From d55d9d0664366efe731db461e14c6fc380fca776 Mon Sep 17 00:00:00 2001 From: "Wang, Fan" Date: Tue, 23 Apr 2019 11:16:50 +0800 Subject: NetworkPkg: Remove IpSec driver and application * REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1697 The IpSec driver in NetworkPkg is not really used by platforms but has security risks. So it is scheduled to be removed from edk2, also include IpSecConfig application. Cc: Fu Siyuan Cc: Wu Jiaxin Signed-off-by: Wang Fan Reviewed-by: Siyuan Fu --- NetworkPkg/IpSecDxe/Ikev2/Sa.c | 2255 ---------------------------------------- 1 file changed, 2255 deletions(-) delete mode 100644 NetworkPkg/IpSecDxe/Ikev2/Sa.c (limited to 'NetworkPkg/IpSecDxe/Ikev2/Sa.c') diff --git a/NetworkPkg/IpSecDxe/Ikev2/Sa.c b/NetworkPkg/IpSecDxe/Ikev2/Sa.c deleted file mode 100644 index d833f06a58..0000000000 --- a/NetworkPkg/IpSecDxe/Ikev2/Sa.c +++ /dev/null @@ -1,2255 +0,0 @@ -/** @file - The operations for IKEv2 SA. - - (C) Copyright 2015 Hewlett-Packard Development Company, L.P.
- Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.
- - SPDX-License-Identifier: BSD-2-Clause-Patent - -**/ - -#include "Utility.h" -#include "IpSecDebug.h" -#include "IkeService.h" -#include "Ikev2.h" - -/** - Generates the DH Key. - - This generates the DH local public key and store it in the IKEv2 SA Session's GxBuffer. - - @param[in] IkeSaSession Pointer to related IKE SA Session. - - @retval EFI_SUCCESS The operation succeeded. - @retval Others The operation failed. - -**/ -EFI_STATUS -Ikev2GenerateSaDhPublicKey ( - IN IKEV2_SA_SESSION *IkeSaSession - ); - -/** - Generates the IKEv2 SA key for the furthure IKEv2 exchange. - - @param[in] IkeSaSession Pointer to IKEv2 SA Session. - @param[in] KePayload Pointer to Key payload used to generate the Key. - - @retval EFI_UNSUPPORTED If the Algorithm Id is not supported. - @retval EFI_SUCCESS The operation succeeded. - -**/ -EFI_STATUS -Ikev2GenerateSaKeys ( - IN IKEV2_SA_SESSION *IkeSaSession, - IN IKE_PAYLOAD *KePayload - ); - -/** - Generates the Keys for the furthure IPsec Protocol. - - @param[in] ChildSaSession Pointer to IKE Child SA Session. - @param[in] KePayload Pointer to Key payload used to generate the Key. - - @retval EFI_UNSUPPORTED If one or more Algorithm Id is unsupported. - @retval EFI_SUCCESS The operation succeeded. - -**/ -EFI_STATUS -Ikev2GenerateChildSaKeys ( - IN IKEV2_CHILD_SA_SESSION *ChildSaSession, - IN IKE_PAYLOAD *KePayload - ); - -/** - Gernerates IKEv2 packet for IKE_SA_INIT exchange. - - @param[in] SaSession Pointer to IKEV2_SA_SESSION related to the exchange. - @param[in] Context Context Data passed by caller. - - @retval EFI_SUCCESS The IKEv2 packet generation succeeded. - @retval Others The IKEv2 packet generation failed. - -**/ -IKE_PACKET * -Ikev2InitPskGenerator ( - IN UINT8 *SaSession, - IN VOID *Context - ) -{ - IKE_PACKET *IkePacket; - IKEV2_SA_SESSION *IkeSaSession; - IKE_PAYLOAD *SaPayload; - IKE_PAYLOAD *KePayload; - IKE_PAYLOAD *NoncePayload; - IKE_PAYLOAD *NotifyPayload; - EFI_STATUS Status; - - SaPayload = NULL; - KePayload = NULL; - NoncePayload = NULL; - NotifyPayload = NULL; - - IkeSaSession = (IKEV2_SA_SESSION *) SaSession; - - // - // 1. Allocate IKE packet - // - IkePacket = IkePacketAlloc (); - if (IkePacket == NULL) { - goto CheckError; - } - - // - // 1.a Fill the IkePacket->Hdr - // - IkePacket->Header->ExchangeType = IKEV2_EXCHANGE_TYPE_INIT; - IkePacket->Header->InitiatorCookie = IkeSaSession->InitiatorCookie; - IkePacket->Header->ResponderCookie = IkeSaSession->ResponderCookie; - IkePacket->Header->Version = (UINT8) (2 << 4); - IkePacket->Header->MessageId = 0; - - if (IkeSaSession->SessionCommon.IsInitiator) { - IkePacket->Header->Flags = IKE_HEADER_FLAGS_INIT; - } else { - IkePacket->Header->Flags = IKE_HEADER_FLAGS_RESPOND; - } - - // - // If the NCookie is not NULL, this IKE_SA_INIT packet is resent by the NCookie - // and the NCookie payload should be the first payload in this packet. - // - if (IkeSaSession->NCookie != NULL) { - IkePacket->Header->NextPayload = IKEV2_PAYLOAD_TYPE_NOTIFY; - NotifyPayload = Ikev2GenerateNotifyPayload ( - IPSEC_PROTO_ISAKMP, - IKEV2_PAYLOAD_TYPE_SA, - 0, - IKEV2_NOTIFICATION_COOKIE, - NULL, - IkeSaSession->NCookie, - IkeSaSession->NCookieSize - ); - } else { - IkePacket->Header->NextPayload = IKEV2_PAYLOAD_TYPE_SA; - } - - // - // 2. Generate SA Payload according to the SaData & SaParams - // - SaPayload = Ikev2GenerateSaPayload ( - IkeSaSession->SaData, - IKEV2_PAYLOAD_TYPE_KE, - IkeSessionTypeIkeSa - ); - - // - // 3. Generate DH public key. - // The DhPrivate Key has been generated in Ikev2InitPskParser, if the - // IkeSaSession is responder. If resending IKE_SA_INIT with Cookie Notify - // No need to recompute the Public key. - // - if ((IkeSaSession->SessionCommon.IsInitiator) && (IkeSaSession->NCookie == NULL)) { - Status = Ikev2GenerateSaDhPublicKey (IkeSaSession); - if (EFI_ERROR (Status)) { - goto CheckError; - } - } - - // - // 4. Generate KE Payload according to SaParams->DhGroup - // - KePayload = Ikev2GenerateKePayload ( - IkeSaSession, - IKEV2_PAYLOAD_TYPE_NONCE - ); - - // - // 5. Generate Nonce Payload - // If resending IKE_SA_INIT with Cookie Notify paylaod, no need to regenerate - // the Nonce Payload. - // - if ((IkeSaSession->SessionCommon.IsInitiator) && (IkeSaSession->NCookie == NULL)) { - IkeSaSession->NiBlkSize = IKE_NONCE_SIZE; - IkeSaSession->NiBlock = IkeGenerateNonce (IKE_NONCE_SIZE); - if (IkeSaSession->NiBlock == NULL) { - goto CheckError; - } - } - - if (IkeSaSession->SessionCommon.IsInitiator) { - NoncePayload = Ikev2GenerateNoncePayload ( - IkeSaSession->NiBlock, - IkeSaSession->NiBlkSize, - IKEV2_PAYLOAD_TYPE_NONE - ); - } else { - // - // The Nonce Payload has been created in Ikev2PskParser if the IkeSaSession is - // responder. - // - NoncePayload = Ikev2GenerateNoncePayload ( - IkeSaSession->NrBlock, - IkeSaSession->NrBlkSize, - IKEV2_PAYLOAD_TYPE_NONE - ); - } - - if (NotifyPayload != NULL) { - IKE_PACKET_APPEND_PAYLOAD (IkePacket, NotifyPayload); - } - if (SaPayload != NULL) { - IKE_PACKET_APPEND_PAYLOAD (IkePacket, SaPayload); - } - if (KePayload != NULL) { - IKE_PACKET_APPEND_PAYLOAD (IkePacket, KePayload); - } - if (NoncePayload != NULL) { - IKE_PACKET_APPEND_PAYLOAD (IkePacket, NoncePayload); - } - - return IkePacket; - -CheckError: - if (IkePacket != NULL) { - IkePacketFree (IkePacket); - } - if (SaPayload != NULL) { - IkePayloadFree (SaPayload); - } - return NULL; -} - -/** - Parses the IKEv2 packet for IKE_SA_INIT exchange. - - @param[in] SaSession Pointer to IKEV2_SA_SESSION related to the exchange. - @param[in] IkePacket The received IKE packet to be parsed. - - @retval EFI_SUCCESS The IKEv2 packet is acceptable and the relative data is - saved for furthure communication. - @retval EFI_INVALID_PARAMETER The IKEv2 packet is malformed or the SA proposal is unacceptable. - -**/ -EFI_STATUS -Ikev2InitPskParser ( - IN UINT8 *SaSession, - IN IKE_PACKET *IkePacket - ) -{ - IKEV2_SA_SESSION *IkeSaSession; - IKE_PAYLOAD *SaPayload; - IKE_PAYLOAD *KeyPayload; - IKE_PAYLOAD *IkePayload; - IKE_PAYLOAD *NoncePayload; - IKE_PAYLOAD *NotifyPayload; - UINT8 *NonceBuffer; - UINTN NonceSize; - LIST_ENTRY *Entry; - EFI_STATUS Status; - - IkeSaSession = (IKEV2_SA_SESSION *) SaSession; - KeyPayload = NULL; - SaPayload = NULL; - NoncePayload = NULL; - IkePayload = NULL; - NotifyPayload = NULL; - - // - // Iterate payloads to find the SaPayload and KeyPayload. - // - NET_LIST_FOR_EACH (Entry, &(IkePacket)->PayloadList) { - IkePayload = IKE_PAYLOAD_BY_PACKET (Entry); - if (IkePayload->PayloadType == IKEV2_PAYLOAD_TYPE_SA) { - SaPayload = IkePayload; - } - if (IkePayload->PayloadType == IKEV2_PAYLOAD_TYPE_KE) { - KeyPayload = IkePayload; - } - if (IkePayload->PayloadType == IKEV2_PAYLOAD_TYPE_NONCE) { - NoncePayload = IkePayload; - } - if (IkePayload->PayloadType == IKEV2_PAYLOAD_TYPE_NOTIFY) { - NotifyPayload = IkePayload; - } - } - - // - // According to RFC 4306 - 2.6. If the responder responds with the COOKIE Notify - // payload with the cookie data, initiator MUST retry the IKE_SA_INIT with a - // Notify payload of type COOKIE containing the responder suppplied cookie data - // as first payload and all other payloads unchanged. - // - if (IkeSaSession->SessionCommon.IsInitiator) { - if (NotifyPayload != NULL && !EFI_ERROR(Ikev2ParserNotifyCookiePayload (NotifyPayload, IkeSaSession))) { - return EFI_SUCCESS; - } - } - - if ((KeyPayload == NULL) || (SaPayload == NULL) || (NoncePayload == NULL)) { - return EFI_INVALID_PARAMETER; - } - - // - // Store NoncePayload for SKEYID computing. - // - NonceSize = NoncePayload->PayloadSize - sizeof (IKEV2_COMMON_PAYLOAD_HEADER); - NonceBuffer = (UINT8 *) AllocatePool (NonceSize); - if (NonceBuffer == NULL) { - Status = EFI_OUT_OF_RESOURCES; - goto CheckError; - } - - CopyMem ( - NonceBuffer, - NoncePayload->PayloadBuf + sizeof (IKEV2_COMMON_PAYLOAD_HEADER), - NonceSize - ); - - // - // Check if IkePacket Header matches the state - // - if (IkeSaSession->SessionCommon.IsInitiator) { - // - // 1. Check the IkePacket->Hdr == IKE_HEADER_FLAGS_RESPOND - // - if (IkePacket->Header->Flags != IKE_HEADER_FLAGS_RESPOND) { - Status = EFI_INVALID_PARAMETER; - goto CheckError; - } - - // - // 2. Parse the SA Payload and Key Payload to find out the cryptographic - // suite and fill in the Sa paramse into CommonSession->SaParams - // - if (!Ikev2SaParseSaPayload (IkeSaSession, SaPayload, IkePacket->Header->Flags)) { - Status = EFI_INVALID_PARAMETER; - goto CheckError; - } - - // - // 3. If Initiator, the NoncePayload is Nr_b. - // - IKEV2_DUMP_STATE (IkeSaSession->SessionCommon.State, IkeStateAuth); - IkeSaSession->NrBlock = NonceBuffer; - IkeSaSession->NrBlkSize = NonceSize; - IkeSaSession->SessionCommon.State = IkeStateAuth; - IkeSaSession->ResponderCookie = IkePacket->Header->ResponderCookie; - - // - // 4. Change the state of IkeSaSession - // - IkeSaSession->SessionCommon.State = IkeStateAuth; - } else { - // - // 1. Check the IkePacket->Hdr == IKE_HEADER_FLAGS_INIT - // - if (IkePacket->Header->Flags != IKE_HEADER_FLAGS_INIT) { - Status = EFI_INVALID_PARAMETER; - goto CheckError; - } - - // - // 2. Parse the SA payload and find out the perfered one - // and fill in the SA parameters into CommonSession->SaParams and SaData into - // IkeSaSession for the responder SA payload generation. - // - if (!Ikev2SaParseSaPayload (IkeSaSession, SaPayload, IkePacket->Header->Flags)) { - Status = EFI_INVALID_PARAMETER; - goto CheckError; - } - - // - // 3. Generat Dh Y parivate Key - // - Status = Ikev2GenerateSaDhPublicKey (IkeSaSession); - if (EFI_ERROR (Status)) { - goto CheckError; - } - - // - // 4. If Responder, the NoncePayload is Ni_b and go to generate Nr_b. - // - IkeSaSession->NiBlock = NonceBuffer; - IkeSaSession->NiBlkSize = NonceSize; - - // - // 5. Generate Nr_b - // - IkeSaSession->NrBlock = IkeGenerateNonce (IKE_NONCE_SIZE); - ASSERT (IkeSaSession->NrBlock != NULL); - IkeSaSession->NrBlkSize = IKE_NONCE_SIZE; - - // - // 6. Save the Cookies - // - IkeSaSession->InitiatorCookie = IkePacket->Header->InitiatorCookie; - IkeSaSession->ResponderCookie = IkeGenerateCookie (); - } - - if (IkeSaSession->SessionCommon.PreferDhGroup != ((IKEV2_KEY_EXCHANGE *)KeyPayload->PayloadBuf)->DhGroup) { - Status = EFI_INVALID_PARAMETER; - goto CheckError; - } - // - // Call Ikev2GenerateSaKeys to create SKEYID, SKEYID_d, SKEYID_a, SKEYID_e. - // - Status = Ikev2GenerateSaKeys (IkeSaSession, KeyPayload); - if (EFI_ERROR(Status)) { - goto CheckError; - } - return EFI_SUCCESS; - -CheckError: - if (NonceBuffer != NULL) { - FreePool (NonceBuffer); - } - - return Status; -} - -/** - Generates the IKEv2 packet for IKE_AUTH exchange. - - @param[in] SaSession Pointer to IKEV2_SA_SESSION. - @param[in] Context Context data passed by caller. - - @retval Pointer to IKE Packet to be sent out. - -**/ -IKE_PACKET * -Ikev2AuthPskGenerator ( - IN UINT8 *SaSession, - IN VOID *Context - ) -{ - IKE_PACKET *IkePacket; - IKEV2_SA_SESSION *IkeSaSession; - IKE_PAYLOAD *IdPayload; - IKE_PAYLOAD *AuthPayload; - IKE_PAYLOAD *SaPayload; - IKE_PAYLOAD *TsiPayload; - IKE_PAYLOAD *TsrPayload; - IKE_PAYLOAD *NotifyPayload; - IKE_PAYLOAD *CpPayload; - IKEV2_CHILD_SA_SESSION *ChildSaSession; - - - IkeSaSession = (IKEV2_SA_SESSION *) SaSession; - ChildSaSession = IKEV2_CHILD_SA_SESSION_BY_IKE_SA (GetFirstNode (&IkeSaSession->ChildSaSessionList)); - - IkePacket = NULL; - IdPayload = NULL; - AuthPayload = NULL; - SaPayload = NULL; - TsiPayload = NULL; - TsrPayload = NULL; - NotifyPayload = NULL; - CpPayload = NULL; - NotifyPayload = NULL; - - // - // 1. Allocate IKE Packet - // - IkePacket= IkePacketAlloc (); - if (IkePacket == NULL) { - return NULL; - } - - // - // 1.a Fill the IkePacket Header. - // - IkePacket->Header->ExchangeType = IKEV2_EXCHANGE_TYPE_AUTH; - IkePacket->Header->InitiatorCookie = IkeSaSession->InitiatorCookie; - IkePacket->Header->ResponderCookie = IkeSaSession->ResponderCookie; - IkePacket->Header->Version = (UINT8)(2 << 4); - if (ChildSaSession->SessionCommon.IsInitiator) { - IkePacket->Header->NextPayload = IKEV2_PAYLOAD_TYPE_ID_INIT; - } else { - IkePacket->Header->NextPayload = IKEV2_PAYLOAD_TYPE_ID_RSP; - } - - // - // According to RFC4306_2.2, For the IKE_SA_INIT message the MessageID should - // be always number 0 and 1; - // - IkePacket->Header->MessageId = 1; - - if (IkeSaSession->SessionCommon.IsInitiator) { - IkePacket->Header->Flags = IKE_HEADER_FLAGS_INIT; - } else { - IkePacket->Header->Flags = IKE_HEADER_FLAGS_RESPOND; - } - - // - // 2. Generate ID Payload according to IP version and address. - // - IdPayload = Ikev2GenerateIdPayload ( - &IkeSaSession->SessionCommon, - IKEV2_PAYLOAD_TYPE_AUTH - ); - if (IdPayload == NULL) { - goto CheckError; - } - - // - // 3. Generate Auth Payload - // If it is tunnel mode, should create the configuration payload after the - // Auth payload. - // - if (IkeSaSession->Spd->Data->ProcessingPolicy->Mode == EfiIPsecTransport) { - - AuthPayload = Ikev2PskGenerateAuthPayload ( - ChildSaSession->IkeSaSession, - IdPayload, - IKEV2_PAYLOAD_TYPE_SA, - FALSE - ); - } else { - AuthPayload = Ikev2PskGenerateAuthPayload ( - ChildSaSession->IkeSaSession, - IdPayload, - IKEV2_PAYLOAD_TYPE_CP, - FALSE - ); - if (IkeSaSession->SessionCommon.UdpService->IpVersion == IP_VERSION_4) { - CpPayload = Ikev2GenerateCpPayload ( - ChildSaSession->IkeSaSession, - IKEV2_PAYLOAD_TYPE_SA, - IKEV2_CFG_ATTR_INTERNAL_IP4_ADDRESS - ); - } else { - CpPayload = Ikev2GenerateCpPayload ( - ChildSaSession->IkeSaSession, - IKEV2_PAYLOAD_TYPE_SA, - IKEV2_CFG_ATTR_INTERNAL_IP6_ADDRESS - ); - } - - if (CpPayload == NULL) { - goto CheckError; - } - } - - if (AuthPayload == NULL) { - goto CheckError; - } - - // - // 4. Generate SA Payload according to the SA Data in ChildSaSession - // - SaPayload = Ikev2GenerateSaPayload ( - ChildSaSession->SaData, - IKEV2_PAYLOAD_TYPE_TS_INIT, - IkeSessionTypeChildSa - ); - if (SaPayload == NULL) { - goto CheckError; - } - - if (IkeSaSession->Spd->Data->ProcessingPolicy->Mode == EfiIPsecTransport) { - // - // Generate Tsi and Tsr. - // - TsiPayload = Ikev2GenerateTsPayload ( - ChildSaSession, - IKEV2_PAYLOAD_TYPE_TS_RSP, - FALSE - ); - - TsrPayload = Ikev2GenerateTsPayload ( - ChildSaSession, - IKEV2_PAYLOAD_TYPE_NOTIFY, - FALSE - ); - - // - // Generate Notify Payload. If transport mode, there should have Notify - // payload with TRANSPORT_MODE notification. - // - NotifyPayload = Ikev2GenerateNotifyPayload ( - 0, - IKEV2_PAYLOAD_TYPE_NONE, - 0, - IKEV2_NOTIFICATION_USE_TRANSPORT_MODE, - NULL, - NULL, - 0 - ); - if (NotifyPayload == NULL) { - goto CheckError; - } - } else { - // - // Generate Tsr for Tunnel mode. - // - TsiPayload = Ikev2GenerateTsPayload ( - ChildSaSession, - IKEV2_PAYLOAD_TYPE_TS_RSP, - TRUE - ); - TsrPayload = Ikev2GenerateTsPayload ( - ChildSaSession, - IKEV2_PAYLOAD_TYPE_NONE, - FALSE - ); - } - - if (TsiPayload == NULL || TsrPayload == NULL) { - goto CheckError; - } - - IKE_PACKET_APPEND_PAYLOAD (IkePacket, IdPayload); - IKE_PACKET_APPEND_PAYLOAD (IkePacket, AuthPayload); - if (IkeSaSession->Spd->Data->ProcessingPolicy->Mode == EfiIPsecTunnel) { - IKE_PACKET_APPEND_PAYLOAD (IkePacket, CpPayload); - } - IKE_PACKET_APPEND_PAYLOAD (IkePacket, SaPayload); - IKE_PACKET_APPEND_PAYLOAD (IkePacket, TsiPayload); - IKE_PACKET_APPEND_PAYLOAD (IkePacket, TsrPayload); - if (IkeSaSession->Spd->Data->ProcessingPolicy->Mode == EfiIPsecTransport) { - IKE_PACKET_APPEND_PAYLOAD (IkePacket, NotifyPayload); - } - - return IkePacket; - -CheckError: - if (IkePacket != NULL) { - IkePacketFree (IkePacket); - } - - if (IdPayload != NULL) { - IkePayloadFree (IdPayload); - } - - if (AuthPayload != NULL) { - IkePayloadFree (AuthPayload); - } - - if (CpPayload != NULL) { - IkePayloadFree (CpPayload); - } - - if (SaPayload != NULL) { - IkePayloadFree (SaPayload); - } - - if (TsiPayload != NULL) { - IkePayloadFree (TsiPayload); - } - - if (TsrPayload != NULL) { - IkePayloadFree (TsrPayload); - } - - if (NotifyPayload != NULL) { - IkePayloadFree (NotifyPayload); - } - - return NULL; -} - -/** - Parses IKE_AUTH packet. - - @param[in] SaSession Pointer to the IKE_SA_SESSION related to this packet. - @param[in] IkePacket Pointer to the IKE_AUTH packet to be parsered. - - @retval EFI_INVALID_PARAMETER The IKE packet is malformed or the SA - proposal is unacceptable. - @retval EFI_SUCCESS The IKE packet is acceptable and the - relative data is saved for furthure communication. - -**/ -EFI_STATUS -Ikev2AuthPskParser ( - IN UINT8 *SaSession, - IN IKE_PACKET *IkePacket - ) -{ - IKEV2_CHILD_SA_SESSION *ChildSaSession; - IKEV2_SA_SESSION *IkeSaSession; - IKE_PAYLOAD *IkePayload; - IKE_PAYLOAD *SaPayload; - IKE_PAYLOAD *IdiPayload; - IKE_PAYLOAD *IdrPayload; - IKE_PAYLOAD *AuthPayload; - IKE_PAYLOAD *TsiPayload; - IKE_PAYLOAD *TsrPayload; - IKE_PAYLOAD *VerifiedAuthPayload; - LIST_ENTRY *Entry; - EFI_STATUS Status; - - IkeSaSession = (IKEV2_SA_SESSION *) SaSession; - ChildSaSession = IKEV2_CHILD_SA_SESSION_BY_IKE_SA (GetFirstNode (&IkeSaSession->ChildSaSessionList)); - - SaPayload = NULL; - IdiPayload = NULL; - IdrPayload = NULL; - AuthPayload = NULL; - TsiPayload = NULL; - TsrPayload = NULL; - - // - // Iterate payloads to find the SaPayload/ID/AUTH/TS Payload. - // - NET_LIST_FOR_EACH (Entry, &(IkePacket)->PayloadList) { - IkePayload = IKE_PAYLOAD_BY_PACKET (Entry); - - if (IkePayload->PayloadType == IKEV2_PAYLOAD_TYPE_ID_INIT) { - IdiPayload = IkePayload; - } - if (IkePayload->PayloadType == IKEV2_PAYLOAD_TYPE_ID_RSP) { - IdrPayload = IkePayload; - } - if (IkePayload->PayloadType == IKEV2_PAYLOAD_TYPE_SA) { - SaPayload = IkePayload; - } - if (IkePayload->PayloadType == IKEV2_PAYLOAD_TYPE_AUTH) { - AuthPayload = IkePayload; - } - if (IkePayload->PayloadType == IKEV2_PAYLOAD_TYPE_TS_INIT) { - TsiPayload = IkePayload; - } - if (IkePayload->PayloadType == IKEV2_PAYLOAD_TYPE_TS_RSP) { - TsrPayload = IkePayload; - } - } - - if ((SaPayload == NULL) || (AuthPayload == NULL) || (TsiPayload == NULL) || (TsrPayload == NULL)) { - return EFI_INVALID_PARAMETER; - } - if ((IdiPayload == NULL) && (IdrPayload == NULL)) { - return EFI_INVALID_PARAMETER; - } - - // - // Check IkePacket Header is match the state - // - if (IkeSaSession->SessionCommon.IsInitiator) { - - // - // 1. Check the IkePacket->Hdr == IKE_HEADER_FLAGS_RESPOND - // - if ((IkePacket->Header->Flags != IKE_HEADER_FLAGS_RESPOND) || - (IkePacket->Header->ExchangeType != IKEV2_EXCHANGE_TYPE_AUTH) - ) { - return EFI_INVALID_PARAMETER; - } - - } else { - // - // 1. Check the IkePacket->Hdr == IKE_HEADER_FLAGS_INIT - // - if ((IkePacket->Header->Flags != IKE_HEADER_FLAGS_INIT) || - (IkePacket->Header->ExchangeType != IKEV2_EXCHANGE_TYPE_AUTH) - ) { - return EFI_INVALID_PARAMETER; - } - - // - // 2. Parse the SA payload and Key Payload and find out the perferable one - // and fill in the Sa paramse into CommonSession->SaParams and SaData into - // IkeSaSession for the responder SA payload generation. - // - } - - // - // Verify the Auth Payload. - // - VerifiedAuthPayload = Ikev2PskGenerateAuthPayload ( - IkeSaSession, - IkeSaSession->SessionCommon.IsInitiator ? IdrPayload : IdiPayload, - IKEV2_PAYLOAD_TYPE_SA, - TRUE - ); - if ((VerifiedAuthPayload != NULL) && - (0 != CompareMem ( - VerifiedAuthPayload->PayloadBuf + sizeof (IKEV2_COMMON_PAYLOAD_HEADER), - AuthPayload->PayloadBuf + sizeof (IKEV2_COMMON_PAYLOAD_HEADER), - VerifiedAuthPayload->PayloadSize - sizeof (IKEV2_COMMON_PAYLOAD_HEADER) - ))) { - return EFI_INVALID_PARAMETER; - }; - - // - // 3. Parse the SA Payload to find out the cryptographic suite - // and fill in the Sa paramse into CommonSession->SaParams. If no acceptable - // porposal found, return EFI_INVALID_PARAMETER. - // - if (!Ikev2ChildSaParseSaPayload (ChildSaSession, SaPayload, IkePacket->Header->Flags)) { - return EFI_INVALID_PARAMETER; - } - - // - // 4. Parse TSi, TSr payloads. - // - if ((((TRAFFIC_SELECTOR *)(TsiPayload->PayloadBuf + sizeof (IKEV2_TS)))->IpProtocolId != - ((TRAFFIC_SELECTOR *)(TsrPayload->PayloadBuf + sizeof (IKEV2_TS)))->IpProtocolId) && - (((TRAFFIC_SELECTOR *)(TsiPayload->PayloadBuf + sizeof (IKEV2_TS)))->IpProtocolId != 0) && - (((TRAFFIC_SELECTOR *)(TsrPayload->PayloadBuf + sizeof (IKEV2_TS)))->IpProtocolId != 0) - ) { - return EFI_INVALID_PARAMETER; - } - - if (!IkeSaSession->SessionCommon.IsInitiator) { - // - //TODO:check the Port range. Only support any port and one certain port here. - // - ChildSaSession->ProtoId = ((TRAFFIC_SELECTOR *)(TsrPayload->PayloadBuf + sizeof (IKEV2_TS)))->IpProtocolId; - ChildSaSession->LocalPort = ((TRAFFIC_SELECTOR *)(TsrPayload->PayloadBuf + sizeof (IKEV2_TS)))->StartPort; - ChildSaSession->RemotePort = ((TRAFFIC_SELECTOR *)(TsiPayload->PayloadBuf + sizeof (IKEV2_TS)))->StartPort; - // - // Association a SPD with this SA. - // - Status = Ikev2ChildSaAssociateSpdEntry (ChildSaSession); - if (EFI_ERROR (Status)) { - return EFI_INVALID_PARAMETER; - } - // - // Associate the IkeSaSession's SPD to the first ChildSaSession's SPD. - // - if (ChildSaSession->IkeSaSession->Spd == NULL) { - ChildSaSession->IkeSaSession->Spd = ChildSaSession->Spd; - Status = Ikev2ChildSaSessionSpdSelectorCreate (ChildSaSession); - if (EFI_ERROR (Status)) { - return Status; - } - } - } else { - // - //TODO:check the Port range. - // - if ((((TRAFFIC_SELECTOR *)(TsrPayload->PayloadBuf + sizeof (IKEV2_TS)))->StartPort != 0) && - (((TRAFFIC_SELECTOR *)(TsrPayload->PayloadBuf + sizeof (IKEV2_TS)))->StartPort != ChildSaSession->RemotePort) - ) { - return EFI_INVALID_PARAMETER; - } - if ((((TRAFFIC_SELECTOR *)(TsiPayload->PayloadBuf + sizeof (IKEV2_TS)))->StartPort != 0) && - (((TRAFFIC_SELECTOR *)(TsiPayload->PayloadBuf + sizeof (IKEV2_TS)))->StartPort != ChildSaSession->LocalPort) - ) { - return EFI_INVALID_PARAMETER; - } - // - // For the tunnel mode, it should add the vitual IP address into the SA's SPD Selector. - // - if (ChildSaSession->Spd->Data->ProcessingPolicy->Mode == EfiIPsecTunnel) { - if (!ChildSaSession->IkeSaSession->SessionCommon.IsInitiator) { - // - // If it is tunnel mode, the UEFI part must be the initiator. - // - return EFI_INVALID_PARAMETER; - } - // - // Get the Virtual IP address from the Tsi traffic selector. - // TODO: check the CFG reply payload - // - CopyMem ( - &ChildSaSession->SpdSelector->LocalAddress[0].Address, - TsiPayload->PayloadBuf + sizeof (IKEV2_TS) + sizeof (TRAFFIC_SELECTOR), - (ChildSaSession->SessionCommon.UdpService->IpVersion == IP_VERSION_4) ? - sizeof (EFI_IPv4_ADDRESS) : sizeof (EFI_IPv6_ADDRESS) - ); - } - } - - // - // 5. Generate keymats for IPsec protocol. - // - Status = Ikev2GenerateChildSaKeys (ChildSaSession, NULL); - if (EFI_ERROR (Status)) { - return Status; - } - - if (IkeSaSession->SessionCommon.IsInitiator) { - // - // 6. Change the state of IkeSaSession - // - IKEV2_DUMP_STATE (IkeSaSession->SessionCommon.State, IkeStateIkeSaEstablished); - IkeSaSession->SessionCommon.State = IkeStateIkeSaEstablished; - } - - return EFI_SUCCESS; -} - -/** - Gernerates IKEv2 packet for IKE_SA_INIT exchange. - - @param[in] SaSession Pointer to IKEV2_SA_SESSION related to the exchange. - @param[in] Context Context Data passed by caller. - - @retval EFI_SUCCESS The IKE packet generation succeeded. - @retval Others The IKE packet generation failed. - -**/ -IKE_PACKET* -Ikev2InitCertGenerator ( - IN UINT8 *SaSession, - IN VOID *Context - ) -{ - IKE_PACKET *IkePacket; - IKE_PAYLOAD *CertReqPayload; - LIST_ENTRY *Node; - IKE_PAYLOAD *NoncePayload; - - if (!FeaturePcdGet (PcdIpsecCertificateEnabled)) { - return NULL; - } - - // - // The first two messages exchange is same between PSK and Cert. - // - IkePacket = Ikev2InitPskGenerator (SaSession, Context); - - if ((IkePacket != NULL) && (!((IKEV2_SA_SESSION *)SaSession)->SessionCommon.IsInitiator)) { - // - // Add the Certification Request Payload - // - CertReqPayload = Ikev2GenerateCertificatePayload ( - (IKEV2_SA_SESSION *)SaSession, - IKEV2_PAYLOAD_TYPE_NONE, - (UINT8*)PcdGetPtr(PcdIpsecUefiCaFile), - PcdGet32(PcdIpsecUefiCaFileSize), - IKEV2_CERT_ENCODEING_HASH_AND_URL_OF_X509_CERT, - TRUE - ); - // - // Change Nonce Payload Next payload type. - // - IKE_PACKET_END_PAYLOAD (IkePacket, Node); - NoncePayload = IKE_PAYLOAD_BY_PACKET (Node); - ((IKEV2_NONCE *)NoncePayload->PayloadBuf)->Header.NextPayload = IKEV2_PAYLOAD_TYPE_CERTREQ; - - // - // Add Certification Request Payload - // - IKE_PACKET_APPEND_PAYLOAD (IkePacket, CertReqPayload); - } - - return IkePacket; -} - -/** - Parses the IKEv2 packet for IKE_SA_INIT exchange. - - @param[in] SaSession Pointer to IKEV2_SA_SESSION related to the exchange. - @param[in] IkePacket The received IKEv2 packet to be parsed. - - @retval EFI_SUCCESS The IKEv2 packet is acceptable and the relative data is - saved for furthure communication. - @retval EFI_INVALID_PARAMETER The IKE packet is malformed or the SA proposal is unacceptable. - @retval EFI_UNSUPPORTED The certificate authentication is not supported. - -**/ -EFI_STATUS -Ikev2InitCertParser ( - IN UINT8 *SaSession, - IN IKE_PACKET *IkePacket - ) -{ - if (!FeaturePcdGet (PcdIpsecCertificateEnabled)) { - return EFI_UNSUPPORTED; - } - - // - // The first two messages exchange is same between PSK and Cert. - // Todo: Parse Certificate Request from responder Initial Exchange. - // - return Ikev2InitPskParser (SaSession, IkePacket); -} - -/** - Generates the IKEv2 packet for IKE_AUTH exchange. - - @param[in] SaSession Pointer to IKEV2_SA_SESSION. - @param[in] Context Context data passed by caller. - - @retval Pointer to IKEv2 Packet to be sent out. - -**/ -IKE_PACKET * -Ikev2AuthCertGenerator ( - IN UINT8 *SaSession, - IN VOID *Context - ) -{ - IKE_PACKET *IkePacket; - IKEV2_SA_SESSION *IkeSaSession; - IKE_PAYLOAD *IdPayload; - IKE_PAYLOAD *AuthPayload; - IKE_PAYLOAD *SaPayload; - IKE_PAYLOAD *TsiPayload; - IKE_PAYLOAD *TsrPayload; - IKE_PAYLOAD *NotifyPayload; - IKE_PAYLOAD *CpPayload; - IKE_PAYLOAD *CertPayload; - IKE_PAYLOAD *CertReqPayload; - IKEV2_CHILD_SA_SESSION *ChildSaSession; - - if (!FeaturePcdGet (PcdIpsecCertificateEnabled)) { - return NULL; - } - - IkeSaSession = (IKEV2_SA_SESSION *) SaSession; - ChildSaSession = IKEV2_CHILD_SA_SESSION_BY_IKE_SA (GetFirstNode (&IkeSaSession->ChildSaSessionList)); - - IkePacket = NULL; - IdPayload = NULL; - AuthPayload = NULL; - CpPayload = NULL; - SaPayload = NULL; - TsiPayload = NULL; - TsrPayload = NULL; - NotifyPayload = NULL; - CertPayload = NULL; - CertReqPayload = NULL; - - // - // 1. Allocate IKE Packet - // - IkePacket= IkePacketAlloc (); - if (IkePacket == NULL) { - return NULL; - } - - // - // 1.a Fill the IkePacket Header. - // - IkePacket->Header->ExchangeType = IKEV2_EXCHANGE_TYPE_AUTH; - IkePacket->Header->InitiatorCookie = IkeSaSession->InitiatorCookie; - IkePacket->Header->ResponderCookie = IkeSaSession->ResponderCookie; - IkePacket->Header->Version = (UINT8)(2 << 4); - if (ChildSaSession->SessionCommon.IsInitiator) { - IkePacket->Header->NextPayload = IKEV2_PAYLOAD_TYPE_ID_INIT; - } else { - IkePacket->Header->NextPayload = IKEV2_PAYLOAD_TYPE_ID_RSP; - } - - // - // According to RFC4306_2.2, For the IKE_SA_INIT message the MessageID should - // be always number 0 and 1; - // - IkePacket->Header->MessageId = 1; - - if (IkeSaSession->SessionCommon.IsInitiator) { - IkePacket->Header->Flags = IKE_HEADER_FLAGS_INIT; - } else { - IkePacket->Header->Flags = IKE_HEADER_FLAGS_RESPOND; - } - - // - // 2. Generate ID Payload according to IP version and address. - // - IdPayload = Ikev2GenerateCertIdPayload ( - &IkeSaSession->SessionCommon, - IKEV2_PAYLOAD_TYPE_CERT, - (UINT8 *)PcdGetPtr (PcdIpsecUefiCertificate), - PcdGet32 (PcdIpsecUefiCertificateSize) - ); - if (IdPayload == NULL) { - goto CheckError; - } - - // - // 3. Generate Certificate Payload - // - CertPayload = Ikev2GenerateCertificatePayload ( - IkeSaSession, - (UINT8)(IkeSaSession->SessionCommon.IsInitiator ? IKEV2_PAYLOAD_TYPE_CERTREQ : IKEV2_PAYLOAD_TYPE_AUTH), - (UINT8 *)PcdGetPtr (PcdIpsecUefiCertificate), - PcdGet32 (PcdIpsecUefiCertificateSize), - IKEV2_CERT_ENCODEING_X509_CERT_SIGN, - FALSE - ); - if (CertPayload == NULL) { - goto CheckError; - } - - if (IkeSaSession->SessionCommon.IsInitiator) { - CertReqPayload = Ikev2GenerateCertificatePayload ( - IkeSaSession, - IKEV2_PAYLOAD_TYPE_AUTH, - (UINT8 *)PcdGetPtr (PcdIpsecUefiCertificate), - PcdGet32 (PcdIpsecUefiCertificateSize), - IKEV2_CERT_ENCODEING_HASH_AND_URL_OF_X509_CERT, - TRUE - ); - if (CertReqPayload == NULL) { - goto CheckError; - } - } - - // - // 4. Generate Auth Payload - // If it is tunnel mode, should create the configuration payload after the - // Auth payload. - // - if (IkeSaSession->Spd->Data->ProcessingPolicy->Mode == EfiIPsecTransport) { - AuthPayload = Ikev2CertGenerateAuthPayload ( - ChildSaSession->IkeSaSession, - IdPayload, - IKEV2_PAYLOAD_TYPE_SA, - FALSE, - (UINT8 *)PcdGetPtr (PcdIpsecUefiCertificateKey), - PcdGet32 (PcdIpsecUefiCertificateKeySize), - ChildSaSession->IkeSaSession->Pad->Data->AuthData, - ChildSaSession->IkeSaSession->Pad->Data->AuthDataSize - ); - } else { - AuthPayload = Ikev2CertGenerateAuthPayload ( - ChildSaSession->IkeSaSession, - IdPayload, - IKEV2_PAYLOAD_TYPE_CP, - FALSE, - (UINT8 *)PcdGetPtr (PcdIpsecUefiCertificateKey), - PcdGet32 (PcdIpsecUefiCertificateKeySize), - ChildSaSession->IkeSaSession->Pad->Data->AuthData, - ChildSaSession->IkeSaSession->Pad->Data->AuthDataSize - ); - if (IkeSaSession->SessionCommon.UdpService->IpVersion == IP_VERSION_4) { - CpPayload = Ikev2GenerateCpPayload ( - ChildSaSession->IkeSaSession, - IKEV2_PAYLOAD_TYPE_SA, - IKEV2_CFG_ATTR_INTERNAL_IP4_ADDRESS - ); - } else { - CpPayload = Ikev2GenerateCpPayload ( - ChildSaSession->IkeSaSession, - IKEV2_PAYLOAD_TYPE_SA, - IKEV2_CFG_ATTR_INTERNAL_IP6_ADDRESS - ); - } - - if (CpPayload == NULL) { - goto CheckError; - } - } - - if (AuthPayload == NULL) { - goto CheckError; - } - - // - // 5. Generate SA Payload according to the Sa Data in ChildSaSession - // - SaPayload = Ikev2GenerateSaPayload ( - ChildSaSession->SaData, - IKEV2_PAYLOAD_TYPE_TS_INIT, - IkeSessionTypeChildSa - ); - if (SaPayload == NULL) { - goto CheckError; - } - - if (IkeSaSession->Spd->Data->ProcessingPolicy->Mode == EfiIPsecTransport) { - // - // Generate Tsi and Tsr. - // - TsiPayload = Ikev2GenerateTsPayload ( - ChildSaSession, - IKEV2_PAYLOAD_TYPE_TS_RSP, - FALSE - ); - - TsrPayload = Ikev2GenerateTsPayload ( - ChildSaSession, - IKEV2_PAYLOAD_TYPE_NOTIFY, - FALSE - ); - - // - // Generate Notify Payload. If transport mode, there should have Notify - // payload with TRANSPORT_MODE notification. - // - NotifyPayload = Ikev2GenerateNotifyPayload ( - 0, - IKEV2_PAYLOAD_TYPE_NONE, - 0, - IKEV2_NOTIFICATION_USE_TRANSPORT_MODE, - NULL, - NULL, - 0 - ); - if (NotifyPayload == NULL) { - goto CheckError; - } - } else { - // - // Generate Tsr for Tunnel mode. - // - TsiPayload = Ikev2GenerateTsPayload ( - ChildSaSession, - IKEV2_PAYLOAD_TYPE_TS_RSP, - TRUE - ); - TsrPayload = Ikev2GenerateTsPayload ( - ChildSaSession, - IKEV2_PAYLOAD_TYPE_NONE, - FALSE - ); - } - - if (TsiPayload == NULL || TsrPayload == NULL) { - goto CheckError; - } - - IKE_PACKET_APPEND_PAYLOAD (IkePacket, IdPayload); - IKE_PACKET_APPEND_PAYLOAD (IkePacket, CertPayload); - if (IkeSaSession->SessionCommon.IsInitiator) { - IKE_PACKET_APPEND_PAYLOAD (IkePacket, CertReqPayload); - } - IKE_PACKET_APPEND_PAYLOAD (IkePacket, AuthPayload); - if (IkeSaSession->Spd->Data->ProcessingPolicy->Mode == EfiIPsecTunnel) { - IKE_PACKET_APPEND_PAYLOAD (IkePacket, CpPayload); - } - IKE_PACKET_APPEND_PAYLOAD (IkePacket, SaPayload); - IKE_PACKET_APPEND_PAYLOAD (IkePacket, TsiPayload); - IKE_PACKET_APPEND_PAYLOAD (IkePacket, TsrPayload); - if (IkeSaSession->Spd->Data->ProcessingPolicy->Mode == EfiIPsecTransport) { - IKE_PACKET_APPEND_PAYLOAD (IkePacket, NotifyPayload); - } - - return IkePacket; - -CheckError: - if (IkePacket != NULL) { - IkePacketFree (IkePacket); - } - - if (IdPayload != NULL) { - IkePayloadFree (IdPayload); - } - - if (CertPayload != NULL) { - IkePayloadFree (CertPayload); - } - - if (CertReqPayload != NULL) { - IkePayloadFree (CertReqPayload); - } - - if (AuthPayload != NULL) { - IkePayloadFree (AuthPayload); - } - - if (CpPayload != NULL) { - IkePayloadFree (CpPayload); - } - - if (SaPayload != NULL) { - IkePayloadFree (SaPayload); - } - - if (TsiPayload != NULL) { - IkePayloadFree (TsiPayload); - } - - if (TsrPayload != NULL) { - IkePayloadFree (TsrPayload); - } - - if (NotifyPayload != NULL) { - IkePayloadFree (NotifyPayload); - } - - return NULL; -} - -/** - Parses IKE_AUTH packet. - - @param[in] SaSession Pointer to the IKE_SA_SESSION related to this packet. - @param[in] IkePacket Pointer to the IKE_AUTH packet to be parsered. - - @retval EFI_INVALID_PARAMETER The IKEv2 packet is malformed or the SA - proposal is unacceptable. - @retval EFI_SUCCESS The IKE packet is acceptable and the - relative data is saved for furthure communication. - @retval EFI_UNSUPPORTED The certificate authentication is not supported. - -**/ -EFI_STATUS -Ikev2AuthCertParser ( - IN UINT8 *SaSession, - IN IKE_PACKET *IkePacket - ) -{ - IKEV2_CHILD_SA_SESSION *ChildSaSession; - IKEV2_SA_SESSION *IkeSaSession; - IKE_PAYLOAD *IkePayload; - IKE_PAYLOAD *SaPayload; - IKE_PAYLOAD *IdiPayload; - IKE_PAYLOAD *IdrPayload; - IKE_PAYLOAD *AuthPayload; - IKE_PAYLOAD *TsiPayload; - IKE_PAYLOAD *TsrPayload; - IKE_PAYLOAD *CertPayload; - IKE_PAYLOAD *VerifiedAuthPayload; - LIST_ENTRY *Entry; - EFI_STATUS Status; - - if (!FeaturePcdGet (PcdIpsecCertificateEnabled)) { - return EFI_UNSUPPORTED; - } - - IkeSaSession = (IKEV2_SA_SESSION *) SaSession; - ChildSaSession = IKEV2_CHILD_SA_SESSION_BY_IKE_SA (GetFirstNode (&IkeSaSession->ChildSaSessionList)); - - SaPayload = NULL; - IdiPayload = NULL; - IdrPayload = NULL; - AuthPayload = NULL; - TsiPayload = NULL; - TsrPayload = NULL; - CertPayload = NULL; - VerifiedAuthPayload = NULL; - Status = EFI_INVALID_PARAMETER; - - // - // Iterate payloads to find the SaPayload/ID/AUTH/TS Payload. - // - NET_LIST_FOR_EACH (Entry, &(IkePacket)->PayloadList) { - IkePayload = IKE_PAYLOAD_BY_PACKET (Entry); - - if (IkePayload->PayloadType == IKEV2_PAYLOAD_TYPE_ID_INIT) { - IdiPayload = IkePayload; - } - if (IkePayload->PayloadType == IKEV2_PAYLOAD_TYPE_ID_RSP) { - IdrPayload = IkePayload; - } - - if (IkePayload->PayloadType == IKEV2_PAYLOAD_TYPE_SA) { - SaPayload = IkePayload; - } - if (IkePayload->PayloadType == IKEV2_PAYLOAD_TYPE_AUTH) { - AuthPayload = IkePayload; - } - if (IkePayload->PayloadType == IKEV2_PAYLOAD_TYPE_TS_INIT) { - TsiPayload = IkePayload; - } - if (IkePayload->PayloadType == IKEV2_PAYLOAD_TYPE_TS_RSP) { - TsrPayload = IkePayload; - } - if (IkePayload->PayloadType == IKEV2_PAYLOAD_TYPE_CERT) { - CertPayload = IkePayload; - } - } - - if ((SaPayload == NULL) || (AuthPayload == NULL) || (TsiPayload == NULL) || - (TsrPayload == NULL) || (CertPayload == NULL)) { - goto Exit; - } - if ((IdiPayload == NULL) && (IdrPayload == NULL)) { - goto Exit; - } - - // - // Check IkePacket Header is match the state - // - if (IkeSaSession->SessionCommon.IsInitiator) { - - // - // 1. Check the IkePacket->Hdr == IKE_HEADER_FLAGS_RESPOND - // - if ((IkePacket->Header->Flags != IKE_HEADER_FLAGS_RESPOND) || - (IkePacket->Header->ExchangeType != IKEV2_EXCHANGE_TYPE_AUTH)) { - goto Exit; - } - } else { - // - // 1. Check the IkePacket->Hdr == IKE_HEADER_FLAGS_INIT - // - if ((IkePacket->Header->Flags != IKE_HEADER_FLAGS_INIT) || - (IkePacket->Header->ExchangeType != IKEV2_EXCHANGE_TYPE_AUTH)) { - goto Exit; - } - } - - // - // Verify the Auth Payload. - // - VerifiedAuthPayload = Ikev2CertGenerateAuthPayload ( - IkeSaSession, - IkeSaSession->SessionCommon.IsInitiator ? IdrPayload:IdiPayload, - IKEV2_PAYLOAD_TYPE_SA, - TRUE, - NULL, - 0, - NULL, - 0 - ); - - if ((VerifiedAuthPayload != NULL) && - (!IpSecCryptoIoVerifySignDataByCertificate ( - CertPayload->PayloadBuf + sizeof (IKEV2_CERT), - CertPayload->PayloadSize - sizeof (IKEV2_CERT), - (UINT8 *)PcdGetPtr (PcdIpsecUefiCaFile), - PcdGet32 (PcdIpsecUefiCaFileSize), - VerifiedAuthPayload->PayloadBuf + sizeof (IKEV2_AUTH), - VerifiedAuthPayload->PayloadSize - sizeof (IKEV2_AUTH), - AuthPayload->PayloadBuf + sizeof (IKEV2_AUTH), - AuthPayload->PayloadSize - sizeof (IKEV2_AUTH) - ))) { - goto Exit; - } - - // - // 3. Parse the SA Payload to find out the cryptographic suite - // and fill in the SA paramse into CommonSession->SaParams. If no acceptable - // porposal found, return EFI_INVALID_PARAMETER. - // - if (!Ikev2ChildSaParseSaPayload (ChildSaSession, SaPayload, IkePacket->Header->Flags)) { - goto Exit; - } - - // - // 4. Parse TSi, TSr payloads. - // - if ((((TRAFFIC_SELECTOR *)(TsiPayload->PayloadBuf + sizeof (IKEV2_TS)))->IpProtocolId != - ((TRAFFIC_SELECTOR *)(TsrPayload->PayloadBuf + sizeof (IKEV2_TS)))->IpProtocolId) && - (((TRAFFIC_SELECTOR *)(TsiPayload->PayloadBuf + sizeof (IKEV2_TS)))->IpProtocolId != 0) && - (((TRAFFIC_SELECTOR *)(TsrPayload->PayloadBuf + sizeof (IKEV2_TS)))->IpProtocolId != 0) - ) { - goto Exit; - } - - if (!IkeSaSession->SessionCommon.IsInitiator) { - // - //Todo:check the Port range. Only support any port and one certain port here. - // - ChildSaSession->ProtoId = ((TRAFFIC_SELECTOR *)(TsrPayload->PayloadBuf + sizeof (IKEV2_TS)))->IpProtocolId; - ChildSaSession->LocalPort = ((TRAFFIC_SELECTOR *)(TsrPayload->PayloadBuf + sizeof (IKEV2_TS)))->StartPort; - ChildSaSession->RemotePort = ((TRAFFIC_SELECTOR *)(TsiPayload->PayloadBuf + sizeof (IKEV2_TS)))->StartPort; - // - // Association a SPD with this SA. - // - if (EFI_ERROR (Ikev2ChildSaAssociateSpdEntry (ChildSaSession))) { - goto Exit; - } - // - // Associate the IkeSaSession's SPD to the first ChildSaSession's SPD. - // - if (ChildSaSession->IkeSaSession->Spd == NULL) { - ChildSaSession->IkeSaSession->Spd = ChildSaSession->Spd; - Status = Ikev2ChildSaSessionSpdSelectorCreate (ChildSaSession); - if (EFI_ERROR (Status)) { - goto Exit; - } - } - } else { - // - // Todo:check the Port range. - // - if ((((TRAFFIC_SELECTOR *)(TsrPayload->PayloadBuf + sizeof (IKEV2_TS)))->StartPort != 0) && - (((TRAFFIC_SELECTOR *)(TsrPayload->PayloadBuf + sizeof (IKEV2_TS)))->StartPort != ChildSaSession->RemotePort) - ) { - goto Exit; - } - if ((((TRAFFIC_SELECTOR *)(TsiPayload->PayloadBuf + sizeof (IKEV2_TS)))->StartPort != 0) && - (((TRAFFIC_SELECTOR *)(TsiPayload->PayloadBuf + sizeof (IKEV2_TS)))->StartPort != ChildSaSession->LocalPort) - ) { - goto Exit; - } - // - // For the tunnel mode, it should add the vitual IP address into the SA's SPD Selector. - // - if (ChildSaSession->Spd->Data->ProcessingPolicy->Mode == EfiIPsecTunnel) { - if (!ChildSaSession->IkeSaSession->SessionCommon.IsInitiator) { - // - // If it is tunnel mode, the UEFI part must be the initiator. - // - goto Exit; - } - // - // Get the Virtual IP address from the Tsi traffic selector. - // TODO: check the CFG reply payload - // - CopyMem ( - &ChildSaSession->SpdSelector->LocalAddress[0].Address, - TsiPayload->PayloadBuf + sizeof (IKEV2_TS) + sizeof (TRAFFIC_SELECTOR), - (ChildSaSession->SessionCommon.UdpService->IpVersion == IP_VERSION_4) ? - sizeof (EFI_IPv4_ADDRESS) : sizeof (EFI_IPv6_ADDRESS) - ); - } - } - - // - // 5. Generat keymats for IPsec protocol. - // - Status = Ikev2GenerateChildSaKeys (ChildSaSession, NULL); - if (EFI_ERROR (Status)) { - goto Exit; - } - - if (IkeSaSession->SessionCommon.IsInitiator) { - // - // 6. Change the state of IkeSaSession - // - IKEV2_DUMP_STATE (IkeSaSession->SessionCommon.State, IkeStateIkeSaEstablished); - IkeSaSession->SessionCommon.State = IkeStateIkeSaEstablished; - } - - Status = EFI_SUCCESS; - -Exit: - if (VerifiedAuthPayload != NULL) { - IkePayloadFree (VerifiedAuthPayload); - } - return Status; -} - -/** - Generates the DH Public Key. - - This generates the DH local public key and store it in the IKE SA Session's GxBuffer. - - @param[in] IkeSaSession Pointer to related IKE SA Session. - - @retval EFI_SUCCESS The operation succeeded. - @retval Others The operation failed. - -**/ -EFI_STATUS -Ikev2GenerateSaDhPublicKey ( - IN IKEV2_SA_SESSION *IkeSaSession - ) -{ - EFI_STATUS Status; - IKEV2_SESSION_KEYS *IkeKeys; - - IkeSaSession->IkeKeys = AllocateZeroPool (sizeof (IKEV2_SESSION_KEYS)); - if (IkeSaSession->IkeKeys == NULL) { - return EFI_OUT_OF_RESOURCES; - } - - IkeKeys = IkeSaSession->IkeKeys; - IkeKeys->DhBuffer = AllocateZeroPool (sizeof (IKEV2_DH_BUFFER)); - if (IkeKeys->DhBuffer == NULL) { - FreePool (IkeSaSession->IkeKeys); - return EFI_OUT_OF_RESOURCES; - } - - // - // Init DH with the certain DH Group Description. - // - IkeKeys->DhBuffer->GxSize = OakleyModpGroup[(UINT8)IkeSaSession->SessionCommon.PreferDhGroup].Size >> 3; - IkeKeys->DhBuffer->GxBuffer = AllocateZeroPool (IkeKeys->DhBuffer->GxSize); - if (IkeKeys->DhBuffer->GxBuffer == NULL) { - FreePool (IkeKeys->DhBuffer); - FreePool (IkeSaSession->IkeKeys); - return EFI_OUT_OF_RESOURCES; - } - - // - // Get X PublicKey - // - Status = IpSecCryptoIoDhGetPublicKey ( - &IkeKeys->DhBuffer->DhContext, - OakleyModpGroup[(UINT8)IkeSaSession->SessionCommon.PreferDhGroup].GroupGenerator, - OakleyModpGroup[(UINT8)IkeSaSession->SessionCommon.PreferDhGroup].Size, - OakleyModpGroup[(UINT8)IkeSaSession->SessionCommon.PreferDhGroup].Modulus, - IkeKeys->DhBuffer->GxBuffer, - &IkeKeys->DhBuffer->GxSize - ); - if (EFI_ERROR (Status)) { - DEBUG ((DEBUG_ERROR, "Error CPLKeyManGetKeyParam X public key error Status = %r\n", Status)); - - FreePool (IkeKeys->DhBuffer->GxBuffer); - - FreePool (IkeKeys->DhBuffer); - - FreePool (IkeSaSession->IkeKeys); - - return Status; - } - - IPSEC_DUMP_BUF ("DH Public Key (g^x) Dump", IkeKeys->DhBuffer->GxBuffer, IkeKeys->DhBuffer->GxSize); - - return EFI_SUCCESS; -} - -/** - Computes the DH Shared/Exchange Key. - - Given peer's public key, this function computes the exchanged common key and - stores it in the IKEv2 SA Session's GxyBuffer. - - @param[in] DhBuffer Pointer to buffer of peer's puliic key. - @param[in] KePayload Pointer to received key payload. - - @retval EFI_SUCCESS The operation succeeded. - @retval Otherwise The operation failed. - -**/ -EFI_STATUS -Ikev2GenerateSaDhComputeKey ( - IN IKEV2_DH_BUFFER *DhBuffer, - IN IKE_PAYLOAD *KePayload - ) -{ - EFI_STATUS Status; - IKEV2_KEY_EXCHANGE *Ke; - UINT8 *PubKey; - UINTN PubKeySize; - - Ke = (IKEV2_KEY_EXCHANGE *) KePayload->PayloadBuf; - PubKey = (UINT8 *) (Ke + 1); - PubKeySize = KePayload->PayloadSize - sizeof (IKEV2_KEY_EXCHANGE); - DhBuffer->GxySize = DhBuffer->GxSize; - DhBuffer->GxyBuffer = AllocateZeroPool (DhBuffer->GxySize); - if (DhBuffer->GxyBuffer == NULL) { - return EFI_OUT_OF_RESOURCES; - } - - // - // Get GxyBuf - // - Status = IpSecCryptoIoDhComputeKey ( - DhBuffer->DhContext, - PubKey, - PubKeySize, - DhBuffer->GxyBuffer, - &DhBuffer->GxySize - ); - if (EFI_ERROR (Status)) { - DEBUG ((DEBUG_ERROR, "Error CPLKeyManGetKeyParam Y session key error Status = %r\n", Status)); - - FreePool (DhBuffer->GxyBuffer); - - return Status; - } - - // - // Create GxyBuf. - // - DhBuffer->GySize = PubKeySize; - DhBuffer->GyBuffer = AllocateZeroPool (DhBuffer->GySize); - if (DhBuffer->GyBuffer == NULL) { - FreePool (DhBuffer->GxyBuffer); - - return Status; - } - - CopyMem (DhBuffer->GyBuffer, PubKey, DhBuffer->GySize); - - IPSEC_DUMP_BUF ("DH Public Key (g^y) Dump", DhBuffer->GyBuffer, DhBuffer->GySize); - IPSEC_DUMP_BUF ("DH Shared Key (g^xy) Dump", DhBuffer->GxyBuffer, DhBuffer->GxySize); - - return EFI_SUCCESS; -} - -/** - Generates the IKE SKEYSEED and seven other secrets. SK_d, SK_ai, SK_ar, SK_ei, SK_er, - SK_pi, SK_pr are keys for the furthure IKE exchange. - - @param[in] IkeSaSession Pointer to IKE SA Session. - @param[in] KePayload Pointer to Key payload used to generate the Key. - - @retval EFI_UNSUPPORTED If one or more Algorithm Id is not supported. - @retval EFI_OUT_OF_RESOURCES If there is no enough resource to be allocated to - meet the requirement. - @retval EFI_SUCCESS The operation succeeded. - -**/ -EFI_STATUS -Ikev2GenerateSaKeys ( - IN IKEV2_SA_SESSION *IkeSaSession, - IN IKE_PAYLOAD *KePayload - ) -{ - EFI_STATUS Status; - IKEV2_SA_PARAMS *SaParams; - PRF_DATA_FRAGMENT Fragments[4]; - UINT64 InitiatorCookieNet; - UINT64 ResponderCookieNet; - UINT8 *KeyBuffer; - UINTN KeyBufferSize; - UINTN AuthAlgKeyLen; - UINTN EncryptAlgKeyLen; - UINTN IntegrityAlgKeyLen; - UINTN PrfAlgKeyLen; - UINT8 *OutputKey; - UINTN OutputKeyLength; - UINT8 *Digest; - UINTN DigestSize; - - Digest = NULL; - OutputKey = NULL; - KeyBuffer = NULL; - Status = EFI_SUCCESS; - - // - // Generate Gxy - // - Status = Ikev2GenerateSaDhComputeKey (IkeSaSession->IkeKeys->DhBuffer, KePayload); - if (EFI_ERROR (Status)) { - goto Exit; - } - - // - // Get the key length of Authenticaion, Encryption, PRF, and Integrity. - // - SaParams = IkeSaSession->SessionCommon.SaParams; - AuthAlgKeyLen = IpSecGetHmacDigestLength ((UINT8)SaParams->Prf); - EncryptAlgKeyLen = IpSecGetEncryptKeyLength ((UINT8)SaParams->EncAlgId); - IntegrityAlgKeyLen = IpSecGetHmacDigestLength ((UINT8)SaParams->IntegAlgId); - PrfAlgKeyLen = IpSecGetHmacDigestLength ((UINT8)SaParams->Prf); - - // - // If one or more algorithm is not support, return EFI_UNSUPPORTED. - // - if (AuthAlgKeyLen == 0 || - EncryptAlgKeyLen == 0 || - IntegrityAlgKeyLen == 0 || - PrfAlgKeyLen == 0 - ) { - Status = EFI_UNSUPPORTED; - goto Exit; - } - - // - // Compute SKEYSEED = prf(Ni | Nr, g^ir) - // - KeyBufferSize = IkeSaSession->NiBlkSize + IkeSaSession->NrBlkSize; - KeyBuffer = AllocateZeroPool (KeyBufferSize); - if (KeyBuffer == NULL) { - Status = EFI_OUT_OF_RESOURCES; - goto Exit; - } - - CopyMem (KeyBuffer, IkeSaSession->NiBlock, IkeSaSession->NiBlkSize); - CopyMem (KeyBuffer + IkeSaSession->NiBlkSize, IkeSaSession->NrBlock, IkeSaSession->NrBlkSize); - - Fragments[0].Data = IkeSaSession->IkeKeys->DhBuffer->GxyBuffer; - Fragments[0].DataSize = IkeSaSession->IkeKeys->DhBuffer->GxySize; - - DigestSize = IpSecGetHmacDigestLength ((UINT8)SaParams->Prf); - Digest = AllocateZeroPool (DigestSize); - - if (Digest == NULL) { - Status = EFI_OUT_OF_RESOURCES; - goto Exit; - } - - IpSecCryptoIoHmac ( - (UINT8)SaParams->Prf, - KeyBuffer, - KeyBufferSize, - (HASH_DATA_FRAGMENT *) Fragments, - 1, - Digest, - DigestSize - ); - - // - // {SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr } = prf+ - // (SKEYSEED, Ni | Nr | SPIi | SPIr ) - // - Fragments[0].Data = IkeSaSession->NiBlock; - Fragments[0].DataSize = IkeSaSession->NiBlkSize; - Fragments[1].Data = IkeSaSession->NrBlock; - Fragments[1].DataSize = IkeSaSession->NrBlkSize; - InitiatorCookieNet = HTONLL (IkeSaSession->InitiatorCookie); - ResponderCookieNet = HTONLL (IkeSaSession->ResponderCookie); - Fragments[2].Data = (UINT8 *)(&InitiatorCookieNet); - Fragments[2].DataSize = sizeof (IkeSaSession->InitiatorCookie); - Fragments[3].Data = (UINT8 *)(&ResponderCookieNet); - Fragments[3].DataSize = sizeof (IkeSaSession->ResponderCookie); - - IPSEC_DUMP_BUF (">>> NiBlock", IkeSaSession->NiBlock, IkeSaSession->NiBlkSize); - IPSEC_DUMP_BUF (">>> NrBlock", IkeSaSession->NrBlock, IkeSaSession->NrBlkSize); - IPSEC_DUMP_BUF (">>> InitiatorCookie", (UINT8 *)&IkeSaSession->InitiatorCookie, sizeof(UINT64)); - IPSEC_DUMP_BUF (">>> ResponderCookie", (UINT8 *)&IkeSaSession->ResponderCookie, sizeof(UINT64)); - - OutputKeyLength = PrfAlgKeyLen + - 2 * EncryptAlgKeyLen + - 2 * AuthAlgKeyLen + - 2 * IntegrityAlgKeyLen; - OutputKey = AllocateZeroPool (OutputKeyLength); - if (OutputKey == NULL) { - Status = EFI_OUT_OF_RESOURCES; - goto Exit; - } - - // - // Generate Seven Keymates. - // - Status = Ikev2SaGenerateKey ( - (UINT8)SaParams->Prf, - Digest, - DigestSize, - OutputKey, - OutputKeyLength, - Fragments, - 4 - ); - if (EFI_ERROR(Status)) { - goto Exit; - } - - // - // Save the seven keys into KeySession. - // First, SK_d - // - IkeSaSession->IkeKeys->SkdKey = AllocateZeroPool (PrfAlgKeyLen); - if (IkeSaSession->IkeKeys->SkdKey == NULL) { - Status = EFI_OUT_OF_RESOURCES; - goto Exit; - } - IkeSaSession->IkeKeys->SkdKeySize = PrfAlgKeyLen; - CopyMem (IkeSaSession->IkeKeys->SkdKey, OutputKey, PrfAlgKeyLen); - - IPSEC_DUMP_BUF (">>> SK_D Key", IkeSaSession->IkeKeys->SkdKey, PrfAlgKeyLen); - - // - // Second, Sk_ai - // - IkeSaSession->IkeKeys->SkAiKey = AllocateZeroPool (IntegrityAlgKeyLen); - if (IkeSaSession->IkeKeys->SkAiKey == NULL) { - Status = EFI_OUT_OF_RESOURCES; - goto Exit; - } - IkeSaSession->IkeKeys->SkAiKeySize = IntegrityAlgKeyLen; - CopyMem (IkeSaSession->IkeKeys->SkAiKey, OutputKey + PrfAlgKeyLen, IntegrityAlgKeyLen); - - IPSEC_DUMP_BUF (">>> SK_Ai Key", IkeSaSession->IkeKeys->SkAiKey, IkeSaSession->IkeKeys->SkAiKeySize); - - // - // Third, Sk_ar - // - IkeSaSession->IkeKeys->SkArKey = AllocateZeroPool (IntegrityAlgKeyLen); - if (IkeSaSession->IkeKeys->SkArKey == NULL) { - Status = EFI_OUT_OF_RESOURCES; - goto Exit; - } - IkeSaSession->IkeKeys->SkArKeySize = IntegrityAlgKeyLen; - CopyMem ( - IkeSaSession->IkeKeys->SkArKey, - OutputKey + PrfAlgKeyLen + IntegrityAlgKeyLen, - IntegrityAlgKeyLen - ); - - IPSEC_DUMP_BUF (">>> SK_Ar Key", IkeSaSession->IkeKeys->SkArKey, IkeSaSession->IkeKeys->SkArKeySize); - - // - // Fourth, Sk_ei - // - IkeSaSession->IkeKeys->SkEiKey = AllocateZeroPool (EncryptAlgKeyLen); - if (IkeSaSession->IkeKeys->SkEiKey == NULL) { - Status = EFI_OUT_OF_RESOURCES; - goto Exit; - } - IkeSaSession->IkeKeys->SkEiKeySize = EncryptAlgKeyLen; - - CopyMem ( - IkeSaSession->IkeKeys->SkEiKey, - OutputKey + AuthAlgKeyLen + 2 * IntegrityAlgKeyLen, - EncryptAlgKeyLen - ); - IPSEC_DUMP_BUF ( - ">>> SK_Ei Key", - OutputKey + AuthAlgKeyLen + 2 * IntegrityAlgKeyLen, - EncryptAlgKeyLen - ); - - // - // Fifth, Sk_er - // - IkeSaSession->IkeKeys->SkErKey = AllocateZeroPool (EncryptAlgKeyLen); - if (IkeSaSession->IkeKeys->SkErKey == NULL) { - Status = EFI_OUT_OF_RESOURCES; - goto Exit; - } - IkeSaSession->IkeKeys->SkErKeySize = EncryptAlgKeyLen; - - CopyMem ( - IkeSaSession->IkeKeys->SkErKey, - OutputKey + AuthAlgKeyLen + 2 * IntegrityAlgKeyLen + EncryptAlgKeyLen, - EncryptAlgKeyLen - ); - IPSEC_DUMP_BUF ( - ">>> SK_Er Key", - OutputKey + AuthAlgKeyLen + 2 * IntegrityAlgKeyLen + EncryptAlgKeyLen, - EncryptAlgKeyLen - ); - - // - // Sixth, Sk_pi - // - IkeSaSession->IkeKeys->SkPiKey = AllocateZeroPool (AuthAlgKeyLen); - if (IkeSaSession->IkeKeys->SkPiKey == NULL) { - Status = EFI_OUT_OF_RESOURCES; - goto Exit; - } - IkeSaSession->IkeKeys->SkPiKeySize = AuthAlgKeyLen; - - CopyMem ( - IkeSaSession->IkeKeys->SkPiKey, - OutputKey + AuthAlgKeyLen + 2 * IntegrityAlgKeyLen + 2 * EncryptAlgKeyLen, - AuthAlgKeyLen - ); - IPSEC_DUMP_BUF ( - ">>> SK_Pi Key", - OutputKey + AuthAlgKeyLen + 2 * IntegrityAlgKeyLen + 2 * EncryptAlgKeyLen, - AuthAlgKeyLen - ); - - // - // Seventh, Sk_pr - // - IkeSaSession->IkeKeys->SkPrKey = AllocateZeroPool (AuthAlgKeyLen); - if (IkeSaSession->IkeKeys->SkPrKey == NULL) { - Status = EFI_OUT_OF_RESOURCES; - goto Exit; - } - IkeSaSession->IkeKeys->SkPrKeySize = AuthAlgKeyLen; - - CopyMem ( - IkeSaSession->IkeKeys->SkPrKey, - OutputKey + AuthAlgKeyLen + 2 * IntegrityAlgKeyLen + 2 * EncryptAlgKeyLen + AuthAlgKeyLen, - AuthAlgKeyLen - ); - IPSEC_DUMP_BUF ( - ">>> SK_Pr Key", - OutputKey + AuthAlgKeyLen + 2 * IntegrityAlgKeyLen + 2 * EncryptAlgKeyLen + AuthAlgKeyLen, - AuthAlgKeyLen - ); - - -Exit: - if (Digest != NULL) { - FreePool (Digest); - } - if (KeyBuffer != NULL) { - FreePool (KeyBuffer); - } - if (OutputKey != NULL) { - FreePool (OutputKey); - } - - if (EFI_ERROR(Status)) { - if (IkeSaSession->IkeKeys->SkdKey != NULL) { - FreePool (IkeSaSession->IkeKeys->SkdKey); - } - if (IkeSaSession->IkeKeys->SkAiKey != NULL) { - FreePool (IkeSaSession->IkeKeys->SkAiKey); - } - if (IkeSaSession->IkeKeys->SkArKey != NULL) { - FreePool (IkeSaSession->IkeKeys->SkArKey); - } - if (IkeSaSession->IkeKeys->SkEiKey != NULL) { - FreePool (IkeSaSession->IkeKeys->SkEiKey); - } - if (IkeSaSession->IkeKeys->SkErKey != NULL) { - FreePool (IkeSaSession->IkeKeys->SkErKey); - } - if (IkeSaSession->IkeKeys->SkPiKey != NULL) { - FreePool (IkeSaSession->IkeKeys->SkPiKey); - } - if (IkeSaSession->IkeKeys->SkPrKey != NULL) { - FreePool (IkeSaSession->IkeKeys->SkPrKey); - } - } - - - return Status; -} - -/** - Generates the Keys for the furthure IPsec Protocol. - - @param[in] ChildSaSession Pointer to IKE Child SA Session. - @param[in] KePayload Pointer to Key payload used to generate the Key. - - @retval EFI_UNSUPPORTED If one or more Algorithm Id is not supported. - @retval EFI_SUCCESS The operation succeeded. - -**/ -EFI_STATUS -Ikev2GenerateChildSaKeys ( - IN IKEV2_CHILD_SA_SESSION *ChildSaSession, - IN IKE_PAYLOAD *KePayload - ) -{ - EFI_STATUS Status; - IKEV2_SA_PARAMS *SaParams; - PRF_DATA_FRAGMENT Fragments[3]; - UINTN EncryptAlgKeyLen; - UINTN IntegrityAlgKeyLen; - UINT8* OutputKey; - UINTN OutputKeyLength; - - Status = EFI_SUCCESS; - OutputKey = NULL; - - if (KePayload != NULL) { - // - // Generate Gxy - // - Status = Ikev2GenerateSaDhComputeKey (ChildSaSession->DhBuffer, KePayload); - if (EFI_ERROR (Status)) { - goto Exit; - } - - Fragments[0].Data = ChildSaSession->DhBuffer->GxyBuffer; - Fragments[0].DataSize = ChildSaSession->DhBuffer->GxySize; - } - - Fragments[1].Data = ChildSaSession->NiBlock; - Fragments[1].DataSize = ChildSaSession->NiBlkSize; - Fragments[2].Data = ChildSaSession->NrBlock; - Fragments[2].DataSize = ChildSaSession->NrBlkSize; - - // - // Get the key length of Authenticaion, Encryption, PRF, and Integrity. - // - SaParams = ChildSaSession->SessionCommon.SaParams; - EncryptAlgKeyLen = IpSecGetEncryptKeyLength ((UINT8)SaParams->EncAlgId); - IntegrityAlgKeyLen = IpSecGetHmacDigestLength ((UINT8)SaParams->IntegAlgId); - OutputKeyLength = 2 * EncryptAlgKeyLen + 2 * IntegrityAlgKeyLen; - - if ((EncryptAlgKeyLen == 0) || (IntegrityAlgKeyLen == 0)) { - Status = EFI_UNSUPPORTED; - goto Exit; - } - - // - // - // If KePayload is not NULL, calculate KEYMAT = prf+(SK_d, g^ir (new) | Ni | Nr ), - // otherwise, KEYMAT = prf+(SK_d, Ni | Nr ) - // - OutputKey = AllocateZeroPool (OutputKeyLength); - if (OutputKey == NULL) { - Status = EFI_OUT_OF_RESOURCES; - goto Exit; - } - - // - // Derive Key from the SkdKey Buffer. - // - Status = Ikev2SaGenerateKey ( - (UINT8)ChildSaSession->IkeSaSession->SessionCommon.SaParams->Prf, - ChildSaSession->IkeSaSession->IkeKeys->SkdKey, - ChildSaSession->IkeSaSession->IkeKeys->SkdKeySize, - OutputKey, - OutputKeyLength, - KePayload == NULL ? &Fragments[1] : Fragments, - KePayload == NULL ? 2 : 3 - ); - - if (EFI_ERROR (Status)) { - goto Exit; - } - - // - // Copy KEYMATE (SK_ENCRYPT_i | SK_ENCRYPT_r | SK_INTEG_i | SK_INTEG_r) to - // ChildKeyMates. - // - if (!ChildSaSession->SessionCommon.IsInitiator) { - - // - // Initiator Encryption Key - // - ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.EncAlgoId = (UINT8)SaParams->EncAlgId; - ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.EncKeyLength = EncryptAlgKeyLen; - ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.EncKey = AllocateZeroPool (EncryptAlgKeyLen); - if (ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.EncKey == NULL) { - Status = EFI_OUT_OF_RESOURCES; - goto Exit; - } - - CopyMem ( - ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.EncKey, - OutputKey, - EncryptAlgKeyLen - ); - - // - // Initiator Authentication Key - // - ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.AuthAlgoId = (UINT8)SaParams->IntegAlgId; - ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.AuthKeyLength = IntegrityAlgKeyLen; - ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.AuthKey = AllocateZeroPool (IntegrityAlgKeyLen); - if (ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.AuthKey == NULL) { - Status = EFI_OUT_OF_RESOURCES; - goto Exit; - } - - CopyMem ( - ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.AuthKey, - OutputKey + EncryptAlgKeyLen, - IntegrityAlgKeyLen - ); - - // - // Responder Encrypt Key - // - ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.EncAlgoId = (UINT8)SaParams->EncAlgId; - ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.EncKeyLength = EncryptAlgKeyLen; - ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.EncKey = AllocateZeroPool (EncryptAlgKeyLen); - if (ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.EncKey == NULL) { - Status = EFI_OUT_OF_RESOURCES; - goto Exit; - } - - CopyMem ( - ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.EncKey, - OutputKey + EncryptAlgKeyLen + IntegrityAlgKeyLen, - EncryptAlgKeyLen - ); - - // - // Responder Authentication Key - // - ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.AuthAlgoId = (UINT8)SaParams->IntegAlgId; - ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.AuthKeyLength = IntegrityAlgKeyLen; - ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.AuthKey = AllocateZeroPool (IntegrityAlgKeyLen); - if (ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.AuthKey == NULL) { - Status = EFI_OUT_OF_RESOURCES; - goto Exit; - } - - CopyMem ( - ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.AuthKey, - OutputKey + 2 * EncryptAlgKeyLen + IntegrityAlgKeyLen, - IntegrityAlgKeyLen - ); - } else { - // - // Initiator Encryption Key - // - ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.EncAlgoId = (UINT8)SaParams->EncAlgId; - ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.EncKeyLength = EncryptAlgKeyLen; - ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.EncKey = AllocateZeroPool (EncryptAlgKeyLen); - if (ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.EncKey == NULL) { - Status = EFI_OUT_OF_RESOURCES; - goto Exit; - } - - CopyMem ( - ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.EncKey, - OutputKey, - EncryptAlgKeyLen - ); - - // - // Initiator Authentication Key - // - ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.AuthAlgoId = (UINT8)SaParams->IntegAlgId; - ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.AuthKeyLength = IntegrityAlgKeyLen; - ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.AuthKey = AllocateZeroPool (IntegrityAlgKeyLen); - if (ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.AuthKey == NULL) { - Status = EFI_OUT_OF_RESOURCES; - goto Exit; - } - - CopyMem ( - ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.AuthKey, - OutputKey + EncryptAlgKeyLen, - IntegrityAlgKeyLen - ); - - // - // Responder Encryption Key - // - ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.EncAlgoId = (UINT8)SaParams->EncAlgId; - ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.EncKeyLength = EncryptAlgKeyLen; - ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.EncKey = AllocateZeroPool (EncryptAlgKeyLen); - if (ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.EncKey == NULL) { - Status = EFI_OUT_OF_RESOURCES; - goto Exit; - } - - CopyMem ( - ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.EncKey, - OutputKey + EncryptAlgKeyLen + IntegrityAlgKeyLen, - EncryptAlgKeyLen - ); - - // - // Responder Authentication Key - // - ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.AuthAlgoId = (UINT8)SaParams->IntegAlgId; - ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.AuthKeyLength = IntegrityAlgKeyLen; - ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.AuthKey = AllocateZeroPool (IntegrityAlgKeyLen); - if (ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.AuthKey == NULL) { - Status = EFI_OUT_OF_RESOURCES; - goto Exit; - } - - CopyMem ( - ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.AuthKey, - OutputKey + 2 * EncryptAlgKeyLen + IntegrityAlgKeyLen, - IntegrityAlgKeyLen - ); - } - - IPSEC_DUMP_BUF ( - " >>> Local Encryption Key", - ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.EncKey, - EncryptAlgKeyLen - ); - IPSEC_DUMP_BUF ( - " >>> Remote Encryption Key", - ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.EncKey, - EncryptAlgKeyLen - ); - IPSEC_DUMP_BUF ( - " >>> Local Authentication Key", - ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.AuthKey, - IntegrityAlgKeyLen - ); - IPSEC_DUMP_BUF ( - " >>> Remote Authentication Key", - ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.AuthKey, - IntegrityAlgKeyLen - ); - - - -Exit: - if (EFI_ERROR (Status)) { - if (ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.EncKey != NULL) { - FreePool (ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.EncKey); - } - if (ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.AuthKey != NULL) { - FreePool (ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.AuthKey); - } - if (ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.EncKey != NULL) { - FreePool (ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.EncKey); - } - if (ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.AuthKey != NULL) { - FreePool (ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.AuthKey); - } - } - - if (OutputKey != NULL) { - FreePool (OutputKey); - } - - return EFI_SUCCESS; -} - -GLOBAL_REMOVE_IF_UNREFERENCED IKEV2_PACKET_HANDLER mIkev2Initial[][2] = { - { //PSK - { // IKEV2_INIT - Ikev2InitPskParser, - Ikev2InitPskGenerator - }, - { //IKEV2_AUTH - Ikev2AuthPskParser, - Ikev2AuthPskGenerator - } - }, - { // CERT - { // IKEV2_INIT - Ikev2InitCertParser, - Ikev2InitCertGenerator - }, - { // IKEV2_AUTH - Ikev2AuthCertParser, - Ikev2AuthCertGenerator - }, - }, -}; -- cgit v1.2.3