From 6cf9230ff23d7b856692b86da5ceea20183141a2 Mon Sep 17 00:00:00 2001 From: qianouyang Date: Wed, 23 Nov 2011 10:31:04 +0000 Subject: [PATCH] =?utf8?q?1.Update=20IPsec=20driver=20to=20set=20the=20Tra?= =?utf8?q?nsform=20structure=E2=80=99s=20Next=20Payload=20field=20to=20be?= =?utf8?q?=20zero=20when=20it=20is=20the=20last=20transform=20structure=20?= =?utf8?q?in=20a=20proposal.=20The=20same=20as=20Proposal=20Structure?= =?utf8?q?=E2=80=99s=20Next=20Payload=20filed,=20it=20also=20should=20be?= =?utf8?q?=20zero=20when=20it=20is=20the=20last=20proposal=20in=20the=20SA?= =?utf8?q?.=202.Delete=20all=20SAs=20in=20the=20IPsec->Stop().?= MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Signed-off-by: qianouyang Reviewed-by: sfu5 git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@12768 6f19259b-4bc3-4df7-8a09-765794883524 --- NetworkPkg/IpSecDxe/IkeService.c | 92 +++---- NetworkPkg/IpSecDxe/IkeService.h | 60 ++--- NetworkPkg/IpSecDxe/Ikev2/Exchange.c | 107 ++++---- NetworkPkg/IpSecDxe/Ikev2/Payload.c | 371 +++++++++++++-------------- NetworkPkg/IpSecDxe/IpSecDriver.c | 26 +- NetworkPkg/IpSecDxe/IpSecImpl.c | 167 ++++++------ 6 files changed, 414 insertions(+), 409 deletions(-) diff --git a/NetworkPkg/IpSecDxe/IkeService.c b/NetworkPkg/IpSecDxe/IkeService.c index 8def212dae..2ea5962537 100644 --- a/NetworkPkg/IpSecDxe/IkeService.c +++ b/NetworkPkg/IpSecDxe/IkeService.c @@ -1,6 +1,6 @@ /** @file Provide IPsec Key Exchange (IKE) service general interfaces. - + Copyright (c) 2010 - 2011, Intel Corporation. All rights reserved.
This program and the accompanying materials @@ -104,13 +104,13 @@ IkeLookupUdp ( /** Configure a UDPIO's UDP4 instance. - - This fuction is called by the UdpIoCreateIo() to configures a + + This fuction is called by the UdpIoCreateIo() to configures a UDP4 instance. - + @param[in] UdpIo The UDP_IO to be configured. @param[in] Context User-defined data when calling UdpIoCreateIo(). - + @retval EFI_SUCCESS The configuration succeeded. @retval Others The UDP4 instance fails to configure. @@ -146,13 +146,13 @@ IkeConfigUdp4 ( /** Configure a UDPIO's UDP6 instance. - - This fuction is called by the UdpIoCreateIo()to configure a + + This fuction is called by the UdpIoCreateIo()to configure a UDP6 instance. - + @param[in] UdpIo The UDP_IO to be configured. @param[in] Context User-defined data when calling UdpIoCreateIo(). - + @retval EFI_SUCCESS The configuration succeeded. @retval Others The configuration fails. @@ -194,14 +194,14 @@ IkeConfigUdp6 ( /** Open and configure the related output UDPIO for IKE packet sending. - - If the UdpService is not configured, this fuction calls UdpIoCreatIo() to + + If the UdpService is not configured, this fuction calls UdpIoCreatIo() to create UDPIO to bind this UdpService for IKE packet sending. If the UdpService has already been configured, then return. - + @param[in] UdpService The UDP_IO to be configured. @param[in] RemoteIp User-defined data when calling UdpIoCreateIo(). - + @retval EFI_SUCCESS The configuration is successful. @retval Others The configuration fails. @@ -340,16 +340,16 @@ ON_EXIT: /** Open and configure a UDPIO of Udp4 for IKE packet receiving. - - This function is called at the IPsecDriverBinding start. IPsec create a UDP4 and + + This function is called at the IPsecDriverBinding start. IPsec create a UDP4 and UDP4 IO for each NIC handle. - + @param[in] Private Point to IPSEC_PRIVATE_DATA @param[in] Controller Handler for NIC card. - + @retval EFI_SUCCESS The Operation is successful. @retval EFI_OUT_OF_RESOURCE The required system resource can't be allocated. - + **/ EFI_STATUS IkeOpenInputUdp4 ( @@ -411,16 +411,16 @@ IkeOpenInputUdp4 ( /** Open and configure a UDPIO of Udp6 for IKE packet receiving. - + This function is called at the IPsecDriverBinding start. IPsec create a UDP6 and UDP6 IO for each NIC handle. - + @param[in] Private Point to IPSEC_PRIVATE_DATA @param[in] Controller Handler for NIC card. - + @retval EFI_SUCCESS The Operation is successful. @retval EFI_OUT_OF_RESOURCE The required system resource can't be allocated. - + **/ EFI_STATUS IkeOpenInputUdp6 ( @@ -479,18 +479,18 @@ IkeOpenInputUdp6 ( /** The general interface of starting IPsec Key Exchange. - + This function is called when a IKE negotiation to start getting a Key. - - @param[in] UdpService Point to IKE_UDP_SERVICE which will be used for + + @param[in] UdpService Point to IKE_UDP_SERVICE which will be used for IKE packet sending. @param[in] SpdEntry Point to the SPD entry related to the IKE negotiation. @param[in] RemoteIp Point to EFI_IP_ADDRESS related to the IKE negotiation. - + @retval EFI_SUCCESS The Operation is successful. @retval EFI_ACCESS_DENIED No related PAD entry was found. @retval EFI_INVALID_PARAMETER The IKE version is not supported. - + **/ EFI_STATUS IkeNegotiate ( @@ -519,8 +519,8 @@ IkeNegotiate ( } // // Try to find the IKE SA session in the IKEv1 and IKEv2 established SA session list. - // - IkeSaSession = (UINT8 *) Ikev2SaSessionLookup (&Private->Ikev2EstablishedList, RemoteIp); + // + IkeSaSession = (UINT8 *) Ikev2SaSessionLookup (&Private->Ikev2EstablishedList, RemoteIp); if (IkeSaSession == NULL) { @@ -551,7 +551,7 @@ IkeNegotiate ( if (IkeVersion != 2) { return EFI_INVALID_PARAMETER; } - + Exchange = mIkeExchange[IkeVersion - 1]; // // Start the quick mode stage to negotiate child SA. @@ -564,15 +564,15 @@ IkeNegotiate ( /** The generic interface when receive a IKE packet. - + This function is called when UDP IO receives a IKE packet. - + @param[in] Packet Point to received IKE packet. - @param[in] EndPoint Point to UDP_END_POINT which contains the information of + @param[in] EndPoint Point to UDP_END_POINT which contains the information of Remote IP and Port. @param[in] IoStatus The Status of Recieve Token. @param[in] Context Point to data passed from the caller. - + **/ VOID EFIAPI @@ -687,17 +687,19 @@ ON_EXIT: /** Delete all established IKE SAs and related Child SAs. - - This function is the subfunction of the IpSecCleanupAllSa(). It first calls - IkeDeleteChildSa() to delete all Child SAs then send out the related + + This function is the subfunction of the IpSecCleanupAllSa(). It first calls + IkeDeleteChildSa() to delete all Child SAs then send out the related Information packet. - @param[in] Private Pointer of the IPSEC_PRIVATE_DATA + @param[in] Private Pointer of the IPSEC_PRIVATE_DATA + @param[in] IsDisableIPsec Indicate whether needs to disable IPsec. **/ VOID IkeDeleteAllSas ( - IN IPSEC_PRIVATE_DATA *Private + IN IPSEC_PRIVATE_DATA *Private, + IN BOOLEAN IsDisableIpsec ) { LIST_ENTRY *Entry; @@ -719,17 +721,17 @@ IkeDeleteAllSas ( // if (!IsListEmpty (&Private->Ikev2SessionList)) { NET_LIST_FOR_EACH_SAFE (Entry, NextEntry, &Private->Ikev2SessionList) { - Ikev2SaSession = IKEV2_SA_SESSION_BY_SESSION (Entry); + Ikev2SaSession = IKEV2_SA_SESSION_BY_SESSION (Entry); RemoveEntryList (Entry); Ikev2SaSessionFree (Ikev2SaSession); } } - + // // If there is no existing established IKE SA, set the Ipsec DisableFlag to TRUE // and turn off the IsIPsecDisabling flag. // - if (IsListEmpty (&Private->Ikev2EstablishedList)) { + if (IsListEmpty (&Private->Ikev2EstablishedList) && IsDisableIpsec) { Value = IPSEC_STATUS_DISABLED; Status = gRT->SetVariable ( IPSECCONFIG_STATUS_NAME, @@ -752,7 +754,7 @@ IkeDeleteAllSas ( for (Entry = Private->Ikev2EstablishedList.ForwardLink; Entry != &Private->Ikev2EstablishedList;) { Ikev2SaSession = IKEV2_SA_SESSION_BY_SESSION (Entry); Entry = Entry->ForwardLink; - + Ikev2SaSession->SessionCommon.State = IkeStateSaDeleting; // @@ -762,10 +764,10 @@ IkeDeleteAllSas ( if (IkeVersion == 2) { Exchange = mIkeExchange[IkeVersion - 1]; Exchange->NegotiateInfo((UINT8*)Ikev2SaSession, NULL); - } + } } } - + } diff --git a/NetworkPkg/IpSecDxe/IkeService.h b/NetworkPkg/IpSecDxe/IkeService.h index 215fb93fdd..d1ac103dd4 100644 --- a/NetworkPkg/IpSecDxe/IkeService.h +++ b/NetworkPkg/IpSecDxe/IkeService.h @@ -1,6 +1,6 @@ /** @file Prototypes definitions of IKE service. - + Copyright (c) 2010 - 2011, Intel Corporation. All rights reserved.
This program and the accompanying materials @@ -44,7 +44,7 @@ EFI_STATUS ); /** - This is prototype definition fo general interface to start a IKE negotiation at Quick Mode. + This is prototype definition fo general interface to start a IKE negotiation at Quick Mode. This function will be called when the related IKE SA is existed and start to create a Child SA. @@ -81,7 +81,7 @@ EFI_STATUS ); /** - This is prototype definition of the general interface when recived a IKE Pakcet + This is prototype definition of the general interface when recived a IKE Pakcet for the IKE SA establishing. @param[in] UdpService Point to UDP service used to send IKE Packet. @@ -97,8 +97,8 @@ VOID /** This is prototyp definition of the general interface when recived a IKE Packet - xfor the Child SA establishing. - + xfor the Child SA establishing. + @param[in] UdpService Point to UDP service used to send IKE packet. @param[in] IkePacket Point to received IKE packet. @@ -111,7 +111,7 @@ VOID ); /** - This is prototype definition of the general interface when received a IKE + This is prototype definition of the general interface when received a IKE information Packet. @param[in] UdpService Point to UDP service used to send IKE packet. @@ -137,16 +137,16 @@ typedef struct _IKE_EXCHANGE_INTERFACE { /** Open and configure a UDPIO of Udp4 for IKE packet receiving. - - This function is called at the IPsecDriverBinding start. IPsec create a UDP4 and + + This function is called at the IPsecDriverBinding start. IPsec create a UDP4 and a UDP4 IO for each NIC handle. - + @param[in] Private Point to IPSEC_PRIVATE_DATA @param[in] Controller Handler for NIC card. - + @retval EFI_SUCCESS The Operation is successful. @retval EFI_OUT_OF_RESOURCE The required system resource can't be allocated. - + **/ EFI_STATUS IkeOpenInputUdp4 ( @@ -156,16 +156,16 @@ IkeOpenInputUdp4 ( /** Open and configure a UDPIO of Udp6 for IKE packet receiving. - + This function is called at the IPsecDriverBinding start. IPsec create a UDP6 and UDP6 IO for each NIC handle. - + @param[in] Private Point to IPSEC_PRIVATE_DATA @param[in] Controller Handler for NIC card. - + @retval EFI_SUCCESS The Operation is successful. @retval EFI_OUT_OF_RESOURCE The required system resource can't be allocated. - + **/ EFI_STATUS IkeOpenInputUdp6 ( @@ -175,17 +175,17 @@ IkeOpenInputUdp6 ( /** The general interface of starting IPsec Key Exchange. - + This function is called when start a IKE negotiation to get a Key. - - @param[in] UdpService Point to IKE_UDP_SERVICE which will be used for + + @param[in] UdpService Point to IKE_UDP_SERVICE which will be used for IKE packet sending. @param[in] SpdEntry Point to the SPD entry related to the IKE negotiation. @param[in] RemoteIp Point to EFI_IP_ADDRESS related to the IKE negotiation. - + @retval EFI_SUCCESS The Operation is successful. @retval EFI_ACCESS_DENIED No related PAD entry was found. - + **/ EFI_STATUS IkeNegotiate ( @@ -196,15 +196,15 @@ IkeNegotiate ( /** The general interface when receive a IKE packet. - + This function is called when UDP IO receives a IKE packet. - + @param[in] Packet Point to received IKE packet. - @param[in] EndPoint Point to UDP_END_POINT which contains the information of + @param[in] EndPoint Point to UDP_END_POINT which contains the information of Remote IP and Port. @param[in] IoStatus The Status of Recieve Token. @param[in] Context Point to data passed from the caller. - + **/ VOID EFIAPI @@ -235,17 +235,19 @@ IkeLookupUdp ( /** Delete all established IKE SAs and related Child SAs. - - This function is the subfunction of the IpSecCleanupAllSa(). It first calls - IkeDeleteChildSa() to delete all Child SAs then send out the related + + This function is the subfunction of the IpSecCleanupAllSa(). It first calls + IkeDeleteChildSa() to delete all Child SAs then send out the related Information packet. - @param[in] Private Pointer of the IPSEC_PRIVATE_DATA. + @param[in] Private Pointer of the IPSEC_PRIVATE_DATA. + @param[in] IsDisableIPsec Indicate whether needs to disable IPsec. **/ VOID IkeDeleteAllSas ( - IN IPSEC_PRIVATE_DATA *Private + IN IPSEC_PRIVATE_DATA *Private, + IN BOOLEAN IsDisableIpsec ); diff --git a/NetworkPkg/IpSecDxe/Ikev2/Exchange.c b/NetworkPkg/IpSecDxe/Ikev2/Exchange.c index 94bdd86d90..ffa53824d0 100644 --- a/NetworkPkg/IpSecDxe/Ikev2/Exchange.c +++ b/NetworkPkg/IpSecDxe/Ikev2/Exchange.c @@ -1,7 +1,7 @@ /** @file The general interfaces of the IKEv2. - Copyright (c) 2010, Intel Corporation. All rights reserved.
+ Copyright (c) 2010 - 2011, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License @@ -46,7 +46,7 @@ Ikev2NegotiateSa ( IKEV2_PACKET_HANDLER Handler; IKE_PACKET *IkePacket; EFI_STATUS Status; - + if (UdpService == NULL || RemoteIp == NULL) { return EFI_INVALID_PARAMETER; } @@ -66,7 +66,7 @@ Ikev2NegotiateSa ( // return EFI_SUCCESS; } - + // // Create a new IkeSaSession and initiate the common parameters. // @@ -79,7 +79,7 @@ Ikev2NegotiateSa ( // Set the specific parameters and state(IKE_STATE_INIT). // IkeSaSession->Spd = SpdEntry; - IkeSaSession->Pad = PadEntry; + IkeSaSession->Pad = PadEntry; SessionCommon = &IkeSaSession->SessionCommon; SessionCommon->IsInitiator = TRUE; SessionCommon->State = IkeStateInit; @@ -88,13 +88,13 @@ Ikev2NegotiateSa ( // to support it. // SessionCommon->PreferDhGroup = IKEV2_TRANSFORM_ID_DH_1024MODP; - + CopyMem ( &SessionCommon->RemotePeerIp, RemoteIp, sizeof (EFI_IP_ADDRESS) ); - + CopyMem ( &SessionCommon->LocalPeerIp, &UdpService->DefaultAddress, @@ -147,15 +147,15 @@ ON_ERROR: /** It is general interface to negotiate the Child SA. - There are three situations which will invoke this function. First, create a CHILD - SA if the input Context is NULL. Second, rekeying the existing IKE SA if the Context - is a IKEv2_SA_SESSION. Third, rekeying the existing CHILD SA if the context is a + There are three situations which will invoke this function. First, create a CHILD + SA if the input Context is NULL. Second, rekeying the existing IKE SA if the Context + is a IKEv2_SA_SESSION. Third, rekeying the existing CHILD SA if the context is a IKEv2_CHILD_SA_SESSION. @param[in] IkeSaSession Pointer to IKEv2_SA_SESSION related to this operation. @param[in] SpdEntry Pointer to IPSEC_SPD_ENTRY related to this operation. @param[in] Context The data pass from the caller. - + @retval EFI_SUCCESS The operation is successful. @retval EFI_OUT_OF_RESOURCES The required system resource can't be allocated. @retval EFI_UNSUPPORTED The condition is not support yet. @@ -239,7 +239,7 @@ Ikev2NegotiateChildSa ( if (EFI_ERROR (Status)) { goto ON_ERROR; } - + // // Insert the ChildSaSession into processing child SA list. // @@ -278,8 +278,8 @@ ON_ERROR: It is general interface to start the Information Exchange. There are three situations which will invoke this function. First, deliver a Delete Information - to delete the IKE SA if the input Context is NULL and the state of related IkeSaSeesion's is on - deleting.Second, deliver a Notify Information without the contents if the input Context is NULL. + to delete the IKE SA if the input Context is NULL and the state of related IkeSaSeesion's is on + deleting.Second, deliver a Notify Information without the contents if the input Context is NULL. Third, deliver a Notify Information if the input Context is not NULL. @param[in] IkeSaSession Pointer to IKEv2_SA_SESSION related to this operation. @@ -297,7 +297,7 @@ Ikev2NegotiateInfo ( IN UINT8 *Context ) { - + EFI_STATUS Status; IKEV2_SA_SESSION *Ikev2SaSession; IKEV2_CHILD_SA_SESSION *ChildSaSession; @@ -318,11 +318,6 @@ Ikev2NegotiateInfo ( // if (Ikev2SaSession->SessionCommon.State == IkeStateSaDeleting && Context == NULL) { - // - // The IKE SA Session should be initiator if it triggers the deleting. - // - Ikev2SaSession->SessionCommon.IsInitiator = TRUE; - // // Generate Information Packet which contains the Delete Payload. // @@ -335,10 +330,12 @@ Ikev2NegotiateInfo ( // // Send out the Packet // - Status = Ikev2SendIkePacket (UdpService, (UINT8 *) SaCommon, IkePacket, 0); + if (UdpService != NULL) { + Status = Ikev2SendIkePacket (UdpService, (UINT8 *) SaCommon, IkePacket, 0); - if (EFI_ERROR (Status)) { - goto ON_ERROR; + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } } } else if (!IsListEmpty (&Ikev2SaSession->DeleteSaList)) { // @@ -360,10 +357,12 @@ Ikev2NegotiateInfo ( // // Send out the Packet // - Status = Ikev2SendIkePacket (UdpService, (UINT8 *) &ChildSaSession->SessionCommon, IkePacket, 0); + if (UdpService != NULL) { + Status = Ikev2SendIkePacket (UdpService, (UINT8 *) &ChildSaSession->SessionCommon, IkePacket, 0); - if (EFI_ERROR (Status)) { - goto ON_ERROR; + if (EFI_ERROR (Status)) { + goto ON_ERROR; + } } } } else if (Context == NULL) { @@ -386,9 +385,9 @@ ON_ERROR: /** The general interface when received a IKEv2 packet for the IKE SA establishing. - This function first find the related IKE SA Session according to the IKE packet's + This function first find the related IKE SA Session according to the IKE packet's remote IP. Then call the corresponding function to handle this IKE packet according - to the related IKE SA Session's State. + to the related IKE SA Session's State. @param[in] UdpService Pointer of related UDP Service. @param[in] IkePacket Data passed by caller. @@ -411,13 +410,13 @@ Ikev2HandleSa ( IPSEC_PRIVATE_DATA *Private; BOOLEAN IsNewSession; - Private = (UdpService->IpVersion == IP_VERSION_4) ? + Private = (UdpService->IpVersion == IP_VERSION_4) ? IPSEC_PRIVATE_DATA_FROM_UDP4LIST(UdpService->ListHead) : IPSEC_PRIVATE_DATA_FROM_UDP6LIST(UdpService->ListHead); ChildSaSession = NULL; ChildSaCommon = NULL; - + // // Lookup the remote ip address in the processing IKE SA session list. // @@ -461,7 +460,7 @@ Ikev2HandleSa ( &UdpService->DefaultAddress, sizeof (EFI_IP_ADDRESS) ); - + IsNewSession = TRUE; } @@ -517,15 +516,15 @@ Ikev2HandleSa ( // // Generate a piggyback child SA in IKE_STATE_AUTH state. // - ASSERT (IsListEmpty (&IkeSaSession->ChildSaSessionList) && + ASSERT (IsListEmpty (&IkeSaSession->ChildSaSessionList) && IsListEmpty (&IkeSaSession->ChildSaEstablishSessionList)); - + ChildSaSession = Ikev2ChildSaSessionCreate (IkeSaSession, UdpService); ChildSaCommon = &ChildSaSession->SessionCommon; // // Initialize the SA data for Child SA. - // + // ChildSaSession->SaData = Ikev2InitializeSaData (ChildSaCommon); } @@ -570,7 +569,7 @@ Ikev2HandleSa ( // // Remove the Established Child SA Session from the IkeSaSession->ChildSaSessionList - // ,insert it into IkeSaSession->ChildSaEstablishSessionList and save this Child SA + // ,insert it into IkeSaSession->ChildSaEstablishSessionList and save this Child SA // into SAD. // ChildSaSession = IKEV2_CHILD_SA_SESSION_BY_IKE_SA (IkeSaSession->ChildSaSessionList.BackLink); @@ -610,12 +609,12 @@ ON_ERROR: /** - The general interface when received a IKEv2 packet for the IKE Child SA establishing + The general interface when received a IKEv2 packet for the IKE Child SA establishing or IKE SA/CHILD SA rekeying. - This function first find the related IKE SA Session according to the IKE packet's + This function first find the related IKE SA Session according to the IKE packet's remote IP. Then call the corresponding function to handle this IKE packet according - to the related IKE Child Session's State. + to the related IKE Child Session's State. @param[in] UdpService Pointer of related UDP Service. @param[in] IkePacket Data passed by caller. @@ -632,8 +631,8 @@ Ikev2HandleChildSa ( IKEV2_CREATE_CHILD_REQUEST_TYPE RequestType; IKE_PACKET *Reply; IPSEC_PRIVATE_DATA *Private; - - Private = (UdpService->IpVersion == IP_VERSION_4) ? + + Private = (UdpService->IpVersion == IP_VERSION_4) ? IPSEC_PRIVATE_DATA_FROM_UDP4LIST(UdpService->ListHead) : IPSEC_PRIVATE_DATA_FROM_UDP6LIST(UdpService->ListHead); @@ -671,20 +670,20 @@ Ikev2HandleChildSa ( // // Get the request type: CreateChildSa/RekeyChildSa/RekeyIkeSa. - // + // RequestType = Ikev2ChildExchangeRequestType (IkePacket); switch (RequestType) { case IkeRequestTypeCreateChildSa: - case IkeRequestTypeRekeyChildSa: - case IkeRequestTypeRekeyIkeSa: + case IkeRequestTypeRekeyChildSa: + case IkeRequestTypeRekeyIkeSa: // // Parse the IKE request packet. Not support CREATE_CHILD_SA exchange yet, so - // only EFI_UNSUPPORTED will be returned and that will trigger a reply with a + // only EFI_UNSUPPORTED will be returned and that will trigger a reply with a // Notify payload of type NO_ADDITIONAL_SAS. // Status = mIkev2CreateChild.Parser ((UINT8 *) IkeSaSession, IkePacket); - if (EFI_ERROR (Status)) { + if (EFI_ERROR (Status)) { goto ON_REPLY; } @@ -694,7 +693,7 @@ Ikev2HandleChildSa ( // return ; } - + ON_REPLY: // // Generate the reply packet if needed and send it out. @@ -712,15 +711,15 @@ ON_REPLY: } } } - } + } return ; } /** It is general interface to handle IKEv2 information Exchange. - - @param[in] UdpService Point to IKE UPD Service related to this information exchange. + + @param[in] UdpService Point to IKE UPD Service related to this information exchange. @param[in] IkePacket The IKE packet to be parsed. **/ @@ -735,15 +734,15 @@ Ikev2HandleInfo ( IKEV2_SA_SESSION *IkeSaSession; IPSEC_PRIVATE_DATA *Private; - Private = (UdpService->IpVersion == IP_VERSION_4) ? - IPSEC_PRIVATE_DATA_FROM_UDP4LIST(UdpService->ListHead) : + Private = (UdpService->IpVersion == IP_VERSION_4) ? + IPSEC_PRIVATE_DATA_FROM_UDP4LIST(UdpService->ListHead) : IPSEC_PRIVATE_DATA_FROM_UDP6LIST(UdpService->ListHead); // // Lookup the remote ip address in the processing IKE SA session list. // IkeSaSession = Ikev2SaSessionLookup (&Private->Ikev2EstablishedList, &IkePacket->RemotePeerIp); - + if (IkeSaSession == NULL) { // // Drop the packet if no IKE SA associated. @@ -754,12 +753,12 @@ Ikev2HandleInfo ( // Validate the IKE packet header. // if (!Ikev2ValidateHeader (IkeSaSession, IkePacket->Header)) { - + // // Drop the packet if invalid IKE header. // return; - } + } SessionCommon = &IkeSaSession->SessionCommon; @@ -778,7 +777,7 @@ Ikev2HandleInfo ( // Drop the packet if fail to parse. // return; - } + } } IKE_EXCHANGE_INTERFACE mIkev1Exchange = { diff --git a/NetworkPkg/IpSecDxe/Ikev2/Payload.c b/NetworkPkg/IpSecDxe/Ikev2/Payload.c index 333074d260..c1e134804c 100644 --- a/NetworkPkg/IpSecDxe/Ikev2/Payload.c +++ b/NetworkPkg/IpSecDxe/Ikev2/Payload.c @@ -19,10 +19,10 @@ #include "IpSecCryptIo.h" // -// The Constant String of "Key Pad for IKEv2" for Authentication Payload generation. +// The Constant String of "Key Pad for IKEv2" for Authentication Payload generation. // #define CONSTANT_KEY_SIZE 17 -GLOBAL_REMOVE_IF_UNREFERENCED CHAR8 mConstantKey[CONSTANT_KEY_SIZE] = +GLOBAL_REMOVE_IF_UNREFERENCED CHAR8 mConstantKey[CONSTANT_KEY_SIZE] = { 'K', 'e', 'y', ' ', 'P', 'a', 'd', ' ', 'f', 'o', 'r', ' ', 'I', 'K', 'E', 'v', '2' }; @@ -31,13 +31,13 @@ GLOBAL_REMOVE_IF_UNREFERENCED CHAR8 mConstantKey[CONSTANT_KEY_SIZE] = Generate Ikev2 SA payload according to SessionSaData @param[in] SessionSaData The data used in SA payload. - @param[in] NextPayload The payload type presented in NextPayload field of + @param[in] NextPayload The payload type presented in NextPayload field of SA Payload header. @param[in] Type The SA type. It MUST be neither (1) for IKE_SA or (2) for CHILD_SA or (3) for INFO. @retval a Pointer to SA IKE payload. - + **/ IKE_PAYLOAD * Ikev2GenerateSaPayload ( @@ -56,16 +56,16 @@ Ikev2GenerateSaPayload ( // TODO: Get the Proposal Number and Transform Number from IPsec Config, // after the Ipsecconfig Application is support it. // - + if (Type == IkeSessionTypeIkeSa) { - SaDataSize = sizeof (IKEV2_SA_DATA) + + SaDataSize = sizeof (IKEV2_SA_DATA) + SessionSaData->NumProposals * sizeof (IKEV2_PROPOSAL_DATA) + sizeof (IKEV2_TRANSFORM_DATA) * SessionSaData->NumProposals * 4; } else { - SaDataSize = sizeof (IKEV2_SA_DATA) + + SaDataSize = sizeof (IKEV2_SA_DATA) + SessionSaData->NumProposals * sizeof (IKEV2_PROPOSAL_DATA) + sizeof (IKEV2_TRANSFORM_DATA) * SessionSaData->NumProposals * 3; - + } SaData = AllocateZeroPool (SaDataSize); @@ -82,10 +82,10 @@ Ikev2GenerateSaPayload ( /** Generate a Nonce payload containing the input parameter NonceBuf. - @param[in] NonceBuf The nonce buffer contains the whole Nonce payload block + @param[in] NonceBuf The nonce buffer contains the whole Nonce payload block except the payload header. @param[in] NonceSize The buffer size of the NonceBuf - @param[in] NextPayload The payload type presented in the NextPayload field + @param[in] NextPayload The payload type presented in the NextPayload field of Nonce Payload header. @retval Pointer to Nonce IKE paload. @@ -133,11 +133,11 @@ Ikev2GenerateNoncePayload ( } /** - Generate a Key Exchange payload according to the DH group type and save the + Generate a Key Exchange payload according to the DH group type and save the public Key into IkeSaSession IkeKey field. @param[in, out] IkeSaSession Pointer of the IKE_SA_SESSION. - @param[in] NextPayload The payload type presented in the NextPayload field of Key + @param[in] NextPayload The payload type presented in the NextPayload field of Key Exchange Payload header. @retval Pointer to Key IKE payload. @@ -174,7 +174,7 @@ Ikev2GenerateKePayload ( } else { KeSize = sizeof (IKEV2_KEY_EXCHANGE) + IkeKeys->DhBuffer->GxSize; } - + // // Allocate buffer for Key Exchange // @@ -186,13 +186,13 @@ Ikev2GenerateKePayload ( Ke->DhGroup = IkeSaSession->SessionCommon.PreferDhGroup; CopyMem (Ke + 1, IkeKeys->DhBuffer->GxBuffer, IkeKeys->DhBuffer->GxSize); - + + // + // Create IKE_PAYLOAD to point to Key Exchange payload // - // Create IKE_PAYLOAD to point to Key Exchange payload - // KePayload = IkePayloadAlloc (); ASSERT (KePayload != NULL); - + KePayload->PayloadType = IKEV2_PAYLOAD_TYPE_KE; KePayload->PayloadBuf = (UINT8 *) Ke; KePayload->PayloadSize = KeSize; @@ -203,7 +203,7 @@ Ikev2GenerateKePayload ( Generate a ID payload. @param[in] CommonSession Pointer to IKEV2_SESSION_COMMON related to ID payload. - @param[in] NextPayload The payload type presented in the NextPayload field + @param[in] NextPayload The payload type presented in the NextPayload field of ID Payload header. @retval Pointer to ID IKE payload. @@ -234,7 +234,7 @@ Ikev2GenerateIdPayload ( // ! ! // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ // - + IpVersion = CommonSession->UdpService->IpVersion; AddrSize = (UINT8) ((IpVersion == IP_VERSION_4) ? sizeof(EFI_IPv4_ADDRESS) : sizeof(EFI_IPv6_ADDRESS)); IdSize = sizeof (IKEV2_ID) + AddrSize; @@ -250,7 +250,7 @@ Ikev2GenerateIdPayload ( IdPayload->PayloadSize = IdSize; // - // Set generic header of identification payload + // Set generic header of identification payload // Id->Header.NextPayload = NextPayload; Id->Header.PayloadLength = (UINT16) IdSize; @@ -264,7 +264,7 @@ Ikev2GenerateIdPayload ( Generate a ID payload. @param[in] CommonSession Pointer to IKEV2_SESSION_COMMON related to ID payload. - @param[in] NextPayload The payload type presented in the NextPayload field + @param[in] NextPayload The payload type presented in the NextPayload field of ID Payload header. @param[in] InCert Pointer to the Certificate which distinguished name will be added into the Id payload. @@ -287,7 +287,7 @@ Ikev2GenerateCertIdPayload ( UINT8 IpVersion; UINTN SubjectSize; UINT8 *CertSubject; - + // // ID payload // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 @@ -328,7 +328,7 @@ Ikev2GenerateCertIdPayload ( IdPayload->PayloadSize = IdSize; // - // Set generic header of identification payload + // Set generic header of identification payload // Id->Header.NextPayload = NextPayload; Id->Header.PayloadLength = (UINT16) IdSize; @@ -344,15 +344,15 @@ Ikev2GenerateCertIdPayload ( /** Generate a Authentication Payload. - This function is used for both Authentication generation and verification. When the - IsVerify is TRUE, it create a Auth Data for verification. This function choose the + This function is used for both Authentication generation and verification. When the + IsVerify is TRUE, it create a Auth Data for verification. This function choose the related IKE_SA_INIT Message for Auth data creation according to the IKE Session's type and the value of IsVerify parameter. @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION related to. - @param[in] IdPayload Pointer to the ID payload to be used for Authentication + @param[in] IdPayload Pointer to the ID payload to be used for Authentication payload generation. - @param[in] NextPayload The type filled into the Authentication Payload next + @param[in] NextPayload The type filled into the Authentication Payload next payload field. @param[in] IsVerify If it is TURE, the Authentication payload is used for verification. @@ -392,11 +392,11 @@ Ikev2PskGenerateAuthPayload ( // ! ! // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ // - + KeyBuf = NULL; AuthPayload = NULL; Digest = NULL; - + DigestSize = IpSecGetHmacDigestLength ((UINT8)IkeSaSession->SessionCommon.SaParams->Prf); Digest = AllocateZeroPool (DigestSize); @@ -415,7 +415,7 @@ Ikev2PskGenerateAuthPayload ( Status = IpSecCryptoIoHmac ( (UINT8)IkeSaSession->SessionCommon.SaParams->Prf, IkeSaSession->Pad->Data->AuthData, - IkeSaSession->Pad->Data->AuthDataSize, + IkeSaSession->Pad->Data->AuthDataSize, (HASH_DATA_FRAGMENT *)Fragments, 1, Digest, @@ -485,7 +485,7 @@ Ikev2PskGenerateAuthPayload ( // // Copy the result of Prf(SK_Pr, IDi/r) to Fragments[2]. - // + // Fragments[2].Data = AllocateZeroPool (DigestSize); Fragments[2].DataSize = DigestSize; CopyMem (Fragments[2].Data, Digest, DigestSize); @@ -542,7 +542,7 @@ Ikev2PskGenerateAuthPayload ( Digest, DigestSize ); - + // // Fill in IKE_PACKET // @@ -559,7 +559,7 @@ EXIT: if (Fragments[2].Data != NULL) { // // Free the buffer which contains the result of Prf(SK_Pr, IDi/r) - // + // FreePool (Fragments[2].Data); } @@ -574,26 +574,26 @@ EXIT: } /** - Generate a Authentication Payload for Certificate Auth method. + Generate a Authentication Payload for Certificate Auth method. - This function has two functions. One is creating a local Authentication - Payload for sending and other is creating the remote Authentication data + This function has two functions. One is creating a local Authentication + Payload for sending and other is creating the remote Authentication data for verification when the IsVerify is TURE. @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION related to. - @param[in] IdPayload Pointer to the ID payload to be used for Authentication + @param[in] IdPayload Pointer to the ID payload to be used for Authentication payload generation. - @param[in] NextPayload The type filled into the Authentication Payload + @param[in] NextPayload The type filled into the Authentication Payload next payload field. - @param[in] IsVerify If it is TURE, the Authentication payload is used + @param[in] IsVerify If it is TURE, the Authentication payload is used for verification. - @param[in] UefiPrivateKey Pointer to the UEFI private key. Ignore it when + @param[in] UefiPrivateKey Pointer to the UEFI private key. Ignore it when verify the authenticate payload. - @param[in] UefiPrivateKeyLen The size of UefiPrivateKey in bytes. Ignore it + @param[in] UefiPrivateKeyLen The size of UefiPrivateKey in bytes. Ignore it when verify the authenticate payload. - @param[in] UefiKeyPwd Pointer to the password of UEFI private key. + @param[in] UefiKeyPwd Pointer to the password of UEFI private key. Ignore it when verify the authenticate payload. - @param[in] UefiKeyPwdLen The size of UefiKeyPwd in bytes.Ignore it when + @param[in] UefiKeyPwdLen The size of UefiKeyPwd in bytes.Ignore it when verify the authenticate payload. @return pointer to IKE Authentication payload for Cerifitcation method. @@ -722,10 +722,10 @@ Ikev2CertGenerateAuthPayload ( IpSecDumpBuf ("RealMessage1", Fragments[0].Data, Fragments[0].DataSize); IpSecDumpBuf ("NonceRDdata", Fragments[1].Data, Fragments[1].DataSize); } - + // // Copy the result of Prf(SK_Pr, IDi/r) to Fragments[2]. - // + // Fragments[2].Data = AllocateZeroPool (DigestSize); Fragments[2].DataSize = DigestSize; CopyMem (Fragments[2].Data, Digest, DigestSize); @@ -746,7 +746,7 @@ Ikev2CertGenerateAuthPayload ( IpSecDumpBuf ("HashSignedOctects", Digest, DigestSize); // - // Sign the data by the private Key + // Sign the data by the private Key // if (!IsVerify) { IpSecCryptoIoAuthDataWithCertificate ( @@ -820,7 +820,7 @@ EXIT: if (Fragments[2].Data != NULL) { // // Free the buffer which contains the result of Prf(SK_Pr, IDi/r) - // + // FreePool (Fragments[2].Data); } @@ -840,9 +840,9 @@ EXIT: This function generates TSi or TSr payload according to type of next payload. If the next payload is Responder TS, gereate TSi Payload. Otherwise, generate TSr payload. - + @param[in] ChildSa Pointer to IKEV2_CHILD_SA_SESSION related to this TS payload. - @param[in] NextPayload The payload type presented in the NextPayload field + @param[in] NextPayload The payload type presented in the NextPayload field of ID Payload header. @param[in] IsTunnel It indicates that if the Ts Payload is after the CP payload. If yes, it means the Tsi and Tsr payload should be with @@ -886,7 +886,7 @@ Ikev2GenerateTsPayload ( IpVersion = ChildSa->SessionCommon.UdpService->IpVersion; // - // The Starting Address and Ending Address is variable length depends on + // The Starting Address and Ending Address is variable length depends on // is IPv4 or IPv6 // AddrSize = (UINT8)((IpVersion == IP_VERSION_4) ? sizeof (EFI_IPv4_ADDRESS) : sizeof (EFI_IPv6_ADDRESS)); @@ -901,7 +901,7 @@ Ikev2GenerateTsPayload ( TsSelector->TSType = (UINT8)((IpVersion == IP_VERSION_4) ? IKEV2_TS_TYPE_IPV4_ADDR_RANGE : IKEV2_TS_TYPS_IPV6_ADDR_RANGE); // - // For tunnel mode + // For tunnel mode // if (IsTunnel) { TsSelector->IpProtocolId = IKEV2_TS_ANY_PROTOCOL; @@ -917,8 +917,8 @@ Ikev2GenerateTsPayload ( // if (NextPayload == IKEV2_PAYLOAD_TYPE_TS_RSP){ // - // Create initiator Traffic Selector - // + // Create initiator Traffic Selector + // TsSelector->SelecorLen = (UINT16)SelectorSize; // @@ -929,7 +929,7 @@ Ikev2GenerateTsPayload ( if (ChildSa->SessionCommon.IsInitiator) { if (ChildSa->Spd->Selector->LocalPort != 0 && ChildSa->Spd->Selector->LocalPortRange == 0) { - // + // // For not port range. // TsSelector->StartPort = ChildSa->Spd->Selector->LocalPort; @@ -947,7 +947,7 @@ Ikev2GenerateTsPayload ( goto ON_ERROR; } } else { - if (ChildSa->Spd->Selector->RemotePort != 0 && + if (ChildSa->Spd->Selector->RemotePort != 0 && ChildSa->Spd->Selector->RemotePortRange == 0) { // // For not port range. @@ -970,7 +970,7 @@ Ikev2GenerateTsPayload ( // // Copy Address.Currently the address range is not supported. // The Starting address is same as Ending address - // TODO: Support Address Range. + // TODO: Support Address Range. // CopyMem ( (UINT8*)TsSelector + sizeof(TRAFFIC_SELECTOR), @@ -993,9 +993,9 @@ Ikev2GenerateTsPayload ( }else{ // // Create responder Traffic Selector - // + // TsSelector->SelecorLen = (UINT16)SelectorSize; - + // // Currently only support the port range from 0~0xffff. Don't support other // port range. @@ -1045,7 +1045,7 @@ Ikev2GenerateTsPayload ( // // Copy Address.Currently the address range is not supported. // The Starting address is same as Ending address - // TODO: Support Address Range. + // TODO: Support Address Range. // CopyMem ( (UINT8*)TsSelector + sizeof(TRAFFIC_SELECTOR), @@ -1072,8 +1072,8 @@ Ikev2GenerateTsPayload ( TsSelector->IpProtocolId = (UINT8)ChildSa->Spd->Selector->NextLayerProtocol; } else { TsSelector->IpProtocolId = IKEV2_TS_ANY_PROTOCOL; - } - + } + TsPayloadBuf->Header.NextPayload = NextPayload; TsPayloadBuf->Header.PayloadLength = (UINT16)TsPayloadSize; TsPayloadBuf->TSNumbers = 1; @@ -1082,10 +1082,10 @@ Ikev2GenerateTsPayload ( ON_ERROR: if (TsPayload != NULL) { - IkePayloadFree (TsPayload); + IkePayloadFree (TsPayload); TsPayload = NULL; } -ON_EXIT: +ON_EXIT: return TsPayload; } @@ -1093,23 +1093,23 @@ ON_EXIT: Generate the Notify payload. Since the structure of Notify payload which defined in RFC 4306 is simple, so - there is no internal data structure for Notify payload. This function generate - Notify payload defined in RFC 4306, but all the fields in this payload are still - in host order and need call Ikev2EncodePayload() to convert those fields from + there is no internal data structure for Notify payload. This function generate + Notify payload defined in RFC 4306, but all the fields in this payload are still + in host order and need call Ikev2EncodePayload() to convert those fields from the host order to network order beforing sending it. @param[in] ProtocolId The protocol type ID. For IKE_SA it MUST be one (1). For IPsec SAs it MUST be neither (2) for AH or (3) for ESP. - @param[in] NextPayload The next paylaod type in NextPayload field of + @param[in] NextPayload The next paylaod type in NextPayload field of the Notify payload. - @param[in] SpiSize Size of the SPI in SPI size field of the Notify Payload. - @param[in] MessageType The message type in NotifyMessageType field of the + @param[in] SpiSize Size of the SPI in SPI size field of the Notify Payload. + @param[in] MessageType The message type in NotifyMessageType field of the Notify Payload. @param[in] SpiBuf Pointer to buffer contains the SPI value. @param[in] NotifyData Pointer to buffer contains the notification data. @param[in] NotifyDataSize The size of NotifyData in bytes. - + @retval Pointer to IKE Notify Payload. @@ -1190,14 +1190,14 @@ Ikev2GenerateNotifyPayload ( /** Generate the Delete payload. - Since the structure of Delete payload which defined in RFC 4306 is simple, - there is no internal data structure for Delete payload. This function generate - Delete payload defined in RFC 4306, but all the fields in this payload are still - in host order and need call Ikev2EncodePayload() to convert those fields from + Since the structure of Delete payload which defined in RFC 4306 is simple, + there is no internal data structure for Delete payload. This function generate + Delete payload defined in RFC 4306, but all the fields in this payload are still + in host order and need call Ikev2EncodePayload() to convert those fields from the host order to network order beforing sending it. @param[in] IkeSaSession Pointer to IKE SA Session to be used of Delete payload generation. - @param[in] NextPayload The next paylaod type in NextPayload field of + @param[in] NextPayload The next paylaod type in NextPayload field of the Delete payload. @param[in] SpiSize Size of the SPI in SPI size field of the Delete Payload. @param[in] SpiNum Number of SPI in NumofSPIs field of the Delete Payload. @@ -1213,7 +1213,7 @@ Ikev2GenerateDeletePayload ( IN UINT8 SpiSize, IN UINT16 SpiNum, IN UINT8 *SpiBuf - + ) { IKE_PAYLOAD *DelPayload; @@ -1237,12 +1237,12 @@ Ikev2GenerateDeletePayload ( if (SpiBufSize != 0 && SpiBuf == NULL) { return NULL; } - + DelPayloadLen = (UINT16) (sizeof (IKEV2_DELETE) + SpiBufSize); Del = AllocateZeroPool (DelPayloadLen); ASSERT (Del != NULL); - + // // Set Delete Payload's Generic Header // @@ -1275,13 +1275,13 @@ Ikev2GenerateDeletePayload ( /** Generate the Configuration payload. - This function generate configuration payload defined in RFC 4306, but all the - fields in this payload are still in host order and need call Ikev2EncodePayload() + This function generate configuration payload defined in RFC 4306, but all the + fields in this payload are still in host order and need call Ikev2EncodePayload() to convert those fields from the host order to network order beforing sending it. - @param[in] IkeSaSession Pointer to IKE SA Session to be used for Delete payload + @param[in] IkeSaSession Pointer to IKE SA Session to be used for Delete payload generation. - @param[in] NextPayload The next paylaod type in NextPayload field of + @param[in] NextPayload The next paylaod type in NextPayload field of the Delete payload. @param[in] CfgType The attribute type in the Configuration attribute. @@ -1323,8 +1323,8 @@ Ikev2GenerateCpPayload ( CfgAttributes = (IKEV2_CFG_ATTRIBUTES *)((UINT8 *)Cfg + sizeof (IKEV2_CFG)); // - // Only generate the configuration payload with an empty INTERNAL_IP4_ADDRESS - // or INTERNAL_IP6_ADDRESS. + // Only generate the configuration payload with an empty INTERNAL_IP4_ADDRESS + // or INTERNAL_IP6_ADDRESS. // Cfg->Header.NextPayload = NextPayload; @@ -1355,7 +1355,7 @@ Ikev2GenerateCpPayload ( IPSEC_PROTO_ISAKMP or if the SpiSize is not zero or if the MessageType is not the COOKIE, return EFI_INVALID_PARAMETER. - @param[in] IkeNCookie Pointer to the IKE_PAYLOAD which contians the + @param[in] IkeNCookie Pointer to the IKE_PAYLOAD which contians the Notify Cookie payload. the Notify payload. @param[in, out] IkeSaSession Pointer to the relevant IKE SA Session. @@ -1369,14 +1369,14 @@ EFI_STATUS Ikev2ParserNotifyCookiePayload ( IN IKE_PAYLOAD *IkeNCookie, IN OUT IKEV2_SA_SESSION *IkeSaSession - ) + ) { IKEV2_NOTIFY *NotifyPayload; UINTN NotifyDataSize; NotifyPayload = (IKEV2_NOTIFY *)IkeNCookie->PayloadBuf; - if ((NotifyPayload->ProtocolId != IPSEC_PROTO_ISAKMP) || + if ((NotifyPayload->ProtocolId != IPSEC_PROTO_ISAKMP) || (NotifyPayload->SpiSize != 0) || (NotifyPayload->MessageType != IKEV2_NOTIFICATION_COOKIE) ) { @@ -1392,8 +1392,8 @@ Ikev2ParserNotifyCookiePayload ( IkeSaSession->NCookieSize = NotifyDataSize; CopyMem ( - IkeSaSession->NCookie, - NotifyPayload + sizeof (IKEV2_NOTIFY), + IkeSaSession->NCookie, + NotifyPayload + sizeof (IKEV2_NOTIFY), NotifyDataSize ); @@ -1404,16 +1404,16 @@ Ikev2ParserNotifyCookiePayload ( /** Generate the Certificate payload or Certificate Request Payload. - Since the Certificate Payload structure is same with Certificate Request Payload, + Since the Certificate Payload structure is same with Certificate Request Payload, the only difference is that one contains the Certificate Data, other contains - the acceptable certificateion CA. This function generate Certificate payload - or Certificate Request Payload defined in RFC 4306, but all the fields - in the payload are still in host order and need call Ikev2EncodePayload() + the acceptable certificateion CA. This function generate Certificate payload + or Certificate Request Payload defined in RFC 4306, but all the fields + in the payload are still in host order and need call Ikev2EncodePayload() to convert those fields from the host order to network order beforing sending it. - @param[in] IkeSaSession Pointer to IKE SA Session to be used of Delete payload + @param[in] IkeSaSession Pointer to IKE SA Session to be used of Delete payload generation. - @param[in] NextPayload The next paylaod type in NextPayload field of + @param[in] NextPayload The next paylaod type in NextPayload field of the Delete payload. @param[in] Certificate Pointer of buffer contains the certification data. @param[in] CertificateLen The length of Certificate in byte. @@ -1462,7 +1462,7 @@ Ikev2GenerateCertificatePayload ( Status = EFI_SUCCESS; PublicKey = NULL; - PublicKeyLen = 0; + PublicKeyLen = 0; if (!IsRequest) { PayloadLen = (UINT16) (sizeof (IKEV2_CERT) + CertificateLen); @@ -1477,7 +1477,7 @@ Ikev2GenerateCertificatePayload ( if (Cert == NULL) { return NULL; } - + // // Generate Certificate Payload or Certificate Request Payload. // @@ -1498,7 +1498,7 @@ Ikev2GenerateCertificatePayload ( &PublicKeyLen ); if (EFI_ERROR (Status)) { - goto ON_EXIT; + goto ON_EXIT; } Fragment[0].Data = PublicKey; @@ -1508,7 +1508,7 @@ Ikev2GenerateCertificatePayload ( if (HashData == NULL) { goto ON_EXIT; } - + Status = IpSecCryptoIoHash ( IKE_AALG_SHA1HMAC, Fragment, @@ -1519,7 +1519,7 @@ Ikev2GenerateCertificatePayload ( if (EFI_ERROR (Status)) { goto ON_EXIT; } - + CopyMem ( ((UINT8 *)Cert) + sizeof (IKEV2_CERT), HashData, @@ -1531,7 +1531,7 @@ Ikev2GenerateCertificatePayload ( if (CertPayload == NULL) { goto ON_EXIT; } - + if (!IsRequest) { CertPayload->PayloadType = IKEV2_PAYLOAD_TYPE_CERT; } else { @@ -1583,7 +1583,7 @@ ClearAllPayloads ( @param[in] SaData Pointer to IKEV2_SA_DATA to be transfered. @retval return the pointer of IKEV2_SA. - + **/ IKEV2_SA* Ikev2EncodeSa ( @@ -1605,10 +1605,8 @@ Ikev2EncodeSa ( UINTN TransformIndex; IKE_SA_ATTRIBUTE *SaAttribute; IKEV2_PROPOSAL *Proposal; - IKEV2_PROPOSAL *LastProposal; IKEV2_TRANSFORM *Transform; - IKEV2_TRANSFORM *LastTransform; - + // // Transform IKE_SA_DATA structure to IKE_SA Payload. // Header length is host order. @@ -1635,7 +1633,6 @@ Ikev2EncodeSa ( CopyMem (Sa, SaData, sizeof (IKEV2_SA)); Sa->Header.PayloadLength = (UINT16) sizeof (IKEV2_SA); ProposalsSize = 0; - LastProposal = NULL; Proposal = (IKEV2_PROPOSAL *) (Sa + 1); // @@ -1655,7 +1652,6 @@ Ikev2EncodeSa ( } TransformsSize = 0; - LastTransform = NULL; Transform = (IKEV2_TRANSFORM *) ((UINT8 *) (Proposal + 1) + Proposal->SpiSize); // @@ -1690,17 +1686,17 @@ Ikev2EncodeSa ( TransformSize = sizeof (IKEV2_TRANSFORM) + SaAttrsSize; TransformsSize += TransformSize; - + Transform->Header.NextPayload = IKE_TRANSFORM_NEXT_PAYLOAD_MORE; Transform->Header.PayloadLength = HTONS ((UINT16)TransformSize); - - if (TransformIndex == ProposalData->NumTransforms) { - LastTransform->Header.NextPayload = IKE_TRANSFORM_NEXT_PAYLOAD_NONE; + + if (TransformIndex == (UINTN)(ProposalData->NumTransforms - 1)) { + Transform->Header.NextPayload = IKE_TRANSFORM_NEXT_PAYLOAD_NONE; } Transform = (IKEV2_TRANSFORM *)((UINT8 *) Transform + TransformSize); } - + // // Set Proposal's Generic Header. // @@ -1708,9 +1704,9 @@ Ikev2EncodeSa ( ProposalsSize += ProposalSize; Proposal->Header.NextPayload = IKE_PROPOSAL_NEXT_PAYLOAD_MORE; Proposal->Header.PayloadLength = HTONS ((UINT16)ProposalSize); - - if (ProposalIndex == SaData->NumProposals) { - LastProposal->Header.NextPayload = IKE_PROPOSAL_NEXT_PAYLOAD_NONE; + + if (ProposalIndex == (UINTN)(SaData->NumProposals - 1)) { + Proposal->Header.NextPayload = IKE_PROPOSAL_NEXT_PAYLOAD_NONE; } // @@ -1731,7 +1727,7 @@ Ikev2EncodeSa ( This function converts the received SA payload to internal data structure. - @param[in] SessionCommon Pointer to IKE Common Session used to decode the SA + @param[in] SessionCommon Pointer to IKE Common Session used to decode the SA Payload. @param[in] Sa Pointer to SA Payload @@ -1804,11 +1800,14 @@ Ikev2DecodeSa ( } // - // Check the proposal number. The Proposal Payload type is 2. Nonce Paylod is 0. - // SUM(ProposalNextPayload) = Proposal Num * 2 + Noce Payload Type (0). + // Check the proposal number. + // The proposal Substructure, the NextPayLoad field indicates : 0 (last) or 2 (more) + // which Specifies whether this is the last Proposal Substructure in the SA. + // Here suming all Proposal NextPayLoad field to check the proposal number is correct + // or not. // if (TotalProposals == 0 || - (TotalProposals - 1) * IKE_PROPOSAL_NEXT_PAYLOAD_MORE + IKE_PROPOSAL_NEXT_PAYLOAD_NONE != ProposalNextPayloadSum + (TotalProposals - 1) * IKE_PROPOSAL_NEXT_PAYLOAD_MORE != ProposalNextPayloadSum ) { Status = EFI_INVALID_PARAMETER; goto Exit; @@ -1843,7 +1842,7 @@ Ikev2DecodeSa ( ProposalIndex < TotalProposals; ProposalIndex++ ) { - + // // TODO: check ProposalId // @@ -1902,7 +1901,7 @@ Ikev2DecodeSa ( SaAttrRemaining = TransformSize - sizeof (IKEV2_TRANSFORM); // - // According to RFC 4603, currently only the Key length attribute type is + // According to RFC 4603, currently only the Key length attribute type is // supported. For each Transform, there is only one attributeion. // if (SaAttrRemaining > 0) { @@ -1920,12 +1919,12 @@ Ikev2DecodeSa ( if (TransformData->Attribute.AttrType != IKEV2_ATTRIBUTE_TYPE_KEYLEN) { Status = EFI_INVALID_PARAMETER; goto Exit; - } + } } // // Move to next Transform - // + // Transform = IKEV2_NEXT_TRANSFORM_WITH_SIZE (Transform, TransformSize); } Proposal = IKEV2_NEXT_PROPOSAL_WITH_SIZE (Proposal, ProposalSize); @@ -1945,7 +1944,7 @@ Exit: /** General interface of payload encoding. - This function encodes the internal data structure into payload which + This function encodes the internal data structure into payload which is defined in RFC 4306. The IkePayload->PayloadBuf is used to store both the input payload and converted payload. Only the SA payload use the interal structure to store the attribute. Other payload use structure which is same with the RFC @@ -2006,17 +2005,17 @@ Ikev2EncodePayload ( NotifyPayload = (IKEV2_NOTIFY *) IkePayload->PayloadBuf; NotifyPayload->MessageType = HTONS (NotifyPayload->MessageType); break; - + case IKEV2_PAYLOAD_TYPE_DELETE: DeletePayload = (IKEV2_DELETE *) IkePayload->PayloadBuf; DeletePayload->NumSpis = HTONS (DeletePayload->NumSpis); break; - + case IKEV2_PAYLOAD_TYPE_KE: KeyPayload = (IKEV2_KEY_EXCHANGE *) IkePayload->PayloadBuf; KeyPayload->DhGroup = HTONS (KeyPayload->DhGroup); break; - + case IKEV2_PAYLOAD_TYPE_TS_INIT: case IKEV2_PAYLOAD_TYPE_TS_RSP: TsPayload = (IKEV2_TS *) IkePayload->PayloadBuf; @@ -2031,7 +2030,7 @@ Ikev2EncodePayload ( TrafficSelector->SelecorLen = HTONS (TrafficSelector->SelecorLen); TrafficSelector->StartPort = HTONS (TrafficSelector->StartPort); TrafficSelector->EndPort = HTONS (TrafficSelector->EndPort); - + } break; @@ -2040,14 +2039,14 @@ Ikev2EncodePayload ( CfgAttribute = (IKEV2_CFG_ATTRIBUTES *)(((IKEV2_CFG *) IkePayload->PayloadBuf) + 1); CfgAttribute->AttritType = HTONS (CfgAttribute->AttritType); CfgAttribute->ValueLength = HTONS (CfgAttribute->ValueLength); - + case IKEV2_PAYLOAD_TYPE_ID_INIT: case IKEV2_PAYLOAD_TYPE_ID_RSP: case IKEV2_PAYLOAD_TYPE_AUTH: default: break; } - + PayloadHdr = (IKEV2_COMMON_PAYLOAD_HEADER *) IkePayload->PayloadBuf; IkePayload->PayloadSize = PayloadHdr->PayloadLength; PayloadHdr->PayloadLength = HTONS (PayloadHdr->PayloadLength); @@ -2062,7 +2061,7 @@ Ikev2EncodePayload ( @param[in] SessionCommon Pointer to IKE Session Common used for decoding. @param[in, out] IkePayload Pointer to IKE payload to be decoded as input, and - store the decoded result as output. + store the decoded result as output. @retval EFI_INVALID_PARAMETER Meet error when decoding the SA payload. @retval EFI_SUCCESS Decoded successfully. @@ -2092,8 +2091,8 @@ Ikev2DecodePayload ( // Transform the IKE payload to Internal IKE structure. // Only the SA payload and Hash Payload use the interal // structure to store the attribute. Other payloads use - // structure which is same with the definitions in RFC, - // so there is no need to tranform them to internal IKE + // structure which is same with the definitions in RFC, + // so there is no need to tranform them to internal IKE // structure. // Status = EFI_SUCCESS; @@ -2123,9 +2122,9 @@ Ikev2DecodePayload ( if (!IkePayload->IsPayloadBufExt) { FreePool (IkePayload->PayloadBuf); } - + IkePayload->PayloadBuf = (UINT8 *) SaData; - IkePayload->IsPayloadBufExt = FALSE; + IkePayload->IsPayloadBufExt = FALSE; break; case IKEV2_PAYLOAD_TYPE_ID_INIT: @@ -2145,7 +2144,7 @@ Ikev2DecodePayload ( NotifyPayload = (IKEV2_NOTIFY *) PayloadHdr; NotifyPayload->MessageType = NTOHS (NotifyPayload->MessageType); break; - + case IKEV2_PAYLOAD_TYPE_DELETE: if (PayloadSize < sizeof (IKEV2_DELETE)) { Status = EFI_INVALID_PARAMETER; @@ -2155,7 +2154,7 @@ Ikev2DecodePayload ( DeletePayload = (IKEV2_DELETE *) PayloadHdr; DeletePayload->NumSpis = NTOHS (DeletePayload->NumSpis); break; - + case IKEV2_PAYLOAD_TYPE_AUTH: if (PayloadSize < sizeof (IKEV2_AUTH)) { Status = EFI_INVALID_PARAMETER; @@ -2166,7 +2165,7 @@ Ikev2DecodePayload ( case IKEV2_PAYLOAD_TYPE_KE: KeyPayload = (IKEV2_KEY_EXCHANGE *) IkePayload->PayloadBuf; KeyPayload->DhGroup = HTONS (KeyPayload->DhGroup); - break; + break; case IKEV2_PAYLOAD_TYPE_TS_INIT: case IKEV2_PAYLOAD_TYPE_TS_RSP : @@ -2212,12 +2211,12 @@ Ikev2DecodePayload ( /** Decode the IKE packet. - This function first decrypts the IKE packet if needed , then separates the whole + This function first decrypts the IKE packet if needed , then separates the whole IKE packet from the IkePacket->PayloadBuf into IkePacket payload list. - - @param[in] SessionCommon Pointer to IKEV1_SESSION_COMMON containing + + @param[in] SessionCommon Pointer to IKEV1_SESSION_COMMON containing some parameter used by IKE packet decoding. - @param[in, out] IkePacket The IKE Packet to be decoded on input, and + @param[in, out] IkePacket The IKE Packet to be decoded on input, and the decoded result on return. @param[in] IkeType The type of IKE. IKE_SA_TYPE, IKE_INFO_TYPE and IKE_CHILD_TYPE are supported. @@ -2243,7 +2242,7 @@ Ikev2DecodePacket ( IKEV2_SA_SESSION *IkeSaSession; IkeHeader = NULL; - + // // Check if the IkePacket need decrypt. // @@ -2260,7 +2259,7 @@ Ikev2DecodePacket ( // If the IkePacket doesn't contain any payload return invalid parameter. // if (IkePacket->Header->NextPayload == IKEV2_PAYLOAD_TYPE_NONE) { - if ((SessionCommon->State >= IkeStateAuth) && + if ((SessionCommon->State >= IkeStateAuth) && (IkePacket->Header->ExchangeType == IKEV2_EXCHANGE_TYPE_INFO) ) { // @@ -2301,7 +2300,7 @@ Ikev2DecodePacket ( IkeSaSession->RespPacket = AllocateZeroPool (IkePacket->Header->Length); if (IkeSaSession->RespPacket == NULL) { Status = EFI_OUT_OF_RESOURCES; - goto Exit; + goto Exit; } IkeSaSession->RespPacketSize = IkePacket->Header->Length; CopyMem (IkeSaSession->RespPacket, IkeHeader, sizeof (IKE_HEADER)); @@ -2309,12 +2308,12 @@ Ikev2DecodePacket ( IkeSaSession->RespPacket + sizeof (IKE_HEADER), IkePacket->PayloadsBuf, IkePacket->Header->Length - sizeof (IKE_HEADER) - ); + ); } else { IkeSaSession->InitPacket = AllocateZeroPool (IkePacket->Header->Length); if (IkeSaSession->InitPacket == NULL) { Status = EFI_OUT_OF_RESOURCES; - goto Exit; + goto Exit; } IkeSaSession->InitPacketSize = IkePacket->Header->Length; CopyMem (IkeSaSession->InitPacket, IkeHeader, sizeof (IKE_HEADER)); @@ -2327,7 +2326,7 @@ Ikev2DecodePacket ( } // - // Point to the first Payload + // Point to the first Payload // PayloadHdr = (IKEV2_COMMON_PAYLOAD_HEADER *) IkePacket->PayloadsBuf; PayloadType = IkePacket->Header->NextPayload; @@ -2412,9 +2411,9 @@ Exit: This function puts all Payloads into one payload then encrypt it if needed. - @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON containing + @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON containing some parameter used during IKE packet encoding. - @param[in, out] IkePacket Pointer to IKE_PACKET to be encoded as input, + @param[in, out] IkePacket Pointer to IKE_PACKET to be encoded as input, and the encoded result as output. @param[in] IkeType The type of IKE. IKE_SA_TYPE, IKE_INFO_TYPE and IKE_CHILD_TYPE are supportted. @@ -2479,12 +2478,12 @@ Ikev2EncodePacket ( } // - // If the packet is first message, store whole message in IkeSa->InitiPacket + // If the packet is first message, store whole message in IkeSa->InitiPacket // for following Auth Payload calculation. // if (IkePacket->Header->ExchangeType == IKEV2_EXCHANGE_TYPE_INIT) { IkeSaSession = IKEV2_SA_SESSION_FROM_COMMON (SessionCommon); - if (SessionCommon->IsInitiator) { + if (SessionCommon->IsInitiator) { IkeSaSession->InitPacketSize = IkePacket->PayloadTotalSize + sizeof (IKE_HEADER); IkeSaSession->InitPacket = AllocateZeroPool (IkeSaSession->InitPacketSize); ASSERT (IkeSaSession->InitPacket != NULL); @@ -2500,7 +2499,7 @@ Ikev2EncodePacket ( ); PayloadTotalSize = PayloadTotalSize + IkePayload->PayloadSize; } - } else { + } else { IkeSaSession->RespPacketSize = IkePacket->PayloadTotalSize + sizeof(IKE_HEADER); IkeSaSession->RespPacket = AllocateZeroPool (IkeSaSession->RespPacketSize); ASSERT (IkeSaSession->RespPacket != NULL); @@ -2528,9 +2527,9 @@ Ikev2EncodePacket ( This function decrypts the Encrypted IKE packet and put the result into IkePacket->PayloadBuf. - @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON containing + @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON containing some parameter used during decrypting. - @param[in, out] IkePacket Pointer to IKE_PACKET to be decrypted as input, + @param[in, out] IkePacket Pointer to IKE_PACKET to be decrypted as input, and the decrypted result as output. @param[in, out] IkeType The type of IKE. IKE_SA_TYPE, IKE_INFO_TYPE and IKE_CHILD_TYPE are supportted. @@ -2538,7 +2537,7 @@ Ikev2EncodePacket ( @retval EFI_INVALID_PARAMETER If the IKE packet length is zero or the IKE packet length is not aligned with Algorithm Block Size @retval EFI_SUCCESS Decrypt IKE packet successfully. - + **/ EFI_STATUS Ikev2DecryptPacket ( @@ -2548,12 +2547,12 @@ Ikev2DecryptPacket ( ) { UINT8 CryptBlockSize; // Encrypt Block Size - UINTN DecryptedSize; // Encrypted IKE Payload Size + UINTN DecryptedSize; // Encrypted IKE Payload Size UINT8 *DecryptedBuf; // Encrypted IKE Payload buffer UINTN IntegritySize; UINT8 *IntegrityBuffer; - UINTN IvSize; // Iv Size - UINT8 CheckSumSize; // Integrity Check Sum Size depends on intergrity Auth + UINTN IvSize; // Iv Size + UINT8 CheckSumSize; // Integrity Check Sum Size depends on intergrity Auth UINT8 *CheckSumData; // Check Sum data IKEV2_SA_SESSION *IkeSaSession; IKEV2_CHILD_SA_SESSION *ChildSaSession; @@ -2582,7 +2581,7 @@ Ikev2DecryptPacket ( // Get the Block Size // if (SessionCommon->IkeSessionType == IkeSessionTypeIkeSa) { - + CryptBlockSize = (UINT8) IpSecGetEncryptBlockSize ((UINT8) SessionCommon->SaParams->EncAlgId); CryptKeyLength = IpSecGetEncryptKeyLength ((UINT8) SessionCommon->SaParams->EncAlgId); CheckSumSize = (UINT8) IpSecGetIcvLength ((UINT8) SessionCommon->SaParams->IntegAlgId); @@ -2615,7 +2614,7 @@ Ikev2DecryptPacket ( CopyMem (IntegrityBuffer + sizeof (IKE_HEADER), IkePacket->PayloadsBuf, IkePacket->PayloadTotalSize); // - // Change Host order to Network order, since the header order was changed + // Change Host order to Network order, since the header order was changed // in the IkePacketFromNetbuf. // IkeHdrHostToNet ((IKE_HEADER *)IntegrityBuffer); @@ -2663,9 +2662,9 @@ Ikev2DecryptPacket ( Status = EFI_ACCESS_DENIED; goto ON_EXIT; } - + IvSize = CryptBlockSize; - + // // Decrypt the payload with the key. // @@ -2716,7 +2715,7 @@ Ikev2DecryptPacket ( // Save the next payload of encrypted payload into IkePacket->Hdr->NextPayload // IkePacket->Header->NextPayload = ((IKEV2_ENCRYPTED *) IkePacket->PayloadsBuf)->Header.NextPayload; - + // // Free old IkePacket->PayloadBuf and point it to decrypted paylaod buffer. // @@ -2725,7 +2724,7 @@ Ikev2DecryptPacket ( IkePacket->PayloadTotalSize = DecryptedSize - PadLen; IPSEC_DUMP_BUF ("Decrypted Buffer", DecryptedBuf, DecryptedSize); - + ON_EXIT: if (CheckSumData != NULL) { @@ -2739,7 +2738,7 @@ ON_EXIT: if (IntegrityBuffer != NULL) { FreePool (IntegrityBuffer); } - + return Status; } @@ -2748,7 +2747,7 @@ ON_EXIT: This function encrypt IKE packet before sending it. The Encrypted IKE packet is put in to IKEV2 Encrypted Payload. - + @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON related to the IKE packet. @param[in, out] IkePacket Pointer to IKE packet to be encrypted. @@ -2764,15 +2763,15 @@ Ikev2EncryptPacket ( { UINT8 CryptBlockSize; // Encrypt Block Size UINT8 CryptBlockSizeMask; // Block Mask - UINTN EncryptedSize; // Encrypted IKE Payload Size + UINTN EncryptedSize; // Encrypted IKE Payload Size UINT8 *EncryptedBuf; // Encrypted IKE Payload buffer UINT8 *EncryptPayloadBuf; // Contain whole Encrypted Payload UINTN EncryptPayloadSize; // Total size of the Encrypted payload - UINT8 *IntegrityBuf; // Buffer to be intergity + UINT8 *IntegrityBuf; // Buffer to be intergity UINT32 IntegrityBufSize; // Buffer size of IntegrityBuf UINT8 *IvBuffer; // Initialization Vector - UINT8 IvSize; // Iv Size - UINT8 CheckSumSize; // Integrity Check Sum Size depends on intergrity Auth + UINT8 IvSize; // Iv Size + UINT8 CheckSumSize; // Integrity Check Sum Size depends on intergrity Auth UINT8 *CheckSumData; // Check Sum data UINTN Index; IKE_PAYLOAD *EncryptPayload; @@ -2816,7 +2815,7 @@ Ikev2EncryptPacket ( CryptKeyLength = IpSecGetEncryptKeyLength ((UINT8) IkeSaSession->SessionCommon.SaParams->EncAlgId); CheckSumSize = (UINT8) IpSecGetIcvLength ((UINT8) IkeSaSession->SessionCommon.SaParams->IntegAlgId); } - + // // Calcualte the EncryptPayloadSize and the PAD length // @@ -2910,11 +2909,11 @@ Ikev2EncryptPacket ( // // Fill in the IKE Packet header - // + // IkePacket->PayloadTotalSize = EncryptPayloadSize; IkePacket->Header->Length = (UINT32) (sizeof (IKE_HEADER) + IkePacket->PayloadTotalSize); IkePacket->Header->NextPayload = IKEV2_PAYLOAD_TYPE_ENCRYPT; - + IntegrityBuf = AllocateZeroPool (IkePacket->Header->Length); if (IntegrityBuf == NULL) { Status = EFI_OUT_OF_RESOURCES; @@ -2954,7 +2953,7 @@ Ikev2EncryptPacket ( (UINT8)IkeSaSession->SessionCommon.SaParams->IntegAlgId, IkeSaSession->IkeKeys->SkArKey, IkeSaSession->IkeKeys->SkArKeySize, - (HASH_DATA_FRAGMENT *) Fragments, + (HASH_DATA_FRAGMENT *) Fragments, 1, CheckSumData, CheckSumSize @@ -2986,7 +2985,7 @@ Ikev2EncryptPacket ( EncryptPayload->PayloadBuf = EncryptPayloadBuf; EncryptPayload->PayloadSize = EncryptPayloadSize; EncryptPayload->PayloadType = IKEV2_PAYLOAD_TYPE_ENCRYPT; - + IKE_PACKET_APPEND_PAYLOAD (IkePacket, EncryptPayload); ON_EXIT: @@ -3037,8 +3036,8 @@ Ikev2OnPacketAccepted ( The notification function. It will be called when the related UDP_TX_TOKEN's event is signaled. - This function frees the Net Buffer pointed to the input Packet. - + This function frees the Net Buffer pointed to the input Packet. + @param[in] Packet Pointer to Net buffer containing the sending IKE packet. @param[in] EndPoint Pointer to UDP_END_POINT containing the remote and local address information. @@ -3064,11 +3063,11 @@ Ikev2OnPacketSent ( IkePacket = (IKE_PACKET *) Context; Private = NULL; - + if (EFI_ERROR (IoStatus)) { DEBUG ((DEBUG_ERROR, "Error send the last packet in IkeSessionTypeIkeSa with %r\n", IoStatus)); } - + NetbufFree (Packet); if (IkePacket->IsDeleteInfo) { @@ -3088,7 +3087,7 @@ Ikev2OnPacketSent ( if (IkePacket->Spi != 0 ) { // // At that time, the established Child SA still in eht ChildSaEstablishSessionList. - // And meanwhile, if the Child SA is in the the ChildSa in Delete list, + // And meanwhile, if the Child SA is in the the ChildSa in Delete list, // remove it from delete list and delete it direclty. // ChildSaSession = Ikev2ChildSaSessionLookupBySpi ( @@ -3129,7 +3128,7 @@ Ikev2OnPacketSent ( IkePacketFree (IkePacket); // - // when all IKE SAs were disabled by calling "IPsecConfig -disable", the IPsec status + // when all IKE SAs were disabled by calling "IPsecConfig -disable", the IPsec status // should be changed. // if (Private != NULL && Private->IsIPsecDisabling) { @@ -3163,8 +3162,8 @@ Ikev2OnPacketSent ( @param[in] IkeUdpService Pointer to IKE_UDP_SERVICE used to send the IKE packet. @param[in] SessionCommon Pointer to IKEV1_SESSION_COMMON related to the IKE packet. @param[in] IkePacket Pointer to IKE_PACKET to be sent out. - @param[in] IkeType The type of IKE to point what's kind of the IKE - packet is to be sent out. IKE_SA_TYPE, IKE_INFO_TYPE + @param[in] IkeType The type of IKE to point what's kind of the IKE + packet is to be sent out. IKE_SA_TYPE, IKE_INFO_TYPE and IKE_CHILD_TYPE are supportted. @retval EFI_SUCCESS The operation complete successfully. @@ -3185,7 +3184,7 @@ Ikev2SendIkePacket ( IKEV2_SESSION_COMMON *Common; Common = (IKEV2_SESSION_COMMON *) SessionCommon; - + // // Set the resend interval // @@ -3212,7 +3211,7 @@ Ikev2SendIkePacket ( IKE_PACKET_REF (IkePacket); // - // If the last sent packet is same with this round packet, the packet is resent packet. + // If the last sent packet is same with this round packet, the packet is resent packet. // if (IkePacket != Common->LastSentPacket && Common->LastSentPacket != NULL) { IkePacketFree (Common->LastSentPacket); diff --git a/NetworkPkg/IpSecDxe/IpSecDriver.c b/NetworkPkg/IpSecDxe/IpSecDriver.c index bd12aa2e07..753c70db54 100644 --- a/NetworkPkg/IpSecDxe/IpSecDriver.c +++ b/NetworkPkg/IpSecDxe/IpSecDriver.c @@ -1,7 +1,7 @@ /** @file Driver Binding Protocol for IPsec Driver. - Copyright (c) 2009 - 2010, Intel Corporation. All rights reserved.
+ Copyright (c) 2009 - 2011, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License @@ -81,7 +81,7 @@ IpSecDriverBindingSupported ( @retval EFI_SUCCES This driver is added to ControllerHandle @retval EFI_ALREADY_STARTED This driver is already running on ControllerHandle - @retval EFI_DEVICE_ERROR The device could not be started due to a device error. + @retval EFI_DEVICE_ERROR The device could not be started due to a device error. Currently not implemented. @retval other This driver does not support this device @@ -189,6 +189,10 @@ IpSecDriverBindingStop ( Private = IPSEC_PRIVATE_DATA_FROM_IPSEC (IpSec); + // + // Delete all SAs before stop Ipsec. + // + IkeDeleteAllSas (Private, FALSE); // // If has udp4 io opened on the controller, close and free it. // @@ -256,9 +260,9 @@ EFI_DRIVER_BINDING_PROTOCOL gIpSecDriverBinding = { /** This is a callback function when the mIpSecInstance.DisabledEvent is signaled. - + @param[in] Event Event whose notification function is being invoked. - @param[in] Context Pointer to the notification function's context. + @param[in] Context Pointer to the notification function's context. **/ VOID @@ -271,15 +275,15 @@ IpSecCleanupAllSa ( IPSEC_PRIVATE_DATA *Private; Private = (IPSEC_PRIVATE_DATA *) Context; Private->IsIPsecDisabling = TRUE; - IkeDeleteAllSas (Private); + IkeDeleteAllSas (Private, TRUE); } /** This is the declaration of an EFI image entry point. This entry point is the same for UEFI Applications, UEFI OS Loaders, and UEFI Drivers, including both device drivers and bus drivers. - - The entry point for IPsec driver which installs the driver binding, + + The entry point for IPsec driver which installs the driver binding, component name protocol, IPsec Config protcolon, and IPsec protocol in its ImageHandle. @@ -289,7 +293,7 @@ IpSecCleanupAllSa ( @retval EFI_SUCCESS The operation completed successfully. @retval EFI_ALREADY_STARTED The IPsec driver has been already loaded. @retval EFI_OUT_OF_RESOURCES The request could not be completed due to a lack of resources. - @retval Others The operation is failed. + @retval Others The operation is failed. **/ EFI_STATUS @@ -346,7 +350,7 @@ IpSecDriverEntryPoint ( Private->Signature = IPSEC_PRIVATE_DATA_SIGNATURE; Private->ImageHandle = ImageHandle; CopyMem (&Private->IpSec, &mIpSecInstance, sizeof (EFI_IPSEC2_PROTOCOL)); - + // // Initilize Private's members. Thess members is used for IKE. // @@ -356,7 +360,7 @@ IpSecDriverEntryPoint ( InitializeListHead (&Private->Ikev1EstablishedList); InitializeListHead (&Private->Ikev2SessionList); InitializeListHead (&Private->Ikev2EstablishedList); - + RandomSeed (NULL, 0); // // Initialize the ipsec config data and restore it from variable. @@ -390,7 +394,7 @@ IpSecDriverEntryPoint ( if (EFI_ERROR (Status)) { goto ON_UNINSTALL_IPSEC; } - + return Status; ON_UNINSTALL_IPSEC: diff --git a/NetworkPkg/IpSecDxe/IpSecImpl.c b/NetworkPkg/IpSecDxe/IpSecImpl.c index 50cd4d8540..347bdd994e 100644 --- a/NetworkPkg/IpSecDxe/IpSecImpl.c +++ b/NetworkPkg/IpSecDxe/IpSecImpl.c @@ -23,7 +23,7 @@ Check if the specified Address is the Valid Address Range. This function checks if the bytes after prefixed length are all Zero in this - Address. This Address is supposed to point to a range address. That means it + Address. This Address is supposed to point to a range address. That means it should gives the correct prefixed address and the bytes outside the prefixed are zero. @@ -329,7 +329,7 @@ IpSecLookupSadBySpd ( { LIST_ENTRY *Entry; IPSEC_SAD_ENTRY *SadEntry; - + NET_LIST_FOR_EACH (Entry, SadList) { SadEntry = IPSEC_SAD_ENTRY_FROM_SPD (Entry); @@ -341,7 +341,7 @@ IpSecLookupSadBySpd ( DestAddress, SadEntry->Data->SpdSelector->RemoteAddress, SadEntry->Data->SpdSelector->RemoteAddressCount - )){ + )){ return SadEntry; } } @@ -382,7 +382,7 @@ IpSecLookupSadBySpi ( if (SadEntry->Id->Spi == Spi) { if (SadEntry->Data->Mode == EfiIPsecTunnel) { if (CompareMem ( - &DestAddress, + &DestAddress, &SadEntry->Data->TunnelDestAddress, sizeof (EFI_IP_ADDRESS) )) { @@ -391,14 +391,14 @@ IpSecLookupSadBySpi ( } else { if (SadEntry->Data->SpdSelector != NULL && IpSecMatchIpAddress ( - IpVersion, - DestAddress, + IpVersion, + DestAddress, SadEntry->Data->SpdSelector->RemoteAddress, SadEntry->Data->SpdSelector->RemoteAddressCount ) ) { return SadEntry; - } + } } } } @@ -471,14 +471,13 @@ IpSecLookupSadEntry ( sizeof (EFI_IP_ADDRESS) ); } - + // // Find the SAD entry in the spd.sas list according to the dest address. // Entry = IpSecLookupSadBySpd (&SpdEntry->Data->Sas, &DestIp, IpVersion); if (Entry == NULL) { - if (OldLastHead != IP6_ICMP || (OldLastHead == IP6_ICMP && *IpPayload == ICMP_V6_ECHO_REQUEST) ) { @@ -498,7 +497,7 @@ IpSecLookupSadEntry ( &DestIp ); } - + } return EFI_NOT_READY; @@ -595,7 +594,7 @@ IpSecLookupSpdEntry ( IN VOID *IpHead, IN UINT8 *IpPayload, IN UINT8 Protocol, - IN BOOLEAN IsOutbound, + IN BOOLEAN IsOutbound, OUT EFI_IPSEC_ACTION *Action ) { @@ -733,7 +732,7 @@ IpSecRecycleCallback ( } /** - Calculate the extension hader of IP. The return length only doesn't contain + Calculate the extension hader of IP. The return length only doesn't contain the fixed IP header length. @param[in] IpHead Points to an IP head to be calculated. @@ -801,7 +800,7 @@ IpSecEspAuthVerifyPayload ( // HashFragment[0].Data = EspBuffer; HashFragment[0].DataSize = AuthSize; - + Status = IpSecCryptoIoHmac ( SadEntry->Data->AlgoInfo.EspAlgoInfo.AuthAlgoId, SadEntry->Data->AlgoInfo.EspAlgoInfo.AuthKey, @@ -814,7 +813,7 @@ IpSecEspAuthVerifyPayload ( if (EFI_ERROR (Status)) { return Status; } - + // // Compare the calculated icv and the appended original icv. // @@ -832,10 +831,10 @@ IpSecEspAuthVerifyPayload ( @param[in] IpHead The pointer to IP header. @param[in] IpVersion The version of IP (IP4 or IP6). @param[in] Spi The SPI used to search the related SAD entry. - + @retval NULL Not find the related SAD entry. - @retval IPSEC_SAD_ENTRY Return the related SAD entry. + @retval IPSEC_SAD_ENTRY Return the related SAD entry. **/ IPSEC_SAD_ENTRY * @@ -843,10 +842,10 @@ IpSecFoundSadFromInboundPacket ( UINT8 *IpHead, UINT8 IpVersion, UINT32 Spi - ) + ) { EFI_IP_ADDRESS DestIp; - + // // Parse destination address from ip header. // @@ -864,10 +863,10 @@ IpSecFoundSadFromInboundPacket ( sizeof (EFI_IPv6_ADDRESS) ); } - + // // Lookup SAD entry according to the spi and dest address. - // + // return IpSecLookupSadBySpi (Spi, &DestIp, IpVersion); } @@ -994,7 +993,7 @@ IpSecIsIp6ExtsValid ( } return TRUE; - } + } } *LastHeader = NextHeader; @@ -1007,14 +1006,14 @@ IpSecIsIp6ExtsValid ( } /** - The actual entry to process the tunnel header and inner header for tunnel mode + The actual entry to process the tunnel header and inner header for tunnel mode outbound traffic. - This function is the subfunction of IpSecEspInboundPacket(). It change the destination + This function is the subfunction of IpSecEspInboundPacket(). It change the destination Ip address to the station address and recalculate the uplayyer's checksum. - - @param[in, out] IpHead Points to the IP header containing the ESP header + + @param[in, out] IpHead Points to the IP header containing the ESP header to be trimed on input, and without ESP header on return. @param[in] IpPayload The decrypted Ip payload. It start from the inner @@ -1042,10 +1041,10 @@ IpSecTunnelInboundPacket ( IP6_ICMP_HEAD *Icmp6Head; Checksum = NULL; - + if (IpVersion == IP_VERSION_4) { // - // Zero OutIP header use this to indicate the input packet is under + // Zero OutIP header use this to indicate the input packet is under // IPsec Tunnel protected. // ZeroMem ( @@ -1057,20 +1056,20 @@ IpSecTunnelInboundPacket ( &SadData->TunnelDestAddress.v4, sizeof (EFI_IPv4_ADDRESS) ); - + // // Recalculate IpHeader Checksum // if (((IP4_HEAD *)(IpPayload))->Checksum != 0 ) { ((IP4_HEAD *)(IpPayload))->Checksum = 0; ((IP4_HEAD *)(IpPayload))->Checksum = (UINT16) (~NetblockChecksum ( - (UINT8 *)IpPayload, + (UINT8 *)IpPayload, ((IP4_HEAD *)IpPayload)->HeadLen << 2 )); } - + // // Recalcualte PseudoChecksum // @@ -1091,7 +1090,7 @@ IpSecTunnelInboundPacket ( break; } PacketChecksum = NetblockChecksum ( - (UINT8 *)IpPayload + (((IP4_HEAD *)IpPayload)->HeadLen << 2), + (UINT8 *)IpPayload + (((IP4_HEAD *)IpPayload)->HeadLen << 2), NTOHS (((IP4_HEAD *)IpPayload)->TotalLen) - (((IP4_HEAD *)IpPayload)->HeadLen << 2) ); PseudoChecksum = NetPseudoHeadChecksum ( @@ -1100,14 +1099,14 @@ IpSecTunnelInboundPacket ( ((IP4_HEAD *)IpPayload)->Protocol, 0 ); - + if (Checksum != NULL) { *Checksum = NetAddChecksum (PacketChecksum, PseudoChecksum); *Checksum = (UINT16) ~(NetAddChecksum (*Checksum, HTONS((UINT16)(NTOHS (((IP4_HEAD *)IpPayload)->TotalLen) - (((IP4_HEAD *)IpPayload)->HeadLen << 2))))); } }else { // - // Zero OutIP header use this to indicate the input packet is under + // Zero OutIP header use this to indicate the input packet is under // IPsec Tunnel protected. // ZeroMem ( @@ -1119,7 +1118,7 @@ IpSecTunnelInboundPacket ( &SadData->TunnelDestAddress.v6, sizeof (EFI_IPv6_ADDRESS) ); - + // // Get the Extension Header and Header length. // @@ -1130,7 +1129,7 @@ IpSecTunnelInboundPacket ( &LastHead, &OptionLen ); - + // // Recalcualte PseudoChecksum // @@ -1154,7 +1153,7 @@ IpSecTunnelInboundPacket ( break; } PacketChecksum = NetblockChecksum ( - IpPayload + sizeof (EFI_IP6_HEADER) + OptionLen, + IpPayload + sizeof (EFI_IP6_HEADER) + OptionLen, NTOHS(((EFI_IP6_HEADER *)IpPayload)->PayloadLength) - OptionLen ); PseudoChecksum = NetIp6PseudoHeadChecksum ( @@ -1163,7 +1162,7 @@ IpSecTunnelInboundPacket ( *LastHead, 0 ); - + if (Checksum != NULL) { *Checksum = NetAddChecksum (PacketChecksum, PseudoChecksum); *Checksum = (UINT16) ~(NetAddChecksum ( @@ -1171,22 +1170,22 @@ IpSecTunnelInboundPacket ( HTONS ((UINT16)((NTOHS (((EFI_IP6_HEADER *)(IpPayload))->PayloadLength)) - OptionLen)) )); } - } + } } /** The actual entry to create inner header for tunnel mode inbound traffic. - This function is the subfunction of IpSecEspOutboundPacket(). It create - the sending packet by encrypting its payload and inserting ESP header in the orginal + This function is the subfunction of IpSecEspOutboundPacket(). It create + the sending packet by encrypting its payload and inserting ESP header in the orginal IP header, then return the IpHeader and IPsec protected Fragmentable. - - @param[in, out] IpHead Points to IP header containing the orginal IP header + + @param[in, out] IpHead Points to IP header containing the orginal IP header to be processed on input, and inserted ESP header on return. @param[in] IpVersion The version of IP. @param[in] SadData The related SAD data. - @param[in, out] LastHead The Last Header in IP header. + @param[in, out] LastHead The Last Header in IP header. @param[in] OptionsBuffer Pointer to the options buffer. @param[in] OptionsLength Length of the options buffer. @param[in, out] FragmentTable Pointer to a list of fragments to be protected by @@ -1221,7 +1220,7 @@ IpSecTunnelOutboundPacket ( if (OptionsLength == NULL) { return NULL; } - + if (IpVersion == IP_VERSION_4) { InnerHead = AllocateZeroPool (sizeof (IP4_HEAD) + *OptionsLength); ASSERT (InnerHead != NULL); @@ -1256,7 +1255,7 @@ IpSecTunnelOutboundPacket ( *OptionsLength = 0; } } - + // // 2. Reassamlbe Fragment into Packet // @@ -1294,13 +1293,13 @@ IpSecTunnelOutboundPacket ( Checksum = &IcmpHead->Checksum; *Checksum = 0; break; - - default: + + default: break; } PacketChecksum = NetbufChecksum (Packet); - + if (IpVersion == IP_VERSION_4) { // // Replace the source address of Inner Header. @@ -1318,7 +1317,7 @@ IpSecTunnelOutboundPacket ( *LastHead, 0 ); - + } else { // // Replace the source address of Inner Header. @@ -1335,7 +1334,7 @@ IpSecTunnelOutboundPacket ( *LastHead, 0 ); - + } if (Checksum != NULL) { *Checksum = NetAddChecksum (PacketChecksum, PseudoChecksum); @@ -1351,12 +1350,12 @@ IpSecTunnelOutboundPacket ( /** The actual entry to relative function processes the inbound traffic of ESP header. - This function is the subfunction of IpSecProtectInboundPacket(). It checks the + This function is the subfunction of IpSecProtectInboundPacket(). It checks the received packet security property and trim the ESP header and then returns without an IPsec protected IP Header and FramgmentTable. - + @param[in] IpVersion The version of IP. - @param[in, out] IpHead Points to the IP header containing the ESP header + @param[in, out] IpHead Points to the IP header containing the ESP header to be trimed on input, and without ESP header on return. @param[out] LastHead The Last Header in IP header on return. @@ -1417,7 +1416,7 @@ IpSecEspInboundPacket ( *RecycleEvent = NULL; PlainPayloadSize = 0; NextHeader = 0; - + // // Build netbuf from fragment table first. // @@ -1433,27 +1432,27 @@ IpSecEspInboundPacket ( Status = EFI_OUT_OF_RESOURCES; goto ON_EXIT; } - + // // Get the esp size and esp header from netbuf. // EspSize = Payload->TotalSize; EspHeader = (EFI_ESP_HEADER *) NetbufGetByte (Payload, 0, NULL); - + if (EspHeader == NULL) { Status = EFI_ACCESS_DENIED; goto ON_EXIT; } - + // // Parse destination address from ip header and found the related SAD Entry. // SadEntry = IpSecFoundSadFromInboundPacket ( - IpHead, + IpHead, IpVersion, NTOHL (EspHeader->Spi) ); - + if (SadEntry == NULL) { Status = EFI_ACCESS_DENIED; goto ON_EXIT; @@ -1475,7 +1474,7 @@ IpSecEspInboundPacket ( // TODO: Check SA lifetime and sequence number // } - + // // Allocate buffer for decryption and authentication. // @@ -1493,7 +1492,7 @@ IpSecEspInboundPacket ( IcvSize = IpSecGetIcvLength (SadEntry->Data->AlgoInfo.EspAlgoInfo.AuthAlgoId); IvSize = IpSecGetEncryptIvLength (SadEntry->Data->AlgoInfo.EspAlgoInfo.EncAlgoId); BlockSize = IpSecGetEncryptBlockSize (SadEntry->Data->AlgoInfo.EspAlgoInfo.EncAlgoId); - + // // Make sure the ESP packet is not mal-formt. // 1. Check whether the Espsize is larger than ESP header + IvSize + EspTail + IcvSize. @@ -1540,20 +1539,20 @@ IpSecEspInboundPacket ( goto ON_EXIT; } } - + // // Parse EspTail and compute the plain payload size. // EspTail = (EFI_ESP_TAIL *) (ProcessBuffer + EspSize - IcvSize - sizeof (EFI_ESP_TAIL)); PaddingSize = EspTail->PaddingLength; NextHeader = EspTail->NextHeader; - + if (EspSize <= (MiscSize + sizeof (EFI_ESP_TAIL) + PaddingSize)) { Status = EFI_ACCESS_DENIED; goto ON_EXIT; } PlainPayloadSize = EspSize - MiscSize - sizeof (EFI_ESP_TAIL) - PaddingSize; - + // // TODO: handle anti-replay window // @@ -1577,7 +1576,7 @@ IpSecEspInboundPacket ( if (EFI_ERROR (Status)) { goto ON_EXIT; } - + // // The caller will take responsible to handle the original fragment table // @@ -1589,7 +1588,7 @@ IpSecEspInboundPacket ( RecycleContext->PayloadBuffer = ProcessBuffer; RecycleContext->FragmentTable = *FragmentTable; - + // // If Tunnel, recalculate upper-layyer PesudoCheckSum and trim the out // @@ -1602,20 +1601,20 @@ IpSecEspInboundPacket ( SadData, LastHead ); - + if (IpVersion == IP_VERSION_4) { (*FragmentTable)[0].FragmentBuffer = InnerHead ; (*FragmentTable)[0].FragmentLength = (UINT32) PlainPayloadSize; - - }else { + + }else { (*FragmentTable)[0].FragmentBuffer = InnerHead; (*FragmentTable)[0].FragmentLength = (UINT32) PlainPayloadSize; - } + } } else { (*FragmentTable)[0].FragmentBuffer = ProcessBuffer + sizeof (EFI_ESP_HEADER) + IvSize; (*FragmentTable)[0].FragmentLength = (UINT32) PlainPayloadSize; } - + *FragmentCount = 1; // @@ -1633,7 +1632,7 @@ IpSecEspInboundPacket ( // *LastHead = NextHeader; } - + // // Update the SPD association of the SAD entry. @@ -1721,7 +1720,7 @@ IpSecEspOutboundPacket ( EFI_ESP_TAIL *EspTail; // Address behind padding UINT8 *InnerHead; HASH_DATA_FRAGMENT HashFragment[1]; - + Status = EFI_ACCESS_DENIED; SaId = SadEntry->Id; SadData = SadEntry->Data; @@ -1754,7 +1753,7 @@ IpSecEspOutboundPacket ( FragmentTable, FragmentCount ); - + if (InnerHead == NULL) { return EFI_INVALID_PARAMETER; } @@ -1794,7 +1793,7 @@ IpSecEspOutboundPacket ( // // OPtions should be encryption into it // - PlainPayloadSize += *OptionsLength; + PlainPayloadSize += *OptionsLength; } @@ -1852,7 +1851,7 @@ IpSecEspOutboundPacket ( // HeadLen, Total Length // ((IP4_HEAD *)InnerHead)->HeadLen = (UINT8) ((sizeof (IP4_HEAD) + *OptionsLength) >> 2); - ((IP4_HEAD *)InnerHead)->TotalLen = HTONS ((UINT16) PlainPayloadSize); + ((IP4_HEAD *)InnerHead)->TotalLen = HTONS ((UINT16) PlainPayloadSize); ((IP4_HEAD *)InnerHead)->Checksum = 0; ((IP4_HEAD *)InnerHead)->Checksum = (UINT16) (~NetblockChecksum ( (UINT8 *)InnerHead, @@ -1904,7 +1903,7 @@ IpSecEspOutboundPacket ( EspTail->NextHeader = 4; } else { EspTail->NextHeader = 41; - } + } } // @@ -1914,8 +1913,8 @@ IpSecEspOutboundPacket ( (UINT8 *) (EspHeader + 1), IvSize ); - - + + if (EFI_ERROR (Status)) { goto ON_EXIT; } @@ -2011,10 +2010,10 @@ IpSecEspOutboundPacket ( if (SadData->Mode == EfiIPsecTunnel) { if (IpVersion == IP_VERSION_4) { CopyMem ( - &((IP4_HEAD *) IpHead)->Src, + &((IP4_HEAD *) IpHead)->Src, &SadData->TunnelSourceAddress.v4, sizeof (EFI_IPv4_ADDRESS) - ); + ); CopyMem ( &((IP4_HEAD *) IpHead)->Dst, &SadData->TunnelDestAddress.v4, @@ -2065,11 +2064,11 @@ ON_EXIT: /** This function processes the inbound traffic with IPsec. - It checks the received packet security property, trims the ESP/AH header, and then + It checks the received packet security property, trims the ESP/AH header, and then returns without an IPsec protected IP Header and FragmentTable. - + @param[in] IpVersion The version of IP. - @param[in, out] IpHead Points to IP header containing the ESP/AH header + @param[in, out] IpHead Points to IP header containing the ESP/AH header to be trimed on input, and without ESP/AH header on return. @param[in, out] LastHead The Last Header in IP header on return. -- 2.39.2