diff options
author | Jiaxin Wu <jiaxin.wu@intel.com> | 2016-08-15 11:49:56 +0800 |
---|---|---|
committer | Jiaxin Wu <jiaxin.wu@intel.com> | 2016-08-18 16:53:28 +0800 |
commit | 7822a1d91d53e80525f571183a24d54488f5437f (patch) | |
tree | f1a871e7d2b35f8fd6c4c8511511990219b7973e /NetworkPkg/IpSecDxe | |
parent | 40b83d6114f55ed975d9d632f0cd9679781c64e0 (diff) | |
download | edk2-7822a1d91d53e80525f571183a24d54488f5437f.tar.gz edk2-7822a1d91d53e80525f571183a24d54488f5437f.tar.bz2 edk2-7822a1d91d53e80525f571183a24d54488f5437f.zip |
NetworkPkg/IpSecDxe: Fix wrong IKE header "FLAG" update
*v2: update the commit log and refine the code comments.
There are three kinds of IKE Exchange process:
#1. Initial Exchange
#2. CREATE_CHILD_SA_Exchange
#3. Information Exchange
The IKE header "FLAG" update is incorrect in #2 and #3 exchange,
which may cause the continue session failure. This patch is used
to correct the updates of IKE header "FLAG" according the RFC4306
section 3.1.
Cc: Ye Ting <ting.ye@intel.com>
Cc: Fu Siyuan <siyuan.fu@intel.com>
Cc: Zhang Lubo <lubo.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Jiaxin Wu <jiaxin.wu@intel.com>
Reviewed-by: Ye Ting <ting.ye@intel.com>
Diffstat (limited to 'NetworkPkg/IpSecDxe')
-rw-r--r-- | NetworkPkg/IpSecDxe/Ikev2/ChildSa.c | 14 | ||||
-rw-r--r-- | NetworkPkg/IpSecDxe/Ikev2/Exchange.c | 2 | ||||
-rw-r--r-- | NetworkPkg/IpSecDxe/Ikev2/Info.c | 17 | ||||
-rw-r--r-- | NetworkPkg/IpSecDxe/Ikev2/Payload.h | 11 |
4 files changed, 28 insertions, 16 deletions
diff --git a/NetworkPkg/IpSecDxe/Ikev2/ChildSa.c b/NetworkPkg/IpSecDxe/Ikev2/ChildSa.c index 1f0199b22d..eaccad2086 100644 --- a/NetworkPkg/IpSecDxe/Ikev2/ChildSa.c +++ b/NetworkPkg/IpSecDxe/Ikev2/ChildSa.c @@ -76,9 +76,7 @@ Ikev2CreateChildGenerator ( }
if (ChildSaSession->SessionCommon.IsInitiator) {
- IkePacket->Header->Flags = IKE_HEADER_FLAGS_CHILD_INIT;
- } else {
- IkePacket->Header->Flags = IKE_HEADER_FLAGS_RESPOND;
+ IkePacket->Header->Flags = IKE_HEADER_FLAGS_INIT;
}
} else {
@@ -96,11 +94,13 @@ Ikev2CreateChildGenerator ( }
if (IkeSaSession->SessionCommon.IsInitiator) {
- IkePacket->Header->Flags = IKE_HEADER_FLAGS_CHILD_INIT;
- } else {
- IkePacket->Header->Flags = IKE_HEADER_FLAGS_RESPOND;
+ IkePacket->Header->Flags = IKE_HEADER_FLAGS_INIT;
}
- }
+ }
+
+ if (MessageId != NULL) {
+ IkePacket->Header->Flags |= IKE_HEADER_FLAGS_RESPOND;
+ }
//
// According to RFC4306, Chapter 4.
diff --git a/NetworkPkg/IpSecDxe/Ikev2/Exchange.c b/NetworkPkg/IpSecDxe/Ikev2/Exchange.c index 1eddbfbcf1..5609964fa4 100644 --- a/NetworkPkg/IpSecDxe/Ikev2/Exchange.c +++ b/NetworkPkg/IpSecDxe/Ikev2/Exchange.c @@ -705,7 +705,7 @@ ON_REPLY: //
// Generate the reply packet if needed and send it out.
//
- if (IkePacket->Header->Flags != IKE_HEADER_FLAGS_RESPOND) {
+ if (!(IkePacket->Header->Flags & IKE_HEADER_FLAGS_RESPOND)) {
Reply = mIkev2CreateChild.Generator ((UINT8 *) IkeSaSession, &IkePacket->Header->MessageId);
if (Reply != NULL) {
Status = Ikev2SendIkePacket (UdpService, (UINT8 *) &(IkeSaSession->SessionCommon), Reply, 0);
diff --git a/NetworkPkg/IpSecDxe/Ikev2/Info.c b/NetworkPkg/IpSecDxe/Ikev2/Info.c index 23e47ceea8..0d2b290817 100644 --- a/NetworkPkg/IpSecDxe/Ikev2/Info.c +++ b/NetworkPkg/IpSecDxe/Ikev2/Info.c @@ -128,7 +128,11 @@ Ikev2InfoGenerator ( // The input parameter is not correct.
//
goto ERROR_EXIT;
- }
+ }
+
+ if (IkeSaSession->SessionCommon.IsInitiator) {
+ IkePacket->Header->Flags = IKE_HEADER_FLAGS_INIT ;
+ }
} else {
//
// Delete the Child SA Information Exchagne
@@ -180,13 +184,16 @@ Ikev2InfoGenerator ( // Change the IsOnDeleting Flag
//
ChildSaSession->SessionCommon.IsOnDeleting = TRUE;
+
+ if (ChildSaSession->SessionCommon.IsInitiator) {
+ IkePacket->Header->Flags = IKE_HEADER_FLAGS_INIT ;
+ }
}
- if (InfoContext == NULL) {
- IkePacket->Header->Flags = IKE_HEADER_FLAGS_INIT;
- } else {
- IkePacket->Header->Flags = IKE_HEADER_FLAGS_RESPOND;
+ if (InfoContext != NULL) {
+ IkePacket->Header->Flags |= IKE_HEADER_FLAGS_RESPOND;
}
+
return IkePacket;
ERROR_EXIT:
diff --git a/NetworkPkg/IpSecDxe/Ikev2/Payload.h b/NetworkPkg/IpSecDxe/Ikev2/Payload.h index 6096a3ba77..7a85792ed7 100644 --- a/NetworkPkg/IpSecDxe/Ikev2/Payload.h +++ b/NetworkPkg/IpSecDxe/Ikev2/Payload.h @@ -1,7 +1,7 @@ /** @file
The Definitions related to IKEv2 payload.
- Copyright (c) 2010, Intel Corporation. All rights reserved.<BR>
+ Copyright (c) 2010 - 2016, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
@@ -37,11 +37,16 @@ #define IKEV2_PAYLOAD_TYPE_EAP 48
//
-// IKE header Flag for IKEv2
+// IKE header Flag (1 octet) for IKEv2, defined in RFC 4306 section 3.1
+//
+// I(nitiator) (bit 3 of Flags, 0x08) - This bit MUST be set in messages sent by the
+// original initiator of the IKE_SA
+//
+// R(esponse) (bit 5 of Flags, 0x20) - This bit indicates that this message is a response to
+// a message containing the same message ID.
//
#define IKE_HEADER_FLAGS_INIT 0x08
#define IKE_HEADER_FLAGS_RESPOND 0x20
-#define IKE_HEADER_FLAGS_CHILD_INIT 0
//
// IKE Header Exchange Type for IKEv2
|