diff options
| author | Wang, Fan <fan.wang@intel.com> | 2019-04-23 11:16:50 +0800 |
|---|---|---|
| committer | Fu Siyuan <siyuan.fu@intel.com> | 2019-04-29 08:43:17 +0800 |
| commit | d55d9d0664366efe731db461e14c6fc380fca776 (patch) | |
| tree | 09df5249c7ae984220199febea0714923518ac46 /NetworkPkg | |
| parent | af51cb48a22d4135db48ed784dbb6bbbea9c15b5 (diff) | |
| download | edk2-d55d9d0664366efe731db461e14c6fc380fca776.tar.gz edk2-d55d9d0664366efe731db461e14c6fc380fca776.tar.bz2 edk2-d55d9d0664366efe731db461e14c6fc380fca776.zip | |
NetworkPkg: Remove IpSec driver and application
* REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1697
The IpSec driver in NetworkPkg is not really used by platforms
but has security risks. So it is scheduled to be removed from
edk2, also include IpSecConfig application.
Cc: Fu Siyuan <siyuan.fu@intel.com>
Cc: Wu Jiaxin <jiaxin.wu@intel.com>
Signed-off-by: Wang Fan <fan.wang@intel.com>
Reviewed-by: Siyuan Fu <siyuan.fu@intel.com>
Diffstat (limited to 'NetworkPkg')
53 files changed, 0 insertions, 29709 deletions
diff --git a/NetworkPkg/Application/IpsecConfig/Delete.c b/NetworkPkg/Application/IpsecConfig/Delete.c deleted file mode 100644 index cd37efdf49..0000000000 --- a/NetworkPkg/Application/IpsecConfig/Delete.c +++ /dev/null @@ -1,104 +0,0 @@ -/** @file
- The implementation of delete policy entry function in IpSecConfig application.
-
- Copyright (c) 2009 - 2010, Intel Corporation. All rights reserved.<BR>
-
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#include "IpSecConfig.h"
-#include "Indexer.h"
-#include "Delete.h"
-#include "Match.h"
-#include "ForEach.h"
-
-/**
- Private function to delete entry information in database.
-
- @param[in] Selector The pointer to EFI_IPSEC_CONFIG_SELECTOR structure.
- @param[in] Data The pointer to Data.
- @param[in] Context The pointer to DELETE_POLICY_ENTRY_CONTEXT.
-
- @retval EFI_ABORTED Abort the iteration.
- @retval EFI_SUCCESS Continue the iteration.
-**/
-EFI_STATUS
-DeletePolicyEntry (
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector,
- IN VOID *Data,
- IN DELETE_POLICY_ENTRY_CONTEXT *Context
- )
-{
- if (mMatchPolicyEntry[Context->DataType] (Selector, Data, &Context->Indexer)) {
- Context->Status = mIpSecConfig->SetData (
- mIpSecConfig,
- Context->DataType,
- Selector,
- NULL,
- NULL
- );
- //
- // Abort the iteration after the insertion.
- //
- return EFI_ABORTED;
- }
-
- return EFI_SUCCESS;
-}
-
-/**
- Flush or delete entry information in the database according to datatype.
-
- @param[in] DataType The value of EFI_IPSEC_CONFIG_DATA_TYPE.
- @param[in] ParamPackage The pointer to the ParamPackage list.
-
- @retval EFI_SUCCESS Delete entry information successfully.
- @retval EFI_NOT_FOUND Can't find the specified entry.
- @retval Others Some mistaken case.
-**/
-EFI_STATUS
-FlushOrDeletePolicyEntry (
- IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,
- IN LIST_ENTRY *ParamPackage
- )
-{
- EFI_STATUS Status;
- DELETE_POLICY_ENTRY_CONTEXT Context;
- CONST CHAR16 *ValueStr;
-
- //
- // If user wants to remove all.
- //
- if (ShellCommandLineGetFlag (ParamPackage, L"-f")) {
- Status = mIpSecConfig->SetData (
- mIpSecConfig,
- DataType,
- NULL,
- NULL,
- NULL
- );
- } else {
- ValueStr = ShellCommandLineGetValue (ParamPackage, L"-d");
- if (ValueStr == NULL) {
- ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_INDEX_NOT_SPECIFIED), mHiiHandle, mAppName, ValueStr);
- return EFI_NOT_FOUND;
- }
-
- Status = mConstructPolicyEntryIndexer[DataType] (&Context.Indexer, ParamPackage);
- if (!EFI_ERROR (Status)) {
- Context.DataType = DataType;
- Context.Status = EFI_NOT_FOUND;
- ForeachPolicyEntry (DataType, (VISIT_POLICY_ENTRY) DeletePolicyEntry, &Context);
- Status = Context.Status;
-
- if (Status == EFI_NOT_FOUND) {
- ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_INDEX_NOT_FOUND), mHiiHandle, mAppName, ValueStr);
- } else if (EFI_ERROR (Status)) {
- ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_DELETE_FAILED), mHiiHandle, mAppName);
- }
- }
- }
-
- return Status;
-}
diff --git a/NetworkPkg/Application/IpsecConfig/Delete.h b/NetworkPkg/Application/IpsecConfig/Delete.h deleted file mode 100644 index 35665b87d4..0000000000 --- a/NetworkPkg/Application/IpsecConfig/Delete.h +++ /dev/null @@ -1,36 +0,0 @@ -/** @file
- The internal structure and function declaration of delete policy entry function
- in IpSecConfig application.
-
- Copyright (c) 2009 - 2010, Intel Corporation. All rights reserved.<BR>
-
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#ifndef __DELETE_H_
-#define __DELETE_H_
-
-typedef struct {
- EFI_IPSEC_CONFIG_DATA_TYPE DataType;
- POLICY_ENTRY_INDEXER Indexer;
- EFI_STATUS Status; //Indicate whether deletion succeeds.
-} DELETE_POLICY_ENTRY_CONTEXT;
-
-/**
- Flush or delete entry information in the database according to datatype.
-
- @param[in] DataType The value of EFI_IPSEC_CONFIG_DATA_TYPE.
- @param[in] ParamPackage The pointer to the ParamPackage list.
-
- @retval EFI_SUCCESS Delete entry information successfully.
- @retval EFI_NOT_FOUND Can't find the specified entry.
- @retval Others Some mistaken case.
-**/
-EFI_STATUS
-FlushOrDeletePolicyEntry (
- IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,
- IN LIST_ENTRY *ParamPackage
- );
-
-#endif
diff --git a/NetworkPkg/Application/IpsecConfig/Dump.c b/NetworkPkg/Application/IpsecConfig/Dump.c deleted file mode 100644 index cc88cf36e5..0000000000 --- a/NetworkPkg/Application/IpsecConfig/Dump.c +++ /dev/null @@ -1,573 +0,0 @@ -/** @file
- The implementation of dump policy entry function in IpSecConfig application.
-
- Copyright (c) 2009 - 2011, Intel Corporation. All rights reserved.<BR>
-
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#include "IpSecConfig.h"
-#include "Dump.h"
-#include "ForEach.h"
-#include "Helper.h"
-
-/**
- Private function called to get the version infomation from an EFI_IP_ADDRESS_INFO structure.
-
- @param[in] AddressInfo The pointer to the EFI_IP_ADDRESS_INFO structure.
-
- @return the value of version.
-**/
-UINTN
-GetVerFromAddrInfo (
- IN EFI_IP_ADDRESS_INFO *AddressInfo
-)
-{
- if((AddressInfo->PrefixLength <= 32) && (AddressInfo->Address.Addr[1] == 0) &&
- (AddressInfo->Address.Addr[2] == 0) && (AddressInfo->Address.Addr[3] == 0)) {
- return IP_VERSION_4;
- } else {
- return IP_VERSION_6;
- }
-}
-
-/**
- Private function called to get the version information from a EFI_IP_ADDRESS structure.
-
- @param[in] Address The pointer to the EFI_IP_ADDRESS structure.
-
- @return The value of the version.
-**/
-UINTN
-GetVerFromIpAddr (
- IN EFI_IP_ADDRESS *Address
-)
-{
- if ((Address->Addr[1] == 0) && (Address->Addr[2] == 0) && (Address->Addr[3] == 0)) {
- return IP_VERSION_4;
- } else {
- return IP_VERSION_6;
- }
-}
-
-/**
- Private function called to print an ASCII string in unicode char format.
-
- @param[in] Str The pointer to the ASCII string.
- @param[in] Length The value of the ASCII string length.
-**/
-VOID
-DumpAsciiString (
- IN CHAR8 *Str,
- IN UINTN Length
- )
-{
- UINTN Index;
- Print (L"\"");
- for (Index = 0; Index < Length; Index++) {
- Print (L"%c", (CHAR16) Str[Index]);
- }
- Print (L"\"");
-}
-
-/**
- Private function called to print a buffer in Hex format.
-
- @param[in] Data The pointer to the buffer.
- @param[in] Length The size of the buffer.
-
-**/
-VOID
-DumpBuf (
- IN UINT8 *Data,
- IN UINTN Length
- )
-{
- UINTN Index;
- for (Index = 0; Index < Length; Index++) {
- Print (L"%02x ", Data[Index]);
- }
-}
-
-/**
- Private function called to print EFI_IP_ADDRESS_INFO content.
-
- @param[in] AddressInfo The pointer to the EFI_IP_ADDRESS_INFO structure.
-**/
-VOID
-DumpAddressInfo (
- IN EFI_IP_ADDRESS_INFO *AddressInfo
- )
-{
- if (IP_VERSION_4 == GetVerFromAddrInfo (AddressInfo)) {
- Print (
- L"%d.%d.%d.%d",
- (UINTN) AddressInfo->Address.v4.Addr[0],
- (UINTN) AddressInfo->Address.v4.Addr[1],
- (UINTN) AddressInfo->Address.v4.Addr[2],
- (UINTN) AddressInfo->Address.v4.Addr[3]
- );
- if (AddressInfo->PrefixLength != 32) {
- Print (L"/%d", (UINTN) AddressInfo->PrefixLength);
- }
- }
-
- if (IP_VERSION_6 == GetVerFromAddrInfo (AddressInfo)) {
- Print (
- L"%x:%x:%x:%x:%x:%x:%x:%x",
- (((UINT16) AddressInfo->Address.v6.Addr[0]) << 8) | ((UINT16) AddressInfo->Address.v6.Addr[1]),
- (((UINT16) AddressInfo->Address.v6.Addr[2]) << 8) | ((UINT16) AddressInfo->Address.v6.Addr[3]),
- (((UINT16) AddressInfo->Address.v6.Addr[4]) << 8) | ((UINT16) AddressInfo->Address.v6.Addr[5]),
- (((UINT16) AddressInfo->Address.v6.Addr[6]) << 8) | ((UINT16) AddressInfo->Address.v6.Addr[7]),
- (((UINT16) AddressInfo->Address.v6.Addr[8]) << 8) | ((UINT16) AddressInfo->Address.v6.Addr[9]),
- (((UINT16) AddressInfo->Address.v6.Addr[10]) << 8) | ((UINT16) AddressInfo->Address.v6.Addr[11]),
- (((UINT16) AddressInfo->Address.v6.Addr[12]) << 8) | ((UINT16) AddressInfo->Address.v6.Addr[13]),
- (((UINT16) AddressInfo->Address.v6.Addr[14]) << 8) | ((UINT16) AddressInfo->Address.v6.Addr[15])
- );
- if (AddressInfo->PrefixLength != 128) {
- Print (L"/%d", AddressInfo->PrefixLength);
- }
- }
-}
-
-/**
- Private function called to print EFI_IP_ADDRESS content.
-
- @param[in] IpAddress The pointer to the EFI_IP_ADDRESS structure.
-**/
-VOID
-DumpIpAddress (
- IN EFI_IP_ADDRESS *IpAddress
- )
-{
- if (IP_VERSION_4 == GetVerFromIpAddr (IpAddress)) {
- Print (
- L"%d.%d.%d.%d",
- (UINTN) IpAddress->v4.Addr[0],
- (UINTN) IpAddress->v4.Addr[1],
- (UINTN) IpAddress->v4.Addr[2],
- (UINTN) IpAddress->v4.Addr[3]
- );
- }
-
- if (IP_VERSION_6 == GetVerFromIpAddr (IpAddress)) {
- Print (
- L"%x:%x:%x:%x:%x:%x:%x:%x",
- (((UINT16) IpAddress->v6.Addr[0]) << 8) | ((UINT16) IpAddress->v6.Addr[1]),
- (((UINT16) IpAddress->v6.Addr[2]) << 8) | ((UINT16) IpAddress->v6.Addr[3]),
- (((UINT16) IpAddress->v6.Addr[4]) << 8) | ((UINT16) IpAddress->v6.Addr[5]),
- (((UINT16) IpAddress->v6.Addr[6]) << 8) | ((UINT16) IpAddress->v6.Addr[7]),
- (((UINT16) IpAddress->v6.Addr[8]) << 8) | ((UINT16) IpAddress->v6.Addr[9]),
- (((UINT16) IpAddress->v6.Addr[10]) << 8) | ((UINT16) IpAddress->v6.Addr[11]),
- (((UINT16) IpAddress->v6.Addr[12]) << 8) | ((UINT16) IpAddress->v6.Addr[13]),
- (((UINT16) IpAddress->v6.Addr[14]) << 8) | ((UINT16) IpAddress->v6.Addr[15])
- );
- }
-
-}
-
-/**
- Private function called to print EFI_IPSEC_SPD_SELECTOR content.
-
- @param[in] Selector The pointer to the EFI_IPSEC_SPD_SELECTOR structure.
-**/
-VOID
-DumpSpdSelector (
- IN EFI_IPSEC_SPD_SELECTOR *Selector
- )
-{
- UINT32 Index;
- CHAR16 *Str;
-
- for (Index = 0; Index < Selector->LocalAddressCount; Index++) {
- if (Index > 0) {
- Print (L",");
- }
-
- DumpAddressInfo (&Selector->LocalAddress[Index]);
- }
-
- if (Index == 0) {
- Print (L"localhost");
- }
-
- Print (L" -> ");
-
- for (Index = 0; Index < Selector->RemoteAddressCount; Index++) {
- if (Index > 0) {
- Print (L",");
- }
-
- DumpAddressInfo (&Selector->RemoteAddress[Index]);
- }
-
- Str = MapIntegerToString (Selector->NextLayerProtocol, mMapIpProtocol);
- if (Str != NULL) {
- Print (L" %s", Str);
- } else {
- Print (L" proto:%d", (UINTN) Selector->NextLayerProtocol);
- }
-
- if ((Selector->NextLayerProtocol == EFI_IP4_PROTO_TCP) || (Selector->NextLayerProtocol == EFI_IP4_PROTO_UDP)) {
- Print (L" port:");
- if (Selector->LocalPort != EFI_IPSEC_ANY_PORT) {
- Print (L"%d", Selector->LocalPort);
- if (Selector->LocalPortRange != 0) {
- Print (L"~%d", (UINTN) Selector->LocalPort + Selector->LocalPortRange);
- }
- } else {
- Print (L"any");
- }
-
- Print (L" -> ");
- if (Selector->RemotePort != EFI_IPSEC_ANY_PORT) {
- Print (L"%d", Selector->RemotePort);
- if (Selector->RemotePortRange != 0) {
- Print (L"~%d", (UINTN) Selector->RemotePort + Selector->RemotePortRange);
- }
- } else {
- Print (L"any");
- }
- } else if (Selector->NextLayerProtocol == EFI_IP4_PROTO_ICMP) {
- Print (L" class/code:");
- if (Selector->LocalPort != 0) {
- Print (L"%d", (UINTN) (UINT8) Selector->LocalPort);
- } else {
- Print (L"any");
- }
-
- Print (L"/");
- if (Selector->RemotePort != 0) {
- Print (L"%d", (UINTN) (UINT8) Selector->RemotePort);
- } else {
- Print (L"any");
- }
- }
-}
-
-/**
- Print EFI_IPSEC_SPD_SELECTOR and EFI_IPSEC_SPD_DATA content.
-
- @param[in] Selector The pointer to the EFI_IPSEC_SPD_SELECTOR structure.
- @param[in] Data The pointer to the EFI_IPSEC_SPD_DATA structure.
- @param[in] EntryIndex The pointer to the Index in SPD Database.
-
- @retval EFI_SUCCESS Dump SPD information successfully.
-**/
-EFI_STATUS
-DumpSpdEntry (
- IN EFI_IPSEC_SPD_SELECTOR *Selector,
- IN EFI_IPSEC_SPD_DATA *Data,
- IN UINTN *EntryIndex
- )
-{
- BOOLEAN HasPre;
- CHAR16 DataName[128];
- CHAR16 *String1;
- CHAR16 *String2;
- CHAR16 *String3;
- UINT8 Index;
-
- Print (L"%d.", (*EntryIndex)++);
-
- //
- // xxx.xxx.xxx.xxx/yy -> xxx.xxx.xxx.xx/yy proto:23 port:100~300 -> 300~400
- // Protect PF:0x34323423 Name:First Entry
- // ext-sequence sequence-overflow fragcheck life:[B0,S1024,H3600]
- // ESP algo1 algo2 Tunnel [xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx set]
- //
-
- DumpSpdSelector (Selector);
- Print (L"\n ");
-
- Print (L"%s ", MapIntegerToString (Data->Action, mMapIpSecAction));
- Print (L"PF:%08x ", Data->PackageFlag);
-
- Index = 0;
- while (Data->Name[Index] != 0) {
- DataName[Index] = (CHAR16) Data->Name[Index];
- Index++;
- ASSERT (Index < 128);
- }
- DataName[Index] = L'\0';
-
- Print (L"Name:%s", DataName);
-
- if (Data->Action == EfiIPsecActionProtect) {
- Print (L"\n ");
- if (Data->ProcessingPolicy->ExtSeqNum) {
- Print (L"ext-sequence ");
- }
-
- if (Data->ProcessingPolicy->SeqOverflow) {
- Print (L"sequence-overflow ");
- }
-
- if (Data->ProcessingPolicy->FragCheck) {
- Print (L"fragment-check ");
- }
-
- HasPre = FALSE;
- if (Data->ProcessingPolicy->SaLifetime.ByteCount != 0) {
- Print (HasPre ? L"," : L"life:[");
- Print (L"%lxB", Data->ProcessingPolicy->SaLifetime.ByteCount);
- HasPre = TRUE;
- }
-
- if (Data->ProcessingPolicy->SaLifetime.SoftLifetime != 0) {
- Print (HasPre ? L"," : L"life:[");
- Print (L"%lxs", Data->ProcessingPolicy->SaLifetime.SoftLifetime);
- HasPre = TRUE;
- }
-
- if (Data->ProcessingPolicy->SaLifetime.HardLifetime != 0) {
- Print (HasPre ? L"," : L"life:[");
- Print (L"%lxS", Data->ProcessingPolicy->SaLifetime.HardLifetime);
- HasPre = TRUE;
- }
-
- if (HasPre) {
- Print (L"]");
- }
-
- if (HasPre || Data->ProcessingPolicy->ExtSeqNum ||
- Data->ProcessingPolicy->SeqOverflow || Data->ProcessingPolicy->FragCheck) {
- Print (L"\n ");
- }
-
- String1 = MapIntegerToString (Data->ProcessingPolicy->Proto, mMapIpSecProtocol);
- String2 = MapIntegerToString (Data->ProcessingPolicy->AuthAlgoId, mMapAuthAlgo);
- String3 = MapIntegerToString (Data->ProcessingPolicy->EncAlgoId, mMapEncAlgo);
- Print (
- L"%s Auth:%s Encrypt:%s ",
- String1,
- String2,
- String3
- );
-
- Print (L"%s ", MapIntegerToString (Data->ProcessingPolicy->Mode, mMapIpSecMode));
- if (Data->ProcessingPolicy->Mode == EfiIPsecTunnel) {
- Print (L"[");
- DumpIpAddress (&Data->ProcessingPolicy->TunnelOption->LocalTunnelAddress);
- Print (L" -> ");
- DumpIpAddress (&Data->ProcessingPolicy->TunnelOption->RemoteTunnelAddress);
- Print (L" %s]", MapIntegerToString (Data->ProcessingPolicy->TunnelOption->DF, mMapDfOption));
- }
- }
-
- Print (L"\n");
-
- return EFI_SUCCESS;
-}
-
-/**
- Print EFI_IPSEC_SA_ID and EFI_IPSEC_SA_DATA2 content.
-
- @param[in] SaId The pointer to the EFI_IPSEC_SA_ID structure.
- @param[in] Data The pointer to the EFI_IPSEC_SA_DATA2 structure.
- @param[in] EntryIndex The pointer to the Index in the SAD Database.
-
- @retval EFI_SUCCESS Dump SAD information successfully.
-**/
-EFI_STATUS
-DumpSadEntry (
- IN EFI_IPSEC_SA_ID *SaId,
- IN EFI_IPSEC_SA_DATA2 *Data,
- IN UINTN *EntryIndex
- )
-{
- BOOLEAN HasPre;
- CHAR16 *AuthAlgoStr;
- CHAR16 *EncAlgoStr;
-
- AuthAlgoStr = NULL;
- EncAlgoStr = NULL;
-
- //
- // SPI:1234 ESP Destination:xxx.xxx.xxx.xxx
- // Mode:Transport SeqNum:134 AntiReplayWin:64 life:[0B,1023s,3400S] PathMTU:34
- // Auth:xxxx/password Encrypt:yyyy/password
- // xxx.xxx.xxx.xxx/yy -> xxx.xxx.xxx.xx/yy proto:23 port:100~300 -> 300~400
- //
-
- Print (L"%d.", (*EntryIndex)++);
- Print (L"0x%x %s ", (UINTN) SaId->Spi, MapIntegerToString (SaId->Proto, mMapIpSecProtocol));
- if (Data->Mode == EfiIPsecTunnel) {
- Print (L"TunnelSourceAddress:");
- DumpIpAddress (&Data->TunnelSourceAddress);
- Print (L"\n");
- Print (L" TunnelDestination:");
- DumpIpAddress (&Data->TunnelDestinationAddress);
- Print (L"\n");
- }
-
- Print (
- L" Mode:%s SeqNum:%lx AntiReplayWin:%d ",
- MapIntegerToString (Data->Mode, mMapIpSecMode),
- Data->SNCount,
- (UINTN) Data->AntiReplayWindows
- );
-
- HasPre = FALSE;
- if (Data->SaLifetime.ByteCount != 0) {
- Print (HasPre ? L"," : L"life:[");
- Print (L"%lxB", Data->SaLifetime.ByteCount);
- HasPre = TRUE;
- }
-
- if (Data->SaLifetime.SoftLifetime != 0) {
- Print (HasPre ? L"," : L"life:[");
- Print (L"%lxs", Data->SaLifetime.SoftLifetime);
- HasPre = TRUE;
- }
-
- if (Data->SaLifetime.HardLifetime != 0) {
- Print (HasPre ? L"," : L"life:[");
- Print (L"%lxS", Data->SaLifetime.HardLifetime);
- HasPre = TRUE;
- }
-
- if (HasPre) {
- Print (L"] ");
- }
-
- Print (L"PathMTU:%d\n", (UINTN) Data->PathMTU);
-
- if (SaId->Proto == EfiIPsecAH) {
- Print (
- L" Auth:%s/%s\n",
- MapIntegerToString (Data->AlgoInfo.AhAlgoInfo.AuthAlgoId, mMapAuthAlgo),
- Data->AlgoInfo.AhAlgoInfo.AuthKey
- );
- } else {
- AuthAlgoStr = MapIntegerToString (Data->AlgoInfo.EspAlgoInfo.AuthAlgoId, mMapAuthAlgo);
- EncAlgoStr = MapIntegerToString (Data->AlgoInfo.EspAlgoInfo.EncAlgoId, mMapEncAlgo);
-
- if (Data->ManualSet) {
- //
- // if the SAD is set manually the key is a Ascii string in most of time.
- // Print the Key in Ascii string format.
- //
- Print (L" Auth:%s/",AuthAlgoStr);
- DumpAsciiString (
- Data->AlgoInfo.EspAlgoInfo.AuthKey,
- Data->AlgoInfo.EspAlgoInfo.AuthKeyLength
- );
- Print (L"\n Encrypt:%s/",EncAlgoStr);
- DumpAsciiString (
- Data->AlgoInfo.EspAlgoInfo.EncKey,
- Data->AlgoInfo.EspAlgoInfo.EncKeyLength
- );
- } else {
- //
- // if the SAD is created by IKE, the key is a set of hex value in buffer.
- // Print the Key in Hex format.
- //
- Print (L" Auth:%s/",AuthAlgoStr);
- DumpBuf ((UINT8 *)(Data->AlgoInfo.EspAlgoInfo.AuthKey), Data->AlgoInfo.EspAlgoInfo.AuthKeyLength);
-
- Print (L"\n Encrypt:%s/",EncAlgoStr);
- DumpBuf ((UINT8 *)(Data->AlgoInfo.EspAlgoInfo.EncKey), Data->AlgoInfo.EspAlgoInfo.EncKeyLength);
- }
- }
- Print (L"\n");
- if (Data->SpdSelector != NULL) {
- Print (L" ");
- DumpSpdSelector (Data->SpdSelector);
- Print (L"\n");
- }
-
- return EFI_SUCCESS;
-}
-
-/**
- Print EFI_IPSEC_PAD_ID and EFI_IPSEC_PAD_DATA content.
-
- @param[in] PadId The pointer to the EFI_IPSEC_PAD_ID structure.
- @param[in] Data The pointer to the EFI_IPSEC_PAD_DATA structure.
- @param[in] EntryIndex The pointer to the Index in the PAD Database.
-
- @retval EFI_SUCCESS Dump PAD information successfully.
-**/
-EFI_STATUS
-DumpPadEntry (
- IN EFI_IPSEC_PAD_ID *PadId,
- IN EFI_IPSEC_PAD_DATA *Data,
- IN UINTN *EntryIndex
- )
-{
- CHAR16 *String1;
- CHAR16 *String2;
-
- //
- // ADDR:10.23.17.34/15
- // IDEv1 PreSharedSecret IKE-ID
- // password
- //
-
- Print (L"%d.", (*EntryIndex)++);
-
- if (PadId->PeerIdValid) {
- Print (L"ID:%s", PadId->Id.PeerId);
- } else {
- Print (L"ADDR:");
- DumpAddressInfo (&PadId->Id.IpAddress);
- }
-
- Print (L"\n");
-
- String1 = MapIntegerToString (Data->AuthProtocol, mMapAuthProto);
- String2 = MapIntegerToString (Data->AuthMethod, mMapAuthMethod);
- Print (
- L" %s %s",
- String1,
- String2
- );
-
- if (Data->IkeIdFlag) {
- Print (L"IKE-ID");
- }
-
- Print (L"\n");
-
- if (Data->AuthData != NULL) {
- DumpAsciiString (Data->AuthData, Data->AuthDataSize);
- Print (L"\n");
- }
-
- if (Data->RevocationData != NULL) {
- Print (L" %s\n", Data->RevocationData);
- }
-
- return EFI_SUCCESS;
-
-}
-
-VISIT_POLICY_ENTRY mDumpPolicyEntry[] = {
- (VISIT_POLICY_ENTRY) DumpSpdEntry,
- (VISIT_POLICY_ENTRY) DumpSadEntry,
- (VISIT_POLICY_ENTRY) DumpPadEntry
-};
-
-/**
- Print all entry information in the database according to datatype.
-
- @param[in] DataType The value of EFI_IPSEC_CONFIG_DATA_TYPE.
- @param[in] ParamPackage The pointer to the ParamPackage list.
-
- @retval EFI_SUCCESS Dump all information successfully.
- @retval Others Some mistaken case.
-**/
-EFI_STATUS
-ListPolicyEntry (
- IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,
- IN LIST_ENTRY *ParamPackage
- )
-{
- UINTN EntryIndex;
-
- EntryIndex = 0;
- return ForeachPolicyEntry (DataType, mDumpPolicyEntry[DataType], &EntryIndex);
-}
-
diff --git a/NetworkPkg/Application/IpsecConfig/Dump.h b/NetworkPkg/Application/IpsecConfig/Dump.h deleted file mode 100644 index 44ed7aa6e9..0000000000 --- a/NetworkPkg/Application/IpsecConfig/Dump.h +++ /dev/null @@ -1,28 +0,0 @@ -/** @file
- The function declaration of dump policy entry function in IpSecConfig application.
-
- Copyright (c) 2009 - 2010, Intel Corporation. All rights reserved.<BR>
-
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#ifndef _DUMP_H_
-#define _DUMP_H_
-
-/**
- Print all entry information in the database according to datatype.
-
- @param[in] DataType The value of EFI_IPSEC_CONFIG_DATA_TYPE.
- @param[in] ParamPackage The pointer to the ParamPackage list.
-
- @retval EFI_SUCCESS Dump all information successfully.
- @retval Others Some mistaken case.
-**/
-EFI_STATUS
-ListPolicyEntry (
- IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,
- IN LIST_ENTRY *ParamPackage
- );
-
-#endif
diff --git a/NetworkPkg/Application/IpsecConfig/ForEach.c b/NetworkPkg/Application/IpsecConfig/ForEach.c deleted file mode 100644 index 6d82ee292b..0000000000 --- a/NetworkPkg/Application/IpsecConfig/ForEach.c +++ /dev/null @@ -1,109 +0,0 @@ -/** @file
- The implementation to go through each entry in IpSecConfig application.
-
- Copyright (c) 2009 - 2010, Intel Corporation. All rights reserved.<BR>
-
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#include "IpSecConfig.h"
-#include "ForEach.h"
-
-
-/**
- Enumerate all entries in the database to execute specified operations according to datatype.
-
- @param[in] DataType The value of EFI_IPSEC_CONFIG_DATA_TYPE.
- @param[in] Routine The pointer to the function of a specified operation.
- @param[in] Context The pointer to the context of a function.
-
- @retval EFI_SUCCESS Execute specified operation successfully.
-**/
-EFI_STATUS
-ForeachPolicyEntry (
- IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,
- IN VISIT_POLICY_ENTRY Routine,
- IN VOID *Context
- )
-{
- EFI_STATUS GetNextStatus;
- EFI_STATUS GetDataStatus;
- EFI_IPSEC_CONFIG_SELECTOR *Selector;
- VOID *Data;
- UINTN SelectorSize;
- UINTN DataSize;
- BOOLEAN FirstGetNext;
-
- FirstGetNext = TRUE;
- SelectorSize = sizeof (EFI_IPSEC_CONFIG_SELECTOR);
- Selector = AllocateZeroPool (SelectorSize);
-
- DataSize = 0;
- Data = NULL;
-
- while (TRUE) {
- GetNextStatus = mIpSecConfig->GetNextSelector (
- mIpSecConfig,
- DataType,
- &SelectorSize,
- Selector
- );
- if (GetNextStatus == EFI_BUFFER_TOO_SMALL) {
- gBS->FreePool (Selector);
- Selector = FirstGetNext ? AllocateZeroPool (SelectorSize) : AllocatePool (SelectorSize);
-
- GetNextStatus = mIpSecConfig->GetNextSelector (
- mIpSecConfig,
- DataType,
- &SelectorSize,
- Selector
- );
- }
-
- if (EFI_ERROR (GetNextStatus)) {
- break;
- }
-
- FirstGetNext = FALSE;
-
- GetDataStatus = mIpSecConfig->GetData (
- mIpSecConfig,
- DataType,
- Selector,
- &DataSize,
- Data
- );
- if (GetDataStatus == EFI_BUFFER_TOO_SMALL) {
- if (Data != NULL) {
- gBS->FreePool (Data);
- }
-
- Data = AllocateZeroPool (DataSize);
- GetDataStatus = mIpSecConfig->GetData (
- mIpSecConfig,
- DataType,
- Selector,
- &DataSize,
- Data
- );
- }
-
- ASSERT_EFI_ERROR (GetDataStatus);
-
- if (EFI_ERROR (Routine (Selector, Data, Context))) {
- break;
- }
- }
-
- if (Data != NULL) {
- gBS->FreePool (Data);
- }
-
- if (Selector != NULL) {
- gBS->FreePool (Selector);
- }
-
- return EFI_SUCCESS;
-}
-
diff --git a/NetworkPkg/Application/IpsecConfig/ForEach.h b/NetworkPkg/Application/IpsecConfig/ForEach.h deleted file mode 100644 index a69dd35619..0000000000 --- a/NetworkPkg/Application/IpsecConfig/ForEach.h +++ /dev/null @@ -1,48 +0,0 @@ -/** @file
- The internal structure and function declaration of the implementation
- to go through each entry in IpSecConfig application.
-
- Copyright (c) 2009 - 2010, Intel Corporation. All rights reserved.<BR>
-
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#ifndef _FOREACH_H_
-#define _FOREACH_H_
-
-/**
- The prototype for the DumpSpdEntry()/DumpSadEntry()/DumpPadEntry().
- Print EFI_IPSEC_CONFIG_SELECTOR and corresponding content.
-
- @param[in] Selector The pointer to the EFI_IPSEC_CONFIG_SELECTOR union.
- @param[in] Data The pointer to the corresponding data.
- @param[in] Context The pointer to the Index in SPD/SAD/PAD Database.
-
- @retval EFI_SUCCESS Dump SPD/SAD/PAD information successfully.
-**/
-typedef
-EFI_STATUS
-(*VISIT_POLICY_ENTRY) (
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector,
- IN VOID *Data,
- IN VOID *Context
- );
-
-/**
- Enumerate all entry in the database to execute a specified operation according to datatype.
-
- @param[in] DataType The value of EFI_IPSEC_CONFIG_DATA_TYPE.
- @param[in] Routine The pointer to function of a specified operation.
- @param[in] Context The pointer to the context of a function.
-
- @retval EFI_SUCCESS Execute specified operation successfully.
-**/
-EFI_STATUS
-ForeachPolicyEntry (
- IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,
- IN VISIT_POLICY_ENTRY Routine,
- IN VOID *Context
- );
-
-#endif
diff --git a/NetworkPkg/Application/IpsecConfig/Helper.c b/NetworkPkg/Application/IpsecConfig/Helper.c deleted file mode 100644 index 51718cbbbc..0000000000 --- a/NetworkPkg/Application/IpsecConfig/Helper.c +++ /dev/null @@ -1,414 +0,0 @@ -/** @file
- The assistant function implementation for IpSecConfig application.
-
- Copyright (c) 2009 - 2012, Intel Corporation. All rights reserved.<BR>
-
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#include "IpSecConfig.h"
-#include "Helper.h"
-
-/**
- Helper function called to change an input parameter in the string format to a number.
-
- @param[in] FlagStr The pointer to the flag string.
- @param[in] Maximum Greatest value number.
- @param[in, out] ValuePtr The pointer to the input parameter in string format.
- @param[in] ByteCount The valid byte count
- @param[in] Map The pointer to the STR2INT table.
- @param[in] ParamPackage The pointer to the ParamPackage list.
- @param[in] FormatMask The bit mask.
- BIT 0 set indicates the value of a flag might be a number.
- BIT 1 set indicates the value of a flag might be a string that needs to be looked up.
-
- @retval EFI_SUCCESS The operation completed successfully.
- @retval EFI_NOT_FOUND The input parameter can't be found.
- @retval EFI_INVALID_PARAMETER The input parameter is an invalid input.
-**/
-EFI_STATUS
-GetNumber (
- IN CHAR16 *FlagStr,
- IN UINT64 Maximum,
- IN OUT VOID *ValuePtr,
- IN UINTN ByteCount,
- IN STR2INT *Map,
- IN LIST_ENTRY *ParamPackage,
- IN UINT32 FormatMask
- )
-{
- EFI_STATUS Status;
- UINT64 Value64;
- BOOLEAN Converted;
- UINTN Index;
- CONST CHAR16 *ValueStr;
-
- ASSERT (FormatMask & (FORMAT_NUMBER | FORMAT_STRING));
-
- Converted = FALSE;
- Value64 = 0;
- ValueStr = ShellCommandLineGetValue (ParamPackage, FlagStr);
-
- if (ValueStr == NULL) {
- return EFI_NOT_FOUND;
- } else {
- //
- // Try to convert to integer directly if MaybeNumber is TRUE.
- //
- if ((FormatMask & FORMAT_NUMBER) != 0) {
- Value64 = StrToUInteger (ValueStr, &Status);
- if (!EFI_ERROR (Status)) {
- //
- // Convert successfully.
- //
- if (Value64 > Maximum) {
- //
- // But the result is invalid
- //
- ShellPrintHiiEx (
- -1,
- -1,
- NULL,
- STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE),
- mHiiHandle,
- mAppName,
- FlagStr,
- ValueStr
- );
- return EFI_INVALID_PARAMETER;
- }
-
- Converted = TRUE;
- }
- }
-
- if (!Converted && ((FormatMask & FORMAT_STRING) != 0)) {
- //
- // Convert falied, so use String->Integer map.
- //
- ASSERT (Map != NULL);
- Value64 = MapStringToInteger (ValueStr, Map);
- if (Value64 == (UINT32) -1) {
- //
- // Cannot find the string in the map.
- //
- ShellPrintHiiEx (
- -1,
- -1,
- NULL,
- STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE),
- mHiiHandle,
- mAppName,
- FlagStr,
- ValueStr
- );
- ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_ACCEPT_PARAMETERS), mHiiHandle);
- for (Index = 0; Map[Index].String != NULL; Index++) {
- Print (L" %s", Map[Index].String);
- }
-
- Print (L"\n");
- return EFI_INVALID_PARAMETER;
- }
- }
-
- CopyMem (ValuePtr, &Value64, ByteCount);
- return EFI_SUCCESS;
- }
-}
-
-/**
- Helper function called to convert a string containing an Ipv4 or Ipv6 Internet Protocol address
- into a proper address for the EFI_IP_ADDRESS structure.
-
- @param[in] Ptr The pointer to the string containing an Ipv4 or Ipv6 Internet Protocol address.
- @param[out] Ip The pointer to the EFI_IP_ADDRESS structure to contain the result.
-
- @retval EFI_SUCCESS The operation completed successfully.
- @retval EFI_INVALID_PARAMETER Invalid parameter.
-**/
-EFI_STATUS
-EfiInetAddr2 (
- IN CHAR16 *Ptr,
- OUT EFI_IP_ADDRESS *Ip
- )
-{
- EFI_STATUS Status;
-
- if ((Ptr == NULL) || (Ip == NULL)) {
- return EFI_INVALID_PARAMETER;
- }
-
- //
- // Parse the input address as Ipv4 Address first.
- //
- Status = NetLibStrToIp4 (Ptr, &Ip->v4);
- if (!EFI_ERROR (Status)) {
- return Status;
- }
-
- Status = NetLibStrToIp6 (Ptr, &Ip->v6);
- return Status;
-}
-
-/**
- Helper function called to calculate the prefix length associated with the string
- containing an Ipv4 or Ipv6 Internet Protocol address.
-
- @param[in] Ptr The pointer to the string containing an Ipv4 or Ipv6 Internet Protocol address.
- @param[out] Addr The pointer to the EFI_IP_ADDRESS_INFO structure to contain the result.
-
- @retval EFI_SUCCESS The operation completed successfully.
- @retval EFI_INVALID_PARAMETER Invalid parameter.
- @retval Others Other mistake case.
-**/
-EFI_STATUS
-EfiInetAddrRange (
- IN CHAR16 *Ptr,
- OUT EFI_IP_ADDRESS_INFO *Addr
- )
-{
- EFI_STATUS Status;
-
- if ((Ptr == NULL) || (Addr == NULL)) {
- return EFI_INVALID_PARAMETER;
- }
-
- Status = NetLibStrToIp4 (Ptr, &Addr->Address.v4);
- if (!EFI_ERROR (Status)) {
- if ((UINT32)(*Addr->Address.v4.Addr) == 0) {
- Addr->PrefixLength = 0;
- } else {
- Addr->PrefixLength = 32;
- }
- return Status;
- }
-
- Status = NetLibStrToIp6andPrefix (Ptr, &Addr->Address.v6, &Addr->PrefixLength);
- if (!EFI_ERROR (Status) && (Addr->PrefixLength == 0xFF)) {
- Addr->PrefixLength = 128;
- }
-
- return Status;
-}
-
-/**
- Helper function called to calculate the port range associated with the string.
-
- @param[in] Ptr The pointer to the string containing a port and range.
- @param[out] Port The pointer to the Port to contain the result.
- @param[out] PortRange The pointer to the PortRange to contain the result.
-
- @retval EFI_SUCCESS The operation completed successfully.
- @retval EFI_INVALID_PARAMETER Invalid parameter.
- @retval Others Other mistake case.
-**/
-EFI_STATUS
-EfiInetPortRange (
- IN CHAR16 *Ptr,
- OUT UINT16 *Port,
- OUT UINT16 *PortRange
- )
-{
- CHAR16 *BreakPtr;
- CHAR16 Ch;
- EFI_STATUS Status;
-
- for (BreakPtr = Ptr; (*BreakPtr != L'\0') && (*BreakPtr != L':'); BreakPtr++) {
- ;
- }
-
- Ch = *BreakPtr;
- *BreakPtr = L'\0';
- *Port = (UINT16) StrToUInteger (Ptr, &Status);
- *BreakPtr = Ch;
- if (EFI_ERROR (Status)) {
- return Status;
- }
-
- *PortRange = 0;
- if (*BreakPtr == L':') {
- BreakPtr++;
- *PortRange = (UINT16) StrToUInteger (BreakPtr, &Status);
- if (EFI_ERROR (Status)) {
- return Status;
- }
-
- if (*PortRange < *Port) {
- return EFI_INVALID_PARAMETER;
- }
-
- *PortRange = (UINT16) (*PortRange - *Port);
- }
-
- return EFI_SUCCESS;
-}
-
-/**
- Helper function called to transfer a string to an unsigned integer.
-
- @param[in] Str The pointer to the string.
- @param[out] Status The operation status.
-
- @return The integer value of converted Str.
-**/
-UINT64
-StrToUInteger (
- IN CONST CHAR16 *Str,
- OUT EFI_STATUS *Status
- )
-{
- UINT64 Value;
- UINT64 NewValue;
- CHAR16 *StrTail;
- CHAR16 Char;
- UINTN Base;
- UINTN Len;
-
- Base = 10;
- Value = 0;
- *Status = EFI_ABORTED;
-
- //
- // Skip leading white space.
- //
- while ((*Str != 0) && (*Str == ' ')) {
- Str++;
- }
- //
- // For NULL Str, just return.
- //
- if (*Str == 0) {
- return 0;
- }
- //
- // Skip white space in tail.
- //
- Len = StrLen (Str);
- StrTail = (CHAR16 *) (Str + Len - 1);
- while (*StrTail == ' ') {
- *StrTail = 0;
- StrTail--;
- }
-
- Len = StrTail - Str + 1;
-
- //
- // Check hex prefix '0x'.
- //
- if ((Len >= 2) && (*Str == '0') && ((*(Str + 1) == 'x') || (*(Str + 1) == 'X'))) {
- Str += 2;
- Len -= 2;
- Base = 16;
- }
-
- if (Len == 0) {
- return 0;
- }
- //
- // Convert the string to value.
- //
- for (; Str <= StrTail; Str++) {
-
- Char = *Str;
-
- if (Base == 16) {
- if (RShiftU64 (Value, 60) != 0) {
- //
- // Overflow here x16.
- //
- return 0;
- }
-
- NewValue = LShiftU64 (Value, 4);
- } else {
- if (RShiftU64 (Value, 61) != 0) {
- //
- // Overflow here x8.
- //
- return 0;
- }
-
- NewValue = LShiftU64 (Value, 3);
- Value = LShiftU64 (Value, 1);
- NewValue += Value;
- if (NewValue < Value) {
- //
- // Overflow here.
- //
- return 0;
- }
- }
-
- Value = NewValue;
-
- if ((Base == 16) && (Char >= 'a') && (Char <= 'f')) {
- Char = (CHAR16) (Char - 'a' + 'A');
- }
-
- if ((Base == 16) && (Char >= 'A') && (Char <= 'F')) {
- Value += (Char - 'A') + 10;
- } else if ((Char >= '0') && (Char <= '9')) {
- Value += (Char - '0');
- } else {
- //
- // Unexpected Char encountered.
- //
- return 0;
- }
- }
-
- *Status = EFI_SUCCESS;
- return Value;
-}
-
-/**
- Helper function called to transfer a string to an unsigned integer according to the map table.
-
- @param[in] Str The pointer to the string.
- @param[in] Map The pointer to the map table.
-
- @return The integer value of converted Str. If not found, then return -1.
-**/
-UINT32
-MapStringToInteger (
- IN CONST CHAR16 *Str,
- IN STR2INT *Map
- )
-{
- STR2INT *Item;
-
- for (Item = Map; Item->String != NULL; Item++) {
- if (StrCmp (Item->String, Str) == 0) {
- return Item->Integer;
- }
- }
-
- return (UINT32) -1;
-}
-
-/**
- Helper function called to transfer an unsigned integer to a string according to the map table.
-
- @param[in] Integer The pointer to the string.
- @param[in] Map The pointer to the map table.
-
- @return The converted Str. If not found, then return NULL.
-**/
-CHAR16 *
-MapIntegerToString (
- IN UINT32 Integer,
- IN STR2INT *Map
- )
-{
- STR2INT *Item;
-
- for (Item = Map; Item->String != NULL; Item++) {
- if (Integer == Item->Integer) {
- return Item->String;
- }
- }
-
- return NULL;
-}
diff --git a/NetworkPkg/Application/IpsecConfig/Helper.h b/NetworkPkg/Application/IpsecConfig/Helper.h deleted file mode 100644 index a610bd8515..0000000000 --- a/NetworkPkg/Application/IpsecConfig/Helper.h +++ /dev/null @@ -1,137 +0,0 @@ -/** @file
- The assistant function declaration for IpSecConfig application.
-
- Copyright (c) 2009 - 2010, Intel Corporation. All rights reserved.<BR>
-
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#ifndef _HELPER_H_
-#define _HELPER_H_
-
-#define FORMAT_NUMBER 0x1
-#define FORMAT_STRING 0x2
-
-/**
- Helper function called to change input parameter in string format to number.
-
- @param[in] FlagStr The pointer to the flag string.
- @param[in] Maximum most value number.
- @param[in, out] ValuePtr The pointer to the input parameter in string format.
- @param[in] ByteCount The valid byte count
- @param[in] Map The pointer to the STR2INT table.
- @param[in] ParamPackage The pointer to the ParamPackage list.
- @param[in] FormatMask The bit mask.
- BIT 0 set indicates the value of flag might be number.
- BIT 1 set indicates the value of flag might be a string that needs to be looked up.
-
- @retval EFI_SUCCESS The operation completed successfully.
- @retval EFI_NOT_FOUND The input parameter can't be found.
- @retval EFI_INVALID_PARAMETER The input parameter is an invalid input.
-**/
-EFI_STATUS
-GetNumber (
- IN CHAR16 *FlagStr,
- IN UINT64 Maximum,
- IN OUT VOID *ValuePtr,
- IN UINTN ByteCount,
- IN STR2INT *Map,
- IN LIST_ENTRY *ParamPackage,
- IN UINT32 FormatMask
- );
-
-/**
- Helper function called to convert a string containing an (Ipv4) Internet Protocol dotted address
- into a proper address for the EFI_IP_ADDRESS structure.
-
- @param[in] Ptr The pointer to the string containing an (Ipv4) Internet Protocol dotted address.
- @param[out] Ip The pointer to the Ip address structure to contain the result.
-
- @retval EFI_SUCCESS The operation completed successfully.
- @retval EFI_INVALID_PARAMETER Invalid parameter.
-**/
-EFI_STATUS
-EfiInetAddr2 (
- IN CHAR16 *Ptr,
- OUT EFI_IP_ADDRESS *Ip
- );
-
-/**
- Helper function called to calculate the prefix length associated with the string
- containing an Ipv4 or Ipv6 Internet Protocol address.
-
- @param[in] Ptr The pointer to the string containing an Ipv4 or Ipv6 Internet Protocol address.
- @param[out] Addr The pointer to the EFI_IP_ADDRESS_INFO structure to contain the result.
-
- @retval EFI_SUCCESS The operation completed successfully.
- @retval EFI_INVALID_PARAMETER Invalid parameter.
- @retval Others Other mistake case.
-**/
-EFI_STATUS
-EfiInetAddrRange (
- IN CHAR16 *Ptr,
- OUT EFI_IP_ADDRESS_INFO *Addr
- );
-
-/**
- Helper function called to calculate the port range associated with the string.
-
- @param[in] Ptr The pointer to the string containing a port and range.
- @param[out] Port The pointer to the Port to contain the result.
- @param[out] PortRange The pointer to the PortRange to contain the result.
-
- @retval EFI_SUCCESS The operation completed successfully.
- @retval EFI_INVALID_PARAMETER Invalid parameter.
- @retval Others Other mistake case.
-**/
-EFI_STATUS
-EfiInetPortRange (
- IN CHAR16 *Ptr,
- OUT UINT16 *Port,
- OUT UINT16 *PortRange
- );
-
-/**
- Helper function called to transfer a string to an unsigned integer.
-
- @param[in] Str The pointer to the string.
- @param[out] Status The operation status.
-
- @return The integer value of a converted str.
-**/
-UINT64
-StrToUInteger (
- IN CONST CHAR16 *Str,
- OUT EFI_STATUS *Status
- );
-
-/**
- Helper function called to transfer a string to an unsigned integer according to the map table.
-
- @param[in] Str The pointer to the string.
- @param[in] Map The pointer to the map table.
-
- @return The integer value of converted str. If not found, then return -1.
-**/
-UINT32
-MapStringToInteger (
- IN CONST CHAR16 *Str,
- IN STR2INT *Map
- );
-
-/**
- Helper function called to transfer an unsigned integer to a string according to the map table.
-
- @param[in] Integer The pointer to the string.
- @param[in] Map The pointer to the map table.
-
- @return The converted str. If not found, then return NULL.
-**/
-CHAR16 *
-MapIntegerToString (
- IN UINT32 Integer,
- IN STR2INT *Map
- );
-
-#endif
diff --git a/NetworkPkg/Application/IpsecConfig/Indexer.c b/NetworkPkg/Application/IpsecConfig/Indexer.c deleted file mode 100644 index 37524b0d66..0000000000 --- a/NetworkPkg/Application/IpsecConfig/Indexer.c +++ /dev/null @@ -1,249 +0,0 @@ -/** @file
- The implementation of construct ENTRY_INDEXER in IpSecConfig application.
-
- Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
-
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#include "IpSecConfig.h"
-#include "Indexer.h"
-#include "Helper.h"
-
-/**
- Fill in SPD_ENTRY_INDEXER through ParamPackage list.
-
- @param[in, out] Indexer The pointer to the SPD_ENTRY_INDEXER structure.
- @param[in] ParamPackage The pointer to the ParamPackage list.
-
- @retval EFI_SUCCESS Filled in SPD_ENTRY_INDEXER successfully.
-**/
-EFI_STATUS
-ConstructSpdIndexer (
- IN OUT SPD_ENTRY_INDEXER *Indexer,
- IN LIST_ENTRY *ParamPackage
- )
-{
- EFI_STATUS Status;
- UINT64 Value64;
- CONST CHAR16 *ValueStr;
-
- ValueStr = NULL;
-
- if (ShellCommandLineGetFlag (ParamPackage, L"-i")) {
- ValueStr = ShellCommandLineGetValue (ParamPackage, L"-i");
- } else if (ShellCommandLineGetFlag (ParamPackage, L"-d")) {
- ValueStr = ShellCommandLineGetValue (ParamPackage, L"-d");
- } else if (ShellCommandLineGetFlag (ParamPackage, L"-e")) {
- ValueStr = ShellCommandLineGetValue (ParamPackage, L"-e");
- } else {
- return EFI_INVALID_PARAMETER;
- }
-
- if (ValueStr == NULL) {
- return EFI_INVALID_PARAMETER;
- }
-
- Value64 = StrToUInteger (ValueStr, &Status);
- if (!EFI_ERROR (Status)) {
- Indexer->Index = (UINTN) Value64;
- ZeroMem (Indexer->Name, MAX_PEERID_LEN);
- } else {
- UnicodeStrToAsciiStrS (ValueStr, (CHAR8 *) Indexer->Name, MAX_PEERID_LEN);
- }
-
- return EFI_SUCCESS;
-}
-
-/**
- Fill in SAD_ENTRY_INDEXER through ParamPackage list.
-
- @param[in, out] Indexer The pointer to the SAD_ENTRY_INDEXER structure.
- @param[in] ParamPackage The pointer to the ParamPackage list.
-
- @retval EFI_SUCCESS Filled in SPD_ENTRY_INDEXER successfully.
- @retval EFI_INVALID_PARAMETER The mistaken user input in ParamPackage list.
-**/
-EFI_STATUS
-ConstructSadIndexer (
- IN OUT SAD_ENTRY_INDEXER *Indexer,
- IN LIST_ENTRY *ParamPackage
- )
-{
- EFI_STATUS Status;
- EFI_STATUS Status1;
- UINT64 Value64;
- CONST CHAR16 *ValueStr;
-
- ValueStr = NULL;
-
- if (ShellCommandLineGetFlag (ParamPackage, L"-i")) {
- ValueStr = ShellCommandLineGetValue (ParamPackage, L"-i");
- } else if (ShellCommandLineGetFlag (ParamPackage, L"-d")) {
- ValueStr = ShellCommandLineGetValue (ParamPackage, L"-d");
- } else if (ShellCommandLineGetFlag (ParamPackage, L"-e")) {
- ValueStr = ShellCommandLineGetValue (ParamPackage, L"-e");
- } else {
- return EFI_INVALID_PARAMETER;
- }
-
- if (ValueStr == NULL) {
- return EFI_INVALID_PARAMETER;
- }
-
- Value64 = StrToUInteger (ValueStr, &Status);
- if (!EFI_ERROR (Status)) {
- Indexer->Index = (UINTN) Value64;
- ZeroMem (&Indexer->SaId, sizeof (EFI_IPSEC_SA_ID));
- } else {
- if ((!ShellCommandLineGetFlag (ParamPackage, L"--lookup-spi")) ||
- (!ShellCommandLineGetFlag (ParamPackage, L"--lookup-ipsec-proto")) ||
- (!ShellCommandLineGetFlag (ParamPackage, L"--lookup-dest"))) {
- ShellPrintHiiEx (
- -1,
- -1,
- NULL,
- STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS),
- mHiiHandle,
- mAppName,
- L"--lookup-spi --lookup-ipsec-proto --lookup-dest"
- );
- return EFI_INVALID_PARAMETER;
- }
-
- Status = GetNumber (
- L"--lookup-spi",
- (UINT32) -1,
- &Indexer->SaId.Spi,
- sizeof (UINT32),
- NULL,
- ParamPackage,
- FORMAT_NUMBER
- );
- Status1 = GetNumber (
- L"--lookup-ipsec-proto",
- 0,
- &Indexer->SaId.Proto,
- sizeof (EFI_IPSEC_PROTOCOL_TYPE),
- mMapIpSecProtocol,
- ParamPackage,
- FORMAT_STRING
- );
-
- if (EFI_ERROR (Status) || EFI_ERROR (Status1)) {
- return EFI_INVALID_PARAMETER;
- }
-
- ValueStr = ShellCommandLineGetValue (ParamPackage, L"--lookup-dest");
- ASSERT (ValueStr != NULL);
-
- Status = EfiInetAddr2 ((CHAR16 *) ValueStr, &Indexer->SaId.DestAddress);
- if (EFI_ERROR (Status)) {
- ShellPrintHiiEx (
- -1,
- -1,
- NULL,
- STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE),
- mHiiHandle,
- mAppName,
- L"--lookup-dest",
- ValueStr
- );
- return EFI_INVALID_PARAMETER;
- }
- }
-
- return EFI_SUCCESS;
-}
-
-/**
- Fill in PAD_ENTRY_INDEXER through ParamPackage list.
-
- @param[in, out] Indexer The pointer to the PAD_ENTRY_INDEXER structure.
- @param[in] ParamPackage The pointer to the ParamPackage list.
-
- @retval EFI_SUCCESS Filled in PAD_ENTRY_INDEXER successfully.
- @retval EFI_INVALID_PARAMETER The mistaken user input in ParamPackage list.
-**/
-EFI_STATUS
-ConstructPadIndexer (
- IN OUT PAD_ENTRY_INDEXER *Indexer,
- IN LIST_ENTRY *ParamPackage
- )
-{
- EFI_STATUS Status;
- UINT64 Value64;
- CONST CHAR16 *ValueStr;
-
- ValueStr = NULL;
-
- if (ShellCommandLineGetFlag (ParamPackage, L"-i")) {
- ValueStr = ShellCommandLineGetValue (ParamPackage, L"-i");
- } else if (ShellCommandLineGetFlag (ParamPackage, L"-d")) {
- ValueStr = ShellCommandLineGetValue (ParamPackage, L"-d");
- } else if (ShellCommandLineGetFlag (ParamPackage, L"-e")) {
- ValueStr = ShellCommandLineGetValue (ParamPackage, L"-e");
- } else {
- return EFI_INVALID_PARAMETER;
- }
-
- if (ValueStr == NULL) {
- return EFI_INVALID_PARAMETER;
- }
-
- Value64 = StrToUInteger (ValueStr, &Status);
-
- if (!EFI_ERROR (Status)) {
- Indexer->Index = (UINTN) Value64;
- ZeroMem (&Indexer->PadId, sizeof (EFI_IPSEC_PAD_ID));
- } else {
-
- if (ShellCommandLineGetFlag (ParamPackage, L"--lookup-peer-address")) {
- ValueStr = ShellCommandLineGetValue (ParamPackage, L"--lookup-peer-address");
- ASSERT (ValueStr != NULL);
-
- Indexer->PadId.PeerIdValid = FALSE;
- Status = EfiInetAddrRange ((CHAR16 *) ValueStr, &Indexer->PadId.Id.IpAddress);
- if (EFI_ERROR (Status)) {
- ShellPrintHiiEx (
- -1,
- -1,
- NULL,
- STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE),
- mHiiHandle,
- mAppName,
- L"--lookup-peer-address",
- ValueStr
- );
- return EFI_INVALID_PARAMETER;
- }
- } else {
- ValueStr = ShellCommandLineGetValue (ParamPackage, L"--lookup-peer-id");
- if (ValueStr == NULL) {
- ShellPrintHiiEx (
- -1,
- -1,
- NULL,
- STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS),
- mHiiHandle,
- mAppName,
- L"--lookup-peer-address --lookup-peer-id"
- );
- return EFI_INVALID_PARAMETER;
- }
-
- Indexer->PadId.PeerIdValid = TRUE;
- ZeroMem (Indexer->PadId.Id.PeerId, MAX_PEERID_LEN);
- StrnCpyS ((CHAR16 *) Indexer->PadId.Id.PeerId, MAX_PEERID_LEN / sizeof (CHAR16), ValueStr, MAX_PEERID_LEN / sizeof (CHAR16) - 1);
- }
- }
-
- return EFI_SUCCESS;
-}
-
-CONSTRUCT_POLICY_ENTRY_INDEXER mConstructPolicyEntryIndexer[] = {
- (CONSTRUCT_POLICY_ENTRY_INDEXER) ConstructSpdIndexer,
- (CONSTRUCT_POLICY_ENTRY_INDEXER) ConstructSadIndexer,
- (CONSTRUCT_POLICY_ENTRY_INDEXER) ConstructPadIndexer
-};
diff --git a/NetworkPkg/Application/IpsecConfig/Indexer.h b/NetworkPkg/Application/IpsecConfig/Indexer.h deleted file mode 100644 index b26e931c73..0000000000 --- a/NetworkPkg/Application/IpsecConfig/Indexer.h +++ /dev/null @@ -1,52 +0,0 @@ -/** @file
- The internal structure and function declaration to construct ENTRY_INDEXER in
- IpSecConfig application.
-
- Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.<BR>
-
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#ifndef _INDEXER_H_
-#define _INDEXER_H_
-
-typedef struct {
- UINT8 Name[MAX_PEERID_LEN];
- UINTN Index; // Used only if Name buffer is filled with zero.
-} SPD_ENTRY_INDEXER;
-
-typedef struct {
- EFI_IPSEC_SA_ID SaId;
- UINTN Index;
-} SAD_ENTRY_INDEXER;
-
-typedef struct {
- EFI_IPSEC_PAD_ID PadId;
- UINTN Index;
-} PAD_ENTRY_INDEXER;
-
-typedef union {
- SPD_ENTRY_INDEXER Spd;
- SAD_ENTRY_INDEXER Sad;
- PAD_ENTRY_INDEXER Pad;
-} POLICY_ENTRY_INDEXER;
-
-/**
- The prototype for the ConstructSpdIndexer()/ConstructSadIndexer()/ConstructPadIndexer().
- Fill in SPD_ENTRY_INDEXER/SAD_ENTRY_INDEXER/PAD_ENTRY_INDEXER through ParamPackage list.
-
- @param[in, out] Indexer The pointer to the POLICY_ENTRY_INDEXER union.
- @param[in] ParamPackage The pointer to the ParamPackage list.
-
- @retval EFI_SUCCESS Filled in POLICY_ENTRY_INDEXER successfully.
-**/
-typedef
-EFI_STATUS
-(* CONSTRUCT_POLICY_ENTRY_INDEXER) (
- IN POLICY_ENTRY_INDEXER *Indexer,
- IN LIST_ENTRY *ParamPackage
-);
-
-extern CONSTRUCT_POLICY_ENTRY_INDEXER mConstructPolicyEntryIndexer[];
-#endif
diff --git a/NetworkPkg/Application/IpsecConfig/IpSecConfig.c b/NetworkPkg/Application/IpsecConfig/IpSecConfig.c deleted file mode 100644 index c10394fce5..0000000000 --- a/NetworkPkg/Application/IpsecConfig/IpSecConfig.c +++ /dev/null @@ -1,806 +0,0 @@ -/** @file
- The main process for IpSecConfig application.
-
- Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.<BR>
-
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#include <Library/UefiRuntimeServicesTableLib.h>
-#include <Library/HiiLib.h>
-
-#include <Protocol/IpSec.h>
-
-#include "IpSecConfig.h"
-#include "Dump.h"
-#include "Indexer.h"
-#include "PolicyEntryOperation.h"
-#include "Delete.h"
-#include "Helper.h"
-
-//
-// String token ID of IpSecConfig command help message text.
-//
-GLOBAL_REMOVE_IF_UNREFERENCED EFI_STRING_ID mStringIpSecHelpTokenId = STRING_TOKEN (STR_IPSEC_CONFIG_HELP);
-
-//
-// Used for ShellCommandLineParseEx only
-// and to ensure user inputs are in valid format
-//
-SHELL_PARAM_ITEM mIpSecConfigParamList[] = {
- { L"-p", TypeValue },
- { L"-a", TypeValue },
- { L"-i", TypeValue },
- { L"-e", TypeValue },
- { L"-d", TypeValue },
- { L"-f", TypeFlag },
- { L"-l", TypeFlag },
- { L"-enable", TypeFlag },
- { L"-disable", TypeFlag },
- { L"-status", TypeFlag },
-
- //
- // SPD Selector
- //
- { L"--local", TypeValue },
- { L"--remote", TypeValue },
- { L"--proto", TypeValue },
- { L"--local-port", TypeValue },
- { L"--remote-port", TypeValue },
- { L"--icmp-type", TypeValue },
- { L"--icmp-code", TypeValue },
-
- //
- // SPD Data
- //
- { L"--name", TypeValue },
- { L"--packet-flag", TypeValue },
- { L"--action", TypeValue },
- { L"--lifebyte", TypeValue },
- { L"--lifetime-soft", TypeValue },
- { L"--lifetime", TypeValue },
- { L"--mode", TypeValue },
- { L"--tunnel-local", TypeValue },
- { L"--tunnel-remote", TypeValue },
- { L"--dont-fragment", TypeValue },
- { L"--ipsec-proto", TypeValue },
- { L"--auth-algo", TypeValue },
- { L"--encrypt-algo", TypeValue },
-
- { L"--ext-sequence", TypeFlag },
- { L"--sequence-overflow", TypeFlag },
- { L"--fragment-check", TypeFlag },
- { L"--ext-sequence-", TypeFlag },
- { L"--sequence-overflow-", TypeFlag },
- { L"--fragment-check-", TypeFlag },
-
- //
- // SA ID
- // --ipsec-proto
- //
- { L"--spi", TypeValue },
- { L"--tunnel-dest", TypeValue },
- { L"--tunnel-source", TypeValue },
- { L"--lookup-spi", TypeValue },
- { L"--lookup-ipsec-proto", TypeValue },
- { L"--lookup-dest", TypeValue },
-
- //
- // SA DATA
- // --mode
- // --auth-algo
- // --encrypt-algo
- //
- { L"--sequence-number", TypeValue },
- { L"--antireplay-window", TypeValue },
- { L"--auth-key", TypeValue },
- { L"--encrypt-key", TypeValue },
- { L"--path-mtu", TypeValue },
-
- //
- // PAD ID
- //
- { L"--peer-id", TypeValue },
- { L"--peer-address", TypeValue },
- { L"--auth-proto", TypeValue },
- { L"--auth-method", TypeValue },
- { L"--ike-id", TypeValue },
- { L"--ike-id-", TypeValue },
- { L"--auth-data", TypeValue },
- { L"--revocation-data", TypeValue },
- { L"--lookup-peer-id", TypeValue },
- { L"--lookup-peer-address", TypeValue },
-
- { NULL, TypeMax },
-};
-
-//
-// -P
-//
-STR2INT mMapPolicy[] = {
- { L"SPD", IPsecConfigDataTypeSpd },
- { L"SAD", IPsecConfigDataTypeSad },
- { L"PAD", IPsecConfigDataTypePad },
- { NULL, 0 },
-};
-
-//
-// --proto
-//
-STR2INT mMapIpProtocol[] = {
- { L"TCP", EFI_IP4_PROTO_TCP },
- { L"UDP", EFI_IP4_PROTO_UDP },
- { L"ICMP", EFI_IP4_PROTO_ICMP },
- { NULL, 0 },
-};
-
-//
-// --action
-//
-STR2INT mMapIpSecAction[] = {
- { L"Bypass", EfiIPsecActionBypass },
- { L"Discard", EfiIPsecActionDiscard },
- { L"Protect", EfiIPsecActionProtect },
- { NULL, 0 },
-};
-
-//
-// --mode
-//
-STR2INT mMapIpSecMode[] = {
- { L"Transport", EfiIPsecTransport },
- { L"Tunnel", EfiIPsecTunnel },
- { NULL, 0 },
-};
-
-//
-// --dont-fragment
-//
-STR2INT mMapDfOption[] = {
- { L"clear", EfiIPsecTunnelClearDf },
- { L"set", EfiIPsecTunnelSetDf },
- { L"copy", EfiIPsecTunnelCopyDf },
- { NULL, 0 },
-};
-
-//
-// --ipsec-proto
-//
-STR2INT mMapIpSecProtocol[] = {
- { L"AH", EfiIPsecAH },
- { L"ESP", EfiIPsecESP },
- { NULL, 0 },
-};
-
-//
-// --auth-algo
-//
-STR2INT mMapAuthAlgo[] = {
- { L"NONE", IPSEC_AALG_NONE },
- { L"MD5HMAC", IPSEC_AALG_MD5HMAC },
- { L"SHA1HMAC", IPSEC_AALG_SHA1HMAC },
- { L"SHA2-256HMAC", IPSEC_AALG_SHA2_256HMAC },
- { L"SHA2-384HMAC", IPSEC_AALG_SHA2_384HMAC },
- { L"SHA2-512HMAC", IPSEC_AALG_SHA2_512HMAC },
- { L"AES-XCBC-MAC", IPSEC_AALG_AES_XCBC_MAC },
- { L"NULL", IPSEC_AALG_NULL },
- { NULL, 0 },
-};
-
-//
-// --encrypt-algo
-//
-STR2INT mMapEncAlgo[] = {
- { L"NONE", IPSEC_EALG_NONE },
- { L"DESCBC", IPSEC_EALG_DESCBC },
- { L"3DESCBC", IPSEC_EALG_3DESCBC },
- { L"CASTCBC", IPSEC_EALG_CASTCBC },
- { L"BLOWFISHCBC", IPSEC_EALG_BLOWFISHCBC },
- { L"NULL", IPSEC_EALG_NULL },
- { L"AESCBC", IPSEC_EALG_AESCBC },
- { L"AESCTR", IPSEC_EALG_AESCTR },
- { L"AES-CCM-ICV8", IPSEC_EALG_AES_CCM_ICV8 },
- { L"AES-CCM-ICV12",IPSEC_EALG_AES_CCM_ICV12 },
- { L"AES-CCM-ICV16",IPSEC_EALG_AES_CCM_ICV16 },
- { L"AES-GCM-ICV8", IPSEC_EALG_AES_GCM_ICV8 },
- { L"AES-GCM-ICV12",IPSEC_EALG_AES_GCM_ICV12 },
- { L"AES-GCM-ICV16",IPSEC_EALG_AES_GCM_ICV16 },
- { NULL, 0 },
-};
-
-//
-// --auth-proto
-//
-STR2INT mMapAuthProto[] = {
- { L"IKEv1", EfiIPsecAuthProtocolIKEv1 },
- { L"IKEv2", EfiIPsecAuthProtocolIKEv2 },
- { NULL, 0 },
-};
-
-//
-// --auth-method
-//
-STR2INT mMapAuthMethod[] = {
- { L"PreSharedSecret", EfiIPsecAuthMethodPreSharedSecret },
- { L"Certificates", EfiIPsecAuthMethodCertificates },
- { NULL, 0 },
-};
-
-EFI_IPSEC2_PROTOCOL *mIpSec;
-EFI_IPSEC_CONFIG_PROTOCOL *mIpSecConfig;
-EFI_HII_HANDLE mHiiHandle;
-CHAR16 mAppName[] = L"IpSecConfig";
-
-//
-// Used for IpSecConfigRetriveCheckListByName only to check the validation of user input
-//
-VAR_CHECK_ITEM mIpSecConfigVarCheckList[] = {
- { L"-enable", BIT(1)|BIT(0), BIT(1), BIT(2)|BIT(1)|BIT(0), 0 },
- { L"-disable", BIT(1)|BIT(0), BIT(1), BIT(2)|BIT(1)|BIT(0), 0 },
- { L"-status", BIT(1)|BIT(0), BIT(1), BIT(2)|BIT(1)|BIT(0), 0 },
- { L"-p", BIT(1), 0, BIT(2)|BIT(1)|BIT(0), 0 },
-
- { L"-a", BIT(0), 0, BIT(2)|BIT(1)|BIT(0), 0 },
- { L"-i", BIT(0), 0, BIT(2)|BIT(1)|BIT(0), 0 },
- { L"-d", BIT(0), 0, BIT(2)|BIT(1)|BIT(0), 0 },
- { L"-e", BIT(0), 0, BIT(2)|BIT(1)|BIT(0), 0 },
- { L"-l", BIT(0), 0, BIT(2)|BIT(1)|BIT(0), 0 },
- { L"-f", BIT(0), 0, BIT(2)|BIT(1)|BIT(0), 0 },
-
- { L"-?", BIT(0), BIT(0), BIT(2)|BIT(1)|BIT(0), 0 },
-
- //
- // SPD Selector
- //
- { L"--local", 0, 0, BIT(2)|BIT(1), 0 },
- { L"--remote", 0, 0, BIT(2)|BIT(1), 0 },
- { L"--proto", 0, 0, BIT(2)|BIT(1), 0 },
- { L"--local-port", 0, 0, BIT(2)|BIT(1), BIT(0) },
- { L"--remote-port", 0, 0, BIT(2)|BIT(1), BIT(0) },
- { L"--icmp-type", 0, 0, BIT(2)|BIT(1), BIT(1) },
- { L"--icmp-code", 0, 0, BIT(2)|BIT(1), BIT(1) },
-
- //
- // SPD Data
- //
- { L"--name", 0, 0, BIT(2), 0 },
- { L"--packet-flag", 0, 0, BIT(2), 0 },
- { L"--action", 0, 0, BIT(2)|BIT(1), 0 },
- { L"--lifebyte", 0, 0, BIT(2)|BIT(1), 0 },
- { L"--lifetime-soft", 0, 0, BIT(2)|BIT(1), 0 },
- { L"--lifetime", 0, 0, BIT(2)|BIT(1), 0 },
- { L"--mode", 0, 0, BIT(2)|BIT(1), 0 },
- { L"--tunnel-local", 0, 0, BIT(2), 0 },
- { L"--tunnel-remote", 0, 0, BIT(2), 0 },
- { L"--dont-fragment", 0, 0, BIT(2), 0 },
- { L"--ipsec-proto", 0, 0, BIT(2)|BIT(1), 0 },
- { L"--auth-algo", 0, 0, BIT(2)|BIT(1), 0 },
- { L"--encrypt-algo", 0, 0, BIT(2)|BIT(1), 0 },
-
- { L"--ext-sequence", 0, 0, BIT(2), BIT(2) },
- { L"--sequence-overflow", 0, 0, BIT(2), BIT(2) },
- { L"--fragment-check", 0, 0, BIT(2), BIT(2) },
- { L"--ext-sequence-", 0, 0, BIT(2), BIT(3) },
- { L"--sequence-overflow-", 0, 0, BIT(2), BIT(3) },
- { L"--fragment-check-", 0, 0, BIT(2), BIT(3) },
-
- //
- // SA ID
- // --ipsec-proto
- //
- { L"--spi", 0, 0, BIT(1), 0 },
- { L"--tunnel-dest", 0, 0, BIT(1), 0 },
- { L"--tunnel-source", 0, 0, BIT(1), 0 },
- { L"--lookup-spi", 0, 0, BIT(1), 0 },
- { L"--lookup-ipsec-proto", 0, 0, BIT(1), 0 },
- { L"--lookup-dest", 0, 0, BIT(1), 0 },
-
- //
- // SA DATA
- // --mode
- // --auth-algo
- // --encrypt-algo
- //
- { L"--sequence-number", 0, 0, BIT(1), 0 },
- { L"--antireplay-window", 0, 0, BIT(1), 0 },
- { L"--auth-key", 0, 0, BIT(1), 0 },
- { L"--encrypt-key", 0, 0, BIT(1), 0 },
- { L"--path-mtu", 0, 0, BIT(1), 0 },
-
- //
- // The example to add a PAD:
- // "-A --peer-id Mike [--peer-address 10.23.2.2] --auth-proto IKE1/IKE2
- // --auth-method PreSharedSeceret/Certificate --ike-id
- // --auth-data 343343 --revocation-data 2342432"
- // The example to delete a PAD:
- // "-D * --lookup-peer-id Mike [--lookup-peer-address 10.23.2.2]"
- // "-D 1"
- // The example to edit a PAD:
- // "-E * --lookup-peer-id Mike --auth-method Certificate"
-
- //
- // PAD ID
- //
- { L"--peer-id", 0, 0, BIT(0), BIT(4) },
- { L"--peer-address", 0, 0, BIT(0), BIT(5) },
- { L"--auth-proto", 0, 0, BIT(0), 0 },
- { L"--auth-method", 0, 0, BIT(0), 0 },
- { L"--IKE-ID", 0, 0, BIT(0), BIT(6) },
- { L"--IKE-ID-", 0, 0, BIT(0), BIT(7) },
- { L"--auth-data", 0, 0, BIT(0), 0 },
- { L"--revocation-data", 0, 0, BIT(0), 0 },
- { L"--lookup-peer-id", 0, 0, BIT(0), BIT(4) },
- { L"--lookup-peer-address",0, 0, BIT(0), BIT(5) },
-
- { NULL, 0, 0, 0, 0 },
-};
-
-/**
- The function to allocate the proper sized buffer for various
- EFI interfaces.
-
- @param[in, out] Status Current status.
- @param[in, out] Buffer Current allocated buffer, or NULL.
- @param[in] BufferSize Current buffer size needed
-
- @retval TRUE If the buffer was reallocated and the caller should try the API again.
- @retval FALSE If the buffer was not reallocated successfully.
-**/
-BOOLEAN
-GrowBuffer (
- IN OUT EFI_STATUS *Status,
- IN OUT VOID **Buffer,
- IN UINTN BufferSize
- )
-{
- BOOLEAN TryAgain;
-
- ASSERT (Status != NULL);
- ASSERT (Buffer != NULL);
-
- //
- // If this is an initial request, buffer will be null with a new buffer size.
- //
- if ((NULL == *Buffer) && (BufferSize != 0)) {
- *Status = EFI_BUFFER_TOO_SMALL;
- }
-
- //
- // If the status code is "buffer too small", resize the buffer.
- //
- TryAgain = FALSE;
- if (*Status == EFI_BUFFER_TOO_SMALL) {
-
- if (*Buffer != NULL) {
- FreePool (*Buffer);
- }
-
- *Buffer = AllocateZeroPool (BufferSize);
-
- if (*Buffer != NULL) {
- TryAgain = TRUE;
- } else {
- *Status = EFI_OUT_OF_RESOURCES;
- }
- }
-
- //
- // If there's an error, free the buffer.
- //
- if (!TryAgain && EFI_ERROR (*Status) && (*Buffer != NULL)) {
- FreePool (*Buffer);
- *Buffer = NULL;
- }
-
- return TryAgain;
-}
-
-/**
- Function returns an array of handles that support the requested protocol
- in a buffer allocated from a pool.
-
- @param[in] SearchType Specifies which handle(s) are to be returned.
- @param[in] Protocol Provides the protocol to search by.
- This parameter is only valid for SearchType ByProtocol.
-
- @param[in] SearchKey Supplies the search key depending on the SearchType.
- @param[in, out] NoHandles The number of handles returned in Buffer.
- @param[out] Buffer A pointer to the buffer to return the requested array of
- handles that support Protocol.
-
- @retval EFI_SUCCESS The resulting array of handles was returned.
- @retval Others Other mistake case.
-**/
-EFI_STATUS
-LocateHandle (
- IN EFI_LOCATE_SEARCH_TYPE SearchType,
- IN EFI_GUID *Protocol OPTIONAL,
- IN VOID *SearchKey OPTIONAL,
- IN OUT UINTN *NoHandles,
- OUT EFI_HANDLE **Buffer
- )
-{
- EFI_STATUS Status;
- UINTN BufferSize;
-
- ASSERT (NoHandles != NULL);
- ASSERT (Buffer != NULL);
-
- //
- // Initialize for GrowBuffer loop.
- //
- Status = EFI_SUCCESS;
- *Buffer = NULL;
- BufferSize = 50 * sizeof (EFI_HANDLE);
-
- //
- // Call the real function.
- //
- while (GrowBuffer (&Status, (VOID **) Buffer, BufferSize)) {
- Status = gBS->LocateHandle (
- SearchType,
- Protocol,
- SearchKey,
- &BufferSize,
- *Buffer
- );
- }
-
- *NoHandles = BufferSize / sizeof (EFI_HANDLE);
- if (EFI_ERROR (Status)) {
- *NoHandles = 0;
- }
-
- return Status;
-}
-
-/**
- Find the first instance of this protocol in the system and return its interface.
-
- @param[in] ProtocolGuid The guid of the protocol.
- @param[out] Interface The pointer to the first instance of the protocol.
-
- @retval EFI_SUCCESS A protocol instance matching ProtocolGuid was found.
- @retval Others A protocol instance matching ProtocolGuid was not found.
-**/
-EFI_STATUS
-LocateProtocol (
- IN EFI_GUID *ProtocolGuid,
- OUT VOID **Interface
- )
-
-{
- EFI_STATUS Status;
- UINTN NumberHandles;
- UINTN Index;
- EFI_HANDLE *Handles;
-
- *Interface = NULL;
- Handles = NULL;
- NumberHandles = 0;
-
- Status = LocateHandle (ByProtocol, ProtocolGuid, NULL, &NumberHandles, &Handles);
- if (EFI_ERROR (Status)) {
- DEBUG ((EFI_D_INFO, "LibLocateProtocol: Handle not found\n"));
- return Status;
- }
-
- for (Index = 0; Index < NumberHandles; Index++) {
- ASSERT (Handles != NULL);
- Status = gBS->HandleProtocol (
- Handles[Index],
- ProtocolGuid,
- Interface
- );
-
- if (!EFI_ERROR (Status)) {
- break;
- }
- }
-
- if (Handles != NULL) {
- FreePool (Handles);
- }
-
- return Status;
-}
-
-/**
- Helper function called to check the conflicted flags.
-
- @param[in] CheckList The pointer to the VAR_CHECK_ITEM table.
- @param[in] ParamPackage The pointer to the ParamPackage list.
-
- @retval EFI_SUCCESS No conflicted flags.
- @retval EFI_INVALID_PARAMETER The input parameter is erroroneous or there are some conflicted flags.
-**/
-EFI_STATUS
-IpSecConfigRetriveCheckListByName (
- IN VAR_CHECK_ITEM *CheckList,
- IN LIST_ENTRY *ParamPackage
-)
-{
-
- LIST_ENTRY *Node;
- VAR_CHECK_ITEM *Item;
- UINT32 Attribute1;
- UINT32 Attribute2;
- UINT32 Attribute3;
- UINT32 Attribute4;
- UINT32 Index;
-
- Attribute1 = 0;
- Attribute2 = 0;
- Attribute3 = 0;
- Attribute4 = 0;
- Index = 0;
- Item = mIpSecConfigVarCheckList;
-
- if ((ParamPackage == NULL) || (CheckList == NULL)) {
- return EFI_INVALID_PARAMETER;
- }
-
- //
- // Enumerate through the list of parameters that are input by user.
- //
- for (Node = GetFirstNode (ParamPackage); !IsNull (ParamPackage, Node); Node = GetNextNode (ParamPackage, Node)) {
- if (((SHELL_PARAM_PACKAGE *) Node)->Name != NULL) {
- //
- // Enumerate the check list that defines the conflicted attributes of each flag.
- //
- for (; Item->VarName != NULL; Item++) {
- if (StrCmp (((SHELL_PARAM_PACKAGE *) Node)->Name, Item->VarName) == 0) {
- Index++;
- if (Index == 1) {
- Attribute1 = Item->Attribute1;
- Attribute2 = Item->Attribute2;
- Attribute3 = Item->Attribute3;
- Attribute4 = Item->Attribute4;
- } else {
- Attribute1 &= Item->Attribute1;
- Attribute2 |= Item->Attribute2;
- Attribute3 &= Item->Attribute3;
- Attribute4 |= Item->Attribute4;
- if (Attribute1 != 0) {
- return EFI_INVALID_PARAMETER;
- }
-
- if (Attribute2 != 0) {
- if ((Index == 2) && (StrCmp (Item->VarName, L"-p") == 0)) {
- continue;
- }
-
- return EFI_INVALID_PARAMETER;
- }
-
- if (Attribute3 == 0) {
- return EFI_INVALID_PARAMETER;
- }
- if (((Attribute4 & 0xFF) == 0x03) || ((Attribute4 & 0xFF) == 0x0C) ||
- ((Attribute4 & 0xFF) == 0x30) || ((Attribute4 & 0xFF) == 0xC0)) {
- return EFI_INVALID_PARAMETER;
- }
- }
- break;
- }
- }
-
- Item = mIpSecConfigVarCheckList;
- }
- }
-
- return EFI_SUCCESS;
-}
-
-/**
- This is the declaration of an EFI image entry point. This entry point is
- the same for UEFI Applications, UEFI OS Loaders, and UEFI Drivers, including
- both device drivers and bus drivers.
-
- The entry point for IpSecConfig application that parse the command line input and call an IpSecConfig process.
-
- @param[in] ImageHandle The image handle of this application.
- @param[in] SystemTable The pointer to the EFI System Table.
-
- @retval EFI_SUCCESS The operation completed successfully.
-
-**/
-EFI_STATUS
-EFIAPI
-InitializeIpSecConfig (
- IN EFI_HANDLE ImageHandle,
- IN EFI_SYSTEM_TABLE *SystemTable
- )
-{
- EFI_STATUS Status;
- EFI_IPSEC_CONFIG_DATA_TYPE DataType;
- UINT8 Value;
- LIST_ENTRY *ParamPackage;
- CONST CHAR16 *ValueStr;
- CHAR16 *ProblemParam;
- UINTN NonOptionCount;
- EFI_HII_PACKAGE_LIST_HEADER *PackageList;
-
- //
- // Retrieve HII package list from ImageHandle
- //
- Status = gBS->OpenProtocol (
- ImageHandle,
- &gEfiHiiPackageListProtocolGuid,
- (VOID **) &PackageList,
- ImageHandle,
- NULL,
- EFI_OPEN_PROTOCOL_GET_PROTOCOL
- );
- if (EFI_ERROR (Status)) {
- return Status;
- }
-
- //
- // Publish HII package list to HII Database.
- //
- Status = gHiiDatabase->NewPackageList (
- gHiiDatabase,
- PackageList,
- NULL,
- &mHiiHandle
- );
- if (EFI_ERROR (Status)) {
- return Status;
- }
-
- ASSERT (mHiiHandle != NULL);
-
- Status = ShellCommandLineParseEx (mIpSecConfigParamList, &ParamPackage, &ProblemParam, TRUE, FALSE);
- if (EFI_ERROR (Status)) {
- ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_UNKNOWN_OPERATION), mHiiHandle, ProblemParam);
- goto Done;
- }
-
- Status = IpSecConfigRetriveCheckListByName (mIpSecConfigVarCheckList, ParamPackage);
- if (EFI_ERROR (Status)) {
- ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_MISTAKEN_OPTIONS), mHiiHandle);
- goto Done;
- }
-
- Status = LocateProtocol (&gEfiIpSecConfigProtocolGuid, (VOID **) &mIpSecConfig);
- if (EFI_ERROR (Status) || mIpSecConfig == NULL) {
- ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_PROTOCOL_INEXISTENT), mHiiHandle, mAppName);
- goto Done;
- }
-
- Status = LocateProtocol (&gEfiIpSec2ProtocolGuid, (VOID **) &mIpSec);
- if (EFI_ERROR (Status) || mIpSec == NULL) {
- ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_PROTOCOL_INEXISTENT), mHiiHandle, mAppName);
- goto Done;
- }
-
- //
- // Enable IPsec.
- //
- if (ShellCommandLineGetFlag (ParamPackage, L"-enable")) {
- if (!(mIpSec->DisabledFlag)) {
- ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_ALREADY_ENABLE), mHiiHandle, mAppName);
- } else {
- //
- // Set enable flag.
- //
- Value = IPSEC_STATUS_ENABLED;
- Status = gRT->SetVariable (
- IPSECCONFIG_STATUS_NAME,
- &gEfiIpSecConfigProtocolGuid,
- EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_NON_VOLATILE,
- sizeof (Value),
- &Value
- );
- if (!EFI_ERROR (Status)) {
- mIpSec->DisabledFlag = FALSE;
- ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_ENABLE_SUCCESS), mHiiHandle, mAppName);
- } else {
- ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_ENABLE_FAILED), mHiiHandle, mAppName);
- }
- }
-
- goto Done;
- }
-
- //
- // Disable IPsec.
- //
- if (ShellCommandLineGetFlag (ParamPackage, L"-disable")) {
- if (mIpSec->DisabledFlag) {
- ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_ALREADY_DISABLE), mHiiHandle, mAppName);
- } else {
- //
- // Set disable flag; however, leave it to be disabled in the callback function of DisabledEvent.
- //
- gBS->SignalEvent (mIpSec->DisabledEvent);
- if (mIpSec->DisabledFlag) {
- ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_DISABLE_SUCCESS), mHiiHandle, mAppName);
- } else {
- ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_DISABLE_FAILED), mHiiHandle, mAppName);
- }
- }
-
- goto Done;
- }
-
- //
- //IPsec Status.
- //
- if (ShellCommandLineGetFlag (ParamPackage, L"-status")) {
- if (mIpSec->DisabledFlag) {
- ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_STATUS_DISABLE), mHiiHandle, mAppName);
- } else {
- ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_STATUS_ENABLE), mHiiHandle, mAppName);
- }
- goto Done;
- }
-
- //
- // Try to get policy database type.
- //
- DataType = (EFI_IPSEC_CONFIG_DATA_TYPE) - 1;
- ValueStr = ShellCommandLineGetValue (ParamPackage, L"-p");
- if (ValueStr != NULL) {
- DataType = (EFI_IPSEC_CONFIG_DATA_TYPE) MapStringToInteger (ValueStr, mMapPolicy);
- if (DataType == -1) {
- ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_DB), mHiiHandle, mAppName, ValueStr);
- goto Done;
- }
- }
-
- NonOptionCount = ShellCommandLineGetCount (ParamPackage);
- if ((NonOptionCount - 1) > 0) {
- ValueStr = ShellCommandLineGetRawValue (ParamPackage, (UINT32) (NonOptionCount - 1));
- ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_REDUNDANCY_MANY), mHiiHandle, mAppName, ValueStr);
- goto Done;
- }
-
- if (DataType == -1) {
- ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_DB), mHiiHandle, mAppName);
- goto Done;
- }
-
- if (ShellCommandLineGetFlag (ParamPackage, L"-a")) {
- Status = AddOrInsertPolicyEntry (DataType, ParamPackage);
- if (EFI_ERROR (Status)) {
- goto Done;
- }
- } else if (ShellCommandLineGetFlag (ParamPackage, L"-i")) {
- Status = AddOrInsertPolicyEntry (DataType, ParamPackage);
- if (EFI_ERROR (Status)) {
- goto Done;
- }
- } else if (ShellCommandLineGetFlag (ParamPackage, L"-e")) {
- Status = EditPolicyEntry (DataType, ParamPackage);
- if (EFI_ERROR (Status)) {
- goto Done;
- }
- } else if (ShellCommandLineGetFlag (ParamPackage, L"-d")) {
- Status = FlushOrDeletePolicyEntry (DataType, ParamPackage);
- if (EFI_ERROR (Status)) {
- goto Done;
- }
- } else if (ShellCommandLineGetFlag (ParamPackage, L"-f")) {
- Status = FlushOrDeletePolicyEntry (DataType, ParamPackage);
- if (EFI_ERROR (Status)) {
- goto Done;
- }
- } else if (ShellCommandLineGetFlag (ParamPackage, L"-l")) {
- Status = ListPolicyEntry (DataType, ParamPackage);
- if (EFI_ERROR (Status)) {
- goto Done;
- }
- } else {
- ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_UNKNOWN_OPERATION), mHiiHandle, mAppName);
- goto Done;
- }
-
-Done:
- ShellCommandLineFreeVarList (ParamPackage);
- HiiRemovePackages (mHiiHandle);
-
- return EFI_SUCCESS;
-}
diff --git a/NetworkPkg/Application/IpsecConfig/IpSecConfig.h b/NetworkPkg/Application/IpsecConfig/IpSecConfig.h deleted file mode 100644 index e37f8aae80..0000000000 --- a/NetworkPkg/Application/IpsecConfig/IpSecConfig.h +++ /dev/null @@ -1,143 +0,0 @@ -/** @file
- The internal structure and function declaration in IpSecConfig application.
-
- Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.<BR>
-
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#ifndef _IPSEC_CONFIG_H_
-#define _IPSEC_CONFIG_H_
-
-#include <Library/BaseMemoryLib.h>
-#include <Library/UefiLib.h>
-#include <Library/ShellLib.h>
-#include <Library/DebugLib.h>
-#include <Library/MemoryAllocationLib.h>
-#include <Library/UefiBootServicesTableLib.h>
-#include <Library/UefiHiiServicesLib.h>
-#include <Library/NetLib.h>
-
-#include <Protocol/IpSecConfig.h>
-
-#define IPSECCONFIG_STATUS_NAME L"IpSecStatus"
-
-#define BIT(x) (UINT32) (1 << (x))
-
-#define IPSEC_STATUS_DISABLED 0x0
-#define IPSEC_STATUS_ENABLED 0x1
-
-#define EFI_IP4_PROTO_ICMP 0x1
-#define EFI_IP4_PROTO_TCP 0x6
-#define EFI_IP4_PROTO_UDP 0x11
-
-#define EFI_IPSEC_ANY_PROTOCOL 0xFFFF
-#define EFI_IPSEC_ANY_PORT 0
-
-///
-/// IPsec Authentication Algorithm Definition
-/// The number value definition is aligned to IANA assignment
-///
-#define IPSEC_AALG_NONE 0x00
-#define IPSEC_AALG_MD5HMAC 0x01
-#define IPSEC_AALG_SHA1HMAC 0x02
-#define IPSEC_AALG_SHA2_256HMAC 0x05
-#define IPSEC_AALG_SHA2_384HMAC 0x06
-#define IPSEC_AALG_SHA2_512HMAC 0x07
-#define IPSEC_AALG_AES_XCBC_MAC 0x09
-#define IPSEC_AALG_NULL 0xFB
-
-///
-/// IPsec Encryption Algorithm Definition
-/// The number value definition is aligned to IANA assignment
-///
-#define IPSEC_EALG_NONE 0x00
-#define IPSEC_EALG_DESCBC 0x02
-#define IPSEC_EALG_3DESCBC 0x03
-#define IPSEC_EALG_CASTCBC 0x06
-#define IPSEC_EALG_BLOWFISHCBC 0x07
-#define IPSEC_EALG_NULL 0x0B
-#define IPSEC_EALG_AESCBC 0x0C
-#define IPSEC_EALG_AESCTR 0x0D
-#define IPSEC_EALG_AES_CCM_ICV8 0x0E
-#define IPSEC_EALG_AES_CCM_ICV12 0x0F
-#define IPSEC_EALG_AES_CCM_ICV16 0x10
-#define IPSEC_EALG_AES_GCM_ICV8 0x12
-#define IPSEC_EALG_AES_GCM_ICV12 0x13
-#define IPSEC_EALG_AES_GCM_ICV16 0x14
-
-typedef struct {
- CHAR16 *VarName;
- UINT32 Attribute1;
- UINT32 Attribute2;
- UINT32 Attribute3;
- UINT32 Attribute4;
-} VAR_CHECK_ITEM;
-
-typedef struct {
- LIST_ENTRY Link;
- CHAR16 *Name;
- SHELL_PARAM_TYPE Type;
- CHAR16 *Value;
- UINTN OriginalPosition;
-} SHELL_PARAM_PACKAGE;
-
-typedef struct {
- CHAR16 *String;
- UINT32 Integer;
-} STR2INT;
-
-extern EFI_IPSEC_CONFIG_PROTOCOL *mIpSecConfig;
-extern EFI_HII_HANDLE mHiiHandle;
-extern CHAR16 mAppName[];
-
-//
-// -P
-//
-extern STR2INT mMapPolicy[];
-
-//
-// --proto
-//
-extern STR2INT mMapIpProtocol[];
-
-//
-// --action
-//
-extern STR2INT mMapIpSecAction[];
-
-//
-// --mode
-//
-extern STR2INT mMapIpSecMode[];
-
-//
-// --dont-fragment
-//
-extern STR2INT mMapDfOption[];
-
-//
-// --ipsec-proto
-//
-extern STR2INT mMapIpSecProtocol[];
-//
-// --auth-algo
-//
-extern STR2INT mMapAuthAlgo[];
-
-//
-// --encrypt-algo
-//
-extern STR2INT mMapEncAlgo[];
-//
-// --auth-proto
-//
-extern STR2INT mMapAuthProto[];
-
-//
-// --auth-method
-//
-extern STR2INT mMapAuthMethod[];
-
-#endif
diff --git a/NetworkPkg/Application/IpsecConfig/IpSecConfig.inf b/NetworkPkg/Application/IpsecConfig/IpSecConfig.inf deleted file mode 100644 index 7ad6b5627f..0000000000 --- a/NetworkPkg/Application/IpsecConfig/IpSecConfig.inf +++ /dev/null @@ -1,70 +0,0 @@ -## @file
-# Shell application IpSecConfig.
-#
-# This application is used to set and retrieve security and policy related information
-# for the EFI IPsec protocol driver.
-#
-# Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
-#
-# SPDX-License-Identifier: BSD-2-Clause-Patent
-#
-##
-
-[Defines]
- INF_VERSION = 0x00010006
- BASE_NAME = IpSecConfig
- FILE_GUID = 0922E604-F5EC-42ef-980D-A35E9A2B1844
- MODULE_TYPE = UEFI_APPLICATION
- VERSION_STRING = 1.0
- ENTRY_POINT = InitializeIpSecConfig
- MODULE_UNI_FILE = IpSecConfig.uni
-
-#
-#
-# This flag specifies whether HII resource section is generated into PE image.
-#
- UEFI_HII_RESOURCE_SECTION = TRUE
-
-[Sources]
- IpSecConfigStrings.uni
- IpSecConfig.c
- IpSecConfig.h
- Dump.c
- Dump.h
- Indexer.c
- Indexer.h
- Match.c
- Match.h
- Delete.h
- Delete.c
- Helper.c
- Helper.h
- ForEach.c
- ForEach.h
- PolicyEntryOperation.c
- PolicyEntryOperation.h
-
-[Packages]
- MdePkg/MdePkg.dec
- MdeModulePkg/MdeModulePkg.dec
- ShellPkg/ShellPkg.dec
-
-[LibraryClasses]
- UefiBootServicesTableLib
- UefiApplicationEntryPoint
- UefiHiiServicesLib
- BaseMemoryLib
- ShellLib
- MemoryAllocationLib
- DebugLib
- HiiLib
- NetLib
- UefiLib
-
-[Protocols]
- gEfiIpSec2ProtocolGuid ##CONSUMES
- gEfiIpSecConfigProtocolGuid ##CONSUMES
- gEfiHiiPackageListProtocolGuid ##CONSUMES
-
-[UserExtensions.TianoCore."ExtraFiles"]
- IpSecConfigExtra.uni
diff --git a/NetworkPkg/Application/IpsecConfig/IpSecConfig.uni b/NetworkPkg/Application/IpsecConfig/IpSecConfig.uni deleted file mode 100644 index 3d01977ffd..0000000000 --- a/NetworkPkg/Application/IpsecConfig/IpSecConfig.uni +++ /dev/null @@ -1,17 +0,0 @@ -// /** @file
-// Shell application IpSecConfig.
-//
-// This application is used to set and retrieve security and policy related information
-// for the EFI IPsec protocol driver.
-//
-// Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
-//
-// SPDX-License-Identifier: BSD-2-Clause-Patent
-//
-// **/
-
-
-#string STR_MODULE_ABSTRACT #language en-US "Shell application IpSecConfig"
-
-#string STR_MODULE_DESCRIPTION #language en-US "This application is used to set and retrieve security and policy related information for the EFI IPsec protocol driver."
-
diff --git a/NetworkPkg/Application/IpsecConfig/IpSecConfigExtra.uni b/NetworkPkg/Application/IpsecConfig/IpSecConfigExtra.uni deleted file mode 100644 index 2fef5f4b31..0000000000 --- a/NetworkPkg/Application/IpsecConfig/IpSecConfigExtra.uni +++ /dev/null @@ -1,14 +0,0 @@ -// /** @file
-// IpSecConfig Localized Strings and Content
-//
-// Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.<BR>
-//
-// SPDX-License-Identifier: BSD-2-Clause-Patent
-//
-// **/
-
-#string STR_PROPERTIES_MODULE_NAME
-#language en-US
-"IpSec Config App"
-
-
diff --git a/NetworkPkg/Application/IpsecConfig/IpSecConfigStrings.uni b/NetworkPkg/Application/IpsecConfig/IpSecConfigStrings.uni deleted file mode 100644 index 9a854464a8..0000000000 --- a/NetworkPkg/Application/IpsecConfig/IpSecConfigStrings.uni +++ /dev/null @@ -1,127 +0,0 @@ -/** @file
- String definitions for the Shell IpSecConfig application.
-
- Copyright (c) 2009 - 2014, Intel Corporation. All rights reserved.<BR>
-
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#langdef en-US "English"
-
-#string STR_IPSEC_CONFIG_UNKNOWN_OPERATION #language en-US "%s: Operation not specified.\n"
-
-#string STR_IPSEC_CONFIG_INCORRECT_DB #language en-US "%s: Incorrect Database - %s.\n"
-
-#string STR_IPSEC_CONFIG_PROTOCOL_INEXISTENT #language en-US "%s: IPSEC_CONFIG protocol inexistent.\n"
-
-#string STR_IPSEC_CONFIG_MISSING_DB #language en-US "%s: Missing Database.\n"
-
-#string STR_IPSEC_CONFIG_FILE_OPEN_FAILED #language en-US "%s: Open file failed - %s.\n"
-
-#string STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE #language en-US "%s: Incorrect value of %s - %s.\n"
-
-#string STR_IPSEC_CONFIG_ACCEPT_PARAMETERS #language en-US " Values could be:"
-
-#string STR_IPSEC_CONFIG_MISSING_PARAMETER #language en-US "%s: Missing parameter - %s.\n"
-
-#string STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS #language en-US "%s: Missing one of the parameters - %s.\n"
-
-#string STR_IPSEC_CONFIG_UNWANTED_PARAMETER #language en-US "%s: Unwanted parameter - %s.\n"
-
-#string STR_IPSEC_CONFIG_INSERT_FAILED #language en-US "%s: Policy entry insertion failed!\n"
-
-#string STR_IPSEC_CONFIG_DELETE_FAILED #language en-US "%s: Policy entry deletion failed!\n"
-
-#string STR_IPSEC_CONFIG_EDIT_FAILED #language en-US "%s: Policy entry edit failed!\n"
-
-#string STR_IPSEC_CONFIG_ALREADY_EXISTS #language en-US "%s: Policy entry already exists!\n"
-
-#string STR_IPSEC_CONFIG_INDEX_NOT_FOUND #language en-US "%s: Specified index not found!\n"
-
-#string STR_IPSEC_CONFIG_INDEX_NOT_SPECIFIED #language en-US "%s: Index should be Specified!\n"
-
-#string STR_IPSEC_CONFIG_INSERT_UNSUPPORT #language en-US "%s: Policy entry insertion not supported!\n"
-
-#string STR_IPSEC_MISTAKEN_OPTIONS #language en-US "Mistaken Input. Please refer to %H"IpSecConfig -?"%N for more help information.\n"
-
-#string STR_IPSEC_REDUNDANCY_MANY #language en-US "%s has one redundancy option: %H%s%N\n"
-
-#string STR_IPSEC_CONFIG_ALREADY_ENABLE #language en-US "IPsec has been already enabled!\n"
-
-#string STR_IPSEC_CONFIG_ENABLE_SUCCESS #language en-US "Enable IPsec ! \n"
-
-#string STR_IPSEC_CONFIG_DISABLE_SUCCESS #language en-US "Disable IPsec ! \n"
-
-#string STR_IPSEC_CONFIG_ALREADY_DISABLE #language en-US "IPsec has been already disabled !\n"
-
-#string STR_IPSEC_CONFIG_STATUS_ENABLE #language en-US "IPsec Status : Enabled ! \n"
-
-#string STR_IPSEC_CONFIG_STATUS_DISABLE #language en-US "IPsec Status : Disabled ! \n"
-
-#string STR_IPSEC_CONFIG_ENABLE_FAILED #language en-US "Error: Enable IPsec failed !\n"
-
-#string STR_IPSEC_CONFIG_DISABLE_FAILED #language en-US "Error: Disable IPsec failed !\n"
-
-#string STR_IPSEC_CONFIG_HELP #language en-US ""
-".TH IpSecConfig 0 "Displays or modifies the current IPsec configuration."\r\n"
-".SH NAME\r\n"
-"Displays or modifies the current IPsec configuration.\r\n"
-".SH SYNOPSIS\r\n"
-" \r\n"
-"%HIpSecConfig [-p {SPD|SAD|PAD}] [command] [options[parameters]]\r\n"
-".SH OPTIONS\r\n"
-" \r\n"
-"%H-p (SPD|SAD|PAD)%N required.point to certain policy database.\r\n"
-" \r\n"
-"%Hcommand%N:\r\n"
-" -a [options[parameters]] Add new policy entry.\r\n"
-" -i entryid [options[parameters]] Insert new policy entry before the one\r\n"
-" matched by the entryid.\r\n"
-" It's only supported on SPD policy database.\r\n"
-" -d entryid Delete the policy entry matched by the \r\n"
-" entryid.\r\n"
-" -e entryid [options[parameters]] Edit the policy entry matched by the\r\n"
-" entryid.\r\n"
-" -f Flush the entire policy database.\r\n"
-" -l List all entries for specified database.\r\n"
-" -enable Enable IPsec.\r\n"
-" -disable Disable IPsec.\r\n"
-" -status Show IPsec current status.\r\n"
-" \r\n"
-"%H[options[parameters]]%N for %HSPD%N:\r\n"
-" --local localaddress optional local address\r\n"
-" --remote remoteaddress required remote address\r\n"
-" --proto (TCP|UDP|ICMP|...) required IP protocol\r\n"
-" --local-port port optional local port for tcp/udp protocol\r\n"
-" --remote-port port optional remote port for tcp/udp protocol\r\n"
-" --name name optional SPD name\r\n"
-" --action (Bypass|Discard|Protect) required \r\n"
-" required IPsec action\r\n"
-" --mode (Transport|Tunnel) optional IPsec mode, transport by default\r\n"
-" --ipsec-proto (AH|ESP) optional IPsec protocol, ESP by default\r\n"
-" --auth-algo (NONE|SHA1HMAC) optional authentication algorithm\r\n"
-" --encrypt-algo(NONE|DESCBC|3DESCBC)optional encryption algorithm\r\n"
-" --tunnel-local tunnellocaladdr optional tunnel local address(only for tunnel mode)\r\n"
-" --tunnel-remote tunnelremoteaddr optional tunnel remote address(only for tunnel mode)\r\n"
-" \r\n"
-"%H[options[parameters]]%N for %HSAD%N:\r\n"
-" --spi spi required SPI value\r\n"
-" --ipsec-proto (AH|ESP) required IPsec protocol\r\n"
-" --local localaddress optional local address\r\n"
-" --remote remoteaddress required destination address\r\n"
-" --auth-algo (NONE|SHA1HMAC) required for AH. authentication algorithm\n"
-" --auth-key key required for AH. key for authentication\r\n"
-" --encrypt-algo (NONE|DESCBC|3DESCBC) required for ESP. encryption algorithm\r\n"
-" --encrypt-key key required for ESP. key for encryption\r\n"
-" --mode (Transport|Tunnel) optional IPsec mode, transport by default\r\n"
-" --tunnel-dest tunneldestaddr optional tunnel destination address(only for tunnel mode)\r\n"
-" --tunnel-source tunnelsourceaddr optional tunnel source address(only for tunnel mode)\r\n"
-" \r\n"
-"%H[options[parameters]]%N for %HPAD%N:\r\n"
-" --peer-address address required peer address\r\n"
-" --auth-proto (IKEv1|IKEv2) optional IKE protocol, IKEv1 by\r\n"
-" default\r\n"
-" --auth-method (PreSharedSecret|Certificates) required authentication method\r\n"
-" --auth-data authdata required data for authentication\r\n"
-" \r\n"
diff --git a/NetworkPkg/Application/IpsecConfig/Match.c b/NetworkPkg/Application/IpsecConfig/Match.c deleted file mode 100644 index 9d5a81c4ac..0000000000 --- a/NetworkPkg/Application/IpsecConfig/Match.c +++ /dev/null @@ -1,157 +0,0 @@ -/** @file
- The implementation of match policy entry function in IpSecConfig application.
-
- Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.<BR>
-
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#include "IpSecConfig.h"
-#include "Indexer.h"
-#include "Match.h"
-
-/**
- Private function to validate a buffer that should be filled with zero.
-
- @param[in] Memory The pointer to the buffer.
- @param[in] Size The size of the buffer.
-
- @retval TRUE The memory is filled with zero.
- @retval FALSE The memory isn't filled with zero.
-**/
-BOOLEAN
-IsMemoryZero (
- IN VOID *Memory,
- IN UINTN Size
- )
-{
- UINTN Index;
-
- for (Index = 0; Index < Size; Index++) {
- if (*((UINT8 *) Memory + Index) != 0) {
- return FALSE;
- }
- }
-
- return TRUE;
-}
-
-/**
- Find the matching SPD with Indexer.
-
- @param[in] Selector The pointer to the EFI_IPSEC_SPD_SELECTOR structure.
- @param[in] Data The pointer to the EFI_IPSEC_SPD_DATA structure.
- @param[in] Indexer The pointer to the SPD_ENTRY_INDEXER structure.
-
- @retval TRUE The matched SPD is found.
- @retval FALSE The matched SPD is not found.
-**/
-BOOLEAN
-MatchSpdEntry (
- IN EFI_IPSEC_SPD_SELECTOR *Selector,
- IN EFI_IPSEC_SPD_DATA *Data,
- IN SPD_ENTRY_INDEXER *Indexer
- )
-{
- BOOLEAN Match;
-
- Match = FALSE;
- if (!IsMemoryZero (Indexer->Name, MAX_PEERID_LEN)) {
- if ((Data->Name != NULL) && (AsciiStrCmp ((CHAR8 *) Indexer->Name, (CHAR8 *) Data->Name) == 0)) {
- Match = TRUE;
- }
- } else {
- if (Indexer->Index == 0) {
- Match = TRUE;
- }
-
- Indexer->Index--;
- }
-
- return Match;
-}
-
-/**
- Find the matching SAD with Indexer.
-
- @param[in] SaId The pointer to the EFI_IPSEC_SA_ID structure.
- @param[in] Data The pointer to the EFI_IPSEC_SA_DATA2 structure.
- @param[in] Indexer The pointer to the SPD_ENTRY_INDEXER structure.
-
- @retval TRUE The matched SAD is found.
- @retval FALSE The matched SAD is not found.
-**/
-BOOLEAN
-MatchSadEntry (
- IN EFI_IPSEC_SA_ID *SaId,
- IN EFI_IPSEC_SA_DATA2 *Data,
- IN SAD_ENTRY_INDEXER *Indexer
- )
-{
- BOOLEAN Match;
-
- Match = FALSE;
- if (!IsMemoryZero (&Indexer->SaId, sizeof (EFI_IPSEC_SA_ID))) {
- Match = (BOOLEAN) (CompareMem (&Indexer->SaId, SaId, sizeof (EFI_IPSEC_SA_ID)) == 0);
- } else {
- if (Indexer->Index == 0) {
- Match = TRUE;
- }
- Indexer->Index--;
- }
-
- return Match;
-}
-
-/**
- Find the matching PAD with Indexer.
-
- @param[in] PadId The pointer to the EFI_IPSEC_PAD_ID structure.
- @param[in] Data The pointer to the EFI_IPSEC_PAD_DATA structure.
- @param[in] Indexer The pointer to the SPD_ENTRY_INDEXER structure.
-
- @retval TRUE The matched PAD is found.
- @retval FALSE The matched PAD is not found.
-**/
-BOOLEAN
-MatchPadEntry (
- IN EFI_IPSEC_PAD_ID *PadId,
- IN EFI_IPSEC_PAD_DATA *Data,
- IN PAD_ENTRY_INDEXER *Indexer
- )
-{
- BOOLEAN Match;
-
- Match = FALSE;
- if (!IsMemoryZero (&Indexer->PadId, sizeof (EFI_IPSEC_PAD_ID))) {
- Match = (BOOLEAN) ((Indexer->PadId.PeerIdValid == PadId->PeerIdValid) &&
- ((PadId->PeerIdValid &&
- (StrCmp (
- (CONST CHAR16 *) Indexer->PadId.Id.PeerId,
- (CONST CHAR16 *) PadId->Id.PeerId
- ) == 0)) ||
- ((!PadId->PeerIdValid) &&
- (Indexer->PadId.Id.IpAddress.PrefixLength == PadId->Id.IpAddress.PrefixLength) &&
- (CompareMem (
- &Indexer->PadId.Id.IpAddress.Address,
- &PadId->Id.IpAddress.Address,
- sizeof (EFI_IP_ADDRESS)
- ) == 0))));
- } else {
- if (Indexer->Index == 0) {
- Match = TRUE;
- }
-
- Indexer->Index--;
- }
-
- return Match;
-}
-
-MATCH_POLICY_ENTRY mMatchPolicyEntry[] = {
- (MATCH_POLICY_ENTRY) MatchSpdEntry,
- (MATCH_POLICY_ENTRY) MatchSadEntry,
- (MATCH_POLICY_ENTRY) MatchPadEntry
-};
-
diff --git a/NetworkPkg/Application/IpsecConfig/Match.h b/NetworkPkg/Application/IpsecConfig/Match.h deleted file mode 100644 index 2e0b31b8b9..0000000000 --- a/NetworkPkg/Application/IpsecConfig/Match.h +++ /dev/null @@ -1,35 +0,0 @@ -/** @file
- The internal structure and function declaration of
- match policy entry function in IpSecConfig application.
-
- Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
-
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#ifndef _MATCH_H_
-#define _MATCH_H_
-
-/**
- The prototype for the MatchSpdEntry()/MatchSadEntry()/MatchPadEntry().
- The functionality is to find the matching SPD/SAD/PAD with Indexer.
-
- @param[in] Selector The pointer to the EFI_IPSEC_CONFIG_SELECTOR union.
- @param[in] Data The pointer to corresponding Data.
- @param[in] Indexer The pointer to the POLICY_ENTRY_INDEXER union.
-
- @retval TRUE The matched SPD/SAD/PAD is found.
- @retval FALSE The matched SPD/SAD/PAD is not found.
-**/
-typedef
-BOOLEAN
-(* MATCH_POLICY_ENTRY) (
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector,
- IN VOID *Data,
- IN POLICY_ENTRY_INDEXER *Indexer
- );
-
-extern MATCH_POLICY_ENTRY mMatchPolicyEntry[];
-
-#endif
diff --git a/NetworkPkg/Application/IpsecConfig/PolicyEntryOperation.c b/NetworkPkg/Application/IpsecConfig/PolicyEntryOperation.c deleted file mode 100644 index 16f3590977..0000000000 --- a/NetworkPkg/Application/IpsecConfig/PolicyEntryOperation.c +++ /dev/null @@ -1,2070 +0,0 @@ -/** @file
- The implementation of policy entry operation function in IpSecConfig application.
-
- Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
-
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#include "IpSecConfig.h"
-#include "Indexer.h"
-#include "Match.h"
-#include "Helper.h"
-#include "ForEach.h"
-#include "PolicyEntryOperation.h"
-
-/**
- Fill in EFI_IPSEC_SPD_SELECTOR through ParamPackage list.
-
- @param[out] Selector The pointer to the EFI_IPSEC_SPD_SELECTOR structure.
- @param[in] ParamPackage The pointer to the ParamPackage list.
- @param[in, out] Mask The pointer to the Mask.
-
- @retval EFI_SUCCESS Fill in EFI_IPSEC_SPD_SELECTOR successfully.
- @retval EFI_INVALID_PARAMETER Invalid user input parameter.
-
-**/
-EFI_STATUS
-CreateSpdSelector (
- OUT EFI_IPSEC_SPD_SELECTOR *Selector,
- IN LIST_ENTRY *ParamPackage,
- IN OUT UINT32 *Mask
- )
-{
- EFI_STATUS Status;
- EFI_STATUS ReturnStatus;
- CONST CHAR16 *ValueStr;
-
- Status = EFI_SUCCESS;
- ReturnStatus = EFI_SUCCESS;
-
- //
- // Convert user imput from string to integer, and fill in the member in EFI_IPSEC_SPD_SELECTOR.
- //
- ValueStr = ShellCommandLineGetValue (ParamPackage, L"--local");
- if (ValueStr != NULL) {
- Selector->LocalAddressCount = 1;
- Status = EfiInetAddrRange ((CHAR16 *) ValueStr, Selector->LocalAddress);
- if (EFI_ERROR (Status)) {
- ShellPrintHiiEx (
- -1,
- -1,
- NULL,
- STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE),
- mHiiHandle,
- mAppName,
- L"--local",
- ValueStr
- );
- ReturnStatus = EFI_INVALID_PARAMETER;
- } else {
- *Mask |= LOCAL;
- }
- }
-
- //
- // Convert user imput from string to integer, and fill in the member in EFI_IPSEC_SPD_SELECTOR.
- //
- ValueStr = ShellCommandLineGetValue (ParamPackage, L"--remote");
- if (ValueStr != NULL) {
- Selector->RemoteAddressCount = 1;
- Status = EfiInetAddrRange ((CHAR16 *) ValueStr, Selector->RemoteAddress);
- if (EFI_ERROR (Status)) {
- ShellPrintHiiEx (
- -1,
- -1,
- NULL,
- STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE),
- mHiiHandle,
- mAppName,
- L"--remote",
- ValueStr
- );
- ReturnStatus = EFI_INVALID_PARAMETER;
- } else {
- *Mask |= REMOTE;
- }
- }
-
- Selector->NextLayerProtocol = EFI_IPSEC_ANY_PROTOCOL;
-
- //
- // Convert user imput from string to integer, and fill in the member in EFI_IPSEC_SPD_SELECTOR.
- //
- Status = GetNumber (
- L"--proto",
- (UINT16) -1,
- &Selector->NextLayerProtocol,
- sizeof (UINT16),
- mMapIpProtocol,
- ParamPackage,
- FORMAT_NUMBER | FORMAT_STRING
- );
- if (!EFI_ERROR (Status)) {
- *Mask |= PROTO;
- }
-
- if (Status == EFI_INVALID_PARAMETER) {
- ReturnStatus = EFI_INVALID_PARAMETER;
- }
-
- Selector->LocalPort = EFI_IPSEC_ANY_PORT;
- Selector->RemotePort = EFI_IPSEC_ANY_PORT;
-
- //
- // Convert user imput from string to integer, and fill in the member in EFI_IPSEC_SPD_SELECTOR.
- //
- ValueStr = ShellCommandLineGetValue (ParamPackage, L"--local-port");
- if (ValueStr != NULL) {
- Status = EfiInetPortRange ((CHAR16 *) ValueStr, &Selector->LocalPort, &Selector->LocalPortRange);
- if (EFI_ERROR (Status)) {
- ShellPrintHiiEx (
- -1,
- -1,
- NULL,
- STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE),
- mHiiHandle,
- mAppName,
- L"--local-port",
- ValueStr
- );
- ReturnStatus = EFI_INVALID_PARAMETER;
- } else {
- *Mask |= LOCAL_PORT;
- }
- }
-
- //
- // Convert user imput from string to integer, and fill in the member in EFI_IPSEC_SPD_SELECTOR.
- //
- ValueStr = ShellCommandLineGetValue (ParamPackage, L"--remote-port");
- if (ValueStr != NULL) {
- Status = EfiInetPortRange ((CHAR16 *) ValueStr, &Selector->RemotePort, &Selector->RemotePortRange);
- if (EFI_ERROR (Status)) {
- ShellPrintHiiEx (
- -1,
- -1,
- NULL,
- STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE),
- mHiiHandle,
- mAppName,
- L"--remote-port",
- ValueStr
- );
- ReturnStatus = EFI_INVALID_PARAMETER;
- } else {
- *Mask |= REMOTE_PORT;
- }
- }
-
- //
- // Convert user imput from string to integer, and fill in the member in EFI_IPSEC_SPD_SELECTOR.
- //
- Status = GetNumber (
- L"--icmp-type",
- (UINT8) -1,
- &Selector->LocalPort,
- sizeof (UINT16),
- NULL,
- ParamPackage,
- FORMAT_NUMBER
- );
- if (!EFI_ERROR (Status)) {
- *Mask |= ICMP_TYPE;
- }
-
- if (Status == EFI_INVALID_PARAMETER) {
- ReturnStatus = EFI_INVALID_PARAMETER;
- }
-
- //
- // Convert user imput from string to integer, and fill in the member in EFI_IPSEC_SPD_SELECTOR.
- //
- Status = GetNumber (
- L"--icmp-code",
- (UINT8) -1,
- &Selector->RemotePort,
- sizeof (UINT16),
- NULL,
- ParamPackage,
- FORMAT_NUMBER
- );
- if (!EFI_ERROR (Status)) {
- *Mask |= ICMP_CODE;
- }
-
- if (Status == EFI_INVALID_PARAMETER) {
- ReturnStatus = EFI_INVALID_PARAMETER;
- }
-
- return ReturnStatus;
-}
-
-/**
- Fill in EFI_IPSEC_SPD_SELECTOR and EFI_IPSEC_SPD_DATA through ParamPackage list.
-
- @param[out] Selector The pointer to the EFI_IPSEC_SPD_SELECTOR structure.
- @param[out] Data The pointer to the EFI_IPSEC_SPD_DATA structure.
- @param[in] ParamPackage The pointer to the ParamPackage list.
- @param[out] Mask The pointer to the Mask.
- @param[in] CreateNew The switch to create new.
-
- @retval EFI_SUCCESS Fill in EFI_IPSEC_SPD_SELECTOR and EFI_IPSEC_SPD_DATA successfully.
- @retval EFI_INVALID_PARAMETER Invalid user input parameter.
-
-**/
-EFI_STATUS
-CreateSpdEntry (
- OUT EFI_IPSEC_SPD_SELECTOR **Selector,
- OUT EFI_IPSEC_SPD_DATA **Data,
- IN LIST_ENTRY *ParamPackage,
- OUT UINT32 *Mask,
- IN BOOLEAN CreateNew
- )
-{
- EFI_STATUS Status;
- EFI_STATUS ReturnStatus;
- CONST CHAR16 *ValueStr;
- UINTN DataSize;
-
- Status = EFI_SUCCESS;
- *Mask = 0;
-
- *Selector = AllocateZeroPool (sizeof (EFI_IPSEC_SPD_SELECTOR) + 2 * sizeof (EFI_IP_ADDRESS_INFO));
- ASSERT (*Selector != NULL);
-
- (*Selector)->LocalAddress = (EFI_IP_ADDRESS_INFO *) (*Selector + 1);
- (*Selector)->RemoteAddress = (*Selector)->LocalAddress + 1;
-
- ReturnStatus = CreateSpdSelector (*Selector, ParamPackage, Mask);
-
- //
- // SPD DATA
- // NOTE: Allocate enough memory and add padding for different arch.
- //
- DataSize = ALIGN_VARIABLE (sizeof (EFI_IPSEC_SPD_DATA));
- DataSize = ALIGN_VARIABLE (DataSize + sizeof (EFI_IPSEC_PROCESS_POLICY));
- DataSize += sizeof (EFI_IPSEC_TUNNEL_OPTION);
-
- *Data = AllocateZeroPool (DataSize);
- ASSERT (*Data != NULL);
-
- (*Data)->ProcessingPolicy = (EFI_IPSEC_PROCESS_POLICY *) ALIGN_POINTER (
- (*Data + 1),
- sizeof (UINTN)
- );
- (*Data)->ProcessingPolicy->TunnelOption = (EFI_IPSEC_TUNNEL_OPTION *) ALIGN_POINTER (
- ((*Data)->ProcessingPolicy + 1),
- sizeof (UINTN)
- );
-
-
- //
- // Convert user imput from string to integer, and fill in the Name in EFI_IPSEC_SPD_DATA.
- //
- ValueStr = ShellCommandLineGetValue (ParamPackage, L"--name");
- if (ValueStr != NULL) {
- UnicodeStrToAsciiStrS (ValueStr, (CHAR8 *) (*Data)->Name, sizeof ((*Data)->Name));
- *Mask |= NAME;
- }
-
- //
- // Convert user imput from string to integer, and fill in the PackageFlag in EFI_IPSEC_SPD_DATA.
- //
- Status = GetNumber (
- L"--packet-flag",
- (UINT8) -1,
- &(*Data)->PackageFlag,
- sizeof (UINT32),
- NULL,
- ParamPackage,
- FORMAT_NUMBER
- );
- if (!EFI_ERROR (Status)) {
- *Mask |= PACKET_FLAG;
- }
-
- if (Status == EFI_INVALID_PARAMETER) {
- ReturnStatus = EFI_INVALID_PARAMETER;
- }
-
- //
- // Convert user imput from string to integer, and fill in the Action in EFI_IPSEC_SPD_DATA.
- //
- Status = GetNumber (
- L"--action",
- (UINT8) -1,
- &(*Data)->Action,
- sizeof (UINT32),
- mMapIpSecAction,
- ParamPackage,
- FORMAT_STRING
- );
- if (!EFI_ERROR (Status)) {
- *Mask |= ACTION;
- }
-
- if (Status == EFI_INVALID_PARAMETER) {
- ReturnStatus = EFI_INVALID_PARAMETER;
- }
-
- //
- // Convert user imput from string to integer, and fill in the ExtSeqNum in EFI_IPSEC_SPD_DATA.
- //
- if (ShellCommandLineGetFlag (ParamPackage, L"--ext-sequence")) {
- (*Data)->ProcessingPolicy->ExtSeqNum = TRUE;
- *Mask |= EXT_SEQUENCE;
- } else if (ShellCommandLineGetFlag (ParamPackage, L"--ext-sequence-")) {
- (*Data)->ProcessingPolicy->ExtSeqNum = FALSE;
- *Mask |= EXT_SEQUENCE;
- }
-
- //
- // Convert user imput from string to integer, and fill in the SeqOverflow in EFI_IPSEC_SPD_DATA.
- //
- if (ShellCommandLineGetFlag (ParamPackage, L"--sequence-overflow")) {
- (*Data)->ProcessingPolicy->SeqOverflow = TRUE;
- *Mask |= SEQUENCE_OVERFLOW;
- } else if (ShellCommandLineGetFlag (ParamPackage, L"--sequence-overflow-")) {
- (*Data)->ProcessingPolicy->SeqOverflow = FALSE;
- *Mask |= SEQUENCE_OVERFLOW;
- }
-
- //
- // Convert user imput from string to integer, and fill in the FragCheck in EFI_IPSEC_SPD_DATA.
- //
- if (ShellCommandLineGetFlag (ParamPackage, L"--fragment-check")) {
- (*Data)->ProcessingPolicy->FragCheck = TRUE;
- *Mask |= FRAGMENT_CHECK;
- } else if (ShellCommandLineGetFlag (ParamPackage, L"--fragment-check-")) {
- (*Data)->ProcessingPolicy->FragCheck = FALSE;
- *Mask |= FRAGMENT_CHECK;
- }
-
- //
- // Convert user imput from string to integer, and fill in the ProcessingPolicy in EFI_IPSEC_SPD_DATA.
- //
- Status = GetNumber (
- L"--lifebyte",
- (UINT64) -1,
- &(*Data)->ProcessingPolicy->SaLifetime.ByteCount,
- sizeof (UINT64),
- NULL,
- ParamPackage,
- FORMAT_NUMBER
- );
- if (!EFI_ERROR (Status)) {
- *Mask |= LIFEBYTE;
- }
-
- if (Status == EFI_INVALID_PARAMETER) {
- ReturnStatus = EFI_INVALID_PARAMETER;
- }
-
- Status = GetNumber (
- L"--lifetime",
- (UINT64) -1,
- &(*Data)->ProcessingPolicy->SaLifetime.HardLifetime,
- sizeof (UINT64),
- NULL,
- ParamPackage,
- FORMAT_NUMBER
- );
- if (!EFI_ERROR (Status)) {
- *Mask |= LIFETIME;
- }
- if (Status == EFI_INVALID_PARAMETER) {
- ReturnStatus = EFI_INVALID_PARAMETER;
- }
-
- Status = GetNumber (
- L"--lifetime-soft",
- (UINT64) -1,
- &(*Data)->ProcessingPolicy->SaLifetime.SoftLifetime,
- sizeof (UINT64),
- NULL,
- ParamPackage,
- FORMAT_NUMBER
- );
- if (!EFI_ERROR (Status)) {
- *Mask |= LIFETIME_SOFT;
- }
-
- if (Status == EFI_INVALID_PARAMETER) {
- ReturnStatus = EFI_INVALID_PARAMETER;
- }
-
- (*Data)->ProcessingPolicy->Mode = EfiIPsecTransport;
- Status = GetNumber (
- L"--mode",
- 0,
- &(*Data)->ProcessingPolicy->Mode,
- sizeof (UINT32),
- mMapIpSecMode,
- ParamPackage,
- FORMAT_STRING
- );
- if (!EFI_ERROR (Status)) {
- *Mask |= MODE;
- }
-
- if (Status == EFI_INVALID_PARAMETER) {
- ReturnStatus = EFI_INVALID_PARAMETER;
- }
-
- ValueStr = ShellCommandLineGetValue (ParamPackage, L"--tunnel-local");
- if (ValueStr != NULL) {
- Status = EfiInetAddr2 ((CHAR16 *) ValueStr, &(*Data)->ProcessingPolicy->TunnelOption->LocalTunnelAddress);
- if (EFI_ERROR (Status)) {
- ShellPrintHiiEx (
- -1,
- -1,
- NULL,
- STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE),
- mHiiHandle,
- mAppName,
- L"--tunnel-local",
- ValueStr
- );
- ReturnStatus = EFI_INVALID_PARAMETER;
- } else {
- *Mask |= TUNNEL_LOCAL;
- }
- }
-
- ValueStr = ShellCommandLineGetValue (ParamPackage, L"--tunnel-remote");
- if (ValueStr != NULL) {
- Status = EfiInetAddr2 ((CHAR16 *) ValueStr, &(*Data)->ProcessingPolicy->TunnelOption->RemoteTunnelAddress);
- if (EFI_ERROR (Status)) {
- ShellPrintHiiEx (
- -1,
- -1,
- NULL,
- STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE),
- mHiiHandle,
- mAppName,
- L"--tunnel-remote",
- ValueStr
- );
- ReturnStatus = EFI_INVALID_PARAMETER;
- } else {
- *Mask |= TUNNEL_REMOTE;
- }
- }
-
- (*Data)->ProcessingPolicy->TunnelOption->DF = EfiIPsecTunnelCopyDf;
- Status = GetNumber (
- L"--dont-fragment",
- 0,
- &(*Data)->ProcessingPolicy->TunnelOption->DF,
- sizeof (UINT32),
- mMapDfOption,
- ParamPackage,
- FORMAT_STRING
- );
- if (!EFI_ERROR (Status)) {
- *Mask |= DONT_FRAGMENT;
- }
-
- if (Status == EFI_INVALID_PARAMETER) {
- ReturnStatus = EFI_INVALID_PARAMETER;
- }
-
- (*Data)->ProcessingPolicy->Proto = EfiIPsecESP;
- Status = GetNumber (
- L"--ipsec-proto",
- 0,
- &(*Data)->ProcessingPolicy->Proto,
- sizeof (UINT32),
- mMapIpSecProtocol,
- ParamPackage,
- FORMAT_STRING
- );
- if (!EFI_ERROR (Status)) {
- *Mask |= IPSEC_PROTO;
- }
-
- if (Status == EFI_INVALID_PARAMETER) {
- ReturnStatus = EFI_INVALID_PARAMETER;
- }
-
- Status = GetNumber (
- L"--encrypt-algo",
- 0,
- &(*Data)->ProcessingPolicy->EncAlgoId,
- sizeof (UINT8),
- mMapEncAlgo,
- ParamPackage,
- FORMAT_STRING
- );
- if (!EFI_ERROR (Status)) {
- *Mask |= ENCRYPT_ALGO;
- }
-
- if (Status == EFI_INVALID_PARAMETER) {
- ReturnStatus = EFI_INVALID_PARAMETER;
- }
-
- Status = GetNumber (
- L"--auth-algo",
- 0,
- &(*Data)->ProcessingPolicy->AuthAlgoId,
- sizeof (UINT8),
- mMapAuthAlgo,
- ParamPackage,
- FORMAT_STRING
- );
- if (!EFI_ERROR (Status)) {
- *Mask |= AUTH_ALGO;
- }
-
- if (Status == EFI_INVALID_PARAMETER) {
- ReturnStatus = EFI_INVALID_PARAMETER;
- }
-
- //
- // Cannot check Mode against EfiIPsecTunnel, because user may want to change tunnel_remote only so the Mode is not set.
- //
- if ((*Mask & (TUNNEL_LOCAL | TUNNEL_REMOTE | DONT_FRAGMENT)) == 0) {
- (*Data)->ProcessingPolicy->TunnelOption = NULL;
- }
-
- if ((*Mask & (EXT_SEQUENCE | SEQUENCE_OVERFLOW | FRAGMENT_CHECK | LIFEBYTE |
- LIFETIME_SOFT | LIFETIME | MODE | TUNNEL_LOCAL | TUNNEL_REMOTE |
- DONT_FRAGMENT | IPSEC_PROTO | AUTH_ALGO | ENCRYPT_ALGO)) == 0) {
- if ((*Data)->Action != EfiIPsecActionProtect) {
- //
- // User may not provide additional parameter for Protect action, so we cannot simply set ProcessingPolicy to NULL.
- //
- (*Data)->ProcessingPolicy = NULL;
- }
- }
-
- if (CreateNew) {
- if ((*Mask & (LOCAL | REMOTE | PROTO | ACTION)) != (LOCAL | REMOTE | PROTO | ACTION)) {
- ShellPrintHiiEx (
- -1,
- -1,
- NULL,
- STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS),
- mHiiHandle,
- mAppName,
- L"--local --remote --proto --action"
- );
- ReturnStatus = EFI_INVALID_PARAMETER;
- } else if (((*Data)->Action == EfiIPsecActionProtect) &&
- ((*Data)->ProcessingPolicy->Mode == EfiIPsecTunnel) &&
- ((*Mask & (TUNNEL_LOCAL | TUNNEL_REMOTE)) != (TUNNEL_LOCAL | TUNNEL_REMOTE))) {
- ShellPrintHiiEx (
- -1,
- -1,
- NULL,
- STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS),
- mHiiHandle,
- mAppName,
- L"--tunnel-local --tunnel-remote"
- );
- ReturnStatus = EFI_INVALID_PARAMETER;
- }
- }
-
- return ReturnStatus;
-}
-
-/**
- Fill in EFI_IPSEC_SA_ID and EFI_IPSEC_SA_DATA2 through ParamPackage list.
-
- @param[out] SaId The pointer to the EFI_IPSEC_SA_ID structure.
- @param[out] Data The pointer to the EFI_IPSEC_SA_DATA2 structure.
- @param[in] ParamPackage The pointer to the ParamPackage list.
- @param[out] Mask The pointer to the Mask.
- @param[in] CreateNew The switch to create new.
-
- @retval EFI_SUCCESS Fill in EFI_IPSEC_SA_ID and EFI_IPSEC_SA_DATA2 successfully.
- @retval EFI_INVALID_PARAMETER Invalid user input parameter.
-
-**/
-EFI_STATUS
-CreateSadEntry (
- OUT EFI_IPSEC_SA_ID **SaId,
- OUT EFI_IPSEC_SA_DATA2 **Data,
- IN LIST_ENTRY *ParamPackage,
- OUT UINT32 *Mask,
- IN BOOLEAN CreateNew
- )
-{
- EFI_STATUS Status;
- EFI_STATUS ReturnStatus;
- UINTN AuthKeyLength;
- UINTN EncKeyLength;
- CONST CHAR16 *ValueStr;
- CHAR8 *AsciiStr;
- UINTN DataSize;
-
- Status = EFI_SUCCESS;
- ReturnStatus = EFI_SUCCESS;
- *Mask = 0;
- AuthKeyLength = 0;
- EncKeyLength = 0;
-
- *SaId = AllocateZeroPool (sizeof (EFI_IPSEC_SA_ID));
- ASSERT (*SaId != NULL);
-
- //
- // Convert user imput from string to integer, and fill in the Spi in EFI_IPSEC_SA_ID.
- //
- Status = GetNumber (L"--spi", (UINT32) -1, &(*SaId)->Spi, sizeof (UINT32), NULL, ParamPackage, FORMAT_NUMBER);
- if (!EFI_ERROR (Status)) {
- *Mask |= SPI;
- }
-
- if (Status == EFI_INVALID_PARAMETER) {
- ReturnStatus = EFI_INVALID_PARAMETER;
- }
-
- //
- // Convert user imput from string to integer, and fill in the Proto in EFI_IPSEC_SA_ID.
- //
- Status = GetNumber (
- L"--ipsec-proto",
- 0,
- &(*SaId)->Proto,
- sizeof (EFI_IPSEC_PROTOCOL_TYPE),
- mMapIpSecProtocol,
- ParamPackage,
- FORMAT_STRING
- );
- if (!EFI_ERROR (Status)) {
- *Mask |= IPSEC_PROTO;
- }
-
- if (Status == EFI_INVALID_PARAMETER) {
- ReturnStatus = EFI_INVALID_PARAMETER;
- }
-
- //
- // Convert user imput from string to integer, and fill in EFI_IPSEC_SA_DATA2.
- //
- ValueStr = ShellCommandLineGetValue (ParamPackage, L"--auth-key");
- if (ValueStr != NULL) {
- AuthKeyLength = StrLen (ValueStr);
- }
-
- ValueStr = ShellCommandLineGetValue (ParamPackage, L"--encrypt-key");
- if (ValueStr != NULL) {
- EncKeyLength = StrLen (ValueStr);
- }
-
- //
- // EFI_IPSEC_SA_DATA2:
- // +------------
- // | EFI_IPSEC_SA_DATA2
- // +-----------------------
- // | AuthKey
- // +-------------------------
- // | EncKey
- // +-------------------------
- // | SpdSelector
- //
- // Notes: To make sure the address alignment add padding after each data if needed.
- //
- DataSize = ALIGN_VARIABLE (sizeof (EFI_IPSEC_SA_DATA2));
- DataSize = ALIGN_VARIABLE (DataSize + AuthKeyLength);
- DataSize = ALIGN_VARIABLE (DataSize + EncKeyLength);
- DataSize = ALIGN_VARIABLE (DataSize + sizeof (EFI_IPSEC_SPD_SELECTOR));
- DataSize = ALIGN_VARIABLE (DataSize + sizeof (EFI_IP_ADDRESS_INFO));
- DataSize += sizeof (EFI_IP_ADDRESS_INFO);
-
-
-
- *Data = AllocateZeroPool (DataSize);
- ASSERT (*Data != NULL);
-
- (*Data)->ManualSet = TRUE;
- (*Data)->AlgoInfo.EspAlgoInfo.AuthKey = (VOID *) ALIGN_POINTER (((*Data) + 1), sizeof (UINTN));
- (*Data)->AlgoInfo.EspAlgoInfo.EncKey = (VOID *) ALIGN_POINTER (
- ((UINT8 *) (*Data)->AlgoInfo.EspAlgoInfo.AuthKey + AuthKeyLength),
- sizeof (UINTN)
- );
- (*Data)->SpdSelector = (EFI_IPSEC_SPD_SELECTOR *) ALIGN_POINTER (
- ((UINT8 *) (*Data)->AlgoInfo.EspAlgoInfo.EncKey + EncKeyLength),
- sizeof (UINTN)
- );
- (*Data)->SpdSelector->LocalAddress = (EFI_IP_ADDRESS_INFO *) ALIGN_POINTER (
- ((UINT8 *) (*Data)->SpdSelector + sizeof (EFI_IPSEC_SPD_SELECTOR)),
- sizeof (UINTN));
- (*Data)->SpdSelector->RemoteAddress = (EFI_IP_ADDRESS_INFO *) ALIGN_POINTER (
- (*Data)->SpdSelector->LocalAddress + 1,
- sizeof (UINTN)
- );
-
- (*Data)->Mode = EfiIPsecTransport;
- Status = GetNumber (
- L"--mode",
- 0,
- &(*Data)->Mode,
- sizeof (EFI_IPSEC_MODE),
- mMapIpSecMode,
- ParamPackage,
- FORMAT_STRING
- );
- if (!EFI_ERROR (Status)) {
- *Mask |= MODE;
- }
-
- if (Status == EFI_INVALID_PARAMETER) {
- ReturnStatus = EFI_INVALID_PARAMETER;
- }
-
- //
- // According to RFC 4303-3.3.3. The first packet sent using a given SA
- // will contain a sequence number of 1.
- //
- (*Data)->SNCount = 1;
- Status = GetNumber (
- L"--sequence-number",
- (UINT64) -1,
- &(*Data)->SNCount,
- sizeof (UINT64),
- NULL,
- ParamPackage,
- FORMAT_NUMBER
- );
- if (!EFI_ERROR (Status)) {
- *Mask |= SEQUENCE_NUMBER;
- }
-
- if (Status == EFI_INVALID_PARAMETER) {
- ReturnStatus = EFI_INVALID_PARAMETER;
- }
-
- (*Data)->AntiReplayWindows = 0;
- Status = GetNumber (
- L"--antireplay-window",
- (UINT8) -1,
- &(*Data)->AntiReplayWindows,
- sizeof (UINT8),
- NULL,
- ParamPackage,
- FORMAT_NUMBER
- );
- if (!EFI_ERROR (Status)) {
- *Mask |= SEQUENCE_NUMBER;
- }
-
- if (Status == EFI_INVALID_PARAMETER) {
- ReturnStatus = EFI_INVALID_PARAMETER;
- }
-
- Status = GetNumber (
- L"--encrypt-algo",
- 0,
- &(*Data)->AlgoInfo.EspAlgoInfo.EncAlgoId,
- sizeof (UINT8),
- mMapEncAlgo,
- ParamPackage,
- FORMAT_STRING
- );
- if (!EFI_ERROR (Status)) {
- *Mask |= ENCRYPT_ALGO;
- }
-
- if (Status == EFI_INVALID_PARAMETER) {
- ReturnStatus = EFI_INVALID_PARAMETER;
- }
-
- ValueStr = ShellCommandLineGetValue (ParamPackage, L"--encrypt-key");
- if (ValueStr != NULL ) {
- (*Data)->AlgoInfo.EspAlgoInfo.EncKeyLength = EncKeyLength;
- AsciiStr = AllocateZeroPool (EncKeyLength + 1);
- ASSERT (AsciiStr != NULL);
- UnicodeStrToAsciiStrS (ValueStr, AsciiStr, EncKeyLength + 1);
- CopyMem ((*Data)->AlgoInfo.EspAlgoInfo.EncKey, AsciiStr, EncKeyLength);
- FreePool (AsciiStr);
- *Mask |= ENCRYPT_KEY;
- } else {
- (*Data)->AlgoInfo.EspAlgoInfo.EncKey = NULL;
- }
-
- Status = GetNumber (
- L"--auth-algo",
- 0,
- &(*Data)->AlgoInfo.EspAlgoInfo.AuthAlgoId,
- sizeof (UINT8),
- mMapAuthAlgo,
- ParamPackage,
- FORMAT_STRING
- );
- if (!EFI_ERROR (Status)) {
- *Mask |= AUTH_ALGO;
- }
-
- if (Status == EFI_INVALID_PARAMETER) {
- ReturnStatus = EFI_INVALID_PARAMETER;
- }
-
- ValueStr = ShellCommandLineGetValue (ParamPackage, L"--auth-key");
- if (ValueStr != NULL) {
- (*Data)->AlgoInfo.EspAlgoInfo.AuthKeyLength = AuthKeyLength;
- AsciiStr = AllocateZeroPool (AuthKeyLength + 1);
- ASSERT (AsciiStr != NULL);
- UnicodeStrToAsciiStrS (ValueStr, AsciiStr, AuthKeyLength + 1);
- CopyMem ((*Data)->AlgoInfo.EspAlgoInfo.AuthKey, AsciiStr, AuthKeyLength);
- FreePool (AsciiStr);
- *Mask |= AUTH_KEY;
- } else {
- (*Data)->AlgoInfo.EspAlgoInfo.AuthKey = NULL;
- }
-
- Status = GetNumber (
- L"--lifebyte",
- (UINT64) -1,
- &(*Data)->SaLifetime.ByteCount,
- sizeof (UINT64),
- NULL,
- ParamPackage,
- FORMAT_NUMBER
- );
- if (!EFI_ERROR (Status)) {
- *Mask |= LIFEBYTE;
- }
-
- if (Status == EFI_INVALID_PARAMETER) {
- ReturnStatus = EFI_INVALID_PARAMETER;
- }
-
- Status = GetNumber (
- L"--lifetime",
- (UINT64) -1,
- &(*Data)->SaLifetime.HardLifetime,
- sizeof (UINT64),
- NULL,
- ParamPackage,
- FORMAT_NUMBER
- );
- if (!EFI_ERROR (Status)) {
- *Mask |= LIFETIME;
- }
-
- if (Status == EFI_INVALID_PARAMETER) {
- ReturnStatus = EFI_INVALID_PARAMETER;
- }
-
- Status = GetNumber (
- L"--lifetime-soft",
- (UINT64) -1,
- &(*Data)->SaLifetime.SoftLifetime,
- sizeof (UINT64),
- NULL,
- ParamPackage,
- FORMAT_NUMBER
- );
- if (!EFI_ERROR (Status)) {
- *Mask |= LIFETIME_SOFT;
- }
-
- if (Status == EFI_INVALID_PARAMETER) {
- ReturnStatus = EFI_INVALID_PARAMETER;
- }
-
- Status = GetNumber (
- L"--path-mtu",
- (UINT32) -1,
- &(*Data)->PathMTU,
- sizeof (UINT32),
- NULL,
- ParamPackage,
- FORMAT_NUMBER
- );
- if (!EFI_ERROR (Status)) {
- *Mask |= PATH_MTU;
- }
-
- if (Status == EFI_INVALID_PARAMETER) {
- ReturnStatus = EFI_INVALID_PARAMETER;
- }
-
- //
- // Convert user imput from string to integer, and fill in the DestAddress in EFI_IPSEC_SA_ID.
- //
- ValueStr = ShellCommandLineGetValue (ParamPackage, L"--tunnel-dest");
- if (ValueStr != NULL) {
- Status = EfiInetAddr2 ((CHAR16 *) ValueStr, &(*Data)->TunnelDestinationAddress);
- if (EFI_ERROR (Status)) {
- ShellPrintHiiEx (
- -1,
- -1,
- NULL,
- STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE),
- mHiiHandle,
- mAppName,
- L"--tunnel-dest",
- ValueStr
- );
- ReturnStatus = EFI_INVALID_PARAMETER;
- } else {
- *Mask |= DEST;
- }
- }
-
- //
- // Convert user input from string to integer, and fill in the DestAddress in EFI_IPSEC_SA_ID.
- //
- ValueStr = ShellCommandLineGetValue (ParamPackage, L"--tunnel-source");
- if (ValueStr != NULL) {
- Status = EfiInetAddr2 ((CHAR16 *) ValueStr, &(*Data)->TunnelSourceAddress);
- if (EFI_ERROR (Status)) {
- ShellPrintHiiEx (
- -1,
- -1,
- NULL,
- STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE),
- mHiiHandle,
- mAppName,
- L"--tunnel-source",
- ValueStr
- );
- ReturnStatus = EFI_INVALID_PARAMETER;
- } else {
- *Mask |= SOURCE;
- }
- }
-
- //
- // If it is TunnelMode, then check if the tunnel-source and --tunnel-dest are set
- //
- if ((*Data)->Mode == EfiIPsecTunnel) {
- if ((*Mask & (DEST|SOURCE)) != (DEST|SOURCE)) {
- ShellPrintHiiEx (
- -1,
- -1,
- NULL,
- STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS),
- mHiiHandle,
- mAppName,
- L"--tunnel-source --tunnel-dest"
- );
- ReturnStatus = EFI_INVALID_PARAMETER;
- }
- }
- ReturnStatus = CreateSpdSelector ((*Data)->SpdSelector, ParamPackage, Mask);
-
- if (CreateNew) {
- if ((*Mask & (SPI|IPSEC_PROTO|LOCAL|REMOTE)) != (SPI|IPSEC_PROTO|LOCAL|REMOTE)) {
- ShellPrintHiiEx (
- -1,
- -1,
- NULL,
- STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS),
- mHiiHandle,
- mAppName,
- L"--spi --ipsec-proto --local --remote"
- );
- ReturnStatus = EFI_INVALID_PARAMETER;
- } else {
- if ((*SaId)->Proto == EfiIPsecAH) {
- if ((*Mask & AUTH_ALGO) == 0) {
- ShellPrintHiiEx (
- -1,
- -1,
- NULL,
- STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_PARAMETER),
- mHiiHandle,
- mAppName,
- L"--auth-algo"
- );
- ReturnStatus = EFI_INVALID_PARAMETER;
- } else if ((*Data)->AlgoInfo.EspAlgoInfo.AuthAlgoId != IPSEC_AALG_NONE && (*Mask & AUTH_KEY) == 0) {
- ShellPrintHiiEx (
- -1,
- -1,
- NULL,
- STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_PARAMETER),
- mHiiHandle,
- mAppName,
- L"--auth-key"
- );
- ReturnStatus = EFI_INVALID_PARAMETER;
- }
- } else {
- if ((*Mask & (ENCRYPT_ALGO|AUTH_ALGO)) != (ENCRYPT_ALGO|AUTH_ALGO) ) {
- ShellPrintHiiEx (
- -1,
- -1,
- NULL,
- STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_PARAMETER),
- mHiiHandle,
- mAppName,
- L"--encrypt-algo --auth-algo"
- );
- ReturnStatus = EFI_INVALID_PARAMETER;
- } else if ((*Data)->AlgoInfo.EspAlgoInfo.EncAlgoId != IPSEC_EALG_NONE && (*Mask & ENCRYPT_KEY) == 0) {
- ShellPrintHiiEx (
- -1,
- -1,
- NULL,
- STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_PARAMETER),
- mHiiHandle,
- mAppName,
- L"--encrypt-key"
- );
- ReturnStatus = EFI_INVALID_PARAMETER;
- } else if ((*Data)->AlgoInfo.EspAlgoInfo.AuthAlgoId != IPSEC_AALG_NONE && (*Mask & AUTH_KEY) == 0) {
- ShellPrintHiiEx (
- -1,
- -1,
- NULL,
- STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_PARAMETER),
- mHiiHandle,
- mAppName,
- L"--auth-key"
- );
- ReturnStatus = EFI_INVALID_PARAMETER;
- }
- }
- }
- }
-
- return ReturnStatus;
-}
-
-/**
- Fill in EFI_IPSEC_PAD_ID and EFI_IPSEC_PAD_DATA through ParamPackage list.
-
- @param[out] PadId The pointer to the EFI_IPSEC_PAD_ID structure.
- @param[out] Data The pointer to the EFI_IPSEC_PAD_DATA structure.
- @param[in] ParamPackage The pointer to the ParamPackage list.
- @param[out] Mask The pointer to the Mask.
- @param[in] CreateNew The switch to create new.
-
- @retval EFI_SUCCESS Fill in EFI_IPSEC_PAD_ID and EFI_IPSEC_PAD_DATA successfully.
- @retval EFI_INVALID_PARAMETER Invalid user input parameter.
-
-**/
-EFI_STATUS
-CreatePadEntry (
- OUT EFI_IPSEC_PAD_ID **PadId,
- OUT EFI_IPSEC_PAD_DATA **Data,
- IN LIST_ENTRY *ParamPackage,
- OUT UINT32 *Mask,
- IN BOOLEAN CreateNew
- )
-{
- EFI_STATUS Status;
- EFI_STATUS ReturnStatus;
- SHELL_FILE_HANDLE FileHandle;
- UINT64 FileSize;
- UINTN AuthDataLength;
- UINTN RevocationDataLength;
- UINTN DataLength;
- UINTN Index;
- CONST CHAR16 *ValueStr;
- UINTN DataSize;
-
- Status = EFI_SUCCESS;
- ReturnStatus = EFI_SUCCESS;
- *Mask = 0;
- AuthDataLength = 0;
- RevocationDataLength = 0;
-
- *PadId = AllocateZeroPool (sizeof (EFI_IPSEC_PAD_ID));
- ASSERT (*PadId != NULL);
-
- //
- // Convert user imput from string to integer, and fill in EFI_IPSEC_PAD_ID.
- //
- ValueStr = ShellCommandLineGetValue (ParamPackage, L"--peer-address");
- if (ValueStr != NULL) {
- (*PadId)->PeerIdValid = FALSE;
- Status = EfiInetAddrRange ((CHAR16 *) ValueStr, &(*PadId)->Id.IpAddress);
- if (EFI_ERROR (Status)) {
- ShellPrintHiiEx (
- -1,
- -1,
- NULL,
- STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE),
- mHiiHandle,
- mAppName,
- L"--peer-address",
- ValueStr
- );
- ReturnStatus = EFI_INVALID_PARAMETER;
- } else {
- *Mask |= PEER_ADDRESS;
- }
- }
-
- ValueStr = ShellCommandLineGetValue (ParamPackage, L"--peer-id");
- if (ValueStr != NULL) {
- (*PadId)->PeerIdValid = TRUE;
- StrnCpyS ((CHAR16 *) (*PadId)->Id.PeerId, MAX_PEERID_LEN / sizeof (CHAR16), ValueStr, MAX_PEERID_LEN / sizeof (CHAR16) - 1);
- *Mask |= PEER_ID;
- }
-
- ValueStr = ShellCommandLineGetValue (ParamPackage, L"--auth-data");
- if (ValueStr != NULL) {
- if (ValueStr[0] == L'@') {
- //
- // Input is a file: --auth-data "@fs1:\My Certificates\tom.dat"
- //
- Status = ShellOpenFileByName (&ValueStr[1], &FileHandle, EFI_FILE_MODE_READ, 0);
- if (EFI_ERROR (Status)) {
- ShellPrintHiiEx (
- -1,
- -1,
- NULL,
- STRING_TOKEN (STR_IPSEC_CONFIG_FILE_OPEN_FAILED),
- mHiiHandle,
- mAppName,
- &ValueStr[1]
- );
- ReturnStatus = EFI_INVALID_PARAMETER;
- } else {
- Status = ShellGetFileSize (FileHandle, &FileSize);
- ShellCloseFile (&FileHandle);
- if (EFI_ERROR (Status)) {
- ShellPrintHiiEx (
- -1,
- -1,
- NULL,
- STRING_TOKEN (STR_IPSEC_CONFIG_FILE_OPEN_FAILED),
- mHiiHandle,
- mAppName,
- &ValueStr[1]
- );
- ReturnStatus = EFI_INVALID_PARAMETER;
- } else {
- AuthDataLength = (UINTN) FileSize;
- }
- }
- } else {
- AuthDataLength = StrLen (ValueStr);
- }
- }
-
- ValueStr = ShellCommandLineGetValue (ParamPackage, L"--revocation-data");
- if (ValueStr != NULL) {
- RevocationDataLength = (StrLen (ValueStr) + 1) * sizeof (CHAR16);
- }
-
- //
- // Allocate Buffer for Data. Add padding after each struct to make sure the alignment
- // in different Arch.
- //
- DataSize = ALIGN_VARIABLE (sizeof (EFI_IPSEC_PAD_DATA));
- DataSize = ALIGN_VARIABLE (DataSize + AuthDataLength);
- DataSize += RevocationDataLength;
-
- *Data = AllocateZeroPool (DataSize);
- ASSERT (*Data != NULL);
-
- (*Data)->AuthData = (VOID *) ALIGN_POINTER ((*Data + 1), sizeof (UINTN));
- (*Data)->RevocationData = (VOID *) ALIGN_POINTER (((UINT8 *) (*Data + 1) + AuthDataLength), sizeof (UINTN));
- (*Data)->AuthProtocol = EfiIPsecAuthProtocolIKEv1;
-
- //
- // Convert user imput from string to integer, and fill in EFI_IPSEC_PAD_DATA.
- //
- Status = GetNumber (
- L"--auth-proto",
- 0,
- &(*Data)->AuthProtocol,
- sizeof (EFI_IPSEC_AUTH_PROTOCOL_TYPE),
- mMapAuthProto,
- ParamPackage,
- FORMAT_STRING
- );
- if (!EFI_ERROR (Status)) {
- *Mask |= AUTH_PROTO;
- }
-
- if (Status == EFI_INVALID_PARAMETER) {
- ReturnStatus = EFI_INVALID_PARAMETER;
- }
-
- Status = GetNumber (
- L"--auth-method",
- 0,
- &(*Data)->AuthMethod,
- sizeof (EFI_IPSEC_AUTH_METHOD),
- mMapAuthMethod,
- ParamPackage,
- FORMAT_STRING
- );
- if (!EFI_ERROR (Status)) {
- *Mask |= AUTH_METHOD;
- }
-
- if (Status == EFI_INVALID_PARAMETER) {
- ReturnStatus = EFI_INVALID_PARAMETER;
- }
-
- if (ShellCommandLineGetFlag (ParamPackage, L"--ike-id")) {
- (*Data)->IkeIdFlag = TRUE;
- *Mask |= IKE_ID;
- }
-
- if (ShellCommandLineGetFlag (ParamPackage, L"--ike-id-")) {
- (*Data)->IkeIdFlag = FALSE;
- *Mask |= IKE_ID;
- }
-
- ValueStr = ShellCommandLineGetValue (ParamPackage, L"--auth-data");
- if (ValueStr != NULL) {
- if (ValueStr[0] == L'@') {
- //
- // Input is a file: --auth-data "@fs1:\My Certificates\tom.dat"
- //
-
- Status = ShellOpenFileByName (&ValueStr[1], &FileHandle, EFI_FILE_MODE_READ, 0);
- if (EFI_ERROR (Status)) {
- ShellPrintHiiEx (
- -1,
- -1,
- NULL,
- STRING_TOKEN (STR_IPSEC_CONFIG_FILE_OPEN_FAILED),
- mHiiHandle,
- mAppName,
- &ValueStr[1]
- );
- ReturnStatus = EFI_INVALID_PARAMETER;
- (*Data)->AuthData = NULL;
- } else {
- DataLength = AuthDataLength;
- Status = ShellReadFile (FileHandle, &DataLength, (*Data)->AuthData);
- ShellCloseFile (&FileHandle);
- if (EFI_ERROR (Status)) {
- ShellPrintHiiEx (
- -1,
- -1,
- NULL,
- STRING_TOKEN (STR_IPSEC_CONFIG_FILE_OPEN_FAILED),
- mHiiHandle,
- mAppName,
- &ValueStr[1]
- );
- ReturnStatus = EFI_INVALID_PARAMETER;
- (*Data)->AuthData = NULL;
- } else {
- ASSERT (DataLength == AuthDataLength);
- *Mask |= AUTH_DATA;
- }
- }
- } else {
- for (Index = 0; Index < AuthDataLength; Index++) {
- ((CHAR8 *) (*Data)->AuthData)[Index] = (CHAR8) ValueStr[Index];
- }
- (*Data)->AuthDataSize = AuthDataLength;
- *Mask |= AUTH_DATA;
- }
- }
-
- ValueStr = ShellCommandLineGetValue (ParamPackage, L"--revocation-data");
- if (ValueStr != NULL) {
- CopyMem ((*Data)->RevocationData, ValueStr, RevocationDataLength);
- (*Data)->RevocationDataSize = RevocationDataLength;
- *Mask |= REVOCATION_DATA;
- } else {
- (*Data)->RevocationData = NULL;
- }
-
- if (CreateNew) {
- if ((*Mask & (PEER_ID | PEER_ADDRESS)) == 0) {
- ShellPrintHiiEx (
- -1,
- -1,
- NULL,
- STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS),
- mHiiHandle,
- mAppName,
- L"--peer-id --peer-address"
- );
- ReturnStatus = EFI_INVALID_PARAMETER;
- } else if ((*Mask & (AUTH_METHOD | AUTH_DATA)) != (AUTH_METHOD | AUTH_DATA)) {
- ShellPrintHiiEx (
- -1,
- -1,
- NULL,
- STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS),
- mHiiHandle,
- mAppName,
- L"--auth-method --auth-data"
- );
- ReturnStatus = EFI_INVALID_PARAMETER;
- }
- }
-
- return ReturnStatus;
-}
-
-CREATE_POLICY_ENTRY mCreatePolicyEntry[] = {
- (CREATE_POLICY_ENTRY) CreateSpdEntry,
- (CREATE_POLICY_ENTRY) CreateSadEntry,
- (CREATE_POLICY_ENTRY) CreatePadEntry
-};
-
-/**
- Combine old SPD entry with new SPD entry.
-
- @param[in, out] OldSelector The pointer to the EFI_IPSEC_SPD_SELECTOR structure.
- @param[in, out] OldData The pointer to the EFI_IPSEC_SPD_DATA structure.
- @param[in] NewSelector The pointer to the EFI_IPSEC_SPD_SELECTOR structure.
- @param[in] NewData The pointer to the EFI_IPSEC_SPD_DATA structure.
- @param[in] Mask The pointer to the Mask.
- @param[out] CreateNew The switch to create new.
-
- @retval EFI_SUCCESS Combined successfully.
- @retval EFI_INVALID_PARAMETER Invalid user input parameter.
-
-**/
-EFI_STATUS
-CombineSpdEntry (
- IN OUT EFI_IPSEC_SPD_SELECTOR *OldSelector,
- IN OUT EFI_IPSEC_SPD_DATA *OldData,
- IN EFI_IPSEC_SPD_SELECTOR *NewSelector,
- IN EFI_IPSEC_SPD_DATA *NewData,
- IN UINT32 Mask,
- OUT BOOLEAN *CreateNew
- )
-{
-
- //
- // Process Selector
- //
- *CreateNew = FALSE;
- if ((Mask & LOCAL) == 0) {
- NewSelector->LocalAddressCount = OldSelector->LocalAddressCount;
- NewSelector->LocalAddress = OldSelector->LocalAddress;
- } else if ((NewSelector->LocalAddressCount != OldSelector->LocalAddressCount) ||
- (CompareMem (NewSelector->LocalAddress, OldSelector->LocalAddress, NewSelector->LocalAddressCount * sizeof (EFI_IP_ADDRESS_INFO)) != 0)) {
- *CreateNew = TRUE;
- }
-
- if ((Mask & REMOTE) == 0) {
- NewSelector->RemoteAddressCount = OldSelector->RemoteAddressCount;
- NewSelector->RemoteAddress = OldSelector->RemoteAddress;
- } else if ((NewSelector->RemoteAddressCount != OldSelector->RemoteAddressCount) ||
- (CompareMem (NewSelector->RemoteAddress, OldSelector->RemoteAddress, NewSelector->RemoteAddressCount * sizeof (EFI_IP_ADDRESS_INFO)) != 0)) {
- *CreateNew = TRUE;
- }
-
- if ((Mask & PROTO) == 0) {
- NewSelector->NextLayerProtocol = OldSelector->NextLayerProtocol;
- } else if (NewSelector->NextLayerProtocol != OldSelector->NextLayerProtocol) {
- *CreateNew = TRUE;
- }
-
- switch (NewSelector->NextLayerProtocol) {
- case EFI_IP4_PROTO_TCP:
- case EFI_IP4_PROTO_UDP:
- if ((Mask & LOCAL_PORT) == 0) {
- NewSelector->LocalPort = OldSelector->LocalPort;
- NewSelector->LocalPortRange = OldSelector->LocalPortRange;
- } else if ((NewSelector->LocalPort != OldSelector->LocalPort) ||
- (NewSelector->LocalPortRange != OldSelector->LocalPortRange)) {
- *CreateNew = TRUE;
- }
-
- if ((Mask & REMOTE_PORT) == 0) {
- NewSelector->RemotePort = OldSelector->RemotePort;
- NewSelector->RemotePortRange = OldSelector->RemotePortRange;
- } else if ((NewSelector->RemotePort != OldSelector->RemotePort) ||
- (NewSelector->RemotePortRange != OldSelector->RemotePortRange)) {
- *CreateNew = TRUE;
- }
- break;
-
- case EFI_IP4_PROTO_ICMP:
- if ((Mask & ICMP_TYPE) == 0) {
- NewSelector->LocalPort = OldSelector->LocalPort;
- } else if (NewSelector->LocalPort != OldSelector->LocalPort) {
- *CreateNew = TRUE;
- }
-
- if ((Mask & ICMP_CODE) == 0) {
- NewSelector->RemotePort = OldSelector->RemotePort;
- } else if (NewSelector->RemotePort != OldSelector->RemotePort) {
- *CreateNew = TRUE;
- }
- break;
- }
- //
- // Process Data
- //
- OldData->SaIdCount = 0;
-
- if ((Mask & NAME) != 0) {
- AsciiStrCpyS ((CHAR8 *) OldData->Name, MAX_PEERID_LEN, (CHAR8 *) NewData->Name);
- }
-
- if ((Mask & PACKET_FLAG) != 0) {
- OldData->PackageFlag = NewData->PackageFlag;
- }
-
- if ((Mask & ACTION) != 0) {
- OldData->Action = NewData->Action;
- }
-
- if (OldData->Action != EfiIPsecActionProtect) {
- OldData->ProcessingPolicy = NULL;
- } else {
- //
- // Protect
- //
- if (OldData->ProcessingPolicy == NULL) {
- //
- // Just point to new data if originally NULL.
- //
- OldData->ProcessingPolicy = NewData->ProcessingPolicy;
- if (OldData->ProcessingPolicy->Mode == EfiIPsecTunnel &&
- (Mask & (TUNNEL_LOCAL | TUNNEL_REMOTE)) != (TUNNEL_LOCAL | TUNNEL_REMOTE)
- ) {
- //
- // Change to Protect action and Tunnel mode, but without providing local/remote tunnel address.
- //
- ShellPrintHiiEx (
- -1,
- -1,
- NULL,
- STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS),
- mHiiHandle,
- mAppName,
- L"--tunnel-local --tunnel-remote"
- );
- return EFI_INVALID_PARAMETER;
- }
- } else {
- //
- // Modify some of the data.
- //
- if ((Mask & EXT_SEQUENCE) != 0) {
- OldData->ProcessingPolicy->ExtSeqNum = NewData->ProcessingPolicy->ExtSeqNum;
- }
-
- if ((Mask & SEQUENCE_OVERFLOW) != 0) {
- OldData->ProcessingPolicy->SeqOverflow = NewData->ProcessingPolicy->SeqOverflow;
- }
-
- if ((Mask & FRAGMENT_CHECK) != 0) {
- OldData->ProcessingPolicy->FragCheck = NewData->ProcessingPolicy->FragCheck;
- }
-
- if ((Mask & LIFEBYTE) != 0) {
- OldData->ProcessingPolicy->SaLifetime.ByteCount = NewData->ProcessingPolicy->SaLifetime.ByteCount;
- }
-
- if ((Mask & LIFETIME_SOFT) != 0) {
- OldData->ProcessingPolicy->SaLifetime.SoftLifetime = NewData->ProcessingPolicy->SaLifetime.SoftLifetime;
- }
-
- if ((Mask & LIFETIME) != 0) {
- OldData->ProcessingPolicy->SaLifetime.HardLifetime = NewData->ProcessingPolicy->SaLifetime.HardLifetime;
- }
-
- if ((Mask & MODE) != 0) {
- OldData->ProcessingPolicy->Mode = NewData->ProcessingPolicy->Mode;
- }
-
- if ((Mask & IPSEC_PROTO) != 0) {
- OldData->ProcessingPolicy->Proto = NewData->ProcessingPolicy->Proto;
- }
-
- if ((Mask & AUTH_ALGO) != 0) {
- OldData->ProcessingPolicy->AuthAlgoId = NewData->ProcessingPolicy->AuthAlgoId;
- }
-
- if ((Mask & ENCRYPT_ALGO) != 0) {
- OldData->ProcessingPolicy->EncAlgoId = NewData->ProcessingPolicy->EncAlgoId;
- }
-
- if (OldData->ProcessingPolicy->Mode != EfiIPsecTunnel) {
- OldData->ProcessingPolicy->TunnelOption = NULL;
- } else {
- if (OldData->ProcessingPolicy->TunnelOption == NULL) {
- //
- // Set from Transport mode to Tunnel mode, should ensure TUNNEL_LOCAL & TUNNEL_REMOTE both exists.
- //
- if ((Mask & (TUNNEL_LOCAL | TUNNEL_REMOTE)) != (TUNNEL_LOCAL | TUNNEL_REMOTE)) {
- ShellPrintHiiEx (
- -1,
- -1,
- NULL,
- STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS),
- mHiiHandle,
- mAppName,
- L"--tunnel-local --tunnel-remote"
- );
- return EFI_INVALID_PARAMETER;
- }
-
- OldData->ProcessingPolicy->TunnelOption = NewData->ProcessingPolicy->TunnelOption;
- } else {
- if ((Mask & TUNNEL_LOCAL) != 0) {
- CopyMem (
- &OldData->ProcessingPolicy->TunnelOption->LocalTunnelAddress,
- &NewData->ProcessingPolicy->TunnelOption->LocalTunnelAddress,
- sizeof (EFI_IP_ADDRESS)
- );
- }
-
- if ((Mask & TUNNEL_REMOTE) != 0) {
- CopyMem (
- &OldData->ProcessingPolicy->TunnelOption->RemoteTunnelAddress,
- &NewData->ProcessingPolicy->TunnelOption->RemoteTunnelAddress,
- sizeof (EFI_IP_ADDRESS)
- );
- }
-
- if ((Mask & DONT_FRAGMENT) != 0) {
- OldData->ProcessingPolicy->TunnelOption->DF = NewData->ProcessingPolicy->TunnelOption->DF;
- }
- }
- }
- }
- }
-
- return EFI_SUCCESS;
-}
-
-/**
- Combine old SAD entry with new SAD entry.
-
- @param[in, out] OldSaId The pointer to the EFI_IPSEC_SA_ID structure.
- @param[in, out] OldData The pointer to the EFI_IPSEC_SA_DATA2 structure.
- @param[in] NewSaId The pointer to the EFI_IPSEC_SA_ID structure.
- @param[in] NewData The pointer to the EFI_IPSEC_SA_DATA2 structure.
- @param[in] Mask The pointer to the Mask.
- @param[out] CreateNew The switch to create new.
-
- @retval EFI_SUCCESS Combined successfully.
- @retval EFI_INVALID_PARAMETER Invalid user input parameter.
-
-**/
-EFI_STATUS
-CombineSadEntry (
- IN OUT EFI_IPSEC_SA_ID *OldSaId,
- IN OUT EFI_IPSEC_SA_DATA2 *OldData,
- IN EFI_IPSEC_SA_ID *NewSaId,
- IN EFI_IPSEC_SA_DATA2 *NewData,
- IN UINT32 Mask,
- OUT BOOLEAN *CreateNew
- )
-{
-
- *CreateNew = FALSE;
-
- if ((Mask & SPI) == 0) {
- NewSaId->Spi = OldSaId->Spi;
- } else if (NewSaId->Spi != OldSaId->Spi) {
- *CreateNew = TRUE;
- }
-
- if ((Mask & IPSEC_PROTO) == 0) {
- NewSaId->Proto = OldSaId->Proto;
- } else if (NewSaId->Proto != OldSaId->Proto) {
- *CreateNew = TRUE;
- }
-
- if ((Mask & DEST) == 0) {
- CopyMem (&NewData->TunnelDestinationAddress, &OldData->TunnelDestinationAddress, sizeof (EFI_IP_ADDRESS));
- } else if (CompareMem (&NewData->TunnelDestinationAddress, &OldData->TunnelDestinationAddress, sizeof (EFI_IP_ADDRESS)) != 0) {
- *CreateNew = TRUE;
- }
-
- if ((Mask & SOURCE) == 0) {
- CopyMem (&NewData->TunnelSourceAddress, &OldData->TunnelSourceAddress, sizeof (EFI_IP_ADDRESS));
- } else if (CompareMem (&NewData->TunnelSourceAddress, &OldData->TunnelSourceAddress, sizeof (EFI_IP_ADDRESS)) != 0) {
- *CreateNew = TRUE;
- }
- //
- // Process SA_DATA.
- //
- if ((Mask & MODE) != 0) {
- OldData->Mode = NewData->Mode;
- }
-
- if ((Mask & SEQUENCE_NUMBER) != 0) {
- OldData->SNCount = NewData->SNCount;
- }
-
- if ((Mask & ANTIREPLAY_WINDOW) != 0) {
- OldData->AntiReplayWindows = NewData->AntiReplayWindows;
- }
-
- if ((Mask & AUTH_ALGO) != 0) {
- OldData->AlgoInfo.EspAlgoInfo.AuthAlgoId = NewData->AlgoInfo.EspAlgoInfo.AuthAlgoId;
- }
-
- if ((Mask & AUTH_KEY) != 0) {
- OldData->AlgoInfo.EspAlgoInfo.AuthKey = NewData->AlgoInfo.EspAlgoInfo.AuthKey;
- OldData->AlgoInfo.EspAlgoInfo.AuthKeyLength = NewData->AlgoInfo.EspAlgoInfo.AuthKeyLength;
- }
-
- if ((Mask & ENCRYPT_ALGO) != 0) {
- OldData->AlgoInfo.EspAlgoInfo.EncAlgoId = NewData->AlgoInfo.EspAlgoInfo.EncAlgoId;
- }
-
- if ((Mask & ENCRYPT_KEY) != 0) {
- OldData->AlgoInfo.EspAlgoInfo.EncKey = NewData->AlgoInfo.EspAlgoInfo.EncKey;
- OldData->AlgoInfo.EspAlgoInfo.EncKeyLength = NewData->AlgoInfo.EspAlgoInfo.EncKeyLength;
- }
-
- if (NewSaId->Proto == EfiIPsecAH) {
- if ((Mask & (ENCRYPT_ALGO | ENCRYPT_KEY)) != 0) {
- //
- // Should not provide encrypt_* if AH.
- //
- ShellPrintHiiEx (
- -1,
- -1,
- NULL,
- STRING_TOKEN (STR_IPSEC_CONFIG_UNWANTED_PARAMETER),
- mHiiHandle,
- mAppName,
- L"--encrypt-algo --encrypt-key"
- );
- return EFI_INVALID_PARAMETER;
- }
- }
-
- if (NewSaId->Proto == EfiIPsecESP && OldSaId->Proto == EfiIPsecAH) {
- //
- // AH -> ESP
- // Should provide encrypt_algo at least.
- //
- if ((Mask & ENCRYPT_ALGO) == 0) {
- ShellPrintHiiEx (
- -1,
- -1,
- NULL,
- STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_PARAMETER),
- mHiiHandle,
- mAppName,
- L"--encrypt-algo"
- );
- return EFI_INVALID_PARAMETER;
- }
-
- //
- // Encrypt_key should be provided if algorithm is not NONE.
- //
- if (NewData->AlgoInfo.EspAlgoInfo.EncAlgoId != IPSEC_EALG_NONE && (Mask & ENCRYPT_KEY) == 0) {
- ShellPrintHiiEx (
- -1,
- -1,
- NULL,
- STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_PARAMETER),
- mHiiHandle,
- mAppName,
- L"--encrypt-algo"
- );
- return EFI_INVALID_PARAMETER;
- }
- }
-
- if ((Mask & LIFEBYTE) != 0) {
- OldData->SaLifetime.ByteCount = NewData->SaLifetime.ByteCount;
- }
-
- if ((Mask & LIFETIME_SOFT) != 0) {
- OldData->SaLifetime.SoftLifetime = NewData->SaLifetime.SoftLifetime;
- }
-
- if ((Mask & LIFETIME) != 0) {
- OldData->SaLifetime.HardLifetime = NewData->SaLifetime.HardLifetime;
- }
-
- if ((Mask & PATH_MTU) != 0) {
- OldData->PathMTU = NewData->PathMTU;
- }
- //
- // Process SpdSelector.
- //
- if (OldData->SpdSelector == NULL) {
- if ((Mask & (LOCAL | REMOTE | PROTO | LOCAL_PORT | REMOTE_PORT | ICMP_TYPE | ICMP_CODE)) != 0) {
- if ((Mask & (LOCAL | REMOTE | PROTO)) != (LOCAL | REMOTE | PROTO)) {
- ShellPrintHiiEx (
- -1,
- -1,
- NULL,
- STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS),
- mHiiHandle,
- mAppName,
- L"--local --remote --proto"
- );
- return EFI_INVALID_PARAMETER;
- }
-
- OldData->SpdSelector = NewData->SpdSelector;
- }
- } else {
- if ((Mask & LOCAL) != 0) {
- OldData->SpdSelector->LocalAddressCount = NewData->SpdSelector->LocalAddressCount;
- OldData->SpdSelector->LocalAddress = NewData->SpdSelector->LocalAddress;
- }
-
- if ((Mask & REMOTE) != 0) {
- OldData->SpdSelector->RemoteAddressCount = NewData->SpdSelector->RemoteAddressCount;
- OldData->SpdSelector->RemoteAddress = NewData->SpdSelector->RemoteAddress;
- }
-
- if ((Mask & PROTO) != 0) {
- OldData->SpdSelector->NextLayerProtocol = NewData->SpdSelector->NextLayerProtocol;
- }
-
- if (OldData->SpdSelector != NULL) {
- switch (OldData->SpdSelector->NextLayerProtocol) {
- case EFI_IP4_PROTO_TCP:
- case EFI_IP4_PROTO_UDP:
- if ((Mask & LOCAL_PORT) != 0) {
- OldData->SpdSelector->LocalPort = NewData->SpdSelector->LocalPort;
- }
-
- if ((Mask & REMOTE_PORT) != 0) {
- OldData->SpdSelector->RemotePort = NewData->SpdSelector->RemotePort;
- }
- break;
-
- case EFI_IP4_PROTO_ICMP:
- if ((Mask & ICMP_TYPE) != 0) {
- OldData->SpdSelector->LocalPort = (UINT8) NewData->SpdSelector->LocalPort;
- }
-
- if ((Mask & ICMP_CODE) != 0) {
- OldData->SpdSelector->RemotePort = (UINT8) NewData->SpdSelector->RemotePort;
- }
- break;
- }
- }
- }
-
- return EFI_SUCCESS;
-}
-
-/**
- Combine old PAD entry with new PAD entry.
-
- @param[in, out] OldPadId The pointer to the EFI_IPSEC_PAD_ID structure.
- @param[in, out] OldData The pointer to the EFI_IPSEC_PAD_DATA structure.
- @param[in] NewPadId The pointer to the EFI_IPSEC_PAD_ID structure.
- @param[in] NewData The pointer to the EFI_IPSEC_PAD_DATA structure.
- @param[in] Mask The pointer to the Mask.
- @param[out] CreateNew The switch to create new.
-
- @retval EFI_SUCCESS Combined successfully.
- @retval EFI_INVALID_PARAMETER Invalid user input parameter.
-
-**/
-EFI_STATUS
-CombinePadEntry (
- IN OUT EFI_IPSEC_PAD_ID *OldPadId,
- IN OUT EFI_IPSEC_PAD_DATA *OldData,
- IN EFI_IPSEC_PAD_ID *NewPadId,
- IN EFI_IPSEC_PAD_DATA *NewData,
- IN UINT32 Mask,
- OUT BOOLEAN *CreateNew
- )
-{
-
- *CreateNew = FALSE;
-
- if ((Mask & (PEER_ID | PEER_ADDRESS)) == 0) {
- CopyMem (NewPadId, OldPadId, sizeof (EFI_IPSEC_PAD_ID));
- } else {
- if ((Mask & PEER_ID) != 0) {
- if (OldPadId->PeerIdValid) {
- if (StrCmp ((CONST CHAR16 *) OldPadId->Id.PeerId, (CONST CHAR16 *) NewPadId->Id.PeerId) != 0) {
- *CreateNew = TRUE;
- }
- } else {
- *CreateNew = TRUE;
- }
- } else {
- //
- // MASK & PEER_ADDRESS
- //
- if (OldPadId->PeerIdValid) {
- *CreateNew = TRUE;
- } else {
- if ((CompareMem (&OldPadId->Id.IpAddress.Address, &NewPadId->Id.IpAddress.Address, sizeof (EFI_IP_ADDRESS)) != 0) ||
- (OldPadId->Id.IpAddress.PrefixLength != NewPadId->Id.IpAddress.PrefixLength)) {
- *CreateNew = TRUE;
- }
- }
- }
- }
-
- if ((Mask & AUTH_PROTO) != 0) {
- OldData->AuthProtocol = NewData->AuthProtocol;
- }
-
- if ((Mask & AUTH_METHOD) != 0) {
- OldData->AuthMethod = NewData->AuthMethod;
- }
-
- if ((Mask & IKE_ID) != 0) {
- OldData->IkeIdFlag = NewData->IkeIdFlag;
- }
-
- if ((Mask & AUTH_DATA) != 0) {
- OldData->AuthDataSize = NewData->AuthDataSize;
- OldData->AuthData = NewData->AuthData;
- }
-
- if ((Mask & REVOCATION_DATA) != 0) {
- OldData->RevocationDataSize = NewData->RevocationDataSize;
- OldData->RevocationData = NewData->RevocationData;
- }
-
- return EFI_SUCCESS;
-}
-
-COMBINE_POLICY_ENTRY mCombinePolicyEntry[] = {
- (COMBINE_POLICY_ENTRY) CombineSpdEntry,
- (COMBINE_POLICY_ENTRY) CombineSadEntry,
- (COMBINE_POLICY_ENTRY) CombinePadEntry
-};
-
-/**
- Edit entry information in the database.
-
- @param[in] Selector The pointer to the EFI_IPSEC_CONFIG_SELECTOR structure.
- @param[in] Data The pointer to the data.
- @param[in] Context The pointer to the INSERT_POLICY_ENTRY_CONTEXT structure.
-
- @retval EFI_SUCCESS Continue the iteration.
- @retval EFI_ABORTED Abort the iteration.
-**/
-EFI_STATUS
-EditOperatePolicyEntry (
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector,
- IN VOID *Data,
- IN EDIT_POLICY_ENTRY_CONTEXT *Context
- )
-{
- EFI_STATUS Status;
- BOOLEAN CreateNew;
-
- if (mMatchPolicyEntry[Context->DataType] (Selector, Data, &Context->Indexer)) {
- ASSERT (Context->DataType < 3);
-
- Status = mCombinePolicyEntry[Context->DataType] (
- Selector,
- Data,
- Context->Selector,
- Context->Data,
- Context->Mask,
- &CreateNew
- );
- if (!EFI_ERROR (Status)) {
- //
- // If the Selector already existed, this Entry will be updated by set data.
- //
- Status = mIpSecConfig->SetData (
- mIpSecConfig,
- Context->DataType,
- Context->Selector, /// New created selector.
- Data, /// Old date which has been modified, need to be set data.
- Selector
- );
- ASSERT_EFI_ERROR (Status);
-
- if (CreateNew) {
- //
- // Edit the entry to a new one. So, we need delete the old entry.
- //
- Status = mIpSecConfig->SetData (
- mIpSecConfig,
- Context->DataType,
- Selector, /// Old selector.
- NULL, /// NULL means to delete this Entry specified by Selector.
- NULL
- );
- ASSERT_EFI_ERROR (Status);
- }
- }
-
- Context->Status = Status;
- return EFI_ABORTED;
- }
-
- return EFI_SUCCESS;
-}
-
-/**
- Edit entry information in database according to datatype.
-
- @param[in] DataType The value of EFI_IPSEC_CONFIG_DATA_TYPE.
- @param[in] ParamPackage The pointer to the ParamPackage list.
-
- @retval EFI_SUCCESS Edit entry information successfully.
- @retval EFI_NOT_FOUND Can't find the specified entry.
- @retval Others Some mistaken case.
-**/
-EFI_STATUS
-EditPolicyEntry (
- IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,
- IN LIST_ENTRY *ParamPackage
- )
-{
- EFI_STATUS Status;
- EDIT_POLICY_ENTRY_CONTEXT Context;
- CONST CHAR16 *ValueStr;
-
- ValueStr = ShellCommandLineGetValue (ParamPackage, L"-e");
- if (ValueStr == NULL) {
- ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_INDEX_NOT_SPECIFIED), mHiiHandle, mAppName, ValueStr);
- return EFI_NOT_FOUND;
- }
-
- Status = mConstructPolicyEntryIndexer[DataType] (&Context.Indexer, ParamPackage);
- if (!EFI_ERROR (Status)) {
- Context.DataType = DataType;
- Context.Status = EFI_NOT_FOUND;
- Status = mCreatePolicyEntry[DataType] (&Context.Selector, &Context.Data, ParamPackage, &Context.Mask, FALSE);
- if (!EFI_ERROR (Status)) {
- ForeachPolicyEntry (DataType, (VISIT_POLICY_ENTRY) EditOperatePolicyEntry, &Context);
- Status = Context.Status;
- }
-
- if (Context.Selector != NULL) {
- gBS->FreePool (Context.Selector);
- }
-
- if (Context.Data != NULL) {
- gBS->FreePool (Context.Data);
- }
- }
-
- if (Status == EFI_NOT_FOUND) {
- ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_INDEX_NOT_FOUND), mHiiHandle, mAppName, ValueStr);
- } else if (EFI_ERROR (Status)) {
- ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_EDIT_FAILED), mHiiHandle, mAppName);
- }
-
- return Status;
-
-}
-
-/**
- Insert entry information in database.
-
- @param[in] Selector The pointer to the EFI_IPSEC_CONFIG_SELECTOR structure.
- @param[in] Data The pointer to the data.
- @param[in] Context The pointer to the INSERT_POLICY_ENTRY_CONTEXT structure.
-
- @retval EFI_SUCCESS Continue the iteration.
- @retval EFI_ABORTED Abort the iteration.
-**/
-EFI_STATUS
-InsertPolicyEntry (
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector,
- IN VOID *Data,
- IN INSERT_POLICY_ENTRY_CONTEXT *Context
- )
-{
- //
- // Found the entry which we want to insert before.
- //
- if (mMatchPolicyEntry[Context->DataType] (Selector, Data, &Context->Indexer)) {
-
- Context->Status = mIpSecConfig->SetData (
- mIpSecConfig,
- Context->DataType,
- Context->Selector,
- Context->Data,
- Selector
- );
- //
- // Abort the iteration after the insertion.
- //
- return EFI_ABORTED;
- }
-
- return EFI_SUCCESS;
-}
-
-/**
- Insert or add entry information in database according to datatype.
-
- @param[in] DataType The value of EFI_IPSEC_CONFIG_DATA_TYPE.
- @param[in] ParamPackage The pointer to the ParamPackage list.
-
- @retval EFI_SUCCESS Insert or add entry information successfully.
- @retval EFI_NOT_FOUND Can't find the specified entry.
- @retval EFI_BUFFER_TOO_SMALL The entry already existed.
- @retval EFI_UNSUPPORTED The operation is not supported.
- @retval Others Some mistaken case.
-**/
-EFI_STATUS
-AddOrInsertPolicyEntry (
- IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,
- IN LIST_ENTRY *ParamPackage
- )
-{
- EFI_STATUS Status;
- EFI_IPSEC_CONFIG_SELECTOR *Selector;
- VOID *Data;
- INSERT_POLICY_ENTRY_CONTEXT Context;
- UINT32 Mask;
- UINTN DataSize;
- CONST CHAR16 *ValueStr;
-
- Status = mCreatePolicyEntry[DataType] (&Selector, &Data, ParamPackage, &Mask, TRUE);
- if (!EFI_ERROR (Status)) {
- //
- // Find if the Selector to be inserted already exists.
- //
- DataSize = 0;
- Status = mIpSecConfig->GetData (
- mIpSecConfig,
- DataType,
- Selector,
- &DataSize,
- NULL
- );
- if (Status == EFI_BUFFER_TOO_SMALL) {
- ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_ALREADY_EXISTS), mHiiHandle, mAppName);
- } else if (ShellCommandLineGetFlag (ParamPackage, L"-a")) {
- Status = mIpSecConfig->SetData (
- mIpSecConfig,
- DataType,
- Selector,
- Data,
- NULL
- );
- } else {
- ValueStr = ShellCommandLineGetValue (ParamPackage, L"-i");
- if (ValueStr == NULL) {
- ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_INDEX_NOT_SPECIFIED), mHiiHandle, mAppName, ValueStr);
- return EFI_NOT_FOUND;
- }
-
- Status = mConstructPolicyEntryIndexer[DataType] (&Context.Indexer, ParamPackage);
- if (!EFI_ERROR (Status)) {
- Context.DataType = DataType;
- Context.Status = EFI_NOT_FOUND;
- Context.Selector = Selector;
- Context.Data = Data;
-
- ForeachPolicyEntry (DataType, (VISIT_POLICY_ENTRY) InsertPolicyEntry, &Context);
- Status = Context.Status;
- if (Status == EFI_NOT_FOUND) {
- ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_INDEX_NOT_FOUND), mHiiHandle, mAppName, ValueStr);
- }
- }
- }
-
- gBS->FreePool (Selector);
- gBS->FreePool (Data);
- }
-
- if (Status == EFI_UNSUPPORTED) {
- ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_INSERT_UNSUPPORT), mHiiHandle, mAppName);
- } else if (EFI_ERROR (Status)) {
- ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_INSERT_FAILED), mHiiHandle, mAppName);
- }
-
- return Status;
-}
diff --git a/NetworkPkg/Application/IpsecConfig/PolicyEntryOperation.h b/NetworkPkg/Application/IpsecConfig/PolicyEntryOperation.h deleted file mode 100644 index 3384774f6a..0000000000 --- a/NetworkPkg/Application/IpsecConfig/PolicyEntryOperation.h +++ /dev/null @@ -1,153 +0,0 @@ -/** @file
- The function declaration of policy entry operation in IpSecConfig application.
-
- Copyright (c) 2009 - 2011, Intel Corporation. All rights reserved.<BR>
-
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#ifndef _POLICY_ENTRY_OPERATION_H_
-#define _POLICY_ENTRY_OPERATION_H_
-
-#define LOCAL BIT(0)
-#define REMOTE BIT(1)
-#define PROTO BIT(2)
-#define LOCAL_PORT BIT(3)
-#define REMOTE_PORT BIT(4)
-#define ICMP_TYPE BIT(5)
-#define ICMP_CODE BIT(6)
-#define NAME BIT(7)
-#define PACKET_FLAG BIT(8)
-#define ACTION BIT(9)
-#define EXT_SEQUENCE BIT(10)
-#define SEQUENCE_OVERFLOW BIT(11)
-#define FRAGMENT_CHECK BIT(12)
-#define LIFEBYTE BIT(13)
-#define LIFETIME_SOFT BIT(14)
-#define LIFETIME BIT(15)
-#define MODE BIT(16)
-#define TUNNEL_LOCAL BIT(17)
-#define TUNNEL_REMOTE BIT(18)
-#define DONT_FRAGMENT BIT(19)
-#define IPSEC_PROTO BIT(20)
-#define AUTH_ALGO BIT(21)
-#define ENCRYPT_ALGO BIT(22)
-#define SPI BIT(23)
-#define DEST BIT(24)
-#define SEQUENCE_NUMBER BIT(25)
-#define ANTIREPLAY_WINDOW BIT(26)
-#define AUTH_KEY BIT(27)
-#define ENCRYPT_KEY BIT(28)
-#define PATH_MTU BIT(29)
-#define SOURCE BIT(30)
-
-#define PEER_ID BIT(0)
-#define PEER_ADDRESS BIT(1)
-#define AUTH_PROTO BIT(2)
-#define AUTH_METHOD BIT(3)
-#define IKE_ID BIT(4)
-#define AUTH_DATA BIT(5)
-#define REVOCATION_DATA BIT(6)
-
-typedef struct {
- EFI_IPSEC_CONFIG_DATA_TYPE DataType;
- EFI_IPSEC_CONFIG_SELECTOR *Selector; // Data to be inserted.
- VOID *Data;
- UINT32 Mask;
- POLICY_ENTRY_INDEXER Indexer;
- EFI_STATUS Status; // Indicate whether insertion succeeds.
-} EDIT_POLICY_ENTRY_CONTEXT;
-
-typedef struct {
- EFI_IPSEC_CONFIG_DATA_TYPE DataType;
- EFI_IPSEC_CONFIG_SELECTOR *Selector; // Data to be inserted.
- VOID *Data;
- POLICY_ENTRY_INDEXER Indexer;
- EFI_STATUS Status; // Indicate whether insertion succeeds.
-} INSERT_POLICY_ENTRY_CONTEXT;
-
-/**
- The prototype for the CreateSpdEntry()/CreateSadEntry()/CreatePadEntry().
- Fill in EFI_IPSEC_CONFIG_SELECTOR and corresponding data thru ParamPackage list.
-
- @param[out] Selector The pointer to the EFI_IPSEC_CONFIG_SELECTOR union.
- @param[out] Data The pointer to corresponding data.
- @param[in] ParamPackage The pointer to the ParamPackage list.
- @param[out] Mask The pointer to the Mask.
- @param[in] CreateNew The switch to create new.
-
- @retval EFI_SUCCESS Filled in EFI_IPSEC_CONFIG_SELECTOR and corresponding data successfully.
- @retval EFI_INVALID_PARAMETER Invalid user input parameter.
-
-**/
-typedef
-EFI_STATUS
-(*CREATE_POLICY_ENTRY) (
- OUT EFI_IPSEC_CONFIG_SELECTOR **Selector,
- OUT VOID **Data,
- IN LIST_ENTRY *ParamPackage,
- OUT UINT32 *Mask,
- IN BOOLEAN CreateNew
- );
-
-/**
- The prototype for the CombineSpdEntry()/CombineSadEntry()/CombinePadEntry().
- Combine old SPD/SAD/PAD entry with new SPD/SAD/PAD entry.
-
- @param[in, out] OldSelector The pointer to the old EFI_IPSEC_CONFIG_SELECTOR union.
- @param[in, out] OldData The pointer to the corresponding old data.
- @param[in] NewSelector The pointer to the new EFI_IPSEC_CONFIG_SELECTOR union.
- @param[in] NewData The pointer to the corresponding new data.
- @param[in] Mask The pointer to the Mask.
- @param[out] CreateNew The switch to create new.
-
- @retval EFI_SUCCESS Combined successfully.
- @retval EFI_INVALID_PARAMETER Invalid user input parameter.
-
-**/
-typedef
-EFI_STATUS
-(* COMBINE_POLICY_ENTRY) (
- IN OUT EFI_IPSEC_CONFIG_SELECTOR *OldSelector,
- IN OUT VOID *OldData,
- IN EFI_IPSEC_CONFIG_SELECTOR *NewSelector,
- IN VOID *NewData,
- IN UINT32 Mask,
- OUT BOOLEAN *CreateNew
- );
-
-/**
- Insert or add entry information in database according to datatype.
-
- @param[in] DataType The value of EFI_IPSEC_CONFIG_DATA_TYPE.
- @param[in] ParamPackage The pointer to the ParamPackage list.
-
- @retval EFI_SUCCESS Insert or add entry information successfully.
- @retval EFI_NOT_FOUND Can't find the specified entry.
- @retval EFI_BUFFER_TOO_SMALL The entry already existed.
- @retval EFI_UNSUPPORTED The operation is not supported./
- @retval Others Some mistaken case.
-**/
-EFI_STATUS
-AddOrInsertPolicyEntry (
- IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,
- IN LIST_ENTRY *ParamPackage
- );
-
-/**
- Edit entry information in the database according to datatype.
-
- @param[in] DataType The value of EFI_IPSEC_CONFIG_DATA_TYPE.
- @param[in] ParamPackage The pointer to the ParamPackage list.
-
- @retval EFI_SUCCESS Edit entry information successfully.
- @retval EFI_NOT_FOUND Can't find the specified entry.
- @retval Others Some mistaken case.
-**/
-EFI_STATUS
-EditPolicyEntry (
- IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,
- IN LIST_ENTRY *ParamPackage
- );
-#endif
diff --git a/NetworkPkg/IpSecDxe/ComponentName.c b/NetworkPkg/IpSecDxe/ComponentName.c deleted file mode 100644 index 6fbc35a25c..0000000000 --- a/NetworkPkg/IpSecDxe/ComponentName.c +++ /dev/null @@ -1,345 +0,0 @@ -/** @file
- UEFI Component Name(2) protocol implementation for IPsec driver.
-
- Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
-
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#include "IpSecImpl.h"
-
-//
-// EFI Component Name Functions
-//
-/**
- Retrieves a Unicode string that is the user-readable name of the driver.
-
- This function retrieves the user-readable name of a driver in the form of a
- Unicode string. If the driver specified by This has a user-readable name in
- the language specified by Language, then a pointer to the driver name is
- returned in DriverName, and EFI_SUCCESS is returned. If the driver specified
- by This does not support the language specified by Language,
- then EFI_UNSUPPORTED is returned.
-
- @param[in] This A pointer to the EFI_COMPONENT_NAME2_PROTOCOL or
- EFI_COMPONENT_NAME_PROTOCOL instance.
-
- @param[in] Language A pointer to a Null-terminated ASCII string
- array indicating the language. This is the
- language of the driver name that the caller is
- requesting, and it must match one of the
- languages specified in SupportedLanguages. The
- number of languages supported by a driver is up
- to the driver writer. Language is specified
- in RFC 4646 or ISO 639-2 language code format.
-
- @param[out] DriverName A pointer to the Unicode string to return.
- This Unicode string is the name of the
- driver specified by This in the language
- specified by Language.
-
- @retval EFI_SUCCESS The Unicode string for the Driver specified by
- This and the language specified by Language was
- returned in DriverName.
-
- @retval EFI_INVALID_PARAMETER Language is NULL.
-
- @retval EFI_INVALID_PARAMETER DriverName is NULL.
-
- @retval EFI_UNSUPPORTED The driver specified by This does not support
- the language specified by Language.
-
-**/
-EFI_STATUS
-EFIAPI
-IpSecComponentNameGetDriverName (
- IN EFI_COMPONENT_NAME_PROTOCOL *This,
- IN CHAR8 *Language,
- OUT CHAR16 **DriverName
- );
-
-/**
- Retrieves a Unicode string that is the user-readable name of the controller
- that is being managed by a driver.
-
- This function retrieves the user-readable name of the controller specified by
- ControllerHandle and ChildHandle in the form of a Unicode string. If the
- driver specified by This has a user-readable name in the language specified by
- Language, then a pointer to the controller name is returned in ControllerName,
- and EFI_SUCCESS is returned. If the driver specified by This is not currently
- managing the controller specified by ControllerHandle and ChildHandle,
- then EFI_UNSUPPORTED is returned. If the driver specified by This does not
- support the language specified by Language, then EFI_UNSUPPORTED is returned.
-
- @param[in] This A pointer to the EFI_COMPONENT_NAME2_PROTOCOL or
- EFI_COMPONENT_NAME_PROTOCOL instance.
-
- @param[in] ControllerHandle The handle of a controller that the driver
- specified by This is managing. This handle
- specifies the controller whose name is to be
- returned.
-
- @param[in] ChildHandle The handle of the child controller to retrieve
- the name of. This is an optional parameter that
- may be NULL. It will be NULL for device
- drivers. It will also be NULL for a bus drivers
- that wish to retrieve the name of the bus
- controller. It will not be NULL for a bus
- driver that wishes to retrieve the name of a
- child controller.
-
- @param[in] Language A pointer to a Null-terminated ASCII string
- array indicating the language. This is the
- language of the driver name that the caller is
- requesting, and it must match one of the
- languages specified in SupportedLanguages. The
- number of languages supported by a driver is up
- to the driver writer. Language is specified in
- RFC 4646 or ISO 639-2 language code format.
-
- @param[out] ControllerName A pointer to the Unicode string to return.
- This Unicode string is the name of the
- controller specified by ControllerHandle and
- ChildHandle in the language specified by
- Language from the point of view of the driver
- specified by This.
-
- @retval EFI_SUCCESS The Unicode string for the user-readable name in
- the language specified by Language for the
- driver specified by This was returned in
- DriverName.
-
- @retval EFI_INVALID_PARAMETER ControllerHandle is NULL.
-
- @retval EFI_INVALID_PARAMETER ChildHandle is not NULL and it is not a valid
- EFI_HANDLE.
-
- @retval EFI_INVALID_PARAMETER Language is NULL.
-
- @retval EFI_INVALID_PARAMETER ControllerName is NULL.
-
- @retval EFI_UNSUPPORTED The driver specified by This is not currently
- managing the controller specified by
- ControllerHandle and ChildHandle.
-
- @retval EFI_UNSUPPORTED The driver specified by This does not support
- the language specified by Language.
-
-**/
-EFI_STATUS
-EFIAPI
-IpSecComponentNameGetControllerName (
- IN EFI_COMPONENT_NAME_PROTOCOL *This,
- IN EFI_HANDLE ControllerHandle,
- IN EFI_HANDLE ChildHandle, OPTIONAL
- IN CHAR8 *Language,
- OUT CHAR16 **ControllerName
- );
-
-//
-// EFI Component Name Protocol
-//
-GLOBAL_REMOVE_IF_UNREFERENCED EFI_COMPONENT_NAME_PROTOCOL gIpSecComponentName = {
- IpSecComponentNameGetDriverName,
- IpSecComponentNameGetControllerName,
- "eng"
-};
-
-//
-// EFI Component Name 2 Protocol
-//
-GLOBAL_REMOVE_IF_UNREFERENCED EFI_COMPONENT_NAME2_PROTOCOL gIpSecComponentName2 = {
- (EFI_COMPONENT_NAME2_GET_DRIVER_NAME) IpSecComponentNameGetDriverName,
- (EFI_COMPONENT_NAME2_GET_CONTROLLER_NAME) IpSecComponentNameGetControllerName,
- "en"
-};
-
-GLOBAL_REMOVE_IF_UNREFERENCED EFI_UNICODE_STRING_TABLE mIpSecDriverNameTable[] = {
- {
- "eng;en",
- L"IpSec Driver"
- },
- {
- NULL,
- NULL
- }
-};
-
-GLOBAL_REMOVE_IF_UNREFERENCED EFI_UNICODE_STRING_TABLE mIpSecControllerNameTable[] = {
- {
- "eng;en",
- L"IPsec Controller"
- },
- {
- NULL,
- NULL
- }
-};
-
-/**
- Retrieves a Unicode string that is the user-readable name of the driver.
-
- This function retrieves the user-readable name of a driver in the form of a
- Unicode string. If the driver specified by This has a user-readable name in
- the language specified by Language, then a pointer to the driver name is
- returned in DriverName, and EFI_SUCCESS is returned. If the driver specified
- by This does not support the language specified by Language,
- then EFI_UNSUPPORTED is returned.
-
- @param[in] This A pointer to the EFI_COMPONENT_NAME2_PROTOCOL or
- EFI_COMPONENT_NAME_PROTOCOL instance.
-
- @param[in] Language A pointer to a Null-terminated ASCII string
- array indicating the language. This is the
- language of the driver name that the caller is
- requesting, and it must match one of the
- languages specified in SupportedLanguages. The
- number of languages supported by a driver is up
- to the driver writer. Language is specified
- in RFC 4646 or ISO 639-2 language code format.
-
- @param[out] DriverName A pointer to the Unicode string to return.
- This Unicode string is the name of the
- driver specified by This in the language
- specified by Language.
-
- @retval EFI_SUCCESS The Unicode string for the Driver specified by
- This, and the language specified by Language was
- returned in DriverName.
-
- @retval EFI_INVALID_PARAMETER Language is NULL.
-
- @retval EFI_INVALID_PARAMETER DriverName is NULL.
-
- @retval EFI_UNSUPPORTED The driver specified by This does not support
- the language specified by Language.
-
-**/
-EFI_STATUS
-EFIAPI
-IpSecComponentNameGetDriverName (
- IN EFI_COMPONENT_NAME_PROTOCOL *This,
- IN CHAR8 *Language,
- OUT CHAR16 **DriverName
- )
-{
- return LookupUnicodeString2 (
- Language,
- This->SupportedLanguages,
- mIpSecDriverNameTable,
- DriverName,
- (BOOLEAN) (This == &gIpSecComponentName)
- );
-}
-
-/**
- Retrieves a Unicode string that is the user-readable name of the controller
- that is being managed by a driver.
-
- This function retrieves the user-readable name of the controller specified by
- ControllerHandle and ChildHandle in the form of a Unicode string. If the
- driver specified by This has a user-readable name in the language specified by
- Language, then a pointer to the controller name is returned in ControllerName,
- and EFI_SUCCESS is returned. If the driver specified by This is not currently
- managing the controller specified by ControllerHandle and ChildHandle,
- then EFI_UNSUPPORTED is returned. If the driver specified by This does not
- support the language specified by Language, then EFI_UNSUPPORTED is returned.
-
- @param[in] This A pointer to the EFI_COMPONENT_NAME2_PROTOCOL or
- EFI_COMPONENT_NAME_PROTOCOL instance.
-
- @param[in] ControllerHandle The handle of a controller that the driver
- specified by This is managing. This handle
- specifies the controller whose name is to be
- returned.
-
- @param[in] ChildHandle The handle of the child controller to retrieve
- the name of. This is an optional parameter that
- may be NULL. It will be NULL for device
- drivers. It will also be NULL for a bus drivers
- that wish to retrieve the name of the bus
- controller. It will not be NULL for a bus
- driver that wishes to retrieve the name of a
- child controller.
-
- @param[in] Language A pointer to a Null-terminated ASCII string
- array indicating the language. This is the
- language of the driver name that the caller is
- requesting, and it must match one of the
- languages specified in SupportedLanguages. The
- number of languages supported by a driver is up
- to the driver writer. Language is specified in
- RFC 4646 or ISO 639-2 language code format.
-
- @param[out] ControllerName A pointer to the Unicode string to return.
- This Unicode string is the name of the
- controller specified by ControllerHandle and
- ChildHandle in the language specified by
- Language from the point of view of the driver
- specified by This.
-
- @retval EFI_SUCCESS The Unicode string for the user-readable name in
- the language specified by Language for the
- driver specified by This was returned in
- DriverName.
-
- @retval EFI_INVALID_PARAMETER ControllerHandle is NULL.
-
- @retval EFI_INVALID_PARAMETER ChildHandle is not NULL, and it is not a valid
- EFI_HANDLE.
-
- @retval EFI_INVALID_PARAMETER Language is NULL.
-
- @retval EFI_INVALID_PARAMETER ControllerName is NULL.
-
- @retval EFI_UNSUPPORTED The driver specified by This is not currently
- managing the controller specified by
- ControllerHandle and ChildHandle.
-
- @retval EFI_UNSUPPORTED The driver specified by This does not support
- the language specified by Language.
-
-**/
-EFI_STATUS
-EFIAPI
-IpSecComponentNameGetControllerName (
- IN EFI_COMPONENT_NAME_PROTOCOL *This,
- IN EFI_HANDLE ControllerHandle,
- IN EFI_HANDLE ChildHandle, OPTIONAL
- IN CHAR8 *Language,
- OUT CHAR16 **ControllerName
- )
-{
- EFI_STATUS Status;
-
- //
- // ChildHandle must be NULL for a Device Driver
- //
- if (ChildHandle != NULL) {
- return EFI_UNSUPPORTED;
- }
-
- //
- // Make sure this driver is currently managing ControllerHandle
- //
- Status = gBS->OpenProtocol (
- ControllerHandle,
- &gEfiIpSec2ProtocolGuid,
- NULL,
- NULL,
- NULL,
- EFI_OPEN_PROTOCOL_TEST_PROTOCOL
- );
- if (EFI_ERROR (Status)) {
- return Status;
- }
-
- return LookupUnicodeString2 (
- Language,
- This->SupportedLanguages,
- mIpSecControllerNameTable,
- ControllerName,
- (BOOLEAN) (This == &gIpSecComponentName)
- );
-}
diff --git a/NetworkPkg/IpSecDxe/IetfConstants.c b/NetworkPkg/IpSecDxe/IetfConstants.c deleted file mode 100644 index 36cc1b69d5..0000000000 --- a/NetworkPkg/IpSecDxe/IetfConstants.c +++ /dev/null @@ -1,382 +0,0 @@ -/** @file
- Cryptographic Parameter Constant Definitions from IETF;
-
- Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>
-
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#include "Ike.h"
-
-//
-// "First Oakley Default Group" from RFC2409, section 6.1.
-//
-// The prime is: 2^768 - 2 ^704 - 1 + 2^64 * { [2^638 pi] + 149686 }
-//
-GLOBAL_REMOVE_IF_UNREFERENCED UINT8 Modp768Modulus[] = {
- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xC9, 0x0F, 0xDA, 0xA2,
- 0x21, 0x68, 0xC2, 0x34, 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1,
- 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, 0x02, 0x0B, 0xBE, 0xA6,
- 0x3B, 0x13, 0x9B, 0x22, 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD,
- 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, 0x30, 0x2B, 0x0A, 0x6D,
- 0xF2, 0x5F, 0x14, 0x37, 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45,
- 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, 0xF4, 0x4C, 0x42, 0xE9,
- 0xA6, 0x3A, 0x36, 0x20, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
- };
-
-//
-// "Second Oakley Default Group" from RFC2409, section 6.2.
-//
-// The prime is: 2^1024 - 2^960 - 1 + 2^64 * { [2^894 pi] + 129093 }.
-//
-GLOBAL_REMOVE_IF_UNREFERENCED UINT8 Modp1024Modulus[] = {
- 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,
- 0x21,0x68,0xC2,0x34,0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,
- 0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,0x02,0x0B,0xBE,0xA6,
- 0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
- 0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,
- 0xF2,0x5F,0x14,0x37,0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,
- 0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,0xF4,0x4C,0x42,0xE9,
- 0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
- 0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,
- 0x7C,0x4B,0x1F,0xE6,0x49,0x28,0x66,0x51,0xEC,0xE6,0x53,0x81,
- 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
- };
-
-//
-// "1536-bit MODP Group" from RFC3526, Section 2.
-//
-// The prime is: 2^1536 - 2^1472 - 1 + 2^64 * { [2^1406 pi] + 741804 }
-//
-GLOBAL_REMOVE_IF_UNREFERENCED UINT8 Modp1536Modulus[]={
- 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,
- 0x21,0x68,0xC2,0x34,0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,
- 0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,0x02,0x0B,0xBE,0xA6,
- 0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
- 0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,
- 0xF2,0x5F,0x14,0x37,0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,
- 0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,0xF4,0x4C,0x42,0xE9,
- 0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
- 0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,
- 0x7C,0x4B,0x1F,0xE6,0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D,
- 0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,0x98,0xDA,0x48,0x36,
- 0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F,
- 0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56,
- 0x20,0x85,0x52,0xBB,0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D,
- 0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,0xF1,0x74,0x6C,0x08,
- 0xCA,0x23,0x73,0x27,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
- };
-
-//
-// "2048-bit MODP Group" from RFC3526, Section 3.
-//
-// The prime is: 2^2048 - 2^1984 - 1 + 2^64 * { [2^1918 pi] + 124476 }
-//
-GLOBAL_REMOVE_IF_UNREFERENCED UINT8 Modp2048Modulus[]={
- 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,
- 0x21,0x68,0xC2,0x34,0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,
- 0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,0x02,0x0B,0xBE,0xA6,
- 0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
- 0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,
- 0xF2,0x5F,0x14,0x37,0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,
- 0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,0xF4,0x4C,0x42,0xE9,
- 0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
- 0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,
- 0x7C,0x4B,0x1F,0xE6,0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D,
- 0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,0x98,0xDA,0x48,0x36,
- 0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F,
- 0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56,
- 0x20,0x85,0x52,0xBB,0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D,
- 0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,0xF1,0x74,0x6C,0x08,
- 0xCA,0x18,0x21,0x7C,0x32,0x90,0x5E,0x46,0x2E,0x36,0xCE,0x3B,
- 0xE3,0x9E,0x77,0x2C,0x18,0x0E,0x86,0x03,0x9B,0x27,0x83,0xA2,
- 0xEC,0x07,0xA2,0x8F,0xB5,0xC5,0x5D,0xF0,0x6F,0x4C,0x52,0xC9,
- 0xDE,0x2B,0xCB,0xF6,0x95,0x58,0x17,0x18,0x39,0x95,0x49,0x7C,
- 0xEA,0x95,0x6A,0xE5,0x15,0xD2,0x26,0x18,0x98,0xFA,0x05,0x10,
- 0x15,0x72,0x8E,0x5A,0x8A,0xAC,0xAA,0x68,0xFF,0xFF,0xFF,0xFF,
- 0xFF,0xFF,0xFF,0xFF,
- };
-
-//
-// "3072-bit MODP Group" from RFC3526, Section 4.
-//
-// The prime is: 2^3072 - 2^3008 - 1 + 2^64 * { [2^2942 pi] + 1690314 }
-//
-GLOBAL_REMOVE_IF_UNREFERENCED UINT8 Modp3072Modulus[]={
- 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,
- 0x21,0x68,0xC2,0x34,0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,
- 0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,0x02,0x0B,0xBE,0xA6,
- 0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
- 0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,
- 0xF2,0x5F,0x14,0x37,0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,
- 0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,0xF4,0x4C,0x42,0xE9,
- 0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
- 0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,
- 0x7C,0x4B,0x1F,0xE6,0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D,
- 0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,0x98,0xDA,0x48,0x36,
- 0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F,
- 0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56,
- 0x20,0x85,0x52,0xBB,0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D,
- 0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,0xF1,0x74,0x6C,0x08,
- 0xCA,0x18,0x21,0x7C,0x32,0x90,0x5E,0x46,0x2E,0x36,0xCE,0x3B,
- 0xE3,0x9E,0x77,0x2C,0x18,0x0E,0x86,0x03,0x9B,0x27,0x83,0xA2,
- 0xEC,0x07,0xA2,0x8F,0xB5,0xC5,0x5D,0xF0,0x6F,0x4C,0x52,0xC9,
- 0xDE,0x2B,0xCB,0xF6,0x95,0x58,0x17,0x18,0x39,0x95,0x49,0x7C,
- 0xEA,0x95,0x6A,0xE5,0x15,0xD2,0x26,0x18,0x98,0xFA,0x05,0x10,
- 0x15,0x72,0x8E,0x5A,0x8A,0xAA,0xC4,0x2D,0xAD,0x33,0x17,0x0D,
- 0x04,0x50,0x7A,0x33,0xA8,0x55,0x21,0xAB,0xDF,0x1C,0xBA,0x64,
- 0xEC,0xFB,0x85,0x04,0x58,0xDB,0xEF,0x0A,0x8A,0xEA,0x71,0x57,
- 0x5D,0x06,0x0C,0x7D,0xB3,0x97,0x0F,0x85,0xA6,0xE1,0xE4,0xC7,
- 0xAB,0xF5,0xAE,0x8C,0xDB,0x09,0x33,0xD7,0x1E,0x8C,0x94,0xE0,
- 0x4A,0x25,0x61,0x9D,0xCE,0xE3,0xD2,0x26,0x1A,0xD2,0xEE,0x6B,
- 0xF1,0x2F,0xFA,0x06,0xD9,0x8A,0x08,0x64,0xD8,0x76,0x02,0x73,
- 0x3E,0xC8,0x6A,0x64,0x52,0x1F,0x2B,0x18,0x17,0x7B,0x20,0x0C,
- 0xBB,0xE1,0x17,0x57,0x7A,0x61,0x5D,0x6C,0x77,0x09,0x88,0xC0,
- 0xBA,0xD9,0x46,0xE2,0x08,0xE2,0x4F,0xA0,0x74,0xE5,0xAB,0x31,
- 0x43,0xDB,0x5B,0xFC,0xE0,0xFD,0x10,0x8E,0x4B,0x82,0xD1,0x20,
- 0xA9,0x3A,0xD2,0xCA,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
- };
-
-//
-// "4096-bit MODP Group" from RFC3526, Section 5.
-//
-// The prime is: 2^4096 - 2^4032 - 1 + 2^64 * { [2^3966 pi] + 240904 }
-//
-GLOBAL_REMOVE_IF_UNREFERENCED UINT8 Modp4096Modulus[]={
- 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,
- 0x21,0x68,0xC2,0x34,0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,
- 0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,0x02,0x0B,0xBE,0xA6,
- 0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
- 0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,
- 0xF2,0x5F,0x14,0x37,0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,
- 0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,0xF4,0x4C,0x42,0xE9,
- 0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
- 0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,
- 0x7C,0x4B,0x1F,0xE6,0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D,
- 0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,0x98,0xDA,0x48,0x36,
- 0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F,
- 0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56,
- 0x20,0x85,0x52,0xBB,0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D,
- 0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,0xF1,0x74,0x6C,0x08,
- 0xCA,0x18,0x21,0x7C,0x32,0x90,0x5E,0x46,0x2E,0x36,0xCE,0x3B,
- 0xE3,0x9E,0x77,0x2C,0x18,0x0E,0x86,0x03,0x9B,0x27,0x83,0xA2,
- 0xEC,0x07,0xA2,0x8F,0xB5,0xC5,0x5D,0xF0,0x6F,0x4C,0x52,0xC9,
- 0xDE,0x2B,0xCB,0xF6,0x95,0x58,0x17,0x18,0x39,0x95,0x49,0x7C,
- 0xEA,0x95,0x6A,0xE5,0x15,0xD2,0x26,0x18,0x98,0xFA,0x05,0x10,
- 0x15,0x72,0x8E,0x5A,0x8A,0xAA,0xC4,0x2D,0xAD,0x33,0x17,0x0D,
- 0x04,0x50,0x7A,0x33,0xA8,0x55,0x21,0xAB,0xDF,0x1C,0xBA,0x64,
- 0xEC,0xFB,0x85,0x04,0x58,0xDB,0xEF,0x0A,0x8A,0xEA,0x71,0x57,
- 0x5D,0x06,0x0C,0x7D,0xB3,0x97,0x0F,0x85,0xA6,0xE1,0xE4,0xC7,
- 0xAB,0xF5,0xAE,0x8C,0xDB,0x09,0x33,0xD7,0x1E,0x8C,0x94,0xE0,
- 0x4A,0x25,0x61,0x9D,0xCE,0xE3,0xD2,0x26,0x1A,0xD2,0xEE,0x6B,
- 0xF1,0x2F,0xFA,0x06,0xD9,0x8A,0x08,0x64,0xD8,0x76,0x02,0x73,
- 0x3E,0xC8,0x6A,0x64,0x52,0x1F,0x2B,0x18,0x17,0x7B,0x20,0x0C,
- 0xBB,0xE1,0x17,0x57,0x7A,0x61,0x5D,0x6C,0x77,0x09,0x88,0xC0,
- 0xBA,0xD9,0x46,0xE2,0x08,0xE2,0x4F,0xA0,0x74,0xE5,0xAB,0x31,
- 0x43,0xDB,0x5B,0xFC,0xE0,0xFD,0x10,0x8E,0x4B,0x82,0xD1,0x20,
- 0xA9,0x21,0x08,0x01,0x1A,0x72,0x3C,0x12,0xA7,0x87,0xE6,0xD7,
- 0x88,0x71,0x9A,0x10,0xBD,0xBA,0x5B,0x26,0x99,0xC3,0x27,0x18,
- 0x6A,0xF4,0xE2,0x3C,0x1A,0x94,0x68,0x34,0xB6,0x15,0x0B,0xDA,
- 0x25,0x83,0xE9,0xCA,0x2A,0xD4,0x4C,0xE8,0xDB,0xBB,0xC2,0xDB,
- 0x04,0xDE,0x8E,0xF9,0x2E,0x8E,0xFC,0x14,0x1F,0xBE,0xCA,0xA6,
- 0x28,0x7C,0x59,0x47,0x4E,0x6B,0xC0,0x5D,0x99,0xB2,0x96,0x4F,
- 0xA0,0x90,0xC3,0xA2,0x23,0x3B,0xA1,0x86,0x51,0x5B,0xE7,0xED,
- 0x1F,0x61,0x29,0x70,0xCE,0xE2,0xD7,0xAF,0xB8,0x1B,0xDD,0x76,
- 0x21,0x70,0x48,0x1C,0xD0,0x06,0x91,0x27,0xD5,0xB0,0x5A,0xA9,
- 0x93,0xB4,0xEA,0x98,0x8D,0x8F,0xDD,0xC1,0x86,0xFF,0xB7,0xDC,
- 0x90,0xA6,0xC0,0x8F,0x4D,0xF4,0x35,0xC9,0x34,0x06,0x31,0x99,
- 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
- };
-
-//
-// "6144-bit MODP Group" from RFC3526, Section 6.
-//
-// The prime is: 2^6144 - 2^6080 - 1 + 2^64 * { [2^6014 pi] + 929484 }
-//
-GLOBAL_REMOVE_IF_UNREFERENCED UINT8 Modp6144Modulus[]={
- 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,
- 0x21,0x68,0xC2,0x34,0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,
- 0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,0x02,0x0B,0xBE,0xA6,
- 0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
- 0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,
- 0xF2,0x5F,0x14,0x37,0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,
- 0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,0xF4,0x4C,0x42,0xE9,
- 0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
- 0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,
- 0x7C,0x4B,0x1F,0xE6,0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D,
- 0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,0x98,0xDA,0x48,0x36,
- 0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F,
- 0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56,
- 0x20,0x85,0x52,0xBB,0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D,
- 0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,0xF1,0x74,0x6C,0x08,
- 0xCA,0x18,0x21,0x7C,0x32,0x90,0x5E,0x46,0x2E,0x36,0xCE,0x3B,
- 0xE3,0x9E,0x77,0x2C,0x18,0x0E,0x86,0x03,0x9B,0x27,0x83,0xA2,
- 0xEC,0x07,0xA2,0x8F,0xB5,0xC5,0x5D,0xF0,0x6F,0x4C,0x52,0xC9,
- 0xDE,0x2B,0xCB,0xF6,0x95,0x58,0x17,0x18,0x39,0x95,0x49,0x7C,
- 0xEA,0x95,0x6A,0xE5,0x15,0xD2,0x26,0x18,0x98,0xFA,0x05,0x10,
- 0x15,0x72,0x8E,0x5A,0x8A,0xAA,0xC4,0x2D,0xAD,0x33,0x17,0x0D,
- 0x04,0x50,0x7A,0x33,0xA8,0x55,0x21,0xAB,0xDF,0x1C,0xBA,0x64,
- 0xEC,0xFB,0x85,0x04,0x58,0xDB,0xEF,0x0A,0x8A,0xEA,0x71,0x57,
- 0x5D,0x06,0x0C,0x7D,0xB3,0x97,0x0F,0x85,0xA6,0xE1,0xE4,0xC7,
- 0xAB,0xF5,0xAE,0x8C,0xDB,0x09,0x33,0xD7,0x1E,0x8C,0x94,0xE0,
- 0x4A,0x25,0x61,0x9D,0xCE,0xE3,0xD2,0x26,0x1A,0xD2,0xEE,0x6B,
- 0xF1,0x2F,0xFA,0x06,0xD9,0x8A,0x08,0x64,0xD8,0x76,0x02,0x73,
- 0x3E,0xC8,0x6A,0x64,0x52,0x1F,0x2B,0x18,0x17,0x7B,0x20,0x0C,
- 0xBB,0xE1,0x17,0x57,0x7A,0x61,0x5D,0x6C,0x77,0x09,0x88,0xC0,
- 0xBA,0xD9,0x46,0xE2,0x08,0xE2,0x4F,0xA0,0x74,0xE5,0xAB,0x31,
- 0x43,0xDB,0x5B,0xFC,0xE0,0xFD,0x10,0x8E,0x4B,0x82,0xD1,0x20,
- 0xA9,0x21,0x08,0x01,0x1A,0x72,0x3C,0x12,0xA7,0x87,0xE6,0xD7,
- 0x88,0x71,0x9A,0x10,0xBD,0xBA,0x5B,0x26,0x99,0xC3,0x27,0x18,
- 0x6A,0xF4,0xE2,0x3C,0x1A,0x94,0x68,0x34,0xB6,0x15,0x0B,0xDA,
- 0x25,0x83,0xE9,0xCA,0x2A,0xD4,0x4C,0xE8,0xDB,0xBB,0xC2,0xDB,
- 0x04,0xDE,0x8E,0xF9,0x2E,0x8E,0xFC,0x14,0x1F,0xBE,0xCA,0xA6,
- 0x28,0x7C,0x59,0x47,0x4E,0x6B,0xC0,0x5D,0x99,0xB2,0x96,0x4F,
- 0xA0,0x90,0xC3,0xA2,0x23,0x3B,0xA1,0x86,0x51,0x5B,0xE7,0xED,
- 0x1F,0x61,0x29,0x70,0xCE,0xE2,0xD7,0xAF,0xB8,0x1B,0xDD,0x76,
- 0x21,0x70,0x48,0x1C,0xD0,0x06,0x91,0x27,0xD5,0xB0,0x5A,0xA9,
- 0x93,0xB4,0xEA,0x98,0x8D,0x8F,0xDD,0xC1,0x86,0xFF,0xB7,0xDC,
- 0x90,0xA6,0xC0,0x8F,0x4D,0xF4,0x35,0xC9,0x34,0x02,0x84,0x92,
- 0x36,0xC3,0xFA,0xB4,0xD2,0x7C,0x70,0x26,0xC1,0xD4,0xDC,0xB2,
- 0x60,0x26,0x46,0xDE,0xC9,0x75,0x1E,0x76,0x3D,0xBA,0x37,0xBD,
- 0xF8,0xFF,0x94,0x06,0xAD,0x9E,0x53,0x0E,0xE5,0xDB,0x38,0x2F,
- 0x41,0x30,0x01,0xAE,0xB0,0x6A,0x53,0xED,0x90,0x27,0xD8,0x31,
- 0x17,0x97,0x27,0xB0,0x86,0x5A,0x89,0x18,0xDA,0x3E,0xDB,0xEB,
- 0xCF,0x9B,0x14,0xED,0x44,0xCE,0x6C,0xBA,0xCE,0xD4,0xBB,0x1B,
- 0xDB,0x7F,0x14,0x47,0xE6,0xCC,0x25,0x4B,0x33,0x20,0x51,0x51,
- 0x2B,0xD7,0xAF,0x42,0x6F,0xB8,0xF4,0x01,0x37,0x8C,0xD2,0xBF,
- 0x59,0x83,0xCA,0x01,0xC6,0x4B,0x92,0xEC,0xF0,0x32,0xEA,0x15,
- 0xD1,0x72,0x1D,0x03,0xF4,0x82,0xD7,0xCE,0x6E,0x74,0xFE,0xF6,
- 0xD5,0x5E,0x70,0x2F,0x46,0x98,0x0C,0x82,0xB5,0xA8,0x40,0x31,
- 0x90,0x0B,0x1C,0x9E,0x59,0xE7,0xC9,0x7F,0xBE,0xC7,0xE8,0xF3,
- 0x23,0xA9,0x7A,0x7E,0x36,0xCC,0x88,0xBE,0x0F,0x1D,0x45,0xB7,
- 0xFF,0x58,0x5A,0xC5,0x4B,0xD4,0x07,0xB2,0x2B,0x41,0x54,0xAA,
- 0xCC,0x8F,0x6D,0x7E,0xBF,0x48,0xE1,0xD8,0x14,0xCC,0x5E,0xD2,
- 0x0F,0x80,0x37,0xE0,0xA7,0x97,0x15,0xEE,0xF2,0x9B,0xE3,0x28,
- 0x06,0xA1,0xD5,0x8B,0xB7,0xC5,0xDA,0x76,0xF5,0x50,0xAA,0x3D,
- 0x8A,0x1F,0xBF,0xF0,0xEB,0x19,0xCC,0xB1,0xA3,0x13,0xD5,0x5C,
- 0xDA,0x56,0xC9,0xEC,0x2E,0xF2,0x96,0x32,0x38,0x7F,0xE8,0xD7,
- 0x6E,0x3C,0x04,0x68,0x04,0x3E,0x8F,0x66,0x3F,0x48,0x60,0xEE,
- 0x12,0xBF,0x2D,0x5B,0x0B,0x74,0x74,0xD6,0xE6,0x94,0xF9,0x1E,
- 0x6D,0xCC,0x40,0x24,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
- };
-
-//
-// "8192-bit MODP Group" from RFC3526, Section 7.
-//
-// The prime is: 2^8192 - 2^8128 - 1 + 2^64 * { [2^8062 pi] + 4743158 }
-//
-GLOBAL_REMOVE_IF_UNREFERENCED UINT8 Modp8192Modulus[]={
- 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,
- 0x21,0x68,0xC2,0x34,0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,
- 0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,0x02,0x0B,0xBE,0xA6,
- 0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
- 0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,
- 0xF2,0x5F,0x14,0x37,0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,
- 0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,0xF4,0x4C,0x42,0xE9,
- 0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
- 0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,
- 0x7C,0x4B,0x1F,0xE6,0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D,
- 0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,0x98,0xDA,0x48,0x36,
- 0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F,
- 0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56,
- 0x20,0x85,0x52,0xBB,0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D,
- 0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,0xF1,0x74,0x6C,0x08,
- 0xCA,0x18,0x21,0x7C,0x32,0x90,0x5E,0x46,0x2E,0x36,0xCE,0x3B,
- 0xE3,0x9E,0x77,0x2C,0x18,0x0E,0x86,0x03,0x9B,0x27,0x83,0xA2,
- 0xEC,0x07,0xA2,0x8F,0xB5,0xC5,0x5D,0xF0,0x6F,0x4C,0x52,0xC9,
- 0xDE,0x2B,0xCB,0xF6,0x95,0x58,0x17,0x18,0x39,0x95,0x49,0x7C,
- 0xEA,0x95,0x6A,0xE5,0x15,0xD2,0x26,0x18,0x98,0xFA,0x05,0x10,
- 0x15,0x72,0x8E,0x5A,0x8A,0xAA,0xC4,0x2D,0xAD,0x33,0x17,0x0D,
- 0x04,0x50,0x7A,0x33,0xA8,0x55,0x21,0xAB,0xDF,0x1C,0xBA,0x64,
- 0xEC,0xFB,0x85,0x04,0x58,0xDB,0xEF,0x0A,0x8A,0xEA,0x71,0x57,
- 0x5D,0x06,0x0C,0x7D,0xB3,0x97,0x0F,0x85,0xA6,0xE1,0xE4,0xC7,
- 0xAB,0xF5,0xAE,0x8C,0xDB,0x09,0x33,0xD7,0x1E,0x8C,0x94,0xE0,
- 0x4A,0x25,0x61,0x9D,0xCE,0xE3,0xD2,0x26,0x1A,0xD2,0xEE,0x6B,
- 0xF1,0x2F,0xFA,0x06,0xD9,0x8A,0x08,0x64,0xD8,0x76,0x02,0x73,
- 0x3E,0xC8,0x6A,0x64,0x52,0x1F,0x2B,0x18,0x17,0x7B,0x20,0x0C,
- 0xBB,0xE1,0x17,0x57,0x7A,0x61,0x5D,0x6C,0x77,0x09,0x88,0xC0,
- 0xBA,0xD9,0x46,0xE2,0x08,0xE2,0x4F,0xA0,0x74,0xE5,0xAB,0x31,
- 0x43,0xDB,0x5B,0xFC,0xE0,0xFD,0x10,0x8E,0x4B,0x82,0xD1,0x20,
- 0xA9,0x21,0x08,0x01,0x1A,0x72,0x3C,0x12,0xA7,0x87,0xE6,0xD7,
- 0x88,0x71,0x9A,0x10,0xBD,0xBA,0x5B,0x26,0x99,0xC3,0x27,0x18,
- 0x6A,0xF4,0xE2,0x3C,0x1A,0x94,0x68,0x34,0xB6,0x15,0x0B,0xDA,
- 0x25,0x83,0xE9,0xCA,0x2A,0xD4,0x4C,0xE8,0xDB,0xBB,0xC2,0xDB,
- 0x04,0xDE,0x8E,0xF9,0x2E,0x8E,0xFC,0x14,0x1F,0xBE,0xCA,0xA6,
- 0x28,0x7C,0x59,0x47,0x4E,0x6B,0xC0,0x5D,0x99,0xB2,0x96,0x4F,
- 0xA0,0x90,0xC3,0xA2,0x23,0x3B,0xA1,0x86,0x51,0x5B,0xE7,0xED,
- 0x1F,0x61,0x29,0x70,0xCE,0xE2,0xD7,0xAF,0xB8,0x1B,0xDD,0x76,
- 0x21,0x70,0x48,0x1C,0xD0,0x06,0x91,0x27,0xD5,0xB0,0x5A,0xA9,
- 0x93,0xB4,0xEA,0x98,0x8D,0x8F,0xDD,0xC1,0x86,0xFF,0xB7,0xDC,
- 0x90,0xA6,0xC0,0x8F,0x4D,0xF4,0x35,0xC9,0x34,0x02,0x84,0x92,
- 0x36,0xC3,0xFA,0xB4,0xD2,0x7C,0x70,0x26,0xC1,0xD4,0xDC,0xB2,
- 0x60,0x26,0x46,0xDE,0xC9,0x75,0x1E,0x76,0x3D,0xBA,0x37,0xBD,
- 0xF8,0xFF,0x94,0x06,0xAD,0x9E,0x53,0x0E,0xE5,0xDB,0x38,0x2F,
- 0x41,0x30,0x01,0xAE,0xB0,0x6A,0x53,0xED,0x90,0x27,0xD8,0x31,
- 0x17,0x97,0x27,0xB0,0x86,0x5A,0x89,0x18,0xDA,0x3E,0xDB,0xEB,
- 0xCF,0x9B,0x14,0xED,0x44,0xCE,0x6C,0xBA,0xCE,0xD4,0xBB,0x1B,
- 0xDB,0x7F,0x14,0x47,0xE6,0xCC,0x25,0x4B,0x33,0x20,0x51,0x51,
- 0x2B,0xD7,0xAF,0x42,0x6F,0xB8,0xF4,0x01,0x37,0x8C,0xD2,0xBF,
- 0x59,0x83,0xCA,0x01,0xC6,0x4B,0x92,0xEC,0xF0,0x32,0xEA,0x15,
- 0xD1,0x72,0x1D,0x03,0xF4,0x82,0xD7,0xCE,0x6E,0x74,0xFE,0xF6,
- 0xD5,0x5E,0x70,0x2F,0x46,0x98,0x0C,0x82,0xB5,0xA8,0x40,0x31,
- 0x90,0x0B,0x1C,0x9E,0x59,0xE7,0xC9,0x7F,0xBE,0xC7,0xE8,0xF3,
- 0x23,0xA9,0x7A,0x7E,0x36,0xCC,0x88,0xBE,0x0F,0x1D,0x45,0xB7,
- 0xFF,0x58,0x5A,0xC5,0x4B,0xD4,0x07,0xB2,0x2B,0x41,0x54,0xAA,
- 0xCC,0x8F,0x6D,0x7E,0xBF,0x48,0xE1,0xD8,0x14,0xCC,0x5E,0xD2,
- 0x0F,0x80,0x37,0xE0,0xA7,0x97,0x15,0xEE,0xF2,0x9B,0xE3,0x28,
- 0x06,0xA1,0xD5,0x8B,0xB7,0xC5,0xDA,0x76,0xF5,0x50,0xAA,0x3D,
- 0x8A,0x1F,0xBF,0xF0,0xEB,0x19,0xCC,0xB1,0xA3,0x13,0xD5,0x5C,
- 0xDA,0x56,0xC9,0xEC,0x2E,0xF2,0x96,0x32,0x38,0x7F,0xE8,0xD7,
- 0x6E,0x3C,0x04,0x68,0x04,0x3E,0x8F,0x66,0x3F,0x48,0x60,0xEE,
- 0x12,0xBF,0x2D,0x5B,0x0B,0x74,0x74,0xD6,0xE6,0x94,0xF9,0x1E,
- 0x6D,0xBE,0x11,0x59,0x74,0xA3,0x92,0x6F,0x12,0xFE,0xE5,0xE4,
- 0x38,0x77,0x7C,0xB6,0xA9,0x32,0xDF,0x8C,0xD8,0xBE,0xC4,0xD0,
- 0x73,0xB9,0x31,0xBA,0x3B,0xC8,0x32,0xB6,0x8D,0x9D,0xD3,0x00,
- 0x74,0x1F,0xA7,0xBF,0x8A,0xFC,0x47,0xED,0x25,0x76,0xF6,0x93,
- 0x6B,0xA4,0x24,0x66,0x3A,0xAB,0x63,0x9C,0x5A,0xE4,0xF5,0x68,
- 0x34,0x23,0xB4,0x74,0x2B,0xF1,0xC9,0x78,0x23,0x8F,0x16,0xCB,
- 0xE3,0x9D,0x65,0x2D,0xE3,0xFD,0xB8,0xBE,0xFC,0x84,0x8A,0xD9,
- 0x22,0x22,0x2E,0x04,0xA4,0x03,0x7C,0x07,0x13,0xEB,0x57,0xA8,
- 0x1A,0x23,0xF0,0xC7,0x34,0x73,0xFC,0x64,0x6C,0xEA,0x30,0x6B,
- 0x4B,0xCB,0xC8,0x86,0x2F,0x83,0x85,0xDD,0xFA,0x9D,0x4B,0x7F,
- 0xA2,0xC0,0x87,0xE8,0x79,0x68,0x33,0x03,0xED,0x5B,0xDD,0x3A,
- 0x06,0x2B,0x3C,0xF5,0xB3,0xA2,0x78,0xA6,0x6D,0x2A,0x13,0xF8,
- 0x3F,0x44,0xF8,0x2D,0xDF,0x31,0x0E,0xE0,0x74,0xAB,0x6A,0x36,
- 0x45,0x97,0xE8,0x99,0xA0,0x25,0x5D,0xC1,0x64,0xF3,0x1C,0xC5,
- 0x08,0x46,0x85,0x1D,0xF9,0xAB,0x48,0x19,0x5D,0xED,0x7E,0xA1,
- 0xB1,0xD5,0x10,0xBD,0x7E,0xE7,0x4D,0x73,0xFA,0xF3,0x6B,0xC3,
- 0x1E,0xCF,0xA2,0x68,0x35,0x90,0x46,0xF4,0xEB,0x87,0x9F,0x92,
- 0x40,0x09,0x43,0x8B,0x48,0x1C,0x6C,0xD7,0x88,0x9A,0x00,0x2E,
- 0xD5,0xEE,0x38,0x2B,0xC9,0x19,0x0D,0xA6,0xFC,0x02,0x6E,0x47,
- 0x95,0x58,0xE4,0x47,0x56,0x77,0xE9,0xAA,0x9E,0x30,0x50,0xE2,
- 0x76,0x56,0x94,0xDF,0xC8,0x1F,0x56,0xE8,0x80,0xB9,0x6E,0x71,
- 0x60,0xC9,0x80,0xDD,0x98,0xED,0xD3,0xDF,0xFF,0xFF,0xFF,0xFF,
- 0xFF,0xFF,0xFF,0xFF,
- };
-
-//
-// Pre-defined Oakley MODP Groups
-//
-#define DH_GENERATOR_2 2
-GLOBAL_REMOVE_IF_UNREFERENCED CONST MODP_GROUP OakleyModpGroup[] = {
- {0, 0, NULL, 0}, //Undefined
- {OakleyGroupModp768, 768, Modp768Modulus, DH_GENERATOR_2},
- {OakleyGroupModp1024, 1024, Modp1024Modulus, DH_GENERATOR_2},
- {0, 0, NULL, 0}, // For ECC. UnSupported
- {0, 0, NULL, 0}, // For ECC. Unsupported
- {OakleyGroupModp1536, 1536, Modp1536Modulus, DH_GENERATOR_2},
- {0, 0, NULL, 0}, //Undefined
- {0, 0, NULL, 0}, //Undefined
- {0, 0, NULL, 0}, //Undefined
- {0, 0, NULL, 0}, //Undefined
- {0, 0, NULL, 0}, //Undefined
- {0, 0, NULL, 0}, //Undefined
- {0, 0, NULL, 0}, //Undefined
- {0, 0, NULL, 0}, //Undefined
- {OakleyGroupModp2048, 2048, Modp2048Modulus, DH_GENERATOR_2},
- {OakleyGroupModp3072, 3072, Modp3072Modulus, DH_GENERATOR_2},
- {OakleyGroupModp4096, 4096, Modp4096Modulus, DH_GENERATOR_2},
- {OakleyGroupModp6144, 6144, Modp6144Modulus, DH_GENERATOR_2},
- {OakleyGroupModp8192, 8192, Modp8192Modulus, DH_GENERATOR_2},
-};
diff --git a/NetworkPkg/IpSecDxe/Ike.h b/NetworkPkg/IpSecDxe/Ike.h deleted file mode 100644 index 191f95e9fe..0000000000 --- a/NetworkPkg/IpSecDxe/Ike.h +++ /dev/null @@ -1,260 +0,0 @@ -/** @file
- The common definition of IPsec Key Exchange (IKE).
-
- Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>
-
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
-
-**/
-
-#ifndef _IKE_H_
-#define _IKE_H_
-
-#include <Library/UdpIoLib.h>
-#include <Library/BaseCryptLib.h>
-#include "IpSecImpl.h"
-
-#define IKE_VERSION_MAJOR_MASK 0xf0
-#define IKE_VERSION_MINOR_MASK 0x0f
-
-#define IKE_MAJOR_VERSION(v) (((v) & IKE_VERSION_MAJOR_MASK) >> 4)
-#define IKE_MINOR_VERSION(v) ((v) & IKE_VERSION_MINOR_MASK)
-
-//
-// Protocol Value Use in IKEv1 and IKEv2
-//
-#define IPSEC_PROTO_ISAKMP 1
-#define IPSEC_PROTO_IPSEC_AH 2
-#define IPSEC_PROTO_IPSEC_ESP 3
-#define IPSEC_PROTO_IPCOMP 4 // For IKEv1 this value is reserved
-
-//
-// For Algorithm search in support list.Last two types are for IKEv2 only.
-//
-#define IKE_ENCRYPT_TYPE 0
-#define IKE_AUTH_TYPE 1
-#define IKE_PRF_TYPE 2
-#define IKE_DH_TYPE 3
-
-//
-// Encryption Algorithm present in IKEv1 phasrs2 and IKEv2 transform payload (Transform Type 1)
-//
-#define IPSEC_ESP_DES_IV64 1
-#define IPSEC_ESP_DES 2
-#define IPSEC_ESP_3DES 3
-#define IPSEC_ESP_RC5 4
-#define IPSEC_ESP_IDEA 5
-#define IPSEC_ESP_CAST 6
-#define IPSEC_ESP_BLOWFISH 7
-#define IPSEC_ESP_3IDEA 8
-#define IPSEC_ESP_DES_IV32 9
-#define IPSEC_ESP_RC4 10 // It's reserved in IKEv2
-#define IPSEC_ESP_NULL 11
-#define IPSEC_ESP_AES 12
-
-#define IKE_XCG_TYPE_NONE 0
-#define IKE_XCG_TYPE_BASE 1
-#define IKE_XCG_TYPE_IDENTITY_PROTECT 2
-#define IKE_XCG_TYPE_AUTH_ONLY 3
-#define IKE_XCG_TYPE_AGGR 4
-#define IKE_XCG_TYPE_INFO 5
-#define IKE_XCG_TYPE_QM 32
-#define IKE_XCG_TYPE_NGM 33
-#define IKE_XCG_TYPE_SA_INIT 34
-#define IKE_XCG_TYPE_AUTH 35
-#define IKE_XCG_TYPE_CREATE_CHILD_SA 36
-#define IKE_XCG_TYPE_INFO2 37
-
-#define IKE_LIFE_TYPE_SECONDS 1
-#define IKE_LIFE_TYPE_KILOBYTES 2
-
-//
-// Deafult IKE SA lifetime and CHILD SA lifetime
-//
-#define IKE_SA_DEFAULT_LIFETIME 1200
-#define CHILD_SA_DEFAULT_LIFETIME 3600
-
-//
-// Next payload type presented within Proposal payload
-//
-#define IKE_PROPOSAL_NEXT_PAYLOAD_MORE 2
-#define IKE_PROPOSAL_NEXT_PAYLOAD_NONE 0
-
-//
-// Next payload type presented within Transform payload
-//
-#define IKE_TRANSFORM_NEXT_PAYLOAD_MORE 3
-#define IKE_TRANSFORM_NEXT_PAYLOAD_NONE 0
-
-//
-// Max size of the SA attribute
-//
-#define MAX_SA_ATTRS_SIZE 48
-#define SA_ATTR_FORMAT_BIT 0x8000
-//
-// The definition for Information Message ID.
-//
-#define INFO_MID_SIGNATURE SIGNATURE_32 ('I', 'N', 'F', 'M')
-
-//
-// Type for the IKE SESSION COMMON
-//
-typedef enum {
- IkeSessionTypeIkeSa,
- IkeSessionTypeChildSa,
- IkeSessionTypeInfo,
- IkeSessionTypeMax
-} IKE_SESSION_TYPE;
-
-//
-// The DH Group ID defined RFC3526 and RFC 2409
-//
-typedef enum {
- OakleyGroupModp768 = 1,
- OakleyGroupModp1024 = 2,
- OakleyGroupGp155 = 3, // Unsupported Now.
- OakleyGroupGp185 = 4, // Unsupported Now.
- OakleyGroupModp1536 = 5,
-
- OakleyGroupModp2048 = 14,
- OakleyGroupModp3072 = 15,
- OakleyGroupModp4096 = 16,
- OakleyGroupModp6144 = 17,
- OakleyGroupModp8192 = 18,
- OakleyGroupMax
-} OAKLEY_GROUP_ID;
-
-//
-// IKE Header
-//
-#pragma pack(1)
-typedef struct {
- UINT64 InitiatorCookie;
- UINT64 ResponderCookie;
- UINT8 NextPayload;
- UINT8 Version;
- UINT8 ExchangeType;
- UINT8 Flags;
- UINT32 MessageId;
- UINT32 Length;
-} IKE_HEADER;
-#pragma pack()
-
-typedef union {
- UINT16 AttrLength;
- UINT16 AttrValue;
-} IKE_SA_ATTR_UNION;
-
-//
-// SA Attribute present in Transform Payload
-//
-#pragma pack(1)
-typedef struct {
- UINT16 AttrType;
- IKE_SA_ATTR_UNION Attr;
-} IKE_SA_ATTRIBUTE;
-#pragma pack()
-
-//
-// Contains the IKE packet information.
-//
-typedef struct {
- UINTN RefCount;
- BOOLEAN IsHdrExt;
- IKE_HEADER *Header;
- BOOLEAN IsPayloadsBufExt;
- UINT8 *PayloadsBuf; // The whole IkePakcet trimed the IKE header.
- UINTN PayloadTotalSize;
- LIST_ENTRY PayloadList;
- EFI_IP_ADDRESS RemotePeerIp;
- BOOLEAN IsEncoded; // whether HTON is done when sending the packet
- UINT32 Spi; // For the Delete Information Exchange
- BOOLEAN IsDeleteInfo; // For the Delete Information Exchange
- IPSEC_PRIVATE_DATA *Private; // For the Delete Information Exchange
-} IKE_PACKET;
-
-//
-// The generic structure to all kinds of IKE payloads.
-//
-typedef struct {
- UINT32 Signature;
- BOOLEAN IsPayloadBufExt;
- UINT8 PayloadType;
- UINT8 *PayloadBuf;
- UINTN PayloadSize;
- LIST_ENTRY ByPacket;
-} IKE_PAYLOAD;
-
-//
-// Udp Service
-//
-typedef struct {
- UINT32 Signature;
- UINT8 IpVersion;
- LIST_ENTRY List;
- LIST_ENTRY *ListHead;
- EFI_HANDLE NicHandle;
- EFI_HANDLE ImageHandle;
- UDP_IO *Input;
- UDP_IO *Output;
- EFI_IP_ADDRESS DefaultAddress;
- BOOLEAN IsConfigured;
-} IKE_UDP_SERVICE;
-
-//
-// Each IKE session has its own Key sets for local peer and remote peer.
-//
-typedef struct {
- EFI_IPSEC_ALGO_INFO LocalPeerInfo;
- EFI_IPSEC_ALGO_INFO RemotePeerInfo;
-} SA_KEYMATS;
-
-//
-// Each algorithm has its own Id, Guid, BlockSize and KeyLength.
-// This struct contains these information for each algorithm. It is generic structure
-// for both encryption and authentication algorithm.
-// For authentication algorithm, the AlgSize means IcvSize. For encryption algorithm,
-// it means IvSize.
-//
-#pragma pack(1)
-typedef struct {
- UINT8 AlgorithmId; // Encryption or Authentication Id used by ESP/AH
- EFI_GUID *AlgGuid;
- UINT8 AlgSize; // IcvSize or IvSize
- UINT8 BlockSize;
- UINTN KeyMateLen;
-} IKE_ALG_GUID_INFO; // For IPsec Authentication and Encryption Algorithm.
-#pragma pack()
-
-//
-// Structure used to store the DH group
-//
-typedef struct {
- UINT8 GroupId;
- UINTN Size;
- UINT8 *Modulus;
- UINTN GroupGenerator;
-} MODP_GROUP;
-
-/**
- This is prototype definition of general interface to phase the payloads
- after/before the decode/encode.
-
- @param[in] SessionCommon Point to the SessionCommon
- @param[in] PayloadBuf Point to the buffer of Payload.
- @param[in] PayloadSize The size of the PayloadBuf in bytes.
- @param[in] PayloadType The type of Payload.
-
-**/
-typedef
-VOID
-(*IKE_ON_PAYLOAD_FROM_NET) (
- IN UINT8 *SessionCommon,
- IN UINT8 *PayloadBuf,
- IN UINTN PayloadSize,
- IN UINT8 PayloadType
- );
-
-#endif
-
diff --git a/NetworkPkg/IpSecDxe/IkeCommon.c b/NetworkPkg/IpSecDxe/IkeCommon.c deleted file mode 100644 index f5e058dbc9..0000000000 --- a/NetworkPkg/IpSecDxe/IkeCommon.c +++ /dev/null @@ -1,324 +0,0 @@ -/** @file
- Common operation of the IKE
-
- Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>
-
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#include "Ike.h"
-#include "IkeCommon.h"
-#include "IpSecConfigImpl.h"
-#include "IpSecDebug.h"
-
-/**
- Check whether the new generated Spi has existed.
-
- @param[in] IkeSaSession Pointer to the Child SA Session.
- @param[in] SpiValue SPI Value.
-
- @retval TRUE This SpiValue has existed in the Child SA Session
- @retval FALSE This SpiValue doesn't exist in the Child SA Session.
-
-**/
-BOOLEAN
-IkeSpiValueExisted (
- IN IKEV2_SA_SESSION *IkeSaSession,
- IN UINT32 SpiValue
- )
-{
- LIST_ENTRY *Entry;
- LIST_ENTRY *Next;
- IKEV2_CHILD_SA_SESSION *SaSession;
-
- Entry = NULL;
- Next = NULL;
- SaSession = NULL;
-
- //
- // Check whether the SPI value has existed in ChildSaEstablishSessionList.
- //
- NET_LIST_FOR_EACH_SAFE (Entry, Next, &IkeSaSession->ChildSaEstablishSessionList) {
- SaSession= IKEV2_CHILD_SA_SESSION_BY_IKE_SA (Entry);
- if (SaSession->LocalPeerSpi == SpiValue) {
- return TRUE;
- }
- }
-
- //
- // Check whether the SPI value has existed in ChildSaSessionList.
- //
- NET_LIST_FOR_EACH_SAFE (Entry, Next, &IkeSaSession->ChildSaSessionList) {
- SaSession= IKEV2_CHILD_SA_SESSION_BY_IKE_SA (Entry);
- if (SaSession->LocalPeerSpi == SpiValue) {
- return TRUE;
- }
- }
-
- return FALSE;
-}
-
-/**
- Call Crypto Lib to generate a random value with eight-octet length.
-
- @return the 64 byte vaule.
-
-**/
-UINT64
-IkeGenerateCookie (
- VOID
- )
-{
- UINT64 Cookie;
- EFI_STATUS Status;
-
- Status = IpSecCryptoIoGenerateRandomBytes ((UINT8 *)&Cookie, sizeof (UINT64));
- if (EFI_ERROR (Status)) {
- return 0;
- } else {
- return Cookie;
- }
-}
-
-/**
- Generate the random data for Nonce payload.
-
- @param[in] NonceSize Size of the data in bytes.
-
- @return Buffer which contains the random data of the spcified size.
-
-**/
-UINT8 *
-IkeGenerateNonce (
- IN UINTN NonceSize
- )
-{
- UINT8 *Nonce;
- EFI_STATUS Status;
-
- Nonce = AllocateZeroPool (NonceSize);
- if (Nonce == NULL) {
- return NULL;
- }
-
- Status = IpSecCryptoIoGenerateRandomBytes (Nonce, NonceSize);
- if (EFI_ERROR (Status)) {
- FreePool (Nonce);
- return NULL;
- } else {
- return Nonce;
- }
-}
-
-/**
- Convert the IKE Header from Network order to Host order.
-
- @param[in, out] Header The pointer of the IKE_HEADER.
-
-**/
-VOID
-IkeHdrNetToHost (
- IN OUT IKE_HEADER *Header
- )
-{
- Header->InitiatorCookie = NTOHLL (Header->InitiatorCookie);
- Header->ResponderCookie = NTOHLL (Header->ResponderCookie);
- Header->MessageId = NTOHL (Header->MessageId);
- Header->Length = NTOHL (Header->Length);
-}
-
-/**
- Convert the IKE Header from Host order to Network order.
-
- @param[in, out] Header The pointer of the IKE_HEADER.
-
-**/
-VOID
-IkeHdrHostToNet (
- IN OUT IKE_HEADER *Header
- )
-{
- Header->InitiatorCookie = HTONLL (Header->InitiatorCookie);
- Header->ResponderCookie = HTONLL (Header->ResponderCookie);
- Header->MessageId = HTONL (Header->MessageId);
- Header->Length = HTONL (Header->Length);
-}
-
-/**
- Allocate a buffer of IKE_PAYLOAD and set its Signature.
-
- @return A buffer of IKE_PAYLOAD.
-
-**/
-IKE_PAYLOAD *
-IkePayloadAlloc (
- VOID
- )
-{
- IKE_PAYLOAD *IkePayload;
-
- IkePayload = (IKE_PAYLOAD *) AllocateZeroPool (sizeof (IKE_PAYLOAD));
- if (IkePayload == NULL) {
- return NULL;
- }
-
- IkePayload->Signature = IKE_PAYLOAD_SIGNATURE;
-
- return IkePayload;
-}
-
-/**
- Free a specified IKE_PAYLOAD buffer.
-
- @param[in] IkePayload Pointer of IKE_PAYLOAD to be freed.
-
-**/
-VOID
-IkePayloadFree (
- IN IKE_PAYLOAD *IkePayload
- )
-{
- if (IkePayload == NULL) {
- return;
- }
- //
- // If this IkePayload is not referred by others, free it.
- //
- if (!IkePayload->IsPayloadBufExt && (IkePayload->PayloadBuf != NULL)) {
- FreePool (IkePayload->PayloadBuf);
- }
-
- FreePool (IkePayload);
-}
-
-/**
- Generate an new SPI.
-
- @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION related to this Child SA
- Session.
- @param[in, out] SpiValue Pointer to the new generated SPI value.
-
- @retval EFI_SUCCESS The operation performs successfully.
- @retval Otherwise The operation is failed.
-
-**/
-EFI_STATUS
-IkeGenerateSpi (
- IN IKEV2_SA_SESSION *IkeSaSession,
- IN OUT UINT32 *SpiValue
- )
-{
- EFI_STATUS Status;
-
- Status = EFI_SUCCESS;
-
- while (TRUE) {
- //
- // Generate SPI randomly
- //
- Status = IpSecCryptoIoGenerateRandomBytes ((UINT8 *)SpiValue, sizeof (UINT32));
- if (EFI_ERROR (Status)) {
- break;
- }
-
- //
- // The set of SPI values in the range 1 through 255 are reserved by the
- // Internet Assigned Numbers Authority (IANA) for future use; a reserved
- // SPI value will not normally be assigned by IANA unless the use of the
- // assigned SPI value is specified in an RFC.
- //
- if (*SpiValue < IKE_SPI_BASE) {
- *SpiValue += IKE_SPI_BASE;
- }
-
- //
- // Check whether the new generated SPI has existed.
- //
- if (!IkeSpiValueExisted (IkeSaSession, *SpiValue)) {
- break;
- }
- }
-
- return Status;
-}
-
-/**
- Generate a random data for IV
-
- @param[in] IvBuffer The pointer of the IV buffer.
- @param[in] IvSize The IV size.
-
- @retval EFI_SUCCESS Create a random data for IV.
- @retval otherwise Failed.
-
-**/
-EFI_STATUS
-IkeGenerateIv (
- IN UINT8 *IvBuffer,
- IN UINTN IvSize
- )
-{
- return IpSecCryptoIoGenerateRandomBytes (IvBuffer, IvSize);
-}
-
-
-/**
- Find SPD entry by a specified SPD selector.
-
- @param[in] SpdSel Point to SPD Selector to be searched for.
-
- @retval Point to SPD Entry if the SPD entry found.
- @retval NULL if not found.
-
-**/
-IPSEC_SPD_ENTRY *
-IkeSearchSpdEntry (
- IN EFI_IPSEC_SPD_SELECTOR *SpdSel
- )
-{
- IPSEC_SPD_ENTRY *SpdEntry;
- LIST_ENTRY *SpdList;
- LIST_ENTRY *Entry;
-
- SpdList = &mConfigData[IPsecConfigDataTypeSpd];
-
- NET_LIST_FOR_EACH (Entry, SpdList) {
- SpdEntry = IPSEC_SPD_ENTRY_FROM_LIST (Entry);
-
- //
- // Find the required SPD entry
- //
- if (CompareSpdSelector (
- (EFI_IPSEC_CONFIG_SELECTOR *) SpdSel,
- (EFI_IPSEC_CONFIG_SELECTOR *) SpdEntry->Selector
- )) {
- return SpdEntry;
- }
-
- }
-
- return NULL;
-}
-
-/**
- Get the IKE Version from the IKE_SA_SESSION.
-
- @param[in] Session Pointer of the IKE_SA_SESSION.
-
-**/
-UINT8
-IkeGetVersionFromSession (
- IN UINT8 *Session
- )
-{
- if (*(UINT32 *) Session == IKEV2_SA_SESSION_SIGNATURE) {
- return ((IKEV2_SA_SESSION *) Session)->SessionCommon.IkeVer;
- } else {
- //
- // Add IKEv1 support here.
- //
- return 0;
- }
-}
-
diff --git a/NetworkPkg/IpSecDxe/IkeCommon.h b/NetworkPkg/IpSecDxe/IkeCommon.h deleted file mode 100644 index abdbbf173f..0000000000 --- a/NetworkPkg/IpSecDxe/IkeCommon.h +++ /dev/null @@ -1,189 +0,0 @@ -/** @file
- Common operation of the IKE.
-
- Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>
-
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#ifndef _IKE_COMMON_H_
-#define _IKE_COMMON_H_
-
-#include <Protocol/Udp4.h>
-#include <Protocol/Udp6.h>
-#include <Protocol/Ip4Config2.h>
-
-#include <Library/BaseLib.h>
-#include <Library/BaseMemoryLib.h>
-#include <Library/MemoryAllocationLib.h>
-#include <Library/UefiRuntimeServicesTableLib.h>
-#include <Library/UefiBootServicesTableLib.h>
-#include <Library/DebugLib.h>
-#include <Library/UdpIoLib.h>
-#include <Library/BaseCryptLib.h>
-
-#include "Ikev2/Ikev2.h"
-#include "IpSecImpl.h"
-#include "IkePacket.h"
-#include "IpSecCryptIo.h"
-
-
-#define IKE_DEFAULT_PORT 500
-#define IKE_DEFAULT_TIMEOUT_INTERVAL 10000 // 10s
-#define IKE_NONCE_SIZE 16
-#define IKE_MAX_RETRY 4
-#define IKE_SPI_BASE 0x100
-#define IKE_PAYLOAD_SIGNATURE SIGNATURE_32('I','K','E','P')
-#define IKE_PAYLOAD_BY_PACKET(a) CR(a,IKE_PAYLOAD,ByPacket,IKE_PAYLOAD_SIGNATURE)
-
-
-#define IKE_PACKET_APPEND_PAYLOAD(IkePacket,IkePayload) \
- do { \
- InsertTailList(&(IkePacket)->PayloadList, &(IkePayload)->ByPacket); \
- } while (0)
-
-#define IKE_PACKET_REMOVE_PAYLOAD(IkePacket,IkePayload) \
- do { \
- RemoveEntryList(&(IkePayload)->ByPacket); \
- } while (0)
-
-#define IKE_PACKET_END_PAYLOAD(IkePacket, Node) \
- Node = GetFirstNode (&(IkePacket)->PayloadList); \
- while (!IsNodeAtEnd (&(IkePacket)->PayloadList, Node)) { \
- Node = GetNextNode (&(IkePacket)->PayloadList, Node); \
- } \
-
-/**
- Call Crypto Lib to generate a random value with eight-octet length.
-
- @return the 64 byte vaule.
-
-**/
-UINT64
-IkeGenerateCookie (
- VOID
- );
-
-/**
- Generate the random data for Nonce payload.
-
- @param[in] NonceSize Size of the data in bytes.
-
- @return Buffer which contains the random data of the spcified size.
-
-**/
-UINT8 *
-IkeGenerateNonce (
- IN UINTN NonceSize
- );
-
-/**
- Convert the IKE Header from Network order to Host order.
-
- @param[in, out] Header The pointer of the IKE_HEADER.
-
-**/
-VOID
-IkeHdrNetToHost (
- IN OUT IKE_HEADER *Header
- );
-
-
-/**
- Convert the IKE Header from Host order to Network order.
-
- @param[in, out] Header The pointer of the IKE_HEADER.
-
-**/
-VOID
-IkeHdrHostToNet (
- IN OUT IKE_HEADER *Header
- );
-
-/**
- Allocate a buffer of IKE_PAYLOAD and set its Signature.
-
- @return A buffer of IKE_PAYLOAD.
-
-**/
-IKE_PAYLOAD *
-IkePayloadAlloc (
- VOID
- );
-
-/**
- Free a specified IKE_PAYLOAD buffer.
-
- @param[in] IkePayload Pointer of IKE_PAYLOAD to be freed.
-
-**/
-VOID
-IkePayloadFree (
- IN IKE_PAYLOAD *IkePayload
- );
-
-/**
- Generate an new SPI.
-
- @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION related to this Child SA
- Session.
- @param[in, out] SpiValue Pointer to the new generated SPI value.
-
- @retval EFI_SUCCESS The operation performs successfully.
- @retval Otherwise The operation is failed.
-
-**/
-EFI_STATUS
-IkeGenerateSpi (
- IN IKEV2_SA_SESSION *IkeSaSession,
- IN OUT UINT32 *SpiValue
- );
-
-/**
- Generate a random data for IV
-
- @param[in] IvBuffer The pointer of the IV buffer.
- @param[in] IvSize The IV size.
-
- @retval EFI_SUCCESS Create a random data for IV.
- @retval otherwise Failed.
-
-**/
-EFI_STATUS
-IkeGenerateIv (
- IN UINT8 *IvBuffer,
- IN UINTN IvSize
- );
-
-/**
- Get the IKE Version from the IKE_SA_SESSION.
-
- @param[in] Session Pointer of the IKE_SA_SESSION.
-
-**/
-UINT8
-IkeGetVersionFromSession (
- IN UINT8 *Session
- );
-
-/**
- Find SPD entry by a specified SPD selector.
-
- @param[in] SpdSel Point to SPD Selector to be searched for.
-
- @retval Point to Spd Entry if the SPD entry found.
- @retval NULL if not found.
-
-**/
-IPSEC_SPD_ENTRY *
-IkeSearchSpdEntry (
- IN EFI_IPSEC_SPD_SELECTOR *SpdSel
- );
-
-extern MODP_GROUP OakleyModpGroup[];
-extern IKE_ALG_GUID_INFO mIPsecEncrAlgInfo[];
-extern IKE_ALG_GUID_INFO mIPsecAuthAlgInfo[];
-
-#endif
-
diff --git a/NetworkPkg/IpSecDxe/IkePacket.c b/NetworkPkg/IpSecDxe/IkePacket.c deleted file mode 100644 index a4f67ac9be..0000000000 --- a/NetworkPkg/IpSecDxe/IkePacket.c +++ /dev/null @@ -1,259 +0,0 @@ -/** @file
- IKE Packet related operation.
-
- Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>
-
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#include "IpSecDebug.h"
-#include "Ikev2/Utility.h"
-
-/**
- Allocate a buffer for the IKE_PACKET and intitalize its Header and payloadlist.
-
- @return The pointer of the IKE_PACKET.
-
-**/
-IKE_PACKET *
-IkePacketAlloc (
- VOID
- )
-{
- IKE_PACKET *IkePacket;
-
- IkePacket = (IKE_PACKET *) AllocateZeroPool (sizeof (IKE_PACKET));
- if (IkePacket == NULL) {
- return NULL;
- }
-
- IkePacket->RefCount = 1;
- InitializeListHead (&IkePacket->PayloadList);
-
- IkePacket->Header = (IKE_HEADER *) AllocateZeroPool (sizeof (IKE_HEADER));
- if (IkePacket->Header == NULL) {
- FreePool (IkePacket);
- return NULL;
- }
- return IkePacket;
-}
-
-/**
- Free the IkePacket by the specified IKE_PACKET pointer.
-
- @param[in] IkePacket The pointer of the IKE_PACKET to be freed.
-
-**/
-VOID
-IkePacketFree (
- IN IKE_PACKET *IkePacket
- )
-{
- LIST_ENTRY *Entry;
- IKE_PAYLOAD *IkePayload;
-
- if (IkePacket == NULL) {
- return;
- }
- //
- // Check if the Packet is referred by others.
- //
- if (--IkePacket->RefCount == 0) {
- //
- // Free IkePacket header
- //
- if (!IkePacket->IsHdrExt && IkePacket->Header != NULL) {
- FreePool (IkePacket->Header);
- }
- //
- // Free the PayloadsBuff
- //
- if (!IkePacket->IsPayloadsBufExt && IkePacket->PayloadsBuf != NULL) {
- FreePool (IkePacket->PayloadsBuf);
- }
- //
- // Iterate payloadlist and free all payloads
- //
- for (Entry = (IkePacket)->PayloadList.ForwardLink; Entry != &(IkePacket)->PayloadList;) {
- IkePayload = IKE_PAYLOAD_BY_PACKET (Entry);
- Entry = Entry->ForwardLink;
-
- IkePayloadFree (IkePayload);
- }
-
- FreePool (IkePacket);
- }
-}
-
-/**
- Callback funtion of NetbufFromExt()
-
- @param[in] Arg The data passed from the NetBufFromExe().
-
-**/
-VOID
-EFIAPI
-IkePacketNetbufFree (
- IN VOID *Arg
- )
-{
- //
- // TODO: add something if need.
- //
-}
-
-/**
- Copy the NetBuf into a IKE_PACKET sturcture.
-
- Create a IKE_PACKET and fill the received IKE header into the header of IKE_PACKET
- and copy the recieved packet without IKE HEADER to the PayloadBuf of IKE_PACKET.
-
- @param[in] Netbuf The pointer of the Netbuf which contains the whole received
- IKE packet.
-
- @return The pointer of the IKE_PACKET which contains the received packet.
-
-**/
-IKE_PACKET *
-IkePacketFromNetbuf (
- IN NET_BUF *Netbuf
- )
-{
- IKE_PACKET *IkePacket;
-
- IkePacket = NULL;
- if (Netbuf->TotalSize < sizeof (IKE_HEADER)) {
- goto Error;
- }
-
- IkePacket = IkePacketAlloc ();
- if (IkePacket == NULL) {
- return NULL;
- }
- //
- // Copy the IKE header from Netbuf to IkePacket->Hdr
- //
- NetbufCopy (Netbuf, 0, sizeof (IKE_HEADER), (UINT8 *) IkePacket->Header);
- //
- // Net order to host order
- //
- IkeHdrNetToHost (IkePacket->Header);
- if (IkePacket->Header->Length < Netbuf->TotalSize) {
- goto Error;
- }
-
- IkePacket->PayloadTotalSize = IkePacket->Header->Length - sizeof (IKE_HEADER);
- IkePacket->PayloadsBuf = (UINT8 *) AllocateZeroPool (IkePacket->PayloadTotalSize);
-
- if (IkePacket->PayloadsBuf == NULL) {
- goto Error;
- }
- //
- // Copy the IKE packet without the header into the IkePacket->PayloadsBuf.
- //
- NetbufCopy (Netbuf, sizeof (IKE_HEADER), (UINT32) IkePacket->PayloadTotalSize, IkePacket->PayloadsBuf);
- return IkePacket;
-
-Error:
- if (IkePacket != NULL) {
- IkePacketFree (IkePacket);
- }
-
- return NULL;
-}
-
-/**
- Convert the format from IKE_PACKET to NetBuf.
-
- @param[in] SessionCommon Pointer of related IKE_COMMON_SESSION
- @param[in] IkePacket Pointer of IKE_PACKET to be copy to NetBuf
- @param[in] IkeType The IKE type to pointer the packet is for which IKE
- phase. Now it supports IKE_SA_TYPE, IKE_CHILDSA_TYPE,
- IKE_INFO_TYPE.
-
- @return a pointer of Netbuff which contains the IKE_PACKE in network order.
-
-**/
-NET_BUF *
-IkeNetbufFromPacket (
- IN UINT8 *SessionCommon,
- IN IKE_PACKET *IkePacket,
- IN UINTN IkeType
- )
-{
- NET_BUF *Netbuf;
- NET_FRAGMENT *Fragments;
- UINTN Index;
- UINTN NumPayloads;
- LIST_ENTRY *PacketEntry;
- LIST_ENTRY *Entry;
- IKE_PAYLOAD *IkePayload;
- EFI_STATUS RetStatus;
-
- RetStatus = EFI_SUCCESS;
-
- if (!IkePacket->IsEncoded) {
- IkePacket->IsEncoded = TRUE;
- //
- // Convert Host order to Network order for IKE_PACKET header and payloads
- // Encryption payloads if needed
- //
- if (((IKEV2_SESSION_COMMON *) SessionCommon)->IkeVer == 2) {
- RetStatus = Ikev2EncodePacket ((IKEV2_SESSION_COMMON *) SessionCommon, IkePacket, IkeType);
- if (EFI_ERROR (RetStatus)) {
- return NULL;
- }
-
- } else {
- //
- // If IKEv1 support, check it here.
- //
- return NULL;
- }
- }
-
- NumPayloads = 0;
- //
- // Get the number of the payloads
- //
- NET_LIST_FOR_EACH (PacketEntry, &(IkePacket)->PayloadList) {
-
- NumPayloads++;
- }
- //
- // Allocate the Framgents according to the numbers of the IkePayload
- //
- Fragments = (NET_FRAGMENT *) AllocateZeroPool ((1 + NumPayloads) * sizeof (NET_FRAGMENT));
- if (Fragments == NULL) {
- return NULL;
- }
-
- Fragments[0].Bulk = (UINT8 *) IkePacket->Header;
- Fragments[0].Len = sizeof (IKE_HEADER);
- Index = 0;
-
- //
- // Set payloads to the Framgments.
- //
- NET_LIST_FOR_EACH (Entry, &(IkePacket)->PayloadList) {
- IkePayload = IKE_PAYLOAD_BY_PACKET (Entry);
-
- Fragments[Index + 1].Bulk = IkePayload->PayloadBuf;
- Fragments[Index + 1].Len = (UINT32) IkePayload->PayloadSize;
- Index++;
- }
-
- Netbuf = NetbufFromExt (
- Fragments,
- (UINT32) (NumPayloads + 1),
- 0,
- 0,
- IkePacketNetbufFree,
- NULL
- );
-
- FreePool (Fragments);
- return Netbuf;
-}
-
diff --git a/NetworkPkg/IpSecDxe/IkePacket.h b/NetworkPkg/IpSecDxe/IkePacket.h deleted file mode 100644 index 3bc4b7a567..0000000000 --- a/NetworkPkg/IpSecDxe/IkePacket.h +++ /dev/null @@ -1,76 +0,0 @@ -/** @file
- IKE Packet related definitions and function declarations.
-
- Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>
-
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#ifndef _IKE_V1_PACKET_H_
-#define _IKE_V1_PACKET_H_
-
-#include "Ike.h"
-
-#define IKE_PACKET_REF(p) ((p)->RefCount++)
-
-/**
- Allocate a buffer for the IKE_PACKET and intitalize its Header and payloadlist.
-
- @return The pointer of the IKE_PACKET.
-
-**/
-IKE_PACKET *
-IkePacketAlloc (
- VOID
- );
-
-
-/**
- Free the IkePacket by the specified IKE_PACKET pointer.
-
- @param[in] IkePacket The pointer of the IKE_PACKET to be freed.
-
-**/
-VOID
-IkePacketFree (
- IN IKE_PACKET *IkePacket
- );
-
-
-/**
- Copy the NetBuf into a IKE_PACKET sturcture.
-
- Create a IKE_PACKET and fill the received IKE header into the header of IKE_PACKET
- and copy the recieved packet without IKE HEADER to the PayloadBuf of IKE_PACKET.
-
- @param[in] Netbuf The pointer of the Netbuf which contains the whole received
- IKE packet.
-
- @return The pointer of the IKE_PACKET which contains the received packet.
-
-**/
-IKE_PACKET *
-IkePacketFromNetbuf (
- IN NET_BUF *Netbuf
- );
-
-/**
- Convert the format from IKE_PACKET to NetBuf.
-
- @param[in] SessionCommon Pointer of related IKE_COMMON_SESSION
- @param[in] IkePacket Pointer of IKE_PACKET to be copy to NetBuf
- @param[in] IkeType The IKE type to pointer the packet is for which IKE
- phase. Now it supports IKE_SA_TYPE, IKE_CHILDSA_TYPE,
- IKE_INFO_TYPE.
-
- @return A pointer of Netbuff which contains the contents of the IKE_PACKE in network order.
-**/
-NET_BUF *
-IkeNetbufFromPacket (
- IN UINT8 *SessionCommon,
- IN IKE_PACKET *IkePacket,
- IN UINTN IkeType
- );
-
-#endif
diff --git a/NetworkPkg/IpSecDxe/IkeService.c b/NetworkPkg/IpSecDxe/IkeService.c deleted file mode 100644 index c5ca86b5b0..0000000000 --- a/NetworkPkg/IpSecDxe/IkeService.c +++ /dev/null @@ -1,813 +0,0 @@ -/** @file
- Provide IPsec Key Exchange (IKE) service general interfaces.
-
- Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>
-
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#include "IkeService.h"
-#include "IpSecConfigImpl.h"
-
-IKE_EXCHANGE_INTERFACE *mIkeExchange[] = {
- &mIkev1Exchange,
- &mIkev2Exchange
-};
-
-EFI_UDP4_CONFIG_DATA mUdp4Conf = {
- FALSE,
- FALSE,
- FALSE,
- TRUE,
- //
- // IO parameters
- //
- 0,
- 64,
- FALSE,
- 0,
- 1000000,
- FALSE,
- {{0,0,0,0}},
- {{0,0,0,0}},
- IKE_DEFAULT_PORT,
- {{0,0,0,0}},
- 0
-};
-
-EFI_UDP6_CONFIG_DATA mUdp6Conf = {
- FALSE,
- FALSE,
- TRUE,
- //
- // IO parameters
- //
- 0,
- 128,
- 0,
- 1000000,
- //Access Point
- {{0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}},
- IKE_DEFAULT_PORT,
- {{0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}},
- 0
-};
-
-/**
- Check if the NIC handle is binded to a Udp service.
-
- @param[in] Private Pointer of IPSEC_PRIVATE_DATA.
- @param[in] Handle The Handle of the NIC card.
- @param[in] IpVersion The version of the IP stack.
-
- @return a pointer of IKE_UDP_SERVICE.
-
-**/
-IKE_UDP_SERVICE *
-IkeLookupUdp (
- IN IPSEC_PRIVATE_DATA *Private,
- IN EFI_HANDLE Handle,
- IN UINT8 IpVersion
- )
-{
- LIST_ENTRY *Head;
- LIST_ENTRY *Entry;
- LIST_ENTRY *Next;
- IKE_UDP_SERVICE *Udp;
-
- Udp = NULL;
- Head = (IpVersion == IP_VERSION_4) ? &Private->Udp4List : &Private->Udp6List;
-
- NET_LIST_FOR_EACH_SAFE (Entry, Next, Head) {
-
- Udp = IPSEC_UDP_SERVICE_FROM_LIST (Entry);
- //
- // Find the right udp service which installed on the appointed NIC handle.
- //
- if (Handle == Udp->NicHandle) {
- break;
- } else {
- Udp = NULL;
- }
- }
-
- return Udp;
-}
-
-/**
- Configure a UDPIO's UDP4 instance.
-
- This fuction is called by the UdpIoCreateIo() to configures a
- UDP4 instance.
-
- @param[in] UdpIo The UDP_IO to be configured.
- @param[in] Context User-defined data when calling UdpIoCreateIo().
-
- @retval EFI_SUCCESS The configuration succeeded.
- @retval Others The UDP4 instance fails to configure.
-
-**/
-EFI_STATUS
-EFIAPI
-IkeConfigUdp4 (
- IN UDP_IO *UdpIo,
- IN VOID *Context
- )
-{
- EFI_UDP4_CONFIG_DATA Udp4Cfg;
- EFI_UDP4_PROTOCOL *Udp4;
-
- ZeroMem (&Udp4Cfg, sizeof (EFI_UDP4_CONFIG_DATA));
-
- Udp4 = UdpIo->Protocol.Udp4;
- CopyMem (
- &Udp4Cfg,
- &mUdp4Conf,
- sizeof (EFI_UDP4_CONFIG_DATA)
- );
-
- if (Context != NULL) {
- //
- // Configure udp4 io with local default address.
- //
- Udp4Cfg.UseDefaultAddress = TRUE;
- }
-
- return Udp4->Configure (Udp4, &Udp4Cfg);
-}
-
-/**
- Configure a UDPIO's UDP6 instance.
-
- This fuction is called by the UdpIoCreateIo()to configure a
- UDP6 instance.
-
- @param[in] UdpIo The UDP_IO to be configured.
- @param[in] Context User-defined data when calling UdpIoCreateIo().
-
- @retval EFI_SUCCESS The configuration succeeded.
- @retval Others The configuration fails.
-
-**/
-EFI_STATUS
-EFIAPI
-IkeConfigUdp6 (
- IN UDP_IO *UdpIo,
- IN VOID *Context
- )
-{
- EFI_UDP6_PROTOCOL *Udp6;
- EFI_UDP6_CONFIG_DATA Udp6Cfg;
-
- ZeroMem (&Udp6Cfg, sizeof (EFI_UDP6_CONFIG_DATA));
-
- Udp6 = UdpIo->Protocol.Udp6;
- CopyMem (
- &Udp6Cfg,
- &mUdp6Conf,
- sizeof (EFI_UDP6_CONFIG_DATA)
- );
-
- if (Context != NULL) {
- //
- // Configure instance with a destination address to start source address
- // selection, and then get the configure data from the mode data to store
- // the source address.
- //
- CopyMem (
- &Udp6Cfg.RemoteAddress,
- Context,
- sizeof (EFI_IPv6_ADDRESS)
- );
- }
-
- return Udp6->Configure (Udp6, &Udp6Cfg);
-}
-
-/**
- Open and configure the related output UDPIO for IKE packet sending.
-
- If the UdpService is not configured, this fuction calls UdpIoCreatIo() to
- create UDPIO to bind this UdpService for IKE packet sending. If the UdpService
- has already been configured, then return.
-
- @param[in] UdpService The UDP_IO to be configured.
- @param[in] RemoteIp User-defined data when calling UdpIoCreateIo().
-
- @retval EFI_SUCCESS The configuration is successful.
- @retval Others The configuration fails.
-
-**/
-EFI_STATUS
-IkeOpenOutputUdp (
- IN IKE_UDP_SERVICE *UdpService,
- IN EFI_IP_ADDRESS *RemoteIp
- )
-{
- EFI_STATUS Status;
- EFI_IP4_CONFIG2_PROTOCOL *Ip4Cfg2;
- EFI_IP4_CONFIG2_INTERFACE_INFO *IfInfo;
- UINTN BufSize;
- EFI_IP6_MODE_DATA Ip6ModeData;
- EFI_UDP6_PROTOCOL *Udp6;
-
- Status = EFI_SUCCESS;
- IfInfo = NULL;
- BufSize = 0;
-
- //
- // Check whether the input and output udp io are both configured.
- //
- if (UdpService->IsConfigured) {
- goto ON_EXIT;
- }
-
- if (UdpService->IpVersion == UDP_IO_UDP4_VERSION) {
- //
- // Handle ip4config protocol to get local default address.
- //
- Status = gBS->HandleProtocol (
- UdpService->NicHandle,
- &gEfiIp4Config2ProtocolGuid,
- (VOID **) &Ip4Cfg2
- );
-
- if (EFI_ERROR (Status)) {
- goto ON_EXIT;
- }
-
- //
- // Get the interface information size.
- //
- Status = Ip4Cfg2->GetData (
- Ip4Cfg2,
- Ip4Config2DataTypeInterfaceInfo,
- &BufSize,
- NULL
- );
-
- if (EFI_ERROR (Status) && Status != EFI_BUFFER_TOO_SMALL) {
- goto ON_EXIT;
- }
-
- IfInfo = AllocateZeroPool (BufSize);
-
- if (IfInfo == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto ON_EXIT;
- }
-
- //
- // Get the interface info.
- //
- Status = Ip4Cfg2->GetData (
- Ip4Cfg2,
- Ip4Config2DataTypeInterfaceInfo,
- &BufSize,
- IfInfo
- );
-
- if (EFI_ERROR (Status)) {
- goto ON_EXIT;
- }
-
- CopyMem (
- &UdpService->DefaultAddress.v4,
- &IfInfo->StationAddress,
- sizeof (EFI_IPv4_ADDRESS)
- );
-
- //
- // Create udp4 io for output with local default address.
- //
- UdpService->Output = UdpIoCreateIo (
- UdpService->NicHandle,
- UdpService->ImageHandle,
- IkeConfigUdp4,
- UDP_IO_UDP4_VERSION,
- &UdpService->DefaultAddress
- );
-
- if (UdpService->Output == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto ON_EXIT;
- }
-
- } else {
- //
- // Create udp6 io for output with remote address.
- //
- UdpService->Output = UdpIoCreateIo (
- UdpService->NicHandle,
- UdpService->ImageHandle,
- IkeConfigUdp6,
- UDP_IO_UDP6_VERSION,
- RemoteIp
- );
-
- if (UdpService->Output == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto ON_EXIT;
- }
- //
- // Get ip6 mode data to get the result of source address selection.
- //
- ZeroMem (&Ip6ModeData, sizeof (EFI_IP6_MODE_DATA));
-
- Udp6 = UdpService->Output->Protocol.Udp6;
- Status = Udp6->GetModeData (Udp6, NULL, &Ip6ModeData, NULL, NULL);
-
- if (EFI_ERROR (Status)) {
- UdpIoFreeIo (UdpService->Output);
- goto ON_EXIT;
- }
-
- if (Ip6ModeData.AddressList != NULL) {
- FreePool (Ip6ModeData.AddressList);
- }
-
- if (Ip6ModeData.GroupTable != NULL) {
- FreePool (Ip6ModeData.GroupTable);
- }
-
- if (Ip6ModeData.RouteTable != NULL) {
- FreePool (Ip6ModeData.RouteTable);
- }
-
- if (Ip6ModeData.NeighborCache != NULL) {
- FreePool (Ip6ModeData.NeighborCache);
- }
-
- if (Ip6ModeData.PrefixTable != NULL) {
- FreePool (Ip6ModeData.PrefixTable);
- }
-
- if (Ip6ModeData.IcmpTypeList != NULL) {
- FreePool (Ip6ModeData.IcmpTypeList);
- }
-
- //
- // Reconfigure udp6 io without remote address.
- //
- Udp6->Configure (Udp6, NULL);
- Status = IkeConfigUdp6 (UdpService->Output, NULL);
-
- //
- // Record the selected source address for ipsec process later.
- //
- CopyMem (
- &UdpService->DefaultAddress.v6,
- &Ip6ModeData.ConfigData.StationAddress,
- sizeof (EFI_IPv6_ADDRESS)
- );
- }
-
- UdpService->IsConfigured = TRUE;
-
-ON_EXIT:
- if (IfInfo != NULL) {
- FreePool (IfInfo);
- }
-
- return Status;
-}
-
-/**
- Open and configure a UDPIO of Udp4 for IKE packet receiving.
-
- This function is called at the IPsecDriverBinding start. IPsec create a UDP4 and
- UDP4 IO for each NIC handle.
-
- @param[in] Private Point to IPSEC_PRIVATE_DATA
- @param[in] Controller Handler for NIC card.
- @param[in] ImageHandle The handle that contains the EFI_DRIVER_BINDING_PROTOCOL instance.
-
- @retval EFI_SUCCESS The Operation is successful.
- @retval EFI_OUT_OF_RESOURCE The required system resource can't be allocated.
-
-**/
-EFI_STATUS
-IkeOpenInputUdp4 (
- IN IPSEC_PRIVATE_DATA *Private,
- IN EFI_HANDLE Controller,
- IN EFI_HANDLE ImageHandle
- )
-{
- IKE_UDP_SERVICE *Udp4Srv;
-
- //
- // Check whether udp4 io of the controller has already been opened.
- //
- Udp4Srv = IkeLookupUdp (Private, Controller, IP_VERSION_4);
-
- if (Udp4Srv != NULL) {
- return EFI_ALREADY_STARTED;
- }
-
- Udp4Srv = AllocateZeroPool (sizeof (IKE_UDP_SERVICE));
-
- if (Udp4Srv == NULL) {
- return EFI_OUT_OF_RESOURCES;
- }
- //
- // Create udp4 io for iutput.
- //
- Udp4Srv->Input = UdpIoCreateIo (
- Controller,
- ImageHandle,
- IkeConfigUdp4,
- UDP_IO_UDP4_VERSION,
- NULL
- );
-
- if (Udp4Srv->Input == NULL) {
- FreePool (Udp4Srv);
- return EFI_OUT_OF_RESOURCES;
- }
-
- Udp4Srv->NicHandle = Controller;
- Udp4Srv->ImageHandle = ImageHandle;
- Udp4Srv->ListHead = &(Private->Udp4List);
- Udp4Srv->IpVersion = UDP_IO_UDP4_VERSION;
- Udp4Srv->IsConfigured = FALSE;
-
- ZeroMem (&Udp4Srv->DefaultAddress, sizeof (EFI_IP_ADDRESS));
-
- //
- // Insert the udp4 io into the list and increase the count.
- //
- InsertTailList (&Private->Udp4List, &Udp4Srv->List);
-
- Private->Udp4Num++;
-
- UdpIoRecvDatagram (Udp4Srv->Input, IkeDispatch, Udp4Srv, 0);
-
- return EFI_SUCCESS;
-}
-
-/**
- Open and configure a UDPIO of Udp6 for IKE packet receiving.
-
- This function is called at the IPsecDriverBinding start. IPsec create a UDP6 and UDP6
- IO for each NIC handle.
-
- @param[in] Private Point to IPSEC_PRIVATE_DATA
- @param[in] Controller Handler for NIC card.
- @param[in] ImageHandle The handle that contains the EFI_DRIVER_BINDING_PROTOCOL instance.
-
- @retval EFI_SUCCESS The Operation is successful.
- @retval EFI_OUT_OF_RESOURCE The required system resource can't be allocated.
-
-**/
-EFI_STATUS
-IkeOpenInputUdp6 (
- IN IPSEC_PRIVATE_DATA *Private,
- IN EFI_HANDLE Controller,
- IN EFI_HANDLE ImageHandle
- )
-{
- IKE_UDP_SERVICE *Udp6Srv;
-
- Udp6Srv = IkeLookupUdp (Private, Controller, IP_VERSION_6);
-
- if (Udp6Srv != NULL) {
- return EFI_ALREADY_STARTED;
- }
-
- Udp6Srv = AllocateZeroPool (sizeof (IKE_UDP_SERVICE));
-
- if (Udp6Srv == NULL) {
- return EFI_OUT_OF_RESOURCES;
- }
- //
- // Create udp6 io for input.
- //
- Udp6Srv->Input = UdpIoCreateIo (
- Controller,
- ImageHandle,
- IkeConfigUdp6,
- UDP_IO_UDP6_VERSION,
- NULL
- );
-
- if (Udp6Srv->Input == NULL) {
- FreePool (Udp6Srv);
- return EFI_OUT_OF_RESOURCES;
- }
-
- Udp6Srv->NicHandle = Controller;
- Udp6Srv->ImageHandle = ImageHandle;
- Udp6Srv->ListHead = &(Private->Udp6List);
- Udp6Srv->IpVersion = UDP_IO_UDP6_VERSION;
- Udp6Srv->IsConfigured = FALSE;
-
- ZeroMem (&Udp6Srv->DefaultAddress, sizeof (EFI_IP_ADDRESS));
-
- //
- // Insert the udp6 io into the list and increase the count.
- //
- InsertTailList (&Private->Udp6List, &Udp6Srv->List);
-
- Private->Udp6Num++;
-
- UdpIoRecvDatagram (Udp6Srv->Input, IkeDispatch, Udp6Srv, 0);
-
- return EFI_SUCCESS;
-}
-
-/**
- The general interface of starting IPsec Key Exchange.
-
- This function is called when a IKE negotiation to start getting a Key.
-
- @param[in] UdpService Point to IKE_UDP_SERVICE which will be used for
- IKE packet sending.
- @param[in] SpdEntry Point to the SPD entry related to the IKE negotiation.
- @param[in] RemoteIp Point to EFI_IP_ADDRESS related to the IKE negotiation.
-
- @retval EFI_SUCCESS The Operation is successful.
- @retval EFI_ACCESS_DENIED No related PAD entry was found.
- @retval EFI_INVALID_PARAMETER The IKE version is not supported.
-
-**/
-EFI_STATUS
-IkeNegotiate (
- IN IKE_UDP_SERVICE *UdpService,
- IN IPSEC_SPD_ENTRY *SpdEntry,
- IN EFI_IP_ADDRESS *RemoteIp
- )
-{
- EFI_STATUS Status;
- UINT8 *IkeSaSession;
- IKE_EXCHANGE_INTERFACE *Exchange;
- IPSEC_PRIVATE_DATA *Private;
- IPSEC_PAD_ENTRY *PadEntry;
- UINT8 IkeVersion;
-
- Private = (UdpService->IpVersion == IP_VERSION_4) ?
- IPSEC_PRIVATE_DATA_FROM_UDP4LIST(UdpService->ListHead) :
- IPSEC_PRIVATE_DATA_FROM_UDP6LIST(UdpService->ListHead);
-
- //
- // Try to open udp io for output if it hasn't.
- //
- Status = IkeOpenOutputUdp (UdpService, RemoteIp);
- if (EFI_ERROR (Status)) {
- return Status;
- }
- //
- // Try to find the IKE SA session in the IKEv1 and IKEv2 established SA session list.
- //
- IkeSaSession = (UINT8 *) Ikev2SaSessionLookup (&Private->Ikev2EstablishedList, RemoteIp);
-
-
- if (IkeSaSession == NULL) {
- //
- // Find the pad entry by the remote ip address.
- //
- PadEntry = IpSecLookupPadEntry (UdpService->IpVersion, RemoteIp);
- if (PadEntry == NULL) {
- return EFI_ACCESS_DENIED;
- }
- //
- // Determine the IKE exchange instance by the auth protocol in pad entry.
- //
- ASSERT (PadEntry->Data->AuthProtocol < EfiIPsecAuthProtocolMaximum);
- if (PadEntry->Data->AuthProtocol == EfiIPsecAuthProtocolIKEv1) {
- return EFI_INVALID_PARAMETER;
- }
- Exchange = mIkeExchange[PadEntry->Data->AuthProtocol];
- //
- // Start the main mode stage to negotiate IKE SA.
- //
- Status = Exchange->NegotiateSa (UdpService, SpdEntry, PadEntry, RemoteIp);
- } else {
- //
- // Determine the IKE exchange instance by the IKE version in IKE SA session.
- //
- IkeVersion = IkeGetVersionFromSession (IkeSaSession);
- if (IkeVersion != 2) {
- return EFI_INVALID_PARAMETER;
- }
-
- Exchange = mIkeExchange[IkeVersion - 1];
- //
- // Start the quick mode stage to negotiate child SA.
- //
- Status = Exchange->NegotiateChildSa (IkeSaSession, SpdEntry, NULL);
- }
-
- return Status;
-}
-
-/**
- The generic interface when receive a IKE packet.
-
- This function is called when UDP IO receives a IKE packet.
-
- @param[in] Packet Point to received IKE packet.
- @param[in] EndPoint Point to UDP_END_POINT which contains the information of
- Remote IP and Port.
- @param[in] IoStatus The Status of Recieve Token.
- @param[in] Context Point to data passed from the caller.
-
-**/
-VOID
-EFIAPI
-IkeDispatch (
- IN NET_BUF *Packet,
- IN UDP_END_POINT *EndPoint,
- IN EFI_STATUS IoStatus,
- IN VOID *Context
- )
-{
- IPSEC_PRIVATE_DATA *Private;
- IKE_PACKET *IkePacket;
- IKE_HEADER *IkeHdr;
- IKE_UDP_SERVICE *UdpService;
- IKE_EXCHANGE_INTERFACE *Exchange;
- EFI_STATUS Status;
-
- UdpService = (IKE_UDP_SERVICE *) Context;
- IkePacket = NULL;
- Private = (UdpService->IpVersion == IP_VERSION_4) ?
- IPSEC_PRIVATE_DATA_FROM_UDP4LIST(UdpService->ListHead) :
- IPSEC_PRIVATE_DATA_FROM_UDP6LIST(UdpService->ListHead);
-
- if (EFI_ERROR (IoStatus)) {
- goto ON_EXIT;
- }
- //
- // Check whether the ipsec is enabled or not.
- //
- if (Private->IpSec.DisabledFlag == TRUE) {
- goto ON_EXIT;
- }
-
- if (EndPoint->RemotePort != IKE_DEFAULT_PORT) {
- goto ON_EXIT;
- }
-
- //
- // Build IKE packet from the received netbuf.
- //
- IkePacket = IkePacketFromNetbuf (Packet);
-
- if (IkePacket == NULL) {
- goto ON_EXIT;
- }
- //
- // Get the remote address from the IKE packet.
- //
- if (UdpService->IpVersion == IP_VERSION_4) {
- *(UINT32 *) IkePacket->RemotePeerIp.Addr = HTONL ((*(UINT32 *) EndPoint->RemoteAddr.Addr));
- } else {
- CopyMem (
- &IkePacket->RemotePeerIp,
- NTOHLLL (&EndPoint->RemoteAddr.v6),
- sizeof (EFI_IPv6_ADDRESS)
- );
- }
- //
- // Try to open udp io for output if hasn't.
- //
- Status = IkeOpenOutputUdp (UdpService, &IkePacket->RemotePeerIp);
-
- if (EFI_ERROR (Status)) {
- goto ON_EXIT;
- }
-
- IkeHdr = IkePacket->Header;
-
- //
- // Determine the IKE exchange instance by the IKE version in IKE header.
- //
- if (IKE_MAJOR_VERSION (IkeHdr->Version) == 2) {
- Exchange = mIkeExchange[IKE_MAJOR_VERSION (IkeHdr->Version) - 1];
- } else {
- goto ON_EXIT;
- }
-
- switch (IkeHdr->ExchangeType) {
- case IKE_XCG_TYPE_IDENTITY_PROTECT:
- case IKE_XCG_TYPE_SA_INIT:
- case IKE_XCG_TYPE_AUTH:
- Exchange->HandleSa (UdpService, IkePacket);
- break;
-
- case IKE_XCG_TYPE_QM:
- case IKE_XCG_TYPE_CREATE_CHILD_SA:
- Exchange->HandleChildSa (UdpService, IkePacket);
- break;
-
- case IKE_XCG_TYPE_INFO:
- case IKE_XCG_TYPE_INFO2:
- Exchange->HandleInfo (UdpService, IkePacket);
- break;
-
- default:
- break;
- }
-
-ON_EXIT:
- if (IkePacket != NULL) {
- IkePacketFree (IkePacket);
- }
-
- if (Packet != NULL) {
- NetbufFree (Packet);
- }
-
- UdpIoRecvDatagram (UdpService->Input, IkeDispatch, UdpService, 0);
-
- return ;
-}
-
-/**
- Delete all established IKE SAs and related Child SAs.
-
- This function is the subfunction of the IpSecCleanupAllSa(). It first calls
- IkeDeleteChildSa() to delete all Child SAs then send out the related
- Information packet.
-
- @param[in] Private Pointer of the IPSEC_PRIVATE_DATA
- @param[in] IsDisableIpsec Indicate whether needs to disable IPsec.
-
-**/
-VOID
-IkeDeleteAllSas (
- IN IPSEC_PRIVATE_DATA *Private,
- IN BOOLEAN IsDisableIpsec
- )
-{
- LIST_ENTRY *Entry;
- LIST_ENTRY *NextEntry;
- IKEV2_SA_SESSION *Ikev2SaSession;
- UINT8 Value;
- EFI_STATUS Status;
- IKE_EXCHANGE_INTERFACE *Exchange;
- UINT8 IkeVersion;
-
- Exchange = NULL;
-
- //
- // If the IKEv1 is supported, first deal with the Ikev1Estatblished list.
- //
-
- //
- // If IKEv2 SAs are under establishing, delete it directly.
- //
- if (!IsListEmpty (&Private->Ikev2SessionList)) {
- NET_LIST_FOR_EACH_SAFE (Entry, NextEntry, &Private->Ikev2SessionList) {
- Ikev2SaSession = IKEV2_SA_SESSION_BY_SESSION (Entry);
- RemoveEntryList (Entry);
- Ikev2SaSessionFree (Ikev2SaSession);
- }
- }
-
- //
- // If there is no existing established IKE SA, set the Ipsec DisableFlag to TRUE
- // and turn off the IsIPsecDisabling flag.
- //
- if (IsListEmpty (&Private->Ikev2EstablishedList) && IsDisableIpsec) {
- Value = IPSEC_STATUS_DISABLED;
- Status = gRT->SetVariable (
- IPSECCONFIG_STATUS_NAME,
- &gEfiIpSecConfigProtocolGuid,
- EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_NON_VOLATILE,
- sizeof (Value),
- &Value
- );
- if (!EFI_ERROR (Status)) {
- Private->IpSec.DisabledFlag = TRUE;
- Private->IsIPsecDisabling = FALSE;
- return ;
- }
- }
-
- //
- // Delete established IKEv2 SAs.
- //
- if (!IsListEmpty (&Private->Ikev2EstablishedList)) {
- for (Entry = Private->Ikev2EstablishedList.ForwardLink; Entry != &Private->Ikev2EstablishedList;) {
- Ikev2SaSession = IKEV2_SA_SESSION_BY_SESSION (Entry);
- Entry = Entry->ForwardLink;
-
- Ikev2SaSession->SessionCommon.State = IkeStateSaDeleting;
-
- //
- // Call for Information Exchange.
- //
- IkeVersion = IkeGetVersionFromSession ((UINT8*)Ikev2SaSession);
- if (IkeVersion == 2) {
- Exchange = mIkeExchange[IkeVersion - 1];
- Exchange->NegotiateInfo((UINT8*)Ikev2SaSession, NULL);
- }
- }
- }
-
-}
-
-
-
diff --git a/NetworkPkg/IpSecDxe/IkeService.h b/NetworkPkg/IpSecDxe/IkeService.h deleted file mode 100644 index 36c925bdd2..0000000000 --- a/NetworkPkg/IpSecDxe/IkeService.h +++ /dev/null @@ -1,256 +0,0 @@ -/** @file
- Prototypes definitions of IKE service.
-
- Copyright (c) 2010 - 2015, Intel Corporation. All rights reserved.<BR>
-
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#ifndef _IKE_SERVICE_H_
-#define _IKE_SERVICE_H_
-
-#include "Ike.h"
-#include "IpSecImpl.h"
-#include "IkeCommon.h"
-#include "Ikev2/Utility.h"
-
-#define IPSEC_CRYPTO_LIB_MEMORY 128 * 1024
-
-/**
- This is prototype definition of general interface to intialize a IKE negotiation.
-
- @param[in] UdpService Point to Udp Servcie used for the IKE packet sending.
- @param[in] SpdEntry Point to SPD entry related to this IKE negotiation.
- @param[in] PadEntry Point to PAD entry related to this IKE negotiation.
- @param[in] RemoteIp Point to IP Address which the remote peer to negnotiate.
-
- @retval EFI_SUCCESS The operation is successful.
- @return Otherwise The operation is failed.
-
-**/
-typedef
-EFI_STATUS
-(*IKE_NEGOTIATE_SA) (
- IN IKE_UDP_SERVICE * UdpService,
- IN IPSEC_SPD_ENTRY * SpdEntry,
- IN IPSEC_PAD_ENTRY * PadEntry,
- IN EFI_IP_ADDRESS * RemoteIp
- );
-
-/**
- This is prototype definition fo general interface to start a IKE negotiation at Quick Mode.
-
- This function will be called when the related IKE SA is existed and start to
- create a Child SA.
-
- @param[in] IkeSaSession Point to IKE SA Session related to this Negotiation.
- @param[in] SpdEntry Point to SPD entry related to this Negotiation.
- @param[in] Context Point to data passed from the caller.
-
- @retval EFI_SUCCESS The operation is successful.
- @retval Otherwise The operation is failed.
-
-**/
-typedef
-EFI_STATUS
-(*IKE_NEGOTIATE_CHILD_SA) (
- IN UINT8 *IkeSaSession,
- IN IPSEC_SPD_ENTRY *SpdEntry,
- IN UINT8 *Context
- );
-
-/**
- This is prototype definition of the general interface when initialize a Inforamtion
- Exchange.
-
- @param[in] IkeSaSession Point to IKE SA Session related to.
- @param[in] Context Point to data passed from caller.
-
-**/
-typedef
-EFI_STATUS
-(*IKE_NEGOTIATE_INFO) (
- IN UINT8 *IkeSaSession,
- IN UINT8 *Context
- );
-
-/**
- This is prototype definition of the general interface when recived a IKE Pakcet
- for the IKE SA establishing.
-
- @param[in] UdpService Point to UDP service used to send IKE Packet.
- @param[in] IkePacket Point to received IKE packet.
-
-**/
-typedef
-VOID
-(*IKE_HANDLE_SA) (
- IN IKE_UDP_SERVICE *UdpService,
- IN IKE_PACKET *IkePacket
- );
-
-/**
- This is prototyp definition of the general interface when recived a IKE Packet
- xfor the Child SA establishing.
-
- @param[in] UdpService Point to UDP service used to send IKE packet.
- @param[in] IkePacket Point to received IKE packet.
-
-**/
-typedef
-VOID
-(*IKE_HANDLE_CHILD_SA) (
- IN IKE_UDP_SERVICE *UdpService,
- IN IKE_PACKET *IkePacket
- );
-
-/**
- This is prototype definition of the general interface when received a IKE
- information Packet.
-
- @param[in] UdpService Point to UDP service used to send IKE packet.
- @param[in] IkePacket Point to received IKE packet.
-
-**/
-typedef
-VOID
-(*IKE_HANDLE_INFO) (
- IN IKE_UDP_SERVICE *UdpService,
- IN IKE_PACKET *IkePacket
- );
-
-typedef struct _IKE_EXCHANGE_INTERFACE {
- UINT8 IkeVer;
- IKE_NEGOTIATE_SA NegotiateSa;
- IKE_NEGOTIATE_CHILD_SA NegotiateChildSa;
- IKE_NEGOTIATE_INFO NegotiateInfo;
- IKE_HANDLE_SA HandleSa;
- IKE_HANDLE_CHILD_SA HandleChildSa;
- IKE_HANDLE_INFO HandleInfo;
-} IKE_EXCHANGE_INTERFACE;
-
-/**
- Open and configure a UDPIO of Udp4 for IKE packet receiving.
-
- This function is called at the IPsecDriverBinding start. IPsec create a UDP4 and
- a UDP4 IO for each NIC handle.
-
- @param[in] Private Point to IPSEC_PRIVATE_DATA
- @param[in] Controller Handler for NIC card.
- @param[in] ImageHandle The handle that contains the EFI_DRIVER_BINDING_PROTOCOL instance.
-
- @retval EFI_SUCCESS The Operation is successful.
- @retval EFI_OUT_OF_RESOURCE The required system resource can't be allocated.
-
-**/
-EFI_STATUS
-IkeOpenInputUdp4 (
- IN IPSEC_PRIVATE_DATA *Private,
- IN EFI_HANDLE Controller,
- IN EFI_HANDLE ImageHandle
- );
-
-/**
- Open and configure a UDPIO of Udp6 for IKE packet receiving.
-
- This function is called at the IPsecDriverBinding start. IPsec create a UDP6 and UDP6
- IO for each NIC handle.
-
- @param[in] Private Point to IPSEC_PRIVATE_DATA
- @param[in] Controller Handler for NIC card.
- @param[in] ImageHandle The handle that contains the EFI_DRIVER_BINDING_PROTOCOL instance.
-
- @retval EFI_SUCCESS The Operation is successful.
- @retval EFI_OUT_OF_RESOURCE The required system resource can't be allocated.
-
-**/
-EFI_STATUS
-IkeOpenInputUdp6 (
- IN IPSEC_PRIVATE_DATA *Private,
- IN EFI_HANDLE Controller,
- IN EFI_HANDLE ImageHandle
- );
-
-/**
- The general interface of starting IPsec Key Exchange.
-
- This function is called when start a IKE negotiation to get a Key.
-
- @param[in] UdpService Point to IKE_UDP_SERVICE which will be used for
- IKE packet sending.
- @param[in] SpdEntry Point to the SPD entry related to the IKE negotiation.
- @param[in] RemoteIp Point to EFI_IP_ADDRESS related to the IKE negotiation.
-
- @retval EFI_SUCCESS The Operation is successful.
- @retval EFI_ACCESS_DENIED No related PAD entry was found.
-
-**/
-EFI_STATUS
-IkeNegotiate (
- IN IKE_UDP_SERVICE *UdpService,
- IN IPSEC_SPD_ENTRY *SpdEntry,
- IN EFI_IP_ADDRESS *RemoteIp
- );
-
-/**
- The general interface when receive a IKE packet.
-
- This function is called when UDP IO receives a IKE packet.
-
- @param[in] Packet Point to received IKE packet.
- @param[in] EndPoint Point to UDP_END_POINT which contains the information of
- Remote IP and Port.
- @param[in] IoStatus The Status of Recieve Token.
- @param[in] Context Point to data passed from the caller.
-
-**/
-VOID
-EFIAPI
-IkeDispatch (
- IN NET_BUF *Packet,
- IN UDP_END_POINT *EndPoint,
- IN EFI_STATUS IoStatus,
- IN VOID *Context
- );
-
-/**
- Check if the NIC handle is binded to a Udp service.
-
- @param[in] Private Pointer of IPSEC_PRIVATE_DATA
- @param[in] Handle The Handle of the NIC card
- @param[in] IpVersion The version of the IP stack.
-
- @return a pointer of IKE_UDP_SERVICE.
-
-**/
-IKE_UDP_SERVICE *
-IkeLookupUdp (
- IN IPSEC_PRIVATE_DATA *Private,
- IN EFI_HANDLE Handle,
- IN UINT8 IpVersion
- );
-
-
-/**
- Delete all established IKE SAs and related Child SAs.
-
- This function is the subfunction of the IpSecCleanupAllSa(). It first calls
- IkeDeleteChildSa() to delete all Child SAs then send out the related
- Information packet.
-
- @param[in] Private Pointer of the IPSEC_PRIVATE_DATA.
- @param[in] IsDisableIpsec Indicate whether needs to disable IPsec.
-
-**/
-VOID
-IkeDeleteAllSas (
- IN IPSEC_PRIVATE_DATA *Private,
- IN BOOLEAN IsDisableIpsec
- );
-
-
-extern IKE_EXCHANGE_INTERFACE mIkev1Exchange;
-extern IKE_EXCHANGE_INTERFACE mIkev2Exchange;
-
-#endif
diff --git a/NetworkPkg/IpSecDxe/Ikev2/ChildSa.c b/NetworkPkg/IpSecDxe/Ikev2/ChildSa.c deleted file mode 100644 index 4cca34e9d3..0000000000 --- a/NetworkPkg/IpSecDxe/Ikev2/ChildSa.c +++ /dev/null @@ -1,193 +0,0 @@ -/** @file
- The operations for Child SA.
-
- Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>
-
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#include "Utility.h"
-
-/**
- Generate IKE Packet for CREATE_CHILD_SA exchange.
-
- This IKE Packet would be the packet for creating new CHILD SA, or the packet for
- rekeying existing IKE SA, or the packet for existing CHILD SA.
-
- @param[in] SaSession Pointer to related SA session.
- @param[in] Context The data passed by the caller.
-
- return a pointer of IKE packet.
-
-**/
-IKE_PACKET *
-Ikev2CreateChildGenerator (
- IN UINT8 *SaSession,
- IN VOID *Context
- )
-{
-
- IKEV2_CHILD_SA_SESSION *ChildSaSession;
- IKEV2_SA_SESSION *IkeSaSession;
- IKE_PACKET *IkePacket;
- IKE_PAYLOAD *NotifyPayload;
- UINT32 *MessageId;
-
- NotifyPayload = NULL;
- MessageId = NULL;
-
- ChildSaSession = (IKEV2_CHILD_SA_SESSION *) SaSession;
- if (ChildSaSession == NULL) {
- return NULL;
- }
-
- IkePacket = IkePacketAlloc();
- if (IkePacket == NULL) {
- return NULL;
- }
-
-
- if (Context != NULL) {
- MessageId = (UINT32 *) Context;
- }
-
- IkePacket->Header->Version = (UINT8) (2 << 4);
- IkePacket->Header->NextPayload = IKEV2_PAYLOAD_TYPE_NOTIFY;
- IkePacket->Header->ExchangeType = IKE_XCG_TYPE_CREATE_CHILD_SA;
-
- if (ChildSaSession->SessionCommon.IkeSessionType == IkeSessionTypeChildSa) {
- //
- // 1.a Fill the IkePacket->Hdr
- //
- IkePacket->Header->InitiatorCookie = ChildSaSession->IkeSaSession->InitiatorCookie;
- IkePacket->Header->ResponderCookie = ChildSaSession->IkeSaSession->ResponderCookie;
-
- if (MessageId != NULL) {
- IkePacket->Header->MessageId = *MessageId;
- } else {
- IkePacket->Header->MessageId = ChildSaSession->MessageId;
- }
-
- if (ChildSaSession->SessionCommon.IsInitiator) {
- IkePacket->Header->Flags = IKE_HEADER_FLAGS_INIT;
- }
-
- } else {
- IkeSaSession = (IKEV2_SA_SESSION *) SaSession;
- //
- // 1.a Fill the IkePacket->Hdr
- //
- IkePacket->Header->InitiatorCookie = IkeSaSession->InitiatorCookie;
- IkePacket->Header->ResponderCookie = IkeSaSession->ResponderCookie;
-
- if (MessageId != NULL) {
- IkePacket->Header->MessageId = *MessageId;
- } else {
- IkePacket->Header->MessageId = IkeSaSession->MessageId;
- }
-
- if (IkeSaSession->SessionCommon.IsInitiator) {
- IkePacket->Header->Flags = IKE_HEADER_FLAGS_INIT;
- }
- }
-
- if (MessageId != NULL) {
- IkePacket->Header->Flags |= IKE_HEADER_FLAGS_RESPOND;
- }
-
- //
- // According to RFC4306, Chapter 4.
- // A minimal implementation may support the CREATE_CHILD_SA exchange only to
- // recognize requests and reject them with a Notify payload of type NO_ADDITIONAL_SAS.
- //
- NotifyPayload = Ikev2GenerateNotifyPayload (
- 0,
- IKEV2_PAYLOAD_TYPE_NONE,
- 0,
- IKEV2_NOTIFICATION_NO_ADDITIONAL_SAS,
- NULL,
- NULL,
- 0
- );
- if (NotifyPayload == NULL) {
- IkePacketFree (IkePacket);
- return NULL;
- }
-
- IKE_PACKET_APPEND_PAYLOAD (IkePacket, NotifyPayload);
- //
- // TODO: Support the CREATE_CHILD_SA exchange.
- //
- return IkePacket;
-}
-
-/**
- Parse the IKE packet of CREATE_CHILD_SA exchange.
-
- This function parse the IKE packet and save the related information to further
- calculation.
-
- @param[in] SaSession Pointer to IKEv2_CHILD_SA_SESSION related to this Exchange.
- @param[in] IkePacket Received packet to be parsed.
-
-
- @retval EFI_SUCCESS The IKE Packet is acceptable.
- @retval EFI_UNSUPPORTED Not support the CREATE_CHILD_SA request.
-
-**/
-EFI_STATUS
-Ikev2CreateChildParser (
- IN UINT8 *SaSession,
- IN IKE_PACKET *IkePacket
- )
-{
- return EFI_UNSUPPORTED;
-}
-
-/**
- Routine process before the payload decoding.
-
- @param[in] SessionCommon Pointer to ChildSa SessionCommon.
- @param[in] PayloadBuf Pointer to the payload.
- @param[in] PayloadSize Size of PayloadBuf in byte.
- @param[in] PayloadType Type of Payload.
-
-**/
-VOID
-Ikev2ChildSaBeforeDecodePayload (
- IN UINT8 *SessionCommon,
- IN UINT8 *PayloadBuf,
- IN UINTN PayloadSize,
- IN UINT8 PayloadType
- )
-{
-
-}
-
-/**
- Routine Process after the payload encoding.
-
- @param[in] SessionCommon Pointer to ChildSa SessionCommon.
- @param[in] PayloadBuf Pointer to the payload.
- @param[in] PayloadSize Size of PayloadBuf in byte.
- @param[in] PayloadType Type of Payload.
-
-**/
-VOID
-Ikev2ChildSaAfterEncodePayload (
- IN UINT8 *SessionCommon,
- IN UINT8 *PayloadBuf,
- IN UINTN PayloadSize,
- IN UINT8 PayloadType
- )
-{
-}
-
-IKEV2_PACKET_HANDLER mIkev2CreateChild = {
- //
- // Create Child
- //
- Ikev2CreateChildParser,
- Ikev2CreateChildGenerator
-};
diff --git a/NetworkPkg/IpSecDxe/Ikev2/Exchange.c b/NetworkPkg/IpSecDxe/Ikev2/Exchange.c deleted file mode 100644 index dc219c5353..0000000000 --- a/NetworkPkg/IpSecDxe/Ikev2/Exchange.c +++ /dev/null @@ -1,803 +0,0 @@ -/** @file
- The general interfaces of the IKEv2.
-
- Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>
-
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#include "Utility.h"
-#include "IpSecDebug.h"
-#include "IkeService.h"
-#include "IpSecConfigImpl.h"
-
-/**
- General interface to intialize a IKEv2 negotiation.
-
- @param[in] UdpService Point to Udp Servcie used for the IKE packet sending.
- @param[in] SpdEntry Point to SPD entry related to this IKE negotiation.
- @param[in] PadEntry Point to PAD entry related to this IKE negotiation.
- @param[in] RemoteIp Point to IP Address which the remote peer to negnotiate.
-
- @retval EFI_SUCCESS The operation is successful.
- @retval EFI_OUT_OF_RESOURCES The required system resource can't be allocated.
- @retval EFI_INVALID_PARAMETER If UdpService or RemoteIp is NULL.
- @return Others The operation is failed.
-
-**/
-EFI_STATUS
-Ikev2NegotiateSa (
- IN IKE_UDP_SERVICE *UdpService,
- IN IPSEC_SPD_ENTRY *SpdEntry,
- IN IPSEC_PAD_ENTRY *PadEntry,
- IN EFI_IP_ADDRESS *RemoteIp
- )
-{
- IPSEC_PRIVATE_DATA *Private;
- IKEV2_SA_SESSION *IkeSaSession;
- IKEV2_SESSION_COMMON *SessionCommon;
- IKEV2_PACKET_HANDLER Handler;
- IKE_PACKET *IkePacket;
- EFI_STATUS Status;
-
- if (UdpService == NULL || RemoteIp == NULL) {
- return EFI_INVALID_PARAMETER;
- }
-
- IkePacket = NULL;
- Private = (UdpService->IpVersion == IP_VERSION_4) ?
- IPSEC_PRIVATE_DATA_FROM_UDP4LIST(UdpService->ListHead) :
- IPSEC_PRIVATE_DATA_FROM_UDP6LIST(UdpService->ListHead);
-
- //
- // Lookup the remote ip address in the processing IKE SA session list.
- //
- IkeSaSession = Ikev2SaSessionLookup (&Private->Ikev2SessionList, RemoteIp);
- if (IkeSaSession != NULL) {
- //
- // Drop the packet if already in process.
- //
- return EFI_SUCCESS;
- }
-
- //
- // Create a new IkeSaSession and initiate the common parameters.
- //
- IkeSaSession = Ikev2SaSessionAlloc (Private, UdpService);
- if (IkeSaSession == NULL) {
- return EFI_OUT_OF_RESOURCES;
- }
-
- //
- // Set the specific parameters and state(IKE_STATE_INIT).
- //
- IkeSaSession->Spd = SpdEntry;
- IkeSaSession->Pad = PadEntry;
- SessionCommon = &IkeSaSession->SessionCommon;
- SessionCommon->IsInitiator = TRUE;
- SessionCommon->State = IkeStateInit;
- //
- // TODO: Get the prefer DH Group from the IPsec Configuration, after the IPsecconfig application update
- // to support it.
- //
- SessionCommon->PreferDhGroup = IKEV2_TRANSFORM_ID_DH_1024MODP;
-
- CopyMem (
- &SessionCommon->RemotePeerIp,
- RemoteIp,
- sizeof (EFI_IP_ADDRESS)
- );
-
- CopyMem (
- &SessionCommon->LocalPeerIp,
- &UdpService->DefaultAddress,
- sizeof (EFI_IP_ADDRESS)
- );
-
- IKEV2_DUMP_STATE (SessionCommon->State, IkeStateInit);
-
- //
- // Initiate the SAD data of the IkeSaSession.
- //
- IkeSaSession->SaData = Ikev2InitializeSaData (SessionCommon);
- if (IkeSaSession->SaData == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto ON_ERROR;
- }
-
- //
- // Generate an IKE request packet and send it out.
- //
- Handler = mIkev2Initial[IkeSaSession->Pad->Data->AuthMethod][SessionCommon->State];
- IkePacket = Handler.Generator ((UINT8 *) IkeSaSession, NULL);
- if (IkePacket == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto ON_ERROR;
- }
-
- Status = Ikev2SendIkePacket (UdpService, (UINT8 *) SessionCommon, IkePacket, 0);
-
- if (EFI_ERROR (Status)) {
- goto ON_ERROR;
- }
-
- //
- // Insert the current IkeSaSession into the processing IKE SA list.
- //
- Ikev2SaSessionInsert (&Private->Ikev2SessionList, IkeSaSession, RemoteIp);
-
- return EFI_SUCCESS;
-
-ON_ERROR:
-
- if (IkePacket != NULL) {
- IkePacketFree (IkePacket);
- }
- Ikev2SaSessionFree (IkeSaSession);
- return Status;
-}
-
-/**
- It is general interface to negotiate the Child SA.
-
- There are three situations which will invoke this function. First, create a CHILD
- SA if the input Context is NULL. Second, rekeying the existing IKE SA if the Context
- is a IKEv2_SA_SESSION. Third, rekeying the existing CHILD SA if the context is a
- IKEv2_CHILD_SA_SESSION.
-
- @param[in] IkeSaSession Pointer to IKEv2_SA_SESSION related to this operation.
- @param[in] SpdEntry Pointer to IPSEC_SPD_ENTRY related to this operation.
- @param[in] Context The data pass from the caller.
-
- @retval EFI_SUCCESS The operation is successful.
- @retval EFI_OUT_OF_RESOURCES The required system resource can't be allocated.
- @retval EFI_UNSUPPORTED The condition is not support yet.
- @return Others The operation is failed.
-
-**/
-EFI_STATUS
-Ikev2NegotiateChildSa (
- IN UINT8 *IkeSaSession,
- IN IPSEC_SPD_ENTRY *SpdEntry,
- IN UINT8 *Context
- )
-{
- EFI_STATUS Status;
- IKEV2_SA_SESSION *SaSession;
- IKEV2_CHILD_SA_SESSION *ChildSaSession;
- IKEV2_SESSION_COMMON *ChildSaCommon;
- IKE_PACKET *IkePacket;
- IKE_UDP_SERVICE *UdpService;
-
- SaSession = (IKEV2_SA_SESSION*) IkeSaSession;
- UdpService = SaSession->SessionCommon.UdpService;
- IkePacket = NULL;
-
- //
- // 1. Create another child SA session if context is null.
- // 2. Rekeying the IKE SA session if the context is IKE SA session.
- // 3. Rekeying the child SA session if the context is child SA session.
- //
- if (Context == NULL) {
- //
- // Create a new ChildSaSession and initiate the common parameters.
- //
- ChildSaSession = Ikev2ChildSaSessionAlloc (UdpService, SaSession);
-
- if (ChildSaSession == NULL) {
- return EFI_OUT_OF_RESOURCES;
- }
-
- //
- // Set the specific parameters and state as IKE_STATE_CREATE_CHILD.
- //
- ChildSaSession->Spd = SpdEntry;
- ChildSaCommon = &ChildSaSession->SessionCommon;
- ChildSaCommon->IsInitiator = TRUE;
- ChildSaCommon->State = IkeStateCreateChild;
-
- IKEV2_DUMP_STATE (ChildSaCommon->State, IkeStateCreateChild);
-
- if (SpdEntry->Selector->NextLayerProtocol != EFI_IPSEC_ANY_PROTOCOL) {
- ChildSaSession->ProtoId = SpdEntry->Selector->NextLayerProtocol;
- }
-
- if (SpdEntry->Selector->LocalPort != EFI_IPSEC_ANY_PORT) {
- ChildSaSession->LocalPort = SpdEntry->Selector->LocalPort;
- }
-
- if (SpdEntry->Selector->RemotePort != EFI_IPSEC_ANY_PORT) {
- ChildSaSession->RemotePort = SpdEntry->Selector->RemotePort;
- }
- //
- // Initiate the SAD data parameters of the ChildSaSession.
- //
- ChildSaSession->SaData = Ikev2InitializeSaData (ChildSaCommon);
- if (ChildSaSession->SaData == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto ON_ERROR;
- }
- //
- // Generate an IKE request packet and send it out.
- //
- IkePacket = mIkev2CreateChild.Generator ((UINT8 *) ChildSaSession, NULL);
-
- if (IkePacket == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto ON_ERROR;
- }
-
- Status = Ikev2SendIkePacket (UdpService, (UINT8 *) ChildSaCommon, IkePacket, 0);
-
- if (EFI_ERROR (Status)) {
- goto ON_ERROR;
- }
-
- //
- // Insert the ChildSaSession into processing child SA list.
- //
- Ikev2ChildSaSessionInsert (&SaSession->ChildSaSessionList, ChildSaSession);
- } else {
- //
- // TODO: Rekeying IkeSaSession or ChildSaSession, NOT support yet.
- //
- // Rekey IkeSa, set IkeSaSession->State and pass over IkeSaSession
- // Rekey ChildSa, set ChildSaSession->State and pass over ChildSaSession
- //
- return EFI_UNSUPPORTED;
- }
-
- return EFI_SUCCESS;
-
-ON_ERROR:
-
- if (ChildSaSession->SaData != NULL) {
- FreePool (ChildSaSession->SaData);
- }
-
- if (ChildSaSession->SessionCommon.TimeoutEvent != NULL) {
- gBS->CloseEvent (ChildSaSession->SessionCommon.TimeoutEvent);
- }
-
- if (IkePacket != NULL) {
- IkePacketFree (IkePacket);
- }
-
- Ikev2ChildSaSessionFree (ChildSaSession);
- return Status;
-}
-
-/**
- It is general interface to start the Information Exchange.
-
- There are three situations which will invoke this function. First, deliver a Delete Information
- to delete the IKE SA if the input Context is NULL and the state of related IkeSaSeesion's is on
- deleting.Second, deliver a Notify Information without the contents if the input Context is NULL.
- Third, deliver a Notify Information if the input Context is not NULL.
-
- @param[in] IkeSaSession Pointer to IKEv2_SA_SESSION related to this operation.
- @param[in] Context Data passed by caller.
-
- @retval EFI_SUCCESS The operation is successful.
- @retval EFI_OUT_OF_RESOURCES The required system resource can't be allocated.
- @retval EFI_UNSUPPORTED The condition is not support yet.
- @return Otherwise The operation is failed.
-
-**/
-EFI_STATUS
-Ikev2NegotiateInfo (
- IN UINT8 *IkeSaSession,
- IN UINT8 *Context
- )
-{
-
- EFI_STATUS Status;
- IKEV2_SA_SESSION *Ikev2SaSession;
- IKEV2_CHILD_SA_SESSION *ChildSaSession;
- IKEV2_SESSION_COMMON *SaCommon;
- IKE_PACKET *IkePacket;
- IKE_UDP_SERVICE *UdpService;
- LIST_ENTRY *Entry;
- LIST_ENTRY *NextEntry;
-
- Ikev2SaSession = (IKEV2_SA_SESSION *) IkeSaSession;
- UdpService = Ikev2SaSession->SessionCommon.UdpService;
- SaCommon = &Ikev2SaSession->SessionCommon;
- IkePacket = NULL;
- Status = EFI_SUCCESS;
-
- //
- // Delete the IKE SA.
- //
- if (Ikev2SaSession->SessionCommon.State == IkeStateSaDeleting && Context == NULL) {
-
- //
- // Generate Information Packet which contains the Delete Payload.
- //
- IkePacket = mIkev2Info.Generator ((UINT8 *) Ikev2SaSession, NULL);
- if (IkePacket == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto ON_ERROR;
- }
-
- //
- // Send out the Packet
- //
- if (UdpService != NULL && UdpService->Output != NULL) {
- Status = Ikev2SendIkePacket (UdpService, (UINT8 *) SaCommon, IkePacket, 0);
-
- if (EFI_ERROR (Status)) {
- goto ON_ERROR;
- }
- }
- } else if (!IsListEmpty (&Ikev2SaSession->DeleteSaList)) {
- //
- // Iterate all Deleting Child SAs.
- //
- NET_LIST_FOR_EACH_SAFE (Entry, NextEntry, &Ikev2SaSession->DeleteSaList) {
- ChildSaSession = IKEV2_CHILD_SA_SESSION_BY_DEL_SA (Entry);
- ChildSaSession->SessionCommon.State = IkeStateSaDeleting;
-
- //
- // Generate Information Packet which contains the Child SA Delete Payload.
- //
- IkePacket = mIkev2Info.Generator ((UINT8 *) ChildSaSession, NULL);
- if (IkePacket == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto ON_ERROR;
- }
-
- //
- // Send out the Packet
- //
- if (UdpService != NULL && UdpService->Output != NULL) {
- Status = Ikev2SendIkePacket (UdpService, (UINT8 *) &ChildSaSession->SessionCommon, IkePacket, 0);
-
- if (EFI_ERROR (Status)) {
- goto ON_ERROR;
- }
- }
- }
- } else if (Context == NULL) {
- //
- // TODO: Deliver null notification message.
- //
- } else if (Context != NULL) {
- //
- // TODO: Send out the Information Exchange which contains the Notify Payload.
- //
- }
-ON_ERROR:
- if (IkePacket != NULL) {
- IkePacketFree (IkePacket);
- }
- return Status;
-
-}
-
-/**
- The general interface when received a IKEv2 packet for the IKE SA establishing.
-
- This function first find the related IKE SA Session according to the IKE packet's
- remote IP. Then call the corresponding function to handle this IKE packet according
- to the related IKE SA Session's State.
-
- @param[in] UdpService Pointer of related UDP Service.
- @param[in] IkePacket Data passed by caller.
-
-**/
-VOID
-Ikev2HandleSa (
- IN IKE_UDP_SERVICE *UdpService,
- IN IKE_PACKET *IkePacket
- )
-{
- EFI_STATUS Status;
- IKEV2_SA_SESSION *IkeSaSession;
- IKEV2_CHILD_SA_SESSION *ChildSaSession;
- IKEV2_SESSION_COMMON *IkeSaCommon;
- IKEV2_SESSION_COMMON *ChildSaCommon;
- IKEV2_PACKET_HANDLER Handler;
- IKE_PACKET *Reply;
- IPSEC_PAD_ENTRY *PadEntry;
- IPSEC_PRIVATE_DATA *Private;
- BOOLEAN IsNewSession;
-
- Private = (UdpService->IpVersion == IP_VERSION_4) ?
- IPSEC_PRIVATE_DATA_FROM_UDP4LIST(UdpService->ListHead) :
- IPSEC_PRIVATE_DATA_FROM_UDP6LIST(UdpService->ListHead);
-
- ChildSaSession = NULL;
- ChildSaCommon = NULL;
-
- //
- // Lookup the remote ip address in the processing IKE SA session list.
- //
- IkeSaSession = Ikev2SaSessionLookup (&Private->Ikev2SessionList, &IkePacket->RemotePeerIp);
- IsNewSession = FALSE;
-
- if (IkeSaSession == NULL) {
- //
- // Lookup the remote ip address in the pad.
- //
- PadEntry = IpSecLookupPadEntry (UdpService->IpVersion, &IkePacket->RemotePeerIp);
- if (PadEntry == NULL) {
- //
- // Drop the packet if no pad entry matched, this is the request from RFC 4301.
- //
- return ;
- }
-
- //
- // Create a new IkeSaSession and initiate the common parameters.
- //
- IkeSaSession = Ikev2SaSessionAlloc (Private, UdpService);
- if (IkeSaSession == NULL) {
- return;
- }
- IkeSaSession->Pad = PadEntry;
- IkeSaCommon = &IkeSaSession->SessionCommon;
- IkeSaCommon->IsInitiator = FALSE;
- IkeSaCommon->State = IkeStateInit;
-
- IKEV2_DUMP_STATE (IkeSaCommon->State, IkeStateInit);
-
- CopyMem (
- &IkeSaCommon->RemotePeerIp,
- &IkePacket->RemotePeerIp,
- sizeof (EFI_IP_ADDRESS)
- );
-
- CopyMem (
- &IkeSaCommon->LocalPeerIp,
- &UdpService->DefaultAddress,
- sizeof (EFI_IP_ADDRESS)
- );
-
- IsNewSession = TRUE;
- }
-
- //
- // Validate the IKE packet header.
- //
- if (!Ikev2ValidateHeader (IkeSaSession, IkePacket->Header)) {
- //
- // Drop the packet if invalid IKE header.
- //
- goto ON_ERROR;
- }
-
- //
- // Decode all the payloads in the IKE packet.
- //
- IkeSaCommon = &IkeSaSession->SessionCommon;
- Status = Ikev2DecodePacket (IkeSaCommon, IkePacket, IkeSessionTypeIkeSa);
- if (EFI_ERROR (Status)) {
- goto ON_ERROR;
- }
-
- //
- // Try to reate the first ChildSa Session of that IkeSaSession.
- // If the IkeSaSession is responder, here will create the first ChildSaSession.
- //
- if (IkeSaCommon->State == IkeStateAuth && IsListEmpty(&IkeSaSession->ChildSaSessionList)) {
- //
- // Generate a piggyback child SA in IKE_STATE_AUTH state.
- //
- ASSERT (IsListEmpty (&IkeSaSession->ChildSaSessionList) &&
- IsListEmpty (&IkeSaSession->ChildSaEstablishSessionList));
-
- ChildSaSession = Ikev2ChildSaSessionCreate (IkeSaSession, UdpService);
- if (ChildSaSession == NULL) {
- goto ON_ERROR;
- }
-
- ChildSaCommon = &ChildSaSession->SessionCommon;
- }
-
- //
- // Parse the IKE request packet according to the auth method and current state.
- //
- Handler = mIkev2Initial[IkeSaSession->Pad->Data->AuthMethod][IkeSaCommon->State];
- Status = Handler.Parser ((UINT8 *)IkeSaSession, IkePacket);
- if (EFI_ERROR (Status)) {
- goto ON_ERROR;
- }
-
- //
- // Try to reate the first ChildSa Session of that IkeSaSession.
- // If the IkeSaSession is initiator, here will create the first ChildSaSession.
- //
- if (IkeSaCommon->State == IkeStateAuth && IsListEmpty(&IkeSaSession->ChildSaSessionList)) {
- //
- // Generate a piggyback child SA in IKE_STATE_AUTH state.
- //
- ASSERT (IsListEmpty (&IkeSaSession->ChildSaSessionList) &&
- IsListEmpty (&IkeSaSession->ChildSaEstablishSessionList));
-
- ChildSaSession = Ikev2ChildSaSessionCreate (IkeSaSession, UdpService);
- if (ChildSaSession == NULL) {
- goto ON_ERROR;
- }
-
- ChildSaCommon = &ChildSaSession->SessionCommon;
-
- //
- // Initialize the SA data for Child SA.
- //
- ChildSaSession->SaData = Ikev2InitializeSaData (ChildSaCommon);
- }
-
- //
- // Generate the IKE response packet and send it out if not established.
- //
- if (IkeSaCommon->State != IkeStateIkeSaEstablished) {
- Handler = mIkev2Initial[IkeSaSession->Pad->Data->AuthMethod][IkeSaCommon->State];
- Reply = Handler.Generator ((UINT8 *) IkeSaSession, NULL);
- if (Reply == NULL) {
- goto ON_ERROR;
- }
-
- Status = Ikev2SendIkePacket (UdpService, (UINT8 *) IkeSaCommon, Reply, 0);
- if (EFI_ERROR (Status)) {
- goto ON_ERROR;
- }
- if (!IkeSaCommon->IsInitiator) {
- IkeSaCommon->State ++;
- IKEV2_DUMP_STATE (IkeSaCommon->State - 1, IkeSaCommon->State);
- }
- }
-
- //
- // Insert the new IkeSaSession into the Private processing IkeSaSession List.
- //
- if (IsNewSession) {
- Ikev2SaSessionInsert (&Private->Ikev2SessionList, IkeSaSession, &IkePacket->RemotePeerIp);
- }
-
- //
- // Register the IkeSaSession and remove it from processing list.
- //
- if (IkeSaCommon->State == IkeStateIkeSaEstablished) {
-
- //
- // Remove the Established IKE SA Session from the IKE SA Session Negotiating list
- // and insert it into IKE SA Session Established list.
- //
- Ikev2SaSessionRemove (&Private->Ikev2SessionList, &IkePacket->RemotePeerIp);
- Ikev2SaSessionReg (IkeSaSession, Private);
-
- //
- // Remove the Established Child SA Session from the IkeSaSession->ChildSaSessionList
- // ,insert it into IkeSaSession->ChildSaEstablishSessionList and save this Child SA
- // into SAD.
- //
- ChildSaSession = IKEV2_CHILD_SA_SESSION_BY_IKE_SA (IkeSaSession->ChildSaSessionList.BackLink);
- Ikev2ChildSaSessionRemove (
- &IkeSaSession->ChildSaSessionList,
- ChildSaSession->LocalPeerSpi,
- IKEV2_ESTABLISHING_CHILDSA_LIST
- );
- Ikev2ChildSaSessionReg (ChildSaSession, Private);
- }
-
- return ;
-
-ON_ERROR:
- if (ChildSaSession != NULL) {
- //
- // Remove the ChildSa from the list (Established list or Negotiating list).
- //
- RemoveEntryList (&ChildSaSession->ByIkeSa);
- Ikev2ChildSaSessionFree (ChildSaSession);
- }
-
- if (IsNewSession && IkeSaSession != NULL) {
- //
- // Remove the IkeSa from the list (Established list or Negotiating list).
- //
- if ((&IkeSaSession->BySessionTable)->ForwardLink != NULL &&
- !IsListEmpty (&IkeSaSession->BySessionTable
- )){
- RemoveEntryList (&IkeSaSession->BySessionTable);
- }
- Ikev2SaSessionFree (IkeSaSession);
- }
-
- return ;
-}
-
-/**
-
- The general interface when received a IKEv2 packet for the IKE Child SA establishing
- or IKE SA/CHILD SA rekeying.
-
- This function first find the related IKE SA Session according to the IKE packet's
- remote IP. Then call the corresponding function to handle this IKE packet according
- to the related IKE Child Session's State.
-
- @param[in] UdpService Pointer of related UDP Service.
- @param[in] IkePacket Data passed by caller.
-
-**/
-VOID
-Ikev2HandleChildSa (
- IN IKE_UDP_SERVICE *UdpService,
- IN IKE_PACKET *IkePacket
- )
-{
- EFI_STATUS Status;
- IKEV2_SA_SESSION *IkeSaSession;
- IKEV2_CREATE_CHILD_REQUEST_TYPE RequestType;
- IKE_PACKET *Reply;
- IPSEC_PRIVATE_DATA *Private;
-
- Private = (UdpService->IpVersion == IP_VERSION_4) ?
- IPSEC_PRIVATE_DATA_FROM_UDP4LIST(UdpService->ListHead) :
- IPSEC_PRIVATE_DATA_FROM_UDP6LIST(UdpService->ListHead);
-
- Reply = NULL;
-
- //
- // Lookup the remote ip address in the processing IKE SA session list.
- //
- IkeSaSession = Ikev2SaSessionLookup (&Private->Ikev2EstablishedList, &IkePacket->RemotePeerIp);
-
- if (IkeSaSession == NULL) {
- //
- // Drop the packet if no IKE SA associated.
- //
- return ;
- }
-
- //
- // Validate the IKE packet header.
- //
- if (!Ikev2ValidateHeader (IkeSaSession, IkePacket->Header)) {
- //
- // Drop the packet if invalid IKE header.
- //
- return;
- }
-
- //
- // Decode all the payloads in the IKE packet.
- //
- Status = Ikev2DecodePacket (&IkeSaSession->SessionCommon, IkePacket, IkeSessionTypeIkeSa);
- if (EFI_ERROR (Status)) {
- return;
- }
-
- //
- // Get the request type: CreateChildSa/RekeyChildSa/RekeyIkeSa.
- //
- RequestType = Ikev2ChildExchangeRequestType (IkePacket);
-
- switch (RequestType) {
- case IkeRequestTypeCreateChildSa:
- case IkeRequestTypeRekeyChildSa:
- case IkeRequestTypeRekeyIkeSa:
- //
- // Parse the IKE request packet. Not support CREATE_CHILD_SA exchange yet, so
- // only EFI_UNSUPPORTED will be returned and that will trigger a reply with a
- // Notify payload of type NO_ADDITIONAL_SAS.
- //
- Status = mIkev2CreateChild.Parser ((UINT8 *) IkeSaSession, IkePacket);
- if (EFI_ERROR (Status)) {
- goto ON_REPLY;
- }
-
- default:
- //
- // No support.
- //
- return ;
- }
-
-ON_REPLY:
- //
- // Generate the reply packet if needed and send it out.
- //
- if (!(IkePacket->Header->Flags & IKE_HEADER_FLAGS_RESPOND)) {
- Reply = mIkev2CreateChild.Generator ((UINT8 *) IkeSaSession, &IkePacket->Header->MessageId);
- if (Reply != NULL) {
- Status = Ikev2SendIkePacket (UdpService, (UINT8 *) &(IkeSaSession->SessionCommon), Reply, 0);
- if (EFI_ERROR (Status)) {
- //
- // Delete Reply payload.
- //
- if (Reply != NULL) {
- IkePacketFree (Reply);
- }
- }
- }
- }
- return ;
-}
-
-/**
-
- It is general interface to handle IKEv2 information Exchange.
-
- @param[in] UdpService Point to IKE UPD Service related to this information exchange.
- @param[in] IkePacket The IKE packet to be parsed.
-
-**/
-VOID
-Ikev2HandleInfo (
- IN IKE_UDP_SERVICE *UdpService,
- IN IKE_PACKET *IkePacket
- )
-{
- EFI_STATUS Status;
- IKEV2_SESSION_COMMON *SessionCommon;
- IKEV2_SA_SESSION *IkeSaSession;
- IPSEC_PRIVATE_DATA *Private;
-
- Private = (UdpService->IpVersion == IP_VERSION_4) ?
- IPSEC_PRIVATE_DATA_FROM_UDP4LIST(UdpService->ListHead) :
- IPSEC_PRIVATE_DATA_FROM_UDP6LIST(UdpService->ListHead);
-
- //
- // Lookup the remote ip address in the processing IKE SA session list.
- //
- IkeSaSession = Ikev2SaSessionLookup (&Private->Ikev2EstablishedList, &IkePacket->RemotePeerIp);
-
- if (IkeSaSession == NULL) {
- //
- // Drop the packet if no IKE SA associated.
- //
- return ;
- }
- //
- // Validate the IKE packet header.
- //
- if (!Ikev2ValidateHeader (IkeSaSession, IkePacket->Header)) {
-
- //
- // Drop the packet if invalid IKE header.
- //
- return;
- }
-
- SessionCommon = &IkeSaSession->SessionCommon;
-
- //
- // Decode all the payloads in the IKE packet.
- //
- Status = Ikev2DecodePacket (SessionCommon, IkePacket, IkeSessionTypeIkeSa);
- if (EFI_ERROR (Status)) {
- return;
- }
-
- Status = mIkev2Info.Parser ((UINT8 *)IkeSaSession, IkePacket);
-
- if (EFI_ERROR (Status)) {
- //
- // Drop the packet if fail to parse.
- //
- return;
- }
-}
-
-IKE_EXCHANGE_INTERFACE mIkev1Exchange = {
- 1,
- NULL, //Ikev1NegotiateSa
- NULL, //Ikev1NegotiateChildSa
- NULL,
- NULL, //Ikev1HandleSa,
- NULL, //Ikev1HandleChildSa
- NULL, //Ikev1HandleInfo
-};
-
-IKE_EXCHANGE_INTERFACE mIkev2Exchange = {
- 2,
- Ikev2NegotiateSa,
- Ikev2NegotiateChildSa,
- Ikev2NegotiateInfo,
- Ikev2HandleSa,
- Ikev2HandleChildSa,
- Ikev2HandleInfo
-};
-
diff --git a/NetworkPkg/IpSecDxe/Ikev2/Ikev2.h b/NetworkPkg/IpSecDxe/Ikev2/Ikev2.h deleted file mode 100644 index 83d1efdd3e..0000000000 --- a/NetworkPkg/IpSecDxe/Ikev2/Ikev2.h +++ /dev/null @@ -1,252 +0,0 @@ -/** @file
- IKEv2 related definitions.
-
- Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>
-
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-#ifndef _IKE_V2_H_
-#define _IKE_V2_H_
-
-#include "Ike.h"
-#include "Payload.h"
-
-#define IKEV2_TS_ANY_PORT 0xffff
-#define IKEV2_TS_ANY_PROTOCOL 0
-
-#define IKEV2_DELET_CHILDSA_LIST 0
-#define IKEV2_ESTABLISHING_CHILDSA_LIST 1
-#define IKEV2_ESTABLISHED_CHILDSA_LIST 2
-
-#define IKEV2_SA_SESSION_SIGNATURE SIGNATURE_32 ('I', 'K', 'E', 'I')
-#define IKEV2_SA_SESSION_FROM_COMMON(a) CR (a, IKEV2_SA_SESSION, SessionCommon, IKEV2_SA_SESSION_SIGNATURE)
-#define IKEV2_SA_SESSION_BY_SESSION(a) CR (a, IKEV2_SA_SESSION, BySessionTable, IKEV2_SA_SESSION_SIGNATURE)
-#define IKEV2_SA_SESSION_BY_ESTABLISHED(a) CR (a, IKEV2_SA_SESSION, ByEstablishedTable, IKEV2_SA_SESSION_SIGNATURE)
-
-#define IKEV2_CHILD_SA_SESSION_SIGNATURE SIGNATURE_32 ('I', 'K', 'E', 'C')
-#define IKEV2_CHILD_SA_SESSION_FROM_COMMON(a) CR (a, IKEV2_CHILD_SA_SESSION, SessionCommon, IKEV2_CHILD_SA_SESSION_SIGNATURE)
-#define IKEV2_CHILD_SA_SESSION_BY_IKE_SA(a) CR (a, IKEV2_CHILD_SA_SESSION, ByIkeSa, IKEV2_CHILD_SA_SESSION_SIGNATURE)
-#define IKEV2_CHILD_SA_SESSION_BY_DEL_SA(a) CR (a, IKEV2_CHILD_SA_SESSION, ByDelete, IKEV2_CHILD_SA_SESSION_SIGNATURE)
-
-#define IS_IKEV2_SA_SESSION(s) ((s)->Common.IkeSessionType == IkeSessionTypeIkeSa)
-#define IKEV2_SA_FIRST_PROPOSAL(Sa) (IKEV2_PROPOSAL *)((IKEV2_SA *)(Sa)+1)
-#define IKEV2_NEXT_TRANSFORM_WITH_SIZE(Transform,TransformSize) \
- (IKEV2_TRANSFORM *) ((UINT8 *)(Transform) + (TransformSize))
-
-#define IKEV2_NEXT_PROPOSAL_WITH_SIZE(Proposal, ProposalSize) \
- (IKEV2_PROPOSAL *) ((UINT8 *)(Proposal) + (ProposalSize))
-
-#define IKEV2_PROPOSAL_FIRST_TRANSFORM(Proposal) \
- (IKEV2_TRANSFORM *)((UINT8 *)((IKEV2_PROPOSAL *)(Proposal)+1) + \
- (((IKEV2_PROPOSAL *)(Proposal))->SpiSize))
-#define IKEV2_PROPOSAL_FIRST_TRANSFORM(Proposal) \
- (IKEV2_TRANSFORM *)((UINT8 *)((IKEV2_PROPOSAL *)(Proposal)+1) + \
- (((IKEV2_PROPOSAL *)(Proposal))->SpiSize))
-
-typedef enum {
- IkeStateInit,
- IkeStateAuth,
- IkeStateIkeSaEstablished,
- IkeStateCreateChild,
- IkeStateSaRekeying,
- IkeStateChildSaEstablished,
- IkeStateSaDeleting,
- IkeStateMaximum
-} IKEV2_SESSION_STATE;
-
-typedef enum {
- IkeRequestTypeCreateChildSa,
- IkeRequestTypeRekeyChildSa,
- IkeRequestTypeRekeyIkeSa,
- IkeRequestTypeMaximum
-} IKEV2_CREATE_CHILD_REQUEST_TYPE;
-
-typedef struct {
- UINT8 *GxBuffer;
- UINTN GxSize;
- UINT8 *GyBuffer;
- UINTN GySize;
- UINT8 *GxyBuffer;
- UINTN GxySize;
- UINT8 *DhContext;
-} IKEV2_DH_BUFFER;
-
-typedef struct {
- IKEV2_DH_BUFFER *DhBuffer;
- UINT8 *SkdKey;
- UINTN SkdKeySize;
- UINT8 *SkAiKey;
- UINTN SkAiKeySize;
- UINT8 *SkArKey;
- UINTN SkArKeySize;
- UINT8 *SkEiKey;
- UINTN SkEiKeySize;
- UINT8 *SkErKey;
- UINTN SkErKeySize;
- UINT8 *SkPiKey;
- UINTN SkPiKeySize;
- UINT8 *SkPrKey;
- UINTN SkPrKeySize;
-} IKEV2_SESSION_KEYS;
-
-typedef struct {
- UINT16 LifeType;
- UINT64 LifeDuration;
- UINT16 EncAlgId;
- UINTN EnckeyLen;
- UINT16 Prf;
- UINT16 IntegAlgId;
- UINTN IntegKeyLen;
- UINT16 DhGroup;
- UINT8 ExtSeq;
-} IKEV2_SA_PARAMS;
-
-//
-// Internal Payload
-//
-typedef struct {
- IKEV2_SA SaHeader;
- UINTN NumProposals;
- //
- // IKE_PROPOSAL_DATA Proposals[1];
- //
-} IKEV2_SA_DATA;
-
-typedef struct {
- UINT8 ProposalIndex;
- UINT8 ProtocolId;
- UINT8 *Spi;
- UINT8 NumTransforms;
- //
- // IKE_TRANSFORM_DATA Transforms[1];
- //
-} IKEV2_PROPOSAL_DATA;
-
-typedef struct {
- UINT8 TransformIndex;
- UINT8 TransformType;
- UINT16 TransformId;
- IKE_SA_ATTRIBUTE Attribute;
-} IKEV2_TRANSFORM_DATA;
-
-typedef struct {
- UINT8 IkeVer;
- IKE_SESSION_TYPE IkeSessionType;
- BOOLEAN IsInitiator;
- BOOLEAN IsOnDeleting; // Flag to indicate whether the SA is on deleting.
- IKEV2_SESSION_STATE State;
- EFI_EVENT TimeoutEvent;
- UINT64 TimeoutInterval;
- UINTN RetryCount;
- IKE_PACKET *LastSentPacket;
- IKEV2_SA_PARAMS *SaParams;
- UINT16 PreferDhGroup;
- EFI_IP_ADDRESS RemotePeerIp;
- EFI_IP_ADDRESS LocalPeerIp;
- IKE_ON_PAYLOAD_FROM_NET BeforeDecodePayload;
- IKE_ON_PAYLOAD_FROM_NET AfterEncodePayload;
- IKE_UDP_SERVICE *UdpService;
- IPSEC_PRIVATE_DATA *Private;
-} IKEV2_SESSION_COMMON;
-
-typedef struct {
- UINT32 Signature;
- IKEV2_SESSION_COMMON SessionCommon;
- UINT64 InitiatorCookie;
- UINT64 ResponderCookie;
- //
- // Initiator: SA proposals to be sent
- // Responder: SA proposals to be matched
- //
- IKEV2_SA_DATA *SaData; // SA Private struct used for SA payload generation
- IKEV2_SESSION_KEYS *IkeKeys;
- UINT8 *NiBlock;
- UINTN NiBlkSize;
- UINT8 *NrBlock;
- UINTN NrBlkSize;
- UINT8 *NCookie; // Buffer Contains the Notify Cookie
- UINTN NCookieSize; // Size of NCookie
- IPSEC_PAD_ENTRY *Pad;
- IPSEC_SPD_ENTRY *Spd; // SPD that requested the negotiation, TODO: better use SPD selector
- LIST_ENTRY ChildSaSessionList;
- LIST_ENTRY ChildSaEstablishSessionList; // For Establish Child SA.
- LIST_ENTRY InfoMIDList; // For Information MID
- LIST_ENTRY DeleteSaList; // For deteling Child SA.
- UINT8 *InitPacket;
- UINTN InitPacketSize;
- UINT8 *RespPacket;
- UINTN RespPacketSize;
- UINT32 MessageId;
- LIST_ENTRY BySessionTable; // Use for all IkeSaSession Links
-} IKEV2_SA_SESSION;
-
-typedef struct {
- UINT32 Signature;
- IKEV2_SESSION_COMMON SessionCommon;
- IKEV2_SA_SESSION *IkeSaSession;
- UINT32 MessageId;
- IKEV2_SA_DATA *SaData;
- UINT8 IpsecProtocol;
- UINT32 LocalPeerSpi;
- UINT32 RemotePeerSpi;
- UINT8 *NiBlock;
- UINTN NiBlkSize;
- UINT8 *NrBlock;
- UINTN NrBlkSize;
- SA_KEYMATS ChildKeymats;
- IKEV2_DH_BUFFER *DhBuffer; //New DH exchnaged by CREATE_CHILD_SA
- IPSEC_SPD_ENTRY *Spd;
- EFI_IPSEC_SPD_SELECTOR *SpdSelector;
- UINT16 ProtoId;
- UINT16 RemotePort;
- UINT16 LocalPort;
- LIST_ENTRY ByIkeSa;
- LIST_ENTRY ByDelete;
-} IKEV2_CHILD_SA_SESSION;
-
-typedef enum {
- Ikev2InfoNotify,
- Ikev2InfoDelete,
- Ikev2InfoLiveCheck
-} IKEV2_INFO_TYPE;
-
-//
-// This struct is used to pass the detail infromation to the InfoGenerator() for
-// the response Information Exchange Message creatation.
-//
-typedef struct {
- UINT32 MessageId;
- IKEV2_INFO_TYPE InfoType;
-} IKEV2_INFO_EXCHANGE_CONTEXT;
-
-typedef struct {
- UINTN DataSize;
- UINT8 *Data;
-} PRF_DATA_FRAGMENT;
-
-typedef
-IKE_PACKET *
-(*IKEV2_PACKET_GENERATOR) (
- IN UINT8 *SaSession,
- IN VOID *Context
-);
-
-typedef
-EFI_STATUS
-(*IKEV2_PACKET_PARSER) (
- IN UINT8 *SaSession,
- IN IKE_PACKET *IkePacket
-);
-
-typedef struct {
- IKEV2_PACKET_PARSER Parser;
- IKEV2_PACKET_GENERATOR Generator;
-} IKEV2_PACKET_HANDLER;
-
-extern IKEV2_PACKET_HANDLER mIkev2Initial[][2];
-extern IKEV2_PACKET_HANDLER mIkev2CreateChild;
-extern IKEV2_PACKET_HANDLER mIkev2Info;
-
-#endif
-
diff --git a/NetworkPkg/IpSecDxe/Ikev2/Info.c b/NetworkPkg/IpSecDxe/Ikev2/Info.c deleted file mode 100644 index 40320740d4..0000000000 --- a/NetworkPkg/IpSecDxe/Ikev2/Info.c +++ /dev/null @@ -1,403 +0,0 @@ -/** @file
- The Implementations for Information Exchange.
-
- (C) Copyright 2015 Hewlett-Packard Development Company, L.P.<BR>
- Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>
-
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#include "Utility.h"
-#include "IpSecDebug.h"
-#include "IpSecConfigImpl.h"
-
-/**
- Generate Information Packet.
-
- The information Packet may contain one Delete Payload, or Notify Payload, which
- dependes on the Context's parameters.
-
- @param[in] SaSession Pointer to IKE SA Session or Child SA Session which is
- related to the information Exchange.
- @param[in] Context The Data passed from the caller. If the Context is not NULL
- it should contain the information for Notification Data.
-
- @retval Pointer of IKE_PACKET generated.
-
-**/
-IKE_PACKET *
-Ikev2InfoGenerator (
- IN UINT8 *SaSession,
- IN VOID *Context
- )
-{
- IKEV2_SA_SESSION *IkeSaSession;
- IKEV2_CHILD_SA_SESSION *ChildSaSession;
- IKE_PACKET *IkePacket;
- IKE_PAYLOAD *IkePayload;
- IKEV2_INFO_EXCHANGE_CONTEXT *InfoContext;
-
- InfoContext = NULL;
- IkeSaSession = (IKEV2_SA_SESSION *) SaSession;
- IkePacket = IkePacketAlloc ();
- if (IkePacket == NULL) {
- return NULL;
- }
-
- //
- // Fill IkePacket Header.
- //
- IkePacket->Header->ExchangeType = IKEV2_EXCHANGE_TYPE_INFO;
- IkePacket->Header->Version = (UINT8) (2 << 4);
-
- if (Context != NULL) {
- InfoContext = (IKEV2_INFO_EXCHANGE_CONTEXT *) Context;
- }
-
- //
- // For Liveness Check
- //
- if (InfoContext != NULL &&
- (InfoContext->InfoType == Ikev2InfoLiveCheck || InfoContext->InfoType == Ikev2InfoNotify)
- ) {
- IkePacket->Header->MessageId = InfoContext->MessageId;
- IkePacket->Header->InitiatorCookie = IkeSaSession->InitiatorCookie;
- IkePacket->Header->ResponderCookie = IkeSaSession->ResponderCookie;
- IkePacket->Header->NextPayload = IKEV2_PAYLOAD_TYPE_NONE;
- IkePacket->Header->Flags = IKE_HEADER_FLAGS_RESPOND;
- //
- // TODO: add Notify Payload for Notification Information.
- //
- return IkePacket;
- }
-
- //
- // For delete SAs
- //
- if (IkeSaSession->SessionCommon.IkeSessionType == IkeSessionTypeIkeSa) {
-
- IkePacket->Header->InitiatorCookie = IkeSaSession->InitiatorCookie;
- IkePacket->Header->ResponderCookie = IkeSaSession->ResponderCookie;
-
- //
- // If the information message is response message,the MessageId should
- // be same as the request MessageId which passed through the Context.
- //
- if (InfoContext != NULL) {
- IkePacket->Header->MessageId = InfoContext->MessageId;
- } else {
- IkePacket->Header->MessageId = IkeSaSession->MessageId;
- Ikev2SaSessionIncreaseMessageId (IkeSaSession);
- }
- //
- // If the state is on deleting generate a Delete Payload for it.
- //
- if (IkeSaSession->SessionCommon.State == IkeStateSaDeleting ) {
- IkePayload = Ikev2GenerateDeletePayload (
- IkeSaSession,
- IKEV2_PAYLOAD_TYPE_NONE,
- 0,
- 0,
- NULL
- );
- if (IkePayload == NULL) {
- goto ERROR_EXIT;
- }
- //
- // Fill the next payload in IkePacket's Header.
- //
- IkePacket->Header->NextPayload = IKEV2_PAYLOAD_TYPE_DELETE;
- IKE_PACKET_APPEND_PAYLOAD (IkePacket, IkePayload);
- IkePacket->Private = IkeSaSession->SessionCommon.Private;
- IkePacket->Spi = 0;
- IkePacket->IsDeleteInfo = TRUE;
-
- } else if (Context != NULL) {
- //
- // TODO: If contest is not NULL Generate a Notify Payload.
- //
- } else {
- //
- // The input parameter is not correct.
- //
- goto ERROR_EXIT;
- }
-
- if (IkeSaSession->SessionCommon.IsInitiator) {
- IkePacket->Header->Flags = IKE_HEADER_FLAGS_INIT ;
- }
- } else {
- //
- // Delete the Child SA Information Exchagne
- //
- ChildSaSession = (IKEV2_CHILD_SA_SESSION *) SaSession;
- IkeSaSession = ChildSaSession->IkeSaSession;
- IkePacket->Header->InitiatorCookie = ChildSaSession->IkeSaSession->InitiatorCookie;
- IkePacket->Header->ResponderCookie = ChildSaSession->IkeSaSession->ResponderCookie;
-
- //
- // If the information message is response message,the MessageId should
- // be same as the request MessageId which passed through the Context.
- //
- if (InfoContext != NULL && InfoContext->MessageId != 0) {
- IkePacket->Header->MessageId = InfoContext->MessageId;
- } else {
- IkePacket->Header->MessageId = ChildSaSession->IkeSaSession->MessageId;
- Ikev2SaSessionIncreaseMessageId (IkeSaSession);
- }
-
- IkePayload = Ikev2GenerateDeletePayload (
- ChildSaSession->IkeSaSession,
- IKEV2_PAYLOAD_TYPE_DELETE,
- 4,
- 1,
- (UINT8 *)&ChildSaSession->LocalPeerSpi
- );
- if (IkePayload == NULL) {
- goto ERROR_EXIT;
- }
- //
- // Fill the Next Payload in IkePacket's Header.
- //
- IkePacket->Header->NextPayload = IKEV2_PAYLOAD_TYPE_DELETE;
- IKE_PACKET_APPEND_PAYLOAD (IkePacket, IkePayload);
-
- IkePacket->Private = IkeSaSession->SessionCommon.Private;
- IkePacket->Spi = ChildSaSession->LocalPeerSpi;
- IkePacket->IsDeleteInfo = TRUE;
-
- if (!ChildSaSession->SessionCommon.IsInitiator) {
- //
- // If responder, use the MessageId fromt the initiator.
- //
- IkePacket->Header->MessageId = ChildSaSession->MessageId;
- }
-
- //
- // Change the IsOnDeleting Flag
- //
- ChildSaSession->SessionCommon.IsOnDeleting = TRUE;
-
- if (ChildSaSession->SessionCommon.IsInitiator) {
- IkePacket->Header->Flags = IKE_HEADER_FLAGS_INIT ;
- }
- }
-
- if (InfoContext != NULL) {
- IkePacket->Header->Flags |= IKE_HEADER_FLAGS_RESPOND;
- }
-
- return IkePacket;
-
-ERROR_EXIT:
- if (IkePacket != NULL) {
- FreePool (IkePacket);
- }
- return NULL;
-
-}
-
-/**
- Parse the Info Exchange.
-
- @param[in] SaSession Pointer to IKEV2_SA_SESSION.
- @param[in] IkePacket Pointer to IkePacket related to the Information Exchange.
-
- @retval EFI_SUCCESS The operation finised successed.
-
-**/
-EFI_STATUS
-Ikev2InfoParser (
- IN UINT8 *SaSession,
- IN IKE_PACKET *IkePacket
- )
-{
- IKEV2_CHILD_SA_SESSION *ChildSaSession;
- IKEV2_SA_SESSION *IkeSaSession;
- IKE_PAYLOAD *DeletePayload;
- IKE_PAYLOAD *IkePayload;
- IKEV2_DELETE *Delete;
- LIST_ENTRY *Entry;
- LIST_ENTRY *ListEntry;
- UINT8 Index;
- UINT32 Spi;
- UINT8 *SpiBuffer;
- IPSEC_PRIVATE_DATA *Private;
- UINT8 Value;
- EFI_STATUS Status;
- IKE_PACKET *RespondPacket;
-
- IKEV2_INFO_EXCHANGE_CONTEXT Context;
-
- IkeSaSession = (IKEV2_SA_SESSION *) SaSession;
-
- DeletePayload = NULL;
- Private = NULL;
- RespondPacket = NULL;
- Status = EFI_SUCCESS;
-
- //
- // For Liveness Check
- //
- if (IkePacket->Header->NextPayload == IKEV2_PAYLOAD_TYPE_NONE &&
- (IkePacket->PayloadTotalSize == 0)
- ) {
- if (IkePacket->Header->Flags == IKE_HEADER_FLAGS_INIT) {
- //
- // If it is Liveness check request, reply it.
- //
- Context.InfoType = Ikev2InfoLiveCheck;
- Context.MessageId = IkePacket->Header->MessageId;
- RespondPacket = Ikev2InfoGenerator ((UINT8 *)IkeSaSession, &Context);
-
- if (RespondPacket == NULL) {
- Status = EFI_INVALID_PARAMETER;
- return Status;
- }
- Status = Ikev2SendIkePacket (
- IkeSaSession->SessionCommon.UdpService,
- (UINT8 *)(&IkeSaSession->SessionCommon),
- RespondPacket,
- 0
- );
-
- } else {
- //
- // Todo: verify the liveness check response packet.
- //
- }
- return Status;
- }
-
- //
- // For SA Delete
- //
- NET_LIST_FOR_EACH (Entry, &(IkePacket)->PayloadList) {
-
- //
- // Iterate payloads to find the Delete/Notify Payload.
- //
- IkePayload = IKE_PAYLOAD_BY_PACKET (Entry);
-
- if (IkePayload->PayloadType == IKEV2_PAYLOAD_TYPE_DELETE) {
- DeletePayload = IkePayload;
- Delete = (IKEV2_DELETE *)DeletePayload->PayloadBuf;
-
- if (Delete->SpiSize == 0) {
- //
- // Delete IKE SA.
- //
- if (IkeSaSession->SessionCommon.State == IkeStateSaDeleting) {
- RemoveEntryList (&IkeSaSession->BySessionTable);
- Ikev2SaSessionFree (IkeSaSession);
- //
- // Checking the Private status.
- //
- //
- // when all IKE SAs were disabled by calling "IPsecConfig -disable", the IPsec
- // status should be changed.
- //
- Private = IkeSaSession->SessionCommon.Private;
- if (Private != NULL && Private->IsIPsecDisabling) {
- //
- // After all IKE SAs were deleted, set the IPSEC_STATUS_DISABLED value in
- // IPsec status variable.
- //
- if (IsListEmpty (&Private->Ikev1EstablishedList) &&
- (IsListEmpty (&Private->Ikev2EstablishedList))
- ) {
- Value = IPSEC_STATUS_DISABLED;
- Status = gRT->SetVariable (
- IPSECCONFIG_STATUS_NAME,
- &gEfiIpSecConfigProtocolGuid,
- EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_NON_VOLATILE,
- sizeof (Value),
- &Value
- );
- if (!EFI_ERROR (Status)) {
- //
- // Set the DisabledFlag in Private data.
- //
- Private->IpSec.DisabledFlag = TRUE;
- Private->IsIPsecDisabling = FALSE;
- }
- }
- }
- } else {
- IkeSaSession->SessionCommon.State = IkeStateSaDeleting;
- Context.InfoType = Ikev2InfoDelete;
- Context.MessageId = IkePacket->Header->MessageId;
-
- RespondPacket = Ikev2InfoGenerator ((UINT8 *)IkeSaSession, &Context);
- if (RespondPacket == NULL) {
- Status = EFI_INVALID_PARAMETER;
- return Status;
- }
- Status = Ikev2SendIkePacket (
- IkeSaSession->SessionCommon.UdpService,
- (UINT8 *)(&IkeSaSession->SessionCommon),
- RespondPacket,
- 0
- );
- }
- } else if (Delete->SpiSize == 4) {
- //
- // Move the Child SAs to DeleteList
- //
- SpiBuffer = (UINT8 *)(Delete + 1);
- for (Index = 0; Index < Delete->NumSpis; Index++) {
- Spi = ReadUnaligned32 ((UINT32 *)SpiBuffer);
- for (ListEntry = IkeSaSession->ChildSaEstablishSessionList.ForwardLink;
- ListEntry != &IkeSaSession->ChildSaEstablishSessionList;
- ) {
- ChildSaSession = IKEV2_CHILD_SA_SESSION_BY_IKE_SA (ListEntry);
- ListEntry = ListEntry->ForwardLink;
-
- if (ChildSaSession->RemotePeerSpi == HTONL(Spi)) {
- if (ChildSaSession->SessionCommon.State != IkeStateSaDeleting) {
-
- //
- // Insert the ChildSa Session into Delete List.
- //
- InsertTailList (&IkeSaSession->DeleteSaList, &ChildSaSession->ByDelete);
- ChildSaSession->SessionCommon.State = IkeStateSaDeleting;
- ChildSaSession->SessionCommon.IsInitiator = FALSE;
- ChildSaSession->MessageId = IkePacket->Header->MessageId;
-
- Context.InfoType = Ikev2InfoDelete;
- Context.MessageId = IkePacket->Header->MessageId;
-
- RespondPacket = Ikev2InfoGenerator ((UINT8 *)ChildSaSession, &Context);
- if (RespondPacket == NULL) {
- Status = EFI_INVALID_PARAMETER;
- return Status;
- }
- Status = Ikev2SendIkePacket (
- ChildSaSession->SessionCommon.UdpService,
- (UINT8 *)(&ChildSaSession->SessionCommon),
- RespondPacket,
- 0
- );
- } else {
- //
- // Delete the Child SA.
- //
- Ikev2ChildSaSilentDelete (IkeSaSession, Spi);
- RemoveEntryList (&ChildSaSession->ByDelete);
- }
- }
- }
- SpiBuffer = SpiBuffer + sizeof (Spi);
- }
- }
- }
- }
-
- return Status;
-}
-
-GLOBAL_REMOVE_IF_UNREFERENCED IKEV2_PACKET_HANDLER mIkev2Info = {
- Ikev2InfoParser,
- Ikev2InfoGenerator
-};
diff --git a/NetworkPkg/IpSecDxe/Ikev2/Payload.c b/NetworkPkg/IpSecDxe/Ikev2/Payload.c deleted file mode 100644 index 56869e2db4..0000000000 --- a/NetworkPkg/IpSecDxe/Ikev2/Payload.c +++ /dev/null @@ -1,3329 +0,0 @@ -/** @file
- The implementation of Payloads Creation.
-
- (C) Copyright 2015 Hewlett-Packard Development Company, L.P.<BR>
- Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>
-
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#include "Utility.h"
-#include "IpSecDebug.h"
-#include "IpSecConfigImpl.h"
-#include "IpSecCryptIo.h"
-
-//
-// The Constant String of "Key Pad for IKEv2" for Authentication Payload generation.
-//
-#define CONSTANT_KEY_SIZE 17
-GLOBAL_REMOVE_IF_UNREFERENCED CHAR8 mConstantKey[CONSTANT_KEY_SIZE] =
-{
- 'K', 'e', 'y', ' ', 'P', 'a', 'd', ' ', 'f', 'o', 'r', ' ', 'I', 'K', 'E', 'v', '2'
-};
-
-/**
- Generate Ikev2 SA payload according to SessionSaData
-
- @param[in] SessionSaData The data used in SA payload.
- @param[in] NextPayload The payload type presented in NextPayload field of
- SA Payload header.
- @param[in] Type The SA type. It MUST be neither (1) for IKE_SA or
- (2) for CHILD_SA or (3) for INFO.
-
- @retval a Pointer to SA IKE payload.
-
-**/
-IKE_PAYLOAD *
-Ikev2GenerateSaPayload (
- IN IKEV2_SA_DATA *SessionSaData,
- IN UINT8 NextPayload,
- IN IKE_SESSION_TYPE Type
- )
-{
- IKE_PAYLOAD *SaPayload;
- IKEV2_SA_DATA *SaData;
- UINTN SaDataSize;
-
- SaPayload = IkePayloadAlloc ();
- if (SaPayload == NULL) {
- return NULL;
- }
-
- //
- // TODO: Get the Proposal Number and Transform Number from IPsec Config,
- // after the Ipsecconfig Application is support it.
- //
-
- if (Type == IkeSessionTypeIkeSa) {
- SaDataSize = sizeof (IKEV2_SA_DATA) +
- SessionSaData->NumProposals * sizeof (IKEV2_PROPOSAL_DATA) +
- sizeof (IKEV2_TRANSFORM_DATA) * SessionSaData->NumProposals * 4;
- } else {
- SaDataSize = sizeof (IKEV2_SA_DATA) +
- SessionSaData->NumProposals * sizeof (IKEV2_PROPOSAL_DATA) +
- sizeof (IKEV2_TRANSFORM_DATA) * SessionSaData->NumProposals * 3;
-
- }
-
- SaData = AllocateZeroPool (SaDataSize);
- if (SaData == NULL) {
- IkePayloadFree (SaPayload);
- return NULL;
- }
-
- CopyMem (SaData, SessionSaData, SaDataSize);
- SaData->SaHeader.Header.NextPayload = NextPayload;
- SaPayload->PayloadType = IKEV2_PAYLOAD_TYPE_SA;
- SaPayload->PayloadBuf = (UINT8 *) SaData;
-
- return SaPayload;
-}
-
-/**
- Generate a Nonce payload containing the input parameter NonceBuf.
-
- @param[in] NonceBuf The nonce buffer contains the whole Nonce payload block
- except the payload header.
- @param[in] NonceSize The buffer size of the NonceBuf
- @param[in] NextPayload The payload type presented in the NextPayload field
- of Nonce Payload header.
-
- @retval Pointer to Nonce IKE paload.
-
-**/
-IKE_PAYLOAD *
-Ikev2GenerateNoncePayload (
- IN UINT8 *NonceBuf,
- IN UINTN NonceSize,
- IN UINT8 NextPayload
- )
-{
- IKE_PAYLOAD *NoncePayload;
- IKEV2_NONCE *Nonce;
- UINTN Size;
- UINT8 *NonceBlock;
-
- // 1 2 3
- // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- // ! Next Payload !C! RESERVED ! Payload Length !
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- // ! !
- // ~ Nonce Data ~
- // ! !
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- //
- Size = sizeof (IKEV2_NONCE) + NonceSize;
- NonceBlock = NonceBuf;
-
- Nonce = AllocateZeroPool (Size);
- if (Nonce == NULL) {
- return NULL;
- }
-
- CopyMem (Nonce + 1, NonceBlock, Size - sizeof (IKEV2_NONCE));
-
- Nonce->Header.NextPayload = NextPayload;
- Nonce->Header.PayloadLength = (UINT16) Size;
- NoncePayload = IkePayloadAlloc ();
- if (NoncePayload == NULL) {
- FreePool (Nonce);
- return NULL;
- }
-
- NoncePayload->PayloadType = IKEV2_PAYLOAD_TYPE_NONCE;
- NoncePayload->PayloadBuf = (UINT8 *) Nonce;
- NoncePayload->PayloadSize = Size;
-
- return NoncePayload;
-}
-
-/**
- Generate a Key Exchange payload according to the DH group type and save the
- public Key into IkeSaSession IkeKey field.
-
- @param[in, out] IkeSaSession Pointer of the IKE_SA_SESSION.
- @param[in] NextPayload The payload type presented in the NextPayload field of Key
- Exchange Payload header.
-
- @retval Pointer to Key IKE payload.
-
-**/
-IKE_PAYLOAD*
-Ikev2GenerateKePayload (
- IN OUT IKEV2_SA_SESSION *IkeSaSession,
- IN UINT8 NextPayload
- )
-{
- IKE_PAYLOAD *KePayload;
- IKEV2_KEY_EXCHANGE *Ke;
- UINTN KeSize;
- IKEV2_SESSION_KEYS *IkeKeys;
-
- //
- // 1 2 3
- // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- // ! Next Payload !C! RESERVED ! Payload Length !
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- // ! DH Group # ! RESERVED !
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- // ! !
- // ~ Key Exchange Data ~
- // ! !
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- //
- IkeKeys = IkeSaSession->IkeKeys;
-
- if (IkeSaSession->SessionCommon.IsInitiator) {
- KeSize = sizeof (IKEV2_KEY_EXCHANGE) + IkeKeys->DhBuffer->GxSize;
- } else {
- KeSize = sizeof (IKEV2_KEY_EXCHANGE) + IkeKeys->DhBuffer->GxSize;
- }
-
- //
- // Allocate buffer for Key Exchange
- //
- Ke = AllocateZeroPool (KeSize);
- if (Ke == NULL) {
- return NULL;
- }
-
- Ke->Header.NextPayload = NextPayload;
- Ke->Header.PayloadLength = (UINT16) KeSize;
- Ke->DhGroup = IkeSaSession->SessionCommon.PreferDhGroup;
-
- CopyMem (Ke + 1, IkeKeys->DhBuffer->GxBuffer, IkeKeys->DhBuffer->GxSize);
-
- //
- // Create IKE_PAYLOAD to point to Key Exchange payload
- //
- KePayload = IkePayloadAlloc ();
- if (KePayload == NULL) {
- FreePool (Ke);
- return NULL;
- }
-
- KePayload->PayloadType = IKEV2_PAYLOAD_TYPE_KE;
- KePayload->PayloadBuf = (UINT8 *) Ke;
- KePayload->PayloadSize = KeSize;
- return KePayload;
-}
-
-/**
- Generate a ID payload.
-
- @param[in] CommonSession Pointer to IKEV2_SESSION_COMMON related to ID payload.
- @param[in] NextPayload The payload type presented in the NextPayload field
- of ID Payload header.
-
- @retval Pointer to ID IKE payload.
-
-**/
-IKE_PAYLOAD *
-Ikev2GenerateIdPayload (
- IN IKEV2_SESSION_COMMON *CommonSession,
- IN UINT8 NextPayload
- )
-{
- IKE_PAYLOAD *IdPayload;
- IKEV2_ID *Id;
- UINTN IdSize;
- UINT8 IpVersion;
- UINT8 AddrSize;
-
- //
- // ID payload
- // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- // ! Next Payload ! RESERVED ! Payload Length !
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- // ! ID Type ! RESERVED !
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- // ! !
- // ~ Identification Data ~
- // ! !
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- //
-
- IpVersion = CommonSession->UdpService->IpVersion;
- AddrSize = (UINT8) ((IpVersion == IP_VERSION_4) ? sizeof(EFI_IPv4_ADDRESS) : sizeof(EFI_IPv6_ADDRESS));
- IdSize = sizeof (IKEV2_ID) + AddrSize;
-
- Id = (IKEV2_ID *) AllocateZeroPool (IdSize);
- if (Id == NULL) {
- return NULL;
- }
-
- IdPayload = IkePayloadAlloc ();
- if (IdPayload == NULL) {
- FreePool (Id);
- return NULL;
- }
-
- IdPayload->PayloadType = (UINT8) ((CommonSession->IsInitiator) ? IKEV2_PAYLOAD_TYPE_ID_INIT : IKEV2_PAYLOAD_TYPE_ID_RSP);
- IdPayload->PayloadBuf = (UINT8 *) Id;
- IdPayload->PayloadSize = IdSize;
-
- //
- // Set generic header of identification payload
- //
- Id->Header.NextPayload = NextPayload;
- Id->Header.PayloadLength = (UINT16) IdSize;
- Id->IdType = (UINT8) ((IpVersion == IP_VERSION_4) ? IKEV2_ID_TYPE_IPV4_ADDR : IKEV2_ID_TYPE_IPV6_ADDR);
- CopyMem (Id + 1, &CommonSession->LocalPeerIp, AddrSize);
-
- return IdPayload;
-}
-
-/**
- Generate a ID payload.
-
- @param[in] CommonSession Pointer to IKEV2_SESSION_COMMON related to ID payload.
- @param[in] NextPayload The payload type presented in the NextPayload field
- of ID Payload header.
- @param[in] InCert Pointer to the Certificate which distinguished name
- will be added into the Id payload.
- @param[in] CertSize Size of the Certificate.
-
- @retval Pointer to ID IKE payload.
-
-**/
-IKE_PAYLOAD *
-Ikev2GenerateCertIdPayload (
- IN IKEV2_SESSION_COMMON *CommonSession,
- IN UINT8 NextPayload,
- IN UINT8 *InCert,
- IN UINTN CertSize
- )
-{
- IKE_PAYLOAD *IdPayload;
- IKEV2_ID *Id;
- UINTN IdSize;
- UINTN SubjectSize;
- UINT8 *CertSubject;
-
- //
- // ID payload
- // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- // ! Next Payload ! RESERVED ! Payload Length !
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- // ! ID Type ! RESERVED !
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- // ! !
- // ~ Identification Data ~
- // ! !
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- //
-
- SubjectSize = 0;
- CertSubject = NULL;
- IpSecCryptoIoGetSubjectFromCert (
- InCert,
- CertSize,
- &CertSubject,
- &SubjectSize
- );
- if (SubjectSize != 0) {
- ASSERT (CertSubject != NULL);
- }
-
- IdSize = sizeof (IKEV2_ID) + SubjectSize;
-
- Id = (IKEV2_ID *) AllocateZeroPool (IdSize);
- if (Id == NULL) {
- return NULL;
- }
-
- IdPayload = IkePayloadAlloc ();
- if (IdPayload == NULL) {
- FreePool (Id);
- return NULL;
- }
-
- IdPayload->PayloadType = (UINT8) ((CommonSession->IsInitiator) ? IKEV2_PAYLOAD_TYPE_ID_INIT : IKEV2_PAYLOAD_TYPE_ID_RSP);
- IdPayload->PayloadBuf = (UINT8 *) Id;
- IdPayload->PayloadSize = IdSize;
-
- //
- // Set generic header of identification payload
- //
- Id->Header.NextPayload = NextPayload;
- Id->Header.PayloadLength = (UINT16) IdSize;
- Id->IdType = 9;
- CopyMem (Id + 1, CertSubject, SubjectSize);
-
- if (CertSubject != NULL) {
- FreePool (CertSubject);
- }
- return IdPayload;
-}
-
-/**
- Generate a Authentication Payload.
-
- This function is used for both Authentication generation and verification. When the
- IsVerify is TRUE, it create a Auth Data for verification. This function choose the
- related IKE_SA_INIT Message for Auth data creation according to the IKE Session's type
- and the value of IsVerify parameter.
-
- @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION related to.
- @param[in] IdPayload Pointer to the ID payload to be used for Authentication
- payload generation.
- @param[in] NextPayload The type filled into the Authentication Payload next
- payload field.
- @param[in] IsVerify If it is TURE, the Authentication payload is used for
- verification.
-
- @return pointer to IKE Authentication payload for Pre-shared key method.
-
-**/
-IKE_PAYLOAD *
-Ikev2PskGenerateAuthPayload (
- IN IKEV2_SA_SESSION *IkeSaSession,
- IN IKE_PAYLOAD *IdPayload,
- IN UINT8 NextPayload,
- IN BOOLEAN IsVerify
- )
-{
- UINT8 *Digest;
- UINTN DigestSize;
- PRF_DATA_FRAGMENT Fragments[3];
- UINT8 *KeyBuf;
- UINTN KeySize;
- IKE_PAYLOAD *AuthPayload;
- IKEV2_AUTH *PayloadBuf;
- EFI_STATUS Status;
-
- //
- // Auth = Prf(Prf(Secret,"Key Pad for IKEv2),IKE_SA_INIi/r|Ni/r|Prf(SK_Pr, IDi/r))
- //
- // 1 2 3
- // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- // ! Next Payload !C! RESERVED ! Payload Length !
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- // ! Auth Method ! RESERVED !
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- // ! !
- // ~ Authentication Data ~
- // ! !
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- //
-
- KeyBuf = NULL;
- AuthPayload = NULL;
- Digest = NULL;
-
- DigestSize = IpSecGetHmacDigestLength ((UINT8)IkeSaSession->SessionCommon.SaParams->Prf);
- Digest = AllocateZeroPool (DigestSize);
- if (Digest == NULL) {
- return NULL;
- }
-
- if (IdPayload == NULL) {
- return NULL;
- }
-
- //
- // Calcualte Prf(Seceret, "Key Pad for IKEv2");
- //
- Fragments[0].Data = (UINT8 *) mConstantKey;
- Fragments[0].DataSize = CONSTANT_KEY_SIZE;
-
- Status = IpSecCryptoIoHmac (
- (UINT8)IkeSaSession->SessionCommon.SaParams->Prf,
- IkeSaSession->Pad->Data->AuthData,
- IkeSaSession->Pad->Data->AuthDataSize,
- (HASH_DATA_FRAGMENT *)Fragments,
- 1,
- Digest,
- DigestSize
- );
- if (EFI_ERROR (Status)) {
- goto EXIT;
- }
-
- //
- // Store the AuthKey into KeyBuf
- //
- KeyBuf = AllocateZeroPool (DigestSize);
- if (KeyBuf == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto EXIT;
- }
-
- CopyMem (KeyBuf, Digest, DigestSize);
- KeySize = DigestSize;
-
- //
- // Calculate Prf(SK_Pi/r, IDi/r)
- //
- Fragments[0].Data = IdPayload->PayloadBuf + sizeof (IKEV2_COMMON_PAYLOAD_HEADER);
- Fragments[0].DataSize = IdPayload->PayloadSize - sizeof (IKEV2_COMMON_PAYLOAD_HEADER);
-
- if ((IkeSaSession->SessionCommon.IsInitiator && IsVerify) ||
- (!IkeSaSession->SessionCommon.IsInitiator && !IsVerify)
- ) {
- Status = IpSecCryptoIoHmac (
- (UINT8)IkeSaSession->SessionCommon.SaParams->Prf,
- IkeSaSession->IkeKeys->SkPrKey,
- IkeSaSession->IkeKeys->SkPrKeySize,
- (HASH_DATA_FRAGMENT *) Fragments,
- 1,
- Digest,
- DigestSize
- );
- } else {
- Status = IpSecCryptoIoHmac (
- (UINT8)IkeSaSession->SessionCommon.SaParams->Prf,
- IkeSaSession->IkeKeys->SkPiKey,
- IkeSaSession->IkeKeys->SkPiKeySize,
- (HASH_DATA_FRAGMENT *) Fragments,
- 1,
- Digest,
- DigestSize
- );
- }
- if (EFI_ERROR (Status)) {
- goto EXIT;
- }
-
- //
- // Copy data to Fragments.
- //
- if ((IkeSaSession->SessionCommon.IsInitiator && IsVerify) ||
- (!IkeSaSession->SessionCommon.IsInitiator && !IsVerify)
- ) {
- Fragments[0].Data = IkeSaSession->RespPacket;
- Fragments[0].DataSize = IkeSaSession->RespPacketSize;
- Fragments[1].Data = IkeSaSession->NiBlock;
- Fragments[1].DataSize = IkeSaSession->NiBlkSize;
- } else {
- Fragments[0].Data = IkeSaSession->InitPacket;
- Fragments[0].DataSize = IkeSaSession->InitPacketSize;
- Fragments[1].Data = IkeSaSession->NrBlock;
- Fragments[1].DataSize = IkeSaSession->NrBlkSize;
- }
-
- //
- // Copy the result of Prf(SK_Pr, IDi/r) to Fragments[2].
- //
- Fragments[2].Data = AllocateZeroPool (DigestSize);
- if (Fragments[2].Data == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto EXIT;
- }
-
- Fragments[2].DataSize = DigestSize;
- CopyMem (Fragments[2].Data, Digest, DigestSize);
-
- //
- // Calculate Prf(Key,IKE_SA_INIi/r|Ni/r|Prf(SK_Pr, IDi/r))
- //
- Status = IpSecCryptoIoHmac (
- (UINT8)IkeSaSession->SessionCommon.SaParams->Prf,
- KeyBuf,
- KeySize,
- (HASH_DATA_FRAGMENT *) Fragments,
- 3,
- Digest,
- DigestSize
- );
- if (EFI_ERROR (Status)) {
- goto EXIT;
- }
-
- //
- // Allocate buffer for Auth Payload
- //
- AuthPayload = IkePayloadAlloc ();
- if (AuthPayload == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto EXIT;
- }
-
- AuthPayload->PayloadSize = sizeof (IKEV2_AUTH) + DigestSize;
- PayloadBuf = (IKEV2_AUTH *) AllocateZeroPool (AuthPayload->PayloadSize);
- if (PayloadBuf == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto EXIT;
- }
-
- //
- // Fill in Auth payload.
- //
- PayloadBuf->Header.NextPayload = NextPayload;
- PayloadBuf->Header.PayloadLength = (UINT16) (AuthPayload->PayloadSize);
- if (IkeSaSession->Pad->Data->AuthMethod == EfiIPsecAuthMethodPreSharedSecret) {
- //
- // Only support Shared Key Message Integrity
- //
- PayloadBuf->AuthMethod = IKEV2_AUTH_METHOD_SKMI;
- } else {
- //
- // Not support other Auth method.
- //
- Status = EFI_UNSUPPORTED;
- goto EXIT;
- }
-
- //
- // Copy the result of Prf(Key,IKE_SA_INIi/r|Ni/r|Prf(SK_Pr, IDi/r)) to Auth
- // payload block.
- //
- CopyMem (
- PayloadBuf + 1,
- Digest,
- DigestSize
- );
-
- //
- // Fill in IKE_PACKET
- //
- AuthPayload->PayloadBuf = (UINT8 *) PayloadBuf;
- AuthPayload->PayloadType = IKEV2_PAYLOAD_TYPE_AUTH;
-
-EXIT:
- if (KeyBuf != NULL) {
- FreePool (KeyBuf);
- }
- if (Digest != NULL) {
- FreePool (Digest);
- }
- if (Fragments[2].Data != NULL) {
- //
- // Free the buffer which contains the result of Prf(SK_Pr, IDi/r)
- //
- FreePool (Fragments[2].Data);
- }
-
- if (EFI_ERROR (Status)) {
- if (AuthPayload != NULL) {
- IkePayloadFree (AuthPayload);
- }
- return NULL;
- } else {
- return AuthPayload;
- }
-}
-
-/**
- Generate a Authentication Payload for Certificate Auth method.
-
- This function has two functions. One is creating a local Authentication
- Payload for sending and other is creating the remote Authentication data
- for verification when the IsVerify is TURE.
-
- @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION related to.
- @param[in] IdPayload Pointer to the ID payload to be used for Authentication
- payload generation.
- @param[in] NextPayload The type filled into the Authentication Payload
- next payload field.
- @param[in] IsVerify If it is TURE, the Authentication payload is used
- for verification.
- @param[in] UefiPrivateKey Pointer to the UEFI private key. Ignore it when
- verify the authenticate payload.
- @param[in] UefiPrivateKeyLen The size of UefiPrivateKey in bytes. Ignore it
- when verify the authenticate payload.
- @param[in] UefiKeyPwd Pointer to the password of UEFI private key.
- Ignore it when verify the authenticate payload.
- @param[in] UefiKeyPwdLen The size of UefiKeyPwd in bytes.Ignore it when
- verify the authenticate payload.
-
- @return pointer to IKE Authentication payload for Cerifitcation method.
-
-**/
-IKE_PAYLOAD *
-Ikev2CertGenerateAuthPayload (
- IN IKEV2_SA_SESSION *IkeSaSession,
- IN IKE_PAYLOAD *IdPayload,
- IN UINT8 NextPayload,
- IN BOOLEAN IsVerify,
- IN UINT8 *UefiPrivateKey,
- IN UINTN UefiPrivateKeyLen,
- IN UINT8 *UefiKeyPwd,
- IN UINTN UefiKeyPwdLen
- )
-{
- UINT8 *Digest;
- UINTN DigestSize;
- PRF_DATA_FRAGMENT Fragments[3];
- IKE_PAYLOAD *AuthPayload;
- IKEV2_AUTH *PayloadBuf;
- EFI_STATUS Status;
- UINT8 *Signature;
- UINTN SigSize;
-
- //
- // Auth = Prf(Scert,IKE_SA_INIi/r|Ni/r|Prf(SK_Pr, IDi/r))
- //
- // 1 2 3
- // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- // ! Next Payload !C! RESERVED ! Payload Length !
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- // ! Auth Method ! RESERVED !
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- // ! !
- // ~ Authentication Data ~
- // ! !
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- //
- //
- // Initial point
- //
- AuthPayload = NULL;
- Digest = NULL;
- Signature = NULL;
- SigSize = 0;
-
- if (IdPayload == NULL) {
- return NULL;
- }
- DigestSize = IpSecGetHmacDigestLength ((UINT8)IkeSaSession->SessionCommon.SaParams->Prf);
- Digest = AllocateZeroPool (DigestSize);
- if (Digest == NULL) {
- return NULL;
- }
-
- //
- // Calculate Prf(SK_Pi/r, IDi/r)
- //
- Fragments[0].Data = IdPayload->PayloadBuf + sizeof (IKEV2_COMMON_PAYLOAD_HEADER);
- Fragments[0].DataSize = IdPayload->PayloadSize - sizeof (IKEV2_COMMON_PAYLOAD_HEADER);
-
- IpSecDumpBuf ("RestofIDPayload", Fragments[0].Data, Fragments[0].DataSize);
-
- if ((IkeSaSession->SessionCommon.IsInitiator && IsVerify) ||
- (!IkeSaSession->SessionCommon.IsInitiator && !IsVerify)
- ) {
- Status = IpSecCryptoIoHmac(
- (UINT8)IkeSaSession->SessionCommon.SaParams->Prf,
- IkeSaSession->IkeKeys->SkPrKey,
- IkeSaSession->IkeKeys->SkPrKeySize,
- (HASH_DATA_FRAGMENT *) Fragments,
- 1,
- Digest,
- DigestSize
- );
- IpSecDumpBuf ("MACedIDForR", Digest, DigestSize);
- } else {
- Status = IpSecCryptoIoHmac (
- (UINT8)IkeSaSession->SessionCommon.SaParams->Prf,
- IkeSaSession->IkeKeys->SkPiKey,
- IkeSaSession->IkeKeys->SkPiKeySize,
- (HASH_DATA_FRAGMENT *) Fragments,
- 1,
- Digest,
- DigestSize
- );
- IpSecDumpBuf ("MACedIDForI", Digest, DigestSize);
- }
- if (EFI_ERROR (Status)) {
- goto EXIT;
- }
-
- //
- // Copy data to Fragments.
- //
- if ((IkeSaSession->SessionCommon.IsInitiator && IsVerify) ||
- (!IkeSaSession->SessionCommon.IsInitiator && !IsVerify)
- ) {
- Fragments[0].Data = IkeSaSession->RespPacket;
- Fragments[0].DataSize = IkeSaSession->RespPacketSize;
- Fragments[1].Data = IkeSaSession->NiBlock;
- Fragments[1].DataSize = IkeSaSession->NiBlkSize;
- IpSecDumpBuf ("RealMessage2", Fragments[0].Data, Fragments[0].DataSize);
- IpSecDumpBuf ("NonceIDdata", Fragments[1].Data, Fragments[1].DataSize);
- } else {
- Fragments[0].Data = IkeSaSession->InitPacket;
- Fragments[0].DataSize = IkeSaSession->InitPacketSize;
- Fragments[1].Data = IkeSaSession->NrBlock;
- Fragments[1].DataSize = IkeSaSession->NrBlkSize;
- IpSecDumpBuf ("RealMessage1", Fragments[0].Data, Fragments[0].DataSize);
- IpSecDumpBuf ("NonceRDdata", Fragments[1].Data, Fragments[1].DataSize);
- }
-
- //
- // Copy the result of Prf(SK_Pr, IDi/r) to Fragments[2].
- //
- Fragments[2].Data = AllocateZeroPool (DigestSize);
- if (Fragments[2].Data == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto EXIT;
- }
-
- Fragments[2].DataSize = DigestSize;
- CopyMem (Fragments[2].Data, Digest, DigestSize);
-
- //
- // Calculate Prf(Key,IKE_SA_INIi/r|Ni/r|Prf(SK_Pr, IDi/r))
- //
- Status = IpSecCryptoIoHash (
- (UINT8)IkeSaSession->SessionCommon.SaParams->Prf,
- (HASH_DATA_FRAGMENT *) Fragments,
- 3,
- Digest,
- DigestSize
- );
- if (EFI_ERROR (Status)) {
- goto EXIT;
- }
-
- IpSecDumpBuf ("HashSignedOctects", Digest, DigestSize);
- //
- // Sign the data by the private Key
- //
- if (!IsVerify) {
- IpSecCryptoIoAuthDataWithCertificate (
- Digest,
- DigestSize,
- UefiPrivateKey,
- UefiPrivateKeyLen,
- UefiKeyPwd,
- UefiKeyPwdLen,
- &Signature,
- &SigSize
- );
-
- if (SigSize == 0 || Signature == NULL) {
- goto EXIT;
- }
- }
-
- //
- // Allocate buffer for Auth Payload
- //
- AuthPayload = IkePayloadAlloc ();
- if (AuthPayload == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto EXIT;
- }
-
- if (!IsVerify) {
- AuthPayload->PayloadSize = sizeof (IKEV2_AUTH) + SigSize;
- } else {
- AuthPayload->PayloadSize = sizeof (IKEV2_AUTH) + DigestSize;
- }
-
- PayloadBuf = (IKEV2_AUTH *) AllocateZeroPool (AuthPayload->PayloadSize);
- if (PayloadBuf == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto EXIT;
- }
-
- //
- // Fill in Auth payload.
- //
- PayloadBuf->Header.NextPayload = NextPayload;
- PayloadBuf->Header.PayloadLength = (UINT16) (AuthPayload->PayloadSize);
- if (IkeSaSession->Pad->Data->AuthMethod == EfiIPsecAuthMethodCertificates) {
- PayloadBuf->AuthMethod = IKEV2_AUTH_METHOD_RSA;
- } else {
- Status = EFI_INVALID_PARAMETER;
- goto EXIT;
- }
-
- //
- // Copy the result of Prf(Key,IKE_SA_INIi/r|Ni/r|Prf(SK_Pr, IDi/r)) to Auth
- // payload block.
- //
- if (!IsVerify) {
- CopyMem (PayloadBuf + 1, Signature, SigSize);
- } else {
- CopyMem (PayloadBuf + 1, Digest, DigestSize);
- }
-
- //
- // Fill in IKE_PACKET
- //
- AuthPayload->PayloadBuf = (UINT8 *) PayloadBuf;
- AuthPayload->PayloadType = IKEV2_PAYLOAD_TYPE_AUTH;
-
-EXIT:
- if (Digest != NULL) {
- FreePool (Digest);
- }
- if (Signature != NULL) {
- FreePool (Signature);
- }
- if (Fragments[2].Data != NULL) {
- //
- // Free the buffer which contains the result of Prf(SK_Pr, IDi/r)
- //
- FreePool (Fragments[2].Data);
- }
-
- if (EFI_ERROR (Status)) {
- if (AuthPayload != NULL) {
- IkePayloadFree (AuthPayload);
- }
- return NULL;
- } else {
- return AuthPayload;
- }
-}
-
-/**
- Generate TS payload.
-
- This function generates TSi or TSr payload according to type of next payload.
- If the next payload is Responder TS, gereate TSi Payload. Otherwise, generate
- TSr payload.
-
- @param[in] ChildSa Pointer to IKEV2_CHILD_SA_SESSION related to this TS payload.
- @param[in] NextPayload The payload type presented in the NextPayload field
- of ID Payload header.
- @param[in] IsTunnel It indicates that if the Ts Payload is after the CP payload.
- If yes, it means the Tsi and Tsr payload should be with
- Max port range and address range and protocol is marked
- as zero.
-
- @retval Pointer to Ts IKE payload.
-
-**/
-IKE_PAYLOAD *
-Ikev2GenerateTsPayload (
- IN IKEV2_CHILD_SA_SESSION *ChildSa,
- IN UINT8 NextPayload,
- IN BOOLEAN IsTunnel
- )
-{
- IKE_PAYLOAD *TsPayload;
- IKEV2_TS *TsPayloadBuf;
- TRAFFIC_SELECTOR *TsSelector;
- UINTN SelectorSize;
- UINTN TsPayloadSize;
- UINT8 IpVersion;
- UINT8 AddrSize;
-
- //
- // 1 2 3
- // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- // ! Next Payload !C! RESERVED ! Payload Length !
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- // ! Number of TSs ! RESERVED !
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- // ! !
- // ~ <Traffic Selectors> ~
- // ! !
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- //
-
- TsPayload = IkePayloadAlloc();
- if (TsPayload == NULL) {
- return NULL;
- }
-
- IpVersion = ChildSa->SessionCommon.UdpService->IpVersion;
- //
- // The Starting Address and Ending Address is variable length depends on
- // is IPv4 or IPv6
- //
- AddrSize = (UINT8)((IpVersion == IP_VERSION_4) ? sizeof (EFI_IPv4_ADDRESS) : sizeof (EFI_IPv6_ADDRESS));
- SelectorSize = sizeof (TRAFFIC_SELECTOR) + 2 * AddrSize;
- TsPayloadSize = sizeof (IKEV2_TS) + SelectorSize;
- TsPayloadBuf = AllocateZeroPool (TsPayloadSize);
- if (TsPayloadBuf == NULL) {
- goto ON_ERROR;
- }
-
- TsPayload->PayloadBuf = (UINT8 *) TsPayloadBuf;
- TsSelector = (TRAFFIC_SELECTOR*)(TsPayloadBuf + 1);
-
- TsSelector->TSType = (UINT8)((IpVersion == IP_VERSION_4) ? IKEV2_TS_TYPE_IPV4_ADDR_RANGE : IKEV2_TS_TYPS_IPV6_ADDR_RANGE);
-
- //
- // For tunnel mode
- //
- if (IsTunnel) {
- TsSelector->IpProtocolId = IKEV2_TS_ANY_PROTOCOL;
- TsSelector->SelecorLen = (UINT16) SelectorSize;
- TsSelector->StartPort = 0;
- TsSelector->EndPort = IKEV2_TS_ANY_PORT;
- ZeroMem ((UINT8*)TsSelector + sizeof(TRAFFIC_SELECTOR), AddrSize);
- SetMem ((UINT8*)TsSelector + sizeof(TRAFFIC_SELECTOR) + AddrSize, AddrSize, 0xff);
-
- } else {
- //
- // TODO: Support port range and address range
- //
- if (NextPayload == IKEV2_PAYLOAD_TYPE_TS_RSP){
- //
- // Create initiator Traffic Selector
- //
- TsSelector->SelecorLen = (UINT16)SelectorSize;
-
- //
- // Currently only support the port range from 0~0xffff. Don't support other
- // port range.
- // TODO: support Port range
- //
- if (ChildSa->SessionCommon.IsInitiator) {
- if (ChildSa->Spd->Selector->LocalPort != 0 &&
- ChildSa->Spd->Selector->LocalPortRange == 0) {
- //
- // For not port range.
- //
- TsSelector->StartPort = ChildSa->Spd->Selector->LocalPort;
- TsSelector->EndPort = ChildSa->Spd->Selector->LocalPort;
- } else if (ChildSa->Spd->Selector->LocalPort == 0){
- //
- // For port from 0~0xffff
- //
- TsSelector->StartPort = 0;
- TsSelector->EndPort = IKEV2_TS_ANY_PORT;
- } else {
- //
- // Not support now.
- //
- goto ON_ERROR;
- }
- } else {
- if (ChildSa->Spd->Selector->RemotePort != 0 &&
- ChildSa->Spd->Selector->RemotePortRange == 0) {
- //
- // For not port range.
- //
- TsSelector->StartPort = ChildSa->Spd->Selector->RemotePort;
- TsSelector->EndPort = ChildSa->Spd->Selector->RemotePort;
- } else if (ChildSa->Spd->Selector->RemotePort == 0) {
- //
- // For port from 0~0xffff
- //
- TsSelector->StartPort = 0;
- TsSelector->EndPort = IKEV2_TS_ANY_PORT;
- } else {
- //
- // Not support now.
- //
- goto ON_ERROR;
- }
- }
- //
- // Copy Address.Currently the address range is not supported.
- // The Starting address is same as Ending address
- // TODO: Support Address Range.
- //
- CopyMem (
- (UINT8*)TsSelector + sizeof(TRAFFIC_SELECTOR),
- ChildSa->SessionCommon.IsInitiator ?
- ChildSa->Spd->Selector->LocalAddress :
- ChildSa->Spd->Selector->RemoteAddress,
- AddrSize
- );
- CopyMem (
- (UINT8*)TsSelector + sizeof(TRAFFIC_SELECTOR) + AddrSize,
- ChildSa->SessionCommon.IsInitiator ?
- ChildSa->Spd->Selector->LocalAddress :
- ChildSa->Spd->Selector->RemoteAddress,
- AddrSize
- );
- //
- // If the Next Payload is not TS responder, this TS payload type is the TS responder.
- //
- TsPayload->PayloadType = IKEV2_PAYLOAD_TYPE_TS_INIT;
- }else{
- //
- // Create responder Traffic Selector
- //
- TsSelector->SelecorLen = (UINT16)SelectorSize;
-
- //
- // Currently only support the port range from 0~0xffff. Don't support other
- // port range.
- // TODO: support Port range
- //
- if (!ChildSa->SessionCommon.IsInitiator) {
- if (ChildSa->Spd->Selector->LocalPort != 0 &&
- ChildSa->Spd->Selector->LocalPortRange == 0) {
- //
- // For not port range.
- //
- TsSelector->StartPort = ChildSa->Spd->Selector->LocalPort;
- TsSelector->EndPort = ChildSa->Spd->Selector->LocalPort;
- } else if (ChildSa->Spd->Selector->LocalPort == 0){
- //
- // For port from 0~0xffff
- //
- TsSelector->StartPort = 0;
- TsSelector->EndPort = IKEV2_TS_ANY_PORT;
- } else {
- //
- // Not support now.
- //
- goto ON_ERROR;
- }
- } else {
- if (ChildSa->Spd->Selector->RemotePort != 0 &&
- ChildSa->Spd->Selector->RemotePortRange == 0) {
- //
- // For not port range.
- //
- TsSelector->StartPort = ChildSa->Spd->Selector->RemotePort;
- TsSelector->EndPort = ChildSa->Spd->Selector->RemotePort;
- } else if (ChildSa->Spd->Selector->RemotePort == 0){
- //
- // For port from 0~0xffff
- //
- TsSelector->StartPort = 0;
- TsSelector->EndPort = IKEV2_TS_ANY_PORT;
- } else {
- //
- // Not support now.
- //
- goto ON_ERROR;
- }
- }
- //
- // Copy Address.Currently the address range is not supported.
- // The Starting address is same as Ending address
- // TODO: Support Address Range.
- //
- CopyMem (
- (UINT8*)TsSelector + sizeof(TRAFFIC_SELECTOR),
- ChildSa->SessionCommon.IsInitiator ?
- ChildSa->Spd->Selector->RemoteAddress :
- ChildSa->Spd->Selector->LocalAddress,
- AddrSize
- );
- CopyMem (
- (UINT8*)TsSelector + sizeof(TRAFFIC_SELECTOR) + AddrSize,
- ChildSa->SessionCommon.IsInitiator ?
- ChildSa->Spd->Selector->RemoteAddress :
- ChildSa->Spd->Selector->LocalAddress,
- AddrSize
- );
- //
- // If the Next Payload is not TS responder, this TS payload type is the TS responder.
- //
- TsPayload->PayloadType = IKEV2_PAYLOAD_TYPE_TS_RSP;
- }
- }
-
- if (ChildSa->Spd->Selector->NextLayerProtocol != 0xffff) {
- TsSelector->IpProtocolId = (UINT8)ChildSa->Spd->Selector->NextLayerProtocol;
- } else {
- TsSelector->IpProtocolId = IKEV2_TS_ANY_PROTOCOL;
- }
-
- TsPayloadBuf->Header.NextPayload = NextPayload;
- TsPayloadBuf->Header.PayloadLength = (UINT16)TsPayloadSize;
- TsPayloadBuf->TSNumbers = 1;
- TsPayload->PayloadSize = TsPayloadSize;
- goto ON_EXIT;
-
-ON_ERROR:
- if (TsPayload != NULL) {
- IkePayloadFree (TsPayload);
- TsPayload = NULL;
- }
-ON_EXIT:
- return TsPayload;
-}
-
-/**
- Generate the Notify payload.
-
- Since the structure of Notify payload which defined in RFC 4306 is simple, so
- there is no internal data structure for Notify payload. This function generate
- Notify payload defined in RFC 4306, but all the fields in this payload are still
- in host order and need call Ikev2EncodePayload() to convert those fields from
- the host order to network order beforing sending it.
-
- @param[in] ProtocolId The protocol type ID. For IKE_SA it MUST be one (1).
- For IPsec SAs it MUST be neither (2) for AH or (3)
- for ESP.
- @param[in] NextPayload The next paylaod type in NextPayload field of
- the Notify payload.
- @param[in] SpiSize Size of the SPI in SPI size field of the Notify Payload.
- @param[in] MessageType The message type in NotifyMessageType field of the
- Notify Payload.
- @param[in] SpiBuf Pointer to buffer contains the SPI value.
- @param[in] NotifyData Pointer to buffer contains the notification data.
- @param[in] NotifyDataSize The size of NotifyData in bytes.
-
-
- @retval Pointer to IKE Notify Payload.
-
-**/
-IKE_PAYLOAD *
-Ikev2GenerateNotifyPayload (
- IN UINT8 ProtocolId,
- IN UINT8 NextPayload,
- IN UINT8 SpiSize,
- IN UINT16 MessageType,
- IN UINT8 *SpiBuf,
- IN UINT8 *NotifyData,
- IN UINTN NotifyDataSize
- )
-{
- IKE_PAYLOAD *NotifyPayload;
- IKEV2_NOTIFY *Notify;
- UINT16 NotifyPayloadLen;
- UINT8 *MessageData;
-
- // 1 2 3
- // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- // ! Next Payload !C! RESERVED ! Payload Length !
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- // ! Protocol ID ! SPI Size ! Notify Message Type !
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- // ! !
- // ~ Security Parameter Index (SPI) ~
- // ! !
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- // ! !
- // ~ Notification Data ~
- // ! !
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- //
- //
- NotifyPayloadLen = (UINT16) (sizeof (IKEV2_NOTIFY) + NotifyDataSize + SpiSize);
- Notify = (IKEV2_NOTIFY *) AllocateZeroPool (NotifyPayloadLen);
- if (Notify == NULL) {
- return NULL;
- }
-
- //
- // Set Delete Payload's Generic Header
- //
- Notify->Header.NextPayload = NextPayload;
- Notify->Header.PayloadLength = NotifyPayloadLen;
- Notify->SpiSize = SpiSize;
- Notify->ProtocolId = ProtocolId;
- Notify->MessageType = MessageType;
-
- //
- // Copy Spi , for Cookie Notify, there is no SPI.
- //
- if (SpiBuf != NULL && SpiSize != 0 ) {
- CopyMem (Notify + 1, SpiBuf, SpiSize);
- }
-
- MessageData = ((UINT8 *) (Notify + 1)) + SpiSize;
-
- //
- // Copy Notification Data
- //
- if (NotifyDataSize != 0) {
- CopyMem (MessageData, NotifyData, NotifyDataSize);
- }
-
- //
- // Create Payload for and set type as IKEV2_PAYLOAD_TYPE_NOTIFY
- //
- NotifyPayload = IkePayloadAlloc ();
- if (NotifyPayload == NULL) {
- FreePool (Notify);
- return NULL;
- }
-
- NotifyPayload->PayloadType = IKEV2_PAYLOAD_TYPE_NOTIFY;
- NotifyPayload->PayloadBuf = (UINT8 *) Notify;
- NotifyPayload->PayloadSize = NotifyPayloadLen;
- return NotifyPayload;
-}
-
-/**
- Generate the Delete payload.
-
- Since the structure of Delete payload which defined in RFC 4306 is simple,
- there is no internal data structure for Delete payload. This function generate
- Delete payload defined in RFC 4306, but all the fields in this payload are still
- in host order and need call Ikev2EncodePayload() to convert those fields from
- the host order to network order beforing sending it.
-
- @param[in] IkeSaSession Pointer to IKE SA Session to be used of Delete payload generation.
- @param[in] NextPayload The next paylaod type in NextPayload field of
- the Delete payload.
- @param[in] SpiSize Size of the SPI in SPI size field of the Delete Payload.
- @param[in] SpiNum Number of SPI in NumofSPIs field of the Delete Payload.
- @param[in] SpiBuf Pointer to buffer contains the SPI value.
-
- @retval a Pointer of IKE Delete Payload.
-
-**/
-IKE_PAYLOAD *
-Ikev2GenerateDeletePayload (
- IN IKEV2_SA_SESSION *IkeSaSession,
- IN UINT8 NextPayload,
- IN UINT8 SpiSize,
- IN UINT16 SpiNum,
- IN UINT8 *SpiBuf
-
- )
-{
- IKE_PAYLOAD *DelPayload;
- IKEV2_DELETE *Del;
- UINT16 SpiBufSize;
- UINT16 DelPayloadLen;
-
- // 1 2 3
- // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- // ! Next Payload !C! RESERVED ! Payload Length !
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- // ! Protocol ID ! SPI Size ! # of SPIs !
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- // ! !
- // ~ Security Parameter Index(es) (SPI) ~
- // ! !
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- //
- SpiBufSize = (UINT16) (SpiSize * SpiNum);
- if (SpiBufSize != 0 && SpiBuf == NULL) {
- return NULL;
- }
-
- DelPayloadLen = (UINT16) (sizeof (IKEV2_DELETE) + SpiBufSize);
-
- Del = AllocateZeroPool (DelPayloadLen);
- if (Del == NULL) {
- return NULL;
- }
-
- //
- // Set Delete Payload's Generic Header
- //
- Del->Header.NextPayload = NextPayload;
- Del->Header.PayloadLength = DelPayloadLen;
- Del->NumSpis = SpiNum;
- Del->SpiSize = SpiSize;
-
- if (SpiSize == 4) {
- //
- // TODO: should consider the AH if needs to support.
- //
- Del->ProtocolId = IPSEC_PROTO_IPSEC_ESP;
- } else {
- Del->ProtocolId = IPSEC_PROTO_ISAKMP;
- }
-
- //
- // Set Del Payload's Idntification Data
- //
- CopyMem (Del + 1, SpiBuf, SpiBufSize);
- DelPayload = IkePayloadAlloc ();
- if (DelPayload == NULL) {
- FreePool (Del);
- return NULL;
- }
-
- DelPayload->PayloadType = IKEV2_PAYLOAD_TYPE_DELETE;
- DelPayload->PayloadBuf = (UINT8 *) Del;
- DelPayload->PayloadSize = DelPayloadLen;
- return DelPayload;
-}
-
-/**
- Generate the Configuration payload.
-
- This function generate configuration payload defined in RFC 4306, but all the
- fields in this payload are still in host order and need call Ikev2EncodePayload()
- to convert those fields from the host order to network order beforing sending it.
-
- @param[in] IkeSaSession Pointer to IKE SA Session to be used for Delete payload
- generation.
- @param[in] NextPayload The next paylaod type in NextPayload field of
- the Delete payload.
- @param[in] CfgType The attribute type in the Configuration attribute.
-
- @retval Pointer to IKE CP Payload.
-
-**/
-IKE_PAYLOAD *
-Ikev2GenerateCpPayload (
- IN IKEV2_SA_SESSION *IkeSaSession,
- IN UINT8 NextPayload,
- IN UINT8 CfgType
- )
-{
- IKE_PAYLOAD *CpPayload;
- IKEV2_CFG *Cfg;
- UINT16 PayloadLen;
- IKEV2_CFG_ATTRIBUTES *CfgAttributes;
-
- //
- // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- // ! Next Payload !C! RESERVED ! Payload Length !
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- // ! CFG Type ! RESERVED !
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- // ! !
- // ~ Configuration Attributes ~
- // ! !
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- //
-
- PayloadLen = (UINT16) (sizeof (IKEV2_CFG) + sizeof (IKEV2_CFG_ATTRIBUTES));
- Cfg = (IKEV2_CFG *) AllocateZeroPool (PayloadLen);
-
- if (Cfg == NULL) {
- return NULL;
- }
-
- CfgAttributes = (IKEV2_CFG_ATTRIBUTES *)((UINT8 *)Cfg + sizeof (IKEV2_CFG));
-
- //
- // Only generate the configuration payload with an empty INTERNAL_IP4_ADDRESS
- // or INTERNAL_IP6_ADDRESS.
- //
-
- Cfg->Header.NextPayload = NextPayload;
- Cfg->Header.PayloadLength = PayloadLen;
- Cfg->CfgType = IKEV2_CFG_TYPE_REQUEST;
-
- CfgAttributes->AttritType = CfgType;
- CfgAttributes->ValueLength = 0;
-
- CpPayload = IkePayloadAlloc ();
- if (CpPayload == NULL) {
- if (Cfg != NULL) {
- FreePool (Cfg);
- }
- return NULL;
- }
-
- CpPayload->PayloadType = IKEV2_PAYLOAD_TYPE_CP;
- CpPayload->PayloadBuf = (UINT8 *) Cfg;
- CpPayload->PayloadSize = PayloadLen;
- return CpPayload;
-}
-
-/**
- Parser the Notify Cookie payload.
-
- This function parses the Notify Cookie payload.If the Notify ProtocolId is not
- IPSEC_PROTO_ISAKMP or if the SpiSize is not zero or if the MessageType is not
- the COOKIE, return EFI_INVALID_PARAMETER.
-
- @param[in] IkeNCookie Pointer to the IKE_PAYLOAD which contians the
- Notify Cookie payload.
- the Notify payload.
- @param[in, out] IkeSaSession Pointer to the relevant IKE SA Session.
-
- @retval EFI_SUCCESS The Notify Cookie Payload is valid.
- @retval EFI_INVALID_PARAMETER The Notify Cookie Payload is invalid.
- @retval EFI_OUT_OF_RESOURCE The required resource can't be allocated.
-
-**/
-EFI_STATUS
-Ikev2ParserNotifyCookiePayload (
- IN IKE_PAYLOAD *IkeNCookie,
- IN OUT IKEV2_SA_SESSION *IkeSaSession
- )
-{
- IKEV2_NOTIFY *NotifyPayload;
- UINTN NotifyDataSize;
-
- NotifyPayload = (IKEV2_NOTIFY *)IkeNCookie->PayloadBuf;
-
- if ((NotifyPayload->ProtocolId != IPSEC_PROTO_ISAKMP) ||
- (NotifyPayload->SpiSize != 0) ||
- (NotifyPayload->MessageType != IKEV2_NOTIFICATION_COOKIE)
- ) {
- return EFI_INVALID_PARAMETER;
- }
-
- NotifyDataSize = NotifyPayload->Header.PayloadLength - sizeof (IKEV2_NOTIFY);
- IkeSaSession->NCookie = AllocateZeroPool (NotifyDataSize);
- if (IkeSaSession->NCookie == NULL) {
- return EFI_OUT_OF_RESOURCES;
- }
-
- IkeSaSession->NCookieSize = NotifyDataSize;
-
- CopyMem (
- IkeSaSession->NCookie,
- (UINT8 *)NotifyPayload + sizeof (IKEV2_NOTIFY),
- NotifyDataSize
- );
-
- return EFI_SUCCESS;
-}
-
-
-/**
- Generate the Certificate payload or Certificate Request Payload.
-
- Since the Certificate Payload structure is same with Certificate Request Payload,
- the only difference is that one contains the Certificate Data, other contains
- the acceptable certificateion CA. This function generate Certificate payload
- or Certificate Request Payload defined in RFC 4306, but all the fields
- in the payload are still in host order and need call Ikev2EncodePayload()
- to convert those fields from the host order to network order beforing sending it.
-
- @param[in] IkeSaSession Pointer to IKE SA Session to be used of Delete payload
- generation.
- @param[in] NextPayload The next paylaod type in NextPayload field of
- the Delete payload.
- @param[in] Certificate Pointer of buffer contains the certification data.
- @param[in] CertificateLen The length of Certificate in byte.
- @param[in] EncodeType Specified the Certificate Encodeing which is defined
- in RFC 4306.
- @param[in] IsRequest To indicate create Certificate Payload or Certificate
- Request Payload. If it is TURE, create Certificate
- Request Payload. Otherwise, create Certificate Payload.
-
- @retval a Pointer to IKE Payload whose payload buffer containing the Certificate
- payload or Certificated Request payload.
-
-**/
-IKE_PAYLOAD *
-Ikev2GenerateCertificatePayload (
- IN IKEV2_SA_SESSION *IkeSaSession,
- IN UINT8 NextPayload,
- IN UINT8 *Certificate,
- IN UINTN CertificateLen,
- IN UINT8 EncodeType,
- IN BOOLEAN IsRequest
- )
-{
- IKE_PAYLOAD *CertPayload;
- IKEV2_CERT *Cert;
- UINT16 PayloadLen;
- UINT8 *PublicKey;
- UINTN PublicKeyLen;
- HASH_DATA_FRAGMENT Fragment[1];
- UINT8 *HashData;
- UINTN HashDataSize;
- EFI_STATUS Status;
-
- //
- // 1 2 3
- // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- // ! Next Payload !C! RESERVED ! Payload Length !
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- // ! Cert Encoding ! !
- // +-+-+-+-+-+-+-+-+ !
- // ~ Certificate Data/Authority ~
- // ! !
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- //
-
- Status = EFI_SUCCESS;
- PublicKey = NULL;
- PublicKeyLen = 0;
-
- if (!IsRequest) {
- PayloadLen = (UINT16) (sizeof (IKEV2_CERT) + CertificateLen);
- } else {
- //
- // SHA1 Hash length is 20.
- //
- PayloadLen = (UINT16) (sizeof (IKEV2_CERT) + 20);
- }
-
- Cert = AllocateZeroPool (PayloadLen);
- if (Cert == NULL) {
- return NULL;
- }
-
- //
- // Generate Certificate Payload or Certificate Request Payload.
- //
- Cert->Header.NextPayload = NextPayload;
- Cert->Header.PayloadLength = PayloadLen;
- Cert->CertEncoding = EncodeType;
- if (!IsRequest) {
- CopyMem (
- ((UINT8 *)Cert) + sizeof (IKEV2_CERT),
- Certificate,
- CertificateLen
- );
- } else {
- Status = IpSecCryptoIoGetPublicKeyFromCert (
- Certificate,
- CertificateLen,
- &PublicKey,
- &PublicKeyLen
- );
- if (EFI_ERROR (Status)) {
- goto ON_EXIT;
- }
-
- Fragment[0].Data = PublicKey;
- Fragment[0].DataSize = PublicKeyLen;
- HashDataSize = IpSecGetHmacDigestLength (IKE_AALG_SHA1HMAC);
- HashData = AllocateZeroPool (HashDataSize);
- if (HashData == NULL) {
- goto ON_EXIT;
- }
-
- Status = IpSecCryptoIoHash (
- IKE_AALG_SHA1HMAC,
- Fragment,
- 1,
- HashData,
- HashDataSize
- );
- if (EFI_ERROR (Status)) {
- goto ON_EXIT;
- }
-
- CopyMem (
- ((UINT8 *)Cert) + sizeof (IKEV2_CERT),
- HashData,
- HashDataSize
- );
- }
-
- CertPayload = IkePayloadAlloc ();
- if (CertPayload == NULL) {
- goto ON_EXIT;
- }
-
- if (!IsRequest) {
- CertPayload->PayloadType = IKEV2_PAYLOAD_TYPE_CERT;
- } else {
- CertPayload->PayloadType = IKEV2_PAYLOAD_TYPE_CERTREQ;
- }
-
- CertPayload->PayloadBuf = (UINT8 *) Cert;
- CertPayload->PayloadSize = PayloadLen;
- return CertPayload;
-
-ON_EXIT:
- if (Cert != NULL) {
- FreePool (Cert);
- }
- if (PublicKey != NULL) {
- FreePool (PublicKey);
- }
- return NULL;
-}
-
-/**
- Remove and free all IkePayloads in the specified IkePacket.
-
- @param[in] IkePacket The pointer of IKE_PACKET.
-
-**/
-VOID
-ClearAllPayloads (
- IN IKE_PACKET *IkePacket
- )
-{
- LIST_ENTRY *PayloadEntry;
- IKE_PAYLOAD *IkePayload;
- //
- // remove all payloads from list and free each payload.
- //
- while (!IsListEmpty (&IkePacket->PayloadList)) {
- PayloadEntry = IkePacket->PayloadList.ForwardLink;
- IkePayload = IKE_PAYLOAD_BY_PACKET (PayloadEntry);
- IKE_PACKET_REMOVE_PAYLOAD (IkePacket, IkePayload);
- IkePayloadFree (IkePayload);
- }
-}
-
-/**
- Transfer the intrnal data structure IKEV2_SA_DATA to IKEV2_SA structure defined in RFC.
-
- @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON related to the SA Session.
- @param[in] SaData Pointer to IKEV2_SA_DATA to be transfered.
-
- @retval return the pointer of IKEV2_SA.
-
-**/
-IKEV2_SA*
-Ikev2EncodeSa (
- IN IKEV2_SESSION_COMMON *SessionCommon,
- IN IKEV2_SA_DATA *SaData
- )
-{
- IKEV2_SA *Sa;
- UINTN SaSize;
- IKEV2_PROPOSAL_DATA *ProposalData;
- IKEV2_TRANSFORM_DATA *TransformData;
- UINTN TotalTransforms;
- UINTN SaAttrsSize;
- UINTN TransformsSize;
- UINTN TransformSize;
- UINTN ProposalsSize;
- UINTN ProposalSize;
- UINTN ProposalIndex;
- UINTN TransformIndex;
- IKE_SA_ATTRIBUTE *SaAttribute;
- IKEV2_PROPOSAL *Proposal;
- IKEV2_TRANSFORM *Transform;
-
- //
- // Transform IKE_SA_DATA structure to IKE_SA Payload.
- // Header length is host order.
- // The returned IKE_SA struct should be freed by caller.
- //
- TotalTransforms = 0;
- //
- // Calculate the Proposal numbers and Transform numbers.
- //
- for (ProposalIndex = 0; ProposalIndex < SaData->NumProposals; ProposalIndex++) {
-
- ProposalData = (IKEV2_PROPOSAL_DATA *) (SaData + 1) + ProposalIndex;
- TotalTransforms += ProposalData->NumTransforms;
-
- }
- SaSize = sizeof (IKEV2_SA) +
- SaData->NumProposals * sizeof (IKEV2_PROPOSAL) +
- TotalTransforms * (sizeof (IKEV2_TRANSFORM) + MAX_SA_ATTRS_SIZE);
- //
- // Allocate buffer for IKE_SA.
- //
- Sa = AllocateZeroPool (SaSize);
- if (Sa == NULL) {
- return NULL;
- }
-
- CopyMem (Sa, SaData, sizeof (IKEV2_SA));
- Sa->Header.PayloadLength = (UINT16) sizeof (IKEV2_SA);
- ProposalsSize = 0;
- Proposal = (IKEV2_PROPOSAL *) (Sa + 1);
-
- //
- // Set IKE_PROPOSAL
- //
- ProposalData = (IKEV2_PROPOSAL_DATA *) (SaData + 1);
- for (ProposalIndex = 0; ProposalIndex < SaData->NumProposals; ProposalIndex++) {
- Proposal->ProposalIndex = ProposalData->ProposalIndex;
- Proposal->ProtocolId = ProposalData->ProtocolId;
- Proposal->NumTransforms = ProposalData->NumTransforms;
-
- if (ProposalData->Spi == 0) {
- Proposal->SpiSize = 0;
- } else {
- Proposal->SpiSize = 4;
- *(UINT32 *) (Proposal + 1) = HTONL (*((UINT32*)ProposalData->Spi));
- }
-
- TransformsSize = 0;
- Transform = (IKEV2_TRANSFORM *) ((UINT8 *) (Proposal + 1) + Proposal->SpiSize);
-
- //
- // Set IKE_TRANSFORM
- //
- for (TransformIndex = 0; TransformIndex < ProposalData->NumTransforms; TransformIndex++) {
- TransformData = (IKEV2_TRANSFORM_DATA *) (ProposalData + 1) + TransformIndex;
- Transform->TransformType = TransformData->TransformType;
- Transform->TransformId = HTONS (TransformData->TransformId);
- SaAttrsSize = 0;
-
- //
- // If the Encryption Algorithm is variable key length set the key length in attribute.
- // Note that only a single attribute type (Key Length) is defined and it is fixed length.
- //
- if (Transform->TransformType == IKEV2_TRANSFORM_TYPE_ENCR && TransformData->Attribute.Attr.AttrValue != 0) {
- SaAttribute = (IKE_SA_ATTRIBUTE *) (Transform + 1);
- SaAttribute->AttrType = HTONS (IKEV2_ATTRIBUTE_TYPE_KEYLEN | SA_ATTR_FORMAT_BIT);
- SaAttribute->Attr.AttrValue = HTONS (TransformData->Attribute.Attr.AttrValue);
- SaAttrsSize = sizeof (IKE_SA_ATTRIBUTE);
- }
-
- //
- // If the Integrity Algorithm is variable key length set the key length in attribute.
- //
- if (Transform->TransformType == IKEV2_TRANSFORM_TYPE_INTEG && TransformData->Attribute.Attr.AttrValue != 0) {
- SaAttribute = (IKE_SA_ATTRIBUTE *) (Transform + 1);
- SaAttribute->AttrType = HTONS (IKEV2_ATTRIBUTE_TYPE_KEYLEN | SA_ATTR_FORMAT_BIT);
- SaAttribute->Attr.AttrValue = HTONS (TransformData->Attribute.Attr.AttrValue);
- SaAttrsSize = sizeof (IKE_SA_ATTRIBUTE);
- }
-
- TransformSize = sizeof (IKEV2_TRANSFORM) + SaAttrsSize;
- TransformsSize += TransformSize;
-
- Transform->Header.NextPayload = IKE_TRANSFORM_NEXT_PAYLOAD_MORE;
- Transform->Header.PayloadLength = HTONS ((UINT16)TransformSize);
-
- if (TransformIndex == ((UINT32)ProposalData->NumTransforms - 1)) {
- Transform->Header.NextPayload = IKE_TRANSFORM_NEXT_PAYLOAD_NONE;
- }
-
- Transform = (IKEV2_TRANSFORM *)((UINT8 *) Transform + TransformSize);
- }
-
- //
- // Set Proposal's Generic Header.
- //
- ProposalSize = sizeof (IKEV2_PROPOSAL) + Proposal->SpiSize + TransformsSize;
- ProposalsSize += ProposalSize;
- Proposal->Header.NextPayload = IKE_PROPOSAL_NEXT_PAYLOAD_MORE;
- Proposal->Header.PayloadLength = HTONS ((UINT16)ProposalSize);
-
- if (ProposalIndex == (UINTN)(SaData->NumProposals - 1)) {
- Proposal->Header.NextPayload = IKE_PROPOSAL_NEXT_PAYLOAD_NONE;
- }
-
- //
- // Point to next Proposal Payload
- //
- Proposal = (IKEV2_PROPOSAL *) ((UINT8 *) Proposal + ProposalSize);
- ProposalData = (IKEV2_PROPOSAL_DATA *)(((UINT8 *)ProposalData) + sizeof (IKEV2_PROPOSAL_DATA) + (TransformIndex * sizeof (IKEV2_TRANSFORM_DATA)));
- }
- //
- // Set SA's Generic Header.
- //
- Sa->Header.PayloadLength = (UINT16) (Sa->Header.PayloadLength + ProposalsSize);
- return Sa;
-}
-
-/**
- Decode SA payload.
-
- This function converts the received SA payload to internal data structure.
-
- @param[in] SessionCommon Pointer to IKE Common Session used to decode the SA
- Payload.
- @param[in] Sa Pointer to SA Payload
-
- @return a Pointer to internal data structure for SA payload.
-
-**/
-IKEV2_SA_DATA *
-Ikev2DecodeSa (
- IN IKEV2_SESSION_COMMON *SessionCommon,
- IN IKEV2_SA *Sa
- )
-{
- IKEV2_SA_DATA *SaData;
- EFI_STATUS Status;
- IKEV2_PROPOSAL *Proposal;
- IKEV2_TRANSFORM *Transform;
- UINTN TotalProposals;
- UINTN TotalTransforms;
- UINTN ProposalNextPayloadSum;
- UINTN ProposalIndex;
- UINTN TransformIndex;
- UINTN SaRemaining;
- UINT16 ProposalSize;
- UINTN ProposalRemaining;
- UINT16 TransformSize;
- UINTN SaAttrRemaining;
- IKE_SA_ATTRIBUTE *SaAttribute;
- IKEV2_PROPOSAL_DATA *ProposalData;
- IKEV2_TRANSFORM_DATA *TransformData;
- UINT8 *Spi;
-
- //
- // Transfrom from IKE_SA payload to IKE_SA_DATA structure.
- // Header length NTOH is already done
- // The returned IKE_SA_DATA should be freed by caller
- //
- SaData = NULL;
- Status = EFI_SUCCESS;
-
- //
- // First round sanity check and size calculae
- //
- TotalProposals = 0;
- TotalTransforms = 0;
- ProposalNextPayloadSum = 0;
- SaRemaining = Sa->Header.PayloadLength - sizeof (IKEV2_SA);// Point to current position in SA
- Proposal = (IKEV2_PROPOSAL *)((IKEV2_SA *)(Sa)+1);
-
- //
- // Calculate the number of Proposal payload and the total numbers of
- // Transforms payload (the transforms in all proposal payload).
- //
- while (SaRemaining > sizeof (IKEV2_PROPOSAL)) {
- ProposalSize = NTOHS (Proposal->Header.PayloadLength);
- if (SaRemaining < ProposalSize) {
- Status = EFI_INVALID_PARAMETER;
- goto Exit;
- }
-
- if (Proposal->SpiSize != 0 && Proposal->SpiSize != 4) {
- Status = EFI_INVALID_PARAMETER;
- goto Exit;
- }
-
- TotalProposals++;
- TotalTransforms += Proposal->NumTransforms;
- SaRemaining -= ProposalSize;
- ProposalNextPayloadSum += Proposal->Header.NextPayload;
- Proposal = IKEV2_NEXT_PROPOSAL_WITH_SIZE (Proposal, ProposalSize);
- }
-
- //
- // Check the proposal number.
- // The proposal Substructure, the NextPayLoad field indicates : 0 (last) or 2 (more)
- // which Specifies whether this is the last Proposal Substructure in the SA.
- // Here suming all Proposal NextPayLoad field to check the proposal number is correct
- // or not.
- //
- if (TotalProposals == 0 ||
- (TotalProposals - 1) * IKE_PROPOSAL_NEXT_PAYLOAD_MORE != ProposalNextPayloadSum
- ) {
- Status = EFI_INVALID_PARAMETER;
- goto Exit;
- }
-
- //
- // Second round sanity check and decode. Transform the SA payload into
- // a IKE_SA_DATA structure.
- //
- SaData = (IKEV2_SA_DATA *) AllocateZeroPool (
- sizeof (IKEV2_SA_DATA) +
- TotalProposals * sizeof (IKEV2_PROPOSAL_DATA) +
- TotalTransforms * sizeof (IKEV2_TRANSFORM_DATA)
- );
- if (SaData == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto Exit;
- }
-
- CopyMem (SaData, Sa, sizeof (IKEV2_SA));
- SaData->NumProposals = TotalProposals;
- ProposalData = (IKEV2_PROPOSAL_DATA *) (SaData + 1);
-
- //
- // Proposal Payload
- // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- // ! Next Payload ! RESERVED ! Payload Length !
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- // ! Proposal # ! Protocol-Id ! SPI Size !# of Transforms!
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- // ! SPI (variable) !
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- //
- for (ProposalIndex = 0, Proposal = IKEV2_SA_FIRST_PROPOSAL (Sa);
- ProposalIndex < TotalProposals;
- ProposalIndex++
- ) {
-
- //
- // TODO: check ProposalId
- //
- ProposalData->ProposalIndex = Proposal->ProposalIndex;
- ProposalData->ProtocolId = Proposal->ProtocolId;
- if (Proposal->SpiSize == 0) {
- ProposalData->Spi = 0;
- } else {
- //
- // SpiSize == 4
- //
- Spi = AllocateZeroPool (Proposal->SpiSize);
- if (Spi == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto Exit;
- }
-
- CopyMem (Spi, (UINT32 *) (Proposal + 1), Proposal->SpiSize);
- *((UINT32*) Spi) = NTOHL (*((UINT32*) Spi));
- ProposalData->Spi = Spi;
- }
-
- ProposalData->NumTransforms = Proposal->NumTransforms;
- ProposalSize = NTOHS (Proposal->Header.PayloadLength);
- ProposalRemaining = ProposalSize;
- //
- // Transform Payload
- // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- // ! Next Payload ! RESERVED ! Payload Length !
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- // !Transform Type ! RESERVED ! Transform ID !
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- // ! !
- // ~ SA Attributes ~
- // ! !
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- //
- Transform = IKEV2_PROPOSAL_FIRST_TRANSFORM (Proposal);
- for (TransformIndex = 0; TransformIndex < Proposal->NumTransforms; TransformIndex++) {
-
- //
- // Transfer the IKEV2_TRANSFORM structure into internal IKEV2_TRANSFORM_DATA struture.
- //
- TransformData = (IKEV2_TRANSFORM_DATA *) (ProposalData + 1) + TransformIndex;
- TransformData->TransformId = NTOHS (Transform->TransformId);
- TransformData->TransformType = Transform->TransformType;
- TransformSize = NTOHS (Transform->Header.PayloadLength);
- //
- // Check the Proposal Data is correct.
- //
- if (ProposalRemaining < TransformSize) {
- Status = EFI_INVALID_PARAMETER;
- goto Exit;
- }
-
- //
- // Check if the Transform payload includes Attribution.
- //
- SaAttrRemaining = TransformSize - sizeof (IKEV2_TRANSFORM);
-
- //
- // According to RFC 4603, currently only the Key length attribute type is
- // supported. For each Transform, there is only one attributeion.
- //
- if (SaAttrRemaining > 0) {
- if (SaAttrRemaining != sizeof (IKE_SA_ATTRIBUTE)) {
- Status = EFI_INVALID_PARAMETER;
- goto Exit;
- }
- SaAttribute = (IKE_SA_ATTRIBUTE *) ((IKEV2_TRANSFORM *)(Transform) + 1);
- TransformData->Attribute.AttrType = (UINT16)((NTOHS (SaAttribute->AttrType)) & ~SA_ATTR_FORMAT_BIT);
- TransformData->Attribute.Attr.AttrValue = NTOHS (SaAttribute->Attr.AttrValue);
-
- //
- // Currently, only supports the Key Length Attribution.
- //
- if (TransformData->Attribute.AttrType != IKEV2_ATTRIBUTE_TYPE_KEYLEN) {
- Status = EFI_INVALID_PARAMETER;
- goto Exit;
- }
- }
-
- //
- // Move to next Transform
- //
- Transform = IKEV2_NEXT_TRANSFORM_WITH_SIZE (Transform, TransformSize);
- }
- Proposal = IKEV2_NEXT_PROPOSAL_WITH_SIZE (Proposal, ProposalSize);
- ProposalData = (IKEV2_PROPOSAL_DATA *) ((UINT8 *)(ProposalData + 1) +
- ProposalData->NumTransforms *
- sizeof (IKEV2_TRANSFORM_DATA));
- }
-
-Exit:
- if (EFI_ERROR (Status) && SaData != NULL) {
- FreePool (SaData);
- SaData = NULL;
- }
- return SaData;
-}
-
-/**
- General interface of payload encoding.
-
- This function encodes the internal data structure into payload which
- is defined in RFC 4306. The IkePayload->PayloadBuf is used to store both the input
- payload and converted payload. Only the SA payload use the interal structure
- to store the attribute. Other payload use structure which is same with the RFC
- defined, for this kind payloads just do host order to network order change of
- some fields.
-
- @param[in] SessionCommon Pointer to IKE Session Common used to encode the payload.
- @param[in, out] IkePayload Pointer to IKE payload to be encoded as input, and
- store the encoded result as output.
-
- @retval EFI_INVALID_PARAMETER Meet error when encoding the SA payload.
- @retval EFI_SUCCESS Encoded successfully.
-
-**/
-EFI_STATUS
-Ikev2EncodePayload (
- IN UINT8 *SessionCommon,
- IN OUT IKE_PAYLOAD *IkePayload
- )
-{
- IKEV2_SA_DATA *SaData;
- IKEV2_SA *SaPayload;
- IKEV2_COMMON_PAYLOAD_HEADER *PayloadHdr;
- IKEV2_NOTIFY *NotifyPayload;
- IKEV2_DELETE *DeletePayload;
- IKEV2_KEY_EXCHANGE *KeyPayload;
- IKEV2_TS *TsPayload;
- IKEV2_CFG_ATTRIBUTES *CfgAttribute;
- UINT8 *TsBuffer;
- UINT8 Index;
- TRAFFIC_SELECTOR *TrafficSelector;
-
- //
- // Transform the Internal IKE structure to IKE payload.
- // Only the SA payload use the interal structure to store the attribute.
- // Other payload use structure which same with the RFC defined, so there is
- // no need to tranform them to IKE payload.
- //
- switch (IkePayload->PayloadType) {
- case IKEV2_PAYLOAD_TYPE_SA:
- //
- // Transform IKE_SA_DATA to IK_SA payload
- //
- SaData = (IKEV2_SA_DATA *) IkePayload->PayloadBuf;
- SaPayload = Ikev2EncodeSa ((IKEV2_SESSION_COMMON *) SessionCommon, SaData);
-
- if (SaPayload == NULL) {
- return EFI_INVALID_PARAMETER;
- }
- if (!IkePayload->IsPayloadBufExt) {
- FreePool (IkePayload->PayloadBuf);
- }
- IkePayload->PayloadBuf = (UINT8 *) SaPayload;
- IkePayload->IsPayloadBufExt = FALSE;
- break;
-
- case IKEV2_PAYLOAD_TYPE_NOTIFY:
- NotifyPayload = (IKEV2_NOTIFY *) IkePayload->PayloadBuf;
- NotifyPayload->MessageType = HTONS (NotifyPayload->MessageType);
- break;
-
- case IKEV2_PAYLOAD_TYPE_DELETE:
- DeletePayload = (IKEV2_DELETE *) IkePayload->PayloadBuf;
- DeletePayload->NumSpis = HTONS (DeletePayload->NumSpis);
- break;
-
- case IKEV2_PAYLOAD_TYPE_KE:
- KeyPayload = (IKEV2_KEY_EXCHANGE *) IkePayload->PayloadBuf;
- KeyPayload->DhGroup = HTONS (KeyPayload->DhGroup);
- break;
-
- case IKEV2_PAYLOAD_TYPE_TS_INIT:
- case IKEV2_PAYLOAD_TYPE_TS_RSP:
- TsPayload = (IKEV2_TS *) IkePayload->PayloadBuf;
- TsBuffer = IkePayload->PayloadBuf + sizeof (IKEV2_TS);
-
- for (Index = 0; Index < TsPayload->TSNumbers; Index++) {
- TrafficSelector = (TRAFFIC_SELECTOR *) TsBuffer;
- TsBuffer = TsBuffer + TrafficSelector->SelecorLen;
- //
- // Host order to network order
- //
- TrafficSelector->SelecorLen = HTONS (TrafficSelector->SelecorLen);
- TrafficSelector->StartPort = HTONS (TrafficSelector->StartPort);
- TrafficSelector->EndPort = HTONS (TrafficSelector->EndPort);
-
- }
-
- break;
-
- case IKEV2_PAYLOAD_TYPE_CP:
- CfgAttribute = (IKEV2_CFG_ATTRIBUTES *)(((IKEV2_CFG *) IkePayload->PayloadBuf) + 1);
- CfgAttribute->AttritType = HTONS (CfgAttribute->AttritType);
- CfgAttribute->ValueLength = HTONS (CfgAttribute->ValueLength);
-
- case IKEV2_PAYLOAD_TYPE_ID_INIT:
- case IKEV2_PAYLOAD_TYPE_ID_RSP:
- case IKEV2_PAYLOAD_TYPE_AUTH:
- default:
- break;
- }
-
- PayloadHdr = (IKEV2_COMMON_PAYLOAD_HEADER *) IkePayload->PayloadBuf;
- IkePayload->PayloadSize = PayloadHdr->PayloadLength;
- PayloadHdr->PayloadLength = HTONS (PayloadHdr->PayloadLength);
- IKEV2_DUMP_PAYLOAD (IkePayload);
- return EFI_SUCCESS;
-}
-
-/**
- The general interface for decoding Payload.
-
- This function converts the received Payload into internal structure.
-
- @param[in] SessionCommon Pointer to IKE Session Common used for decoding.
- @param[in, out] IkePayload Pointer to IKE payload to be decoded as input, and
- store the decoded result as output.
-
- @retval EFI_INVALID_PARAMETER Meet error when decoding the SA payload.
- @retval EFI_SUCCESS Decoded successfully.
-
-**/
-EFI_STATUS
-Ikev2DecodePayload (
- IN UINT8 *SessionCommon,
- IN OUT IKE_PAYLOAD *IkePayload
- )
-{
- IKEV2_COMMON_PAYLOAD_HEADER *PayloadHdr;
- UINT16 PayloadSize;
- UINT8 PayloadType;
- IKEV2_SA_DATA *SaData;
- EFI_STATUS Status;
- IKEV2_NOTIFY *NotifyPayload;
- IKEV2_DELETE *DeletePayload;
- UINT16 TsTotalSize;
- TRAFFIC_SELECTOR *TsSelector;
- IKEV2_TS *TsPayload;
- IKEV2_KEY_EXCHANGE *KeyPayload;
- IKEV2_CFG_ATTRIBUTES *CfgAttribute;
- UINT8 Index;
-
- //
- // Transform the IKE payload to Internal IKE structure.
- // Only the SA payload and Hash Payload use the interal
- // structure to store the attribute. Other payloads use
- // structure which is same with the definitions in RFC,
- // so there is no need to tranform them to internal IKE
- // structure.
- //
- Status = EFI_SUCCESS;
- PayloadSize = (UINT16) IkePayload->PayloadSize;
- PayloadType = IkePayload->PayloadType;
- PayloadHdr = (IKEV2_COMMON_PAYLOAD_HEADER *) IkePayload->PayloadBuf;
- //
- // The PayloadSize is the size of whole payload.
- // Replace HTONS operation to assignment statements, since the result is same.
- //
- PayloadHdr->PayloadLength = PayloadSize;
-
- IKEV2_DUMP_PAYLOAD (IkePayload);
- switch (PayloadType) {
- case IKEV2_PAYLOAD_TYPE_SA:
- if (PayloadSize < sizeof (IKEV2_SA)) {
- Status = EFI_INVALID_PARAMETER;
- goto Exit;
- }
-
- SaData = Ikev2DecodeSa ((IKEV2_SESSION_COMMON *) SessionCommon, (IKEV2_SA *) PayloadHdr);
- if (SaData == NULL) {
- Status = EFI_INVALID_PARAMETER;
- goto Exit;
- }
-
- if (!IkePayload->IsPayloadBufExt) {
- FreePool (IkePayload->PayloadBuf);
- }
-
- IkePayload->PayloadBuf = (UINT8 *) SaData;
- IkePayload->IsPayloadBufExt = FALSE;
- break;
-
- case IKEV2_PAYLOAD_TYPE_ID_INIT:
- case IKEV2_PAYLOAD_TYPE_ID_RSP :
- if (PayloadSize < sizeof (IKEV2_ID)) {
- Status = EFI_INVALID_PARAMETER;
- goto Exit;
- }
- break;
-
- case IKEV2_PAYLOAD_TYPE_NOTIFY:
- if (PayloadSize < sizeof (IKEV2_NOTIFY)) {
- Status = EFI_INVALID_PARAMETER;
- goto Exit;
- }
-
- NotifyPayload = (IKEV2_NOTIFY *) PayloadHdr;
- NotifyPayload->MessageType = NTOHS (NotifyPayload->MessageType);
- break;
-
- case IKEV2_PAYLOAD_TYPE_DELETE:
- if (PayloadSize < sizeof (IKEV2_DELETE)) {
- Status = EFI_INVALID_PARAMETER;
- goto Exit;
- }
-
- DeletePayload = (IKEV2_DELETE *) PayloadHdr;
- DeletePayload->NumSpis = NTOHS (DeletePayload->NumSpis);
- break;
-
- case IKEV2_PAYLOAD_TYPE_AUTH:
- if (PayloadSize < sizeof (IKEV2_AUTH)) {
- Status = EFI_INVALID_PARAMETER;
- goto Exit;
- }
- break;
-
- case IKEV2_PAYLOAD_TYPE_KE:
- KeyPayload = (IKEV2_KEY_EXCHANGE *) IkePayload->PayloadBuf;
- KeyPayload->DhGroup = HTONS (KeyPayload->DhGroup);
- break;
-
- case IKEV2_PAYLOAD_TYPE_TS_INIT:
- case IKEV2_PAYLOAD_TYPE_TS_RSP :
- TsTotalSize = 0;
- if (PayloadSize < sizeof (IKEV2_TS)) {
- Status = EFI_INVALID_PARAMETER;
- goto Exit;
- }
- //
- // Parse each traffic selector and transfer network-order to host-order
- //
- TsPayload = (IKEV2_TS *) IkePayload->PayloadBuf;
- TsSelector = (TRAFFIC_SELECTOR *) (IkePayload->PayloadBuf + sizeof (IKEV2_TS));
-
- for (Index = 0; Index < TsPayload->TSNumbers; Index++) {
- TsSelector->SelecorLen = NTOHS (TsSelector->SelecorLen);
- TsSelector->StartPort = NTOHS (TsSelector->StartPort);
- TsSelector->EndPort = NTOHS (TsSelector->EndPort);
-
- TsTotalSize = (UINT16) (TsTotalSize + TsSelector->SelecorLen);
- TsSelector = (TRAFFIC_SELECTOR *) ((UINT8 *) TsSelector + TsSelector->SelecorLen);
- }
- //
- // Check if the total size of Traffic Selectors is correct.
- //
- if (TsTotalSize != PayloadSize - sizeof(IKEV2_TS)) {
- Status = EFI_INVALID_PARAMETER;
- }
-
- case IKEV2_PAYLOAD_TYPE_CP:
- CfgAttribute = (IKEV2_CFG_ATTRIBUTES *)(((IKEV2_CFG *) IkePayload->PayloadBuf) + 1);
- CfgAttribute->AttritType = NTOHS (CfgAttribute->AttritType);
- CfgAttribute->ValueLength = NTOHS (CfgAttribute->ValueLength);
-
- default:
- break;
- }
-
- Exit:
- return Status;
-}
-
-/**
- Decode the IKE packet.
-
- This function first decrypts the IKE packet if needed , then separates the whole
- IKE packet from the IkePacket->PayloadBuf into IkePacket payload list.
-
- @param[in] SessionCommon Pointer to IKEV1_SESSION_COMMON containing
- some parameter used by IKE packet decoding.
- @param[in, out] IkePacket The IKE Packet to be decoded on input, and
- the decoded result on return.
- @param[in] IkeType The type of IKE. IKE_SA_TYPE, IKE_INFO_TYPE and
- IKE_CHILD_TYPE are supported.
-
- @retval EFI_SUCCESS The IKE packet is decoded successfully.
- @retval Otherwise The IKE packet decoding is failed.
-
-**/
-EFI_STATUS
-Ikev2DecodePacket (
- IN IKEV2_SESSION_COMMON *SessionCommon,
- IN OUT IKE_PACKET *IkePacket,
- IN UINTN IkeType
- )
-{
- EFI_STATUS Status;
- IKEV2_COMMON_PAYLOAD_HEADER *PayloadHdr;
- UINT8 PayloadType;
- UINTN RemainBytes;
- UINT16 PayloadSize;
- IKE_PAYLOAD *IkePayload;
- IKE_HEADER *IkeHeader;
- IKEV2_SA_SESSION *IkeSaSession;
-
- IkeHeader = NULL;
-
- //
- // Check if the IkePacket need decrypt.
- //
- if (SessionCommon->State >= IkeStateAuth) {
- Status = Ikev2DecryptPacket (SessionCommon, IkePacket, IkeType);
- if (EFI_ERROR (Status)) {
- return Status;
- }
- }
-
- Status = EFI_SUCCESS;
-
- //
- // If the IkePacket doesn't contain any payload return invalid parameter.
- //
- if (IkePacket->Header->NextPayload == IKEV2_PAYLOAD_TYPE_NONE) {
- if ((SessionCommon->State >= IkeStateAuth) &&
- (IkePacket->Header->ExchangeType == IKEV2_EXCHANGE_TYPE_INFO)
- ) {
- //
- // If it is Liveness check, there will be no payload load in the encrypt payload.
- //
- Status = EFI_SUCCESS;
- } else {
- Status = EFI_INVALID_PARAMETER;
- }
- }
-
- //
- // If the PayloadTotalSize < Header length, return invalid parameter.
- //
- RemainBytes = IkePacket->PayloadTotalSize;
- if (RemainBytes < sizeof (IKEV2_COMMON_PAYLOAD_HEADER)) {
- Status = EFI_INVALID_PARAMETER;
- goto Exit;
- }
-
- //
- // If the packet is first or second message, store whole message in
- // IkeSa->InitiPacket or IkeSa->RespPacket for following Auth Payload
- // calculate.
- //
- if (IkePacket->Header->ExchangeType == IKEV2_EXCHANGE_TYPE_INIT) {
- IkeHeader = AllocateZeroPool (sizeof (IKE_HEADER));
- if (IkeHeader == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto Exit;
- }
-
- CopyMem (IkeHeader, IkePacket->Header, sizeof (IKE_HEADER));
-
- //
- // Before store the whole packet, roll back the host order to network order,
- // since the header order was changed in the IkePacketFromNetbuf.
- //
- IkeHdrNetToHost (IkeHeader);
- IkeSaSession = IKEV2_SA_SESSION_FROM_COMMON (SessionCommon);
- if (SessionCommon->IsInitiator) {
- IkeSaSession->RespPacket = AllocateZeroPool (IkePacket->Header->Length);
- if (IkeSaSession->RespPacket == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto Exit;
- }
- IkeSaSession->RespPacketSize = IkePacket->Header->Length;
- CopyMem (IkeSaSession->RespPacket, IkeHeader, sizeof (IKE_HEADER));
- CopyMem (
- IkeSaSession->RespPacket + sizeof (IKE_HEADER),
- IkePacket->PayloadsBuf,
- IkePacket->Header->Length - sizeof (IKE_HEADER)
- );
- } else {
- IkeSaSession->InitPacket = AllocateZeroPool (IkePacket->Header->Length);
- if (IkeSaSession->InitPacket == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto Exit;
- }
- IkeSaSession->InitPacketSize = IkePacket->Header->Length;
- CopyMem (IkeSaSession->InitPacket, IkeHeader, sizeof (IKE_HEADER));
- CopyMem (
- IkeSaSession->InitPacket + sizeof (IKE_HEADER),
- IkePacket->PayloadsBuf,
- IkePacket->Header->Length - sizeof (IKE_HEADER)
- );
- }
- }
-
- //
- // Point to the first Payload
- //
- PayloadHdr = (IKEV2_COMMON_PAYLOAD_HEADER *) IkePacket->PayloadsBuf;
- PayloadType = IkePacket->Header->NextPayload;
-
- //
- // Parse each payload
- //
- while (RemainBytes >= sizeof (IKEV2_COMMON_PAYLOAD_HEADER)) {
- PayloadSize = NTOHS (PayloadHdr->PayloadLength);
-
- //
- //Check the size of the payload is correct.
- //
- if (RemainBytes < PayloadSize) {
- Status = EFI_INVALID_PARAMETER;
- goto Exit;
- }
-
- //
- // At certain states, it should save some datas before decoding.
- //
- if (SessionCommon->BeforeDecodePayload != NULL) {
- SessionCommon->BeforeDecodePayload (
- (UINT8 *) SessionCommon,
- (UINT8 *) PayloadHdr,
- PayloadSize,
- PayloadType
- );
- }
-
- //
- // Initial IkePayload
- //
- IkePayload = IkePayloadAlloc ();
- if (IkePayload == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto Exit;
- }
-
- IkePayload->PayloadType = PayloadType;
- IkePayload->PayloadBuf = (UINT8 *) PayloadHdr;
- IkePayload->PayloadSize = PayloadSize;
- IkePayload->IsPayloadBufExt = TRUE;
-
- Status = Ikev2DecodePayload ((UINT8 *) SessionCommon, IkePayload);
- if (EFI_ERROR (Status)) {
- goto Exit;
- }
-
- IPSEC_DUMP_BUF ("After Decoding Payload", IkePayload->PayloadBuf, IkePayload->PayloadSize);
- //
- // Add each payload into packet
- // Notice, the IkePacket->Hdr->Lenght still recode the whole IkePacket length
- // which is before the decoding.
- //
- IKE_PACKET_APPEND_PAYLOAD (IkePacket, IkePayload);
-
- RemainBytes -= PayloadSize;
- PayloadType = PayloadHdr->NextPayload;
- if (PayloadType == IKEV2_PAYLOAD_TYPE_NONE) {
- break;
- }
-
- PayloadHdr = (IKEV2_COMMON_PAYLOAD_HEADER *) ((UINT8 *) PayloadHdr + PayloadSize);
- }
-
- if (PayloadType != IKEV2_PAYLOAD_TYPE_NONE) {
- Status = EFI_INVALID_PARAMETER;
- goto Exit;
- }
-
-Exit:
- if (EFI_ERROR (Status)) {
- ClearAllPayloads (IkePacket);
- }
-
- if (IkeHeader != NULL) {
- FreePool (IkeHeader);
- }
- return Status;
-}
-
-/**
- Encode the IKE packet.
-
- This function puts all Payloads into one payload then encrypt it if needed.
-
- @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON containing
- some parameter used during IKE packet encoding.
- @param[in, out] IkePacket Pointer to IKE_PACKET to be encoded as input,
- and the encoded result as output.
- @param[in] IkeType The type of IKE. IKE_SA_TYPE, IKE_INFO_TYPE and
- IKE_CHILD_TYPE are supportted.
-
- @retval EFI_SUCCESS Encode IKE packet successfully.
- @retval Otherwise Encode IKE packet failed.
-
-**/
-EFI_STATUS
-Ikev2EncodePacket (
- IN IKEV2_SESSION_COMMON *SessionCommon,
- IN OUT IKE_PACKET *IkePacket,
- IN UINTN IkeType
- )
-{
- IKE_PAYLOAD *IkePayload;
- UINTN PayloadTotalSize;
- LIST_ENTRY *Entry;
- EFI_STATUS Status;
- IKEV2_SA_SESSION *IkeSaSession;
-
- PayloadTotalSize = 0;
- //
- // Encode each payload
- //
- for (Entry = IkePacket->PayloadList.ForwardLink; Entry != &(IkePacket->PayloadList);) {
- IkePayload = IKE_PAYLOAD_BY_PACKET (Entry);
- Entry = Entry->ForwardLink;
- Status = Ikev2EncodePayload ((UINT8 *) SessionCommon, IkePayload);
- if (EFI_ERROR (Status)) {
- return Status;
- }
-
- if (SessionCommon->AfterEncodePayload != NULL) {
- //
- // For certain states, save some payload for further calculation
- //
- SessionCommon->AfterEncodePayload (
- (UINT8 *) SessionCommon,
- IkePayload->PayloadBuf,
- IkePayload->PayloadSize,
- IkePayload->PayloadType
- );
- }
-
- PayloadTotalSize += IkePayload->PayloadSize;
- }
- IkePacket->PayloadTotalSize = PayloadTotalSize;
-
- Status = EFI_SUCCESS;
- if (SessionCommon->State >= IkeStateAuth) {
- //
- // Encrypt all payload and transfer IKE packet header from Host order to Network order.
- //
- Status = Ikev2EncryptPacket (SessionCommon, IkePacket);
- if (EFI_ERROR (Status)) {
- return Status;
- }
- } else {
- //
- // Fill in the lenght into IkePacket header and transfer Host order to Network order.
- //
- IkePacket->Header->Length = (UINT32) (sizeof (IKE_HEADER) + IkePacket->PayloadTotalSize);
- IkeHdrHostToNet (IkePacket->Header);
- }
-
- //
- // If the packet is first message, store whole message in IkeSa->InitiPacket
- // for following Auth Payload calculation.
- //
- if (IkePacket->Header->ExchangeType == IKEV2_EXCHANGE_TYPE_INIT) {
- IkeSaSession = IKEV2_SA_SESSION_FROM_COMMON (SessionCommon);
- if (SessionCommon->IsInitiator) {
- IkeSaSession->InitPacketSize = IkePacket->PayloadTotalSize + sizeof (IKE_HEADER);
- IkeSaSession->InitPacket = AllocateZeroPool (IkeSaSession->InitPacketSize);
- if (IkeSaSession->InitPacket == NULL) {
- return EFI_OUT_OF_RESOURCES;
- }
-
- CopyMem (IkeSaSession->InitPacket, IkePacket->Header, sizeof (IKE_HEADER));
- PayloadTotalSize = 0;
- for (Entry = IkePacket->PayloadList.ForwardLink; Entry != &(IkePacket->PayloadList);) {
- IkePayload = IKE_PAYLOAD_BY_PACKET (Entry);
- Entry = Entry->ForwardLink;
- CopyMem (
- IkeSaSession->InitPacket + sizeof (IKE_HEADER) + PayloadTotalSize,
- IkePayload->PayloadBuf,
- IkePayload->PayloadSize
- );
- PayloadTotalSize = PayloadTotalSize + IkePayload->PayloadSize;
- }
- } else {
- IkeSaSession->RespPacketSize = IkePacket->PayloadTotalSize + sizeof(IKE_HEADER);
- IkeSaSession->RespPacket = AllocateZeroPool (IkeSaSession->RespPacketSize);
- if (IkeSaSession->RespPacket == NULL) {
- return EFI_OUT_OF_RESOURCES;
- }
-
- CopyMem (IkeSaSession->RespPacket, IkePacket->Header, sizeof (IKE_HEADER));
- PayloadTotalSize = 0;
- for (Entry = IkePacket->PayloadList.ForwardLink; Entry != &(IkePacket->PayloadList);) {
- IkePayload = IKE_PAYLOAD_BY_PACKET (Entry);
- Entry = Entry->ForwardLink;
-
- CopyMem (
- IkeSaSession->RespPacket + sizeof (IKE_HEADER) + PayloadTotalSize,
- IkePayload->PayloadBuf,
- IkePayload->PayloadSize
- );
- PayloadTotalSize = PayloadTotalSize + IkePayload->PayloadSize;
- }
- }
- }
-
- return Status;
-}
-
-/**
- Decrypt IKE packet.
-
- This function decrypts the Encrypted IKE packet and put the result into IkePacket->PayloadBuf.
-
- @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON containing
- some parameter used during decrypting.
- @param[in, out] IkePacket Pointer to IKE_PACKET to be decrypted as input,
- and the decrypted result as output.
- @param[in, out] IkeType The type of IKE. IKE_SA_TYPE, IKE_INFO_TYPE and
- IKE_CHILD_TYPE are supportted.
-
- @retval EFI_INVALID_PARAMETER If the IKE packet length is zero or the
- IKE packet length is not aligned with Algorithm Block Size
- @retval EFI_SUCCESS Decrypt IKE packet successfully.
-
-**/
-EFI_STATUS
-Ikev2DecryptPacket (
- IN IKEV2_SESSION_COMMON *SessionCommon,
- IN OUT IKE_PACKET *IkePacket,
- IN OUT UINTN IkeType
- )
-{
- UINT8 CryptBlockSize; // Encrypt Block Size
- UINTN DecryptedSize; // Encrypted IKE Payload Size
- UINT8 *DecryptedBuf; // Encrypted IKE Payload buffer
- UINTN IntegritySize;
- UINT8 *IntegrityBuffer;
- UINTN IvSize; // Iv Size
- UINT8 CheckSumSize; // Integrity Check Sum Size depends on intergrity Auth
- UINT8 *CheckSumData; // Check Sum data
- IKEV2_SA_SESSION *IkeSaSession;
- IKEV2_CHILD_SA_SESSION *ChildSaSession;
- EFI_STATUS Status;
- UINT8 PadLen;
- HASH_DATA_FRAGMENT Fragments[1];
-
- IvSize = 0;
- IkeSaSession = NULL;
- CryptBlockSize = 0;
- CheckSumSize = 0;
-
- //
- // Check if the first payload is the Encrypted payload
- //
- if (IkePacket->Header->NextPayload != IKEV2_PAYLOAD_TYPE_ENCRYPT) {
- return EFI_ACCESS_DENIED;
- }
- CheckSumData = NULL;
- DecryptedBuf = NULL;
- IntegrityBuffer = NULL;
-
- //
- // Get the Block Size
- //
- if (SessionCommon->IkeSessionType == IkeSessionTypeIkeSa) {
-
- CryptBlockSize = (UINT8) IpSecGetEncryptBlockSize ((UINT8) SessionCommon->SaParams->EncAlgId);
-
- CheckSumSize = (UINT8) IpSecGetIcvLength ((UINT8) SessionCommon->SaParams->IntegAlgId);
- IkeSaSession = IKEV2_SA_SESSION_FROM_COMMON (SessionCommon);
-
- } else if (SessionCommon->IkeSessionType == IkeSessionTypeChildSa) {
-
- ChildSaSession = IKEV2_CHILD_SA_SESSION_FROM_COMMON (SessionCommon);
- IkeSaSession = ChildSaSession->IkeSaSession;
- CryptBlockSize = (UINT8) IpSecGetEncryptBlockSize ((UINT8) IkeSaSession->SessionCommon.SaParams->EncAlgId);
- CheckSumSize = (UINT8) IpSecGetIcvLength ((UINT8) IkeSaSession->SessionCommon.SaParams->IntegAlgId);
- } else {
- //
- // The type of SA Session would either be IkeSa or ChildSa.
- //
- return EFI_INVALID_PARAMETER;
- }
-
- CheckSumData = AllocateZeroPool (CheckSumSize);
- if (CheckSumData == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto ON_EXIT;
- }
-
- //
- // Fill in the Integrity buffer
- //
- IntegritySize = IkePacket->PayloadTotalSize + sizeof (IKE_HEADER);
- IntegrityBuffer = AllocateZeroPool (IntegritySize);
- if (IntegrityBuffer == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto ON_EXIT;
- }
-
- CopyMem (IntegrityBuffer, IkePacket->Header, sizeof(IKE_HEADER));
- CopyMem (IntegrityBuffer + sizeof (IKE_HEADER), IkePacket->PayloadsBuf, IkePacket->PayloadTotalSize);
-
- //
- // Change Host order to Network order, since the header order was changed
- // in the IkePacketFromNetbuf.
- //
- IkeHdrHostToNet ((IKE_HEADER *)IntegrityBuffer);
-
- //
- // Calculate the Integrity CheckSum Data
- //
- Fragments[0].Data = IntegrityBuffer;
- Fragments[0].DataSize = IntegritySize - CheckSumSize;
-
- if (SessionCommon->IsInitiator) {
- Status = IpSecCryptoIoHmac (
- (UINT8)IkeSaSession->SessionCommon.SaParams->IntegAlgId,
- IkeSaSession->IkeKeys->SkArKey,
- IkeSaSession->IkeKeys->SkArKeySize,
- (HASH_DATA_FRAGMENT *) Fragments,
- 1,
- CheckSumData,
- CheckSumSize
- );
- } else {
- Status = IpSecCryptoIoHmac (
- (UINT8)IkeSaSession->SessionCommon.SaParams->IntegAlgId,
- IkeSaSession->IkeKeys->SkAiKey,
- IkeSaSession->IkeKeys->SkAiKeySize,
- (HASH_DATA_FRAGMENT *) Fragments,
- 1,
- CheckSumData,
- CheckSumSize
- );
- }
-
- if (EFI_ERROR (Status)) {
- goto ON_EXIT;
- }
- //
- // Compare the Integrity CheckSum Data with the one in IkePacket
- //
- if (CompareMem (
- IkePacket->PayloadsBuf + IkePacket->PayloadTotalSize - CheckSumSize,
- CheckSumData,
- CheckSumSize
- ) != 0) {
- DEBUG ((DEBUG_ERROR, "Error auth verify payload\n"));
- Status = EFI_ACCESS_DENIED;
- goto ON_EXIT;
- }
-
- IvSize = CryptBlockSize;
-
- //
- // Decrypt the payload with the key.
- //
- DecryptedSize = IkePacket->PayloadTotalSize - sizeof (IKEV2_COMMON_PAYLOAD_HEADER) - IvSize - CheckSumSize;
- DecryptedBuf = AllocateZeroPool (DecryptedSize);
- if (DecryptedBuf == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto ON_EXIT;
- }
-
- CopyMem (
- DecryptedBuf,
- IkePacket->PayloadsBuf + sizeof (IKEV2_COMMON_PAYLOAD_HEADER) + IvSize,
- DecryptedSize
- );
-
- if (SessionCommon->IsInitiator) {
- Status = IpSecCryptoIoDecrypt (
- (UINT8) SessionCommon->SaParams->EncAlgId,
- IkeSaSession->IkeKeys->SkErKey,
- IkeSaSession->IkeKeys->SkErKeySize << 3,
- IkePacket->PayloadsBuf + sizeof (IKEV2_COMMON_PAYLOAD_HEADER),
- DecryptedBuf,
- DecryptedSize,
- DecryptedBuf
- );
- } else {
- Status = IpSecCryptoIoDecrypt (
- (UINT8) SessionCommon->SaParams->EncAlgId,
- IkeSaSession->IkeKeys->SkEiKey,
- IkeSaSession->IkeKeys->SkEiKeySize << 3,
- IkePacket->PayloadsBuf + sizeof (IKEV2_COMMON_PAYLOAD_HEADER),
- DecryptedBuf,
- DecryptedSize,
- DecryptedBuf
- );
- }
-
- if (EFI_ERROR (Status)) {
- DEBUG ((DEBUG_ERROR, "Error decrypt buffer with %r\n", Status));
- goto ON_EXIT;
- }
-
- //
- // Get the Padding length
- //
- //
- PadLen = (UINT8) (*(DecryptedBuf + DecryptedSize - sizeof (IKEV2_PAD_LEN)));
-
- //
- // Save the next payload of encrypted payload into IkePacket->Hdr->NextPayload
- //
- IkePacket->Header->NextPayload = ((IKEV2_ENCRYPTED *) IkePacket->PayloadsBuf)->Header.NextPayload;
-
- //
- // Free old IkePacket->PayloadBuf and point it to decrypted paylaod buffer.
- //
- FreePool (IkePacket->PayloadsBuf);
- IkePacket->PayloadsBuf = DecryptedBuf;
- IkePacket->PayloadTotalSize = DecryptedSize - PadLen;
-
- IPSEC_DUMP_BUF ("Decrypted Buffer", DecryptedBuf, DecryptedSize);
-
-
-ON_EXIT:
- if (CheckSumData != NULL) {
- FreePool (CheckSumData);
- }
-
- if (EFI_ERROR (Status) && DecryptedBuf != NULL) {
- FreePool (DecryptedBuf);
- }
-
- if (IntegrityBuffer != NULL) {
- FreePool (IntegrityBuffer);
- }
-
- return Status;
-}
-
-/**
- Encrypt IKE packet.
-
- This function encrypt IKE packet before sending it. The Encrypted IKE packet
- is put in to IKEV2 Encrypted Payload.
-
- @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON related to the IKE packet.
- @param[in, out] IkePacket Pointer to IKE packet to be encrypted.
-
- @retval EFI_SUCCESS Operation is successful.
- @retval Others Operation is failed.
-
-**/
-EFI_STATUS
-Ikev2EncryptPacket (
- IN IKEV2_SESSION_COMMON *SessionCommon,
- IN OUT IKE_PACKET *IkePacket
- )
-{
- UINT8 CryptBlockSize; // Encrypt Block Size
- UINT8 CryptBlockSizeMask; // Block Mask
- UINTN EncryptedSize; // Encrypted IKE Payload Size
- UINT8 *EncryptedBuf; // Encrypted IKE Payload buffer
- UINT8 *EncryptPayloadBuf; // Contain whole Encrypted Payload
- UINTN EncryptPayloadSize; // Total size of the Encrypted payload
- UINT8 *IntegrityBuf; // Buffer to be intergity
- UINT8 *IvBuffer; // Initialization Vector
- UINT8 IvSize; // Iv Size
- UINT8 CheckSumSize; // Integrity Check Sum Size depends on intergrity Auth
- UINT8 *CheckSumData; // Check Sum data
- UINTN Index;
- IKE_PAYLOAD *EncryptPayload;
- IKEV2_SA_SESSION *IkeSaSession;
- IKEV2_CHILD_SA_SESSION *ChildSaSession;
- EFI_STATUS Status;
- LIST_ENTRY *Entry;
- IKE_PAYLOAD *IkePayload;
- HASH_DATA_FRAGMENT Fragments[1];
-
- Status = EFI_SUCCESS;
-
- //
- // Initial all buffers to NULL.
- //
- EncryptedBuf = NULL;
- EncryptPayloadBuf = NULL;
- IvBuffer = NULL;
- CheckSumData = NULL;
- IkeSaSession = NULL;
- CryptBlockSize = 0;
- CheckSumSize = 0;
- IntegrityBuf = NULL;
- //
- // Get the Block Size
- //
- if (SessionCommon->IkeSessionType == IkeSessionTypeIkeSa) {
-
- CryptBlockSize = (UINT8) IpSecGetEncryptBlockSize ((UINT8) SessionCommon->SaParams->EncAlgId);
- CheckSumSize = (UINT8) IpSecGetIcvLength ((UINT8) SessionCommon->SaParams->IntegAlgId);
- IkeSaSession = IKEV2_SA_SESSION_FROM_COMMON (SessionCommon);
-
- } else if (SessionCommon->IkeSessionType == IkeSessionTypeChildSa) {
-
- ChildSaSession = IKEV2_CHILD_SA_SESSION_FROM_COMMON (SessionCommon);
- IkeSaSession = ChildSaSession->IkeSaSession;
- CryptBlockSize = (UINT8) IpSecGetEncryptBlockSize ((UINT8) IkeSaSession->SessionCommon.SaParams->EncAlgId);
- CheckSumSize = (UINT8) IpSecGetIcvLength ((UINT8) IkeSaSession->SessionCommon.SaParams->IntegAlgId);
- }
-
- //
- // Calcualte the EncryptPayloadSize and the PAD length
- //
- CryptBlockSizeMask = (UINT8) (CryptBlockSize - 1);
- EncryptedSize = (IkePacket->PayloadTotalSize + sizeof (IKEV2_PAD_LEN) + CryptBlockSizeMask) & ~CryptBlockSizeMask;
- EncryptedBuf = (UINT8 *) AllocateZeroPool (EncryptedSize);
- if (EncryptedBuf == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto ON_EXIT;
- }
-
- //
- // Copy all payload into EncryptedIkePayload
- //
- Index = 0;
- NET_LIST_FOR_EACH (Entry, &(IkePacket)->PayloadList) {
- IkePayload = IKE_PAYLOAD_BY_PACKET (Entry);
-
- CopyMem (EncryptedBuf + Index, IkePayload->PayloadBuf, IkePayload->PayloadSize);
- Index += IkePayload->PayloadSize;
-
- };
-
- //
- // Fill in the Pading Length
- //
- *(EncryptedBuf + EncryptedSize - 1) = (UINT8)(EncryptedSize - IkePacket->PayloadTotalSize - 1);
-
- //
- // The IV size is equal with block size
- //
- IvSize = CryptBlockSize;
- IvBuffer = (UINT8 *) AllocateZeroPool (IvSize);
- if (IvBuffer == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto ON_EXIT;
- }
-
- //
- // Generate IV
- //
- IkeGenerateIv (IvBuffer, IvSize);
-
- //
- // Encrypt payload buf
- //
- if (SessionCommon->IsInitiator) {
- Status = IpSecCryptoIoEncrypt (
- (UINT8) IkeSaSession->SessionCommon.SaParams->EncAlgId,
- IkeSaSession->IkeKeys->SkEiKey,
- IkeSaSession->IkeKeys->SkEiKeySize << 3,
- IvBuffer,
- EncryptedBuf,
- EncryptedSize,
- EncryptedBuf
- );
- } else {
- Status = IpSecCryptoIoEncrypt (
- (UINT8) IkeSaSession->SessionCommon.SaParams->EncAlgId,
- IkeSaSession->IkeKeys->SkErKey,
- IkeSaSession->IkeKeys->SkErKeySize << 3,
- IvBuffer,
- EncryptedBuf,
- EncryptedSize,
- EncryptedBuf
- );
- }
- if (EFI_ERROR (Status)) {
- goto ON_EXIT;
- }
-
- //
- // Allocate the buffer for the whole IKE payload (Encrypted Payload).
- //
- EncryptPayloadSize = sizeof(IKEV2_ENCRYPTED) + IvSize + EncryptedSize + CheckSumSize;
- EncryptPayloadBuf = AllocateZeroPool (EncryptPayloadSize);
- if (EncryptPayloadBuf == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto ON_EXIT;
- }
-
- //
- // Fill in Header of Encrypted Payload
- //
- ((IKEV2_ENCRYPTED *) EncryptPayloadBuf)->Header.NextPayload = IkePacket->Header->NextPayload;
- ((IKEV2_ENCRYPTED *) EncryptPayloadBuf)->Header.PayloadLength = HTONS ((UINT16)EncryptPayloadSize);
-
- //
- // Fill in Iv
- //
- CopyMem (EncryptPayloadBuf + sizeof (IKEV2_ENCRYPTED), IvBuffer, IvSize);
-
- //
- // Fill in encrypted data
- //
- CopyMem (EncryptPayloadBuf + sizeof (IKEV2_ENCRYPTED) + IvSize, EncryptedBuf, EncryptedSize);
-
- //
- // Fill in the IKE Packet header
- //
- IkePacket->PayloadTotalSize = EncryptPayloadSize;
- IkePacket->Header->Length = (UINT32) (sizeof (IKE_HEADER) + IkePacket->PayloadTotalSize);
- IkePacket->Header->NextPayload = IKEV2_PAYLOAD_TYPE_ENCRYPT;
-
- IntegrityBuf = AllocateZeroPool (IkePacket->Header->Length);
- if (IntegrityBuf == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto ON_EXIT;
- }
- IkeHdrHostToNet (IkePacket->Header);
-
- CopyMem (IntegrityBuf, IkePacket->Header, sizeof (IKE_HEADER));
- CopyMem (IntegrityBuf + sizeof (IKE_HEADER), EncryptPayloadBuf, EncryptPayloadSize);
-
- //
- // Calcualte Integrity CheckSum
- //
- Fragments[0].Data = IntegrityBuf;
- Fragments[0].DataSize = EncryptPayloadSize + sizeof (IKE_HEADER) - CheckSumSize;
-
- CheckSumData = AllocateZeroPool (CheckSumSize);
- if (CheckSumData == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto ON_EXIT;
- }
- if (SessionCommon->IsInitiator) {
-
- IpSecCryptoIoHmac (
- (UINT8)IkeSaSession->SessionCommon.SaParams->IntegAlgId,
- IkeSaSession->IkeKeys->SkAiKey,
- IkeSaSession->IkeKeys->SkAiKeySize,
- (HASH_DATA_FRAGMENT *) Fragments,
- 1,
- CheckSumData,
- CheckSumSize
- );
- } else {
-
- IpSecCryptoIoHmac (
- (UINT8)IkeSaSession->SessionCommon.SaParams->IntegAlgId,
- IkeSaSession->IkeKeys->SkArKey,
- IkeSaSession->IkeKeys->SkArKeySize,
- (HASH_DATA_FRAGMENT *) Fragments,
- 1,
- CheckSumData,
- CheckSumSize
- );
- }
-
- //
- // Copy CheckSum into Encrypted Payload
- //
- CopyMem (EncryptPayloadBuf + EncryptPayloadSize - CheckSumSize, CheckSumData, CheckSumSize);
-
- IPSEC_DUMP_BUF ("Encrypted payload buffer", EncryptPayloadBuf, EncryptPayloadSize);
- IPSEC_DUMP_BUF ("Integrith CheckSum Data", CheckSumData, CheckSumSize);
-
- //
- // Clean all payload under IkePacket->PayloadList.
- //
- ClearAllPayloads (IkePacket);
-
- //
- // Create Encrypted Payload and add into IkePacket->PayloadList
- //
- EncryptPayload = IkePayloadAlloc ();
- if (EncryptPayload == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto ON_EXIT;
- }
-
- //
- // Fill the encrypted payload into the IKE_PAYLOAD structure.
- //
- EncryptPayload->PayloadBuf = EncryptPayloadBuf;
- EncryptPayload->PayloadSize = EncryptPayloadSize;
- EncryptPayload->PayloadType = IKEV2_PAYLOAD_TYPE_ENCRYPT;
-
- IKE_PACKET_APPEND_PAYLOAD (IkePacket, EncryptPayload);
-
-ON_EXIT:
- if (EncryptedBuf != NULL) {
- FreePool (EncryptedBuf);
- }
-
- if (EFI_ERROR (Status) && EncryptPayloadBuf != NULL) {
- FreePool (EncryptPayloadBuf);
- }
-
- if (IvBuffer != NULL) {
- FreePool (IvBuffer);
- }
-
- if (CheckSumData != NULL) {
- FreePool (CheckSumData);
- }
-
- if (IntegrityBuf != NULL) {
- FreePool (IntegrityBuf);
- }
-
- return Status;
-}
-
-
-/**
-
- The notification function. It will be called when the related UDP_TX_TOKEN's event
- is signaled.
-
- This function frees the Net Buffer pointed to the input Packet.
-
- @param[in] Packet Pointer to Net buffer containing the sending IKE packet.
- @param[in] EndPoint Pointer to UDP_END_POINT containing the remote and local
- address information.
- @param[in] IoStatus The Status of the related UDP_TX_TOKEN.
- @param[in] Context Pointer to data passed from the caller.
-
-**/
-VOID
-EFIAPI
-Ikev2OnPacketSent (
- IN NET_BUF *Packet,
- IN UDP_END_POINT *EndPoint,
- IN EFI_STATUS IoStatus,
- IN VOID *Context
- )
-{
- IKE_PACKET *IkePacket;
- IKEV2_SA_SESSION *IkeSaSession;
- IKEV2_CHILD_SA_SESSION *ChildSaSession;
- UINT8 Value;
- IPSEC_PRIVATE_DATA *Private;
- EFI_STATUS Status;
-
- IkePacket = (IKE_PACKET *) Context;
- Private = NULL;
-
- if (EFI_ERROR (IoStatus)) {
- DEBUG ((DEBUG_ERROR, "Error send the last packet in IkeSessionTypeIkeSa with %r\n", IoStatus));
- }
-
- NetbufFree (Packet);
-
- if (IkePacket->IsDeleteInfo) {
- //
- // For each RemotePeerIP, there are only one IKESA.
- //
- IkeSaSession = Ikev2SaSessionLookup (
- &IkePacket->Private->Ikev2EstablishedList,
- &IkePacket->RemotePeerIp
- );
- if (IkeSaSession == NULL) {
- IkePacketFree (IkePacket);
- return;
- }
-
- Private = IkePacket->Private;
- if (IkePacket->Spi != 0 ) {
- //
- // At that time, the established Child SA still in eht ChildSaEstablishSessionList.
- // And meanwhile, if the Child SA is in the the ChildSa in Delete list,
- // remove it from delete list and delete it direclty.
- //
- ChildSaSession = Ikev2ChildSaSessionLookupBySpi (
- &IkeSaSession->ChildSaEstablishSessionList,
- IkePacket->Spi
- );
- if (ChildSaSession != NULL) {
- Ikev2ChildSaSessionRemove (
- &IkeSaSession->DeleteSaList,
- ChildSaSession->LocalPeerSpi,
- IKEV2_DELET_CHILDSA_LIST
- );
-
- //
- // Delete the Child SA.
- //
- Ikev2ChildSaSilentDelete (
- IkeSaSession,
- IkePacket->Spi
- );
- }
-
- } else {
- //
- // Delete the IKE SA
- //
- DEBUG (
- (DEBUG_INFO,
- "\n------ deleted Packet (cookie_i, cookie_r):(0x%lx, 0x%lx)------\n",
- IkeSaSession->InitiatorCookie,
- IkeSaSession->ResponderCookie)
- );
-
- RemoveEntryList (&IkeSaSession->BySessionTable);
- Ikev2SaSessionFree (IkeSaSession);
- }
- }
- IkePacketFree (IkePacket);
-
- //
- // when all IKE SAs were disabled by calling "IPsecConfig -disable", the IPsec status
- // should be changed.
- //
- if (Private != NULL && Private->IsIPsecDisabling) {
- //
- // After all IKE SAs were deleted, set the IPSEC_STATUS_DISABLED value in
- // IPsec status variable.
- //
- if (IsListEmpty (&Private->Ikev1EstablishedList) && IsListEmpty (&Private->Ikev2EstablishedList)) {
- Value = IPSEC_STATUS_DISABLED;
- Status = gRT->SetVariable (
- IPSECCONFIG_STATUS_NAME,
- &gEfiIpSecConfigProtocolGuid,
- EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_NON_VOLATILE,
- sizeof (Value),
- &Value
- );
- if (!EFI_ERROR (Status)) {
- //
- // Set the DisabledFlag in Private data.
- //
- Private->IpSec.DisabledFlag = TRUE;
- Private->IsIPsecDisabling = FALSE;
- }
- }
- }
-}
-
-/**
- Send out IKEV2 packet.
-
- @param[in] IkeUdpService Pointer to IKE_UDP_SERVICE used to send the IKE packet.
- @param[in] SessionCommon Pointer to IKEV1_SESSION_COMMON related to the IKE packet.
- @param[in] IkePacket Pointer to IKE_PACKET to be sent out.
- @param[in] IkeType The type of IKE to point what's kind of the IKE
- packet is to be sent out. IKE_SA_TYPE, IKE_INFO_TYPE
- and IKE_CHILD_TYPE are supportted.
-
- @retval EFI_SUCCESS The operation complete successfully.
- @retval Otherwise The operation is failed.
-
-**/
-EFI_STATUS
-Ikev2SendIkePacket (
- IN IKE_UDP_SERVICE *IkeUdpService,
- IN UINT8 *SessionCommon,
- IN IKE_PACKET *IkePacket,
- IN UINTN IkeType
- )
-{
- EFI_STATUS Status;
- NET_BUF *IkePacketNetbuf;
- UDP_END_POINT EndPoint;
- IKEV2_SESSION_COMMON *Common;
-
- Common = (IKEV2_SESSION_COMMON *) SessionCommon;
-
- //
- // Set the resend interval
- //
- if (Common->TimeoutInterval == 0) {
- Common->TimeoutInterval = IKE_DEFAULT_TIMEOUT_INTERVAL;
- }
-
- //
- // Retransfer the packet if it is initial packet.
- //
- if (IkePacket->Header->Flags == IKE_HEADER_FLAGS_INIT) {
- //
- // Set timer for next retry, this will cancel previous timer
- //
- Status = gBS->SetTimer (
- Common->TimeoutEvent,
- TimerRelative,
- MultU64x32 (Common->TimeoutInterval, 10000) // ms->100ns
- );
- if (EFI_ERROR (Status)) {
- return Status;
- }
- }
-
- IKE_PACKET_REF (IkePacket);
- //
- // If the last sent packet is same with this round packet, the packet is resent packet.
- //
- if (IkePacket != Common->LastSentPacket && Common->LastSentPacket != NULL) {
- IkePacketFree (Common->LastSentPacket);
- }
-
- Common->LastSentPacket = IkePacket;
-
- //
- // Transform IkePacke to NetBuf
- //
- IkePacketNetbuf = IkeNetbufFromPacket ((UINT8 *) SessionCommon, IkePacket, IkeType);
- if (IkePacketNetbuf == NULL) {
- return EFI_OUT_OF_RESOURCES;
- }
-
- ZeroMem (&EndPoint, sizeof (UDP_END_POINT));
- EndPoint.RemotePort = IKE_DEFAULT_PORT;
- CopyMem (&IkePacket->RemotePeerIp, &Common->RemotePeerIp, sizeof (EFI_IP_ADDRESS));
- CopyMem (&EndPoint.RemoteAddr, &Common->RemotePeerIp, sizeof (EFI_IP_ADDRESS));
- CopyMem (&EndPoint.LocalAddr, &Common->LocalPeerIp, sizeof (EFI_IP_ADDRESS));
-
- IPSEC_DUMP_PACKET (IkePacket, EfiIPsecOutBound, IkeUdpService->IpVersion);
-
- if (IkeUdpService->IpVersion == IP_VERSION_4) {
- EndPoint.RemoteAddr.Addr[0] = HTONL (EndPoint.RemoteAddr.Addr[0]);
- EndPoint.LocalAddr.Addr[0] = HTONL (EndPoint.LocalAddr.Addr[0]);
- }
-
- //
- // Call UDPIO to send out the IKE packet.
- //
- Status = UdpIoSendDatagram (
- IkeUdpService->Output,
- IkePacketNetbuf,
- &EndPoint,
- NULL,
- Ikev2OnPacketSent,
- (VOID*)IkePacket
- );
-
- if (EFI_ERROR (Status)) {
- DEBUG ((DEBUG_ERROR, "Error send packet with %r\n", Status));
- }
-
- return Status;
-}
-
diff --git a/NetworkPkg/IpSecDxe/Ikev2/Payload.h b/NetworkPkg/IpSecDxe/Ikev2/Payload.h deleted file mode 100644 index 1f3cc328bd..0000000000 --- a/NetworkPkg/IpSecDxe/Ikev2/Payload.h +++ /dev/null @@ -1,437 +0,0 @@ -/** @file
- The Definitions related to IKEv2 payload.
-
- Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>
-
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-#ifndef _IKE_V2_PAYLOAD_H_
-#define _IKE_V2_PAYLOAD_H_
-
-//
-// Payload Type for IKEv2
-//
-#define IKEV2_PAYLOAD_TYPE_NONE 0
-#define IKEV2_PAYLOAD_TYPE_SA 33
-#define IKEV2_PAYLOAD_TYPE_KE 34
-#define IKEV2_PAYLOAD_TYPE_ID_INIT 35
-#define IKEV2_PAYLOAD_TYPE_ID_RSP 36
-#define IKEV2_PAYLOAD_TYPE_CERT 37
-#define IKEV2_PAYLOAD_TYPE_CERTREQ 38
-#define IKEV2_PAYLOAD_TYPE_AUTH 39
-#define IKEV2_PAYLOAD_TYPE_NONCE 40
-#define IKEV2_PAYLOAD_TYPE_NOTIFY 41
-#define IKEV2_PAYLOAD_TYPE_DELETE 42
-#define IKEV2_PAYLOAD_TYPE_VENDOR 43
-#define IKEV2_PAYLOAD_TYPE_TS_INIT 44
-#define IKEV2_PAYLOAD_TYPE_TS_RSP 45
-#define IKEV2_PAYLOAD_TYPE_ENCRYPT 46
-#define IKEV2_PAYLOAD_TYPE_CP 47
-#define IKEV2_PAYLOAD_TYPE_EAP 48
-
-//
-// IKE header Flag (1 octet) for IKEv2, defined in RFC 4306 section 3.1
-//
-// I(nitiator) (bit 3 of Flags, 0x08) - This bit MUST be set in messages sent by the
-// original initiator of the IKE_SA
-//
-// R(esponse) (bit 5 of Flags, 0x20) - This bit indicates that this message is a response to
-// a message containing the same message ID.
-//
-#define IKE_HEADER_FLAGS_INIT 0x08
-#define IKE_HEADER_FLAGS_RESPOND 0x20
-
-//
-// IKE Header Exchange Type for IKEv2
-//
-#define IKEV2_EXCHANGE_TYPE_INIT 34
-#define IKEV2_EXCHANGE_TYPE_AUTH 35
-#define IKEV2_EXCHANGE_TYPE_CREATE_CHILD 36
-#define IKEV2_EXCHANGE_TYPE_INFO 37
-
-#pragma pack(1)
-typedef struct {
- UINT8 NextPayload;
- UINT8 Reserved;
- UINT16 PayloadLength;
-} IKEV2_COMMON_PAYLOAD_HEADER;
-#pragma pack()
-
-#pragma pack(1)
-typedef struct {
- IKEV2_COMMON_PAYLOAD_HEADER Header;
- //
- // Proposals
- //
-} IKEV2_SA;
-#pragma pack()
-
-#pragma pack(1)
-typedef struct {
- IKEV2_COMMON_PAYLOAD_HEADER Header;
- UINT8 ProposalIndex;
- UINT8 ProtocolId;
- UINT8 SpiSize;
- UINT8 NumTransforms;
-} IKEV2_PROPOSAL;
-#pragma pack()
-
-//
-// IKEv2 Transform Type Values presented within Transform Payload
-//
-#define IKEV2_TRANSFORM_TYPE_ENCR 1 // Encryption Algorithm
-#define IKEV2_TRANSFORM_TYPE_PRF 2 // Pseduo-Random Func
-#define IKEV2_TRANSFORM_TYPE_INTEG 3 // Integrity Algorithm
-#define IKEV2_TRANSFORM_TYPE_DH 4 // DH Group
-#define IKEV2_TRANSFORM_TYPE_ESN 5 // Extended Sequence Number
-
-//
-// IKEv2 Transform ID for Encrypt Algorithm (ENCR)
-//
-#define IKEV2_TRANSFORM_ID_ENCR_DES_IV64 1
-#define IKEV2_TRANSFORM_ID_ENCR_DES 2
-#define IKEV2_TRANSFORM_ID_ENCR_3DES 3
-#define IKEV2_TRANSFORM_ID_ENCR_RC5 4
-#define IKEV2_TRANSFORM_ID_ENCR_IDEA 5
-#define IKEV2_TRANSFORM_ID_ENCR_CAST 6
-#define IKEV2_TRANSFORM_ID_ENCR_BLOWFISH 7
-#define IKEV2_TRANSFORM_ID_ENCR_3IDEA 8
-#define IKEV2_TRANSFORM_ID_ENCR_DES_IV32 9
-#define IKEV2_TRANSFORM_ID_ENCR_NULL 11
-#define IKEV2_TRANSFORM_ID_ENCR_AES_CBC 12
-#define IKEV2_TRANSFORM_ID_ENCR_AES_CTR 13
-
-//
-// IKEv2 Transform ID for Pseudo-Random Function (PRF)
-//
-#define IKEV2_TRANSFORM_ID_PRF_HMAC_MD5 1
-#define IKEV2_TRANSFORM_ID_PRF_HMAC_SHA1 2
-#define IKEV2_TRANSFORM_ID_PRF_HMAC_TIGER 3
-#define IKEV2_TRANSFORM_ID_PRF_AES128_XCBC 4
-
-//
-// IKEv2 Transform ID for Integrity Algorithm (INTEG)
-//
-#define IKEV2_TRANSFORM_ID_AUTH_NONE 0
-#define IKEV2_TRANSFORM_ID_AUTH_HMAC_MD5_96 1
-#define IKEV2_TRANSFORM_ID_AUTH_HMAC_SHA1_96 2
-#define IKEV2_TRANSFORM_ID_AUTH_HMAC_DES_MAC 3
-#define IKEV2_TRANSFORM_ID_AUTH_HMAC_KPDK_MD5 4
-#define IKEV2_TRANSFORM_ID_AUTH_HMAC_AES_XCBC_96 5
-
-//
-// IKEv2 Transform ID for Diffie-Hellman Group (DH)
-//
-#define IKEV2_TRANSFORM_ID_DH_768MODP 1
-#define IKEV2_TRANSFORM_ID_DH_1024MODP 2
-#define IKEV2_TRANSFORM_ID_DH_2048MODP 14
-
-//
-// IKEv2 Attribute Type Values
-//
-#define IKEV2_ATTRIBUTE_TYPE_KEYLEN 14
-
-//
-// Transform Payload
-//
-#pragma pack(1)
-typedef struct {
- IKEV2_COMMON_PAYLOAD_HEADER Header;
- UINT8 TransformType;
- UINT8 Reserved;
- UINT16 TransformId;
- //
- // SA Attributes
- //
-} IKEV2_TRANSFORM;
-#pragma pack()
-
-#pragma pack(1)
-typedef struct {
- IKEV2_COMMON_PAYLOAD_HEADER Header;
- UINT16 DhGroup;
- UINT16 Reserved;
- //
- // Remaining part contains the key exchanged
- //
-} IKEV2_KEY_EXCHANGE;
-#pragma pack()
-
-//
-// Identification Type Values presented within Ikev2 ID payload
-//
-#define IKEV2_ID_TYPE_IPV4_ADDR 1
-#define IKEV2_ID_TYPE_FQDN 2
-#define IKEV2_ID_TYPE_RFC822_ADDR 3
-#define IKEV2_ID_TYPE_IPV6_ADDR 5
-#define IKEV2_ID_TYPE_DER_ASN1_DN 9
-#define IKEV2_ID_TYPE_DER_ASN1_GN 10
-#define IKEV2_ID_TYPE_KEY_ID 11
-
-//
-// Identification Payload
-//
-#pragma pack(1)
-typedef struct {
- IKEV2_COMMON_PAYLOAD_HEADER Header;
- UINT8 IdType;
- UINT8 Reserver1;
- UINT16 Reserver2;
- //
- // Identification Data
- //
-} IKEV2_ID;
-#pragma pack()
-
-//
-// Encoding Type presented in IKEV2 Cert Payload
-//
-#define IKEV2_CERT_ENCODEING_RESERVED 0
-#define IKEV2_CERT_ENCODEING_X509_CERT_WRAP 1
-#define IKEV2_CERT_ENCODEING_PGP_CERT 2
-#define IKEV2_CERT_ENCODEING_DNS_SIGN_KEY 3
-#define IKEV2_CERT_ENCODEING_X509_CERT_SIGN 4
-#define IKEV2_CERT_ENCODEING_KERBEROS_TOKEN 6
-#define IKEV2_CERT_ENCODEING_REVOCATION_LIST_CERT 7
-#define IKEV2_CERT_ENCODEING_AUTH_REVOCATION_LIST 8
-#define IKEV2_CERT_ENCODEING_SPKI_CERT 9
-#define IKEV2_CERT_ENCODEING_X509_CERT_ATTRIBUTE 10
-#define IKEV2_CERT_ENCODEING_RAW_RSA_KEY 11
-#define IKEV2_CERT_ENCODEING_HASH_AND_URL_OF_X509_CERT 12
-
-//
-// IKEV2 Certificate Payload
-//
-#pragma pack(1)
-typedef struct {
- IKEV2_COMMON_PAYLOAD_HEADER Header;
- UINT8 CertEncoding;
- //
- // Cert Data
- //
-} IKEV2_CERT;
-#pragma pack()
-
-//
-// IKEV2 Certificate Request Payload
-//
-#pragma pack(1)
-typedef struct {
- IKEV2_COMMON_PAYLOAD_HEADER Header;
- UINT8 CertEncoding;
- //
- // Cert Authority
- //
-} IKEV2_CERT_REQ;
-#pragma pack()
-
-//
-// Authentication Payload
-//
-#pragma pack(1)
-typedef struct {
- IKEV2_COMMON_PAYLOAD_HEADER Header;
- UINT8 AuthMethod;
- UINT8 Reserved1;
- UINT16 Reserved2;
- //
- // Auth Data
- //
-} IKEV2_AUTH;
-#pragma pack()
-
-//
-// Authmethod in Authentication Payload
-//
-#define IKEV2_AUTH_METHOD_RSA 1; // RSA Digital Signature
-#define IKEV2_AUTH_METHOD_SKMI 2; // Shared Key Message Integrity
-#define IKEV2_AUTH_METHOD_DSS 3; // DSS Digital Signature
-
-//
-// IKEv2 Nonce Payload
-//
-#pragma pack(1)
-typedef struct {
- IKEV2_COMMON_PAYLOAD_HEADER Header;
- //
- // Nonce Data
- //
-} IKEV2_NONCE;
-#pragma pack()
-
-//
-// Notification Payload
-//
-#pragma pack(1)
-typedef struct {
- IKEV2_COMMON_PAYLOAD_HEADER Header;
- UINT8 ProtocolId;
- UINT8 SpiSize;
- UINT16 MessageType;
- //
- // SPI and Notification Data
- //
-} IKEV2_NOTIFY;
-#pragma pack()
-
-//
-// Notify Message Types presented within IKEv2 Notify Payload
-//
-#define IKEV2_NOTIFICATION_UNSUPPORT_CRITICAL_PAYLOAD 1
-#define IKEV2_NOTIFICATION_INVALID_IKE_SPI 4
-#define IKEV2_NOTIFICATION_INVALID_MAJOR_VERSION 5
-#define IKEV2_NOTIFICATION_INVALID_SYNTAX 7
-#define IKEV2_NOTIFICATION_INVALID_MESSAGE_ID 9
-#define IKEV2_NOTIFICATION_INVALID_SPI 11
-#define IKEV2_NOTIFICATION_NO_PROPOSAL_CHOSEN 14
-#define IKEV2_NOTIFICATION_INVALID_KEY_PAYLOAD 17
-#define IKEV2_NOTIFICATION_AUTHENTICATION_FAILED 24
-#define IKEV2_NOTIFICATION_SINGLE_PAIR_REQUIRED 34
-#define IKEV2_NOTIFICATION_NO_ADDITIONAL_SAS 35
-#define IKEV2_NOTIFICATION_INTERNAL_ADDRESS_FAILURE 36
-#define IKEV2_NOTIFICATION_FAILED_CP_REQUIRED 37
-#define IKEV2_NOTIFICATION_TS_UNCCEPTABLE 38
-#define IKEV2_NOTIFICATION_INVALID_SELECTORS 39
-#define IKEV2_NOTIFICATION_COOKIE 16390
-#define IKEV2_NOTIFICATION_USE_TRANSPORT_MODE 16391
-#define IKEV2_NOTIFICATION_REKEY_SA 16393
-
-//
-// IKEv2 Protocol ID
-//
-//
-// IKEv2 Delete Payload
-//
-#pragma pack(1)
-typedef struct {
- IKEV2_COMMON_PAYLOAD_HEADER Header;
- UINT8 ProtocolId;
- UINT8 SpiSize;
- UINT16 NumSpis;
- //
- // SPIs
- //
-} IKEV2_DELETE;
-#pragma pack()
-
-//
-// Traffic Selector Payload
-//
-#pragma pack(1)
-typedef struct {
- IKEV2_COMMON_PAYLOAD_HEADER Header;
- UINT8 TSNumbers;
- UINT8 Reserved1;
- UINT16 Reserved2;
- //
- // Traffic Selector
- //
-} IKEV2_TS;
-#pragma pack()
-
-//
-// Traffic Selector
-//
-#pragma pack(1)
-typedef struct {
- UINT8 TSType;
- UINT8 IpProtocolId;
- UINT16 SelecorLen;
- UINT16 StartPort;
- UINT16 EndPort;
- //
- // Starting Address && Ending Address
- //
-} TRAFFIC_SELECTOR;
-#pragma pack()
-
-//
-// Ts Type in Traffic Selector
-//
-#define IKEV2_TS_TYPE_IPV4_ADDR_RANGE 7
-#define IKEV2_TS_TYPS_IPV6_ADDR_RANGE 8
-
-//
-// Vendor Payload
-//
-#pragma pack(1)
-typedef struct {
- IKEV2_COMMON_PAYLOAD_HEADER Header;
- //
- // Vendor ID
- //
-} IKEV2_VENDOR;
-#pragma pack()
-
-//
-// Encrypted Payload
-//
-#pragma pack(1)
-typedef struct {
- IKEV2_COMMON_PAYLOAD_HEADER Header;
- //
- // IV, Encrypted IKE Payloads, Padding, PAD length, Integrity CheckSum
- //
-} IKEV2_ENCRYPTED;
-#pragma pack()
-
-#pragma pack(1)
-typedef struct {
- UINT8 PadLength;
-} IKEV2_PAD_LEN;
-#pragma pack()
-
-//
-// Configuration Payload
-//
-#pragma pack(1)
-typedef struct {
- IKEV2_COMMON_PAYLOAD_HEADER Header;
- UINT8 CfgType;
- UINT8 Reserve1;
- UINT16 Reserve2;
- //
- // Configuration Attributes
- //
-} IKEV2_CFG;
-#pragma pack()
-
-//
-// Configuration Payload CPG type
-//
-#define IKEV2_CFG_TYPE_REQUEST 1
-#define IKEV2_CFG_TYPE_REPLY 2
-#define IKEV2_CFG_TYPE_SET 3
-#define IKEV2_CFG_TYPE_ACK 4
-
-//
-// Configuration Attributes
-//
-#pragma pack(1)
-typedef struct {
- UINT16 AttritType;
- UINT16 ValueLength;
-} IKEV2_CFG_ATTRIBUTES;
-#pragma pack()
-
-//
-// Configuration Attributes
-//
-#define IKEV2_CFG_ATTR_INTERNAL_IP4_ADDRESS 1
-#define IKEV2_CFG_ATTR_INTERNAL_IP4_NBTMASK 2
-#define IKEV2_CFG_ATTR_INTERNAL_IP4_DNS 3
-#define IKEV2_CFG_ATTR_INTERNAL_IP4_NBNS 4
-#define IKEV2_CFG_ATTR_INTERNA_ADDRESS_BXPIRY 5
-#define IKEV2_CFG_ATTR_INTERNAL_IP4_DHCP 6
-#define IKEV2_CFG_ATTR_APPLICATION_VERSION 7
-#define IKEV2_CFG_ATTR_INTERNAL_IP6_ADDRESS 8
-#define IKEV2_CFG_ATTR_INTERNAL_IP6_DNS 10
-#define IKEV2_CFG_ATTR_INTERNAL_IP6_NBNS 11
-#define IKEV2_CFG_ATTR_INTERNAL_IP6_DHCP 12
-#define IKEV2_CFG_ATTR_INTERNAL_IP4_SUBNET 13
-#define IKEV2_CFG_ATTR_SUPPORTED_ATTRIBUTES 14
-#define IKEV2_CFG_ATTR_IP6_SUBNET 15
-
-#endif
-
diff --git a/NetworkPkg/IpSecDxe/Ikev2/Sa.c b/NetworkPkg/IpSecDxe/Ikev2/Sa.c deleted file mode 100644 index d833f06a58..0000000000 --- a/NetworkPkg/IpSecDxe/Ikev2/Sa.c +++ /dev/null @@ -1,2255 +0,0 @@ -/** @file
- The operations for IKEv2 SA.
-
- (C) Copyright 2015 Hewlett-Packard Development Company, L.P.<BR>
- Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>
-
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#include "Utility.h"
-#include "IpSecDebug.h"
-#include "IkeService.h"
-#include "Ikev2.h"
-
-/**
- Generates the DH Key.
-
- This generates the DH local public key and store it in the IKEv2 SA Session's GxBuffer.
-
- @param[in] IkeSaSession Pointer to related IKE SA Session.
-
- @retval EFI_SUCCESS The operation succeeded.
- @retval Others The operation failed.
-
-**/
-EFI_STATUS
-Ikev2GenerateSaDhPublicKey (
- IN IKEV2_SA_SESSION *IkeSaSession
- );
-
-/**
- Generates the IKEv2 SA key for the furthure IKEv2 exchange.
-
- @param[in] IkeSaSession Pointer to IKEv2 SA Session.
- @param[in] KePayload Pointer to Key payload used to generate the Key.
-
- @retval EFI_UNSUPPORTED If the Algorithm Id is not supported.
- @retval EFI_SUCCESS The operation succeeded.
-
-**/
-EFI_STATUS
-Ikev2GenerateSaKeys (
- IN IKEV2_SA_SESSION *IkeSaSession,
- IN IKE_PAYLOAD *KePayload
- );
-
-/**
- Generates the Keys for the furthure IPsec Protocol.
-
- @param[in] ChildSaSession Pointer to IKE Child SA Session.
- @param[in] KePayload Pointer to Key payload used to generate the Key.
-
- @retval EFI_UNSUPPORTED If one or more Algorithm Id is unsupported.
- @retval EFI_SUCCESS The operation succeeded.
-
-**/
-EFI_STATUS
-Ikev2GenerateChildSaKeys (
- IN IKEV2_CHILD_SA_SESSION *ChildSaSession,
- IN IKE_PAYLOAD *KePayload
- );
-
-/**
- Gernerates IKEv2 packet for IKE_SA_INIT exchange.
-
- @param[in] SaSession Pointer to IKEV2_SA_SESSION related to the exchange.
- @param[in] Context Context Data passed by caller.
-
- @retval EFI_SUCCESS The IKEv2 packet generation succeeded.
- @retval Others The IKEv2 packet generation failed.
-
-**/
-IKE_PACKET *
-Ikev2InitPskGenerator (
- IN UINT8 *SaSession,
- IN VOID *Context
- )
-{
- IKE_PACKET *IkePacket;
- IKEV2_SA_SESSION *IkeSaSession;
- IKE_PAYLOAD *SaPayload;
- IKE_PAYLOAD *KePayload;
- IKE_PAYLOAD *NoncePayload;
- IKE_PAYLOAD *NotifyPayload;
- EFI_STATUS Status;
-
- SaPayload = NULL;
- KePayload = NULL;
- NoncePayload = NULL;
- NotifyPayload = NULL;
-
- IkeSaSession = (IKEV2_SA_SESSION *) SaSession;
-
- //
- // 1. Allocate IKE packet
- //
- IkePacket = IkePacketAlloc ();
- if (IkePacket == NULL) {
- goto CheckError;
- }
-
- //
- // 1.a Fill the IkePacket->Hdr
- //
- IkePacket->Header->ExchangeType = IKEV2_EXCHANGE_TYPE_INIT;
- IkePacket->Header->InitiatorCookie = IkeSaSession->InitiatorCookie;
- IkePacket->Header->ResponderCookie = IkeSaSession->ResponderCookie;
- IkePacket->Header->Version = (UINT8) (2 << 4);
- IkePacket->Header->MessageId = 0;
-
- if (IkeSaSession->SessionCommon.IsInitiator) {
- IkePacket->Header->Flags = IKE_HEADER_FLAGS_INIT;
- } else {
- IkePacket->Header->Flags = IKE_HEADER_FLAGS_RESPOND;
- }
-
- //
- // If the NCookie is not NULL, this IKE_SA_INIT packet is resent by the NCookie
- // and the NCookie payload should be the first payload in this packet.
- //
- if (IkeSaSession->NCookie != NULL) {
- IkePacket->Header->NextPayload = IKEV2_PAYLOAD_TYPE_NOTIFY;
- NotifyPayload = Ikev2GenerateNotifyPayload (
- IPSEC_PROTO_ISAKMP,
- IKEV2_PAYLOAD_TYPE_SA,
- 0,
- IKEV2_NOTIFICATION_COOKIE,
- NULL,
- IkeSaSession->NCookie,
- IkeSaSession->NCookieSize
- );
- } else {
- IkePacket->Header->NextPayload = IKEV2_PAYLOAD_TYPE_SA;
- }
-
- //
- // 2. Generate SA Payload according to the SaData & SaParams
- //
- SaPayload = Ikev2GenerateSaPayload (
- IkeSaSession->SaData,
- IKEV2_PAYLOAD_TYPE_KE,
- IkeSessionTypeIkeSa
- );
-
- //
- // 3. Generate DH public key.
- // The DhPrivate Key has been generated in Ikev2InitPskParser, if the
- // IkeSaSession is responder. If resending IKE_SA_INIT with Cookie Notify
- // No need to recompute the Public key.
- //
- if ((IkeSaSession->SessionCommon.IsInitiator) && (IkeSaSession->NCookie == NULL)) {
- Status = Ikev2GenerateSaDhPublicKey (IkeSaSession);
- if (EFI_ERROR (Status)) {
- goto CheckError;
- }
- }
-
- //
- // 4. Generate KE Payload according to SaParams->DhGroup
- //
- KePayload = Ikev2GenerateKePayload (
- IkeSaSession,
- IKEV2_PAYLOAD_TYPE_NONCE
- );
-
- //
- // 5. Generate Nonce Payload
- // If resending IKE_SA_INIT with Cookie Notify paylaod, no need to regenerate
- // the Nonce Payload.
- //
- if ((IkeSaSession->SessionCommon.IsInitiator) && (IkeSaSession->NCookie == NULL)) {
- IkeSaSession->NiBlkSize = IKE_NONCE_SIZE;
- IkeSaSession->NiBlock = IkeGenerateNonce (IKE_NONCE_SIZE);
- if (IkeSaSession->NiBlock == NULL) {
- goto CheckError;
- }
- }
-
- if (IkeSaSession->SessionCommon.IsInitiator) {
- NoncePayload = Ikev2GenerateNoncePayload (
- IkeSaSession->NiBlock,
- IkeSaSession->NiBlkSize,
- IKEV2_PAYLOAD_TYPE_NONE
- );
- } else {
- //
- // The Nonce Payload has been created in Ikev2PskParser if the IkeSaSession is
- // responder.
- //
- NoncePayload = Ikev2GenerateNoncePayload (
- IkeSaSession->NrBlock,
- IkeSaSession->NrBlkSize,
- IKEV2_PAYLOAD_TYPE_NONE
- );
- }
-
- if (NotifyPayload != NULL) {
- IKE_PACKET_APPEND_PAYLOAD (IkePacket, NotifyPayload);
- }
- if (SaPayload != NULL) {
- IKE_PACKET_APPEND_PAYLOAD (IkePacket, SaPayload);
- }
- if (KePayload != NULL) {
- IKE_PACKET_APPEND_PAYLOAD (IkePacket, KePayload);
- }
- if (NoncePayload != NULL) {
- IKE_PACKET_APPEND_PAYLOAD (IkePacket, NoncePayload);
- }
-
- return IkePacket;
-
-CheckError:
- if (IkePacket != NULL) {
- IkePacketFree (IkePacket);
- }
- if (SaPayload != NULL) {
- IkePayloadFree (SaPayload);
- }
- return NULL;
-}
-
-/**
- Parses the IKEv2 packet for IKE_SA_INIT exchange.
-
- @param[in] SaSession Pointer to IKEV2_SA_SESSION related to the exchange.
- @param[in] IkePacket The received IKE packet to be parsed.
-
- @retval EFI_SUCCESS The IKEv2 packet is acceptable and the relative data is
- saved for furthure communication.
- @retval EFI_INVALID_PARAMETER The IKEv2 packet is malformed or the SA proposal is unacceptable.
-
-**/
-EFI_STATUS
-Ikev2InitPskParser (
- IN UINT8 *SaSession,
- IN IKE_PACKET *IkePacket
- )
-{
- IKEV2_SA_SESSION *IkeSaSession;
- IKE_PAYLOAD *SaPayload;
- IKE_PAYLOAD *KeyPayload;
- IKE_PAYLOAD *IkePayload;
- IKE_PAYLOAD *NoncePayload;
- IKE_PAYLOAD *NotifyPayload;
- UINT8 *NonceBuffer;
- UINTN NonceSize;
- LIST_ENTRY *Entry;
- EFI_STATUS Status;
-
- IkeSaSession = (IKEV2_SA_SESSION *) SaSession;
- KeyPayload = NULL;
- SaPayload = NULL;
- NoncePayload = NULL;
- IkePayload = NULL;
- NotifyPayload = NULL;
-
- //
- // Iterate payloads to find the SaPayload and KeyPayload.
- //
- NET_LIST_FOR_EACH (Entry, &(IkePacket)->PayloadList) {
- IkePayload = IKE_PAYLOAD_BY_PACKET (Entry);
- if (IkePayload->PayloadType == IKEV2_PAYLOAD_TYPE_SA) {
- SaPayload = IkePayload;
- }
- if (IkePayload->PayloadType == IKEV2_PAYLOAD_TYPE_KE) {
- KeyPayload = IkePayload;
- }
- if (IkePayload->PayloadType == IKEV2_PAYLOAD_TYPE_NONCE) {
- NoncePayload = IkePayload;
- }
- if (IkePayload->PayloadType == IKEV2_PAYLOAD_TYPE_NOTIFY) {
- NotifyPayload = IkePayload;
- }
- }
-
- //
- // According to RFC 4306 - 2.6. If the responder responds with the COOKIE Notify
- // payload with the cookie data, initiator MUST retry the IKE_SA_INIT with a
- // Notify payload of type COOKIE containing the responder suppplied cookie data
- // as first payload and all other payloads unchanged.
- //
- if (IkeSaSession->SessionCommon.IsInitiator) {
- if (NotifyPayload != NULL && !EFI_ERROR(Ikev2ParserNotifyCookiePayload (NotifyPayload, IkeSaSession))) {
- return EFI_SUCCESS;
- }
- }
-
- if ((KeyPayload == NULL) || (SaPayload == NULL) || (NoncePayload == NULL)) {
- return EFI_INVALID_PARAMETER;
- }
-
- //
- // Store NoncePayload for SKEYID computing.
- //
- NonceSize = NoncePayload->PayloadSize - sizeof (IKEV2_COMMON_PAYLOAD_HEADER);
- NonceBuffer = (UINT8 *) AllocatePool (NonceSize);
- if (NonceBuffer == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto CheckError;
- }
-
- CopyMem (
- NonceBuffer,
- NoncePayload->PayloadBuf + sizeof (IKEV2_COMMON_PAYLOAD_HEADER),
- NonceSize
- );
-
- //
- // Check if IkePacket Header matches the state
- //
- if (IkeSaSession->SessionCommon.IsInitiator) {
- //
- // 1. Check the IkePacket->Hdr == IKE_HEADER_FLAGS_RESPOND
- //
- if (IkePacket->Header->Flags != IKE_HEADER_FLAGS_RESPOND) {
- Status = EFI_INVALID_PARAMETER;
- goto CheckError;
- }
-
- //
- // 2. Parse the SA Payload and Key Payload to find out the cryptographic
- // suite and fill in the Sa paramse into CommonSession->SaParams
- //
- if (!Ikev2SaParseSaPayload (IkeSaSession, SaPayload, IkePacket->Header->Flags)) {
- Status = EFI_INVALID_PARAMETER;
- goto CheckError;
- }
-
- //
- // 3. If Initiator, the NoncePayload is Nr_b.
- //
- IKEV2_DUMP_STATE (IkeSaSession->SessionCommon.State, IkeStateAuth);
- IkeSaSession->NrBlock = NonceBuffer;
- IkeSaSession->NrBlkSize = NonceSize;
- IkeSaSession->SessionCommon.State = IkeStateAuth;
- IkeSaSession->ResponderCookie = IkePacket->Header->ResponderCookie;
-
- //
- // 4. Change the state of IkeSaSession
- //
- IkeSaSession->SessionCommon.State = IkeStateAuth;
- } else {
- //
- // 1. Check the IkePacket->Hdr == IKE_HEADER_FLAGS_INIT
- //
- if (IkePacket->Header->Flags != IKE_HEADER_FLAGS_INIT) {
- Status = EFI_INVALID_PARAMETER;
- goto CheckError;
- }
-
- //
- // 2. Parse the SA payload and find out the perfered one
- // and fill in the SA parameters into CommonSession->SaParams and SaData into
- // IkeSaSession for the responder SA payload generation.
- //
- if (!Ikev2SaParseSaPayload (IkeSaSession, SaPayload, IkePacket->Header->Flags)) {
- Status = EFI_INVALID_PARAMETER;
- goto CheckError;
- }
-
- //
- // 3. Generat Dh Y parivate Key
- //
- Status = Ikev2GenerateSaDhPublicKey (IkeSaSession);
- if (EFI_ERROR (Status)) {
- goto CheckError;
- }
-
- //
- // 4. If Responder, the NoncePayload is Ni_b and go to generate Nr_b.
- //
- IkeSaSession->NiBlock = NonceBuffer;
- IkeSaSession->NiBlkSize = NonceSize;
-
- //
- // 5. Generate Nr_b
- //
- IkeSaSession->NrBlock = IkeGenerateNonce (IKE_NONCE_SIZE);
- ASSERT (IkeSaSession->NrBlock != NULL);
- IkeSaSession->NrBlkSize = IKE_NONCE_SIZE;
-
- //
- // 6. Save the Cookies
- //
- IkeSaSession->InitiatorCookie = IkePacket->Header->InitiatorCookie;
- IkeSaSession->ResponderCookie = IkeGenerateCookie ();
- }
-
- if (IkeSaSession->SessionCommon.PreferDhGroup != ((IKEV2_KEY_EXCHANGE *)KeyPayload->PayloadBuf)->DhGroup) {
- Status = EFI_INVALID_PARAMETER;
- goto CheckError;
- }
- //
- // Call Ikev2GenerateSaKeys to create SKEYID, SKEYID_d, SKEYID_a, SKEYID_e.
- //
- Status = Ikev2GenerateSaKeys (IkeSaSession, KeyPayload);
- if (EFI_ERROR(Status)) {
- goto CheckError;
- }
- return EFI_SUCCESS;
-
-CheckError:
- if (NonceBuffer != NULL) {
- FreePool (NonceBuffer);
- }
-
- return Status;
-}
-
-/**
- Generates the IKEv2 packet for IKE_AUTH exchange.
-
- @param[in] SaSession Pointer to IKEV2_SA_SESSION.
- @param[in] Context Context data passed by caller.
-
- @retval Pointer to IKE Packet to be sent out.
-
-**/
-IKE_PACKET *
-Ikev2AuthPskGenerator (
- IN UINT8 *SaSession,
- IN VOID *Context
- )
-{
- IKE_PACKET *IkePacket;
- IKEV2_SA_SESSION *IkeSaSession;
- IKE_PAYLOAD *IdPayload;
- IKE_PAYLOAD *AuthPayload;
- IKE_PAYLOAD *SaPayload;
- IKE_PAYLOAD *TsiPayload;
- IKE_PAYLOAD *TsrPayload;
- IKE_PAYLOAD *NotifyPayload;
- IKE_PAYLOAD *CpPayload;
- IKEV2_CHILD_SA_SESSION *ChildSaSession;
-
-
- IkeSaSession = (IKEV2_SA_SESSION *) SaSession;
- ChildSaSession = IKEV2_CHILD_SA_SESSION_BY_IKE_SA (GetFirstNode (&IkeSaSession->ChildSaSessionList));
-
- IkePacket = NULL;
- IdPayload = NULL;
- AuthPayload = NULL;
- SaPayload = NULL;
- TsiPayload = NULL;
- TsrPayload = NULL;
- NotifyPayload = NULL;
- CpPayload = NULL;
- NotifyPayload = NULL;
-
- //
- // 1. Allocate IKE Packet
- //
- IkePacket= IkePacketAlloc ();
- if (IkePacket == NULL) {
- return NULL;
- }
-
- //
- // 1.a Fill the IkePacket Header.
- //
- IkePacket->Header->ExchangeType = IKEV2_EXCHANGE_TYPE_AUTH;
- IkePacket->Header->InitiatorCookie = IkeSaSession->InitiatorCookie;
- IkePacket->Header->ResponderCookie = IkeSaSession->ResponderCookie;
- IkePacket->Header->Version = (UINT8)(2 << 4);
- if (ChildSaSession->SessionCommon.IsInitiator) {
- IkePacket->Header->NextPayload = IKEV2_PAYLOAD_TYPE_ID_INIT;
- } else {
- IkePacket->Header->NextPayload = IKEV2_PAYLOAD_TYPE_ID_RSP;
- }
-
- //
- // According to RFC4306_2.2, For the IKE_SA_INIT message the MessageID should
- // be always number 0 and 1;
- //
- IkePacket->Header->MessageId = 1;
-
- if (IkeSaSession->SessionCommon.IsInitiator) {
- IkePacket->Header->Flags = IKE_HEADER_FLAGS_INIT;
- } else {
- IkePacket->Header->Flags = IKE_HEADER_FLAGS_RESPOND;
- }
-
- //
- // 2. Generate ID Payload according to IP version and address.
- //
- IdPayload = Ikev2GenerateIdPayload (
- &IkeSaSession->SessionCommon,
- IKEV2_PAYLOAD_TYPE_AUTH
- );
- if (IdPayload == NULL) {
- goto CheckError;
- }
-
- //
- // 3. Generate Auth Payload
- // If it is tunnel mode, should create the configuration payload after the
- // Auth payload.
- //
- if (IkeSaSession->Spd->Data->ProcessingPolicy->Mode == EfiIPsecTransport) {
-
- AuthPayload = Ikev2PskGenerateAuthPayload (
- ChildSaSession->IkeSaSession,
- IdPayload,
- IKEV2_PAYLOAD_TYPE_SA,
- FALSE
- );
- } else {
- AuthPayload = Ikev2PskGenerateAuthPayload (
- ChildSaSession->IkeSaSession,
- IdPayload,
- IKEV2_PAYLOAD_TYPE_CP,
- FALSE
- );
- if (IkeSaSession->SessionCommon.UdpService->IpVersion == IP_VERSION_4) {
- CpPayload = Ikev2GenerateCpPayload (
- ChildSaSession->IkeSaSession,
- IKEV2_PAYLOAD_TYPE_SA,
- IKEV2_CFG_ATTR_INTERNAL_IP4_ADDRESS
- );
- } else {
- CpPayload = Ikev2GenerateCpPayload (
- ChildSaSession->IkeSaSession,
- IKEV2_PAYLOAD_TYPE_SA,
- IKEV2_CFG_ATTR_INTERNAL_IP6_ADDRESS
- );
- }
-
- if (CpPayload == NULL) {
- goto CheckError;
- }
- }
-
- if (AuthPayload == NULL) {
- goto CheckError;
- }
-
- //
- // 4. Generate SA Payload according to the SA Data in ChildSaSession
- //
- SaPayload = Ikev2GenerateSaPayload (
- ChildSaSession->SaData,
- IKEV2_PAYLOAD_TYPE_TS_INIT,
- IkeSessionTypeChildSa
- );
- if (SaPayload == NULL) {
- goto CheckError;
- }
-
- if (IkeSaSession->Spd->Data->ProcessingPolicy->Mode == EfiIPsecTransport) {
- //
- // Generate Tsi and Tsr.
- //
- TsiPayload = Ikev2GenerateTsPayload (
- ChildSaSession,
- IKEV2_PAYLOAD_TYPE_TS_RSP,
- FALSE
- );
-
- TsrPayload = Ikev2GenerateTsPayload (
- ChildSaSession,
- IKEV2_PAYLOAD_TYPE_NOTIFY,
- FALSE
- );
-
- //
- // Generate Notify Payload. If transport mode, there should have Notify
- // payload with TRANSPORT_MODE notification.
- //
- NotifyPayload = Ikev2GenerateNotifyPayload (
- 0,
- IKEV2_PAYLOAD_TYPE_NONE,
- 0,
- IKEV2_NOTIFICATION_USE_TRANSPORT_MODE,
- NULL,
- NULL,
- 0
- );
- if (NotifyPayload == NULL) {
- goto CheckError;
- }
- } else {
- //
- // Generate Tsr for Tunnel mode.
- //
- TsiPayload = Ikev2GenerateTsPayload (
- ChildSaSession,
- IKEV2_PAYLOAD_TYPE_TS_RSP,
- TRUE
- );
- TsrPayload = Ikev2GenerateTsPayload (
- ChildSaSession,
- IKEV2_PAYLOAD_TYPE_NONE,
- FALSE
- );
- }
-
- if (TsiPayload == NULL || TsrPayload == NULL) {
- goto CheckError;
- }
-
- IKE_PACKET_APPEND_PAYLOAD (IkePacket, IdPayload);
- IKE_PACKET_APPEND_PAYLOAD (IkePacket, AuthPayload);
- if (IkeSaSession->Spd->Data->ProcessingPolicy->Mode == EfiIPsecTunnel) {
- IKE_PACKET_APPEND_PAYLOAD (IkePacket, CpPayload);
- }
- IKE_PACKET_APPEND_PAYLOAD (IkePacket, SaPayload);
- IKE_PACKET_APPEND_PAYLOAD (IkePacket, TsiPayload);
- IKE_PACKET_APPEND_PAYLOAD (IkePacket, TsrPayload);
- if (IkeSaSession->Spd->Data->ProcessingPolicy->Mode == EfiIPsecTransport) {
- IKE_PACKET_APPEND_PAYLOAD (IkePacket, NotifyPayload);
- }
-
- return IkePacket;
-
-CheckError:
- if (IkePacket != NULL) {
- IkePacketFree (IkePacket);
- }
-
- if (IdPayload != NULL) {
- IkePayloadFree (IdPayload);
- }
-
- if (AuthPayload != NULL) {
- IkePayloadFree (AuthPayload);
- }
-
- if (CpPayload != NULL) {
- IkePayloadFree (CpPayload);
- }
-
- if (SaPayload != NULL) {
- IkePayloadFree (SaPayload);
- }
-
- if (TsiPayload != NULL) {
- IkePayloadFree (TsiPayload);
- }
-
- if (TsrPayload != NULL) {
- IkePayloadFree (TsrPayload);
- }
-
- if (NotifyPayload != NULL) {
- IkePayloadFree (NotifyPayload);
- }
-
- return NULL;
-}
-
-/**
- Parses IKE_AUTH packet.
-
- @param[in] SaSession Pointer to the IKE_SA_SESSION related to this packet.
- @param[in] IkePacket Pointer to the IKE_AUTH packet to be parsered.
-
- @retval EFI_INVALID_PARAMETER The IKE packet is malformed or the SA
- proposal is unacceptable.
- @retval EFI_SUCCESS The IKE packet is acceptable and the
- relative data is saved for furthure communication.
-
-**/
-EFI_STATUS
-Ikev2AuthPskParser (
- IN UINT8 *SaSession,
- IN IKE_PACKET *IkePacket
- )
-{
- IKEV2_CHILD_SA_SESSION *ChildSaSession;
- IKEV2_SA_SESSION *IkeSaSession;
- IKE_PAYLOAD *IkePayload;
- IKE_PAYLOAD *SaPayload;
- IKE_PAYLOAD *IdiPayload;
- IKE_PAYLOAD *IdrPayload;
- IKE_PAYLOAD *AuthPayload;
- IKE_PAYLOAD *TsiPayload;
- IKE_PAYLOAD *TsrPayload;
- IKE_PAYLOAD *VerifiedAuthPayload;
- LIST_ENTRY *Entry;
- EFI_STATUS Status;
-
- IkeSaSession = (IKEV2_SA_SESSION *) SaSession;
- ChildSaSession = IKEV2_CHILD_SA_SESSION_BY_IKE_SA (GetFirstNode (&IkeSaSession->ChildSaSessionList));
-
- SaPayload = NULL;
- IdiPayload = NULL;
- IdrPayload = NULL;
- AuthPayload = NULL;
- TsiPayload = NULL;
- TsrPayload = NULL;
-
- //
- // Iterate payloads to find the SaPayload/ID/AUTH/TS Payload.
- //
- NET_LIST_FOR_EACH (Entry, &(IkePacket)->PayloadList) {
- IkePayload = IKE_PAYLOAD_BY_PACKET (Entry);
-
- if (IkePayload->PayloadType == IKEV2_PAYLOAD_TYPE_ID_INIT) {
- IdiPayload = IkePayload;
- }
- if (IkePayload->PayloadType == IKEV2_PAYLOAD_TYPE_ID_RSP) {
- IdrPayload = IkePayload;
- }
- if (IkePayload->PayloadType == IKEV2_PAYLOAD_TYPE_SA) {
- SaPayload = IkePayload;
- }
- if (IkePayload->PayloadType == IKEV2_PAYLOAD_TYPE_AUTH) {
- AuthPayload = IkePayload;
- }
- if (IkePayload->PayloadType == IKEV2_PAYLOAD_TYPE_TS_INIT) {
- TsiPayload = IkePayload;
- }
- if (IkePayload->PayloadType == IKEV2_PAYLOAD_TYPE_TS_RSP) {
- TsrPayload = IkePayload;
- }
- }
-
- if ((SaPayload == NULL) || (AuthPayload == NULL) || (TsiPayload == NULL) || (TsrPayload == NULL)) {
- return EFI_INVALID_PARAMETER;
- }
- if ((IdiPayload == NULL) && (IdrPayload == NULL)) {
- return EFI_INVALID_PARAMETER;
- }
-
- //
- // Check IkePacket Header is match the state
- //
- if (IkeSaSession->SessionCommon.IsInitiator) {
-
- //
- // 1. Check the IkePacket->Hdr == IKE_HEADER_FLAGS_RESPOND
- //
- if ((IkePacket->Header->Flags != IKE_HEADER_FLAGS_RESPOND) ||
- (IkePacket->Header->ExchangeType != IKEV2_EXCHANGE_TYPE_AUTH)
- ) {
- return EFI_INVALID_PARAMETER;
- }
-
- } else {
- //
- // 1. Check the IkePacket->Hdr == IKE_HEADER_FLAGS_INIT
- //
- if ((IkePacket->Header->Flags != IKE_HEADER_FLAGS_INIT) ||
- (IkePacket->Header->ExchangeType != IKEV2_EXCHANGE_TYPE_AUTH)
- ) {
- return EFI_INVALID_PARAMETER;
- }
-
- //
- // 2. Parse the SA payload and Key Payload and find out the perferable one
- // and fill in the Sa paramse into CommonSession->SaParams and SaData into
- // IkeSaSession for the responder SA payload generation.
- //
- }
-
- //
- // Verify the Auth Payload.
- //
- VerifiedAuthPayload = Ikev2PskGenerateAuthPayload (
- IkeSaSession,
- IkeSaSession->SessionCommon.IsInitiator ? IdrPayload : IdiPayload,
- IKEV2_PAYLOAD_TYPE_SA,
- TRUE
- );
- if ((VerifiedAuthPayload != NULL) &&
- (0 != CompareMem (
- VerifiedAuthPayload->PayloadBuf + sizeof (IKEV2_COMMON_PAYLOAD_HEADER),
- AuthPayload->PayloadBuf + sizeof (IKEV2_COMMON_PAYLOAD_HEADER),
- VerifiedAuthPayload->PayloadSize - sizeof (IKEV2_COMMON_PAYLOAD_HEADER)
- ))) {
- return EFI_INVALID_PARAMETER;
- };
-
- //
- // 3. Parse the SA Payload to find out the cryptographic suite
- // and fill in the Sa paramse into CommonSession->SaParams. If no acceptable
- // porposal found, return EFI_INVALID_PARAMETER.
- //
- if (!Ikev2ChildSaParseSaPayload (ChildSaSession, SaPayload, IkePacket->Header->Flags)) {
- return EFI_INVALID_PARAMETER;
- }
-
- //
- // 4. Parse TSi, TSr payloads.
- //
- if ((((TRAFFIC_SELECTOR *)(TsiPayload->PayloadBuf + sizeof (IKEV2_TS)))->IpProtocolId !=
- ((TRAFFIC_SELECTOR *)(TsrPayload->PayloadBuf + sizeof (IKEV2_TS)))->IpProtocolId) &&
- (((TRAFFIC_SELECTOR *)(TsiPayload->PayloadBuf + sizeof (IKEV2_TS)))->IpProtocolId != 0) &&
- (((TRAFFIC_SELECTOR *)(TsrPayload->PayloadBuf + sizeof (IKEV2_TS)))->IpProtocolId != 0)
- ) {
- return EFI_INVALID_PARAMETER;
- }
-
- if (!IkeSaSession->SessionCommon.IsInitiator) {
- //
- //TODO:check the Port range. Only support any port and one certain port here.
- //
- ChildSaSession->ProtoId = ((TRAFFIC_SELECTOR *)(TsrPayload->PayloadBuf + sizeof (IKEV2_TS)))->IpProtocolId;
- ChildSaSession->LocalPort = ((TRAFFIC_SELECTOR *)(TsrPayload->PayloadBuf + sizeof (IKEV2_TS)))->StartPort;
- ChildSaSession->RemotePort = ((TRAFFIC_SELECTOR *)(TsiPayload->PayloadBuf + sizeof (IKEV2_TS)))->StartPort;
- //
- // Association a SPD with this SA.
- //
- Status = Ikev2ChildSaAssociateSpdEntry (ChildSaSession);
- if (EFI_ERROR (Status)) {
- return EFI_INVALID_PARAMETER;
- }
- //
- // Associate the IkeSaSession's SPD to the first ChildSaSession's SPD.
- //
- if (ChildSaSession->IkeSaSession->Spd == NULL) {
- ChildSaSession->IkeSaSession->Spd = ChildSaSession->Spd;
- Status = Ikev2ChildSaSessionSpdSelectorCreate (ChildSaSession);
- if (EFI_ERROR (Status)) {
- return Status;
- }
- }
- } else {
- //
- //TODO:check the Port range.
- //
- if ((((TRAFFIC_SELECTOR *)(TsrPayload->PayloadBuf + sizeof (IKEV2_TS)))->StartPort != 0) &&
- (((TRAFFIC_SELECTOR *)(TsrPayload->PayloadBuf + sizeof (IKEV2_TS)))->StartPort != ChildSaSession->RemotePort)
- ) {
- return EFI_INVALID_PARAMETER;
- }
- if ((((TRAFFIC_SELECTOR *)(TsiPayload->PayloadBuf + sizeof (IKEV2_TS)))->StartPort != 0) &&
- (((TRAFFIC_SELECTOR *)(TsiPayload->PayloadBuf + sizeof (IKEV2_TS)))->StartPort != ChildSaSession->LocalPort)
- ) {
- return EFI_INVALID_PARAMETER;
- }
- //
- // For the tunnel mode, it should add the vitual IP address into the SA's SPD Selector.
- //
- if (ChildSaSession->Spd->Data->ProcessingPolicy->Mode == EfiIPsecTunnel) {
- if (!ChildSaSession->IkeSaSession->SessionCommon.IsInitiator) {
- //
- // If it is tunnel mode, the UEFI part must be the initiator.
- //
- return EFI_INVALID_PARAMETER;
- }
- //
- // Get the Virtual IP address from the Tsi traffic selector.
- // TODO: check the CFG reply payload
- //
- CopyMem (
- &ChildSaSession->SpdSelector->LocalAddress[0].Address,
- TsiPayload->PayloadBuf + sizeof (IKEV2_TS) + sizeof (TRAFFIC_SELECTOR),
- (ChildSaSession->SessionCommon.UdpService->IpVersion == IP_VERSION_4) ?
- sizeof (EFI_IPv4_ADDRESS) : sizeof (EFI_IPv6_ADDRESS)
- );
- }
- }
-
- //
- // 5. Generate keymats for IPsec protocol.
- //
- Status = Ikev2GenerateChildSaKeys (ChildSaSession, NULL);
- if (EFI_ERROR (Status)) {
- return Status;
- }
-
- if (IkeSaSession->SessionCommon.IsInitiator) {
- //
- // 6. Change the state of IkeSaSession
- //
- IKEV2_DUMP_STATE (IkeSaSession->SessionCommon.State, IkeStateIkeSaEstablished);
- IkeSaSession->SessionCommon.State = IkeStateIkeSaEstablished;
- }
-
- return EFI_SUCCESS;
-}
-
-/**
- Gernerates IKEv2 packet for IKE_SA_INIT exchange.
-
- @param[in] SaSession Pointer to IKEV2_SA_SESSION related to the exchange.
- @param[in] Context Context Data passed by caller.
-
- @retval EFI_SUCCESS The IKE packet generation succeeded.
- @retval Others The IKE packet generation failed.
-
-**/
-IKE_PACKET*
-Ikev2InitCertGenerator (
- IN UINT8 *SaSession,
- IN VOID *Context
- )
-{
- IKE_PACKET *IkePacket;
- IKE_PAYLOAD *CertReqPayload;
- LIST_ENTRY *Node;
- IKE_PAYLOAD *NoncePayload;
-
- if (!FeaturePcdGet (PcdIpsecCertificateEnabled)) {
- return NULL;
- }
-
- //
- // The first two messages exchange is same between PSK and Cert.
- //
- IkePacket = Ikev2InitPskGenerator (SaSession, Context);
-
- if ((IkePacket != NULL) && (!((IKEV2_SA_SESSION *)SaSession)->SessionCommon.IsInitiator)) {
- //
- // Add the Certification Request Payload
- //
- CertReqPayload = Ikev2GenerateCertificatePayload (
- (IKEV2_SA_SESSION *)SaSession,
- IKEV2_PAYLOAD_TYPE_NONE,
- (UINT8*)PcdGetPtr(PcdIpsecUefiCaFile),
- PcdGet32(PcdIpsecUefiCaFileSize),
- IKEV2_CERT_ENCODEING_HASH_AND_URL_OF_X509_CERT,
- TRUE
- );
- //
- // Change Nonce Payload Next payload type.
- //
- IKE_PACKET_END_PAYLOAD (IkePacket, Node);
- NoncePayload = IKE_PAYLOAD_BY_PACKET (Node);
- ((IKEV2_NONCE *)NoncePayload->PayloadBuf)->Header.NextPayload = IKEV2_PAYLOAD_TYPE_CERTREQ;
-
- //
- // Add Certification Request Payload
- //
- IKE_PACKET_APPEND_PAYLOAD (IkePacket, CertReqPayload);
- }
-
- return IkePacket;
-}
-
-/**
- Parses the IKEv2 packet for IKE_SA_INIT exchange.
-
- @param[in] SaSession Pointer to IKEV2_SA_SESSION related to the exchange.
- @param[in] IkePacket The received IKEv2 packet to be parsed.
-
- @retval EFI_SUCCESS The IKEv2 packet is acceptable and the relative data is
- saved for furthure communication.
- @retval EFI_INVALID_PARAMETER The IKE packet is malformed or the SA proposal is unacceptable.
- @retval EFI_UNSUPPORTED The certificate authentication is not supported.
-
-**/
-EFI_STATUS
-Ikev2InitCertParser (
- IN UINT8 *SaSession,
- IN IKE_PACKET *IkePacket
- )
-{
- if (!FeaturePcdGet (PcdIpsecCertificateEnabled)) {
- return EFI_UNSUPPORTED;
- }
-
- //
- // The first two messages exchange is same between PSK and Cert.
- // Todo: Parse Certificate Request from responder Initial Exchange.
- //
- return Ikev2InitPskParser (SaSession, IkePacket);
-}
-
-/**
- Generates the IKEv2 packet for IKE_AUTH exchange.
-
- @param[in] SaSession Pointer to IKEV2_SA_SESSION.
- @param[in] Context Context data passed by caller.
-
- @retval Pointer to IKEv2 Packet to be sent out.
-
-**/
-IKE_PACKET *
-Ikev2AuthCertGenerator (
- IN UINT8 *SaSession,
- IN VOID *Context
- )
-{
- IKE_PACKET *IkePacket;
- IKEV2_SA_SESSION *IkeSaSession;
- IKE_PAYLOAD *IdPayload;
- IKE_PAYLOAD *AuthPayload;
- IKE_PAYLOAD *SaPayload;
- IKE_PAYLOAD *TsiPayload;
- IKE_PAYLOAD *TsrPayload;
- IKE_PAYLOAD *NotifyPayload;
- IKE_PAYLOAD *CpPayload;
- IKE_PAYLOAD *CertPayload;
- IKE_PAYLOAD *CertReqPayload;
- IKEV2_CHILD_SA_SESSION *ChildSaSession;
-
- if (!FeaturePcdGet (PcdIpsecCertificateEnabled)) {
- return NULL;
- }
-
- IkeSaSession = (IKEV2_SA_SESSION *) SaSession;
- ChildSaSession = IKEV2_CHILD_SA_SESSION_BY_IKE_SA (GetFirstNode (&IkeSaSession->ChildSaSessionList));
-
- IkePacket = NULL;
- IdPayload = NULL;
- AuthPayload = NULL;
- CpPayload = NULL;
- SaPayload = NULL;
- TsiPayload = NULL;
- TsrPayload = NULL;
- NotifyPayload = NULL;
- CertPayload = NULL;
- CertReqPayload = NULL;
-
- //
- // 1. Allocate IKE Packet
- //
- IkePacket= IkePacketAlloc ();
- if (IkePacket == NULL) {
- return NULL;
- }
-
- //
- // 1.a Fill the IkePacket Header.
- //
- IkePacket->Header->ExchangeType = IKEV2_EXCHANGE_TYPE_AUTH;
- IkePacket->Header->InitiatorCookie = IkeSaSession->InitiatorCookie;
- IkePacket->Header->ResponderCookie = IkeSaSession->ResponderCookie;
- IkePacket->Header->Version = (UINT8)(2 << 4);
- if (ChildSaSession->SessionCommon.IsInitiator) {
- IkePacket->Header->NextPayload = IKEV2_PAYLOAD_TYPE_ID_INIT;
- } else {
- IkePacket->Header->NextPayload = IKEV2_PAYLOAD_TYPE_ID_RSP;
- }
-
- //
- // According to RFC4306_2.2, For the IKE_SA_INIT message the MessageID should
- // be always number 0 and 1;
- //
- IkePacket->Header->MessageId = 1;
-
- if (IkeSaSession->SessionCommon.IsInitiator) {
- IkePacket->Header->Flags = IKE_HEADER_FLAGS_INIT;
- } else {
- IkePacket->Header->Flags = IKE_HEADER_FLAGS_RESPOND;
- }
-
- //
- // 2. Generate ID Payload according to IP version and address.
- //
- IdPayload = Ikev2GenerateCertIdPayload (
- &IkeSaSession->SessionCommon,
- IKEV2_PAYLOAD_TYPE_CERT,
- (UINT8 *)PcdGetPtr (PcdIpsecUefiCertificate),
- PcdGet32 (PcdIpsecUefiCertificateSize)
- );
- if (IdPayload == NULL) {
- goto CheckError;
- }
-
- //
- // 3. Generate Certificate Payload
- //
- CertPayload = Ikev2GenerateCertificatePayload (
- IkeSaSession,
- (UINT8)(IkeSaSession->SessionCommon.IsInitiator ? IKEV2_PAYLOAD_TYPE_CERTREQ : IKEV2_PAYLOAD_TYPE_AUTH),
- (UINT8 *)PcdGetPtr (PcdIpsecUefiCertificate),
- PcdGet32 (PcdIpsecUefiCertificateSize),
- IKEV2_CERT_ENCODEING_X509_CERT_SIGN,
- FALSE
- );
- if (CertPayload == NULL) {
- goto CheckError;
- }
-
- if (IkeSaSession->SessionCommon.IsInitiator) {
- CertReqPayload = Ikev2GenerateCertificatePayload (
- IkeSaSession,
- IKEV2_PAYLOAD_TYPE_AUTH,
- (UINT8 *)PcdGetPtr (PcdIpsecUefiCertificate),
- PcdGet32 (PcdIpsecUefiCertificateSize),
- IKEV2_CERT_ENCODEING_HASH_AND_URL_OF_X509_CERT,
- TRUE
- );
- if (CertReqPayload == NULL) {
- goto CheckError;
- }
- }
-
- //
- // 4. Generate Auth Payload
- // If it is tunnel mode, should create the configuration payload after the
- // Auth payload.
- //
- if (IkeSaSession->Spd->Data->ProcessingPolicy->Mode == EfiIPsecTransport) {
- AuthPayload = Ikev2CertGenerateAuthPayload (
- ChildSaSession->IkeSaSession,
- IdPayload,
- IKEV2_PAYLOAD_TYPE_SA,
- FALSE,
- (UINT8 *)PcdGetPtr (PcdIpsecUefiCertificateKey),
- PcdGet32 (PcdIpsecUefiCertificateKeySize),
- ChildSaSession->IkeSaSession->Pad->Data->AuthData,
- ChildSaSession->IkeSaSession->Pad->Data->AuthDataSize
- );
- } else {
- AuthPayload = Ikev2CertGenerateAuthPayload (
- ChildSaSession->IkeSaSession,
- IdPayload,
- IKEV2_PAYLOAD_TYPE_CP,
- FALSE,
- (UINT8 *)PcdGetPtr (PcdIpsecUefiCertificateKey),
- PcdGet32 (PcdIpsecUefiCertificateKeySize),
- ChildSaSession->IkeSaSession->Pad->Data->AuthData,
- ChildSaSession->IkeSaSession->Pad->Data->AuthDataSize
- );
- if (IkeSaSession->SessionCommon.UdpService->IpVersion == IP_VERSION_4) {
- CpPayload = Ikev2GenerateCpPayload (
- ChildSaSession->IkeSaSession,
- IKEV2_PAYLOAD_TYPE_SA,
- IKEV2_CFG_ATTR_INTERNAL_IP4_ADDRESS
- );
- } else {
- CpPayload = Ikev2GenerateCpPayload (
- ChildSaSession->IkeSaSession,
- IKEV2_PAYLOAD_TYPE_SA,
- IKEV2_CFG_ATTR_INTERNAL_IP6_ADDRESS
- );
- }
-
- if (CpPayload == NULL) {
- goto CheckError;
- }
- }
-
- if (AuthPayload == NULL) {
- goto CheckError;
- }
-
- //
- // 5. Generate SA Payload according to the Sa Data in ChildSaSession
- //
- SaPayload = Ikev2GenerateSaPayload (
- ChildSaSession->SaData,
- IKEV2_PAYLOAD_TYPE_TS_INIT,
- IkeSessionTypeChildSa
- );
- if (SaPayload == NULL) {
- goto CheckError;
- }
-
- if (IkeSaSession->Spd->Data->ProcessingPolicy->Mode == EfiIPsecTransport) {
- //
- // Generate Tsi and Tsr.
- //
- TsiPayload = Ikev2GenerateTsPayload (
- ChildSaSession,
- IKEV2_PAYLOAD_TYPE_TS_RSP,
- FALSE
- );
-
- TsrPayload = Ikev2GenerateTsPayload (
- ChildSaSession,
- IKEV2_PAYLOAD_TYPE_NOTIFY,
- FALSE
- );
-
- //
- // Generate Notify Payload. If transport mode, there should have Notify
- // payload with TRANSPORT_MODE notification.
- //
- NotifyPayload = Ikev2GenerateNotifyPayload (
- 0,
- IKEV2_PAYLOAD_TYPE_NONE,
- 0,
- IKEV2_NOTIFICATION_USE_TRANSPORT_MODE,
- NULL,
- NULL,
- 0
- );
- if (NotifyPayload == NULL) {
- goto CheckError;
- }
- } else {
- //
- // Generate Tsr for Tunnel mode.
- //
- TsiPayload = Ikev2GenerateTsPayload (
- ChildSaSession,
- IKEV2_PAYLOAD_TYPE_TS_RSP,
- TRUE
- );
- TsrPayload = Ikev2GenerateTsPayload (
- ChildSaSession,
- IKEV2_PAYLOAD_TYPE_NONE,
- FALSE
- );
- }
-
- if (TsiPayload == NULL || TsrPayload == NULL) {
- goto CheckError;
- }
-
- IKE_PACKET_APPEND_PAYLOAD (IkePacket, IdPayload);
- IKE_PACKET_APPEND_PAYLOAD (IkePacket, CertPayload);
- if (IkeSaSession->SessionCommon.IsInitiator) {
- IKE_PACKET_APPEND_PAYLOAD (IkePacket, CertReqPayload);
- }
- IKE_PACKET_APPEND_PAYLOAD (IkePacket, AuthPayload);
- if (IkeSaSession->Spd->Data->ProcessingPolicy->Mode == EfiIPsecTunnel) {
- IKE_PACKET_APPEND_PAYLOAD (IkePacket, CpPayload);
- }
- IKE_PACKET_APPEND_PAYLOAD (IkePacket, SaPayload);
- IKE_PACKET_APPEND_PAYLOAD (IkePacket, TsiPayload);
- IKE_PACKET_APPEND_PAYLOAD (IkePacket, TsrPayload);
- if (IkeSaSession->Spd->Data->ProcessingPolicy->Mode == EfiIPsecTransport) {
- IKE_PACKET_APPEND_PAYLOAD (IkePacket, NotifyPayload);
- }
-
- return IkePacket;
-
-CheckError:
- if (IkePacket != NULL) {
- IkePacketFree (IkePacket);
- }
-
- if (IdPayload != NULL) {
- IkePayloadFree (IdPayload);
- }
-
- if (CertPayload != NULL) {
- IkePayloadFree (CertPayload);
- }
-
- if (CertReqPayload != NULL) {
- IkePayloadFree (CertReqPayload);
- }
-
- if (AuthPayload != NULL) {
- IkePayloadFree (AuthPayload);
- }
-
- if (CpPayload != NULL) {
- IkePayloadFree (CpPayload);
- }
-
- if (SaPayload != NULL) {
- IkePayloadFree (SaPayload);
- }
-
- if (TsiPayload != NULL) {
- IkePayloadFree (TsiPayload);
- }
-
- if (TsrPayload != NULL) {
- IkePayloadFree (TsrPayload);
- }
-
- if (NotifyPayload != NULL) {
- IkePayloadFree (NotifyPayload);
- }
-
- return NULL;
-}
-
-/**
- Parses IKE_AUTH packet.
-
- @param[in] SaSession Pointer to the IKE_SA_SESSION related to this packet.
- @param[in] IkePacket Pointer to the IKE_AUTH packet to be parsered.
-
- @retval EFI_INVALID_PARAMETER The IKEv2 packet is malformed or the SA
- proposal is unacceptable.
- @retval EFI_SUCCESS The IKE packet is acceptable and the
- relative data is saved for furthure communication.
- @retval EFI_UNSUPPORTED The certificate authentication is not supported.
-
-**/
-EFI_STATUS
-Ikev2AuthCertParser (
- IN UINT8 *SaSession,
- IN IKE_PACKET *IkePacket
- )
-{
- IKEV2_CHILD_SA_SESSION *ChildSaSession;
- IKEV2_SA_SESSION *IkeSaSession;
- IKE_PAYLOAD *IkePayload;
- IKE_PAYLOAD *SaPayload;
- IKE_PAYLOAD *IdiPayload;
- IKE_PAYLOAD *IdrPayload;
- IKE_PAYLOAD *AuthPayload;
- IKE_PAYLOAD *TsiPayload;
- IKE_PAYLOAD *TsrPayload;
- IKE_PAYLOAD *CertPayload;
- IKE_PAYLOAD *VerifiedAuthPayload;
- LIST_ENTRY *Entry;
- EFI_STATUS Status;
-
- if (!FeaturePcdGet (PcdIpsecCertificateEnabled)) {
- return EFI_UNSUPPORTED;
- }
-
- IkeSaSession = (IKEV2_SA_SESSION *) SaSession;
- ChildSaSession = IKEV2_CHILD_SA_SESSION_BY_IKE_SA (GetFirstNode (&IkeSaSession->ChildSaSessionList));
-
- SaPayload = NULL;
- IdiPayload = NULL;
- IdrPayload = NULL;
- AuthPayload = NULL;
- TsiPayload = NULL;
- TsrPayload = NULL;
- CertPayload = NULL;
- VerifiedAuthPayload = NULL;
- Status = EFI_INVALID_PARAMETER;
-
- //
- // Iterate payloads to find the SaPayload/ID/AUTH/TS Payload.
- //
- NET_LIST_FOR_EACH (Entry, &(IkePacket)->PayloadList) {
- IkePayload = IKE_PAYLOAD_BY_PACKET (Entry);
-
- if (IkePayload->PayloadType == IKEV2_PAYLOAD_TYPE_ID_INIT) {
- IdiPayload = IkePayload;
- }
- if (IkePayload->PayloadType == IKEV2_PAYLOAD_TYPE_ID_RSP) {
- IdrPayload = IkePayload;
- }
-
- if (IkePayload->PayloadType == IKEV2_PAYLOAD_TYPE_SA) {
- SaPayload = IkePayload;
- }
- if (IkePayload->PayloadType == IKEV2_PAYLOAD_TYPE_AUTH) {
- AuthPayload = IkePayload;
- }
- if (IkePayload->PayloadType == IKEV2_PAYLOAD_TYPE_TS_INIT) {
- TsiPayload = IkePayload;
- }
- if (IkePayload->PayloadType == IKEV2_PAYLOAD_TYPE_TS_RSP) {
- TsrPayload = IkePayload;
- }
- if (IkePayload->PayloadType == IKEV2_PAYLOAD_TYPE_CERT) {
- CertPayload = IkePayload;
- }
- }
-
- if ((SaPayload == NULL) || (AuthPayload == NULL) || (TsiPayload == NULL) ||
- (TsrPayload == NULL) || (CertPayload == NULL)) {
- goto Exit;
- }
- if ((IdiPayload == NULL) && (IdrPayload == NULL)) {
- goto Exit;
- }
-
- //
- // Check IkePacket Header is match the state
- //
- if (IkeSaSession->SessionCommon.IsInitiator) {
-
- //
- // 1. Check the IkePacket->Hdr == IKE_HEADER_FLAGS_RESPOND
- //
- if ((IkePacket->Header->Flags != IKE_HEADER_FLAGS_RESPOND) ||
- (IkePacket->Header->ExchangeType != IKEV2_EXCHANGE_TYPE_AUTH)) {
- goto Exit;
- }
- } else {
- //
- // 1. Check the IkePacket->Hdr == IKE_HEADER_FLAGS_INIT
- //
- if ((IkePacket->Header->Flags != IKE_HEADER_FLAGS_INIT) ||
- (IkePacket->Header->ExchangeType != IKEV2_EXCHANGE_TYPE_AUTH)) {
- goto Exit;
- }
- }
-
- //
- // Verify the Auth Payload.
- //
- VerifiedAuthPayload = Ikev2CertGenerateAuthPayload (
- IkeSaSession,
- IkeSaSession->SessionCommon.IsInitiator ? IdrPayload:IdiPayload,
- IKEV2_PAYLOAD_TYPE_SA,
- TRUE,
- NULL,
- 0,
- NULL,
- 0
- );
-
- if ((VerifiedAuthPayload != NULL) &&
- (!IpSecCryptoIoVerifySignDataByCertificate (
- CertPayload->PayloadBuf + sizeof (IKEV2_CERT),
- CertPayload->PayloadSize - sizeof (IKEV2_CERT),
- (UINT8 *)PcdGetPtr (PcdIpsecUefiCaFile),
- PcdGet32 (PcdIpsecUefiCaFileSize),
- VerifiedAuthPayload->PayloadBuf + sizeof (IKEV2_AUTH),
- VerifiedAuthPayload->PayloadSize - sizeof (IKEV2_AUTH),
- AuthPayload->PayloadBuf + sizeof (IKEV2_AUTH),
- AuthPayload->PayloadSize - sizeof (IKEV2_AUTH)
- ))) {
- goto Exit;
- }
-
- //
- // 3. Parse the SA Payload to find out the cryptographic suite
- // and fill in the SA paramse into CommonSession->SaParams. If no acceptable
- // porposal found, return EFI_INVALID_PARAMETER.
- //
- if (!Ikev2ChildSaParseSaPayload (ChildSaSession, SaPayload, IkePacket->Header->Flags)) {
- goto Exit;
- }
-
- //
- // 4. Parse TSi, TSr payloads.
- //
- if ((((TRAFFIC_SELECTOR *)(TsiPayload->PayloadBuf + sizeof (IKEV2_TS)))->IpProtocolId !=
- ((TRAFFIC_SELECTOR *)(TsrPayload->PayloadBuf + sizeof (IKEV2_TS)))->IpProtocolId) &&
- (((TRAFFIC_SELECTOR *)(TsiPayload->PayloadBuf + sizeof (IKEV2_TS)))->IpProtocolId != 0) &&
- (((TRAFFIC_SELECTOR *)(TsrPayload->PayloadBuf + sizeof (IKEV2_TS)))->IpProtocolId != 0)
- ) {
- goto Exit;
- }
-
- if (!IkeSaSession->SessionCommon.IsInitiator) {
- //
- //Todo:check the Port range. Only support any port and one certain port here.
- //
- ChildSaSession->ProtoId = ((TRAFFIC_SELECTOR *)(TsrPayload->PayloadBuf + sizeof (IKEV2_TS)))->IpProtocolId;
- ChildSaSession->LocalPort = ((TRAFFIC_SELECTOR *)(TsrPayload->PayloadBuf + sizeof (IKEV2_TS)))->StartPort;
- ChildSaSession->RemotePort = ((TRAFFIC_SELECTOR *)(TsiPayload->PayloadBuf + sizeof (IKEV2_TS)))->StartPort;
- //
- // Association a SPD with this SA.
- //
- if (EFI_ERROR (Ikev2ChildSaAssociateSpdEntry (ChildSaSession))) {
- goto Exit;
- }
- //
- // Associate the IkeSaSession's SPD to the first ChildSaSession's SPD.
- //
- if (ChildSaSession->IkeSaSession->Spd == NULL) {
- ChildSaSession->IkeSaSession->Spd = ChildSaSession->Spd;
- Status = Ikev2ChildSaSessionSpdSelectorCreate (ChildSaSession);
- if (EFI_ERROR (Status)) {
- goto Exit;
- }
- }
- } else {
- //
- // Todo:check the Port range.
- //
- if ((((TRAFFIC_SELECTOR *)(TsrPayload->PayloadBuf + sizeof (IKEV2_TS)))->StartPort != 0) &&
- (((TRAFFIC_SELECTOR *)(TsrPayload->PayloadBuf + sizeof (IKEV2_TS)))->StartPort != ChildSaSession->RemotePort)
- ) {
- goto Exit;
- }
- if ((((TRAFFIC_SELECTOR *)(TsiPayload->PayloadBuf + sizeof (IKEV2_TS)))->StartPort != 0) &&
- (((TRAFFIC_SELECTOR *)(TsiPayload->PayloadBuf + sizeof (IKEV2_TS)))->StartPort != ChildSaSession->LocalPort)
- ) {
- goto Exit;
- }
- //
- // For the tunnel mode, it should add the vitual IP address into the SA's SPD Selector.
- //
- if (ChildSaSession->Spd->Data->ProcessingPolicy->Mode == EfiIPsecTunnel) {
- if (!ChildSaSession->IkeSaSession->SessionCommon.IsInitiator) {
- //
- // If it is tunnel mode, the UEFI part must be the initiator.
- //
- goto Exit;
- }
- //
- // Get the Virtual IP address from the Tsi traffic selector.
- // TODO: check the CFG reply payload
- //
- CopyMem (
- &ChildSaSession->SpdSelector->LocalAddress[0].Address,
- TsiPayload->PayloadBuf + sizeof (IKEV2_TS) + sizeof (TRAFFIC_SELECTOR),
- (ChildSaSession->SessionCommon.UdpService->IpVersion == IP_VERSION_4) ?
- sizeof (EFI_IPv4_ADDRESS) : sizeof (EFI_IPv6_ADDRESS)
- );
- }
- }
-
- //
- // 5. Generat keymats for IPsec protocol.
- //
- Status = Ikev2GenerateChildSaKeys (ChildSaSession, NULL);
- if (EFI_ERROR (Status)) {
- goto Exit;
- }
-
- if (IkeSaSession->SessionCommon.IsInitiator) {
- //
- // 6. Change the state of IkeSaSession
- //
- IKEV2_DUMP_STATE (IkeSaSession->SessionCommon.State, IkeStateIkeSaEstablished);
- IkeSaSession->SessionCommon.State = IkeStateIkeSaEstablished;
- }
-
- Status = EFI_SUCCESS;
-
-Exit:
- if (VerifiedAuthPayload != NULL) {
- IkePayloadFree (VerifiedAuthPayload);
- }
- return Status;
-}
-
-/**
- Generates the DH Public Key.
-
- This generates the DH local public key and store it in the IKE SA Session's GxBuffer.
-
- @param[in] IkeSaSession Pointer to related IKE SA Session.
-
- @retval EFI_SUCCESS The operation succeeded.
- @retval Others The operation failed.
-
-**/
-EFI_STATUS
-Ikev2GenerateSaDhPublicKey (
- IN IKEV2_SA_SESSION *IkeSaSession
- )
-{
- EFI_STATUS Status;
- IKEV2_SESSION_KEYS *IkeKeys;
-
- IkeSaSession->IkeKeys = AllocateZeroPool (sizeof (IKEV2_SESSION_KEYS));
- if (IkeSaSession->IkeKeys == NULL) {
- return EFI_OUT_OF_RESOURCES;
- }
-
- IkeKeys = IkeSaSession->IkeKeys;
- IkeKeys->DhBuffer = AllocateZeroPool (sizeof (IKEV2_DH_BUFFER));
- if (IkeKeys->DhBuffer == NULL) {
- FreePool (IkeSaSession->IkeKeys);
- return EFI_OUT_OF_RESOURCES;
- }
-
- //
- // Init DH with the certain DH Group Description.
- //
- IkeKeys->DhBuffer->GxSize = OakleyModpGroup[(UINT8)IkeSaSession->SessionCommon.PreferDhGroup].Size >> 3;
- IkeKeys->DhBuffer->GxBuffer = AllocateZeroPool (IkeKeys->DhBuffer->GxSize);
- if (IkeKeys->DhBuffer->GxBuffer == NULL) {
- FreePool (IkeKeys->DhBuffer);
- FreePool (IkeSaSession->IkeKeys);
- return EFI_OUT_OF_RESOURCES;
- }
-
- //
- // Get X PublicKey
- //
- Status = IpSecCryptoIoDhGetPublicKey (
- &IkeKeys->DhBuffer->DhContext,
- OakleyModpGroup[(UINT8)IkeSaSession->SessionCommon.PreferDhGroup].GroupGenerator,
- OakleyModpGroup[(UINT8)IkeSaSession->SessionCommon.PreferDhGroup].Size,
- OakleyModpGroup[(UINT8)IkeSaSession->SessionCommon.PreferDhGroup].Modulus,
- IkeKeys->DhBuffer->GxBuffer,
- &IkeKeys->DhBuffer->GxSize
- );
- if (EFI_ERROR (Status)) {
- DEBUG ((DEBUG_ERROR, "Error CPLKeyManGetKeyParam X public key error Status = %r\n", Status));
-
- FreePool (IkeKeys->DhBuffer->GxBuffer);
-
- FreePool (IkeKeys->DhBuffer);
-
- FreePool (IkeSaSession->IkeKeys);
-
- return Status;
- }
-
- IPSEC_DUMP_BUF ("DH Public Key (g^x) Dump", IkeKeys->DhBuffer->GxBuffer, IkeKeys->DhBuffer->GxSize);
-
- return EFI_SUCCESS;
-}
-
-/**
- Computes the DH Shared/Exchange Key.
-
- Given peer's public key, this function computes the exchanged common key and
- stores it in the IKEv2 SA Session's GxyBuffer.
-
- @param[in] DhBuffer Pointer to buffer of peer's puliic key.
- @param[in] KePayload Pointer to received key payload.
-
- @retval EFI_SUCCESS The operation succeeded.
- @retval Otherwise The operation failed.
-
-**/
-EFI_STATUS
-Ikev2GenerateSaDhComputeKey (
- IN IKEV2_DH_BUFFER *DhBuffer,
- IN IKE_PAYLOAD *KePayload
- )
-{
- EFI_STATUS Status;
- IKEV2_KEY_EXCHANGE *Ke;
- UINT8 *PubKey;
- UINTN PubKeySize;
-
- Ke = (IKEV2_KEY_EXCHANGE *) KePayload->PayloadBuf;
- PubKey = (UINT8 *) (Ke + 1);
- PubKeySize = KePayload->PayloadSize - sizeof (IKEV2_KEY_EXCHANGE);
- DhBuffer->GxySize = DhBuffer->GxSize;
- DhBuffer->GxyBuffer = AllocateZeroPool (DhBuffer->GxySize);
- if (DhBuffer->GxyBuffer == NULL) {
- return EFI_OUT_OF_RESOURCES;
- }
-
- //
- // Get GxyBuf
- //
- Status = IpSecCryptoIoDhComputeKey (
- DhBuffer->DhContext,
- PubKey,
- PubKeySize,
- DhBuffer->GxyBuffer,
- &DhBuffer->GxySize
- );
- if (EFI_ERROR (Status)) {
- DEBUG ((DEBUG_ERROR, "Error CPLKeyManGetKeyParam Y session key error Status = %r\n", Status));
-
- FreePool (DhBuffer->GxyBuffer);
-
- return Status;
- }
-
- //
- // Create GxyBuf.
- //
- DhBuffer->GySize = PubKeySize;
- DhBuffer->GyBuffer = AllocateZeroPool (DhBuffer->GySize);
- if (DhBuffer->GyBuffer == NULL) {
- FreePool (DhBuffer->GxyBuffer);
-
- return Status;
- }
-
- CopyMem (DhBuffer->GyBuffer, PubKey, DhBuffer->GySize);
-
- IPSEC_DUMP_BUF ("DH Public Key (g^y) Dump", DhBuffer->GyBuffer, DhBuffer->GySize);
- IPSEC_DUMP_BUF ("DH Shared Key (g^xy) Dump", DhBuffer->GxyBuffer, DhBuffer->GxySize);
-
- return EFI_SUCCESS;
-}
-
-/**
- Generates the IKE SKEYSEED and seven other secrets. SK_d, SK_ai, SK_ar, SK_ei, SK_er,
- SK_pi, SK_pr are keys for the furthure IKE exchange.
-
- @param[in] IkeSaSession Pointer to IKE SA Session.
- @param[in] KePayload Pointer to Key payload used to generate the Key.
-
- @retval EFI_UNSUPPORTED If one or more Algorithm Id is not supported.
- @retval EFI_OUT_OF_RESOURCES If there is no enough resource to be allocated to
- meet the requirement.
- @retval EFI_SUCCESS The operation succeeded.
-
-**/
-EFI_STATUS
-Ikev2GenerateSaKeys (
- IN IKEV2_SA_SESSION *IkeSaSession,
- IN IKE_PAYLOAD *KePayload
- )
-{
- EFI_STATUS Status;
- IKEV2_SA_PARAMS *SaParams;
- PRF_DATA_FRAGMENT Fragments[4];
- UINT64 InitiatorCookieNet;
- UINT64 ResponderCookieNet;
- UINT8 *KeyBuffer;
- UINTN KeyBufferSize;
- UINTN AuthAlgKeyLen;
- UINTN EncryptAlgKeyLen;
- UINTN IntegrityAlgKeyLen;
- UINTN PrfAlgKeyLen;
- UINT8 *OutputKey;
- UINTN OutputKeyLength;
- UINT8 *Digest;
- UINTN DigestSize;
-
- Digest = NULL;
- OutputKey = NULL;
- KeyBuffer = NULL;
- Status = EFI_SUCCESS;
-
- //
- // Generate Gxy
- //
- Status = Ikev2GenerateSaDhComputeKey (IkeSaSession->IkeKeys->DhBuffer, KePayload);
- if (EFI_ERROR (Status)) {
- goto Exit;
- }
-
- //
- // Get the key length of Authenticaion, Encryption, PRF, and Integrity.
- //
- SaParams = IkeSaSession->SessionCommon.SaParams;
- AuthAlgKeyLen = IpSecGetHmacDigestLength ((UINT8)SaParams->Prf);
- EncryptAlgKeyLen = IpSecGetEncryptKeyLength ((UINT8)SaParams->EncAlgId);
- IntegrityAlgKeyLen = IpSecGetHmacDigestLength ((UINT8)SaParams->IntegAlgId);
- PrfAlgKeyLen = IpSecGetHmacDigestLength ((UINT8)SaParams->Prf);
-
- //
- // If one or more algorithm is not support, return EFI_UNSUPPORTED.
- //
- if (AuthAlgKeyLen == 0 ||
- EncryptAlgKeyLen == 0 ||
- IntegrityAlgKeyLen == 0 ||
- PrfAlgKeyLen == 0
- ) {
- Status = EFI_UNSUPPORTED;
- goto Exit;
- }
-
- //
- // Compute SKEYSEED = prf(Ni | Nr, g^ir)
- //
- KeyBufferSize = IkeSaSession->NiBlkSize + IkeSaSession->NrBlkSize;
- KeyBuffer = AllocateZeroPool (KeyBufferSize);
- if (KeyBuffer == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto Exit;
- }
-
- CopyMem (KeyBuffer, IkeSaSession->NiBlock, IkeSaSession->NiBlkSize);
- CopyMem (KeyBuffer + IkeSaSession->NiBlkSize, IkeSaSession->NrBlock, IkeSaSession->NrBlkSize);
-
- Fragments[0].Data = IkeSaSession->IkeKeys->DhBuffer->GxyBuffer;
- Fragments[0].DataSize = IkeSaSession->IkeKeys->DhBuffer->GxySize;
-
- DigestSize = IpSecGetHmacDigestLength ((UINT8)SaParams->Prf);
- Digest = AllocateZeroPool (DigestSize);
-
- if (Digest == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto Exit;
- }
-
- IpSecCryptoIoHmac (
- (UINT8)SaParams->Prf,
- KeyBuffer,
- KeyBufferSize,
- (HASH_DATA_FRAGMENT *) Fragments,
- 1,
- Digest,
- DigestSize
- );
-
- //
- // {SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr } = prf+
- // (SKEYSEED, Ni | Nr | SPIi | SPIr )
- //
- Fragments[0].Data = IkeSaSession->NiBlock;
- Fragments[0].DataSize = IkeSaSession->NiBlkSize;
- Fragments[1].Data = IkeSaSession->NrBlock;
- Fragments[1].DataSize = IkeSaSession->NrBlkSize;
- InitiatorCookieNet = HTONLL (IkeSaSession->InitiatorCookie);
- ResponderCookieNet = HTONLL (IkeSaSession->ResponderCookie);
- Fragments[2].Data = (UINT8 *)(&InitiatorCookieNet);
- Fragments[2].DataSize = sizeof (IkeSaSession->InitiatorCookie);
- Fragments[3].Data = (UINT8 *)(&ResponderCookieNet);
- Fragments[3].DataSize = sizeof (IkeSaSession->ResponderCookie);
-
- IPSEC_DUMP_BUF (">>> NiBlock", IkeSaSession->NiBlock, IkeSaSession->NiBlkSize);
- IPSEC_DUMP_BUF (">>> NrBlock", IkeSaSession->NrBlock, IkeSaSession->NrBlkSize);
- IPSEC_DUMP_BUF (">>> InitiatorCookie", (UINT8 *)&IkeSaSession->InitiatorCookie, sizeof(UINT64));
- IPSEC_DUMP_BUF (">>> ResponderCookie", (UINT8 *)&IkeSaSession->ResponderCookie, sizeof(UINT64));
-
- OutputKeyLength = PrfAlgKeyLen +
- 2 * EncryptAlgKeyLen +
- 2 * AuthAlgKeyLen +
- 2 * IntegrityAlgKeyLen;
- OutputKey = AllocateZeroPool (OutputKeyLength);
- if (OutputKey == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto Exit;
- }
-
- //
- // Generate Seven Keymates.
- //
- Status = Ikev2SaGenerateKey (
- (UINT8)SaParams->Prf,
- Digest,
- DigestSize,
- OutputKey,
- OutputKeyLength,
- Fragments,
- 4
- );
- if (EFI_ERROR(Status)) {
- goto Exit;
- }
-
- //
- // Save the seven keys into KeySession.
- // First, SK_d
- //
- IkeSaSession->IkeKeys->SkdKey = AllocateZeroPool (PrfAlgKeyLen);
- if (IkeSaSession->IkeKeys->SkdKey == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto Exit;
- }
- IkeSaSession->IkeKeys->SkdKeySize = PrfAlgKeyLen;
- CopyMem (IkeSaSession->IkeKeys->SkdKey, OutputKey, PrfAlgKeyLen);
-
- IPSEC_DUMP_BUF (">>> SK_D Key", IkeSaSession->IkeKeys->SkdKey, PrfAlgKeyLen);
-
- //
- // Second, Sk_ai
- //
- IkeSaSession->IkeKeys->SkAiKey = AllocateZeroPool (IntegrityAlgKeyLen);
- if (IkeSaSession->IkeKeys->SkAiKey == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto Exit;
- }
- IkeSaSession->IkeKeys->SkAiKeySize = IntegrityAlgKeyLen;
- CopyMem (IkeSaSession->IkeKeys->SkAiKey, OutputKey + PrfAlgKeyLen, IntegrityAlgKeyLen);
-
- IPSEC_DUMP_BUF (">>> SK_Ai Key", IkeSaSession->IkeKeys->SkAiKey, IkeSaSession->IkeKeys->SkAiKeySize);
-
- //
- // Third, Sk_ar
- //
- IkeSaSession->IkeKeys->SkArKey = AllocateZeroPool (IntegrityAlgKeyLen);
- if (IkeSaSession->IkeKeys->SkArKey == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto Exit;
- }
- IkeSaSession->IkeKeys->SkArKeySize = IntegrityAlgKeyLen;
- CopyMem (
- IkeSaSession->IkeKeys->SkArKey,
- OutputKey + PrfAlgKeyLen + IntegrityAlgKeyLen,
- IntegrityAlgKeyLen
- );
-
- IPSEC_DUMP_BUF (">>> SK_Ar Key", IkeSaSession->IkeKeys->SkArKey, IkeSaSession->IkeKeys->SkArKeySize);
-
- //
- // Fourth, Sk_ei
- //
- IkeSaSession->IkeKeys->SkEiKey = AllocateZeroPool (EncryptAlgKeyLen);
- if (IkeSaSession->IkeKeys->SkEiKey == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto Exit;
- }
- IkeSaSession->IkeKeys->SkEiKeySize = EncryptAlgKeyLen;
-
- CopyMem (
- IkeSaSession->IkeKeys->SkEiKey,
- OutputKey + AuthAlgKeyLen + 2 * IntegrityAlgKeyLen,
- EncryptAlgKeyLen
- );
- IPSEC_DUMP_BUF (
- ">>> SK_Ei Key",
- OutputKey + AuthAlgKeyLen + 2 * IntegrityAlgKeyLen,
- EncryptAlgKeyLen
- );
-
- //
- // Fifth, Sk_er
- //
- IkeSaSession->IkeKeys->SkErKey = AllocateZeroPool (EncryptAlgKeyLen);
- if (IkeSaSession->IkeKeys->SkErKey == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto Exit;
- }
- IkeSaSession->IkeKeys->SkErKeySize = EncryptAlgKeyLen;
-
- CopyMem (
- IkeSaSession->IkeKeys->SkErKey,
- OutputKey + AuthAlgKeyLen + 2 * IntegrityAlgKeyLen + EncryptAlgKeyLen,
- EncryptAlgKeyLen
- );
- IPSEC_DUMP_BUF (
- ">>> SK_Er Key",
- OutputKey + AuthAlgKeyLen + 2 * IntegrityAlgKeyLen + EncryptAlgKeyLen,
- EncryptAlgKeyLen
- );
-
- //
- // Sixth, Sk_pi
- //
- IkeSaSession->IkeKeys->SkPiKey = AllocateZeroPool (AuthAlgKeyLen);
- if (IkeSaSession->IkeKeys->SkPiKey == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto Exit;
- }
- IkeSaSession->IkeKeys->SkPiKeySize = AuthAlgKeyLen;
-
- CopyMem (
- IkeSaSession->IkeKeys->SkPiKey,
- OutputKey + AuthAlgKeyLen + 2 * IntegrityAlgKeyLen + 2 * EncryptAlgKeyLen,
- AuthAlgKeyLen
- );
- IPSEC_DUMP_BUF (
- ">>> SK_Pi Key",
- OutputKey + AuthAlgKeyLen + 2 * IntegrityAlgKeyLen + 2 * EncryptAlgKeyLen,
- AuthAlgKeyLen
- );
-
- //
- // Seventh, Sk_pr
- //
- IkeSaSession->IkeKeys->SkPrKey = AllocateZeroPool (AuthAlgKeyLen);
- if (IkeSaSession->IkeKeys->SkPrKey == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto Exit;
- }
- IkeSaSession->IkeKeys->SkPrKeySize = AuthAlgKeyLen;
-
- CopyMem (
- IkeSaSession->IkeKeys->SkPrKey,
- OutputKey + AuthAlgKeyLen + 2 * IntegrityAlgKeyLen + 2 * EncryptAlgKeyLen + AuthAlgKeyLen,
- AuthAlgKeyLen
- );
- IPSEC_DUMP_BUF (
- ">>> SK_Pr Key",
- OutputKey + AuthAlgKeyLen + 2 * IntegrityAlgKeyLen + 2 * EncryptAlgKeyLen + AuthAlgKeyLen,
- AuthAlgKeyLen
- );
-
-
-Exit:
- if (Digest != NULL) {
- FreePool (Digest);
- }
- if (KeyBuffer != NULL) {
- FreePool (KeyBuffer);
- }
- if (OutputKey != NULL) {
- FreePool (OutputKey);
- }
-
- if (EFI_ERROR(Status)) {
- if (IkeSaSession->IkeKeys->SkdKey != NULL) {
- FreePool (IkeSaSession->IkeKeys->SkdKey);
- }
- if (IkeSaSession->IkeKeys->SkAiKey != NULL) {
- FreePool (IkeSaSession->IkeKeys->SkAiKey);
- }
- if (IkeSaSession->IkeKeys->SkArKey != NULL) {
- FreePool (IkeSaSession->IkeKeys->SkArKey);
- }
- if (IkeSaSession->IkeKeys->SkEiKey != NULL) {
- FreePool (IkeSaSession->IkeKeys->SkEiKey);
- }
- if (IkeSaSession->IkeKeys->SkErKey != NULL) {
- FreePool (IkeSaSession->IkeKeys->SkErKey);
- }
- if (IkeSaSession->IkeKeys->SkPiKey != NULL) {
- FreePool (IkeSaSession->IkeKeys->SkPiKey);
- }
- if (IkeSaSession->IkeKeys->SkPrKey != NULL) {
- FreePool (IkeSaSession->IkeKeys->SkPrKey);
- }
- }
-
-
- return Status;
-}
-
-/**
- Generates the Keys for the furthure IPsec Protocol.
-
- @param[in] ChildSaSession Pointer to IKE Child SA Session.
- @param[in] KePayload Pointer to Key payload used to generate the Key.
-
- @retval EFI_UNSUPPORTED If one or more Algorithm Id is not supported.
- @retval EFI_SUCCESS The operation succeeded.
-
-**/
-EFI_STATUS
-Ikev2GenerateChildSaKeys (
- IN IKEV2_CHILD_SA_SESSION *ChildSaSession,
- IN IKE_PAYLOAD *KePayload
- )
-{
- EFI_STATUS Status;
- IKEV2_SA_PARAMS *SaParams;
- PRF_DATA_FRAGMENT Fragments[3];
- UINTN EncryptAlgKeyLen;
- UINTN IntegrityAlgKeyLen;
- UINT8* OutputKey;
- UINTN OutputKeyLength;
-
- Status = EFI_SUCCESS;
- OutputKey = NULL;
-
- if (KePayload != NULL) {
- //
- // Generate Gxy
- //
- Status = Ikev2GenerateSaDhComputeKey (ChildSaSession->DhBuffer, KePayload);
- if (EFI_ERROR (Status)) {
- goto Exit;
- }
-
- Fragments[0].Data = ChildSaSession->DhBuffer->GxyBuffer;
- Fragments[0].DataSize = ChildSaSession->DhBuffer->GxySize;
- }
-
- Fragments[1].Data = ChildSaSession->NiBlock;
- Fragments[1].DataSize = ChildSaSession->NiBlkSize;
- Fragments[2].Data = ChildSaSession->NrBlock;
- Fragments[2].DataSize = ChildSaSession->NrBlkSize;
-
- //
- // Get the key length of Authenticaion, Encryption, PRF, and Integrity.
- //
- SaParams = ChildSaSession->SessionCommon.SaParams;
- EncryptAlgKeyLen = IpSecGetEncryptKeyLength ((UINT8)SaParams->EncAlgId);
- IntegrityAlgKeyLen = IpSecGetHmacDigestLength ((UINT8)SaParams->IntegAlgId);
- OutputKeyLength = 2 * EncryptAlgKeyLen + 2 * IntegrityAlgKeyLen;
-
- if ((EncryptAlgKeyLen == 0) || (IntegrityAlgKeyLen == 0)) {
- Status = EFI_UNSUPPORTED;
- goto Exit;
- }
-
- //
- //
- // If KePayload is not NULL, calculate KEYMAT = prf+(SK_d, g^ir (new) | Ni | Nr ),
- // otherwise, KEYMAT = prf+(SK_d, Ni | Nr )
- //
- OutputKey = AllocateZeroPool (OutputKeyLength);
- if (OutputKey == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto Exit;
- }
-
- //
- // Derive Key from the SkdKey Buffer.
- //
- Status = Ikev2SaGenerateKey (
- (UINT8)ChildSaSession->IkeSaSession->SessionCommon.SaParams->Prf,
- ChildSaSession->IkeSaSession->IkeKeys->SkdKey,
- ChildSaSession->IkeSaSession->IkeKeys->SkdKeySize,
- OutputKey,
- OutputKeyLength,
- KePayload == NULL ? &Fragments[1] : Fragments,
- KePayload == NULL ? 2 : 3
- );
-
- if (EFI_ERROR (Status)) {
- goto Exit;
- }
-
- //
- // Copy KEYMATE (SK_ENCRYPT_i | SK_ENCRYPT_r | SK_INTEG_i | SK_INTEG_r) to
- // ChildKeyMates.
- //
- if (!ChildSaSession->SessionCommon.IsInitiator) {
-
- //
- // Initiator Encryption Key
- //
- ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.EncAlgoId = (UINT8)SaParams->EncAlgId;
- ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.EncKeyLength = EncryptAlgKeyLen;
- ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.EncKey = AllocateZeroPool (EncryptAlgKeyLen);
- if (ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.EncKey == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto Exit;
- }
-
- CopyMem (
- ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.EncKey,
- OutputKey,
- EncryptAlgKeyLen
- );
-
- //
- // Initiator Authentication Key
- //
- ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.AuthAlgoId = (UINT8)SaParams->IntegAlgId;
- ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.AuthKeyLength = IntegrityAlgKeyLen;
- ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.AuthKey = AllocateZeroPool (IntegrityAlgKeyLen);
- if (ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.AuthKey == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto Exit;
- }
-
- CopyMem (
- ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.AuthKey,
- OutputKey + EncryptAlgKeyLen,
- IntegrityAlgKeyLen
- );
-
- //
- // Responder Encrypt Key
- //
- ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.EncAlgoId = (UINT8)SaParams->EncAlgId;
- ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.EncKeyLength = EncryptAlgKeyLen;
- ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.EncKey = AllocateZeroPool (EncryptAlgKeyLen);
- if (ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.EncKey == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto Exit;
- }
-
- CopyMem (
- ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.EncKey,
- OutputKey + EncryptAlgKeyLen + IntegrityAlgKeyLen,
- EncryptAlgKeyLen
- );
-
- //
- // Responder Authentication Key
- //
- ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.AuthAlgoId = (UINT8)SaParams->IntegAlgId;
- ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.AuthKeyLength = IntegrityAlgKeyLen;
- ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.AuthKey = AllocateZeroPool (IntegrityAlgKeyLen);
- if (ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.AuthKey == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto Exit;
- }
-
- CopyMem (
- ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.AuthKey,
- OutputKey + 2 * EncryptAlgKeyLen + IntegrityAlgKeyLen,
- IntegrityAlgKeyLen
- );
- } else {
- //
- // Initiator Encryption Key
- //
- ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.EncAlgoId = (UINT8)SaParams->EncAlgId;
- ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.EncKeyLength = EncryptAlgKeyLen;
- ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.EncKey = AllocateZeroPool (EncryptAlgKeyLen);
- if (ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.EncKey == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto Exit;
- }
-
- CopyMem (
- ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.EncKey,
- OutputKey,
- EncryptAlgKeyLen
- );
-
- //
- // Initiator Authentication Key
- //
- ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.AuthAlgoId = (UINT8)SaParams->IntegAlgId;
- ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.AuthKeyLength = IntegrityAlgKeyLen;
- ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.AuthKey = AllocateZeroPool (IntegrityAlgKeyLen);
- if (ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.AuthKey == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto Exit;
- }
-
- CopyMem (
- ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.AuthKey,
- OutputKey + EncryptAlgKeyLen,
- IntegrityAlgKeyLen
- );
-
- //
- // Responder Encryption Key
- //
- ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.EncAlgoId = (UINT8)SaParams->EncAlgId;
- ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.EncKeyLength = EncryptAlgKeyLen;
- ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.EncKey = AllocateZeroPool (EncryptAlgKeyLen);
- if (ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.EncKey == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto Exit;
- }
-
- CopyMem (
- ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.EncKey,
- OutputKey + EncryptAlgKeyLen + IntegrityAlgKeyLen,
- EncryptAlgKeyLen
- );
-
- //
- // Responder Authentication Key
- //
- ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.AuthAlgoId = (UINT8)SaParams->IntegAlgId;
- ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.AuthKeyLength = IntegrityAlgKeyLen;
- ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.AuthKey = AllocateZeroPool (IntegrityAlgKeyLen);
- if (ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.AuthKey == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto Exit;
- }
-
- CopyMem (
- ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.AuthKey,
- OutputKey + 2 * EncryptAlgKeyLen + IntegrityAlgKeyLen,
- IntegrityAlgKeyLen
- );
- }
-
- IPSEC_DUMP_BUF (
- " >>> Local Encryption Key",
- ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.EncKey,
- EncryptAlgKeyLen
- );
- IPSEC_DUMP_BUF (
- " >>> Remote Encryption Key",
- ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.EncKey,
- EncryptAlgKeyLen
- );
- IPSEC_DUMP_BUF (
- " >>> Local Authentication Key",
- ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.AuthKey,
- IntegrityAlgKeyLen
- );
- IPSEC_DUMP_BUF (
- " >>> Remote Authentication Key",
- ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.AuthKey,
- IntegrityAlgKeyLen
- );
-
-
-
-Exit:
- if (EFI_ERROR (Status)) {
- if (ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.EncKey != NULL) {
- FreePool (ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.EncKey);
- }
- if (ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.AuthKey != NULL) {
- FreePool (ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.AuthKey);
- }
- if (ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.EncKey != NULL) {
- FreePool (ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.EncKey);
- }
- if (ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.AuthKey != NULL) {
- FreePool (ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.AuthKey);
- }
- }
-
- if (OutputKey != NULL) {
- FreePool (OutputKey);
- }
-
- return EFI_SUCCESS;
-}
-
-GLOBAL_REMOVE_IF_UNREFERENCED IKEV2_PACKET_HANDLER mIkev2Initial[][2] = {
- { //PSK
- { // IKEV2_INIT
- Ikev2InitPskParser,
- Ikev2InitPskGenerator
- },
- { //IKEV2_AUTH
- Ikev2AuthPskParser,
- Ikev2AuthPskGenerator
- }
- },
- { // CERT
- { // IKEV2_INIT
- Ikev2InitCertParser,
- Ikev2InitCertGenerator
- },
- { // IKEV2_AUTH
- Ikev2AuthCertParser,
- Ikev2AuthCertGenerator
- },
- },
-};
diff --git a/NetworkPkg/IpSecDxe/Ikev2/Utility.c b/NetworkPkg/IpSecDxe/Ikev2/Utility.c deleted file mode 100644 index 87ec0bf5c8..0000000000 --- a/NetworkPkg/IpSecDxe/Ikev2/Utility.c +++ /dev/null @@ -1,2738 +0,0 @@ -/** @file
- The Common operations used by IKE Exchange Process.
-
- (C) Copyright 2015 Hewlett-Packard Development Company, L.P.<BR>
- Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>
-
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#include "Utility.h"
-#include "IpSecDebug.h"
-#include "IkeService.h"
-#include "IpSecConfigImpl.h"
-
-UINT16 mIkev2EncryptAlgorithmList[IKEV2_SUPPORT_ENCRYPT_ALGORITHM_NUM] = {
- IKEV2_TRANSFORM_ID_ENCR_3DES,
- IKEV2_TRANSFORM_ID_ENCR_AES_CBC,
-};
-
-UINT16 mIkev2PrfAlgorithmList[IKEV2_SUPPORT_PRF_ALGORITHM_NUM] = {
- IKEV2_TRANSFORM_ID_PRF_HMAC_SHA1,
-};
-
-UINT16 mIkev2DhGroupAlgorithmList[IKEV2_SUPPORT_DH_ALGORITHM_NUM] = {
- IKEV2_TRANSFORM_ID_DH_1024MODP,
- IKEV2_TRANSFORM_ID_DH_2048MODP,
-};
-
-UINT16 mIkev2AuthAlgorithmList[IKEV2_SUPPORT_AUTH_ALGORITHM_NUM] = {
- IKEV2_TRANSFORM_ID_AUTH_HMAC_SHA1_96,
-};
-
-/**
- Allocate buffer for IKEV2_SA_SESSION and initialize it.
-
- @param[in] Private Pointer to IPSEC_PRIVATE_DATA.
- @param[in] UdpService Pointer to IKE_UDP_SERVICE related to this IKE SA Session.
-
- @return Pointer to IKEV2_SA_SESSION or NULL.
-
-**/
-IKEV2_SA_SESSION *
-Ikev2SaSessionAlloc (
- IN IPSEC_PRIVATE_DATA *Private,
- IN IKE_UDP_SERVICE *UdpService
- )
-{
- EFI_STATUS Status;
- IKEV2_SESSION_COMMON *SessionCommon;
- IKEV2_SA_SESSION *IkeSaSession;
-
- IkeSaSession = AllocateZeroPool (sizeof (IKEV2_SA_SESSION));
- if (IkeSaSession == NULL) {
- return NULL;
- }
-
- //
- // Initialize the fields of IkeSaSession and its SessionCommon.
- //
- IkeSaSession->NCookie = NULL;
- IkeSaSession->Signature = IKEV2_SA_SESSION_SIGNATURE;
- IkeSaSession->InitiatorCookie = IkeGenerateCookie ();
- IkeSaSession->ResponderCookie = 0;
- //
- // BUGBUG: Message ID starts from 2 is to match the OpenSwan requirement, but it
- // might not match the IPv6 Logo. In its test specification, it mentions that
- // the Message ID should start from zero after the IKE_SA_INIT exchange.
- //
- IkeSaSession->MessageId = 2;
- SessionCommon = &IkeSaSession->SessionCommon;
- SessionCommon->UdpService = UdpService;
- SessionCommon->Private = Private;
- SessionCommon->IkeSessionType = IkeSessionTypeIkeSa;
- SessionCommon->IkeVer = 2;
- SessionCommon->AfterEncodePayload = NULL;
- SessionCommon->BeforeDecodePayload = NULL;
-
- //
- // Create a resend notfiy event for retry.
- //
- Status = gBS->CreateEvent (
- EVT_TIMER | EVT_NOTIFY_SIGNAL,
- TPL_CALLBACK,
- Ikev2ResendNotify,
- SessionCommon,
- &SessionCommon->TimeoutEvent
- );
-
- if (EFI_ERROR (Status)) {
- FreePool (IkeSaSession);
- return NULL;
- }
-
- //
- // Initialize the lists in IkeSaSession.
- //
- InitializeListHead (&IkeSaSession->ChildSaSessionList);
- InitializeListHead (&IkeSaSession->ChildSaEstablishSessionList);
- InitializeListHead (&IkeSaSession->InfoMIDList);
- InitializeListHead (&IkeSaSession->DeleteSaList);
-
- return IkeSaSession;
-}
-
-/**
- Register the established IKEv2 SA into Private->Ikev2EstablishedList. If there is
- IKEV2_SA_SESSION with same remote peer IP, remove the old one then register the
- new one.
-
- @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION to be registered.
- @param[in] Private Pointer to IPSEC_PRAVATE_DATA.
-
-**/
-VOID
-Ikev2SaSessionReg (
- IN IKEV2_SA_SESSION *IkeSaSession,
- IN IPSEC_PRIVATE_DATA *Private
- )
-{
- IKEV2_SESSION_COMMON *SessionCommon;
- IKEV2_SA_SESSION *OldIkeSaSession;
- EFI_STATUS Status;
- UINT64 Lifetime;
-
- //
- // Keep IKE SA exclusive to remote ip address.
- //
- SessionCommon = &IkeSaSession->SessionCommon;
- OldIkeSaSession = Ikev2SaSessionRemove (&Private->Ikev2EstablishedList, &SessionCommon->RemotePeerIp);
- if (OldIkeSaSession != NULL) {
- //
- // TODO: It should delete all child SAs if rekey the IKE SA.
- //
- Ikev2SaSessionFree (OldIkeSaSession);
- }
-
- //
- // Cleanup the fields of SessionCommon for processing.
- //
- Ikev2SessionCommonRefresh (SessionCommon);
-
- //
- // Insert the ready IKE SA session into established list.
- //
- Ikev2SaSessionInsert (&Private->Ikev2EstablishedList, IkeSaSession, &SessionCommon->RemotePeerIp);
-
- //
- // Create a notfiy event for the IKE SA life time counting.
- //
- Status = gBS->CreateEvent (
- EVT_TIMER | EVT_NOTIFY_SIGNAL,
- TPL_CALLBACK,
- Ikev2LifetimeNotify,
- SessionCommon,
- &SessionCommon->TimeoutEvent
- );
- if (EFI_ERROR(Status)){
- //
- // If TimerEvent creation failed, the SA will be alive untill user disable it or
- // receiving a Delete Payload from peer.
- //
- return;
- }
-
- //
- // Start to count the lifetime of the IKE SA.
- //
- if (IkeSaSession->Spd->Data->ProcessingPolicy->SaLifetime.HardLifetime == 0) {
- Lifetime = IKE_SA_DEFAULT_LIFETIME;
- } else {
- Lifetime = IkeSaSession->Spd->Data->ProcessingPolicy->SaLifetime.HardLifetime;
- }
-
- Status = gBS->SetTimer (
- SessionCommon->TimeoutEvent,
- TimerRelative,
- MultU64x32(Lifetime, 10000000) // ms->100ns
- );
- if (EFI_ERROR(Status)){
- //
- // If SetTimer failed, the SA will be alive untill user disable it or
- // receiving a Delete Payload from peer.
- //
- return ;
- }
-
- DEBUG ((
- DEBUG_INFO,
- "\n------IkeSa established and start to count down %d seconds lifetime\n",
- Lifetime
- ));
-
- return ;
-}
-
-/**
- Find a IKEV2_SA_SESSION by the remote peer IP.
-
- @param[in] SaSessionList SaSession List to be searched.
- @param[in] RemotePeerIp Pointer to specified IP address.
-
- @return Pointer to IKEV2_SA_SESSION if find one or NULL.
-
-**/
-IKEV2_SA_SESSION *
-Ikev2SaSessionLookup (
- IN LIST_ENTRY *SaSessionList,
- IN EFI_IP_ADDRESS *RemotePeerIp
- )
-{
- LIST_ENTRY *Entry;
- IKEV2_SA_SESSION *IkeSaSession;
-
- NET_LIST_FOR_EACH (Entry, SaSessionList) {
- IkeSaSession = IKEV2_SA_SESSION_BY_SESSION (Entry);
-
- if (CompareMem (
- &IkeSaSession->SessionCommon.RemotePeerIp,
- RemotePeerIp,
- sizeof (EFI_IP_ADDRESS)
- ) == 0) {
-
- return IkeSaSession;
- }
- }
-
- return NULL;
-}
-
-/**
- Insert a IKE_SA_SESSION into IkeSaSession list. The IkeSaSession list is either
- Private->Ikev2SaSession list or Private->Ikev2EstablishedList list.
-
- @param[in] SaSessionList Pointer to list to be inserted into.
- @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION to be inserted.
- @param[in] RemotePeerIp Pointer to EFI_IP_ADDRESSS to indicate the
- unique IKEV2_SA_SESSION.
-
-**/
-VOID
-Ikev2SaSessionInsert (
- IN LIST_ENTRY *SaSessionList,
- IN IKEV2_SA_SESSION *IkeSaSession,
- IN EFI_IP_ADDRESS *RemotePeerIp
- )
-{
- Ikev2SaSessionRemove (SaSessionList, RemotePeerIp);
- InsertTailList (SaSessionList, &IkeSaSession->BySessionTable);
-}
-
-/**
- Remove the SA Session by Remote Peer IP.
-
- @param[in] SaSessionList Pointer to list to be searched.
- @param[in] RemotePeerIp Pointer to EFI_IP_ADDRESS to use for SA Session search.
-
- @retval Pointer to IKEV2_SA_SESSION with the specified remote IP address or NULL.
-
-**/
-IKEV2_SA_SESSION *
-Ikev2SaSessionRemove (
- IN LIST_ENTRY *SaSessionList,
- IN EFI_IP_ADDRESS *RemotePeerIp
- )
-{
- LIST_ENTRY *Entry;
- IKEV2_SA_SESSION *IkeSaSession;
-
- NET_LIST_FOR_EACH (Entry, SaSessionList) {
- IkeSaSession = IKEV2_SA_SESSION_BY_SESSION (Entry);
-
- if (CompareMem (
- &IkeSaSession->SessionCommon.RemotePeerIp,
- RemotePeerIp,
- sizeof (EFI_IP_ADDRESS)
- ) == 0) {
-
- RemoveEntryList (Entry);
- return IkeSaSession;
- }
- }
-
- return NULL;
-}
-
-
-/**
- Free specified Seession Common. The session common would belong to a IKE SA or
- a Child SA.
-
- @param[in] SessionCommon Pointer to a Session Common.
-
-**/
-VOID
-Ikev2SaSessionCommonFree (
- IN IKEV2_SESSION_COMMON *SessionCommon
- )
-{
-
- ASSERT (SessionCommon != NULL);
-
- if (SessionCommon->LastSentPacket != NULL) {
- IkePacketFree (SessionCommon->LastSentPacket);
- }
-
- if (SessionCommon->SaParams != NULL) {
- FreePool (SessionCommon->SaParams);
- }
- if (SessionCommon->TimeoutEvent != NULL) {
- gBS->CloseEvent (SessionCommon->TimeoutEvent);
- }
-}
-
-/**
- After IKE/Child SA is estiblished, close the time event and free sent packet.
-
- @param[in] SessionCommon Pointer to a Session Common.
-
-**/
-VOID
-Ikev2SessionCommonRefresh (
- IN IKEV2_SESSION_COMMON *SessionCommon
- )
-{
- ASSERT (SessionCommon != NULL);
-
- gBS->CloseEvent (SessionCommon->TimeoutEvent);
- SessionCommon->TimeoutEvent = NULL;
- SessionCommon->TimeoutInterval = 0;
- SessionCommon->RetryCount = 0;
- if (SessionCommon->LastSentPacket != NULL) {
- IkePacketFree (SessionCommon->LastSentPacket);
- SessionCommon->LastSentPacket = NULL;
- }
-
- return ;
-}
-/**
- Free specified IKEV2 SA Session.
-
- @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION to be freed.
-
-**/
-VOID
-Ikev2SaSessionFree (
- IN IKEV2_SA_SESSION *IkeSaSession
- )
-{
- IKEV2_SESSION_KEYS *IkeKeys;
- LIST_ENTRY *Entry;
- IKEV2_CHILD_SA_SESSION *ChildSa;
- IKEV2_DH_BUFFER *DhBuffer;
-
- ASSERT (IkeSaSession != NULL);
-
- //
- // Delete Common Session
- //
- Ikev2SaSessionCommonFree (&IkeSaSession->SessionCommon);
-
- //
- // Delete ChildSaEstablish List and SAD
- //
- for (Entry = IkeSaSession->ChildSaEstablishSessionList.ForwardLink;
- Entry != &IkeSaSession->ChildSaEstablishSessionList;
- ) {
-
- ChildSa = IKEV2_CHILD_SA_SESSION_BY_IKE_SA (Entry);
- Entry = Entry->ForwardLink;
- Ikev2ChildSaSilentDelete (ChildSa->IkeSaSession, ChildSa->LocalPeerSpi);
-
- }
-
- //
- // Delete ChildSaSessionList
- //
- for ( Entry = IkeSaSession->ChildSaSessionList.ForwardLink;
- Entry != &IkeSaSession->ChildSaSessionList;
- ){
- ChildSa = IKEV2_CHILD_SA_SESSION_BY_IKE_SA (Entry);
- Entry = Entry->ForwardLink;
- RemoveEntryList (Entry->BackLink);
- Ikev2ChildSaSessionFree (ChildSa);
- }
-
- //
- // Delete DhBuffer and Keys
- //
- if (IkeSaSession->IkeKeys != NULL) {
- IkeKeys = IkeSaSession->IkeKeys;
- DhBuffer = IkeKeys->DhBuffer;
-
- //
- // Delete DhBuffer
- //
- Ikev2DhBufferFree (DhBuffer);
-
- //
- // Delete Keys
- //
- if (IkeKeys->SkAiKey != NULL) {
- FreePool (IkeKeys->SkAiKey);
- }
- if (IkeKeys->SkArKey != NULL) {
- FreePool (IkeKeys->SkArKey);
- }
- if (IkeKeys->SkdKey != NULL) {
- FreePool (IkeKeys->SkdKey);
- }
- if (IkeKeys->SkEiKey != NULL) {
- FreePool (IkeKeys->SkEiKey);
- }
- if (IkeKeys->SkErKey != NULL) {
- FreePool (IkeKeys->SkErKey);
- }
- if (IkeKeys->SkPiKey != NULL) {
- FreePool (IkeKeys->SkPiKey);
- }
- if (IkeKeys->SkPrKey != NULL) {
- FreePool (IkeKeys->SkPrKey);
- }
- FreePool (IkeKeys);
- }
-
- if (IkeSaSession->SaData != NULL) {
- FreePool (IkeSaSession->SaData);
- }
-
- if (IkeSaSession->NiBlock != NULL) {
- FreePool (IkeSaSession->NiBlock);
- }
-
- if (IkeSaSession->NrBlock != NULL) {
- FreePool (IkeSaSession->NrBlock);
- }
-
- if (IkeSaSession->NCookie != NULL) {
- FreePool (IkeSaSession->NCookie);
- }
-
- if (IkeSaSession->InitPacket != NULL) {
- FreePool (IkeSaSession->InitPacket);
- }
-
- if (IkeSaSession->RespPacket != NULL) {
- FreePool (IkeSaSession->RespPacket);
- }
-
- FreePool (IkeSaSession);
-
- return ;
-}
-
-/**
- Increase the MessageID in IkeSaSession.
-
- @param[in] IkeSaSession Pointer to a specified IKEV2_SA_SESSION.
-
-**/
-VOID
-Ikev2SaSessionIncreaseMessageId (
- IN IKEV2_SA_SESSION *IkeSaSession
- )
-{
- if (IkeSaSession->MessageId < 0xffffffff) {
- IkeSaSession->MessageId ++;
- } else {
- //
- // TODO: Trigger Rekey process.
- //
- }
-}
-
-/**
- Allocate memory for IKEV2 Child SA Session.
-
- @param[in] UdpService Pointer to IKE_UDP_SERVICE.
- @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION related to this Child SA
- Session.
-
- @retval Pointer of a new created IKEV2 Child SA Session or NULL.
-
-**/
-IKEV2_CHILD_SA_SESSION *
-Ikev2ChildSaSessionAlloc (
- IN IKE_UDP_SERVICE *UdpService,
- IN IKEV2_SA_SESSION *IkeSaSession
- )
-{
- EFI_STATUS Status;
- IKEV2_CHILD_SA_SESSION *ChildSaSession;
- IKEV2_SESSION_COMMON *ChildSaCommon;
- IKEV2_SESSION_COMMON *SaCommon;
-
- ChildSaSession = AllocateZeroPool (sizeof (IKEV2_CHILD_SA_SESSION));
- if (ChildSaSession == NULL) {
- return NULL;
- }
-
- //
- // Initialize the fields of ChildSaSession and its SessionCommon.
- //
- ChildSaSession->Signature = IKEV2_CHILD_SA_SESSION_SIGNATURE;
- ChildSaSession->IkeSaSession = IkeSaSession;
- ChildSaSession->MessageId = IkeSaSession->MessageId;
-
- //
- // Generate an new SPI.
- //
- Status = IkeGenerateSpi (IkeSaSession, &(ChildSaSession->LocalPeerSpi));
- if (EFI_ERROR (Status)) {
- FreePool (ChildSaSession);
- return NULL;
- }
-
- ChildSaCommon = &ChildSaSession->SessionCommon;
- ChildSaCommon->UdpService = UdpService;
- ChildSaCommon->Private = IkeSaSession->SessionCommon.Private;
- ChildSaCommon->IkeSessionType = IkeSessionTypeChildSa;
- ChildSaCommon->IkeVer = 2;
- ChildSaCommon->AfterEncodePayload = Ikev2ChildSaAfterEncodePayload;
- ChildSaCommon->BeforeDecodePayload = Ikev2ChildSaBeforeDecodePayload;
- SaCommon = &ChildSaSession->IkeSaSession->SessionCommon;
-
- //
- // Create a resend notfiy event for retry.
- //
- Status = gBS->CreateEvent (
- EVT_TIMER | EVT_NOTIFY_SIGNAL,
- TPL_CALLBACK,
- Ikev2ResendNotify,
- ChildSaCommon,
- &ChildSaCommon->TimeoutEvent
- );
- if (EFI_ERROR (Status)) {
- FreePool (ChildSaSession);
- return NULL;
- }
-
- CopyMem (&ChildSaCommon->LocalPeerIp, &SaCommon->LocalPeerIp, sizeof (EFI_IP_ADDRESS));
- CopyMem (&ChildSaCommon->RemotePeerIp, &SaCommon->RemotePeerIp, sizeof (EFI_IP_ADDRESS));
-
- return ChildSaSession;
-}
-
-/**
- Register a established IKEv2 Child SA into IkeSaSession->ChildSaEstablishSessionList.
- If the there is IKEV2_CHILD_SA_SESSION with same remote peer IP, remove the old one
- then register the new one.
-
- @param[in] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION to be registered.
- @param[in] Private Pointer to IPSEC_PRAVATE_DATA.
-
-**/
-VOID
-Ikev2ChildSaSessionReg (
- IN IKEV2_CHILD_SA_SESSION *ChildSaSession,
- IN IPSEC_PRIVATE_DATA *Private
- )
-{
- IKEV2_SESSION_COMMON *SessionCommon;
- IKEV2_CHILD_SA_SESSION *OldChildSaSession;
- IKEV2_SA_SESSION *IkeSaSession;
- EFI_STATUS Status;
- UINT64 Lifetime;
-
- //
- // Keep the IKE SA exclusive.
- //
- SessionCommon = &ChildSaSession->SessionCommon;
- IkeSaSession = ChildSaSession->IkeSaSession;
- OldChildSaSession = Ikev2ChildSaSessionRemove (
- &IkeSaSession->ChildSaEstablishSessionList,
- ChildSaSession->LocalPeerSpi,
- IKEV2_ESTABLISHED_CHILDSA_LIST
- );
- if (OldChildSaSession != NULL) {
- //
- // Free the old one.
- //
- Ikev2ChildSaSessionFree (OldChildSaSession);
- }
-
- //
- // Store the ready child SA into SAD.
- //
- Ikev2StoreSaData (ChildSaSession);
-
- //
- // Cleanup the fields of SessionCommon for processing.
- //
- Ikev2SessionCommonRefresh (SessionCommon);
-
- //
- // Insert the ready child SA session into established list.
- //
- Ikev2ChildSaSessionInsert (&IkeSaSession->ChildSaEstablishSessionList, ChildSaSession);
-
- //
- // Create a Notify event for the IKE SA life time counting.
- //
- Status = gBS->CreateEvent (
- EVT_TIMER | EVT_NOTIFY_SIGNAL,
- TPL_CALLBACK,
- Ikev2LifetimeNotify,
- SessionCommon,
- &SessionCommon->TimeoutEvent
- );
- if (EFI_ERROR(Status)){
- return ;
- }
-
- //
- // Start to count the lifetime of the IKE SA.
- //
- if (ChildSaSession->Spd->Data->ProcessingPolicy->SaLifetime.HardLifetime != 0){
- Lifetime = ChildSaSession->Spd->Data->ProcessingPolicy->SaLifetime.HardLifetime;
- } else {
- Lifetime = CHILD_SA_DEFAULT_LIFETIME;
- }
-
- Status = gBS->SetTimer (
- SessionCommon->TimeoutEvent,
- TimerRelative,
- MultU64x32(Lifetime, 10000000) // ms->100ns
- );
- if (EFI_ERROR(Status)){
- return ;
- }
-
- DEBUG ((
- DEBUG_INFO,
- "\n------ChildSa established and start to count down %d seconds lifetime\n",
- Lifetime
- ));
-
- return ;
-}
-
-
-/**
- This function find the Child SA by the specified SPI.
-
- This functin find a ChildSA session by searching the ChildSaSessionlist of
- the input IKEV2_SA_SESSION by specified MessageID.
-
- @param[in] SaSessionList Pointer to List to be searched.
- @param[in] Spi Specified SPI.
-
- @return Pointer to IKEV2_CHILD_SA_SESSION or NULL.
-
-**/
-IKEV2_CHILD_SA_SESSION *
-Ikev2ChildSaSessionLookupBySpi (
- IN LIST_ENTRY *SaSessionList,
- IN UINT32 Spi
- )
-{
- LIST_ENTRY *Entry;
- IKEV2_CHILD_SA_SESSION *ChildSaSession;
-
- NET_LIST_FOR_EACH (Entry, SaSessionList) {
- ChildSaSession = IKEV2_CHILD_SA_SESSION_BY_IKE_SA (Entry);
-
- if (ChildSaSession->RemotePeerSpi == Spi || ChildSaSession->LocalPeerSpi == Spi) {
- return ChildSaSession;
- }
- }
-
- return NULL;
-}
-
-/**
- Insert a Child SA Session into the specified ChildSa list.
-
- @param[in] SaSessionList Pointer to list to be inserted in.
- @param[in] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION to be inserted.
-
-**/
-VOID
-Ikev2ChildSaSessionInsert (
- IN LIST_ENTRY *SaSessionList,
- IN IKEV2_CHILD_SA_SESSION *ChildSaSession
- )
-{
- InsertTailList (SaSessionList, &ChildSaSession->ByIkeSa);
-}
-
-/**
- Remove the IKEV2_CHILD_SA_SESSION from IkeSaSessionList.
-
- @param[in] SaSessionList The SA Session List to be iterated.
- @param[in] Spi Spi used to identified the IKEV2_CHILD_SA_SESSION.
- @param[in] ListType The type of the List to indicate whether it is a
- Established.
-
- @return The point to IKEV2_CHILD_SA_SESSION or NULL.
-
-**/
-IKEV2_CHILD_SA_SESSION *
-Ikev2ChildSaSessionRemove (
- IN LIST_ENTRY *SaSessionList,
- IN UINT32 Spi,
- IN UINT8 ListType
- )
-{
- LIST_ENTRY *Entry;
- LIST_ENTRY *NextEntry;
- IKEV2_CHILD_SA_SESSION *ChildSaSession;
-
- NET_LIST_FOR_EACH_SAFE (Entry, NextEntry, SaSessionList) {
-
- if (ListType == IKEV2_ESTABLISHED_CHILDSA_LIST || ListType == IKEV2_ESTABLISHING_CHILDSA_LIST) {
- ChildSaSession = IKEV2_CHILD_SA_SESSION_BY_IKE_SA (Entry);
- } else if (ListType == IKEV2_DELET_CHILDSA_LIST) {
- ChildSaSession = IKEV2_CHILD_SA_SESSION_BY_DEL_SA (Entry);
- } else {
- return NULL;
- }
-
- if (ChildSaSession->RemotePeerSpi == Spi || ChildSaSession->LocalPeerSpi == Spi) {
- RemoveEntryList (Entry);
- return ChildSaSession;
- }
- }
-
- return NULL;
-}
-
-/**
- Free the memory located for the specified IKEV2_CHILD_SA_SESSION.
-
- @param[in] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION.
-
-**/
-VOID
-Ikev2ChildSaSessionFree (
- IN IKEV2_CHILD_SA_SESSION *ChildSaSession
- )
-{
- IKEV2_SESSION_COMMON *SessionCommon;
-
- SessionCommon = &ChildSaSession->SessionCommon;
- if (ChildSaSession->SaData != NULL) {
- FreePool (ChildSaSession->SaData);
- }
-
- if (ChildSaSession->NiBlock != NULL) {
- FreePool (ChildSaSession->NiBlock);
- }
-
- if (ChildSaSession->NrBlock != NULL) {
- FreePool (ChildSaSession->NrBlock);
- }
-
- if (ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.AuthKey != NULL) {
- FreePool (ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.AuthKey);
- }
-
- if (ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.EncKey != NULL) {
- FreePool (ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.EncKey);
- }
-
- if (ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.AuthKey != NULL) {
- FreePool (ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.AuthKey);
- }
-
- if (ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.EncKey != NULL) {
- FreePool (ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.EncKey);
- }
-
- //
- // Delete DhBuffer
- //
- Ikev2DhBufferFree (ChildSaSession->DhBuffer);
-
- //
- // Delete SpdSelector
- //
- if (ChildSaSession->SpdSelector != NULL) {
- if (ChildSaSession->SpdSelector->LocalAddress != NULL) {
- FreePool (ChildSaSession->SpdSelector->LocalAddress);
- }
- if (ChildSaSession->SpdSelector->RemoteAddress != NULL) {
- FreePool (ChildSaSession->SpdSelector->RemoteAddress);
- }
- FreePool (ChildSaSession->SpdSelector);
- }
- Ikev2SaSessionCommonFree (SessionCommon);
- FreePool (ChildSaSession);
-
- return ;
-}
-
-/**
- Delete the specified established Child SA.
-
- This function delete the Child SA directly and don't send the Information Packet to
- remote peer.
-
- @param[in] IkeSaSession Pointer to a IKE SA Session used to be searched for.
- @param[in] Spi SPI used to find the Child SA.
-
- @retval EFI_NOT_FOUND Pointer of IKE SA Session is NULL.
- @retval EFI_NOT_FOUND There is no specified Child SA related with the input
- SPI under this IKE SA Session.
- @retval EFI_SUCCESS Delete the Child SA successfully.
-
-**/
-EFI_STATUS
-Ikev2ChildSaSilentDelete (
- IN IKEV2_SA_SESSION *IkeSaSession,
- IN UINT32 Spi
- )
-{
- EFI_STATUS Status;
- EFI_IPSEC_CONFIG_SELECTOR *Selector;
- UINTN SelectorSize;
- BOOLEAN IsLocalFound;
- BOOLEAN IsRemoteFound;
- UINT32 LocalSpi;
- UINT32 RemoteSpi;
- IKEV2_CHILD_SA_SESSION *ChildSession;
- EFI_IPSEC_CONFIG_SELECTOR *LocalSelector;
- EFI_IPSEC_CONFIG_SELECTOR *RemoteSelector;
- IPSEC_PRIVATE_DATA *Private;
-
- if (IkeSaSession == NULL) {
- return EFI_NOT_FOUND;
- }
-
- IsLocalFound = FALSE;
- IsRemoteFound = FALSE;
- ChildSession = NULL;
- LocalSelector = NULL;
- RemoteSelector = NULL;
-
- Private = IkeSaSession->SessionCommon.Private;
-
- //
- // Remove the Established SA from ChildSaEstablishlist.
- //
- ChildSession = Ikev2ChildSaSessionRemove(
- &(IkeSaSession->ChildSaEstablishSessionList),
- Spi,
- IKEV2_ESTABLISHED_CHILDSA_LIST
- );
- if (ChildSession == NULL) {
- return EFI_NOT_FOUND;
- }
-
- LocalSpi = ChildSession->LocalPeerSpi;
- RemoteSpi = ChildSession->RemotePeerSpi;
-
- SelectorSize = sizeof (EFI_IPSEC_CONFIG_SELECTOR);
- Selector = AllocateZeroPool (SelectorSize);
- if (Selector == NULL) {
- return EFI_OUT_OF_RESOURCES;
- }
-
- while (1) {
- Status = EfiIpSecConfigGetNextSelector (
- &Private->IpSecConfig,
- IPsecConfigDataTypeSad,
- &SelectorSize,
- Selector
- );
- if (Status == EFI_BUFFER_TOO_SMALL) {
- FreePool (Selector);
-
- Selector = AllocateZeroPool (SelectorSize);
- if (Selector == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- break;
- }
-
- Status = EfiIpSecConfigGetNextSelector (
- &Private->IpSecConfig,
- IPsecConfigDataTypeSad,
- &SelectorSize,
- Selector
- );
- }
-
- if (EFI_ERROR (Status)) {
- break;
- }
-
- if (Selector->SaId.Spi == RemoteSpi) {
- //
- // SPI is unique. There is only one SAD whose SPI is
- // same with RemoteSpi.
- //
- IsRemoteFound = TRUE;
- RemoteSelector = AllocateZeroPool (SelectorSize);
- if (RemoteSelector == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- break;
- }
-
- CopyMem (RemoteSelector, Selector, SelectorSize);
- }
-
- if (Selector->SaId.Spi == LocalSpi) {
- //
- // SPI is unique. There is only one SAD whose SPI is
- // same with LocalSpi.
- //
- IsLocalFound = TRUE;
- LocalSelector = AllocateZeroPool (SelectorSize);
- if (LocalSelector == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- break;
- }
-
- CopyMem (LocalSelector, Selector, SelectorSize);
- }
- }
- //
- // Delete SA from the Variable.
- //
- if (IsLocalFound) {
- Status = EfiIpSecConfigSetData (
- &Private->IpSecConfig,
- IPsecConfigDataTypeSad,
- LocalSelector,
- NULL,
- NULL
- );
- }
-
- if (IsRemoteFound) {
- Status = EfiIpSecConfigSetData (
- &Private->IpSecConfig,
- IPsecConfigDataTypeSad,
- RemoteSelector,
- NULL,
- NULL
- );
-
- }
-
- DEBUG (
- (DEBUG_INFO,
- "\n------IKEV2 deleted ChildSa(local spi, remote spi):(0x%x, 0x%x)------\n",
- LocalSpi,
- RemoteSpi)
- );
- Ikev2ChildSaSessionFree (ChildSession);
-
- if (RemoteSelector != NULL) {
- FreePool (RemoteSelector);
- }
-
- if (LocalSelector != NULL) {
- FreePool (LocalSelector);
- }
-
- if (Selector != NULL) {
- FreePool (Selector);
- }
-
- return Status;
-}
-
-/**
- Free the specified DhBuffer.
-
- @param[in] DhBuffer Pointer to IKEV2_DH_BUFFER to be freed.
-
-**/
-VOID
-Ikev2DhBufferFree (
- IKEV2_DH_BUFFER *DhBuffer
-)
-{
- if (DhBuffer != NULL) {
- if (DhBuffer->GxBuffer != NULL) {
- FreePool (DhBuffer->GxBuffer);
- }
- if (DhBuffer->GyBuffer != NULL) {
- FreePool (DhBuffer->GyBuffer);
- }
- if (DhBuffer->GxyBuffer != NULL) {
- FreePool (DhBuffer->GxyBuffer);
- }
- if (DhBuffer->DhContext != NULL) {
- IpSecCryptoIoFreeDh (&DhBuffer->DhContext);
- }
- FreePool (DhBuffer);
- }
-}
-
-/**
- This function is to parse a request IKE packet and return its request type.
- The request type is one of IKE CHILD SA creation, IKE SA rekeying and
- IKE CHILD SA rekeying.
-
- @param[in] IkePacket IKE packet to be prased.
-
- return the type of the IKE packet.
-
-**/
-IKEV2_CREATE_CHILD_REQUEST_TYPE
-Ikev2ChildExchangeRequestType(
- IN IKE_PACKET *IkePacket
- )
-{
- BOOLEAN Flag;
- LIST_ENTRY *Entry;
- IKE_PAYLOAD *IkePayload;
-
- Flag = FALSE;
-
- NET_LIST_FOR_EACH (Entry, &(IkePacket)->PayloadList) {
- IkePayload = IKE_PAYLOAD_BY_PACKET (Entry);
- if (IkePayload->PayloadType == IKEV2_PAYLOAD_TYPE_TS_INIT) {
- //
- // Packet with Ts Payload means it is for either CHILD_SA_CREATE or CHILD_SA_REKEY.
- //
- Flag = TRUE;
- }
- if (IkePayload->PayloadType == IKEV2_PAYLOAD_TYPE_NOTIFY) {
- if (((IKEV2_NOTIFY*)IkePayload)->MessageType == IKEV2_NOTIFICATION_REKEY_SA) {
- //
- // If notify payload with REKEY_SA message type, the IkePacket is for
- // rekeying Child SA.
- //
- return IkeRequestTypeRekeyChildSa;
- }
- }
- };
-
- if (!Flag){
- //
- // The Create Child Exchange is for IKE SA rekeying.
- //
- return IkeRequestTypeRekeyIkeSa;
- } else {
- //
- // If the Notify payloaad with transport mode message type, the IkePacket is
- // for create Child SA.
- //
- return IkeRequestTypeCreateChildSa;
- }
-}
-
-/**
- Associate a SPD selector to the Child SA Session.
-
- This function is called when the Child SA is not the first child SA of its
- IKE SA. It associate a SPD to this Child SA.
-
- @param[in, out] ChildSaSession Pointer to the Child SA Session to be associated to
- a SPD selector.
-
- @retval EFI_SUCCESS Associate one SPD selector to this Child SA Session successfully.
- @retval EFI_NOT_FOUND Can't find the related SPD selector.
-
-**/
-EFI_STATUS
-Ikev2ChildSaAssociateSpdEntry (
- IN OUT IKEV2_CHILD_SA_SESSION *ChildSaSession
- )
-{
- IpSecVisitConfigData (IPsecConfigDataTypeSpd, Ikev2MatchSpdEntry, ChildSaSession);
- if (ChildSaSession->Spd != NULL) {
- return EFI_SUCCESS;
- } else {
- return EFI_NOT_FOUND;
- }
-}
-
-
-
-/**
- Validate the IKE header of received IKE packet.
-
- @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION related to this IKE packet.
- @param[in] IkeHdr Pointer to IKE header of received IKE packet.
-
- @retval TRUE If the IKE header is valid.
- @retval FALSE If the IKE header is invalid.
-
-**/
-BOOLEAN
-Ikev2ValidateHeader (
- IN IKEV2_SA_SESSION *IkeSaSession,
- IN IKE_HEADER *IkeHdr
- )
-{
-
- IKEV2_SESSION_STATE State;
-
- State = IkeSaSession->SessionCommon.State;
- if (State == IkeStateInit) {
- //
- // For the IKE Initial Exchange, the MessagId should be zero.
- //
- if (IkeHdr->MessageId != 0) {
- return FALSE;
- }
- } else {
- if (State == IkeStateAuth) {
- if (IkeHdr->MessageId != 1) {
- return FALSE;
- }
- }
- if (IkeHdr->InitiatorCookie != IkeSaSession->InitiatorCookie ||
- IkeHdr->ResponderCookie != IkeSaSession->ResponderCookie
- ) {
- //
- // TODO: send notification INVALID-COOKIE
- //
- return FALSE;
- }
- }
-
- //
- // Information Exchagne and Create Child Exchange can be started from each part.
- //
- if (IkeHdr->ExchangeType != IKEV2_EXCHANGE_TYPE_INFO &&
- IkeHdr->ExchangeType != IKEV2_EXCHANGE_TYPE_CREATE_CHILD
- ) {
- if (IkeSaSession->SessionCommon.IsInitiator) {
- if (IkeHdr->InitiatorCookie != IkeSaSession->InitiatorCookie) {
- //
- // TODO: send notification INVALID-COOKIE
- //
- return FALSE;
- }
- if (IkeHdr->Flags != IKE_HEADER_FLAGS_RESPOND) {
- return FALSE;
- }
- } else {
- if (IkeHdr->Flags != IKE_HEADER_FLAGS_INIT) {
- return FALSE;
- }
- }
- }
-
- return TRUE;
-}
-
-/**
- Create and intialize IKEV2_SA_DATA for speicifed IKEV2_SESSION_COMMON.
-
- This function will be only called by the initiator. The responder's IKEV2_SA_DATA
- will be generated during parsed the initiator packet.
-
- @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON related to.
-
- @retval a Pointer to a new IKEV2_SA_DATA or NULL.
-
-**/
-IKEV2_SA_DATA *
-Ikev2InitializeSaData (
- IN IKEV2_SESSION_COMMON *SessionCommon
- )
-{
- IKEV2_CHILD_SA_SESSION *ChildSaSession;
- IKEV2_SA_DATA *SaData;
- IKEV2_PROPOSAL_DATA *ProposalData;
- IKEV2_TRANSFORM_DATA *TransformData;
- IKE_SA_ATTRIBUTE *Attribute;
-
- ASSERT (SessionCommon != NULL);
- //
- // TODO: Remove the hard code of the support Alogrithm. Those data should be
- // get from the SPD/PAD data.
- //
- if (SessionCommon->IkeSessionType == IkeSessionTypeIkeSa) {
- SaData = AllocateZeroPool (
- sizeof (IKEV2_SA_DATA) +
- sizeof (IKEV2_PROPOSAL_DATA) * 2 +
- sizeof (IKEV2_TRANSFORM_DATA) * 4 * 2
- );
- } else {
- SaData = AllocateZeroPool (
- sizeof (IKEV2_SA_DATA) +
- sizeof (IKEV2_PROPOSAL_DATA) * 2 +
- sizeof (IKEV2_TRANSFORM_DATA) * 3 * 2
- );
- }
- if (SaData == NULL) {
- return NULL;
- }
-
- //
- // First proposal payload: 3DES + SHA1 + DH
- //
- SaData->NumProposals = 2;
- ProposalData = (IKEV2_PROPOSAL_DATA *) (SaData + 1);
- ProposalData->ProposalIndex = 1;
-
- //
- // If SA data for IKE_SA_INIT exchage, contains 4 transforms. If SA data for
- // IKE_AUTH exchange contains 3 transforms.
- //
- if (SessionCommon->IkeSessionType == IkeSessionTypeIkeSa) {
- ProposalData->NumTransforms = 4;
- } else {
- ProposalData->NumTransforms = 3;
- }
-
-
- if (SessionCommon->IkeSessionType == IkeSessionTypeIkeSa) {
- ProposalData->ProtocolId = IPSEC_PROTO_ISAKMP;
- } else {
- ChildSaSession = IKEV2_CHILD_SA_SESSION_FROM_COMMON (SessionCommon);
- ProposalData->ProtocolId = IPSEC_PROTO_IPSEC_ESP;
- ProposalData->Spi = AllocateZeroPool (sizeof (ChildSaSession->LocalPeerSpi));
- if (ProposalData->Spi == NULL) {
- FreePool (SaData);
- return NULL;
- }
-
- CopyMem (
- ProposalData->Spi,
- &ChildSaSession->LocalPeerSpi,
- sizeof(ChildSaSession->LocalPeerSpi)
- );
- }
-
- //
- // Set transform attribute for Encryption Algorithm - 3DES
- //
- TransformData = (IKEV2_TRANSFORM_DATA *) (ProposalData + 1);
- TransformData->TransformIndex = 0;
- TransformData->TransformType = IKEV2_TRANSFORM_TYPE_ENCR;
- TransformData->TransformId = IKEV2_TRANSFORM_ID_ENCR_3DES;
-
- //
- // Set transform attribute for Integrity Algorithm - SHA1_96
- //
- TransformData = (IKEV2_TRANSFORM_DATA *) (TransformData + 1);
- TransformData->TransformIndex = 1;
- TransformData->TransformType = IKEV2_TRANSFORM_TYPE_INTEG;
- TransformData->TransformId = IKEV2_TRANSFORM_ID_AUTH_HMAC_SHA1_96;
-
- if (SessionCommon->IkeSessionType == IkeSessionTypeIkeSa) {
- //
- // Set transform attribute for Pseduo-Random Function - HAMC_SHA1
- //
- TransformData = (IKEV2_TRANSFORM_DATA *) (TransformData + 1);
- TransformData->TransformIndex = 2;
- TransformData->TransformType = IKEV2_TRANSFORM_TYPE_PRF;
- TransformData->TransformId = IKEV2_TRANSFORM_ID_PRF_HMAC_SHA1;
- }
-
- if (SessionCommon->IkeSessionType == IkeSessionTypeIkeSa) {
- //
- // Set transform attribute for DH Group - DH 1024
- //
- TransformData = (IKEV2_TRANSFORM_DATA *) (TransformData + 1);
- TransformData->TransformIndex = 3;
- TransformData->TransformType = IKEV2_TRANSFORM_TYPE_DH;
- TransformData->TransformId = IKEV2_TRANSFORM_ID_DH_1024MODP;
- } else {
- //
- // Transform type for Extended Sequence Numbers. Currently not support Extended
- // Sequence Number.
- //
- TransformData = (IKEV2_TRANSFORM_DATA *) (TransformData + 1);
- TransformData->TransformIndex = 2;
- TransformData->TransformType = IKEV2_TRANSFORM_TYPE_ESN;
- TransformData->TransformId = 0;
- }
-
- //
- // Second proposal payload: 3DES + SHA1 + DH
- //
- ProposalData = (IKEV2_PROPOSAL_DATA *) (TransformData + 1);
- ProposalData->ProposalIndex = 2;
-
- if (SessionCommon->IkeSessionType == IkeSessionTypeIkeSa) {
- ProposalData->ProtocolId = IPSEC_PROTO_ISAKMP;
- ProposalData->NumTransforms = 4;
- } else {
-
- ChildSaSession = IKEV2_CHILD_SA_SESSION_FROM_COMMON (SessionCommon);
- ProposalData->ProtocolId = IPSEC_PROTO_IPSEC_ESP;
- ProposalData->NumTransforms = 3;
- ProposalData->Spi = AllocateZeroPool (sizeof (ChildSaSession->LocalPeerSpi));
- if (ProposalData->Spi == NULL) {
- FreePool (((IKEV2_PROPOSAL_DATA *) (SaData + 1))->Spi);
- FreePool (SaData);
- return NULL;
- }
-
- CopyMem (
- ProposalData->Spi,
- &ChildSaSession->LocalPeerSpi,
- sizeof(ChildSaSession->LocalPeerSpi)
- );
- }
-
- //
- // Set transform attribute for Encryption Algorithm - AES-CBC
- //
- TransformData = (IKEV2_TRANSFORM_DATA *) (ProposalData + 1);
- TransformData->TransformIndex = 0;
- TransformData->TransformType = IKEV2_TRANSFORM_TYPE_ENCR;
- TransformData->TransformId = IKEV2_TRANSFORM_ID_ENCR_AES_CBC;
- Attribute = &TransformData->Attribute;
- Attribute->AttrType = IKEV2_ATTRIBUTE_TYPE_KEYLEN;
- Attribute->Attr.AttrLength = (UINT16) (8 * IpSecGetEncryptKeyLength (IKEV2_TRANSFORM_ID_ENCR_AES_CBC));
-
- //
- // Set transform attribute for Integrity Algorithm - SHA1_96
- //
- TransformData = (IKEV2_TRANSFORM_DATA *) (TransformData + 1);
- TransformData->TransformIndex = 1;
- TransformData->TransformType = IKEV2_TRANSFORM_TYPE_INTEG;
- TransformData->TransformId = IKEV2_TRANSFORM_ID_AUTH_HMAC_SHA1_96;
-
- if (SessionCommon->IkeSessionType == IkeSessionTypeIkeSa) {
- //
- // Set transform attribute for Pseduo-Random Function - HAMC_SHA1
- //
- TransformData = (IKEV2_TRANSFORM_DATA *) (TransformData + 1);
- TransformData->TransformIndex = 2;
- TransformData->TransformType = IKEV2_TRANSFORM_TYPE_PRF;
- TransformData->TransformId = IKEV2_TRANSFORM_ID_PRF_HMAC_SHA1;
- }
-
- if (SessionCommon->IkeSessionType == IkeSessionTypeIkeSa) {
- //
- // Set transform attrbiute for DH Group - DH-1024
- //
- TransformData = (IKEV2_TRANSFORM_DATA *) (TransformData + 1);
- TransformData->TransformIndex = 3;
- TransformData->TransformType = IKEV2_TRANSFORM_TYPE_DH;
- TransformData->TransformId = IKEV2_TRANSFORM_ID_DH_1024MODP;
- } else {
- //
- // Transform type for Extended Sequence Numbers. Currently not support Extended
- // Sequence Number.
- //
- TransformData = (IKEV2_TRANSFORM_DATA *) (TransformData + 1);
- TransformData->TransformIndex = 2;
- TransformData->TransformType = IKEV2_TRANSFORM_TYPE_ESN;
- TransformData->TransformId = 0;
- }
-
- return SaData;
-}
-
-/**
- Store the SA into SAD.
-
- @param[in] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION.
-
-**/
-VOID
-Ikev2StoreSaData (
- IN IKEV2_CHILD_SA_SESSION *ChildSaSession
- )
-{
- EFI_STATUS Status;
- EFI_IPSEC_SA_ID SaId;
- EFI_IPSEC_SA_DATA2 SaData;
- IKEV2_SESSION_COMMON *SessionCommon;
- IPSEC_PRIVATE_DATA *Private;
- UINT32 TempAddressCount;
- EFI_IP_ADDRESS_INFO *TempAddressInfo;
-
- SessionCommon = &ChildSaSession->SessionCommon;
- Private = SessionCommon->Private;
-
- ZeroMem (&SaId, sizeof (EFI_IPSEC_SA_ID));
- ZeroMem (&SaData, sizeof (EFI_IPSEC_SA_DATA2));
-
- //
- // Create a SpdSelector. In this implementation, one SPD represents
- // 2 direction traffic, so in here, there needs to reverse the local address
- // and remote address for Remote Peer's SA, then reverse again for the locate
- // SA.
- //
- TempAddressCount = ChildSaSession->SpdSelector->LocalAddressCount;
- TempAddressInfo = ChildSaSession->SpdSelector->LocalAddress;
-
- ChildSaSession->SpdSelector->LocalAddressCount = ChildSaSession->SpdSelector->RemoteAddressCount;
- ChildSaSession->SpdSelector->LocalAddress = ChildSaSession->SpdSelector->RemoteAddress;
-
- ChildSaSession->SpdSelector->RemoteAddress = TempAddressInfo;
- ChildSaSession->SpdSelector->RemoteAddressCount= TempAddressCount;
-
- //
- // Set the SaId and SaData.
- //
- SaId.Spi = ChildSaSession->LocalPeerSpi;
- SaId.Proto = EfiIPsecESP;
- SaData.AntiReplayWindows = 16;
- SaData.SNCount = 0;
- SaData.Mode = ChildSaSession->Spd->Data->ProcessingPolicy->Mode;
-
- //
- // If it is tunnel mode, should add the TunnelDest and TunnelSource for SaData.
- //
- if (SaData.Mode == EfiIPsecTunnel) {
- CopyMem (
- &SaData.TunnelSourceAddress,
- &ChildSaSession->Spd->Data->ProcessingPolicy->TunnelOption->RemoteTunnelAddress,
- sizeof (EFI_IP_ADDRESS)
- );
- CopyMem (
- &SaData.TunnelDestinationAddress,
- &ChildSaSession->Spd->Data->ProcessingPolicy->TunnelOption->LocalTunnelAddress,
- sizeof (EFI_IP_ADDRESS)
- );
- }
-
- CopyMem (&SaId.DestAddress, &ChildSaSession->SessionCommon.LocalPeerIp, sizeof (EFI_IP_ADDRESS));
- CopyMem (&SaData.AlgoInfo, &ChildSaSession->ChildKeymats.LocalPeerInfo, sizeof (EFI_IPSEC_ALGO_INFO));
- SaData.SpdSelector = ChildSaSession->SpdSelector;
-
- //
- // Store the remote SA into SAD.
- //
- Status = EfiIpSecConfigSetData (
- &Private->IpSecConfig,
- IPsecConfigDataTypeSad,
- (EFI_IPSEC_CONFIG_SELECTOR *) &SaId,
- &SaData,
- NULL
- );
- ASSERT_EFI_ERROR (Status);
-
- //
- // Store the local SA into SAD.
- //
- ChildSaSession->SpdSelector->RemoteAddressCount = ChildSaSession->SpdSelector->LocalAddressCount;
- ChildSaSession->SpdSelector->RemoteAddress = ChildSaSession->SpdSelector->LocalAddress;
-
- ChildSaSession->SpdSelector->LocalAddress = TempAddressInfo;
- ChildSaSession->SpdSelector->LocalAddressCount = TempAddressCount;
-
- SaId.Spi = ChildSaSession->RemotePeerSpi;
-
- CopyMem (&SaId.DestAddress, &ChildSaSession->SessionCommon.RemotePeerIp, sizeof (EFI_IP_ADDRESS));
- CopyMem (&SaData.AlgoInfo, &ChildSaSession->ChildKeymats.RemotePeerInfo, sizeof (EFI_IPSEC_ALGO_INFO));
- SaData.SpdSelector = ChildSaSession->SpdSelector;
-
- //
- // If it is tunnel mode, should add the TunnelDest and TunnelSource for SaData.
- //
- if (SaData.Mode == EfiIPsecTunnel) {
- CopyMem (
- &SaData.TunnelSourceAddress,
- &ChildSaSession->Spd->Data->ProcessingPolicy->TunnelOption->LocalTunnelAddress,
- sizeof (EFI_IP_ADDRESS)
- );
- CopyMem (
- &SaData.TunnelDestinationAddress,
- &ChildSaSession->Spd->Data->ProcessingPolicy->TunnelOption->RemoteTunnelAddress,
- sizeof (EFI_IP_ADDRESS)
- );
- }
-
- Status = EfiIpSecConfigSetData (
- &Private->IpSecConfig,
- IPsecConfigDataTypeSad,
- (EFI_IPSEC_CONFIG_SELECTOR *) &SaId,
- &SaData,
- NULL
- );
-
- ASSERT_EFI_ERROR (Status);
-}
-
-/**
- Call back function of the IKE life time is over.
-
- This function will mark the related IKE SA Session as deleting and trigger a
- Information negotiation.
-
- @param[in] Event The signaled Event.
- @param[in] Context Pointer to data passed by caller.
-
-**/
-VOID
-EFIAPI
-Ikev2LifetimeNotify (
- IN EFI_EVENT Event,
- IN VOID *Context
- )
-{
- IKEV2_SA_SESSION *IkeSaSession;
- IKEV2_CHILD_SA_SESSION *ChildSaSession;
- IKEV2_SESSION_COMMON *SessionCommon;
-
- ASSERT (Context != NULL);
- SessionCommon = (IKEV2_SESSION_COMMON *) Context;
-
- if (SessionCommon->IkeSessionType == IkeSessionTypeIkeSa) {
- IkeSaSession = IKEV2_SA_SESSION_FROM_COMMON (SessionCommon);
- DEBUG ((
- DEBUG_INFO,
- "\n---IkeSa Lifetime is out(cookie_i, cookie_r):(0x%lx, 0x%lx)---\n",
- IkeSaSession->InitiatorCookie,
- IkeSaSession->ResponderCookie
- ));
-
- //
- // Change the IKE SA Session's State to IKE_STATE_SA_DELETING.
- //
- IKEV2_DUMP_STATE (IkeSaSession->SessionCommon.State, IkeStateSaDeleting);
- IkeSaSession->SessionCommon.State = IkeStateSaDeleting;
-
- } else {
- ChildSaSession = IKEV2_CHILD_SA_SESSION_FROM_COMMON (SessionCommon);
- IkeSaSession = ChildSaSession->IkeSaSession;
-
- //
- // Link the timeout child SA to the DeleteSaList.
- //
- InsertTailList (&IkeSaSession->DeleteSaList, &ChildSaSession->ByDelete);
-
- //
- // Change the Child SA Session's State to IKE_STATE_SA_DELETING.
- //
- DEBUG ((
- DEBUG_INFO,
- "\n------ChildSa Lifetime is out(SPI):(0x%x)------\n",
- ChildSaSession->LocalPeerSpi
- ));
- }
-
- //
- // TODO: Send the delete info packet or delete silently
- //
- mIkev2Exchange.NegotiateInfo ((UINT8 *) IkeSaSession, NULL);
-}
-
-/**
- This function will be called if the TimeOut Event is signaled.
-
- @param[in] Event The signaled Event.
- @param[in] Context The data passed by caller.
-
-**/
-VOID
-EFIAPI
-Ikev2ResendNotify (
- IN EFI_EVENT Event,
- IN VOID *Context
- )
-{
- IPSEC_PRIVATE_DATA *Private;
- IKEV2_SA_SESSION *IkeSaSession;
- IKEV2_CHILD_SA_SESSION *ChildSaSession;
- IKEV2_SESSION_COMMON *SessionCommon;
- LIST_ENTRY *ChildSaEntry;
- UINT8 Value;
- EFI_STATUS Status;
-
- ASSERT (Context != NULL);
- IkeSaSession = NULL;
- ChildSaSession = NULL;
- SessionCommon = (IKEV2_SESSION_COMMON *) Context;
- Private = SessionCommon->Private;
-
- //
- // Remove the SA session from the processing list if exceed the max retry.
- //
- if (SessionCommon->RetryCount > IKE_MAX_RETRY) {
- if (SessionCommon->IkeSessionType == IkeSessionTypeIkeSa) {
- IkeSaSession = IKEV2_SA_SESSION_FROM_COMMON (SessionCommon);
- if (IkeSaSession->SessionCommon.State == IkeStateSaDeleting) {
-
- //
- // If the IkeSaSession is initiator, delete all its Child SAs before removing IKE SA.
- // If the IkesaSession is responder, all ChildSa has been remove in Ikev2HandleInfo();
- //
- for (ChildSaEntry = IkeSaSession->ChildSaEstablishSessionList.ForwardLink;
- ChildSaEntry != &IkeSaSession->ChildSaEstablishSessionList;
- ) {
- ChildSaSession = IKEV2_CHILD_SA_SESSION_BY_IKE_SA (ChildSaEntry);
- //
- // Move to next ChildSa Entry.
- //
- ChildSaEntry = ChildSaEntry->ForwardLink;
- //
- // Delete LocalSpi & RemoteSpi and remove the ChildSaSession from the
- // EstablishedChildSaList.
- //
- Ikev2ChildSaSilentDelete (IkeSaSession, ChildSaSession->LocalPeerSpi);
- }
-
- //
- // If the IKE SA Delete Payload wasn't sent out successfully, Delete it from the EstablishedList.
- //
- Ikev2SaSessionRemove (&Private->Ikev2EstablishedList, &SessionCommon->RemotePeerIp);
-
- if (Private != NULL && Private->IsIPsecDisabling) {
- //
- // After all IKE SAs were deleted, set the IPSEC_STATUS_DISABLED value in
- // IPsec status variable.
- //
- if (IsListEmpty (&Private->Ikev1EstablishedList) && IsListEmpty (&Private->Ikev2EstablishedList)) {
- Value = IPSEC_STATUS_DISABLED;
- Status = gRT->SetVariable (
- IPSECCONFIG_STATUS_NAME,
- &gEfiIpSecConfigProtocolGuid,
- EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_NON_VOLATILE,
- sizeof (Value),
- &Value
- );
- if (!EFI_ERROR (Status)) {
- //
- // Set the Disabled Flag in Private data.
- //
- Private->IpSec.DisabledFlag = TRUE;
- Private->IsIPsecDisabling = FALSE;
- }
- }
- }
- } else {
- Ikev2SaSessionRemove (&Private->Ikev2SessionList, &SessionCommon->RemotePeerIp);
- }
- Ikev2SaSessionFree (IkeSaSession);
-
- } else {
-
- //
- // If the packet sent by Child SA.
- //
- ChildSaSession = IKEV2_CHILD_SA_SESSION_FROM_COMMON (SessionCommon);
- IkeSaSession = ChildSaSession->IkeSaSession;
- if (ChildSaSession->SessionCommon.State == IkeStateSaDeleting) {
-
- //
- // Established Child SA should be remove from the SAD entry and
- // DeleteList. The function of Ikev2DeleteChildSaSilent() will remove
- // the childSA from the IkeSaSession->ChildSaEstablishedList. So there
- // is no need to remove it here.
- //
- Ikev2ChildSaSilentDelete (IkeSaSession, ChildSaSession->LocalPeerSpi);
- Ikev2ChildSaSessionRemove (
- &IkeSaSession->DeleteSaList,
- ChildSaSession->LocalPeerSpi,
- IKEV2_DELET_CHILDSA_LIST
- );
- } else {
- Ikev2ChildSaSessionRemove (
- &IkeSaSession->ChildSaSessionList,
- ChildSaSession->LocalPeerSpi,
- IKEV2_ESTABLISHING_CHILDSA_LIST
- );
- }
-
- Ikev2ChildSaSessionFree (ChildSaSession);
- }
- return ;
- }
-
- //
- // Increase the retry count.
- //
- SessionCommon->RetryCount++;
- DEBUG ((DEBUG_INFO, ">>>Resending the last packet ...\n"));
-
- //
- // Resend the last packet.
- //
- Ikev2SendIkePacket (
- SessionCommon->UdpService,
- (UINT8*)SessionCommon,
- SessionCommon->LastSentPacket,
- 0
- );
-}
-
-/**
- Copy ChildSaSession->Spd->Selector to ChildSaSession->SpdSelector.
-
- ChildSaSession->SpdSelector stores the real Spdselector for its SA. Sometime,
- the SpdSelector in ChildSaSession is more accurated or the scope is smaller
- than the one in ChildSaSession->Spd, especially for the tunnel mode.
-
- @param[in, out] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION related to.
-
- @retval EFI_SUCCESS The operation complete successfully.
- @retval EFI_OUT_OF_RESOURCES If the required resource can't be allocated.
-
-**/
-EFI_STATUS
-Ikev2ChildSaSessionSpdSelectorCreate (
- IN OUT IKEV2_CHILD_SA_SESSION *ChildSaSession
- )
-{
- EFI_STATUS Status;
-
- Status = EFI_SUCCESS;
-
- if (ChildSaSession->Spd != NULL && ChildSaSession->Spd->Selector != NULL) {
- if (ChildSaSession->SpdSelector == NULL) {
- ChildSaSession->SpdSelector = AllocateZeroPool (sizeof (EFI_IPSEC_SPD_SELECTOR));
- if (ChildSaSession->SpdSelector == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- return Status;
- }
- }
- CopyMem (
- ChildSaSession->SpdSelector,
- ChildSaSession->Spd->Selector,
- sizeof (EFI_IPSEC_SPD_SELECTOR)
- );
- ChildSaSession->SpdSelector->RemoteAddress = AllocateCopyPool (
- ChildSaSession->Spd->Selector->RemoteAddressCount *
- sizeof (EFI_IP_ADDRESS_INFO),
- ChildSaSession->Spd->Selector->RemoteAddress
- );
- if (ChildSaSession->SpdSelector->RemoteAddress == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
-
- FreePool (ChildSaSession->SpdSelector);
-
- return Status;
- }
-
- ChildSaSession->SpdSelector->LocalAddress = AllocateCopyPool (
- ChildSaSession->Spd->Selector->LocalAddressCount *
- sizeof (EFI_IP_ADDRESS_INFO),
- ChildSaSession->Spd->Selector->LocalAddress
- );
- if (ChildSaSession->SpdSelector->LocalAddress == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
-
- FreePool (ChildSaSession->SpdSelector->RemoteAddress);
-
- FreePool (ChildSaSession->SpdSelector);
-
- return Status;
- }
-
- ChildSaSession->SpdSelector->RemoteAddressCount = ChildSaSession->Spd->Selector->RemoteAddressCount;
- ChildSaSession->SpdSelector->LocalAddressCount = ChildSaSession->Spd->Selector->LocalAddressCount;
- }
-
- return Status;
-}
-
-/**
- Generate a ChildSa Session and insert it into related IkeSaSession.
-
- @param[in] IkeSaSession Pointer to related IKEV2_SA_SESSION.
- @param[in] UdpService Pointer to related IKE_UDP_SERVICE.
-
- @return pointer of IKEV2_CHILD_SA_SESSION.
-
-**/
-IKEV2_CHILD_SA_SESSION *
-Ikev2ChildSaSessionCreate (
- IN IKEV2_SA_SESSION *IkeSaSession,
- IN IKE_UDP_SERVICE *UdpService
- )
-{
- IKEV2_CHILD_SA_SESSION *ChildSaSession;
- IKEV2_SESSION_COMMON *ChildSaCommon;
-
- //
- // Create a new ChildSaSession.Insert it into processing list and initiate the common parameters.
- //
- ChildSaSession = Ikev2ChildSaSessionAlloc (UdpService, IkeSaSession);
- if (ChildSaSession == NULL) {
- return NULL;
- }
-
- //
- // Set the specific parameters.
- //
- ChildSaSession->Spd = IkeSaSession->Spd;
- ChildSaCommon = &ChildSaSession->SessionCommon;
- ChildSaCommon->IsInitiator = IkeSaSession->SessionCommon.IsInitiator;
- if (IkeSaSession->SessionCommon.State == IkeStateAuth) {
- ChildSaCommon->State = IkeStateAuth;
- IKEV2_DUMP_STATE (ChildSaCommon->State, IkeStateAuth);
- } else {
- ChildSaCommon->State = IkeStateCreateChild;
- IKEV2_DUMP_STATE (ChildSaCommon->State, IkeStateCreateChild);
- }
-
- //
- // If SPD->Selector is not NULL, copy it to the ChildSaSession->SpdSelector.
- // The ChildSaSession->SpdSelector might be changed after the traffic selector
- // negoniation and it will be copied into the SAData after ChildSA established.
- //
- if (EFI_ERROR (Ikev2ChildSaSessionSpdSelectorCreate (ChildSaSession))) {
- Ikev2ChildSaSessionFree (ChildSaSession);
- return NULL;
- }
-
- //
- // Copy first NiBlock and NrBlock to ChildSa Session
- //
- ChildSaSession->NiBlock = AllocateZeroPool (IkeSaSession->NiBlkSize);
- if (ChildSaSession->NiBlock == NULL) {
- Ikev2ChildSaSessionFree (ChildSaSession);
- return NULL;
- }
-
- ChildSaSession->NiBlkSize = IkeSaSession->NiBlkSize;
- CopyMem (ChildSaSession->NiBlock, IkeSaSession->NiBlock, IkeSaSession->NiBlkSize);
-
- ChildSaSession->NrBlock = AllocateZeroPool (IkeSaSession->NrBlkSize);
- if (ChildSaSession->NrBlock == NULL) {
- Ikev2ChildSaSessionFree (ChildSaSession);
- return NULL;
- }
-
- ChildSaSession->NrBlkSize = IkeSaSession->NrBlkSize;
- CopyMem (ChildSaSession->NrBlock, IkeSaSession->NrBlock, IkeSaSession->NrBlkSize);
-
- //
- // Only if the Create Child SA is called for the IKE_INIT Exchange and
- // IkeSaSession is initiator (Only Initiator's SPD is not NULL), Set the
- // Traffic Selectors related information here.
- //
- if (IkeSaSession->SessionCommon.State == IkeStateAuth && IkeSaSession->Spd != NULL) {
- ChildSaSession->ProtoId = IkeSaSession->Spd->Selector->NextLayerProtocol;
- ChildSaSession->LocalPort = IkeSaSession->Spd->Selector->LocalPort;
- ChildSaSession->RemotePort = IkeSaSession->Spd->Selector->RemotePort;
- }
-
- //
- // Insert the new ChildSaSession into processing child SA list.
- //
- Ikev2ChildSaSessionInsert (&IkeSaSession->ChildSaSessionList, ChildSaSession);
- return ChildSaSession;
-}
-
-/**
- Check if the SPD is related to the input Child SA Session.
-
- This function is the subfunction of Ikev1AssociateSpdEntry(). It is the call
- back function of IpSecVisitConfigData().
-
-
- @param[in] Type Type of the input Config Selector.
- @param[in] Selector Pointer to the Configure Selector to be checked.
- @param[in] Data Pointer to the Configure Selector's Data passed
- from the caller.
- @param[in] SelectorSize The buffer size of Selector.
- @param[in] DataSize The buffer size of the Data.
- @param[in] Context The data passed from the caller. It is a Child
- SA Session in this context.
-
- @retval EFI_SUCCESS The SPD Selector is not related to the Child SA Session.
- @retval EFI_ABORTED The SPD Selector is related to the Child SA session and
- set the ChildSaSession->Spd to point to this SPD Selector.
-
-**/
-EFI_STATUS
-Ikev2MatchSpdEntry (
- IN EFI_IPSEC_CONFIG_DATA_TYPE Type,
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector,
- IN VOID *Data,
- IN UINTN SelectorSize,
- IN UINTN DataSize,
- IN VOID *Context
- )
-{
- IKEV2_CHILD_SA_SESSION *ChildSaSession;
- EFI_IPSEC_SPD_SELECTOR *SpdSelector;
- EFI_IPSEC_SPD_DATA *SpdData;
- BOOLEAN IsMatch;
- UINT8 IpVersion;
-
- ASSERT (Type == IPsecConfigDataTypeSpd);
- SpdData = (EFI_IPSEC_SPD_DATA *) Data;
- //
- // Bypass all non-protect SPD entry first
- //
- if (SpdData->Action != EfiIPsecActionProtect) {
- return EFI_SUCCESS;
- }
-
- ChildSaSession = (IKEV2_CHILD_SA_SESSION *) Context;
- IpVersion = ChildSaSession->SessionCommon.UdpService->IpVersion;
- SpdSelector = (EFI_IPSEC_SPD_SELECTOR *) Selector;
- IsMatch = TRUE;
-
- if (SpdSelector->NextLayerProtocol == EFI_IP_PROTO_UDP &&
- SpdSelector->LocalPort == IKE_DEFAULT_PORT &&
- SpdSelector->LocalPortRange == 0 &&
- SpdSelector->RemotePort == IKE_DEFAULT_PORT &&
- SpdSelector->RemotePortRange == 0
- ) {
- //
- // TODO: Skip IKE Policy here or set a SPD entry?
- //
- return EFI_SUCCESS;
- }
-
- if (SpdSelector->NextLayerProtocol != EFI_IPSEC_ANY_PROTOCOL &&
- SpdSelector->NextLayerProtocol != ChildSaSession->ProtoId
- ) {
- IsMatch = FALSE;
- }
-
- if (SpdSelector->LocalPort != EFI_IPSEC_ANY_PORT && SpdSelector->LocalPort != ChildSaSession->LocalPort) {
- IsMatch = FALSE;
- }
-
- if (SpdSelector->RemotePort != EFI_IPSEC_ANY_PORT && SpdSelector->RemotePort != ChildSaSession->RemotePort) {
- IsMatch = FALSE;
- }
-
- IsMatch = (BOOLEAN) (IsMatch &&
- IpSecMatchIpAddress (
- IpVersion,
- &ChildSaSession->SessionCommon.LocalPeerIp,
- SpdSelector->LocalAddress,
- SpdSelector->LocalAddressCount
- ));
-
- IsMatch = (BOOLEAN) (IsMatch &&
- IpSecMatchIpAddress (
- IpVersion,
- &ChildSaSession->SessionCommon.RemotePeerIp,
- SpdSelector->RemoteAddress,
- SpdSelector->RemoteAddressCount
- ));
-
- if (IsMatch) {
- ChildSaSession->Spd = IkeSearchSpdEntry (SpdSelector);
- return EFI_ABORTED;
- } else {
- return EFI_SUCCESS;
- }
-}
-
-/**
- Check if the Algorithm ID is supported.
-
- @param[in] AlgorithmId The specified Algorithm ID.
- @param[in] Type The type used to indicate the Algorithm is for Encrypt or
- Authentication.
-
- @retval TRUE If the Algorithm ID is supported.
- @retval FALSE If the Algorithm ID is not supported.
-
-**/
-BOOLEAN
-Ikev2IsSupportAlg (
- IN UINT16 AlgorithmId,
- IN UINT8 Type
- )
-{
- UINT8 Index;
- switch (Type) {
- case IKE_ENCRYPT_TYPE :
- for (Index = 0; Index < IKEV2_SUPPORT_ENCRYPT_ALGORITHM_NUM; Index++) {
- if (mIkev2EncryptAlgorithmList[Index] == AlgorithmId) {
- return TRUE;
- }
- }
- break;
-
- case IKE_AUTH_TYPE :
- for (Index = 0; Index < IKEV2_SUPPORT_AUTH_ALGORITHM_NUM; Index++) {
- if (mIkev2AuthAlgorithmList[Index] == AlgorithmId) {
- return TRUE;
- }
- }
- break;
-
- case IKE_DH_TYPE :
- for (Index = 0; Index < IKEV2_SUPPORT_DH_ALGORITHM_NUM; Index++) {
- if (mIkev2DhGroupAlgorithmList[Index] == AlgorithmId) {
- return TRUE;
- }
- }
- break;
-
- case IKE_PRF_TYPE :
- for (Index = 0; Index < IKEV2_SUPPORT_PRF_ALGORITHM_NUM; Index++) {
- if (mIkev2PrfAlgorithmList[Index] == AlgorithmId) {
- return TRUE;
- }
- }
- }
- return FALSE;
-}
-
-/**
- Get the preferred algorithm types from ProposalData.
-
- @param[in] ProposalData Pointer to related IKEV2_PROPOSAL_DATA.
- @param[in, out] PreferEncryptAlgorithm Pointer to buffer which is used to store the
- preferred encrypt algorithm.
- Input value shall be initialized to zero that
- indicates to be parsed from ProposalData.
- Output of preferred encrypt algorithm.
- @param[in, out] PreferIntegrityAlgorithm Pointer to buffer which is used to store the
- preferred integrity algorithm.
- Input value shall be initialized to zero that
- indicates to be parsed from ProposalData.
- Output of preferred integrity algorithm.
- @param[in, out] PreferPrfAlgorithm Pointer to buffer which is used to store the
- preferred PRF algorithm.
- Input value shall be initialized to zero that
- indicates to be parsed from ProposalData.
- Output of preferred PRF algorithm. Only
- for IKE SA.
- @param[in, out] PreferDhGroup Pointer to buffer which is used to store the
- preferred DH group.
- Input value shall be initialized to zero that
- indicates to be parsed from ProposalData.
- Output of preferred DH group. Only for
- IKE SA.
- @param[out] PreferEncryptKeylength Pointer to buffer which is used to store the
- preferred encrypt key length in bytes.
- @param[out] IsSupportEsn Pointer to buffer which is used to store the
- value about the Extented Sequence Number is
- support or not. Only for Child SA.
- @param[in] IsChildSa If it is ture, the ProposalData is for IKE
- SA. Otherwise the proposalData is for Child SA.
-
-**/
-VOID
-Ikev2ParseProposalData (
- IN IKEV2_PROPOSAL_DATA *ProposalData,
- IN OUT UINT16 *PreferEncryptAlgorithm,
- IN OUT UINT16 *PreferIntegrityAlgorithm,
- IN OUT UINT16 *PreferPrfAlgorithm,
- IN OUT UINT16 *PreferDhGroup,
- OUT UINTN *PreferEncryptKeylength,
- OUT BOOLEAN *IsSupportEsn,
- IN BOOLEAN IsChildSa
-)
-{
- IKEV2_TRANSFORM_DATA *TransformData;
- UINT8 TransformIndex;
-
- //
- // Check input parameters.
- //
- if (ProposalData == NULL ||
- PreferEncryptAlgorithm == NULL ||
- PreferIntegrityAlgorithm == NULL ||
- PreferEncryptKeylength == NULL
- ) {
- return;
- }
-
- if (IsChildSa) {
- if (IsSupportEsn == NULL) {
- return;
- }
- } else {
- if (PreferPrfAlgorithm == NULL || PreferDhGroup == NULL) {
- return;
- }
- }
-
- TransformData = (IKEV2_TRANSFORM_DATA *)(ProposalData + 1);
- for (TransformIndex = 0; TransformIndex < ProposalData->NumTransforms; TransformIndex++) {
- switch (TransformData->TransformType) {
- //
- // For IKE SA there are four algorithm types. Encryption Algorithm, Pseudo-random Function,
- // Integrity Algorithm, Diffie-Hellman Group. For Child SA, there are three algorithm types.
- // Encryption Algorithm, Integrity Algorithm, Extended Sequence Number.
- //
- case IKEV2_TRANSFORM_TYPE_ENCR:
- if (*PreferEncryptAlgorithm == 0 && Ikev2IsSupportAlg (TransformData->TransformId, IKE_ENCRYPT_TYPE)) {
- //
- // Check the attribute value. According to RFC, only Keylength is support.
- //
- if (TransformData->Attribute.AttrType == IKEV2_ATTRIBUTE_TYPE_KEYLEN) {
- //
- // If the Keylength is not support, continue to check the next one.
- //
- if (IpSecGetEncryptKeyLength ((UINT8)TransformData->TransformId) != (UINTN)(TransformData->Attribute.Attr.AttrValue >> 3)){
- break;
- } else {
- *PreferEncryptKeylength = TransformData->Attribute.Attr.AttrValue;
- }
- }
- *PreferEncryptAlgorithm = TransformData->TransformId;
- }
- break;
-
- case IKEV2_TRANSFORM_TYPE_PRF :
- if (!IsChildSa) {
- if (*PreferPrfAlgorithm == 0 && Ikev2IsSupportAlg (TransformData->TransformId, IKE_PRF_TYPE)) {
- *PreferPrfAlgorithm = TransformData->TransformId;
- }
- }
- break;
-
- case IKEV2_TRANSFORM_TYPE_INTEG :
- if (*PreferIntegrityAlgorithm == 0 && Ikev2IsSupportAlg (TransformData->TransformId, IKE_AUTH_TYPE)) {
- *PreferIntegrityAlgorithm = TransformData->TransformId;
- }
- break;
-
- case IKEV2_TRANSFORM_TYPE_DH :
- if (!IsChildSa) {
- if (*PreferDhGroup == 0 && Ikev2IsSupportAlg (TransformData->TransformId, IKE_DH_TYPE)) {
- *PreferDhGroup = TransformData->TransformId;
- }
- }
- break;
-
- case IKEV2_TRANSFORM_TYPE_ESN :
- if (IsChildSa) {
- if (TransformData->TransformId != 0) {
- *IsSupportEsn = TRUE;
- }
- }
- break;
-
- default:
- break;
- }
- TransformData = (IKEV2_TRANSFORM_DATA *)(TransformData + 1);
- }
-}
-
-/**
- Parse the received Initial Exchange Packet.
-
- This function parse the SA Payload and Key Payload to find out the cryptographic
- suite for the further IKE negotiation and fill it into the IKE SA Session's
- CommonSession->SaParams.
-
- @param[in, out] IkeSaSession Pointer to related IKEV2_SA_SESSION.
- @param[in] SaPayload The received packet.
- @param[in] Type The received packet IKE header flag.
-
- @retval TRUE If the SA proposal in Packet is acceptable.
- @retval FALSE If the SA proposal in Packet is not acceptable.
-
-**/
-BOOLEAN
-Ikev2SaParseSaPayload (
- IN OUT IKEV2_SA_SESSION *IkeSaSession,
- IN IKE_PAYLOAD *SaPayload,
- IN UINT8 Type
- )
-{
- IKEV2_PROPOSAL_DATA *ProposalData;
- UINT8 ProposalIndex;
- UINT16 PreferEncryptAlgorithm;
- UINT16 PreferIntegrityAlgorithm;
- UINT16 PreferPrfAlgorithm;
- UINT16 PreferDhGroup;
- UINTN PreferEncryptKeylength;
- UINT16 EncryptAlgorithm;
- UINT16 IntegrityAlgorithm;
- UINT16 PrfAlgorithm;
- UINT16 DhGroup;
- UINTN EncryptKeylength;
- BOOLEAN IsMatch;
- UINTN SaDataSize;
-
- PreferPrfAlgorithm = 0;
- PreferIntegrityAlgorithm = 0;
- PreferDhGroup = 0;
- PreferEncryptAlgorithm = 0;
- PreferEncryptKeylength = 0;
- PrfAlgorithm = 0;
- IntegrityAlgorithm = 0;
- DhGroup = 0;
- EncryptAlgorithm = 0;
- EncryptKeylength = 0;
- IsMatch = FALSE;
-
- if (Type == IKE_HEADER_FLAGS_INIT) {
- ProposalData = (IKEV2_PROPOSAL_DATA *)((IKEV2_SA_DATA *)SaPayload->PayloadBuf + 1);
- for (ProposalIndex = 0; ProposalIndex < ((IKEV2_SA_DATA *)SaPayload->PayloadBuf)->NumProposals; ProposalIndex++) {
- //
- // Iterate each proposal to find the perfered one.
- //
- if (ProposalData->ProtocolId == IPSEC_PROTO_ISAKMP && ProposalData->NumTransforms >= 4) {
- //
- // Get the preferred algorithms.
- //
- Ikev2ParseProposalData (
- ProposalData,
- &PreferEncryptAlgorithm,
- &PreferIntegrityAlgorithm,
- &PreferPrfAlgorithm,
- &PreferDhGroup,
- &PreferEncryptKeylength,
- NULL,
- FALSE
- );
-
- if (PreferEncryptAlgorithm != 0 &&
- PreferIntegrityAlgorithm != 0 &&
- PreferPrfAlgorithm != 0 &&
- PreferDhGroup != 0
- ) {
- //
- // Find the matched one.
- //
- IkeSaSession->SessionCommon.SaParams = AllocateZeroPool (sizeof (IKEV2_SA_PARAMS));
- if (IkeSaSession->SessionCommon.SaParams == NULL) {
- return FALSE;
- }
-
- IkeSaSession->SessionCommon.SaParams->EncAlgId = PreferEncryptAlgorithm;
- IkeSaSession->SessionCommon.SaParams->EnckeyLen = PreferEncryptKeylength;
- IkeSaSession->SessionCommon.SaParams->DhGroup = PreferDhGroup;
- IkeSaSession->SessionCommon.SaParams->Prf = PreferPrfAlgorithm;
- IkeSaSession->SessionCommon.SaParams->IntegAlgId = PreferIntegrityAlgorithm;
- IkeSaSession->SessionCommon.PreferDhGroup = PreferDhGroup;
-
- //
- // Save the matched one in IKEV2_SA_DATA for furthure calculation.
- //
- SaDataSize = sizeof (IKEV2_SA_DATA) +
- sizeof (IKEV2_PROPOSAL_DATA) +
- sizeof (IKEV2_TRANSFORM_DATA) * 4;
- IkeSaSession->SaData = AllocateZeroPool (SaDataSize);
- if (IkeSaSession->SaData == NULL) {
- FreePool (IkeSaSession->SessionCommon.SaParams);
- return FALSE;
- }
-
- IkeSaSession->SaData->NumProposals = 1;
-
- //
- // BUGBUG: Suppose the matched proposal only has 4 transforms. If
- // The matched Proposal has more than 4 transforms means it contains
- // one than one transform with same type.
- //
- CopyMem (
- (IKEV2_PROPOSAL_DATA *) (IkeSaSession->SaData + 1),
- ProposalData,
- SaDataSize - sizeof (IKEV2_SA_DATA)
- );
-
- ((IKEV2_PROPOSAL_DATA *) (IkeSaSession->SaData + 1))->ProposalIndex = 1;
-
- return TRUE;
- } else {
- PreferEncryptAlgorithm = 0;
- PreferIntegrityAlgorithm = 0;
- PreferPrfAlgorithm = 0;
- PreferDhGroup = 0;
- PreferEncryptKeylength = 0;
- }
- }
- //
- // Point to next Proposal.
- //
- ProposalData = (IKEV2_PROPOSAL_DATA*)((UINT8*)(ProposalData + 1) +
- ProposalData->NumTransforms * sizeof (IKEV2_TRANSFORM_DATA));
- }
- } else if (Type == IKE_HEADER_FLAGS_RESPOND) {
- //
- // First check the SA proposal's ProtoctolID and Transform Numbers. Since it is
- // the responded SA proposal, suppose it only has one proposal and the transform Numbers
- // is 4.
- //
- ProposalData = (IKEV2_PROPOSAL_DATA *)((IKEV2_SA_DATA *) SaPayload->PayloadBuf + 1);
- if (ProposalData->ProtocolId != IPSEC_PROTO_ISAKMP || ProposalData->NumTransforms != 4) {
- return FALSE;
- }
- //
- // Get the preferred algorithms.
- //
- Ikev2ParseProposalData (
- ProposalData,
- &PreferEncryptAlgorithm,
- &PreferIntegrityAlgorithm,
- &PreferPrfAlgorithm,
- &PreferDhGroup,
- &PreferEncryptKeylength,
- NULL,
- FALSE
- );
- //
- // Check if the Sa proposal data from received packet is in the IkeSaSession->SaData.
- //
- ProposalData = (IKEV2_PROPOSAL_DATA *) (IkeSaSession->SaData + 1);
-
- for (ProposalIndex = 0; ProposalIndex < IkeSaSession->SaData->NumProposals && (!IsMatch); ProposalIndex++) {
- Ikev2ParseProposalData (
- ProposalData,
- &EncryptAlgorithm,
- &IntegrityAlgorithm,
- &PrfAlgorithm,
- &DhGroup,
- &EncryptKeylength,
- NULL,
- FALSE
- );
- if (EncryptAlgorithm == PreferEncryptAlgorithm &&
- EncryptKeylength == PreferEncryptKeylength &&
- IntegrityAlgorithm == PreferIntegrityAlgorithm &&
- PrfAlgorithm == PreferPrfAlgorithm &&
- DhGroup == PreferDhGroup
- ) {
- IsMatch = TRUE;
- } else {
- EncryptAlgorithm = 0;
- IntegrityAlgorithm = 0;
- PrfAlgorithm = 0;
- DhGroup = 0;
- EncryptKeylength = 0;
- }
-
- ProposalData = (IKEV2_PROPOSAL_DATA*)((UINT8*)(ProposalData + 1) +
- ProposalData->NumTransforms * sizeof (IKEV2_TRANSFORM_DATA));
- }
-
- if (IsMatch) {
- IkeSaSession->SessionCommon.SaParams = AllocateZeroPool (sizeof (IKEV2_SA_PARAMS));
- if (IkeSaSession->SessionCommon.SaParams == NULL) {
- return FALSE;
- }
-
- IkeSaSession->SessionCommon.SaParams->EncAlgId = PreferEncryptAlgorithm;
- IkeSaSession->SessionCommon.SaParams->EnckeyLen = PreferEncryptKeylength;
- IkeSaSession->SessionCommon.SaParams->DhGroup = PreferDhGroup;
- IkeSaSession->SessionCommon.SaParams->Prf = PreferPrfAlgorithm;
- IkeSaSession->SessionCommon.SaParams->IntegAlgId = PreferIntegrityAlgorithm;
- IkeSaSession->SessionCommon.PreferDhGroup = PreferDhGroup;
-
- return TRUE;
- }
- }
-
- return FALSE;
-}
-
-/**
- Parse the received Authentication Exchange Packet.
-
- This function parse the SA Payload and Key Payload to find out the cryptographic
- suite for the ESP and fill it into the Child SA Session's CommonSession->SaParams.
-
- @param[in, out] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION related to
- this Authentication Exchange.
- @param[in] SaPayload The received packet.
- @param[in] Type The IKE header's flag of received packet .
-
- @retval TRUE If the SA proposal in Packet is acceptable.
- @retval FALSE If the SA proposal in Packet is not acceptable.
-
-**/
-BOOLEAN
-Ikev2ChildSaParseSaPayload (
- IN OUT IKEV2_CHILD_SA_SESSION *ChildSaSession,
- IN IKE_PAYLOAD *SaPayload,
- IN UINT8 Type
- )
-{
- IKEV2_PROPOSAL_DATA *ProposalData;
- UINT8 ProposalIndex;
- UINT16 PreferEncryptAlgorithm;
- UINT16 PreferIntegrityAlgorithm;
- UINTN PreferEncryptKeylength;
- BOOLEAN PreferIsSupportEsn;
- UINT16 EncryptAlgorithm;
- UINT16 IntegrityAlgorithm;
- UINTN EncryptKeylength;
- BOOLEAN IsSupportEsn;
- BOOLEAN IsMatch;
- UINTN SaDataSize;
-
-
- PreferIntegrityAlgorithm = 0;
- PreferEncryptAlgorithm = 0;
- PreferEncryptKeylength = 0;
- IntegrityAlgorithm = 0;
- EncryptAlgorithm = 0;
- EncryptKeylength = 0;
- IsMatch = FALSE;
- IsSupportEsn = FALSE;
- PreferIsSupportEsn = FALSE;
-
- if (Type == IKE_HEADER_FLAGS_INIT) {
- ProposalData = (IKEV2_PROPOSAL_DATA *)((IKEV2_SA_DATA *) SaPayload->PayloadBuf + 1);
- for (ProposalIndex = 0; ProposalIndex < ((IKEV2_SA_DATA *) SaPayload->PayloadBuf)->NumProposals; ProposalIndex++) {
- //
- // Iterate each proposal to find the preferred one.
- //
- if (ProposalData->ProtocolId == IPSEC_PROTO_IPSEC_ESP && ProposalData->NumTransforms >= 3) {
- //
- // Get the preferred algorithm.
- //
- Ikev2ParseProposalData (
- ProposalData,
- &PreferEncryptAlgorithm,
- &PreferIntegrityAlgorithm,
- NULL,
- NULL,
- &PreferEncryptKeylength,
- &IsSupportEsn,
- TRUE
- );
- //
- // Don't support the ESN now.
- //
- if (PreferEncryptAlgorithm != 0 &&
- PreferIntegrityAlgorithm != 0 &&
- !IsSupportEsn
- ) {
- //
- // Find the matched one.
- //
- ChildSaSession->SessionCommon.SaParams = AllocateZeroPool (sizeof (IKEV2_SA_PARAMS));
- if (ChildSaSession->SessionCommon.SaParams == NULL) {
- return FALSE;
- }
-
- ChildSaSession->SessionCommon.SaParams->EncAlgId = PreferEncryptAlgorithm;
- ChildSaSession->SessionCommon.SaParams->EnckeyLen = PreferEncryptKeylength;
- ChildSaSession->SessionCommon.SaParams->IntegAlgId = PreferIntegrityAlgorithm;
- CopyMem (&ChildSaSession->RemotePeerSpi, ProposalData->Spi, sizeof (ChildSaSession->RemotePeerSpi));
-
- //
- // Save the matched one in IKEV2_SA_DATA for furthure calculation.
- //
- SaDataSize = sizeof (IKEV2_SA_DATA) +
- sizeof (IKEV2_PROPOSAL_DATA) +
- sizeof (IKEV2_TRANSFORM_DATA) * 4;
-
- ChildSaSession->SaData = AllocateZeroPool (SaDataSize);
- if (ChildSaSession->SaData == NULL) {
- FreePool (ChildSaSession->SessionCommon.SaParams);
- return FALSE;
- }
-
- ChildSaSession->SaData->NumProposals = 1;
-
- //
- // BUGBUG: Suppose there are 4 transforms in the matched proposal. If
- // the matched Proposal has more than 4 transforms that means there
- // are more than one transform with same type.
- //
- CopyMem (
- (IKEV2_PROPOSAL_DATA *) (ChildSaSession->SaData + 1),
- ProposalData,
- SaDataSize - sizeof (IKEV2_SA_DATA)
- );
-
- ((IKEV2_PROPOSAL_DATA *) (ChildSaSession->SaData + 1))->ProposalIndex = 1;
-
- ((IKEV2_PROPOSAL_DATA *) (ChildSaSession->SaData + 1))->Spi = AllocateCopyPool (
- sizeof (ChildSaSession->LocalPeerSpi),
- &ChildSaSession->LocalPeerSpi
- );
- if (((IKEV2_PROPOSAL_DATA *) (ChildSaSession->SaData + 1))->Spi == NULL) {
- FreePool (ChildSaSession->SessionCommon.SaParams);
-
- FreePool (ChildSaSession->SaData );
-
- return FALSE;
- }
-
- return TRUE;
-
- } else {
- PreferEncryptAlgorithm = 0;
- PreferIntegrityAlgorithm = 0;
- IsSupportEsn = TRUE;
- }
- }
- //
- // Point to next Proposal
- //
- ProposalData = (IKEV2_PROPOSAL_DATA *)((UINT8 *)(ProposalData + 1) +
- ProposalData->NumTransforms * sizeof (IKEV2_TRANSFORM_DATA));
- }
- } else if (Type == IKE_HEADER_FLAGS_RESPOND) {
- //
- // First check the SA proposal's ProtoctolID and Transform Numbers. Since it is
- // the responded SA proposal, suppose it only has one proposal and the transform Numbers
- // is 3.
- //
- ProposalData = (IKEV2_PROPOSAL_DATA *)((IKEV2_SA_DATA *)SaPayload->PayloadBuf + 1);
- if (ProposalData->ProtocolId != IPSEC_PROTO_IPSEC_ESP || ProposalData->NumTransforms != 3) {
- return FALSE;
- }
- //
- // Get the preferred algorithms.
- //
- Ikev2ParseProposalData (
- ProposalData,
- &PreferEncryptAlgorithm,
- &PreferIntegrityAlgorithm,
- NULL,
- NULL,
- &PreferEncryptKeylength,
- &PreferIsSupportEsn,
- TRUE
- );
-
- ProposalData = (IKEV2_PROPOSAL_DATA *) (ChildSaSession->SaData + 1);
-
- for (ProposalIndex = 0; ProposalIndex < ChildSaSession->SaData->NumProposals && (!IsMatch); ProposalIndex++) {
- Ikev2ParseProposalData (
- ProposalData,
- &EncryptAlgorithm,
- &IntegrityAlgorithm,
- NULL,
- NULL,
- &EncryptKeylength,
- &IsSupportEsn,
- TRUE
- );
- if (EncryptAlgorithm == PreferEncryptAlgorithm &&
- EncryptKeylength == PreferEncryptKeylength &&
- IntegrityAlgorithm == PreferIntegrityAlgorithm &&
- IsSupportEsn == PreferIsSupportEsn
- ) {
- IsMatch = TRUE;
- } else {
- IntegrityAlgorithm = 0;
- EncryptAlgorithm = 0;
- EncryptKeylength = 0;
- IsSupportEsn = FALSE;
- }
- ProposalData = (IKEV2_PROPOSAL_DATA*)((UINT8*)(ProposalData + 1) +
- ProposalData->NumTransforms * sizeof (IKEV2_TRANSFORM_DATA));
- }
-
- ProposalData = (IKEV2_PROPOSAL_DATA *)((IKEV2_SA_DATA *)SaPayload->PayloadBuf + 1);
- if (IsMatch) {
- ChildSaSession->SessionCommon.SaParams = AllocateZeroPool (sizeof (IKEV2_SA_PARAMS));
- if (ChildSaSession->SessionCommon.SaParams == NULL) {
- return FALSE;
- }
-
- ChildSaSession->SessionCommon.SaParams->EncAlgId = PreferEncryptAlgorithm;
- ChildSaSession->SessionCommon.SaParams->EnckeyLen = PreferEncryptKeylength;
- ChildSaSession->SessionCommon.SaParams->IntegAlgId = PreferIntegrityAlgorithm;
- CopyMem (&ChildSaSession->RemotePeerSpi, ProposalData->Spi, sizeof (ChildSaSession->RemotePeerSpi));
-
- return TRUE;
- }
- }
- return FALSE;
-}
-
-/**
- Generate Key buffer from fragments.
-
- If the digest length of specified HashAlgId is larger than or equal with the
- required output key length, derive the key directly. Otherwise, Key Material
- needs to be PRF-based concatenation according to 2.13 of RFC 4306:
- prf+ (K,S) = T1 | T2 | T3 | T4 | ..., T1 = prf (K, S | 0x01),
- T2 = prf (K, T1 | S | 0x02), T3 = prf (K, T2 | S | 0x03),T4 = prf (K, T3 | S | 0x04)
- then derive the key from this key material.
-
- @param[in] HashAlgId The Hash Algorithm ID used to generate key.
- @param[in] HashKey Pointer to a key buffer which contains hash key.
- @param[in] HashKeyLength The length of HashKey in bytes.
- @param[in, out] OutputKey Pointer to buffer which is used to receive the
- output key.
- @param[in] OutputKeyLength The length of OutPutKey buffer.
- @param[in] Fragments Pointer to the data to be used to generate key.
- @param[in] NumFragments The numbers of the Fragement.
-
- @retval EFI_SUCCESS The operation complete successfully.
- @retval EFI_INVALID_PARAMETER If NumFragments is zero.
- If the authentication algorithm given by HashAlgId
- cannot be found.
- @retval EFI_OUT_OF_RESOURCES If the required resource can't be allocated.
- @retval Others The operation is failed.
-
-**/
-EFI_STATUS
-Ikev2SaGenerateKey (
- IN UINT8 HashAlgId,
- IN UINT8 *HashKey,
- IN UINTN HashKeyLength,
- IN OUT UINT8 *OutputKey,
- IN UINTN OutputKeyLength,
- IN PRF_DATA_FRAGMENT *Fragments,
- IN UINTN NumFragments
- )
-{
- EFI_STATUS Status;
- PRF_DATA_FRAGMENT LocalFragments[3];
- UINT8 *Digest;
- UINTN DigestSize;
- UINTN Round;
- UINTN Index;
- UINTN AuthKeyLength;
- UINTN FragmentsSize;
- UINT8 TailData;
-
- Status = EFI_SUCCESS;
-
- if (NumFragments == 0) {
- return EFI_INVALID_PARAMETER;
- }
-
- LocalFragments[0].Data = NULL;
- LocalFragments[1].Data = NULL;
- LocalFragments[2].Data = NULL;
-
- AuthKeyLength = IpSecGetHmacDigestLength (HashAlgId);
- if (AuthKeyLength == 0) {
- return EFI_INVALID_PARAMETER;
- }
-
- DigestSize = AuthKeyLength;
- Digest = AllocateZeroPool (AuthKeyLength);
-
- if (Digest == NULL) {
- return EFI_OUT_OF_RESOURCES;
- }
- //
- // If the required output key length is less than the digest size,
- // copy the digest into OutputKey.
- //
- if (OutputKeyLength <= DigestSize) {
- Status = IpSecCryptoIoHmac (
- HashAlgId,
- HashKey,
- HashKeyLength,
- (HASH_DATA_FRAGMENT *) Fragments,
- NumFragments,
- Digest,
- DigestSize
- );
- if (EFI_ERROR (Status)) {
- goto Exit;
- }
-
- CopyMem (OutputKey, Digest, OutputKeyLength);
- goto Exit;
- }
-
- //
- //Otherwise, Key Material need to be PRF-based concatenation according to 2.13
- //of RFC 4306: prf+ (K,S) = T1 | T2 | T3 | T4 | ..., T1 = prf (K, S | 0x01),
- //T2 = prf (K, T1 | S | 0x02), T3 = prf (K, T2 | S | 0x03),T4 = prf (K, T3 | S | 0x04)
- //then derive the key from this key material.
- //
- FragmentsSize = 0;
- for (Index = 0; Index < NumFragments; Index++) {
- FragmentsSize = FragmentsSize + Fragments[Index].DataSize;
- }
-
- LocalFragments[1].Data = AllocateZeroPool (FragmentsSize);
- if (LocalFragments[1].Data == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto Exit;
- }
-
- LocalFragments[1].DataSize = FragmentsSize;
-
- //
- // Copy all input fragments into LocalFragments[1];
- //
- FragmentsSize = 0;
- for (Index = 0; Index < NumFragments; Index++) {
- CopyMem (
- LocalFragments[1].Data + FragmentsSize,
- Fragments[Index].Data,
- Fragments[Index].DataSize
- );
- FragmentsSize = FragmentsSize + Fragments[Index].DataSize;
- }
-
- //
- // Prepare 0x01 as the first tail data.
- //
- TailData = 0x01;
- LocalFragments[2].Data = &TailData;
- LocalFragments[2].DataSize = sizeof (TailData);
- //
- // Allocate buffer for the first fragment
- //
- LocalFragments[0].Data = AllocateZeroPool (AuthKeyLength);
- if (LocalFragments[0].Data == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto Exit;
- }
-
- LocalFragments[0].DataSize = AuthKeyLength;
-
- Round = (OutputKeyLength - 1) / AuthKeyLength + 1;
- for (Index = 0; Index < Round; Index++) {
- Status = IpSecCryptoIoHmac (
- HashAlgId,
- HashKey,
- HashKeyLength,
- (HASH_DATA_FRAGMENT *)(Index == 0 ? &LocalFragments[1] : LocalFragments),
- Index == 0 ? 2 : 3,
- Digest,
- DigestSize
- );
- if (EFI_ERROR(Status)) {
- goto Exit;
- }
- CopyMem (
- LocalFragments[0].Data,
- Digest,
- DigestSize
- );
- if (OutputKeyLength > DigestSize * (Index + 1)) {
- CopyMem (
- OutputKey + Index * DigestSize,
- Digest,
- DigestSize
- );
- LocalFragments[0].DataSize = DigestSize;
- TailData ++;
- } else {
- //
- // The last round
- //
- CopyMem (
- OutputKey + Index * DigestSize,
- Digest,
- OutputKeyLength - Index * DigestSize
- );
- }
- }
-
-Exit:
- //
- // Only First and second Framgement Data need to be freed.
- //
- for (Index = 0 ; Index < 2; Index++) {
- if (LocalFragments[Index].Data != NULL) {
- FreePool (LocalFragments[Index].Data);
- }
- }
- if (Digest != NULL) {
- FreePool (Digest);
- }
- return Status;
-}
-
diff --git a/NetworkPkg/IpSecDxe/Ikev2/Utility.h b/NetworkPkg/IpSecDxe/Ikev2/Utility.h deleted file mode 100644 index ee466c05ac..0000000000 --- a/NetworkPkg/IpSecDxe/Ikev2/Utility.h +++ /dev/null @@ -1,1061 +0,0 @@ -/** @file
- The interfaces of IKE/Child session operations and payload related operations
- used by IKE Exchange Process.
-
- Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>
-
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#ifndef _IKE_V2_UTILITY_H_
-#define _IKE_V2_UTILITY_H_
-
-#include "Ikev2.h"
-#include "IkeCommon.h"
-#include "IpSecCryptIo.h"
-
-#include <Library/PcdLib.h>
-
-#define IKEV2_SUPPORT_ENCRYPT_ALGORITHM_NUM 2
-#define IKEV2_SUPPORT_PRF_ALGORITHM_NUM 1
-#define IKEV2_SUPPORT_DH_ALGORITHM_NUM 2
-#define IKEV2_SUPPORT_AUTH_ALGORITHM_NUM 1
-
-/**
- Allocate buffer for IKEV2_SA_SESSION and initialize it.
-
- @param[in] Private Pointer to IPSEC_PRIVATE_DATA.
- @param[in] UdpService Pointer to IKE_UDP_SERVICE related to this IKE SA Session.
-
- @return Pointer to IKEV2_SA_SESSION.
-
-**/
-IKEV2_SA_SESSION *
-Ikev2SaSessionAlloc (
- IN IPSEC_PRIVATE_DATA *Private,
- IN IKE_UDP_SERVICE *UdpService
- );
-
-/**
- Register Establish IKEv2 SA into Private->Ikev2EstablishedList.
-
- @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION to be registered.
- @param[in] Private Pointer to IPSEC_PRAVATE_DATA.
-
-**/
-VOID
-Ikev2SaSessionReg (
- IN IKEV2_SA_SESSION *IkeSaSession,
- IN IPSEC_PRIVATE_DATA *Private
- );
-
-/**
- Find a IKEV2_SA_SESSION by the remote peer IP.
-
- @param[in] SaSessionList SaSession List to be searched.
- @param[in] RemotePeerIp Pointer to specified IP address.
-
- @return Pointer to IKEV2_SA_SESSION if find one or NULL.
-
-**/
-IKEV2_SA_SESSION *
-Ikev2SaSessionLookup (
- IN LIST_ENTRY *SaSessionList,
- IN EFI_IP_ADDRESS *RemotePeerIp
- );
-
-/**
- Insert a IKE_SA_SESSION into IkeSaSession list. The IkeSaSession list is either
- Private->Ikev2SaSession list or Private->Ikev2EstablishedList list.
-
- @param[in] SaSessionList Pointer to list to be inserted into.
- @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION to be inserted.
- @param[in] RemotePeerIp Pointer to EFI_IP_ADDRESSS to indicate the
- unique IKEV2_SA_SESSION.
-
-**/
-VOID
-Ikev2SaSessionInsert (
- IN LIST_ENTRY *SaSessionList,
- IN IKEV2_SA_SESSION *IkeSaSession,
- IN EFI_IP_ADDRESS *RemotePeerIp
- );
-
-/**
- Remove the SA Session by Remote Peer IP.
-
- @param[in] SaSessionList Pointer to list to be searched.
- @param[in] RemotePeerIp Pointer to EFI_IP_ADDRESS to use for SA Session search.
-
- @retval Pointer to IKEV2_SA_SESSION with the specified remote IP address.
-
-**/
-IKEV2_SA_SESSION *
-Ikev2SaSessionRemove (
- IN LIST_ENTRY *SaSessionList,
- IN EFI_IP_ADDRESS *RemotePeerIp
- );
-
-
-/**
- After IKE/Child SA is estiblished, close the time event and free sent packet.
-
- @param[in] SessionCommon Pointer to a Session Common.
-
-**/
-VOID
-Ikev2SessionCommonRefresh (
- IN IKEV2_SESSION_COMMON *SessionCommon
- );
-
-/**
- Free specified IKEV2 SA Session.
-
- @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION to be freed.
-
-**/
-VOID
-Ikev2SaSessionFree (
- IN IKEV2_SA_SESSION *IkeSaSession
- );
-
-/**
- Free specified Seession Common. The session common would belong to a IKE SA or
- a Child SA.
-
- @param[in] SessionCommon Pointer to a Session Common.
-
-**/
-VOID
-Ikev2SaSessionCommonFree (
- IN IKEV2_SESSION_COMMON *SessionCommon
- );
-
-/**
- Increase the MessageID in IkeSaSession.
-
- @param[in] IkeSaSession Pointer to a specified IKEV2_SA_SESSION.
-
-**/
-VOID
-Ikev2SaSessionIncreaseMessageId (
- IN IKEV2_SA_SESSION *IkeSaSession
- );
-
-/**
- Allocate Momery for IKEV2 Child SA Session.
-
- @param[in] UdpService Pointer to IKE_UDP_SERVICE.
- @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION related to this Child SA
- Session.
-
- @retval Pointer of a new created IKEV2 Child SA Session.
-
-**/
-IKEV2_CHILD_SA_SESSION *
-Ikev2ChildSaSessionAlloc (
- IN IKE_UDP_SERVICE *UdpService,
- IN IKEV2_SA_SESSION *IkeSaSession
- );
-
-/**
- Register a established IKEv2 Child SA into IkeSaSession->ChildSaEstablishSessionList.
- If the there is IKEV2_CHILD_SA_SESSION with same remote peer IP, remove the old one
- then register the new one.
-
- @param[in] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION to be registered.
- @param[in] Private Pointer to IPSEC_PRAVATE_DATA.
-
-**/
-VOID
-Ikev2ChildSaSessionReg (
- IN IKEV2_CHILD_SA_SESSION *ChildSaSession,
- IN IPSEC_PRIVATE_DATA *Private
- );
-
-/**
- This function find the Child SA by the specified Spi.
-
- This functin find a ChildSA session by searching the ChildSaSessionlist of
- the input IKEV2_SA_SESSION by specified MessageID.
-
- @param[in] SaSessionList Pointer to List to be searched.
- @param[in] Spi Specified SPI.
-
- @return Pointer to IKEV2_CHILD_SA_SESSION.
-
-**/
-IKEV2_CHILD_SA_SESSION *
-Ikev2ChildSaSessionLookupBySpi (
- IN LIST_ENTRY *SaSessionList,
- IN UINT32 Spi
- );
-
-
-/**
- Insert a Child SA Session into the specified ChildSa list..
-
- @param[in] SaSessionList Pointer to list to be inserted in.
- @param[in] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION to be inserted.
-
-**/
-VOID
-Ikev2ChildSaSessionInsert (
- IN LIST_ENTRY *SaSessionList,
- IN IKEV2_CHILD_SA_SESSION *ChildSaSession
- );
-
-/**
- Remove the IKEV2_CHILD_SA_SESSION from IkeSaSessionList.
-
- @param[in] SaSessionList The SA Session List to be iterated.
- @param[in] Spi Spi used to identify the IKEV2_CHILD_SA_SESSION.
- @param[in] ListType The type of the List to indicate whether it is a
- Established.
-
- @return The point to IKEV2_CHILD_SA_SESSION.
-
-**/
-IKEV2_CHILD_SA_SESSION *
-Ikev2ChildSaSessionRemove (
- IN LIST_ENTRY *SaSessionList,
- IN UINT32 Spi,
- IN UINT8 ListType
- );
-
-
-/**
- Free the memory located for the specified IKEV2_CHILD_SA_SESSION.
-
- @param[in] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION.
-
-**/
-VOID
-Ikev2ChildSaSessionFree (
- IN IKEV2_CHILD_SA_SESSION *ChildSaSession
- );
-
-/**
- Free the specified DhBuffer.
-
- @param[in] DhBuffer Pointer to IKEV2_DH_BUFFER to be freed.
-
-**/
-VOID
-Ikev2DhBufferFree (
- IN IKEV2_DH_BUFFER *DhBuffer
- );
-
-/**
- Delete the specified established Child SA.
-
- This function delete the Child SA directly and dont send the Information Packet to
- remote peer.
-
- @param[in] IkeSaSession Pointer to a IKE SA Session used to be searched for.
- @param[in] Spi SPI used to find the Child SA.
-
- @retval EFI_NOT_FOUND Pointer of IKE SA Session is NULL.
- @retval EFI_NOT_FOUND There is no specified Child SA related with the input
- SPI under this IKE SA Session.
- @retval EFI_SUCCESS Delete the Child SA successfully.
-
-**/
-EFI_STATUS
-Ikev2ChildSaSilentDelete (
- IN IKEV2_SA_SESSION *IkeSaSession,
- IN UINT32 Spi
- );
-
-/**
- This function is to parse a request IKE packet and return its request type.
- The request type is one of IKE CHILD SA creation, IKE SA rekeying and
- IKE CHILD SA rekeying.
-
- @param[in] IkePacket IKE packet to be prased.
-
- return the type of the IKE packet.
-
-**/
-IKEV2_CREATE_CHILD_REQUEST_TYPE
-Ikev2ChildExchangeRequestType(
- IN IKE_PACKET *IkePacket
- );
-
-
-/**
- Associate a SPD selector to the Child SA Session.
-
- This function is called when the Child SA is not the first child SA of its
- IKE SA. It associate a SPD to this Child SA.
-
- @param[in, out] ChildSaSession Pointer to the Child SA Session to be associated to
- a SPD selector.
-
- @retval EFI_SUCCESS Associate one SPD selector to this Child SA Session successfully.
- @retval EFI_NOT_FOUND Can't find the related SPD selector.
-
-**/
-EFI_STATUS
-Ikev2ChildSaAssociateSpdEntry (
- IN OUT IKEV2_CHILD_SA_SESSION *ChildSaSession
- );
-
-/**
- Validate the IKE header of received IKE packet.
-
- @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION related to this IKE packet.
- @param[in] IkeHdr Pointer to IKE header of received IKE packet.
-
- @retval TRUE If the IKE header is valid.
- @retval FALSE If the IKE header is invalid.
-
-**/
-BOOLEAN
-Ikev2ValidateHeader (
- IN IKEV2_SA_SESSION *IkeSaSession,
- IN IKE_HEADER *IkeHdr
- );
-
-/**
- Create and intialize IKEV2_SA_DATA for speicifed IKEV2_SESSION_COMMON.
-
- This function will be only called by the initiator. The responder's IKEV2_SA_DATA
- will be generated during parsed the initiator packet.
-
- @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON related to.
-
- @retval a Pointer to a new IKEV2_SA_DATA or NULL.
-
-**/
-IKEV2_SA_DATA *
-Ikev2InitializeSaData (
- IN IKEV2_SESSION_COMMON *SessionCommon
- );
-
-/**
- Store the SA into SAD.
-
- @param[in] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION.
-
-**/
-VOID
-Ikev2StoreSaData (
- IN IKEV2_CHILD_SA_SESSION *ChildSaSession
- );
-
-/**
- Routine process before the payload decoding.
-
- @param[in] SessionCommon Pointer to ChildSa SessionCommon.
- @param[in] PayloadBuf Pointer to the payload.
- @param[in] PayloadSize Size of PayloadBuf in byte.
- @param[in] PayloadType Type of Payload.
-
-**/
-VOID
-Ikev2ChildSaBeforeDecodePayload (
- IN UINT8 *SessionCommon,
- IN UINT8 *PayloadBuf,
- IN UINTN PayloadSize,
- IN UINT8 PayloadType
- );
-
-/**
- Routine Process after the encode payload.
-
- @param[in] SessionCommon Pointer to ChildSa SessionCommon.
- @param[in] PayloadBuf Pointer to the payload.
- @param[in] PayloadSize Size of PayloadBuf in byte.
- @param[in] PayloadType Type of Payload.
-
-**/
-VOID
-Ikev2ChildSaAfterEncodePayload (
- IN UINT8 *SessionCommon,
- IN UINT8 *PayloadBuf,
- IN UINTN PayloadSize,
- IN UINT8 PayloadType
- );
-
-/**
- Generate Ikev2 SA payload according to SessionSaData
-
- @param[in] SessionSaData The data used in SA payload.
- @param[in] NextPayload The payload type presented in NextPayload field of
- SA Payload header.
- @param[in] Type The SA type. It MUST be neither (1) for IKE_SA or
- (2) for CHILD_SA or (3) for INFO.
-
- @retval a Pointer to SA IKE payload.
-
-**/
-IKE_PAYLOAD *
-Ikev2GenerateSaPayload (
- IN IKEV2_SA_DATA *SessionSaData,
- IN UINT8 NextPayload,
- IN IKE_SESSION_TYPE Type
- );
-
-/**
- Generate a ID payload.
-
- @param[in] CommonSession Pointer to IKEV2_SESSION_COMMON related to ID payload.
- @param[in] NextPayload The payload type presented in the NextPayload field
- of ID Payload header.
-
- @retval Pointer to ID IKE payload.
-
-**/
-IKE_PAYLOAD *
-Ikev2GenerateIdPayload (
- IN IKEV2_SESSION_COMMON *CommonSession,
- IN UINT8 NextPayload
- );
-
-/**
- Generate a ID payload.
-
- @param[in] CommonSession Pointer to IKEV2_SESSION_COMMON related to ID payload.
- @param[in] NextPayload The payload type presented in the NextPayload field
- of ID Payload header.
- @param[in] InCert Pointer to the Certificate which distinguished name
- will be added into the Id payload.
- @param[in] CertSize Size of the Certificate.
-
- @retval Pointer to ID IKE payload.
-
-**/
-IKE_PAYLOAD *
-Ikev2GenerateCertIdPayload (
- IN IKEV2_SESSION_COMMON *CommonSession,
- IN UINT8 NextPayload,
- IN UINT8 *InCert,
- IN UINTN CertSize
- );
-
-/**
- Generate a Nonce payload contenting the input parameter NonceBuf.
-
- @param[in] NonceBuf The nonce buffer content the whole Nonce payload block
- except the payload header.
- @param[in] NonceSize The buffer size of the NonceBuf
- @param[in] NextPayload The payload type presented in the NextPayload field
- of Nonce Payload header.
-
- @retval Pointer to Nonce IKE paload.
-
-**/
-IKE_PAYLOAD *
-Ikev2GenerateNoncePayload (
- IN UINT8 *NonceBuf,
- IN UINTN NonceSize,
- IN UINT8 NextPayload
- );
-
-/**
- Generate the Notify payload.
-
- Since the structure of Notify payload which defined in RFC 4306 is simple, so
- there is no internal data structure for Notify payload. This function generate
- Notify payload defined in RFC 4306, but all the fields in this payload are still
- in host order and need call Ikev2EncodePayload() to convert those fields from
- the host order to network order beforing sending it.
-
- @param[in] ProtocolId The protocol type ID. For IKE_SA it MUST be one (1).
- For IPsec SAs it MUST be neither (2) for AH or (3)
- for ESP.
- @param[in] NextPayload The next paylaod type in NextPayload field of
- the Notify payload.
- @param[in] SpiSize Size of the SPI in SPI size field of the Notify Payload.
- @param[in] MessageType The message type in NotifyMessageType field of the
- Notify Payload.
- @param[in] SpiBuf Pointer to buffer contains the SPI value.
- @param[in] NotifyData Pointer to buffer contains the notification data.
- @param[in] NotifyDataSize The size of NotifyData in bytes.
-
-
- @retval Pointer to IKE Notify Payload.
-
-**/
-IKE_PAYLOAD *
-Ikev2GenerateNotifyPayload (
- IN UINT8 ProtocolId,
- IN UINT8 NextPayload,
- IN UINT8 SpiSize,
- IN UINT16 MessageType,
- IN UINT8 *SpiBuf,
- IN UINT8 *NotifyData,
- IN UINTN NotifyDataSize
- );
-
-/**
- Generate the Delete payload.
-
- Since the structure of Delete payload which defined in RFC 4306 is simple,
- there is no internal data structure for Delete payload. This function generate
- Delete payload defined in RFC 4306, but all the fields in this payload are still
- in host order and need call Ikev2EncodePayload() to convert those fields from
- the host order to network order beforing sending it.
-
- @param[in] IkeSaSession Pointer to IKE SA Session to be used of Delete payload generation.
- @param[in] NextPayload The next paylaod type in NextPayload field of
- the Delete payload.
- @param[in] SpiSize Size of the SPI in SPI size field of the Delete Payload.
- @param[in] SpiNum Number of SPI in NumofSPIs field of the Delete Payload.
- @param[in] SpiBuf Pointer to buffer contains the SPI value.
-
- @retval Pointer to IKE Delete Payload.
-
-**/
-IKE_PAYLOAD *
-Ikev2GenerateDeletePayload (
- IN IKEV2_SA_SESSION *IkeSaSession,
- IN UINT8 NextPayload,
- IN UINT8 SpiSize,
- IN UINT16 SpiNum,
- IN UINT8 *SpiBuf
- );
-
-/**
- Generate the Configuration payload.
-
- This function generates a configuration payload defined in RFC 4306, but all the
- fields in this payload are still in host order and need call Ikev2EncodePayload()
- to convert those fields from the host order to network order beforing sending it.
-
- @param[in] IkeSaSession Pointer to IKE SA Session to be used for Delete payload
- generation.
- @param[in] NextPayload The next paylaod type in NextPayload field of
- the Delete payload.
- @param[in] CfgType The attribute type in the Configuration attribute.
-
- @retval Pointer to IKE CP Payload.
-
-**/
-IKE_PAYLOAD *
-Ikev2GenerateCpPayload (
- IN IKEV2_SA_SESSION *IkeSaSession,
- IN UINT8 NextPayload,
- IN UINT8 CfgType
- );
-
-/**
- Generate a Authentication Payload.
-
- This function is used for both Authentication generation and verification. When the
- IsVerify is TRUE, it create a Auth Data for verification. This function choose the
- related IKE_SA_INIT Message for Auth data creation according to the IKE Session's type
- and the value of IsVerify parameter.
-
- @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION related to.
- @param[in] IdPayload Pointer to the ID payload to be used for Authentication
- payload generation.
- @param[in] NextPayload The type filled into the Authentication Payload next
- payload field.
- @param[in] IsVerify If it is TURE, the Authentication payload is used for
- verification.
-
- @return pointer to IKE Authentication payload for pre-shard key method.
-
-**/
-IKE_PAYLOAD *
-Ikev2PskGenerateAuthPayload (
- IN IKEV2_SA_SESSION *IkeSaSession,
- IN IKE_PAYLOAD *IdPayload,
- IN UINT8 NextPayload,
- IN BOOLEAN IsVerify
- );
-
-/**
- Generate a Authentication Payload for Certificate Auth method.
-
- This function has two functions. One is creating a local Authentication
- Payload for sending and other is creating the remote Authentication data
- for verification when the IsVerify is TURE.
-
- @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION related to.
- @param[in] IdPayload Pointer to the ID payload to be used for Authentication
- payload generation.
- @param[in] NextPayload The type filled into the Authentication Payload
- next payload field.
- @param[in] IsVerify If it is TURE, the Authentication payload is used
- for verification.
- @param[in] UefiPrivateKey Pointer to the UEFI private key. Ignore it when
- verify the authenticate payload.
- @param[in] UefiPrivateKeyLen The size of UefiPrivateKey in bytes. Ignore it
- when verify the authenticate payload.
- @param[in] UefiKeyPwd Pointer to the password of UEFI private key.
- Ignore it when verify the authenticate payload.
- @param[in] UefiKeyPwdLen The size of UefiKeyPwd in bytes.Ignore it when
- verify the authenticate payload.
-
- @return pointer to IKE Authentication payload for certification method.
-
-**/
-IKE_PAYLOAD *
-Ikev2CertGenerateAuthPayload (
- IN IKEV2_SA_SESSION *IkeSaSession,
- IN IKE_PAYLOAD *IdPayload,
- IN UINT8 NextPayload,
- IN BOOLEAN IsVerify,
- IN UINT8 *UefiPrivateKey,
- IN UINTN UefiPrivateKeyLen,
- IN UINT8 *UefiKeyPwd,
- IN UINTN UefiKeyPwdLen
- );
-
-/**
- Generate TS payload.
-
- This function generates TSi or TSr payload according to type of next payload.
- If the next payload is Responder TS, gereate TSi Payload. Otherwise, generate
- TSr payload
-
- @param[in] ChildSa Pointer to IKEV2_CHILD_SA_SESSION related to this TS payload.
- @param[in] NextPayload The payload type presented in the NextPayload field
- of ID Payload header.
- @param[in] IsTunnel It indicates that if the Ts Payload is after the CP payload.
- If yes, it means the Tsi and Tsr payload should be with
- Max port range and address range and protocol is marked
- as zero.
-
- @retval Pointer to Ts IKE payload.
-
-**/
-IKE_PAYLOAD *
-Ikev2GenerateTsPayload (
- IN IKEV2_CHILD_SA_SESSION *ChildSa,
- IN UINT8 NextPayload,
- IN BOOLEAN IsTunnel
- );
-
-/**
- Parser the Notify Cookie payload.
-
- This function parses the Notify Cookie payload.If the Notify ProtocolId is not
- IPSEC_PROTO_ISAKMP or if the SpiSize is not zero or if the MessageType is not
- the COOKIE, return EFI_INVALID_PARAMETER.
-
- @param[in] IkeNCookie Pointer to the IKE_PAYLOAD which contians the
- Notify Cookie payload.
- the Notify payload.
- @param[in, out] IkeSaSession Pointer to the relevant IKE SA Session.
-
- @retval EFI_SUCCESS The Notify Cookie Payload is valid.
- @retval EFI_INVALID_PARAMETER The Notify Cookie Payload is invalid.
- @retval EFI_OUT_OF_RESOURCE The required resource can't be allocated.
-
-**/
-EFI_STATUS
-Ikev2ParserNotifyCookiePayload (
- IN IKE_PAYLOAD *IkeNCookie,
- IN OUT IKEV2_SA_SESSION *IkeSaSession
- );
-
-/**
- Generate the Certificate payload or Certificate Request Payload.
-
- Since the Certificate Payload structure is same with Certificate Request Payload,
- the only difference is that one contains the Certificate Data, other contains
- the acceptable certificateion CA. This function generate Certificate payload
- or Certificate Request Payload defined in RFC 4306, but all the fields
- in the payload are still in host order and need call Ikev2EncodePayload()
- to convert those fields from the host order to network order beforing sending it.
-
- @param[in] IkeSaSession Pointer to IKE SA Session to be used of Delete payload
- generation.
- @param[in] NextPayload The next paylaod type in NextPayload field of
- the Delete payload.
- @param[in] Certificate Pointer of buffer contains the certification data.
- @param[in] CertificateLen The length of Certificate in byte.
- @param[in] EncodeType Specified the Certificate Encodeing which is defined
- in RFC 4306.
- @param[in] IsRequest To indicate create Certificate Payload or Certificate
- Request Payload. If it is TURE, create Certificate
- Request Payload. Otherwise, create Certificate Payload.
-
- @retval a Pointer to IKE Payload whose payload buffer containing the Certificate
- payload or Certificated Request payload.
-
-**/
-IKE_PAYLOAD *
-Ikev2GenerateCertificatePayload (
- IN IKEV2_SA_SESSION *IkeSaSession,
- IN UINT8 NextPayload,
- IN UINT8 *Certificate,
- IN UINTN CertificateLen,
- IN UINT8 EncodeType,
- IN BOOLEAN IsRequest
- );
-
-/**
- General interface of payload encoding.
-
- This function encode the internal data structure into payload which
- is defined in RFC 4306. The IkePayload->PayloadBuf used to store both the input
- payload and converted payload. Only the SA payload use the interal structure
- to store the attribute. Other payload use structure which is same with the RFC
- defined, for this kind payloads just do host order to network order change of
- some fields.
-
- @param[in] SessionCommon Pointer to IKE Session Common used to encode the payload.
- @param[in, out] IkePayload Pointer to IKE payload to be encode as input, and
- store the encoded result as output.
-
- @retval EFI_INVALID_PARAMETER Meet error when encode the SA payload.
- @retval EFI_SUCCESS Encode successfully.
-
-**/
-EFI_STATUS
-Ikev2EncodePayload (
- IN UINT8 *SessionCommon,
- IN OUT IKE_PAYLOAD *IkePayload
- );
-
-/**
- The general interface of decode Payload.
-
- This function convert the received Payload into internal structure.
-
- @param[in] SessionCommon Pointer to IKE Session Common to use for decoding.
- @param[in, out] IkePayload Pointer to IKE payload to be decode as input, and
- store the decoded result as output.
-
- @retval EFI_INVALID_PARAMETER Meet error when decode the SA payload.
- @retval EFI_SUCCESS Decode successfully.
-
-**/
-EFI_STATUS
-Ikev2DecodePayload (
- IN UINT8 *SessionCommon,
- IN OUT IKE_PAYLOAD *IkePayload
- );
-
-/**
- Decrypt IKE packet.
-
- This function decrpt the Encrypted IKE packet and put the result into IkePacket->PayloadBuf.
-
- @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON containing
- some parameter used during decrypting.
- @param[in, out] IkePacket Point to IKE_PACKET to be decrypted as input,
- and the decrypted reslult as output.
- @param[in, out] IkeType The type of IKE. IKE_SA_TYPE, IKE_INFO_TYPE and
- IKE_CHILD_TYPE are supportted.
-
- @retval EFI_INVALID_PARAMETER If the IKE packet length is zero or the
- IKE packet length is not Algorithm Block Size
- alignment.
- @retval EFI_SUCCESS Decrypt IKE packet successfully.
-
-**/
-EFI_STATUS
-Ikev2DecryptPacket (
- IN IKEV2_SESSION_COMMON *SessionCommon,
- IN OUT IKE_PACKET *IkePacket,
- IN OUT UINTN IkeType
- );
-
-/**
- Encrypt IKE packet.
-
- This function encrypt IKE packet before sending it. The Encrypted IKE packet
- is put in to IKEV2 Encrypted Payload.
-
- @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON related to the IKE packet.
- @param[in, out] IkePacket Pointer to IKE packet to be encrypted.
-
- @retval EFI_SUCCESS Operation is successful.
- @retval Others OPeration is failed.
-
-**/
-EFI_STATUS
-Ikev2EncryptPacket (
- IN IKEV2_SESSION_COMMON *SessionCommon,
- IN OUT IKE_PACKET *IkePacket
- );
-
-/**
- Encode the IKE packet.
-
- This function put all Payloads into one payload then encrypt it if needed.
-
- @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON containing
- some parameter used during IKE packet encoding.
- @param[in, out] IkePacket Pointer to IKE_PACKET to be encoded as input,
- and the encoded reslult as output.
- @param[in] IkeType The type of IKE. IKE_SA_TYPE, IKE_INFO_TYPE and
- IKE_CHILD_TYPE are supportted.
-
- @retval EFI_SUCCESS Encode IKE packet successfully.
- @retval Otherwise Encode IKE packet failed.
-
-**/
-EFI_STATUS
-Ikev2EncodePacket (
- IN IKEV2_SESSION_COMMON *SessionCommon,
- IN OUT IKE_PACKET *IkePacket,
- IN UINTN IkeType
- );
-
-/**
- Decode the IKE packet.
-
- This function first decrypts the IKE packet if needed , then separats the whole
- IKE packet from the IkePacket->PayloadBuf into IkePacket payload list.
-
- @param[in] SessionCommon Pointer to IKEV1_SESSION_COMMON containing
- some parameter used by IKE packet decoding.
- @param[in, out] IkePacket The IKE Packet to be decoded on input, and
- the decoded result on return.
- @param[in] IkeType The type of IKE. IKE_SA_TYPE, IKE_INFO_TYPE and
- IKE_CHILD_TYPE are supportted.
-
- @retval EFI_SUCCESS The IKE packet is decoded successfull.
- @retval Otherwise The IKE packet decoding is failed.
-
-**/
-EFI_STATUS
-Ikev2DecodePacket (
- IN IKEV2_SESSION_COMMON *SessionCommon,
- IN OUT IKE_PACKET *IkePacket,
- IN UINTN IkeType
- );
-
-
-/**
- Send out IKEV2 packet.
-
- @param[in] IkeUdpService Pointer to IKE_UDP_SERVICE used to send the IKE packet.
- @param[in] SessionCommon Pointer to IKEV1_SESSION_COMMON related to the IKE packet.
- @param[in] IkePacket Pointer to IKE_PACKET to be sent out.
- @param[in] IkeType The type of IKE to point what's kind of the IKE
- packet is to be sent out. IKE_SA_TYPE, IKE_INFO_TYPE
- and IKE_CHILD_TYPE are supportted.
-
- @retval EFI_SUCCESS The operation complete successfully.
- @retval Otherwise The operation is failed.
-
-**/
-EFI_STATUS
-Ikev2SendIkePacket (
- IN IKE_UDP_SERVICE *IkeUdpService,
- IN UINT8 *SessionCommon,
- IN IKE_PACKET *IkePacket,
- IN UINTN IkeType
- );
-
-/**
- Callback function for the IKE life time is over.
-
- This function will mark the related IKE SA Session as deleting and trigger a
- Information negotiation.
-
- @param[in] Event The time out event.
- @param[in] Context Pointer to data passed by caller.
-
-**/
-VOID
-EFIAPI
-Ikev2LifetimeNotify (
- IN EFI_EVENT Event,
- IN VOID *Context
- );
-
-/**
- This function will be called if the TimeOut Event is signaled.
-
- @param[in] Event The signaled Event.
- @param[in] Context The data passed by caller.
-
-**/
-VOID
-EFIAPI
-Ikev2ResendNotify (
- IN EFI_EVENT Event,
- IN VOID *Context
- );
-
-/**
- Generate a Key Exchange payload according to the DH group type and save the
- public Key into IkeSaSession IkeKey field.
-
- @param[in, out] IkeSaSession Pointer of the IKE_SA_SESSION.
- @param[in] NextPayload The payload type presented in the NextPayload field of Key
- Exchange Payload header.
-
- @retval Pointer to Key IKE payload.
-
-**/
-IKE_PAYLOAD *
-Ikev2GenerateKePayload (
- IN OUT IKEV2_SA_SESSION *IkeSaSession,
- IN UINT8 NextPayload
- );
-
-/**
- Check if the SPD is related to the input Child SA Session.
-
- This function is the subfunction of Ikev1AssociateSpdEntry(). It is the call
- back function of IpSecVisitConfigData().
-
-
- @param[in] Type Type of the input Config Selector.
- @param[in] Selector Pointer to the Configure Selector to be checked.
- @param[in] Data Pointer to the Configure Selector's Data passed
- from the caller.
- @param[in] SelectorSize The buffer size of Selector.
- @param[in] DataSize The buffer size of the Data.
- @param[in] Context The data passed from the caller. It is a Child
- SA Session in this context.
-
- @retval EFI_SUCCESS The SPD Selector is not related to the Child SA Session.
- @retval EFI_ABORTED The SPD Selector is related to the Child SA session and
- set the ChildSaSession->Spd to point to this SPD Selector.
-
-**/
-EFI_STATUS
-Ikev2MatchSpdEntry (
- IN EFI_IPSEC_CONFIG_DATA_TYPE Type,
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector,
- IN VOID *Data,
- IN UINTN SelectorSize,
- IN UINTN DataSize,
- IN VOID *Context
- );
-
-/**
- Check if the Algorithm ID is supported.
-
- @param[in] AlgorithmId The specified Algorithm ID.
- @param[in] Type The type used to indicate the Algorithm is for Encrypt or
- Authentication.
-
- @retval TRUE If the Algorithm ID is supported.
- @retval FALSE If the Algorithm ID is not supported.
-
-**/
-BOOLEAN
-Ikev2IsSupportAlg (
- IN UINT16 AlgorithmId,
- IN UINT8 Type
- );
-
-/**
- Generate a ChildSa Session and insert it into related IkeSaSession.
-
- @param[in] IkeSaSession Pointer to related IKEV2_SA_SESSION.
- @param[in] UdpService Pointer to related IKE_UDP_SERVICE.
-
- @return pointer of IKEV2_CHILD_SA_SESSION.
-
-**/
-IKEV2_CHILD_SA_SESSION *
-Ikev2ChildSaSessionCreate (
- IN IKEV2_SA_SESSION *IkeSaSession,
- IN IKE_UDP_SERVICE *UdpService
- ) ;
-
-/**
- Parse the received Initial Exchange Packet.
-
- This function parse the SA Payload and Key Payload to find out the cryptographic
- suite for the further IKE negotiation and fill it into the IKE SA Session's
- CommonSession->SaParams.
-
- @param[in, out] IkeSaSession Pointer to related IKEV2_SA_SESSION.
- @param[in] SaPayload The received packet.
- @param[in] Type The received packet IKE header flag.
-
- @retval TRUE If the SA proposal in Packet is acceptable.
- @retval FALSE If the SA proposal in Packet is not acceptable.
-
-**/
-BOOLEAN
-Ikev2SaParseSaPayload (
- IN OUT IKEV2_SA_SESSION *IkeSaSession,
- IN IKE_PAYLOAD *SaPayload,
- IN UINT8 Type
- );
-
-/**
- Parse the received Authentication Exchange Packet.
-
- This function parse the SA Payload and Key Payload to find out the cryptographic
- suite for the ESP and fill it into the Child SA Session's CommonSession->SaParams.
-
- @param[in, out] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION related to
- this Authentication Exchange.
- @param[in] SaPayload The received packet.
- @param[in] Type The IKE header's flag of received packet .
-
- @retval TRUE If the SA proposal in Packet is acceptable.
- @retval FALSE If the SA proposal in Packet is not acceptable.
-
-**/
-BOOLEAN
-Ikev2ChildSaParseSaPayload (
- IN OUT IKEV2_CHILD_SA_SESSION *ChildSaSession,
- IN IKE_PAYLOAD *SaPayload,
- IN UINT8 Type
- );
-
-/**
- Generate Key buffer from fragments.
-
- If the digest length of specified HashAlgId is larger than or equal with the
- required output key length, derive the key directly. Otherwise, Key Material
- needs to be PRF-based concatenation according to 2.13 of RFC 4306:
- prf+ (K,S) = T1 | T2 | T3 | T4 | ..., T1 = prf (K, S | 0x01),
- T2 = prf (K, T1 | S | 0x02), T3 = prf (K, T2 | S | 0x03),T4 = prf (K, T3 | S | 0x04)
- then derive the key from this key material.
-
- @param[in] HashAlgId The Hash Algorithm ID used to generate key.
- @param[in] HashKey Pointer to a key buffer which contains hash key.
- @param[in] HashKeyLength The length of HashKey in bytes.
- @param[in, out] OutputKey Pointer to buffer which is used to receive the
- output key.
- @param[in] OutputKeyLength The length of OutPutKey buffer.
- @param[in] Fragments Pointer to the data to be used to generate key.
- @param[in] NumFragments The numbers of the Fragement.
-
- @retval EFI_SUCCESS The operation complete successfully.
- @retval EFI_INVALID_PARAMETER If NumFragments is zero.
- @retval EFI_OUT_OF_RESOURCES If the required resource can't be allocated.
- @retval Others The operation is failed.
-
-**/
-EFI_STATUS
-Ikev2SaGenerateKey (
- IN UINT8 HashAlgId,
- IN UINT8 *HashKey,
- IN UINTN HashKeyLength,
- IN OUT UINT8 *OutputKey,
- IN UINTN OutputKeyLength,
- IN PRF_DATA_FRAGMENT *Fragments,
- IN UINTN NumFragments
- );
-
-/**
- Copy ChildSaSession->Spd->Selector to ChildSaSession->SpdSelector.
-
- ChildSaSession->SpdSelector stores the real Spdselector for its SA. Sometime,
- the SpdSelector in ChildSaSession is more accurated or the scope is smaller
- than the one in ChildSaSession->Spd, especially for the tunnel mode.
-
- @param[in, out] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION related to.
-
- @retval EFI_SUCCESS The operation complete successfully.
- @retval EFI_OUT_OF_RESOURCES If the required resource can't be allocated.
-
-**/
-EFI_STATUS
-Ikev2ChildSaSessionSpdSelectorCreate (
- IN OUT IKEV2_CHILD_SA_SESSION *ChildSaSession
- );
-
-extern IKE_ALG_GUID_INFO mIPsecEncrAlgInfo[];
-#endif
-
diff --git a/NetworkPkg/IpSecDxe/IpSecConfigImpl.c b/NetworkPkg/IpSecDxe/IpSecConfigImpl.c deleted file mode 100644 index 74745519a0..0000000000 --- a/NetworkPkg/IpSecDxe/IpSecConfigImpl.c +++ /dev/null @@ -1,3156 +0,0 @@ -/** @file
- The implementation of IPSEC_CONFIG_PROTOCOL.
-
- Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
-
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#include "IpSecConfigImpl.h"
-#include "IpSecDebug.h"
-
-LIST_ENTRY mConfigData[IPsecConfigDataTypeMaximum];
-BOOLEAN mSetBySelf = FALSE;
-
-//
-// Common CompareSelector routine entry for SPD/SAD/PAD.
-//
-IPSEC_COMPARE_SELECTOR mCompareSelector[] = {
- (IPSEC_COMPARE_SELECTOR) CompareSpdSelector,
- (IPSEC_COMPARE_SELECTOR) CompareSaId,
- (IPSEC_COMPARE_SELECTOR) ComparePadId
-};
-
-//
-// Common IsZeroSelector routine entry for SPD/SAD/PAD.
-//
-IPSEC_IS_ZERO_SELECTOR mIsZeroSelector[] = {
- (IPSEC_IS_ZERO_SELECTOR) IsZeroSpdSelector,
- (IPSEC_IS_ZERO_SELECTOR) IsZeroSaId,
- (IPSEC_IS_ZERO_SELECTOR) IsZeroPadId
-};
-
-//
-// Common DuplicateSelector routine entry for SPD/SAD/PAD.
-//
-IPSEC_DUPLICATE_SELECTOR mDuplicateSelector[] = {
- (IPSEC_DUPLICATE_SELECTOR) DuplicateSpdSelector,
- (IPSEC_DUPLICATE_SELECTOR) DuplicateSaId,
- (IPSEC_DUPLICATE_SELECTOR) DuplicatePadId
-};
-
-//
-// Common FixPolicyEntry routine entry for SPD/SAD/PAD.
-//
-IPSEC_FIX_POLICY_ENTRY mFixPolicyEntry[] = {
- (IPSEC_FIX_POLICY_ENTRY) FixSpdEntry,
- (IPSEC_FIX_POLICY_ENTRY) FixSadEntry,
- (IPSEC_FIX_POLICY_ENTRY) FixPadEntry
-};
-
-//
-// Common UnfixPolicyEntry routine entry for SPD/SAD/PAD.
-//
-IPSEC_FIX_POLICY_ENTRY mUnfixPolicyEntry[] = {
- (IPSEC_FIX_POLICY_ENTRY) UnfixSpdEntry,
- (IPSEC_FIX_POLICY_ENTRY) UnfixSadEntry,
- (IPSEC_FIX_POLICY_ENTRY) UnfixPadEntry
-};
-
-//
-// Common SetPolicyEntry routine entry for SPD/SAD/PAD.
-//
-IPSEC_SET_POLICY_ENTRY mSetPolicyEntry[] = {
- (IPSEC_SET_POLICY_ENTRY) SetSpdEntry,
- (IPSEC_SET_POLICY_ENTRY) SetSadEntry,
- (IPSEC_SET_POLICY_ENTRY) SetPadEntry
-};
-
-//
-// Common GetPolicyEntry routine entry for SPD/SAD/PAD.
-//
-IPSEC_GET_POLICY_ENTRY mGetPolicyEntry[] = {
- (IPSEC_GET_POLICY_ENTRY) GetSpdEntry,
- (IPSEC_GET_POLICY_ENTRY) GetSadEntry,
- (IPSEC_GET_POLICY_ENTRY) GetPadEntry
-};
-
-//
-// Routine entry for IpSecConfig protocol.
-//
-EFI_IPSEC_CONFIG_PROTOCOL mIpSecConfigInstance = {
- EfiIpSecConfigSetData,
- EfiIpSecConfigGetData,
- EfiIpSecConfigGetNextSelector,
- EfiIpSecConfigRegisterNotify,
- EfiIpSecConfigUnregisterNotify
-};
-
-/**
- Get the all IPSec configuration variables and store those variables
- to the internal data structure.
-
- This founction is called by IpSecConfigInitialize() that is to intialize the
- IPsecConfiguration Protocol.
-
- @param[in] Private Point to IPSEC_PRIVATE_DATA.
-
- @retval EFI_OUT_OF_RESOURCES The required system resource could not be allocated.
- @retval EFI_SUCCESS Restore the IPsec Configuration successfully.
- @retval others Other errors is found during the variable getting.
-
-**/
-EFI_STATUS
-IpSecConfigRestore (
- IN IPSEC_PRIVATE_DATA *Private
- );
-
-/**
- Check if the specified EFI_IP_ADDRESS_INFO is in EFI_IP_ADDRESS_INFO list.
-
- @param[in] AddressInfo Pointer of IP_ADDRESS_INFO to be search in AddressInfo list.
- @param[in] AddressInfoList A list that contains IP_ADDRESS_INFOs.
- @param[in] AddressCount Point out how many IP_ADDRESS_INFO in the list.
-
- @retval TRUE The specified AddressInfo is in the AddressInfoList.
- @retval FALSE The specified AddressInfo is not in the AddressInfoList.
-
-**/
-BOOLEAN
-IsInAddressInfoList(
- IN EFI_IP_ADDRESS_INFO *AddressInfo,
- IN EFI_IP_ADDRESS_INFO *AddressInfoList,
- IN UINT32 AddressCount
- )
-{
- UINT8 Index;
- EFI_IP_ADDRESS ZeroAddress;
-
- ZeroMem(&ZeroAddress, sizeof (EFI_IP_ADDRESS));
-
- //
- // Zero Address means any address is matched.
- //
- if (AddressCount == 1) {
- if (CompareMem (
- &AddressInfoList[0].Address,
- &ZeroAddress,
- sizeof (EFI_IP_ADDRESS)
- ) == 0) {
- return TRUE;
- }
- }
- for (Index = 0; Index < AddressCount ; Index++) {
- if (CompareMem (
- AddressInfo,
- &AddressInfoList[Index].Address,
- sizeof (EFI_IP_ADDRESS)
- ) == 0 &&
- AddressInfo->PrefixLength == AddressInfoList[Index].PrefixLength
- ) {
- return TRUE;
- }
- }
- return FALSE;
-}
-
-/**
- Compare two SPD Selectors.
-
- Compare two SPD Selector by the fields of LocalAddressCount/RemoteAddressCount/
- NextLayerProtocol/LocalPort/LocalPortRange/RemotePort/RemotePortRange and the
- Local Addresses and remote Addresses.
-
- @param[in] Selector1 Pointer of first SPD Selector.
- @param[in] Selector2 Pointer of second SPD Selector.
-
- @retval TRUE This two Selector have the same value in above fields.
- @retval FALSE Not all above fields have the same value in these two Selectors.
-
-**/
-BOOLEAN
-CompareSpdSelector (
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector1,
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector2
- )
-{
- EFI_IPSEC_SPD_SELECTOR *SpdSel1;
- EFI_IPSEC_SPD_SELECTOR *SpdSel2;
- BOOLEAN IsMatch;
- UINTN Index;
-
- SpdSel1 = &Selector1->SpdSelector;
- SpdSel2 = &Selector2->SpdSelector;
- IsMatch = TRUE;
-
- //
- // Compare the LocalAddressCount/RemoteAddressCount/NextLayerProtocol/
- // LocalPort/LocalPortRange/RemotePort/RemotePortRange fields in the
- // two Spdselectors. Since the SPD supports two directions, it needs to
- // compare two directions.
- //
- if ((SpdSel1->LocalAddressCount != SpdSel2->LocalAddressCount &&
- SpdSel1->LocalAddressCount != SpdSel2->RemoteAddressCount) ||
- (SpdSel1->RemoteAddressCount != SpdSel2->RemoteAddressCount &&
- SpdSel1->RemoteAddressCount != SpdSel2->LocalAddressCount) ||
- SpdSel1->NextLayerProtocol != SpdSel2->NextLayerProtocol ||
- SpdSel1->LocalPort != SpdSel2->LocalPort ||
- SpdSel1->LocalPortRange != SpdSel2->LocalPortRange ||
- SpdSel1->RemotePort != SpdSel2->RemotePort ||
- SpdSel1->RemotePortRange != SpdSel2->RemotePortRange
- ) {
- IsMatch = FALSE;
- return IsMatch;
- }
-
- //
- // Compare the all LocalAddress and RemoteAddress fields in the two Spdselectors.
- // First, SpdSel1->LocalAddress to SpdSel2->LocalAddress && Compare
- // SpdSel1->RemoteAddress to SpdSel2->RemoteAddress. If all match, return
- // TRUE.
- //
- for (Index = 0; Index < SpdSel1->LocalAddressCount; Index++) {
- if (!IsInAddressInfoList (
- &SpdSel1->LocalAddress[Index],
- SpdSel2->LocalAddress,
- SpdSel2->LocalAddressCount
- )) {
- IsMatch = FALSE;
- break;
- }
- }
- if (IsMatch) {
- for (Index = 0; Index < SpdSel2->LocalAddressCount; Index++) {
- if (!IsInAddressInfoList (
- &SpdSel2->LocalAddress[Index],
- SpdSel1->LocalAddress,
- SpdSel1->LocalAddressCount
- )) {
- IsMatch = FALSE;
- break;
- }
- }
- }
- if (IsMatch) {
- for (Index = 0; Index < SpdSel1->RemoteAddressCount; Index++) {
- if (!IsInAddressInfoList (
- &SpdSel1->RemoteAddress[Index],
- SpdSel2->RemoteAddress,
- SpdSel2->RemoteAddressCount
- )) {
- IsMatch = FALSE;
- break;
- }
- }
- }
- if (IsMatch) {
- for (Index = 0; Index < SpdSel2->RemoteAddressCount; Index++) {
- if (!IsInAddressInfoList (
- &SpdSel2->RemoteAddress[Index],
- SpdSel1->RemoteAddress,
- SpdSel1->RemoteAddressCount
- )) {
- IsMatch = FALSE;
- break;
- }
- }
- }
- //
- // Finish the one direction compare. If it is matched, return; otherwise,
- // compare the other direction.
- //
- if (IsMatch) {
- return IsMatch;
- }
- //
- // Secondly, the SpdSel1->LocalAddress doesn't equal to SpdSel2->LocalAddress and
- // SpdSel1->RemoteAddress doesn't equal to SpdSel2->RemoteAddress. Try to compare
- // the RemoteAddress to LocalAddress.
- //
- IsMatch = TRUE;
- for (Index = 0; Index < SpdSel1->RemoteAddressCount; Index++) {
- if (!IsInAddressInfoList (
- &SpdSel1->RemoteAddress[Index],
- SpdSel2->LocalAddress,
- SpdSel2->LocalAddressCount
- )) {
- IsMatch = FALSE;
- break;
- }
- }
- if (IsMatch) {
- for (Index = 0; Index < SpdSel2->RemoteAddressCount; Index++) {
- if (!IsInAddressInfoList (
- &SpdSel2->RemoteAddress[Index],
- SpdSel1->LocalAddress,
- SpdSel1->LocalAddressCount
- )) {
- IsMatch = FALSE;
- break;
- }
- }
- }
- if (IsMatch) {
- for (Index = 0; Index < SpdSel1->LocalAddressCount; Index++) {
- if (!IsInAddressInfoList (
- &SpdSel1->LocalAddress[Index],
- SpdSel2->RemoteAddress,
- SpdSel2->RemoteAddressCount
- )) {
- IsMatch = FALSE;
- break;
- }
- }
- }
- if (IsMatch) {
- for (Index = 0; Index < SpdSel2->LocalAddressCount; Index++) {
- if (!IsInAddressInfoList (
- &SpdSel2->LocalAddress[Index],
- SpdSel1->RemoteAddress,
- SpdSel1->RemoteAddressCount
- )) {
- IsMatch = FALSE;
- break;
- }
- }
- }
- return IsMatch;
-}
-
-/**
- Find if the two SPD Selectors has subordinative.
-
- Compare two SPD Selector by the fields of LocalAddressCount/RemoteAddressCount/
- NextLayerProtocol/LocalPort/LocalPortRange/RemotePort/RemotePortRange and the
- Local Addresses and remote Addresses.
-
- @param[in] Selector1 Pointer of first SPD Selector.
- @param[in] Selector2 Pointer of second SPD Selector.
-
- @retval TRUE The first SPD Selector is subordinate Selector of second SPD Selector.
- @retval FALSE The first SPD Selector is not subordinate Selector of second
- SPD Selector.
-
-**/
-BOOLEAN
-IsSubSpdSelector (
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector1,
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector2
- )
-{
- EFI_IPSEC_SPD_SELECTOR *SpdSel1;
- EFI_IPSEC_SPD_SELECTOR *SpdSel2;
- BOOLEAN IsMatch;
- UINTN Index;
-
- SpdSel1 = &Selector1->SpdSelector;
- SpdSel2 = &Selector2->SpdSelector;
- IsMatch = TRUE;
-
- //
- // Compare the LocalAddressCount/RemoteAddressCount/NextLayerProtocol/
- // LocalPort/LocalPortRange/RemotePort/RemotePortRange fields in the
- // two Spdselectors. Since the SPD supports two directions, it needs to
- // compare two directions.
- //
- if (SpdSel1->LocalAddressCount > SpdSel2->LocalAddressCount ||
- SpdSel1->RemoteAddressCount > SpdSel2->RemoteAddressCount ||
- (SpdSel1->NextLayerProtocol != SpdSel2->NextLayerProtocol && SpdSel2->NextLayerProtocol != 0xffff) ||
- (SpdSel1->LocalPort > SpdSel2->LocalPort && SpdSel2->LocalPort != 0)||
- (SpdSel1->LocalPortRange > SpdSel2->LocalPortRange && SpdSel1->LocalPort != 0)||
- (SpdSel1->RemotePort > SpdSel2->RemotePort && SpdSel2->RemotePort != 0) ||
- (SpdSel1->RemotePortRange > SpdSel2->RemotePortRange && SpdSel2->RemotePort != 0)
- ) {
- IsMatch = FALSE;
- }
-
- //
- // Compare the all LocalAddress and RemoteAddress fields in the two Spdselectors.
- // First, SpdSel1->LocalAddress to SpdSel2->LocalAddress && Compare
- // SpdSel1->RemoteAddress to SpdSel2->RemoteAddress. If all match, return
- // TRUE.
- //
- if (IsMatch) {
- for (Index = 0; Index < SpdSel1->LocalAddressCount; Index++) {
- if (!IsInAddressInfoList (
- &SpdSel1->LocalAddress[Index],
- SpdSel2->LocalAddress,
- SpdSel2->LocalAddressCount
- )) {
- IsMatch = FALSE;
- break;
- }
- }
-
- if (IsMatch) {
- for (Index = 0; Index < SpdSel1->RemoteAddressCount; Index++) {
- if (!IsInAddressInfoList (
- &SpdSel1->RemoteAddress[Index],
- SpdSel2->RemoteAddress,
- SpdSel2->RemoteAddressCount
- )) {
- IsMatch = FALSE;
- break;
- }
- }
- }
- }
- if (IsMatch) {
- return IsMatch;
- }
-
- //
- //
- // The SPD selector in SPD entry is two way.
- //
- // Compare the LocalAddressCount/RemoteAddressCount/NextLayerProtocol/
- // LocalPort/LocalPortRange/RemotePort/RemotePortRange fields in the
- // two Spdselectors. Since the SPD supports two directions, it needs to
- // compare two directions.
- //
- IsMatch = TRUE;
- if (SpdSel1->LocalAddressCount > SpdSel2->RemoteAddressCount ||
- SpdSel1->RemoteAddressCount > SpdSel2->LocalAddressCount ||
- (SpdSel1->NextLayerProtocol != SpdSel2->NextLayerProtocol && SpdSel2->NextLayerProtocol != 0xffff) ||
- (SpdSel1->LocalPort > SpdSel2->RemotePort && SpdSel2->RemotePort != 0)||
- (SpdSel1->LocalPortRange > SpdSel2->RemotePortRange && SpdSel1->RemotePort != 0)||
- (SpdSel1->RemotePort > SpdSel2->LocalPort && SpdSel2->LocalPort != 0) ||
- (SpdSel1->RemotePortRange > SpdSel2->LocalPortRange && SpdSel2->LocalPort != 0)
- ) {
- IsMatch = FALSE;
- return IsMatch;
- }
-
- //
- // Compare the all LocalAddress and RemoteAddress fields in the two Spdselectors.
- // First, SpdSel1->LocalAddress to SpdSel2->RemoteAddress && Compare
- // SpdSel1->RemoteAddress to SpdSel2->LocalAddress. If all match, return
- // TRUE.
- //
- for (Index = 0; Index < SpdSel1->LocalAddressCount; Index++) {
- if (!IsInAddressInfoList (
- &SpdSel1->LocalAddress[Index],
- SpdSel2->RemoteAddress,
- SpdSel2->RemoteAddressCount
- )) {
- IsMatch = FALSE;
- break;
- }
- }
-
- if (IsMatch) {
- for (Index = 0; Index < SpdSel1->RemoteAddressCount; Index++) {
- if (!IsInAddressInfoList (
- &SpdSel1->RemoteAddress[Index],
- SpdSel2->LocalAddress,
- SpdSel2->LocalAddressCount
- )) {
- IsMatch = FALSE;
- break;
- }
- }
- }
- return IsMatch;
-
-}
-
-/**
- Compare two SA IDs.
-
- @param[in] Selector1 Pointer of first SA ID.
- @param[in] Selector2 Pointer of second SA ID.
-
- @retval TRUE This two Selectors have the same SA ID.
- @retval FALSE This two Selecotrs don't have the same SA ID.
-
-**/
-BOOLEAN
-CompareSaId (
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector1,
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector2
- )
-{
- EFI_IPSEC_SA_ID *SaId1;
- EFI_IPSEC_SA_ID *SaId2;
- BOOLEAN IsMatch;
-
- SaId1 = &Selector1->SaId;
- SaId2 = &Selector2->SaId;
- IsMatch = TRUE;
-
- if (CompareMem (SaId1, SaId2, sizeof (EFI_IPSEC_SA_ID)) != 0) {
- IsMatch = FALSE;
- }
-
- return IsMatch;
-}
-
-/**
- Compare two PAD IDs.
-
- @param[in] Selector1 Pointer of first PAD ID.
- @param[in] Selector2 Pointer of second PAD ID.
-
- @retval TRUE This two Selectors have the same PAD ID.
- @retval FALSE This two Selecotrs don't have the same PAD ID.
-
-**/
-BOOLEAN
-ComparePadId (
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector1,
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector2
- )
-{
- EFI_IPSEC_PAD_ID *PadId1;
- EFI_IPSEC_PAD_ID *PadId2;
- BOOLEAN IsMatch;
-
- PadId1 = &Selector1->PadId;
- PadId2 = &Selector2->PadId;
- IsMatch = TRUE;
-
- //
- // Compare the PeerIdValid fields in PadId.
- //
- if (PadId1->PeerIdValid != PadId2->PeerIdValid) {
- IsMatch = FALSE;
- }
- //
- // Compare the PeerId fields in PadId if PeerIdValid is true.
- //
- if (IsMatch &&
- PadId1->PeerIdValid &&
- AsciiStriCmp ((CONST CHAR8 *) PadId1->Id.PeerId, (CONST CHAR8 *) PadId2->Id.PeerId) != 0
- ) {
- IsMatch = FALSE;
- }
- //
- // Compare the IpAddress fields in PadId if PeerIdValid is false.
- //
- if (IsMatch &&
- !PadId1->PeerIdValid &&
- (PadId1->Id.IpAddress.PrefixLength != PadId2->Id.IpAddress.PrefixLength ||
- CompareMem (&PadId1->Id.IpAddress.Address, &PadId2->Id.IpAddress.Address, sizeof (EFI_IP_ADDRESS)) != 0)
- ) {
- IsMatch = FALSE;
- }
-
- return IsMatch;
-}
-
-/**
- Check if the SPD Selector is Zero by its LocalAddressCount and RemoteAddressCount
- fields.
-
- @param[in] Selector Pointer of the SPD Selector.
-
- @retval TRUE If the SPD Selector is Zero.
- @retval FALSE If the SPD Selector is not Zero.
-
-**/
-BOOLEAN
-IsZeroSpdSelector (
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector
- )
-{
- EFI_IPSEC_SPD_SELECTOR *SpdSel;
- BOOLEAN IsZero;
-
- SpdSel = &Selector->SpdSelector;
- IsZero = FALSE;
-
- if (SpdSel->LocalAddressCount == 0 && SpdSel->RemoteAddressCount == 0) {
- IsZero = TRUE;
- }
-
- return IsZero;
-}
-
-/**
- Check if the SA ID is Zero by its DestAddress.
-
- @param[in] Selector Pointer of the SA ID.
-
- @retval TRUE If the SA ID is Zero.
- @retval FALSE If the SA ID is not Zero.
-
-**/
-BOOLEAN
-IsZeroSaId (
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector
- )
-{
- BOOLEAN IsZero;
- EFI_IPSEC_CONFIG_SELECTOR ZeroSelector;
-
- IsZero = FALSE;
-
- ZeroMem (&ZeroSelector, sizeof (EFI_IPSEC_CONFIG_SELECTOR));
-
- if (CompareMem (&ZeroSelector, Selector, sizeof (EFI_IPSEC_CONFIG_SELECTOR)) == 0) {
- IsZero = TRUE;
- }
-
- return IsZero;
-}
-
-/**
- Check if the PAD ID is Zero.
-
- @param[in] Selector Pointer of the PAD ID.
-
- @retval TRUE If the PAD ID is Zero.
- @retval FALSE If the PAD ID is not Zero.
-
-**/
-BOOLEAN
-IsZeroPadId (
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector
- )
-{
- EFI_IPSEC_PAD_ID *PadId;
- EFI_IPSEC_PAD_ID ZeroId;
- BOOLEAN IsZero;
-
- PadId = &Selector->PadId;
- IsZero = FALSE;
-
- ZeroMem (&ZeroId, sizeof (EFI_IPSEC_PAD_ID));
-
- if (CompareMem (PadId, &ZeroId, sizeof (EFI_IPSEC_PAD_ID)) == 0) {
- IsZero = TRUE;
- }
-
- return IsZero;
-}
-
-/**
- Copy Source SPD Selector to the Destination SPD Selector.
-
- @param[in, out] DstSel Pointer of Destination SPD Selector.
- @param[in] SrcSel Pointer of Source SPD Selector.
- @param[in, out] Size The size of the Destination SPD Selector. If it
- not NULL and its value less than the size of
- Source SPD Selector, the value of Source SPD
- Selector's size will be passed to caller by this
- parameter.
-
- @retval EFI_INVALID_PARAMETER If the Destination or Source SPD Selector is NULL
- @retval EFI_BUFFER_TOO_SMALL If the input Size is less than size of the Source SPD Selector.
- @retval EFI_SUCCESS Copy Source SPD Selector to the Destination SPD
- Selector successfully.
-
-**/
-EFI_STATUS
-DuplicateSpdSelector (
- IN OUT EFI_IPSEC_CONFIG_SELECTOR *DstSel,
- IN EFI_IPSEC_CONFIG_SELECTOR *SrcSel,
- IN OUT UINTN *Size
- )
-{
- EFI_IPSEC_SPD_SELECTOR *Dst;
- EFI_IPSEC_SPD_SELECTOR *Src;
-
- Dst = &DstSel->SpdSelector;
- Src = &SrcSel->SpdSelector;
-
- if (Dst == NULL || Src == NULL) {
- return EFI_INVALID_PARAMETER;
- }
-
- if (Size != NULL && (*Size) < SIZE_OF_SPD_SELECTOR (Src)) {
- *Size = SIZE_OF_SPD_SELECTOR (Src);
- return EFI_BUFFER_TOO_SMALL;
- }
- //
- // Copy the base structure of SPD selector.
- //
- CopyMem (Dst, Src, sizeof (EFI_IPSEC_SPD_SELECTOR));
-
- //
- // Copy the local address array of SPD selector.
- //
- Dst->LocalAddress = (EFI_IP_ADDRESS_INFO *) (Dst + 1);
- CopyMem (
- Dst->LocalAddress,
- Src->LocalAddress,
- sizeof (EFI_IP_ADDRESS_INFO) * Dst->LocalAddressCount
- );
-
- //
- // Copy the remote address array of SPD selector.
- //
- Dst->RemoteAddress = Dst->LocalAddress + Dst->LocalAddressCount;
- CopyMem (
- Dst->RemoteAddress,
- Src->RemoteAddress,
- sizeof (EFI_IP_ADDRESS_INFO) * Dst->RemoteAddressCount
- );
-
- return EFI_SUCCESS;
-}
-
-/**
- Copy Source SA ID to the Destination SA ID.
-
- @param[in, out] DstSel Pointer of Destination SA ID.
- @param[in] SrcSel Pointer of Source SA ID.
- @param[in, out] Size The size of the Destination SA ID. If it
- not NULL and its value less than the size of
- Source SA ID, the value of Source SA ID's size
- will be passed to caller by this parameter.
-
- @retval EFI_INVALID_PARAMETER If the Destination or Source SA ID is NULL.
- @retval EFI_BUFFER_TOO_SMALL If the input Size less than size of source SA ID.
- @retval EFI_SUCCESS Copy Source SA ID to the Destination SA ID successfully.
-
-**/
-EFI_STATUS
-DuplicateSaId (
- IN OUT EFI_IPSEC_CONFIG_SELECTOR *DstSel,
- IN EFI_IPSEC_CONFIG_SELECTOR *SrcSel,
- IN OUT UINTN *Size
- )
-{
- EFI_IPSEC_SA_ID *Dst;
- EFI_IPSEC_SA_ID *Src;
-
- Dst = &DstSel->SaId;
- Src = &SrcSel->SaId;
-
- if (Dst == NULL || Src == NULL) {
- return EFI_INVALID_PARAMETER;
- }
-
- if (Size != NULL && *Size < sizeof (EFI_IPSEC_SA_ID)) {
- *Size = sizeof (EFI_IPSEC_SA_ID);
- return EFI_BUFFER_TOO_SMALL;
- }
-
- CopyMem (Dst, Src, sizeof (EFI_IPSEC_SA_ID));
-
- return EFI_SUCCESS;
-}
-
-/**
- Copy Source PAD ID to the Destination PAD ID.
-
- @param[in, out] DstSel Pointer of Destination PAD ID.
- @param[in] SrcSel Pointer of Source PAD ID.
- @param[in, out] Size The size of the Destination PAD ID. If it
- not NULL and its value less than the size of
- Source PAD ID, the value of Source PAD ID's size
- will be passed to caller by this parameter.
-
- @retval EFI_INVALID_PARAMETER If the Destination or Source PAD ID is NULL.
- @retval EFI_BUFFER_TOO_SMALL If the input Size less than size of source PAD ID .
- @retval EFI_SUCCESS Copy Source PAD ID to the Destination PAD ID successfully.
-
-**/
-EFI_STATUS
-DuplicatePadId (
- IN OUT EFI_IPSEC_CONFIG_SELECTOR *DstSel,
- IN EFI_IPSEC_CONFIG_SELECTOR *SrcSel,
- IN OUT UINTN *Size
- )
-{
- EFI_IPSEC_PAD_ID *Dst;
- EFI_IPSEC_PAD_ID *Src;
-
- Dst = &DstSel->PadId;
- Src = &SrcSel->PadId;
-
- if (Dst == NULL || Src == NULL) {
- return EFI_INVALID_PARAMETER;
- }
-
- if (Size != NULL && *Size < sizeof (EFI_IPSEC_PAD_ID)) {
- *Size = sizeof (EFI_IPSEC_PAD_ID);
- return EFI_BUFFER_TOO_SMALL;
- }
-
- CopyMem (Dst, Src, sizeof (EFI_IPSEC_PAD_ID));
-
- return EFI_SUCCESS;
-}
-
-/**
- Fix the value of some members of SPD Selector.
-
- This function is called by IpSecCopyPolicyEntry()which copy the Policy
- Entry into the Variable. Since some members in SPD Selector are pointers,
- a physical address to relative address convertion is required before copying
- this SPD entry into the variable.
-
- @param[in] Selector Pointer of SPD Selector.
- @param[in, out] Data Pointer of SPD Data.
-
-**/
-VOID
-FixSpdEntry (
- IN EFI_IPSEC_SPD_SELECTOR *Selector,
- IN OUT EFI_IPSEC_SPD_DATA *Data
- )
-{
- //
- // It assumes that all ref buffers in SPD selector and data are
- // stored in the continous memory and close to the base structure.
- //
- FIX_REF_BUF_ADDR (Selector->LocalAddress, Selector);
- FIX_REF_BUF_ADDR (Selector->RemoteAddress, Selector);
-
- if (Data->ProcessingPolicy != NULL) {
- if (Data->ProcessingPolicy->TunnelOption != NULL) {
- FIX_REF_BUF_ADDR (Data->ProcessingPolicy->TunnelOption, Data);
- }
-
- FIX_REF_BUF_ADDR (Data->ProcessingPolicy, Data);
- }
-
-}
-
-/**
- Fix the value of some members of SA ID.
-
- This function is called by IpSecCopyPolicyEntry()which copy the Policy
- Entry into the Variable. Since some members in SA ID are pointers,
- a physical address to relative address conversion is required before copying
- this SAD into the variable.
-
- @param[in] SaId Pointer of SA ID
- @param[in, out] Data Pointer of SA Data.
-
-**/
-VOID
-FixSadEntry (
- IN EFI_IPSEC_SA_ID *SaId,
- IN OUT EFI_IPSEC_SA_DATA2 *Data
- )
-{
- //
- // It assumes that all ref buffers in SAD selector and data are
- // stored in the continous memory and close to the base structure.
- //
- if (Data->AlgoInfo.EspAlgoInfo.AuthKey != NULL) {
- FIX_REF_BUF_ADDR (Data->AlgoInfo.EspAlgoInfo.AuthKey, Data);
- }
-
- if (SaId->Proto == EfiIPsecESP && Data->AlgoInfo.EspAlgoInfo.EncKey != NULL) {
- FIX_REF_BUF_ADDR (Data->AlgoInfo.EspAlgoInfo.EncKey, Data);
- }
-
- if (Data->SpdSelector != NULL) {
- if (Data->SpdSelector->LocalAddress != NULL) {
- FIX_REF_BUF_ADDR (Data->SpdSelector->LocalAddress, Data);
- }
-
- FIX_REF_BUF_ADDR (Data->SpdSelector->RemoteAddress, Data);
- FIX_REF_BUF_ADDR (Data->SpdSelector, Data);
- }
-
-}
-
-/**
- Fix the value of some members of PAD ID.
-
- This function is called by IpSecCopyPolicyEntry()which copy the Policy
- Entry into the Variable. Since some members in PAD ID are pointers,
- a physical address to relative address conversion is required before copying
- this PAD into the variable.
-
- @param[in] PadId Pointer of PAD ID.
- @param[in, out] Data Pointer of PAD Data.
-
-**/
-VOID
-FixPadEntry (
- IN EFI_IPSEC_PAD_ID *PadId,
- IN OUT EFI_IPSEC_PAD_DATA *Data
- )
-{
- //
- // It assumes that all ref buffers in pad selector and data are
- // stored in the continous memory and close to the base structure.
- //
- if (Data->AuthData != NULL) {
- FIX_REF_BUF_ADDR (Data->AuthData, Data);
- }
-
- if (Data->RevocationData != NULL) {
- FIX_REF_BUF_ADDR (Data->RevocationData, Data);
- }
-
-}
-
-/**
- Recover the value of some members of SPD Selector.
-
- This function is corresponding to FixSpdEntry(). It recovers the value of members
- of SPD Selector that are fixed by FixSpdEntry().
-
- @param[in, out] Selector Pointer of SPD Selector.
- @param[in, out] Data Pointer of SPD Data.
-
-**/
-VOID
-UnfixSpdEntry (
- IN OUT EFI_IPSEC_SPD_SELECTOR *Selector,
- IN OUT EFI_IPSEC_SPD_DATA *Data
- )
-{
- //
- // It assumes that all ref buffers in SPD selector and data are
- // stored in the continous memory and close to the base structure.
- //
- UNFIX_REF_BUF_ADDR (Selector->LocalAddress, Selector);
- UNFIX_REF_BUF_ADDR (Selector->RemoteAddress, Selector);
-
- if (Data->ProcessingPolicy != NULL) {
- UNFIX_REF_BUF_ADDR (Data->ProcessingPolicy, Data);
- if (Data->ProcessingPolicy->TunnelOption != NULL) {
- UNFIX_REF_BUF_ADDR (Data->ProcessingPolicy->TunnelOption, Data);
- }
- }
-
-}
-
-/**
- Recover the value of some members of SA ID.
-
- This function is corresponding to FixSadEntry(). It recovers the value of members
- of SAD ID that are fixed by FixSadEntry().
-
- @param[in, out] SaId Pointer of SAD ID.
- @param[in, out] Data Pointer of SAD Data.
-
-**/
-VOID
-UnfixSadEntry (
- IN OUT EFI_IPSEC_SA_ID *SaId,
- IN OUT EFI_IPSEC_SA_DATA2 *Data
- )
-{
- //
- // It assumes that all ref buffers in SAD selector and data are
- // stored in the continous memory and close to the base structure.
- //
- if (Data->AlgoInfo.EspAlgoInfo.AuthKey != NULL) {
- UNFIX_REF_BUF_ADDR (Data->AlgoInfo.EspAlgoInfo.AuthKey, Data);
- }
-
- if (SaId->Proto == EfiIPsecESP && Data->AlgoInfo.EspAlgoInfo.EncKey != NULL) {
- UNFIX_REF_BUF_ADDR (Data->AlgoInfo.EspAlgoInfo.EncKey, Data);
- }
-
- if (Data->SpdSelector != NULL) {
- UNFIX_REF_BUF_ADDR (Data->SpdSelector, Data);
- if (Data->SpdSelector->LocalAddress != NULL) {
- UNFIX_REF_BUF_ADDR (Data->SpdSelector->LocalAddress, Data);
- }
-
- UNFIX_REF_BUF_ADDR (Data->SpdSelector->RemoteAddress, Data);
- }
-
-}
-
-/**
- Recover the value of some members of PAD ID.
-
- This function is corresponding to FixPadEntry(). It recovers the value of members
- of PAD ID that are fixed by FixPadEntry().
-
- @param[in] PadId Pointer of PAD ID.
- @param[in, out] Data Pointer of PAD Data.
-
-**/
-VOID
-UnfixPadEntry (
- IN EFI_IPSEC_PAD_ID *PadId,
- IN OUT EFI_IPSEC_PAD_DATA *Data
- )
-{
- //
- // It assumes that all ref buffers in pad selector and data are
- // stored in the continous memory and close to the base structure.
- //
- if (Data->AuthData != NULL) {
- UNFIX_REF_BUF_ADDR (Data->AuthData, Data);
- }
-
- if (Data->RevocationData != NULL) {
- UNFIX_REF_BUF_ADDR (Data->RevocationData, Data);
- }
-
-}
-
-/**
- Set the security policy information for the EFI IPsec driver.
-
- The IPsec configuration data has a unique selector/identifier separately to
- identify a data entry.
-
- @param[in] Selector Pointer to an entry selector on operated
- configuration data specified by DataType.
- A NULL Selector causes the entire specified-type
- configuration information to be flushed.
- @param[in] Data The data buffer to be set. The structure
- of the data buffer should be EFI_IPSEC_SPD_DATA.
- @param[in] Context Pointer to one entry selector that describes
- the expected position the new data entry will
- be added. If Context is NULL, the new entry will
- be appended the end of database.
-
- @retval EFI_INVALID_PARAMETER One or more of the following are TRUE:
- - Selector is not NULL and its LocalAddress
- is NULL or its RemoteAddress is NULL.
- - Data is not NULL and its Action is Protected
- and its plolicy is NULL.
- - Data is not NULL, its Action is not protected,
- and its policy is not NULL.
- - The Action of Data is Protected, its policy
- mode is Tunnel, and its tunnel option is NULL.
- - The Action of Data is protected and its policy
- mode is not Tunnel and it tunnel option is not NULL.
- - SadEntry requied to be set into new SpdEntry's Sas has
- been found but it is invalid.
- @retval EFI_OUT_OF_RESOURCED The required system resource could not be allocated.
- @retval EFI_SUCCESS The specified configuration data was obtained successfully.
-
-**/
-EFI_STATUS
-SetSpdEntry (
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector,
- IN VOID *Data,
- IN VOID *Context OPTIONAL
- )
-{
- EFI_IPSEC_SPD_SELECTOR *SpdSel;
- EFI_IPSEC_SPD_DATA *SpdData;
- EFI_IPSEC_SPD_SELECTOR *InsertBefore;
- LIST_ENTRY *SpdList;
- LIST_ENTRY *SadList;
- LIST_ENTRY *SpdSas;
- LIST_ENTRY *EntryInsertBefore;
- LIST_ENTRY *Entry;
- LIST_ENTRY *Entry2;
- LIST_ENTRY *NextEntry;
- LIST_ENTRY *NextEntry2;
- IPSEC_SPD_ENTRY *SpdEntry;
- IPSEC_SAD_ENTRY *SadEntry;
- UINTN SpdEntrySize;
- UINTN Index;
-
- SpdSel = (Selector == NULL) ? NULL : &Selector->SpdSelector;
- SpdData = (Data == NULL) ? NULL : (EFI_IPSEC_SPD_DATA *) Data;
- InsertBefore = (Context == NULL) ? NULL : &((EFI_IPSEC_CONFIG_SELECTOR *) Context)->SpdSelector;
- SpdList = &mConfigData[IPsecConfigDataTypeSpd];
-
- if (SpdSel != NULL) {
- if (SpdSel->LocalAddress == NULL || SpdSel->RemoteAddress == NULL) {
- return EFI_INVALID_PARAMETER;
- }
- }
-
- if (SpdData != NULL) {
- if ((SpdData->Action == EfiIPsecActionProtect && SpdData->ProcessingPolicy == NULL) ||
- (SpdData->Action != EfiIPsecActionProtect && SpdData->ProcessingPolicy != NULL)
- ) {
- return EFI_INVALID_PARAMETER;
- }
-
- if (SpdData->Action == EfiIPsecActionProtect) {
- if ((SpdData->ProcessingPolicy->Mode == EfiIPsecTunnel && SpdData->ProcessingPolicy->TunnelOption == NULL) ||
- (SpdData->ProcessingPolicy->Mode != EfiIPsecTunnel && SpdData->ProcessingPolicy->TunnelOption != NULL)
- ) {
- return EFI_INVALID_PARAMETER;
- }
- }
- }
- //
- // The default behavior is to insert the node ahead of the header.
- //
- EntryInsertBefore = SpdList;
-
- //
- // Remove the existed SPD entry.
- //
- NET_LIST_FOR_EACH_SAFE (Entry, NextEntry, SpdList) {
-
- SpdEntry = IPSEC_SPD_ENTRY_FROM_LIST (Entry);
-
- if (SpdSel == NULL ||
- CompareSpdSelector ((EFI_IPSEC_CONFIG_SELECTOR *) SpdEntry->Selector, (EFI_IPSEC_CONFIG_SELECTOR *) SpdSel)
- ) {
- //
- // Record the existed entry position to keep the original order.
- //
- EntryInsertBefore = SpdEntry->List.ForwardLink;
- RemoveEntryList (&SpdEntry->List);
-
- //
- // Update the reverse ref of SAD entry in the SPD.sas list.
- //
- SpdSas = &SpdEntry->Data->Sas;
-
- //
- // Remove the related SAs from Sas(SadEntry->BySpd). If the SA entry is established by
- // IKE, remove from mConfigData list(SadEntry->List) and then free it directly since its
- // SpdEntry will be freed later.
- //
- NET_LIST_FOR_EACH_SAFE (Entry2, NextEntry2, SpdSas) {
- SadEntry = IPSEC_SAD_ENTRY_FROM_SPD (Entry2);
-
- if (SadEntry->Data->SpdEntry != NULL) {
- RemoveEntryList (&SadEntry->BySpd);
- SadEntry->Data->SpdEntry = NULL;
- }
-
- if (!(SadEntry->Data->ManualSet)) {
- RemoveEntryList (&SadEntry->List);
- FreePool (SadEntry);
- }
- }
-
- //
- // Free the existed SPD entry
- //
- FreePool (SpdEntry);
- }
- }
- //
- // Return success here if only want to remove the SPD entry.
- //
- if (SpdData == NULL || SpdSel == NULL) {
- return EFI_SUCCESS;
- }
- //
- // Search the appointed entry position if InsertBefore is not NULL.
- //
- if (InsertBefore != NULL) {
-
- NET_LIST_FOR_EACH (Entry, SpdList) {
- SpdEntry = IPSEC_SPD_ENTRY_FROM_LIST (Entry);
-
- if (CompareSpdSelector (
- (EFI_IPSEC_CONFIG_SELECTOR *) SpdEntry->Selector,
- (EFI_IPSEC_CONFIG_SELECTOR *) InsertBefore
- )) {
- EntryInsertBefore = Entry;
- break;
- }
- }
- }
-
- //
- // Do Padding for the different Arch.
- //
- SpdEntrySize = ALIGN_VARIABLE (sizeof (IPSEC_SPD_ENTRY));
- SpdEntrySize = ALIGN_VARIABLE (SpdEntrySize + SIZE_OF_SPD_SELECTOR (SpdSel));
- SpdEntrySize += IpSecGetSizeOfEfiSpdData (SpdData);
-
- SpdEntry = AllocateZeroPool (SpdEntrySize);
-
- if (SpdEntry == NULL) {
- return EFI_OUT_OF_RESOURCES;
- }
- //
- // Fix the address of Selector and Data buffer and copy them, which is
- // continous memory and close to the base structure of SPD entry.
- //
- SpdEntry->Selector = (EFI_IPSEC_SPD_SELECTOR *) ALIGN_POINTER ((SpdEntry + 1), sizeof (UINTN));
- SpdEntry->Data = (IPSEC_SPD_DATA *) ALIGN_POINTER (
- ((UINT8 *) SpdEntry->Selector + SIZE_OF_SPD_SELECTOR (SpdSel)),
- sizeof (UINTN)
- );
-
- DuplicateSpdSelector (
- (EFI_IPSEC_CONFIG_SELECTOR *) SpdEntry->Selector,
- (EFI_IPSEC_CONFIG_SELECTOR *) SpdSel,
- NULL
- );
-
- CopyMem (
- SpdEntry->Data->Name,
- SpdData->Name,
- sizeof (SpdData->Name)
- );
- SpdEntry->Data->PackageFlag = SpdData->PackageFlag;
- SpdEntry->Data->TrafficDirection = SpdData->TrafficDirection;
- SpdEntry->Data->Action = SpdData->Action;
-
- //
- // Fix the address of ProcessingPolicy and copy it if need, which is continous
- // memory and close to the base structure of SAD data.
- //
- if (SpdData->Action != EfiIPsecActionProtect) {
- SpdEntry->Data->ProcessingPolicy = NULL;
- } else {
- SpdEntry->Data->ProcessingPolicy = (EFI_IPSEC_PROCESS_POLICY *) ALIGN_POINTER (
- SpdEntry->Data + 1,
- sizeof (UINTN)
- );
- IpSecDuplicateProcessPolicy (SpdEntry->Data->ProcessingPolicy, SpdData->ProcessingPolicy);
- }
- //
- // Update the sas list of the new SPD entry.
- //
- InitializeListHead (&SpdEntry->Data->Sas);
-
- SadList = &mConfigData[IPsecConfigDataTypeSad];
-
- NET_LIST_FOR_EACH (Entry, SadList) {
- SadEntry = IPSEC_SAD_ENTRY_FROM_LIST (Entry);
-
- for (Index = 0; Index < SpdData->SaIdCount; Index++) {
- if (CompareSaId (
- (EFI_IPSEC_CONFIG_SELECTOR *) &SpdData->SaId[Index],
- (EFI_IPSEC_CONFIG_SELECTOR *) SadEntry->Id
- )) {
- //
- // Check whether the found SadEntry is vaild.
- //
- if (IsSubSpdSelector (
- (EFI_IPSEC_CONFIG_SELECTOR *) SadEntry->Data->SpdSelector,
- (EFI_IPSEC_CONFIG_SELECTOR *) SpdEntry->Selector
- )) {
- if (SadEntry->Data->SpdEntry != NULL) {
- RemoveEntryList (&SadEntry->BySpd);
- }
- InsertTailList (&SpdEntry->Data->Sas, &SadEntry->BySpd);
- SadEntry->Data->SpdEntry = SpdEntry;
- } else {
- return EFI_INVALID_PARAMETER;
- }
- }
- }
- }
-
- //
- // Insert the new SPD entry.
- //
- InsertTailList (EntryInsertBefore, &SpdEntry->List);
-
- return EFI_SUCCESS;
-}
-
-/**
- Set the security association information for the EFI IPsec driver.
-
- The IPsec configuration data has a unique selector/identifier separately to
- identify a data entry.
-
- @param[in] Selector Pointer to an entry selector on operated
- configuration data specified by DataType.
- A NULL Selector causes the entire specified-type
- configuration information to be flushed.
- @param[in] Data The data buffer to be set. The structure
- of the data buffer should be EFI_IPSEC_SA_DATA.
- @param[in] Context Pointer to one entry selector which describes
- the expected position the new data entry will
- be added. If Context is NULL,the new entry will
- be appended the end of database.
-
- @retval EFI_OUT_OF_RESOURCED The required system resource could not be allocated.
- @retval EFI_SUCCESS The specified configuration data was obtained successfully.
-
-**/
-EFI_STATUS
-SetSadEntry (
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector,
- IN VOID *Data,
- IN VOID *Context OPTIONAL
- )
-{
- IPSEC_SAD_ENTRY *SadEntry;
- IPSEC_SPD_ENTRY *SpdEntry;
- LIST_ENTRY *Entry;
- LIST_ENTRY *NextEntry;
- LIST_ENTRY *SadList;
- LIST_ENTRY *SpdList;
- EFI_IPSEC_SA_ID *SaId;
- EFI_IPSEC_SA_DATA2 *SaData;
- EFI_IPSEC_SA_ID *InsertBefore;
- LIST_ENTRY *EntryInsertBefore;
- UINTN SadEntrySize;
-
- SaId = (Selector == NULL) ? NULL : &Selector->SaId;
- SaData = (Data == NULL) ? NULL : (EFI_IPSEC_SA_DATA2 *) Data;
- InsertBefore = (Context == NULL) ? NULL : &((EFI_IPSEC_CONFIG_SELECTOR *) Context)->SaId;
- SadList = &mConfigData[IPsecConfigDataTypeSad];
-
- //
- // The default behavior is to insert the node ahead of the header.
- //
- EntryInsertBefore = SadList;
-
- //
- // Remove the existed SAD entry.
- //
- NET_LIST_FOR_EACH_SAFE (Entry, NextEntry, SadList) {
-
- SadEntry = IPSEC_SAD_ENTRY_FROM_LIST (Entry);
-
- if (SaId == NULL ||
- CompareSaId (
- (EFI_IPSEC_CONFIG_SELECTOR *) SadEntry->Id,
- (EFI_IPSEC_CONFIG_SELECTOR *) SaId
- )) {
- //
- // Record the existed entry position to keep the original order.
- //
- EntryInsertBefore = SadEntry->List.ForwardLink;
-
- //
- // Update the related SAD.byspd field.
- //
- if (SadEntry->Data->SpdEntry != NULL) {
- RemoveEntryList (&SadEntry->BySpd);
- }
-
- RemoveEntryList (&SadEntry->List);
- FreePool (SadEntry);
- }
- }
- //
- // Return success here if only want to remove the SAD entry
- //
- if (SaData == NULL || SaId == NULL) {
- return EFI_SUCCESS;
- }
- //
- // Search the appointed entry position if InsertBefore is not NULL.
- //
- if (InsertBefore != NULL) {
-
- NET_LIST_FOR_EACH (Entry, SadList) {
- SadEntry = IPSEC_SAD_ENTRY_FROM_LIST (Entry);
-
- if (CompareSaId (
- (EFI_IPSEC_CONFIG_SELECTOR *) SadEntry->Id,
- (EFI_IPSEC_CONFIG_SELECTOR *) InsertBefore
- )) {
- EntryInsertBefore = Entry;
- break;
- }
- }
- }
-
- //
- // Do Padding for different Arch.
- //
- SadEntrySize = ALIGN_VARIABLE (sizeof (IPSEC_SAD_ENTRY));
- SadEntrySize = ALIGN_VARIABLE (SadEntrySize + sizeof (EFI_IPSEC_SA_ID));
- SadEntrySize = ALIGN_VARIABLE (SadEntrySize + sizeof (IPSEC_SAD_DATA));
-
- if (SaId->Proto == EfiIPsecAH) {
- SadEntrySize += SaData->AlgoInfo.AhAlgoInfo.AuthKeyLength;
- } else {
- SadEntrySize = ALIGN_VARIABLE (SadEntrySize + SaData->AlgoInfo.EspAlgoInfo.AuthKeyLength);
- SadEntrySize += ALIGN_VARIABLE (SaData->AlgoInfo.EspAlgoInfo.EncKeyLength);
- }
-
- if (SaData->SpdSelector != NULL) {
- SadEntrySize += SadEntrySize + SIZE_OF_SPD_SELECTOR (SaData->SpdSelector);
- }
- SadEntry = AllocateZeroPool (SadEntrySize);
-
- if (SadEntry == NULL) {
- return EFI_OUT_OF_RESOURCES;
- }
- //
- // Fix the address of Id and Data buffer and copy them, which is
- // continous memory and close to the base structure of SAD entry.
- //
- SadEntry->Id = (EFI_IPSEC_SA_ID *) ALIGN_POINTER ((SadEntry + 1), sizeof (UINTN));
- SadEntry->Data = (IPSEC_SAD_DATA *) ALIGN_POINTER ((SadEntry->Id + 1), sizeof (UINTN));
-
- CopyMem (SadEntry->Id, SaId, sizeof (EFI_IPSEC_SA_ID));
-
- SadEntry->Data->Mode = SaData->Mode;
- SadEntry->Data->SequenceNumber = SaData->SNCount;
- SadEntry->Data->AntiReplayWindowSize = SaData->AntiReplayWindows;
-
- ZeroMem (
- &SadEntry->Data->AntiReplayBitmap,
- sizeof (SadEntry->Data->AntiReplayBitmap)
- );
-
- ZeroMem (
- &SadEntry->Data->AlgoInfo,
- sizeof (EFI_IPSEC_ALGO_INFO)
- );
-
- SadEntry->Data->AlgoInfo.EspAlgoInfo.AuthAlgoId = SaData->AlgoInfo.EspAlgoInfo.AuthAlgoId;
- SadEntry->Data->AlgoInfo.EspAlgoInfo.AuthKeyLength = SaData->AlgoInfo.EspAlgoInfo.AuthKeyLength;
-
- if (SadEntry->Data->AlgoInfo.EspAlgoInfo.AuthKeyLength != 0) {
- SadEntry->Data->AlgoInfo.EspAlgoInfo.AuthKey = (VOID *) ALIGN_POINTER ((SadEntry->Data + 1), sizeof (UINTN));
- CopyMem (
- SadEntry->Data->AlgoInfo.EspAlgoInfo.AuthKey,
- SaData->AlgoInfo.EspAlgoInfo.AuthKey,
- SadEntry->Data->AlgoInfo.EspAlgoInfo.AuthKeyLength
- );
- }
-
- if (SaId->Proto == EfiIPsecESP) {
- SadEntry->Data->AlgoInfo.EspAlgoInfo.EncAlgoId = SaData->AlgoInfo.EspAlgoInfo.EncAlgoId;
- SadEntry->Data->AlgoInfo.EspAlgoInfo.EncKeyLength = SaData->AlgoInfo.EspAlgoInfo.EncKeyLength;
-
- if (SadEntry->Data->AlgoInfo.EspAlgoInfo.EncKeyLength != 0) {
- SadEntry->Data->AlgoInfo.EspAlgoInfo.EncKey = (VOID *) ALIGN_POINTER (
- ((UINT8 *) (SadEntry->Data + 1) +
- SadEntry->Data->AlgoInfo.EspAlgoInfo.AuthKeyLength),
- sizeof (UINTN)
- );
- CopyMem (
- SadEntry->Data->AlgoInfo.EspAlgoInfo.EncKey,
- SaData->AlgoInfo.EspAlgoInfo.EncKey,
- SadEntry->Data->AlgoInfo.EspAlgoInfo.EncKeyLength
- );
- }
- }
-
- CopyMem (
- &SadEntry->Data->SaLifetime,
- &SaData->SaLifetime,
- sizeof (EFI_IPSEC_SA_LIFETIME)
- );
-
- SadEntry->Data->PathMTU = SaData->PathMTU;
- SadEntry->Data->SpdSelector = NULL;
- SadEntry->Data->ESNEnabled = FALSE;
- SadEntry->Data->ManualSet = SaData->ManualSet;
-
- //
- // Copy Tunnel Source/Destination Address
- //
- if (SaData->Mode == EfiIPsecTunnel) {
- CopyMem (
- &SadEntry->Data->TunnelDestAddress,
- &SaData->TunnelDestinationAddress,
- sizeof (EFI_IP_ADDRESS)
- );
- CopyMem (
- &SadEntry->Data->TunnelSourceAddress,
- &SaData->TunnelSourceAddress,
- sizeof (EFI_IP_ADDRESS)
- );
- }
- //
- // Update the spd.sas list of the spd entry specified by SAD selector
- //
- SpdList = &mConfigData[IPsecConfigDataTypeSpd];
-
- for (Entry = SpdList->ForwardLink; Entry != SpdList && SaData->SpdSelector != NULL; Entry = Entry->ForwardLink) {
-
- SpdEntry = IPSEC_SPD_ENTRY_FROM_LIST (Entry);
- if (IsSubSpdSelector (
- (EFI_IPSEC_CONFIG_SELECTOR *) SaData->SpdSelector,
- (EFI_IPSEC_CONFIG_SELECTOR *) SpdEntry->Selector
- ) && SpdEntry->Data->Action == EfiIPsecActionProtect) {
- SadEntry->Data->SpdEntry = SpdEntry;
- SadEntry->Data->SpdSelector = (EFI_IPSEC_SPD_SELECTOR *)((UINT8 *)SadEntry +
- SadEntrySize -
- SIZE_OF_SPD_SELECTOR (SaData->SpdSelector)
- );
- DuplicateSpdSelector (
- (EFI_IPSEC_CONFIG_SELECTOR *) SadEntry->Data->SpdSelector,
- (EFI_IPSEC_CONFIG_SELECTOR *) SaData->SpdSelector,
- NULL
- );
- InsertTailList (&SpdEntry->Data->Sas, &SadEntry->BySpd);
- }
- }
- //
- // Insert the new SAD entry.
- //
- InsertTailList (EntryInsertBefore, &SadEntry->List);
-
- return EFI_SUCCESS;
-}
-
-/**
- Set the peer authorization configuration information for the EFI IPsec driver.
-
- The IPsec configuration data has a unique selector/identifier separately to
- identify a data entry.
-
- @param[in] Selector Pointer to an entry selector on operated
- configuration data specified by DataType.
- A NULL Selector causes the entire specified-type
- configuration information to be flushed.
- @param[in] Data The data buffer to be set. The structure
- of the data buffer should be EFI_IPSEC_PAD_DATA.
- @param[in] Context Pointer to one entry selector that describes
- the expected position the new data entry will
- be added. If Context is NULL, the new entry will
- be appended the end of database.
-
- @retval EFI_OUT_OF_RESOURCES The required system resources could not be allocated.
- @retval EFI_SUCCESS The specified configuration data was obtained successfully.
-
-**/
-EFI_STATUS
-SetPadEntry (
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector,
- IN VOID *Data,
- IN VOID *Context OPTIONAL
- )
-{
- IPSEC_PAD_ENTRY *PadEntry;
- EFI_IPSEC_PAD_ID *PadId;
- EFI_IPSEC_PAD_DATA *PadData;
- LIST_ENTRY *PadList;
- LIST_ENTRY *Entry;
- LIST_ENTRY *NextEntry;
- EFI_IPSEC_PAD_ID *InsertBefore;
- LIST_ENTRY *EntryInsertBefore;
- UINTN PadEntrySize;
-
- PadId = (Selector == NULL) ? NULL : &Selector->PadId;
- PadData = (Data == NULL) ? NULL : (EFI_IPSEC_PAD_DATA *) Data;
- InsertBefore = (Context == NULL) ? NULL : &((EFI_IPSEC_CONFIG_SELECTOR *) Context)->PadId;
- PadList = &mConfigData[IPsecConfigDataTypePad];
-
- //
- // The default behavior is to insert the node ahead of the header.
- //
- EntryInsertBefore = PadList;
-
- //
- // Remove the existed pad entry.
- //
- NET_LIST_FOR_EACH_SAFE (Entry, NextEntry, PadList) {
-
- PadEntry = IPSEC_PAD_ENTRY_FROM_LIST (Entry);
-
- if (PadId == NULL ||
- ComparePadId ((EFI_IPSEC_CONFIG_SELECTOR *) PadEntry->Id, (EFI_IPSEC_CONFIG_SELECTOR *) PadId)
- ) {
- //
- // Record the existed entry position to keep the original order.
- //
- EntryInsertBefore = PadEntry->List.ForwardLink;
- RemoveEntryList (&PadEntry->List);
-
- FreePool (PadEntry);
- }
- }
- //
- // Return success here if only want to remove the pad entry
- //
- if (PadData == NULL || PadId == NULL) {
- return EFI_SUCCESS;
- }
- //
- // Search the appointed entry position if InsertBefore is not NULL.
- //
- if (InsertBefore != NULL) {
-
- NET_LIST_FOR_EACH (Entry, PadList) {
- PadEntry = IPSEC_PAD_ENTRY_FROM_LIST (Entry);
-
- if (ComparePadId (
- (EFI_IPSEC_CONFIG_SELECTOR *) PadEntry->Id,
- (EFI_IPSEC_CONFIG_SELECTOR *) InsertBefore
- )) {
- EntryInsertBefore = Entry;
- break;
- }
- }
- }
-
- //
- // Do PADDING for different arch.
- //
- PadEntrySize = ALIGN_VARIABLE (sizeof (IPSEC_PAD_ENTRY));
- PadEntrySize = ALIGN_VARIABLE (PadEntrySize + sizeof (EFI_IPSEC_PAD_ID));
- PadEntrySize = ALIGN_VARIABLE (PadEntrySize + sizeof (EFI_IPSEC_PAD_DATA));
- PadEntrySize = ALIGN_VARIABLE (PadEntrySize + (PadData->AuthData != NULL ? PadData->AuthDataSize : 0));
- PadEntrySize += PadData->RevocationData != NULL ? PadData->RevocationDataSize : 0;
-
- PadEntry = AllocateZeroPool (PadEntrySize);
-
- if (PadEntry == NULL) {
- return EFI_OUT_OF_RESOURCES;
- }
- //
- // Fix the address of Id and Data buffer and copy them, which is
- // continous memory and close to the base structure of pad entry.
- //
- PadEntry->Id = (EFI_IPSEC_PAD_ID *) ALIGN_POINTER ((PadEntry + 1), sizeof (UINTN));
- PadEntry->Data = (EFI_IPSEC_PAD_DATA *) ALIGN_POINTER ((PadEntry->Id + 1), sizeof (UINTN));
-
- CopyMem (PadEntry->Id, PadId, sizeof (EFI_IPSEC_PAD_ID));
-
- PadEntry->Data->AuthProtocol = PadData->AuthProtocol;
- PadEntry->Data->AuthMethod = PadData->AuthMethod;
- PadEntry->Data->IkeIdFlag = PadData->IkeIdFlag;
-
- if (PadData->AuthData != NULL) {
- PadEntry->Data->AuthDataSize = PadData->AuthDataSize;
- PadEntry->Data->AuthData = (VOID *) ALIGN_POINTER (PadEntry->Data + 1, sizeof (UINTN));
- CopyMem (
- PadEntry->Data->AuthData,
- PadData->AuthData,
- PadData->AuthDataSize
- );
- } else {
- PadEntry->Data->AuthDataSize = 0;
- PadEntry->Data->AuthData = NULL;
- }
-
- if (PadData->RevocationData != NULL) {
- PadEntry->Data->RevocationDataSize = PadData->RevocationDataSize;
- PadEntry->Data->RevocationData = (VOID *) ALIGN_POINTER (
- ((UINT8 *) (PadEntry->Data + 1) + PadData->AuthDataSize),
- sizeof (UINTN)
- );
- CopyMem (
- PadEntry->Data->RevocationData,
- PadData->RevocationData,
- PadData->RevocationDataSize
- );
- } else {
- PadEntry->Data->RevocationDataSize = 0;
- PadEntry->Data->RevocationData = NULL;
- }
- //
- // Insert the new pad entry.
- //
- InsertTailList (EntryInsertBefore, &PadEntry->List);
-
- return EFI_SUCCESS;
-}
-
-/**
- This function lookup the data entry from IPsec SPD. Return the configuration
- value of the specified SPD Entry.
-
- @param[in] Selector Pointer to an entry selector which is an identifier
- of the SPD entry.
- @param[in, out] DataSize On output the size of data returned in Data.
- @param[out] Data The buffer to return the contents of the IPsec
- configuration data. The type of the data buffer
- is associated with the DataType.
-
- @retval EFI_SUCCESS The specified configuration data was obtained successfully.
- @retval EFI_INVALID_PARAMETER Data is NULL and *DataSize is not zero.
- @retval EFI_NOT_FOUND The configuration data specified by Selector is not found.
- @retval EFI_BUFFER_TOO_SMALL The DataSize is too small for the result. DataSize has been
- updated with the size needed to complete the request.
-
-**/
-EFI_STATUS
-GetSpdEntry (
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector,
- IN OUT UINTN *DataSize,
- OUT VOID *Data
- )
-{
- IPSEC_SPD_ENTRY *SpdEntry;
- IPSEC_SAD_ENTRY *SadEntry;
- EFI_IPSEC_SPD_SELECTOR *SpdSel;
- EFI_IPSEC_SPD_DATA *SpdData;
- LIST_ENTRY *SpdList;
- LIST_ENTRY *SpdSas;
- LIST_ENTRY *Entry;
- UINTN RequiredSize;
-
- SpdSel = &Selector->SpdSelector;
- SpdData = (EFI_IPSEC_SPD_DATA *) Data;
- SpdList = &mConfigData[IPsecConfigDataTypeSpd];
-
- NET_LIST_FOR_EACH (Entry, SpdList) {
- SpdEntry = IPSEC_SPD_ENTRY_FROM_LIST (Entry);
-
- //
- // Find the required SPD entry
- //
- if (CompareSpdSelector (
- (EFI_IPSEC_CONFIG_SELECTOR *) SpdSel,
- (EFI_IPSEC_CONFIG_SELECTOR *) SpdEntry->Selector
- )) {
-
- RequiredSize = IpSecGetSizeOfSpdData (SpdEntry->Data);
- if (*DataSize < RequiredSize) {
- *DataSize = RequiredSize;
- return EFI_BUFFER_TOO_SMALL;
- }
-
- if (SpdData == NULL) {
- return EFI_INVALID_PARAMETER;
- }
-
- *DataSize = RequiredSize;
-
- //
- // Extract and fill all SaId array from the SPD.sas list
- //
- SpdSas = &SpdEntry->Data->Sas;
- SpdData->SaIdCount = 0;
-
- NET_LIST_FOR_EACH (Entry, SpdSas) {
- SadEntry = IPSEC_SAD_ENTRY_FROM_SPD (Entry);
- CopyMem (
- &SpdData->SaId[SpdData->SaIdCount++],
- SadEntry->Id,
- sizeof (EFI_IPSEC_SA_ID)
- );
- }
- //
- // Fill the other fields in SPD data.
- //
- CopyMem (SpdData->Name, SpdEntry->Data->Name, sizeof (SpdData->Name));
-
- SpdData->PackageFlag = SpdEntry->Data->PackageFlag;
- SpdData->TrafficDirection = SpdEntry->Data->TrafficDirection;
- SpdData->Action = SpdEntry->Data->Action;
-
- if (SpdData->Action != EfiIPsecActionProtect) {
- SpdData->ProcessingPolicy = NULL;
- } else {
- SpdData->ProcessingPolicy = (EFI_IPSEC_PROCESS_POLICY *) ((UINT8 *) SpdData + sizeof (EFI_IPSEC_SPD_DATA) + (SpdData->SaIdCount - 1) * sizeof (EFI_IPSEC_SA_ID));
-
- IpSecDuplicateProcessPolicy (
- SpdData->ProcessingPolicy,
- SpdEntry->Data->ProcessingPolicy
- );
- }
-
- return EFI_SUCCESS;
- }
- }
-
- return EFI_NOT_FOUND;
-}
-
-/**
- This function lookup the data entry from IPsec SAD. Return the configuration
- value of the specified SAD Entry.
-
- @param[in] Selector Pointer to an entry selector which is an identifier
- of the SAD entry.
- @param[in, out] DataSize On output, the size of data returned in Data.
- @param[out] Data The buffer to return the contents of the IPsec
- configuration data. The type of the data buffer
- is associated with the DataType.
-
- @retval EFI_SUCCESS The specified configuration data was obtained successfully.
- @retval EFI_NOT_FOUND The configuration data specified by Selector is not found.
- @retval EFI_BUFFER_TOO_SMALL The DataSize is too small for the result. DataSize has been
- updated with the size needed to complete the request.
-
-**/
-EFI_STATUS
-GetSadEntry (
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector,
- IN OUT UINTN *DataSize,
- OUT VOID *Data
- )
-{
- IPSEC_SAD_ENTRY *SadEntry;
- LIST_ENTRY *Entry;
- LIST_ENTRY *SadList;
- EFI_IPSEC_SA_ID *SaId;
- EFI_IPSEC_SA_DATA2 *SaData;
- UINTN RequiredSize;
-
- SaId = &Selector->SaId;
- SaData = (EFI_IPSEC_SA_DATA2 *) Data;
- SadList = &mConfigData[IPsecConfigDataTypeSad];
-
- NET_LIST_FOR_EACH (Entry, SadList) {
- SadEntry = IPSEC_SAD_ENTRY_FROM_LIST (Entry);
-
- //
- // Find the required SAD entry.
- //
- if (CompareSaId (
- (EFI_IPSEC_CONFIG_SELECTOR *) SaId,
- (EFI_IPSEC_CONFIG_SELECTOR *) SadEntry->Id
- )) {
- //
- // Calculate the required size of the SAD entry.
- // Data Layout is follows:
- // |EFI_IPSEC_SA_DATA
- // |AuthKey
- // |EncryptKey (Optional)
- // |SpdSelector (Optional)
- //
- RequiredSize = ALIGN_VARIABLE (sizeof (EFI_IPSEC_SA_DATA2));
-
- if (SaId->Proto == EfiIPsecAH) {
- RequiredSize = ALIGN_VARIABLE (RequiredSize + SadEntry->Data->AlgoInfo.AhAlgoInfo.AuthKeyLength);
- } else {
- RequiredSize = ALIGN_VARIABLE (RequiredSize + SadEntry->Data->AlgoInfo.EspAlgoInfo.AuthKeyLength);
- RequiredSize = ALIGN_VARIABLE (RequiredSize + SadEntry->Data->AlgoInfo.EspAlgoInfo.EncKeyLength);
- }
-
- if (SadEntry->Data->SpdSelector != NULL) {
- RequiredSize += SIZE_OF_SPD_SELECTOR (SadEntry->Data->SpdSelector);
- }
-
- if (*DataSize < RequiredSize) {
- *DataSize = RequiredSize;
- return EFI_BUFFER_TOO_SMALL;
- }
-
- //
- // Fill the data fields of SAD entry.
- //
- *DataSize = RequiredSize;
- SaData->Mode = SadEntry->Data->Mode;
- SaData->SNCount = SadEntry->Data->SequenceNumber;
- SaData->AntiReplayWindows = SadEntry->Data->AntiReplayWindowSize;
-
- CopyMem (
- &SaData->SaLifetime,
- &SadEntry->Data->SaLifetime,
- sizeof (EFI_IPSEC_SA_LIFETIME)
- );
-
- ZeroMem (
- &SaData->AlgoInfo,
- sizeof (EFI_IPSEC_ALGO_INFO)
- );
-
- if (SaId->Proto == EfiIPsecAH) {
- //
- // Copy AH alogrithm INFO to SaData
- //
- SaData->AlgoInfo.AhAlgoInfo.AuthAlgoId = SadEntry->Data->AlgoInfo.AhAlgoInfo.AuthAlgoId;
- SaData->AlgoInfo.AhAlgoInfo.AuthKeyLength = SadEntry->Data->AlgoInfo.AhAlgoInfo.AuthKeyLength;
- if (SaData->AlgoInfo.AhAlgoInfo.AuthKeyLength != 0) {
- SaData->AlgoInfo.AhAlgoInfo.AuthKey = (VOID *) ALIGN_POINTER ((SaData + 1), sizeof (UINTN));
- CopyMem (
- SaData->AlgoInfo.AhAlgoInfo.AuthKey,
- SadEntry->Data->AlgoInfo.AhAlgoInfo.AuthKey,
- SaData->AlgoInfo.AhAlgoInfo.AuthKeyLength
- );
- }
- } else if (SaId->Proto == EfiIPsecESP) {
- //
- // Copy ESP alogrithem INFO to SaData
- //
- SaData->AlgoInfo.EspAlgoInfo.AuthAlgoId = SadEntry->Data->AlgoInfo.EspAlgoInfo.AuthAlgoId;
- SaData->AlgoInfo.EspAlgoInfo.AuthKeyLength = SadEntry->Data->AlgoInfo.EspAlgoInfo.AuthKeyLength;
- if (SaData->AlgoInfo.EspAlgoInfo.AuthKeyLength != 0) {
- SaData->AlgoInfo.EspAlgoInfo.AuthKey = (VOID *) ALIGN_POINTER ((SaData + 1), sizeof (UINTN));
- CopyMem (
- SaData->AlgoInfo.EspAlgoInfo.AuthKey,
- SadEntry->Data->AlgoInfo.EspAlgoInfo.AuthKey,
- SaData->AlgoInfo.EspAlgoInfo.AuthKeyLength
- );
- }
-
- SaData->AlgoInfo.EspAlgoInfo.EncAlgoId = SadEntry->Data->AlgoInfo.EspAlgoInfo.EncAlgoId;
- SaData->AlgoInfo.EspAlgoInfo.EncKeyLength = SadEntry->Data->AlgoInfo.EspAlgoInfo.EncKeyLength;
-
- if (SaData->AlgoInfo.EspAlgoInfo.EncKeyLength != 0) {
- SaData->AlgoInfo.EspAlgoInfo.EncKey = (VOID *) ALIGN_POINTER (
- ((UINT8 *) (SaData + 1) +
- SaData->AlgoInfo.EspAlgoInfo.AuthKeyLength),
- sizeof (UINTN)
- );
- CopyMem (
- SaData->AlgoInfo.EspAlgoInfo.EncKey,
- SadEntry->Data->AlgoInfo.EspAlgoInfo.EncKey,
- SaData->AlgoInfo.EspAlgoInfo.EncKeyLength
- );
- }
- }
-
- SaData->PathMTU = SadEntry->Data->PathMTU;
-
- //
- // Fill Tunnel Address if it is Tunnel Mode
- //
- if (SadEntry->Data->Mode == EfiIPsecTunnel) {
- CopyMem (
- &SaData->TunnelDestinationAddress,
- &SadEntry->Data->TunnelDestAddress,
- sizeof (EFI_IP_ADDRESS)
- );
- CopyMem (
- &SaData->TunnelSourceAddress,
- &SadEntry->Data->TunnelSourceAddress,
- sizeof (EFI_IP_ADDRESS)
- );
- }
- //
- // Fill the spd selector field of SAD data
- //
- if (SadEntry->Data->SpdSelector != NULL) {
-
- SaData->SpdSelector = (EFI_IPSEC_SPD_SELECTOR *) (
- (UINT8 *)SaData +
- RequiredSize -
- SIZE_OF_SPD_SELECTOR (SadEntry->Data->SpdSelector)
- );
-
- DuplicateSpdSelector (
- (EFI_IPSEC_CONFIG_SELECTOR *) SaData->SpdSelector,
- (EFI_IPSEC_CONFIG_SELECTOR *) SadEntry->Data->SpdSelector,
- NULL
- );
-
- } else {
-
- SaData->SpdSelector = NULL;
- }
-
- SaData->ManualSet = SadEntry->Data->ManualSet;
-
- return EFI_SUCCESS;
- }
- }
-
- return EFI_NOT_FOUND;
-}
-
-/**
- This function lookup the data entry from IPsec PAD. Return the configuration
- value of the specified PAD Entry.
-
- @param[in] Selector Pointer to an entry selector which is an identifier
- of the PAD entry.
- @param[in, out] DataSize On output the size of data returned in Data.
- @param[out] Data The buffer to return the contents of the IPsec
- configuration data. The type of the data buffer
- is associated with the DataType.
-
- @retval EFI_SUCCESS The specified configuration data was obtained successfully.
- @retval EFI_NOT_FOUND The configuration data specified by Selector is not found.
- @retval EFI_BUFFER_TOO_SMALL The DataSize is too small for the result. DataSize has been
- updated with the size needed to complete the request.
-
-**/
-EFI_STATUS
-GetPadEntry (
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector,
- IN OUT UINTN *DataSize,
- OUT VOID *Data
- )
-{
- IPSEC_PAD_ENTRY *PadEntry;
- LIST_ENTRY *PadList;
- LIST_ENTRY *Entry;
- EFI_IPSEC_PAD_ID *PadId;
- EFI_IPSEC_PAD_DATA *PadData;
- UINTN RequiredSize;
-
- PadId = &Selector->PadId;
- PadData = (EFI_IPSEC_PAD_DATA *) Data;
- PadList = &mConfigData[IPsecConfigDataTypePad];
-
- NET_LIST_FOR_EACH (Entry, PadList) {
- PadEntry = IPSEC_PAD_ENTRY_FROM_LIST (Entry);
-
- //
- // Find the required pad entry.
- //
- if (ComparePadId (
- (EFI_IPSEC_CONFIG_SELECTOR *) PadId,
- (EFI_IPSEC_CONFIG_SELECTOR *) PadEntry->Id
- )) {
- //
- // Calculate the required size of the pad entry.
- //
- RequiredSize = ALIGN_VARIABLE (sizeof (EFI_IPSEC_PAD_DATA));
- RequiredSize = ALIGN_VARIABLE (RequiredSize + PadEntry->Data->AuthDataSize);
- RequiredSize += PadEntry->Data->RevocationDataSize;
-
- if (*DataSize < RequiredSize) {
- *DataSize = RequiredSize;
- return EFI_BUFFER_TOO_SMALL;
- }
- //
- // Fill the data fields of pad entry
- //
- *DataSize = RequiredSize;
- PadData->AuthProtocol = PadEntry->Data->AuthProtocol;
- PadData->AuthMethod = PadEntry->Data->AuthMethod;
- PadData->IkeIdFlag = PadEntry->Data->IkeIdFlag;
-
- //
- // Copy Authentication data.
- //
- if (PadEntry->Data->AuthData != NULL) {
-
- PadData->AuthDataSize = PadEntry->Data->AuthDataSize;
- PadData->AuthData = (VOID *) ALIGN_POINTER ((PadData + 1), sizeof (UINTN));
- CopyMem (
- PadData->AuthData,
- PadEntry->Data->AuthData,
- PadData->AuthDataSize
- );
- } else {
-
- PadData->AuthDataSize = 0;
- PadData->AuthData = NULL;
- }
- //
- // Copy Revocation Data.
- //
- if (PadEntry->Data->RevocationData != NULL) {
-
- PadData->RevocationDataSize = PadEntry->Data->RevocationDataSize;
- PadData->RevocationData = (VOID *) ALIGN_POINTER (
- ((UINT8 *) (PadData + 1) + PadData->AuthDataSize),
- sizeof (UINTN)
- );
- CopyMem (
- PadData->RevocationData,
- PadEntry->Data->RevocationData,
- PadData->RevocationDataSize
- );
- } else {
-
- PadData->RevocationDataSize = 0;
- PadData->RevocationData = NULL;
- }
-
- return EFI_SUCCESS;
- }
- }
-
- return EFI_NOT_FOUND;
-}
-
-/**
- Copy Source Process Policy to the Destination Process Policy.
-
- @param[in] Dst Pointer to the Source Process Policy.
- @param[in] Src Pointer to the Destination Process Policy.
-
-**/
-VOID
-IpSecDuplicateProcessPolicy (
- IN EFI_IPSEC_PROCESS_POLICY *Dst,
- IN EFI_IPSEC_PROCESS_POLICY *Src
- )
-{
- //
- // Firstly copy the structure content itself.
- //
- CopyMem (Dst, Src, sizeof (EFI_IPSEC_PROCESS_POLICY));
-
- //
- // Recursively copy the tunnel option if needed.
- //
- if (Dst->Mode != EfiIPsecTunnel) {
- ASSERT (Dst->TunnelOption == NULL);
- } else {
- Dst->TunnelOption = (EFI_IPSEC_TUNNEL_OPTION *) ALIGN_POINTER ((Dst + 1), sizeof (UINTN));
- CopyMem (
- Dst->TunnelOption,
- Src->TunnelOption,
- sizeof (EFI_IPSEC_TUNNEL_OPTION)
- );
- }
-}
-
-/**
- Calculate the a whole size of EFI_IPSEC_SPD_DATA, which includes the buffer size pointed
- to by the pointer members.
-
- @param[in] SpdData Pointer to a specified EFI_IPSEC_SPD_DATA.
-
- @return the whole size the specified EFI_IPSEC_SPD_DATA.
-
-**/
-UINTN
-IpSecGetSizeOfEfiSpdData (
- IN EFI_IPSEC_SPD_DATA *SpdData
- )
-{
- UINTN Size;
-
- Size = ALIGN_VARIABLE (sizeof (IPSEC_SPD_DATA));
-
- if (SpdData->Action == EfiIPsecActionProtect) {
- Size = ALIGN_VARIABLE (Size + sizeof (EFI_IPSEC_PROCESS_POLICY));
-
- if (SpdData->ProcessingPolicy->Mode == EfiIPsecTunnel) {
- Size = ALIGN_VARIABLE (Size + sizeof (EFI_IPSEC_TUNNEL_OPTION));
- }
- }
-
- return Size;
-}
-
-/**
- Calculate the a whole size of IPSEC_SPD_DATA which includes the buffer size pointed
- to by the pointer members and the buffer size used by the Sa List.
-
- @param[in] SpdData Pointer to the specified IPSEC_SPD_DATA.
-
- @return the whole size of IPSEC_SPD_DATA.
-
-**/
-UINTN
-IpSecGetSizeOfSpdData (
- IN IPSEC_SPD_DATA *SpdData
- )
-{
- UINTN Size;
- LIST_ENTRY *Link;
-
- Size = sizeof (EFI_IPSEC_SPD_DATA) - sizeof (EFI_IPSEC_SA_ID);
-
- if (SpdData->Action == EfiIPsecActionProtect) {
- Size += sizeof (EFI_IPSEC_PROCESS_POLICY);
-
- if (SpdData->ProcessingPolicy->Mode == EfiIPsecTunnel) {
- Size += sizeof (EFI_IPSEC_TUNNEL_OPTION);
- }
- }
-
- NET_LIST_FOR_EACH (Link, &SpdData->Sas) {
- Size += sizeof (EFI_IPSEC_SA_ID);
- }
-
- return Size;
-}
-
-/**
- Get the IPsec Variable.
-
- Get the all variables which start with the string contained in VaraiableName.
- Since all IPsec related variable store in continual space, those kinds of
- variable can be searched by the EfiGetNextVariableName. Those variables also are
- returned in a continual buffer.
-
- @param[in] VariableName Pointer to a specified Variable Name.
- @param[in] VendorGuid Pointer to a specified Vendor Guid.
- @param[in] Attributes Point to memory location to return the attributes
- of variable. If the point is NULL, the parameter
- would be ignored.
- @param[in, out] DataSize As input, point to the maximum size of return
- Data-Buffer. As output, point to the actual
- size of the returned Data-Buffer.
- @param[in] Data Point to return Data-Buffer.
-
- @retval EFI_ABORTED If the Variable size which contained in the variable
- structure doesn't match the variable size obtained
- from the EFIGetVariable.
- @retval EFI_BUFFER_TOO_SMALL The DataSize is too small for the result. DataSize has
- been updated with the size needed to complete the request.
- @retval EFI_SUCCESS The function completed successfully.
- @retval others Other errors found during the variable getting.
-**/
-EFI_STATUS
-IpSecGetVariable (
- IN CHAR16 *VariableName,
- IN EFI_GUID *VendorGuid,
- IN UINT32 *Attributes, OPTIONAL
- IN OUT UINTN *DataSize,
- IN VOID *Data
- )
-{
- EFI_STATUS Status;
- EFI_GUID VendorGuidI;
- UINTN VariableNameLength;
- CHAR16 *VariableNameI;
- UINTN VariableNameISize;
- UINTN VariableNameISizeNew;
- UINTN VariableIndex;
- UINTN VariableCount;
- IP_SEC_VARIABLE_INFO IpSecVariableInfo;
- UINTN DataSizeI;
-
- //
- // The variable name constructor is "VariableName + Info/0001/0002/... + NULL".
- // So the varialbe name is like "VariableNameInfo", "VariableName0001", ...
- // "VariableNameNULL".
- //
- VariableNameLength = StrLen (VariableName);
- VariableNameISize = (VariableNameLength + 5) * sizeof (CHAR16);
- VariableNameI = AllocateZeroPool (VariableNameISize);
- if (VariableNameI == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto ON_EXIT;
- }
-
- //
- // Construct the varible name of ipsecconfig meta data.
- //
- UnicodeSPrint (VariableNameI, VariableNameISize, L"%s%s", VariableName, L"Info");
-
- DataSizeI = sizeof (IpSecVariableInfo);
-
- Status = gRT->GetVariable (
- VariableNameI,
- VendorGuid,
- Attributes,
- &DataSizeI,
- &IpSecVariableInfo
- );
- if (EFI_ERROR (Status)) {
- goto ON_EXIT;
- }
-
- if (*DataSize < IpSecVariableInfo.VariableSize) {
- *DataSize = IpSecVariableInfo.VariableSize;
- Status = EFI_BUFFER_TOO_SMALL;
- goto ON_EXIT;
- }
-
- VariableCount = IpSecVariableInfo.VariableCount;
- VariableNameI[0] = L'\0';
-
- while (VariableCount != 0) {
- //
- // Get the variable name one by one in the variable database.
- //
- VariableNameISizeNew = VariableNameISize;
- Status = gRT->GetNextVariableName (
- &VariableNameISizeNew,
- VariableNameI,
- &VendorGuidI
- );
- if (Status == EFI_BUFFER_TOO_SMALL) {
- VariableNameI = ReallocatePool (
- VariableNameISize,
- VariableNameISizeNew,
- VariableNameI
- );
- if (VariableNameI == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- break;
- }
- VariableNameISize = VariableNameISizeNew;
-
- Status = gRT->GetNextVariableName (
- &VariableNameISizeNew,
- VariableNameI,
- &VendorGuidI
- );
- }
-
- if (EFI_ERROR (Status)) {
- break;
- }
- //
- // Check whether the current variable is the required "ipsecconfig".
- //
- if (StrnCmp (VariableNameI, VariableName, VariableNameLength) == 0 ||
- CompareGuid (VendorGuid, &VendorGuidI)
- ) {
- //
- // Parse the variable count of the current ipsecconfig data.
- //
- VariableIndex = StrDecimalToUintn (VariableNameI + VariableNameLength);
- if (VariableIndex!= 0 && VariableIndex <= IpSecVariableInfo.VariableCount) {
- //
- // Get the variable size of the current ipsecconfig data.
- //
- DataSizeI = 0;
- Status = gRT->GetVariable (
- VariableNameI,
- VendorGuid,
- Attributes,
- &DataSizeI,
- NULL
- );
- ASSERT (Status == EFI_BUFFER_TOO_SMALL);
- //
- // Validate the variable count and variable size.
- //
- if (VariableIndex != IpSecVariableInfo.VariableCount) {
- //
- // If the varaibe is not the last one, its size should be the max
- // size of the single variable.
- //
- if (DataSizeI != IpSecVariableInfo.SingleVariableSize) {
- return EFI_ABORTED;
- }
- } else {
- if (DataSizeI != IpSecVariableInfo.VariableSize % IpSecVariableInfo.SingleVariableSize) {
- return EFI_ABORTED;
- }
- }
- //
- // Get the variable data of the current ipsecconfig data and
- // store it into user buffer continously.
- //
- Status = gRT->GetVariable (
- VariableNameI,
- VendorGuid,
- Attributes,
- &DataSizeI,
- (UINT8 *) Data + (VariableIndex - 1) * IpSecVariableInfo.SingleVariableSize
- );
- ASSERT_EFI_ERROR (Status);
- VariableCount--;
- }
- }
- }
- //
- // The VariableCount in "VariableNameInfo" varaible should have the correct
- // numbers of variables which name starts with VariableName.
- //
- if (VariableCount != 0) {
- Status = EFI_ABORTED;
- }
-
-ON_EXIT:
- if (VariableNameI != NULL) {
- FreePool (VariableNameI);
- }
- return Status;
-}
-
-/**
- Set the IPsec variables.
-
- Set all IPsec variables which start with the specified variable name. Those variables
- are set one by one.
-
- @param[in] VariableName The name of the vendor's variable. It is a
- Null-Terminated Unicode String.
- @param[in] VendorGuid Unify identifier for vendor.
- @param[in] Attributes Point to memory location to return the attributes of
- variable. If the point is NULL, the parameter would be ignored.
- @param[in] DataSize The size in bytes of Data-Buffer.
- @param[in] Data Points to the content of the variable.
-
- @retval EFI_SUCCESS The firmware successfully stored the variable and its data, as
- defined by the Attributes.
- @retval others Storing the variables failed.
-
-**/
-EFI_STATUS
-IpSecSetVariable (
- IN CHAR16 *VariableName,
- IN EFI_GUID *VendorGuid,
- IN UINT32 Attributes,
- IN UINTN DataSize,
- IN VOID *Data
- )
-{
- EFI_STATUS Status;
- CHAR16 *VariableNameI;
- UINTN VariableNameSize;
- UINTN VariableIndex;
- IP_SEC_VARIABLE_INFO IpSecVariableInfo;
- UINT64 MaximumVariableStorageSize;
- UINT64 RemainingVariableStorageSize;
- UINT64 MaximumVariableSize;
-
- Status = gRT->QueryVariableInfo (
- Attributes,
- &MaximumVariableStorageSize,
- &RemainingVariableStorageSize,
- &MaximumVariableSize
- );
- if (EFI_ERROR (Status)) {
- return Status;
- }
-
- //
- // "VariableName + Info/0001/0002/... + NULL"
- //
- VariableNameSize = (StrLen (VariableName) + 5) * sizeof (CHAR16);
- VariableNameI = AllocateZeroPool (VariableNameSize);
-
- if (VariableNameI == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto ON_EXIT;
- }
- //
- // Construct the variable of ipsecconfig general information. Like the total
- // numbers of the Ipsecconfig variables, the total size of all ipsecconfig variables.
- //
- UnicodeSPrint (VariableNameI, VariableNameSize, L"%s%s", VariableName, L"Info");
- MaximumVariableSize -= VariableNameSize;
-
- IpSecVariableInfo.VariableCount = (UINT32) ((DataSize + (UINTN) MaximumVariableSize - 1) / (UINTN) MaximumVariableSize);
- IpSecVariableInfo.VariableSize = (UINT32) DataSize;
- IpSecVariableInfo.SingleVariableSize = (UINT32) MaximumVariableSize;
-
- //
- // Set the variable of ipsecconfig general information.
- //
- Status = gRT->SetVariable (
- VariableNameI,
- VendorGuid,
- Attributes,
- sizeof (IpSecVariableInfo),
- &IpSecVariableInfo
- );
- if (EFI_ERROR (Status)) {
- DEBUG ((DEBUG_ERROR, "Error set ipsecconfig meta data with %r\n", Status));
- goto ON_EXIT;
- }
-
- for (VariableIndex = 0; VariableIndex < IpSecVariableInfo.VariableCount; VariableIndex++) {
- //
- // Construct and set the variable of ipsecconfig data one by one.
- // The index of variable name begin from 0001, and the varaible name
- // likes "VariableName0001", "VaraiableName0002"....
- //
- UnicodeSPrint (VariableNameI, VariableNameSize, L"%s%04d", VariableName, VariableIndex + 1);
- Status = gRT->SetVariable (
- VariableNameI,
- VendorGuid,
- Attributes,
- (VariableIndex == IpSecVariableInfo.VariableCount - 1) ?
- (DataSize % (UINTN) MaximumVariableSize) :
- (UINTN) MaximumVariableSize,
- (UINT8 *) Data + VariableIndex * (UINTN) MaximumVariableSize
- );
-
- if (EFI_ERROR (Status)) {
- DEBUG ((DEBUG_ERROR, "Error set ipsecconfig variable data with %r\n", Status));
- goto ON_EXIT;
- }
- }
-
-ON_EXIT:
- if (VariableNameI != NULL) {
- FreePool (VariableNameI);
- }
-
- return Status;
-}
-
-/**
- Return the configuration value for the EFI IPsec driver.
-
- This function lookup the data entry from IPsec database or IKEv2 configuration
- information. The expected data type and unique identification are described in
- DataType and Selector parameters.
-
- @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance.
- @param[in] DataType The type of data to retrieve.
- @param[in] Selector Pointer to an entry selector that is an identifier of the IPsec
- configuration data entry.
- @param[in, out] DataSize On output the size of data returned in Data.
- @param[out] Data The buffer to return the contents of the IPsec configuration data.
- The type of the data buffer associated with the DataType.
-
- @retval EFI_SUCCESS The specified configuration data was obtained successfully.
- @retval EFI_INVALID_PARAMETER One or more of the followings are TRUE:
- - This is NULL.
- - Selector is NULL.
- - DataSize is NULL.
- - Data is NULL and *DataSize is not zero
- @retval EFI_NOT_FOUND The configuration data specified by Selector is not found.
- @retval EFI_UNSUPPORTED The specified DataType is not supported.
- @retval EFI_BUFFER_TOO_SMALL The DataSize is too small for the result. DataSize has been
- updated with the size needed to complete the request.
-
-**/
-EFI_STATUS
-EFIAPI
-EfiIpSecConfigGetData (
- IN EFI_IPSEC_CONFIG_PROTOCOL *This,
- IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector,
- IN OUT UINTN *DataSize,
- OUT VOID *Data
- )
-{
- if (This == NULL || Selector == NULL || DataSize == NULL) {
- return EFI_INVALID_PARAMETER;
- }
-
- if (*DataSize != 0 && Data == NULL) {
- return EFI_INVALID_PARAMETER;
- }
-
- if (DataType >= IPsecConfigDataTypeMaximum) {
- return EFI_UNSUPPORTED;
- }
-
- return mGetPolicyEntry[DataType](Selector, DataSize, Data);
-}
-
-/**
- Set the security association, security policy and peer authorization configuration
- information for the EFI IPsec driver.
-
- This function is used to set the IPsec configuration information of type DataType for
- the EFI IPsec driver.
- The IPsec configuration data has a unique selector/identifier separately to identify
- a data entry. The selector structure depends on DataType's definition.
- Using SetData() with a Data of NULL causes the IPsec configuration data entry identified
- by DataType and Selector to be deleted.
-
- @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance.
- @param[in] DataType The type of data to be set.
- @param[in] Selector Pointer to an entry selector on operated configuration data
- specified by DataType. A NULL Selector causes the entire
- specified-type configuration information to be flushed.
- @param[in] Data The data buffer to be set. The structure of the data buffer is
- associated with the DataType.
- @param[in] InsertBefore Pointer to one entry selector which describes the expected
- position the new data entry will be added. If InsertBefore is NULL,
- the new entry will be appended to the end of the database.
-
- @retval EFI_SUCCESS The specified configuration entry data was set successfully.
- @retval EFI_INVALID_PARAMETER One or more of the following are TRUE:
- - This is NULL.
- @retval EFI_UNSUPPORTED The specified DataType is not supported.
- @retval EFI_OUT_OF_RESOURCED The required system resource could not be allocated.
-
-**/
-EFI_STATUS
-EFIAPI
-EfiIpSecConfigSetData (
- IN EFI_IPSEC_CONFIG_PROTOCOL *This,
- IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector,
- IN VOID *Data,
- IN EFI_IPSEC_CONFIG_SELECTOR *InsertBefore OPTIONAL
- )
-{
- EFI_STATUS Status;
-
- if (This == NULL) {
- return EFI_INVALID_PARAMETER;
- }
-
- if (DataType >= IPsecConfigDataTypeMaximum) {
- return EFI_UNSUPPORTED;
- }
-
- Status = mSetPolicyEntry[DataType](Selector, Data, InsertBefore);
-
- if (!EFI_ERROR (Status) && !mSetBySelf) {
- //
- // Save the updated config data into variable.
- //
- IpSecConfigSave ();
- }
-
- return Status;
-}
-
-/**
- Enumerates the current selector for IPsec configuration data entry.
-
- This function is called multiple times to retrieve the entry Selector in IPsec
- configuration database. On each call to GetNextSelector(), the next entry
- Selector are retrieved into the output interface.
-
- If the entire IPsec configuration database has been iterated, the error
- EFI_NOT_FOUND is returned.
- If the Selector buffer is too small for the next Selector copy, an
- EFI_BUFFER_TOO_SMALL error is returned, and SelectorSize is updated to reflect
- the size of buffer needed.
-
- On the initial call to GetNextSelector() to start the IPsec configuration database
- search, a pointer to the buffer with all zero value is passed in Selector. Calls
- to SetData() between calls to GetNextSelector may produce unpredictable results.
-
- @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance.
- @param[in] DataType The type of IPsec configuration data to retrieve.
- @param[in, out] SelectorSize The size of the Selector buffer.
- @param[in, out] Selector On input, supplies the pointer to last Selector that was
- returned by GetNextSelector().
- On output, returns one copy of the current entry Selector
- of a given DataType.
-
- @retval EFI_SUCCESS The specified configuration data was obtained successfully.
- @retval EFI_INVALID_PARAMETER One or more of the followings are TRUE:
- - This is NULL.
- - SelectorSize is NULL.
- - Selector is NULL.
- @retval EFI_NOT_FOUND The next configuration data entry was not found.
- @retval EFI_UNSUPPORTED The specified DataType is not supported.
- @retval EFI_BUFFER_TOO_SMALL The SelectorSize is too small for the result. This parameter
- has been updated with the size needed to complete the search
- request.
-
-**/
-EFI_STATUS
-EFIAPI
-EfiIpSecConfigGetNextSelector (
- IN EFI_IPSEC_CONFIG_PROTOCOL *This,
- IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,
- IN OUT UINTN *SelectorSize,
- IN OUT EFI_IPSEC_CONFIG_SELECTOR *Selector
- )
-{
- LIST_ENTRY *Link;
- IPSEC_COMMON_POLICY_ENTRY *CommonEntry;
- BOOLEAN IsFound;
-
- if (This == NULL || Selector == NULL || SelectorSize == NULL) {
- return EFI_INVALID_PARAMETER;
- }
-
- if (DataType >= IPsecConfigDataTypeMaximum) {
- return EFI_UNSUPPORTED;
- }
-
- IsFound = FALSE;
-
- NET_LIST_FOR_EACH (Link, &mConfigData[DataType]) {
- CommonEntry = BASE_CR (Link, IPSEC_COMMON_POLICY_ENTRY, List);
-
- if (IsFound || (BOOLEAN)(mIsZeroSelector[DataType](Selector))) {
- //
- // If found the appointed entry, then duplicate the next one and return,
- // or if the appointed entry is zero, then return the first one directly.
- //
- return mDuplicateSelector[DataType](Selector, CommonEntry->Selector, SelectorSize);
- } else {
- //
- // Set the flag if find the appointed entry.
- //
- IsFound = mCompareSelector[DataType](Selector, CommonEntry->Selector);
- }
- }
-
- return EFI_NOT_FOUND;
-}
-
-/**
- Register an event that is to be signaled whenever a configuration process on the
- specified IPsec configuration information is done.
-
- The register function is not surpport now and always returns EFI_UNSUPPORTED.
-
- @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance.
- @param[in] DataType The type of data to be registered the event for.
- @param[in] Event The event to be registered.
-
- @retval EFI_SUCCESS The event is registered successfully.
- @retval EFI_INVALID_PARAMETER This is NULL or Event is NULL.
- @retval EFI_ACCESS_DENIED The Event is already registered for the DataType.
- @retval EFI_UNSUPPORTED The notify registration is unsupported, or the specified
- DataType is not supported.
-
-**/
-EFI_STATUS
-EFIAPI
-EfiIpSecConfigRegisterNotify (
- IN EFI_IPSEC_CONFIG_PROTOCOL *This,
- IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,
- IN EFI_EVENT Event
- )
-{
- return EFI_UNSUPPORTED;
-}
-
-/**
- Remove the specified event that was previously registered on the specified IPsec
- configuration data.
-
- This function is not support now and alwasy return EFI_UNSUPPORTED.
-
- @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance.
- @param[in] DataType The configuration data type to remove the registered event for.
- @param[in] Event The event to be unregistered.
-
- @retval EFI_SUCCESS The event was removed successfully.
- @retval EFI_NOT_FOUND The Event specified by DataType could not be found in the
- database.
- @retval EFI_INVALID_PARAMETER This is NULL or Event is NULL.
- @retval EFI_UNSUPPORTED The notify registration is unsupported, or the specified
- DataType is not supported.
-
-**/
-EFI_STATUS
-EFIAPI
-EfiIpSecConfigUnregisterNotify (
- IN EFI_IPSEC_CONFIG_PROTOCOL *This,
- IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,
- IN EFI_EVENT Event
- )
-{
- return EFI_UNSUPPORTED;
-}
-
-/**
- Copy whole data in specified EFI_SIPEC_CONFIG_SELECTOR and the Data to a buffer.
-
- This function is a caller defined function, and it is called by the IpSecVisitConfigData().
- The orignal caller is IpSecConfigSave(), which calls the IpsecVisitConfigData() to
- copy all types of IPsec Config datas into one buffer and store this buffer into firmware in
- the form of several variables.
-
- @param[in] Type A specified IPSEC_CONFIG_DATA_TYPE.
- @param[in] Selector Points to a EFI_IPSEC_CONFIG_SELECTOR to be copied
- to the buffer.
- @param[in] Data Points to data to be copied to the buffer. The
- Data type is related to the Type.
- @param[in] SelectorSize The size of the Selector.
- @param[in] DataSize The size of the Data.
- @param[in, out] Buffer The buffer to store the Selector and Data.
-
- @retval EFI_SUCCESS Copy the Selector and Data to a buffer successfully.
- @retval EFI_OUT_OF_RESOURCES The required system resource could not be allocated.
-
-**/
-EFI_STATUS
-IpSecCopyPolicyEntry (
- IN EFI_IPSEC_CONFIG_DATA_TYPE Type,
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector,
- IN VOID *Data,
- IN UINTN SelectorSize,
- IN UINTN DataSize,
- IN OUT IPSEC_VARIABLE_BUFFER *Buffer
- )
-{
- IPSEC_VAR_ITEM_HEADER SelectorHeader;
- IPSEC_VAR_ITEM_HEADER DataHeader;
- UINTN EntrySize;
- UINT8 *TempPoint;
-
- if (Type == IPsecConfigDataTypeSad) {
- //
- // Don't save automatically-generated SA entry into variable.
- //
- if (((EFI_IPSEC_SA_DATA2 *) Data)->ManualSet == FALSE) {
- return EFI_SUCCESS;
- }
- }
- //
- // Increase the capacity size of the buffer if needed.
- //
- EntrySize = ALIGN_VARIABLE (sizeof (SelectorHeader));
- EntrySize = ALIGN_VARIABLE (EntrySize + SelectorSize);
- EntrySize = ALIGN_VARIABLE (EntrySize + sizeof (SelectorHeader));
- EntrySize = ALIGN_VARIABLE (EntrySize + DataSize);
-
- //EntrySize = SelectorSize + DataSize + 2 * sizeof (SelectorHeader);
- if (Buffer->Capacity - Buffer->Size < EntrySize) {
- //
- // Calculate the required buffer
- //
- Buffer->Capacity += EntrySize;
- TempPoint = AllocatePool (Buffer->Capacity);
-
- if (TempPoint == NULL) {
- return EFI_OUT_OF_RESOURCES;
- }
- //
- // Copy the old Buffer to new buffer and free the old one.
- //
- CopyMem (TempPoint, Buffer->Ptr, Buffer->Size);
- FreePool (Buffer->Ptr);
-
- Buffer->Ptr = TempPoint;
- }
-
- mFixPolicyEntry[Type](Selector, Data);
-
- //
- // Fill the selector header and copy it into buffer.
- //
- SelectorHeader.Type = (UINT8) (Type | IPSEC_VAR_ITEM_HEADER_LOGO_BIT);
- SelectorHeader.Size = (UINT16) SelectorSize;
-
- CopyMem (
- Buffer->Ptr + Buffer->Size,
- &SelectorHeader,
- sizeof (SelectorHeader)
- );
- Buffer->Size = ALIGN_VARIABLE (Buffer->Size + sizeof (SelectorHeader));
-
- //
- // Copy the selector into buffer.
- //
- CopyMem (
- Buffer->Ptr + Buffer->Size,
- Selector,
- SelectorSize
- );
- Buffer->Size = ALIGN_VARIABLE (Buffer->Size + SelectorSize);
-
- //
- // Fill the data header and copy it into buffer.
- //
- DataHeader.Type = (UINT8) Type;
- DataHeader.Size = (UINT16) DataSize;
-
- CopyMem (
- Buffer->Ptr + Buffer->Size,
- &DataHeader,
- sizeof (DataHeader)
- );
- Buffer->Size = ALIGN_VARIABLE (Buffer->Size + sizeof (DataHeader));
- //
- // Copy the data into buffer.
- //
- CopyMem (
- Buffer->Ptr + Buffer->Size,
- Data,
- DataSize
- );
- Buffer->Size = ALIGN_VARIABLE (Buffer->Size + DataSize);
-
- mUnfixPolicyEntry[Type](Selector, Data);
-
- return EFI_SUCCESS;
-}
-
-/**
- Visit all IPsec Configurations of specified Type and call the caller defined
- interface.
-
- @param[in] DataType The specified IPsec Config Data Type.
- @param[in] Routine The function defined by the caller.
- @param[in] Context The data passed to the Routine.
-
- @retval EFI_OUT_OF_RESOURCES The required system resource could not be allocated
- @retval EFI_SUCCESS This function completed successfully.
-
-**/
-EFI_STATUS
-IpSecVisitConfigData (
- IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,
- IN IPSEC_COPY_POLICY_ENTRY Routine,
- IN VOID *Context
- )
-{
- EFI_STATUS GetNextStatus;
- EFI_STATUS GetDataStatus;
- EFI_STATUS RoutineStatus;
- EFI_IPSEC_CONFIG_SELECTOR *Selector;
- VOID *Data;
- UINTN SelectorSize;
- UINTN DataSize;
- UINTN SelectorBufferSize;
- UINTN DataBufferSize;
- BOOLEAN FirstGetNext;
-
- FirstGetNext = TRUE;
- DataBufferSize = 0;
- Data = NULL;
- SelectorBufferSize = sizeof (EFI_IPSEC_CONFIG_SELECTOR);
- Selector = AllocateZeroPool (SelectorBufferSize);
-
- if (Selector == NULL) {
- return EFI_OUT_OF_RESOURCES;
- }
-
- while (TRUE) {
- //
- // Get the real size of the selector.
- //
- SelectorSize = SelectorBufferSize;
- GetNextStatus = EfiIpSecConfigGetNextSelector (
- &mIpSecConfigInstance,
- DataType,
- &SelectorSize,
- Selector
- );
- if (GetNextStatus == EFI_BUFFER_TOO_SMALL) {
- FreePool (Selector);
- SelectorBufferSize = SelectorSize;
- //
- // Allocate zero pool for the first selector, while store the last
- // selector content for the other selectors.
- //
- if (FirstGetNext) {
- Selector = AllocateZeroPool (SelectorBufferSize);
- } else {
- Selector = AllocateCopyPool (SelectorBufferSize, Selector);
- }
-
- if (Selector == NULL) {
- return EFI_OUT_OF_RESOURCES;
- }
- //
- // Get the content of the selector.
- //
- GetNextStatus = EfiIpSecConfigGetNextSelector (
- &mIpSecConfigInstance,
- DataType,
- &SelectorSize,
- Selector
- );
- }
-
- if (EFI_ERROR (GetNextStatus)) {
- break;
- }
-
- FirstGetNext = FALSE;
-
- //
- // Get the real size of the policy entry according to the selector.
- //
- DataSize = DataBufferSize;
- GetDataStatus = EfiIpSecConfigGetData (
- &mIpSecConfigInstance,
- DataType,
- Selector,
- &DataSize,
- Data
- );
- if (GetDataStatus == EFI_BUFFER_TOO_SMALL) {
- if (Data != NULL) {
- FreePool (Data);
- }
-
- DataBufferSize = DataSize;
- Data = AllocateZeroPool (DataBufferSize);
-
- if (Data == NULL) {
- return EFI_OUT_OF_RESOURCES;
- }
- //
- // Get the content of the policy entry according to the selector.
- //
- GetDataStatus = EfiIpSecConfigGetData (
- &mIpSecConfigInstance,
- DataType,
- Selector,
- &DataSize,
- Data
- );
- }
-
- if (EFI_ERROR (GetDataStatus)) {
- break;
- }
- //
- // Prepare the buffer of updated policy entry, which is stored in
- // the continous memory, and then save into variable later.
- //
- RoutineStatus = Routine (
- DataType,
- Selector,
- Data,
- SelectorSize,
- DataSize,
- Context
- );
- if (EFI_ERROR (RoutineStatus)) {
- break;
- }
- }
-
- if (Data != NULL) {
- FreePool (Data);
- }
-
- if (Selector != NULL) {
- FreePool (Selector);
- }
-
- return EFI_SUCCESS;
-}
-
-/**
- This function is the subfunction of EFIIpSecConfigSetData.
-
- This function call IpSecSetVaraible to set the IPsec Configuration into the firmware.
-
- @retval EFI_OUT_OF_RESOURCES The required system resource could not be allocated.
- @retval EFI_SUCCESS Saved the configration successfully.
- @retval Others Other errors were found while obtaining the variable.
-
-**/
-EFI_STATUS
-IpSecConfigSave (
- VOID
- )
-{
- IPSEC_VARIABLE_BUFFER Buffer;
- EFI_STATUS Status;
- EFI_IPSEC_CONFIG_DATA_TYPE Type;
-
- Buffer.Size = 0;
- Buffer.Capacity = IPSEC_DEFAULT_VARIABLE_SIZE;
- Buffer.Ptr = AllocateZeroPool (Buffer.Capacity);
-
- if (Buffer.Ptr == NULL) {
- return EFI_OUT_OF_RESOURCES;
- }
- //
- // For each policy database, prepare the contious buffer to save into variable.
- //
- for (Type = IPsecConfigDataTypeSpd; Type < IPsecConfigDataTypeMaximum; Type++) {
- IpSecVisitConfigData (
- Type,
- (IPSEC_COPY_POLICY_ENTRY) IpSecCopyPolicyEntry,
- &Buffer
- );
- }
- //
- // Save the updated policy database into variable.
- //
- Status = IpSecSetVariable (
- IPSECCONFIG_VARIABLE_NAME,
- &gEfiIpSecConfigProtocolGuid,
- EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_NON_VOLATILE,
- Buffer.Size,
- Buffer.Ptr
- );
-
- FreePool (Buffer.Ptr);
-
- return Status;
-}
-
-/**
- Get the all IPSec configuration variables and store those variables
- to the internal data structure.
-
- This founction is called by IpSecConfigInitialize() which is to intialize the
- IPsecConfiguration Protocol.
-
- @param[in] Private Point to IPSEC_PRIVATE_DATA.
-
- @retval EFI_OUT_OF_RESOURCES The required system resource could not be allocated
- @retval EFI_SUCCESS Restore the IPsec Configuration successfully.
- @retval others Other errors is found while obtaining the variable.
-
-**/
-EFI_STATUS
-IpSecConfigRestore (
- IN IPSEC_PRIVATE_DATA *Private
- )
-{
- EFI_STATUS Status;
- UINTN BufferSize;
- UINT8 *Buffer;
- IPSEC_VAR_ITEM_HEADER *Header;
- UINT8 *Ptr;
- EFI_IPSEC_CONFIG_SELECTOR *Selector;
- EFI_IPSEC_CONFIG_DATA_TYPE Type;
- VOID *Data;
- UINT8 Value;
- UINTN Size;
-
- Value = 0;
- Size = sizeof (Value);
- BufferSize = 0;
- Buffer = NULL;
-
- Status = gRT->GetVariable (
- IPSECCONFIG_STATUS_NAME,
- &gEfiIpSecConfigProtocolGuid,
- NULL,
- &Size,
- &Value
- );
-
- if (!EFI_ERROR (Status) && Value == IPSEC_STATUS_ENABLED) {
- Private->IpSec.DisabledFlag = FALSE;
- }
- //
- // Get the real size of policy database in variable.
- //
- Status = IpSecGetVariable (
- IPSECCONFIG_VARIABLE_NAME,
- &gEfiIpSecConfigProtocolGuid,
- NULL,
- &BufferSize,
- Buffer
- );
- if (Status == EFI_BUFFER_TOO_SMALL) {
-
- Buffer = AllocateZeroPool (BufferSize);
- if (Buffer == NULL) {
- return EFI_OUT_OF_RESOURCES;
- }
- //
- // Get the content of policy database in variable.
- //
- Status = IpSecGetVariable (
- IPSECCONFIG_VARIABLE_NAME,
- &gEfiIpSecConfigProtocolGuid,
- NULL,
- &BufferSize,
- Buffer
- );
- if (EFI_ERROR (Status)) {
- FreePool (Buffer);
- return Status;
- }
-
- for (Ptr = Buffer; Ptr < Buffer + BufferSize;) {
-
- Header = (IPSEC_VAR_ITEM_HEADER *) Ptr;
- Type = (EFI_IPSEC_CONFIG_DATA_TYPE) (Header->Type & IPSEC_VAR_ITEM_HEADER_CONTENT_BIT);
- ASSERT (((Header->Type & 0x80) == IPSEC_VAR_ITEM_HEADER_LOGO_BIT) && (Type < IPsecConfigDataTypeMaximum));
-
- Selector = (EFI_IPSEC_CONFIG_SELECTOR *) ALIGN_POINTER (Header + 1, sizeof (UINTN));
- Header = (IPSEC_VAR_ITEM_HEADER *) ALIGN_POINTER (
- (UINT8 *) Selector + Header->Size,
- sizeof (UINTN)
- );
- ASSERT (Header->Type == Type);
-
- Data = ALIGN_POINTER (Header + 1, sizeof (UINTN));
-
- mUnfixPolicyEntry[Type](Selector, Data);
-
- //
- // Update each policy entry according to the content in variable.
- //
- mSetBySelf = TRUE;
- Status = EfiIpSecConfigSetData (
- &Private->IpSecConfig,
- Type,
- Selector,
- Data,
- NULL
- );
- mSetBySelf = FALSE;
-
- if (EFI_ERROR (Status)) {
- FreePool (Buffer);
- return Status;
- }
-
- Ptr = ALIGN_POINTER ((UINT8 *) Data + Header->Size, sizeof (UINTN));
- }
-
- FreePool (Buffer);
- }
-
- return EFI_SUCCESS;
-}
-
-/**
- Install and Initialize IPsecConfig protocol
-
- @param[in, out] Private Pointer to IPSEC_PRIVATE_DATA. After this function finish,
- the pointer of IPsecConfig Protocol implementation will copy
- into its IPsecConfig member.
-
- @retval EFI_SUCCESS Initialized the IPsecConfig Protocol successfully.
- @retval Others Initializing the IPsecConfig Protocol failed.
-**/
-EFI_STATUS
-IpSecConfigInitialize (
- IN OUT IPSEC_PRIVATE_DATA *Private
- )
-{
- EFI_IPSEC_CONFIG_DATA_TYPE Type;
-
- CopyMem (
- &Private->IpSecConfig,
- &mIpSecConfigInstance,
- sizeof (EFI_IPSEC_CONFIG_PROTOCOL)
- );
-
- //
- // Initialize the list head of policy database.
- //
- for (Type = IPsecConfigDataTypeSpd; Type < IPsecConfigDataTypeMaximum; Type++) {
- InitializeListHead (&mConfigData[Type]);
- }
- //
- // Restore the content of policy database according to the variable.
- //
- IpSecConfigRestore (Private);
-
- return gBS->InstallMultipleProtocolInterfaces (
- &Private->Handle,
- &gEfiIpSecConfigProtocolGuid,
- &Private->IpSecConfig,
- NULL
- );
-}
diff --git a/NetworkPkg/IpSecDxe/IpSecConfigImpl.h b/NetworkPkg/IpSecDxe/IpSecConfigImpl.h deleted file mode 100644 index c3c1d37935..0000000000 --- a/NetworkPkg/IpSecDxe/IpSecConfigImpl.h +++ /dev/null @@ -1,949 +0,0 @@ -/** @file
- Definitions related to IPSEC_CONFIG_PROTOCOL implementations.
-
- Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
-
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#ifndef _IPSEC_CONFIG_IMPL_H_
-#define _IPSEC_CONFIG_IMPL_H_
-
-#include <Protocol/IpSec.h>
-#include <Protocol/IpSecConfig.h>
-
-#include <Library/BaseLib.h>
-#include <Library/BaseMemoryLib.h>
-#include <Library/PrintLib.h>
-#include <Library/MemoryAllocationLib.h>
-#include <Library/UefiRuntimeServicesTableLib.h>
-#include <Library/UefiBootServicesTableLib.h>
-#include <Library/DebugLib.h>
-
-#include "IpSecImpl.h"
-
-#define EFI_IPSEC_ANY_PROTOCOL 0xFFFF
-#define EFI_IPSEC_ANY_PORT 0
-
-#define IPSEC_VAR_ITEM_HEADER_LOGO_BIT 0x80
-#define IPSEC_VAR_ITEM_HEADER_CONTENT_BIT 0x7F
-
-#define IPSECCONFIG_VARIABLE_NAME L"IpSecConfig"
-#define IPSECCONFIG_STATUS_NAME L"IpSecStatus"
-
-#define SIZE_OF_SPD_SELECTOR(x) (sizeof (EFI_IPSEC_SPD_SELECTOR) \
- + sizeof (EFI_IP_ADDRESS_INFO) * ((x)->LocalAddressCount + (x)->RemoteAddressCount))
-
-#define FIX_REF_BUF_ADDR(addr, base) addr = (VOID *) ((UINTN) (addr) - (UINTN) (base))
-#define UNFIX_REF_BUF_ADDR(addr, base) addr = (VOID *) ((UINTN) (addr) + (UINTN) (base))
-
-//
-// The data structure used to store the genernall information of IPsec configuration.
-//
-typedef struct {
- UINT32 VariableCount; // the total number of the IPsecConfig variables.
- UINT32 VariableSize; // The total size of all IpsecConfig variables.
- UINT32 SingleVariableSize; // The max size of single variable
-} IP_SEC_VARIABLE_INFO;
-
-typedef struct {
- EFI_IPSEC_CONFIG_SELECTOR *Selector;
- VOID *Data;
- LIST_ENTRY List;
-} IPSEC_COMMON_POLICY_ENTRY;
-
-typedef struct {
- UINT8 *Ptr;
- UINTN Size;
- UINTN Capacity;
-} IPSEC_VARIABLE_BUFFER;
-
-#pragma pack(1)
-typedef struct {
- UINT8 Type;
- UINT16 Size;
-} IPSEC_VAR_ITEM_HEADER;
-#pragma pack()
-
-/**
- The prototype of Copy Source Selector to the Destination Selector.
-
- @param[in, out] DstSel Pointer of Destination Selector. It would be
- SPD Selector, or SAD Selector or PAD Selector.
- @param[in] SrcSel Pointer of Source Selector. It would be
- SPD Selector, or SAD Selector or PAD Selector.
- @param[in, out] Size The size of the Destination Selector. If it
- is not NULL and its value is less than the size of
- Source Selector, the value of Source Selector's
- size will be passed to the caller by this parameter.
-
- @retval EFI_INVALID_PARAMETER If the Destination or Source Selector is NULL.
- @retval EFI_BUFFER_TOO_SMALL If the input Size is less than size of Source Selector.
- @retval EFI_SUCCESS Copy Source Selector to the Destination
- Selector successfully.
-
-**/
-typedef
-EFI_STATUS
-(*IPSEC_DUPLICATE_SELECTOR) (
- IN OUT EFI_IPSEC_CONFIG_SELECTOR *DstSel,
- IN EFI_IPSEC_CONFIG_SELECTOR *SrcSel,
- IN OUT UINTN *Size
- );
-
-/**
- It is prototype of compare two Selectors. The Selector would be SPD Selector,
- or SAD Selector, or PAD selector.
-
- @param[in] Selector1 Pointer of the first Selector.
- @param[in] Selector2 Pointer of the second Selector.
-
- @retval TRUE These two Selectors have the same value in certain fields.
- @retval FALSE Not all fields have the same value in these two Selectors.
-
-**/
-typedef
-BOOLEAN
-(*IPSEC_COMPARE_SELECTOR) (
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector1,
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector2
- );
-
-/**
- The prototype of a function to check if the Selector is Zero by its certain fields.
-
- @param[in] Selector Pointer of the Selector.
-
- @retval TRUE If the Selector is Zero.
- @retval FALSE If the Selector is not Zero.
-
-**/
-typedef
-BOOLEAN
-(*IPSEC_IS_ZERO_SELECTOR) (
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector
- );
-
-/**
- The prototype of a function to fix the value of particular members of the Selector.
-
- @param[in] Selector Pointer of Selector.
- @param[in] Data Pointer of Data.
-
-**/
-typedef
-VOID
-(*IPSEC_FIX_POLICY_ENTRY) (
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector,
- IN VOID *Data
- );
-
-/**
- It is prototype function to define a routine function by the caller of IpSecVisitConfigData().
-
- @param[in] Type A specified IPSEC_CONFIG_DATA_TYPE.
- @param[in] Selector Points to EFI_IPSEC_CONFIG_SELECTOR to be copied
- to the buffer.
- @param[in] Data Points to data to be copied to the buffer. The
- Data type is related to the Type.
- @param[in] SelectorSize The size of the Selector.
- @param[in] DataSize The size of the Data.
- @param[in, out] Buffer The buffer to store the Selector and Data.
-
- @retval EFI_SUCCESS Copied the Selector and Data to a buffer successfully.
- @retval EFI_OUT_OF_RESOURCES The required system resource could not be allocated.
-
-**/
-typedef
-EFI_STATUS
-(*IPSEC_COPY_POLICY_ENTRY) (
- IN EFI_IPSEC_CONFIG_DATA_TYPE Type,
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector,
- IN VOID *Data,
- IN UINTN SelectorSize,
- IN UINTN DataSize,
- IN OUT VOID *Context
- );
-
-/**
- Set the security policy information for the EFI IPsec driver.
-
- The IPsec configuration data has a unique selector/identifier separately to
- identify a data entry.
-
- @param[in] Selector Pointer to an entry selector on operated
- configuration data specified by DataType.
- A NULL Selector causes the entire specified-type
- configuration information to be flushed.
- @param[in] Data The data buffer to be set.
- @param[in] Context Pointer to one entry selector that describes
- the expected position the new data entry will
- be added. If Context is NULL, the new entry will
- be appended to the end of the database.
-
- @retval EFI_INVALID_PARAMETER Certain Parameters are not correct. The Parameter
- requiring a check depends on the Selector type.
- @retval EFI_OUT_OF_RESOURCED The required system resource could not be allocated.
- @retval EFI_SUCCESS The specified configuration data was obtained successfully.
-
-**/
-typedef
-EFI_STATUS
-(*IPSEC_SET_POLICY_ENTRY) (
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector,
- IN VOID *Data,
- IN VOID *Context OPTIONAL
- );
-
-/**
- A prototype function definition to lookup the data entry from IPsec. Return the configuration
- value of the specified Entry.
-
- @param[in] Selector Pointer to an entry selector that is an identifier
- of the entry.
- @param[in, out] DataSize On output, the size of data returned in Data.
- @param[out] Data The buffer to return the contents of the IPsec
- configuration data. The type of the data buffer
- is associated with the DataType.
-
- @retval EFI_SUCCESS The specified configuration data was obtained successfully.
- @retval EFI_INVALID_PARAMETER Data is NULL and *DataSize is not zero.
- @retval EFI_NOT_FOUND The configuration data specified by Selector is not found.
- @retval EFI_BUFFER_TOO_SMALL The DataSize is too small for the result. DataSize has been
- updated with the size needed to complete the request.
-
-**/
-typedef
-EFI_STATUS
-(*IPSEC_GET_POLICY_ENTRY) (
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector,
- IN OUT UINTN *DataSize,
- IN VOID *Data
- );
-
-/**
- Compare two SPD Selectors.
-
- Compare two SPD Selector by the fields of LocalAddressCount/RemoteAddressCount/
- NextLayerProtocol/LocalPort/LocalPortRange/RemotePort/RemotePortRange and the
- Local Addresses and remote Addresses.
-
- @param[in] Selector1 Pointer of the first SPD Selector.
- @param[in] Selector2 Pointer of the second SPD Selector.
-
- @retval TRUE These two Selectors have the same value in above fields.
- @retval FALSE Not all of the above fields have the same value in these two Selectors.
-
-**/
-BOOLEAN
-CompareSpdSelector (
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector1,
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector2
- );
-
-
-/**
- Visit all IPsec Configurations of specified Type and call the caller defined
- interface.
-
- @param[in] DataType The specified IPsec Config Data Type.
- @param[in] Routine The function caller defined.
- @param[in] Context The data passed to the Routine.
-
- @retval EFI_OUT_OF_RESOURCES The required system resource could not be allocated.
- @retval EFI_SUCCESS This function complete successfully.
-
-**/
-EFI_STATUS
-IpSecVisitConfigData (
- IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,
- IN IPSEC_COPY_POLICY_ENTRY Routine,
- IN VOID *Context
- );
-
-
-/**
- This function is the subfunction of the EFIIpSecConfigSetData.
-
- This function call IpSecSetVaraible to set the IPsec Configuration into the firmware.
-
- @retval EFI_OUT_OF_RESOURCES The required system resource could not be allocated.
- @retval EFI_SUCCESS Saved the configration successfully.
- @retval Others Other errors were found while obtaining the variable.
-
-**/
-EFI_STATUS
-IpSecConfigSave (
- VOID
- );
-
-/**
- Initialize IPsecConfig protocol
-
- @param[in, out] Private Pointer to IPSEC_PRIVATE_DATA. After this function finish,
- the pointer of IPsecConfig Protocol implementation will copy
- into its IPsecConfig member.
-
- @retval EFI_SUCCESS Initialized the IPsecConfig Protocol successfully.
- @retval Others Initializing the IPsecConfig Protocol failed.
-
-**/
-EFI_STATUS
-IpSecConfigInitialize (
- IN OUT IPSEC_PRIVATE_DATA *Private
- );
-
-/**
- Calculate the entire size of EFI_IPSEC_SPD_DATA, which includes the buffer size pointed
- by the pointer members.
-
- @param[in] SpdData Pointer to a specified EFI_IPSEC_SPD_DATA.
-
- @return The entire size of the specified EFI_IPSEC_SPD_DATA.
-
-**/
-UINTN
-IpSecGetSizeOfEfiSpdData (
- IN EFI_IPSEC_SPD_DATA *SpdData
- );
-
-/**
- Calculate the a entire size of IPSEC_SPD_DATA, which includes the buffer size pointed
- by the pointer members and the buffer size used by Sa List.
-
- @param[in] SpdData Pointer to the specified IPSEC_SPD_DATA.
-
- @return The entire size of IPSEC_SPD_DATA.
-
-**/
-UINTN
-IpSecGetSizeOfSpdData (
- IN IPSEC_SPD_DATA *SpdData
- );
-
-/**
- Copy Source Process Policy to the Destination Process Policy.
-
- @param[in] Dst Pointer to the Source Process Policy.
- @param[in] Src Pointer to the Destination Process Policy.
-
-**/
-VOID
-IpSecDuplicateProcessPolicy (
- IN EFI_IPSEC_PROCESS_POLICY *Dst,
- IN EFI_IPSEC_PROCESS_POLICY *Src
- );
-
-/**
- Find if the two SPD Selectors has subordinative.
-
- Compare two SPD Selector by the fields of LocalAddressCount/RemoteAddressCount/
- NextLayerProtocol/LocalPort/LocalPortRange/RemotePort/RemotePortRange and the
- Local Addresses and remote Addresses.
-
- @param[in] Selector1 Pointer of first SPD Selector.
- @param[in] Selector2 Pointer of second SPD Selector.
-
- @retval TRUE The first SPD Selector is subordinate Selector of second SPD Selector.
- @retval FALSE The first SPD Selector is not subordinate Selector of second
- SPD Selector.
-
-**/
-BOOLEAN
-IsSubSpdSelector (
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector1,
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector2
- );
-
-/**
- Compare two SA IDs.
-
- @param[in] Selector1 Pointer of the first SA ID.
- @param[in] Selector2 Pointer of the second SA ID.
-
- @retval TRUE This two Selectors have the same SA ID.
- @retval FALSE This two Selecotrs don't have the same SA ID.
-
-**/
-BOOLEAN
-CompareSaId (
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector1,
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector2
- );
-
-/**
- Compare two PAD IDs.
-
- @param[in] Selector1 Pointer of the first PAD ID.
- @param[in] Selector2 Pointer of the second PAD ID.
-
- @retval TRUE This two Selectors have the same PAD ID.
- @retval FALSE This two Selecotrs don't have the same PAD ID.
-
-**/
-BOOLEAN
-ComparePadId (
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector1,
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector2
- );
-
-/**
- Check if the SPD Selector is Zero by its LocalAddressCount and RemoteAddressCount
- fields.
-
- @param[in] Selector Pointer of the SPD Selector.
-
- @retval TRUE If the SPD Selector is Zero.
- @retval FALSE If the SPD Selector is not Zero.
-
-**/
-BOOLEAN
-IsZeroSpdSelector (
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector
- );
-
-/**
- Check if the SA ID is Zero by its DestAddress.
-
- @param[in] Selector Pointer of the SA ID.
-
- @retval TRUE If the SA ID is Zero.
- @retval FALSE If the SA ID is not Zero.
-
-**/
-BOOLEAN
-IsZeroSaId (
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector
- );
-
-/**
- Check if the PAD ID is Zero.
-
- @param[in] Selector Pointer of the PAD ID.
-
- @retval TRUE If the PAD ID is Zero.
- @retval FALSE If the PAD ID is not Zero.
-
-**/
-BOOLEAN
-IsZeroPadId (
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector
- );
-
-/**
- Copy Source SPD Selector to the Destination SPD Selector.
-
- @param[in, out] DstSel Pointer of Destination SPD Selector.
- @param[in] SrcSel Pointer of Source SPD Selector.
- @param[in, out] Size The size of the Destination SPD Selector. If
- it is not NULL and its value is less than the
- size of Source SPD Selector, the value of
- Source SPD Selector's size will be passed to
- the caller by this parameter.
-
- @retval EFI_INVALID_PARAMETER If the Destination or Source SPD Selector is NULL.
- @retval EFI_BUFFER_TOO_SMALL If the input Size is less than size of Source SPD Selector.
- @retval EFI_SUCCESS Copy Source SPD Selector to the Destination SPD
- Selector successfully.
-
-**/
-EFI_STATUS
-DuplicateSpdSelector (
- IN OUT EFI_IPSEC_CONFIG_SELECTOR *DstSel,
- IN EFI_IPSEC_CONFIG_SELECTOR *SrcSel,
- IN OUT UINTN *Size
- );
-
-/**
- Copy Source SA ID to the Destination SA ID.
-
- @param[in, out] DstSel Pointer of the Destination SA ID.
- @param[in] SrcSel Pointer of the Source SA ID.
- @param[in, out] Size The size of the Destination SA ID. If it
- not NULL, and its value is less than the size of
- Source SA ID, the value of Source SA ID's size
- will be passed to the caller by this parameter.
-
- @retval EFI_INVALID_PARAMETER If the Destination or Source SA ID is NULL.
- @retval EFI_BUFFER_TOO_SMALL If the input Size less than size of source SA ID.
- @retval EFI_SUCCESS Copied Source SA ID to the Destination SA ID successfully.
-
-**/
-EFI_STATUS
-DuplicateSaId (
- IN OUT EFI_IPSEC_CONFIG_SELECTOR *DstSel,
- IN EFI_IPSEC_CONFIG_SELECTOR *SrcSel,
- IN OUT UINTN *Size
- );
-
-/**
- Copy Source PAD ID to the Destination PAD ID.
-
- @param[in, out] DstSel Pointer of Destination PAD ID.
- @param[in] SrcSel Pointer of Source PAD ID.
- @param[in, out] Size The size of the Destination PAD ID. If it
- not NULL, and its value less than the size of
- Source PAD ID, the value of Source PAD ID's size
- will be passed to the caller by this parameter.
-
- @retval EFI_INVALID_PARAMETER If the Destination or Source PAD ID is NULL.
- @retval EFI_BUFFER_TOO_SMALL If the input Size less than size of source PAD ID.
- @retval EFI_SUCCESS Copied Source PAD ID to the Destination PAD ID successfully.
-
-**/
-EFI_STATUS
-DuplicatePadId (
- IN OUT EFI_IPSEC_CONFIG_SELECTOR *DstSel,
- IN EFI_IPSEC_CONFIG_SELECTOR *SrcSel,
- IN OUT UINTN *Size
- );
-
-/**
- Fix the value of some members of the SPD Selector.
-
- This function is called by IpSecCopyPolicyEntry(), which copies the Policy
- Entry into the Variable. Since some members in SPD Selector are pointers,
- a physical address to relative address conversion is required before copying
- this SPD entry into the variable.
-
- @param[in] Selector Pointer of SPD Selector.
- @param[in, out] Data Pointer of SPD Data.
-
-**/
-VOID
-FixSpdEntry (
- IN EFI_IPSEC_SPD_SELECTOR *Selector,
- IN OUT EFI_IPSEC_SPD_DATA *Data
- );
-
-/**
- Fix the value of some members of SA ID.
-
- This function is called by IpSecCopyPolicyEntry(), which copies the Policy
- Entry into the Variable. Since some members in SA ID are pointers,
- a physical address to relative address conversion is required before copying
- this SAD into the variable.
-
- @param[in] SaId Pointer of SA ID.
- @param[in, out] Data Pointer of SA Data.
-
-**/
-VOID
-FixSadEntry (
- IN EFI_IPSEC_SA_ID *SaId,
- IN OUT EFI_IPSEC_SA_DATA2 *Data
- );
-
-/**
- Fix the value of some members of PAD ID.
-
- This function is called by IpSecCopyPolicyEntry(), which copy the Policy
- Entry into the Variable. Since some members in PAD ID are pointers,
- a physical address to relative address conversion is required before copying
- this PAD into the variable.
-
- @param[in] PadId Pointer of PAD ID.
- @param[in, out] Data Pointer of PAD Data.
-
-**/
-VOID
-FixPadEntry (
- IN EFI_IPSEC_PAD_ID *PadId,
- IN OUT EFI_IPSEC_PAD_DATA *Data
- );
-
-/**
- Recover the value of some members of SPD Selector.
-
- This function is corresponding to FixSpdEntry(). It recovers the value of members
- of SPD Selector which fix by the FixSpdEntry().
-
- @param[in, out] Selector Pointer of SPD Selector.
- @param[in, out] Data Pointer of SPD Data.
-
-**/
-VOID
-UnfixSpdEntry (
- IN OUT EFI_IPSEC_SPD_SELECTOR *Selector,
- IN OUT EFI_IPSEC_SPD_DATA *Data
- );
-
-
-/**
- Recover the value of some members of SA ID.
-
- This function is corresponding to FixSadEntry(). It recovers the value of members
- of SAD ID which fix by the FixSadEntry().
-
- @param[in, out] SaId Pointer of SAD ID
- @param[in, out] Data Pointer of SAD Data.
-
-**/
-VOID
-UnfixSadEntry (
- IN OUT EFI_IPSEC_SA_ID *SaId,
- IN OUT EFI_IPSEC_SA_DATA2 *Data
- );
-
-/**
- Recover the value of some members of PAD ID.
-
- This function is corresponding to FixPadEntry(). It recovers the value of members
- of PAD ID which fix by the FixPadEntry().
-
- @param[in] PadId Pointer of PAD ID
- @param[in, out] Data Pointer of PAD Data.
-
-**/
-VOID
-UnfixPadEntry (
- IN EFI_IPSEC_PAD_ID *PadId,
- IN OUT EFI_IPSEC_PAD_DATA *Data
- );
-
-/**
- Set the security policy information for the EFI IPsec driver.
-
- The IPsec configuration data has a unique selector/identifier separately to
- identify a data entry.
-
- @param[in] Selector Pointer to an entry selector on operated
- configuration data specified by DataType.
- A NULL Selector causes the entire specified-type
- configuration information to be flushed.
- @param[in] Data The data buffer to be set. The structure
- of the data buffer should be EFI_IPSEC_SPD_DATA.
- @param[in] Context Pointer to one entry selector that describes
- the expected position the new data entry will
- be added. If Context is NULL,the new entry will
- be appended the end of database.
-
- @retval EFI_INVALID_PARAMETER One or more of the following are TRUE:
- - Selector is not NULL and its LocalAddress
- is NULL or its RemoteAddress is NULL.
- - Data is not NULL, its Action is Protected,
- and its policy is NULL.
- - Data is not NULL and its Action is not protected
- and its policy is not NULL.
- - The Action of Data is Protected, its policy
- mode is Tunnel, and its tunnel option is NULL.
- - The Action of Data is protected, its policy
- mode is not Tunnel, and it tunnel option is not NULL.
- @retval EFI_OUT_OF_RESOURCED The required system resource could not be allocated.
- @retval EFI_SUCCESS The specified configuration data was obtained successfully.
-
-**/
-EFI_STATUS
-SetSpdEntry (
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector,
- IN VOID *Data,
- IN VOID *Context OPTIONAL
- );
-
-/**
- Set the security association information for the EFI IPsec driver.
-
- The IPsec configuration data has a unique selector/identifier separately to
- identify a data entry.
-
- @param[in] Selector Pointer to an entry selector on operated
- configuration data specified by DataType.
- A NULL Selector causes the entire specified-type
- configuration information to be flushed.
- @param[in] Data The data buffer to be set. The structure
- of the data buffer should be EFI_IPSEC_SA_DATA.
- @param[in] Context Pointer to one entry selector which describes
- the expected position the new data entry will
- be added. If Context is NULL,the new entry will
- be appended to the end of database.
-
- @retval EFI_OUT_OF_RESOURCED The required system resource could not be allocated.
- @retval EFI_SUCCESS The specified configuration data was obtained successfully.
-
-**/
-EFI_STATUS
-SetSadEntry (
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector,
- IN VOID *Data,
- IN VOID *Context OPTIONAL
- );
-
-/**
- Set the peer authorization configuration information for the EFI IPsec driver.
-
- The IPsec configuration data has a unique selector/identifier separately to
- identify a data entry.
-
- @param[in] Selector Pointer to an entry selector on operated
- configuration data specified by DataType.
- A NULL Selector causes the entire specified-type
- configuration information to be flushed.
- @param[in] Data The data buffer to be set. The structure
- of the data buffer should be EFI_IPSEC_PAD_DATA.
- @param[in] Context Pointer to one entry selector that describes
- the expected position where the new data entry will
- be added. If Context is NULL, the new entry will
- be appended the end of database.
-
- @retval EFI_OUT_OF_RESOURCED The required system resource could not be allocated.
- @retval EFI_SUCCESS The specified configuration data was obtained successfully.
-
-**/
-EFI_STATUS
-SetPadEntry (
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector,
- IN VOID *Data,
- IN VOID *Context OPTIONAL
- );
-
-/**
- This function looks up the data entry from IPsec SPD, and returns the configuration
- value of the specified SPD Entry.
-
- @param[in] Selector Pointer to an entry selector which is an identifier
- of the SPD entry.
- @param[in, out] DataSize On output the size of data returned in Data.
- @param[out] Data The buffer to return the contents of the IPsec
- configuration data. The type of the data buffer
- is associated with the DataType.
-
- @retval EFI_SUCCESS The specified configuration data was obtained successfully.
- @retval EFI_INVALID_PARAMETER Data is NULL and *DataSize is not zero.
- @retval EFI_NOT_FOUND The configuration data specified by Selector is not found.
- @retval EFI_BUFFER_TOO_SMALL The DataSize is too small for the result. DataSize has been
- updated with the size needed to complete the request.
-
-**/
-EFI_STATUS
-GetSpdEntry (
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector,
- IN OUT UINTN *DataSize,
- OUT VOID *Data
- );
-
-/**
- This function looks up the data entry from IPsec SAD and returns the configuration
- value of the specified SAD Entry.
-
- @param[in] Selector Pointer to an entry selector that is an identifier
- of the SAD entry.
- @param[in, out] DataSize On output, the size of data returned in Data.
- @param[out] Data The buffer to return the contents of the IPsec
- configuration data. This type of the data buffer
- is associated with the DataType.
-
- @retval EFI_SUCCESS The specified configuration data was obtained successfully.
- @retval EFI_NOT_FOUND The configuration data specified by Selector is not found.
- @retval EFI_BUFFER_TOO_SMALL The DataSize is too small for the result. DataSize has been
- updated with the size needed to complete the request.
-
-**/
-EFI_STATUS
-GetSadEntry (
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector,
- IN OUT UINTN *DataSize,
- OUT VOID *Data
- );
-
-/**
- This function looks up the data entry from IPsec PADand returns the configuration
- value of the specified PAD Entry.
-
- @param[in] Selector Pointer to an entry selector that is an identifier
- of the PAD entry.
- @param[in, out] DataSize On output the size of data returned in Data.
- @param[out] Data The buffer to return the contents of the IPsec
- configuration data. This type of the data buffer
- is associated with the DataType.
-
- @retval EFI_SUCCESS The specified configuration data was obtained successfully.
- @retval EFI_NOT_FOUND The configuration data specified by Selector is not found.
- @retval EFI_BUFFER_TOO_SMALL The DataSize is too small for the result. DataSize has been
- updated with the size needed to complete the request.
-
-**/
-EFI_STATUS
-GetPadEntry (
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector,
- IN OUT UINTN *DataSize,
- OUT VOID *Data
- );
-
-/**
- Return the configuration value for the EFI IPsec driver.
-
- This function lookup the data entry from IPsec database or IKEv2 configuration
- information. The expected data type and unique identification are described in
- DataType and Selector parameters.
-
- @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance.
- @param[in] DataType The type of data to retrieve.
- @param[in] Selector Pointer to an entry selector that is an identifier of the IPsec
- configuration data entry.
- @param[in, out] DataSize On output the size of data returned in Data.
- @param[out] Data The buffer to return the contents of the IPsec configuration data.
- The type of the data buffer is associated with the DataType.
-
- @retval EFI_SUCCESS The specified configuration data was obtained successfully.
- @retval EFI_INVALID_PARAMETER One or more of the followings are TRUE:
- - This is NULL.
- - Selector is NULL.
- - DataSize is NULL.
- - Data is NULL and *DataSize is not zero
- @retval EFI_NOT_FOUND The configuration data specified by Selector is not found.
- @retval EFI_UNSUPPORTED The specified DataType is not supported.
- @retval EFI_BUFFER_TOO_SMALL The DataSize is too small for the result. DataSize has been
- updated with the size needed to complete the request.
-
-**/
-EFI_STATUS
-EFIAPI
-EfiIpSecConfigGetData (
- IN EFI_IPSEC_CONFIG_PROTOCOL *This,
- IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector,
- IN OUT UINTN *DataSize,
- OUT VOID *Data
- );
-
-/**
- Set the security association, security policy and peer authorization configuration
- information for the EFI IPsec driver.
-
- This function is used to set the IPsec configuration information of type DataType for
- the EFI IPsec driver.
- The IPsec configuration data has a unique selector/identifier separately to identify
- a data entry. The selector structure depends on DataType's definition.
- Using SetData() with a Data of NULL causes the IPsec configuration data entry identified
- by DataType and Selector to be deleted.
-
- @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance.
- @param[in] DataType The type of data to be set.
- @param[in] Selector Pointer to an entry selector on operated configuration data
- specified by DataType. A NULL Selector causes the entire
- specified-type configuration information to be flushed.
- @param[in] Data The data buffer to be set. The structure of the data buffer is
- associated with the DataType.
- @param[in] InsertBefore Pointer to one entry selector which describes the expected
- position the new data entry will be added. If InsertBefore is NULL,
- the new entry will be appended the end of database.
-
- @retval EFI_SUCCESS The specified configuration entry data was set successfully.
- @retval EFI_INVALID_PARAMETER One or more of the following are TRUE:
- - This is NULL.
- @retval EFI_UNSUPPORTED The specified DataType is not supported.
- @retval EFI_OUT_OF_RESOURCED The required system resource could not be allocated.
-
-**/
-EFI_STATUS
-EFIAPI
-EfiIpSecConfigSetData (
- IN EFI_IPSEC_CONFIG_PROTOCOL *This,
- IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,
- IN EFI_IPSEC_CONFIG_SELECTOR *Selector,
- IN VOID *Data,
- IN EFI_IPSEC_CONFIG_SELECTOR *InsertBefore OPTIONAL
- );
-
-/**
- Enumerates the current selector for IPsec configuration data entry.
-
- This function is called multiple times to retrieve the entry Selector in IPsec
- configuration database. On each call to GetNextSelector(), the next entry
- Selector are retrieved into the output interface.
-
- If the entire IPsec configuration database has been iterated, the error
- EFI_NOT_FOUND is returned.
- If the Selector buffer is too small for the next Selector copy, an
- EFI_BUFFER_TOO_SMALL error is returned, and SelectorSize is updated to reflect
- the size of buffer needed.
-
- On the initial call to GetNextSelector() to start the IPsec configuration database
- search, a pointer to the buffer with all zero value is passed in Selector. Calls
- to SetData() between calls to GetNextSelector may produce unpredictable results.
-
- @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance.
- @param[in] DataType The type of IPsec configuration data to retrieve.
- @param[in, out] SelectorSize The size of the Selector buffer.
- @param[in, out] Selector On input, supplies the pointer to last Selector that was
- returned by GetNextSelector().
- On output, returns one copy of the current entry Selector
- of a given DataType.
-
- @retval EFI_SUCCESS The specified configuration data was obtained successfully.
- @retval EFI_INVALID_PARAMETER One or more of the followings are TRUE:
- - This is NULL.
- - SelectorSize is NULL.
- - Selector is NULL.
- @retval EFI_NOT_FOUND The next configuration data entry was not found.
- @retval EFI_UNSUPPORTED The specified DataType is not supported.
- @retval EFI_BUFFER_TOO_SMALL The SelectorSize is too small for the result. This parameter
- has been updated with the size needed to complete the search
- request.
-
-**/
-EFI_STATUS
-EFIAPI
-EfiIpSecConfigGetNextSelector (
- IN EFI_IPSEC_CONFIG_PROTOCOL *This,
- IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,
- IN OUT UINTN *SelectorSize,
- IN OUT EFI_IPSEC_CONFIG_SELECTOR *Selector
- );
-
-/**
- Register an event that is to be signaled whenever a configuration process on the
- specified IPsec configuration information is done.
-
- The register function is not surpport now and always returns EFI_UNSUPPORTED.
-
- @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance.
- @param[in] DataType The type of data to be registered the event for.
- @param[in] Event The event to be registered.
-
- @retval EFI_SUCCESS The event is registered successfully.
- @retval EFI_INVALID_PARAMETER This is NULL, or Event is NULL.
- @retval EFI_ACCESS_DENIED The Event is already registered for the DataType.
- @retval EFI_UNSUPPORTED The notify registration unsupported, or the specified
- DataType is not supported.
-
-**/
-EFI_STATUS
-EFIAPI
-EfiIpSecConfigRegisterNotify (
- IN EFI_IPSEC_CONFIG_PROTOCOL *This,
- IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,
- IN EFI_EVENT Event
- );
-
-
-/**
- Remove the specified event that was previously registered on the specified IPsec
- configuration data.
-
- This function is not supported now and always returns EFI_UNSUPPORTED.
-
- @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance.
- @param[in] DataType The configuration data type to remove the registered event for.
- @param[in] Event The event to be unregistered.
-
- @retval EFI_SUCCESS The event was removed successfully.
- @retval EFI_NOT_FOUND The Event specified by DataType could not be found in the
- database.
- @retval EFI_INVALID_PARAMETER This is NULL or Event is NULL.
- @retval EFI_UNSUPPORTED The notify registration unsupported or the specified
- DataType is not supported.
-
-**/
-EFI_STATUS
-EFIAPI
-EfiIpSecConfigUnregisterNotify (
- IN EFI_IPSEC_CONFIG_PROTOCOL *This,
- IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,
- IN EFI_EVENT Event
- );
-
-extern LIST_ENTRY mConfigData[IPsecConfigDataTypeMaximum];
-
-#endif
diff --git a/NetworkPkg/IpSecDxe/IpSecCryptIo.c b/NetworkPkg/IpSecDxe/IpSecCryptIo.c deleted file mode 100644 index b87e2ca8d4..0000000000 --- a/NetworkPkg/IpSecDxe/IpSecCryptIo.c +++ /dev/null @@ -1,1015 +0,0 @@ -/** @file
- Common interfaces to call Security library.
-
- Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
-
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#include "IpSecCryptIo.h"
-//
-// The informations for the supported Encrypt/Decrpt Alogrithm.
-//
-GLOBAL_REMOVE_IF_UNREFERENCED ENCRYPT_ALGORITHM mIpsecEncryptAlgorithmList[IPSEC_ENCRYPT_ALGORITHM_LIST_SIZE] = {
- {IKE_EALG_NULL, 0, 0, 1, NULL, NULL, NULL, NULL},
- {IKE_EALG_NONE, 0, 0, 1, NULL, NULL, NULL, NULL},
- {IKE_EALG_3DESCBC, 24, 8, 8, TdesGetContextSize, TdesInit, TdesCbcEncrypt, TdesCbcDecrypt},
- {IKE_EALG_AESCBC, 16, 16, 16, AesGetContextSize, AesInit, AesCbcEncrypt, AesCbcDecrypt}
-};
-
-//
-// The informations for the supported Authentication algorithm
-//
-GLOBAL_REMOVE_IF_UNREFERENCED AUTH_ALGORITHM mIpsecAuthAlgorithmList[IPSEC_AUTH_ALGORITHM_LIST_SIZE] = {
- {IKE_AALG_NONE, 0, 0, 0, NULL, NULL, NULL, NULL},
- {IKE_AALG_NULL, 0, 0, 0, NULL, NULL, NULL, NULL},
- {IKE_AALG_SHA1HMAC, 20, 12, 64, HmacSha1GetContextSize, HmacSha1Init, HmacSha1Update, HmacSha1Final}
-};
-
-//
-// The information for the supported Hash aglorithm
-//
-GLOBAL_REMOVE_IF_UNREFERENCED HASH_ALGORITHM mIpsecHashAlgorithmList[IPSEC_HASH_ALGORITHM_LIST_SIZE] = {
- {IKE_AALG_NONE, 0, 0, 0, NULL, NULL, NULL, NULL},
- {IKE_AALG_NULL, 0, 0, 0, NULL, NULL, NULL, NULL},
- {IKE_AALG_SHA1HMAC, 20, 12, 64, Sha1GetContextSize, Sha1Init, Sha1Update, Sha1Final}
-};
-
-BOOLEAN mInitialRandomSeed = FALSE;
-
-/**
- Get the block size of specified encryption algorithm.
-
- @param[in] AlgorithmId The encryption algorithm ID.
-
- @return The value of block size.
-
-**/
-UINTN
-IpSecGetEncryptBlockSize (
- IN UINT8 AlgorithmId
- )
-{
- UINT8 Index;
-
- for (Index = 0; Index < IPSEC_ENCRYPT_ALGORITHM_LIST_SIZE; Index++) {
- if (AlgorithmId == mIpsecEncryptAlgorithmList[Index].AlgorithmId) {
- return mIpsecEncryptAlgorithmList[Index].BlockSize;
- }
- }
-
- return (UINTN) -1;
-}
-
-/**
- Get the key length of the specified encryption algorithm.
-
- @param[in] AlgorithmId The encryption algorithm ID.
-
- @return The value of key length.
-
-**/
-UINTN
-IpSecGetEncryptKeyLength (
- IN UINT8 AlgorithmId
- )
-{
- UINT8 Index;
-
- for (Index = 0; Index < IPSEC_ENCRYPT_ALGORITHM_LIST_SIZE; Index++) {
- if (AlgorithmId == mIpsecEncryptAlgorithmList[Index].AlgorithmId) {
- return mIpsecEncryptAlgorithmList[Index].KeyLength;
- }
- }
-
- return (UINTN) -1;
-}
-
-/**
- Get the IV size of the specified encryption algorithm.
-
- @param[in] AlgorithmId The encryption algorithm ID.
-
- @return The value of IV size.
-
-**/
-UINTN
-IpSecGetEncryptIvLength (
- IN UINT8 AlgorithmId
- )
-{
- UINT8 Index;
-
- for (Index = 0; Index < IPSEC_ENCRYPT_ALGORITHM_LIST_SIZE; Index++) {
- if (AlgorithmId == mIpsecEncryptAlgorithmList[Index].AlgorithmId) {
- return mIpsecEncryptAlgorithmList[Index].IvLength;
- }
- }
-
- return (UINTN) -1;
-}
-
-/**
- Get the HMAC digest length by the specified Algorithm ID.
-
- @param[in] AlgorithmId The specified Alogrithm ID.
-
- @return The digest length of the specified Authentication Algorithm ID.
-
-**/
-UINTN
-IpSecGetHmacDigestLength (
- IN UINT8 AlgorithmId
- )
-{
- UINT8 Index;
-
- for (Index = 0; Index < IPSEC_AUTH_ALGORITHM_LIST_SIZE; Index++) {
- if (mIpsecAuthAlgorithmList[Index].AlgorithmId == AlgorithmId) {
- //
- // Return the Digest Length of the Algorithm.
- //
- return mIpsecAuthAlgorithmList[Index].DigestLength;
- }
- }
-
- return 0;
-}
-
-/**
- Get the ICV size of the specified Authenticaion algorithm.
-
- @param[in] AlgorithmId The Authentication algorithm ID.
-
- @return The value of ICV size.
-
-**/
-UINTN
-IpSecGetIcvLength (
- IN UINT8 AlgorithmId
- )
-{
- UINT8 Index;
-
- for (Index = 0; Index < IPSEC_AUTH_ALGORITHM_LIST_SIZE; Index++) {
- if (AlgorithmId == mIpsecAuthAlgorithmList[Index].AlgorithmId) {
- return mIpsecAuthAlgorithmList[Index].IcvLength;
- }
- }
-
- return (UINTN) -1;
-}
-
-/**
- Generate a random data for IV. If the IvSize is zero, not needed to create
- IV and return EFI_SUCCESS.
-
- @param[in] IvBuffer The pointer of the IV buffer.
- @param[in] IvSize The IV size in bytes.
-
- @retval EFI_SUCCESS Create a random data for IV.
-
-**/
-EFI_STATUS
-IpSecGenerateIv (
- IN UINT8 *IvBuffer,
- IN UINTN IvSize
- )
-{
- if (IvSize != 0) {
- return IpSecCryptoIoGenerateRandomBytes (IvBuffer, IvSize);
- }
-
- return EFI_SUCCESS;
-}
-
-/**
- Get index of the specified encryption algorithm from the mIpsecEncryptAlgorithmList.
-
- @param[in] AlgorithmId The encryption algorithm ID.
-
- @return the index.
-
-**/
-UINTN
-IpSecGetIndexFromEncList (
- IN UINT8 AlgorithmId
- )
-{
- UINT8 Index;
-
- for (Index = 0; Index < IPSEC_ENCRYPT_ALGORITHM_LIST_SIZE; Index++) {
- if (AlgorithmId == mIpsecEncryptAlgorithmList[Index].AlgorithmId) {
- return Index;
- }
- }
-
- return (UINTN) -1;
-}
-
-/**
- Get index of the specified encryption algorithm from the mIpsecAuthAlgorithmList.
-
- @param[in] AlgorithmId The encryption algorithm ID.
-
- @return the index.
-
-**/
-UINTN
-IpSecGetIndexFromAuthList (
- IN UINT8 AlgorithmId
- )
-{
- UINT8 Index;
-
- for (Index = 0; Index < IPSEC_AUTH_ALGORITHM_LIST_SIZE; Index++) {
- if (AlgorithmId == mIpsecAuthAlgorithmList[Index].AlgorithmId) {
- //
- // The BlockSize is same with IvSize.
- //
- return Index;
- }
- }
-
- return (UINTN) -1;
-}
-
-/**
- Encrypt the buffer.
-
- This function calls relevant encryption interface from CryptoLib according to
- the input algorithm ID. The InData should be multiple of block size. This function
- doesn't perform the padding. If it has the Ivec data, the length of it should be
- same with the block size. The block size is different from the different algorithm.
-
- @param[in] AlgorithmId The Algorithm identification defined in RFC.
- @param[in] Key Pointer to the buffer containing encrypting key.
- @param[in] KeyBits The length of the key in bits.
- @param[in] Ivec Point to the buffer containing the Initialization
- Vector (IV) data.
- @param[in] InData Point to the buffer containing the data to be
- encrypted.
- @param[in] InDataLength The length of InData in Bytes.
- @param[out] OutData Point to the buffer that receives the encryption
- output.
-
- @retval EFI_UNSUPPORTED The input Algorithm is not supported.
- @retval EFI_OUT_OF_RESOURCE The required resource can't be allocated.
- @retval EFI_SUCCESS The operation completed successfully.
-
-**/
-EFI_STATUS
-IpSecCryptoIoEncrypt (
- IN CONST UINT8 AlgorithmId,
- IN CONST UINT8 *Key,
- IN CONST UINTN KeyBits,
- IN CONST UINT8 *Ivec, OPTIONAL
- IN UINT8 *InData,
- IN UINTN InDataLength,
- OUT UINT8 *OutData
- )
-{
- UINTN Index;
- UINTN ContextSize;
- UINT8 *Context;
- EFI_STATUS Status;
-
- Status = EFI_UNSUPPORTED;
-
- switch (AlgorithmId) {
-
- case IKE_EALG_NULL:
- case IKE_EALG_NONE:
- CopyMem (OutData, InData, InDataLength);
- return EFI_SUCCESS;
-
- case IKE_EALG_3DESCBC:
- case IKE_EALG_AESCBC:
- Index = IpSecGetIndexFromEncList (AlgorithmId);
- if (Index == -1) {
- return Status;
- }
- //
- // Get Context Size
- //
- ContextSize = mIpsecEncryptAlgorithmList[Index].CipherGetContextSize ();
- Context = AllocateZeroPool (ContextSize);
-
- if (Context == NULL) {
- return EFI_OUT_OF_RESOURCES;
- }
- //
- // Initiate Context
- //
- if (mIpsecEncryptAlgorithmList[Index].CipherInitiate (Context, Key, KeyBits)) {
- if (mIpsecEncryptAlgorithmList[Index].CipherEncrypt (Context, InData, InDataLength, Ivec, OutData)) {
- Status = EFI_SUCCESS;
- }
- }
- break;
-
- default:
- return Status;
-
- }
-
- if (Context != NULL) {
- FreePool (Context);
- }
-
- return Status;
-}
-
-/**
- Decrypts the buffer.
-
- This function calls relevant Decryption interface from CryptoLib according to
- the input algorithm ID. The InData should be multiple of block size. This function
- doesn't perform the padding. If it has the Ivec data, the length of it should be
- same with the block size. The block size is different from the different algorithm.
-
- @param[in] AlgorithmId The Algorithm identification defined in RFC.
- @param[in] Key Pointer to the buffer containing encrypting key.
- @param[in] KeyBits The length of the key in bits.
- @param[in] Ivec Point to the buffer containing the Initialization
- Vector (IV) data.
- @param[in] InData Point to the buffer containing the data to be
- decrypted.
- @param[in] InDataLength The length of InData in Bytes.
- @param[out] OutData Pointer to the buffer that receives the decryption
- output.
-
- @retval EFI_UNSUPPORTED The input Algorithm is not supported.
- @retval EFI_OUT_OF_RESOURCE The required resource can't be allocated.
- @retval EFI_SUCCESS The operation completed successfully.
-
-**/
-EFI_STATUS
-IpSecCryptoIoDecrypt (
- IN CONST UINT8 AlgorithmId,
- IN CONST UINT8 *Key,
- IN CONST UINTN KeyBits,
- IN CONST UINT8 *Ivec, OPTIONAL
- IN UINT8 *InData,
- IN UINTN InDataLength,
- OUT UINT8 *OutData
- )
-{
- UINTN Index;
- UINTN ContextSize;
- UINT8 *Context;
- EFI_STATUS Status;
-
- Status = EFI_UNSUPPORTED;
-
- switch (AlgorithmId) {
-
- case IKE_EALG_NULL:
- case IKE_EALG_NONE:
- CopyMem (OutData, InData, InDataLength);
- return EFI_SUCCESS;
-
- case IKE_EALG_3DESCBC:
- case IKE_EALG_AESCBC:
- Index = IpSecGetIndexFromEncList(AlgorithmId);
- if (Index == -1) {
- return Status;
- }
-
- //
- // Get Context Size
- //
- ContextSize = mIpsecEncryptAlgorithmList[Index].CipherGetContextSize();
- Context = AllocateZeroPool (ContextSize);
- if (Context == NULL) {
- return EFI_OUT_OF_RESOURCES;
- }
-
- //
- // Initiate Context
- //
- if (mIpsecEncryptAlgorithmList[Index].CipherInitiate (Context, Key, KeyBits)) {
- if (mIpsecEncryptAlgorithmList[Index].CipherDecrypt (Context, InData, InDataLength, Ivec, OutData)) {
- Status = EFI_SUCCESS;
- }
- }
- break;
-
- default:
- return Status;
- }
-
- if (Context != NULL) {
- FreePool (Context);
- }
-
- return Status;
-}
-
-/**
- Digests the Payload with key and store the result into the OutData.
-
- This function calls relevant Hmac interface from CryptoLib according to
- the input algorithm ID. It computes all datas from InDataFragment and output
- the result into the OutData buffer. If the OutDataSize is larger than the related
- HMAC algorithm output size, return EFI_INVALID_PARAMETER.
-
- @param[in] AlgorithmId The authentication Identification.
- @param[in] Key Pointer of the authentication key.
- @param[in] KeyLength The length of the Key in bytes.
- @param[in] InDataFragment The list contains all data to be authenticated.
- @param[in] FragmentCount The size of the InDataFragment.
- @param[out] OutData For in, the buffer to receive the output data.
- For out, the buffer contains the authenticated data.
- @param[in] OutDataSize The size of the buffer of OutData.
-
- @retval EFI_UNSUPPORTED If the AuthAlg is not in the support list.
- @retval EFI_INVALID_PARAMETER The OutData buffer size is larger than algorithm digest size.
- @retval EFI_SUCCESS Authenticate the payload successfully.
- @retval otherwise Authentication of the payload fails.
-
-**/
-EFI_STATUS
-IpSecCryptoIoHmac (
- IN CONST UINT8 AlgorithmId,
- IN CONST UINT8 *Key,
- IN UINTN KeyLength,
- IN HASH_DATA_FRAGMENT *InDataFragment,
- IN UINTN FragmentCount,
- OUT UINT8 *OutData,
- IN UINTN OutDataSize
- )
-{
- UINTN ContextSize;
- UINTN Index;
- UINT8 FragmentIndex;
- UINT8 *HashContext;
- EFI_STATUS Status;
- UINT8 *OutHashData;
- UINTN OutHashSize;
-
- Status = EFI_UNSUPPORTED;
- OutHashData = NULL;
-
- OutHashSize = IpSecGetHmacDigestLength (AlgorithmId);
- //
- // If the expected hash data size is larger than the related Hash algorithm
- // output length, return EFI_INVALID_PARAMETER.
- //
- if (OutDataSize > OutHashSize) {
- return EFI_INVALID_PARAMETER;
- }
- OutHashData = AllocatePool (OutHashSize);
-
- if (OutHashData == NULL) {
- return EFI_OUT_OF_RESOURCES;
- }
-
- switch (AlgorithmId) {
-
- case IKE_AALG_NONE :
- case IKE_AALG_NULL :
- return EFI_SUCCESS;
-
- case IKE_AALG_SHA1HMAC:
- Index = IpSecGetIndexFromAuthList (AlgorithmId);
- if (Index == -1) {
- return Status;
- }
-
- //
- // Get Context Size
- //
- ContextSize = mIpsecAuthAlgorithmList[Index].HmacGetContextSize();
- HashContext = AllocateZeroPool (ContextSize);
-
- if (HashContext == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto Exit;
- }
-
- //
- // Initiate HMAC context and hash the input data.
- //
- if (mIpsecAuthAlgorithmList[Index].HmacInitiate(HashContext, Key, KeyLength)) {
- for (FragmentIndex = 0; FragmentIndex < FragmentCount; FragmentIndex++) {
- if (!mIpsecAuthAlgorithmList[Index].HmacUpdate (
- HashContext,
- InDataFragment[FragmentIndex].Data,
- InDataFragment[FragmentIndex].DataSize
- )
- ) {
- goto Exit;
- }
- }
- if (mIpsecAuthAlgorithmList[Index].HmacFinal (HashContext, OutHashData)) {
- //
- // In some cases, like the Icv computing, the Icv size might be less than
- // the key length size, so copy the part of hash data to the OutData.
- //
- CopyMem (OutData, OutHashData, OutDataSize);
- Status = EFI_SUCCESS;
- }
-
- goto Exit;
- }
-
- default:
- return Status;
- }
-
-Exit:
- if (HashContext != NULL) {
- FreePool (HashContext);
- }
- if (OutHashData != NULL) {
- FreePool (OutHashData);
- }
-
- return Status;
-}
-
-/**
- Digests the Payload and store the result into the OutData.
-
- This function calls relevant Hash interface from CryptoLib according to
- the input algorithm ID. It computes all datas from InDataFragment and output
- the result into the OutData buffer. If the OutDataSize is larger than the related
- Hash algorithm output size, return EFI_INVALID_PARAMETER.
-
- @param[in] AlgorithmId The authentication Identification.
- @param[in] InDataFragment A list contains all data to be authenticated.
- @param[in] FragmentCount The size of the InDataFragment.
- @param[out] OutData For in, the buffer to receive the output data.
- For out, the buffer contains the authenticated data.
- @param[in] OutDataSize The size of the buffer of OutData.
-
- @retval EFI_UNSUPPORTED If the AuthAlg is not in the support list.
- @retval EFI_SUCCESS Authenticated the payload successfully.
- @retval EFI_INVALID_PARAMETER If the OutDataSize is larger than the related Hash
- algorithm could handle.
- @retval otherwise Authentication of the payload failed.
-
-**/
-EFI_STATUS
-IpSecCryptoIoHash (
- IN CONST UINT8 AlgorithmId,
- IN HASH_DATA_FRAGMENT *InDataFragment,
- IN UINTN FragmentCount,
- OUT UINT8 *OutData,
- IN UINTN OutDataSize
- )
-{
- UINTN ContextSize;
- UINTN Index;
- UINT8 FragmentIndex;
- UINT8 *HashContext;
- EFI_STATUS Status;
- UINT8 *OutHashData;
- UINTN OutHashSize;
-
- Status = EFI_UNSUPPORTED;
- OutHashData = NULL;
-
- OutHashSize = IpSecGetHmacDigestLength (AlgorithmId);
- //
- // If the expected hash data size is larger than the related Hash algorithm
- // output length, return EFI_INVALID_PARAMETER.
- //
- if (OutDataSize > OutHashSize) {
- return EFI_INVALID_PARAMETER;
- }
- OutHashData = AllocatePool (OutHashSize);
- if (OutHashData == NULL) {
- return EFI_OUT_OF_RESOURCES;
- }
-
- switch (AlgorithmId) {
-
- case IKE_AALG_NONE:
- case IKE_AALG_NULL:
- return EFI_SUCCESS;
-
- case IKE_AALG_SHA1HMAC:
- Index = IpSecGetIndexFromAuthList (AlgorithmId);
- if (Index == -1) {
- return Status;
- }
- //
- // Get Context Size
- //
- ContextSize = mIpsecHashAlgorithmList[Index].HashGetContextSize();
- HashContext = AllocateZeroPool (ContextSize);
- if (HashContext == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto Exit;
- }
-
- //
- // Initiate Hash context and hash the input data.
- //
- if (mIpsecHashAlgorithmList[Index].HashInitiate(HashContext)) {
- for (FragmentIndex = 0; FragmentIndex < FragmentCount; FragmentIndex++) {
- if (!mIpsecHashAlgorithmList[Index].HashUpdate (
- HashContext,
- InDataFragment[FragmentIndex].Data,
- InDataFragment[FragmentIndex].DataSize
- )
- ) {
- goto Exit;
- }
- }
- if (mIpsecHashAlgorithmList[Index].HashFinal (HashContext, OutHashData)) {
- //
- // In some cases, like the Icv computing, the Icv size might be less than
- // the key length size, so copy the part of hash data to the OutData.
- //
- CopyMem (OutData, OutHashData, OutDataSize);
- Status = EFI_SUCCESS;
- }
-
- goto Exit;
- }
-
- default:
- return Status;
- }
-
-Exit:
- if (HashContext != NULL) {
- FreePool (HashContext);
- }
- if (OutHashData != NULL) {
- FreePool (OutHashData);
- }
-
- return Status;
-}
-
-/**
- Generates the Diffie-Hellman public key.
-
- This function first initiate a DHContext, then call the DhSetParameter() to set
- the prime and primelength, at end call the DhGenerateKey() to generates random
- secret exponent, and computes the public key. The output returned via parameter
- PublicKey and PublicKeySize. DH context is updated accordingly. If the PublicKey
- buffer is too small to hold the public key, EFI_INVALID_PARAMETER is returned
- and PublicKeySize is set to the required buffer size to obtain the public key.
-
- @param[in, out] DhContext Pointer to the DH context.
- @param[in] Generator Value of generator.
- @param[in] PrimeLength Length in bits of prime to be generated.
- @param[in] Prime Pointer to the buffer to receive the generated
- prime number.
- @param[out] PublicKey Pointer to the buffer to receive generated public key.
- @param[in, out] PublicKeySize For in, the size of PublicKey buffer in bytes.
- For out, the size of data returned in PublicKey
- buffer in bytes.
-
- @retval EFI_SUCCESS The operation performs successfully.
- @retval Otherwise The operation is failed.
-
-**/
-EFI_STATUS
-IpSecCryptoIoDhGetPublicKey (
- IN OUT UINT8 **DhContext,
- IN UINTN Generator,
- IN UINTN PrimeLength,
- IN CONST UINT8 *Prime,
- OUT UINT8 *PublicKey,
- IN OUT UINTN *PublicKeySize
- )
-{
- EFI_STATUS Status;
-
- *DhContext = DhNew ();
- ASSERT (*DhContext != NULL);
- if (!DhSetParameter (*DhContext, Generator, PrimeLength, Prime)) {
- Status = EFI_INVALID_PARAMETER;
- goto Exit;
- }
-
- if (!DhGenerateKey (*DhContext, PublicKey, PublicKeySize)) {
- Status = EFI_INVALID_PARAMETER;
- goto Exit;
- }
- return EFI_SUCCESS;
-
-Exit:
- if (*DhContext != NULL) {
- DhFree (*DhContext);
- DhContext = NULL;
- }
-
- return Status;
-}
-
-/**
- Generates exchanged common key.
-
- Given peer's public key, this function computes the exchanged common key, based
- on its own context including value of prime modulus and random secret exponent.
-
- @param[in, out] DhContext Pointer to the DH context.
- @param[in] PeerPublicKey Pointer to the peer's Public Key.
- @param[in] PeerPublicKeySize Size of peer's public key in bytes.
- @param[out] Key Pointer to the buffer to receive generated key.
- @param[in, out] KeySize For in, the size of Key buffer in bytes.
- For out, the size of data returned in Key
- buffer in bytes.
-
- @retval EFI_SUCCESS The operation performs successfully.
- @retval Otherwise The operation is failed.
-
-**/
-EFI_STATUS
-IpSecCryptoIoDhComputeKey (
- IN OUT UINT8 *DhContext,
- IN CONST UINT8 *PeerPublicKey,
- IN UINTN PeerPublicKeySize,
- OUT UINT8 *Key,
- IN OUT UINTN *KeySize
- )
-{
- if (!DhComputeKey (DhContext, PeerPublicKey, PeerPublicKeySize, Key, KeySize)) {
- return EFI_INVALID_PARAMETER;
- }
-
- return EFI_SUCCESS;
-}
-
-/**
- Releases the DH context. If DhContext is NULL, return EFI_INVALID_PARAMETER.
-
- @param[in, out] DhContext Pointer to the DH context to be freed.
-
- @retval EFI_SUCCESS The operation performs successfully.
- @retval EFI_INVALID_PARAMETER The DhContext is NULL.
-
-**/
-EFI_STATUS
-IpSecCryptoIoFreeDh (
- IN OUT UINT8 **DhContext
- )
-{
- if (*DhContext == NULL) {
- return EFI_INVALID_PARAMETER;
- }
-
- DhFree (*DhContext);
- return EFI_SUCCESS;
-}
-
-/**
- Generates random numbers of specified size.
-
- If the Random Generator wasn't initiated, initiate it first, then call RandomBytes.
-
- @param[out] OutBuffer Pointer to buffer to receive random value.
- @param[in] Bytes Size of random bytes to generate.
-
- @retval EFI_SUCCESS The operation performs successfully.
- @retval Otherwise The operation is failed.
-
-**/
-EFI_STATUS
-IpSecCryptoIoGenerateRandomBytes (
- OUT UINT8* OutBuffer,
- IN UINTN Bytes
- )
-{
- if (!mInitialRandomSeed) {
- RandomSeed (NULL, 0);
- mInitialRandomSeed = TRUE;
- }
- if (RandomBytes (OutBuffer, Bytes)) {
- return EFI_SUCCESS;
- } else {
- return EFI_INVALID_PARAMETER;
- }
-}
-
-/**
- Authenticate data with the certificate.
-
- @param[in] InData Pointer to the Data to be signed.
- @param[in] InDataSize InData size in bytes.
- @param[in] PrivateKey Pointer to the private key.
- @param[in] PrivateKeySize The size of Private Key in bytes.
- @param[in] KeyPassWord Pointer to the password for retrieving private key.
- @param[in] KeyPwdSize The size of Key Password in bytes.
- @param[out] OutData The pointer to the signed data.
- @param[in, out] OutDataSize Pointer to contain the size of out data.
-
-**/
-VOID
-IpSecCryptoIoAuthDataWithCertificate (
- IN UINT8 *InData,
- IN UINTN InDataSize,
- IN UINT8 *PrivateKey,
- IN UINTN PrivateKeySize,
- IN UINT8 *KeyPassWord,
- IN UINTN KeyPwdSize,
- OUT UINT8 **OutData,
- IN OUT UINTN *OutDataSize
- )
-{
- UINT8 *RsaContext;
- UINT8 *Signature;
- UINTN SigSize;
-
- SigSize = 0;
- RsaContext = NULL;
-
- //
- // Retrieve RSA Private Key from password-protected PEM data
- //
- RsaGetPrivateKeyFromPem (
- (CONST UINT8 *)PrivateKey,
- PrivateKeySize,
- (CONST CHAR8 *)KeyPassWord,
- (VOID **) &RsaContext
- );
- if (RsaContext == NULL) {
- return;
- }
-
- //
- // Sign data
- //
- Signature = NULL;
- if (!RsaPkcs1Sign (RsaContext, InData, InDataSize, Signature, &SigSize)) {
- Signature = AllocateZeroPool (SigSize);
- } else {
- return;
- }
-
- RsaPkcs1Sign (RsaContext, InData, InDataSize, Signature, &SigSize);
-
- *OutData = Signature;
- *OutDataSize = SigSize;
-
- if (RsaContext != NULL) {
- RsaFree (RsaContext);
- }
-}
-
-/**
- Verify the singed data with the public key which is contained in a certificate.
-
- @param[in] InCert Pointer to the Certificate which contains the
- public key.
- @param[in] CertLen The size of Certificate in bytes.
- @param[in] InCa Pointer to the CA certificate
- @param[in] CaLen The size of CA certificate in bytes.
- @param[in] InData Pointer to octet message hash to be checked.
- @param[in] InDataSize Size of the message hash in bytes.
- @param[in] Singnature The pointer to the RSA PKCS1-V1_5 signature to be verified.
- @param[in] SigSize Size of signature in bytes.
-
- @retval TRUE Valid signature encoded in PKCS1-v1_5.
- @retval FALSE Invalid signature or invalid RSA context.
-
-**/
-BOOLEAN
-IpSecCryptoIoVerifySignDataByCertificate (
- IN UINT8 *InCert,
- IN UINTN CertLen,
- IN UINT8 *InCa,
- IN UINTN CaLen,
- IN UINT8 *InData,
- IN UINTN InDataSize,
- IN UINT8 *Singnature,
- IN UINTN SigSize
- )
-{
- UINT8 *RsaContext;
- BOOLEAN Status;
-
- //
- // Create the RSA Context
- //
- RsaContext = RsaNew ();
- if (RsaContext == NULL) {
- return FALSE;
- }
-
- //
- // Verify the validity of X509 Certificate
- //
- if (!X509VerifyCert (InCert, CertLen, InCa, CaLen)) {
- return FALSE;
- }
-
- //
- // Retrieve the RSA public Key from Certificate
- //
- RsaGetPublicKeyFromX509 ((CONST UINT8 *)InCert, CertLen, (VOID **)&RsaContext);
-
- //
- // Verify data
- //
- Status = RsaPkcs1Verify (RsaContext, InData, InDataSize, Singnature, SigSize);
-
- if (RsaContext != NULL) {
- RsaFree (RsaContext);
- }
-
- return Status;
-}
-
-/**
- Retrieves the RSA Public Key from one X509 certificate (DER format only).
-
- @param[in] InCert Pointer to the certificate.
- @param[in] CertLen The size of the certificate in bytes.
- @param[out] PublicKey Pointer to the retrieved public key.
- @param[out] PublicKeyLen Size of Public Key in bytes.
-
- @retval EFI_SUCCESS Successfully get the public Key.
- @retval EFI_INVALID_PARAMETER The certificate is malformed.
-
-**/
-EFI_STATUS
-IpSecCryptoIoGetPublicKeyFromCert (
- IN UINT8 *InCert,
- IN UINTN CertLen,
- OUT UINT8 **PublicKey,
- OUT UINTN *PublicKeyLen
- )
-{
- UINT8 *RsaContext;
- EFI_STATUS Status;
-
- Status = EFI_SUCCESS;
-
- //
- // Create the RSA Context
- //
- RsaContext = RsaNew ();
-
- //
- // Retrieve the RSA public key from CA Certificate
- //
- if (!RsaGetPublicKeyFromX509 ((CONST UINT8 *)InCert, CertLen, (VOID **) &RsaContext)) {
- Status = EFI_INVALID_PARAMETER;
- goto EXIT;
- }
-
- *PublicKeyLen = 0;
-
- RsaGetKey (RsaContext, RsaKeyN, NULL, PublicKeyLen);
-
- *PublicKey = AllocateZeroPool (*PublicKeyLen);
- if (*PublicKey == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto EXIT;
- }
-
- if (!RsaGetKey (RsaContext, RsaKeyN, *PublicKey, PublicKeyLen)) {
- Status = EFI_INVALID_PARAMETER;
- }
-
-EXIT:
- if (RsaContext != NULL) {
- RsaFree (RsaContext);
- }
-
- return Status;
-}
-
-/**
- Retrieves the subject name from one X509 certificate (DER format only).
-
- @param[in] InCert Pointer to the X509 certificate.
- @param[in] CertSize The size of the X509 certificate in bytes.
- @param[out] CertSubject Pointer to the retrieved certificate subject.
- @param[out] SubjectSize The size of Certificate Subject in bytes.
-
- @retval EFI_SUCCESS Retrieved the certificate subject successfully.
- @retval EFI_INVALID_PARAMETER The certificate is malformed.
-
-**/
-EFI_STATUS
-IpSecCryptoIoGetSubjectFromCert (
- IN UINT8 *InCert,
- IN UINTN CertSize,
- OUT UINT8 **CertSubject,
- OUT UINTN *SubjectSize
- )
-{
- EFI_STATUS Status;
-
- Status = EFI_SUCCESS;
-
- *SubjectSize = 0;
- X509GetSubjectName (InCert, CertSize, *CertSubject, SubjectSize);
-
- *CertSubject = AllocateZeroPool (*SubjectSize);
- if (!X509GetSubjectName (InCert, CertSize, *CertSubject, SubjectSize)) {
- Status = EFI_INVALID_PARAMETER;
- }
-
- return Status;
-}
diff --git a/NetworkPkg/IpSecDxe/IpSecCryptIo.h b/NetworkPkg/IpSecDxe/IpSecCryptIo.h deleted file mode 100644 index dfb1d2df89..0000000000 --- a/NetworkPkg/IpSecDxe/IpSecCryptIo.h +++ /dev/null @@ -1,821 +0,0 @@ -/** @file
- Definitions related to the Cryptographic Operations in IPsec.
-
- Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
-
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-#ifndef _EFI_IPSEC_CRYPTIO_H_
-#define _EFI_IPSEC_CRYPTIO_H_
-
-#include <Protocol/IpSecConfig.h>
-#include <Library/DebugLib.h>
-#include <Library/BaseCryptLib.h>
-#include <Library/BaseMemoryLib.h>
-#include <Library/MemoryAllocationLib.h>
-
-#include "IpSecImpl.h"
-#include "IkeCommon.h"
-
-#define IPSEC_ENCRYPT_ALGORITHM_LIST_SIZE 4
-#define IPSEC_AUTH_ALGORITHM_LIST_SIZE 3
-#define IPSEC_HASH_ALGORITHM_LIST_SIZE 3
-
-///
-/// Authentication Algorithm Definition
-/// The number value definition is aligned to IANA assignment
-///
-#define IKE_AALG_NONE 0x00
-#define IKE_AALG_SHA1HMAC 0x02
-#define IKE_AALG_NULL 0xFB
-
-///
-/// Encryption Algorithm Definition
-/// The number value definition is aligned to IANA assignment
-///
-#define IKE_EALG_NONE 0x00
-#define IKE_EALG_3DESCBC 0x03
-#define IKE_EALG_NULL 0x0B
-#define IKE_EALG_AESCBC 0x0C
-
-/**
- Prototype of HMAC GetContextSize.
-
- Retrieves the size, in bytes, of the context buffer required.
-
- @return The size, in bytes, of the context buffer required.
-
-**/
-typedef
-UINTN
-(EFIAPI *CRYPTO_HMAC_GETCONTEXTSIZE)(
- VOID
- );
-
-/**
- Prototype of HMAC Operation Initiating.
-
- Initialization with a new context.
-
- @param[out] Context Input Context.
- @param[in] Key Pointer to the key for HMAC.
- @param[in] KeySize The length of the Key in bytes.
-
- @retval TRUE Initialization Successfully.
-
-**/
-typedef
-BOOLEAN
-(EFIAPI *CRYPTO_HMAC_INIT)(
- OUT VOID *Context,
- IN CONST UINT8 *Key,
- IN UINTN KeySize
- );
-
-/**
- Prototype of HMAC update.
- HMAC update operation. Continue an HMAC message digest operation, processing
- another message block, and updating the HMAC context.
-
- If Context is NULL, then ASSERT().
- If Data is NULL, then ASSERT().
-
- @param[in,out] Context The Specified Context.
- @param[in,out] Data The Input Data to be digested.
- @param[in] DataLength The length, in bytes, of Data.
-
- @retval TRUE Update data successfully.
- @retval FALSE The Context has been finalized.
-
-**/
-typedef
-BOOLEAN
-(EFIAPI *CRYPTO_HMAC_UPDATE)(
- IN OUT VOID *Context,
- IN CONST VOID *Data,
- IN UINTN DataLength
- );
-
-/**
- Prototype of HMAC finalization.
- Terminate a HMAC message digest operation and output the message digest.
-
- If Context is NULL, then ASSERT().
- If HashValue is NULL, then ASSERT().
-
- @param[in,out] Context The specified Context.
- @param[out] HmacValue Pointer to a 16-byte message digest output buffer.
-
- @retval TRUE Finalized successfully.
-
-**/
-typedef
-BOOLEAN
-(EFIAPI *CRYPTO_HMAC_FINAL)(
- IN OUT VOID *Context,
- OUT UINT8 *HmacValue
- );
-
-/**
- Prototype of Block Cipher GetContextSize.
-
- Retrieves the size, in bytes, of the context buffer required.
-
- @return The size, in bytes, of the context buffer required.
-
-**/
-typedef
-UINTN
-(EFIAPI *CRYPTO_CIPHER_GETCONTEXTSIZE)(
- VOID
- );
-
-/**
- Prototype of Block Cipher initiation.
- Initializes the user-supplied key as the specified context (key materials) for both
- encryption and decryption operations.
-
- If Context is NULL, then ASSERT().
- If Key is NULL, then generate random key for usage.
-
- @param[in,out] Context The specified Context.
- @param[in] Key User-supplied cipher key.
- @param[in] KeyBits Key length in bits.
-
- @retval TRUE Block Cipher Initialization was successful.
-
-**/
-typedef
-BOOLEAN
-(EFIAPI *CRYPTO_CIPHER_INIT)(
- IN OUT VOID *Context,
- IN CONST UINT8 *Key,
- IN UINTN KeyBits
- );
-
-/**
- Prototype of Cipher encryption.
- Encrypts plaintext message with the specified cipher.
-
- If Context is NULL, then ASSERT().
- If InData is NULL, then ASSERT().
- If Size of input data is not multiple of Cipher algorithm related block size,
- then ASSERT().
-
- @param[in] Context The specified Context.
- @param[in] InData The input plaintext data to be encrypted.
- @param[in] InputSize The size of input data.
- @param[in] Ivec Pointer to Initial Vector data for encryption.
- @param[out] OutData The resultant encrypted ciphertext.
-
- @retval TRUE Encryption successful.
-
-**/
-typedef
-BOOLEAN
-(EFIAPI *CRYPTO_CIPHER_ENCRYPT)(
- IN VOID *Context,
- IN CONST UINT8 *InData,
- IN UINTN InputSize,
- IN CONST UINT8 *Ivec,
- OUT UINT8 *OutData
- );
-
-/**
- Prototype of Cipher decryption.
- Decrypts cipher message with specified cipher.
-
- If Context is NULL, then ASSERT().
- If InData is NULL, then ASSERT().
- If Size of input data is not a multiple of a certaion block size , then ASSERT().
-
- @param[in] Context The specified Context.
- @param[in] InData The input ciphertext data to be decrypted.
- @param[in] InputSize The InData size.
- @param[in] Ivec Pointer to the Initial Vector data for decryption.
- @param[out] OutData The resultant decrypted plaintext.
-
- @retval TRUE Decryption successful.
-
-**/
-typedef
-BOOLEAN
-(EFIAPI *CRYPTO_CIPHER_DECRYPT)(
- IN VOID *Context,
- IN CONST UINT8 *InData,
- IN UINTN InputSize,
- IN CONST UINT8 *Ivec,
- OUT UINT8 *OutData
- );
-
-/**
- Prototype of Hash ContextSize.
-
- Retrieves the size, in bytes, of the context buffer required for specified hash operations.
-
- @return The size, in bytes, of the context buffer required for certain hash operations.
-
-**/
-typedef
-UINTN
-(EFIAPI *CRYPTO_HASH_GETCONTEXTSIZE)(
- VOID
- );
-
-/**
- Prototype of Hash Initiate.
-
- Initializes user-supplied memory pointed by Context as specified hash context for
- subsequent use.
-
- If Context is NULL, then ASSERT().
-
- @param[out] Context Pointer to specified context being initialized.
-
- @retval TRUE context initialization succeeded.
- @retval FALSE context initialization failed.
-
-**/
-typedef
-BOOLEAN
-(EFIAPI *CRYPTO_HASH_INIT)(
- OUT VOID *Context
- );
-
-/**
- Prototype of Hash Update
-
- Digests the input data and updates hash context.
-
- This function performs digest on a data buffer of the specified size.
- It can be called multiple times to compute the digest of long or discontinuous data streams.
- Context should be already correctly initialized by HashInit(), and should not be finalized
- by HashFinal(). Behavior with invalid context is undefined.
-
- If Context is NULL, then ASSERT().
-
- @param[in, out] Context Pointer to the specified context.
- @param[in] Data Pointer to the buffer containing the data to be hashed.
- @param[in] DataSize Size of Data buffer in bytes.
-
- @retval TRUE data digest succeeded.
- @retval FALSE data digest failed.
-
-**/
-typedef
-BOOLEAN
-(EFIAPI *CRYPTO_HASH_UPDATE)(
- IN OUT VOID *Context,
- IN CONST VOID *Data,
- IN UINTN DataSize
- );
-
-/**
- Prototype of Hash Finalization.
-
- Completes computation of the digest value.
-
- This function completes hash computation and retrieves the digest value into
- the specified memory. After this function has been called, the context cannot
- be used again.
- context should be already correctly initialized by HashInit(), and should not be
- finalized by HashFinal(). Behavior with invalid context is undefined.
-
- If Context is NULL, then ASSERT().
- If HashValue is NULL, then ASSERT().
-
- @param[in, out] Context Pointer to the specified context.
- @param[out] HashValue Pointer to a buffer that receives the digest
- value.
-
- @retval TRUE digest computation succeeded.
- @retval FALSE digest computation failed.
-
-**/
-typedef
-BOOLEAN
-(EFIAPI *CRYPTO_HASH_FINAL)(
- IN OUT VOID *Context,
- OUT UINT8 *HashValue
- );
-
-//
-// The struct used to store the information and operation of Block Cipher algorithm.
-//
-typedef struct _ENCRYPT_ALGORITHM {
- //
- // The ID of the Algorithm
- //
- UINT8 AlgorithmId;
- //
- // The Key length of the Algorithm
- //
- UINTN KeyLength;
- //
- // Iv Size of the Algorithm
- //
- UINTN IvLength;
- //
- // The Block Size of the Algorithm
- //
- UINTN BlockSize;
- //
- // The Function pointer of GetContextSize.
- //
- CRYPTO_CIPHER_GETCONTEXTSIZE CipherGetContextSize;
- //
- // The Function pointer of Cipher initiation.
- //
- CRYPTO_CIPHER_INIT CipherInitiate;
- //
- // The Function pointer of Cipher Encryption.
- //
- CRYPTO_CIPHER_ENCRYPT CipherEncrypt;
- //
- // The Function pointer of Cipher Decryption.
- //
- CRYPTO_CIPHER_DECRYPT CipherDecrypt;
-} ENCRYPT_ALGORITHM;
-
-//
-// The struct used to store the information and operation of Authentication algorithm.
-//
-typedef struct _AUTH_ALGORITHM {
- //
- // ID of the Algorithm
- //
- UINT8 AlgorithmId;
- //
- // The Key length of the Algorithm
- //
- UINTN DigestLength;
- //
- // The ICV length of the Algorithm
- //
- UINTN IcvLength;
- //
- // The block size of the Algorithm
- //
- UINTN BlockSize;
- //
- // The function pointer of GetContextSize.
- //
- CRYPTO_HMAC_GETCONTEXTSIZE HmacGetContextSize;
- //
- // The function pointer of Initiation
- //
- CRYPTO_HMAC_INIT HmacInitiate;
- //
- // The function pointer of HMAC Update.
- //
- CRYPTO_HMAC_UPDATE HmacUpdate;
- //
- // The fucntion pointer of HMAC Final
- //
- CRYPTO_HMAC_FINAL HmacFinal;
-} AUTH_ALGORITHM;
-
-//
-// The struct used to store the information and operation of Hash algorithm.
-//
-typedef struct _HASH_ALGORITHM {
- //
- // ID of the Algorithm
- //
- UINT8 AlgorithmId;
- //
- // The Key length of the Algorithm
- //
- UINTN DigestLength;
- //
- // The ICV length of the Algorithm
- //
- UINTN IcvLength;
- //
- // The block size of the Algorithm
- //
- UINTN BlockSize;
- //
- // The function pointer of GetContextSize
- //
- CRYPTO_HASH_GETCONTEXTSIZE HashGetContextSize;
- //
- // The function pointer of Initiation
- //
- CRYPTO_HASH_INIT HashInitiate;
- //
- // The function pointer of Hash Update
- //
- CRYPTO_HASH_UPDATE HashUpdate;
- //
- // The fucntion pointer of Hash Final
- //
- CRYPTO_HASH_FINAL HashFinal;
-} HASH_ALGORITHM;
-
-/**
- Get the IV size of specified encryption algorithm.
-
- @param[in] AlgorithmId The encryption algorithm ID.
-
- @return The value of IV size.
-
-**/
-UINTN
-IpSecGetEncryptIvLength (
- IN UINT8 AlgorithmId
- );
-
-/**
- Get the block size of specified encryption algorithm.
-
- @param[in] AlgorithmId The encryption algorithm ID.
-
- @return The value of block size.
-
-**/
-UINTN
-IpSecGetEncryptBlockSize (
- IN UINT8 AlgorithmId
- );
-
-/**
- Get the required key length of the specified encryption algorithm.
-
- @param[in] AlgorithmId The encryption algorithm ID.
-
- @return The value of key length.
-
-**/
-UINTN
-IpSecGetEncryptKeyLength (
- IN UINT8 AlgorithmId
- );
-
-/**
- Get the ICV size of the specified Authentication algorithm.
-
- @param[in] AlgorithmId The Authentication algorithm ID.
-
- @return The value of ICV size.
-
-**/
-UINTN
-IpSecGetIcvLength (
- IN UINT8 AlgorithmId
- );
-
-/**
- Get the HMAC digest length by the specified Algorithm ID.
-
- @param[in] AlgorithmId The specified Algorithm ID.
-
- @return The digest length of the specified Authentication Algorithm ID.
-
-**/
-UINTN
-IpSecGetHmacDigestLength (
- IN UINT8 AlgorithmId
- );
-
-/**
- Generate a random data for IV. If the IvSize is zero, not needed to create
- IV and return EFI_SUCCESS.
-
- @param[in] IvBuffer The pointer of the IV buffer.
- @param[in] IvSize The IV size in bytes.
-
- @retval EFI_SUCCESS Create random data for IV.
-
-**/
-EFI_STATUS
-IpSecGenerateIv (
- IN UINT8 *IvBuffer,
- IN UINTN IvSize
- );
-
-/**
- Encrypt the buffer.
-
- This function calls relevant encryption interface from CryptoLib according to
- the input algorithm ID. The InData should be multiple of block size. This function
- doesn't perform the padding. If it has the Ivec data, the length of it should be
- same with the block size. The block size is different from the different algorithm.
-
- @param[in] AlgorithmId The Algorithm identification defined in RFC.
- @param[in] Key Pointer to the buffer containing encrypting key.
- @param[in] KeyBits The length of the key in bits.
- @param[in] Ivec Point to the buffer containing the Initialization
- Vector (IV) data.
- @param[in] InData Point to the buffer containing the data to be
- encrypted.
- @param[in] InDataLength The length of InData in Bytes.
- @param[out] OutData Point to the buffer that receives the encryption
- output.
-
- @retval EFI_UNSUPPORTED The input Algorithm is not supported.
- @retval EFI_OUT_OF_RESOURCE The required resource can't be allocated.
- @retval EFI_SUCCESS The operation completed successfully.
-
-**/
-EFI_STATUS
-IpSecCryptoIoEncrypt (
- IN CONST UINT8 AlgorithmId,
- IN CONST UINT8 *Key,
- IN CONST UINTN KeyBits,
- IN CONST UINT8 *Ivec, OPTIONAL
- IN UINT8 *InData,
- IN UINTN InDataLength,
- OUT UINT8 *OutData
- );
-
-/**
- Decrypts the buffer.
-
- This function calls relevant Decryption interface from CryptoLib according to
- the input algorithm ID. The InData should be multiple of block size. This function
- doesn't perform the padding. If it has the Ivec data, the length of it should be
- same with the block size. The block size is different from the different algorithm.
-
- @param[in] AlgorithmId The Algorithm identification defined in RFC.
- @param[in] Key Pointer to the buffer containing encrypting key.
- @param[in] KeyBits The length of the key in bits.
- @param[in] Ivec Point to the buffer containing the Initialization
- Vector (IV) data.
- @param[in] InData Point to the buffer containing the data to be
- decrypted.
- @param[in] InDataLength The length of InData in Bytes.
- @param[out] OutData Pointer to the buffer that receives the decryption
- output.
-
- @retval EFI_UNSUPPORTED The input Algorithm is not supported.
- @retval EFI_OUT_OF_RESOURCE The required resource can't be allocated.
- @retval EFI_SUCCESS The operation completed successfully.
-
-**/
-EFI_STATUS
-IpSecCryptoIoDecrypt (
- IN CONST UINT8 AlgorithmId,
- IN CONST UINT8 *Key,
- IN CONST UINTN KeyBits,
- IN CONST UINT8 *Ivec, OPTIONAL
- IN UINT8 *InData,
- IN UINTN InDataLength,
- OUT UINT8 *OutData
- );
-
-/**
- Digests the Payload with key and store the result into the OutData.
-
- This function calls relevant Hmac interface from CryptoLib according to
- the input algorithm ID. It computes all datas from InDataFragment and output
- the result into the OutData buffer. If the OutDataSize is larger than the related
- HMAC algorithm output size, return EFI_INVALID_PARAMETER.
-
- @param[in] AlgorithmId The authentication Identification.
- @param[in] Key Pointer of the authentication key.
- @param[in] KeyLength The length of the Key in bytes.
- @param[in] InDataFragment The list contains all data to be authenticated.
- @param[in] FragmentCount The size of the InDataFragment.
- @param[out] OutData For in, the buffer to receive the output data.
- For out, the buffer contains the authenticated data.
- @param[in] OutDataSize The size of the buffer of OutData.
-
- @retval EFI_UNSUPPORTED If the AuthAlg is not in the support list.
- @retval EFI_INVALID_PARAMETER The OutData buffer size is larger than algorithm digest size.
- @retval EFI_SUCCESS Authenticate the payload successfully.
- @retval otherwise Authentication of the payload fails.
-
-**/
-EFI_STATUS
-IpSecCryptoIoHmac (
- IN CONST UINT8 AlgorithmId,
- IN CONST UINT8 *Key,
- IN UINTN KeyLength,
- IN HASH_DATA_FRAGMENT *InDataFragment,
- IN UINTN FragmentCount,
- OUT UINT8 *OutData,
- IN UINTN OutDataSize
- );
-
-/**
- Digests the Payload and store the result into the OutData.
-
- This function calls relevant Hash interface from CryptoLib according to
- the input algorithm ID. It computes all datas from InDataFragment and output
- the result into the OutData buffer. If the OutDataSize is larger than the related
- Hash algorithm output size, return EFI_INVALID_PARAMETER.
-
- @param[in] AlgorithmId The authentication Identification.
- @param[in] InDataFragment A list contains all data to be authenticated.
- @param[in] FragmentCount The size of the InDataFragment.
- @param[out] OutData For in, the buffer to receive the output data.
- For out, the buffer contains the authenticated data.
- @param[in] OutDataSize The size of the buffer of OutData.
-
- @retval EFI_UNSUPPORTED If the AuthAlg is not in the support list.
- @retval EFI_SUCCESS Authenticated the payload successfully.
- @retval EFI_INVALID_PARAMETER If the OutDataSize is larger than the related Hash
- algorithm could handle.
- @retval otherwise Authentication of the payload failed.
-
-**/
-EFI_STATUS
-IpSecCryptoIoHash (
- IN CONST UINT8 AlgorithmId,
- IN HASH_DATA_FRAGMENT *InDataFragment,
- IN UINTN FragmentCount,
- OUT UINT8 *OutData,
- IN UINTN OutDataSize
- );
-
-/**
- Generates the Diffie-Hellman public key.
-
- This function first initiate a DHContext, then call the DhSetParameter() to set
- the prime and primelength, at end call the DhGenerateKey() to generates random
- secret exponent, and computes the public key. The output returned via parameter
- PublicKey and PublicKeySize. DH context is updated accordingly. If the PublicKey
- buffer is too small to hold the public key, EFI_INVALID_PARAMETER is returned
- and PublicKeySize is set to the required buffer size to obtain the public key.
-
- @param[in, out] DhContext Pointer to the DH context.
- @param[in] Generator Value of generator.
- @param[in] PrimeLength Length in bits of prime to be generated.
- @param[in] Prime Pointer to the buffer to receive the generated
- prime number.
- @param[out] PublicKey Pointer to the buffer to receive generated public key.
- @param[in, out] PublicKeySize For in, the size of PublicKey buffer in bytes.
- For out, the size of data returned in PublicKey
- buffer in bytes.
-
- @retval EFI_SUCCESS The operation performs successfully.
- @retval Otherwise The operation is failed.
-
-**/
-EFI_STATUS
-IpSecCryptoIoDhGetPublicKey (
- IN OUT UINT8 **DhContext,
- IN UINTN Generator,
- IN UINTN PrimeLength,
- IN CONST UINT8 *Prime,
- OUT UINT8 *PublicKey,
- IN OUT UINTN *PublicKeySize
- );
-
-/**
- Generates exchanged common key.
-
- Given peer's public key, this function computes the exchanged common key, based
- on its own context including value of prime modulus and random secret exponent.
-
- @param[in, out] DhContext Pointer to the DH context.
- @param[in] PeerPublicKey Pointer to the peer's Public Key.
- @param[in] PeerPublicKeySize Size of peer's public key in bytes.
- @param[out] Key Pointer to the buffer to receive generated key.
- @param[in, out] KeySize For in, the size of Key buffer in bytes.
- For out, the size of data returned in Key
- buffer in bytes.
-
- @retval EFI_SUCCESS The operation performs successfully.
- @retval Otherwise The operation is failed.
-
-**/
-EFI_STATUS
-IpSecCryptoIoDhComputeKey (
- IN OUT UINT8 *DhContext,
- IN CONST UINT8 *PeerPublicKey,
- IN UINTN PeerPublicKeySize,
- OUT UINT8 *Key,
- IN OUT UINTN *KeySize
- );
-
-/**
- Releases the DH context. If DhContext is NULL, return EFI_INVALID_PARAMETER.
-
- @param[in, out] DhContext Pointer to the DH context to be freed.
-
- @retval EFI_SUCCESS The operation performs successfully.
- @retval EFI_INVALID_PARAMETER The DhContext is NULL.
-
-**/
-EFI_STATUS
-IpSecCryptoIoFreeDh (
- IN OUT UINT8 **DhContext
- );
-
-/**
- Generates random numbers of specified size.
-
- If the Random Generator wasn't initiated, initiate it first, then call RandomBytes.
-
- @param[out] OutBuffer Pointer to buffer to receive random value.
- @param[in] Bytes Size of random bytes to generate.
-
- @retval EFI_SUCCESS The operation performs successfully.
- @retval Otherwise The operation is failed.
-
-**/
-EFI_STATUS
-IpSecCryptoIoGenerateRandomBytes (
- OUT UINT8* OutBuffer,
- IN UINTN Bytes
- );
-
-/**
- Authenticate data with the certificate.
-
- @param[in] InData Pointer to the Data to be signed.
- @param[in] InDataSize InData size in bytes.
- @param[in] PrivateKey Pointer to the private key.
- @param[in] PrivateKeySize The size of Private Key in bytes.
- @param[in] KeyPassWord Pointer to the password for retrieving private key.
- @param[in] KeyPwdSize The size of Key Password in bytes.
- @param[out] OutData The pointer to the signed data.
- @param[in, out] OutDataSize Pointer to contain the size of out data.
-
-**/
-VOID
-IpSecCryptoIoAuthDataWithCertificate (
- IN UINT8 *InData,
- IN UINTN InDataSize,
- IN UINT8 *PrivateKey,
- IN UINTN PrivateKeySize,
- IN UINT8 *KeyPassWord,
- IN UINTN KeyPwdSize,
- OUT UINT8 **OutData,
- IN OUT UINTN *OutDataSize
- );
-
-/**
- Verify the singed data with the public key which is contained in a certificate.
-
- @param[in] InCert Pointer to the Certificate which contains the
- public key.
- @param[in] CertLen The size of Certificate in bytes.
- @param[in] InCa Pointer to the CA certificate
- @param[in] CaLen The size of CA certificate in bytes.
- @param[in] InData Pointer to octet message hash to be checked.
- @param[in] InDataSize Size of the message hash in bytes.
- @param[in] Singnature The pointer to the RSA PKCS1-V1_5 signature to be verified.
- @param[in] SigSize Size of signature in bytes.
-
- @retval TRUE Valid signature encoded in PKCS1-v1_5.
- @retval FALSE Invalid signature or invalid RSA context.
-
-**/
-BOOLEAN
-IpSecCryptoIoVerifySignDataByCertificate (
- IN UINT8 *InCert,
- IN UINTN CertLen,
- IN UINT8 *InCa,
- IN UINTN CaLen,
- IN UINT8 *InData,
- IN UINTN InDataSize,
- IN UINT8 *Singnature,
- IN UINTN SigSize
- );
-
-/**
- Retrieves the RSA Public Key from one X509 certificate (DER format only).
-
- @param[in] InCert Pointer to the certificate.
- @param[in] CertLen The size of the certificate in bytes.
- @param[out] PublicKey Pointer to the retrieved public key.
- @param[out] PublicKeyLen Size of Public Key in bytes.
-
- @retval EFI_SUCCESS Successfully get the public Key.
- @retval EFI_INVALID_PARAMETER The CA certificate is malformed.
-
-**/
-EFI_STATUS
-IpSecCryptoIoGetPublicKeyFromCert (
- IN UINT8 *InCert,
- IN UINTN CertLen,
- OUT UINT8 **PublicKey,
- OUT UINTN *PublicKeyLen
- );
-
-/**
- Retrieves the subject name from one X509 certificate (DER format only).
-
- @param[in] InCert Pointer to the X509 certificate.
- @param[in] CertSize The size of the X509 certificate in bytes.
- @param[out] CertSubject Pointer to the retrieved certificate subject.
- @param[out] SubjectSize The size of Certificate Subject in bytes.
-
- @retval EFI_SUCCESS Retrieved the certificate subject successfully.
- @retval EFI_INVALID_PARAMETER The certificate is malformed.
-
-**/
-EFI_STATUS
-IpSecCryptoIoGetSubjectFromCert (
- IN UINT8 *InCert,
- IN UINTN CertSize,
- OUT UINT8 **CertSubject,
- OUT UINTN *SubjectSize
- );
-
-#endif
-
diff --git a/NetworkPkg/IpSecDxe/IpSecDebug.c b/NetworkPkg/IpSecDxe/IpSecDebug.c deleted file mode 100644 index 0439328d5b..0000000000 --- a/NetworkPkg/IpSecDxe/IpSecDebug.c +++ /dev/null @@ -1,328 +0,0 @@ -/** @file
- The Interfaces of IPsec debug information printing.
-
- Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
-
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#include "IpSecImpl.h"
-#include "IpSecDebug.h"
-
-//
-// The print title for IKEv1 variety phase.
-//
-CHAR8 *mIkev1StateStr[IKE_STATE_NUM] = {
- "IKEv1_MAIN_1",
- "IKEv1_MAIN_2",
- "IKEv1_MAIN_3",
- "IKEv1_MAIN_ESTABLISHED",
- "IKEv1_QUICK_1",
- "IKEv1_QUICK_2",
- "IKEv1_QUICK_ESTABLISHED"
-};
-
-//
-// The print title for IKEv2 variety phase.
-//
-CHAR8 *mIkev2StateStr[IKE_STATE_NUM] = {
- "IKEv2_STATE_INIT",
- "IKEv2_STATE_AUTH",
- "IKEv2_STATE_SA_ESTABLISH",
- "IKEv2_STATE_CREATE_CHILD",
- "IKEv2_STATE_SA_REKEYING",
- "IKEv2_STATE_CHILD_SA_ESTABLISHED",
- "IKEv2_STATE_SA_DELETING"
-};
-
-//
-// The print title for IKEv1 variety Exchagne.
-//
-CHAR8 *mExchangeStr[] = {
- "IKEv1 Main Exchange",
- "IKEv1 Info Exchange",
- "IKEv1 Quick Exchange",
- "IKEv2 Initial Exchange",
- "IKEv2 Auth Exchange",
- "IKEv2 Create Child Exchange",
- "IKEv2 Info Exchange",
- "IKE Unknow Exchange"
-};
-
-//
-// The print title for IKEv1 variety Payload.
-//
-CHAR8 *mIkev1PayloadStr[] = {
- "IKEv1 None Payload",
- "IKEv1 SA Payload",
- "IKEv1 Proposal Payload",
- "IKEv1 Transform Payload",
- "IKEv1 KE Payload",
- "IKEv1 ID Payload",
- "IKEv1 Certificate Payload",
- "IKEv1 Certificate Request Payload",
- "IKEv1 Hash Payload",
- "IKEv1 Signature Payload",
- "IKEv1 Nonce Payload",
- "IKEv1 Notify Payload",
- "IKEv1 Delete Payload",
- "IKEv1 Vendor Payload"
-};
-
-//
-// The print title for IKEv2 variety Payload.
-//
-CHAR8* mIkev2PayloadStr[] = {
- "IKEv2 SA Payload",
- "IKEv2 Key Payload",
- "IKEv2 Identity Initial Payload",
- "IKEv2 Identity Respond Payload",
- "IKEv2 Certificate Payload",
- "IKEv2 Certificate Request Payload",
- "IKEv2 Auth Payload",
- "IKEv2 Nonce Payload",
- "IKEv2 Notify Payload",
- "IKEv2 Delet Payload",
- "IKEv2 Vendor Payload",
- "IKEv2 Traffic Selector Initiator Payload",
- "IKEv2 Traffic Selector Respond Payload",
- "IKEv2 Encrypt Payload",
- "IKEv2 Configuration Payload",
- "IKEv2 Extensible Authentication Payload"
-};
-
-/**
- Print the IP address.
-
- @param[in] Level Debug print error level. Pass to DEBUG().
- @param[in] Ip Point to a specified IP address.
- @param[in] IpVersion The IP Version.
-
-**/
-VOID
-IpSecDumpAddress (
- IN UINTN Level,
- IN EFI_IP_ADDRESS *Ip,
- IN UINT8 IpVersion
- )
-{
- if (IpVersion == IP_VERSION_6) {
- DEBUG (
- (Level,
- "%x%x:%x%x:%x%x:%x%x",
- Ip->v6.Addr[0],
- Ip->v6.Addr[1],
- Ip->v6.Addr[2],
- Ip->v6.Addr[3],
- Ip->v6.Addr[4],
- Ip->v6.Addr[5],
- Ip->v6.Addr[6],
- Ip->v6.Addr[7])
- );
- DEBUG (
- (Level,
- ":%x%x:%x%x:%x%x:%x%x\n",
- Ip->v6.Addr[8],
- Ip->v6.Addr[9],
- Ip->v6.Addr[10],
- Ip->v6.Addr[11],
- Ip->v6.Addr[12],
- Ip->v6.Addr[13],
- Ip->v6.Addr[14],
- Ip->v6.Addr[15])
- );
- } else {
- DEBUG (
- (Level,
- "%d.%d.%d.%d\n",
- Ip->v4.Addr[0],
- Ip->v4.Addr[1],
- Ip->v4.Addr[2],
- Ip->v4.Addr[3])
- );
- }
-
-}
-
-/**
- Print IKE Current states.
-
- @param[in] Previous The Previous state of IKE.
- @param[in] Current The current state of IKE.
- @param[in] IkeVersion The version of IKE.
-
-**/
-VOID
-IkeDumpState (
- IN UINT32 Previous,
- IN UINT32 Current,
- IN UINT8 IkeVersion
- )
-{
- if (Previous >= IKE_STATE_NUM || Current >= IKE_STATE_NUM) {
- return;
- }
-
- if (Previous == Current) {
- if (IkeVersion == 1) {
- DEBUG ((DEBUG_INFO, "\n****Current state is %a\n", mIkev1StateStr[Previous]));
- } else if (IkeVersion == 2) {
- DEBUG ((DEBUG_INFO, "\n****Current state is %a\n", mIkev2StateStr[Previous]));
- }
- } else {
- if (IkeVersion == 1) {
- DEBUG ((DEBUG_INFO, "\n****Change state from %a to %a\n", mIkev1StateStr[Previous], mIkev1StateStr[Current]));
- } else {
- DEBUG ((DEBUG_INFO, "\n****Change state from %a to %a\n", mIkev2StateStr[Previous], mIkev2StateStr[Current]));
- }
- }
-}
-
-/**
- Print the IKE Packet.
-
- @param[in] Packet Point to IKE packet to be printed.
- @param[in] Direction Point to the IKE packet is inbound or outbound.
- @param[in] IpVersion Specified IP Version.
-
-**/
-VOID
-IpSecDumpPacket (
- IN IKE_PACKET *Packet,
- IN EFI_IPSEC_TRAFFIC_DIR Direction,
- IN UINT8 IpVersion
- )
-{
- CHAR8 *TypeStr;
- UINTN PacketSize;
- UINT64 InitCookie;
- UINT64 RespCookie;
-
- ASSERT (Packet != NULL);
-
- PacketSize = Packet->PayloadTotalSize + sizeof (IKE_HEADER);
- InitCookie = (Direction == EfiIPsecOutBound) ? HTONLL (Packet->Header->InitiatorCookie) : Packet->Header->InitiatorCookie;
- RespCookie = (Direction == EfiIPsecOutBound) ? HTONLL (Packet->Header->ResponderCookie) : Packet->Header->ResponderCookie;
-
- switch (Packet->Header->ExchangeType) {
- case IKE_XCG_TYPE_IDENTITY_PROTECT:
- TypeStr = mExchangeStr[0];
- break;
-
- case IKE_XCG_TYPE_INFO:
- TypeStr = mExchangeStr[1];
- break;
-
- case IKE_XCG_TYPE_QM:
- TypeStr = mExchangeStr[2];
- break;
-
- case IKE_XCG_TYPE_SA_INIT:
- TypeStr = mExchangeStr[3];
- break;
-
- case IKE_XCG_TYPE_AUTH:
- TypeStr = mExchangeStr[4];
- break;
-
- case IKE_XCG_TYPE_CREATE_CHILD_SA:
- TypeStr = mExchangeStr[5];
- break;
-
- case IKE_XCG_TYPE_INFO2:
- TypeStr = mExchangeStr[6];
- break;
-
- default:
- TypeStr = mExchangeStr[7];
- break;
- }
-
- if (Direction == EfiIPsecOutBound) {
- DEBUG ((DEBUG_INFO, "\n>>>Sending %d bytes %a to ", PacketSize, TypeStr));
- } else {
- DEBUG ((DEBUG_INFO, "\n>>>Receiving %d bytes %a from ", PacketSize, TypeStr));
- }
-
- IpSecDumpAddress (DEBUG_INFO, &Packet->RemotePeerIp, IpVersion);
-
- DEBUG ((DEBUG_INFO, " InitiatorCookie:0x%lx ResponderCookie:0x%lx\n", InitCookie, RespCookie));
- DEBUG (
- (DEBUG_INFO,
- " Version: 0x%x Flags:0x%x ExchangeType:0x%x\n",
- Packet->Header->Version,
- Packet->Header->Flags,
- Packet->Header->ExchangeType)
- );
- DEBUG (
- (DEBUG_INFO,
- " MessageId:0x%x NextPayload:0x%x\n",
- Packet->Header->MessageId,
- Packet->Header->NextPayload)
- );
-
-}
-
-/**
- Print the IKE Paylolad.
-
- @param[in] IkePayload Point to payload to be printed.
- @param[in] IkeVersion The specified version of IKE.
-
-**/
-VOID
-IpSecDumpPayload (
- IN IKE_PAYLOAD *IkePayload,
- IN UINT8 IkeVersion
- )
-{
- if (IkeVersion == 1) {
- DEBUG ((DEBUG_INFO, "+%a\n", mIkev1PayloadStr[IkePayload->PayloadType]));
- } else {
- //
- // For IKEV2 the first Payload type is started from 33.
- //
- DEBUG ((DEBUG_INFO, "+%a\n", mIkev2PayloadStr[IkePayload->PayloadType - 33]));
- }
- IpSecDumpBuf ("Payload data", IkePayload->PayloadBuf, IkePayload->PayloadSize);
-}
-
-/**
- Print the buffer in form of Hex.
-
- @param[in] Title The strings to be printed before the data of the buffer.
- @param[in] Data Points to buffer to be printed.
- @param[in] DataSize The size of the buffer to be printed.
-
-**/
-VOID
-IpSecDumpBuf (
- IN CHAR8 *Title,
- IN UINT8 *Data,
- IN UINTN DataSize
- )
-{
- UINTN Index;
- UINTN DataIndex;
- UINTN BytesRemaining;
- UINTN BytesToPrint;
-
- DataIndex = 0;
- BytesRemaining = DataSize;
-
- DEBUG ((DEBUG_INFO, "==%a %d bytes==\n", Title, DataSize));
-
- while (BytesRemaining > 0) {
-
- BytesToPrint = (BytesRemaining > IPSEC_DEBUG_BYTE_PER_LINE) ? IPSEC_DEBUG_BYTE_PER_LINE : BytesRemaining;
-
- for (Index = 0; Index < BytesToPrint; Index++) {
- DEBUG ((DEBUG_INFO, " 0x%02x,", Data[DataIndex++]));
- }
-
- DEBUG ((DEBUG_INFO, "\n"));
- BytesRemaining -= BytesToPrint;
- }
-
-}
diff --git a/NetworkPkg/IpSecDxe/IpSecDebug.h b/NetworkPkg/IpSecDxe/IpSecDebug.h deleted file mode 100644 index bdc926eff6..0000000000 --- a/NetworkPkg/IpSecDxe/IpSecDebug.h +++ /dev/null @@ -1,101 +0,0 @@ -/** @file
- The definition of functions and MACROs used for IPsec debug information printting.
-
- Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
-
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-#ifndef _EFI_IPSEC_DEBUG_H_
-#define _EFI_IPSEC_DEBUG_H_
-
-#include "IkeCommon.h"
-#include "IkePacket.h"
-
-#define IPSEC_DUMP_ADDRESS(Level, Ip, Version) IpSecDumpAddress (Level, Ip, Version)
-#define IKEV1_DUMP_STATE(Previous, Current) IkeDumpState (Previous, Current, 1)
-#define IKEV2_DUMP_STATE(Previous, Current) IkeDumpState (Previous, Current, 2)
-#define IPSEC_DUMP_PACKET(Packet, Direction, IpVersion) IpSecDumpPacket (Packet, Direction, IpVersion)
-#define IPSEC_DUMP_PAYLOAD(IkePayload) IpSecDumpPayload (IkePayload, 1)
-#define IKEV2_DUMP_PAYLOAD(IkePayload) IpSecDumpPayload (IkePayload, 2)
-#define IPSEC_DUMP_BUF(Title, Data, DataSize) IpSecDumpBuf (Title, Data, DataSize)
-
-#define IPSEC_DEBUG_BYTE_PER_LINE 8
-#define IKE_STATE_NUM 7
-
-
-
-/**
- Print the IP address.
-
- @param[in] Level Debug print error level. Pass to DEBUG().
- @param[in] Ip Point to specified IP address.
- @param[in] IpVersion The IP Version.
-
-**/
-VOID
-IpSecDumpAddress (
- IN UINTN Level,
- IN EFI_IP_ADDRESS *Ip,
- IN UINT8 IpVersion
- );
-
-/**
- Print IKE Current states.
-
- @param[in] Previous The Previous state of IKE.
- @param[in] Current The current state of IKE.
- @param[in] IkeVersion The version of IKE.
-
-**/
-VOID
-IkeDumpState (
- IN UINT32 Previous,
- IN UINT32 Current,
- IN UINT8 IkeVersion
- );
-
-/**
- Print the IKE Packet.
-
- @param[in] Packet Point to IKE packet to be printed.
- @param[in] Direction Point to the IKE packet is inbound or outbound.
- @param[in] IpVersion Specified IP Version.
-
-**/
-VOID
-IpSecDumpPacket (
- IN IKE_PACKET *Packet,
- IN EFI_IPSEC_TRAFFIC_DIR Direction,
- IN UINT8 IpVersion
- );
-
-/**
- Print the IKE Paylolad.
-
- @param[in] IkePayload Point to payload to be printed.
- @param[in] IkeVersion The specified version of IKE.
-
-**/
-VOID
-IpSecDumpPayload (
- IN IKE_PAYLOAD *IkePayload,
- IN UINT8 IkeVersion
- );
-
-/**
- Print the buffer in form of Hex.
-
- @param[in] Title The strings to be printed before the data of the buffer.
- @param[in] Data Point to buffer to be printed.
- @param[in] DataSize The size of the buffer to be printed.
-
-**/
-VOID
-IpSecDumpBuf (
- IN CHAR8 *Title,
- IN UINT8 *Data,
- IN UINTN DataSize
- );
-
-#endif
diff --git a/NetworkPkg/IpSecDxe/IpSecDriver.c b/NetworkPkg/IpSecDxe/IpSecDriver.c deleted file mode 100644 index 916b0b24de..0000000000 --- a/NetworkPkg/IpSecDxe/IpSecDriver.c +++ /dev/null @@ -1,654 +0,0 @@ -/** @file
- Driver Binding Protocol for IPsec Driver.
-
- Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
-
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#include <Library/BaseCryptLib.h>
-
-#include "IpSecConfigImpl.h"
-#include "IkeService.h"
-#include "IpSecDebug.h"
-
-/**
- Test to see if this driver supports ControllerHandle. This is the worker function
- for IpSec4(6)DriverbindingSupported.
-
- @param[in] This Protocol instance pointer.
- @param[in] ControllerHandle Handle of device to test.
- @param[in] RemainingDevicePath Optional parameter used to pick a specific child
- device to start.
- @param[in] IpVersion IP_VERSION_4 or IP_VERSION_6.
-
- @retval EFI_SUCCES This driver supports this device.
- @retval EFI_ALREADY_STARTED This driver is already running on this device.
- @retval other This driver does not support this device.
-
-**/
-EFI_STATUS
-EFIAPI
-IpSecSupported (
- IN EFI_DRIVER_BINDING_PROTOCOL *This,
- IN EFI_HANDLE ControllerHandle,
- IN EFI_DEVICE_PATH_PROTOCOL *RemainingDevicePath OPTIONAL,
- IN UINT8 IpVersion
- )
-{
- EFI_STATUS Status;
- EFI_GUID *UdpServiceBindingGuid;
-
- if (IpVersion == IP_VERSION_4) {
- UdpServiceBindingGuid = &gEfiUdp4ServiceBindingProtocolGuid;
- } else {
- UdpServiceBindingGuid = &gEfiUdp6ServiceBindingProtocolGuid;
- }
-
- Status = gBS->OpenProtocol (
- ControllerHandle,
- UdpServiceBindingGuid,
- NULL,
- This->DriverBindingHandle,
- ControllerHandle,
- EFI_OPEN_PROTOCOL_TEST_PROTOCOL
- );
- if (EFI_ERROR (Status)) {
- return EFI_UNSUPPORTED;
- }
- return EFI_SUCCESS;
-}
-
-/**
- Start this driver on ControllerHandle. This is the worker function
- for IpSec4(6)DriverbindingStart.
-
- @param[in] This Protocol instance pointer.
- @param[in] ControllerHandle Handle of device to bind driver to.
- @param[in] RemainingDevicePath Optional parameter used to pick a specific child
- device to start.
- @param[in] IpVersion IP_VERSION_4 or IP_VERSION_6.
-
- @retval EFI_SUCCES This driver is added to ControllerHandle
- @retval EFI_ALREADY_STARTED This driver is already running on ControllerHandle
- @retval EFI_DEVICE_ERROR The device could not be started due to a device error.
- Currently not implemented.
- @retval other This driver does not support this device
-
-**/
-EFI_STATUS
-EFIAPI
-IpSecStart (
- IN EFI_DRIVER_BINDING_PROTOCOL *This,
- IN EFI_HANDLE ControllerHandle,
- IN EFI_DEVICE_PATH_PROTOCOL *RemainingDevicePath OPTIONAL,
- IN UINT8 IpVersion
- )
-{
- EFI_IPSEC2_PROTOCOL *IpSec;
- EFI_STATUS Status;
- IPSEC_PRIVATE_DATA *Private;
-
- //
- // Ipsec protocol should be installed when load image.
- //
- Status = gBS->LocateProtocol (&gEfiIpSec2ProtocolGuid, NULL, (VOID **) &IpSec);
-
- if (EFI_ERROR (Status)) {
- return Status;
- }
-
- Private = IPSEC_PRIVATE_DATA_FROM_IPSEC (IpSec);
-
- if (IpVersion == IP_VERSION_4) {
- //
- // Try to open a udp4 io for input.
- //
- Status = gBS->OpenProtocol (
- ControllerHandle,
- &gEfiUdp4ServiceBindingProtocolGuid,
- NULL,
- This->DriverBindingHandle,
- ControllerHandle,
- EFI_OPEN_PROTOCOL_TEST_PROTOCOL
- );
-
- if (!EFI_ERROR (Status)) {
- Status = IkeOpenInputUdp4 (Private, ControllerHandle, This->DriverBindingHandle);
- }
- } else {
- //
- // Try to open a udp6 io for input.
- //
- Status = gBS->OpenProtocol (
- ControllerHandle,
- &gEfiUdp6ServiceBindingProtocolGuid,
- NULL,
- This->DriverBindingHandle,
- ControllerHandle,
- EFI_OPEN_PROTOCOL_TEST_PROTOCOL
- );
-
- if (!EFI_ERROR (Status)) {
- Status = IkeOpenInputUdp6 (Private, ControllerHandle, This->DriverBindingHandle);
- }
- }
-
- if (EFI_ERROR (Status)) {
- return EFI_DEVICE_ERROR;
- }
- return EFI_SUCCESS;
-}
-
-/**
- Stop this driver on ControllerHandle. This is the worker function
- for IpSec4(6)DriverbindingStop.
-
- @param[in] This Protocol instance pointer.
- @param[in] ControllerHandle Handle of a device to stop the driver on.
- @param[in] NumberOfChildren Number of Handles in ChildHandleBuffer. If the number of
- children is zero, stop the entire bus driver.
- @param[in] ChildHandleBuffer List of Child Handles to Stop.
- @param[in] IpVersion IP_VERSION_4 or IP_VERSION_6.
-
- @retval EFI_SUCCES This driver removed ControllerHandle.
- @retval other This driver was not removed from this device.
-
-**/
-EFI_STATUS
-EFIAPI
-IpSecStop (
- IN EFI_DRIVER_BINDING_PROTOCOL *This,
- IN EFI_HANDLE ControllerHandle,
- IN UINTN NumberOfChildren,
- IN EFI_HANDLE *ChildHandleBuffer,
- IN UINT8 IpVersion
- )
-{
- EFI_IPSEC2_PROTOCOL *IpSec;
- EFI_STATUS Status;
- IPSEC_PRIVATE_DATA *Private;
- IKE_UDP_SERVICE *UdpSrv;
- LIST_ENTRY *Entry;
- LIST_ENTRY *Next;
- IKEV2_SA_SESSION *Ikev2SaSession;
-
- //
- // Locate ipsec protocol to get private data.
- //
- Status = gBS->LocateProtocol (&gEfiIpSec2ProtocolGuid, NULL, (VOID **) &IpSec);
-
- if (EFI_ERROR (Status)) {
- return Status;
- }
-
- Private = IPSEC_PRIVATE_DATA_FROM_IPSEC (IpSec);
-
- //
- // The SAs are shared by both IP4 and IP6 stack. So we skip the cleanup
- // and leave the SAs unchanged if the other IP stack is still running.
- //
- if ((IpVersion == IP_VERSION_4 && Private->Udp6Num ==0) ||
- (IpVersion == IP_VERSION_6 && Private->Udp4Num ==0)) {
- //
- // If IKEv2 SAs are under establishing, delete it directly.
- //
- if (!IsListEmpty (&Private->Ikev2SessionList)) {
- NET_LIST_FOR_EACH_SAFE (Entry, Next, &Private->Ikev2SessionList) {
- Ikev2SaSession = IKEV2_SA_SESSION_BY_SESSION (Entry);
- RemoveEntryList (&Ikev2SaSession->BySessionTable);
- Ikev2SaSessionFree (Ikev2SaSession);
- }
- }
-
- //
- // Delete established IKEv2 SAs.
- //
- if (!IsListEmpty (&Private->Ikev2EstablishedList)) {
- NET_LIST_FOR_EACH_SAFE (Entry, Next, &Private->Ikev2EstablishedList) {
- Ikev2SaSession = IKEV2_SA_SESSION_BY_SESSION (Entry);
- RemoveEntryList (&Ikev2SaSession->BySessionTable);
- Ikev2SaSessionFree (Ikev2SaSession);
- }
- }
- }
-
- if (IpVersion == IP_VERSION_4) {
- //
- // If has udp4 io opened on the controller, close and free it.
- //
- NET_LIST_FOR_EACH_SAFE (Entry, Next, &Private->Udp4List) {
-
- UdpSrv = IPSEC_UDP_SERVICE_FROM_LIST (Entry);
- //
- // Find the right udp service which installed on the appointed nic handle.
- //
- if (UdpSrv->Input != NULL && ControllerHandle == UdpSrv->Input->UdpHandle) {
- UdpIoFreeIo (UdpSrv->Input);
- UdpSrv->Input = NULL;
- }
-
- if (UdpSrv->Output != NULL && ControllerHandle == UdpSrv->Output->UdpHandle) {
- UdpIoFreeIo (UdpSrv->Output);
- UdpSrv->Output = NULL;
- }
-
- if (UdpSrv->Input == NULL && UdpSrv->Output == NULL) {
- RemoveEntryList (&UdpSrv->List);
- FreePool (UdpSrv);
- ASSERT (Private->Udp4Num > 0);
- Private->Udp4Num--;
- }
- }
- } else {
- //
- // If has udp6 io opened on the controller, close and free it.
- //
- NET_LIST_FOR_EACH_SAFE (Entry, Next, &Private->Udp6List) {
-
- UdpSrv = IPSEC_UDP_SERVICE_FROM_LIST (Entry);
- //
- // Find the right udp service which installed on the appointed nic handle.
- //
- if (UdpSrv->Input != NULL && ControllerHandle == UdpSrv->Input->UdpHandle) {
- UdpIoFreeIo (UdpSrv->Input);
- UdpSrv->Input = NULL;
- }
-
- if (UdpSrv->Output != NULL && ControllerHandle == UdpSrv->Output->UdpHandle) {
- UdpIoFreeIo (UdpSrv->Output);
- UdpSrv->Output = NULL;
- }
-
- if (UdpSrv->Input == NULL && UdpSrv->Output == NULL) {
- RemoveEntryList (&UdpSrv->List);
- FreePool (UdpSrv);
- ASSERT (Private->Udp6Num > 0);
- Private->Udp6Num--;
- }
- }
- }
-
- return EFI_SUCCESS;
-}
-
-/**
- Test to see if this driver supports ControllerHandle.
-
- @param[in] This Protocol instance pointer.
- @param[in] ControllerHandle Handle of device to test.
- @param[in] RemainingDevicePath Optional parameter used to pick a specific child
- device to start.
-
- @retval EFI_SUCCES This driver supports this device.
- @retval EFI_ALREADY_STARTED This driver is already running on this device.
- @retval other This driver does not support this device.
-
-**/
-EFI_STATUS
-EFIAPI
-IpSec4DriverBindingSupported (
- IN EFI_DRIVER_BINDING_PROTOCOL *This,
- IN EFI_HANDLE ControllerHandle,
- IN EFI_DEVICE_PATH_PROTOCOL *RemainingDevicePath OPTIONAL
- )
-{
- return IpSecSupported (
- This,
- ControllerHandle,
- RemainingDevicePath,
- IP_VERSION_4
- );
-}
-
-/**
- Start this driver on ControllerHandle.
-
- @param[in] This Protocol instance pointer.
- @param[in] ControllerHandle Handle of device to bind driver to.
- @param[in] RemainingDevicePath Optional parameter used to pick a specific child
- device to start.
-
- @retval EFI_SUCCES This driver is added to ControllerHandle
- @retval EFI_ALREADY_STARTED This driver is already running on ControllerHandle
- @retval EFI_DEVICE_ERROR The device could not be started due to a device error.
- Currently not implemented.
- @retval other This driver does not support this device
-
-**/
-EFI_STATUS
-EFIAPI
-IpSec4DriverBindingStart (
- IN EFI_DRIVER_BINDING_PROTOCOL *This,
- IN EFI_HANDLE ControllerHandle,
- IN EFI_DEVICE_PATH_PROTOCOL *RemainingDevicePath OPTIONAL
- )
-{
- return IpSecStart (
- This,
- ControllerHandle,
- RemainingDevicePath,
- IP_VERSION_4
- );
-}
-
-/**
- Stop this driver on ControllerHandle.
-
- @param[in] This Protocol instance pointer.
- @param[in] ControllerHandle Handle of a device to stop the driver on.
- @param[in] NumberOfChildren Number of Handles in ChildHandleBuffer. If the number of
- children is zero, stop the entire bus driver.
- @param[in] ChildHandleBuffer List of Child Handles to Stop.
-
- @retval EFI_SUCCES This driver removed ControllerHandle.
- @retval other This driver was not removed from this device.
-
-**/
-EFI_STATUS
-EFIAPI
-IpSec4DriverBindingStop (
- IN EFI_DRIVER_BINDING_PROTOCOL *This,
- IN EFI_HANDLE ControllerHandle,
- IN UINTN NumberOfChildren,
- IN EFI_HANDLE *ChildHandleBuffer
- )
-{
- return IpSecStop (
- This,
- ControllerHandle,
- NumberOfChildren,
- ChildHandleBuffer,
- IP_VERSION_4
- );
-}
-
-/**
- Test to see if this driver supports ControllerHandle.
-
- @param[in] This Protocol instance pointer.
- @param[in] ControllerHandle Handle of device to test.
- @param[in] RemainingDevicePath Optional parameter used to pick a specific child
- device to start.
-
- @retval EFI_SUCCES This driver supports this device.
- @retval EFI_ALREADY_STARTED This driver is already running on this device.
- @retval other This driver does not support this device.
-
-**/
-EFI_STATUS
-EFIAPI
-IpSec6DriverBindingSupported (
- IN EFI_DRIVER_BINDING_PROTOCOL *This,
- IN EFI_HANDLE ControllerHandle,
- IN EFI_DEVICE_PATH_PROTOCOL *RemainingDevicePath OPTIONAL
- )
-{
- return IpSecSupported (
- This,
- ControllerHandle,
- RemainingDevicePath,
- IP_VERSION_6
- );
-}
-
-/**
- Start this driver on ControllerHandle.
-
- @param[in] This Protocol instance pointer.
- @param[in] ControllerHandle Handle of device to bind driver to.
- @param[in] RemainingDevicePath Optional parameter used to pick a specific child
- device to start.
-
- @retval EFI_SUCCES This driver is added to ControllerHandle
- @retval EFI_ALREADY_STARTED This driver is already running on ControllerHandle
- @retval EFI_DEVICE_ERROR The device could not be started due to a device error.
- Currently not implemented.
- @retval other This driver does not support this device
-
-**/
-EFI_STATUS
-EFIAPI
-IpSec6DriverBindingStart (
- IN EFI_DRIVER_BINDING_PROTOCOL *This,
- IN EFI_HANDLE ControllerHandle,
- IN EFI_DEVICE_PATH_PROTOCOL *RemainingDevicePath OPTIONAL
- )
-{
- return IpSecStart (
- This,
- ControllerHandle,
- RemainingDevicePath,
- IP_VERSION_6
- );
-}
-
-/**
- Stop this driver on ControllerHandle.
-
- @param[in] This Protocol instance pointer.
- @param[in] ControllerHandle Handle of a device to stop the driver on.
- @param[in] NumberOfChildren Number of Handles in ChildHandleBuffer. If the number of
- children is zero, stop the entire bus driver.
- @param[in] ChildHandleBuffer List of Child Handles to Stop.
-
- @retval EFI_SUCCES This driver removed ControllerHandle.
- @retval other This driver was not removed from this device.
-
-**/
-EFI_STATUS
-EFIAPI
-IpSec6DriverBindingStop (
- IN EFI_DRIVER_BINDING_PROTOCOL *This,
- IN EFI_HANDLE ControllerHandle,
- IN UINTN NumberOfChildren,
- IN EFI_HANDLE *ChildHandleBuffer
- )
-{
- return IpSecStop (
- This,
- ControllerHandle,
- NumberOfChildren,
- ChildHandleBuffer,
- IP_VERSION_6
- );
-}
-
-EFI_DRIVER_BINDING_PROTOCOL gIpSec4DriverBinding = {
- IpSec4DriverBindingSupported,
- IpSec4DriverBindingStart,
- IpSec4DriverBindingStop,
- 0xa,
- NULL,
- NULL
-};
-
-EFI_DRIVER_BINDING_PROTOCOL gIpSec6DriverBinding = {
- IpSec6DriverBindingSupported,
- IpSec6DriverBindingStart,
- IpSec6DriverBindingStop,
- 0xa,
- NULL,
- NULL
-};
-
-/**
- This is a callback function when the mIpSecInstance.DisabledEvent is signaled.
-
- @param[in] Event Event whose notification function is being invoked.
- @param[in] Context Pointer to the notification function's context.
-
-**/
-VOID
-EFIAPI
-IpSecCleanupAllSa (
- IN EFI_EVENT Event,
- IN VOID *Context
- )
-{
- IPSEC_PRIVATE_DATA *Private;
- Private = (IPSEC_PRIVATE_DATA *) Context;
- Private->IsIPsecDisabling = TRUE;
- IkeDeleteAllSas (Private, TRUE);
-}
-
-/**
- This is the declaration of an EFI image entry point. This entry point is
- the same for UEFI Applications, UEFI OS Loaders, and UEFI Drivers, including
- both device drivers and bus drivers.
-
- The entry point for IPsec driver which installs the driver binding,
- component name protocol, IPsec Config protcolon, and IPsec protocol in
- its ImageHandle.
-
- @param[in] ImageHandle The firmware allocated handle for the UEFI image.
- @param[in] SystemTable A pointer to the EFI System Table.
-
- @retval EFI_SUCCESS The operation completed successfully.
- @retval EFI_ALREADY_STARTED The IPsec driver has been already loaded.
- @retval EFI_OUT_OF_RESOURCES The request could not be completed due to a lack of resources.
- @retval Others The operation is failed.
-
-**/
-EFI_STATUS
-EFIAPI
-IpSecDriverEntryPoint (
- IN EFI_HANDLE ImageHandle,
- IN EFI_SYSTEM_TABLE *SystemTable
- )
-{
- EFI_STATUS Status;
- IPSEC_PRIVATE_DATA *Private;
- EFI_IPSEC2_PROTOCOL *IpSec;
-
- //
- // Check whether ipsec protocol has already been installed.
- //
- Status = gBS->LocateProtocol (&gEfiIpSec2ProtocolGuid, NULL, (VOID **) &IpSec);
-
- if (!EFI_ERROR (Status)) {
- DEBUG ((DEBUG_WARN, "_ModuleEntryPoint: IpSec has been already loaded\n"));
- Status = EFI_ALREADY_STARTED;
- goto ON_EXIT;
- }
-
- Status = gBS->LocateProtocol (&gEfiDpcProtocolGuid, NULL, (VOID **) &mDpc);
-
- if (EFI_ERROR (Status)) {
- DEBUG ((DEBUG_ERROR, "_ModuleEntryPoint: Failed to locate EfiDpcProtocol\n"));
- goto ON_EXIT;
- }
-
- Private = AllocateZeroPool (sizeof (IPSEC_PRIVATE_DATA));
-
- if (Private == NULL) {
- DEBUG ((DEBUG_ERROR, "_ModuleEntryPoint: Failed to allocate private data\n"));
- Status = EFI_OUT_OF_RESOURCES;
- goto ON_EXIT;
- }
- //
- // Create disable event to cleanup all SA when ipsec disabled by user.
- //
- Status = gBS->CreateEvent (
- EVT_NOTIFY_SIGNAL,
- TPL_CALLBACK,
- IpSecCleanupAllSa,
- Private,
- &mIpSecInstance.DisabledEvent
- );
- if (EFI_ERROR (Status)) {
- DEBUG ((DEBUG_ERROR, "_ModuleEntryPoint: Failed to create disable event\n"));
- goto ON_FREE_PRIVATE;
- }
-
- Private->Signature = IPSEC_PRIVATE_DATA_SIGNATURE;
- Private->ImageHandle = ImageHandle;
- CopyMem (&Private->IpSec, &mIpSecInstance, sizeof (EFI_IPSEC2_PROTOCOL));
-
- //
- // Initilize Private's members. Thess members is used for IKE.
- //
- InitializeListHead (&Private->Udp4List);
- InitializeListHead (&Private->Udp6List);
- InitializeListHead (&Private->Ikev1SessionList);
- InitializeListHead (&Private->Ikev1EstablishedList);
- InitializeListHead (&Private->Ikev2SessionList);
- InitializeListHead (&Private->Ikev2EstablishedList);
-
- RandomSeed (NULL, 0);
- //
- // Initialize the ipsec config data and restore it from variable.
- //
- Status = IpSecConfigInitialize (Private);
- if (EFI_ERROR (Status)) {
- DEBUG ((DEBUG_ERROR, "_ModuleEntryPoint: Failed to initialize IpSecConfig\n"));
- goto ON_CLOSE_EVENT;
- }
- //
- // Install ipsec protocol which is used by ip driver to process ipsec header.
- //
- Status = gBS->InstallMultipleProtocolInterfaces (
- &Private->Handle,
- &gEfiIpSec2ProtocolGuid,
- &Private->IpSec,
- NULL
- );
- if (EFI_ERROR (Status)) {
- goto ON_UNINSTALL_CONFIG;
- }
-
- Status = EfiLibInstallDriverBindingComponentName2 (
- ImageHandle,
- SystemTable,
- &gIpSec4DriverBinding,
- ImageHandle,
- &gIpSecComponentName,
- &gIpSecComponentName2
- );
- if (EFI_ERROR (Status)) {
- goto ON_UNINSTALL_IPSEC;
- }
-
- Status = EfiLibInstallDriverBindingComponentName2 (
- ImageHandle,
- SystemTable,
- &gIpSec6DriverBinding,
- NULL,
- &gIpSecComponentName,
- &gIpSecComponentName2
- );
- if (EFI_ERROR (Status)) {
- goto ON_UNINSTALL_IPSEC4_DB;
- }
-
- return Status;
-
-ON_UNINSTALL_IPSEC4_DB:
- EfiLibUninstallDriverBindingComponentName2 (
- &gIpSec4DriverBinding,
- &gIpSecComponentName,
- &gIpSecComponentName2
- );
-
-ON_UNINSTALL_IPSEC:
- gBS->UninstallProtocolInterface (
- Private->Handle,
- &gEfiIpSec2ProtocolGuid,
- &Private->IpSec
- );
-ON_UNINSTALL_CONFIG:
- gBS->UninstallProtocolInterface (
- Private->Handle,
- &gEfiIpSecConfigProtocolGuid,
- &Private->IpSecConfig
- );
-ON_CLOSE_EVENT:
- gBS->CloseEvent (mIpSecInstance.DisabledEvent);
- mIpSecInstance.DisabledEvent = NULL;
-ON_FREE_PRIVATE:
- FreePool (Private);
-ON_EXIT:
- return Status;
-}
-
diff --git a/NetworkPkg/IpSecDxe/IpSecDxe.inf b/NetworkPkg/IpSecDxe/IpSecDxe.inf deleted file mode 100644 index 0cabc13059..0000000000 --- a/NetworkPkg/IpSecDxe/IpSecDxe.inf +++ /dev/null @@ -1,104 +0,0 @@ -## @file
-# Packet-level security for IP datagram.
-#
-# This driver provides EFI IPsec2 Protocol which is used to abstract the ability
-# to deal with the individual packets sent and received by the host and provide
-# packet-level security for IP datagram. It provides the IP packet protection via
-# ESP and it supports IKEv2 for key negotiation.
-#
-# Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
-#
-# SPDX-License-Identifier: BSD-2-Clause-Patent
-#
-##
-
-[Defines]
- INF_VERSION = 0x00010005
- BASE_NAME = IpSecDxe
- FILE_GUID = EE8367C0-A1D6-4565-8F89-EF628547B722
- MODULE_TYPE = UEFI_DRIVER
- VERSION_STRING = 1.0
-
- ENTRY_POINT = IpSecDriverEntryPoint
- MODULE_UNI_FILE = IpSecDxe.uni
-
-#
-# The following information is for reference only and not required by the build tools.
-#
-# VALID_ARCHITECTURES = IA32 X64 EBC
-#
-
-[Sources]
- IpSecConfigImpl.c
- IpSecConfigImpl.h
- IpSecCryptIo.h
- IpSecCryptIo.c
- IpSecDebug.h
- ComponentName.c
- IkeCommon.h
- IpSecImpl.c
- IkeService.c
- Ike.h
- IkePacket.h
- IkePacket.c
- IpSecDebug.c
- IpSecMain.c
- IpSecDriver.c
- IkeCommon.c
- IetfConstants.c
- IpSecImpl.h
- IkeService.h
- Ikev2/Ikev2.h
- Ikev2/Payload.h
- Ikev2/Utility.h
- Ikev2/Utility.c
- Ikev2/Sa.c
- Ikev2/ChildSa.c
- Ikev2/Info.c
- Ikev2/Payload.c
- Ikev2/Exchange.c
-
-
-
-[Packages]
- MdePkg/MdePkg.dec
- MdeModulePkg/MdeModulePkg.dec
- CryptoPkg/CryptoPkg.dec
- NetworkPkg/NetworkPkg.dec
-
-[LibraryClasses]
- MemoryAllocationLib
- BaseLib
- UefiLib
- UefiBootServicesTableLib
- UefiRuntimeServicesTableLib
- UefiDriverEntryPoint
- BaseMemoryLib
- DebugLib
- PrintLib
- BaseCryptLib
- DpcLib
- UdpIoLib
- NetLib
- PcdLib
-
-[Protocols]
- gEfiIp4Config2ProtocolGuid ## SOMETIMES_CONSUMES
- gEfiUdp4ServiceBindingProtocolGuid ## SOMETIMES_CONSUMES
- gEfiUdp4ProtocolGuid ## SOMETIMES_CONSUMES
- gEfiUdp6ServiceBindingProtocolGuid ## SOMETIMES_CONSUMES
- gEfiUdp6ProtocolGuid ## SOMETIMES_CONSUMES
- gEfiIpSecConfigProtocolGuid ## PRODUCES
- gEfiIpSec2ProtocolGuid ## PRODUCES
-
-[Pcd]
- gEfiNetworkPkgTokenSpaceGuid.PcdIpsecCertificateEnabled ## SOMETIMES_CONSUMES
- gEfiNetworkPkgTokenSpaceGuid.PcdIpsecUefiCaFile ## SOMETIMES_CONSUMES
- gEfiNetworkPkgTokenSpaceGuid.PcdIpsecUefiCaFileSize ## SOMETIMES_CONSUMES
- gEfiNetworkPkgTokenSpaceGuid.PcdIpsecUefiCertificate ## SOMETIMES_CONSUMES
- gEfiNetworkPkgTokenSpaceGuid.PcdIpsecUefiCertificateSize ## SOMETIMES_CONSUMES
- gEfiNetworkPkgTokenSpaceGuid.PcdIpsecUefiCertificateKey ## SOMETIMES_CONSUMES
- gEfiNetworkPkgTokenSpaceGuid.PcdIpsecUefiCertificateKeySize ## SOMETIMES_CONSUMES
-
-[UserExtensions.TianoCore."ExtraFiles"]
- IpSecDxeExtra.uni
diff --git a/NetworkPkg/IpSecDxe/IpSecDxe.uni b/NetworkPkg/IpSecDxe/IpSecDxe.uni deleted file mode 100644 index 9e67d6d9ef..0000000000 --- a/NetworkPkg/IpSecDxe/IpSecDxe.uni +++ /dev/null @@ -1,19 +0,0 @@ -// /** @file
-// Packet-level security for IP datagram.
-//
-// This driver provides EFI IPsec2 Protocol which is used to abstract the ability
-// to deal with the individual packets sent and received by the host and provide
-// packet-level security for IP datagram. It provides the IP packet protection via
-// ESP and it supports IKEv2 for key negotiation.
-//
-// Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
-//
-// SPDX-License-Identifier: BSD-2-Clause-Patent
-//
-// **/
-
-
-#string STR_MODULE_ABSTRACT #language en-US "Packet-level security for IP datagram"
-
-#string STR_MODULE_DESCRIPTION #language en-US "This driver provides EFI IPsec2 Protocol which is used to abstract the ability to deal with the individual packets sent and received by the host and provide packet-level security for IP datagram. It provides the IP packet protection via ESP and it supports IKEv2 for key negotiation."
-
diff --git a/NetworkPkg/IpSecDxe/IpSecDxeExtra.uni b/NetworkPkg/IpSecDxe/IpSecDxeExtra.uni deleted file mode 100644 index d31c8dd88e..0000000000 --- a/NetworkPkg/IpSecDxe/IpSecDxeExtra.uni +++ /dev/null @@ -1,14 +0,0 @@ -// /** @file
-// IpSecDxe Localized Strings and Content
-//
-// Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.<BR>
-//
-// SPDX-License-Identifier: BSD-2-Clause-Patent
-//
-// **/
-
-#string STR_PROPERTIES_MODULE_NAME
-#language en-US
-"IpSec DXE"
-
-
diff --git a/NetworkPkg/IpSecDxe/IpSecImpl.c b/NetworkPkg/IpSecDxe/IpSecImpl.c deleted file mode 100644 index 32c806486b..0000000000 --- a/NetworkPkg/IpSecDxe/IpSecImpl.c +++ /dev/null @@ -1,2178 +0,0 @@ -/** @file
- The implementation of IPsec.
-
- (C) Copyright 2015 Hewlett-Packard Development Company, L.P.<BR>
- Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
-
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#include "IpSecImpl.h"
-#include "IkeService.h"
-#include "IpSecDebug.h"
-#include "IpSecCryptIo.h"
-#include "IpSecConfigImpl.h"
-
-/**
- Check if the specified Address is the Valid Address Range.
-
- This function checks if the bytes after prefixed length are all Zero in this
- Address. This Address is supposed to point to a range address. That means it
- should gives the correct prefixed address and the bytes outside the prefixed are
- zero.
-
- @param[in] IpVersion The IP version.
- @param[in] Address Points to EFI_IP_ADDRESS to be checked.
- @param[in] PrefixLength The PrefixeLength of this address.
-
- @retval TRUE The address is a vaild address range.
- @retval FALSE The address is not a vaild address range.
-
-**/
-BOOLEAN
-IpSecValidAddressRange (
- IN UINT8 IpVersion,
- IN EFI_IP_ADDRESS *Address,
- IN UINT8 PrefixLength
- )
-{
- UINT8 Div;
- UINT8 Mod;
- UINT8 Mask;
- UINT8 AddrLen;
- UINT8 *Addr;
- EFI_IP_ADDRESS ZeroAddr;
-
- if (PrefixLength == 0) {
- return TRUE;
- }
-
- AddrLen = (UINT8) ((IpVersion == IP_VERSION_4) ? 32 : 128);
-
- if (AddrLen <= PrefixLength) {
- return FALSE;
- }
-
- Div = (UINT8) (PrefixLength / 8);
- Mod = (UINT8) (PrefixLength % 8);
- Addr = (UINT8 *) Address;
- ZeroMem (&ZeroAddr, sizeof (EFI_IP_ADDRESS));
-
- //
- // Check whether the mod part of host scope is zero or not.
- //
- if (Mod > 0) {
- Mask = (UINT8) (0xFF << (8 - Mod));
-
- if ((Addr[Div] | Mask) != Mask) {
- return FALSE;
- }
-
- Div++;
- }
- //
- // Check whether the div part of host scope is zero or not.
- //
- if (CompareMem (
- &Addr[Div],
- &ZeroAddr,
- sizeof (EFI_IP_ADDRESS) - Div
- ) != 0) {
- return FALSE;
- }
-
- return TRUE;
-}
-
-/**
- Extrct the Address Range from a Address.
-
- This function keep the prefix address and zero other part address.
-
- @param[in] Address Point to a specified address.
- @param[in] PrefixLength The prefix length.
- @param[out] Range Contain the return Address Range.
-
-**/
-VOID
-IpSecExtractAddressRange (
- IN EFI_IP_ADDRESS *Address,
- IN UINT8 PrefixLength,
- OUT EFI_IP_ADDRESS *Range
- )
-{
- UINT8 Div;
- UINT8 Mod;
- UINT8 Mask;
- UINT8 *Addr;
-
- if (PrefixLength == 0) {
- return ;
- }
-
- Div = (UINT8) (PrefixLength / 8);
- Mod = (UINT8) (PrefixLength % 8);
- Addr = (UINT8 *) Range;
-
- CopyMem (Range, Address, sizeof (EFI_IP_ADDRESS));
-
- //
- // Zero the mod part of host scope.
- //
- if (Mod > 0) {
- Mask = (UINT8) (0xFF << (8 - Mod));
- Addr[Div] = (UINT8) (Addr[Div] & Mask);
- Div++;
- }
- //
- // Zero the div part of host scope.
- //
- ZeroMem (&Addr[Div], sizeof (EFI_IP_ADDRESS) - Div);
-
-}
-
-/**
- Checks if the IP Address in the address range of AddressInfos specified.
-
- @param[in] IpVersion The IP version.
- @param[in] IpAddr Point to EFI_IP_ADDRESS to be check.
- @param[in] AddressInfo A list of EFI_IP_ADDRESS_INFO that is used to check
- the IP Address is matched.
- @param[in] AddressCount The total numbers of the AddressInfo.
-
- @retval TRUE If the Specified IP Address is in the range of the AddressInfos specified.
- @retval FALSE If the Specified IP Address is not in the range of the AddressInfos specified.
-
-**/
-BOOLEAN
-IpSecMatchIpAddress (
- IN UINT8 IpVersion,
- IN EFI_IP_ADDRESS *IpAddr,
- IN EFI_IP_ADDRESS_INFO *AddressInfo,
- IN UINT32 AddressCount
- )
-{
- EFI_IP_ADDRESS Range;
- UINT32 Index;
- BOOLEAN IsMatch;
-
- IsMatch = FALSE;
-
- for (Index = 0; Index < AddressCount; Index++) {
- //
- // Check whether the target address is in the address range
- // if it's a valid range of address.
- //
- if (IpSecValidAddressRange (
- IpVersion,
- &AddressInfo[Index].Address,
- AddressInfo[Index].PrefixLength
- )) {
- //
- // Get the range of the target address belongs to.
- //
- ZeroMem (&Range, sizeof (EFI_IP_ADDRESS));
- IpSecExtractAddressRange (
- IpAddr,
- AddressInfo[Index].PrefixLength,
- &Range
- );
-
- if (CompareMem (
- &Range,
- &AddressInfo[Index].Address,
- sizeof (EFI_IP_ADDRESS)
- ) == 0) {
- //
- // The target address is in the address range.
- //
- IsMatch = TRUE;
- break;
- }
- }
-
- if (CompareMem (
- IpAddr,
- &AddressInfo[Index].Address,
- sizeof (EFI_IP_ADDRESS)
- ) == 0) {
- //
- // The target address is exact same as the address.
- //
- IsMatch = TRUE;
- break;
- }
- }
- return IsMatch;
-}
-
-/**
- Check if the specified Protocol and Prot is supported by the specified SPD Entry.
-
- This function is the subfunction of IPsecLookUpSpdEntry() that is used to
- check if the sent/received IKE packet has the related SPD entry support.
-
- @param[in] Protocol The Protocol to be checked.
- @param[in] IpPayload Point to IP Payload to be check.
- @param[in] SpdProtocol The Protocol supported by SPD.
- @param[in] SpdLocalPort The Local Port in SPD.
- @param[in] SpdRemotePort The Remote Port in SPD.
- @param[in] IsOutbound Flag to indicate the is for IKE Packet sending or recieving.
-
- @retval TRUE The Protocol and Port are supported by the SPD Entry.
- @retval FALSE The Protocol and Port are not supported by the SPD Entry.
-
-**/
-BOOLEAN
-IpSecMatchNextLayerProtocol (
- IN UINT8 Protocol,
- IN UINT8 *IpPayload,
- IN UINT16 SpdProtocol,
- IN UINT16 SpdLocalPort,
- IN UINT16 SpdRemotePort,
- IN BOOLEAN IsOutbound
- )
-{
- BOOLEAN IsMatch;
-
- if (SpdProtocol == EFI_IPSEC_ANY_PROTOCOL) {
- return TRUE;
- }
-
- IsMatch = FALSE;
-
- if (SpdProtocol == Protocol) {
- switch (Protocol) {
- case EFI_IP_PROTO_UDP:
- case EFI_IP_PROTO_TCP:
- //
- // For udp and tcp, (0, 0) means no need to check local and remote
- // port. The payload is passed from upper level, which means it should
- // be in network order.
- //
- IsMatch = (BOOLEAN) (SpdLocalPort == 0 && SpdRemotePort == 0);
- IsMatch = (BOOLEAN) (IsMatch ||
- (IsOutbound &&
- (BOOLEAN)(
- NTOHS (((EFI_UDP_HEADER *) IpPayload)->SrcPort) == SpdLocalPort &&
- NTOHS (((EFI_UDP_HEADER *) IpPayload)->DstPort) == SpdRemotePort
- )
- ));
-
- IsMatch = (BOOLEAN) (IsMatch ||
- (!IsOutbound &&
- (BOOLEAN)(
- NTOHS (((EFI_UDP_HEADER *) IpPayload)->DstPort) == SpdLocalPort &&
- NTOHS (((EFI_UDP_HEADER *) IpPayload)->SrcPort) == SpdRemotePort
- )
- ));
- break;
-
- case EFI_IP_PROTO_ICMP:
- //
- // For icmpv4, type code is replaced with local port and remote port,
- // and (0, 0) means no need to check.
- //
- IsMatch = (BOOLEAN) (SpdLocalPort == 0 && SpdRemotePort == 0);
- IsMatch = (BOOLEAN) (IsMatch ||
- (BOOLEAN) (((IP4_ICMP_HEAD *) IpPayload)->Type == SpdLocalPort &&
- ((IP4_ICMP_HEAD *) IpPayload)->Code == SpdRemotePort
- )
- );
- break;
-
- case IP6_ICMP:
- //
- // For icmpv6, type code is replaced with local port and remote port,
- // and (0, 0) means no need to check.
- //
- IsMatch = (BOOLEAN) (SpdLocalPort == 0 && SpdRemotePort == 0);
-
- IsMatch = (BOOLEAN) (IsMatch ||
- (BOOLEAN) (((IP6_ICMP_HEAD *) IpPayload)->Type == SpdLocalPort &&
- ((IP6_ICMP_HEAD *) IpPayload)->Code == SpdRemotePort
- )
- );
- break;
-
- default:
- IsMatch = TRUE;
- break;
- }
- }
-
- return IsMatch;
-}
-
-/**
- Find the SAD through a specified SPD's SAD list.
-
- @param[in] SadList SAD list related to a specified SPD entry.
- @param[in] DestAddress The destination address used to find the SAD entry.
- @param[in] IpVersion The IP version. Ip4 or Ip6.
-
- @return The pointer to a certain SAD entry.
-
-**/
-IPSEC_SAD_ENTRY *
-IpSecLookupSadBySpd (
- IN LIST_ENTRY *SadList,
- IN EFI_IP_ADDRESS *DestAddress,
- IN UINT8 IpVersion
- )
-{
- LIST_ENTRY *Entry;
- IPSEC_SAD_ENTRY *SadEntry;
-
- NET_LIST_FOR_EACH (Entry, SadList) {
-
- SadEntry = IPSEC_SAD_ENTRY_FROM_SPD (Entry);
- //
- // Find the right SAD entry which contains the appointed dest address.
- //
- if (IpSecMatchIpAddress (
- IpVersion,
- DestAddress,
- SadEntry->Data->SpdSelector->RemoteAddress,
- SadEntry->Data->SpdSelector->RemoteAddressCount
- )){
- return SadEntry;
- }
- }
-
- return NULL;
-}
-
-/**
- Find the SAD through whole SAD list.
-
- @param[in] Spi The SPI used to search the SAD entry.
- @param[in] DestAddress The destination used to search the SAD entry.
- @param[in] IpVersion The IP version. Ip4 or Ip6.
-
- @return the pointer to a certain SAD entry.
-
-**/
-IPSEC_SAD_ENTRY *
-IpSecLookupSadBySpi (
- IN UINT32 Spi,
- IN EFI_IP_ADDRESS *DestAddress,
- IN UINT8 IpVersion
- )
-{
- LIST_ENTRY *Entry;
- LIST_ENTRY *SadList;
- IPSEC_SAD_ENTRY *SadEntry;
-
- SadList = &mConfigData[IPsecConfigDataTypeSad];
-
- NET_LIST_FOR_EACH (Entry, SadList) {
-
- SadEntry = IPSEC_SAD_ENTRY_FROM_LIST (Entry);
-
- //
- // Find the right SAD entry which contain the appointed spi and dest addr.
- //
- if (SadEntry->Id->Spi == Spi) {
- if (SadEntry->Data->Mode == EfiIPsecTunnel) {
- if (CompareMem (
- &DestAddress,
- &SadEntry->Data->TunnelDestAddress,
- sizeof (EFI_IP_ADDRESS)
- )) {
- return SadEntry;
- }
- } else {
- if (SadEntry->Data->SpdSelector != NULL &&
- IpSecMatchIpAddress (
- IpVersion,
- DestAddress,
- SadEntry->Data->SpdSelector->RemoteAddress,
- SadEntry->Data->SpdSelector->RemoteAddressCount
- )
- ) {
- return SadEntry;
- }
- }
- }
- }
- return NULL;
-}
-
-/**
- Look up if there is existing SAD entry for specified IP packet sending.
-
- This function is called by the IPsecProcess when there is some IP packet needed to
- send out. This function checks if there is an existing SAD entry that can be serviced
- to this IP packet sending. If no existing SAD entry could be used, this
- function will invoke an IPsec Key Exchange Negotiation.
-
- @param[in] Private Points to private data.
- @param[in] NicHandle Points to a NIC handle.
- @param[in] IpVersion The version of IP.
- @param[in] IpHead The IP Header of packet to be sent out.
- @param[in] IpPayload The IP Payload to be sent out.
- @param[in] OldLastHead The Last protocol of the IP packet.
- @param[in] SpdEntry Points to a related SPD entry.
- @param[out] SadEntry Contains the Point of a related SAD entry.
-
- @retval EFI_DEVICE_ERROR One of following conditions is TRUE:
- - If don't find related UDP service.
- - Sequence Number is used up.
- - Extension Sequence Number is used up.
- @retval EFI_NOT_READY No existing SAD entry could be used.
- @retval EFI_SUCCESS Find the related SAD entry.
-
-**/
-EFI_STATUS
-IpSecLookupSadEntry (
- IN IPSEC_PRIVATE_DATA *Private,
- IN EFI_HANDLE NicHandle,
- IN UINT8 IpVersion,
- IN VOID *IpHead,
- IN UINT8 *IpPayload,
- IN UINT8 OldLastHead,
- IN IPSEC_SPD_ENTRY *SpdEntry,
- OUT IPSEC_SAD_ENTRY **SadEntry
- )
-{
- IKE_UDP_SERVICE *UdpService;
- IPSEC_SAD_ENTRY *Entry;
- IPSEC_SAD_DATA *Data;
- EFI_IP_ADDRESS DestIp;
- UINT32 SeqNum32;
-
- *SadEntry = NULL;
- UdpService = IkeLookupUdp (Private, NicHandle, IpVersion);
-
- if (UdpService == NULL) {
- return EFI_DEVICE_ERROR;
- }
- //
- // Parse the destination address from ip header.
- //
- ZeroMem (&DestIp, sizeof (EFI_IP_ADDRESS));
- if (IpVersion == IP_VERSION_4) {
- CopyMem (
- &DestIp,
- &((IP4_HEAD *) IpHead)->Dst,
- sizeof (IP4_ADDR)
- );
- } else {
- CopyMem (
- &DestIp,
- &((EFI_IP6_HEADER *) IpHead)->DestinationAddress,
- sizeof (EFI_IP_ADDRESS)
- );
- }
-
- //
- // Find the SAD entry in the spd.sas list according to the dest address.
- //
- Entry = IpSecLookupSadBySpd (&SpdEntry->Data->Sas, &DestIp, IpVersion);
-
- if (Entry == NULL) {
- if (OldLastHead != IP6_ICMP ||
- (OldLastHead == IP6_ICMP && *IpPayload == ICMP_V6_ECHO_REQUEST)
- ) {
- //
- // Start ike negotiation process except the request packet of ping.
- //
- if (SpdEntry->Data->ProcessingPolicy->Mode == EfiIPsecTunnel) {
- IkeNegotiate (
- UdpService,
- SpdEntry,
- &SpdEntry->Data->ProcessingPolicy->TunnelOption->RemoteTunnelAddress
- );
- } else {
- IkeNegotiate (
- UdpService,
- SpdEntry,
- &DestIp
- );
- }
-
- }
-
- return EFI_NOT_READY;
- }
-
- Data = Entry->Data;
-
- if (!Data->ManualSet) {
- if (Data->ESNEnabled) {
- //
- // Validate the 64bit sn number if 64bit sn enabled.
- //
- if ((UINT64) (Data->SequenceNumber + 1) == 0) {
- //
- // TODO: Re-negotiate SA
- //
- return EFI_DEVICE_ERROR;
- }
- } else {
- //
- // Validate the 32bit sn number if 64bit sn disabled.
- //
- SeqNum32 = (UINT32) Data->SequenceNumber;
- if ((UINT32) (SeqNum32 + 1) == 0) {
- //
- // TODO: Re-negotiate SA
- //
- return EFI_DEVICE_ERROR;
- }
- }
- }
-
- *SadEntry = Entry;
-
- return EFI_SUCCESS;
-}
-
-/**
- Find a PAD entry according to a remote IP address.
-
- @param[in] IpVersion The version of IP.
- @param[in] IpAddr Points to remote IP address.
-
- @return the pointer of related PAD entry.
-
-**/
-IPSEC_PAD_ENTRY *
-IpSecLookupPadEntry (
- IN UINT8 IpVersion,
- IN EFI_IP_ADDRESS *IpAddr
- )
-{
- LIST_ENTRY *PadList;
- LIST_ENTRY *Entry;
- EFI_IP_ADDRESS_INFO *IpAddrInfo;
- IPSEC_PAD_ENTRY *PadEntry;
-
- PadList = &mConfigData[IPsecConfigDataTypePad];
-
- for (Entry = PadList->ForwardLink; Entry != PadList; Entry = Entry->ForwardLink) {
-
- PadEntry = IPSEC_PAD_ENTRY_FROM_LIST (Entry);
- IpAddrInfo = &PadEntry->Id->Id.IpAddress;
- //
- // Find the right pad entry which contain the appointed dest addr.
- //
- if (IpSecMatchIpAddress (IpVersion, IpAddr, IpAddrInfo, 1)) {
- return PadEntry;
- }
- }
-
- return NULL;
-}
-
-/**
- Check if the specified IP packet can be serviced by this SPD entry.
-
- @param[in] SpdEntry Point to SPD entry.
- @param[in] IpVersion Version of IP.
- @param[in] IpHead Point to IP header.
- @param[in] IpPayload Point to IP payload.
- @param[in] Protocol The Last protocol of IP packet.
- @param[in] IsOutbound Traffic direction.
- @param[out] Action The support action of SPD entry.
-
- @retval EFI_SUCCESS Find the related SPD.
- @retval EFI_NOT_FOUND Not find the related SPD entry;
-
-**/
-EFI_STATUS
-IpSecLookupSpdEntry (
- IN IPSEC_SPD_ENTRY *SpdEntry,
- IN UINT8 IpVersion,
- IN VOID *IpHead,
- IN UINT8 *IpPayload,
- IN UINT8 Protocol,
- IN BOOLEAN IsOutbound,
- OUT EFI_IPSEC_ACTION *Action
- )
-{
- EFI_IPSEC_SPD_SELECTOR *SpdSel;
- IP4_HEAD *Ip4;
- EFI_IP6_HEADER *Ip6;
- EFI_IP_ADDRESS SrcAddr;
- EFI_IP_ADDRESS DstAddr;
- BOOLEAN SpdMatch;
-
- ASSERT (SpdEntry != NULL);
- SpdSel = SpdEntry->Selector;
- Ip4 = (IP4_HEAD *) IpHead;
- Ip6 = (EFI_IP6_HEADER *) IpHead;
-
- ZeroMem (&SrcAddr, sizeof (EFI_IP_ADDRESS));
- ZeroMem (&DstAddr, sizeof (EFI_IP_ADDRESS));
-
- //
- // Parse the source and destination address from ip header.
- //
- if (IpVersion == IP_VERSION_4) {
- CopyMem (&SrcAddr, &Ip4->Src, sizeof (IP4_ADDR));
- CopyMem (&DstAddr, &Ip4->Dst, sizeof (IP4_ADDR));
- } else {
- CopyMem (&SrcAddr, &Ip6->SourceAddress, sizeof (EFI_IPv6_ADDRESS));
- CopyMem (&DstAddr, &Ip6->DestinationAddress, sizeof (EFI_IPv6_ADDRESS));
- }
- //
- // Check the local and remote addresses for outbound traffic
- //
- SpdMatch = (BOOLEAN)(IsOutbound &&
- IpSecMatchIpAddress (
- IpVersion,
- &SrcAddr,
- SpdSel->LocalAddress,
- SpdSel->LocalAddressCount
- ) &&
- IpSecMatchIpAddress (
- IpVersion,
- &DstAddr,
- SpdSel->RemoteAddress,
- SpdSel->RemoteAddressCount
- )
- );
-
- //
- // Check the local and remote addresses for inbound traffic
- //
- SpdMatch = (BOOLEAN) (SpdMatch ||
- (!IsOutbound &&
- IpSecMatchIpAddress (
- IpVersion,
- &DstAddr,
- SpdSel->LocalAddress,
- SpdSel->LocalAddressCount
- ) &&
- IpSecMatchIpAddress (
- IpVersion,
- &SrcAddr,
- SpdSel->RemoteAddress,
- SpdSel->RemoteAddressCount
- )
- ));
-
- //
- // Check the next layer protocol and local and remote ports.
- //
- SpdMatch = (BOOLEAN) (SpdMatch &&
- IpSecMatchNextLayerProtocol (
- Protocol,
- IpPayload,
- SpdSel->NextLayerProtocol,
- SpdSel->LocalPort,
- SpdSel->RemotePort,
- IsOutbound
- )
- );
-
- if (SpdMatch) {
- //
- // Find the right SPD entry if match the 5 key elements.
- //
- *Action = SpdEntry->Data->Action;
- return EFI_SUCCESS;
- }
-
- return EFI_NOT_FOUND;
-}
-
-/**
- The call back function of NetbufFromExt.
-
- @param[in] Arg The argument passed from the caller.
-
-**/
-VOID
-EFIAPI
-IpSecOnRecyclePacket (
- IN VOID *Arg
- )
-{
-}
-
-/**
- This is a Notification function. It is called when the related IP6_TXTOKEN_WRAP
- is released.
-
- @param[in] Event The related event.
- @param[in] Context The data passed by the caller.
-
-**/
-VOID
-EFIAPI
-IpSecRecycleCallback (
- IN EFI_EVENT Event,
- IN VOID *Context
- )
-{
- IPSEC_RECYCLE_CONTEXT *RecycleContext;
-
- RecycleContext = (IPSEC_RECYCLE_CONTEXT *) Context;
-
- if (RecycleContext->FragmentTable != NULL) {
- FreePool (RecycleContext->FragmentTable);
- }
-
- if (RecycleContext->PayloadBuffer != NULL) {
- FreePool (RecycleContext->PayloadBuffer);
- }
-
- FreePool (RecycleContext);
- gBS->CloseEvent (Event);
-
-}
-
-/**
- Calculate the extension hader of IP. The return length only doesn't contain
- the fixed IP header length.
-
- @param[in] IpHead Points to an IP head to be calculated.
- @param[in] LastHead Points to the last header of the IP header.
-
- @return The length of the extension header.
-
-**/
-UINT16
-IpSecGetPlainExtHeadSize (
- IN VOID *IpHead,
- IN UINT8 *LastHead
- )
-{
- UINT16 Size;
-
- Size = (UINT16) (LastHead - (UINT8 *) IpHead);
-
- if (Size > sizeof (EFI_IP6_HEADER)) {
- //
- // * (LastHead+1) point the last header's length but not include the first
- // 8 octers, so this formluation add 8 at the end.
- //
- Size = (UINT16) (Size - sizeof (EFI_IP6_HEADER) + *(LastHead + 1) + 8);
- } else {
- Size = 0;
- }
-
- return Size;
-}
-
-/**
- Verify if the Authentication payload is correct.
-
- @param[in] EspBuffer Points to the ESP wrapped buffer.
- @param[in] EspSize The size of the ESP wrapped buffer.
- @param[in] SadEntry The related SAD entry to store the authentication
- algorithm key.
- @param[in] IcvSize The length of ICV.
-
- @retval EFI_SUCCESS The authentication data is correct.
- @retval EFI_ACCESS_DENIED The authentication data is not correct.
-
-**/
-EFI_STATUS
-IpSecEspAuthVerifyPayload (
- IN UINT8 *EspBuffer,
- IN UINTN EspSize,
- IN IPSEC_SAD_ENTRY *SadEntry,
- IN UINTN IcvSize
- )
-{
- EFI_STATUS Status;
- UINTN AuthSize;
- UINT8 IcvBuffer[12];
- HASH_DATA_FRAGMENT HashFragment[1];
-
- //
- // Calculate the size of authentication payload.
- //
- AuthSize = EspSize - IcvSize;
-
- //
- // Calculate the icv buffer and size of the payload.
- //
- HashFragment[0].Data = EspBuffer;
- HashFragment[0].DataSize = AuthSize;
-
- Status = IpSecCryptoIoHmac (
- SadEntry->Data->AlgoInfo.EspAlgoInfo.AuthAlgoId,
- SadEntry->Data->AlgoInfo.EspAlgoInfo.AuthKey,
- SadEntry->Data->AlgoInfo.EspAlgoInfo.AuthKeyLength,
- HashFragment,
- 1,
- IcvBuffer,
- IcvSize
- );
- if (EFI_ERROR (Status)) {
- return Status;
- }
-
- //
- // Compare the calculated icv and the appended original icv.
- //
- if (CompareMem (EspBuffer + AuthSize, IcvBuffer, IcvSize) == 0) {
- return EFI_SUCCESS;
- }
-
- DEBUG ((DEBUG_ERROR, "Error auth verify payload\n"));
- return EFI_ACCESS_DENIED;
-}
-
-/**
- Search the related SAD entry by the input .
-
- @param[in] IpHead The pointer to IP header.
- @param[in] IpVersion The version of IP (IP4 or IP6).
- @param[in] Spi The SPI used to search the related SAD entry.
-
-
- @retval NULL Not find the related SAD entry.
- @retval IPSEC_SAD_ENTRY Return the related SAD entry.
-
-**/
-IPSEC_SAD_ENTRY *
-IpSecFoundSadFromInboundPacket (
- UINT8 *IpHead,
- UINT8 IpVersion,
- UINT32 Spi
- )
-{
- EFI_IP_ADDRESS DestIp;
-
- //
- // Parse destination address from ip header.
- //
- ZeroMem (&DestIp, sizeof (EFI_IP_ADDRESS));
- if (IpVersion == IP_VERSION_4) {
- CopyMem (
- &DestIp,
- &((IP4_HEAD *) IpHead)->Dst,
- sizeof (IP4_ADDR)
- );
- } else {
- CopyMem (
- &DestIp,
- &((EFI_IP6_HEADER *) IpHead)->DestinationAddress,
- sizeof (EFI_IPv6_ADDRESS)
- );
- }
-
- //
- // Lookup SAD entry according to the spi and dest address.
- //
- return IpSecLookupSadBySpi (Spi, &DestIp, IpVersion);
-}
-
-/**
- Validate the IP6 extension header format for both the packets we received
- and that we will transmit.
-
- @param[in] NextHeader The next header field in IPv6 basic header.
- @param[in] ExtHdrs The first bye of the option.
- @param[in] ExtHdrsLen The length of the whole option.
- @param[out] LastHeader The pointer of NextHeader of the last extension
- header processed by IP6.
- @param[out] RealExtsLen The length of extension headers processed by IP6 layer.
- This is an optional parameter that may be NULL.
-
- @retval TRUE The option is properly formated.
- @retval FALSE The option is malformated.
-
-**/
-BOOLEAN
-IpSecIsIp6ExtsValid (
- IN UINT8 *NextHeader,
- IN UINT8 *ExtHdrs,
- IN UINT32 ExtHdrsLen,
- OUT UINT8 **LastHeader,
- OUT UINT32 *RealExtsLen OPTIONAL
- )
-{
- UINT32 Pointer;
- UINT8 *Option;
- UINT8 OptionLen;
- UINT8 CountD;
- UINT8 CountF;
- UINT8 CountA;
-
- if (RealExtsLen != NULL) {
- *RealExtsLen = 0;
- }
-
- *LastHeader = NextHeader;
-
- if (ExtHdrs == NULL && ExtHdrsLen == 0) {
- return TRUE;
- }
-
- if ((ExtHdrs == NULL && ExtHdrsLen != 0) || (ExtHdrs != NULL && ExtHdrsLen == 0)) {
- return FALSE;
- }
-
- Pointer = 0;
- CountD = 0;
- CountF = 0;
- CountA = 0;
-
- while (Pointer <= ExtHdrsLen) {
-
- switch (*NextHeader) {
- case IP6_HOP_BY_HOP:
- if (Pointer != 0) {
- return FALSE;
- }
-
- //
- // Fall through
- //
- case IP6_DESTINATION:
- if (*NextHeader == IP6_DESTINATION) {
- CountD++;
- }
-
- if (CountD > 2) {
- return FALSE;
- }
-
- NextHeader = ExtHdrs + Pointer;
-
- Pointer++;
- Option = ExtHdrs + Pointer;
- OptionLen = (UINT8) ((*Option + 1) * 8 - 2);
- Option++;
- Pointer++;
-
- Pointer = Pointer + OptionLen;
- break;
-
- case IP6_FRAGMENT:
- if (++CountF > 1) {
- return FALSE;
- }
- //
- // RFC2402, AH header should after fragment header.
- //
- if (CountA > 1) {
- return FALSE;
- }
-
- NextHeader = ExtHdrs + Pointer;
- Pointer = Pointer + 8;
- break;
-
- case IP6_AH:
- if (++CountA > 1) {
- return FALSE;
- }
-
- Option = ExtHdrs + Pointer;
- NextHeader = Option;
- Option++;
- //
- // RFC2402, Payload length is specified in 32-bit words, minus "2".
- //
- OptionLen = (UINT8) ((*Option + 2) * 4);
- Pointer = Pointer + OptionLen;
- break;
-
- default:
- *LastHeader = NextHeader;
- if (RealExtsLen != NULL) {
- *RealExtsLen = Pointer;
- }
-
- return TRUE;
- }
- }
-
- *LastHeader = NextHeader;
-
- if (RealExtsLen != NULL) {
- *RealExtsLen = Pointer;
- }
-
- return TRUE;
-}
-
-/**
- The actual entry to process the tunnel header and inner header for tunnel mode
- outbound traffic.
-
- This function is the subfunction of IpSecEspInboundPacket(). It change the destination
- Ip address to the station address and recalculate the uplayyer's checksum.
-
-
- @param[in, out] IpHead Points to the IP header containing the ESP header
- to be trimed on input, and without ESP header
- on return.
- @param[in] IpPayload The decrypted Ip payload. It start from the inner
- header.
- @param[in] IpVersion The version of IP.
- @param[in] SadData Pointer of the relevant SAD.
- @param[in, out] LastHead The Last Header in IP header on return.
-
-**/
-VOID
-IpSecTunnelInboundPacket (
- IN OUT UINT8 *IpHead,
- IN UINT8 *IpPayload,
- IN UINT8 IpVersion,
- IN IPSEC_SAD_DATA *SadData,
- IN OUT UINT8 *LastHead
- )
-{
- EFI_UDP_HEADER *UdpHeader;
- TCP_HEAD *TcpHeader;
- UINT16 *Checksum;
- UINT16 PseudoChecksum;
- UINT16 PacketChecksum;
- UINT32 OptionLen;
- IP6_ICMP_HEAD *Icmp6Head;
-
- Checksum = NULL;
-
- if (IpVersion == IP_VERSION_4) {
- //
- // Zero OutIP header use this to indicate the input packet is under
- // IPsec Tunnel protected.
- //
- ZeroMem (
- (IP4_HEAD *)IpHead,
- sizeof (IP4_HEAD)
- );
- CopyMem (
- &((IP4_HEAD *)IpPayload)->Dst,
- &SadData->TunnelDestAddress.v4,
- sizeof (EFI_IPv4_ADDRESS)
- );
-
- //
- // Recalculate IpHeader Checksum
- //
- if (((IP4_HEAD *)(IpPayload))->Checksum != 0 ) {
- ((IP4_HEAD *)(IpPayload))->Checksum = 0;
- ((IP4_HEAD *)(IpPayload))->Checksum = (UINT16) (~NetblockChecksum (
- (UINT8 *)IpPayload,
- ((IP4_HEAD *)IpPayload)->HeadLen << 2
- ));
-
-
- }
-
- //
- // Recalcualte PseudoChecksum
- //
- switch (((IP4_HEAD *)IpPayload)->Protocol) {
- case EFI_IP_PROTO_UDP :
- UdpHeader = (EFI_UDP_HEADER *)((UINT8 *)IpPayload + (((IP4_HEAD *)IpPayload)->HeadLen << 2));
- Checksum = & UdpHeader->Checksum;
- *Checksum = 0;
- break;
-
- case EFI_IP_PROTO_TCP:
- TcpHeader = (TCP_HEAD *) ((UINT8 *)IpPayload + (((IP4_HEAD *)IpPayload)->HeadLen << 2));
- Checksum = &TcpHeader->Checksum;
- *Checksum = 0;
- break;
-
- default:
- break;
- }
- PacketChecksum = NetblockChecksum (
- (UINT8 *)IpPayload + (((IP4_HEAD *)IpPayload)->HeadLen << 2),
- NTOHS (((IP4_HEAD *)IpPayload)->TotalLen) - (((IP4_HEAD *)IpPayload)->HeadLen << 2)
- );
- PseudoChecksum = NetPseudoHeadChecksum (
- ((IP4_HEAD *)IpPayload)->Src,
- ((IP4_HEAD *)IpPayload)->Dst,
- ((IP4_HEAD *)IpPayload)->Protocol,
- 0
- );
-
- if (Checksum != NULL) {
- *Checksum = NetAddChecksum (PacketChecksum, PseudoChecksum);
- *Checksum = (UINT16) ~(NetAddChecksum (*Checksum, HTONS((UINT16)(NTOHS (((IP4_HEAD *)IpPayload)->TotalLen) - (((IP4_HEAD *)IpPayload)->HeadLen << 2)))));
- }
- }else {
- //
- // Zero OutIP header use this to indicate the input packet is under
- // IPsec Tunnel protected.
- //
- ZeroMem (
- IpHead,
- sizeof (EFI_IP6_HEADER)
- );
- CopyMem (
- &((EFI_IP6_HEADER*)IpPayload)->DestinationAddress,
- &SadData->TunnelDestAddress.v6,
- sizeof (EFI_IPv6_ADDRESS)
- );
-
- //
- // Get the Extension Header and Header length.
- //
- IpSecIsIp6ExtsValid (
- &((EFI_IP6_HEADER *)IpPayload)->NextHeader,
- IpPayload + sizeof (EFI_IP6_HEADER),
- ((EFI_IP6_HEADER *)IpPayload)->PayloadLength,
- &LastHead,
- &OptionLen
- );
-
- //
- // Recalcualte PseudoChecksum
- //
- switch (*LastHead) {
- case EFI_IP_PROTO_UDP:
- UdpHeader = (EFI_UDP_HEADER *)((UINT8 *)IpPayload + sizeof (EFI_IP6_HEADER) + OptionLen);
- Checksum = &UdpHeader->Checksum;
- *Checksum = 0;
- break;
-
- case EFI_IP_PROTO_TCP:
- TcpHeader = (TCP_HEAD *)(IpPayload + sizeof (EFI_IP6_HEADER) + OptionLen);
- Checksum = &TcpHeader->Checksum;
- *Checksum = 0;
- break;
-
- case IP6_ICMP:
- Icmp6Head = (IP6_ICMP_HEAD *) (IpPayload + sizeof (EFI_IP6_HEADER) + OptionLen);
- Checksum = &Icmp6Head->Checksum;
- *Checksum = 0;
- break;
- }
- PacketChecksum = NetblockChecksum (
- IpPayload + sizeof (EFI_IP6_HEADER) + OptionLen,
- NTOHS(((EFI_IP6_HEADER *)IpPayload)->PayloadLength) - OptionLen
- );
- PseudoChecksum = NetIp6PseudoHeadChecksum (
- &((EFI_IP6_HEADER *)IpPayload)->SourceAddress,
- &((EFI_IP6_HEADER *)IpPayload)->DestinationAddress,
- *LastHead,
- 0
- );
-
- if (Checksum != NULL) {
- *Checksum = NetAddChecksum (PacketChecksum, PseudoChecksum);
- *Checksum = (UINT16) ~(NetAddChecksum (
- *Checksum,
- HTONS ((UINT16)((NTOHS (((EFI_IP6_HEADER *)(IpPayload))->PayloadLength)) - OptionLen))
- ));
- }
- }
-}
-
-/**
- The actual entry to create inner header for tunnel mode inbound traffic.
-
- This function is the subfunction of IpSecEspOutboundPacket(). It create
- the sending packet by encrypting its payload and inserting ESP header in the orginal
- IP header, then return the IpHeader and IPsec protected Fragmentable.
-
- @param[in, out] IpHead Points to IP header containing the orginal IP header
- to be processed on input, and inserted ESP header
- on return.
- @param[in] IpVersion The version of IP.
- @param[in] SadData The related SAD data.
- @param[in, out] LastHead The Last Header in IP header.
- @param[in] OptionsBuffer Pointer to the options buffer.
- @param[in] OptionsLength Length of the options buffer.
- @param[in, out] FragmentTable Pointer to a list of fragments to be protected by
- IPsec on input, and with IPsec protected
- on return.
- @param[in] FragmentCount The number of fragments.
-
-**/
-UINT8 *
-IpSecTunnelOutboundPacket (
- IN OUT UINT8 *IpHead,
- IN UINT8 IpVersion,
- IN IPSEC_SAD_DATA *SadData,
- IN OUT UINT8 *LastHead,
- IN VOID **OptionsBuffer,
- IN UINT32 *OptionsLength,
- IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable,
- IN UINT32 *FragmentCount
- )
-{
- UINT8 *InnerHead;
- NET_BUF *Packet;
- UINT16 PacketChecksum;
- UINT16 *Checksum;
- UINT16 PseudoChecksum;
- IP6_ICMP_HEAD *IcmpHead;
-
- Checksum = NULL;
- if (OptionsLength == NULL) {
- return NULL;
- }
-
- if (IpVersion == IP_VERSION_4) {
- InnerHead = AllocateZeroPool (sizeof (IP4_HEAD) + *OptionsLength);
- if (InnerHead == NULL) {
- return NULL;
- }
-
- CopyMem (
- InnerHead,
- IpHead,
- sizeof (IP4_HEAD)
- );
- CopyMem (
- InnerHead + sizeof (IP4_HEAD),
- *OptionsBuffer,
- *OptionsLength
- );
- } else {
- InnerHead = AllocateZeroPool (sizeof (EFI_IP6_HEADER) + *OptionsLength);
- if (InnerHead == NULL) {
- return NULL;
- }
-
- CopyMem (
- InnerHead,
- IpHead,
- sizeof (EFI_IP6_HEADER)
- );
- CopyMem (
- InnerHead + sizeof (EFI_IP6_HEADER),
- *OptionsBuffer,
- *OptionsLength
- );
- }
- if (OptionsBuffer != NULL) {
- if (*OptionsLength != 0) {
-
- *OptionsBuffer = NULL;
- *OptionsLength = 0;
- }
- }
-
- //
- // 2. Reassamlbe Fragment into Packet
- //
- Packet = NetbufFromExt (
- (NET_FRAGMENT *)(*FragmentTable),
- *FragmentCount,
- 0,
- 0,
- IpSecOnRecyclePacket,
- NULL
- );
- if (Packet == NULL) {
- FreePool (InnerHead);
- return NULL;
- }
-
- //
- // 3. Check the Last Header, if it is TCP, UDP or ICMP recalcualate its pesudo
- // CheckSum.
- //
- switch (*LastHead) {
- case EFI_IP_PROTO_UDP:
- Packet->Udp = (EFI_UDP_HEADER *) NetbufGetByte (Packet, 0, 0);
- ASSERT (Packet->Udp != NULL);
- Checksum = &Packet->Udp->Checksum;
- *Checksum = 0;
- break;
-
- case EFI_IP_PROTO_TCP:
- Packet->Tcp = (TCP_HEAD *) NetbufGetByte (Packet, 0, 0);
- ASSERT (Packet->Tcp != NULL);
- Checksum = &Packet->Tcp->Checksum;
- *Checksum = 0;
- break;
-
- case IP6_ICMP:
- IcmpHead = (IP6_ICMP_HEAD *) NetbufGetByte (Packet, 0, NULL);
- ASSERT (IcmpHead != NULL);
- Checksum = &IcmpHead->Checksum;
- *Checksum = 0;
- break;
-
- default:
- break;
- }
-
- PacketChecksum = NetbufChecksum (Packet);
-
- if (IpVersion == IP_VERSION_4) {
- //
- // Replace the source address of Inner Header.
- //
- CopyMem (
- &((IP4_HEAD *)InnerHead)->Src,
- &SadData->SpdSelector->LocalAddress[0].Address.v4,
- sizeof (EFI_IPv4_ADDRESS)
- );
-
- PacketChecksum = NetbufChecksum (Packet);
- PseudoChecksum = NetPseudoHeadChecksum (
- ((IP4_HEAD *)InnerHead)->Src,
- ((IP4_HEAD *)InnerHead)->Dst,
- *LastHead,
- 0
- );
-
- } else {
- //
- // Replace the source address of Inner Header.
- //
- CopyMem (
- &((EFI_IP6_HEADER *)InnerHead)->SourceAddress,
- &(SadData->SpdSelector->LocalAddress[0].Address.v6),
- sizeof (EFI_IPv6_ADDRESS)
- );
- PacketChecksum = NetbufChecksum (Packet);
- PseudoChecksum = NetIp6PseudoHeadChecksum (
- &((EFI_IP6_HEADER *)InnerHead)->SourceAddress,
- &((EFI_IP6_HEADER *)InnerHead)->DestinationAddress,
- *LastHead,
- 0
- );
-
- }
- if (Checksum != NULL) {
- *Checksum = NetAddChecksum (PacketChecksum, PseudoChecksum);
- *Checksum = (UINT16) ~(NetAddChecksum ((UINT16)*Checksum, HTONS ((UINT16) Packet->TotalSize)));
- }
-
- if (Packet != NULL) {
- NetbufFree (Packet);
- }
- return InnerHead;
-}
-
-/**
- The actual entry to relative function processes the inbound traffic of ESP header.
-
- This function is the subfunction of IpSecProtectInboundPacket(). It checks the
- received packet security property and trim the ESP header and then returns without
- an IPsec protected IP Header and FramgmentTable.
-
- @param[in] IpVersion The version of IP.
- @param[in, out] IpHead Points to the IP header containing the ESP header
- to be trimed on input, and without ESP header
- on return.
- @param[out] LastHead The Last Header in IP header on return.
- @param[in, out] OptionsBuffer Pointer to the options buffer.
- @param[in, out] OptionsLength Length of the options buffer.
- @param[in, out] FragmentTable Pointer to a list of fragments in the form of IPsec
- protected on input, and without IPsec protected
- on return.
- @param[in, out] FragmentCount The number of fragments.
- @param[out] SpdSelector Pointer to contain the address of SPD selector on return.
- @param[out] RecycleEvent The event for recycling of resources.
-
- @retval EFI_SUCCESS The operation was successful.
- @retval EFI_ACCESS_DENIED One or more following conditions is TRUE:
- - ESP header was not found or mal-format.
- - The related SAD entry was not found.
- - The related SAD entry does not support the ESP protocol.
- @retval EFI_OUT_OF_RESOURCES The required system resource can't be allocated.
-
-**/
-EFI_STATUS
-IpSecEspInboundPacket (
- IN UINT8 IpVersion,
- IN OUT VOID *IpHead,
- OUT UINT8 *LastHead,
- IN OUT VOID **OptionsBuffer,
- IN OUT UINT32 *OptionsLength,
- IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable,
- IN OUT UINT32 *FragmentCount,
- OUT EFI_IPSEC_SPD_SELECTOR **SpdSelector,
- OUT EFI_EVENT *RecycleEvent
- )
-{
- EFI_STATUS Status;
- NET_BUF *Payload;
- UINTN EspSize;
- UINTN IvSize;
- UINTN BlockSize;
- UINTN MiscSize;
- UINTN PlainPayloadSize;
- UINTN PaddingSize;
- UINTN IcvSize;
- UINT8 *ProcessBuffer;
- EFI_ESP_HEADER *EspHeader;
- EFI_ESP_TAIL *EspTail;
- EFI_IPSEC_SA_ID *SaId;
- IPSEC_SAD_DATA *SadData;
- IPSEC_SAD_ENTRY *SadEntry;
- IPSEC_RECYCLE_CONTEXT *RecycleContext;
- UINT8 NextHeader;
- UINT16 IpSecHeadSize;
- UINT8 *InnerHead;
-
- Status = EFI_SUCCESS;
- Payload = NULL;
- ProcessBuffer = NULL;
- RecycleContext = NULL;
- *RecycleEvent = NULL;
- PlainPayloadSize = 0;
- NextHeader = 0;
-
- //
- // Build netbuf from fragment table first.
- //
- Payload = NetbufFromExt (
- (NET_FRAGMENT *) *FragmentTable,
- *FragmentCount,
- 0,
- sizeof (EFI_ESP_HEADER),
- IpSecOnRecyclePacket,
- NULL
- );
- if (Payload == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto ON_EXIT;
- }
-
- //
- // Get the esp size and esp header from netbuf.
- //
- EspSize = Payload->TotalSize;
- EspHeader = (EFI_ESP_HEADER *) NetbufGetByte (Payload, 0, NULL);
-
- if (EspHeader == NULL) {
- Status = EFI_ACCESS_DENIED;
- goto ON_EXIT;
- }
-
- //
- // Parse destination address from ip header and found the related SAD Entry.
- //
- SadEntry = IpSecFoundSadFromInboundPacket (
- IpHead,
- IpVersion,
- NTOHL (EspHeader->Spi)
- );
-
- if (SadEntry == NULL) {
- Status = EFI_ACCESS_DENIED;
- goto ON_EXIT;
- }
-
- SaId = SadEntry->Id;
- SadData = SadEntry->Data;
-
- //
- // Only support esp protocol currently.
- //
- if (SaId->Proto != EfiIPsecESP) {
- Status = EFI_ACCESS_DENIED;
- goto ON_EXIT;
- }
-
- if (!SadData->ManualSet) {
- //
- // TODO: Check SA lifetime and sequence number
- //
- }
-
- //
- // Allocate buffer for decryption and authentication.
- //
- ProcessBuffer = AllocateZeroPool (EspSize);
- if (ProcessBuffer == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto ON_EXIT;
- }
-
- NetbufCopy (Payload, 0, (UINT32) EspSize, ProcessBuffer);
-
- //
- // Get the IcvSize for authentication and BlockSize/IvSize for Decryption.
- //
- IcvSize = IpSecGetIcvLength (SadEntry->Data->AlgoInfo.EspAlgoInfo.AuthAlgoId);
- IvSize = IpSecGetEncryptIvLength (SadEntry->Data->AlgoInfo.EspAlgoInfo.EncAlgoId);
- BlockSize = IpSecGetEncryptBlockSize (SadEntry->Data->AlgoInfo.EspAlgoInfo.EncAlgoId);
-
- //
- // Make sure the ESP packet is not mal-formt.
- // 1. Check whether the Espsize is larger than ESP header + IvSize + EspTail + IcvSize.
- // 2. Check whether the left payload size is multiple of IvSize.
- //
- MiscSize = sizeof (EFI_ESP_HEADER) + IvSize + IcvSize;
- if (EspSize <= (MiscSize + sizeof (EFI_ESP_TAIL))) {
- Status = EFI_ACCESS_DENIED;
- goto ON_EXIT;
- }
- if ((EspSize - MiscSize) % BlockSize != 0) {
- Status = EFI_ACCESS_DENIED;
- goto ON_EXIT;
- }
-
- //
- // Authenticate the ESP packet.
- //
- if (SadData->AlgoInfo.EspAlgoInfo.AuthKey != NULL) {
- Status = IpSecEspAuthVerifyPayload (
- ProcessBuffer,
- EspSize,
- SadEntry,
- IcvSize
- );
- if (EFI_ERROR (Status)) {
- goto ON_EXIT;
- }
- }
- //
- // Decrypt the payload by the SAD entry if it has decrypt key.
- //
- if (SadData->AlgoInfo.EspAlgoInfo.EncKey != NULL) {
- Status = IpSecCryptoIoDecrypt (
- SadEntry->Data->AlgoInfo.EspAlgoInfo.EncAlgoId,
- SadEntry->Data->AlgoInfo.EspAlgoInfo.EncKey,
- SadEntry->Data->AlgoInfo.EspAlgoInfo.EncKeyLength << 3,
- ProcessBuffer + sizeof (EFI_ESP_HEADER),
- ProcessBuffer + sizeof (EFI_ESP_HEADER) + IvSize,
- EspSize - sizeof (EFI_ESP_HEADER) - IvSize - IcvSize,
- ProcessBuffer + sizeof (EFI_ESP_HEADER) + IvSize
- );
- if (EFI_ERROR (Status)) {
- goto ON_EXIT;
- }
- }
-
- //
- // Parse EspTail and compute the plain payload size.
- //
- EspTail = (EFI_ESP_TAIL *) (ProcessBuffer + EspSize - IcvSize - sizeof (EFI_ESP_TAIL));
- PaddingSize = EspTail->PaddingLength;
- NextHeader = EspTail->NextHeader;
-
- if (EspSize <= (MiscSize + sizeof (EFI_ESP_TAIL) + PaddingSize)) {
- Status = EFI_ACCESS_DENIED;
- goto ON_EXIT;
- }
- PlainPayloadSize = EspSize - MiscSize - sizeof (EFI_ESP_TAIL) - PaddingSize;
-
- //
- // TODO: handle anti-replay window
- //
- //
- // Decryption and authentication with esp has been done, so it's time to
- // reload the new packet, create recycle event and fixup ip header.
- //
- RecycleContext = AllocateZeroPool (sizeof (IPSEC_RECYCLE_CONTEXT));
- if (RecycleContext == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto ON_EXIT;
- }
-
- Status = gBS->CreateEvent (
- EVT_NOTIFY_SIGNAL,
- TPL_NOTIFY,
- IpSecRecycleCallback,
- RecycleContext,
- RecycleEvent
- );
- if (EFI_ERROR (Status)) {
- goto ON_EXIT;
- }
-
- //
- // The caller will take responsible to handle the original fragment table
- //
- *FragmentTable = AllocateZeroPool (sizeof (EFI_IPSEC_FRAGMENT_DATA));
- if (*FragmentTable == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto ON_EXIT;
- }
-
- RecycleContext->PayloadBuffer = ProcessBuffer;
- RecycleContext->FragmentTable = *FragmentTable;
-
- //
- // If Tunnel, recalculate upper-layyer PesudoCheckSum and trim the out
- //
- if (SadData->Mode == EfiIPsecTunnel) {
- InnerHead = ProcessBuffer + sizeof (EFI_ESP_HEADER) + IvSize;
- IpSecTunnelInboundPacket (
- IpHead,
- InnerHead,
- IpVersion,
- SadData,
- LastHead
- );
-
- if (IpVersion == IP_VERSION_4) {
- (*FragmentTable)[0].FragmentBuffer = InnerHead ;
- (*FragmentTable)[0].FragmentLength = (UINT32) PlainPayloadSize;
-
- }else {
- (*FragmentTable)[0].FragmentBuffer = InnerHead;
- (*FragmentTable)[0].FragmentLength = (UINT32) PlainPayloadSize;
- }
- } else {
- (*FragmentTable)[0].FragmentBuffer = ProcessBuffer + sizeof (EFI_ESP_HEADER) + IvSize;
- (*FragmentTable)[0].FragmentLength = (UINT32) PlainPayloadSize;
- }
-
- *FragmentCount = 1;
-
- //
- // Update the total length field in ip header since processed by esp.
- //
- if (SadData->Mode != EfiIPsecTunnel) {
- if (IpVersion == IP_VERSION_4) {
- ((IP4_HEAD *) IpHead)->TotalLen = HTONS ((UINT16) ((((IP4_HEAD *) IpHead)->HeadLen << 2) + PlainPayloadSize));
- } else {
- IpSecHeadSize = IpSecGetPlainExtHeadSize (IpHead, LastHead);
- ((EFI_IP6_HEADER *) IpHead)->PayloadLength = HTONS ((UINT16)(IpSecHeadSize + PlainPayloadSize));
- }
- //
- // Update the next layer field in ip header since esp header inserted.
- //
- *LastHead = NextHeader;
- }
-
-
- //
- // Update the SPD association of the SAD entry.
- //
- *SpdSelector = SadData->SpdSelector;
-
-ON_EXIT:
- if (Payload != NULL) {
- NetbufFree (Payload);
- }
-
- if (EFI_ERROR (Status)) {
- if (ProcessBuffer != NULL) {
- FreePool (ProcessBuffer);
- }
-
- if (RecycleContext != NULL) {
- FreePool (RecycleContext);
- }
-
- if (*RecycleEvent != NULL) {
- gBS->CloseEvent (*RecycleEvent);
- }
- }
-
- return Status;
-}
-
-/**
- The actual entry to the relative function processes the output traffic using the ESP protocol.
-
- This function is the subfunction of IpSecProtectOutboundPacket(). It protected
- the sending packet by encrypting its payload and inserting ESP header in the orginal
- IP header, then return the IpHeader and IPsec protected Fragmentable.
-
- @param[in] IpVersion The version of IP.
- @param[in, out] IpHead Points to IP header containing the orginal IP header
- to be processed on input, and inserted ESP header
- on return.
- @param[in, out] LastHead The Last Header in IP header.
- @param[in, out] OptionsBuffer Pointer to the options buffer.
- @param[in, out] OptionsLength Length of the options buffer.
- @param[in, out] FragmentTable Pointer to a list of fragments to be protected by
- IPsec on input, and with IPsec protected
- on return.
- @param[in, out] FragmentCount The number of fragments.
- @param[in] SadEntry The related SAD entry.
- @param[out] RecycleEvent The event for recycling of resources.
-
- @retval EFI_SUCCESS The operation was successful.
- @retval EFI_OUT_OF_RESOURCES The required system resources can't be allocated.
-
-**/
-EFI_STATUS
-IpSecEspOutboundPacket (
- IN UINT8 IpVersion,
- IN OUT VOID *IpHead,
- IN OUT UINT8 *LastHead,
- IN OUT VOID **OptionsBuffer,
- IN OUT UINT32 *OptionsLength,
- IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable,
- IN OUT UINT32 *FragmentCount,
- IN IPSEC_SAD_ENTRY *SadEntry,
- OUT EFI_EVENT *RecycleEvent
- )
-{
- EFI_STATUS Status;
- UINTN Index;
- EFI_IPSEC_SA_ID *SaId;
- IPSEC_SAD_DATA *SadData;
- IPSEC_RECYCLE_CONTEXT *RecycleContext;
- UINT8 *ProcessBuffer;
- UINTN BytesCopied;
- INTN EncryptBlockSize;// Size of encryption block, 4 bytes aligned and >= 4
- UINTN EspSize; // Total size of esp wrapped ip payload
- UINTN IvSize; // Size of IV, optional, might be 0
- UINTN PlainPayloadSize;// Original IP payload size
- UINTN PaddingSize; // Size of padding
- UINTN EncryptSize; // Size of data to be encrypted, start after IV and
- // stop before ICV
- UINTN IcvSize; // Size of ICV, optional, might be 0
- UINT8 *RestOfPayload; // Start of Payload after IV
- UINT8 *Padding; // Start address of padding
- EFI_ESP_HEADER *EspHeader; // Start address of ESP frame
- EFI_ESP_TAIL *EspTail; // Address behind padding
- UINT8 *InnerHead;
- HASH_DATA_FRAGMENT HashFragment[1];
-
- Status = EFI_ACCESS_DENIED;
- SaId = SadEntry->Id;
- SadData = SadEntry->Data;
- ProcessBuffer = NULL;
- RecycleContext = NULL;
- *RecycleEvent = NULL;
- InnerHead = NULL;
-
- if (!SadData->ManualSet &&
- SadData->AlgoInfo.EspAlgoInfo.EncKey == NULL &&
- SadData->AlgoInfo.EspAlgoInfo.AuthKey == NULL
- ) {
- //
- // Invalid manual SAD entry configuration.
- //
- goto ON_EXIT;
- }
-
- //
- // Create OutHeader according to Inner Header
- //
- if (SadData->Mode == EfiIPsecTunnel) {
- InnerHead = IpSecTunnelOutboundPacket (
- IpHead,
- IpVersion,
- SadData,
- LastHead,
- OptionsBuffer,
- OptionsLength,
- FragmentTable,
- FragmentCount
- );
-
- if (InnerHead == NULL) {
- return EFI_INVALID_PARAMETER;
- }
-
- }
-
- //
- // Calculate enctrypt block size, need iv by default and 4 bytes alignment.
- //
- EncryptBlockSize = 4;
-
- if (SadData->AlgoInfo.EspAlgoInfo.EncKey != NULL) {
- EncryptBlockSize = IpSecGetEncryptBlockSize (SadEntry->Data->AlgoInfo.EspAlgoInfo.EncAlgoId);
-
- if (EncryptBlockSize < 0 || (EncryptBlockSize != 1 && EncryptBlockSize % 4 != 0)) {
- goto ON_EXIT;
- }
- }
-
- //
- // Calculate the plain payload size according to the fragment table.
- //
- PlainPayloadSize = 0;
- for (Index = 0; Index < *FragmentCount; Index++) {
- PlainPayloadSize += (*FragmentTable)[Index].FragmentLength;
- }
-
- //
- // Add IPHeader size for Tunnel Mode
- //
- if (SadData->Mode == EfiIPsecTunnel) {
- if (IpVersion == IP_VERSION_4) {
- PlainPayloadSize += sizeof (IP4_HEAD);
- } else {
- PlainPayloadSize += sizeof (EFI_IP6_HEADER);
- }
- //
- // OPtions should be encryption into it
- //
- PlainPayloadSize += *OptionsLength;
- }
-
-
- //
- // Calculate icv size, optional by default and 4 bytes alignment.
- //
- IcvSize = 0;
- if (SadData->AlgoInfo.EspAlgoInfo.AuthKey != NULL) {
- IcvSize = IpSecGetIcvLength (SadEntry->Data->AlgoInfo.EspAlgoInfo.AuthAlgoId);
- if (IcvSize % 4 != 0) {
- goto ON_EXIT;
- }
- }
-
- //
- // Calcuate the total size of esp wrapped ip payload.
- //
- IvSize = IpSecGetEncryptIvLength (SadEntry->Data->AlgoInfo.EspAlgoInfo.EncAlgoId);
- EncryptSize = (PlainPayloadSize + sizeof (EFI_ESP_TAIL) + EncryptBlockSize - 1) / EncryptBlockSize * EncryptBlockSize;
- PaddingSize = EncryptSize - PlainPayloadSize - sizeof (EFI_ESP_TAIL);
- EspSize = sizeof (EFI_ESP_HEADER) + IvSize + EncryptSize + IcvSize;
-
- ProcessBuffer = AllocateZeroPool (EspSize);
- if (ProcessBuffer == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto ON_EXIT;
- }
-
- //
- // Calculate esp header and esp tail including header, payload and padding.
- //
- EspHeader = (EFI_ESP_HEADER *) ProcessBuffer;
- RestOfPayload = (UINT8 *) (EspHeader + 1) + IvSize;
- Padding = RestOfPayload + PlainPayloadSize;
- EspTail = (EFI_ESP_TAIL *) (Padding + PaddingSize);
-
- //
- // Fill the sn and spi fields in esp header.
- //
- EspHeader->SequenceNumber = HTONL ((UINT32) SadData->SequenceNumber + 1);
- //EspHeader->SequenceNumber = HTONL ((UINT32) SadData->SequenceNumber);
- EspHeader->Spi = HTONL (SaId->Spi);
-
- //
- // Copy the rest of payload (after iv) from the original fragment buffer.
- //
- BytesCopied = 0;
-
- //
- // For Tunnel Mode
- //
- if (SadData->Mode == EfiIPsecTunnel) {
- if (IpVersion == IP_VERSION_4) {
- //
- // HeadLen, Total Length
- //
- ((IP4_HEAD *)InnerHead)->HeadLen = (UINT8) ((sizeof (IP4_HEAD) + *OptionsLength) >> 2);
- ((IP4_HEAD *)InnerHead)->TotalLen = HTONS ((UINT16) PlainPayloadSize);
- ((IP4_HEAD *)InnerHead)->Checksum = 0;
- ((IP4_HEAD *)InnerHead)->Checksum = (UINT16) (~NetblockChecksum (
- (UINT8 *)InnerHead,
- sizeof(IP4_HEAD)
- ));
- CopyMem (
- RestOfPayload + BytesCopied,
- InnerHead,
- sizeof (IP4_HEAD) + *OptionsLength
- );
- BytesCopied += sizeof (IP4_HEAD) + *OptionsLength;
-
- } else {
- ((EFI_IP6_HEADER *)InnerHead)->PayloadLength = HTONS ((UINT16) (PlainPayloadSize - sizeof (EFI_IP6_HEADER)));
- CopyMem (
- RestOfPayload + BytesCopied,
- InnerHead,
- sizeof (EFI_IP6_HEADER) + *OptionsLength
- );
- BytesCopied += sizeof (EFI_IP6_HEADER) + *OptionsLength;
- }
- }
-
- for (Index = 0; Index < *FragmentCount; Index++) {
- CopyMem (
- (RestOfPayload + BytesCopied),
- (*FragmentTable)[Index].FragmentBuffer,
- (*FragmentTable)[Index].FragmentLength
- );
- BytesCopied += (*FragmentTable)[Index].FragmentLength;
- }
- //
- // Fill the padding buffer by natural number sequence.
- //
- for (Index = 0; Index < PaddingSize; Index++) {
- Padding[Index] = (UINT8) (Index + 1);
- }
- //
- // Fill the padding length and next header fields in esp tail.
- //
- EspTail->PaddingLength = (UINT8) PaddingSize;
- EspTail->NextHeader = *LastHead;
-
- //
- // Fill the next header for Tunnel mode.
- //
- if (SadData->Mode == EfiIPsecTunnel) {
- if (IpVersion == IP_VERSION_4) {
- EspTail->NextHeader = 4;
- } else {
- EspTail->NextHeader = 41;
- }
- }
-
- //
- // Generate iv at random by crypt library.
- //
- Status = IpSecGenerateIv (
- (UINT8 *) (EspHeader + 1),
- IvSize
- );
-
-
- if (EFI_ERROR (Status)) {
- goto ON_EXIT;
- }
-
- //
- // Encryption the payload (after iv) by the SAD entry if has encrypt key.
- //
- if (SadData->AlgoInfo.EspAlgoInfo.EncKey != NULL) {
- Status = IpSecCryptoIoEncrypt (
- SadEntry->Data->AlgoInfo.EspAlgoInfo.EncAlgoId,
- SadEntry->Data->AlgoInfo.EspAlgoInfo.EncKey,
- SadEntry->Data->AlgoInfo.EspAlgoInfo.EncKeyLength << 3,
- (UINT8 *)(EspHeader + 1),
- RestOfPayload,
- EncryptSize,
- RestOfPayload
- );
-
- if (EFI_ERROR (Status)) {
- goto ON_EXIT;
- }
- }
-
- //
- // Authenticate the esp wrapped buffer by the SAD entry if it has auth key.
- //
- if (SadData->AlgoInfo.EspAlgoInfo.AuthKey != NULL) {
-
- HashFragment[0].Data = ProcessBuffer;
- HashFragment[0].DataSize = EspSize - IcvSize;
- Status = IpSecCryptoIoHmac (
- SadEntry->Data->AlgoInfo.EspAlgoInfo.AuthAlgoId,
- SadEntry->Data->AlgoInfo.EspAlgoInfo.AuthKey,
- SadEntry->Data->AlgoInfo.EspAlgoInfo.AuthKeyLength,
- HashFragment,
- 1,
- ProcessBuffer + EspSize - IcvSize,
- IcvSize
- );
- if (EFI_ERROR (Status)) {
- goto ON_EXIT;
- }
- }
-
- //
- // Encryption and authentication with esp has been done, so it's time to
- // reload the new packet, create recycle event and fixup ip header.
- //
- RecycleContext = AllocateZeroPool (sizeof (IPSEC_RECYCLE_CONTEXT));
- if (RecycleContext == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto ON_EXIT;
- }
-
- Status = gBS->CreateEvent (
- EVT_NOTIFY_SIGNAL,
- TPL_NOTIFY,
- IpSecRecycleCallback,
- RecycleContext,
- RecycleEvent
- );
- if (EFI_ERROR (Status)) {
- goto ON_EXIT;
- }
- //
- // Caller take responsible to handle the original fragment table.
- //
- *FragmentTable = AllocateZeroPool (sizeof (EFI_IPSEC_FRAGMENT_DATA));
- if (*FragmentTable == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- goto ON_EXIT;
- }
-
- RecycleContext->FragmentTable = *FragmentTable;
- RecycleContext->PayloadBuffer = ProcessBuffer;
- (*FragmentTable)[0].FragmentBuffer = ProcessBuffer;
- (*FragmentTable)[0].FragmentLength = (UINT32) EspSize;
- *FragmentCount = 1;
-
- //
- // Update the total length field in ip header since processed by esp.
- //
- if (IpVersion == IP_VERSION_4) {
- ((IP4_HEAD *) IpHead)->TotalLen = HTONS ((UINT16) ((((IP4_HEAD *) IpHead)->HeadLen << 2) + EspSize));
- } else {
- ((EFI_IP6_HEADER *) IpHead)->PayloadLength = (UINT16) (IpSecGetPlainExtHeadSize (IpHead, LastHead) + EspSize);
- }
-
- //
- // If tunnel mode, it should change the outer Ip header with tunnel source address
- // and destination tunnel address.
- //
- if (SadData->Mode == EfiIPsecTunnel) {
- if (IpVersion == IP_VERSION_4) {
- CopyMem (
- &((IP4_HEAD *) IpHead)->Src,
- &SadData->TunnelSourceAddress.v4,
- sizeof (EFI_IPv4_ADDRESS)
- );
- CopyMem (
- &((IP4_HEAD *) IpHead)->Dst,
- &SadData->TunnelDestAddress.v4,
- sizeof (EFI_IPv4_ADDRESS)
- );
- } else {
- CopyMem (
- &((EFI_IP6_HEADER *) IpHead)->SourceAddress,
- &SadData->TunnelSourceAddress.v6,
- sizeof (EFI_IPv6_ADDRESS)
- );
- CopyMem (
- &((EFI_IP6_HEADER *) IpHead)->DestinationAddress,
- &SadData->TunnelDestAddress.v6,
- sizeof (EFI_IPv6_ADDRESS)
- );
- }
- }
-
- //
- // Update the next layer field in ip header since esp header inserted.
- //
- *LastHead = IPSEC_ESP_PROTOCOL;
-
- //
- // Increase the sn number in SAD entry according to rfc4303.
- //
- SadData->SequenceNumber++;
-
-ON_EXIT:
- if (EFI_ERROR (Status)) {
- if (ProcessBuffer != NULL) {
- FreePool (ProcessBuffer);
- }
-
- if (RecycleContext != NULL) {
- FreePool (RecycleContext);
- }
-
- if (*RecycleEvent != NULL) {
- gBS->CloseEvent (*RecycleEvent);
- }
- }
-
- return Status;
-}
-
-/**
- This function processes the inbound traffic with IPsec.
-
- It checks the received packet security property, trims the ESP/AH header, and then
- returns without an IPsec protected IP Header and FragmentTable.
-
- @param[in] IpVersion The version of IP.
- @param[in, out] IpHead Points to IP header containing the ESP/AH header
- to be trimed on input, and without ESP/AH header
- on return.
- @param[in, out] LastHead The Last Header in IP header on return.
- @param[in, out] OptionsBuffer Pointer to the options buffer.
- @param[in, out] OptionsLength Length of the options buffer.
- @param[in, out] FragmentTable Pointer to a list of fragments in form of IPsec
- protected on input, and without IPsec protected
- on return.
- @param[in, out] FragmentCount The number of fragments.
- @param[out] SpdEntry Pointer to contain the address of SPD entry on return.
- @param[out] RecycleEvent The event for recycling of resources.
-
- @retval EFI_SUCCESS The operation was successful.
- @retval EFI_UNSUPPORTED The IPSEC protocol is not supported.
-
-**/
-EFI_STATUS
-IpSecProtectInboundPacket (
- IN UINT8 IpVersion,
- IN OUT VOID *IpHead,
- IN OUT UINT8 *LastHead,
- IN OUT VOID **OptionsBuffer,
- IN OUT UINT32 *OptionsLength,
- IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable,
- IN OUT UINT32 *FragmentCount,
- OUT EFI_IPSEC_SPD_SELECTOR **SpdEntry,
- OUT EFI_EVENT *RecycleEvent
- )
-{
- if (*LastHead == IPSEC_ESP_PROTOCOL) {
- //
- // Process the esp ipsec header of the inbound traffic.
- //
- return IpSecEspInboundPacket (
- IpVersion,
- IpHead,
- LastHead,
- OptionsBuffer,
- OptionsLength,
- FragmentTable,
- FragmentCount,
- SpdEntry,
- RecycleEvent
- );
- }
- //
- // The other protocols are not supported.
- //
- return EFI_UNSUPPORTED;
-}
-
-/**
- This fucntion processes the output traffic with IPsec.
-
- It protected the sending packet by encrypting it payload and inserting ESP/AH header
- in the orginal IP header, then return the IpHeader and IPsec protected Fragmentable.
-
- @param[in] IpVersion The version of IP.
- @param[in, out] IpHead Point to IP header containing the orginal IP header
- to be processed on input, and inserted ESP/AH header
- on return.
- @param[in, out] LastHead The Last Header in IP header.
- @param[in, out] OptionsBuffer Pointer to the options buffer.
- @param[in, out] OptionsLength Length of the options buffer.
- @param[in, out] FragmentTable Pointer to a list of fragments to be protected by
- IPsec on input, and with IPsec protected
- on return.
- @param[in, out] FragmentCount Number of fragments.
- @param[in] SadEntry Related SAD entry.
- @param[out] RecycleEvent Event for recycling of resources.
-
- @retval EFI_SUCCESS The operation is successful.
- @retval EFI_UNSUPPORTED If the IPSEC protocol is not supported.
-
-**/
-EFI_STATUS
-IpSecProtectOutboundPacket (
- IN UINT8 IpVersion,
- IN OUT VOID *IpHead,
- IN OUT UINT8 *LastHead,
- IN OUT VOID **OptionsBuffer,
- IN OUT UINT32 *OptionsLength,
- IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable,
- IN OUT UINT32 *FragmentCount,
- IN IPSEC_SAD_ENTRY *SadEntry,
- OUT EFI_EVENT *RecycleEvent
- )
-{
- if (SadEntry->Id->Proto == EfiIPsecESP) {
- //
- // Process the esp ipsec header of the outbound traffic.
- //
- return IpSecEspOutboundPacket (
- IpVersion,
- IpHead,
- LastHead,
- OptionsBuffer,
- OptionsLength,
- FragmentTable,
- FragmentCount,
- SadEntry,
- RecycleEvent
- );
- }
- //
- // The other protocols are not supported.
- //
- return EFI_UNSUPPORTED;
-}
diff --git a/NetworkPkg/IpSecDxe/IpSecImpl.h b/NetworkPkg/IpSecDxe/IpSecImpl.h deleted file mode 100644 index c5cffede02..0000000000 --- a/NetworkPkg/IpSecDxe/IpSecImpl.h +++ /dev/null @@ -1,384 +0,0 @@ -/** @file
- The definitions related to IPsec protocol implementation.
-
- Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
-
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#ifndef _IP_SEC_IMPL_H_
-#define _IP_SEC_IMPL_H_
-
-#include <Uefi.h>
-#include <Library/UefiLib.h>
-#include <Library/NetLib.h>
-#include <Library/BaseMemoryLib.h>
-#include <Library/UefiBootServicesTableLib.h>
-#include <Library/MemoryAllocationLib.h>
-#include <Protocol/IpSec.h>
-#include <Protocol/IpSecConfig.h>
-#include <Protocol/Dpc.h>
-#include <Protocol/ComponentName.h>
-#include <Protocol/ComponentName2.h>
-
-typedef struct _IPSEC_PRIVATE_DATA IPSEC_PRIVATE_DATA;
-typedef struct _IPSEC_SPD_ENTRY IPSEC_SPD_ENTRY;
-typedef struct _IPSEC_PAD_ENTRY IPSEC_PAD_ENTRY;
-typedef struct _IPSEC_SPD_DATA IPSEC_SPD_DATA;
-
-#define IPSEC_PRIVATE_DATA_SIGNATURE SIGNATURE_32 ('I', 'P', 'S', 'E')
-
-#define IPSEC_PRIVATE_DATA_FROM_IPSEC(a) CR (a, IPSEC_PRIVATE_DATA, IpSec, IPSEC_PRIVATE_DATA_SIGNATURE)
-#define IPSEC_PRIVATE_DATA_FROM_UDP4LIST(a) CR (a, IPSEC_PRIVATE_DATA, Udp4List, IPSEC_PRIVATE_DATA_SIGNATURE)
-#define IPSEC_PRIVATE_DATA_FROM_UDP6LIST(a) CR (a, IPSEC_PRIVATE_DATA, Udp6List, IPSEC_PRIVATE_DATA_SIGNATURE)
-#define IPSEC_UDP_SERVICE_FROM_LIST(a) BASE_CR (a, IKE_UDP_SERVICE, List)
-#define IPSEC_SPD_ENTRY_FROM_LIST(a) BASE_CR (a, IPSEC_SPD_ENTRY, List)
-#define IPSEC_SAD_ENTRY_FROM_LIST(a) BASE_CR (a, IPSEC_SAD_ENTRY, List)
-#define IPSEC_PAD_ENTRY_FROM_LIST(a) BASE_CR (a, IPSEC_PAD_ENTRY, List)
-#define IPSEC_SAD_ENTRY_FROM_SPD(a) BASE_CR (a, IPSEC_SAD_ENTRY, BySpd)
-
-#define IPSEC_STATUS_DISABLED 0
-#define IPSEC_STATUS_ENABLED 1
-#define IPSEC_ESP_PROTOCOL 50
-#define IPSEC_AH_PROTOCOL 51
-#define IPSEC_DEFAULT_VARIABLE_SIZE 0x100
-
-//
-// Internal Structure Definition
-//
-#pragma pack(1)
-typedef struct _EFI_AH_HEADER {
- UINT8 NextHeader;
- UINT8 PayloadLen;
- UINT16 Reserved;
- UINT32 Spi;
- UINT32 SequenceNumber;
-} EFI_AH_HEADER;
-
-typedef struct _EFI_ESP_HEADER {
- UINT32 Spi;
- UINT32 SequenceNumber;
-} EFI_ESP_HEADER;
-
-typedef struct _EFI_ESP_TAIL {
- UINT8 PaddingLength;
- UINT8 NextHeader;
-} EFI_ESP_TAIL;
-#pragma pack()
-
-struct _IPSEC_SPD_DATA {
- CHAR16 Name[100];
- UINT32 PackageFlag;
- EFI_IPSEC_TRAFFIC_DIR TrafficDirection;
- EFI_IPSEC_ACTION Action;
- EFI_IPSEC_PROCESS_POLICY *ProcessingPolicy;
- LIST_ENTRY Sas;
-};
-
-struct _IPSEC_SPD_ENTRY {
- EFI_IPSEC_SPD_SELECTOR *Selector;
- IPSEC_SPD_DATA *Data;
- LIST_ENTRY List;
-};
-
-typedef struct _IPSEC_SAD_DATA {
- EFI_IPSEC_MODE Mode;
- UINT64 SequenceNumber;
- UINT8 AntiReplayWindowSize;
- UINT64 AntiReplayBitmap[4]; // bitmap for received packet
- EFI_IPSEC_ALGO_INFO AlgoInfo;
- EFI_IPSEC_SA_LIFETIME SaLifetime;
- UINT32 PathMTU;
- IPSEC_SPD_ENTRY *SpdEntry;
- EFI_IPSEC_SPD_SELECTOR *SpdSelector;
- BOOLEAN ESNEnabled; // Extended (64-bit) SN enabled
- BOOLEAN ManualSet;
- EFI_IP_ADDRESS TunnelDestAddress;
- EFI_IP_ADDRESS TunnelSourceAddress;
-} IPSEC_SAD_DATA;
-
-typedef struct _IPSEC_SAD_ENTRY {
- EFI_IPSEC_SA_ID *Id;
- IPSEC_SAD_DATA *Data;
- LIST_ENTRY List;
- LIST_ENTRY BySpd; // Linked on IPSEC_SPD_DATA.Sas
-} IPSEC_SAD_ENTRY;
-
-struct _IPSEC_PAD_ENTRY {
- EFI_IPSEC_PAD_ID *Id;
- EFI_IPSEC_PAD_DATA *Data;
- LIST_ENTRY List;
-};
-
-typedef struct _IPSEC_RECYCLE_CONTEXT {
- EFI_IPSEC_FRAGMENT_DATA *FragmentTable;
- UINT8 *PayloadBuffer;
-} IPSEC_RECYCLE_CONTEXT;
-
-//
-// Struct used to store the Hash and its data.
-//
-typedef struct {
- UINTN DataSize;
- UINT8 *Data;
-} HASH_DATA_FRAGMENT;
-
-struct _IPSEC_PRIVATE_DATA {
- UINT32 Signature;
- EFI_HANDLE Handle; // Virtual handle to install private prtocol
- EFI_HANDLE ImageHandle;
- EFI_IPSEC2_PROTOCOL IpSec;
- EFI_IPSEC_CONFIG_PROTOCOL IpSecConfig;
- BOOLEAN SetBySelf;
- LIST_ENTRY Udp4List;
- UINTN Udp4Num;
- LIST_ENTRY Udp6List;
- UINTN Udp6Num;
- LIST_ENTRY Ikev1SessionList;
- LIST_ENTRY Ikev1EstablishedList;
- LIST_ENTRY Ikev2SessionList;
- LIST_ENTRY Ikev2EstablishedList;
- BOOLEAN IsIPsecDisabling;
-};
-
-/**
- This function processes the inbound traffic with IPsec.
-
- It checks the received packet security property, trims the ESP/AH header, and then
- returns without an IPsec protected IP Header and FragmentTable.
-
- @param[in] IpVersion The version of IP.
- @param[in, out] IpHead Points to IP header containing the ESP/AH header
- to be trimed on input, and without ESP/AH header
- on return.
- @param[in, out] LastHead The Last Header in IP header on return.
- @param[in, out] OptionsBuffer Pointer to the options buffer.
- @param[in, out] OptionsLength Length of the options buffer.
- @param[in, out] FragmentTable Pointer to a list of fragments in form of IPsec
- protected on input, and without IPsec protected
- on return.
- @param[in, out] FragmentCount The number of fragments.
- @param[out] SpdEntry Pointer to contain the address of SPD entry on return.
- @param[out] RecycleEvent The event for recycling of resources.
-
- @retval EFI_SUCCESS The operation was successful.
- @retval EFI_UNSUPPORTED The IPSEC protocol is not supported.
-
-**/
-EFI_STATUS
-IpSecProtectInboundPacket (
- IN UINT8 IpVersion,
- IN OUT VOID *IpHead,
- IN OUT UINT8 *LastHead,
- IN OUT VOID **OptionsBuffer,
- IN OUT UINT32 *OptionsLength,
- IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable,
- IN OUT UINT32 *FragmentCount,
- OUT EFI_IPSEC_SPD_SELECTOR **SpdEntry,
- OUT EFI_EVENT *RecycleEvent
- );
-
-
-/**
- This fucntion processes the output traffic with IPsec.
-
- It protected the sending packet by encrypting it payload and inserting ESP/AH header
- in the orginal IP header, then return the IpHeader and IPsec protected Fragmentable.
-
- @param[in] IpVersion The version of IP.
- @param[in, out] IpHead Point to IP header containing the orginal IP header
- to be processed on input, and inserted ESP/AH header
- on return.
- @param[in, out] LastHead The Last Header in IP header.
- @param[in, out] OptionsBuffer Pointer to the options buffer.
- @param[in, out] OptionsLength Length of the options buffer.
- @param[in, out] FragmentTable Pointer to a list of fragments to be protected by
- IPsec on input, and with IPsec protected
- on return.
- @param[in, out] FragmentCount Number of fragments.
- @param[in] SadEntry Related SAD entry.
- @param[out] RecycleEvent Event for recycling of resources.
-
- @retval EFI_SUCCESS The operation is successful.
- @retval EFI_UNSUPPORTED If the IPSEC protocol is not supported.
-
-**/
-EFI_STATUS
-IpSecProtectOutboundPacket (
- IN UINT8 IpVersion,
- IN OUT VOID *IpHead,
- IN OUT UINT8 *LastHead,
- IN OUT VOID **OptionsBuffer,
- IN OUT UINT32 *OptionsLength,
- IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable,
- IN OUT UINT32 *FragmentCount,
- IN IPSEC_SAD_ENTRY *SadEntry,
- OUT EFI_EVENT *RecycleEvent
- );
-
-/**
- Check if the IP Address in the address range of AddressInfos specified.
-
- @param[in] IpVersion The IP version.
- @param[in] IpAddr Points to EFI_IP_ADDRESS to be check.
- @param[in] AddressInfo A list of EFI_IP_ADDRESS_INFO that is used to check
- the IP Address is matched.
- @param[in] AddressCount The total numbers of the AddressInfo.
-
- @retval TRUE If the Specified IP Address is in the range of the AddressInfos specified.
- @retval FALSE If the Specified IP Address is not in the range of the AddressInfos specified.
-
-**/
-BOOLEAN
-IpSecMatchIpAddress (
- IN UINT8 IpVersion,
- IN EFI_IP_ADDRESS *IpAddr,
- IN EFI_IP_ADDRESS_INFO *AddressInfo,
- IN UINT32 AddressCount
- );
-
-/**
- Find a PAD entry according to remote IP address.
-
- @param[in] IpVersion The version of IP.
- @param[in] IpAddr Point to remote IP address.
-
- @return The pointer of related PAD entry.
-
-**/
-IPSEC_PAD_ENTRY *
-IpSecLookupPadEntry (
- IN UINT8 IpVersion,
- IN EFI_IP_ADDRESS *IpAddr
- );
-
-/**
- Check if the specified IP packet can be serviced by this SPD entry.
-
- @param[in] SpdEntry Point to SPD entry.
- @param[in] IpVersion Version of IP.
- @param[in] IpHead Point to IP header.
- @param[in] IpPayload Point to IP payload.
- @param[in] Protocol The Last protocol of IP packet.
- @param[in] IsOutbound Traffic direction.
- @param[out] Action The support action of SPD entry.
-
- @retval EFI_SUCCESS Find the related SPD.
- @retval EFI_NOT_FOUND Not find the related SPD entry;
-
-**/
-EFI_STATUS
-IpSecLookupSpdEntry (
- IN IPSEC_SPD_ENTRY *SpdEntry,
- IN UINT8 IpVersion,
- IN VOID *IpHead,
- IN UINT8 *IpPayload,
- IN UINT8 Protocol,
- IN BOOLEAN IsOutbound,
- OUT EFI_IPSEC_ACTION *Action
- );
-
-/**
- Look up if there is existing SAD entry for specified IP packet sending.
-
- This function is called by the IPsecProcess when there is some IP packet needed to
- send out. This function checks if there is an existing SAD entry that can be serviced
- to this IP packet sending. If no existing SAD entry could be used, this
- function will invoke an IPsec Key Exchange Negotiation.
-
- @param[in] Private Points to private data.
- @param[in] NicHandle Points to a NIC handle.
- @param[in] IpVersion The version of IP.
- @param[in] IpHead The IP Header of packet to be sent out.
- @param[in] IpPayload The IP Payload to be sent out.
- @param[in] OldLastHead The Last protocol of the IP packet.
- @param[in] SpdEntry Points to a related SPD entry.
- @param[out] SadEntry Contains the Point of a related SAD entry.
-
- @retval EFI_DEVICE_ERROR One of following conditions is TRUE:
- - If don't find related UDP service.
- - Sequence Number is used up.
- - Extension Sequence Number is used up.
- @retval EFI_NOT_READY No existing SAD entry could be used.
- @retval EFI_SUCCESS Find the related SAD entry.
-
-**/
-EFI_STATUS
-IpSecLookupSadEntry (
- IN IPSEC_PRIVATE_DATA *Private,
- IN EFI_HANDLE NicHandle,
- IN UINT8 IpVersion,
- IN VOID *IpHead,
- IN UINT8 *IpPayload,
- IN UINT8 OldLastHead,
- IN IPSEC_SPD_ENTRY *SpdEntry,
- OUT IPSEC_SAD_ENTRY **SadEntry
- );
-
-/**
- Find the SAD through whole SAD list.
-
- @param[in] Spi The SPI used to search the SAD entry.
- @param[in] DestAddress The destination used to search the SAD entry.
- @param[in] IpVersion The IP version. Ip4 or Ip6.
-
- @return The pointer to a certain SAD entry.
-
-**/
-IPSEC_SAD_ENTRY *
-IpSecLookupSadBySpi (
- IN UINT32 Spi,
- IN EFI_IP_ADDRESS *DestAddress,
- IN UINT8 IpVersion
- )
-;
-
-/**
- Handles IPsec packet processing for inbound and outbound IP packets.
-
- The EFI_IPSEC_PROCESS process routine handles each inbound or outbound packet.
- The behavior is that it can perform one of the following actions:
- bypass the packet, discard the packet, or protect the packet.
-
- @param[in] This Pointer to the EFI_IPSEC2_PROTOCOL instance.
- @param[in] NicHandle Instance of the network interface.
- @param[in] IpVersion IPV4 or IPV6.
- @param[in, out] IpHead Pointer to the IP Header.
- @param[in, out] LastHead The protocol of the next layer to be processed by IPsec.
- @param[in, out] OptionsBuffer Pointer to the options buffer.
- @param[in, out] OptionsLength Length of the options buffer.
- @param[in, out] FragmentTable Pointer to a list of fragments.
- @param[in, out] FragmentCount Number of fragments.
- @param[in] TrafficDirection Traffic direction.
- @param[out] RecycleSignal Event for recycling of resources.
-
- @retval EFI_SUCCESS The packet was bypassed and all buffers remain the same.
- @retval EFI_SUCCESS The packet was protected.
- @retval EFI_ACCESS_DENIED The packet was discarded.
-
-**/
-EFI_STATUS
-EFIAPI
-IpSecProcess (
- IN EFI_IPSEC2_PROTOCOL *This,
- IN EFI_HANDLE NicHandle,
- IN UINT8 IpVersion,
- IN OUT VOID *IpHead,
- IN OUT UINT8 *LastHead,
- IN OUT VOID **OptionsBuffer,
- IN OUT UINT32 *OptionsLength,
- IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable,
- IN OUT UINT32 *FragmentCount,
- IN EFI_IPSEC_TRAFFIC_DIR TrafficDirection,
- OUT EFI_EVENT *RecycleSignal
- );
-
-extern EFI_DPC_PROTOCOL *mDpc;
-extern EFI_IPSEC2_PROTOCOL mIpSecInstance;
-
-extern EFI_COMPONENT_NAME2_PROTOCOL gIpSecComponentName2;
-extern EFI_COMPONENT_NAME_PROTOCOL gIpSecComponentName;
-
-
-#endif
diff --git a/NetworkPkg/IpSecDxe/IpSecMain.c b/NetworkPkg/IpSecDxe/IpSecMain.c deleted file mode 100644 index 276426ea1f..0000000000 --- a/NetworkPkg/IpSecDxe/IpSecMain.c +++ /dev/null @@ -1,236 +0,0 @@ -/** @file
- The mian interface of IPsec Protocol.
-
- Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
-
- SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#include "IpSecConfigImpl.h"
-#include "IpSecImpl.h"
-
-EFI_IPSEC2_PROTOCOL mIpSecInstance = { IpSecProcess, NULL, TRUE };
-
-/**
- Handles IPsec packet processing for inbound and outbound IP packets.
-
- The EFI_IPSEC_PROCESS process routine handles each inbound or outbound packet.
- The behavior is that it can perform one of the following actions:
- bypass the packet, discard the packet, or protect the packet.
-
- @param[in] This Pointer to the EFI_IPSEC2_PROTOCOL instance.
- @param[in] NicHandle Instance of the network interface.
- @param[in] IpVersion IPV4 or IPV6.
- @param[in, out] IpHead Pointer to the IP Header.
- @param[in, out] LastHead The protocol of the next layer to be processed by IPsec.
- @param[in, out] OptionsBuffer Pointer to the options buffer.
- @param[in, out] OptionsLength Length of the options buffer.
- @param[in, out] FragmentTable Pointer to a list of fragments.
- @param[in, out] FragmentCount Number of fragments.
- @param[in] TrafficDirection Traffic direction.
- @param[out] RecycleSignal Event for recycling of resources.
-
- @retval EFI_SUCCESS The packet was bypassed and all buffers remain the same.
- @retval EFI_SUCCESS The packet was protected.
- @retval EFI_ACCESS_DENIED The packet was discarded.
-
-**/
-EFI_STATUS
-EFIAPI
-IpSecProcess (
- IN EFI_IPSEC2_PROTOCOL *This,
- IN EFI_HANDLE NicHandle,
- IN UINT8 IpVersion,
- IN OUT VOID *IpHead,
- IN OUT UINT8 *LastHead,
- IN OUT VOID **OptionsBuffer,
- IN OUT UINT32 *OptionsLength,
- IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable,
- IN OUT UINT32 *FragmentCount,
- IN EFI_IPSEC_TRAFFIC_DIR TrafficDirection,
- OUT EFI_EVENT *RecycleSignal
- )
-{
- IPSEC_PRIVATE_DATA *Private;
- IPSEC_SPD_ENTRY *SpdEntry;
- EFI_IPSEC_SPD_SELECTOR *SpdSelector;
- IPSEC_SAD_ENTRY *SadEntry;
- LIST_ENTRY *SpdList;
- LIST_ENTRY *Entry;
- EFI_IPSEC_ACTION Action;
- EFI_STATUS Status;
- UINT8 *IpPayload;
- UINT8 OldLastHead;
- BOOLEAN IsOutbound;
-
- if (OptionsBuffer == NULL ||
- OptionsLength == NULL ||
- FragmentTable == NULL ||
- FragmentCount == NULL
- ) {
- return EFI_INVALID_PARAMETER;
- }
- Private = IPSEC_PRIVATE_DATA_FROM_IPSEC (This);
- IpPayload = (*FragmentTable)[0].FragmentBuffer;
- IsOutbound = (BOOLEAN) ((TrafficDirection == EfiIPsecOutBound) ? TRUE : FALSE);
- OldLastHead = *LastHead;
- *RecycleSignal = NULL;
- SpdList = &mConfigData[IPsecConfigDataTypeSpd];
-
- if (!IsOutbound) {
- //
- // For inbound traffic, process the ipsec header of the packet.
- //
- Status = IpSecProtectInboundPacket (
- IpVersion,
- IpHead,
- LastHead,
- OptionsBuffer,
- OptionsLength,
- FragmentTable,
- FragmentCount,
- &SpdSelector,
- RecycleSignal
- );
-
- if (Status == EFI_ACCESS_DENIED || Status == EFI_OUT_OF_RESOURCES) {
- //
- // The packet is denied to access.
- //
- goto ON_EXIT;
- }
-
- if (Status == EFI_SUCCESS) {
-
- //
- // Check the spd entry if the packet is accessible.
- //
- if (SpdSelector == NULL) {
- Status = EFI_ACCESS_DENIED;
- goto ON_EXIT;
- }
-
- Status = EFI_ACCESS_DENIED;
- NET_LIST_FOR_EACH (Entry, SpdList) {
- SpdEntry = IPSEC_SPD_ENTRY_FROM_LIST (Entry);
- if (IsSubSpdSelector (
- (EFI_IPSEC_CONFIG_SELECTOR *) SpdSelector,
- (EFI_IPSEC_CONFIG_SELECTOR *) SpdEntry->Selector
- )) {
- Status = EFI_SUCCESS;
- }
- }
- goto ON_EXIT;
- }
- }
-
- Status = EFI_ACCESS_DENIED;
-
- NET_LIST_FOR_EACH (Entry, SpdList) {
- //
- // For outbound and non-ipsec Inbound traffic: check the spd entry.
- //
- SpdEntry = IPSEC_SPD_ENTRY_FROM_LIST (Entry);
-
- if (EFI_ERROR (IpSecLookupSpdEntry (
- SpdEntry,
- IpVersion,
- IpHead,
- IpPayload,
- OldLastHead,
- IsOutbound,
- &Action
- ))) {
- //
- // If the related SPD not find
- //
- continue;
- }
-
- switch (Action) {
-
- case EfiIPsecActionProtect:
-
- if (IsOutbound) {
- //
- // For outbound traffic, lookup the sad entry.
- //
- Status = IpSecLookupSadEntry (
- Private,
- NicHandle,
- IpVersion,
- IpHead,
- IpPayload,
- OldLastHead,
- SpdEntry,
- &SadEntry
- );
-
- if (SadEntry != NULL) {
- //
- // Process the packet by the found sad entry.
- //
- Status = IpSecProtectOutboundPacket (
- IpVersion,
- IpHead,
- LastHead,
- OptionsBuffer,
- OptionsLength,
- FragmentTable,
- FragmentCount,
- SadEntry,
- RecycleSignal
- );
-
- } else if (OldLastHead == IP6_ICMP && *IpPayload != ICMP_V6_ECHO_REQUEST) {
- //
- // TODO: if no need return not ready to upper layer, change here.
- //
- Status = EFI_SUCCESS;
- }
- } else if (OldLastHead == IP6_ICMP && *IpPayload != ICMP_V6_ECHO_REQUEST) {
- //
- // For inbound icmpv6 traffic except ping request, accept the packet
- // although no sad entry associated with protect spd entry.
- //
- Status = IpSecLookupSadEntry (
- Private,
- NicHandle,
- IpVersion,
- IpHead,
- IpPayload,
- OldLastHead,
- SpdEntry,
- &SadEntry
- );
- if (SadEntry == NULL) {
- Status = EFI_SUCCESS;
- }
- }
-
- goto ON_EXIT;
-
- case EfiIPsecActionBypass:
- Status = EFI_SUCCESS;
- goto ON_EXIT;
-
- case EfiIPsecActionDiscard:
- goto ON_EXIT;
- }
- }
-
- //
- // If don't find the related SPD entry, return the EFI_ACCESS_DENIED and discard it.
- // But it the packet is NS/NA, it should be by passed even not find the related SPD entry.
- //
- if (OldLastHead == IP6_ICMP &&
- (*IpPayload == ICMP_V6_NEIGHBOR_SOLICIT || *IpPayload == ICMP_V6_NEIGHBOR_ADVERTISE)
- ){
- Status = EFI_SUCCESS;
- }
-
-ON_EXIT:
- return Status;
-}
-
diff --git a/NetworkPkg/NetworkPkg.dec b/NetworkPkg/NetworkPkg.dec index 1aa7c1ed31..25964539ed 100644 --- a/NetworkPkg/NetworkPkg.dec +++ b/NetworkPkg/NetworkPkg.dec @@ -51,38 +51,7 @@ # @Prompt Max attempt number.
gEfiNetworkPkgTokenSpaceGuid.PcdMaxIScsiAttemptNumber|0x08|UINT8|0x0000000D
-[PcdsFeatureFlag]
- ## Indicates if the IPsec IKEv2 Certificate Authentication feature is enabled or not.<BR><BR>
- # TRUE - Certificate Authentication feature is enabled.<BR>
- # FALSE - Does not support Certificate Authentication.<BR>
- # @Prompt Enable IPsec IKEv2 Certificate Authentication.
- gEfiNetworkPkgTokenSpaceGuid.PcdIpsecCertificateEnabled|TRUE|BOOLEAN|0x00000007
-
[PcdsFixedAtBuild, PcdsPatchableInModule]
- ## CA certificate used by IPsec.
- # @Prompt CA file.
- gEfiNetworkPkgTokenSpaceGuid.PcdIpsecUefiCaFile|{0x30, 0x82, 0x02, 0x76, 0x30, 0x82, 0x01, 0xDF, 0xA0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x09, 0x00, 0x80, 0x1D, 0xB9, 0x63, 0x93, 0x7C, 0x9D, 0xE0, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x04, 0x05, 0x00, 0x30, 0x74, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x0A, 0x4D, 0x79, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x41, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x02, 0x48, 0x5A, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x43, 0x4E, 0x31, 0x1C, 0x30, 0x1A, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16, 0x0D, 0x74, 0x65, 0x73, 0x74, 0x40, 0x63, 0x65, 0x72, 0x74, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x25, 0x30, 0x23, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x13, 0x1C, 0x52, 0x6F, 0x6F, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6F, 0x6E, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6F, 0x72, 0x69, 0x74, 0x79, 0x30, 0x1E, 0x17, 0x0D, 0x31, 0x30, 0x31, 0x31, 0x30, 0x31, 0x30, 0x31, 0x35, 0x33, 0x33, 0x37, 0x5A, 0x17, 0x0D, 0x31, 0x31, 0x31, 0x31, 0x30, 0x31, 0x30, 0x31, 0x35, 0x33, 0x33, 0x37, 0x5A, 0x30, 0x74, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x0A, 0x4D, 0x79, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x41, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x02, 0x48, 0x5A, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x43, 0x4E, 0x31, 0x1C, 0x30, 0x1A, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16, 0x0D, 0x74, 0x65, 0x73, 0x74, 0x40, 0x63, 0x65, 0x72, 0x74, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x25, 0x30, 0x23, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x13, 0x1C, 0x52, 0x6F, 0x6F, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6F, 0x6E, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6F, 0x72, 0x69, 0x74, 0x79, 0x30, 0x81, 0x9F, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x81, 0x8D, 0x00, 0x30, 0x81, 0x89, 0x02, 0x81, 0x81, 0x00, 0xFC, 0x80, 0x5D, 0x32, 0x55, 0xC7, 0x4C, 0xC6, 0xA8, 0x2F, 0xF7, 0xEC, 0x1F, 0x75, 0x48, 0x02, 0x79, 0xEB, 0xDF, 0x17, 0x1B, 0x08, 0xBA, 0x21, 0xDD, 0xE5, 0x43, 0x06, 0xE8, 0x81, 0xC5, 0x50, 0x3C, 0x18, 0xDD, 0x53, 0xF4, 0xC9, 0xC9, 0xE1, 0x7A, 0xD3, 0xB3, 0x99, 0xA7, 0xC6, 0x43, 0x2A, 0x51, 0x65, 0x10, 0x93, 0xBA, 0x5F, 0x48, 0xAC, 0x54, 0x12, 0x70, 0x9E, 0xF2, 0x9E, 0x7D, 0xF7, 0x22, 0xAA, 0xB7, 0x19, 0xDE, 0xA9, 0x4D, 0x55, 0xAA, 0x41, 0x8F, 0x08, 0xBD, 0x74, 0xFA, 0xE5, 0x57, 0x13, 0xB4, 0x30, 0x9A, 0xBA, 0x56, 0x01, 0x55, 0x8A, 0x9B, 0x5B, 0x50, 0x29, 0x82, 0xF9, 0x00, 0x69, 0x7E, 0x7B, 0x91, 0xA7, 0x2D, 0x48, 0x1A, 0x93, 0x7C, 0xA2, 0xF9, 0x06, 0x64, 0x4B, 0x80, 0xF8, 0x47, 0x58, 0x45, 0x90, 0x09, 0xEA, 0xD6, 0x7B, 0x85, 0x49, 0x2A, 0x4E, 0xB6, 0x71, 0x02, 0x03, 0x01, 0x00, 0x01, 0xA3, 0x10, 0x30, 0x0E, 0x30, 0x0C, 0x06, 0x03, 0x55, 0x1D, 0x13, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xFF, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x04, 0x05, 0x00, 0x03, 0x81, 0x81, 0x00, 0xEF, 0x38, 0x6A, 0x43, 0x1C, 0x1D, 0x37, 0xBD, 0xF7, 0xCF, 0x15, 0x6A, 0x99, 0x44, 0xE1, 0xFC, 0x68, 0x6E, 0x91, 0x31, 0x9C, 0x1E, 0x8C, 0x1F, 0x72, 0x4B, 0x93, 0x16, 0x1F, 0x06, 0xFE, 0x94, 0xA9, 0x41, 0x64, 0x81, 0xFD, 0xFF, 0xE7, 0x27, 0x4D, 0xE7, 0x59, 0x55, 0xE1, 0x20, 0x14, 0x07, 0x3C, 0x26, 0x78, 0xB0, 0x72, 0x48, 0x76, 0x0C, 0x8B, 0x3F, 0x08, 0xD0, 0x75, 0x7D, 0x76, 0xA4, 0xB5, 0x56, 0xA6, 0xC9, 0x88, 0x17, 0x27, 0x95, 0x85, 0xEE, 0x42, 0x1E, 0x15, 0x0B, 0x05, 0xDC, 0x2F, 0x97, 0x7B, 0x26, 0x82, 0x62, 0x23, 0xDF, 0xBF, 0x55, 0x09, 0xBF, 0x5E, 0x28, 0x1A, 0xCA, 0x1B, 0xEC, 0xA4, 0x81, 0xB7, 0x9D, 0x91, 0xC9, 0x60, 0x5B, 0x29, 0x2B, 0x4C, 0x6F, 0x8B, 0xCC, 0x17, 0xA8, 0xD6, 0x5D, 0x6B, 0xBC, 0x0D, 0x03, 0x31, 0xB0, 0x57, 0xC9, 0xF8, 0x59, 0x88, 0x3D}|VOID*|0x00000001
-
- ## CA certificate file's size.
- # @Prompt CA file's size.
- gEfiNetworkPkgTokenSpaceGuid.PcdIpsecUefiCaFileSize|0x0000027A|UINT32|0x00000002
-
- ## X509 certificate as Public Key which is used by IPsec (DER format)
- # @Prompt Pubic Key for remote peer.
- gEfiNetworkPkgTokenSpaceGuid.PcdIpsecUefiCertificate|{0x30, 0x82, 0x02, 0x4D, 0x30, 0x82, 0x01, 0xB6, 0x02, 0x01, 0x01, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x04, 0x05, 0x00, 0x30, 0x74, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x0A, 0x4D, 0x79, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x41, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x02, 0x48, 0x5A, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x43, 0x4E, 0x31, 0x1C, 0x30, 0x1A, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16, 0x0D, 0x74, 0x65, 0x73, 0x74, 0x40, 0x63, 0x65, 0x72, 0x74, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x25, 0x30, 0x23, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x13, 0x1C, 0x52, 0x6F, 0x6F, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6F, 0x6E, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6F, 0x72, 0x69, 0x74, 0x79, 0x30, 0x1E, 0x17, 0x0D, 0x31, 0x30, 0x31, 0x31, 0x30, 0x31, 0x30, 0x32, 0x30, 0x34, 0x35, 0x39, 0x5A, 0x17, 0x0D, 0x31, 0x31, 0x31, 0x31, 0x30, 0x31, 0x30, 0x32, 0x30, 0x34, 0x35, 0x39, 0x5A, 0x30, 0x6A, 0x31, 0x0D, 0x30, 0x0B, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x04, 0x55, 0x45, 0x46, 0x49, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x02, 0x53, 0x48, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x43, 0x4E, 0x31, 0x23, 0x30, 0x21, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16, 0x14, 0x75, 0x65, 0x66, 0x69, 0x2E, 0x74, 0x69, 0x61, 0x6E, 0x6F, 0x40, 0x69, 0x6E, 0x74, 0x65, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x0C, 0x30, 0x0A, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x13, 0x03, 0x53, 0x53, 0x47, 0x31, 0x0C, 0x30, 0x0A, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x13, 0x03, 0x53, 0x53, 0x47, 0x30, 0x81, 0x9F, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x81, 0x8D, 0x00, 0x30, 0x81, 0x89, 0x02, 0x81, 0x81, 0x00, 0xE9, 0x90, 0x47, 0x0D, 0x79, 0x93, 0xED, 0xF5, 0xBD, 0xC9, 0x56, 0x03, 0xDF, 0xE2, 0x71, 0xA9, 0x42, 0x3B, 0x20, 0x1E, 0xAF, 0x88, 0x9D, 0x3F, 0xE1, 0xDE, 0x61, 0xEE, 0x83, 0xC4, 0x2E, 0x48, 0x7A, 0x1F, 0x86, 0x54, 0xD2, 0xD5, 0x61, 0x94, 0xE1, 0x15, 0x79, 0x65, 0xCB, 0x39, 0xEE, 0x78, 0x68, 0x3D, 0x2C, 0xEB, 0xE4, 0x7A, 0x8D, 0x98, 0x14, 0x28, 0x7E, 0x6B, 0xFD, 0xC5, 0xF5, 0x1B, 0x62, 0xB9, 0x86, 0x7C, 0xA1, 0x7C, 0xE9, 0x8F, 0xC8, 0xF4, 0xF3, 0x95, 0x5A, 0xAF, 0x0C, 0x21, 0x39, 0xEA, 0x47, 0x5A, 0x1E, 0xBD, 0xBE, 0x7F, 0x1B, 0x0F, 0x31, 0xFB, 0xBD, 0x57, 0xAE, 0xD7, 0xCB, 0x46, 0x83, 0x8B, 0x16, 0x19, 0x74, 0xD9, 0x9E, 0x2D, 0x18, 0xE6, 0xA4, 0x5F, 0x90, 0x90, 0x54, 0xE1, 0x4B, 0x7B, 0x57, 0x76, 0xBD, 0xF4, 0xC0, 0x4D, 0x79, 0x5F, 0x64, 0x6C, 0x0D, 0x2D, 0x02, 0x03, 0x01, 0x00, 0x01, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x04, 0x05, 0x00, 0x03, 0x81, 0x81, 0x00, 0x5A, 0x80, 0x5F, 0xD3, 0x3C, 0x93, 0x81, 0xB9, 0x1B, 0xAA, 0x08, 0x1F, 0x47, 0x9C, 0x88, 0xF3, 0x1E, 0xE6, 0x6B, 0xBB, 0x99, 0xE6, 0x23, 0x1A, 0xCB, 0x25, 0x81, 0x54, 0x51, 0x88, 0xDF, 0x9B, 0xC6, 0xBF, 0x60, 0xDB, 0x6C, 0x5D, 0x69, 0xB1, 0x3A, 0xDE, 0x94, 0xEE, 0xD7, 0x6C, 0xF2, 0x2D, 0x63, 0xD3, 0xB3, 0xAB, 0xE6, 0xB5, 0x0A, 0xBF, 0xCE, 0x61, 0xC0, 0xD3, 0x73, 0x9E, 0x80, 0xB5, 0x0C, 0xC0, 0x03, 0x57, 0xA9, 0x56, 0x59, 0x1B, 0xA2, 0x99, 0x03, 0xA6, 0xA3, 0xC4, 0x59, 0xB3, 0xD9, 0x14, 0xA1, 0x34, 0x18, 0xF3, 0x73, 0xB8, 0x54, 0xAA, 0xED, 0x7D, 0x31, 0x3E, 0x23, 0xAD, 0xF1, 0x86, 0xF7, 0xE6, 0xD9, 0x01, 0x0D, 0x68, 0xC6, 0xC5, 0x95, 0x18, 0xD2, 0x89, 0xB7, 0x06, 0x96, 0xC9, 0x11, 0xB9, 0xF0, 0xDA, 0xD9, 0x02, 0x25, 0xC4, 0xB9, 0x72, 0xF8, 0x6D, 0xC5, 0x5B}|VOID*|0x00000003
-
- ## X509 certificate as Public Key's size.
- # @Prompt Pubic Key's size.
- gEfiNetworkPkgTokenSpaceGuid.PcdIpsecUefiCertificateSize|0x251|UINT32|0x00000004
-
- ## Private Key used by IPsec (PEM format).
- # @Prompt Private Key.
- gEfiNetworkPkgTokenSpaceGuid.PcdIpsecUefiCertificateKey|{0x2D, 0x2D, 0x2D, 0x2D, 0x2D, 0x42, 0x45, 0x47, 0x49, 0x4E, 0x20, 0x52, 0x53, 0x41, 0x20, 0x50, 0x52, 0x49, 0x56, 0x41, 0x54, 0x45, 0x20, 0x4B, 0x45, 0x59, 0x2D, 0x2D, 0x2D, 0x2D, 0x2D, 0x0A, 0x50, 0x72, 0x6F, 0x63, 0x2D, 0x54, 0x79, 0x70, 0x65, 0x3A, 0x20, 0x34, 0x2C, 0x45, 0x4E, 0x43, 0x52, 0x59, 0x50, 0x54, 0x45, 0x44, 0x0A, 0x44, 0x45, 0x4B, 0x2D, 0x49, 0x6E, 0x66, 0x6F, 0x3A, 0x20, 0x44, 0x45, 0x53, 0x2D, 0x45, 0x44, 0x45, 0x33, 0x2D, 0x43, 0x42, 0x43, 0x2C, 0x32, 0x42, 0x31, 0x46, 0x42, 0x41, 0x43, 0x41, 0x38, 0x36, 0x32, 0x36, 0x33, 0x34, 0x41, 0x37, 0x0A, 0x0A, 0x61, 0x52, 0x78, 0x49, 0x58, 0x33, 0x59, 0x4D, 0x68, 0x49, 0x50, 0x41, 0x73, 0x59, 0x79, 0x6F, 0x6A, 0x49, 0x76, 0x46, 0x7A, 0x42, 0x75, 0x6B, 0x74, 0x6B, 0x4A, 0x47, 0x5A, 0x38, 0x4D, 0x64, 0x33, 0x5A, 0x53, 0x73, 0x39, 0x41, 0x2B, 0x52, 0x2B, 0x57, 0x45, 0x59, 0x41, 0x70, 0x34, 0x63, 0x4F, 0x55, 0x43, 0x4A, 0x78, 0x51, 0x2F, 0x66, 0x4A, 0x38, 0x58, 0x4F, 0x45, 0x64, 0x58, 0x38, 0x0A, 0x31, 0x63, 0x4E, 0x66, 0x4B, 0x2B, 0x49, 0x62, 0x76, 0x4B, 0x4D, 0x68, 0x55, 0x67, 0x30, 0x4B, 0x4E, 0x35, 0x38, 0x37, 0x71, 0x66, 0x2F, 0x4C, 0x31, 0x76, 0x57, 0x58, 0x6F, 0x31, 0x74, 0x5A, 0x6B, 0x59, 0x2B, 0x5A, 0x53, 0x4E, 0x63, 0x46, 0x45, 0x41, 0x76, 0x37, 0x43, 0x43, 0x50, 0x51, 0x6B, 0x64, 0x4A, 0x42, 0x48, 0x35, 0x65, 0x6B, 0x35, 0x44, 0x51, 0x2F, 0x37, 0x6D, 0x71, 0x55, 0x0A, 0x6B, 0x76, 0x78, 0x48, 0x53, 0x50, 0x70, 0x34, 0x66, 0x41, 0x71, 0x47, 0x61, 0x68, 0x54, 0x31, 0x75, 0x37, 0x37, 0x56, 0x66, 0x4E, 0x66, 0x31, 0x53, 0x74, 0x61, 0x73, 0x31, 0x6E, 0x4F, 0x67, 0x6A, 0x50, 0x31, 0x41, 0x6C, 0x7A, 0x6E, 0x6B, 0x6A, 0x57, 0x61, 0x72, 0x6A, 0x51, 0x4F, 0x73, 0x48, 0x46, 0x33, 0x41, 0x46, 0x31, 0x62, 0x61, 0x51, 0x4A, 0x50, 0x5A, 0x31, 0x6A, 0x71, 0x4C, 0x0A, 0x61, 0x30, 0x49, 0x45, 0x6E, 0x30, 0x6C, 0x59, 0x6C, 0x78, 0x35, 0x79, 0x4D, 0x6D, 0x78, 0x54, 0x47, 0x57, 0x79, 0x52, 0x35, 0x70, 0x57, 0x51, 0x35, 0x71, 0x66, 0x78, 0x2B, 0x62, 0x37, 0x64, 0x37, 0x75, 0x71, 0x67, 0x47, 0x69, 0x66, 0x36, 0x6A, 0x44, 0x47, 0x4D, 0x37, 0x68, 0x38, 0x43, 0x78, 0x2F, 0x74, 0x67, 0x2B, 0x61, 0x62, 0x45, 0x31, 0x34, 0x30, 0x2F, 0x50, 0x66, 0x6C, 0x33, 0x0A, 0x33, 0x6A, 0x50, 0x6C, 0x52, 0x75, 0x73, 0x57, 0x6F, 0x6F, 0x63, 0x49, 0x41, 0x76, 0x49, 0x74, 0x79, 0x51, 0x6D, 0x39, 0x39, 0x71, 0x74, 0x34, 0x64, 0x6E, 0x74, 0x6E, 0x74, 0x6F, 0x4A, 0x43, 0x6D, 0x4F, 0x53, 0x79, 0x71, 0x67, 0x4D, 0x6E, 0x76, 0x2F, 0x76, 0x2B, 0x51, 0x48, 0x74, 0x79, 0x4D, 0x73, 0x42, 0x64, 0x38, 0x34, 0x78, 0x45, 0x57, 0x46, 0x36, 0x72, 0x58, 0x4D, 0x52, 0x63, 0x0A, 0x53, 0x2B, 0x66, 0x68, 0x54, 0x71, 0x58, 0x74, 0x54, 0x38, 0x44, 0x50, 0x65, 0x70, 0x2F, 0x56, 0x44, 0x66, 0x65, 0x78, 0x6B, 0x41, 0x63, 0x6D, 0x63, 0x75, 0x41, 0x69, 0x6F, 0x2B, 0x79, 0x64, 0x51, 0x75, 0x49, 0x31, 0x32, 0x7A, 0x50, 0x70, 0x45, 0x68, 0x50, 0x45, 0x68, 0x31, 0x44, 0x50, 0x58, 0x73, 0x64, 0x58, 0x67, 0x64, 0x77, 0x39, 0x75, 0x46, 0x47, 0x6D, 0x63, 0x35, 0x68, 0x52, 0x0A, 0x35, 0x31, 0x57, 0x41, 0x31, 0x65, 0x63, 0x44, 0x48, 0x6A, 0x31, 0x58, 0x32, 0x45, 0x72, 0x36, 0x39, 0x59, 0x70, 0x31, 0x50, 0x69, 0x43, 0x37, 0x49, 0x47, 0x79, 0x6F, 0x71, 0x57, 0x43, 0x37, 0x69, 0x2F, 0x71, 0x6D, 0x6D, 0x72, 0x49, 0x66, 0x6F, 0x41, 0x54, 0x74, 0x39, 0x58, 0x34, 0x30, 0x54, 0x56, 0x63, 0x37, 0x42, 0x63, 0x6A, 0x34, 0x63, 0x54, 0x31, 0x78, 0x37, 0x6B, 0x70, 0x4F, 0x0A, 0x4C, 0x71, 0x67, 0x33, 0x6C, 0x50, 0x78, 0x33, 0x2B, 0x4A, 0x63, 0x33, 0x43, 0x67, 0x34, 0x79, 0x5A, 0x54, 0x66, 0x6E, 0x4A, 0x5A, 0x37, 0x48, 0x76, 0x36, 0x64, 0x68, 0x67, 0x45, 0x6D, 0x70, 0x4D, 0x73, 0x74, 0x46, 0x65, 0x35, 0x34, 0x49, 0x53, 0x76, 0x74, 0x38, 0x37, 0x59, 0x4E, 0x77, 0x74, 0x4C, 0x65, 0x6C, 0x34, 0x67, 0x50, 0x4A, 0x79, 0x53, 0x42, 0x30, 0x4B, 0x76, 0x37, 0x69, 0x0A, 0x33, 0x32, 0x74, 0x37, 0x67, 0x4F, 0x30, 0x79, 0x6D, 0x73, 0x62, 0x71, 0x4A, 0x55, 0x75, 0x79, 0x41, 0x68, 0x47, 0x64, 0x33, 0x63, 0x2B, 0x78, 0x4C, 0x46, 0x2F, 0x63, 0x63, 0x4F, 0x57, 0x44, 0x52, 0x34, 0x79, 0x72, 0x30, 0x6A, 0x79, 0x64, 0x74, 0x70, 0x79, 0x69, 0x64, 0x52, 0x45, 0x66, 0x56, 0x46, 0x66, 0x53, 0x6C, 0x39, 0x54, 0x30, 0x6D, 0x53, 0x72, 0x4E, 0x76, 0x43, 0x71, 0x45, 0x0A, 0x52, 0x52, 0x5A, 0x6E, 0x42, 0x56, 0x76, 0x37, 0x50, 0x66, 0x6C, 0x75, 0x72, 0x31, 0x59, 0x35, 0x70, 0x2F, 0x65, 0x78, 0x54, 0x63, 0x56, 0x34, 0x72, 0x4B, 0x52, 0x69, 0x6C, 0x35, 0x58, 0x6A, 0x2F, 0x39, 0x59, 0x56, 0x31, 0x4E, 0x6E, 0x6D, 0x4E, 0x2B, 0x2F, 0x31, 0x31, 0x74, 0x36, 0x58, 0x74, 0x6A, 0x72, 0x75, 0x52, 0x62, 0x33, 0x79, 0x70, 0x38, 0x76, 0x64, 0x6C, 0x61, 0x65, 0x5A, 0x0A, 0x6C, 0x67, 0x45, 0x69, 0x73, 0x30, 0x42, 0x7A, 0x4B, 0x59, 0x39, 0x59, 0x64, 0x58, 0x48, 0x64, 0x46, 0x58, 0x57, 0x59, 0x4F, 0x41, 0x71, 0x50, 0x48, 0x45, 0x65, 0x4B, 0x57, 0x79, 0x61, 0x59, 0x5A, 0x56, 0x79, 0x43, 0x70, 0x51, 0x65, 0x43, 0x53, 0x71, 0x4F, 0x71, 0x48, 0x38, 0x67, 0x42, 0x6B, 0x4F, 0x62, 0x43, 0x69, 0x72, 0x41, 0x6A, 0x65, 0x56, 0x70, 0x35, 0x7A, 0x37, 0x6B, 0x31, 0x0A, 0x64, 0x4F, 0x2F, 0x6D, 0x56, 0x74, 0x49, 0x2B, 0x57, 0x47, 0x30, 0x48, 0x72, 0x37, 0x5A, 0x4C, 0x53, 0x52, 0x78, 0x6F, 0x61, 0x44, 0x47, 0x42, 0x33, 0x4E, 0x35, 0x38, 0x4B, 0x56, 0x45, 0x4F, 0x34, 0x65, 0x46, 0x56, 0x75, 0x6E, 0x59, 0x77, 0x51, 0x42, 0x54, 0x7A, 0x4F, 0x65, 0x57, 0x39, 0x6C, 0x4B, 0x79, 0x49, 0x38, 0x67, 0x4D, 0x45, 0x57, 0x6C, 0x62, 0x4B, 0x72, 0x41, 0x45, 0x49, 0x0A, 0x46, 0x4B, 0x38, 0x7A, 0x58, 0x6F, 0x44, 0x74, 0x39, 0x6A, 0x7A, 0x54, 0x37, 0x67, 0x68, 0x6A, 0x79, 0x45, 0x54, 0x67, 0x44, 0x6C, 0x69, 0x50, 0x53, 0x49, 0x46, 0x6A, 0x79, 0x31, 0x64, 0x6B, 0x6A, 0x6D, 0x68, 0x53, 0x78, 0x79, 0x6A, 0x67, 0x62, 0x71, 0x45, 0x3D, 0x0A, 0x2D, 0x2D, 0x2D, 0x2D, 0x2D, 0x45, 0x4E, 0x44, 0x20, 0x52, 0x53, 0x41, 0x20, 0x50, 0x52, 0x49, 0x56, 0x41, 0x54, 0x45, 0x20, 0x4B, 0x45, 0x59, 0x2D, 0x2D, 0x2D, 0x2D, 0x2D, 0x0A}|VOID*|0x00000005
-
- ## Private Key's size.
- # @Prompt Private Key's size.
- gEfiNetworkPkgTokenSpaceGuid.PcdIpsecUefiCertificateKeySize|0x3d5|UINT32|0x00000006
-
## Indicates whether HTTP connections (i.e., unsecured) are permitted or not.
# TRUE - HTTP connections are allowed. Both the "https://" and "http://" URI schemes are permitted.
# FALSE - HTTP connections are denied. Only the "https://" URI scheme is permitted.
diff --git a/NetworkPkg/NetworkPkg.dsc b/NetworkPkg/NetworkPkg.dsc index 66d43bec12..b5416b1614 100644 --- a/NetworkPkg/NetworkPkg.dsc +++ b/NetworkPkg/NetworkPkg.dsc @@ -112,11 +112,9 @@ NetworkPkg/HttpBootDxe/HttpBootDxe.inf
NetworkPkg/WifiConnectionManagerDxe/WifiConnectionManagerDxe.inf
- NetworkPkg/Application/IpsecConfig/IpSecConfig.inf
NetworkPkg/Application/VConfig/VConfig.inf
[Components.IA32, Components.X64]
- NetworkPkg/IpSecDxe/IpSecDxe.inf
NetworkPkg/IScsiDxe/IScsiDxe.inf
NetworkPkg/UefiPxeBcDxe/UefiPxeBcDxe.inf
NetworkPkg/TlsDxe/TlsDxe.inf
|