summaryrefslogtreecommitdiffstats
path: root/NetworkPkg/Application
diff options
context:
space:
mode:
authorJiaxin Wu <jiaxin.wu@intel.com>2016-01-18 01:59:41 +0000
committerjiaxinwu <jiaxinwu@Edk2>2016-01-18 01:59:41 +0000
commita51896e475cd62e742d54f1a0addd699237a24c2 (patch)
treefc1e268255bca43da5a5e17b49aae70572996bf7 /NetworkPkg/Application
parent4991eeffcd86e1dc0bf2b15655b986b932551854 (diff)
downloadedk2-a51896e475cd62e742d54f1a0addd699237a24c2.tar.gz
edk2-a51896e475cd62e742d54f1a0addd699237a24c2.tar.bz2
edk2-a51896e475cd62e742d54f1a0addd699237a24c2.zip
NetworkPkg: Fix SPD entry edit policy issue in IPSecConfig.
The current implementation doesn't handle the relationship between SPD and SAD well, which may introduce some security and connection issue after SPD updated. For SPD entry edit policy, if one SPD entry is edited/updated, the original SAs list should be discard. Current IPSecConfig tool does not dealt properly with those rules. Cc: Ye Ting <ting.ye@intel.com> Cc: Fu Siyuan <siyuan.fu@intel.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Jiaxin Wu <jiaxin.wu@intel.com> Reviewed-by: Ye Ting <ting.ye@intel.com> Reviewed-by: Fu Siyuan <siyuan.fu@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@19653 6f19259b-4bc3-4df7-8a09-765794883524
Diffstat (limited to 'NetworkPkg/Application')
-rw-r--r--NetworkPkg/Application/IpsecConfig/PolicyEntryOperation.c41
1 files changed, 18 insertions, 23 deletions
diff --git a/NetworkPkg/Application/IpsecConfig/PolicyEntryOperation.c b/NetworkPkg/Application/IpsecConfig/PolicyEntryOperation.c
index 970caa16ca..9bbc11490c 100644
--- a/NetworkPkg/Application/IpsecConfig/PolicyEntryOperation.c
+++ b/NetworkPkg/Application/IpsecConfig/PolicyEntryOperation.c
@@ -1,7 +1,7 @@
/** @file
The implementation of policy entry operation function in IpSecConfig application.
- Copyright (c) 2009 - 2015, Intel Corporation. All rights reserved.<BR>
+ Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
@@ -1398,6 +1398,8 @@ CombineSpdEntry (
//
// Process Data
//
+ OldData->SaIdCount = 0;
+
if ((Mask & NAME) != 0) {
AsciiStrCpyS ((CHAR8 *) OldData->Name, MAX_PEERID_LEN, (CHAR8 *) NewData->Name);
}
@@ -1862,37 +1864,30 @@ EditOperatePolicyEntry (
&CreateNew
);
if (!EFI_ERROR (Status)) {
+ //
+ // If the Selector already existed, this Entry will be updated by set data.
+ //
+ Status = mIpSecConfig->SetData (
+ mIpSecConfig,
+ Context->DataType,
+ Context->Selector, /// New created selector.
+ Data, /// Old date which has been modified, need to be set data.
+ Selector
+ );
+ ASSERT_EFI_ERROR (Status);
+
if (CreateNew) {
//
- // Insert new entry before old entry
+ // Edit the entry to a new one. So, we need delete the old entry.
//
Status = mIpSecConfig->SetData (
mIpSecConfig,
Context->DataType,
- Context->Selector,
- Data,
- Selector
- );
- ASSERT_EFI_ERROR (Status);
- //
- // Delete old entry
- //
- Status = mIpSecConfig->SetData (
- mIpSecConfig,
- Context->DataType,
- Selector,
- NULL,
+ Selector, /// Old selector.
+ NULL, /// NULL means to delete this Entry specified by Selector.
NULL
);
ASSERT_EFI_ERROR (Status);
- } else {
- Status = mIpSecConfig->SetData (
- mIpSecConfig,
- Context->DataType,
- Context->Selector,
- Data,
- NULL
- );
}
}