
- }\r
-\r
- //\r
- // Compute SKEYSEED = prf(Ni | Nr, g^ir)\r
- //\r
- KeyBufferSize = IkeSaSession->NiBlkSize + IkeSaSession->NrBlkSize;\r
- KeyBuffer = AllocateZeroPool (KeyBufferSize);\r
- if (KeyBuffer == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto Exit;\r
- }\r
-\r
- CopyMem (KeyBuffer, IkeSaSession->NiBlock, IkeSaSession->NiBlkSize);\r
- CopyMem (KeyBuffer + IkeSaSession->NiBlkSize, IkeSaSession->NrBlock, IkeSaSession->NrBlkSize);\r
-\r
- Fragments[0].Data = IkeSaSession->IkeKeys->DhBuffer->GxyBuffer;\r
- Fragments[0].DataSize = IkeSaSession->IkeKeys->DhBuffer->GxySize;\r
-\r
- DigestSize = IpSecGetHmacDigestLength ((UINT8)SaParams->Prf);\r
- Digest = AllocateZeroPool (DigestSize);\r
-\r
- if (Digest == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto Exit;\r
- }\r
-\r
- IpSecCryptoIoHmac (\r
- (UINT8)SaParams->Prf,\r
- KeyBuffer,\r
- KeyBufferSize,\r
- (HASH_DATA_FRAGMENT *) Fragments,\r
- 1,\r
- Digest,\r
- DigestSize\r
- );\r
-\r
- //\r
- // {SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr } = prf+\r
- // (SKEYSEED, Ni | Nr | SPIi | SPIr )\r
- //\r
- Fragments[0].Data = IkeSaSession->NiBlock;\r
- Fragments[0].DataSize = IkeSaSession->NiBlkSize;\r
- Fragments[1].Data = IkeSaSession->NrBlock;\r
- Fragments[1].DataSize = IkeSaSession->NrBlkSize;\r
- InitiatorCookieNet = HTONLL (IkeSaSession->InitiatorCookie);\r
- ResponderCookieNet = HTONLL (IkeSaSession->ResponderCookie);\r
- Fragments[2].Data = (UINT8 *)(&InitiatorCookieNet);\r
- Fragments[2].DataSize = sizeof (IkeSaSession->InitiatorCookie);\r
- Fragments[3].Data = (UINT8 *)(&ResponderCookieNet);\r
- Fragments[3].DataSize = sizeof (IkeSaSession->ResponderCookie);\r
-\r
- IPSEC_DUMP_BUF (">>> NiBlock", IkeSaSession->NiBlock, IkeSaSession->NiBlkSize);\r
- IPSEC_DUMP_BUF (">>> NrBlock", IkeSaSession->NrBlock, IkeSaSession->NrBlkSize);\r
- IPSEC_DUMP_BUF (">>> InitiatorCookie", (UINT8 *)&IkeSaSession->InitiatorCookie, sizeof(UINT64));\r
- IPSEC_DUMP_BUF (">>> ResponderCookie", (UINT8 *)&IkeSaSession->ResponderCookie, sizeof(UINT64));\r
-\r
- OutputKeyLength = PrfAlgKeyLen +\r
- 2 * EncryptAlgKeyLen +\r
- 2 * AuthAlgKeyLen +\r
- 2 * IntegrityAlgKeyLen;\r
- OutputKey = AllocateZeroPool (OutputKeyLength);\r
- if (OutputKey == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto Exit;\r
- }\r
-\r
- //\r
- // Generate Seven Keymates.\r
- //\r
- Status = Ikev2SaGenerateKey (\r
- (UINT8)SaParams->Prf,\r
- Digest,\r
- DigestSize,\r
- OutputKey,\r
- OutputKeyLength,\r
- Fragments,\r
- 4\r
- );\r
- if (EFI_ERROR(Status)) {\r
- goto Exit;\r
- }\r
-\r
- //\r
- // Save the seven keys into KeySession.\r
- // First, SK_d\r
- //\r
- IkeSaSession->IkeKeys->SkdKey = AllocateZeroPool (PrfAlgKeyLen);\r
- if (IkeSaSession->IkeKeys->SkdKey == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto Exit;\r
- }\r
- IkeSaSession->IkeKeys->SkdKeySize = PrfAlgKeyLen;\r
- CopyMem (IkeSaSession->IkeKeys->SkdKey, OutputKey, PrfAlgKeyLen);\r
-\r
- IPSEC_DUMP_BUF (">>> SK_D Key", IkeSaSession->IkeKeys->SkdKey, PrfAlgKeyLen);\r
-\r
- //\r
- // Second, Sk_ai\r
- //\r
- IkeSaSession->IkeKeys->SkAiKey = AllocateZeroPool (IntegrityAlgKeyLen);\r
- if (IkeSaSession->IkeKeys->SkAiKey == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto Exit;\r
- }\r
- IkeSaSession->IkeKeys->SkAiKeySize = IntegrityAlgKeyLen;\r
- CopyMem (IkeSaSession->IkeKeys->SkAiKey, OutputKey + PrfAlgKeyLen, IntegrityAlgKeyLen);\r
-\r
- IPSEC_DUMP_BUF (">>> SK_Ai Key", IkeSaSession->IkeKeys->SkAiKey, IkeSaSession->IkeKeys->SkAiKeySize);\r
-\r
- //\r
- // Third, Sk_ar\r
- //\r
- IkeSaSession->IkeKeys->SkArKey = AllocateZeroPool (IntegrityAlgKeyLen);\r
- if (IkeSaSession->IkeKeys->SkArKey == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto Exit;\r
- }\r
- IkeSaSession->IkeKeys->SkArKeySize = IntegrityAlgKeyLen;\r
- CopyMem (\r
- IkeSaSession->IkeKeys->SkArKey,\r
- OutputKey + PrfAlgKeyLen + IntegrityAlgKeyLen,\r
- IntegrityAlgKeyLen\r
- );\r
-\r
- IPSEC_DUMP_BUF (">>> SK_Ar Key", IkeSaSession->IkeKeys->SkArKey, IkeSaSession->IkeKeys->SkArKeySize);\r
-\r
- //\r
- // Fourth, Sk_ei\r
- //\r
- IkeSaSession->IkeKeys->SkEiKey = AllocateZeroPool (EncryptAlgKeyLen);\r
- if (IkeSaSession->IkeKeys->SkEiKey == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto Exit;\r
- }\r
- IkeSaSession->IkeKeys->SkEiKeySize = EncryptAlgKeyLen;\r
-\r
- CopyMem (\r
- IkeSaSession->IkeKeys->SkEiKey,\r
- OutputKey + AuthAlgKeyLen + 2 * IntegrityAlgKeyLen,\r
- EncryptAlgKeyLen\r
- );\r
- IPSEC_DUMP_BUF (\r
- ">>> SK_Ei Key",\r
- OutputKey + AuthAlgKeyLen + 2 * IntegrityAlgKeyLen,\r
- EncryptAlgKeyLen\r
- );\r
-\r
- //\r
- // Fifth, Sk_er\r
- //\r
- IkeSaSession->IkeKeys->SkErKey = AllocateZeroPool (EncryptAlgKeyLen);\r
- if (IkeSaSession->IkeKeys->SkErKey == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto Exit;\r
- }\r
- IkeSaSession->IkeKeys->SkErKeySize = EncryptAlgKeyLen;\r
-\r
- CopyMem (\r
- IkeSaSession->IkeKeys->SkErKey,\r
- OutputKey + AuthAlgKeyLen + 2 * IntegrityAlgKeyLen + EncryptAlgKeyLen,\r
- EncryptAlgKeyLen\r
- );\r
- IPSEC_DUMP_BUF (\r
- ">>> SK_Er Key",\r
- OutputKey + AuthAlgKeyLen + 2 * IntegrityAlgKeyLen + EncryptAlgKeyLen,\r
- EncryptAlgKeyLen\r
- );\r
-\r
- //\r
- // Sixth, Sk_pi\r
- //\r
- IkeSaSession->IkeKeys->SkPiKey = AllocateZeroPool (AuthAlgKeyLen);\r
- if (IkeSaSession->IkeKeys->SkPiKey == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto Exit;\r
- }\r
- IkeSaSession->IkeKeys->SkPiKeySize = AuthAlgKeyLen;\r
-\r
- CopyMem (\r
- IkeSaSession->IkeKeys->SkPiKey,\r
- OutputKey + AuthAlgKeyLen + 2 * IntegrityAlgKeyLen + 2 * EncryptAlgKeyLen,\r
- AuthAlgKeyLen\r
- );\r
- IPSEC_DUMP_BUF (\r
- ">>> SK_Pi Key",\r
- OutputKey + AuthAlgKeyLen + 2 * IntegrityAlgKeyLen + 2 * EncryptAlgKeyLen,\r
- AuthAlgKeyLen\r
- );\r
-\r
- //\r
- // Seventh, Sk_pr\r
- //\r
- IkeSaSession->IkeKeys->SkPrKey = AllocateZeroPool (AuthAlgKeyLen);\r
- if (IkeSaSession->IkeKeys->SkPrKey == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto Exit;\r
- }\r
- IkeSaSession->IkeKeys->SkPrKeySize = AuthAlgKeyLen;\r
-\r
- CopyMem (\r
- IkeSaSession->IkeKeys->SkPrKey,\r
- OutputKey + AuthAlgKeyLen + 2 * IntegrityAlgKeyLen + 2 * EncryptAlgKeyLen + AuthAlgKeyLen,\r
- AuthAlgKeyLen\r
- );\r
- IPSEC_DUMP_BUF (\r
- ">>> SK_Pr Key",\r
- OutputKey + AuthAlgKeyLen + 2 * IntegrityAlgKeyLen + 2 * EncryptAlgKeyLen + AuthAlgKeyLen,\r
- AuthAlgKeyLen\r
- );\r
-\r
-\r
-Exit:\r
- if (Digest != NULL) {\r
- FreePool (Digest);\r
- }\r
- if (KeyBuffer != NULL) {\r
- FreePool (KeyBuffer);\r
- }\r
- if (OutputKey != NULL) {\r
- FreePool (OutputKey);\r
- }\r
-\r
- if (EFI_ERROR(Status)) {\r
- if (IkeSaSession->IkeKeys->SkdKey != NULL) {\r
- FreePool (IkeSaSession->IkeKeys->SkdKey);\r
- }\r
- if (IkeSaSession->IkeKeys->SkAiKey != NULL) {\r
- FreePool (IkeSaSession->IkeKeys->SkAiKey);\r
- }\r
- if (IkeSaSession->IkeKeys->SkArKey != NULL) {\r
- FreePool (IkeSaSession->IkeKeys->SkArKey);\r
- }\r
- if (IkeSaSession->IkeKeys->SkEiKey != NULL) {\r
- FreePool (IkeSaSession->IkeKeys->SkEiKey);\r
- }\r
- if (IkeSaSession->IkeKeys->SkErKey != NULL) {\r
- FreePool (IkeSaSession->IkeKeys->SkErKey);\r
- }\r
- if (IkeSaSession->IkeKeys->SkPiKey != NULL) {\r
- FreePool (IkeSaSession->IkeKeys->SkPiKey);\r
- }\r
- if (IkeSaSession->IkeKeys->SkPrKey != NULL) {\r
- FreePool (IkeSaSession->IkeKeys->SkPrKey);\r
- }\r
- }\r
-\r
-\r
- return Status;\r
-}\r
-\r
-/**\r
- Generates the Keys for the furthure IPsec Protocol.\r
-\r
- @param[in] ChildSaSession Pointer to IKE Child SA Session.\r
- @param[in] KePayload Pointer to Key payload used to generate the Key.\r
-\r
- @retval EFI_UNSUPPORTED If one or more Algorithm Id is not supported.\r
- @retval EFI_SUCCESS The operation succeeded.\r
-\r
-**/\r
-EFI_STATUS\r
-Ikev2GenerateChildSaKeys (\r
- IN IKEV2_CHILD_SA_SESSION *ChildSaSession,\r
- IN IKE_PAYLOAD *KePayload\r
- )\r
-{\r
- EFI_STATUS Status;\r
- IKEV2_SA_PARAMS *SaParams;\r
- PRF_DATA_FRAGMENT Fragments[3];\r
- UINTN EncryptAlgKeyLen;\r
- UINTN IntegrityAlgKeyLen;\r
- UINT8* OutputKey;\r
- UINTN OutputKeyLength;\r
-\r
- Status = EFI_SUCCESS;\r
- OutputKey = NULL;\r
-\r
- if (KePayload != NULL) {\r
- //\r
- // Generate Gxy\r
- //\r
- Status = Ikev2GenerateSaDhComputeKey (ChildSaSession->DhBuffer, KePayload);\r
- if (EFI_ERROR (Status)) {\r
- goto Exit;\r
- }\r
-\r
- Fragments[0].Data = ChildSaSession->DhBuffer->GxyBuffer;\r
- Fragments[0].DataSize = ChildSaSession->DhBuffer->GxySize;\r
- }\r
-\r
- Fragments[1].Data = ChildSaSession->NiBlock;\r
- Fragments[1].DataSize = ChildSaSession->NiBlkSize;\r
- Fragments[2].Data = ChildSaSession->NrBlock;\r
- Fragments[2].DataSize = ChildSaSession->NrBlkSize;\r
-\r
- //\r
- // Get the key length of Authenticaion, Encryption, PRF, and Integrity.\r
- //\r
- SaParams = ChildSaSession->SessionCommon.SaParams;\r
- EncryptAlgKeyLen = IpSecGetEncryptKeyLength ((UINT8)SaParams->EncAlgId);\r
- IntegrityAlgKeyLen = IpSecGetHmacDigestLength ((UINT8)SaParams->IntegAlgId);\r
- OutputKeyLength = 2 * EncryptAlgKeyLen + 2 * IntegrityAlgKeyLen;\r
-\r
- if ((EncryptAlgKeyLen == 0) || (IntegrityAlgKeyLen == 0)) {\r
- Status = EFI_UNSUPPORTED;\r
- goto Exit;\r
- }\r
-\r
- //\r
- //\r
- // If KePayload is not NULL, calculate KEYMAT = prf+(SK_d, g^ir (new) | Ni | Nr ),\r
- // otherwise, KEYMAT = prf+(SK_d, Ni | Nr )\r
- //\r
- OutputKey = AllocateZeroPool (OutputKeyLength);\r
- if (OutputKey == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto Exit;\r
- }\r
-\r
- //\r
- // Derive Key from the SkdKey Buffer.\r
- //\r
- Status = Ikev2SaGenerateKey (\r
- (UINT8)ChildSaSession->IkeSaSession->SessionCommon.SaParams->Prf,\r
- ChildSaSession->IkeSaSession->IkeKeys->SkdKey,\r
- ChildSaSession->IkeSaSession->IkeKeys->SkdKeySize,\r
- OutputKey,\r
- OutputKeyLength,\r
- KePayload == NULL ? &Fragments[1] : Fragments,\r
- KePayload == NULL ? 2 : 3\r
- );\r
-\r
- if (EFI_ERROR (Status)) {\r
- goto Exit;\r
- }\r
-\r
- //\r
- // Copy KEYMATE (SK_ENCRYPT_i | SK_ENCRYPT_r | SK_INTEG_i | SK_INTEG_r) to\r
- // ChildKeyMates.\r
- //\r
- if (!ChildSaSession->SessionCommon.IsInitiator) {\r
-\r
- //\r
- // Initiator Encryption Key\r
- //\r
- ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.EncAlgoId = (UINT8)SaParams->EncAlgId;\r
- ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.EncKeyLength = EncryptAlgKeyLen;\r
- ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.EncKey = AllocateZeroPool (EncryptAlgKeyLen);\r
- if (ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.EncKey == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto Exit;\r
- }\r
-\r
- CopyMem (\r
- ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.EncKey,\r
- OutputKey,\r
- EncryptAlgKeyLen\r
- );\r
-\r
- //\r
- // Initiator Authentication Key\r
- //\r
- ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.AuthAlgoId = (UINT8)SaParams->IntegAlgId;\r
- ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.AuthKeyLength = IntegrityAlgKeyLen;\r
- ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.AuthKey = AllocateZeroPool (IntegrityAlgKeyLen);\r
- if (ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.AuthKey == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto Exit;\r
- }\r
-\r
- CopyMem (\r
- ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.AuthKey,\r
- OutputKey + EncryptAlgKeyLen,\r
- IntegrityAlgKeyLen\r
- );\r
-\r
- //\r
- // Responder Encrypt Key\r
- //\r
- ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.EncAlgoId = (UINT8)SaParams->EncAlgId;\r
- ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.EncKeyLength = EncryptAlgKeyLen;\r
- ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.EncKey = AllocateZeroPool (EncryptAlgKeyLen);\r
- if (ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.EncKey == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto Exit;\r
- }\r
-\r
- CopyMem (\r
- ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.EncKey,\r
- OutputKey + EncryptAlgKeyLen + IntegrityAlgKeyLen,\r
- EncryptAlgKeyLen\r
- );\r
-\r
- //\r
- // Responder Authentication Key\r
- //\r
- ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.AuthAlgoId = (UINT8)SaParams->IntegAlgId;\r
- ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.AuthKeyLength = IntegrityAlgKeyLen;\r
- ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.AuthKey = AllocateZeroPool (IntegrityAlgKeyLen);\r
- if (ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.AuthKey == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto Exit;\r
- }\r
-\r
- CopyMem (\r
- ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.AuthKey,\r
- OutputKey + 2 * EncryptAlgKeyLen + IntegrityAlgKeyLen,\r
- IntegrityAlgKeyLen\r
- );\r
- } else {\r
- //\r
- // Initiator Encryption Key\r
- //\r
- ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.EncAlgoId = (UINT8)SaParams->EncAlgId;\r
- ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.EncKeyLength = EncryptAlgKeyLen;\r
- ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.EncKey = AllocateZeroPool (EncryptAlgKeyLen);\r
- if (ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.EncKey == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto Exit;\r
- }\r
-\r
- CopyMem (\r
- ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.EncKey,\r
- OutputKey,\r
- EncryptAlgKeyLen\r
- );\r
-\r
- //\r
- // Initiator Authentication Key\r
- //\r
- ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.AuthAlgoId = (UINT8)SaParams->IntegAlgId;\r
- ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.AuthKeyLength = IntegrityAlgKeyLen;\r
- ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.AuthKey = AllocateZeroPool (IntegrityAlgKeyLen);\r
- if (ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.AuthKey == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto Exit;\r
- }\r
-\r
- CopyMem (\r
- ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.AuthKey,\r
- OutputKey + EncryptAlgKeyLen,\r
- IntegrityAlgKeyLen\r
- );\r
-\r
- //\r
- // Responder Encryption Key\r
- //\r
- ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.EncAlgoId = (UINT8)SaParams->EncAlgId;\r
- ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.EncKeyLength = EncryptAlgKeyLen;\r
- ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.EncKey = AllocateZeroPool (EncryptAlgKeyLen);\r
- if (ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.EncKey == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto Exit;\r
- }\r
-\r
- CopyMem (\r
- ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.EncKey,\r
- OutputKey + EncryptAlgKeyLen + IntegrityAlgKeyLen,\r
- EncryptAlgKeyLen\r
- );\r
-\r
- //\r
- // Responder Authentication Key\r
- //\r
- ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.AuthAlgoId = (UINT8)SaParams->IntegAlgId;\r
- ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.AuthKeyLength = IntegrityAlgKeyLen;\r
- ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.AuthKey = AllocateZeroPool (IntegrityAlgKeyLen);\r
- if (ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.AuthKey == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto Exit;\r
- }\r
-\r
- CopyMem (\r
- ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.AuthKey,\r
- OutputKey + 2 * EncryptAlgKeyLen + IntegrityAlgKeyLen,\r
- IntegrityAlgKeyLen\r
- );\r
- }\r
-\r
- IPSEC_DUMP_BUF (\r
- " >>> Local Encryption Key",\r
- ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.EncKey,\r
- EncryptAlgKeyLen\r
- );\r
- IPSEC_DUMP_BUF (\r
- " >>> Remote Encryption Key",\r
- ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.EncKey,\r
- EncryptAlgKeyLen\r
- );\r
- IPSEC_DUMP_BUF (\r
- " >>> Local Authentication Key",\r
- ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.AuthKey,\r
- IntegrityAlgKeyLen\r
- );\r
- IPSEC_DUMP_BUF (\r
- " >>> Remote Authentication Key",\r
- ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.AuthKey,\r
- IntegrityAlgKeyLen\r
- );\r
-\r
-\r
-\r
-Exit:\r
- if (EFI_ERROR (Status)) {\r
- if (ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.EncKey != NULL) {\r
- FreePool (ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.EncKey);\r
- }\r
- if (ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.AuthKey != NULL) {\r
- FreePool (ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.AuthKey);\r
- }\r
- if (ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.EncKey != NULL) {\r
- FreePool (ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.EncKey);\r
- }\r
- if (ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.AuthKey != NULL) {\r
- FreePool (ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.AuthKey);\r
- }\r
- }\r
-\r
- if (OutputKey != NULL) {\r
- FreePool (OutputKey);\r
- }\r
-\r
- return EFI_SUCCESS;\r
-}\r
-\r
-GLOBAL_REMOVE_IF_UNREFERENCED IKEV2_PACKET_HANDLER mIkev2Initial[][2] = {\r
- { //PSK\r
- { // IKEV2_INIT\r
- Ikev2InitPskParser,\r
- Ikev2InitPskGenerator\r
- },\r
- { //IKEV2_AUTH\r
- Ikev2AuthPskParser,\r
- Ikev2AuthPskGenerator\r
- }\r
- },\r
- { // CERT\r
- { // IKEV2_INIT\r
- Ikev2InitCertParser,\r
- Ikev2InitCertGenerator\r
- },\r
- { // IKEV2_AUTH\r
- Ikev2AuthCertParser,\r
- Ikev2AuthCertGenerator\r
- },\r
- },\r
-};\r
+++ /dev/null
-/** @file\r
- The Common operations used by IKE Exchange Process.\r
-\r
- (C) Copyright 2015 Hewlett-Packard Development Company, L.P.<BR>\r
- Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>\r
-\r
- SPDX-License-Identifier: BSD-2-Clause-Patent\r
-\r
-**/\r
-\r
-#include "Utility.h"\r
-#include "IpSecDebug.h"\r
-#include "IkeService.h"\r
-#include "IpSecConfigImpl.h"\r
-\r
-UINT16 mIkev2EncryptAlgorithmList[IKEV2_SUPPORT_ENCRYPT_ALGORITHM_NUM] = {\r
- IKEV2_TRANSFORM_ID_ENCR_3DES,\r
- IKEV2_TRANSFORM_ID_ENCR_AES_CBC,\r
-};\r
-\r
-UINT16 mIkev2PrfAlgorithmList[IKEV2_SUPPORT_PRF_ALGORITHM_NUM] = {\r
- IKEV2_TRANSFORM_ID_PRF_HMAC_SHA1,\r
-};\r
-\r
-UINT16 mIkev2DhGroupAlgorithmList[IKEV2_SUPPORT_DH_ALGORITHM_NUM] = {\r
- IKEV2_TRANSFORM_ID_DH_1024MODP,\r
- IKEV2_TRANSFORM_ID_DH_2048MODP,\r
-};\r
-\r
-UINT16 mIkev2AuthAlgorithmList[IKEV2_SUPPORT_AUTH_ALGORITHM_NUM] = {\r
- IKEV2_TRANSFORM_ID_AUTH_HMAC_SHA1_96,\r
-};\r
-\r
-/**\r
- Allocate buffer for IKEV2_SA_SESSION and initialize it.\r
-\r
- @param[in] Private Pointer to IPSEC_PRIVATE_DATA.\r
- @param[in] UdpService Pointer to IKE_UDP_SERVICE related to this IKE SA Session.\r
-\r
- @return Pointer to IKEV2_SA_SESSION or NULL.\r
-\r
-**/\r
-IKEV2_SA_SESSION *\r
-Ikev2SaSessionAlloc (\r
- IN IPSEC_PRIVATE_DATA *Private,\r
- IN IKE_UDP_SERVICE *UdpService\r
- )\r
-{\r
- EFI_STATUS Status;\r
- IKEV2_SESSION_COMMON *SessionCommon;\r
- IKEV2_SA_SESSION *IkeSaSession;\r
-\r
- IkeSaSession = AllocateZeroPool (sizeof (IKEV2_SA_SESSION));\r
- if (IkeSaSession == NULL) {\r
- return NULL;\r
- }\r
-\r
- //\r
- // Initialize the fields of IkeSaSession and its SessionCommon.\r
- //\r
- IkeSaSession->NCookie = NULL;\r
- IkeSaSession->Signature = IKEV2_SA_SESSION_SIGNATURE;\r
- IkeSaSession->InitiatorCookie = IkeGenerateCookie ();\r
- IkeSaSession->ResponderCookie = 0;\r
- //\r
- // BUGBUG: Message ID starts from 2 is to match the OpenSwan requirement, but it\r
- // might not match the IPv6 Logo. In its test specification, it mentions that\r
- // the Message ID should start from zero after the IKE_SA_INIT exchange.\r
- //\r
- IkeSaSession->MessageId = 2;\r
- SessionCommon = &IkeSaSession->SessionCommon;\r
- SessionCommon->UdpService = UdpService;\r
- SessionCommon->Private = Private;\r
- SessionCommon->IkeSessionType = IkeSessionTypeIkeSa;\r
- SessionCommon->IkeVer = 2;\r
- SessionCommon->AfterEncodePayload = NULL;\r
- SessionCommon->BeforeDecodePayload = NULL;\r
-\r
- //\r
- // Create a resend notfiy event for retry.\r
- //\r
- Status = gBS->CreateEvent (\r
- EVT_TIMER | EVT_NOTIFY_SIGNAL,\r
- TPL_CALLBACK,\r
- Ikev2ResendNotify,\r
- SessionCommon,\r
- &SessionCommon->TimeoutEvent\r
- );\r
-\r
- if (EFI_ERROR (Status)) {\r
- FreePool (IkeSaSession);\r
- return NULL;\r
- }\r
-\r
- //\r
- // Initialize the lists in IkeSaSession.\r
- //\r
- InitializeListHead (&IkeSaSession->ChildSaSessionList);\r
- InitializeListHead (&IkeSaSession->ChildSaEstablishSessionList);\r
- InitializeListHead (&IkeSaSession->InfoMIDList);\r
- InitializeListHead (&IkeSaSession->DeleteSaList);\r
-\r
- return IkeSaSession;\r
-}\r
-\r
-/**\r
- Register the established IKEv2 SA into Private->Ikev2EstablishedList. If there is\r
- IKEV2_SA_SESSION with same remote peer IP, remove the old one then register the\r
- new one.\r
-\r
- @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION to be registered.\r
- @param[in] Private Pointer to IPSEC_PRAVATE_DATA.\r
-\r
-**/\r
-VOID\r
-Ikev2SaSessionReg (\r
- IN IKEV2_SA_SESSION *IkeSaSession,\r
- IN IPSEC_PRIVATE_DATA *Private\r
- )\r
-{\r
- IKEV2_SESSION_COMMON *SessionCommon;\r
- IKEV2_SA_SESSION *OldIkeSaSession;\r
- EFI_STATUS Status;\r
- UINT64 Lifetime;\r
-\r
- //\r
- // Keep IKE SA exclusive to remote ip address.\r
- //\r
- SessionCommon = &IkeSaSession->SessionCommon;\r
- OldIkeSaSession = Ikev2SaSessionRemove (&Private->Ikev2EstablishedList, &SessionCommon->RemotePeerIp);\r
- if (OldIkeSaSession != NULL) {\r
- //\r
- // TODO: It should delete all child SAs if rekey the IKE SA.\r
- //\r
- Ikev2SaSessionFree (OldIkeSaSession);\r
- }\r
-\r
- //\r
- // Cleanup the fields of SessionCommon for processing.\r
- //\r
- Ikev2SessionCommonRefresh (SessionCommon);\r
-\r
- //\r
- // Insert the ready IKE SA session into established list.\r
- //\r
- Ikev2SaSessionInsert (&Private->Ikev2EstablishedList, IkeSaSession, &SessionCommon->RemotePeerIp);\r
-\r
- //\r
- // Create a notfiy event for the IKE SA life time counting.\r
- //\r
- Status = gBS->CreateEvent (\r
- EVT_TIMER | EVT_NOTIFY_SIGNAL,\r
- TPL_CALLBACK,\r
- Ikev2LifetimeNotify,\r
- SessionCommon,\r
- &SessionCommon->TimeoutEvent\r
- );\r
- if (EFI_ERROR(Status)){\r
- //\r
- // If TimerEvent creation failed, the SA will be alive untill user disable it or\r
- // receiving a Delete Payload from peer.\r
- //\r
- return;\r
- }\r
-\r
- //\r
- // Start to count the lifetime of the IKE SA.\r
- //\r
- if (IkeSaSession->Spd->Data->ProcessingPolicy->SaLifetime.HardLifetime == 0) {\r
- Lifetime = IKE_SA_DEFAULT_LIFETIME;\r
- } else {\r
- Lifetime = IkeSaSession->Spd->Data->ProcessingPolicy->SaLifetime.HardLifetime;\r
- }\r
-\r
- Status = gBS->SetTimer (\r
- SessionCommon->TimeoutEvent,\r
- TimerRelative,\r
- MultU64x32(Lifetime, 10000000) // ms->100ns\r
- );\r
- if (EFI_ERROR(Status)){\r
- //\r
- // If SetTimer failed, the SA will be alive untill user disable it or\r
- // receiving a Delete Payload from peer.\r
- //\r
- return ;\r
- }\r
-\r
- DEBUG ((\r
- DEBUG_INFO,\r
- "\n------IkeSa established and start to count down %d seconds lifetime\n",\r
- Lifetime\r
- ));\r
-\r
- return ;\r
-}\r
-\r
-/**\r
- Find a IKEV2_SA_SESSION by the remote peer IP.\r
-\r
- @param[in] SaSessionList SaSession List to be searched.\r
- @param[in] RemotePeerIp Pointer to specified IP address.\r
-\r
- @return Pointer to IKEV2_SA_SESSION if find one or NULL.\r
-\r
-**/\r
-IKEV2_SA_SESSION *\r
-Ikev2SaSessionLookup (\r
- IN LIST_ENTRY *SaSessionList,\r
- IN EFI_IP_ADDRESS *RemotePeerIp\r
- )\r
-{\r
- LIST_ENTRY *Entry;\r
- IKEV2_SA_SESSION *IkeSaSession;\r
-\r
- NET_LIST_FOR_EACH (Entry, SaSessionList) {\r
- IkeSaSession = IKEV2_SA_SESSION_BY_SESSION (Entry);\r
-\r
- if (CompareMem (\r
- &IkeSaSession->SessionCommon.RemotePeerIp,\r
- RemotePeerIp,\r
- sizeof (EFI_IP_ADDRESS)\r
- ) == 0) {\r
-\r
- return IkeSaSession;\r
- }\r
- }\r
-\r
- return NULL;\r
-}\r
-\r
-/**\r
- Insert a IKE_SA_SESSION into IkeSaSession list. The IkeSaSession list is either\r
- Private->Ikev2SaSession list or Private->Ikev2EstablishedList list.\r
-\r
- @param[in] SaSessionList Pointer to list to be inserted into.\r
- @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION to be inserted.\r
- @param[in] RemotePeerIp Pointer to EFI_IP_ADDRESSS to indicate the\r
- unique IKEV2_SA_SESSION.\r
-\r
-**/\r
-VOID\r
-Ikev2SaSessionInsert (\r
- IN LIST_ENTRY *SaSessionList,\r
- IN IKEV2_SA_SESSION *IkeSaSession,\r
- IN EFI_IP_ADDRESS *RemotePeerIp\r
- )\r
-{\r
- Ikev2SaSessionRemove (SaSessionList, RemotePeerIp);\r
- InsertTailList (SaSessionList, &IkeSaSession->BySessionTable);\r
-}\r
-\r
-/**\r
- Remove the SA Session by Remote Peer IP.\r
-\r
- @param[in] SaSessionList Pointer to list to be searched.\r
- @param[in] RemotePeerIp Pointer to EFI_IP_ADDRESS to use for SA Session search.\r
-\r
- @retval Pointer to IKEV2_SA_SESSION with the specified remote IP address or NULL.\r
-\r
-**/\r
-IKEV2_SA_SESSION *\r
-Ikev2SaSessionRemove (\r
- IN LIST_ENTRY *SaSessionList,\r
- IN EFI_IP_ADDRESS *RemotePeerIp\r
- )\r
-{\r
- LIST_ENTRY *Entry;\r
- IKEV2_SA_SESSION *IkeSaSession;\r
-\r
- NET_LIST_FOR_EACH (Entry, SaSessionList) {\r
- IkeSaSession = IKEV2_SA_SESSION_BY_SESSION (Entry);\r
-\r
- if (CompareMem (\r
- &IkeSaSession->SessionCommon.RemotePeerIp,\r
- RemotePeerIp,\r
- sizeof (EFI_IP_ADDRESS)\r
- ) == 0) {\r
-\r
- RemoveEntryList (Entry);\r
- return IkeSaSession;\r
- }\r
- }\r
-\r
- return NULL;\r
-}\r
-\r
-\r
-/**\r
- Free specified Seession Common. The session common would belong to a IKE SA or\r
- a Child SA.\r
-\r
- @param[in] SessionCommon Pointer to a Session Common.\r
-\r
-**/\r
-VOID\r
-Ikev2SaSessionCommonFree (\r
- IN IKEV2_SESSION_COMMON *SessionCommon\r
- )\r
-{\r
-\r
- ASSERT (SessionCommon != NULL);\r
-\r
- if (SessionCommon->LastSentPacket != NULL) {\r
- IkePacketFree (SessionCommon->LastSentPacket);\r
- }\r
-\r
- if (SessionCommon->SaParams != NULL) {\r
- FreePool (SessionCommon->SaParams);\r
- }\r
- if (SessionCommon->TimeoutEvent != NULL) {\r
- gBS->CloseEvent (SessionCommon->TimeoutEvent);\r
- }\r
-}\r
-\r
-/**\r
- After IKE/Child SA is estiblished, close the time event and free sent packet.\r
-\r
- @param[in] SessionCommon Pointer to a Session Common.\r
-\r
-**/\r
-VOID\r
-Ikev2SessionCommonRefresh (\r
- IN IKEV2_SESSION_COMMON *SessionCommon\r
- )\r
-{\r
- ASSERT (SessionCommon != NULL);\r
-\r
- gBS->CloseEvent (SessionCommon->TimeoutEvent);\r
- SessionCommon->TimeoutEvent = NULL;\r
- SessionCommon->TimeoutInterval = 0;\r
- SessionCommon->RetryCount = 0;\r
- if (SessionCommon->LastSentPacket != NULL) {\r
- IkePacketFree (SessionCommon->LastSentPacket);\r
- SessionCommon->LastSentPacket = NULL;\r
- }\r
-\r
- return ;\r
-}\r
-/**\r
- Free specified IKEV2 SA Session.\r
-\r
- @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION to be freed.\r
-\r
-**/\r
-VOID\r
-Ikev2SaSessionFree (\r
- IN IKEV2_SA_SESSION *IkeSaSession\r
- )\r
-{\r
- IKEV2_SESSION_KEYS *IkeKeys;\r
- LIST_ENTRY *Entry;\r
- IKEV2_CHILD_SA_SESSION *ChildSa;\r
- IKEV2_DH_BUFFER *DhBuffer;\r
-\r
- ASSERT (IkeSaSession != NULL);\r
-\r
- //\r
- // Delete Common Session\r
- //\r
- Ikev2SaSessionCommonFree (&IkeSaSession->SessionCommon);\r
-\r
- //\r
- // Delete ChildSaEstablish List and SAD\r
- //\r
- for (Entry = IkeSaSession->ChildSaEstablishSessionList.ForwardLink;\r
- Entry != &IkeSaSession->ChildSaEstablishSessionList;\r
- ) {\r
-\r
- ChildSa = IKEV2_CHILD_SA_SESSION_BY_IKE_SA (Entry);\r
- Entry = Entry->ForwardLink;\r
- Ikev2ChildSaSilentDelete (ChildSa->IkeSaSession, ChildSa->LocalPeerSpi);\r
-\r
- }\r
-\r
- //\r
- // Delete ChildSaSessionList\r
- //\r
- for ( Entry = IkeSaSession->ChildSaSessionList.ForwardLink;\r
- Entry != &IkeSaSession->ChildSaSessionList;\r
- ){\r
- ChildSa = IKEV2_CHILD_SA_SESSION_BY_IKE_SA (Entry);\r
- Entry = Entry->ForwardLink;\r
- RemoveEntryList (Entry->BackLink);\r
- Ikev2ChildSaSessionFree (ChildSa);\r
- }\r
-\r
- //\r
- // Delete DhBuffer and Keys\r
- //\r
- if (IkeSaSession->IkeKeys != NULL) {\r
- IkeKeys = IkeSaSession->IkeKeys;\r
- DhBuffer = IkeKeys->DhBuffer;\r
-\r
- //\r
- // Delete DhBuffer\r
- //\r
- Ikev2DhBufferFree (DhBuffer);\r
-\r
- //\r
- // Delete Keys\r
- //\r
- if (IkeKeys->SkAiKey != NULL) {\r
- FreePool (IkeKeys->SkAiKey);\r
- }\r
- if (IkeKeys->SkArKey != NULL) {\r
- FreePool (IkeKeys->SkArKey);\r
- }\r
- if (IkeKeys->SkdKey != NULL) {\r
- FreePool (IkeKeys->SkdKey);\r
- }\r
- if (IkeKeys->SkEiKey != NULL) {\r
- FreePool (IkeKeys->SkEiKey);\r
- }\r
- if (IkeKeys->SkErKey != NULL) {\r
- FreePool (IkeKeys->SkErKey);\r
- }\r
- if (IkeKeys->SkPiKey != NULL) {\r
- FreePool (IkeKeys->SkPiKey);\r
- }\r
- if (IkeKeys->SkPrKey != NULL) {\r
- FreePool (IkeKeys->SkPrKey);\r
- }\r
- FreePool (IkeKeys);\r
- }\r
-\r
- if (IkeSaSession->SaData != NULL) {\r
- FreePool (IkeSaSession->SaData);\r
- }\r
-\r
- if (IkeSaSession->NiBlock != NULL) {\r
- FreePool (IkeSaSession->NiBlock);\r
- }\r
-\r
- if (IkeSaSession->NrBlock != NULL) {\r
- FreePool (IkeSaSession->NrBlock);\r
- }\r
-\r
- if (IkeSaSession->NCookie != NULL) {\r
- FreePool (IkeSaSession->NCookie);\r
- }\r
-\r
- if (IkeSaSession->InitPacket != NULL) {\r
- FreePool (IkeSaSession->InitPacket);\r
- }\r
-\r
- if (IkeSaSession->RespPacket != NULL) {\r
- FreePool (IkeSaSession->RespPacket);\r
- }\r
-\r
- FreePool (IkeSaSession);\r
-\r
- return ;\r
-}\r
-\r
-/**\r
- Increase the MessageID in IkeSaSession.\r
-\r
- @param[in] IkeSaSession Pointer to a specified IKEV2_SA_SESSION.\r
-\r
-**/\r
-VOID\r
-Ikev2SaSessionIncreaseMessageId (\r
- IN IKEV2_SA_SESSION *IkeSaSession\r
- )\r
-{\r
- if (IkeSaSession->MessageId < 0xffffffff) {\r
- IkeSaSession->MessageId ++;\r
- } else {\r
- //\r
- // TODO: Trigger Rekey process.\r
- //\r
- }\r
-}\r
-\r
-/**\r
- Allocate memory for IKEV2 Child SA Session.\r
-\r
- @param[in] UdpService Pointer to IKE_UDP_SERVICE.\r
- @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION related to this Child SA\r
- Session.\r
-\r
- @retval Pointer of a new created IKEV2 Child SA Session or NULL.\r
-\r
-**/\r
-IKEV2_CHILD_SA_SESSION *\r
-Ikev2ChildSaSessionAlloc (\r
- IN IKE_UDP_SERVICE *UdpService,\r
- IN IKEV2_SA_SESSION *IkeSaSession\r
- )\r
-{\r
- EFI_STATUS Status;\r
- IKEV2_CHILD_SA_SESSION *ChildSaSession;\r
- IKEV2_SESSION_COMMON *ChildSaCommon;\r
- IKEV2_SESSION_COMMON *SaCommon;\r
-\r
- ChildSaSession = AllocateZeroPool (sizeof (IKEV2_CHILD_SA_SESSION));\r
- if (ChildSaSession == NULL) {\r
- return NULL;\r
- }\r
-\r
- //\r
- // Initialize the fields of ChildSaSession and its SessionCommon.\r
- //\r
- ChildSaSession->Signature = IKEV2_CHILD_SA_SESSION_SIGNATURE;\r
- ChildSaSession->IkeSaSession = IkeSaSession;\r
- ChildSaSession->MessageId = IkeSaSession->MessageId;\r
-\r
- //\r
- // Generate an new SPI.\r
- //\r
- Status = IkeGenerateSpi (IkeSaSession, &(ChildSaSession->LocalPeerSpi));\r
- if (EFI_ERROR (Status)) {\r
- FreePool (ChildSaSession);\r
- return NULL;\r
- }\r
-\r
- ChildSaCommon = &ChildSaSession->SessionCommon;\r
- ChildSaCommon->UdpService = UdpService;\r
- ChildSaCommon->Private = IkeSaSession->SessionCommon.Private;\r
- ChildSaCommon->IkeSessionType = IkeSessionTypeChildSa;\r
- ChildSaCommon->IkeVer = 2;\r
- ChildSaCommon->AfterEncodePayload = Ikev2ChildSaAfterEncodePayload;\r
- ChildSaCommon->BeforeDecodePayload = Ikev2ChildSaBeforeDecodePayload;\r
- SaCommon = &ChildSaSession->IkeSaSession->SessionCommon;\r
-\r
- //\r
- // Create a resend notfiy event for retry.\r
- //\r
- Status = gBS->CreateEvent (\r
- EVT_TIMER | EVT_NOTIFY_SIGNAL,\r
- TPL_CALLBACK,\r
- Ikev2ResendNotify,\r
- ChildSaCommon,\r
- &ChildSaCommon->TimeoutEvent\r
- );\r
- if (EFI_ERROR (Status)) {\r
- FreePool (ChildSaSession);\r
- return NULL;\r
- }\r
-\r
- CopyMem (&ChildSaCommon->LocalPeerIp, &SaCommon->LocalPeerIp, sizeof (EFI_IP_ADDRESS));\r
- CopyMem (&ChildSaCommon->RemotePeerIp, &SaCommon->RemotePeerIp, sizeof (EFI_IP_ADDRESS));\r
-\r
- return ChildSaSession;\r
-}\r
-\r
-/**\r
- Register a established IKEv2 Child SA into IkeSaSession->ChildSaEstablishSessionList.\r
- If the there is IKEV2_CHILD_SA_SESSION with same remote peer IP, remove the old one\r
- then register the new one.\r
-\r
- @param[in] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION to be registered.\r
- @param[in] Private Pointer to IPSEC_PRAVATE_DATA.\r
-\r
-**/\r
-VOID\r
-Ikev2ChildSaSessionReg (\r
- IN IKEV2_CHILD_SA_SESSION *ChildSaSession,\r
- IN IPSEC_PRIVATE_DATA *Private\r
- )\r
-{\r
- IKEV2_SESSION_COMMON *SessionCommon;\r
- IKEV2_CHILD_SA_SESSION *OldChildSaSession;\r
- IKEV2_SA_SESSION *IkeSaSession;\r
- EFI_STATUS Status;\r
- UINT64 Lifetime;\r
-\r
- //\r
- // Keep the IKE SA exclusive.\r
- //\r
- SessionCommon = &ChildSaSession->SessionCommon;\r
- IkeSaSession = ChildSaSession->IkeSaSession;\r
- OldChildSaSession = Ikev2ChildSaSessionRemove (\r
- &IkeSaSession->ChildSaEstablishSessionList,\r
- ChildSaSession->LocalPeerSpi,\r
- IKEV2_ESTABLISHED_CHILDSA_LIST\r
- );\r
- if (OldChildSaSession != NULL) {\r
- //\r
- // Free the old one.\r
- //\r
- Ikev2ChildSaSessionFree (OldChildSaSession);\r
- }\r
-\r
- //\r
- // Store the ready child SA into SAD.\r
- //\r
- Ikev2StoreSaData (ChildSaSession);\r
-\r
- //\r
- // Cleanup the fields of SessionCommon for processing.\r
- //\r
- Ikev2SessionCommonRefresh (SessionCommon);\r
-\r
- //\r
- // Insert the ready child SA session into established list.\r
- //\r
- Ikev2ChildSaSessionInsert (&IkeSaSession->ChildSaEstablishSessionList, ChildSaSession);\r
-\r
- //\r
- // Create a Notify event for the IKE SA life time counting.\r
- //\r
- Status = gBS->CreateEvent (\r
- EVT_TIMER | EVT_NOTIFY_SIGNAL,\r
- TPL_CALLBACK,\r
- Ikev2LifetimeNotify,\r
- SessionCommon,\r
- &SessionCommon->TimeoutEvent\r
- );\r
- if (EFI_ERROR(Status)){\r
- return ;\r
- }\r
-\r
- //\r
- // Start to count the lifetime of the IKE SA.\r
- //\r
- if (ChildSaSession->Spd->Data->ProcessingPolicy->SaLifetime.HardLifetime != 0){\r
- Lifetime = ChildSaSession->Spd->Data->ProcessingPolicy->SaLifetime.HardLifetime;\r
- } else {\r
- Lifetime = CHILD_SA_DEFAULT_LIFETIME;\r
- }\r
-\r
- Status = gBS->SetTimer (\r
- SessionCommon->TimeoutEvent,\r
- TimerRelative,\r
- MultU64x32(Lifetime, 10000000) // ms->100ns\r
- );\r
- if (EFI_ERROR(Status)){\r
- return ;\r
- }\r
-\r
- DEBUG ((\r
- DEBUG_INFO,\r
- "\n------ChildSa established and start to count down %d seconds lifetime\n",\r
- Lifetime\r
- ));\r
-\r
- return ;\r
-}\r
-\r
-\r
-/**\r
- This function find the Child SA by the specified SPI.\r
-\r
- This functin find a ChildSA session by searching the ChildSaSessionlist of\r
- the input IKEV2_SA_SESSION by specified MessageID.\r
-\r
- @param[in] SaSessionList Pointer to List to be searched.\r
- @param[in] Spi Specified SPI.\r
-\r
- @return Pointer to IKEV2_CHILD_SA_SESSION or NULL.\r
-\r
-**/\r
-IKEV2_CHILD_SA_SESSION *\r
-Ikev2ChildSaSessionLookupBySpi (\r
- IN LIST_ENTRY *SaSessionList,\r
- IN UINT32 Spi\r
- )\r
-{\r
- LIST_ENTRY *Entry;\r
- IKEV2_CHILD_SA_SESSION *ChildSaSession;\r
-\r
- NET_LIST_FOR_EACH (Entry, SaSessionList) {\r
- ChildSaSession = IKEV2_CHILD_SA_SESSION_BY_IKE_SA (Entry);\r
-\r
- if (ChildSaSession->RemotePeerSpi == Spi || ChildSaSession->LocalPeerSpi == Spi) {\r
- return ChildSaSession;\r
- }\r
- }\r
-\r
- return NULL;\r
-}\r
-\r
-/**\r
- Insert a Child SA Session into the specified ChildSa list.\r
-\r
- @param[in] SaSessionList Pointer to list to be inserted in.\r
- @param[in] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION to be inserted.\r
-\r
-**/\r
-VOID\r
-Ikev2ChildSaSessionInsert (\r
- IN LIST_ENTRY *SaSessionList,\r
- IN IKEV2_CHILD_SA_SESSION *ChildSaSession\r
- )\r
-{\r
- InsertTailList (SaSessionList, &ChildSaSession->ByIkeSa);\r
-}\r
-\r
-/**\r
- Remove the IKEV2_CHILD_SA_SESSION from IkeSaSessionList.\r
-\r
- @param[in] SaSessionList The SA Session List to be iterated.\r
- @param[in] Spi Spi used to identified the IKEV2_CHILD_SA_SESSION.\r
- @param[in] ListType The type of the List to indicate whether it is a\r
- Established.\r
-\r
- @return The point to IKEV2_CHILD_SA_SESSION or NULL.\r
-\r
-**/\r
-IKEV2_CHILD_SA_SESSION *\r
-Ikev2ChildSaSessionRemove (\r
- IN LIST_ENTRY *SaSessionList,\r
- IN UINT32 Spi,\r
- IN UINT8 ListType\r
- )\r
-{\r
- LIST_ENTRY *Entry;\r
- LIST_ENTRY *NextEntry;\r
- IKEV2_CHILD_SA_SESSION *ChildSaSession;\r
-\r
- NET_LIST_FOR_EACH_SAFE (Entry, NextEntry, SaSessionList) {\r
-\r
- if (ListType == IKEV2_ESTABLISHED_CHILDSA_LIST || ListType == IKEV2_ESTABLISHING_CHILDSA_LIST) {\r
- ChildSaSession = IKEV2_CHILD_SA_SESSION_BY_IKE_SA (Entry);\r
- } else if (ListType == IKEV2_DELET_CHILDSA_LIST) {\r
- ChildSaSession = IKEV2_CHILD_SA_SESSION_BY_DEL_SA (Entry);\r
- } else {\r
- return NULL;\r
- }\r
-\r
- if (ChildSaSession->RemotePeerSpi == Spi || ChildSaSession->LocalPeerSpi == Spi) {\r
- RemoveEntryList (Entry);\r
- return ChildSaSession;\r
- }\r
- }\r
-\r
- return NULL;\r
-}\r
-\r
-/**\r
- Free the memory located for the specified IKEV2_CHILD_SA_SESSION.\r
-\r
- @param[in] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION.\r
-\r
-**/\r
-VOID\r
-Ikev2ChildSaSessionFree (\r
- IN IKEV2_CHILD_SA_SESSION *ChildSaSession\r
- )\r
-{\r
- IKEV2_SESSION_COMMON *SessionCommon;\r
-\r
- SessionCommon = &ChildSaSession->SessionCommon;\r
- if (ChildSaSession->SaData != NULL) {\r
- FreePool (ChildSaSession->SaData);\r
- }\r
-\r
- if (ChildSaSession->NiBlock != NULL) {\r
- FreePool (ChildSaSession->NiBlock);\r
- }\r
-\r
- if (ChildSaSession->NrBlock != NULL) {\r
- FreePool (ChildSaSession->NrBlock);\r
- }\r
-\r
- if (ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.AuthKey != NULL) {\r
- FreePool (ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.AuthKey);\r
- }\r
-\r
- if (ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.EncKey != NULL) {\r
- FreePool (ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.EncKey);\r
- }\r
-\r
- if (ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.AuthKey != NULL) {\r
- FreePool (ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.AuthKey);\r
- }\r
-\r
- if (ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.EncKey != NULL) {\r
- FreePool (ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.EncKey);\r
- }\r
-\r
- //\r
- // Delete DhBuffer\r
- //\r
- Ikev2DhBufferFree (ChildSaSession->DhBuffer);\r
-\r
- //\r
- // Delete SpdSelector\r
- //\r
- if (ChildSaSession->SpdSelector != NULL) {\r
- if (ChildSaSession->SpdSelector->LocalAddress != NULL) {\r
- FreePool (ChildSaSession->SpdSelector->LocalAddress);\r
- }\r
- if (ChildSaSession->SpdSelector->RemoteAddress != NULL) {\r
- FreePool (ChildSaSession->SpdSelector->RemoteAddress);\r
- }\r
- FreePool (ChildSaSession->SpdSelector);\r
- }\r
- Ikev2SaSessionCommonFree (SessionCommon);\r
- FreePool (ChildSaSession);\r
-\r
- return ;\r
-}\r
-\r
-/**\r
- Delete the specified established Child SA.\r
-\r
- This function delete the Child SA directly and don't send the Information Packet to\r
- remote peer.\r
-\r
- @param[in] IkeSaSession Pointer to a IKE SA Session used to be searched for.\r
- @param[in] Spi SPI used to find the Child SA.\r
-\r
- @retval EFI_NOT_FOUND Pointer of IKE SA Session is NULL.\r
- @retval EFI_NOT_FOUND There is no specified Child SA related with the input\r
- SPI under this IKE SA Session.\r
- @retval EFI_SUCCESS Delete the Child SA successfully.\r
-\r
-**/\r
-EFI_STATUS\r
-Ikev2ChildSaSilentDelete (\r
- IN IKEV2_SA_SESSION *IkeSaSession,\r
- IN UINT32 Spi\r
- )\r
-{\r
- EFI_STATUS Status;\r
- EFI_IPSEC_CONFIG_SELECTOR *Selector;\r
- UINTN SelectorSize;\r
- BOOLEAN IsLocalFound;\r
- BOOLEAN IsRemoteFound;\r
- UINT32 LocalSpi;\r
- UINT32 RemoteSpi;\r
- IKEV2_CHILD_SA_SESSION *ChildSession;\r
- EFI_IPSEC_CONFIG_SELECTOR *LocalSelector;\r
- EFI_IPSEC_CONFIG_SELECTOR *RemoteSelector;\r
- IPSEC_PRIVATE_DATA *Private;\r
-\r
- if (IkeSaSession == NULL) {\r
- return EFI_NOT_FOUND;\r
- }\r
-\r
- IsLocalFound = FALSE;\r
- IsRemoteFound = FALSE;\r
- ChildSession = NULL;\r
- LocalSelector = NULL;\r
- RemoteSelector = NULL;\r
-\r
- Private = IkeSaSession->SessionCommon.Private;\r
-\r
- //\r
- // Remove the Established SA from ChildSaEstablishlist.\r
- //\r
- ChildSession = Ikev2ChildSaSessionRemove(\r
- &(IkeSaSession->ChildSaEstablishSessionList),\r
- Spi,\r
- IKEV2_ESTABLISHED_CHILDSA_LIST\r
- );\r
- if (ChildSession == NULL) {\r
- return EFI_NOT_FOUND;\r
- }\r
-\r
- LocalSpi = ChildSession->LocalPeerSpi;\r
- RemoteSpi = ChildSession->RemotePeerSpi;\r
-\r
- SelectorSize = sizeof (EFI_IPSEC_CONFIG_SELECTOR);\r
- Selector = AllocateZeroPool (SelectorSize);\r
- if (Selector == NULL) {\r
- return EFI_OUT_OF_RESOURCES;\r
- }\r
-\r
- while (1) {\r
- Status = EfiIpSecConfigGetNextSelector (\r
- &Private->IpSecConfig,\r
- IPsecConfigDataTypeSad,\r
- &SelectorSize,\r
- Selector\r
- );\r
- if (Status == EFI_BUFFER_TOO_SMALL) {\r
- FreePool (Selector);\r
-\r
- Selector = AllocateZeroPool (SelectorSize);\r
- if (Selector == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- break;\r
- }\r
-\r
- Status = EfiIpSecConfigGetNextSelector (\r
- &Private->IpSecConfig,\r
- IPsecConfigDataTypeSad,\r
- &SelectorSize,\r
- Selector\r
- );\r
- }\r
-\r
- if (EFI_ERROR (Status)) {\r
- break;\r
- }\r
-\r
- if (Selector->SaId.Spi == RemoteSpi) {\r
- //\r
- // SPI is unique. There is only one SAD whose SPI is\r
- // same with RemoteSpi.\r
- //\r
- IsRemoteFound = TRUE;\r
- RemoteSelector = AllocateZeroPool (SelectorSize);\r
- if (RemoteSelector == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- break;\r
- }\r
-\r
- CopyMem (RemoteSelector, Selector, SelectorSize);\r
- }\r
-\r
- if (Selector->SaId.Spi == LocalSpi) {\r
- //\r
- // SPI is unique. There is only one SAD whose SPI is\r
- // same with LocalSpi.\r
- //\r
- IsLocalFound = TRUE;\r
- LocalSelector = AllocateZeroPool (SelectorSize);\r
- if (LocalSelector == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- break;\r
- }\r
-\r
- CopyMem (LocalSelector, Selector, SelectorSize);\r
- }\r
- }\r
- //\r
- // Delete SA from the Variable.\r
- //\r
- if (IsLocalFound) {\r
- Status = EfiIpSecConfigSetData (\r
- &Private->IpSecConfig,\r
- IPsecConfigDataTypeSad,\r
- LocalSelector,\r
- NULL,\r
- NULL\r
- );\r
- }\r
-\r
- if (IsRemoteFound) {\r
- Status = EfiIpSecConfigSetData (\r
- &Private->IpSecConfig,\r
- IPsecConfigDataTypeSad,\r
- RemoteSelector,\r
- NULL,\r
- NULL\r
- );\r
-\r
- }\r
-\r
- DEBUG (\r
- (DEBUG_INFO,\r
- "\n------IKEV2 deleted ChildSa(local spi, remote spi):(0x%x, 0x%x)------\n",\r
- LocalSpi,\r
- RemoteSpi)\r
- );\r
- Ikev2ChildSaSessionFree (ChildSession);\r
-\r
- if (RemoteSelector != NULL) {\r
- FreePool (RemoteSelector);\r
- }\r
-\r
- if (LocalSelector != NULL) {\r
- FreePool (LocalSelector);\r
- }\r
-\r
- if (Selector != NULL) {\r
- FreePool (Selector);\r
- }\r
-\r
- return Status;\r
-}\r
-\r
-/**\r
- Free the specified DhBuffer.\r
-\r
- @param[in] DhBuffer Pointer to IKEV2_DH_BUFFER to be freed.\r
-\r
-**/\r
-VOID\r
-Ikev2DhBufferFree (\r
- IKEV2_DH_BUFFER *DhBuffer\r
-)\r
-{\r
- if (DhBuffer != NULL) {\r
- if (DhBuffer->GxBuffer != NULL) {\r
- FreePool (DhBuffer->GxBuffer);\r
- }\r
- if (DhBuffer->GyBuffer != NULL) {\r
- FreePool (DhBuffer->GyBuffer);\r
- }\r
- if (DhBuffer->GxyBuffer != NULL) {\r
- FreePool (DhBuffer->GxyBuffer);\r
- }\r
- if (DhBuffer->DhContext != NULL) {\r
- IpSecCryptoIoFreeDh (&DhBuffer->DhContext);\r
- }\r
- FreePool (DhBuffer);\r
- }\r
-}\r
-\r
-/**\r
- This function is to parse a request IKE packet and return its request type.\r
- The request type is one of IKE CHILD SA creation, IKE SA rekeying and\r
- IKE CHILD SA rekeying.\r
-\r
- @param[in] IkePacket IKE packet to be prased.\r
-\r
- return the type of the IKE packet.\r
-\r
-**/\r
-IKEV2_CREATE_CHILD_REQUEST_TYPE\r
-Ikev2ChildExchangeRequestType(\r
- IN IKE_PACKET *IkePacket\r
- )\r
-{\r
- BOOLEAN Flag;\r
- LIST_ENTRY *Entry;\r
- IKE_PAYLOAD *IkePayload;\r
-\r
- Flag = FALSE;\r
-\r
- NET_LIST_FOR_EACH (Entry, &(IkePacket)->PayloadList) {\r
- IkePayload = IKE_PAYLOAD_BY_PACKET (Entry);\r
- if (IkePayload->PayloadType == IKEV2_PAYLOAD_TYPE_TS_INIT) {\r
- //\r
- // Packet with Ts Payload means it is for either CHILD_SA_CREATE or CHILD_SA_REKEY.\r
- //\r
- Flag = TRUE;\r
- }\r
- if (IkePayload->PayloadType == IKEV2_PAYLOAD_TYPE_NOTIFY) {\r
- if (((IKEV2_NOTIFY*)IkePayload)->MessageType == IKEV2_NOTIFICATION_REKEY_SA) {\r
- //\r
- // If notify payload with REKEY_SA message type, the IkePacket is for\r
- // rekeying Child SA.\r
- //\r
- return IkeRequestTypeRekeyChildSa;\r
- }\r
- }\r
- };\r
-\r
- if (!Flag){\r
- //\r
- // The Create Child Exchange is for IKE SA rekeying.\r
- //\r
- return IkeRequestTypeRekeyIkeSa;\r
- } else {\r
- //\r
- // If the Notify payloaad with transport mode message type, the IkePacket is\r
- // for create Child SA.\r
- //\r
- return IkeRequestTypeCreateChildSa;\r
- }\r
-}\r
-\r
-/**\r
- Associate a SPD selector to the Child SA Session.\r
-\r
- This function is called when the Child SA is not the first child SA of its\r
- IKE SA. It associate a SPD to this Child SA.\r
-\r
- @param[in, out] ChildSaSession Pointer to the Child SA Session to be associated to\r
- a SPD selector.\r
-\r
- @retval EFI_SUCCESS Associate one SPD selector to this Child SA Session successfully.\r
- @retval EFI_NOT_FOUND Can't find the related SPD selector.\r
-\r
-**/\r
-EFI_STATUS\r
-Ikev2ChildSaAssociateSpdEntry (\r
- IN OUT IKEV2_CHILD_SA_SESSION *ChildSaSession\r
- )\r
-{\r
- IpSecVisitConfigData (IPsecConfigDataTypeSpd, Ikev2MatchSpdEntry, ChildSaSession);\r
- if (ChildSaSession->Spd != NULL) {\r
- return EFI_SUCCESS;\r
- } else {\r
- return EFI_NOT_FOUND;\r
- }\r
-}\r
-\r
-\r
-\r
-/**\r
- Validate the IKE header of received IKE packet.\r
-\r
- @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION related to this IKE packet.\r
- @param[in] IkeHdr Pointer to IKE header of received IKE packet.\r
-\r
- @retval TRUE If the IKE header is valid.\r
- @retval FALSE If the IKE header is invalid.\r
-\r
-**/\r
-BOOLEAN\r
-Ikev2ValidateHeader (\r
- IN IKEV2_SA_SESSION *IkeSaSession,\r
- IN IKE_HEADER *IkeHdr\r
- )\r
-{\r
-\r
- IKEV2_SESSION_STATE State;\r
-\r
- State = IkeSaSession->SessionCommon.State;\r
- if (State == IkeStateInit) {\r
- //\r
- // For the IKE Initial Exchange, the MessagId should be zero.\r
- //\r
- if (IkeHdr->MessageId != 0) {\r
- return FALSE;\r
- }\r
- } else {\r
- if (State == IkeStateAuth) {\r
- if (IkeHdr->MessageId != 1) {\r
- return FALSE;\r
- }\r
- }\r
- if (IkeHdr->InitiatorCookie != IkeSaSession->InitiatorCookie ||\r
- IkeHdr->ResponderCookie != IkeSaSession->ResponderCookie\r
- ) {\r
- //\r
- // TODO: send notification INVALID-COOKIE\r
- //\r
- return FALSE;\r
- }\r
- }\r
-\r
- //\r
- // Information Exchagne and Create Child Exchange can be started from each part.\r
- //\r
- if (IkeHdr->ExchangeType != IKEV2_EXCHANGE_TYPE_INFO &&\r
- IkeHdr->ExchangeType != IKEV2_EXCHANGE_TYPE_CREATE_CHILD\r
- ) {\r
- if (IkeSaSession->SessionCommon.IsInitiator) {\r
- if (IkeHdr->InitiatorCookie != IkeSaSession->InitiatorCookie) {\r
- //\r
- // TODO: send notification INVALID-COOKIE\r
- //\r
- return FALSE;\r
- }\r
- if (IkeHdr->Flags != IKE_HEADER_FLAGS_RESPOND) {\r
- return FALSE;\r
- }\r
- } else {\r
- if (IkeHdr->Flags != IKE_HEADER_FLAGS_INIT) {\r
- return FALSE;\r
- }\r
- }\r
- }\r
-\r
- return TRUE;\r
-}\r
-\r
-/**\r
- Create and intialize IKEV2_SA_DATA for speicifed IKEV2_SESSION_COMMON.\r
-\r
- This function will be only called by the initiator. The responder's IKEV2_SA_DATA\r
- will be generated during parsed the initiator packet.\r
-\r
- @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON related to.\r
-\r
- @retval a Pointer to a new IKEV2_SA_DATA or NULL.\r
-\r
-**/\r
-IKEV2_SA_DATA *\r
-Ikev2InitializeSaData (\r
- IN IKEV2_SESSION_COMMON *SessionCommon\r
- )\r
-{\r
- IKEV2_CHILD_SA_SESSION *ChildSaSession;\r
- IKEV2_SA_DATA *SaData;\r
- IKEV2_PROPOSAL_DATA *ProposalData;\r
- IKEV2_TRANSFORM_DATA *TransformData;\r
- IKE_SA_ATTRIBUTE *Attribute;\r
-\r
- ASSERT (SessionCommon != NULL);\r
- //\r
- // TODO: Remove the hard code of the support Alogrithm. Those data should be\r
- // get from the SPD/PAD data.\r
- //\r
- if (SessionCommon->IkeSessionType == IkeSessionTypeIkeSa) {\r
- SaData = AllocateZeroPool (\r
- sizeof (IKEV2_SA_DATA) +\r
- sizeof (IKEV2_PROPOSAL_DATA) * 2 +\r
- sizeof (IKEV2_TRANSFORM_DATA) * 4 * 2\r
- );\r
- } else {\r
- SaData = AllocateZeroPool (\r
- sizeof (IKEV2_SA_DATA) +\r
- sizeof (IKEV2_PROPOSAL_DATA) * 2 +\r
- sizeof (IKEV2_TRANSFORM_DATA) * 3 * 2\r
- );\r
- }\r
- if (SaData == NULL) {\r
- return NULL;\r
- }\r
-\r
- //\r
- // First proposal payload: 3DES + SHA1 + DH\r
- //\r
- SaData->NumProposals = 2;\r
- ProposalData = (IKEV2_PROPOSAL_DATA *) (SaData + 1);\r
- ProposalData->ProposalIndex = 1;\r
-\r
- //\r
- // If SA data for IKE_SA_INIT exchage, contains 4 transforms. If SA data for\r
- // IKE_AUTH exchange contains 3 transforms.\r
- //\r
- if (SessionCommon->IkeSessionType == IkeSessionTypeIkeSa) {\r
- ProposalData->NumTransforms = 4;\r
- } else {\r
- ProposalData->NumTransforms = 3;\r
- }\r
-\r
-\r
- if (SessionCommon->IkeSessionType == IkeSessionTypeIkeSa) {\r
- ProposalData->ProtocolId = IPSEC_PROTO_ISAKMP;\r
- } else {\r
- ChildSaSession = IKEV2_CHILD_SA_SESSION_FROM_COMMON (SessionCommon);\r
- ProposalData->ProtocolId = IPSEC_PROTO_IPSEC_ESP;\r
- ProposalData->Spi = AllocateZeroPool (sizeof (ChildSaSession->LocalPeerSpi));\r
- if (ProposalData->Spi == NULL) {\r
- FreePool (SaData);\r
- return NULL;\r
- }\r
-\r
- CopyMem (\r
- ProposalData->Spi,\r
- &ChildSaSession->LocalPeerSpi,\r
- sizeof(ChildSaSession->LocalPeerSpi)\r
- );\r
- }\r
-\r
- //\r
- // Set transform attribute for Encryption Algorithm - 3DES\r
- //\r
- TransformData = (IKEV2_TRANSFORM_DATA *) (ProposalData + 1);\r
- TransformData->TransformIndex = 0;\r
- TransformData->TransformType = IKEV2_TRANSFORM_TYPE_ENCR;\r
- TransformData->TransformId = IKEV2_TRANSFORM_ID_ENCR_3DES;\r
-\r
- //\r
- // Set transform attribute for Integrity Algorithm - SHA1_96\r
- //\r
- TransformData = (IKEV2_TRANSFORM_DATA *) (TransformData + 1);\r
- TransformData->TransformIndex = 1;\r
- TransformData->TransformType = IKEV2_TRANSFORM_TYPE_INTEG;\r
- TransformData->TransformId = IKEV2_TRANSFORM_ID_AUTH_HMAC_SHA1_96;\r
-\r
- if (SessionCommon->IkeSessionType == IkeSessionTypeIkeSa) {\r
- //\r
- // Set transform attribute for Pseduo-Random Function - HAMC_SHA1\r
- //\r
- TransformData = (IKEV2_TRANSFORM_DATA *) (TransformData + 1);\r
- TransformData->TransformIndex = 2;\r
- TransformData->TransformType = IKEV2_TRANSFORM_TYPE_PRF;\r
- TransformData->TransformId = IKEV2_TRANSFORM_ID_PRF_HMAC_SHA1;\r
- }\r
-\r
- if (SessionCommon->IkeSessionType == IkeSessionTypeIkeSa) {\r
- //\r
- // Set transform attribute for DH Group - DH 1024\r
- //\r
- TransformData = (IKEV2_TRANSFORM_DATA *) (TransformData + 1);\r
- TransformData->TransformIndex = 3;\r
- TransformData->TransformType = IKEV2_TRANSFORM_TYPE_DH;\r
- TransformData->TransformId = IKEV2_TRANSFORM_ID_DH_1024MODP;\r
- } else {\r
- //\r
- // Transform type for Extended Sequence Numbers. Currently not support Extended\r
- // Sequence Number.\r
- //\r
- TransformData = (IKEV2_TRANSFORM_DATA *) (TransformData + 1);\r
- TransformData->TransformIndex = 2;\r
- TransformData->TransformType = IKEV2_TRANSFORM_TYPE_ESN;\r
- TransformData->TransformId = 0;\r
- }\r
-\r
- //\r
- // Second proposal payload: 3DES + SHA1 + DH\r
- //\r
- ProposalData = (IKEV2_PROPOSAL_DATA *) (TransformData + 1);\r
- ProposalData->ProposalIndex = 2;\r
-\r
- if (SessionCommon->IkeSessionType == IkeSessionTypeIkeSa) {\r
- ProposalData->ProtocolId = IPSEC_PROTO_ISAKMP;\r
- ProposalData->NumTransforms = 4;\r
- } else {\r
-\r
- ChildSaSession = IKEV2_CHILD_SA_SESSION_FROM_COMMON (SessionCommon);\r
- ProposalData->ProtocolId = IPSEC_PROTO_IPSEC_ESP;\r
- ProposalData->NumTransforms = 3;\r
- ProposalData->Spi = AllocateZeroPool (sizeof (ChildSaSession->LocalPeerSpi));\r
- if (ProposalData->Spi == NULL) {\r
- FreePool (((IKEV2_PROPOSAL_DATA *) (SaData + 1))->Spi);\r
- FreePool (SaData);\r
- return NULL;\r
- }\r
-\r
- CopyMem (\r
- ProposalData->Spi,\r
- &ChildSaSession->LocalPeerSpi,\r
- sizeof(ChildSaSession->LocalPeerSpi)\r
- );\r
- }\r
-\r
- //\r
- // Set transform attribute for Encryption Algorithm - AES-CBC\r
- //\r
- TransformData = (IKEV2_TRANSFORM_DATA *) (ProposalData + 1);\r
- TransformData->TransformIndex = 0;\r
- TransformData->TransformType = IKEV2_TRANSFORM_TYPE_ENCR;\r
- TransformData->TransformId = IKEV2_TRANSFORM_ID_ENCR_AES_CBC;\r
- Attribute = &TransformData->Attribute;\r
- Attribute->AttrType = IKEV2_ATTRIBUTE_TYPE_KEYLEN;\r
- Attribute->Attr.AttrLength = (UINT16) (8 * IpSecGetEncryptKeyLength (IKEV2_TRANSFORM_ID_ENCR_AES_CBC));\r
-\r
- //\r
- // Set transform attribute for Integrity Algorithm - SHA1_96\r
- //\r
- TransformData = (IKEV2_TRANSFORM_DATA *) (TransformData + 1);\r
- TransformData->TransformIndex = 1;\r
- TransformData->TransformType = IKEV2_TRANSFORM_TYPE_INTEG;\r
- TransformData->TransformId = IKEV2_TRANSFORM_ID_AUTH_HMAC_SHA1_96;\r
-\r
- if (SessionCommon->IkeSessionType == IkeSessionTypeIkeSa) {\r
- //\r
- // Set transform attribute for Pseduo-Random Function - HAMC_SHA1\r
- //\r
- TransformData = (IKEV2_TRANSFORM_DATA *) (TransformData + 1);\r
- TransformData->TransformIndex = 2;\r
- TransformData->TransformType = IKEV2_TRANSFORM_TYPE_PRF;\r
- TransformData->TransformId = IKEV2_TRANSFORM_ID_PRF_HMAC_SHA1;\r
- }\r
-\r
- if (SessionCommon->IkeSessionType == IkeSessionTypeIkeSa) {\r
- //\r
- // Set transform attrbiute for DH Group - DH-1024\r
- //\r
- TransformData = (IKEV2_TRANSFORM_DATA *) (TransformData + 1);\r
- TransformData->TransformIndex = 3;\r
- TransformData->TransformType = IKEV2_TRANSFORM_TYPE_DH;\r
- TransformData->TransformId = IKEV2_TRANSFORM_ID_DH_1024MODP;\r
- } else {\r
- //\r
- // Transform type for Extended Sequence Numbers. Currently not support Extended\r
- // Sequence Number.\r
- //\r
- TransformData = (IKEV2_TRANSFORM_DATA *) (TransformData + 1);\r
- TransformData->TransformIndex = 2;\r
- TransformData->TransformType = IKEV2_TRANSFORM_TYPE_ESN;\r
- TransformData->TransformId = 0;\r
- }\r
-\r
- return SaData;\r
-}\r
-\r
-/**\r
- Store the SA into SAD.\r
-\r
- @param[in] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION.\r
-\r
-**/\r
-VOID\r
-Ikev2StoreSaData (\r
- IN IKEV2_CHILD_SA_SESSION *ChildSaSession\r
- )\r
-{\r
- EFI_STATUS Status;\r
- EFI_IPSEC_SA_ID SaId;\r
- EFI_IPSEC_SA_DATA2 SaData;\r
- IKEV2_SESSION_COMMON *SessionCommon;\r
- IPSEC_PRIVATE_DATA *Private;\r
- UINT32 TempAddressCount;\r
- EFI_IP_ADDRESS_INFO *TempAddressInfo;\r
-\r
- SessionCommon = &ChildSaSession->SessionCommon;\r
- Private = SessionCommon->Private;\r
-\r
- ZeroMem (&SaId, sizeof (EFI_IPSEC_SA_ID));\r
- ZeroMem (&SaData, sizeof (EFI_IPSEC_SA_DATA2));\r
-\r
- //\r
- // Create a SpdSelector. In this implementation, one SPD represents\r
- // 2 direction traffic, so in here, there needs to reverse the local address\r
- // and remote address for Remote Peer's SA, then reverse again for the locate\r
- // SA.\r
- //\r
- TempAddressCount = ChildSaSession->SpdSelector->LocalAddressCount;\r
- TempAddressInfo = ChildSaSession->SpdSelector->LocalAddress;\r
-\r
- ChildSaSession->SpdSelector->LocalAddressCount = ChildSaSession->SpdSelector->RemoteAddressCount;\r
- ChildSaSession->SpdSelector->LocalAddress = ChildSaSession->SpdSelector->RemoteAddress;\r
-\r
- ChildSaSession->SpdSelector->RemoteAddress = TempAddressInfo;\r
- ChildSaSession->SpdSelector->RemoteAddressCount= TempAddressCount;\r
-\r
- //\r
- // Set the SaId and SaData.\r
- //\r
- SaId.Spi = ChildSaSession->LocalPeerSpi;\r
- SaId.Proto = EfiIPsecESP;\r
- SaData.AntiReplayWindows = 16;\r
- SaData.SNCount = 0;\r
- SaData.Mode = ChildSaSession->Spd->Data->ProcessingPolicy->Mode;\r
-\r
- //\r
- // If it is tunnel mode, should add the TunnelDest and TunnelSource for SaData.\r
- //\r
- if (SaData.Mode == EfiIPsecTunnel) {\r
- CopyMem (\r
- &SaData.TunnelSourceAddress,\r
- &ChildSaSession->Spd->Data->ProcessingPolicy->TunnelOption->RemoteTunnelAddress,\r
- sizeof (EFI_IP_ADDRESS)\r
- );\r
- CopyMem (\r
- &SaData.TunnelDestinationAddress,\r
- &ChildSaSession->Spd->Data->ProcessingPolicy->TunnelOption->LocalTunnelAddress,\r
- sizeof (EFI_IP_ADDRESS)\r
- );\r
- }\r
-\r
- CopyMem (&SaId.DestAddress, &ChildSaSession->SessionCommon.LocalPeerIp, sizeof (EFI_IP_ADDRESS));\r
- CopyMem (&SaData.AlgoInfo, &ChildSaSession->ChildKeymats.LocalPeerInfo, sizeof (EFI_IPSEC_ALGO_INFO));\r
- SaData.SpdSelector = ChildSaSession->SpdSelector;\r
-\r
- //\r
- // Store the remote SA into SAD.\r
- //\r
- Status = EfiIpSecConfigSetData (\r
- &Private->IpSecConfig,\r
- IPsecConfigDataTypeSad,\r
- (EFI_IPSEC_CONFIG_SELECTOR *) &SaId,\r
- &SaData,\r
- NULL\r
- );\r
- ASSERT_EFI_ERROR (Status);\r
-\r
- //\r
- // Store the local SA into SAD.\r
- //\r
- ChildSaSession->SpdSelector->RemoteAddressCount = ChildSaSession->SpdSelector->LocalAddressCount;\r
- ChildSaSession->SpdSelector->RemoteAddress = ChildSaSession->SpdSelector->LocalAddress;\r
-\r
- ChildSaSession->SpdSelector->LocalAddress = TempAddressInfo;\r
- ChildSaSession->SpdSelector->LocalAddressCount = TempAddressCount;\r
-\r
- SaId.Spi = ChildSaSession->RemotePeerSpi;\r
-\r
- CopyMem (&SaId.DestAddress, &ChildSaSession->SessionCommon.RemotePeerIp, sizeof (EFI_IP_ADDRESS));\r
- CopyMem (&SaData.AlgoInfo, &ChildSaSession->ChildKeymats.RemotePeerInfo, sizeof (EFI_IPSEC_ALGO_INFO));\r
- SaData.SpdSelector = ChildSaSession->SpdSelector;\r
-\r
- //\r
- // If it is tunnel mode, should add the TunnelDest and TunnelSource for SaData.\r
- //\r
- if (SaData.Mode == EfiIPsecTunnel) {\r
- CopyMem (\r
- &SaData.TunnelSourceAddress,\r
- &ChildSaSession->Spd->Data->ProcessingPolicy->TunnelOption->LocalTunnelAddress,\r
- sizeof (EFI_IP_ADDRESS)\r
- );\r
- CopyMem (\r
- &SaData.TunnelDestinationAddress,\r
- &ChildSaSession->Spd->Data->ProcessingPolicy->TunnelOption->RemoteTunnelAddress,\r
- sizeof (EFI_IP_ADDRESS)\r
- );\r
- }\r
-\r
- Status = EfiIpSecConfigSetData (\r
- &Private->IpSecConfig,\r
- IPsecConfigDataTypeSad,\r
- (EFI_IPSEC_CONFIG_SELECTOR *) &SaId,\r
- &SaData,\r
- NULL\r
- );\r
-\r
- ASSERT_EFI_ERROR (Status);\r
-}\r
-\r
-/**\r
- Call back function of the IKE life time is over.\r
-\r
- This function will mark the related IKE SA Session as deleting and trigger a\r
- Information negotiation.\r
-\r
- @param[in] Event The signaled Event.\r
- @param[in] Context Pointer to data passed by caller.\r
-\r
-**/\r
-VOID\r
-EFIAPI\r
-Ikev2LifetimeNotify (\r
- IN EFI_EVENT Event,\r
- IN VOID *Context\r
- )\r
-{\r
- IKEV2_SA_SESSION *IkeSaSession;\r
- IKEV2_CHILD_SA_SESSION *ChildSaSession;\r
- IKEV2_SESSION_COMMON *SessionCommon;\r
-\r
- ASSERT (Context != NULL);\r
- SessionCommon = (IKEV2_SESSION_COMMON *) Context;\r
-\r
- if (SessionCommon->IkeSessionType == IkeSessionTypeIkeSa) {\r
- IkeSaSession = IKEV2_SA_SESSION_FROM_COMMON (SessionCommon);\r
- DEBUG ((\r
- DEBUG_INFO,\r
- "\n---IkeSa Lifetime is out(cookie_i, cookie_r):(0x%lx, 0x%lx)---\n",\r
- IkeSaSession->InitiatorCookie,\r
- IkeSaSession->ResponderCookie\r
- ));\r
-\r
- //\r
- // Change the IKE SA Session's State to IKE_STATE_SA_DELETING.\r
- //\r
- IKEV2_DUMP_STATE (IkeSaSession->SessionCommon.State, IkeStateSaDeleting);\r
- IkeSaSession->SessionCommon.State = IkeStateSaDeleting;\r
-\r
- } else {\r
- ChildSaSession = IKEV2_CHILD_SA_SESSION_FROM_COMMON (SessionCommon);\r
- IkeSaSession = ChildSaSession->IkeSaSession;\r
-\r
- //\r
- // Link the timeout child SA to the DeleteSaList.\r
- //\r
- InsertTailList (&IkeSaSession->DeleteSaList, &ChildSaSession->ByDelete);\r
-\r
- //\r
- // Change the Child SA Session's State to IKE_STATE_SA_DELETING.\r
- //\r
- DEBUG ((\r
- DEBUG_INFO,\r
- "\n------ChildSa Lifetime is out(SPI):(0x%x)------\n",\r
- ChildSaSession->LocalPeerSpi\r
- ));\r
- }\r
-\r
- //\r
- // TODO: Send the delete info packet or delete silently\r
- //\r
- mIkev2Exchange.NegotiateInfo ((UINT8 *) IkeSaSession, NULL);\r
-}\r
-\r
-/**\r
- This function will be called if the TimeOut Event is signaled.\r
-\r
- @param[in] Event The signaled Event.\r
- @param[in] Context The data passed by caller.\r
-\r
-**/\r
-VOID\r
-EFIAPI\r
-Ikev2ResendNotify (\r
- IN EFI_EVENT Event,\r
- IN VOID *Context\r
- )\r
-{\r
- IPSEC_PRIVATE_DATA *Private;\r
- IKEV2_SA_SESSION *IkeSaSession;\r
- IKEV2_CHILD_SA_SESSION *ChildSaSession;\r
- IKEV2_SESSION_COMMON *SessionCommon;\r
- LIST_ENTRY *ChildSaEntry;\r
- UINT8 Value;\r
- EFI_STATUS Status;\r
-\r
- ASSERT (Context != NULL);\r
- IkeSaSession = NULL;\r
- ChildSaSession = NULL;\r
- SessionCommon = (IKEV2_SESSION_COMMON *) Context;\r
- Private = SessionCommon->Private;\r
-\r
- //\r
- // Remove the SA session from the processing list if exceed the max retry.\r
- //\r
- if (SessionCommon->RetryCount > IKE_MAX_RETRY) {\r
- if (SessionCommon->IkeSessionType == IkeSessionTypeIkeSa) {\r
- IkeSaSession = IKEV2_SA_SESSION_FROM_COMMON (SessionCommon);\r
- if (IkeSaSession->SessionCommon.State == IkeStateSaDeleting) {\r
-\r
- //\r
- // If the IkeSaSession is initiator, delete all its Child SAs before removing IKE SA.\r
- // If the IkesaSession is responder, all ChildSa has been remove in Ikev2HandleInfo();\r
- //\r
- for (ChildSaEntry = IkeSaSession->ChildSaEstablishSessionList.ForwardLink;\r
- ChildSaEntry != &IkeSaSession->ChildSaEstablishSessionList;\r
- ) {\r
- ChildSaSession = IKEV2_CHILD_SA_SESSION_BY_IKE_SA (ChildSaEntry);\r
- //\r
- // Move to next ChildSa Entry.\r
- //\r
- ChildSaEntry = ChildSaEntry->ForwardLink;\r
- //\r
- // Delete LocalSpi & RemoteSpi and remove the ChildSaSession from the\r
- // EstablishedChildSaList.\r
- //\r
- Ikev2ChildSaSilentDelete (IkeSaSession, ChildSaSession->LocalPeerSpi);\r
- }\r
-\r
- //\r
- // If the IKE SA Delete Payload wasn't sent out successfully, Delete it from the EstablishedList.\r
- //\r
- Ikev2SaSessionRemove (&Private->Ikev2EstablishedList, &SessionCommon->RemotePeerIp);\r
-\r
- if (Private != NULL && Private->IsIPsecDisabling) {\r
- //\r
- // After all IKE SAs were deleted, set the IPSEC_STATUS_DISABLED value in\r
- // IPsec status variable.\r
- //\r
- if (IsListEmpty (&Private->Ikev1EstablishedList) && IsListEmpty (&Private->Ikev2EstablishedList)) {\r
- Value = IPSEC_STATUS_DISABLED;\r
- Status = gRT->SetVariable (\r
- IPSECCONFIG_STATUS_NAME,\r
- &gEfiIpSecConfigProtocolGuid,\r
- EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_NON_VOLATILE,\r
- sizeof (Value),\r
- &Value\r
- );\r
- if (!EFI_ERROR (Status)) {\r
- //\r
- // Set the Disabled Flag in Private data.\r
- //\r
- Private->IpSec.DisabledFlag = TRUE;\r
- Private->IsIPsecDisabling = FALSE;\r
- }\r
- }\r
- }\r
- } else {\r
- Ikev2SaSessionRemove (&Private->Ikev2SessionList, &SessionCommon->RemotePeerIp);\r
- }\r
- Ikev2SaSessionFree (IkeSaSession);\r
-\r
- } else {\r
-\r
- //\r
- // If the packet sent by Child SA.\r
- //\r
- ChildSaSession = IKEV2_CHILD_SA_SESSION_FROM_COMMON (SessionCommon);\r
- IkeSaSession = ChildSaSession->IkeSaSession;\r
- if (ChildSaSession->SessionCommon.State == IkeStateSaDeleting) {\r
-\r
- //\r
- // Established Child SA should be remove from the SAD entry and\r
- // DeleteList. The function of Ikev2DeleteChildSaSilent() will remove\r
- // the childSA from the IkeSaSession->ChildSaEstablishedList. So there\r
- // is no need to remove it here.\r
- //\r
- Ikev2ChildSaSilentDelete (IkeSaSession, ChildSaSession->LocalPeerSpi);\r
- Ikev2ChildSaSessionRemove (\r
- &IkeSaSession->DeleteSaList,\r
- ChildSaSession->LocalPeerSpi,\r
- IKEV2_DELET_CHILDSA_LIST\r
- );\r
- } else {\r
- Ikev2ChildSaSessionRemove (\r
- &IkeSaSession->ChildSaSessionList,\r
- ChildSaSession->LocalPeerSpi,\r
- IKEV2_ESTABLISHING_CHILDSA_LIST\r
- );\r
- }\r
-\r
- Ikev2ChildSaSessionFree (ChildSaSession);\r
- }\r
- return ;\r
- }\r
-\r
- //\r
- // Increase the retry count.\r
- //\r
- SessionCommon->RetryCount++;\r
- DEBUG ((DEBUG_INFO, ">>>Resending the last packet ...\n"));\r
-\r
- //\r
- // Resend the last packet.\r
- //\r
- Ikev2SendIkePacket (\r
- SessionCommon->UdpService,\r
- (UINT8*)SessionCommon,\r
- SessionCommon->LastSentPacket,\r
- 0\r
- );\r
-}\r
-\r
-/**\r
- Copy ChildSaSession->Spd->Selector to ChildSaSession->SpdSelector.\r
-\r
- ChildSaSession->SpdSelector stores the real Spdselector for its SA. Sometime,\r
- the SpdSelector in ChildSaSession is more accurated or the scope is smaller\r
- than the one in ChildSaSession->Spd, especially for the tunnel mode.\r
-\r
- @param[in, out] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION related to.\r
-\r
- @retval EFI_SUCCESS The operation complete successfully.\r
- @retval EFI_OUT_OF_RESOURCES If the required resource can't be allocated.\r
-\r
-**/\r
-EFI_STATUS\r
-Ikev2ChildSaSessionSpdSelectorCreate (\r
- IN OUT IKEV2_CHILD_SA_SESSION *ChildSaSession\r
- )\r
-{\r
- EFI_STATUS Status;\r
-\r
- Status = EFI_SUCCESS;\r
-\r
- if (ChildSaSession->Spd != NULL && ChildSaSession->Spd->Selector != NULL) {\r
- if (ChildSaSession->SpdSelector == NULL) {\r
- ChildSaSession->SpdSelector = AllocateZeroPool (sizeof (EFI_IPSEC_SPD_SELECTOR));\r
- if (ChildSaSession->SpdSelector == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- return Status;\r
- }\r
- }\r
- CopyMem (\r
- ChildSaSession->SpdSelector,\r
- ChildSaSession->Spd->Selector,\r
- sizeof (EFI_IPSEC_SPD_SELECTOR)\r
- );\r
- ChildSaSession->SpdSelector->RemoteAddress = AllocateCopyPool (\r
- ChildSaSession->Spd->Selector->RemoteAddressCount *\r
- sizeof (EFI_IP_ADDRESS_INFO),\r
- ChildSaSession->Spd->Selector->RemoteAddress\r
- );\r
- if (ChildSaSession->SpdSelector->RemoteAddress == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
-\r
- FreePool (ChildSaSession->SpdSelector);\r
-\r
- return Status;\r
- }\r
-\r
- ChildSaSession->SpdSelector->LocalAddress = AllocateCopyPool (\r
- ChildSaSession->Spd->Selector->LocalAddressCount *\r
- sizeof (EFI_IP_ADDRESS_INFO),\r
- ChildSaSession->Spd->Selector->LocalAddress\r
- );\r
- if (ChildSaSession->SpdSelector->LocalAddress == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
-\r
- FreePool (ChildSaSession->SpdSelector->RemoteAddress);\r
-\r
- FreePool (ChildSaSession->SpdSelector);\r
-\r
- return Status;\r
- }\r
-\r
- ChildSaSession->SpdSelector->RemoteAddressCount = ChildSaSession->Spd->Selector->RemoteAddressCount;\r
- ChildSaSession->SpdSelector->LocalAddressCount = ChildSaSession->Spd->Selector->LocalAddressCount;\r
- }\r
-\r
- return Status;\r
-}\r
-\r
-/**\r
- Generate a ChildSa Session and insert it into related IkeSaSession.\r
-\r
- @param[in] IkeSaSession Pointer to related IKEV2_SA_SESSION.\r
- @param[in] UdpService Pointer to related IKE_UDP_SERVICE.\r
-\r
- @return pointer of IKEV2_CHILD_SA_SESSION.\r
-\r
-**/\r
-IKEV2_CHILD_SA_SESSION *\r
-Ikev2ChildSaSessionCreate (\r
- IN IKEV2_SA_SESSION *IkeSaSession,\r
- IN IKE_UDP_SERVICE *UdpService\r
- )\r
-{\r
- IKEV2_CHILD_SA_SESSION *ChildSaSession;\r
- IKEV2_SESSION_COMMON *ChildSaCommon;\r
-\r
- //\r
- // Create a new ChildSaSession.Insert it into processing list and initiate the common parameters.\r
- //\r
- ChildSaSession = Ikev2ChildSaSessionAlloc (UdpService, IkeSaSession);\r
- if (ChildSaSession == NULL) {\r
- return NULL;\r
- }\r
-\r
- //\r
- // Set the specific parameters.\r
- //\r
- ChildSaSession->Spd = IkeSaSession->Spd;\r
- ChildSaCommon = &ChildSaSession->SessionCommon;\r
- ChildSaCommon->IsInitiator = IkeSaSession->SessionCommon.IsInitiator;\r
- if (IkeSaSession->SessionCommon.State == IkeStateAuth) {\r
- ChildSaCommon->State = IkeStateAuth;\r
- IKEV2_DUMP_STATE (ChildSaCommon->State, IkeStateAuth);\r
- } else {\r
- ChildSaCommon->State = IkeStateCreateChild;\r
- IKEV2_DUMP_STATE (ChildSaCommon->State, IkeStateCreateChild);\r
- }\r
-\r
- //\r
- // If SPD->Selector is not NULL, copy it to the ChildSaSession->SpdSelector.\r
- // The ChildSaSession->SpdSelector might be changed after the traffic selector\r
- // negoniation and it will be copied into the SAData after ChildSA established.\r
- //\r
- if (EFI_ERROR (Ikev2ChildSaSessionSpdSelectorCreate (ChildSaSession))) {\r
- Ikev2ChildSaSessionFree (ChildSaSession);\r
- return NULL;\r
- }\r
-\r
- //\r
- // Copy first NiBlock and NrBlock to ChildSa Session\r
- //\r
- ChildSaSession->NiBlock = AllocateZeroPool (IkeSaSession->NiBlkSize);\r
- if (ChildSaSession->NiBlock == NULL) {\r
- Ikev2ChildSaSessionFree (ChildSaSession);\r
- return NULL;\r
- }\r
-\r
- ChildSaSession->NiBlkSize = IkeSaSession->NiBlkSize;\r
- CopyMem (ChildSaSession->NiBlock, IkeSaSession->NiBlock, IkeSaSession->NiBlkSize);\r
-\r
- ChildSaSession->NrBlock = AllocateZeroPool (IkeSaSession->NrBlkSize);\r
- if (ChildSaSession->NrBlock == NULL) {\r
- Ikev2ChildSaSessionFree (ChildSaSession);\r
- return NULL;\r
- }\r
-\r
- ChildSaSession->NrBlkSize = IkeSaSession->NrBlkSize;\r
- CopyMem (ChildSaSession->NrBlock, IkeSaSession->NrBlock, IkeSaSession->NrBlkSize);\r
-\r
- //\r
- // Only if the Create Child SA is called for the IKE_INIT Exchange and\r
- // IkeSaSession is initiator (Only Initiator's SPD is not NULL), Set the\r
- // Traffic Selectors related information here.\r
- //\r
- if (IkeSaSession->SessionCommon.State == IkeStateAuth && IkeSaSession->Spd != NULL) {\r
- ChildSaSession->ProtoId = IkeSaSession->Spd->Selector->NextLayerProtocol;\r
- ChildSaSession->LocalPort = IkeSaSession->Spd->Selector->LocalPort;\r
- ChildSaSession->RemotePort = IkeSaSession->Spd->Selector->RemotePort;\r
- }\r
-\r
- //\r
- // Insert the new ChildSaSession into processing child SA list.\r
- //\r
- Ikev2ChildSaSessionInsert (&IkeSaSession->ChildSaSessionList, ChildSaSession);\r
- return ChildSaSession;\r
-}\r
-\r
-/**\r
- Check if the SPD is related to the input Child SA Session.\r
-\r
- This function is the subfunction of Ikev1AssociateSpdEntry(). It is the call\r
- back function of IpSecVisitConfigData().\r
-\r
-\r
- @param[in] Type Type of the input Config Selector.\r
- @param[in] Selector Pointer to the Configure Selector to be checked.\r
- @param[in] Data Pointer to the Configure Selector's Data passed\r
- from the caller.\r
- @param[in] SelectorSize The buffer size of Selector.\r
- @param[in] DataSize The buffer size of the Data.\r
- @param[in] Context The data passed from the caller. It is a Child\r
- SA Session in this context.\r
-\r
- @retval EFI_SUCCESS The SPD Selector is not related to the Child SA Session.\r
- @retval EFI_ABORTED The SPD Selector is related to the Child SA session and\r
- set the ChildSaSession->Spd to point to this SPD Selector.\r
-\r
-**/\r
-EFI_STATUS\r
-Ikev2MatchSpdEntry (\r
- IN EFI_IPSEC_CONFIG_DATA_TYPE Type,\r
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector,\r
- IN VOID *Data,\r
- IN UINTN SelectorSize,\r
- IN UINTN DataSize,\r
- IN VOID *Context\r
- )\r
-{\r
- IKEV2_CHILD_SA_SESSION *ChildSaSession;\r
- EFI_IPSEC_SPD_SELECTOR *SpdSelector;\r
- EFI_IPSEC_SPD_DATA *SpdData;\r
- BOOLEAN IsMatch;\r
- UINT8 IpVersion;\r
-\r
- ASSERT (Type == IPsecConfigDataTypeSpd);\r
- SpdData = (EFI_IPSEC_SPD_DATA *) Data;\r
- //\r
- // Bypass all non-protect SPD entry first\r
- //\r
- if (SpdData->Action != EfiIPsecActionProtect) {\r
- return EFI_SUCCESS;\r
- }\r
-\r
- ChildSaSession = (IKEV2_CHILD_SA_SESSION *) Context;\r
- IpVersion = ChildSaSession->SessionCommon.UdpService->IpVersion;\r
- SpdSelector = (EFI_IPSEC_SPD_SELECTOR *) Selector;\r
- IsMatch = TRUE;\r
-\r
- if (SpdSelector->NextLayerProtocol == EFI_IP_PROTO_UDP &&\r
- SpdSelector->LocalPort == IKE_DEFAULT_PORT &&\r
- SpdSelector->LocalPortRange == 0 &&\r
- SpdSelector->RemotePort == IKE_DEFAULT_PORT &&\r
- SpdSelector->RemotePortRange == 0\r
- ) {\r
- //\r
- // TODO: Skip IKE Policy here or set a SPD entry?\r
- //\r
- return EFI_SUCCESS;\r
- }\r
-\r
- if (SpdSelector->NextLayerProtocol != EFI_IPSEC_ANY_PROTOCOL &&\r
- SpdSelector->NextLayerProtocol != ChildSaSession->ProtoId\r
- ) {\r
- IsMatch = FALSE;\r
- }\r
-\r
- if (SpdSelector->LocalPort != EFI_IPSEC_ANY_PORT && SpdSelector->LocalPort != ChildSaSession->LocalPort) {\r
- IsMatch = FALSE;\r
- }\r
-\r
- if (SpdSelector->RemotePort != EFI_IPSEC_ANY_PORT && SpdSelector->RemotePort != ChildSaSession->RemotePort) {\r
- IsMatch = FALSE;\r
- }\r
-\r
- IsMatch = (BOOLEAN) (IsMatch &&\r
- IpSecMatchIpAddress (\r
- IpVersion,\r
- &ChildSaSession->SessionCommon.LocalPeerIp,\r
- SpdSelector->LocalAddress,\r
- SpdSelector->LocalAddressCount\r
- ));\r
-\r
- IsMatch = (BOOLEAN) (IsMatch &&\r
- IpSecMatchIpAddress (\r
- IpVersion,\r
- &ChildSaSession->SessionCommon.RemotePeerIp,\r
- SpdSelector->RemoteAddress,\r
- SpdSelector->RemoteAddressCount\r
- ));\r
-\r
- if (IsMatch) {\r
- ChildSaSession->Spd = IkeSearchSpdEntry (SpdSelector);\r
- return EFI_ABORTED;\r
- } else {\r
- return EFI_SUCCESS;\r
- }\r
-}\r
-\r
-/**\r
- Check if the Algorithm ID is supported.\r
-\r
- @param[in] AlgorithmId The specified Algorithm ID.\r
- @param[in] Type The type used to indicate the Algorithm is for Encrypt or\r
- Authentication.\r
-\r
- @retval TRUE If the Algorithm ID is supported.\r
- @retval FALSE If the Algorithm ID is not supported.\r
-\r
-**/\r
-BOOLEAN\r
-Ikev2IsSupportAlg (\r
- IN UINT16 AlgorithmId,\r
- IN UINT8 Type\r
- )\r
-{\r
- UINT8 Index;\r
- switch (Type) {\r
- case IKE_ENCRYPT_TYPE :\r
- for (Index = 0; Index < IKEV2_SUPPORT_ENCRYPT_ALGORITHM_NUM; Index++) {\r
- if (mIkev2EncryptAlgorithmList[Index] == AlgorithmId) {\r
- return TRUE;\r
- }\r
- }\r
- break;\r
-\r
- case IKE_AUTH_TYPE :\r
- for (Index = 0; Index < IKEV2_SUPPORT_AUTH_ALGORITHM_NUM; Index++) {\r
- if (mIkev2AuthAlgorithmList[Index] == AlgorithmId) {\r
- return TRUE;\r
- }\r
- }\r
- break;\r
-\r
- case IKE_DH_TYPE :\r
- for (Index = 0; Index < IKEV2_SUPPORT_DH_ALGORITHM_NUM; Index++) {\r
- if (mIkev2DhGroupAlgorithmList[Index] == AlgorithmId) {\r
- return TRUE;\r
- }\r
- }\r
- break;\r
-\r
- case IKE_PRF_TYPE :\r
- for (Index = 0; Index < IKEV2_SUPPORT_PRF_ALGORITHM_NUM; Index++) {\r
- if (mIkev2PrfAlgorithmList[Index] == AlgorithmId) {\r
- return TRUE;\r
- }\r
- }\r
- }\r
- return FALSE;\r
-}\r
-\r
-/**\r
- Get the preferred algorithm types from ProposalData.\r
-\r
- @param[in] ProposalData Pointer to related IKEV2_PROPOSAL_DATA.\r
- @param[in, out] PreferEncryptAlgorithm Pointer to buffer which is used to store the\r
- preferred encrypt algorithm.\r
- Input value shall be initialized to zero that\r
- indicates to be parsed from ProposalData.\r
- Output of preferred encrypt algorithm.\r
- @param[in, out] PreferIntegrityAlgorithm Pointer to buffer which is used to store the\r
- preferred integrity algorithm.\r
- Input value shall be initialized to zero that\r
- indicates to be parsed from ProposalData.\r
- Output of preferred integrity algorithm.\r
- @param[in, out] PreferPrfAlgorithm Pointer to buffer which is used to store the\r
- preferred PRF algorithm.\r
- Input value shall be initialized to zero that\r
- indicates to be parsed from ProposalData.\r
- Output of preferred PRF algorithm. Only\r
- for IKE SA.\r
- @param[in, out] PreferDhGroup Pointer to buffer which is used to store the\r
- preferred DH group.\r
- Input value shall be initialized to zero that\r
- indicates to be parsed from ProposalData.\r
- Output of preferred DH group. Only for\r
- IKE SA.\r
- @param[out] PreferEncryptKeylength Pointer to buffer which is used to store the\r
- preferred encrypt key length in bytes.\r
- @param[out] IsSupportEsn Pointer to buffer which is used to store the\r
- value about the Extented Sequence Number is\r
- support or not. Only for Child SA.\r
- @param[in] IsChildSa If it is ture, the ProposalData is for IKE\r
- SA. Otherwise the proposalData is for Child SA.\r
-\r
-**/\r
-VOID\r
-Ikev2ParseProposalData (\r
- IN IKEV2_PROPOSAL_DATA *ProposalData,\r
- IN OUT UINT16 *PreferEncryptAlgorithm,\r
- IN OUT UINT16 *PreferIntegrityAlgorithm,\r
- IN OUT UINT16 *PreferPrfAlgorithm,\r
- IN OUT UINT16 *PreferDhGroup,\r
- OUT UINTN *PreferEncryptKeylength,\r
- OUT BOOLEAN *IsSupportEsn,\r
- IN BOOLEAN IsChildSa\r
-)\r
-{\r
- IKEV2_TRANSFORM_DATA *TransformData;\r
- UINT8 TransformIndex;\r
-\r
- //\r
- // Check input parameters.\r
- //\r
- if (ProposalData == NULL ||\r
- PreferEncryptAlgorithm == NULL ||\r
- PreferIntegrityAlgorithm == NULL ||\r
- PreferEncryptKeylength == NULL\r
- ) {\r
- return;\r
- }\r
-\r
- if (IsChildSa) {\r
- if (IsSupportEsn == NULL) {\r
- return;\r
- }\r
- } else {\r
- if (PreferPrfAlgorithm == NULL || PreferDhGroup == NULL) {\r
- return;\r
- }\r
- }\r
-\r
- TransformData = (IKEV2_TRANSFORM_DATA *)(ProposalData + 1);\r
- for (TransformIndex = 0; TransformIndex < ProposalData->NumTransforms; TransformIndex++) {\r
- switch (TransformData->TransformType) {\r
- //\r
- // For IKE SA there are four algorithm types. Encryption Algorithm, Pseudo-random Function,\r
- // Integrity Algorithm, Diffie-Hellman Group. For Child SA, there are three algorithm types.\r
- // Encryption Algorithm, Integrity Algorithm, Extended Sequence Number.\r
- //\r
- case IKEV2_TRANSFORM_TYPE_ENCR:\r
- if (*PreferEncryptAlgorithm == 0 && Ikev2IsSupportAlg (TransformData->TransformId, IKE_ENCRYPT_TYPE)) {\r
- //\r
- // Check the attribute value. According to RFC, only Keylength is support.\r
- //\r
- if (TransformData->Attribute.AttrType == IKEV2_ATTRIBUTE_TYPE_KEYLEN) {\r
- //\r
- // If the Keylength is not support, continue to check the next one.\r
- //\r
- if (IpSecGetEncryptKeyLength ((UINT8)TransformData->TransformId) != (UINTN)(TransformData->Attribute.Attr.AttrValue >> 3)){\r
- break;\r
- } else {\r
- *PreferEncryptKeylength = TransformData->Attribute.Attr.AttrValue;\r
- }\r
- }\r
- *PreferEncryptAlgorithm = TransformData->TransformId;\r
- }\r
- break;\r
-\r
- case IKEV2_TRANSFORM_TYPE_PRF :\r
- if (!IsChildSa) {\r
- if (*PreferPrfAlgorithm == 0 && Ikev2IsSupportAlg (TransformData->TransformId, IKE_PRF_TYPE)) {\r
- *PreferPrfAlgorithm = TransformData->TransformId;\r
- }\r
- }\r
- break;\r
-\r
- case IKEV2_TRANSFORM_TYPE_INTEG :\r
- if (*PreferIntegrityAlgorithm == 0 && Ikev2IsSupportAlg (TransformData->TransformId, IKE_AUTH_TYPE)) {\r
- *PreferIntegrityAlgorithm = TransformData->TransformId;\r
- }\r
- break;\r
-\r
- case IKEV2_TRANSFORM_TYPE_DH :\r
- if (!IsChildSa) {\r
- if (*PreferDhGroup == 0 && Ikev2IsSupportAlg (TransformData->TransformId, IKE_DH_TYPE)) {\r
- *PreferDhGroup = TransformData->TransformId;\r
- }\r
- }\r
- break;\r
-\r
- case IKEV2_TRANSFORM_TYPE_ESN :\r
- if (IsChildSa) {\r
- if (TransformData->TransformId != 0) {\r
- *IsSupportEsn = TRUE;\r
- }\r
- }\r
- break;\r
-\r
- default:\r
- break;\r
- }\r
- TransformData = (IKEV2_TRANSFORM_DATA *)(TransformData + 1);\r
- }\r
-}\r
-\r
-/**\r
- Parse the received Initial Exchange Packet.\r
-\r
- This function parse the SA Payload and Key Payload to find out the cryptographic\r
- suite for the further IKE negotiation and fill it into the IKE SA Session's\r
- CommonSession->SaParams.\r
-\r
- @param[in, out] IkeSaSession Pointer to related IKEV2_SA_SESSION.\r
- @param[in] SaPayload The received packet.\r
- @param[in] Type The received packet IKE header flag.\r
-\r
- @retval TRUE If the SA proposal in Packet is acceptable.\r
- @retval FALSE If the SA proposal in Packet is not acceptable.\r
-\r
-**/\r
-BOOLEAN\r
-Ikev2SaParseSaPayload (\r
- IN OUT IKEV2_SA_SESSION *IkeSaSession,\r
- IN IKE_PAYLOAD *SaPayload,\r
- IN UINT8 Type\r
- )\r
-{\r
- IKEV2_PROPOSAL_DATA *ProposalData;\r
- UINT8 ProposalIndex;\r
- UINT16 PreferEncryptAlgorithm;\r
- UINT16 PreferIntegrityAlgorithm;\r
- UINT16 PreferPrfAlgorithm;\r
- UINT16 PreferDhGroup;\r
- UINTN PreferEncryptKeylength;\r
- UINT16 EncryptAlgorithm;\r
- UINT16 IntegrityAlgorithm;\r
- UINT16 PrfAlgorithm;\r
- UINT16 DhGroup;\r
- UINTN EncryptKeylength;\r
- BOOLEAN IsMatch;\r
- UINTN SaDataSize;\r
-\r
- PreferPrfAlgorithm = 0;\r
- PreferIntegrityAlgorithm = 0;\r
- PreferDhGroup = 0;\r
- PreferEncryptAlgorithm = 0;\r
- PreferEncryptKeylength = 0;\r
- PrfAlgorithm = 0;\r
- IntegrityAlgorithm = 0;\r
- DhGroup = 0;\r
- EncryptAlgorithm = 0;\r
- EncryptKeylength = 0;\r
- IsMatch = FALSE;\r
-\r
- if (Type == IKE_HEADER_FLAGS_INIT) {\r
- ProposalData = (IKEV2_PROPOSAL_DATA *)((IKEV2_SA_DATA *)SaPayload->PayloadBuf + 1);\r
- for (ProposalIndex = 0; ProposalIndex < ((IKEV2_SA_DATA *)SaPayload->PayloadBuf)->NumProposals; ProposalIndex++) {\r
- //\r
- // Iterate each proposal to find the perfered one.\r
- //\r
- if (ProposalData->ProtocolId == IPSEC_PROTO_ISAKMP && ProposalData->NumTransforms >= 4) {\r
- //\r
- // Get the preferred algorithms.\r
- //\r
- Ikev2ParseProposalData (\r
- ProposalData,\r
- &PreferEncryptAlgorithm,\r
- &PreferIntegrityAlgorithm,\r
- &PreferPrfAlgorithm,\r
- &PreferDhGroup,\r
- &PreferEncryptKeylength,\r
- NULL,\r
- FALSE\r
- );\r
-\r
- if (PreferEncryptAlgorithm != 0 &&\r
- PreferIntegrityAlgorithm != 0 &&\r
- PreferPrfAlgorithm != 0 &&\r
- PreferDhGroup != 0\r
- ) {\r
- //\r
- // Find the matched one.\r
- //\r
- IkeSaSession->SessionCommon.SaParams = AllocateZeroPool (sizeof (IKEV2_SA_PARAMS));\r
- if (IkeSaSession->SessionCommon.SaParams == NULL) {\r
- return FALSE;\r
- }\r
-\r
- IkeSaSession->SessionCommon.SaParams->EncAlgId = PreferEncryptAlgorithm;\r
- IkeSaSession->SessionCommon.SaParams->EnckeyLen = PreferEncryptKeylength;\r
- IkeSaSession->SessionCommon.SaParams->DhGroup = PreferDhGroup;\r
- IkeSaSession->SessionCommon.SaParams->Prf = PreferPrfAlgorithm;\r
- IkeSaSession->SessionCommon.SaParams->IntegAlgId = PreferIntegrityAlgorithm;\r
- IkeSaSession->SessionCommon.PreferDhGroup = PreferDhGroup;\r
-\r
- //\r
- // Save the matched one in IKEV2_SA_DATA for furthure calculation.\r
- //\r
- SaDataSize = sizeof (IKEV2_SA_DATA) +\r
- sizeof (IKEV2_PROPOSAL_DATA) +\r
- sizeof (IKEV2_TRANSFORM_DATA) * 4;\r
- IkeSaSession->SaData = AllocateZeroPool (SaDataSize);\r
- if (IkeSaSession->SaData == NULL) {\r
- FreePool (IkeSaSession->SessionCommon.SaParams);\r
- return FALSE;\r
- }\r
-\r
- IkeSaSession->SaData->NumProposals = 1;\r
-\r
- //\r
- // BUGBUG: Suppose the matched proposal only has 4 transforms. If\r
- // The matched Proposal has more than 4 transforms means it contains\r
- // one than one transform with same type.\r
- //\r
- CopyMem (\r
- (IKEV2_PROPOSAL_DATA *) (IkeSaSession->SaData + 1),\r
- ProposalData,\r
- SaDataSize - sizeof (IKEV2_SA_DATA)\r
- );\r
-\r
- ((IKEV2_PROPOSAL_DATA *) (IkeSaSession->SaData + 1))->ProposalIndex = 1;\r
-\r
- return TRUE;\r
- } else {\r
- PreferEncryptAlgorithm = 0;\r
- PreferIntegrityAlgorithm = 0;\r
- PreferPrfAlgorithm = 0;\r
- PreferDhGroup = 0;\r
- PreferEncryptKeylength = 0;\r
- }\r
- }\r
- //\r
- // Point to next Proposal.\r
- //\r
- ProposalData = (IKEV2_PROPOSAL_DATA*)((UINT8*)(ProposalData + 1) +\r
- ProposalData->NumTransforms * sizeof (IKEV2_TRANSFORM_DATA));\r
- }\r
- } else if (Type == IKE_HEADER_FLAGS_RESPOND) {\r
- //\r
- // First check the SA proposal's ProtoctolID and Transform Numbers. Since it is\r
- // the responded SA proposal, suppose it only has one proposal and the transform Numbers\r
- // is 4.\r
- //\r
- ProposalData = (IKEV2_PROPOSAL_DATA *)((IKEV2_SA_DATA *) SaPayload->PayloadBuf + 1);\r
- if (ProposalData->ProtocolId != IPSEC_PROTO_ISAKMP || ProposalData->NumTransforms != 4) {\r
- return FALSE;\r
- }\r
- //\r
- // Get the preferred algorithms.\r
- //\r
- Ikev2ParseProposalData (\r
- ProposalData,\r
- &PreferEncryptAlgorithm,\r
- &PreferIntegrityAlgorithm,\r
- &PreferPrfAlgorithm,\r
- &PreferDhGroup,\r
- &PreferEncryptKeylength,\r
- NULL,\r
- FALSE\r
- );\r
- //\r
- // Check if the Sa proposal data from received packet is in the IkeSaSession->SaData.\r
- //\r
- ProposalData = (IKEV2_PROPOSAL_DATA *) (IkeSaSession->SaData + 1);\r
-\r
- for (ProposalIndex = 0; ProposalIndex < IkeSaSession->SaData->NumProposals && (!IsMatch); ProposalIndex++) {\r
- Ikev2ParseProposalData (\r
- ProposalData,\r
- &EncryptAlgorithm,\r
- &IntegrityAlgorithm,\r
- &PrfAlgorithm,\r
- &DhGroup,\r
- &EncryptKeylength,\r
- NULL,\r
- FALSE\r
- );\r
- if (EncryptAlgorithm == PreferEncryptAlgorithm &&\r
- EncryptKeylength == PreferEncryptKeylength &&\r
- IntegrityAlgorithm == PreferIntegrityAlgorithm &&\r
- PrfAlgorithm == PreferPrfAlgorithm &&\r
- DhGroup == PreferDhGroup\r
- ) {\r
- IsMatch = TRUE;\r
- } else {\r
- EncryptAlgorithm = 0;\r
- IntegrityAlgorithm = 0;\r
- PrfAlgorithm = 0;\r
- DhGroup = 0;\r
- EncryptKeylength = 0;\r
- }\r
-\r
- ProposalData = (IKEV2_PROPOSAL_DATA*)((UINT8*)(ProposalData + 1) +\r
- ProposalData->NumTransforms * sizeof (IKEV2_TRANSFORM_DATA));\r
- }\r
-\r
- if (IsMatch) {\r
- IkeSaSession->SessionCommon.SaParams = AllocateZeroPool (sizeof (IKEV2_SA_PARAMS));\r
- if (IkeSaSession->SessionCommon.SaParams == NULL) {\r
- return FALSE;\r
- }\r
-\r
- IkeSaSession->SessionCommon.SaParams->EncAlgId = PreferEncryptAlgorithm;\r
- IkeSaSession->SessionCommon.SaParams->EnckeyLen = PreferEncryptKeylength;\r
- IkeSaSession->SessionCommon.SaParams->DhGroup = PreferDhGroup;\r
- IkeSaSession->SessionCommon.SaParams->Prf = PreferPrfAlgorithm;\r
- IkeSaSession->SessionCommon.SaParams->IntegAlgId = PreferIntegrityAlgorithm;\r
- IkeSaSession->SessionCommon.PreferDhGroup = PreferDhGroup;\r
-\r
- return TRUE;\r
- }\r
- }\r
-\r
- return FALSE;\r
-}\r
-\r
-/**\r
- Parse the received Authentication Exchange Packet.\r
-\r
- This function parse the SA Payload and Key Payload to find out the cryptographic\r
- suite for the ESP and fill it into the Child SA Session's CommonSession->SaParams.\r
-\r
- @param[in, out] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION related to\r
- this Authentication Exchange.\r
- @param[in] SaPayload The received packet.\r
- @param[in] Type The IKE header's flag of received packet .\r
-\r
- @retval TRUE If the SA proposal in Packet is acceptable.\r
- @retval FALSE If the SA proposal in Packet is not acceptable.\r
-\r
-**/\r
-BOOLEAN\r
-Ikev2ChildSaParseSaPayload (\r
- IN OUT IKEV2_CHILD_SA_SESSION *ChildSaSession,\r
- IN IKE_PAYLOAD *SaPayload,\r
- IN UINT8 Type\r
- )\r
-{\r
- IKEV2_PROPOSAL_DATA *ProposalData;\r
- UINT8 ProposalIndex;\r
- UINT16 PreferEncryptAlgorithm;\r
- UINT16 PreferIntegrityAlgorithm;\r
- UINTN PreferEncryptKeylength;\r
- BOOLEAN PreferIsSupportEsn;\r
- UINT16 EncryptAlgorithm;\r
- UINT16 IntegrityAlgorithm;\r
- UINTN EncryptKeylength;\r
- BOOLEAN IsSupportEsn;\r
- BOOLEAN IsMatch;\r
- UINTN SaDataSize;\r
-\r
-\r
- PreferIntegrityAlgorithm = 0;\r
- PreferEncryptAlgorithm = 0;\r
- PreferEncryptKeylength = 0;\r
- IntegrityAlgorithm = 0;\r
- EncryptAlgorithm = 0;\r
- EncryptKeylength = 0;\r
- IsMatch = FALSE;\r
- IsSupportEsn = FALSE;\r
- PreferIsSupportEsn = FALSE;\r
-\r
- if (Type == IKE_HEADER_FLAGS_INIT) {\r
- ProposalData = (IKEV2_PROPOSAL_DATA *)((IKEV2_SA_DATA *) SaPayload->PayloadBuf + 1);\r
- for (ProposalIndex = 0; ProposalIndex < ((IKEV2_SA_DATA *) SaPayload->PayloadBuf)->NumProposals; ProposalIndex++) {\r
- //\r
- // Iterate each proposal to find the preferred one.\r
- //\r
- if (ProposalData->ProtocolId == IPSEC_PROTO_IPSEC_ESP && ProposalData->NumTransforms >= 3) {\r
- //\r
- // Get the preferred algorithm.\r
- //\r
- Ikev2ParseProposalData (\r
- ProposalData,\r
- &PreferEncryptAlgorithm,\r
- &PreferIntegrityAlgorithm,\r
- NULL,\r
- NULL,\r
- &PreferEncryptKeylength,\r
- &IsSupportEsn,\r
- TRUE\r
- );\r
- //\r
- // Don't support the ESN now.\r
- //\r
- if (PreferEncryptAlgorithm != 0 &&\r
- PreferIntegrityAlgorithm != 0 &&\r
- !IsSupportEsn\r
- ) {\r
- //\r
- // Find the matched one.\r
- //\r
- ChildSaSession->SessionCommon.SaParams = AllocateZeroPool (sizeof (IKEV2_SA_PARAMS));\r
- if (ChildSaSession->SessionCommon.SaParams == NULL) {\r
- return FALSE;\r
- }\r
-\r
- ChildSaSession->SessionCommon.SaParams->EncAlgId = PreferEncryptAlgorithm;\r
- ChildSaSession->SessionCommon.SaParams->EnckeyLen = PreferEncryptKeylength;\r
- ChildSaSession->SessionCommon.SaParams->IntegAlgId = PreferIntegrityAlgorithm;\r
- CopyMem (&ChildSaSession->RemotePeerSpi, ProposalData->Spi, sizeof (ChildSaSession->RemotePeerSpi));\r
-\r
- //\r
- // Save the matched one in IKEV2_SA_DATA for furthure calculation.\r
- //\r
- SaDataSize = sizeof (IKEV2_SA_DATA) +\r
- sizeof (IKEV2_PROPOSAL_DATA) +\r
- sizeof (IKEV2_TRANSFORM_DATA) * 4;\r
-\r
- ChildSaSession->SaData = AllocateZeroPool (SaDataSize);\r
- if (ChildSaSession->SaData == NULL) {\r
- FreePool (ChildSaSession->SessionCommon.SaParams);\r
- return FALSE;\r
- }\r
-\r
- ChildSaSession->SaData->NumProposals = 1;\r
-\r
- //\r
- // BUGBUG: Suppose there are 4 transforms in the matched proposal. If\r
- // the matched Proposal has more than 4 transforms that means there\r
- // are more than one transform with same type.\r
- //\r
- CopyMem (\r
- (IKEV2_PROPOSAL_DATA *) (ChildSaSession->SaData + 1),\r
- ProposalData,\r
- SaDataSize - sizeof (IKEV2_SA_DATA)\r
- );\r
-\r
- ((IKEV2_PROPOSAL_DATA *) (ChildSaSession->SaData + 1))->ProposalIndex = 1;\r
-\r
- ((IKEV2_PROPOSAL_DATA *) (ChildSaSession->SaData + 1))->Spi = AllocateCopyPool (\r
- sizeof (ChildSaSession->LocalPeerSpi),\r
- &ChildSaSession->LocalPeerSpi\r
- );\r
- if (((IKEV2_PROPOSAL_DATA *) (ChildSaSession->SaData + 1))->Spi == NULL) {\r
- FreePool (ChildSaSession->SessionCommon.SaParams);\r
-\r
- FreePool (ChildSaSession->SaData );\r
-\r
- return FALSE;\r
- }\r
-\r
- return TRUE;\r
-\r
- } else {\r
- PreferEncryptAlgorithm = 0;\r
- PreferIntegrityAlgorithm = 0;\r
- IsSupportEsn = TRUE;\r
- }\r
- }\r
- //\r
- // Point to next Proposal\r
- //\r
- ProposalData = (IKEV2_PROPOSAL_DATA *)((UINT8 *)(ProposalData + 1) +\r
- ProposalData->NumTransforms * sizeof (IKEV2_TRANSFORM_DATA));\r
- }\r
- } else if (Type == IKE_HEADER_FLAGS_RESPOND) {\r
- //\r
- // First check the SA proposal's ProtoctolID and Transform Numbers. Since it is\r
- // the responded SA proposal, suppose it only has one proposal and the transform Numbers\r
- // is 3.\r
- //\r
- ProposalData = (IKEV2_PROPOSAL_DATA *)((IKEV2_SA_DATA *)SaPayload->PayloadBuf + 1);\r
- if (ProposalData->ProtocolId != IPSEC_PROTO_IPSEC_ESP || ProposalData->NumTransforms != 3) {\r
- return FALSE;\r
- }\r
- //\r
- // Get the preferred algorithms.\r
- //\r
- Ikev2ParseProposalData (\r
- ProposalData,\r
- &PreferEncryptAlgorithm,\r
- &PreferIntegrityAlgorithm,\r
- NULL,\r
- NULL,\r
- &PreferEncryptKeylength,\r
- &PreferIsSupportEsn,\r
- TRUE\r
- );\r
-\r
- ProposalData = (IKEV2_PROPOSAL_DATA *) (ChildSaSession->SaData + 1);\r
-\r
- for (ProposalIndex = 0; ProposalIndex < ChildSaSession->SaData->NumProposals && (!IsMatch); ProposalIndex++) {\r
- Ikev2ParseProposalData (\r
- ProposalData,\r
- &EncryptAlgorithm,\r
- &IntegrityAlgorithm,\r
- NULL,\r
- NULL,\r
- &EncryptKeylength,\r
- &IsSupportEsn,\r
- TRUE\r
- );\r
- if (EncryptAlgorithm == PreferEncryptAlgorithm &&\r
- EncryptKeylength == PreferEncryptKeylength &&\r
- IntegrityAlgorithm == PreferIntegrityAlgorithm &&\r
- IsSupportEsn == PreferIsSupportEsn\r
- ) {\r
- IsMatch = TRUE;\r
- } else {\r
- IntegrityAlgorithm = 0;\r
- EncryptAlgorithm = 0;\r
- EncryptKeylength = 0;\r
- IsSupportEsn = FALSE;\r
- }\r
- ProposalData = (IKEV2_PROPOSAL_DATA*)((UINT8*)(ProposalData + 1) +\r
- ProposalData->NumTransforms * sizeof (IKEV2_TRANSFORM_DATA));\r
- }\r
-\r
- ProposalData = (IKEV2_PROPOSAL_DATA *)((IKEV2_SA_DATA *)SaPayload->PayloadBuf + 1);\r
- if (IsMatch) {\r
- ChildSaSession->SessionCommon.SaParams = AllocateZeroPool (sizeof (IKEV2_SA_PARAMS));\r
- if (ChildSaSession->SessionCommon.SaParams == NULL) {\r
- return FALSE;\r
- }\r
-\r
- ChildSaSession->SessionCommon.SaParams->EncAlgId = PreferEncryptAlgorithm;\r
- ChildSaSession->SessionCommon.SaParams->EnckeyLen = PreferEncryptKeylength;\r
- ChildSaSession->SessionCommon.SaParams->IntegAlgId = PreferIntegrityAlgorithm;\r
- CopyMem (&ChildSaSession->RemotePeerSpi, ProposalData->Spi, sizeof (ChildSaSession->RemotePeerSpi));\r
-\r
- return TRUE;\r
- }\r
- }\r
- return FALSE;\r
-}\r
-\r
-/**\r
- Generate Key buffer from fragments.\r
-\r
- If the digest length of specified HashAlgId is larger than or equal with the\r
- required output key length, derive the key directly. Otherwise, Key Material\r
- needs to be PRF-based concatenation according to 2.13 of RFC 4306:\r
- prf+ (K,S) = T1 | T2 | T3 | T4 | ..., T1 = prf (K, S | 0x01),\r
- T2 = prf (K, T1 | S | 0x02), T3 = prf (K, T2 | S | 0x03),T4 = prf (K, T3 | S | 0x04)\r
- then derive the key from this key material.\r
-\r
- @param[in] HashAlgId The Hash Algorithm ID used to generate key.\r
- @param[in] HashKey Pointer to a key buffer which contains hash key.\r
- @param[in] HashKeyLength The length of HashKey in bytes.\r
- @param[in, out] OutputKey Pointer to buffer which is used to receive the\r
- output key.\r
- @param[in] OutputKeyLength The length of OutPutKey buffer.\r
- @param[in] Fragments Pointer to the data to be used to generate key.\r
- @param[in] NumFragments The numbers of the Fragement.\r
-\r
- @retval EFI_SUCCESS The operation complete successfully.\r
- @retval EFI_INVALID_PARAMETER If NumFragments is zero.\r
- If the authentication algorithm given by HashAlgId\r
- cannot be found.\r
- @retval EFI_OUT_OF_RESOURCES If the required resource can't be allocated.\r
- @retval Others The operation is failed.\r
-\r
-**/\r
-EFI_STATUS\r
-Ikev2SaGenerateKey (\r
- IN UINT8 HashAlgId,\r
- IN UINT8 *HashKey,\r
- IN UINTN HashKeyLength,\r
- IN OUT UINT8 *OutputKey,\r
- IN UINTN OutputKeyLength,\r
- IN PRF_DATA_FRAGMENT *Fragments,\r
- IN UINTN NumFragments\r
- )\r
-{\r
- EFI_STATUS Status;\r
- PRF_DATA_FRAGMENT LocalFragments[3];\r
- UINT8 *Digest;\r
- UINTN DigestSize;\r
- UINTN Round;\r
- UINTN Index;\r
- UINTN AuthKeyLength;\r
- UINTN FragmentsSize;\r
- UINT8 TailData;\r
-\r
- Status = EFI_SUCCESS;\r
-\r
- if (NumFragments == 0) {\r
- return EFI_INVALID_PARAMETER;\r
- }\r
-\r
- LocalFragments[0].Data = NULL;\r
- LocalFragments[1].Data = NULL;\r
- LocalFragments[2].Data = NULL;\r
-\r
- AuthKeyLength = IpSecGetHmacDigestLength (HashAlgId);\r
- if (AuthKeyLength == 0) {\r
- return EFI_INVALID_PARAMETER;\r
- }\r
-\r
- DigestSize = AuthKeyLength;\r
- Digest = AllocateZeroPool (AuthKeyLength);\r
-\r
- if (Digest == NULL) {\r
- return EFI_OUT_OF_RESOURCES;\r
- }\r
- //\r
- // If the required output key length is less than the digest size,\r
- // copy the digest into OutputKey.\r
- //\r
- if (OutputKeyLength <= DigestSize) {\r
- Status = IpSecCryptoIoHmac (\r
- HashAlgId,\r
- HashKey,\r
- HashKeyLength,\r
- (HASH_DATA_FRAGMENT *) Fragments,\r
- NumFragments,\r
- Digest,\r
- DigestSize\r
- );\r
- if (EFI_ERROR (Status)) {\r
- goto Exit;\r
- }\r
-\r
- CopyMem (OutputKey, Digest, OutputKeyLength);\r
- goto Exit;\r
- }\r
-\r
- //\r
- //Otherwise, Key Material need to be PRF-based concatenation according to 2.13\r
- //of RFC 4306: prf+ (K,S) = T1 | T2 | T3 | T4 | ..., T1 = prf (K, S | 0x01),\r
- //T2 = prf (K, T1 | S | 0x02), T3 = prf (K, T2 | S | 0x03),T4 = prf (K, T3 | S | 0x04)\r
- //then derive the key from this key material.\r
- //\r
- FragmentsSize = 0;\r
- for (Index = 0; Index < NumFragments; Index++) {\r
- FragmentsSize = FragmentsSize + Fragments[Index].DataSize;\r
- }\r
-\r
- LocalFragments[1].Data = AllocateZeroPool (FragmentsSize);\r
- if (LocalFragments[1].Data == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto Exit;\r
- }\r
-\r
- LocalFragments[1].DataSize = FragmentsSize;\r
-\r
- //\r
- // Copy all input fragments into LocalFragments[1];\r
- //\r
- FragmentsSize = 0;\r
- for (Index = 0; Index < NumFragments; Index++) {\r
- CopyMem (\r
- LocalFragments[1].Data + FragmentsSize,\r
- Fragments[Index].Data,\r
- Fragments[Index].DataSize\r
- );\r
- FragmentsSize = FragmentsSize + Fragments[Index].DataSize;\r
- }\r
-\r
- //\r
- // Prepare 0x01 as the first tail data.\r
- //\r
- TailData = 0x01;\r
- LocalFragments[2].Data = &TailData;\r
- LocalFragments[2].DataSize = sizeof (TailData);\r
- //\r
- // Allocate buffer for the first fragment\r
- //\r
- LocalFragments[0].Data = AllocateZeroPool (AuthKeyLength);\r
- if (LocalFragments[0].Data == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto Exit;\r
- }\r
-\r
- LocalFragments[0].DataSize = AuthKeyLength;\r
-\r
- Round = (OutputKeyLength - 1) / AuthKeyLength + 1;\r
- for (Index = 0; Index < Round; Index++) {\r
- Status = IpSecCryptoIoHmac (\r
- HashAlgId,\r
- HashKey,\r
- HashKeyLength,\r
- (HASH_DATA_FRAGMENT *)(Index == 0 ? &LocalFragments[1] : LocalFragments),\r
- Index == 0 ? 2 : 3,\r
- Digest,\r
- DigestSize\r
- );\r
- if (EFI_ERROR(Status)) {\r
- goto Exit;\r
- }\r
- CopyMem (\r
- LocalFragments[0].Data,\r
- Digest,\r
- DigestSize\r
- );\r
- if (OutputKeyLength > DigestSize * (Index + 1)) {\r
- CopyMem (\r
- OutputKey + Index * DigestSize,\r
- Digest,\r
- DigestSize\r
- );\r
- LocalFragments[0].DataSize = DigestSize;\r
- TailData ++;\r
- } else {\r
- //\r
- // The last round\r
- //\r
- CopyMem (\r
- OutputKey + Index * DigestSize,\r
- Digest,\r
- OutputKeyLength - Index * DigestSize\r
- );\r
- }\r
- }\r
-\r
-Exit:\r
- //\r
- // Only First and second Framgement Data need to be freed.\r
- //\r
- for (Index = 0 ; Index < 2; Index++) {\r
- if (LocalFragments[Index].Data != NULL) {\r
- FreePool (LocalFragments[Index].Data);\r
- }\r
- }\r
- if (Digest != NULL) {\r
- FreePool (Digest);\r
- }\r
- return Status;\r
-}\r
-\r
+++ /dev/null
-/** @file\r
- The interfaces of IKE/Child session operations and payload related operations\r
- used by IKE Exchange Process.\r
-\r
- Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>\r
-\r
- SPDX-License-Identifier: BSD-2-Clause-Patent\r
-\r
-**/\r
-\r
-#ifndef _IKE_V2_UTILITY_H_\r
-#define _IKE_V2_UTILITY_H_\r
-\r
-#include "Ikev2.h"\r
-#include "IkeCommon.h"\r
-#include "IpSecCryptIo.h"\r
-\r
-#include <Library/PcdLib.h>\r
-\r
-#define IKEV2_SUPPORT_ENCRYPT_ALGORITHM_NUM 2\r
-#define IKEV2_SUPPORT_PRF_ALGORITHM_NUM 1\r
-#define IKEV2_SUPPORT_DH_ALGORITHM_NUM 2\r
-#define IKEV2_SUPPORT_AUTH_ALGORITHM_NUM 1\r
-\r
-/**\r
- Allocate buffer for IKEV2_SA_SESSION and initialize it.\r
-\r
- @param[in] Private Pointer to IPSEC_PRIVATE_DATA.\r
- @param[in] UdpService Pointer to IKE_UDP_SERVICE related to this IKE SA Session.\r
-\r
- @return Pointer to IKEV2_SA_SESSION.\r
-\r
-**/\r
-IKEV2_SA_SESSION *\r
-Ikev2SaSessionAlloc (\r
- IN IPSEC_PRIVATE_DATA *Private,\r
- IN IKE_UDP_SERVICE *UdpService\r
- );\r
-\r
-/**\r
- Register Establish IKEv2 SA into Private->Ikev2EstablishedList.\r
-\r
- @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION to be registered.\r
- @param[in] Private Pointer to IPSEC_PRAVATE_DATA.\r
-\r
-**/\r
-VOID\r
-Ikev2SaSessionReg (\r
- IN IKEV2_SA_SESSION *IkeSaSession,\r
- IN IPSEC_PRIVATE_DATA *Private\r
- );\r
-\r
-/**\r
- Find a IKEV2_SA_SESSION by the remote peer IP.\r
-\r
- @param[in] SaSessionList SaSession List to be searched.\r
- @param[in] RemotePeerIp Pointer to specified IP address.\r
-\r
- @return Pointer to IKEV2_SA_SESSION if find one or NULL.\r
-\r
-**/\r
-IKEV2_SA_SESSION *\r
-Ikev2SaSessionLookup (\r
- IN LIST_ENTRY *SaSessionList,\r
- IN EFI_IP_ADDRESS *RemotePeerIp\r
- );\r
-\r
-/**\r
- Insert a IKE_SA_SESSION into IkeSaSession list. The IkeSaSession list is either\r
- Private->Ikev2SaSession list or Private->Ikev2EstablishedList list.\r
-\r
- @param[in] SaSessionList Pointer to list to be inserted into.\r
- @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION to be inserted.\r
- @param[in] RemotePeerIp Pointer to EFI_IP_ADDRESSS to indicate the\r
- unique IKEV2_SA_SESSION.\r
-\r
-**/\r
-VOID\r
-Ikev2SaSessionInsert (\r
- IN LIST_ENTRY *SaSessionList,\r
- IN IKEV2_SA_SESSION *IkeSaSession,\r
- IN EFI_IP_ADDRESS *RemotePeerIp\r
- );\r
-\r
-/**\r
- Remove the SA Session by Remote Peer IP.\r
-\r
- @param[in] SaSessionList Pointer to list to be searched.\r
- @param[in] RemotePeerIp Pointer to EFI_IP_ADDRESS to use for SA Session search.\r
-\r
- @retval Pointer to IKEV2_SA_SESSION with the specified remote IP address.\r
-\r
-**/\r
-IKEV2_SA_SESSION *\r
-Ikev2SaSessionRemove (\r
- IN LIST_ENTRY *SaSessionList,\r
- IN EFI_IP_ADDRESS *RemotePeerIp\r
- );\r
-\r
-\r
-/**\r
- After IKE/Child SA is estiblished, close the time event and free sent packet.\r
-\r
- @param[in] SessionCommon Pointer to a Session Common.\r
-\r
-**/\r
-VOID\r
-Ikev2SessionCommonRefresh (\r
- IN IKEV2_SESSION_COMMON *SessionCommon\r
- );\r
-\r
-/**\r
- Free specified IKEV2 SA Session.\r
-\r
- @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION to be freed.\r
-\r
-**/\r
-VOID\r
-Ikev2SaSessionFree (\r
- IN IKEV2_SA_SESSION *IkeSaSession\r
- );\r
-\r
-/**\r
- Free specified Seession Common. The session common would belong to a IKE SA or\r
- a Child SA.\r
-\r
- @param[in] SessionCommon Pointer to a Session Common.\r
-\r
-**/\r
-VOID\r
-Ikev2SaSessionCommonFree (\r
- IN IKEV2_SESSION_COMMON *SessionCommon\r
- );\r
-\r
-/**\r
- Increase the MessageID in IkeSaSession.\r
-\r
- @param[in] IkeSaSession Pointer to a specified IKEV2_SA_SESSION.\r
-\r
-**/\r
-VOID\r
-Ikev2SaSessionIncreaseMessageId (\r
- IN IKEV2_SA_SESSION *IkeSaSession\r
- );\r
-\r
-/**\r
- Allocate Momery for IKEV2 Child SA Session.\r
-\r
- @param[in] UdpService Pointer to IKE_UDP_SERVICE.\r
- @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION related to this Child SA\r
- Session.\r
-\r
- @retval Pointer of a new created IKEV2 Child SA Session.\r
-\r
-**/\r
-IKEV2_CHILD_SA_SESSION *\r
-Ikev2ChildSaSessionAlloc (\r
- IN IKE_UDP_SERVICE *UdpService,\r
- IN IKEV2_SA_SESSION *IkeSaSession\r
- );\r
-\r
-/**\r
- Register a established IKEv2 Child SA into IkeSaSession->ChildSaEstablishSessionList.\r
- If the there is IKEV2_CHILD_SA_SESSION with same remote peer IP, remove the old one\r
- then register the new one.\r
-\r
- @param[in] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION to be registered.\r
- @param[in] Private Pointer to IPSEC_PRAVATE_DATA.\r
-\r
-**/\r
-VOID\r
-Ikev2ChildSaSessionReg (\r
- IN IKEV2_CHILD_SA_SESSION *ChildSaSession,\r
- IN IPSEC_PRIVATE_DATA *Private\r
- );\r
-\r
-/**\r
- This function find the Child SA by the specified Spi.\r
-\r
- This functin find a ChildSA session by searching the ChildSaSessionlist of\r
- the input IKEV2_SA_SESSION by specified MessageID.\r
-\r
- @param[in] SaSessionList Pointer to List to be searched.\r
- @param[in] Spi Specified SPI.\r
-\r
- @return Pointer to IKEV2_CHILD_SA_SESSION.\r
-\r
-**/\r
-IKEV2_CHILD_SA_SESSION *\r
-Ikev2ChildSaSessionLookupBySpi (\r
- IN LIST_ENTRY *SaSessionList,\r
- IN UINT32 Spi\r
- );\r
-\r
-\r
-/**\r
- Insert a Child SA Session into the specified ChildSa list..\r
-\r
- @param[in] SaSessionList Pointer to list to be inserted in.\r
- @param[in] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION to be inserted.\r
-\r
-**/\r
-VOID\r
-Ikev2ChildSaSessionInsert (\r
- IN LIST_ENTRY *SaSessionList,\r
- IN IKEV2_CHILD_SA_SESSION *ChildSaSession\r
- );\r
-\r
-/**\r
- Remove the IKEV2_CHILD_SA_SESSION from IkeSaSessionList.\r
-\r
- @param[in] SaSessionList The SA Session List to be iterated.\r
- @param[in] Spi Spi used to identify the IKEV2_CHILD_SA_SESSION.\r
- @param[in] ListType The type of the List to indicate whether it is a\r
- Established.\r
-\r
- @return The point to IKEV2_CHILD_SA_SESSION.\r
-\r
-**/\r
-IKEV2_CHILD_SA_SESSION *\r
-Ikev2ChildSaSessionRemove (\r
- IN LIST_ENTRY *SaSessionList,\r
- IN UINT32 Spi,\r
- IN UINT8 ListType\r
- );\r
-\r
-\r
-/**\r
- Free the memory located for the specified IKEV2_CHILD_SA_SESSION.\r
-\r
- @param[in] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION.\r
-\r
-**/\r
-VOID\r
-Ikev2ChildSaSessionFree (\r
- IN IKEV2_CHILD_SA_SESSION *ChildSaSession\r
- );\r
-\r
-/**\r
- Free the specified DhBuffer.\r
-\r
- @param[in] DhBuffer Pointer to IKEV2_DH_BUFFER to be freed.\r
-\r
-**/\r
-VOID\r
-Ikev2DhBufferFree (\r
- IN IKEV2_DH_BUFFER *DhBuffer\r
- );\r
-\r
-/**\r
- Delete the specified established Child SA.\r
-\r
- This function delete the Child SA directly and dont send the Information Packet to\r
- remote peer.\r
-\r
- @param[in] IkeSaSession Pointer to a IKE SA Session used to be searched for.\r
- @param[in] Spi SPI used to find the Child SA.\r
-\r
- @retval EFI_NOT_FOUND Pointer of IKE SA Session is NULL.\r
- @retval EFI_NOT_FOUND There is no specified Child SA related with the input\r
- SPI under this IKE SA Session.\r
- @retval EFI_SUCCESS Delete the Child SA successfully.\r
-\r
-**/\r
-EFI_STATUS\r
-Ikev2ChildSaSilentDelete (\r
- IN IKEV2_SA_SESSION *IkeSaSession,\r
- IN UINT32 Spi\r
- );\r
-\r
-/**\r
- This function is to parse a request IKE packet and return its request type.\r
- The request type is one of IKE CHILD SA creation, IKE SA rekeying and\r
- IKE CHILD SA rekeying.\r
-\r
- @param[in] IkePacket IKE packet to be prased.\r
-\r
- return the type of the IKE packet.\r
-\r
-**/\r
-IKEV2_CREATE_CHILD_REQUEST_TYPE\r
-Ikev2ChildExchangeRequestType(\r
- IN IKE_PACKET *IkePacket\r
- );\r
-\r
-\r
-/**\r
- Associate a SPD selector to the Child SA Session.\r
-\r
- This function is called when the Child SA is not the first child SA of its\r
- IKE SA. It associate a SPD to this Child SA.\r
-\r
- @param[in, out] ChildSaSession Pointer to the Child SA Session to be associated to\r
- a SPD selector.\r
-\r
- @retval EFI_SUCCESS Associate one SPD selector to this Child SA Session successfully.\r
- @retval EFI_NOT_FOUND Can't find the related SPD selector.\r
-\r
-**/\r
-EFI_STATUS\r
-Ikev2ChildSaAssociateSpdEntry (\r
- IN OUT IKEV2_CHILD_SA_SESSION *ChildSaSession\r
- );\r
-\r
-/**\r
- Validate the IKE header of received IKE packet.\r
-\r
- @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION related to this IKE packet.\r
- @param[in] IkeHdr Pointer to IKE header of received IKE packet.\r
-\r
- @retval TRUE If the IKE header is valid.\r
- @retval FALSE If the IKE header is invalid.\r
-\r
-**/\r
-BOOLEAN\r
-Ikev2ValidateHeader (\r
- IN IKEV2_SA_SESSION *IkeSaSession,\r
- IN IKE_HEADER *IkeHdr\r
- );\r
-\r
-/**\r
- Create and intialize IKEV2_SA_DATA for speicifed IKEV2_SESSION_COMMON.\r
-\r
- This function will be only called by the initiator. The responder's IKEV2_SA_DATA\r
- will be generated during parsed the initiator packet.\r
-\r
- @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON related to.\r
-\r
- @retval a Pointer to a new IKEV2_SA_DATA or NULL.\r
-\r
-**/\r
-IKEV2_SA_DATA *\r
-Ikev2InitializeSaData (\r
- IN IKEV2_SESSION_COMMON *SessionCommon\r
- );\r
-\r
-/**\r
- Store the SA into SAD.\r
-\r
- @param[in] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION.\r
-\r
-**/\r
-VOID\r
-Ikev2StoreSaData (\r
- IN IKEV2_CHILD_SA_SESSION *ChildSaSession\r
- );\r
-\r
-/**\r
- Routine process before the payload decoding.\r
-\r
- @param[in] SessionCommon Pointer to ChildSa SessionCommon.\r
- @param[in] PayloadBuf Pointer to the payload.\r
- @param[in] PayloadSize Size of PayloadBuf in byte.\r
- @param[in] PayloadType Type of Payload.\r
-\r
-**/\r
-VOID\r
-Ikev2ChildSaBeforeDecodePayload (\r
- IN UINT8 *SessionCommon,\r
- IN UINT8 *PayloadBuf,\r
- IN UINTN PayloadSize,\r
- IN UINT8 PayloadType\r
- );\r
-\r
-/**\r
- Routine Process after the encode payload.\r
-\r
- @param[in] SessionCommon Pointer to ChildSa SessionCommon.\r
- @param[in] PayloadBuf Pointer to the payload.\r
- @param[in] PayloadSize Size of PayloadBuf in byte.\r
- @param[in] PayloadType Type of Payload.\r
-\r
-**/\r
-VOID\r
-Ikev2ChildSaAfterEncodePayload (\r
- IN UINT8 *SessionCommon,\r
- IN UINT8 *PayloadBuf,\r
- IN UINTN PayloadSize,\r
- IN UINT8 PayloadType\r
- );\r
-\r
-/**\r
- Generate Ikev2 SA payload according to SessionSaData\r
-\r
- @param[in] SessionSaData The data used in SA payload.\r
- @param[in] NextPayload The payload type presented in NextPayload field of\r
- SA Payload header.\r
- @param[in] Type The SA type. It MUST be neither (1) for IKE_SA or\r
- (2) for CHILD_SA or (3) for INFO.\r
-\r
- @retval a Pointer to SA IKE payload.\r
-\r
-**/\r
-IKE_PAYLOAD *\r
-Ikev2GenerateSaPayload (\r
- IN IKEV2_SA_DATA *SessionSaData,\r
- IN UINT8 NextPayload,\r
- IN IKE_SESSION_TYPE Type\r
- );\r
-\r
-/**\r
- Generate a ID payload.\r
-\r
- @param[in] CommonSession Pointer to IKEV2_SESSION_COMMON related to ID payload.\r
- @param[in] NextPayload The payload type presented in the NextPayload field\r
- of ID Payload header.\r
-\r
- @retval Pointer to ID IKE payload.\r
-\r
-**/\r
-IKE_PAYLOAD *\r
-Ikev2GenerateIdPayload (\r
- IN IKEV2_SESSION_COMMON *CommonSession,\r
- IN UINT8 NextPayload\r
- );\r
-\r
-/**\r
- Generate a ID payload.\r
-\r
- @param[in] CommonSession Pointer to IKEV2_SESSION_COMMON related to ID payload.\r
- @param[in] NextPayload The payload type presented in the NextPayload field\r
- of ID Payload header.\r
- @param[in] InCert Pointer to the Certificate which distinguished name\r
- will be added into the Id payload.\r
- @param[in] CertSize Size of the Certificate.\r
-\r
- @retval Pointer to ID IKE payload.\r
-\r
-**/\r
-IKE_PAYLOAD *\r
-Ikev2GenerateCertIdPayload (\r
- IN IKEV2_SESSION_COMMON *CommonSession,\r
- IN UINT8 NextPayload,\r
- IN UINT8 *InCert,\r
- IN UINTN CertSize\r
- );\r
-\r
-/**\r
- Generate a Nonce payload contenting the input parameter NonceBuf.\r
-\r
- @param[in] NonceBuf The nonce buffer content the whole Nonce payload block\r
- except the payload header.\r
- @param[in] NonceSize The buffer size of the NonceBuf\r
- @param[in] NextPayload The payload type presented in the NextPayload field\r
- of Nonce Payload header.\r
-\r
- @retval Pointer to Nonce IKE paload.\r
-\r
-**/\r
-IKE_PAYLOAD *\r
-Ikev2GenerateNoncePayload (\r
- IN UINT8 *NonceBuf,\r
- IN UINTN NonceSize,\r
- IN UINT8 NextPayload\r
- );\r
-\r
-/**\r
- Generate the Notify payload.\r
-\r
- Since the structure of Notify payload which defined in RFC 4306 is simple, so\r
- there is no internal data structure for Notify payload. This function generate\r
- Notify payload defined in RFC 4306, but all the fields in this payload are still\r
- in host order and need call Ikev2EncodePayload() to convert those fields from\r
- the host order to network order beforing sending it.\r
-\r
- @param[in] ProtocolId The protocol type ID. For IKE_SA it MUST be one (1).\r
- For IPsec SAs it MUST be neither (2) for AH or (3)\r
- for ESP.\r
- @param[in] NextPayload The next paylaod type in NextPayload field of\r
- the Notify payload.\r
- @param[in] SpiSize Size of the SPI in SPI size field of the Notify Payload.\r
- @param[in] MessageType The message type in NotifyMessageType field of the\r
- Notify Payload.\r
- @param[in] SpiBuf Pointer to buffer contains the SPI value.\r
- @param[in] NotifyData Pointer to buffer contains the notification data.\r
- @param[in] NotifyDataSize The size of NotifyData in bytes.\r
-\r
-\r
- @retval Pointer to IKE Notify Payload.\r
-\r
-**/\r
-IKE_PAYLOAD *\r
-Ikev2GenerateNotifyPayload (\r
- IN UINT8 ProtocolId,\r
- IN UINT8 NextPayload,\r
- IN UINT8 SpiSize,\r
- IN UINT16 MessageType,\r
- IN UINT8 *SpiBuf,\r
- IN UINT8 *NotifyData,\r
- IN UINTN NotifyDataSize\r
- );\r
-\r
-/**\r
- Generate the Delete payload.\r
-\r
- Since the structure of Delete payload which defined in RFC 4306 is simple,\r
- there is no internal data structure for Delete payload. This function generate\r
- Delete payload defined in RFC 4306, but all the fields in this payload are still\r
- in host order and need call Ikev2EncodePayload() to convert those fields from\r
- the host order to network order beforing sending it.\r
-\r
- @param[in] IkeSaSession Pointer to IKE SA Session to be used of Delete payload generation.\r
- @param[in] NextPayload The next paylaod type in NextPayload field of\r
- the Delete payload.\r
- @param[in] SpiSize Size of the SPI in SPI size field of the Delete Payload.\r
- @param[in] SpiNum Number of SPI in NumofSPIs field of the Delete Payload.\r
- @param[in] SpiBuf Pointer to buffer contains the SPI value.\r
-\r
- @retval Pointer to IKE Delete Payload.\r
-\r
-**/\r
-IKE_PAYLOAD *\r
-Ikev2GenerateDeletePayload (\r
- IN IKEV2_SA_SESSION *IkeSaSession,\r
- IN UINT8 NextPayload,\r
- IN UINT8 SpiSize,\r
- IN UINT16 SpiNum,\r
- IN UINT8 *SpiBuf\r
- );\r
-\r
-/**\r
- Generate the Configuration payload.\r
-\r
- This function generates a configuration payload defined in RFC 4306, but all the\r
- fields in this payload are still in host order and need call Ikev2EncodePayload()\r
- to convert those fields from the host order to network order beforing sending it.\r
-\r
- @param[in] IkeSaSession Pointer to IKE SA Session to be used for Delete payload\r
- generation.\r
- @param[in] NextPayload The next paylaod type in NextPayload field of\r
- the Delete payload.\r
- @param[in] CfgType The attribute type in the Configuration attribute.\r
-\r
- @retval Pointer to IKE CP Payload.\r
-\r
-**/\r
-IKE_PAYLOAD *\r
-Ikev2GenerateCpPayload (\r
- IN IKEV2_SA_SESSION *IkeSaSession,\r
- IN UINT8 NextPayload,\r
- IN UINT8 CfgType\r
- );\r
-\r
-/**\r
- Generate a Authentication Payload.\r
-\r
- This function is used for both Authentication generation and verification. When the\r
- IsVerify is TRUE, it create a Auth Data for verification. This function choose the\r
- related IKE_SA_INIT Message for Auth data creation according to the IKE Session's type\r
- and the value of IsVerify parameter.\r
-\r
- @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION related to.\r
- @param[in] IdPayload Pointer to the ID payload to be used for Authentication\r
- payload generation.\r
- @param[in] NextPayload The type filled into the Authentication Payload next\r
- payload field.\r
- @param[in] IsVerify If it is TURE, the Authentication payload is used for\r
- verification.\r
-\r
- @return pointer to IKE Authentication payload for pre-shard key method.\r
-\r
-**/\r
-IKE_PAYLOAD *\r
-Ikev2PskGenerateAuthPayload (\r
- IN IKEV2_SA_SESSION *IkeSaSession,\r
- IN IKE_PAYLOAD *IdPayload,\r
- IN UINT8 NextPayload,\r
- IN BOOLEAN IsVerify\r
- );\r
-\r
-/**\r
- Generate a Authentication Payload for Certificate Auth method.\r
-\r
- This function has two functions. One is creating a local Authentication\r
- Payload for sending and other is creating the remote Authentication data\r
- for verification when the IsVerify is TURE.\r
-\r
- @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION related to.\r
- @param[in] IdPayload Pointer to the ID payload to be used for Authentication\r
- payload generation.\r
- @param[in] NextPayload The type filled into the Authentication Payload\r
- next payload field.\r
- @param[in] IsVerify If it is TURE, the Authentication payload is used\r
- for verification.\r
- @param[in] UefiPrivateKey Pointer to the UEFI private key. Ignore it when\r
- verify the authenticate payload.\r
- @param[in] UefiPrivateKeyLen The size of UefiPrivateKey in bytes. Ignore it\r
- when verify the authenticate payload.\r
- @param[in] UefiKeyPwd Pointer to the password of UEFI private key.\r
- Ignore it when verify the authenticate payload.\r
- @param[in] UefiKeyPwdLen The size of UefiKeyPwd in bytes.Ignore it when\r
- verify the authenticate payload.\r
-\r
- @return pointer to IKE Authentication payload for certification method.\r
-\r
-**/\r
-IKE_PAYLOAD *\r
-Ikev2CertGenerateAuthPayload (\r
- IN IKEV2_SA_SESSION *IkeSaSession,\r
- IN IKE_PAYLOAD *IdPayload,\r
- IN UINT8 NextPayload,\r
- IN BOOLEAN IsVerify,\r
- IN UINT8 *UefiPrivateKey,\r
- IN UINTN UefiPrivateKeyLen,\r
- IN UINT8 *UefiKeyPwd,\r
- IN UINTN UefiKeyPwdLen\r
- );\r
-\r
-/**\r
- Generate TS payload.\r
-\r
- This function generates TSi or TSr payload according to type of next payload.\r
- If the next payload is Responder TS, gereate TSi Payload. Otherwise, generate\r
- TSr payload\r
-\r
- @param[in] ChildSa Pointer to IKEV2_CHILD_SA_SESSION related to this TS payload.\r
- @param[in] NextPayload The payload type presented in the NextPayload field\r
- of ID Payload header.\r
- @param[in] IsTunnel It indicates that if the Ts Payload is after the CP payload.\r
- If yes, it means the Tsi and Tsr payload should be with\r
- Max port range and address range and protocol is marked\r
- as zero.\r
-\r
- @retval Pointer to Ts IKE payload.\r
-\r
-**/\r
-IKE_PAYLOAD *\r
-Ikev2GenerateTsPayload (\r
- IN IKEV2_CHILD_SA_SESSION *ChildSa,\r
- IN UINT8 NextPayload,\r
- IN BOOLEAN IsTunnel\r
- );\r
-\r
-/**\r
- Parser the Notify Cookie payload.\r
-\r
- This function parses the Notify Cookie payload.If the Notify ProtocolId is not\r
- IPSEC_PROTO_ISAKMP or if the SpiSize is not zero or if the MessageType is not\r
- the COOKIE, return EFI_INVALID_PARAMETER.\r
-\r
- @param[in] IkeNCookie Pointer to the IKE_PAYLOAD which contians the\r
- Notify Cookie payload.\r
- the Notify payload.\r
- @param[in, out] IkeSaSession Pointer to the relevant IKE SA Session.\r
-\r
- @retval EFI_SUCCESS The Notify Cookie Payload is valid.\r
- @retval EFI_INVALID_PARAMETER The Notify Cookie Payload is invalid.\r
- @retval EFI_OUT_OF_RESOURCE The required resource can't be allocated.\r
-\r
-**/\r
-EFI_STATUS\r
-Ikev2ParserNotifyCookiePayload (\r
- IN IKE_PAYLOAD *IkeNCookie,\r
- IN OUT IKEV2_SA_SESSION *IkeSaSession\r
- );\r
-\r
-/**\r
- Generate the Certificate payload or Certificate Request Payload.\r
-\r
- Since the Certificate Payload structure is same with Certificate Request Payload,\r
- the only difference is that one contains the Certificate Data, other contains\r
- the acceptable certificateion CA. This function generate Certificate payload\r
- or Certificate Request Payload defined in RFC 4306, but all the fields\r
- in the payload are still in host order and need call Ikev2EncodePayload()\r
- to convert those fields from the host order to network order beforing sending it.\r
-\r
- @param[in] IkeSaSession Pointer to IKE SA Session to be used of Delete payload\r
- generation.\r
- @param[in] NextPayload The next paylaod type in NextPayload field of\r
- the Delete payload.\r
- @param[in] Certificate Pointer of buffer contains the certification data.\r
- @param[in] CertificateLen The length of Certificate in byte.\r
- @param[in] EncodeType Specified the Certificate Encodeing which is defined\r
- in RFC 4306.\r
- @param[in] IsRequest To indicate create Certificate Payload or Certificate\r
- Request Payload. If it is TURE, create Certificate\r
- Request Payload. Otherwise, create Certificate Payload.\r
-\r
- @retval a Pointer to IKE Payload whose payload buffer containing the Certificate\r
- payload or Certificated Request payload.\r
-\r
-**/\r
-IKE_PAYLOAD *\r
-Ikev2GenerateCertificatePayload (\r
- IN IKEV2_SA_SESSION *IkeSaSession,\r
- IN UINT8 NextPayload,\r
- IN UINT8 *Certificate,\r
- IN UINTN CertificateLen,\r
- IN UINT8 EncodeType,\r
- IN BOOLEAN IsRequest\r
- );\r
-\r
-/**\r
- General interface of payload encoding.\r
-\r
- This function encode the internal data structure into payload which\r
- is defined in RFC 4306. The IkePayload->PayloadBuf used to store both the input\r
- payload and converted payload. Only the SA payload use the interal structure\r
- to store the attribute. Other payload use structure which is same with the RFC\r
- defined, for this kind payloads just do host order to network order change of\r
- some fields.\r
-\r
- @param[in] SessionCommon Pointer to IKE Session Common used to encode the payload.\r
- @param[in, out] IkePayload Pointer to IKE payload to be encode as input, and\r
- store the encoded result as output.\r
-\r
- @retval EFI_INVALID_PARAMETER Meet error when encode the SA payload.\r
- @retval EFI_SUCCESS Encode successfully.\r
-\r
-**/\r
-EFI_STATUS\r
-Ikev2EncodePayload (\r
- IN UINT8 *SessionCommon,\r
- IN OUT IKE_PAYLOAD *IkePayload\r
- );\r
-\r
-/**\r
- The general interface of decode Payload.\r
-\r
- This function convert the received Payload into internal structure.\r
-\r
- @param[in] SessionCommon Pointer to IKE Session Common to use for decoding.\r
- @param[in, out] IkePayload Pointer to IKE payload to be decode as input, and\r
- store the decoded result as output.\r
-\r
- @retval EFI_INVALID_PARAMETER Meet error when decode the SA payload.\r
- @retval EFI_SUCCESS Decode successfully.\r
-\r
-**/\r
-EFI_STATUS\r
-Ikev2DecodePayload (\r
- IN UINT8 *SessionCommon,\r
- IN OUT IKE_PAYLOAD *IkePayload\r
- );\r
-\r
-/**\r
- Decrypt IKE packet.\r
-\r
- This function decrpt the Encrypted IKE packet and put the result into IkePacket->PayloadBuf.\r
-\r
- @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON containing\r
- some parameter used during decrypting.\r
- @param[in, out] IkePacket Point to IKE_PACKET to be decrypted as input,\r
- and the decrypted reslult as output.\r
- @param[in, out] IkeType The type of IKE. IKE_SA_TYPE, IKE_INFO_TYPE and\r
- IKE_CHILD_TYPE are supportted.\r
-\r
- @retval EFI_INVALID_PARAMETER If the IKE packet length is zero or the\r
- IKE packet length is not Algorithm Block Size\r
- alignment.\r
- @retval EFI_SUCCESS Decrypt IKE packet successfully.\r
-\r
-**/\r
-EFI_STATUS\r
-Ikev2DecryptPacket (\r
- IN IKEV2_SESSION_COMMON *SessionCommon,\r
- IN OUT IKE_PACKET *IkePacket,\r
- IN OUT UINTN IkeType\r
- );\r
-\r
-/**\r
- Encrypt IKE packet.\r
-\r
- This function encrypt IKE packet before sending it. The Encrypted IKE packet\r
- is put in to IKEV2 Encrypted Payload.\r
-\r
- @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON related to the IKE packet.\r
- @param[in, out] IkePacket Pointer to IKE packet to be encrypted.\r
-\r
- @retval EFI_SUCCESS Operation is successful.\r
- @retval Others OPeration is failed.\r
-\r
-**/\r
-EFI_STATUS\r
-Ikev2EncryptPacket (\r
- IN IKEV2_SESSION_COMMON *SessionCommon,\r
- IN OUT IKE_PACKET *IkePacket\r
- );\r
-\r
-/**\r
- Encode the IKE packet.\r
-\r
- This function put all Payloads into one payload then encrypt it if needed.\r
-\r
- @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON containing\r
- some parameter used during IKE packet encoding.\r
- @param[in, out] IkePacket Pointer to IKE_PACKET to be encoded as input,\r
- and the encoded reslult as output.\r
- @param[in] IkeType The type of IKE. IKE_SA_TYPE, IKE_INFO_TYPE and\r
- IKE_CHILD_TYPE are supportted.\r
-\r
- @retval EFI_SUCCESS Encode IKE packet successfully.\r
- @retval Otherwise Encode IKE packet failed.\r
-\r
-**/\r
-EFI_STATUS\r
-Ikev2EncodePacket (\r
- IN IKEV2_SESSION_COMMON *SessionCommon,\r
- IN OUT IKE_PACKET *IkePacket,\r
- IN UINTN IkeType\r
- );\r
-\r
-/**\r
- Decode the IKE packet.\r
-\r
- This function first decrypts the IKE packet if needed , then separats the whole\r
- IKE packet from the IkePacket->PayloadBuf into IkePacket payload list.\r
-\r
- @param[in] SessionCommon Pointer to IKEV1_SESSION_COMMON containing\r
- some parameter used by IKE packet decoding.\r
- @param[in, out] IkePacket The IKE Packet to be decoded on input, and\r
- the decoded result on return.\r
- @param[in] IkeType The type of IKE. IKE_SA_TYPE, IKE_INFO_TYPE and\r
- IKE_CHILD_TYPE are supportted.\r
-\r
- @retval EFI_SUCCESS The IKE packet is decoded successfull.\r
- @retval Otherwise The IKE packet decoding is failed.\r
-\r
-**/\r
-EFI_STATUS\r
-Ikev2DecodePacket (\r
- IN IKEV2_SESSION_COMMON *SessionCommon,\r
- IN OUT IKE_PACKET *IkePacket,\r
- IN UINTN IkeType\r
- );\r
-\r
-\r
-/**\r
- Send out IKEV2 packet.\r
-\r
- @param[in] IkeUdpService Pointer to IKE_UDP_SERVICE used to send the IKE packet.\r
- @param[in] SessionCommon Pointer to IKEV1_SESSION_COMMON related to the IKE packet.\r
- @param[in] IkePacket Pointer to IKE_PACKET to be sent out.\r
- @param[in] IkeType The type of IKE to point what's kind of the IKE\r
- packet is to be sent out. IKE_SA_TYPE, IKE_INFO_TYPE\r
- and IKE_CHILD_TYPE are supportted.\r
-\r
- @retval EFI_SUCCESS The operation complete successfully.\r
- @retval Otherwise The operation is failed.\r
-\r
-**/\r
-EFI_STATUS\r
-Ikev2SendIkePacket (\r
- IN IKE_UDP_SERVICE *IkeUdpService,\r
- IN UINT8 *SessionCommon,\r
- IN IKE_PACKET *IkePacket,\r
- IN UINTN IkeType\r
- );\r
-\r
-/**\r
- Callback function for the IKE life time is over.\r
-\r
- This function will mark the related IKE SA Session as deleting and trigger a\r
- Information negotiation.\r
-\r
- @param[in] Event The time out event.\r
- @param[in] Context Pointer to data passed by caller.\r
-\r
-**/\r
-VOID\r
-EFIAPI\r
-Ikev2LifetimeNotify (\r
- IN EFI_EVENT Event,\r
- IN VOID *Context\r
- );\r
-\r
-/**\r
- This function will be called if the TimeOut Event is signaled.\r
-\r
- @param[in] Event The signaled Event.\r
- @param[in] Context The data passed by caller.\r
-\r
-**/\r
-VOID\r
-EFIAPI\r
-Ikev2ResendNotify (\r
- IN EFI_EVENT Event,\r
- IN VOID *Context\r
- );\r
-\r
-/**\r
- Generate a Key Exchange payload according to the DH group type and save the\r
- public Key into IkeSaSession IkeKey field.\r
-\r
- @param[in, out] IkeSaSession Pointer of the IKE_SA_SESSION.\r
- @param[in] NextPayload The payload type presented in the NextPayload field of Key\r
- Exchange Payload header.\r
-\r
- @retval Pointer to Key IKE payload.\r
-\r
-**/\r
-IKE_PAYLOAD *\r
-Ikev2GenerateKePayload (\r
- IN OUT IKEV2_SA_SESSION *IkeSaSession,\r
- IN UINT8 NextPayload\r
- );\r
-\r
-/**\r
- Check if the SPD is related to the input Child SA Session.\r
-\r
- This function is the subfunction of Ikev1AssociateSpdEntry(). It is the call\r
- back function of IpSecVisitConfigData().\r
-\r
-\r
- @param[in] Type Type of the input Config Selector.\r
- @param[in] Selector Pointer to the Configure Selector to be checked.\r
- @param[in] Data Pointer to the Configure Selector's Data passed\r
- from the caller.\r
- @param[in] SelectorSize The buffer size of Selector.\r
- @param[in] DataSize The buffer size of the Data.\r
- @param[in] Context The data passed from the caller. It is a Child\r
- SA Session in this context.\r
-\r
- @retval EFI_SUCCESS The SPD Selector is not related to the Child SA Session.\r
- @retval EFI_ABORTED The SPD Selector is related to the Child SA session and\r
- set the ChildSaSession->Spd to point to this SPD Selector.\r
-\r
-**/\r
-EFI_STATUS\r
-Ikev2MatchSpdEntry (\r
- IN EFI_IPSEC_CONFIG_DATA_TYPE Type,\r
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector,\r
- IN VOID *Data,\r
- IN UINTN SelectorSize,\r
- IN UINTN DataSize,\r
- IN VOID *Context\r
- );\r
-\r
-/**\r
- Check if the Algorithm ID is supported.\r
-\r
- @param[in] AlgorithmId The specified Algorithm ID.\r
- @param[in] Type The type used to indicate the Algorithm is for Encrypt or\r
- Authentication.\r
-\r
- @retval TRUE If the Algorithm ID is supported.\r
- @retval FALSE If the Algorithm ID is not supported.\r
-\r
-**/\r
-BOOLEAN\r
-Ikev2IsSupportAlg (\r
- IN UINT16 AlgorithmId,\r
- IN UINT8 Type\r
- );\r
-\r
-/**\r
- Generate a ChildSa Session and insert it into related IkeSaSession.\r
-\r
- @param[in] IkeSaSession Pointer to related IKEV2_SA_SESSION.\r
- @param[in] UdpService Pointer to related IKE_UDP_SERVICE.\r
-\r
- @return pointer of IKEV2_CHILD_SA_SESSION.\r
-\r
-**/\r
-IKEV2_CHILD_SA_SESSION *\r
-Ikev2ChildSaSessionCreate (\r
- IN IKEV2_SA_SESSION *IkeSaSession,\r
- IN IKE_UDP_SERVICE *UdpService\r
- ) ;\r
-\r
-/**\r
- Parse the received Initial Exchange Packet.\r
-\r
- This function parse the SA Payload and Key Payload to find out the cryptographic\r
- suite for the further IKE negotiation and fill it into the IKE SA Session's\r
- CommonSession->SaParams.\r
-\r
- @param[in, out] IkeSaSession Pointer to related IKEV2_SA_SESSION.\r
- @param[in] SaPayload The received packet.\r
- @param[in] Type The received packet IKE header flag.\r
-\r
- @retval TRUE If the SA proposal in Packet is acceptable.\r
- @retval FALSE If the SA proposal in Packet is not acceptable.\r
-\r
-**/\r
-BOOLEAN\r
-Ikev2SaParseSaPayload (\r
- IN OUT IKEV2_SA_SESSION *IkeSaSession,\r
- IN IKE_PAYLOAD *SaPayload,\r
- IN UINT8 Type\r
- );\r
-\r
-/**\r
- Parse the received Authentication Exchange Packet.\r
-\r
- This function parse the SA Payload and Key Payload to find out the cryptographic\r
- suite for the ESP and fill it into the Child SA Session's CommonSession->SaParams.\r
-\r
- @param[in, out] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION related to\r
- this Authentication Exchange.\r
- @param[in] SaPayload The received packet.\r
- @param[in] Type The IKE header's flag of received packet .\r
-\r
- @retval TRUE If the SA proposal in Packet is acceptable.\r
- @retval FALSE If the SA proposal in Packet is not acceptable.\r
-\r
-**/\r
-BOOLEAN\r
-Ikev2ChildSaParseSaPayload (\r
- IN OUT IKEV2_CHILD_SA_SESSION *ChildSaSession,\r
- IN IKE_PAYLOAD *SaPayload,\r
- IN UINT8 Type\r
- );\r
-\r
-/**\r
- Generate Key buffer from fragments.\r
-\r
- If the digest length of specified HashAlgId is larger than or equal with the\r
- required output key length, derive the key directly. Otherwise, Key Material\r
- needs to be PRF-based concatenation according to 2.13 of RFC 4306:\r
- prf+ (K,S) = T1 | T2 | T3 | T4 | ..., T1 = prf (K, S | 0x01),\r
- T2 = prf (K, T1 | S | 0x02), T3 = prf (K, T2 | S | 0x03),T4 = prf (K, T3 | S | 0x04)\r
- then derive the key from this key material.\r
-\r
- @param[in] HashAlgId The Hash Algorithm ID used to generate key.\r
- @param[in] HashKey Pointer to a key buffer which contains hash key.\r
- @param[in] HashKeyLength The length of HashKey in bytes.\r
- @param[in, out] OutputKey Pointer to buffer which is used to receive the\r
- output key.\r
- @param[in] OutputKeyLength The length of OutPutKey buffer.\r
- @param[in] Fragments Pointer to the data to be used to generate key.\r
- @param[in] NumFragments The numbers of the Fragement.\r
-\r
- @retval EFI_SUCCESS The operation complete successfully.\r
- @retval EFI_INVALID_PARAMETER If NumFragments is zero.\r
- @retval EFI_OUT_OF_RESOURCES If the required resource can't be allocated.\r
- @retval Others The operation is failed.\r
-\r
-**/\r
-EFI_STATUS\r
-Ikev2SaGenerateKey (\r
- IN UINT8 HashAlgId,\r
- IN UINT8 *HashKey,\r
- IN UINTN HashKeyLength,\r
- IN OUT UINT8 *OutputKey,\r
- IN UINTN OutputKeyLength,\r
- IN PRF_DATA_FRAGMENT *Fragments,\r
- IN UINTN NumFragments\r
- );\r
-\r
-/**\r
- Copy ChildSaSession->Spd->Selector to ChildSaSession->SpdSelector.\r
-\r
- ChildSaSession->SpdSelector stores the real Spdselector for its SA. Sometime,\r
- the SpdSelector in ChildSaSession is more accurated or the scope is smaller\r
- than the one in ChildSaSession->Spd, especially for the tunnel mode.\r
-\r
- @param[in, out] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION related to.\r
-\r
- @retval EFI_SUCCESS The operation complete successfully.\r
- @retval EFI_OUT_OF_RESOURCES If the required resource can't be allocated.\r
-\r
-**/\r
-EFI_STATUS\r
-Ikev2ChildSaSessionSpdSelectorCreate (\r
- IN OUT IKEV2_CHILD_SA_SESSION *ChildSaSession\r
- );\r
-\r
-extern IKE_ALG_GUID_INFO mIPsecEncrAlgInfo[];\r
-#endif\r
-\r
+++ /dev/null
-/** @file\r
- The implementation of IPSEC_CONFIG_PROTOCOL.\r
-\r
- Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>\r
-\r
- SPDX-License-Identifier: BSD-2-Clause-Patent\r
-\r
-**/\r
-\r
-#include "IpSecConfigImpl.h"\r
-#include "IpSecDebug.h"\r
-\r
-LIST_ENTRY mConfigData[IPsecConfigDataTypeMaximum];\r
-BOOLEAN mSetBySelf = FALSE;\r
-\r
-//\r
-// Common CompareSelector routine entry for SPD/SAD/PAD.\r
-//\r
-IPSEC_COMPARE_SELECTOR mCompareSelector[] = {\r
- (IPSEC_COMPARE_SELECTOR) CompareSpdSelector,\r
- (IPSEC_COMPARE_SELECTOR) CompareSaId,\r
- (IPSEC_COMPARE_SELECTOR) ComparePadId\r
-};\r
-\r
-//\r
-// Common IsZeroSelector routine entry for SPD/SAD/PAD.\r
-//\r
-IPSEC_IS_ZERO_SELECTOR mIsZeroSelector[] = {\r
- (IPSEC_IS_ZERO_SELECTOR) IsZeroSpdSelector,\r
- (IPSEC_IS_ZERO_SELECTOR) IsZeroSaId,\r
- (IPSEC_IS_ZERO_SELECTOR) IsZeroPadId\r
-};\r
-\r
-//\r
-// Common DuplicateSelector routine entry for SPD/SAD/PAD.\r
-//\r
-IPSEC_DUPLICATE_SELECTOR mDuplicateSelector[] = {\r
- (IPSEC_DUPLICATE_SELECTOR) DuplicateSpdSelector,\r
- (IPSEC_DUPLICATE_SELECTOR) DuplicateSaId,\r
- (IPSEC_DUPLICATE_SELECTOR) DuplicatePadId\r
-};\r
-\r
-//\r
-// Common FixPolicyEntry routine entry for SPD/SAD/PAD.\r
-//\r
-IPSEC_FIX_POLICY_ENTRY mFixPolicyEntry[] = {\r
- (IPSEC_FIX_POLICY_ENTRY) FixSpdEntry,\r
- (IPSEC_FIX_POLICY_ENTRY) FixSadEntry,\r
- (IPSEC_FIX_POLICY_ENTRY) FixPadEntry\r
-};\r
-\r
-//\r
-// Common UnfixPolicyEntry routine entry for SPD/SAD/PAD.\r
-//\r
-IPSEC_FIX_POLICY_ENTRY mUnfixPolicyEntry[] = {\r
- (IPSEC_FIX_POLICY_ENTRY) UnfixSpdEntry,\r
- (IPSEC_FIX_POLICY_ENTRY) UnfixSadEntry,\r
- (IPSEC_FIX_POLICY_ENTRY) UnfixPadEntry\r
-};\r
-\r
-//\r
-// Common SetPolicyEntry routine entry for SPD/SAD/PAD.\r
-//\r
-IPSEC_SET_POLICY_ENTRY mSetPolicyEntry[] = {\r
- (IPSEC_SET_POLICY_ENTRY) SetSpdEntry,\r
- (IPSEC_SET_POLICY_ENTRY) SetSadEntry,\r
- (IPSEC_SET_POLICY_ENTRY) SetPadEntry\r
-};\r
-\r
-//\r
-// Common GetPolicyEntry routine entry for SPD/SAD/PAD.\r
-//\r
-IPSEC_GET_POLICY_ENTRY mGetPolicyEntry[] = {\r
- (IPSEC_GET_POLICY_ENTRY) GetSpdEntry,\r
- (IPSEC_GET_POLICY_ENTRY) GetSadEntry,\r
- (IPSEC_GET_POLICY_ENTRY) GetPadEntry\r
-};\r
-\r
-//\r
-// Routine entry for IpSecConfig protocol.\r
-//\r
-EFI_IPSEC_CONFIG_PROTOCOL mIpSecConfigInstance = {\r
- EfiIpSecConfigSetData,\r
- EfiIpSecConfigGetData,\r
- EfiIpSecConfigGetNextSelector,\r
- EfiIpSecConfigRegisterNotify,\r
- EfiIpSecConfigUnregisterNotify\r
-};\r
-\r
-/**\r
- Get the all IPSec configuration variables and store those variables\r
- to the internal data structure.\r
-\r
- This founction is called by IpSecConfigInitialize() that is to intialize the\r
- IPsecConfiguration Protocol.\r
-\r
- @param[in] Private Point to IPSEC_PRIVATE_DATA.\r
-\r
- @retval EFI_OUT_OF_RESOURCES The required system resource could not be allocated.\r
- @retval EFI_SUCCESS Restore the IPsec Configuration successfully.\r
- @retval others Other errors is found during the variable getting.\r
-\r
-**/\r
-EFI_STATUS\r
-IpSecConfigRestore (\r
- IN IPSEC_PRIVATE_DATA *Private\r
- );\r
-\r
-/**\r
- Check if the specified EFI_IP_ADDRESS_INFO is in EFI_IP_ADDRESS_INFO list.\r
-\r
- @param[in] AddressInfo Pointer of IP_ADDRESS_INFO to be search in AddressInfo list.\r
- @param[in] AddressInfoList A list that contains IP_ADDRESS_INFOs.\r
- @param[in] AddressCount Point out how many IP_ADDRESS_INFO in the list.\r
-\r
- @retval TRUE The specified AddressInfo is in the AddressInfoList.\r
- @retval FALSE The specified AddressInfo is not in the AddressInfoList.\r
-\r
-**/\r
-BOOLEAN\r
-IsInAddressInfoList(\r
- IN EFI_IP_ADDRESS_INFO *AddressInfo,\r
- IN EFI_IP_ADDRESS_INFO *AddressInfoList,\r
- IN UINT32 AddressCount\r
- )\r
-{\r
- UINT8 Index;\r
- EFI_IP_ADDRESS ZeroAddress;\r
-\r
- ZeroMem(&ZeroAddress, sizeof (EFI_IP_ADDRESS));\r
-\r
- //\r
- // Zero Address means any address is matched.\r
- //\r
- if (AddressCount == 1) {\r
- if (CompareMem (\r
- &AddressInfoList[0].Address,\r
- &ZeroAddress,\r
- sizeof (EFI_IP_ADDRESS)\r
- ) == 0) {\r
- return TRUE;\r
- }\r
- }\r
- for (Index = 0; Index < AddressCount ; Index++) {\r
- if (CompareMem (\r
- AddressInfo,\r
- &AddressInfoList[Index].Address,\r
- sizeof (EFI_IP_ADDRESS)\r
- ) == 0 &&\r
- AddressInfo->PrefixLength == AddressInfoList[Index].PrefixLength\r
- ) {\r
- return TRUE;\r
- }\r
- }\r
- return FALSE;\r
-}\r
-\r
-/**\r
- Compare two SPD Selectors.\r
-\r
- Compare two SPD Selector by the fields of LocalAddressCount/RemoteAddressCount/\r
- NextLayerProtocol/LocalPort/LocalPortRange/RemotePort/RemotePortRange and the\r
- Local Addresses and remote Addresses.\r
-\r
- @param[in] Selector1 Pointer of first SPD Selector.\r
- @param[in] Selector2 Pointer of second SPD Selector.\r
-\r
- @retval TRUE This two Selector have the same value in above fields.\r
- @retval FALSE Not all above fields have the same value in these two Selectors.\r
-\r
-**/\r
-BOOLEAN\r
-CompareSpdSelector (\r
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector1,\r
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector2\r
- )\r
-{\r
- EFI_IPSEC_SPD_SELECTOR *SpdSel1;\r
- EFI_IPSEC_SPD_SELECTOR *SpdSel2;\r
- BOOLEAN IsMatch;\r
- UINTN Index;\r
-\r
- SpdSel1 = &Selector1->SpdSelector;\r
- SpdSel2 = &Selector2->SpdSelector;\r
- IsMatch = TRUE;\r
-\r
- //\r
- // Compare the LocalAddressCount/RemoteAddressCount/NextLayerProtocol/\r
- // LocalPort/LocalPortRange/RemotePort/RemotePortRange fields in the\r
- // two Spdselectors. Since the SPD supports two directions, it needs to\r
- // compare two directions.\r
- //\r
- if ((SpdSel1->LocalAddressCount != SpdSel2->LocalAddressCount &&\r
- SpdSel1->LocalAddressCount != SpdSel2->RemoteAddressCount) ||\r
- (SpdSel1->RemoteAddressCount != SpdSel2->RemoteAddressCount &&\r
- SpdSel1->RemoteAddressCount != SpdSel2->LocalAddressCount) ||\r
- SpdSel1->NextLayerProtocol != SpdSel2->NextLayerProtocol ||\r
- SpdSel1->LocalPort != SpdSel2->LocalPort ||\r
- SpdSel1->LocalPortRange != SpdSel2->LocalPortRange ||\r
- SpdSel1->RemotePort != SpdSel2->RemotePort ||\r
- SpdSel1->RemotePortRange != SpdSel2->RemotePortRange\r
- ) {\r
- IsMatch = FALSE;\r
- return IsMatch;\r
- }\r
-\r
- //\r
- // Compare the all LocalAddress and RemoteAddress fields in the two Spdselectors.\r
- // First, SpdSel1->LocalAddress to SpdSel2->LocalAddress && Compare\r
- // SpdSel1->RemoteAddress to SpdSel2->RemoteAddress. If all match, return\r
- // TRUE.\r
- //\r
- for (Index = 0; Index < SpdSel1->LocalAddressCount; Index++) {\r
- if (!IsInAddressInfoList (\r
- &SpdSel1->LocalAddress[Index],\r
- SpdSel2->LocalAddress,\r
- SpdSel2->LocalAddressCount\r
- )) {\r
- IsMatch = FALSE;\r
- break;\r
- }\r
- }\r
- if (IsMatch) {\r
- for (Index = 0; Index < SpdSel2->LocalAddressCount; Index++) {\r
- if (!IsInAddressInfoList (\r
- &SpdSel2->LocalAddress[Index],\r
- SpdSel1->LocalAddress,\r
- SpdSel1->LocalAddressCount\r
- )) {\r
- IsMatch = FALSE;\r
- break;\r
- }\r
- }\r
- }\r
- if (IsMatch) {\r
- for (Index = 0; Index < SpdSel1->RemoteAddressCount; Index++) {\r
- if (!IsInAddressInfoList (\r
- &SpdSel1->RemoteAddress[Index],\r
- SpdSel2->RemoteAddress,\r
- SpdSel2->RemoteAddressCount\r
- )) {\r
- IsMatch = FALSE;\r
- break;\r
- }\r
- }\r
- }\r
- if (IsMatch) {\r
- for (Index = 0; Index < SpdSel2->RemoteAddressCount; Index++) {\r
- if (!IsInAddressInfoList (\r
- &SpdSel2->RemoteAddress[Index],\r
- SpdSel1->RemoteAddress,\r
- SpdSel1->RemoteAddressCount\r
- )) {\r
- IsMatch = FALSE;\r
- break;\r
- }\r
- }\r
- }\r
- //\r
- // Finish the one direction compare. If it is matched, return; otherwise,\r
- // compare the other direction.\r
- //\r
- if (IsMatch) {\r
- return IsMatch;\r
- }\r
- //\r
- // Secondly, the SpdSel1->LocalAddress doesn't equal to SpdSel2->LocalAddress and\r
- // SpdSel1->RemoteAddress doesn't equal to SpdSel2->RemoteAddress. Try to compare\r
- // the RemoteAddress to LocalAddress.\r
- //\r
- IsMatch = TRUE;\r
- for (Index = 0; Index < SpdSel1->RemoteAddressCount; Index++) {\r
- if (!IsInAddressInfoList (\r
- &SpdSel1->RemoteAddress[Index],\r
- SpdSel2->LocalAddress,\r
- SpdSel2->LocalAddressCount\r
- )) {\r
- IsMatch = FALSE;\r
- break;\r
- }\r
- }\r
- if (IsMatch) {\r
- for (Index = 0; Index < SpdSel2->RemoteAddressCount; Index++) {\r
- if (!IsInAddressInfoList (\r
- &SpdSel2->RemoteAddress[Index],\r
- SpdSel1->LocalAddress,\r
- SpdSel1->LocalAddressCount\r
- )) {\r
- IsMatch = FALSE;\r
- break;\r
- }\r
- }\r
- }\r
- if (IsMatch) {\r
- for (Index = 0; Index < SpdSel1->LocalAddressCount; Index++) {\r
- if (!IsInAddressInfoList (\r
- &SpdSel1->LocalAddress[Index],\r
- SpdSel2->RemoteAddress,\r
- SpdSel2->RemoteAddressCount\r
- )) {\r
- IsMatch = FALSE;\r
- break;\r
- }\r
- }\r
- }\r
- if (IsMatch) {\r
- for (Index = 0; Index < SpdSel2->LocalAddressCount; Index++) {\r
- if (!IsInAddressInfoList (\r
- &SpdSel2->LocalAddress[Index],\r
- SpdSel1->RemoteAddress,\r
- SpdSel1->RemoteAddressCount\r
- )) {\r
- IsMatch = FALSE;\r
- break;\r
- }\r
- }\r
- }\r
- return IsMatch;\r
-}\r
-\r
-/**\r
- Find if the two SPD Selectors has subordinative.\r
-\r
- Compare two SPD Selector by the fields of LocalAddressCount/RemoteAddressCount/\r
- NextLayerProtocol/LocalPort/LocalPortRange/RemotePort/RemotePortRange and the\r
- Local Addresses and remote Addresses.\r
-\r
- @param[in] Selector1 Pointer of first SPD Selector.\r
- @param[in] Selector2 Pointer of second SPD Selector.\r
-\r
- @retval TRUE The first SPD Selector is subordinate Selector of second SPD Selector.\r
- @retval FALSE The first SPD Selector is not subordinate Selector of second\r
- SPD Selector.\r
-\r
-**/\r
-BOOLEAN\r
-IsSubSpdSelector (\r
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector1,\r
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector2\r
- )\r
-{\r
- EFI_IPSEC_SPD_SELECTOR *SpdSel1;\r
- EFI_IPSEC_SPD_SELECTOR *SpdSel2;\r
- BOOLEAN IsMatch;\r
- UINTN Index;\r
-\r
- SpdSel1 = &Selector1->SpdSelector;\r
- SpdSel2 = &Selector2->SpdSelector;\r
- IsMatch = TRUE;\r
-\r
- //\r
- // Compare the LocalAddressCount/RemoteAddressCount/NextLayerProtocol/\r
- // LocalPort/LocalPortRange/RemotePort/RemotePortRange fields in the\r
- // two Spdselectors. Since the SPD supports two directions, it needs to\r
- // compare two directions.\r
- //\r
- if (SpdSel1->LocalAddressCount > SpdSel2->LocalAddressCount ||\r
- SpdSel1->RemoteAddressCount > SpdSel2->RemoteAddressCount ||\r
- (SpdSel1->NextLayerProtocol != SpdSel2->NextLayerProtocol && SpdSel2->NextLayerProtocol != 0xffff) ||\r
- (SpdSel1->LocalPort > SpdSel2->LocalPort && SpdSel2->LocalPort != 0)||\r
- (SpdSel1->LocalPortRange > SpdSel2->LocalPortRange && SpdSel1->LocalPort != 0)||\r
- (SpdSel1->RemotePort > SpdSel2->RemotePort && SpdSel2->RemotePort != 0) ||\r
- (SpdSel1->RemotePortRange > SpdSel2->RemotePortRange && SpdSel2->RemotePort != 0)\r
- ) {\r
- IsMatch = FALSE;\r
- }\r
-\r
- //\r
- // Compare the all LocalAddress and RemoteAddress fields in the two Spdselectors.\r
- // First, SpdSel1->LocalAddress to SpdSel2->LocalAddress && Compare\r
- // SpdSel1->RemoteAddress to SpdSel2->RemoteAddress. If all match, return\r
- // TRUE.\r
- //\r
- if (IsMatch) {\r
- for (Index = 0; Index < SpdSel1->LocalAddressCount; Index++) {\r
- if (!IsInAddressInfoList (\r
- &SpdSel1->LocalAddress[Index],\r
- SpdSel2->LocalAddress,\r
- SpdSel2->LocalAddressCount\r
- )) {\r
- IsMatch = FALSE;\r
- break;\r
- }\r
- }\r
-\r
- if (IsMatch) {\r
- for (Index = 0; Index < SpdSel1->RemoteAddressCount; Index++) {\r
- if (!IsInAddressInfoList (\r
- &SpdSel1->RemoteAddress[Index],\r
- SpdSel2->RemoteAddress,\r
- SpdSel2->RemoteAddressCount\r
- )) {\r
- IsMatch = FALSE;\r
- break;\r
- }\r
- }\r
- }\r
- }\r
- if (IsMatch) {\r
- return IsMatch;\r
- }\r
-\r
- //\r
- //\r
- // The SPD selector in SPD entry is two way.\r
- //\r
- // Compare the LocalAddressCount/RemoteAddressCount/NextLayerProtocol/\r
- // LocalPort/LocalPortRange/RemotePort/RemotePortRange fields in the\r
- // two Spdselectors. Since the SPD supports two directions, it needs to\r
- // compare two directions.\r
- //\r
- IsMatch = TRUE;\r
- if (SpdSel1->LocalAddressCount > SpdSel2->RemoteAddressCount ||\r
- SpdSel1->RemoteAddressCount > SpdSel2->LocalAddressCount ||\r
- (SpdSel1->NextLayerProtocol != SpdSel2->NextLayerProtocol && SpdSel2->NextLayerProtocol != 0xffff) ||\r
- (SpdSel1->LocalPort > SpdSel2->RemotePort && SpdSel2->RemotePort != 0)||\r
- (SpdSel1->LocalPortRange > SpdSel2->RemotePortRange && SpdSel1->RemotePort != 0)||\r
- (SpdSel1->RemotePort > SpdSel2->LocalPort && SpdSel2->LocalPort != 0) ||\r
- (SpdSel1->RemotePortRange > SpdSel2->LocalPortRange && SpdSel2->LocalPort != 0)\r
- ) {\r
- IsMatch = FALSE;\r
- return IsMatch;\r
- }\r
-\r
- //\r
- // Compare the all LocalAddress and RemoteAddress fields in the two Spdselectors.\r
- // First, SpdSel1->LocalAddress to SpdSel2->RemoteAddress && Compare\r
- // SpdSel1->RemoteAddress to SpdSel2->LocalAddress. If all match, return\r
- // TRUE.\r
- //\r
- for (Index = 0; Index < SpdSel1->LocalAddressCount; Index++) {\r
- if (!IsInAddressInfoList (\r
- &SpdSel1->LocalAddress[Index],\r
- SpdSel2->RemoteAddress,\r
- SpdSel2->RemoteAddressCount\r
- )) {\r
- IsMatch = FALSE;\r
- break;\r
- }\r
- }\r
-\r
- if (IsMatch) {\r
- for (Index = 0; Index < SpdSel1->RemoteAddressCount; Index++) {\r
- if (!IsInAddressInfoList (\r
- &SpdSel1->RemoteAddress[Index],\r
- SpdSel2->LocalAddress,\r
- SpdSel2->LocalAddressCount\r
- )) {\r
- IsMatch = FALSE;\r
- break;\r
- }\r
- }\r
- }\r
- return IsMatch;\r
-\r
-}\r
-\r
-/**\r
- Compare two SA IDs.\r
-\r
- @param[in] Selector1 Pointer of first SA ID.\r
- @param[in] Selector2 Pointer of second SA ID.\r
-\r
- @retval TRUE This two Selectors have the same SA ID.\r
- @retval FALSE This two Selecotrs don't have the same SA ID.\r
-\r
-**/\r
-BOOLEAN\r
-CompareSaId (\r
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector1,\r
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector2\r
- )\r
-{\r
- EFI_IPSEC_SA_ID *SaId1;\r
- EFI_IPSEC_SA_ID *SaId2;\r
- BOOLEAN IsMatch;\r
-\r
- SaId1 = &Selector1->SaId;\r
- SaId2 = &Selector2->SaId;\r
- IsMatch = TRUE;\r
-\r
- if (CompareMem (SaId1, SaId2, sizeof (EFI_IPSEC_SA_ID)) != 0) {\r
- IsMatch = FALSE;\r
- }\r
-\r
- return IsMatch;\r
-}\r
-\r
-/**\r
- Compare two PAD IDs.\r
-\r
- @param[in] Selector1 Pointer of first PAD ID.\r
- @param[in] Selector2 Pointer of second PAD ID.\r
-\r
- @retval TRUE This two Selectors have the same PAD ID.\r
- @retval FALSE This two Selecotrs don't have the same PAD ID.\r
-\r
-**/\r
-BOOLEAN\r
-ComparePadId (\r
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector1,\r
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector2\r
- )\r
-{\r
- EFI_IPSEC_PAD_ID *PadId1;\r
- EFI_IPSEC_PAD_ID *PadId2;\r
- BOOLEAN IsMatch;\r
-\r
- PadId1 = &Selector1->PadId;\r
- PadId2 = &Selector2->PadId;\r
- IsMatch = TRUE;\r
-\r
- //\r
- // Compare the PeerIdValid fields in PadId.\r
- //\r
- if (PadId1->PeerIdValid != PadId2->PeerIdValid) {\r
- IsMatch = FALSE;\r
- }\r
- //\r
- // Compare the PeerId fields in PadId if PeerIdValid is true.\r
- //\r
- if (IsMatch &&\r
- PadId1->PeerIdValid &&\r
- AsciiStriCmp ((CONST CHAR8 *) PadId1->Id.PeerId, (CONST CHAR8 *) PadId2->Id.PeerId) != 0\r
- ) {\r
- IsMatch = FALSE;\r
- }\r
- //\r
- // Compare the IpAddress fields in PadId if PeerIdValid is false.\r
- //\r
- if (IsMatch &&\r
- !PadId1->PeerIdValid &&\r
- (PadId1->Id.IpAddress.PrefixLength != PadId2->Id.IpAddress.PrefixLength ||\r
- CompareMem (&PadId1->Id.IpAddress.Address, &PadId2->Id.IpAddress.Address, sizeof (EFI_IP_ADDRESS)) != 0)\r
- ) {\r
- IsMatch = FALSE;\r
- }\r
-\r
- return IsMatch;\r
-}\r
-\r
-/**\r
- Check if the SPD Selector is Zero by its LocalAddressCount and RemoteAddressCount\r
- fields.\r
-\r
- @param[in] Selector Pointer of the SPD Selector.\r
-\r
- @retval TRUE If the SPD Selector is Zero.\r
- @retval FALSE If the SPD Selector is not Zero.\r
-\r
-**/\r
-BOOLEAN\r
-IsZeroSpdSelector (\r
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector\r
- )\r
-{\r
- EFI_IPSEC_SPD_SELECTOR *SpdSel;\r
- BOOLEAN IsZero;\r
-\r
- SpdSel = &Selector->SpdSelector;\r
- IsZero = FALSE;\r
-\r
- if (SpdSel->LocalAddressCount == 0 && SpdSel->RemoteAddressCount == 0) {\r
- IsZero = TRUE;\r
- }\r
-\r
- return IsZero;\r
-}\r
-\r
-/**\r
- Check if the SA ID is Zero by its DestAddress.\r
-\r
- @param[in] Selector Pointer of the SA ID.\r
-\r
- @retval TRUE If the SA ID is Zero.\r
- @retval FALSE If the SA ID is not Zero.\r
-\r
-**/\r
-BOOLEAN\r
-IsZeroSaId (\r
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector\r
- )\r
-{\r
- BOOLEAN IsZero;\r
- EFI_IPSEC_CONFIG_SELECTOR ZeroSelector;\r
-\r
- IsZero = FALSE;\r
-\r
- ZeroMem (&ZeroSelector, sizeof (EFI_IPSEC_CONFIG_SELECTOR));\r
-\r
- if (CompareMem (&ZeroSelector, Selector, sizeof (EFI_IPSEC_CONFIG_SELECTOR)) == 0) {\r
- IsZero = TRUE;\r
- }\r
-\r
- return IsZero;\r
-}\r
-\r
-/**\r
- Check if the PAD ID is Zero.\r
-\r
- @param[in] Selector Pointer of the PAD ID.\r
-\r
- @retval TRUE If the PAD ID is Zero.\r
- @retval FALSE If the PAD ID is not Zero.\r
-\r
-**/\r
-BOOLEAN\r
-IsZeroPadId (\r
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector\r
- )\r
-{\r
- EFI_IPSEC_PAD_ID *PadId;\r
- EFI_IPSEC_PAD_ID ZeroId;\r
- BOOLEAN IsZero;\r
-\r
- PadId = &Selector->PadId;\r
- IsZero = FALSE;\r
-\r
- ZeroMem (&ZeroId, sizeof (EFI_IPSEC_PAD_ID));\r
-\r
- if (CompareMem (PadId, &ZeroId, sizeof (EFI_IPSEC_PAD_ID)) == 0) {\r
- IsZero = TRUE;\r
- }\r
-\r
- return IsZero;\r
-}\r
-\r
-/**\r
- Copy Source SPD Selector to the Destination SPD Selector.\r
-\r
- @param[in, out] DstSel Pointer of Destination SPD Selector.\r
- @param[in] SrcSel Pointer of Source SPD Selector.\r
- @param[in, out] Size The size of the Destination SPD Selector. If it\r
- not NULL and its value less than the size of\r
- Source SPD Selector, the value of Source SPD\r
- Selector's size will be passed to caller by this\r
- parameter.\r
-\r
- @retval EFI_INVALID_PARAMETER If the Destination or Source SPD Selector is NULL\r
- @retval EFI_BUFFER_TOO_SMALL If the input Size is less than size of the Source SPD Selector.\r
- @retval EFI_SUCCESS Copy Source SPD Selector to the Destination SPD\r
- Selector successfully.\r
-\r
-**/\r
-EFI_STATUS\r
-DuplicateSpdSelector (\r
- IN OUT EFI_IPSEC_CONFIG_SELECTOR *DstSel,\r
- IN EFI_IPSEC_CONFIG_SELECTOR *SrcSel,\r
- IN OUT UINTN *Size\r
- )\r
-{\r
- EFI_IPSEC_SPD_SELECTOR *Dst;\r
- EFI_IPSEC_SPD_SELECTOR *Src;\r
-\r
- Dst = &DstSel->SpdSelector;\r
- Src = &SrcSel->SpdSelector;\r
-\r
- if (Dst == NULL || Src == NULL) {\r
- return EFI_INVALID_PARAMETER;\r
- }\r
-\r
- if (Size != NULL && (*Size) < SIZE_OF_SPD_SELECTOR (Src)) {\r
- *Size = SIZE_OF_SPD_SELECTOR (Src);\r
- return EFI_BUFFER_TOO_SMALL;\r
- }\r
- //\r
- // Copy the base structure of SPD selector.\r
- //\r
- CopyMem (Dst, Src, sizeof (EFI_IPSEC_SPD_SELECTOR));\r
-\r
- //\r
- // Copy the local address array of SPD selector.\r
- //\r
- Dst->LocalAddress = (EFI_IP_ADDRESS_INFO *) (Dst + 1);\r
- CopyMem (\r
- Dst->LocalAddress,\r
- Src->LocalAddress,\r
- sizeof (EFI_IP_ADDRESS_INFO) * Dst->LocalAddressCount\r
- );\r
-\r
- //\r
- // Copy the remote address array of SPD selector.\r
- //\r
- Dst->RemoteAddress = Dst->LocalAddress + Dst->LocalAddressCount;\r
- CopyMem (\r
- Dst->RemoteAddress,\r
- Src->RemoteAddress,\r
- sizeof (EFI_IP_ADDRESS_INFO) * Dst->RemoteAddressCount\r
- );\r
-\r
- return EFI_SUCCESS;\r
-}\r
-\r
-/**\r
- Copy Source SA ID to the Destination SA ID.\r
-\r
- @param[in, out] DstSel Pointer of Destination SA ID.\r
- @param[in] SrcSel Pointer of Source SA ID.\r
- @param[in, out] Size The size of the Destination SA ID. If it\r
- not NULL and its value less than the size of\r
- Source SA ID, the value of Source SA ID's size\r
- will be passed to caller by this parameter.\r
-\r
- @retval EFI_INVALID_PARAMETER If the Destination or Source SA ID is NULL.\r
- @retval EFI_BUFFER_TOO_SMALL If the input Size less than size of source SA ID.\r
- @retval EFI_SUCCESS Copy Source SA ID to the Destination SA ID successfully.\r
-\r
-**/\r
-EFI_STATUS\r
-DuplicateSaId (\r
- IN OUT EFI_IPSEC_CONFIG_SELECTOR *DstSel,\r
- IN EFI_IPSEC_CONFIG_SELECTOR *SrcSel,\r
- IN OUT UINTN *Size\r
- )\r
-{\r
- EFI_IPSEC_SA_ID *Dst;\r
- EFI_IPSEC_SA_ID *Src;\r
-\r
- Dst = &DstSel->SaId;\r
- Src = &SrcSel->SaId;\r
-\r
- if (Dst == NULL || Src == NULL) {\r
- return EFI_INVALID_PARAMETER;\r
- }\r
-\r
- if (Size != NULL && *Size < sizeof (EFI_IPSEC_SA_ID)) {\r
- *Size = sizeof (EFI_IPSEC_SA_ID);\r
- return EFI_BUFFER_TOO_SMALL;\r
- }\r
-\r
- CopyMem (Dst, Src, sizeof (EFI_IPSEC_SA_ID));\r
-\r
- return EFI_SUCCESS;\r
-}\r
-\r
-/**\r
- Copy Source PAD ID to the Destination PAD ID.\r
-\r
- @param[in, out] DstSel Pointer of Destination PAD ID.\r
- @param[in] SrcSel Pointer of Source PAD ID.\r
- @param[in, out] Size The size of the Destination PAD ID. If it\r
- not NULL and its value less than the size of\r
- Source PAD ID, the value of Source PAD ID's size\r
- will be passed to caller by this parameter.\r
-\r
- @retval EFI_INVALID_PARAMETER If the Destination or Source PAD ID is NULL.\r
- @retval EFI_BUFFER_TOO_SMALL If the input Size less than size of source PAD ID .\r
- @retval EFI_SUCCESS Copy Source PAD ID to the Destination PAD ID successfully.\r
-\r
-**/\r
-EFI_STATUS\r
-DuplicatePadId (\r
- IN OUT EFI_IPSEC_CONFIG_SELECTOR *DstSel,\r
- IN EFI_IPSEC_CONFIG_SELECTOR *SrcSel,\r
- IN OUT UINTN *Size\r
- )\r
-{\r
- EFI_IPSEC_PAD_ID *Dst;\r
- EFI_IPSEC_PAD_ID *Src;\r
-\r
- Dst = &DstSel->PadId;\r
- Src = &SrcSel->PadId;\r
-\r
- if (Dst == NULL || Src == NULL) {\r
- return EFI_INVALID_PARAMETER;\r
- }\r
-\r
- if (Size != NULL && *Size < sizeof (EFI_IPSEC_PAD_ID)) {\r
- *Size = sizeof (EFI_IPSEC_PAD_ID);\r
- return EFI_BUFFER_TOO_SMALL;\r
- }\r
-\r
- CopyMem (Dst, Src, sizeof (EFI_IPSEC_PAD_ID));\r
-\r
- return EFI_SUCCESS;\r
-}\r
-\r
-/**\r
- Fix the value of some members of SPD Selector.\r
-\r
- This function is called by IpSecCopyPolicyEntry()which copy the Policy\r
- Entry into the Variable. Since some members in SPD Selector are pointers,\r
- a physical address to relative address convertion is required before copying\r
- this SPD entry into the variable.\r
-\r
- @param[in] Selector Pointer of SPD Selector.\r
- @param[in, out] Data Pointer of SPD Data.\r
-\r
-**/\r
-VOID\r
-FixSpdEntry (\r
- IN EFI_IPSEC_SPD_SELECTOR *Selector,\r
- IN OUT EFI_IPSEC_SPD_DATA *Data\r
- )\r
-{\r
- //\r
- // It assumes that all ref buffers in SPD selector and data are\r
- // stored in the continous memory and close to the base structure.\r
- //\r
- FIX_REF_BUF_ADDR (Selector->LocalAddress, Selector);\r
- FIX_REF_BUF_ADDR (Selector->RemoteAddress, Selector);\r
-\r
- if (Data->ProcessingPolicy != NULL) {\r
- if (Data->ProcessingPolicy->TunnelOption != NULL) {\r
- FIX_REF_BUF_ADDR (Data->ProcessingPolicy->TunnelOption, Data);\r
- }\r
-\r
- FIX_REF_BUF_ADDR (Data->ProcessingPolicy, Data);\r
- }\r
-\r
-}\r
-\r
-/**\r
- Fix the value of some members of SA ID.\r
-\r
- This function is called by IpSecCopyPolicyEntry()which copy the Policy\r
- Entry into the Variable. Since some members in SA ID are pointers,\r
- a physical address to relative address conversion is required before copying\r
- this SAD into the variable.\r
-\r
- @param[in] SaId Pointer of SA ID\r
- @param[in, out] Data Pointer of SA Data.\r
-\r
-**/\r
-VOID\r
-FixSadEntry (\r
- IN EFI_IPSEC_SA_ID *SaId,\r
- IN OUT EFI_IPSEC_SA_DATA2 *Data\r
- )\r
-{\r
- //\r
- // It assumes that all ref buffers in SAD selector and data are\r
- // stored in the continous memory and close to the base structure.\r
- //\r
- if (Data->AlgoInfo.EspAlgoInfo.AuthKey != NULL) {\r
- FIX_REF_BUF_ADDR (Data->AlgoInfo.EspAlgoInfo.AuthKey, Data);\r
- }\r
-\r
- if (SaId->Proto == EfiIPsecESP && Data->AlgoInfo.EspAlgoInfo.EncKey != NULL) {\r
- FIX_REF_BUF_ADDR (Data->AlgoInfo.EspAlgoInfo.EncKey, Data);\r
- }\r
-\r
- if (Data->SpdSelector != NULL) {\r
- if (Data->SpdSelector->LocalAddress != NULL) {\r
- FIX_REF_BUF_ADDR (Data->SpdSelector->LocalAddress, Data);\r
- }\r
-\r
- FIX_REF_BUF_ADDR (Data->SpdSelector->RemoteAddress, Data);\r
- FIX_REF_BUF_ADDR (Data->SpdSelector, Data);\r
- }\r
-\r
-}\r
-\r
-/**\r
- Fix the value of some members of PAD ID.\r
-\r
- This function is called by IpSecCopyPolicyEntry()which copy the Policy\r
- Entry into the Variable. Since some members in PAD ID are pointers,\r
- a physical address to relative address conversion is required before copying\r
- this PAD into the variable.\r
-\r
- @param[in] PadId Pointer of PAD ID.\r
- @param[in, out] Data Pointer of PAD Data.\r
-\r
-**/\r
-VOID\r
-FixPadEntry (\r
- IN EFI_IPSEC_PAD_ID *PadId,\r
- IN OUT EFI_IPSEC_PAD_DATA *Data\r
- )\r
-{\r
- //\r
- // It assumes that all ref buffers in pad selector and data are\r
- // stored in the continous memory and close to the base structure.\r
- //\r
- if (Data->AuthData != NULL) {\r
- FIX_REF_BUF_ADDR (Data->AuthData, Data);\r
- }\r
-\r
- if (Data->RevocationData != NULL) {\r
- FIX_REF_BUF_ADDR (Data->RevocationData, Data);\r
- }\r
-\r
-}\r
-\r
-/**\r
- Recover the value of some members of SPD Selector.\r
-\r
- This function is corresponding to FixSpdEntry(). It recovers the value of members\r
- of SPD Selector that are fixed by FixSpdEntry().\r
-\r
- @param[in, out] Selector Pointer of SPD Selector.\r
- @param[in, out] Data Pointer of SPD Data.\r
-\r
-**/\r
-VOID\r
-UnfixSpdEntry (\r
- IN OUT EFI_IPSEC_SPD_SELECTOR *Selector,\r
- IN OUT EFI_IPSEC_SPD_DATA *Data\r
- )\r
-{\r
- //\r
- // It assumes that all ref buffers in SPD selector and data are\r
- // stored in the continous memory and close to the base structure.\r
- //\r
- UNFIX_REF_BUF_ADDR (Selector->LocalAddress, Selector);\r
- UNFIX_REF_BUF_ADDR (Selector->RemoteAddress, Selector);\r
-\r
- if (Data->ProcessingPolicy != NULL) {\r
- UNFIX_REF_BUF_ADDR (Data->ProcessingPolicy, Data);\r
- if (Data->ProcessingPolicy->TunnelOption != NULL) {\r
- UNFIX_REF_BUF_ADDR (Data->ProcessingPolicy->TunnelOption, Data);\r
- }\r
- }\r
-\r
-}\r
-\r
-/**\r
- Recover the value of some members of SA ID.\r
-\r
- This function is corresponding to FixSadEntry(). It recovers the value of members\r
- of SAD ID that are fixed by FixSadEntry().\r
-\r
- @param[in, out] SaId Pointer of SAD ID.\r
- @param[in, out] Data Pointer of SAD Data.\r
-\r
-**/\r
-VOID\r
-UnfixSadEntry (\r
- IN OUT EFI_IPSEC_SA_ID *SaId,\r
- IN OUT EFI_IPSEC_SA_DATA2 *Data\r
- )\r
-{\r
- //\r
- // It assumes that all ref buffers in SAD selector and data are\r
- // stored in the continous memory and close to the base structure.\r
- //\r
- if (Data->AlgoInfo.EspAlgoInfo.AuthKey != NULL) {\r
- UNFIX_REF_BUF_ADDR (Data->AlgoInfo.EspAlgoInfo.AuthKey, Data);\r
- }\r
-\r
- if (SaId->Proto == EfiIPsecESP && Data->AlgoInfo.EspAlgoInfo.EncKey != NULL) {\r
- UNFIX_REF_BUF_ADDR (Data->AlgoInfo.EspAlgoInfo.EncKey, Data);\r
- }\r
-\r
- if (Data->SpdSelector != NULL) {\r
- UNFIX_REF_BUF_ADDR (Data->SpdSelector, Data);\r
- if (Data->SpdSelector->LocalAddress != NULL) {\r
- UNFIX_REF_BUF_ADDR (Data->SpdSelector->LocalAddress, Data);\r
- }\r
-\r
- UNFIX_REF_BUF_ADDR (Data->SpdSelector->RemoteAddress, Data);\r
- }\r
-\r
-}\r
-\r
-/**\r
- Recover the value of some members of PAD ID.\r
-\r
- This function is corresponding to FixPadEntry(). It recovers the value of members\r
- of PAD ID that are fixed by FixPadEntry().\r
-\r
- @param[in] PadId Pointer of PAD ID.\r
- @param[in, out] Data Pointer of PAD Data.\r
-\r
-**/\r
-VOID\r
-UnfixPadEntry (\r
- IN EFI_IPSEC_PAD_ID *PadId,\r
- IN OUT EFI_IPSEC_PAD_DATA *Data\r
- )\r
-{\r
- //\r
- // It assumes that all ref buffers in pad selector and data are\r
- // stored in the continous memory and close to the base structure.\r
- //\r
- if (Data->AuthData != NULL) {\r
- UNFIX_REF_BUF_ADDR (Data->AuthData, Data);\r
- }\r
-\r
- if (Data->RevocationData != NULL) {\r
- UNFIX_REF_BUF_ADDR (Data->RevocationData, Data);\r
- }\r
-\r
-}\r
-\r
-/**\r
- Set the security policy information for the EFI IPsec driver.\r
-\r
- The IPsec configuration data has a unique selector/identifier separately to\r
- identify a data entry.\r
-\r
- @param[in] Selector Pointer to an entry selector on operated\r
- configuration data specified by DataType.\r
- A NULL Selector causes the entire specified-type\r
- configuration information to be flushed.\r
- @param[in] Data The data buffer to be set. The structure\r
- of the data buffer should be EFI_IPSEC_SPD_DATA.\r
- @param[in] Context Pointer to one entry selector that describes\r
- the expected position the new data entry will\r
- be added. If Context is NULL, the new entry will\r
- be appended the end of database.\r
-\r
- @retval EFI_INVALID_PARAMETER One or more of the following are TRUE:\r
- - Selector is not NULL and its LocalAddress\r
- is NULL or its RemoteAddress is NULL.\r
- - Data is not NULL and its Action is Protected\r
- and its plolicy is NULL.\r
- - Data is not NULL, its Action is not protected,\r
- and its policy is not NULL.\r
- - The Action of Data is Protected, its policy\r
- mode is Tunnel, and its tunnel option is NULL.\r
- - The Action of Data is protected and its policy\r
- mode is not Tunnel and it tunnel option is not NULL.\r
- - SadEntry requied to be set into new SpdEntry's Sas has\r
- been found but it is invalid.\r
- @retval EFI_OUT_OF_RESOURCED The required system resource could not be allocated.\r
- @retval EFI_SUCCESS The specified configuration data was obtained successfully.\r
-\r
-**/\r
-EFI_STATUS\r
-SetSpdEntry (\r
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector,\r
- IN VOID *Data,\r
- IN VOID *Context OPTIONAL\r
- )\r
-{\r
- EFI_IPSEC_SPD_SELECTOR *SpdSel;\r
- EFI_IPSEC_SPD_DATA *SpdData;\r
- EFI_IPSEC_SPD_SELECTOR *InsertBefore;\r
- LIST_ENTRY *SpdList;\r
- LIST_ENTRY *SadList;\r
- LIST_ENTRY *SpdSas;\r
- LIST_ENTRY *EntryInsertBefore;\r
- LIST_ENTRY *Entry;\r
- LIST_ENTRY *Entry2;\r
- LIST_ENTRY *NextEntry;\r
- LIST_ENTRY *NextEntry2;\r
- IPSEC_SPD_ENTRY *SpdEntry;\r
- IPSEC_SAD_ENTRY *SadEntry;\r
- UINTN SpdEntrySize;\r
- UINTN Index;\r
-\r
- SpdSel = (Selector == NULL) ? NULL : &Selector->SpdSelector;\r
- SpdData = (Data == NULL) ? NULL : (EFI_IPSEC_SPD_DATA *) Data;\r
- InsertBefore = (Context == NULL) ? NULL : &((EFI_IPSEC_CONFIG_SELECTOR *) Context)->SpdSelector;\r
- SpdList = &mConfigData[IPsecConfigDataTypeSpd];\r
-\r
- if (SpdSel != NULL) {\r
- if (SpdSel->LocalAddress == NULL || SpdSel->RemoteAddress == NULL) {\r
- return EFI_INVALID_PARAMETER;\r
- }\r
- }\r
-\r
- if (SpdData != NULL) {\r
- if ((SpdData->Action == EfiIPsecActionProtect && SpdData->ProcessingPolicy == NULL) ||\r
- (SpdData->Action != EfiIPsecActionProtect && SpdData->ProcessingPolicy != NULL)\r
- ) {\r
- return EFI_INVALID_PARAMETER;\r
- }\r
-\r
- if (SpdData->Action == EfiIPsecActionProtect) {\r
- if ((SpdData->ProcessingPolicy->Mode == EfiIPsecTunnel && SpdData->ProcessingPolicy->TunnelOption == NULL) ||\r
- (SpdData->ProcessingPolicy->Mode != EfiIPsecTunnel && SpdData->ProcessingPolicy->TunnelOption != NULL)\r
- ) {\r
- return EFI_INVALID_PARAMETER;\r
- }\r
- }\r
- }\r
- //\r
- // The default behavior is to insert the node ahead of the header.\r
- //\r
- EntryInsertBefore = SpdList;\r
-\r
- //\r
- // Remove the existed SPD entry.\r
- //\r
- NET_LIST_FOR_EACH_SAFE (Entry, NextEntry, SpdList) {\r
-\r
- SpdEntry = IPSEC_SPD_ENTRY_FROM_LIST (Entry);\r
-\r
- if (SpdSel == NULL ||\r
- CompareSpdSelector ((EFI_IPSEC_CONFIG_SELECTOR *) SpdEntry->Selector, (EFI_IPSEC_CONFIG_SELECTOR *) SpdSel)\r
- ) {\r
- //\r
- // Record the existed entry position to keep the original order.\r
- //\r
- EntryInsertBefore = SpdEntry->List.ForwardLink;\r
- RemoveEntryList (&SpdEntry->List);\r
-\r
- //\r
- // Update the reverse ref of SAD entry in the SPD.sas list.\r
- //\r
- SpdSas = &SpdEntry->Data->Sas;\r
-\r
- //\r
- // Remove the related SAs from Sas(SadEntry->BySpd). If the SA entry is established by\r
- // IKE, remove from mConfigData list(SadEntry->List) and then free it directly since its\r
- // SpdEntry will be freed later.\r
- //\r
- NET_LIST_FOR_EACH_SAFE (Entry2, NextEntry2, SpdSas) {\r
- SadEntry = IPSEC_SAD_ENTRY_FROM_SPD (Entry2);\r
-\r
- if (SadEntry->Data->SpdEntry != NULL) {\r
- RemoveEntryList (&SadEntry->BySpd);\r
- SadEntry->Data->SpdEntry = NULL;\r
- }\r
-\r
- if (!(SadEntry->Data->ManualSet)) {\r
- RemoveEntryList (&SadEntry->List);\r
- FreePool (SadEntry);\r
- }\r
- }\r
-\r
- //\r
- // Free the existed SPD entry\r
- //\r
- FreePool (SpdEntry);\r
- }\r
- }\r
- //\r
- // Return success here if only want to remove the SPD entry.\r
- //\r
- if (SpdData == NULL || SpdSel == NULL) {\r
- return EFI_SUCCESS;\r
- }\r
- //\r
- // Search the appointed entry position if InsertBefore is not NULL.\r
- //\r
- if (InsertBefore != NULL) {\r
-\r
- NET_LIST_FOR_EACH (Entry, SpdList) {\r
- SpdEntry = IPSEC_SPD_ENTRY_FROM_LIST (Entry);\r
-\r
- if (CompareSpdSelector (\r
- (EFI_IPSEC_CONFIG_SELECTOR *) SpdEntry->Selector,\r
- (EFI_IPSEC_CONFIG_SELECTOR *) InsertBefore\r
- )) {\r
- EntryInsertBefore = Entry;\r
- break;\r
- }\r
- }\r
- }\r
-\r
- //\r
- // Do Padding for the different Arch.\r
- //\r
- SpdEntrySize = ALIGN_VARIABLE (sizeof (IPSEC_SPD_ENTRY));\r
- SpdEntrySize = ALIGN_VARIABLE (SpdEntrySize + SIZE_OF_SPD_SELECTOR (SpdSel));\r
- SpdEntrySize += IpSecGetSizeOfEfiSpdData (SpdData);\r
-\r
- SpdEntry = AllocateZeroPool (SpdEntrySize);\r
-\r
- if (SpdEntry == NULL) {\r
- return EFI_OUT_OF_RESOURCES;\r
- }\r
- //\r
- // Fix the address of Selector and Data buffer and copy them, which is\r
- // continous memory and close to the base structure of SPD entry.\r
- //\r
- SpdEntry->Selector = (EFI_IPSEC_SPD_SELECTOR *) ALIGN_POINTER ((SpdEntry + 1), sizeof (UINTN));\r
- SpdEntry->Data = (IPSEC_SPD_DATA *) ALIGN_POINTER (\r
- ((UINT8 *) SpdEntry->Selector + SIZE_OF_SPD_SELECTOR (SpdSel)),\r
- sizeof (UINTN)\r
- );\r
-\r
- DuplicateSpdSelector (\r
- (EFI_IPSEC_CONFIG_SELECTOR *) SpdEntry->Selector,\r
- (EFI_IPSEC_CONFIG_SELECTOR *) SpdSel,\r
- NULL\r
- );\r
-\r
- CopyMem (\r
- SpdEntry->Data->Name,\r
- SpdData->Name,\r
- sizeof (SpdData->Name)\r
- );\r
- SpdEntry->Data->PackageFlag = SpdData->PackageFlag;\r
- SpdEntry->Data->TrafficDirection = SpdData->TrafficDirection;\r
- SpdEntry->Data->Action = SpdData->Action;\r
-\r
- //\r
- // Fix the address of ProcessingPolicy and copy it if need, which is continous\r
- // memory and close to the base structure of SAD data.\r
- //\r
- if (SpdData->Action != EfiIPsecActionProtect) {\r
- SpdEntry->Data->ProcessingPolicy = NULL;\r
- } else {\r
- SpdEntry->Data->ProcessingPolicy = (EFI_IPSEC_PROCESS_POLICY *) ALIGN_POINTER (\r
- SpdEntry->Data + 1,\r
- sizeof (UINTN)\r
- );\r
- IpSecDuplicateProcessPolicy (SpdEntry->Data->ProcessingPolicy, SpdData->ProcessingPolicy);\r
- }\r
- //\r
- // Update the sas list of the new SPD entry.\r
- //\r
- InitializeListHead (&SpdEntry->Data->Sas);\r
-\r
- SadList = &mConfigData[IPsecConfigDataTypeSad];\r
-\r
- NET_LIST_FOR_EACH (Entry, SadList) {\r
- SadEntry = IPSEC_SAD_ENTRY_FROM_LIST (Entry);\r
-\r
- for (Index = 0; Index < SpdData->SaIdCount; Index++) {\r
- if (CompareSaId (\r
- (EFI_IPSEC_CONFIG_SELECTOR *) &SpdData->SaId[Index],\r
- (EFI_IPSEC_CONFIG_SELECTOR *) SadEntry->Id\r
- )) {\r
- //\r
- // Check whether the found SadEntry is vaild.\r
- //\r
- if (IsSubSpdSelector (\r
- (EFI_IPSEC_CONFIG_SELECTOR *) SadEntry->Data->SpdSelector,\r
- (EFI_IPSEC_CONFIG_SELECTOR *) SpdEntry->Selector\r
- )) {\r
- if (SadEntry->Data->SpdEntry != NULL) {\r
- RemoveEntryList (&SadEntry->BySpd);\r
- }\r
- InsertTailList (&SpdEntry->Data->Sas, &SadEntry->BySpd);\r
- SadEntry->Data->SpdEntry = SpdEntry;\r
- } else {\r
- return EFI_INVALID_PARAMETER;\r
- }\r
- }\r
- }\r
- }\r
-\r
- //\r
- // Insert the new SPD entry.\r
- //\r
- InsertTailList (EntryInsertBefore, &SpdEntry->List);\r
-\r
- return EFI_SUCCESS;\r
-}\r
-\r
-/**\r
- Set the security association information for the EFI IPsec driver.\r
-\r
- The IPsec configuration data has a unique selector/identifier separately to\r
- identify a data entry.\r
-\r
- @param[in] Selector Pointer to an entry selector on operated\r
- configuration data specified by DataType.\r
- A NULL Selector causes the entire specified-type\r
- configuration information to be flushed.\r
- @param[in] Data The data buffer to be set. The structure\r
- of the data buffer should be EFI_IPSEC_SA_DATA.\r
- @param[in] Context Pointer to one entry selector which describes\r
- the expected position the new data entry will\r
- be added. If Context is NULL,the new entry will\r
- be appended the end of database.\r
-\r
- @retval EFI_OUT_OF_RESOURCED The required system resource could not be allocated.\r
- @retval EFI_SUCCESS The specified configuration data was obtained successfully.\r
-\r
-**/\r
-EFI_STATUS\r
-SetSadEntry (\r
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector,\r
- IN VOID *Data,\r
- IN VOID *Context OPTIONAL\r
- )\r
-{\r
- IPSEC_SAD_ENTRY *SadEntry;\r
- IPSEC_SPD_ENTRY *SpdEntry;\r
- LIST_ENTRY *Entry;\r
- LIST_ENTRY *NextEntry;\r
- LIST_ENTRY *SadList;\r
- LIST_ENTRY *SpdList;\r
- EFI_IPSEC_SA_ID *SaId;\r
- EFI_IPSEC_SA_DATA2 *SaData;\r
- EFI_IPSEC_SA_ID *InsertBefore;\r
- LIST_ENTRY *EntryInsertBefore;\r
- UINTN SadEntrySize;\r
-\r
- SaId = (Selector == NULL) ? NULL : &Selector->SaId;\r
- SaData = (Data == NULL) ? NULL : (EFI_IPSEC_SA_DATA2 *) Data;\r
- InsertBefore = (Context == NULL) ? NULL : &((EFI_IPSEC_CONFIG_SELECTOR *) Context)->SaId;\r
- SadList = &mConfigData[IPsecConfigDataTypeSad];\r
-\r
- //\r
- // The default behavior is to insert the node ahead of the header.\r
- //\r
- EntryInsertBefore = SadList;\r
-\r
- //\r
- // Remove the existed SAD entry.\r
- //\r
- NET_LIST_FOR_EACH_SAFE (Entry, NextEntry, SadList) {\r
-\r
- SadEntry = IPSEC_SAD_ENTRY_FROM_LIST (Entry);\r
-\r
- if (SaId == NULL ||\r
- CompareSaId (\r
- (EFI_IPSEC_CONFIG_SELECTOR *) SadEntry->Id,\r
- (EFI_IPSEC_CONFIG_SELECTOR *) SaId\r
- )) {\r
- //\r
- // Record the existed entry position to keep the original order.\r
- //\r
- EntryInsertBefore = SadEntry->List.ForwardLink;\r
-\r
- //\r
- // Update the related SAD.byspd field.\r
- //\r
- if (SadEntry->Data->SpdEntry != NULL) {\r
- RemoveEntryList (&SadEntry->BySpd);\r
- }\r
-\r
- RemoveEntryList (&SadEntry->List);\r
- FreePool (SadEntry);\r
- }\r
- }\r
- //\r
- // Return success here if only want to remove the SAD entry\r
- //\r
- if (SaData == NULL || SaId == NULL) {\r
- return EFI_SUCCESS;\r
- }\r
- //\r
- // Search the appointed entry position if InsertBefore is not NULL.\r
- //\r
- if (InsertBefore != NULL) {\r
-\r
- NET_LIST_FOR_EACH (Entry, SadList) {\r
- SadEntry = IPSEC_SAD_ENTRY_FROM_LIST (Entry);\r
-\r
- if (CompareSaId (\r
- (EFI_IPSEC_CONFIG_SELECTOR *) SadEntry->Id,\r
- (EFI_IPSEC_CONFIG_SELECTOR *) InsertBefore\r
- )) {\r
- EntryInsertBefore = Entry;\r
- break;\r
- }\r
- }\r
- }\r
-\r
- //\r
- // Do Padding for different Arch.\r
- //\r
- SadEntrySize = ALIGN_VARIABLE (sizeof (IPSEC_SAD_ENTRY));\r
- SadEntrySize = ALIGN_VARIABLE (SadEntrySize + sizeof (EFI_IPSEC_SA_ID));\r
- SadEntrySize = ALIGN_VARIABLE (SadEntrySize + sizeof (IPSEC_SAD_DATA));\r
-\r
- if (SaId->Proto == EfiIPsecAH) {\r
- SadEntrySize += SaData->AlgoInfo.AhAlgoInfo.AuthKeyLength;\r
- } else {\r
- SadEntrySize = ALIGN_VARIABLE (SadEntrySize + SaData->AlgoInfo.EspAlgoInfo.AuthKeyLength);\r
- SadEntrySize += ALIGN_VARIABLE (SaData->AlgoInfo.EspAlgoInfo.EncKeyLength);\r
- }\r
-\r
- if (SaData->SpdSelector != NULL) {\r
- SadEntrySize += SadEntrySize + SIZE_OF_SPD_SELECTOR (SaData->SpdSelector);\r
- }\r
- SadEntry = AllocateZeroPool (SadEntrySize);\r
-\r
- if (SadEntry == NULL) {\r
- return EFI_OUT_OF_RESOURCES;\r
- }\r
- //\r
- // Fix the address of Id and Data buffer and copy them, which is\r
- // continous memory and close to the base structure of SAD entry.\r
- //\r
- SadEntry->Id = (EFI_IPSEC_SA_ID *) ALIGN_POINTER ((SadEntry + 1), sizeof (UINTN));\r
- SadEntry->Data = (IPSEC_SAD_DATA *) ALIGN_POINTER ((SadEntry->Id + 1), sizeof (UINTN));\r
-\r
- CopyMem (SadEntry->Id, SaId, sizeof (EFI_IPSEC_SA_ID));\r
-\r
- SadEntry->Data->Mode = SaData->Mode;\r
- SadEntry->Data->SequenceNumber = SaData->SNCount;\r
- SadEntry->Data->AntiReplayWindowSize = SaData->AntiReplayWindows;\r
-\r
- ZeroMem (\r
- &SadEntry->Data->AntiReplayBitmap,\r
- sizeof (SadEntry->Data->AntiReplayBitmap)\r
- );\r
-\r
- ZeroMem (\r
- &SadEntry->Data->AlgoInfo,\r
- sizeof (EFI_IPSEC_ALGO_INFO)\r
- );\r
-\r
- SadEntry->Data->AlgoInfo.EspAlgoInfo.AuthAlgoId = SaData->AlgoInfo.EspAlgoInfo.AuthAlgoId;\r
- SadEntry->Data->AlgoInfo.EspAlgoInfo.AuthKeyLength = SaData->AlgoInfo.EspAlgoInfo.AuthKeyLength;\r
-\r
- if (SadEntry->Data->AlgoInfo.EspAlgoInfo.AuthKeyLength != 0) {\r
- SadEntry->Data->AlgoInfo.EspAlgoInfo.AuthKey = (VOID *) ALIGN_POINTER ((SadEntry->Data + 1), sizeof (UINTN));\r
- CopyMem (\r
- SadEntry->Data->AlgoInfo.EspAlgoInfo.AuthKey,\r
- SaData->AlgoInfo.EspAlgoInfo.AuthKey,\r
- SadEntry->Data->AlgoInfo.EspAlgoInfo.AuthKeyLength\r
- );\r
- }\r
-\r
- if (SaId->Proto == EfiIPsecESP) {\r
- SadEntry->Data->AlgoInfo.EspAlgoInfo.EncAlgoId = SaData->AlgoInfo.EspAlgoInfo.EncAlgoId;\r
- SadEntry->Data->AlgoInfo.EspAlgoInfo.EncKeyLength = SaData->AlgoInfo.EspAlgoInfo.EncKeyLength;\r
-\r
- if (SadEntry->Data->AlgoInfo.EspAlgoInfo.EncKeyLength != 0) {\r
- SadEntry->Data->AlgoInfo.EspAlgoInfo.EncKey = (VOID *) ALIGN_POINTER (\r
- ((UINT8 *) (SadEntry->Data + 1) +\r
- SadEntry->Data->AlgoInfo.EspAlgoInfo.AuthKeyLength),\r
- sizeof (UINTN)\r
- );\r
- CopyMem (\r
- SadEntry->Data->AlgoInfo.EspAlgoInfo.EncKey,\r
- SaData->AlgoInfo.EspAlgoInfo.EncKey,\r
- SadEntry->Data->AlgoInfo.EspAlgoInfo.EncKeyLength\r
- );\r
- }\r
- }\r
-\r
- CopyMem (\r
- &SadEntry->Data->SaLifetime,\r
- &SaData->SaLifetime,\r
- sizeof (EFI_IPSEC_SA_LIFETIME)\r
- );\r
-\r
- SadEntry->Data->PathMTU = SaData->PathMTU;\r
- SadEntry->Data->SpdSelector = NULL;\r
- SadEntry->Data->ESNEnabled = FALSE;\r
- SadEntry->Data->ManualSet = SaData->ManualSet;\r
-\r
- //\r
- // Copy Tunnel Source/Destination Address\r
- //\r
- if (SaData->Mode == EfiIPsecTunnel) {\r
- CopyMem (\r
- &SadEntry->Data->TunnelDestAddress,\r
- &SaData->TunnelDestinationAddress,\r
- sizeof (EFI_IP_ADDRESS)\r
- );\r
- CopyMem (\r
- &SadEntry->Data->TunnelSourceAddress,\r
- &SaData->TunnelSourceAddress,\r
- sizeof (EFI_IP_ADDRESS)\r
- );\r
- }\r
- //\r
- // Update the spd.sas list of the spd entry specified by SAD selector\r
- //\r
- SpdList = &mConfigData[IPsecConfigDataTypeSpd];\r
-\r
- for (Entry = SpdList->ForwardLink; Entry != SpdList && SaData->SpdSelector != NULL; Entry = Entry->ForwardLink) {\r
-\r
- SpdEntry = IPSEC_SPD_ENTRY_FROM_LIST (Entry);\r
- if (IsSubSpdSelector (\r
- (EFI_IPSEC_CONFIG_SELECTOR *) SaData->SpdSelector,\r
- (EFI_IPSEC_CONFIG_SELECTOR *) SpdEntry->Selector\r
- ) && SpdEntry->Data->Action == EfiIPsecActionProtect) {\r
- SadEntry->Data->SpdEntry = SpdEntry;\r
- SadEntry->Data->SpdSelector = (EFI_IPSEC_SPD_SELECTOR *)((UINT8 *)SadEntry +\r
- SadEntrySize -\r
- SIZE_OF_SPD_SELECTOR (SaData->SpdSelector)\r
- );\r
- DuplicateSpdSelector (\r
- (EFI_IPSEC_CONFIG_SELECTOR *) SadEntry->Data->SpdSelector,\r
- (EFI_IPSEC_CONFIG_SELECTOR *) SaData->SpdSelector,\r
- NULL\r
- );\r
- InsertTailList (&SpdEntry->Data->Sas, &SadEntry->BySpd);\r
- }\r
- }\r
- //\r
- // Insert the new SAD entry.\r
- //\r
- InsertTailList (EntryInsertBefore, &SadEntry->List);\r
-\r
- return EFI_SUCCESS;\r
-}\r
-\r
-/**\r
- Set the peer authorization configuration information for the EFI IPsec driver.\r
-\r
- The IPsec configuration data has a unique selector/identifier separately to\r
- identify a data entry.\r
-\r
- @param[in] Selector Pointer to an entry selector on operated\r
- configuration data specified by DataType.\r
- A NULL Selector causes the entire specified-type\r
- configuration information to be flushed.\r
- @param[in] Data The data buffer to be set. The structure\r
- of the data buffer should be EFI_IPSEC_PAD_DATA.\r
- @param[in] Context Pointer to one entry selector that describes\r
- the expected position the new data entry will\r
- be added. If Context is NULL, the new entry will\r
- be appended the end of database.\r
-\r
- @retval EFI_OUT_OF_RESOURCES The required system resources could not be allocated.\r
- @retval EFI_SUCCESS The specified configuration data was obtained successfully.\r
-\r
-**/\r
-EFI_STATUS\r
-SetPadEntry (\r
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector,\r
- IN VOID *Data,\r
- IN VOID *Context OPTIONAL\r
- )\r
-{\r
- IPSEC_PAD_ENTRY *PadEntry;\r
- EFI_IPSEC_PAD_ID *PadId;\r
- EFI_IPSEC_PAD_DATA *PadData;\r
- LIST_ENTRY *PadList;\r
- LIST_ENTRY *Entry;\r
- LIST_ENTRY *NextEntry;\r
- EFI_IPSEC_PAD_ID *InsertBefore;\r
- LIST_ENTRY *EntryInsertBefore;\r
- UINTN PadEntrySize;\r
-\r
- PadId = (Selector == NULL) ? NULL : &Selector->PadId;\r
- PadData = (Data == NULL) ? NULL : (EFI_IPSEC_PAD_DATA *) Data;\r
- InsertBefore = (Context == NULL) ? NULL : &((EFI_IPSEC_CONFIG_SELECTOR *) Context)->PadId;\r
- PadList = &mConfigData[IPsecConfigDataTypePad];\r
-\r
- //\r
- // The default behavior is to insert the node ahead of the header.\r
- //\r
- EntryInsertBefore = PadList;\r
-\r
- //\r
- // Remove the existed pad entry.\r
- //\r
- NET_LIST_FOR_EACH_SAFE (Entry, NextEntry, PadList) {\r
-\r
- PadEntry = IPSEC_PAD_ENTRY_FROM_LIST (Entry);\r
-\r
- if (PadId == NULL ||\r
- ComparePadId ((EFI_IPSEC_CONFIG_SELECTOR *) PadEntry->Id, (EFI_IPSEC_CONFIG_SELECTOR *) PadId)\r
- ) {\r
- //\r
- // Record the existed entry position to keep the original order.\r
- //\r
- EntryInsertBefore = PadEntry->List.ForwardLink;\r
- RemoveEntryList (&PadEntry->List);\r
-\r
- FreePool (PadEntry);\r
- }\r
- }\r
- //\r
- // Return success here if only want to remove the pad entry\r
- //\r
- if (PadData == NULL || PadId == NULL) {\r
- return EFI_SUCCESS;\r
- }\r
- //\r
- // Search the appointed entry position if InsertBefore is not NULL.\r
- //\r
- if (InsertBefore != NULL) {\r
-\r
- NET_LIST_FOR_EACH (Entry, PadList) {\r
- PadEntry = IPSEC_PAD_ENTRY_FROM_LIST (Entry);\r
-\r
- if (ComparePadId (\r
- (EFI_IPSEC_CONFIG_SELECTOR *) PadEntry->Id,\r
- (EFI_IPSEC_CONFIG_SELECTOR *) InsertBefore\r
- )) {\r
- EntryInsertBefore = Entry;\r
- break;\r
- }\r
- }\r
- }\r
-\r
- //\r
- // Do PADDING for different arch.\r
- //\r
- PadEntrySize = ALIGN_VARIABLE (sizeof (IPSEC_PAD_ENTRY));\r
- PadEntrySize = ALIGN_VARIABLE (PadEntrySize + sizeof (EFI_IPSEC_PAD_ID));\r
- PadEntrySize = ALIGN_VARIABLE (PadEntrySize + sizeof (EFI_IPSEC_PAD_DATA));\r
- PadEntrySize = ALIGN_VARIABLE (PadEntrySize + (PadData->AuthData != NULL ? PadData->AuthDataSize : 0));\r
- PadEntrySize += PadData->RevocationData != NULL ? PadData->RevocationDataSize : 0;\r
-\r
- PadEntry = AllocateZeroPool (PadEntrySize);\r
-\r
- if (PadEntry == NULL) {\r
- return EFI_OUT_OF_RESOURCES;\r
- }\r
- //\r
- // Fix the address of Id and Data buffer and copy them, which is\r
- // continous memory and close to the base structure of pad entry.\r
- //\r
- PadEntry->Id = (EFI_IPSEC_PAD_ID *) ALIGN_POINTER ((PadEntry + 1), sizeof (UINTN));\r
- PadEntry->Data = (EFI_IPSEC_PAD_DATA *) ALIGN_POINTER ((PadEntry->Id + 1), sizeof (UINTN));\r
-\r
- CopyMem (PadEntry->Id, PadId, sizeof (EFI_IPSEC_PAD_ID));\r
-\r
- PadEntry->Data->AuthProtocol = PadData->AuthProtocol;\r
- PadEntry->Data->AuthMethod = PadData->AuthMethod;\r
- PadEntry->Data->IkeIdFlag = PadData->IkeIdFlag;\r
-\r
- if (PadData->AuthData != NULL) {\r
- PadEntry->Data->AuthDataSize = PadData->AuthDataSize;\r
- PadEntry->Data->AuthData = (VOID *) ALIGN_POINTER (PadEntry->Data + 1, sizeof (UINTN));\r
- CopyMem (\r
- PadEntry->Data->AuthData,\r
- PadData->AuthData,\r
- PadData->AuthDataSize\r
- );\r
- } else {\r
- PadEntry->Data->AuthDataSize = 0;\r
- PadEntry->Data->AuthData = NULL;\r
- }\r
-\r
- if (PadData->RevocationData != NULL) {\r
- PadEntry->Data->RevocationDataSize = PadData->RevocationDataSize;\r
- PadEntry->Data->RevocationData = (VOID *) ALIGN_POINTER (\r
- ((UINT8 *) (PadEntry->Data + 1) + PadData->AuthDataSize),\r
- sizeof (UINTN)\r
- );\r
- CopyMem (\r
- PadEntry->Data->RevocationData,\r
- PadData->RevocationData,\r
- PadData->RevocationDataSize\r
- );\r
- } else {\r
- PadEntry->Data->RevocationDataSize = 0;\r
- PadEntry->Data->RevocationData = NULL;\r
- }\r
- //\r
- // Insert the new pad entry.\r
- //\r
- InsertTailList (EntryInsertBefore, &PadEntry->List);\r
-\r
- return EFI_SUCCESS;\r
-}\r
-\r
-/**\r
- This function lookup the data entry from IPsec SPD. Return the configuration\r
- value of the specified SPD Entry.\r
-\r
- @param[in] Selector Pointer to an entry selector which is an identifier\r
- of the SPD entry.\r
- @param[in, out] DataSize On output the size of data returned in Data.\r
- @param[out] Data The buffer to return the contents of the IPsec\r
- configuration data. The type of the data buffer\r
- is associated with the DataType.\r
-\r
- @retval EFI_SUCCESS The specified configuration data was obtained successfully.\r
- @retval EFI_INVALID_PARAMETER Data is NULL and *DataSize is not zero.\r
- @retval EFI_NOT_FOUND The configuration data specified by Selector is not found.\r
- @retval EFI_BUFFER_TOO_SMALL The DataSize is too small for the result. DataSize has been\r
- updated with the size needed to complete the request.\r
-\r
-**/\r
-EFI_STATUS\r
-GetSpdEntry (\r
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector,\r
- IN OUT UINTN *DataSize,\r
- OUT VOID *Data\r
- )\r
-{\r
- IPSEC_SPD_ENTRY *SpdEntry;\r
- IPSEC_SAD_ENTRY *SadEntry;\r
- EFI_IPSEC_SPD_SELECTOR *SpdSel;\r
- EFI_IPSEC_SPD_DATA *SpdData;\r
- LIST_ENTRY *SpdList;\r
- LIST_ENTRY *SpdSas;\r
- LIST_ENTRY *Entry;\r
- UINTN RequiredSize;\r
-\r
- SpdSel = &Selector->SpdSelector;\r
- SpdData = (EFI_IPSEC_SPD_DATA *) Data;\r
- SpdList = &mConfigData[IPsecConfigDataTypeSpd];\r
-\r
- NET_LIST_FOR_EACH (Entry, SpdList) {\r
- SpdEntry = IPSEC_SPD_ENTRY_FROM_LIST (Entry);\r
-\r
- //\r
- // Find the required SPD entry\r
- //\r
- if (CompareSpdSelector (\r
- (EFI_IPSEC_CONFIG_SELECTOR *) SpdSel,\r
- (EFI_IPSEC_CONFIG_SELECTOR *) SpdEntry->Selector\r
- )) {\r
-\r
- RequiredSize = IpSecGetSizeOfSpdData (SpdEntry->Data);\r
- if (*DataSize < RequiredSize) {\r
- *DataSize = RequiredSize;\r
- return EFI_BUFFER_TOO_SMALL;\r
- }\r
-\r
- if (SpdData == NULL) {\r
- return EFI_INVALID_PARAMETER;\r
- }\r
-\r
- *DataSize = RequiredSize;\r
-\r
- //\r
- // Extract and fill all SaId array from the SPD.sas list\r
- //\r
- SpdSas = &SpdEntry->Data->Sas;\r
- SpdData->SaIdCount = 0;\r
-\r
- NET_LIST_FOR_EACH (Entry, SpdSas) {\r
- SadEntry = IPSEC_SAD_ENTRY_FROM_SPD (Entry);\r
- CopyMem (\r
- &SpdData->SaId[SpdData->SaIdCount++],\r
- SadEntry->Id,\r
- sizeof (EFI_IPSEC_SA_ID)\r
- );\r
- }\r
- //\r
- // Fill the other fields in SPD data.\r
- //\r
- CopyMem (SpdData->Name, SpdEntry->Data->Name, sizeof (SpdData->Name));\r
-\r
- SpdData->PackageFlag = SpdEntry->Data->PackageFlag;\r
- SpdData->TrafficDirection = SpdEntry->Data->TrafficDirection;\r
- SpdData->Action = SpdEntry->Data->Action;\r
-\r
- if (SpdData->Action != EfiIPsecActionProtect) {\r
- SpdData->ProcessingPolicy = NULL;\r
- } else {\r
- SpdData->ProcessingPolicy = (EFI_IPSEC_PROCESS_POLICY *) ((UINT8 *) SpdData + sizeof (EFI_IPSEC_SPD_DATA) + (SpdData->SaIdCount - 1) * sizeof (EFI_IPSEC_SA_ID));\r
-\r
- IpSecDuplicateProcessPolicy (\r
- SpdData->ProcessingPolicy,\r
- SpdEntry->Data->ProcessingPolicy\r
- );\r
- }\r
-\r
- return EFI_SUCCESS;\r
- }\r
- }\r
-\r
- return EFI_NOT_FOUND;\r
-}\r
-\r
-/**\r
- This function lookup the data entry from IPsec SAD. Return the configuration\r
- value of the specified SAD Entry.\r
-\r
- @param[in] Selector Pointer to an entry selector which is an identifier\r
- of the SAD entry.\r
- @param[in, out] DataSize On output, the size of data returned in Data.\r
- @param[out] Data The buffer to return the contents of the IPsec\r
- configuration data. The type of the data buffer\r
- is associated with the DataType.\r
-\r
- @retval EFI_SUCCESS The specified configuration data was obtained successfully.\r
- @retval EFI_NOT_FOUND The configuration data specified by Selector is not found.\r
- @retval EFI_BUFFER_TOO_SMALL The DataSize is too small for the result. DataSize has been\r
- updated with the size needed to complete the request.\r
-\r
-**/\r
-EFI_STATUS\r
-GetSadEntry (\r
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector,\r
- IN OUT UINTN *DataSize,\r
- OUT VOID *Data\r
- )\r
-{\r
- IPSEC_SAD_ENTRY *SadEntry;\r
- LIST_ENTRY *Entry;\r
- LIST_ENTRY *SadList;\r
- EFI_IPSEC_SA_ID *SaId;\r
- EFI_IPSEC_SA_DATA2 *SaData;\r
- UINTN RequiredSize;\r
-\r
- SaId = &Selector->SaId;\r
- SaData = (EFI_IPSEC_SA_DATA2 *) Data;\r
- SadList = &mConfigData[IPsecConfigDataTypeSad];\r
-\r
- NET_LIST_FOR_EACH (Entry, SadList) {\r
- SadEntry = IPSEC_SAD_ENTRY_FROM_LIST (Entry);\r
-\r
- //\r
- // Find the required SAD entry.\r
- //\r
- if (CompareSaId (\r
- (EFI_IPSEC_CONFIG_SELECTOR *) SaId,\r
- (EFI_IPSEC_CONFIG_SELECTOR *) SadEntry->Id\r
- )) {\r
- //\r
- // Calculate the required size of the SAD entry.\r
- // Data Layout is follows:\r
- // |EFI_IPSEC_SA_DATA\r
- // |AuthKey\r
- // |EncryptKey (Optional)\r
- // |SpdSelector (Optional)\r
- //\r
- RequiredSize = ALIGN_VARIABLE (sizeof (EFI_IPSEC_SA_DATA2));\r
-\r
- if (SaId->Proto == EfiIPsecAH) {\r
- RequiredSize = ALIGN_VARIABLE (RequiredSize + SadEntry->Data->AlgoInfo.AhAlgoInfo.AuthKeyLength);\r
- } else {\r
- RequiredSize = ALIGN_VARIABLE (RequiredSize + SadEntry->Data->AlgoInfo.EspAlgoInfo.AuthKeyLength);\r
- RequiredSize = ALIGN_VARIABLE (RequiredSize + SadEntry->Data->AlgoInfo.EspAlgoInfo.EncKeyLength);\r
- }\r
-\r
- if (SadEntry->Data->SpdSelector != NULL) {\r
- RequiredSize += SIZE_OF_SPD_SELECTOR (SadEntry->Data->SpdSelector);\r
- }\r
-\r
- if (*DataSize < RequiredSize) {\r
- *DataSize = RequiredSize;\r
- return EFI_BUFFER_TOO_SMALL;\r
- }\r
-\r
- //\r
- // Fill the data fields of SAD entry.\r
- //\r
- *DataSize = RequiredSize;\r
- SaData->Mode = SadEntry->Data->Mode;\r
- SaData->SNCount = SadEntry->Data->SequenceNumber;\r
- SaData->AntiReplayWindows = SadEntry->Data->AntiReplayWindowSize;\r
-\r
- CopyMem (\r
- &SaData->SaLifetime,\r
- &SadEntry->Data->SaLifetime,\r
- sizeof (EFI_IPSEC_SA_LIFETIME)\r
- );\r
-\r
- ZeroMem (\r
- &SaData->AlgoInfo,\r
- sizeof (EFI_IPSEC_ALGO_INFO)\r
- );\r
-\r
- if (SaId->Proto == EfiIPsecAH) {\r
- //\r
- // Copy AH alogrithm INFO to SaData\r
- //\r
- SaData->AlgoInfo.AhAlgoInfo.AuthAlgoId = SadEntry->Data->AlgoInfo.AhAlgoInfo.AuthAlgoId;\r
- SaData->AlgoInfo.AhAlgoInfo.AuthKeyLength = SadEntry->Data->AlgoInfo.AhAlgoInfo.AuthKeyLength;\r
- if (SaData->AlgoInfo.AhAlgoInfo.AuthKeyLength != 0) {\r
- SaData->AlgoInfo.AhAlgoInfo.AuthKey = (VOID *) ALIGN_POINTER ((SaData + 1), sizeof (UINTN));\r
- CopyMem (\r
- SaData->AlgoInfo.AhAlgoInfo.AuthKey,\r
- SadEntry->Data->AlgoInfo.AhAlgoInfo.AuthKey,\r
- SaData->AlgoInfo.AhAlgoInfo.AuthKeyLength\r
- );\r
- }\r
- } else if (SaId->Proto == EfiIPsecESP) {\r
- //\r
- // Copy ESP alogrithem INFO to SaData\r
- //\r
- SaData->AlgoInfo.EspAlgoInfo.AuthAlgoId = SadEntry->Data->AlgoInfo.EspAlgoInfo.AuthAlgoId;\r
- SaData->AlgoInfo.EspAlgoInfo.AuthKeyLength = SadEntry->Data->AlgoInfo.EspAlgoInfo.AuthKeyLength;\r
- if (SaData->AlgoInfo.EspAlgoInfo.AuthKeyLength != 0) {\r
- SaData->AlgoInfo.EspAlgoInfo.AuthKey = (VOID *) ALIGN_POINTER ((SaData + 1), sizeof (UINTN));\r
- CopyMem (\r
- SaData->AlgoInfo.EspAlgoInfo.AuthKey,\r
- SadEntry->Data->AlgoInfo.EspAlgoInfo.AuthKey,\r
- SaData->AlgoInfo.EspAlgoInfo.AuthKeyLength\r
- );\r
- }\r
-\r
- SaData->AlgoInfo.EspAlgoInfo.EncAlgoId = SadEntry->Data->AlgoInfo.EspAlgoInfo.EncAlgoId;\r
- SaData->AlgoInfo.EspAlgoInfo.EncKeyLength = SadEntry->Data->AlgoInfo.EspAlgoInfo.EncKeyLength;\r
-\r
- if (SaData->AlgoInfo.EspAlgoInfo.EncKeyLength != 0) {\r
- SaData->AlgoInfo.EspAlgoInfo.EncKey = (VOID *) ALIGN_POINTER (\r
- ((UINT8 *) (SaData + 1) +\r
- SaData->AlgoInfo.EspAlgoInfo.AuthKeyLength),\r
- sizeof (UINTN)\r
- );\r
- CopyMem (\r
- SaData->AlgoInfo.EspAlgoInfo.EncKey,\r
- SadEntry->Data->AlgoInfo.EspAlgoInfo.EncKey,\r
- SaData->AlgoInfo.EspAlgoInfo.EncKeyLength\r
- );\r
- }\r
- }\r
-\r
- SaData->PathMTU = SadEntry->Data->PathMTU;\r
-\r
- //\r
- // Fill Tunnel Address if it is Tunnel Mode\r
- //\r
- if (SadEntry->Data->Mode == EfiIPsecTunnel) {\r
- CopyMem (\r
- &SaData->TunnelDestinationAddress,\r
- &SadEntry->Data->TunnelDestAddress,\r
- sizeof (EFI_IP_ADDRESS)\r
- );\r
- CopyMem (\r
- &SaData->TunnelSourceAddress,\r
- &SadEntry->Data->TunnelSourceAddress,\r
- sizeof (EFI_IP_ADDRESS)\r
- );\r
- }\r
- //\r
- // Fill the spd selector field of SAD data\r
- //\r
- if (SadEntry->Data->SpdSelector != NULL) {\r
-\r
- SaData->SpdSelector = (EFI_IPSEC_SPD_SELECTOR *) (\r
- (UINT8 *)SaData +\r
- RequiredSize -\r
- SIZE_OF_SPD_SELECTOR (SadEntry->Data->SpdSelector)\r
- );\r
-\r
- DuplicateSpdSelector (\r
- (EFI_IPSEC_CONFIG_SELECTOR *) SaData->SpdSelector,\r
- (EFI_IPSEC_CONFIG_SELECTOR *) SadEntry->Data->SpdSelector,\r
- NULL\r
- );\r
-\r
- } else {\r
-\r
- SaData->SpdSelector = NULL;\r
- }\r
-\r
- SaData->ManualSet = SadEntry->Data->ManualSet;\r
-\r
- return EFI_SUCCESS;\r
- }\r
- }\r
-\r
- return EFI_NOT_FOUND;\r
-}\r
-\r
-/**\r
- This function lookup the data entry from IPsec PAD. Return the configuration\r
- value of the specified PAD Entry.\r
-\r
- @param[in] Selector Pointer to an entry selector which is an identifier\r
- of the PAD entry.\r
- @param[in, out] DataSize On output the size of data returned in Data.\r
- @param[out] Data The buffer to return the contents of the IPsec\r
- configuration data. The type of the data buffer\r
- is associated with the DataType.\r
-\r
- @retval EFI_SUCCESS The specified configuration data was obtained successfully.\r
- @retval EFI_NOT_FOUND The configuration data specified by Selector is not found.\r
- @retval EFI_BUFFER_TOO_SMALL The DataSize is too small for the result. DataSize has been\r
- updated with the size needed to complete the request.\r
-\r
-**/\r
-EFI_STATUS\r
-GetPadEntry (\r
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector,\r
- IN OUT UINTN *DataSize,\r
- OUT VOID *Data\r
- )\r
-{\r
- IPSEC_PAD_ENTRY *PadEntry;\r
- LIST_ENTRY *PadList;\r
- LIST_ENTRY *Entry;\r
- EFI_IPSEC_PAD_ID *PadId;\r
- EFI_IPSEC_PAD_DATA *PadData;\r
- UINTN RequiredSize;\r
-\r
- PadId = &Selector->PadId;\r
- PadData = (EFI_IPSEC_PAD_DATA *) Data;\r
- PadList = &mConfigData[IPsecConfigDataTypePad];\r
-\r
- NET_LIST_FOR_EACH (Entry, PadList) {\r
- PadEntry = IPSEC_PAD_ENTRY_FROM_LIST (Entry);\r
-\r
- //\r
- // Find the required pad entry.\r
- //\r
- if (ComparePadId (\r
- (EFI_IPSEC_CONFIG_SELECTOR *) PadId,\r
- (EFI_IPSEC_CONFIG_SELECTOR *) PadEntry->Id\r
- )) {\r
- //\r
- // Calculate the required size of the pad entry.\r
- //\r
- RequiredSize = ALIGN_VARIABLE (sizeof (EFI_IPSEC_PAD_DATA));\r
- RequiredSize = ALIGN_VARIABLE (RequiredSize + PadEntry->Data->AuthDataSize);\r
- RequiredSize += PadEntry->Data->RevocationDataSize;\r
-\r
- if (*DataSize < RequiredSize) {\r
- *DataSize = RequiredSize;\r
- return EFI_BUFFER_TOO_SMALL;\r
- }\r
- //\r
- // Fill the data fields of pad entry\r
- //\r
- *DataSize = RequiredSize;\r
- PadData->AuthProtocol = PadEntry->Data->AuthProtocol;\r
- PadData->AuthMethod = PadEntry->Data->AuthMethod;\r
- PadData->IkeIdFlag = PadEntry->Data->IkeIdFlag;\r
-\r
- //\r
- // Copy Authentication data.\r
- //\r
- if (PadEntry->Data->AuthData != NULL) {\r
-\r
- PadData->AuthDataSize = PadEntry->Data->AuthDataSize;\r
- PadData->AuthData = (VOID *) ALIGN_POINTER ((PadData + 1), sizeof (UINTN));\r
- CopyMem (\r
- PadData->AuthData,\r
- PadEntry->Data->AuthData,\r
- PadData->AuthDataSize\r
- );\r
- } else {\r
-\r
- PadData->AuthDataSize = 0;\r
- PadData->AuthData = NULL;\r
- }\r
- //\r
- // Copy Revocation Data.\r
- //\r
- if (PadEntry->Data->RevocationData != NULL) {\r
-\r
- PadData->RevocationDataSize = PadEntry->Data->RevocationDataSize;\r
- PadData->RevocationData = (VOID *) ALIGN_POINTER (\r
- ((UINT8 *) (PadData + 1) + PadData->AuthDataSize),\r
- sizeof (UINTN)\r
- );\r
- CopyMem (\r
- PadData->RevocationData,\r
- PadEntry->Data->RevocationData,\r
- PadData->RevocationDataSize\r
- );\r
- } else {\r
-\r
- PadData->RevocationDataSize = 0;\r
- PadData->RevocationData = NULL;\r
- }\r
-\r
- return EFI_SUCCESS;\r
- }\r
- }\r
-\r
- return EFI_NOT_FOUND;\r
-}\r
-\r
-/**\r
- Copy Source Process Policy to the Destination Process Policy.\r
-\r
- @param[in] Dst Pointer to the Source Process Policy.\r
- @param[in] Src Pointer to the Destination Process Policy.\r
-\r
-**/\r
-VOID\r
-IpSecDuplicateProcessPolicy (\r
- IN EFI_IPSEC_PROCESS_POLICY *Dst,\r
- IN EFI_IPSEC_PROCESS_POLICY *Src\r
- )\r
-{\r
- //\r
- // Firstly copy the structure content itself.\r
- //\r
- CopyMem (Dst, Src, sizeof (EFI_IPSEC_PROCESS_POLICY));\r
-\r
- //\r
- // Recursively copy the tunnel option if needed.\r
- //\r
- if (Dst->Mode != EfiIPsecTunnel) {\r
- ASSERT (Dst->TunnelOption == NULL);\r
- } else {\r
- Dst->TunnelOption = (EFI_IPSEC_TUNNEL_OPTION *) ALIGN_POINTER ((Dst + 1), sizeof (UINTN));\r
- CopyMem (\r
- Dst->TunnelOption,\r
- Src->TunnelOption,\r
- sizeof (EFI_IPSEC_TUNNEL_OPTION)\r
- );\r
- }\r
-}\r
-\r
-/**\r
- Calculate the a whole size of EFI_IPSEC_SPD_DATA, which includes the buffer size pointed\r
- to by the pointer members.\r
-\r
- @param[in] SpdData Pointer to a specified EFI_IPSEC_SPD_DATA.\r
-\r
- @return the whole size the specified EFI_IPSEC_SPD_DATA.\r
-\r
-**/\r
-UINTN\r
-IpSecGetSizeOfEfiSpdData (\r
- IN EFI_IPSEC_SPD_DATA *SpdData\r
- )\r
-{\r
- UINTN Size;\r
-\r
- Size = ALIGN_VARIABLE (sizeof (IPSEC_SPD_DATA));\r
-\r
- if (SpdData->Action == EfiIPsecActionProtect) {\r
- Size = ALIGN_VARIABLE (Size + sizeof (EFI_IPSEC_PROCESS_POLICY));\r
-\r
- if (SpdData->ProcessingPolicy->Mode == EfiIPsecTunnel) {\r
- Size = ALIGN_VARIABLE (Size + sizeof (EFI_IPSEC_TUNNEL_OPTION));\r
- }\r
- }\r
-\r
- return Size;\r
-}\r
-\r
-/**\r
- Calculate the a whole size of IPSEC_SPD_DATA which includes the buffer size pointed\r
- to by the pointer members and the buffer size used by the Sa List.\r
-\r
- @param[in] SpdData Pointer to the specified IPSEC_SPD_DATA.\r
-\r
- @return the whole size of IPSEC_SPD_DATA.\r
-\r
-**/\r
-UINTN\r
-IpSecGetSizeOfSpdData (\r
- IN IPSEC_SPD_DATA *SpdData\r
- )\r
-{\r
- UINTN Size;\r
- LIST_ENTRY *Link;\r
-\r
- Size = sizeof (EFI_IPSEC_SPD_DATA) - sizeof (EFI_IPSEC_SA_ID);\r
-\r
- if (SpdData->Action == EfiIPsecActionProtect) {\r
- Size += sizeof (EFI_IPSEC_PROCESS_POLICY);\r
-\r
- if (SpdData->ProcessingPolicy->Mode == EfiIPsecTunnel) {\r
- Size += sizeof (EFI_IPSEC_TUNNEL_OPTION);\r
- }\r
- }\r
-\r
- NET_LIST_FOR_EACH (Link, &SpdData->Sas) {\r
- Size += sizeof (EFI_IPSEC_SA_ID);\r
- }\r
-\r
- return Size;\r
-}\r
-\r
-/**\r
- Get the IPsec Variable.\r
-\r
- Get the all variables which start with the string contained in VaraiableName.\r
- Since all IPsec related variable store in continual space, those kinds of\r
- variable can be searched by the EfiGetNextVariableName. Those variables also are\r
- returned in a continual buffer.\r
-\r
- @param[in] VariableName Pointer to a specified Variable Name.\r
- @param[in] VendorGuid Pointer to a specified Vendor Guid.\r
- @param[in] Attributes Point to memory location to return the attributes\r
- of variable. If the point is NULL, the parameter\r
- would be ignored.\r
- @param[in, out] DataSize As input, point to the maximum size of return\r
- Data-Buffer. As output, point to the actual\r
- size of the returned Data-Buffer.\r
- @param[in] Data Point to return Data-Buffer.\r
-\r
- @retval EFI_ABORTED If the Variable size which contained in the variable\r
- structure doesn't match the variable size obtained\r
- from the EFIGetVariable.\r
- @retval EFI_BUFFER_TOO_SMALL The DataSize is too small for the result. DataSize has\r
- been updated with the size needed to complete the request.\r
- @retval EFI_SUCCESS The function completed successfully.\r
- @retval others Other errors found during the variable getting.\r
-**/\r
-EFI_STATUS\r
-IpSecGetVariable (\r
- IN CHAR16 *VariableName,\r
- IN EFI_GUID *VendorGuid,\r
- IN UINT32 *Attributes, OPTIONAL\r
- IN OUT UINTN *DataSize,\r
- IN VOID *Data\r
- )\r
-{\r
- EFI_STATUS Status;\r
- EFI_GUID VendorGuidI;\r
- UINTN VariableNameLength;\r
- CHAR16 *VariableNameI;\r
- UINTN VariableNameISize;\r
- UINTN VariableNameISizeNew;\r
- UINTN VariableIndex;\r
- UINTN VariableCount;\r
- IP_SEC_VARIABLE_INFO IpSecVariableInfo;\r
- UINTN DataSizeI;\r
-\r
- //\r
- // The variable name constructor is "VariableName + Info/0001/0002/... + NULL".\r
- // So the varialbe name is like "VariableNameInfo", "VariableName0001", ...\r
- // "VariableNameNULL".\r
- //\r
- VariableNameLength = StrLen (VariableName);\r
- VariableNameISize = (VariableNameLength + 5) * sizeof (CHAR16);\r
- VariableNameI = AllocateZeroPool (VariableNameISize);\r
- if (VariableNameI == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto ON_EXIT;\r
- }\r
-\r
- //\r
- // Construct the varible name of ipsecconfig meta data.\r
- //\r
- UnicodeSPrint (VariableNameI, VariableNameISize, L"%s%s", VariableName, L"Info");\r
-\r
- DataSizeI = sizeof (IpSecVariableInfo);\r
-\r
- Status = gRT->GetVariable (\r
- VariableNameI,\r
- VendorGuid,\r
- Attributes,\r
- &DataSizeI,\r
- &IpSecVariableInfo\r
- );\r
- if (EFI_ERROR (Status)) {\r
- goto ON_EXIT;\r
- }\r
-\r
- if (*DataSize < IpSecVariableInfo.VariableSize) {\r
- *DataSize = IpSecVariableInfo.VariableSize;\r
- Status = EFI_BUFFER_TOO_SMALL;\r
- goto ON_EXIT;\r
- }\r
-\r
- VariableCount = IpSecVariableInfo.VariableCount;\r
- VariableNameI[0] = L'\0';\r
-\r
- while (VariableCount != 0) {\r
- //\r
- // Get the variable name one by one in the variable database.\r
- //\r
- VariableNameISizeNew = VariableNameISize;\r
- Status = gRT->GetNextVariableName (\r
- &VariableNameISizeNew,\r
- VariableNameI,\r
- &VendorGuidI\r
- );\r
- if (Status == EFI_BUFFER_TOO_SMALL) {\r
- VariableNameI = ReallocatePool (\r
- VariableNameISize,\r
- VariableNameISizeNew,\r
- VariableNameI\r
- );\r
- if (VariableNameI == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- break;\r
- }\r
- VariableNameISize = VariableNameISizeNew;\r
-\r
- Status = gRT->GetNextVariableName (\r
- &VariableNameISizeNew,\r
- VariableNameI,\r
- &VendorGuidI\r
- );\r
- }\r
-\r
- if (EFI_ERROR (Status)) {\r
- break;\r
- }\r
- //\r
- // Check whether the current variable is the required "ipsecconfig".\r
- //\r
- if (StrnCmp (VariableNameI, VariableName, VariableNameLength) == 0 ||\r
- CompareGuid (VendorGuid, &VendorGuidI)\r
- ) {\r
- //\r
- // Parse the variable count of the current ipsecconfig data.\r
- //\r
- VariableIndex = StrDecimalToUintn (VariableNameI + VariableNameLength);\r
- if (VariableIndex!= 0 && VariableIndex <= IpSecVariableInfo.VariableCount) {\r
- //\r
- // Get the variable size of the current ipsecconfig data.\r
- //\r
- DataSizeI = 0;\r
- Status = gRT->GetVariable (\r
- VariableNameI,\r
- VendorGuid,\r
- Attributes,\r
- &DataSizeI,\r
- NULL\r
- );\r
- ASSERT (Status == EFI_BUFFER_TOO_SMALL);\r
- //\r
- // Validate the variable count and variable size.\r
- //\r
- if (VariableIndex != IpSecVariableInfo.VariableCount) {\r
- //\r
- // If the varaibe is not the last one, its size should be the max\r
- // size of the single variable.\r
- //\r
- if (DataSizeI != IpSecVariableInfo.SingleVariableSize) {\r
- return EFI_ABORTED;\r
- }\r
- } else {\r
- if (DataSizeI != IpSecVariableInfo.VariableSize % IpSecVariableInfo.SingleVariableSize) {\r
- return EFI_ABORTED;\r
- }\r
- }\r
- //\r
- // Get the variable data of the current ipsecconfig data and\r
- // store it into user buffer continously.\r
- //\r
- Status = gRT->GetVariable (\r
- VariableNameI,\r
- VendorGuid,\r
- Attributes,\r
- &DataSizeI,\r
- (UINT8 *) Data + (VariableIndex - 1) * IpSecVariableInfo.SingleVariableSize\r
- );\r
- ASSERT_EFI_ERROR (Status);\r
- VariableCount--;\r
- }\r
- }\r
- }\r
- //\r
- // The VariableCount in "VariableNameInfo" varaible should have the correct\r
- // numbers of variables which name starts with VariableName.\r
- //\r
- if (VariableCount != 0) {\r
- Status = EFI_ABORTED;\r
- }\r
-\r
-ON_EXIT:\r
- if (VariableNameI != NULL) {\r
- FreePool (VariableNameI);\r
- }\r
- return Status;\r
-}\r
-\r
-/**\r
- Set the IPsec variables.\r
-\r
- Set all IPsec variables which start with the specified variable name. Those variables\r
- are set one by one.\r
-\r
- @param[in] VariableName The name of the vendor's variable. It is a\r
- Null-Terminated Unicode String.\r
- @param[in] VendorGuid Unify identifier for vendor.\r
- @param[in] Attributes Point to memory location to return the attributes of\r
- variable. If the point is NULL, the parameter would be ignored.\r
- @param[in] DataSize The size in bytes of Data-Buffer.\r
- @param[in] Data Points to the content of the variable.\r
-\r
- @retval EFI_SUCCESS The firmware successfully stored the variable and its data, as\r
- defined by the Attributes.\r
- @retval others Storing the variables failed.\r
-\r
-**/\r
-EFI_STATUS\r
-IpSecSetVariable (\r
- IN CHAR16 *VariableName,\r
- IN EFI_GUID *VendorGuid,\r
- IN UINT32 Attributes,\r
- IN UINTN DataSize,\r
- IN VOID *Data\r
- )\r
-{\r
- EFI_STATUS Status;\r
- CHAR16 *VariableNameI;\r
- UINTN VariableNameSize;\r
- UINTN VariableIndex;\r
- IP_SEC_VARIABLE_INFO IpSecVariableInfo;\r
- UINT64 MaximumVariableStorageSize;\r
- UINT64 RemainingVariableStorageSize;\r
- UINT64 MaximumVariableSize;\r
-\r
- Status = gRT->QueryVariableInfo (\r
- Attributes,\r
- &MaximumVariableStorageSize,\r
- &RemainingVariableStorageSize,\r
- &MaximumVariableSize\r
- );\r
- if (EFI_ERROR (Status)) {\r
- return Status;\r
- }\r
-\r
- //\r
- // "VariableName + Info/0001/0002/... + NULL"\r
- //\r
- VariableNameSize = (StrLen (VariableName) + 5) * sizeof (CHAR16);\r
- VariableNameI = AllocateZeroPool (VariableNameSize);\r
-\r
- if (VariableNameI == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto ON_EXIT;\r
- }\r
- //\r
- // Construct the variable of ipsecconfig general information. Like the total\r
- // numbers of the Ipsecconfig variables, the total size of all ipsecconfig variables.\r
- //\r
- UnicodeSPrint (VariableNameI, VariableNameSize, L"%s%s", VariableName, L"Info");\r
- MaximumVariableSize -= VariableNameSize;\r
-\r
- IpSecVariableInfo.VariableCount = (UINT32) ((DataSize + (UINTN) MaximumVariableSize - 1) / (UINTN) MaximumVariableSize);\r
- IpSecVariableInfo.VariableSize = (UINT32) DataSize;\r
- IpSecVariableInfo.SingleVariableSize = (UINT32) MaximumVariableSize;\r
-\r
- //\r
- // Set the variable of ipsecconfig general information.\r
- //\r
- Status = gRT->SetVariable (\r
- VariableNameI,\r
- VendorGuid,\r
- Attributes,\r
- sizeof (IpSecVariableInfo),\r
- &IpSecVariableInfo\r
- );\r
- if (EFI_ERROR (Status)) {\r
- DEBUG ((DEBUG_ERROR, "Error set ipsecconfig meta data with %r\n", Status));\r
- goto ON_EXIT;\r
- }\r
-\r
- for (VariableIndex = 0; VariableIndex < IpSecVariableInfo.VariableCount; VariableIndex++) {\r
- //\r
- // Construct and set the variable of ipsecconfig data one by one.\r
- // The index of variable name begin from 0001, and the varaible name\r
- // likes "VariableName0001", "VaraiableName0002"....\r
- //\r
- UnicodeSPrint (VariableNameI, VariableNameSize, L"%s%04d", VariableName, VariableIndex + 1);\r
- Status = gRT->SetVariable (\r
- VariableNameI,\r
- VendorGuid,\r
- Attributes,\r
- (VariableIndex == IpSecVariableInfo.VariableCount - 1) ?\r
- (DataSize % (UINTN) MaximumVariableSize) :\r
- (UINTN) MaximumVariableSize,\r
- (UINT8 *) Data + VariableIndex * (UINTN) MaximumVariableSize\r
- );\r
-\r
- if (EFI_ERROR (Status)) {\r
- DEBUG ((DEBUG_ERROR, "Error set ipsecconfig variable data with %r\n", Status));\r
- goto ON_EXIT;\r
- }\r
- }\r
-\r
-ON_EXIT:\r
- if (VariableNameI != NULL) {\r
- FreePool (VariableNameI);\r
- }\r
-\r
- return Status;\r
-}\r
-\r
-/**\r
- Return the configuration value for the EFI IPsec driver.\r
-\r
- This function lookup the data entry from IPsec database or IKEv2 configuration\r
- information. The expected data type and unique identification are described in\r
- DataType and Selector parameters.\r
-\r
- @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance.\r
- @param[in] DataType The type of data to retrieve.\r
- @param[in] Selector Pointer to an entry selector that is an identifier of the IPsec\r
- configuration data entry.\r
- @param[in, out] DataSize On output the size of data returned in Data.\r
- @param[out] Data The buffer to return the contents of the IPsec configuration data.\r
- The type of the data buffer associated with the DataType.\r
-\r
- @retval EFI_SUCCESS The specified configuration data was obtained successfully.\r
- @retval EFI_INVALID_PARAMETER One or more of the followings are TRUE:\r
- - This is NULL.\r
- - Selector is NULL.\r
- - DataSize is NULL.\r
- - Data is NULL and *DataSize is not zero\r
- @retval EFI_NOT_FOUND The configuration data specified by Selector is not found.\r
- @retval EFI_UNSUPPORTED The specified DataType is not supported.\r
- @retval EFI_BUFFER_TOO_SMALL The DataSize is too small for the result. DataSize has been\r
- updated with the size needed to complete the request.\r
-\r
-**/\r
-EFI_STATUS\r
-EFIAPI\r
-EfiIpSecConfigGetData (\r
- IN EFI_IPSEC_CONFIG_PROTOCOL *This,\r
- IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,\r
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector,\r
- IN OUT UINTN *DataSize,\r
- OUT VOID *Data\r
- )\r
-{\r
- if (This == NULL || Selector == NULL || DataSize == NULL) {\r
- return EFI_INVALID_PARAMETER;\r
- }\r
-\r
- if (*DataSize != 0 && Data == NULL) {\r
- return EFI_INVALID_PARAMETER;\r
- }\r
-\r
- if (DataType >= IPsecConfigDataTypeMaximum) {\r
- return EFI_UNSUPPORTED;\r
- }\r
-\r
- return mGetPolicyEntry[DataType](Selector, DataSize, Data);\r
-}\r
-\r
-/**\r
- Set the security association, security policy and peer authorization configuration\r
- information for the EFI IPsec driver.\r
-\r
- This function is used to set the IPsec configuration information of type DataType for\r
- the EFI IPsec driver.\r
- The IPsec configuration data has a unique selector/identifier separately to identify\r
- a data entry. The selector structure depends on DataType's definition.\r
- Using SetData() with a Data of NULL causes the IPsec configuration data entry identified\r
- by DataType and Selector to be deleted.\r
-\r
- @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance.\r
- @param[in] DataType The type of data to be set.\r
- @param[in] Selector Pointer to an entry selector on operated configuration data\r
- specified by DataType. A NULL Selector causes the entire\r
- specified-type configuration information to be flushed.\r
- @param[in] Data The data buffer to be set. The structure of the data buffer is\r
- associated with the DataType.\r
- @param[in] InsertBefore Pointer to one entry selector which describes the expected\r
- position the new data entry will be added. If InsertBefore is NULL,\r
- the new entry will be appended to the end of the database.\r
-\r
- @retval EFI_SUCCESS The specified configuration entry data was set successfully.\r
- @retval EFI_INVALID_PARAMETER One or more of the following are TRUE:\r
- - This is NULL.\r
- @retval EFI_UNSUPPORTED The specified DataType is not supported.\r
- @retval EFI_OUT_OF_RESOURCED The required system resource could not be allocated.\r
-\r
-**/\r
-EFI_STATUS\r
-EFIAPI\r
-EfiIpSecConfigSetData (\r
- IN EFI_IPSEC_CONFIG_PROTOCOL *This,\r
- IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,\r
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector,\r
- IN VOID *Data,\r
- IN EFI_IPSEC_CONFIG_SELECTOR *InsertBefore OPTIONAL\r
- )\r
-{\r
- EFI_STATUS Status;\r
-\r
- if (This == NULL) {\r
- return EFI_INVALID_PARAMETER;\r
- }\r
-\r
- if (DataType >= IPsecConfigDataTypeMaximum) {\r
- return EFI_UNSUPPORTED;\r
- }\r
-\r
- Status = mSetPolicyEntry[DataType](Selector, Data, InsertBefore);\r
-\r
- if (!EFI_ERROR (Status) && !mSetBySelf) {\r
- //\r
- // Save the updated config data into variable.\r
- //\r
- IpSecConfigSave ();\r
- }\r
-\r
- return Status;\r
-}\r
-\r
-/**\r
- Enumerates the current selector for IPsec configuration data entry.\r
-\r
- This function is called multiple times to retrieve the entry Selector in IPsec\r
- configuration database. On each call to GetNextSelector(), the next entry\r
- Selector are retrieved into the output interface.\r
-\r
- If the entire IPsec configuration database has been iterated, the error\r
- EFI_NOT_FOUND is returned.\r
- If the Selector buffer is too small for the next Selector copy, an\r
- EFI_BUFFER_TOO_SMALL error is returned, and SelectorSize is updated to reflect\r
- the size of buffer needed.\r
-\r
- On the initial call to GetNextSelector() to start the IPsec configuration database\r
- search, a pointer to the buffer with all zero value is passed in Selector. Calls\r
- to SetData() between calls to GetNextSelector may produce unpredictable results.\r
-\r
- @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance.\r
- @param[in] DataType The type of IPsec configuration data to retrieve.\r
- @param[in, out] SelectorSize The size of the Selector buffer.\r
- @param[in, out] Selector On input, supplies the pointer to last Selector that was\r
- returned by GetNextSelector().\r
- On output, returns one copy of the current entry Selector\r
- of a given DataType.\r
-\r
- @retval EFI_SUCCESS The specified configuration data was obtained successfully.\r
- @retval EFI_INVALID_PARAMETER One or more of the followings are TRUE:\r
- - This is NULL.\r
- - SelectorSize is NULL.\r
- - Selector is NULL.\r
- @retval EFI_NOT_FOUND The next configuration data entry was not found.\r
- @retval EFI_UNSUPPORTED The specified DataType is not supported.\r
- @retval EFI_BUFFER_TOO_SMALL The SelectorSize is too small for the result. This parameter\r
- has been updated with the size needed to complete the search\r
- request.\r
-\r
-**/\r
-EFI_STATUS\r
-EFIAPI\r
-EfiIpSecConfigGetNextSelector (\r
- IN EFI_IPSEC_CONFIG_PROTOCOL *This,\r
- IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,\r
- IN OUT UINTN *SelectorSize,\r
- IN OUT EFI_IPSEC_CONFIG_SELECTOR *Selector\r
- )\r
-{\r
- LIST_ENTRY *Link;\r
- IPSEC_COMMON_POLICY_ENTRY *CommonEntry;\r
- BOOLEAN IsFound;\r
-\r
- if (This == NULL || Selector == NULL || SelectorSize == NULL) {\r
- return EFI_INVALID_PARAMETER;\r
- }\r
-\r
- if (DataType >= IPsecConfigDataTypeMaximum) {\r
- return EFI_UNSUPPORTED;\r
- }\r
-\r
- IsFound = FALSE;\r
-\r
- NET_LIST_FOR_EACH (Link, &mConfigData[DataType]) {\r
- CommonEntry = BASE_CR (Link, IPSEC_COMMON_POLICY_ENTRY, List);\r
-\r
- if (IsFound || (BOOLEAN)(mIsZeroSelector[DataType](Selector))) {\r
- //\r
- // If found the appointed entry, then duplicate the next one and return,\r
- // or if the appointed entry is zero, then return the first one directly.\r
- //\r
- return mDuplicateSelector[DataType](Selector, CommonEntry->Selector, SelectorSize);\r
- } else {\r
- //\r
- // Set the flag if find the appointed entry.\r
- //\r
- IsFound = mCompareSelector[DataType](Selector, CommonEntry->Selector);\r
- }\r
- }\r
-\r
- return EFI_NOT_FOUND;\r
-}\r
-\r
-/**\r
- Register an event that is to be signaled whenever a configuration process on the\r
- specified IPsec configuration information is done.\r
-\r
- The register function is not surpport now and always returns EFI_UNSUPPORTED.\r
-\r
- @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance.\r
- @param[in] DataType The type of data to be registered the event for.\r
- @param[in] Event The event to be registered.\r
-\r
- @retval EFI_SUCCESS The event is registered successfully.\r
- @retval EFI_INVALID_PARAMETER This is NULL or Event is NULL.\r
- @retval EFI_ACCESS_DENIED The Event is already registered for the DataType.\r
- @retval EFI_UNSUPPORTED The notify registration is unsupported, or the specified\r
- DataType is not supported.\r
-\r
-**/\r
-EFI_STATUS\r
-EFIAPI\r
-EfiIpSecConfigRegisterNotify (\r
- IN EFI_IPSEC_CONFIG_PROTOCOL *This,\r
- IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,\r
- IN EFI_EVENT Event\r
- )\r
-{\r
- return EFI_UNSUPPORTED;\r
-}\r
-\r
-/**\r
- Remove the specified event that was previously registered on the specified IPsec\r
- configuration data.\r
-\r
- This function is not support now and alwasy return EFI_UNSUPPORTED.\r
-\r
- @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance.\r
- @param[in] DataType The configuration data type to remove the registered event for.\r
- @param[in] Event The event to be unregistered.\r
-\r
- @retval EFI_SUCCESS The event was removed successfully.\r
- @retval EFI_NOT_FOUND The Event specified by DataType could not be found in the\r
- database.\r
- @retval EFI_INVALID_PARAMETER This is NULL or Event is NULL.\r
- @retval EFI_UNSUPPORTED The notify registration is unsupported, or the specified\r
- DataType is not supported.\r
-\r
-**/\r
-EFI_STATUS\r
-EFIAPI\r
-EfiIpSecConfigUnregisterNotify (\r
- IN EFI_IPSEC_CONFIG_PROTOCOL *This,\r
- IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,\r
- IN EFI_EVENT Event\r
- )\r
-{\r
- return EFI_UNSUPPORTED;\r
-}\r
-\r
-/**\r
- Copy whole data in specified EFI_SIPEC_CONFIG_SELECTOR and the Data to a buffer.\r
-\r
- This function is a caller defined function, and it is called by the IpSecVisitConfigData().\r
- The orignal caller is IpSecConfigSave(), which calls the IpsecVisitConfigData() to\r
- copy all types of IPsec Config datas into one buffer and store this buffer into firmware in\r
- the form of several variables.\r
-\r
- @param[in] Type A specified IPSEC_CONFIG_DATA_TYPE.\r
- @param[in] Selector Points to a EFI_IPSEC_CONFIG_SELECTOR to be copied\r
- to the buffer.\r
- @param[in] Data Points to data to be copied to the buffer. The\r
- Data type is related to the Type.\r
- @param[in] SelectorSize The size of the Selector.\r
- @param[in] DataSize The size of the Data.\r
- @param[in, out] Buffer The buffer to store the Selector and Data.\r
-\r
- @retval EFI_SUCCESS Copy the Selector and Data to a buffer successfully.\r
- @retval EFI_OUT_OF_RESOURCES The required system resource could not be allocated.\r
-\r
-**/\r
-EFI_STATUS\r
-IpSecCopyPolicyEntry (\r
- IN EFI_IPSEC_CONFIG_DATA_TYPE Type,\r
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector,\r
- IN VOID *Data,\r
- IN UINTN SelectorSize,\r
- IN UINTN DataSize,\r
- IN OUT IPSEC_VARIABLE_BUFFER *Buffer\r
- )\r
-{\r
- IPSEC_VAR_ITEM_HEADER SelectorHeader;\r
- IPSEC_VAR_ITEM_HEADER DataHeader;\r
- UINTN EntrySize;\r
- UINT8 *TempPoint;\r
-\r
- if (Type == IPsecConfigDataTypeSad) {\r
- //\r
- // Don't save automatically-generated SA entry into variable.\r
- //\r
- if (((EFI_IPSEC_SA_DATA2 *) Data)->ManualSet == FALSE) {\r
- return EFI_SUCCESS;\r
- }\r
- }\r
- //\r
- // Increase the capacity size of the buffer if needed.\r
- //\r
- EntrySize = ALIGN_VARIABLE (sizeof (SelectorHeader));\r
- EntrySize = ALIGN_VARIABLE (EntrySize + SelectorSize);\r
- EntrySize = ALIGN_VARIABLE (EntrySize + sizeof (SelectorHeader));\r
- EntrySize = ALIGN_VARIABLE (EntrySize + DataSize);\r
-\r
- //EntrySize = SelectorSize + DataSize + 2 * sizeof (SelectorHeader);\r
- if (Buffer->Capacity - Buffer->Size < EntrySize) {\r
- //\r
- // Calculate the required buffer\r
- //\r
- Buffer->Capacity += EntrySize;\r
- TempPoint = AllocatePool (Buffer->Capacity);\r
-\r
- if (TempPoint == NULL) {\r
- return EFI_OUT_OF_RESOURCES;\r
- }\r
- //\r
- // Copy the old Buffer to new buffer and free the old one.\r
- //\r
- CopyMem (TempPoint, Buffer->Ptr, Buffer->Size);\r
- FreePool (Buffer->Ptr);\r
-\r
- Buffer->Ptr = TempPoint;\r
- }\r
-\r
- mFixPolicyEntry[Type](Selector, Data);\r
-\r
- //\r
- // Fill the selector header and copy it into buffer.\r
- //\r
- SelectorHeader.Type = (UINT8) (Type | IPSEC_VAR_ITEM_HEADER_LOGO_BIT);\r
- SelectorHeader.Size = (UINT16) SelectorSize;\r
-\r
- CopyMem (\r
- Buffer->Ptr + Buffer->Size,\r
- &SelectorHeader,\r
- sizeof (SelectorHeader)\r
- );\r
- Buffer->Size = ALIGN_VARIABLE (Buffer->Size + sizeof (SelectorHeader));\r
-\r
- //\r
- // Copy the selector into buffer.\r
- //\r
- CopyMem (\r
- Buffer->Ptr + Buffer->Size,\r
- Selector,\r
- SelectorSize\r
- );\r
- Buffer->Size = ALIGN_VARIABLE (Buffer->Size + SelectorSize);\r
-\r
- //\r
- // Fill the data header and copy it into buffer.\r
- //\r
- DataHeader.Type = (UINT8) Type;\r
- DataHeader.Size = (UINT16) DataSize;\r
-\r
- CopyMem (\r
- Buffer->Ptr + Buffer->Size,\r
- &DataHeader,\r
- sizeof (DataHeader)\r
- );\r
- Buffer->Size = ALIGN_VARIABLE (Buffer->Size + sizeof (DataHeader));\r
- //\r
- // Copy the data into buffer.\r
- //\r
- CopyMem (\r
- Buffer->Ptr + Buffer->Size,\r
- Data,\r
- DataSize\r
- );\r
- Buffer->Size = ALIGN_VARIABLE (Buffer->Size + DataSize);\r
-\r
- mUnfixPolicyEntry[Type](Selector, Data);\r
-\r
- return EFI_SUCCESS;\r
-}\r
-\r
-/**\r
- Visit all IPsec Configurations of specified Type and call the caller defined\r
- interface.\r
-\r
- @param[in] DataType The specified IPsec Config Data Type.\r
- @param[in] Routine The function defined by the caller.\r
- @param[in] Context The data passed to the Routine.\r
-\r
- @retval EFI_OUT_OF_RESOURCES The required system resource could not be allocated\r
- @retval EFI_SUCCESS This function completed successfully.\r
-\r
-**/\r
-EFI_STATUS\r
-IpSecVisitConfigData (\r
- IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,\r
- IN IPSEC_COPY_POLICY_ENTRY Routine,\r
- IN VOID *Context\r
- )\r
-{\r
- EFI_STATUS GetNextStatus;\r
- EFI_STATUS GetDataStatus;\r
- EFI_STATUS RoutineStatus;\r
- EFI_IPSEC_CONFIG_SELECTOR *Selector;\r
- VOID *Data;\r
- UINTN SelectorSize;\r
- UINTN DataSize;\r
- UINTN SelectorBufferSize;\r
- UINTN DataBufferSize;\r
- BOOLEAN FirstGetNext;\r
-\r
- FirstGetNext = TRUE;\r
- DataBufferSize = 0;\r
- Data = NULL;\r
- SelectorBufferSize = sizeof (EFI_IPSEC_CONFIG_SELECTOR);\r
- Selector = AllocateZeroPool (SelectorBufferSize);\r
-\r
- if (Selector == NULL) {\r
- return EFI_OUT_OF_RESOURCES;\r
- }\r
-\r
- while (TRUE) {\r
- //\r
- // Get the real size of the selector.\r
- //\r
- SelectorSize = SelectorBufferSize;\r
- GetNextStatus = EfiIpSecConfigGetNextSelector (\r
- &mIpSecConfigInstance,\r
- DataType,\r
- &SelectorSize,\r
- Selector\r
- );\r
- if (GetNextStatus == EFI_BUFFER_TOO_SMALL) {\r
- FreePool (Selector);\r
- SelectorBufferSize = SelectorSize;\r
- //\r
- // Allocate zero pool for the first selector, while store the last\r
- // selector content for the other selectors.\r
- //\r
- if (FirstGetNext) {\r
- Selector = AllocateZeroPool (SelectorBufferSize);\r
- } else {\r
- Selector = AllocateCopyPool (SelectorBufferSize, Selector);\r
- }\r
-\r
- if (Selector == NULL) {\r
- return EFI_OUT_OF_RESOURCES;\r
- }\r
- //\r
- // Get the content of the selector.\r
- //\r
- GetNextStatus = EfiIpSecConfigGetNextSelector (\r
- &mIpSecConfigInstance,\r
- DataType,\r
- &SelectorSize,\r
- Selector\r
- );\r
- }\r
-\r
- if (EFI_ERROR (GetNextStatus)) {\r
- break;\r
- }\r
-\r
- FirstGetNext = FALSE;\r
-\r
- //\r
- // Get the real size of the policy entry according to the selector.\r
- //\r
- DataSize = DataBufferSize;\r
- GetDataStatus = EfiIpSecConfigGetData (\r
- &mIpSecConfigInstance,\r
- DataType,\r
- Selector,\r
- &DataSize,\r
- Data\r
- );\r
- if (GetDataStatus == EFI_BUFFER_TOO_SMALL) {\r
- if (Data != NULL) {\r
- FreePool (Data);\r
- }\r
-\r
- DataBufferSize = DataSize;\r
- Data = AllocateZeroPool (DataBufferSize);\r
-\r
- if (Data == NULL) {\r
- return EFI_OUT_OF_RESOURCES;\r
- }\r
- //\r
- // Get the content of the policy entry according to the selector.\r
- //\r
- GetDataStatus = EfiIpSecConfigGetData (\r
- &mIpSecConfigInstance,\r
- DataType,\r
- Selector,\r
- &DataSize,\r
- Data\r
- );\r
- }\r
-\r
- if (EFI_ERROR (GetDataStatus)) {\r
- break;\r
- }\r
- //\r
- // Prepare the buffer of updated policy entry, which is stored in\r
- // the continous memory, and then save into variable later.\r
- //\r
- RoutineStatus = Routine (\r
- DataType,\r
- Selector,\r
- Data,\r
- SelectorSize,\r
- DataSize,\r
- Context\r
- );\r
- if (EFI_ERROR (RoutineStatus)) {\r
- break;\r
- }\r
- }\r
-\r
- if (Data != NULL) {\r
- FreePool (Data);\r
- }\r
-\r
- if (Selector != NULL) {\r
- FreePool (Selector);\r
- }\r
-\r
- return EFI_SUCCESS;\r
-}\r
-\r
-/**\r
- This function is the subfunction of EFIIpSecConfigSetData.\r
-\r
- This function call IpSecSetVaraible to set the IPsec Configuration into the firmware.\r
-\r
- @retval EFI_OUT_OF_RESOURCES The required system resource could not be allocated.\r
- @retval EFI_SUCCESS Saved the configration successfully.\r
- @retval Others Other errors were found while obtaining the variable.\r
-\r
-**/\r
-EFI_STATUS\r
-IpSecConfigSave (\r
- VOID\r
- )\r
-{\r
- IPSEC_VARIABLE_BUFFER Buffer;\r
- EFI_STATUS Status;\r
- EFI_IPSEC_CONFIG_DATA_TYPE Type;\r
-\r
- Buffer.Size = 0;\r
- Buffer.Capacity = IPSEC_DEFAULT_VARIABLE_SIZE;\r
- Buffer.Ptr = AllocateZeroPool (Buffer.Capacity);\r
-\r
- if (Buffer.Ptr == NULL) {\r
- return EFI_OUT_OF_RESOURCES;\r
- }\r
- //\r
- // For each policy database, prepare the contious buffer to save into variable.\r
- //\r
- for (Type = IPsecConfigDataTypeSpd; Type < IPsecConfigDataTypeMaximum; Type++) {\r
- IpSecVisitConfigData (\r
- Type,\r
- (IPSEC_COPY_POLICY_ENTRY) IpSecCopyPolicyEntry,\r
- &Buffer\r
- );\r
- }\r
- //\r
- // Save the updated policy database into variable.\r
- //\r
- Status = IpSecSetVariable (\r
- IPSECCONFIG_VARIABLE_NAME,\r
- &gEfiIpSecConfigProtocolGuid,\r
- EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_NON_VOLATILE,\r
- Buffer.Size,\r
- Buffer.Ptr\r
- );\r
-\r
- FreePool (Buffer.Ptr);\r
-\r
- return Status;\r
-}\r
-\r
-/**\r
- Get the all IPSec configuration variables and store those variables\r
- to the internal data structure.\r
-\r
- This founction is called by IpSecConfigInitialize() which is to intialize the\r
- IPsecConfiguration Protocol.\r
-\r
- @param[in] Private Point to IPSEC_PRIVATE_DATA.\r
-\r
- @retval EFI_OUT_OF_RESOURCES The required system resource could not be allocated\r
- @retval EFI_SUCCESS Restore the IPsec Configuration successfully.\r
- @retval others Other errors is found while obtaining the variable.\r
-\r
-**/\r
-EFI_STATUS\r
-IpSecConfigRestore (\r
- IN IPSEC_PRIVATE_DATA *Private\r
- )\r
-{\r
- EFI_STATUS Status;\r
- UINTN BufferSize;\r
- UINT8 *Buffer;\r
- IPSEC_VAR_ITEM_HEADER *Header;\r
- UINT8 *Ptr;\r
- EFI_IPSEC_CONFIG_SELECTOR *Selector;\r
- EFI_IPSEC_CONFIG_DATA_TYPE Type;\r
- VOID *Data;\r
- UINT8 Value;\r
- UINTN Size;\r
-\r
- Value = 0;\r
- Size = sizeof (Value);\r
- BufferSize = 0;\r
- Buffer = NULL;\r
-\r
- Status = gRT->GetVariable (\r
- IPSECCONFIG_STATUS_NAME,\r
- &gEfiIpSecConfigProtocolGuid,\r
- NULL,\r
- &Size,\r
- &Value\r
- );\r
-\r
- if (!EFI_ERROR (Status) && Value == IPSEC_STATUS_ENABLED) {\r
- Private->IpSec.DisabledFlag = FALSE;\r
- }\r
- //\r
- // Get the real size of policy database in variable.\r
- //\r
- Status = IpSecGetVariable (\r
- IPSECCONFIG_VARIABLE_NAME,\r
- &gEfiIpSecConfigProtocolGuid,\r
- NULL,\r
- &BufferSize,\r
- Buffer\r
- );\r
- if (Status == EFI_BUFFER_TOO_SMALL) {\r
-\r
- Buffer = AllocateZeroPool (BufferSize);\r
- if (Buffer == NULL) {\r
- return EFI_OUT_OF_RESOURCES;\r
- }\r
- //\r
- // Get the content of policy database in variable.\r
- //\r
- Status = IpSecGetVariable (\r
- IPSECCONFIG_VARIABLE_NAME,\r
- &gEfiIpSecConfigProtocolGuid,\r
- NULL,\r
- &BufferSize,\r
- Buffer\r
- );\r
- if (EFI_ERROR (Status)) {\r
- FreePool (Buffer);\r
- return Status;\r
- }\r
-\r
- for (Ptr = Buffer; Ptr < Buffer + BufferSize;) {\r
-\r
- Header = (IPSEC_VAR_ITEM_HEADER *) Ptr;\r
- Type = (EFI_IPSEC_CONFIG_DATA_TYPE) (Header->Type & IPSEC_VAR_ITEM_HEADER_CONTENT_BIT);\r
- ASSERT (((Header->Type & 0x80) == IPSEC_VAR_ITEM_HEADER_LOGO_BIT) && (Type < IPsecConfigDataTypeMaximum));\r
-\r
- Selector = (EFI_IPSEC_CONFIG_SELECTOR *) ALIGN_POINTER (Header + 1, sizeof (UINTN));\r
- Header = (IPSEC_VAR_ITEM_HEADER *) ALIGN_POINTER (\r
- (UINT8 *) Selector + Header->Size,\r
- sizeof (UINTN)\r
- );\r
- ASSERT (Header->Type == Type);\r
-\r
- Data = ALIGN_POINTER (Header + 1, sizeof (UINTN));\r
-\r
- mUnfixPolicyEntry[Type](Selector, Data);\r
-\r
- //\r
- // Update each policy entry according to the content in variable.\r
- //\r
- mSetBySelf = TRUE;\r
- Status = EfiIpSecConfigSetData (\r
- &Private->IpSecConfig,\r
- Type,\r
- Selector,\r
- Data,\r
- NULL\r
- );\r
- mSetBySelf = FALSE;\r
-\r
- if (EFI_ERROR (Status)) {\r
- FreePool (Buffer);\r
- return Status;\r
- }\r
-\r
- Ptr = ALIGN_POINTER ((UINT8 *) Data + Header->Size, sizeof (UINTN));\r
- }\r
-\r
- FreePool (Buffer);\r
- }\r
-\r
- return EFI_SUCCESS;\r
-}\r
-\r
-/**\r
- Install and Initialize IPsecConfig protocol\r
-\r
- @param[in, out] Private Pointer to IPSEC_PRIVATE_DATA. After this function finish,\r
- the pointer of IPsecConfig Protocol implementation will copy\r
- into its IPsecConfig member.\r
-\r
- @retval EFI_SUCCESS Initialized the IPsecConfig Protocol successfully.\r
- @retval Others Initializing the IPsecConfig Protocol failed.\r
-**/\r
-EFI_STATUS\r
-IpSecConfigInitialize (\r
- IN OUT IPSEC_PRIVATE_DATA *Private\r
- )\r
-{\r
- EFI_IPSEC_CONFIG_DATA_TYPE Type;\r
-\r
- CopyMem (\r
- &Private->IpSecConfig,\r
- &mIpSecConfigInstance,\r
- sizeof (EFI_IPSEC_CONFIG_PROTOCOL)\r
- );\r
-\r
- //\r
- // Initialize the list head of policy database.\r
- //\r
- for (Type = IPsecConfigDataTypeSpd; Type < IPsecConfigDataTypeMaximum; Type++) {\r
- InitializeListHead (&mConfigData[Type]);\r
- }\r
- //\r
- // Restore the content of policy database according to the variable.\r
- //\r
- IpSecConfigRestore (Private);\r
-\r
- return gBS->InstallMultipleProtocolInterfaces (\r
- &Private->Handle,\r
- &gEfiIpSecConfigProtocolGuid,\r
- &Private->IpSecConfig,\r
- NULL\r
- );\r
-}\r
+++ /dev/null
-/** @file\r
- Definitions related to IPSEC_CONFIG_PROTOCOL implementations.\r
-\r
- Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>\r
-\r
- SPDX-License-Identifier: BSD-2-Clause-Patent\r
-\r
-**/\r
-\r
-#ifndef _IPSEC_CONFIG_IMPL_H_\r
-#define _IPSEC_CONFIG_IMPL_H_\r
-\r
-#include <Protocol/IpSec.h>\r
-#include <Protocol/IpSecConfig.h>\r
-\r
-#include <Library/BaseLib.h>\r
-#include <Library/BaseMemoryLib.h>\r
-#include <Library/PrintLib.h>\r
-#include <Library/MemoryAllocationLib.h>\r
-#include <Library/UefiRuntimeServicesTableLib.h>\r
-#include <Library/UefiBootServicesTableLib.h>\r
-#include <Library/DebugLib.h>\r
-\r
-#include "IpSecImpl.h"\r
-\r
-#define EFI_IPSEC_ANY_PROTOCOL 0xFFFF\r
-#define EFI_IPSEC_ANY_PORT 0\r
-\r
-#define IPSEC_VAR_ITEM_HEADER_LOGO_BIT 0x80\r
-#define IPSEC_VAR_ITEM_HEADER_CONTENT_BIT 0x7F\r
-\r
-#define IPSECCONFIG_VARIABLE_NAME L"IpSecConfig"\r
-#define IPSECCONFIG_STATUS_NAME L"IpSecStatus"\r
-\r
-#define SIZE_OF_SPD_SELECTOR(x) (sizeof (EFI_IPSEC_SPD_SELECTOR) \\r
- + sizeof (EFI_IP_ADDRESS_INFO) * ((x)->LocalAddressCount + (x)->RemoteAddressCount))\r
-\r
-#define FIX_REF_BUF_ADDR(addr, base) addr = (VOID *) ((UINTN) (addr) - (UINTN) (base))\r
-#define UNFIX_REF_BUF_ADDR(addr, base) addr = (VOID *) ((UINTN) (addr) + (UINTN) (base))\r
-\r
-//\r
-// The data structure used to store the genernall information of IPsec configuration.\r
-//\r
-typedef struct {\r
- UINT32 VariableCount; // the total number of the IPsecConfig variables.\r
- UINT32 VariableSize; // The total size of all IpsecConfig variables.\r
- UINT32 SingleVariableSize; // The max size of single variable\r
-} IP_SEC_VARIABLE_INFO;\r
-\r
-typedef struct {\r
- EFI_IPSEC_CONFIG_SELECTOR *Selector;\r
- VOID *Data;\r
- LIST_ENTRY List;\r
-} IPSEC_COMMON_POLICY_ENTRY;\r
-\r
-typedef struct {\r
- UINT8 *Ptr;\r
- UINTN Size;\r
- UINTN Capacity;\r
-} IPSEC_VARIABLE_BUFFER;\r
-\r
-#pragma pack(1)\r
-typedef struct {\r
- UINT8 Type;\r
- UINT16 Size;\r
-} IPSEC_VAR_ITEM_HEADER;\r
-#pragma pack()\r
-\r
-/**\r
- The prototype of Copy Source Selector to the Destination Selector.\r
-\r
- @param[in, out] DstSel Pointer of Destination Selector. It would be\r
- SPD Selector, or SAD Selector or PAD Selector.\r
- @param[in] SrcSel Pointer of Source Selector. It would be\r
- SPD Selector, or SAD Selector or PAD Selector.\r
- @param[in, out] Size The size of the Destination Selector. If it\r
- is not NULL and its value is less than the size of\r
- Source Selector, the value of Source Selector's\r
- size will be passed to the caller by this parameter.\r
-\r
- @retval EFI_INVALID_PARAMETER If the Destination or Source Selector is NULL.\r
- @retval EFI_BUFFER_TOO_SMALL If the input Size is less than size of Source Selector.\r
- @retval EFI_SUCCESS Copy Source Selector to the Destination\r
- Selector successfully.\r
-\r
-**/\r
-typedef\r
-EFI_STATUS\r
-(*IPSEC_DUPLICATE_SELECTOR) (\r
- IN OUT EFI_IPSEC_CONFIG_SELECTOR *DstSel,\r
- IN EFI_IPSEC_CONFIG_SELECTOR *SrcSel,\r
- IN OUT UINTN *Size\r
- );\r
-\r
-/**\r
- It is prototype of compare two Selectors. The Selector would be SPD Selector,\r
- or SAD Selector, or PAD selector.\r
-\r
- @param[in] Selector1 Pointer of the first Selector.\r
- @param[in] Selector2 Pointer of the second Selector.\r
-\r
- @retval TRUE These two Selectors have the same value in certain fields.\r
- @retval FALSE Not all fields have the same value in these two Selectors.\r
-\r
-**/\r
-typedef\r
-BOOLEAN\r
-(*IPSEC_COMPARE_SELECTOR) (\r
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector1,\r
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector2\r
- );\r
-\r
-/**\r
- The prototype of a function to check if the Selector is Zero by its certain fields.\r
-\r
- @param[in] Selector Pointer of the Selector.\r
-\r
- @retval TRUE If the Selector is Zero.\r
- @retval FALSE If the Selector is not Zero.\r
-\r
-**/\r
-typedef\r
-BOOLEAN\r
-(*IPSEC_IS_ZERO_SELECTOR) (\r
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector\r
- );\r
-\r
-/**\r
- The prototype of a function to fix the value of particular members of the Selector.\r
-\r
- @param[in] Selector Pointer of Selector.\r
- @param[in] Data Pointer of Data.\r
-\r
-**/\r
-typedef\r
-VOID\r
-(*IPSEC_FIX_POLICY_ENTRY) (\r
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector,\r
- IN VOID *Data\r
- );\r
-\r
-/**\r
- It is prototype function to define a routine function by the caller of IpSecVisitConfigData().\r
-\r
- @param[in] Type A specified IPSEC_CONFIG_DATA_TYPE.\r
- @param[in] Selector Points to EFI_IPSEC_CONFIG_SELECTOR to be copied\r
- to the buffer.\r
- @param[in] Data Points to data to be copied to the buffer. The\r
- Data type is related to the Type.\r
- @param[in] SelectorSize The size of the Selector.\r
- @param[in] DataSize The size of the Data.\r
- @param[in, out] Buffer The buffer to store the Selector and Data.\r
-\r
- @retval EFI_SUCCESS Copied the Selector and Data to a buffer successfully.\r
- @retval EFI_OUT_OF_RESOURCES The required system resource could not be allocated.\r
-\r
-**/\r
-typedef\r
-EFI_STATUS\r
-(*IPSEC_COPY_POLICY_ENTRY) (\r
- IN EFI_IPSEC_CONFIG_DATA_TYPE Type,\r
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector,\r
- IN VOID *Data,\r
- IN UINTN SelectorSize,\r
- IN UINTN DataSize,\r
- IN OUT VOID *Context\r
- );\r
-\r
-/**\r
- Set the security policy information for the EFI IPsec driver.\r
-\r
- The IPsec configuration data has a unique selector/identifier separately to\r
- identify a data entry.\r
-\r
- @param[in] Selector Pointer to an entry selector on operated\r
- configuration data specified by DataType.\r
- A NULL Selector causes the entire specified-type\r
- configuration information to be flushed.\r
- @param[in] Data The data buffer to be set.\r
- @param[in] Context Pointer to one entry selector that describes\r
- the expected position the new data entry will\r
- be added. If Context is NULL, the new entry will\r
- be appended to the end of the database.\r
-\r
- @retval EFI_INVALID_PARAMETER Certain Parameters are not correct. The Parameter\r
- requiring a check depends on the Selector type.\r
- @retval EFI_OUT_OF_RESOURCED The required system resource could not be allocated.\r
- @retval EFI_SUCCESS The specified configuration data was obtained successfully.\r
-\r
-**/\r
-typedef\r
-EFI_STATUS\r
-(*IPSEC_SET_POLICY_ENTRY) (\r
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector,\r
- IN VOID *Data,\r
- IN VOID *Context OPTIONAL\r
- );\r
-\r
-/**\r
- A prototype function definition to lookup the data entry from IPsec. Return the configuration\r
- value of the specified Entry.\r
-\r
- @param[in] Selector Pointer to an entry selector that is an identifier\r
- of the entry.\r
- @param[in, out] DataSize On output, the size of data returned in Data.\r
- @param[out] Data The buffer to return the contents of the IPsec\r
- configuration data. The type of the data buffer\r
- is associated with the DataType.\r
-\r
- @retval EFI_SUCCESS The specified configuration data was obtained successfully.\r
- @retval EFI_INVALID_PARAMETER Data is NULL and *DataSize is not zero.\r
- @retval EFI_NOT_FOUND The configuration data specified by Selector is not found.\r
- @retval EFI_BUFFER_TOO_SMALL The DataSize is too small for the result. DataSize has been\r
- updated with the size needed to complete the request.\r
-\r
-**/\r
-typedef\r
-EFI_STATUS\r
-(*IPSEC_GET_POLICY_ENTRY) (\r
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector,\r
- IN OUT UINTN *DataSize,\r
- IN VOID *Data\r
- );\r
-\r
-/**\r
- Compare two SPD Selectors.\r
-\r
- Compare two SPD Selector by the fields of LocalAddressCount/RemoteAddressCount/\r
- NextLayerProtocol/LocalPort/LocalPortRange/RemotePort/RemotePortRange and the\r
- Local Addresses and remote Addresses.\r
-\r
- @param[in] Selector1 Pointer of the first SPD Selector.\r
- @param[in] Selector2 Pointer of the second SPD Selector.\r
-\r
- @retval TRUE These two Selectors have the same value in above fields.\r
- @retval FALSE Not all of the above fields have the same value in these two Selectors.\r
-\r
-**/\r
-BOOLEAN\r
-CompareSpdSelector (\r
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector1,\r
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector2\r
- );\r
-\r
-\r
-/**\r
- Visit all IPsec Configurations of specified Type and call the caller defined\r
- interface.\r
-\r
- @param[in] DataType The specified IPsec Config Data Type.\r
- @param[in] Routine The function caller defined.\r
- @param[in] Context The data passed to the Routine.\r
-\r
- @retval EFI_OUT_OF_RESOURCES The required system resource could not be allocated.\r
- @retval EFI_SUCCESS This function complete successfully.\r
-\r
-**/\r
-EFI_STATUS\r
-IpSecVisitConfigData (\r
- IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,\r
- IN IPSEC_COPY_POLICY_ENTRY Routine,\r
- IN VOID *Context\r
- );\r
-\r
-\r
-/**\r
- This function is the subfunction of the EFIIpSecConfigSetData.\r
-\r
- This function call IpSecSetVaraible to set the IPsec Configuration into the firmware.\r
-\r
- @retval EFI_OUT_OF_RESOURCES The required system resource could not be allocated.\r
- @retval EFI_SUCCESS Saved the configration successfully.\r
- @retval Others Other errors were found while obtaining the variable.\r
-\r
-**/\r
-EFI_STATUS\r
-IpSecConfigSave (\r
- VOID\r
- );\r
-\r
-/**\r
- Initialize IPsecConfig protocol\r
-\r
- @param[in, out] Private Pointer to IPSEC_PRIVATE_DATA. After this function finish,\r
- the pointer of IPsecConfig Protocol implementation will copy\r
- into its IPsecConfig member.\r
-\r
- @retval EFI_SUCCESS Initialized the IPsecConfig Protocol successfully.\r
- @retval Others Initializing the IPsecConfig Protocol failed.\r
-\r
-**/\r
-EFI_STATUS\r
-IpSecConfigInitialize (\r
- IN OUT IPSEC_PRIVATE_DATA *Private\r
- );\r
-\r
-/**\r
- Calculate the entire size of EFI_IPSEC_SPD_DATA, which includes the buffer size pointed\r
- by the pointer members.\r
-\r
- @param[in] SpdData Pointer to a specified EFI_IPSEC_SPD_DATA.\r
-\r
- @return The entire size of the specified EFI_IPSEC_SPD_DATA.\r
-\r
-**/\r
-UINTN\r
-IpSecGetSizeOfEfiSpdData (\r
- IN EFI_IPSEC_SPD_DATA *SpdData\r
- );\r
-\r
-/**\r
- Calculate the a entire size of IPSEC_SPD_DATA, which includes the buffer size pointed\r
- by the pointer members and the buffer size used by Sa List.\r
-\r
- @param[in] SpdData Pointer to the specified IPSEC_SPD_DATA.\r
-\r
- @return The entire size of IPSEC_SPD_DATA.\r
-\r
-**/\r
-UINTN\r
-IpSecGetSizeOfSpdData (\r
- IN IPSEC_SPD_DATA *SpdData\r
- );\r
-\r
-/**\r
- Copy Source Process Policy to the Destination Process Policy.\r
-\r
- @param[in] Dst Pointer to the Source Process Policy.\r
- @param[in] Src Pointer to the Destination Process Policy.\r
-\r
-**/\r
-VOID\r
-IpSecDuplicateProcessPolicy (\r
- IN EFI_IPSEC_PROCESS_POLICY *Dst,\r
- IN EFI_IPSEC_PROCESS_POLICY *Src\r
- );\r
-\r
-/**\r
- Find if the two SPD Selectors has subordinative.\r
-\r
- Compare two SPD Selector by the fields of LocalAddressCount/RemoteAddressCount/\r
- NextLayerProtocol/LocalPort/LocalPortRange/RemotePort/RemotePortRange and the\r
- Local Addresses and remote Addresses.\r
-\r
- @param[in] Selector1 Pointer of first SPD Selector.\r
- @param[in] Selector2 Pointer of second SPD Selector.\r
-\r
- @retval TRUE The first SPD Selector is subordinate Selector of second SPD Selector.\r
- @retval FALSE The first SPD Selector is not subordinate Selector of second\r
- SPD Selector.\r
-\r
-**/\r
-BOOLEAN\r
-IsSubSpdSelector (\r
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector1,\r
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector2\r
- );\r
-\r
-/**\r
- Compare two SA IDs.\r
-\r
- @param[in] Selector1 Pointer of the first SA ID.\r
- @param[in] Selector2 Pointer of the second SA ID.\r
-\r
- @retval TRUE This two Selectors have the same SA ID.\r
- @retval FALSE This two Selecotrs don't have the same SA ID.\r
-\r
-**/\r
-BOOLEAN\r
-CompareSaId (\r
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector1,\r
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector2\r
- );\r
-\r
-/**\r
- Compare two PAD IDs.\r
-\r
- @param[in] Selector1 Pointer of the first PAD ID.\r
- @param[in] Selector2 Pointer of the second PAD ID.\r
-\r
- @retval TRUE This two Selectors have the same PAD ID.\r
- @retval FALSE This two Selecotrs don't have the same PAD ID.\r
-\r
-**/\r
-BOOLEAN\r
-ComparePadId (\r
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector1,\r
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector2\r
- );\r
-\r
-/**\r
- Check if the SPD Selector is Zero by its LocalAddressCount and RemoteAddressCount\r
- fields.\r
-\r
- @param[in] Selector Pointer of the SPD Selector.\r
-\r
- @retval TRUE If the SPD Selector is Zero.\r
- @retval FALSE If the SPD Selector is not Zero.\r
-\r
-**/\r
-BOOLEAN\r
-IsZeroSpdSelector (\r
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector\r
- );\r
-\r
-/**\r
- Check if the SA ID is Zero by its DestAddress.\r
-\r
- @param[in] Selector Pointer of the SA ID.\r
-\r
- @retval TRUE If the SA ID is Zero.\r
- @retval FALSE If the SA ID is not Zero.\r
-\r
-**/\r
-BOOLEAN\r
-IsZeroSaId (\r
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector\r
- );\r
-\r
-/**\r
- Check if the PAD ID is Zero.\r
-\r
- @param[in] Selector Pointer of the PAD ID.\r
-\r
- @retval TRUE If the PAD ID is Zero.\r
- @retval FALSE If the PAD ID is not Zero.\r
-\r
-**/\r
-BOOLEAN\r
-IsZeroPadId (\r
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector\r
- );\r
-\r
-/**\r
- Copy Source SPD Selector to the Destination SPD Selector.\r
-\r
- @param[in, out] DstSel Pointer of Destination SPD Selector.\r
- @param[in] SrcSel Pointer of Source SPD Selector.\r
- @param[in, out] Size The size of the Destination SPD Selector. If\r
- it is not NULL and its value is less than the\r
- size of Source SPD Selector, the value of\r
- Source SPD Selector's size will be passed to\r
- the caller by this parameter.\r
-\r
- @retval EFI_INVALID_PARAMETER If the Destination or Source SPD Selector is NULL.\r
- @retval EFI_BUFFER_TOO_SMALL If the input Size is less than size of Source SPD Selector.\r
- @retval EFI_SUCCESS Copy Source SPD Selector to the Destination SPD\r
- Selector successfully.\r
-\r
-**/\r
-EFI_STATUS\r
-DuplicateSpdSelector (\r
- IN OUT EFI_IPSEC_CONFIG_SELECTOR *DstSel,\r
- IN EFI_IPSEC_CONFIG_SELECTOR *SrcSel,\r
- IN OUT UINTN *Size\r
- );\r
-\r
-/**\r
- Copy Source SA ID to the Destination SA ID.\r
-\r
- @param[in, out] DstSel Pointer of the Destination SA ID.\r
- @param[in] SrcSel Pointer of the Source SA ID.\r
- @param[in, out] Size The size of the Destination SA ID. If it\r
- not NULL, and its value is less than the size of\r
- Source SA ID, the value of Source SA ID's size\r
- will be passed to the caller by this parameter.\r
-\r
- @retval EFI_INVALID_PARAMETER If the Destination or Source SA ID is NULL.\r
- @retval EFI_BUFFER_TOO_SMALL If the input Size less than size of source SA ID.\r
- @retval EFI_SUCCESS Copied Source SA ID to the Destination SA ID successfully.\r
-\r
-**/\r
-EFI_STATUS\r
-DuplicateSaId (\r
- IN OUT EFI_IPSEC_CONFIG_SELECTOR *DstSel,\r
- IN EFI_IPSEC_CONFIG_SELECTOR *SrcSel,\r
- IN OUT UINTN *Size\r
- );\r
-\r
-/**\r
- Copy Source PAD ID to the Destination PAD ID.\r
-\r
- @param[in, out] DstSel Pointer of Destination PAD ID.\r
- @param[in] SrcSel Pointer of Source PAD ID.\r
- @param[in, out] Size The size of the Destination PAD ID. If it\r
- not NULL, and its value less than the size of\r
- Source PAD ID, the value of Source PAD ID's size\r
- will be passed to the caller by this parameter.\r
-\r
- @retval EFI_INVALID_PARAMETER If the Destination or Source PAD ID is NULL.\r
- @retval EFI_BUFFER_TOO_SMALL If the input Size less than size of source PAD ID.\r
- @retval EFI_SUCCESS Copied Source PAD ID to the Destination PAD ID successfully.\r
-\r
-**/\r
-EFI_STATUS\r
-DuplicatePadId (\r
- IN OUT EFI_IPSEC_CONFIG_SELECTOR *DstSel,\r
- IN EFI_IPSEC_CONFIG_SELECTOR *SrcSel,\r
- IN OUT UINTN *Size\r
- );\r
-\r
-/**\r
- Fix the value of some members of the SPD Selector.\r
-\r
- This function is called by IpSecCopyPolicyEntry(), which copies the Policy\r
- Entry into the Variable. Since some members in SPD Selector are pointers,\r
- a physical address to relative address conversion is required before copying\r
- this SPD entry into the variable.\r
-\r
- @param[in] Selector Pointer of SPD Selector.\r
- @param[in, out] Data Pointer of SPD Data.\r
-\r
-**/\r
-VOID\r
-FixSpdEntry (\r
- IN EFI_IPSEC_SPD_SELECTOR *Selector,\r
- IN OUT EFI_IPSEC_SPD_DATA *Data\r
- );\r
-\r
-/**\r
- Fix the value of some members of SA ID.\r
-\r
- This function is called by IpSecCopyPolicyEntry(), which copies the Policy\r
- Entry into the Variable. Since some members in SA ID are pointers,\r
- a physical address to relative address conversion is required before copying\r
- this SAD into the variable.\r
-\r
- @param[in] SaId Pointer of SA ID.\r
- @param[in, out] Data Pointer of SA Data.\r
-\r
-**/\r
-VOID\r
-FixSadEntry (\r
- IN EFI_IPSEC_SA_ID *SaId,\r
- IN OUT EFI_IPSEC_SA_DATA2 *Data\r
- );\r
-\r
-/**\r
- Fix the value of some members of PAD ID.\r
-\r
- This function is called by IpSecCopyPolicyEntry(), which copy the Policy\r
- Entry into the Variable. Since some members in PAD ID are pointers,\r
- a physical address to relative address conversion is required before copying\r
- this PAD into the variable.\r
-\r
- @param[in] PadId Pointer of PAD ID.\r
- @param[in, out] Data Pointer of PAD Data.\r
-\r
-**/\r
-VOID\r
-FixPadEntry (\r
- IN EFI_IPSEC_PAD_ID *PadId,\r
- IN OUT EFI_IPSEC_PAD_DATA *Data\r
- );\r
-\r
-/**\r
- Recover the value of some members of SPD Selector.\r
-\r
- This function is corresponding to FixSpdEntry(). It recovers the value of members\r
- of SPD Selector which fix by the FixSpdEntry().\r
-\r
- @param[in, out] Selector Pointer of SPD Selector.\r
- @param[in, out] Data Pointer of SPD Data.\r
-\r
-**/\r
-VOID\r
-UnfixSpdEntry (\r
- IN OUT EFI_IPSEC_SPD_SELECTOR *Selector,\r
- IN OUT EFI_IPSEC_SPD_DATA *Data\r
- );\r
-\r
-\r
-/**\r
- Recover the value of some members of SA ID.\r
-\r
- This function is corresponding to FixSadEntry(). It recovers the value of members\r
- of SAD ID which fix by the FixSadEntry().\r
-\r
- @param[in, out] SaId Pointer of SAD ID\r
- @param[in, out] Data Pointer of SAD Data.\r
-\r
-**/\r
-VOID\r
-UnfixSadEntry (\r
- IN OUT EFI_IPSEC_SA_ID *SaId,\r
- IN OUT EFI_IPSEC_SA_DATA2 *Data\r
- );\r
-\r
-/**\r
- Recover the value of some members of PAD ID.\r
-\r
- This function is corresponding to FixPadEntry(). It recovers the value of members\r
- of PAD ID which fix by the FixPadEntry().\r
-\r
- @param[in] PadId Pointer of PAD ID\r
- @param[in, out] Data Pointer of PAD Data.\r
-\r
-**/\r
-VOID\r
-UnfixPadEntry (\r
- IN EFI_IPSEC_PAD_ID *PadId,\r
- IN OUT EFI_IPSEC_PAD_DATA *Data\r
- );\r
-\r
-/**\r
- Set the security policy information for the EFI IPsec driver.\r
-\r
- The IPsec configuration data has a unique selector/identifier separately to\r
- identify a data entry.\r
-\r
- @param[in] Selector Pointer to an entry selector on operated\r
- configuration data specified by DataType.\r
- A NULL Selector causes the entire specified-type\r
- configuration information to be flushed.\r
- @param[in] Data The data buffer to be set. The structure\r
- of the data buffer should be EFI_IPSEC_SPD_DATA.\r
- @param[in] Context Pointer to one entry selector that describes\r
- the expected position the new data entry will\r
- be added. If Context is NULL,the new entry will\r
- be appended the end of database.\r
-\r
- @retval EFI_INVALID_PARAMETER One or more of the following are TRUE:\r
- - Selector is not NULL and its LocalAddress\r
- is NULL or its RemoteAddress is NULL.\r
- - Data is not NULL, its Action is Protected,\r
- and its policy is NULL.\r
- - Data is not NULL and its Action is not protected\r
- and its policy is not NULL.\r
- - The Action of Data is Protected, its policy\r
- mode is Tunnel, and its tunnel option is NULL.\r
- - The Action of Data is protected, its policy\r
- mode is not Tunnel, and it tunnel option is not NULL.\r
- @retval EFI_OUT_OF_RESOURCED The required system resource could not be allocated.\r
- @retval EFI_SUCCESS The specified configuration data was obtained successfully.\r
-\r
-**/\r
-EFI_STATUS\r
-SetSpdEntry (\r
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector,\r
- IN VOID *Data,\r
- IN VOID *Context OPTIONAL\r
- );\r
-\r
-/**\r
- Set the security association information for the EFI IPsec driver.\r
-\r
- The IPsec configuration data has a unique selector/identifier separately to\r
- identify a data entry.\r
-\r
- @param[in] Selector Pointer to an entry selector on operated\r
- configuration data specified by DataType.\r
- A NULL Selector causes the entire specified-type\r
- configuration information to be flushed.\r
- @param[in] Data The data buffer to be set. The structure\r
- of the data buffer should be EFI_IPSEC_SA_DATA.\r
- @param[in] Context Pointer to one entry selector which describes\r
- the expected position the new data entry will\r
- be added. If Context is NULL,the new entry will\r
- be appended to the end of database.\r
-\r
- @retval EFI_OUT_OF_RESOURCED The required system resource could not be allocated.\r
- @retval EFI_SUCCESS The specified configuration data was obtained successfully.\r
-\r
-**/\r
-EFI_STATUS\r
-SetSadEntry (\r
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector,\r
- IN VOID *Data,\r
- IN VOID *Context OPTIONAL\r
- );\r
-\r
-/**\r
- Set the peer authorization configuration information for the EFI IPsec driver.\r
-\r
- The IPsec configuration data has a unique selector/identifier separately to\r
- identify a data entry.\r
-\r
- @param[in] Selector Pointer to an entry selector on operated\r
- configuration data specified by DataType.\r
- A NULL Selector causes the entire specified-type\r
- configuration information to be flushed.\r
- @param[in] Data The data buffer to be set. The structure\r
- of the data buffer should be EFI_IPSEC_PAD_DATA.\r
- @param[in] Context Pointer to one entry selector that describes\r
- the expected position where the new data entry will\r
- be added. If Context is NULL, the new entry will\r
- be appended the end of database.\r
-\r
- @retval EFI_OUT_OF_RESOURCED The required system resource could not be allocated.\r
- @retval EFI_SUCCESS The specified configuration data was obtained successfully.\r
-\r
-**/\r
-EFI_STATUS\r
-SetPadEntry (\r
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector,\r
- IN VOID *Data,\r
- IN VOID *Context OPTIONAL\r
- );\r
-\r
-/**\r
- This function looks up the data entry from IPsec SPD, and returns the configuration\r
- value of the specified SPD Entry.\r
-\r
- @param[in] Selector Pointer to an entry selector which is an identifier\r
- of the SPD entry.\r
- @param[in, out] DataSize On output the size of data returned in Data.\r
- @param[out] Data The buffer to return the contents of the IPsec\r
- configuration data. The type of the data buffer\r
- is associated with the DataType.\r
-\r
- @retval EFI_SUCCESS The specified configuration data was obtained successfully.\r
- @retval EFI_INVALID_PARAMETER Data is NULL and *DataSize is not zero.\r
- @retval EFI_NOT_FOUND The configuration data specified by Selector is not found.\r
- @retval EFI_BUFFER_TOO_SMALL The DataSize is too small for the result. DataSize has been\r
- updated with the size needed to complete the request.\r
-\r
-**/\r
-EFI_STATUS\r
-GetSpdEntry (\r
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector,\r
- IN OUT UINTN *DataSize,\r
- OUT VOID *Data\r
- );\r
-\r
-/**\r
- This function looks up the data entry from IPsec SAD and returns the configuration\r
- value of the specified SAD Entry.\r
-\r
- @param[in] Selector Pointer to an entry selector that is an identifier\r
- of the SAD entry.\r
- @param[in, out] DataSize On output, the size of data returned in Data.\r
- @param[out] Data The buffer to return the contents of the IPsec\r
- configuration data. This type of the data buffer\r
- is associated with the DataType.\r
-\r
- @retval EFI_SUCCESS The specified configuration data was obtained successfully.\r
- @retval EFI_NOT_FOUND The configuration data specified by Selector is not found.\r
- @retval EFI_BUFFER_TOO_SMALL The DataSize is too small for the result. DataSize has been\r
- updated with the size needed to complete the request.\r
-\r
-**/\r
-EFI_STATUS\r
-GetSadEntry (\r
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector,\r
- IN OUT UINTN *DataSize,\r
- OUT VOID *Data\r
- );\r
-\r
-/**\r
- This function looks up the data entry from IPsec PADand returns the configuration\r
- value of the specified PAD Entry.\r
-\r
- @param[in] Selector Pointer to an entry selector that is an identifier\r
- of the PAD entry.\r
- @param[in, out] DataSize On output the size of data returned in Data.\r
- @param[out] Data The buffer to return the contents of the IPsec\r
- configuration data. This type of the data buffer\r
- is associated with the DataType.\r
-\r
- @retval EFI_SUCCESS The specified configuration data was obtained successfully.\r
- @retval EFI_NOT_FOUND The configuration data specified by Selector is not found.\r
- @retval EFI_BUFFER_TOO_SMALL The DataSize is too small for the result. DataSize has been\r
- updated with the size needed to complete the request.\r
-\r
-**/\r
-EFI_STATUS\r
-GetPadEntry (\r
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector,\r
- IN OUT UINTN *DataSize,\r
- OUT VOID *Data\r
- );\r
-\r
-/**\r
- Return the configuration value for the EFI IPsec driver.\r
-\r
- This function lookup the data entry from IPsec database or IKEv2 configuration\r
- information. The expected data type and unique identification are described in\r
- DataType and Selector parameters.\r
-\r
- @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance.\r
- @param[in] DataType The type of data to retrieve.\r
- @param[in] Selector Pointer to an entry selector that is an identifier of the IPsec\r
- configuration data entry.\r
- @param[in, out] DataSize On output the size of data returned in Data.\r
- @param[out] Data The buffer to return the contents of the IPsec configuration data.\r
- The type of the data buffer is associated with the DataType.\r
-\r
- @retval EFI_SUCCESS The specified configuration data was obtained successfully.\r
- @retval EFI_INVALID_PARAMETER One or more of the followings are TRUE:\r
- - This is NULL.\r
- - Selector is NULL.\r
- - DataSize is NULL.\r
- - Data is NULL and *DataSize is not zero\r
- @retval EFI_NOT_FOUND The configuration data specified by Selector is not found.\r
- @retval EFI_UNSUPPORTED The specified DataType is not supported.\r
- @retval EFI_BUFFER_TOO_SMALL The DataSize is too small for the result. DataSize has been\r
- updated with the size needed to complete the request.\r
-\r
-**/\r
-EFI_STATUS\r
-EFIAPI\r
-EfiIpSecConfigGetData (\r
- IN EFI_IPSEC_CONFIG_PROTOCOL *This,\r
- IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,\r
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector,\r
- IN OUT UINTN *DataSize,\r
- OUT VOID *Data\r
- );\r
-\r
-/**\r
- Set the security association, security policy and peer authorization configuration\r
- information for the EFI IPsec driver.\r
-\r
- This function is used to set the IPsec configuration information of type DataType for\r
- the EFI IPsec driver.\r
- The IPsec configuration data has a unique selector/identifier separately to identify\r
- a data entry. The selector structure depends on DataType's definition.\r
- Using SetData() with a Data of NULL causes the IPsec configuration data entry identified\r
- by DataType and Selector to be deleted.\r
-\r
- @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance.\r
- @param[in] DataType The type of data to be set.\r
- @param[in] Selector Pointer to an entry selector on operated configuration data\r
- specified by DataType. A NULL Selector causes the entire\r
- specified-type configuration information to be flushed.\r
- @param[in] Data The data buffer to be set. The structure of the data buffer is\r
- associated with the DataType.\r
- @param[in] InsertBefore Pointer to one entry selector which describes the expected\r
- position the new data entry will be added. If InsertBefore is NULL,\r
- the new entry will be appended the end of database.\r
-\r
- @retval EFI_SUCCESS The specified configuration entry data was set successfully.\r
- @retval EFI_INVALID_PARAMETER One or more of the following are TRUE:\r
- - This is NULL.\r
- @retval EFI_UNSUPPORTED The specified DataType is not supported.\r
- @retval EFI_OUT_OF_RESOURCED The required system resource could not be allocated.\r
-\r
-**/\r
-EFI_STATUS\r
-EFIAPI\r
-EfiIpSecConfigSetData (\r
- IN EFI_IPSEC_CONFIG_PROTOCOL *This,\r
- IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,\r
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector,\r
- IN VOID *Data,\r
- IN EFI_IPSEC_CONFIG_SELECTOR *InsertBefore OPTIONAL\r
- );\r
-\r
-/**\r
- Enumerates the current selector for IPsec configuration data entry.\r
-\r
- This function is called multiple times to retrieve the entry Selector in IPsec\r
- configuration database. On each call to GetNextSelector(), the next entry\r
- Selector are retrieved into the output interface.\r
-\r
- If the entire IPsec configuration database has been iterated, the error\r
- EFI_NOT_FOUND is returned.\r
- If the Selector buffer is too small for the next Selector copy, an\r
- EFI_BUFFER_TOO_SMALL error is returned, and SelectorSize is updated to reflect\r
- the size of buffer needed.\r
-\r
- On the initial call to GetNextSelector() to start the IPsec configuration database\r
- search, a pointer to the buffer with all zero value is passed in Selector. Calls\r
- to SetData() between calls to GetNextSelector may produce unpredictable results.\r
-\r
- @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance.\r
- @param[in] DataType The type of IPsec configuration data to retrieve.\r
- @param[in, out] SelectorSize The size of the Selector buffer.\r
- @param[in, out] Selector On input, supplies the pointer to last Selector that was\r
- returned by GetNextSelector().\r
- On output, returns one copy of the current entry Selector\r
- of a given DataType.\r
-\r
- @retval EFI_SUCCESS The specified configuration data was obtained successfully.\r
- @retval EFI_INVALID_PARAMETER One or more of the followings are TRUE:\r
- - This is NULL.\r
- - SelectorSize is NULL.\r
- - Selector is NULL.\r
- @retval EFI_NOT_FOUND The next configuration data entry was not found.\r
- @retval EFI_UNSUPPORTED The specified DataType is not supported.\r
- @retval EFI_BUFFER_TOO_SMALL The SelectorSize is too small for the result. This parameter\r
- has been updated with the size needed to complete the search\r
- request.\r
-\r
-**/\r
-EFI_STATUS\r
-EFIAPI\r
-EfiIpSecConfigGetNextSelector (\r
- IN EFI_IPSEC_CONFIG_PROTOCOL *This,\r
- IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,\r
- IN OUT UINTN *SelectorSize,\r
- IN OUT EFI_IPSEC_CONFIG_SELECTOR *Selector\r
- );\r
-\r
-/**\r
- Register an event that is to be signaled whenever a configuration process on the\r
- specified IPsec configuration information is done.\r
-\r
- The register function is not surpport now and always returns EFI_UNSUPPORTED.\r
-\r
- @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance.\r
- @param[in] DataType The type of data to be registered the event for.\r
- @param[in] Event The event to be registered.\r
-\r
- @retval EFI_SUCCESS The event is registered successfully.\r
- @retval EFI_INVALID_PARAMETER This is NULL, or Event is NULL.\r
- @retval EFI_ACCESS_DENIED The Event is already registered for the DataType.\r
- @retval EFI_UNSUPPORTED The notify registration unsupported, or the specified\r
- DataType is not supported.\r
-\r
-**/\r
-EFI_STATUS\r
-EFIAPI\r
-EfiIpSecConfigRegisterNotify (\r
- IN EFI_IPSEC_CONFIG_PROTOCOL *This,\r
- IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,\r
- IN EFI_EVENT Event\r
- );\r
-\r
-\r
-/**\r
- Remove the specified event that was previously registered on the specified IPsec\r
- configuration data.\r
-\r
- This function is not supported now and always returns EFI_UNSUPPORTED.\r
-\r
- @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance.\r
- @param[in] DataType The configuration data type to remove the registered event for.\r
- @param[in] Event The event to be unregistered.\r
-\r
- @retval EFI_SUCCESS The event was removed successfully.\r
- @retval EFI_NOT_FOUND The Event specified by DataType could not be found in the\r
- database.\r
- @retval EFI_INVALID_PARAMETER This is NULL or Event is NULL.\r
- @retval EFI_UNSUPPORTED The notify registration unsupported or the specified\r
- DataType is not supported.\r
-\r
-**/\r
-EFI_STATUS\r
-EFIAPI\r
-EfiIpSecConfigUnregisterNotify (\r
- IN EFI_IPSEC_CONFIG_PROTOCOL *This,\r
- IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,\r
- IN EFI_EVENT Event\r
- );\r
-\r
-extern LIST_ENTRY mConfigData[IPsecConfigDataTypeMaximum];\r
-\r
-#endif\r
+++ /dev/null
-/** @file\r
- Common interfaces to call Security library.\r
-\r
- Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>\r
-\r
- SPDX-License-Identifier: BSD-2-Clause-Patent\r
-\r
-**/\r
-\r
-#include "IpSecCryptIo.h"\r
-//\r
-// The informations for the supported Encrypt/Decrpt Alogrithm.\r
-//\r
-GLOBAL_REMOVE_IF_UNREFERENCED ENCRYPT_ALGORITHM mIpsecEncryptAlgorithmList[IPSEC_ENCRYPT_ALGORITHM_LIST_SIZE] = {\r
- {IKE_EALG_NULL, 0, 0, 1, NULL, NULL, NULL, NULL},\r
- {IKE_EALG_NONE, 0, 0, 1, NULL, NULL, NULL, NULL},\r
- {IKE_EALG_3DESCBC, 24, 8, 8, TdesGetContextSize, TdesInit, TdesCbcEncrypt, TdesCbcDecrypt},\r
- {IKE_EALG_AESCBC, 16, 16, 16, AesGetContextSize, AesInit, AesCbcEncrypt, AesCbcDecrypt}\r
-};\r
-\r
-//\r
-// The informations for the supported Authentication algorithm\r
-//\r
-GLOBAL_REMOVE_IF_UNREFERENCED AUTH_ALGORITHM mIpsecAuthAlgorithmList[IPSEC_AUTH_ALGORITHM_LIST_SIZE] = {\r
- {IKE_AALG_NONE, 0, 0, 0, NULL, NULL, NULL, NULL},\r
- {IKE_AALG_NULL, 0, 0, 0, NULL, NULL, NULL, NULL},\r
- {IKE_AALG_SHA1HMAC, 20, 12, 64, HmacSha1GetContextSize, HmacSha1Init, HmacSha1Update, HmacSha1Final}\r
-};\r
-\r
-//\r
-// The information for the supported Hash aglorithm\r
-//\r
-GLOBAL_REMOVE_IF_UNREFERENCED HASH_ALGORITHM mIpsecHashAlgorithmList[IPSEC_HASH_ALGORITHM_LIST_SIZE] = {\r
- {IKE_AALG_NONE, 0, 0, 0, NULL, NULL, NULL, NULL},\r
- {IKE_AALG_NULL, 0, 0, 0, NULL, NULL, NULL, NULL},\r
- {IKE_AALG_SHA1HMAC, 20, 12, 64, Sha1GetContextSize, Sha1Init, Sha1Update, Sha1Final}\r
-};\r
-\r
-BOOLEAN mInitialRandomSeed = FALSE;\r
-\r
-/**\r
- Get the block size of specified encryption algorithm.\r
-\r
- @param[in] AlgorithmId The encryption algorithm ID.\r
-\r
- @return The value of block size.\r
-\r
-**/\r
-UINTN\r
-IpSecGetEncryptBlockSize (\r
- IN UINT8 AlgorithmId\r
- )\r
-{\r
- UINT8 Index;\r
-\r
- for (Index = 0; Index < IPSEC_ENCRYPT_ALGORITHM_LIST_SIZE; Index++) {\r
- if (AlgorithmId == mIpsecEncryptAlgorithmList[Index].AlgorithmId) {\r
- return mIpsecEncryptAlgorithmList[Index].BlockSize;\r
- }\r
- }\r
-\r
- return (UINTN) -1;\r
-}\r
-\r
-/**\r
- Get the key length of the specified encryption algorithm.\r
-\r
- @param[in] AlgorithmId The encryption algorithm ID.\r
-\r
- @return The value of key length.\r
-\r
-**/\r
-UINTN\r
-IpSecGetEncryptKeyLength (\r
- IN UINT8 AlgorithmId\r
- )\r
-{\r
- UINT8 Index;\r
-\r
- for (Index = 0; Index < IPSEC_ENCRYPT_ALGORITHM_LIST_SIZE; Index++) {\r
- if (AlgorithmId == mIpsecEncryptAlgorithmList[Index].AlgorithmId) {\r
- return mIpsecEncryptAlgorithmList[Index].KeyLength;\r
- }\r
- }\r
-\r
- return (UINTN) -1;\r
-}\r
-\r
-/**\r
- Get the IV size of the specified encryption algorithm.\r
-\r
- @param[in] AlgorithmId The encryption algorithm ID.\r
-\r
- @return The value of IV size.\r
-\r
-**/\r
-UINTN\r
-IpSecGetEncryptIvLength (\r
- IN UINT8 AlgorithmId\r
- )\r
-{\r
- UINT8 Index;\r
-\r
- for (Index = 0; Index < IPSEC_ENCRYPT_ALGORITHM_LIST_SIZE; Index++) {\r
- if (AlgorithmId == mIpsecEncryptAlgorithmList[Index].AlgorithmId) {\r
- return mIpsecEncryptAlgorithmList[Index].IvLength;\r
- }\r
- }\r
-\r
- return (UINTN) -1;\r
-}\r
-\r
-/**\r
- Get the HMAC digest length by the specified Algorithm ID.\r
-\r
- @param[in] AlgorithmId The specified Alogrithm ID.\r
-\r
- @return The digest length of the specified Authentication Algorithm ID.\r
-\r
-**/\r
-UINTN\r
-IpSecGetHmacDigestLength (\r
- IN UINT8 AlgorithmId\r
- )\r
-{\r
- UINT8 Index;\r
-\r
- for (Index = 0; Index < IPSEC_AUTH_ALGORITHM_LIST_SIZE; Index++) {\r
- if (mIpsecAuthAlgorithmList[Index].AlgorithmId == AlgorithmId) {\r
- //\r
- // Return the Digest Length of the Algorithm.\r
- //\r
- return mIpsecAuthAlgorithmList[Index].DigestLength;\r
- }\r
- }\r
-\r
- return 0;\r
-}\r
-\r
-/**\r
- Get the ICV size of the specified Authenticaion algorithm.\r
-\r
- @param[in] AlgorithmId The Authentication algorithm ID.\r
-\r
- @return The value of ICV size.\r
-\r
-**/\r
-UINTN\r
-IpSecGetIcvLength (\r
- IN UINT8 AlgorithmId\r
- )\r
-{\r
- UINT8 Index;\r
-\r
- for (Index = 0; Index < IPSEC_AUTH_ALGORITHM_LIST_SIZE; Index++) {\r
- if (AlgorithmId == mIpsecAuthAlgorithmList[Index].AlgorithmId) {\r
- return mIpsecAuthAlgorithmList[Index].IcvLength;\r
- }\r
- }\r
-\r
- return (UINTN) -1;\r
-}\r
-\r
-/**\r
- Generate a random data for IV. If the IvSize is zero, not needed to create\r
- IV and return EFI_SUCCESS.\r
-\r
- @param[in] IvBuffer The pointer of the IV buffer.\r
- @param[in] IvSize The IV size in bytes.\r
-\r
- @retval EFI_SUCCESS Create a random data for IV.\r
-\r
-**/\r
-EFI_STATUS\r
-IpSecGenerateIv (\r
- IN UINT8 *IvBuffer,\r
- IN UINTN IvSize\r
- )\r
-{\r
- if (IvSize != 0) {\r
- return IpSecCryptoIoGenerateRandomBytes (IvBuffer, IvSize);\r
- }\r
-\r
- return EFI_SUCCESS;\r
-}\r
-\r
-/**\r
- Get index of the specified encryption algorithm from the mIpsecEncryptAlgorithmList.\r
-\r
- @param[in] AlgorithmId The encryption algorithm ID.\r
-\r
- @return the index.\r
-\r
-**/\r
-UINTN\r
-IpSecGetIndexFromEncList (\r
- IN UINT8 AlgorithmId\r
- )\r
-{\r
- UINT8 Index;\r
-\r
- for (Index = 0; Index < IPSEC_ENCRYPT_ALGORITHM_LIST_SIZE; Index++) {\r
- if (AlgorithmId == mIpsecEncryptAlgorithmList[Index].AlgorithmId) {\r
- return Index;\r
- }\r
- }\r
-\r
- return (UINTN) -1;\r
-}\r
-\r
-/**\r
- Get index of the specified encryption algorithm from the mIpsecAuthAlgorithmList.\r
-\r
- @param[in] AlgorithmId The encryption algorithm ID.\r
-\r
- @return the index.\r
-\r
-**/\r
-UINTN\r
-IpSecGetIndexFromAuthList (\r
- IN UINT8 AlgorithmId\r
- )\r
-{\r
- UINT8 Index;\r
-\r
- for (Index = 0; Index < IPSEC_AUTH_ALGORITHM_LIST_SIZE; Index++) {\r
- if (AlgorithmId == mIpsecAuthAlgorithmList[Index].AlgorithmId) {\r
- //\r
- // The BlockSize is same with IvSize.\r
- //\r
- return Index;\r
- }\r
- }\r
-\r
- return (UINTN) -1;\r
-}\r
-\r
-/**\r
- Encrypt the buffer.\r
-\r
- This function calls relevant encryption interface from CryptoLib according to\r
- the input algorithm ID. The InData should be multiple of block size. This function\r
- doesn't perform the padding. If it has the Ivec data, the length of it should be\r
- same with the block size. The block size is different from the different algorithm.\r
-\r
- @param[in] AlgorithmId The Algorithm identification defined in RFC.\r
- @param[in] Key Pointer to the buffer containing encrypting key.\r
- @param[in] KeyBits The length of the key in bits.\r
- @param[in] Ivec Point to the buffer containing the Initialization\r
- Vector (IV) data.\r
- @param[in] InData Point to the buffer containing the data to be\r
- encrypted.\r
- @param[in] InDataLength The length of InData in Bytes.\r
- @param[out] OutData Point to the buffer that receives the encryption\r
- output.\r
-\r
- @retval EFI_UNSUPPORTED The input Algorithm is not supported.\r
- @retval EFI_OUT_OF_RESOURCE The required resource can't be allocated.\r
- @retval EFI_SUCCESS The operation completed successfully.\r
-\r
-**/\r
-EFI_STATUS\r
-IpSecCryptoIoEncrypt (\r
- IN CONST UINT8 AlgorithmId,\r
- IN CONST UINT8 *Key,\r
- IN CONST UINTN KeyBits,\r
- IN CONST UINT8 *Ivec, OPTIONAL\r
- IN UINT8 *InData,\r
- IN UINTN InDataLength,\r
- OUT UINT8 *OutData\r
- )\r
-{\r
- UINTN Index;\r
- UINTN ContextSize;\r
- UINT8 *Context;\r
- EFI_STATUS Status;\r
-\r
- Status = EFI_UNSUPPORTED;\r
-\r
- switch (AlgorithmId) {\r
-\r
- case IKE_EALG_NULL:\r
- case IKE_EALG_NONE:\r
- CopyMem (OutData, InData, InDataLength);\r
- return EFI_SUCCESS;\r
-\r
- case IKE_EALG_3DESCBC:\r
- case IKE_EALG_AESCBC:\r
- Index = IpSecGetIndexFromEncList (AlgorithmId);\r
- if (Index == -1) {\r
- return Status;\r
- }\r
- //\r
- // Get Context Size\r
- //\r
- ContextSize = mIpsecEncryptAlgorithmList[Index].CipherGetContextSize ();\r
- Context = AllocateZeroPool (ContextSize);\r
-\r
- if (Context == NULL) {\r
- return EFI_OUT_OF_RESOURCES;\r
- }\r
- //\r
- // Initiate Context\r
- //\r
- if (mIpsecEncryptAlgorithmList[Index].CipherInitiate (Context, Key, KeyBits)) {\r
- if (mIpsecEncryptAlgorithmList[Index].CipherEncrypt (Context, InData, InDataLength, Ivec, OutData)) {\r
- Status = EFI_SUCCESS;\r
- }\r
- }\r
- break;\r
-\r
- default:\r
- return Status;\r
-\r
- }\r
-\r
- if (Context != NULL) {\r
- FreePool (Context);\r
- }\r
-\r
- return Status;\r
-}\r
-\r
-/**\r
- Decrypts the buffer.\r
-\r
- This function calls relevant Decryption interface from CryptoLib according to\r
- the input algorithm ID. The InData should be multiple of block size. This function\r
- doesn't perform the padding. If it has the Ivec data, the length of it should be\r
- same with the block size. The block size is different from the different algorithm.\r
-\r
- @param[in] AlgorithmId The Algorithm identification defined in RFC.\r
- @param[in] Key Pointer to the buffer containing encrypting key.\r
- @param[in] KeyBits The length of the key in bits.\r
- @param[in] Ivec Point to the buffer containing the Initialization\r
- Vector (IV) data.\r
- @param[in] InData Point to the buffer containing the data to be\r
- decrypted.\r
- @param[in] InDataLength The length of InData in Bytes.\r
- @param[out] OutData Pointer to the buffer that receives the decryption\r
- output.\r
-\r
- @retval EFI_UNSUPPORTED The input Algorithm is not supported.\r
- @retval EFI_OUT_OF_RESOURCE The required resource can't be allocated.\r
- @retval EFI_SUCCESS The operation completed successfully.\r
-\r
-**/\r
-EFI_STATUS\r
-IpSecCryptoIoDecrypt (\r
- IN CONST UINT8 AlgorithmId,\r
- IN CONST UINT8 *Key,\r
- IN CONST UINTN KeyBits,\r
- IN CONST UINT8 *Ivec, OPTIONAL\r
- IN UINT8 *InData,\r
- IN UINTN InDataLength,\r
- OUT UINT8 *OutData\r
- )\r
-{\r
- UINTN Index;\r
- UINTN ContextSize;\r
- UINT8 *Context;\r
- EFI_STATUS Status;\r
-\r
- Status = EFI_UNSUPPORTED;\r
-\r
- switch (AlgorithmId) {\r
-\r
- case IKE_EALG_NULL:\r
- case IKE_EALG_NONE:\r
- CopyMem (OutData, InData, InDataLength);\r
- return EFI_SUCCESS;\r
-\r
- case IKE_EALG_3DESCBC:\r
- case IKE_EALG_AESCBC:\r
- Index = IpSecGetIndexFromEncList(AlgorithmId);\r
- if (Index == -1) {\r
- return Status;\r
- }\r
-\r
- //\r
- // Get Context Size\r
- //\r
- ContextSize = mIpsecEncryptAlgorithmList[Index].CipherGetContextSize();\r
- Context = AllocateZeroPool (ContextSize);\r
- if (Context == NULL) {\r
- return EFI_OUT_OF_RESOURCES;\r
- }\r
-\r
- //\r
- // Initiate Context\r
- //\r
- if (mIpsecEncryptAlgorithmList[Index].CipherInitiate (Context, Key, KeyBits)) {\r
- if (mIpsecEncryptAlgorithmList[Index].CipherDecrypt (Context, InData, InDataLength, Ivec, OutData)) {\r
- Status = EFI_SUCCESS;\r
- }\r
- }\r
- break;\r
-\r
- default:\r
- return Status;\r
- }\r
-\r
- if (Context != NULL) {\r
- FreePool (Context);\r
- }\r
-\r
- return Status;\r
-}\r
-\r
-/**\r
- Digests the Payload with key and store the result into the OutData.\r
-\r
- This function calls relevant Hmac interface from CryptoLib according to\r
- the input algorithm ID. It computes all datas from InDataFragment and output\r
- the result into the OutData buffer. If the OutDataSize is larger than the related\r
- HMAC algorithm output size, return EFI_INVALID_PARAMETER.\r
-\r
- @param[in] AlgorithmId The authentication Identification.\r
- @param[in] Key Pointer of the authentication key.\r
- @param[in] KeyLength The length of the Key in bytes.\r
- @param[in] InDataFragment The list contains all data to be authenticated.\r
- @param[in] FragmentCount The size of the InDataFragment.\r
- @param[out] OutData For in, the buffer to receive the output data.\r
- For out, the buffer contains the authenticated data.\r
- @param[in] OutDataSize The size of the buffer of OutData.\r
-\r
- @retval EFI_UNSUPPORTED If the AuthAlg is not in the support list.\r
- @retval EFI_INVALID_PARAMETER The OutData buffer size is larger than algorithm digest size.\r
- @retval EFI_SUCCESS Authenticate the payload successfully.\r
- @retval otherwise Authentication of the payload fails.\r
-\r
-**/\r
-EFI_STATUS\r
-IpSecCryptoIoHmac (\r
- IN CONST UINT8 AlgorithmId,\r
- IN CONST UINT8 *Key,\r
- IN UINTN KeyLength,\r
- IN HASH_DATA_FRAGMENT *InDataFragment,\r
- IN UINTN FragmentCount,\r
- OUT UINT8 *OutData,\r
- IN UINTN OutDataSize\r
- )\r
-{\r
- UINTN ContextSize;\r
- UINTN Index;\r
- UINT8 FragmentIndex;\r
- UINT8 *HashContext;\r
- EFI_STATUS Status;\r
- UINT8 *OutHashData;\r
- UINTN OutHashSize;\r
-\r
- Status = EFI_UNSUPPORTED;\r
- OutHashData = NULL;\r
-\r
- OutHashSize = IpSecGetHmacDigestLength (AlgorithmId);\r
- //\r
- // If the expected hash data size is larger than the related Hash algorithm\r
- // output length, return EFI_INVALID_PARAMETER.\r
- //\r
- if (OutDataSize > OutHashSize) {\r
- return EFI_INVALID_PARAMETER;\r
- }\r
- OutHashData = AllocatePool (OutHashSize);\r
-\r
- if (OutHashData == NULL) {\r
- return EFI_OUT_OF_RESOURCES;\r
- }\r
-\r
- switch (AlgorithmId) {\r
-\r
- case IKE_AALG_NONE :\r
- case IKE_AALG_NULL :\r
- return EFI_SUCCESS;\r
-\r
- case IKE_AALG_SHA1HMAC:\r
- Index = IpSecGetIndexFromAuthList (AlgorithmId);\r
- if (Index == -1) {\r
- return Status;\r
- }\r
-\r
- //\r
- // Get Context Size\r
- //\r
- ContextSize = mIpsecAuthAlgorithmList[Index].HmacGetContextSize();\r
- HashContext = AllocateZeroPool (ContextSize);\r
-\r
- if (HashContext == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto Exit;\r
- }\r
-\r
- //\r
- // Initiate HMAC context and hash the input data.\r
- //\r
- if (mIpsecAuthAlgorithmList[Index].HmacInitiate(HashContext, Key, KeyLength)) {\r
- for (FragmentIndex = 0; FragmentIndex < FragmentCount; FragmentIndex++) {\r
- if (!mIpsecAuthAlgorithmList[Index].HmacUpdate (\r
- HashContext,\r
- InDataFragment[FragmentIndex].Data,\r
- InDataFragment[FragmentIndex].DataSize\r
- )\r
- ) {\r
- goto Exit;\r
- }\r
- }\r
- if (mIpsecAuthAlgorithmList[Index].HmacFinal (HashContext, OutHashData)) {\r
- //\r
- // In some cases, like the Icv computing, the Icv size might be less than\r
- // the key length size, so copy the part of hash data to the OutData.\r
- //\r
- CopyMem (OutData, OutHashData, OutDataSize);\r
- Status = EFI_SUCCESS;\r
- }\r
-\r
- goto Exit;\r
- }\r
-\r
- default:\r
- return Status;\r
- }\r
-\r
-Exit:\r
- if (HashContext != NULL) {\r
- FreePool (HashContext);\r
- }\r
- if (OutHashData != NULL) {\r
- FreePool (OutHashData);\r
- }\r
-\r
- return Status;\r
-}\r
-\r
-/**\r
- Digests the Payload and store the result into the OutData.\r
-\r
- This function calls relevant Hash interface from CryptoLib according to\r
- the input algorithm ID. It computes all datas from InDataFragment and output\r
- the result into the OutData buffer. If the OutDataSize is larger than the related\r
- Hash algorithm output size, return EFI_INVALID_PARAMETER.\r
-\r
- @param[in] AlgorithmId The authentication Identification.\r
- @param[in] InDataFragment A list contains all data to be authenticated.\r
- @param[in] FragmentCount The size of the InDataFragment.\r
- @param[out] OutData For in, the buffer to receive the output data.\r
- For out, the buffer contains the authenticated data.\r
- @param[in] OutDataSize The size of the buffer of OutData.\r
-\r
- @retval EFI_UNSUPPORTED If the AuthAlg is not in the support list.\r
- @retval EFI_SUCCESS Authenticated the payload successfully.\r
- @retval EFI_INVALID_PARAMETER If the OutDataSize is larger than the related Hash\r
- algorithm could handle.\r
- @retval otherwise Authentication of the payload failed.\r
-\r
-**/\r
-EFI_STATUS\r
-IpSecCryptoIoHash (\r
- IN CONST UINT8 AlgorithmId,\r
- IN HASH_DATA_FRAGMENT *InDataFragment,\r
- IN UINTN FragmentCount,\r
- OUT UINT8 *OutData,\r
- IN UINTN OutDataSize\r
- )\r
-{\r
- UINTN ContextSize;\r
- UINTN Index;\r
- UINT8 FragmentIndex;\r
- UINT8 *HashContext;\r
- EFI_STATUS Status;\r
- UINT8 *OutHashData;\r
- UINTN OutHashSize;\r
-\r
- Status = EFI_UNSUPPORTED;\r
- OutHashData = NULL;\r
-\r
- OutHashSize = IpSecGetHmacDigestLength (AlgorithmId);\r
- //\r
- // If the expected hash data size is larger than the related Hash algorithm\r
- // output length, return EFI_INVALID_PARAMETER.\r
- //\r
- if (OutDataSize > OutHashSize) {\r
- return EFI_INVALID_PARAMETER;\r
- }\r
- OutHashData = AllocatePool (OutHashSize);\r
- if (OutHashData == NULL) {\r
- return EFI_OUT_OF_RESOURCES;\r
- }\r
-\r
- switch (AlgorithmId) {\r
-\r
- case IKE_AALG_NONE:\r
- case IKE_AALG_NULL:\r
- return EFI_SUCCESS;\r
-\r
- case IKE_AALG_SHA1HMAC:\r
- Index = IpSecGetIndexFromAuthList (AlgorithmId);\r
- if (Index == -1) {\r
- return Status;\r
- }\r
- //\r
- // Get Context Size\r
- //\r
- ContextSize = mIpsecHashAlgorithmList[Index].HashGetContextSize();\r
- HashContext = AllocateZeroPool (ContextSize);\r
- if (HashContext == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto Exit;\r
- }\r
-\r
- //\r
- // Initiate Hash context and hash the input data.\r
- //\r
- if (mIpsecHashAlgorithmList[Index].HashInitiate(HashContext)) {\r
- for (FragmentIndex = 0; FragmentIndex < FragmentCount; FragmentIndex++) {\r
- if (!mIpsecHashAlgorithmList[Index].HashUpdate (\r
- HashContext,\r
- InDataFragment[FragmentIndex].Data,\r
- InDataFragment[FragmentIndex].DataSize\r
- )\r
- ) {\r
- goto Exit;\r
- }\r
- }\r
- if (mIpsecHashAlgorithmList[Index].HashFinal (HashContext, OutHashData)) {\r
- //\r
- // In some cases, like the Icv computing, the Icv size might be less than\r
- // the key length size, so copy the part of hash data to the OutData.\r
- //\r
- CopyMem (OutData, OutHashData, OutDataSize);\r
- Status = EFI_SUCCESS;\r
- }\r
-\r
- goto Exit;\r
- }\r
-\r
- default:\r
- return Status;\r
- }\r
-\r
-Exit:\r
- if (HashContext != NULL) {\r
- FreePool (HashContext);\r
- }\r
- if (OutHashData != NULL) {\r
- FreePool (OutHashData);\r
- }\r
-\r
- return Status;\r
-}\r
-\r
-/**\r
- Generates the Diffie-Hellman public key.\r
-\r
- This function first initiate a DHContext, then call the DhSetParameter() to set\r
- the prime and primelength, at end call the DhGenerateKey() to generates random\r
- secret exponent, and computes the public key. The output returned via parameter\r
- PublicKey and PublicKeySize. DH context is updated accordingly. If the PublicKey\r
- buffer is too small to hold the public key, EFI_INVALID_PARAMETER is returned\r
- and PublicKeySize is set to the required buffer size to obtain the public key.\r
-\r
- @param[in, out] DhContext Pointer to the DH context.\r
- @param[in] Generator Value of generator.\r
- @param[in] PrimeLength Length in bits of prime to be generated.\r
- @param[in] Prime Pointer to the buffer to receive the generated\r
- prime number.\r
- @param[out] PublicKey Pointer to the buffer to receive generated public key.\r
- @param[in, out] PublicKeySize For in, the size of PublicKey buffer in bytes.\r
- For out, the size of data returned in PublicKey\r
- buffer in bytes.\r
-\r
- @retval EFI_SUCCESS The operation performs successfully.\r
- @retval Otherwise The operation is failed.\r
-\r
-**/\r
-EFI_STATUS\r
-IpSecCryptoIoDhGetPublicKey (\r
- IN OUT UINT8 **DhContext,\r
- IN UINTN Generator,\r
- IN UINTN PrimeLength,\r
- IN CONST UINT8 *Prime,\r
- OUT UINT8 *PublicKey,\r
- IN OUT UINTN *PublicKeySize\r
- )\r
-{\r
- EFI_STATUS Status;\r
-\r
- *DhContext = DhNew ();\r
- ASSERT (*DhContext != NULL);\r
- if (!DhSetParameter (*DhContext, Generator, PrimeLength, Prime)) {\r
- Status = EFI_INVALID_PARAMETER;\r
- goto Exit;\r
- }\r
-\r
- if (!DhGenerateKey (*DhContext, PublicKey, PublicKeySize)) {\r
- Status = EFI_INVALID_PARAMETER;\r
- goto Exit;\r
- }\r
- return EFI_SUCCESS;\r
-\r
-Exit:\r
- if (*DhContext != NULL) {\r
- DhFree (*DhContext);\r
- DhContext = NULL;\r
- }\r
-\r
- return Status;\r
-}\r
-\r
-/**\r
- Generates exchanged common key.\r
-\r
- Given peer's public key, this function computes the exchanged common key, based\r
- on its own context including value of prime modulus and random secret exponent.\r
-\r
- @param[in, out] DhContext Pointer to the DH context.\r
- @param[in] PeerPublicKey Pointer to the peer's Public Key.\r
- @param[in] PeerPublicKeySize Size of peer's public key in bytes.\r
- @param[out] Key Pointer to the buffer to receive generated key.\r
- @param[in, out] KeySize For in, the size of Key buffer in bytes.\r
- For out, the size of data returned in Key\r
- buffer in bytes.\r
-\r
- @retval EFI_SUCCESS The operation performs successfully.\r
- @retval Otherwise The operation is failed.\r
-\r
-**/\r
-EFI_STATUS\r
-IpSecCryptoIoDhComputeKey (\r
- IN OUT UINT8 *DhContext,\r
- IN CONST UINT8 *PeerPublicKey,\r
- IN UINTN PeerPublicKeySize,\r
- OUT UINT8 *Key,\r
- IN OUT UINTN *KeySize\r
- )\r
-{\r
- if (!DhComputeKey (DhContext, PeerPublicKey, PeerPublicKeySize, Key, KeySize)) {\r
- return EFI_INVALID_PARAMETER;\r
- }\r
-\r
- return EFI_SUCCESS;\r
-}\r
-\r
-/**\r
- Releases the DH context. If DhContext is NULL, return EFI_INVALID_PARAMETER.\r
-\r
- @param[in, out] DhContext Pointer to the DH context to be freed.\r
-\r
- @retval EFI_SUCCESS The operation performs successfully.\r
- @retval EFI_INVALID_PARAMETER The DhContext is NULL.\r
-\r
-**/\r
-EFI_STATUS\r
-IpSecCryptoIoFreeDh (\r
- IN OUT UINT8 **DhContext\r
- )\r
-{\r
- if (*DhContext == NULL) {\r
- return EFI_INVALID_PARAMETER;\r
- }\r
-\r
- DhFree (*DhContext);\r
- return EFI_SUCCESS;\r
-}\r
-\r
-/**\r
- Generates random numbers of specified size.\r
-\r
- If the Random Generator wasn't initiated, initiate it first, then call RandomBytes.\r
-\r
- @param[out] OutBuffer Pointer to buffer to receive random value.\r
- @param[in] Bytes Size of random bytes to generate.\r
-\r
- @retval EFI_SUCCESS The operation performs successfully.\r
- @retval Otherwise The operation is failed.\r
-\r
-**/\r
-EFI_STATUS\r
-IpSecCryptoIoGenerateRandomBytes (\r
- OUT UINT8* OutBuffer,\r
- IN UINTN Bytes\r
- )\r
-{\r
- if (!mInitialRandomSeed) {\r
- RandomSeed (NULL, 0);\r
- mInitialRandomSeed = TRUE;\r
- }\r
- if (RandomBytes (OutBuffer, Bytes)) {\r
- return EFI_SUCCESS;\r
- } else {\r
- return EFI_INVALID_PARAMETER;\r
- }\r
-}\r
-\r
-/**\r
- Authenticate data with the certificate.\r
-\r
- @param[in] InData Pointer to the Data to be signed.\r
- @param[in] InDataSize InData size in bytes.\r
- @param[in] PrivateKey Pointer to the private key.\r
- @param[in] PrivateKeySize The size of Private Key in bytes.\r
- @param[in] KeyPassWord Pointer to the password for retrieving private key.\r
- @param[in] KeyPwdSize The size of Key Password in bytes.\r
- @param[out] OutData The pointer to the signed data.\r
- @param[in, out] OutDataSize Pointer to contain the size of out data.\r
-\r
-**/\r
-VOID\r
-IpSecCryptoIoAuthDataWithCertificate (\r
- IN UINT8 *InData,\r
- IN UINTN InDataSize,\r
- IN UINT8 *PrivateKey,\r
- IN UINTN PrivateKeySize,\r
- IN UINT8 *KeyPassWord,\r
- IN UINTN KeyPwdSize,\r
- OUT UINT8 **OutData,\r
- IN OUT UINTN *OutDataSize\r
- )\r
-{\r
- UINT8 *RsaContext;\r
- UINT8 *Signature;\r
- UINTN SigSize;\r
-\r
- SigSize = 0;\r
- RsaContext = NULL;\r
-\r
- //\r
- // Retrieve RSA Private Key from password-protected PEM data\r
- //\r
- RsaGetPrivateKeyFromPem (\r
- (CONST UINT8 *)PrivateKey,\r
- PrivateKeySize,\r
- (CONST CHAR8 *)KeyPassWord,\r
- (VOID **) &RsaContext\r
- );\r
- if (RsaContext == NULL) {\r
- return;\r
- }\r
-\r
- //\r
- // Sign data\r
- //\r
- Signature = NULL;\r
- if (!RsaPkcs1Sign (RsaContext, InData, InDataSize, Signature, &SigSize)) {\r
- Signature = AllocateZeroPool (SigSize);\r
- } else {\r
- return;\r
- }\r
-\r
- RsaPkcs1Sign (RsaContext, InData, InDataSize, Signature, &SigSize);\r
-\r
- *OutData = Signature;\r
- *OutDataSize = SigSize;\r
-\r
- if (RsaContext != NULL) {\r
- RsaFree (RsaContext);\r
- }\r
-}\r
-\r
-/**\r
- Verify the singed data with the public key which is contained in a certificate.\r
-\r
- @param[in] InCert Pointer to the Certificate which contains the\r
- public key.\r
- @param[in] CertLen The size of Certificate in bytes.\r
- @param[in] InCa Pointer to the CA certificate\r
- @param[in] CaLen The size of CA certificate in bytes.\r
- @param[in] InData Pointer to octet message hash to be checked.\r
- @param[in] InDataSize Size of the message hash in bytes.\r
- @param[in] Singnature The pointer to the RSA PKCS1-V1_5 signature to be verified.\r
- @param[in] SigSize Size of signature in bytes.\r
-\r
- @retval TRUE Valid signature encoded in PKCS1-v1_5.\r
- @retval FALSE Invalid signature or invalid RSA context.\r
-\r
-**/\r
-BOOLEAN\r
-IpSecCryptoIoVerifySignDataByCertificate (\r
- IN UINT8 *InCert,\r
- IN UINTN CertLen,\r
- IN UINT8 *InCa,\r
- IN UINTN CaLen,\r
- IN UINT8 *InData,\r
- IN UINTN InDataSize,\r
- IN UINT8 *Singnature,\r
- IN UINTN SigSize\r
- )\r
-{\r
- UINT8 *RsaContext;\r
- BOOLEAN Status;\r
-\r
- //\r
- // Create the RSA Context\r
- //\r
- RsaContext = RsaNew ();\r
- if (RsaContext == NULL) {\r
- return FALSE;\r
- }\r
-\r
- //\r
- // Verify the validity of X509 Certificate\r
- //\r
- if (!X509VerifyCert (InCert, CertLen, InCa, CaLen)) {\r
- return FALSE;\r
- }\r
-\r
- //\r
- // Retrieve the RSA public Key from Certificate\r
- //\r
- RsaGetPublicKeyFromX509 ((CONST UINT8 *)InCert, CertLen, (VOID **)&RsaContext);\r
-\r
- //\r
- // Verify data\r
- //\r
- Status = RsaPkcs1Verify (RsaContext, InData, InDataSize, Singnature, SigSize);\r
-\r
- if (RsaContext != NULL) {\r
- RsaFree (RsaContext);\r
- }\r
-\r
- return Status;\r
-}\r
-\r
-/**\r
- Retrieves the RSA Public Key from one X509 certificate (DER format only).\r
-\r
- @param[in] InCert Pointer to the certificate.\r
- @param[in] CertLen The size of the certificate in bytes.\r
- @param[out] PublicKey Pointer to the retrieved public key.\r
- @param[out] PublicKeyLen Size of Public Key in bytes.\r
-\r
- @retval EFI_SUCCESS Successfully get the public Key.\r
- @retval EFI_INVALID_PARAMETER The certificate is malformed.\r
-\r
-**/\r
-EFI_STATUS\r
-IpSecCryptoIoGetPublicKeyFromCert (\r
- IN UINT8 *InCert,\r
- IN UINTN CertLen,\r
- OUT UINT8 **PublicKey,\r
- OUT UINTN *PublicKeyLen\r
- )\r
-{\r
- UINT8 *RsaContext;\r
- EFI_STATUS Status;\r
-\r
- Status = EFI_SUCCESS;\r
-\r
- //\r
- // Create the RSA Context\r
- //\r
- RsaContext = RsaNew ();\r
-\r
- //\r
- // Retrieve the RSA public key from CA Certificate\r
- //\r
- if (!RsaGetPublicKeyFromX509 ((CONST UINT8 *)InCert, CertLen, (VOID **) &RsaContext)) {\r
- Status = EFI_INVALID_PARAMETER;\r
- goto EXIT;\r
- }\r
-\r
- *PublicKeyLen = 0;\r
-\r
- RsaGetKey (RsaContext, RsaKeyN, NULL, PublicKeyLen);\r
-\r
- *PublicKey = AllocateZeroPool (*PublicKeyLen);\r
- if (*PublicKey == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto EXIT;\r
- }\r
-\r
- if (!RsaGetKey (RsaContext, RsaKeyN, *PublicKey, PublicKeyLen)) {\r
- Status = EFI_INVALID_PARAMETER;\r
- }\r
-\r
-EXIT:\r
- if (RsaContext != NULL) {\r
- RsaFree (RsaContext);\r
- }\r
-\r
- return Status;\r
-}\r
-\r
-/**\r
- Retrieves the subject name from one X509 certificate (DER format only).\r
-\r
- @param[in] InCert Pointer to the X509 certificate.\r
- @param[in] CertSize The size of the X509 certificate in bytes.\r
- @param[out] CertSubject Pointer to the retrieved certificate subject.\r
- @param[out] SubjectSize The size of Certificate Subject in bytes.\r
-\r
- @retval EFI_SUCCESS Retrieved the certificate subject successfully.\r
- @retval EFI_INVALID_PARAMETER The certificate is malformed.\r
-\r
-**/\r
-EFI_STATUS\r
-IpSecCryptoIoGetSubjectFromCert (\r
- IN UINT8 *InCert,\r
- IN UINTN CertSize,\r
- OUT UINT8 **CertSubject,\r
- OUT UINTN *SubjectSize\r
- )\r
-{\r
- EFI_STATUS Status;\r
-\r
- Status = EFI_SUCCESS;\r
-\r
- *SubjectSize = 0;\r
- X509GetSubjectName (InCert, CertSize, *CertSubject, SubjectSize);\r
-\r
- *CertSubject = AllocateZeroPool (*SubjectSize);\r
- if (!X509GetSubjectName (InCert, CertSize, *CertSubject, SubjectSize)) {\r
- Status = EFI_INVALID_PARAMETER;\r
- }\r
-\r
- return Status;\r
-}\r
+++ /dev/null
-/** @file\r
- Definitions related to the Cryptographic Operations in IPsec.\r
-\r
- Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>\r
-\r
- SPDX-License-Identifier: BSD-2-Clause-Patent\r
-\r
-**/\r
-#ifndef _EFI_IPSEC_CRYPTIO_H_\r
-#define _EFI_IPSEC_CRYPTIO_H_\r
-\r
-#include <Protocol/IpSecConfig.h>\r
-#include <Library/DebugLib.h>\r
-#include <Library/BaseCryptLib.h>\r
-#include <Library/BaseMemoryLib.h>\r
-#include <Library/MemoryAllocationLib.h>\r
-\r
-#include "IpSecImpl.h"\r
-#include "IkeCommon.h"\r
-\r
-#define IPSEC_ENCRYPT_ALGORITHM_LIST_SIZE 4\r
-#define IPSEC_AUTH_ALGORITHM_LIST_SIZE 3\r
-#define IPSEC_HASH_ALGORITHM_LIST_SIZE 3\r
-\r
-///\r
-/// Authentication Algorithm Definition\r
-/// The number value definition is aligned to IANA assignment\r
-///\r
-#define IKE_AALG_NONE 0x00\r
-#define IKE_AALG_SHA1HMAC 0x02\r
-#define IKE_AALG_NULL 0xFB\r
-\r
-///\r
-/// Encryption Algorithm Definition\r
-/// The number value definition is aligned to IANA assignment\r
-///\r
-#define IKE_EALG_NONE 0x00\r
-#define IKE_EALG_3DESCBC 0x03\r
-#define IKE_EALG_NULL 0x0B\r
-#define IKE_EALG_AESCBC 0x0C\r
-\r
-/**\r
- Prototype of HMAC GetContextSize.\r
-\r
- Retrieves the size, in bytes, of the context buffer required.\r
-\r
- @return The size, in bytes, of the context buffer required.\r
-\r
-**/\r
-typedef\r
-UINTN\r
-(EFIAPI *CRYPTO_HMAC_GETCONTEXTSIZE)(\r
- VOID\r
- );\r
-\r
-/**\r
- Prototype of HMAC Operation Initiating.\r
-\r
- Initialization with a new context.\r
-\r
- @param[out] Context Input Context.\r
- @param[in] Key Pointer to the key for HMAC.\r
- @param[in] KeySize The length of the Key in bytes.\r
-\r
- @retval TRUE Initialization Successfully.\r
-\r
-**/\r
-typedef\r
-BOOLEAN\r
-(EFIAPI *CRYPTO_HMAC_INIT)(\r
- OUT VOID *Context,\r
- IN CONST UINT8 *Key,\r
- IN UINTN KeySize\r
- );\r
-\r
-/**\r
- Prototype of HMAC update.\r
- HMAC update operation. Continue an HMAC message digest operation, processing\r
- another message block, and updating the HMAC context.\r
-\r
- If Context is NULL, then ASSERT().\r
- If Data is NULL, then ASSERT().\r
-\r
- @param[in,out] Context The Specified Context.\r
- @param[in,out] Data The Input Data to be digested.\r
- @param[in] DataLength The length, in bytes, of Data.\r
-\r
- @retval TRUE Update data successfully.\r
- @retval FALSE The Context has been finalized.\r
-\r
-**/\r
-typedef\r
-BOOLEAN\r
-(EFIAPI *CRYPTO_HMAC_UPDATE)(\r
- IN OUT VOID *Context,\r
- IN CONST VOID *Data,\r
- IN UINTN DataLength\r
- );\r
-\r
-/**\r
- Prototype of HMAC finalization.\r
- Terminate a HMAC message digest operation and output the message digest.\r
-\r
- If Context is NULL, then ASSERT().\r
- If HashValue is NULL, then ASSERT().\r
-\r
- @param[in,out] Context The specified Context.\r
- @param[out] HmacValue Pointer to a 16-byte message digest output buffer.\r
-\r
- @retval TRUE Finalized successfully.\r
-\r
-**/\r
-typedef\r
-BOOLEAN\r
-(EFIAPI *CRYPTO_HMAC_FINAL)(\r
- IN OUT VOID *Context,\r
- OUT UINT8 *HmacValue\r
- );\r
-\r
-/**\r
- Prototype of Block Cipher GetContextSize.\r
-\r
- Retrieves the size, in bytes, of the context buffer required.\r
-\r
- @return The size, in bytes, of the context buffer required.\r
-\r
-**/\r
-typedef\r
-UINTN\r
-(EFIAPI *CRYPTO_CIPHER_GETCONTEXTSIZE)(\r
- VOID\r
- );\r
-\r
-/**\r
- Prototype of Block Cipher initiation.\r
- Initializes the user-supplied key as the specified context (key materials) for both\r
- encryption and decryption operations.\r
-\r
- If Context is NULL, then ASSERT().\r
- If Key is NULL, then generate random key for usage.\r
-\r
- @param[in,out] Context The specified Context.\r
- @param[in] Key User-supplied cipher key.\r
- @param[in] KeyBits Key length in bits.\r
-\r
- @retval TRUE Block Cipher Initialization was successful.\r
-\r
-**/\r
-typedef\r
-BOOLEAN\r
-(EFIAPI *CRYPTO_CIPHER_INIT)(\r
- IN OUT VOID *Context,\r
- IN CONST UINT8 *Key,\r
- IN UINTN KeyBits\r
- );\r
-\r
-/**\r
- Prototype of Cipher encryption.\r
- Encrypts plaintext message with the specified cipher.\r
-\r
- If Context is NULL, then ASSERT().\r
- If InData is NULL, then ASSERT().\r
- If Size of input data is not multiple of Cipher algorithm related block size,\r
- then ASSERT().\r
-\r
- @param[in] Context The specified Context.\r
- @param[in] InData The input plaintext data to be encrypted.\r
- @param[in] InputSize The size of input data.\r
- @param[in] Ivec Pointer to Initial Vector data for encryption.\r
- @param[out] OutData The resultant encrypted ciphertext.\r
-\r
- @retval TRUE Encryption successful.\r
-\r
-**/\r
-typedef\r
-BOOLEAN\r
-(EFIAPI *CRYPTO_CIPHER_ENCRYPT)(\r
- IN VOID *Context,\r
- IN CONST UINT8 *InData,\r
- IN UINTN InputSize,\r
- IN CONST UINT8 *Ivec,\r
- OUT UINT8 *OutData\r
- );\r
-\r
-/**\r
- Prototype of Cipher decryption.\r
- Decrypts cipher message with specified cipher.\r
-\r
- If Context is NULL, then ASSERT().\r
- If InData is NULL, then ASSERT().\r
- If Size of input data is not a multiple of a certaion block size , then ASSERT().\r
-\r
- @param[in] Context The specified Context.\r
- @param[in] InData The input ciphertext data to be decrypted.\r
- @param[in] InputSize The InData size.\r
- @param[in] Ivec Pointer to the Initial Vector data for decryption.\r
- @param[out] OutData The resultant decrypted plaintext.\r
-\r
- @retval TRUE Decryption successful.\r
-\r
-**/\r
-typedef\r
-BOOLEAN\r
-(EFIAPI *CRYPTO_CIPHER_DECRYPT)(\r
- IN VOID *Context,\r
- IN CONST UINT8 *InData,\r
- IN UINTN InputSize,\r
- IN CONST UINT8 *Ivec,\r
- OUT UINT8 *OutData\r
- );\r
-\r
-/**\r
- Prototype of Hash ContextSize.\r
-\r
- Retrieves the size, in bytes, of the context buffer required for specified hash operations.\r
-\r
- @return The size, in bytes, of the context buffer required for certain hash operations.\r
-\r
-**/\r
-typedef\r
-UINTN\r
-(EFIAPI *CRYPTO_HASH_GETCONTEXTSIZE)(\r
- VOID\r
- );\r
-\r
-/**\r
- Prototype of Hash Initiate.\r
-\r
- Initializes user-supplied memory pointed by Context as specified hash context for\r
- subsequent use.\r
-\r
- If Context is NULL, then ASSERT().\r
-\r
- @param[out] Context Pointer to specified context being initialized.\r
-\r
- @retval TRUE context initialization succeeded.\r
- @retval FALSE context initialization failed.\r
-\r
-**/\r
-typedef\r
-BOOLEAN\r
-(EFIAPI *CRYPTO_HASH_INIT)(\r
- OUT VOID *Context\r
- );\r
-\r
-/**\r
- Prototype of Hash Update\r
-\r
- Digests the input data and updates hash context.\r
-\r
- This function performs digest on a data buffer of the specified size.\r
- It can be called multiple times to compute the digest of long or discontinuous data streams.\r
- Context should be already correctly initialized by HashInit(), and should not be finalized\r
- by HashFinal(). Behavior with invalid context is undefined.\r
-\r
- If Context is NULL, then ASSERT().\r
-\r
- @param[in, out] Context Pointer to the specified context.\r
- @param[in] Data Pointer to the buffer containing the data to be hashed.\r
- @param[in] DataSize Size of Data buffer in bytes.\r
-\r
- @retval TRUE data digest succeeded.\r
- @retval FALSE data digest failed.\r
-\r
-**/\r
-typedef\r
-BOOLEAN\r
-(EFIAPI *CRYPTO_HASH_UPDATE)(\r
- IN OUT VOID *Context,\r
- IN CONST VOID *Data,\r
- IN UINTN DataSize\r
- );\r
-\r
-/**\r
- Prototype of Hash Finalization.\r
-\r
- Completes computation of the digest value.\r
-\r
- This function completes hash computation and retrieves the digest value into\r
- the specified memory. After this function has been called, the context cannot\r
- be used again.\r
- context should be already correctly initialized by HashInit(), and should not be\r
- finalized by HashFinal(). Behavior with invalid context is undefined.\r
-\r
- If Context is NULL, then ASSERT().\r
- If HashValue is NULL, then ASSERT().\r
-\r
- @param[in, out] Context Pointer to the specified context.\r
- @param[out] HashValue Pointer to a buffer that receives the digest\r
- value.\r
-\r
- @retval TRUE digest computation succeeded.\r
- @retval FALSE digest computation failed.\r
-\r
-**/\r
-typedef\r
-BOOLEAN\r
-(EFIAPI *CRYPTO_HASH_FINAL)(\r
- IN OUT VOID *Context,\r
- OUT UINT8 *HashValue\r
- );\r
-\r
-//\r
-// The struct used to store the information and operation of Block Cipher algorithm.\r
-//\r
-typedef struct _ENCRYPT_ALGORITHM {\r
- //\r
- // The ID of the Algorithm\r
- //\r
- UINT8 AlgorithmId;\r
- //\r
- // The Key length of the Algorithm\r
- //\r
- UINTN KeyLength;\r
- //\r
- // Iv Size of the Algorithm\r
- //\r
- UINTN IvLength;\r
- //\r
- // The Block Size of the Algorithm\r
- //\r
- UINTN BlockSize;\r
- //\r
- // The Function pointer of GetContextSize.\r
- //\r
- CRYPTO_CIPHER_GETCONTEXTSIZE CipherGetContextSize;\r
- //\r
- // The Function pointer of Cipher initiation.\r
- //\r
- CRYPTO_CIPHER_INIT CipherInitiate;\r
- //\r
- // The Function pointer of Cipher Encryption.\r
- //\r
- CRYPTO_CIPHER_ENCRYPT CipherEncrypt;\r
- //\r
- // The Function pointer of Cipher Decryption.\r
- //\r
- CRYPTO_CIPHER_DECRYPT CipherDecrypt;\r
-} ENCRYPT_ALGORITHM;\r
-\r
-//\r
-// The struct used to store the information and operation of Authentication algorithm.\r
-//\r
-typedef struct _AUTH_ALGORITHM {\r
- //\r
- // ID of the Algorithm\r
- //\r
- UINT8 AlgorithmId;\r
- //\r
- // The Key length of the Algorithm\r
- //\r
- UINTN DigestLength;\r
- //\r
- // The ICV length of the Algorithm\r
- //\r
- UINTN IcvLength;\r
- //\r
- // The block size of the Algorithm\r
- //\r
- UINTN BlockSize;\r
- //\r
- // The function pointer of GetContextSize.\r
- //\r
- CRYPTO_HMAC_GETCONTEXTSIZE HmacGetContextSize;\r
- //\r
- // The function pointer of Initiation\r
- //\r
- CRYPTO_HMAC_INIT HmacInitiate;\r
- //\r
- // The function pointer of HMAC Update.\r
- //\r
- CRYPTO_HMAC_UPDATE HmacUpdate;\r
- //\r
- // The fucntion pointer of HMAC Final\r
- //\r
- CRYPTO_HMAC_FINAL HmacFinal;\r
-} AUTH_ALGORITHM;\r
-\r
-//\r
-// The struct used to store the information and operation of Hash algorithm.\r
-//\r
-typedef struct _HASH_ALGORITHM {\r
- //\r
- // ID of the Algorithm\r
- //\r
- UINT8 AlgorithmId;\r
- //\r
- // The Key length of the Algorithm\r
- //\r
- UINTN DigestLength;\r
- //\r
- // The ICV length of the Algorithm\r
- //\r
- UINTN IcvLength;\r
- //\r
- // The block size of the Algorithm\r
- //\r
- UINTN BlockSize;\r
- //\r
- // The function pointer of GetContextSize\r
- //\r
- CRYPTO_HASH_GETCONTEXTSIZE HashGetContextSize;\r
- //\r
- // The function pointer of Initiation\r
- //\r
- CRYPTO_HASH_INIT HashInitiate;\r
- //\r
- // The function pointer of Hash Update\r
- //\r
- CRYPTO_HASH_UPDATE HashUpdate;\r
- //\r
- // The fucntion pointer of Hash Final\r
- //\r
- CRYPTO_HASH_FINAL HashFinal;\r
-} HASH_ALGORITHM;\r
-\r
-/**\r
- Get the IV size of specified encryption algorithm.\r
-\r
- @param[in] AlgorithmId The encryption algorithm ID.\r
-\r
- @return The value of IV size.\r
-\r
-**/\r
-UINTN\r
-IpSecGetEncryptIvLength (\r
- IN UINT8 AlgorithmId\r
- );\r
-\r
-/**\r
- Get the block size of specified encryption algorithm.\r
-\r
- @param[in] AlgorithmId The encryption algorithm ID.\r
-\r
- @return The value of block size.\r
-\r
-**/\r
-UINTN\r
-IpSecGetEncryptBlockSize (\r
- IN UINT8 AlgorithmId\r
- );\r
-\r
-/**\r
- Get the required key length of the specified encryption algorithm.\r
-\r
- @param[in] AlgorithmId The encryption algorithm ID.\r
-\r
- @return The value of key length.\r
-\r
-**/\r
-UINTN\r
-IpSecGetEncryptKeyLength (\r
- IN UINT8 AlgorithmId\r
- );\r
-\r
-/**\r
- Get the ICV size of the specified Authentication algorithm.\r
-\r
- @param[in] AlgorithmId The Authentication algorithm ID.\r
-\r
- @return The value of ICV size.\r
-\r
-**/\r
-UINTN\r
-IpSecGetIcvLength (\r
- IN UINT8 AlgorithmId\r
- );\r
-\r
-/**\r
- Get the HMAC digest length by the specified Algorithm ID.\r
-\r
- @param[in] AlgorithmId The specified Algorithm ID.\r
-\r
- @return The digest length of the specified Authentication Algorithm ID.\r
-\r
-**/\r
-UINTN\r
-IpSecGetHmacDigestLength (\r
- IN UINT8 AlgorithmId\r
- );\r
-\r
-/**\r
- Generate a random data for IV. If the IvSize is zero, not needed to create\r
- IV and return EFI_SUCCESS.\r
-\r
- @param[in] IvBuffer The pointer of the IV buffer.\r
- @param[in] IvSize The IV size in bytes.\r
-\r
- @retval EFI_SUCCESS Create random data for IV.\r
-\r
-**/\r
-EFI_STATUS\r
-IpSecGenerateIv (\r
- IN UINT8 *IvBuffer,\r
- IN UINTN IvSize\r
- );\r
-\r
-/**\r
- Encrypt the buffer.\r
-\r
- This function calls relevant encryption interface from CryptoLib according to\r
- the input algorithm ID. The InData should be multiple of block size. This function\r
- doesn't perform the padding. If it has the Ivec data, the length of it should be\r
- same with the block size. The block size is different from the different algorithm.\r
-\r
- @param[in] AlgorithmId The Algorithm identification defined in RFC.\r
- @param[in] Key Pointer to the buffer containing encrypting key.\r
- @param[in] KeyBits The length of the key in bits.\r
- @param[in] Ivec Point to the buffer containing the Initialization\r
- Vector (IV) data.\r
- @param[in] InData Point to the buffer containing the data to be\r
- encrypted.\r
- @param[in] InDataLength The length of InData in Bytes.\r
- @param[out] OutData Point to the buffer that receives the encryption\r
- output.\r
-\r
- @retval EFI_UNSUPPORTED The input Algorithm is not supported.\r
- @retval EFI_OUT_OF_RESOURCE The required resource can't be allocated.\r
- @retval EFI_SUCCESS The operation completed successfully.\r
-\r
-**/\r
-EFI_STATUS\r
-IpSecCryptoIoEncrypt (\r
- IN CONST UINT8 AlgorithmId,\r
- IN CONST UINT8 *Key,\r
- IN CONST UINTN KeyBits,\r
- IN CONST UINT8 *Ivec, OPTIONAL\r
- IN UINT8 *InData,\r
- IN UINTN InDataLength,\r
- OUT UINT8 *OutData\r
- );\r
-\r
-/**\r
- Decrypts the buffer.\r
-\r
- This function calls relevant Decryption interface from CryptoLib according to\r
- the input algorithm ID. The InData should be multiple of block size. This function\r
- doesn't perform the padding. If it has the Ivec data, the length of it should be\r
- same with the block size. The block size is different from the different algorithm.\r
-\r
- @param[in] AlgorithmId The Algorithm identification defined in RFC.\r
- @param[in] Key Pointer to the buffer containing encrypting key.\r
- @param[in] KeyBits The length of the key in bits.\r
- @param[in] Ivec Point to the buffer containing the Initialization\r
- Vector (IV) data.\r
- @param[in] InData Point to the buffer containing the data to be\r
- decrypted.\r
- @param[in] InDataLength The length of InData in Bytes.\r
- @param[out] OutData Pointer to the buffer that receives the decryption\r
- output.\r
-\r
- @retval EFI_UNSUPPORTED The input Algorithm is not supported.\r
- @retval EFI_OUT_OF_RESOURCE The required resource can't be allocated.\r
- @retval EFI_SUCCESS The operation completed successfully.\r
-\r
-**/\r
-EFI_STATUS\r
-IpSecCryptoIoDecrypt (\r
- IN CONST UINT8 AlgorithmId,\r
- IN CONST UINT8 *Key,\r
- IN CONST UINTN KeyBits,\r
- IN CONST UINT8 *Ivec, OPTIONAL\r
- IN UINT8 *InData,\r
- IN UINTN InDataLength,\r
- OUT UINT8 *OutData\r
- );\r
-\r
-/**\r
- Digests the Payload with key and store the result into the OutData.\r
-\r
- This function calls relevant Hmac interface from CryptoLib according to\r
- the input algorithm ID. It computes all datas from InDataFragment and output\r
- the result into the OutData buffer. If the OutDataSize is larger than the related\r
- HMAC algorithm output size, return EFI_INVALID_PARAMETER.\r
-\r
- @param[in] AlgorithmId The authentication Identification.\r
- @param[in] Key Pointer of the authentication key.\r
- @param[in] KeyLength The length of the Key in bytes.\r
- @param[in] InDataFragment The list contains all data to be authenticated.\r
- @param[in] FragmentCount The size of the InDataFragment.\r
- @param[out] OutData For in, the buffer to receive the output data.\r
- For out, the buffer contains the authenticated data.\r
- @param[in] OutDataSize The size of the buffer of OutData.\r
-\r
- @retval EFI_UNSUPPORTED If the AuthAlg is not in the support list.\r
- @retval EFI_INVALID_PARAMETER The OutData buffer size is larger than algorithm digest size.\r
- @retval EFI_SUCCESS Authenticate the payload successfully.\r
- @retval otherwise Authentication of the payload fails.\r
-\r
-**/\r
-EFI_STATUS\r
-IpSecCryptoIoHmac (\r
- IN CONST UINT8 AlgorithmId,\r
- IN CONST UINT8 *Key,\r
- IN UINTN KeyLength,\r
- IN HASH_DATA_FRAGMENT *InDataFragment,\r
- IN UINTN FragmentCount,\r
- OUT UINT8 *OutData,\r
- IN UINTN OutDataSize\r
- );\r
-\r
-/**\r
- Digests the Payload and store the result into the OutData.\r
-\r
- This function calls relevant Hash interface from CryptoLib according to\r
- the input algorithm ID. It computes all datas from InDataFragment and output\r
- the result into the OutData buffer. If the OutDataSize is larger than the related\r
- Hash algorithm output size, return EFI_INVALID_PARAMETER.\r
-\r
- @param[in] AlgorithmId The authentication Identification.\r
- @param[in] InDataFragment A list contains all data to be authenticated.\r
- @param[in] FragmentCount The size of the InDataFragment.\r
- @param[out] OutData For in, the buffer to receive the output data.\r
- For out, the buffer contains the authenticated data.\r
- @param[in] OutDataSize The size of the buffer of OutData.\r
-\r
- @retval EFI_UNSUPPORTED If the AuthAlg is not in the support list.\r
- @retval EFI_SUCCESS Authenticated the payload successfully.\r
- @retval EFI_INVALID_PARAMETER If the OutDataSize is larger than the related Hash\r
- algorithm could handle.\r
- @retval otherwise Authentication of the payload failed.\r
-\r
-**/\r
-EFI_STATUS\r
-IpSecCryptoIoHash (\r
- IN CONST UINT8 AlgorithmId,\r
- IN HASH_DATA_FRAGMENT *InDataFragment,\r
- IN UINTN FragmentCount,\r
- OUT UINT8 *OutData,\r
- IN UINTN OutDataSize\r
- );\r
-\r
-/**\r
- Generates the Diffie-Hellman public key.\r
-\r
- This function first initiate a DHContext, then call the DhSetParameter() to set\r
- the prime and primelength, at end call the DhGenerateKey() to generates random\r
- secret exponent, and computes the public key. The output returned via parameter\r
- PublicKey and PublicKeySize. DH context is updated accordingly. If the PublicKey\r
- buffer is too small to hold the public key, EFI_INVALID_PARAMETER is returned\r
- and PublicKeySize is set to the required buffer size to obtain the public key.\r
-\r
- @param[in, out] DhContext Pointer to the DH context.\r
- @param[in] Generator Value of generator.\r
- @param[in] PrimeLength Length in bits of prime to be generated.\r
- @param[in] Prime Pointer to the buffer to receive the generated\r
- prime number.\r
- @param[out] PublicKey Pointer to the buffer to receive generated public key.\r
- @param[in, out] PublicKeySize For in, the size of PublicKey buffer in bytes.\r
- For out, the size of data returned in PublicKey\r
- buffer in bytes.\r
-\r
- @retval EFI_SUCCESS The operation performs successfully.\r
- @retval Otherwise The operation is failed.\r
-\r
-**/\r
-EFI_STATUS\r
-IpSecCryptoIoDhGetPublicKey (\r
- IN OUT UINT8 **DhContext,\r
- IN UINTN Generator,\r
- IN UINTN PrimeLength,\r
- IN CONST UINT8 *Prime,\r
- OUT UINT8 *PublicKey,\r
- IN OUT UINTN *PublicKeySize\r
- );\r
-\r
-/**\r
- Generates exchanged common key.\r
-\r
- Given peer's public key, this function computes the exchanged common key, based\r
- on its own context including value of prime modulus and random secret exponent.\r
-\r
- @param[in, out] DhContext Pointer to the DH context.\r
- @param[in] PeerPublicKey Pointer to the peer's Public Key.\r
- @param[in] PeerPublicKeySize Size of peer's public key in bytes.\r
- @param[out] Key Pointer to the buffer to receive generated key.\r
- @param[in, out] KeySize For in, the size of Key buffer in bytes.\r
- For out, the size of data returned in Key\r
- buffer in bytes.\r
-\r
- @retval EFI_SUCCESS The operation performs successfully.\r
- @retval Otherwise The operation is failed.\r
-\r
-**/\r
-EFI_STATUS\r
-IpSecCryptoIoDhComputeKey (\r
- IN OUT UINT8 *DhContext,\r
- IN CONST UINT8 *PeerPublicKey,\r
- IN UINTN PeerPublicKeySize,\r
- OUT UINT8 *Key,\r
- IN OUT UINTN *KeySize\r
- );\r
-\r
-/**\r
- Releases the DH context. If DhContext is NULL, return EFI_INVALID_PARAMETER.\r
-\r
- @param[in, out] DhContext Pointer to the DH context to be freed.\r
-\r
- @retval EFI_SUCCESS The operation performs successfully.\r
- @retval EFI_INVALID_PARAMETER The DhContext is NULL.\r
-\r
-**/\r
-EFI_STATUS\r
-IpSecCryptoIoFreeDh (\r
- IN OUT UINT8 **DhContext\r
- );\r
-\r
-/**\r
- Generates random numbers of specified size.\r
-\r
- If the Random Generator wasn't initiated, initiate it first, then call RandomBytes.\r
-\r
- @param[out] OutBuffer Pointer to buffer to receive random value.\r
- @param[in] Bytes Size of random bytes to generate.\r
-\r
- @retval EFI_SUCCESS The operation performs successfully.\r
- @retval Otherwise The operation is failed.\r
-\r
-**/\r
-EFI_STATUS\r
-IpSecCryptoIoGenerateRandomBytes (\r
- OUT UINT8* OutBuffer,\r
- IN UINTN Bytes\r
- );\r
-\r
-/**\r
- Authenticate data with the certificate.\r
-\r
- @param[in] InData Pointer to the Data to be signed.\r
- @param[in] InDataSize InData size in bytes.\r
- @param[in] PrivateKey Pointer to the private key.\r
- @param[in] PrivateKeySize The size of Private Key in bytes.\r
- @param[in] KeyPassWord Pointer to the password for retrieving private key.\r
- @param[in] KeyPwdSize The size of Key Password in bytes.\r
- @param[out] OutData The pointer to the signed data.\r
- @param[in, out] OutDataSize Pointer to contain the size of out data.\r
-\r
-**/\r
-VOID\r
-IpSecCryptoIoAuthDataWithCertificate (\r
- IN UINT8 *InData,\r
- IN UINTN InDataSize,\r
- IN UINT8 *PrivateKey,\r
- IN UINTN PrivateKeySize,\r
- IN UINT8 *KeyPassWord,\r
- IN UINTN KeyPwdSize,\r
- OUT UINT8 **OutData,\r
- IN OUT UINTN *OutDataSize\r
- );\r
-\r
-/**\r
- Verify the singed data with the public key which is contained in a certificate.\r
-\r
- @param[in] InCert Pointer to the Certificate which contains the\r
- public key.\r
- @param[in] CertLen The size of Certificate in bytes.\r
- @param[in] InCa Pointer to the CA certificate\r
- @param[in] CaLen The size of CA certificate in bytes.\r
- @param[in] InData Pointer to octet message hash to be checked.\r
- @param[in] InDataSize Size of the message hash in bytes.\r
- @param[in] Singnature The pointer to the RSA PKCS1-V1_5 signature to be verified.\r
- @param[in] SigSize Size of signature in bytes.\r
-\r
- @retval TRUE Valid signature encoded in PKCS1-v1_5.\r
- @retval FALSE Invalid signature or invalid RSA context.\r
-\r
-**/\r
-BOOLEAN\r
-IpSecCryptoIoVerifySignDataByCertificate (\r
- IN UINT8 *InCert,\r
- IN UINTN CertLen,\r
- IN UINT8 *InCa,\r
- IN UINTN CaLen,\r
- IN UINT8 *InData,\r
- IN UINTN InDataSize,\r
- IN UINT8 *Singnature,\r
- IN UINTN SigSize\r
- );\r
-\r
-/**\r
- Retrieves the RSA Public Key from one X509 certificate (DER format only).\r
-\r
- @param[in] InCert Pointer to the certificate.\r
- @param[in] CertLen The size of the certificate in bytes.\r
- @param[out] PublicKey Pointer to the retrieved public key.\r
- @param[out] PublicKeyLen Size of Public Key in bytes.\r
-\r
- @retval EFI_SUCCESS Successfully get the public Key.\r
- @retval EFI_INVALID_PARAMETER The CA certificate is malformed.\r
-\r
-**/\r
-EFI_STATUS\r
-IpSecCryptoIoGetPublicKeyFromCert (\r
- IN UINT8 *InCert,\r
- IN UINTN CertLen,\r
- OUT UINT8 **PublicKey,\r
- OUT UINTN *PublicKeyLen\r
- );\r
-\r
-/**\r
- Retrieves the subject name from one X509 certificate (DER format only).\r
-\r
- @param[in] InCert Pointer to the X509 certificate.\r
- @param[in] CertSize The size of the X509 certificate in bytes.\r
- @param[out] CertSubject Pointer to the retrieved certificate subject.\r
- @param[out] SubjectSize The size of Certificate Subject in bytes.\r
-\r
- @retval EFI_SUCCESS Retrieved the certificate subject successfully.\r
- @retval EFI_INVALID_PARAMETER The certificate is malformed.\r
-\r
-**/\r
-EFI_STATUS\r
-IpSecCryptoIoGetSubjectFromCert (\r
- IN UINT8 *InCert,\r
- IN UINTN CertSize,\r
- OUT UINT8 **CertSubject,\r
- OUT UINTN *SubjectSize\r
- );\r
-\r
-#endif\r
-\r
+++ /dev/null
-/** @file\r
- The Interfaces of IPsec debug information printing.\r
-\r
- Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>\r
-\r
- SPDX-License-Identifier: BSD-2-Clause-Patent\r
-\r
-**/\r
-\r
-#include "IpSecImpl.h"\r
-#include "IpSecDebug.h"\r
-\r
-//\r
-// The print title for IKEv1 variety phase.\r
-//\r
-CHAR8 *mIkev1StateStr[IKE_STATE_NUM] = {\r
- "IKEv1_MAIN_1",\r
- "IKEv1_MAIN_2",\r
- "IKEv1_MAIN_3",\r
- "IKEv1_MAIN_ESTABLISHED",\r
- "IKEv1_QUICK_1",\r
- "IKEv1_QUICK_2",\r
- "IKEv1_QUICK_ESTABLISHED"\r
-};\r
-\r
-//\r
-// The print title for IKEv2 variety phase.\r
-//\r
-CHAR8 *mIkev2StateStr[IKE_STATE_NUM] = {\r
- "IKEv2_STATE_INIT",\r
- "IKEv2_STATE_AUTH",\r
- "IKEv2_STATE_SA_ESTABLISH",\r
- "IKEv2_STATE_CREATE_CHILD",\r
- "IKEv2_STATE_SA_REKEYING",\r
- "IKEv2_STATE_CHILD_SA_ESTABLISHED",\r
- "IKEv2_STATE_SA_DELETING"\r
-};\r
-\r
-//\r
-// The print title for IKEv1 variety Exchagne.\r
-//\r
-CHAR8 *mExchangeStr[] = {\r
- "IKEv1 Main Exchange",\r
- "IKEv1 Info Exchange",\r
- "IKEv1 Quick Exchange",\r
- "IKEv2 Initial Exchange",\r
- "IKEv2 Auth Exchange",\r
- "IKEv2 Create Child Exchange",\r
- "IKEv2 Info Exchange",\r
- "IKE Unknow Exchange"\r
-};\r
-\r
-//\r
-// The print title for IKEv1 variety Payload.\r
-//\r
-CHAR8 *mIkev1PayloadStr[] = {\r
- "IKEv1 None Payload",\r
- "IKEv1 SA Payload",\r
- "IKEv1 Proposal Payload",\r
- "IKEv1 Transform Payload",\r
- "IKEv1 KE Payload",\r
- "IKEv1 ID Payload",\r
- "IKEv1 Certificate Payload",\r
- "IKEv1 Certificate Request Payload",\r
- "IKEv1 Hash Payload",\r
- "IKEv1 Signature Payload",\r
- "IKEv1 Nonce Payload",\r
- "IKEv1 Notify Payload",\r
- "IKEv1 Delete Payload",\r
- "IKEv1 Vendor Payload"\r
-};\r
-\r
-//\r
-// The print title for IKEv2 variety Payload.\r
-//\r
-CHAR8* mIkev2PayloadStr[] = {\r
- "IKEv2 SA Payload",\r
- "IKEv2 Key Payload",\r
- "IKEv2 Identity Initial Payload",\r
- "IKEv2 Identity Respond Payload",\r
- "IKEv2 Certificate Payload",\r
- "IKEv2 Certificate Request Payload",\r
- "IKEv2 Auth Payload",\r
- "IKEv2 Nonce Payload",\r
- "IKEv2 Notify Payload",\r
- "IKEv2 Delet Payload",\r
- "IKEv2 Vendor Payload",\r
- "IKEv2 Traffic Selector Initiator Payload",\r
- "IKEv2 Traffic Selector Respond Payload",\r
- "IKEv2 Encrypt Payload",\r
- "IKEv2 Configuration Payload",\r
- "IKEv2 Extensible Authentication Payload"\r
-};\r
-\r
-/**\r
- Print the IP address.\r
-\r
- @param[in] Level Debug print error level. Pass to DEBUG().\r
- @param[in] Ip Point to a specified IP address.\r
- @param[in] IpVersion The IP Version.\r
-\r
-**/\r
-VOID\r
-IpSecDumpAddress (\r
- IN UINTN Level,\r
- IN EFI_IP_ADDRESS *Ip,\r
- IN UINT8 IpVersion\r
- )\r
-{\r
- if (IpVersion == IP_VERSION_6) {\r
- DEBUG (\r
- (Level,\r
- "%x%x:%x%x:%x%x:%x%x",\r
- Ip->v6.Addr[0],\r
- Ip->v6.Addr[1],\r
- Ip->v6.Addr[2],\r
- Ip->v6.Addr[3],\r
- Ip->v6.Addr[4],\r
- Ip->v6.Addr[5],\r
- Ip->v6.Addr[6],\r
- Ip->v6.Addr[7])\r
- );\r
- DEBUG (\r
- (Level,\r
- ":%x%x:%x%x:%x%x:%x%x\n",\r
- Ip->v6.Addr[8],\r
- Ip->v6.Addr[9],\r
- Ip->v6.Addr[10],\r
- Ip->v6.Addr[11],\r
- Ip->v6.Addr[12],\r
- Ip->v6.Addr[13],\r
- Ip->v6.Addr[14],\r
- Ip->v6.Addr[15])\r
- );\r
- } else {\r
- DEBUG (\r
- (Level,\r
- "%d.%d.%d.%d\n",\r
- Ip->v4.Addr[0],\r
- Ip->v4.Addr[1],\r
- Ip->v4.Addr[2],\r
- Ip->v4.Addr[3])\r
- );\r
- }\r
-\r
-}\r
-\r
-/**\r
- Print IKE Current states.\r
-\r
- @param[in] Previous The Previous state of IKE.\r
- @param[in] Current The current state of IKE.\r
- @param[in] IkeVersion The version of IKE.\r
-\r
-**/\r
-VOID\r
-IkeDumpState (\r
- IN UINT32 Previous,\r
- IN UINT32 Current,\r
- IN UINT8 IkeVersion\r
- )\r
-{\r
- if (Previous >= IKE_STATE_NUM || Current >= IKE_STATE_NUM) {\r
- return;\r
- }\r
-\r
- if (Previous == Current) {\r
- if (IkeVersion == 1) {\r
- DEBUG ((DEBUG_INFO, "\n****Current state is %a\n", mIkev1StateStr[Previous]));\r
- } else if (IkeVersion == 2) {\r
- DEBUG ((DEBUG_INFO, "\n****Current state is %a\n", mIkev2StateStr[Previous]));\r
- }\r
- } else {\r
- if (IkeVersion == 1) {\r
- DEBUG ((DEBUG_INFO, "\n****Change state from %a to %a\n", mIkev1StateStr[Previous], mIkev1StateStr[Current]));\r
- } else {\r
- DEBUG ((DEBUG_INFO, "\n****Change state from %a to %a\n", mIkev2StateStr[Previous], mIkev2StateStr[Current]));\r
- }\r
- }\r
-}\r
-\r
-/**\r
- Print the IKE Packet.\r
-\r
- @param[in] Packet Point to IKE packet to be printed.\r
- @param[in] Direction Point to the IKE packet is inbound or outbound.\r
- @param[in] IpVersion Specified IP Version.\r
-\r
-**/\r
-VOID\r
-IpSecDumpPacket (\r
- IN IKE_PACKET *Packet,\r
- IN EFI_IPSEC_TRAFFIC_DIR Direction,\r
- IN UINT8 IpVersion\r
- )\r
-{\r
- CHAR8 *TypeStr;\r
- UINTN PacketSize;\r
- UINT64 InitCookie;\r
- UINT64 RespCookie;\r
-\r
- ASSERT (Packet != NULL);\r
-\r
- PacketSize = Packet->PayloadTotalSize + sizeof (IKE_HEADER);\r
- InitCookie = (Direction == EfiIPsecOutBound) ? HTONLL (Packet->Header->InitiatorCookie) : Packet->Header->InitiatorCookie;\r
- RespCookie = (Direction == EfiIPsecOutBound) ? HTONLL (Packet->Header->ResponderCookie) : Packet->Header->ResponderCookie;\r
-\r
- switch (Packet->Header->ExchangeType) {\r
- case IKE_XCG_TYPE_IDENTITY_PROTECT:\r
- TypeStr = mExchangeStr[0];\r
- break;\r
-\r
- case IKE_XCG_TYPE_INFO:\r
- TypeStr = mExchangeStr[1];\r
- break;\r
-\r
- case IKE_XCG_TYPE_QM:\r
- TypeStr = mExchangeStr[2];\r
- break;\r
-\r
- case IKE_XCG_TYPE_SA_INIT:\r
- TypeStr = mExchangeStr[3];\r
- break;\r
-\r
- case IKE_XCG_TYPE_AUTH:\r
- TypeStr = mExchangeStr[4];\r
- break;\r
-\r
- case IKE_XCG_TYPE_CREATE_CHILD_SA:\r
- TypeStr = mExchangeStr[5];\r
- break;\r
-\r
- case IKE_XCG_TYPE_INFO2:\r
- TypeStr = mExchangeStr[6];\r
- break;\r
-\r
- default:\r
- TypeStr = mExchangeStr[7];\r
- break;\r
- }\r
-\r
- if (Direction == EfiIPsecOutBound) {\r
- DEBUG ((DEBUG_INFO, "\n>>>Sending %d bytes %a to ", PacketSize, TypeStr));\r
- } else {\r
- DEBUG ((DEBUG_INFO, "\n>>>Receiving %d bytes %a from ", PacketSize, TypeStr));\r
- }\r
-\r
- IpSecDumpAddress (DEBUG_INFO, &Packet->RemotePeerIp, IpVersion);\r
-\r
- DEBUG ((DEBUG_INFO, " InitiatorCookie:0x%lx ResponderCookie:0x%lx\n", InitCookie, RespCookie));\r
- DEBUG (\r
- (DEBUG_INFO,\r
- " Version: 0x%x Flags:0x%x ExchangeType:0x%x\n",\r
- Packet->Header->Version,\r
- Packet->Header->Flags,\r
- Packet->Header->ExchangeType)\r
- );\r
- DEBUG (\r
- (DEBUG_INFO,\r
- " MessageId:0x%x NextPayload:0x%x\n",\r
- Packet->Header->MessageId,\r
- Packet->Header->NextPayload)\r
- );\r
-\r
-}\r
-\r
-/**\r
- Print the IKE Paylolad.\r
-\r
- @param[in] IkePayload Point to payload to be printed.\r
- @param[in] IkeVersion The specified version of IKE.\r
-\r
-**/\r
-VOID\r
-IpSecDumpPayload (\r
- IN IKE_PAYLOAD *IkePayload,\r
- IN UINT8 IkeVersion\r
- )\r
-{\r
- if (IkeVersion == 1) {\r
- DEBUG ((DEBUG_INFO, "+%a\n", mIkev1PayloadStr[IkePayload->PayloadType]));\r
- } else {\r
- //\r
- // For IKEV2 the first Payload type is started from 33.\r
- //\r
- DEBUG ((DEBUG_INFO, "+%a\n", mIkev2PayloadStr[IkePayload->PayloadType - 33]));\r
- }\r
- IpSecDumpBuf ("Payload data", IkePayload->PayloadBuf, IkePayload->PayloadSize);\r
-}\r
-\r
-/**\r
- Print the buffer in form of Hex.\r
-\r
- @param[in] Title The strings to be printed before the data of the buffer.\r
- @param[in] Data Points to buffer to be printed.\r
- @param[in] DataSize The size of the buffer to be printed.\r
-\r
-**/\r
-VOID\r
-IpSecDumpBuf (\r
- IN CHAR8 *Title,\r
- IN UINT8 *Data,\r
- IN UINTN DataSize\r
- )\r
-{\r
- UINTN Index;\r
- UINTN DataIndex;\r
- UINTN BytesRemaining;\r
- UINTN BytesToPrint;\r
-\r
- DataIndex = 0;\r
- BytesRemaining = DataSize;\r
-\r
- DEBUG ((DEBUG_INFO, "==%a %d bytes==\n", Title, DataSize));\r
-\r
- while (BytesRemaining > 0) {\r
-\r
- BytesToPrint = (BytesRemaining > IPSEC_DEBUG_BYTE_PER_LINE) ? IPSEC_DEBUG_BYTE_PER_LINE : BytesRemaining;\r
-\r
- for (Index = 0; Index < BytesToPrint; Index++) {\r
- DEBUG ((DEBUG_INFO, " 0x%02x,", Data[DataIndex++]));\r
- }\r
-\r
- DEBUG ((DEBUG_INFO, "\n"));\r
- BytesRemaining -= BytesToPrint;\r
- }\r
-\r
-}\r
+++ /dev/null
-/** @file\r
- The definition of functions and MACROs used for IPsec debug information printting.\r
-\r
- Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>\r
-\r
- SPDX-License-Identifier: BSD-2-Clause-Patent\r
-\r
-**/\r
-#ifndef _EFI_IPSEC_DEBUG_H_\r
-#define _EFI_IPSEC_DEBUG_H_\r
-\r
-#include "IkeCommon.h"\r
-#include "IkePacket.h"\r
-\r
-#define IPSEC_DUMP_ADDRESS(Level, Ip, Version) IpSecDumpAddress (Level, Ip, Version)\r
-#define IKEV1_DUMP_STATE(Previous, Current) IkeDumpState (Previous, Current, 1)\r
-#define IKEV2_DUMP_STATE(Previous, Current) IkeDumpState (Previous, Current, 2)\r
-#define IPSEC_DUMP_PACKET(Packet, Direction, IpVersion) IpSecDumpPacket (Packet, Direction, IpVersion)\r
-#define IPSEC_DUMP_PAYLOAD(IkePayload) IpSecDumpPayload (IkePayload, 1)\r
-#define IKEV2_DUMP_PAYLOAD(IkePayload) IpSecDumpPayload (IkePayload, 2)\r
-#define IPSEC_DUMP_BUF(Title, Data, DataSize) IpSecDumpBuf (Title, Data, DataSize)\r
-\r
-#define IPSEC_DEBUG_BYTE_PER_LINE 8\r
-#define IKE_STATE_NUM 7\r
-\r
-\r
-\r
-/**\r
- Print the IP address.\r
-\r
- @param[in] Level Debug print error level. Pass to DEBUG().\r
- @param[in] Ip Point to specified IP address.\r
- @param[in] IpVersion The IP Version.\r
-\r
-**/\r
-VOID\r
-IpSecDumpAddress (\r
- IN UINTN Level,\r
- IN EFI_IP_ADDRESS *Ip,\r
- IN UINT8 IpVersion\r
- );\r
-\r
-/**\r
- Print IKE Current states.\r
-\r
- @param[in] Previous The Previous state of IKE.\r
- @param[in] Current The current state of IKE.\r
- @param[in] IkeVersion The version of IKE.\r
-\r
-**/\r
-VOID\r
-IkeDumpState (\r
- IN UINT32 Previous,\r
- IN UINT32 Current,\r
- IN UINT8 IkeVersion\r
- );\r
-\r
-/**\r
- Print the IKE Packet.\r
-\r
- @param[in] Packet Point to IKE packet to be printed.\r
- @param[in] Direction Point to the IKE packet is inbound or outbound.\r
- @param[in] IpVersion Specified IP Version.\r
-\r
-**/\r
-VOID\r
-IpSecDumpPacket (\r
- IN IKE_PACKET *Packet,\r
- IN EFI_IPSEC_TRAFFIC_DIR Direction,\r
- IN UINT8 IpVersion\r
- );\r
-\r
-/**\r
- Print the IKE Paylolad.\r
-\r
- @param[in] IkePayload Point to payload to be printed.\r
- @param[in] IkeVersion The specified version of IKE.\r
-\r
-**/\r
-VOID\r
-IpSecDumpPayload (\r
- IN IKE_PAYLOAD *IkePayload,\r
- IN UINT8 IkeVersion\r
- );\r
-\r
-/**\r
- Print the buffer in form of Hex.\r
-\r
- @param[in] Title The strings to be printed before the data of the buffer.\r
- @param[in] Data Point to buffer to be printed.\r
- @param[in] DataSize The size of the buffer to be printed.\r
-\r
-**/\r
-VOID\r
-IpSecDumpBuf (\r
- IN CHAR8 *Title,\r
- IN UINT8 *Data,\r
- IN UINTN DataSize\r
- );\r
-\r
-#endif\r
+++ /dev/null
-/** @file\r
- Driver Binding Protocol for IPsec Driver.\r
-\r
- Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>\r
-\r
- SPDX-License-Identifier: BSD-2-Clause-Patent\r
-\r
-**/\r
-\r
-#include <Library/BaseCryptLib.h>\r
-\r
-#include "IpSecConfigImpl.h"\r
-#include "IkeService.h"\r
-#include "IpSecDebug.h"\r
-\r
-/**\r
- Test to see if this driver supports ControllerHandle. This is the worker function\r
- for IpSec4(6)DriverbindingSupported.\r
-\r
- @param[in] This Protocol instance pointer.\r
- @param[in] ControllerHandle Handle of device to test.\r
- @param[in] RemainingDevicePath Optional parameter used to pick a specific child\r
- device to start.\r
- @param[in] IpVersion IP_VERSION_4 or IP_VERSION_6.\r
-\r
- @retval EFI_SUCCES This driver supports this device.\r
- @retval EFI_ALREADY_STARTED This driver is already running on this device.\r
- @retval other This driver does not support this device.\r
-\r
-**/\r
-EFI_STATUS\r
-EFIAPI\r
-IpSecSupported (\r
- IN EFI_DRIVER_BINDING_PROTOCOL *This,\r
- IN EFI_HANDLE ControllerHandle,\r
- IN EFI_DEVICE_PATH_PROTOCOL *RemainingDevicePath OPTIONAL,\r
- IN UINT8 IpVersion\r
- )\r
-{\r
- EFI_STATUS Status;\r
- EFI_GUID *UdpServiceBindingGuid;\r
-\r
- if (IpVersion == IP_VERSION_4) {\r
- UdpServiceBindingGuid = &gEfiUdp4ServiceBindingProtocolGuid;\r
- } else {\r
- UdpServiceBindingGuid = &gEfiUdp6ServiceBindingProtocolGuid;\r
- }\r
-\r
- Status = gBS->OpenProtocol (\r
- ControllerHandle,\r
- UdpServiceBindingGuid,\r
- NULL,\r
- This->DriverBindingHandle,\r
- ControllerHandle,\r
- EFI_OPEN_PROTOCOL_TEST_PROTOCOL\r
- );\r
- if (EFI_ERROR (Status)) {\r
- return EFI_UNSUPPORTED;\r
- }\r
- return EFI_SUCCESS;\r
-}\r
-\r
-/**\r
- Start this driver on ControllerHandle. This is the worker function\r
- for IpSec4(6)DriverbindingStart.\r
-\r
- @param[in] This Protocol instance pointer.\r
- @param[in] ControllerHandle Handle of device to bind driver to.\r
- @param[in] RemainingDevicePath Optional parameter used to pick a specific child\r
- device to start.\r
- @param[in] IpVersion IP_VERSION_4 or IP_VERSION_6.\r
-\r
- @retval EFI_SUCCES This driver is added to ControllerHandle\r
- @retval EFI_ALREADY_STARTED This driver is already running on ControllerHandle\r
- @retval EFI_DEVICE_ERROR The device could not be started due to a device error.\r
- Currently not implemented.\r
- @retval other This driver does not support this device\r
-\r
-**/\r
-EFI_STATUS\r
-EFIAPI\r
-IpSecStart (\r
- IN EFI_DRIVER_BINDING_PROTOCOL *This,\r
- IN EFI_HANDLE ControllerHandle,\r
- IN EFI_DEVICE_PATH_PROTOCOL *RemainingDevicePath OPTIONAL,\r
- IN UINT8 IpVersion\r
- )\r
-{\r
- EFI_IPSEC2_PROTOCOL *IpSec;\r
- EFI_STATUS Status;\r
- IPSEC_PRIVATE_DATA *Private;\r
-\r
- //\r
- // Ipsec protocol should be installed when load image.\r
- //\r
- Status = gBS->LocateProtocol (&gEfiIpSec2ProtocolGuid, NULL, (VOID **) &IpSec);\r
-\r
- if (EFI_ERROR (Status)) {\r
- return Status;\r
- }\r
-\r
- Private = IPSEC_PRIVATE_DATA_FROM_IPSEC (IpSec);\r
-\r
- if (IpVersion == IP_VERSION_4) {\r
- //\r
- // Try to open a udp4 io for input.\r
- //\r
- Status = gBS->OpenProtocol (\r
- ControllerHandle,\r
- &gEfiUdp4ServiceBindingProtocolGuid,\r
- NULL,\r
- This->DriverBindingHandle,\r
- ControllerHandle,\r
- EFI_OPEN_PROTOCOL_TEST_PROTOCOL\r
- );\r
-\r
- if (!EFI_ERROR (Status)) {\r
- Status = IkeOpenInputUdp4 (Private, ControllerHandle, This->DriverBindingHandle);\r
- }\r
- } else {\r
- //\r
- // Try to open a udp6 io for input.\r
- //\r
- Status = gBS->OpenProtocol (\r
- ControllerHandle,\r
- &gEfiUdp6ServiceBindingProtocolGuid,\r
- NULL,\r
- This->DriverBindingHandle,\r
- ControllerHandle,\r
- EFI_OPEN_PROTOCOL_TEST_PROTOCOL\r
- );\r
-\r
- if (!EFI_ERROR (Status)) {\r
- Status = IkeOpenInputUdp6 (Private, ControllerHandle, This->DriverBindingHandle);\r
- }\r
- }\r
-\r
- if (EFI_ERROR (Status)) {\r
- return EFI_DEVICE_ERROR;\r
- }\r
- return EFI_SUCCESS;\r
-}\r
-\r
-/**\r
- Stop this driver on ControllerHandle. This is the worker function\r
- for IpSec4(6)DriverbindingStop.\r
-\r
- @param[in] This Protocol instance pointer.\r
- @param[in] ControllerHandle Handle of a device to stop the driver on.\r
- @param[in] NumberOfChildren Number of Handles in ChildHandleBuffer. If the number of\r
- children is zero, stop the entire bus driver.\r
- @param[in] ChildHandleBuffer List of Child Handles to Stop.\r
- @param[in] IpVersion IP_VERSION_4 or IP_VERSION_6.\r
-\r
- @retval EFI_SUCCES This driver removed ControllerHandle.\r
- @retval other This driver was not removed from this device.\r
-\r
-**/\r
-EFI_STATUS\r
-EFIAPI\r
-IpSecStop (\r
- IN EFI_DRIVER_BINDING_PROTOCOL *This,\r
- IN EFI_HANDLE ControllerHandle,\r
- IN UINTN NumberOfChildren,\r
- IN EFI_HANDLE *ChildHandleBuffer,\r
- IN UINT8 IpVersion\r
- )\r
-{\r
- EFI_IPSEC2_PROTOCOL *IpSec;\r
- EFI_STATUS Status;\r
- IPSEC_PRIVATE_DATA *Private;\r
- IKE_UDP_SERVICE *UdpSrv;\r
- LIST_ENTRY *Entry;\r
- LIST_ENTRY *Next;\r
- IKEV2_SA_SESSION *Ikev2SaSession;\r
-\r
- //\r
- // Locate ipsec protocol to get private data.\r
- //\r
- Status = gBS->LocateProtocol (&gEfiIpSec2ProtocolGuid, NULL, (VOID **) &IpSec);\r
-\r
- if (EFI_ERROR (Status)) {\r
- return Status;\r
- }\r
-\r
- Private = IPSEC_PRIVATE_DATA_FROM_IPSEC (IpSec);\r
-\r
- //\r
- // The SAs are shared by both IP4 and IP6 stack. So we skip the cleanup\r
- // and leave the SAs unchanged if the other IP stack is still running.\r
- //\r
- if ((IpVersion == IP_VERSION_4 && Private->Udp6Num ==0) ||\r
- (IpVersion == IP_VERSION_6 && Private->Udp4Num ==0)) {\r
- //\r
- // If IKEv2 SAs are under establishing, delete it directly.\r
- //\r
- if (!IsListEmpty (&Private->Ikev2SessionList)) {\r
- NET_LIST_FOR_EACH_SAFE (Entry, Next, &Private->Ikev2SessionList) {\r
- Ikev2SaSession = IKEV2_SA_SESSION_BY_SESSION (Entry);\r
- RemoveEntryList (&Ikev2SaSession->BySessionTable);\r
- Ikev2SaSessionFree (Ikev2SaSession);\r
- }\r
- }\r
-\r
- //\r
- // Delete established IKEv2 SAs.\r
- //\r
- if (!IsListEmpty (&Private->Ikev2EstablishedList)) {\r
- NET_LIST_FOR_EACH_SAFE (Entry, Next, &Private->Ikev2EstablishedList) {\r
- Ikev2SaSession = IKEV2_SA_SESSION_BY_SESSION (Entry);\r
- RemoveEntryList (&Ikev2SaSession->BySessionTable);\r
- Ikev2SaSessionFree (Ikev2SaSession);\r
- }\r
- }\r
- }\r
-\r
- if (IpVersion == IP_VERSION_4) {\r
- //\r
- // If has udp4 io opened on the controller, close and free it.\r
- //\r
- NET_LIST_FOR_EACH_SAFE (Entry, Next, &Private->Udp4List) {\r
-\r
- UdpSrv = IPSEC_UDP_SERVICE_FROM_LIST (Entry);\r
- //\r
- // Find the right udp service which installed on the appointed nic handle.\r
- //\r
- if (UdpSrv->Input != NULL && ControllerHandle == UdpSrv->Input->UdpHandle) {\r
- UdpIoFreeIo (UdpSrv->Input);\r
- UdpSrv->Input = NULL;\r
- }\r
-\r
- if (UdpSrv->Output != NULL && ControllerHandle == UdpSrv->Output->UdpHandle) {\r
- UdpIoFreeIo (UdpSrv->Output);\r
- UdpSrv->Output = NULL;\r
- }\r
-\r
- if (UdpSrv->Input == NULL && UdpSrv->Output == NULL) {\r
- RemoveEntryList (&UdpSrv->List);\r
- FreePool (UdpSrv);\r
- ASSERT (Private->Udp4Num > 0);\r
- Private->Udp4Num--;\r
- }\r
- }\r
- } else {\r
- //\r
- // If has udp6 io opened on the controller, close and free it.\r
- //\r
- NET_LIST_FOR_EACH_SAFE (Entry, Next, &Private->Udp6List) {\r
-\r
- UdpSrv = IPSEC_UDP_SERVICE_FROM_LIST (Entry);\r
- //\r
- // Find the right udp service which installed on the appointed nic handle.\r
- //\r
- if (UdpSrv->Input != NULL && ControllerHandle == UdpSrv->Input->UdpHandle) {\r
- UdpIoFreeIo (UdpSrv->Input);\r
- UdpSrv->Input = NULL;\r
- }\r
-\r
- if (UdpSrv->Output != NULL && ControllerHandle == UdpSrv->Output->UdpHandle) {\r
- UdpIoFreeIo (UdpSrv->Output);\r
- UdpSrv->Output = NULL;\r
- }\r
-\r
- if (UdpSrv->Input == NULL && UdpSrv->Output == NULL) {\r
- RemoveEntryList (&UdpSrv->List);\r
- FreePool (UdpSrv);\r
- ASSERT (Private->Udp6Num > 0);\r
- Private->Udp6Num--;\r
- }\r
- }\r
- }\r
-\r
- return EFI_SUCCESS;\r
-}\r
-\r
-/**\r
- Test to see if this driver supports ControllerHandle.\r
-\r
- @param[in] This Protocol instance pointer.\r
- @param[in] ControllerHandle Handle of device to test.\r
- @param[in] RemainingDevicePath Optional parameter used to pick a specific child\r
- device to start.\r
-\r
- @retval EFI_SUCCES This driver supports this device.\r
- @retval EFI_ALREADY_STARTED This driver is already running on this device.\r
- @retval other This driver does not support this device.\r
-\r
-**/\r
-EFI_STATUS\r
-EFIAPI\r
-IpSec4DriverBindingSupported (\r
- IN EFI_DRIVER_BINDING_PROTOCOL *This,\r
- IN EFI_HANDLE ControllerHandle,\r
- IN EFI_DEVICE_PATH_PROTOCOL *RemainingDevicePath OPTIONAL\r
- )\r
-{\r
- return IpSecSupported (\r
- This,\r
- ControllerHandle,\r
- RemainingDevicePath,\r
- IP_VERSION_4\r
- );\r
-}\r
-\r
-/**\r
- Start this driver on ControllerHandle.\r
-\r
- @param[in] This Protocol instance pointer.\r
- @param[in] ControllerHandle Handle of device to bind driver to.\r
- @param[in] RemainingDevicePath Optional parameter used to pick a specific child\r
- device to start.\r
-\r
- @retval EFI_SUCCES This driver is added to ControllerHandle\r
- @retval EFI_ALREADY_STARTED This driver is already running on ControllerHandle\r
- @retval EFI_DEVICE_ERROR The device could not be started due to a device error.\r
- Currently not implemented.\r
- @retval other This driver does not support this device\r
-\r
-**/\r
-EFI_STATUS\r
-EFIAPI\r
-IpSec4DriverBindingStart (\r
- IN EFI_DRIVER_BINDING_PROTOCOL *This,\r
- IN EFI_HANDLE ControllerHandle,\r
- IN EFI_DEVICE_PATH_PROTOCOL *RemainingDevicePath OPTIONAL\r
- )\r
-{\r
- return IpSecStart (\r
- This,\r
- ControllerHandle,\r
- RemainingDevicePath,\r
- IP_VERSION_4\r
- );\r
-}\r
-\r
-/**\r
- Stop this driver on ControllerHandle.\r
-\r
- @param[in] This Protocol instance pointer.\r
- @param[in] ControllerHandle Handle of a device to stop the driver on.\r
- @param[in] NumberOfChildren Number of Handles in ChildHandleBuffer. If the number of\r
- children is zero, stop the entire bus driver.\r
- @param[in] ChildHandleBuffer List of Child Handles to Stop.\r
-\r
- @retval EFI_SUCCES This driver removed ControllerHandle.\r
- @retval other This driver was not removed from this device.\r
-\r
-**/\r
-EFI_STATUS\r
-EFIAPI\r
-IpSec4DriverBindingStop (\r
- IN EFI_DRIVER_BINDING_PROTOCOL *This,\r
- IN EFI_HANDLE ControllerHandle,\r
- IN UINTN NumberOfChildren,\r
- IN EFI_HANDLE *ChildHandleBuffer\r
- )\r
-{\r
- return IpSecStop (\r
- This,\r
- ControllerHandle,\r
- NumberOfChildren,\r
- ChildHandleBuffer,\r
- IP_VERSION_4\r
- );\r
-}\r
-\r
-/**\r
- Test to see if this driver supports ControllerHandle.\r
-\r
- @param[in] This Protocol instance pointer.\r
- @param[in] ControllerHandle Handle of device to test.\r
- @param[in] RemainingDevicePath Optional parameter used to pick a specific child\r
- device to start.\r
-\r
- @retval EFI_SUCCES This driver supports this device.\r
- @retval EFI_ALREADY_STARTED This driver is already running on this device.\r
- @retval other This driver does not support this device.\r
-\r
-**/\r
-EFI_STATUS\r
-EFIAPI\r
-IpSec6DriverBindingSupported (\r
- IN EFI_DRIVER_BINDING_PROTOCOL *This,\r
- IN EFI_HANDLE ControllerHandle,\r
- IN EFI_DEVICE_PATH_PROTOCOL *RemainingDevicePath OPTIONAL\r
- )\r
-{\r
- return IpSecSupported (\r
- This,\r
- ControllerHandle,\r
- RemainingDevicePath,\r
- IP_VERSION_6\r
- );\r
-}\r
-\r
-/**\r
- Start this driver on ControllerHandle.\r
-\r
- @param[in] This Protocol instance pointer.\r
- @param[in] ControllerHandle Handle of device to bind driver to.\r
- @param[in] RemainingDevicePath Optional parameter used to pick a specific child\r
- device to start.\r
-\r
- @retval EFI_SUCCES This driver is added to ControllerHandle\r
- @retval EFI_ALREADY_STARTED This driver is already running on ControllerHandle\r
- @retval EFI_DEVICE_ERROR The device could not be started due to a device error.\r
- Currently not implemented.\r
- @retval other This driver does not support this device\r
-\r
-**/\r
-EFI_STATUS\r
-EFIAPI\r
-IpSec6DriverBindingStart (\r
- IN EFI_DRIVER_BINDING_PROTOCOL *This,\r
- IN EFI_HANDLE ControllerHandle,\r
- IN EFI_DEVICE_PATH_PROTOCOL *RemainingDevicePath OPTIONAL\r
- )\r
-{\r
- return IpSecStart (\r
- This,\r
- ControllerHandle,\r
- RemainingDevicePath,\r
- IP_VERSION_6\r
- );\r
-}\r
-\r
-/**\r
- Stop this driver on ControllerHandle.\r
-\r
- @param[in] This Protocol instance pointer.\r
- @param[in] ControllerHandle Handle of a device to stop the driver on.\r
- @param[in] NumberOfChildren Number of Handles in ChildHandleBuffer. If the number of\r
- children is zero, stop the entire bus driver.\r
- @param[in] ChildHandleBuffer List of Child Handles to Stop.\r
-\r
- @retval EFI_SUCCES This driver removed ControllerHandle.\r
- @retval other This driver was not removed from this device.\r
-\r
-**/\r
-EFI_STATUS\r
-EFIAPI\r
-IpSec6DriverBindingStop (\r
- IN EFI_DRIVER_BINDING_PROTOCOL *This,\r
- IN EFI_HANDLE ControllerHandle,\r
- IN UINTN NumberOfChildren,\r
- IN EFI_HANDLE *ChildHandleBuffer\r
- )\r
-{\r
- return IpSecStop (\r
- This,\r
- ControllerHandle,\r
- NumberOfChildren,\r
- ChildHandleBuffer,\r
- IP_VERSION_6\r
- );\r
-}\r
-\r
-EFI_DRIVER_BINDING_PROTOCOL gIpSec4DriverBinding = {\r
- IpSec4DriverBindingSupported,\r
- IpSec4DriverBindingStart,\r
- IpSec4DriverBindingStop,\r
- 0xa,\r
- NULL,\r
- NULL\r
-};\r
-\r
-EFI_DRIVER_BINDING_PROTOCOL gIpSec6DriverBinding = {\r
- IpSec6DriverBindingSupported,\r
- IpSec6DriverBindingStart,\r
- IpSec6DriverBindingStop,\r
- 0xa,\r
- NULL,\r
- NULL\r
-};\r
-\r
-/**\r
- This is a callback function when the mIpSecInstance.DisabledEvent is signaled.\r
-\r
- @param[in] Event Event whose notification function is being invoked.\r
- @param[in] Context Pointer to the notification function's context.\r
-\r
-**/\r
-VOID\r
-EFIAPI\r
-IpSecCleanupAllSa (\r
- IN EFI_EVENT Event,\r
- IN VOID *Context\r
- )\r
-{\r
- IPSEC_PRIVATE_DATA *Private;\r
- Private = (IPSEC_PRIVATE_DATA *) Context;\r
- Private->IsIPsecDisabling = TRUE;\r
- IkeDeleteAllSas (Private, TRUE);\r
-}\r
-\r
-/**\r
- This is the declaration of an EFI image entry point. This entry point is\r
- the same for UEFI Applications, UEFI OS Loaders, and UEFI Drivers, including\r
- both device drivers and bus drivers.\r
-\r
- The entry point for IPsec driver which installs the driver binding,\r
- component name protocol, IPsec Config protcolon, and IPsec protocol in\r
- its ImageHandle.\r
-\r
- @param[in] ImageHandle The firmware allocated handle for the UEFI image.\r
- @param[in] SystemTable A pointer to the EFI System Table.\r
-\r
- @retval EFI_SUCCESS The operation completed successfully.\r
- @retval EFI_ALREADY_STARTED The IPsec driver has been already loaded.\r
- @retval EFI_OUT_OF_RESOURCES The request could not be completed due to a lack of resources.\r
- @retval Others The operation is failed.\r
-\r
-**/\r
-EFI_STATUS\r
-EFIAPI\r
-IpSecDriverEntryPoint (\r
- IN EFI_HANDLE ImageHandle,\r
- IN EFI_SYSTEM_TABLE *SystemTable\r
- )\r
-{\r
- EFI_STATUS Status;\r
- IPSEC_PRIVATE_DATA *Private;\r
- EFI_IPSEC2_PROTOCOL *IpSec;\r
-\r
- //\r
- // Check whether ipsec protocol has already been installed.\r
- //\r
- Status = gBS->LocateProtocol (&gEfiIpSec2ProtocolGuid, NULL, (VOID **) &IpSec);\r
-\r
- if (!EFI_ERROR (Status)) {\r
- DEBUG ((DEBUG_WARN, "_ModuleEntryPoint: IpSec has been already loaded\n"));\r
- Status = EFI_ALREADY_STARTED;\r
- goto ON_EXIT;\r
- }\r
-\r
- Status = gBS->LocateProtocol (&gEfiDpcProtocolGuid, NULL, (VOID **) &mDpc);\r
-\r
- if (EFI_ERROR (Status)) {\r
- DEBUG ((DEBUG_ERROR, "_ModuleEntryPoint: Failed to locate EfiDpcProtocol\n"));\r
- goto ON_EXIT;\r
- }\r
-\r
- Private = AllocateZeroPool (sizeof (IPSEC_PRIVATE_DATA));\r
-\r
- if (Private == NULL) {\r
- DEBUG ((DEBUG_ERROR, "_ModuleEntryPoint: Failed to allocate private data\n"));\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto ON_EXIT;\r
- }\r
- //\r
- // Create disable event to cleanup all SA when ipsec disabled by user.\r
- //\r
- Status = gBS->CreateEvent (\r
- EVT_NOTIFY_SIGNAL,\r
- TPL_CALLBACK,\r
- IpSecCleanupAllSa,\r
- Private,\r
- &mIpSecInstance.DisabledEvent\r
- );\r
- if (EFI_ERROR (Status)) {\r
- DEBUG ((DEBUG_ERROR, "_ModuleEntryPoint: Failed to create disable event\n"));\r
- goto ON_FREE_PRIVATE;\r
- }\r
-\r
- Private->Signature = IPSEC_PRIVATE_DATA_SIGNATURE;\r
- Private->ImageHandle = ImageHandle;\r
- CopyMem (&Private->IpSec, &mIpSecInstance, sizeof (EFI_IPSEC2_PROTOCOL));\r
-\r
- //\r
- // Initilize Private's members. Thess members is used for IKE.\r
- //\r
- InitializeListHead (&Private->Udp4List);\r
- InitializeListHead (&Private->Udp6List);\r
- InitializeListHead (&Private->Ikev1SessionList);\r
- InitializeListHead (&Private->Ikev1EstablishedList);\r
- InitializeListHead (&Private->Ikev2SessionList);\r
- InitializeListHead (&Private->Ikev2EstablishedList);\r
-\r
- RandomSeed (NULL, 0);\r
- //\r
- // Initialize the ipsec config data and restore it from variable.\r
- //\r
- Status = IpSecConfigInitialize (Private);\r
- if (EFI_ERROR (Status)) {\r
- DEBUG ((DEBUG_ERROR, "_ModuleEntryPoint: Failed to initialize IpSecConfig\n"));\r
- goto ON_CLOSE_EVENT;\r
- }\r
- //\r
- // Install ipsec protocol which is used by ip driver to process ipsec header.\r
- //\r
- Status = gBS->InstallMultipleProtocolInterfaces (\r
- &Private->Handle,\r
- &gEfiIpSec2ProtocolGuid,\r
- &Private->IpSec,\r
- NULL\r
- );\r
- if (EFI_ERROR (Status)) {\r
- goto ON_UNINSTALL_CONFIG;\r
- }\r
-\r
- Status = EfiLibInstallDriverBindingComponentName2 (\r
- ImageHandle,\r
- SystemTable,\r
- &gIpSec4DriverBinding,\r
- ImageHandle,\r
- &gIpSecComponentName,\r
- &gIpSecComponentName2\r
- );\r
- if (EFI_ERROR (Status)) {\r
- goto ON_UNINSTALL_IPSEC;\r
- }\r
-\r
- Status = EfiLibInstallDriverBindingComponentName2 (\r
- ImageHandle,\r
- SystemTable,\r
- &gIpSec6DriverBinding,\r
- NULL,\r
- &gIpSecComponentName,\r
- &gIpSecComponentName2\r
- );\r
- if (EFI_ERROR (Status)) {\r
- goto ON_UNINSTALL_IPSEC4_DB;\r
- }\r
-\r
- return Status;\r
-\r
-ON_UNINSTALL_IPSEC4_DB:\r
- EfiLibUninstallDriverBindingComponentName2 (\r
- &gIpSec4DriverBinding,\r
- &gIpSecComponentName,\r
- &gIpSecComponentName2\r
- );\r
-\r
-ON_UNINSTALL_IPSEC:\r
- gBS->UninstallProtocolInterface (\r
- Private->Handle,\r
- &gEfiIpSec2ProtocolGuid,\r
- &Private->IpSec\r
- );\r
-ON_UNINSTALL_CONFIG:\r
- gBS->UninstallProtocolInterface (\r
- Private->Handle,\r
- &gEfiIpSecConfigProtocolGuid,\r
- &Private->IpSecConfig\r
- );\r
-ON_CLOSE_EVENT:\r
- gBS->CloseEvent (mIpSecInstance.DisabledEvent);\r
- mIpSecInstance.DisabledEvent = NULL;\r
-ON_FREE_PRIVATE:\r
- FreePool (Private);\r
-ON_EXIT:\r
- return Status;\r
-}\r
-\r
+++ /dev/null
-## @file\r
-# Packet-level security for IP datagram.\r
-#\r
-# This driver provides EFI IPsec2 Protocol which is used to abstract the ability\r
-# to deal with the individual packets sent and received by the host and provide\r
-# packet-level security for IP datagram. It provides the IP packet protection via\r
-# ESP and it supports IKEv2 for key negotiation.\r
-#\r
-# Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>\r
-#\r
-# SPDX-License-Identifier: BSD-2-Clause-Patent\r
-#\r
-##\r
-\r
-[Defines]\r
- INF_VERSION = 0x00010005\r
- BASE_NAME = IpSecDxe\r
- FILE_GUID = EE8367C0-A1D6-4565-8F89-EF628547B722\r
- MODULE_TYPE = UEFI_DRIVER\r
- VERSION_STRING = 1.0\r
-\r
- ENTRY_POINT = IpSecDriverEntryPoint\r
- MODULE_UNI_FILE = IpSecDxe.uni\r
-\r
-#\r
-# The following information is for reference only and not required by the build tools.\r
-#\r
-# VALID_ARCHITECTURES = IA32 X64 EBC\r
-#\r
-\r
-[Sources]\r
- IpSecConfigImpl.c\r
- IpSecConfigImpl.h\r
- IpSecCryptIo.h\r
- IpSecCryptIo.c\r
- IpSecDebug.h\r
- ComponentName.c\r
- IkeCommon.h\r
- IpSecImpl.c\r
- IkeService.c\r
- Ike.h\r
- IkePacket.h\r
- IkePacket.c\r
- IpSecDebug.c\r
- IpSecMain.c\r
- IpSecDriver.c\r
- IkeCommon.c\r
- IetfConstants.c\r
- IpSecImpl.h\r
- IkeService.h\r
- Ikev2/Ikev2.h\r
- Ikev2/Payload.h\r
- Ikev2/Utility.h\r
- Ikev2/Utility.c\r
- Ikev2/Sa.c\r
- Ikev2/ChildSa.c\r
- Ikev2/Info.c\r
- Ikev2/Payload.c\r
- Ikev2/Exchange.c\r
-\r
-\r
-\r
-[Packages]\r
- MdePkg/MdePkg.dec\r
- MdeModulePkg/MdeModulePkg.dec\r
- CryptoPkg/CryptoPkg.dec\r
- NetworkPkg/NetworkPkg.dec\r
-\r
-[LibraryClasses]\r
- MemoryAllocationLib\r
- BaseLib\r
- UefiLib\r
- UefiBootServicesTableLib\r
- UefiRuntimeServicesTableLib\r
- UefiDriverEntryPoint\r
- BaseMemoryLib\r
- DebugLib\r
- PrintLib\r
- BaseCryptLib\r
- DpcLib\r
- UdpIoLib\r
- NetLib\r
- PcdLib\r
-\r
-[Protocols]\r
- gEfiIp4Config2ProtocolGuid ## SOMETIMES_CONSUMES\r
- gEfiUdp4ServiceBindingProtocolGuid ## SOMETIMES_CONSUMES\r
- gEfiUdp4ProtocolGuid ## SOMETIMES_CONSUMES\r
- gEfiUdp6ServiceBindingProtocolGuid ## SOMETIMES_CONSUMES\r
- gEfiUdp6ProtocolGuid ## SOMETIMES_CONSUMES\r
- gEfiIpSecConfigProtocolGuid ## PRODUCES\r
- gEfiIpSec2ProtocolGuid ## PRODUCES\r
-\r
-[Pcd]\r
- gEfiNetworkPkgTokenSpaceGuid.PcdIpsecCertificateEnabled ## SOMETIMES_CONSUMES\r
- gEfiNetworkPkgTokenSpaceGuid.PcdIpsecUefiCaFile ## SOMETIMES_CONSUMES\r
- gEfiNetworkPkgTokenSpaceGuid.PcdIpsecUefiCaFileSize ## SOMETIMES_CONSUMES\r
- gEfiNetworkPkgTokenSpaceGuid.PcdIpsecUefiCertificate ## SOMETIMES_CONSUMES\r
- gEfiNetworkPkgTokenSpaceGuid.PcdIpsecUefiCertificateSize ## SOMETIMES_CONSUMES\r
- gEfiNetworkPkgTokenSpaceGuid.PcdIpsecUefiCertificateKey ## SOMETIMES_CONSUMES\r
- gEfiNetworkPkgTokenSpaceGuid.PcdIpsecUefiCertificateKeySize ## SOMETIMES_CONSUMES\r
-\r
-[UserExtensions.TianoCore."ExtraFiles"]\r
- IpSecDxeExtra.uni\r
+++ /dev/null
-// /** @file\r
-// Packet-level security for IP datagram.\r
-//\r
-// This driver provides EFI IPsec2 Protocol which is used to abstract the ability\r
-// to deal with the individual packets sent and received by the host and provide\r
-// packet-level security for IP datagram. It provides the IP packet protection via\r
-// ESP and it supports IKEv2 for key negotiation.\r
-//\r
-// Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>\r
-//\r
-// SPDX-License-Identifier: BSD-2-Clause-Patent\r
-//\r
-// **/\r
-\r
-\r
-#string STR_MODULE_ABSTRACT #language en-US "Packet-level security for IP datagram"\r
-\r
-#string STR_MODULE_DESCRIPTION #language en-US "This driver provides EFI IPsec2 Protocol which is used to abstract the ability to deal with the individual packets sent and received by the host and provide packet-level security for IP datagram. It provides the IP packet protection via ESP and it supports IKEv2 for key negotiation."\r
-\r
+++ /dev/null
-// /** @file\r
-// IpSecDxe Localized Strings and Content\r
-//\r
-// Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.<BR>\r
-//\r
-// SPDX-License-Identifier: BSD-2-Clause-Patent\r
-//\r
-// **/\r
-\r
-#string STR_PROPERTIES_MODULE_NAME\r
-#language en-US\r
-"IpSec DXE"\r
-\r
-\r
+++ /dev/null
-/** @file\r
- The implementation of IPsec.\r
-\r
- (C) Copyright 2015 Hewlett-Packard Development Company, L.P.<BR>\r
- Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>\r
-\r
- SPDX-License-Identifier: BSD-2-Clause-Patent\r
-\r
-**/\r
-\r
-#include "IpSecImpl.h"\r
-#include "IkeService.h"\r
-#include "IpSecDebug.h"\r
-#include "IpSecCryptIo.h"\r
-#include "IpSecConfigImpl.h"\r
-\r
-/**\r
- Check if the specified Address is the Valid Address Range.\r
-\r
- This function checks if the bytes after prefixed length are all Zero in this\r
- Address. This Address is supposed to point to a range address. That means it\r
- should gives the correct prefixed address and the bytes outside the prefixed are\r
- zero.\r
-\r
- @param[in] IpVersion The IP version.\r
- @param[in] Address Points to EFI_IP_ADDRESS to be checked.\r
- @param[in] PrefixLength The PrefixeLength of this address.\r
-\r
- @retval TRUE The address is a vaild address range.\r
- @retval FALSE The address is not a vaild address range.\r
-\r
-**/\r
-BOOLEAN\r
-IpSecValidAddressRange (\r
- IN UINT8 IpVersion,\r
- IN EFI_IP_ADDRESS *Address,\r
- IN UINT8 PrefixLength\r
- )\r
-{\r
- UINT8 Div;\r
- UINT8 Mod;\r
- UINT8 Mask;\r
- UINT8 AddrLen;\r
- UINT8 *Addr;\r
- EFI_IP_ADDRESS ZeroAddr;\r
-\r
- if (PrefixLength == 0) {\r
- return TRUE;\r
- }\r
-\r
- AddrLen = (UINT8) ((IpVersion == IP_VERSION_4) ? 32 : 128);\r
-\r
- if (AddrLen <= PrefixLength) {\r
- return FALSE;\r
- }\r
-\r
- Div = (UINT8) (PrefixLength / 8);\r
- Mod = (UINT8) (PrefixLength % 8);\r
- Addr = (UINT8 *) Address;\r
- ZeroMem (&ZeroAddr, sizeof (EFI_IP_ADDRESS));\r
-\r
- //\r
- // Check whether the mod part of host scope is zero or not.\r
- //\r
- if (Mod > 0) {\r
- Mask = (UINT8) (0xFF << (8 - Mod));\r
-\r
- if ((Addr[Div] | Mask) != Mask) {\r
- return FALSE;\r
- }\r
-\r
- Div++;\r
- }\r
- //\r
- // Check whether the div part of host scope is zero or not.\r
- //\r
- if (CompareMem (\r
- &Addr[Div],\r
- &ZeroAddr,\r
- sizeof (EFI_IP_ADDRESS) - Div\r
- ) != 0) {\r
- return FALSE;\r
- }\r
-\r
- return TRUE;\r
-}\r
-\r
-/**\r
- Extrct the Address Range from a Address.\r
-\r
- This function keep the prefix address and zero other part address.\r
-\r
- @param[in] Address Point to a specified address.\r
- @param[in] PrefixLength The prefix length.\r
- @param[out] Range Contain the return Address Range.\r
-\r
-**/\r
-VOID\r
-IpSecExtractAddressRange (\r
- IN EFI_IP_ADDRESS *Address,\r
- IN UINT8 PrefixLength,\r
- OUT EFI_IP_ADDRESS *Range\r
- )\r
-{\r
- UINT8 Div;\r
- UINT8 Mod;\r
- UINT8 Mask;\r
- UINT8 *Addr;\r
-\r
- if (PrefixLength == 0) {\r
- return ;\r
- }\r
-\r
- Div = (UINT8) (PrefixLength / 8);\r
- Mod = (UINT8) (PrefixLength % 8);\r
- Addr = (UINT8 *) Range;\r
-\r
- CopyMem (Range, Address, sizeof (EFI_IP_ADDRESS));\r
-\r
- //\r
- // Zero the mod part of host scope.\r
- //\r
- if (Mod > 0) {\r
- Mask = (UINT8) (0xFF << (8 - Mod));\r
- Addr[Div] = (UINT8) (Addr[Div] & Mask);\r
- Div++;\r
- }\r
- //\r
- // Zero the div part of host scope.\r
- //\r
- ZeroMem (&Addr[Div], sizeof (EFI_IP_ADDRESS) - Div);\r
-\r
-}\r
-\r
-/**\r
- Checks if the IP Address in the address range of AddressInfos specified.\r
-\r
- @param[in] IpVersion The IP version.\r
- @param[in] IpAddr Point to EFI_IP_ADDRESS to be check.\r
- @param[in] AddressInfo A list of EFI_IP_ADDRESS_INFO that is used to check\r
- the IP Address is matched.\r
- @param[in] AddressCount The total numbers of the AddressInfo.\r
-\r
- @retval TRUE If the Specified IP Address is in the range of the AddressInfos specified.\r
- @retval FALSE If the Specified IP Address is not in the range of the AddressInfos specified.\r
-\r
-**/\r
-BOOLEAN\r
-IpSecMatchIpAddress (\r
- IN UINT8 IpVersion,\r
- IN EFI_IP_ADDRESS *IpAddr,\r
- IN EFI_IP_ADDRESS_INFO *AddressInfo,\r
- IN UINT32 AddressCount\r
- )\r
-{\r
- EFI_IP_ADDRESS Range;\r
- UINT32 Index;\r
- BOOLEAN IsMatch;\r
-\r
- IsMatch = FALSE;\r
-\r
- for (Index = 0; Index < AddressCount; Index++) {\r
- //\r
- // Check whether the target address is in the address range\r
- // if it's a valid range of address.\r
- //\r
- if (IpSecValidAddressRange (\r
- IpVersion,\r
- &AddressInfo[Index].Address,\r
- AddressInfo[Index].PrefixLength\r
- )) {\r
- //\r
- // Get the range of the target address belongs to.\r
- //\r
- ZeroMem (&Range, sizeof (EFI_IP_ADDRESS));\r
- IpSecExtractAddressRange (\r
- IpAddr,\r
- AddressInfo[Index].PrefixLength,\r
- &Range\r
- );\r
-\r
- if (CompareMem (\r
- &Range,\r
- &AddressInfo[Index].Address,\r
- sizeof (EFI_IP_ADDRESS)\r
- ) == 0) {\r
- //\r
- // The target address is in the address range.\r
- //\r
- IsMatch = TRUE;\r
- break;\r
- }\r
- }\r
-\r
- if (CompareMem (\r
- IpAddr,\r
- &AddressInfo[Index].Address,\r
- sizeof (EFI_IP_ADDRESS)\r
- ) == 0) {\r
- //\r
- // The target address is exact same as the address.\r
- //\r
- IsMatch = TRUE;\r
- break;\r
- }\r
- }\r
- return IsMatch;\r
-}\r
-\r
-/**\r
- Check if the specified Protocol and Prot is supported by the specified SPD Entry.\r
-\r
- This function is the subfunction of IPsecLookUpSpdEntry() that is used to\r
- check if the sent/received IKE packet has the related SPD entry support.\r
-\r
- @param[in] Protocol The Protocol to be checked.\r
- @param[in] IpPayload Point to IP Payload to be check.\r
- @param[in] SpdProtocol The Protocol supported by SPD.\r
- @param[in] SpdLocalPort The Local Port in SPD.\r
- @param[in] SpdRemotePort The Remote Port in SPD.\r
- @param[in] IsOutbound Flag to indicate the is for IKE Packet sending or recieving.\r
-\r
- @retval TRUE The Protocol and Port are supported by the SPD Entry.\r
- @retval FALSE The Protocol and Port are not supported by the SPD Entry.\r
-\r
-**/\r
-BOOLEAN\r
-IpSecMatchNextLayerProtocol (\r
- IN UINT8 Protocol,\r
- IN UINT8 *IpPayload,\r
- IN UINT16 SpdProtocol,\r
- IN UINT16 SpdLocalPort,\r
- IN UINT16 SpdRemotePort,\r
- IN BOOLEAN IsOutbound\r
- )\r
-{\r
- BOOLEAN IsMatch;\r
-\r
- if (SpdProtocol == EFI_IPSEC_ANY_PROTOCOL) {\r
- return TRUE;\r
- }\r
-\r
- IsMatch = FALSE;\r
-\r
- if (SpdProtocol == Protocol) {\r
- switch (Protocol) {\r
- case EFI_IP_PROTO_UDP:\r
- case EFI_IP_PROTO_TCP:\r
- //\r
- // For udp and tcp, (0, 0) means no need to check local and remote\r
- // port. The payload is passed from upper level, which means it should\r
- // be in network order.\r
- //\r
- IsMatch = (BOOLEAN) (SpdLocalPort == 0 && SpdRemotePort == 0);\r
- IsMatch = (BOOLEAN) (IsMatch ||\r
- (IsOutbound &&\r
- (BOOLEAN)(\r
- NTOHS (((EFI_UDP_HEADER *) IpPayload)->SrcPort) == SpdLocalPort &&\r
- NTOHS (((EFI_UDP_HEADER *) IpPayload)->DstPort) == SpdRemotePort\r
- )\r
- ));\r
-\r
- IsMatch = (BOOLEAN) (IsMatch ||\r
- (!IsOutbound &&\r
- (BOOLEAN)(\r
- NTOHS (((EFI_UDP_HEADER *) IpPayload)->DstPort) == SpdLocalPort &&\r
- NTOHS (((EFI_UDP_HEADER *) IpPayload)->SrcPort) == SpdRemotePort\r
- )\r
- ));\r
- break;\r
-\r
- case EFI_IP_PROTO_ICMP:\r
- //\r
- // For icmpv4, type code is replaced with local port and remote port,\r
- // and (0, 0) means no need to check.\r
- //\r
- IsMatch = (BOOLEAN) (SpdLocalPort == 0 && SpdRemotePort == 0);\r
- IsMatch = (BOOLEAN) (IsMatch ||\r
- (BOOLEAN) (((IP4_ICMP_HEAD *) IpPayload)->Type == SpdLocalPort &&\r
- ((IP4_ICMP_HEAD *) IpPayload)->Code == SpdRemotePort\r
- )\r
- );\r
- break;\r
-\r
- case IP6_ICMP:\r
- //\r
- // For icmpv6, type code is replaced with local port and remote port,\r
- // and (0, 0) means no need to check.\r
- //\r
- IsMatch = (BOOLEAN) (SpdLocalPort == 0 && SpdRemotePort == 0);\r
-\r
- IsMatch = (BOOLEAN) (IsMatch ||\r
- (BOOLEAN) (((IP6_ICMP_HEAD *) IpPayload)->Type == SpdLocalPort &&\r
- ((IP6_ICMP_HEAD *) IpPayload)->Code == SpdRemotePort\r
- )\r
- );\r
- break;\r
-\r
- default:\r
- IsMatch = TRUE;\r
- break;\r
- }\r
- }\r
-\r
- return IsMatch;\r
-}\r
-\r
-/**\r
- Find the SAD through a specified SPD's SAD list.\r
-\r
- @param[in] SadList SAD list related to a specified SPD entry.\r
- @param[in] DestAddress The destination address used to find the SAD entry.\r
- @param[in] IpVersion The IP version. Ip4 or Ip6.\r
-\r
- @return The pointer to a certain SAD entry.\r
-\r
-**/\r
-IPSEC_SAD_ENTRY *\r
-IpSecLookupSadBySpd (\r
- IN LIST_ENTRY *SadList,\r
- IN EFI_IP_ADDRESS *DestAddress,\r
- IN UINT8 IpVersion\r
- )\r
-{\r
- LIST_ENTRY *Entry;\r
- IPSEC_SAD_ENTRY *SadEntry;\r
-\r
- NET_LIST_FOR_EACH (Entry, SadList) {\r
-\r
- SadEntry = IPSEC_SAD_ENTRY_FROM_SPD (Entry);\r
- //\r
- // Find the right SAD entry which contains the appointed dest address.\r
- //\r
- if (IpSecMatchIpAddress (\r
- IpVersion,\r
- DestAddress,\r
- SadEntry->Data->SpdSelector->RemoteAddress,\r
- SadEntry->Data->SpdSelector->RemoteAddressCount\r
- )){\r
- return SadEntry;\r
- }\r
- }\r
-\r
- return NULL;\r
-}\r
-\r
-/**\r
- Find the SAD through whole SAD list.\r
-\r
- @param[in] Spi The SPI used to search the SAD entry.\r
- @param[in] DestAddress The destination used to search the SAD entry.\r
- @param[in] IpVersion The IP version. Ip4 or Ip6.\r
-\r
- @return the pointer to a certain SAD entry.\r
-\r
-**/\r
-IPSEC_SAD_ENTRY *\r
-IpSecLookupSadBySpi (\r
- IN UINT32 Spi,\r
- IN EFI_IP_ADDRESS *DestAddress,\r
- IN UINT8 IpVersion\r
- )\r
-{\r
- LIST_ENTRY *Entry;\r
- LIST_ENTRY *SadList;\r
- IPSEC_SAD_ENTRY *SadEntry;\r
-\r
- SadList = &mConfigData[IPsecConfigDataTypeSad];\r
-\r
- NET_LIST_FOR_EACH (Entry, SadList) {\r
-\r
- SadEntry = IPSEC_SAD_ENTRY_FROM_LIST (Entry);\r
-\r
- //\r
- // Find the right SAD entry which contain the appointed spi and dest addr.\r
- //\r
- if (SadEntry->Id->Spi == Spi) {\r
- if (SadEntry->Data->Mode == EfiIPsecTunnel) {\r
- if (CompareMem (\r
- &DestAddress,\r
- &SadEntry->Data->TunnelDestAddress,\r
- sizeof (EFI_IP_ADDRESS)\r
- )) {\r
- return SadEntry;\r
- }\r
- } else {\r
- if (SadEntry->Data->SpdSelector != NULL &&\r
- IpSecMatchIpAddress (\r
- IpVersion,\r
- DestAddress,\r
- SadEntry->Data->SpdSelector->RemoteAddress,\r
- SadEntry->Data->SpdSelector->RemoteAddressCount\r
- )\r
- ) {\r
- return SadEntry;\r
- }\r
- }\r
- }\r
- }\r
- return NULL;\r
-}\r
-\r
-/**\r
- Look up if there is existing SAD entry for specified IP packet sending.\r
-\r
- This function is called by the IPsecProcess when there is some IP packet needed to\r
- send out. This function checks if there is an existing SAD entry that can be serviced\r
- to this IP packet sending. If no existing SAD entry could be used, this\r
- function will invoke an IPsec Key Exchange Negotiation.\r
-\r
- @param[in] Private Points to private data.\r
- @param[in] NicHandle Points to a NIC handle.\r
- @param[in] IpVersion The version of IP.\r
- @param[in] IpHead The IP Header of packet to be sent out.\r
- @param[in] IpPayload The IP Payload to be sent out.\r
- @param[in] OldLastHead The Last protocol of the IP packet.\r
- @param[in] SpdEntry Points to a related SPD entry.\r
- @param[out] SadEntry Contains the Point of a related SAD entry.\r
-\r
- @retval EFI_DEVICE_ERROR One of following conditions is TRUE:\r
- - If don't find related UDP service.\r
- - Sequence Number is used up.\r
- - Extension Sequence Number is used up.\r
- @retval EFI_NOT_READY No existing SAD entry could be used.\r
- @retval EFI_SUCCESS Find the related SAD entry.\r
-\r
-**/\r
-EFI_STATUS\r
-IpSecLookupSadEntry (\r
- IN IPSEC_PRIVATE_DATA *Private,\r
- IN EFI_HANDLE NicHandle,\r
- IN UINT8 IpVersion,\r
- IN VOID *IpHead,\r
- IN UINT8 *IpPayload,\r
- IN UINT8 OldLastHead,\r
- IN IPSEC_SPD_ENTRY *SpdEntry,\r
- OUT IPSEC_SAD_ENTRY **SadEntry\r
- )\r
-{\r
- IKE_UDP_SERVICE *UdpService;\r
- IPSEC_SAD_ENTRY *Entry;\r
- IPSEC_SAD_DATA *Data;\r
- EFI_IP_ADDRESS DestIp;\r
- UINT32 SeqNum32;\r
-\r
- *SadEntry = NULL;\r
- UdpService = IkeLookupUdp (Private, NicHandle, IpVersion);\r
-\r
- if (UdpService == NULL) {\r
- return EFI_DEVICE_ERROR;\r
- }\r
- //\r
- // Parse the destination address from ip header.\r
- //\r
- ZeroMem (&DestIp, sizeof (EFI_IP_ADDRESS));\r
- if (IpVersion == IP_VERSION_4) {\r
- CopyMem (\r
- &DestIp,\r
- &((IP4_HEAD *) IpHead)->Dst,\r
- sizeof (IP4_ADDR)\r
- );\r
- } else {\r
- CopyMem (\r
- &DestIp,\r
- &((EFI_IP6_HEADER *) IpHead)->DestinationAddress,\r
- sizeof (EFI_IP_ADDRESS)\r
- );\r
- }\r
-\r
- //\r
- // Find the SAD entry in the spd.sas list according to the dest address.\r
- //\r
- Entry = IpSecLookupSadBySpd (&SpdEntry->Data->Sas, &DestIp, IpVersion);\r
-\r
- if (Entry == NULL) {\r
- if (OldLastHead != IP6_ICMP ||\r
- (OldLastHead == IP6_ICMP && *IpPayload == ICMP_V6_ECHO_REQUEST)\r
- ) {\r
- //\r
- // Start ike negotiation process except the request packet of ping.\r
- //\r
- if (SpdEntry->Data->ProcessingPolicy->Mode == EfiIPsecTunnel) {\r
- IkeNegotiate (\r
- UdpService,\r
- SpdEntry,\r
- &SpdEntry->Data->ProcessingPolicy->TunnelOption->RemoteTunnelAddress\r
- );\r
- } else {\r
- IkeNegotiate (\r
- UdpService,\r
- SpdEntry,\r
- &DestIp\r
- );\r
- }\r
-\r
- }\r
-\r
- return EFI_NOT_READY;\r
- }\r
-\r
- Data = Entry->Data;\r
-\r
- if (!Data->ManualSet) {\r
- if (Data->ESNEnabled) {\r
- //\r
- // Validate the 64bit sn number if 64bit sn enabled.\r
- //\r
- if ((UINT64) (Data->SequenceNumber + 1) == 0) {\r
- //\r
- // TODO: Re-negotiate SA\r
- //\r
- return EFI_DEVICE_ERROR;\r
- }\r
- } else {\r
- //\r
- // Validate the 32bit sn number if 64bit sn disabled.\r
- //\r
- SeqNum32 = (UINT32) Data->SequenceNumber;\r
- if ((UINT32) (SeqNum32 + 1) == 0) {\r
- //\r
- // TODO: Re-negotiate SA\r
- //\r
- return EFI_DEVICE_ERROR;\r
- }\r
- }\r
- }\r
-\r
- *SadEntry = Entry;\r
-\r
- return EFI_SUCCESS;\r
-}\r
-\r
-/**\r
- Find a PAD entry according to a remote IP address.\r
-\r
- @param[in] IpVersion The version of IP.\r
- @param[in] IpAddr Points to remote IP address.\r
-\r
- @return the pointer of related PAD entry.\r
-\r
-**/\r
-IPSEC_PAD_ENTRY *\r
-IpSecLookupPadEntry (\r
- IN UINT8 IpVersion,\r
- IN EFI_IP_ADDRESS *IpAddr\r
- )\r
-{\r
- LIST_ENTRY *PadList;\r
- LIST_ENTRY *Entry;\r
- EFI_IP_ADDRESS_INFO *IpAddrInfo;\r
- IPSEC_PAD_ENTRY *PadEntry;\r
-\r
- PadList = &mConfigData[IPsecConfigDataTypePad];\r
-\r
- for (Entry = PadList->ForwardLink; Entry != PadList; Entry = Entry->ForwardLink) {\r
-\r
- PadEntry = IPSEC_PAD_ENTRY_FROM_LIST (Entry);\r
- IpAddrInfo = &PadEntry->Id->Id.IpAddress;\r
- //\r
- // Find the right pad entry which contain the appointed dest addr.\r
- //\r
- if (IpSecMatchIpAddress (IpVersion, IpAddr, IpAddrInfo, 1)) {\r
- return PadEntry;\r
- }\r
- }\r
-\r
- return NULL;\r
-}\r
-\r
-/**\r
- Check if the specified IP packet can be serviced by this SPD entry.\r
-\r
- @param[in] SpdEntry Point to SPD entry.\r
- @param[in] IpVersion Version of IP.\r
- @param[in] IpHead Point to IP header.\r
- @param[in] IpPayload Point to IP payload.\r
- @param[in] Protocol The Last protocol of IP packet.\r
- @param[in] IsOutbound Traffic direction.\r
- @param[out] Action The support action of SPD entry.\r
-\r
- @retval EFI_SUCCESS Find the related SPD.\r
- @retval EFI_NOT_FOUND Not find the related SPD entry;\r
-\r
-**/\r
-EFI_STATUS\r
-IpSecLookupSpdEntry (\r
- IN IPSEC_SPD_ENTRY *SpdEntry,\r
- IN UINT8 IpVersion,\r
- IN VOID *IpHead,\r
- IN UINT8 *IpPayload,\r
- IN UINT8 Protocol,\r
- IN BOOLEAN IsOutbound,\r
- OUT EFI_IPSEC_ACTION *Action\r
- )\r
-{\r
- EFI_IPSEC_SPD_SELECTOR *SpdSel;\r
- IP4_HEAD *Ip4;\r
- EFI_IP6_HEADER *Ip6;\r
- EFI_IP_ADDRESS SrcAddr;\r
- EFI_IP_ADDRESS DstAddr;\r
- BOOLEAN SpdMatch;\r
-\r
- ASSERT (SpdEntry != NULL);\r
- SpdSel = SpdEntry->Selector;\r
- Ip4 = (IP4_HEAD *) IpHead;\r
- Ip6 = (EFI_IP6_HEADER *) IpHead;\r
-\r
- ZeroMem (&SrcAddr, sizeof (EFI_IP_ADDRESS));\r
- ZeroMem (&DstAddr, sizeof (EFI_IP_ADDRESS));\r
-\r
- //\r
- // Parse the source and destination address from ip header.\r
- //\r
- if (IpVersion == IP_VERSION_4) {\r
- CopyMem (&SrcAddr, &Ip4->Src, sizeof (IP4_ADDR));\r
- CopyMem (&DstAddr, &Ip4->Dst, sizeof (IP4_ADDR));\r
- } else {\r
- CopyMem (&SrcAddr, &Ip6->SourceAddress, sizeof (EFI_IPv6_ADDRESS));\r
- CopyMem (&DstAddr, &Ip6->DestinationAddress, sizeof (EFI_IPv6_ADDRESS));\r
- }\r
- //\r
- // Check the local and remote addresses for outbound traffic\r
- //\r
- SpdMatch = (BOOLEAN)(IsOutbound &&\r
- IpSecMatchIpAddress (\r
- IpVersion,\r
- &SrcAddr,\r
- SpdSel->LocalAddress,\r
- SpdSel->LocalAddressCount\r
- ) &&\r
- IpSecMatchIpAddress (\r
- IpVersion,\r
- &DstAddr,\r
- SpdSel->RemoteAddress,\r
- SpdSel->RemoteAddressCount\r
- )\r
- );\r
-\r
- //\r
- // Check the local and remote addresses for inbound traffic\r
- //\r
- SpdMatch = (BOOLEAN) (SpdMatch ||\r
- (!IsOutbound &&\r
- IpSecMatchIpAddress (\r
- IpVersion,\r
- &DstAddr,\r
- SpdSel->LocalAddress,\r
- SpdSel->LocalAddressCount\r
- ) &&\r
- IpSecMatchIpAddress (\r
- IpVersion,\r
- &SrcAddr,\r
- SpdSel->RemoteAddress,\r
- SpdSel->RemoteAddressCount\r
- )\r
- ));\r
-\r
- //\r
- // Check the next layer protocol and local and remote ports.\r
- //\r
- SpdMatch = (BOOLEAN) (SpdMatch &&\r
- IpSecMatchNextLayerProtocol (\r
- Protocol,\r
- IpPayload,\r
- SpdSel->NextLayerProtocol,\r
- SpdSel->LocalPort,\r
- SpdSel->RemotePort,\r
- IsOutbound\r
- )\r
- );\r
-\r
- if (SpdMatch) {\r
- //\r
- // Find the right SPD entry if match the 5 key elements.\r
- //\r
- *Action = SpdEntry->Data->Action;\r
- return EFI_SUCCESS;\r
- }\r
-\r
- return EFI_NOT_FOUND;\r
-}\r
-\r
-/**\r
- The call back function of NetbufFromExt.\r
-\r
- @param[in] Arg The argument passed from the caller.\r
-\r
-**/\r
-VOID\r
-EFIAPI\r
-IpSecOnRecyclePacket (\r
- IN VOID *Arg\r
- )\r
-{\r
-}\r
-\r
-/**\r
- This is a Notification function. It is called when the related IP6_TXTOKEN_WRAP\r
- is released.\r
-\r
- @param[in] Event The related event.\r
- @param[in] Context The data passed by the caller.\r
-\r
-**/\r
-VOID\r
-EFIAPI\r
-IpSecRecycleCallback (\r
- IN EFI_EVENT Event,\r
- IN VOID *Context\r
- )\r
-{\r
- IPSEC_RECYCLE_CONTEXT *RecycleContext;\r
-\r
- RecycleContext = (IPSEC_RECYCLE_CONTEXT *) Context;\r
-\r
- if (RecycleContext->FragmentTable != NULL) {\r
- FreePool (RecycleContext->FragmentTable);\r
- }\r
-\r
- if (RecycleContext->PayloadBuffer != NULL) {\r
- FreePool (RecycleContext->PayloadBuffer);\r
- }\r
-\r
- FreePool (RecycleContext);\r
- gBS->CloseEvent (Event);\r
-\r
-}\r
-\r
-/**\r
- Calculate the extension hader of IP. The return length only doesn't contain\r
- the fixed IP header length.\r
-\r
- @param[in] IpHead Points to an IP head to be calculated.\r
- @param[in] LastHead Points to the last header of the IP header.\r
-\r
- @return The length of the extension header.\r
-\r
-**/\r
-UINT16\r
-IpSecGetPlainExtHeadSize (\r
- IN VOID *IpHead,\r
- IN UINT8 *LastHead\r
- )\r
-{\r
- UINT16 Size;\r
-\r
- Size = (UINT16) (LastHead - (UINT8 *) IpHead);\r
-\r
- if (Size > sizeof (EFI_IP6_HEADER)) {\r
- //\r
- // * (LastHead+1) point the last header's length but not include the first\r
- // 8 octers, so this formluation add 8 at the end.\r
- //\r
- Size = (UINT16) (Size - sizeof (EFI_IP6_HEADER) + *(LastHead + 1) + 8);\r
- } else {\r
- Size = 0;\r
- }\r
-\r
- return Size;\r
-}\r
-\r
-/**\r
- Verify if the Authentication payload is correct.\r
-\r
- @param[in] EspBuffer Points to the ESP wrapped buffer.\r
- @param[in] EspSize The size of the ESP wrapped buffer.\r
- @param[in] SadEntry The related SAD entry to store the authentication\r
- algorithm key.\r
- @param[in] IcvSize The length of ICV.\r
-\r
- @retval EFI_SUCCESS The authentication data is correct.\r
- @retval EFI_ACCESS_DENIED The authentication data is not correct.\r
-\r
-**/\r
-EFI_STATUS\r
-IpSecEspAuthVerifyPayload (\r
- IN UINT8 *EspBuffer,\r
- IN UINTN EspSize,\r
- IN IPSEC_SAD_ENTRY *SadEntry,\r
- IN UINTN IcvSize\r
- )\r
-{\r
- EFI_STATUS Status;\r
- UINTN AuthSize;\r
- UINT8 IcvBuffer[12];\r
- HASH_DATA_FRAGMENT HashFragment[1];\r
-\r
- //\r
- // Calculate the size of authentication payload.\r
- //\r
- AuthSize = EspSize - IcvSize;\r
-\r
- //\r
- // Calculate the icv buffer and size of the payload.\r
- //\r
- HashFragment[0].Data = EspBuffer;\r
- HashFragment[0].DataSize = AuthSize;\r
-\r
- Status = IpSecCryptoIoHmac (\r
- SadEntry->Data->AlgoInfo.EspAlgoInfo.AuthAlgoId,\r
- SadEntry->Data->AlgoInfo.EspAlgoInfo.AuthKey,\r
- SadEntry->Data->AlgoInfo.EspAlgoInfo.AuthKeyLength,\r
- HashFragment,\r
- 1,\r
- IcvBuffer,\r
- IcvSize\r
- );\r
- if (EFI_ERROR (Status)) {\r
- return Status;\r
- }\r
-\r
- //\r
- // Compare the calculated icv and the appended original icv.\r
- //\r
- if (CompareMem (EspBuffer + AuthSize, IcvBuffer, IcvSize) == 0) {\r
- return EFI_SUCCESS;\r
- }\r
-\r
- DEBUG ((DEBUG_ERROR, "Error auth verify payload\n"));\r
- return EFI_ACCESS_DENIED;\r
-}\r
-\r
-/**\r
- Search the related SAD entry by the input .\r
-\r
- @param[in] IpHead The pointer to IP header.\r
- @param[in] IpVersion The version of IP (IP4 or IP6).\r
- @param[in] Spi The SPI used to search the related SAD entry.\r
-\r
-\r
- @retval NULL Not find the related SAD entry.\r
- @retval IPSEC_SAD_ENTRY Return the related SAD entry.\r
-\r
-**/\r
-IPSEC_SAD_ENTRY *\r
-IpSecFoundSadFromInboundPacket (\r
- UINT8 *IpHead,\r
- UINT8 IpVersion,\r
- UINT32 Spi\r
- )\r
-{\r
- EFI_IP_ADDRESS DestIp;\r
-\r
- //\r
- // Parse destination address from ip header.\r
- //\r
- ZeroMem (&DestIp, sizeof (EFI_IP_ADDRESS));\r
- if (IpVersion == IP_VERSION_4) {\r
- CopyMem (\r
- &DestIp,\r
- &((IP4_HEAD *) IpHead)->Dst,\r
- sizeof (IP4_ADDR)\r
- );\r
- } else {\r
- CopyMem (\r
- &DestIp,\r
- &((EFI_IP6_HEADER *) IpHead)->DestinationAddress,\r
- sizeof (EFI_IPv6_ADDRESS)\r
- );\r
- }\r
-\r
- //\r
- // Lookup SAD entry according to the spi and dest address.\r
- //\r
- return IpSecLookupSadBySpi (Spi, &DestIp, IpVersion);\r
-}\r
-\r
-/**\r
- Validate the IP6 extension header format for both the packets we received\r
- and that we will transmit.\r
-\r
- @param[in] NextHeader The next header field in IPv6 basic header.\r
- @param[in] ExtHdrs The first bye of the option.\r
- @param[in] ExtHdrsLen The length of the whole option.\r
- @param[out] LastHeader The pointer of NextHeader of the last extension\r
- header processed by IP6.\r
- @param[out] RealExtsLen The length of extension headers processed by IP6 layer.\r
- This is an optional parameter that may be NULL.\r
-\r
- @retval TRUE The option is properly formated.\r
- @retval FALSE The option is malformated.\r
-\r
-**/\r
-BOOLEAN\r
-IpSecIsIp6ExtsValid (\r
- IN UINT8 *NextHeader,\r
- IN UINT8 *ExtHdrs,\r
- IN UINT32 ExtHdrsLen,\r
- OUT UINT8 **LastHeader,\r
- OUT UINT32 *RealExtsLen OPTIONAL\r
- )\r
-{\r
- UINT32 Pointer;\r
- UINT8 *Option;\r
- UINT8 OptionLen;\r
- UINT8 CountD;\r
- UINT8 CountF;\r
- UINT8 CountA;\r
-\r
- if (RealExtsLen != NULL) {\r
- *RealExtsLen = 0;\r
- }\r
-\r
- *LastHeader = NextHeader;\r
-\r
- if (ExtHdrs == NULL && ExtHdrsLen == 0) {\r
- return TRUE;\r
- }\r
-\r
- if ((ExtHdrs == NULL && ExtHdrsLen != 0) || (ExtHdrs != NULL && ExtHdrsLen == 0)) {\r
- return FALSE;\r
- }\r
-\r
- Pointer = 0;\r
- CountD = 0;\r
- CountF = 0;\r
- CountA = 0;\r
-\r
- while (Pointer <= ExtHdrsLen) {\r
-\r
- switch (*NextHeader) {\r
- case IP6_HOP_BY_HOP:\r
- if (Pointer != 0) {\r
- return FALSE;\r
- }\r
-\r
- //\r
- // Fall through\r
- //\r
- case IP6_DESTINATION:\r
- if (*NextHeader == IP6_DESTINATION) {\r
- CountD++;\r
- }\r
-\r
- if (CountD > 2) {\r
- return FALSE;\r
- }\r
-\r
- NextHeader = ExtHdrs + Pointer;\r
-\r
- Pointer++;\r
- Option = ExtHdrs + Pointer;\r
- OptionLen = (UINT8) ((*Option + 1) * 8 - 2);\r
- Option++;\r
- Pointer++;\r
-\r
- Pointer = Pointer + OptionLen;\r
- break;\r
-\r
- case IP6_FRAGMENT:\r
- if (++CountF > 1) {\r
- return FALSE;\r
- }\r
- //\r
- // RFC2402, AH header should after fragment header.\r
- //\r
- if (CountA > 1) {\r
- return FALSE;\r
- }\r
-\r
- NextHeader = ExtHdrs + Pointer;\r
- Pointer = Pointer + 8;\r
- break;\r
-\r
- case IP6_AH:\r
- if (++CountA > 1) {\r
- return FALSE;\r
- }\r
-\r
- Option = ExtHdrs + Pointer;\r
- NextHeader = Option;\r
- Option++;\r
- //\r
- // RFC2402, Payload length is specified in 32-bit words, minus "2".\r
- //\r
- OptionLen = (UINT8) ((*Option + 2) * 4);\r
- Pointer = Pointer + OptionLen;\r
- break;\r
-\r
- default:\r
- *LastHeader = NextHeader;\r
- if (RealExtsLen != NULL) {\r
- *RealExtsLen = Pointer;\r
- }\r
-\r
- return TRUE;\r
- }\r
- }\r
-\r
- *LastHeader = NextHeader;\r
-\r
- if (RealExtsLen != NULL) {\r
- *RealExtsLen = Pointer;\r
- }\r
-\r
- return TRUE;\r
-}\r
-\r
-/**\r
- The actual entry to process the tunnel header and inner header for tunnel mode\r
- outbound traffic.\r
-\r
- This function is the subfunction of IpSecEspInboundPacket(). It change the destination\r
- Ip address to the station address and recalculate the uplayyer's checksum.\r
-\r
-\r
- @param[in, out] IpHead Points to the IP header containing the ESP header\r
- to be trimed on input, and without ESP header\r
- on return.\r
- @param[in] IpPayload The decrypted Ip payload. It start from the inner\r
- header.\r
- @param[in] IpVersion The version of IP.\r
- @param[in] SadData Pointer of the relevant SAD.\r
- @param[in, out] LastHead The Last Header in IP header on return.\r
-\r
-**/\r
-VOID\r
-IpSecTunnelInboundPacket (\r
- IN OUT UINT8 *IpHead,\r
- IN UINT8 *IpPayload,\r
- IN UINT8 IpVersion,\r
- IN IPSEC_SAD_DATA *SadData,\r
- IN OUT UINT8 *LastHead\r
- )\r
-{\r
- EFI_UDP_HEADER *UdpHeader;\r
- TCP_HEAD *TcpHeader;\r
- UINT16 *Checksum;\r
- UINT16 PseudoChecksum;\r
- UINT16 PacketChecksum;\r
- UINT32 OptionLen;\r
- IP6_ICMP_HEAD *Icmp6Head;\r
-\r
- Checksum = NULL;\r
-\r
- if (IpVersion == IP_VERSION_4) {\r
- //\r
- // Zero OutIP header use this to indicate the input packet is under\r
- // IPsec Tunnel protected.\r
- //\r
- ZeroMem (\r
- (IP4_HEAD *)IpHead,\r
- sizeof (IP4_HEAD)\r
- );\r
- CopyMem (\r
- &((IP4_HEAD *)IpPayload)->Dst,\r
- &SadData->TunnelDestAddress.v4,\r
- sizeof (EFI_IPv4_ADDRESS)\r
- );\r
-\r
- //\r
- // Recalculate IpHeader Checksum\r
- //\r
- if (((IP4_HEAD *)(IpPayload))->Checksum != 0 ) {\r
- ((IP4_HEAD *)(IpPayload))->Checksum = 0;\r
- ((IP4_HEAD *)(IpPayload))->Checksum = (UINT16) (~NetblockChecksum (\r
- (UINT8 *)IpPayload,\r
- ((IP4_HEAD *)IpPayload)->HeadLen << 2\r
- ));\r
-\r
-\r
- }\r
-\r
- //\r
- // Recalcualte PseudoChecksum\r
- //\r
- switch (((IP4_HEAD *)IpPayload)->Protocol) {\r
- case EFI_IP_PROTO_UDP :\r
- UdpHeader = (EFI_UDP_HEADER *)((UINT8 *)IpPayload + (((IP4_HEAD *)IpPayload)->HeadLen << 2));\r
- Checksum = & UdpHeader->Checksum;\r
- *Checksum = 0;\r
- break;\r
-\r
- case EFI_IP_PROTO_TCP:\r
- TcpHeader = (TCP_HEAD *) ((UINT8 *)IpPayload + (((IP4_HEAD *)IpPayload)->HeadLen << 2));\r
- Checksum = &TcpHeader->Checksum;\r
- *Checksum = 0;\r
- break;\r
-\r
- default:\r
- break;\r
- }\r
- PacketChecksum = NetblockChecksum (\r
- (UINT8 *)IpPayload + (((IP4_HEAD *)IpPayload)->HeadLen << 2),\r
- NTOHS (((IP4_HEAD *)IpPayload)->TotalLen) - (((IP4_HEAD *)IpPayload)->HeadLen << 2)\r
- );\r
- PseudoChecksum = NetPseudoHeadChecksum (\r
- ((IP4_HEAD *)IpPayload)->Src,\r
- ((IP4_HEAD *)IpPayload)->Dst,\r
- ((IP4_HEAD *)IpPayload)->Protocol,\r
- 0\r
- );\r
-\r
- if (Checksum != NULL) {\r
- *Checksum = NetAddChecksum (PacketChecksum, PseudoChecksum);\r
- *Checksum = (UINT16) ~(NetAddChecksum (*Checksum, HTONS((UINT16)(NTOHS (((IP4_HEAD *)IpPayload)->TotalLen) - (((IP4_HEAD *)IpPayload)->HeadLen << 2)))));\r
- }\r
- }else {\r
- //\r
- // Zero OutIP header use this to indicate the input packet is under\r
- // IPsec Tunnel protected.\r
- //\r
- ZeroMem (\r
- IpHead,\r
- sizeof (EFI_IP6_HEADER)\r
- );\r
- CopyMem (\r
- &((EFI_IP6_HEADER*)IpPayload)->DestinationAddress,\r
- &SadData->TunnelDestAddress.v6,\r
- sizeof (EFI_IPv6_ADDRESS)\r
- );\r
-\r
- //\r
- // Get the Extension Header and Header length.\r
- //\r
- IpSecIsIp6ExtsValid (\r
- &((EFI_IP6_HEADER *)IpPayload)->NextHeader,\r
- IpPayload + sizeof (EFI_IP6_HEADER),\r
- ((EFI_IP6_HEADER *)IpPayload)->PayloadLength,\r
- &LastHead,\r
- &OptionLen\r
- );\r
-\r
- //\r
- // Recalcualte PseudoChecksum\r
- //\r
- switch (*LastHead) {\r
- case EFI_IP_PROTO_UDP:\r
- UdpHeader = (EFI_UDP_HEADER *)((UINT8 *)IpPayload + sizeof (EFI_IP6_HEADER) + OptionLen);\r
- Checksum = &UdpHeader->Checksum;\r
- *Checksum = 0;\r
- break;\r
-\r
- case EFI_IP_PROTO_TCP:\r
- TcpHeader = (TCP_HEAD *)(IpPayload + sizeof (EFI_IP6_HEADER) + OptionLen);\r
- Checksum = &TcpHeader->Checksum;\r
- *Checksum = 0;\r
- break;\r
-\r
- case IP6_ICMP:\r
- Icmp6Head = (IP6_ICMP_HEAD *) (IpPayload + sizeof (EFI_IP6_HEADER) + OptionLen);\r
- Checksum = &Icmp6Head->Checksum;\r
- *Checksum = 0;\r
- break;\r
- }\r
- PacketChecksum = NetblockChecksum (\r
- IpPayload + sizeof (EFI_IP6_HEADER) + OptionLen,\r
- NTOHS(((EFI_IP6_HEADER *)IpPayload)->PayloadLength) - OptionLen\r
- );\r
- PseudoChecksum = NetIp6PseudoHeadChecksum (\r
- &((EFI_IP6_HEADER *)IpPayload)->SourceAddress,\r
- &((EFI_IP6_HEADER *)IpPayload)->DestinationAddress,\r
- *LastHead,\r
- 0\r
- );\r
-\r
- if (Checksum != NULL) {\r
- *Checksum = NetAddChecksum (PacketChecksum, PseudoChecksum);\r
- *Checksum = (UINT16) ~(NetAddChecksum (\r
- *Checksum,\r
- HTONS ((UINT16)((NTOHS (((EFI_IP6_HEADER *)(IpPayload))->PayloadLength)) - OptionLen))\r
- ));\r
- }\r
- }\r
-}\r
-\r
-/**\r
- The actual entry to create inner header for tunnel mode inbound traffic.\r
-\r
- This function is the subfunction of IpSecEspOutboundPacket(). It create\r
- the sending packet by encrypting its payload and inserting ESP header in the orginal\r
- IP header, then return the IpHeader and IPsec protected Fragmentable.\r
-\r
- @param[in, out] IpHead Points to IP header containing the orginal IP header\r
- to be processed on input, and inserted ESP header\r
- on return.\r
- @param[in] IpVersion The version of IP.\r
- @param[in] SadData The related SAD data.\r
- @param[in, out] LastHead The Last Header in IP header.\r
- @param[in] OptionsBuffer Pointer to the options buffer.\r
- @param[in] OptionsLength Length of the options buffer.\r
- @param[in, out] FragmentTable Pointer to a list of fragments to be protected by\r
- IPsec on input, and with IPsec protected\r
- on return.\r
- @param[in] FragmentCount The number of fragments.\r
-\r
-**/\r
-UINT8 *\r
-IpSecTunnelOutboundPacket (\r
- IN OUT UINT8 *IpHead,\r
- IN UINT8 IpVersion,\r
- IN IPSEC_SAD_DATA *SadData,\r
- IN OUT UINT8 *LastHead,\r
- IN VOID **OptionsBuffer,\r
- IN UINT32 *OptionsLength,\r
- IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable,\r
- IN UINT32 *FragmentCount\r
- )\r
-{\r
- UINT8 *InnerHead;\r
- NET_BUF *Packet;\r
- UINT16 PacketChecksum;\r
- UINT16 *Checksum;\r
- UINT16 PseudoChecksum;\r
- IP6_ICMP_HEAD *IcmpHead;\r
-\r
- Checksum = NULL;\r
- if (OptionsLength == NULL) {\r
- return NULL;\r
- }\r
-\r
- if (IpVersion == IP_VERSION_4) {\r
- InnerHead = AllocateZeroPool (sizeof (IP4_HEAD) + *OptionsLength);\r
- if (InnerHead == NULL) {\r
- return NULL;\r
- }\r
-\r
- CopyMem (\r
- InnerHead,\r
- IpHead,\r
- sizeof (IP4_HEAD)\r
- );\r
- CopyMem (\r
- InnerHead + sizeof (IP4_HEAD),\r
- *OptionsBuffer,\r
- *OptionsLength\r
- );\r
- } else {\r
- InnerHead = AllocateZeroPool (sizeof (EFI_IP6_HEADER) + *OptionsLength);\r
- if (InnerHead == NULL) {\r
- return NULL;\r
- }\r
-\r
- CopyMem (\r
- InnerHead,\r
- IpHead,\r
- sizeof (EFI_IP6_HEADER)\r
- );\r
- CopyMem (\r
- InnerHead + sizeof (EFI_IP6_HEADER),\r
- *OptionsBuffer,\r
- *OptionsLength\r
- );\r
- }\r
- if (OptionsBuffer != NULL) {\r
- if (*OptionsLength != 0) {\r
-\r
- *OptionsBuffer = NULL;\r
- *OptionsLength = 0;\r
- }\r
- }\r
-\r
- //\r
- // 2. Reassamlbe Fragment into Packet\r
- //\r
- Packet = NetbufFromExt (\r
- (NET_FRAGMENT *)(*FragmentTable),\r
- *FragmentCount,\r
- 0,\r
- 0,\r
- IpSecOnRecyclePacket,\r
- NULL\r
- );\r
- if (Packet == NULL) {\r
- FreePool (InnerHead);\r
- return NULL;\r
- }\r
-\r
- //\r
- // 3. Check the Last Header, if it is TCP, UDP or ICMP recalcualate its pesudo\r
- // CheckSum.\r
- //\r
- switch (*LastHead) {\r
- case EFI_IP_PROTO_UDP:\r
- Packet->Udp = (EFI_UDP_HEADER *) NetbufGetByte (Packet, 0, 0);\r
- ASSERT (Packet->Udp != NULL);\r
- Checksum = &Packet->Udp->Checksum;\r
- *Checksum = 0;\r
- break;\r
-\r
- case EFI_IP_PROTO_TCP:\r
- Packet->Tcp = (TCP_HEAD *) NetbufGetByte (Packet, 0, 0);\r
- ASSERT (Packet->Tcp != NULL);\r
- Checksum = &Packet->Tcp->Checksum;\r
- *Checksum = 0;\r
- break;\r
-\r
- case IP6_ICMP:\r
- IcmpHead = (IP6_ICMP_HEAD *) NetbufGetByte (Packet, 0, NULL);\r
- ASSERT (IcmpHead != NULL);\r
- Checksum = &IcmpHead->Checksum;\r
- *Checksum = 0;\r
- break;\r
-\r
- default:\r
- break;\r
- }\r
-\r
- PacketChecksum = NetbufChecksum (Packet);\r
-\r
- if (IpVersion == IP_VERSION_4) {\r
- //\r
- // Replace the source address of Inner Header.\r
- //\r
- CopyMem (\r
- &((IP4_HEAD *)InnerHead)->Src,\r
- &SadData->SpdSelector->LocalAddress[0].Address.v4,\r
- sizeof (EFI_IPv4_ADDRESS)\r
- );\r
-\r
- PacketChecksum = NetbufChecksum (Packet);\r
- PseudoChecksum = NetPseudoHeadChecksum (\r
- ((IP4_HEAD *)InnerHead)->Src,\r
- ((IP4_HEAD *)InnerHead)->Dst,\r
- *LastHead,\r
- 0\r
- );\r
-\r
- } else {\r
- //\r
- // Replace the source address of Inner Header.\r
- //\r
- CopyMem (\r
- &((EFI_IP6_HEADER *)InnerHead)->SourceAddress,\r
- &(SadData->SpdSelector->LocalAddress[0].Address.v6),\r
- sizeof (EFI_IPv6_ADDRESS)\r
- );\r
- PacketChecksum = NetbufChecksum (Packet);\r
- PseudoChecksum = NetIp6PseudoHeadChecksum (\r
- &((EFI_IP6_HEADER *)InnerHead)->SourceAddress,\r
- &((EFI_IP6_HEADER *)InnerHead)->DestinationAddress,\r
- *LastHead,\r
- 0\r
- );\r
-\r
- }\r
- if (Checksum != NULL) {\r
- *Checksum = NetAddChecksum (PacketChecksum, PseudoChecksum);\r
- *Checksum = (UINT16) ~(NetAddChecksum ((UINT16)*Checksum, HTONS ((UINT16) Packet->TotalSize)));\r
- }\r
-\r
- if (Packet != NULL) {\r
- NetbufFree (Packet);\r
- }\r
- return InnerHead;\r
-}\r
-\r
-/**\r
- The actual entry to relative function processes the inbound traffic of ESP header.\r
-\r
- This function is the subfunction of IpSecProtectInboundPacket(). It checks the\r
- received packet security property and trim the ESP header and then returns without\r
- an IPsec protected IP Header and FramgmentTable.\r
-\r
- @param[in] IpVersion The version of IP.\r
- @param[in, out] IpHead Points to the IP header containing the ESP header\r
- to be trimed on input, and without ESP header\r
- on return.\r
- @param[out] LastHead The Last Header in IP header on return.\r
- @param[in, out] OptionsBuffer Pointer to the options buffer.\r
- @param[in, out] OptionsLength Length of the options buffer.\r
- @param[in, out] FragmentTable Pointer to a list of fragments in the form of IPsec\r
- protected on input, and without IPsec protected\r
- on return.\r
- @param[in, out] FragmentCount The number of fragments.\r
- @param[out] SpdSelector Pointer to contain the address of SPD selector on return.\r
- @param[out] RecycleEvent The event for recycling of resources.\r
-\r
- @retval EFI_SUCCESS The operation was successful.\r
- @retval EFI_ACCESS_DENIED One or more following conditions is TRUE:\r
- - ESP header was not found or mal-format.\r
- - The related SAD entry was not found.\r
- - The related SAD entry does not support the ESP protocol.\r
- @retval EFI_OUT_OF_RESOURCES The required system resource can't be allocated.\r
-\r
-**/\r
-EFI_STATUS\r
-IpSecEspInboundPacket (\r
- IN UINT8 IpVersion,\r
- IN OUT VOID *IpHead,\r
- OUT UINT8 *LastHead,\r
- IN OUT VOID **OptionsBuffer,\r
- IN OUT UINT32 *OptionsLength,\r
- IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable,\r
- IN OUT UINT32 *FragmentCount,\r
- OUT EFI_IPSEC_SPD_SELECTOR **SpdSelector,\r
- OUT EFI_EVENT *RecycleEvent\r
- )\r
-{\r
- EFI_STATUS Status;\r
- NET_BUF *Payload;\r
- UINTN EspSize;\r
- UINTN IvSize;\r
- UINTN BlockSize;\r
- UINTN MiscSize;\r
- UINTN PlainPayloadSize;\r
- UINTN PaddingSize;\r
- UINTN IcvSize;\r
- UINT8 *ProcessBuffer;\r
- EFI_ESP_HEADER *EspHeader;\r
- EFI_ESP_TAIL *EspTail;\r
- EFI_IPSEC_SA_ID *SaId;\r
- IPSEC_SAD_DATA *SadData;\r
- IPSEC_SAD_ENTRY *SadEntry;\r
- IPSEC_RECYCLE_CONTEXT *RecycleContext;\r
- UINT8 NextHeader;\r
- UINT16 IpSecHeadSize;\r
- UINT8 *InnerHead;\r
-\r
- Status = EFI_SUCCESS;\r
- Payload = NULL;\r
- ProcessBuffer = NULL;\r
- RecycleContext = NULL;\r
- *RecycleEvent = NULL;\r
- PlainPayloadSize = 0;\r
- NextHeader = 0;\r
-\r
- //\r
- // Build netbuf from fragment table first.\r
- //\r
- Payload = NetbufFromExt (\r
- (NET_FRAGMENT *) *FragmentTable,\r
- *FragmentCount,\r
- 0,\r
- sizeof (EFI_ESP_HEADER),\r
- IpSecOnRecyclePacket,\r
- NULL\r
- );\r
- if (Payload == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto ON_EXIT;\r
- }\r
-\r
- //\r
- // Get the esp size and esp header from netbuf.\r
- //\r
- EspSize = Payload->TotalSize;\r
- EspHeader = (EFI_ESP_HEADER *) NetbufGetByte (Payload, 0, NULL);\r
-\r
- if (EspHeader == NULL) {\r
- Status = EFI_ACCESS_DENIED;\r
- goto ON_EXIT;\r
- }\r
-\r
- //\r
- // Parse destination address from ip header and found the related SAD Entry.\r
- //\r
- SadEntry = IpSecFoundSadFromInboundPacket (\r
- IpHead,\r
- IpVersion,\r
- NTOHL (EspHeader->Spi)\r
- );\r
-\r
- if (SadEntry == NULL) {\r
- Status = EFI_ACCESS_DENIED;\r
- goto ON_EXIT;\r
- }\r
-\r
- SaId = SadEntry->Id;\r
- SadData = SadEntry->Data;\r
-\r
- //\r
- // Only support esp protocol currently.\r
- //\r
- if (SaId->Proto != EfiIPsecESP) {\r
- Status = EFI_ACCESS_DENIED;\r
- goto ON_EXIT;\r
- }\r
-\r
- if (!SadData->ManualSet) {\r
- //\r
- // TODO: Check SA lifetime and sequence number\r
- //\r
- }\r
-\r
- //\r
- // Allocate buffer for decryption and authentication.\r
- //\r
- ProcessBuffer = AllocateZeroPool (EspSize);\r
- if (ProcessBuffer == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto ON_EXIT;\r
- }\r
-\r
- NetbufCopy (Payload, 0, (UINT32) EspSize, ProcessBuffer);\r
-\r
- //\r
- // Get the IcvSize for authentication and BlockSize/IvSize for Decryption.\r
- //\r
- IcvSize = IpSecGetIcvLength (SadEntry->Data->AlgoInfo.EspAlgoInfo.AuthAlgoId);\r
- IvSize = IpSecGetEncryptIvLength (SadEntry->Data->AlgoInfo.EspAlgoInfo.EncAlgoId);\r
- BlockSize = IpSecGetEncryptBlockSize (SadEntry->Data->AlgoInfo.EspAlgoInfo.EncAlgoId);\r
-\r
- //\r
- // Make sure the ESP packet is not mal-formt.\r
- // 1. Check whether the Espsize is larger than ESP header + IvSize + EspTail + IcvSize.\r
- // 2. Check whether the left payload size is multiple of IvSize.\r
- //\r
- MiscSize = sizeof (EFI_ESP_HEADER) + IvSize + IcvSize;\r
- if (EspSize <= (MiscSize + sizeof (EFI_ESP_TAIL))) {\r
- Status = EFI_ACCESS_DENIED;\r
- goto ON_EXIT;\r
- }\r
- if ((EspSize - MiscSize) % BlockSize != 0) {\r
- Status = EFI_ACCESS_DENIED;\r
- goto ON_EXIT;\r
- }\r
-\r
- //\r
- // Authenticate the ESP packet.\r
- //\r
- if (SadData->AlgoInfo.EspAlgoInfo.AuthKey != NULL) {\r
- Status = IpSecEspAuthVerifyPayload (\r
- ProcessBuffer,\r
- EspSize,\r
- SadEntry,\r
- IcvSize\r
- );\r
- if (EFI_ERROR (Status)) {\r
- goto ON_EXIT;\r
- }\r
- }\r
- //\r
- // Decrypt the payload by the SAD entry if it has decrypt key.\r
- //\r
- if (SadData->AlgoInfo.EspAlgoInfo.EncKey != NULL) {\r
- Status = IpSecCryptoIoDecrypt (\r
- SadEntry->Data->AlgoInfo.EspAlgoInfo.EncAlgoId,\r
- SadEntry->Data->AlgoInfo.EspAlgoInfo.EncKey,\r
- SadEntry->Data->AlgoInfo.EspAlgoInfo.EncKeyLength << 3,\r
- ProcessBuffer + sizeof (EFI_ESP_HEADER),\r
- ProcessBuffer + sizeof (EFI_ESP_HEADER) + IvSize,\r
- EspSize - sizeof (EFI_ESP_HEADER) - IvSize - IcvSize,\r
- ProcessBuffer + sizeof (EFI_ESP_HEADER) + IvSize\r
- );\r
- if (EFI_ERROR (Status)) {\r
- goto ON_EXIT;\r
- }\r
- }\r
-\r
- //\r
- // Parse EspTail and compute the plain payload size.\r
- //\r
- EspTail = (EFI_ESP_TAIL *) (ProcessBuffer + EspSize - IcvSize - sizeof (EFI_ESP_TAIL));\r
- PaddingSize = EspTail->PaddingLength;\r
- NextHeader = EspTail->NextHeader;\r
-\r
- if (EspSize <= (MiscSize + sizeof (EFI_ESP_TAIL) + PaddingSize)) {\r
- Status = EFI_ACCESS_DENIED;\r
- goto ON_EXIT;\r
- }\r
- PlainPayloadSize = EspSize - MiscSize - sizeof (EFI_ESP_TAIL) - PaddingSize;\r
-\r
- //\r
- // TODO: handle anti-replay window\r
- //\r
- //\r
- // Decryption and authentication with esp has been done, so it's time to\r
- // reload the new packet, create recycle event and fixup ip header.\r
- //\r
- RecycleContext = AllocateZeroPool (sizeof (IPSEC_RECYCLE_CONTEXT));\r
- if (RecycleContext == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto ON_EXIT;\r
- }\r
-\r
- Status = gBS->CreateEvent (\r
- EVT_NOTIFY_SIGNAL,\r
- TPL_NOTIFY,\r
- IpSecRecycleCallback,\r
- RecycleContext,\r
- RecycleEvent\r
- );\r
- if (EFI_ERROR (Status)) {\r
- goto ON_EXIT;\r
- }\r
-\r
- //\r
- // The caller will take responsible to handle the original fragment table\r
- //\r
- *FragmentTable = AllocateZeroPool (sizeof (EFI_IPSEC_FRAGMENT_DATA));\r
- if (*FragmentTable == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto ON_EXIT;\r
- }\r
-\r
- RecycleContext->PayloadBuffer = ProcessBuffer;\r
- RecycleContext->FragmentTable = *FragmentTable;\r
-\r
- //\r
- // If Tunnel, recalculate upper-layyer PesudoCheckSum and trim the out\r
- //\r
- if (SadData->Mode == EfiIPsecTunnel) {\r
- InnerHead = ProcessBuffer + sizeof (EFI_ESP_HEADER) + IvSize;\r
- IpSecTunnelInboundPacket (\r
- IpHead,\r
- InnerHead,\r
- IpVersion,\r
- SadData,\r
- LastHead\r
- );\r
-\r
- if (IpVersion == IP_VERSION_4) {\r
- (*FragmentTable)[0].FragmentBuffer = InnerHead ;\r
- (*FragmentTable)[0].FragmentLength = (UINT32) PlainPayloadSize;\r
-\r
- }else {\r
- (*FragmentTable)[0].FragmentBuffer = InnerHead;\r
- (*FragmentTable)[0].FragmentLength = (UINT32) PlainPayloadSize;\r
- }\r
- } else {\r
- (*FragmentTable)[0].FragmentBuffer = ProcessBuffer + sizeof (EFI_ESP_HEADER) + IvSize;\r
- (*FragmentTable)[0].FragmentLength = (UINT32) PlainPayloadSize;\r
- }\r
-\r
- *FragmentCount = 1;\r
-\r
- //\r
- // Update the total length field in ip header since processed by esp.\r
- //\r
- if (SadData->Mode != EfiIPsecTunnel) {\r
- if (IpVersion == IP_VERSION_4) {\r
- ((IP4_HEAD *) IpHead)->TotalLen = HTONS ((UINT16) ((((IP4_HEAD *) IpHead)->HeadLen << 2) + PlainPayloadSize));\r
- } else {\r
- IpSecHeadSize = IpSecGetPlainExtHeadSize (IpHead, LastHead);\r
- ((EFI_IP6_HEADER *) IpHead)->PayloadLength = HTONS ((UINT16)(IpSecHeadSize + PlainPayloadSize));\r
- }\r
- //\r
- // Update the next layer field in ip header since esp header inserted.\r
- //\r
- *LastHead = NextHeader;\r
- }\r
-\r
-\r
- //\r
- // Update the SPD association of the SAD entry.\r
- //\r
- *SpdSelector = SadData->SpdSelector;\r
-\r
-ON_EXIT:\r
- if (Payload != NULL) {\r
- NetbufFree (Payload);\r
- }\r
-\r
- if (EFI_ERROR (Status)) {\r
- if (ProcessBuffer != NULL) {\r
- FreePool (ProcessBuffer);\r
- }\r
-\r
- if (RecycleContext != NULL) {\r
- FreePool (RecycleContext);\r
- }\r
-\r
- if (*RecycleEvent != NULL) {\r
- gBS->CloseEvent (*RecycleEvent);\r
- }\r
- }\r
-\r
- return Status;\r
-}\r
-\r
-/**\r
- The actual entry to the relative function processes the output traffic using the ESP protocol.\r
-\r
- This function is the subfunction of IpSecProtectOutboundPacket(). It protected\r
- the sending packet by encrypting its payload and inserting ESP header in the orginal\r
- IP header, then return the IpHeader and IPsec protected Fragmentable.\r
-\r
- @param[in] IpVersion The version of IP.\r
- @param[in, out] IpHead Points to IP header containing the orginal IP header\r
- to be processed on input, and inserted ESP header\r
- on return.\r
- @param[in, out] LastHead The Last Header in IP header.\r
- @param[in, out] OptionsBuffer Pointer to the options buffer.\r
- @param[in, out] OptionsLength Length of the options buffer.\r
- @param[in, out] FragmentTable Pointer to a list of fragments to be protected by\r
- IPsec on input, and with IPsec protected\r
- on return.\r
- @param[in, out] FragmentCount The number of fragments.\r
- @param[in] SadEntry The related SAD entry.\r
- @param[out] RecycleEvent The event for recycling of resources.\r
-\r
- @retval EFI_SUCCESS The operation was successful.\r
- @retval EFI_OUT_OF_RESOURCES The required system resources can't be allocated.\r
-\r
-**/\r
-EFI_STATUS\r
-IpSecEspOutboundPacket (\r
- IN UINT8 IpVersion,\r
- IN OUT VOID *IpHead,\r
- IN OUT UINT8 *LastHead,\r
- IN OUT VOID **OptionsBuffer,\r
- IN OUT UINT32 *OptionsLength,\r
- IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable,\r
- IN OUT UINT32 *FragmentCount,\r
- IN IPSEC_SAD_ENTRY *SadEntry,\r
- OUT EFI_EVENT *RecycleEvent\r
- )\r
-{\r
- EFI_STATUS Status;\r
- UINTN Index;\r
- EFI_IPSEC_SA_ID *SaId;\r
- IPSEC_SAD_DATA *SadData;\r
- IPSEC_RECYCLE_CONTEXT *RecycleContext;\r
- UINT8 *ProcessBuffer;\r
- UINTN BytesCopied;\r
- INTN EncryptBlockSize;// Size of encryption block, 4 bytes aligned and >= 4\r
- UINTN EspSize; // Total size of esp wrapped ip payload\r
- UINTN IvSize; // Size of IV, optional, might be 0\r
- UINTN PlainPayloadSize;// Original IP payload size\r
- UINTN PaddingSize; // Size of padding\r
- UINTN EncryptSize; // Size of data to be encrypted, start after IV and\r
- // stop before ICV\r
- UINTN IcvSize; // Size of ICV, optional, might be 0\r
- UINT8 *RestOfPayload; // Start of Payload after IV\r
- UINT8 *Padding; // Start address of padding\r
- EFI_ESP_HEADER *EspHeader; // Start address of ESP frame\r
- EFI_ESP_TAIL *EspTail; // Address behind padding\r
- UINT8 *InnerHead;\r
- HASH_DATA_FRAGMENT HashFragment[1];\r
-\r
- Status = EFI_ACCESS_DENIED;\r
- SaId = SadEntry->Id;\r
- SadData = SadEntry->Data;\r
- ProcessBuffer = NULL;\r
- RecycleContext = NULL;\r
- *RecycleEvent = NULL;\r
- InnerHead = NULL;\r
-\r
- if (!SadData->ManualSet &&\r
- SadData->AlgoInfo.EspAlgoInfo.EncKey == NULL &&\r
- SadData->AlgoInfo.EspAlgoInfo.AuthKey == NULL\r
- ) {\r
- //\r
- // Invalid manual SAD entry configuration.\r
- //\r
- goto ON_EXIT;\r
- }\r
-\r
- //\r
- // Create OutHeader according to Inner Header\r
- //\r
- if (SadData->Mode == EfiIPsecTunnel) {\r
- InnerHead = IpSecTunnelOutboundPacket (\r
- IpHead,\r
- IpVersion,\r
- SadData,\r
- LastHead,\r
- OptionsBuffer,\r
- OptionsLength,\r
- FragmentTable,\r
- FragmentCount\r
- );\r
-\r
- if (InnerHead == NULL) {\r
- return EFI_INVALID_PARAMETER;\r
- }\r
-\r
- }\r
-\r
- //\r
- // Calculate enctrypt block size, need iv by default and 4 bytes alignment.\r
- //\r
- EncryptBlockSize = 4;\r
-\r
- if (SadData->AlgoInfo.EspAlgoInfo.EncKey != NULL) {\r
- EncryptBlockSize = IpSecGetEncryptBlockSize (SadEntry->Data->AlgoInfo.EspAlgoInfo.EncAlgoId);\r
-\r
- if (EncryptBlockSize < 0 || (EncryptBlockSize != 1 && EncryptBlockSize % 4 != 0)) {\r
- goto ON_EXIT;\r
- }\r
- }\r
-\r
- //\r
- // Calculate the plain payload size according to the fragment table.\r
- //\r
- PlainPayloadSize = 0;\r
- for (Index = 0; Index < *FragmentCount; Index++) {\r
- PlainPayloadSize += (*FragmentTable)[Index].FragmentLength;\r
- }\r
-\r
- //\r
- // Add IPHeader size for Tunnel Mode\r
- //\r
- if (SadData->Mode == EfiIPsecTunnel) {\r
- if (IpVersion == IP_VERSION_4) {\r
- PlainPayloadSize += sizeof (IP4_HEAD);\r
- } else {\r
- PlainPayloadSize += sizeof (EFI_IP6_HEADER);\r
- }\r
- //\r
- // OPtions should be encryption into it\r
- //\r
- PlainPayloadSize += *OptionsLength;\r
- }\r
-\r
-\r
- //\r
- // Calculate icv size, optional by default and 4 bytes alignment.\r
- //\r
- IcvSize = 0;\r
- if (SadData->AlgoInfo.EspAlgoInfo.AuthKey != NULL) {\r
- IcvSize = IpSecGetIcvLength (SadEntry->Data->AlgoInfo.EspAlgoInfo.AuthAlgoId);\r
- if (IcvSize % 4 != 0) {\r
- goto ON_EXIT;\r
- }\r
- }\r
-\r
- //\r
- // Calcuate the total size of esp wrapped ip payload.\r
- //\r
- IvSize = IpSecGetEncryptIvLength (SadEntry->Data->AlgoInfo.EspAlgoInfo.EncAlgoId);\r
- EncryptSize = (PlainPayloadSize + sizeof (EFI_ESP_TAIL) + EncryptBlockSize - 1) / EncryptBlockSize * EncryptBlockSize;\r
- PaddingSize = EncryptSize - PlainPayloadSize - sizeof (EFI_ESP_TAIL);\r
- EspSize = sizeof (EFI_ESP_HEADER) + IvSize + EncryptSize + IcvSize;\r
-\r
- ProcessBuffer = AllocateZeroPool (EspSize);\r
- if (ProcessBuffer == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto ON_EXIT;\r
- }\r
-\r
- //\r
- // Calculate esp header and esp tail including header, payload and padding.\r
- //\r
- EspHeader = (EFI_ESP_HEADER *) ProcessBuffer;\r
- RestOfPayload = (UINT8 *) (EspHeader + 1) + IvSize;\r
- Padding = RestOfPayload + PlainPayloadSize;\r
- EspTail = (EFI_ESP_TAIL *) (Padding + PaddingSize);\r
-\r
- //\r
- // Fill the sn and spi fields in esp header.\r
- //\r
- EspHeader->SequenceNumber = HTONL ((UINT32) SadData->SequenceNumber + 1);\r
- //EspHeader->SequenceNumber = HTONL ((UINT32) SadData->SequenceNumber);\r
- EspHeader->Spi = HTONL (SaId->Spi);\r
-\r
- //\r
- // Copy the rest of payload (after iv) from the original fragment buffer.\r
- //\r
- BytesCopied = 0;\r
-\r
- //\r
- // For Tunnel Mode\r
- //\r
- if (SadData->Mode == EfiIPsecTunnel) {\r
- if (IpVersion == IP_VERSION_4) {\r
- //\r
- // HeadLen, Total Length\r
- //\r
- ((IP4_HEAD *)InnerHead)->HeadLen = (UINT8) ((sizeof (IP4_HEAD) + *OptionsLength) >> 2);\r
- ((IP4_HEAD *)InnerHead)->TotalLen = HTONS ((UINT16) PlainPayloadSize);\r
- ((IP4_HEAD *)InnerHead)->Checksum = 0;\r
- ((IP4_HEAD *)InnerHead)->Checksum = (UINT16) (~NetblockChecksum (\r
- (UINT8 *)InnerHead,\r
- sizeof(IP4_HEAD)\r
- ));\r
- CopyMem (\r
- RestOfPayload + BytesCopied,\r
- InnerHead,\r
- sizeof (IP4_HEAD) + *OptionsLength\r
- );\r
- BytesCopied += sizeof (IP4_HEAD) + *OptionsLength;\r
-\r
- } else {\r
- ((EFI_IP6_HEADER *)InnerHead)->PayloadLength = HTONS ((UINT16) (PlainPayloadSize - sizeof (EFI_IP6_HEADER)));\r
- CopyMem (\r
- RestOfPayload + BytesCopied,\r
- InnerHead,\r
- sizeof (EFI_IP6_HEADER) + *OptionsLength\r
- );\r
- BytesCopied += sizeof (EFI_IP6_HEADER) + *OptionsLength;\r
- }\r
- }\r
-\r
- for (Index = 0; Index < *FragmentCount; Index++) {\r
- CopyMem (\r
- (RestOfPayload + BytesCopied),\r
- (*FragmentTable)[Index].FragmentBuffer,\r
- (*FragmentTable)[Index].FragmentLength\r
- );\r
- BytesCopied += (*FragmentTable)[Index].FragmentLength;\r
- }\r
- //\r
- // Fill the padding buffer by natural number sequence.\r
- //\r
- for (Index = 0; Index < PaddingSize; Index++) {\r
- Padding[Index] = (UINT8) (Index + 1);\r
- }\r
- //\r
- // Fill the padding length and next header fields in esp tail.\r
- //\r
- EspTail->PaddingLength = (UINT8) PaddingSize;\r
- EspTail->NextHeader = *LastHead;\r
-\r
- //\r
- // Fill the next header for Tunnel mode.\r
- //\r
- if (SadData->Mode == EfiIPsecTunnel) {\r
- if (IpVersion == IP_VERSION_4) {\r
- EspTail->NextHeader = 4;\r
- } else {\r
- EspTail->NextHeader = 41;\r
- }\r
- }\r
-\r
- //\r
- // Generate iv at random by crypt library.\r
- //\r
- Status = IpSecGenerateIv (\r
- (UINT8 *) (EspHeader + 1),\r
- IvSize\r
- );\r
-\r
-\r
- if (EFI_ERROR (Status)) {\r
- goto ON_EXIT;\r
- }\r
-\r
- //\r
- // Encryption the payload (after iv) by the SAD entry if has encrypt key.\r
- //\r
- if (SadData->AlgoInfo.EspAlgoInfo.EncKey != NULL) {\r
- Status = IpSecCryptoIoEncrypt (\r
- SadEntry->Data->AlgoInfo.EspAlgoInfo.EncAlgoId,\r
- SadEntry->Data->AlgoInfo.EspAlgoInfo.EncKey,\r
- SadEntry->Data->AlgoInfo.EspAlgoInfo.EncKeyLength << 3,\r
- (UINT8 *)(EspHeader + 1),\r
- RestOfPayload,\r
- EncryptSize,\r
- RestOfPayload\r
- );\r
-\r
- if (EFI_ERROR (Status)) {\r
- goto ON_EXIT;\r
- }\r
- }\r
-\r
- //\r
- // Authenticate the esp wrapped buffer by the SAD entry if it has auth key.\r
- //\r
- if (SadData->AlgoInfo.EspAlgoInfo.AuthKey != NULL) {\r
-\r
- HashFragment[0].Data = ProcessBuffer;\r
- HashFragment[0].DataSize = EspSize - IcvSize;\r
- Status = IpSecCryptoIoHmac (\r
- SadEntry->Data->AlgoInfo.EspAlgoInfo.AuthAlgoId,\r
- SadEntry->Data->AlgoInfo.EspAlgoInfo.AuthKey,\r
- SadEntry->Data->AlgoInfo.EspAlgoInfo.AuthKeyLength,\r
- HashFragment,\r
- 1,\r
- ProcessBuffer + EspSize - IcvSize,\r
- IcvSize\r
- );\r
- if (EFI_ERROR (Status)) {\r
- goto ON_EXIT;\r
- }\r
- }\r
-\r
- //\r
- // Encryption and authentication with esp has been done, so it's time to\r
- // reload the new packet, create recycle event and fixup ip header.\r
- //\r
- RecycleContext = AllocateZeroPool (sizeof (IPSEC_RECYCLE_CONTEXT));\r
- if (RecycleContext == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto ON_EXIT;\r
- }\r
-\r
- Status = gBS->CreateEvent (\r
- EVT_NOTIFY_SIGNAL,\r
- TPL_NOTIFY,\r
- IpSecRecycleCallback,\r
- RecycleContext,\r
- RecycleEvent\r
- );\r
- if (EFI_ERROR (Status)) {\r
- goto ON_EXIT;\r
- }\r
- //\r
- // Caller take responsible to handle the original fragment table.\r
- //\r
- *FragmentTable = AllocateZeroPool (sizeof (EFI_IPSEC_FRAGMENT_DATA));\r
- if (*FragmentTable == NULL) {\r
- Status = EFI_OUT_OF_RESOURCES;\r
- goto ON_EXIT;\r
- }\r
-\r
- RecycleContext->FragmentTable = *FragmentTable;\r
- RecycleContext->PayloadBuffer = ProcessBuffer;\r
- (*FragmentTable)[0].FragmentBuffer = ProcessBuffer;\r
- (*FragmentTable)[0].FragmentLength = (UINT32) EspSize;\r
- *FragmentCount = 1;\r
-\r
- //\r
- // Update the total length field in ip header since processed by esp.\r
- //\r
- if (IpVersion == IP_VERSION_4) {\r
- ((IP4_HEAD *) IpHead)->TotalLen = HTONS ((UINT16) ((((IP4_HEAD *) IpHead)->HeadLen << 2) + EspSize));\r
- } else {\r
- ((EFI_IP6_HEADER *) IpHead)->PayloadLength = (UINT16) (IpSecGetPlainExtHeadSize (IpHead, LastHead) + EspSize);\r
- }\r
-\r
- //\r
- // If tunnel mode, it should change the outer Ip header with tunnel source address\r
- // and destination tunnel address.\r
- //\r
- if (SadData->Mode == EfiIPsecTunnel) {\r
- if (IpVersion == IP_VERSION_4) {\r
- CopyMem (\r
- &((IP4_HEAD *) IpHead)->Src,\r
- &SadData->TunnelSourceAddress.v4,\r
- sizeof (EFI_IPv4_ADDRESS)\r
- );\r
- CopyMem (\r
- &((IP4_HEAD *) IpHead)->Dst,\r
- &SadData->TunnelDestAddress.v4,\r
- sizeof (EFI_IPv4_ADDRESS)\r
- );\r
- } else {\r
- CopyMem (\r
- &((EFI_IP6_HEADER *) IpHead)->SourceAddress,\r
- &SadData->TunnelSourceAddress.v6,\r
- sizeof (EFI_IPv6_ADDRESS)\r
- );\r
- CopyMem (\r
- &((EFI_IP6_HEADER *) IpHead)->DestinationAddress,\r
- &SadData->TunnelDestAddress.v6,\r
- sizeof (EFI_IPv6_ADDRESS)\r
- );\r
- }\r
- }\r
-\r
- //\r
- // Update the next layer field in ip header since esp header inserted.\r
- //\r
- *LastHead = IPSEC_ESP_PROTOCOL;\r
-\r
- //\r
- // Increase the sn number in SAD entry according to rfc4303.\r
- //\r
- SadData->SequenceNumber++;\r
-\r
-ON_EXIT:\r
- if (EFI_ERROR (Status)) {\r
- if (ProcessBuffer != NULL) {\r
- FreePool (ProcessBuffer);\r
- }\r
-\r
- if (RecycleContext != NULL) {\r
- FreePool (RecycleContext);\r
- }\r
-\r
- if (*RecycleEvent != NULL) {\r
- gBS->CloseEvent (*RecycleEvent);\r
- }\r
- }\r
-\r
- return Status;\r
-}\r
-\r
-/**\r
- This function processes the inbound traffic with IPsec.\r
-\r
- It checks the received packet security property, trims the ESP/AH header, and then\r
- returns without an IPsec protected IP Header and FragmentTable.\r
-\r
- @param[in] IpVersion The version of IP.\r
- @param[in, out] IpHead Points to IP header containing the ESP/AH header\r
- to be trimed on input, and without ESP/AH header\r
- on return.\r
- @param[in, out] LastHead The Last Header in IP header on return.\r
- @param[in, out] OptionsBuffer Pointer to the options buffer.\r
- @param[in, out] OptionsLength Length of the options buffer.\r
- @param[in, out] FragmentTable Pointer to a list of fragments in form of IPsec\r
- protected on input, and without IPsec protected\r
- on return.\r
- @param[in, out] FragmentCount The number of fragments.\r
- @param[out] SpdEntry Pointer to contain the address of SPD entry on return.\r
- @param[out] RecycleEvent The event for recycling of resources.\r
-\r
- @retval EFI_SUCCESS The operation was successful.\r
- @retval EFI_UNSUPPORTED The IPSEC protocol is not supported.\r
-\r
-**/\r
-EFI_STATUS\r
-IpSecProtectInboundPacket (\r
- IN UINT8 IpVersion,\r
- IN OUT VOID *IpHead,\r
- IN OUT UINT8 *LastHead,\r
- IN OUT VOID **OptionsBuffer,\r
- IN OUT UINT32 *OptionsLength,\r
- IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable,\r
- IN OUT UINT32 *FragmentCount,\r
- OUT EFI_IPSEC_SPD_SELECTOR **SpdEntry,\r
- OUT EFI_EVENT *RecycleEvent\r
- )\r
-{\r
- if (*LastHead == IPSEC_ESP_PROTOCOL) {\r
- //\r
- // Process the esp ipsec header of the inbound traffic.\r
- //\r
- return IpSecEspInboundPacket (\r
- IpVersion,\r
- IpHead,\r
- LastHead,\r
- OptionsBuffer,\r
- OptionsLength,\r
- FragmentTable,\r
- FragmentCount,\r
- SpdEntry,\r
- RecycleEvent\r
- );\r
- }\r
- //\r
- // The other protocols are not supported.\r
- //\r
- return EFI_UNSUPPORTED;\r
-}\r
-\r
-/**\r
- This fucntion processes the output traffic with IPsec.\r
-\r
- It protected the sending packet by encrypting it payload and inserting ESP/AH header\r
- in the orginal IP header, then return the IpHeader and IPsec protected Fragmentable.\r
-\r
- @param[in] IpVersion The version of IP.\r
- @param[in, out] IpHead Point to IP header containing the orginal IP header\r
- to be processed on input, and inserted ESP/AH header\r
- on return.\r
- @param[in, out] LastHead The Last Header in IP header.\r
- @param[in, out] OptionsBuffer Pointer to the options buffer.\r
- @param[in, out] OptionsLength Length of the options buffer.\r
- @param[in, out] FragmentTable Pointer to a list of fragments to be protected by\r
- IPsec on input, and with IPsec protected\r
- on return.\r
- @param[in, out] FragmentCount Number of fragments.\r
- @param[in] SadEntry Related SAD entry.\r
- @param[out] RecycleEvent Event for recycling of resources.\r
-\r
- @retval EFI_SUCCESS The operation is successful.\r
- @retval EFI_UNSUPPORTED If the IPSEC protocol is not supported.\r
-\r
-**/\r
-EFI_STATUS\r
-IpSecProtectOutboundPacket (\r
- IN UINT8 IpVersion,\r
- IN OUT VOID *IpHead,\r
- IN OUT UINT8 *LastHead,\r
- IN OUT VOID **OptionsBuffer,\r
- IN OUT UINT32 *OptionsLength,\r
- IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable,\r
- IN OUT UINT32 *FragmentCount,\r
- IN IPSEC_SAD_ENTRY *SadEntry,\r
- OUT EFI_EVENT *RecycleEvent\r
- )\r
-{\r
- if (SadEntry->Id->Proto == EfiIPsecESP) {\r
- //\r
- // Process the esp ipsec header of the outbound traffic.\r
- //\r
- return IpSecEspOutboundPacket (\r
- IpVersion,\r
- IpHead,\r
- LastHead,\r
- OptionsBuffer,\r
- OptionsLength,\r
- FragmentTable,\r
- FragmentCount,\r
- SadEntry,\r
- RecycleEvent\r
- );\r
- }\r
- //\r
- // The other protocols are not supported.\r
- //\r
- return EFI_UNSUPPORTED;\r
-}\r
+++ /dev/null
-/** @file\r
- The definitions related to IPsec protocol implementation.\r
-\r
- Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>\r
-\r
- SPDX-License-Identifier: BSD-2-Clause-Patent\r
-\r
-**/\r
-\r
-#ifndef _IP_SEC_IMPL_H_\r
-#define _IP_SEC_IMPL_H_\r
-\r
-#include <Uefi.h>\r
-#include <Library/UefiLib.h>\r
-#include <Library/NetLib.h>\r
-#include <Library/BaseMemoryLib.h>\r
-#include <Library/UefiBootServicesTableLib.h>\r
-#include <Library/MemoryAllocationLib.h>\r
-#include <Protocol/IpSec.h>\r
-#include <Protocol/IpSecConfig.h>\r
-#include <Protocol/Dpc.h>\r
-#include <Protocol/ComponentName.h>\r
-#include <Protocol/ComponentName2.h>\r
-\r
-typedef struct _IPSEC_PRIVATE_DATA IPSEC_PRIVATE_DATA;\r
-typedef struct _IPSEC_SPD_ENTRY IPSEC_SPD_ENTRY;\r
-typedef struct _IPSEC_PAD_ENTRY IPSEC_PAD_ENTRY;\r
-typedef struct _IPSEC_SPD_DATA IPSEC_SPD_DATA;\r
-\r
-#define IPSEC_PRIVATE_DATA_SIGNATURE SIGNATURE_32 ('I', 'P', 'S', 'E')\r
-\r
-#define IPSEC_PRIVATE_DATA_FROM_IPSEC(a) CR (a, IPSEC_PRIVATE_DATA, IpSec, IPSEC_PRIVATE_DATA_SIGNATURE)\r
-#define IPSEC_PRIVATE_DATA_FROM_UDP4LIST(a) CR (a, IPSEC_PRIVATE_DATA, Udp4List, IPSEC_PRIVATE_DATA_SIGNATURE)\r
-#define IPSEC_PRIVATE_DATA_FROM_UDP6LIST(a) CR (a, IPSEC_PRIVATE_DATA, Udp6List, IPSEC_PRIVATE_DATA_SIGNATURE)\r
-#define IPSEC_UDP_SERVICE_FROM_LIST(a) BASE_CR (a, IKE_UDP_SERVICE, List)\r
-#define IPSEC_SPD_ENTRY_FROM_LIST(a) BASE_CR (a, IPSEC_SPD_ENTRY, List)\r
-#define IPSEC_SAD_ENTRY_FROM_LIST(a) BASE_CR (a, IPSEC_SAD_ENTRY, List)\r
-#define IPSEC_PAD_ENTRY_FROM_LIST(a) BASE_CR (a, IPSEC_PAD_ENTRY, List)\r
-#define IPSEC_SAD_ENTRY_FROM_SPD(a) BASE_CR (a, IPSEC_SAD_ENTRY, BySpd)\r
-\r
-#define IPSEC_STATUS_DISABLED 0\r
-#define IPSEC_STATUS_ENABLED 1\r
-#define IPSEC_ESP_PROTOCOL 50\r
-#define IPSEC_AH_PROTOCOL 51\r
-#define IPSEC_DEFAULT_VARIABLE_SIZE 0x100\r
-\r
-//\r
-// Internal Structure Definition\r
-//\r
-#pragma pack(1)\r
-typedef struct _EFI_AH_HEADER {\r
- UINT8 NextHeader;\r
- UINT8 PayloadLen;\r
- UINT16 Reserved;\r
- UINT32 Spi;\r
- UINT32 SequenceNumber;\r
-} EFI_AH_HEADER;\r
-\r
-typedef struct _EFI_ESP_HEADER {\r
- UINT32 Spi;\r
- UINT32 SequenceNumber;\r
-} EFI_ESP_HEADER;\r
-\r
-typedef struct _EFI_ESP_TAIL {\r
- UINT8 PaddingLength;\r
- UINT8 NextHeader;\r
-} EFI_ESP_TAIL;\r
-#pragma pack()\r
-\r
-struct _IPSEC_SPD_DATA {\r
- CHAR16 Name[100];\r
- UINT32 PackageFlag;\r
- EFI_IPSEC_TRAFFIC_DIR TrafficDirection;\r
- EFI_IPSEC_ACTION Action;\r
- EFI_IPSEC_PROCESS_POLICY *ProcessingPolicy;\r
- LIST_ENTRY Sas;\r
-};\r
-\r
-struct _IPSEC_SPD_ENTRY {\r
- EFI_IPSEC_SPD_SELECTOR *Selector;\r
- IPSEC_SPD_DATA *Data;\r
- LIST_ENTRY List;\r
-};\r
-\r
-typedef struct _IPSEC_SAD_DATA {\r
- EFI_IPSEC_MODE Mode;\r
- UINT64 SequenceNumber;\r
- UINT8 AntiReplayWindowSize;\r
- UINT64 AntiReplayBitmap[4]; // bitmap for received packet\r
- EFI_IPSEC_ALGO_INFO AlgoInfo;\r
- EFI_IPSEC_SA_LIFETIME SaLifetime;\r
- UINT32 PathMTU;\r
- IPSEC_SPD_ENTRY *SpdEntry;\r
- EFI_IPSEC_SPD_SELECTOR *SpdSelector;\r
- BOOLEAN ESNEnabled; // Extended (64-bit) SN enabled\r
- BOOLEAN ManualSet;\r
- EFI_IP_ADDRESS TunnelDestAddress;\r
- EFI_IP_ADDRESS TunnelSourceAddress;\r
-} IPSEC_SAD_DATA;\r
-\r
-typedef struct _IPSEC_SAD_ENTRY {\r
- EFI_IPSEC_SA_ID *Id;\r
- IPSEC_SAD_DATA *Data;\r
- LIST_ENTRY List;\r
- LIST_ENTRY BySpd; // Linked on IPSEC_SPD_DATA.Sas\r
-} IPSEC_SAD_ENTRY;\r
-\r
-struct _IPSEC_PAD_ENTRY {\r
- EFI_IPSEC_PAD_ID *Id;\r
- EFI_IPSEC_PAD_DATA *Data;\r
- LIST_ENTRY List;\r
-};\r
-\r
-typedef struct _IPSEC_RECYCLE_CONTEXT {\r
- EFI_IPSEC_FRAGMENT_DATA *FragmentTable;\r
- UINT8 *PayloadBuffer;\r
-} IPSEC_RECYCLE_CONTEXT;\r
-\r
-//\r
-// Struct used to store the Hash and its data.\r
-//\r
-typedef struct {\r
- UINTN DataSize;\r
- UINT8 *Data;\r
-} HASH_DATA_FRAGMENT;\r
-\r
-struct _IPSEC_PRIVATE_DATA {\r
- UINT32 Signature;\r
- EFI_HANDLE Handle; // Virtual handle to install private prtocol\r
- EFI_HANDLE ImageHandle;\r
- EFI_IPSEC2_PROTOCOL IpSec;\r
- EFI_IPSEC_CONFIG_PROTOCOL IpSecConfig;\r
- BOOLEAN SetBySelf;\r
- LIST_ENTRY Udp4List;\r
- UINTN Udp4Num;\r
- LIST_ENTRY Udp6List;\r
- UINTN Udp6Num;\r
- LIST_ENTRY Ikev1SessionList;\r
- LIST_ENTRY Ikev1EstablishedList;\r
- LIST_ENTRY Ikev2SessionList;\r
- LIST_ENTRY Ikev2EstablishedList;\r
- BOOLEAN IsIPsecDisabling;\r
-};\r
-\r
-/**\r
- This function processes the inbound traffic with IPsec.\r
-\r
- It checks the received packet security property, trims the ESP/AH header, and then\r
- returns without an IPsec protected IP Header and FragmentTable.\r
-\r
- @param[in] IpVersion The version of IP.\r
- @param[in, out] IpHead Points to IP header containing the ESP/AH header\r
- to be trimed on input, and without ESP/AH header\r
- on return.\r
- @param[in, out] LastHead The Last Header in IP header on return.\r
- @param[in, out] OptionsBuffer Pointer to the options buffer.\r
- @param[in, out] OptionsLength Length of the options buffer.\r
- @param[in, out] FragmentTable Pointer to a list of fragments in form of IPsec\r
- protected on input, and without IPsec protected\r
- on return.\r
- @param[in, out] FragmentCount The number of fragments.\r
- @param[out] SpdEntry Pointer to contain the address of SPD entry on return.\r
- @param[out] RecycleEvent The event for recycling of resources.\r
-\r
- @retval EFI_SUCCESS The operation was successful.\r
- @retval EFI_UNSUPPORTED The IPSEC protocol is not supported.\r
-\r
-**/\r
-EFI_STATUS\r
-IpSecProtectInboundPacket (\r
- IN UINT8 IpVersion,\r
- IN OUT VOID *IpHead,\r
- IN OUT UINT8 *LastHead,\r
- IN OUT VOID **OptionsBuffer,\r
- IN OUT UINT32 *OptionsLength,\r
- IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable,\r
- IN OUT UINT32 *FragmentCount,\r
- OUT EFI_IPSEC_SPD_SELECTOR **SpdEntry,\r
- OUT EFI_EVENT *RecycleEvent\r
- );\r
-\r
-\r
-/**\r
- This fucntion processes the output traffic with IPsec.\r
-\r
- It protected the sending packet by encrypting it payload and inserting ESP/AH header\r
- in the orginal IP header, then return the IpHeader and IPsec protected Fragmentable.\r
-\r
- @param[in] IpVersion The version of IP.\r
- @param[in, out] IpHead Point to IP header containing the orginal IP header\r
- to be processed on input, and inserted ESP/AH header\r
- on return.\r
- @param[in, out] LastHead The Last Header in IP header.\r
- @param[in, out] OptionsBuffer Pointer to the options buffer.\r
- @param[in, out] OptionsLength Length of the options buffer.\r
- @param[in, out] FragmentTable Pointer to a list of fragments to be protected by\r
- IPsec on input, and with IPsec protected\r
- on return.\r
- @param[in, out] FragmentCount Number of fragments.\r
- @param[in] SadEntry Related SAD entry.\r
- @param[out] RecycleEvent Event for recycling of resources.\r
-\r
- @retval EFI_SUCCESS The operation is successful.\r
- @retval EFI_UNSUPPORTED If the IPSEC protocol is not supported.\r
-\r
-**/\r
-EFI_STATUS\r
-IpSecProtectOutboundPacket (\r
- IN UINT8 IpVersion,\r
- IN OUT VOID *IpHead,\r
- IN OUT UINT8 *LastHead,\r
- IN OUT VOID **OptionsBuffer,\r
- IN OUT UINT32 *OptionsLength,\r
- IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable,\r
- IN OUT UINT32 *FragmentCount,\r
- IN IPSEC_SAD_ENTRY *SadEntry,\r
- OUT EFI_EVENT *RecycleEvent\r
- );\r
-\r
-/**\r
- Check if the IP Address in the address range of AddressInfos specified.\r
-\r
- @param[in] IpVersion The IP version.\r
- @param[in] IpAddr Points to EFI_IP_ADDRESS to be check.\r
- @param[in] AddressInfo A list of EFI_IP_ADDRESS_INFO that is used to check\r
- the IP Address is matched.\r
- @param[in] AddressCount The total numbers of the AddressInfo.\r
-\r
- @retval TRUE If the Specified IP Address is in the range of the AddressInfos specified.\r
- @retval FALSE If the Specified IP Address is not in the range of the AddressInfos specified.\r
-\r
-**/\r
-BOOLEAN\r
-IpSecMatchIpAddress (\r
- IN UINT8 IpVersion,\r
- IN EFI_IP_ADDRESS *IpAddr,\r
- IN EFI_IP_ADDRESS_INFO *AddressInfo,\r
- IN UINT32 AddressCount\r
- );\r
-\r
-/**\r
- Find a PAD entry according to remote IP address.\r
-\r
- @param[in] IpVersion The version of IP.\r
- @param[in] IpAddr Point to remote IP address.\r
-\r
- @return The pointer of related PAD entry.\r
-\r
-**/\r
-IPSEC_PAD_ENTRY *\r
-IpSecLookupPadEntry (\r
- IN UINT8 IpVersion,\r
- IN EFI_IP_ADDRESS *IpAddr\r
- );\r
-\r
-/**\r
- Check if the specified IP packet can be serviced by this SPD entry.\r
-\r
- @param[in] SpdEntry Point to SPD entry.\r
- @param[in] IpVersion Version of IP.\r
- @param[in] IpHead Point to IP header.\r
- @param[in] IpPayload Point to IP payload.\r
- @param[in] Protocol The Last protocol of IP packet.\r
- @param[in] IsOutbound Traffic direction.\r
- @param[out] Action The support action of SPD entry.\r
-\r
- @retval EFI_SUCCESS Find the related SPD.\r
- @retval EFI_NOT_FOUND Not find the related SPD entry;\r
-\r
-**/\r
-EFI_STATUS\r
-IpSecLookupSpdEntry (\r
- IN IPSEC_SPD_ENTRY *SpdEntry,\r
- IN UINT8 IpVersion,\r
- IN VOID *IpHead,\r
- IN UINT8 *IpPayload,\r
- IN UINT8 Protocol,\r
- IN BOOLEAN IsOutbound,\r
- OUT EFI_IPSEC_ACTION *Action\r
- );\r
-\r
-/**\r
- Look up if there is existing SAD entry for specified IP packet sending.\r
-\r
- This function is called by the IPsecProcess when there is some IP packet needed to\r
- send out. This function checks if there is an existing SAD entry that can be serviced\r
- to this IP packet sending. If no existing SAD entry could be used, this\r
- function will invoke an IPsec Key Exchange Negotiation.\r
-\r
- @param[in] Private Points to private data.\r
- @param[in] NicHandle Points to a NIC handle.\r
- @param[in] IpVersion The version of IP.\r
- @param[in] IpHead The IP Header of packet to be sent out.\r
- @param[in] IpPayload The IP Payload to be sent out.\r
- @param[in] OldLastHead The Last protocol of the IP packet.\r
- @param[in] SpdEntry Points to a related SPD entry.\r
- @param[out] SadEntry Contains the Point of a related SAD entry.\r
-\r
- @retval EFI_DEVICE_ERROR One of following conditions is TRUE:\r
- - If don't find related UDP service.\r
- - Sequence Number is used up.\r
- - Extension Sequence Number is used up.\r
- @retval EFI_NOT_READY No existing SAD entry could be used.\r
- @retval EFI_SUCCESS Find the related SAD entry.\r
-\r
-**/\r
-EFI_STATUS\r
-IpSecLookupSadEntry (\r
- IN IPSEC_PRIVATE_DATA *Private,\r
- IN EFI_HANDLE NicHandle,\r
- IN UINT8 IpVersion,\r
- IN VOID *IpHead,\r
- IN UINT8 *IpPayload,\r
- IN UINT8 OldLastHead,\r
- IN IPSEC_SPD_ENTRY *SpdEntry,\r
- OUT IPSEC_SAD_ENTRY **SadEntry\r
- );\r
-\r
-/**\r
- Find the SAD through whole SAD list.\r
-\r
- @param[in] Spi The SPI used to search the SAD entry.\r
- @param[in] DestAddress The destination used to search the SAD entry.\r
- @param[in] IpVersion The IP version. Ip4 or Ip6.\r
-\r
- @return The pointer to a certain SAD entry.\r
-\r
-**/\r
-IPSEC_SAD_ENTRY *\r
-IpSecLookupSadBySpi (\r
- IN UINT32 Spi,\r
- IN EFI_IP_ADDRESS *DestAddress,\r
- IN UINT8 IpVersion\r
- )\r
-;\r
-\r
-/**\r
- Handles IPsec packet processing for inbound and outbound IP packets.\r
-\r
- The EFI_IPSEC_PROCESS process routine handles each inbound or outbound packet.\r
- The behavior is that it can perform one of the following actions:\r
- bypass the packet, discard the packet, or protect the packet.\r
-\r
- @param[in] This Pointer to the EFI_IPSEC2_PROTOCOL instance.\r
- @param[in] NicHandle Instance of the network interface.\r
- @param[in] IpVersion IPV4 or IPV6.\r
- @param[in, out] IpHead Pointer to the IP Header.\r
- @param[in, out] LastHead The protocol of the next layer to be processed by IPsec.\r
- @param[in, out] OptionsBuffer Pointer to the options buffer.\r
- @param[in, out] OptionsLength Length of the options buffer.\r
- @param[in, out] FragmentTable Pointer to a list of fragments.\r
- @param[in, out] FragmentCount Number of fragments.\r
- @param[in] TrafficDirection Traffic direction.\r
- @param[out] RecycleSignal Event for recycling of resources.\r
-\r
- @retval EFI_SUCCESS The packet was bypassed and all buffers remain the same.\r
- @retval EFI_SUCCESS The packet was protected.\r
- @retval EFI_ACCESS_DENIED The packet was discarded.\r
-\r
-**/\r
-EFI_STATUS\r
-EFIAPI\r
-IpSecProcess (\r
- IN EFI_IPSEC2_PROTOCOL *This,\r
- IN EFI_HANDLE NicHandle,\r
- IN UINT8 IpVersion,\r
- IN OUT VOID *IpHead,\r
- IN OUT UINT8 *LastHead,\r
- IN OUT VOID **OptionsBuffer,\r
- IN OUT UINT32 *OptionsLength,\r
- IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable,\r
- IN OUT UINT32 *FragmentCount,\r
- IN EFI_IPSEC_TRAFFIC_DIR TrafficDirection,\r
- OUT EFI_EVENT *RecycleSignal\r
- );\r
-\r
-extern EFI_DPC_PROTOCOL *mDpc;\r
-extern EFI_IPSEC2_PROTOCOL mIpSecInstance;\r
-\r
-extern EFI_COMPONENT_NAME2_PROTOCOL gIpSecComponentName2;\r
-extern EFI_COMPONENT_NAME_PROTOCOL gIpSecComponentName;\r
-\r
-\r
-#endif\r
+++ /dev/null
-/** @file\r
- The mian interface of IPsec Protocol.\r
-\r
- Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>\r
-\r
- SPDX-License-Identifier: BSD-2-Clause-Patent\r
-\r
-**/\r
-\r
-#include "IpSecConfigImpl.h"\r
-#include "IpSecImpl.h"\r
-\r
-EFI_IPSEC2_PROTOCOL mIpSecInstance = { IpSecProcess, NULL, TRUE };\r
-\r
-/**\r
- Handles IPsec packet processing for inbound and outbound IP packets.\r
-\r
- The EFI_IPSEC_PROCESS process routine handles each inbound or outbound packet.\r
- The behavior is that it can perform one of the following actions:\r
- bypass the packet, discard the packet, or protect the packet.\r
-\r
- @param[in] This Pointer to the EFI_IPSEC2_PROTOCOL instance.\r
- @param[in] NicHandle Instance of the network interface.\r
- @param[in] IpVersion IPV4 or IPV6.\r
- @param[in, out] IpHead Pointer to the IP Header.\r
- @param[in, out] LastHead The protocol of the next layer to be processed by IPsec.\r
- @param[in, out] OptionsBuffer Pointer to the options buffer.\r
- @param[in, out] OptionsLength Length of the options buffer.\r
- @param[in, out] FragmentTable Pointer to a list of fragments.\r
- @param[in, out] FragmentCount Number of fragments.\r
- @param[in] TrafficDirection Traffic direction.\r
- @param[out] RecycleSignal Event for recycling of resources.\r
-\r
- @retval EFI_SUCCESS The packet was bypassed and all buffers remain the same.\r
- @retval EFI_SUCCESS The packet was protected.\r
- @retval EFI_ACCESS_DENIED The packet was discarded.\r
-\r
-**/\r
-EFI_STATUS\r
-EFIAPI\r
-IpSecProcess (\r
- IN EFI_IPSEC2_PROTOCOL *This,\r
- IN EFI_HANDLE NicHandle,\r
- IN UINT8 IpVersion,\r
- IN OUT VOID *IpHead,\r
- IN OUT UINT8 *LastHead,\r
- IN OUT VOID **OptionsBuffer,\r
- IN OUT UINT32 *OptionsLength,\r
- IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable,\r
- IN OUT UINT32 *FragmentCount,\r
- IN EFI_IPSEC_TRAFFIC_DIR TrafficDirection,\r
- OUT EFI_EVENT *RecycleSignal\r
- )\r
-{\r
- IPSEC_PRIVATE_DATA *Private;\r
- IPSEC_SPD_ENTRY *SpdEntry;\r
- EFI_IPSEC_SPD_SELECTOR *SpdSelector;\r
- IPSEC_SAD_ENTRY *SadEntry;\r
- LIST_ENTRY *SpdList;\r
- LIST_ENTRY *Entry;\r
- EFI_IPSEC_ACTION Action;\r
- EFI_STATUS Status;\r
- UINT8 *IpPayload;\r
- UINT8 OldLastHead;\r
- BOOLEAN IsOutbound;\r
-\r
- if (OptionsBuffer == NULL ||\r
- OptionsLength == NULL ||\r
- FragmentTable == NULL ||\r
- FragmentCount == NULL\r
- ) {\r
- return EFI_INVALID_PARAMETER;\r
- }\r
- Private = IPSEC_PRIVATE_DATA_FROM_IPSEC (This);\r
- IpPayload = (*FragmentTable)[0].FragmentBuffer;\r
- IsOutbound = (BOOLEAN) ((TrafficDirection == EfiIPsecOutBound) ? TRUE : FALSE);\r
- OldLastHead = *LastHead;\r
- *RecycleSignal = NULL;\r
- SpdList = &mConfigData[IPsecConfigDataTypeSpd];\r
-\r
- if (!IsOutbound) {\r
- //\r
- // For inbound traffic, process the ipsec header of the packet.\r
- //\r
- Status = IpSecProtectInboundPacket (\r
- IpVersion,\r
- IpHead,\r
- LastHead,\r
- OptionsBuffer,\r
- OptionsLength,\r
- FragmentTable,\r
- FragmentCount,\r
- &SpdSelector,\r
- RecycleSignal\r
- );\r
-\r
- if (Status == EFI_ACCESS_DENIED || Status == EFI_OUT_OF_RESOURCES) {\r
- //\r
- // The packet is denied to access.\r
- //\r
- goto ON_EXIT;\r
- }\r
-\r
- if (Status == EFI_SUCCESS) {\r
-\r
- //\r
- // Check the spd entry if the packet is accessible.\r
- //\r
- if (SpdSelector == NULL) {\r
- Status = EFI_ACCESS_DENIED;\r
- goto ON_EXIT;\r
- }\r
-\r
- Status = EFI_ACCESS_DENIED;\r
- NET_LIST_FOR_EACH (Entry, SpdList) {\r
- SpdEntry = IPSEC_SPD_ENTRY_FROM_LIST (Entry);\r
- if (IsSubSpdSelector (\r
- (EFI_IPSEC_CONFIG_SELECTOR *) SpdSelector,\r
- (EFI_IPSEC_CONFIG_SELECTOR *) SpdEntry->Selector\r
- )) {\r
- Status = EFI_SUCCESS;\r
- }\r
- }\r
- goto ON_EXIT;\r
- }\r
- }\r
-\r
- Status = EFI_ACCESS_DENIED;\r
-\r
- NET_LIST_FOR_EACH (Entry, SpdList) {\r
- //\r
- // For outbound and non-ipsec Inbound traffic: check the spd entry.\r
- //\r
- SpdEntry = IPSEC_SPD_ENTRY_FROM_LIST (Entry);\r
-\r
- if (EFI_ERROR (IpSecLookupSpdEntry (\r
- SpdEntry,\r
- IpVersion,\r
- IpHead,\r
- IpPayload,\r
- OldLastHead,\r
- IsOutbound,\r
- &Action\r
- ))) {\r
- //\r
- // If the related SPD not find\r
- //\r
- continue;\r
- }\r
-\r
- switch (Action) {\r
-\r
- case EfiIPsecActionProtect:\r
-\r
- if (IsOutbound) {\r
- //\r
- // For outbound traffic, lookup the sad entry.\r
- //\r
- Status = IpSecLookupSadEntry (\r
- Private,\r
- NicHandle,\r
- IpVersion,\r
- IpHead,\r
- IpPayload,\r
- OldLastHead,\r
- SpdEntry,\r
- &SadEntry\r
- );\r
-\r
- if (SadEntry != NULL) {\r
- //\r
- // Process the packet by the found sad entry.\r
- //\r
- Status = IpSecProtectOutboundPacket (\r
- IpVersion,\r
- IpHead,\r
- LastHead,\r
- OptionsBuffer,\r
- OptionsLength,\r
- FragmentTable,\r
- FragmentCount,\r
- SadEntry,\r
- RecycleSignal\r
- );\r
-\r
- } else if (OldLastHead == IP6_ICMP && *IpPayload != ICMP_V6_ECHO_REQUEST) {\r
- //\r
- // TODO: if no need return not ready to upper layer, change here.\r
- //\r
- Status = EFI_SUCCESS;\r
- }\r
- } else if (OldLastHead == IP6_ICMP && *IpPayload != ICMP_V6_ECHO_REQUEST) {\r
- //\r
- // For inbound icmpv6 traffic except ping request, accept the packet\r
- // although no sad entry associated with protect spd entry.\r
- //\r
- Status = IpSecLookupSadEntry (\r
- Private,\r
- NicHandle,\r
- IpVersion,\r
- IpHead,\r
- IpPayload,\r
- OldLastHead,\r
- SpdEntry,\r
- &SadEntry\r
- );\r
- if (SadEntry == NULL) {\r
- Status = EFI_SUCCESS;\r
- }\r
- }\r
-\r
- goto ON_EXIT;\r
-\r
- case EfiIPsecActionBypass:\r
- Status = EFI_SUCCESS;\r
- goto ON_EXIT;\r
-\r
- case EfiIPsecActionDiscard:\r
- goto ON_EXIT;\r
- }\r
- }\r
-\r
- //\r
- // If don't find the related SPD entry, return the EFI_ACCESS_DENIED and discard it.\r
- // But it the packet is NS/NA, it should be by passed even not find the related SPD entry.\r
- //\r
- if (OldLastHead == IP6_ICMP &&\r
- (*IpPayload == ICMP_V6_NEIGHBOR_SOLICIT || *IpPayload == ICMP_V6_NEIGHBOR_ADVERTISE)\r
- ){\r
- Status = EFI_SUCCESS;\r
- }\r
-\r
-ON_EXIT:\r
- return Status;\r
-}\r
-\r
# @Prompt Max attempt number.\r
gEfiNetworkPkgTokenSpaceGuid.PcdMaxIScsiAttemptNumber|0x08|UINT8|0x0000000D\r
\r
-[PcdsFeatureFlag]\r
- ## Indicates if the IPsec IKEv2 Certificate Authentication feature is enabled or not.<BR><BR>\r
- # TRUE - Certificate Authentication feature is enabled.<BR>\r
- # FALSE - Does not support Certificate Authentication.<BR>\r
- # @Prompt Enable IPsec IKEv2 Certificate Authentication.\r
- gEfiNetworkPkgTokenSpaceGuid.PcdIpsecCertificateEnabled|TRUE|BOOLEAN|0x00000007\r
-\r
[PcdsFixedAtBuild, PcdsPatchableInModule]\r
- ## CA certificate used by IPsec.\r
- # @Prompt CA file.\r
- gEfiNetworkPkgTokenSpaceGuid.PcdIpsecUefiCaFile|{0x30, 0x82, 0x02, 0x76, 0x30, 0x82, 0x01, 0xDF, 0xA0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x09, 0x00, 0x80, 0x1D, 0xB9, 0x63, 0x93, 0x7C, 0x9D, 0xE0, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x04, 0x05, 0x00, 0x30, 0x74, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x0A, 0x4D, 0x79, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x41, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x02, 0x48, 0x5A, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x43, 0x4E, 0x31, 0x1C, 0x30, 0x1A, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16, 0x0D, 0x74, 0x65, 0x73, 0x74, 0x40, 0x63, 0x65, 0x72, 0x74, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x25, 0x30, 0x23, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x13, 0x1C, 0x52, 0x6F, 0x6F, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6F, 0x6E, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6F, 0x72, 0x69, 0x74, 0x79, 0x30, 0x1E, 0x17, 0x0D, 0x31, 0x30, 0x31, 0x31, 0x30, 0x31, 0x30, 0x31, 0x35, 0x33, 0x33, 0x37, 0x5A, 0x17, 0x0D, 0x31, 0x31, 0x31, 0x31, 0x30, 0x31, 0x30, 0x31, 0x35, 0x33, 0x33, 0x37, 0x5A, 0x30, 0x74, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x0A, 0x4D, 0x79, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x41, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x02, 0x48, 0x5A, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x43, 0x4E, 0x31, 0x1C, 0x30, 0x1A, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16, 0x0D, 0x74, 0x65, 0x73, 0x74, 0x40, 0x63, 0x65, 0x72, 0x74, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x25, 0x30, 0x23, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x13, 0x1C, 0x52, 0x6F, 0x6F, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6F, 0x6E, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6F, 0x72, 0x69, 0x74, 0x79, 0x30, 0x81, 0x9F, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x81, 0x8D, 0x00, 0x30, 0x81, 0x89, 0x02, 0x81, 0x81, 0x00, 0xFC, 0x80, 0x5D, 0x32, 0x55, 0xC7, 0x4C, 0xC6, 0xA8, 0x2F, 0xF7, 0xEC, 0x1F, 0x75, 0x48, 0x02, 0x79, 0xEB, 0xDF, 0x17, 0x1B, 0x08, 0xBA, 0x21, 0xDD, 0xE5, 0x43, 0x06, 0xE8, 0x81, 0xC5, 0x50, 0x3C, 0x18, 0xDD, 0x53, 0xF4, 0xC9, 0xC9, 0xE1, 0x7A, 0xD3, 0xB3, 0x99, 0xA7, 0xC6, 0x43, 0x2A, 0x51, 0x65, 0x10, 0x93, 0xBA, 0x5F, 0x48, 0xAC, 0x54, 0x12, 0x70, 0x9E, 0xF2, 0x9E, 0x7D, 0xF7, 0x22, 0xAA, 0xB7, 0x19, 0xDE, 0xA9, 0x4D, 0x55, 0xAA, 0x41, 0x8F, 0x08, 0xBD, 0x74, 0xFA, 0xE5, 0x57, 0x13, 0xB4, 0x30, 0x9A, 0xBA, 0x56, 0x01, 0x55, 0x8A, 0x9B, 0x5B, 0x50, 0x29, 0x82, 0xF9, 0x00, 0x69, 0x7E, 0x7B, 0x91, 0xA7, 0x2D, 0x48, 0x1A, 0x93, 0x7C, 0xA2, 0xF9, 0x06, 0x64, 0x4B, 0x80, 0xF8, 0x47, 0x58, 0x45, 0x90, 0x09, 0xEA, 0xD6, 0x7B, 0x85, 0x49, 0x2A, 0x4E, 0xB6, 0x71, 0x02, 0x03, 0x01, 0x00, 0x01, 0xA3, 0x10, 0x30, 0x0E, 0x30, 0x0C, 0x06, 0x03, 0x55, 0x1D, 0x13, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xFF, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x04, 0x05, 0x00, 0x03, 0x81, 0x81, 0x00, 0xEF, 0x38, 0x6A, 0x43, 0x1C, 0x1D, 0x37, 0xBD, 0xF7, 0xCF, 0x15, 0x6A, 0x99, 0x44, 0xE1, 0xFC, 0x68, 0x6E, 0x91, 0x31, 0x9C, 0x1E, 0x8C, 0x1F, 0x72, 0x4B, 0x93, 0x16, 0x1F, 0x06, 0xFE, 0x94, 0xA9, 0x41, 0x64, 0x81, 0xFD, 0xFF, 0xE7, 0x27, 0x4D, 0xE7, 0x59, 0x55, 0xE1, 0x20, 0x14, 0x07, 0x3C, 0x26, 0x78, 0xB0, 0x72, 0x48, 0x76, 0x0C, 0x8B, 0x3F, 0x08, 0xD0, 0x75, 0x7D, 0x76, 0xA4, 0xB5, 0x56, 0xA6, 0xC9, 0x88, 0x17, 0x27, 0x95, 0x85, 0xEE, 0x42, 0x1E, 0x15, 0x0B, 0x05, 0xDC, 0x2F, 0x97, 0x7B, 0x26, 0x82, 0x62, 0x23, 0xDF, 0xBF, 0x55, 0x09, 0xBF, 0x5E, 0x28, 0x1A, 0xCA, 0x1B, 0xEC, 0xA4, 0x81, 0xB7, 0x9D, 0x91, 0xC9, 0x60, 0x5B, 0x29, 0x2B, 0x4C, 0x6F, 0x8B, 0xCC, 0x17, 0xA8, 0xD6, 0x5D, 0x6B, 0xBC, 0x0D, 0x03, 0x31, 0xB0, 0x57, 0xC9, 0xF8, 0x59, 0x88, 0x3D}|VOID*|0x00000001\r
-\r
- ## CA certificate file's size.\r
- # @Prompt CA file's size.\r
- gEfiNetworkPkgTokenSpaceGuid.PcdIpsecUefiCaFileSize|0x0000027A|UINT32|0x00000002\r
-\r
- ## X509 certificate as Public Key which is used by IPsec (DER format)\r
- # @Prompt Pubic Key for remote peer.\r
- gEfiNetworkPkgTokenSpaceGuid.PcdIpsecUefiCertificate|{0x30, 0x82, 0x02, 0x4D, 0x30, 0x82, 0x01, 0xB6, 0x02, 0x01, 0x01, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x04, 0x05, 0x00, 0x30, 0x74, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x0A, 0x4D, 0x79, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x41, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x02, 0x48, 0x5A, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x43, 0x4E, 0x31, 0x1C, 0x30, 0x1A, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16, 0x0D, 0x74, 0x65, 0x73, 0x74, 0x40, 0x63, 0x65, 0x72, 0x74, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x25, 0x30, 0x23, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x13, 0x1C, 0x52, 0x6F, 0x6F, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6F, 0x6E, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6F, 0x72, 0x69, 0x74, 0x79, 0x30, 0x1E, 0x17, 0x0D, 0x31, 0x30, 0x31, 0x31, 0x30, 0x31, 0x30, 0x32, 0x30, 0x34, 0x35, 0x39, 0x5A, 0x17, 0x0D, 0x31, 0x31, 0x31, 0x31, 0x30, 0x31, 0x30, 0x32, 0x30, 0x34, 0x35, 0x39, 0x5A, 0x30, 0x6A, 0x31, 0x0D, 0x30, 0x0B, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x04, 0x55, 0x45, 0x46, 0x49, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x02, 0x53, 0x48, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x43, 0x4E, 0x31, 0x23, 0x30, 0x21, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16, 0x14, 0x75, 0x65, 0x66, 0x69, 0x2E, 0x74, 0x69, 0x61, 0x6E, 0x6F, 0x40, 0x69, 0x6E, 0x74, 0x65, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x0C, 0x30, 0x0A, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x13, 0x03, 0x53, 0x53, 0x47, 0x31, 0x0C, 0x30, 0x0A, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x13, 0x03, 0x53, 0x53, 0x47, 0x30, 0x81, 0x9F, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x81, 0x8D, 0x00, 0x30, 0x81, 0x89, 0x02, 0x81, 0x81, 0x00, 0xE9, 0x90, 0x47, 0x0D, 0x79, 0x93, 0xED, 0xF5, 0xBD, 0xC9, 0x56, 0x03, 0xDF, 0xE2, 0x71, 0xA9, 0x42, 0x3B, 0x20, 0x1E, 0xAF, 0x88, 0x9D, 0x3F, 0xE1, 0xDE, 0x61, 0xEE, 0x83, 0xC4, 0x2E, 0x48, 0x7A, 0x1F, 0x86, 0x54, 0xD2, 0xD5, 0x61, 0x94, 0xE1, 0x15, 0x79, 0x65, 0xCB, 0x39, 0xEE, 0x78, 0x68, 0x3D, 0x2C, 0xEB, 0xE4, 0x7A, 0x8D, 0x98, 0x14, 0x28, 0x7E, 0x6B, 0xFD, 0xC5, 0xF5, 0x1B, 0x62, 0xB9, 0x86, 0x7C, 0xA1, 0x7C, 0xE9, 0x8F, 0xC8, 0xF4, 0xF3, 0x95, 0x5A, 0xAF, 0x0C, 0x21, 0x39, 0xEA, 0x47, 0x5A, 0x1E, 0xBD, 0xBE, 0x7F, 0x1B, 0x0F, 0x31, 0xFB, 0xBD, 0x57, 0xAE, 0xD7, 0xCB, 0x46, 0x83, 0x8B, 0x16, 0x19, 0x74, 0xD9, 0x9E, 0x2D, 0x18, 0xE6, 0xA4, 0x5F, 0x90, 0x90, 0x54, 0xE1, 0x4B, 0x7B, 0x57, 0x76, 0xBD, 0xF4, 0xC0, 0x4D, 0x79, 0x5F, 0x64, 0x6C, 0x0D, 0x2D, 0x02, 0x03, 0x01, 0x00, 0x01, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x04, 0x05, 0x00, 0x03, 0x81, 0x81, 0x00, 0x5A, 0x80, 0x5F, 0xD3, 0x3C, 0x93, 0x81, 0xB9, 0x1B, 0xAA, 0x08, 0x1F, 0x47, 0x9C, 0x88, 0xF3, 0x1E, 0xE6, 0x6B, 0xBB, 0x99, 0xE6, 0x23, 0x1A, 0xCB, 0x25, 0x81, 0x54, 0x51, 0x88, 0xDF, 0x9B, 0xC6, 0xBF, 0x60, 0xDB, 0x6C, 0x5D, 0x69, 0xB1, 0x3A, 0xDE, 0x94, 0xEE, 0xD7, 0x6C, 0xF2, 0x2D, 0x63, 0xD3, 0xB3, 0xAB, 0xE6, 0xB5, 0x0A, 0xBF, 0xCE, 0x61, 0xC0, 0xD3, 0x73, 0x9E, 0x80, 0xB5, 0x0C, 0xC0, 0x03, 0x57, 0xA9, 0x56, 0x59, 0x1B, 0xA2, 0x99, 0x03, 0xA6, 0xA3, 0xC4, 0x59, 0xB3, 0xD9, 0x14, 0xA1, 0x34, 0x18, 0xF3, 0x73, 0xB8, 0x54, 0xAA, 0xED, 0x7D, 0x31, 0x3E, 0x23, 0xAD, 0xF1, 0x86, 0xF7, 0xE6, 0xD9, 0x01, 0x0D, 0x68, 0xC6, 0xC5, 0x95, 0x18, 0xD2, 0x89, 0xB7, 0x06, 0x96, 0xC9, 0x11, 0xB9, 0xF0, 0xDA, 0xD9, 0x02, 0x25, 0xC4, 0xB9, 0x72, 0xF8, 0x6D, 0xC5, 0x5B}|VOID*|0x00000003\r
-\r
- ## X509 certificate as Public Key's size.\r
- # @Prompt Pubic Key's size.\r
- gEfiNetworkPkgTokenSpaceGuid.PcdIpsecUefiCertificateSize|0x251|UINT32|0x00000004\r
-\r
- ## Private Key used by IPsec (PEM format).\r
- # @Prompt Private Key.\r
- gEfiNetworkPkgTokenSpaceGuid.PcdIpsecUefiCertificateKey|{0x2D, 0x2D, 0x2D, 0x2D, 0x2D, 0x42, 0x45, 0x47, 0x49, 0x4E, 0x20, 0x52, 0x53, 0x41, 0x20, 0x50, 0x52, 0x49, 0x56, 0x41, 0x54, 0x45, 0x20, 0x4B, 0x45, 0x59, 0x2D, 0x2D, 0x2D, 0x2D, 0x2D, 0x0A, 0x50, 0x72, 0x6F, 0x63, 0x2D, 0x54, 0x79, 0x70, 0x65, 0x3A, 0x20, 0x34, 0x2C, 0x45, 0x4E, 0x43, 0x52, 0x59, 0x50, 0x54, 0x45, 0x44, 0x0A, 0x44, 0x45, 0x4B, 0x2D, 0x49, 0x6E, 0x66, 0x6F, 0x3A, 0x20, 0x44, 0x45, 0x53, 0x2D, 0x45, 0x44, 0x45, 0x33, 0x2D, 0x43, 0x42, 0x43, 0x2C, 0x32, 0x42, 0x31, 0x46, 0x42, 0x41, 0x43, 0x41, 0x38, 0x36, 0x32, 0x36, 0x33, 0x34, 0x41, 0x37, 0x0A, 0x0A, 0x61, 0x52, 0x78, 0x49, 0x58, 0x33, 0x59, 0x4D, 0x68, 0x49, 0x50, 0x41, 0x73, 0x59, 0x79, 0x6F, 0x6A, 0x49, 0x76, 0x46, 0x7A, 0x42, 0x75, 0x6B, 0x74, 0x6B, 0x4A, 0x47, 0x5A, 0x38, 0x4D, 0x64, 0x33, 0x5A, 0x53, 0x73, 0x39, 0x41, 0x2B, 0x52, 0x2B, 0x57, 0x45, 0x59, 0x41, 0x70, 0x34, 0x63, 0x4F, 0x55, 0x43, 0x4A, 0x78, 0x51, 0x2F, 0x66, 0x4A, 0x38, 0x58, 0x4F, 0x45, 0x64, 0x58, 0x38, 0x0A, 0x31, 0x63, 0x4E, 0x66, 0x4B, 0x2B, 0x49, 0x62, 0x76, 0x4B, 0x4D, 0x68, 0x55, 0x67, 0x30, 0x4B, 0x4E, 0x35, 0x38, 0x37, 0x71, 0x66, 0x2F, 0x4C, 0x31, 0x76, 0x57, 0x58, 0x6F, 0x31, 0x74, 0x5A, 0x6B, 0x59, 0x2B, 0x5A, 0x53, 0x4E, 0x63, 0x46, 0x45, 0x41, 0x76, 0x37, 0x43, 0x43, 0x50, 0x51, 0x6B, 0x64, 0x4A, 0x42, 0x48, 0x35, 0x65, 0x6B, 0x35, 0x44, 0x51, 0x2F, 0x37, 0x6D, 0x71, 0x55, 0x0A, 0x6B, 0x76, 0x78, 0x48, 0x53, 0x50, 0x70, 0x34, 0x66, 0x41, 0x71, 0x47, 0x61, 0x68, 0x54, 0x31, 0x75, 0x37, 0x37, 0x56, 0x66, 0x4E, 0x66, 0x31, 0x53, 0x74, 0x61, 0x73, 0x31, 0x6E, 0x4F, 0x67, 0x6A, 0x50, 0x31, 0x41, 0x6C, 0x7A, 0x6E, 0x6B, 0x6A, 0x57, 0x61, 0x72, 0x6A, 0x51, 0x4F, 0x73, 0x48, 0x46, 0x33, 0x41, 0x46, 0x31, 0x62, 0x61, 0x51, 0x4A, 0x50, 0x5A, 0x31, 0x6A, 0x71, 0x4C, 0x0A, 0x61, 0x30, 0x49, 0x45, 0x6E, 0x30, 0x6C, 0x59, 0x6C, 0x78, 0x35, 0x79, 0x4D, 0x6D, 0x78, 0x54, 0x47, 0x57, 0x79, 0x52, 0x35, 0x70, 0x57, 0x51, 0x35, 0x71, 0x66, 0x78, 0x2B, 0x62, 0x37, 0x64, 0x37, 0x75, 0x71, 0x67, 0x47, 0x69, 0x66, 0x36, 0x6A, 0x44, 0x47, 0x4D, 0x37, 0x68, 0x38, 0x43, 0x78, 0x2F, 0x74, 0x67, 0x2B, 0x61, 0x62, 0x45, 0x31, 0x34, 0x30, 0x2F, 0x50, 0x66, 0x6C, 0x33, 0x0A, 0x33, 0x6A, 0x50, 0x6C, 0x52, 0x75, 0x73, 0x57, 0x6F, 0x6F, 0x63, 0x49, 0x41, 0x76, 0x49, 0x74, 0x79, 0x51, 0x6D, 0x39, 0x39, 0x71, 0x74, 0x34, 0x64, 0x6E, 0x74, 0x6E, 0x74, 0x6F, 0x4A, 0x43, 0x6D, 0x4F, 0x53, 0x79, 0x71, 0x67, 0x4D, 0x6E, 0x76, 0x2F, 0x76, 0x2B, 0x51, 0x48, 0x74, 0x79, 0x4D, 0x73, 0x42, 0x64, 0x38, 0x34, 0x78, 0x45, 0x57, 0x46, 0x36, 0x72, 0x58, 0x4D, 0x52, 0x63, 0x0A, 0x53, 0x2B, 0x66, 0x68, 0x54, 0x71, 0x58, 0x74, 0x54, 0x38, 0x44, 0x50, 0x65, 0x70, 0x2F, 0x56, 0x44, 0x66, 0x65, 0x78, 0x6B, 0x41, 0x63, 0x6D, 0x63, 0x75, 0x41, 0x69, 0x6F, 0x2B, 0x79, 0x64, 0x51, 0x75, 0x49, 0x31, 0x32, 0x7A, 0x50, 0x70, 0x45, 0x68, 0x50, 0x45, 0x68, 0x31, 0x44, 0x50, 0x58, 0x73, 0x64, 0x58, 0x67, 0x64, 0x77, 0x39, 0x75, 0x46, 0x47, 0x6D, 0x63, 0x35, 0x68, 0x52, 0x0A, 0x35, 0x31, 0x57, 0x41, 0x31, 0x65, 0x63, 0x44, 0x48, 0x6A, 0x31, 0x58, 0x32, 0x45, 0x72, 0x36, 0x39, 0x59, 0x70, 0x31, 0x50, 0x69, 0x43, 0x37, 0x49, 0x47, 0x79, 0x6F, 0x71, 0x57, 0x43, 0x37, 0x69, 0x2F, 0x71, 0x6D, 0x6D, 0x72, 0x49, 0x66, 0x6F, 0x41, 0x54, 0x74, 0x39, 0x58, 0x34, 0x30, 0x54, 0x56, 0x63, 0x37, 0x42, 0x63, 0x6A, 0x34, 0x63, 0x54, 0x31, 0x78, 0x37, 0x6B, 0x70, 0x4F, 0x0A, 0x4C, 0x71, 0x67, 0x33, 0x6C, 0x50, 0x78, 0x33, 0x2B, 0x4A, 0x63, 0x33, 0x43, 0x67, 0x34, 0x79, 0x5A, 0x54, 0x66, 0x6E, 0x4A, 0x5A, 0x37, 0x48, 0x76, 0x36, 0x64, 0x68, 0x67, 0x45, 0x6D, 0x70, 0x4D, 0x73, 0x74, 0x46, 0x65, 0x35, 0x34, 0x49, 0x53, 0x76, 0x74, 0x38, 0x37, 0x59, 0x4E, 0x77, 0x74, 0x4C, 0x65, 0x6C, 0x34, 0x67, 0x50, 0x4A, 0x79, 0x53, 0x42, 0x30, 0x4B, 0x76, 0x37, 0x69, 0x0A, 0x33, 0x32, 0x74, 0x37, 0x67, 0x4F, 0x30, 0x79, 0x6D, 0x73, 0x62, 0x71, 0x4A, 0x55, 0x75, 0x79, 0x41, 0x68, 0x47, 0x64, 0x33, 0x63, 0x2B, 0x78, 0x4C, 0x46, 0x2F, 0x63, 0x63, 0x4F, 0x57, 0x44, 0x52, 0x34, 0x79, 0x72, 0x30, 0x6A, 0x79, 0x64, 0x74, 0x70, 0x79, 0x69, 0x64, 0x52, 0x45, 0x66, 0x56, 0x46, 0x66, 0x53, 0x6C, 0x39, 0x54, 0x30, 0x6D, 0x53, 0x72, 0x4E, 0x76, 0x43, 0x71, 0x45, 0x0A, 0x52, 0x52, 0x5A, 0x6E, 0x42, 0x56, 0x76, 0x37, 0x50, 0x66, 0x6C, 0x75, 0x72, 0x31, 0x59, 0x35, 0x70, 0x2F, 0x65, 0x78, 0x54, 0x63, 0x56, 0x34, 0x72, 0x4B, 0x52, 0x69, 0x6C, 0x35, 0x58, 0x6A, 0x2F, 0x39, 0x59, 0x56, 0x31, 0x4E, 0x6E, 0x6D, 0x4E, 0x2B, 0x2F, 0x31, 0x31, 0x74, 0x36, 0x58, 0x74, 0x6A, 0x72, 0x75, 0x52, 0x62, 0x33, 0x79, 0x70, 0x38, 0x76, 0x64, 0x6C, 0x61, 0x65, 0x5A, 0x0A, 0x6C, 0x67, 0x45, 0x69, 0x73, 0x30, 0x42, 0x7A, 0x4B, 0x59, 0x39, 0x59, 0x64, 0x58, 0x48, 0x64, 0x46, 0x58, 0x57, 0x59, 0x4F, 0x41, 0x71, 0x50, 0x48, 0x45, 0x65, 0x4B, 0x57, 0x79, 0x61, 0x59, 0x5A, 0x56, 0x79, 0x43, 0x70, 0x51, 0x65, 0x43, 0x53, 0x71, 0x4F, 0x71, 0x48, 0x38, 0x67, 0x42, 0x6B, 0x4F, 0x62, 0x43, 0x69, 0x72, 0x41, 0x6A, 0x65, 0x56, 0x70, 0x35, 0x7A, 0x37, 0x6B, 0x31, 0x0A, 0x64, 0x4F, 0x2F, 0x6D, 0x56, 0x74, 0x49, 0x2B, 0x57, 0x47, 0x30, 0x48, 0x72, 0x37, 0x5A, 0x4C, 0x53, 0x52, 0x78, 0x6F, 0x61, 0x44, 0x47, 0x42, 0x33, 0x4E, 0x35, 0x38, 0x4B, 0x56, 0x45, 0x4F, 0x34, 0x65, 0x46, 0x56, 0x75, 0x6E, 0x59, 0x77, 0x51, 0x42, 0x54, 0x7A, 0x4F, 0x65, 0x57, 0x39, 0x6C, 0x4B, 0x79, 0x49, 0x38, 0x67, 0x4D, 0x45, 0x57, 0x6C, 0x62, 0x4B, 0x72, 0x41, 0x45, 0x49, 0x0A, 0x46, 0x4B, 0x38, 0x7A, 0x58, 0x6F, 0x44, 0x74, 0x39, 0x6A, 0x7A, 0x54, 0x37, 0x67, 0x68, 0x6A, 0x79, 0x45, 0x54, 0x67, 0x44, 0x6C, 0x69, 0x50, 0x53, 0x49, 0x46, 0x6A, 0x79, 0x31, 0x64, 0x6B, 0x6A, 0x6D, 0x68, 0x53, 0x78, 0x79, 0x6A, 0x67, 0x62, 0x71, 0x45, 0x3D, 0x0A, 0x2D, 0x2D, 0x2D, 0x2D, 0x2D, 0x45, 0x4E, 0x44, 0x20, 0x52, 0x53, 0x41, 0x20, 0x50, 0x52, 0x49, 0x56, 0x41, 0x54, 0x45, 0x20, 0x4B, 0x45, 0x59, 0x2D, 0x2D, 0x2D, 0x2D, 0x2D, 0x0A}|VOID*|0x00000005\r
-\r
- ## Private Key's size.\r
- # @Prompt Private Key's size.\r
- gEfiNetworkPkgTokenSpaceGuid.PcdIpsecUefiCertificateKeySize|0x3d5|UINT32|0x00000006\r
-\r
## Indicates whether HTTP connections (i.e., unsecured) are permitted or not.\r
# TRUE - HTTP connections are allowed. Both the "https://" and "http://" URI schemes are permitted.\r
# FALSE - HTTP connections are denied. Only the "https://" URI scheme is permitted.\r
NetworkPkg/HttpBootDxe/HttpBootDxe.inf\r
NetworkPkg/WifiConnectionManagerDxe/WifiConnectionManagerDxe.inf\r
\r
- NetworkPkg/Application/IpsecConfig/IpSecConfig.inf\r
NetworkPkg/Application/VConfig/VConfig.inf\r
\r
[Components.IA32, Components.X64]\r
- NetworkPkg/IpSecDxe/IpSecDxe.inf\r
NetworkPkg/IScsiDxe/IScsiDxe.inf\r
NetworkPkg/UefiPxeBcDxe/UefiPxeBcDxe.inf\r
NetworkPkg/TlsDxe/TlsDxe.inf\r