From: "Wang Fan"
To: devel@edk2.groups.io
Cc: Fu Siyuan, Wu Jiaxin
Subject: [edk2-devel] [Patch] NetworkPkg: Remove IpSec driver and application
Date: Tue, 23 Apr 2019 11:16:50 +0800
Message-Id: <20190423031650.5716-1-fan.wang@intel.com>

* REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1577

The IpSec driver in NetworkPkg is not really used by platforms but has
security risks. So it is scheduled to be removed from edk2, along with the
IpSecConfig application.

Cc: Fu Siyuan
Cc: Wu Jiaxin
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Wang Fan --- NetworkPkg/Application/IpsecConfig/Delete.c | 104 - NetworkPkg/Application/IpsecConfig/Delete.h | 36 - NetworkPkg/Application/IpsecConfig/Dump.c | 573 ---- NetworkPkg/Application/IpsecConfig/Dump.h | 28 - NetworkPkg/Application/IpsecConfig/ForEach.c | 109 - NetworkPkg/Application/IpsecConfig/ForEach.h | 48 - NetworkPkg/Application/IpsecConfig/Helper.c | 414 --- NetworkPkg/Application/IpsecConfig/Helper.h | 137 - NetworkPkg/Application/IpsecConfig/Indexer.c | 249 -- NetworkPkg/Application/IpsecConfig/Indexer.h | 52 - NetworkPkg/Application/IpsecConfig/IpSecConfig.c | 806 ----- NetworkPkg/Application/IpsecConfig/IpSecConfig.h | 143 - NetworkPkg/Application/IpsecConfig/IpSecConfig.inf | 70 - NetworkPkg/Application/IpsecConfig/IpSecConfig.uni | 17 - .../Application/IpsecConfig/IpSecConfigExtra.uni | 14 - .../Application/IpsecConfig/IpSecConfigStrings.uni | 127 - NetworkPkg/Application/IpsecConfig/Match.c | 157 - NetworkPkg/Application/IpsecConfig/Match.h | 35 - .../Application/IpsecConfig/PolicyEntryOperation.c | 2070 ------------ .../Application/IpsecConfig/PolicyEntryOperation.h | 153 - NetworkPkg/IpSecDxe/ComponentName.c | 345 -- NetworkPkg/IpSecDxe/IetfConstants.c | 382 --- NetworkPkg/IpSecDxe/Ike.h | 260 -- NetworkPkg/IpSecDxe/IkeCommon.c | 324 -- NetworkPkg/IpSecDxe/IkeCommon.h | 189 -- NetworkPkg/IpSecDxe/IkePacket.c | 259 -- NetworkPkg/IpSecDxe/IkePacket.h | 76 - NetworkPkg/IpSecDxe/IkeService.c | 813 ----- NetworkPkg/IpSecDxe/IkeService.h | 256 -- NetworkPkg/IpSecDxe/Ikev2/ChildSa.c | 193 -- NetworkPkg/IpSecDxe/Ikev2/Exchange.c | 803 ----- NetworkPkg/IpSecDxe/Ikev2/Ikev2.h | 252 -- NetworkPkg/IpSecDxe/Ikev2/Info.c | 403 --- NetworkPkg/IpSecDxe/Ikev2/Payload.c | 3329 ----------------= ---- NetworkPkg/IpSecDxe/Ikev2/Payload.h | 437 --- NetworkPkg/IpSecDxe/Ikev2/Sa.c | 2255 ------------- NetworkPkg/IpSecDxe/Ikev2/Utility.c | 2738 ---------------- NetworkPkg/IpSecDxe/Ikev2/Utility.h | 1061 ------- NetworkPkg/IpSecDxe/IpSecConfigImpl.c | 
3156 ----------------= --- NetworkPkg/IpSecDxe/IpSecConfigImpl.h | 949 ------ NetworkPkg/IpSecDxe/IpSecCryptIo.c | 1015 ------ NetworkPkg/IpSecDxe/IpSecCryptIo.h | 821 ----- NetworkPkg/IpSecDxe/IpSecDebug.c | 328 -- NetworkPkg/IpSecDxe/IpSecDebug.h | 101 - NetworkPkg/IpSecDxe/IpSecDriver.c | 654 ---- NetworkPkg/IpSecDxe/IpSecDxe.inf | 104 - NetworkPkg/IpSecDxe/IpSecDxe.uni | 19 - NetworkPkg/IpSecDxe/IpSecDxeExtra.uni | 14 - NetworkPkg/IpSecDxe/IpSecImpl.c | 2178 ------------- NetworkPkg/IpSecDxe/IpSecImpl.h | 384 --- NetworkPkg/IpSecDxe/IpSecMain.c | 236 -- NetworkPkg/NetworkPkg.dec | 31 - NetworkPkg/NetworkPkg.dsc | 2 - 53 files changed, 29709 deletions(-) delete mode 100644 NetworkPkg/Application/IpsecConfig/Delete.c delete mode 100644 NetworkPkg/Application/IpsecConfig/Delete.h delete mode 100644 NetworkPkg/Application/IpsecConfig/Dump.c delete mode 100644 NetworkPkg/Application/IpsecConfig/Dump.h delete mode 100644 NetworkPkg/Application/IpsecConfig/ForEach.c delete mode 100644 NetworkPkg/Application/IpsecConfig/ForEach.h delete mode 100644 NetworkPkg/Application/IpsecConfig/Helper.c delete mode 100644 NetworkPkg/Application/IpsecConfig/Helper.h delete mode 100644 NetworkPkg/Application/IpsecConfig/Indexer.c delete mode 100644 NetworkPkg/Application/IpsecConfig/Indexer.h delete mode 100644 NetworkPkg/Application/IpsecConfig/IpSecConfig.c delete mode 100644 NetworkPkg/Application/IpsecConfig/IpSecConfig.h delete mode 100644 NetworkPkg/Application/IpsecConfig/IpSecConfig.inf delete mode 100644 NetworkPkg/Application/IpsecConfig/IpSecConfig.uni delete mode 100644 NetworkPkg/Application/IpsecConfig/IpSecConfigExtra.uni delete mode 100644 NetworkPkg/Application/IpsecConfig/IpSecConfigStrings.u= ni delete mode 100644 NetworkPkg/Application/IpsecConfig/Match.c delete mode 100644 NetworkPkg/Application/IpsecConfig/Match.h delete mode 100644 NetworkPkg/Application/IpsecConfig/PolicyEntryOperation= .c delete mode 100644 
NetworkPkg/Application/IpsecConfig/PolicyEntryOperation= .h delete mode 100644 NetworkPkg/IpSecDxe/ComponentName.c delete mode 100644 NetworkPkg/IpSecDxe/IetfConstants.c delete mode 100644 NetworkPkg/IpSecDxe/Ike.h delete mode 100644 NetworkPkg/IpSecDxe/IkeCommon.c delete mode 100644 NetworkPkg/IpSecDxe/IkeCommon.h delete mode 100644 NetworkPkg/IpSecDxe/IkePacket.c delete mode 100644 NetworkPkg/IpSecDxe/IkePacket.h delete mode 100644 NetworkPkg/IpSecDxe/IkeService.c delete mode 100644 NetworkPkg/IpSecDxe/IkeService.h delete mode 100644 NetworkPkg/IpSecDxe/Ikev2/ChildSa.c delete mode 100644 NetworkPkg/IpSecDxe/Ikev2/Exchange.c delete mode 100644 NetworkPkg/IpSecDxe/Ikev2/Ikev2.h delete mode 100644 NetworkPkg/IpSecDxe/Ikev2/Info.c delete mode 100644 NetworkPkg/IpSecDxe/Ikev2/Payload.c delete mode 100644 NetworkPkg/IpSecDxe/Ikev2/Payload.h delete mode 100644 NetworkPkg/IpSecDxe/Ikev2/Sa.c delete mode 100644 NetworkPkg/IpSecDxe/Ikev2/Utility.c delete mode 100644 NetworkPkg/IpSecDxe/Ikev2/Utility.h delete mode 100644 NetworkPkg/IpSecDxe/IpSecConfigImpl.c delete mode 100644 NetworkPkg/IpSecDxe/IpSecConfigImpl.h delete mode 100644 NetworkPkg/IpSecDxe/IpSecCryptIo.c delete mode 100644 NetworkPkg/IpSecDxe/IpSecCryptIo.h delete mode 100644 NetworkPkg/IpSecDxe/IpSecDebug.c delete mode 100644 NetworkPkg/IpSecDxe/IpSecDebug.h delete mode 100644 NetworkPkg/IpSecDxe/IpSecDriver.c delete mode 100644 NetworkPkg/IpSecDxe/IpSecDxe.inf delete mode 100644 NetworkPkg/IpSecDxe/IpSecDxe.uni delete mode 100644 NetworkPkg/IpSecDxe/IpSecDxeExtra.uni delete mode 100644 NetworkPkg/IpSecDxe/IpSecImpl.c delete mode 100644 NetworkPkg/IpSecDxe/IpSecImpl.h delete mode 100644 NetworkPkg/IpSecDxe/IpSecMain.c diff --git a/NetworkPkg/Application/IpsecConfig/Delete.c b/NetworkPkg/Appli= cation/IpsecConfig/Delete.c deleted file mode 100644 index cd37efdf49..0000000000 --- a/NetworkPkg/Application/IpsecConfig/Delete.c +++ /dev/null 
@@ -1,104 +0,0 @@ -/** @file - The implementation of delete policy entry function in IpSecConfig applic= ation. - - Copyright (c) 2009 - 2010, Intel Corporation. All rights reserved.
- - SPDX-License-Identifier: BSD-2-Clause-Patent - -**/ - -#include "IpSecConfig.h" -#include "Indexer.h" -#include "Delete.h" -#include "Match.h" -#include "ForEach.h" - -/** - Private function to delete entry information in database. - - @param[in] Selector The pointer to EFI_IPSEC_CONFIG_SELECTOR structur= e. - @param[in] Data The pointer to Data. - @param[in] Context The pointer to DELETE_POLICY_ENTRY_CONTEXT. - - @retval EFI_ABORTED Abort the iteration. - @retval EFI_SUCCESS Continue the iteration. -**/ -EFI_STATUS -DeletePolicyEntry ( - IN EFI_IPSEC_CONFIG_SELECTOR *Selector, - IN VOID *Data, - IN DELETE_POLICY_ENTRY_CONTEXT *Context - ) -{ - if (mMatchPolicyEntry[Context->DataType] (Selector, Data, &Context->Inde= xer)) { - Context->Status =3D mIpSecConfig->SetData ( - mIpSecConfig, - Context->DataType, - Selector, - NULL, - NULL - ); - // - // Abort the iteration after the insertion. - // - return EFI_ABORTED; - } - - return EFI_SUCCESS; -} - -/** - Flush or delete entry information in the database according to datatype. - - @param[in] DataType The value of EFI_IPSEC_CONFIG_DATA_TYPE. - @param[in] ParamPackage The pointer to the ParamPackage list. - - @retval EFI_SUCCESS Delete entry information successfully. - @retval EFI_NOT_FOUND Can't find the specified entry. - @retval Others Some mistaken case. -**/ -EFI_STATUS -FlushOrDeletePolicyEntry ( - IN EFI_IPSEC_CONFIG_DATA_TYPE DataType, - IN LIST_ENTRY *ParamPackage - ) -{ - EFI_STATUS Status; - DELETE_POLICY_ENTRY_CONTEXT Context; - CONST CHAR16 *ValueStr; - - // - // If user wants to remove all. 
- // - if (ShellCommandLineGetFlag (ParamPackage, L"-f")) { - Status =3D mIpSecConfig->SetData ( - mIpSecConfig, - DataType, - NULL, - NULL, - NULL - ); - } else { - ValueStr =3D ShellCommandLineGetValue (ParamPackage, L"-d"); - if (ValueStr =3D=3D NULL) { - ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_INDEX_= NOT_SPECIFIED), mHiiHandle, mAppName, ValueStr); - return EFI_NOT_FOUND; - } - - Status =3D mConstructPolicyEntryIndexer[DataType] (&Context.Indexer, P= aramPackage); - if (!EFI_ERROR (Status)) { - Context.DataType =3D DataType; - Context.Status =3D EFI_NOT_FOUND; - ForeachPolicyEntry (DataType, (VISIT_POLICY_ENTRY) DeletePolicyEntry= , &Context); - Status =3D Context.Status; - - if (Status =3D=3D EFI_NOT_FOUND) { - ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_INDE= X_NOT_FOUND), mHiiHandle, mAppName, ValueStr); - } else if (EFI_ERROR (Status)) { - ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_DELE= TE_FAILED), mHiiHandle, mAppName); - } - } - } - - return Status; -} diff --git a/NetworkPkg/Application/IpsecConfig/Delete.h b/NetworkPkg/Appli= cation/IpsecConfig/Delete.h deleted file mode 100644 index 35665b87d4..0000000000 --- a/NetworkPkg/Application/IpsecConfig/Delete.h +++ /dev/null @@ -1,36 +0,0 @@ -/** @file - The internal structure and function declaration of delete policy entry f= unction - in IpSecConfig application. - - Copyright (c) 2009 - 2010, Intel Corporation. All rights reserved.
- - SPDX-License-Identifier: BSD-2-Clause-Patent - -**/ - -#ifndef __DELETE_H_ -#define __DELETE_H_ - -typedef struct { - EFI_IPSEC_CONFIG_DATA_TYPE DataType; - POLICY_ENTRY_INDEXER Indexer; - EFI_STATUS Status; //Indicate whether deletion s= ucceeds. -} DELETE_POLICY_ENTRY_CONTEXT; - -/** - Flush or delete entry information in the database according to datatype. - - @param[in] DataType The value of EFI_IPSEC_CONFIG_DATA_TYPE. - @param[in] ParamPackage The pointer to the ParamPackage list. - - @retval EFI_SUCCESS Delete entry information successfully. - @retval EFI_NOT_FOUND Can't find the specified entry. - @retval Others Some mistaken case. -**/ -EFI_STATUS -FlushOrDeletePolicyEntry ( - IN EFI_IPSEC_CONFIG_DATA_TYPE DataType, - IN LIST_ENTRY *ParamPackage - ); - -#endif diff --git a/NetworkPkg/Application/IpsecConfig/Dump.c b/NetworkPkg/Applica= tion/IpsecConfig/Dump.c deleted file mode 100644 index cc88cf36e5..0000000000 --- a/NetworkPkg/Application/IpsecConfig/Dump.c +++ /dev/null @@ -1,573 +0,0 @@ -/** @file - The implementation of dump policy entry function in IpSecConfig applicat= ion. - - Copyright (c) 2009 - 2011, Intel Corporation. All rights reserved.
- - SPDX-License-Identifier: BSD-2-Clause-Patent - -**/ - -#include "IpSecConfig.h" -#include "Dump.h" -#include "ForEach.h" -#include "Helper.h" - -/** - Private function called to get the version infomation from an EFI_IP_ADD= RESS_INFO structure. - - @param[in] AddressInfo The pointer to the EFI_IP_ADDRESS_INFO structu= re. - - @return the value of version. -**/ -UINTN -GetVerFromAddrInfo ( - IN EFI_IP_ADDRESS_INFO *AddressInfo -) -{ - if((AddressInfo->PrefixLength <=3D 32) && (AddressInfo->Address.Addr[1] = =3D=3D 0) && - (AddressInfo->Address.Addr[2] =3D=3D 0) && (AddressInfo->Address.Addr= [3] =3D=3D 0)) { - return IP_VERSION_4; - } else { - return IP_VERSION_6; - } -} - -/** - Private function called to get the version information from a EFI_IP_ADD= RESS structure. - - @param[in] Address The pointer to the EFI_IP_ADDRESS structure. - - @return The value of the version. -**/ -UINTN -GetVerFromIpAddr ( - IN EFI_IP_ADDRESS *Address -) -{ - if ((Address->Addr[1] =3D=3D 0) && (Address->Addr[2] =3D=3D 0) && (Addre= ss->Addr[3] =3D=3D 0)) { - return IP_VERSION_4; - } else { - return IP_VERSION_6; - } -} - -/** - Private function called to print an ASCII string in unicode char format. - - @param[in] Str The pointer to the ASCII string. - @param[in] Length The value of the ASCII string length. -**/ -VOID -DumpAsciiString ( - IN CHAR8 *Str, - IN UINTN Length - ) -{ - UINTN Index; - Print (L"\""); - for (Index =3D 0; Index < Length; Index++) { - Print (L"%c", (CHAR16) Str[Index]); - } - Print (L"\""); -} - -/** - Private function called to print a buffer in Hex format. - - @param[in] Data The pointer to the buffer. - @param[in] Length The size of the buffer. - -**/ -VOID -DumpBuf ( - IN UINT8 *Data, - IN UINTN Length - ) -{ - UINTN Index; - for (Index =3D 0; Index < Length; Index++) { - Print (L"%02x ", Data[Index]); - } -} - -/** - Private function called to print EFI_IP_ADDRESS_INFO content. 
- - @param[in] AddressInfo The pointer to the EFI_IP_ADDRESS_INFO structu= re. -**/ -VOID -DumpAddressInfo ( - IN EFI_IP_ADDRESS_INFO *AddressInfo - ) -{ - if (IP_VERSION_4 =3D=3D GetVerFromAddrInfo (AddressInfo)) { - Print ( - L"%d.%d.%d.%d", - (UINTN) AddressInfo->Address.v4.Addr[0], - (UINTN) AddressInfo->Address.v4.Addr[1], - (UINTN) AddressInfo->Address.v4.Addr[2], - (UINTN) AddressInfo->Address.v4.Addr[3] - ); - if (AddressInfo->PrefixLength !=3D 32) { - Print (L"/%d", (UINTN) AddressInfo->PrefixLength); - } - } - - if (IP_VERSION_6 =3D=3D GetVerFromAddrInfo (AddressInfo)) { - Print ( - L"%x:%x:%x:%x:%x:%x:%x:%x", - (((UINT16) AddressInfo->Address.v6.Addr[0]) << 8) | ((UINT16) Addres= sInfo->Address.v6.Addr[1]), - (((UINT16) AddressInfo->Address.v6.Addr[2]) << 8) | ((UINT16) Addres= sInfo->Address.v6.Addr[3]), - (((UINT16) AddressInfo->Address.v6.Addr[4]) << 8) | ((UINT16) Addres= sInfo->Address.v6.Addr[5]), - (((UINT16) AddressInfo->Address.v6.Addr[6]) << 8) | ((UINT16) Addres= sInfo->Address.v6.Addr[7]), - (((UINT16) AddressInfo->Address.v6.Addr[8]) << 8) | ((UINT16) Addres= sInfo->Address.v6.Addr[9]), - (((UINT16) AddressInfo->Address.v6.Addr[10]) << 8) | ((UINT16) Addre= ssInfo->Address.v6.Addr[11]), - (((UINT16) AddressInfo->Address.v6.Addr[12]) << 8) | ((UINT16) Addre= ssInfo->Address.v6.Addr[13]), - (((UINT16) AddressInfo->Address.v6.Addr[14]) << 8) | ((UINT16) Addre= ssInfo->Address.v6.Addr[15]) - ); - if (AddressInfo->PrefixLength !=3D 128) { - Print (L"/%d", AddressInfo->PrefixLength); - } - } -} - -/** - Private function called to print EFI_IP_ADDRESS content. - - @param[in] IpAddress The pointer to the EFI_IP_ADDRESS structure. 
-**/ -VOID -DumpIpAddress ( - IN EFI_IP_ADDRESS *IpAddress - ) -{ - if (IP_VERSION_4 =3D=3D GetVerFromIpAddr (IpAddress)) { - Print ( - L"%d.%d.%d.%d", - (UINTN) IpAddress->v4.Addr[0], - (UINTN) IpAddress->v4.Addr[1], - (UINTN) IpAddress->v4.Addr[2], - (UINTN) IpAddress->v4.Addr[3] - ); - } - - if (IP_VERSION_6 =3D=3D GetVerFromIpAddr (IpAddress)) { - Print ( - L"%x:%x:%x:%x:%x:%x:%x:%x", - (((UINT16) IpAddress->v6.Addr[0]) << 8) | ((UINT16) IpAddress->v6.Ad= dr[1]), - (((UINT16) IpAddress->v6.Addr[2]) << 8) | ((UINT16) IpAddress->v6.Ad= dr[3]), - (((UINT16) IpAddress->v6.Addr[4]) << 8) | ((UINT16) IpAddress->v6.Ad= dr[5]), - (((UINT16) IpAddress->v6.Addr[6]) << 8) | ((UINT16) IpAddress->v6.Ad= dr[7]), - (((UINT16) IpAddress->v6.Addr[8]) << 8) | ((UINT16) IpAddress->v6.Ad= dr[9]), - (((UINT16) IpAddress->v6.Addr[10]) << 8) | ((UINT16) IpAddress->v6.A= ddr[11]), - (((UINT16) IpAddress->v6.Addr[12]) << 8) | ((UINT16) IpAddress->v6.A= ddr[13]), - (((UINT16) IpAddress->v6.Addr[14]) << 8) | ((UINT16) IpAddress->v6.A= ddr[15]) - ); - } - -} - -/** - Private function called to print EFI_IPSEC_SPD_SELECTOR content. - - @param[in] Selector The pointer to the EFI_IPSEC_SPD_SELECTOR structu= re. 
-**/ -VOID -DumpSpdSelector ( - IN EFI_IPSEC_SPD_SELECTOR *Selector - ) -{ - UINT32 Index; - CHAR16 *Str; - - for (Index =3D 0; Index < Selector->LocalAddressCount; Index++) { - if (Index > 0) { - Print (L","); - } - - DumpAddressInfo (&Selector->LocalAddress[Index]); - } - - if (Index =3D=3D 0) { - Print (L"localhost"); - } - - Print (L" -> "); - - for (Index =3D 0; Index < Selector->RemoteAddressCount; Index++) { - if (Index > 0) { - Print (L","); - } - - DumpAddressInfo (&Selector->RemoteAddress[Index]); - } - - Str =3D MapIntegerToString (Selector->NextLayerProtocol, mMapIpProtocol); - if (Str !=3D NULL) { - Print (L" %s", Str); - } else { - Print (L" proto:%d", (UINTN) Selector->NextLayerProtocol); - } - - if ((Selector->NextLayerProtocol =3D=3D EFI_IP4_PROTO_TCP) || (Selector-= >NextLayerProtocol =3D=3D EFI_IP4_PROTO_UDP)) { - Print (L" port:"); - if (Selector->LocalPort !=3D EFI_IPSEC_ANY_PORT) { - Print (L"%d", Selector->LocalPort); - if (Selector->LocalPortRange !=3D 0) { - Print (L"~%d", (UINTN) Selector->LocalPort + Selector->LocalPortRa= nge); - } - } else { - Print (L"any"); - } - - Print (L" -> "); - if (Selector->RemotePort !=3D EFI_IPSEC_ANY_PORT) { - Print (L"%d", Selector->RemotePort); - if (Selector->RemotePortRange !=3D 0) { - Print (L"~%d", (UINTN) Selector->RemotePort + Selector->RemotePort= Range); - } - } else { - Print (L"any"); - } - } else if (Selector->NextLayerProtocol =3D=3D EFI_IP4_PROTO_ICMP) { - Print (L" class/code:"); - if (Selector->LocalPort !=3D 0) { - Print (L"%d", (UINTN) (UINT8) Selector->LocalPort); - } else { - Print (L"any"); - } - - Print (L"/"); - if (Selector->RemotePort !=3D 0) { - Print (L"%d", (UINTN) (UINT8) Selector->RemotePort); - } else { - Print (L"any"); - } - } -} - -/** - Print EFI_IPSEC_SPD_SELECTOR and EFI_IPSEC_SPD_DATA content. - - @param[in] Selector The pointer to the EFI_IPSEC_SPD_SELECTOR struc= ture. - @param[in] Data The pointer to the EFI_IPSEC_SPD_DATA structure. 
- @param[in] EntryIndex The pointer to the Index in SPD Database. - - @retval EFI_SUCCESS Dump SPD information successfully. -**/ -EFI_STATUS -DumpSpdEntry ( - IN EFI_IPSEC_SPD_SELECTOR *Selector, - IN EFI_IPSEC_SPD_DATA *Data, - IN UINTN *EntryIndex - ) -{ - BOOLEAN HasPre; - CHAR16 DataName[128]; - CHAR16 *String1; - CHAR16 *String2; - CHAR16 *String3; - UINT8 Index; - - Print (L"%d.", (*EntryIndex)++); - - // - // xxx.xxx.xxx.xxx/yy -> xxx.xxx.xxx.xx/yy proto:23 port:100~300 -> 300~= 400 - // Protect PF:0x34323423 Name:First Entry - // ext-sequence sequence-overflow fragcheck life:[B0,S1024,H3600] - // ESP algo1 algo2 Tunnel [xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx set] - // - - DumpSpdSelector (Selector); - Print (L"\n "); - - Print (L"%s ", MapIntegerToString (Data->Action, mMapIpSecAction)); - Print (L"PF:%08x ", Data->PackageFlag); - - Index =3D 0; - while (Data->Name[Index] !=3D 0) { - DataName[Index] =3D (CHAR16) Data->Name[Index]; - Index++; - ASSERT (Index < 128); - } - DataName[Index] =3D L'\0'; - - Print (L"Name:%s", DataName); - - if (Data->Action =3D=3D EfiIPsecActionProtect) { - Print (L"\n "); - if (Data->ProcessingPolicy->ExtSeqNum) { - Print (L"ext-sequence "); - } - - if (Data->ProcessingPolicy->SeqOverflow) { - Print (L"sequence-overflow "); - } - - if (Data->ProcessingPolicy->FragCheck) { - Print (L"fragment-check "); - } - - HasPre =3D FALSE; - if (Data->ProcessingPolicy->SaLifetime.ByteCount !=3D 0) { - Print (HasPre ? L"," : L"life:["); - Print (L"%lxB", Data->ProcessingPolicy->SaLifetime.ByteCount); - HasPre =3D TRUE; - } - - if (Data->ProcessingPolicy->SaLifetime.SoftLifetime !=3D 0) { - Print (HasPre ? L"," : L"life:["); - Print (L"%lxs", Data->ProcessingPolicy->SaLifetime.SoftLifetime); - HasPre =3D TRUE; - } - - if (Data->ProcessingPolicy->SaLifetime.HardLifetime !=3D 0) { - Print (HasPre ? 
L"," : L"life:["); - Print (L"%lxS", Data->ProcessingPolicy->SaLifetime.HardLifetime); - HasPre =3D TRUE; - } - - if (HasPre) { - Print (L"]"); - } - - if (HasPre || Data->ProcessingPolicy->ExtSeqNum || - Data->ProcessingPolicy->SeqOverflow || Data->ProcessingPolicy->Fra= gCheck) { - Print (L"\n "); - } - - String1 =3D MapIntegerToString (Data->ProcessingPolicy->Proto, mMapIpS= ecProtocol); - String2 =3D MapIntegerToString (Data->ProcessingPolicy->AuthAlgoId, mM= apAuthAlgo); - String3 =3D MapIntegerToString (Data->ProcessingPolicy->EncAlgoId, mMa= pEncAlgo); - Print ( - L"%s Auth:%s Encrypt:%s ", - String1, - String2, - String3 - ); - - Print (L"%s ", MapIntegerToString (Data->ProcessingPolicy->Mode, mMapI= pSecMode)); - if (Data->ProcessingPolicy->Mode =3D=3D EfiIPsecTunnel) { - Print (L"["); - DumpIpAddress (&Data->ProcessingPolicy->TunnelOption->LocalTunnelAdd= ress); - Print (L" -> "); - DumpIpAddress (&Data->ProcessingPolicy->TunnelOption->RemoteTunnelAd= dress); - Print (L" %s]", MapIntegerToString (Data->ProcessingPolicy->TunnelOp= tion->DF, mMapDfOption)); - } - } - - Print (L"\n"); - - return EFI_SUCCESS; -} - -/** - Print EFI_IPSEC_SA_ID and EFI_IPSEC_SA_DATA2 content. - - @param[in] SaId The pointer to the EFI_IPSEC_SA_ID structure. - @param[in] Data The pointer to the EFI_IPSEC_SA_DATA2 structure. - @param[in] EntryIndex The pointer to the Index in the SAD Database. - - @retval EFI_SUCCESS Dump SAD information successfully. 
-**/ -EFI_STATUS -DumpSadEntry ( - IN EFI_IPSEC_SA_ID *SaId, - IN EFI_IPSEC_SA_DATA2 *Data, - IN UINTN *EntryIndex - ) -{ - BOOLEAN HasPre; - CHAR16 *AuthAlgoStr; - CHAR16 *EncAlgoStr; - - AuthAlgoStr =3D NULL; - EncAlgoStr =3D NULL; - - // - // SPI:1234 ESP Destination:xxx.xxx.xxx.xxx - // Mode:Transport SeqNum:134 AntiReplayWin:64 life:[0B,1023s,3400S] Pat= hMTU:34 - // Auth:xxxx/password Encrypt:yyyy/password - // xxx.xxx.xxx.xxx/yy -> xxx.xxx.xxx.xx/yy proto:23 port:100~300 -> 300= ~400 - // - - Print (L"%d.", (*EntryIndex)++); - Print (L"0x%x %s ", (UINTN) SaId->Spi, MapIntegerToString (SaId->Proto, = mMapIpSecProtocol)); - if (Data->Mode =3D=3D EfiIPsecTunnel) { - Print (L"TunnelSourceAddress:"); - DumpIpAddress (&Data->TunnelSourceAddress); - Print (L"\n"); - Print (L" TunnelDestination:"); - DumpIpAddress (&Data->TunnelDestinationAddress); - Print (L"\n"); - } - - Print ( - L" Mode:%s SeqNum:%lx AntiReplayWin:%d ", - MapIntegerToString (Data->Mode, mMapIpSecMode), - Data->SNCount, - (UINTN) Data->AntiReplayWindows - ); - - HasPre =3D FALSE; - if (Data->SaLifetime.ByteCount !=3D 0) { - Print (HasPre ? L"," : L"life:["); - Print (L"%lxB", Data->SaLifetime.ByteCount); - HasPre =3D TRUE; - } - - if (Data->SaLifetime.SoftLifetime !=3D 0) { - Print (HasPre ? L"," : L"life:["); - Print (L"%lxs", Data->SaLifetime.SoftLifetime); - HasPre =3D TRUE; - } - - if (Data->SaLifetime.HardLifetime !=3D 0) { - Print (HasPre ? 
L"," : L"life:["); - Print (L"%lxS", Data->SaLifetime.HardLifetime); - HasPre =3D TRUE; - } - - if (HasPre) { - Print (L"] "); - } - - Print (L"PathMTU:%d\n", (UINTN) Data->PathMTU); - - if (SaId->Proto =3D=3D EfiIPsecAH) { - Print ( - L" Auth:%s/%s\n", - MapIntegerToString (Data->AlgoInfo.AhAlgoInfo.AuthAlgoId, mMapAuthAl= go), - Data->AlgoInfo.AhAlgoInfo.AuthKey - ); - } else { - AuthAlgoStr =3D MapIntegerToString (Data->AlgoInfo.EspAlgoInfo.AuthAlg= oId, mMapAuthAlgo); - EncAlgoStr =3D MapIntegerToString (Data->AlgoInfo.EspAlgoInfo.EncAlgo= Id, mMapEncAlgo); - - if (Data->ManualSet) { - // - // if the SAD is set manually the key is a Ascii string in most of t= ime. - // Print the Key in Ascii string format. - // - Print (L" Auth:%s/",AuthAlgoStr); - DumpAsciiString ( - Data->AlgoInfo.EspAlgoInfo.AuthKey, - Data->AlgoInfo.EspAlgoInfo.AuthKeyLength - ); - Print (L"\n Encrypt:%s/",EncAlgoStr); - DumpAsciiString ( - Data->AlgoInfo.EspAlgoInfo.EncKey, - Data->AlgoInfo.EspAlgoInfo.EncKeyLength - ); - } else { - // - // if the SAD is created by IKE, the key is a set of hex value in bu= ffer. - // Print the Key in Hex format. - // - Print (L" Auth:%s/",AuthAlgoStr); - DumpBuf ((UINT8 *)(Data->AlgoInfo.EspAlgoInfo.AuthKey), Data->AlgoIn= fo.EspAlgoInfo.AuthKeyLength); - - Print (L"\n Encrypt:%s/",EncAlgoStr); - DumpBuf ((UINT8 *)(Data->AlgoInfo.EspAlgoInfo.EncKey), Data->AlgoInf= o.EspAlgoInfo.EncKeyLength); - } - } - Print (L"\n"); - if (Data->SpdSelector !=3D NULL) { - Print (L" "); - DumpSpdSelector (Data->SpdSelector); - Print (L"\n"); - } - - return EFI_SUCCESS; -} - -/** - Print EFI_IPSEC_PAD_ID and EFI_IPSEC_PAD_DATA content. - - @param[in] PadId The pointer to the EFI_IPSEC_PAD_ID structure. - @param[in] Data The pointer to the EFI_IPSEC_PAD_DATA structure. - @param[in] EntryIndex The pointer to the Index in the PAD Database. - - @retval EFI_SUCCESS Dump PAD information successfully. 
-**/ -EFI_STATUS -DumpPadEntry ( - IN EFI_IPSEC_PAD_ID *PadId, - IN EFI_IPSEC_PAD_DATA *Data, - IN UINTN *EntryIndex - ) -{ - CHAR16 *String1; - CHAR16 *String2; - - // - // ADDR:10.23.17.34/15 - // IDEv1 PreSharedSecret IKE-ID - // password - // - - Print (L"%d.", (*EntryIndex)++); - - if (PadId->PeerIdValid) { - Print (L"ID:%s", PadId->Id.PeerId); - } else { - Print (L"ADDR:"); - DumpAddressInfo (&PadId->Id.IpAddress); - } - - Print (L"\n"); - - String1 =3D MapIntegerToString (Data->AuthProtocol, mMapAuthProto); - String2 =3D MapIntegerToString (Data->AuthMethod, mMapAuthMethod); - Print ( - L" %s %s", - String1, - String2 - ); - - if (Data->IkeIdFlag) { - Print (L"IKE-ID"); - } - - Print (L"\n"); - - if (Data->AuthData !=3D NULL) { - DumpAsciiString (Data->AuthData, Data->AuthDataSize); - Print (L"\n"); - } - - if (Data->RevocationData !=3D NULL) { - Print (L" %s\n", Data->RevocationData); - } - - return EFI_SUCCESS; - -} - -VISIT_POLICY_ENTRY mDumpPolicyEntry[] =3D { - (VISIT_POLICY_ENTRY) DumpSpdEntry, - (VISIT_POLICY_ENTRY) DumpSadEntry, - (VISIT_POLICY_ENTRY) DumpPadEntry -}; - -/** - Print all entry information in the database according to datatype. - - @param[in] DataType The value of EFI_IPSEC_CONFIG_DATA_TYPE. - @param[in] ParamPackage The pointer to the ParamPackage list. - - @retval EFI_SUCCESS Dump all information successfully. - @retval Others Some mistaken case. -**/ -EFI_STATUS -ListPolicyEntry ( - IN EFI_IPSEC_CONFIG_DATA_TYPE DataType, - IN LIST_ENTRY *ParamPackage - ) -{ - UINTN EntryIndex; - - EntryIndex =3D 0; - return ForeachPolicyEntry (DataType, mDumpPolicyEntry[DataType], &EntryI= ndex); -} - diff --git a/NetworkPkg/Application/IpsecConfig/Dump.h b/NetworkPkg/Applica= tion/IpsecConfig/Dump.h deleted file mode 100644 index 44ed7aa6e9..0000000000 --- a/NetworkPkg/Application/IpsecConfig/Dump.h +++ /dev/null 
@@ -1,28 +0,0 @@ -/** @file - The function declaration of dump policy entry function in IpSecConfig ap= plication. - - Copyright (c) 2009 - 2010, Intel Corporation. All rights reserved.
- - SPDX-License-Identifier: BSD-2-Clause-Patent - -**/ - -#ifndef _DUMP_H_ -#define _DUMP_H_ - -/** - Print all entry information in the database according to datatype. - - @param[in] DataType The value of EFI_IPSEC_CONFIG_DATA_TYPE. - @param[in] ParamPackage The pointer to the ParamPackage list. - - @retval EFI_SUCCESS Dump all information successfully. - @retval Others Some mistaken case. -**/ -EFI_STATUS -ListPolicyEntry ( - IN EFI_IPSEC_CONFIG_DATA_TYPE DataType, - IN LIST_ENTRY *ParamPackage - ); - -#endif diff --git a/NetworkPkg/Application/IpsecConfig/ForEach.c b/NetworkPkg/Appl= ication/IpsecConfig/ForEach.c deleted file mode 100644 index 6d82ee292b..0000000000 --- a/NetworkPkg/Application/IpsecConfig/ForEach.c +++ /dev/null @@ -1,109 +0,0 @@ -/** @file - The implementation to go through each entry in IpSecConfig application. - - Copyright (c) 2009 - 2010, Intel Corporation. All rights reserved.
- - SPDX-License-Identifier: BSD-2-Clause-Patent - -**/ - -#include "IpSecConfig.h" -#include "ForEach.h" - - -/** - Enumerate all entries in the database to execute specified operations ac= cording to datatype. - - @param[in] DataType The value of EFI_IPSEC_CONFIG_DATA_TYPE. - @param[in] Routine The pointer to the function of a specified operat= ion. - @param[in] Context The pointer to the context of a function. - - @retval EFI_SUCCESS Execute specified operation successfully. -**/ -EFI_STATUS -ForeachPolicyEntry ( - IN EFI_IPSEC_CONFIG_DATA_TYPE DataType, - IN VISIT_POLICY_ENTRY Routine, - IN VOID *Context - ) -{ - EFI_STATUS GetNextStatus; - EFI_STATUS GetDataStatus; - EFI_IPSEC_CONFIG_SELECTOR *Selector; - VOID *Data; - UINTN SelectorSize; - UINTN DataSize; - BOOLEAN FirstGetNext; - - FirstGetNext =3D TRUE; - SelectorSize =3D sizeof (EFI_IPSEC_CONFIG_SELECTOR); - Selector =3D AllocateZeroPool (SelectorSize); - - DataSize =3D 0; - Data =3D NULL; - - while (TRUE) { - GetNextStatus =3D mIpSecConfig->GetNextSelector ( - mIpSecConfig, - DataType, - &SelectorSize, - Selector - ); - if (GetNextStatus =3D=3D EFI_BUFFER_TOO_SMALL) { - gBS->FreePool (Selector); - Selector =3D FirstGetNext ? 
AllocateZeroPool (SelectorSize) : Alloca= tePool (SelectorSize); - - GetNextStatus =3D mIpSecConfig->GetNextSelector ( - mIpSecConfig, - DataType, - &SelectorSize, - Selector - ); - } - - if (EFI_ERROR (GetNextStatus)) { - break; - } - - FirstGetNext =3D FALSE; - - GetDataStatus =3D mIpSecConfig->GetData ( - mIpSecConfig, - DataType, - Selector, - &DataSize, - Data - ); - if (GetDataStatus =3D=3D EFI_BUFFER_TOO_SMALL) { - if (Data !=3D NULL) { - gBS->FreePool (Data); - } - - Data =3D AllocateZeroPool (DataSize); - GetDataStatus =3D mIpSecConfig->GetData ( - mIpSecConfig, - DataType, - Selector, - &DataSize, - Data - ); - } - - ASSERT_EFI_ERROR (GetDataStatus); - - if (EFI_ERROR (Routine (Selector, Data, Context))) { - break; - } - } - - if (Data !=3D NULL) { - gBS->FreePool (Data); - } - - if (Selector !=3D NULL) { - gBS->FreePool (Selector); - } - - return EFI_SUCCESS; -} - diff --git a/NetworkPkg/Application/IpsecConfig/ForEach.h b/NetworkPkg/Appl= ication/IpsecConfig/ForEach.h deleted file mode 100644 index a69dd35619..0000000000 --- a/NetworkPkg/Application/IpsecConfig/ForEach.h +++ /dev/null @@ -1,48 +0,0 @@ -/** @file - The internal structure and function declaration of the implementation - to go through each entry in IpSecConfig application. - - Copyright (c) 2009 - 2010, Intel Corporation. All rights reserved.
- - SPDX-License-Identifier: BSD-2-Clause-Patent - -**/ - -#ifndef _FOREACH_H_ -#define _FOREACH_H_ - -/** - The prototype for the DumpSpdEntry()/DumpSadEntry()/DumpPadEntry(). - Print EFI_IPSEC_CONFIG_SELECTOR and corresponding content. - - @param[in] Selector The pointer to the EFI_IPSEC_CONFIG_SELECTOR unio= n. - @param[in] Data The pointer to the corresponding data. - @param[in] Context The pointer to the Index in SPD/SAD/PAD Database. - - @retval EFI_SUCCESS Dump SPD/SAD/PAD information successfully. -**/ -typedef -EFI_STATUS -(*VISIT_POLICY_ENTRY) ( - IN EFI_IPSEC_CONFIG_SELECTOR *Selector, - IN VOID *Data, - IN VOID *Context - ); - -/** - Enumerate all entry in the database to execute a specified operation acc= ording to datatype. - - @param[in] DataType The value of EFI_IPSEC_CONFIG_DATA_TYPE. - @param[in] Routine The pointer to function of a specified operation. - @param[in] Context The pointer to the context of a function. - - @retval EFI_SUCCESS Execute specified operation successfully. -**/ -EFI_STATUS -ForeachPolicyEntry ( - IN EFI_IPSEC_CONFIG_DATA_TYPE DataType, - IN VISIT_POLICY_ENTRY Routine, - IN VOID *Context - ); - -#endif diff --git a/NetworkPkg/Application/IpsecConfig/Helper.c b/NetworkPkg/Appli= cation/IpsecConfig/Helper.c deleted file mode 100644 index 51718cbbbc..0000000000 --- a/NetworkPkg/Application/IpsecConfig/Helper.c +++ /dev/null @@ -1,414 +0,0 @@ -/** @file - The assistant function implementation for IpSecConfig application. - - Copyright (c) 2009 - 2012, Intel Corporation. All rights reserved.
- - SPDX-License-Identifier: BSD-2-Clause-Patent - -**/ - -#include "IpSecConfig.h" -#include "Helper.h" - -/** - Helper function called to change an input parameter in the string format= to a number. - - @param[in] FlagStr The pointer to the flag string. - @param[in] Maximum Greatest value number. - @param[in, out] ValuePtr The pointer to the input parameter in st= ring format. - @param[in] ByteCount The valid byte count - @param[in] Map The pointer to the STR2INT table. - @param[in] ParamPackage The pointer to the ParamPackage list. - @param[in] FormatMask The bit mask. - BIT 0 set indicates the value of a flag = might be a number. - BIT 1 set indicates the value of a flag = might be a string that needs to be looked up. - - @retval EFI_SUCCESS The operation completed successfully. - @retval EFI_NOT_FOUND The input parameter can't be found. - @retval EFI_INVALID_PARAMETER The input parameter is an invalid input. -**/ -EFI_STATUS -GetNumber ( - IN CHAR16 *FlagStr, - IN UINT64 Maximum, - IN OUT VOID *ValuePtr, - IN UINTN ByteCount, - IN STR2INT *Map, - IN LIST_ENTRY *ParamPackage, - IN UINT32 FormatMask - ) -{ - EFI_STATUS Status; - UINT64 Value64; - BOOLEAN Converted; - UINTN Index; - CONST CHAR16 *ValueStr; - - ASSERT (FormatMask & (FORMAT_NUMBER | FORMAT_STRING)); - - Converted =3D FALSE; - Value64 =3D 0; - ValueStr =3D ShellCommandLineGetValue (ParamPackage, FlagStr); - - if (ValueStr =3D=3D NULL) { - return EFI_NOT_FOUND; - } else { - // - // Try to convert to integer directly if MaybeNumber is TRUE. - // - if ((FormatMask & FORMAT_NUMBER) !=3D 0) { - Value64 =3D StrToUInteger (ValueStr, &Status); - if (!EFI_ERROR (Status)) { - // - // Convert successfully. 
- // - if (Value64 > Maximum) { - // - // But the result is invalid - // - ShellPrintHiiEx ( - -1, - -1, - NULL, - STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE), - mHiiHandle, - mAppName, - FlagStr, - ValueStr - ); - return EFI_INVALID_PARAMETER; - } - - Converted =3D TRUE; - } - } - - if (!Converted && ((FormatMask & FORMAT_STRING) !=3D 0)) { - // - // Convert falied, so use String->Integer map. - // - ASSERT (Map !=3D NULL); - Value64 =3D MapStringToInteger (ValueStr, Map); - if (Value64 =3D=3D (UINT32) -1) { - // - // Cannot find the string in the map. - // - ShellPrintHiiEx ( - -1, - -1, - NULL, - STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE), - mHiiHandle, - mAppName, - FlagStr, - ValueStr - ); - ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_ACCE= PT_PARAMETERS), mHiiHandle); - for (Index =3D 0; Map[Index].String !=3D NULL; Index++) { - Print (L" %s", Map[Index].String); - } - - Print (L"\n"); - return EFI_INVALID_PARAMETER; - } - } - - CopyMem (ValuePtr, &Value64, ByteCount); - return EFI_SUCCESS; - } -} - -/** - Helper function called to convert a string containing an Ipv4 or Ipv6 In= ternet Protocol address - into a proper address for the EFI_IP_ADDRESS structure. - - @param[in] Ptr The pointer to the string containing an Ipv4 or Ipv6 = Internet Protocol address. - @param[out] Ip The pointer to the EFI_IP_ADDRESS structure to contai= n the result. - - @retval EFI_SUCCESS The operation completed successfully. - @retval EFI_INVALID_PARAMETER Invalid parameter. -**/ -EFI_STATUS -EfiInetAddr2 ( - IN CHAR16 *Ptr, - OUT EFI_IP_ADDRESS *Ip - ) -{ - EFI_STATUS Status; - - if ((Ptr =3D=3D NULL) || (Ip =3D=3D NULL)) { - return EFI_INVALID_PARAMETER; - } - - // - // Parse the input address as Ipv4 Address first. 
- // - Status =3D NetLibStrToIp4 (Ptr, &Ip->v4); - if (!EFI_ERROR (Status)) { - return Status; - } - - Status =3D NetLibStrToIp6 (Ptr, &Ip->v6); - return Status; -} - -/** - Helper function called to calculate the prefix length associated with th= e string - containing an Ipv4 or Ipv6 Internet Protocol address. - - @param[in] Ptr The pointer to the string containing an Ipv4 or Ipv6= Internet Protocol address. - @param[out] Addr The pointer to the EFI_IP_ADDRESS_INFO structure to = contain the result. - - @retval EFI_SUCCESS The operation completed successfully. - @retval EFI_INVALID_PARAMETER Invalid parameter. - @retval Others Other mistake case. -**/ -EFI_STATUS -EfiInetAddrRange ( - IN CHAR16 *Ptr, - OUT EFI_IP_ADDRESS_INFO *Addr - ) -{ - EFI_STATUS Status; - - if ((Ptr =3D=3D NULL) || (Addr =3D=3D NULL)) { - return EFI_INVALID_PARAMETER; - } - - Status =3D NetLibStrToIp4 (Ptr, &Addr->Address.v4); - if (!EFI_ERROR (Status)) { - if ((UINT32)(*Addr->Address.v4.Addr) =3D=3D 0) { - Addr->PrefixLength =3D 0; - } else { - Addr->PrefixLength =3D 32; - } - return Status; - } - - Status =3D NetLibStrToIp6andPrefix (Ptr, &Addr->Address.v6, &Addr->Prefi= xLength); - if (!EFI_ERROR (Status) && (Addr->PrefixLength =3D=3D 0xFF)) { - Addr->PrefixLength =3D 128; - } - - return Status; -} - -/** - Helper function called to calculate the port range associated with the s= tring. - - @param[in] Ptr The pointer to the string containing a port and= range. - @param[out] Port The pointer to the Port to contain the result. - @param[out] PortRange The pointer to the PortRange to contain the res= ult. - - @retval EFI_SUCCESS The operation completed successfully. - @retval EFI_INVALID_PARAMETER Invalid parameter. - @retval Others Other mistake case. 
-**/ -EFI_STATUS -EfiInetPortRange ( - IN CHAR16 *Ptr, - OUT UINT16 *Port, - OUT UINT16 *PortRange - ) -{ - CHAR16 *BreakPtr; - CHAR16 Ch; - EFI_STATUS Status; - - for (BreakPtr =3D Ptr; (*BreakPtr !=3D L'\0') && (*BreakPtr !=3D L':'); = BreakPtr++) { - ; - } - - Ch =3D *BreakPtr; - *BreakPtr =3D L'\0'; - *Port =3D (UINT16) StrToUInteger (Ptr, &Status); - *BreakPtr =3D Ch; - if (EFI_ERROR (Status)) { - return Status; - } - - *PortRange =3D 0; - if (*BreakPtr =3D=3D L':') { - BreakPtr++; - *PortRange =3D (UINT16) StrToUInteger (BreakPtr, &Status); - if (EFI_ERROR (Status)) { - return Status; - } - - if (*PortRange < *Port) { - return EFI_INVALID_PARAMETER; - } - - *PortRange =3D (UINT16) (*PortRange - *Port); - } - - return EFI_SUCCESS; -} - -/** - Helper function called to transfer a string to an unsigned integer. - - @param[in] Str The pointer to the string. - @param[out] Status The operation status. - - @return The integer value of converted Str. -**/ -UINT64 -StrToUInteger ( - IN CONST CHAR16 *Str, - OUT EFI_STATUS *Status - ) -{ - UINT64 Value; - UINT64 NewValue; - CHAR16 *StrTail; - CHAR16 Char; - UINTN Base; - UINTN Len; - - Base =3D 10; - Value =3D 0; - *Status =3D EFI_ABORTED; - - // - // Skip leading white space. - // - while ((*Str !=3D 0) && (*Str =3D=3D ' ')) { - Str++; - } - // - // For NULL Str, just return. - // - if (*Str =3D=3D 0) { - return 0; - } - // - // Skip white space in tail. - // - Len =3D StrLen (Str); - StrTail =3D (CHAR16 *) (Str + Len - 1); - while (*StrTail =3D=3D ' ') { - *StrTail =3D 0; - StrTail--; - } - - Len =3D StrTail - Str + 1; - - // - // Check hex prefix '0x'. - // - if ((Len >=3D 2) && (*Str =3D=3D '0') && ((*(Str + 1) =3D=3D 'x') || (*(= Str + 1) =3D=3D 'X'))) { - Str +=3D 2; - Len -=3D 2; - Base =3D 16; - } - - if (Len =3D=3D 0) { - return 0; - } - // - // Convert the string to value. 
- // - for (; Str <=3D StrTail; Str++) { - - Char =3D *Str; - - if (Base =3D=3D 16) { - if (RShiftU64 (Value, 60) !=3D 0) { - // - // Overflow here x16. - // - return 0; - } - - NewValue =3D LShiftU64 (Value, 4); - } else { - if (RShiftU64 (Value, 61) !=3D 0) { - // - // Overflow here x8. - // - return 0; - } - - NewValue =3D LShiftU64 (Value, 3); - Value =3D LShiftU64 (Value, 1); - NewValue +=3D Value; - if (NewValue < Value) { - // - // Overflow here. - // - return 0; - } - } - - Value =3D NewValue; - - if ((Base =3D=3D 16) && (Char >=3D 'a') && (Char <=3D 'f')) { - Char =3D (CHAR16) (Char - 'a' + 'A'); - } - - if ((Base =3D=3D 16) && (Char >=3D 'A') && (Char <=3D 'F')) { - Value +=3D (Char - 'A') + 10; - } else if ((Char >=3D '0') && (Char <=3D '9')) { - Value +=3D (Char - '0'); - } else { - // - // Unexpected Char encountered. - // - return 0; - } - } - - *Status =3D EFI_SUCCESS; - return Value; -} - -/** - Helper function called to transfer a string to an unsigned integer accor= ding to the map table. - - @param[in] Str The pointer to the string. - @param[in] Map The pointer to the map table. - - @return The integer value of converted Str. If not found, then return -1. -**/ -UINT32 -MapStringToInteger ( - IN CONST CHAR16 *Str, - IN STR2INT *Map - ) -{ - STR2INT *Item; - - for (Item =3D Map; Item->String !=3D NULL; Item++) { - if (StrCmp (Item->String, Str) =3D=3D 0) { - return Item->Integer; - } - } - - return (UINT32) -1; -} - -/** - Helper function called to transfer an unsigned integer to a string accor= ding to the map table. - - @param[in] Integer The pointer to the string. - @param[in] Map The pointer to the map table. - - @return The converted Str. If not found, then return NULL. -**/ -CHAR16 * -MapIntegerToString ( - IN UINT32 Integer, - IN STR2INT *Map - ) -{ - STR2INT *Item; - - for (Item =3D Map; Item->String !=3D NULL; Item++) { - if (Integer =3D=3D Item->Integer) { - return Item->String; - } - } - - return NULL; -} 
diff --git a/NetworkPkg/Application/IpsecConfig/Helper.h b/NetworkPkg/Appli= cation/IpsecConfig/Helper.h deleted file mode 100644 index a610bd8515..0000000000 --- a/NetworkPkg/Application/IpsecConfig/Helper.h +++ /dev/null @@ -1,137 +0,0 @@ -/** @file - The assistant function declaration for IpSecConfig application. - - Copyright (c) 2009 - 2010, Intel Corporation. All rights reserved.
- - SPDX-License-Identifier: BSD-2-Clause-Patent - -**/ - -#ifndef _HELPER_H_ -#define _HELPER_H_ - -#define FORMAT_NUMBER 0x1 -#define FORMAT_STRING 0x2 - -/** - Helper function called to change input parameter in string format to num= ber. - - @param[in] FlagStr The pointer to the flag string. - @param[in] Maximum most value number. - @param[in, out] ValuePtr The pointer to the input parameter in st= ring format. - @param[in] ByteCount The valid byte count - @param[in] Map The pointer to the STR2INT table. - @param[in] ParamPackage The pointer to the ParamPackage list. - @param[in] FormatMask The bit mask. - BIT 0 set indicates the value of flag mi= ght be number. - BIT 1 set indicates the value of flag mi= ght be a string that needs to be looked up. - - @retval EFI_SUCCESS The operation completed successfully. - @retval EFI_NOT_FOUND The input parameter can't be found. - @retval EFI_INVALID_PARAMETER The input parameter is an invalid input. -**/ -EFI_STATUS -GetNumber ( - IN CHAR16 *FlagStr, - IN UINT64 Maximum, - IN OUT VOID *ValuePtr, - IN UINTN ByteCount, - IN STR2INT *Map, - IN LIST_ENTRY *ParamPackage, - IN UINT32 FormatMask - ); - -/** - Helper function called to convert a string containing an (Ipv4) Internet= Protocol dotted address - into a proper address for the EFI_IP_ADDRESS structure. - - @param[in] Ptr The pointer to the string containing an (Ipv4) Intern= et Protocol dotted address. - @param[out] Ip The pointer to the Ip address structure to contain th= e result. - - @retval EFI_SUCCESS The operation completed successfully. - @retval EFI_INVALID_PARAMETER Invalid parameter. -**/ -EFI_STATUS -EfiInetAddr2 ( - IN CHAR16 *Ptr, - OUT EFI_IP_ADDRESS *Ip - ); - -/** - Helper function called to calculate the prefix length associated with th= e string - containing an Ipv4 or Ipv6 Internet Protocol address. - - @param[in] Ptr The pointer to the string containing an Ipv4 or Ipv6= Internet Protocol address. 
- @param[out] Addr The pointer to the EFI_IP_ADDRESS_INFO structure to = contain the result. - - @retval EFI_SUCCESS The operation completed successfully. - @retval EFI_INVALID_PARAMETER Invalid parameter. - @retval Others Other mistake case. -**/ -EFI_STATUS -EfiInetAddrRange ( - IN CHAR16 *Ptr, - OUT EFI_IP_ADDRESS_INFO *Addr - ); - -/** - Helper function called to calculate the port range associated with the s= tring. - - @param[in] Ptr The pointer to the string containing a port and= range. - @param[out] Port The pointer to the Port to contain the result. - @param[out] PortRange The pointer to the PortRange to contain the res= ult. - - @retval EFI_SUCCESS The operation completed successfully. - @retval EFI_INVALID_PARAMETER Invalid parameter. - @retval Others Other mistake case. -**/ -EFI_STATUS -EfiInetPortRange ( - IN CHAR16 *Ptr, - OUT UINT16 *Port, - OUT UINT16 *PortRange - ); - -/** - Helper function called to transfer a string to an unsigned integer. - - @param[in] Str The pointer to the string. - @param[out] Status The operation status. - - @return The integer value of a converted str. -**/ -UINT64 -StrToUInteger ( - IN CONST CHAR16 *Str, - OUT EFI_STATUS *Status - ); - -/** - Helper function called to transfer a string to an unsigned integer accor= ding to the map table. - - @param[in] Str The pointer to the string. - @param[in] Map The pointer to the map table. - - @return The integer value of converted str. If not found, then return -1. -**/ -UINT32 -MapStringToInteger ( - IN CONST CHAR16 *Str, - IN STR2INT *Map - ); - -/** - Helper function called to transfer an unsigned integer to a string accor= ding to the map table. - - @param[in] Integer The pointer to the string. - @param[in] Map The pointer to the map table. - - @return The converted str. If not found, then return NULL. -**/ -CHAR16 * -MapIntegerToString ( - IN UINT32 Integer, - IN STR2INT *Map - ); - -#endif 
diff --git a/NetworkPkg/Application/IpsecConfig/Indexer.c b/NetworkPkg/Appl= ication/IpsecConfig/Indexer.c deleted file mode 100644 index 37524b0d66..0000000000 --- a/NetworkPkg/Application/IpsecConfig/Indexer.c +++ /dev/null @@ -1,249 +0,0 @@ -/** @file - The implementation of construct ENTRY_INDEXER in IpSecConfig application. - - Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
- - SPDX-License-Identifier: BSD-2-Clause-Patent - -**/ - -#include "IpSecConfig.h" -#include "Indexer.h" -#include "Helper.h" - -/** - Fill in SPD_ENTRY_INDEXER through ParamPackage list. - - @param[in, out] Indexer The pointer to the SPD_ENTRY_INDEXER str= ucture. - @param[in] ParamPackage The pointer to the ParamPackage list. - - @retval EFI_SUCCESS Filled in SPD_ENTRY_INDEXER successfully. -**/ -EFI_STATUS -ConstructSpdIndexer ( - IN OUT SPD_ENTRY_INDEXER *Indexer, - IN LIST_ENTRY *ParamPackage - ) -{ - EFI_STATUS Status; - UINT64 Value64; - CONST CHAR16 *ValueStr; - - ValueStr =3D NULL; - - if (ShellCommandLineGetFlag (ParamPackage, L"-i")) { - ValueStr =3D ShellCommandLineGetValue (ParamPackage, L"-i"); - } else if (ShellCommandLineGetFlag (ParamPackage, L"-d")) { - ValueStr =3D ShellCommandLineGetValue (ParamPackage, L"-d"); - } else if (ShellCommandLineGetFlag (ParamPackage, L"-e")) { - ValueStr =3D ShellCommandLineGetValue (ParamPackage, L"-e"); - } else { - return EFI_INVALID_PARAMETER; - } - - if (ValueStr =3D=3D NULL) { - return EFI_INVALID_PARAMETER; - } - - Value64 =3D StrToUInteger (ValueStr, &Status); - if (!EFI_ERROR (Status)) { - Indexer->Index =3D (UINTN) Value64; - ZeroMem (Indexer->Name, MAX_PEERID_LEN); - } else { - UnicodeStrToAsciiStrS (ValueStr, (CHAR8 *) Indexer->Name, MAX_PEERID_L= EN); - } - - return EFI_SUCCESS; -} - -/** - Fill in SAD_ENTRY_INDEXER through ParamPackage list. - - @param[in, out] Indexer The pointer to the SAD_ENTRY_INDEXER str= ucture. - @param[in] ParamPackage The pointer to the ParamPackage list. - - @retval EFI_SUCCESS Filled in SPD_ENTRY_INDEXER successfull= y. - @retval EFI_INVALID_PARAMETER The mistaken user input in ParamPackage= list. 
-**/ -EFI_STATUS -ConstructSadIndexer ( - IN OUT SAD_ENTRY_INDEXER *Indexer, - IN LIST_ENTRY *ParamPackage - ) -{ - EFI_STATUS Status; - EFI_STATUS Status1; - UINT64 Value64; - CONST CHAR16 *ValueStr; - - ValueStr =3D NULL; - - if (ShellCommandLineGetFlag (ParamPackage, L"-i")) { - ValueStr =3D ShellCommandLineGetValue (ParamPackage, L"-i"); - } else if (ShellCommandLineGetFlag (ParamPackage, L"-d")) { - ValueStr =3D ShellCommandLineGetValue (ParamPackage, L"-d"); - } else if (ShellCommandLineGetFlag (ParamPackage, L"-e")) { - ValueStr =3D ShellCommandLineGetValue (ParamPackage, L"-e"); - } else { - return EFI_INVALID_PARAMETER; - } - - if (ValueStr =3D=3D NULL) { - return EFI_INVALID_PARAMETER; - } - - Value64 =3D StrToUInteger (ValueStr, &Status); - if (!EFI_ERROR (Status)) { - Indexer->Index =3D (UINTN) Value64; - ZeroMem (&Indexer->SaId, sizeof (EFI_IPSEC_SA_ID)); - } else { - if ((!ShellCommandLineGetFlag (ParamPackage, L"--lookup-spi")) || - (!ShellCommandLineGetFlag (ParamPackage, L"--lookup-ipsec-proto"))= || - (!ShellCommandLineGetFlag (ParamPackage, L"--lookup-dest"))) { - ShellPrintHiiEx ( - -1, - -1, - NULL, - STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS), - mHiiHandle, - mAppName, - L"--lookup-spi --lookup-ipsec-proto --lookup-dest" - ); - return EFI_INVALID_PARAMETER; - } - - Status =3D GetNumber ( - L"--lookup-spi", - (UINT32) -1, - &Indexer->SaId.Spi, - sizeof (UINT32), - NULL, - ParamPackage, - FORMAT_NUMBER - ); - Status1 =3D GetNumber ( - L"--lookup-ipsec-proto", - 0, - &Indexer->SaId.Proto, - sizeof (EFI_IPSEC_PROTOCOL_TYPE), - mMapIpSecProtocol, - ParamPackage, - FORMAT_STRING - ); - - if (EFI_ERROR (Status) || EFI_ERROR (Status1)) { - return EFI_INVALID_PARAMETER; - } - - ValueStr =3D ShellCommandLineGetValue (ParamPackage, L"--lookup-dest"); - ASSERT (ValueStr !=3D NULL); - - Status =3D EfiInetAddr2 ((CHAR16 *) ValueStr, &Indexer->SaId.DestAddre= ss); - if (EFI_ERROR (Status)) { - ShellPrintHiiEx ( - -1, - -1, - NULL, - 
STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE), - mHiiHandle, - mAppName, - L"--lookup-dest", - ValueStr - ); - return EFI_INVALID_PARAMETER; - } - } - - return EFI_SUCCESS; -} - -/** - Fill in PAD_ENTRY_INDEXER through ParamPackage list. - - @param[in, out] Indexer The pointer to the PAD_ENTRY_INDEXER str= ucture. - @param[in] ParamPackage The pointer to the ParamPackage list. - - @retval EFI_SUCCESS Filled in PAD_ENTRY_INDEXER successfull= y. - @retval EFI_INVALID_PARAMETER The mistaken user input in ParamPackage= list. -**/ -EFI_STATUS -ConstructPadIndexer ( - IN OUT PAD_ENTRY_INDEXER *Indexer, - IN LIST_ENTRY *ParamPackage - ) -{ - EFI_STATUS Status; - UINT64 Value64; - CONST CHAR16 *ValueStr; - - ValueStr =3D NULL; - - if (ShellCommandLineGetFlag (ParamPackage, L"-i")) { - ValueStr =3D ShellCommandLineGetValue (ParamPackage, L"-i"); - } else if (ShellCommandLineGetFlag (ParamPackage, L"-d")) { - ValueStr =3D ShellCommandLineGetValue (ParamPackage, L"-d"); - } else if (ShellCommandLineGetFlag (ParamPackage, L"-e")) { - ValueStr =3D ShellCommandLineGetValue (ParamPackage, L"-e"); - } else { - return EFI_INVALID_PARAMETER; - } - - if (ValueStr =3D=3D NULL) { - return EFI_INVALID_PARAMETER; - } - - Value64 =3D StrToUInteger (ValueStr, &Status); - - if (!EFI_ERROR (Status)) { - Indexer->Index =3D (UINTN) Value64; - ZeroMem (&Indexer->PadId, sizeof (EFI_IPSEC_PAD_ID)); - } else { - - if (ShellCommandLineGetFlag (ParamPackage, L"--lookup-peer-address")) { - ValueStr =3D ShellCommandLineGetValue (ParamPackage, L"--lookup-peer= -address"); - ASSERT (ValueStr !=3D NULL); - - Indexer->PadId.PeerIdValid =3D FALSE; - Status =3D EfiInetAddrRange ((CHAR16 *) ValueStr, &Indexer->PadId.Id= .IpAddress); - if (EFI_ERROR (Status)) { - ShellPrintHiiEx ( - -1, - -1, - NULL, - STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE), - mHiiHandle, - mAppName, - L"--lookup-peer-address", - ValueStr - ); - return EFI_INVALID_PARAMETER; - } - } else { - ValueStr =3D 
ShellCommandLineGetValue (ParamPackage, L"--lookup-peer= -id"); - if (ValueStr =3D=3D NULL) { - ShellPrintHiiEx ( - -1, - -1, - NULL, - STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS), - mHiiHandle, - mAppName, - L"--lookup-peer-address --lookup-peer-id" - ); - return EFI_INVALID_PARAMETER; - } - - Indexer->PadId.PeerIdValid =3D TRUE; - ZeroMem (Indexer->PadId.Id.PeerId, MAX_PEERID_LEN); - StrnCpyS ((CHAR16 *) Indexer->PadId.Id.PeerId, MAX_PEERID_LEN / size= of (CHAR16), ValueStr, MAX_PEERID_LEN / sizeof (CHAR16) - 1); - } - } - - return EFI_SUCCESS; -} - -CONSTRUCT_POLICY_ENTRY_INDEXER mConstructPolicyEntryIndexer[] =3D { - (CONSTRUCT_POLICY_ENTRY_INDEXER) ConstructSpdIndexer, - (CONSTRUCT_POLICY_ENTRY_INDEXER) ConstructSadIndexer, - (CONSTRUCT_POLICY_ENTRY_INDEXER) ConstructPadIndexer -}; diff --git a/NetworkPkg/Application/IpsecConfig/Indexer.h b/NetworkPkg/Appl= ication/IpsecConfig/Indexer.h deleted file mode 100644 index b26e931c73..0000000000 --- a/NetworkPkg/Application/IpsecConfig/Indexer.h +++ /dev/null @@ -1,52 +0,0 @@ -/** @file - The internal structure and function declaration to construct ENTRY_INDEX= ER in - IpSecConfig application. - - Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.
- - SPDX-License-Identifier: BSD-2-Clause-Patent - -**/ - -#ifndef _INDEXER_H_ -#define _INDEXER_H_ - -typedef struct { - UINT8 Name[MAX_PEERID_LEN]; - UINTN Index; // Used only if Name buffer is filled with zero. -} SPD_ENTRY_INDEXER; - -typedef struct { - EFI_IPSEC_SA_ID SaId; - UINTN Index; -} SAD_ENTRY_INDEXER; - -typedef struct { - EFI_IPSEC_PAD_ID PadId; - UINTN Index; -} PAD_ENTRY_INDEXER; - -typedef union { - SPD_ENTRY_INDEXER Spd; - SAD_ENTRY_INDEXER Sad; - PAD_ENTRY_INDEXER Pad; -} POLICY_ENTRY_INDEXER; - -/** - The prototype for the ConstructSpdIndexer()/ConstructSadIndexer()/Constr= uctPadIndexer(). - Fill in SPD_ENTRY_INDEXER/SAD_ENTRY_INDEXER/PAD_ENTRY_INDEXER through Pa= ramPackage list. - - @param[in, out] Indexer The pointer to the POLICY_ENTRY_INDEXER = union. - @param[in] ParamPackage The pointer to the ParamPackage list. - - @retval EFI_SUCCESS Filled in POLICY_ENTRY_INDEXER successfully. -**/ -typedef -EFI_STATUS -(* CONSTRUCT_POLICY_ENTRY_INDEXER) ( - IN POLICY_ENTRY_INDEXER *Indexer, - IN LIST_ENTRY *ParamPackage -); - -extern CONSTRUCT_POLICY_ENTRY_INDEXER mConstructPolicyEntryIndexer[]; -#endif diff --git a/NetworkPkg/Application/IpsecConfig/IpSecConfig.c b/NetworkPkg/= Application/IpsecConfig/IpSecConfig.c deleted file mode 100644 index c10394fce5..0000000000 --- a/NetworkPkg/Application/IpsecConfig/IpSecConfig.c +++ /dev/null @@ -1,806 +0,0 @@ -/** @file - The main process for IpSecConfig application. - - Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.
- - SPDX-License-Identifier: BSD-2-Clause-Patent - -**/ - -#include -#include - -#include - -#include "IpSecConfig.h" -#include "Dump.h" -#include "Indexer.h" -#include "PolicyEntryOperation.h" -#include "Delete.h" -#include "Helper.h" - -// -// String token ID of IpSecConfig command help message text. -// -GLOBAL_REMOVE_IF_UNREFERENCED EFI_STRING_ID mStringIpSecHelpTokenId =3D ST= RING_TOKEN (STR_IPSEC_CONFIG_HELP); - -// -// Used for ShellCommandLineParseEx only -// and to ensure user inputs are in valid format -// -SHELL_PARAM_ITEM mIpSecConfigParamList[] =3D { - { L"-p", TypeValue }, - { L"-a", TypeValue }, - { L"-i", TypeValue }, - { L"-e", TypeValue }, - { L"-d", TypeValue }, - { L"-f", TypeFlag }, - { L"-l", TypeFlag }, - { L"-enable", TypeFlag }, - { L"-disable", TypeFlag }, - { L"-status", TypeFlag }, - - // - // SPD Selector - // - { L"--local", TypeValue }, - { L"--remote", TypeValue }, - { L"--proto", TypeValue }, - { L"--local-port", TypeValue }, - { L"--remote-port", TypeValue }, - { L"--icmp-type", TypeValue }, - { L"--icmp-code", TypeValue }, - - // - // SPD Data - // - { L"--name", TypeValue }, - { L"--packet-flag", TypeValue }, - { L"--action", TypeValue }, - { L"--lifebyte", TypeValue }, - { L"--lifetime-soft", TypeValue }, - { L"--lifetime", TypeValue }, - { L"--mode", TypeValue }, - { L"--tunnel-local", TypeValue }, - { L"--tunnel-remote", TypeValue }, - { L"--dont-fragment", TypeValue }, - { L"--ipsec-proto", TypeValue }, - { L"--auth-algo", TypeValue }, - { L"--encrypt-algo", TypeValue }, - - { L"--ext-sequence", TypeFlag }, - { L"--sequence-overflow", TypeFlag }, - { L"--fragment-check", TypeFlag }, - { L"--ext-sequence-", TypeFlag }, - { L"--sequence-overflow-", TypeFlag }, - { L"--fragment-check-", TypeFlag }, - - // - // SA ID - // --ipsec-proto - // - { L"--spi", TypeValue }, - { L"--tunnel-dest", TypeValue }, - { L"--tunnel-source", TypeValue }, - { L"--lookup-spi", TypeValue }, - { L"--lookup-ipsec-proto", TypeValue }, - { 
L"--lookup-dest", TypeValue }, - - // - // SA DATA - // --mode - // --auth-algo - // --encrypt-algo - // - { L"--sequence-number", TypeValue }, - { L"--antireplay-window", TypeValue }, - { L"--auth-key", TypeValue }, - { L"--encrypt-key", TypeValue }, - { L"--path-mtu", TypeValue }, - - // - // PAD ID - // - { L"--peer-id", TypeValue }, - { L"--peer-address", TypeValue }, - { L"--auth-proto", TypeValue }, - { L"--auth-method", TypeValue }, - { L"--ike-id", TypeValue }, - { L"--ike-id-", TypeValue }, - { L"--auth-data", TypeValue }, - { L"--revocation-data", TypeValue }, - { L"--lookup-peer-id", TypeValue }, - { L"--lookup-peer-address", TypeValue }, - - { NULL, TypeMax }, -}; - -// -// -P -// -STR2INT mMapPolicy[] =3D { - { L"SPD", IPsecConfigDataTypeSpd }, - { L"SAD", IPsecConfigDataTypeSad }, - { L"PAD", IPsecConfigDataTypePad }, - { NULL, 0 }, -}; - -// -// --proto -// -STR2INT mMapIpProtocol[] =3D { - { L"TCP", EFI_IP4_PROTO_TCP }, - { L"UDP", EFI_IP4_PROTO_UDP }, - { L"ICMP", EFI_IP4_PROTO_ICMP }, - { NULL, 0 }, -}; - -// -// --action -// -STR2INT mMapIpSecAction[] =3D { - { L"Bypass", EfiIPsecActionBypass }, - { L"Discard", EfiIPsecActionDiscard }, - { L"Protect", EfiIPsecActionProtect }, - { NULL, 0 }, -}; - -// -// --mode -// -STR2INT mMapIpSecMode[] =3D { - { L"Transport", EfiIPsecTransport }, - { L"Tunnel", EfiIPsecTunnel }, - { NULL, 0 }, -}; - -// -// --dont-fragment -// -STR2INT mMapDfOption[] =3D { - { L"clear", EfiIPsecTunnelClearDf }, - { L"set", EfiIPsecTunnelSetDf }, - { L"copy", EfiIPsecTunnelCopyDf }, - { NULL, 0 }, -}; - -// -// --ipsec-proto -// -STR2INT mMapIpSecProtocol[] =3D { - { L"AH", EfiIPsecAH }, - { L"ESP", EfiIPsecESP }, - { NULL, 0 }, -}; - -// -// --auth-algo -// -STR2INT mMapAuthAlgo[] =3D { - { L"NONE", IPSEC_AALG_NONE }, - { L"MD5HMAC", IPSEC_AALG_MD5HMAC }, - { L"SHA1HMAC", IPSEC_AALG_SHA1HMAC }, - { L"SHA2-256HMAC", IPSEC_AALG_SHA2_256HMAC }, - { L"SHA2-384HMAC", IPSEC_AALG_SHA2_384HMAC }, - { L"SHA2-512HMAC", 
IPSEC_AALG_SHA2_512HMAC }, - { L"AES-XCBC-MAC", IPSEC_AALG_AES_XCBC_MAC }, - { L"NULL", IPSEC_AALG_NULL }, - { NULL, 0 }, -}; - -// -// --encrypt-algo -// -STR2INT mMapEncAlgo[] =3D { - { L"NONE", IPSEC_EALG_NONE }, - { L"DESCBC", IPSEC_EALG_DESCBC }, - { L"3DESCBC", IPSEC_EALG_3DESCBC }, - { L"CASTCBC", IPSEC_EALG_CASTCBC }, - { L"BLOWFISHCBC", IPSEC_EALG_BLOWFISHCBC }, - { L"NULL", IPSEC_EALG_NULL }, - { L"AESCBC", IPSEC_EALG_AESCBC }, - { L"AESCTR", IPSEC_EALG_AESCTR }, - { L"AES-CCM-ICV8", IPSEC_EALG_AES_CCM_ICV8 }, - { L"AES-CCM-ICV12",IPSEC_EALG_AES_CCM_ICV12 }, - { L"AES-CCM-ICV16",IPSEC_EALG_AES_CCM_ICV16 }, - { L"AES-GCM-ICV8", IPSEC_EALG_AES_GCM_ICV8 }, - { L"AES-GCM-ICV12",IPSEC_EALG_AES_GCM_ICV12 }, - { L"AES-GCM-ICV16",IPSEC_EALG_AES_GCM_ICV16 }, - { NULL, 0 }, -}; - -// -// --auth-proto -// -STR2INT mMapAuthProto[] =3D { - { L"IKEv1", EfiIPsecAuthProtocolIKEv1 }, - { L"IKEv2", EfiIPsecAuthProtocolIKEv2 }, - { NULL, 0 }, -}; - -// -// --auth-method -// -STR2INT mMapAuthMethod[] =3D { - { L"PreSharedSecret", EfiIPsecAuthMethodPreSharedSecret }, - { L"Certificates", EfiIPsecAuthMethodCertificates }, - { NULL, 0 }, -}; - -EFI_IPSEC2_PROTOCOL *mIpSec; -EFI_IPSEC_CONFIG_PROTOCOL *mIpSecConfig; -EFI_HII_HANDLE mHiiHandle; -CHAR16 mAppName[] =3D L"IpSecConfig"; - -// -// Used for IpSecConfigRetriveCheckListByName only to check the validation= of user input -// -VAR_CHECK_ITEM mIpSecConfigVarCheckList[] =3D { - { L"-enable", BIT(1)|BIT(0), BIT(1), BIT(2)|BIT(1)|BIT(0)= , 0 }, - { L"-disable", BIT(1)|BIT(0), BIT(1), BIT(2)|BIT(1)|BIT(0)= , 0 }, - { L"-status", BIT(1)|BIT(0), BIT(1), BIT(2)|BIT(1)|BIT(0)= , 0 }, - { L"-p", BIT(1), 0, BIT(2)|BIT(1)|BIT(0)= , 0 }, - - { L"-a", BIT(0), 0, BIT(2)|BIT(1)|BIT(0)= , 0 }, - { L"-i", BIT(0), 0, BIT(2)|BIT(1)|BIT(0)= , 0 }, - { L"-d", BIT(0), 0, BIT(2)|BIT(1)|BIT(0)= , 0 }, - { L"-e", BIT(0), 0, BIT(2)|BIT(1)|BIT(0)= , 0 }, - { L"-l", BIT(0), 0, BIT(2)|BIT(1)|BIT(0)= , 0 }, - { L"-f", BIT(0), 0, BIT(2)|BIT(1)|BIT(0)= , 0 
}, - - { L"-?", BIT(0), BIT(0), BIT(2)|BIT(1)|BIT(0)= , 0 }, - - // - // SPD Selector - // - { L"--local", 0, 0, BIT(2)|BIT(1), = 0 }, - { L"--remote", 0, 0, BIT(2)|BIT(1), = 0 }, - { L"--proto", 0, 0, BIT(2)|BIT(1), = 0 }, - { L"--local-port", 0, 0, BIT(2)|BIT(1), = BIT(0) }, - { L"--remote-port", 0, 0, BIT(2)|BIT(1), = BIT(0) }, - { L"--icmp-type", 0, 0, BIT(2)|BIT(1), = BIT(1) }, - { L"--icmp-code", 0, 0, BIT(2)|BIT(1), = BIT(1) }, - - // - // SPD Data - // - { L"--name", 0, 0, BIT(2), = 0 }, - { L"--packet-flag", 0, 0, BIT(2), = 0 }, - { L"--action", 0, 0, BIT(2)|BIT(1), = 0 }, - { L"--lifebyte", 0, 0, BIT(2)|BIT(1), = 0 }, - { L"--lifetime-soft", 0, 0, BIT(2)|BIT(1), = 0 }, - { L"--lifetime", 0, 0, BIT(2)|BIT(1), = 0 }, - { L"--mode", 0, 0, BIT(2)|BIT(1), = 0 }, - { L"--tunnel-local", 0, 0, BIT(2), = 0 }, - { L"--tunnel-remote", 0, 0, BIT(2), = 0 }, - { L"--dont-fragment", 0, 0, BIT(2), = 0 }, - { L"--ipsec-proto", 0, 0, BIT(2)|BIT(1), = 0 }, - { L"--auth-algo", 0, 0, BIT(2)|BIT(1), = 0 }, - { L"--encrypt-algo", 0, 0, BIT(2)|BIT(1), = 0 }, - - { L"--ext-sequence", 0, 0, BIT(2), = BIT(2) }, - { L"--sequence-overflow", 0, 0, BIT(2), = BIT(2) }, - { L"--fragment-check", 0, 0, BIT(2), = BIT(2) }, - { L"--ext-sequence-", 0, 0, BIT(2), = BIT(3) }, - { L"--sequence-overflow-", 0, 0, BIT(2), = BIT(3) }, - { L"--fragment-check-", 0, 0, BIT(2), = BIT(3) }, - - // - // SA ID - // --ipsec-proto - // - { L"--spi", 0, 0, BIT(1), = 0 }, - { L"--tunnel-dest", 0, 0, BIT(1), = 0 }, - { L"--tunnel-source", 0, 0, BIT(1), = 0 }, - { L"--lookup-spi", 0, 0, BIT(1), = 0 }, - { L"--lookup-ipsec-proto", 0, 0, BIT(1), = 0 }, - { L"--lookup-dest", 0, 0, BIT(1), = 0 }, - - // - // SA DATA - // --mode - // --auth-algo - // --encrypt-algo - // - { L"--sequence-number", 0, 0, BIT(1), = 0 }, - { L"--antireplay-window", 0, 0, BIT(1), = 0 }, - { L"--auth-key", 0, 0, BIT(1), = 0 }, - { L"--encrypt-key", 0, 0, BIT(1), = 0 }, - { L"--path-mtu", 0, 0, BIT(1), = 0 }, - - // - // The example to add a 
PAD: - // "-A --peer-id Mike [--peer-address 10.23.2.2] --auth-proto IKE1/IKE2 - // --auth-method PreSharedSeceret/Certificate --ike-id - // --auth-data 343343 --revocation-data 2342432" - // The example to delete a PAD: - // "-D * --lookup-peer-id Mike [--lookup-peer-address 10.23.2.2]" - // "-D 1" - // The example to edit a PAD: - // "-E * --lookup-peer-id Mike --auth-method Certificate" - - // - // PAD ID - // - { L"--peer-id", 0, 0, BIT(0), = BIT(4) }, - { L"--peer-address", 0, 0, BIT(0), = BIT(5) }, - { L"--auth-proto", 0, 0, BIT(0), = 0 }, - { L"--auth-method", 0, 0, BIT(0), = 0 }, - { L"--IKE-ID", 0, 0, BIT(0), = BIT(6) }, - { L"--IKE-ID-", 0, 0, BIT(0), = BIT(7) }, - { L"--auth-data", 0, 0, BIT(0), = 0 }, - { L"--revocation-data", 0, 0, BIT(0), = 0 }, - { L"--lookup-peer-id", 0, 0, BIT(0), = BIT(4) }, - { L"--lookup-peer-address",0, 0, BIT(0), = BIT(5) }, - - { NULL, 0, 0, 0, = 0 }, -}; - -/** - The function to allocate the proper sized buffer for various - EFI interfaces. - - @param[in, out] Status Current status. - @param[in, out] Buffer Current allocated buffer, or NULL. - @param[in] BufferSize Current buffer size needed - - @retval TRUE If the buffer was reallocated and the caller should try= the API again. - @retval FALSE If the buffer was not reallocated successfully. -**/ -BOOLEAN -GrowBuffer ( - IN OUT EFI_STATUS *Status, - IN OUT VOID **Buffer, - IN UINTN BufferSize - ) -{ - BOOLEAN TryAgain; - - ASSERT (Status !=3D NULL); - ASSERT (Buffer !=3D NULL); - - // - // If this is an initial request, buffer will be null with a new buffer = size. - // - if ((NULL =3D=3D *Buffer) && (BufferSize !=3D 0)) { - *Status =3D EFI_BUFFER_TOO_SMALL; - } - - // - // If the status code is "buffer too small", resize the buffer. 
- // - TryAgain =3D FALSE; - if (*Status =3D=3D EFI_BUFFER_TOO_SMALL) { - - if (*Buffer !=3D NULL) { - FreePool (*Buffer); - } - - *Buffer =3D AllocateZeroPool (BufferSize); - - if (*Buffer !=3D NULL) { - TryAgain =3D TRUE; - } else { - *Status =3D EFI_OUT_OF_RESOURCES; - } - } - - // - // If there's an error, free the buffer. - // - if (!TryAgain && EFI_ERROR (*Status) && (*Buffer !=3D NULL)) { - FreePool (*Buffer); - *Buffer =3D NULL; - } - - return TryAgain; -} - -/** - Function returns an array of handles that support the requested protocol - in a buffer allocated from a pool. - - @param[in] SearchType Specifies which handle(s) are to be return= ed. - @param[in] Protocol Provides the protocol to search by. - This parameter is only valid for SearchTyp= e ByProtocol. - - @param[in] SearchKey Supplies the search key depending on the S= earchType. - @param[in, out] NoHandles The number of handles returned in Buffer. - @param[out] Buffer A pointer to the buffer to return the requ= ested array of - handles that support Protocol. - - @retval EFI_SUCCESS The resulting array of handles was returned. - @retval Others Other mistake case. -**/ -EFI_STATUS -LocateHandle ( - IN EFI_LOCATE_SEARCH_TYPE SearchType, - IN EFI_GUID *Protocol OPTIONAL, - IN VOID *SearchKey OPTIONAL, - IN OUT UINTN *NoHandles, - OUT EFI_HANDLE **Buffer - ) -{ - EFI_STATUS Status; - UINTN BufferSize; - - ASSERT (NoHandles !=3D NULL); - ASSERT (Buffer !=3D NULL); - - // - // Initialize for GrowBuffer loop. - // - Status =3D EFI_SUCCESS; - *Buffer =3D NULL; - BufferSize =3D 50 * sizeof (EFI_HANDLE); - - // - // Call the real function. 
- // - while (GrowBuffer (&Status, (VOID **) Buffer, BufferSize)) { - Status =3D gBS->LocateHandle ( - SearchType, - Protocol, - SearchKey, - &BufferSize, - *Buffer - ); - } - - *NoHandles =3D BufferSize / sizeof (EFI_HANDLE); - if (EFI_ERROR (Status)) { - *NoHandles =3D 0; - } - - return Status; -} - -/** - Find the first instance of this protocol in the system and return its in= terface. - - @param[in] ProtocolGuid The guid of the protocol. - @param[out] Interface The pointer to the first instance of the pro= tocol. - - @retval EFI_SUCCESS A protocol instance matching ProtocolGuid was fou= nd. - @retval Others A protocol instance matching ProtocolGuid was not= found. -**/ -EFI_STATUS -LocateProtocol ( - IN EFI_GUID *ProtocolGuid, - OUT VOID **Interface - ) - -{ - EFI_STATUS Status; - UINTN NumberHandles; - UINTN Index; - EFI_HANDLE *Handles; - - *Interface =3D NULL; - Handles =3D NULL; - NumberHandles =3D 0; - - Status =3D LocateHandle (ByProtocol, ProtocolGuid, NULL, &NumberH= andles, &Handles); - if (EFI_ERROR (Status)) { - DEBUG ((EFI_D_INFO, "LibLocateProtocol: Handle not found\n")); - return Status; - } - - for (Index =3D 0; Index < NumberHandles; Index++) { - ASSERT (Handles !=3D NULL); - Status =3D gBS->HandleProtocol ( - Handles[Index], - ProtocolGuid, - Interface - ); - - if (!EFI_ERROR (Status)) { - break; - } - } - - if (Handles !=3D NULL) { - FreePool (Handles); - } - - return Status; -} - -/** - Helper function called to check the conflicted flags. - - @param[in] CheckList The pointer to the VAR_CHECK_ITEM table. - @param[in] ParamPackage The pointer to the ParamPackage list. - - @retval EFI_SUCCESS No conflicted flags. - @retval EFI_INVALID_PARAMETER The input parameter is erroroneous or t= here are some conflicted flags. 
-**/ -EFI_STATUS -IpSecConfigRetriveCheckListByName ( - IN VAR_CHECK_ITEM *CheckList, - IN LIST_ENTRY *ParamPackage -) -{ - - LIST_ENTRY *Node; - VAR_CHECK_ITEM *Item; - UINT32 Attribute1; - UINT32 Attribute2; - UINT32 Attribute3; - UINT32 Attribute4; - UINT32 Index; - - Attribute1 =3D 0; - Attribute2 =3D 0; - Attribute3 =3D 0; - Attribute4 =3D 0; - Index =3D 0; - Item =3D mIpSecConfigVarCheckList; - - if ((ParamPackage =3D=3D NULL) || (CheckList =3D=3D NULL)) { - return EFI_INVALID_PARAMETER; - } - - // - // Enumerate through the list of parameters that are input by user. - // - for (Node =3D GetFirstNode (ParamPackage); !IsNull (ParamPackage, Node);= Node =3D GetNextNode (ParamPackage, Node)) { - if (((SHELL_PARAM_PACKAGE *) Node)->Name !=3D NULL) { - // - // Enumerate the check list that defines the conflicted attributes o= f each flag. - // - for (; Item->VarName !=3D NULL; Item++) { - if (StrCmp (((SHELL_PARAM_PACKAGE *) Node)->Name, Item->VarName) = =3D=3D 0) { - Index++; - if (Index =3D=3D 1) { - Attribute1 =3D Item->Attribute1; - Attribute2 =3D Item->Attribute2; - Attribute3 =3D Item->Attribute3; - Attribute4 =3D Item->Attribute4; - } else { - Attribute1 &=3D Item->Attribute1; - Attribute2 |=3D Item->Attribute2; - Attribute3 &=3D Item->Attribute3; - Attribute4 |=3D Item->Attribute4; - if (Attribute1 !=3D 0) { - return EFI_INVALID_PARAMETER; - } - - if (Attribute2 !=3D 0) { - if ((Index =3D=3D 2) && (StrCmp (Item->VarName, L"-p") =3D= =3D 0)) { - continue; - } - - return EFI_INVALID_PARAMETER; - } - - if (Attribute3 =3D=3D 0) { - return EFI_INVALID_PARAMETER; - } - if (((Attribute4 & 0xFF) =3D=3D 0x03) || ((Attribute4 & 0xFF) = =3D=3D 0x0C) || - ((Attribute4 & 0xFF) =3D=3D 0x30) || ((Attribute4 & 0xFF) = =3D=3D 0xC0)) { - return EFI_INVALID_PARAMETER; - } - } - break; - } - } - - Item =3D mIpSecConfigVarCheckList; - } - } - - return EFI_SUCCESS; -} - -/** - This is the declaration of an EFI image entry point. 
This entry point is - the same for UEFI Applications, UEFI OS Loaders, and UEFI Drivers, inclu= ding - both device drivers and bus drivers. - - The entry point for IpSecConfig application that parse the command line = input and call an IpSecConfig process. - - @param[in] ImageHandle The image handle of this application. - @param[in] SystemTable The pointer to the EFI System Table. - - @retval EFI_SUCCESS The operation completed successfully. - -**/ -EFI_STATUS -EFIAPI -InitializeIpSecConfig ( - IN EFI_HANDLE ImageHandle, - IN EFI_SYSTEM_TABLE *SystemTable - ) -{ - EFI_STATUS Status; - EFI_IPSEC_CONFIG_DATA_TYPE DataType; - UINT8 Value; - LIST_ENTRY *ParamPackage; - CONST CHAR16 *ValueStr; - CHAR16 *ProblemParam; - UINTN NonOptionCount; - EFI_HII_PACKAGE_LIST_HEADER *PackageList; - - // - // Retrieve HII package list from ImageHandle - // - Status =3D gBS->OpenProtocol ( - ImageHandle, - &gEfiHiiPackageListProtocolGuid, - (VOID **) &PackageList, - ImageHandle, - NULL, - EFI_OPEN_PROTOCOL_GET_PROTOCOL - ); - if (EFI_ERROR (Status)) { - return Status; - } - - // - // Publish HII package list to HII Database. 
- // - Status =3D gHiiDatabase->NewPackageList ( - gHiiDatabase, - PackageList, - NULL, - &mHiiHandle - ); - if (EFI_ERROR (Status)) { - return Status; - } - - ASSERT (mHiiHandle !=3D NULL); - - Status =3D ShellCommandLineParseEx (mIpSecConfigParamList, &ParamPackage= , &ProblemParam, TRUE, FALSE); - if (EFI_ERROR (Status)) { - ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_UNKNOWN_= OPERATION), mHiiHandle, ProblemParam); - goto Done; - } - - Status =3D IpSecConfigRetriveCheckListByName (mIpSecConfigVarCheckList, = ParamPackage); - if (EFI_ERROR (Status)) { - ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_MISTAKEN_OPTION= S), mHiiHandle); - goto Done; - } - - Status =3D LocateProtocol (&gEfiIpSecConfigProtocolGuid, (VOID **) &mIpS= ecConfig); - if (EFI_ERROR (Status) || mIpSecConfig =3D=3D NULL) { - ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_PROTOCOL= _INEXISTENT), mHiiHandle, mAppName); - goto Done; - } - - Status =3D LocateProtocol (&gEfiIpSec2ProtocolGuid, (VOID **) &mIpSec); - if (EFI_ERROR (Status) || mIpSec =3D=3D NULL) { - ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_PROTOCOL= _INEXISTENT), mHiiHandle, mAppName); - goto Done; - } - - // - // Enable IPsec. - // - if (ShellCommandLineGetFlag (ParamPackage, L"-enable")) { - if (!(mIpSec->DisabledFlag)) { - ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_ALREAD= Y_ENABLE), mHiiHandle, mAppName); - } else { - // - // Set enable flag. 
- // - Value =3D IPSEC_STATUS_ENABLED; - Status =3D gRT->SetVariable ( - IPSECCONFIG_STATUS_NAME, - &gEfiIpSecConfigProtocolGuid, - EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_NON_V= OLATILE, - sizeof (Value), - &Value - ); - if (!EFI_ERROR (Status)) { - mIpSec->DisabledFlag =3D FALSE; - ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_ENAB= LE_SUCCESS), mHiiHandle, mAppName); - } else { - ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_ENAB= LE_FAILED), mHiiHandle, mAppName); - } - } - - goto Done; - } - - // - // Disable IPsec. - // - if (ShellCommandLineGetFlag (ParamPackage, L"-disable")) { - if (mIpSec->DisabledFlag) { - ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_ALREAD= Y_DISABLE), mHiiHandle, mAppName); - } else { - // - // Set disable flag; however, leave it to be disabled in the callbac= k function of DisabledEvent. - // - gBS->SignalEvent (mIpSec->DisabledEvent); - if (mIpSec->DisabledFlag) { - ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_DISA= BLE_SUCCESS), mHiiHandle, mAppName); - } else { - ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_DISA= BLE_FAILED), mHiiHandle, mAppName); - } - } - - goto Done; - } - - // - //IPsec Status. - // - if (ShellCommandLineGetFlag (ParamPackage, L"-status")) { - if (mIpSec->DisabledFlag) { - ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_STATUS= _DISABLE), mHiiHandle, mAppName); - } else { - ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_STATUS= _ENABLE), mHiiHandle, mAppName); - } - goto Done; - } - - // - // Try to get policy database type. 
- // - DataType =3D (EFI_IPSEC_CONFIG_DATA_TYPE) - 1; - ValueStr =3D ShellCommandLineGetValue (ParamPackage, L"-p"); - if (ValueStr !=3D NULL) { - DataType =3D (EFI_IPSEC_CONFIG_DATA_TYPE) MapStringToInteger (ValueStr= , mMapPolicy); - if (DataType =3D=3D -1) { - ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_INCORR= ECT_DB), mHiiHandle, mAppName, ValueStr); - goto Done; - } - } - - NonOptionCount =3D ShellCommandLineGetCount (ParamPackage); - if ((NonOptionCount - 1) > 0) { - ValueStr =3D ShellCommandLineGetRawValue (ParamPackage, (UINT32) (NonO= ptionCount - 1)); - ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_REDUNDANCY_MANY= ), mHiiHandle, mAppName, ValueStr); - goto Done; - } - - if (DataType =3D=3D -1) { - ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_= DB), mHiiHandle, mAppName); - goto Done; - } - - if (ShellCommandLineGetFlag (ParamPackage, L"-a")) { - Status =3D AddOrInsertPolicyEntry (DataType, ParamPackage); - if (EFI_ERROR (Status)) { - goto Done; - } - } else if (ShellCommandLineGetFlag (ParamPackage, L"-i")) { - Status =3D AddOrInsertPolicyEntry (DataType, ParamPackage); - if (EFI_ERROR (Status)) { - goto Done; - } - } else if (ShellCommandLineGetFlag (ParamPackage, L"-e")) { - Status =3D EditPolicyEntry (DataType, ParamPackage); - if (EFI_ERROR (Status)) { - goto Done; - } - } else if (ShellCommandLineGetFlag (ParamPackage, L"-d")) { - Status =3D FlushOrDeletePolicyEntry (DataType, ParamPackage); - if (EFI_ERROR (Status)) { - goto Done; - } - } else if (ShellCommandLineGetFlag (ParamPackage, L"-f")) { - Status =3D FlushOrDeletePolicyEntry (DataType, ParamPackage); - if (EFI_ERROR (Status)) { - goto Done; - } - } else if (ShellCommandLineGetFlag (ParamPackage, L"-l")) { - Status =3D ListPolicyEntry (DataType, ParamPackage); - if (EFI_ERROR (Status)) { - goto Done; - } - } else { - ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_UNKNOWN_= OPERATION), mHiiHandle, mAppName); - goto Done; - } 
- -Done: - ShellCommandLineFreeVarList (ParamPackage); - HiiRemovePackages (mHiiHandle); - - return EFI_SUCCESS; -} diff --git a/NetworkPkg/Application/IpsecConfig/IpSecConfig.h b/NetworkPkg/= Application/IpsecConfig/IpSecConfig.h deleted file mode 100644 index e37f8aae80..0000000000 --- a/NetworkPkg/Application/IpsecConfig/IpSecConfig.h +++ /dev/null @@ -1,143 +0,0 @@ -/** @file - The internal structure and function declaration in IpSecConfig applicati= on. - - Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.
- - SPDX-License-Identifier: BSD-2-Clause-Patent - -**/ - -#ifndef _IPSEC_CONFIG_H_ -#define _IPSEC_CONFIG_H_ - -#include -#include -#include -#include -#include -#include -#include -#include - -#include - -#define IPSECCONFIG_STATUS_NAME L"IpSecStatus" - -#define BIT(x) (UINT32) (1 << (x)) - -#define IPSEC_STATUS_DISABLED 0x0 -#define IPSEC_STATUS_ENABLED 0x1 - -#define EFI_IP4_PROTO_ICMP 0x1 -#define EFI_IP4_PROTO_TCP 0x6 -#define EFI_IP4_PROTO_UDP 0x11 - -#define EFI_IPSEC_ANY_PROTOCOL 0xFFFF -#define EFI_IPSEC_ANY_PORT 0 - -/// -/// IPsec Authentication Algorithm Definition -/// The number value definition is aligned to IANA assignment -/// -#define IPSEC_AALG_NONE 0x00 -#define IPSEC_AALG_MD5HMAC 0x01 -#define IPSEC_AALG_SHA1HMAC 0x02 -#define IPSEC_AALG_SHA2_256HMAC 0x05 -#define IPSEC_AALG_SHA2_384HMAC 0x06 -#define IPSEC_AALG_SHA2_512HMAC 0x07 -#define IPSEC_AALG_AES_XCBC_MAC 0x09 -#define IPSEC_AALG_NULL 0xFB - -/// -/// IPsec Encryption Algorithm Definition -/// The number value definition is aligned to IANA assignment -/// -#define IPSEC_EALG_NONE 0x00 -#define IPSEC_EALG_DESCBC 0x02 -#define IPSEC_EALG_3DESCBC 0x03 -#define IPSEC_EALG_CASTCBC 0x06 -#define IPSEC_EALG_BLOWFISHCBC 0x07 -#define IPSEC_EALG_NULL 0x0B -#define IPSEC_EALG_AESCBC 0x0C -#define IPSEC_EALG_AESCTR 0x0D -#define IPSEC_EALG_AES_CCM_ICV8 0x0E -#define IPSEC_EALG_AES_CCM_ICV12 0x0F -#define IPSEC_EALG_AES_CCM_ICV16 0x10 -#define IPSEC_EALG_AES_GCM_ICV8 0x12 -#define IPSEC_EALG_AES_GCM_ICV12 0x13 -#define IPSEC_EALG_AES_GCM_ICV16 0x14 - -typedef struct { - CHAR16 *VarName; - UINT32 Attribute1; - UINT32 Attribute2; - UINT32 Attribute3; - UINT32 Attribute4; -} VAR_CHECK_ITEM; - -typedef struct { - LIST_ENTRY Link; - CHAR16 *Name; - SHELL_PARAM_TYPE Type; - CHAR16 *Value; - UINTN OriginalPosition; -} SHELL_PARAM_PACKAGE; - -typedef struct { - CHAR16 *String; - UINT32 Integer; -} STR2INT; - -extern EFI_IPSEC_CONFIG_PROTOCOL *mIpSecConfig; -extern EFI_HII_HANDLE mHiiHandle; -extern CHAR16 
mAppName[]; - -// -// -P -// -extern STR2INT mMapPolicy[]; - -// -// --proto -// -extern STR2INT mMapIpProtocol[]; - -// -// --action -// -extern STR2INT mMapIpSecAction[]; - -// -// --mode -// -extern STR2INT mMapIpSecMode[]; - -// -// --dont-fragment -// -extern STR2INT mMapDfOption[]; - -// -// --ipsec-proto -// -extern STR2INT mMapIpSecProtocol[]; -// -// --auth-algo -// -extern STR2INT mMapAuthAlgo[]; - -// -// --encrypt-algo -// -extern STR2INT mMapEncAlgo[]; -// -// --auth-proto -// -extern STR2INT mMapAuthProto[]; - -// -// --auth-method -// -extern STR2INT mMapAuthMethod[]; - -#endif diff --git a/NetworkPkg/Application/IpsecConfig/IpSecConfig.inf b/NetworkPk= g/Application/IpsecConfig/IpSecConfig.inf deleted file mode 100644 index 7ad6b5627f..0000000000 --- a/NetworkPkg/Application/IpsecConfig/IpSecConfig.inf +++ /dev/null @@ -1,70 +0,0 @@ -## @file -# Shell application IpSecConfig. -# -# This application is used to set and retrieve security and policy relate= d information -# for the EFI IPsec protocol driver. -# -# Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
-# -# SPDX-License-Identifier: BSD-2-Clause-Patent -# -## - -[Defines] - INF_VERSION =3D 0x00010006 - BASE_NAME =3D IpSecConfig - FILE_GUID =3D 0922E604-F5EC-42ef-980D-A35E9A2B1844 - MODULE_TYPE =3D UEFI_APPLICATION - VERSION_STRING =3D 1.0 - ENTRY_POINT =3D InitializeIpSecConfig - MODULE_UNI_FILE =3D IpSecConfig.uni - -# -# -# This flag specifies whether HII resource section is generated into PE i= mage. -# - UEFI_HII_RESOURCE_SECTION =3D TRUE - -[Sources] - IpSecConfigStrings.uni - IpSecConfig.c - IpSecConfig.h - Dump.c - Dump.h - Indexer.c - Indexer.h - Match.c - Match.h - Delete.h - Delete.c - Helper.c - Helper.h - ForEach.c - ForEach.h - PolicyEntryOperation.c - PolicyEntryOperation.h - -[Packages] - MdePkg/MdePkg.dec - MdeModulePkg/MdeModulePkg.dec - ShellPkg/ShellPkg.dec - -[LibraryClasses] - UefiBootServicesTableLib - UefiApplicationEntryPoint - UefiHiiServicesLib - BaseMemoryLib - ShellLib - MemoryAllocationLib - DebugLib - HiiLib - NetLib - UefiLib - -[Protocols] - gEfiIpSec2ProtocolGuid ##CONSUMES - gEfiIpSecConfigProtocolGuid ##CONSUMES - gEfiHiiPackageListProtocolGuid ##CONSUMES - -[UserExtensions.TianoCore."ExtraFiles"] - IpSecConfigExtra.uni diff --git a/NetworkPkg/Application/IpsecConfig/IpSecConfig.uni b/NetworkPk= g/Application/IpsecConfig/IpSecConfig.uni deleted file mode 100644 index 3d01977ffd..0000000000 --- a/NetworkPkg/Application/IpsecConfig/IpSecConfig.uni +++ /dev/null @@ -1,17 +0,0 @@ -// /** @file -// Shell application IpSecConfig. -// -// This application is used to set and retrieve security and policy relate= d information -// for the EFI IPsec protocol driver. -// -// Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
-// -// SPDX-License-Identifier: BSD-2-Clause-Patent -// -// **/ - - -#string STR_MODULE_ABSTRACT #language en-US "Shell application= IpSecConfig" - -#string STR_MODULE_DESCRIPTION #language en-US "This application = is used to set and retrieve security and policy related information for the= EFI IPsec protocol driver." - diff --git a/NetworkPkg/Application/IpsecConfig/IpSecConfigExtra.uni b/Netw= orkPkg/Application/IpsecConfig/IpSecConfigExtra.uni deleted file mode 100644 index 2fef5f4b31..0000000000 --- a/NetworkPkg/Application/IpsecConfig/IpSecConfigExtra.uni +++ /dev/null @@ -1,14 +0,0 @@ -// /** @file -// IpSecConfig Localized Strings and Content -// -// Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.
-// -// SPDX-License-Identifier: BSD-2-Clause-Patent -// -// **/ - -#string STR_PROPERTIES_MODULE_NAME -#language en-US -"IpSec Config App" - - diff --git a/NetworkPkg/Application/IpsecConfig/IpSecConfigStrings.uni b/Ne= tworkPkg/Application/IpsecConfig/IpSecConfigStrings.uni deleted file mode 100644 index 9a854464a8..0000000000 --- a/NetworkPkg/Application/IpsecConfig/IpSecConfigStrings.uni +++ /dev/null @@ -1,127 +0,0 @@ -/** @file - String definitions for the Shell IpSecConfig application. - - Copyright (c) 2009 - 2014, Intel Corporation. All rights reserved.
- - SPDX-License-Identifier: BSD-2-Clause-Patent - -**/ - -#langdef en-US "English" - -#string STR_IPSEC_CONFIG_UNKNOWN_OPERATION #language en-US "%s: = Operation not specified.\n" - -#string STR_IPSEC_CONFIG_INCORRECT_DB #language en-US "%s: = Incorrect Database - %s.\n" - -#string STR_IPSEC_CONFIG_PROTOCOL_INEXISTENT #language en-US "%s: = IPSEC_CONFIG protocol inexistent.\n" - -#string STR_IPSEC_CONFIG_MISSING_DB #language en-US "%s: = Missing Database.\n" - -#string STR_IPSEC_CONFIG_FILE_OPEN_FAILED #language en-US "%s: = Open file failed - %s.\n" - -#string STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE #language en-US "%s: = Incorrect value of %s - %s.\n" - -#string STR_IPSEC_CONFIG_ACCEPT_PARAMETERS #language en-US " Va= lues could be:" - -#string STR_IPSEC_CONFIG_MISSING_PARAMETER #language en-US "%s: = Missing parameter - %s.\n" - -#string STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS #language en-US "%s: = Missing one of the parameters - %s.\n" - -#string STR_IPSEC_CONFIG_UNWANTED_PARAMETER #language en-US "%s: = Unwanted parameter - %s.\n" - -#string STR_IPSEC_CONFIG_INSERT_FAILED #language en-US "%s: = Policy entry insertion failed!\n" - -#string STR_IPSEC_CONFIG_DELETE_FAILED #language en-US "%s: = Policy entry deletion failed!\n" - -#string STR_IPSEC_CONFIG_EDIT_FAILED #language en-US "%s: = Policy entry edit failed!\n" - -#string STR_IPSEC_CONFIG_ALREADY_EXISTS #language en-US "%s: = Policy entry already exists!\n" - -#string STR_IPSEC_CONFIG_INDEX_NOT_FOUND #language en-US "%s: = Specified index not found!\n" - -#string STR_IPSEC_CONFIG_INDEX_NOT_SPECIFIED #language en-US "%s: = Index should be Specified!\n" - -#string STR_IPSEC_CONFIG_INSERT_UNSUPPORT #language en-US "%s: = Policy entry insertion not supported!\n" - -#string STR_IPSEC_MISTAKEN_OPTIONS #language en-US "Mist= aken Input. 
Please refer to %H"IpSecConfig -?"%N for more help information.= \n" - -#string STR_IPSEC_REDUNDANCY_MANY #language en-US "%s h= as one redundancy option: %H%s%N\n" - -#string STR_IPSEC_CONFIG_ALREADY_ENABLE #language en-US "IPse= c has been already enabled!\n" - -#string STR_IPSEC_CONFIG_ENABLE_SUCCESS #language en-US "Enab= le IPsec ! \n" - -#string STR_IPSEC_CONFIG_DISABLE_SUCCESS #language en-US "Disa= ble IPsec ! \n" - -#string STR_IPSEC_CONFIG_ALREADY_DISABLE #language en-US "IPse= c has been already disabled !\n" - -#string STR_IPSEC_CONFIG_STATUS_ENABLE #language en-US "IPse= c Status : Enabled ! \n" - -#string STR_IPSEC_CONFIG_STATUS_DISABLE #language en-US "IPse= c Status : Disabled ! \n" - -#string STR_IPSEC_CONFIG_ENABLE_FAILED #language en-US "Erro= r: Enable IPsec failed !\n" - -#string STR_IPSEC_CONFIG_DISABLE_FAILED #language en-US "Erro= r: Disable IPsec failed !\n" - -#string STR_IPSEC_CONFIG_HELP #language en-US "" -".TH IpSecConfig 0 "Displays or modifies the current IPsec configuration."= \r\n" -".SH NAME\r\n" -"Displays or modifies the current IPsec configuration.\r\n" -".SH SYNOPSIS\r\n" -" \r\n" -"%HIpSecConfig [-p {SPD|SAD|PAD}] [command] [options[parameters]]\r\n" -".SH OPTIONS\r\n" -" \r\n" -"%H-p (SPD|SAD|PAD)%N required.point to certain policy d= atabase.\r\n" -" \r\n" -"%Hcommand%N:\r\n" -" -a [options[parameters]] Add new policy entry.\r\n" -" -i entryid [options[parameters]] Insert new policy entry before the one= \r\n" -" matched by the entryid.\r\n" -" It's only supported on SPD policy data= base.\r\n" -" -d entryid Delete the policy entry matched by the= \r\n" -" entryid.\r\n" -" -e entryid [options[parameters]] Edit the policy entry matched by the\r= \n" -" entryid.\r\n" -" -f Flush the entire policy database.\r\n" -" -l List all entries for specified databas= e.\r\n" -" -enable Enable IPsec.\r\n" -" -disable Disable IPsec.\r\n" -" -status Show IPsec current status.\r\n" -" \r\n" -"%H[options[parameters]]%N for %HSPD%N:\r\n" -" 
--local localaddress optional local address\r\n" -" --remote remoteaddress required remote address\r\n" -" --proto (TCP|UDP|ICMP|...) required IP protocol\r\n" -" --local-port port optional local port for tcp/udp prot= ocol\r\n" -" --remote-port port optional remote port for tcp/udp pro= tocol\r\n" -" --name name optional SPD name\r\n" -" --action (Bypass|Discard|Protect) required \r\n" -" required IPsec action\r\n" -" --mode (Transport|Tunnel) optional IPsec mode, transport by de= fault\r\n" -" --ipsec-proto (AH|ESP) optional IPsec protocol, ESP by defa= ult\r\n" -" --auth-algo (NONE|SHA1HMAC) optional authentication algorithm\r\= n" -" --encrypt-algo(NONE|DESCBC|3DESCBC)optional encryption algorithm\r\n" -" --tunnel-local tunnellocaladdr optional tunnel local address(only f= or tunnel mode)\r\n" -" --tunnel-remote tunnelremoteaddr optional tunnel remote address(only = for tunnel mode)\r\n" -" \r\n" -"%H[options[parameters]]%N for %HSAD%N:\r\n" -" --spi spi required SPI value\r\n" -" --ipsec-proto (AH|ESP) required IPsec protocol\r\n" -" --local localaddress optional local address\r\n" -" --remote remoteaddress required destination address\r\n" -" --auth-algo (NONE|SHA1HMAC) required for AH. authentication a= lgorithm\n" -" --auth-key key required for AH. key for authenti= cation\r\n" -" --encrypt-algo (NONE|DESCBC|3DESCBC) required for ESP. encryption algo= rithm\r\n" -" --encrypt-key key required for ESP. 
key for encrypt= ion\r\n" -" --mode (Transport|Tunnel) optional IPsec mode, transport by= default\r\n" -" --tunnel-dest tunneldestaddr optional tunnel destination addre= ss(only for tunnel mode)\r\n" -" --tunnel-source tunnelsourceaddr optional tunnel source address(on= ly for tunnel mode)\r\n" -" \r\n" -"%H[options[parameters]]%N for %HPAD%N:\r\n" -" --peer-address address required peer address\r\n" -" --auth-proto (IKEv1|IKEv2) optional IKE protocol, IK= Ev1 by\r\n" -" default\r\n" -" --auth-method (PreSharedSecret|Certificates) required authentication m= ethod\r\n" -" --auth-data authdata required data for authent= ication\r\n" -" \r\n" diff --git a/NetworkPkg/Application/IpsecConfig/Match.c b/NetworkPkg/Applic= ation/IpsecConfig/Match.c deleted file mode 100644 index 9d5a81c4ac..0000000000 --- a/NetworkPkg/Application/IpsecConfig/Match.c +++ /dev/null @@ -1,157 +0,0 @@ -/** @file - The implementation of match policy entry function in IpSecConfig applica= tion. - - Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.
- - SPDX-License-Identifier: BSD-2-Clause-Patent - -**/ - -#include "IpSecConfig.h" -#include "Indexer.h" -#include "Match.h" - -/** - Private function to validate a buffer that should be filled with zero. - - @param[in] Memory The pointer to the buffer. - @param[in] Size The size of the buffer. - - @retval TRUE The memory is filled with zero. - @retval FALSE The memory isn't filled with zero. -**/ -BOOLEAN -IsMemoryZero ( - IN VOID *Memory, - IN UINTN Size - ) -{ - UINTN Index; - - for (Index =3D 0; Index < Size; Index++) { - if (*((UINT8 *) Memory + Index) !=3D 0) { - return FALSE; - } - } - - return TRUE; -} - -/** - Find the matching SPD with Indexer. - - @param[in] Selector The pointer to the EFI_IPSEC_SPD_SELECTOR structu= re. - @param[in] Data The pointer to the EFI_IPSEC_SPD_DATA structure. - @param[in] Indexer The pointer to the SPD_ENTRY_INDEXER structure. - - @retval TRUE The matched SPD is found. - @retval FALSE The matched SPD is not found. -**/ -BOOLEAN -MatchSpdEntry ( - IN EFI_IPSEC_SPD_SELECTOR *Selector, - IN EFI_IPSEC_SPD_DATA *Data, - IN SPD_ENTRY_INDEXER *Indexer - ) -{ - BOOLEAN Match; - - Match =3D FALSE; - if (!IsMemoryZero (Indexer->Name, MAX_PEERID_LEN)) { - if ((Data->Name !=3D NULL) && (AsciiStrCmp ((CHAR8 *) Indexer->Name, (= CHAR8 *) Data->Name) =3D=3D 0)) { - Match =3D TRUE; - } - } else { - if (Indexer->Index =3D=3D 0) { - Match =3D TRUE; - } - - Indexer->Index--; - } - - return Match; -} - -/** - Find the matching SAD with Indexer. - - @param[in] SaId The pointer to the EFI_IPSEC_SA_ID structure. - @param[in] Data The pointer to the EFI_IPSEC_SA_DATA2 structure. - @param[in] Indexer The pointer to the SPD_ENTRY_INDEXER structure. - - @retval TRUE The matched SAD is found. - @retval FALSE The matched SAD is not found. 
-**/ -BOOLEAN -MatchSadEntry ( - IN EFI_IPSEC_SA_ID *SaId, - IN EFI_IPSEC_SA_DATA2 *Data, - IN SAD_ENTRY_INDEXER *Indexer - ) -{ - BOOLEAN Match; - - Match =3D FALSE; - if (!IsMemoryZero (&Indexer->SaId, sizeof (EFI_IPSEC_SA_ID))) { - Match =3D (BOOLEAN) (CompareMem (&Indexer->SaId, SaId, sizeof (EFI_IPS= EC_SA_ID)) =3D=3D 0); - } else { - if (Indexer->Index =3D=3D 0) { - Match =3D TRUE; - } - Indexer->Index--; - } - - return Match; -} - -/** - Find the matching PAD with Indexer. - - @param[in] PadId The pointer to the EFI_IPSEC_PAD_ID structure. - @param[in] Data The pointer to the EFI_IPSEC_PAD_DATA structure. - @param[in] Indexer The pointer to the SPD_ENTRY_INDEXER structure. - - @retval TRUE The matched PAD is found. - @retval FALSE The matched PAD is not found. -**/ -BOOLEAN -MatchPadEntry ( - IN EFI_IPSEC_PAD_ID *PadId, - IN EFI_IPSEC_PAD_DATA *Data, - IN PAD_ENTRY_INDEXER *Indexer - ) -{ - BOOLEAN Match; - - Match =3D FALSE; - if (!IsMemoryZero (&Indexer->PadId, sizeof (EFI_IPSEC_PAD_ID))) { - Match =3D (BOOLEAN) ((Indexer->PadId.PeerIdValid =3D=3D PadId->PeerIdV= alid) && - ((PadId->PeerIdValid && - (StrCmp ( - (CONST CHAR16 *) Indexer->PadId.Id.PeerId, - (CONST CHAR16 *) PadId->Id.PeerId - ) =3D=3D 0)) || - ((!PadId->PeerIdValid) && - (Indexer->PadId.Id.IpAddress.PrefixLength =3D=3D = PadId->Id.IpAddress.PrefixLength) && - (CompareMem ( - &Indexer->PadId.Id.IpAddress.Address, - &PadId->Id.IpAddress.Address, - sizeof (EFI_IP_ADDRESS) - ) =3D=3D 0)))); - } else { - if (Indexer->Index =3D=3D 0) { - Match =3D TRUE; - } - - Indexer->Index--; - } - - return Match; -} - -MATCH_POLICY_ENTRY mMatchPolicyEntry[] =3D { - (MATCH_POLICY_ENTRY) MatchSpdEntry, - (MATCH_POLICY_ENTRY) MatchSadEntry, - (MATCH_POLICY_ENTRY) MatchPadEntry -}; - diff --git a/NetworkPkg/Application/IpsecConfig/Match.h b/NetworkPkg/Applic= ation/IpsecConfig/Match.h deleted file mode 100644 index 2e0b31b8b9..0000000000 --- a/NetworkPkg/Application/IpsecConfig/Match.h +++ /dev/null 
@@ -1,35 +0,0 @@ -/** @file - The internal structure and function declaration of - match policy entry function in IpSecConfig application. - - Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
- - SPDX-License-Identifier: BSD-2-Clause-Patent - -**/ - -#ifndef _MATCH_H_ -#define _MATCH_H_ - -/** - The prototype for the MatchSpdEntry()/MatchSadEntry()/MatchPadEntry(). - The functionality is to find the matching SPD/SAD/PAD with Indexer. - - @param[in] Selector The pointer to the EFI_IPSEC_CONFIG_SELECTOR unio= n. - @param[in] Data The pointer to corresponding Data. - @param[in] Indexer The pointer to the POLICY_ENTRY_INDEXER union. - - @retval TRUE The matched SPD/SAD/PAD is found. - @retval FALSE The matched SPD/SAD/PAD is not found. -**/ -typedef -BOOLEAN -(* MATCH_POLICY_ENTRY) ( - IN EFI_IPSEC_CONFIG_SELECTOR *Selector, - IN VOID *Data, - IN POLICY_ENTRY_INDEXER *Indexer - ); - -extern MATCH_POLICY_ENTRY mMatchPolicyEntry[]; - -#endif diff --git a/NetworkPkg/Application/IpsecConfig/PolicyEntryOperation.c b/Ne= tworkPkg/Application/IpsecConfig/PolicyEntryOperation.c deleted file mode 100644 index 16f3590977..0000000000 --- a/NetworkPkg/Application/IpsecConfig/PolicyEntryOperation.c +++ /dev/null @@ -1,2070 +0,0 @@ -/** @file - The implementation of policy entry operation function in IpSecConfig app= lication. - - Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
- - SPDX-License-Identifier: BSD-2-Clause-Patent - -**/ - -#include "IpSecConfig.h" -#include "Indexer.h" -#include "Match.h" -#include "Helper.h" -#include "ForEach.h" -#include "PolicyEntryOperation.h" - -/** - Fill in EFI_IPSEC_SPD_SELECTOR through ParamPackage list. - - @param[out] Selector The pointer to the EFI_IPSEC_SPD_SELECTO= R structure. - @param[in] ParamPackage The pointer to the ParamPackage list. - @param[in, out] Mask The pointer to the Mask. - - @retval EFI_SUCCESS Fill in EFI_IPSEC_SPD_SELECTOR successf= ully. - @retval EFI_INVALID_PARAMETER Invalid user input parameter. - -**/ -EFI_STATUS -CreateSpdSelector ( - OUT EFI_IPSEC_SPD_SELECTOR *Selector, - IN LIST_ENTRY *ParamPackage, - IN OUT UINT32 *Mask - ) -{ - EFI_STATUS Status; - EFI_STATUS ReturnStatus; - CONST CHAR16 *ValueStr; - - Status =3D EFI_SUCCESS; - ReturnStatus =3D EFI_SUCCESS; - - // - // Convert user imput from string to integer, and fill in the member in = EFI_IPSEC_SPD_SELECTOR. - // - ValueStr =3D ShellCommandLineGetValue (ParamPackage, L"--local"); - if (ValueStr !=3D NULL) { - Selector->LocalAddressCount =3D 1; - Status =3D EfiInetAddrRange ((CHAR16 *) ValueStr, Selector->LocalAddre= ss); - if (EFI_ERROR (Status)) { - ShellPrintHiiEx ( - -1, - -1, - NULL, - STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE), - mHiiHandle, - mAppName, - L"--local", - ValueStr - ); - ReturnStatus =3D EFI_INVALID_PARAMETER; - } else { - *Mask |=3D LOCAL; - } - } - - // - // Convert user imput from string to integer, and fill in the member in = EFI_IPSEC_SPD_SELECTOR. 
- // - ValueStr =3D ShellCommandLineGetValue (ParamPackage, L"--remote"); - if (ValueStr !=3D NULL) { - Selector->RemoteAddressCount =3D 1; - Status =3D EfiInetAddrRange ((CHAR16 *) ValueStr, Selector->RemoteAddr= ess); - if (EFI_ERROR (Status)) { - ShellPrintHiiEx ( - -1, - -1, - NULL, - STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE), - mHiiHandle, - mAppName, - L"--remote", - ValueStr - ); - ReturnStatus =3D EFI_INVALID_PARAMETER; - } else { - *Mask |=3D REMOTE; - } - } - - Selector->NextLayerProtocol =3D EFI_IPSEC_ANY_PROTOCOL; - - // - // Convert user imput from string to integer, and fill in the member in = EFI_IPSEC_SPD_SELECTOR. - // - Status =3D GetNumber ( - L"--proto", - (UINT16) -1, - &Selector->NextLayerProtocol, - sizeof (UINT16), - mMapIpProtocol, - ParamPackage, - FORMAT_NUMBER | FORMAT_STRING - ); - if (!EFI_ERROR (Status)) { - *Mask |=3D PROTO; - } - - if (Status =3D=3D EFI_INVALID_PARAMETER) { - ReturnStatus =3D EFI_INVALID_PARAMETER; - } - - Selector->LocalPort =3D EFI_IPSEC_ANY_PORT; - Selector->RemotePort =3D EFI_IPSEC_ANY_PORT; - - // - // Convert user imput from string to integer, and fill in the member in = EFI_IPSEC_SPD_SELECTOR. - // - ValueStr =3D ShellCommandLineGetValue (ParamPackage, L"--local-port"); - if (ValueStr !=3D NULL) { - Status =3D EfiInetPortRange ((CHAR16 *) ValueStr, &Selector->LocalPort= , &Selector->LocalPortRange); - if (EFI_ERROR (Status)) { - ShellPrintHiiEx ( - -1, - -1, - NULL, - STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE), - mHiiHandle, - mAppName, - L"--local-port", - ValueStr - ); - ReturnStatus =3D EFI_INVALID_PARAMETER; - } else { - *Mask |=3D LOCAL_PORT; - } - } - - // - // Convert user imput from string to integer, and fill in the member in = EFI_IPSEC_SPD_SELECTOR. 
- // - ValueStr =3D ShellCommandLineGetValue (ParamPackage, L"--remote-port"); - if (ValueStr !=3D NULL) { - Status =3D EfiInetPortRange ((CHAR16 *) ValueStr, &Selector->RemotePor= t, &Selector->RemotePortRange); - if (EFI_ERROR (Status)) { - ShellPrintHiiEx ( - -1, - -1, - NULL, - STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE), - mHiiHandle, - mAppName, - L"--remote-port", - ValueStr - ); - ReturnStatus =3D EFI_INVALID_PARAMETER; - } else { - *Mask |=3D REMOTE_PORT; - } - } - - // - // Convert user imput from string to integer, and fill in the member in = EFI_IPSEC_SPD_SELECTOR. - // - Status =3D GetNumber ( - L"--icmp-type", - (UINT8) -1, - &Selector->LocalPort, - sizeof (UINT16), - NULL, - ParamPackage, - FORMAT_NUMBER - ); - if (!EFI_ERROR (Status)) { - *Mask |=3D ICMP_TYPE; - } - - if (Status =3D=3D EFI_INVALID_PARAMETER) { - ReturnStatus =3D EFI_INVALID_PARAMETER; - } - - // - // Convert user imput from string to integer, and fill in the member in = EFI_IPSEC_SPD_SELECTOR. - // - Status =3D GetNumber ( - L"--icmp-code", - (UINT8) -1, - &Selector->RemotePort, - sizeof (UINT16), - NULL, - ParamPackage, - FORMAT_NUMBER - ); - if (!EFI_ERROR (Status)) { - *Mask |=3D ICMP_CODE; - } - - if (Status =3D=3D EFI_INVALID_PARAMETER) { - ReturnStatus =3D EFI_INVALID_PARAMETER; - } - - return ReturnStatus; -} - -/** - Fill in EFI_IPSEC_SPD_SELECTOR and EFI_IPSEC_SPD_DATA through ParamPacka= ge list. - - @param[out] Selector The pointer to the EFI_IPSEC_SPD_SELECTOR st= ructure. - @param[out] Data The pointer to the EFI_IPSEC_SPD_DATA struct= ure. - @param[in] ParamPackage The pointer to the ParamPackage list. - @param[out] Mask The pointer to the Mask. - @param[in] CreateNew The switch to create new. - - @retval EFI_SUCCESS Fill in EFI_IPSEC_SPD_SELECTOR and EFI_= IPSEC_SPD_DATA successfully. - @retval EFI_INVALID_PARAMETER Invalid user input parameter. 
- -**/ -EFI_STATUS -CreateSpdEntry ( - OUT EFI_IPSEC_SPD_SELECTOR **Selector, - OUT EFI_IPSEC_SPD_DATA **Data, - IN LIST_ENTRY *ParamPackage, - OUT UINT32 *Mask, - IN BOOLEAN CreateNew - ) -{ - EFI_STATUS Status; - EFI_STATUS ReturnStatus; - CONST CHAR16 *ValueStr; - UINTN DataSize; - - Status =3D EFI_SUCCESS; - *Mask =3D 0; - - *Selector =3D AllocateZeroPool (sizeof (EFI_IPSEC_SPD_SELECTOR) + 2 * si= zeof (EFI_IP_ADDRESS_INFO)); - ASSERT (*Selector !=3D NULL); - - (*Selector)->LocalAddress =3D (EFI_IP_ADDRESS_INFO *) (*Selector + 1); - (*Selector)->RemoteAddress =3D (*Selector)->LocalAddress + 1; - - ReturnStatus =3D CreateSpdSelector (*Selector, ParamPackage, Mask); - - // - // SPD DATA - // NOTE: Allocate enough memory and add padding for different arch. - // - DataSize =3D ALIGN_VARIABLE (sizeof (EFI_IPSEC_SPD_DATA)); - DataSize =3D ALIGN_VARIABLE (DataSize + sizeof (EFI_IPSEC_PROCESS_POLIC= Y)); - DataSize +=3D sizeof (EFI_IPSEC_TUNNEL_OPTION); - - *Data =3D AllocateZeroPool (DataSize); - ASSERT (*Data !=3D NULL); - - (*Data)->ProcessingPolicy =3D (EFI_IPSEC_PROCESS_POLICY *)= ALIGN_POINTER ( - = (*Data + 1), - = sizeof (UINTN) - = ); - (*Data)->ProcessingPolicy->TunnelOption =3D (EFI_IPSEC_TUNNEL_OPTION *) = ALIGN_POINTER ( - = ((*Data)->ProcessingPolicy + 1), - = sizeof (UINTN) - = ); - - - // - // Convert user imput from string to integer, and fill in the Name in EF= I_IPSEC_SPD_DATA. - // - ValueStr =3D ShellCommandLineGetValue (ParamPackage, L"--name"); - if (ValueStr !=3D NULL) { - UnicodeStrToAsciiStrS (ValueStr, (CHAR8 *) (*Data)->Name, sizeof ((*Da= ta)->Name)); - *Mask |=3D NAME; - } - - // - // Convert user imput from string to integer, and fill in the PackageFla= g in EFI_IPSEC_SPD_DATA. 
- // - Status =3D GetNumber ( - L"--packet-flag", - (UINT8) -1, - &(*Data)->PackageFlag, - sizeof (UINT32), - NULL, - ParamPackage, - FORMAT_NUMBER - ); - if (!EFI_ERROR (Status)) { - *Mask |=3D PACKET_FLAG; - } - - if (Status =3D=3D EFI_INVALID_PARAMETER) { - ReturnStatus =3D EFI_INVALID_PARAMETER; - } - - // - // Convert user imput from string to integer, and fill in the Action in = EFI_IPSEC_SPD_DATA. - // - Status =3D GetNumber ( - L"--action", - (UINT8) -1, - &(*Data)->Action, - sizeof (UINT32), - mMapIpSecAction, - ParamPackage, - FORMAT_STRING - ); - if (!EFI_ERROR (Status)) { - *Mask |=3D ACTION; - } - - if (Status =3D=3D EFI_INVALID_PARAMETER) { - ReturnStatus =3D EFI_INVALID_PARAMETER; - } - - // - // Convert user imput from string to integer, and fill in the ExtSeqNum = in EFI_IPSEC_SPD_DATA. - // - if (ShellCommandLineGetFlag (ParamPackage, L"--ext-sequence")) { - (*Data)->ProcessingPolicy->ExtSeqNum =3D TRUE; - *Mask |=3D EXT_SEQUENCE; - } else if (ShellCommandLineGetFlag (ParamPackage, L"--ext-sequence-")) { - (*Data)->ProcessingPolicy->ExtSeqNum =3D FALSE; - *Mask |=3D EXT_SEQUENCE; - } - - // - // Convert user imput from string to integer, and fill in the SeqOverflo= w in EFI_IPSEC_SPD_DATA. - // - if (ShellCommandLineGetFlag (ParamPackage, L"--sequence-overflow")) { - (*Data)->ProcessingPolicy->SeqOverflow =3D TRUE; - *Mask |=3D SEQUENCE_OVERFLOW; - } else if (ShellCommandLineGetFlag (ParamPackage, L"--sequence-overflow-= ")) { - (*Data)->ProcessingPolicy->SeqOverflow =3D FALSE; - *Mask |=3D SEQUENCE_OVERFLOW; - } - - // - // Convert user imput from string to integer, and fill in the FragCheck = in EFI_IPSEC_SPD_DATA. 
- // - if (ShellCommandLineGetFlag (ParamPackage, L"--fragment-check")) { - (*Data)->ProcessingPolicy->FragCheck =3D TRUE; - *Mask |=3D FRAGMENT_CHECK; - } else if (ShellCommandLineGetFlag (ParamPackage, L"--fragment-check-"))= { - (*Data)->ProcessingPolicy->FragCheck =3D FALSE; - *Mask |=3D FRAGMENT_CHECK; - } - - // - // Convert user imput from string to integer, and fill in the Processing= Policy in EFI_IPSEC_SPD_DATA. - // - Status =3D GetNumber ( - L"--lifebyte", - (UINT64) -1, - &(*Data)->ProcessingPolicy->SaLifetime.ByteCount, - sizeof (UINT64), - NULL, - ParamPackage, - FORMAT_NUMBER - ); - if (!EFI_ERROR (Status)) { - *Mask |=3D LIFEBYTE; - } - - if (Status =3D=3D EFI_INVALID_PARAMETER) { - ReturnStatus =3D EFI_INVALID_PARAMETER; - } - - Status =3D GetNumber ( - L"--lifetime", - (UINT64) -1, - &(*Data)->ProcessingPolicy->SaLifetime.HardLifetime, - sizeof (UINT64), - NULL, - ParamPackage, - FORMAT_NUMBER - ); - if (!EFI_ERROR (Status)) { - *Mask |=3D LIFETIME; - } - if (Status =3D=3D EFI_INVALID_PARAMETER) { - ReturnStatus =3D EFI_INVALID_PARAMETER; - } - - Status =3D GetNumber ( - L"--lifetime-soft", - (UINT64) -1, - &(*Data)->ProcessingPolicy->SaLifetime.SoftLifetime, - sizeof (UINT64), - NULL, - ParamPackage, - FORMAT_NUMBER - ); - if (!EFI_ERROR (Status)) { - *Mask |=3D LIFETIME_SOFT; - } - - if (Status =3D=3D EFI_INVALID_PARAMETER) { - ReturnStatus =3D EFI_INVALID_PARAMETER; - } - - (*Data)->ProcessingPolicy->Mode =3D EfiIPsecTransport; - Status =3D GetNumber ( - L"--mode", - 0, - &(*Data)->ProcessingPolicy->Mode, - sizeof (UINT32), - mMapIpSecMode, - ParamPackage, - FORMAT_STRING - ); - if (!EFI_ERROR (Status)) { - *Mask |=3D MODE; - } - - if (Status =3D=3D EFI_INVALID_PARAMETER) { - ReturnStatus =3D EFI_INVALID_PARAMETER; - } - - ValueStr =3D ShellCommandLineGetValue (ParamPackage, L"--tunnel-local"); - if (ValueStr !=3D NULL) { - Status =3D EfiInetAddr2 ((CHAR16 *) ValueStr, &(*Data)->ProcessingPoli= cy->TunnelOption->LocalTunnelAddress); - if 
(EFI_ERROR (Status)) { - ShellPrintHiiEx ( - -1, - -1, - NULL, - STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE), - mHiiHandle, - mAppName, - L"--tunnel-local", - ValueStr - ); - ReturnStatus =3D EFI_INVALID_PARAMETER; - } else { - *Mask |=3D TUNNEL_LOCAL; - } - } - - ValueStr =3D ShellCommandLineGetValue (ParamPackage, L"--tunnel-remote"); - if (ValueStr !=3D NULL) { - Status =3D EfiInetAddr2 ((CHAR16 *) ValueStr, &(*Data)->ProcessingPoli= cy->TunnelOption->RemoteTunnelAddress); - if (EFI_ERROR (Status)) { - ShellPrintHiiEx ( - -1, - -1, - NULL, - STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE), - mHiiHandle, - mAppName, - L"--tunnel-remote", - ValueStr - ); - ReturnStatus =3D EFI_INVALID_PARAMETER; - } else { - *Mask |=3D TUNNEL_REMOTE; - } - } - - (*Data)->ProcessingPolicy->TunnelOption->DF =3D EfiIPsecTunnelCopyDf; - Status =3D GetNumber ( - L"--dont-fragment", - 0, - &(*Data)->ProcessingPolicy->TunnelOption->DF, - sizeof (UINT32), - mMapDfOption, - ParamPackage, - FORMAT_STRING - ); - if (!EFI_ERROR (Status)) { - *Mask |=3D DONT_FRAGMENT; - } - - if (Status =3D=3D EFI_INVALID_PARAMETER) { - ReturnStatus =3D EFI_INVALID_PARAMETER; - } - - (*Data)->ProcessingPolicy->Proto =3D EfiIPsecESP; - Status =3D GetNumber ( - L"--ipsec-proto", - 0, - &(*Data)->ProcessingPolicy->Proto, - sizeof (UINT32), - mMapIpSecProtocol, - ParamPackage, - FORMAT_STRING - ); - if (!EFI_ERROR (Status)) { - *Mask |=3D IPSEC_PROTO; - } - - if (Status =3D=3D EFI_INVALID_PARAMETER) { - ReturnStatus =3D EFI_INVALID_PARAMETER; - } - - Status =3D GetNumber ( - L"--encrypt-algo", - 0, - &(*Data)->ProcessingPolicy->EncAlgoId, - sizeof (UINT8), - mMapEncAlgo, - ParamPackage, - FORMAT_STRING - ); - if (!EFI_ERROR (Status)) { - *Mask |=3D ENCRYPT_ALGO; - } - - if (Status =3D=3D EFI_INVALID_PARAMETER) { - ReturnStatus =3D EFI_INVALID_PARAMETER; - } - - Status =3D GetNumber ( - L"--auth-algo", - 0, - &(*Data)->ProcessingPolicy->AuthAlgoId, - sizeof (UINT8), - mMapAuthAlgo, - 
ParamPackage, - FORMAT_STRING - ); - if (!EFI_ERROR (Status)) { - *Mask |=3D AUTH_ALGO; - } - - if (Status =3D=3D EFI_INVALID_PARAMETER) { - ReturnStatus =3D EFI_INVALID_PARAMETER; - } - - // - // Cannot check Mode against EfiIPsecTunnel, because user may want to ch= ange tunnel_remote only so the Mode is not set. - // - if ((*Mask & (TUNNEL_LOCAL | TUNNEL_REMOTE | DONT_FRAGMENT)) =3D=3D 0) { - (*Data)->ProcessingPolicy->TunnelOption =3D NULL; - } - - if ((*Mask & (EXT_SEQUENCE | SEQUENCE_OVERFLOW | FRAGMENT_CHECK | LIFEBY= TE | - LIFETIME_SOFT | LIFETIME | MODE | TUNNEL_LOCAL | TUNNEL_RE= MOTE | - DONT_FRAGMENT | IPSEC_PROTO | AUTH_ALGO | ENCRYPT_ALGO)) = =3D=3D 0) { - if ((*Data)->Action !=3D EfiIPsecActionProtect) { - // - // User may not provide additional parameter for Protect action, so = we cannot simply set ProcessingPolicy to NULL. - // - (*Data)->ProcessingPolicy =3D NULL; - } - } - - if (CreateNew) { - if ((*Mask & (LOCAL | REMOTE | PROTO | ACTION)) !=3D (LOCAL | REMOTE |= PROTO | ACTION)) { - ShellPrintHiiEx ( - -1, - -1, - NULL, - STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS), - mHiiHandle, - mAppName, - L"--local --remote --proto --action" - ); - ReturnStatus =3D EFI_INVALID_PARAMETER; - } else if (((*Data)->Action =3D=3D EfiIPsecActionProtect) && - ((*Data)->ProcessingPolicy->Mode =3D=3D EfiIPsecTunnel) && - ((*Mask & (TUNNEL_LOCAL | TUNNEL_REMOTE)) !=3D (TUNNEL_LOCA= L | TUNNEL_REMOTE))) { - ShellPrintHiiEx ( - -1, - -1, - NULL, - STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS), - mHiiHandle, - mAppName, - L"--tunnel-local --tunnel-remote" - ); - ReturnStatus =3D EFI_INVALID_PARAMETER; - } - } - - return ReturnStatus; -} - -/** - Fill in EFI_IPSEC_SA_ID and EFI_IPSEC_SA_DATA2 through ParamPackage list. - - @param[out] SaId The pointer to the EFI_IPSEC_SA_ID structure. - @param[out] Data The pointer to the EFI_IPSEC_SA_DATA2 struct= ure. - @param[in] ParamPackage The pointer to the ParamPackage list. 
- @param[out] Mask The pointer to the Mask. - @param[in] CreateNew The switch to create new. - - @retval EFI_SUCCESS Fill in EFI_IPSEC_SA_ID and EFI_IPSEC_S= A_DATA2 successfully. - @retval EFI_INVALID_PARAMETER Invalid user input parameter. - -**/ -EFI_STATUS -CreateSadEntry ( - OUT EFI_IPSEC_SA_ID **SaId, - OUT EFI_IPSEC_SA_DATA2 **Data, - IN LIST_ENTRY *ParamPackage, - OUT UINT32 *Mask, - IN BOOLEAN CreateNew - ) -{ - EFI_STATUS Status; - EFI_STATUS ReturnStatus; - UINTN AuthKeyLength; - UINTN EncKeyLength; - CONST CHAR16 *ValueStr; - CHAR8 *AsciiStr; - UINTN DataSize; - - Status =3D EFI_SUCCESS; - ReturnStatus =3D EFI_SUCCESS; - *Mask =3D 0; - AuthKeyLength =3D 0; - EncKeyLength =3D 0; - - *SaId =3D AllocateZeroPool (sizeof (EFI_IPSEC_SA_ID)); - ASSERT (*SaId !=3D NULL); - - // - // Convert user imput from string to integer, and fill in the Spi in EFI= _IPSEC_SA_ID. - // - Status =3D GetNumber (L"--spi", (UINT32) -1, &(*SaId)->Spi, sizeof (UINT= 32), NULL, ParamPackage, FORMAT_NUMBER); - if (!EFI_ERROR (Status)) { - *Mask |=3D SPI; - } - - if (Status =3D=3D EFI_INVALID_PARAMETER) { - ReturnStatus =3D EFI_INVALID_PARAMETER; - } - - // - // Convert user imput from string to integer, and fill in the Proto in E= FI_IPSEC_SA_ID. - // - Status =3D GetNumber ( - L"--ipsec-proto", - 0, - &(*SaId)->Proto, - sizeof (EFI_IPSEC_PROTOCOL_TYPE), - mMapIpSecProtocol, - ParamPackage, - FORMAT_STRING - ); - if (!EFI_ERROR (Status)) { - *Mask |=3D IPSEC_PROTO; - } - - if (Status =3D=3D EFI_INVALID_PARAMETER) { - ReturnStatus =3D EFI_INVALID_PARAMETER; - } - - // - // Convert user imput from string to integer, and fill in EFI_IPSEC_SA_D= ATA2. 
- // - ValueStr =3D ShellCommandLineGetValue (ParamPackage, L"--auth-key"); - if (ValueStr !=3D NULL) { - AuthKeyLength =3D StrLen (ValueStr); - } - - ValueStr =3D ShellCommandLineGetValue (ParamPackage, L"--encrypt-key"); - if (ValueStr !=3D NULL) { - EncKeyLength =3D StrLen (ValueStr); - } - - // - // EFI_IPSEC_SA_DATA2: - // +------------ - // | EFI_IPSEC_SA_DATA2 - // +----------------------- - // | AuthKey - // +------------------------- - // | EncKey - // +------------------------- - // | SpdSelector - // - // Notes: To make sure the address alignment add padding after each data= if needed. - // - DataSize =3D ALIGN_VARIABLE (sizeof (EFI_IPSEC_SA_DATA2)); - DataSize =3D ALIGN_VARIABLE (DataSize + AuthKeyLength); - DataSize =3D ALIGN_VARIABLE (DataSize + EncKeyLength); - DataSize =3D ALIGN_VARIABLE (DataSize + sizeof (EFI_IPSEC_SPD_SELECTOR)= ); - DataSize =3D ALIGN_VARIABLE (DataSize + sizeof (EFI_IP_ADDRESS_INFO)); - DataSize +=3D sizeof (EFI_IP_ADDRESS_INFO); - - - - *Data =3D AllocateZeroPool (DataSize); - ASSERT (*Data !=3D NULL); - - (*Data)->ManualSet =3D TRUE; - (*Data)->AlgoInfo.EspAlgoInfo.AuthKey =3D (VOID *) ALIGN_POINTER (((*Dat= a) + 1), sizeof (UINTN)); - (*Data)->AlgoInfo.EspAlgoInfo.EncKey =3D (VOID *) ALIGN_POINTER ( - ((UINT8 *) (*Data)->A= lgoInfo.EspAlgoInfo.AuthKey + AuthKeyLength), - sizeof (UINTN) - ); - (*Data)->SpdSelector =3D (EFI_IPSEC_SPD_SELECTOR *) ALI= GN_POINTER ( - ((U= INT8 *) (*Data)->AlgoInfo.EspAlgoInfo.EncKey + EncKeyLength), - siz= eof (UINTN) - ); - (*Data)->SpdSelector->LocalAddress =3D (EFI_IP_ADDRESS_INFO *) ALIGN_= POINTER ( - ((UINT= 8 *) (*Data)->SpdSelector + sizeof (EFI_IPSEC_SPD_SELECTOR)), - sizeof= (UINTN)); - (*Data)->SpdSelector->RemoteAddress =3D (EFI_IP_ADDRESS_INFO *) ALIGN_= POINTER ( - (*Data= )->SpdSelector->LocalAddress + 1, - sizeof= (UINTN) - ); - - (*Data)->Mode =3D EfiIPsecTransport; - Status =3D GetNumber ( - L"--mode", - 0, - &(*Data)->Mode, - sizeof (EFI_IPSEC_MODE), - mMapIpSecMode, - 
ParamPackage, - FORMAT_STRING - ); - if (!EFI_ERROR (Status)) { - *Mask |=3D MODE; - } - - if (Status =3D=3D EFI_INVALID_PARAMETER) { - ReturnStatus =3D EFI_INVALID_PARAMETER; - } - - // - // According to RFC 4303-3.3.3. The first packet sent using a given SA - // will contain a sequence number of 1. - // - (*Data)->SNCount =3D 1; - Status =3D GetNumber ( - L"--sequence-number", - (UINT64) -1, - &(*Data)->SNCount, - sizeof (UINT64), - NULL, - ParamPackage, - FORMAT_NUMBER - ); - if (!EFI_ERROR (Status)) { - *Mask |=3D SEQUENCE_NUMBER; - } - - if (Status =3D=3D EFI_INVALID_PARAMETER) { - ReturnStatus =3D EFI_INVALID_PARAMETER; - } - - (*Data)->AntiReplayWindows =3D 0; - Status =3D GetNumber ( - L"--antireplay-window", - (UINT8) -1, - &(*Data)->AntiReplayWindows, - sizeof (UINT8), - NULL, - ParamPackage, - FORMAT_NUMBER - ); - if (!EFI_ERROR (Status)) { - *Mask |=3D SEQUENCE_NUMBER; - } - - if (Status =3D=3D EFI_INVALID_PARAMETER) { - ReturnStatus =3D EFI_INVALID_PARAMETER; - } - - Status =3D GetNumber ( - L"--encrypt-algo", - 0, - &(*Data)->AlgoInfo.EspAlgoInfo.EncAlgoId, - sizeof (UINT8), - mMapEncAlgo, - ParamPackage, - FORMAT_STRING - ); - if (!EFI_ERROR (Status)) { - *Mask |=3D ENCRYPT_ALGO; - } - - if (Status =3D=3D EFI_INVALID_PARAMETER) { - ReturnStatus =3D EFI_INVALID_PARAMETER; - } - - ValueStr =3D ShellCommandLineGetValue (ParamPackage, L"--encrypt-key"); - if (ValueStr !=3D NULL ) { - (*Data)->AlgoInfo.EspAlgoInfo.EncKeyLength =3D EncKeyLength; - AsciiStr =3D AllocateZeroPool (EncKeyLength + 1); - ASSERT (AsciiStr !=3D NULL); - UnicodeStrToAsciiStrS (ValueStr, AsciiStr, EncKeyLength + 1); - CopyMem ((*Data)->AlgoInfo.EspAlgoInfo.EncKey, AsciiStr, EncKeyLength= ); - FreePool (AsciiStr); - *Mask |=3D ENCRYPT_KEY; - } else { - (*Data)->AlgoInfo.EspAlgoInfo.EncKey =3D NULL; - } - - Status =3D GetNumber ( - L"--auth-algo", - 0, - &(*Data)->AlgoInfo.EspAlgoInfo.AuthAlgoId, - sizeof (UINT8), - mMapAuthAlgo, - ParamPackage, - FORMAT_STRING - ); - if (!EFI_ERROR 
(Status)) { - *Mask |=3D AUTH_ALGO; - } - - if (Status =3D=3D EFI_INVALID_PARAMETER) { - ReturnStatus =3D EFI_INVALID_PARAMETER; - } - - ValueStr =3D ShellCommandLineGetValue (ParamPackage, L"--auth-key"); - if (ValueStr !=3D NULL) { - (*Data)->AlgoInfo.EspAlgoInfo.AuthKeyLength =3D AuthKeyLength; - AsciiStr =3D AllocateZeroPool (AuthKeyLength + 1); - ASSERT (AsciiStr !=3D NULL); - UnicodeStrToAsciiStrS (ValueStr, AsciiStr, AuthKeyLength + 1); - CopyMem ((*Data)->AlgoInfo.EspAlgoInfo.AuthKey, AsciiStr, AuthKeyLengt= h); - FreePool (AsciiStr); - *Mask |=3D AUTH_KEY; - } else { - (*Data)->AlgoInfo.EspAlgoInfo.AuthKey =3D NULL; - } - - Status =3D GetNumber ( - L"--lifebyte", - (UINT64) -1, - &(*Data)->SaLifetime.ByteCount, - sizeof (UINT64), - NULL, - ParamPackage, - FORMAT_NUMBER - ); - if (!EFI_ERROR (Status)) { - *Mask |=3D LIFEBYTE; - } - - if (Status =3D=3D EFI_INVALID_PARAMETER) { - ReturnStatus =3D EFI_INVALID_PARAMETER; - } - - Status =3D GetNumber ( - L"--lifetime", - (UINT64) -1, - &(*Data)->SaLifetime.HardLifetime, - sizeof (UINT64), - NULL, - ParamPackage, - FORMAT_NUMBER - ); - if (!EFI_ERROR (Status)) { - *Mask |=3D LIFETIME; - } - - if (Status =3D=3D EFI_INVALID_PARAMETER) { - ReturnStatus =3D EFI_INVALID_PARAMETER; - } - - Status =3D GetNumber ( - L"--lifetime-soft", - (UINT64) -1, - &(*Data)->SaLifetime.SoftLifetime, - sizeof (UINT64), - NULL, - ParamPackage, - FORMAT_NUMBER - ); - if (!EFI_ERROR (Status)) { - *Mask |=3D LIFETIME_SOFT; - } - - if (Status =3D=3D EFI_INVALID_PARAMETER) { - ReturnStatus =3D EFI_INVALID_PARAMETER; - } - - Status =3D GetNumber ( - L"--path-mtu", - (UINT32) -1, - &(*Data)->PathMTU, - sizeof (UINT32), - NULL, - ParamPackage, - FORMAT_NUMBER - ); - if (!EFI_ERROR (Status)) { - *Mask |=3D PATH_MTU; - } - - if (Status =3D=3D EFI_INVALID_PARAMETER) { - ReturnStatus =3D EFI_INVALID_PARAMETER; - } - - // - // Convert user imput from string to integer, and fill in the DestAddres= s in EFI_IPSEC_SA_ID. 
- // - ValueStr =3D ShellCommandLineGetValue (ParamPackage, L"--tunnel-dest"); - if (ValueStr !=3D NULL) { - Status =3D EfiInetAddr2 ((CHAR16 *) ValueStr, &(*Data)->TunnelDestinat= ionAddress); - if (EFI_ERROR (Status)) { - ShellPrintHiiEx ( - -1, - -1, - NULL, - STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE), - mHiiHandle, - mAppName, - L"--tunnel-dest", - ValueStr - ); - ReturnStatus =3D EFI_INVALID_PARAMETER; - } else { - *Mask |=3D DEST; - } - } - - // - // Convert user input from string to integer, and fill in the DestAddres= s in EFI_IPSEC_SA_ID. - // - ValueStr =3D ShellCommandLineGetValue (ParamPackage, L"--tunnel-source"); - if (ValueStr !=3D NULL) { - Status =3D EfiInetAddr2 ((CHAR16 *) ValueStr, &(*Data)->TunnelSourceAd= dress); - if (EFI_ERROR (Status)) { - ShellPrintHiiEx ( - -1, - -1, - NULL, - STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE), - mHiiHandle, - mAppName, - L"--tunnel-source", - ValueStr - ); - ReturnStatus =3D EFI_INVALID_PARAMETER; - } else { - *Mask |=3D SOURCE; - } - } - - // - // If it is TunnelMode, then check if the tunnel-source and --tunnel-des= t are set - // - if ((*Data)->Mode =3D=3D EfiIPsecTunnel) { - if ((*Mask & (DEST|SOURCE)) !=3D (DEST|SOURCE)) { - ShellPrintHiiEx ( - -1, - -1, - NULL, - STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS), - mHiiHandle, - mAppName, - L"--tunnel-source --tunnel-dest" - ); - ReturnStatus =3D EFI_INVALID_PARAMETER; - } - } - ReturnStatus =3D CreateSpdSelector ((*Data)->SpdSelector, ParamPackage, = Mask); - - if (CreateNew) { - if ((*Mask & (SPI|IPSEC_PROTO|LOCAL|REMOTE)) !=3D (SPI|IPSEC_PROTO|LOC= AL|REMOTE)) { - ShellPrintHiiEx ( - -1, - -1, - NULL, - STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS), - mHiiHandle, - mAppName, - L"--spi --ipsec-proto --local --remote" - ); - ReturnStatus =3D EFI_INVALID_PARAMETER; - } else { - if ((*SaId)->Proto =3D=3D EfiIPsecAH) { - if ((*Mask & AUTH_ALGO) =3D=3D 0) { - ShellPrintHiiEx ( - -1, - -1, - NULL, - 
STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_PARAMETER), - mHiiHandle, - mAppName, - L"--auth-algo" - ); - ReturnStatus =3D EFI_INVALID_PARAMETER; - } else if ((*Data)->AlgoInfo.EspAlgoInfo.AuthAlgoId !=3D IPSEC_AAL= G_NONE && (*Mask & AUTH_KEY) =3D=3D 0) { - ShellPrintHiiEx ( - -1, - -1, - NULL, - STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_PARAMETER), - mHiiHandle, - mAppName, - L"--auth-key" - ); - ReturnStatus =3D EFI_INVALID_PARAMETER; - } - } else { - if ((*Mask & (ENCRYPT_ALGO|AUTH_ALGO)) !=3D (ENCRYPT_ALGO|AUTH_ALG= O) ) { - ShellPrintHiiEx ( - -1, - -1, - NULL, - STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_PARAMETER), - mHiiHandle, - mAppName, - L"--encrypt-algo --auth-algo" - ); - ReturnStatus =3D EFI_INVALID_PARAMETER; - } else if ((*Data)->AlgoInfo.EspAlgoInfo.EncAlgoId !=3D IPSEC_EALG= _NONE && (*Mask & ENCRYPT_KEY) =3D=3D 0) { - ShellPrintHiiEx ( - -1, - -1, - NULL, - STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_PARAMETER), - mHiiHandle, - mAppName, - L"--encrypt-key" - ); - ReturnStatus =3D EFI_INVALID_PARAMETER; - } else if ((*Data)->AlgoInfo.EspAlgoInfo.AuthAlgoId !=3D IPSEC_AAL= G_NONE && (*Mask & AUTH_KEY) =3D=3D 0) { - ShellPrintHiiEx ( - -1, - -1, - NULL, - STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_PARAMETER), - mHiiHandle, - mAppName, - L"--auth-key" - ); - ReturnStatus =3D EFI_INVALID_PARAMETER; - } - } - } - } - - return ReturnStatus; -} - -/** - Fill in EFI_IPSEC_PAD_ID and EFI_IPSEC_PAD_DATA through ParamPackage lis= t. - - @param[out] PadId The pointer to the EFI_IPSEC_PAD_ID structur= e. - @param[out] Data The pointer to the EFI_IPSEC_PAD_DATA struct= ure. - @param[in] ParamPackage The pointer to the ParamPackage list. - @param[out] Mask The pointer to the Mask. - @param[in] CreateNew The switch to create new. - - @retval EFI_SUCCESS Fill in EFI_IPSEC_PAD_ID and EFI_IPSEC_= PAD_DATA successfully. - @retval EFI_INVALID_PARAMETER Invalid user input parameter. 
- -**/ -EFI_STATUS -CreatePadEntry ( - OUT EFI_IPSEC_PAD_ID **PadId, - OUT EFI_IPSEC_PAD_DATA **Data, - IN LIST_ENTRY *ParamPackage, - OUT UINT32 *Mask, - IN BOOLEAN CreateNew - ) -{ - EFI_STATUS Status; - EFI_STATUS ReturnStatus; - SHELL_FILE_HANDLE FileHandle; - UINT64 FileSize; - UINTN AuthDataLength; - UINTN RevocationDataLength; - UINTN DataLength; - UINTN Index; - CONST CHAR16 *ValueStr; - UINTN DataSize; - - Status =3D EFI_SUCCESS; - ReturnStatus =3D EFI_SUCCESS; - *Mask =3D 0; - AuthDataLength =3D 0; - RevocationDataLength =3D 0; - - *PadId =3D AllocateZeroPool (sizeof (EFI_IPSEC_PAD_ID)); - ASSERT (*PadId !=3D NULL); - - // - // Convert user imput from string to integer, and fill in EFI_IPSEC_PAD_= ID. - // - ValueStr =3D ShellCommandLineGetValue (ParamPackage, L"--peer-address"); - if (ValueStr !=3D NULL) { - (*PadId)->PeerIdValid =3D FALSE; - Status =3D EfiInetAddrRange ((CHAR16 *) ValueStr, &(*PadId)->Id.IpAddr= ess); - if (EFI_ERROR (Status)) { - ShellPrintHiiEx ( - -1, - -1, - NULL, - STRING_TOKEN (STR_IPSEC_CONFIG_INCORRECT_PARAMETER_VALUE), - mHiiHandle, - mAppName, - L"--peer-address", - ValueStr - ); - ReturnStatus =3D EFI_INVALID_PARAMETER; - } else { - *Mask |=3D PEER_ADDRESS; - } - } - - ValueStr =3D ShellCommandLineGetValue (ParamPackage, L"--peer-id"); - if (ValueStr !=3D NULL) { - (*PadId)->PeerIdValid =3D TRUE; - StrnCpyS ((CHAR16 *) (*PadId)->Id.PeerId, MAX_PEERID_LEN / sizeof (CHA= R16), ValueStr, MAX_PEERID_LEN / sizeof (CHAR16) - 1); - *Mask |=3D PEER_ID; - } - - ValueStr =3D ShellCommandLineGetValue (ParamPackage, L"--auth-data"); - if (ValueStr !=3D NULL) { - if (ValueStr[0] =3D=3D L'@') { - // - // Input is a file: --auth-data "@fs1:\My Certificates\tom.dat" - // - Status =3D ShellOpenFileByName (&ValueStr[1], &FileHandle, EFI_FILE_= MODE_READ, 0); - if (EFI_ERROR (Status)) { - ShellPrintHiiEx ( - -1, - -1, - NULL, - STRING_TOKEN (STR_IPSEC_CONFIG_FILE_OPEN_FAILED), - mHiiHandle, - mAppName, - &ValueStr[1] - ); - ReturnStatus =3D 
EFI_INVALID_PARAMETER; - } else { - Status =3D ShellGetFileSize (FileHandle, &FileSize); - ShellCloseFile (&FileHandle); - if (EFI_ERROR (Status)) { - ShellPrintHiiEx ( - -1, - -1, - NULL, - STRING_TOKEN (STR_IPSEC_CONFIG_FILE_OPEN_FAILED), - mHiiHandle, - mAppName, - &ValueStr[1] - ); - ReturnStatus =3D EFI_INVALID_PARAMETER; - } else { - AuthDataLength =3D (UINTN) FileSize; - } - } - } else { - AuthDataLength =3D StrLen (ValueStr); - } - } - - ValueStr =3D ShellCommandLineGetValue (ParamPackage, L"--revocation-data= "); - if (ValueStr !=3D NULL) { - RevocationDataLength =3D (StrLen (ValueStr) + 1) * sizeof (CHAR16); - } - - // - // Allocate Buffer for Data. Add padding after each struct to make sure = the alignment - // in different Arch. - // - DataSize =3D ALIGN_VARIABLE (sizeof (EFI_IPSEC_PAD_DATA)); - DataSize =3D ALIGN_VARIABLE (DataSize + AuthDataLength); - DataSize +=3D RevocationDataLength; - - *Data =3D AllocateZeroPool (DataSize); - ASSERT (*Data !=3D NULL); - - (*Data)->AuthData =3D (VOID *) ALIGN_POINTER ((*Data + 1), sizeof = (UINTN)); - (*Data)->RevocationData =3D (VOID *) ALIGN_POINTER (((UINT8 *) (*Data + = 1) + AuthDataLength), sizeof (UINTN)); - (*Data)->AuthProtocol =3D EfiIPsecAuthProtocolIKEv1; - - // - // Convert user imput from string to integer, and fill in EFI_IPSEC_PAD_= DATA. 
- // - Status =3D GetNumber ( - L"--auth-proto", - 0, - &(*Data)->AuthProtocol, - sizeof (EFI_IPSEC_AUTH_PROTOCOL_TYPE), - mMapAuthProto, - ParamPackage, - FORMAT_STRING - ); - if (!EFI_ERROR (Status)) { - *Mask |=3D AUTH_PROTO; - } - - if (Status =3D=3D EFI_INVALID_PARAMETER) { - ReturnStatus =3D EFI_INVALID_PARAMETER; - } - - Status =3D GetNumber ( - L"--auth-method", - 0, - &(*Data)->AuthMethod, - sizeof (EFI_IPSEC_AUTH_METHOD), - mMapAuthMethod, - ParamPackage, - FORMAT_STRING - ); - if (!EFI_ERROR (Status)) { - *Mask |=3D AUTH_METHOD; - } - - if (Status =3D=3D EFI_INVALID_PARAMETER) { - ReturnStatus =3D EFI_INVALID_PARAMETER; - } - - if (ShellCommandLineGetFlag (ParamPackage, L"--ike-id")) { - (*Data)->IkeIdFlag =3D TRUE; - *Mask |=3D IKE_ID; - } - - if (ShellCommandLineGetFlag (ParamPackage, L"--ike-id-")) { - (*Data)->IkeIdFlag =3D FALSE; - *Mask |=3D IKE_ID; - } - - ValueStr =3D ShellCommandLineGetValue (ParamPackage, L"--auth-data"); - if (ValueStr !=3D NULL) { - if (ValueStr[0] =3D=3D L'@') { - // - // Input is a file: --auth-data "@fs1:\My Certificates\tom.dat" - // - - Status =3D ShellOpenFileByName (&ValueStr[1], &FileHandle, EFI_FILE_= MODE_READ, 0); - if (EFI_ERROR (Status)) { - ShellPrintHiiEx ( - -1, - -1, - NULL, - STRING_TOKEN (STR_IPSEC_CONFIG_FILE_OPEN_FAILED), - mHiiHandle, - mAppName, - &ValueStr[1] - ); - ReturnStatus =3D EFI_INVALID_PARAMETER; - (*Data)->AuthData =3D NULL; - } else { - DataLength =3D AuthDataLength; - Status =3D ShellReadFile (FileHandle, &DataLength, (*Data)->Au= thData); - ShellCloseFile (&FileHandle); - if (EFI_ERROR (Status)) { - ShellPrintHiiEx ( - -1, - -1, - NULL, - STRING_TOKEN (STR_IPSEC_CONFIG_FILE_OPEN_FAILED), - mHiiHandle, - mAppName, - &ValueStr[1] - ); - ReturnStatus =3D EFI_INVALID_PARAMETER; - (*Data)->AuthData =3D NULL; - } else { - ASSERT (DataLength =3D=3D AuthDataLength); - *Mask |=3D AUTH_DATA; - } - } - } else { - for (Index =3D 0; Index < AuthDataLength; Index++) { - ((CHAR8 *) 
(*Data)->AuthData)[Index] =3D (CHAR8) ValueStr[Index]; - } - (*Data)->AuthDataSize =3D AuthDataLength; - *Mask |=3D AUTH_DATA; - } - } - - ValueStr =3D ShellCommandLineGetValue (ParamPackage, L"--revocation-data= "); - if (ValueStr !=3D NULL) { - CopyMem ((*Data)->RevocationData, ValueStr, RevocationDataLength); - (*Data)->RevocationDataSize =3D RevocationDataLength; - *Mask |=3D REVOCATION_DATA; - } else { - (*Data)->RevocationData =3D NULL; - } - - if (CreateNew) { - if ((*Mask & (PEER_ID | PEER_ADDRESS)) =3D=3D 0) { - ShellPrintHiiEx ( - -1, - -1, - NULL, - STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS), - mHiiHandle, - mAppName, - L"--peer-id --peer-address" - ); - ReturnStatus =3D EFI_INVALID_PARAMETER; - } else if ((*Mask & (AUTH_METHOD | AUTH_DATA)) !=3D (AUTH_METHOD | AUT= H_DATA)) { - ShellPrintHiiEx ( - -1, - -1, - NULL, - STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS), - mHiiHandle, - mAppName, - L"--auth-method --auth-data" - ); - ReturnStatus =3D EFI_INVALID_PARAMETER; - } - } - - return ReturnStatus; -} - -CREATE_POLICY_ENTRY mCreatePolicyEntry[] =3D { - (CREATE_POLICY_ENTRY) CreateSpdEntry, - (CREATE_POLICY_ENTRY) CreateSadEntry, - (CREATE_POLICY_ENTRY) CreatePadEntry -}; - -/** - Combine old SPD entry with new SPD entry. - - @param[in, out] OldSelector The pointer to the EFI_IPSEC_SPD_SELECTOR= structure. - @param[in, out] OldData The pointer to the EFI_IPSEC_SPD_DATA str= ucture. - @param[in] NewSelector The pointer to the EFI_IPSEC_SPD_SELECTOR= structure. - @param[in] NewData The pointer to the EFI_IPSEC_SPD_DATA str= ucture. - @param[in] Mask The pointer to the Mask. - @param[out] CreateNew The switch to create new. - - @retval EFI_SUCCESS Combined successfully. - @retval EFI_INVALID_PARAMETER Invalid user input parameter. 
- -**/ -EFI_STATUS -CombineSpdEntry ( - IN OUT EFI_IPSEC_SPD_SELECTOR *OldSelector, - IN OUT EFI_IPSEC_SPD_DATA *OldData, - IN EFI_IPSEC_SPD_SELECTOR *NewSelector, - IN EFI_IPSEC_SPD_DATA *NewData, - IN UINT32 Mask, - OUT BOOLEAN *CreateNew - ) -{ - - // - // Process Selector - // - *CreateNew =3D FALSE; - if ((Mask & LOCAL) =3D=3D 0) { - NewSelector->LocalAddressCount =3D OldSelector->LocalAddressCount; - NewSelector->LocalAddress =3D OldSelector->LocalAddress; - } else if ((NewSelector->LocalAddressCount !=3D OldSelector->LocalAddres= sCount) || - (CompareMem (NewSelector->LocalAddress, OldSelector->LocalAdd= ress, NewSelector->LocalAddressCount * sizeof (EFI_IP_ADDRESS_INFO)) !=3D 0= )) { - *CreateNew =3D TRUE; - } - - if ((Mask & REMOTE) =3D=3D 0) { - NewSelector->RemoteAddressCount =3D OldSelector->RemoteAddressCount; - NewSelector->RemoteAddress =3D OldSelector->RemoteAddress; - } else if ((NewSelector->RemoteAddressCount !=3D OldSelector->RemoteAddr= essCount) || - (CompareMem (NewSelector->RemoteAddress, OldSelector->RemoteA= ddress, NewSelector->RemoteAddressCount * sizeof (EFI_IP_ADDRESS_INFO)) != =3D 0)) { - *CreateNew =3D TRUE; - } - - if ((Mask & PROTO) =3D=3D 0) { - NewSelector->NextLayerProtocol =3D OldSelector->NextLayerProtocol; - } else if (NewSelector->NextLayerProtocol !=3D OldSelector->NextLayerPro= tocol) { - *CreateNew =3D TRUE; - } - - switch (NewSelector->NextLayerProtocol) { - case EFI_IP4_PROTO_TCP: - case EFI_IP4_PROTO_UDP: - if ((Mask & LOCAL_PORT) =3D=3D 0) { - NewSelector->LocalPort =3D OldSelector->LocalPort; - NewSelector->LocalPortRange =3D OldSelector->LocalPortRange; - } else if ((NewSelector->LocalPort !=3D OldSelector->LocalPort) || - (NewSelector->LocalPortRange !=3D OldSelector->LocalPortRange)) { - *CreateNew =3D TRUE; - } - - if ((Mask & REMOTE_PORT) =3D=3D 0) { - NewSelector->RemotePort =3D OldSelector->RemotePort; - NewSelector->RemotePortRange =3D OldSelector->RemotePortRange; - } else if ((NewSelector->RemotePort !=3D 
OldSelector->RemotePort) || - (NewSelector->RemotePortRange !=3D OldSelector->RemotePortRange)) { - *CreateNew =3D TRUE; - } - break; - - case EFI_IP4_PROTO_ICMP: - if ((Mask & ICMP_TYPE) =3D=3D 0) { - NewSelector->LocalPort =3D OldSelector->LocalPort; - } else if (NewSelector->LocalPort !=3D OldSelector->LocalPort) { - *CreateNew =3D TRUE; - } - - if ((Mask & ICMP_CODE) =3D=3D 0) { - NewSelector->RemotePort =3D OldSelector->RemotePort; - } else if (NewSelector->RemotePort !=3D OldSelector->RemotePort) { - *CreateNew =3D TRUE; - } - break; - } - // - // Process Data - // - OldData->SaIdCount =3D 0; - - if ((Mask & NAME) !=3D 0) { - AsciiStrCpyS ((CHAR8 *) OldData->Name, MAX_PEERID_LEN, (CHAR8 *) NewDa= ta->Name); - } - - if ((Mask & PACKET_FLAG) !=3D 0) { - OldData->PackageFlag =3D NewData->PackageFlag; - } - - if ((Mask & ACTION) !=3D 0) { - OldData->Action =3D NewData->Action; - } - - if (OldData->Action !=3D EfiIPsecActionProtect) { - OldData->ProcessingPolicy =3D NULL; - } else { - // - // Protect - // - if (OldData->ProcessingPolicy =3D=3D NULL) { - // - // Just point to new data if originally NULL. - // - OldData->ProcessingPolicy =3D NewData->ProcessingPolicy; - if (OldData->ProcessingPolicy->Mode =3D=3D EfiIPsecTunnel && - (Mask & (TUNNEL_LOCAL | TUNNEL_REMOTE)) !=3D (TUNNEL_LOCAL | TUN= NEL_REMOTE) - ) { - // - // Change to Protect action and Tunnel mode, but without providing= local/remote tunnel address. - // - ShellPrintHiiEx ( - -1, - -1, - NULL, - STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS), - mHiiHandle, - mAppName, - L"--tunnel-local --tunnel-remote" - ); - return EFI_INVALID_PARAMETER; - } - } else { - // - // Modify some of the data. 
- // - if ((Mask & EXT_SEQUENCE) !=3D 0) { - OldData->ProcessingPolicy->ExtSeqNum =3D NewData->ProcessingPolicy= ->ExtSeqNum; - } - - if ((Mask & SEQUENCE_OVERFLOW) !=3D 0) { - OldData->ProcessingPolicy->SeqOverflow =3D NewData->ProcessingPoli= cy->SeqOverflow; - } - - if ((Mask & FRAGMENT_CHECK) !=3D 0) { - OldData->ProcessingPolicy->FragCheck =3D NewData->ProcessingPolicy= ->FragCheck; - } - - if ((Mask & LIFEBYTE) !=3D 0) { - OldData->ProcessingPolicy->SaLifetime.ByteCount =3D NewData->Proce= ssingPolicy->SaLifetime.ByteCount; - } - - if ((Mask & LIFETIME_SOFT) !=3D 0) { - OldData->ProcessingPolicy->SaLifetime.SoftLifetime =3D NewData->Pr= ocessingPolicy->SaLifetime.SoftLifetime; - } - - if ((Mask & LIFETIME) !=3D 0) { - OldData->ProcessingPolicy->SaLifetime.HardLifetime =3D NewData->Pr= ocessingPolicy->SaLifetime.HardLifetime; - } - - if ((Mask & MODE) !=3D 0) { - OldData->ProcessingPolicy->Mode =3D NewData->ProcessingPolicy->Mod= e; - } - - if ((Mask & IPSEC_PROTO) !=3D 0) { - OldData->ProcessingPolicy->Proto =3D NewData->ProcessingPolicy->Pr= oto; - } - - if ((Mask & AUTH_ALGO) !=3D 0) { - OldData->ProcessingPolicy->AuthAlgoId =3D NewData->ProcessingPolic= y->AuthAlgoId; - } - - if ((Mask & ENCRYPT_ALGO) !=3D 0) { - OldData->ProcessingPolicy->EncAlgoId =3D NewData->ProcessingPolicy= ->EncAlgoId; - } - - if (OldData->ProcessingPolicy->Mode !=3D EfiIPsecTunnel) { - OldData->ProcessingPolicy->TunnelOption =3D NULL; - } else { - if (OldData->ProcessingPolicy->TunnelOption =3D=3D NULL) { - // - // Set from Transport mode to Tunnel mode, should ensure TUNNEL_= LOCAL & TUNNEL_REMOTE both exists. 
- // - if ((Mask & (TUNNEL_LOCAL | TUNNEL_REMOTE)) !=3D (TUNNEL_LOCAL |= TUNNEL_REMOTE)) { - ShellPrintHiiEx ( - -1, - -1, - NULL, - STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS), - mHiiHandle, - mAppName, - L"--tunnel-local --tunnel-remote" - ); - return EFI_INVALID_PARAMETER; - } - - OldData->ProcessingPolicy->TunnelOption =3D NewData->ProcessingP= olicy->TunnelOption; - } else { - if ((Mask & TUNNEL_LOCAL) !=3D 0) { - CopyMem ( - &OldData->ProcessingPolicy->TunnelOption->LocalTunnelAddress, - &NewData->ProcessingPolicy->TunnelOption->LocalTunnelAddress, - sizeof (EFI_IP_ADDRESS) - ); - } - - if ((Mask & TUNNEL_REMOTE) !=3D 0) { - CopyMem ( - &OldData->ProcessingPolicy->TunnelOption->RemoteTunnelAddres= s, - &NewData->ProcessingPolicy->TunnelOption->RemoteTunnelAddres= s, - sizeof (EFI_IP_ADDRESS) - ); - } - - if ((Mask & DONT_FRAGMENT) !=3D 0) { - OldData->ProcessingPolicy->TunnelOption->DF =3D NewData->Proce= ssingPolicy->TunnelOption->DF; - } - } - } - } - } - - return EFI_SUCCESS; -} - -/** - Combine old SAD entry with new SAD entry. - - @param[in, out] OldSaId The pointer to the EFI_IPSEC_SA_ID structur= e. - @param[in, out] OldData The pointer to the EFI_IPSEC_SA_DATA2 struc= ture. - @param[in] NewSaId The pointer to the EFI_IPSEC_SA_ID structur= e. - @param[in] NewData The pointer to the EFI_IPSEC_SA_DATA2 struc= ture. - @param[in] Mask The pointer to the Mask. - @param[out] CreateNew The switch to create new. - - @retval EFI_SUCCESS Combined successfully. - @retval EFI_INVALID_PARAMETER Invalid user input parameter. 
- -**/ -EFI_STATUS -CombineSadEntry ( - IN OUT EFI_IPSEC_SA_ID *OldSaId, - IN OUT EFI_IPSEC_SA_DATA2 *OldData, - IN EFI_IPSEC_SA_ID *NewSaId, - IN EFI_IPSEC_SA_DATA2 *NewData, - IN UINT32 Mask, - OUT BOOLEAN *CreateNew - ) -{ - - *CreateNew =3D FALSE; - - if ((Mask & SPI) =3D=3D 0) { - NewSaId->Spi =3D OldSaId->Spi; - } else if (NewSaId->Spi !=3D OldSaId->Spi) { - *CreateNew =3D TRUE; - } - - if ((Mask & IPSEC_PROTO) =3D=3D 0) { - NewSaId->Proto =3D OldSaId->Proto; - } else if (NewSaId->Proto !=3D OldSaId->Proto) { - *CreateNew =3D TRUE; - } - - if ((Mask & DEST) =3D=3D 0) { - CopyMem (&NewData->TunnelDestinationAddress, &OldData->TunnelDestinati= onAddress, sizeof (EFI_IP_ADDRESS)); - } else if (CompareMem (&NewData->TunnelDestinationAddress, &OldData->Tun= nelDestinationAddress, sizeof (EFI_IP_ADDRESS)) !=3D 0) { - *CreateNew =3D TRUE; - } - - if ((Mask & SOURCE) =3D=3D 0) { - CopyMem (&NewData->TunnelSourceAddress, &OldData->TunnelSourceAddress,= sizeof (EFI_IP_ADDRESS)); - } else if (CompareMem (&NewData->TunnelSourceAddress, &OldData->TunnelSo= urceAddress, sizeof (EFI_IP_ADDRESS)) !=3D 0) { - *CreateNew =3D TRUE; - } - // - // Process SA_DATA. 
- // - if ((Mask & MODE) !=3D 0) { - OldData->Mode =3D NewData->Mode; - } - - if ((Mask & SEQUENCE_NUMBER) !=3D 0) { - OldData->SNCount =3D NewData->SNCount; - } - - if ((Mask & ANTIREPLAY_WINDOW) !=3D 0) { - OldData->AntiReplayWindows =3D NewData->AntiReplayWindows; - } - - if ((Mask & AUTH_ALGO) !=3D 0) { - OldData->AlgoInfo.EspAlgoInfo.AuthAlgoId =3D NewData->AlgoInfo.EspA= lgoInfo.AuthAlgoId; - } - - if ((Mask & AUTH_KEY) !=3D 0) { - OldData->AlgoInfo.EspAlgoInfo.AuthKey =3D NewData->AlgoInfo.EspA= lgoInfo.AuthKey; - OldData->AlgoInfo.EspAlgoInfo.AuthKeyLength =3D NewData->AlgoInfo.EspA= lgoInfo.AuthKeyLength; - } - - if ((Mask & ENCRYPT_ALGO) !=3D 0) { - OldData->AlgoInfo.EspAlgoInfo.EncAlgoId =3D NewData->AlgoInfo.EspA= lgoInfo.EncAlgoId; - } - - if ((Mask & ENCRYPT_KEY) !=3D 0) { - OldData->AlgoInfo.EspAlgoInfo.EncKey =3D NewData->AlgoInfo.EspA= lgoInfo.EncKey; - OldData->AlgoInfo.EspAlgoInfo.EncKeyLength =3D NewData->AlgoInfo.EspA= lgoInfo.EncKeyLength; - } - - if (NewSaId->Proto =3D=3D EfiIPsecAH) { - if ((Mask & (ENCRYPT_ALGO | ENCRYPT_KEY)) !=3D 0) { - // - // Should not provide encrypt_* if AH. - // - ShellPrintHiiEx ( - -1, - -1, - NULL, - STRING_TOKEN (STR_IPSEC_CONFIG_UNWANTED_PARAMETER), - mHiiHandle, - mAppName, - L"--encrypt-algo --encrypt-key" - ); - return EFI_INVALID_PARAMETER; - } - } - - if (NewSaId->Proto =3D=3D EfiIPsecESP && OldSaId->Proto =3D=3D EfiIPsecA= H) { - // - // AH -> ESP - // Should provide encrypt_algo at least. - // - if ((Mask & ENCRYPT_ALGO) =3D=3D 0) { - ShellPrintHiiEx ( - -1, - -1, - NULL, - STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_PARAMETER), - mHiiHandle, - mAppName, - L"--encrypt-algo" - ); - return EFI_INVALID_PARAMETER; - } - - // - // Encrypt_key should be provided if algorithm is not NONE. 
- // - if (NewData->AlgoInfo.EspAlgoInfo.EncAlgoId !=3D IPSEC_EALG_NONE && (M= ask & ENCRYPT_KEY) =3D=3D 0) { - ShellPrintHiiEx ( - -1, - -1, - NULL, - STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_PARAMETER), - mHiiHandle, - mAppName, - L"--encrypt-algo" - ); - return EFI_INVALID_PARAMETER; - } - } - - if ((Mask & LIFEBYTE) !=3D 0) { - OldData->SaLifetime.ByteCount =3D NewData->SaLifetime.ByteCount; - } - - if ((Mask & LIFETIME_SOFT) !=3D 0) { - OldData->SaLifetime.SoftLifetime =3D NewData->SaLifetime.SoftLifetime; - } - - if ((Mask & LIFETIME) !=3D 0) { - OldData->SaLifetime.HardLifetime =3D NewData->SaLifetime.HardLifetime; - } - - if ((Mask & PATH_MTU) !=3D 0) { - OldData->PathMTU =3D NewData->PathMTU; - } - // - // Process SpdSelector. - // - if (OldData->SpdSelector =3D=3D NULL) { - if ((Mask & (LOCAL | REMOTE | PROTO | LOCAL_PORT | REMOTE_PORT | ICMP_= TYPE | ICMP_CODE)) !=3D 0) { - if ((Mask & (LOCAL | REMOTE | PROTO)) !=3D (LOCAL | REMOTE | PROTO))= { - ShellPrintHiiEx ( - -1, - -1, - NULL, - STRING_TOKEN (STR_IPSEC_CONFIG_MISSING_ONE_OF_PARAMETERS), - mHiiHandle, - mAppName, - L"--local --remote --proto" - ); - return EFI_INVALID_PARAMETER; - } - - OldData->SpdSelector =3D NewData->SpdSelector; - } - } else { - if ((Mask & LOCAL) !=3D 0) { - OldData->SpdSelector->LocalAddressCount =3D NewData->SpdSelector->L= ocalAddressCount; - OldData->SpdSelector->LocalAddress =3D NewData->SpdSelector->L= ocalAddress; - } - - if ((Mask & REMOTE) !=3D 0) { - OldData->SpdSelector->RemoteAddressCount =3D NewData->SpdSelector->R= emoteAddressCount; - OldData->SpdSelector->RemoteAddress =3D NewData->SpdSelector->R= emoteAddress; - } - - if ((Mask & PROTO) !=3D 0) { - OldData->SpdSelector->NextLayerProtocol =3D NewData->SpdSelector->N= extLayerProtocol; - } - - if (OldData->SpdSelector !=3D NULL) { - switch (OldData->SpdSelector->NextLayerProtocol) { - case EFI_IP4_PROTO_TCP: - case EFI_IP4_PROTO_UDP: - if ((Mask & LOCAL_PORT) !=3D 0) { - OldData->SpdSelector->LocalPort =3D 
NewData->SpdSelector->Loc= alPort; - } - - if ((Mask & REMOTE_PORT) !=3D 0) { - OldData->SpdSelector->RemotePort =3D NewData->SpdSelector->Rem= otePort; - } - break; - - case EFI_IP4_PROTO_ICMP: - if ((Mask & ICMP_TYPE) !=3D 0) { - OldData->SpdSelector->LocalPort =3D (UINT8) NewData->SpdSelec= tor->LocalPort; - } - - if ((Mask & ICMP_CODE) !=3D 0) { - OldData->SpdSelector->RemotePort =3D (UINT8) NewData->SpdSelec= tor->RemotePort; - } - break; - } - } - } - - return EFI_SUCCESS; -} - -/** - Combine old PAD entry with new PAD entry. - - @param[in, out] OldPadId The pointer to the EFI_IPSEC_PAD_ID structu= re. - @param[in, out] OldData The pointer to the EFI_IPSEC_PAD_DATA struc= ture. - @param[in] NewPadId The pointer to the EFI_IPSEC_PAD_ID structu= re. - @param[in] NewData The pointer to the EFI_IPSEC_PAD_DATA struc= ture. - @param[in] Mask The pointer to the Mask. - @param[out] CreateNew The switch to create new. - - @retval EFI_SUCCESS Combined successfully. - @retval EFI_INVALID_PARAMETER Invalid user input parameter. 
- -**/ -EFI_STATUS -CombinePadEntry ( - IN OUT EFI_IPSEC_PAD_ID *OldPadId, - IN OUT EFI_IPSEC_PAD_DATA *OldData, - IN EFI_IPSEC_PAD_ID *NewPadId, - IN EFI_IPSEC_PAD_DATA *NewData, - IN UINT32 Mask, - OUT BOOLEAN *CreateNew - ) -{ - - *CreateNew =3D FALSE; - - if ((Mask & (PEER_ID | PEER_ADDRESS)) =3D=3D 0) { - CopyMem (NewPadId, OldPadId, sizeof (EFI_IPSEC_PAD_ID)); - } else { - if ((Mask & PEER_ID) !=3D 0) { - if (OldPadId->PeerIdValid) { - if (StrCmp ((CONST CHAR16 *) OldPadId->Id.PeerId, (CONST CHAR16 *)= NewPadId->Id.PeerId) !=3D 0) { - *CreateNew =3D TRUE; - } - } else { - *CreateNew =3D TRUE; - } - } else { - // - // MASK & PEER_ADDRESS - // - if (OldPadId->PeerIdValid) { - *CreateNew =3D TRUE; - } else { - if ((CompareMem (&OldPadId->Id.IpAddress.Address, &NewPadId->Id.Ip= Address.Address, sizeof (EFI_IP_ADDRESS)) !=3D 0) || - (OldPadId->Id.IpAddress.PrefixLength !=3D NewPadId->Id.IpAddre= ss.PrefixLength)) { - *CreateNew =3D TRUE; - } - } - } - } - - if ((Mask & AUTH_PROTO) !=3D 0) { - OldData->AuthProtocol =3D NewData->AuthProtocol; - } - - if ((Mask & AUTH_METHOD) !=3D 0) { - OldData->AuthMethod =3D NewData->AuthMethod; - } - - if ((Mask & IKE_ID) !=3D 0) { - OldData->IkeIdFlag =3D NewData->IkeIdFlag; - } - - if ((Mask & AUTH_DATA) !=3D 0) { - OldData->AuthDataSize =3D NewData->AuthDataSize; - OldData->AuthData =3D NewData->AuthData; - } - - if ((Mask & REVOCATION_DATA) !=3D 0) { - OldData->RevocationDataSize =3D NewData->RevocationDataSize; - OldData->RevocationData =3D NewData->RevocationData; - } - - return EFI_SUCCESS; -} - -COMBINE_POLICY_ENTRY mCombinePolicyEntry[] =3D { - (COMBINE_POLICY_ENTRY) CombineSpdEntry, - (COMBINE_POLICY_ENTRY) CombineSadEntry, - (COMBINE_POLICY_ENTRY) CombinePadEntry -}; - -/** - Edit entry information in the database. - - @param[in] Selector The pointer to the EFI_IPSEC_CONFIG_SELECTOR stru= cture. - @param[in] Data The pointer to the data. - @param[in] Context The pointer to the INSERT_POLICY_ENTRY_CONTEXT st= ructure. 
- - @retval EFI_SUCCESS Continue the iteration. - @retval EFI_ABORTED Abort the iteration. -**/ -EFI_STATUS -EditOperatePolicyEntry ( - IN EFI_IPSEC_CONFIG_SELECTOR *Selector, - IN VOID *Data, - IN EDIT_POLICY_ENTRY_CONTEXT *Context - ) -{ - EFI_STATUS Status; - BOOLEAN CreateNew; - - if (mMatchPolicyEntry[Context->DataType] (Selector, Data, &Context->Inde= xer)) { - ASSERT (Context->DataType < 3); - - Status =3D mCombinePolicyEntry[Context->DataType] ( - Selector, - Data, - Context->Selector, - Context->Data, - Context->Mask, - &CreateNew - ); - if (!EFI_ERROR (Status)) { - // - // If the Selector already existed, this Entry will be updated by se= t data. - // - Status =3D mIpSecConfig->SetData ( - mIpSecConfig, - Context->DataType, - Context->Selector, /// New created selector. - Data, /// Old date which has been modified,= need to be set data. - Selector - ); - ASSERT_EFI_ERROR (Status); - - if (CreateNew) { - // - // Edit the entry to a new one. So, we need delete the old entry. - // - Status =3D mIpSecConfig->SetData ( - mIpSecConfig, - Context->DataType, - Selector, /// Old selector. - NULL, /// NULL means to delete this Entry= specified by Selector. - NULL - ); - ASSERT_EFI_ERROR (Status); - } - } - - Context->Status =3D Status; - return EFI_ABORTED; - } - - return EFI_SUCCESS; -} - -/** - Edit entry information in database according to datatype. - - @param[in] DataType The value of EFI_IPSEC_CONFIG_DATA_TYPE. - @param[in] ParamPackage The pointer to the ParamPackage list. - - @retval EFI_SUCCESS Edit entry information successfully. - @retval EFI_NOT_FOUND Can't find the specified entry. - @retval Others Some mistaken case. 
-**/ -EFI_STATUS -EditPolicyEntry ( - IN EFI_IPSEC_CONFIG_DATA_TYPE DataType, - IN LIST_ENTRY *ParamPackage - ) -{ - EFI_STATUS Status; - EDIT_POLICY_ENTRY_CONTEXT Context; - CONST CHAR16 *ValueStr; - - ValueStr =3D ShellCommandLineGetValue (ParamPackage, L"-e"); - if (ValueStr =3D=3D NULL) { - ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_INDEX_NO= T_SPECIFIED), mHiiHandle, mAppName, ValueStr); - return EFI_NOT_FOUND; - } - - Status =3D mConstructPolicyEntryIndexer[DataType] (&Context.Indexer, Par= amPackage); - if (!EFI_ERROR (Status)) { - Context.DataType =3D DataType; - Context.Status =3D EFI_NOT_FOUND; - Status =3D mCreatePolicyEntry[DataType] (&Context.Selector, &Context.D= ata, ParamPackage, &Context.Mask, FALSE); - if (!EFI_ERROR (Status)) { - ForeachPolicyEntry (DataType, (VISIT_POLICY_ENTRY) EditOperatePolicy= Entry, &Context); - Status =3D Context.Status; - } - - if (Context.Selector !=3D NULL) { - gBS->FreePool (Context.Selector); - } - - if (Context.Data !=3D NULL) { - gBS->FreePool (Context.Data); - } - } - - if (Status =3D=3D EFI_NOT_FOUND) { - ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_INDEX_NO= T_FOUND), mHiiHandle, mAppName, ValueStr); - } else if (EFI_ERROR (Status)) { - ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_EDIT_FAI= LED), mHiiHandle, mAppName); - } - - return Status; - -} - -/** - Insert entry information in database. - - @param[in] Selector The pointer to the EFI_IPSEC_CONFIG_SELECTOR stru= cture. - @param[in] Data The pointer to the data. - @param[in] Context The pointer to the INSERT_POLICY_ENTRY_CONTEXT st= ructure. - - @retval EFI_SUCCESS Continue the iteration. - @retval EFI_ABORTED Abort the iteration. -**/ -EFI_STATUS -InsertPolicyEntry ( - IN EFI_IPSEC_CONFIG_SELECTOR *Selector, - IN VOID *Data, - IN INSERT_POLICY_ENTRY_CONTEXT *Context - ) -{ - // - // Found the entry which we want to insert before. 
- // - if (mMatchPolicyEntry[Context->DataType] (Selector, Data, &Context->Inde= xer)) { - - Context->Status =3D mIpSecConfig->SetData ( - mIpSecConfig, - Context->DataType, - Context->Selector, - Context->Data, - Selector - ); - // - // Abort the iteration after the insertion. - // - return EFI_ABORTED; - } - - return EFI_SUCCESS; -} - -/** - Insert or add entry information in database according to datatype. - - @param[in] DataType The value of EFI_IPSEC_CONFIG_DATA_TYPE. - @param[in] ParamPackage The pointer to the ParamPackage list. - - @retval EFI_SUCCESS Insert or add entry information successf= ully. - @retval EFI_NOT_FOUND Can't find the specified entry. - @retval EFI_BUFFER_TOO_SMALL The entry already existed. - @retval EFI_UNSUPPORTED The operation is not supported. - @retval Others Some mistaken case. -**/ -EFI_STATUS -AddOrInsertPolicyEntry ( - IN EFI_IPSEC_CONFIG_DATA_TYPE DataType, - IN LIST_ENTRY *ParamPackage - ) -{ - EFI_STATUS Status; - EFI_IPSEC_CONFIG_SELECTOR *Selector; - VOID *Data; - INSERT_POLICY_ENTRY_CONTEXT Context; - UINT32 Mask; - UINTN DataSize; - CONST CHAR16 *ValueStr; - - Status =3D mCreatePolicyEntry[DataType] (&Selector, &Data, ParamPackage,= &Mask, TRUE); - if (!EFI_ERROR (Status)) { - // - // Find if the Selector to be inserted already exists. 
- // - DataSize =3D 0; - Status =3D mIpSecConfig->GetData ( - mIpSecConfig, - DataType, - Selector, - &DataSize, - NULL - ); - if (Status =3D=3D EFI_BUFFER_TOO_SMALL) { - ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_ALREAD= Y_EXISTS), mHiiHandle, mAppName); - } else if (ShellCommandLineGetFlag (ParamPackage, L"-a")) { - Status =3D mIpSecConfig->SetData ( - mIpSecConfig, - DataType, - Selector, - Data, - NULL - ); - } else { - ValueStr =3D ShellCommandLineGetValue (ParamPackage, L"-i"); - if (ValueStr =3D=3D NULL) { - ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_INDE= X_NOT_SPECIFIED), mHiiHandle, mAppName, ValueStr); - return EFI_NOT_FOUND; - } - - Status =3D mConstructPolicyEntryIndexer[DataType] (&Context.Indexer,= ParamPackage); - if (!EFI_ERROR (Status)) { - Context.DataType =3D DataType; - Context.Status =3D EFI_NOT_FOUND; - Context.Selector =3D Selector; - Context.Data =3D Data; - - ForeachPolicyEntry (DataType, (VISIT_POLICY_ENTRY) InsertPolicyEnt= ry, &Context); - Status =3D Context.Status; - if (Status =3D=3D EFI_NOT_FOUND) { - ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_IN= DEX_NOT_FOUND), mHiiHandle, mAppName, ValueStr); - } - } - } - - gBS->FreePool (Selector); - gBS->FreePool (Data); - } - - if (Status =3D=3D EFI_UNSUPPORTED) { - ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_INSERT_U= NSUPPORT), mHiiHandle, mAppName); - } else if (EFI_ERROR (Status)) { - ShellPrintHiiEx (-1, -1, NULL, STRING_TOKEN (STR_IPSEC_CONFIG_INSERT_F= AILED), mHiiHandle, mAppName); - } - - return Status; -} diff --git a/NetworkPkg/Application/IpsecConfig/PolicyEntryOperation.h b/Ne= tworkPkg/Application/IpsecConfig/PolicyEntryOperation.h deleted file mode 100644 index 3384774f6a..0000000000 --- a/NetworkPkg/Application/IpsecConfig/PolicyEntryOperation.h +++ /dev/null 
@@ -1,153 +0,0 @@ -/** @file - The function declaration of policy entry operation in IpSecConfig applic= ation. - - Copyright (c) 2009 - 2011, Intel Corporation. All rights reserved.
- - SPDX-License-Identifier: BSD-2-Clause-Patent - -**/ - -#ifndef _POLICY_ENTRY_OPERATION_H_ -#define _POLICY_ENTRY_OPERATION_H_ - -#define LOCAL BIT(0) -#define REMOTE BIT(1) -#define PROTO BIT(2) -#define LOCAL_PORT BIT(3) -#define REMOTE_PORT BIT(4) -#define ICMP_TYPE BIT(5) -#define ICMP_CODE BIT(6) -#define NAME BIT(7) -#define PACKET_FLAG BIT(8) -#define ACTION BIT(9) -#define EXT_SEQUENCE BIT(10) -#define SEQUENCE_OVERFLOW BIT(11) -#define FRAGMENT_CHECK BIT(12) -#define LIFEBYTE BIT(13) -#define LIFETIME_SOFT BIT(14) -#define LIFETIME BIT(15) -#define MODE BIT(16) -#define TUNNEL_LOCAL BIT(17) -#define TUNNEL_REMOTE BIT(18) -#define DONT_FRAGMENT BIT(19) -#define IPSEC_PROTO BIT(20) -#define AUTH_ALGO BIT(21) -#define ENCRYPT_ALGO BIT(22) -#define SPI BIT(23) -#define DEST BIT(24) -#define SEQUENCE_NUMBER BIT(25) -#define ANTIREPLAY_WINDOW BIT(26) -#define AUTH_KEY BIT(27) -#define ENCRYPT_KEY BIT(28) -#define PATH_MTU BIT(29) -#define SOURCE BIT(30) - -#define PEER_ID BIT(0) -#define PEER_ADDRESS BIT(1) -#define AUTH_PROTO BIT(2) -#define AUTH_METHOD BIT(3) -#define IKE_ID BIT(4) -#define AUTH_DATA BIT(5) -#define REVOCATION_DATA BIT(6) - -typedef struct { - EFI_IPSEC_CONFIG_DATA_TYPE DataType; - EFI_IPSEC_CONFIG_SELECTOR *Selector; // Data to be inserted. - VOID *Data; - UINT32 Mask; - POLICY_ENTRY_INDEXER Indexer; - EFI_STATUS Status; // Indicate whether insertio= n succeeds. -} EDIT_POLICY_ENTRY_CONTEXT; - -typedef struct { - EFI_IPSEC_CONFIG_DATA_TYPE DataType; - EFI_IPSEC_CONFIG_SELECTOR *Selector; // Data to be inserted. - VOID *Data; - POLICY_ENTRY_INDEXER Indexer; - EFI_STATUS Status; // Indicate whether insertio= n succeeds. -} INSERT_POLICY_ENTRY_CONTEXT; - -/** - The prototype for the CreateSpdEntry()/CreateSadEntry()/CreatePadEntry(). - Fill in EFI_IPSEC_CONFIG_SELECTOR and corresponding data thru ParamPacka= ge list. - - @param[out] Selector The pointer to the EFI_IPSEC_CONFIG_SELECTOR= union. 
- @param[out] Data The pointer to corresponding data. - @param[in] ParamPackage The pointer to the ParamPackage list. - @param[out] Mask The pointer to the Mask. - @param[in] CreateNew The switch to create new. - - @retval EFI_SUCCESS Filled in EFI_IPSEC_CONFIG_SELECTOR and= corresponding data successfully. - @retval EFI_INVALID_PARAMETER Invalid user input parameter. - -**/ -typedef -EFI_STATUS -(*CREATE_POLICY_ENTRY) ( - OUT EFI_IPSEC_CONFIG_SELECTOR **Selector, - OUT VOID **Data, - IN LIST_ENTRY *ParamPackage, - OUT UINT32 *Mask, - IN BOOLEAN CreateNew - ); - -/** - The prototype for the CombineSpdEntry()/CombineSadEntry()/CombinePadEntr= y(). - Combine old SPD/SAD/PAD entry with new SPD/SAD/PAD entry. - - @param[in, out] OldSelector The pointer to the old EFI_IPSEC_CONFIG_S= ELECTOR union. - @param[in, out] OldData The pointer to the corresponding old data. - @param[in] NewSelector The pointer to the new EFI_IPSEC_CONFIG_S= ELECTOR union. - @param[in] NewData The pointer to the corresponding new data. - @param[in] Mask The pointer to the Mask. - @param[out] CreateNew The switch to create new. - - @retval EFI_SUCCESS Combined successfully. - @retval EFI_INVALID_PARAMETER Invalid user input parameter. - -**/ -typedef -EFI_STATUS -(* COMBINE_POLICY_ENTRY) ( - IN OUT EFI_IPSEC_CONFIG_SELECTOR *OldSelector, - IN OUT VOID *OldData, - IN EFI_IPSEC_CONFIG_SELECTOR *NewSelector, - IN VOID *NewData, - IN UINT32 Mask, - OUT BOOLEAN *CreateNew - ); - -/** - Insert or add entry information in database according to datatype. - - @param[in] DataType The value of EFI_IPSEC_CONFIG_DATA_TYPE. - @param[in] ParamPackage The pointer to the ParamPackage list. - - @retval EFI_SUCCESS Insert or add entry information successf= ully. - @retval EFI_NOT_FOUND Can't find the specified entry. - @retval EFI_BUFFER_TOO_SMALL The entry already existed. - @retval EFI_UNSUPPORTED The operation is not supported./ - @retval Others Some mistaken case. 
-**/ -EFI_STATUS -AddOrInsertPolicyEntry ( - IN EFI_IPSEC_CONFIG_DATA_TYPE DataType, - IN LIST_ENTRY *ParamPackage - ); - -/** - Edit entry information in the database according to datatype. - - @param[in] DataType The value of EFI_IPSEC_CONFIG_DATA_TYPE. - @param[in] ParamPackage The pointer to the ParamPackage list. - - @retval EFI_SUCCESS Edit entry information successfully. - @retval EFI_NOT_FOUND Can't find the specified entry. - @retval Others Some mistaken case. -**/ -EFI_STATUS -EditPolicyEntry ( - IN EFI_IPSEC_CONFIG_DATA_TYPE DataType, - IN LIST_ENTRY *ParamPackage - ); -#endif diff --git a/NetworkPkg/IpSecDxe/ComponentName.c b/NetworkPkg/IpSecDxe/Comp= onentName.c deleted file mode 100644 index 6fbc35a25c..0000000000 --- a/NetworkPkg/IpSecDxe/ComponentName.c +++ /dev/null @@ -1,345 +0,0 @@ -/** @file - UEFI Component Name(2) protocol implementation for IPsec driver. - - Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
- - SPDX-License-Identifier: BSD-2-Clause-Patent - -**/ - -#include "IpSecImpl.h" - -// -// EFI Component Name Functions -// -/** - Retrieves a Unicode string that is the user-readable name of the driver. - - This function retrieves the user-readable name of a driver in the form o= f a - Unicode string. If the driver specified by This has a user-readable name= in - the language specified by Language, then a pointer to the driver name is - returned in DriverName, and EFI_SUCCESS is returned. If the driver speci= fied - by This does not support the language specified by Language, - then EFI_UNSUPPORTED is returned. - - @param[in] This A pointer to the EFI_COMPONENT_NAME2_PROTO= COL or - EFI_COMPONENT_NAME_PROTOCOL instance. - - @param[in] Language A pointer to a Null-terminated ASCII string - array indicating the language. This is the - language of the driver name that the calle= r is - requesting, and it must match one of the - languages specified in SupportedLanguages.= The - number of languages supported by a driver = is up - to the driver writer. Language is specified - in RFC 4646 or ISO 639-2 language code for= mat. - - @param[out] DriverName A pointer to the Unicode string to return. - This Unicode string is the name of the - driver specified by This in the language - specified by Language. - - @retval EFI_SUCCESS The Unicode string for the Driver specifie= d by - This and the language specified by Languag= e was - returned in DriverName. - - @retval EFI_INVALID_PARAMETER Language is NULL. - - @retval EFI_INVALID_PARAMETER DriverName is NULL. - - @retval EFI_UNSUPPORTED The driver specified by This does not supp= ort - the language specified by Language. - -**/ -EFI_STATUS -EFIAPI -IpSecComponentNameGetDriverName ( - IN EFI_COMPONENT_NAME_PROTOCOL *This, - IN CHAR8 *Language, - OUT CHAR16 **DriverName - ); - -/** - Retrieves a Unicode string that is the user-readable name of the control= ler - that is being managed by a driver. 
- - This function retrieves the user-readable name of the controller specifi= ed by - ControllerHandle and ChildHandle in the form of a Unicode string. If the - driver specified by This has a user-readable name in the language specif= ied by - Language, then a pointer to the controller name is returned in Controlle= rName, - and EFI_SUCCESS is returned. If the driver specified by This is not cur= rently - managing the controller specified by ControllerHandle and ChildHandle, - then EFI_UNSUPPORTED is returned. If the driver specified by This does = not - support the language specified by Language, then EFI_UNSUPPORTED is retu= rned. - - @param[in] This A pointer to the EFI_COMPONENT_NAME2_PROTO= COL or - EFI_COMPONENT_NAME_PROTOCOL instance. - - @param[in] ControllerHandle The handle of a controller that the driver - specified by This is managing. This handle - specifies the controller whose name is to = be - returned. - - @param[in] ChildHandle The handle of the child controller to retr= ieve - the name of. This is an optional paramete= r that - may be NULL. It will be NULL for device - drivers. It will also be NULL for a bus d= rivers - that wish to retrieve the name of the bus - controller. It will not be NULL for a bus - driver that wishes to retrieve the name of= a - child controller. - - @param[in] Language A pointer to a Null-terminated ASCII string - array indicating the language. This is the - language of the driver name that the calle= r is - requesting, and it must match one of the - languages specified in SupportedLanguages.= The - number of languages supported by a driver = is up - to the driver writer. Language is specifie= d in - RFC 4646 or ISO 639-2 language code format. - - @param[out] ControllerName A pointer to the Unicode string to return. - This Unicode string is the name of the - controller specified by ControllerHandle a= nd - ChildHandle in the language specified by - Language from the point of view of the dri= ver - specified by This. 
- - @retval EFI_SUCCESS The Unicode string for the user-readable n= ame in - the language specified by Language for the - driver specified by This was returned in - DriverName. - - @retval EFI_INVALID_PARAMETER ControllerHandle is NULL. - - @retval EFI_INVALID_PARAMETER ChildHandle is not NULL and it is not a va= lid - EFI_HANDLE. - - @retval EFI_INVALID_PARAMETER Language is NULL. - - @retval EFI_INVALID_PARAMETER ControllerName is NULL. - - @retval EFI_UNSUPPORTED The driver specified by This is not curren= tly - managing the controller specified by - ControllerHandle and ChildHandle. - - @retval EFI_UNSUPPORTED The driver specified by This does not supp= ort - the language specified by Language. - -**/ -EFI_STATUS -EFIAPI -IpSecComponentNameGetControllerName ( - IN EFI_COMPONENT_NAME_PROTOCOL *This, - IN EFI_HANDLE ControllerHandle, - IN EFI_HANDLE ChildHandle, OPTIONAL - IN CHAR8 *Language, - OUT CHAR16 **ControllerName - ); - -// -// EFI Component Name Protocol -// -GLOBAL_REMOVE_IF_UNREFERENCED EFI_COMPONENT_NAME_PROTOCOL gIpSecCompone= ntName =3D { - IpSecComponentNameGetDriverName, - IpSecComponentNameGetControllerName, - "eng" -}; - -// -// EFI Component Name 2 Protocol -// -GLOBAL_REMOVE_IF_UNREFERENCED EFI_COMPONENT_NAME2_PROTOCOL gIpSecCompo= nentName2 =3D { - (EFI_COMPONENT_NAME2_GET_DRIVER_NAME) IpSecComponentNameGetDriverName, - (EFI_COMPONENT_NAME2_GET_CONTROLLER_NAME) IpSecComponentNameGetControlle= rName, - "en" -}; - -GLOBAL_REMOVE_IF_UNREFERENCED EFI_UNICODE_STRING_TABLE mIpSecDriverNameTab= le[] =3D { - { - "eng;en", - L"IpSec Driver" - }, - { - NULL, - NULL - } -}; - -GLOBAL_REMOVE_IF_UNREFERENCED EFI_UNICODE_STRING_TABLE mIpSecControllerNam= eTable[] =3D { - { - "eng;en", - L"IPsec Controller" - }, - { - NULL, - NULL - } -}; - -/** - Retrieves a Unicode string that is the user-readable name of the driver. - - This function retrieves the user-readable name of a driver in the form o= f a - Unicode string. 
If the driver specified by This has a user-readable name= in - the language specified by Language, then a pointer to the driver name is - returned in DriverName, and EFI_SUCCESS is returned. If the driver speci= fied - by This does not support the language specified by Language, - then EFI_UNSUPPORTED is returned. - - @param[in] This A pointer to the EFI_COMPONENT_NAME2_PROTO= COL or - EFI_COMPONENT_NAME_PROTOCOL instance. - - @param[in] Language A pointer to a Null-terminated ASCII string - array indicating the language. This is the - language of the driver name that the calle= r is - requesting, and it must match one of the - languages specified in SupportedLanguages.= The - number of languages supported by a driver = is up - to the driver writer. Language is specified - in RFC 4646 or ISO 639-2 language code for= mat. - - @param[out] DriverName A pointer to the Unicode string to return. - This Unicode string is the name of the - driver specified by This in the language - specified by Language. - - @retval EFI_SUCCESS The Unicode string for the Driver specifie= d by - This, and the language specified by Langua= ge was - returned in DriverName. - - @retval EFI_INVALID_PARAMETER Language is NULL. - - @retval EFI_INVALID_PARAMETER DriverName is NULL. - - @retval EFI_UNSUPPORTED The driver specified by This does not supp= ort - the language specified by Language. - -**/ -EFI_STATUS -EFIAPI -IpSecComponentNameGetDriverName ( - IN EFI_COMPONENT_NAME_PROTOCOL *This, - IN CHAR8 *Language, - OUT CHAR16 **DriverName - ) -{ - return LookupUnicodeString2 ( - Language, - This->SupportedLanguages, - mIpSecDriverNameTable, - DriverName, - (BOOLEAN) (This =3D=3D &gIpSecComponentName) - ); -} - -/** - Retrieves a Unicode string that is the user-readable name of the control= ler - that is being managed by a driver. - - This function retrieves the user-readable name of the controller specifi= ed by - ControllerHandle and ChildHandle in the form of a Unicode string. 
If the - driver specified by This has a user-readable name in the language specif= ied by - Language, then a pointer to the controller name is returned in Controlle= rName, - and EFI_SUCCESS is returned. If the driver specified by This is not cur= rently - managing the controller specified by ControllerHandle and ChildHandle, - then EFI_UNSUPPORTED is returned. If the driver specified by This does = not - support the language specified by Language, then EFI_UNSUPPORTED is retu= rned. - - @param[in] This A pointer to the EFI_COMPONENT_NAME2_PROTO= COL or - EFI_COMPONENT_NAME_PROTOCOL instance. - - @param[in] ControllerHandle The handle of a controller that the driver - specified by This is managing. This handle - specifies the controller whose name is to = be - returned. - - @param[in] ChildHandle The handle of the child controller to retr= ieve - the name of. This is an optional paramete= r that - may be NULL. It will be NULL for device - drivers. It will also be NULL for a bus d= rivers - that wish to retrieve the name of the bus - controller. It will not be NULL for a bus - driver that wishes to retrieve the name of= a - child controller. - - @param[in] Language A pointer to a Null-terminated ASCII string - array indicating the language. This is the - language of the driver name that the calle= r is - requesting, and it must match one of the - languages specified in SupportedLanguages.= The - number of languages supported by a driver = is up - to the driver writer. Language is specifie= d in - RFC 4646 or ISO 639-2 language code format. - - @param[out] ControllerName A pointer to the Unicode string to return. - This Unicode string is the name of the - controller specified by ControllerHandle a= nd - ChildHandle in the language specified by - Language from the point of view of the dri= ver - specified by This. 
- - @retval EFI_SUCCESS The Unicode string for the user-readable n= ame in - the language specified by Language for the - driver specified by This was returned in - DriverName. - - @retval EFI_INVALID_PARAMETER ControllerHandle is NULL. - - @retval EFI_INVALID_PARAMETER ChildHandle is not NULL, and it is not a v= alid - EFI_HANDLE. - - @retval EFI_INVALID_PARAMETER Language is NULL. - - @retval EFI_INVALID_PARAMETER ControllerName is NULL. - - @retval EFI_UNSUPPORTED The driver specified by This is not curren= tly - managing the controller specified by - ControllerHandle and ChildHandle. - - @retval EFI_UNSUPPORTED The driver specified by This does not supp= ort - the language specified by Language. - -**/ -EFI_STATUS -EFIAPI -IpSecComponentNameGetControllerName ( - IN EFI_COMPONENT_NAME_PROTOCOL *This, - IN EFI_HANDLE ControllerHandle, - IN EFI_HANDLE ChildHandle, OPTIONAL - IN CHAR8 *Language, - OUT CHAR16 **ControllerName - ) -{ - EFI_STATUS Status; - - // - // ChildHandle must be NULL for a Device Driver - // - if (ChildHandle !=3D NULL) { - return EFI_UNSUPPORTED; - } - - // - // Make sure this driver is currently managing ControllerHandle - // - Status =3D gBS->OpenProtocol ( - ControllerHandle, - &gEfiIpSec2ProtocolGuid, - NULL, - NULL, - NULL, - EFI_OPEN_PROTOCOL_TEST_PROTOCOL - ); - if (EFI_ERROR (Status)) { - return Status; - } - - return LookupUnicodeString2 ( - Language, - This->SupportedLanguages, - mIpSecControllerNameTable, - ControllerName, - (BOOLEAN) (This =3D=3D &gIpSecComponentName) - ); -} diff --git a/NetworkPkg/IpSecDxe/IetfConstants.c b/NetworkPkg/IpSecDxe/Ietf= Constants.c deleted file mode 100644 index 36cc1b69d5..0000000000 --- a/NetworkPkg/IpSecDxe/IetfConstants.c +++ /dev/null @@ -1,382 +0,0 @@ -/** @file - Cryptographic Parameter Constant Definitions from IETF; - - Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.
- - SPDX-License-Identifier: BSD-2-Clause-Patent - -**/ - -#include "Ike.h" - -// -// "First Oakley Default Group" from RFC2409, section 6.1. -// -// The prime is: 2^768 - 2 ^704 - 1 + 2^64 * { [2^638 pi] + 149686 } -// -GLOBAL_REMOVE_IF_UNREFERENCED UINT8 Modp768Modulus[] =3D { - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xC9, 0x0F, 0xDA, 0xA2, - 0x21, 0x68, 0xC2, 0x34, 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, - 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, 0x02, 0x0B, 0xBE, 0xA6, - 0x3B, 0x13, 0x9B, 0x22, 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, - 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, 0x30, 0x2B, 0x0A, 0x6D, - 0xF2, 0x5F, 0x14, 0x37, 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, - 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, 0xF4, 0x4C, 0x42, 0xE9, - 0xA6, 0x3A, 0x36, 0x20, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF - }; - -// -// "Second Oakley Default Group" from RFC2409, section 6.2. -// -// The prime is: 2^1024 - 2^960 - 1 + 2^64 * { [2^894 pi] + 129093 }. -// -GLOBAL_REMOVE_IF_UNREFERENCED UINT8 Modp1024Modulus[] =3D { - 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2, - 0x21,0x68,0xC2,0x34,0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1, - 0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,0x02,0x0B,0xBE,0xA6, - 0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD, - 0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D, - 0xF2,0x5F,0x14,0x37,0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45, - 0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,0xF4,0x4C,0x42,0xE9, - 0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED, - 0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11, - 0x7C,0x4B,0x1F,0xE6,0x49,0x28,0x66,0x51,0xEC,0xE6,0x53,0x81, - 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, - }; - -// -// "1536-bit MODP Group" from RFC3526, Section 2. 
-// -// The prime is: 2^1536 - 2^1472 - 1 + 2^64 * { [2^1406 pi] + 741804 } -// -GLOBAL_REMOVE_IF_UNREFERENCED UINT8 Modp1536Modulus[]=3D{ - 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2, - 0x21,0x68,0xC2,0x34,0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1, - 0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,0x02,0x0B,0xBE,0xA6, - 0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD, - 0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D, - 0xF2,0x5F,0x14,0x37,0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45, - 0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,0xF4,0x4C,0x42,0xE9, - 0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED, - 0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11, - 0x7C,0x4B,0x1F,0xE6,0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D, - 0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,0x98,0xDA,0x48,0x36, - 0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F, - 0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56, - 0x20,0x85,0x52,0xBB,0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D, - 0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,0xF1,0x74,0x6C,0x08, - 0xCA,0x23,0x73,0x27,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, - }; - -// -// "2048-bit MODP Group" from RFC3526, Section 3. 
-// -// The prime is: 2^2048 - 2^1984 - 1 + 2^64 * { [2^1918 pi] + 124476 } -// -GLOBAL_REMOVE_IF_UNREFERENCED UINT8 Modp2048Modulus[]=3D{ - 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2, - 0x21,0x68,0xC2,0x34,0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1, - 0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,0x02,0x0B,0xBE,0xA6, - 0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD, - 0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D, - 0xF2,0x5F,0x14,0x37,0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45, - 0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,0xF4,0x4C,0x42,0xE9, - 0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED, - 0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11, - 0x7C,0x4B,0x1F,0xE6,0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D, - 0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,0x98,0xDA,0x48,0x36, - 0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F, - 0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56, - 0x20,0x85,0x52,0xBB,0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D, - 0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,0xF1,0x74,0x6C,0x08, - 0xCA,0x18,0x21,0x7C,0x32,0x90,0x5E,0x46,0x2E,0x36,0xCE,0x3B, - 0xE3,0x9E,0x77,0x2C,0x18,0x0E,0x86,0x03,0x9B,0x27,0x83,0xA2, - 0xEC,0x07,0xA2,0x8F,0xB5,0xC5,0x5D,0xF0,0x6F,0x4C,0x52,0xC9, - 0xDE,0x2B,0xCB,0xF6,0x95,0x58,0x17,0x18,0x39,0x95,0x49,0x7C, - 0xEA,0x95,0x6A,0xE5,0x15,0xD2,0x26,0x18,0x98,0xFA,0x05,0x10, - 0x15,0x72,0x8E,0x5A,0x8A,0xAC,0xAA,0x68,0xFF,0xFF,0xFF,0xFF, - 0xFF,0xFF,0xFF,0xFF, - }; - -// -// "3072-bit MODP Group" from RFC3526, Section 4. 
-// -// The prime is: 2^3072 - 2^3008 - 1 + 2^64 * { [2^2942 pi] + 1690314 } -// -GLOBAL_REMOVE_IF_UNREFERENCED UINT8 Modp3072Modulus[]=3D{ - 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2, - 0x21,0x68,0xC2,0x34,0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1, - 0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,0x02,0x0B,0xBE,0xA6, - 0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD, - 0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D, - 0xF2,0x5F,0x14,0x37,0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45, - 0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,0xF4,0x4C,0x42,0xE9, - 0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED, - 0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11, - 0x7C,0x4B,0x1F,0xE6,0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D, - 0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,0x98,0xDA,0x48,0x36, - 0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F, - 0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56, - 0x20,0x85,0x52,0xBB,0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D, - 0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,0xF1,0x74,0x6C,0x08, - 0xCA,0x18,0x21,0x7C,0x32,0x90,0x5E,0x46,0x2E,0x36,0xCE,0x3B, - 0xE3,0x9E,0x77,0x2C,0x18,0x0E,0x86,0x03,0x9B,0x27,0x83,0xA2, - 0xEC,0x07,0xA2,0x8F,0xB5,0xC5,0x5D,0xF0,0x6F,0x4C,0x52,0xC9, - 0xDE,0x2B,0xCB,0xF6,0x95,0x58,0x17,0x18,0x39,0x95,0x49,0x7C, - 0xEA,0x95,0x6A,0xE5,0x15,0xD2,0x26,0x18,0x98,0xFA,0x05,0x10, - 0x15,0x72,0x8E,0x5A,0x8A,0xAA,0xC4,0x2D,0xAD,0x33,0x17,0x0D, - 0x04,0x50,0x7A,0x33,0xA8,0x55,0x21,0xAB,0xDF,0x1C,0xBA,0x64, - 0xEC,0xFB,0x85,0x04,0x58,0xDB,0xEF,0x0A,0x8A,0xEA,0x71,0x57, - 0x5D,0x06,0x0C,0x7D,0xB3,0x97,0x0F,0x85,0xA6,0xE1,0xE4,0xC7, - 0xAB,0xF5,0xAE,0x8C,0xDB,0x09,0x33,0xD7,0x1E,0x8C,0x94,0xE0, - 0x4A,0x25,0x61,0x9D,0xCE,0xE3,0xD2,0x26,0x1A,0xD2,0xEE,0x6B, - 0xF1,0x2F,0xFA,0x06,0xD9,0x8A,0x08,0x64,0xD8,0x76,0x02,0x73, - 0x3E,0xC8,0x6A,0x64,0x52,0x1F,0x2B,0x18,0x17,0x7B,0x20,0x0C, - 0xBB,0xE1,0x17,0x57,0x7A,0x61,0x5D,0x6C,0x77,0x09,0x88,0xC0, - 
0xBA,0xD9,0x46,0xE2,0x08,0xE2,0x4F,0xA0,0x74,0xE5,0xAB,0x31, - 0x43,0xDB,0x5B,0xFC,0xE0,0xFD,0x10,0x8E,0x4B,0x82,0xD1,0x20, - 0xA9,0x3A,0xD2,0xCA,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, - }; - -// -// "4096-bit MODP Group" from RFC3526, Section 5. -// -// The prime is: 2^4096 - 2^4032 - 1 + 2^64 * { [2^3966 pi] + 240904 } -// -GLOBAL_REMOVE_IF_UNREFERENCED UINT8 Modp4096Modulus[]=3D{ - 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2, - 0x21,0x68,0xC2,0x34,0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1, - 0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,0x02,0x0B,0xBE,0xA6, - 0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD, - 0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D, - 0xF2,0x5F,0x14,0x37,0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45, - 0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,0xF4,0x4C,0x42,0xE9, - 0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED, - 0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11, - 0x7C,0x4B,0x1F,0xE6,0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D, - 0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,0x98,0xDA,0x48,0x36, - 0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F, - 0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56, - 0x20,0x85,0x52,0xBB,0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D, - 0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,0xF1,0x74,0x6C,0x08, - 0xCA,0x18,0x21,0x7C,0x32,0x90,0x5E,0x46,0x2E,0x36,0xCE,0x3B, - 0xE3,0x9E,0x77,0x2C,0x18,0x0E,0x86,0x03,0x9B,0x27,0x83,0xA2, - 0xEC,0x07,0xA2,0x8F,0xB5,0xC5,0x5D,0xF0,0x6F,0x4C,0x52,0xC9, - 0xDE,0x2B,0xCB,0xF6,0x95,0x58,0x17,0x18,0x39,0x95,0x49,0x7C, - 0xEA,0x95,0x6A,0xE5,0x15,0xD2,0x26,0x18,0x98,0xFA,0x05,0x10, - 0x15,0x72,0x8E,0x5A,0x8A,0xAA,0xC4,0x2D,0xAD,0x33,0x17,0x0D, - 0x04,0x50,0x7A,0x33,0xA8,0x55,0x21,0xAB,0xDF,0x1C,0xBA,0x64, - 0xEC,0xFB,0x85,0x04,0x58,0xDB,0xEF,0x0A,0x8A,0xEA,0x71,0x57, - 0x5D,0x06,0x0C,0x7D,0xB3,0x97,0x0F,0x85,0xA6,0xE1,0xE4,0xC7, - 0xAB,0xF5,0xAE,0x8C,0xDB,0x09,0x33,0xD7,0x1E,0x8C,0x94,0xE0, - 
0x4A,0x25,0x61,0x9D,0xCE,0xE3,0xD2,0x26,0x1A,0xD2,0xEE,0x6B, - 0xF1,0x2F,0xFA,0x06,0xD9,0x8A,0x08,0x64,0xD8,0x76,0x02,0x73, - 0x3E,0xC8,0x6A,0x64,0x52,0x1F,0x2B,0x18,0x17,0x7B,0x20,0x0C, - 0xBB,0xE1,0x17,0x57,0x7A,0x61,0x5D,0x6C,0x77,0x09,0x88,0xC0, - 0xBA,0xD9,0x46,0xE2,0x08,0xE2,0x4F,0xA0,0x74,0xE5,0xAB,0x31, - 0x43,0xDB,0x5B,0xFC,0xE0,0xFD,0x10,0x8E,0x4B,0x82,0xD1,0x20, - 0xA9,0x21,0x08,0x01,0x1A,0x72,0x3C,0x12,0xA7,0x87,0xE6,0xD7, - 0x88,0x71,0x9A,0x10,0xBD,0xBA,0x5B,0x26,0x99,0xC3,0x27,0x18, - 0x6A,0xF4,0xE2,0x3C,0x1A,0x94,0x68,0x34,0xB6,0x15,0x0B,0xDA, - 0x25,0x83,0xE9,0xCA,0x2A,0xD4,0x4C,0xE8,0xDB,0xBB,0xC2,0xDB, - 0x04,0xDE,0x8E,0xF9,0x2E,0x8E,0xFC,0x14,0x1F,0xBE,0xCA,0xA6, - 0x28,0x7C,0x59,0x47,0x4E,0x6B,0xC0,0x5D,0x99,0xB2,0x96,0x4F, - 0xA0,0x90,0xC3,0xA2,0x23,0x3B,0xA1,0x86,0x51,0x5B,0xE7,0xED, - 0x1F,0x61,0x29,0x70,0xCE,0xE2,0xD7,0xAF,0xB8,0x1B,0xDD,0x76, - 0x21,0x70,0x48,0x1C,0xD0,0x06,0x91,0x27,0xD5,0xB0,0x5A,0xA9, - 0x93,0xB4,0xEA,0x98,0x8D,0x8F,0xDD,0xC1,0x86,0xFF,0xB7,0xDC, - 0x90,0xA6,0xC0,0x8F,0x4D,0xF4,0x35,0xC9,0x34,0x06,0x31,0x99, - 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, - }; - -// -// "6144-bit MODP Group" from RFC3526, Section 6. 
-// -// The prime is: 2^6144 - 2^6080 - 1 + 2^64 * { [2^6014 pi] + 929484 } -// -GLOBAL_REMOVE_IF_UNREFERENCED UINT8 Modp6144Modulus[]=3D{ - 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2, - 0x21,0x68,0xC2,0x34,0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1, - 0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,0x02,0x0B,0xBE,0xA6, - 0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD, - 0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D, - 0xF2,0x5F,0x14,0x37,0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45, - 0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,0xF4,0x4C,0x42,0xE9, - 0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED, - 0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11, - 0x7C,0x4B,0x1F,0xE6,0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D, - 0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,0x98,0xDA,0x48,0x36, - 0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F, - 0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56, - 0x20,0x85,0x52,0xBB,0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D, - 0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,0xF1,0x74,0x6C,0x08, - 0xCA,0x18,0x21,0x7C,0x32,0x90,0x5E,0x46,0x2E,0x36,0xCE,0x3B, - 0xE3,0x9E,0x77,0x2C,0x18,0x0E,0x86,0x03,0x9B,0x27,0x83,0xA2, - 0xEC,0x07,0xA2,0x8F,0xB5,0xC5,0x5D,0xF0,0x6F,0x4C,0x52,0xC9, - 0xDE,0x2B,0xCB,0xF6,0x95,0x58,0x17,0x18,0x39,0x95,0x49,0x7C, - 0xEA,0x95,0x6A,0xE5,0x15,0xD2,0x26,0x18,0x98,0xFA,0x05,0x10, - 0x15,0x72,0x8E,0x5A,0x8A,0xAA,0xC4,0x2D,0xAD,0x33,0x17,0x0D, - 0x04,0x50,0x7A,0x33,0xA8,0x55,0x21,0xAB,0xDF,0x1C,0xBA,0x64, - 0xEC,0xFB,0x85,0x04,0x58,0xDB,0xEF,0x0A,0x8A,0xEA,0x71,0x57, - 0x5D,0x06,0x0C,0x7D,0xB3,0x97,0x0F,0x85,0xA6,0xE1,0xE4,0xC7, - 0xAB,0xF5,0xAE,0x8C,0xDB,0x09,0x33,0xD7,0x1E,0x8C,0x94,0xE0, - 0x4A,0x25,0x61,0x9D,0xCE,0xE3,0xD2,0x26,0x1A,0xD2,0xEE,0x6B, - 0xF1,0x2F,0xFA,0x06,0xD9,0x8A,0x08,0x64,0xD8,0x76,0x02,0x73, - 0x3E,0xC8,0x6A,0x64,0x52,0x1F,0x2B,0x18,0x17,0x7B,0x20,0x0C, - 0xBB,0xE1,0x17,0x57,0x7A,0x61,0x5D,0x6C,0x77,0x09,0x88,0xC0, - 
0xBA,0xD9,0x46,0xE2,0x08,0xE2,0x4F,0xA0,0x74,0xE5,0xAB,0x31, - 0x43,0xDB,0x5B,0xFC,0xE0,0xFD,0x10,0x8E,0x4B,0x82,0xD1,0x20, - 0xA9,0x21,0x08,0x01,0x1A,0x72,0x3C,0x12,0xA7,0x87,0xE6,0xD7, - 0x88,0x71,0x9A,0x10,0xBD,0xBA,0x5B,0x26,0x99,0xC3,0x27,0x18, - 0x6A,0xF4,0xE2,0x3C,0x1A,0x94,0x68,0x34,0xB6,0x15,0x0B,0xDA, - 0x25,0x83,0xE9,0xCA,0x2A,0xD4,0x4C,0xE8,0xDB,0xBB,0xC2,0xDB, - 0x04,0xDE,0x8E,0xF9,0x2E,0x8E,0xFC,0x14,0x1F,0xBE,0xCA,0xA6, - 0x28,0x7C,0x59,0x47,0x4E,0x6B,0xC0,0x5D,0x99,0xB2,0x96,0x4F, - 0xA0,0x90,0xC3,0xA2,0x23,0x3B,0xA1,0x86,0x51,0x5B,0xE7,0xED, - 0x1F,0x61,0x29,0x70,0xCE,0xE2,0xD7,0xAF,0xB8,0x1B,0xDD,0x76, - 0x21,0x70,0x48,0x1C,0xD0,0x06,0x91,0x27,0xD5,0xB0,0x5A,0xA9, - 0x93,0xB4,0xEA,0x98,0x8D,0x8F,0xDD,0xC1,0x86,0xFF,0xB7,0xDC, - 0x90,0xA6,0xC0,0x8F,0x4D,0xF4,0x35,0xC9,0x34,0x02,0x84,0x92, - 0x36,0xC3,0xFA,0xB4,0xD2,0x7C,0x70,0x26,0xC1,0xD4,0xDC,0xB2, - 0x60,0x26,0x46,0xDE,0xC9,0x75,0x1E,0x76,0x3D,0xBA,0x37,0xBD, - 0xF8,0xFF,0x94,0x06,0xAD,0x9E,0x53,0x0E,0xE5,0xDB,0x38,0x2F, - 0x41,0x30,0x01,0xAE,0xB0,0x6A,0x53,0xED,0x90,0x27,0xD8,0x31, - 0x17,0x97,0x27,0xB0,0x86,0x5A,0x89,0x18,0xDA,0x3E,0xDB,0xEB, - 0xCF,0x9B,0x14,0xED,0x44,0xCE,0x6C,0xBA,0xCE,0xD4,0xBB,0x1B, - 0xDB,0x7F,0x14,0x47,0xE6,0xCC,0x25,0x4B,0x33,0x20,0x51,0x51, - 0x2B,0xD7,0xAF,0x42,0x6F,0xB8,0xF4,0x01,0x37,0x8C,0xD2,0xBF, - 0x59,0x83,0xCA,0x01,0xC6,0x4B,0x92,0xEC,0xF0,0x32,0xEA,0x15, - 0xD1,0x72,0x1D,0x03,0xF4,0x82,0xD7,0xCE,0x6E,0x74,0xFE,0xF6, - 0xD5,0x5E,0x70,0x2F,0x46,0x98,0x0C,0x82,0xB5,0xA8,0x40,0x31, - 0x90,0x0B,0x1C,0x9E,0x59,0xE7,0xC9,0x7F,0xBE,0xC7,0xE8,0xF3, - 0x23,0xA9,0x7A,0x7E,0x36,0xCC,0x88,0xBE,0x0F,0x1D,0x45,0xB7, - 0xFF,0x58,0x5A,0xC5,0x4B,0xD4,0x07,0xB2,0x2B,0x41,0x54,0xAA, - 0xCC,0x8F,0x6D,0x7E,0xBF,0x48,0xE1,0xD8,0x14,0xCC,0x5E,0xD2, - 0x0F,0x80,0x37,0xE0,0xA7,0x97,0x15,0xEE,0xF2,0x9B,0xE3,0x28, - 0x06,0xA1,0xD5,0x8B,0xB7,0xC5,0xDA,0x76,0xF5,0x50,0xAA,0x3D, - 0x8A,0x1F,0xBF,0xF0,0xEB,0x19,0xCC,0xB1,0xA3,0x13,0xD5,0x5C, - 
0xDA,0x56,0xC9,0xEC,0x2E,0xF2,0x96,0x32,0x38,0x7F,0xE8,0xD7, - 0x6E,0x3C,0x04,0x68,0x04,0x3E,0x8F,0x66,0x3F,0x48,0x60,0xEE, - 0x12,0xBF,0x2D,0x5B,0x0B,0x74,0x74,0xD6,0xE6,0x94,0xF9,0x1E, - 0x6D,0xCC,0x40,0x24,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, - }; - -// -// "8192-bit MODP Group" from RFC3526, Section 7. -// -// The prime is: 2^8192 - 2^8128 - 1 + 2^64 * { [2^8062 pi] + 4743158 } -// -GLOBAL_REMOVE_IF_UNREFERENCED UINT8 Modp8192Modulus[]=3D{ - 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2, - 0x21,0x68,0xC2,0x34,0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1, - 0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,0x02,0x0B,0xBE,0xA6, - 0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD, - 0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D, - 0xF2,0x5F,0x14,0x37,0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45, - 0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,0xF4,0x4C,0x42,0xE9, - 0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED, - 0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11, - 0x7C,0x4B,0x1F,0xE6,0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D, - 0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,0x98,0xDA,0x48,0x36, - 0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F, - 0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56, - 0x20,0x85,0x52,0xBB,0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D, - 0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,0xF1,0x74,0x6C,0x08, - 0xCA,0x18,0x21,0x7C,0x32,0x90,0x5E,0x46,0x2E,0x36,0xCE,0x3B, - 0xE3,0x9E,0x77,0x2C,0x18,0x0E,0x86,0x03,0x9B,0x27,0x83,0xA2, - 0xEC,0x07,0xA2,0x8F,0xB5,0xC5,0x5D,0xF0,0x6F,0x4C,0x52,0xC9, - 0xDE,0x2B,0xCB,0xF6,0x95,0x58,0x17,0x18,0x39,0x95,0x49,0x7C, - 0xEA,0x95,0x6A,0xE5,0x15,0xD2,0x26,0x18,0x98,0xFA,0x05,0x10, - 0x15,0x72,0x8E,0x5A,0x8A,0xAA,0xC4,0x2D,0xAD,0x33,0x17,0x0D, - 0x04,0x50,0x7A,0x33,0xA8,0x55,0x21,0xAB,0xDF,0x1C,0xBA,0x64, - 0xEC,0xFB,0x85,0x04,0x58,0xDB,0xEF,0x0A,0x8A,0xEA,0x71,0x57, - 0x5D,0x06,0x0C,0x7D,0xB3,0x97,0x0F,0x85,0xA6,0xE1,0xE4,0xC7, - 
0xAB,0xF5,0xAE,0x8C,0xDB,0x09,0x33,0xD7,0x1E,0x8C,0x94,0xE0, - 0x4A,0x25,0x61,0x9D,0xCE,0xE3,0xD2,0x26,0x1A,0xD2,0xEE,0x6B, - 0xF1,0x2F,0xFA,0x06,0xD9,0x8A,0x08,0x64,0xD8,0x76,0x02,0x73, - 0x3E,0xC8,0x6A,0x64,0x52,0x1F,0x2B,0x18,0x17,0x7B,0x20,0x0C, - 0xBB,0xE1,0x17,0x57,0x7A,0x61,0x5D,0x6C,0x77,0x09,0x88,0xC0, - 0xBA,0xD9,0x46,0xE2,0x08,0xE2,0x4F,0xA0,0x74,0xE5,0xAB,0x31, - 0x43,0xDB,0x5B,0xFC,0xE0,0xFD,0x10,0x8E,0x4B,0x82,0xD1,0x20, - 0xA9,0x21,0x08,0x01,0x1A,0x72,0x3C,0x12,0xA7,0x87,0xE6,0xD7, - 0x88,0x71,0x9A,0x10,0xBD,0xBA,0x5B,0x26,0x99,0xC3,0x27,0x18, - 0x6A,0xF4,0xE2,0x3C,0x1A,0x94,0x68,0x34,0xB6,0x15,0x0B,0xDA, - 0x25,0x83,0xE9,0xCA,0x2A,0xD4,0x4C,0xE8,0xDB,0xBB,0xC2,0xDB, - 0x04,0xDE,0x8E,0xF9,0x2E,0x8E,0xFC,0x14,0x1F,0xBE,0xCA,0xA6, - 0x28,0x7C,0x59,0x47,0x4E,0x6B,0xC0,0x5D,0x99,0xB2,0x96,0x4F, - 0xA0,0x90,0xC3,0xA2,0x23,0x3B,0xA1,0x86,0x51,0x5B,0xE7,0xED, - 0x1F,0x61,0x29,0x70,0xCE,0xE2,0xD7,0xAF,0xB8,0x1B,0xDD,0x76, - 0x21,0x70,0x48,0x1C,0xD0,0x06,0x91,0x27,0xD5,0xB0,0x5A,0xA9, - 0x93,0xB4,0xEA,0x98,0x8D,0x8F,0xDD,0xC1,0x86,0xFF,0xB7,0xDC, - 0x90,0xA6,0xC0,0x8F,0x4D,0xF4,0x35,0xC9,0x34,0x02,0x84,0x92, - 0x36,0xC3,0xFA,0xB4,0xD2,0x7C,0x70,0x26,0xC1,0xD4,0xDC,0xB2, - 0x60,0x26,0x46,0xDE,0xC9,0x75,0x1E,0x76,0x3D,0xBA,0x37,0xBD, - 0xF8,0xFF,0x94,0x06,0xAD,0x9E,0x53,0x0E,0xE5,0xDB,0x38,0x2F, - 0x41,0x30,0x01,0xAE,0xB0,0x6A,0x53,0xED,0x90,0x27,0xD8,0x31, - 0x17,0x97,0x27,0xB0,0x86,0x5A,0x89,0x18,0xDA,0x3E,0xDB,0xEB, - 0xCF,0x9B,0x14,0xED,0x44,0xCE,0x6C,0xBA,0xCE,0xD4,0xBB,0x1B, - 0xDB,0x7F,0x14,0x47,0xE6,0xCC,0x25,0x4B,0x33,0x20,0x51,0x51, - 0x2B,0xD7,0xAF,0x42,0x6F,0xB8,0xF4,0x01,0x37,0x8C,0xD2,0xBF, - 0x59,0x83,0xCA,0x01,0xC6,0x4B,0x92,0xEC,0xF0,0x32,0xEA,0x15, - 0xD1,0x72,0x1D,0x03,0xF4,0x82,0xD7,0xCE,0x6E,0x74,0xFE,0xF6, - 0xD5,0x5E,0x70,0x2F,0x46,0x98,0x0C,0x82,0xB5,0xA8,0x40,0x31, - 0x90,0x0B,0x1C,0x9E,0x59,0xE7,0xC9,0x7F,0xBE,0xC7,0xE8,0xF3, - 0x23,0xA9,0x7A,0x7E,0x36,0xCC,0x88,0xBE,0x0F,0x1D,0x45,0xB7, - 
0xFF,0x58,0x5A,0xC5,0x4B,0xD4,0x07,0xB2,0x2B,0x41,0x54,0xAA, - 0xCC,0x8F,0x6D,0x7E,0xBF,0x48,0xE1,0xD8,0x14,0xCC,0x5E,0xD2, - 0x0F,0x80,0x37,0xE0,0xA7,0x97,0x15,0xEE,0xF2,0x9B,0xE3,0x28, - 0x06,0xA1,0xD5,0x8B,0xB7,0xC5,0xDA,0x76,0xF5,0x50,0xAA,0x3D, - 0x8A,0x1F,0xBF,0xF0,0xEB,0x19,0xCC,0xB1,0xA3,0x13,0xD5,0x5C, - 0xDA,0x56,0xC9,0xEC,0x2E,0xF2,0x96,0x32,0x38,0x7F,0xE8,0xD7, - 0x6E,0x3C,0x04,0x68,0x04,0x3E,0x8F,0x66,0x3F,0x48,0x60,0xEE, - 0x12,0xBF,0x2D,0x5B,0x0B,0x74,0x74,0xD6,0xE6,0x94,0xF9,0x1E, - 0x6D,0xBE,0x11,0x59,0x74,0xA3,0x92,0x6F,0x12,0xFE,0xE5,0xE4, - 0x38,0x77,0x7C,0xB6,0xA9,0x32,0xDF,0x8C,0xD8,0xBE,0xC4,0xD0, - 0x73,0xB9,0x31,0xBA,0x3B,0xC8,0x32,0xB6,0x8D,0x9D,0xD3,0x00, - 0x74,0x1F,0xA7,0xBF,0x8A,0xFC,0x47,0xED,0x25,0x76,0xF6,0x93, - 0x6B,0xA4,0x24,0x66,0x3A,0xAB,0x63,0x9C,0x5A,0xE4,0xF5,0x68, - 0x34,0x23,0xB4,0x74,0x2B,0xF1,0xC9,0x78,0x23,0x8F,0x16,0xCB, - 0xE3,0x9D,0x65,0x2D,0xE3,0xFD,0xB8,0xBE,0xFC,0x84,0x8A,0xD9, - 0x22,0x22,0x2E,0x04,0xA4,0x03,0x7C,0x07,0x13,0xEB,0x57,0xA8, - 0x1A,0x23,0xF0,0xC7,0x34,0x73,0xFC,0x64,0x6C,0xEA,0x30,0x6B, - 0x4B,0xCB,0xC8,0x86,0x2F,0x83,0x85,0xDD,0xFA,0x9D,0x4B,0x7F, - 0xA2,0xC0,0x87,0xE8,0x79,0x68,0x33,0x03,0xED,0x5B,0xDD,0x3A, - 0x06,0x2B,0x3C,0xF5,0xB3,0xA2,0x78,0xA6,0x6D,0x2A,0x13,0xF8, - 0x3F,0x44,0xF8,0x2D,0xDF,0x31,0x0E,0xE0,0x74,0xAB,0x6A,0x36, - 0x45,0x97,0xE8,0x99,0xA0,0x25,0x5D,0xC1,0x64,0xF3,0x1C,0xC5, - 0x08,0x46,0x85,0x1D,0xF9,0xAB,0x48,0x19,0x5D,0xED,0x7E,0xA1, - 0xB1,0xD5,0x10,0xBD,0x7E,0xE7,0x4D,0x73,0xFA,0xF3,0x6B,0xC3, - 0x1E,0xCF,0xA2,0x68,0x35,0x90,0x46,0xF4,0xEB,0x87,0x9F,0x92, - 0x40,0x09,0x43,0x8B,0x48,0x1C,0x6C,0xD7,0x88,0x9A,0x00,0x2E, - 0xD5,0xEE,0x38,0x2B,0xC9,0x19,0x0D,0xA6,0xFC,0x02,0x6E,0x47, - 0x95,0x58,0xE4,0x47,0x56,0x77,0xE9,0xAA,0x9E,0x30,0x50,0xE2, - 0x76,0x56,0x94,0xDF,0xC8,0x1F,0x56,0xE8,0x80,0xB9,0x6E,0x71, - 0x60,0xC9,0x80,0xDD,0x98,0xED,0xD3,0xDF,0xFF,0xFF,0xFF,0xFF, - 0xFF,0xFF,0xFF,0xFF, - }; - -// -// Pre-defined Oakley MODP Groups -// -#define DH_GENERATOR_2 2 
-GLOBAL_REMOVE_IF_UNREFERENCED CONST MODP_GROUP OakleyModpGroup[] =3D { - {0, 0, NULL, 0}, //Undefined - {OakleyGroupModp768, 768, Modp768Modulus, DH_GENERATOR_2}, - {OakleyGroupModp1024, 1024, Modp1024Modulus, DH_GENERATOR_2}, - {0, 0, NULL, 0}, // For ECC. UnSup= ported - {0, 0, NULL, 0}, // For ECC. Unsup= ported - {OakleyGroupModp1536, 1536, Modp1536Modulus, DH_GENERATOR_2}, - {0, 0, NULL, 0}, //Undefined - {0, 0, NULL, 0}, //Undefined - {0, 0, NULL, 0}, //Undefined - {0, 0, NULL, 0}, //Undefined - {0, 0, NULL, 0}, //Undefined - {0, 0, NULL, 0}, //Undefined - {0, 0, NULL, 0}, //Undefined - {0, 0, NULL, 0}, //Undefined - {OakleyGroupModp2048, 2048, Modp2048Modulus, DH_GENERATOR_2}, - {OakleyGroupModp3072, 3072, Modp3072Modulus, DH_GENERATOR_2}, - {OakleyGroupModp4096, 4096, Modp4096Modulus, DH_GENERATOR_2}, - {OakleyGroupModp6144, 6144, Modp6144Modulus, DH_GENERATOR_2}, - {OakleyGroupModp8192, 8192, Modp8192Modulus, DH_GENERATOR_2}, -}; diff --git a/NetworkPkg/IpSecDxe/Ike.h b/NetworkPkg/IpSecDxe/Ike.h deleted file mode 100644 index 191f95e9fe..0000000000 --- a/NetworkPkg/IpSecDxe/Ike.h +++ /dev/null @@ -1,260 +0,0 @@ -/** @file - The common definition of IPsec Key Exchange (IKE). - - Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.
- - SPDX-License-Identifier: BSD-2-Clause-Patent - - -**/ - -#ifndef _IKE_H_ -#define _IKE_H_ - -#include -#include -#include "IpSecImpl.h" - -#define IKE_VERSION_MAJOR_MASK 0xf0 -#define IKE_VERSION_MINOR_MASK 0x0f - -#define IKE_MAJOR_VERSION(v) (((v) & IKE_VERSION_MAJOR_MASK) >> 4) -#define IKE_MINOR_VERSION(v) ((v) & IKE_VERSION_MINOR_MASK) - -// -// Protocol Value Use in IKEv1 and IKEv2 -// -#define IPSEC_PROTO_ISAKMP 1 -#define IPSEC_PROTO_IPSEC_AH 2 -#define IPSEC_PROTO_IPSEC_ESP 3 -#define IPSEC_PROTO_IPCOMP 4 // For IKEv1 this value is reserved - -// -// For Algorithm search in support list.Last two types are for IKEv2 only. -// -#define IKE_ENCRYPT_TYPE 0 -#define IKE_AUTH_TYPE 1 -#define IKE_PRF_TYPE 2 -#define IKE_DH_TYPE 3 - -// -// Encryption Algorithm present in IKEv1 phasrs2 and IKEv2 transform paylo= ad (Transform Type 1) -// -#define IPSEC_ESP_DES_IV64 1 -#define IPSEC_ESP_DES 2 -#define IPSEC_ESP_3DES 3 -#define IPSEC_ESP_RC5 4 -#define IPSEC_ESP_IDEA 5 -#define IPSEC_ESP_CAST 6 -#define IPSEC_ESP_BLOWFISH 7 -#define IPSEC_ESP_3IDEA 8 -#define IPSEC_ESP_DES_IV32 9 -#define IPSEC_ESP_RC4 10 // It's reserved in IKEv2 -#define IPSEC_ESP_NULL 11 -#define IPSEC_ESP_AES 12 - -#define IKE_XCG_TYPE_NONE 0 -#define IKE_XCG_TYPE_BASE 1 -#define IKE_XCG_TYPE_IDENTITY_PROTECT 2 -#define IKE_XCG_TYPE_AUTH_ONLY 3 -#define IKE_XCG_TYPE_AGGR 4 -#define IKE_XCG_TYPE_INFO 5 -#define IKE_XCG_TYPE_QM 32 -#define IKE_XCG_TYPE_NGM 33 -#define IKE_XCG_TYPE_SA_INIT 34 -#define IKE_XCG_TYPE_AUTH 35 -#define IKE_XCG_TYPE_CREATE_CHILD_SA 36 -#define IKE_XCG_TYPE_INFO2 37 - -#define IKE_LIFE_TYPE_SECONDS 1 -#define IKE_LIFE_TYPE_KILOBYTES 2 - -// -// Deafult IKE SA lifetime and CHILD SA lifetime -// -#define IKE_SA_DEFAULT_LIFETIME 1200 -#define CHILD_SA_DEFAULT_LIFETIME 3600 - -// -// Next payload type presented within Proposal payload -// -#define IKE_PROPOSAL_NEXT_PAYLOAD_MORE 2 -#define IKE_PROPOSAL_NEXT_PAYLOAD_NONE 0 - -// -// Next payload type presented within 
Transform payload -// -#define IKE_TRANSFORM_NEXT_PAYLOAD_MORE 3 -#define IKE_TRANSFORM_NEXT_PAYLOAD_NONE 0 - -// -// Max size of the SA attribute -// -#define MAX_SA_ATTRS_SIZE 48 -#define SA_ATTR_FORMAT_BIT 0x8000 -// -// The definition for Information Message ID. -// -#define INFO_MID_SIGNATURE SIGNATURE_32 ('I', 'N', 'F', 'M') - -// -// Type for the IKE SESSION COMMON -// -typedef enum { - IkeSessionTypeIkeSa, - IkeSessionTypeChildSa, - IkeSessionTypeInfo, - IkeSessionTypeMax -} IKE_SESSION_TYPE; - -// -// The DH Group ID defined RFC3526 and RFC 2409 -// -typedef enum { - OakleyGroupModp768 =3D 1, - OakleyGroupModp1024 =3D 2, - OakleyGroupGp155 =3D 3, // Unsupported Now. - OakleyGroupGp185 =3D 4, // Unsupported Now. - OakleyGroupModp1536 =3D 5, - - OakleyGroupModp2048 =3D 14, - OakleyGroupModp3072 =3D 15, - OakleyGroupModp4096 =3D 16, - OakleyGroupModp6144 =3D 17, - OakleyGroupModp8192 =3D 18, - OakleyGroupMax -} OAKLEY_GROUP_ID; - -// -// IKE Header -// -#pragma pack(1) -typedef struct { - UINT64 InitiatorCookie; - UINT64 ResponderCookie; - UINT8 NextPayload; - UINT8 Version; - UINT8 ExchangeType; - UINT8 Flags; - UINT32 MessageId; - UINT32 Length; -} IKE_HEADER; -#pragma pack() - -typedef union { - UINT16 AttrLength; - UINT16 AttrValue; -} IKE_SA_ATTR_UNION; - -// -// SA Attribute present in Transform Payload -// -#pragma pack(1) -typedef struct { - UINT16 AttrType; - IKE_SA_ATTR_UNION Attr; -} IKE_SA_ATTRIBUTE; -#pragma pack() - -// -// Contains the IKE packet information. -// -typedef struct { - UINTN RefCount; - BOOLEAN IsHdrExt; - IKE_HEADER *Header; - BOOLEAN IsPayloadsBufExt; - UINT8 *PayloadsBuf; // The whole IkePakcet trimed the IKE = header. 
- UINTN PayloadTotalSize; - LIST_ENTRY PayloadList; - EFI_IP_ADDRESS RemotePeerIp; - BOOLEAN IsEncoded; // whether HTON is done when sending t= he packet - UINT32 Spi; // For the Delete Information Exchange - BOOLEAN IsDeleteInfo; // For the Delete Information Exchange - IPSEC_PRIVATE_DATA *Private; // For the Delete Information Exchange -} IKE_PACKET; - -// -// The generic structure to all kinds of IKE payloads. -// -typedef struct { - UINT32 Signature; - BOOLEAN IsPayloadBufExt; - UINT8 PayloadType; - UINT8 *PayloadBuf; - UINTN PayloadSize; - LIST_ENTRY ByPacket; -} IKE_PAYLOAD; - -// -// Udp Service -// -typedef struct { - UINT32 Signature; - UINT8 IpVersion; - LIST_ENTRY List; - LIST_ENTRY *ListHead; - EFI_HANDLE NicHandle; - EFI_HANDLE ImageHandle; - UDP_IO *Input; - UDP_IO *Output; - EFI_IP_ADDRESS DefaultAddress; - BOOLEAN IsConfigured; -} IKE_UDP_SERVICE; - -// -// Each IKE session has its own Key sets for local peer and remote peer. -// -typedef struct { - EFI_IPSEC_ALGO_INFO LocalPeerInfo; - EFI_IPSEC_ALGO_INFO RemotePeerInfo; -} SA_KEYMATS; - -// -// Each algorithm has its own Id, Guid, BlockSize and KeyLength. -// This struct contains these information for each algorithm. It is generi= c structure -// for both encryption and authentication algorithm. -// For authentication algorithm, the AlgSize means IcvSize. For encryption= algorithm, -// it means IvSize. -// -#pragma pack(1) -typedef struct { - UINT8 AlgorithmId; // Encryption or Authentication Id used by = ESP/AH - EFI_GUID *AlgGuid; - UINT8 AlgSize; // IcvSize or IvSize - UINT8 BlockSize; - UINTN KeyMateLen; -} IKE_ALG_GUID_INFO; // For IPsec Authentication and Encryption Algorith= m. -#pragma pack() - -// -// Structure used to store the DH group -// -typedef struct { - UINT8 GroupId; - UINTN Size; - UINT8 *Modulus; - UINTN GroupGenerator; -} MODP_GROUP; - -/** - This is prototype definition of general interface to phase the payloads - after/before the decode/encode. 
- - @param[in] SessionCommon Point to the SessionCommon - @param[in] PayloadBuf Point to the buffer of Payload. - @param[in] PayloadSize The size of the PayloadBuf in bytes. - @param[in] PayloadType The type of Payload. - -**/ -typedef -VOID -(*IKE_ON_PAYLOAD_FROM_NET) ( - IN UINT8 *SessionCommon, - IN UINT8 *PayloadBuf, - IN UINTN PayloadSize, - IN UINT8 PayloadType - ); - -#endif - diff --git a/NetworkPkg/IpSecDxe/IkeCommon.c b/NetworkPkg/IpSecDxe/IkeCommo= n.c deleted file mode 100644 index f5e058dbc9..0000000000 --- a/NetworkPkg/IpSecDxe/IkeCommon.c +++ /dev/null @@ -1,324 +0,0 @@ -/** @file - Common operation of the IKE - - Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.
- - SPDX-License-Identifier: BSD-2-Clause-Patent - -**/ - -#include "Ike.h" -#include "IkeCommon.h" -#include "IpSecConfigImpl.h" -#include "IpSecDebug.h" - -/** - Check whether the new generated Spi has existed. - - @param[in] IkeSaSession Pointer to the Child SA Session. - @param[in] SpiValue SPI Value. - - @retval TRUE This SpiValue has existed in the Child SA Session - @retval FALSE This SpiValue doesn't exist in the Child SA Session. - -**/ -BOOLEAN -IkeSpiValueExisted ( - IN IKEV2_SA_SESSION *IkeSaSession, - IN UINT32 SpiValue - ) -{ - LIST_ENTRY *Entry; - LIST_ENTRY *Next; - IKEV2_CHILD_SA_SESSION *SaSession; - - Entry =3D NULL; - Next =3D NULL; - SaSession =3D NULL; - - // - // Check whether the SPI value has existed in ChildSaEstablishSessionLis= t. - // - NET_LIST_FOR_EACH_SAFE (Entry, Next, &IkeSaSession->ChildSaEstablishSess= ionList) { - SaSession=3D IKEV2_CHILD_SA_SESSION_BY_IKE_SA (Entry); - if (SaSession->LocalPeerSpi =3D=3D SpiValue) { - return TRUE; - } - } - - // - // Check whether the SPI value has existed in ChildSaSessionList. - // - NET_LIST_FOR_EACH_SAFE (Entry, Next, &IkeSaSession->ChildSaSessionList) { - SaSession=3D IKEV2_CHILD_SA_SESSION_BY_IKE_SA (Entry); - if (SaSession->LocalPeerSpi =3D=3D SpiValue) { - return TRUE; - } - } - - return FALSE; -} - -/** - Call Crypto Lib to generate a random value with eight-octet length. - - @return the 64 byte vaule. - -**/ -UINT64 -IkeGenerateCookie ( - VOID - ) -{ - UINT64 Cookie; - EFI_STATUS Status; - - Status =3D IpSecCryptoIoGenerateRandomBytes ((UINT8 *)&Cookie, sizeof (U= INT64)); - if (EFI_ERROR (Status)) { - return 0; - } else { - return Cookie; - } -} - -/** - Generate the random data for Nonce payload. - - @param[in] NonceSize Size of the data in bytes. - - @return Buffer which contains the random data of the spcified size. 
- -**/ -UINT8 * -IkeGenerateNonce ( - IN UINTN NonceSize - ) -{ - UINT8 *Nonce; - EFI_STATUS Status; - - Nonce =3D AllocateZeroPool (NonceSize); - if (Nonce =3D=3D NULL) { - return NULL; - } - - Status =3D IpSecCryptoIoGenerateRandomBytes (Nonce, NonceSize); - if (EFI_ERROR (Status)) { - FreePool (Nonce); - return NULL; - } else { - return Nonce; - } -} - -/** - Convert the IKE Header from Network order to Host order. - - @param[in, out] Header The pointer of the IKE_HEADER. - -**/ -VOID -IkeHdrNetToHost ( - IN OUT IKE_HEADER *Header - ) -{ - Header->InitiatorCookie =3D NTOHLL (Header->InitiatorCookie); - Header->ResponderCookie =3D NTOHLL (Header->ResponderCookie); - Header->MessageId =3D NTOHL (Header->MessageId); - Header->Length =3D NTOHL (Header->Length); -} - -/** - Convert the IKE Header from Host order to Network order. - - @param[in, out] Header The pointer of the IKE_HEADER. - -**/ -VOID -IkeHdrHostToNet ( - IN OUT IKE_HEADER *Header - ) -{ - Header->InitiatorCookie =3D HTONLL (Header->InitiatorCookie); - Header->ResponderCookie =3D HTONLL (Header->ResponderCookie); - Header->MessageId =3D HTONL (Header->MessageId); - Header->Length =3D HTONL (Header->Length); -} - -/** - Allocate a buffer of IKE_PAYLOAD and set its Signature. - - @return A buffer of IKE_PAYLOAD. - -**/ -IKE_PAYLOAD * -IkePayloadAlloc ( - VOID - ) -{ - IKE_PAYLOAD *IkePayload; - - IkePayload =3D (IKE_PAYLOAD *) AllocateZeroPool (sizeof (IKE_= PAYLOAD)); - if (IkePayload =3D=3D NULL) { - return NULL; - } - - IkePayload->Signature =3D IKE_PAYLOAD_SIGNATURE; - - return IkePayload; -} - -/** - Free a specified IKE_PAYLOAD buffer. - - @param[in] IkePayload Pointer of IKE_PAYLOAD to be freed. - -**/ -VOID -IkePayloadFree ( - IN IKE_PAYLOAD *IkePayload - ) -{ - if (IkePayload =3D=3D NULL) { - return; - } - // - // If this IkePayload is not referred by others, free it. 
- // - if (!IkePayload->IsPayloadBufExt && (IkePayload->PayloadBuf !=3D NULL)) { - FreePool (IkePayload->PayloadBuf); - } - - FreePool (IkePayload); -} - -/** - Generate an new SPI. - - @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION related to t= his Child SA - Session. - @param[in, out] SpiValue Pointer to the new generated SPI value. - - @retval EFI_SUCCESS The operation performs successfully. - @retval Otherwise The operation is failed. - -**/ -EFI_STATUS -IkeGenerateSpi ( - IN IKEV2_SA_SESSION *IkeSaSession, - IN OUT UINT32 *SpiValue - ) -{ - EFI_STATUS Status; - - Status =3D EFI_SUCCESS; - - while (TRUE) { - // - // Generate SPI randomly - // - Status =3D IpSecCryptoIoGenerateRandomBytes ((UINT8 *)SpiValue, sizeof= (UINT32)); - if (EFI_ERROR (Status)) { - break; - } - - // - // The set of SPI values in the range 1 through 255 are reserved by the - // Internet Assigned Numbers Authority (IANA) for future use; a reserv= ed - // SPI value will not normally be assigned by IANA unless the use of t= he - // assigned SPI value is specified in an RFC. - // - if (*SpiValue < IKE_SPI_BASE) { - *SpiValue +=3D IKE_SPI_BASE; - } - - // - // Check whether the new generated SPI has existed. - // - if (!IkeSpiValueExisted (IkeSaSession, *SpiValue)) { - break; - } - } - - return Status; -} - -/** - Generate a random data for IV - - @param[in] IvBuffer The pointer of the IV buffer. - @param[in] IvSize The IV size. - - @retval EFI_SUCCESS Create a random data for IV. - @retval otherwise Failed. - -**/ -EFI_STATUS -IkeGenerateIv ( - IN UINT8 *IvBuffer, - IN UINTN IvSize - ) -{ - return IpSecCryptoIoGenerateRandomBytes (IvBuffer, IvSize); -} - - -/** - Find SPD entry by a specified SPD selector. - - @param[in] SpdSel Point to SPD Selector to be searched for. - - @retval Point to SPD Entry if the SPD entry found. - @retval NULL if not found. 
- -**/ -IPSEC_SPD_ENTRY * -IkeSearchSpdEntry ( - IN EFI_IPSEC_SPD_SELECTOR *SpdSel - ) -{ - IPSEC_SPD_ENTRY *SpdEntry; - LIST_ENTRY *SpdList; - LIST_ENTRY *Entry; - - SpdList =3D &mConfigData[IPsecConfigDataTypeSpd]; - - NET_LIST_FOR_EACH (Entry, SpdList) { - SpdEntry =3D IPSEC_SPD_ENTRY_FROM_LIST (Entry); - - // - // Find the required SPD entry - // - if (CompareSpdSelector ( - (EFI_IPSEC_CONFIG_SELECTOR *) SpdSel, - (EFI_IPSEC_CONFIG_SELECTOR *) SpdEntry->Selector - )) { - return SpdEntry; - } - - } - - return NULL; -} - -/** - Get the IKE Version from the IKE_SA_SESSION. - - @param[in] Session Pointer of the IKE_SA_SESSION. - -**/ -UINT8 -IkeGetVersionFromSession ( - IN UINT8 *Session - ) -{ - if (*(UINT32 *) Session =3D=3D IKEV2_SA_SESSION_SIGNATURE) { - return ((IKEV2_SA_SESSION *) Session)->SessionCommon.IkeVer; - } else { - // - // Add IKEv1 support here. - // - return 0; - } -} - diff --git a/NetworkPkg/IpSecDxe/IkeCommon.h b/NetworkPkg/IpSecDxe/IkeCommo= n.h deleted file mode 100644 index abdbbf173f..0000000000 --- a/NetworkPkg/IpSecDxe/IkeCommon.h +++ /dev/null @@ -1,189 +0,0 @@ -/** @file - Common operation of the IKE. - - Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.
- - SPDX-License-Identifier: BSD-2-Clause-Patent - -**/ - -#ifndef _IKE_COMMON_H_ -#define _IKE_COMMON_H_ - -#include -#include -#include - -#include -#include -#include -#include -#include -#include -#include -#include - -#include "Ikev2/Ikev2.h" -#include "IpSecImpl.h" -#include "IkePacket.h" -#include "IpSecCryptIo.h" - - -#define IKE_DEFAULT_PORT 500 -#define IKE_DEFAULT_TIMEOUT_INTERVAL 10000 // 10s -#define IKE_NONCE_SIZE 16 -#define IKE_MAX_RETRY 4 -#define IKE_SPI_BASE 0x100 -#define IKE_PAYLOAD_SIGNATURE SIGNATURE_32('I','K','E','P') -#define IKE_PAYLOAD_BY_PACKET(a) CR(a,IKE_PAYLOAD,ByPacket,IKE_PAYLOA= D_SIGNATURE) - - -#define IKE_PACKET_APPEND_PAYLOAD(IkePacket,IkePayload) \ - do { \ - InsertTailList(&(IkePacket)->PayloadList, &(IkePayload)->ByPacket); \ - } while (0) - -#define IKE_PACKET_REMOVE_PAYLOAD(IkePacket,IkePayload) \ - do { \ - RemoveEntryList(&(IkePayload)->ByPacket); \ - } while (0) - -#define IKE_PACKET_END_PAYLOAD(IkePacket, Node) \ - Node =3D GetFirstNode (&(IkePacket)->PayloadList); \ - while (!IsNodeAtEnd (&(IkePacket)->PayloadList, Node)) { \ - Node =3D GetNextNode (&(IkePacket)->PayloadList, Node); \ - } \ - -/** - Call Crypto Lib to generate a random value with eight-octet length. - - @return the 64 byte vaule. - -**/ -UINT64 -IkeGenerateCookie ( - VOID - ); - -/** - Generate the random data for Nonce payload. - - @param[in] NonceSize Size of the data in bytes. - - @return Buffer which contains the random data of the spcified size. - -**/ -UINT8 * -IkeGenerateNonce ( - IN UINTN NonceSize - ); - -/** - Convert the IKE Header from Network order to Host order. - - @param[in, out] Header The pointer of the IKE_HEADER. - -**/ -VOID -IkeHdrNetToHost ( - IN OUT IKE_HEADER *Header - ); - - -/** - Convert the IKE Header from Host order to Network order. - - @param[in, out] Header The pointer of the IKE_HEADER. - -**/ -VOID -IkeHdrHostToNet ( - IN OUT IKE_HEADER *Header - ); - -/** - Allocate a buffer of IKE_PAYLOAD and set its Signature. 
- - @return A buffer of IKE_PAYLOAD. - -**/ -IKE_PAYLOAD * -IkePayloadAlloc ( - VOID - ); - -/** - Free a specified IKE_PAYLOAD buffer. - - @param[in] IkePayload Pointer of IKE_PAYLOAD to be freed. - -**/ -VOID -IkePayloadFree ( - IN IKE_PAYLOAD *IkePayload - ); - -/** - Generate an new SPI. - - @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION related to t= his Child SA - Session. - @param[in, out] SpiValue Pointer to the new generated SPI value. - - @retval EFI_SUCCESS The operation performs successfully. - @retval Otherwise The operation is failed. - -**/ -EFI_STATUS -IkeGenerateSpi ( - IN IKEV2_SA_SESSION *IkeSaSession, - IN OUT UINT32 *SpiValue - ); - -/** - Generate a random data for IV - - @param[in] IvBuffer The pointer of the IV buffer. - @param[in] IvSize The IV size. - - @retval EFI_SUCCESS Create a random data for IV. - @retval otherwise Failed. - -**/ -EFI_STATUS -IkeGenerateIv ( - IN UINT8 *IvBuffer, - IN UINTN IvSize - ); - -/** - Get the IKE Version from the IKE_SA_SESSION. - - @param[in] Session Pointer of the IKE_SA_SESSION. - -**/ -UINT8 -IkeGetVersionFromSession ( - IN UINT8 *Session - ); - -/** - Find SPD entry by a specified SPD selector. - - @param[in] SpdSel Point to SPD Selector to be searched for. - - @retval Point to Spd Entry if the SPD entry found. - @retval NULL if not found. - -**/ -IPSEC_SPD_ENTRY * -IkeSearchSpdEntry ( - IN EFI_IPSEC_SPD_SELECTOR *SpdSel - ); - -extern MODP_GROUP OakleyModpGroup[]; -extern IKE_ALG_GUID_INFO mIPsecEncrAlgInfo[]; -extern IKE_ALG_GUID_INFO mIPsecAuthAlgInfo[]; - -#endif - diff --git a/NetworkPkg/IpSecDxe/IkePacket.c b/NetworkPkg/IpSecDxe/IkePacke= t.c deleted file mode 100644 index a4f67ac9be..0000000000 --- a/NetworkPkg/IpSecDxe/IkePacket.c +++ /dev/null @@ -1,259 +0,0 @@ -/** @file - IKE Packet related operation. - - Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.
- - SPDX-License-Identifier: BSD-2-Clause-Patent - -**/ - -#include "IpSecDebug.h" -#include "Ikev2/Utility.h" - -/** - Allocate a buffer for the IKE_PACKET and intitalize its Header and paylo= adlist. - - @return The pointer of the IKE_PACKET. - -**/ -IKE_PACKET * -IkePacketAlloc ( - VOID - ) -{ - IKE_PACKET *IkePacket; - - IkePacket =3D (IKE_PACKET *) AllocateZeroPool (sizeof (IKE_PACKET)); - if (IkePacket =3D=3D NULL) { - return NULL; - } - - IkePacket->RefCount =3D 1; - InitializeListHead (&IkePacket->PayloadList); - - IkePacket->Header =3D (IKE_HEADER *) AllocateZeroPool (sizeof (IKE_HEADE= R)); - if (IkePacket->Header =3D=3D NULL) { - FreePool (IkePacket); - return NULL; - } - return IkePacket; -} - -/** - Free the IkePacket by the specified IKE_PACKET pointer. - - @param[in] IkePacket The pointer of the IKE_PACKET to be freed. - -**/ -VOID -IkePacketFree ( - IN IKE_PACKET *IkePacket - ) -{ - LIST_ENTRY *Entry; - IKE_PAYLOAD *IkePayload; - - if (IkePacket =3D=3D NULL) { - return; - } - // - // Check if the Packet is referred by others. - // - if (--IkePacket->RefCount =3D=3D 0) { - // - // Free IkePacket header - // - if (!IkePacket->IsHdrExt && IkePacket->Header !=3D NULL) { - FreePool (IkePacket->Header); - } - // - // Free the PayloadsBuff - // - if (!IkePacket->IsPayloadsBufExt && IkePacket->PayloadsBuf !=3D NULL) { - FreePool (IkePacket->PayloadsBuf); - } - // - // Iterate payloadlist and free all payloads - // - for (Entry =3D (IkePacket)->PayloadList.ForwardLink; Entry !=3D &(IkeP= acket)->PayloadList;) { - IkePayload =3D IKE_PAYLOAD_BY_PACKET (Entry); - Entry =3D Entry->ForwardLink; - - IkePayloadFree (IkePayload); - } - - FreePool (IkePacket); - } -} - -/** - Callback funtion of NetbufFromExt() - - @param[in] Arg The data passed from the NetBufFromExe(). - -**/ -VOID -EFIAPI -IkePacketNetbufFree ( - IN VOID *Arg - ) -{ - // - // TODO: add something if need. - // -} - -/** - Copy the NetBuf into a IKE_PACKET sturcture. 
- - Create a IKE_PACKET and fill the received IKE header into the header of = IKE_PACKET - and copy the recieved packet without IKE HEADER to the PayloadBuf of IKE= _PACKET. - - @param[in] Netbuf The pointer of the Netbuf which contains the who= le received - IKE packet. - - @return The pointer of the IKE_PACKET which contains the received packet. - -**/ -IKE_PACKET * -IkePacketFromNetbuf ( - IN NET_BUF *Netbuf - ) -{ - IKE_PACKET *IkePacket; - - IkePacket =3D NULL; - if (Netbuf->TotalSize < sizeof (IKE_HEADER)) { - goto Error; - } - - IkePacket =3D IkePacketAlloc (); - if (IkePacket =3D=3D NULL) { - return NULL; - } - // - // Copy the IKE header from Netbuf to IkePacket->Hdr - // - NetbufCopy (Netbuf, 0, sizeof (IKE_HEADER), (UINT8 *) IkePacket->Header); - // - // Net order to host order - // - IkeHdrNetToHost (IkePacket->Header); - if (IkePacket->Header->Length < Netbuf->TotalSize) { - goto Error; - } - - IkePacket->PayloadTotalSize =3D IkePacket->Header->Length - sizeof (IKE_= HEADER); - IkePacket->PayloadsBuf =3D (UINT8 *) AllocateZeroPool (IkePacket->P= ayloadTotalSize); - - if (IkePacket->PayloadsBuf =3D=3D NULL) { - goto Error; - } - // - // Copy the IKE packet without the header into the IkePacket->PayloadsBu= f. - // - NetbufCopy (Netbuf, sizeof (IKE_HEADER), (UINT32) IkePacket->PayloadTota= lSize, IkePacket->PayloadsBuf); - return IkePacket; - -Error: - if (IkePacket !=3D NULL) { - IkePacketFree (IkePacket); - } - - return NULL; -} - -/** - Convert the format from IKE_PACKET to NetBuf. - - @param[in] SessionCommon Pointer of related IKE_COMMON_SESSION - @param[in] IkePacket Pointer of IKE_PACKET to be copy to NetBuf - @param[in] IkeType The IKE type to pointer the packet is for whi= ch IKE - phase. Now it supports IKE_SA_TYPE, IKE_CHILD= SA_TYPE, - IKE_INFO_TYPE. - - @return a pointer of Netbuff which contains the IKE_PACKE in network ord= er. 
- -**/ -NET_BUF * -IkeNetbufFromPacket ( - IN UINT8 *SessionCommon, - IN IKE_PACKET *IkePacket, - IN UINTN IkeType - ) -{ - NET_BUF *Netbuf; - NET_FRAGMENT *Fragments; - UINTN Index; - UINTN NumPayloads; - LIST_ENTRY *PacketEntry; - LIST_ENTRY *Entry; - IKE_PAYLOAD *IkePayload; - EFI_STATUS RetStatus; - - RetStatus =3D EFI_SUCCESS; - - if (!IkePacket->IsEncoded) { - IkePacket->IsEncoded =3D TRUE; - // - // Convert Host order to Network order for IKE_PACKET header and paylo= ads - // Encryption payloads if needed - // - if (((IKEV2_SESSION_COMMON *) SessionCommon)->IkeVer =3D=3D 2) { - RetStatus =3D Ikev2EncodePacket ((IKEV2_SESSION_COMMON *) SessionCom= mon, IkePacket, IkeType); - if (EFI_ERROR (RetStatus)) { - return NULL; - } - - } else { - // - // If IKEv1 support, check it here. - // - return NULL; - } - } - - NumPayloads =3D 0; - // - // Get the number of the payloads - // - NET_LIST_FOR_EACH (PacketEntry, &(IkePacket)->PayloadList) { - - NumPayloads++; - } - // - // Allocate the Framgents according to the numbers of the IkePayload - // - Fragments =3D (NET_FRAGMENT *) AllocateZeroPool ((1 + NumPayloads) * siz= eof (NET_FRAGMENT)); - if (Fragments =3D=3D NULL) { - return NULL; - } - - Fragments[0].Bulk =3D (UINT8 *) IkePacket->Header; - Fragments[0].Len =3D sizeof (IKE_HEADER); - Index =3D 0; - - // - // Set payloads to the Framgments. - // - NET_LIST_FOR_EACH (Entry, &(IkePacket)->PayloadList) { - IkePayload =3D IKE_PAYLOAD_BY_PACKET (Entry); - - Fragments[Index + 1].Bulk =3D IkePayload->PayloadBuf; - Fragments[Index + 1].Len =3D (UINT32) IkePayload->PayloadSize; - Index++; - } - - Netbuf =3D NetbufFromExt ( - Fragments, - (UINT32) (NumPayloads + 1), - 0, - 0, - IkePacketNetbufFree, - NULL - ); - - FreePool (Fragments); - return Netbuf; -} - diff --git a/NetworkPkg/IpSecDxe/IkePacket.h b/NetworkPkg/IpSecDxe/IkePacke= t.h deleted file mode 100644 index 3bc4b7a567..0000000000 --- a/NetworkPkg/IpSecDxe/IkePacket.h +++ /dev/null 
@@ -1,76 +0,0 @@ -/** @file - IKE Packet related definitions and function declarations. - - Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.
- - SPDX-License-Identifier: BSD-2-Clause-Patent - -**/ - -#ifndef _IKE_V1_PACKET_H_ -#define _IKE_V1_PACKET_H_ - -#include "Ike.h" - -#define IKE_PACKET_REF(p) ((p)->RefCount++) - -/** - Allocate a buffer for the IKE_PACKET and intitalize its Header and paylo= adlist. - - @return The pointer of the IKE_PACKET. - -**/ -IKE_PACKET * -IkePacketAlloc ( - VOID - ); - - -/** - Free the IkePacket by the specified IKE_PACKET pointer. - - @param[in] IkePacket The pointer of the IKE_PACKET to be freed. - -**/ -VOID -IkePacketFree ( - IN IKE_PACKET *IkePacket - ); - - -/** - Copy the NetBuf into a IKE_PACKET sturcture. - - Create a IKE_PACKET and fill the received IKE header into the header of = IKE_PACKET - and copy the recieved packet without IKE HEADER to the PayloadBuf of IKE= _PACKET. - - @param[in] Netbuf The pointer of the Netbuf which contains the who= le received - IKE packet. - - @return The pointer of the IKE_PACKET which contains the received packet. - -**/ -IKE_PACKET * -IkePacketFromNetbuf ( - IN NET_BUF *Netbuf - ); - -/** - Convert the format from IKE_PACKET to NetBuf. - - @param[in] SessionCommon Pointer of related IKE_COMMON_SESSION - @param[in] IkePacket Pointer of IKE_PACKET to be copy to NetBuf - @param[in] IkeType The IKE type to pointer the packet is for whi= ch IKE - phase. Now it supports IKE_SA_TYPE, IKE_CHILD= SA_TYPE, - IKE_INFO_TYPE. - - @return A pointer of Netbuff which contains the contents of the IKE_PACK= E in network order. -**/ -NET_BUF * -IkeNetbufFromPacket ( - IN UINT8 *SessionCommon, - IN IKE_PACKET *IkePacket, - IN UINTN IkeType - ); - -#endif diff --git a/NetworkPkg/IpSecDxe/IkeService.c b/NetworkPkg/IpSecDxe/IkeServ= ice.c deleted file mode 100644 index c5ca86b5b0..0000000000 --- a/NetworkPkg/IpSecDxe/IkeService.c +++ /dev/null @@ -1,813 +0,0 @@ -/** @file - Provide IPsec Key Exchange (IKE) service general interfaces. - - Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.
- - SPDX-License-Identifier: BSD-2-Clause-Patent - -**/ - -#include "IkeService.h" -#include "IpSecConfigImpl.h" - -IKE_EXCHANGE_INTERFACE *mIkeExchange[] =3D { - &mIkev1Exchange, - &mIkev2Exchange -}; - -EFI_UDP4_CONFIG_DATA mUdp4Conf =3D { - FALSE, - FALSE, - FALSE, - TRUE, - // - // IO parameters - // - 0, - 64, - FALSE, - 0, - 1000000, - FALSE, - {{0,0,0,0}}, - {{0,0,0,0}}, - IKE_DEFAULT_PORT, - {{0,0,0,0}}, - 0 -}; - -EFI_UDP6_CONFIG_DATA mUdp6Conf =3D { - FALSE, - FALSE, - TRUE, - // - // IO parameters - // - 0, - 128, - 0, - 1000000, - //Access Point - {{0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}}, - IKE_DEFAULT_PORT, - {{0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}}, - 0 -}; - -/** - Check if the NIC handle is binded to a Udp service. - - @param[in] Private Pointer of IPSEC_PRIVATE_DATA. - @param[in] Handle The Handle of the NIC card. - @param[in] IpVersion The version of the IP stack. - - @return a pointer of IKE_UDP_SERVICE. - -**/ -IKE_UDP_SERVICE * -IkeLookupUdp ( - IN IPSEC_PRIVATE_DATA *Private, - IN EFI_HANDLE Handle, - IN UINT8 IpVersion - ) -{ - LIST_ENTRY *Head; - LIST_ENTRY *Entry; - LIST_ENTRY *Next; - IKE_UDP_SERVICE *Udp; - - Udp =3D NULL; - Head =3D (IpVersion =3D=3D IP_VERSION_4) ? &Private->Udp4List : &Privat= e->Udp6List; - - NET_LIST_FOR_EACH_SAFE (Entry, Next, Head) { - - Udp =3D IPSEC_UDP_SERVICE_FROM_LIST (Entry); - // - // Find the right udp service which installed on the appointed NIC han= dle. - // - if (Handle =3D=3D Udp->NicHandle) { - break; - } else { - Udp =3D NULL; - } - } - - return Udp; -} - -/** - Configure a UDPIO's UDP4 instance. - - This fuction is called by the UdpIoCreateIo() to configures a - UDP4 instance. - - @param[in] UdpIo The UDP_IO to be configured. - @param[in] Context User-defined data when calling UdpIoCreateIo(). - - @retval EFI_SUCCESS The configuration succeeded. - @retval Others The UDP4 instance fails to configure. 
- -**/ -EFI_STATUS -EFIAPI -IkeConfigUdp4 ( - IN UDP_IO *UdpIo, - IN VOID *Context - ) -{ - EFI_UDP4_CONFIG_DATA Udp4Cfg; - EFI_UDP4_PROTOCOL *Udp4; - - ZeroMem (&Udp4Cfg, sizeof (EFI_UDP4_CONFIG_DATA)); - - Udp4 =3D UdpIo->Protocol.Udp4; - CopyMem ( - &Udp4Cfg, - &mUdp4Conf, - sizeof (EFI_UDP4_CONFIG_DATA) - ); - - if (Context !=3D NULL) { - // - // Configure udp4 io with local default address. - // - Udp4Cfg.UseDefaultAddress =3D TRUE; - } - - return Udp4->Configure (Udp4, &Udp4Cfg); -} - -/** - Configure a UDPIO's UDP6 instance. - - This fuction is called by the UdpIoCreateIo()to configure a - UDP6 instance. - - @param[in] UdpIo The UDP_IO to be configured. - @param[in] Context User-defined data when calling UdpIoCreateIo(). - - @retval EFI_SUCCESS The configuration succeeded. - @retval Others The configuration fails. - -**/ -EFI_STATUS -EFIAPI -IkeConfigUdp6 ( - IN UDP_IO *UdpIo, - IN VOID *Context - ) -{ - EFI_UDP6_PROTOCOL *Udp6; - EFI_UDP6_CONFIG_DATA Udp6Cfg; - - ZeroMem (&Udp6Cfg, sizeof (EFI_UDP6_CONFIG_DATA)); - - Udp6 =3D UdpIo->Protocol.Udp6; - CopyMem ( - &Udp6Cfg, - &mUdp6Conf, - sizeof (EFI_UDP6_CONFIG_DATA) - ); - - if (Context !=3D NULL) { - // - // Configure instance with a destination address to start source addre= ss - // selection, and then get the configure data from the mode data to st= ore - // the source address. - // - CopyMem ( - &Udp6Cfg.RemoteAddress, - Context, - sizeof (EFI_IPv6_ADDRESS) - ); - } - - return Udp6->Configure (Udp6, &Udp6Cfg); -} - -/** - Open and configure the related output UDPIO for IKE packet sending. - - If the UdpService is not configured, this fuction calls UdpIoCreatIo() to - create UDPIO to bind this UdpService for IKE packet sending. If the UdpS= ervice - has already been configured, then return. - - @param[in] UdpService The UDP_IO to be configured. - @param[in] RemoteIp User-defined data when calling UdpIoCreateIo(). - - @retval EFI_SUCCESS The configuration is successful. 
- @retval Others The configuration fails. - -**/ -EFI_STATUS -IkeOpenOutputUdp ( - IN IKE_UDP_SERVICE *UdpService, - IN EFI_IP_ADDRESS *RemoteIp - ) -{ - EFI_STATUS Status; - EFI_IP4_CONFIG2_PROTOCOL *Ip4Cfg2; - EFI_IP4_CONFIG2_INTERFACE_INFO *IfInfo; - UINTN BufSize; - EFI_IP6_MODE_DATA Ip6ModeData; - EFI_UDP6_PROTOCOL *Udp6; - - Status =3D EFI_SUCCESS; - IfInfo =3D NULL; - BufSize =3D 0; - - // - // Check whether the input and output udp io are both configured. - // - if (UdpService->IsConfigured) { - goto ON_EXIT; - } - - if (UdpService->IpVersion =3D=3D UDP_IO_UDP4_VERSION) { - // - // Handle ip4config protocol to get local default address. - // - Status =3D gBS->HandleProtocol ( - UdpService->NicHandle, - &gEfiIp4Config2ProtocolGuid, - (VOID **) &Ip4Cfg2 - ); - - if (EFI_ERROR (Status)) { - goto ON_EXIT; - } - - // - // Get the interface information size. - // - Status =3D Ip4Cfg2->GetData ( - Ip4Cfg2, - Ip4Config2DataTypeInterfaceInfo, - &BufSize, - NULL - ); - - if (EFI_ERROR (Status) && Status !=3D EFI_BUFFER_TOO_SMALL) { - goto ON_EXIT; - } - - IfInfo =3D AllocateZeroPool (BufSize); - - if (IfInfo =3D=3D NULL) { - Status =3D EFI_OUT_OF_RESOURCES; - goto ON_EXIT; - } - - // - // Get the interface info. - // - Status =3D Ip4Cfg2->GetData ( - Ip4Cfg2, - Ip4Config2DataTypeInterfaceInfo, - &BufSize, - IfInfo - ); - - if (EFI_ERROR (Status)) { - goto ON_EXIT; - } - - CopyMem ( - &UdpService->DefaultAddress.v4, - &IfInfo->StationAddress, - sizeof (EFI_IPv4_ADDRESS) - ); - - // - // Create udp4 io for output with local default address. - // - UdpService->Output =3D UdpIoCreateIo ( - UdpService->NicHandle, - UdpService->ImageHandle, - IkeConfigUdp4, - UDP_IO_UDP4_VERSION, - &UdpService->DefaultAddress - ); - - if (UdpService->Output =3D=3D NULL) { - Status =3D EFI_OUT_OF_RESOURCES; - goto ON_EXIT; - } - - } else { - // - // Create udp6 io for output with remote address. 
- // - UdpService->Output =3D UdpIoCreateIo ( - UdpService->NicHandle, - UdpService->ImageHandle, - IkeConfigUdp6, - UDP_IO_UDP6_VERSION, - RemoteIp - ); - - if (UdpService->Output =3D=3D NULL) { - Status =3D EFI_OUT_OF_RESOURCES; - goto ON_EXIT; - } - // - // Get ip6 mode data to get the result of source address selection. - // - ZeroMem (&Ip6ModeData, sizeof (EFI_IP6_MODE_DATA)); - - Udp6 =3D UdpService->Output->Protocol.Udp6; - Status =3D Udp6->GetModeData (Udp6, NULL, &Ip6ModeData, NULL, NULL); - - if (EFI_ERROR (Status)) { - UdpIoFreeIo (UdpService->Output); - goto ON_EXIT; - } - - if (Ip6ModeData.AddressList !=3D NULL) { - FreePool (Ip6ModeData.AddressList); - } - - if (Ip6ModeData.GroupTable !=3D NULL) { - FreePool (Ip6ModeData.GroupTable); - } - - if (Ip6ModeData.RouteTable !=3D NULL) { - FreePool (Ip6ModeData.RouteTable); - } - - if (Ip6ModeData.NeighborCache !=3D NULL) { - FreePool (Ip6ModeData.NeighborCache); - } - - if (Ip6ModeData.PrefixTable !=3D NULL) { - FreePool (Ip6ModeData.PrefixTable); - } - - if (Ip6ModeData.IcmpTypeList !=3D NULL) { - FreePool (Ip6ModeData.IcmpTypeList); - } - - // - // Reconfigure udp6 io without remote address. - // - Udp6->Configure (Udp6, NULL); - Status =3D IkeConfigUdp6 (UdpService->Output, NULL); - - // - // Record the selected source address for ipsec process later. - // - CopyMem ( - &UdpService->DefaultAddress.v6, - &Ip6ModeData.ConfigData.StationAddress, - sizeof (EFI_IPv6_ADDRESS) - ); - } - - UdpService->IsConfigured =3D TRUE; - -ON_EXIT: - if (IfInfo !=3D NULL) { - FreePool (IfInfo); - } - - return Status; -} - -/** - Open and configure a UDPIO of Udp4 for IKE packet receiving. - - This function is called at the IPsecDriverBinding start. IPsec create a = UDP4 and - UDP4 IO for each NIC handle. - - @param[in] Private Point to IPSEC_PRIVATE_DATA - @param[in] Controller Handler for NIC card. - @param[in] ImageHandle The handle that contains the EFI_DRIVER_BINDIN= G_PROTOCOL instance. 
- - @retval EFI_SUCCESS The Operation is successful. - @retval EFI_OUT_OF_RESOURCE The required system resource can't be al= located. - -**/ -EFI_STATUS -IkeOpenInputUdp4 ( - IN IPSEC_PRIVATE_DATA *Private, - IN EFI_HANDLE Controller, - IN EFI_HANDLE ImageHandle - ) -{ - IKE_UDP_SERVICE *Udp4Srv; - - // - // Check whether udp4 io of the controller has already been opened. - // - Udp4Srv =3D IkeLookupUdp (Private, Controller, IP_VERSION_4); - - if (Udp4Srv !=3D NULL) { - return EFI_ALREADY_STARTED; - } - - Udp4Srv =3D AllocateZeroPool (sizeof (IKE_UDP_SERVICE)); - - if (Udp4Srv =3D=3D NULL) { - return EFI_OUT_OF_RESOURCES; - } - // - // Create udp4 io for iutput. - // - Udp4Srv->Input =3D UdpIoCreateIo ( - Controller, - ImageHandle, - IkeConfigUdp4, - UDP_IO_UDP4_VERSION, - NULL - ); - - if (Udp4Srv->Input =3D=3D NULL) { - FreePool (Udp4Srv); - return EFI_OUT_OF_RESOURCES; - } - - Udp4Srv->NicHandle =3D Controller; - Udp4Srv->ImageHandle =3D ImageHandle; - Udp4Srv->ListHead =3D &(Private->Udp4List); - Udp4Srv->IpVersion =3D UDP_IO_UDP4_VERSION; - Udp4Srv->IsConfigured =3D FALSE; - - ZeroMem (&Udp4Srv->DefaultAddress, sizeof (EFI_IP_ADDRESS)); - - // - // Insert the udp4 io into the list and increase the count. - // - InsertTailList (&Private->Udp4List, &Udp4Srv->List); - - Private->Udp4Num++; - - UdpIoRecvDatagram (Udp4Srv->Input, IkeDispatch, Udp4Srv, 0); - - return EFI_SUCCESS; -} - -/** - Open and configure a UDPIO of Udp6 for IKE packet receiving. - - This function is called at the IPsecDriverBinding start. IPsec create a = UDP6 and UDP6 - IO for each NIC handle. - - @param[in] Private Point to IPSEC_PRIVATE_DATA - @param[in] Controller Handler for NIC card. - @param[in] ImageHandle The handle that contains the EFI_DRIVER_BINDIN= G_PROTOCOL instance. - - @retval EFI_SUCCESS The Operation is successful. - @retval EFI_OUT_OF_RESOURCE The required system resource can't be al= located. 
- -**/ -EFI_STATUS -IkeOpenInputUdp6 ( - IN IPSEC_PRIVATE_DATA *Private, - IN EFI_HANDLE Controller, - IN EFI_HANDLE ImageHandle - ) -{ - IKE_UDP_SERVICE *Udp6Srv; - - Udp6Srv =3D IkeLookupUdp (Private, Controller, IP_VERSION_6); - - if (Udp6Srv !=3D NULL) { - return EFI_ALREADY_STARTED; - } - - Udp6Srv =3D AllocateZeroPool (sizeof (IKE_UDP_SERVICE)); - - if (Udp6Srv =3D=3D NULL) { - return EFI_OUT_OF_RESOURCES; - } - // - // Create udp6 io for input. - // - Udp6Srv->Input =3D UdpIoCreateIo ( - Controller, - ImageHandle, - IkeConfigUdp6, - UDP_IO_UDP6_VERSION, - NULL - ); - - if (Udp6Srv->Input =3D=3D NULL) { - FreePool (Udp6Srv); - return EFI_OUT_OF_RESOURCES; - } - - Udp6Srv->NicHandle =3D Controller; - Udp6Srv->ImageHandle =3D ImageHandle; - Udp6Srv->ListHead =3D &(Private->Udp6List); - Udp6Srv->IpVersion =3D UDP_IO_UDP6_VERSION; - Udp6Srv->IsConfigured =3D FALSE; - - ZeroMem (&Udp6Srv->DefaultAddress, sizeof (EFI_IP_ADDRESS)); - - // - // Insert the udp6 io into the list and increase the count. - // - InsertTailList (&Private->Udp6List, &Udp6Srv->List); - - Private->Udp6Num++; - - UdpIoRecvDatagram (Udp6Srv->Input, IkeDispatch, Udp6Srv, 0); - - return EFI_SUCCESS; -} - -/** - The general interface of starting IPsec Key Exchange. - - This function is called when a IKE negotiation to start getting a Key. - - @param[in] UdpService Point to IKE_UDP_SERVICE which will be used for - IKE packet sending. - @param[in] SpdEntry Point to the SPD entry related to the IKE negoti= ation. - @param[in] RemoteIp Point to EFI_IP_ADDRESS related to the IKE negot= iation. - - @retval EFI_SUCCESS The Operation is successful. - @retval EFI_ACCESS_DENIED No related PAD entry was found. - @retval EFI_INVALID_PARAMETER The IKE version is not supported. 
- -**/ -EFI_STATUS -IkeNegotiate ( - IN IKE_UDP_SERVICE *UdpService, - IN IPSEC_SPD_ENTRY *SpdEntry, - IN EFI_IP_ADDRESS *RemoteIp - ) -{ - EFI_STATUS Status; - UINT8 *IkeSaSession; - IKE_EXCHANGE_INTERFACE *Exchange; - IPSEC_PRIVATE_DATA *Private; - IPSEC_PAD_ENTRY *PadEntry; - UINT8 IkeVersion; - - Private =3D (UdpService->IpVersion =3D=3D IP_VERSION_4) ? - IPSEC_PRIVATE_DATA_FROM_UDP4LIST(UdpService->ListHead) : - IPSEC_PRIVATE_DATA_FROM_UDP6LIST(UdpService->ListHead); - - // - // Try to open udp io for output if it hasn't. - // - Status =3D IkeOpenOutputUdp (UdpService, RemoteIp); - if (EFI_ERROR (Status)) { - return Status; - } - // - // Try to find the IKE SA session in the IKEv1 and IKEv2 established SA = session list. - // - IkeSaSession =3D (UINT8 *) Ikev2SaSessionLookup (&Private->Ikev2Establis= hedList, RemoteIp); - - - if (IkeSaSession =3D=3D NULL) { - // - // Find the pad entry by the remote ip address. - // - PadEntry =3D IpSecLookupPadEntry (UdpService->IpVersion, RemoteIp); - if (PadEntry =3D=3D NULL) { - return EFI_ACCESS_DENIED; - } - // - // Determine the IKE exchange instance by the auth protocol in pad ent= ry. - // - ASSERT (PadEntry->Data->AuthProtocol < EfiIPsecAuthProtocolMaximum); - if (PadEntry->Data->AuthProtocol =3D=3D EfiIPsecAuthProtocolIKEv1) { - return EFI_INVALID_PARAMETER; - } - Exchange =3D mIkeExchange[PadEntry->Data->AuthProtocol]; - // - // Start the main mode stage to negotiate IKE SA. - // - Status =3D Exchange->NegotiateSa (UdpService, SpdEntry, PadEntry, Remo= teIp); - } else { - // - // Determine the IKE exchange instance by the IKE version in IKE SA se= ssion. - // - IkeVersion =3D IkeGetVersionFromSession (IkeSaSession); - if (IkeVersion !=3D 2) { - return EFI_INVALID_PARAMETER; - } - - Exchange =3D mIkeExchange[IkeVersion - 1]; - // - // Start the quick mode stage to negotiate child SA. 
- // - Status =3D Exchange->NegotiateChildSa (IkeSaSession, SpdEntry, NULL); - } - - return Status; -} - -/** - The generic interface when receive a IKE packet. - - This function is called when UDP IO receives a IKE packet. - - @param[in] Packet Point to received IKE packet. - @param[in] EndPoint Point to UDP_END_POINT which contains the inform= ation of - Remote IP and Port. - @param[in] IoStatus The Status of Recieve Token. - @param[in] Context Point to data passed from the caller. - -**/ -VOID -EFIAPI -IkeDispatch ( - IN NET_BUF *Packet, - IN UDP_END_POINT *EndPoint, - IN EFI_STATUS IoStatus, - IN VOID *Context - ) -{ - IPSEC_PRIVATE_DATA *Private; - IKE_PACKET *IkePacket; - IKE_HEADER *IkeHdr; - IKE_UDP_SERVICE *UdpService; - IKE_EXCHANGE_INTERFACE *Exchange; - EFI_STATUS Status; - - UdpService =3D (IKE_UDP_SERVICE *) Context; - IkePacket =3D NULL; - Private =3D (UdpService->IpVersion =3D=3D IP_VERSION_4) ? - IPSEC_PRIVATE_DATA_FROM_UDP4LIST(UdpService->ListHead) : - IPSEC_PRIVATE_DATA_FROM_UDP6LIST(UdpService->ListHead); - - if (EFI_ERROR (IoStatus)) { - goto ON_EXIT; - } - // - // Check whether the ipsec is enabled or not. - // - if (Private->IpSec.DisabledFlag =3D=3D TRUE) { - goto ON_EXIT; - } - - if (EndPoint->RemotePort !=3D IKE_DEFAULT_PORT) { - goto ON_EXIT; - } - - // - // Build IKE packet from the received netbuf. - // - IkePacket =3D IkePacketFromNetbuf (Packet); - - if (IkePacket =3D=3D NULL) { - goto ON_EXIT; - } - // - // Get the remote address from the IKE packet. - // - if (UdpService->IpVersion =3D=3D IP_VERSION_4) { - *(UINT32 *) IkePacket->RemotePeerIp.Addr =3D HTONL ((*(UINT32 *) EndPo= int->RemoteAddr.Addr)); - } else { - CopyMem ( - &IkePacket->RemotePeerIp, - NTOHLLL (&EndPoint->RemoteAddr.v6), - sizeof (EFI_IPv6_ADDRESS) - ); - } - // - // Try to open udp io for output if hasn't. 
- // - Status =3D IkeOpenOutputUdp (UdpService, &IkePacket->RemotePeerIp); - - if (EFI_ERROR (Status)) { - goto ON_EXIT; - } - - IkeHdr =3D IkePacket->Header; - - // - // Determine the IKE exchange instance by the IKE version in IKE header. - // - if (IKE_MAJOR_VERSION (IkeHdr->Version) =3D=3D 2) { - Exchange =3D mIkeExchange[IKE_MAJOR_VERSION (IkeHdr->Version) - 1]; - } else { - goto ON_EXIT; - } - - switch (IkeHdr->ExchangeType) { - case IKE_XCG_TYPE_IDENTITY_PROTECT: - case IKE_XCG_TYPE_SA_INIT: - case IKE_XCG_TYPE_AUTH: - Exchange->HandleSa (UdpService, IkePacket); - break; - - case IKE_XCG_TYPE_QM: - case IKE_XCG_TYPE_CREATE_CHILD_SA: - Exchange->HandleChildSa (UdpService, IkePacket); - break; - - case IKE_XCG_TYPE_INFO: - case IKE_XCG_TYPE_INFO2: - Exchange->HandleInfo (UdpService, IkePacket); - break; - - default: - break; - } - -ON_EXIT: - if (IkePacket !=3D NULL) { - IkePacketFree (IkePacket); - } - - if (Packet !=3D NULL) { - NetbufFree (Packet); - } - - UdpIoRecvDatagram (UdpService->Input, IkeDispatch, UdpService, 0); - - return ; -} - -/** - Delete all established IKE SAs and related Child SAs. - - This function is the subfunction of the IpSecCleanupAllSa(). It first ca= lls - IkeDeleteChildSa() to delete all Child SAs then send out the related - Information packet. - - @param[in] Private Pointer of the IPSEC_PRIVATE_DATA - @param[in] IsDisableIpsec Indicate whether needs to disable IPsec. - -**/ -VOID -IkeDeleteAllSas ( - IN IPSEC_PRIVATE_DATA *Private, - IN BOOLEAN IsDisableIpsec - ) -{ - LIST_ENTRY *Entry; - LIST_ENTRY *NextEntry; - IKEV2_SA_SESSION *Ikev2SaSession; - UINT8 Value; - EFI_STATUS Status; - IKE_EXCHANGE_INTERFACE *Exchange; - UINT8 IkeVersion; - - Exchange =3D NULL; - - // - // If the IKEv1 is supported, first deal with the Ikev1Estatblished list. - // - - // - // If IKEv2 SAs are under establishing, delete it directly. 
- // - if (!IsListEmpty (&Private->Ikev2SessionList)) { - NET_LIST_FOR_EACH_SAFE (Entry, NextEntry, &Private->Ikev2SessionList) { - Ikev2SaSession =3D IKEV2_SA_SESSION_BY_SESSION (Entry); - RemoveEntryList (Entry); - Ikev2SaSessionFree (Ikev2SaSession); - } - } - - // - // If there is no existing established IKE SA, set the Ipsec DisableFlag= to TRUE - // and turn off the IsIPsecDisabling flag. - // - if (IsListEmpty (&Private->Ikev2EstablishedList) && IsDisableIpsec) { - Value =3D IPSEC_STATUS_DISABLED; - Status =3D gRT->SetVariable ( - IPSECCONFIG_STATUS_NAME, - &gEfiIpSecConfigProtocolGuid, - EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_NON_VOLATILE, - sizeof (Value), - &Value - ); - if (!EFI_ERROR (Status)) { - Private->IpSec.DisabledFlag =3D TRUE; - Private->IsIPsecDisabling =3D FALSE; - return ; - } - } - - // - // Delete established IKEv2 SAs. - // - if (!IsListEmpty (&Private->Ikev2EstablishedList)) { - for (Entry =3D Private->Ikev2EstablishedList.ForwardLink; Entry !=3D &= Private->Ikev2EstablishedList;) { - Ikev2SaSession =3D IKEV2_SA_SESSION_BY_SESSION (Entry); - Entry =3D Entry->ForwardLink; - - Ikev2SaSession->SessionCommon.State =3D IkeStateSaDeleting; - - // - // Call for Information Exchange. - // - IkeVersion =3D IkeGetVersionFromSession ((UINT8*)Ikev2SaSession); - if (IkeVersion =3D=3D 2) { - Exchange =3D mIkeExchange[IkeVersion - 1]; - Exchange->NegotiateInfo((UINT8*)Ikev2SaSession, NULL); - } - } - } - -} - - - diff --git a/NetworkPkg/IpSecDxe/IkeService.h b/NetworkPkg/IpSecDxe/IkeServ= ice.h deleted file mode 100644 index 36c925bdd2..0000000000 --- a/NetworkPkg/IpSecDxe/IkeService.h +++ /dev/null @@ -1,256 +0,0 @@ -/** @file - Prototypes definitions of IKE service. - - Copyright (c) 2010 - 2015, Intel Corporation. All rights reserved.
- - SPDX-License-Identifier: BSD-2-Clause-Patent - -**/ - -#ifndef _IKE_SERVICE_H_ -#define _IKE_SERVICE_H_ - -#include "Ike.h" -#include "IpSecImpl.h" -#include "IkeCommon.h" -#include "Ikev2/Utility.h" - -#define IPSEC_CRYPTO_LIB_MEMORY 128 * 1024 - -/** - This is prototype definition of general interface to intialize a IKE neg= otiation. - - @param[in] UdpService Point to Udp Servcie used for the IKE packet= sending. - @param[in] SpdEntry Point to SPD entry related to this IKE negot= iation. - @param[in] PadEntry Point to PAD entry related to this IKE negot= iation. - @param[in] RemoteIp Point to IP Address which the remote peer to= negnotiate. - - @retval EFI_SUCCESS The operation is successful. - @return Otherwise The operation is failed. - -**/ -typedef -EFI_STATUS -(*IKE_NEGOTIATE_SA) ( - IN IKE_UDP_SERVICE * UdpService, - IN IPSEC_SPD_ENTRY * SpdEntry, - IN IPSEC_PAD_ENTRY * PadEntry, - IN EFI_IP_ADDRESS * RemoteIp - ); - -/** - This is prototype definition fo general interface to start a IKE negotia= tion at Quick Mode. - - This function will be called when the related IKE SA is existed and star= t to - create a Child SA. - - @param[in] IkeSaSession Point to IKE SA Session related to this Nego= tiation. - @param[in] SpdEntry Point to SPD entry related to this Negotiati= on. - @param[in] Context Point to data passed from the caller. - - @retval EFI_SUCCESS The operation is successful. - @retval Otherwise The operation is failed. - -**/ -typedef -EFI_STATUS -(*IKE_NEGOTIATE_CHILD_SA) ( - IN UINT8 *IkeSaSession, - IN IPSEC_SPD_ENTRY *SpdEntry, - IN UINT8 *Context - ); - -/** - This is prototype definition of the general interface when initialize a = Inforamtion - Exchange. - - @param[in] IkeSaSession Point to IKE SA Session related to. - @param[in] Context Point to data passed from caller. 
- -**/ -typedef -EFI_STATUS -(*IKE_NEGOTIATE_INFO) ( - IN UINT8 *IkeSaSession, - IN UINT8 *Context - ); - -/** - This is prototype definition of the general interface when recived a IKE= Pakcet - for the IKE SA establishing. - - @param[in] UdpService Point to UDP service used to send IKE Packet. - @param[in] IkePacket Point to received IKE packet. - -**/ -typedef -VOID -(*IKE_HANDLE_SA) ( - IN IKE_UDP_SERVICE *UdpService, - IN IKE_PACKET *IkePacket - ); - -/** - This is prototyp definition of the general interface when recived a IKE = Packet - xfor the Child SA establishing. - - @param[in] UdpService Point to UDP service used to send IKE packet. - @param[in] IkePacket Point to received IKE packet. - -**/ -typedef -VOID -(*IKE_HANDLE_CHILD_SA) ( - IN IKE_UDP_SERVICE *UdpService, - IN IKE_PACKET *IkePacket - ); - -/** - This is prototype definition of the general interface when received a IKE - information Packet. - - @param[in] UdpService Point to UDP service used to send IKE packet. - @param[in] IkePacket Point to received IKE packet. - -**/ -typedef -VOID -(*IKE_HANDLE_INFO) ( - IN IKE_UDP_SERVICE *UdpService, - IN IKE_PACKET *IkePacket - ); - -typedef struct _IKE_EXCHANGE_INTERFACE { - UINT8 IkeVer; - IKE_NEGOTIATE_SA NegotiateSa; - IKE_NEGOTIATE_CHILD_SA NegotiateChildSa; - IKE_NEGOTIATE_INFO NegotiateInfo; - IKE_HANDLE_SA HandleSa; - IKE_HANDLE_CHILD_SA HandleChildSa; - IKE_HANDLE_INFO HandleInfo; -} IKE_EXCHANGE_INTERFACE; - -/** - Open and configure a UDPIO of Udp4 for IKE packet receiving. - - This function is called at the IPsecDriverBinding start. IPsec create a = UDP4 and - a UDP4 IO for each NIC handle. - - @param[in] Private Point to IPSEC_PRIVATE_DATA - @param[in] Controller Handler for NIC card. - @param[in] ImageHandle The handle that contains the EFI_DRIVER_BINDIN= G_PROTOCOL instance. - - @retval EFI_SUCCESS The Operation is successful. - @retval EFI_OUT_OF_RESOURCE The required system resource can't be al= located. 
- -**/ -EFI_STATUS -IkeOpenInputUdp4 ( - IN IPSEC_PRIVATE_DATA *Private, - IN EFI_HANDLE Controller, - IN EFI_HANDLE ImageHandle - ); - -/** - Open and configure a UDPIO of Udp6 for IKE packet receiving. - - This function is called at the IPsecDriverBinding start. IPsec create a = UDP6 and UDP6 - IO for each NIC handle. - - @param[in] Private Point to IPSEC_PRIVATE_DATA - @param[in] Controller Handler for NIC card. - @param[in] ImageHandle The handle that contains the EFI_DRIVER_BINDIN= G_PROTOCOL instance. - - @retval EFI_SUCCESS The Operation is successful. - @retval EFI_OUT_OF_RESOURCE The required system resource can't be al= located. - -**/ -EFI_STATUS -IkeOpenInputUdp6 ( - IN IPSEC_PRIVATE_DATA *Private, - IN EFI_HANDLE Controller, - IN EFI_HANDLE ImageHandle - ); - -/** - The general interface of starting IPsec Key Exchange. - - This function is called when start a IKE negotiation to get a Key. - - @param[in] UdpService Point to IKE_UDP_SERVICE which will be used for - IKE packet sending. - @param[in] SpdEntry Point to the SPD entry related to the IKE negoti= ation. - @param[in] RemoteIp Point to EFI_IP_ADDRESS related to the IKE negot= iation. - - @retval EFI_SUCCESS The Operation is successful. - @retval EFI_ACCESS_DENIED No related PAD entry was found. - -**/ -EFI_STATUS -IkeNegotiate ( - IN IKE_UDP_SERVICE *UdpService, - IN IPSEC_SPD_ENTRY *SpdEntry, - IN EFI_IP_ADDRESS *RemoteIp - ); - -/** - The general interface when receive a IKE packet. - - This function is called when UDP IO receives a IKE packet. - - @param[in] Packet Point to received IKE packet. - @param[in] EndPoint Point to UDP_END_POINT which contains the inform= ation of - Remote IP and Port. - @param[in] IoStatus The Status of Recieve Token. - @param[in] Context Point to data passed from the caller. 
- -**/ -VOID -EFIAPI -IkeDispatch ( - IN NET_BUF *Packet, - IN UDP_END_POINT *EndPoint, - IN EFI_STATUS IoStatus, - IN VOID *Context - ); - -/** - Check if the NIC handle is binded to a Udp service. - - @param[in] Private Pointer of IPSEC_PRIVATE_DATA - @param[in] Handle The Handle of the NIC card - @param[in] IpVersion The version of the IP stack. - - @return a pointer of IKE_UDP_SERVICE. - -**/ -IKE_UDP_SERVICE * -IkeLookupUdp ( - IN IPSEC_PRIVATE_DATA *Private, - IN EFI_HANDLE Handle, - IN UINT8 IpVersion - ); - - -/** - Delete all established IKE SAs and related Child SAs. - - This function is the subfunction of the IpSecCleanupAllSa(). It first ca= lls - IkeDeleteChildSa() to delete all Child SAs then send out the related - Information packet. - - @param[in] Private Pointer of the IPSEC_PRIVATE_DATA. - @param[in] IsDisableIpsec Indicate whether needs to disable IPsec. - -**/ -VOID -IkeDeleteAllSas ( - IN IPSEC_PRIVATE_DATA *Private, - IN BOOLEAN IsDisableIpsec - ); - - -extern IKE_EXCHANGE_INTERFACE mIkev1Exchange; -extern IKE_EXCHANGE_INTERFACE mIkev2Exchange; - -#endif diff --git a/NetworkPkg/IpSecDxe/Ikev2/ChildSa.c b/NetworkPkg/IpSecDxe/Ikev= 2/ChildSa.c deleted file mode 100644 index 4cca34e9d3..0000000000 --- a/NetworkPkg/IpSecDxe/Ikev2/ChildSa.c +++ /dev/null @@ -1,193 +0,0 @@ -/** @file - The operations for Child SA. - - Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.
- - SPDX-License-Identifier: BSD-2-Clause-Patent - -**/ - -#include "Utility.h" - -/** - Generate IKE Packet for CREATE_CHILD_SA exchange. - - This IKE Packet would be the packet for creating new CHILD SA, or the pa= cket for - rekeying existing IKE SA, or the packet for existing CHILD SA. - - @param[in] SaSession Pointer to related SA session. - @param[in] Context The data passed by the caller. - - return a pointer of IKE packet. - -**/ -IKE_PACKET * -Ikev2CreateChildGenerator ( - IN UINT8 *SaSession, - IN VOID *Context - ) -{ - - IKEV2_CHILD_SA_SESSION *ChildSaSession; - IKEV2_SA_SESSION *IkeSaSession; - IKE_PACKET *IkePacket; - IKE_PAYLOAD *NotifyPayload; - UINT32 *MessageId; - - NotifyPayload =3D NULL; - MessageId =3D NULL; - - ChildSaSession =3D (IKEV2_CHILD_SA_SESSION *) SaSession; - if (ChildSaSession =3D=3D NULL) { - return NULL; - } - - IkePacket =3D IkePacketAlloc(); - if (IkePacket =3D=3D NULL) { - return NULL; - } - - - if (Context !=3D NULL) { - MessageId =3D (UINT32 *) Context; - } - - IkePacket->Header->Version =3D (UINT8) (2 << 4); - IkePacket->Header->NextPayload =3D IKEV2_PAYLOAD_TYPE_NOTIFY; - IkePacket->Header->ExchangeType =3D IKE_XCG_TYPE_CREATE_CHILD_SA; - - if (ChildSaSession->SessionCommon.IkeSessionType =3D=3D IkeSessionTypeCh= ildSa) { - // - // 1.a Fill the IkePacket->Hdr - // - IkePacket->Header->InitiatorCookie =3D ChildSaSession->IkeSaSession->I= nitiatorCookie; - IkePacket->Header->ResponderCookie =3D ChildSaSession->IkeSaSession->R= esponderCookie; - - if (MessageId !=3D NULL) { - IkePacket->Header->MessageId =3D *MessageId; - } else { - IkePacket->Header->MessageId =3D ChildSaSession->MessageId; - } - - if (ChildSaSession->SessionCommon.IsInitiator) { - IkePacket->Header->Flags =3D IKE_HEADER_FLAGS_INIT; - } - - } else { - IkeSaSession =3D (IKEV2_SA_SESSION *) SaSession; - // - // 1.a Fill the IkePacket->Hdr - // - IkePacket->Header->InitiatorCookie =3D IkeSaSession->InitiatorCookie; - IkePacket->Header->ResponderCookie =3D 
IkeSaSession->ResponderCookie; - - if (MessageId !=3D NULL) { - IkePacket->Header->MessageId =3D *MessageId; - } else { - IkePacket->Header->MessageId =3D IkeSaSession->MessageId; - } - - if (IkeSaSession->SessionCommon.IsInitiator) { - IkePacket->Header->Flags =3D IKE_HEADER_FLAGS_INIT; - } - } - - if (MessageId !=3D NULL) { - IkePacket->Header->Flags |=3D IKE_HEADER_FLAGS_RESPOND; - } - - // - // According to RFC4306, Chapter 4. - // A minimal implementation may support the CREATE_CHILD_SA exchange onl= y to - // recognize requests and reject them with a Notify payload of type NO_A= DDITIONAL_SAS. - // - NotifyPayload =3D Ikev2GenerateNotifyPayload ( - 0, - IKEV2_PAYLOAD_TYPE_NONE, - 0, - IKEV2_NOTIFICATION_NO_ADDITIONAL_SAS, - NULL, - NULL, - 0 - ); - if (NotifyPayload =3D=3D NULL) { - IkePacketFree (IkePacket); - return NULL; - } - - IKE_PACKET_APPEND_PAYLOAD (IkePacket, NotifyPayload); - // - // TODO: Support the CREATE_CHILD_SA exchange. - // - return IkePacket; -} - -/** - Parse the IKE packet of CREATE_CHILD_SA exchange. - - This function parse the IKE packet and save the related information to f= urther - calculation. - - @param[in] SaSession Pointer to IKEv2_CHILD_SA_SESSION related to this= Exchange. - @param[in] IkePacket Received packet to be parsed. - - - @retval EFI_SUCCESS The IKE Packet is acceptable. - @retval EFI_UNSUPPORTED Not support the CREATE_CHILD_SA request. - -**/ -EFI_STATUS -Ikev2CreateChildParser ( - IN UINT8 *SaSession, - IN IKE_PACKET *IkePacket - ) -{ - return EFI_UNSUPPORTED; -} - -/** - Routine process before the payload decoding. - - @param[in] SessionCommon Pointer to ChildSa SessionCommon. - @param[in] PayloadBuf Pointer to the payload. - @param[in] PayloadSize Size of PayloadBuf in byte. - @param[in] PayloadType Type of Payload. 
- -**/ -VOID -Ikev2ChildSaBeforeDecodePayload ( - IN UINT8 *SessionCommon, - IN UINT8 *PayloadBuf, - IN UINTN PayloadSize, - IN UINT8 PayloadType - ) -{ - -} - -/** - Routine Process after the payload encoding. - - @param[in] SessionCommon Pointer to ChildSa SessionCommon. - @param[in] PayloadBuf Pointer to the payload. - @param[in] PayloadSize Size of PayloadBuf in byte. - @param[in] PayloadType Type of Payload. - -**/ -VOID -Ikev2ChildSaAfterEncodePayload ( - IN UINT8 *SessionCommon, - IN UINT8 *PayloadBuf, - IN UINTN PayloadSize, - IN UINT8 PayloadType - ) -{ -} - -IKEV2_PACKET_HANDLER mIkev2CreateChild =3D { - // - // Create Child - // - Ikev2CreateChildParser, - Ikev2CreateChildGenerator -}; diff --git a/NetworkPkg/IpSecDxe/Ikev2/Exchange.c b/NetworkPkg/IpSecDxe/Ike= v2/Exchange.c deleted file mode 100644 index dc219c5353..0000000000 --- a/NetworkPkg/IpSecDxe/Ikev2/Exchange.c +++ /dev/null @@ -1,803 +0,0 @@ -/** @file - The general interfaces of the IKEv2. - - Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.
- - SPDX-License-Identifier: BSD-2-Clause-Patent - -**/ - -#include "Utility.h" -#include "IpSecDebug.h" -#include "IkeService.h" -#include "IpSecConfigImpl.h" - -/** - General interface to intialize a IKEv2 negotiation. - - @param[in] UdpService Point to Udp Servcie used for the IKE packet= sending. - @param[in] SpdEntry Point to SPD entry related to this IKE negot= iation. - @param[in] PadEntry Point to PAD entry related to this IKE negot= iation. - @param[in] RemoteIp Point to IP Address which the remote peer to= negnotiate. - - @retval EFI_SUCCESS The operation is successful. - @retval EFI_OUT_OF_RESOURCES The required system resource can't be allo= cated. - @retval EFI_INVALID_PARAMETER If UdpService or RemoteIp is NULL. - @return Others The operation is failed. - -**/ -EFI_STATUS -Ikev2NegotiateSa ( - IN IKE_UDP_SERVICE *UdpService, - IN IPSEC_SPD_ENTRY *SpdEntry, - IN IPSEC_PAD_ENTRY *PadEntry, - IN EFI_IP_ADDRESS *RemoteIp - ) -{ - IPSEC_PRIVATE_DATA *Private; - IKEV2_SA_SESSION *IkeSaSession; - IKEV2_SESSION_COMMON *SessionCommon; - IKEV2_PACKET_HANDLER Handler; - IKE_PACKET *IkePacket; - EFI_STATUS Status; - - if (UdpService =3D=3D NULL || RemoteIp =3D=3D NULL) { - return EFI_INVALID_PARAMETER; - } - - IkePacket =3D NULL; - Private =3D (UdpService->IpVersion =3D=3D IP_VERSION_4) ? - IPSEC_PRIVATE_DATA_FROM_UDP4LIST(UdpService->ListHead) : - IPSEC_PRIVATE_DATA_FROM_UDP6LIST(UdpService->ListHead); - - // - // Lookup the remote ip address in the processing IKE SA session list. - // - IkeSaSession =3D Ikev2SaSessionLookup (&Private->Ikev2SessionList, Remot= eIp); - if (IkeSaSession !=3D NULL) { - // - // Drop the packet if already in process. - // - return EFI_SUCCESS; - } - - // - // Create a new IkeSaSession and initiate the common parameters. - // - IkeSaSession =3D Ikev2SaSessionAlloc (Private, UdpService); - if (IkeSaSession =3D=3D NULL) { - return EFI_OUT_OF_RESOURCES; - } - - // - // Set the specific parameters and state(IKE_STATE_INIT). 
- // - IkeSaSession->Spd =3D SpdEntry; - IkeSaSession->Pad =3D PadEntry; - SessionCommon =3D &IkeSaSession->SessionCommon; - SessionCommon->IsInitiator =3D TRUE; - SessionCommon->State =3D IkeStateInit; - // - // TODO: Get the prefer DH Group from the IPsec Configuration, after the= IPsecconfig application update - // to support it. - // - SessionCommon->PreferDhGroup =3D IKEV2_TRANSFORM_ID_DH_1024MODP; - - CopyMem ( - &SessionCommon->RemotePeerIp, - RemoteIp, - sizeof (EFI_IP_ADDRESS) - ); - - CopyMem ( - &SessionCommon->LocalPeerIp, - &UdpService->DefaultAddress, - sizeof (EFI_IP_ADDRESS) - ); - - IKEV2_DUMP_STATE (SessionCommon->State, IkeStateInit); - - // - // Initiate the SAD data of the IkeSaSession. - // - IkeSaSession->SaData =3D Ikev2InitializeSaData (SessionCommon); - if (IkeSaSession->SaData =3D=3D NULL) { - Status =3D EFI_OUT_OF_RESOURCES; - goto ON_ERROR; - } - - // - // Generate an IKE request packet and send it out. - // - Handler =3D mIkev2Initial[IkeSaSession->Pad->Data->AuthMethod][Session= Common->State]; - IkePacket =3D Handler.Generator ((UINT8 *) IkeSaSession, NULL); - if (IkePacket =3D=3D NULL) { - Status =3D EFI_OUT_OF_RESOURCES; - goto ON_ERROR; - } - - Status =3D Ikev2SendIkePacket (UdpService, (UINT8 *) SessionCommon, IkeP= acket, 0); - - if (EFI_ERROR (Status)) { - goto ON_ERROR; - } - - // - // Insert the current IkeSaSession into the processing IKE SA list. - // - Ikev2SaSessionInsert (&Private->Ikev2SessionList, IkeSaSession, RemoteIp= ); - - return EFI_SUCCESS; - -ON_ERROR: - - if (IkePacket !=3D NULL) { - IkePacketFree (IkePacket); - } - Ikev2SaSessionFree (IkeSaSession); - return Status; -} - -/** - It is general interface to negotiate the Child SA. - - There are three situations which will invoke this function. First, creat= e a CHILD - SA if the input Context is NULL. Second, rekeying the existing IKE SA if= the Context - is a IKEv2_SA_SESSION. Third, rekeying the existing CHILD SA if the cont= ext is a - IKEv2_CHILD_SA_SESSION. 
- - @param[in] IkeSaSession Pointer to IKEv2_SA_SESSION related to this ope= ration. - @param[in] SpdEntry Pointer to IPSEC_SPD_ENTRY related to this oper= ation. - @param[in] Context The data pass from the caller. - - @retval EFI_SUCCESS The operation is successful. - @retval EFI_OUT_OF_RESOURCES The required system resource can't be alloc= ated. - @retval EFI_UNSUPPORTED The condition is not support yet. - @return Others The operation is failed. - -**/ -EFI_STATUS -Ikev2NegotiateChildSa ( - IN UINT8 *IkeSaSession, - IN IPSEC_SPD_ENTRY *SpdEntry, - IN UINT8 *Context - ) -{ - EFI_STATUS Status; - IKEV2_SA_SESSION *SaSession; - IKEV2_CHILD_SA_SESSION *ChildSaSession; - IKEV2_SESSION_COMMON *ChildSaCommon; - IKE_PACKET *IkePacket; - IKE_UDP_SERVICE *UdpService; - - SaSession =3D (IKEV2_SA_SESSION*) IkeSaSession; - UdpService =3D SaSession->SessionCommon.UdpService; - IkePacket =3D NULL; - - // - // 1. Create another child SA session if context is null. - // 2. Rekeying the IKE SA session if the context is IKE SA session. - // 3. Rekeying the child SA session if the context is child SA session. - // - if (Context =3D=3D NULL) { - // - // Create a new ChildSaSession and initiate the common parameters. - // - ChildSaSession =3D Ikev2ChildSaSessionAlloc (UdpService, SaSession); - - if (ChildSaSession =3D=3D NULL) { - return EFI_OUT_OF_RESOURCES; - } - - // - // Set the specific parameters and state as IKE_STATE_CREATE_CHILD. 
- // - ChildSaSession->Spd =3D SpdEntry; - ChildSaCommon =3D &ChildSaSession->SessionCommon; - ChildSaCommon->IsInitiator =3D TRUE; - ChildSaCommon->State =3D IkeStateCreateChild; - - IKEV2_DUMP_STATE (ChildSaCommon->State, IkeStateCreateChild); - - if (SpdEntry->Selector->NextLayerProtocol !=3D EFI_IPSEC_ANY_PROTOCOL)= { - ChildSaSession->ProtoId =3D SpdEntry->Selector->NextLayerProtocol; - } - - if (SpdEntry->Selector->LocalPort !=3D EFI_IPSEC_ANY_PORT) { - ChildSaSession->LocalPort =3D SpdEntry->Selector->LocalPort; - } - - if (SpdEntry->Selector->RemotePort !=3D EFI_IPSEC_ANY_PORT) { - ChildSaSession->RemotePort =3D SpdEntry->Selector->RemotePort; - } - // - // Initiate the SAD data parameters of the ChildSaSession. - // - ChildSaSession->SaData =3D Ikev2InitializeSaData (ChildSaCommon); - if (ChildSaSession->SaData =3D=3D NULL) { - Status =3D EFI_OUT_OF_RESOURCES; - goto ON_ERROR; - } - // - // Generate an IKE request packet and send it out. - // - IkePacket =3D mIkev2CreateChild.Generator ((UINT8 *) ChildSaSession, N= ULL); - - if (IkePacket =3D=3D NULL) { - Status =3D EFI_OUT_OF_RESOURCES; - goto ON_ERROR; - } - - Status =3D Ikev2SendIkePacket (UdpService, (UINT8 *) ChildSaCommon, Ik= ePacket, 0); - - if (EFI_ERROR (Status)) { - goto ON_ERROR; - } - - // - // Insert the ChildSaSession into processing child SA list. - // - Ikev2ChildSaSessionInsert (&SaSession->ChildSaSessionList, ChildSaSess= ion); - } else { - // - // TODO: Rekeying IkeSaSession or ChildSaSession, NOT support yet. 
- // - // Rekey IkeSa, set IkeSaSession->State and pass over IkeSaSession - // Rekey ChildSa, set ChildSaSession->State and pass over ChildSaSessi= on - // - return EFI_UNSUPPORTED; - } - - return EFI_SUCCESS; - -ON_ERROR: - - if (ChildSaSession->SaData !=3D NULL) { - FreePool (ChildSaSession->SaData); - } - - if (ChildSaSession->SessionCommon.TimeoutEvent !=3D NULL) { - gBS->CloseEvent (ChildSaSession->SessionCommon.TimeoutEvent); - } - - if (IkePacket !=3D NULL) { - IkePacketFree (IkePacket); - } - - Ikev2ChildSaSessionFree (ChildSaSession); - return Status; -} - -/** - It is general interface to start the Information Exchange. - - There are three situations which will invoke this function. First, deliv= er a Delete Information - to delete the IKE SA if the input Context is NULL and the state of relat= ed IkeSaSeesion's is on - deleting.Second, deliver a Notify Information without the contents if th= e input Context is NULL. - Third, deliver a Notify Information if the input Context is not NULL. - - @param[in] IkeSaSession Pointer to IKEv2_SA_SESSION related to this ope= ration. - @param[in] Context Data passed by caller. - - @retval EFI_SUCCESS The operation is successful. - @retval EFI_OUT_OF_RESOURCES The required system resource can't be alloc= ated. - @retval EFI_UNSUPPORTED The condition is not support yet. - @return Otherwise The operation is failed. - -**/ -EFI_STATUS -Ikev2NegotiateInfo ( - IN UINT8 *IkeSaSession, - IN UINT8 *Context - ) -{ - - EFI_STATUS Status; - IKEV2_SA_SESSION *Ikev2SaSession; - IKEV2_CHILD_SA_SESSION *ChildSaSession; - IKEV2_SESSION_COMMON *SaCommon; - IKE_PACKET *IkePacket; - IKE_UDP_SERVICE *UdpService; - LIST_ENTRY *Entry; - LIST_ENTRY *NextEntry; - - Ikev2SaSession =3D (IKEV2_SA_SESSION *) IkeSaSession; - UdpService =3D Ikev2SaSession->SessionCommon.UdpService; - SaCommon =3D &Ikev2SaSession->SessionCommon; - IkePacket =3D NULL; - Status =3D EFI_SUCCESS; - - // - // Delete the IKE SA. 
- // - if (Ikev2SaSession->SessionCommon.State =3D=3D IkeStateSaDeleting && Con= text =3D=3D NULL) { - - // - // Generate Information Packet which contains the Delete Payload. - // - IkePacket =3D mIkev2Info.Generator ((UINT8 *) Ikev2SaSession, NULL); - if (IkePacket =3D=3D NULL) { - Status =3D EFI_OUT_OF_RESOURCES; - goto ON_ERROR; - } - - // - // Send out the Packet - // - if (UdpService !=3D NULL && UdpService->Output !=3D NULL) { - Status =3D Ikev2SendIkePacket (UdpService, (UINT8 *) SaCommon, IkePa= cket, 0); - - if (EFI_ERROR (Status)) { - goto ON_ERROR; - } - } - } else if (!IsListEmpty (&Ikev2SaSession->DeleteSaList)) { - // - // Iterate all Deleting Child SAs. - // - NET_LIST_FOR_EACH_SAFE (Entry, NextEntry, &Ikev2SaSession->DeleteSaLis= t) { - ChildSaSession =3D IKEV2_CHILD_SA_SESSION_BY_DE= L_SA (Entry); - ChildSaSession->SessionCommon.State =3D IkeStateSaDeleting; - - // - // Generate Information Packet which contains the Child SA Delete Pa= yload. - // - IkePacket =3D mIkev2Info.Generator ((UINT8 *) ChildSaSession, NULL); - if (IkePacket =3D=3D NULL) { - Status =3D EFI_OUT_OF_RESOURCES; - goto ON_ERROR; - } - - // - // Send out the Packet - // - if (UdpService !=3D NULL && UdpService->Output !=3D NULL) { - Status =3D Ikev2SendIkePacket (UdpService, (UINT8 *) &ChildSaSessi= on->SessionCommon, IkePacket, 0); - - if (EFI_ERROR (Status)) { - goto ON_ERROR; - } - } - } - } else if (Context =3D=3D NULL) { - // - // TODO: Deliver null notification message. - // - } else if (Context !=3D NULL) { - // - // TODO: Send out the Information Exchange which contains the Notify P= ayload. - // - } -ON_ERROR: - if (IkePacket !=3D NULL) { - IkePacketFree (IkePacket); - } - return Status; - -} - -/** - The general interface when received a IKEv2 packet for the IKE SA establ= ishing. - - This function first find the related IKE SA Session according to the IKE= packet's - remote IP. 
Then call the corresponding function to handle this IKE packe= t according - to the related IKE SA Session's State. - - @param[in] UdpService Pointer of related UDP Service. - @param[in] IkePacket Data passed by caller. - -**/ -VOID -Ikev2HandleSa ( - IN IKE_UDP_SERVICE *UdpService, - IN IKE_PACKET *IkePacket - ) -{ - EFI_STATUS Status; - IKEV2_SA_SESSION *IkeSaSession; - IKEV2_CHILD_SA_SESSION *ChildSaSession; - IKEV2_SESSION_COMMON *IkeSaCommon; - IKEV2_SESSION_COMMON *ChildSaCommon; - IKEV2_PACKET_HANDLER Handler; - IKE_PACKET *Reply; - IPSEC_PAD_ENTRY *PadEntry; - IPSEC_PRIVATE_DATA *Private; - BOOLEAN IsNewSession; - - Private =3D (UdpService->IpVersion =3D=3D IP_VERSION_4) ? - IPSEC_PRIVATE_DATA_FROM_UDP4LIST(UdpService->ListHead) : - IPSEC_PRIVATE_DATA_FROM_UDP6LIST(UdpService->ListHead); - - ChildSaSession =3D NULL; - ChildSaCommon =3D NULL; - - // - // Lookup the remote ip address in the processing IKE SA session list. - // - IkeSaSession =3D Ikev2SaSessionLookup (&Private->Ikev2SessionList, &IkeP= acket->RemotePeerIp); - IsNewSession =3D FALSE; - - if (IkeSaSession =3D=3D NULL) { - // - // Lookup the remote ip address in the pad. - // - PadEntry =3D IpSecLookupPadEntry (UdpService->IpVersion, &IkePacket->R= emotePeerIp); - if (PadEntry =3D=3D NULL) { - // - // Drop the packet if no pad entry matched, this is the request from= RFC 4301. - // - return ; - } - - // - // Create a new IkeSaSession and initiate the common parameters. 
- // - IkeSaSession =3D Ikev2SaSessionAlloc (Private, UdpService); - if (IkeSaSession =3D=3D NULL) { - return; - } - IkeSaSession->Pad =3D PadEntry; - IkeSaCommon =3D &IkeSaSession->SessionCommon; - IkeSaCommon->IsInitiator =3D FALSE; - IkeSaCommon->State =3D IkeStateInit; - - IKEV2_DUMP_STATE (IkeSaCommon->State, IkeStateInit); - - CopyMem ( - &IkeSaCommon->RemotePeerIp, - &IkePacket->RemotePeerIp, - sizeof (EFI_IP_ADDRESS) - ); - - CopyMem ( - &IkeSaCommon->LocalPeerIp, - &UdpService->DefaultAddress, - sizeof (EFI_IP_ADDRESS) - ); - - IsNewSession =3D TRUE; - } - - // - // Validate the IKE packet header. - // - if (!Ikev2ValidateHeader (IkeSaSession, IkePacket->Header)) { - // - // Drop the packet if invalid IKE header. - // - goto ON_ERROR; - } - - // - // Decode all the payloads in the IKE packet. - // - IkeSaCommon =3D &IkeSaSession->SessionCommon; - Status =3D Ikev2DecodePacket (IkeSaCommon, IkePacket, IkeSessionTyp= eIkeSa); - if (EFI_ERROR (Status)) { - goto ON_ERROR; - } - - // - // Try to reate the first ChildSa Session of that IkeSaSession. - // If the IkeSaSession is responder, here will create the first ChildSaS= ession. - // - if (IkeSaCommon->State =3D=3D IkeStateAuth && IsListEmpty(&IkeSaSession-= >ChildSaSessionList)) { - // - // Generate a piggyback child SA in IKE_STATE_AUTH state. - // - ASSERT (IsListEmpty (&IkeSaSession->ChildSaSessionList) && - IsListEmpty (&IkeSaSession->ChildSaEstablishSessionList)); - - ChildSaSession =3D Ikev2ChildSaSessionCreate (IkeSaSession, UdpService= ); - if (ChildSaSession =3D=3D NULL) { - goto ON_ERROR; - } - - ChildSaCommon =3D &ChildSaSession->SessionCommon; - } - - // - // Parse the IKE request packet according to the auth method and current= state. 
- // - Handler =3D mIkev2Initial[IkeSaSession->Pad->Data->AuthMethod][IkeSaComm= on->State]; - Status =3D Handler.Parser ((UINT8 *)IkeSaSession, IkePacket); - if (EFI_ERROR (Status)) { - goto ON_ERROR; - } - - // - // Try to reate the first ChildSa Session of that IkeSaSession. - // If the IkeSaSession is initiator, here will create the first ChildSaS= ession. - // - if (IkeSaCommon->State =3D=3D IkeStateAuth && IsListEmpty(&IkeSaSession-= >ChildSaSessionList)) { - // - // Generate a piggyback child SA in IKE_STATE_AUTH state. - // - ASSERT (IsListEmpty (&IkeSaSession->ChildSaSessionList) && - IsListEmpty (&IkeSaSession->ChildSaEstablishSessionList)); - - ChildSaSession =3D Ikev2ChildSaSessionCreate (IkeSaSession, UdpService= ); - if (ChildSaSession =3D=3D NULL) { - goto ON_ERROR; - } - - ChildSaCommon =3D &ChildSaSession->SessionCommon; - - // - // Initialize the SA data for Child SA. - // - ChildSaSession->SaData =3D Ikev2InitializeSaData (ChildSaCommon); - } - - // - // Generate the IKE response packet and send it out if not established. - // - if (IkeSaCommon->State !=3D IkeStateIkeSaEstablished) { - Handler =3D mIkev2Initial[IkeSaSession->Pad->Data->AuthMethod][IkeSaCo= mmon->State]; - Reply =3D Handler.Generator ((UINT8 *) IkeSaSession, NULL); - if (Reply =3D=3D NULL) { - goto ON_ERROR; - } - - Status =3D Ikev2SendIkePacket (UdpService, (UINT8 *) IkeSaCommon, Repl= y, 0); - if (EFI_ERROR (Status)) { - goto ON_ERROR; - } - if (!IkeSaCommon->IsInitiator) { - IkeSaCommon->State ++; - IKEV2_DUMP_STATE (IkeSaCommon->State - 1, IkeSaCommon->State); - } - } - - // - // Insert the new IkeSaSession into the Private processing IkeSaSession = List. - // - if (IsNewSession) { - Ikev2SaSessionInsert (&Private->Ikev2SessionList, IkeSaSession, &IkePa= cket->RemotePeerIp); - } - - // - // Register the IkeSaSession and remove it from processing list. 
- // - if (IkeSaCommon->State =3D=3D IkeStateIkeSaEstablished) { - - // - // Remove the Established IKE SA Session from the IKE SA Session Negot= iating list - // and insert it into IKE SA Session Established list. - // - Ikev2SaSessionRemove (&Private->Ikev2SessionList, &IkePacket->RemotePe= erIp); - Ikev2SaSessionReg (IkeSaSession, Private); - - // - // Remove the Established Child SA Session from the IkeSaSession->Chil= dSaSessionList - // ,insert it into IkeSaSession->ChildSaEstablishSessionList and save = this Child SA - // into SAD. - // - ChildSaSession =3D IKEV2_CHILD_SA_SESSION_BY_IKE_SA (IkeSaSession->Chi= ldSaSessionList.BackLink); - Ikev2ChildSaSessionRemove ( - &IkeSaSession->ChildSaSessionList, - ChildSaSession->LocalPeerSpi, - IKEV2_ESTABLISHING_CHILDSA_LIST - ); - Ikev2ChildSaSessionReg (ChildSaSession, Private); - } - - return ; - -ON_ERROR: - if (ChildSaSession !=3D NULL) { - // - // Remove the ChildSa from the list (Established list or Negotiating l= ist). - // - RemoveEntryList (&ChildSaSession->ByIkeSa); - Ikev2ChildSaSessionFree (ChildSaSession); - } - - if (IsNewSession && IkeSaSession !=3D NULL) { - // - // Remove the IkeSa from the list (Established list or Negotiating lis= t). - // - if ((&IkeSaSession->BySessionTable)->ForwardLink !=3D NULL && - !IsListEmpty (&IkeSaSession->BySessionTable - )){ - RemoveEntryList (&IkeSaSession->BySessionTable); - } - Ikev2SaSessionFree (IkeSaSession); - } - - return ; -} - -/** - - The general interface when received a IKEv2 packet for the IKE Child SA = establishing - or IKE SA/CHILD SA rekeying. - - This function first find the related IKE SA Session according to the IKE= packet's - remote IP. Then call the corresponding function to handle this IKE packe= t according - to the related IKE Child Session's State. - - @param[in] UdpService Pointer of related UDP Service. - @param[in] IkePacket Data passed by caller. 
- -**/ -VOID -Ikev2HandleChildSa ( - IN IKE_UDP_SERVICE *UdpService, - IN IKE_PACKET *IkePacket - ) -{ - EFI_STATUS Status; - IKEV2_SA_SESSION *IkeSaSession; - IKEV2_CREATE_CHILD_REQUEST_TYPE RequestType; - IKE_PACKET *Reply; - IPSEC_PRIVATE_DATA *Private; - - Private =3D (UdpService->IpVersion =3D=3D IP_VERSION_4) ? - IPSEC_PRIVATE_DATA_FROM_UDP4LIST(UdpService->ListHead) : - IPSEC_PRIVATE_DATA_FROM_UDP6LIST(UdpService->ListHead); - - Reply =3D NULL; - - // - // Lookup the remote ip address in the processing IKE SA session list. - // - IkeSaSession =3D Ikev2SaSessionLookup (&Private->Ikev2EstablishedList, &= IkePacket->RemotePeerIp); - - if (IkeSaSession =3D=3D NULL) { - // - // Drop the packet if no IKE SA associated. - // - return ; - } - - // - // Validate the IKE packet header. - // - if (!Ikev2ValidateHeader (IkeSaSession, IkePacket->Header)) { - // - // Drop the packet if invalid IKE header. - // - return; - } - - // - // Decode all the payloads in the IKE packet. - // - Status =3D Ikev2DecodePacket (&IkeSaSession->SessionCommon, IkePacket, I= keSessionTypeIkeSa); - if (EFI_ERROR (Status)) { - return; - } - - // - // Get the request type: CreateChildSa/RekeyChildSa/RekeyIkeSa. - // - RequestType =3D Ikev2ChildExchangeRequestType (IkePacket); - - switch (RequestType) { - case IkeRequestTypeCreateChildSa: - case IkeRequestTypeRekeyChildSa: - case IkeRequestTypeRekeyIkeSa: - // - // Parse the IKE request packet. Not support CREATE_CHILD_SA exchange = yet, so - // only EFI_UNSUPPORTED will be returned and that will trigger a reply= with a - // Notify payload of type NO_ADDITIONAL_SAS. - // - Status =3D mIkev2CreateChild.Parser ((UINT8 *) IkeSaSession, IkePacket= ); - if (EFI_ERROR (Status)) { - goto ON_REPLY; - } - - default: - // - // No support. - // - return ; - } - -ON_REPLY: - // - // Generate the reply packet if needed and send it out. 
- // - if (!(IkePacket->Header->Flags & IKE_HEADER_FLAGS_RESPOND)) { - Reply =3D mIkev2CreateChild.Generator ((UINT8 *) IkeSaSession, &IkePac= ket->Header->MessageId); - if (Reply !=3D NULL) { - Status =3D Ikev2SendIkePacket (UdpService, (UINT8 *) &(IkeSaSession-= >SessionCommon), Reply, 0); - if (EFI_ERROR (Status)) { - // - // Delete Reply payload. - // - if (Reply !=3D NULL) { - IkePacketFree (Reply); - } - } - } - } - return ; -} - -/** - - It is general interface to handle IKEv2 information Exchange. - - @param[in] UdpService Point to IKE UPD Service related to this informat= ion exchange. - @param[in] IkePacket The IKE packet to be parsed. - -**/ -VOID -Ikev2HandleInfo ( - IN IKE_UDP_SERVICE *UdpService, - IN IKE_PACKET *IkePacket - ) -{ - EFI_STATUS Status; - IKEV2_SESSION_COMMON *SessionCommon; - IKEV2_SA_SESSION *IkeSaSession; - IPSEC_PRIVATE_DATA *Private; - - Private =3D (UdpService->IpVersion =3D=3D IP_VERSION_4) ? - IPSEC_PRIVATE_DATA_FROM_UDP4LIST(UdpService->ListHead) : - IPSEC_PRIVATE_DATA_FROM_UDP6LIST(UdpService->ListHead); - - // - // Lookup the remote ip address in the processing IKE SA session list. - // - IkeSaSession =3D Ikev2SaSessionLookup (&Private->Ikev2EstablishedList, &= IkePacket->RemotePeerIp); - - if (IkeSaSession =3D=3D NULL) { - // - // Drop the packet if no IKE SA associated. - // - return ; - } - // - // Validate the IKE packet header. - // - if (!Ikev2ValidateHeader (IkeSaSession, IkePacket->Header)) { - - // - // Drop the packet if invalid IKE header. - // - return; - } - - SessionCommon =3D &IkeSaSession->SessionCommon; - - // - // Decode all the payloads in the IKE packet. - // - Status =3D Ikev2DecodePacket (SessionCommon, IkePacket, IkeSessionTypeIk= eSa); - if (EFI_ERROR (Status)) { - return; - } - - Status =3D mIkev2Info.Parser ((UINT8 *)IkeSaSession, IkePacket); - - if (EFI_ERROR (Status)) { - // - // Drop the packet if fail to parse. 
- // - return; - } -} - -IKE_EXCHANGE_INTERFACE mIkev1Exchange =3D { - 1, - NULL, //Ikev1NegotiateSa - NULL, //Ikev1NegotiateChildSa - NULL, - NULL, //Ikev1HandleSa, - NULL, //Ikev1HandleChildSa - NULL, //Ikev1HandleInfo -}; - -IKE_EXCHANGE_INTERFACE mIkev2Exchange =3D { - 2, - Ikev2NegotiateSa, - Ikev2NegotiateChildSa, - Ikev2NegotiateInfo, - Ikev2HandleSa, - Ikev2HandleChildSa, - Ikev2HandleInfo -}; - diff --git a/NetworkPkg/IpSecDxe/Ikev2/Ikev2.h b/NetworkPkg/IpSecDxe/Ikev2/= Ikev2.h deleted file mode 100644 index 83d1efdd3e..0000000000 --- a/NetworkPkg/IpSecDxe/Ikev2/Ikev2.h +++ /dev/null @@ -1,252 +0,0 @@ -/** @file - IKEv2 related definitions. - - Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.
- - SPDX-License-Identifier: BSD-2-Clause-Patent - -**/ -#ifndef _IKE_V2_H_ -#define _IKE_V2_H_ - -#include "Ike.h" -#include "Payload.h" - -#define IKEV2_TS_ANY_PORT 0xffff -#define IKEV2_TS_ANY_PROTOCOL 0 - -#define IKEV2_DELET_CHILDSA_LIST 0 -#define IKEV2_ESTABLISHING_CHILDSA_LIST 1 -#define IKEV2_ESTABLISHED_CHILDSA_LIST 2 - -#define IKEV2_SA_SESSION_SIGNATURE SIGNATURE_32 ('I', 'K', 'E',= 'I') -#define IKEV2_SA_SESSION_FROM_COMMON(a) CR (a, IKEV2_SA_SESSION, Ses= sionCommon, IKEV2_SA_SESSION_SIGNATURE) -#define IKEV2_SA_SESSION_BY_SESSION(a) CR (a, IKEV2_SA_SESSION, ByS= essionTable, IKEV2_SA_SESSION_SIGNATURE) -#define IKEV2_SA_SESSION_BY_ESTABLISHED(a) CR (a, IKEV2_SA_SESSION, ByE= stablishedTable, IKEV2_SA_SESSION_SIGNATURE) - -#define IKEV2_CHILD_SA_SESSION_SIGNATURE SIGNATURE_32 ('I', 'K', 'E',= 'C') -#define IKEV2_CHILD_SA_SESSION_FROM_COMMON(a) CR (a, IKEV2_CHILD_SA_SESSIO= N, SessionCommon, IKEV2_CHILD_SA_SESSION_SIGNATURE) -#define IKEV2_CHILD_SA_SESSION_BY_IKE_SA(a) CR (a, IKEV2_CHILD_SA_SESSIO= N, ByIkeSa, IKEV2_CHILD_SA_SESSION_SIGNATURE) -#define IKEV2_CHILD_SA_SESSION_BY_DEL_SA(a) CR (a, IKEV2_CHILD_SA_SESSIO= N, ByDelete, IKEV2_CHILD_SA_SESSION_SIGNATURE) - -#define IS_IKEV2_SA_SESSION(s) ((s)->Common.IkeSessionType = =3D=3D IkeSessionTypeIkeSa) -#define IKEV2_SA_FIRST_PROPOSAL(Sa) (IKEV2_PROPOSAL *)((IKEV2_SA= *)(Sa)+1) -#define IKEV2_NEXT_TRANSFORM_WITH_SIZE(Transform,TransformSize) \ - (IKEV2_TRANSFORM *) ((UINT8 *)(Transform) + (TransformSize)) - -#define IKEV2_NEXT_PROPOSAL_WITH_SIZE(Proposal, ProposalSize) \ - (IKEV2_PROPOSAL *) ((UINT8 *)(Proposal) + (ProposalSize)) - -#define IKEV2_PROPOSAL_FIRST_TRANSFORM(Proposal) \ - (IKEV2_TRANSFORM *)((UINT8 *)((IKEV2_PROPOSAL *)(Proposal)+1) + \ - (((IKEV2_PROPOSAL *)(Proposal))->SpiSize)) -#define IKEV2_PROPOSAL_FIRST_TRANSFORM(Proposal) \ - (IKEV2_TRANSFORM *)((UINT8 *)((IKEV2_PROPOSAL *)(Proposal)+1) + \ - (((IKEV2_PROPOSAL *)(Proposal))->SpiSize)) - -typedef enum { - IkeStateInit, - 
IkeStateAuth, - IkeStateIkeSaEstablished, - IkeStateCreateChild, - IkeStateSaRekeying, - IkeStateChildSaEstablished, - IkeStateSaDeleting, - IkeStateMaximum -} IKEV2_SESSION_STATE; - -typedef enum { - IkeRequestTypeCreateChildSa, - IkeRequestTypeRekeyChildSa, - IkeRequestTypeRekeyIkeSa, - IkeRequestTypeMaximum -} IKEV2_CREATE_CHILD_REQUEST_TYPE; - -typedef struct { - UINT8 *GxBuffer; - UINTN GxSize; - UINT8 *GyBuffer; - UINTN GySize; - UINT8 *GxyBuffer; - UINTN GxySize; - UINT8 *DhContext; -} IKEV2_DH_BUFFER; - -typedef struct { - IKEV2_DH_BUFFER *DhBuffer; - UINT8 *SkdKey; - UINTN SkdKeySize; - UINT8 *SkAiKey; - UINTN SkAiKeySize; - UINT8 *SkArKey; - UINTN SkArKeySize; - UINT8 *SkEiKey; - UINTN SkEiKeySize; - UINT8 *SkErKey; - UINTN SkErKeySize; - UINT8 *SkPiKey; - UINTN SkPiKeySize; - UINT8 *SkPrKey; - UINTN SkPrKeySize; -} IKEV2_SESSION_KEYS; - -typedef struct { - UINT16 LifeType; - UINT64 LifeDuration; - UINT16 EncAlgId; - UINTN EnckeyLen; - UINT16 Prf; - UINT16 IntegAlgId; - UINTN IntegKeyLen; - UINT16 DhGroup; - UINT8 ExtSeq; -} IKEV2_SA_PARAMS; - -// -// Internal Payload -// -typedef struct { - IKEV2_SA SaHeader; - UINTN NumProposals; - // - // IKE_PROPOSAL_DATA Proposals[1]; - // -} IKEV2_SA_DATA; - -typedef struct { - UINT8 ProposalIndex; - UINT8 ProtocolId; - UINT8 *Spi; - UINT8 NumTransforms; - // - // IKE_TRANSFORM_DATA Transforms[1]; - // -} IKEV2_PROPOSAL_DATA; - -typedef struct { - UINT8 TransformIndex; - UINT8 TransformType; - UINT16 TransformId; - IKE_SA_ATTRIBUTE Attribute; -} IKEV2_TRANSFORM_DATA; - -typedef struct { - UINT8 IkeVer; - IKE_SESSION_TYPE IkeSessionType; - BOOLEAN IsInitiator; - BOOLEAN IsOnDeleting; // Flag to indicate whether the S= A is on deleting. 
- IKEV2_SESSION_STATE State; - EFI_EVENT TimeoutEvent; - UINT64 TimeoutInterval; - UINTN RetryCount; - IKE_PACKET *LastSentPacket; - IKEV2_SA_PARAMS *SaParams; - UINT16 PreferDhGroup; - EFI_IP_ADDRESS RemotePeerIp; - EFI_IP_ADDRESS LocalPeerIp; - IKE_ON_PAYLOAD_FROM_NET BeforeDecodePayload; - IKE_ON_PAYLOAD_FROM_NET AfterEncodePayload; - IKE_UDP_SERVICE *UdpService; - IPSEC_PRIVATE_DATA *Private; -} IKEV2_SESSION_COMMON; - -typedef struct { - UINT32 Signature; - IKEV2_SESSION_COMMON SessionCommon; - UINT64 InitiatorCookie; - UINT64 ResponderCookie; - // - // Initiator: SA proposals to be sent - // Responder: SA proposals to be matched - // - IKEV2_SA_DATA *SaData; // SA Private struct used for SA payload = generation - IKEV2_SESSION_KEYS *IkeKeys; - UINT8 *NiBlock; - UINTN NiBlkSize; - UINT8 *NrBlock; - UINTN NrBlkSize; - UINT8 *NCookie; // Buffer Contains t= he Notify Cookie - UINTN NCookieSize; // Size of NCookie - IPSEC_PAD_ENTRY *Pad; - IPSEC_SPD_ENTRY *Spd; // SPD that requeste= d the negotiation, TODO: better use SPD selector - LIST_ENTRY ChildSaSessionList; - LIST_ENTRY ChildSaEstablishSessionList; // For Establish Chi= ld SA. - LIST_ENTRY InfoMIDList; // For Information M= ID - LIST_ENTRY DeleteSaList; // For deteling Chil= d SA. 
- UINT8 *InitPacket; - UINTN InitPacketSize; - UINT8 *RespPacket; - UINTN RespPacketSize; - UINT32 MessageId; - LIST_ENTRY BySessionTable; // Use for all IkeSa= Session Links -} IKEV2_SA_SESSION; - -typedef struct { - UINT32 Signature; - IKEV2_SESSION_COMMON SessionCommon; - IKEV2_SA_SESSION *IkeSaSession; - UINT32 MessageId; - IKEV2_SA_DATA *SaData; - UINT8 IpsecProtocol; - UINT32 LocalPeerSpi; - UINT32 RemotePeerSpi; - UINT8 *NiBlock; - UINTN NiBlkSize; - UINT8 *NrBlock; - UINTN NrBlkSize; - SA_KEYMATS ChildKeymats; - IKEV2_DH_BUFFER *DhBuffer; //New DH exchnaged by CREATE_CHILD_= SA - IPSEC_SPD_ENTRY *Spd; - EFI_IPSEC_SPD_SELECTOR *SpdSelector; - UINT16 ProtoId; - UINT16 RemotePort; - UINT16 LocalPort; - LIST_ENTRY ByIkeSa; - LIST_ENTRY ByDelete; -} IKEV2_CHILD_SA_SESSION; - -typedef enum { - Ikev2InfoNotify, - Ikev2InfoDelete, - Ikev2InfoLiveCheck -} IKEV2_INFO_TYPE; - -// -// This struct is used to pass the detail infromation to the InfoGenerator= () for -// the response Information Exchange Message creatation. -// -typedef struct { - UINT32 MessageId; - IKEV2_INFO_TYPE InfoType; -} IKEV2_INFO_EXCHANGE_CONTEXT; - -typedef struct { - UINTN DataSize; - UINT8 *Data; -} PRF_DATA_FRAGMENT; - -typedef -IKE_PACKET * -(*IKEV2_PACKET_GENERATOR) ( - IN UINT8 *SaSession, - IN VOID *Context -); - -typedef -EFI_STATUS -(*IKEV2_PACKET_PARSER) ( - IN UINT8 *SaSession, - IN IKE_PACKET *IkePacket -); - -typedef struct { - IKEV2_PACKET_PARSER Parser; - IKEV2_PACKET_GENERATOR Generator; -} IKEV2_PACKET_HANDLER; - -extern IKEV2_PACKET_HANDLER mIkev2Initial[][2]; -extern IKEV2_PACKET_HANDLER mIkev2CreateChild; -extern IKEV2_PACKET_HANDLER mIkev2Info; - -#endif - diff --git a/NetworkPkg/IpSecDxe/Ikev2/Info.c b/NetworkPkg/IpSecDxe/Ikev2/I= nfo.c deleted file mode 100644 index 40320740d4..0000000000 --- a/NetworkPkg/IpSecDxe/Ikev2/Info.c +++ /dev/null 
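Review bot: the Ikev2.h hunk deletes a header that defined IKEV2_PROPOSAL_FIRST_TRANSFORM twice with identical bodies, and the Ikev2.c hunk just before it removes Ikev2HandleChildSa, whose switch has no break after the three case labels, so a successful `mIkev2CreateChild.Parser` call falls through into `default: return;` and ON_REPLY is only reached through the goto on error. Neither needs fixing since both files go away, but it is worth confirming before merge that nothing left in NetworkPkg still includes "Ikev2.h" or references mIkev1Exchange / mIkev2Exchange, which this hunk also removes, otherwise the build breaks.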
@@ -1,403 +0,0 @@ -/** @file - The Implementations for Information Exchange. - - (C) Copyright 2015 Hewlett-Packard Development Company, L.P.
- Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.
- - SPDX-License-Identifier: BSD-2-Clause-Patent - -**/ - -#include "Utility.h" -#include "IpSecDebug.h" -#include "IpSecConfigImpl.h" - -/** - Generate Information Packet. - - The information Packet may contain one Delete Payload, or Notify Payload= , which - dependes on the Context's parameters. - - @param[in] SaSession Pointer to IKE SA Session or Child SA Session wh= ich is - related to the information Exchange. - @param[in] Context The Data passed from the caller. If the Context = is not NULL - it should contain the information for Notificati= on Data. - - @retval Pointer of IKE_PACKET generated. - -**/ -IKE_PACKET * -Ikev2InfoGenerator ( - IN UINT8 *SaSession, - IN VOID *Context - ) -{ - IKEV2_SA_SESSION *IkeSaSession; - IKEV2_CHILD_SA_SESSION *ChildSaSession; - IKE_PACKET *IkePacket; - IKE_PAYLOAD *IkePayload; - IKEV2_INFO_EXCHANGE_CONTEXT *InfoContext; - - InfoContext =3D NULL; - IkeSaSession =3D (IKEV2_SA_SESSION *) SaSession; - IkePacket =3D IkePacketAlloc (); - if (IkePacket =3D=3D NULL) { - return NULL; - } - - // - // Fill IkePacket Header. - // - IkePacket->Header->ExchangeType =3D IKEV2_EXCHANGE_TYPE_INFO; - IkePacket->Header->Version =3D (UINT8) (2 << 4); - - if (Context !=3D NULL) { - InfoContext =3D (IKEV2_INFO_EXCHANGE_CONTEXT *) Context; - } - - // - // For Liveness Check - // - if (InfoContext !=3D NULL && - (InfoContext->InfoType =3D=3D Ikev2InfoLiveCheck || InfoContext->Inf= oType =3D=3D Ikev2InfoNotify) - ) { - IkePacket->Header->MessageId =3D InfoContext->MessageId; - IkePacket->Header->InitiatorCookie =3D IkeSaSession->InitiatorCookie; - IkePacket->Header->ResponderCookie =3D IkeSaSession->ResponderCookie; - IkePacket->Header->NextPayload =3D IKEV2_PAYLOAD_TYPE_NONE; - IkePacket->Header->Flags =3D IKE_HEADER_FLAGS_RESPOND; - // - // TODO: add Notify Payload for Notification Information. 
- // - return IkePacket; - } - - // - // For delete SAs - // - if (IkeSaSession->SessionCommon.IkeSessionType =3D=3D IkeSessionTypeIkeS= a) { - - IkePacket->Header->InitiatorCookie =3D IkeSaSession->InitiatorCookie; - IkePacket->Header->ResponderCookie =3D IkeSaSession->ResponderCookie; - - // - // If the information message is response message,the MessageId should - // be same as the request MessageId which passed through the Context. - // - if (InfoContext !=3D NULL) { - IkePacket->Header->MessageId =3D InfoContext->MessageId; - } else { - IkePacket->Header->MessageId =3D IkeSaSession->MessageId; - Ikev2SaSessionIncreaseMessageId (IkeSaSession); - } - // - // If the state is on deleting generate a Delete Payload for it. - // - if (IkeSaSession->SessionCommon.State =3D=3D IkeStateSaDeleting ) { - IkePayload =3D Ikev2GenerateDeletePayload ( - IkeSaSession, - IKEV2_PAYLOAD_TYPE_NONE, - 0, - 0, - NULL - ); - if (IkePayload =3D=3D NULL) { - goto ERROR_EXIT; - } - // - // Fill the next payload in IkePacket's Header. - // - IkePacket->Header->NextPayload =3D IKEV2_PAYLOAD_TYPE_DELETE; - IKE_PACKET_APPEND_PAYLOAD (IkePacket, IkePayload); - IkePacket->Private =3D IkeSaSession->SessionCommon.Private; - IkePacket->Spi =3D 0; - IkePacket->IsDeleteInfo =3D TRUE; - - } else if (Context !=3D NULL) { - // - // TODO: If contest is not NULL Generate a Notify Payload. - // - } else { - // - // The input parameter is not correct. 
- // - goto ERROR_EXIT; - } - - if (IkeSaSession->SessionCommon.IsInitiator) { - IkePacket->Header->Flags =3D IKE_HEADER_FLAGS_INIT ; - } - } else { - // - // Delete the Child SA Information Exchagne - // - ChildSaSession =3D (IKEV2_CHILD_SA_SESSION *) SaSe= ssion; - IkeSaSession =3D ChildSaSession->IkeSaSession; - IkePacket->Header->InitiatorCookie =3D ChildSaSession->IkeSaSession->I= nitiatorCookie; - IkePacket->Header->ResponderCookie =3D ChildSaSession->IkeSaSession->R= esponderCookie; - - // - // If the information message is response message,the MessageId should - // be same as the request MessageId which passed through the Context. - // - if (InfoContext !=3D NULL && InfoContext->MessageId !=3D 0) { - IkePacket->Header->MessageId =3D InfoContext->MessageId; - } else { - IkePacket->Header->MessageId =3D ChildSaSession->IkeSaSession->M= essageId; - Ikev2SaSessionIncreaseMessageId (IkeSaSession); - } - - IkePayload =3D Ikev2GenerateDeletePayload ( - ChildSaSession->IkeSaSession, - IKEV2_PAYLOAD_TYPE_DELETE, - 4, - 1, - (UINT8 *)&ChildSaSession->LocalPeerSpi - ); - if (IkePayload =3D=3D NULL) { - goto ERROR_EXIT; - } - // - // Fill the Next Payload in IkePacket's Header. - // - IkePacket->Header->NextPayload =3D IKEV2_PAYLOAD_TYPE_DELETE; - IKE_PACKET_APPEND_PAYLOAD (IkePacket, IkePayload); - - IkePacket->Private =3D IkeSaSession->SessionCommon.Private; - IkePacket->Spi =3D ChildSaSession->LocalPeerSpi; - IkePacket->IsDeleteInfo =3D TRUE; - - if (!ChildSaSession->SessionCommon.IsInitiator) { - // - // If responder, use the MessageId fromt the initiator. 
- // - IkePacket->Header->MessageId =3D ChildSaSession->MessageId; - } - - // - // Change the IsOnDeleting Flag - // - ChildSaSession->SessionCommon.IsOnDeleting =3D TRUE; - - if (ChildSaSession->SessionCommon.IsInitiator) { - IkePacket->Header->Flags =3D IKE_HEADER_FLAGS_INIT ; - } - } - - if (InfoContext !=3D NULL) { - IkePacket->Header->Flags |=3D IKE_HEADER_FLAGS_RESPOND; - } - - return IkePacket; - -ERROR_EXIT: - if (IkePacket !=3D NULL) { - FreePool (IkePacket); - } - return NULL; - -} - -/** - Parse the Info Exchange. - - @param[in] SaSession Pointer to IKEV2_SA_SESSION. - @param[in] IkePacket Pointer to IkePacket related to the Information = Exchange. - - @retval EFI_SUCCESS The operation finised successed. - -**/ -EFI_STATUS -Ikev2InfoParser ( - IN UINT8 *SaSession, - IN IKE_PACKET *IkePacket - ) -{ - IKEV2_CHILD_SA_SESSION *ChildSaSession; - IKEV2_SA_SESSION *IkeSaSession; - IKE_PAYLOAD *DeletePayload; - IKE_PAYLOAD *IkePayload; - IKEV2_DELETE *Delete; - LIST_ENTRY *Entry; - LIST_ENTRY *ListEntry; - UINT8 Index; - UINT32 Spi; - UINT8 *SpiBuffer; - IPSEC_PRIVATE_DATA *Private; - UINT8 Value; - EFI_STATUS Status; - IKE_PACKET *RespondPacket; - - IKEV2_INFO_EXCHANGE_CONTEXT Context; - - IkeSaSession =3D (IKEV2_SA_SESSION *) SaSession; - - DeletePayload =3D NULL; - Private =3D NULL; - RespondPacket =3D NULL; - Status =3D EFI_SUCCESS; - - // - // For Liveness Check - // - if (IkePacket->Header->NextPayload =3D=3D IKEV2_PAYLOAD_TYPE_NONE && - (IkePacket->PayloadTotalSize =3D=3D 0) - ) { - if (IkePacket->Header->Flags =3D=3D IKE_HEADER_FLAGS_INIT) { - // - // If it is Liveness check request, reply it. 
- // - Context.InfoType =3D Ikev2InfoLiveCheck; - Context.MessageId =3D IkePacket->Header->MessageId; - RespondPacket =3D Ikev2InfoGenerator ((UINT8 *)IkeSaSession, &Co= ntext); - - if (RespondPacket =3D=3D NULL) { - Status =3D EFI_INVALID_PARAMETER; - return Status; - } - Status =3D Ikev2SendIkePacket ( - IkeSaSession->SessionCommon.UdpService, - (UINT8 *)(&IkeSaSession->SessionCommon), - RespondPacket, - 0 - ); - - } else { - // - // Todo: verify the liveness check response packet. - // - } - return Status; - } - - // - // For SA Delete - // - NET_LIST_FOR_EACH (Entry, &(IkePacket)->PayloadList) { - - // - // Iterate payloads to find the Delete/Notify Payload. - // - IkePayload =3D IKE_PAYLOAD_BY_PACKET (Entry); - - if (IkePayload->PayloadType =3D=3D IKEV2_PAYLOAD_TYPE_DELETE) { - DeletePayload =3D IkePayload; - Delete =3D (IKEV2_DELETE *)DeletePayload->PayloadBuf; - - if (Delete->SpiSize =3D=3D 0) { - // - // Delete IKE SA. - // - if (IkeSaSession->SessionCommon.State =3D=3D IkeStateSaDeleting) { - RemoveEntryList (&IkeSaSession->BySessionTable); - Ikev2SaSessionFree (IkeSaSession); - // - // Checking the Private status. - // - // - // when all IKE SAs were disabled by calling "IPsecConfig -disab= le", the IPsec - // status should be changed. - // - Private =3D IkeSaSession->SessionCommon.Private; - if (Private !=3D NULL && Private->IsIPsecDisabling) { - // - // After all IKE SAs were deleted, set the IPSEC_STATUS_DISABL= ED value in - // IPsec status variable. - // - if (IsListEmpty (&Private->Ikev1EstablishedList) && - (IsListEmpty (&Private->Ikev2EstablishedList)) - ) { - Value =3D IPSEC_STATUS_DISABLED; - Status =3D gRT->SetVariable ( - IPSECCONFIG_STATUS_NAME, - &gEfiIpSecConfigProtocolGuid, - EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_NO= N_VOLATILE, - sizeof (Value), - &Value - ); - if (!EFI_ERROR (Status)) { - // - // Set the DisabledFlag in Private data. 
- // - Private->IpSec.DisabledFlag =3D TRUE; - Private->IsIPsecDisabling =3D FALSE; - } - } - } - } else { - IkeSaSession->SessionCommon.State =3D IkeStateSaDeleting; - Context.InfoType =3D Ikev2InfoDelete; - Context.MessageId =3D IkePacket->Header->Message= Id; - - RespondPacket =3D Ikev2InfoGenerator ((UINT8 *)IkeSaSession, &Co= ntext); - if (RespondPacket =3D=3D NULL) { - Status =3D EFI_INVALID_PARAMETER; - return Status; - } - Status =3D Ikev2SendIkePacket ( - IkeSaSession->SessionCommon.UdpService, - (UINT8 *)(&IkeSaSession->SessionCommon), - RespondPacket, - 0 - ); - } - } else if (Delete->SpiSize =3D=3D 4) { - // - // Move the Child SAs to DeleteList - // - SpiBuffer =3D (UINT8 *)(Delete + 1); - for (Index =3D 0; Index < Delete->NumSpis; Index++) { - Spi =3D ReadUnaligned32 ((UINT32 *)SpiBuffer); - for (ListEntry =3D IkeSaSession->ChildSaEstablishSessionList.For= wardLink; - ListEntry !=3D &IkeSaSession->ChildSaEstablishSessionList; - ) { - ChildSaSession =3D IKEV2_CHILD_SA_SESSION_BY_IKE_SA (ListEntry= ); - ListEntry =3D ListEntry->ForwardLink; - - if (ChildSaSession->RemotePeerSpi =3D=3D HTONL(Spi)) { - if (ChildSaSession->SessionCommon.State !=3D IkeStateSaDelet= ing) { - - // - // Insert the ChildSa Session into Delete List. - // - InsertTailList (&IkeSaSession->DeleteSaList, &ChildSaSessi= on->ByDelete); - ChildSaSession->SessionCommon.State =3D IkeStateSaDe= leting; - ChildSaSession->SessionCommon.IsInitiator =3D FALSE; - ChildSaSession->MessageId =3D IkePacket->H= eader->MessageId; - - Context.InfoType =3D Ikev2InfoDelete; - Context.MessageId =3D IkePacket->Header->MessageId; - - RespondPacket =3D Ikev2InfoGenerator ((UINT8 *)ChildSaSess= ion, &Context); - if (RespondPacket =3D=3D NULL) { - Status =3D EFI_INVALID_PARAMETER; - return Status; - } - Status =3D Ikev2SendIkePacket ( - ChildSaSession->SessionCommon.UdpService, - (UINT8 *)(&ChildSaSession->SessionCommon), - RespondPacket, - 0 - ); - } else { - // - // Delete the Child SA. 
- // - Ikev2ChildSaSilentDelete (IkeSaSession, Spi); - RemoveEntryList (&ChildSaSession->ByDelete); - } - } - } - SpiBuffer =3D SpiBuffer + sizeof (Spi); - } - } - } - } - - return Status; -} - -GLOBAL_REMOVE_IF_UNREFERENCED IKEV2_PACKET_HANDLER mIkev2Info =3D { - Ikev2InfoParser, - Ikev2InfoGenerator -}; diff --git a/NetworkPkg/IpSecDxe/Ikev2/Payload.c b/NetworkPkg/IpSecDxe/Ikev= 2/Payload.c deleted file mode 100644 index 56869e2db4..0000000000 --- a/NetworkPkg/IpSecDxe/Ikev2/Payload.c +++ /dev/null @@ -1,3329 +0,0 @@ -/** @file - The implementation of Payloads Creation. - - (C) Copyright 2015 Hewlett-Packard Development Company, L.P.
- Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.
- - SPDX-License-Identifier: BSD-2-Clause-Patent - -**/ - -#include "Utility.h" -#include "IpSecDebug.h" -#include "IpSecConfigImpl.h" -#include "IpSecCryptIo.h" - -// -// The Constant String of "Key Pad for IKEv2" for Authentication Payload g= eneration. -// -#define CONSTANT_KEY_SIZE 17 -GLOBAL_REMOVE_IF_UNREFERENCED CHAR8 mConstantKey[CONSTANT_KEY_SIZE] =3D -{ - 'K', 'e', 'y', ' ', 'P', 'a', 'd', ' ', 'f', 'o', 'r', ' ', 'I', 'K', 'E= ', 'v', '2' -}; - -/** - Generate Ikev2 SA payload according to SessionSaData - - @param[in] SessionSaData The data used in SA payload. - @param[in] NextPayload The payload type presented in NextPayload fie= ld of - SA Payload header. - @param[in] Type The SA type. It MUST be neither (1) for IKE_S= A or - (2) for CHILD_SA or (3) for INFO. - - @retval a Pointer to SA IKE payload. - -**/ -IKE_PAYLOAD * -Ikev2GenerateSaPayload ( - IN IKEV2_SA_DATA *SessionSaData, - IN UINT8 NextPayload, - IN IKE_SESSION_TYPE Type - ) -{ - IKE_PAYLOAD *SaPayload; - IKEV2_SA_DATA *SaData; - UINTN SaDataSize; - - SaPayload =3D IkePayloadAlloc (); - if (SaPayload =3D=3D NULL) { - return NULL; - } - - // - // TODO: Get the Proposal Number and Transform Number from IPsec Config, - // after the Ipsecconfig Application is support it. 
- // - - if (Type =3D=3D IkeSessionTypeIkeSa) { - SaDataSize =3D sizeof (IKEV2_SA_DATA) + - SessionSaData->NumProposals * sizeof (IKEV2_PROPOSAL_DATA= ) + - sizeof (IKEV2_TRANSFORM_DATA) * SessionSaData->NumProposa= ls * 4; - } else { - SaDataSize =3D sizeof (IKEV2_SA_DATA) + - SessionSaData->NumProposals * sizeof (IKEV2_PROPOSAL_DATA= ) + - sizeof (IKEV2_TRANSFORM_DATA) * SessionSaData->NumProposa= ls * 3; - - } - - SaData =3D AllocateZeroPool (SaDataSize); - if (SaData =3D=3D NULL) { - IkePayloadFree (SaPayload); - return NULL; - } - - CopyMem (SaData, SessionSaData, SaDataSize); - SaData->SaHeader.Header.NextPayload =3D NextPayload; - SaPayload->PayloadType =3D IKEV2_PAYLOAD_TYPE_SA; - SaPayload->PayloadBuf =3D (UINT8 *) SaData; - - return SaPayload; -} - -/** - Generate a Nonce payload containing the input parameter NonceBuf. - - @param[in] NonceBuf The nonce buffer contains the whole Nonce payl= oad block - except the payload header. - @param[in] NonceSize The buffer size of the NonceBuf - @param[in] NextPayload The payload type presented in the NextPayload = field - of Nonce Payload header. - - @retval Pointer to Nonce IKE paload. - -**/ -IKE_PAYLOAD * -Ikev2GenerateNoncePayload ( - IN UINT8 *NonceBuf, - IN UINTN NonceSize, - IN UINT8 NextPayload - ) -{ - IKE_PAYLOAD *NoncePayload; - IKEV2_NONCE *Nonce; - UINTN Size; - UINT8 *NonceBlock; - - // 1 2 3 - // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 - // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - // ! Next Payload !C! RESERVED ! Payload Length ! - // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - // ! ! - // ~ Nonce Data ~ - // ! ! 
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - // - Size =3D sizeof (IKEV2_NONCE) + NonceSize; - NonceBlock =3D NonceBuf; - - Nonce =3D AllocateZeroPool (Size); - if (Nonce =3D=3D NULL) { - return NULL; - } - - CopyMem (Nonce + 1, NonceBlock, Size - sizeof (IKEV2_NONCE)); - - Nonce->Header.NextPayload =3D NextPayload; - Nonce->Header.PayloadLength =3D (UINT16) Size; - NoncePayload =3D IkePayloadAlloc (); - if (NoncePayload =3D=3D NULL) { - FreePool (Nonce); - return NULL; - } - - NoncePayload->PayloadType =3D IKEV2_PAYLOAD_TYPE_NONCE; - NoncePayload->PayloadBuf =3D (UINT8 *) Nonce; - NoncePayload->PayloadSize =3D Size; - - return NoncePayload; -} - -/** - Generate a Key Exchange payload according to the DH group type and save = the - public Key into IkeSaSession IkeKey field. - - @param[in, out] IkeSaSession Pointer of the IKE_SA_SESSION. - @param[in] NextPayload The payload type presented in the NextPa= yload field of Key - Exchange Payload header. - - @retval Pointer to Key IKE payload. - -**/ -IKE_PAYLOAD* -Ikev2GenerateKePayload ( - IN OUT IKEV2_SA_SESSION *IkeSaSession, - IN UINT8 NextPayload - ) -{ - IKE_PAYLOAD *KePayload; - IKEV2_KEY_EXCHANGE *Ke; - UINTN KeSize; - IKEV2_SESSION_KEYS *IkeKeys; - - // - // 1 2 3 - // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 - // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - // ! Next Payload !C! RESERVED ! Payload Length ! - // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - // ! DH Group # ! RESERVED ! - // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - // ! ! - // ~ Key Exchange Data ~ - // ! ! 
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - // - IkeKeys =3D IkeSaSession->IkeKeys; - - if (IkeSaSession->SessionCommon.IsInitiator) { - KeSize =3D sizeof (IKEV2_KEY_EXCHANGE) + IkeKeys->DhBuffer->GxSize; - } else { - KeSize =3D sizeof (IKEV2_KEY_EXCHANGE) + IkeKeys->DhBuffer->GxSize; - } - - // - // Allocate buffer for Key Exchange - // - Ke =3D AllocateZeroPool (KeSize); - if (Ke =3D=3D NULL) { - return NULL; - } - - Ke->Header.NextPayload =3D NextPayload; - Ke->Header.PayloadLength =3D (UINT16) KeSize; - Ke->DhGroup =3D IkeSaSession->SessionCommon.PreferDhGroup; - - CopyMem (Ke + 1, IkeKeys->DhBuffer->GxBuffer, IkeKeys->DhBuffer->GxSize); - - // - // Create IKE_PAYLOAD to point to Key Exchange payload - // - KePayload =3D IkePayloadAlloc (); - if (KePayload =3D=3D NULL) { - FreePool (Ke); - return NULL; - } - - KePayload->PayloadType =3D IKEV2_PAYLOAD_TYPE_KE; - KePayload->PayloadBuf =3D (UINT8 *) Ke; - KePayload->PayloadSize =3D KeSize; - return KePayload; -} - -/** - Generate a ID payload. - - @param[in] CommonSession Pointer to IKEV2_SESSION_COMMON related to ID= payload. - @param[in] NextPayload The payload type presented in the NextPayload= field - of ID Payload header. - - @retval Pointer to ID IKE payload. - -**/ -IKE_PAYLOAD * -Ikev2GenerateIdPayload ( - IN IKEV2_SESSION_COMMON *CommonSession, - IN UINT8 NextPayload - ) -{ - IKE_PAYLOAD *IdPayload; - IKEV2_ID *Id; - UINTN IdSize; - UINT8 IpVersion; - UINT8 AddrSize; - - // - // ID payload - // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 - // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - // ! Next Payload ! RESERVED ! Payload Length ! - // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - // ! ID Type ! RESERVED ! - // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - // ! ! - // ~ Identification Data ~ - // ! ! 
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - // - - IpVersion =3D CommonSession->UdpService->IpVersion; - AddrSize =3D (UINT8) ((IpVersion =3D=3D IP_VERSION_4) ? sizeof(EFI_IPv4= _ADDRESS) : sizeof(EFI_IPv6_ADDRESS)); - IdSize =3D sizeof (IKEV2_ID) + AddrSize; - - Id =3D (IKEV2_ID *) AllocateZeroPool (IdSize); - if (Id =3D=3D NULL) { - return NULL; - } - - IdPayload =3D IkePayloadAlloc (); - if (IdPayload =3D=3D NULL) { - FreePool (Id); - return NULL; - } - - IdPayload->PayloadType =3D (UINT8) ((CommonSession->IsInitiator) ? IKEV= 2_PAYLOAD_TYPE_ID_INIT : IKEV2_PAYLOAD_TYPE_ID_RSP); - IdPayload->PayloadBuf =3D (UINT8 *) Id; - IdPayload->PayloadSize =3D IdSize; - - // - // Set generic header of identification payload - // - Id->Header.NextPayload =3D NextPayload; - Id->Header.PayloadLength =3D (UINT16) IdSize; - Id->IdType =3D (UINT8) ((IpVersion =3D=3D IP_VERSION_4) ?= IKEV2_ID_TYPE_IPV4_ADDR : IKEV2_ID_TYPE_IPV6_ADDR); - CopyMem (Id + 1, &CommonSession->LocalPeerIp, AddrSize); - - return IdPayload; -} - -/** - Generate a ID payload. - - @param[in] CommonSession Pointer to IKEV2_SESSION_COMMON related to ID= payload. - @param[in] NextPayload The payload type presented in the NextPayload= field - of ID Payload header. - @param[in] InCert Pointer to the Certificate which distinguishe= d name - will be added into the Id payload. - @param[in] CertSize Size of the Certificate. - - @retval Pointer to ID IKE payload. - -**/ -IKE_PAYLOAD * -Ikev2GenerateCertIdPayload ( - IN IKEV2_SESSION_COMMON *CommonSession, - IN UINT8 NextPayload, - IN UINT8 *InCert, - IN UINTN CertSize - ) -{ - IKE_PAYLOAD *IdPayload; - IKEV2_ID *Id; - UINTN IdSize; - UINTN SubjectSize; - UINT8 *CertSubject; - - // - // ID payload - // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 - // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - // ! Next Payload ! RESERVED ! Payload Length ! 
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - // ! ID Type ! RESERVED ! - // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - // ! ! - // ~ Identification Data ~ - // ! ! - // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - // - - SubjectSize =3D 0; - CertSubject =3D NULL; - IpSecCryptoIoGetSubjectFromCert ( - InCert, - CertSize, - &CertSubject, - &SubjectSize - ); - if (SubjectSize !=3D 0) { - ASSERT (CertSubject !=3D NULL); - } - - IdSize =3D sizeof (IKEV2_ID) + SubjectSize; - - Id =3D (IKEV2_ID *) AllocateZeroPool (IdSize); - if (Id =3D=3D NULL) { - return NULL; - } - - IdPayload =3D IkePayloadAlloc (); - if (IdPayload =3D=3D NULL) { - FreePool (Id); - return NULL; - } - - IdPayload->PayloadType =3D (UINT8) ((CommonSession->IsInitiator) ? IKEV= 2_PAYLOAD_TYPE_ID_INIT : IKEV2_PAYLOAD_TYPE_ID_RSP); - IdPayload->PayloadBuf =3D (UINT8 *) Id; - IdPayload->PayloadSize =3D IdSize; - - // - // Set generic header of identification payload - // - Id->Header.NextPayload =3D NextPayload; - Id->Header.PayloadLength =3D (UINT16) IdSize; - Id->IdType =3D 9; - CopyMem (Id + 1, CertSubject, SubjectSize); - - if (CertSubject !=3D NULL) { - FreePool (CertSubject); - } - return IdPayload; -} - -/** - Generate a Authentication Payload. - - This function is used for both Authentication generation and verificatio= n. When the - IsVerify is TRUE, it create a Auth Data for verification. This function = choose the - related IKE_SA_INIT Message for Auth data creation according to the IKE = Session's type - and the value of IsVerify parameter. - - @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION related to. - @param[in] IdPayload Pointer to the ID payload to be used for Authe= ntication - payload generation. - @param[in] NextPayload The type filled into the Authentication Payloa= d next - payload field. - @param[in] IsVerify If it is TURE, the Authentication payload is u= sed for - verification. 
- - @return pointer to IKE Authentication payload for Pre-shared key method. - -**/ -IKE_PAYLOAD * -Ikev2PskGenerateAuthPayload ( - IN IKEV2_SA_SESSION *IkeSaSession, - IN IKE_PAYLOAD *IdPayload, - IN UINT8 NextPayload, - IN BOOLEAN IsVerify - ) -{ - UINT8 *Digest; - UINTN DigestSize; - PRF_DATA_FRAGMENT Fragments[3]; - UINT8 *KeyBuf; - UINTN KeySize; - IKE_PAYLOAD *AuthPayload; - IKEV2_AUTH *PayloadBuf; - EFI_STATUS Status; - - // - // Auth =3D Prf(Prf(Secret,"Key Pad for IKEv2),IKE_SA_INIi/r|Ni/r|Prf(SK= _Pr, IDi/r)) - // - // 1 2 3 - // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 - // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - // ! Next Payload !C! RESERVED ! Payload Length ! - // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - // ! Auth Method ! RESERVED ! - // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - // ! ! - // ~ Authentication Data ~ - // ! ! - // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - // - - KeyBuf =3D NULL; - AuthPayload =3D NULL; - Digest =3D NULL; - - DigestSize =3D IpSecGetHmacDigestLength ((UINT8)IkeSaSession->SessionCom= mon.SaParams->Prf); - Digest =3D AllocateZeroPool (DigestSize); - if (Digest =3D=3D NULL) { - return NULL; - } - - if (IdPayload =3D=3D NULL) { - return NULL; - } - - // - // Calcualte Prf(Seceret, "Key Pad for IKEv2"); - // - Fragments[0].Data =3D (UINT8 *) mConstantKey; - Fragments[0].DataSize =3D CONSTANT_KEY_SIZE; - - Status =3D IpSecCryptoIoHmac ( - (UINT8)IkeSaSession->SessionCommon.SaParams->Prf, - IkeSaSession->Pad->Data->AuthData, - IkeSaSession->Pad->Data->AuthDataSize, - (HASH_DATA_FRAGMENT *)Fragments, - 1, - Digest, - DigestSize - ); - if (EFI_ERROR (Status)) { - goto EXIT; - } - - // - // Store the AuthKey into KeyBuf - // - KeyBuf =3D AllocateZeroPool (DigestSize); - if (KeyBuf =3D=3D NULL) { - Status =3D EFI_OUT_OF_RESOURCES; - goto EXIT; - } - - CopyMem (KeyBuf, Digest, DigestSize); - KeySize =3D 
DigestSize; - - // - // Calculate Prf(SK_Pi/r, IDi/r) - // - Fragments[0].Data =3D IdPayload->PayloadBuf + sizeof (IKEV2_COMMON_P= AYLOAD_HEADER); - Fragments[0].DataSize =3D IdPayload->PayloadSize - sizeof (IKEV2_COMMON_= PAYLOAD_HEADER); - - if ((IkeSaSession->SessionCommon.IsInitiator && IsVerify) || - (!IkeSaSession->SessionCommon.IsInitiator && !IsVerify) - ) { - Status =3D IpSecCryptoIoHmac ( - (UINT8)IkeSaSession->SessionCommon.SaParams->Prf, - IkeSaSession->IkeKeys->SkPrKey, - IkeSaSession->IkeKeys->SkPrKeySize, - (HASH_DATA_FRAGMENT *) Fragments, - 1, - Digest, - DigestSize - ); - } else { - Status =3D IpSecCryptoIoHmac ( - (UINT8)IkeSaSession->SessionCommon.SaParams->Prf, - IkeSaSession->IkeKeys->SkPiKey, - IkeSaSession->IkeKeys->SkPiKeySize, - (HASH_DATA_FRAGMENT *) Fragments, - 1, - Digest, - DigestSize - ); - } - if (EFI_ERROR (Status)) { - goto EXIT; - } - - // - // Copy data to Fragments. - // - if ((IkeSaSession->SessionCommon.IsInitiator && IsVerify) || - (!IkeSaSession->SessionCommon.IsInitiator && !IsVerify) - ) { - Fragments[0].Data =3D IkeSaSession->RespPacket; - Fragments[0].DataSize =3D IkeSaSession->RespPacketSize; - Fragments[1].Data =3D IkeSaSession->NiBlock; - Fragments[1].DataSize =3D IkeSaSession->NiBlkSize; - } else { - Fragments[0].Data =3D IkeSaSession->InitPacket; - Fragments[0].DataSize =3D IkeSaSession->InitPacketSize; - Fragments[1].Data =3D IkeSaSession->NrBlock; - Fragments[1].DataSize =3D IkeSaSession->NrBlkSize; - } - - // - // Copy the result of Prf(SK_Pr, IDi/r) to Fragments[2]. 
- // - Fragments[2].Data =3D AllocateZeroPool (DigestSize); - if (Fragments[2].Data =3D=3D NULL) { - Status =3D EFI_OUT_OF_RESOURCES; - goto EXIT; - } - - Fragments[2].DataSize =3D DigestSize; - CopyMem (Fragments[2].Data, Digest, DigestSize); - - // - // Calculate Prf(Key,IKE_SA_INIi/r|Ni/r|Prf(SK_Pr, IDi/r)) - // - Status =3D IpSecCryptoIoHmac ( - (UINT8)IkeSaSession->SessionCommon.SaParams->Prf, - KeyBuf, - KeySize, - (HASH_DATA_FRAGMENT *) Fragments, - 3, - Digest, - DigestSize - ); - if (EFI_ERROR (Status)) { - goto EXIT; - } - - // - // Allocate buffer for Auth Payload - // - AuthPayload =3D IkePayloadAlloc (); - if (AuthPayload =3D=3D NULL) { - Status =3D EFI_OUT_OF_RESOURCES; - goto EXIT; - } - - AuthPayload->PayloadSize =3D sizeof (IKEV2_AUTH) + DigestSize; - PayloadBuf =3D (IKEV2_AUTH *) AllocateZeroPool (AuthPaylo= ad->PayloadSize); - if (PayloadBuf =3D=3D NULL) { - Status =3D EFI_OUT_OF_RESOURCES; - goto EXIT; - } - - // - // Fill in Auth payload. - // - PayloadBuf->Header.NextPayload =3D NextPayload; - PayloadBuf->Header.PayloadLength =3D (UINT16) (AuthPayload->PayloadSize); - if (IkeSaSession->Pad->Data->AuthMethod =3D=3D EfiIPsecAuthMethodPreShar= edSecret) { - // - // Only support Shared Key Message Integrity - // - PayloadBuf->AuthMethod =3D IKEV2_AUTH_METHOD_SKMI; - } else { - // - // Not support other Auth method. - // - Status =3D EFI_UNSUPPORTED; - goto EXIT; - } - - // - // Copy the result of Prf(Key,IKE_SA_INIi/r|Ni/r|Prf(SK_Pr, IDi/r)) to A= uth - // payload block. 
- // - CopyMem ( - PayloadBuf + 1, - Digest, - DigestSize - ); - - // - // Fill in IKE_PACKET - // - AuthPayload->PayloadBuf =3D (UINT8 *) PayloadBuf; - AuthPayload->PayloadType =3D IKEV2_PAYLOAD_TYPE_AUTH; - -EXIT: - if (KeyBuf !=3D NULL) { - FreePool (KeyBuf); - } - if (Digest !=3D NULL) { - FreePool (Digest); - } - if (Fragments[2].Data !=3D NULL) { - // - // Free the buffer which contains the result of Prf(SK_Pr, IDi/r) - // - FreePool (Fragments[2].Data); - } - - if (EFI_ERROR (Status)) { - if (AuthPayload !=3D NULL) { - IkePayloadFree (AuthPayload); - } - return NULL; - } else { - return AuthPayload; - } -} - -/** - Generate a Authentication Payload for Certificate Auth method. - - This function has two functions. One is creating a local Authentication - Payload for sending and other is creating the remote Authentication data - for verification when the IsVerify is TURE. - - @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION related to. - @param[in] IdPayload Pointer to the ID payload to be used for A= uthentication - payload generation. - @param[in] NextPayload The type filled into the Authentication Pa= yload - next payload field. - @param[in] IsVerify If it is TURE, the Authentication payload = is used - for verification. - @param[in] UefiPrivateKey Pointer to the UEFI private key. Ignore it= when - verify the authenticate payload. - @param[in] UefiPrivateKeyLen The size of UefiPrivateKey in bytes. Ignor= e it - when verify the authenticate payload. - @param[in] UefiKeyPwd Pointer to the password of UEFI private ke= y. - Ignore it when verify the authenticate pay= load. - @param[in] UefiKeyPwdLen The size of UefiKeyPwd in bytes.Ignore it = when - verify the authenticate payload. - - @return pointer to IKE Authentication payload for Cerifitcation method. 
- -**/ -IKE_PAYLOAD * -Ikev2CertGenerateAuthPayload ( - IN IKEV2_SA_SESSION *IkeSaSession, - IN IKE_PAYLOAD *IdPayload, - IN UINT8 NextPayload, - IN BOOLEAN IsVerify, - IN UINT8 *UefiPrivateKey, - IN UINTN UefiPrivateKeyLen, - IN UINT8 *UefiKeyPwd, - IN UINTN UefiKeyPwdLen - ) -{ - UINT8 *Digest; - UINTN DigestSize; - PRF_DATA_FRAGMENT Fragments[3]; - IKE_PAYLOAD *AuthPayload; - IKEV2_AUTH *PayloadBuf; - EFI_STATUS Status; - UINT8 *Signature; - UINTN SigSize; - - // - // Auth =3D Prf(Scert,IKE_SA_INIi/r|Ni/r|Prf(SK_Pr, IDi/r)) - // - // 1 2 3 - // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 - // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - // ! Next Payload !C! RESERVED ! Payload Length ! - // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - // ! Auth Method ! RESERVED ! - // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - // ! ! - // ~ Authentication Data ~ - // ! ! - // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - // - // - // Initial point - // - AuthPayload =3D NULL; - Digest =3D NULL; - Signature =3D NULL; - SigSize =3D 0; - - if (IdPayload =3D=3D NULL) { - return NULL; - } - DigestSize =3D IpSecGetHmacDigestLength ((UINT8)IkeSaSession->SessionCom= mon.SaParams->Prf); - Digest =3D AllocateZeroPool (DigestSize); - if (Digest =3D=3D NULL) { - return NULL; - } - - // - // Calculate Prf(SK_Pi/r, IDi/r) - // - Fragments[0].Data =3D IdPayload->PayloadBuf + sizeof (IKEV2_COMMON_P= AYLOAD_HEADER); - Fragments[0].DataSize =3D IdPayload->PayloadSize - sizeof (IKEV2_COMMON_= PAYLOAD_HEADER); - - IpSecDumpBuf ("RestofIDPayload", Fragments[0].Data, Fragments[0].DataSiz= e); - - if ((IkeSaSession->SessionCommon.IsInitiator && IsVerify) || - (!IkeSaSession->SessionCommon.IsInitiator && !IsVerify) - ) { - Status =3D IpSecCryptoIoHmac( - (UINT8)IkeSaSession->SessionCommon.SaParams->Prf, - IkeSaSession->IkeKeys->SkPrKey, - IkeSaSession->IkeKeys->SkPrKeySize, - 
(HASH_DATA_FRAGMENT *) Fragments, - 1, - Digest, - DigestSize - ); - IpSecDumpBuf ("MACedIDForR", Digest, DigestSize); - } else { - Status =3D IpSecCryptoIoHmac ( - (UINT8)IkeSaSession->SessionCommon.SaParams->Prf, - IkeSaSession->IkeKeys->SkPiKey, - IkeSaSession->IkeKeys->SkPiKeySize, - (HASH_DATA_FRAGMENT *) Fragments, - 1, - Digest, - DigestSize - ); - IpSecDumpBuf ("MACedIDForI", Digest, DigestSize); - } - if (EFI_ERROR (Status)) { - goto EXIT; - } - - // - // Copy data to Fragments. - // - if ((IkeSaSession->SessionCommon.IsInitiator && IsVerify) || - (!IkeSaSession->SessionCommon.IsInitiator && !IsVerify) - ) { - Fragments[0].Data =3D IkeSaSession->RespPacket; - Fragments[0].DataSize =3D IkeSaSession->RespPacketSize; - Fragments[1].Data =3D IkeSaSession->NiBlock; - Fragments[1].DataSize =3D IkeSaSession->NiBlkSize; - IpSecDumpBuf ("RealMessage2", Fragments[0].Data, Fragments[0].DataSize= ); - IpSecDumpBuf ("NonceIDdata", Fragments[1].Data, Fragments[1].DataSize); - } else { - Fragments[0].Data =3D IkeSaSession->InitPacket; - Fragments[0].DataSize =3D IkeSaSession->InitPacketSize; - Fragments[1].Data =3D IkeSaSession->NrBlock; - Fragments[1].DataSize =3D IkeSaSession->NrBlkSize; - IpSecDumpBuf ("RealMessage1", Fragments[0].Data, Fragments[0].DataSize= ); - IpSecDumpBuf ("NonceRDdata", Fragments[1].Data, Fragments[1].DataSize); - } - - // - // Copy the result of Prf(SK_Pr, IDi/r) to Fragments[2]. 
- // - Fragments[2].Data =3D AllocateZeroPool (DigestSize); - if (Fragments[2].Data =3D=3D NULL) { - Status =3D EFI_OUT_OF_RESOURCES; - goto EXIT; - } - - Fragments[2].DataSize =3D DigestSize; - CopyMem (Fragments[2].Data, Digest, DigestSize); - - // - // Calculate Prf(Key,IKE_SA_INIi/r|Ni/r|Prf(SK_Pr, IDi/r)) - // - Status =3D IpSecCryptoIoHash ( - (UINT8)IkeSaSession->SessionCommon.SaParams->Prf, - (HASH_DATA_FRAGMENT *) Fragments, - 3, - Digest, - DigestSize - ); - if (EFI_ERROR (Status)) { - goto EXIT; - } - - IpSecDumpBuf ("HashSignedOctects", Digest, DigestSize); - // - // Sign the data by the private Key - // - if (!IsVerify) { - IpSecCryptoIoAuthDataWithCertificate ( - Digest, - DigestSize, - UefiPrivateKey, - UefiPrivateKeyLen, - UefiKeyPwd, - UefiKeyPwdLen, - &Signature, - &SigSize - ); - - if (SigSize =3D=3D 0 || Signature =3D=3D NULL) { - goto EXIT; - } - } - - // - // Allocate buffer for Auth Payload - // - AuthPayload =3D IkePayloadAlloc (); - if (AuthPayload =3D=3D NULL) { - Status =3D EFI_OUT_OF_RESOURCES; - goto EXIT; - } - - if (!IsVerify) { - AuthPayload->PayloadSize =3D sizeof (IKEV2_AUTH) + SigSize; - } else { - AuthPayload->PayloadSize =3D sizeof (IKEV2_AUTH) + DigestSize; - } - - PayloadBuf =3D (IKEV2_AUTH *) AllocateZeroPool (AuthPayload->PayloadSize= ); - if (PayloadBuf =3D=3D NULL) { - Status =3D EFI_OUT_OF_RESOURCES; - goto EXIT; - } - - // - // Fill in Auth payload. - // - PayloadBuf->Header.NextPayload =3D NextPayload; - PayloadBuf->Header.PayloadLength =3D (UINT16) (AuthPayload->PayloadSize); - if (IkeSaSession->Pad->Data->AuthMethod =3D=3D EfiIPsecAuthMethodCertifi= cates) { - PayloadBuf->AuthMethod =3D IKEV2_AUTH_METHOD_RSA; - } else { - Status =3D EFI_INVALID_PARAMETER; - goto EXIT; - } - - // - // Copy the result of Prf(Key,IKE_SA_INIi/r|Ni/r|Prf(SK_Pr, IDi/r)) to A= uth - // payload block. 
- // - if (!IsVerify) { - CopyMem (PayloadBuf + 1, Signature, SigSize); - } else { - CopyMem (PayloadBuf + 1, Digest, DigestSize); - } - - // - // Fill in IKE_PACKET - // - AuthPayload->PayloadBuf =3D (UINT8 *) PayloadBuf; - AuthPayload->PayloadType =3D IKEV2_PAYLOAD_TYPE_AUTH; - -EXIT: - if (Digest !=3D NULL) { - FreePool (Digest); - } - if (Signature !=3D NULL) { - FreePool (Signature); - } - if (Fragments[2].Data !=3D NULL) { - // - // Free the buffer which contains the result of Prf(SK_Pr, IDi/r) - // - FreePool (Fragments[2].Data); - } - - if (EFI_ERROR (Status)) { - if (AuthPayload !=3D NULL) { - IkePayloadFree (AuthPayload); - } - return NULL; - } else { - return AuthPayload; - } -} - -/** - Generate TS payload. - - This function generates TSi or TSr payload according to type of next pay= load. - If the next payload is Responder TS, gereate TSi Payload. Otherwise, gen= erate - TSr payload. - - @param[in] ChildSa Pointer to IKEV2_CHILD_SA_SESSION related to t= his TS payload. - @param[in] NextPayload The payload type presented in the NextPayload = field - of ID Payload header. - @param[in] IsTunnel It indicates that if the Ts Payload is after t= he CP payload. - If yes, it means the Tsi and Tsr payload shoul= d be with - Max port range and address range and protocol = is marked - as zero. - - @retval Pointer to Ts IKE payload. - -**/ -IKE_PAYLOAD * -Ikev2GenerateTsPayload ( - IN IKEV2_CHILD_SA_SESSION *ChildSa, - IN UINT8 NextPayload, - IN BOOLEAN IsTunnel - ) -{ - IKE_PAYLOAD *TsPayload; - IKEV2_TS *TsPayloadBuf; - TRAFFIC_SELECTOR *TsSelector; - UINTN SelectorSize; - UINTN TsPayloadSize; - UINT8 IpVersion; - UINT8 AddrSize; - - // - // 1 2 3 - // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 - // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - // ! Next Payload !C! RESERVED ! Payload Length ! - // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - // ! Number of TSs ! RESERVED ! 
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - // ! ! - // ~ ~ - // ! ! - // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - // - - TsPayload =3D IkePayloadAlloc(); - if (TsPayload =3D=3D NULL) { - return NULL; - } - - IpVersion =3D ChildSa->SessionCommon.UdpService->IpVersion; - // - // The Starting Address and Ending Address is variable length depends on - // is IPv4 or IPv6 - // - AddrSize =3D (UINT8)((IpVersion =3D=3D IP_VERSION_4) ? sizeof (EFI_= IPv4_ADDRESS) : sizeof (EFI_IPv6_ADDRESS)); - SelectorSize =3D sizeof (TRAFFIC_SELECTOR) + 2 * AddrSize; - TsPayloadSize =3D sizeof (IKEV2_TS) + SelectorSize; - TsPayloadBuf =3D AllocateZeroPool (TsPayloadSize); - if (TsPayloadBuf =3D=3D NULL) { - goto ON_ERROR; - } - - TsPayload->PayloadBuf =3D (UINT8 *) TsPayloadBuf; - TsSelector =3D (TRAFFIC_SELECTOR*)(TsPayloadBuf + 1); - - TsSelector->TSType =3D (UINT8)((IpVersion =3D=3D IP_VERSION_4) ? IKEV2_T= S_TYPE_IPV4_ADDR_RANGE : IKEV2_TS_TYPS_IPV6_ADDR_RANGE); - - // - // For tunnel mode - // - if (IsTunnel) { - TsSelector->IpProtocolId =3D IKEV2_TS_ANY_PROTOCOL; - TsSelector->SelecorLen =3D (UINT16) SelectorSize; - TsSelector->StartPort =3D 0; - TsSelector->EndPort =3D IKEV2_TS_ANY_PORT; - ZeroMem ((UINT8*)TsSelector + sizeof(TRAFFIC_SELECTOR), AddrSize); - SetMem ((UINT8*)TsSelector + sizeof(TRAFFIC_SELECTOR) + AddrSize, Add= rSize, 0xff); - - } else { - // - // TODO: Support port range and address range - // - if (NextPayload =3D=3D IKEV2_PAYLOAD_TYPE_TS_RSP){ - // - // Create initiator Traffic Selector - // - TsSelector->SelecorLen =3D (UINT16)SelectorSize; - - // - // Currently only support the port range from 0~0xffff. Don't suppor= t other - // port range. - // TODO: support Port range - // - if (ChildSa->SessionCommon.IsInitiator) { - if (ChildSa->Spd->Selector->LocalPort !=3D 0 && - ChildSa->Spd->Selector->LocalPortRange =3D=3D 0) { - // - // For not port range. 
- // - TsSelector->StartPort =3D ChildSa->Spd->Selector->LocalPort; - TsSelector->EndPort =3D ChildSa->Spd->Selector->LocalPort; - } else if (ChildSa->Spd->Selector->LocalPort =3D=3D 0){ - // - // For port from 0~0xffff - // - TsSelector->StartPort =3D 0; - TsSelector->EndPort =3D IKEV2_TS_ANY_PORT; - } else { - // - // Not support now. - // - goto ON_ERROR; - } - } else { - if (ChildSa->Spd->Selector->RemotePort !=3D 0 && - ChildSa->Spd->Selector->RemotePortRange =3D=3D 0) { - // - // For not port range. - // - TsSelector->StartPort =3D ChildSa->Spd->Selector->RemotePort; - TsSelector->EndPort =3D ChildSa->Spd->Selector->RemotePort; - } else if (ChildSa->Spd->Selector->RemotePort =3D=3D 0) { - // - // For port from 0~0xffff - // - TsSelector->StartPort =3D 0; - TsSelector->EndPort =3D IKEV2_TS_ANY_PORT; - } else { - // - // Not support now. - // - goto ON_ERROR; - } - } - // - // Copy Address.Currently the address range is not supported. - // The Starting address is same as Ending address - // TODO: Support Address Range. - // - CopyMem ( - (UINT8*)TsSelector + sizeof(TRAFFIC_SELECTOR), - ChildSa->SessionCommon.IsInitiator ? - ChildSa->Spd->Selector->LocalAddress : - ChildSa->Spd->Selector->RemoteAddress, - AddrSize - ); - CopyMem ( - (UINT8*)TsSelector + sizeof(TRAFFIC_SELECTOR) + AddrSize, - ChildSa->SessionCommon.IsInitiator ? - ChildSa->Spd->Selector->LocalAddress : - ChildSa->Spd->Selector->RemoteAddress, - AddrSize - ); - // - // If the Next Payload is not TS responder, this TS payload type is = the TS responder. - // - TsPayload->PayloadType =3D IKEV2_PAYLOAD_TYPE_TS_INIT; - }else{ - // - // Create responder Traffic Selector - // - TsSelector->SelecorLen =3D (UINT16)SelectorSize; - - // - // Currently only support the port range from 0~0xffff. Don't supp= ort other - // port range. 
- // TODO: support Port range - // - if (!ChildSa->SessionCommon.IsInitiator) { - if (ChildSa->Spd->Selector->LocalPort !=3D 0 && - ChildSa->Spd->Selector->LocalPortRange =3D=3D 0) { - // - // For not port range. - // - TsSelector->StartPort =3D ChildSa->Spd->Selector->LocalPort; - TsSelector->EndPort =3D ChildSa->Spd->Selector->LocalPort; - } else if (ChildSa->Spd->Selector->LocalPort =3D=3D 0){ - // - // For port from 0~0xffff - // - TsSelector->StartPort =3D 0; - TsSelector->EndPort =3D IKEV2_TS_ANY_PORT; - } else { - // - // Not support now. - // - goto ON_ERROR; - } - } else { - if (ChildSa->Spd->Selector->RemotePort !=3D 0 && - ChildSa->Spd->Selector->RemotePortRange =3D=3D 0) { - // - // For not port range. - // - TsSelector->StartPort =3D ChildSa->Spd->Selector->RemotePort; - TsSelector->EndPort =3D ChildSa->Spd->Selector->RemotePort; - } else if (ChildSa->Spd->Selector->RemotePort =3D=3D 0){ - // - // For port from 0~0xffff - // - TsSelector->StartPort =3D 0; - TsSelector->EndPort =3D IKEV2_TS_ANY_PORT; - } else { - // - // Not support now. - // - goto ON_ERROR; - } - } - // - // Copy Address.Currently the address range is not supported. - // The Starting address is same as Ending address - // TODO: Support Address Range. - // - CopyMem ( - (UINT8*)TsSelector + sizeof(TRAFFIC_SELECTOR), - ChildSa->SessionCommon.IsInitiator ? - ChildSa->Spd->Selector->RemoteAddress : - ChildSa->Spd->Selector->LocalAddress, - AddrSize - ); - CopyMem ( - (UINT8*)TsSelector + sizeof(TRAFFIC_SELECTOR) + AddrSize, - ChildSa->SessionCommon.IsInitiator ? - ChildSa->Spd->Selector->RemoteAddress : - ChildSa->Spd->Selector->LocalAddress, - AddrSize - ); - // - // If the Next Payload is not TS responder, this TS payload type i= s the TS responder. 
- // - TsPayload->PayloadType =3D IKEV2_PAYLOAD_TYPE_TS_RSP; - } - } - - if (ChildSa->Spd->Selector->NextLayerProtocol !=3D 0xffff) { - TsSelector->IpProtocolId =3D (UINT8)ChildSa->Spd->Selector->NextLaye= rProtocol; - } else { - TsSelector->IpProtocolId =3D IKEV2_TS_ANY_PROTOCOL; - } - - TsPayloadBuf->Header.NextPayload =3D NextPayload; - TsPayloadBuf->Header.PayloadLength =3D (UINT16)TsPayloadSize; - TsPayloadBuf->TSNumbers =3D 1; - TsPayload->PayloadSize =3D TsPayloadSize; - goto ON_EXIT; - -ON_ERROR: - if (TsPayload !=3D NULL) { - IkePayloadFree (TsPayload); - TsPayload =3D NULL; - } -ON_EXIT: - return TsPayload; -} - -/** - Generate the Notify payload. - - Since the structure of Notify payload which defined in RFC 4306 is simpl= e, so - there is no internal data structure for Notify payload. This function ge= nerate - Notify payload defined in RFC 4306, but all the fields in this payload a= re still - in host order and need call Ikev2EncodePayload() to convert those fields= from - the host order to network order beforing sending it. - - @param[in] ProtocolId The protocol type ID. For IKE_SA it MUST b= e one (1). - For IPsec SAs it MUST be neither (2) for A= H or (3) - for ESP. - @param[in] NextPayload The next paylaod type in NextPayload field= of - the Notify payload. - @param[in] SpiSize Size of the SPI in SPI size field of the N= otify Payload. - @param[in] MessageType The message type in NotifyMessageType fiel= d of the - Notify Payload. - @param[in] SpiBuf Pointer to buffer contains the SPI value. - @param[in] NotifyData Pointer to buffer contains the notificatio= n data. - @param[in] NotifyDataSize The size of NotifyData in bytes. - - - @retval Pointer to IKE Notify Payload. 
- -**/ -IKE_PAYLOAD * -Ikev2GenerateNotifyPayload ( - IN UINT8 ProtocolId, - IN UINT8 NextPayload, - IN UINT8 SpiSize, - IN UINT16 MessageType, - IN UINT8 *SpiBuf, - IN UINT8 *NotifyData, - IN UINTN NotifyDataSize - ) -{ - IKE_PAYLOAD *NotifyPayload; - IKEV2_NOTIFY *Notify; - UINT16 NotifyPayloadLen; - UINT8 *MessageData; - - // 1 2 3 - // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 - // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - // ! Next Payload !C! RESERVED ! Payload Length ! - // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - // ! Protocol ID ! SPI Size ! Notify Message Type ! - // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - // ! ! - // ~ Security Parameter Index (SPI) ~ - // ! ! - // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - // ! ! - // ~ Notification Data ~ - // ! ! - // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - // - // - NotifyPayloadLen =3D (UINT16) (sizeof (IKEV2_NOTIFY) + NotifyDataSize += SpiSize); - Notify =3D (IKEV2_NOTIFY *) AllocateZeroPool (NotifyPayloadLe= n); - if (Notify =3D=3D NULL) { - return NULL; - } - - // - // Set Delete Payload's Generic Header - // - Notify->Header.NextPayload =3D NextPayload; - Notify->Header.PayloadLength =3D NotifyPayloadLen; - Notify->SpiSize =3D SpiSize; - Notify->ProtocolId =3D ProtocolId; - Notify->MessageType =3D MessageType; - - // - // Copy Spi , for Cookie Notify, there is no SPI. 
- // - if (SpiBuf !=3D NULL && SpiSize !=3D 0 ) { - CopyMem (Notify + 1, SpiBuf, SpiSize); - } - - MessageData =3D ((UINT8 *) (Notify + 1)) + SpiSize; - - // - // Copy Notification Data - // - if (NotifyDataSize !=3D 0) { - CopyMem (MessageData, NotifyData, NotifyDataSize); - } - - // - // Create Payload for and set type as IKEV2_PAYLOAD_TYPE_NOTIFY - // - NotifyPayload =3D IkePayloadAlloc (); - if (NotifyPayload =3D=3D NULL) { - FreePool (Notify); - return NULL; - } - - NotifyPayload->PayloadType =3D IKEV2_PAYLOAD_TYPE_NOTIFY; - NotifyPayload->PayloadBuf =3D (UINT8 *) Notify; - NotifyPayload->PayloadSize =3D NotifyPayloadLen; - return NotifyPayload; -} - -/** - Generate the Delete payload. - - Since the structure of Delete payload which defined in RFC 4306 is simpl= e, - there is no internal data structure for Delete payload. This function ge= nerate - Delete payload defined in RFC 4306, but all the fields in this payload a= re still - in host order and need call Ikev2EncodePayload() to convert those fields= from - the host order to network order beforing sending it. - - @param[in] IkeSaSession Pointer to IKE SA Session to be used of De= lete payload generation. - @param[in] NextPayload The next paylaod type in NextPayload field= of - the Delete payload. - @param[in] SpiSize Size of the SPI in SPI size field of the D= elete Payload. - @param[in] SpiNum Number of SPI in NumofSPIs field of the De= lete Payload. - @param[in] SpiBuf Pointer to buffer contains the SPI value. - - @retval a Pointer of IKE Delete Payload. - -**/ -IKE_PAYLOAD * -Ikev2GenerateDeletePayload ( - IN IKEV2_SA_SESSION *IkeSaSession, - IN UINT8 NextPayload, - IN UINT8 SpiSize, - IN UINT16 SpiNum, - IN UINT8 *SpiBuf - - ) -{ - IKE_PAYLOAD *DelPayload; - IKEV2_DELETE *Del; - UINT16 SpiBufSize; - UINT16 DelPayloadLen; - - // 1 2 3 - // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 - // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - // ! Next Payload !C! 
RESERVED ! Payload Length ! - // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - // ! Protocol ID ! SPI Size ! # of SPIs ! - // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - // ! ! - // ~ Security Parameter Index(es) (SPI) ~ - // ! ! - // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - // - SpiBufSize =3D (UINT16) (SpiSize * SpiNum); - if (SpiBufSize !=3D 0 && SpiBuf =3D=3D NULL) { - return NULL; - } - - DelPayloadLen =3D (UINT16) (sizeof (IKEV2_DELETE) + SpiBufSize); - - Del =3D AllocateZeroPool (DelPayloadLen); - if (Del =3D=3D NULL) { - return NULL; - } - - // - // Set Delete Payload's Generic Header - // - Del->Header.NextPayload =3D NextPayload; - Del->Header.PayloadLength =3D DelPayloadLen; - Del->NumSpis =3D SpiNum; - Del->SpiSize =3D SpiSize; - - if (SpiSize =3D=3D 4) { - // - // TODO: should consider the AH if needs to support. - // - Del->ProtocolId =3D IPSEC_PROTO_IPSEC_ESP; - } else { - Del->ProtocolId =3D IPSEC_PROTO_ISAKMP; - } - - // - // Set Del Payload's Idntification Data - // - CopyMem (Del + 1, SpiBuf, SpiBufSize); - DelPayload =3D IkePayloadAlloc (); - if (DelPayload =3D=3D NULL) { - FreePool (Del); - return NULL; - } - - DelPayload->PayloadType =3D IKEV2_PAYLOAD_TYPE_DELETE; - DelPayload->PayloadBuf =3D (UINT8 *) Del; - DelPayload->PayloadSize =3D DelPayloadLen; - return DelPayload; -} - -/** - Generate the Configuration payload. - - This function generate configuration payload defined in RFC 4306, but al= l the - fields in this payload are still in host order and need call Ikev2Encode= Payload() - to convert those fields from the host order to network order beforing se= nding it. - - @param[in] IkeSaSession Pointer to IKE SA Session to be used for D= elete payload - generation. - @param[in] NextPayload The next paylaod type in NextPayload field= of - the Delete payload. - @param[in] CfgType The attribute type in the Configuration at= tribute. - - @retval Pointer to IKE CP Payload. 
- -**/ -IKE_PAYLOAD * -Ikev2GenerateCpPayload ( - IN IKEV2_SA_SESSION *IkeSaSession, - IN UINT8 NextPayload, - IN UINT8 CfgType - ) -{ - IKE_PAYLOAD *CpPayload; - IKEV2_CFG *Cfg; - UINT16 PayloadLen; - IKEV2_CFG_ATTRIBUTES *CfgAttributes; - - // - // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 - // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - // ! Next Payload !C! RESERVED ! Payload Length ! - // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - // ! CFG Type ! RESERVED ! - // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - // ! ! - // ~ Configuration Attributes ~ - // ! ! - // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - // - - PayloadLen =3D (UINT16) (sizeof (IKEV2_CFG) + sizeof (IKEV2_CFG_ATTRIBUT= ES)); - Cfg =3D (IKEV2_CFG *) AllocateZeroPool (PayloadLen); - - if (Cfg =3D=3D NULL) { - return NULL; - } - - CfgAttributes =3D (IKEV2_CFG_ATTRIBUTES *)((UINT8 *)Cfg + sizeof (IKEV2_= CFG)); - - // - // Only generate the configuration payload with an empty INTERNAL_IP4_AD= DRESS - // or INTERNAL_IP6_ADDRESS. - // - - Cfg->Header.NextPayload =3D NextPayload; - Cfg->Header.PayloadLength =3D PayloadLen; - Cfg->CfgType =3D IKEV2_CFG_TYPE_REQUEST; - - CfgAttributes->AttritType =3D CfgType; - CfgAttributes->ValueLength =3D 0; - - CpPayload =3D IkePayloadAlloc (); - if (CpPayload =3D=3D NULL) { - if (Cfg !=3D NULL) { - FreePool (Cfg); - } - return NULL; - } - - CpPayload->PayloadType =3D IKEV2_PAYLOAD_TYPE_CP; - CpPayload->PayloadBuf =3D (UINT8 *) Cfg; - CpPayload->PayloadSize =3D PayloadLen; - return CpPayload; -} - -/** - Parser the Notify Cookie payload. - - This function parses the Notify Cookie payload.If the Notify ProtocolId = is not - IPSEC_PROTO_ISAKMP or if the SpiSize is not zero or if the MessageType i= s not - the COOKIE, return EFI_INVALID_PARAMETER. - - @param[in] IkeNCookie Pointer to the IKE_PAYLOAD which contians = the - Notify Cookie payload. 
- the Notify payload. - @param[in, out] IkeSaSession Pointer to the relevant IKE SA Session. - - @retval EFI_SUCCESS The Notify Cookie Payload is valid. - @retval EFI_INVALID_PARAMETER The Notify Cookie Payload is invalid. - @retval EFI_OUT_OF_RESOURCE The required resource can't be allocated. - -**/ -EFI_STATUS -Ikev2ParserNotifyCookiePayload ( - IN IKE_PAYLOAD *IkeNCookie, - IN OUT IKEV2_SA_SESSION *IkeSaSession - ) -{ - IKEV2_NOTIFY *NotifyPayload; - UINTN NotifyDataSize; - - NotifyPayload =3D (IKEV2_NOTIFY *)IkeNCookie->PayloadBuf; - - if ((NotifyPayload->ProtocolId !=3D IPSEC_PROTO_ISAKMP) || - (NotifyPayload->SpiSize !=3D 0) || - (NotifyPayload->MessageType !=3D IKEV2_NOTIFICATION_COOKIE) - ) { - return EFI_INVALID_PARAMETER; - } - - NotifyDataSize =3D NotifyPayload->Header.PayloadLength - sizeof (= IKEV2_NOTIFY); - IkeSaSession->NCookie =3D AllocateZeroPool (NotifyDataSize); - if (IkeSaSession->NCookie =3D=3D NULL) { - return EFI_OUT_OF_RESOURCES; - } - - IkeSaSession->NCookieSize =3D NotifyDataSize; - - CopyMem ( - IkeSaSession->NCookie, - (UINT8 *)NotifyPayload + sizeof (IKEV2_NOTIFY), - NotifyDataSize - ); - - return EFI_SUCCESS; -} - - -/** - Generate the Certificate payload or Certificate Request Payload. - - Since the Certificate Payload structure is same with Certificate Request= Payload, - the only difference is that one contains the Certificate Data, other con= tains - the acceptable certificateion CA. This function generate Certificate pay= load - or Certificate Request Payload defined in RFC 4306, but all the fields - in the payload are still in host order and need call Ikev2EncodePayload() - to convert those fields from the host order to network order beforing se= nding it. - - @param[in] IkeSaSession Pointer to IKE SA Session to be used of De= lete payload - generation. - @param[in] NextPayload The next paylaod type in NextPayload field= of - the Delete payload. - @param[in] Certificate Pointer of buffer contains the certificati= on data. 
- @param[in] CertificateLen The length of Certificate in byte. - @param[in] EncodeType Specified the Certificate Encodeing which = is defined - in RFC 4306. - @param[in] IsRequest To indicate create Certificate Payload or = Certificate - Request Payload. If it is TURE, create Cer= tificate - Request Payload. Otherwise, create Certifi= cate Payload. - - @retval a Pointer to IKE Payload whose payload buffer containing the Ce= rtificate - payload or Certificated Request payload. - -**/ -IKE_PAYLOAD * -Ikev2GenerateCertificatePayload ( - IN IKEV2_SA_SESSION *IkeSaSession, - IN UINT8 NextPayload, - IN UINT8 *Certificate, - IN UINTN CertificateLen, - IN UINT8 EncodeType, - IN BOOLEAN IsRequest - ) -{ - IKE_PAYLOAD *CertPayload; - IKEV2_CERT *Cert; - UINT16 PayloadLen; - UINT8 *PublicKey; - UINTN PublicKeyLen; - HASH_DATA_FRAGMENT Fragment[1]; - UINT8 *HashData; - UINTN HashDataSize; - EFI_STATUS Status; - - // - // 1 2 3 - // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 - // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - // ! Next Payload !C! RESERVED ! Payload Length ! - // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - // ! Cert Encoding ! ! - // +-+-+-+-+-+-+-+-+ ! - // ~ Certificate Data/Authority ~ - // ! ! - // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - // - - Status =3D EFI_SUCCESS; - PublicKey =3D NULL; - PublicKeyLen =3D 0; - - if (!IsRequest) { - PayloadLen =3D (UINT16) (sizeof (IKEV2_CERT) + CertificateLen); - } else { - // - // SHA1 Hash length is 20. - // - PayloadLen =3D (UINT16) (sizeof (IKEV2_CERT) + 20); - } - - Cert =3D AllocateZeroPool (PayloadLen); - if (Cert =3D=3D NULL) { - return NULL; - } - - // - // Generate Certificate Payload or Certificate Request Payload. 
- // - Cert->Header.NextPayload =3D NextPayload; - Cert->Header.PayloadLength =3D PayloadLen; - Cert->CertEncoding =3D EncodeType; - if (!IsRequest) { - CopyMem ( - ((UINT8 *)Cert) + sizeof (IKEV2_CERT), - Certificate, - CertificateLen - ); - } else { - Status =3D IpSecCryptoIoGetPublicKeyFromCert ( - Certificate, - CertificateLen, - &PublicKey, - &PublicKeyLen - ); - if (EFI_ERROR (Status)) { - goto ON_EXIT; - } - - Fragment[0].Data =3D PublicKey; - Fragment[0].DataSize =3D PublicKeyLen; - HashDataSize =3D IpSecGetHmacDigestLength (IKE_AALG_SHA1HMAC); - HashData =3D AllocateZeroPool (HashDataSize); - if (HashData =3D=3D NULL) { - goto ON_EXIT; - } - - Status =3D IpSecCryptoIoHash ( - IKE_AALG_SHA1HMAC, - Fragment, - 1, - HashData, - HashDataSize - ); - if (EFI_ERROR (Status)) { - goto ON_EXIT; - } - - CopyMem ( - ((UINT8 *)Cert) + sizeof (IKEV2_CERT), - HashData, - HashDataSize - ); - } - - CertPayload =3D IkePayloadAlloc (); - if (CertPayload =3D=3D NULL) { - goto ON_EXIT; - } - - if (!IsRequest) { - CertPayload->PayloadType =3D IKEV2_PAYLOAD_TYPE_CERT; - } else { - CertPayload->PayloadType =3D IKEV2_PAYLOAD_TYPE_CERTREQ; - } - - CertPayload->PayloadBuf =3D (UINT8 *) Cert; - CertPayload->PayloadSize =3D PayloadLen; - return CertPayload; - -ON_EXIT: - if (Cert !=3D NULL) { - FreePool (Cert); - } - if (PublicKey !=3D NULL) { - FreePool (PublicKey); - } - return NULL; -} - -/** - Remove and free all IkePayloads in the specified IkePacket. - - @param[in] IkePacket The pointer of IKE_PACKET. - -**/ -VOID -ClearAllPayloads ( - IN IKE_PACKET *IkePacket - ) -{ - LIST_ENTRY *PayloadEntry; - IKE_PAYLOAD *IkePayload; - // - // remove all payloads from list and free each payload. 
- // - while (!IsListEmpty (&IkePacket->PayloadList)) { - PayloadEntry =3D IkePacket->PayloadList.ForwardLink; - IkePayload =3D IKE_PAYLOAD_BY_PACKET (PayloadEntry); - IKE_PACKET_REMOVE_PAYLOAD (IkePacket, IkePayload); - IkePayloadFree (IkePayload); - } -} - -/** - Transfer the intrnal data structure IKEV2_SA_DATA to IKEV2_SA structure = defined in RFC. - - @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON related to the = SA Session. - @param[in] SaData Pointer to IKEV2_SA_DATA to be transfered. - - @retval return the pointer of IKEV2_SA. - -**/ -IKEV2_SA* -Ikev2EncodeSa ( - IN IKEV2_SESSION_COMMON *SessionCommon, - IN IKEV2_SA_DATA *SaData - ) -{ - IKEV2_SA *Sa; - UINTN SaSize; - IKEV2_PROPOSAL_DATA *ProposalData; - IKEV2_TRANSFORM_DATA *TransformData; - UINTN TotalTransforms; - UINTN SaAttrsSize; - UINTN TransformsSize; - UINTN TransformSize; - UINTN ProposalsSize; - UINTN ProposalSize; - UINTN ProposalIndex; - UINTN TransformIndex; - IKE_SA_ATTRIBUTE *SaAttribute; - IKEV2_PROPOSAL *Proposal; - IKEV2_TRANSFORM *Transform; - - // - // Transform IKE_SA_DATA structure to IKE_SA Payload. - // Header length is host order. - // The returned IKE_SA struct should be freed by caller. - // - TotalTransforms =3D 0; - // - // Calculate the Proposal numbers and Transform numbers. - // - for (ProposalIndex =3D 0; ProposalIndex < SaData->NumProposals; Proposal= Index++) { - - ProposalData =3D (IKEV2_PROPOSAL_DATA *) (SaData + 1) + ProposalIn= dex; - TotalTransforms +=3D ProposalData->NumTransforms; - - } - SaSize =3D sizeof (IKEV2_SA) + - SaData->NumProposals * sizeof (IKEV2_PROPOSAL) + - TotalTransforms * (sizeof (IKEV2_TRANSFORM) + MAX_SA_ATTRS_SIZE= ); - // - // Allocate buffer for IKE_SA. 
- // - Sa =3D AllocateZeroPool (SaSize); - if (Sa =3D=3D NULL) { - return NULL; - } - - CopyMem (Sa, SaData, sizeof (IKEV2_SA)); - Sa->Header.PayloadLength =3D (UINT16) sizeof (IKEV2_SA); - ProposalsSize =3D 0; - Proposal =3D (IKEV2_PROPOSAL *) (Sa + 1); - - // - // Set IKE_PROPOSAL - // - ProposalData =3D (IKEV2_PROPOSAL_DATA *) (SaData + 1); - for (ProposalIndex =3D 0; ProposalIndex < SaData->NumProposals; Proposal= Index++) { - Proposal->ProposalIndex =3D ProposalData->ProposalIndex; - Proposal->ProtocolId =3D ProposalData->ProtocolId; - Proposal->NumTransforms =3D ProposalData->NumTransforms; - - if (ProposalData->Spi =3D=3D 0) { - Proposal->SpiSize =3D 0; - } else { - Proposal->SpiSize =3D 4; - *(UINT32 *) (Proposal + 1) =3D HTONL (*((UINT32*)ProposalData->Spi)= ); - } - - TransformsSize =3D 0; - Transform =3D (IKEV2_TRANSFORM *) ((UINT8 *) (Proposal + 1) + Pr= oposal->SpiSize); - - // - // Set IKE_TRANSFORM - // - for (TransformIndex =3D 0; TransformIndex < ProposalData->NumTransform= s; TransformIndex++) { - TransformData =3D (IKEV2_TRANSFORM_DATA *) (ProposalDa= ta + 1) + TransformIndex; - Transform->TransformType =3D TransformData->TransformType; - Transform->TransformId =3D HTONS (TransformData->TransformId); - SaAttrsSize =3D 0; - - // - // If the Encryption Algorithm is variable key length set the key le= ngth in attribute. - // Note that only a single attribute type (Key Length) is defined an= d it is fixed length. - // - if (Transform->TransformType =3D=3D IKEV2_TRANSFORM_TYPE_ENCR && Tra= nsformData->Attribute.Attr.AttrValue !=3D 0) { - SaAttribute =3D (IKE_SA_ATTRIBUTE *) (Transform + = 1); - SaAttribute->AttrType =3D HTONS (IKEV2_ATTRIBUTE_TYPE_KEYLEN= | SA_ATTR_FORMAT_BIT); - SaAttribute->Attr.AttrValue =3D HTONS (TransformData->Attribute.At= tr.AttrValue); - SaAttrsSize =3D sizeof (IKE_SA_ATTRIBUTE); - } - - // - // If the Integrity Algorithm is variable key length set the key len= gth in attribute. 
- // - if (Transform->TransformType =3D=3D IKEV2_TRANSFORM_TYPE_INTEG && Tr= ansformData->Attribute.Attr.AttrValue !=3D 0) { - SaAttribute =3D (IKE_SA_ATTRIBUTE *) (Transform + = 1); - SaAttribute->AttrType =3D HTONS (IKEV2_ATTRIBUTE_TYPE_KEYLEN= | SA_ATTR_FORMAT_BIT); - SaAttribute->Attr.AttrValue =3D HTONS (TransformData->Attribute.At= tr.AttrValue); - SaAttrsSize =3D sizeof (IKE_SA_ATTRIBUTE); - } - - TransformSize =3D sizeof (IKEV2_TRANSFORM) + SaAttrs= Size; - TransformsSize +=3D TransformSize; - - Transform->Header.NextPayload =3D IKE_TRANSFORM_NEXT_PAYLOAD_MORE; - Transform->Header.PayloadLength =3D HTONS ((UINT16)TransformSize); - - if (TransformIndex =3D=3D ((UINT32)ProposalData->NumTransforms - 1))= { - Transform->Header.NextPayload =3D IKE_TRANSFORM_NEXT_PAYLOAD_NONE; - } - - Transform =3D (IKEV2_TRANSFORM *)((UINT8 *) Transform + Transfor= mSize); - } - - // - // Set Proposal's Generic Header. - // - ProposalSize =3D sizeof (IKEV2_PROPOSAL) + Proposal-= >SpiSize + TransformsSize; - ProposalsSize +=3D ProposalSize; - Proposal->Header.NextPayload =3D IKE_PROPOSAL_NEXT_PAYLOAD_MORE; - Proposal->Header.PayloadLength =3D HTONS ((UINT16)ProposalSize); - - if (ProposalIndex =3D=3D (UINTN)(SaData->NumProposals - 1)) { - Proposal->Header.NextPayload =3D IKE_PROPOSAL_NEXT_PAYLOAD_NONE; - } - - // - // Point to next Proposal Payload - // - Proposal =3D (IKEV2_PROPOSAL *) ((UINT8 *) Proposal + ProposalSize= ); - ProposalData =3D (IKEV2_PROPOSAL_DATA *)(((UINT8 *)ProposalData) + siz= eof (IKEV2_PROPOSAL_DATA) + (TransformIndex * sizeof (IKEV2_TRANSFORM_DATA)= )); - } - // - // Set SA's Generic Header. - // - Sa->Header.PayloadLength =3D (UINT16) (Sa->Header.PayloadLength + Propos= alsSize); - return Sa; -} - -/** - Decode SA payload. - - This function converts the received SA payload to internal data structur= e. - - @param[in] SessionCommon Pointer to IKE Common Session used to de= code the SA - Payload. 
- @param[in] Sa Pointer to SA Payload - - @return a Pointer to internal data structure for SA payload. - -**/ -IKEV2_SA_DATA * -Ikev2DecodeSa ( - IN IKEV2_SESSION_COMMON *SessionCommon, - IN IKEV2_SA *Sa - ) -{ - IKEV2_SA_DATA *SaData; - EFI_STATUS Status; - IKEV2_PROPOSAL *Proposal; - IKEV2_TRANSFORM *Transform; - UINTN TotalProposals; - UINTN TotalTransforms; - UINTN ProposalNextPayloadSum; - UINTN ProposalIndex; - UINTN TransformIndex; - UINTN SaRemaining; - UINT16 ProposalSize; - UINTN ProposalRemaining; - UINT16 TransformSize; - UINTN SaAttrRemaining; - IKE_SA_ATTRIBUTE *SaAttribute; - IKEV2_PROPOSAL_DATA *ProposalData; - IKEV2_TRANSFORM_DATA *TransformData; - UINT8 *Spi; - - // - // Transfrom from IKE_SA payload to IKE_SA_DATA structure. - // Header length NTOH is already done - // The returned IKE_SA_DATA should be freed by caller - // - SaData =3D NULL; - Status =3D EFI_SUCCESS; - - // - // First round sanity check and size calculae - // - TotalProposals =3D 0; - TotalTransforms =3D 0; - ProposalNextPayloadSum =3D 0; - SaRemaining =3D Sa->Header.PayloadLength - sizeof (IKEV2_SA);= // Point to current position in SA - Proposal =3D (IKEV2_PROPOSAL *)((IKEV2_SA *)(Sa)+1); - - // - // Calculate the number of Proposal payload and the total numbers of - // Transforms payload (the transforms in all proposal payload). - // - while (SaRemaining > sizeof (IKEV2_PROPOSAL)) { - ProposalSize =3D NTOHS (Proposal->Header.PayloadLength); - if (SaRemaining < ProposalSize) { - Status =3D EFI_INVALID_PARAMETER; - goto Exit; - } - - if (Proposal->SpiSize !=3D 0 && Proposal->SpiSize !=3D 4) { - Status =3D EFI_INVALID_PARAMETER; - goto Exit; - } - - TotalProposals++; - TotalTransforms +=3D Proposal->NumTransforms; - SaRemaining -=3D ProposalSize; - ProposalNextPayloadSum +=3D Proposal->Header.NextPayload; - Proposal =3D IKEV2_NEXT_PROPOSAL_WITH_SIZE (Proposal, P= roposalSize); - } - - // - // Check the proposal number. 
- // The proposal Substructure, the NextPayLoad field indicates : 0 (last)= or 2 (more) - // which Specifies whether this is the last Proposal Substructure in the= SA. - // Here suming all Proposal NextPayLoad field to check the proposal numb= er is correct - // or not. - // - if (TotalProposals =3D=3D 0 || - (TotalProposals - 1) * IKE_PROPOSAL_NEXT_PAYLOAD_MORE !=3D ProposalN= extPayloadSum - ) { - Status =3D EFI_INVALID_PARAMETER; - goto Exit; - } - - // - // Second round sanity check and decode. Transform the SA payload into - // a IKE_SA_DATA structure. - // - SaData =3D (IKEV2_SA_DATA *) AllocateZeroPool ( - sizeof (IKEV2_SA_DATA) + - TotalProposals * sizeof (IKEV2_PROPOSAL_DAT= A) + - TotalTransforms * sizeof (IKEV2_TRANSFORM_D= ATA) - ); - if (SaData =3D=3D NULL) { - Status =3D EFI_OUT_OF_RESOURCES; - goto Exit; - } - - CopyMem (SaData, Sa, sizeof (IKEV2_SA)); - SaData->NumProposals =3D TotalProposals; - ProposalData =3D (IKEV2_PROPOSAL_DATA *) (SaData + 1); - - // - // Proposal Payload - // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 - // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - // ! Next Payload ! RESERVED ! Payload Length ! - // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - // ! Proposal # ! Protocol-Id ! SPI Size !# of Transforms! - // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - // ! SPI (variable) ! 
- // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - // - for (ProposalIndex =3D 0, Proposal =3D IKEV2_SA_FIRST_PROPOSAL (Sa); - ProposalIndex < TotalProposals; - ProposalIndex++ - ) { - - // - // TODO: check ProposalId - // - ProposalData->ProposalIndex =3D Proposal->ProposalIndex; - ProposalData->ProtocolId =3D Proposal->ProtocolId; - if (Proposal->SpiSize =3D=3D 0) { - ProposalData->Spi =3D 0; - } else { - // - // SpiSize =3D=3D 4 - // - Spi =3D AllocateZeroPool (Proposal->SpiSize); - if (Spi =3D=3D NULL) { - Status =3D EFI_OUT_OF_RESOURCES; - goto Exit; - } - - CopyMem (Spi, (UINT32 *) (Proposal + 1), Proposal->SpiSize); - *((UINT32*) Spi) =3D NTOHL (*((UINT32*) Spi)); - ProposalData->Spi =3D Spi; - } - - ProposalData->NumTransforms =3D Proposal->NumTransforms; - ProposalSize =3D NTOHS (Proposal->Header.PayloadLength); - ProposalRemaining =3D ProposalSize; - // - // Transform Payload - // 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 - // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - // ! Next Payload ! RESERVED ! Payload Length ! - // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - // !Transform Type ! RESERVED ! Transform ID ! - // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - // ! ! - // ~ SA Attributes ~ - // ! ! - // +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - // - Transform =3D IKEV2_PROPOSAL_FIRST_TRANSFORM (Proposal); - for (TransformIndex =3D 0; TransformIndex < Proposal->NumTransforms; T= ransformIndex++) { - - // - // Transfer the IKEV2_TRANSFORM structure into internal IKEV2_TRANSF= ORM_DATA struture. - // - TransformData =3D (IKEV2_TRANSFORM_DATA *) (Propos= alData + 1) + TransformIndex; - TransformData->TransformId =3D NTOHS (Transform->TransformId); - TransformData->TransformType =3D Transform->TransformType; - TransformSize =3D NTOHS (Transform->Header.Payload= Length); - // - // Check the Proposal Data is correct. 
- // - if (ProposalRemaining < TransformSize) { - Status =3D EFI_INVALID_PARAMETER; - goto Exit; - } - - // - // Check if the Transform payload includes Attribution. - // - SaAttrRemaining =3D TransformSize - sizeof (IKEV2_TRANSFORM); - - // - // According to RFC 4603, currently only the Key length attribute ty= pe is - // supported. For each Transform, there is only one attributeion. - // - if (SaAttrRemaining > 0) { - if (SaAttrRemaining !=3D sizeof (IKE_SA_ATTRIBUTE)) { - Status =3D EFI_INVALID_PARAMETER; - goto Exit; - } - SaAttribute =3D (IKE_SA_ATTRIBUTE *) (= (IKEV2_TRANSFORM *)(Transform) + 1); - TransformData->Attribute.AttrType =3D (UINT16)((NTOHS (SaAtt= ribute->AttrType)) & ~SA_ATTR_FORMAT_BIT); - TransformData->Attribute.Attr.AttrValue =3D NTOHS (SaAttribute->At= tr.AttrValue); - - // - // Currently, only supports the Key Length Attribution. - // - if (TransformData->Attribute.AttrType !=3D IKEV2_ATTRIBUTE_TYPE_KE= YLEN) { - Status =3D EFI_INVALID_PARAMETER; - goto Exit; - } - } - - // - // Move to next Transform - // - Transform =3D IKEV2_NEXT_TRANSFORM_WITH_SIZE (Transform, TransformSi= ze); - } - Proposal =3D IKEV2_NEXT_PROPOSAL_WITH_SIZE (Proposal, ProposalSize= ); - ProposalData =3D (IKEV2_PROPOSAL_DATA *) ((UINT8 *)(ProposalData + 1) + - ProposalData->NumTransform= s * - sizeof (IKEV2_TRANSFORM_DA= TA)); - } - -Exit: - if (EFI_ERROR (Status) && SaData !=3D NULL) { - FreePool (SaData); - SaData =3D NULL; - } - return SaData; -} - -/** - General interface of payload encoding. - - This function encodes the internal data structure into payload which - is defined in RFC 4306. The IkePayload->PayloadBuf is used to store both= the input - payload and converted payload. Only the SA payload use the interal struc= ture - to store the attribute. Other payload use structure which is same with t= he RFC - defined, for this kind payloads just do host order to network order chan= ge of - some fields. 
- - @param[in] SessionCommon Pointer to IKE Session Common used t= o encode the payload. - @param[in, out] IkePayload Pointer to IKE payload to be encoded= as input, and - store the encoded result as output. - - @retval EFI_INVALID_PARAMETER Meet error when encoding the SA payload. - @retval EFI_SUCCESS Encoded successfully. - -**/ -EFI_STATUS -Ikev2EncodePayload ( - IN UINT8 *SessionCommon, - IN OUT IKE_PAYLOAD *IkePayload - ) -{ - IKEV2_SA_DATA *SaData; - IKEV2_SA *SaPayload; - IKEV2_COMMON_PAYLOAD_HEADER *PayloadHdr; - IKEV2_NOTIFY *NotifyPayload; - IKEV2_DELETE *DeletePayload; - IKEV2_KEY_EXCHANGE *KeyPayload; - IKEV2_TS *TsPayload; - IKEV2_CFG_ATTRIBUTES *CfgAttribute; - UINT8 *TsBuffer; - UINT8 Index; - TRAFFIC_SELECTOR *TrafficSelector; - - // - // Transform the Internal IKE structure to IKE payload. - // Only the SA payload use the interal structure to store the attribute. - // Other payload use structure which same with the RFC defined, so there= is - // no need to tranform them to IKE payload. 
- // - switch (IkePayload->PayloadType) { - case IKEV2_PAYLOAD_TYPE_SA: - // - // Transform IKE_SA_DATA to IK_SA payload - // - SaData =3D (IKEV2_SA_DATA *) IkePayload->PayloadBuf; - SaPayload =3D Ikev2EncodeSa ((IKEV2_SESSION_COMMON *) SessionCommon, S= aData); - - if (SaPayload =3D=3D NULL) { - return EFI_INVALID_PARAMETER; - } - if (!IkePayload->IsPayloadBufExt) { - FreePool (IkePayload->PayloadBuf); - } - IkePayload->PayloadBuf =3D (UINT8 *) SaPayload; - IkePayload->IsPayloadBufExt =3D FALSE; - break; - - case IKEV2_PAYLOAD_TYPE_NOTIFY: - NotifyPayload =3D (IKEV2_NOTIFY *) IkePayload->PayloadBu= f; - NotifyPayload->MessageType =3D HTONS (NotifyPayload->MessageType); - break; - - case IKEV2_PAYLOAD_TYPE_DELETE: - DeletePayload =3D (IKEV2_DELETE *) IkePayload->PayloadBuf; - DeletePayload->NumSpis =3D HTONS (DeletePayload->NumSpis); - break; - - case IKEV2_PAYLOAD_TYPE_KE: - KeyPayload =3D (IKEV2_KEY_EXCHANGE *) IkePayload->Payload= Buf; - KeyPayload->DhGroup =3D HTONS (KeyPayload->DhGroup); - break; - - case IKEV2_PAYLOAD_TYPE_TS_INIT: - case IKEV2_PAYLOAD_TYPE_TS_RSP: - TsPayload =3D (IKEV2_TS *) IkePayload->PayloadBuf; - TsBuffer =3D IkePayload->PayloadBuf + sizeof (IKEV2_TS); - - for (Index =3D 0; Index < TsPayload->TSNumbers; Index++) { - TrafficSelector =3D (TRAFFIC_SELECTOR *) TsBuffer; - TsBuffer =3D TsBuffer + TrafficSelector->SelecorLen; - // - // Host order to network order - // - TrafficSelector->SelecorLen =3D HTONS (TrafficSelector->SelecorLen); - TrafficSelector->StartPort =3D HTONS (TrafficSelector->StartPort); - TrafficSelector->EndPort =3D HTONS (TrafficSelector->EndPort); - - } - - break; - - case IKEV2_PAYLOAD_TYPE_CP: - CfgAttribute =3D (IKEV2_CFG_ATTRIBUTES *)(((IKEV2_CFG *) IkePayload->P= ayloadBuf) + 1); - CfgAttribute->AttritType =3D HTONS (CfgAttribute->AttritType); - CfgAttribute->ValueLength =3D HTONS (CfgAttribute->ValueLength); - - case IKEV2_PAYLOAD_TYPE_ID_INIT: - case IKEV2_PAYLOAD_TYPE_ID_RSP: - case IKEV2_PAYLOAD_TYPE_AUTH: - 
default: - break; - } - - PayloadHdr =3D (IKEV2_COMMON_PAYLOAD_HEADER *) IkePayload->PayloadBuf; - IkePayload->PayloadSize =3D PayloadHdr->PayloadLength; - PayloadHdr->PayloadLength =3D HTONS (PayloadHdr->PayloadLength); - IKEV2_DUMP_PAYLOAD (IkePayload); - return EFI_SUCCESS; -} - -/** - The general interface for decoding Payload. - - This function converts the received Payload into internal structure. - - @param[in] SessionCommon Pointer to IKE Session Common used for= decoding. - @param[in, out] IkePayload Pointer to IKE payload to be decoded a= s input, and - store the decoded result as output. - - @retval EFI_INVALID_PARAMETER Meet error when decoding the SA payload. - @retval EFI_SUCCESS Decoded successfully. - -**/ -EFI_STATUS -Ikev2DecodePayload ( - IN UINT8 *SessionCommon, - IN OUT IKE_PAYLOAD *IkePayload - ) -{ - IKEV2_COMMON_PAYLOAD_HEADER *PayloadHdr; - UINT16 PayloadSize; - UINT8 PayloadType; - IKEV2_SA_DATA *SaData; - EFI_STATUS Status; - IKEV2_NOTIFY *NotifyPayload; - IKEV2_DELETE *DeletePayload; - UINT16 TsTotalSize; - TRAFFIC_SELECTOR *TsSelector; - IKEV2_TS *TsPayload; - IKEV2_KEY_EXCHANGE *KeyPayload; - IKEV2_CFG_ATTRIBUTES *CfgAttribute; - UINT8 Index; - - // - // Transform the IKE payload to Internal IKE structure. - // Only the SA payload and Hash Payload use the interal - // structure to store the attribute. Other payloads use - // structure which is same with the definitions in RFC, - // so there is no need to tranform them to internal IKE - // structure. - // - Status =3D EFI_SUCCESS; - PayloadSize =3D (UINT16) IkePayload->PayloadSize; - PayloadType =3D IkePayload->PayloadType; - PayloadHdr =3D (IKEV2_COMMON_PAYLOAD_HEADER *) IkePayload->PayloadBuf; - // - // The PayloadSize is the size of whole payload. - // Replace HTONS operation to assignment statements, since the result is= same. 
- // - PayloadHdr->PayloadLength =3D PayloadSize; - - IKEV2_DUMP_PAYLOAD (IkePayload); - switch (PayloadType) { - case IKEV2_PAYLOAD_TYPE_SA: - if (PayloadSize < sizeof (IKEV2_SA)) { - Status =3D EFI_INVALID_PARAMETER; - goto Exit; - } - - SaData =3D Ikev2DecodeSa ((IKEV2_SESSION_COMMON *) SessionCommon, (IKE= V2_SA *) PayloadHdr); - if (SaData =3D=3D NULL) { - Status =3D EFI_INVALID_PARAMETER; - goto Exit; - } - - if (!IkePayload->IsPayloadBufExt) { - FreePool (IkePayload->PayloadBuf); - } - - IkePayload->PayloadBuf =3D (UINT8 *) SaData; - IkePayload->IsPayloadBufExt =3D FALSE; - break; - - case IKEV2_PAYLOAD_TYPE_ID_INIT: - case IKEV2_PAYLOAD_TYPE_ID_RSP : - if (PayloadSize < sizeof (IKEV2_ID)) { - Status =3D EFI_INVALID_PARAMETER; - goto Exit; - } - break; - - case IKEV2_PAYLOAD_TYPE_NOTIFY: - if (PayloadSize < sizeof (IKEV2_NOTIFY)) { - Status =3D EFI_INVALID_PARAMETER; - goto Exit; - } - - NotifyPayload =3D (IKEV2_NOTIFY *) PayloadHdr; - NotifyPayload->MessageType =3D NTOHS (NotifyPayload->MessageType); - break; - - case IKEV2_PAYLOAD_TYPE_DELETE: - if (PayloadSize < sizeof (IKEV2_DELETE)) { - Status =3D EFI_INVALID_PARAMETER; - goto Exit; - } - - DeletePayload =3D (IKEV2_DELETE *) PayloadHdr; - DeletePayload->NumSpis =3D NTOHS (DeletePayload->NumSpis); - break; - - case IKEV2_PAYLOAD_TYPE_AUTH: - if (PayloadSize < sizeof (IKEV2_AUTH)) { - Status =3D EFI_INVALID_PARAMETER; - goto Exit; - } - break; - - case IKEV2_PAYLOAD_TYPE_KE: - KeyPayload =3D (IKEV2_KEY_EXCHANGE *) IkePayload->Payload= Buf; - KeyPayload->DhGroup =3D HTONS (KeyPayload->DhGroup); - break; - - case IKEV2_PAYLOAD_TYPE_TS_INIT: - case IKEV2_PAYLOAD_TYPE_TS_RSP : - TsTotalSize =3D 0; - if (PayloadSize < sizeof (IKEV2_TS)) { - Status =3D EFI_INVALID_PARAMETER; - goto Exit; - } - // - // Parse each traffic selector and transfer network-order to host-order - // - TsPayload =3D (IKEV2_TS *) IkePayload->PayloadBuf; - TsSelector =3D (TRAFFIC_SELECTOR *) (IkePayload->PayloadBuf + sizeof = (IKEV2_TS)); 
- - for (Index =3D 0; Index < TsPayload->TSNumbers; Index++) { - TsSelector->SelecorLen =3D NTOHS (TsSelector->SelecorLen); - TsSelector->StartPort =3D NTOHS (TsSelector->StartPort); - TsSelector->EndPort =3D NTOHS (TsSelector->EndPort); - - TsTotalSize =3D (UINT16) (TsTotalSize + TsSelector->Sele= corLen); - TsSelector =3D (TRAFFIC_SELECTOR *) ((UINT8 *) TsSelect= or + TsSelector->SelecorLen); - } - // - // Check if the total size of Traffic Selectors is correct. - // - if (TsTotalSize !=3D PayloadSize - sizeof(IKEV2_TS)) { - Status =3D EFI_INVALID_PARAMETER; - } - - case IKEV2_PAYLOAD_TYPE_CP: - CfgAttribute =3D (IKEV2_CFG_ATTRIBUTES *)(((IKEV2_CFG *) IkePayload->P= ayloadBuf) + 1); - CfgAttribute->AttritType =3D NTOHS (CfgAttribute->AttritType); - CfgAttribute->ValueLength =3D NTOHS (CfgAttribute->ValueLength); - - default: - break; - } - - Exit: - return Status; -} - -/** - Decode the IKE packet. - - This function first decrypts the IKE packet if needed , then separates t= he whole - IKE packet from the IkePacket->PayloadBuf into IkePacket payload list. - - @param[in] SessionCommon Pointer to IKEV1_SESSION_COMMON c= ontaining - some parameter used by IKE packet= decoding. - @param[in, out] IkePacket The IKE Packet to be decoded on i= nput, and - the decoded result on return. - @param[in] IkeType The type of IKE. IKE_SA_TYPE, IKE= _INFO_TYPE and - IKE_CHILD_TYPE are supported. - - @retval EFI_SUCCESS The IKE packet is decoded success= fully. - @retval Otherwise The IKE packet decoding is failed. - -**/ -EFI_STATUS -Ikev2DecodePacket ( - IN IKEV2_SESSION_COMMON *SessionCommon, - IN OUT IKE_PACKET *IkePacket, - IN UINTN IkeType - ) -{ - EFI_STATUS Status; - IKEV2_COMMON_PAYLOAD_HEADER *PayloadHdr; - UINT8 PayloadType; - UINTN RemainBytes; - UINT16 PayloadSize; - IKE_PAYLOAD *IkePayload; - IKE_HEADER *IkeHeader; - IKEV2_SA_SESSION *IkeSaSession; - - IkeHeader =3D NULL; - - // - // Check if the IkePacket need decrypt. 
- // - if (SessionCommon->State >=3D IkeStateAuth) { - Status =3D Ikev2DecryptPacket (SessionCommon, IkePacket, IkeType); - if (EFI_ERROR (Status)) { - return Status; - } - } - - Status =3D EFI_SUCCESS; - - // - // If the IkePacket doesn't contain any payload return invalid parameter. - // - if (IkePacket->Header->NextPayload =3D=3D IKEV2_PAYLOAD_TYPE_NONE) { - if ((SessionCommon->State >=3D IkeStateAuth) && - (IkePacket->Header->ExchangeType =3D=3D IKEV2_EXCHANGE_TYPE_INFO) - ) { - // - // If it is Liveness check, there will be no payload load in the enc= rypt payload. - // - Status =3D EFI_SUCCESS; - } else { - Status =3D EFI_INVALID_PARAMETER; - } - } - - // - // If the PayloadTotalSize < Header length, return invalid parameter. - // - RemainBytes =3D IkePacket->PayloadTotalSize; - if (RemainBytes < sizeof (IKEV2_COMMON_PAYLOAD_HEADER)) { - Status =3D EFI_INVALID_PARAMETER; - goto Exit; - } - - // - // If the packet is first or second message, store whole message in - // IkeSa->InitiPacket or IkeSa->RespPacket for following Auth Payload - // calculate. - // - if (IkePacket->Header->ExchangeType =3D=3D IKEV2_EXCHANGE_TYPE_INIT) { - IkeHeader =3D AllocateZeroPool (sizeof (IKE_HEADER)); - if (IkeHeader =3D=3D NULL) { - Status =3D EFI_OUT_OF_RESOURCES; - goto Exit; - } - - CopyMem (IkeHeader, IkePacket->Header, sizeof (IKE_HEADER)); - - // - // Before store the whole packet, roll back the host order to network = order, - // since the header order was changed in the IkePacketFromNetbuf. 
- // - IkeHdrNetToHost (IkeHeader); - IkeSaSession =3D IKEV2_SA_SESSION_FROM_COMMON (SessionCommon); - if (SessionCommon->IsInitiator) { - IkeSaSession->RespPacket =3D AllocateZeroPool (IkePacket->Header= ->Length); - if (IkeSaSession->RespPacket =3D=3D NULL) { - Status =3D EFI_OUT_OF_RESOURCES; - goto Exit; - } - IkeSaSession->RespPacketSize =3D IkePacket->Header->Length; - CopyMem (IkeSaSession->RespPacket, IkeHeader, sizeof (IKE_HEADER)); - CopyMem ( - IkeSaSession->RespPacket + sizeof (IKE_HEADER), - IkePacket->PayloadsBuf, - IkePacket->Header->Length - sizeof (IKE_HEADER) - ); - } else { - IkeSaSession->InitPacket =3D AllocateZeroPool (IkePacket->Header= ->Length); - if (IkeSaSession->InitPacket =3D=3D NULL) { - Status =3D EFI_OUT_OF_RESOURCES; - goto Exit; - } - IkeSaSession->InitPacketSize =3D IkePacket->Header->Length; - CopyMem (IkeSaSession->InitPacket, IkeHeader, sizeof (IKE_HEADER)); - CopyMem ( - IkeSaSession->InitPacket + sizeof (IKE_HEADER), - IkePacket->PayloadsBuf, - IkePacket->Header->Length - sizeof (IKE_HEADER) - ); - } - } - - // - // Point to the first Payload - // - PayloadHdr =3D (IKEV2_COMMON_PAYLOAD_HEADER *) IkePacket->PayloadsBuf; - PayloadType =3D IkePacket->Header->NextPayload; - - // - // Parse each payload - // - while (RemainBytes >=3D sizeof (IKEV2_COMMON_PAYLOAD_HEADER)) { - PayloadSize =3D NTOHS (PayloadHdr->PayloadLength); - - // - //Check the size of the payload is correct. - // - if (RemainBytes < PayloadSize) { - Status =3D EFI_INVALID_PARAMETER; - goto Exit; - } - - // - // At certain states, it should save some datas before decoding. 
- // - if (SessionCommon->BeforeDecodePayload !=3D NULL) { - SessionCommon->BeforeDecodePayload ( - (UINT8 *) SessionCommon, - (UINT8 *) PayloadHdr, - PayloadSize, - PayloadType - ); - } - - // - // Initial IkePayload - // - IkePayload =3D IkePayloadAlloc (); - if (IkePayload =3D=3D NULL) { - Status =3D EFI_OUT_OF_RESOURCES; - goto Exit; - } - - IkePayload->PayloadType =3D PayloadType; - IkePayload->PayloadBuf =3D (UINT8 *) PayloadHdr; - IkePayload->PayloadSize =3D PayloadSize; - IkePayload->IsPayloadBufExt =3D TRUE; - - Status =3D Ikev2DecodePayload ((UINT8 *) SessionCommon, IkePayload); - if (EFI_ERROR (Status)) { - goto Exit; - } - - IPSEC_DUMP_BUF ("After Decoding Payload", IkePayload->PayloadBuf, IkeP= ayload->PayloadSize); - // - // Add each payload into packet - // Notice, the IkePacket->Hdr->Lenght still recode the whole IkePacket= length - // which is before the decoding. - // - IKE_PACKET_APPEND_PAYLOAD (IkePacket, IkePayload); - - RemainBytes -=3D PayloadSize; - PayloadType =3D PayloadHdr->NextPayload; - if (PayloadType =3D=3D IKEV2_PAYLOAD_TYPE_NONE) { - break; - } - - PayloadHdr =3D (IKEV2_COMMON_PAYLOAD_HEADER *) ((UINT8 *) PayloadHdr += PayloadSize); - } - - if (PayloadType !=3D IKEV2_PAYLOAD_TYPE_NONE) { - Status =3D EFI_INVALID_PARAMETER; - goto Exit; - } - -Exit: - if (EFI_ERROR (Status)) { - ClearAllPayloads (IkePacket); - } - - if (IkeHeader !=3D NULL) { - FreePool (IkeHeader); - } - return Status; -} - -/** - Encode the IKE packet. - - This function puts all Payloads into one payload then encrypt it if need= ed. - - @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON conta= ining - some parameter used during IKE packet= encoding. - @param[in, out] IkePacket Pointer to IKE_PACKET to be encoded a= s input, - and the encoded result as output. - @param[in] IkeType The type of IKE. IKE_SA_TYPE, IKE_INF= O_TYPE and - IKE_CHILD_TYPE are supportted. - - @retval EFI_SUCCESS Encode IKE packet successfully. 
- @retval Otherwise Encode IKE packet failed. - -**/ -EFI_STATUS -Ikev2EncodePacket ( - IN IKEV2_SESSION_COMMON *SessionCommon, - IN OUT IKE_PACKET *IkePacket, - IN UINTN IkeType - ) -{ - IKE_PAYLOAD *IkePayload; - UINTN PayloadTotalSize; - LIST_ENTRY *Entry; - EFI_STATUS Status; - IKEV2_SA_SESSION *IkeSaSession; - - PayloadTotalSize =3D 0; - // - // Encode each payload - // - for (Entry =3D IkePacket->PayloadList.ForwardLink; Entry !=3D &(IkePacke= t->PayloadList);) { - IkePayload =3D IKE_PAYLOAD_BY_PACKET (Entry); - Entry =3D Entry->ForwardLink; - Status =3D Ikev2EncodePayload ((UINT8 *) SessionCommon, IkePayloa= d); - if (EFI_ERROR (Status)) { - return Status; - } - - if (SessionCommon->AfterEncodePayload !=3D NULL) { - // - // For certain states, save some payload for further calculation - // - SessionCommon->AfterEncodePayload ( - (UINT8 *) SessionCommon, - IkePayload->PayloadBuf, - IkePayload->PayloadSize, - IkePayload->PayloadType - ); - } - - PayloadTotalSize +=3D IkePayload->PayloadSize; - } - IkePacket->PayloadTotalSize =3D PayloadTotalSize; - - Status =3D EFI_SUCCESS; - if (SessionCommon->State >=3D IkeStateAuth) { - // - // Encrypt all payload and transfer IKE packet header from Host order = to Network order. - // - Status =3D Ikev2EncryptPacket (SessionCommon, IkePacket); - if (EFI_ERROR (Status)) { - return Status; - } - } else { - // - // Fill in the lenght into IkePacket header and transfer Host order to= Network order. - // - IkePacket->Header->Length =3D (UINT32) (sizeof (IKE_HEADER) + IkePacke= t->PayloadTotalSize); - IkeHdrHostToNet (IkePacket->Header); - } - - // - // If the packet is first message, store whole message in IkeSa->InitiPa= cket - // for following Auth Payload calculation. 
- // - if (IkePacket->Header->ExchangeType =3D=3D IKEV2_EXCHANGE_TYPE_INIT) { - IkeSaSession =3D IKEV2_SA_SESSION_FROM_COMMON (SessionCommon); - if (SessionCommon->IsInitiator) { - IkeSaSession->InitPacketSize =3D IkePacket->PayloadTotalSize + sizeo= f (IKE_HEADER); - IkeSaSession->InitPacket =3D AllocateZeroPool (IkeSaSession->Ini= tPacketSize); - if (IkeSaSession->InitPacket =3D=3D NULL) { - return EFI_OUT_OF_RESOURCES; - } - - CopyMem (IkeSaSession->InitPacket, IkePacket->Header, sizeof (IKE_HE= ADER)); - PayloadTotalSize =3D 0; - for (Entry =3D IkePacket->PayloadList.ForwardLink; Entry !=3D &(IkeP= acket->PayloadList);) { - IkePayload =3D IKE_PAYLOAD_BY_PACKET (Entry); - Entry =3D Entry->ForwardLink; - CopyMem ( - IkeSaSession->InitPacket + sizeof (IKE_HEADER) + PayloadTotalSiz= e, - IkePayload->PayloadBuf, - IkePayload->PayloadSize - ); - PayloadTotalSize =3D PayloadTotalSize + IkePayload->PayloadSize; - } - } else { - IkeSaSession->RespPacketSize =3D IkePacket->PayloadTotalSize + sizeo= f(IKE_HEADER); - IkeSaSession->RespPacket =3D AllocateZeroPool (IkeSaSession->Res= pPacketSize); - if (IkeSaSession->RespPacket =3D=3D NULL) { - return EFI_OUT_OF_RESOURCES; - } - - CopyMem (IkeSaSession->RespPacket, IkePacket->Header, sizeof (IKE_HE= ADER)); - PayloadTotalSize =3D 0; - for (Entry =3D IkePacket->PayloadList.ForwardLink; Entry !=3D &(IkeP= acket->PayloadList);) { - IkePayload =3D IKE_PAYLOAD_BY_PACKET (Entry); - Entry =3D Entry->ForwardLink; - - CopyMem ( - IkeSaSession->RespPacket + sizeof (IKE_HEADER) + PayloadTotalSiz= e, - IkePayload->PayloadBuf, - IkePayload->PayloadSize - ); - PayloadTotalSize =3D PayloadTotalSize + IkePayload->PayloadSize; - } - } - } - - return Status; -} - -/** - Decrypt IKE packet. - - This function decrypts the Encrypted IKE packet and put the result into = IkePacket->PayloadBuf. - - @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON cont= aining - some parameter used during decryptin= g. 
- @param[in, out] IkePacket Pointer to IKE_PACKET to be decrypte= d as input, - and the decrypted result as output. - @param[in, out] IkeType The type of IKE. IKE_SA_TYPE, IKE_IN= FO_TYPE and - IKE_CHILD_TYPE are supportted. - - @retval EFI_INVALID_PARAMETER If the IKE packet length is zero or t= he - IKE packet length is not aligned with= Algorithm Block Size - @retval EFI_SUCCESS Decrypt IKE packet successfully. - -**/ -EFI_STATUS -Ikev2DecryptPacket ( - IN IKEV2_SESSION_COMMON *SessionCommon, - IN OUT IKE_PACKET *IkePacket, - IN OUT UINTN IkeType - ) -{ - UINT8 CryptBlockSize; // Encrypt Block Size - UINTN DecryptedSize; // Encrypted IKE Payload Size - UINT8 *DecryptedBuf; // Encrypted IKE Payload buf= fer - UINTN IntegritySize; - UINT8 *IntegrityBuffer; - UINTN IvSize; // Iv Size - UINT8 CheckSumSize; // Integrity Check Sum Size = depends on intergrity Auth - UINT8 *CheckSumData; // Check Sum data - IKEV2_SA_SESSION *IkeSaSession; - IKEV2_CHILD_SA_SESSION *ChildSaSession; - EFI_STATUS Status; - UINT8 PadLen; - HASH_DATA_FRAGMENT Fragments[1]; - - IvSize =3D 0; - IkeSaSession =3D NULL; - CryptBlockSize =3D 0; - CheckSumSize =3D 0; - - // - // Check if the first payload is the Encrypted payload - // - if (IkePacket->Header->NextPayload !=3D IKEV2_PAYLOAD_TYPE_ENCRYPT) { - return EFI_ACCESS_DENIED; - } - CheckSumData =3D NULL; - DecryptedBuf =3D NULL; - IntegrityBuffer =3D NULL; - - // - // Get the Block Size - // - if (SessionCommon->IkeSessionType =3D=3D IkeSessionTypeIkeSa) { - - CryptBlockSize =3D (UINT8) IpSecGetEncryptBlockSize ((UINT8) SessionCo= mmon->SaParams->EncAlgId); - - CheckSumSize =3D (UINT8) IpSecGetIcvLength ((UINT8) SessionCommon->S= aParams->IntegAlgId); - IkeSaSession =3D IKEV2_SA_SESSION_FROM_COMMON (SessionCommon); - - } else if (SessionCommon->IkeSessionType =3D=3D IkeSessionTypeChildSa) { - - ChildSaSession =3D IKEV2_CHILD_SA_SESSION_FROM_COMMON (SessionCommon); - IkeSaSession =3D ChildSaSession->IkeSaSession; - CryptBlockSize =3D (UINT8) 
IpSecGetEncryptBlockSize ((UINT8) IkeSaSess= ion->SessionCommon.SaParams->EncAlgId); - CheckSumSize =3D (UINT8) IpSecGetIcvLength ((UINT8) IkeSaSession->Se= ssionCommon.SaParams->IntegAlgId); - } else { - // - // The type of SA Session would either be IkeSa or ChildSa. - // - return EFI_INVALID_PARAMETER; - } - - CheckSumData =3D AllocateZeroPool (CheckSumSize); - if (CheckSumData =3D=3D NULL) { - Status =3D EFI_OUT_OF_RESOURCES; - goto ON_EXIT; - } - - // - // Fill in the Integrity buffer - // - IntegritySize =3D IkePacket->PayloadTotalSize + sizeof (IKE_HEADER); - IntegrityBuffer =3D AllocateZeroPool (IntegritySize); - if (IntegrityBuffer =3D=3D NULL) { - Status =3D EFI_OUT_OF_RESOURCES; - goto ON_EXIT; - } - - CopyMem (IntegrityBuffer, IkePacket->Header, sizeof(IKE_HEADER)); - CopyMem (IntegrityBuffer + sizeof (IKE_HEADER), IkePacket->PayloadsBuf, = IkePacket->PayloadTotalSize); - - // - // Change Host order to Network order, since the header order was changed - // in the IkePacketFromNetbuf. 
- // - IkeHdrHostToNet ((IKE_HEADER *)IntegrityBuffer); - - // - // Calculate the Integrity CheckSum Data - // - Fragments[0].Data =3D IntegrityBuffer; - Fragments[0].DataSize =3D IntegritySize - CheckSumSize; - - if (SessionCommon->IsInitiator) { - Status =3D IpSecCryptoIoHmac ( - (UINT8)IkeSaSession->SessionCommon.SaParams->IntegAlgId, - IkeSaSession->IkeKeys->SkArKey, - IkeSaSession->IkeKeys->SkArKeySize, - (HASH_DATA_FRAGMENT *) Fragments, - 1, - CheckSumData, - CheckSumSize - ); - } else { - Status =3D IpSecCryptoIoHmac ( - (UINT8)IkeSaSession->SessionCommon.SaParams->IntegAlgId, - IkeSaSession->IkeKeys->SkAiKey, - IkeSaSession->IkeKeys->SkAiKeySize, - (HASH_DATA_FRAGMENT *) Fragments, - 1, - CheckSumData, - CheckSumSize - ); - } - - if (EFI_ERROR (Status)) { - goto ON_EXIT; - } - // - // Compare the Integrity CheckSum Data with the one in IkePacket - // - if (CompareMem ( - IkePacket->PayloadsBuf + IkePacket->PayloadTotalSize - CheckSumSiz= e, - CheckSumData, - CheckSumSize - ) !=3D 0) { - DEBUG ((DEBUG_ERROR, "Error auth verify payload\n")); - Status =3D EFI_ACCESS_DENIED; - goto ON_EXIT; - } - - IvSize =3D CryptBlockSize; - - // - // Decrypt the payload with the key. 
- // - DecryptedSize =3D IkePacket->PayloadTotalSize - sizeof (IKEV2_COMMON_PAY= LOAD_HEADER) - IvSize - CheckSumSize; - DecryptedBuf =3D AllocateZeroPool (DecryptedSize); - if (DecryptedBuf =3D=3D NULL) { - Status =3D EFI_OUT_OF_RESOURCES; - goto ON_EXIT; - } - - CopyMem ( - DecryptedBuf, - IkePacket->PayloadsBuf + sizeof (IKEV2_COMMON_PAYLOAD_HEADER) + IvSize, - DecryptedSize - ); - - if (SessionCommon->IsInitiator) { - Status =3D IpSecCryptoIoDecrypt ( - (UINT8) SessionCommon->SaParams->EncAlgId, - IkeSaSession->IkeKeys->SkErKey, - IkeSaSession->IkeKeys->SkErKeySize << 3, - IkePacket->PayloadsBuf + sizeof (IKEV2_COMMON_PAYLOAD_HEADER= ), - DecryptedBuf, - DecryptedSize, - DecryptedBuf - ); - } else { - Status =3D IpSecCryptoIoDecrypt ( - (UINT8) SessionCommon->SaParams->EncAlgId, - IkeSaSession->IkeKeys->SkEiKey, - IkeSaSession->IkeKeys->SkEiKeySize << 3, - IkePacket->PayloadsBuf + sizeof (IKEV2_COMMON_PAYLOAD_HEADE= R), - DecryptedBuf, - DecryptedSize, - DecryptedBuf - ); - } - - if (EFI_ERROR (Status)) { - DEBUG ((DEBUG_ERROR, "Error decrypt buffer with %r\n", Status)); - goto ON_EXIT; - } - - // - // Get the Padding length - // - // - PadLen =3D (UINT8) (*(DecryptedBuf + DecryptedSize - sizeof (IKEV2_PAD_L= EN))); - - // - // Save the next payload of encrypted payload into IkePacket->Hdr->NextP= ayload - // - IkePacket->Header->NextPayload =3D ((IKEV2_ENCRYPTED *) IkePacket->Paylo= adsBuf)->Header.NextPayload; - - // - // Free old IkePacket->PayloadBuf and point it to decrypted paylaod buff= er. 
- // - FreePool (IkePacket->PayloadsBuf); - IkePacket->PayloadsBuf =3D DecryptedBuf; - IkePacket->PayloadTotalSize =3D DecryptedSize - PadLen; - - IPSEC_DUMP_BUF ("Decrypted Buffer", DecryptedBuf, DecryptedSize); - - -ON_EXIT: - if (CheckSumData !=3D NULL) { - FreePool (CheckSumData); - } - - if (EFI_ERROR (Status) && DecryptedBuf !=3D NULL) { - FreePool (DecryptedBuf); - } - - if (IntegrityBuffer !=3D NULL) { - FreePool (IntegrityBuffer); - } - - return Status; -} - -/** - Encrypt IKE packet. - - This function encrypt IKE packet before sending it. The Encrypted IKE pa= cket - is put in to IKEV2 Encrypted Payload. - - @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON rela= ted to the IKE packet. - @param[in, out] IkePacket Pointer to IKE packet to be encrypte= d. - - @retval EFI_SUCCESS Operation is successful. - @retval Others Operation is failed. - -**/ -EFI_STATUS -Ikev2EncryptPacket ( - IN IKEV2_SESSION_COMMON *SessionCommon, - IN OUT IKE_PACKET *IkePacket - ) -{ - UINT8 CryptBlockSize; // Encrypt Block Size - UINT8 CryptBlockSizeMask; // Block Mask - UINTN EncryptedSize; // Encrypted IKE Payload Size - UINT8 *EncryptedBuf; // Encrypted IKE Payload buf= fer - UINT8 *EncryptPayloadBuf; // Contain whole Encrypted P= ayload - UINTN EncryptPayloadSize; // Total size of the Encrypt= ed payload - UINT8 *IntegrityBuf; // Buffer to be intergity - UINT8 *IvBuffer; // Initialization Vector - UINT8 IvSize; // Iv Size - UINT8 CheckSumSize; // Integrity Check Sum Size = depends on intergrity Auth - UINT8 *CheckSumData; // Check Sum data - UINTN Index; - IKE_PAYLOAD *EncryptPayload; - IKEV2_SA_SESSION *IkeSaSession; - IKEV2_CHILD_SA_SESSION *ChildSaSession; - EFI_STATUS Status; - LIST_ENTRY *Entry; - IKE_PAYLOAD *IkePayload; - HASH_DATA_FRAGMENT Fragments[1]; - - Status =3D EFI_SUCCESS; - - // - // Initial all buffers to NULL. 
- // - EncryptedBuf =3D NULL; - EncryptPayloadBuf =3D NULL; - IvBuffer =3D NULL; - CheckSumData =3D NULL; - IkeSaSession =3D NULL; - CryptBlockSize =3D 0; - CheckSumSize =3D 0; - IntegrityBuf =3D NULL; - // - // Get the Block Size - // - if (SessionCommon->IkeSessionType =3D=3D IkeSessionTypeIkeSa) { - - CryptBlockSize =3D (UINT8) IpSecGetEncryptBlockSize ((UINT8) SessionCo= mmon->SaParams->EncAlgId); - CheckSumSize =3D (UINT8) IpSecGetIcvLength ((UINT8) SessionCommon->S= aParams->IntegAlgId); - IkeSaSession =3D IKEV2_SA_SESSION_FROM_COMMON (SessionCommon); - - } else if (SessionCommon->IkeSessionType =3D=3D IkeSessionTypeChildSa) { - - ChildSaSession =3D IKEV2_CHILD_SA_SESSION_FROM_COMMON (SessionCommon); - IkeSaSession =3D ChildSaSession->IkeSaSession; - CryptBlockSize =3D (UINT8) IpSecGetEncryptBlockSize ((UINT8) IkeSaSess= ion->SessionCommon.SaParams->EncAlgId); - CheckSumSize =3D (UINT8) IpSecGetIcvLength ((UINT8) IkeSaSession->Se= ssionCommon.SaParams->IntegAlgId); - } - - // - // Calcualte the EncryptPayloadSize and the PAD length - // - CryptBlockSizeMask =3D (UINT8) (CryptBlockSize - 1); - EncryptedSize =3D (IkePacket->PayloadTotalSize + sizeof (IKEV2_PAD= _LEN) + CryptBlockSizeMask) & ~CryptBlockSizeMask; - EncryptedBuf =3D (UINT8 *) AllocateZeroPool (EncryptedSize); - if (EncryptedBuf =3D=3D NULL) { - Status =3D EFI_OUT_OF_RESOURCES; - goto ON_EXIT; - } - - // - // Copy all payload into EncryptedIkePayload - // - Index =3D 0; - NET_LIST_FOR_EACH (Entry, &(IkePacket)->PayloadList) { - IkePayload =3D IKE_PAYLOAD_BY_PACKET (Entry); - - CopyMem (EncryptedBuf + Index, IkePayload->PayloadBuf, IkePayload->Pay= loadSize); - Index +=3D IkePayload->PayloadSize; - - }; - - // - // Fill in the Pading Length - // - *(EncryptedBuf + EncryptedSize - 1) =3D (UINT8)(EncryptedSize - IkePacke= t->PayloadTotalSize - 1); - - // - // The IV size is equal with block size - // - IvSize =3D CryptBlockSize; - IvBuffer =3D (UINT8 *) AllocateZeroPool (IvSize); - if (IvBuffer =3D=3D 
NULL) { - Status =3D EFI_OUT_OF_RESOURCES; - goto ON_EXIT; - } - - // - // Generate IV - // - IkeGenerateIv (IvBuffer, IvSize); - - // - // Encrypt payload buf - // - if (SessionCommon->IsInitiator) { - Status =3D IpSecCryptoIoEncrypt ( - (UINT8) IkeSaSession->SessionCommon.SaParams->EncAlgId, - IkeSaSession->IkeKeys->SkEiKey, - IkeSaSession->IkeKeys->SkEiKeySize << 3, - IvBuffer, - EncryptedBuf, - EncryptedSize, - EncryptedBuf - ); - } else { - Status =3D IpSecCryptoIoEncrypt ( - (UINT8) IkeSaSession->SessionCommon.SaParams->EncAlgId, - IkeSaSession->IkeKeys->SkErKey, - IkeSaSession->IkeKeys->SkErKeySize << 3, - IvBuffer, - EncryptedBuf, - EncryptedSize, - EncryptedBuf - ); - } - if (EFI_ERROR (Status)) { - goto ON_EXIT; - } - - // - // Allocate the buffer for the whole IKE payload (Encrypted Payload). - // - EncryptPayloadSize =3D sizeof(IKEV2_ENCRYPTED) + IvSize + EncryptedSize = + CheckSumSize; - EncryptPayloadBuf =3D AllocateZeroPool (EncryptPayloadSize); - if (EncryptPayloadBuf =3D=3D NULL) { - Status =3D EFI_OUT_OF_RESOURCES; - goto ON_EXIT; - } - - // - // Fill in Header of Encrypted Payload - // - ((IKEV2_ENCRYPTED *) EncryptPayloadBuf)->Header.NextPayload =3D IkePac= ket->Header->NextPayload; - ((IKEV2_ENCRYPTED *) EncryptPayloadBuf)->Header.PayloadLength =3D HTONS = ((UINT16)EncryptPayloadSize); - - // - // Fill in Iv - // - CopyMem (EncryptPayloadBuf + sizeof (IKEV2_ENCRYPTED), IvBuffer, IvSize); - - // - // Fill in encrypted data - // - CopyMem (EncryptPayloadBuf + sizeof (IKEV2_ENCRYPTED) + IvSize, Encrypte= dBuf, EncryptedSize); - - // - // Fill in the IKE Packet header - // - IkePacket->PayloadTotalSize =3D EncryptPayloadSize; - IkePacket->Header->Length =3D (UINT32) (sizeof (IKE_HEADER) + IkePa= cket->PayloadTotalSize); - IkePacket->Header->NextPayload =3D IKEV2_PAYLOAD_TYPE_ENCRYPT; - - IntegrityBuf =3D AllocateZeroPool (IkePacket->Header->= Length); - if (IntegrityBuf =3D=3D NULL) { - Status =3D EFI_OUT_OF_RESOURCES; - goto ON_EXIT; - } - 
IkeHdrHostToNet (IkePacket->Header); - - CopyMem (IntegrityBuf, IkePacket->Header, sizeof (IKE_HEADER)); - CopyMem (IntegrityBuf + sizeof (IKE_HEADER), EncryptPayloadBuf, EncryptP= ayloadSize); - - // - // Calcualte Integrity CheckSum - // - Fragments[0].Data =3D IntegrityBuf; - Fragments[0].DataSize =3D EncryptPayloadSize + sizeof (IKE_HEADER) - Che= ckSumSize; - - CheckSumData =3D AllocateZeroPool (CheckSumSize); - if (CheckSumData =3D=3D NULL) { - Status =3D EFI_OUT_OF_RESOURCES; - goto ON_EXIT; - } - if (SessionCommon->IsInitiator) { - - IpSecCryptoIoHmac ( - (UINT8)IkeSaSession->SessionCommon.SaParams->IntegAlgId, - IkeSaSession->IkeKeys->SkAiKey, - IkeSaSession->IkeKeys->SkAiKeySize, - (HASH_DATA_FRAGMENT *) Fragments, - 1, - CheckSumData, - CheckSumSize - ); - } else { - - IpSecCryptoIoHmac ( - (UINT8)IkeSaSession->SessionCommon.SaParams->IntegAlgId, - IkeSaSession->IkeKeys->SkArKey, - IkeSaSession->IkeKeys->SkArKeySize, - (HASH_DATA_FRAGMENT *) Fragments, - 1, - CheckSumData, - CheckSumSize - ); - } - - // - // Copy CheckSum into Encrypted Payload - // - CopyMem (EncryptPayloadBuf + EncryptPayloadSize - CheckSumSize, CheckSum= Data, CheckSumSize); - - IPSEC_DUMP_BUF ("Encrypted payload buffer", EncryptPayloadBuf, EncryptPa= yloadSize); - IPSEC_DUMP_BUF ("Integrith CheckSum Data", CheckSumData, CheckSumSize); - - // - // Clean all payload under IkePacket->PayloadList. - // - ClearAllPayloads (IkePacket); - - // - // Create Encrypted Payload and add into IkePacket->PayloadList - // - EncryptPayload =3D IkePayloadAlloc (); - if (EncryptPayload =3D=3D NULL) { - Status =3D EFI_OUT_OF_RESOURCES; - goto ON_EXIT; - } - - // - // Fill the encrypted payload into the IKE_PAYLOAD structure. 
- // - EncryptPayload->PayloadBuf =3D EncryptPayloadBuf; - EncryptPayload->PayloadSize =3D EncryptPayloadSize; - EncryptPayload->PayloadType =3D IKEV2_PAYLOAD_TYPE_ENCRYPT; - - IKE_PACKET_APPEND_PAYLOAD (IkePacket, EncryptPayload); - -ON_EXIT: - if (EncryptedBuf !=3D NULL) { - FreePool (EncryptedBuf); - } - - if (EFI_ERROR (Status) && EncryptPayloadBuf !=3D NULL) { - FreePool (EncryptPayloadBuf); - } - - if (IvBuffer !=3D NULL) { - FreePool (IvBuffer); - } - - if (CheckSumData !=3D NULL) { - FreePool (CheckSumData); - } - - if (IntegrityBuf !=3D NULL) { - FreePool (IntegrityBuf); - } - - return Status; -} - - -/** - - The notification function. It will be called when the related UDP_TX_TOK= EN's event - is signaled. - - This function frees the Net Buffer pointed to the input Packet. - - @param[in] Packet Pointer to Net buffer containing the sendin= g IKE packet. - @param[in] EndPoint Pointer to UDP_END_POINT containing the rem= ote and local - address information. - @param[in] IoStatus The Status of the related UDP_TX_TOKEN. - @param[in] Context Pointer to data passed from the caller. - -**/ -VOID -EFIAPI -Ikev2OnPacketSent ( - IN NET_BUF *Packet, - IN UDP_END_POINT *EndPoint, - IN EFI_STATUS IoStatus, - IN VOID *Context - ) -{ - IKE_PACKET *IkePacket; - IKEV2_SA_SESSION *IkeSaSession; - IKEV2_CHILD_SA_SESSION *ChildSaSession; - UINT8 Value; - IPSEC_PRIVATE_DATA *Private; - EFI_STATUS Status; - - IkePacket =3D (IKE_PACKET *) Context; - Private =3D NULL; - - if (EFI_ERROR (IoStatus)) { - DEBUG ((DEBUG_ERROR, "Error send the last packet in IkeSessionTypeIkeS= a with %r\n", IoStatus)); - } - - NetbufFree (Packet); - - if (IkePacket->IsDeleteInfo) { - // - // For each RemotePeerIP, there are only one IKESA. 
- // - IkeSaSession =3D Ikev2SaSessionLookup ( - &IkePacket->Private->Ikev2EstablishedList, - &IkePacket->RemotePeerIp - ); - if (IkeSaSession =3D=3D NULL) { - IkePacketFree (IkePacket); - return; - } - - Private =3D IkePacket->Private; - if (IkePacket->Spi !=3D 0 ) { - // - // At that time, the established Child SA still in eht ChildSaEstabl= ishSessionList. - // And meanwhile, if the Child SA is in the the ChildSa in Delete li= st, - // remove it from delete list and delete it direclty. - // - ChildSaSession =3D Ikev2ChildSaSessionLookupBySpi ( - &IkeSaSession->ChildSaEstablishSessionList, - IkePacket->Spi - ); - if (ChildSaSession !=3D NULL) { - Ikev2ChildSaSessionRemove ( - &IkeSaSession->DeleteSaList, - ChildSaSession->LocalPeerSpi, - IKEV2_DELET_CHILDSA_LIST - ); - - // - // Delete the Child SA. - // - Ikev2ChildSaSilentDelete ( - IkeSaSession, - IkePacket->Spi - ); - } - - } else { - // - // Delete the IKE SA - // - DEBUG ( - (DEBUG_INFO, - "\n------ deleted Packet (cookie_i, cookie_r):(0x%lx, 0x%lx)------= \n", - IkeSaSession->InitiatorCookie, - IkeSaSession->ResponderCookie) - ); - - RemoveEntryList (&IkeSaSession->BySessionTable); - Ikev2SaSessionFree (IkeSaSession); - } - } - IkePacketFree (IkePacket); - - // - // when all IKE SAs were disabled by calling "IPsecConfig -disable", the= IPsec status - // should be changed. - // - if (Private !=3D NULL && Private->IsIPsecDisabling) { - // - // After all IKE SAs were deleted, set the IPSEC_STATUS_DISABLED value= in - // IPsec status variable. - // - if (IsListEmpty (&Private->Ikev1EstablishedList) && IsListEmpty (&Priv= ate->Ikev2EstablishedList)) { - Value =3D IPSEC_STATUS_DISABLED; - Status =3D gRT->SetVariable ( - IPSECCONFIG_STATUS_NAME, - &gEfiIpSecConfigProtocolGuid, - EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_NON_VOLATI= LE, - sizeof (Value), - &Value - ); - if (!EFI_ERROR (Status)) { - // - // Set the DisabledFlag in Private data. 
- // - Private->IpSec.DisabledFlag =3D TRUE; - Private->IsIPsecDisabling =3D FALSE; - } - } - } -} - -/** - Send out IKEV2 packet. - - @param[in] IkeUdpService Pointer to IKE_UDP_SERVICE used to send th= e IKE packet. - @param[in] SessionCommon Pointer to IKEV1_SESSION_COMMON related to= the IKE packet. - @param[in] IkePacket Pointer to IKE_PACKET to be sent out. - @param[in] IkeType The type of IKE to point what's kind of th= e IKE - packet is to be sent out. IKE_SA_TYPE, IKE= _INFO_TYPE - and IKE_CHILD_TYPE are supportted. - - @retval EFI_SUCCESS The operation complete successfully. - @retval Otherwise The operation is failed. - -**/ -EFI_STATUS -Ikev2SendIkePacket ( - IN IKE_UDP_SERVICE *IkeUdpService, - IN UINT8 *SessionCommon, - IN IKE_PACKET *IkePacket, - IN UINTN IkeType - ) -{ - EFI_STATUS Status; - NET_BUF *IkePacketNetbuf; - UDP_END_POINT EndPoint; - IKEV2_SESSION_COMMON *Common; - - Common =3D (IKEV2_SESSION_COMMON *) SessionCommon; - - // - // Set the resend interval - // - if (Common->TimeoutInterval =3D=3D 0) { - Common->TimeoutInterval =3D IKE_DEFAULT_TIMEOUT_INTERVAL; - } - - // - // Retransfer the packet if it is initial packet. - // - if (IkePacket->Header->Flags =3D=3D IKE_HEADER_FLAGS_INIT) { - // - // Set timer for next retry, this will cancel previous timer - // - Status =3D gBS->SetTimer ( - Common->TimeoutEvent, - TimerRelative, - MultU64x32 (Common->TimeoutInterval, 10000) // ms->100= ns - ); - if (EFI_ERROR (Status)) { - return Status; - } - } - - IKE_PACKET_REF (IkePacket); - // - // If the last sent packet is same with this round packet, the packet is= resent packet. 
- // - if (IkePacket !=3D Common->LastSentPacket && Common->LastSentPacket !=3D= NULL) { - IkePacketFree (Common->LastSentPacket); - } - - Common->LastSentPacket =3D IkePacket; - - // - // Transform IkePacke to NetBuf - // - IkePacketNetbuf =3D IkeNetbufFromPacket ((UINT8 *) SessionCommon, IkePac= ket, IkeType); - if (IkePacketNetbuf =3D=3D NULL) { - return EFI_OUT_OF_RESOURCES; - } - - ZeroMem (&EndPoint, sizeof (UDP_END_POINT)); - EndPoint.RemotePort =3D IKE_DEFAULT_PORT; - CopyMem (&IkePacket->RemotePeerIp, &Common->RemotePeerIp, sizeof (EFI_IP= _ADDRESS)); - CopyMem (&EndPoint.RemoteAddr, &Common->RemotePeerIp, sizeof (EFI_IP_ADD= RESS)); - CopyMem (&EndPoint.LocalAddr, &Common->LocalPeerIp, sizeof (EFI_IP_ADDRE= SS)); - - IPSEC_DUMP_PACKET (IkePacket, EfiIPsecOutBound, IkeUdpService->IpVersion= ); - - if (IkeUdpService->IpVersion =3D=3D IP_VERSION_4) { - EndPoint.RemoteAddr.Addr[0] =3D HTONL (EndPoint.RemoteAddr.Addr[0]); - EndPoint.LocalAddr.Addr[0] =3D HTONL (EndPoint.LocalAddr.Addr[0]); - } - - // - // Call UDPIO to send out the IKE packet. - // - Status =3D UdpIoSendDatagram ( - IkeUdpService->Output, - IkePacketNetbuf, - &EndPoint, - NULL, - Ikev2OnPacketSent, - (VOID*)IkePacket - ); - - if (EFI_ERROR (Status)) { - DEBUG ((DEBUG_ERROR, "Error send packet with %r\n", Status)); - } - - return Status; -} - diff --git a/NetworkPkg/IpSecDxe/Ikev2/Payload.h b/NetworkPkg/IpSecDxe/Ikev= 2/Payload.h deleted file mode 100644 index 1f3cc328bd..0000000000 --- a/NetworkPkg/IpSecDxe/Ikev2/Payload.h +++ /dev/null @@ -1,437 +0,0 @@ -/** @file - The Definitions related to IKEv2 payload. - - Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.
- - SPDX-License-Identifier: BSD-2-Clause-Patent - -**/ -#ifndef _IKE_V2_PAYLOAD_H_ -#define _IKE_V2_PAYLOAD_H_ - -// -// Payload Type for IKEv2 -// -#define IKEV2_PAYLOAD_TYPE_NONE 0 -#define IKEV2_PAYLOAD_TYPE_SA 33 -#define IKEV2_PAYLOAD_TYPE_KE 34 -#define IKEV2_PAYLOAD_TYPE_ID_INIT 35 -#define IKEV2_PAYLOAD_TYPE_ID_RSP 36 -#define IKEV2_PAYLOAD_TYPE_CERT 37 -#define IKEV2_PAYLOAD_TYPE_CERTREQ 38 -#define IKEV2_PAYLOAD_TYPE_AUTH 39 -#define IKEV2_PAYLOAD_TYPE_NONCE 40 -#define IKEV2_PAYLOAD_TYPE_NOTIFY 41 -#define IKEV2_PAYLOAD_TYPE_DELETE 42 -#define IKEV2_PAYLOAD_TYPE_VENDOR 43 -#define IKEV2_PAYLOAD_TYPE_TS_INIT 44 -#define IKEV2_PAYLOAD_TYPE_TS_RSP 45 -#define IKEV2_PAYLOAD_TYPE_ENCRYPT 46 -#define IKEV2_PAYLOAD_TYPE_CP 47 -#define IKEV2_PAYLOAD_TYPE_EAP 48 - -// -// IKE header Flag (1 octet) for IKEv2, defined in RFC 4306 section 3.1 -// -// I(nitiator) (bit 3 of Flags, 0x08) - This bit MUST be set in messages s= ent by the -// original initiator of the IKE_SA -// -// R(esponse) (bit 5 of Flags, 0x20) - This bit indicates that this messa= ge is a response to -// a message containing the same mess= age ID. 
-// -#define IKE_HEADER_FLAGS_INIT 0x08 -#define IKE_HEADER_FLAGS_RESPOND 0x20 - -// -// IKE Header Exchange Type for IKEv2 -// -#define IKEV2_EXCHANGE_TYPE_INIT 34 -#define IKEV2_EXCHANGE_TYPE_AUTH 35 -#define IKEV2_EXCHANGE_TYPE_CREATE_CHILD 36 -#define IKEV2_EXCHANGE_TYPE_INFO 37 - -#pragma pack(1) -typedef struct { - UINT8 NextPayload; - UINT8 Reserved; - UINT16 PayloadLength; -} IKEV2_COMMON_PAYLOAD_HEADER; -#pragma pack() - -#pragma pack(1) -typedef struct { - IKEV2_COMMON_PAYLOAD_HEADER Header; - // - // Proposals - // -} IKEV2_SA; -#pragma pack() - -#pragma pack(1) -typedef struct { - IKEV2_COMMON_PAYLOAD_HEADER Header; - UINT8 ProposalIndex; - UINT8 ProtocolId; - UINT8 SpiSize; - UINT8 NumTransforms; -} IKEV2_PROPOSAL; -#pragma pack() - -// -// IKEv2 Transform Type Values presented within Transform Payload -// -#define IKEV2_TRANSFORM_TYPE_ENCR 1 // Encryption Algorithm -#define IKEV2_TRANSFORM_TYPE_PRF 2 // Pseduo-Random Func -#define IKEV2_TRANSFORM_TYPE_INTEG 3 // Integrity Algorithm -#define IKEV2_TRANSFORM_TYPE_DH 4 // DH Group -#define IKEV2_TRANSFORM_TYPE_ESN 5 // Extended Sequence Number - -// -// IKEv2 Transform ID for Encrypt Algorithm (ENCR) -// -#define IKEV2_TRANSFORM_ID_ENCR_DES_IV64 1 -#define IKEV2_TRANSFORM_ID_ENCR_DES 2 -#define IKEV2_TRANSFORM_ID_ENCR_3DES 3 -#define IKEV2_TRANSFORM_ID_ENCR_RC5 4 -#define IKEV2_TRANSFORM_ID_ENCR_IDEA 5 -#define IKEV2_TRANSFORM_ID_ENCR_CAST 6 -#define IKEV2_TRANSFORM_ID_ENCR_BLOWFISH 7 -#define IKEV2_TRANSFORM_ID_ENCR_3IDEA 8 -#define IKEV2_TRANSFORM_ID_ENCR_DES_IV32 9 -#define IKEV2_TRANSFORM_ID_ENCR_NULL 11 -#define IKEV2_TRANSFORM_ID_ENCR_AES_CBC 12 -#define IKEV2_TRANSFORM_ID_ENCR_AES_CTR 13 - -// -// IKEv2 Transform ID for Pseudo-Random Function (PRF) -// -#define IKEV2_TRANSFORM_ID_PRF_HMAC_MD5 1 -#define IKEV2_TRANSFORM_ID_PRF_HMAC_SHA1 2 -#define IKEV2_TRANSFORM_ID_PRF_HMAC_TIGER 3 -#define IKEV2_TRANSFORM_ID_PRF_AES128_XCBC 4 - -// -// IKEv2 Transform ID for Integrity Algorithm (INTEG) -// 
-#define IKEV2_TRANSFORM_ID_AUTH_NONE 0 -#define IKEV2_TRANSFORM_ID_AUTH_HMAC_MD5_96 1 -#define IKEV2_TRANSFORM_ID_AUTH_HMAC_SHA1_96 2 -#define IKEV2_TRANSFORM_ID_AUTH_HMAC_DES_MAC 3 -#define IKEV2_TRANSFORM_ID_AUTH_HMAC_KPDK_MD5 4 -#define IKEV2_TRANSFORM_ID_AUTH_HMAC_AES_XCBC_96 5 - -// -// IKEv2 Transform ID for Diffie-Hellman Group (DH) -// -#define IKEV2_TRANSFORM_ID_DH_768MODP 1 -#define IKEV2_TRANSFORM_ID_DH_1024MODP 2 -#define IKEV2_TRANSFORM_ID_DH_2048MODP 14 - -// -// IKEv2 Attribute Type Values -// -#define IKEV2_ATTRIBUTE_TYPE_KEYLEN 14 - -// -// Transform Payload -// -#pragma pack(1) -typedef struct { - IKEV2_COMMON_PAYLOAD_HEADER Header; - UINT8 TransformType; - UINT8 Reserved; - UINT16 TransformId; - // - // SA Attributes - // -} IKEV2_TRANSFORM; -#pragma pack() - -#pragma pack(1) -typedef struct { - IKEV2_COMMON_PAYLOAD_HEADER Header; - UINT16 DhGroup; - UINT16 Reserved; - // - // Remaining part contains the key exchanged - // -} IKEV2_KEY_EXCHANGE; -#pragma pack() - -// -// Identification Type Values presented within Ikev2 ID payload -// -#define IKEV2_ID_TYPE_IPV4_ADDR 1 -#define IKEV2_ID_TYPE_FQDN 2 -#define IKEV2_ID_TYPE_RFC822_ADDR 3 -#define IKEV2_ID_TYPE_IPV6_ADDR 5 -#define IKEV2_ID_TYPE_DER_ASN1_DN 9 -#define IKEV2_ID_TYPE_DER_ASN1_GN 10 -#define IKEV2_ID_TYPE_KEY_ID 11 - -// -// Identification Payload -// -#pragma pack(1) -typedef struct { - IKEV2_COMMON_PAYLOAD_HEADER Header; - UINT8 IdType; - UINT8 Reserver1; - UINT16 Reserver2; - // - // Identification Data - // -} IKEV2_ID; -#pragma pack() - -// -// Encoding Type presented in IKEV2 Cert Payload -// -#define IKEV2_CERT_ENCODEING_RESERVED 0 -#define IKEV2_CERT_ENCODEING_X509_CERT_WRAP 1 -#define IKEV2_CERT_ENCODEING_PGP_CERT 2 -#define IKEV2_CERT_ENCODEING_DNS_SIGN_KEY 3 -#define IKEV2_CERT_ENCODEING_X509_CERT_SIGN 4 -#define IKEV2_CERT_ENCODEING_KERBEROS_TOKEN 6 -#define IKEV2_CERT_ENCODEING_REVOCATION_LIST_CERT 7 -#define IKEV2_CERT_ENCODEING_AUTH_REVOCATION_LIST 8 -#define 
IKEV2_CERT_ENCODEING_SPKI_CERT 9 -#define IKEV2_CERT_ENCODEING_X509_CERT_ATTRIBUTE 10 -#define IKEV2_CERT_ENCODEING_RAW_RSA_KEY 11 -#define IKEV2_CERT_ENCODEING_HASH_AND_URL_OF_X509_CERT 12 - -// -// IKEV2 Certificate Payload -// -#pragma pack(1) -typedef struct { - IKEV2_COMMON_PAYLOAD_HEADER Header; - UINT8 CertEncoding; - // - // Cert Data - // -} IKEV2_CERT; -#pragma pack() - -// -// IKEV2 Certificate Request Payload -// -#pragma pack(1) -typedef struct { - IKEV2_COMMON_PAYLOAD_HEADER Header; - UINT8 CertEncoding; - // - // Cert Authority - // -} IKEV2_CERT_REQ; -#pragma pack() - -// -// Authentication Payload -// -#pragma pack(1) -typedef struct { - IKEV2_COMMON_PAYLOAD_HEADER Header; - UINT8 AuthMethod; - UINT8 Reserved1; - UINT16 Reserved2; - // - // Auth Data - // -} IKEV2_AUTH; -#pragma pack() - -// -// Authmethod in Authentication Payload -// -#define IKEV2_AUTH_METHOD_RSA 1; // RSA Digital Signature -#define IKEV2_AUTH_METHOD_SKMI 2; // Shared Key Message Integrity -#define IKEV2_AUTH_METHOD_DSS 3; // DSS Digital Signature - -// -// IKEv2 Nonce Payload -// -#pragma pack(1) -typedef struct { - IKEV2_COMMON_PAYLOAD_HEADER Header; - // - // Nonce Data - // -} IKEV2_NONCE; -#pragma pack() - -// -// Notification Payload -// -#pragma pack(1) -typedef struct { - IKEV2_COMMON_PAYLOAD_HEADER Header; - UINT8 ProtocolId; - UINT8 SpiSize; - UINT16 MessageType; - // - // SPI and Notification Data - // -} IKEV2_NOTIFY; -#pragma pack() - -// -// Notify Message Types presented within IKEv2 Notify Payload -// -#define IKEV2_NOTIFICATION_UNSUPPORT_CRITICAL_PAYLOAD 1 -#define IKEV2_NOTIFICATION_INVALID_IKE_SPI 4 -#define IKEV2_NOTIFICATION_INVALID_MAJOR_VERSION 5 -#define IKEV2_NOTIFICATION_INVALID_SYNTAX 7 -#define IKEV2_NOTIFICATION_INVALID_MESSAGE_ID 9 -#define IKEV2_NOTIFICATION_INVALID_SPI 11 -#define IKEV2_NOTIFICATION_NO_PROPOSAL_CHOSEN 14 -#define IKEV2_NOTIFICATION_INVALID_KEY_PAYLOAD 17 -#define IKEV2_NOTIFICATION_AUTHENTICATION_FAILED 24 -#define 
IKEV2_NOTIFICATION_SINGLE_PAIR_REQUIRED 34 -#define IKEV2_NOTIFICATION_NO_ADDITIONAL_SAS 35 -#define IKEV2_NOTIFICATION_INTERNAL_ADDRESS_FAILURE 36 -#define IKEV2_NOTIFICATION_FAILED_CP_REQUIRED 37 -#define IKEV2_NOTIFICATION_TS_UNCCEPTABLE 38 -#define IKEV2_NOTIFICATION_INVALID_SELECTORS 39 -#define IKEV2_NOTIFICATION_COOKIE 16390 -#define IKEV2_NOTIFICATION_USE_TRANSPORT_MODE 16391 -#define IKEV2_NOTIFICATION_REKEY_SA 16393 - -// -// IKEv2 Protocol ID -// -// -// IKEv2 Delete Payload -// -#pragma pack(1) -typedef struct { - IKEV2_COMMON_PAYLOAD_HEADER Header; - UINT8 ProtocolId; - UINT8 SpiSize; - UINT16 NumSpis; - // - // SPIs - // -} IKEV2_DELETE; -#pragma pack() - -// -// Traffic Selector Payload -// -#pragma pack(1) -typedef struct { - IKEV2_COMMON_PAYLOAD_HEADER Header; - UINT8 TSNumbers; - UINT8 Reserved1; - UINT16 Reserved2; - // - // Traffic Selector - // -} IKEV2_TS; -#pragma pack() - -// -// Traffic Selector -// -#pragma pack(1) -typedef struct { - UINT8 TSType; - UINT8 IpProtocolId; - UINT16 SelecorLen; - UINT16 StartPort; - UINT16 EndPort; - // - // Starting Address && Ending Address - // -} TRAFFIC_SELECTOR; -#pragma pack() - -// -// Ts Type in Traffic Selector -// -#define IKEV2_TS_TYPE_IPV4_ADDR_RANGE 7 -#define IKEV2_TS_TYPS_IPV6_ADDR_RANGE 8 - -// -// Vendor Payload -// -#pragma pack(1) -typedef struct { - IKEV2_COMMON_PAYLOAD_HEADER Header; - // - // Vendor ID - // -} IKEV2_VENDOR; -#pragma pack() - -// -// Encrypted Payload -// -#pragma pack(1) -typedef struct { - IKEV2_COMMON_PAYLOAD_HEADER Header; - // - // IV, Encrypted IKE Payloads, Padding, PAD length, Integrity CheckSum - // -} IKEV2_ENCRYPTED; -#pragma pack() - -#pragma pack(1) -typedef struct { - UINT8 PadLength; -} IKEV2_PAD_LEN; -#pragma pack() - -// -// Configuration Payload -// -#pragma pack(1) -typedef struct { - IKEV2_COMMON_PAYLOAD_HEADER Header; - UINT8 CfgType; - UINT8 Reserve1; - UINT16 Reserve2; - // - // Configuration Attributes - // -} IKEV2_CFG; -#pragma pack() - -// -// 
Configuration Payload CPG type -// -#define IKEV2_CFG_TYPE_REQUEST 1 -#define IKEV2_CFG_TYPE_REPLY 2 -#define IKEV2_CFG_TYPE_SET 3 -#define IKEV2_CFG_TYPE_ACK 4 - -// -// Configuration Attributes -// -#pragma pack(1) -typedef struct { - UINT16 AttritType; - UINT16 ValueLength; -} IKEV2_CFG_ATTRIBUTES; -#pragma pack() - -// -// Configuration Attributes -// -#define IKEV2_CFG_ATTR_INTERNAL_IP4_ADDRESS 1 -#define IKEV2_CFG_ATTR_INTERNAL_IP4_NBTMASK 2 -#define IKEV2_CFG_ATTR_INTERNAL_IP4_DNS 3 -#define IKEV2_CFG_ATTR_INTERNAL_IP4_NBNS 4 -#define IKEV2_CFG_ATTR_INTERNA_ADDRESS_BXPIRY 5 -#define IKEV2_CFG_ATTR_INTERNAL_IP4_DHCP 6 -#define IKEV2_CFG_ATTR_APPLICATION_VERSION 7 -#define IKEV2_CFG_ATTR_INTERNAL_IP6_ADDRESS 8 -#define IKEV2_CFG_ATTR_INTERNAL_IP6_DNS 10 -#define IKEV2_CFG_ATTR_INTERNAL_IP6_NBNS 11 -#define IKEV2_CFG_ATTR_INTERNAL_IP6_DHCP 12 -#define IKEV2_CFG_ATTR_INTERNAL_IP4_SUBNET 13 -#define IKEV2_CFG_ATTR_SUPPORTED_ATTRIBUTES 14 -#define IKEV2_CFG_ATTR_IP6_SUBNET 15 - -#endif - diff --git a/NetworkPkg/IpSecDxe/Ikev2/Sa.c b/NetworkPkg/IpSecDxe/Ikev2/Sa.c deleted file mode 100644 index d833f06a58..0000000000 --- a/NetworkPkg/IpSecDxe/Ikev2/Sa.c +++ /dev/null @@ -1,2255 +0,0 @@ -/** @file - The operations for IKEv2 SA. - - (C) Copyright 2015 Hewlett-Packard Development Company, L.P.
- Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.
- - SPDX-License-Identifier: BSD-2-Clause-Patent - -**/ - -#include "Utility.h" -#include "IpSecDebug.h" -#include "IkeService.h" -#include "Ikev2.h" - -/** - Generates the DH Key. - - This generates the DH local public key and store it in the IKEv2 SA Sess= ion's GxBuffer. - - @param[in] IkeSaSession Pointer to related IKE SA Session. - - @retval EFI_SUCCESS The operation succeeded. - @retval Others The operation failed. - -**/ -EFI_STATUS -Ikev2GenerateSaDhPublicKey ( - IN IKEV2_SA_SESSION *IkeSaSession - ); - -/** - Generates the IKEv2 SA key for the furthure IKEv2 exchange. - - @param[in] IkeSaSession Pointer to IKEv2 SA Session. - @param[in] KePayload Pointer to Key payload used to generate t= he Key. - - @retval EFI_UNSUPPORTED If the Algorithm Id is not supported. - @retval EFI_SUCCESS The operation succeeded. - -**/ -EFI_STATUS -Ikev2GenerateSaKeys ( - IN IKEV2_SA_SESSION *IkeSaSession, - IN IKE_PAYLOAD *KePayload - ); - -/** - Generates the Keys for the furthure IPsec Protocol. - - @param[in] ChildSaSession Pointer to IKE Child SA Session. - @param[in] KePayload Pointer to Key payload used to generate t= he Key. - - @retval EFI_UNSUPPORTED If one or more Algorithm Id is unsupported. - @retval EFI_SUCCESS The operation succeeded. - -**/ -EFI_STATUS -Ikev2GenerateChildSaKeys ( - IN IKEV2_CHILD_SA_SESSION *ChildSaSession, - IN IKE_PAYLOAD *KePayload - ); - -/** - Gernerates IKEv2 packet for IKE_SA_INIT exchange. - - @param[in] SaSession Pointer to IKEV2_SA_SESSION related to the exchang= e. - @param[in] Context Context Data passed by caller. - - @retval EFI_SUCCESS The IKEv2 packet generation succeeded. - @retval Others The IKEv2 packet generation failed. 
- -**/ -IKE_PACKET * -Ikev2InitPskGenerator ( - IN UINT8 *SaSession, - IN VOID *Context - ) -{ - IKE_PACKET *IkePacket; - IKEV2_SA_SESSION *IkeSaSession; - IKE_PAYLOAD *SaPayload; - IKE_PAYLOAD *KePayload; - IKE_PAYLOAD *NoncePayload; - IKE_PAYLOAD *NotifyPayload; - EFI_STATUS Status; - - SaPayload =3D NULL; - KePayload =3D NULL; - NoncePayload =3D NULL; - NotifyPayload =3D NULL; - - IkeSaSession =3D (IKEV2_SA_SESSION *) SaSession; - - // - // 1. Allocate IKE packet - // - IkePacket =3D IkePacketAlloc (); - if (IkePacket =3D=3D NULL) { - goto CheckError; - } - - // - // 1.a Fill the IkePacket->Hdr - // - IkePacket->Header->ExchangeType =3D IKEV2_EXCHANGE_TYPE_INIT; - IkePacket->Header->InitiatorCookie =3D IkeSaSession->InitiatorCookie; - IkePacket->Header->ResponderCookie =3D IkeSaSession->ResponderCookie; - IkePacket->Header->Version =3D (UINT8) (2 << 4); - IkePacket->Header->MessageId =3D 0; - - if (IkeSaSession->SessionCommon.IsInitiator) { - IkePacket->Header->Flags =3D IKE_HEADER_FLAGS_INIT; - } else { - IkePacket->Header->Flags =3D IKE_HEADER_FLAGS_RESPOND; - } - - // - // If the NCookie is not NULL, this IKE_SA_INIT packet is resent by the = NCookie - // and the NCookie payload should be the first payload in this packet. - // - if (IkeSaSession->NCookie !=3D NULL) { - IkePacket->Header->NextPayload =3D IKEV2_PAYLOAD_TYPE_NOTIFY; - NotifyPayload =3D Ikev2GenerateNotifyPayload ( - IPSEC_PROTO_ISAKMP, - IKEV2_PAYLOAD_TYPE_SA, - 0, - IKEV2_NOTIFICATION_COOKIE, - NULL, - IkeSaSession->NCookie, - IkeSaSession->NCookieSize - ); - } else { - IkePacket->Header->NextPayload =3D IKEV2_PAYLOAD_TYPE_SA; - } - - // - // 2. Generate SA Payload according to the SaData & SaParams - // - SaPayload =3D Ikev2GenerateSaPayload ( - IkeSaSession->SaData, - IKEV2_PAYLOAD_TYPE_KE, - IkeSessionTypeIkeSa - ); - - // - // 3. Generate DH public key. - // The DhPrivate Key has been generated in Ikev2InitPskParser, if the - // IkeSaSession is responder. 
If resending IKE_SA_INIT with Cookie No= tify - // No need to recompute the Public key. - // - if ((IkeSaSession->SessionCommon.IsInitiator) && (IkeSaSession->NCookie = =3D=3D NULL)) { - Status =3D Ikev2GenerateSaDhPublicKey (IkeSaSession); - if (EFI_ERROR (Status)) { - goto CheckError; - } - } - - // - // 4. Generate KE Payload according to SaParams->DhGroup - // - KePayload =3D Ikev2GenerateKePayload ( - IkeSaSession, - IKEV2_PAYLOAD_TYPE_NONCE - ); - - // - // 5. Generate Nonce Payload - // If resending IKE_SA_INIT with Cookie Notify paylaod, no need to re= generate - // the Nonce Payload. - // - if ((IkeSaSession->SessionCommon.IsInitiator) && (IkeSaSession->NCookie = =3D=3D NULL)) { - IkeSaSession->NiBlkSize =3D IKE_NONCE_SIZE; - IkeSaSession->NiBlock =3D IkeGenerateNonce (IKE_NONCE_SIZE); - if (IkeSaSession->NiBlock =3D=3D NULL) { - goto CheckError; - } - } - - if (IkeSaSession->SessionCommon.IsInitiator) { - NoncePayload =3D Ikev2GenerateNoncePayload ( - IkeSaSession->NiBlock, - IkeSaSession->NiBlkSize, - IKEV2_PAYLOAD_TYPE_NONE - ); - } else { - // - // The Nonce Payload has been created in Ikev2PskParser if the IkeSaSe= ssion is - // responder. - // - NoncePayload =3D Ikev2GenerateNoncePayload ( - IkeSaSession->NrBlock, - IkeSaSession->NrBlkSize, - IKEV2_PAYLOAD_TYPE_NONE - ); - } - - if (NotifyPayload !=3D NULL) { - IKE_PACKET_APPEND_PAYLOAD (IkePacket, NotifyPayload); - } - if (SaPayload !=3D NULL) { - IKE_PACKET_APPEND_PAYLOAD (IkePacket, SaPayload); - } - if (KePayload !=3D NULL) { - IKE_PACKET_APPEND_PAYLOAD (IkePacket, KePayload); - } - if (NoncePayload !=3D NULL) { - IKE_PACKET_APPEND_PAYLOAD (IkePacket, NoncePayload); - } - - return IkePacket; - -CheckError: - if (IkePacket !=3D NULL) { - IkePacketFree (IkePacket); - } - if (SaPayload !=3D NULL) { - IkePayloadFree (SaPayload); - } - return NULL; -} - -/** - Parses the IKEv2 packet for IKE_SA_INIT exchange. - - @param[in] SaSession Pointer to IKEV2_SA_SESSION related to the exchang= e. 
- @param[in] IkePacket The received IKE packet to be parsed. - - @retval EFI_SUCCESS The IKEv2 packet is acceptable and the re= lative data is - saved for furthure communication. - @retval EFI_INVALID_PARAMETER The IKEv2 packet is malformed or the SA p= roposal is unacceptable. - -**/ -EFI_STATUS -Ikev2InitPskParser ( - IN UINT8 *SaSession, - IN IKE_PACKET *IkePacket - ) -{ - IKEV2_SA_SESSION *IkeSaSession; - IKE_PAYLOAD *SaPayload; - IKE_PAYLOAD *KeyPayload; - IKE_PAYLOAD *IkePayload; - IKE_PAYLOAD *NoncePayload; - IKE_PAYLOAD *NotifyPayload; - UINT8 *NonceBuffer; - UINTN NonceSize; - LIST_ENTRY *Entry; - EFI_STATUS Status; - - IkeSaSession =3D (IKEV2_SA_SESSION *) SaSession; - KeyPayload =3D NULL; - SaPayload =3D NULL; - NoncePayload =3D NULL; - IkePayload =3D NULL; - NotifyPayload =3D NULL; - - // - // Iterate payloads to find the SaPayload and KeyPayload. - // - NET_LIST_FOR_EACH (Entry, &(IkePacket)->PayloadList) { - IkePayload =3D IKE_PAYLOAD_BY_PACKET (Entry); - if (IkePayload->PayloadType =3D=3D IKEV2_PAYLOAD_TYPE_SA) { - SaPayload =3D IkePayload; - } - if (IkePayload->PayloadType =3D=3D IKEV2_PAYLOAD_TYPE_KE) { - KeyPayload =3D IkePayload; - } - if (IkePayload->PayloadType =3D=3D IKEV2_PAYLOAD_TYPE_NONCE) { - NoncePayload =3D IkePayload; - } - if (IkePayload->PayloadType =3D=3D IKEV2_PAYLOAD_TYPE_NOTIFY) { - NotifyPayload =3D IkePayload; - } - } - - // - // According to RFC 4306 - 2.6. If the responder responds with the COOKI= E Notify - // payload with the cookie data, initiator MUST retry the IKE_SA_INIT wi= th a - // Notify payload of type COOKIE containing the responder suppplied cook= ie data - // as first payload and all other payloads unchanged. 
- // - if (IkeSaSession->SessionCommon.IsInitiator) { - if (NotifyPayload !=3D NULL && !EFI_ERROR(Ikev2ParserNotifyCookiePaylo= ad (NotifyPayload, IkeSaSession))) { - return EFI_SUCCESS; - } - } - - if ((KeyPayload =3D=3D NULL) || (SaPayload =3D=3D NULL) || (NoncePayload= =3D=3D NULL)) { - return EFI_INVALID_PARAMETER; - } - - // - // Store NoncePayload for SKEYID computing. - // - NonceSize =3D NoncePayload->PayloadSize - sizeof (IKEV2_COMMON_PAYLOAD= _HEADER); - NonceBuffer =3D (UINT8 *) AllocatePool (NonceSize); - if (NonceBuffer =3D=3D NULL) { - Status =3D EFI_OUT_OF_RESOURCES; - goto CheckError; - } - - CopyMem ( - NonceBuffer, - NoncePayload->PayloadBuf + sizeof (IKEV2_COMMON_PAYLOAD_HEADER), - NonceSize - ); - - // - // Check if IkePacket Header matches the state - // - if (IkeSaSession->SessionCommon.IsInitiator) { - // - // 1. Check the IkePacket->Hdr =3D=3D IKE_HEADER_FLAGS_RESPOND - // - if (IkePacket->Header->Flags !=3D IKE_HEADER_FLAGS_RESPOND) { - Status =3D EFI_INVALID_PARAMETER; - goto CheckError; - } - - // - // 2. Parse the SA Payload and Key Payload to find out the cryptograph= ic - // suite and fill in the Sa paramse into CommonSession->SaParams - // - if (!Ikev2SaParseSaPayload (IkeSaSession, SaPayload, IkePacket->Header= ->Flags)) { - Status =3D EFI_INVALID_PARAMETER; - goto CheckError; - } - - // - // 3. If Initiator, the NoncePayload is Nr_b. - // - IKEV2_DUMP_STATE (IkeSaSession->SessionCommon.State, IkeStateAuth); - IkeSaSession->NrBlock =3D NonceBuffer; - IkeSaSession->NrBlkSize =3D NonceSize; - IkeSaSession->SessionCommon.State =3D IkeStateAuth; - IkeSaSession->ResponderCookie =3D IkePacket->Header->ResponderCook= ie; - - // - // 4. Change the state of IkeSaSession - // - IkeSaSession->SessionCommon.State =3D IkeStateAuth; - } else { - // - // 1. Check the IkePacket->Hdr =3D=3D IKE_HEADER_FLAGS_INIT - // - if (IkePacket->Header->Flags !=3D IKE_HEADER_FLAGS_INIT) { - Status =3D EFI_INVALID_PARAMETER; - goto CheckError; - } - - // - // 2. 
Parse the SA payload and find out the perfered one - // and fill in the SA parameters into CommonSession->SaParams and S= aData into - // IkeSaSession for the responder SA payload generation. - // - if (!Ikev2SaParseSaPayload (IkeSaSession, SaPayload, IkePacket->Header= ->Flags)) { - Status =3D EFI_INVALID_PARAMETER; - goto CheckError; - } - - // - // 3. Generat Dh Y parivate Key - // - Status =3D Ikev2GenerateSaDhPublicKey (IkeSaSession); - if (EFI_ERROR (Status)) { - goto CheckError; - } - - // - // 4. If Responder, the NoncePayload is Ni_b and go to generate Nr_b. - // - IkeSaSession->NiBlock =3D NonceBuffer; - IkeSaSession->NiBlkSize =3D NonceSize; - - // - // 5. Generate Nr_b - // - IkeSaSession->NrBlock =3D IkeGenerateNonce (IKE_NONCE_SIZE); - ASSERT (IkeSaSession->NrBlock !=3D NULL); - IkeSaSession->NrBlkSize =3D IKE_NONCE_SIZE; - - // - // 6. Save the Cookies - // - IkeSaSession->InitiatorCookie =3D IkePacket->Header->InitiatorCookie; - IkeSaSession->ResponderCookie =3D IkeGenerateCookie (); - } - - if (IkeSaSession->SessionCommon.PreferDhGroup !=3D ((IKEV2_KEY_EXCHANGE = *)KeyPayload->PayloadBuf)->DhGroup) { - Status =3D EFI_INVALID_PARAMETER; - goto CheckError; - } - // - // Call Ikev2GenerateSaKeys to create SKEYID, SKEYID_d, SKEYID_a, SKEYID= _e. - // - Status =3D Ikev2GenerateSaKeys (IkeSaSession, KeyPayload); - if (EFI_ERROR(Status)) { - goto CheckError; - } - return EFI_SUCCESS; - -CheckError: - if (NonceBuffer !=3D NULL) { - FreePool (NonceBuffer); - } - - return Status; -} - -/** - Generates the IKEv2 packet for IKE_AUTH exchange. - - @param[in] SaSession Pointer to IKEV2_SA_SESSION. - @param[in] Context Context data passed by caller. - - @retval Pointer to IKE Packet to be sent out. 
- -**/ -IKE_PACKET * -Ikev2AuthPskGenerator ( - IN UINT8 *SaSession, - IN VOID *Context - ) -{ - IKE_PACKET *IkePacket; - IKEV2_SA_SESSION *IkeSaSession; - IKE_PAYLOAD *IdPayload; - IKE_PAYLOAD *AuthPayload; - IKE_PAYLOAD *SaPayload; - IKE_PAYLOAD *TsiPayload; - IKE_PAYLOAD *TsrPayload; - IKE_PAYLOAD *NotifyPayload; - IKE_PAYLOAD *CpPayload; - IKEV2_CHILD_SA_SESSION *ChildSaSession; - - - IkeSaSession =3D (IKEV2_SA_SESSION *) SaSession; - ChildSaSession =3D IKEV2_CHILD_SA_SESSION_BY_IKE_SA (GetFirstNode (&IkeS= aSession->ChildSaSessionList)); - - IkePacket =3D NULL; - IdPayload =3D NULL; - AuthPayload =3D NULL; - SaPayload =3D NULL; - TsiPayload =3D NULL; - TsrPayload =3D NULL; - NotifyPayload =3D NULL; - CpPayload =3D NULL; - NotifyPayload =3D NULL; - - // - // 1. Allocate IKE Packet - // - IkePacket=3D IkePacketAlloc (); - if (IkePacket =3D=3D NULL) { - return NULL; - } - - // - // 1.a Fill the IkePacket Header. - // - IkePacket->Header->ExchangeType =3D IKEV2_EXCHANGE_TYPE_AUTH; - IkePacket->Header->InitiatorCookie =3D IkeSaSession->InitiatorCookie; - IkePacket->Header->ResponderCookie =3D IkeSaSession->ResponderCookie; - IkePacket->Header->Version =3D (UINT8)(2 << 4); - if (ChildSaSession->SessionCommon.IsInitiator) { - IkePacket->Header->NextPayload =3D IKEV2_PAYLOAD_TYPE_ID_INIT; - } else { - IkePacket->Header->NextPayload =3D IKEV2_PAYLOAD_TYPE_ID_RSP; - } - - // - // According to RFC4306_2.2, For the IKE_SA_INIT message the MessageID s= hould - // be always number 0 and 1; - // - IkePacket->Header->MessageId =3D 1; - - if (IkeSaSession->SessionCommon.IsInitiator) { - IkePacket->Header->Flags =3D IKE_HEADER_FLAGS_INIT; - } else { - IkePacket->Header->Flags =3D IKE_HEADER_FLAGS_RESPOND; - } - - // - // 2. Generate ID Payload according to IP version and address. - // - IdPayload =3D Ikev2GenerateIdPayload ( - &IkeSaSession->SessionCommon, - IKEV2_PAYLOAD_TYPE_AUTH - ); - if (IdPayload =3D=3D NULL) { - goto CheckError; - } - - // - // 3. 
Generate Auth Payload - // If it is tunnel mode, should create the configuration payload afte= r the - // Auth payload. - // - if (IkeSaSession->Spd->Data->ProcessingPolicy->Mode =3D=3D EfiIPsecTrans= port) { - - AuthPayload =3D Ikev2PskGenerateAuthPayload ( - ChildSaSession->IkeSaSession, - IdPayload, - IKEV2_PAYLOAD_TYPE_SA, - FALSE - ); - } else { - AuthPayload =3D Ikev2PskGenerateAuthPayload ( - ChildSaSession->IkeSaSession, - IdPayload, - IKEV2_PAYLOAD_TYPE_CP, - FALSE - ); - if (IkeSaSession->SessionCommon.UdpService->IpVersion =3D=3D IP_VERSIO= N_4) { - CpPayload =3D Ikev2GenerateCpPayload ( - ChildSaSession->IkeSaSession, - IKEV2_PAYLOAD_TYPE_SA, - IKEV2_CFG_ATTR_INTERNAL_IP4_ADDRESS - ); - } else { - CpPayload =3D Ikev2GenerateCpPayload ( - ChildSaSession->IkeSaSession, - IKEV2_PAYLOAD_TYPE_SA, - IKEV2_CFG_ATTR_INTERNAL_IP6_ADDRESS - ); - } - - if (CpPayload =3D=3D NULL) { - goto CheckError; - } - } - - if (AuthPayload =3D=3D NULL) { - goto CheckError; - } - - // - // 4. Generate SA Payload according to the SA Data in ChildSaSession - // - SaPayload =3D Ikev2GenerateSaPayload ( - ChildSaSession->SaData, - IKEV2_PAYLOAD_TYPE_TS_INIT, - IkeSessionTypeChildSa - ); - if (SaPayload =3D=3D NULL) { - goto CheckError; - } - - if (IkeSaSession->Spd->Data->ProcessingPolicy->Mode =3D=3D EfiIPsecTrans= port) { - // - // Generate Tsi and Tsr. - // - TsiPayload =3D Ikev2GenerateTsPayload ( - ChildSaSession, - IKEV2_PAYLOAD_TYPE_TS_RSP, - FALSE - ); - - TsrPayload =3D Ikev2GenerateTsPayload ( - ChildSaSession, - IKEV2_PAYLOAD_TYPE_NOTIFY, - FALSE - ); - - // - // Generate Notify Payload. If transport mode, there should have Notify - // payload with TRANSPORT_MODE notification. - // - NotifyPayload =3D Ikev2GenerateNotifyPayload ( - 0, - IKEV2_PAYLOAD_TYPE_NONE, - 0, - IKEV2_NOTIFICATION_USE_TRANSPORT_MODE, - NULL, - NULL, - 0 - ); - if (NotifyPayload =3D=3D NULL) { - goto CheckError; - } - } else { - // - // Generate Tsr for Tunnel mode. 
- // - TsiPayload =3D Ikev2GenerateTsPayload ( - ChildSaSession, - IKEV2_PAYLOAD_TYPE_TS_RSP, - TRUE - ); - TsrPayload =3D Ikev2GenerateTsPayload ( - ChildSaSession, - IKEV2_PAYLOAD_TYPE_NONE, - FALSE - ); - } - - if (TsiPayload =3D=3D NULL || TsrPayload =3D=3D NULL) { - goto CheckError; - } - - IKE_PACKET_APPEND_PAYLOAD (IkePacket, IdPayload); - IKE_PACKET_APPEND_PAYLOAD (IkePacket, AuthPayload); - if (IkeSaSession->Spd->Data->ProcessingPolicy->Mode =3D=3D EfiIPsecTunne= l) { - IKE_PACKET_APPEND_PAYLOAD (IkePacket, CpPayload); - } - IKE_PACKET_APPEND_PAYLOAD (IkePacket, SaPayload); - IKE_PACKET_APPEND_PAYLOAD (IkePacket, TsiPayload); - IKE_PACKET_APPEND_PAYLOAD (IkePacket, TsrPayload); - if (IkeSaSession->Spd->Data->ProcessingPolicy->Mode =3D=3D EfiIPsecTrans= port) { - IKE_PACKET_APPEND_PAYLOAD (IkePacket, NotifyPayload); - } - - return IkePacket; - -CheckError: - if (IkePacket !=3D NULL) { - IkePacketFree (IkePacket); - } - - if (IdPayload !=3D NULL) { - IkePayloadFree (IdPayload); - } - - if (AuthPayload !=3D NULL) { - IkePayloadFree (AuthPayload); - } - - if (CpPayload !=3D NULL) { - IkePayloadFree (CpPayload); - } - - if (SaPayload !=3D NULL) { - IkePayloadFree (SaPayload); - } - - if (TsiPayload !=3D NULL) { - IkePayloadFree (TsiPayload); - } - - if (TsrPayload !=3D NULL) { - IkePayloadFree (TsrPayload); - } - - if (NotifyPayload !=3D NULL) { - IkePayloadFree (NotifyPayload); - } - - return NULL; -} - -/** - Parses IKE_AUTH packet. - - @param[in] SaSession Pointer to the IKE_SA_SESSION related to this pa= cket. - @param[in] IkePacket Pointer to the IKE_AUTH packet to be parsered. - - @retval EFI_INVALID_PARAMETER The IKE packet is malformed or the SA - proposal is unacceptable. - @retval EFI_SUCCESS The IKE packet is acceptable and the - relative data is saved for furthure = communication. 
- -**/ -EFI_STATUS -Ikev2AuthPskParser ( - IN UINT8 *SaSession, - IN IKE_PACKET *IkePacket - ) -{ - IKEV2_CHILD_SA_SESSION *ChildSaSession; - IKEV2_SA_SESSION *IkeSaSession; - IKE_PAYLOAD *IkePayload; - IKE_PAYLOAD *SaPayload; - IKE_PAYLOAD *IdiPayload; - IKE_PAYLOAD *IdrPayload; - IKE_PAYLOAD *AuthPayload; - IKE_PAYLOAD *TsiPayload; - IKE_PAYLOAD *TsrPayload; - IKE_PAYLOAD *VerifiedAuthPayload; - LIST_ENTRY *Entry; - EFI_STATUS Status; - - IkeSaSession =3D (IKEV2_SA_SESSION *) SaSession; - ChildSaSession =3D IKEV2_CHILD_SA_SESSION_BY_IKE_SA (GetFirstNode (&IkeS= aSession->ChildSaSessionList)); - - SaPayload =3D NULL; - IdiPayload =3D NULL; - IdrPayload =3D NULL; - AuthPayload =3D NULL; - TsiPayload =3D NULL; - TsrPayload =3D NULL; - - // - // Iterate payloads to find the SaPayload/ID/AUTH/TS Payload. - // - NET_LIST_FOR_EACH (Entry, &(IkePacket)->PayloadList) { - IkePayload =3D IKE_PAYLOAD_BY_PACKET (Entry); - - if (IkePayload->PayloadType =3D=3D IKEV2_PAYLOAD_TYPE_ID_INIT) { - IdiPayload =3D IkePayload; - } - if (IkePayload->PayloadType =3D=3D IKEV2_PAYLOAD_TYPE_ID_RSP) { - IdrPayload =3D IkePayload; - } - if (IkePayload->PayloadType =3D=3D IKEV2_PAYLOAD_TYPE_SA) { - SaPayload =3D IkePayload; - } - if (IkePayload->PayloadType =3D=3D IKEV2_PAYLOAD_TYPE_AUTH) { - AuthPayload =3D IkePayload; - } - if (IkePayload->PayloadType =3D=3D IKEV2_PAYLOAD_TYPE_TS_INIT) { - TsiPayload =3D IkePayload; - } - if (IkePayload->PayloadType =3D=3D IKEV2_PAYLOAD_TYPE_TS_RSP) { - TsrPayload =3D IkePayload; - } - } - - if ((SaPayload =3D=3D NULL) || (AuthPayload =3D=3D NULL) || (TsiPayload = =3D=3D NULL) || (TsrPayload =3D=3D NULL)) { - return EFI_INVALID_PARAMETER; - } - if ((IdiPayload =3D=3D NULL) && (IdrPayload =3D=3D NULL)) { - return EFI_INVALID_PARAMETER; - } - - // - // Check IkePacket Header is match the state - // - if (IkeSaSession->SessionCommon.IsInitiator) { - - // - // 1. 
Check the IkePacket->Hdr =3D=3D IKE_HEADER_FLAGS_RESPOND - // - if ((IkePacket->Header->Flags !=3D IKE_HEADER_FLAGS_RESPOND) || - (IkePacket->Header->ExchangeType !=3D IKEV2_EXCHANGE_TYPE_AUTH) - ) { - return EFI_INVALID_PARAMETER; - } - - } else { - // - // 1. Check the IkePacket->Hdr =3D=3D IKE_HEADER_FLAGS_INIT - // - if ((IkePacket->Header->Flags !=3D IKE_HEADER_FLAGS_INIT) || - (IkePacket->Header->ExchangeType !=3D IKEV2_EXCHANGE_TYPE_AUTH) - ) { - return EFI_INVALID_PARAMETER; - } - - // - // 2. Parse the SA payload and Key Payload and find out the perferable= one - // and fill in the Sa paramse into CommonSession->SaParams and SaDa= ta into - // IkeSaSession for the responder SA payload generation. - // - } - - // - // Verify the Auth Payload. - // - VerifiedAuthPayload =3D Ikev2PskGenerateAuthPayload ( - IkeSaSession, - IkeSaSession->SessionCommon.IsInitiator ? IdrPay= load : IdiPayload, - IKEV2_PAYLOAD_TYPE_SA, - TRUE - ); - if ((VerifiedAuthPayload !=3D NULL) && - (0 !=3D CompareMem ( - VerifiedAuthPayload->PayloadBuf + sizeof (IKEV2_COMMON_PAYLO= AD_HEADER), - AuthPayload->PayloadBuf + sizeof (IKEV2_COMMON_PAYLOAD_HEADE= R), - VerifiedAuthPayload->PayloadSize - sizeof (IKEV2_COMMON_PAYL= OAD_HEADER) - ))) { - return EFI_INVALID_PARAMETER; - }; - - // - // 3. Parse the SA Payload to find out the cryptographic suite - // and fill in the Sa paramse into CommonSession->SaParams. If no acc= eptable - // porposal found, return EFI_INVALID_PARAMETER. - // - if (!Ikev2ChildSaParseSaPayload (ChildSaSession, SaPayload, IkePacket->H= eader->Flags)) { - return EFI_INVALID_PARAMETER; - } - - // - // 4. Parse TSi, TSr payloads. 
- // - if ((((TRAFFIC_SELECTOR *)(TsiPayload->PayloadBuf + sizeof (IKEV2_TS)))-= >IpProtocolId !=3D - ((TRAFFIC_SELECTOR *)(TsrPayload->PayloadBuf + sizeof (IKEV2_TS)))-= >IpProtocolId) && - (((TRAFFIC_SELECTOR *)(TsiPayload->PayloadBuf + sizeof (IKEV2_TS)))-= >IpProtocolId !=3D 0) && - (((TRAFFIC_SELECTOR *)(TsrPayload->PayloadBuf + sizeof (IKEV2_TS)))-= >IpProtocolId !=3D 0) - ) { - return EFI_INVALID_PARAMETER; - } - - if (!IkeSaSession->SessionCommon.IsInitiator) { - // - //TODO:check the Port range. Only support any port and one certain por= t here. - // - ChildSaSession->ProtoId =3D ((TRAFFIC_SELECTOR *)(TsrPayload->Paylo= adBuf + sizeof (IKEV2_TS)))->IpProtocolId; - ChildSaSession->LocalPort =3D ((TRAFFIC_SELECTOR *)(TsrPayload->Paylo= adBuf + sizeof (IKEV2_TS)))->StartPort; - ChildSaSession->RemotePort =3D ((TRAFFIC_SELECTOR *)(TsiPayload->Paylo= adBuf + sizeof (IKEV2_TS)))->StartPort; - // - // Association a SPD with this SA. - // - Status =3D Ikev2ChildSaAssociateSpdEntry (ChildSaSession); - if (EFI_ERROR (Status)) { - return EFI_INVALID_PARAMETER; - } - // - // Associate the IkeSaSession's SPD to the first ChildSaSession's SPD. - // - if (ChildSaSession->IkeSaSession->Spd =3D=3D NULL) { - ChildSaSession->IkeSaSession->Spd =3D ChildSaSession->Spd; - Status =3D Ikev2ChildSaSessionSpdSelectorCreate (ChildSaSession); - if (EFI_ERROR (Status)) { - return Status; - } - } - } else { - // - //TODO:check the Port range. 
- // - if ((((TRAFFIC_SELECTOR *)(TsrPayload->PayloadBuf + sizeof (IKEV2_TS))= )->StartPort !=3D 0) && - (((TRAFFIC_SELECTOR *)(TsrPayload->PayloadBuf + sizeof (IKEV2_TS))= )->StartPort !=3D ChildSaSession->RemotePort) - ) { - return EFI_INVALID_PARAMETER; - } - if ((((TRAFFIC_SELECTOR *)(TsiPayload->PayloadBuf + sizeof (IKEV2_TS))= )->StartPort !=3D 0) && - (((TRAFFIC_SELECTOR *)(TsiPayload->PayloadBuf + sizeof (IKEV2_TS))= )->StartPort !=3D ChildSaSession->LocalPort) - ) { - return EFI_INVALID_PARAMETER; - } - // - // For the tunnel mode, it should add the vitual IP address into the S= A's SPD Selector. - // - if (ChildSaSession->Spd->Data->ProcessingPolicy->Mode =3D=3D EfiIPsecT= unnel) { - if (!ChildSaSession->IkeSaSession->SessionCommon.IsInitiator) { - // - // If it is tunnel mode, the UEFI part must be the initiator. - // - return EFI_INVALID_PARAMETER; - } - // - // Get the Virtual IP address from the Tsi traffic selector. - // TODO: check the CFG reply payload - // - CopyMem ( - &ChildSaSession->SpdSelector->LocalAddress[0].Address, - TsiPayload->PayloadBuf + sizeof (IKEV2_TS) + sizeof (TRAFFIC_SELEC= TOR), - (ChildSaSession->SessionCommon.UdpService->IpVersion =3D=3D IP_VER= SION_4) ? - sizeof (EFI_IPv4_ADDRESS) : sizeof (EFI_IPv6_ADDRESS) - ); - } - } - - // - // 5. Generate keymats for IPsec protocol. - // - Status =3D Ikev2GenerateChildSaKeys (ChildSaSession, NULL); - if (EFI_ERROR (Status)) { - return Status; - } - - if (IkeSaSession->SessionCommon.IsInitiator) { - // - // 6. Change the state of IkeSaSession - // - IKEV2_DUMP_STATE (IkeSaSession->SessionCommon.State, IkeStateIkeSaEsta= blished); - IkeSaSession->SessionCommon.State =3D IkeStateIkeSaEstablished; - } - - return EFI_SUCCESS; -} - -/** - Gernerates IKEv2 packet for IKE_SA_INIT exchange. - - @param[in] SaSession Pointer to IKEV2_SA_SESSION related to the exchang= e. - @param[in] Context Context Data passed by caller. - - @retval EFI_SUCCESS The IKE packet generation succeeded. 
- @retval Others The IKE packet generation failed. - -**/ -IKE_PACKET* -Ikev2InitCertGenerator ( - IN UINT8 *SaSession, - IN VOID *Context - ) -{ - IKE_PACKET *IkePacket; - IKE_PAYLOAD *CertReqPayload; - LIST_ENTRY *Node; - IKE_PAYLOAD *NoncePayload; - - if (!FeaturePcdGet (PcdIpsecCertificateEnabled)) { - return NULL; - } - - // - // The first two messages exchange is same between PSK and Cert. - // - IkePacket =3D Ikev2InitPskGenerator (SaSession, Context); - - if ((IkePacket !=3D NULL) && (!((IKEV2_SA_SESSION *)SaSession)->SessionC= ommon.IsInitiator)) { - // - // Add the Certification Request Payload - // - CertReqPayload =3D Ikev2GenerateCertificatePayload ( - (IKEV2_SA_SESSION *)SaSession, - IKEV2_PAYLOAD_TYPE_NONE, - (UINT8*)PcdGetPtr(PcdIpsecUefiCaFile), - PcdGet32(PcdIpsecUefiCaFileSize), - IKEV2_CERT_ENCODEING_HASH_AND_URL_OF_X509_CERT, - TRUE - ); - // - // Change Nonce Payload Next payload type. - // - IKE_PACKET_END_PAYLOAD (IkePacket, Node); - NoncePayload =3D IKE_PAYLOAD_BY_PACKET (Node); - ((IKEV2_NONCE *)NoncePayload->PayloadBuf)->Header.NextPayload =3D IKEV= 2_PAYLOAD_TYPE_CERTREQ; - - // - // Add Certification Request Payload - // - IKE_PACKET_APPEND_PAYLOAD (IkePacket, CertReqPayload); - } - - return IkePacket; -} - -/** - Parses the IKEv2 packet for IKE_SA_INIT exchange. - - @param[in] SaSession Pointer to IKEV2_SA_SESSION related to the exchang= e. - @param[in] IkePacket The received IKEv2 packet to be parsed. - - @retval EFI_SUCCESS The IKEv2 packet is acceptable and the re= lative data is - saved for furthure communication. - @retval EFI_INVALID_PARAMETER The IKE packet is malformed or the SA pro= posal is unacceptable. - @retval EFI_UNSUPPORTED The certificate authentication is not sup= ported. 
- -**/ -EFI_STATUS -Ikev2InitCertParser ( - IN UINT8 *SaSession, - IN IKE_PACKET *IkePacket - ) -{ - if (!FeaturePcdGet (PcdIpsecCertificateEnabled)) { - return EFI_UNSUPPORTED; - } - - // - // The first two messages exchange is same between PSK and Cert. - // Todo: Parse Certificate Request from responder Initial Exchange. - // - return Ikev2InitPskParser (SaSession, IkePacket); -} - -/** - Generates the IKEv2 packet for IKE_AUTH exchange. - - @param[in] SaSession Pointer to IKEV2_SA_SESSION. - @param[in] Context Context data passed by caller. - - @retval Pointer to IKEv2 Packet to be sent out. - -**/ -IKE_PACKET * -Ikev2AuthCertGenerator ( - IN UINT8 *SaSession, - IN VOID *Context - ) -{ - IKE_PACKET *IkePacket; - IKEV2_SA_SESSION *IkeSaSession; - IKE_PAYLOAD *IdPayload; - IKE_PAYLOAD *AuthPayload; - IKE_PAYLOAD *SaPayload; - IKE_PAYLOAD *TsiPayload; - IKE_PAYLOAD *TsrPayload; - IKE_PAYLOAD *NotifyPayload; - IKE_PAYLOAD *CpPayload; - IKE_PAYLOAD *CertPayload; - IKE_PAYLOAD *CertReqPayload; - IKEV2_CHILD_SA_SESSION *ChildSaSession; - - if (!FeaturePcdGet (PcdIpsecCertificateEnabled)) { - return NULL; - } - - IkeSaSession =3D (IKEV2_SA_SESSION *) SaSession; - ChildSaSession =3D IKEV2_CHILD_SA_SESSION_BY_IKE_SA (GetFirstNode (&IkeS= aSession->ChildSaSessionList)); - - IkePacket =3D NULL; - IdPayload =3D NULL; - AuthPayload =3D NULL; - CpPayload =3D NULL; - SaPayload =3D NULL; - TsiPayload =3D NULL; - TsrPayload =3D NULL; - NotifyPayload =3D NULL; - CertPayload =3D NULL; - CertReqPayload =3D NULL; - - // - // 1. Allocate IKE Packet - // - IkePacket=3D IkePacketAlloc (); - if (IkePacket =3D=3D NULL) { - return NULL; - } - - // - // 1.a Fill the IkePacket Header. 
- // - IkePacket->Header->ExchangeType =3D IKEV2_EXCHANGE_TYPE_AUTH; - IkePacket->Header->InitiatorCookie =3D IkeSaSession->InitiatorCookie; - IkePacket->Header->ResponderCookie =3D IkeSaSession->ResponderCookie; - IkePacket->Header->Version =3D (UINT8)(2 << 4); - if (ChildSaSession->SessionCommon.IsInitiator) { - IkePacket->Header->NextPayload =3D IKEV2_PAYLOAD_TYPE_ID_INIT; - } else { - IkePacket->Header->NextPayload =3D IKEV2_PAYLOAD_TYPE_ID_RSP; - } - - // - // According to RFC4306_2.2, For the IKE_SA_INIT message the MessageID s= hould - // be always number 0 and 1; - // - IkePacket->Header->MessageId =3D 1; - - if (IkeSaSession->SessionCommon.IsInitiator) { - IkePacket->Header->Flags =3D IKE_HEADER_FLAGS_INIT; - } else { - IkePacket->Header->Flags =3D IKE_HEADER_FLAGS_RESPOND; - } - - // - // 2. Generate ID Payload according to IP version and address. - // - IdPayload =3D Ikev2GenerateCertIdPayload ( - &IkeSaSession->SessionCommon, - IKEV2_PAYLOAD_TYPE_CERT, - (UINT8 *)PcdGetPtr (PcdIpsecUefiCertificate), - PcdGet32 (PcdIpsecUefiCertificateSize) - ); - if (IdPayload =3D=3D NULL) { - goto CheckError; - } - - // - // 3. Generate Certificate Payload - // - CertPayload =3D Ikev2GenerateCertificatePayload ( - IkeSaSession, - (UINT8)(IkeSaSession->SessionCommon.IsInitiator ? IKEV2_= PAYLOAD_TYPE_CERTREQ : IKEV2_PAYLOAD_TYPE_AUTH), - (UINT8 *)PcdGetPtr (PcdIpsecUefiCertificate), - PcdGet32 (PcdIpsecUefiCertificateSize), - IKEV2_CERT_ENCODEING_X509_CERT_SIGN, - FALSE - ); - if (CertPayload =3D=3D NULL) { - goto CheckError; - } - - if (IkeSaSession->SessionCommon.IsInitiator) { - CertReqPayload =3D Ikev2GenerateCertificatePayload ( - IkeSaSession, - IKEV2_PAYLOAD_TYPE_AUTH, - (UINT8 *)PcdGetPtr (PcdIpsecUefiCertificate), - PcdGet32 (PcdIpsecUefiCertificateSize), - IKEV2_CERT_ENCODEING_HASH_AND_URL_OF_X509_CERT, - TRUE - ); - if (CertReqPayload =3D=3D NULL) { - goto CheckError; - } - } - - // - // 4. 
Generate Auth Payload - // If it is tunnel mode, should create the configuration payload afte= r the - // Auth payload. - // - if (IkeSaSession->Spd->Data->ProcessingPolicy->Mode =3D=3D EfiIPsecTrans= port) { - AuthPayload =3D Ikev2CertGenerateAuthPayload ( - ChildSaSession->IkeSaSession, - IdPayload, - IKEV2_PAYLOAD_TYPE_SA, - FALSE, - (UINT8 *)PcdGetPtr (PcdIpsecUefiCertificateKey), - PcdGet32 (PcdIpsecUefiCertificateKeySize), - ChildSaSession->IkeSaSession->Pad->Data->AuthData, - ChildSaSession->IkeSaSession->Pad->Data->AuthDataSize - ); - } else { - AuthPayload =3D Ikev2CertGenerateAuthPayload ( - ChildSaSession->IkeSaSession, - IdPayload, - IKEV2_PAYLOAD_TYPE_CP, - FALSE, - (UINT8 *)PcdGetPtr (PcdIpsecUefiCertificateKey), - PcdGet32 (PcdIpsecUefiCertificateKeySize), - ChildSaSession->IkeSaSession->Pad->Data->AuthData, - ChildSaSession->IkeSaSession->Pad->Data->AuthDataSize - ); - if (IkeSaSession->SessionCommon.UdpService->IpVersion =3D=3D IP_VERSIO= N_4) { - CpPayload =3D Ikev2GenerateCpPayload ( - ChildSaSession->IkeSaSession, - IKEV2_PAYLOAD_TYPE_SA, - IKEV2_CFG_ATTR_INTERNAL_IP4_ADDRESS - ); - } else { - CpPayload =3D Ikev2GenerateCpPayload ( - ChildSaSession->IkeSaSession, - IKEV2_PAYLOAD_TYPE_SA, - IKEV2_CFG_ATTR_INTERNAL_IP6_ADDRESS - ); - } - - if (CpPayload =3D=3D NULL) { - goto CheckError; - } - } - - if (AuthPayload =3D=3D NULL) { - goto CheckError; - } - - // - // 5. Generate SA Payload according to the Sa Data in ChildSaSession - // - SaPayload =3D Ikev2GenerateSaPayload ( - ChildSaSession->SaData, - IKEV2_PAYLOAD_TYPE_TS_INIT, - IkeSessionTypeChildSa - ); - if (SaPayload =3D=3D NULL) { - goto CheckError; - } - - if (IkeSaSession->Spd->Data->ProcessingPolicy->Mode =3D=3D EfiIPsecTrans= port) { - // - // Generate Tsi and Tsr. 
- // - TsiPayload =3D Ikev2GenerateTsPayload ( - ChildSaSession, - IKEV2_PAYLOAD_TYPE_TS_RSP, - FALSE - ); - - TsrPayload =3D Ikev2GenerateTsPayload ( - ChildSaSession, - IKEV2_PAYLOAD_TYPE_NOTIFY, - FALSE - ); - - // - // Generate Notify Payload. If transport mode, there should have Notify - // payload with TRANSPORT_MODE notification. - // - NotifyPayload =3D Ikev2GenerateNotifyPayload ( - 0, - IKEV2_PAYLOAD_TYPE_NONE, - 0, - IKEV2_NOTIFICATION_USE_TRANSPORT_MODE, - NULL, - NULL, - 0 - ); - if (NotifyPayload =3D=3D NULL) { - goto CheckError; - } - } else { - // - // Generate Tsr for Tunnel mode. - // - TsiPayload =3D Ikev2GenerateTsPayload ( - ChildSaSession, - IKEV2_PAYLOAD_TYPE_TS_RSP, - TRUE - ); - TsrPayload =3D Ikev2GenerateTsPayload ( - ChildSaSession, - IKEV2_PAYLOAD_TYPE_NONE, - FALSE - ); - } - - if (TsiPayload =3D=3D NULL || TsrPayload =3D=3D NULL) { - goto CheckError; - } - - IKE_PACKET_APPEND_PAYLOAD (IkePacket, IdPayload); - IKE_PACKET_APPEND_PAYLOAD (IkePacket, CertPayload); - if (IkeSaSession->SessionCommon.IsInitiator) { - IKE_PACKET_APPEND_PAYLOAD (IkePacket, CertReqPayload); - } - IKE_PACKET_APPEND_PAYLOAD (IkePacket, AuthPayload); - if (IkeSaSession->Spd->Data->ProcessingPolicy->Mode =3D=3D EfiIPsecTunne= l) { - IKE_PACKET_APPEND_PAYLOAD (IkePacket, CpPayload); - } - IKE_PACKET_APPEND_PAYLOAD (IkePacket, SaPayload); - IKE_PACKET_APPEND_PAYLOAD (IkePacket, TsiPayload); - IKE_PACKET_APPEND_PAYLOAD (IkePacket, TsrPayload); - if (IkeSaSession->Spd->Data->ProcessingPolicy->Mode =3D=3D EfiIPsecTrans= port) { - IKE_PACKET_APPEND_PAYLOAD (IkePacket, NotifyPayload); - } - - return IkePacket; - -CheckError: - if (IkePacket !=3D NULL) { - IkePacketFree (IkePacket); - } - - if (IdPayload !=3D NULL) { - IkePayloadFree (IdPayload); - } - - if (CertPayload !=3D NULL) { - IkePayloadFree (CertPayload); - } - - if (CertReqPayload !=3D NULL) { - IkePayloadFree (CertReqPayload); - } - - if (AuthPayload !=3D NULL) { - IkePayloadFree (AuthPayload); - } - - if 
(CpPayload !=3D NULL) { - IkePayloadFree (CpPayload); - } - - if (SaPayload !=3D NULL) { - IkePayloadFree (SaPayload); - } - - if (TsiPayload !=3D NULL) { - IkePayloadFree (TsiPayload); - } - - if (TsrPayload !=3D NULL) { - IkePayloadFree (TsrPayload); - } - - if (NotifyPayload !=3D NULL) { - IkePayloadFree (NotifyPayload); - } - - return NULL; -} - -/** - Parses IKE_AUTH packet. - - @param[in] SaSession Pointer to the IKE_SA_SESSION related to this pa= cket. - @param[in] IkePacket Pointer to the IKE_AUTH packet to be parsered. - - @retval EFI_INVALID_PARAMETER The IKEv2 packet is malformed or the= SA - proposal is unacceptable. - @retval EFI_SUCCESS The IKE packet is acceptable and the - relative data is saved for furthure = communication. - @retval EFI_UNSUPPORTED The certificate authentication is no= t supported. - -**/ -EFI_STATUS -Ikev2AuthCertParser ( - IN UINT8 *SaSession, - IN IKE_PACKET *IkePacket - ) -{ - IKEV2_CHILD_SA_SESSION *ChildSaSession; - IKEV2_SA_SESSION *IkeSaSession; - IKE_PAYLOAD *IkePayload; - IKE_PAYLOAD *SaPayload; - IKE_PAYLOAD *IdiPayload; - IKE_PAYLOAD *IdrPayload; - IKE_PAYLOAD *AuthPayload; - IKE_PAYLOAD *TsiPayload; - IKE_PAYLOAD *TsrPayload; - IKE_PAYLOAD *CertPayload; - IKE_PAYLOAD *VerifiedAuthPayload; - LIST_ENTRY *Entry; - EFI_STATUS Status; - - if (!FeaturePcdGet (PcdIpsecCertificateEnabled)) { - return EFI_UNSUPPORTED; - } - - IkeSaSession =3D (IKEV2_SA_SESSION *) SaSession; - ChildSaSession =3D IKEV2_CHILD_SA_SESSION_BY_IKE_SA (GetFirstNode (&IkeS= aSession->ChildSaSessionList)); - - SaPayload =3D NULL; - IdiPayload =3D NULL; - IdrPayload =3D NULL; - AuthPayload =3D NULL; - TsiPayload =3D NULL; - TsrPayload =3D NULL; - CertPayload =3D NULL; - VerifiedAuthPayload =3D NULL; - Status =3D EFI_INVALID_PARAMETER; - - // - // Iterate payloads to find the SaPayload/ID/AUTH/TS Payload. 
- // - NET_LIST_FOR_EACH (Entry, &(IkePacket)->PayloadList) { - IkePayload =3D IKE_PAYLOAD_BY_PACKET (Entry); - - if (IkePayload->PayloadType =3D=3D IKEV2_PAYLOAD_TYPE_ID_INIT) { - IdiPayload =3D IkePayload; - } - if (IkePayload->PayloadType =3D=3D IKEV2_PAYLOAD_TYPE_ID_RSP) { - IdrPayload =3D IkePayload; - } - - if (IkePayload->PayloadType =3D=3D IKEV2_PAYLOAD_TYPE_SA) { - SaPayload =3D IkePayload; - } - if (IkePayload->PayloadType =3D=3D IKEV2_PAYLOAD_TYPE_AUTH) { - AuthPayload =3D IkePayload; - } - if (IkePayload->PayloadType =3D=3D IKEV2_PAYLOAD_TYPE_TS_INIT) { - TsiPayload =3D IkePayload; - } - if (IkePayload->PayloadType =3D=3D IKEV2_PAYLOAD_TYPE_TS_RSP) { - TsrPayload =3D IkePayload; - } - if (IkePayload->PayloadType =3D=3D IKEV2_PAYLOAD_TYPE_CERT) { - CertPayload =3D IkePayload; - } - } - - if ((SaPayload =3D=3D NULL) || (AuthPayload =3D=3D NULL) || (TsiPayload = =3D=3D NULL) || - (TsrPayload =3D=3D NULL) || (CertPayload =3D=3D NULL)) { - goto Exit; - } - if ((IdiPayload =3D=3D NULL) && (IdrPayload =3D=3D NULL)) { - goto Exit; - } - - // - // Check IkePacket Header is match the state - // - if (IkeSaSession->SessionCommon.IsInitiator) { - - // - // 1. Check the IkePacket->Hdr =3D=3D IKE_HEADER_FLAGS_RESPOND - // - if ((IkePacket->Header->Flags !=3D IKE_HEADER_FLAGS_RESPOND) || - (IkePacket->Header->ExchangeType !=3D IKEV2_EXCHANGE_TYPE_AUTH)) { - goto Exit; - } - } else { - // - // 1. Check the IkePacket->Hdr =3D=3D IKE_HEADER_FLAGS_INIT - // - if ((IkePacket->Header->Flags !=3D IKE_HEADER_FLAGS_INIT) || - (IkePacket->Header->ExchangeType !=3D IKEV2_EXCHANGE_TYPE_AUTH)) { - goto Exit; - } - } - - // - // Verify the Auth Payload. - // - VerifiedAuthPayload =3D Ikev2CertGenerateAuthPayload ( - IkeSaSession, - IkeSaSession->SessionCommon.IsInitiator ? 
IdrPay= load:IdiPayload, - IKEV2_PAYLOAD_TYPE_SA, - TRUE, - NULL, - 0, - NULL, - 0 - ); - - if ((VerifiedAuthPayload !=3D NULL) && - (!IpSecCryptoIoVerifySignDataByCertificate ( - CertPayload->PayloadBuf + sizeof (IKEV2_CERT), - CertPayload->PayloadSize - sizeof (IKEV2_CERT), - (UINT8 *)PcdGetPtr (PcdIpsecUefiCaFile), - PcdGet32 (PcdIpsecUefiCaFileSize), - VerifiedAuthPayload->PayloadBuf + sizeof (IKEV2_AUTH), - VerifiedAuthPayload->PayloadSize - sizeof (IKEV2_AUTH), - AuthPayload->PayloadBuf + sizeof (IKEV2_AUTH), - AuthPayload->PayloadSize - sizeof (IKEV2_AUTH) - ))) { - goto Exit; - } - - // - // 3. Parse the SA Payload to find out the cryptographic suite - // and fill in the SA paramse into CommonSession->SaParams. If no acc= eptable - // porposal found, return EFI_INVALID_PARAMETER. - // - if (!Ikev2ChildSaParseSaPayload (ChildSaSession, SaPayload, IkePacket->H= eader->Flags)) { - goto Exit; - } - - // - // 4. Parse TSi, TSr payloads. - // - if ((((TRAFFIC_SELECTOR *)(TsiPayload->PayloadBuf + sizeof (IKEV2_TS)))-= >IpProtocolId !=3D - ((TRAFFIC_SELECTOR *)(TsrPayload->PayloadBuf + sizeof (IKEV2_TS)))->= IpProtocolId) && - (((TRAFFIC_SELECTOR *)(TsiPayload->PayloadBuf + sizeof (IKEV2_TS)))-= >IpProtocolId !=3D 0) && - (((TRAFFIC_SELECTOR *)(TsrPayload->PayloadBuf + sizeof (IKEV2_TS)))-= >IpProtocolId !=3D 0) - ) { - goto Exit; - } - - if (!IkeSaSession->SessionCommon.IsInitiator) { - // - //Todo:check the Port range. Only support any port and one certain por= t here. - // - ChildSaSession->ProtoId =3D ((TRAFFIC_SELECTOR *)(TsrPayload->Paylo= adBuf + sizeof (IKEV2_TS)))->IpProtocolId; - ChildSaSession->LocalPort =3D ((TRAFFIC_SELECTOR *)(TsrPayload->Paylo= adBuf + sizeof (IKEV2_TS)))->StartPort; - ChildSaSession->RemotePort =3D ((TRAFFIC_SELECTOR *)(TsiPayload->Paylo= adBuf + sizeof (IKEV2_TS)))->StartPort; - // - // Association a SPD with this SA. 
- // - if (EFI_ERROR (Ikev2ChildSaAssociateSpdEntry (ChildSaSession))) { - goto Exit; - } - // - // Associate the IkeSaSession's SPD to the first ChildSaSession's SPD. - // - if (ChildSaSession->IkeSaSession->Spd =3D=3D NULL) { - ChildSaSession->IkeSaSession->Spd =3D ChildSaSession->Spd; - Status =3D Ikev2ChildSaSessionSpdSelectorCreate (ChildSaSession); - if (EFI_ERROR (Status)) { - goto Exit; - } - } - } else { - // - // Todo:check the Port range. - // - if ((((TRAFFIC_SELECTOR *)(TsrPayload->PayloadBuf + sizeof (IKEV2_TS))= )->StartPort !=3D 0) && - (((TRAFFIC_SELECTOR *)(TsrPayload->PayloadBuf + sizeof (IKEV2_TS))= )->StartPort !=3D ChildSaSession->RemotePort) - ) { - goto Exit; - } - if ((((TRAFFIC_SELECTOR *)(TsiPayload->PayloadBuf + sizeof (IKEV2_TS))= )->StartPort !=3D 0) && - (((TRAFFIC_SELECTOR *)(TsiPayload->PayloadBuf + sizeof (IKEV2_TS))= )->StartPort !=3D ChildSaSession->LocalPort) - ) { - goto Exit; - } - // - // For the tunnel mode, it should add the vitual IP address into the S= A's SPD Selector. - // - if (ChildSaSession->Spd->Data->ProcessingPolicy->Mode =3D=3D EfiIPsecT= unnel) { - if (!ChildSaSession->IkeSaSession->SessionCommon.IsInitiator) { - // - // If it is tunnel mode, the UEFI part must be the initiator. - // - goto Exit; - } - // - // Get the Virtual IP address from the Tsi traffic selector. - // TODO: check the CFG reply payload - // - CopyMem ( - &ChildSaSession->SpdSelector->LocalAddress[0].Address, - TsiPayload->PayloadBuf + sizeof (IKEV2_TS) + sizeof (TRAFFIC_SELEC= TOR), - (ChildSaSession->SessionCommon.UdpService->IpVersion =3D=3D IP_VER= SION_4) ? - sizeof (EFI_IPv4_ADDRESS) : sizeof (EFI_IPv6_ADDRESS) - ); - } - } - - // - // 5. Generat keymats for IPsec protocol. - // - Status =3D Ikev2GenerateChildSaKeys (ChildSaSession, NULL); - if (EFI_ERROR (Status)) { - goto Exit; - } - - if (IkeSaSession->SessionCommon.IsInitiator) { - // - // 6. 
Change the state of IkeSaSession - // - IKEV2_DUMP_STATE (IkeSaSession->SessionCommon.State, IkeStateIkeSaEsta= blished); - IkeSaSession->SessionCommon.State =3D IkeStateIkeSaEstablished; - } - - Status =3D EFI_SUCCESS; - -Exit: - if (VerifiedAuthPayload !=3D NULL) { - IkePayloadFree (VerifiedAuthPayload); - } - return Status; -} - -/** - Generates the DH Public Key. - - This generates the DH local public key and store it in the IKE SA Sessio= n's GxBuffer. - - @param[in] IkeSaSession Pointer to related IKE SA Session. - - @retval EFI_SUCCESS The operation succeeded. - @retval Others The operation failed. - -**/ -EFI_STATUS -Ikev2GenerateSaDhPublicKey ( - IN IKEV2_SA_SESSION *IkeSaSession - ) -{ - EFI_STATUS Status; - IKEV2_SESSION_KEYS *IkeKeys; - - IkeSaSession->IkeKeys =3D AllocateZeroPool (sizeof (IKEV2_SESSION_KEYS)); - if (IkeSaSession->IkeKeys =3D=3D NULL) { - return EFI_OUT_OF_RESOURCES; - } - - IkeKeys =3D IkeSaSession->IkeKeys; - IkeKeys->DhBuffer =3D AllocateZeroPool (sizeof (IKEV2_DH_BUFFER)); - if (IkeKeys->DhBuffer =3D=3D NULL) { - FreePool (IkeSaSession->IkeKeys); - return EFI_OUT_OF_RESOURCES; - } - - // - // Init DH with the certain DH Group Description. 
- // - IkeKeys->DhBuffer->GxSize =3D OakleyModpGroup[(UINT8)IkeSaSession->Ses= sionCommon.PreferDhGroup].Size >> 3; - IkeKeys->DhBuffer->GxBuffer =3D AllocateZeroPool (IkeKeys->DhBuffer->GxS= ize); - if (IkeKeys->DhBuffer->GxBuffer =3D=3D NULL) { - FreePool (IkeKeys->DhBuffer); - FreePool (IkeSaSession->IkeKeys); - return EFI_OUT_OF_RESOURCES; - } - - // - // Get X PublicKey - // - Status =3D IpSecCryptoIoDhGetPublicKey ( - &IkeKeys->DhBuffer->DhContext, - OakleyModpGroup[(UINT8)IkeSaSession->SessionCommon.PreferDhGr= oup].GroupGenerator, - OakleyModpGroup[(UINT8)IkeSaSession->SessionCommon.PreferDhGr= oup].Size, - OakleyModpGroup[(UINT8)IkeSaSession->SessionCommon.PreferDhGr= oup].Modulus, - IkeKeys->DhBuffer->GxBuffer, - &IkeKeys->DhBuffer->GxSize - ); - if (EFI_ERROR (Status)) { - DEBUG ((DEBUG_ERROR, "Error CPLKeyManGetKeyParam X public key error St= atus =3D %r\n", Status)); - - FreePool (IkeKeys->DhBuffer->GxBuffer); - - FreePool (IkeKeys->DhBuffer); - - FreePool (IkeSaSession->IkeKeys); - - return Status; - } - - IPSEC_DUMP_BUF ("DH Public Key (g^x) Dump", IkeKeys->DhBuffer->GxBuffer,= IkeKeys->DhBuffer->GxSize); - - return EFI_SUCCESS; -} - -/** - Computes the DH Shared/Exchange Key. - - Given peer's public key, this function computes the exchanged common key= and - stores it in the IKEv2 SA Session's GxyBuffer. - - @param[in] DhBuffer Pointer to buffer of peer's puliic key. - @param[in] KePayload Pointer to received key payload. - - @retval EFI_SUCCESS The operation succeeded. - @retval Otherwise The operation failed. 
- -**/ -EFI_STATUS -Ikev2GenerateSaDhComputeKey ( - IN IKEV2_DH_BUFFER *DhBuffer, - IN IKE_PAYLOAD *KePayload - ) -{ - EFI_STATUS Status; - IKEV2_KEY_EXCHANGE *Ke; - UINT8 *PubKey; - UINTN PubKeySize; - - Ke =3D (IKEV2_KEY_EXCHANGE *) KePayload->PayloadBuf; - PubKey =3D (UINT8 *) (Ke + 1); - PubKeySize =3D KePayload->PayloadSize - sizeof (IKEV2_KEY_EXCHA= NGE); - DhBuffer->GxySize =3D DhBuffer->GxSize; - DhBuffer->GxyBuffer =3D AllocateZeroPool (DhBuffer->GxySize); - if (DhBuffer->GxyBuffer =3D=3D NULL) { - return EFI_OUT_OF_RESOURCES; - } - - // - // Get GxyBuf - // - Status =3D IpSecCryptoIoDhComputeKey ( - DhBuffer->DhContext, - PubKey, - PubKeySize, - DhBuffer->GxyBuffer, - &DhBuffer->GxySize - ); - if (EFI_ERROR (Status)) { - DEBUG ((DEBUG_ERROR, "Error CPLKeyManGetKeyParam Y session key error S= tatus =3D %r\n", Status)); - - FreePool (DhBuffer->GxyBuffer); - - return Status; - } - - // - // Create GxyBuf. - // - DhBuffer->GySize =3D PubKeySize; - DhBuffer->GyBuffer =3D AllocateZeroPool (DhBuffer->GySize); - if (DhBuffer->GyBuffer =3D=3D NULL) { - FreePool (DhBuffer->GxyBuffer); - - return Status; - } - - CopyMem (DhBuffer->GyBuffer, PubKey, DhBuffer->GySize); - - IPSEC_DUMP_BUF ("DH Public Key (g^y) Dump", DhBuffer->GyBuffer, DhBuffer= ->GySize); - IPSEC_DUMP_BUF ("DH Shared Key (g^xy) Dump", DhBuffer->GxyBuffer, DhBuff= er->GxySize); - - return EFI_SUCCESS; -} - -/** - Generates the IKE SKEYSEED and seven other secrets. SK_d, SK_ai, SK_ar, = SK_ei, SK_er, - SK_pi, SK_pr are keys for the furthure IKE exchange. - - @param[in] IkeSaSession Pointer to IKE SA Session. - @param[in] KePayload Pointer to Key payload used to generate t= he Key. - - @retval EFI_UNSUPPORTED If one or more Algorithm Id is not suppor= ted. - @retval EFI_OUT_OF_RESOURCES If there is no enough resource to be allo= cated to - meet the requirement. - @retval EFI_SUCCESS The operation succeeded. 
- -**/ -EFI_STATUS -Ikev2GenerateSaKeys ( - IN IKEV2_SA_SESSION *IkeSaSession, - IN IKE_PAYLOAD *KePayload - ) -{ - EFI_STATUS Status; - IKEV2_SA_PARAMS *SaParams; - PRF_DATA_FRAGMENT Fragments[4]; - UINT64 InitiatorCookieNet; - UINT64 ResponderCookieNet; - UINT8 *KeyBuffer; - UINTN KeyBufferSize; - UINTN AuthAlgKeyLen; - UINTN EncryptAlgKeyLen; - UINTN IntegrityAlgKeyLen; - UINTN PrfAlgKeyLen; - UINT8 *OutputKey; - UINTN OutputKeyLength; - UINT8 *Digest; - UINTN DigestSize; - - Digest =3D NULL; - OutputKey =3D NULL; - KeyBuffer =3D NULL; - Status =3D EFI_SUCCESS; - - // - // Generate Gxy - // - Status =3D Ikev2GenerateSaDhComputeKey (IkeSaSession->IkeKeys->DhBuffer,= KePayload); - if (EFI_ERROR (Status)) { - goto Exit; - } - - // - // Get the key length of Authenticaion, Encryption, PRF, and Integrity. - // - SaParams =3D IkeSaSession->SessionCommon.SaParams; - AuthAlgKeyLen =3D IpSecGetHmacDigestLength ((UINT8)SaParams->Prf); - EncryptAlgKeyLen =3D IpSecGetEncryptKeyLength ((UINT8)SaParams->EncAlg= Id); - IntegrityAlgKeyLen =3D IpSecGetHmacDigestLength ((UINT8)SaParams->IntegA= lgId); - PrfAlgKeyLen =3D IpSecGetHmacDigestLength ((UINT8)SaParams->Prf); - - // - // If one or more algorithm is not support, return EFI_UNSUPPORTED. 
- // - if (AuthAlgKeyLen =3D=3D 0 || - EncryptAlgKeyLen =3D=3D 0 || - IntegrityAlgKeyLen =3D=3D 0 || - PrfAlgKeyLen =3D=3D 0 - ) { - Status =3D EFI_UNSUPPORTED; - goto Exit; - } - - // - // Compute SKEYSEED =3D prf(Ni | Nr, g^ir) - // - KeyBufferSize =3D IkeSaSession->NiBlkSize + IkeSaSession->NrBlkSize; - KeyBuffer =3D AllocateZeroPool (KeyBufferSize); - if (KeyBuffer =3D=3D NULL) { - Status =3D EFI_OUT_OF_RESOURCES; - goto Exit; - } - - CopyMem (KeyBuffer, IkeSaSession->NiBlock, IkeSaSession->NiBlkSize); - CopyMem (KeyBuffer + IkeSaSession->NiBlkSize, IkeSaSession->NrBlock, Ike= SaSession->NrBlkSize); - - Fragments[0].Data =3D IkeSaSession->IkeKeys->DhBuffer->GxyBuffer; - Fragments[0].DataSize =3D IkeSaSession->IkeKeys->DhBuffer->GxySize; - - DigestSize =3D IpSecGetHmacDigestLength ((UINT8)SaParams->Prf); - Digest =3D AllocateZeroPool (DigestSize); - - if (Digest =3D=3D NULL) { - Status =3D EFI_OUT_OF_RESOURCES; - goto Exit; - } - - IpSecCryptoIoHmac ( - (UINT8)SaParams->Prf, - KeyBuffer, - KeyBufferSize, - (HASH_DATA_FRAGMENT *) Fragments, - 1, - Digest, - DigestSize - ); - - // - // {SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr } =3D prf+ - // (SKEYSEED, Ni | Nr | SPIi | SPIr ) - // - Fragments[0].Data =3D IkeSaSession->NiBlock; - Fragments[0].DataSize =3D IkeSaSession->NiBlkSize; - Fragments[1].Data =3D IkeSaSession->NrBlock; - Fragments[1].DataSize =3D IkeSaSession->NrBlkSize; - InitiatorCookieNet =3D HTONLL (IkeSaSession->InitiatorCookie); - ResponderCookieNet =3D HTONLL (IkeSaSession->ResponderCookie); - Fragments[2].Data =3D (UINT8 *)(&InitiatorCookieNet); - Fragments[2].DataSize =3D sizeof (IkeSaSession->InitiatorCookie); - Fragments[3].Data =3D (UINT8 *)(&ResponderCookieNet); - Fragments[3].DataSize =3D sizeof (IkeSaSession->ResponderCookie); - - IPSEC_DUMP_BUF (">>> NiBlock", IkeSaSession->NiBlock, IkeSaSession->NiBl= kSize); - IPSEC_DUMP_BUF (">>> NrBlock", IkeSaSession->NrBlock, IkeSaSession->NrBl= kSize); - IPSEC_DUMP_BUF (">>> 
InitiatorCookie", (UINT8 *)&IkeSaSession->Initiator= Cookie, sizeof(UINT64)); - IPSEC_DUMP_BUF (">>> ResponderCookie", (UINT8 *)&IkeSaSession->Responder= Cookie, sizeof(UINT64)); - - OutputKeyLength =3D PrfAlgKeyLen + - 2 * EncryptAlgKeyLen + - 2 * AuthAlgKeyLen + - 2 * IntegrityAlgKeyLen; - OutputKey =3D AllocateZeroPool (OutputKeyLength); - if (OutputKey =3D=3D NULL) { - Status =3D EFI_OUT_OF_RESOURCES; - goto Exit; - } - - // - // Generate Seven Keymates. - // - Status =3D Ikev2SaGenerateKey ( - (UINT8)SaParams->Prf, - Digest, - DigestSize, - OutputKey, - OutputKeyLength, - Fragments, - 4 - ); - if (EFI_ERROR(Status)) { - goto Exit; - } - - // - // Save the seven keys into KeySession. - // First, SK_d - // - IkeSaSession->IkeKeys->SkdKey =3D AllocateZeroPool (PrfAlgKeyLen); - if (IkeSaSession->IkeKeys->SkdKey =3D=3D NULL) { - Status =3D EFI_OUT_OF_RESOURCES; - goto Exit; - } - IkeSaSession->IkeKeys->SkdKeySize =3D PrfAlgKeyLen; - CopyMem (IkeSaSession->IkeKeys->SkdKey, OutputKey, PrfAlgKeyLen); - - IPSEC_DUMP_BUF (">>> SK_D Key", IkeSaSession->IkeKeys->SkdKey, PrfAlgKey= Len); - - // - // Second, Sk_ai - // - IkeSaSession->IkeKeys->SkAiKey =3D AllocateZeroPool (IntegrityAlgKey= Len); - if (IkeSaSession->IkeKeys->SkAiKey =3D=3D NULL) { - Status =3D EFI_OUT_OF_RESOURCES; - goto Exit; - } - IkeSaSession->IkeKeys->SkAiKeySize =3D IntegrityAlgKeyLen; - CopyMem (IkeSaSession->IkeKeys->SkAiKey, OutputKey + PrfAlgKeyLen, Integ= rityAlgKeyLen); - - IPSEC_DUMP_BUF (">>> SK_Ai Key", IkeSaSession->IkeKeys->SkAiKey, IkeSaSe= ssion->IkeKeys->SkAiKeySize); - - // - // Third, Sk_ar - // - IkeSaSession->IkeKeys->SkArKey =3D AllocateZeroPool (IntegrityAlgKey= Len); - if (IkeSaSession->IkeKeys->SkArKey =3D=3D NULL) { - Status =3D EFI_OUT_OF_RESOURCES; - goto Exit; - } - IkeSaSession->IkeKeys->SkArKeySize =3D IntegrityAlgKeyLen; - CopyMem ( - IkeSaSession->IkeKeys->SkArKey, - OutputKey + PrfAlgKeyLen + IntegrityAlgKeyLen, - IntegrityAlgKeyLen - ); - - IPSEC_DUMP_BUF (">>> SK_Ar 
Key", IkeSaSession->IkeKeys->SkArKey, IkeSaSe= ssion->IkeKeys->SkArKeySize); - - // - // Fourth, Sk_ei - // - IkeSaSession->IkeKeys->SkEiKey =3D AllocateZeroPool (EncryptAlgKeyLe= n); - if (IkeSaSession->IkeKeys->SkEiKey =3D=3D NULL) { - Status =3D EFI_OUT_OF_RESOURCES; - goto Exit; - } - IkeSaSession->IkeKeys->SkEiKeySize =3D EncryptAlgKeyLen; - - CopyMem ( - IkeSaSession->IkeKeys->SkEiKey, - OutputKey + AuthAlgKeyLen + 2 * IntegrityAlgKeyLen, - EncryptAlgKeyLen - ); - IPSEC_DUMP_BUF ( - ">>> SK_Ei Key", - OutputKey + AuthAlgKeyLen + 2 * IntegrityAlgKeyLen, - EncryptAlgKeyLen - ); - - // - // Fifth, Sk_er - // - IkeSaSession->IkeKeys->SkErKey =3D AllocateZeroPool (EncryptAlgKeyLe= n); - if (IkeSaSession->IkeKeys->SkErKey =3D=3D NULL) { - Status =3D EFI_OUT_OF_RESOURCES; - goto Exit; - } - IkeSaSession->IkeKeys->SkErKeySize =3D EncryptAlgKeyLen; - - CopyMem ( - IkeSaSession->IkeKeys->SkErKey, - OutputKey + AuthAlgKeyLen + 2 * IntegrityAlgKeyLen + EncryptAlgKeyLen, - EncryptAlgKeyLen - ); - IPSEC_DUMP_BUF ( - ">>> SK_Er Key", - OutputKey + AuthAlgKeyLen + 2 * IntegrityAlgKeyLen + EncryptAlgKeyLen, - EncryptAlgKeyLen - ); - - // - // Sixth, Sk_pi - // - IkeSaSession->IkeKeys->SkPiKey =3D AllocateZeroPool (AuthAlgKeyLen); - if (IkeSaSession->IkeKeys->SkPiKey =3D=3D NULL) { - Status =3D EFI_OUT_OF_RESOURCES; - goto Exit; - } - IkeSaSession->IkeKeys->SkPiKeySize =3D AuthAlgKeyLen; - - CopyMem ( - IkeSaSession->IkeKeys->SkPiKey, - OutputKey + AuthAlgKeyLen + 2 * IntegrityAlgKeyLen + 2 * EncryptAlgKe= yLen, - AuthAlgKeyLen - ); - IPSEC_DUMP_BUF ( - ">>> SK_Pi Key", - OutputKey + AuthAlgKeyLen + 2 * IntegrityAlgKeyLen + 2 * EncryptAlgKe= yLen, - AuthAlgKeyLen - ); - - // - // Seventh, Sk_pr - // - IkeSaSession->IkeKeys->SkPrKey =3D AllocateZeroPool (AuthAlgKeyLen); - if (IkeSaSession->IkeKeys->SkPrKey =3D=3D NULL) { - Status =3D EFI_OUT_OF_RESOURCES; - goto Exit; - } - IkeSaSession->IkeKeys->SkPrKeySize =3D AuthAlgKeyLen; - - CopyMem ( - IkeSaSession->IkeKeys->SkPrKey, - 
OutputKey + AuthAlgKeyLen + 2 * IntegrityAlgKeyLen + 2 * EncryptAlgKey= Len + AuthAlgKeyLen, - AuthAlgKeyLen - ); - IPSEC_DUMP_BUF ( - ">>> SK_Pr Key", - OutputKey + AuthAlgKeyLen + 2 * IntegrityAlgKeyLen + 2 * EncryptAlgKey= Len + AuthAlgKeyLen, - AuthAlgKeyLen - ); - - -Exit: - if (Digest !=3D NULL) { - FreePool (Digest); - } - if (KeyBuffer !=3D NULL) { - FreePool (KeyBuffer); - } - if (OutputKey !=3D NULL) { - FreePool (OutputKey); - } - - if (EFI_ERROR(Status)) { - if (IkeSaSession->IkeKeys->SkdKey !=3D NULL) { - FreePool (IkeSaSession->IkeKeys->SkdKey); - } - if (IkeSaSession->IkeKeys->SkAiKey !=3D NULL) { - FreePool (IkeSaSession->IkeKeys->SkAiKey); - } - if (IkeSaSession->IkeKeys->SkArKey !=3D NULL) { - FreePool (IkeSaSession->IkeKeys->SkArKey); - } - if (IkeSaSession->IkeKeys->SkEiKey !=3D NULL) { - FreePool (IkeSaSession->IkeKeys->SkEiKey); - } - if (IkeSaSession->IkeKeys->SkErKey !=3D NULL) { - FreePool (IkeSaSession->IkeKeys->SkErKey); - } - if (IkeSaSession->IkeKeys->SkPiKey !=3D NULL) { - FreePool (IkeSaSession->IkeKeys->SkPiKey); - } - if (IkeSaSession->IkeKeys->SkPrKey !=3D NULL) { - FreePool (IkeSaSession->IkeKeys->SkPrKey); - } - } - - - return Status; -} - -/** - Generates the Keys for the furthure IPsec Protocol. - - @param[in] ChildSaSession Pointer to IKE Child SA Session. - @param[in] KePayload Pointer to Key payload used to generate t= he Key. - - @retval EFI_UNSUPPORTED If one or more Algorithm Id is not supported. - @retval EFI_SUCCESS The operation succeeded. 
- -**/ -EFI_STATUS -Ikev2GenerateChildSaKeys ( - IN IKEV2_CHILD_SA_SESSION *ChildSaSession, - IN IKE_PAYLOAD *KePayload - ) -{ - EFI_STATUS Status; - IKEV2_SA_PARAMS *SaParams; - PRF_DATA_FRAGMENT Fragments[3]; - UINTN EncryptAlgKeyLen; - UINTN IntegrityAlgKeyLen; - UINT8* OutputKey; - UINTN OutputKeyLength; - - Status =3D EFI_SUCCESS; - OutputKey =3D NULL; - - if (KePayload !=3D NULL) { - // - // Generate Gxy - // - Status =3D Ikev2GenerateSaDhComputeKey (ChildSaSession->DhBuffer, KePa= yload); - if (EFI_ERROR (Status)) { - goto Exit; - } - - Fragments[0].Data =3D ChildSaSession->DhBuffer->GxyBuffer; - Fragments[0].DataSize =3D ChildSaSession->DhBuffer->GxySize; - } - - Fragments[1].Data =3D ChildSaSession->NiBlock; - Fragments[1].DataSize =3D ChildSaSession->NiBlkSize; - Fragments[2].Data =3D ChildSaSession->NrBlock; - Fragments[2].DataSize =3D ChildSaSession->NrBlkSize; - - // - // Get the key length of Authenticaion, Encryption, PRF, and Integrity. - // - SaParams =3D ChildSaSession->SessionCommon.SaParams; - EncryptAlgKeyLen =3D IpSecGetEncryptKeyLength ((UINT8)SaParams->EncAlg= Id); - IntegrityAlgKeyLen =3D IpSecGetHmacDigestLength ((UINT8)SaParams->IntegA= lgId); - OutputKeyLength =3D 2 * EncryptAlgKeyLen + 2 * IntegrityAlgKeyLen; - - if ((EncryptAlgKeyLen =3D=3D 0) || (IntegrityAlgKeyLen =3D=3D 0)) { - Status =3D EFI_UNSUPPORTED; - goto Exit; - } - - // - // - // If KePayload is not NULL, calculate KEYMAT =3D prf+(SK_d, g^ir (new) = | Ni | Nr ), - // otherwise, KEYMAT =3D prf+(SK_d, Ni | Nr ) - // - OutputKey =3D AllocateZeroPool (OutputKeyLength); - if (OutputKey =3D=3D NULL) { - Status =3D EFI_OUT_OF_RESOURCES; - goto Exit; - } - - // - // Derive Key from the SkdKey Buffer. - // - Status =3D Ikev2SaGenerateKey ( - (UINT8)ChildSaSession->IkeSaSession->SessionCommon.SaParams->= Prf, - ChildSaSession->IkeSaSession->IkeKeys->SkdKey, - ChildSaSession->IkeSaSession->IkeKeys->SkdKeySize, - OutputKey, - OutputKeyLength, - KePayload =3D=3D NULL ? 
&Fragments[1] : Fragments, - KePayload =3D=3D NULL ? 2 : 3 - ); - - if (EFI_ERROR (Status)) { - goto Exit; - } - - // - // Copy KEYMATE (SK_ENCRYPT_i | SK_ENCRYPT_r | SK_INTEG_i | SK_INTEG_r) = to - // ChildKeyMates. - // - if (!ChildSaSession->SessionCommon.IsInitiator) { - - // - // Initiator Encryption Key - // - ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.EncAlgoId = =3D (UINT8)SaParams->EncAlgId; - ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.EncKeyLength = =3D EncryptAlgKeyLen; - ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.EncKey = =3D AllocateZeroPool (EncryptAlgKeyLen); - if (ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.EncKey =3D= =3D NULL) { - Status =3D EFI_OUT_OF_RESOURCES; - goto Exit; - } - - CopyMem ( - ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.EncKey, - OutputKey, - EncryptAlgKeyLen - ); - - // - // Initiator Authentication Key - // - ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.AuthAlgoId = =3D (UINT8)SaParams->IntegAlgId; - ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.AuthKeyLength = =3D IntegrityAlgKeyLen; - ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.AuthKey = =3D AllocateZeroPool (IntegrityAlgKeyLen); - if (ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.AuthKey =3D= =3D NULL) { - Status =3D EFI_OUT_OF_RESOURCES; - goto Exit; - } - - CopyMem ( - ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.AuthKey, - OutputKey + EncryptAlgKeyLen, - IntegrityAlgKeyLen - ); - - // - // Responder Encrypt Key - // - ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.EncAlgoId = =3D (UINT8)SaParams->EncAlgId; - ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.EncKeyLength = =3D EncryptAlgKeyLen; - ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.EncKey = =3D AllocateZeroPool (EncryptAlgKeyLen); - if (ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.EncKey =3D= =3D NULL) { - Status =3D EFI_OUT_OF_RESOURCES; - goto Exit; - } - - CopyMem ( - 
ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.EncKey, - OutputKey + EncryptAlgKeyLen + IntegrityAlgKeyLen, - EncryptAlgKeyLen - ); - - // - // Responder Authentication Key - // - ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.AuthAlgoId = =3D (UINT8)SaParams->IntegAlgId; - ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.AuthKeyLength = =3D IntegrityAlgKeyLen; - ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.AuthKey = =3D AllocateZeroPool (IntegrityAlgKeyLen); - if (ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.AuthKey = =3D=3D NULL) { - Status =3D EFI_OUT_OF_RESOURCES; - goto Exit; - } - - CopyMem ( - ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.AuthKey, - OutputKey + 2 * EncryptAlgKeyLen + IntegrityAlgKeyLen, - IntegrityAlgKeyLen - ); - } else { - // - // Initiator Encryption Key - // - ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.EncAlgoId = =3D (UINT8)SaParams->EncAlgId; - ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.EncKeyLength = =3D EncryptAlgKeyLen; - ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.EncKey = =3D AllocateZeroPool (EncryptAlgKeyLen); - if (ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.EncKey =3D= =3D NULL) { - Status =3D EFI_OUT_OF_RESOURCES; - goto Exit; - } - - CopyMem ( - ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.EncKey, - OutputKey, - EncryptAlgKeyLen - ); - - // - // Initiator Authentication Key - // - ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.AuthAlgoId = =3D (UINT8)SaParams->IntegAlgId; - ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.AuthKeyLength = =3D IntegrityAlgKeyLen; - ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.AuthKey = =3D AllocateZeroPool (IntegrityAlgKeyLen); - if (ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.AuthKey = =3D=3D NULL) { - Status =3D EFI_OUT_OF_RESOURCES; - goto Exit; - } - - CopyMem ( - ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.AuthKey, - 
OutputKey + EncryptAlgKeyLen, - IntegrityAlgKeyLen - ); - - // - // Responder Encryption Key - // - ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.EncAlgoId = =3D (UINT8)SaParams->EncAlgId; - ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.EncKeyLength = =3D EncryptAlgKeyLen; - ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.EncKey = =3D AllocateZeroPool (EncryptAlgKeyLen); - if (ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.EncKey =3D= =3D NULL) { - Status =3D EFI_OUT_OF_RESOURCES; - goto Exit; - } - - CopyMem ( - ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.EncKey, - OutputKey + EncryptAlgKeyLen + IntegrityAlgKeyLen, - EncryptAlgKeyLen - ); - - // - // Responder Authentication Key - // - ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.AuthAlgoId = =3D (UINT8)SaParams->IntegAlgId; - ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.AuthKeyLength = =3D IntegrityAlgKeyLen; - ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.AuthKey = =3D AllocateZeroPool (IntegrityAlgKeyLen); - if (ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.AuthKey =3D= =3D NULL) { - Status =3D EFI_OUT_OF_RESOURCES; - goto Exit; - } - - CopyMem ( - ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.AuthKey, - OutputKey + 2 * EncryptAlgKeyLen + IntegrityAlgKeyLen, - IntegrityAlgKeyLen - ); - } - - IPSEC_DUMP_BUF ( - " >>> Local Encryption Key", - ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.EncKey, - EncryptAlgKeyLen - ); - IPSEC_DUMP_BUF ( - " >>> Remote Encryption Key", - ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.EncKey, - EncryptAlgKeyLen - ); - IPSEC_DUMP_BUF ( - " >>> Local Authentication Key", - ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.AuthKey, - IntegrityAlgKeyLen - ); - IPSEC_DUMP_BUF ( - " >>> Remote Authentication Key", - ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.AuthKey, - IntegrityAlgKeyLen - ); - - - -Exit: - if (EFI_ERROR (Status)) { - if 
(ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.EncKey !=3D= NULL) { - FreePool (ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.Enc= Key); - } - if (ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.AuthKey != =3D NULL) { - FreePool (ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.Aut= hKey); - } - if (ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.EncKey != =3D NULL) { - FreePool (ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.En= cKey); - } - if (ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.AuthKey != =3D NULL) { - FreePool (ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.Au= thKey); - } - } - - if (OutputKey !=3D NULL) { - FreePool (OutputKey); - } - - return EFI_SUCCESS; -} - -GLOBAL_REMOVE_IF_UNREFERENCED IKEV2_PACKET_HANDLER mIkev2Initial[][2] =3D { - { //PSK - { // IKEV2_INIT - Ikev2InitPskParser, - Ikev2InitPskGenerator - }, - { //IKEV2_AUTH - Ikev2AuthPskParser, - Ikev2AuthPskGenerator - } - }, - { // CERT - { // IKEV2_INIT - Ikev2InitCertParser, - Ikev2InitCertGenerator - }, - { // IKEV2_AUTH - Ikev2AuthCertParser, - Ikev2AuthCertGenerator - }, - }, -}; diff --git a/NetworkPkg/IpSecDxe/Ikev2/Utility.c b/NetworkPkg/IpSecDxe/Ikev= 2/Utility.c deleted file mode 100644 index 87ec0bf5c8..0000000000 --- a/NetworkPkg/IpSecDxe/Ikev2/Utility.c +++ /dev/null @@ -1,2738 +0,0 @@ -/** @file - The Common operations used by IKE Exchange Process. - - (C) Copyright 2015 Hewlett-Packard Development Company, L.P.
- Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.
- - SPDX-License-Identifier: BSD-2-Clause-Patent - -**/ - -#include "Utility.h" -#include "IpSecDebug.h" -#include "IkeService.h" -#include "IpSecConfigImpl.h" - -UINT16 mIkev2EncryptAlgorithmList[IKEV2_SUPPORT_ENCRYPT_ALGORITHM_NUM] =3D= { - IKEV2_TRANSFORM_ID_ENCR_3DES, - IKEV2_TRANSFORM_ID_ENCR_AES_CBC, -}; - -UINT16 mIkev2PrfAlgorithmList[IKEV2_SUPPORT_PRF_ALGORITHM_NUM] =3D { - IKEV2_TRANSFORM_ID_PRF_HMAC_SHA1, -}; - -UINT16 mIkev2DhGroupAlgorithmList[IKEV2_SUPPORT_DH_ALGORITHM_NUM] =3D { - IKEV2_TRANSFORM_ID_DH_1024MODP, - IKEV2_TRANSFORM_ID_DH_2048MODP, -}; - -UINT16 mIkev2AuthAlgorithmList[IKEV2_SUPPORT_AUTH_ALGORITHM_NUM] =3D { - IKEV2_TRANSFORM_ID_AUTH_HMAC_SHA1_96, -}; - -/** - Allocate buffer for IKEV2_SA_SESSION and initialize it. - - @param[in] Private Pointer to IPSEC_PRIVATE_DATA. - @param[in] UdpService Pointer to IKE_UDP_SERVICE related to this IKE= SA Session. - - @return Pointer to IKEV2_SA_SESSION or NULL. - -**/ -IKEV2_SA_SESSION * -Ikev2SaSessionAlloc ( - IN IPSEC_PRIVATE_DATA *Private, - IN IKE_UDP_SERVICE *UdpService - ) -{ - EFI_STATUS Status; - IKEV2_SESSION_COMMON *SessionCommon; - IKEV2_SA_SESSION *IkeSaSession; - - IkeSaSession =3D AllocateZeroPool (sizeof (IKEV2_SA_SESSION)); - if (IkeSaSession =3D=3D NULL) { - return NULL; - } - - // - // Initialize the fields of IkeSaSession and its SessionCommon. - // - IkeSaSession->NCookie =3D NULL; - IkeSaSession->Signature =3D IKEV2_SA_SESSION_SIGNATURE; - IkeSaSession->InitiatorCookie =3D IkeGenerateCookie (); - IkeSaSession->ResponderCookie =3D 0; - // - // BUGBUG: Message ID starts from 2 is to match the OpenSwan requirement= , but it - // might not match the IPv6 Logo. In its test specification, it mentions= that - // the Message ID should start from zero after the IKE_SA_INIT exchange. 
- // - IkeSaSession->MessageId =3D 2; - SessionCommon =3D &IkeSaSession->SessionCommon; - SessionCommon->UdpService =3D UdpService; - SessionCommon->Private =3D Private; - SessionCommon->IkeSessionType =3D IkeSessionTypeIkeSa; - SessionCommon->IkeVer =3D 2; - SessionCommon->AfterEncodePayload =3D NULL; - SessionCommon->BeforeDecodePayload =3D NULL; - - // - // Create a resend notfiy event for retry. - // - Status =3D gBS->CreateEvent ( - EVT_TIMER | EVT_NOTIFY_SIGNAL, - TPL_CALLBACK, - Ikev2ResendNotify, - SessionCommon, - &SessionCommon->TimeoutEvent - ); - - if (EFI_ERROR (Status)) { - FreePool (IkeSaSession); - return NULL; - } - - // - // Initialize the lists in IkeSaSession. - // - InitializeListHead (&IkeSaSession->ChildSaSessionList); - InitializeListHead (&IkeSaSession->ChildSaEstablishSessionList); - InitializeListHead (&IkeSaSession->InfoMIDList); - InitializeListHead (&IkeSaSession->DeleteSaList); - - return IkeSaSession; -} - -/** - Register the established IKEv2 SA into Private->Ikev2EstablishedList. If= there is - IKEV2_SA_SESSION with same remote peer IP, remove the old one then regis= ter the - new one. - - @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION to be registered. - @param[in] Private Pointer to IPSEC_PRAVATE_DATA. - -**/ -VOID -Ikev2SaSessionReg ( - IN IKEV2_SA_SESSION *IkeSaSession, - IN IPSEC_PRIVATE_DATA *Private - ) -{ - IKEV2_SESSION_COMMON *SessionCommon; - IKEV2_SA_SESSION *OldIkeSaSession; - EFI_STATUS Status; - UINT64 Lifetime; - - // - // Keep IKE SA exclusive to remote ip address. - // - SessionCommon =3D &IkeSaSession->SessionCommon; - OldIkeSaSession =3D Ikev2SaSessionRemove (&Private->Ikev2EstablishedList= , &SessionCommon->RemotePeerIp); - if (OldIkeSaSession !=3D NULL) { - // - // TODO: It should delete all child SAs if rekey the IKE SA. - // - Ikev2SaSessionFree (OldIkeSaSession); - } - - // - // Cleanup the fields of SessionCommon for processing. 
- // - Ikev2SessionCommonRefresh (SessionCommon); - - // - // Insert the ready IKE SA session into established list. - // - Ikev2SaSessionInsert (&Private->Ikev2EstablishedList, IkeSaSession, &Ses= sionCommon->RemotePeerIp); - - // - // Create a notfiy event for the IKE SA life time counting. - // - Status =3D gBS->CreateEvent ( - EVT_TIMER | EVT_NOTIFY_SIGNAL, - TPL_CALLBACK, - Ikev2LifetimeNotify, - SessionCommon, - &SessionCommon->TimeoutEvent - ); - if (EFI_ERROR(Status)){ - // - // If TimerEvent creation failed, the SA will be alive untill user dis= able it or - // receiving a Delete Payload from peer. - // - return; - } - - // - // Start to count the lifetime of the IKE SA. - // - if (IkeSaSession->Spd->Data->ProcessingPolicy->SaLifetime.HardLifetime = =3D=3D 0) { - Lifetime =3D IKE_SA_DEFAULT_LIFETIME; - } else { - Lifetime =3D IkeSaSession->Spd->Data->ProcessingPolicy->SaLifetime.Har= dLifetime; - } - - Status =3D gBS->SetTimer ( - SessionCommon->TimeoutEvent, - TimerRelative, - MultU64x32(Lifetime, 10000000) // ms->100ns - ); - if (EFI_ERROR(Status)){ - // - // If SetTimer failed, the SA will be alive untill user disable it or - // receiving a Delete Payload from peer. - // - return ; - } - - DEBUG (( - DEBUG_INFO, - "\n------IkeSa established and start to count down %d seconds lifetime= \n", - Lifetime - )); - - return ; -} - -/** - Find a IKEV2_SA_SESSION by the remote peer IP. - - @param[in] SaSessionList SaSession List to be searched. - @param[in] RemotePeerIp Pointer to specified IP address. - - @return Pointer to IKEV2_SA_SESSION if find one or NULL. 
- -**/ -IKEV2_SA_SESSION * -Ikev2SaSessionLookup ( - IN LIST_ENTRY *SaSessionList, - IN EFI_IP_ADDRESS *RemotePeerIp - ) -{ - LIST_ENTRY *Entry; - IKEV2_SA_SESSION *IkeSaSession; - - NET_LIST_FOR_EACH (Entry, SaSessionList) { - IkeSaSession =3D IKEV2_SA_SESSION_BY_SESSION (Entry); - - if (CompareMem ( - &IkeSaSession->SessionCommon.RemotePeerIp, - RemotePeerIp, - sizeof (EFI_IP_ADDRESS) - ) =3D=3D 0) { - - return IkeSaSession; - } - } - - return NULL; -} - -/** - Insert a IKE_SA_SESSION into IkeSaSession list. The IkeSaSession list is= either - Private->Ikev2SaSession list or Private->Ikev2EstablishedList list. - - @param[in] SaSessionList Pointer to list to be inserted into. - @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION to be inserted. - @param[in] RemotePeerIp Pointer to EFI_IP_ADDRESSS to indicate the - unique IKEV2_SA_SESSION. - -**/ -VOID -Ikev2SaSessionInsert ( - IN LIST_ENTRY *SaSessionList, - IN IKEV2_SA_SESSION *IkeSaSession, - IN EFI_IP_ADDRESS *RemotePeerIp - ) -{ - Ikev2SaSessionRemove (SaSessionList, RemotePeerIp); - InsertTailList (SaSessionList, &IkeSaSession->BySessionTable); -} - -/** - Remove the SA Session by Remote Peer IP. - - @param[in] SaSessionList Pointer to list to be searched. - @param[in] RemotePeerIp Pointer to EFI_IP_ADDRESS to use for SA Sess= ion search. - - @retval Pointer to IKEV2_SA_SESSION with the specified remote IP address= or NULL. - -**/ -IKEV2_SA_SESSION * -Ikev2SaSessionRemove ( - IN LIST_ENTRY *SaSessionList, - IN EFI_IP_ADDRESS *RemotePeerIp - ) -{ - LIST_ENTRY *Entry; - IKEV2_SA_SESSION *IkeSaSession; - - NET_LIST_FOR_EACH (Entry, SaSessionList) { - IkeSaSession =3D IKEV2_SA_SESSION_BY_SESSION (Entry); - - if (CompareMem ( - &IkeSaSession->SessionCommon.RemotePeerIp, - RemotePeerIp, - sizeof (EFI_IP_ADDRESS) - ) =3D=3D 0) { - - RemoveEntryList (Entry); - return IkeSaSession; - } - } - - return NULL; -} - - -/** - Free specified Seession Common. The session common would belong to a IKE= SA or - a Child SA. 
- - @param[in] SessionCommon Pointer to a Session Common. - -**/ -VOID -Ikev2SaSessionCommonFree ( - IN IKEV2_SESSION_COMMON *SessionCommon - ) -{ - - ASSERT (SessionCommon !=3D NULL); - - if (SessionCommon->LastSentPacket !=3D NULL) { - IkePacketFree (SessionCommon->LastSentPacket); - } - - if (SessionCommon->SaParams !=3D NULL) { - FreePool (SessionCommon->SaParams); - } - if (SessionCommon->TimeoutEvent !=3D NULL) { - gBS->CloseEvent (SessionCommon->TimeoutEvent); - } -} - -/** - After IKE/Child SA is estiblished, close the time event and free sent pa= cket. - - @param[in] SessionCommon Pointer to a Session Common. - -**/ -VOID -Ikev2SessionCommonRefresh ( - IN IKEV2_SESSION_COMMON *SessionCommon - ) -{ - ASSERT (SessionCommon !=3D NULL); - - gBS->CloseEvent (SessionCommon->TimeoutEvent); - SessionCommon->TimeoutEvent =3D NULL; - SessionCommon->TimeoutInterval =3D 0; - SessionCommon->RetryCount =3D 0; - if (SessionCommon->LastSentPacket !=3D NULL) { - IkePacketFree (SessionCommon->LastSentPacket); - SessionCommon->LastSentPacket =3D NULL; - } - - return ; -} -/** - Free specified IKEV2 SA Session. - - @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION to be freed. 
- -**/ -VOID -Ikev2SaSessionFree ( - IN IKEV2_SA_SESSION *IkeSaSession - ) -{ - IKEV2_SESSION_KEYS *IkeKeys; - LIST_ENTRY *Entry; - IKEV2_CHILD_SA_SESSION *ChildSa; - IKEV2_DH_BUFFER *DhBuffer; - - ASSERT (IkeSaSession !=3D NULL); - - // - // Delete Common Session - // - Ikev2SaSessionCommonFree (&IkeSaSession->SessionCommon); - - // - // Delete ChildSaEstablish List and SAD - // - for (Entry =3D IkeSaSession->ChildSaEstablishSessionList.ForwardLink; - Entry !=3D &IkeSaSession->ChildSaEstablishSessionList; - ) { - - ChildSa =3D IKEV2_CHILD_SA_SESSION_BY_IKE_SA (Entry); - Entry =3D Entry->ForwardLink; - Ikev2ChildSaSilentDelete (ChildSa->IkeSaSession, ChildSa->LocalPeerSpi= ); - - } - - // - // Delete ChildSaSessionList - // - for ( Entry =3D IkeSaSession->ChildSaSessionList.ForwardLink; - Entry !=3D &IkeSaSession->ChildSaSessionList; - ){ - ChildSa =3D IKEV2_CHILD_SA_SESSION_BY_IKE_SA (Entry); - Entry =3D Entry->ForwardLink; - RemoveEntryList (Entry->BackLink); - Ikev2ChildSaSessionFree (ChildSa); - } - - // - // Delete DhBuffer and Keys - // - if (IkeSaSession->IkeKeys !=3D NULL) { - IkeKeys =3D IkeSaSession->IkeKeys; - DhBuffer =3D IkeKeys->DhBuffer; - - // - // Delete DhBuffer - // - Ikev2DhBufferFree (DhBuffer); - - // - // Delete Keys - // - if (IkeKeys->SkAiKey !=3D NULL) { - FreePool (IkeKeys->SkAiKey); - } - if (IkeKeys->SkArKey !=3D NULL) { - FreePool (IkeKeys->SkArKey); - } - if (IkeKeys->SkdKey !=3D NULL) { - FreePool (IkeKeys->SkdKey); - } - if (IkeKeys->SkEiKey !=3D NULL) { - FreePool (IkeKeys->SkEiKey); - } - if (IkeKeys->SkErKey !=3D NULL) { - FreePool (IkeKeys->SkErKey); - } - if (IkeKeys->SkPiKey !=3D NULL) { - FreePool (IkeKeys->SkPiKey); - } - if (IkeKeys->SkPrKey !=3D NULL) { - FreePool (IkeKeys->SkPrKey); - } - FreePool (IkeKeys); - } - - if (IkeSaSession->SaData !=3D NULL) { - FreePool (IkeSaSession->SaData); - } - - if (IkeSaSession->NiBlock !=3D NULL) { - FreePool (IkeSaSession->NiBlock); - } - - if (IkeSaSession->NrBlock !=3D NULL) { - 
FreePool (IkeSaSession->NrBlock); - } - - if (IkeSaSession->NCookie !=3D NULL) { - FreePool (IkeSaSession->NCookie); - } - - if (IkeSaSession->InitPacket !=3D NULL) { - FreePool (IkeSaSession->InitPacket); - } - - if (IkeSaSession->RespPacket !=3D NULL) { - FreePool (IkeSaSession->RespPacket); - } - - FreePool (IkeSaSession); - - return ; -} - -/** - Increase the MessageID in IkeSaSession. - - @param[in] IkeSaSession Pointer to a specified IKEV2_SA_SESSION. - -**/ -VOID -Ikev2SaSessionIncreaseMessageId ( - IN IKEV2_SA_SESSION *IkeSaSession - ) -{ - if (IkeSaSession->MessageId < 0xffffffff) { - IkeSaSession->MessageId ++; - } else { - // - // TODO: Trigger Rekey process. - // - } -} - -/** - Allocate memory for IKEV2 Child SA Session. - - @param[in] UdpService Pointer to IKE_UDP_SERVICE. - @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION related to this = Child SA - Session. - - @retval Pointer of a new created IKEV2 Child SA Session or NULL. - -**/ -IKEV2_CHILD_SA_SESSION * -Ikev2ChildSaSessionAlloc ( - IN IKE_UDP_SERVICE *UdpService, - IN IKEV2_SA_SESSION *IkeSaSession - ) -{ - EFI_STATUS Status; - IKEV2_CHILD_SA_SESSION *ChildSaSession; - IKEV2_SESSION_COMMON *ChildSaCommon; - IKEV2_SESSION_COMMON *SaCommon; - - ChildSaSession =3D AllocateZeroPool (sizeof (IKEV2_CHILD_SA_SESSION)); - if (ChildSaSession =3D=3D NULL) { - return NULL; - } - - // - // Initialize the fields of ChildSaSession and its SessionCommon. - // - ChildSaSession->Signature =3D IKEV2_CHILD_SA_SESSION_SIGNATURE; - ChildSaSession->IkeSaSession =3D IkeSaSession; - ChildSaSession->MessageId =3D IkeSaSession->MessageId; - - // - // Generate an new SPI. 
- // - Status =3D IkeGenerateSpi (IkeSaSession, &(ChildSaSession->LocalPeerSpi)= ); - if (EFI_ERROR (Status)) { - FreePool (ChildSaSession); - return NULL; - } - - ChildSaCommon =3D &ChildSaSession->SessionCommon; - ChildSaCommon->UdpService =3D UdpService; - ChildSaCommon->Private =3D IkeSaSession->SessionCommon.Priva= te; - ChildSaCommon->IkeSessionType =3D IkeSessionTypeChildSa; - ChildSaCommon->IkeVer =3D 2; - ChildSaCommon->AfterEncodePayload =3D Ikev2ChildSaAfterEncodePayload; - ChildSaCommon->BeforeDecodePayload =3D Ikev2ChildSaBeforeDecodePayload; - SaCommon =3D &ChildSaSession->IkeSaSession->SessionCommon; - - // - // Create a resend notfiy event for retry. - // - Status =3D gBS->CreateEvent ( - EVT_TIMER | EVT_NOTIFY_SIGNAL, - TPL_CALLBACK, - Ikev2ResendNotify, - ChildSaCommon, - &ChildSaCommon->TimeoutEvent - ); - if (EFI_ERROR (Status)) { - FreePool (ChildSaSession); - return NULL; - } - - CopyMem (&ChildSaCommon->LocalPeerIp, &SaCommon->LocalPeerIp, sizeof (EF= I_IP_ADDRESS)); - CopyMem (&ChildSaCommon->RemotePeerIp, &SaCommon->RemotePeerIp, sizeof (= EFI_IP_ADDRESS)); - - return ChildSaSession; -} - -/** - Register a established IKEv2 Child SA into IkeSaSession->ChildSaEstablis= hSessionList. - If the there is IKEV2_CHILD_SA_SESSION with same remote peer IP, remove = the old one - then register the new one. - - @param[in] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION to be regi= stered. - @param[in] Private Pointer to IPSEC_PRAVATE_DATA. - -**/ -VOID -Ikev2ChildSaSessionReg ( - IN IKEV2_CHILD_SA_SESSION *ChildSaSession, - IN IPSEC_PRIVATE_DATA *Private - ) -{ - IKEV2_SESSION_COMMON *SessionCommon; - IKEV2_CHILD_SA_SESSION *OldChildSaSession; - IKEV2_SA_SESSION *IkeSaSession; - EFI_STATUS Status; - UINT64 Lifetime; - - // - // Keep the IKE SA exclusive. 
- // - SessionCommon =3D &ChildSaSession->SessionCommon; - IkeSaSession =3D ChildSaSession->IkeSaSession; - OldChildSaSession =3D Ikev2ChildSaSessionRemove ( - &IkeSaSession->ChildSaEstablishSessionList, - ChildSaSession->LocalPeerSpi, - IKEV2_ESTABLISHED_CHILDSA_LIST - ); - if (OldChildSaSession !=3D NULL) { - // - // Free the old one. - // - Ikev2ChildSaSessionFree (OldChildSaSession); - } - - // - // Store the ready child SA into SAD. - // - Ikev2StoreSaData (ChildSaSession); - - // - // Cleanup the fields of SessionCommon for processing. - // - Ikev2SessionCommonRefresh (SessionCommon); - - // - // Insert the ready child SA session into established list. - // - Ikev2ChildSaSessionInsert (&IkeSaSession->ChildSaEstablishSessionList, C= hildSaSession); - - // - // Create a Notify event for the IKE SA life time counting. - // - Status =3D gBS->CreateEvent ( - EVT_TIMER | EVT_NOTIFY_SIGNAL, - TPL_CALLBACK, - Ikev2LifetimeNotify, - SessionCommon, - &SessionCommon->TimeoutEvent - ); - if (EFI_ERROR(Status)){ - return ; - } - - // - // Start to count the lifetime of the IKE SA. - // - if (ChildSaSession->Spd->Data->ProcessingPolicy->SaLifetime.HardLifetime= !=3D 0){ - Lifetime =3D ChildSaSession->Spd->Data->ProcessingPolicy->SaLifetime.H= ardLifetime; - } else { - Lifetime =3D CHILD_SA_DEFAULT_LIFETIME; - } - - Status =3D gBS->SetTimer ( - SessionCommon->TimeoutEvent, - TimerRelative, - MultU64x32(Lifetime, 10000000) // ms->100ns - ); - if (EFI_ERROR(Status)){ - return ; - } - - DEBUG (( - DEBUG_INFO, - "\n------ChildSa established and start to count down %d seconds lifeti= me\n", - Lifetime - )); - - return ; -} - - -/** - This function find the Child SA by the specified SPI. - - This functin find a ChildSA session by searching the ChildSaSessionlist = of - the input IKEV2_SA_SESSION by specified MessageID. - - @param[in] SaSessionList Pointer to List to be searched. - @param[in] Spi Specified SPI. - - @return Pointer to IKEV2_CHILD_SA_SESSION or NULL. 
- -**/ -IKEV2_CHILD_SA_SESSION * -Ikev2ChildSaSessionLookupBySpi ( - IN LIST_ENTRY *SaSessionList, - IN UINT32 Spi - ) -{ - LIST_ENTRY *Entry; - IKEV2_CHILD_SA_SESSION *ChildSaSession; - - NET_LIST_FOR_EACH (Entry, SaSessionList) { - ChildSaSession =3D IKEV2_CHILD_SA_SESSION_BY_IKE_SA (Entry); - - if (ChildSaSession->RemotePeerSpi =3D=3D Spi || ChildSaSession->LocalP= eerSpi =3D=3D Spi) { - return ChildSaSession; - } - } - - return NULL; -} - -/** - Insert a Child SA Session into the specified ChildSa list. - - @param[in] SaSessionList Pointer to list to be inserted in. - @param[in] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION to be inse= rted. - -**/ -VOID -Ikev2ChildSaSessionInsert ( - IN LIST_ENTRY *SaSessionList, - IN IKEV2_CHILD_SA_SESSION *ChildSaSession - ) -{ - InsertTailList (SaSessionList, &ChildSaSession->ByIkeSa); -} - -/** - Remove the IKEV2_CHILD_SA_SESSION from IkeSaSessionList. - - @param[in] SaSessionList The SA Session List to be iterated. - @param[in] Spi Spi used to identified the IKEV2_CHILD_SA= _SESSION. - @param[in] ListType The type of the List to indicate whether = it is a - Established. - - @return The point to IKEV2_CHILD_SA_SESSION or NULL. 
- -**/ -IKEV2_CHILD_SA_SESSION * -Ikev2ChildSaSessionRemove ( - IN LIST_ENTRY *SaSessionList, - IN UINT32 Spi, - IN UINT8 ListType - ) -{ - LIST_ENTRY *Entry; - LIST_ENTRY *NextEntry; - IKEV2_CHILD_SA_SESSION *ChildSaSession; - - NET_LIST_FOR_EACH_SAFE (Entry, NextEntry, SaSessionList) { - - if (ListType =3D=3D IKEV2_ESTABLISHED_CHILDSA_LIST || ListType =3D=3D = IKEV2_ESTABLISHING_CHILDSA_LIST) { - ChildSaSession =3D IKEV2_CHILD_SA_SESSION_BY_IKE_SA (Entry); - } else if (ListType =3D=3D IKEV2_DELET_CHILDSA_LIST) { - ChildSaSession =3D IKEV2_CHILD_SA_SESSION_BY_DEL_SA (Entry); - } else { - return NULL; - } - - if (ChildSaSession->RemotePeerSpi =3D=3D Spi || ChildSaSession->LocalP= eerSpi =3D=3D Spi) { - RemoveEntryList (Entry); - return ChildSaSession; - } - } - - return NULL; -} - -/** - Free the memory located for the specified IKEV2_CHILD_SA_SESSION. - - @param[in] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION. - -**/ -VOID -Ikev2ChildSaSessionFree ( - IN IKEV2_CHILD_SA_SESSION *ChildSaSession - ) -{ - IKEV2_SESSION_COMMON *SessionCommon; - - SessionCommon =3D &ChildSaSession->SessionCommon; - if (ChildSaSession->SaData !=3D NULL) { - FreePool (ChildSaSession->SaData); - } - - if (ChildSaSession->NiBlock !=3D NULL) { - FreePool (ChildSaSession->NiBlock); - } - - if (ChildSaSession->NrBlock !=3D NULL) { - FreePool (ChildSaSession->NrBlock); - } - - if (ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.AuthKey !=3D = NULL) { - FreePool (ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.AuthK= ey); - } - - if (ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.EncKey !=3D N= ULL) { - FreePool (ChildSaSession->ChildKeymats.LocalPeerInfo.EspAlgoInfo.EncKe= y); - } - - if (ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.AuthKey !=3D= NULL) { - FreePool (ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.Auth= Key); - } - - if (ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.EncKey !=3D = NULL) { - FreePool 
(ChildSaSession->ChildKeymats.RemotePeerInfo.EspAlgoInfo.EncK= ey); - } - - // - // Delete DhBuffer - // - Ikev2DhBufferFree (ChildSaSession->DhBuffer); - - // - // Delete SpdSelector - // - if (ChildSaSession->SpdSelector !=3D NULL) { - if (ChildSaSession->SpdSelector->LocalAddress !=3D NULL) { - FreePool (ChildSaSession->SpdSelector->LocalAddress); - } - if (ChildSaSession->SpdSelector->RemoteAddress !=3D NULL) { - FreePool (ChildSaSession->SpdSelector->RemoteAddress); - } - FreePool (ChildSaSession->SpdSelector); - } - Ikev2SaSessionCommonFree (SessionCommon); - FreePool (ChildSaSession); - - return ; -} - -/** - Delete the specified established Child SA. - - This function delete the Child SA directly and don't send the Informatio= n Packet to - remote peer. - - @param[in] IkeSaSession Pointer to a IKE SA Session used to be search= ed for. - @param[in] Spi SPI used to find the Child SA. - - @retval EFI_NOT_FOUND Pointer of IKE SA Session is NULL. - @retval EFI_NOT_FOUND There is no specified Child SA related with t= he input - SPI under this IKE SA Session. - @retval EFI_SUCCESS Delete the Child SA successfully. - -**/ -EFI_STATUS -Ikev2ChildSaSilentDelete ( - IN IKEV2_SA_SESSION *IkeSaSession, - IN UINT32 Spi - ) -{ - EFI_STATUS Status; - EFI_IPSEC_CONFIG_SELECTOR *Selector; - UINTN SelectorSize; - BOOLEAN IsLocalFound; - BOOLEAN IsRemoteFound; - UINT32 LocalSpi; - UINT32 RemoteSpi; - IKEV2_CHILD_SA_SESSION *ChildSession; - EFI_IPSEC_CONFIG_SELECTOR *LocalSelector; - EFI_IPSEC_CONFIG_SELECTOR *RemoteSelector; - IPSEC_PRIVATE_DATA *Private; - - if (IkeSaSession =3D=3D NULL) { - return EFI_NOT_FOUND; - } - - IsLocalFound =3D FALSE; - IsRemoteFound =3D FALSE; - ChildSession =3D NULL; - LocalSelector =3D NULL; - RemoteSelector =3D NULL; - - Private =3D IkeSaSession->SessionCommon.Private; - - // - // Remove the Established SA from ChildSaEstablishlist. 
- // - ChildSession =3D Ikev2ChildSaSessionRemove( - &(IkeSaSession->ChildSaEstablishSessionList), - Spi, - IKEV2_ESTABLISHED_CHILDSA_LIST - ); - if (ChildSession =3D=3D NULL) { - return EFI_NOT_FOUND; - } - - LocalSpi =3D ChildSession->LocalPeerSpi; - RemoteSpi =3D ChildSession->RemotePeerSpi; - - SelectorSize =3D sizeof (EFI_IPSEC_CONFIG_SELECTOR); - Selector =3D AllocateZeroPool (SelectorSize); - if (Selector =3D=3D NULL) { - return EFI_OUT_OF_RESOURCES; - } - - while (1) { - Status =3D EfiIpSecConfigGetNextSelector ( - &Private->IpSecConfig, - IPsecConfigDataTypeSad, - &SelectorSize, - Selector - ); - if (Status =3D=3D EFI_BUFFER_TOO_SMALL) { - FreePool (Selector); - - Selector =3D AllocateZeroPool (SelectorSize); - if (Selector =3D=3D NULL) { - Status =3D EFI_OUT_OF_RESOURCES; - break; - } - - Status =3D EfiIpSecConfigGetNextSelector ( - &Private->IpSecConfig, - IPsecConfigDataTypeSad, - &SelectorSize, - Selector - ); - } - - if (EFI_ERROR (Status)) { - break; - } - - if (Selector->SaId.Spi =3D=3D RemoteSpi) { - // - // SPI is unique. There is only one SAD whose SPI is - // same with RemoteSpi. - // - IsRemoteFound =3D TRUE; - RemoteSelector =3D AllocateZeroPool (SelectorSize); - if (RemoteSelector =3D=3D NULL) { - Status =3D EFI_OUT_OF_RESOURCES; - break; - } - - CopyMem (RemoteSelector, Selector, SelectorSize); - } - - if (Selector->SaId.Spi =3D=3D LocalSpi) { - // - // SPI is unique. There is only one SAD whose SPI is - // same with LocalSpi. - // - IsLocalFound =3D TRUE; - LocalSelector =3D AllocateZeroPool (SelectorSize); - if (LocalSelector =3D=3D NULL) { - Status =3D EFI_OUT_OF_RESOURCES; - break; - } - - CopyMem (LocalSelector, Selector, SelectorSize); - } - } - // - // Delete SA from the Variable. 
- // - if (IsLocalFound) { - Status =3D EfiIpSecConfigSetData ( - &Private->IpSecConfig, - IPsecConfigDataTypeSad, - LocalSelector, - NULL, - NULL - ); - } - - if (IsRemoteFound) { - Status =3D EfiIpSecConfigSetData ( - &Private->IpSecConfig, - IPsecConfigDataTypeSad, - RemoteSelector, - NULL, - NULL - ); - - } - - DEBUG ( - (DEBUG_INFO, - "\n------IKEV2 deleted ChildSa(local spi, remote spi):(0x%x, 0x%x)----= --\n", - LocalSpi, - RemoteSpi) - ); - Ikev2ChildSaSessionFree (ChildSession); - - if (RemoteSelector !=3D NULL) { - FreePool (RemoteSelector); - } - - if (LocalSelector !=3D NULL) { - FreePool (LocalSelector); - } - - if (Selector !=3D NULL) { - FreePool (Selector); - } - - return Status; -} - -/** - Free the specified DhBuffer. - - @param[in] DhBuffer Pointer to IKEV2_DH_BUFFER to be freed. - -**/ -VOID -Ikev2DhBufferFree ( - IKEV2_DH_BUFFER *DhBuffer -) -{ - if (DhBuffer !=3D NULL) { - if (DhBuffer->GxBuffer !=3D NULL) { - FreePool (DhBuffer->GxBuffer); - } - if (DhBuffer->GyBuffer !=3D NULL) { - FreePool (DhBuffer->GyBuffer); - } - if (DhBuffer->GxyBuffer !=3D NULL) { - FreePool (DhBuffer->GxyBuffer); - } - if (DhBuffer->DhContext !=3D NULL) { - IpSecCryptoIoFreeDh (&DhBuffer->DhContext); - } - FreePool (DhBuffer); - } -} - -/** - This function is to parse a request IKE packet and return its request ty= pe. - The request type is one of IKE CHILD SA creation, IKE SA rekeying and - IKE CHILD SA rekeying. - - @param[in] IkePacket IKE packet to be prased. - - return the type of the IKE packet. - -**/ -IKEV2_CREATE_CHILD_REQUEST_TYPE -Ikev2ChildExchangeRequestType( - IN IKE_PACKET *IkePacket - ) -{ - BOOLEAN Flag; - LIST_ENTRY *Entry; - IKE_PAYLOAD *IkePayload; - - Flag =3D FALSE; - - NET_LIST_FOR_EACH (Entry, &(IkePacket)->PayloadList) { - IkePayload =3D IKE_PAYLOAD_BY_PACKET (Entry); - if (IkePayload->PayloadType =3D=3D IKEV2_PAYLOAD_TYPE_TS_INIT) { - // - // Packet with Ts Payload means it is for either CHILD_SA_CREATE or = CHILD_SA_REKEY. 
- // - Flag =3D TRUE; - } - if (IkePayload->PayloadType =3D=3D IKEV2_PAYLOAD_TYPE_NOTIFY) { - if (((IKEV2_NOTIFY*)IkePayload)->MessageType =3D=3D IKEV2_NOTIFICATI= ON_REKEY_SA) { - // - // If notify payload with REKEY_SA message type, the IkePacket is = for - // rekeying Child SA. - // - return IkeRequestTypeRekeyChildSa; - } - } - }; - - if (!Flag){ - // - // The Create Child Exchange is for IKE SA rekeying. - // - return IkeRequestTypeRekeyIkeSa; - } else { - // - // If the Notify payloaad with transport mode message type, the IkePac= ket is - // for create Child SA. - // - return IkeRequestTypeCreateChildSa; - } -} - -/** - Associate a SPD selector to the Child SA Session. - - This function is called when the Child SA is not the first child SA of i= ts - IKE SA. It associate a SPD to this Child SA. - - @param[in, out] ChildSaSession Pointer to the Child SA Session to b= e associated to - a SPD selector. - - @retval EFI_SUCCESS Associate one SPD selector to this Child SA S= ession successfully. - @retval EFI_NOT_FOUND Can't find the related SPD selector. - -**/ -EFI_STATUS -Ikev2ChildSaAssociateSpdEntry ( - IN OUT IKEV2_CHILD_SA_SESSION *ChildSaSession - ) -{ - IpSecVisitConfigData (IPsecConfigDataTypeSpd, Ikev2MatchSpdEntry, ChildS= aSession); - if (ChildSaSession->Spd !=3D NULL) { - return EFI_SUCCESS; - } else { - return EFI_NOT_FOUND; - } -} - - - -/** - Validate the IKE header of received IKE packet. - - @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION related to this I= KE packet. - @param[in] IkeHdr Pointer to IKE header of received IKE packet. - - @retval TRUE If the IKE header is valid. - @retval FALSE If the IKE header is invalid. - -**/ -BOOLEAN -Ikev2ValidateHeader ( - IN IKEV2_SA_SESSION *IkeSaSession, - IN IKE_HEADER *IkeHdr - ) -{ - - IKEV2_SESSION_STATE State; - - State =3D IkeSaSession->SessionCommon.State; - if (State =3D=3D IkeStateInit) { - // - // For the IKE Initial Exchange, the MessagId should be zero. 
- // - if (IkeHdr->MessageId !=3D 0) { - return FALSE; - } - } else { - if (State =3D=3D IkeStateAuth) { - if (IkeHdr->MessageId !=3D 1) { - return FALSE; - } - } - if (IkeHdr->InitiatorCookie !=3D IkeSaSession->InitiatorCookie || - IkeHdr->ResponderCookie !=3D IkeSaSession->ResponderCookie - ) { - // - // TODO: send notification INVALID-COOKIE - // - return FALSE; - } - } - - // - // Information Exchagne and Create Child Exchange can be started from ea= ch part. - // - if (IkeHdr->ExchangeType !=3D IKEV2_EXCHANGE_TYPE_INFO && - IkeHdr->ExchangeType !=3D IKEV2_EXCHANGE_TYPE_CREATE_CHILD - ) { - if (IkeSaSession->SessionCommon.IsInitiator) { - if (IkeHdr->InitiatorCookie !=3D IkeSaSession->InitiatorCookie) { - // - // TODO: send notification INVALID-COOKIE - // - return FALSE; - } - if (IkeHdr->Flags !=3D IKE_HEADER_FLAGS_RESPOND) { - return FALSE; - } - } else { - if (IkeHdr->Flags !=3D IKE_HEADER_FLAGS_INIT) { - return FALSE; - } - } - } - - return TRUE; -} - -/** - Create and intialize IKEV2_SA_DATA for speicifed IKEV2_SESSION_COMMON. - - This function will be only called by the initiator. The responder's IKEV= 2_SA_DATA - will be generated during parsed the initiator packet. - - @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON related to. - - @retval a Pointer to a new IKEV2_SA_DATA or NULL. - -**/ -IKEV2_SA_DATA * -Ikev2InitializeSaData ( - IN IKEV2_SESSION_COMMON *SessionCommon - ) -{ - IKEV2_CHILD_SA_SESSION *ChildSaSession; - IKEV2_SA_DATA *SaData; - IKEV2_PROPOSAL_DATA *ProposalData; - IKEV2_TRANSFORM_DATA *TransformData; - IKE_SA_ATTRIBUTE *Attribute; - - ASSERT (SessionCommon !=3D NULL); - // - // TODO: Remove the hard code of the support Alogrithm. Those data shoul= d be - // get from the SPD/PAD data. 
- // - if (SessionCommon->IkeSessionType =3D=3D IkeSessionTypeIkeSa) { - SaData =3D AllocateZeroPool ( - sizeof (IKEV2_SA_DATA) + - sizeof (IKEV2_PROPOSAL_DATA) * 2 + - sizeof (IKEV2_TRANSFORM_DATA) * 4 * 2 - ); - } else { - SaData =3D AllocateZeroPool ( - sizeof (IKEV2_SA_DATA) + - sizeof (IKEV2_PROPOSAL_DATA) * 2 + - sizeof (IKEV2_TRANSFORM_DATA) * 3 * 2 - ); - } - if (SaData =3D=3D NULL) { - return NULL; - } - - // - // First proposal payload: 3DES + SHA1 + DH - // - SaData->NumProposals =3D 2; - ProposalData =3D (IKEV2_PROPOSAL_DATA *) (SaData + 1); - ProposalData->ProposalIndex =3D 1; - - // - // If SA data for IKE_SA_INIT exchage, contains 4 transforms. If SA data= for - // IKE_AUTH exchange contains 3 transforms. - // - if (SessionCommon->IkeSessionType =3D=3D IkeSessionTypeIkeSa) { - ProposalData->NumTransforms =3D 4; - } else { - ProposalData->NumTransforms =3D 3; - } - - - if (SessionCommon->IkeSessionType =3D=3D IkeSessionTypeIkeSa) { - ProposalData->ProtocolId =3D IPSEC_PROTO_ISAKMP; - } else { - ChildSaSession =3D IKEV2_CHILD_SA_SESSION_FROM_COMMON (Se= ssionCommon); - ProposalData->ProtocolId =3D IPSEC_PROTO_IPSEC_ESP; - ProposalData->Spi =3D AllocateZeroPool (sizeof (ChildSaSessi= on->LocalPeerSpi)); - if (ProposalData->Spi =3D=3D NULL) { - FreePool (SaData); - return NULL; - } - - CopyMem ( - ProposalData->Spi, - &ChildSaSession->LocalPeerSpi, - sizeof(ChildSaSession->LocalPeerSpi) - ); - } - - // - // Set transform attribute for Encryption Algorithm - 3DES - // - TransformData =3D (IKEV2_TRANSFORM_DATA *) (ProposalData= + 1); - TransformData->TransformIndex =3D 0; - TransformData->TransformType =3D IKEV2_TRANSFORM_TYPE_ENCR; - TransformData->TransformId =3D IKEV2_TRANSFORM_ID_ENCR_3DES; - - // - // Set transform attribute for Integrity Algorithm - SHA1_96 - // - TransformData =3D (IKEV2_TRANSFORM_DATA *) (TransformDat= a + 1); - TransformData->TransformIndex =3D 1; - TransformData->TransformType =3D IKEV2_TRANSFORM_TYPE_INTEG; - 
TransformData->TransformId =3D IKEV2_TRANSFORM_ID_AUTH_HMAC_SHA1_96; - - if (SessionCommon->IkeSessionType =3D=3D IkeSessionTypeIkeSa) { - // - // Set transform attribute for Pseduo-Random Function - HAMC_SHA1 - // - TransformData =3D (IKEV2_TRANSFORM_DATA *) (TransformD= ata + 1); - TransformData->TransformIndex =3D 2; - TransformData->TransformType =3D IKEV2_TRANSFORM_TYPE_PRF; - TransformData->TransformId =3D IKEV2_TRANSFORM_ID_PRF_HMAC_SHA1; - } - - if (SessionCommon->IkeSessionType =3D=3D IkeSessionTypeIkeSa) { - // - // Set transform attribute for DH Group - DH 1024 - // - TransformData =3D (IKEV2_TRANSFORM_DATA *) (TransformD= ata + 1); - TransformData->TransformIndex =3D 3; - TransformData->TransformType =3D IKEV2_TRANSFORM_TYPE_DH; - TransformData->TransformId =3D IKEV2_TRANSFORM_ID_DH_1024MODP; - } else { - // - // Transform type for Extended Sequence Numbers. Currently not support= Extended - // Sequence Number. - // - TransformData =3D (IKEV2_TRANSFORM_DATA *) (TransformD= ata + 1); - TransformData->TransformIndex =3D 2; - TransformData->TransformType =3D IKEV2_TRANSFORM_TYPE_ESN; - TransformData->TransformId =3D 0; - } - - // - // Second proposal payload: 3DES + SHA1 + DH - // - ProposalData =3D (IKEV2_PROPOSAL_DATA *) (TransformData= + 1); - ProposalData->ProposalIndex =3D 2; - - if (SessionCommon->IkeSessionType =3D=3D IkeSessionTypeIkeSa) { - ProposalData->ProtocolId =3D IPSEC_PROTO_ISAKMP; - ProposalData->NumTransforms =3D 4; - } else { - - ChildSaSession =3D IKEV2_CHILD_SA_SESSION_FROM_COMMON (Se= ssionCommon); - ProposalData->ProtocolId =3D IPSEC_PROTO_IPSEC_ESP; - ProposalData->NumTransforms =3D 3; - ProposalData->Spi =3D AllocateZeroPool (sizeof (ChildSaSessi= on->LocalPeerSpi)); - if (ProposalData->Spi =3D=3D NULL) { - FreePool (((IKEV2_PROPOSAL_DATA *) (SaData + 1))->Spi); - FreePool (SaData); - return NULL; - } - - CopyMem ( - ProposalData->Spi, - &ChildSaSession->LocalPeerSpi, - sizeof(ChildSaSession->LocalPeerSpi) - ); - } - - // - // Set 
transform attribute for Encryption Algorithm - AES-CBC - // - TransformData =3D (IKEV2_TRANSFORM_DATA *) (ProposalData= + 1); - TransformData->TransformIndex =3D 0; - TransformData->TransformType =3D IKEV2_TRANSFORM_TYPE_ENCR; - TransformData->TransformId =3D IKEV2_TRANSFORM_ID_ENCR_AES_CBC; - Attribute =3D &TransformData->Attribute; - Attribute->AttrType =3D IKEV2_ATTRIBUTE_TYPE_KEYLEN; - Attribute->Attr.AttrLength =3D (UINT16) (8 * IpSecGetEncryptKeyLength= (IKEV2_TRANSFORM_ID_ENCR_AES_CBC)); - - // - // Set transform attribute for Integrity Algorithm - SHA1_96 - // - TransformData =3D (IKEV2_TRANSFORM_DATA *) (TransformDat= a + 1); - TransformData->TransformIndex =3D 1; - TransformData->TransformType =3D IKEV2_TRANSFORM_TYPE_INTEG; - TransformData->TransformId =3D IKEV2_TRANSFORM_ID_AUTH_HMAC_SHA1_96; - - if (SessionCommon->IkeSessionType =3D=3D IkeSessionTypeIkeSa) { - // - // Set transform attribute for Pseduo-Random Function - HAMC_SHA1 - // - TransformData =3D (IKEV2_TRANSFORM_DATA *) (TransformD= ata + 1); - TransformData->TransformIndex =3D 2; - TransformData->TransformType =3D IKEV2_TRANSFORM_TYPE_PRF; - TransformData->TransformId =3D IKEV2_TRANSFORM_ID_PRF_HMAC_SHA1; - } - - if (SessionCommon->IkeSessionType =3D=3D IkeSessionTypeIkeSa) { - // - // Set transform attrbiute for DH Group - DH-1024 - // - TransformData =3D (IKEV2_TRANSFORM_DATA *) (TransformD= ata + 1); - TransformData->TransformIndex =3D 3; - TransformData->TransformType =3D IKEV2_TRANSFORM_TYPE_DH; - TransformData->TransformId =3D IKEV2_TRANSFORM_ID_DH_1024MODP; - } else { - // - // Transform type for Extended Sequence Numbers. Currently not support= Extended - // Sequence Number. - // - TransformData =3D (IKEV2_TRANSFORM_DATA *) (TransformD= ata + 1); - TransformData->TransformIndex =3D 2; - TransformData->TransformType =3D IKEV2_TRANSFORM_TYPE_ESN; - TransformData->TransformId =3D 0; - } - - return SaData; -} - -/** - Store the SA into SAD. 
- - @param[in] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION. - -**/ -VOID -Ikev2StoreSaData ( - IN IKEV2_CHILD_SA_SESSION *ChildSaSession - ) -{ - EFI_STATUS Status; - EFI_IPSEC_SA_ID SaId; - EFI_IPSEC_SA_DATA2 SaData; - IKEV2_SESSION_COMMON *SessionCommon; - IPSEC_PRIVATE_DATA *Private; - UINT32 TempAddressCount; - EFI_IP_ADDRESS_INFO *TempAddressInfo; - - SessionCommon =3D &ChildSaSession->SessionCommon; - Private =3D SessionCommon->Private; - - ZeroMem (&SaId, sizeof (EFI_IPSEC_SA_ID)); - ZeroMem (&SaData, sizeof (EFI_IPSEC_SA_DATA2)); - - // - // Create a SpdSelector. In this implementation, one SPD represents - // 2 direction traffic, so in here, there needs to reverse the local add= ress - // and remote address for Remote Peer's SA, then reverse again for the l= ocate - // SA. - // - TempAddressCount =3D ChildSaSession->SpdSelector->LocalAddressCount; - TempAddressInfo =3D ChildSaSession->SpdSelector->LocalAddress; - - ChildSaSession->SpdSelector->LocalAddressCount =3D ChildSaSession->SpdSe= lector->RemoteAddressCount; - ChildSaSession->SpdSelector->LocalAddress =3D ChildSaSession->SpdSe= lector->RemoteAddress; - - ChildSaSession->SpdSelector->RemoteAddress =3D TempAddressInfo; - ChildSaSession->SpdSelector->RemoteAddressCount=3D TempAddressCount; - - // - // Set the SaId and SaData. - // - SaId.Spi =3D ChildSaSession->LocalPeerSpi; - SaId.Proto =3D EfiIPsecESP; - SaData.AntiReplayWindows =3D 16; - SaData.SNCount =3D 0; - SaData.Mode =3D ChildSaSession->Spd->Data->ProcessingPolicy= ->Mode; - - // - // If it is tunnel mode, should add the TunnelDest and TunnelSource for = SaData. 
- // - if (SaData.Mode =3D=3D EfiIPsecTunnel) { - CopyMem ( - &SaData.TunnelSourceAddress, - &ChildSaSession->Spd->Data->ProcessingPolicy->TunnelOption->RemoteTu= nnelAddress, - sizeof (EFI_IP_ADDRESS) - ); - CopyMem ( - &SaData.TunnelDestinationAddress, - &ChildSaSession->Spd->Data->ProcessingPolicy->TunnelOption->LocalTun= nelAddress, - sizeof (EFI_IP_ADDRESS) - ); - } - - CopyMem (&SaId.DestAddress, &ChildSaSession->SessionCommon.LocalPeerIp, = sizeof (EFI_IP_ADDRESS)); - CopyMem (&SaData.AlgoInfo, &ChildSaSession->ChildKeymats.LocalPeerInfo, = sizeof (EFI_IPSEC_ALGO_INFO)); - SaData.SpdSelector =3D ChildSaSession->SpdSelector; - - // - // Store the remote SA into SAD. - // - Status =3D EfiIpSecConfigSetData ( - &Private->IpSecConfig, - IPsecConfigDataTypeSad, - (EFI_IPSEC_CONFIG_SELECTOR *) &SaId, - &SaData, - NULL - ); - ASSERT_EFI_ERROR (Status); - - // - // Store the local SA into SAD. - // - ChildSaSession->SpdSelector->RemoteAddressCount =3D ChildSaSession->SpdS= elector->LocalAddressCount; - ChildSaSession->SpdSelector->RemoteAddress =3D ChildSaSession->SpdS= elector->LocalAddress; - - ChildSaSession->SpdSelector->LocalAddress =3D TempAddressInfo; - ChildSaSession->SpdSelector->LocalAddressCount =3D TempAddressCount; - - SaId.Spi =3D ChildSaSession->RemotePeerSpi; - - CopyMem (&SaId.DestAddress, &ChildSaSession->SessionCommon.RemotePeerIp,= sizeof (EFI_IP_ADDRESS)); - CopyMem (&SaData.AlgoInfo, &ChildSaSession->ChildKeymats.RemotePeerInfo,= sizeof (EFI_IPSEC_ALGO_INFO)); - SaData.SpdSelector =3D ChildSaSession->SpdSelector; - - // - // If it is tunnel mode, should add the TunnelDest and TunnelSource for = SaData. 
- // - if (SaData.Mode =3D=3D EfiIPsecTunnel) { - CopyMem ( - &SaData.TunnelSourceAddress, - &ChildSaSession->Spd->Data->ProcessingPolicy->TunnelOption->LocalTun= nelAddress, - sizeof (EFI_IP_ADDRESS) - ); - CopyMem ( - &SaData.TunnelDestinationAddress, - &ChildSaSession->Spd->Data->ProcessingPolicy->TunnelOption->RemoteTu= nnelAddress, - sizeof (EFI_IP_ADDRESS) - ); - } - - Status =3D EfiIpSecConfigSetData ( - &Private->IpSecConfig, - IPsecConfigDataTypeSad, - (EFI_IPSEC_CONFIG_SELECTOR *) &SaId, - &SaData, - NULL - ); - - ASSERT_EFI_ERROR (Status); -} - -/** - Call back function of the IKE life time is over. - - This function will mark the related IKE SA Session as deleting and trigg= er a - Information negotiation. - - @param[in] Event The signaled Event. - @param[in] Context Pointer to data passed by caller. - -**/ -VOID -EFIAPI -Ikev2LifetimeNotify ( - IN EFI_EVENT Event, - IN VOID *Context - ) -{ - IKEV2_SA_SESSION *IkeSaSession; - IKEV2_CHILD_SA_SESSION *ChildSaSession; - IKEV2_SESSION_COMMON *SessionCommon; - - ASSERT (Context !=3D NULL); - SessionCommon =3D (IKEV2_SESSION_COMMON *) Context; - - if (SessionCommon->IkeSessionType =3D=3D IkeSessionTypeIkeSa) { - IkeSaSession =3D IKEV2_SA_SESSION_FROM_COMMON (SessionCommon); - DEBUG (( - DEBUG_INFO, - "\n---IkeSa Lifetime is out(cookie_i, cookie_r):(0x%lx, 0x%lx)---\n", - IkeSaSession->InitiatorCookie, - IkeSaSession->ResponderCookie - )); - - // - // Change the IKE SA Session's State to IKE_STATE_SA_DELETING. - // - IKEV2_DUMP_STATE (IkeSaSession->SessionCommon.State, IkeStateSaDeletin= g); - IkeSaSession->SessionCommon.State =3D IkeStateSaDeleting; - - } else { - ChildSaSession =3D IKEV2_CHILD_SA_SESSION_FROM_COMMON (SessionCommon); - IkeSaSession =3D ChildSaSession->IkeSaSession; - - // - // Link the timeout child SA to the DeleteSaList. - // - InsertTailList (&IkeSaSession->DeleteSaList, &ChildSaSession->ByDelete= ); - - // - // Change the Child SA Session's State to IKE_STATE_SA_DELETING. 
- // - DEBUG (( - DEBUG_INFO, - "\n------ChildSa Lifetime is out(SPI):(0x%x)------\n", - ChildSaSession->LocalPeerSpi - )); - } - - // - // TODO: Send the delete info packet or delete silently - // - mIkev2Exchange.NegotiateInfo ((UINT8 *) IkeSaSession, NULL); -} - -/** - This function will be called if the TimeOut Event is signaled. - - @param[in] Event The signaled Event. - @param[in] Context The data passed by caller. - -**/ -VOID -EFIAPI -Ikev2ResendNotify ( - IN EFI_EVENT Event, - IN VOID *Context - ) -{ - IPSEC_PRIVATE_DATA *Private; - IKEV2_SA_SESSION *IkeSaSession; - IKEV2_CHILD_SA_SESSION *ChildSaSession; - IKEV2_SESSION_COMMON *SessionCommon; - LIST_ENTRY *ChildSaEntry; - UINT8 Value; - EFI_STATUS Status; - - ASSERT (Context !=3D NULL); - IkeSaSession =3D NULL; - ChildSaSession =3D NULL; - SessionCommon =3D (IKEV2_SESSION_COMMON *) Context; - Private =3D SessionCommon->Private; - - // - // Remove the SA session from the processing list if exceed the max retr= y. - // - if (SessionCommon->RetryCount > IKE_MAX_RETRY) { - if (SessionCommon->IkeSessionType =3D=3D IkeSessionTypeIkeSa) { - IkeSaSession =3D IKEV2_SA_SESSION_FROM_COMMON (SessionCommon); - if (IkeSaSession->SessionCommon.State =3D=3D IkeStateSaDeleting) { - - // - // If the IkeSaSession is initiator, delete all its Child SAs befo= re removing IKE SA. - // If the IkesaSession is responder, all ChildSa has been remove i= n Ikev2HandleInfo(); - // - for (ChildSaEntry =3D IkeSaSession->ChildSaEstablishSessionList.Fo= rwardLink; - ChildSaEntry !=3D &IkeSaSession->ChildSaEstablishSessionList; - ) { - ChildSaSession =3D IKEV2_CHILD_SA_SESSION_BY_IKE_SA (ChildSaEntr= y); - // - // Move to next ChildSa Entry. - // - ChildSaEntry =3D ChildSaEntry->ForwardLink; - // - // Delete LocalSpi & RemoteSpi and remove the ChildSaSession fro= m the - // EstablishedChildSaList. 
- // - Ikev2ChildSaSilentDelete (IkeSaSession, ChildSaSession->LocalPee= rSpi); - } - - // - // If the IKE SA Delete Payload wasn't sent out successfully, Dele= te it from the EstablishedList. - // - Ikev2SaSessionRemove (&Private->Ikev2EstablishedList, &SessionComm= on->RemotePeerIp); - - if (Private !=3D NULL && Private->IsIPsecDisabling) { - // - // After all IKE SAs were deleted, set the IPSEC_STATUS_DISABL= ED value in - // IPsec status variable. - // - if (IsListEmpty (&Private->Ikev1EstablishedList) && IsListEmpt= y (&Private->Ikev2EstablishedList)) { - Value =3D IPSEC_STATUS_DISABLED; - Status =3D gRT->SetVariable ( - IPSECCONFIG_STATUS_NAME, - &gEfiIpSecConfigProtocolGuid, - EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIAB= LE_NON_VOLATILE, - sizeof (Value), - &Value - ); - if (!EFI_ERROR (Status)) { - // - // Set the Disabled Flag in Private data. - // - Private->IpSec.DisabledFlag =3D TRUE; - Private->IsIPsecDisabling =3D FALSE; - } - } - } - } else { - Ikev2SaSessionRemove (&Private->Ikev2SessionList, &SessionCommon->= RemotePeerIp); - } - Ikev2SaSessionFree (IkeSaSession); - - } else { - - // - // If the packet sent by Child SA. - // - ChildSaSession =3D IKEV2_CHILD_SA_SESSION_FROM_COMMON (SessionCommon= ); - IkeSaSession =3D ChildSaSession->IkeSaSession; - if (ChildSaSession->SessionCommon.State =3D=3D IkeStateSaDeleting) { - - // - // Established Child SA should be remove from the SAD entry and - // DeleteList. The function of Ikev2DeleteChildSaSilent() will rem= ove - // the childSA from the IkeSaSession->ChildSaEstablishedList. So t= here - // is no need to remove it here. 
- // - Ikev2ChildSaSilentDelete (IkeSaSession, ChildSaSession->LocalPeerS= pi); - Ikev2ChildSaSessionRemove ( - &IkeSaSession->DeleteSaList, - ChildSaSession->LocalPeerSpi, - IKEV2_DELET_CHILDSA_LIST - ); - } else { - Ikev2ChildSaSessionRemove ( - &IkeSaSession->ChildSaSessionList, - ChildSaSession->LocalPeerSpi, - IKEV2_ESTABLISHING_CHILDSA_LIST - ); - } - - Ikev2ChildSaSessionFree (ChildSaSession); - } - return ; - } - - // - // Increase the retry count. - // - SessionCommon->RetryCount++; - DEBUG ((DEBUG_INFO, ">>>Resending the last packet ...\n")); - - // - // Resend the last packet. - // - Ikev2SendIkePacket ( - SessionCommon->UdpService, - (UINT8*)SessionCommon, - SessionCommon->LastSentPacket, - 0 - ); -} - -/** - Copy ChildSaSession->Spd->Selector to ChildSaSession->SpdSelector. - - ChildSaSession->SpdSelector stores the real Spdselector for its SA. Some= time, - the SpdSelector in ChildSaSession is more accurated or the scope is smal= ler - than the one in ChildSaSession->Spd, especially for the tunnel mode. - - @param[in, out] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION relat= ed to. - - @retval EFI_SUCCESS The operation complete successfully. - @retval EFI_OUT_OF_RESOURCES If the required resource can't be allocat= ed. 
- -**/ -EFI_STATUS -Ikev2ChildSaSessionSpdSelectorCreate ( - IN OUT IKEV2_CHILD_SA_SESSION *ChildSaSession - ) -{ - EFI_STATUS Status; - - Status =3D EFI_SUCCESS; - - if (ChildSaSession->Spd !=3D NULL && ChildSaSession->Spd->Selector !=3D = NULL) { - if (ChildSaSession->SpdSelector =3D=3D NULL) { - ChildSaSession->SpdSelector =3D AllocateZeroPool (sizeof (EFI_IPSEC_= SPD_SELECTOR)); - if (ChildSaSession->SpdSelector =3D=3D NULL) { - Status =3D EFI_OUT_OF_RESOURCES; - return Status; - } - } - CopyMem ( - ChildSaSession->SpdSelector, - ChildSaSession->Spd->Selector, - sizeof (EFI_IPSEC_SPD_SELECTOR) - ); - ChildSaSession->SpdSelector->RemoteAddress =3D AllocateCopyPool ( - ChildSaSession->Spd->Se= lector->RemoteAddressCount * - sizeof (EFI_IP_ADDRESS_= INFO), - ChildSaSession->Spd->Se= lector->RemoteAddress - ); - if (ChildSaSession->SpdSelector->RemoteAddress =3D=3D NULL) { - Status =3D EFI_OUT_OF_RESOURCES; - - FreePool (ChildSaSession->SpdSelector); - - return Status; - } - - ChildSaSession->SpdSelector->LocalAddress =3D AllocateCopyPool ( - ChildSaSession->Spd->Sel= ector->LocalAddressCount * - sizeof (EFI_IP_ADDRESS_I= NFO), - ChildSaSession->Spd->Sel= ector->LocalAddress - ); - if (ChildSaSession->SpdSelector->LocalAddress =3D=3D NULL) { - Status =3D EFI_OUT_OF_RESOURCES; - - FreePool (ChildSaSession->SpdSelector->RemoteAddress); - - FreePool (ChildSaSession->SpdSelector); - - return Status; - } - - ChildSaSession->SpdSelector->RemoteAddressCount =3D ChildSaSession->Sp= d->Selector->RemoteAddressCount; - ChildSaSession->SpdSelector->LocalAddressCount =3D ChildSaSession->Spd= ->Selector->LocalAddressCount; - } - - return Status; -} - -/** - Generate a ChildSa Session and insert it into related IkeSaSession. - - @param[in] IkeSaSession Pointer to related IKEV2_SA_SESSION. - @param[in] UdpService Pointer to related IKE_UDP_SERVICE. - - @return pointer of IKEV2_CHILD_SA_SESSION. 
- -**/ -IKEV2_CHILD_SA_SESSION * -Ikev2ChildSaSessionCreate ( - IN IKEV2_SA_SESSION *IkeSaSession, - IN IKE_UDP_SERVICE *UdpService - ) -{ - IKEV2_CHILD_SA_SESSION *ChildSaSession; - IKEV2_SESSION_COMMON *ChildSaCommon; - - // - // Create a new ChildSaSession.Insert it into processing list and initia= te the common parameters. - // - ChildSaSession =3D Ikev2ChildSaSessionAlloc (UdpService, IkeSaSession); - if (ChildSaSession =3D=3D NULL) { - return NULL; - } - - // - // Set the specific parameters. - // - ChildSaSession->Spd =3D IkeSaSession->Spd; - ChildSaCommon =3D &ChildSaSession->SessionCommon; - ChildSaCommon->IsInitiator =3D IkeSaSession->SessionCommon.IsInitiator; - if (IkeSaSession->SessionCommon.State =3D=3D IkeStateAuth) { - ChildSaCommon->State =3D IkeStateAuth; - IKEV2_DUMP_STATE (ChildSaCommon->State, IkeStateAuth); - } else { - ChildSaCommon->State =3D IkeStateCreateChild; - IKEV2_DUMP_STATE (ChildSaCommon->State, IkeStateCreateChild); - } - - // - // If SPD->Selector is not NULL, copy it to the ChildSaSession->SpdSelec= tor. - // The ChildSaSession->SpdSelector might be changed after the traffic se= lector - // negoniation and it will be copied into the SAData after ChildSA estab= lished. 
- // - if (EFI_ERROR (Ikev2ChildSaSessionSpdSelectorCreate (ChildSaSession))) { - Ikev2ChildSaSessionFree (ChildSaSession); - return NULL; - } - - // - // Copy first NiBlock and NrBlock to ChildSa Session - // - ChildSaSession->NiBlock =3D AllocateZeroPool (IkeSaSession->NiBlkSize); - if (ChildSaSession->NiBlock =3D=3D NULL) { - Ikev2ChildSaSessionFree (ChildSaSession); - return NULL; - } - - ChildSaSession->NiBlkSize =3D IkeSaSession->NiBlkSize; - CopyMem (ChildSaSession->NiBlock, IkeSaSession->NiBlock, IkeSaSession->N= iBlkSize); - - ChildSaSession->NrBlock =3D AllocateZeroPool (IkeSaSession->NrBlkSize); - if (ChildSaSession->NrBlock =3D=3D NULL) { - Ikev2ChildSaSessionFree (ChildSaSession); - return NULL; - } - - ChildSaSession->NrBlkSize =3D IkeSaSession->NrBlkSize; - CopyMem (ChildSaSession->NrBlock, IkeSaSession->NrBlock, IkeSaSession->N= rBlkSize); - - // - // Only if the Create Child SA is called for the IKE_INIT Exchange and - // IkeSaSession is initiator (Only Initiator's SPD is not NULL), Set the - // Traffic Selectors related information here. - // - if (IkeSaSession->SessionCommon.State =3D=3D IkeStateAuth && IkeSaSessio= n->Spd !=3D NULL) { - ChildSaSession->ProtoId =3D IkeSaSession->Spd->Selector->NextLayerProt= ocol; - ChildSaSession->LocalPort =3D IkeSaSession->Spd->Selector->LocalPort; - ChildSaSession->RemotePort =3D IkeSaSession->Spd->Selector->RemotePort; - } - - // - // Insert the new ChildSaSession into processing child SA list. - // - Ikev2ChildSaSessionInsert (&IkeSaSession->ChildSaSessionList, ChildSaSes= sion); - return ChildSaSession; -} - -/** - Check if the SPD is related to the input Child SA Session. - - This function is the subfunction of Ikev1AssociateSpdEntry(). It is the = call - back function of IpSecVisitConfigData(). - - - @param[in] Type Type of the input Config Selector. - @param[in] Selector Pointer to the Configure Selector to be c= hecked. 
- @param[in] Data Pointer to the Configure Selector's Data = passed - from the caller. - @param[in] SelectorSize The buffer size of Selector. - @param[in] DataSize The buffer size of the Data. - @param[in] Context The data passed from the caller. It is a = Child - SA Session in this context. - - @retval EFI_SUCCESS The SPD Selector is not related to the Child = SA Session. - @retval EFI_ABORTED The SPD Selector is related to the Child SA s= ession and - set the ChildSaSession->Spd to point to this = SPD Selector. - -**/ -EFI_STATUS -Ikev2MatchSpdEntry ( - IN EFI_IPSEC_CONFIG_DATA_TYPE Type, - IN EFI_IPSEC_CONFIG_SELECTOR *Selector, - IN VOID *Data, - IN UINTN SelectorSize, - IN UINTN DataSize, - IN VOID *Context - ) -{ - IKEV2_CHILD_SA_SESSION *ChildSaSession; - EFI_IPSEC_SPD_SELECTOR *SpdSelector; - EFI_IPSEC_SPD_DATA *SpdData; - BOOLEAN IsMatch; - UINT8 IpVersion; - - ASSERT (Type =3D=3D IPsecConfigDataTypeSpd); - SpdData =3D (EFI_IPSEC_SPD_DATA *) Data; - // - // Bypass all non-protect SPD entry first - // - if (SpdData->Action !=3D EfiIPsecActionProtect) { - return EFI_SUCCESS; - } - - ChildSaSession =3D (IKEV2_CHILD_SA_SESSION *) Context; - IpVersion =3D ChildSaSession->SessionCommon.UdpService->IpVersion; - SpdSelector =3D (EFI_IPSEC_SPD_SELECTOR *) Selector; - IsMatch =3D TRUE; - - if (SpdSelector->NextLayerProtocol =3D=3D EFI_IP_PROTO_UDP && - SpdSelector->LocalPort =3D=3D IKE_DEFAULT_PORT && - SpdSelector->LocalPortRange =3D=3D 0 && - SpdSelector->RemotePort =3D=3D IKE_DEFAULT_PORT && - SpdSelector->RemotePortRange =3D=3D 0 - ) { - // - // TODO: Skip IKE Policy here or set a SPD entry? 
- // - return EFI_SUCCESS; - } - - if (SpdSelector->NextLayerProtocol !=3D EFI_IPSEC_ANY_PROTOCOL && - SpdSelector->NextLayerProtocol !=3D ChildSaSession->ProtoId - ) { - IsMatch =3D FALSE; - } - - if (SpdSelector->LocalPort !=3D EFI_IPSEC_ANY_PORT && SpdSelector->Local= Port !=3D ChildSaSession->LocalPort) { - IsMatch =3D FALSE; - } - - if (SpdSelector->RemotePort !=3D EFI_IPSEC_ANY_PORT && SpdSelector->Remo= tePort !=3D ChildSaSession->RemotePort) { - IsMatch =3D FALSE; - } - - IsMatch =3D (BOOLEAN) (IsMatch && - IpSecMatchIpAddress ( - IpVersion, - &ChildSaSession->SessionCommon.LocalPeerIp, - SpdSelector->LocalAddress, - SpdSelector->LocalAddressCount - )); - - IsMatch =3D (BOOLEAN) (IsMatch && - IpSecMatchIpAddress ( - IpVersion, - &ChildSaSession->SessionCommon.RemotePeerIp, - SpdSelector->RemoteAddress, - SpdSelector->RemoteAddressCount - )); - - if (IsMatch) { - ChildSaSession->Spd =3D IkeSearchSpdEntry (SpdSelector); - return EFI_ABORTED; - } else { - return EFI_SUCCESS; - } -} - -/** - Check if the Algorithm ID is supported. - - @param[in] AlgorithmId The specified Algorithm ID. - @param[in] Type The type used to indicate the Algorithm is for E= ncrypt or - Authentication. - - @retval TRUE If the Algorithm ID is supported. - @retval FALSE If the Algorithm ID is not supported. 
- -**/ -BOOLEAN -Ikev2IsSupportAlg ( - IN UINT16 AlgorithmId, - IN UINT8 Type - ) -{ - UINT8 Index; - switch (Type) { - case IKE_ENCRYPT_TYPE : - for (Index =3D 0; Index < IKEV2_SUPPORT_ENCRYPT_ALGORITHM_NUM; Index++= ) { - if (mIkev2EncryptAlgorithmList[Index] =3D=3D AlgorithmId) { - return TRUE; - } - } - break; - - case IKE_AUTH_TYPE : - for (Index =3D 0; Index < IKEV2_SUPPORT_AUTH_ALGORITHM_NUM; Index++) { - if (mIkev2AuthAlgorithmList[Index] =3D=3D AlgorithmId) { - return TRUE; - } - } - break; - - case IKE_DH_TYPE : - for (Index =3D 0; Index < IKEV2_SUPPORT_DH_ALGORITHM_NUM; Index++) { - if (mIkev2DhGroupAlgorithmList[Index] =3D=3D AlgorithmId) { - return TRUE; - } - } - break; - - case IKE_PRF_TYPE : - for (Index =3D 0; Index < IKEV2_SUPPORT_PRF_ALGORITHM_NUM; Index++) { - if (mIkev2PrfAlgorithmList[Index] =3D=3D AlgorithmId) { - return TRUE; - } - } - } - return FALSE; -} - -/** - Get the preferred algorithm types from ProposalData. - - @param[in] ProposalData Pointer to related IKEV2_PROPO= SAL_DATA. - @param[in, out] PreferEncryptAlgorithm Pointer to buffer which is use= d to store the - preferred encrypt algorithm. - Input value shall be initializ= ed to zero that - indicates to be parsed from Pr= oposalData. - Output of preferred encrypt al= gorithm. - @param[in, out] PreferIntegrityAlgorithm Pointer to buffer which is use= d to store the - preferred integrity algorithm. - Input value shall be initializ= ed to zero that - indicates to be parsed from Pr= oposalData. - Output of preferred integrity = algorithm. - @param[in, out] PreferPrfAlgorithm Pointer to buffer which is use= d to store the - preferred PRF algorithm. - Input value shall be initializ= ed to zero that - indicates to be parsed from Pr= oposalData. - Output of preferred PRF algori= thm. Only - for IKE SA. - @param[in, out] PreferDhGroup Pointer to buffer which is use= d to store the - preferred DH group. 
- Input value shall be initializ= ed to zero that - indicates to be parsed from Pr= oposalData. - Output of preferred DH group. = Only for - IKE SA. - @param[out] PreferEncryptKeylength Pointer to buffer which is use= d to store the - preferred encrypt key length i= n bytes. - @param[out] IsSupportEsn Pointer to buffer which is use= d to store the - value about the Extented Seque= nce Number is - support or not. Only for Child= SA. - @param[in] IsChildSa If it is ture, the ProposalDat= a is for IKE - SA. Otherwise the proposalData= is for Child SA. - -**/ -VOID -Ikev2ParseProposalData ( - IN IKEV2_PROPOSAL_DATA *ProposalData, - IN OUT UINT16 *PreferEncryptAlgorithm, - IN OUT UINT16 *PreferIntegrityAlgorithm, - IN OUT UINT16 *PreferPrfAlgorithm, - IN OUT UINT16 *PreferDhGroup, - OUT UINTN *PreferEncryptKeylength, - OUT BOOLEAN *IsSupportEsn, - IN BOOLEAN IsChildSa -) -{ - IKEV2_TRANSFORM_DATA *TransformData; - UINT8 TransformIndex; - - // - // Check input parameters. - // - if (ProposalData =3D=3D NULL || - PreferEncryptAlgorithm =3D=3D NULL || - PreferIntegrityAlgorithm =3D=3D NULL || - PreferEncryptKeylength =3D=3D NULL - ) { - return; - } - - if (IsChildSa) { - if (IsSupportEsn =3D=3D NULL) { - return; - } - } else { - if (PreferPrfAlgorithm =3D=3D NULL || PreferDhGroup =3D=3D NULL) { - return; - } - } - - TransformData =3D (IKEV2_TRANSFORM_DATA *)(ProposalData + 1); - for (TransformIndex =3D 0; TransformIndex < ProposalData->NumTransforms;= TransformIndex++) { - switch (TransformData->TransformType) { - // - // For IKE SA there are four algorithm types. Encryption Algorithm, Ps= eudo-random Function, - // Integrity Algorithm, Diffie-Hellman Group. For Child SA, there are = three algorithm types. - // Encryption Algorithm, Integrity Algorithm, Extended Sequence Number. - // - case IKEV2_TRANSFORM_TYPE_ENCR: - if (*PreferEncryptAlgorithm =3D=3D 0 && Ikev2IsSupportAlg (Transform= Data->TransformId, IKE_ENCRYPT_TYPE)) { - // - // Check the attribute value. 
According to RFC, only Keylength is = support. - // - if (TransformData->Attribute.AttrType =3D=3D IKEV2_ATTRIBUTE_TYPE_= KEYLEN) { - // - // If the Keylength is not support, continue to check the next o= ne. - // - if (IpSecGetEncryptKeyLength ((UINT8)TransformData->TransformId)= !=3D (UINTN)(TransformData->Attribute.Attr.AttrValue >> 3)){ - break; - } else { - *PreferEncryptKeylength =3D TransformData->Attribute.Attr.Attr= Value; - } - } - *PreferEncryptAlgorithm =3D TransformData->TransformId; - } - break; - - case IKEV2_TRANSFORM_TYPE_PRF : - if (!IsChildSa) { - if (*PreferPrfAlgorithm =3D=3D 0 && Ikev2IsSupportAlg (TransformDa= ta->TransformId, IKE_PRF_TYPE)) { - *PreferPrfAlgorithm =3D TransformData->TransformId; - } - } - break; - - case IKEV2_TRANSFORM_TYPE_INTEG : - if (*PreferIntegrityAlgorithm =3D=3D 0 && Ikev2IsSupportAlg (Transfo= rmData->TransformId, IKE_AUTH_TYPE)) { - *PreferIntegrityAlgorithm =3D TransformData->TransformId; - } - break; - - case IKEV2_TRANSFORM_TYPE_DH : - if (!IsChildSa) { - if (*PreferDhGroup =3D=3D 0 && Ikev2IsSupportAlg (TransformData->T= ransformId, IKE_DH_TYPE)) { - *PreferDhGroup =3D TransformData->TransformId; - } - } - break; - - case IKEV2_TRANSFORM_TYPE_ESN : - if (IsChildSa) { - if (TransformData->TransformId !=3D 0) { - *IsSupportEsn =3D TRUE; - } - } - break; - - default: - break; - } - TransformData =3D (IKEV2_TRANSFORM_DATA *)(TransformData + 1); - } -} - -/** - Parse the received Initial Exchange Packet. - - This function parse the SA Payload and Key Payload to find out the crypt= ographic - suite for the further IKE negotiation and fill it into the IKE SA Sessio= n's - CommonSession->SaParams. - - @param[in, out] IkeSaSession Pointer to related IKEV2_SA_SESSION. - @param[in] SaPayload The received packet. - @param[in] Type The received packet IKE header flag. - - @retval TRUE If the SA proposal in Packet is acceptabl= e. - @retval FALSE If the SA proposal in Packet is not accep= table. 
- -**/ -BOOLEAN -Ikev2SaParseSaPayload ( - IN OUT IKEV2_SA_SESSION *IkeSaSession, - IN IKE_PAYLOAD *SaPayload, - IN UINT8 Type - ) -{ - IKEV2_PROPOSAL_DATA *ProposalData; - UINT8 ProposalIndex; - UINT16 PreferEncryptAlgorithm; - UINT16 PreferIntegrityAlgorithm; - UINT16 PreferPrfAlgorithm; - UINT16 PreferDhGroup; - UINTN PreferEncryptKeylength; - UINT16 EncryptAlgorithm; - UINT16 IntegrityAlgorithm; - UINT16 PrfAlgorithm; - UINT16 DhGroup; - UINTN EncryptKeylength; - BOOLEAN IsMatch; - UINTN SaDataSize; - - PreferPrfAlgorithm =3D 0; - PreferIntegrityAlgorithm =3D 0; - PreferDhGroup =3D 0; - PreferEncryptAlgorithm =3D 0; - PreferEncryptKeylength =3D 0; - PrfAlgorithm =3D 0; - IntegrityAlgorithm =3D 0; - DhGroup =3D 0; - EncryptAlgorithm =3D 0; - EncryptKeylength =3D 0; - IsMatch =3D FALSE; - - if (Type =3D=3D IKE_HEADER_FLAGS_INIT) { - ProposalData =3D (IKEV2_PROPOSAL_DATA *)((IKEV2_SA_DATA *)SaPayload-= >PayloadBuf + 1); - for (ProposalIndex =3D 0; ProposalIndex < ((IKEV2_SA_DATA *)SaPayload-= >PayloadBuf)->NumProposals; ProposalIndex++) { - // - // Iterate each proposal to find the perfered one. - // - if (ProposalData->ProtocolId =3D=3D IPSEC_PROTO_ISAKMP && ProposalDa= ta->NumTransforms >=3D 4) { - // - // Get the preferred algorithms. - // - Ikev2ParseProposalData ( - ProposalData, - &PreferEncryptAlgorithm, - &PreferIntegrityAlgorithm, - &PreferPrfAlgorithm, - &PreferDhGroup, - &PreferEncryptKeylength, - NULL, - FALSE - ); - - if (PreferEncryptAlgorithm !=3D 0 && - PreferIntegrityAlgorithm !=3D 0 && - PreferPrfAlgorithm !=3D 0 && - PreferDhGroup !=3D 0 - ) { - // - // Find the matched one. 
- // - IkeSaSession->SessionCommon.SaParams =3D AllocateZeroPool (siz= eof (IKEV2_SA_PARAMS)); - if (IkeSaSession->SessionCommon.SaParams =3D=3D NULL) { - return FALSE; - } - - IkeSaSession->SessionCommon.SaParams->EncAlgId =3D PreferEnc= ryptAlgorithm; - IkeSaSession->SessionCommon.SaParams->EnckeyLen =3D PreferEnc= ryptKeylength; - IkeSaSession->SessionCommon.SaParams->DhGroup =3D PreferDhG= roup; - IkeSaSession->SessionCommon.SaParams->Prf =3D PreferPrf= Algorithm; - IkeSaSession->SessionCommon.SaParams->IntegAlgId =3D PreferInt= egrityAlgorithm; - IkeSaSession->SessionCommon.PreferDhGroup =3D PreferDhG= roup; - - // - // Save the matched one in IKEV2_SA_DATA for furthure calculat= ion. - // - SaDataSize =3D sizeof (IKEV2_SA_DATA) + - sizeof (IKEV2_PROPOSAL_DATA) + - sizeof (IKEV2_TRANSFORM_DATA) * 4; - IkeSaSession->SaData =3D AllocateZeroPool (SaDataSize); - if (IkeSaSession->SaData =3D=3D NULL) { - FreePool (IkeSaSession->SessionCommon.SaParams); - return FALSE; - } - - IkeSaSession->SaData->NumProposals =3D 1; - - // - // BUGBUG: Suppose the matched proposal only has 4 transforms.= If - // The matched Proposal has more than 4 transforms means it co= ntains - // one than one transform with same type. - // - CopyMem ( - (IKEV2_PROPOSAL_DATA *) (IkeSaSession->SaData + 1), - ProposalData, - SaDataSize - sizeof (IKEV2_SA_DATA) - ); - - ((IKEV2_PROPOSAL_DATA *) (IkeSaSession->SaData + 1))->Proposal= Index =3D 1; - - return TRUE; - } else { - PreferEncryptAlgorithm =3D 0; - PreferIntegrityAlgorithm =3D 0; - PreferPrfAlgorithm =3D 0; - PreferDhGroup =3D 0; - PreferEncryptKeylength =3D 0; - } - } - // - // Point to next Proposal. - // - ProposalData =3D (IKEV2_PROPOSAL_DATA*)((UINT8*)(ProposalData + 1) + - ProposalData->NumTransforms * sizeof (IKEV2_TRANSFORM= _DATA)); - } - } else if (Type =3D=3D IKE_HEADER_FLAGS_RESPOND) { - // - // First check the SA proposal's ProtoctolID and Transform Numbers. 
Si= nce it is - // the responded SA proposal, suppose it only has one proposal and the= transform Numbers - // is 4. - // - ProposalData =3D (IKEV2_PROPOSAL_DATA *)((IKEV2_SA_DATA *) SaPayload-= >PayloadBuf + 1); - if (ProposalData->ProtocolId !=3D IPSEC_PROTO_ISAKMP || ProposalData->= NumTransforms !=3D 4) { - return FALSE; - } - // - // Get the preferred algorithms. - // - Ikev2ParseProposalData ( - ProposalData, - &PreferEncryptAlgorithm, - &PreferIntegrityAlgorithm, - &PreferPrfAlgorithm, - &PreferDhGroup, - &PreferEncryptKeylength, - NULL, - FALSE - ); - // - // Check if the Sa proposal data from received packet is in the IkeSaS= ession->SaData. - // - ProposalData =3D (IKEV2_PROPOSAL_DATA *) (IkeSaSession->SaData + 1); - - for (ProposalIndex =3D 0; ProposalIndex < IkeSaSession->SaData->NumPro= posals && (!IsMatch); ProposalIndex++) { - Ikev2ParseProposalData ( - ProposalData, - &EncryptAlgorithm, - &IntegrityAlgorithm, - &PrfAlgorithm, - &DhGroup, - &EncryptKeylength, - NULL, - FALSE - ); - if (EncryptAlgorithm =3D=3D PreferEncryptAlgorithm && - EncryptKeylength =3D=3D PreferEncryptKeylength && - IntegrityAlgorithm =3D=3D PreferIntegrityAlgorithm && - PrfAlgorithm =3D=3D PreferPrfAlgorithm && - DhGroup =3D=3D PreferDhGroup - ) { - IsMatch =3D TRUE; - } else { - EncryptAlgorithm =3D 0; - IntegrityAlgorithm =3D 0; - PrfAlgorithm =3D 0; - DhGroup =3D 0; - EncryptKeylength =3D 0; - } - - ProposalData =3D (IKEV2_PROPOSAL_DATA*)((UINT8*)(ProposalData + 1) + - ProposalData->NumTransforms * sizeof (IKEV2_TRANSFORM= _DATA)); - } - - if (IsMatch) { - IkeSaSession->SessionCommon.SaParams =3D AllocateZeroPool (sizeof = (IKEV2_SA_PARAMS)); - if (IkeSaSession->SessionCommon.SaParams =3D=3D NULL) { - return FALSE; - } - - IkeSaSession->SessionCommon.SaParams->EncAlgId =3D PreferEncrypt= Algorithm; - IkeSaSession->SessionCommon.SaParams->EnckeyLen =3D PreferEncrypt= Keylength; - IkeSaSession->SessionCommon.SaParams->DhGroup =3D PreferDhGroup; - 
IkeSaSession->SessionCommon.SaParams->Prf =3D PreferPrfAlgo= rithm; - IkeSaSession->SessionCommon.SaParams->IntegAlgId =3D PreferIntegri= tyAlgorithm; - IkeSaSession->SessionCommon.PreferDhGroup =3D PreferDhGroup; - - return TRUE; - } - } - - return FALSE; -} - -/** - Parse the received Authentication Exchange Packet. - - This function parse the SA Payload and Key Payload to find out the crypt= ographic - suite for the ESP and fill it into the Child SA Session's CommonSession-= >SaParams. - - @param[in, out] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION relat= ed to - this Authentication Exchange. - @param[in] SaPayload The received packet. - @param[in] Type The IKE header's flag of received packe= t . - - @retval TRUE If the SA proposal in Packet is accepta= ble. - @retval FALSE If the SA proposal in Packet is not acc= eptable. - -**/ -BOOLEAN -Ikev2ChildSaParseSaPayload ( - IN OUT IKEV2_CHILD_SA_SESSION *ChildSaSession, - IN IKE_PAYLOAD *SaPayload, - IN UINT8 Type - ) -{ - IKEV2_PROPOSAL_DATA *ProposalData; - UINT8 ProposalIndex; - UINT16 PreferEncryptAlgorithm; - UINT16 PreferIntegrityAlgorithm; - UINTN PreferEncryptKeylength; - BOOLEAN PreferIsSupportEsn; - UINT16 EncryptAlgorithm; - UINT16 IntegrityAlgorithm; - UINTN EncryptKeylength; - BOOLEAN IsSupportEsn; - BOOLEAN IsMatch; - UINTN SaDataSize; - - - PreferIntegrityAlgorithm =3D 0; - PreferEncryptAlgorithm =3D 0; - PreferEncryptKeylength =3D 0; - IntegrityAlgorithm =3D 0; - EncryptAlgorithm =3D 0; - EncryptKeylength =3D 0; - IsMatch =3D FALSE; - IsSupportEsn =3D FALSE; - PreferIsSupportEsn =3D FALSE; - - if (Type =3D=3D IKE_HEADER_FLAGS_INIT) { - ProposalData =3D (IKEV2_PROPOSAL_DATA *)((IKEV2_SA_DATA *) SaPayload= ->PayloadBuf + 1); - for (ProposalIndex =3D 0; ProposalIndex < ((IKEV2_SA_DATA *) SaPayload= ->PayloadBuf)->NumProposals; ProposalIndex++) { - // - // Iterate each proposal to find the preferred one. 
- // - if (ProposalData->ProtocolId =3D=3D IPSEC_PROTO_IPSEC_ESP && Proposa= lData->NumTransforms >=3D 3) { - // - // Get the preferred algorithm. - // - Ikev2ParseProposalData ( - ProposalData, - &PreferEncryptAlgorithm, - &PreferIntegrityAlgorithm, - NULL, - NULL, - &PreferEncryptKeylength, - &IsSupportEsn, - TRUE - ); - // - // Don't support the ESN now. - // - if (PreferEncryptAlgorithm !=3D 0 && - PreferIntegrityAlgorithm !=3D 0 && - !IsSupportEsn - ) { - // - // Find the matched one. - // - ChildSaSession->SessionCommon.SaParams =3D AllocateZeroPool (siz= eof (IKEV2_SA_PARAMS)); - if (ChildSaSession->SessionCommon.SaParams =3D=3D NULL) { - return FALSE; - } - - ChildSaSession->SessionCommon.SaParams->EncAlgId =3D PreferEnc= ryptAlgorithm; - ChildSaSession->SessionCommon.SaParams->EnckeyLen =3D PreferEnc= ryptKeylength; - ChildSaSession->SessionCommon.SaParams->IntegAlgId =3D PreferInt= egrityAlgorithm; - CopyMem (&ChildSaSession->RemotePeerSpi, ProposalData->Spi, size= of (ChildSaSession->RemotePeerSpi)); - - // - // Save the matched one in IKEV2_SA_DATA for furthure calculatio= n. - // - SaDataSize =3D sizeof (IKEV2_SA_DATA) + - sizeof (IKEV2_PROPOSAL_DATA) + - sizeof (IKEV2_TRANSFORM_DATA) * 4; - - ChildSaSession->SaData =3D AllocateZeroPool (SaDataSize); - if (ChildSaSession->SaData =3D=3D NULL) { - FreePool (ChildSaSession->SessionCommon.SaParams); - return FALSE; - } - - ChildSaSession->SaData->NumProposals =3D 1; - - // - // BUGBUG: Suppose there are 4 transforms in the matched proposa= l. If - // the matched Proposal has more than 4 transforms that means th= ere - // are more than one transform with same type. 
- // - CopyMem ( - (IKEV2_PROPOSAL_DATA *) (ChildSaSession->SaData + 1), - ProposalData, - SaDataSize - sizeof (IKEV2_SA_DATA) - ); - - ((IKEV2_PROPOSAL_DATA *) (ChildSaSession->SaData + 1))->Proposal= Index =3D 1; - - ((IKEV2_PROPOSAL_DATA *) (ChildSaSession->SaData + 1))->Spi =3D = AllocateCopyPool ( - = sizeof (ChildSaSession->LocalPeerSpi), - = &ChildSaSession->LocalPeerSpi - = ); - if (((IKEV2_PROPOSAL_DATA *) (ChildSaSession->SaData + 1))->Spi = =3D=3D NULL) { - FreePool (ChildSaSession->SessionCommon.SaParams); - - FreePool (ChildSaSession->SaData ); - - return FALSE; - } - - return TRUE; - - } else { - PreferEncryptAlgorithm =3D 0; - PreferIntegrityAlgorithm =3D 0; - IsSupportEsn =3D TRUE; - } - } - // - // Point to next Proposal - // - ProposalData =3D (IKEV2_PROPOSAL_DATA *)((UINT8 *)(ProposalData + 1)= + - ProposalData->NumTransforms * sizeof (IKEV2_TRANSFORM= _DATA)); - } - } else if (Type =3D=3D IKE_HEADER_FLAGS_RESPOND) { - // - // First check the SA proposal's ProtoctolID and Transform Numbers. Si= nce it is - // the responded SA proposal, suppose it only has one proposal and the= transform Numbers - // is 3. - // - ProposalData =3D (IKEV2_PROPOSAL_DATA *)((IKEV2_SA_DATA *)SaPayload->= PayloadBuf + 1); - if (ProposalData->ProtocolId !=3D IPSEC_PROTO_IPSEC_ESP || ProposalDat= a->NumTransforms !=3D 3) { - return FALSE; - } - // - // Get the preferred algorithms. 
- // - Ikev2ParseProposalData ( - ProposalData, - &PreferEncryptAlgorithm, - &PreferIntegrityAlgorithm, - NULL, - NULL, - &PreferEncryptKeylength, - &PreferIsSupportEsn, - TRUE - ); - - ProposalData =3D (IKEV2_PROPOSAL_DATA *) (ChildSaSession->SaData + 1); - - for (ProposalIndex =3D 0; ProposalIndex < ChildSaSession->SaData->NumP= roposals && (!IsMatch); ProposalIndex++) { - Ikev2ParseProposalData ( - ProposalData, - &EncryptAlgorithm, - &IntegrityAlgorithm, - NULL, - NULL, - &EncryptKeylength, - &IsSupportEsn, - TRUE - ); - if (EncryptAlgorithm =3D=3D PreferEncryptAlgorithm && - EncryptKeylength =3D=3D PreferEncryptKeylength && - IntegrityAlgorithm =3D=3D PreferIntegrityAlgorithm && - IsSupportEsn =3D=3D PreferIsSupportEsn - ) { - IsMatch =3D TRUE; - } else { - IntegrityAlgorithm =3D 0; - EncryptAlgorithm =3D 0; - EncryptKeylength =3D 0; - IsSupportEsn =3D FALSE; - } - ProposalData =3D (IKEV2_PROPOSAL_DATA*)((UINT8*)(ProposalData + 1) + - ProposalData->NumTransforms * sizeof (IKEV2_TRANSFORM= _DATA)); - } - - ProposalData =3D (IKEV2_PROPOSAL_DATA *)((IKEV2_SA_DATA *)SaPayload->= PayloadBuf + 1); - if (IsMatch) { - ChildSaSession->SessionCommon.SaParams =3D AllocateZeroPool (sizeo= f (IKEV2_SA_PARAMS)); - if (ChildSaSession->SessionCommon.SaParams =3D=3D NULL) { - return FALSE; - } - - ChildSaSession->SessionCommon.SaParams->EncAlgId =3D PreferEncry= ptAlgorithm; - ChildSaSession->SessionCommon.SaParams->EnckeyLen =3D PreferEncry= ptKeylength; - ChildSaSession->SessionCommon.SaParams->IntegAlgId =3D PreferInteg= rityAlgorithm; - CopyMem (&ChildSaSession->RemotePeerSpi, ProposalData->Spi, sizeof= (ChildSaSession->RemotePeerSpi)); - - return TRUE; - } - } - return FALSE; -} - -/** - Generate Key buffer from fragments. - - If the digest length of specified HashAlgId is larger than or equal with= the - required output key length, derive the key directly. 
Otherwise, Key Mate= rial - needs to be PRF-based concatenation according to 2.13 of RFC 4306: - prf+ (K,S) =3D T1 | T2 | T3 | T4 | ..., T1 =3D prf (K, S | 0x01), - T2 =3D prf (K, T1 | S | 0x02), T3 =3D prf (K, T2 | S | 0x03),T4 =3D prf = (K, T3 | S | 0x04) - then derive the key from this key material. - - @param[in] HashAlgId The Hash Algorithm ID used to generate= key. - @param[in] HashKey Pointer to a key buffer which contains= hash key. - @param[in] HashKeyLength The length of HashKey in bytes. - @param[in, out] OutputKey Pointer to buffer which is used to rec= eive the - output key. - @param[in] OutputKeyLength The length of OutPutKey buffer. - @param[in] Fragments Pointer to the data to be used to gene= rate key. - @param[in] NumFragments The numbers of the Fragement. - - @retval EFI_SUCCESS The operation complete successfully. - @retval EFI_INVALID_PARAMETER If NumFragments is zero. - If the authentication algorithm given by = HashAlgId - cannot be found. - @retval EFI_OUT_OF_RESOURCES If the required resource can't be allocat= ed. - @retval Others The operation is failed. 
- -**/ -EFI_STATUS -Ikev2SaGenerateKey ( - IN UINT8 HashAlgId, - IN UINT8 *HashKey, - IN UINTN HashKeyLength, - IN OUT UINT8 *OutputKey, - IN UINTN OutputKeyLength, - IN PRF_DATA_FRAGMENT *Fragments, - IN UINTN NumFragments - ) -{ - EFI_STATUS Status; - PRF_DATA_FRAGMENT LocalFragments[3]; - UINT8 *Digest; - UINTN DigestSize; - UINTN Round; - UINTN Index; - UINTN AuthKeyLength; - UINTN FragmentsSize; - UINT8 TailData; - - Status =3D EFI_SUCCESS; - - if (NumFragments =3D=3D 0) { - return EFI_INVALID_PARAMETER; - } - - LocalFragments[0].Data =3D NULL; - LocalFragments[1].Data =3D NULL; - LocalFragments[2].Data =3D NULL; - - AuthKeyLength =3D IpSecGetHmacDigestLength (HashAlgId); - if (AuthKeyLength =3D=3D 0) { - return EFI_INVALID_PARAMETER; - } - - DigestSize =3D AuthKeyLength; - Digest =3D AllocateZeroPool (AuthKeyLength); - - if (Digest =3D=3D NULL) { - return EFI_OUT_OF_RESOURCES; - } - // - // If the required output key length is less than the digest size, - // copy the digest into OutputKey. - // - if (OutputKeyLength <=3D DigestSize) { - Status =3D IpSecCryptoIoHmac ( - HashAlgId, - HashKey, - HashKeyLength, - (HASH_DATA_FRAGMENT *) Fragments, - NumFragments, - Digest, - DigestSize - ); - if (EFI_ERROR (Status)) { - goto Exit; - } - - CopyMem (OutputKey, Digest, OutputKeyLength); - goto Exit; - } - - // - //Otherwise, Key Material need to be PRF-based concatenation according t= o 2.13 - //of RFC 4306: prf+ (K,S) =3D T1 | T2 | T3 | T4 | ..., T1 =3D prf (K, S = | 0x01), - //T2 =3D prf (K, T1 | S | 0x02), T3 =3D prf (K, T2 | S | 0x03),T4 =3D pr= f (K, T3 | S | 0x04) - //then derive the key from this key material. 
- // - FragmentsSize =3D 0; - for (Index =3D 0; Index < NumFragments; Index++) { - FragmentsSize =3D FragmentsSize + Fragments[Index].DataSize; - } - - LocalFragments[1].Data =3D AllocateZeroPool (FragmentsSize); - if (LocalFragments[1].Data =3D=3D NULL) { - Status =3D EFI_OUT_OF_RESOURCES; - goto Exit; - } - - LocalFragments[1].DataSize =3D FragmentsSize; - - // - // Copy all input fragments into LocalFragments[1]; - // - FragmentsSize =3D 0; - for (Index =3D 0; Index < NumFragments; Index++) { - CopyMem ( - LocalFragments[1].Data + FragmentsSize, - Fragments[Index].Data, - Fragments[Index].DataSize - ); - FragmentsSize =3D FragmentsSize + Fragments[Index].DataSize; - } - - // - // Prepare 0x01 as the first tail data. - // - TailData =3D 0x01; - LocalFragments[2].Data =3D &TailData; - LocalFragments[2].DataSize =3D sizeof (TailData); - // - // Allocate buffer for the first fragment - // - LocalFragments[0].Data =3D AllocateZeroPool (AuthKeyLength); - if (LocalFragments[0].Data =3D=3D NULL) { - Status =3D EFI_OUT_OF_RESOURCES; - goto Exit; - } - - LocalFragments[0].DataSize =3D AuthKeyLength; - - Round =3D (OutputKeyLength - 1) / AuthKeyLength + 1; - for (Index =3D 0; Index < Round; Index++) { - Status =3D IpSecCryptoIoHmac ( - HashAlgId, - HashKey, - HashKeyLength, - (HASH_DATA_FRAGMENT *)(Index =3D=3D 0 ? &LocalFragments[1] = : LocalFragments), - Index =3D=3D 0 ? 2 : 3, - Digest, - DigestSize - ); - if (EFI_ERROR(Status)) { - goto Exit; - } - CopyMem ( - LocalFragments[0].Data, - Digest, - DigestSize - ); - if (OutputKeyLength > DigestSize * (Index + 1)) { - CopyMem ( - OutputKey + Index * DigestSize, - Digest, - DigestSize - ); - LocalFragments[0].DataSize =3D DigestSize; - TailData ++; - } else { - // - // The last round - // - CopyMem ( - OutputKey + Index * DigestSize, - Digest, - OutputKeyLength - Index * DigestSize - ); - } - } - -Exit: - // - // Only First and second Framgement Data need to be freed. 
- // - for (Index =3D 0 ; Index < 2; Index++) { - if (LocalFragments[Index].Data !=3D NULL) { - FreePool (LocalFragments[Index].Data); - } - } - if (Digest !=3D NULL) { - FreePool (Digest); - } - return Status; -} - diff --git a/NetworkPkg/IpSecDxe/Ikev2/Utility.h b/NetworkPkg/IpSecDxe/Ikev= 2/Utility.h deleted file mode 100644 index ee466c05ac..0000000000 --- a/NetworkPkg/IpSecDxe/Ikev2/Utility.h +++ /dev/null @@ -1,1061 +0,0 @@ -/** @file - The interfaces of IKE/Child session operations and payload related opera= tions - used by IKE Exchange Process. - - Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.
- - SPDX-License-Identifier: BSD-2-Clause-Patent - -**/ - -#ifndef _IKE_V2_UTILITY_H_ -#define _IKE_V2_UTILITY_H_ - -#include "Ikev2.h" -#include "IkeCommon.h" -#include "IpSecCryptIo.h" - -#include - -#define IKEV2_SUPPORT_ENCRYPT_ALGORITHM_NUM 2 -#define IKEV2_SUPPORT_PRF_ALGORITHM_NUM 1 -#define IKEV2_SUPPORT_DH_ALGORITHM_NUM 2 -#define IKEV2_SUPPORT_AUTH_ALGORITHM_NUM 1 - -/** - Allocate buffer for IKEV2_SA_SESSION and initialize it. - - @param[in] Private Pointer to IPSEC_PRIVATE_DATA. - @param[in] UdpService Pointer to IKE_UDP_SERVICE related to this IKE= SA Session. - - @return Pointer to IKEV2_SA_SESSION. - -**/ -IKEV2_SA_SESSION * -Ikev2SaSessionAlloc ( - IN IPSEC_PRIVATE_DATA *Private, - IN IKE_UDP_SERVICE *UdpService - ); - -/** - Register Establish IKEv2 SA into Private->Ikev2EstablishedList. - - @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION to be registered. - @param[in] Private Pointer to IPSEC_PRAVATE_DATA. - -**/ -VOID -Ikev2SaSessionReg ( - IN IKEV2_SA_SESSION *IkeSaSession, - IN IPSEC_PRIVATE_DATA *Private - ); - -/** - Find a IKEV2_SA_SESSION by the remote peer IP. - - @param[in] SaSessionList SaSession List to be searched. - @param[in] RemotePeerIp Pointer to specified IP address. - - @return Pointer to IKEV2_SA_SESSION if find one or NULL. - -**/ -IKEV2_SA_SESSION * -Ikev2SaSessionLookup ( - IN LIST_ENTRY *SaSessionList, - IN EFI_IP_ADDRESS *RemotePeerIp - ); - -/** - Insert a IKE_SA_SESSION into IkeSaSession list. The IkeSaSession list is= either - Private->Ikev2SaSession list or Private->Ikev2EstablishedList list. - - @param[in] SaSessionList Pointer to list to be inserted into. - @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION to be inserted. - @param[in] RemotePeerIp Pointer to EFI_IP_ADDRESSS to indicate the - unique IKEV2_SA_SESSION. - -**/ -VOID -Ikev2SaSessionInsert ( - IN LIST_ENTRY *SaSessionList, - IN IKEV2_SA_SESSION *IkeSaSession, - IN EFI_IP_ADDRESS *RemotePeerIp - ); - -/** - Remove the SA Session by Remote Peer IP. 
- - @param[in] SaSessionList Pointer to list to be searched. - @param[in] RemotePeerIp Pointer to EFI_IP_ADDRESS to use for SA Sess= ion search. - - @retval Pointer to IKEV2_SA_SESSION with the specified remote IP address. - -**/ -IKEV2_SA_SESSION * -Ikev2SaSessionRemove ( - IN LIST_ENTRY *SaSessionList, - IN EFI_IP_ADDRESS *RemotePeerIp - ); - - -/** - After IKE/Child SA is estiblished, close the time event and free sent pa= cket. - - @param[in] SessionCommon Pointer to a Session Common. - -**/ -VOID -Ikev2SessionCommonRefresh ( - IN IKEV2_SESSION_COMMON *SessionCommon - ); - -/** - Free specified IKEV2 SA Session. - - @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION to be freed. - -**/ -VOID -Ikev2SaSessionFree ( - IN IKEV2_SA_SESSION *IkeSaSession - ); - -/** - Free specified Seession Common. The session common would belong to a IKE= SA or - a Child SA. - - @param[in] SessionCommon Pointer to a Session Common. - -**/ -VOID -Ikev2SaSessionCommonFree ( - IN IKEV2_SESSION_COMMON *SessionCommon - ); - -/** - Increase the MessageID in IkeSaSession. - - @param[in] IkeSaSession Pointer to a specified IKEV2_SA_SESSION. - -**/ -VOID -Ikev2SaSessionIncreaseMessageId ( - IN IKEV2_SA_SESSION *IkeSaSession - ); - -/** - Allocate Momery for IKEV2 Child SA Session. - - @param[in] UdpService Pointer to IKE_UDP_SERVICE. - @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION related to this = Child SA - Session. - - @retval Pointer of a new created IKEV2 Child SA Session. - -**/ -IKEV2_CHILD_SA_SESSION * -Ikev2ChildSaSessionAlloc ( - IN IKE_UDP_SERVICE *UdpService, - IN IKEV2_SA_SESSION *IkeSaSession - ); - -/** - Register a established IKEv2 Child SA into IkeSaSession->ChildSaEstablis= hSessionList. - If the there is IKEV2_CHILD_SA_SESSION with same remote peer IP, remove = the old one - then register the new one. - - @param[in] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION to be regi= stered. - @param[in] Private Pointer to IPSEC_PRAVATE_DATA. 
- -**/ -VOID -Ikev2ChildSaSessionReg ( - IN IKEV2_CHILD_SA_SESSION *ChildSaSession, - IN IPSEC_PRIVATE_DATA *Private - ); - -/** - This function find the Child SA by the specified Spi. - - This functin find a ChildSA session by searching the ChildSaSessionlist = of - the input IKEV2_SA_SESSION by specified MessageID. - - @param[in] SaSessionList Pointer to List to be searched. - @param[in] Spi Specified SPI. - - @return Pointer to IKEV2_CHILD_SA_SESSION. - -**/ -IKEV2_CHILD_SA_SESSION * -Ikev2ChildSaSessionLookupBySpi ( - IN LIST_ENTRY *SaSessionList, - IN UINT32 Spi - ); - - -/** - Insert a Child SA Session into the specified ChildSa list.. - - @param[in] SaSessionList Pointer to list to be inserted in. - @param[in] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION to be inse= rted. - -**/ -VOID -Ikev2ChildSaSessionInsert ( - IN LIST_ENTRY *SaSessionList, - IN IKEV2_CHILD_SA_SESSION *ChildSaSession - ); - -/** - Remove the IKEV2_CHILD_SA_SESSION from IkeSaSessionList. - - @param[in] SaSessionList The SA Session List to be iterated. - @param[in] Spi Spi used to identify the IKEV2_CHILD_SA_S= ESSION. - @param[in] ListType The type of the List to indicate whether = it is a - Established. - - @return The point to IKEV2_CHILD_SA_SESSION. - -**/ -IKEV2_CHILD_SA_SESSION * -Ikev2ChildSaSessionRemove ( - IN LIST_ENTRY *SaSessionList, - IN UINT32 Spi, - IN UINT8 ListType - ); - - -/** - Free the memory located for the specified IKEV2_CHILD_SA_SESSION. - - @param[in] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION. - -**/ -VOID -Ikev2ChildSaSessionFree ( - IN IKEV2_CHILD_SA_SESSION *ChildSaSession - ); - -/** - Free the specified DhBuffer. - - @param[in] DhBuffer Pointer to IKEV2_DH_BUFFER to be freed. - -**/ -VOID -Ikev2DhBufferFree ( - IN IKEV2_DH_BUFFER *DhBuffer - ); - -/** - Delete the specified established Child SA. - - This function delete the Child SA directly and dont send the Information= Packet to - remote peer. 
- - @param[in] IkeSaSession Pointer to a IKE SA Session used to be search= ed for. - @param[in] Spi SPI used to find the Child SA. - - @retval EFI_NOT_FOUND Pointer of IKE SA Session is NULL. - @retval EFI_NOT_FOUND There is no specified Child SA related with t= he input - SPI under this IKE SA Session. - @retval EFI_SUCCESS Delete the Child SA successfully. - -**/ -EFI_STATUS -Ikev2ChildSaSilentDelete ( - IN IKEV2_SA_SESSION *IkeSaSession, - IN UINT32 Spi - ); - -/** - This function is to parse a request IKE packet and return its request ty= pe. - The request type is one of IKE CHILD SA creation, IKE SA rekeying and - IKE CHILD SA rekeying. - - @param[in] IkePacket IKE packet to be prased. - - return the type of the IKE packet. - -**/ -IKEV2_CREATE_CHILD_REQUEST_TYPE -Ikev2ChildExchangeRequestType( - IN IKE_PACKET *IkePacket - ); - - -/** - Associate a SPD selector to the Child SA Session. - - This function is called when the Child SA is not the first child SA of i= ts - IKE SA. It associate a SPD to this Child SA. - - @param[in, out] ChildSaSession Pointer to the Child SA Session to b= e associated to - a SPD selector. - - @retval EFI_SUCCESS Associate one SPD selector to this Child SA S= ession successfully. - @retval EFI_NOT_FOUND Can't find the related SPD selector. - -**/ -EFI_STATUS -Ikev2ChildSaAssociateSpdEntry ( - IN OUT IKEV2_CHILD_SA_SESSION *ChildSaSession - ); - -/** - Validate the IKE header of received IKE packet. - - @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION related to this I= KE packet. - @param[in] IkeHdr Pointer to IKE header of received IKE packet. - - @retval TRUE If the IKE header is valid. - @retval FALSE If the IKE header is invalid. - -**/ -BOOLEAN -Ikev2ValidateHeader ( - IN IKEV2_SA_SESSION *IkeSaSession, - IN IKE_HEADER *IkeHdr - ); - -/** - Create and intialize IKEV2_SA_DATA for speicifed IKEV2_SESSION_COMMON. - - This function will be only called by the initiator. 
The responder's IKEV= 2_SA_DATA - will be generated during parsed the initiator packet. - - @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON related to. - - @retval a Pointer to a new IKEV2_SA_DATA or NULL. - -**/ -IKEV2_SA_DATA * -Ikev2InitializeSaData ( - IN IKEV2_SESSION_COMMON *SessionCommon - ); - -/** - Store the SA into SAD. - - @param[in] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION. - -**/ -VOID -Ikev2StoreSaData ( - IN IKEV2_CHILD_SA_SESSION *ChildSaSession - ); - -/** - Routine process before the payload decoding. - - @param[in] SessionCommon Pointer to ChildSa SessionCommon. - @param[in] PayloadBuf Pointer to the payload. - @param[in] PayloadSize Size of PayloadBuf in byte. - @param[in] PayloadType Type of Payload. - -**/ -VOID -Ikev2ChildSaBeforeDecodePayload ( - IN UINT8 *SessionCommon, - IN UINT8 *PayloadBuf, - IN UINTN PayloadSize, - IN UINT8 PayloadType - ); - -/** - Routine Process after the encode payload. - - @param[in] SessionCommon Pointer to ChildSa SessionCommon. - @param[in] PayloadBuf Pointer to the payload. - @param[in] PayloadSize Size of PayloadBuf in byte. - @param[in] PayloadType Type of Payload. - -**/ -VOID -Ikev2ChildSaAfterEncodePayload ( - IN UINT8 *SessionCommon, - IN UINT8 *PayloadBuf, - IN UINTN PayloadSize, - IN UINT8 PayloadType - ); - -/** - Generate Ikev2 SA payload according to SessionSaData - - @param[in] SessionSaData The data used in SA payload. - @param[in] NextPayload The payload type presented in NextPayload fie= ld of - SA Payload header. - @param[in] Type The SA type. It MUST be neither (1) for IKE_S= A or - (2) for CHILD_SA or (3) for INFO. - - @retval a Pointer to SA IKE payload. - -**/ -IKE_PAYLOAD * -Ikev2GenerateSaPayload ( - IN IKEV2_SA_DATA *SessionSaData, - IN UINT8 NextPayload, - IN IKE_SESSION_TYPE Type - ); - -/** - Generate a ID payload. - - @param[in] CommonSession Pointer to IKEV2_SESSION_COMMON related to ID= payload. 
- @param[in] NextPayload The payload type presented in the NextPayload= field - of ID Payload header. - - @retval Pointer to ID IKE payload. - -**/ -IKE_PAYLOAD * -Ikev2GenerateIdPayload ( - IN IKEV2_SESSION_COMMON *CommonSession, - IN UINT8 NextPayload - ); - -/** - Generate a ID payload. - - @param[in] CommonSession Pointer to IKEV2_SESSION_COMMON related to ID= payload. - @param[in] NextPayload The payload type presented in the NextPayload= field - of ID Payload header. - @param[in] InCert Pointer to the Certificate which distinguishe= d name - will be added into the Id payload. - @param[in] CertSize Size of the Certificate. - - @retval Pointer to ID IKE payload. - -**/ -IKE_PAYLOAD * -Ikev2GenerateCertIdPayload ( - IN IKEV2_SESSION_COMMON *CommonSession, - IN UINT8 NextPayload, - IN UINT8 *InCert, - IN UINTN CertSize - ); - -/** - Generate a Nonce payload contenting the input parameter NonceBuf. - - @param[in] NonceBuf The nonce buffer content the whole Nonce payl= oad block - except the payload header. - @param[in] NonceSize The buffer size of the NonceBuf - @param[in] NextPayload The payload type presented in the NextPayload = field - of Nonce Payload header. - - @retval Pointer to Nonce IKE paload. - -**/ -IKE_PAYLOAD * -Ikev2GenerateNoncePayload ( - IN UINT8 *NonceBuf, - IN UINTN NonceSize, - IN UINT8 NextPayload - ); - -/** - Generate the Notify payload. - - Since the structure of Notify payload which defined in RFC 4306 is simpl= e, so - there is no internal data structure for Notify payload. This function ge= nerate - Notify payload defined in RFC 4306, but all the fields in this payload a= re still - in host order and need call Ikev2EncodePayload() to convert those fields= from - the host order to network order beforing sending it. - - @param[in] ProtocolId The protocol type ID. For IKE_SA it MUST b= e one (1). - For IPsec SAs it MUST be neither (2) for A= H or (3) - for ESP. 
- @param[in] NextPayload The next paylaod type in NextPayload field= of - the Notify payload. - @param[in] SpiSize Size of the SPI in SPI size field of the N= otify Payload. - @param[in] MessageType The message type in NotifyMessageType fiel= d of the - Notify Payload. - @param[in] SpiBuf Pointer to buffer contains the SPI value. - @param[in] NotifyData Pointer to buffer contains the notificatio= n data. - @param[in] NotifyDataSize The size of NotifyData in bytes. - - - @retval Pointer to IKE Notify Payload. - -**/ -IKE_PAYLOAD * -Ikev2GenerateNotifyPayload ( - IN UINT8 ProtocolId, - IN UINT8 NextPayload, - IN UINT8 SpiSize, - IN UINT16 MessageType, - IN UINT8 *SpiBuf, - IN UINT8 *NotifyData, - IN UINTN NotifyDataSize - ); - -/** - Generate the Delete payload. - - Since the structure of Delete payload which defined in RFC 4306 is simpl= e, - there is no internal data structure for Delete payload. This function ge= nerate - Delete payload defined in RFC 4306, but all the fields in this payload a= re still - in host order and need call Ikev2EncodePayload() to convert those fields= from - the host order to network order beforing sending it. - - @param[in] IkeSaSession Pointer to IKE SA Session to be used of De= lete payload generation. - @param[in] NextPayload The next paylaod type in NextPayload field= of - the Delete payload. - @param[in] SpiSize Size of the SPI in SPI size field of the D= elete Payload. - @param[in] SpiNum Number of SPI in NumofSPIs field of the De= lete Payload. - @param[in] SpiBuf Pointer to buffer contains the SPI value. - - @retval Pointer to IKE Delete Payload. - -**/ -IKE_PAYLOAD * -Ikev2GenerateDeletePayload ( - IN IKEV2_SA_SESSION *IkeSaSession, - IN UINT8 NextPayload, - IN UINT8 SpiSize, - IN UINT16 SpiNum, - IN UINT8 *SpiBuf - ); - -/** - Generate the Configuration payload. 
- - This function generates a configuration payload defined in RFC 4306, but= all the - fields in this payload are still in host order and need call Ikev2Encode= Payload() - to convert those fields from the host order to network order beforing se= nding it. - - @param[in] IkeSaSession Pointer to IKE SA Session to be used for D= elete payload - generation. - @param[in] NextPayload The next paylaod type in NextPayload field= of - the Delete payload. - @param[in] CfgType The attribute type in the Configuration at= tribute. - - @retval Pointer to IKE CP Payload. - -**/ -IKE_PAYLOAD * -Ikev2GenerateCpPayload ( - IN IKEV2_SA_SESSION *IkeSaSession, - IN UINT8 NextPayload, - IN UINT8 CfgType - ); - -/** - Generate a Authentication Payload. - - This function is used for both Authentication generation and verificatio= n. When the - IsVerify is TRUE, it create a Auth Data for verification. This function = choose the - related IKE_SA_INIT Message for Auth data creation according to the IKE = Session's type - and the value of IsVerify parameter. - - @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION related to. - @param[in] IdPayload Pointer to the ID payload to be used for Authe= ntication - payload generation. - @param[in] NextPayload The type filled into the Authentication Payloa= d next - payload field. - @param[in] IsVerify If it is TURE, the Authentication payload is u= sed for - verification. - - @return pointer to IKE Authentication payload for pre-shard key method. - -**/ -IKE_PAYLOAD * -Ikev2PskGenerateAuthPayload ( - IN IKEV2_SA_SESSION *IkeSaSession, - IN IKE_PAYLOAD *IdPayload, - IN UINT8 NextPayload, - IN BOOLEAN IsVerify - ); - -/** - Generate a Authentication Payload for Certificate Auth method. - - This function has two functions. One is creating a local Authentication - Payload for sending and other is creating the remote Authentication data - for verification when the IsVerify is TURE. - - @param[in] IkeSaSession Pointer to IKEV2_SA_SESSION related to. 
- @param[in] IdPayload Pointer to the ID payload to be used for A= uthentication - payload generation. - @param[in] NextPayload The type filled into the Authentication Pa= yload - next payload field. - @param[in] IsVerify If it is TURE, the Authentication payload = is used - for verification. - @param[in] UefiPrivateKey Pointer to the UEFI private key. Ignore it= when - verify the authenticate payload. - @param[in] UefiPrivateKeyLen The size of UefiPrivateKey in bytes. Ignor= e it - when verify the authenticate payload. - @param[in] UefiKeyPwd Pointer to the password of UEFI private ke= y. - Ignore it when verify the authenticate pay= load. - @param[in] UefiKeyPwdLen The size of UefiKeyPwd in bytes.Ignore it = when - verify the authenticate payload. - - @return pointer to IKE Authentication payload for certification method. - -**/ -IKE_PAYLOAD * -Ikev2CertGenerateAuthPayload ( - IN IKEV2_SA_SESSION *IkeSaSession, - IN IKE_PAYLOAD *IdPayload, - IN UINT8 NextPayload, - IN BOOLEAN IsVerify, - IN UINT8 *UefiPrivateKey, - IN UINTN UefiPrivateKeyLen, - IN UINT8 *UefiKeyPwd, - IN UINTN UefiKeyPwdLen - ); - -/** - Generate TS payload. - - This function generates TSi or TSr payload according to type of next pay= load. - If the next payload is Responder TS, gereate TSi Payload. Otherwise, gen= erate - TSr payload - - @param[in] ChildSa Pointer to IKEV2_CHILD_SA_SESSION related to t= his TS payload. - @param[in] NextPayload The payload type presented in the NextPayload = field - of ID Payload header. - @param[in] IsTunnel It indicates that if the Ts Payload is after t= he CP payload. - If yes, it means the Tsi and Tsr payload shoul= d be with - Max port range and address range and protocol = is marked - as zero. - - @retval Pointer to Ts IKE payload. - -**/ -IKE_PAYLOAD * -Ikev2GenerateTsPayload ( - IN IKEV2_CHILD_SA_SESSION *ChildSa, - IN UINT8 NextPayload, - IN BOOLEAN IsTunnel - ); - -/** - Parser the Notify Cookie payload. 
- - This function parses the Notify Cookie payload.If the Notify ProtocolId = is not - IPSEC_PROTO_ISAKMP or if the SpiSize is not zero or if the MessageType i= s not - the COOKIE, return EFI_INVALID_PARAMETER. - - @param[in] IkeNCookie Pointer to the IKE_PAYLOAD which contians = the - Notify Cookie payload. - the Notify payload. - @param[in, out] IkeSaSession Pointer to the relevant IKE SA Session. - - @retval EFI_SUCCESS The Notify Cookie Payload is valid. - @retval EFI_INVALID_PARAMETER The Notify Cookie Payload is invalid. - @retval EFI_OUT_OF_RESOURCE The required resource can't be allocated. - -**/ -EFI_STATUS -Ikev2ParserNotifyCookiePayload ( - IN IKE_PAYLOAD *IkeNCookie, - IN OUT IKEV2_SA_SESSION *IkeSaSession - ); - -/** - Generate the Certificate payload or Certificate Request Payload. - - Since the Certificate Payload structure is same with Certificate Request= Payload, - the only difference is that one contains the Certificate Data, other con= tains - the acceptable certificateion CA. This function generate Certificate pay= load - or Certificate Request Payload defined in RFC 4306, but all the fields - in the payload are still in host order and need call Ikev2EncodePayload() - to convert those fields from the host order to network order beforing se= nding it. - - @param[in] IkeSaSession Pointer to IKE SA Session to be used of De= lete payload - generation. - @param[in] NextPayload The next paylaod type in NextPayload field= of - the Delete payload. - @param[in] Certificate Pointer of buffer contains the certificati= on data. - @param[in] CertificateLen The length of Certificate in byte. - @param[in] EncodeType Specified the Certificate Encodeing which = is defined - in RFC 4306. - @param[in] IsRequest To indicate create Certificate Payload or = Certificate - Request Payload. If it is TURE, create Cer= tificate - Request Payload. Otherwise, create Certifi= cate Payload. 
- - @retval a Pointer to IKE Payload whose payload buffer containing the Ce= rtificate - payload or Certificated Request payload. - -**/ -IKE_PAYLOAD * -Ikev2GenerateCertificatePayload ( - IN IKEV2_SA_SESSION *IkeSaSession, - IN UINT8 NextPayload, - IN UINT8 *Certificate, - IN UINTN CertificateLen, - IN UINT8 EncodeType, - IN BOOLEAN IsRequest - ); - -/** - General interface of payload encoding. - - This function encode the internal data structure into payload which - is defined in RFC 4306. The IkePayload->PayloadBuf used to store both th= e input - payload and converted payload. Only the SA payload use the interal struc= ture - to store the attribute. Other payload use structure which is same with t= he RFC - defined, for this kind payloads just do host order to network order chan= ge of - some fields. - - @param[in] SessionCommon Pointer to IKE Session Common used t= o encode the payload. - @param[in, out] IkePayload Pointer to IKE payload to be encode = as input, and - store the encoded result as output. - - @retval EFI_INVALID_PARAMETER Meet error when encode the SA payload. - @retval EFI_SUCCESS Encode successfully. - -**/ -EFI_STATUS -Ikev2EncodePayload ( - IN UINT8 *SessionCommon, - IN OUT IKE_PAYLOAD *IkePayload - ); - -/** - The general interface of decode Payload. - - This function convert the received Payload into internal structure. - - @param[in] SessionCommon Pointer to IKE Session Common to use f= or decoding. - @param[in, out] IkePayload Pointer to IKE payload to be decode as= input, and - store the decoded result as output. - - @retval EFI_INVALID_PARAMETER Meet error when decode the SA payload. - @retval EFI_SUCCESS Decode successfully. - -**/ -EFI_STATUS -Ikev2DecodePayload ( - IN UINT8 *SessionCommon, - IN OUT IKE_PAYLOAD *IkePayload - ); - -/** - Decrypt IKE packet. - - This function decrpt the Encrypted IKE packet and put the result into Ik= ePacket->PayloadBuf. 
- - @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON cont= aining - some parameter used during decryptin= g. - @param[in, out] IkePacket Point to IKE_PACKET to be decrypted = as input, - and the decrypted reslult as output. - @param[in, out] IkeType The type of IKE. IKE_SA_TYPE, IKE_IN= FO_TYPE and - IKE_CHILD_TYPE are supportted. - - @retval EFI_INVALID_PARAMETER If the IKE packet length is zero or t= he - IKE packet length is not Algorithm Bl= ock Size - alignment. - @retval EFI_SUCCESS Decrypt IKE packet successfully. - -**/ -EFI_STATUS -Ikev2DecryptPacket ( - IN IKEV2_SESSION_COMMON *SessionCommon, - IN OUT IKE_PACKET *IkePacket, - IN OUT UINTN IkeType - ); - -/** - Encrypt IKE packet. - - This function encrypt IKE packet before sending it. The Encrypted IKE pa= cket - is put in to IKEV2 Encrypted Payload. - - @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON rela= ted to the IKE packet. - @param[in, out] IkePacket Pointer to IKE packet to be encrypte= d. - - @retval EFI_SUCCESS Operation is successful. - @retval Others OPeration is failed. - -**/ -EFI_STATUS -Ikev2EncryptPacket ( - IN IKEV2_SESSION_COMMON *SessionCommon, - IN OUT IKE_PACKET *IkePacket - ); - -/** - Encode the IKE packet. - - This function put all Payloads into one payload then encrypt it if neede= d. - - @param[in] SessionCommon Pointer to IKEV2_SESSION_COMMON conta= ining - some parameter used during IKE packet= encoding. - @param[in, out] IkePacket Pointer to IKE_PACKET to be encoded a= s input, - and the encoded reslult as output. - @param[in] IkeType The type of IKE. IKE_SA_TYPE, IKE_INF= O_TYPE and - IKE_CHILD_TYPE are supportted. - - @retval EFI_SUCCESS Encode IKE packet successfully. - @retval Otherwise Encode IKE packet failed. - -**/ -EFI_STATUS -Ikev2EncodePacket ( - IN IKEV2_SESSION_COMMON *SessionCommon, - IN OUT IKE_PACKET *IkePacket, - IN UINTN IkeType - ); - -/** - Decode the IKE packet. 
- - This function first decrypts the IKE packet if needed , then separats th= e whole - IKE packet from the IkePacket->PayloadBuf into IkePacket payload list. - - @param[in] SessionCommon Pointer to IKEV1_SESSION_COMMON c= ontaining - some parameter used by IKE packet= decoding. - @param[in, out] IkePacket The IKE Packet to be decoded on i= nput, and - the decoded result on return. - @param[in] IkeType The type of IKE. IKE_SA_TYPE, IKE= _INFO_TYPE and - IKE_CHILD_TYPE are supportted. - - @retval EFI_SUCCESS The IKE packet is decoded success= full. - @retval Otherwise The IKE packet decoding is failed. - -**/ -EFI_STATUS -Ikev2DecodePacket ( - IN IKEV2_SESSION_COMMON *SessionCommon, - IN OUT IKE_PACKET *IkePacket, - IN UINTN IkeType - ); - - -/** - Send out IKEV2 packet. - - @param[in] IkeUdpService Pointer to IKE_UDP_SERVICE used to send th= e IKE packet. - @param[in] SessionCommon Pointer to IKEV1_SESSION_COMMON related to= the IKE packet. - @param[in] IkePacket Pointer to IKE_PACKET to be sent out. - @param[in] IkeType The type of IKE to point what's kind of th= e IKE - packet is to be sent out. IKE_SA_TYPE, IKE= _INFO_TYPE - and IKE_CHILD_TYPE are supportted. - - @retval EFI_SUCCESS The operation complete successfully. - @retval Otherwise The operation is failed. - -**/ -EFI_STATUS -Ikev2SendIkePacket ( - IN IKE_UDP_SERVICE *IkeUdpService, - IN UINT8 *SessionCommon, - IN IKE_PACKET *IkePacket, - IN UINTN IkeType - ); - -/** - Callback function for the IKE life time is over. - - This function will mark the related IKE SA Session as deleting and trigg= er a - Information negotiation. - - @param[in] Event The time out event. - @param[in] Context Pointer to data passed by caller. - -**/ -VOID -EFIAPI -Ikev2LifetimeNotify ( - IN EFI_EVENT Event, - IN VOID *Context - ); - -/** - This function will be called if the TimeOut Event is signaled. - - @param[in] Event The signaled Event. - @param[in] Context The data passed by caller. 
- -**/ -VOID -EFIAPI -Ikev2ResendNotify ( - IN EFI_EVENT Event, - IN VOID *Context - ); - -/** - Generate a Key Exchange payload according to the DH group type and save = the - public Key into IkeSaSession IkeKey field. - - @param[in, out] IkeSaSession Pointer of the IKE_SA_SESSION. - @param[in] NextPayload The payload type presented in the NextPa= yload field of Key - Exchange Payload header. - - @retval Pointer to Key IKE payload. - -**/ -IKE_PAYLOAD * -Ikev2GenerateKePayload ( - IN OUT IKEV2_SA_SESSION *IkeSaSession, - IN UINT8 NextPayload - ); - -/** - Check if the SPD is related to the input Child SA Session. - - This function is the subfunction of Ikev1AssociateSpdEntry(). It is the = call - back function of IpSecVisitConfigData(). - - - @param[in] Type Type of the input Config Selector. - @param[in] Selector Pointer to the Configure Selector to be c= hecked. - @param[in] Data Pointer to the Configure Selector's Data = passed - from the caller. - @param[in] SelectorSize The buffer size of Selector. - @param[in] DataSize The buffer size of the Data. - @param[in] Context The data passed from the caller. It is a = Child - SA Session in this context. - - @retval EFI_SUCCESS The SPD Selector is not related to the Child = SA Session. - @retval EFI_ABORTED The SPD Selector is related to the Child SA s= ession and - set the ChildSaSession->Spd to point to this = SPD Selector. - -**/ -EFI_STATUS -Ikev2MatchSpdEntry ( - IN EFI_IPSEC_CONFIG_DATA_TYPE Type, - IN EFI_IPSEC_CONFIG_SELECTOR *Selector, - IN VOID *Data, - IN UINTN SelectorSize, - IN UINTN DataSize, - IN VOID *Context - ); - -/** - Check if the Algorithm ID is supported. - - @param[in] AlgorithmId The specified Algorithm ID. - @param[in] Type The type used to indicate the Algorithm is for E= ncrypt or - Authentication. - - @retval TRUE If the Algorithm ID is supported. - @retval FALSE If the Algorithm ID is not supported. 
- -**/ -BOOLEAN -Ikev2IsSupportAlg ( - IN UINT16 AlgorithmId, - IN UINT8 Type - ); - -/** - Generate a ChildSa Session and insert it into related IkeSaSession. - - @param[in] IkeSaSession Pointer to related IKEV2_SA_SESSION. - @param[in] UdpService Pointer to related IKE_UDP_SERVICE. - - @return pointer of IKEV2_CHILD_SA_SESSION. - -**/ -IKEV2_CHILD_SA_SESSION * -Ikev2ChildSaSessionCreate ( - IN IKEV2_SA_SESSION *IkeSaSession, - IN IKE_UDP_SERVICE *UdpService - ) ; - -/** - Parse the received Initial Exchange Packet. - - This function parse the SA Payload and Key Payload to find out the crypt= ographic - suite for the further IKE negotiation and fill it into the IKE SA Sessio= n's - CommonSession->SaParams. - - @param[in, out] IkeSaSession Pointer to related IKEV2_SA_SESSION. - @param[in] SaPayload The received packet. - @param[in] Type The received packet IKE header flag. - - @retval TRUE If the SA proposal in Packet is acceptabl= e. - @retval FALSE If the SA proposal in Packet is not accep= table. - -**/ -BOOLEAN -Ikev2SaParseSaPayload ( - IN OUT IKEV2_SA_SESSION *IkeSaSession, - IN IKE_PAYLOAD *SaPayload, - IN UINT8 Type - ); - -/** - Parse the received Authentication Exchange Packet. - - This function parse the SA Payload and Key Payload to find out the crypt= ographic - suite for the ESP and fill it into the Child SA Session's CommonSession-= >SaParams. - - @param[in, out] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION relat= ed to - this Authentication Exchange. - @param[in] SaPayload The received packet. - @param[in] Type The IKE header's flag of received packe= t . - - @retval TRUE If the SA proposal in Packet is accepta= ble. - @retval FALSE If the SA proposal in Packet is not acc= eptable. - -**/ -BOOLEAN -Ikev2ChildSaParseSaPayload ( - IN OUT IKEV2_CHILD_SA_SESSION *ChildSaSession, - IN IKE_PAYLOAD *SaPayload, - IN UINT8 Type - ); - -/** - Generate Key buffer from fragments. 
- - If the digest length of specified HashAlgId is larger than or equal with= the - required output key length, derive the key directly. Otherwise, Key Mate= rial - needs to be PRF-based concatenation according to 2.13 of RFC 4306: - prf+ (K,S) =3D T1 | T2 | T3 | T4 | ..., T1 =3D prf (K, S | 0x01), - T2 =3D prf (K, T1 | S | 0x02), T3 =3D prf (K, T2 | S | 0x03),T4 =3D prf = (K, T3 | S | 0x04) - then derive the key from this key material. - - @param[in] HashAlgId The Hash Algorithm ID used to generate= key. - @param[in] HashKey Pointer to a key buffer which contains= hash key. - @param[in] HashKeyLength The length of HashKey in bytes. - @param[in, out] OutputKey Pointer to buffer which is used to rec= eive the - output key. - @param[in] OutputKeyLength The length of OutPutKey buffer. - @param[in] Fragments Pointer to the data to be used to gene= rate key. - @param[in] NumFragments The numbers of the Fragement. - - @retval EFI_SUCCESS The operation complete successfully. - @retval EFI_INVALID_PARAMETER If NumFragments is zero. - @retval EFI_OUT_OF_RESOURCES If the required resource can't be allocat= ed. - @retval Others The operation is failed. - -**/ -EFI_STATUS -Ikev2SaGenerateKey ( - IN UINT8 HashAlgId, - IN UINT8 *HashKey, - IN UINTN HashKeyLength, - IN OUT UINT8 *OutputKey, - IN UINTN OutputKeyLength, - IN PRF_DATA_FRAGMENT *Fragments, - IN UINTN NumFragments - ); - -/** - Copy ChildSaSession->Spd->Selector to ChildSaSession->SpdSelector. - - ChildSaSession->SpdSelector stores the real Spdselector for its SA. Some= time, - the SpdSelector in ChildSaSession is more accurated or the scope is smal= ler - than the one in ChildSaSession->Spd, especially for the tunnel mode. - - @param[in, out] ChildSaSession Pointer to IKEV2_CHILD_SA_SESSION relat= ed to. - - @retval EFI_SUCCESS The operation complete successfully. - @retval EFI_OUT_OF_RESOURCES If the required resource can't be allocat= ed. 
- -**/ -EFI_STATUS -Ikev2ChildSaSessionSpdSelectorCreate ( - IN OUT IKEV2_CHILD_SA_SESSION *ChildSaSession - ); - -extern IKE_ALG_GUID_INFO mIPsecEncrAlgInfo[]; -#endif - diff --git a/NetworkPkg/IpSecDxe/IpSecConfigImpl.c b/NetworkPkg/IpSecDxe/Ip= SecConfigImpl.c deleted file mode 100644 index 74745519a0..0000000000 --- a/NetworkPkg/IpSecDxe/IpSecConfigImpl.c +++ /dev/null @@ -1,3156 +0,0 @@ -/** @file - The implementation of IPSEC_CONFIG_PROTOCOL. - - Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
- - SPDX-License-Identifier: BSD-2-Clause-Patent - -**/ - -#include "IpSecConfigImpl.h" -#include "IpSecDebug.h" - -LIST_ENTRY mConfigData[IPsecConfigDataTypeMaximum]; -BOOLEAN mSetBySelf =3D FALSE; - -// -// Common CompareSelector routine entry for SPD/SAD/PAD. -// -IPSEC_COMPARE_SELECTOR mCompareSelector[] =3D { - (IPSEC_COMPARE_SELECTOR) CompareSpdSelector, - (IPSEC_COMPARE_SELECTOR) CompareSaId, - (IPSEC_COMPARE_SELECTOR) ComparePadId -}; - -// -// Common IsZeroSelector routine entry for SPD/SAD/PAD. -// -IPSEC_IS_ZERO_SELECTOR mIsZeroSelector[] =3D { - (IPSEC_IS_ZERO_SELECTOR) IsZeroSpdSelector, - (IPSEC_IS_ZERO_SELECTOR) IsZeroSaId, - (IPSEC_IS_ZERO_SELECTOR) IsZeroPadId -}; - -// -// Common DuplicateSelector routine entry for SPD/SAD/PAD. -// -IPSEC_DUPLICATE_SELECTOR mDuplicateSelector[] =3D { - (IPSEC_DUPLICATE_SELECTOR) DuplicateSpdSelector, - (IPSEC_DUPLICATE_SELECTOR) DuplicateSaId, - (IPSEC_DUPLICATE_SELECTOR) DuplicatePadId -}; - -// -// Common FixPolicyEntry routine entry for SPD/SAD/PAD. -// -IPSEC_FIX_POLICY_ENTRY mFixPolicyEntry[] =3D { - (IPSEC_FIX_POLICY_ENTRY) FixSpdEntry, - (IPSEC_FIX_POLICY_ENTRY) FixSadEntry, - (IPSEC_FIX_POLICY_ENTRY) FixPadEntry -}; - -// -// Common UnfixPolicyEntry routine entry for SPD/SAD/PAD. -// -IPSEC_FIX_POLICY_ENTRY mUnfixPolicyEntry[] =3D { - (IPSEC_FIX_POLICY_ENTRY) UnfixSpdEntry, - (IPSEC_FIX_POLICY_ENTRY) UnfixSadEntry, - (IPSEC_FIX_POLICY_ENTRY) UnfixPadEntry -}; - -// -// Common SetPolicyEntry routine entry for SPD/SAD/PAD. -// -IPSEC_SET_POLICY_ENTRY mSetPolicyEntry[] =3D { - (IPSEC_SET_POLICY_ENTRY) SetSpdEntry, - (IPSEC_SET_POLICY_ENTRY) SetSadEntry, - (IPSEC_SET_POLICY_ENTRY) SetPadEntry -}; - -// -// Common GetPolicyEntry routine entry for SPD/SAD/PAD. -// -IPSEC_GET_POLICY_ENTRY mGetPolicyEntry[] =3D { - (IPSEC_GET_POLICY_ENTRY) GetSpdEntry, - (IPSEC_GET_POLICY_ENTRY) GetSadEntry, - (IPSEC_GET_POLICY_ENTRY) GetPadEntry -}; - -// -// Routine entry for IpSecConfig protocol. 
-// -EFI_IPSEC_CONFIG_PROTOCOL mIpSecConfigInstance =3D { - EfiIpSecConfigSetData, - EfiIpSecConfigGetData, - EfiIpSecConfigGetNextSelector, - EfiIpSecConfigRegisterNotify, - EfiIpSecConfigUnregisterNotify -}; - -/** - Get the all IPSec configuration variables and store those variables - to the internal data structure. - - This founction is called by IpSecConfigInitialize() that is to intialize= the - IPsecConfiguration Protocol. - - @param[in] Private Point to IPSEC_PRIVATE_DATA. - - @retval EFI_OUT_OF_RESOURCES The required system resource could not be= allocated. - @retval EFI_SUCCESS Restore the IPsec Configuration successfu= lly. - @retval others Other errors is found during the variable= getting. - -**/ -EFI_STATUS -IpSecConfigRestore ( - IN IPSEC_PRIVATE_DATA *Private - ); - -/** - Check if the specified EFI_IP_ADDRESS_INFO is in EFI_IP_ADDRESS_INFO lis= t. - - @param[in] AddressInfo Pointer of IP_ADDRESS_INFO to be search= in AddressInfo list. - @param[in] AddressInfoList A list that contains IP_ADDRESS_INFOs. - @param[in] AddressCount Point out how many IP_ADDRESS_INFO in t= he list. - - @retval TRUE The specified AddressInfo is in the AddressInfoList. - @retval FALSE The specified AddressInfo is not in the AddressInfoList. - -**/ -BOOLEAN -IsInAddressInfoList( - IN EFI_IP_ADDRESS_INFO *AddressInfo, - IN EFI_IP_ADDRESS_INFO *AddressInfoList, - IN UINT32 AddressCount - ) -{ - UINT8 Index; - EFI_IP_ADDRESS ZeroAddress; - - ZeroMem(&ZeroAddress, sizeof (EFI_IP_ADDRESS)); - - // - // Zero Address means any address is matched. 
- // - if (AddressCount =3D=3D 1) { - if (CompareMem ( - &AddressInfoList[0].Address, - &ZeroAddress, - sizeof (EFI_IP_ADDRESS) - ) =3D=3D 0) { - return TRUE; - } - } - for (Index =3D 0; Index < AddressCount ; Index++) { - if (CompareMem ( - AddressInfo, - &AddressInfoList[Index].Address, - sizeof (EFI_IP_ADDRESS) - ) =3D=3D 0 && - AddressInfo->PrefixLength =3D=3D AddressInfoList[Index].PrefixLe= ngth - ) { - return TRUE; - } - } - return FALSE; -} - -/** - Compare two SPD Selectors. - - Compare two SPD Selector by the fields of LocalAddressCount/RemoteAddres= sCount/ - NextLayerProtocol/LocalPort/LocalPortRange/RemotePort/RemotePortRange an= d the - Local Addresses and remote Addresses. - - @param[in] Selector1 Pointer of first SPD Selector. - @param[in] Selector2 Pointer of second SPD Selector. - - @retval TRUE This two Selector have the same value in above fields. - @retval FALSE Not all above fields have the same value in these two S= electors. - -**/ -BOOLEAN -CompareSpdSelector ( - IN EFI_IPSEC_CONFIG_SELECTOR *Selector1, - IN EFI_IPSEC_CONFIG_SELECTOR *Selector2 - ) -{ - EFI_IPSEC_SPD_SELECTOR *SpdSel1; - EFI_IPSEC_SPD_SELECTOR *SpdSel2; - BOOLEAN IsMatch; - UINTN Index; - - SpdSel1 =3D &Selector1->SpdSelector; - SpdSel2 =3D &Selector2->SpdSelector; - IsMatch =3D TRUE; - - // - // Compare the LocalAddressCount/RemoteAddressCount/NextLayerProtocol/ - // LocalPort/LocalPortRange/RemotePort/RemotePortRange fields in the - // two Spdselectors. Since the SPD supports two directions, it needs to - // compare two directions. 
- // - if ((SpdSel1->LocalAddressCount !=3D SpdSel2->LocalAddressCount && - SpdSel1->LocalAddressCount !=3D SpdSel2->RemoteAddressCount) || - (SpdSel1->RemoteAddressCount !=3D SpdSel2->RemoteAddressCount && - SpdSel1->RemoteAddressCount !=3D SpdSel2->LocalAddressCount) || - SpdSel1->NextLayerProtocol !=3D SpdSel2->NextLayerProtocol || - SpdSel1->LocalPort !=3D SpdSel2->LocalPort || - SpdSel1->LocalPortRange !=3D SpdSel2->LocalPortRange || - SpdSel1->RemotePort !=3D SpdSel2->RemotePort || - SpdSel1->RemotePortRange !=3D SpdSel2->RemotePortRange - ) { - IsMatch =3D FALSE; - return IsMatch; - } - - // - // Compare the all LocalAddress and RemoteAddress fields in the two Spds= electors. - // First, SpdSel1->LocalAddress to SpdSel2->LocalAddress && Compare - // SpdSel1->RemoteAddress to SpdSel2->RemoteAddress. If all match, return - // TRUE. - // - for (Index =3D 0; Index < SpdSel1->LocalAddressCount; Index++) { - if (!IsInAddressInfoList ( - &SpdSel1->LocalAddress[Index], - SpdSel2->LocalAddress, - SpdSel2->LocalAddressCount - )) { - IsMatch =3D FALSE; - break; - } - } - if (IsMatch) { - for (Index =3D 0; Index < SpdSel2->LocalAddressCount; Index++) { - if (!IsInAddressInfoList ( - &SpdSel2->LocalAddress[Index], - SpdSel1->LocalAddress, - SpdSel1->LocalAddressCount - )) { - IsMatch =3D FALSE; - break; - } - } - } - if (IsMatch) { - for (Index =3D 0; Index < SpdSel1->RemoteAddressCount; Index++) { - if (!IsInAddressInfoList ( - &SpdSel1->RemoteAddress[Index], - SpdSel2->RemoteAddress, - SpdSel2->RemoteAddressCount - )) { - IsMatch =3D FALSE; - break; - } - } - } - if (IsMatch) { - for (Index =3D 0; Index < SpdSel2->RemoteAddressCount; Index++) { - if (!IsInAddressInfoList ( - &SpdSel2->RemoteAddress[Index], - SpdSel1->RemoteAddress, - SpdSel1->RemoteAddressCount - )) { - IsMatch =3D FALSE; - break; - } - } - } - // - // Finish the one direction compare. If it is matched, return; otherwise, - // compare the other direction. 
- // - if (IsMatch) { - return IsMatch; - } - // - // Secondly, the SpdSel1->LocalAddress doesn't equal to SpdSel2->LocalA= ddress and - // SpdSel1->RemoteAddress doesn't equal to SpdSel2->RemoteAddress. Try t= o compare - // the RemoteAddress to LocalAddress. - // - IsMatch =3D TRUE; - for (Index =3D 0; Index < SpdSel1->RemoteAddressCount; Index++) { - if (!IsInAddressInfoList ( - &SpdSel1->RemoteAddress[Index], - SpdSel2->LocalAddress, - SpdSel2->LocalAddressCount - )) { - IsMatch =3D FALSE; - break; - } - } - if (IsMatch) { - for (Index =3D 0; Index < SpdSel2->RemoteAddressCount; Index++) { - if (!IsInAddressInfoList ( - &SpdSel2->RemoteAddress[Index], - SpdSel1->LocalAddress, - SpdSel1->LocalAddressCount - )) { - IsMatch =3D FALSE; - break; - } - } - } - if (IsMatch) { - for (Index =3D 0; Index < SpdSel1->LocalAddressCount; Index++) { - if (!IsInAddressInfoList ( - &SpdSel1->LocalAddress[Index], - SpdSel2->RemoteAddress, - SpdSel2->RemoteAddressCount - )) { - IsMatch =3D FALSE; - break; - } - } - } - if (IsMatch) { - for (Index =3D 0; Index < SpdSel2->LocalAddressCount; Index++) { - if (!IsInAddressInfoList ( - &SpdSel2->LocalAddress[Index], - SpdSel1->RemoteAddress, - SpdSel1->RemoteAddressCount - )) { - IsMatch =3D FALSE; - break; - } - } - } - return IsMatch; -} - -/** - Find if the two SPD Selectors has subordinative. - - Compare two SPD Selector by the fields of LocalAddressCount/RemoteAddres= sCount/ - NextLayerProtocol/LocalPort/LocalPortRange/RemotePort/RemotePortRange an= d the - Local Addresses and remote Addresses. - - @param[in] Selector1 Pointer of first SPD Selector. - @param[in] Selector2 Pointer of second SPD Selector. - - @retval TRUE The first SPD Selector is subordinate Selector of secon= d SPD Selector. - @retval FALSE The first SPD Selector is not subordinate Selector of s= econd - SPD Selector. 
- -**/ -BOOLEAN -IsSubSpdSelector ( - IN EFI_IPSEC_CONFIG_SELECTOR *Selector1, - IN EFI_IPSEC_CONFIG_SELECTOR *Selector2 - ) -{ - EFI_IPSEC_SPD_SELECTOR *SpdSel1; - EFI_IPSEC_SPD_SELECTOR *SpdSel2; - BOOLEAN IsMatch; - UINTN Index; - - SpdSel1 =3D &Selector1->SpdSelector; - SpdSel2 =3D &Selector2->SpdSelector; - IsMatch =3D TRUE; - - // - // Compare the LocalAddressCount/RemoteAddressCount/NextLayerProtocol/ - // LocalPort/LocalPortRange/RemotePort/RemotePortRange fields in the - // two Spdselectors. Since the SPD supports two directions, it needs to - // compare two directions. - // - if (SpdSel1->LocalAddressCount > SpdSel2->LocalAddressCount || - SpdSel1->RemoteAddressCount > SpdSel2->RemoteAddressCount || - (SpdSel1->NextLayerProtocol !=3D SpdSel2->NextLayerProtocol && SpdSe= l2->NextLayerProtocol !=3D 0xffff) || - (SpdSel1->LocalPort > SpdSel2->LocalPort && SpdSel2->LocalPort !=3D = 0)|| - (SpdSel1->LocalPortRange > SpdSel2->LocalPortRange && SpdSel1->Local= Port !=3D 0)|| - (SpdSel1->RemotePort > SpdSel2->RemotePort && SpdSel2->RemotePort != =3D 0) || - (SpdSel1->RemotePortRange > SpdSel2->RemotePortRange && SpdSel2->Rem= otePort !=3D 0) - ) { - IsMatch =3D FALSE; - } - - // - // Compare the all LocalAddress and RemoteAddress fields in the two Spds= electors. - // First, SpdSel1->LocalAddress to SpdSel2->LocalAddress && Compare - // SpdSel1->RemoteAddress to SpdSel2->RemoteAddress. If all match, return - // TRUE. 
- // - if (IsMatch) { - for (Index =3D 0; Index < SpdSel1->LocalAddressCount; Index++) { - if (!IsInAddressInfoList ( - &SpdSel1->LocalAddress[Index], - SpdSel2->LocalAddress, - SpdSel2->LocalAddressCount - )) { - IsMatch =3D FALSE; - break; - } - } - - if (IsMatch) { - for (Index =3D 0; Index < SpdSel1->RemoteAddressCount; Index++) { - if (!IsInAddressInfoList ( - &SpdSel1->RemoteAddress[Index], - SpdSel2->RemoteAddress, - SpdSel2->RemoteAddressCount - )) { - IsMatch =3D FALSE; - break; - } - } - } - } - if (IsMatch) { - return IsMatch; - } - - // - // - // The SPD selector in SPD entry is two way. - // - // Compare the LocalAddressCount/RemoteAddressCount/NextLayerProtocol/ - // LocalPort/LocalPortRange/RemotePort/RemotePortRange fields in the - // two Spdselectors. Since the SPD supports two directions, it needs to - // compare two directions. - // - IsMatch =3D TRUE; - if (SpdSel1->LocalAddressCount > SpdSel2->RemoteAddressCount || - SpdSel1->RemoteAddressCount > SpdSel2->LocalAddressCount || - (SpdSel1->NextLayerProtocol !=3D SpdSel2->NextLayerProtocol && SpdSe= l2->NextLayerProtocol !=3D 0xffff) || - (SpdSel1->LocalPort > SpdSel2->RemotePort && SpdSel2->RemotePort != =3D 0)|| - (SpdSel1->LocalPortRange > SpdSel2->RemotePortRange && SpdSel1->Remo= tePort !=3D 0)|| - (SpdSel1->RemotePort > SpdSel2->LocalPort && SpdSel2->LocalPort !=3D= 0) || - (SpdSel1->RemotePortRange > SpdSel2->LocalPortRange && SpdSel2->Loca= lPort !=3D 0) - ) { - IsMatch =3D FALSE; - return IsMatch; - } - - // - // Compare the all LocalAddress and RemoteAddress fields in the two Spds= electors. - // First, SpdSel1->LocalAddress to SpdSel2->RemoteAddress && Compare - // SpdSel1->RemoteAddress to SpdSel2->LocalAddress. If all match, return - // TRUE. 
- // - for (Index =3D 0; Index < SpdSel1->LocalAddressCount; Index++) { - if (!IsInAddressInfoList ( - &SpdSel1->LocalAddress[Index], - SpdSel2->RemoteAddress, - SpdSel2->RemoteAddressCount - )) { - IsMatch =3D FALSE; - break; - } - } - - if (IsMatch) { - for (Index =3D 0; Index < SpdSel1->RemoteAddressCount; Index++) { - if (!IsInAddressInfoList ( - &SpdSel1->RemoteAddress[Index], - SpdSel2->LocalAddress, - SpdSel2->LocalAddressCount - )) { - IsMatch =3D FALSE; - break; - } - } - } - return IsMatch; - -} - -/** - Compare two SA IDs. - - @param[in] Selector1 Pointer of first SA ID. - @param[in] Selector2 Pointer of second SA ID. - - @retval TRUE This two Selectors have the same SA ID. - @retval FALSE This two Selecotrs don't have the same SA ID. - -**/ -BOOLEAN -CompareSaId ( - IN EFI_IPSEC_CONFIG_SELECTOR *Selector1, - IN EFI_IPSEC_CONFIG_SELECTOR *Selector2 - ) -{ - EFI_IPSEC_SA_ID *SaId1; - EFI_IPSEC_SA_ID *SaId2; - BOOLEAN IsMatch; - - SaId1 =3D &Selector1->SaId; - SaId2 =3D &Selector2->SaId; - IsMatch =3D TRUE; - - if (CompareMem (SaId1, SaId2, sizeof (EFI_IPSEC_SA_ID)) !=3D 0) { - IsMatch =3D FALSE; - } - - return IsMatch; -} - -/** - Compare two PAD IDs. - - @param[in] Selector1 Pointer of first PAD ID. - @param[in] Selector2 Pointer of second PAD ID. - - @retval TRUE This two Selectors have the same PAD ID. - @retval FALSE This two Selecotrs don't have the same PAD ID. - -**/ -BOOLEAN -ComparePadId ( - IN EFI_IPSEC_CONFIG_SELECTOR *Selector1, - IN EFI_IPSEC_CONFIG_SELECTOR *Selector2 - ) -{ - EFI_IPSEC_PAD_ID *PadId1; - EFI_IPSEC_PAD_ID *PadId2; - BOOLEAN IsMatch; - - PadId1 =3D &Selector1->PadId; - PadId2 =3D &Selector2->PadId; - IsMatch =3D TRUE; - - // - // Compare the PeerIdValid fields in PadId. - // - if (PadId1->PeerIdValid !=3D PadId2->PeerIdValid) { - IsMatch =3D FALSE; - } - // - // Compare the PeerId fields in PadId if PeerIdValid is true. 
- // - if (IsMatch && - PadId1->PeerIdValid && - AsciiStriCmp ((CONST CHAR8 *) PadId1->Id.PeerId, (CONST CHAR8 *) Pad= Id2->Id.PeerId) !=3D 0 - ) { - IsMatch =3D FALSE; - } - // - // Compare the IpAddress fields in PadId if PeerIdValid is false. - // - if (IsMatch && - !PadId1->PeerIdValid && - (PadId1->Id.IpAddress.PrefixLength !=3D PadId2->Id.IpAddress.PrefixL= ength || - CompareMem (&PadId1->Id.IpAddress.Address, &PadId2->Id.IpAddress.Ad= dress, sizeof (EFI_IP_ADDRESS)) !=3D 0) - ) { - IsMatch =3D FALSE; - } - - return IsMatch; -} - -/** - Check if the SPD Selector is Zero by its LocalAddressCount and RemoteAdd= ressCount - fields. - - @param[in] Selector Pointer of the SPD Selector. - - @retval TRUE If the SPD Selector is Zero. - @retval FALSE If the SPD Selector is not Zero. - -**/ -BOOLEAN -IsZeroSpdSelector ( - IN EFI_IPSEC_CONFIG_SELECTOR *Selector - ) -{ - EFI_IPSEC_SPD_SELECTOR *SpdSel; - BOOLEAN IsZero; - - SpdSel =3D &Selector->SpdSelector; - IsZero =3D FALSE; - - if (SpdSel->LocalAddressCount =3D=3D 0 && SpdSel->RemoteAddressCount =3D= =3D 0) { - IsZero =3D TRUE; - } - - return IsZero; -} - -/** - Check if the SA ID is Zero by its DestAddress. - - @param[in] Selector Pointer of the SA ID. - - @retval TRUE If the SA ID is Zero. - @retval FALSE If the SA ID is not Zero. - -**/ -BOOLEAN -IsZeroSaId ( - IN EFI_IPSEC_CONFIG_SELECTOR *Selector - ) -{ - BOOLEAN IsZero; - EFI_IPSEC_CONFIG_SELECTOR ZeroSelector; - - IsZero =3D FALSE; - - ZeroMem (&ZeroSelector, sizeof (EFI_IPSEC_CONFIG_SELECTOR)); - - if (CompareMem (&ZeroSelector, Selector, sizeof (EFI_IPSEC_CONFIG_SELECT= OR)) =3D=3D 0) { - IsZero =3D TRUE; - } - - return IsZero; -} - -/** - Check if the PAD ID is Zero. - - @param[in] Selector Pointer of the PAD ID. - - @retval TRUE If the PAD ID is Zero. - @retval FALSE If the PAD ID is not Zero. 
- -**/ -BOOLEAN -IsZeroPadId ( - IN EFI_IPSEC_CONFIG_SELECTOR *Selector - ) -{ - EFI_IPSEC_PAD_ID *PadId; - EFI_IPSEC_PAD_ID ZeroId; - BOOLEAN IsZero; - - PadId =3D &Selector->PadId; - IsZero =3D FALSE; - - ZeroMem (&ZeroId, sizeof (EFI_IPSEC_PAD_ID)); - - if (CompareMem (PadId, &ZeroId, sizeof (EFI_IPSEC_PAD_ID)) =3D=3D 0) { - IsZero =3D TRUE; - } - - return IsZero; -} - -/** - Copy Source SPD Selector to the Destination SPD Selector. - - @param[in, out] DstSel Pointer of Destination SPD Selector. - @param[in] SrcSel Pointer of Source SPD Selector. - @param[in, out] Size The size of the Destination SPD Selec= tor. If it - not NULL and its value less than the = size of - Source SPD Selector, the value of Sou= rce SPD - Selector's size will be passed to cal= ler by this - parameter. - - @retval EFI_INVALID_PARAMETER If the Destination or Source SPD Selector= is NULL - @retval EFI_BUFFER_TOO_SMALL If the input Size is less than size of th= e Source SPD Selector. - @retval EFI_SUCCESS Copy Source SPD Selector to the Destinati= on SPD - Selector successfully. - -**/ -EFI_STATUS -DuplicateSpdSelector ( - IN OUT EFI_IPSEC_CONFIG_SELECTOR *DstSel, - IN EFI_IPSEC_CONFIG_SELECTOR *SrcSel, - IN OUT UINTN *Size - ) -{ - EFI_IPSEC_SPD_SELECTOR *Dst; - EFI_IPSEC_SPD_SELECTOR *Src; - - Dst =3D &DstSel->SpdSelector; - Src =3D &SrcSel->SpdSelector; - - if (Dst =3D=3D NULL || Src =3D=3D NULL) { - return EFI_INVALID_PARAMETER; - } - - if (Size !=3D NULL && (*Size) < SIZE_OF_SPD_SELECTOR (Src)) { - *Size =3D SIZE_OF_SPD_SELECTOR (Src); - return EFI_BUFFER_TOO_SMALL; - } - // - // Copy the base structure of SPD selector. - // - CopyMem (Dst, Src, sizeof (EFI_IPSEC_SPD_SELECTOR)); - - // - // Copy the local address array of SPD selector. - // - Dst->LocalAddress =3D (EFI_IP_ADDRESS_INFO *) (Dst + 1); - CopyMem ( - Dst->LocalAddress, - Src->LocalAddress, - sizeof (EFI_IP_ADDRESS_INFO) * Dst->LocalAddressCount - ); - - // - // Copy the remote address array of SPD selector. 
- // - Dst->RemoteAddress =3D Dst->LocalAddress + Dst->LocalAddressCount; - CopyMem ( - Dst->RemoteAddress, - Src->RemoteAddress, - sizeof (EFI_IP_ADDRESS_INFO) * Dst->RemoteAddressCount - ); - - return EFI_SUCCESS; -} - -/** - Copy Source SA ID to the Destination SA ID. - - @param[in, out] DstSel Pointer of Destination SA ID. - @param[in] SrcSel Pointer of Source SA ID. - @param[in, out] Size The size of the Destination SA ID. If= it - not NULL and its value less than the = size of - Source SA ID, the value of Source SA = ID's size - will be passed to caller by this para= meter. - - @retval EFI_INVALID_PARAMETER If the Destination or Source SA ID is NUL= L. - @retval EFI_BUFFER_TOO_SMALL If the input Size less than size of sourc= e SA ID. - @retval EFI_SUCCESS Copy Source SA ID to the Destination SA = ID successfully. - -**/ -EFI_STATUS -DuplicateSaId ( - IN OUT EFI_IPSEC_CONFIG_SELECTOR *DstSel, - IN EFI_IPSEC_CONFIG_SELECTOR *SrcSel, - IN OUT UINTN *Size - ) -{ - EFI_IPSEC_SA_ID *Dst; - EFI_IPSEC_SA_ID *Src; - - Dst =3D &DstSel->SaId; - Src =3D &SrcSel->SaId; - - if (Dst =3D=3D NULL || Src =3D=3D NULL) { - return EFI_INVALID_PARAMETER; - } - - if (Size !=3D NULL && *Size < sizeof (EFI_IPSEC_SA_ID)) { - *Size =3D sizeof (EFI_IPSEC_SA_ID); - return EFI_BUFFER_TOO_SMALL; - } - - CopyMem (Dst, Src, sizeof (EFI_IPSEC_SA_ID)); - - return EFI_SUCCESS; -} - -/** - Copy Source PAD ID to the Destination PAD ID. - - @param[in, out] DstSel Pointer of Destination PAD ID. - @param[in] SrcSel Pointer of Source PAD ID. - @param[in, out] Size The size of the Destination PAD ID. I= f it - not NULL and its value less than the = size of - Source PAD ID, the value of Source PA= D ID's size - will be passed to caller by this para= meter. - - @retval EFI_INVALID_PARAMETER If the Destination or Source PAD ID is NU= LL. - @retval EFI_BUFFER_TOO_SMALL If the input Size less than size of sourc= e PAD ID . - @retval EFI_SUCCESS Copy Source PAD ID to the Destination PA= D ID successfully. 
- -**/ -EFI_STATUS -DuplicatePadId ( - IN OUT EFI_IPSEC_CONFIG_SELECTOR *DstSel, - IN EFI_IPSEC_CONFIG_SELECTOR *SrcSel, - IN OUT UINTN *Size - ) -{ - EFI_IPSEC_PAD_ID *Dst; - EFI_IPSEC_PAD_ID *Src; - - Dst =3D &DstSel->PadId; - Src =3D &SrcSel->PadId; - - if (Dst =3D=3D NULL || Src =3D=3D NULL) { - return EFI_INVALID_PARAMETER; - } - - if (Size !=3D NULL && *Size < sizeof (EFI_IPSEC_PAD_ID)) { - *Size =3D sizeof (EFI_IPSEC_PAD_ID); - return EFI_BUFFER_TOO_SMALL; - } - - CopyMem (Dst, Src, sizeof (EFI_IPSEC_PAD_ID)); - - return EFI_SUCCESS; -} - -/** - Fix the value of some members of SPD Selector. - - This function is called by IpSecCopyPolicyEntry()which copy the Policy - Entry into the Variable. Since some members in SPD Selector are pointers, - a physical address to relative address convertion is required before cop= ying - this SPD entry into the variable. - - @param[in] Selector Pointer of SPD Selector. - @param[in, out] Data Pointer of SPD Data. - -**/ -VOID -FixSpdEntry ( - IN EFI_IPSEC_SPD_SELECTOR *Selector, - IN OUT EFI_IPSEC_SPD_DATA *Data - ) -{ - // - // It assumes that all ref buffers in SPD selector and data are - // stored in the continous memory and close to the base structure. - // - FIX_REF_BUF_ADDR (Selector->LocalAddress, Selector); - FIX_REF_BUF_ADDR (Selector->RemoteAddress, Selector); - - if (Data->ProcessingPolicy !=3D NULL) { - if (Data->ProcessingPolicy->TunnelOption !=3D NULL) { - FIX_REF_BUF_ADDR (Data->ProcessingPolicy->TunnelOption, Data); - } - - FIX_REF_BUF_ADDR (Data->ProcessingPolicy, Data); - } - -} - -/** - Fix the value of some members of SA ID. - - This function is called by IpSecCopyPolicyEntry()which copy the Policy - Entry into the Variable. Since some members in SA ID are pointers, - a physical address to relative address conversion is required before cop= ying - this SAD into the variable. - - @param[in] SaId Pointer of SA ID - @param[in, out] Data Pointer of SA Data. 
- -**/ -VOID -FixSadEntry ( - IN EFI_IPSEC_SA_ID *SaId, - IN OUT EFI_IPSEC_SA_DATA2 *Data - ) -{ - // - // It assumes that all ref buffers in SAD selector and data are - // stored in the continous memory and close to the base structure. - // - if (Data->AlgoInfo.EspAlgoInfo.AuthKey !=3D NULL) { - FIX_REF_BUF_ADDR (Data->AlgoInfo.EspAlgoInfo.AuthKey, Data); - } - - if (SaId->Proto =3D=3D EfiIPsecESP && Data->AlgoInfo.EspAlgoInfo.EncKey = !=3D NULL) { - FIX_REF_BUF_ADDR (Data->AlgoInfo.EspAlgoInfo.EncKey, Data); - } - - if (Data->SpdSelector !=3D NULL) { - if (Data->SpdSelector->LocalAddress !=3D NULL) { - FIX_REF_BUF_ADDR (Data->SpdSelector->LocalAddress, Data); - } - - FIX_REF_BUF_ADDR (Data->SpdSelector->RemoteAddress, Data); - FIX_REF_BUF_ADDR (Data->SpdSelector, Data); - } - -} - -/** - Fix the value of some members of PAD ID. - - This function is called by IpSecCopyPolicyEntry()which copy the Policy - Entry into the Variable. Since some members in PAD ID are pointers, - a physical address to relative address conversion is required before cop= ying - this PAD into the variable. - - @param[in] PadId Pointer of PAD ID. - @param[in, out] Data Pointer of PAD Data. - -**/ -VOID -FixPadEntry ( - IN EFI_IPSEC_PAD_ID *PadId, - IN OUT EFI_IPSEC_PAD_DATA *Data - ) -{ - // - // It assumes that all ref buffers in pad selector and data are - // stored in the continous memory and close to the base structure. - // - if (Data->AuthData !=3D NULL) { - FIX_REF_BUF_ADDR (Data->AuthData, Data); - } - - if (Data->RevocationData !=3D NULL) { - FIX_REF_BUF_ADDR (Data->RevocationData, Data); - } - -} - -/** - Recover the value of some members of SPD Selector. - - This function is corresponding to FixSpdEntry(). It recovers the value o= f members - of SPD Selector that are fixed by FixSpdEntry(). - - @param[in, out] Selector Pointer of SPD Selector. - @param[in, out] Data Pointer of SPD Data. 
- -**/ -VOID -UnfixSpdEntry ( - IN OUT EFI_IPSEC_SPD_SELECTOR *Selector, - IN OUT EFI_IPSEC_SPD_DATA *Data - ) -{ - // - // It assumes that all ref buffers in SPD selector and data are - // stored in the continous memory and close to the base structure. - // - UNFIX_REF_BUF_ADDR (Selector->LocalAddress, Selector); - UNFIX_REF_BUF_ADDR (Selector->RemoteAddress, Selector); - - if (Data->ProcessingPolicy !=3D NULL) { - UNFIX_REF_BUF_ADDR (Data->ProcessingPolicy, Data); - if (Data->ProcessingPolicy->TunnelOption !=3D NULL) { - UNFIX_REF_BUF_ADDR (Data->ProcessingPolicy->TunnelOption, Data); - } - } - -} - -/** - Recover the value of some members of SA ID. - - This function is corresponding to FixSadEntry(). It recovers the value o= f members - of SAD ID that are fixed by FixSadEntry(). - - @param[in, out] SaId Pointer of SAD ID. - @param[in, out] Data Pointer of SAD Data. - -**/ -VOID -UnfixSadEntry ( - IN OUT EFI_IPSEC_SA_ID *SaId, - IN OUT EFI_IPSEC_SA_DATA2 *Data - ) -{ - // - // It assumes that all ref buffers in SAD selector and data are - // stored in the continous memory and close to the base structure. - // - if (Data->AlgoInfo.EspAlgoInfo.AuthKey !=3D NULL) { - UNFIX_REF_BUF_ADDR (Data->AlgoInfo.EspAlgoInfo.AuthKey, Data); - } - - if (SaId->Proto =3D=3D EfiIPsecESP && Data->AlgoInfo.EspAlgoInfo.EncKey = !=3D NULL) { - UNFIX_REF_BUF_ADDR (Data->AlgoInfo.EspAlgoInfo.EncKey, Data); - } - - if (Data->SpdSelector !=3D NULL) { - UNFIX_REF_BUF_ADDR (Data->SpdSelector, Data); - if (Data->SpdSelector->LocalAddress !=3D NULL) { - UNFIX_REF_BUF_ADDR (Data->SpdSelector->LocalAddress, Data); - } - - UNFIX_REF_BUF_ADDR (Data->SpdSelector->RemoteAddress, Data); - } - -} - -/** - Recover the value of some members of PAD ID. - - This function is corresponding to FixPadEntry(). It recovers the value o= f members - of PAD ID that are fixed by FixPadEntry(). - - @param[in] PadId Pointer of PAD ID. - @param[in, out] Data Pointer of PAD Data. 
- -**/ -VOID -UnfixPadEntry ( - IN EFI_IPSEC_PAD_ID *PadId, - IN OUT EFI_IPSEC_PAD_DATA *Data - ) -{ - // - // It assumes that all ref buffers in pad selector and data are - // stored in the continous memory and close to the base structure. - // - if (Data->AuthData !=3D NULL) { - UNFIX_REF_BUF_ADDR (Data->AuthData, Data); - } - - if (Data->RevocationData !=3D NULL) { - UNFIX_REF_BUF_ADDR (Data->RevocationData, Data); - } - -} - -/** - Set the security policy information for the EFI IPsec driver. - - The IPsec configuration data has a unique selector/identifier separately= to - identify a data entry. - - @param[in] Selector Pointer to an entry selector on operated - configuration data specified by DataType. - A NULL Selector causes the entire specifi= ed-type - configuration information to be flushed. - @param[in] Data The data buffer to be set. The structure - of the data buffer should be EFI_IPSEC_SP= D_DATA. - @param[in] Context Pointer to one entry selector that descri= bes - the expected position the new data entry = will - be added. If Context is NULL, the new ent= ry will - be appended the end of database. - - @retval EFI_INVALID_PARAMETER One or more of the following are TRUE: - - Selector is not NULL and its LocalAdd= ress - is NULL or its RemoteAddress is NULL. - - Data is not NULL and its Action is Pr= otected - and its plolicy is NULL. - - Data is not NULL, its Action is not p= rotected, - and its policy is not NULL. - - The Action of Data is Protected, its = policy - mode is Tunnel, and its tunnel option= is NULL. - - The Action of Data is protected and i= ts policy - mode is not Tunnel and it tunnel opti= on is not NULL. - - SadEntry requied to be set into new S= pdEntry's Sas has - been found but it is invalid. - @retval EFI_OUT_OF_RESOURCED The required system resource could not be = allocated. - @retval EFI_SUCCESS The specified configuration data was obtai= ned successfully. 
- -**/ -EFI_STATUS -SetSpdEntry ( - IN EFI_IPSEC_CONFIG_SELECTOR *Selector, - IN VOID *Data, - IN VOID *Context OPTIONAL - ) -{ - EFI_IPSEC_SPD_SELECTOR *SpdSel; - EFI_IPSEC_SPD_DATA *SpdData; - EFI_IPSEC_SPD_SELECTOR *InsertBefore; - LIST_ENTRY *SpdList; - LIST_ENTRY *SadList; - LIST_ENTRY *SpdSas; - LIST_ENTRY *EntryInsertBefore; - LIST_ENTRY *Entry; - LIST_ENTRY *Entry2; - LIST_ENTRY *NextEntry; - LIST_ENTRY *NextEntry2; - IPSEC_SPD_ENTRY *SpdEntry; - IPSEC_SAD_ENTRY *SadEntry; - UINTN SpdEntrySize; - UINTN Index; - - SpdSel =3D (Selector =3D=3D NULL) ? NULL : &Selector->SpdSelector; - SpdData =3D (Data =3D=3D NULL) ? NULL : (EFI_IPSEC_SPD_DATA *) Dat= a; - InsertBefore =3D (Context =3D=3D NULL) ? NULL : &((EFI_IPSEC_CONFIG_SEL= ECTOR *) Context)->SpdSelector; - SpdList =3D &mConfigData[IPsecConfigDataTypeSpd]; - - if (SpdSel !=3D NULL) { - if (SpdSel->LocalAddress =3D=3D NULL || SpdSel->RemoteAddress =3D=3D N= ULL) { - return EFI_INVALID_PARAMETER; - } - } - - if (SpdData !=3D NULL) { - if ((SpdData->Action =3D=3D EfiIPsecActionProtect && SpdData->Processi= ngPolicy =3D=3D NULL) || - (SpdData->Action !=3D EfiIPsecActionProtect && SpdData->Processing= Policy !=3D NULL) - ) { - return EFI_INVALID_PARAMETER; - } - - if (SpdData->Action =3D=3D EfiIPsecActionProtect) { - if ((SpdData->ProcessingPolicy->Mode =3D=3D EfiIPsecTunnel && SpdDat= a->ProcessingPolicy->TunnelOption =3D=3D NULL) || - (SpdData->ProcessingPolicy->Mode !=3D EfiIPsecTunnel && SpdData-= >ProcessingPolicy->TunnelOption !=3D NULL) - ) { - return EFI_INVALID_PARAMETER; - } - } - } - // - // The default behavior is to insert the node ahead of the header. - // - EntryInsertBefore =3D SpdList; - - // - // Remove the existed SPD entry. 
- // - NET_LIST_FOR_EACH_SAFE (Entry, NextEntry, SpdList) { - - SpdEntry =3D IPSEC_SPD_ENTRY_FROM_LIST (Entry); - - if (SpdSel =3D=3D NULL || - CompareSpdSelector ((EFI_IPSEC_CONFIG_SELECTOR *) SpdEntry->Select= or, (EFI_IPSEC_CONFIG_SELECTOR *) SpdSel) - ) { - // - // Record the existed entry position to keep the original order. - // - EntryInsertBefore =3D SpdEntry->List.ForwardLink; - RemoveEntryList (&SpdEntry->List); - - // - // Update the reverse ref of SAD entry in the SPD.sas list. - // - SpdSas =3D &SpdEntry->Data->Sas; - - // - // Remove the related SAs from Sas(SadEntry->BySpd). If the SA entry= is established by - // IKE, remove from mConfigData list(SadEntry->List) and then free i= t directly since its - // SpdEntry will be freed later. - // - NET_LIST_FOR_EACH_SAFE (Entry2, NextEntry2, SpdSas) { - SadEntry =3D IPSEC_SAD_ENTRY_FROM_SPD (Entry2); - - if (SadEntry->Data->SpdEntry !=3D NULL) { - RemoveEntryList (&SadEntry->BySpd); - SadEntry->Data->SpdEntry =3D NULL; - } - - if (!(SadEntry->Data->ManualSet)) { - RemoveEntryList (&SadEntry->List); - FreePool (SadEntry); - } - } - - // - // Free the existed SPD entry - // - FreePool (SpdEntry); - } - } - // - // Return success here if only want to remove the SPD entry. - // - if (SpdData =3D=3D NULL || SpdSel =3D=3D NULL) { - return EFI_SUCCESS; - } - // - // Search the appointed entry position if InsertBefore is not NULL. - // - if (InsertBefore !=3D NULL) { - - NET_LIST_FOR_EACH (Entry, SpdList) { - SpdEntry =3D IPSEC_SPD_ENTRY_FROM_LIST (Entry); - - if (CompareSpdSelector ( - (EFI_IPSEC_CONFIG_SELECTOR *) SpdEntry->Selector, - (EFI_IPSEC_CONFIG_SELECTOR *) InsertBefore - )) { - EntryInsertBefore =3D Entry; - break; - } - } - } - - // - // Do Padding for the different Arch. 
- // - SpdEntrySize =3D ALIGN_VARIABLE (sizeof (IPSEC_SPD_ENTRY)); - SpdEntrySize =3D ALIGN_VARIABLE (SpdEntrySize + SIZE_OF_SPD_SELECTOR (S= pdSel)); - SpdEntrySize +=3D IpSecGetSizeOfEfiSpdData (SpdData); - - SpdEntry =3D AllocateZeroPool (SpdEntrySize); - - if (SpdEntry =3D=3D NULL) { - return EFI_OUT_OF_RESOURCES; - } - // - // Fix the address of Selector and Data buffer and copy them, which is - // continous memory and close to the base structure of SPD entry. - // - SpdEntry->Selector =3D (EFI_IPSEC_SPD_SELECTOR *) ALIGN_POINTER ((SpdEn= try + 1), sizeof (UINTN)); - SpdEntry->Data =3D (IPSEC_SPD_DATA *) ALIGN_POINTER ( - ((UINT8 *) SpdEntry->Selector = + SIZE_OF_SPD_SELECTOR (SpdSel)), - sizeof (UINTN) - ); - - DuplicateSpdSelector ( - (EFI_IPSEC_CONFIG_SELECTOR *) SpdEntry->Selector, - (EFI_IPSEC_CONFIG_SELECTOR *) SpdSel, - NULL - ); - - CopyMem ( - SpdEntry->Data->Name, - SpdData->Name, - sizeof (SpdData->Name) - ); - SpdEntry->Data->PackageFlag =3D SpdData->PackageFlag; - SpdEntry->Data->TrafficDirection =3D SpdData->TrafficDirection; - SpdEntry->Data->Action =3D SpdData->Action; - - // - // Fix the address of ProcessingPolicy and copy it if need, which is con= tinous - // memory and close to the base structure of SAD data. - // - if (SpdData->Action !=3D EfiIPsecActionProtect) { - SpdEntry->Data->ProcessingPolicy =3D NULL; - } else { - SpdEntry->Data->ProcessingPolicy =3D (EFI_IPSEC_PROCESS_POLICY *) ALIG= N_POINTER ( - SpdE= ntry->Data + 1, - size= of (UINTN) - ); - IpSecDuplicateProcessPolicy (SpdEntry->Data->ProcessingPolicy, SpdData= ->ProcessingPolicy); - } - // - // Update the sas list of the new SPD entry. 
- // - InitializeListHead (&SpdEntry->Data->Sas); - - SadList =3D &mConfigData[IPsecConfigDataTypeSad]; - - NET_LIST_FOR_EACH (Entry, SadList) { - SadEntry =3D IPSEC_SAD_ENTRY_FROM_LIST (Entry); - - for (Index =3D 0; Index < SpdData->SaIdCount; Index++) { - if (CompareSaId ( - (EFI_IPSEC_CONFIG_SELECTOR *) &SpdData->SaId[Index], - (EFI_IPSEC_CONFIG_SELECTOR *) SadEntry->Id - )) { - // - // Check whether the found SadEntry is vaild. - // - if (IsSubSpdSelector ( - (EFI_IPSEC_CONFIG_SELECTOR *) SadEntry->Data->SpdSelector, - (EFI_IPSEC_CONFIG_SELECTOR *) SpdEntry->Selector - )) { - if (SadEntry->Data->SpdEntry !=3D NULL) { - RemoveEntryList (&SadEntry->BySpd); - } - InsertTailList (&SpdEntry->Data->Sas, &SadEntry->BySpd); - SadEntry->Data->SpdEntry =3D SpdEntry; - } else { - return EFI_INVALID_PARAMETER; - } - } - } - } - - // - // Insert the new SPD entry. - // - InsertTailList (EntryInsertBefore, &SpdEntry->List); - - return EFI_SUCCESS; -} - -/** - Set the security association information for the EFI IPsec driver. - - The IPsec configuration data has a unique selector/identifier separately= to - identify a data entry. - - @param[in] Selector Pointer to an entry selector on operated - configuration data specified by DataType. - A NULL Selector causes the entire specifi= ed-type - configuration information to be flushed. - @param[in] Data The data buffer to be set. The structure - of the data buffer should be EFI_IPSEC_SA= _DATA. - @param[in] Context Pointer to one entry selector which descr= ibes - the expected position the new data entry = will - be added. If Context is NULL,the new entr= y will - be appended the end of database. - - @retval EFI_OUT_OF_RESOURCED The required system resource could not be = allocated. - @retval EFI_SUCCESS The specified configuration data was obtai= ned successfully. 
- -**/ -EFI_STATUS -SetSadEntry ( - IN EFI_IPSEC_CONFIG_SELECTOR *Selector, - IN VOID *Data, - IN VOID *Context OPTIONAL - ) -{ - IPSEC_SAD_ENTRY *SadEntry; - IPSEC_SPD_ENTRY *SpdEntry; - LIST_ENTRY *Entry; - LIST_ENTRY *NextEntry; - LIST_ENTRY *SadList; - LIST_ENTRY *SpdList; - EFI_IPSEC_SA_ID *SaId; - EFI_IPSEC_SA_DATA2 *SaData; - EFI_IPSEC_SA_ID *InsertBefore; - LIST_ENTRY *EntryInsertBefore; - UINTN SadEntrySize; - - SaId =3D (Selector =3D=3D NULL) ? NULL : &Selector->SaId; - SaData =3D (Data =3D=3D NULL) ? NULL : (EFI_IPSEC_SA_DATA2 *) Dat= a; - InsertBefore =3D (Context =3D=3D NULL) ? NULL : &((EFI_IPSEC_CONFIG_SEL= ECTOR *) Context)->SaId; - SadList =3D &mConfigData[IPsecConfigDataTypeSad]; - - // - // The default behavior is to insert the node ahead of the header. - // - EntryInsertBefore =3D SadList; - - // - // Remove the existed SAD entry. - // - NET_LIST_FOR_EACH_SAFE (Entry, NextEntry, SadList) { - - SadEntry =3D IPSEC_SAD_ENTRY_FROM_LIST (Entry); - - if (SaId =3D=3D NULL || - CompareSaId ( - (EFI_IPSEC_CONFIG_SELECTOR *) SadEntry->Id, - (EFI_IPSEC_CONFIG_SELECTOR *) SaId - )) { - // - // Record the existed entry position to keep the original order. - // - EntryInsertBefore =3D SadEntry->List.ForwardLink; - - // - // Update the related SAD.byspd field. - // - if (SadEntry->Data->SpdEntry !=3D NULL) { - RemoveEntryList (&SadEntry->BySpd); - } - - RemoveEntryList (&SadEntry->List); - FreePool (SadEntry); - } - } - // - // Return success here if only want to remove the SAD entry - // - if (SaData =3D=3D NULL || SaId =3D=3D NULL) { - return EFI_SUCCESS; - } - // - // Search the appointed entry position if InsertBefore is not NULL. 
- // - if (InsertBefore !=3D NULL) { - - NET_LIST_FOR_EACH (Entry, SadList) { - SadEntry =3D IPSEC_SAD_ENTRY_FROM_LIST (Entry); - - if (CompareSaId ( - (EFI_IPSEC_CONFIG_SELECTOR *) SadEntry->Id, - (EFI_IPSEC_CONFIG_SELECTOR *) InsertBefore - )) { - EntryInsertBefore =3D Entry; - break; - } - } - } - - // - // Do Padding for different Arch. - // - SadEntrySize =3D ALIGN_VARIABLE (sizeof (IPSEC_SAD_ENTRY)); - SadEntrySize =3D ALIGN_VARIABLE (SadEntrySize + sizeof (EFI_IPSEC_SA_ID= )); - SadEntrySize =3D ALIGN_VARIABLE (SadEntrySize + sizeof (IPSEC_SAD_DATA)= ); - - if (SaId->Proto =3D=3D EfiIPsecAH) { - SadEntrySize +=3D SaData->AlgoInfo.AhAlgoInfo.AuthKeyLength; - } else { - SadEntrySize =3D ALIGN_VARIABLE (SadEntrySize + SaData->AlgoInfo.EspA= lgoInfo.AuthKeyLength); - SadEntrySize +=3D ALIGN_VARIABLE (SaData->AlgoInfo.EspAlgoInfo.EncKeyL= ength); - } - - if (SaData->SpdSelector !=3D NULL) { - SadEntrySize +=3D SadEntrySize + SIZE_OF_SPD_SELECTOR (SaData->SpdSele= ctor); - } - SadEntry =3D AllocateZeroPool (SadEntrySize); - - if (SadEntry =3D=3D NULL) { - return EFI_OUT_OF_RESOURCES; - } - // - // Fix the address of Id and Data buffer and copy them, which is - // continous memory and close to the base structure of SAD entry. 
- // - SadEntry->Id =3D (EFI_IPSEC_SA_ID *) ALIGN_POINTER ((SadEntry + 1), s= izeof (UINTN)); - SadEntry->Data =3D (IPSEC_SAD_DATA *) ALIGN_POINTER ((SadEntry->Id + 1)= , sizeof (UINTN)); - - CopyMem (SadEntry->Id, SaId, sizeof (EFI_IPSEC_SA_ID)); - - SadEntry->Data->Mode =3D SaData->Mode; - SadEntry->Data->SequenceNumber =3D SaData->SNCount; - SadEntry->Data->AntiReplayWindowSize =3D SaData->AntiReplayWindows; - - ZeroMem ( - &SadEntry->Data->AntiReplayBitmap, - sizeof (SadEntry->Data->AntiReplayBitmap) - ); - - ZeroMem ( - &SadEntry->Data->AlgoInfo, - sizeof (EFI_IPSEC_ALGO_INFO) - ); - - SadEntry->Data->AlgoInfo.EspAlgoInfo.AuthAlgoId =3D SaData->AlgoInfo= .EspAlgoInfo.AuthAlgoId; - SadEntry->Data->AlgoInfo.EspAlgoInfo.AuthKeyLength =3D SaData->AlgoInfo= .EspAlgoInfo.AuthKeyLength; - - if (SadEntry->Data->AlgoInfo.EspAlgoInfo.AuthKeyLength !=3D 0) { - SadEntry->Data->AlgoInfo.EspAlgoInfo.AuthKey =3D (VOID *) ALIGN_POINTE= R ((SadEntry->Data + 1), sizeof (UINTN)); - CopyMem ( - SadEntry->Data->AlgoInfo.EspAlgoInfo.AuthKey, - SaData->AlgoInfo.EspAlgoInfo.AuthKey, - SadEntry->Data->AlgoInfo.EspAlgoInfo.AuthKeyLength - ); - } - - if (SaId->Proto =3D=3D EfiIPsecESP) { - SadEntry->Data->AlgoInfo.EspAlgoInfo.EncAlgoId =3D SaData->AlgoInfo= .EspAlgoInfo.EncAlgoId; - SadEntry->Data->AlgoInfo.EspAlgoInfo.EncKeyLength =3D SaData->AlgoInfo= .EspAlgoInfo.EncKeyLength; - - if (SadEntry->Data->AlgoInfo.EspAlgoInfo.EncKeyLength !=3D 0) { - SadEntry->Data->AlgoInfo.EspAlgoInfo.EncKey =3D (VOID *) ALIGN_POINT= ER ( - ((UINT8 *) = (SadEntry->Data + 1) + - SadEntry-= >Data->AlgoInfo.EspAlgoInfo.AuthKeyLength), - sizeof (U= INTN) - ); - CopyMem ( - SadEntry->Data->AlgoInfo.EspAlgoInfo.EncKey, - SaData->AlgoInfo.EspAlgoInfo.EncKey, - SadEntry->Data->AlgoInfo.EspAlgoInfo.EncKeyLength - ); - } - } - - CopyMem ( - &SadEntry->Data->SaLifetime, - &SaData->SaLifetime, - sizeof (EFI_IPSEC_SA_LIFETIME) - ); - - SadEntry->Data->PathMTU =3D SaData->PathMTU; - SadEntry->Data->SpdSelector =3D 
NULL; - SadEntry->Data->ESNEnabled =3D FALSE; - SadEntry->Data->ManualSet =3D SaData->ManualSet; - - // - // Copy Tunnel Source/Destination Address - // - if (SaData->Mode =3D=3D EfiIPsecTunnel) { - CopyMem ( - &SadEntry->Data->TunnelDestAddress, - &SaData->TunnelDestinationAddress, - sizeof (EFI_IP_ADDRESS) - ); - CopyMem ( - &SadEntry->Data->TunnelSourceAddress, - &SaData->TunnelSourceAddress, - sizeof (EFI_IP_ADDRESS) - ); - } - // - // Update the spd.sas list of the spd entry specified by SAD selector - // - SpdList =3D &mConfigData[IPsecConfigDataTypeSpd]; - - for (Entry =3D SpdList->ForwardLink; Entry !=3D SpdList && SaData->SpdSe= lector !=3D NULL; Entry =3D Entry->ForwardLink) { - - SpdEntry =3D IPSEC_SPD_ENTRY_FROM_LIST (Entry); - if (IsSubSpdSelector ( - (EFI_IPSEC_CONFIG_SELECTOR *) SaData->SpdSelector, - (EFI_IPSEC_CONFIG_SELECTOR *) SpdEntry->Selector - ) && SpdEntry->Data->Action =3D=3D EfiIPsecActionProtect) { - SadEntry->Data->SpdEntry =3D SpdEntry; - SadEntry->Data->SpdSelector =3D (EFI_IPSEC_SPD_SELECTOR *)((UINT8 *)= SadEntry + - SadEntrySi= ze - - SIZE_OF_SP= D_SELECTOR (SaData->SpdSelector) - ); - DuplicateSpdSelector ( - (EFI_IPSEC_CONFIG_SELECTOR *) SadEntry->Data->SpdSelector, - (EFI_IPSEC_CONFIG_SELECTOR *) SaData->SpdSelector, - NULL - ); - InsertTailList (&SpdEntry->Data->Sas, &SadEntry->BySpd); - } - } - // - // Insert the new SAD entry. - // - InsertTailList (EntryInsertBefore, &SadEntry->List); - - return EFI_SUCCESS; -} - -/** - Set the peer authorization configuration information for the EFI IPsec d= river. - - The IPsec configuration data has a unique selector/identifier separately= to - identify a data entry. - - @param[in] Selector Pointer to an entry selector on operated - configuration data specified by DataType. - A NULL Selector causes the entire specifi= ed-type - configuration information to be flushed. - @param[in] Data The data buffer to be set. The structure - of the data buffer should be EFI_IPSEC_PA= D_DATA. 
- @param[in] Context Pointer to one entry selector that descri= bes - the expected position the new data entry = will - be added. If Context is NULL, the new ent= ry will - be appended the end of database. - - @retval EFI_OUT_OF_RESOURCES The required system resources could not be= allocated. - @retval EFI_SUCCESS The specified configuration data was obtai= ned successfully. - -**/ -EFI_STATUS -SetPadEntry ( - IN EFI_IPSEC_CONFIG_SELECTOR *Selector, - IN VOID *Data, - IN VOID *Context OPTIONAL - ) -{ - IPSEC_PAD_ENTRY *PadEntry; - EFI_IPSEC_PAD_ID *PadId; - EFI_IPSEC_PAD_DATA *PadData; - LIST_ENTRY *PadList; - LIST_ENTRY *Entry; - LIST_ENTRY *NextEntry; - EFI_IPSEC_PAD_ID *InsertBefore; - LIST_ENTRY *EntryInsertBefore; - UINTN PadEntrySize; - - PadId =3D (Selector =3D=3D NULL) ? NULL : &Selector->PadId; - PadData =3D (Data =3D=3D NULL) ? NULL : (EFI_IPSEC_PAD_DATA *) Dat= a; - InsertBefore =3D (Context =3D=3D NULL) ? NULL : &((EFI_IPSEC_CONFIG_SEL= ECTOR *) Context)->PadId; - PadList =3D &mConfigData[IPsecConfigDataTypePad]; - - // - // The default behavior is to insert the node ahead of the header. - // - EntryInsertBefore =3D PadList; - - // - // Remove the existed pad entry. - // - NET_LIST_FOR_EACH_SAFE (Entry, NextEntry, PadList) { - - PadEntry =3D IPSEC_PAD_ENTRY_FROM_LIST (Entry); - - if (PadId =3D=3D NULL || - ComparePadId ((EFI_IPSEC_CONFIG_SELECTOR *) PadEntry->Id, (EFI_IPS= EC_CONFIG_SELECTOR *) PadId) - ) { - // - // Record the existed entry position to keep the original order. - // - EntryInsertBefore =3D PadEntry->List.ForwardLink; - RemoveEntryList (&PadEntry->List); - - FreePool (PadEntry); - } - } - // - // Return success here if only want to remove the pad entry - // - if (PadData =3D=3D NULL || PadId =3D=3D NULL) { - return EFI_SUCCESS; - } - // - // Search the appointed entry position if InsertBefore is not NULL. 
- // - if (InsertBefore !=3D NULL) { - - NET_LIST_FOR_EACH (Entry, PadList) { - PadEntry =3D IPSEC_PAD_ENTRY_FROM_LIST (Entry); - - if (ComparePadId ( - (EFI_IPSEC_CONFIG_SELECTOR *) PadEntry->Id, - (EFI_IPSEC_CONFIG_SELECTOR *) InsertBefore - )) { - EntryInsertBefore =3D Entry; - break; - } - } - } - - // - // Do PADDING for different arch. - // - PadEntrySize =3D ALIGN_VARIABLE (sizeof (IPSEC_PAD_ENTRY)); - PadEntrySize =3D ALIGN_VARIABLE (PadEntrySize + sizeof (EFI_IPSEC_PAD_I= D)); - PadEntrySize =3D ALIGN_VARIABLE (PadEntrySize + sizeof (EFI_IPSEC_PAD_D= ATA)); - PadEntrySize =3D ALIGN_VARIABLE (PadEntrySize + (PadData->AuthData !=3D= NULL ? PadData->AuthDataSize : 0)); - PadEntrySize +=3D PadData->RevocationData !=3D NULL ? PadData->Revocatio= nDataSize : 0; - - PadEntry =3D AllocateZeroPool (PadEntrySize); - - if (PadEntry =3D=3D NULL) { - return EFI_OUT_OF_RESOURCES; - } - // - // Fix the address of Id and Data buffer and copy them, which is - // continous memory and close to the base structure of pad entry. 
- // - PadEntry->Id =3D (EFI_IPSEC_PAD_ID *) ALIGN_POINTER ((PadEntry + 1), = sizeof (UINTN)); - PadEntry->Data =3D (EFI_IPSEC_PAD_DATA *) ALIGN_POINTER ((PadEntry->Id = + 1), sizeof (UINTN)); - - CopyMem (PadEntry->Id, PadId, sizeof (EFI_IPSEC_PAD_ID)); - - PadEntry->Data->AuthProtocol =3D PadData->AuthProtocol; - PadEntry->Data->AuthMethod =3D PadData->AuthMethod; - PadEntry->Data->IkeIdFlag =3D PadData->IkeIdFlag; - - if (PadData->AuthData !=3D NULL) { - PadEntry->Data->AuthDataSize =3D PadData->AuthDataSize; - PadEntry->Data->AuthData =3D (VOID *) ALIGN_POINTER (PadEntry->Da= ta + 1, sizeof (UINTN)); - CopyMem ( - PadEntry->Data->AuthData, - PadData->AuthData, - PadData->AuthDataSize - ); - } else { - PadEntry->Data->AuthDataSize =3D 0; - PadEntry->Data->AuthData =3D NULL; - } - - if (PadData->RevocationData !=3D NULL) { - PadEntry->Data->RevocationDataSize =3D PadData->RevocationDataSize; - PadEntry->Data->RevocationData =3D (VOID *) ALIGN_POINTER ( - ((UINT8 *) (PadEntry->= Data + 1) + PadData->AuthDataSize), - sizeof (UINTN) - ); - CopyMem ( - PadEntry->Data->RevocationData, - PadData->RevocationData, - PadData->RevocationDataSize - ); - } else { - PadEntry->Data->RevocationDataSize =3D 0; - PadEntry->Data->RevocationData =3D NULL; - } - // - // Insert the new pad entry. - // - InsertTailList (EntryInsertBefore, &PadEntry->List); - - return EFI_SUCCESS; -} - -/** - This function lookup the data entry from IPsec SPD. Return the configura= tion - value of the specified SPD Entry. - - @param[in] Selector Pointer to an entry selector which is an i= dentifier - of the SPD entry. - @param[in, out] DataSize On output the size of data returned in Dat= a. - @param[out] Data The buffer to return the contents of the I= Psec - configuration data. The type of the data b= uffer - is associated with the DataType. - - @retval EFI_SUCCESS The specified configuration data was obtai= ned successfully. - @retval EFI_INVALID_PARAMETER Data is NULL and *DataSize is not zero. 
- @retval EFI_NOT_FOUND The configuration data specified by Select= or is not found. - @retval EFI_BUFFER_TOO_SMALL The DataSize is too small for the result. = DataSize has been - updated with the size needed to complete t= he request. - -**/ -EFI_STATUS -GetSpdEntry ( - IN EFI_IPSEC_CONFIG_SELECTOR *Selector, - IN OUT UINTN *DataSize, - OUT VOID *Data - ) -{ - IPSEC_SPD_ENTRY *SpdEntry; - IPSEC_SAD_ENTRY *SadEntry; - EFI_IPSEC_SPD_SELECTOR *SpdSel; - EFI_IPSEC_SPD_DATA *SpdData; - LIST_ENTRY *SpdList; - LIST_ENTRY *SpdSas; - LIST_ENTRY *Entry; - UINTN RequiredSize; - - SpdSel =3D &Selector->SpdSelector; - SpdData =3D (EFI_IPSEC_SPD_DATA *) Data; - SpdList =3D &mConfigData[IPsecConfigDataTypeSpd]; - - NET_LIST_FOR_EACH (Entry, SpdList) { - SpdEntry =3D IPSEC_SPD_ENTRY_FROM_LIST (Entry); - - // - // Find the required SPD entry - // - if (CompareSpdSelector ( - (EFI_IPSEC_CONFIG_SELECTOR *) SpdSel, - (EFI_IPSEC_CONFIG_SELECTOR *) SpdEntry->Selector - )) { - - RequiredSize =3D IpSecGetSizeOfSpdData (SpdEntry->Data); - if (*DataSize < RequiredSize) { - *DataSize =3D RequiredSize; - return EFI_BUFFER_TOO_SMALL; - } - - if (SpdData =3D=3D NULL) { - return EFI_INVALID_PARAMETER; - } - - *DataSize =3D RequiredSize; - - // - // Extract and fill all SaId array from the SPD.sas list - // - SpdSas =3D &SpdEntry->Data->Sas; - SpdData->SaIdCount =3D 0; - - NET_LIST_FOR_EACH (Entry, SpdSas) { - SadEntry =3D IPSEC_SAD_ENTRY_FROM_SPD (Entry); - CopyMem ( - &SpdData->SaId[SpdData->SaIdCount++], - SadEntry->Id, - sizeof (EFI_IPSEC_SA_ID) - ); - } - // - // Fill the other fields in SPD data. 
- // - CopyMem (SpdData->Name, SpdEntry->Data->Name, sizeof (SpdData->Name)= ); - - SpdData->PackageFlag =3D SpdEntry->Data->PackageFlag; - SpdData->TrafficDirection =3D SpdEntry->Data->TrafficDirection; - SpdData->Action =3D SpdEntry->Data->Action; - - if (SpdData->Action !=3D EfiIPsecActionProtect) { - SpdData->ProcessingPolicy =3D NULL; - } else { - SpdData->ProcessingPolicy =3D (EFI_IPSEC_PROCESS_POLICY *) ((UINT8= *) SpdData + sizeof (EFI_IPSEC_SPD_DATA) + (SpdData->SaIdCount - 1) * size= of (EFI_IPSEC_SA_ID)); - - IpSecDuplicateProcessPolicy ( - SpdData->ProcessingPolicy, - SpdEntry->Data->ProcessingPolicy - ); - } - - return EFI_SUCCESS; - } - } - - return EFI_NOT_FOUND; -} - -/** - This function lookup the data entry from IPsec SAD. Return the configura= tion - value of the specified SAD Entry. - - @param[in] Selector Pointer to an entry selector which is an i= dentifier - of the SAD entry. - @param[in, out] DataSize On output, the size of data returned in Da= ta. - @param[out] Data The buffer to return the contents of the I= Psec - configuration data. The type of the data b= uffer - is associated with the DataType. - - @retval EFI_SUCCESS The specified configuration data was obtai= ned successfully. - @retval EFI_NOT_FOUND The configuration data specified by Select= or is not found. - @retval EFI_BUFFER_TOO_SMALL The DataSize is too small for the result. = DataSize has been - updated with the size needed to complete t= he request. - -**/ -EFI_STATUS -GetSadEntry ( - IN EFI_IPSEC_CONFIG_SELECTOR *Selector, - IN OUT UINTN *DataSize, - OUT VOID *Data - ) -{ - IPSEC_SAD_ENTRY *SadEntry; - LIST_ENTRY *Entry; - LIST_ENTRY *SadList; - EFI_IPSEC_SA_ID *SaId; - EFI_IPSEC_SA_DATA2 *SaData; - UINTN RequiredSize; - - SaId =3D &Selector->SaId; - SaData =3D (EFI_IPSEC_SA_DATA2 *) Data; - SadList =3D &mConfigData[IPsecConfigDataTypeSad]; - - NET_LIST_FOR_EACH (Entry, SadList) { - SadEntry =3D IPSEC_SAD_ENTRY_FROM_LIST (Entry); - - // - // Find the required SAD entry. 
- // - if (CompareSaId ( - (EFI_IPSEC_CONFIG_SELECTOR *) SaId, - (EFI_IPSEC_CONFIG_SELECTOR *) SadEntry->Id - )) { - // - // Calculate the required size of the SAD entry. - // Data Layout is follows: - // |EFI_IPSEC_SA_DATA - // |AuthKey - // |EncryptKey (Optional) - // |SpdSelector (Optional) - // - RequiredSize =3D ALIGN_VARIABLE (sizeof (EFI_IPSEC_SA_DATA2)); - - if (SaId->Proto =3D=3D EfiIPsecAH) { - RequiredSize =3D ALIGN_VARIABLE (RequiredSize + SadEntry->Data->A= lgoInfo.AhAlgoInfo.AuthKeyLength); - } else { - RequiredSize =3D ALIGN_VARIABLE (RequiredSize + SadEntry->Data->A= lgoInfo.EspAlgoInfo.AuthKeyLength); - RequiredSize =3D ALIGN_VARIABLE (RequiredSize + SadEntry->Data->A= lgoInfo.EspAlgoInfo.EncKeyLength); - } - - if (SadEntry->Data->SpdSelector !=3D NULL) { - RequiredSize +=3D SIZE_OF_SPD_SELECTOR (SadEntry->Data->SpdSelecto= r); - } - - if (*DataSize < RequiredSize) { - *DataSize =3D RequiredSize; - return EFI_BUFFER_TOO_SMALL; - } - - // - // Fill the data fields of SAD entry. 
- // - *DataSize =3D RequiredSize; - SaData->Mode =3D SadEntry->Data->Mode; - SaData->SNCount =3D SadEntry->Data->SequenceNumber; - SaData->AntiReplayWindows =3D SadEntry->Data->AntiReplayWindowSize; - - CopyMem ( - &SaData->SaLifetime, - &SadEntry->Data->SaLifetime, - sizeof (EFI_IPSEC_SA_LIFETIME) - ); - - ZeroMem ( - &SaData->AlgoInfo, - sizeof (EFI_IPSEC_ALGO_INFO) - ); - - if (SaId->Proto =3D=3D EfiIPsecAH) { - // - // Copy AH alogrithm INFO to SaData - // - SaData->AlgoInfo.AhAlgoInfo.AuthAlgoId =3D SadEntry->Data->Algo= Info.AhAlgoInfo.AuthAlgoId; - SaData->AlgoInfo.AhAlgoInfo.AuthKeyLength =3D SadEntry->Data->Algo= Info.AhAlgoInfo.AuthKeyLength; - if (SaData->AlgoInfo.AhAlgoInfo.AuthKeyLength !=3D 0) { - SaData->AlgoInfo.AhAlgoInfo.AuthKey =3D (VOID *) ALIGN_POINTER (= (SaData + 1), sizeof (UINTN)); - CopyMem ( - SaData->AlgoInfo.AhAlgoInfo.AuthKey, - SadEntry->Data->AlgoInfo.AhAlgoInfo.AuthKey, - SaData->AlgoInfo.AhAlgoInfo.AuthKeyLength - ); - } - } else if (SaId->Proto =3D=3D EfiIPsecESP) { - // - // Copy ESP alogrithem INFO to SaData - // - SaData->AlgoInfo.EspAlgoInfo.AuthAlgoId =3D SadEntry->Data->Al= goInfo.EspAlgoInfo.AuthAlgoId; - SaData->AlgoInfo.EspAlgoInfo.AuthKeyLength =3D SadEntry->Data->Al= goInfo.EspAlgoInfo.AuthKeyLength; - if (SaData->AlgoInfo.EspAlgoInfo.AuthKeyLength !=3D 0) { - SaData->AlgoInfo.EspAlgoInfo.AuthKey =3D (VOID *) ALIGN_POINTER = ((SaData + 1), sizeof (UINTN)); - CopyMem ( - SaData->AlgoInfo.EspAlgoInfo.AuthKey, - SadEntry->Data->AlgoInfo.EspAlgoInfo.AuthKey, - SaData->AlgoInfo.EspAlgoInfo.AuthKeyLength - ); - } - - SaData->AlgoInfo.EspAlgoInfo.EncAlgoId =3D SadEntry->Data->Algo= Info.EspAlgoInfo.EncAlgoId; - SaData->AlgoInfo.EspAlgoInfo.EncKeyLength =3D SadEntry->Data->Algo= Info.EspAlgoInfo.EncKeyLength; - - if (SaData->AlgoInfo.EspAlgoInfo.EncKeyLength !=3D 0) { - SaData->AlgoInfo.EspAlgoInfo.EncKey =3D (VOID *) ALIGN_POINTER ( - ((UINT8 *) (SaDa= ta + 1) + - SaData->AlgoIn= fo.EspAlgoInfo.AuthKeyLength), - sizeof 
(UINTN) - ); - CopyMem ( - SaData->AlgoInfo.EspAlgoInfo.EncKey, - SadEntry->Data->AlgoInfo.EspAlgoInfo.EncKey, - SaData->AlgoInfo.EspAlgoInfo.EncKeyLength - ); - } - } - - SaData->PathMTU =3D SadEntry->Data->PathMTU; - - // - // Fill Tunnel Address if it is Tunnel Mode - // - if (SadEntry->Data->Mode =3D=3D EfiIPsecTunnel) { - CopyMem ( - &SaData->TunnelDestinationAddress, - &SadEntry->Data->TunnelDestAddress, - sizeof (EFI_IP_ADDRESS) - ); - CopyMem ( - &SaData->TunnelSourceAddress, - &SadEntry->Data->TunnelSourceAddress, - sizeof (EFI_IP_ADDRESS) - ); - } - // - // Fill the spd selector field of SAD data - // - if (SadEntry->Data->SpdSelector !=3D NULL) { - - SaData->SpdSelector =3D (EFI_IPSEC_SPD_SELECTOR *) ( - (UINT8 *)SaData + - RequiredSize - - SIZE_OF_SPD_SELECTOR (SadEntry->Data->SpdS= elector) - ); - - DuplicateSpdSelector ( - (EFI_IPSEC_CONFIG_SELECTOR *) SaData->SpdSelector, - (EFI_IPSEC_CONFIG_SELECTOR *) SadEntry->Data->SpdSelector, - NULL - ); - - } else { - - SaData->SpdSelector =3D NULL; - } - - SaData->ManualSet =3D SadEntry->Data->ManualSet; - - return EFI_SUCCESS; - } - } - - return EFI_NOT_FOUND; -} - -/** - This function lookup the data entry from IPsec PAD. Return the configura= tion - value of the specified PAD Entry. - - @param[in] Selector Pointer to an entry selector which is an i= dentifier - of the PAD entry. - @param[in, out] DataSize On output the size of data returned in Dat= a. - @param[out] Data The buffer to return the contents of the I= Psec - configuration data. The type of the data b= uffer - is associated with the DataType. - - @retval EFI_SUCCESS The specified configuration data was obtai= ned successfully. - @retval EFI_NOT_FOUND The configuration data specified by Select= or is not found. - @retval EFI_BUFFER_TOO_SMALL The DataSize is too small for the result. = DataSize has been - updated with the size needed to complete t= he request. 
- -**/ -EFI_STATUS -GetPadEntry ( - IN EFI_IPSEC_CONFIG_SELECTOR *Selector, - IN OUT UINTN *DataSize, - OUT VOID *Data - ) -{ - IPSEC_PAD_ENTRY *PadEntry; - LIST_ENTRY *PadList; - LIST_ENTRY *Entry; - EFI_IPSEC_PAD_ID *PadId; - EFI_IPSEC_PAD_DATA *PadData; - UINTN RequiredSize; - - PadId =3D &Selector->PadId; - PadData =3D (EFI_IPSEC_PAD_DATA *) Data; - PadList =3D &mConfigData[IPsecConfigDataTypePad]; - - NET_LIST_FOR_EACH (Entry, PadList) { - PadEntry =3D IPSEC_PAD_ENTRY_FROM_LIST (Entry); - - // - // Find the required pad entry. - // - if (ComparePadId ( - (EFI_IPSEC_CONFIG_SELECTOR *) PadId, - (EFI_IPSEC_CONFIG_SELECTOR *) PadEntry->Id - )) { - // - // Calculate the required size of the pad entry. - // - RequiredSize =3D ALIGN_VARIABLE (sizeof (EFI_IPSEC_PAD_DATA)); - RequiredSize =3D ALIGN_VARIABLE (RequiredSize + PadEntry->Data->Aut= hDataSize); - RequiredSize +=3D PadEntry->Data->RevocationDataSize; - - if (*DataSize < RequiredSize) { - *DataSize =3D RequiredSize; - return EFI_BUFFER_TOO_SMALL; - } - // - // Fill the data fields of pad entry - // - *DataSize =3D RequiredSize; - PadData->AuthProtocol =3D PadEntry->Data->AuthProtocol; - PadData->AuthMethod =3D PadEntry->Data->AuthMethod; - PadData->IkeIdFlag =3D PadEntry->Data->IkeIdFlag; - - // - // Copy Authentication data. - // - if (PadEntry->Data->AuthData !=3D NULL) { - - PadData->AuthDataSize =3D PadEntry->Data->AuthDataSize; - PadData->AuthData =3D (VOID *) ALIGN_POINTER ((PadData + 1), s= izeof (UINTN)); - CopyMem ( - PadData->AuthData, - PadEntry->Data->AuthData, - PadData->AuthDataSize - ); - } else { - - PadData->AuthDataSize =3D 0; - PadData->AuthData =3D NULL; - } - // - // Copy Revocation Data. 
- // - if (PadEntry->Data->RevocationData !=3D NULL) { - - PadData->RevocationDataSize =3D PadEntry->Data->RevocationDataSize; - PadData->RevocationData =3D (VOID *) ALIGN_POINTER ( - ((UINT8 *) (PadData + 1) = + PadData->AuthDataSize), - sizeof (UINTN) - ); - CopyMem ( - PadData->RevocationData, - PadEntry->Data->RevocationData, - PadData->RevocationDataSize - ); - } else { - - PadData->RevocationDataSize =3D 0; - PadData->RevocationData =3D NULL; - } - - return EFI_SUCCESS; - } - } - - return EFI_NOT_FOUND; -} - -/** - Copy Source Process Policy to the Destination Process Policy. - - @param[in] Dst Pointer to the Source Process Policy. - @param[in] Src Pointer to the Destination Process Poli= cy. - -**/ -VOID -IpSecDuplicateProcessPolicy ( - IN EFI_IPSEC_PROCESS_POLICY *Dst, - IN EFI_IPSEC_PROCESS_POLICY *Src - ) -{ - // - // Firstly copy the structure content itself. - // - CopyMem (Dst, Src, sizeof (EFI_IPSEC_PROCESS_POLICY)); - - // - // Recursively copy the tunnel option if needed. - // - if (Dst->Mode !=3D EfiIPsecTunnel) { - ASSERT (Dst->TunnelOption =3D=3D NULL); - } else { - Dst->TunnelOption =3D (EFI_IPSEC_TUNNEL_OPTION *) ALIGN_POINTER ((Dst = + 1), sizeof (UINTN)); - CopyMem ( - Dst->TunnelOption, - Src->TunnelOption, - sizeof (EFI_IPSEC_TUNNEL_OPTION) - ); - } -} - -/** - Calculate the a whole size of EFI_IPSEC_SPD_DATA, which includes the buf= fer size pointed - to by the pointer members. - - @param[in] SpdData Pointer to a specified EFI_IPSEC_SPD_DAT= A. - - @return the whole size the specified EFI_IPSEC_SPD_DATA. 
- -**/ -UINTN -IpSecGetSizeOfEfiSpdData ( - IN EFI_IPSEC_SPD_DATA *SpdData - ) -{ - UINTN Size; - - Size =3D ALIGN_VARIABLE (sizeof (IPSEC_SPD_DATA)); - - if (SpdData->Action =3D=3D EfiIPsecActionProtect) { - Size =3D ALIGN_VARIABLE (Size + sizeof (EFI_IPSEC_PROCESS_POLICY)); - - if (SpdData->ProcessingPolicy->Mode =3D=3D EfiIPsecTunnel) { - Size =3D ALIGN_VARIABLE (Size + sizeof (EFI_IPSEC_TUNNEL_OPTION)); - } - } - - return Size; -} - -/** - Calculate the a whole size of IPSEC_SPD_DATA which includes the buffer s= ize pointed - to by the pointer members and the buffer size used by the Sa List. - - @param[in] SpdData Pointer to the specified IPSEC_SPD_DATA. - - @return the whole size of IPSEC_SPD_DATA. - -**/ -UINTN -IpSecGetSizeOfSpdData ( - IN IPSEC_SPD_DATA *SpdData - ) -{ - UINTN Size; - LIST_ENTRY *Link; - - Size =3D sizeof (EFI_IPSEC_SPD_DATA) - sizeof (EFI_IPSEC_SA_ID); - - if (SpdData->Action =3D=3D EfiIPsecActionProtect) { - Size +=3D sizeof (EFI_IPSEC_PROCESS_POLICY); - - if (SpdData->ProcessingPolicy->Mode =3D=3D EfiIPsecTunnel) { - Size +=3D sizeof (EFI_IPSEC_TUNNEL_OPTION); - } - } - - NET_LIST_FOR_EACH (Link, &SpdData->Sas) { - Size +=3D sizeof (EFI_IPSEC_SA_ID); - } - - return Size; -} - -/** - Get the IPsec Variable. - - Get the all variables which start with the string contained in Varaiable= Name. - Since all IPsec related variable store in continual space, those kinds of - variable can be searched by the EfiGetNextVariableName. Those variables = also are - returned in a continual buffer. - - @param[in] VariableName Pointer to a specified Variable Na= me. - @param[in] VendorGuid Pointer to a specified Vendor Guid. - @param[in] Attributes Point to memory location to return= the attributes - of variable. If the point is NULL,= the parameter - would be ignored. - @param[in, out] DataSize As input, point to the maximum siz= e of return - Data-Buffer. As output, point to t= he actual - size of the returned Data-Buffer. 
- @param[in] Data Point to return Data-Buffer. - - @retval EFI_ABORTED If the Variable size which contained in t= he variable - structure doesn't match the variable size= obtained - from the EFIGetVariable. - @retval EFI_BUFFER_TOO_SMALL The DataSize is too small for the result.= DataSize has - been updated with the size needed to comp= lete the request. - @retval EFI_SUCCESS The function completed successfully. - @retval others Other errors found during the variable ge= tting. -**/ -EFI_STATUS -IpSecGetVariable ( - IN CHAR16 *VariableName, - IN EFI_GUID *VendorGuid, - IN UINT32 *Attributes, OPTIONAL - IN OUT UINTN *DataSize, - IN VOID *Data - ) -{ - EFI_STATUS Status; - EFI_GUID VendorGuidI; - UINTN VariableNameLength; - CHAR16 *VariableNameI; - UINTN VariableNameISize; - UINTN VariableNameISizeNew; - UINTN VariableIndex; - UINTN VariableCount; - IP_SEC_VARIABLE_INFO IpSecVariableInfo; - UINTN DataSizeI; - - // - // The variable name constructor is "VariableName + Info/0001/0002/... += NULL". - // So the varialbe name is like "VariableNameInfo", "VariableName0001", = ... - // "VariableNameNULL". - // - VariableNameLength =3D StrLen (VariableName); - VariableNameISize =3D (VariableNameLength + 5) * sizeof (CHAR16); - VariableNameI =3D AllocateZeroPool (VariableNameISize); - if (VariableNameI =3D=3D NULL) { - Status =3D EFI_OUT_OF_RESOURCES; - goto ON_EXIT; - } - - // - // Construct the varible name of ipsecconfig meta data. 
- // - UnicodeSPrint (VariableNameI, VariableNameISize, L"%s%s", VariableName, = L"Info"); - - DataSizeI =3D sizeof (IpSecVariableInfo); - - Status =3D gRT->GetVariable ( - VariableNameI, - VendorGuid, - Attributes, - &DataSizeI, - &IpSecVariableInfo - ); - if (EFI_ERROR (Status)) { - goto ON_EXIT; - } - - if (*DataSize < IpSecVariableInfo.VariableSize) { - *DataSize =3D IpSecVariableInfo.VariableSize; - Status =3D EFI_BUFFER_TOO_SMALL; - goto ON_EXIT; - } - - VariableCount =3D IpSecVariableInfo.VariableCount; - VariableNameI[0] =3D L'\0'; - - while (VariableCount !=3D 0) { - // - // Get the variable name one by one in the variable database. - // - VariableNameISizeNew =3D VariableNameISize; - Status =3D gRT->GetNextVariableName ( - &VariableNameISizeNew, - VariableNameI, - &VendorGuidI - ); - if (Status =3D=3D EFI_BUFFER_TOO_SMALL) { - VariableNameI =3D ReallocatePool ( - VariableNameISize, - VariableNameISizeNew, - VariableNameI - ); - if (VariableNameI =3D=3D NULL) { - Status =3D EFI_OUT_OF_RESOURCES; - break; - } - VariableNameISize =3D VariableNameISizeNew; - - Status =3D gRT->GetNextVariableName ( - &VariableNameISizeNew, - VariableNameI, - &VendorGuidI - ); - } - - if (EFI_ERROR (Status)) { - break; - } - // - // Check whether the current variable is the required "ipsecconfig". - // - if (StrnCmp (VariableNameI, VariableName, VariableNameLength) =3D=3D 0= || - CompareGuid (VendorGuid, &VendorGuidI) - ) { - // - // Parse the variable count of the current ipsecconfig data. - // - VariableIndex =3D StrDecimalToUintn (VariableNameI + VariableNameLen= gth); - if (VariableIndex!=3D 0 && VariableIndex <=3D IpSecVariableInfo.Vari= ableCount) { - // - // Get the variable size of the current ipsecconfig data. - // - DataSizeI =3D 0; - Status =3D gRT->GetVariable ( - VariableNameI, - VendorGuid, - Attributes, - &DataSizeI, - NULL - ); - ASSERT (Status =3D=3D EFI_BUFFER_TOO_SMALL); - // - // Validate the variable count and variable size. 
- // - if (VariableIndex !=3D IpSecVariableInfo.VariableCount) { - // - // If the varaibe is not the last one, its size should be the max - // size of the single variable. - // - if (DataSizeI !=3D IpSecVariableInfo.SingleVariableSize) { - return EFI_ABORTED; - } - } else { - if (DataSizeI !=3D IpSecVariableInfo.VariableSize % IpSecVariabl= eInfo.SingleVariableSize) { - return EFI_ABORTED; - } - } - // - // Get the variable data of the current ipsecconfig data and - // store it into user buffer continously. - // - Status =3D gRT->GetVariable ( - VariableNameI, - VendorGuid, - Attributes, - &DataSizeI, - (UINT8 *) Data + (VariableIndex - 1) * IpSecVariab= leInfo.SingleVariableSize - ); - ASSERT_EFI_ERROR (Status); - VariableCount--; - } - } - } - // - // The VariableCount in "VariableNameInfo" varaible should have the corr= ect - // numbers of variables which name starts with VariableName. - // - if (VariableCount !=3D 0) { - Status =3D EFI_ABORTED; - } - -ON_EXIT: - if (VariableNameI !=3D NULL) { - FreePool (VariableNameI); - } - return Status; -} - -/** - Set the IPsec variables. - - Set all IPsec variables which start with the specified variable name. Th= ose variables - are set one by one. - - @param[in] VariableName The name of the vendor's variable. It is a - Null-Terminated Unicode String. - @param[in] VendorGuid Unify identifier for vendor. - @param[in] Attributes Point to memory location to return the attribu= tes of - variable. If the point is NULL, the parameter = would be ignored. - @param[in] DataSize The size in bytes of Data-Buffer. - @param[in] Data Points to the content of the variable. - - @retval EFI_SUCCESS The firmware successfully stored the variable = and its data, as - defined by the Attributes. - @retval others Storing the variables failed. 
- -**/ -EFI_STATUS -IpSecSetVariable ( - IN CHAR16 *VariableName, - IN EFI_GUID *VendorGuid, - IN UINT32 Attributes, - IN UINTN DataSize, - IN VOID *Data - ) -{ - EFI_STATUS Status; - CHAR16 *VariableNameI; - UINTN VariableNameSize; - UINTN VariableIndex; - IP_SEC_VARIABLE_INFO IpSecVariableInfo; - UINT64 MaximumVariableStorageSize; - UINT64 RemainingVariableStorageSize; - UINT64 MaximumVariableSize; - - Status =3D gRT->QueryVariableInfo ( - Attributes, - &MaximumVariableStorageSize, - &RemainingVariableStorageSize, - &MaximumVariableSize - ); - if (EFI_ERROR (Status)) { - return Status; - } - - // - // "VariableName + Info/0001/0002/... + NULL" - // - VariableNameSize =3D (StrLen (VariableName) + 5) * sizeof (CHAR16); - VariableNameI =3D AllocateZeroPool (VariableNameSize); - - if (VariableNameI =3D=3D NULL) { - Status =3D EFI_OUT_OF_RESOURCES; - goto ON_EXIT; - } - // - // Construct the variable of ipsecconfig general information. Like the t= otal - // numbers of the Ipsecconfig variables, the total size of all ipsecconf= ig variables. - // - UnicodeSPrint (VariableNameI, VariableNameSize, L"%s%s", VariableName, L= "Info"); - MaximumVariableSize -=3D VariableNameSize; - - IpSecVariableInfo.VariableCount =3D (UINT32) ((DataSize + (UINTN) = MaximumVariableSize - 1) / (UINTN) MaximumVariableSize); - IpSecVariableInfo.VariableSize =3D (UINT32) DataSize; - IpSecVariableInfo.SingleVariableSize =3D (UINT32) MaximumVariableSize; - - // - // Set the variable of ipsecconfig general information. - // - Status =3D gRT->SetVariable ( - VariableNameI, - VendorGuid, - Attributes, - sizeof (IpSecVariableInfo), - &IpSecVariableInfo - ); - if (EFI_ERROR (Status)) { - DEBUG ((DEBUG_ERROR, "Error set ipsecconfig meta data with %r\n", Stat= us)); - goto ON_EXIT; - } - - for (VariableIndex =3D 0; VariableIndex < IpSecVariableInfo.VariableCoun= t; VariableIndex++) { - // - // Construct and set the variable of ipsecconfig data one by one. 
- // The index of variable name begin from 0001, and the varaible name - // likes "VariableName0001", "VaraiableName0002".... - // - UnicodeSPrint (VariableNameI, VariableNameSize, L"%s%04d", VariableNam= e, VariableIndex + 1); - Status =3D gRT->SetVariable ( - VariableNameI, - VendorGuid, - Attributes, - (VariableIndex =3D=3D IpSecVariableInfo.VariableCount = - 1) ? - (DataSize % (UINTN) MaximumVariableSize) : - (UINTN) MaximumVariableSize, - (UINT8 *) Data + VariableIndex * (UINTN) MaximumVariab= leSize - ); - - if (EFI_ERROR (Status)) { - DEBUG ((DEBUG_ERROR, "Error set ipsecconfig variable data with %r\n"= , Status)); - goto ON_EXIT; - } - } - -ON_EXIT: - if (VariableNameI !=3D NULL) { - FreePool (VariableNameI); - } - - return Status; -} - -/** - Return the configuration value for the EFI IPsec driver. - - This function lookup the data entry from IPsec database or IKEv2 configu= ration - information. The expected data type and unique identification are descri= bed in - DataType and Selector parameters. - - @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL i= nstance. - @param[in] DataType The type of data to retrieve. - @param[in] Selector Pointer to an entry selector that is an id= entifier of the IPsec - configuration data entry. - @param[in, out] DataSize On output the size of data returned in Dat= a. - @param[out] Data The buffer to return the contents of the I= Psec configuration data. - The type of the data buffer associated wit= h the DataType. - - @retval EFI_SUCCESS The specified configuration data was obtai= ned successfully. - @retval EFI_INVALID_PARAMETER One or more of the followings are TRUE: - - This is NULL. - - Selector is NULL. - - DataSize is NULL. - - Data is NULL and *DataSize is not zero - @retval EFI_NOT_FOUND The configuration data specified by Select= or is not found. - @retval EFI_UNSUPPORTED The specified DataType is not supported. - @retval EFI_BUFFER_TOO_SMALL The DataSize is too small for the result. 
= DataSize has been - updated with the size needed to complete t= he request. - -**/ -EFI_STATUS -EFIAPI -EfiIpSecConfigGetData ( - IN EFI_IPSEC_CONFIG_PROTOCOL *This, - IN EFI_IPSEC_CONFIG_DATA_TYPE DataType, - IN EFI_IPSEC_CONFIG_SELECTOR *Selector, - IN OUT UINTN *DataSize, - OUT VOID *Data - ) -{ - if (This =3D=3D NULL || Selector =3D=3D NULL || DataSize =3D=3D NULL) { - return EFI_INVALID_PARAMETER; - } - - if (*DataSize !=3D 0 && Data =3D=3D NULL) { - return EFI_INVALID_PARAMETER; - } - - if (DataType >=3D IPsecConfigDataTypeMaximum) { - return EFI_UNSUPPORTED; - } - - return mGetPolicyEntry[DataType](Selector, DataSize, Data); -} - -/** - Set the security association, security policy and peer authorization con= figuration - information for the EFI IPsec driver. - - This function is used to set the IPsec configuration information of type= DataType for - the EFI IPsec driver. - The IPsec configuration data has a unique selector/identifier separately= to identify - a data entry. The selector structure depends on DataType's definition. - Using SetData() with a Data of NULL causes the IPsec configuration data = entry identified - by DataType and Selector to be deleted. - - @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL i= nstance. - @param[in] DataType The type of data to be set. - @param[in] Selector Pointer to an entry selector on operated c= onfiguration data - specified by DataType. A NULL Selector cau= ses the entire - specified-type configuration information t= o be flushed. - @param[in] Data The data buffer to be set. The structure o= f the data buffer is - associated with the DataType. - @param[in] InsertBefore Pointer to one entry selector which descri= bes the expected - position the new data entry will be added.= If InsertBefore is NULL, - the new entry will be appended to the end = of the database. - - @retval EFI_SUCCESS The specified configuration entry data was= set successfully. 
- @retval EFI_INVALID_PARAMETER One or more of the following are TRUE: - - This is NULL. - @retval EFI_UNSUPPORTED The specified DataType is not supported. - @retval EFI_OUT_OF_RESOURCED The required system resource could not be = allocated. - -**/ -EFI_STATUS -EFIAPI -EfiIpSecConfigSetData ( - IN EFI_IPSEC_CONFIG_PROTOCOL *This, - IN EFI_IPSEC_CONFIG_DATA_TYPE DataType, - IN EFI_IPSEC_CONFIG_SELECTOR *Selector, - IN VOID *Data, - IN EFI_IPSEC_CONFIG_SELECTOR *InsertBefore OPTIONAL - ) -{ - EFI_STATUS Status; - - if (This =3D=3D NULL) { - return EFI_INVALID_PARAMETER; - } - - if (DataType >=3D IPsecConfigDataTypeMaximum) { - return EFI_UNSUPPORTED; - } - - Status =3D mSetPolicyEntry[DataType](Selector, Data, InsertBefore); - - if (!EFI_ERROR (Status) && !mSetBySelf) { - // - // Save the updated config data into variable. - // - IpSecConfigSave (); - } - - return Status; -} - -/** - Enumerates the current selector for IPsec configuration data entry. - - This function is called multiple times to retrieve the entry Selector in= IPsec - configuration database. On each call to GetNextSelector(), the next entry - Selector are retrieved into the output interface. - - If the entire IPsec configuration database has been iterated, the error - EFI_NOT_FOUND is returned. - If the Selector buffer is too small for the next Selector copy, an - EFI_BUFFER_TOO_SMALL error is returned, and SelectorSize is updated to r= eflect - the size of buffer needed. - - On the initial call to GetNextSelector() to start the IPsec configuratio= n database - search, a pointer to the buffer with all zero value is passed in Selecto= r. Calls - to SetData() between calls to GetNextSelector may produce unpredictable = results. - - @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL i= nstance. - @param[in] DataType The type of IPsec configuration data to re= trieve. - @param[in, out] SelectorSize The size of the Selector buffer. 
- @param[in, out] Selector On input, supplies the pointer to last Sel= ector that was - returned by GetNextSelector(). - On output, returns one copy of the current= entry Selector - of a given DataType. - - @retval EFI_SUCCESS The specified configuration data was obtai= ned successfully. - @retval EFI_INVALID_PARAMETER One or more of the followings are TRUE: - - This is NULL. - - SelectorSize is NULL. - - Selector is NULL. - @retval EFI_NOT_FOUND The next configuration data entry was not = found. - @retval EFI_UNSUPPORTED The specified DataType is not supported. - @retval EFI_BUFFER_TOO_SMALL The SelectorSize is too small for the resu= lt. This parameter - has been updated with the size needed to c= omplete the search - request. - -**/ -EFI_STATUS -EFIAPI -EfiIpSecConfigGetNextSelector ( - IN EFI_IPSEC_CONFIG_PROTOCOL *This, - IN EFI_IPSEC_CONFIG_DATA_TYPE DataType, - IN OUT UINTN *SelectorSize, - IN OUT EFI_IPSEC_CONFIG_SELECTOR *Selector - ) -{ - LIST_ENTRY *Link; - IPSEC_COMMON_POLICY_ENTRY *CommonEntry; - BOOLEAN IsFound; - - if (This =3D=3D NULL || Selector =3D=3D NULL || SelectorSize =3D=3D NULL= ) { - return EFI_INVALID_PARAMETER; - } - - if (DataType >=3D IPsecConfigDataTypeMaximum) { - return EFI_UNSUPPORTED; - } - - IsFound =3D FALSE; - - NET_LIST_FOR_EACH (Link, &mConfigData[DataType]) { - CommonEntry =3D BASE_CR (Link, IPSEC_COMMON_POLICY_ENTRY, List); - - if (IsFound || (BOOLEAN)(mIsZeroSelector[DataType](Selector))) { - // - // If found the appointed entry, then duplicate the next one and ret= urn, - // or if the appointed entry is zero, then return the first one dire= ctly. - // - return mDuplicateSelector[DataType](Selector, CommonEntry->Selector,= SelectorSize); - } else { - // - // Set the flag if find the appointed entry. 
- // - IsFound =3D mCompareSelector[DataType](Selector, CommonEntry->Select= or); - } - } - - return EFI_NOT_FOUND; -} - -/** - Register an event that is to be signaled whenever a configuration proces= s on the - specified IPsec configuration information is done. - - The register function is not surpport now and always returns EFI_UNSUPPO= RTED. - - @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL i= nstance. - @param[in] DataType The type of data to be registered the even= t for. - @param[in] Event The event to be registered. - - @retval EFI_SUCCESS The event is registered successfully. - @retval EFI_INVALID_PARAMETER This is NULL or Event is NULL. - @retval EFI_ACCESS_DENIED The Event is already registered for the Da= taType. - @retval EFI_UNSUPPORTED The notify registration is unsupported, or= the specified - DataType is not supported. - -**/ -EFI_STATUS -EFIAPI -EfiIpSecConfigRegisterNotify ( - IN EFI_IPSEC_CONFIG_PROTOCOL *This, - IN EFI_IPSEC_CONFIG_DATA_TYPE DataType, - IN EFI_EVENT Event - ) -{ - return EFI_UNSUPPORTED; -} - -/** - Remove the specified event that was previously registered on the specifi= ed IPsec - configuration data. - - This function is not support now and alwasy return EFI_UNSUPPORTED. - - @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL i= nstance. - @param[in] DataType The configuration data type to remove the = registered event for. - @param[in] Event The event to be unregistered. - - @retval EFI_SUCCESS The event was removed successfully. - @retval EFI_NOT_FOUND The Event specified by DataType could not = be found in the - database. - @retval EFI_INVALID_PARAMETER This is NULL or Event is NULL. - @retval EFI_UNSUPPORTED The notify registration is unsupported, or= the specified - DataType is not supported. 
- -**/ -EFI_STATUS -EFIAPI -EfiIpSecConfigUnregisterNotify ( - IN EFI_IPSEC_CONFIG_PROTOCOL *This, - IN EFI_IPSEC_CONFIG_DATA_TYPE DataType, - IN EFI_EVENT Event - ) -{ - return EFI_UNSUPPORTED; -} - -/** - Copy whole data in specified EFI_SIPEC_CONFIG_SELECTOR and the Data to a= buffer. - - This function is a caller defined function, and it is called by the IpSe= cVisitConfigData(). - The orignal caller is IpSecConfigSave(), which calls the IpsecVisitConfi= gData() to - copy all types of IPsec Config datas into one buffer and store this buff= er into firmware in - the form of several variables. - - @param[in] Type A specified IPSEC_CONFIG_DATA_TYPE. - @param[in] Selector Points to a EFI_IPSEC_CONFIG_SELECTOR = to be copied - to the buffer. - @param[in] Data Points to data to be copied to the buf= fer. The - Data type is related to the Type. - @param[in] SelectorSize The size of the Selector. - @param[in] DataSize The size of the Data. - @param[in, out] Buffer The buffer to store the Selector and D= ata. - - @retval EFI_SUCCESS Copy the Selector and Data to a buffer su= ccessfully. - @retval EFI_OUT_OF_RESOURCES The required system resource could not be= allocated. - -**/ -EFI_STATUS -IpSecCopyPolicyEntry ( - IN EFI_IPSEC_CONFIG_DATA_TYPE Type, - IN EFI_IPSEC_CONFIG_SELECTOR *Selector, - IN VOID *Data, - IN UINTN SelectorSize, - IN UINTN DataSize, - IN OUT IPSEC_VARIABLE_BUFFER *Buffer - ) -{ - IPSEC_VAR_ITEM_HEADER SelectorHeader; - IPSEC_VAR_ITEM_HEADER DataHeader; - UINTN EntrySize; - UINT8 *TempPoint; - - if (Type =3D=3D IPsecConfigDataTypeSad) { - // - // Don't save automatically-generated SA entry into variable. - // - if (((EFI_IPSEC_SA_DATA2 *) Data)->ManualSet =3D=3D FALSE) { - return EFI_SUCCESS; - } - } - // - // Increase the capacity size of the buffer if needed. 
- // - EntrySize =3D ALIGN_VARIABLE (sizeof (SelectorHeader)); - EntrySize =3D ALIGN_VARIABLE (EntrySize + SelectorSize); - EntrySize =3D ALIGN_VARIABLE (EntrySize + sizeof (SelectorHeader)); - EntrySize =3D ALIGN_VARIABLE (EntrySize + DataSize); - - //EntrySize =3D SelectorSize + DataSize + 2 * sizeof (SelectorHeader); - if (Buffer->Capacity - Buffer->Size < EntrySize) { - // - // Calculate the required buffer - // - Buffer->Capacity +=3D EntrySize; - TempPoint =3D AllocatePool (Buffer->Capacity); - - if (TempPoint =3D=3D NULL) { - return EFI_OUT_OF_RESOURCES; - } - // - // Copy the old Buffer to new buffer and free the old one. - // - CopyMem (TempPoint, Buffer->Ptr, Buffer->Size); - FreePool (Buffer->Ptr); - - Buffer->Ptr =3D TempPoint; - } - - mFixPolicyEntry[Type](Selector, Data); - - // - // Fill the selector header and copy it into buffer. - // - SelectorHeader.Type =3D (UINT8) (Type | IPSEC_VAR_ITEM_HEADER_LOGO_BIT); - SelectorHeader.Size =3D (UINT16) SelectorSize; - - CopyMem ( - Buffer->Ptr + Buffer->Size, - &SelectorHeader, - sizeof (SelectorHeader) - ); - Buffer->Size =3D ALIGN_VARIABLE (Buffer->Size + sizeof (SelectorHeader)= ); - - // - // Copy the selector into buffer. - // - CopyMem ( - Buffer->Ptr + Buffer->Size, - Selector, - SelectorSize - ); - Buffer->Size =3D ALIGN_VARIABLE (Buffer->Size + SelectorSize); - - // - // Fill the data header and copy it into buffer. - // - DataHeader.Type =3D (UINT8) Type; - DataHeader.Size =3D (UINT16) DataSize; - - CopyMem ( - Buffer->Ptr + Buffer->Size, - &DataHeader, - sizeof (DataHeader) - ); - Buffer->Size =3D ALIGN_VARIABLE (Buffer->Size + sizeof (DataHeader)); - // - // Copy the data into buffer. - // - CopyMem ( - Buffer->Ptr + Buffer->Size, - Data, - DataSize - ); - Buffer->Size =3D ALIGN_VARIABLE (Buffer->Size + DataSize); - - mUnfixPolicyEntry[Type](Selector, Data); - - return EFI_SUCCESS; -} - -/** - Visit all IPsec Configurations of specified Type and call the caller def= ined - interface. 
- - @param[in] DataType The specified IPsec Config Data Type. - @param[in] Routine The function defined by the caller. - @param[in] Context The data passed to the Routine. - - @retval EFI_OUT_OF_RESOURCES The required system resource could not be= allocated - @retval EFI_SUCCESS This function completed successfully. - -**/ -EFI_STATUS -IpSecVisitConfigData ( - IN EFI_IPSEC_CONFIG_DATA_TYPE DataType, - IN IPSEC_COPY_POLICY_ENTRY Routine, - IN VOID *Context - ) -{ - EFI_STATUS GetNextStatus; - EFI_STATUS GetDataStatus; - EFI_STATUS RoutineStatus; - EFI_IPSEC_CONFIG_SELECTOR *Selector; - VOID *Data; - UINTN SelectorSize; - UINTN DataSize; - UINTN SelectorBufferSize; - UINTN DataBufferSize; - BOOLEAN FirstGetNext; - - FirstGetNext =3D TRUE; - DataBufferSize =3D 0; - Data =3D NULL; - SelectorBufferSize =3D sizeof (EFI_IPSEC_CONFIG_SELECTOR); - Selector =3D AllocateZeroPool (SelectorBufferSize); - - if (Selector =3D=3D NULL) { - return EFI_OUT_OF_RESOURCES; - } - - while (TRUE) { - // - // Get the real size of the selector. - // - SelectorSize =3D SelectorBufferSize; - GetNextStatus =3D EfiIpSecConfigGetNextSelector ( - &mIpSecConfigInstance, - DataType, - &SelectorSize, - Selector - ); - if (GetNextStatus =3D=3D EFI_BUFFER_TOO_SMALL) { - FreePool (Selector); - SelectorBufferSize =3D SelectorSize; - // - // Allocate zero pool for the first selector, while store the last - // selector content for the other selectors. - // - if (FirstGetNext) { - Selector =3D AllocateZeroPool (SelectorBufferSize); - } else { - Selector =3D AllocateCopyPool (SelectorBufferSize, Selector); - } - - if (Selector =3D=3D NULL) { - return EFI_OUT_OF_RESOURCES; - } - // - // Get the content of the selector. - // - GetNextStatus =3D EfiIpSecConfigGetNextSelector ( - &mIpSecConfigInstance, - DataType, - &SelectorSize, - Selector - ); - } - - if (EFI_ERROR (GetNextStatus)) { - break; - } - - FirstGetNext =3D FALSE; - - // - // Get the real size of the policy entry according to the selector. 
- // - DataSize =3D DataBufferSize; - GetDataStatus =3D EfiIpSecConfigGetData ( - &mIpSecConfigInstance, - DataType, - Selector, - &DataSize, - Data - ); - if (GetDataStatus =3D=3D EFI_BUFFER_TOO_SMALL) { - if (Data !=3D NULL) { - FreePool (Data); - } - - DataBufferSize =3D DataSize; - Data =3D AllocateZeroPool (DataBufferSize); - - if (Data =3D=3D NULL) { - return EFI_OUT_OF_RESOURCES; - } - // - // Get the content of the policy entry according to the selector. - // - GetDataStatus =3D EfiIpSecConfigGetData ( - &mIpSecConfigInstance, - DataType, - Selector, - &DataSize, - Data - ); - } - - if (EFI_ERROR (GetDataStatus)) { - break; - } - // - // Prepare the buffer of updated policy entry, which is stored in - // the continous memory, and then save into variable later. - // - RoutineStatus =3D Routine ( - DataType, - Selector, - Data, - SelectorSize, - DataSize, - Context - ); - if (EFI_ERROR (RoutineStatus)) { - break; - } - } - - if (Data !=3D NULL) { - FreePool (Data); - } - - if (Selector !=3D NULL) { - FreePool (Selector); - } - - return EFI_SUCCESS; -} - -/** - This function is the subfunction of EFIIpSecConfigSetData. - - This function call IpSecSetVaraible to set the IPsec Configuration into = the firmware. - - @retval EFI_OUT_OF_RESOURCES The required system resource could not be= allocated. - @retval EFI_SUCCESS Saved the configration successfully. - @retval Others Other errors were found while obtaining t= he variable. - -**/ -EFI_STATUS -IpSecConfigSave ( - VOID - ) -{ - IPSEC_VARIABLE_BUFFER Buffer; - EFI_STATUS Status; - EFI_IPSEC_CONFIG_DATA_TYPE Type; - - Buffer.Size =3D 0; - Buffer.Capacity =3D IPSEC_DEFAULT_VARIABLE_SIZE; - Buffer.Ptr =3D AllocateZeroPool (Buffer.Capacity); - - if (Buffer.Ptr =3D=3D NULL) { - return EFI_OUT_OF_RESOURCES; - } - // - // For each policy database, prepare the contious buffer to save into va= riable. 
- // - for (Type =3D IPsecConfigDataTypeSpd; Type < IPsecConfigDataTypeMaximum;= Type++) { - IpSecVisitConfigData ( - Type, - (IPSEC_COPY_POLICY_ENTRY) IpSecCopyPolicyEntry, - &Buffer - ); - } - // - // Save the updated policy database into variable. - // - Status =3D IpSecSetVariable ( - IPSECCONFIG_VARIABLE_NAME, - &gEfiIpSecConfigProtocolGuid, - EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_NON_VOLATILE, - Buffer.Size, - Buffer.Ptr - ); - - FreePool (Buffer.Ptr); - - return Status; -} - -/** - Get the all IPSec configuration variables and store those variables - to the internal data structure. - - This founction is called by IpSecConfigInitialize() which is to intializ= e the - IPsecConfiguration Protocol. - - @param[in] Private Point to IPSEC_PRIVATE_DATA. - - @retval EFI_OUT_OF_RESOURCES The required system resource could not be= allocated - @retval EFI_SUCCESS Restore the IPsec Configuration successfu= lly. - @retval others Other errors is found while obtaining the= variable. - -**/ -EFI_STATUS -IpSecConfigRestore ( - IN IPSEC_PRIVATE_DATA *Private - ) -{ - EFI_STATUS Status; - UINTN BufferSize; - UINT8 *Buffer; - IPSEC_VAR_ITEM_HEADER *Header; - UINT8 *Ptr; - EFI_IPSEC_CONFIG_SELECTOR *Selector; - EFI_IPSEC_CONFIG_DATA_TYPE Type; - VOID *Data; - UINT8 Value; - UINTN Size; - - Value =3D 0; - Size =3D sizeof (Value); - BufferSize =3D 0; - Buffer =3D NULL; - - Status =3D gRT->GetVariable ( - IPSECCONFIG_STATUS_NAME, - &gEfiIpSecConfigProtocolGuid, - NULL, - &Size, - &Value - ); - - if (!EFI_ERROR (Status) && Value =3D=3D IPSEC_STATUS_ENABLED) { - Private->IpSec.DisabledFlag =3D FALSE; - } - // - // Get the real size of policy database in variable. 
- // - Status =3D IpSecGetVariable ( - IPSECCONFIG_VARIABLE_NAME, - &gEfiIpSecConfigProtocolGuid, - NULL, - &BufferSize, - Buffer - ); - if (Status =3D=3D EFI_BUFFER_TOO_SMALL) { - - Buffer =3D AllocateZeroPool (BufferSize); - if (Buffer =3D=3D NULL) { - return EFI_OUT_OF_RESOURCES; - } - // - // Get the content of policy database in variable. - // - Status =3D IpSecGetVariable ( - IPSECCONFIG_VARIABLE_NAME, - &gEfiIpSecConfigProtocolGuid, - NULL, - &BufferSize, - Buffer - ); - if (EFI_ERROR (Status)) { - FreePool (Buffer); - return Status; - } - - for (Ptr =3D Buffer; Ptr < Buffer + BufferSize;) { - - Header =3D (IPSEC_VAR_ITEM_HEADER *) Ptr; - Type =3D (EFI_IPSEC_CONFIG_DATA_TYPE) (Header->Type & IPSEC_VAR_I= TEM_HEADER_CONTENT_BIT); - ASSERT (((Header->Type & 0x80) =3D=3D IPSEC_VAR_ITEM_HEADER_LOGO_BIT= ) && (Type < IPsecConfigDataTypeMaximum)); - - Selector =3D (EFI_IPSEC_CONFIG_SELECTOR *) ALIGN_POINTER (Header + = 1, sizeof (UINTN)); - Header =3D (IPSEC_VAR_ITEM_HEADER *) ALIGN_POINTER ( - (UINT8 *) Selector + Header-= >Size, - sizeof (UINTN) - ); - ASSERT (Header->Type =3D=3D Type); - - Data =3D ALIGN_POINTER (Header + 1, sizeof (UINTN)); - - mUnfixPolicyEntry[Type](Selector, Data); - - // - // Update each policy entry according to the content in variable. - // - mSetBySelf =3D TRUE; - Status =3D EfiIpSecConfigSetData ( - &Private->IpSecConfig, - Type, - Selector, - Data, - NULL - ); - mSetBySelf =3D FALSE; - - if (EFI_ERROR (Status)) { - FreePool (Buffer); - return Status; - } - - Ptr =3D ALIGN_POINTER ((UINT8 *) Data + Header->Size, sizeof (UINTN= )); - } - - FreePool (Buffer); - } - - return EFI_SUCCESS; -} - -/** - Install and Initialize IPsecConfig protocol - - @param[in, out] Private Pointer to IPSEC_PRIVATE_DATA. After this fun= ction finish, - the pointer of IPsecConfig Protocol implement= ation will copy - into its IPsecConfig member. - - @retval EFI_SUCCESS Initialized the IPsecConfig Protocol successf= ully. 
- @retval Others Initializing the IPsecConfig Protocol failed. -**/ -EFI_STATUS -IpSecConfigInitialize ( - IN OUT IPSEC_PRIVATE_DATA *Private - ) -{ - EFI_IPSEC_CONFIG_DATA_TYPE Type; - - CopyMem ( - &Private->IpSecConfig, - &mIpSecConfigInstance, - sizeof (EFI_IPSEC_CONFIG_PROTOCOL) - ); - - // - // Initialize the list head of policy database. - // - for (Type =3D IPsecConfigDataTypeSpd; Type < IPsecConfigDataTypeMaximum;= Type++) { - InitializeListHead (&mConfigData[Type]); - } - // - // Restore the content of policy database according to the variable. - // - IpSecConfigRestore (Private); - - return gBS->InstallMultipleProtocolInterfaces ( - &Private->Handle, - &gEfiIpSecConfigProtocolGuid, - &Private->IpSecConfig, - NULL - ); -} diff --git a/NetworkPkg/IpSecDxe/IpSecConfigImpl.h b/NetworkPkg/IpSecDxe/Ip= SecConfigImpl.h deleted file mode 100644 index c3c1d37935..0000000000 --- a/NetworkPkg/IpSecDxe/IpSecConfigImpl.h +++ /dev/null @@ -1,949 +0,0 @@ -/** @file - Definitions related to IPSEC_CONFIG_PROTOCOL implementations. - - Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
- - SPDX-License-Identifier: BSD-2-Clause-Patent - -**/ - -#ifndef _IPSEC_CONFIG_IMPL_H_ -#define _IPSEC_CONFIG_IMPL_H_ - -#include -#include - -#include -#include -#include -#include -#include -#include -#include - -#include "IpSecImpl.h" - -#define EFI_IPSEC_ANY_PROTOCOL 0xFFFF -#define EFI_IPSEC_ANY_PORT 0 - -#define IPSEC_VAR_ITEM_HEADER_LOGO_BIT 0x80 -#define IPSEC_VAR_ITEM_HEADER_CONTENT_BIT 0x7F - -#define IPSECCONFIG_VARIABLE_NAME L"IpSecConfig" -#define IPSECCONFIG_STATUS_NAME L"IpSecStatus" - -#define SIZE_OF_SPD_SELECTOR(x) (sizeof (EFI_IPSEC_SPD_SELECTOR) \ - + sizeof (EFI_IP_ADDRESS_INFO) * ((x)->LocalAddressCount + (x)->Rem= oteAddressCount)) - -#define FIX_REF_BUF_ADDR(addr, base) addr =3D (VOID *) ((UINTN) (addr) = - (UINTN) (base)) -#define UNFIX_REF_BUF_ADDR(addr, base) addr =3D (VOID *) ((UINTN) (addr) = + (UINTN) (base)) - -// -// The data structure used to store the genernall information of IPsec con= figuration. -// -typedef struct { - UINT32 VariableCount; // the total number of the IPsecConfig variab= les. - UINT32 VariableSize; // The total size of all IpsecConfig variable= s. - UINT32 SingleVariableSize; // The max size of single variable -} IP_SEC_VARIABLE_INFO; - -typedef struct { - EFI_IPSEC_CONFIG_SELECTOR *Selector; - VOID *Data; - LIST_ENTRY List; -} IPSEC_COMMON_POLICY_ENTRY; - -typedef struct { - UINT8 *Ptr; - UINTN Size; - UINTN Capacity; -} IPSEC_VARIABLE_BUFFER; - -#pragma pack(1) -typedef struct { - UINT8 Type; - UINT16 Size; -} IPSEC_VAR_ITEM_HEADER; -#pragma pack() - -/** - The prototype of Copy Source Selector to the Destination Selector. - - @param[in, out] DstSel Pointer of Destination Selector. It w= ould be - SPD Selector, or SAD Selector or PAD = Selector. - @param[in] SrcSel Pointer of Source Selector. It would= be - SPD Selector, or SAD Selector or PAD = Selector. 
- @param[in, out] Size The size of the Destination Selector.= If it - is not NULL and its value is less tha= n the size of - Source Selector, the value of Source = Selector's - size will be passed to the caller by = this parameter. - - @retval EFI_INVALID_PARAMETER If the Destination or Source Selector is = NULL. - @retval EFI_BUFFER_TOO_SMALL If the input Size is less than size of So= urce Selector. - @retval EFI_SUCCESS Copy Source Selector to the Destination - Selector successfully. - -**/ -typedef -EFI_STATUS -(*IPSEC_DUPLICATE_SELECTOR) ( - IN OUT EFI_IPSEC_CONFIG_SELECTOR *DstSel, - IN EFI_IPSEC_CONFIG_SELECTOR *SrcSel, - IN OUT UINTN *Size - ); - -/** - It is prototype of compare two Selectors. The Selector would be SPD Sele= ctor, - or SAD Selector, or PAD selector. - - @param[in] Selector1 Pointer of the first Selector. - @param[in] Selector2 Pointer of the second Selector. - - @retval TRUE These two Selectors have the same value in certain fiel= ds. - @retval FALSE Not all fields have the same value in these two Selecto= rs. - -**/ -typedef -BOOLEAN -(*IPSEC_COMPARE_SELECTOR) ( - IN EFI_IPSEC_CONFIG_SELECTOR *Selector1, - IN EFI_IPSEC_CONFIG_SELECTOR *Selector2 - ); - -/** - The prototype of a function to check if the Selector is Zero by its cert= ain fields. - - @param[in] Selector Pointer of the Selector. - - @retval TRUE If the Selector is Zero. - @retval FALSE If the Selector is not Zero. - -**/ -typedef -BOOLEAN -(*IPSEC_IS_ZERO_SELECTOR) ( - IN EFI_IPSEC_CONFIG_SELECTOR *Selector - ); - -/** - The prototype of a function to fix the value of particular members of th= e Selector. - - @param[in] Selector Pointer of Selector. - @param[in] Data Pointer of Data. - -**/ -typedef -VOID -(*IPSEC_FIX_POLICY_ENTRY) ( - IN EFI_IPSEC_CONFIG_SELECTOR *Selector, - IN VOID *Data - ); - -/** - It is prototype function to define a routine function by the caller of I= pSecVisitConfigData(). - - @param[in] Type A specified IPSEC_CONFIG_DATA_TYPE. 
- @param[in] Selector Points to EFI_IPSEC_CONFIG_SELECTOR to= be copied - to the buffer. - @param[in] Data Points to data to be copied to the buf= fer. The - Data type is related to the Type. - @param[in] SelectorSize The size of the Selector. - @param[in] DataSize The size of the Data. - @param[in, out] Buffer The buffer to store the Selector and D= ata. - - @retval EFI_SUCCESS Copied the Selector and Data to a buffer = successfully. - @retval EFI_OUT_OF_RESOURCES The required system resource could not be= allocated. - -**/ -typedef -EFI_STATUS -(*IPSEC_COPY_POLICY_ENTRY) ( - IN EFI_IPSEC_CONFIG_DATA_TYPE Type, - IN EFI_IPSEC_CONFIG_SELECTOR *Selector, - IN VOID *Data, - IN UINTN SelectorSize, - IN UINTN DataSize, - IN OUT VOID *Context - ); - -/** - Set the security policy information for the EFI IPsec driver. - - The IPsec configuration data has a unique selector/identifier separately= to - identify a data entry. - - @param[in] Selector Pointer to an entry selector on operated - configuration data specified by DataType. - A NULL Selector causes the entire specifi= ed-type - configuration information to be flushed. - @param[in] Data The data buffer to be set. - @param[in] Context Pointer to one entry selector that descri= bes - the expected position the new data entry = will - be added. If Context is NULL, the new ent= ry will - be appended to the end of the database. - - @retval EFI_INVALID_PARAMETER Certain Parameters are not correct. The Pa= rameter - requiring a check depends on the Selector = type. - @retval EFI_OUT_OF_RESOURCED The required system resource could not be = allocated. - @retval EFI_SUCCESS The specified configuration data was obtai= ned successfully. - -**/ -typedef -EFI_STATUS -(*IPSEC_SET_POLICY_ENTRY) ( - IN EFI_IPSEC_CONFIG_SELECTOR *Selector, - IN VOID *Data, - IN VOID *Context OPTIONAL - ); - -/** - A prototype function definition to lookup the data entry from IPsec. Ret= urn the configuration - value of the specified Entry. 
- - @param[in] Selector Pointer to an entry selector that is an id= entifier - of the entry. - @param[in, out] DataSize On output, the size of data returned in Da= ta. - @param[out] Data The buffer to return the contents of the I= Psec - configuration data. The type of the data b= uffer - is associated with the DataType. - - @retval EFI_SUCCESS The specified configuration data was obtai= ned successfully. - @retval EFI_INVALID_PARAMETER Data is NULL and *DataSize is not zero. - @retval EFI_NOT_FOUND The configuration data specified by Select= or is not found. - @retval EFI_BUFFER_TOO_SMALL The DataSize is too small for the result. = DataSize has been - updated with the size needed to complete t= he request. - -**/ -typedef -EFI_STATUS -(*IPSEC_GET_POLICY_ENTRY) ( - IN EFI_IPSEC_CONFIG_SELECTOR *Selector, - IN OUT UINTN *DataSize, - IN VOID *Data - ); - -/** - Compare two SPD Selectors. - - Compare two SPD Selector by the fields of LocalAddressCount/RemoteAddres= sCount/ - NextLayerProtocol/LocalPort/LocalPortRange/RemotePort/RemotePortRange an= d the - Local Addresses and remote Addresses. - - @param[in] Selector1 Pointer of the first SPD Selector. - @param[in] Selector2 Pointer of the second SPD Selector. - - @retval TRUE These two Selectors have the same value in above fields. - @retval FALSE Not all of the above fields have the same value in thes= e two Selectors. - -**/ -BOOLEAN -CompareSpdSelector ( - IN EFI_IPSEC_CONFIG_SELECTOR *Selector1, - IN EFI_IPSEC_CONFIG_SELECTOR *Selector2 - ); - - -/** - Visit all IPsec Configurations of specified Type and call the caller def= ined - interface. - - @param[in] DataType The specified IPsec Config Data Type. - @param[in] Routine The function caller defined. - @param[in] Context The data passed to the Routine. - - @retval EFI_OUT_OF_RESOURCES The required system resource could not be= allocated. - @retval EFI_SUCCESS This function complete successfully. 
- -**/ -EFI_STATUS -IpSecVisitConfigData ( - IN EFI_IPSEC_CONFIG_DATA_TYPE DataType, - IN IPSEC_COPY_POLICY_ENTRY Routine, - IN VOID *Context - ); - - -/** - This function is the subfunction of the EFIIpSecConfigSetData. - - This function call IpSecSetVaraible to set the IPsec Configuration into = the firmware. - - @retval EFI_OUT_OF_RESOURCES The required system resource could not be= allocated. - @retval EFI_SUCCESS Saved the configration successfully. - @retval Others Other errors were found while obtaining t= he variable. - -**/ -EFI_STATUS -IpSecConfigSave ( - VOID - ); - -/** - Initialize IPsecConfig protocol - - @param[in, out] Private Pointer to IPSEC_PRIVATE_DATA. After this fun= ction finish, - the pointer of IPsecConfig Protocol implement= ation will copy - into its IPsecConfig member. - - @retval EFI_SUCCESS Initialized the IPsecConfig Protocol successf= ully. - @retval Others Initializing the IPsecConfig Protocol failed. - -**/ -EFI_STATUS -IpSecConfigInitialize ( - IN OUT IPSEC_PRIVATE_DATA *Private - ); - -/** - Calculate the entire size of EFI_IPSEC_SPD_DATA, which includes the buff= er size pointed - by the pointer members. - - @param[in] SpdData Pointer to a specified EFI_IPSEC_SPD_DAT= A. - - @return The entire size of the specified EFI_IPSEC_SPD_DATA. - -**/ -UINTN -IpSecGetSizeOfEfiSpdData ( - IN EFI_IPSEC_SPD_DATA *SpdData - ); - -/** - Calculate the a entire size of IPSEC_SPD_DATA, which includes the buffer= size pointed - by the pointer members and the buffer size used by Sa List. - - @param[in] SpdData Pointer to the specified IPSEC_SPD_DATA. - - @return The entire size of IPSEC_SPD_DATA. - -**/ -UINTN -IpSecGetSizeOfSpdData ( - IN IPSEC_SPD_DATA *SpdData - ); - -/** - Copy Source Process Policy to the Destination Process Policy. - - @param[in] Dst Pointer to the Source Process Policy. - @param[in] Src Pointer to the Destination Process Poli= cy. 
- -**/ -VOID -IpSecDuplicateProcessPolicy ( - IN EFI_IPSEC_PROCESS_POLICY *Dst, - IN EFI_IPSEC_PROCESS_POLICY *Src - ); - -/** - Find if the two SPD Selectors has subordinative. - - Compare two SPD Selector by the fields of LocalAddressCount/RemoteAddres= sCount/ - NextLayerProtocol/LocalPort/LocalPortRange/RemotePort/RemotePortRange an= d the - Local Addresses and remote Addresses. - - @param[in] Selector1 Pointer of first SPD Selector. - @param[in] Selector2 Pointer of second SPD Selector. - - @retval TRUE The first SPD Selector is subordinate Selector of secon= d SPD Selector. - @retval FALSE The first SPD Selector is not subordinate Selector of s= econd - SPD Selector. - -**/ -BOOLEAN -IsSubSpdSelector ( - IN EFI_IPSEC_CONFIG_SELECTOR *Selector1, - IN EFI_IPSEC_CONFIG_SELECTOR *Selector2 - ); - -/** - Compare two SA IDs. - - @param[in] Selector1 Pointer of the first SA ID. - @param[in] Selector2 Pointer of the second SA ID. - - @retval TRUE This two Selectors have the same SA ID. - @retval FALSE This two Selecotrs don't have the same SA ID. - -**/ -BOOLEAN -CompareSaId ( - IN EFI_IPSEC_CONFIG_SELECTOR *Selector1, - IN EFI_IPSEC_CONFIG_SELECTOR *Selector2 - ); - -/** - Compare two PAD IDs. - - @param[in] Selector1 Pointer of the first PAD ID. - @param[in] Selector2 Pointer of the second PAD ID. - - @retval TRUE This two Selectors have the same PAD ID. - @retval FALSE This two Selecotrs don't have the same PAD ID. - -**/ -BOOLEAN -ComparePadId ( - IN EFI_IPSEC_CONFIG_SELECTOR *Selector1, - IN EFI_IPSEC_CONFIG_SELECTOR *Selector2 - ); - -/** - Check if the SPD Selector is Zero by its LocalAddressCount and RemoteAdd= ressCount - fields. - - @param[in] Selector Pointer of the SPD Selector. - - @retval TRUE If the SPD Selector is Zero. - @retval FALSE If the SPD Selector is not Zero. - -**/ -BOOLEAN -IsZeroSpdSelector ( - IN EFI_IPSEC_CONFIG_SELECTOR *Selector - ); - -/** - Check if the SA ID is Zero by its DestAddress. - - @param[in] Selector Pointer of the SA ID. 
- - @retval TRUE If the SA ID is Zero. - @retval FALSE If the SA ID is not Zero. - -**/ -BOOLEAN -IsZeroSaId ( - IN EFI_IPSEC_CONFIG_SELECTOR *Selector - ); - -/** - Check if the PAD ID is Zero. - - @param[in] Selector Pointer of the PAD ID. - - @retval TRUE If the PAD ID is Zero. - @retval FALSE If the PAD ID is not Zero. - -**/ -BOOLEAN -IsZeroPadId ( - IN EFI_IPSEC_CONFIG_SELECTOR *Selector - ); - -/** - Copy Source SPD Selector to the Destination SPD Selector. - - @param[in, out] DstSel Pointer of Destination SPD Selector. - @param[in] SrcSel Pointer of Source SPD Selector. - @param[in, out] Size The size of the Destination SPD Selec= tor. If - it is not NULL and its value is less = than the - size of Source SPD Selector, the valu= e of - Source SPD Selector's size will be pa= ssed to - the caller by this parameter. - - @retval EFI_INVALID_PARAMETER If the Destination or Source SPD Selector= is NULL. - @retval EFI_BUFFER_TOO_SMALL If the input Size is less than size of So= urce SPD Selector. - @retval EFI_SUCCESS Copy Source SPD Selector to the Destinati= on SPD - Selector successfully. - -**/ -EFI_STATUS -DuplicateSpdSelector ( - IN OUT EFI_IPSEC_CONFIG_SELECTOR *DstSel, - IN EFI_IPSEC_CONFIG_SELECTOR *SrcSel, - IN OUT UINTN *Size - ); - -/** - Copy Source SA ID to the Destination SA ID. - - @param[in, out] DstSel Pointer of the Destination SA ID. - @param[in] SrcSel Pointer of the Source SA ID. - @param[in, out] Size The size of the Destination SA ID. If= it - not NULL, and its value is less than = the size of - Source SA ID, the value of Source SA = ID's size - will be passed to the caller by this = parameter. - - @retval EFI_INVALID_PARAMETER If the Destination or Source SA ID is NUL= L. - @retval EFI_BUFFER_TOO_SMALL If the input Size less than size of sourc= e SA ID. - @retval EFI_SUCCESS Copied Source SA ID to the Destination SA= ID successfully. 
- -**/ -EFI_STATUS -DuplicateSaId ( - IN OUT EFI_IPSEC_CONFIG_SELECTOR *DstSel, - IN EFI_IPSEC_CONFIG_SELECTOR *SrcSel, - IN OUT UINTN *Size - ); - -/** - Copy Source PAD ID to the Destination PAD ID. - - @param[in, out] DstSel Pointer of Destination PAD ID. - @param[in] SrcSel Pointer of Source PAD ID. - @param[in, out] Size The size of the Destination PAD ID. I= f it - not NULL, and its value less than the= size of - Source PAD ID, the value of Source PA= D ID's size - will be passed to the caller by this = parameter. - - @retval EFI_INVALID_PARAMETER If the Destination or Source PAD ID is NU= LL. - @retval EFI_BUFFER_TOO_SMALL If the input Size less than size of sourc= e PAD ID. - @retval EFI_SUCCESS Copied Source PAD ID to the Destination P= AD ID successfully. - -**/ -EFI_STATUS -DuplicatePadId ( - IN OUT EFI_IPSEC_CONFIG_SELECTOR *DstSel, - IN EFI_IPSEC_CONFIG_SELECTOR *SrcSel, - IN OUT UINTN *Size - ); - -/** - Fix the value of some members of the SPD Selector. - - This function is called by IpSecCopyPolicyEntry(), which copies the Poli= cy - Entry into the Variable. Since some members in SPD Selector are pointers, - a physical address to relative address conversion is required before cop= ying - this SPD entry into the variable. - - @param[in] Selector Pointer of SPD Selector. - @param[in, out] Data Pointer of SPD Data. - -**/ -VOID -FixSpdEntry ( - IN EFI_IPSEC_SPD_SELECTOR *Selector, - IN OUT EFI_IPSEC_SPD_DATA *Data - ); - -/** - Fix the value of some members of SA ID. - - This function is called by IpSecCopyPolicyEntry(), which copies the Poli= cy - Entry into the Variable. Since some members in SA ID are pointers, - a physical address to relative address conversion is required before cop= ying - this SAD into the variable. - - @param[in] SaId Pointer of SA ID. - @param[in, out] Data Pointer of SA Data. - -**/ -VOID -FixSadEntry ( - IN EFI_IPSEC_SA_ID *SaId, - IN OUT EFI_IPSEC_SA_DATA2 *Data - ); - -/** - Fix the value of some members of PAD ID. 
- - This function is called by IpSecCopyPolicyEntry(), which copy the Policy - Entry into the Variable. Since some members in PAD ID are pointers, - a physical address to relative address conversion is required before cop= ying - this PAD into the variable. - - @param[in] PadId Pointer of PAD ID. - @param[in, out] Data Pointer of PAD Data. - -**/ -VOID -FixPadEntry ( - IN EFI_IPSEC_PAD_ID *PadId, - IN OUT EFI_IPSEC_PAD_DATA *Data - ); - -/** - Recover the value of some members of SPD Selector. - - This function is corresponding to FixSpdEntry(). It recovers the value o= f members - of SPD Selector which fix by the FixSpdEntry(). - - @param[in, out] Selector Pointer of SPD Selector. - @param[in, out] Data Pointer of SPD Data. - -**/ -VOID -UnfixSpdEntry ( - IN OUT EFI_IPSEC_SPD_SELECTOR *Selector, - IN OUT EFI_IPSEC_SPD_DATA *Data - ); - - -/** - Recover the value of some members of SA ID. - - This function is corresponding to FixSadEntry(). It recovers the value o= f members - of SAD ID which fix by the FixSadEntry(). - - @param[in, out] SaId Pointer of SAD ID - @param[in, out] Data Pointer of SAD Data. - -**/ -VOID -UnfixSadEntry ( - IN OUT EFI_IPSEC_SA_ID *SaId, - IN OUT EFI_IPSEC_SA_DATA2 *Data - ); - -/** - Recover the value of some members of PAD ID. - - This function is corresponding to FixPadEntry(). It recovers the value o= f members - of PAD ID which fix by the FixPadEntry(). - - @param[in] PadId Pointer of PAD ID - @param[in, out] Data Pointer of PAD Data. - -**/ -VOID -UnfixPadEntry ( - IN EFI_IPSEC_PAD_ID *PadId, - IN OUT EFI_IPSEC_PAD_DATA *Data - ); - -/** - Set the security policy information for the EFI IPsec driver. - - The IPsec configuration data has a unique selector/identifier separately= to - identify a data entry. - - @param[in] Selector Pointer to an entry selector on operated - configuration data specified by DataType. - A NULL Selector causes the entire specifi= ed-type - configuration information to be flushed. 
- @param[in] Data The data buffer to be set. The structure - of the data buffer should be EFI_IPSEC_SP= D_DATA. - @param[in] Context Pointer to one entry selector that descri= bes - the expected position the new data entry = will - be added. If Context is NULL,the new entr= y will - be appended the end of database. - - @retval EFI_INVALID_PARAMETER One or more of the following are TRUE: - - Selector is not NULL and its LocalAdd= ress - is NULL or its RemoteAddress is NULL. - - Data is not NULL, its Action is Prote= cted, - and its policy is NULL. - - Data is not NULL and its Action is no= t protected - and its policy is not NULL. - - The Action of Data is Protected, its = policy - mode is Tunnel, and its tunnel option= is NULL. - - The Action of Data is protected, its = policy - mode is not Tunnel, and it tunnel opt= ion is not NULL. - @retval EFI_OUT_OF_RESOURCED The required system resource could not be = allocated. - @retval EFI_SUCCESS The specified configuration data was obtai= ned successfully. - -**/ -EFI_STATUS -SetSpdEntry ( - IN EFI_IPSEC_CONFIG_SELECTOR *Selector, - IN VOID *Data, - IN VOID *Context OPTIONAL - ); - -/** - Set the security association information for the EFI IPsec driver. - - The IPsec configuration data has a unique selector/identifier separately= to - identify a data entry. - - @param[in] Selector Pointer to an entry selector on operated - configuration data specified by DataType. - A NULL Selector causes the entire specifi= ed-type - configuration information to be flushed. - @param[in] Data The data buffer to be set. The structure - of the data buffer should be EFI_IPSEC_SA= _DATA. - @param[in] Context Pointer to one entry selector which descr= ibes - the expected position the new data entry = will - be added. If Context is NULL,the new entr= y will - be appended to the end of database. - - @retval EFI_OUT_OF_RESOURCED The required system resource could not be = allocated. 
- @retval EFI_SUCCESS The specified configuration data was obtai= ned successfully. - -**/ -EFI_STATUS -SetSadEntry ( - IN EFI_IPSEC_CONFIG_SELECTOR *Selector, - IN VOID *Data, - IN VOID *Context OPTIONAL - ); - -/** - Set the peer authorization configuration information for the EFI IPsec d= river. - - The IPsec configuration data has a unique selector/identifier separately= to - identify a data entry. - - @param[in] Selector Pointer to an entry selector on operated - configuration data specified by DataType. - A NULL Selector causes the entire specifi= ed-type - configuration information to be flushed. - @param[in] Data The data buffer to be set. The structure - of the data buffer should be EFI_IPSEC_PA= D_DATA. - @param[in] Context Pointer to one entry selector that descri= bes - the expected position where the new data = entry will - be added. If Context is NULL, the new ent= ry will - be appended the end of database. - - @retval EFI_OUT_OF_RESOURCED The required system resource could not be = allocated. - @retval EFI_SUCCESS The specified configuration data was obtai= ned successfully. - -**/ -EFI_STATUS -SetPadEntry ( - IN EFI_IPSEC_CONFIG_SELECTOR *Selector, - IN VOID *Data, - IN VOID *Context OPTIONAL - ); - -/** - This function looks up the data entry from IPsec SPD, and returns the co= nfiguration - value of the specified SPD Entry. - - @param[in] Selector Pointer to an entry selector which is an i= dentifier - of the SPD entry. - @param[in, out] DataSize On output the size of data returned in Dat= a. - @param[out] Data The buffer to return the contents of the I= Psec - configuration data. The type of the data b= uffer - is associated with the DataType. - - @retval EFI_SUCCESS The specified configuration data was obtai= ned successfully. - @retval EFI_INVALID_PARAMETER Data is NULL and *DataSize is not zero. - @retval EFI_NOT_FOUND The configuration data specified by Select= or is not found. 
- @retval EFI_BUFFER_TOO_SMALL The DataSize is too small for the result. = DataSize has been - updated with the size needed to complete t= he request. - -**/ -EFI_STATUS -GetSpdEntry ( - IN EFI_IPSEC_CONFIG_SELECTOR *Selector, - IN OUT UINTN *DataSize, - OUT VOID *Data - ); - -/** - This function looks up the data entry from IPsec SAD and returns the con= figuration - value of the specified SAD Entry. - - @param[in] Selector Pointer to an entry selector that is an id= entifier - of the SAD entry. - @param[in, out] DataSize On output, the size of data returned in Da= ta. - @param[out] Data The buffer to return the contents of the I= Psec - configuration data. This type of the data = buffer - is associated with the DataType. - - @retval EFI_SUCCESS The specified configuration data was obtai= ned successfully. - @retval EFI_NOT_FOUND The configuration data specified by Select= or is not found. - @retval EFI_BUFFER_TOO_SMALL The DataSize is too small for the result. = DataSize has been - updated with the size needed to complete t= he request. - -**/ -EFI_STATUS -GetSadEntry ( - IN EFI_IPSEC_CONFIG_SELECTOR *Selector, - IN OUT UINTN *DataSize, - OUT VOID *Data - ); - -/** - This function looks up the data entry from IPsec PADand returns the conf= iguration - value of the specified PAD Entry. - - @param[in] Selector Pointer to an entry selector that is an i= dentifier - of the PAD entry. - @param[in, out] DataSize On output the size of data returned in Dat= a. - @param[out] Data The buffer to return the contents of the I= Psec - configuration data. This type of the data = buffer - is associated with the DataType. - - @retval EFI_SUCCESS The specified configuration data was obtai= ned successfully. - @retval EFI_NOT_FOUND The configuration data specified by Select= or is not found. - @retval EFI_BUFFER_TOO_SMALL The DataSize is too small for the result. = DataSize has been - updated with the size needed to complete t= he request. 
- -**/ -EFI_STATUS -GetPadEntry ( - IN EFI_IPSEC_CONFIG_SELECTOR *Selector, - IN OUT UINTN *DataSize, - OUT VOID *Data - ); - -/** - Return the configuration value for the EFI IPsec driver. - - This function lookup the data entry from IPsec database or IKEv2 configu= ration - information. The expected data type and unique identification are descri= bed in - DataType and Selector parameters. - - @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL i= nstance. - @param[in] DataType The type of data to retrieve. - @param[in] Selector Pointer to an entry selector that is an id= entifier of the IPsec - configuration data entry. - @param[in, out] DataSize On output the size of data returned in Dat= a. - @param[out] Data The buffer to return the contents of the I= Psec configuration data. - The type of the data buffer is associated = with the DataType. - - @retval EFI_SUCCESS The specified configuration data was obtai= ned successfully. - @retval EFI_INVALID_PARAMETER One or more of the followings are TRUE: - - This is NULL. - - Selector is NULL. - - DataSize is NULL. - - Data is NULL and *DataSize is not zero - @retval EFI_NOT_FOUND The configuration data specified by Select= or is not found. - @retval EFI_UNSUPPORTED The specified DataType is not supported. - @retval EFI_BUFFER_TOO_SMALL The DataSize is too small for the result. = DataSize has been - updated with the size needed to complete t= he request. - -**/ -EFI_STATUS -EFIAPI -EfiIpSecConfigGetData ( - IN EFI_IPSEC_CONFIG_PROTOCOL *This, - IN EFI_IPSEC_CONFIG_DATA_TYPE DataType, - IN EFI_IPSEC_CONFIG_SELECTOR *Selector, - IN OUT UINTN *DataSize, - OUT VOID *Data - ); - -/** - Set the security association, security policy and peer authorization con= figuration - information for the EFI IPsec driver. - - This function is used to set the IPsec configuration information of type= DataType for - the EFI IPsec driver. 
- The IPsec configuration data has a unique selector/identifier separately= to identify - a data entry. The selector structure depends on DataType's definition. - Using SetData() with a Data of NULL causes the IPsec configuration data = entry identified - by DataType and Selector to be deleted. - - @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL i= nstance. - @param[in] DataType The type of data to be set. - @param[in] Selector Pointer to an entry selector on operated c= onfiguration data - specified by DataType. A NULL Selector cau= ses the entire - specified-type configuration information t= o be flushed. - @param[in] Data The data buffer to be set. The structure o= f the data buffer is - associated with the DataType. - @param[in] InsertBefore Pointer to one entry selector which descri= bes the expected - position the new data entry will be added.= If InsertBefore is NULL, - the new entry will be appended the end of = database. - - @retval EFI_SUCCESS The specified configuration entry data was= set successfully. - @retval EFI_INVALID_PARAMETER One or more of the following are TRUE: - - This is NULL. - @retval EFI_UNSUPPORTED The specified DataType is not supported. - @retval EFI_OUT_OF_RESOURCED The required system resource could not be = allocated. - -**/ -EFI_STATUS -EFIAPI -EfiIpSecConfigSetData ( - IN EFI_IPSEC_CONFIG_PROTOCOL *This, - IN EFI_IPSEC_CONFIG_DATA_TYPE DataType, - IN EFI_IPSEC_CONFIG_SELECTOR *Selector, - IN VOID *Data, - IN EFI_IPSEC_CONFIG_SELECTOR *InsertBefore OPTIONAL - ); - -/** - Enumerates the current selector for IPsec configuration data entry. - - This function is called multiple times to retrieve the entry Selector in= IPsec - configuration database. On each call to GetNextSelector(), the next entry - Selector are retrieved into the output interface. - - If the entire IPsec configuration database has been iterated, the error - EFI_NOT_FOUND is returned. 
- If the Selector buffer is too small for the next Selector copy, an - EFI_BUFFER_TOO_SMALL error is returned, and SelectorSize is updated to r= eflect - the size of buffer needed. - - On the initial call to GetNextSelector() to start the IPsec configuratio= n database - search, a pointer to the buffer with all zero value is passed in Selecto= r. Calls - to SetData() between calls to GetNextSelector may produce unpredictable = results. - - @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL i= nstance. - @param[in] DataType The type of IPsec configuration data to re= trieve. - @param[in, out] SelectorSize The size of the Selector buffer. - @param[in, out] Selector On input, supplies the pointer to last Sel= ector that was - returned by GetNextSelector(). - On output, returns one copy of the current= entry Selector - of a given DataType. - - @retval EFI_SUCCESS The specified configuration data was obtai= ned successfully. - @retval EFI_INVALID_PARAMETER One or more of the followings are TRUE: - - This is NULL. - - SelectorSize is NULL. - - Selector is NULL. - @retval EFI_NOT_FOUND The next configuration data entry was not = found. - @retval EFI_UNSUPPORTED The specified DataType is not supported. - @retval EFI_BUFFER_TOO_SMALL The SelectorSize is too small for the resu= lt. This parameter - has been updated with the size needed to c= omplete the search - request. - -**/ -EFI_STATUS -EFIAPI -EfiIpSecConfigGetNextSelector ( - IN EFI_IPSEC_CONFIG_PROTOCOL *This, - IN EFI_IPSEC_CONFIG_DATA_TYPE DataType, - IN OUT UINTN *SelectorSize, - IN OUT EFI_IPSEC_CONFIG_SELECTOR *Selector - ); - -/** - Register an event that is to be signaled whenever a configuration proces= s on the - specified IPsec configuration information is done. - - The register function is not surpport now and always returns EFI_UNSUPPO= RTED. - - @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL i= nstance. - @param[in] DataType The type of data to be registered the even= t for. 
- @param[in] Event The event to be registered. - - @retval EFI_SUCCESS The event is registered successfully. - @retval EFI_INVALID_PARAMETER This is NULL, or Event is NULL. - @retval EFI_ACCESS_DENIED The Event is already registered for the Da= taType. - @retval EFI_UNSUPPORTED The notify registration unsupported, or th= e specified - DataType is not supported. - -**/ -EFI_STATUS -EFIAPI -EfiIpSecConfigRegisterNotify ( - IN EFI_IPSEC_CONFIG_PROTOCOL *This, - IN EFI_IPSEC_CONFIG_DATA_TYPE DataType, - IN EFI_EVENT Event - ); - - -/** - Remove the specified event that was previously registered on the specifi= ed IPsec - configuration data. - - This function is not supported now and always returns EFI_UNSUPPORTED. - - @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL i= nstance. - @param[in] DataType The configuration data type to remove the = registered event for. - @param[in] Event The event to be unregistered. - - @retval EFI_SUCCESS The event was removed successfully. - @retval EFI_NOT_FOUND The Event specified by DataType could not = be found in the - database. - @retval EFI_INVALID_PARAMETER This is NULL or Event is NULL. - @retval EFI_UNSUPPORTED The notify registration unsupported or the= specified - DataType is not supported. - -**/ -EFI_STATUS -EFIAPI -EfiIpSecConfigUnregisterNotify ( - IN EFI_IPSEC_CONFIG_PROTOCOL *This, - IN EFI_IPSEC_CONFIG_DATA_TYPE DataType, - IN EFI_EVENT Event - ); - -extern LIST_ENTRY mConfigData[IPsecConfigDataTypeMaximum]; - -#endif diff --git a/NetworkPkg/IpSecDxe/IpSecCryptIo.c b/NetworkPkg/IpSecDxe/IpSec= CryptIo.c deleted file mode 100644 index b87e2ca8d4..0000000000 --- a/NetworkPkg/IpSecDxe/IpSecCryptIo.c +++ /dev/null @@ -1,1015 +0,0 @@ -/** @file - Common interfaces to call Security library. - - Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
- - SPDX-License-Identifier: BSD-2-Clause-Patent - -**/ - -#include "IpSecCryptIo.h" -// -// The informations for the supported Encrypt/Decrpt Alogrithm. -// -GLOBAL_REMOVE_IF_UNREFERENCED ENCRYPT_ALGORITHM mIpsecEncryptAlgorithmList= [IPSEC_ENCRYPT_ALGORITHM_LIST_SIZE] =3D { - {IKE_EALG_NULL, 0, 0, 1, NULL, NULL, NULL, NULL}, - {IKE_EALG_NONE, 0, 0, 1, NULL, NULL, NULL, NULL}, - {IKE_EALG_3DESCBC, 24, 8, 8, TdesGetContextSize, TdesInit, TdesCbcEncryp= t, TdesCbcDecrypt}, - {IKE_EALG_AESCBC, 16, 16, 16, AesGetContextSize, AesInit, AesCbcEncrypt,= AesCbcDecrypt} -}; - -// -// The informations for the supported Authentication algorithm -// -GLOBAL_REMOVE_IF_UNREFERENCED AUTH_ALGORITHM mIpsecAuthAlgorithmList[IPSEC= _AUTH_ALGORITHM_LIST_SIZE] =3D { - {IKE_AALG_NONE, 0, 0, 0, NULL, NULL, NULL, NULL}, - {IKE_AALG_NULL, 0, 0, 0, NULL, NULL, NULL, NULL}, - {IKE_AALG_SHA1HMAC, 20, 12, 64, HmacSha1GetContextSize, HmacSha1Init, Hm= acSha1Update, HmacSha1Final} -}; - -// -// The information for the supported Hash aglorithm -// -GLOBAL_REMOVE_IF_UNREFERENCED HASH_ALGORITHM mIpsecHashAlgorithmList[IPSEC= _HASH_ALGORITHM_LIST_SIZE] =3D { - {IKE_AALG_NONE, 0, 0, 0, NULL, NULL, NULL, NULL}, - {IKE_AALG_NULL, 0, 0, 0, NULL, NULL, NULL, NULL}, - {IKE_AALG_SHA1HMAC, 20, 12, 64, Sha1GetContextSize, Sha1Init, Sha1Update= , Sha1Final} -}; - -BOOLEAN mInitialRandomSeed =3D FALSE; - -/** - Get the block size of specified encryption algorithm. - - @param[in] AlgorithmId The encryption algorithm ID. - - @return The value of block size. - -**/ -UINTN -IpSecGetEncryptBlockSize ( - IN UINT8 AlgorithmId - ) -{ - UINT8 Index; - - for (Index =3D 0; Index < IPSEC_ENCRYPT_ALGORITHM_LIST_SIZE; Index++) { - if (AlgorithmId =3D=3D mIpsecEncryptAlgorithmList[Index].AlgorithmId) { - return mIpsecEncryptAlgorithmList[Index].BlockSize; - } - } - - return (UINTN) -1; -} - -/** - Get the key length of the specified encryption algorithm. - - @param[in] AlgorithmId The encryption algorithm ID. 
- - @return The value of key length. - -**/ -UINTN -IpSecGetEncryptKeyLength ( - IN UINT8 AlgorithmId - ) -{ - UINT8 Index; - - for (Index =3D 0; Index < IPSEC_ENCRYPT_ALGORITHM_LIST_SIZE; Index++) { - if (AlgorithmId =3D=3D mIpsecEncryptAlgorithmList[Index].AlgorithmId) { - return mIpsecEncryptAlgorithmList[Index].KeyLength; - } - } - - return (UINTN) -1; -} - -/** - Get the IV size of the specified encryption algorithm. - - @param[in] AlgorithmId The encryption algorithm ID. - - @return The value of IV size. - -**/ -UINTN -IpSecGetEncryptIvLength ( - IN UINT8 AlgorithmId - ) -{ - UINT8 Index; - - for (Index =3D 0; Index < IPSEC_ENCRYPT_ALGORITHM_LIST_SIZE; Index++) { - if (AlgorithmId =3D=3D mIpsecEncryptAlgorithmList[Index].AlgorithmId) { - return mIpsecEncryptAlgorithmList[Index].IvLength; - } - } - - return (UINTN) -1; -} - -/** - Get the HMAC digest length by the specified Algorithm ID. - - @param[in] AlgorithmId The specified Alogrithm ID. - - @return The digest length of the specified Authentication Algorithm ID. - -**/ -UINTN -IpSecGetHmacDigestLength ( - IN UINT8 AlgorithmId - ) -{ - UINT8 Index; - - for (Index =3D 0; Index < IPSEC_AUTH_ALGORITHM_LIST_SIZE; Index++) { - if (mIpsecAuthAlgorithmList[Index].AlgorithmId =3D=3D AlgorithmId) { - // - // Return the Digest Length of the Algorithm. - // - return mIpsecAuthAlgorithmList[Index].DigestLength; - } - } - - return 0; -} - -/** - Get the ICV size of the specified Authenticaion algorithm. - - @param[in] AlgorithmId The Authentication algorithm ID. - - @return The value of ICV size. - -**/ -UINTN -IpSecGetIcvLength ( - IN UINT8 AlgorithmId - ) -{ - UINT8 Index; - - for (Index =3D 0; Index < IPSEC_AUTH_ALGORITHM_LIST_SIZE; Index++) { - if (AlgorithmId =3D=3D mIpsecAuthAlgorithmList[Index].AlgorithmId) { - return mIpsecAuthAlgorithmList[Index].IcvLength; - } - } - - return (UINTN) -1; -} - -/** - Generate a random data for IV. If the IvSize is zero, not needed to crea= te - IV and return EFI_SUCCESS. 
- - @param[in] IvBuffer The pointer of the IV buffer. - @param[in] IvSize The IV size in bytes. - - @retval EFI_SUCCESS Create a random data for IV. - -**/ -EFI_STATUS -IpSecGenerateIv ( - IN UINT8 *IvBuffer, - IN UINTN IvSize - ) -{ - if (IvSize !=3D 0) { - return IpSecCryptoIoGenerateRandomBytes (IvBuffer, IvSize); - } - - return EFI_SUCCESS; -} - -/** - Get index of the specified encryption algorithm from the mIpsecEncryptAl= gorithmList. - - @param[in] AlgorithmId The encryption algorithm ID. - - @return the index. - -**/ -UINTN -IpSecGetIndexFromEncList ( - IN UINT8 AlgorithmId - ) -{ - UINT8 Index; - - for (Index =3D 0; Index < IPSEC_ENCRYPT_ALGORITHM_LIST_SIZE; Index++) { - if (AlgorithmId =3D=3D mIpsecEncryptAlgorithmList[Index].AlgorithmId) { - return Index; - } - } - - return (UINTN) -1; -} - -/** - Get index of the specified encryption algorithm from the mIpsecAuthAlgor= ithmList. - - @param[in] AlgorithmId The encryption algorithm ID. - - @return the index. - -**/ -UINTN -IpSecGetIndexFromAuthList ( - IN UINT8 AlgorithmId - ) -{ - UINT8 Index; - - for (Index =3D 0; Index < IPSEC_AUTH_ALGORITHM_LIST_SIZE; Index++) { - if (AlgorithmId =3D=3D mIpsecAuthAlgorithmList[Index].AlgorithmId) { - // - // The BlockSize is same with IvSize. - // - return Index; - } - } - - return (UINTN) -1; -} - -/** - Encrypt the buffer. - - This function calls relevant encryption interface from CryptoLib accordi= ng to - the input algorithm ID. The InData should be multiple of block size. Thi= s function - doesn't perform the padding. If it has the Ivec data, the length of it s= hould be - same with the block size. The block size is different from the different= algorithm. - - @param[in] AlgorithmId The Algorithm identification defined in = RFC. - @param[in] Key Pointer to the buffer containing encrypt= ing key. - @param[in] KeyBits The length of the key in bits. - @param[in] Ivec Point to the buffer containing the Initi= alization - Vector (IV) data. 
- @param[in] InData Point to the buffer containing the data = to be - encrypted. - @param[in] InDataLength The length of InData in Bytes. - @param[out] OutData Point to the buffer that receives the en= cryption - output. - - @retval EFI_UNSUPPORTED The input Algorithm is not supported. - @retval EFI_OUT_OF_RESOURCE The required resource can't be allocated. - @retval EFI_SUCCESS The operation completed successfully. - -**/ -EFI_STATUS -IpSecCryptoIoEncrypt ( - IN CONST UINT8 AlgorithmId, - IN CONST UINT8 *Key, - IN CONST UINTN KeyBits, - IN CONST UINT8 *Ivec, OPTIONAL - IN UINT8 *InData, - IN UINTN InDataLength, - OUT UINT8 *OutData - ) -{ - UINTN Index; - UINTN ContextSize; - UINT8 *Context; - EFI_STATUS Status; - - Status =3D EFI_UNSUPPORTED; - - switch (AlgorithmId) { - - case IKE_EALG_NULL: - case IKE_EALG_NONE: - CopyMem (OutData, InData, InDataLength); - return EFI_SUCCESS; - - case IKE_EALG_3DESCBC: - case IKE_EALG_AESCBC: - Index =3D IpSecGetIndexFromEncList (AlgorithmId); - if (Index =3D=3D -1) { - return Status; - } - // - // Get Context Size - // - ContextSize =3D mIpsecEncryptAlgorithmList[Index].CipherGetContextSize= (); - Context =3D AllocateZeroPool (ContextSize); - - if (Context =3D=3D NULL) { - return EFI_OUT_OF_RESOURCES; - } - // - // Initiate Context - // - if (mIpsecEncryptAlgorithmList[Index].CipherInitiate (Context, Key, Ke= yBits)) { - if (mIpsecEncryptAlgorithmList[Index].CipherEncrypt (Context, InData= , InDataLength, Ivec, OutData)) { - Status =3D EFI_SUCCESS; - } - } - break; - - default: - return Status; - - } - - if (Context !=3D NULL) { - FreePool (Context); - } - - return Status; -} - -/** - Decrypts the buffer. - - This function calls relevant Decryption interface from CryptoLib accordi= ng to - the input algorithm ID. The InData should be multiple of block size. Thi= s function - doesn't perform the padding. If it has the Ivec data, the length of it s= hould be - same with the block size. 
The block size is different from the different= algorithm. - - @param[in] AlgorithmId The Algorithm identification defined in = RFC. - @param[in] Key Pointer to the buffer containing encrypt= ing key. - @param[in] KeyBits The length of the key in bits. - @param[in] Ivec Point to the buffer containing the Initi= alization - Vector (IV) data. - @param[in] InData Point to the buffer containing the data = to be - decrypted. - @param[in] InDataLength The length of InData in Bytes. - @param[out] OutData Pointer to the buffer that receives the = decryption - output. - - @retval EFI_UNSUPPORTED The input Algorithm is not supported. - @retval EFI_OUT_OF_RESOURCE The required resource can't be allocated. - @retval EFI_SUCCESS The operation completed successfully. - -**/ -EFI_STATUS -IpSecCryptoIoDecrypt ( - IN CONST UINT8 AlgorithmId, - IN CONST UINT8 *Key, - IN CONST UINTN KeyBits, - IN CONST UINT8 *Ivec, OPTIONAL - IN UINT8 *InData, - IN UINTN InDataLength, - OUT UINT8 *OutData - ) -{ - UINTN Index; - UINTN ContextSize; - UINT8 *Context; - EFI_STATUS Status; - - Status =3D EFI_UNSUPPORTED; - - switch (AlgorithmId) { - - case IKE_EALG_NULL: - case IKE_EALG_NONE: - CopyMem (OutData, InData, InDataLength); - return EFI_SUCCESS; - - case IKE_EALG_3DESCBC: - case IKE_EALG_AESCBC: - Index =3D IpSecGetIndexFromEncList(AlgorithmId); - if (Index =3D=3D -1) { - return Status; - } - - // - // Get Context Size - // - ContextSize =3D mIpsecEncryptAlgorithmList[Index].CipherGetContextSize= (); - Context =3D AllocateZeroPool (ContextSize); - if (Context =3D=3D NULL) { - return EFI_OUT_OF_RESOURCES; - } - - // - // Initiate Context - // - if (mIpsecEncryptAlgorithmList[Index].CipherInitiate (Context, Key, Ke= yBits)) { - if (mIpsecEncryptAlgorithmList[Index].CipherDecrypt (Context, InData= , InDataLength, Ivec, OutData)) { - Status =3D EFI_SUCCESS; - } - } - break; - - default: - return Status; - } - - if (Context !=3D NULL) { - FreePool (Context); - } - - return Status; -} - -/** - 
Digests the Payload with key and store the result into the OutData. - - This function calls relevant Hmac interface from CryptoLib according to - the input algorithm ID. It computes all datas from InDataFragment and ou= tput - the result into the OutData buffer. If the OutDataSize is larger than th= e related - HMAC algorithm output size, return EFI_INVALID_PARAMETER. - - @param[in] AlgorithmId The authentication Identification. - @param[in] Key Pointer of the authentication key. - @param[in] KeyLength The length of the Key in bytes. - @param[in] InDataFragment The list contains all data to be authent= icated. - @param[in] FragmentCount The size of the InDataFragment. - @param[out] OutData For in, the buffer to receive the output= data. - For out, the buffer contains the authent= icated data. - @param[in] OutDataSize The size of the buffer of OutData. - - @retval EFI_UNSUPPORTED If the AuthAlg is not in the support list. - @retval EFI_INVALID_PARAMETER The OutData buffer size is larger than alg= orithm digest size. - @retval EFI_SUCCESS Authenticate the payload successfully. - @retval otherwise Authentication of the payload fails. - -**/ -EFI_STATUS -IpSecCryptoIoHmac ( - IN CONST UINT8 AlgorithmId, - IN CONST UINT8 *Key, - IN UINTN KeyLength, - IN HASH_DATA_FRAGMENT *InDataFragment, - IN UINTN FragmentCount, - OUT UINT8 *OutData, - IN UINTN OutDataSize - ) -{ - UINTN ContextSize; - UINTN Index; - UINT8 FragmentIndex; - UINT8 *HashContext; - EFI_STATUS Status; - UINT8 *OutHashData; - UINTN OutHashSize; - - Status =3D EFI_UNSUPPORTED; - OutHashData =3D NULL; - - OutHashSize =3D IpSecGetHmacDigestLength (AlgorithmId); - // - // If the expected hash data size is larger than the related Hash algori= thm - // output length, return EFI_INVALID_PARAMETER. 
- // - if (OutDataSize > OutHashSize) { - return EFI_INVALID_PARAMETER; - } - OutHashData =3D AllocatePool (OutHashSize); - - if (OutHashData =3D=3D NULL) { - return EFI_OUT_OF_RESOURCES; - } - - switch (AlgorithmId) { - - case IKE_AALG_NONE : - case IKE_AALG_NULL : - return EFI_SUCCESS; - - case IKE_AALG_SHA1HMAC: - Index =3D IpSecGetIndexFromAuthList (AlgorithmId); - if (Index =3D=3D -1) { - return Status; - } - - // - // Get Context Size - // - ContextSize =3D mIpsecAuthAlgorithmList[Index].HmacGetContextSize(); - HashContext =3D AllocateZeroPool (ContextSize); - - if (HashContext =3D=3D NULL) { - Status =3D EFI_OUT_OF_RESOURCES; - goto Exit; - } - - // - // Initiate HMAC context and hash the input data. - // - if (mIpsecAuthAlgorithmList[Index].HmacInitiate(HashContext, Key, KeyL= ength)) { - for (FragmentIndex =3D 0; FragmentIndex < FragmentCount; FragmentInd= ex++) { - if (!mIpsecAuthAlgorithmList[Index].HmacUpdate ( - HashContext, - InDataFragment[FragmentIndex].Data, - InDataFragment[FragmentIndex].DataSize - ) - ) { - goto Exit; - } - } - if (mIpsecAuthAlgorithmList[Index].HmacFinal (HashContext, OutHashDa= ta)) { - // - // In some cases, like the Icv computing, the Icv size might be le= ss than - // the key length size, so copy the part of hash data to the OutDa= ta. - // - CopyMem (OutData, OutHashData, OutDataSize); - Status =3D EFI_SUCCESS; - } - - goto Exit; - } - - default: - return Status; - } - -Exit: - if (HashContext !=3D NULL) { - FreePool (HashContext); - } - if (OutHashData !=3D NULL) { - FreePool (OutHashData); - } - - return Status; -} - -/** - Digests the Payload and store the result into the OutData. - - This function calls relevant Hash interface from CryptoLib according to - the input algorithm ID. It computes all datas from InDataFragment and ou= tput - the result into the OutData buffer. If the OutDataSize is larger than th= e related - Hash algorithm output size, return EFI_INVALID_PARAMETER. 
- - @param[in] AlgorithmId The authentication Identification. - @param[in] InDataFragment A list contains all data to be authentic= ated. - @param[in] FragmentCount The size of the InDataFragment. - @param[out] OutData For in, the buffer to receive the output= data. - For out, the buffer contains the authent= icated data. - @param[in] OutDataSize The size of the buffer of OutData. - - @retval EFI_UNSUPPORTED If the AuthAlg is not in the support list. - @retval EFI_SUCCESS Authenticated the payload successfully. - @retval EFI_INVALID_PARAMETER If the OutDataSize is larger than the rela= ted Hash - algorithm could handle. - @retval otherwise Authentication of the payload failed. - -**/ -EFI_STATUS -IpSecCryptoIoHash ( - IN CONST UINT8 AlgorithmId, - IN HASH_DATA_FRAGMENT *InDataFragment, - IN UINTN FragmentCount, - OUT UINT8 *OutData, - IN UINTN OutDataSize - ) -{ - UINTN ContextSize; - UINTN Index; - UINT8 FragmentIndex; - UINT8 *HashContext; - EFI_STATUS Status; - UINT8 *OutHashData; - UINTN OutHashSize; - - Status =3D EFI_UNSUPPORTED; - OutHashData =3D NULL; - - OutHashSize =3D IpSecGetHmacDigestLength (AlgorithmId); - // - // If the expected hash data size is larger than the related Hash algori= thm - // output length, return EFI_INVALID_PARAMETER. - // - if (OutDataSize > OutHashSize) { - return EFI_INVALID_PARAMETER; - } - OutHashData =3D AllocatePool (OutHashSize); - if (OutHashData =3D=3D NULL) { - return EFI_OUT_OF_RESOURCES; - } - - switch (AlgorithmId) { - - case IKE_AALG_NONE: - case IKE_AALG_NULL: - return EFI_SUCCESS; - - case IKE_AALG_SHA1HMAC: - Index =3D IpSecGetIndexFromAuthList (AlgorithmId); - if (Index =3D=3D -1) { - return Status; - } - // - // Get Context Size - // - ContextSize =3D mIpsecHashAlgorithmList[Index].HashGetContextSize(); - HashContext =3D AllocateZeroPool (ContextSize); - if (HashContext =3D=3D NULL) { - Status =3D EFI_OUT_OF_RESOURCES; - goto Exit; - } - - // - // Initiate Hash context and hash the input data. 
- // - if (mIpsecHashAlgorithmList[Index].HashInitiate(HashContext)) { - for (FragmentIndex =3D 0; FragmentIndex < FragmentCount; FragmentInd= ex++) { - if (!mIpsecHashAlgorithmList[Index].HashUpdate ( - HashContext, - InDataFragment[FragmentIndex].Data, - InDataFragment[FragmentIndex].DataSize - ) - ) { - goto Exit; - } - } - if (mIpsecHashAlgorithmList[Index].HashFinal (HashContext, OutHashDa= ta)) { - // - // In some cases, like the Icv computing, the Icv size might be le= ss than - // the key length size, so copy the part of hash data to the OutDa= ta. - // - CopyMem (OutData, OutHashData, OutDataSize); - Status =3D EFI_SUCCESS; - } - - goto Exit; - } - - default: - return Status; - } - -Exit: - if (HashContext !=3D NULL) { - FreePool (HashContext); - } - if (OutHashData !=3D NULL) { - FreePool (OutHashData); - } - - return Status; -} - -/** - Generates the Diffie-Hellman public key. - - This function first initiate a DHContext, then call the DhSetParameter()= to set - the prime and primelength, at end call the DhGenerateKey() to generates = random - secret exponent, and computes the public key. The output returned via pa= rameter - PublicKey and PublicKeySize. DH context is updated accordingly. If the P= ublicKey - buffer is too small to hold the public key, EFI_INVALID_PARAMETER is ret= urned - and PublicKeySize is set to the required buffer size to obtain the publi= c key. - - @param[in, out] DhContext Pointer to the DH context. - @param[in] Generator Value of generator. - @param[in] PrimeLength Length in bits of prime to be generated. - @param[in] Prime Pointer to the buffer to receive the gen= erated - prime number. - @param[out] PublicKey Pointer to the buffer to receive generat= ed public key. - @param[in, out] PublicKeySize For in, the size of PublicKey buffer in = bytes. - For out, the size of data returned in Pu= blicKey - buffer in bytes. - - @retval EFI_SUCCESS The operation performs successfully. - @retval Otherwise The operation is failed. 
- -**/ -EFI_STATUS -IpSecCryptoIoDhGetPublicKey ( - IN OUT UINT8 **DhContext, - IN UINTN Generator, - IN UINTN PrimeLength, - IN CONST UINT8 *Prime, - OUT UINT8 *PublicKey, - IN OUT UINTN *PublicKeySize - ) -{ - EFI_STATUS Status; - - *DhContext =3D DhNew (); - ASSERT (*DhContext !=3D NULL); - if (!DhSetParameter (*DhContext, Generator, PrimeLength, Prime)) { - Status =3D EFI_INVALID_PARAMETER; - goto Exit; - } - - if (!DhGenerateKey (*DhContext, PublicKey, PublicKeySize)) { - Status =3D EFI_INVALID_PARAMETER; - goto Exit; - } - return EFI_SUCCESS; - -Exit: - if (*DhContext !=3D NULL) { - DhFree (*DhContext); - DhContext =3D NULL; - } - - return Status; -} - -/** - Generates exchanged common key. - - Given peer's public key, this function computes the exchanged common key= , based - on its own context including value of prime modulus and random secret ex= ponent. - - @param[in, out] DhContext Pointer to the DH context. - @param[in] PeerPublicKey Pointer to the peer's Public Key. - @param[in] PeerPublicKeySize Size of peer's public key in bytes. - @param[out] Key Pointer to the buffer to receive gener= ated key. - @param[in, out] KeySize For in, the size of Key buffer in byte= s. - For out, the size of data returned in = Key - buffer in bytes. - - @retval EFI_SUCCESS The operation performs successfully. - @retval Otherwise The operation is failed. - -**/ -EFI_STATUS -IpSecCryptoIoDhComputeKey ( - IN OUT UINT8 *DhContext, - IN CONST UINT8 *PeerPublicKey, - IN UINTN PeerPublicKeySize, - OUT UINT8 *Key, - IN OUT UINTN *KeySize - ) -{ - if (!DhComputeKey (DhContext, PeerPublicKey, PeerPublicKeySize, Key, Key= Size)) { - return EFI_INVALID_PARAMETER; - } - - return EFI_SUCCESS; -} - -/** - Releases the DH context. If DhContext is NULL, return EFI_INVALID_PARAME= TER. - - @param[in, out] DhContext Pointer to the DH context to be fr= eed. - - @retval EFI_SUCCESS The operation performs successfully. - @retval EFI_INVALID_PARAMETER The DhContext is NULL. 
- -**/ -EFI_STATUS -IpSecCryptoIoFreeDh ( - IN OUT UINT8 **DhContext - ) -{ - if (*DhContext =3D=3D NULL) { - return EFI_INVALID_PARAMETER; - } - - DhFree (*DhContext); - return EFI_SUCCESS; -} - -/** - Generates random numbers of specified size. - - If the Random Generator wasn't initiated, initiate it first, then call R= andomBytes. - - @param[out] OutBuffer Pointer to buffer to receive random value. - @param[in] Bytes Size of random bytes to generate. - - @retval EFI_SUCCESS The operation performs successfully. - @retval Otherwise The operation is failed. - -**/ -EFI_STATUS -IpSecCryptoIoGenerateRandomBytes ( - OUT UINT8* OutBuffer, - IN UINTN Bytes - ) -{ - if (!mInitialRandomSeed) { - RandomSeed (NULL, 0); - mInitialRandomSeed =3D TRUE; - } - if (RandomBytes (OutBuffer, Bytes)) { - return EFI_SUCCESS; - } else { - return EFI_INVALID_PARAMETER; - } -} - -/** - Authenticate data with the certificate. - - @param[in] InData Pointer to the Data to be signed. - @param[in] InDataSize InData size in bytes. - @param[in] PrivateKey Pointer to the private key. - @param[in] PrivateKeySize The size of Private Key in bytes. - @param[in] KeyPassWord Pointer to the password for retrieving p= rivate key. - @param[in] KeyPwdSize The size of Key Password in bytes. - @param[out] OutData The pointer to the signed data. - @param[in, out] OutDataSize Pointer to contain the size of out data. 
- -**/ -VOID -IpSecCryptoIoAuthDataWithCertificate ( - IN UINT8 *InData, - IN UINTN InDataSize, - IN UINT8 *PrivateKey, - IN UINTN PrivateKeySize, - IN UINT8 *KeyPassWord, - IN UINTN KeyPwdSize, - OUT UINT8 **OutData, - IN OUT UINTN *OutDataSize - ) -{ - UINT8 *RsaContext; - UINT8 *Signature; - UINTN SigSize; - - SigSize =3D 0; - RsaContext =3D NULL; - - // - // Retrieve RSA Private Key from password-protected PEM data - // - RsaGetPrivateKeyFromPem ( - (CONST UINT8 *)PrivateKey, - PrivateKeySize, - (CONST CHAR8 *)KeyPassWord, - (VOID **) &RsaContext - ); - if (RsaContext =3D=3D NULL) { - return; - } - - // - // Sign data - // - Signature =3D NULL; - if (!RsaPkcs1Sign (RsaContext, InData, InDataSize, Signature, &SigSize))= { - Signature =3D AllocateZeroPool (SigSize); - } else { - return; - } - - RsaPkcs1Sign (RsaContext, InData, InDataSize, Signature, &SigSize); - - *OutData =3D Signature; - *OutDataSize =3D SigSize; - - if (RsaContext !=3D NULL) { - RsaFree (RsaContext); - } -} - -/** - Verify the singed data with the public key which is contained in a certi= ficate. - - @param[in] InCert Pointer to the Certificate which contains= the - public key. - @param[in] CertLen The size of Certificate in bytes. - @param[in] InCa Pointer to the CA certificate - @param[in] CaLen The size of CA certificate in bytes. - @param[in] InData Pointer to octet message hash to be check= ed. - @param[in] InDataSize Size of the message hash in bytes. - @param[in] Singnature The pointer to the RSA PKCS1-V1_5 signatu= re to be verified. - @param[in] SigSize Size of signature in bytes. - - @retval TRUE Valid signature encoded in PKCS1-v1_5. - @retval FALSE Invalid signature or invalid RSA context. 
- -**/ -BOOLEAN -IpSecCryptoIoVerifySignDataByCertificate ( - IN UINT8 *InCert, - IN UINTN CertLen, - IN UINT8 *InCa, - IN UINTN CaLen, - IN UINT8 *InData, - IN UINTN InDataSize, - IN UINT8 *Singnature, - IN UINTN SigSize - ) -{ - UINT8 *RsaContext; - BOOLEAN Status; - - // - // Create the RSA Context - // - RsaContext =3D RsaNew (); - if (RsaContext =3D=3D NULL) { - return FALSE; - } - - // - // Verify the validity of X509 Certificate - // - if (!X509VerifyCert (InCert, CertLen, InCa, CaLen)) { - return FALSE; - } - - // - // Retrieve the RSA public Key from Certificate - // - RsaGetPublicKeyFromX509 ((CONST UINT8 *)InCert, CertLen, (VOID **)&RsaCo= ntext); - - // - // Verify data - // - Status =3D RsaPkcs1Verify (RsaContext, InData, InDataSize, Singnature, S= igSize); - - if (RsaContext !=3D NULL) { - RsaFree (RsaContext); - } - - return Status; -} - -/** - Retrieves the RSA Public Key from one X509 certificate (DER format only). - - @param[in] InCert Pointer to the certificate. - @param[in] CertLen The size of the certificate in bytes. - @param[out] PublicKey Pointer to the retrieved public key. - @param[out] PublicKeyLen Size of Public Key in bytes. - - @retval EFI_SUCCESS Successfully get the public Key. - @retval EFI_INVALID_PARAMETER The certificate is malformed. 
- -**/ -EFI_STATUS -IpSecCryptoIoGetPublicKeyFromCert ( - IN UINT8 *InCert, - IN UINTN CertLen, - OUT UINT8 **PublicKey, - OUT UINTN *PublicKeyLen - ) -{ - UINT8 *RsaContext; - EFI_STATUS Status; - - Status =3D EFI_SUCCESS; - - // - // Create the RSA Context - // - RsaContext =3D RsaNew (); - - // - // Retrieve the RSA public key from CA Certificate - // - if (!RsaGetPublicKeyFromX509 ((CONST UINT8 *)InCert, CertLen, (VOID **) = &RsaContext)) { - Status =3D EFI_INVALID_PARAMETER; - goto EXIT; - } - - *PublicKeyLen =3D 0; - - RsaGetKey (RsaContext, RsaKeyN, NULL, PublicKeyLen); - - *PublicKey =3D AllocateZeroPool (*PublicKeyLen); - if (*PublicKey =3D=3D NULL) { - Status =3D EFI_OUT_OF_RESOURCES; - goto EXIT; - } - - if (!RsaGetKey (RsaContext, RsaKeyN, *PublicKey, PublicKeyLen)) { - Status =3D EFI_INVALID_PARAMETER; - } - -EXIT: - if (RsaContext !=3D NULL) { - RsaFree (RsaContext); - } - - return Status; -} - -/** - Retrieves the subject name from one X509 certificate (DER format only). - - @param[in] InCert Pointer to the X509 certificate. - @param[in] CertSize The size of the X509 certificate in byt= es. - @param[out] CertSubject Pointer to the retrieved certificate su= bject. - @param[out] SubjectSize The size of Certificate Subject in byte= s. - - @retval EFI_SUCCESS Retrieved the certificate subject succes= sfully. - @retval EFI_INVALID_PARAMETER The certificate is malformed. - -**/ -EFI_STATUS -IpSecCryptoIoGetSubjectFromCert ( - IN UINT8 *InCert, - IN UINTN CertSize, - OUT UINT8 **CertSubject, - OUT UINTN *SubjectSize - ) -{ - EFI_STATUS Status; - - Status =3D EFI_SUCCESS; - - *SubjectSize =3D 0; - X509GetSubjectName (InCert, CertSize, *CertSubject, SubjectSize); - - *CertSubject =3D AllocateZeroPool (*SubjectSize); - if (!X509GetSubjectName (InCert, CertSize, *CertSubject, SubjectSize)) { - Status =3D EFI_INVALID_PARAMETER; - } - - return Status; -} 
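Review bot: the deletion of IpSecCryptIo.c is well justified by the removed code itself, and the defects visible in this hunk are worth recording so nobody restores the file from history as-is. In IpSecCryptoIoDhGetPublicKey the failure path does `DhFree (*DhContext); DhContext = NULL;`, which nulls the local parameter rather than `*DhContext`, so the caller keeps a pointer to a freed DH context; the preceding `ASSERT (*DhContext != NULL)` is also the only check on DhNew (), so a release build continues with a NULL context. In IpSecCryptoIoHmac and IpSecCryptoIoHash the `IKE_AALG_NONE`/`IKE_AALG_NULL` cases `return EFI_SUCCESS` after OutHashData has already been allocated, and a failed HmacInitiate/HashInitiate falls through into `default: return Status;` instead of `goto Exit`, leaking HashContext and OutHashData on both paths; IpSecCryptoIoHash additionally sizes its output with IpSecGetHmacDigestLength and indexes with IpSecGetIndexFromAuthList while dispatching through mIpsecHashAlgorithmList, mixing the auth and hash tables. In IpSecCryptoIoAuthDataWithCertificate the result of `AllocateZeroPool (SigSize)` is passed to the second RsaPkcs1Sign without a NULL check, that second call's return value is ignored before `*OutData = Signature` is handed back, and RsaContext leaks on the `else { return; }` branch. IpSecCryptoIoVerifySignDataByCertificate leaks RsaContext when X509VerifyCert fails and ignores the return of RsaGetPublicKeyFromX509, and IpSecCryptoIoGetSubjectFromCert passes the not-yet-assigned `*CertSubject` to the first X509GetSubjectName and never checks its AllocateZeroPool result. None of this needs fixing in a removal patch, but please make sure the commit message's "security risks" rationale is understood to cover exactly this kind of issue, and that the DSC/DEC/FDF references to IpSecDxe and IpSecConfig are dropped in the same series so the tree still builds.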
diff --git a/NetworkPkg/IpSecDxe/IpSecCryptIo.h b/NetworkPkg/IpSecDxe/IpSec= CryptIo.h deleted file mode 100644 index dfb1d2df89..0000000000 --- a/NetworkPkg/IpSecDxe/IpSecCryptIo.h +++ /dev/null @@ -1,821 +0,0 @@ -/** @file - Definitions related to the Cryptographic Operations in IPsec. - - Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
- - SPDX-License-Identifier: BSD-2-Clause-Patent - -**/ -#ifndef _EFI_IPSEC_CRYPTIO_H_ -#define _EFI_IPSEC_CRYPTIO_H_ - -#include -#include -#include -#include -#include - -#include "IpSecImpl.h" -#include "IkeCommon.h" - -#define IPSEC_ENCRYPT_ALGORITHM_LIST_SIZE 4 -#define IPSEC_AUTH_ALGORITHM_LIST_SIZE 3 -#define IPSEC_HASH_ALGORITHM_LIST_SIZE 3 - -/// -/// Authentication Algorithm Definition -/// The number value definition is aligned to IANA assignment -/// -#define IKE_AALG_NONE 0x00 -#define IKE_AALG_SHA1HMAC 0x02 -#define IKE_AALG_NULL 0xFB - -/// -/// Encryption Algorithm Definition -/// The number value definition is aligned to IANA assignment -/// -#define IKE_EALG_NONE 0x00 -#define IKE_EALG_3DESCBC 0x03 -#define IKE_EALG_NULL 0x0B -#define IKE_EALG_AESCBC 0x0C - -/** - Prototype of HMAC GetContextSize. - - Retrieves the size, in bytes, of the context buffer required. - - @return The size, in bytes, of the context buffer required. - -**/ -typedef -UINTN -(EFIAPI *CRYPTO_HMAC_GETCONTEXTSIZE)( - VOID - ); - -/** - Prototype of HMAC Operation Initiating. - - Initialization with a new context. - - @param[out] Context Input Context. - @param[in] Key Pointer to the key for HMAC. - @param[in] KeySize The length of the Key in bytes. - - @retval TRUE Initialization Successfully. - -**/ -typedef -BOOLEAN -(EFIAPI *CRYPTO_HMAC_INIT)( - OUT VOID *Context, - IN CONST UINT8 *Key, - IN UINTN KeySize - ); - -/** - Prototype of HMAC update. - HMAC update operation. Continue an HMAC message digest operation, proces= sing - another message block, and updating the HMAC context. - - If Context is NULL, then ASSERT(). - If Data is NULL, then ASSERT(). - - @param[in,out] Context The Specified Context. - @param[in,out] Data The Input Data to be digested. - @param[in] DataLength The length, in bytes, of Data. - - @retval TRUE Update data successfully. - @retval FALSE The Context has been finalized. 
- -**/ -typedef -BOOLEAN -(EFIAPI *CRYPTO_HMAC_UPDATE)( - IN OUT VOID *Context, - IN CONST VOID *Data, - IN UINTN DataLength - ); - -/** - Prototype of HMAC finalization. - Terminate a HMAC message digest operation and output the message digest. - - If Context is NULL, then ASSERT(). - If HashValue is NULL, then ASSERT(). - - @param[in,out] Context The specified Context. - @param[out] HmacValue Pointer to a 16-byte message digest output b= uffer. - - @retval TRUE Finalized successfully. - -**/ -typedef -BOOLEAN -(EFIAPI *CRYPTO_HMAC_FINAL)( - IN OUT VOID *Context, - OUT UINT8 *HmacValue - ); - -/** - Prototype of Block Cipher GetContextSize. - - Retrieves the size, in bytes, of the context buffer required. - - @return The size, in bytes, of the context buffer required. - -**/ -typedef -UINTN -(EFIAPI *CRYPTO_CIPHER_GETCONTEXTSIZE)( - VOID - ); - -/** - Prototype of Block Cipher initiation. - Initializes the user-supplied key as the specified context (key material= s) for both - encryption and decryption operations. - - If Context is NULL, then ASSERT(). - If Key is NULL, then generate random key for usage. - - @param[in,out] Context The specified Context. - @param[in] Key User-supplied cipher key. - @param[in] KeyBits Key length in bits. - - @retval TRUE Block Cipher Initialization was successful. - -**/ -typedef -BOOLEAN -(EFIAPI *CRYPTO_CIPHER_INIT)( - IN OUT VOID *Context, - IN CONST UINT8 *Key, - IN UINTN KeyBits - ); - -/** - Prototype of Cipher encryption. - Encrypts plaintext message with the specified cipher. - - If Context is NULL, then ASSERT(). - If InData is NULL, then ASSERT(). - If Size of input data is not multiple of Cipher algorithm related block = size, - then ASSERT(). - - @param[in] Context The specified Context. - @param[in] InData The input plaintext data to be encrypted. - @param[in] InputSize The size of input data. - @param[in] Ivec Pointer to Initial Vector data for encrypti= on. - @param[out] OutData The resultant encrypted ciphertext. 
- - @retval TRUE Encryption successful. - -**/ -typedef -BOOLEAN -(EFIAPI *CRYPTO_CIPHER_ENCRYPT)( - IN VOID *Context, - IN CONST UINT8 *InData, - IN UINTN InputSize, - IN CONST UINT8 *Ivec, - OUT UINT8 *OutData - ); - -/** - Prototype of Cipher decryption. - Decrypts cipher message with specified cipher. - - If Context is NULL, then ASSERT(). - If InData is NULL, then ASSERT(). - If Size of input data is not a multiple of a certaion block size , then = ASSERT(). - - @param[in] Context The specified Context. - @param[in] InData The input ciphertext data to be decrypted. - @param[in] InputSize The InData size. - @param[in] Ivec Pointer to the Initial Vector data for decr= yption. - @param[out] OutData The resultant decrypted plaintext. - - @retval TRUE Decryption successful. - -**/ -typedef -BOOLEAN -(EFIAPI *CRYPTO_CIPHER_DECRYPT)( - IN VOID *Context, - IN CONST UINT8 *InData, - IN UINTN InputSize, - IN CONST UINT8 *Ivec, - OUT UINT8 *OutData - ); - -/** - Prototype of Hash ContextSize. - - Retrieves the size, in bytes, of the context buffer required for specifi= ed hash operations. - - @return The size, in bytes, of the context buffer required for certain = hash operations. - -**/ -typedef -UINTN -(EFIAPI *CRYPTO_HASH_GETCONTEXTSIZE)( - VOID - ); - -/** - Prototype of Hash Initiate. - - Initializes user-supplied memory pointed by Context as specified hash co= ntext for - subsequent use. - - If Context is NULL, then ASSERT(). - - @param[out] Context Pointer to specified context being initialized. - - @retval TRUE context initialization succeeded. - @retval FALSE context initialization failed. - -**/ -typedef -BOOLEAN -(EFIAPI *CRYPTO_HASH_INIT)( - OUT VOID *Context - ); - -/** - Prototype of Hash Update - - Digests the input data and updates hash context. - - This function performs digest on a data buffer of the specified size. - It can be called multiple times to compute the digest of long or discont= inuous data streams. 
- Context should be already correctly initialized by HashInit(), and shoul= d not be finalized - by HashFinal(). Behavior with invalid context is undefined. - - If Context is NULL, then ASSERT(). - - @param[in, out] Context Pointer to the specified context. - @param[in] Data Pointer to the buffer containing the data = to be hashed. - @param[in] DataSize Size of Data buffer in bytes. - - @retval TRUE data digest succeeded. - @retval FALSE data digest failed. - -**/ -typedef -BOOLEAN -(EFIAPI *CRYPTO_HASH_UPDATE)( - IN OUT VOID *Context, - IN CONST VOID *Data, - IN UINTN DataSize - ); - -/** - Prototype of Hash Finalization. - - Completes computation of the digest value. - - This function completes hash computation and retrieves the digest value = into - the specified memory. After this function has been called, the context c= annot - be used again. - context should be already correctly initialized by HashInit(), and shoul= d not be - finalized by HashFinal(). Behavior with invalid context is undefined. - - If Context is NULL, then ASSERT(). - If HashValue is NULL, then ASSERT(). - - @param[in, out] Context Pointer to the specified context. - @param[out] HashValue Pointer to a buffer that receives the dige= st - value. - - @retval TRUE digest computation succeeded. - @retval FALSE digest computation failed. - -**/ -typedef -BOOLEAN -(EFIAPI *CRYPTO_HASH_FINAL)( - IN OUT VOID *Context, - OUT UINT8 *HashValue - ); - -// -// The struct used to store the information and operation of Block Cipher = algorithm. -// -typedef struct _ENCRYPT_ALGORITHM { - // - // The ID of the Algorithm - // - UINT8 AlgorithmId; - // - // The Key length of the Algorithm - // - UINTN KeyLength; - // - // Iv Size of the Algorithm - // - UINTN IvLength; - // - // The Block Size of the Algorithm - // - UINTN BlockSize; - // - // The Function pointer of GetContextSize. - // - CRYPTO_CIPHER_GETCONTEXTSIZE CipherGetContextSize; - // - // The Function pointer of Cipher initiation. 
- // - CRYPTO_CIPHER_INIT CipherInitiate; - // - // The Function pointer of Cipher Encryption. - // - CRYPTO_CIPHER_ENCRYPT CipherEncrypt; - // - // The Function pointer of Cipher Decryption. - // - CRYPTO_CIPHER_DECRYPT CipherDecrypt; -} ENCRYPT_ALGORITHM; - -// -// The struct used to store the information and operation of Authenticatio= n algorithm. -// -typedef struct _AUTH_ALGORITHM { - // - // ID of the Algorithm - // - UINT8 AlgorithmId; - // - // The Key length of the Algorithm - // - UINTN DigestLength; - // - // The ICV length of the Algorithm - // - UINTN IcvLength; - // - // The block size of the Algorithm - // - UINTN BlockSize; - // - // The function pointer of GetContextSize. - // - CRYPTO_HMAC_GETCONTEXTSIZE HmacGetContextSize; - // - // The function pointer of Initiation - // - CRYPTO_HMAC_INIT HmacInitiate; - // - // The function pointer of HMAC Update. - // - CRYPTO_HMAC_UPDATE HmacUpdate; - // - // The fucntion pointer of HMAC Final - // - CRYPTO_HMAC_FINAL HmacFinal; -} AUTH_ALGORITHM; - -// -// The struct used to store the information and operation of Hash algorith= m. -// -typedef struct _HASH_ALGORITHM { - // - // ID of the Algorithm - // - UINT8 AlgorithmId; - // - // The Key length of the Algorithm - // - UINTN DigestLength; - // - // The ICV length of the Algorithm - // - UINTN IcvLength; - // - // The block size of the Algorithm - // - UINTN BlockSize; - // - // The function pointer of GetContextSize - // - CRYPTO_HASH_GETCONTEXTSIZE HashGetContextSize; - // - // The function pointer of Initiation - // - CRYPTO_HASH_INIT HashInitiate; - // - // The function pointer of Hash Update - // - CRYPTO_HASH_UPDATE HashUpdate; - // - // The fucntion pointer of Hash Final - // - CRYPTO_HASH_FINAL HashFinal; -} HASH_ALGORITHM; - -/** - Get the IV size of specified encryption algorithm. - - @param[in] AlgorithmId The encryption algorithm ID. - - @return The value of IV size. 
- -**/ -UINTN -IpSecGetEncryptIvLength ( - IN UINT8 AlgorithmId - ); - -/** - Get the block size of specified encryption algorithm. - - @param[in] AlgorithmId The encryption algorithm ID. - - @return The value of block size. - -**/ -UINTN -IpSecGetEncryptBlockSize ( - IN UINT8 AlgorithmId - ); - -/** - Get the required key length of the specified encryption algorithm. - - @param[in] AlgorithmId The encryption algorithm ID. - - @return The value of key length. - -**/ -UINTN -IpSecGetEncryptKeyLength ( - IN UINT8 AlgorithmId - ); - -/** - Get the ICV size of the specified Authentication algorithm. - - @param[in] AlgorithmId The Authentication algorithm ID. - - @return The value of ICV size. - -**/ -UINTN -IpSecGetIcvLength ( - IN UINT8 AlgorithmId - ); - -/** - Get the HMAC digest length by the specified Algorithm ID. - - @param[in] AlgorithmId The specified Algorithm ID. - - @return The digest length of the specified Authentication Algorithm ID. - -**/ -UINTN -IpSecGetHmacDigestLength ( - IN UINT8 AlgorithmId - ); - -/** - Generate a random data for IV. If the IvSize is zero, not needed to crea= te - IV and return EFI_SUCCESS. - - @param[in] IvBuffer The pointer of the IV buffer. - @param[in] IvSize The IV size in bytes. - - @retval EFI_SUCCESS Create random data for IV. - -**/ -EFI_STATUS -IpSecGenerateIv ( - IN UINT8 *IvBuffer, - IN UINTN IvSize - ); - -/** - Encrypt the buffer. - - This function calls relevant encryption interface from CryptoLib accordi= ng to - the input algorithm ID. The InData should be multiple of block size. Thi= s function - doesn't perform the padding. If it has the Ivec data, the length of it s= hould be - same with the block size. The block size is different from the different= algorithm. - - @param[in] AlgorithmId The Algorithm identification defined in = RFC. - @param[in] Key Pointer to the buffer containing encrypt= ing key. - @param[in] KeyBits The length of the key in bits. 
- @param[in] Ivec Point to the buffer containing the Initi= alization - Vector (IV) data. - @param[in] InData Point to the buffer containing the data = to be - encrypted. - @param[in] InDataLength The length of InData in Bytes. - @param[out] OutData Point to the buffer that receives the en= cryption - output. - - @retval EFI_UNSUPPORTED The input Algorithm is not supported. - @retval EFI_OUT_OF_RESOURCE The required resource can't be allocated. - @retval EFI_SUCCESS The operation completed successfully. - -**/ -EFI_STATUS -IpSecCryptoIoEncrypt ( - IN CONST UINT8 AlgorithmId, - IN CONST UINT8 *Key, - IN CONST UINTN KeyBits, - IN CONST UINT8 *Ivec, OPTIONAL - IN UINT8 *InData, - IN UINTN InDataLength, - OUT UINT8 *OutData - ); - -/** - Decrypts the buffer. - - This function calls relevant Decryption interface from CryptoLib accordi= ng to - the input algorithm ID. The InData should be multiple of block size. Thi= s function - doesn't perform the padding. If it has the Ivec data, the length of it s= hould be - same with the block size. The block size is different from the different= algorithm. - - @param[in] AlgorithmId The Algorithm identification defined in = RFC. - @param[in] Key Pointer to the buffer containing encrypt= ing key. - @param[in] KeyBits The length of the key in bits. - @param[in] Ivec Point to the buffer containing the Initi= alization - Vector (IV) data. - @param[in] InData Point to the buffer containing the data = to be - decrypted. - @param[in] InDataLength The length of InData in Bytes. - @param[out] OutData Pointer to the buffer that receives the = decryption - output. - - @retval EFI_UNSUPPORTED The input Algorithm is not supported. - @retval EFI_OUT_OF_RESOURCE The required resource can't be allocated. - @retval EFI_SUCCESS The operation completed successfully. 
- -**/ -EFI_STATUS -IpSecCryptoIoDecrypt ( - IN CONST UINT8 AlgorithmId, - IN CONST UINT8 *Key, - IN CONST UINTN KeyBits, - IN CONST UINT8 *Ivec, OPTIONAL - IN UINT8 *InData, - IN UINTN InDataLength, - OUT UINT8 *OutData - ); - -/** - Digests the Payload with key and store the result into the OutData. - - This function calls relevant Hmac interface from CryptoLib according to - the input algorithm ID. It computes all datas from InDataFragment and ou= tput - the result into the OutData buffer. If the OutDataSize is larger than th= e related - HMAC algorithm output size, return EFI_INVALID_PARAMETER. - - @param[in] AlgorithmId The authentication Identification. - @param[in] Key Pointer of the authentication key. - @param[in] KeyLength The length of the Key in bytes. - @param[in] InDataFragment The list contains all data to be authent= icated. - @param[in] FragmentCount The size of the InDataFragment. - @param[out] OutData For in, the buffer to receive the output= data. - For out, the buffer contains the authent= icated data. - @param[in] OutDataSize The size of the buffer of OutData. - - @retval EFI_UNSUPPORTED If the AuthAlg is not in the support list. - @retval EFI_INVALID_PARAMETER The OutData buffer size is larger than alg= orithm digest size. - @retval EFI_SUCCESS Authenticate the payload successfully. - @retval otherwise Authentication of the payload fails. - -**/ -EFI_STATUS -IpSecCryptoIoHmac ( - IN CONST UINT8 AlgorithmId, - IN CONST UINT8 *Key, - IN UINTN KeyLength, - IN HASH_DATA_FRAGMENT *InDataFragment, - IN UINTN FragmentCount, - OUT UINT8 *OutData, - IN UINTN OutDataSize - ); - -/** - Digests the Payload and store the result into the OutData. - - This function calls relevant Hash interface from CryptoLib according to - the input algorithm ID. It computes all datas from InDataFragment and ou= tput - the result into the OutData buffer. If the OutDataSize is larger than th= e related - Hash algorithm output size, return EFI_INVALID_PARAMETER. 
- - @param[in] AlgorithmId The authentication Identification. - @param[in] InDataFragment A list contains all data to be authentic= ated. - @param[in] FragmentCount The size of the InDataFragment. - @param[out] OutData For in, the buffer to receive the output= data. - For out, the buffer contains the authent= icated data. - @param[in] OutDataSize The size of the buffer of OutData. - - @retval EFI_UNSUPPORTED If the AuthAlg is not in the support list. - @retval EFI_SUCCESS Authenticated the payload successfully. - @retval EFI_INVALID_PARAMETER If the OutDataSize is larger than the rela= ted Hash - algorithm could handle. - @retval otherwise Authentication of the payload failed. - -**/ -EFI_STATUS -IpSecCryptoIoHash ( - IN CONST UINT8 AlgorithmId, - IN HASH_DATA_FRAGMENT *InDataFragment, - IN UINTN FragmentCount, - OUT UINT8 *OutData, - IN UINTN OutDataSize - ); - -/** - Generates the Diffie-Hellman public key. - - This function first initiate a DHContext, then call the DhSetParameter()= to set - the prime and primelength, at end call the DhGenerateKey() to generates = random - secret exponent, and computes the public key. The output returned via pa= rameter - PublicKey and PublicKeySize. DH context is updated accordingly. If the P= ublicKey - buffer is too small to hold the public key, EFI_INVALID_PARAMETER is ret= urned - and PublicKeySize is set to the required buffer size to obtain the publi= c key. - - @param[in, out] DhContext Pointer to the DH context. - @param[in] Generator Value of generator. - @param[in] PrimeLength Length in bits of prime to be generated. - @param[in] Prime Pointer to the buffer to receive the gen= erated - prime number. - @param[out] PublicKey Pointer to the buffer to receive generat= ed public key. - @param[in, out] PublicKeySize For in, the size of PublicKey buffer in = bytes. - For out, the size of data returned in Pu= blicKey - buffer in bytes. - - @retval EFI_SUCCESS The operation performs successfully. 
- @retval Otherwise The operation is failed. - -**/ -EFI_STATUS -IpSecCryptoIoDhGetPublicKey ( - IN OUT UINT8 **DhContext, - IN UINTN Generator, - IN UINTN PrimeLength, - IN CONST UINT8 *Prime, - OUT UINT8 *PublicKey, - IN OUT UINTN *PublicKeySize - ); - -/** - Generates exchanged common key. - - Given peer's public key, this function computes the exchanged common key= , based - on its own context including value of prime modulus and random secret ex= ponent. - - @param[in, out] DhContext Pointer to the DH context. - @param[in] PeerPublicKey Pointer to the peer's Public Key. - @param[in] PeerPublicKeySize Size of peer's public key in bytes. - @param[out] Key Pointer to the buffer to receive gener= ated key. - @param[in, out] KeySize For in, the size of Key buffer in byte= s. - For out, the size of data returned in = Key - buffer in bytes. - - @retval EFI_SUCCESS The operation performs successfully. - @retval Otherwise The operation is failed. - -**/ -EFI_STATUS -IpSecCryptoIoDhComputeKey ( - IN OUT UINT8 *DhContext, - IN CONST UINT8 *PeerPublicKey, - IN UINTN PeerPublicKeySize, - OUT UINT8 *Key, - IN OUT UINTN *KeySize - ); - -/** - Releases the DH context. If DhContext is NULL, return EFI_INVALID_PARAME= TER. - - @param[in, out] DhContext Pointer to the DH context to be fr= eed. - - @retval EFI_SUCCESS The operation performs successfully. - @retval EFI_INVALID_PARAMETER The DhContext is NULL. - -**/ -EFI_STATUS -IpSecCryptoIoFreeDh ( - IN OUT UINT8 **DhContext - ); - -/** - Generates random numbers of specified size. - - If the Random Generator wasn't initiated, initiate it first, then call R= andomBytes. - - @param[out] OutBuffer Pointer to buffer to receive random value. - @param[in] Bytes Size of random bytes to generate. - - @retval EFI_SUCCESS The operation performs successfully. - @retval Otherwise The operation is failed. 
- -**/ -EFI_STATUS -IpSecCryptoIoGenerateRandomBytes ( - OUT UINT8* OutBuffer, - IN UINTN Bytes - ); - -/** - Authenticate data with the certificate. - - @param[in] InData Pointer to the Data to be signed. - @param[in] InDataSize InData size in bytes. - @param[in] PrivateKey Pointer to the private key. - @param[in] PrivateKeySize The size of Private Key in bytes. - @param[in] KeyPassWord Pointer to the password for retrieving p= rivate key. - @param[in] KeyPwdSize The size of Key Password in bytes. - @param[out] OutData The pointer to the signed data. - @param[in, out] OutDataSize Pointer to contain the size of out data. - -**/ -VOID -IpSecCryptoIoAuthDataWithCertificate ( - IN UINT8 *InData, - IN UINTN InDataSize, - IN UINT8 *PrivateKey, - IN UINTN PrivateKeySize, - IN UINT8 *KeyPassWord, - IN UINTN KeyPwdSize, - OUT UINT8 **OutData, - IN OUT UINTN *OutDataSize - ); - -/** - Verify the singed data with the public key which is contained in a certi= ficate. - - @param[in] InCert Pointer to the Certificate which contains= the - public key. - @param[in] CertLen The size of Certificate in bytes. - @param[in] InCa Pointer to the CA certificate - @param[in] CaLen The size of CA certificate in bytes. - @param[in] InData Pointer to octet message hash to be check= ed. - @param[in] InDataSize Size of the message hash in bytes. - @param[in] Singnature The pointer to the RSA PKCS1-V1_5 signatu= re to be verified. - @param[in] SigSize Size of signature in bytes. - - @retval TRUE Valid signature encoded in PKCS1-v1_5. - @retval FALSE Invalid signature or invalid RSA context. - -**/ -BOOLEAN -IpSecCryptoIoVerifySignDataByCertificate ( - IN UINT8 *InCert, - IN UINTN CertLen, - IN UINT8 *InCa, - IN UINTN CaLen, - IN UINT8 *InData, - IN UINTN InDataSize, - IN UINT8 *Singnature, - IN UINTN SigSize - ); - -/** - Retrieves the RSA Public Key from one X509 certificate (DER format only). - - @param[in] InCert Pointer to the certificate. 
- @param[in] CertLen The size of the certificate in bytes. - @param[out] PublicKey Pointer to the retrieved public key. - @param[out] PublicKeyLen Size of Public Key in bytes. - - @retval EFI_SUCCESS Successfully get the public Key. - @retval EFI_INVALID_PARAMETER The CA certificate is malformed. - -**/ -EFI_STATUS -IpSecCryptoIoGetPublicKeyFromCert ( - IN UINT8 *InCert, - IN UINTN CertLen, - OUT UINT8 **PublicKey, - OUT UINTN *PublicKeyLen - ); - -/** - Retrieves the subject name from one X509 certificate (DER format only). - - @param[in] InCert Pointer to the X509 certificate. - @param[in] CertSize The size of the X509 certificate in byt= es. - @param[out] CertSubject Pointer to the retrieved certificate su= bject. - @param[out] SubjectSize The size of Certificate Subject in byte= s. - - @retval EFI_SUCCESS Retrieved the certificate subject succes= sfully. - @retval EFI_INVALID_PARAMETER The certificate is malformed. - -**/ -EFI_STATUS -IpSecCryptoIoGetSubjectFromCert ( - IN UINT8 *InCert, - IN UINTN CertSize, - OUT UINT8 **CertSubject, - OUT UINTN *SubjectSize - ); - -#endif - diff --git a/NetworkPkg/IpSecDxe/IpSecDebug.c b/NetworkPkg/IpSecDxe/IpSecDe= bug.c deleted file mode 100644 index 0439328d5b..0000000000 --- a/NetworkPkg/IpSecDxe/IpSecDebug.c +++ /dev/null @@ -1,328 +0,0 @@ -/** @file - The Interfaces of IPsec debug information printing. - - Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
- - SPDX-License-Identifier: BSD-2-Clause-Patent - -**/ - -#include "IpSecImpl.h" -#include "IpSecDebug.h" - -// -// The print title for IKEv1 variety phase. -// -CHAR8 *mIkev1StateStr[IKE_STATE_NUM] =3D { - "IKEv1_MAIN_1", - "IKEv1_MAIN_2", - "IKEv1_MAIN_3", - "IKEv1_MAIN_ESTABLISHED", - "IKEv1_QUICK_1", - "IKEv1_QUICK_2", - "IKEv1_QUICK_ESTABLISHED" -}; - -// -// The print title for IKEv2 variety phase. -// -CHAR8 *mIkev2StateStr[IKE_STATE_NUM] =3D { - "IKEv2_STATE_INIT", - "IKEv2_STATE_AUTH", - "IKEv2_STATE_SA_ESTABLISH", - "IKEv2_STATE_CREATE_CHILD", - "IKEv2_STATE_SA_REKEYING", - "IKEv2_STATE_CHILD_SA_ESTABLISHED", - "IKEv2_STATE_SA_DELETING" -}; - -// -// The print title for IKEv1 variety Exchagne. -// -CHAR8 *mExchangeStr[] =3D { - "IKEv1 Main Exchange", - "IKEv1 Info Exchange", - "IKEv1 Quick Exchange", - "IKEv2 Initial Exchange", - "IKEv2 Auth Exchange", - "IKEv2 Create Child Exchange", - "IKEv2 Info Exchange", - "IKE Unknow Exchange" -}; - -// -// The print title for IKEv1 variety Payload. -// -CHAR8 *mIkev1PayloadStr[] =3D { - "IKEv1 None Payload", - "IKEv1 SA Payload", - "IKEv1 Proposal Payload", - "IKEv1 Transform Payload", - "IKEv1 KE Payload", - "IKEv1 ID Payload", - "IKEv1 Certificate Payload", - "IKEv1 Certificate Request Payload", - "IKEv1 Hash Payload", - "IKEv1 Signature Payload", - "IKEv1 Nonce Payload", - "IKEv1 Notify Payload", - "IKEv1 Delete Payload", - "IKEv1 Vendor Payload" -}; - -// -// The print title for IKEv2 variety Payload. 
-// -CHAR8* mIkev2PayloadStr[] =3D { - "IKEv2 SA Payload", - "IKEv2 Key Payload", - "IKEv2 Identity Initial Payload", - "IKEv2 Identity Respond Payload", - "IKEv2 Certificate Payload", - "IKEv2 Certificate Request Payload", - "IKEv2 Auth Payload", - "IKEv2 Nonce Payload", - "IKEv2 Notify Payload", - "IKEv2 Delet Payload", - "IKEv2 Vendor Payload", - "IKEv2 Traffic Selector Initiator Payload", - "IKEv2 Traffic Selector Respond Payload", - "IKEv2 Encrypt Payload", - "IKEv2 Configuration Payload", - "IKEv2 Extensible Authentication Payload" -}; - -/** - Print the IP address. - - @param[in] Level Debug print error level. Pass to DEBUG(). - @param[in] Ip Point to a specified IP address. - @param[in] IpVersion The IP Version. - -**/ -VOID -IpSecDumpAddress ( - IN UINTN Level, - IN EFI_IP_ADDRESS *Ip, - IN UINT8 IpVersion - ) -{ - if (IpVersion =3D=3D IP_VERSION_6) { - DEBUG ( - (Level, - "%x%x:%x%x:%x%x:%x%x", - Ip->v6.Addr[0], - Ip->v6.Addr[1], - Ip->v6.Addr[2], - Ip->v6.Addr[3], - Ip->v6.Addr[4], - Ip->v6.Addr[5], - Ip->v6.Addr[6], - Ip->v6.Addr[7]) - ); - DEBUG ( - (Level, - ":%x%x:%x%x:%x%x:%x%x\n", - Ip->v6.Addr[8], - Ip->v6.Addr[9], - Ip->v6.Addr[10], - Ip->v6.Addr[11], - Ip->v6.Addr[12], - Ip->v6.Addr[13], - Ip->v6.Addr[14], - Ip->v6.Addr[15]) - ); - } else { - DEBUG ( - (Level, - "%d.%d.%d.%d\n", - Ip->v4.Addr[0], - Ip->v4.Addr[1], - Ip->v4.Addr[2], - Ip->v4.Addr[3]) - ); - } - -} - -/** - Print IKE Current states. - - @param[in] Previous The Previous state of IKE. - @param[in] Current The current state of IKE. - @param[in] IkeVersion The version of IKE. 
- -**/ -VOID -IkeDumpState ( - IN UINT32 Previous, - IN UINT32 Current, - IN UINT8 IkeVersion - ) -{ - if (Previous >=3D IKE_STATE_NUM || Current >=3D IKE_STATE_NUM) { - return; - } - - if (Previous =3D=3D Current) { - if (IkeVersion =3D=3D 1) { - DEBUG ((DEBUG_INFO, "\n****Current state is %a\n", mIkev1StateStr[Pr= evious])); - } else if (IkeVersion =3D=3D 2) { - DEBUG ((DEBUG_INFO, "\n****Current state is %a\n", mIkev2StateStr[Pr= evious])); - } - } else { - if (IkeVersion =3D=3D 1) { - DEBUG ((DEBUG_INFO, "\n****Change state from %a to %a\n", mIkev1Stat= eStr[Previous], mIkev1StateStr[Current])); - } else { - DEBUG ((DEBUG_INFO, "\n****Change state from %a to %a\n", mIkev2Stat= eStr[Previous], mIkev2StateStr[Current])); - } - } -} - -/** - Print the IKE Packet. - - @param[in] Packet Point to IKE packet to be printed. - @param[in] Direction Point to the IKE packet is inbound or outbound. - @param[in] IpVersion Specified IP Version. - -**/ -VOID -IpSecDumpPacket ( - IN IKE_PACKET *Packet, - IN EFI_IPSEC_TRAFFIC_DIR Direction, - IN UINT8 IpVersion - ) -{ - CHAR8 *TypeStr; - UINTN PacketSize; - UINT64 InitCookie; - UINT64 RespCookie; - - ASSERT (Packet !=3D NULL); - - PacketSize =3D Packet->PayloadTotalSize + sizeof (IKE_HEADER); - InitCookie =3D (Direction =3D=3D EfiIPsecOutBound) ? HTONLL (Packet->Hea= der->InitiatorCookie) : Packet->Header->InitiatorCookie; - RespCookie =3D (Direction =3D=3D EfiIPsecOutBound) ? 
HTONLL (Packet->Hea= der->ResponderCookie) : Packet->Header->ResponderCookie; - - switch (Packet->Header->ExchangeType) { - case IKE_XCG_TYPE_IDENTITY_PROTECT: - TypeStr =3D mExchangeStr[0]; - break; - - case IKE_XCG_TYPE_INFO: - TypeStr =3D mExchangeStr[1]; - break; - - case IKE_XCG_TYPE_QM: - TypeStr =3D mExchangeStr[2]; - break; - - case IKE_XCG_TYPE_SA_INIT: - TypeStr =3D mExchangeStr[3]; - break; - - case IKE_XCG_TYPE_AUTH: - TypeStr =3D mExchangeStr[4]; - break; - - case IKE_XCG_TYPE_CREATE_CHILD_SA: - TypeStr =3D mExchangeStr[5]; - break; - - case IKE_XCG_TYPE_INFO2: - TypeStr =3D mExchangeStr[6]; - break; - - default: - TypeStr =3D mExchangeStr[7]; - break; - } - - if (Direction =3D=3D EfiIPsecOutBound) { - DEBUG ((DEBUG_INFO, "\n>>>Sending %d bytes %a to ", PacketSize, TypeSt= r)); - } else { - DEBUG ((DEBUG_INFO, "\n>>>Receiving %d bytes %a from ", PacketSize, Ty= peStr)); - } - - IpSecDumpAddress (DEBUG_INFO, &Packet->RemotePeerIp, IpVersion); - - DEBUG ((DEBUG_INFO, " InitiatorCookie:0x%lx ResponderCookie:0x%lx\n", = InitCookie, RespCookie)); - DEBUG ( - (DEBUG_INFO, - " Version: 0x%x Flags:0x%x ExchangeType:0x%x\n", - Packet->Header->Version, - Packet->Header->Flags, - Packet->Header->ExchangeType) - ); - DEBUG ( - (DEBUG_INFO, - " MessageId:0x%x NextPayload:0x%x\n", - Packet->Header->MessageId, - Packet->Header->NextPayload) - ); - -} - -/** - Print the IKE Paylolad. - - @param[in] IkePayload Point to payload to be printed. - @param[in] IkeVersion The specified version of IKE. - -**/ -VOID -IpSecDumpPayload ( - IN IKE_PAYLOAD *IkePayload, - IN UINT8 IkeVersion - ) -{ - if (IkeVersion =3D=3D 1) { - DEBUG ((DEBUG_INFO, "+%a\n", mIkev1PayloadStr[IkePayload->PayloadType]= )); - } else { - // - // For IKEV2 the first Payload type is started from 33. 
- // - DEBUG ((DEBUG_INFO, "+%a\n", mIkev2PayloadStr[IkePayload->PayloadType = - 33])); - } - IpSecDumpBuf ("Payload data", IkePayload->PayloadBuf, IkePayload->Payloa= dSize); -} - -/** - Print the buffer in form of Hex. - - @param[in] Title The strings to be printed before the data of the= buffer. - @param[in] Data Points to buffer to be printed. - @param[in] DataSize The size of the buffer to be printed. - -**/ -VOID -IpSecDumpBuf ( - IN CHAR8 *Title, - IN UINT8 *Data, - IN UINTN DataSize - ) -{ - UINTN Index; - UINTN DataIndex; - UINTN BytesRemaining; - UINTN BytesToPrint; - - DataIndex =3D 0; - BytesRemaining =3D DataSize; - - DEBUG ((DEBUG_INFO, "=3D=3D%a %d bytes=3D=3D\n", Title, DataSize)); - - while (BytesRemaining > 0) { - - BytesToPrint =3D (BytesRemaining > IPSEC_DEBUG_BYTE_PER_LINE) ? IPSEC_= DEBUG_BYTE_PER_LINE : BytesRemaining; - - for (Index =3D 0; Index < BytesToPrint; Index++) { - DEBUG ((DEBUG_INFO, " 0x%02x,", Data[DataIndex++])); - } - - DEBUG ((DEBUG_INFO, "\n")); - BytesRemaining -=3D BytesToPrint; - } - -} diff --git a/NetworkPkg/IpSecDxe/IpSecDebug.h b/NetworkPkg/IpSecDxe/IpSecDe= bug.h deleted file mode 100644 index bdc926eff6..0000000000 --- a/NetworkPkg/IpSecDxe/IpSecDebug.h +++ /dev/null @@ -1,101 +0,0 @@ -/** @file - The definition of functions and MACROs used for IPsec debug information = printting. - - Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
- - SPDX-License-Identifier: BSD-2-Clause-Patent - -**/ -#ifndef _EFI_IPSEC_DEBUG_H_ -#define _EFI_IPSEC_DEBUG_H_ - -#include "IkeCommon.h" -#include "IkePacket.h" - -#define IPSEC_DUMP_ADDRESS(Level, Ip, Version) IpSecDumpAddress = (Level, Ip, Version) -#define IKEV1_DUMP_STATE(Previous, Current) IkeDumpState (Pre= vious, Current, 1) -#define IKEV2_DUMP_STATE(Previous, Current) IkeDumpState (Pre= vious, Current, 2) -#define IPSEC_DUMP_PACKET(Packet, Direction, IpVersion) IpSecDumpPacket (= Packet, Direction, IpVersion) -#define IPSEC_DUMP_PAYLOAD(IkePayload) IpSecDumpPayload = (IkePayload, 1) -#define IKEV2_DUMP_PAYLOAD(IkePayload) IpSecDumpPayload = (IkePayload, 2) -#define IPSEC_DUMP_BUF(Title, Data, DataSize) IpSecDumpBuf (Tit= le, Data, DataSize) - -#define IPSEC_DEBUG_BYTE_PER_LINE 8 -#define IKE_STATE_NUM 7 - - - -/** - Print the IP address. - - @param[in] Level Debug print error level. Pass to DEBUG(). - @param[in] Ip Point to specified IP address. - @param[in] IpVersion The IP Version. - -**/ -VOID -IpSecDumpAddress ( - IN UINTN Level, - IN EFI_IP_ADDRESS *Ip, - IN UINT8 IpVersion - ); - -/** - Print IKE Current states. - - @param[in] Previous The Previous state of IKE. - @param[in] Current The current state of IKE. - @param[in] IkeVersion The version of IKE. - -**/ -VOID -IkeDumpState ( - IN UINT32 Previous, - IN UINT32 Current, - IN UINT8 IkeVersion - ); - -/** - Print the IKE Packet. - - @param[in] Packet Point to IKE packet to be printed. - @param[in] Direction Point to the IKE packet is inbound or outbound. - @param[in] IpVersion Specified IP Version. - -**/ -VOID -IpSecDumpPacket ( - IN IKE_PACKET *Packet, - IN EFI_IPSEC_TRAFFIC_DIR Direction, - IN UINT8 IpVersion - ); - -/** - Print the IKE Paylolad. - - @param[in] IkePayload Point to payload to be printed. - @param[in] IkeVersion The specified version of IKE. - -**/ -VOID -IpSecDumpPayload ( - IN IKE_PAYLOAD *IkePayload, - IN UINT8 IkeVersion - ); - -/** - Print the buffer in form of Hex. 
- - @param[in] Title The strings to be printed before the data of the= buffer. - @param[in] Data Point to buffer to be printed. - @param[in] DataSize The size of the buffer to be printed. - -**/ -VOID -IpSecDumpBuf ( - IN CHAR8 *Title, - IN UINT8 *Data, - IN UINTN DataSize - ); - -#endif diff --git a/NetworkPkg/IpSecDxe/IpSecDriver.c b/NetworkPkg/IpSecDxe/IpSecD= river.c deleted file mode 100644 index 916b0b24de..0000000000 --- a/NetworkPkg/IpSecDxe/IpSecDriver.c +++ /dev/null @@ -1,654 +0,0 @@ -/** @file - Driver Binding Protocol for IPsec Driver. - - Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
- - SPDX-License-Identifier: BSD-2-Clause-Patent - -**/ - -#include - -#include "IpSecConfigImpl.h" -#include "IkeService.h" -#include "IpSecDebug.h" - -/** - Test to see if this driver supports ControllerHandle. This is the worker= function - for IpSec4(6)DriverbindingSupported. - - @param[in] This Protocol instance pointer. - @param[in] ControllerHandle Handle of device to test. - @param[in] RemainingDevicePath Optional parameter used to pick a speci= fic child - device to start. - @param[in] IpVersion IP_VERSION_4 or IP_VERSION_6. - - @retval EFI_SUCCES This driver supports this device. - @retval EFI_ALREADY_STARTED This driver is already running on this devi= ce. - @retval other This driver does not support this device. - -**/ -EFI_STATUS -EFIAPI -IpSecSupported ( - IN EFI_DRIVER_BINDING_PROTOCOL *This, - IN EFI_HANDLE ControllerHandle, - IN EFI_DEVICE_PATH_PROTOCOL *RemainingDevicePath OPTIONAL, - IN UINT8 IpVersion - ) -{ - EFI_STATUS Status; - EFI_GUID *UdpServiceBindingGuid; - - if (IpVersion =3D=3D IP_VERSION_4) { - UdpServiceBindingGuid =3D &gEfiUdp4ServiceBindingProtocolGuid; - } else { - UdpServiceBindingGuid =3D &gEfiUdp6ServiceBindingProtocolGuid; - } - - Status =3D gBS->OpenProtocol ( - ControllerHandle, - UdpServiceBindingGuid, - NULL, - This->DriverBindingHandle, - ControllerHandle, - EFI_OPEN_PROTOCOL_TEST_PROTOCOL - ); - if (EFI_ERROR (Status)) { - return EFI_UNSUPPORTED; - } - return EFI_SUCCESS; -} - -/** - Start this driver on ControllerHandle. This is the worker function - for IpSec4(6)DriverbindingStart. - - @param[in] This Protocol instance pointer. - @param[in] ControllerHandle Handle of device to bind driver to. - @param[in] RemainingDevicePath Optional parameter used to pick a speci= fic child - device to start. - @param[in] IpVersion IP_VERSION_4 or IP_VERSION_6. 
- - @retval EFI_SUCCES This driver is added to ControllerHandle - @retval EFI_ALREADY_STARTED This driver is already running on Controlle= rHandle - @retval EFI_DEVICE_ERROR The device could not be started due to a de= vice error. - Currently not implemented. - @retval other This driver does not support this device - -**/ -EFI_STATUS -EFIAPI -IpSecStart ( - IN EFI_DRIVER_BINDING_PROTOCOL *This, - IN EFI_HANDLE ControllerHandle, - IN EFI_DEVICE_PATH_PROTOCOL *RemainingDevicePath OPTIONAL, - IN UINT8 IpVersion - ) -{ - EFI_IPSEC2_PROTOCOL *IpSec; - EFI_STATUS Status; - IPSEC_PRIVATE_DATA *Private; - - // - // Ipsec protocol should be installed when load image. - // - Status =3D gBS->LocateProtocol (&gEfiIpSec2ProtocolGuid, NULL, (VOID **)= &IpSec); - - if (EFI_ERROR (Status)) { - return Status; - } - - Private =3D IPSEC_PRIVATE_DATA_FROM_IPSEC (IpSec); - - if (IpVersion =3D=3D IP_VERSION_4) { - // - // Try to open a udp4 io for input. - // - Status =3D gBS->OpenProtocol ( - ControllerHandle, - &gEfiUdp4ServiceBindingProtocolGuid, - NULL, - This->DriverBindingHandle, - ControllerHandle, - EFI_OPEN_PROTOCOL_TEST_PROTOCOL - ); - - if (!EFI_ERROR (Status)) { - Status =3D IkeOpenInputUdp4 (Private, ControllerHandle, This->Driver= BindingHandle); - } - } else { - // - // Try to open a udp6 io for input. - // - Status =3D gBS->OpenProtocol ( - ControllerHandle, - &gEfiUdp6ServiceBindingProtocolGuid, - NULL, - This->DriverBindingHandle, - ControllerHandle, - EFI_OPEN_PROTOCOL_TEST_PROTOCOL - ); - - if (!EFI_ERROR (Status)) { - Status =3D IkeOpenInputUdp6 (Private, ControllerHandle, This->Driver= BindingHandle); - } - } - - if (EFI_ERROR (Status)) { - return EFI_DEVICE_ERROR; - } - return EFI_SUCCESS; -} - -/** - Stop this driver on ControllerHandle. This is the worker function - for IpSec4(6)DriverbindingStop. - - @param[in] This Protocol instance pointer. - @param[in] ControllerHandle Handle of a device to stop the driver o= n. 
- @param[in] NumberOfChildren Number of Handles in ChildHandleBuffer.= If the number of - children is zero, stop the entire bus d= river. - @param[in] ChildHandleBuffer List of Child Handles to Stop. - @param[in] IpVersion IP_VERSION_4 or IP_VERSION_6. - - @retval EFI_SUCCES This driver removed ControllerHandle. - @retval other This driver was not removed from this devic= e. - -**/ -EFI_STATUS -EFIAPI -IpSecStop ( - IN EFI_DRIVER_BINDING_PROTOCOL *This, - IN EFI_HANDLE ControllerHandle, - IN UINTN NumberOfChildren, - IN EFI_HANDLE *ChildHandleBuffer, - IN UINT8 IpVersion - ) -{ - EFI_IPSEC2_PROTOCOL *IpSec; - EFI_STATUS Status; - IPSEC_PRIVATE_DATA *Private; - IKE_UDP_SERVICE *UdpSrv; - LIST_ENTRY *Entry; - LIST_ENTRY *Next; - IKEV2_SA_SESSION *Ikev2SaSession; - - // - // Locate ipsec protocol to get private data. - // - Status =3D gBS->LocateProtocol (&gEfiIpSec2ProtocolGuid, NULL, (VOID **)= &IpSec); - - if (EFI_ERROR (Status)) { - return Status; - } - - Private =3D IPSEC_PRIVATE_DATA_FROM_IPSEC (IpSec); - - // - // The SAs are shared by both IP4 and IP6 stack. So we skip the cleanup - // and leave the SAs unchanged if the other IP stack is still running. - // - if ((IpVersion =3D=3D IP_VERSION_4 && Private->Udp6Num =3D=3D0) || - (IpVersion =3D=3D IP_VERSION_6 && Private->Udp4Num =3D=3D0)) { - // - // If IKEv2 SAs are under establishing, delete it directly. - // - if (!IsListEmpty (&Private->Ikev2SessionList)) { - NET_LIST_FOR_EACH_SAFE (Entry, Next, &Private->Ikev2SessionList) { - Ikev2SaSession =3D IKEV2_SA_SESSION_BY_SESSION (Entry); - RemoveEntryList (&Ikev2SaSession->BySessionTable); - Ikev2SaSessionFree (Ikev2SaSession); - } - } - - // - // Delete established IKEv2 SAs. 
- // - if (!IsListEmpty (&Private->Ikev2EstablishedList)) { - NET_LIST_FOR_EACH_SAFE (Entry, Next, &Private->Ikev2EstablishedList)= { - Ikev2SaSession =3D IKEV2_SA_SESSION_BY_SESSION (Entry); - RemoveEntryList (&Ikev2SaSession->BySessionTable); - Ikev2SaSessionFree (Ikev2SaSession); - } - } - } - - if (IpVersion =3D=3D IP_VERSION_4) { - // - // If has udp4 io opened on the controller, close and free it. - // - NET_LIST_FOR_EACH_SAFE (Entry, Next, &Private->Udp4List) { - - UdpSrv =3D IPSEC_UDP_SERVICE_FROM_LIST (Entry); - // - // Find the right udp service which installed on the appointed nic h= andle. - // - if (UdpSrv->Input !=3D NULL && ControllerHandle =3D=3D UdpSrv->Input= ->UdpHandle) { - UdpIoFreeIo (UdpSrv->Input); - UdpSrv->Input =3D NULL; - } - - if (UdpSrv->Output !=3D NULL && ControllerHandle =3D=3D UdpSrv->Outp= ut->UdpHandle) { - UdpIoFreeIo (UdpSrv->Output); - UdpSrv->Output =3D NULL; - } - - if (UdpSrv->Input =3D=3D NULL && UdpSrv->Output =3D=3D NULL) { - RemoveEntryList (&UdpSrv->List); - FreePool (UdpSrv); - ASSERT (Private->Udp4Num > 0); - Private->Udp4Num--; - } - } - } else { - // - // If has udp6 io opened on the controller, close and free it. - // - NET_LIST_FOR_EACH_SAFE (Entry, Next, &Private->Udp6List) { - - UdpSrv =3D IPSEC_UDP_SERVICE_FROM_LIST (Entry); - // - // Find the right udp service which installed on the appointed nic h= andle. - // - if (UdpSrv->Input !=3D NULL && ControllerHandle =3D=3D UdpSrv->Input= ->UdpHandle) { - UdpIoFreeIo (UdpSrv->Input); - UdpSrv->Input =3D NULL; - } - - if (UdpSrv->Output !=3D NULL && ControllerHandle =3D=3D UdpSrv->Outp= ut->UdpHandle) { - UdpIoFreeIo (UdpSrv->Output); - UdpSrv->Output =3D NULL; - } - - if (UdpSrv->Input =3D=3D NULL && UdpSrv->Output =3D=3D NULL) { - RemoveEntryList (&UdpSrv->List); - FreePool (UdpSrv); - ASSERT (Private->Udp6Num > 0); - Private->Udp6Num--; - } - } - } - - return EFI_SUCCESS; -} - -/** - Test to see if this driver supports ControllerHandle. 
- - @param[in] This Protocol instance pointer. - @param[in] ControllerHandle Handle of device to test. - @param[in] RemainingDevicePath Optional parameter used to pick a speci= fic child - device to start. - - @retval EFI_SUCCES This driver supports this device. - @retval EFI_ALREADY_STARTED This driver is already running on this devi= ce. - @retval other This driver does not support this device. - -**/ -EFI_STATUS -EFIAPI -IpSec4DriverBindingSupported ( - IN EFI_DRIVER_BINDING_PROTOCOL *This, - IN EFI_HANDLE ControllerHandle, - IN EFI_DEVICE_PATH_PROTOCOL *RemainingDevicePath OPTIONAL - ) -{ - return IpSecSupported ( - This, - ControllerHandle, - RemainingDevicePath, - IP_VERSION_4 - ); -} - -/** - Start this driver on ControllerHandle. - - @param[in] This Protocol instance pointer. - @param[in] ControllerHandle Handle of device to bind driver to. - @param[in] RemainingDevicePath Optional parameter used to pick a speci= fic child - device to start. - - @retval EFI_SUCCES This driver is added to ControllerHandle - @retval EFI_ALREADY_STARTED This driver is already running on Controlle= rHandle - @retval EFI_DEVICE_ERROR The device could not be started due to a de= vice error. - Currently not implemented. - @retval other This driver does not support this device - -**/ -EFI_STATUS -EFIAPI -IpSec4DriverBindingStart ( - IN EFI_DRIVER_BINDING_PROTOCOL *This, - IN EFI_HANDLE ControllerHandle, - IN EFI_DEVICE_PATH_PROTOCOL *RemainingDevicePath OPTIONAL - ) -{ - return IpSecStart ( - This, - ControllerHandle, - RemainingDevicePath, - IP_VERSION_4 - ); -} - -/** - Stop this driver on ControllerHandle. - - @param[in] This Protocol instance pointer. - @param[in] ControllerHandle Handle of a device to stop the driver o= n. - @param[in] NumberOfChildren Number of Handles in ChildHandleBuffer.= If the number of - children is zero, stop the entire bus d= river. - @param[in] ChildHandleBuffer List of Child Handles to Stop. 
- - @retval EFI_SUCCES This driver removed ControllerHandle. - @retval other This driver was not removed from this devic= e. - -**/ -EFI_STATUS -EFIAPI -IpSec4DriverBindingStop ( - IN EFI_DRIVER_BINDING_PROTOCOL *This, - IN EFI_HANDLE ControllerHandle, - IN UINTN NumberOfChildren, - IN EFI_HANDLE *ChildHandleBuffer - ) -{ - return IpSecStop ( - This, - ControllerHandle, - NumberOfChildren, - ChildHandleBuffer, - IP_VERSION_4 - ); -} - -/** - Test to see if this driver supports ControllerHandle. - - @param[in] This Protocol instance pointer. - @param[in] ControllerHandle Handle of device to test. - @param[in] RemainingDevicePath Optional parameter used to pick a speci= fic child - device to start. - - @retval EFI_SUCCES This driver supports this device. - @retval EFI_ALREADY_STARTED This driver is already running on this devi= ce. - @retval other This driver does not support this device. - -**/ -EFI_STATUS -EFIAPI -IpSec6DriverBindingSupported ( - IN EFI_DRIVER_BINDING_PROTOCOL *This, - IN EFI_HANDLE ControllerHandle, - IN EFI_DEVICE_PATH_PROTOCOL *RemainingDevicePath OPTIONAL - ) -{ - return IpSecSupported ( - This, - ControllerHandle, - RemainingDevicePath, - IP_VERSION_6 - ); -} - -/** - Start this driver on ControllerHandle. - - @param[in] This Protocol instance pointer. - @param[in] ControllerHandle Handle of device to bind driver to. - @param[in] RemainingDevicePath Optional parameter used to pick a speci= fic child - device to start. - - @retval EFI_SUCCES This driver is added to ControllerHandle - @retval EFI_ALREADY_STARTED This driver is already running on Controlle= rHandle - @retval EFI_DEVICE_ERROR The device could not be started due to a de= vice error. - Currently not implemented. 
- @retval other This driver does not support this device - -**/ -EFI_STATUS -EFIAPI -IpSec6DriverBindingStart ( - IN EFI_DRIVER_BINDING_PROTOCOL *This, - IN EFI_HANDLE ControllerHandle, - IN EFI_DEVICE_PATH_PROTOCOL *RemainingDevicePath OPTIONAL - ) -{ - return IpSecStart ( - This, - ControllerHandle, - RemainingDevicePath, - IP_VERSION_6 - ); -} - -/** - Stop this driver on ControllerHandle. - - @param[in] This Protocol instance pointer. - @param[in] ControllerHandle Handle of a device to stop the driver o= n. - @param[in] NumberOfChildren Number of Handles in ChildHandleBuffer.= If the number of - children is zero, stop the entire bus d= river. - @param[in] ChildHandleBuffer List of Child Handles to Stop. - - @retval EFI_SUCCES This driver removed ControllerHandle. - @retval other This driver was not removed from this devic= e. - -**/ -EFI_STATUS -EFIAPI -IpSec6DriverBindingStop ( - IN EFI_DRIVER_BINDING_PROTOCOL *This, - IN EFI_HANDLE ControllerHandle, - IN UINTN NumberOfChildren, - IN EFI_HANDLE *ChildHandleBuffer - ) -{ - return IpSecStop ( - This, - ControllerHandle, - NumberOfChildren, - ChildHandleBuffer, - IP_VERSION_6 - ); -} - -EFI_DRIVER_BINDING_PROTOCOL gIpSec4DriverBinding =3D { - IpSec4DriverBindingSupported, - IpSec4DriverBindingStart, - IpSec4DriverBindingStop, - 0xa, - NULL, - NULL -}; - -EFI_DRIVER_BINDING_PROTOCOL gIpSec6DriverBinding =3D { - IpSec6DriverBindingSupported, - IpSec6DriverBindingStart, - IpSec6DriverBindingStop, - 0xa, - NULL, - NULL -}; - -/** - This is a callback function when the mIpSecInstance.DisabledEvent is sig= naled. - - @param[in] Event Event whose notification function is being invo= ked. - @param[in] Context Pointer to the notification function's context. 
- -**/ -VOID -EFIAPI -IpSecCleanupAllSa ( - IN EFI_EVENT Event, - IN VOID *Context - ) -{ - IPSEC_PRIVATE_DATA *Private; - Private =3D (IPSEC_PRIVATE_DATA *) Context; - Private->IsIPsecDisabling =3D TRUE; - IkeDeleteAllSas (Private, TRUE); -} - -/** - This is the declaration of an EFI image entry point. This entry point is - the same for UEFI Applications, UEFI OS Loaders, and UEFI Drivers, inclu= ding - both device drivers and bus drivers. - - The entry point for IPsec driver which installs the driver binding, - component name protocol, IPsec Config protcolon, and IPsec protocol in - its ImageHandle. - - @param[in] ImageHandle The firmware allocated handle for the UEFI= image. - @param[in] SystemTable A pointer to the EFI System Table. - - @retval EFI_SUCCESS The operation completed successfully. - @retval EFI_ALREADY_STARTED The IPsec driver has been already loaded. - @retval EFI_OUT_OF_RESOURCES The request could not be completed due to = a lack of resources. - @retval Others The operation is failed. - -**/ -EFI_STATUS -EFIAPI -IpSecDriverEntryPoint ( - IN EFI_HANDLE ImageHandle, - IN EFI_SYSTEM_TABLE *SystemTable - ) -{ - EFI_STATUS Status; - IPSEC_PRIVATE_DATA *Private; - EFI_IPSEC2_PROTOCOL *IpSec; - - // - // Check whether ipsec protocol has already been installed. 
- // - Status =3D gBS->LocateProtocol (&gEfiIpSec2ProtocolGuid, NULL, (VOID **)= &IpSec); - - if (!EFI_ERROR (Status)) { - DEBUG ((DEBUG_WARN, "_ModuleEntryPoint: IpSec has been already loaded\= n")); - Status =3D EFI_ALREADY_STARTED; - goto ON_EXIT; - } - - Status =3D gBS->LocateProtocol (&gEfiDpcProtocolGuid, NULL, (VOID **) &m= Dpc); - - if (EFI_ERROR (Status)) { - DEBUG ((DEBUG_ERROR, "_ModuleEntryPoint: Failed to locate EfiDpcProtoc= ol\n")); - goto ON_EXIT; - } - - Private =3D AllocateZeroPool (sizeof (IPSEC_PRIVATE_DATA)); - - if (Private =3D=3D NULL) { - DEBUG ((DEBUG_ERROR, "_ModuleEntryPoint: Failed to allocate private da= ta\n")); - Status =3D EFI_OUT_OF_RESOURCES; - goto ON_EXIT; - } - // - // Create disable event to cleanup all SA when ipsec disabled by user. - // - Status =3D gBS->CreateEvent ( - EVT_NOTIFY_SIGNAL, - TPL_CALLBACK, - IpSecCleanupAllSa, - Private, - &mIpSecInstance.DisabledEvent - ); - if (EFI_ERROR (Status)) { - DEBUG ((DEBUG_ERROR, "_ModuleEntryPoint: Failed to create disable even= t\n")); - goto ON_FREE_PRIVATE; - } - - Private->Signature =3D IPSEC_PRIVATE_DATA_SIGNATURE; - Private->ImageHandle =3D ImageHandle; - CopyMem (&Private->IpSec, &mIpSecInstance, sizeof (EFI_IPSEC2_PROTOCOL)); - - // - // Initilize Private's members. Thess members is used for IKE. - // - InitializeListHead (&Private->Udp4List); - InitializeListHead (&Private->Udp6List); - InitializeListHead (&Private->Ikev1SessionList); - InitializeListHead (&Private->Ikev1EstablishedList); - InitializeListHead (&Private->Ikev2SessionList); - InitializeListHead (&Private->Ikev2EstablishedList); - - RandomSeed (NULL, 0); - // - // Initialize the ipsec config data and restore it from variable. - // - Status =3D IpSecConfigInitialize (Private); - if (EFI_ERROR (Status)) { - DEBUG ((DEBUG_ERROR, "_ModuleEntryPoint: Failed to initialize IpSecCon= fig\n")); - goto ON_CLOSE_EVENT; - } - // - // Install ipsec protocol which is used by ip driver to process ipsec he= ader. 
- // - Status =3D gBS->InstallMultipleProtocolInterfaces ( - &Private->Handle, - &gEfiIpSec2ProtocolGuid, - &Private->IpSec, - NULL - ); - if (EFI_ERROR (Status)) { - goto ON_UNINSTALL_CONFIG; - } - - Status =3D EfiLibInstallDriverBindingComponentName2 ( - ImageHandle, - SystemTable, - &gIpSec4DriverBinding, - ImageHandle, - &gIpSecComponentName, - &gIpSecComponentName2 - ); - if (EFI_ERROR (Status)) { - goto ON_UNINSTALL_IPSEC; - } - - Status =3D EfiLibInstallDriverBindingComponentName2 ( - ImageHandle, - SystemTable, - &gIpSec6DriverBinding, - NULL, - &gIpSecComponentName, - &gIpSecComponentName2 - ); - if (EFI_ERROR (Status)) { - goto ON_UNINSTALL_IPSEC4_DB; - } - - return Status; - -ON_UNINSTALL_IPSEC4_DB: - EfiLibUninstallDriverBindingComponentName2 ( - &gIpSec4DriverBinding, - &gIpSecComponentName, - &gIpSecComponentName2 - ); - -ON_UNINSTALL_IPSEC: - gBS->UninstallProtocolInterface ( - Private->Handle, - &gEfiIpSec2ProtocolGuid, - &Private->IpSec - ); -ON_UNINSTALL_CONFIG: - gBS->UninstallProtocolInterface ( - Private->Handle, - &gEfiIpSecConfigProtocolGuid, - &Private->IpSecConfig - ); -ON_CLOSE_EVENT: - gBS->CloseEvent (mIpSecInstance.DisabledEvent); - mIpSecInstance.DisabledEvent =3D NULL; -ON_FREE_PRIVATE: - FreePool (Private); -ON_EXIT: - return Status; -} - diff --git a/NetworkPkg/IpSecDxe/IpSecDxe.inf b/NetworkPkg/IpSecDxe/IpSecDx= e.inf deleted file mode 100644 index 0cabc13059..0000000000 --- a/NetworkPkg/IpSecDxe/IpSecDxe.inf +++ /dev/null @@ -1,104 +0,0 @@ -## @file -# Packet-level security for IP datagram. -# -# This driver provides EFI IPsec2 Protocol which is used to abstract the = ability -# to deal with the individual packets sent and received by the host and p= rovide -# packet-level security for IP datagram. It provides the IP packet protec= tion via -# ESP and it supports IKEv2 for key negotiation. -# -# Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
-# -# SPDX-License-Identifier: BSD-2-Clause-Patent -# -## - -[Defines] - INF_VERSION =3D 0x00010005 - BASE_NAME =3D IpSecDxe - FILE_GUID =3D EE8367C0-A1D6-4565-8F89-EF628547B722 - MODULE_TYPE =3D UEFI_DRIVER - VERSION_STRING =3D 1.0 - - ENTRY_POINT =3D IpSecDriverEntryPoint - MODULE_UNI_FILE =3D IpSecDxe.uni - -# -# The following information is for reference only and not required by the = build tools. -# -# VALID_ARCHITECTURES =3D IA32 X64 EBC -# - -[Sources] - IpSecConfigImpl.c - IpSecConfigImpl.h - IpSecCryptIo.h - IpSecCryptIo.c - IpSecDebug.h - ComponentName.c - IkeCommon.h - IpSecImpl.c - IkeService.c - Ike.h - IkePacket.h - IkePacket.c - IpSecDebug.c - IpSecMain.c - IpSecDriver.c - IkeCommon.c - IetfConstants.c - IpSecImpl.h - IkeService.h - Ikev2/Ikev2.h - Ikev2/Payload.h - Ikev2/Utility.h - Ikev2/Utility.c - Ikev2/Sa.c - Ikev2/ChildSa.c - Ikev2/Info.c - Ikev2/Payload.c - Ikev2/Exchange.c - - - -[Packages] - MdePkg/MdePkg.dec - MdeModulePkg/MdeModulePkg.dec - CryptoPkg/CryptoPkg.dec - NetworkPkg/NetworkPkg.dec - -[LibraryClasses] - MemoryAllocationLib - BaseLib - UefiLib - UefiBootServicesTableLib - UefiRuntimeServicesTableLib - UefiDriverEntryPoint - BaseMemoryLib - DebugLib - PrintLib - BaseCryptLib - DpcLib - UdpIoLib - NetLib - PcdLib - -[Protocols] - gEfiIp4Config2ProtocolGuid ## SOMETIMES_CONSUMES - gEfiUdp4ServiceBindingProtocolGuid ## SOMETIMES_CONSUMES - gEfiUdp4ProtocolGuid ## SOMETIMES_CONSUMES - gEfiUdp6ServiceBindingProtocolGuid ## SOMETIMES_CONSUMES - gEfiUdp6ProtocolGuid ## SOMETIMES_CONSUMES - gEfiIpSecConfigProtocolGuid ## PRODUCES - gEfiIpSec2ProtocolGuid ## PRODUCES - -[Pcd] - gEfiNetworkPkgTokenSpaceGuid.PcdIpsecCertificateEnabled ## SOMETIM= ES_CONSUMES - gEfiNetworkPkgTokenSpaceGuid.PcdIpsecUefiCaFile ## SOMETIM= ES_CONSUMES - gEfiNetworkPkgTokenSpaceGuid.PcdIpsecUefiCaFileSize ## SOMETIM= ES_CONSUMES - gEfiNetworkPkgTokenSpaceGuid.PcdIpsecUefiCertificate ## SOMETIM= ES_CONSUMES - gEfiNetworkPkgTokenSpaceGuid.PcdIpsecUefiCertificateSize 
## SOMETIM= ES_CONSUMES - gEfiNetworkPkgTokenSpaceGuid.PcdIpsecUefiCertificateKey ## SOMETIM= ES_CONSUMES - gEfiNetworkPkgTokenSpaceGuid.PcdIpsecUefiCertificateKeySize ## SOMETIM= ES_CONSUMES - -[UserExtensions.TianoCore."ExtraFiles"] - IpSecDxeExtra.uni diff --git a/NetworkPkg/IpSecDxe/IpSecDxe.uni b/NetworkPkg/IpSecDxe/IpSecDx= e.uni deleted file mode 100644 index 9e67d6d9ef..0000000000 --- a/NetworkPkg/IpSecDxe/IpSecDxe.uni +++ /dev/null @@ -1,19 +0,0 @@ -// /** @file -// Packet-level security for IP datagram. -// -// This driver provides EFI IPsec2 Protocol which is used to abstract the = ability -// to deal with the individual packets sent and received by the host and p= rovide -// packet-level security for IP datagram. It provides the IP packet protec= tion via -// ESP and it supports IKEv2 for key negotiation. -// -// Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
-// -// SPDX-License-Identifier: BSD-2-Clause-Patent -// -// **/ - - -#string STR_MODULE_ABSTRACT #language en-US "Packet-level secu= rity for IP datagram" - -#string STR_MODULE_DESCRIPTION #language en-US "This driver provi= des EFI IPsec2 Protocol which is used to abstract the ability to deal with = the individual packets sent and received by the host and provide packet-lev= el security for IP datagram. It provides the IP packet protection via ESP a= nd it supports IKEv2 for key negotiation." - diff --git a/NetworkPkg/IpSecDxe/IpSecDxeExtra.uni b/NetworkPkg/IpSecDxe/Ip= SecDxeExtra.uni deleted file mode 100644 index d31c8dd88e..0000000000 --- a/NetworkPkg/IpSecDxe/IpSecDxeExtra.uni +++ /dev/null @@ -1,14 +0,0 @@ -// /** @file -// IpSecDxe Localized Strings and Content -// -// Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.
-// -// SPDX-License-Identifier: BSD-2-Clause-Patent -// -// **/ - -#string STR_PROPERTIES_MODULE_NAME -#language en-US -"IpSec DXE" - - diff --git a/NetworkPkg/IpSecDxe/IpSecImpl.c b/NetworkPkg/IpSecDxe/IpSecImp= l.c deleted file mode 100644 index 32c806486b..0000000000 --- a/NetworkPkg/IpSecDxe/IpSecImpl.c +++ /dev/null @@ -1,2178 +0,0 @@ -/** @file - The implementation of IPsec. - - (C) Copyright 2015 Hewlett-Packard Development Company, L.P.
- Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
- - SPDX-License-Identifier: BSD-2-Clause-Patent - -**/ - -#include "IpSecImpl.h" -#include "IkeService.h" -#include "IpSecDebug.h" -#include "IpSecCryptIo.h" -#include "IpSecConfigImpl.h" - -/** - Check if the specified Address is the Valid Address Range. - - This function checks if the bytes after prefixed length are all Zero in = this - Address. This Address is supposed to point to a range address. That mean= s it - should gives the correct prefixed address and the bytes outside the pref= ixed are - zero. - - @param[in] IpVersion The IP version. - @param[in] Address Points to EFI_IP_ADDRESS to be checked. - @param[in] PrefixLength The PrefixeLength of this address. - - @retval TRUE The address is a vaild address range. - @retval FALSE The address is not a vaild address range. - -**/ -BOOLEAN -IpSecValidAddressRange ( - IN UINT8 IpVersion, - IN EFI_IP_ADDRESS *Address, - IN UINT8 PrefixLength - ) -{ - UINT8 Div; - UINT8 Mod; - UINT8 Mask; - UINT8 AddrLen; - UINT8 *Addr; - EFI_IP_ADDRESS ZeroAddr; - - if (PrefixLength =3D=3D 0) { - return TRUE; - } - - AddrLen =3D (UINT8) ((IpVersion =3D=3D IP_VERSION_4) ? 32 : 128); - - if (AddrLen <=3D PrefixLength) { - return FALSE; - } - - Div =3D (UINT8) (PrefixLength / 8); - Mod =3D (UINT8) (PrefixLength % 8); - Addr =3D (UINT8 *) Address; - ZeroMem (&ZeroAddr, sizeof (EFI_IP_ADDRESS)); - - // - // Check whether the mod part of host scope is zero or not. - // - if (Mod > 0) { - Mask =3D (UINT8) (0xFF << (8 - Mod)); - - if ((Addr[Div] | Mask) !=3D Mask) { - return FALSE; - } - - Div++; - } - // - // Check whether the div part of host scope is zero or not. - // - if (CompareMem ( - &Addr[Div], - &ZeroAddr, - sizeof (EFI_IP_ADDRESS) - Div - ) !=3D 0) { - return FALSE; - } - - return TRUE; -} - -/** - Extrct the Address Range from a Address. - - This function keep the prefix address and zero other part address. - - @param[in] Address Point to a specified address. - @param[in] PrefixLength The prefix length. 
- @param[out] Range Contain the return Address Range. - -**/ -VOID -IpSecExtractAddressRange ( - IN EFI_IP_ADDRESS *Address, - IN UINT8 PrefixLength, - OUT EFI_IP_ADDRESS *Range - ) -{ - UINT8 Div; - UINT8 Mod; - UINT8 Mask; - UINT8 *Addr; - - if (PrefixLength =3D=3D 0) { - return ; - } - - Div =3D (UINT8) (PrefixLength / 8); - Mod =3D (UINT8) (PrefixLength % 8); - Addr =3D (UINT8 *) Range; - - CopyMem (Range, Address, sizeof (EFI_IP_ADDRESS)); - - // - // Zero the mod part of host scope. - // - if (Mod > 0) { - Mask =3D (UINT8) (0xFF << (8 - Mod)); - Addr[Div] =3D (UINT8) (Addr[Div] & Mask); - Div++; - } - // - // Zero the div part of host scope. - // - ZeroMem (&Addr[Div], sizeof (EFI_IP_ADDRESS) - Div); - -} - -/** - Checks if the IP Address in the address range of AddressInfos specified. - - @param[in] IpVersion The IP version. - @param[in] IpAddr Point to EFI_IP_ADDRESS to be check. - @param[in] AddressInfo A list of EFI_IP_ADDRESS_INFO that is used= to check - the IP Address is matched. - @param[in] AddressCount The total numbers of the AddressInfo. - - @retval TRUE If the Specified IP Address is in the range of the Add= ressInfos specified. - @retval FALSE If the Specified IP Address is not in the range of the= AddressInfos specified. - -**/ -BOOLEAN -IpSecMatchIpAddress ( - IN UINT8 IpVersion, - IN EFI_IP_ADDRESS *IpAddr, - IN EFI_IP_ADDRESS_INFO *AddressInfo, - IN UINT32 AddressCount - ) -{ - EFI_IP_ADDRESS Range; - UINT32 Index; - BOOLEAN IsMatch; - - IsMatch =3D FALSE; - - for (Index =3D 0; Index < AddressCount; Index++) { - // - // Check whether the target address is in the address range - // if it's a valid range of address. - // - if (IpSecValidAddressRange ( - IpVersion, - &AddressInfo[Index].Address, - AddressInfo[Index].PrefixLength - )) { - // - // Get the range of the target address belongs to. 
- // - ZeroMem (&Range, sizeof (EFI_IP_ADDRESS)); - IpSecExtractAddressRange ( - IpAddr, - AddressInfo[Index].PrefixLength, - &Range - ); - - if (CompareMem ( - &Range, - &AddressInfo[Index].Address, - sizeof (EFI_IP_ADDRESS) - ) =3D=3D 0) { - // - // The target address is in the address range. - // - IsMatch =3D TRUE; - break; - } - } - - if (CompareMem ( - IpAddr, - &AddressInfo[Index].Address, - sizeof (EFI_IP_ADDRESS) - ) =3D=3D 0) { - // - // The target address is exact same as the address. - // - IsMatch =3D TRUE; - break; - } - } - return IsMatch; -} - -/** - Check if the specified Protocol and Prot is supported by the specified S= PD Entry. - - This function is the subfunction of IPsecLookUpSpdEntry() that is used to - check if the sent/received IKE packet has the related SPD entry support. - - @param[in] Protocol The Protocol to be checked. - @param[in] IpPayload Point to IP Payload to be check. - @param[in] SpdProtocol The Protocol supported by SPD. - @param[in] SpdLocalPort The Local Port in SPD. - @param[in] SpdRemotePort The Remote Port in SPD. - @param[in] IsOutbound Flag to indicate the is for IKE Packet sen= ding or recieving. - - @retval TRUE The Protocol and Port are supported by the SPD Ent= ry. - @retval FALSE The Protocol and Port are not supported by the SPD= Entry. - -**/ -BOOLEAN -IpSecMatchNextLayerProtocol ( - IN UINT8 Protocol, - IN UINT8 *IpPayload, - IN UINT16 SpdProtocol, - IN UINT16 SpdLocalPort, - IN UINT16 SpdRemotePort, - IN BOOLEAN IsOutbound - ) -{ - BOOLEAN IsMatch; - - if (SpdProtocol =3D=3D EFI_IPSEC_ANY_PROTOCOL) { - return TRUE; - } - - IsMatch =3D FALSE; - - if (SpdProtocol =3D=3D Protocol) { - switch (Protocol) { - case EFI_IP_PROTO_UDP: - case EFI_IP_PROTO_TCP: - // - // For udp and tcp, (0, 0) means no need to check local and remote - // port. The payload is passed from upper level, which means it shou= ld - // be in network order. 
- // - IsMatch =3D (BOOLEAN) (SpdLocalPort =3D=3D 0 && SpdRemotePort =3D=3D= 0); - IsMatch =3D (BOOLEAN) (IsMatch || - (IsOutbound && - (BOOLEAN)( - NTOHS (((EFI_UDP_HEADER *) IpPayload)->SrcPo= rt) =3D=3D SpdLocalPort && - NTOHS (((EFI_UDP_HEADER *) IpPayload)->DstPo= rt) =3D=3D SpdRemotePort - ) - )); - - IsMatch =3D (BOOLEAN) (IsMatch || - (!IsOutbound && - (BOOLEAN)( - NTOHS (((EFI_UDP_HEADER *) IpPayload)->DstPo= rt) =3D=3D SpdLocalPort && - NTOHS (((EFI_UDP_HEADER *) IpPayload)->SrcPo= rt) =3D=3D SpdRemotePort - ) - )); - break; - - case EFI_IP_PROTO_ICMP: - // - // For icmpv4, type code is replaced with local port and remote port, - // and (0, 0) means no need to check. - // - IsMatch =3D (BOOLEAN) (SpdLocalPort =3D=3D 0 && SpdRemotePort =3D=3D= 0); - IsMatch =3D (BOOLEAN) (IsMatch || - (BOOLEAN) (((IP4_ICMP_HEAD *) IpPayload)->Type = =3D=3D SpdLocalPort && - ((IP4_ICMP_HEAD *) IpPayload)->Code = =3D=3D SpdRemotePort - ) - ); - break; - - case IP6_ICMP: - // - // For icmpv6, type code is replaced with local port and remote port, - // and (0, 0) means no need to check. - // - IsMatch =3D (BOOLEAN) (SpdLocalPort =3D=3D 0 && SpdRemotePort =3D=3D= 0); - - IsMatch =3D (BOOLEAN) (IsMatch || - (BOOLEAN) (((IP6_ICMP_HEAD *) IpPayload)->Type = =3D=3D SpdLocalPort && - ((IP6_ICMP_HEAD *) IpPayload)->Code = =3D=3D SpdRemotePort - ) - ); - break; - - default: - IsMatch =3D TRUE; - break; - } - } - - return IsMatch; -} - -/** - Find the SAD through a specified SPD's SAD list. - - @param[in] SadList SAD list related to a specified SPD entry. - @param[in] DestAddress The destination address used to find the S= AD entry. - @param[in] IpVersion The IP version. Ip4 or Ip6. - - @return The pointer to a certain SAD entry. 
- -**/ -IPSEC_SAD_ENTRY * -IpSecLookupSadBySpd ( - IN LIST_ENTRY *SadList, - IN EFI_IP_ADDRESS *DestAddress, - IN UINT8 IpVersion - ) -{ - LIST_ENTRY *Entry; - IPSEC_SAD_ENTRY *SadEntry; - - NET_LIST_FOR_EACH (Entry, SadList) { - - SadEntry =3D IPSEC_SAD_ENTRY_FROM_SPD (Entry); - // - // Find the right SAD entry which contains the appointed dest address. - // - if (IpSecMatchIpAddress ( - IpVersion, - DestAddress, - SadEntry->Data->SpdSelector->RemoteAddress, - SadEntry->Data->SpdSelector->RemoteAddressCount - )){ - return SadEntry; - } - } - - return NULL; -} - -/** - Find the SAD through whole SAD list. - - @param[in] Spi The SPI used to search the SAD entry. - @param[in] DestAddress The destination used to search the SAD ent= ry. - @param[in] IpVersion The IP version. Ip4 or Ip6. - - @return the pointer to a certain SAD entry. - -**/ -IPSEC_SAD_ENTRY * -IpSecLookupSadBySpi ( - IN UINT32 Spi, - IN EFI_IP_ADDRESS *DestAddress, - IN UINT8 IpVersion - ) -{ - LIST_ENTRY *Entry; - LIST_ENTRY *SadList; - IPSEC_SAD_ENTRY *SadEntry; - - SadList =3D &mConfigData[IPsecConfigDataTypeSad]; - - NET_LIST_FOR_EACH (Entry, SadList) { - - SadEntry =3D IPSEC_SAD_ENTRY_FROM_LIST (Entry); - - // - // Find the right SAD entry which contain the appointed spi and dest a= ddr. - // - if (SadEntry->Id->Spi =3D=3D Spi) { - if (SadEntry->Data->Mode =3D=3D EfiIPsecTunnel) { - if (CompareMem ( - &DestAddress, - &SadEntry->Data->TunnelDestAddress, - sizeof (EFI_IP_ADDRESS) - )) { - return SadEntry; - } - } else { - if (SadEntry->Data->SpdSelector !=3D NULL && - IpSecMatchIpAddress ( - IpVersion, - DestAddress, - SadEntry->Data->SpdSelector->RemoteAddress, - SadEntry->Data->SpdSelector->RemoteAddressCount - ) - ) { - return SadEntry; - } - } - } - } - return NULL; -} - -/** - Look up if there is existing SAD entry for specified IP packet sending. - - This function is called by the IPsecProcess when there is some IP packet= needed to - send out. 
This function checks if there is an existing SAD entry that ca= n be serviced - to this IP packet sending. If no existing SAD entry could be used, this - function will invoke an IPsec Key Exchange Negotiation. - - @param[in] Private Points to private data. - @param[in] NicHandle Points to a NIC handle. - @param[in] IpVersion The version of IP. - @param[in] IpHead The IP Header of packet to be sent out. - @param[in] IpPayload The IP Payload to be sent out. - @param[in] OldLastHead The Last protocol of the IP packet. - @param[in] SpdEntry Points to a related SPD entry. - @param[out] SadEntry Contains the Point of a related SAD entry. - - @retval EFI_DEVICE_ERROR One of following conditions is TRUE: - - If don't find related UDP service. - - Sequence Number is used up. - - Extension Sequence Number is used up. - @retval EFI_NOT_READY No existing SAD entry could be used. - @retval EFI_SUCCESS Find the related SAD entry. - -**/ -EFI_STATUS -IpSecLookupSadEntry ( - IN IPSEC_PRIVATE_DATA *Private, - IN EFI_HANDLE NicHandle, - IN UINT8 IpVersion, - IN VOID *IpHead, - IN UINT8 *IpPayload, - IN UINT8 OldLastHead, - IN IPSEC_SPD_ENTRY *SpdEntry, - OUT IPSEC_SAD_ENTRY **SadEntry - ) -{ - IKE_UDP_SERVICE *UdpService; - IPSEC_SAD_ENTRY *Entry; - IPSEC_SAD_DATA *Data; - EFI_IP_ADDRESS DestIp; - UINT32 SeqNum32; - - *SadEntry =3D NULL; - UdpService =3D IkeLookupUdp (Private, NicHandle, IpVersion); - - if (UdpService =3D=3D NULL) { - return EFI_DEVICE_ERROR; - } - // - // Parse the destination address from ip header. - // - ZeroMem (&DestIp, sizeof (EFI_IP_ADDRESS)); - if (IpVersion =3D=3D IP_VERSION_4) { - CopyMem ( - &DestIp, - &((IP4_HEAD *) IpHead)->Dst, - sizeof (IP4_ADDR) - ); - } else { - CopyMem ( - &DestIp, - &((EFI_IP6_HEADER *) IpHead)->DestinationAddress, - sizeof (EFI_IP_ADDRESS) - ); - } - - // - // Find the SAD entry in the spd.sas list according to the dest address. 
- // - Entry =3D IpSecLookupSadBySpd (&SpdEntry->Data->Sas, &DestIp, IpVersion); - - if (Entry =3D=3D NULL) { - if (OldLastHead !=3D IP6_ICMP || - (OldLastHead =3D=3D IP6_ICMP && *IpPayload =3D=3D ICMP_V6_ECHO_REQ= UEST) - ) { - // - // Start ike negotiation process except the request packet of ping. - // - if (SpdEntry->Data->ProcessingPolicy->Mode =3D=3D EfiIPsecTunnel) { - IkeNegotiate ( - UdpService, - SpdEntry, - &SpdEntry->Data->ProcessingPolicy->TunnelOption->RemoteTunnelAdd= ress - ); - } else { - IkeNegotiate ( - UdpService, - SpdEntry, - &DestIp - ); - } - - } - - return EFI_NOT_READY; - } - - Data =3D Entry->Data; - - if (!Data->ManualSet) { - if (Data->ESNEnabled) { - // - // Validate the 64bit sn number if 64bit sn enabled. - // - if ((UINT64) (Data->SequenceNumber + 1) =3D=3D 0) { - // - // TODO: Re-negotiate SA - // - return EFI_DEVICE_ERROR; - } - } else { - // - // Validate the 32bit sn number if 64bit sn disabled. - // - SeqNum32 =3D (UINT32) Data->SequenceNumber; - if ((UINT32) (SeqNum32 + 1) =3D=3D 0) { - // - // TODO: Re-negotiate SA - // - return EFI_DEVICE_ERROR; - } - } - } - - *SadEntry =3D Entry; - - return EFI_SUCCESS; -} - -/** - Find a PAD entry according to a remote IP address. - - @param[in] IpVersion The version of IP. - @param[in] IpAddr Points to remote IP address. - - @return the pointer of related PAD entry. - -**/ -IPSEC_PAD_ENTRY * -IpSecLookupPadEntry ( - IN UINT8 IpVersion, - IN EFI_IP_ADDRESS *IpAddr - ) -{ - LIST_ENTRY *PadList; - LIST_ENTRY *Entry; - EFI_IP_ADDRESS_INFO *IpAddrInfo; - IPSEC_PAD_ENTRY *PadEntry; - - PadList =3D &mConfigData[IPsecConfigDataTypePad]; - - for (Entry =3D PadList->ForwardLink; Entry !=3D PadList; Entry =3D Entry= ->ForwardLink) { - - PadEntry =3D IPSEC_PAD_ENTRY_FROM_LIST (Entry); - IpAddrInfo =3D &PadEntry->Id->Id.IpAddress; - // - // Find the right pad entry which contain the appointed dest addr. 
- // - if (IpSecMatchIpAddress (IpVersion, IpAddr, IpAddrInfo, 1)) { - return PadEntry; - } - } - - return NULL; -} - -/** - Check if the specified IP packet can be serviced by this SPD entry. - - @param[in] SpdEntry Point to SPD entry. - @param[in] IpVersion Version of IP. - @param[in] IpHead Point to IP header. - @param[in] IpPayload Point to IP payload. - @param[in] Protocol The Last protocol of IP packet. - @param[in] IsOutbound Traffic direction. - @param[out] Action The support action of SPD entry. - - @retval EFI_SUCCESS Find the related SPD. - @retval EFI_NOT_FOUND Not find the related SPD entry; - -**/ -EFI_STATUS -IpSecLookupSpdEntry ( - IN IPSEC_SPD_ENTRY *SpdEntry, - IN UINT8 IpVersion, - IN VOID *IpHead, - IN UINT8 *IpPayload, - IN UINT8 Protocol, - IN BOOLEAN IsOutbound, - OUT EFI_IPSEC_ACTION *Action - ) -{ - EFI_IPSEC_SPD_SELECTOR *SpdSel; - IP4_HEAD *Ip4; - EFI_IP6_HEADER *Ip6; - EFI_IP_ADDRESS SrcAddr; - EFI_IP_ADDRESS DstAddr; - BOOLEAN SpdMatch; - - ASSERT (SpdEntry !=3D NULL); - SpdSel =3D SpdEntry->Selector; - Ip4 =3D (IP4_HEAD *) IpHead; - Ip6 =3D (EFI_IP6_HEADER *) IpHead; - - ZeroMem (&SrcAddr, sizeof (EFI_IP_ADDRESS)); - ZeroMem (&DstAddr, sizeof (EFI_IP_ADDRESS)); - - // - // Parse the source and destination address from ip header. 
- // - if (IpVersion =3D=3D IP_VERSION_4) { - CopyMem (&SrcAddr, &Ip4->Src, sizeof (IP4_ADDR)); - CopyMem (&DstAddr, &Ip4->Dst, sizeof (IP4_ADDR)); - } else { - CopyMem (&SrcAddr, &Ip6->SourceAddress, sizeof (EFI_IPv6_ADDRESS)); - CopyMem (&DstAddr, &Ip6->DestinationAddress, sizeof (EFI_IPv6_ADDRESS)= ); - } - // - // Check the local and remote addresses for outbound traffic - // - SpdMatch =3D (BOOLEAN)(IsOutbound && - IpSecMatchIpAddress ( - IpVersion, - &SrcAddr, - SpdSel->LocalAddress, - SpdSel->LocalAddressCount - ) && - IpSecMatchIpAddress ( - IpVersion, - &DstAddr, - SpdSel->RemoteAddress, - SpdSel->RemoteAddressCount - ) - ); - - // - // Check the local and remote addresses for inbound traffic - // - SpdMatch =3D (BOOLEAN) (SpdMatch || - (!IsOutbound && - IpSecMatchIpAddress ( - IpVersion, - &DstAddr, - SpdSel->LocalAddress, - SpdSel->LocalAddressCount - ) && - IpSecMatchIpAddress ( - IpVersion, - &SrcAddr, - SpdSel->RemoteAddress, - SpdSel->RemoteAddressCount - ) - )); - - // - // Check the next layer protocol and local and remote ports. - // - SpdMatch =3D (BOOLEAN) (SpdMatch && - IpSecMatchNextLayerProtocol ( - Protocol, - IpPayload, - SpdSel->NextLayerProtocol, - SpdSel->LocalPort, - SpdSel->RemotePort, - IsOutbound - ) - ); - - if (SpdMatch) { - // - // Find the right SPD entry if match the 5 key elements. - // - *Action =3D SpdEntry->Data->Action; - return EFI_SUCCESS; - } - - return EFI_NOT_FOUND; -} - -/** - The call back function of NetbufFromExt. - - @param[in] Arg The argument passed from the caller. - -**/ -VOID -EFIAPI -IpSecOnRecyclePacket ( - IN VOID *Arg - ) -{ -} - -/** - This is a Notification function. It is called when the related IP6_TXTOK= EN_WRAP - is released. - - @param[in] Event The related event. - @param[in] Context The data passed by the caller. 
- -**/ -VOID -EFIAPI -IpSecRecycleCallback ( - IN EFI_EVENT Event, - IN VOID *Context - ) -{ - IPSEC_RECYCLE_CONTEXT *RecycleContext; - - RecycleContext =3D (IPSEC_RECYCLE_CONTEXT *) Context; - - if (RecycleContext->FragmentTable !=3D NULL) { - FreePool (RecycleContext->FragmentTable); - } - - if (RecycleContext->PayloadBuffer !=3D NULL) { - FreePool (RecycleContext->PayloadBuffer); - } - - FreePool (RecycleContext); - gBS->CloseEvent (Event); - -} - -/** - Calculate the extension hader of IP. The return length only doesn't cont= ain - the fixed IP header length. - - @param[in] IpHead Points to an IP head to be calculated. - @param[in] LastHead Points to the last header of the IP heade= r. - - @return The length of the extension header. - -**/ -UINT16 -IpSecGetPlainExtHeadSize ( - IN VOID *IpHead, - IN UINT8 *LastHead - ) -{ - UINT16 Size; - - Size =3D (UINT16) (LastHead - (UINT8 *) IpHead); - - if (Size > sizeof (EFI_IP6_HEADER)) { - // - // * (LastHead+1) point the last header's length but not include the f= irst - // 8 octers, so this formluation add 8 at the end. - // - Size =3D (UINT16) (Size - sizeof (EFI_IP6_HEADER) + *(LastHead + 1) + = 8); - } else { - Size =3D 0; - } - - return Size; -} - -/** - Verify if the Authentication payload is correct. - - @param[in] EspBuffer Points to the ESP wrapped buffer. - @param[in] EspSize The size of the ESP wrapped buffer. - @param[in] SadEntry The related SAD entry to store the authen= tication - algorithm key. - @param[in] IcvSize The length of ICV. - - @retval EFI_SUCCESS The authentication data is correct. - @retval EFI_ACCESS_DENIED The authentication data is not correct. - -**/ -EFI_STATUS -IpSecEspAuthVerifyPayload ( - IN UINT8 *EspBuffer, - IN UINTN EspSize, - IN IPSEC_SAD_ENTRY *SadEntry, - IN UINTN IcvSize - ) -{ - EFI_STATUS Status; - UINTN AuthSize; - UINT8 IcvBuffer[12]; - HASH_DATA_FRAGMENT HashFragment[1]; - - // - // Calculate the size of authentication payload. 
- // - AuthSize =3D EspSize - IcvSize; - - // - // Calculate the icv buffer and size of the payload. - // - HashFragment[0].Data =3D EspBuffer; - HashFragment[0].DataSize =3D AuthSize; - - Status =3D IpSecCryptoIoHmac ( - SadEntry->Data->AlgoInfo.EspAlgoInfo.AuthAlgoId, - SadEntry->Data->AlgoInfo.EspAlgoInfo.AuthKey, - SadEntry->Data->AlgoInfo.EspAlgoInfo.AuthKeyLength, - HashFragment, - 1, - IcvBuffer, - IcvSize - ); - if (EFI_ERROR (Status)) { - return Status; - } - - // - // Compare the calculated icv and the appended original icv. - // - if (CompareMem (EspBuffer + AuthSize, IcvBuffer, IcvSize) =3D=3D 0) { - return EFI_SUCCESS; - } - - DEBUG ((DEBUG_ERROR, "Error auth verify payload\n")); - return EFI_ACCESS_DENIED; -} - -/** - Search the related SAD entry by the input . - - @param[in] IpHead The pointer to IP header. - @param[in] IpVersion The version of IP (IP4 or IP6). - @param[in] Spi The SPI used to search the related SAD entry. - - - @retval NULL Not find the related SAD entry. - @retval IPSEC_SAD_ENTRY Return the related SAD entry. - -**/ -IPSEC_SAD_ENTRY * -IpSecFoundSadFromInboundPacket ( - UINT8 *IpHead, - UINT8 IpVersion, - UINT32 Spi - ) -{ - EFI_IP_ADDRESS DestIp; - - // - // Parse destination address from ip header. - // - ZeroMem (&DestIp, sizeof (EFI_IP_ADDRESS)); - if (IpVersion =3D=3D IP_VERSION_4) { - CopyMem ( - &DestIp, - &((IP4_HEAD *) IpHead)->Dst, - sizeof (IP4_ADDR) - ); - } else { - CopyMem ( - &DestIp, - &((EFI_IP6_HEADER *) IpHead)->DestinationAddress, - sizeof (EFI_IPv6_ADDRESS) - ); - } - - // - // Lookup SAD entry according to the spi and dest address. - // - return IpSecLookupSadBySpi (Spi, &DestIp, IpVersion); -} - -/** - Validate the IP6 extension header format for both the packets we received - and that we will transmit. - - @param[in] NextHeader The next header field in IPv6 basic header. - @param[in] ExtHdrs The first bye of the option. - @param[in] ExtHdrsLen The length of the whole option. 
- @param[out] LastHeader The pointer of NextHeader of the last extension - header processed by IP6. - @param[out] RealExtsLen The length of extension headers processed by I= P6 layer. - This is an optional parameter that may be NULL. - - @retval TRUE The option is properly formated. - @retval FALSE The option is malformated. - -**/ -BOOLEAN -IpSecIsIp6ExtsValid ( - IN UINT8 *NextHeader, - IN UINT8 *ExtHdrs, - IN UINT32 ExtHdrsLen, - OUT UINT8 **LastHeader, - OUT UINT32 *RealExtsLen OPTIONAL - ) -{ - UINT32 Pointer; - UINT8 *Option; - UINT8 OptionLen; - UINT8 CountD; - UINT8 CountF; - UINT8 CountA; - - if (RealExtsLen !=3D NULL) { - *RealExtsLen =3D 0; - } - - *LastHeader =3D NextHeader; - - if (ExtHdrs =3D=3D NULL && ExtHdrsLen =3D=3D 0) { - return TRUE; - } - - if ((ExtHdrs =3D=3D NULL && ExtHdrsLen !=3D 0) || (ExtHdrs !=3D NULL && = ExtHdrsLen =3D=3D 0)) { - return FALSE; - } - - Pointer =3D 0; - CountD =3D 0; - CountF =3D 0; - CountA =3D 0; - - while (Pointer <=3D ExtHdrsLen) { - - switch (*NextHeader) { - case IP6_HOP_BY_HOP: - if (Pointer !=3D 0) { - return FALSE; - } - - // - // Fall through - // - case IP6_DESTINATION: - if (*NextHeader =3D=3D IP6_DESTINATION) { - CountD++; - } - - if (CountD > 2) { - return FALSE; - } - - NextHeader =3D ExtHdrs + Pointer; - - Pointer++; - Option =3D ExtHdrs + Pointer; - OptionLen =3D (UINT8) ((*Option + 1) * 8 - 2); - Option++; - Pointer++; - - Pointer =3D Pointer + OptionLen; - break; - - case IP6_FRAGMENT: - if (++CountF > 1) { - return FALSE; - } - // - // RFC2402, AH header should after fragment header. - // - if (CountA > 1) { - return FALSE; - } - - NextHeader =3D ExtHdrs + Pointer; - Pointer =3D Pointer + 8; - break; - - case IP6_AH: - if (++CountA > 1) { - return FALSE; - } - - Option =3D ExtHdrs + Pointer; - NextHeader =3D Option; - Option++; - // - // RFC2402, Payload length is specified in 32-bit words, minus "2". 
- // - OptionLen =3D (UINT8) ((*Option + 2) * 4); - Pointer =3D Pointer + OptionLen; - break; - - default: - *LastHeader =3D NextHeader; - if (RealExtsLen !=3D NULL) { - *RealExtsLen =3D Pointer; - } - - return TRUE; - } - } - - *LastHeader =3D NextHeader; - - if (RealExtsLen !=3D NULL) { - *RealExtsLen =3D Pointer; - } - - return TRUE; -} - -/** - The actual entry to process the tunnel header and inner header for tunne= l mode - outbound traffic. - - This function is the subfunction of IpSecEspInboundPacket(). It change t= he destination - Ip address to the station address and recalculate the uplayyer's checksu= m. - - - @param[in, out] IpHead Points to the IP header containing th= e ESP header - to be trimed on input, and without ES= P header - on return. - @param[in] IpPayload The decrypted Ip payload. It start fr= om the inner - header. - @param[in] IpVersion The version of IP. - @param[in] SadData Pointer of the relevant SAD. - @param[in, out] LastHead The Last Header in IP header on retur= n. - -**/ -VOID -IpSecTunnelInboundPacket ( - IN OUT UINT8 *IpHead, - IN UINT8 *IpPayload, - IN UINT8 IpVersion, - IN IPSEC_SAD_DATA *SadData, - IN OUT UINT8 *LastHead - ) -{ - EFI_UDP_HEADER *UdpHeader; - TCP_HEAD *TcpHeader; - UINT16 *Checksum; - UINT16 PseudoChecksum; - UINT16 PacketChecksum; - UINT32 OptionLen; - IP6_ICMP_HEAD *Icmp6Head; - - Checksum =3D NULL; - - if (IpVersion =3D=3D IP_VERSION_4) { - // - // Zero OutIP header use this to indicate the input packet is under - // IPsec Tunnel protected. 
- // - ZeroMem ( - (IP4_HEAD *)IpHead, - sizeof (IP4_HEAD) - ); - CopyMem ( - &((IP4_HEAD *)IpPayload)->Dst, - &SadData->TunnelDestAddress.v4, - sizeof (EFI_IPv4_ADDRESS) - ); - - // - // Recalculate IpHeader Checksum - // - if (((IP4_HEAD *)(IpPayload))->Checksum !=3D 0 ) { - ((IP4_HEAD *)(IpPayload))->Checksum =3D 0; - ((IP4_HEAD *)(IpPayload))->Checksum =3D (UINT16) (~NetblockChecksum ( - (UINT8 *)IpPayload, - ((IP4_HEAD *)IpPay= load)->HeadLen << 2 - )); - - - } - - // - // Recalcualte PseudoChecksum - // - switch (((IP4_HEAD *)IpPayload)->Protocol) { - case EFI_IP_PROTO_UDP : - UdpHeader =3D (EFI_UDP_HEADER *)((UINT8 *)IpPayload + (((IP4_HEAD *)= IpPayload)->HeadLen << 2)); - Checksum =3D & UdpHeader->Checksum; - *Checksum =3D 0; - break; - - case EFI_IP_PROTO_TCP: - TcpHeader =3D (TCP_HEAD *) ((UINT8 *)IpPayload + (((IP4_HEAD *)IpPay= load)->HeadLen << 2)); - Checksum =3D &TcpHeader->Checksum; - *Checksum =3D 0; - break; - - default: - break; - } - PacketChecksum =3D NetblockChecksum ( - (UINT8 *)IpPayload + (((IP4_HEAD *)IpPayload)->Head= Len << 2), - NTOHS (((IP4_HEAD *)IpPayload)->TotalLen) - (((IP4_= HEAD *)IpPayload)->HeadLen << 2) - ); - PseudoChecksum =3D NetPseudoHeadChecksum ( - ((IP4_HEAD *)IpPayload)->Src, - ((IP4_HEAD *)IpPayload)->Dst, - ((IP4_HEAD *)IpPayload)->Protocol, - 0 - ); - - if (Checksum !=3D NULL) { - *Checksum =3D NetAddChecksum (PacketChecksum, PseudoChecksum); - *Checksum =3D (UINT16) ~(NetAddChecksum (*Checksum, HTONS((UINT16)= (NTOHS (((IP4_HEAD *)IpPayload)->TotalLen) - (((IP4_HEAD *)IpPayload)->Head= Len << 2))))); - } - }else { - // - // Zero OutIP header use this to indicate the input packet is under - // IPsec Tunnel protected. - // - ZeroMem ( - IpHead, - sizeof (EFI_IP6_HEADER) - ); - CopyMem ( - &((EFI_IP6_HEADER*)IpPayload)->DestinationAddress, - &SadData->TunnelDestAddress.v6, - sizeof (EFI_IPv6_ADDRESS) - ); - - // - // Get the Extension Header and Header length. 
- // - IpSecIsIp6ExtsValid ( - &((EFI_IP6_HEADER *)IpPayload)->NextHeader, - IpPayload + sizeof (EFI_IP6_HEADER), - ((EFI_IP6_HEADER *)IpPayload)->PayloadLength, - &LastHead, - &OptionLen - ); - - // - // Recalcualte PseudoChecksum - // - switch (*LastHead) { - case EFI_IP_PROTO_UDP: - UdpHeader =3D (EFI_UDP_HEADER *)((UINT8 *)IpPayload + sizeof (EFI_= IP6_HEADER) + OptionLen); - Checksum =3D &UdpHeader->Checksum; - *Checksum =3D 0; - break; - - case EFI_IP_PROTO_TCP: - TcpHeader =3D (TCP_HEAD *)(IpPayload + sizeof (EFI_IP6_HEADER) + O= ptionLen); - Checksum =3D &TcpHeader->Checksum; - *Checksum =3D 0; - break; - - case IP6_ICMP: - Icmp6Head =3D (IP6_ICMP_HEAD *) (IpPayload + sizeof (EFI_IP6_HEAD= ER) + OptionLen); - Checksum =3D &Icmp6Head->Checksum; - *Checksum =3D 0; - break; - } - PacketChecksum =3D NetblockChecksum ( - IpPayload + sizeof (EFI_IP6_HEADER) + OptionLen, - NTOHS(((EFI_IP6_HEADER *)IpPayload)->PayloadLengt= h) - OptionLen - ); - PseudoChecksum =3D NetIp6PseudoHeadChecksum ( - &((EFI_IP6_HEADER *)IpPayload)->SourceAddress, - &((EFI_IP6_HEADER *)IpPayload)->DestinationAddres= s, - *LastHead, - 0 - ); - - if (Checksum !=3D NULL) { - *Checksum =3D NetAddChecksum (PacketChecksum, PseudoChecksum); - *Checksum =3D (UINT16) ~(NetAddChecksum ( - *Checksum, - HTONS ((UINT16)((NTOHS (((EFI_IP6_HEADER *)= (IpPayload))->PayloadLength)) - OptionLen)) - )); - } - } -} - -/** - The actual entry to create inner header for tunnel mode inbound traffic. - - This function is the subfunction of IpSecEspOutboundPacket(). It create - the sending packet by encrypting its payload and inserting ESP header in= the orginal - IP header, then return the IpHeader and IPsec protected Fragmentable. - - @param[in, out] IpHead Points to IP header containing the or= ginal IP header - to be processed on input, and inserte= d ESP header - on return. - @param[in] IpVersion The version of IP. - @param[in] SadData The related SAD data. 
- @param[in, out] LastHead The Last Header in IP header. - @param[in] OptionsBuffer Pointer to the options buffer. - @param[in] OptionsLength Length of the options buffer. - @param[in, out] FragmentTable Pointer to a list of fragments to be = protected by - IPsec on input, and with IPsec protec= ted - on return. - @param[in] FragmentCount The number of fragments. - -**/ -UINT8 * -IpSecTunnelOutboundPacket ( - IN OUT UINT8 *IpHead, - IN UINT8 IpVersion, - IN IPSEC_SAD_DATA *SadData, - IN OUT UINT8 *LastHead, - IN VOID **OptionsBuffer, - IN UINT32 *OptionsLength, - IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable, - IN UINT32 *FragmentCount - ) -{ - UINT8 *InnerHead; - NET_BUF *Packet; - UINT16 PacketChecksum; - UINT16 *Checksum; - UINT16 PseudoChecksum; - IP6_ICMP_HEAD *IcmpHead; - - Checksum =3D NULL; - if (OptionsLength =3D=3D NULL) { - return NULL; - } - - if (IpVersion =3D=3D IP_VERSION_4) { - InnerHead =3D AllocateZeroPool (sizeof (IP4_HEAD) + *OptionsLength); - if (InnerHead =3D=3D NULL) { - return NULL; - } - - CopyMem ( - InnerHead, - IpHead, - sizeof (IP4_HEAD) - ); - CopyMem ( - InnerHead + sizeof (IP4_HEAD), - *OptionsBuffer, - *OptionsLength - ); - } else { - InnerHead =3D AllocateZeroPool (sizeof (EFI_IP6_HEADER) + *OptionsLeng= th); - if (InnerHead =3D=3D NULL) { - return NULL; - } - - CopyMem ( - InnerHead, - IpHead, - sizeof (EFI_IP6_HEADER) - ); - CopyMem ( - InnerHead + sizeof (EFI_IP6_HEADER), - *OptionsBuffer, - *OptionsLength - ); - } - if (OptionsBuffer !=3D NULL) { - if (*OptionsLength !=3D 0) { - - *OptionsBuffer =3D NULL; - *OptionsLength =3D 0; - } - } - - // - // 2. Reassamlbe Fragment into Packet - // - Packet =3D NetbufFromExt ( - (NET_FRAGMENT *)(*FragmentTable), - *FragmentCount, - 0, - 0, - IpSecOnRecyclePacket, - NULL - ); - if (Packet =3D=3D NULL) { - FreePool (InnerHead); - return NULL; - } - - // - // 3. Check the Last Header, if it is TCP, UDP or ICMP recalcualate its = pesudo - // CheckSum. 
- // - switch (*LastHead) { - case EFI_IP_PROTO_UDP: - Packet->Udp =3D (EFI_UDP_HEADER *) NetbufGetByte (Packet, 0, 0); - ASSERT (Packet->Udp !=3D NULL); - Checksum =3D &Packet->Udp->Checksum; - *Checksum =3D 0; - break; - - case EFI_IP_PROTO_TCP: - Packet->Tcp =3D (TCP_HEAD *) NetbufGetByte (Packet, 0, 0); - ASSERT (Packet->Tcp !=3D NULL); - Checksum =3D &Packet->Tcp->Checksum; - *Checksum =3D 0; - break; - - case IP6_ICMP: - IcmpHead =3D (IP6_ICMP_HEAD *) NetbufGetByte (Packet, 0, NULL); - ASSERT (IcmpHead !=3D NULL); - Checksum =3D &IcmpHead->Checksum; - *Checksum =3D 0; - break; - - default: - break; - } - - PacketChecksum =3D NetbufChecksum (Packet); - - if (IpVersion =3D=3D IP_VERSION_4) { - // - // Replace the source address of Inner Header. - // - CopyMem ( - &((IP4_HEAD *)InnerHead)->Src, - &SadData->SpdSelector->LocalAddress[0].Address.v4, - sizeof (EFI_IPv4_ADDRESS) - ); - - PacketChecksum =3D NetbufChecksum (Packet); - PseudoChecksum =3D NetPseudoHeadChecksum ( - ((IP4_HEAD *)InnerHead)->Src, - ((IP4_HEAD *)InnerHead)->Dst, - *LastHead, - 0 - ); - - } else { - // - // Replace the source address of Inner Header. - // - CopyMem ( - &((EFI_IP6_HEADER *)InnerHead)->SourceAddress, - &(SadData->SpdSelector->LocalAddress[0].Address.v6), - sizeof (EFI_IPv6_ADDRESS) - ); - PacketChecksum =3D NetbufChecksum (Packet); - PseudoChecksum =3D NetIp6PseudoHeadChecksum ( - &((EFI_IP6_HEADER *)InnerHead)->SourceAddress, - &((EFI_IP6_HEADER *)InnerHead)->DestinationAddress, - *LastHead, - 0 - ); - - } - if (Checksum !=3D NULL) { - *Checksum =3D NetAddChecksum (PacketChecksum, PseudoChecksum); - *Checksum =3D (UINT16) ~(NetAddChecksum ((UINT16)*Checksum, HTONS ((U= INT16) Packet->TotalSize))); - } - - if (Packet !=3D NULL) { - NetbufFree (Packet); - } - return InnerHead; -} - -/** - The actual entry to relative function processes the inbound traffic of E= SP header. - - This function is the subfunction of IpSecProtectInboundPacket(). 
It chec= ks the - received packet security property and trim the ESP header and then retur= ns without - an IPsec protected IP Header and FramgmentTable. - - @param[in] IpVersion The version of IP. - @param[in, out] IpHead Points to the IP header containing th= e ESP header - to be trimed on input, and without ES= P header - on return. - @param[out] LastHead The Last Header in IP header on retur= n. - @param[in, out] OptionsBuffer Pointer to the options buffer. - @param[in, out] OptionsLength Length of the options buffer. - @param[in, out] FragmentTable Pointer to a list of fragments in the= form of IPsec - protected on input, and without IPsec= protected - on return. - @param[in, out] FragmentCount The number of fragments. - @param[out] SpdSelector Pointer to contain the address of SPD= selector on return. - @param[out] RecycleEvent The event for recycling of resources. - - @retval EFI_SUCCESS The operation was successful. - @retval EFI_ACCESS_DENIED One or more following conditions is TRU= E: - - ESP header was not found or mal-forma= t. - - The related SAD entry was not found. - - The related SAD entry does not suppor= t the ESP protocol. - @retval EFI_OUT_OF_RESOURCES The required system resource can't be a= llocated. 
- -**/ -EFI_STATUS -IpSecEspInboundPacket ( - IN UINT8 IpVersion, - IN OUT VOID *IpHead, - OUT UINT8 *LastHead, - IN OUT VOID **OptionsBuffer, - IN OUT UINT32 *OptionsLength, - IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable, - IN OUT UINT32 *FragmentCount, - OUT EFI_IPSEC_SPD_SELECTOR **SpdSelector, - OUT EFI_EVENT *RecycleEvent - ) -{ - EFI_STATUS Status; - NET_BUF *Payload; - UINTN EspSize; - UINTN IvSize; - UINTN BlockSize; - UINTN MiscSize; - UINTN PlainPayloadSize; - UINTN PaddingSize; - UINTN IcvSize; - UINT8 *ProcessBuffer; - EFI_ESP_HEADER *EspHeader; - EFI_ESP_TAIL *EspTail; - EFI_IPSEC_SA_ID *SaId; - IPSEC_SAD_DATA *SadData; - IPSEC_SAD_ENTRY *SadEntry; - IPSEC_RECYCLE_CONTEXT *RecycleContext; - UINT8 NextHeader; - UINT16 IpSecHeadSize; - UINT8 *InnerHead; - - Status =3D EFI_SUCCESS; - Payload =3D NULL; - ProcessBuffer =3D NULL; - RecycleContext =3D NULL; - *RecycleEvent =3D NULL; - PlainPayloadSize =3D 0; - NextHeader =3D 0; - - // - // Build netbuf from fragment table first. - // - Payload =3D NetbufFromExt ( - (NET_FRAGMENT *) *FragmentTable, - *FragmentCount, - 0, - sizeof (EFI_ESP_HEADER), - IpSecOnRecyclePacket, - NULL - ); - if (Payload =3D=3D NULL) { - Status =3D EFI_OUT_OF_RESOURCES; - goto ON_EXIT; - } - - // - // Get the esp size and esp header from netbuf. - // - EspSize =3D Payload->TotalSize; - EspHeader =3D (EFI_ESP_HEADER *) NetbufGetByte (Payload, 0, NULL); - - if (EspHeader =3D=3D NULL) { - Status =3D EFI_ACCESS_DENIED; - goto ON_EXIT; - } - - // - // Parse destination address from ip header and found the related SAD En= try. - // - SadEntry =3D IpSecFoundSadFromInboundPacket ( - IpHead, - IpVersion, - NTOHL (EspHeader->Spi) - ); - - if (SadEntry =3D=3D NULL) { - Status =3D EFI_ACCESS_DENIED; - goto ON_EXIT; - } - - SaId =3D SadEntry->Id; - SadData =3D SadEntry->Data; - - // - // Only support esp protocol currently. 
- // - if (SaId->Proto !=3D EfiIPsecESP) { - Status =3D EFI_ACCESS_DENIED; - goto ON_EXIT; - } - - if (!SadData->ManualSet) { - // - // TODO: Check SA lifetime and sequence number - // - } - - // - // Allocate buffer for decryption and authentication. - // - ProcessBuffer =3D AllocateZeroPool (EspSize); - if (ProcessBuffer =3D=3D NULL) { - Status =3D EFI_OUT_OF_RESOURCES; - goto ON_EXIT; - } - - NetbufCopy (Payload, 0, (UINT32) EspSize, ProcessBuffer); - - // - // Get the IcvSize for authentication and BlockSize/IvSize for Decryptio= n. - // - IcvSize =3D IpSecGetIcvLength (SadEntry->Data->AlgoInfo.EspAlgoInfo.Au= thAlgoId); - IvSize =3D IpSecGetEncryptIvLength (SadEntry->Data->AlgoInfo.EspAlgoI= nfo.EncAlgoId); - BlockSize =3D IpSecGetEncryptBlockSize (SadEntry->Data->AlgoInfo.EspAlgo= Info.EncAlgoId); - - // - // Make sure the ESP packet is not mal-formt. - // 1. Check whether the Espsize is larger than ESP header + IvSize + Esp= Tail + IcvSize. - // 2. Check whether the left payload size is multiple of IvSize. - // - MiscSize =3D sizeof (EFI_ESP_HEADER) + IvSize + IcvSize; - if (EspSize <=3D (MiscSize + sizeof (EFI_ESP_TAIL))) { - Status =3D EFI_ACCESS_DENIED; - goto ON_EXIT; - } - if ((EspSize - MiscSize) % BlockSize !=3D 0) { - Status =3D EFI_ACCESS_DENIED; - goto ON_EXIT; - } - - // - // Authenticate the ESP packet. - // - if (SadData->AlgoInfo.EspAlgoInfo.AuthKey !=3D NULL) { - Status =3D IpSecEspAuthVerifyPayload ( - ProcessBuffer, - EspSize, - SadEntry, - IcvSize - ); - if (EFI_ERROR (Status)) { - goto ON_EXIT; - } - } - // - // Decrypt the payload by the SAD entry if it has decrypt key. 
- // - if (SadData->AlgoInfo.EspAlgoInfo.EncKey !=3D NULL) { - Status =3D IpSecCryptoIoDecrypt ( - SadEntry->Data->AlgoInfo.EspAlgoInfo.EncAlgoId, - SadEntry->Data->AlgoInfo.EspAlgoInfo.EncKey, - SadEntry->Data->AlgoInfo.EspAlgoInfo.EncKeyLength << 3, - ProcessBuffer + sizeof (EFI_ESP_HEADER), - ProcessBuffer + sizeof (EFI_ESP_HEADER) + IvSize, - EspSize - sizeof (EFI_ESP_HEADER) - IvSize - IcvSize, - ProcessBuffer + sizeof (EFI_ESP_HEADER) + IvSize - ); - if (EFI_ERROR (Status)) { - goto ON_EXIT; - } - } - - // - // Parse EspTail and compute the plain payload size. - // - EspTail =3D (EFI_ESP_TAIL *) (ProcessBuffer + EspSize - IcvSiz= e - sizeof (EFI_ESP_TAIL)); - PaddingSize =3D EspTail->PaddingLength; - NextHeader =3D EspTail->NextHeader; - - if (EspSize <=3D (MiscSize + sizeof (EFI_ESP_TAIL) + PaddingSize)) { - Status =3D EFI_ACCESS_DENIED; - goto ON_EXIT; - } - PlainPayloadSize =3D EspSize - MiscSize - sizeof (EFI_ESP_TAIL) - Paddi= ngSize; - - // - // TODO: handle anti-replay window - // - // - // Decryption and authentication with esp has been done, so it's time to - // reload the new packet, create recycle event and fixup ip header. 
- // - RecycleContext =3D AllocateZeroPool (sizeof (IPSEC_RECYCLE_CONTEXT)); - if (RecycleContext =3D=3D NULL) { - Status =3D EFI_OUT_OF_RESOURCES; - goto ON_EXIT; - } - - Status =3D gBS->CreateEvent ( - EVT_NOTIFY_SIGNAL, - TPL_NOTIFY, - IpSecRecycleCallback, - RecycleContext, - RecycleEvent - ); - if (EFI_ERROR (Status)) { - goto ON_EXIT; - } - - // - // The caller will take responsible to handle the original fragment table - // - *FragmentTable =3D AllocateZeroPool (sizeof (EFI_IPSEC_FRAGMENT_DATA)); - if (*FragmentTable =3D=3D NULL) { - Status =3D EFI_OUT_OF_RESOURCES; - goto ON_EXIT; - } - - RecycleContext->PayloadBuffer =3D ProcessBuffer; - RecycleContext->FragmentTable =3D *FragmentTable; - - // - // If Tunnel, recalculate upper-layyer PesudoCheckSum and trim the out - // - if (SadData->Mode =3D=3D EfiIPsecTunnel) { - InnerHead =3D ProcessBuffer + sizeof (EFI_ESP_HEADER) + IvSize; - IpSecTunnelInboundPacket ( - IpHead, - InnerHead, - IpVersion, - SadData, - LastHead - ); - - if (IpVersion =3D=3D IP_VERSION_4) { - (*FragmentTable)[0].FragmentBuffer =3D InnerHead ; - (*FragmentTable)[0].FragmentLength =3D (UINT32) PlainPayloadSize; - - }else { - (*FragmentTable)[0].FragmentBuffer =3D InnerHead; - (*FragmentTable)[0].FragmentLength =3D (UINT32) PlainPayloadSize; - } - } else { - (*FragmentTable)[0].FragmentBuffer =3D ProcessBuffer + sizeof (EFI_ES= P_HEADER) + IvSize; - (*FragmentTable)[0].FragmentLength =3D (UINT32) PlainPayloadSize; - } - - *FragmentCount =3D 1; - - // - // Update the total length field in ip header since processed by esp. 
- // - if (SadData->Mode !=3D EfiIPsecTunnel) { - if (IpVersion =3D=3D IP_VERSION_4) { - ((IP4_HEAD *) IpHead)->TotalLen =3D HTONS ((UINT16) ((((IP4_HEAD *) = IpHead)->HeadLen << 2) + PlainPayloadSize)); - } else { - IpSecHeadSize =3D IpSecGetPlainExtHeadS= ize (IpHead, LastHead); - ((EFI_IP6_HEADER *) IpHead)->PayloadLength =3D HTONS ((UINT16)(IpSec= HeadSize + PlainPayloadSize)); - } - // - // Update the next layer field in ip header since esp header inserted. - // - *LastHead =3D NextHeader; - } - - - // - // Update the SPD association of the SAD entry. - // - *SpdSelector =3D SadData->SpdSelector; - -ON_EXIT: - if (Payload !=3D NULL) { - NetbufFree (Payload); - } - - if (EFI_ERROR (Status)) { - if (ProcessBuffer !=3D NULL) { - FreePool (ProcessBuffer); - } - - if (RecycleContext !=3D NULL) { - FreePool (RecycleContext); - } - - if (*RecycleEvent !=3D NULL) { - gBS->CloseEvent (*RecycleEvent); - } - } - - return Status; -} - -/** - The actual entry to the relative function processes the output traffic u= sing the ESP protocol. - - This function is the subfunction of IpSecProtectOutboundPacket(). It pro= tected - the sending packet by encrypting its payload and inserting ESP header in= the orginal - IP header, then return the IpHeader and IPsec protected Fragmentable. - - @param[in] IpVersion The version of IP. - @param[in, out] IpHead Points to IP header containing the or= ginal IP header - to be processed on input, and inserte= d ESP header - on return. - @param[in, out] LastHead The Last Header in IP header. - @param[in, out] OptionsBuffer Pointer to the options buffer. - @param[in, out] OptionsLength Length of the options buffer. - @param[in, out] FragmentTable Pointer to a list of fragments to be = protected by - IPsec on input, and with IPsec protec= ted - on return. - @param[in, out] FragmentCount The number of fragments. - @param[in] SadEntry The related SAD entry. - @param[out] RecycleEvent The event for recycling of resources. 
- - @retval EFI_SUCCESS The operation was successful. - @retval EFI_OUT_OF_RESOURCES The required system resources can't be = allocated. - -**/ -EFI_STATUS -IpSecEspOutboundPacket ( - IN UINT8 IpVersion, - IN OUT VOID *IpHead, - IN OUT UINT8 *LastHead, - IN OUT VOID **OptionsBuffer, - IN OUT UINT32 *OptionsLength, - IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable, - IN OUT UINT32 *FragmentCount, - IN IPSEC_SAD_ENTRY *SadEntry, - OUT EFI_EVENT *RecycleEvent - ) -{ - EFI_STATUS Status; - UINTN Index; - EFI_IPSEC_SA_ID *SaId; - IPSEC_SAD_DATA *SadData; - IPSEC_RECYCLE_CONTEXT *RecycleContext; - UINT8 *ProcessBuffer; - UINTN BytesCopied; - INTN EncryptBlockSize;// Size of encryption block, 4 by= tes aligned and >=3D 4 - UINTN EspSize; // Total size of esp wrapped ip p= ayload - UINTN IvSize; // Size of IV, optional, might be= 0 - UINTN PlainPayloadSize;// Original IP payload size - UINTN PaddingSize; // Size of padding - UINTN EncryptSize; // Size of data to be encrypted, = start after IV and - // stop before ICV - UINTN IcvSize; // Size of ICV, optional, might b= e 0 - UINT8 *RestOfPayload; // Start of Payload after IV - UINT8 *Padding; // Start address of padding - EFI_ESP_HEADER *EspHeader; // Start address of ESP frame - EFI_ESP_TAIL *EspTail; // Address behind padding - UINT8 *InnerHead; - HASH_DATA_FRAGMENT HashFragment[1]; - - Status =3D EFI_ACCESS_DENIED; - SaId =3D SadEntry->Id; - SadData =3D SadEntry->Data; - ProcessBuffer =3D NULL; - RecycleContext =3D NULL; - *RecycleEvent =3D NULL; - InnerHead =3D NULL; - - if (!SadData->ManualSet && - SadData->AlgoInfo.EspAlgoInfo.EncKey =3D=3D NULL && - SadData->AlgoInfo.EspAlgoInfo.AuthKey =3D=3D NULL - ) { - // - // Invalid manual SAD entry configuration. 
- // - goto ON_EXIT; - } - - // - // Create OutHeader according to Inner Header - // - if (SadData->Mode =3D=3D EfiIPsecTunnel) { - InnerHead =3D IpSecTunnelOutboundPacket ( - IpHead, - IpVersion, - SadData, - LastHead, - OptionsBuffer, - OptionsLength, - FragmentTable, - FragmentCount - ); - - if (InnerHead =3D=3D NULL) { - return EFI_INVALID_PARAMETER; - } - - } - - // - // Calculate enctrypt block size, need iv by default and 4 bytes alignme= nt. - // - EncryptBlockSize =3D 4; - - if (SadData->AlgoInfo.EspAlgoInfo.EncKey !=3D NULL) { - EncryptBlockSize =3D IpSecGetEncryptBlockSize (SadEntry->Data->AlgoIn= fo.EspAlgoInfo.EncAlgoId); - - if (EncryptBlockSize < 0 || (EncryptBlockSize !=3D 1 && EncryptBlockSi= ze % 4 !=3D 0)) { - goto ON_EXIT; - } - } - - // - // Calculate the plain payload size according to the fragment table. - // - PlainPayloadSize =3D 0; - for (Index =3D 0; Index < *FragmentCount; Index++) { - PlainPayloadSize +=3D (*FragmentTable)[Index].FragmentLength; - } - - // - // Add IPHeader size for Tunnel Mode - // - if (SadData->Mode =3D=3D EfiIPsecTunnel) { - if (IpVersion =3D=3D IP_VERSION_4) { - PlainPayloadSize +=3D sizeof (IP4_HEAD); - } else { - PlainPayloadSize +=3D sizeof (EFI_IP6_HEADER); - } - // - // OPtions should be encryption into it - // - PlainPayloadSize +=3D *OptionsLength; - } - - - // - // Calculate icv size, optional by default and 4 bytes alignment. - // - IcvSize =3D 0; - if (SadData->AlgoInfo.EspAlgoInfo.AuthKey !=3D NULL) { - IcvSize =3D IpSecGetIcvLength (SadEntry->Data->AlgoInfo.EspAlgoInfo.Au= thAlgoId); - if (IcvSize % 4 !=3D 0) { - goto ON_EXIT; - } - } - - // - // Calcuate the total size of esp wrapped ip payload. 
- // - IvSize =3D IpSecGetEncryptIvLength (SadEntry->Data->AlgoInfo.EspA= lgoInfo.EncAlgoId); - EncryptSize =3D (PlainPayloadSize + sizeof (EFI_ESP_TAIL) + EncryptBlo= ckSize - 1) / EncryptBlockSize * EncryptBlockSize; - PaddingSize =3D EncryptSize - PlainPayloadSize - sizeof (EFI_ESP_TAIL); - EspSize =3D sizeof (EFI_ESP_HEADER) + IvSize + EncryptSize + IcvSi= ze; - - ProcessBuffer =3D AllocateZeroPool (EspSize); - if (ProcessBuffer =3D=3D NULL) { - Status =3D EFI_OUT_OF_RESOURCES; - goto ON_EXIT; - } - - // - // Calculate esp header and esp tail including header, payload and paddi= ng. - // - EspHeader =3D (EFI_ESP_HEADER *) ProcessBuffer; - RestOfPayload =3D (UINT8 *) (EspHeader + 1) + IvSize; - Padding =3D RestOfPayload + PlainPayloadSize; - EspTail =3D (EFI_ESP_TAIL *) (Padding + PaddingSize); - - // - // Fill the sn and spi fields in esp header. - // - EspHeader->SequenceNumber =3D HTONL ((UINT32) SadData->SequenceNumber + = 1); - //EspHeader->SequenceNumber =3D HTONL ((UINT32) SadData->SequenceNumber); - EspHeader->Spi =3D HTONL (SaId->Spi); - - // - // Copy the rest of payload (after iv) from the original fragment buffer. 
- // - BytesCopied =3D 0; - - // - // For Tunnel Mode - // - if (SadData->Mode =3D=3D EfiIPsecTunnel) { - if (IpVersion =3D=3D IP_VERSION_4) { - // - // HeadLen, Total Length - // - ((IP4_HEAD *)InnerHead)->HeadLen =3D (UINT8) ((sizeof (IP4_HEAD) + = *OptionsLength) >> 2); - ((IP4_HEAD *)InnerHead)->TotalLen =3D HTONS ((UINT16) PlainPayloadSi= ze); - ((IP4_HEAD *)InnerHead)->Checksum =3D 0; - ((IP4_HEAD *)InnerHead)->Checksum =3D (UINT16) (~NetblockChecksum ( - (UINT8 *)InnerHead, - sizeof(IP4_HEAD) - )); - CopyMem ( - RestOfPayload + BytesCopied, - InnerHead, - sizeof (IP4_HEAD) + *OptionsLength - ); - BytesCopied +=3D sizeof (IP4_HEAD) + *OptionsLength; - - } else { - ((EFI_IP6_HEADER *)InnerHead)->PayloadLength =3D HTONS ((UINT16) (Plai= nPayloadSize - sizeof (EFI_IP6_HEADER))); - CopyMem ( - RestOfPayload + BytesCopied, - InnerHead, - sizeof (EFI_IP6_HEADER) + *OptionsLength - ); - BytesCopied +=3D sizeof (EFI_IP6_HEADER) + *OptionsLength; - } - } - - for (Index =3D 0; Index < *FragmentCount; Index++) { - CopyMem ( - (RestOfPayload + BytesCopied), - (*FragmentTable)[Index].FragmentBuffer, - (*FragmentTable)[Index].FragmentLength - ); - BytesCopied +=3D (*FragmentTable)[Index].FragmentLength; - } - // - // Fill the padding buffer by natural number sequence. - // - for (Index =3D 0; Index < PaddingSize; Index++) { - Padding[Index] =3D (UINT8) (Index + 1); - } - // - // Fill the padding length and next header fields in esp tail. - // - EspTail->PaddingLength =3D (UINT8) PaddingSize; - EspTail->NextHeader =3D *LastHead; - - // - // Fill the next header for Tunnel mode. - // - if (SadData->Mode =3D=3D EfiIPsecTunnel) { - if (IpVersion =3D=3D IP_VERSION_4) { - EspTail->NextHeader =3D 4; - } else { - EspTail->NextHeader =3D 41; - } - } - - // - // Generate iv at random by crypt library. 
- // - Status =3D IpSecGenerateIv ( - (UINT8 *) (EspHeader + 1), - IvSize - ); - - - if (EFI_ERROR (Status)) { - goto ON_EXIT; - } - - // - // Encryption the payload (after iv) by the SAD entry if has encrypt key. - // - if (SadData->AlgoInfo.EspAlgoInfo.EncKey !=3D NULL) { - Status =3D IpSecCryptoIoEncrypt ( - SadEntry->Data->AlgoInfo.EspAlgoInfo.EncAlgoId, - SadEntry->Data->AlgoInfo.EspAlgoInfo.EncKey, - SadEntry->Data->AlgoInfo.EspAlgoInfo.EncKeyLength << 3, - (UINT8 *)(EspHeader + 1), - RestOfPayload, - EncryptSize, - RestOfPayload - ); - - if (EFI_ERROR (Status)) { - goto ON_EXIT; - } - } - - // - // Authenticate the esp wrapped buffer by the SAD entry if it has auth k= ey. - // - if (SadData->AlgoInfo.EspAlgoInfo.AuthKey !=3D NULL) { - - HashFragment[0].Data =3D ProcessBuffer; - HashFragment[0].DataSize =3D EspSize - IcvSize; - Status =3D IpSecCryptoIoHmac ( - SadEntry->Data->AlgoInfo.EspAlgoInfo.AuthAlgoId, - SadEntry->Data->AlgoInfo.EspAlgoInfo.AuthKey, - SadEntry->Data->AlgoInfo.EspAlgoInfo.AuthKeyLength, - HashFragment, - 1, - ProcessBuffer + EspSize - IcvSize, - IcvSize - ); - if (EFI_ERROR (Status)) { - goto ON_EXIT; - } - } - - // - // Encryption and authentication with esp has been done, so it's time to - // reload the new packet, create recycle event and fixup ip header. - // - RecycleContext =3D AllocateZeroPool (sizeof (IPSEC_RECYCLE_CONTEXT)); - if (RecycleContext =3D=3D NULL) { - Status =3D EFI_OUT_OF_RESOURCES; - goto ON_EXIT; - } - - Status =3D gBS->CreateEvent ( - EVT_NOTIFY_SIGNAL, - TPL_NOTIFY, - IpSecRecycleCallback, - RecycleContext, - RecycleEvent - ); - if (EFI_ERROR (Status)) { - goto ON_EXIT; - } - // - // Caller take responsible to handle the original fragment table. 
- // - *FragmentTable =3D AllocateZeroPool (sizeof (EFI_IPSEC_FRAGMENT_DATA)); - if (*FragmentTable =3D=3D NULL) { - Status =3D EFI_OUT_OF_RESOURCES; - goto ON_EXIT; - } - - RecycleContext->FragmentTable =3D *FragmentTable; - RecycleContext->PayloadBuffer =3D ProcessBuffer; - (*FragmentTable)[0].FragmentBuffer =3D ProcessBuffer; - (*FragmentTable)[0].FragmentLength =3D (UINT32) EspSize; - *FragmentCount =3D 1; - - // - // Update the total length field in ip header since processed by esp. - // - if (IpVersion =3D=3D IP_VERSION_4) { - ((IP4_HEAD *) IpHead)->TotalLen =3D HTONS ((UINT16) ((((IP4_HEAD *) Ip= Head)->HeadLen << 2) + EspSize)); - } else { - ((EFI_IP6_HEADER *) IpHead)->PayloadLength =3D (UINT16) (IpSecGetPlain= ExtHeadSize (IpHead, LastHead) + EspSize); - } - - // - // If tunnel mode, it should change the outer Ip header with tunnel sour= ce address - // and destination tunnel address. - // - if (SadData->Mode =3D=3D EfiIPsecTunnel) { - if (IpVersion =3D=3D IP_VERSION_4) { - CopyMem ( - &((IP4_HEAD *) IpHead)->Src, - &SadData->TunnelSourceAddress.v4, - sizeof (EFI_IPv4_ADDRESS) - ); - CopyMem ( - &((IP4_HEAD *) IpHead)->Dst, - &SadData->TunnelDestAddress.v4, - sizeof (EFI_IPv4_ADDRESS) - ); - } else { - CopyMem ( - &((EFI_IP6_HEADER *) IpHead)->SourceAddress, - &SadData->TunnelSourceAddress.v6, - sizeof (EFI_IPv6_ADDRESS) - ); - CopyMem ( - &((EFI_IP6_HEADER *) IpHead)->DestinationAddress, - &SadData->TunnelDestAddress.v6, - sizeof (EFI_IPv6_ADDRESS) - ); - } - } - - // - // Update the next layer field in ip header since esp header inserted. - // - *LastHead =3D IPSEC_ESP_PROTOCOL; - - // - // Increase the sn number in SAD entry according to rfc4303. 
- // - SadData->SequenceNumber++; - -ON_EXIT: - if (EFI_ERROR (Status)) { - if (ProcessBuffer !=3D NULL) { - FreePool (ProcessBuffer); - } - - if (RecycleContext !=3D NULL) { - FreePool (RecycleContext); - } - - if (*RecycleEvent !=3D NULL) { - gBS->CloseEvent (*RecycleEvent); - } - } - - return Status; -} - -/** - This function processes the inbound traffic with IPsec. - - It checks the received packet security property, trims the ESP/AH header= , and then - returns without an IPsec protected IP Header and FragmentTable. - - @param[in] IpVersion The version of IP. - @param[in, out] IpHead Points to IP header containing the ES= P/AH header - to be trimed on input, and without ES= P/AH header - on return. - @param[in, out] LastHead The Last Header in IP header on retur= n. - @param[in, out] OptionsBuffer Pointer to the options buffer. - @param[in, out] OptionsLength Length of the options buffer. - @param[in, out] FragmentTable Pointer to a list of fragments in for= m of IPsec - protected on input, and without IPsec= protected - on return. - @param[in, out] FragmentCount The number of fragments. - @param[out] SpdEntry Pointer to contain the address of SPD= entry on return. - @param[out] RecycleEvent The event for recycling of resources. - - @retval EFI_SUCCESS The operation was successful. - @retval EFI_UNSUPPORTED The IPSEC protocol is not supported. - -**/ -EFI_STATUS -IpSecProtectInboundPacket ( - IN UINT8 IpVersion, - IN OUT VOID *IpHead, - IN OUT UINT8 *LastHead, - IN OUT VOID **OptionsBuffer, - IN OUT UINT32 *OptionsLength, - IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable, - IN OUT UINT32 *FragmentCount, - OUT EFI_IPSEC_SPD_SELECTOR **SpdEntry, - OUT EFI_EVENT *RecycleEvent - ) -{ - if (*LastHead =3D=3D IPSEC_ESP_PROTOCOL) { - // - // Process the esp ipsec header of the inbound traffic. 
- // - return IpSecEspInboundPacket ( - IpVersion, - IpHead, - LastHead, - OptionsBuffer, - OptionsLength, - FragmentTable, - FragmentCount, - SpdEntry, - RecycleEvent - ); - } - // - // The other protocols are not supported. - // - return EFI_UNSUPPORTED; -} - -/** - This fucntion processes the output traffic with IPsec. - - It protected the sending packet by encrypting it payload and inserting E= SP/AH header - in the orginal IP header, then return the IpHeader and IPsec protected F= ragmentable. - - @param[in] IpVersion The version of IP. - @param[in, out] IpHead Point to IP header containing the org= inal IP header - to be processed on input, and inserte= d ESP/AH header - on return. - @param[in, out] LastHead The Last Header in IP header. - @param[in, out] OptionsBuffer Pointer to the options buffer. - @param[in, out] OptionsLength Length of the options buffer. - @param[in, out] FragmentTable Pointer to a list of fragments to be = protected by - IPsec on input, and with IPsec protec= ted - on return. - @param[in, out] FragmentCount Number of fragments. - @param[in] SadEntry Related SAD entry. - @param[out] RecycleEvent Event for recycling of resources. - - @retval EFI_SUCCESS The operation is successful. - @retval EFI_UNSUPPORTED If the IPSEC protocol is not supported. - -**/ -EFI_STATUS -IpSecProtectOutboundPacket ( - IN UINT8 IpVersion, - IN OUT VOID *IpHead, - IN OUT UINT8 *LastHead, - IN OUT VOID **OptionsBuffer, - IN OUT UINT32 *OptionsLength, - IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable, - IN OUT UINT32 *FragmentCount, - IN IPSEC_SAD_ENTRY *SadEntry, - OUT EFI_EVENT *RecycleEvent - ) -{ - if (SadEntry->Id->Proto =3D=3D EfiIPsecESP) { - // - // Process the esp ipsec header of the outbound traffic. - // - return IpSecEspOutboundPacket ( - IpVersion, - IpHead, - LastHead, - OptionsBuffer, - OptionsLength, - FragmentTable, - FragmentCount, - SadEntry, - RecycleEvent - ); - } - // - // The other protocols are not supported. 
- // - return EFI_UNSUPPORTED; -} diff --git a/NetworkPkg/IpSecDxe/IpSecImpl.h b/NetworkPkg/IpSecDxe/IpSecImp= l.h deleted file mode 100644 index c5cffede02..0000000000 --- a/NetworkPkg/IpSecDxe/IpSecImpl.h +++ /dev/null @@ -1,384 +0,0 @@ -/** @file - The definitions related to IPsec protocol implementation. - - Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
- - SPDX-License-Identifier: BSD-2-Clause-Patent - -**/ - -#ifndef _IP_SEC_IMPL_H_ -#define _IP_SEC_IMPL_H_ - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -typedef struct _IPSEC_PRIVATE_DATA IPSEC_PRIVATE_DATA; -typedef struct _IPSEC_SPD_ENTRY IPSEC_SPD_ENTRY; -typedef struct _IPSEC_PAD_ENTRY IPSEC_PAD_ENTRY; -typedef struct _IPSEC_SPD_DATA IPSEC_SPD_DATA; - -#define IPSEC_PRIVATE_DATA_SIGNATURE SIGNATURE_32 ('I', 'P', 'S', '= E') - -#define IPSEC_PRIVATE_DATA_FROM_IPSEC(a) CR (a, IPSEC_PRIVATE_DATA, IpS= ec, IPSEC_PRIVATE_DATA_SIGNATURE) -#define IPSEC_PRIVATE_DATA_FROM_UDP4LIST(a) CR (a, IPSEC_PRIVATE_DATA, Udp= 4List, IPSEC_PRIVATE_DATA_SIGNATURE) -#define IPSEC_PRIVATE_DATA_FROM_UDP6LIST(a) CR (a, IPSEC_PRIVATE_DATA, Udp= 6List, IPSEC_PRIVATE_DATA_SIGNATURE) -#define IPSEC_UDP_SERVICE_FROM_LIST(a) BASE_CR (a, IKE_UDP_SERVICE, L= ist) -#define IPSEC_SPD_ENTRY_FROM_LIST(a) BASE_CR (a, IPSEC_SPD_ENTRY, L= ist) -#define IPSEC_SAD_ENTRY_FROM_LIST(a) BASE_CR (a, IPSEC_SAD_ENTRY, L= ist) -#define IPSEC_PAD_ENTRY_FROM_LIST(a) BASE_CR (a, IPSEC_PAD_ENTRY, L= ist) -#define IPSEC_SAD_ENTRY_FROM_SPD(a) BASE_CR (a, IPSEC_SAD_ENTRY, B= ySpd) - -#define IPSEC_STATUS_DISABLED 0 -#define IPSEC_STATUS_ENABLED 1 -#define IPSEC_ESP_PROTOCOL 50 -#define IPSEC_AH_PROTOCOL 51 -#define IPSEC_DEFAULT_VARIABLE_SIZE 0x100 - -// -// Internal Structure Definition -// -#pragma pack(1) -typedef struct _EFI_AH_HEADER { - UINT8 NextHeader; - UINT8 PayloadLen; - UINT16 Reserved; - UINT32 Spi; - UINT32 SequenceNumber; -} EFI_AH_HEADER; - -typedef struct _EFI_ESP_HEADER { - UINT32 Spi; - UINT32 SequenceNumber; -} EFI_ESP_HEADER; - -typedef struct _EFI_ESP_TAIL { - UINT8 PaddingLength; - UINT8 NextHeader; -} EFI_ESP_TAIL; -#pragma pack() - -struct _IPSEC_SPD_DATA { - CHAR16 Name[100]; - UINT32 PackageFlag; - EFI_IPSEC_TRAFFIC_DIR TrafficDirection; - EFI_IPSEC_ACTION Action; - EFI_IPSEC_PROCESS_POLICY *ProcessingPolicy; - LIST_ENTRY 
Sas; -}; - -struct _IPSEC_SPD_ENTRY { - EFI_IPSEC_SPD_SELECTOR *Selector; - IPSEC_SPD_DATA *Data; - LIST_ENTRY List; -}; - -typedef struct _IPSEC_SAD_DATA { - EFI_IPSEC_MODE Mode; - UINT64 SequenceNumber; - UINT8 AntiReplayWindowSize; - UINT64 AntiReplayBitmap[4]; // bitmap for received pack= et - EFI_IPSEC_ALGO_INFO AlgoInfo; - EFI_IPSEC_SA_LIFETIME SaLifetime; - UINT32 PathMTU; - IPSEC_SPD_ENTRY *SpdEntry; - EFI_IPSEC_SPD_SELECTOR *SpdSelector; - BOOLEAN ESNEnabled; // Extended (64-bit) SN ena= bled - BOOLEAN ManualSet; - EFI_IP_ADDRESS TunnelDestAddress; - EFI_IP_ADDRESS TunnelSourceAddress; -} IPSEC_SAD_DATA; - -typedef struct _IPSEC_SAD_ENTRY { - EFI_IPSEC_SA_ID *Id; - IPSEC_SAD_DATA *Data; - LIST_ENTRY List; - LIST_ENTRY BySpd; // Linked on IPSEC_SPD_DATA.= Sas -} IPSEC_SAD_ENTRY; - -struct _IPSEC_PAD_ENTRY { - EFI_IPSEC_PAD_ID *Id; - EFI_IPSEC_PAD_DATA *Data; - LIST_ENTRY List; -}; - -typedef struct _IPSEC_RECYCLE_CONTEXT { - EFI_IPSEC_FRAGMENT_DATA *FragmentTable; - UINT8 *PayloadBuffer; -} IPSEC_RECYCLE_CONTEXT; - -// -// Struct used to store the Hash and its data. -// -typedef struct { - UINTN DataSize; - UINT8 *Data; -} HASH_DATA_FRAGMENT; - -struct _IPSEC_PRIVATE_DATA { - UINT32 Signature; - EFI_HANDLE Handle; // Virtual handle to install= private prtocol - EFI_HANDLE ImageHandle; - EFI_IPSEC2_PROTOCOL IpSec; - EFI_IPSEC_CONFIG_PROTOCOL IpSecConfig; - BOOLEAN SetBySelf; - LIST_ENTRY Udp4List; - UINTN Udp4Num; - LIST_ENTRY Udp6List; - UINTN Udp6Num; - LIST_ENTRY Ikev1SessionList; - LIST_ENTRY Ikev1EstablishedList; - LIST_ENTRY Ikev2SessionList; - LIST_ENTRY Ikev2EstablishedList; - BOOLEAN IsIPsecDisabling; -}; - -/** - This function processes the inbound traffic with IPsec. - - It checks the received packet security property, trims the ESP/AH header= , and then - returns without an IPsec protected IP Header and FragmentTable. - - @param[in] IpVersion The version of IP. 
- @param[in, out] IpHead Points to IP header containing the ES= P/AH header - to be trimed on input, and without ES= P/AH header - on return. - @param[in, out] LastHead The Last Header in IP header on retur= n. - @param[in, out] OptionsBuffer Pointer to the options buffer. - @param[in, out] OptionsLength Length of the options buffer. - @param[in, out] FragmentTable Pointer to a list of fragments in for= m of IPsec - protected on input, and without IPsec= protected - on return. - @param[in, out] FragmentCount The number of fragments. - @param[out] SpdEntry Pointer to contain the address of SPD= entry on return. - @param[out] RecycleEvent The event for recycling of resources. - - @retval EFI_SUCCESS The operation was successful. - @retval EFI_UNSUPPORTED The IPSEC protocol is not supported. - -**/ -EFI_STATUS -IpSecProtectInboundPacket ( - IN UINT8 IpVersion, - IN OUT VOID *IpHead, - IN OUT UINT8 *LastHead, - IN OUT VOID **OptionsBuffer, - IN OUT UINT32 *OptionsLength, - IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable, - IN OUT UINT32 *FragmentCount, - OUT EFI_IPSEC_SPD_SELECTOR **SpdEntry, - OUT EFI_EVENT *RecycleEvent - ); - - -/** - This fucntion processes the output traffic with IPsec. - - It protected the sending packet by encrypting it payload and inserting E= SP/AH header - in the orginal IP header, then return the IpHeader and IPsec protected F= ragmentable. - - @param[in] IpVersion The version of IP. - @param[in, out] IpHead Point to IP header containing the org= inal IP header - to be processed on input, and inserte= d ESP/AH header - on return. - @param[in, out] LastHead The Last Header in IP header. - @param[in, out] OptionsBuffer Pointer to the options buffer. - @param[in, out] OptionsLength Length of the options buffer. - @param[in, out] FragmentTable Pointer to a list of fragments to be = protected by - IPsec on input, and with IPsec protec= ted - on return. - @param[in, out] FragmentCount Number of fragments. - @param[in] SadEntry Related SAD entry. 
- @param[out] RecycleEvent Event for recycling of resources. - - @retval EFI_SUCCESS The operation is successful. - @retval EFI_UNSUPPORTED If the IPSEC protocol is not supported. - -**/ -EFI_STATUS -IpSecProtectOutboundPacket ( - IN UINT8 IpVersion, - IN OUT VOID *IpHead, - IN OUT UINT8 *LastHead, - IN OUT VOID **OptionsBuffer, - IN OUT UINT32 *OptionsLength, - IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable, - IN OUT UINT32 *FragmentCount, - IN IPSEC_SAD_ENTRY *SadEntry, - OUT EFI_EVENT *RecycleEvent - ); - -/** - Check if the IP Address in the address range of AddressInfos specified. - - @param[in] IpVersion The IP version. - @param[in] IpAddr Points to EFI_IP_ADDRESS to be check. - @param[in] AddressInfo A list of EFI_IP_ADDRESS_INFO that is used= to check - the IP Address is matched. - @param[in] AddressCount The total numbers of the AddressInfo. - - @retval TRUE If the Specified IP Address is in the range of the Add= ressInfos specified. - @retval FALSE If the Specified IP Address is not in the range of the= AddressInfos specified. - -**/ -BOOLEAN -IpSecMatchIpAddress ( - IN UINT8 IpVersion, - IN EFI_IP_ADDRESS *IpAddr, - IN EFI_IP_ADDRESS_INFO *AddressInfo, - IN UINT32 AddressCount - ); - -/** - Find a PAD entry according to remote IP address. - - @param[in] IpVersion The version of IP. - @param[in] IpAddr Point to remote IP address. - - @return The pointer of related PAD entry. - -**/ -IPSEC_PAD_ENTRY * -IpSecLookupPadEntry ( - IN UINT8 IpVersion, - IN EFI_IP_ADDRESS *IpAddr - ); - -/** - Check if the specified IP packet can be serviced by this SPD entry. - - @param[in] SpdEntry Point to SPD entry. - @param[in] IpVersion Version of IP. - @param[in] IpHead Point to IP header. - @param[in] IpPayload Point to IP payload. - @param[in] Protocol The Last protocol of IP packet. - @param[in] IsOutbound Traffic direction. - @param[out] Action The support action of SPD entry. - - @retval EFI_SUCCESS Find the related SPD. 
- @retval EFI_NOT_FOUND Not find the related SPD entry; - -**/ -EFI_STATUS -IpSecLookupSpdEntry ( - IN IPSEC_SPD_ENTRY *SpdEntry, - IN UINT8 IpVersion, - IN VOID *IpHead, - IN UINT8 *IpPayload, - IN UINT8 Protocol, - IN BOOLEAN IsOutbound, - OUT EFI_IPSEC_ACTION *Action - ); - -/** - Look up if there is existing SAD entry for specified IP packet sending. - - This function is called by the IPsecProcess when there is some IP packet= needed to - send out. This function checks if there is an existing SAD entry that ca= n be serviced - to this IP packet sending. If no existing SAD entry could be used, this - function will invoke an IPsec Key Exchange Negotiation. - - @param[in] Private Points to private data. - @param[in] NicHandle Points to a NIC handle. - @param[in] IpVersion The version of IP. - @param[in] IpHead The IP Header of packet to be sent out. - @param[in] IpPayload The IP Payload to be sent out. - @param[in] OldLastHead The Last protocol of the IP packet. - @param[in] SpdEntry Points to a related SPD entry. - @param[out] SadEntry Contains the Point of a related SAD entry. - - @retval EFI_DEVICE_ERROR One of following conditions is TRUE: - - If don't find related UDP service. - - Sequence Number is used up. - - Extension Sequence Number is used up. - @retval EFI_NOT_READY No existing SAD entry could be used. - @retval EFI_SUCCESS Find the related SAD entry. - -**/ -EFI_STATUS -IpSecLookupSadEntry ( - IN IPSEC_PRIVATE_DATA *Private, - IN EFI_HANDLE NicHandle, - IN UINT8 IpVersion, - IN VOID *IpHead, - IN UINT8 *IpPayload, - IN UINT8 OldLastHead, - IN IPSEC_SPD_ENTRY *SpdEntry, - OUT IPSEC_SAD_ENTRY **SadEntry - ); - -/** - Find the SAD through whole SAD list. - - @param[in] Spi The SPI used to search the SAD entry. - @param[in] DestAddress The destination used to search the SAD ent= ry. - @param[in] IpVersion The IP version. Ip4 or Ip6. - - @return The pointer to a certain SAD entry. 
- -**/ -IPSEC_SAD_ENTRY * -IpSecLookupSadBySpi ( - IN UINT32 Spi, - IN EFI_IP_ADDRESS *DestAddress, - IN UINT8 IpVersion - ) -; - -/** - Handles IPsec packet processing for inbound and outbound IP packets. - - The EFI_IPSEC_PROCESS process routine handles each inbound or outbound p= acket. - The behavior is that it can perform one of the following actions: - bypass the packet, discard the packet, or protect the packet. - - @param[in] This Pointer to the EFI_IPSEC2_PROTOCOL inst= ance. - @param[in] NicHandle Instance of the network interface. - @param[in] IpVersion IPV4 or IPV6. - @param[in, out] IpHead Pointer to the IP Header. - @param[in, out] LastHead The protocol of the next layer to be pr= ocessed by IPsec. - @param[in, out] OptionsBuffer Pointer to the options buffer. - @param[in, out] OptionsLength Length of the options buffer. - @param[in, out] FragmentTable Pointer to a list of fragments. - @param[in, out] FragmentCount Number of fragments. - @param[in] TrafficDirection Traffic direction. - @param[out] RecycleSignal Event for recycling of resources. - - @retval EFI_SUCCESS The packet was bypassed and all buffers= remain the same. - @retval EFI_SUCCESS The packet was protected. - @retval EFI_ACCESS_DENIED The packet was discarded. - -**/ -EFI_STATUS -EFIAPI -IpSecProcess ( - IN EFI_IPSEC2_PROTOCOL *This, - IN EFI_HANDLE NicHandle, - IN UINT8 IpVersion, - IN OUT VOID *IpHead, - IN OUT UINT8 *LastHead, - IN OUT VOID **OptionsBuffer, - IN OUT UINT32 *OptionsLength, - IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable, - IN OUT UINT32 *FragmentCount, - IN EFI_IPSEC_TRAFFIC_DIR TrafficDirection, - OUT EFI_EVENT *RecycleSignal - ); - -extern EFI_DPC_PROTOCOL *mDpc; -extern EFI_IPSEC2_PROTOCOL mIpSecInstance; - -extern EFI_COMPONENT_NAME2_PROTOCOL gIpSecComponentName2; -extern EFI_COMPONENT_NAME_PROTOCOL gIpSecComponentName; - - -#endif 
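Review bot: the `extern EFI_IPSEC2_PROTOCOL mIpSecInstance;` declaration removed at the end of this hunk is the handle through which IpSecDxe published its EFI_IPSEC2_PROTOCOL instance (the IpSecProcess prototype just above it is the Process member), so the commit message should say what the IP stack does for consumers that locate that protocol once no driver installs it; the visible Process contract ("bypass the packet, discard the packet, or protect the packet") means an absent protocol must degrade to bypass, and a platform that previously depended on the discard or protect outcome loses that enforcement silently. One sentence in the commit message about the expected behaviour after removal, plus a pointer to the bugzilla entry, would make the change reviewable without reading the deleted driver.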
diff --git a/NetworkPkg/IpSecDxe/IpSecMain.c b/NetworkPkg/IpSecDxe/IpSecMai= n.c deleted file mode 100644 index 276426ea1f..0000000000 --- a/NetworkPkg/IpSecDxe/IpSecMain.c +++ /dev/null @@ -1,236 +0,0 @@ -/** @file - The mian interface of IPsec Protocol. - - Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
- - SPDX-License-Identifier: BSD-2-Clause-Patent - -**/ - -#include "IpSecConfigImpl.h" -#include "IpSecImpl.h" - -EFI_IPSEC2_PROTOCOL mIpSecInstance =3D { IpSecProcess, NULL, TRUE }; - -/** - Handles IPsec packet processing for inbound and outbound IP packets. - - The EFI_IPSEC_PROCESS process routine handles each inbound or outbound p= acket. - The behavior is that it can perform one of the following actions: - bypass the packet, discard the packet, or protect the packet. - - @param[in] This Pointer to the EFI_IPSEC2_PROTOCOL inst= ance. - @param[in] NicHandle Instance of the network interface. - @param[in] IpVersion IPV4 or IPV6. - @param[in, out] IpHead Pointer to the IP Header. - @param[in, out] LastHead The protocol of the next layer to be pr= ocessed by IPsec. - @param[in, out] OptionsBuffer Pointer to the options buffer. - @param[in, out] OptionsLength Length of the options buffer. - @param[in, out] FragmentTable Pointer to a list of fragments. - @param[in, out] FragmentCount Number of fragments. - @param[in] TrafficDirection Traffic direction. - @param[out] RecycleSignal Event for recycling of resources. - - @retval EFI_SUCCESS The packet was bypassed and all buffers= remain the same. - @retval EFI_SUCCESS The packet was protected. - @retval EFI_ACCESS_DENIED The packet was discarded. 
- -**/ -EFI_STATUS -EFIAPI -IpSecProcess ( - IN EFI_IPSEC2_PROTOCOL *This, - IN EFI_HANDLE NicHandle, - IN UINT8 IpVersion, - IN OUT VOID *IpHead, - IN OUT UINT8 *LastHead, - IN OUT VOID **OptionsBuffer, - IN OUT UINT32 *OptionsLength, - IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable, - IN OUT UINT32 *FragmentCount, - IN EFI_IPSEC_TRAFFIC_DIR TrafficDirection, - OUT EFI_EVENT *RecycleSignal - ) -{ - IPSEC_PRIVATE_DATA *Private; - IPSEC_SPD_ENTRY *SpdEntry; - EFI_IPSEC_SPD_SELECTOR *SpdSelector; - IPSEC_SAD_ENTRY *SadEntry; - LIST_ENTRY *SpdList; - LIST_ENTRY *Entry; - EFI_IPSEC_ACTION Action; - EFI_STATUS Status; - UINT8 *IpPayload; - UINT8 OldLastHead; - BOOLEAN IsOutbound; - - if (OptionsBuffer =3D=3D NULL || - OptionsLength =3D=3D NULL || - FragmentTable =3D=3D NULL || - FragmentCount =3D=3D NULL - ) { - return EFI_INVALID_PARAMETER; - } - Private =3D IPSEC_PRIVATE_DATA_FROM_IPSEC (This); - IpPayload =3D (*FragmentTable)[0].FragmentBuffer; - IsOutbound =3D (BOOLEAN) ((TrafficDirection =3D=3D EfiIPsecOutBound= ) ? TRUE : FALSE); - OldLastHead =3D *LastHead; - *RecycleSignal =3D NULL; - SpdList =3D &mConfigData[IPsecConfigDataTypeSpd]; - - if (!IsOutbound) { - // - // For inbound traffic, process the ipsec header of the packet. - // - Status =3D IpSecProtectInboundPacket ( - IpVersion, - IpHead, - LastHead, - OptionsBuffer, - OptionsLength, - FragmentTable, - FragmentCount, - &SpdSelector, - RecycleSignal - ); - - if (Status =3D=3D EFI_ACCESS_DENIED || Status =3D=3D EFI_OUT_OF_RESOUR= CES) { - // - // The packet is denied to access. - // - goto ON_EXIT; - } - - if (Status =3D=3D EFI_SUCCESS) { - - // - // Check the spd entry if the packet is accessible. 
- // - if (SpdSelector =3D=3D NULL) { - Status =3D EFI_ACCESS_DENIED; - goto ON_EXIT; - } - - Status =3D EFI_ACCESS_DENIED; - NET_LIST_FOR_EACH (Entry, SpdList) { - SpdEntry =3D IPSEC_SPD_ENTRY_FROM_LIST (Entry); - if (IsSubSpdSelector ( - (EFI_IPSEC_CONFIG_SELECTOR *) SpdSelector, - (EFI_IPSEC_CONFIG_SELECTOR *) SpdEntry->Selector - )) { - Status =3D EFI_SUCCESS; - } - } - goto ON_EXIT; - } - } - - Status =3D EFI_ACCESS_DENIED; - - NET_LIST_FOR_EACH (Entry, SpdList) { - // - // For outbound and non-ipsec Inbound traffic: check the spd entry. - // - SpdEntry =3D IPSEC_SPD_ENTRY_FROM_LIST (Entry); - - if (EFI_ERROR (IpSecLookupSpdEntry ( - SpdEntry, - IpVersion, - IpHead, - IpPayload, - OldLastHead, - IsOutbound, - &Action - ))) { - // - // If the related SPD not find - // - continue; - } - - switch (Action) { - - case EfiIPsecActionProtect: - - if (IsOutbound) { - // - // For outbound traffic, lookup the sad entry. - // - Status =3D IpSecLookupSadEntry ( - Private, - NicHandle, - IpVersion, - IpHead, - IpPayload, - OldLastHead, - SpdEntry, - &SadEntry - ); - - if (SadEntry !=3D NULL) { - // - // Process the packet by the found sad entry. - // - Status =3D IpSecProtectOutboundPacket ( - IpVersion, - IpHead, - LastHead, - OptionsBuffer, - OptionsLength, - FragmentTable, - FragmentCount, - SadEntry, - RecycleSignal - ); - - } else if (OldLastHead =3D=3D IP6_ICMP && *IpPayload !=3D ICMP_V6_= ECHO_REQUEST) { - // - // TODO: if no need return not ready to upper layer, change here. - // - Status =3D EFI_SUCCESS; - } - } else if (OldLastHead =3D=3D IP6_ICMP && *IpPayload !=3D ICMP_V6_EC= HO_REQUEST) { - // - // For inbound icmpv6 traffic except ping request, accept the pack= et - // although no sad entry associated with protect spd entry. 
- // - Status =3D IpSecLookupSadEntry ( - Private, - NicHandle, - IpVersion, - IpHead, - IpPayload, - OldLastHead, - SpdEntry, - &SadEntry - ); - if (SadEntry =3D=3D NULL) { - Status =3D EFI_SUCCESS; - } - } - - goto ON_EXIT; - - case EfiIPsecActionBypass: - Status =3D EFI_SUCCESS; - goto ON_EXIT; - - case EfiIPsecActionDiscard: - goto ON_EXIT; - } - } - - // - // If don't find the related SPD entry, return the EFI_ACCESS_DENIED and= discard it. - // But it the packet is NS/NA, it should be by passed even not find the = related SPD entry. - // - if (OldLastHead =3D=3D IP6_ICMP && - (*IpPayload =3D=3D ICMP_V6_NEIGHBOR_SOLICIT || *IpPayload =3D=3D ICM= P_V6_NEIGHBOR_ADVERTISE) - ){ - Status =3D EFI_SUCCESS; - } - -ON_EXIT: - return Status; -} - diff --git a/NetworkPkg/NetworkPkg.dec b/NetworkPkg/NetworkPkg.dec index 1aa7c1ed31..25964539ed 100644 --- a/NetworkPkg/NetworkPkg.dec +++ b/NetworkPkg/NetworkPkg.dec @@ -49,42 +49,11 @@ [PcdsFixedAtBuild] ## The max attempt number will be created by iSCSI driver. # @Prompt Max attempt number. gEfiNetworkPkgTokenSpaceGuid.PcdMaxIScsiAttemptNumber|0x08|UINT8|0x00000= 00D =20 -[PcdsFeatureFlag] - ## Indicates if the IPsec IKEv2 Certificate Authentication feature is en= abled or not.

- # TRUE - Certificate Authentication feature is enabled.
- # FALSE - Does not support Certificate Authentication.
- # @Prompt Enable IPsec IKEv2 Certificate Authentication. - gEfiNetworkPkgTokenSpaceGuid.PcdIpsecCertificateEnabled|TRUE|BOOLEAN|0x0= 0000007 - [PcdsFixedAtBuild, PcdsPatchableInModule] - ## CA certificate used by IPsec. - # @Prompt CA file. - gEfiNetworkPkgTokenSpaceGuid.PcdIpsecUefiCaFile|{0x30, 0x82, 0x02, 0x76,= 0x30, 0x82, 0x01, 0xDF, 0xA0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x09, 0x00, 0x= 80, 0x1D, 0xB9, 0x63, 0x93, 0x7C, 0x9D, 0xE0, 0x30, 0x0D, 0x06, 0x09, 0x2A,= 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x04, 0x05, 0x00, 0x30, 0x74, 0x= 31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x0A, 0x4D, 0x79,= 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x41, 0x31, 0x0B, 0x30, 0x09, 0x= 06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x02, 0x48, 0x5A, 0x31, 0x0B, 0x30, 0x09,= 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x43, 0x4E, 0x31, 0x1C, 0x30, 0x= 1A, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16,= 0x0D, 0x74, 0x65, 0x73, 0x74, 0x40, 0x63, 0x65, 0x72, 0x74, 0x2E, 0x63, 0x= 6F, 0x6D, 0x31, 0x25, 0x30, 0x23, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x13, 0x1C,= 0x52, 0x6F, 0x6F, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x= 63, 0x61, 0x74, 0x69, 0x6F, 0x6E, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6F, 0x72= , 0x69, 0x74, 0x79, 0x30, 0x1E, 0x17, 0x0D, 0x31, 0x30, 0x31, 0x31, 0x30, 0= x31, 0x30, 0x31, 0x35, 0x33, 0x33, 0x37, 0x5A, 0x17, 0x0D, 0x31, 0x31, 0x31= , 0x31, 0x30, 0x31, 0x30, 0x31, 0x35, 0x33, 0x33, 0x37, 0x5A, 0x30, 0x74, 0= x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x0A, 0x4D, 0x79= , 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x41, 0x31, 0x0B, 0x30, 0x09, 0= x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x02, 0x48, 0x5A, 0x31, 0x0B, 0x30, 0x09= , 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x43, 0x4E, 0x31, 0x1C, 0x30, 0= x1A, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16= , 0x0D, 0x74, 0x65, 0x73, 0x74, 0x40, 0x63, 0x65, 0x72, 0x74, 0x2E, 0x63, 0= x6F, 0x6D, 0x31, 0x25, 0x30, 0x23, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x13, 
0x1= C, 0x52, 0x6F, 0x6F, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, = 0x63, 0x61, 0x74, 0x69, 0x6F, 0x6E, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6F, 0x7= 2, 0x69, 0x74, 0x79, 0x30, 0x81, 0x9F, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, = 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x81, 0x8D, 0x0= 0, 0x30, 0x81, 0x89, 0x02, 0x81, 0x81, 0x00, 0xFC, 0x80, 0x5D, 0x32, 0x55, = 0xC7, 0x4C, 0xC6, 0xA8, 0x2F, 0xF7, 0xEC, 0x1F, 0x75, 0x48, 0x02, 0x79, 0xE= B, 0xDF, 0x17, 0x1B, 0x08, 0xBA, 0x21, 0xDD, 0xE5, 0x43, 0x06, 0xE8, 0x81, = 0xC5, 0x50, 0x3C, 0x18, 0xDD, 0x53, 0xF4, 0xC9, 0xC9, 0xE1, 0x7A, 0xD3, 0x= B3, 0x99, 0xA7, 0xC6, 0x43, 0x2A, 0x51, 0x65, 0x10, 0x93, 0xBA, 0x5F, 0x48,= 0xAC, 0x54, 0x12, 0x70, 0x9E, 0xF2, 0x9E, 0x7D, 0xF7, 0x22, 0xAA, 0xB7, 0= x19, 0xDE, 0xA9, 0x4D, 0x55, 0xAA, 0x41, 0x8F, 0x08, 0xBD, 0x74, 0xFA, 0xE5= , 0x57, 0x13, 0xB4, 0x30, 0x9A, 0xBA, 0x56, 0x01, 0x55, 0x8A, 0x9B, 0x5B, = 0x50, 0x29, 0x82, 0xF9, 0x00, 0x69, 0x7E, 0x7B, 0x91, 0xA7, 0x2D, 0x48, 0x= 1A, 0x93, 0x7C, 0xA2, 0xF9, 0x06, 0x64, 0x4B, 0x80, 0xF8, 0x47, 0x58, 0x45,= 0x90, 0x09, 0xEA, 0xD6, 0x7B, 0x85, 0x49, 0x2A, 0x4E, 0xB6, 0x71, 0x02, 0x= 03, 0x01, 0x00, 0x01, 0xA3, 0x10, 0x30, 0x0E, 0x30, 0x0C, 0x06, 0x03, 0x55,= 0x1D, 0x13, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xFF, 0x30, 0x0D, 0x06, 0x= 09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x04, 0x05, 0x00, 0x03,= 0x81, 0x81, 0x00, 0xEF, 0x38, 0x6A, 0x43, 0x1C, 0x1D, 0x37, 0xBD, 0xF7, 0x= CF, 0x15, 0x6A, 0x99, 0x44, 0xE1, 0xFC, 0x68, 0x6E, 0x91, 0x31, 0x9C, 0x1E,= 0x8C, 0x1F, 0x72, 0x4B, 0x93, 0x16, 0x1F, 0x06, 0xFE, 0x94, 0xA9, 0x41, 0= x64, 0x81, 0xFD, 0xFF, 0xE7, 0x27, 0x4D, 0xE7, 0x59, 0x55, 0xE1, 0x20, 0x1= 4, 0x07, 0x3C, 0x26, 0x78, 0xB0, 0x72, 0x48, 0x76, 0x0C, 0x8B, 0x3F, 0x08, = 0xD0, 0x75, 0x7D, 0x76, 0xA4, 0xB5, 0x56, 0xA6, 0xC9, 0x88, 0x17, 0x27, 0x9= 5, 0x85, 0xEE, 0x42, 0x1E, 0x15, 0x0B, 0x05, 0xDC, 0x2F, 0x97, 0x7B, 0x26, = 0x82, 0x62, 0x23, 0xDF, 0xBF, 0x55, 0x09, 0xBF, 0x5E, 0x28, 0x1A, 0xCA, 0x1= B, 
0xEC, 0xA4, 0x81, 0xB7, 0x9D, 0x91, 0xC9, 0x60, 0x5B, 0x29, 0x2B, 0x4C, = 0x6F, 0x8B, 0xCC, 0x17, 0xA8, 0xD6, 0x5D, 0x6B, 0xBC, 0x0D, 0x03, 0x31, 0xB= 0, 0x57, 0xC9, 0xF8, 0x59, 0x88, 0x3D}|VOID*|0x00000001 - - ## CA certificate file's size. - # @Prompt CA file's size. - gEfiNetworkPkgTokenSpaceGuid.PcdIpsecUefiCaFileSize|0x0000027A|UINT32|0x= 00000002 - - ## X509 certificate as Public Key which is used by IPsec (DER format) - # @Prompt Pubic Key for remote peer. - gEfiNetworkPkgTokenSpaceGuid.PcdIpsecUefiCertificate|{0x30, 0x82, 0x02, = 0x4D, 0x30, 0x82, 0x01, 0xB6, 0x02, 0x01, 0x01, 0x30, 0x0D, 0x06, 0x09, 0x2= A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x04, 0x05, 0x00, 0x30, 0x74, = 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x0A, 0x4D, 0x7= 9, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x41, 0x31, 0x0B, 0x30, 0x09, = 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x02, 0x48, 0x5A, 0x31, 0x0B, 0x30, 0x0= 9, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x43, 0x4E, 0x31, 0x1C, 0x30, = 0x1A, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 0x1= 6, 0x0D, 0x74, 0x65, 0x73, 0x74, 0x40, 0x63, 0x65, 0x72, 0x74, 0x2E, 0x63, = 0x6F, 0x6D, 0x31, 0x25, 0x30, 0x23, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x13, 0x1= C, 0x52, 0x6F, 0x6F, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, = 0x63, 0x61, 0x74, 0x69, 0x6F, 0x6E, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6F, 0x7= 2, 0x69, 0x74, 0x79, 0x30, 0x1E, 0x17, 0x0D, 0x31, 0x30, 0x31, 0x31, 0x30, = 0x31, 0x30, 0x32, 0x30, 0x34, 0x35, 0x39, 0x5A, 0x17, 0x0D, 0x31, 0x31, 0x3= 1, 0x31, 0x30, 0x31, 0x30, 0x32, 0x30, 0x34, 0x35, 0x39, 0x5A, 0x30, 0x6A, = 0x31, 0x0D, 0x30, 0x0B, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x04, 0x55, 0x4= 5, 0x46, 0x49, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, = 0x02, 0x53, 0x48, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x1= 3, 0x02, 0x43, 0x4E, 0x31, 0x23, 0x30, 0x21, 0x06, 0x09, 0x2A, 0x86, 0x48, = 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16, 0x14, 0x75, 0x65, 0x66, 
0x69, 0x2= E, 0x74, 0x69, 0x61, 0x6E, 0x6F, 0x40, 0x69, 0x6E, 0x74, 0x65, 0x6C, 0x2E, = 0x63, 0x6F, 0x6D, 0x31, 0x0C, 0x30, 0x0A, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x1= 3, 0x03, 0x53, 0x53, 0x47, 0x31, 0x0C, 0x30, 0x0A, 0x06, 0x03, 0x55, 0x04, = 0x0A, 0x13, 0x03, 0x53, 0x53, 0x47, 0x30, 0x81, 0x9F, 0x30, 0x0D, 0x06, 0x0= 9, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, = 0x81, 0x8D, 0x00, 0x30, 0x81, 0x89, 0x02, 0x81, 0x81, 0x00, 0xE9, 0x90, 0x4= 7, 0x0D, 0x79, 0x93, 0xED, 0xF5, 0xBD, 0xC9, 0x56, 0x03, 0xDF, 0xE2, 0x71, = 0xA9, 0x42, 0x3B, 0x20, 0x1E, 0xAF, 0x88, 0x9D, 0x3F, 0xE1, 0xDE, 0x61, 0xE= E, 0x83, 0xC4, 0x2E, 0x48, 0x7A, 0x1F, 0x86, 0x54, 0xD2, 0xD5, 0x61, 0x94, = 0xE1, 0x15, 0x79, 0x65, 0xCB, 0x39, 0xEE, 0x78, 0x68, 0x3D, 0x2C, 0xEB, 0xE= 4, 0x7A, 0x8D, 0x98, 0x14, 0x28, 0x7E, 0x6B, 0xFD, 0xC5, 0xF5, 0x1B, 0x62, = 0xB9, 0x86, 0x7C, 0xA1, 0x7C, 0xE9, 0x8F, 0xC8, 0xF4, 0xF3, 0x95, 0x5A, 0xA= F, 0x0C, 0x21, 0x39, 0xEA, 0x47, 0x5A, 0x1E, 0xBD, 0xBE, 0x7F, 0x1B, 0x0F, = 0x31, 0xFB, 0xBD, 0x57, 0xAE, 0xD7, 0xCB, 0x46, 0x83, 0x8B, 0x16, 0x19, 0x7= 4, 0xD9, 0x9E, 0x2D, 0x18, 0xE6, 0xA4, 0x5F, 0x90, 0x90, 0x54, 0xE1, 0x4B, = 0x7B, 0x57, 0x76, 0xBD, 0xF4, 0xC0, 0x4D, 0x79, 0x5F, 0x64, 0x6C, 0x0D, 0x2= D, 0x02, 0x03, 0x01, 0x00, 0x01, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, = 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x04, 0x05, 0x00, 0x03, 0x81, 0x81, 0x00, 0x5= A, 0x80, 0x5F, 0xD3, 0x3C, 0x93, 0x81, 0xB9, 0x1B, 0xAA, 0x08, 0x1F, 0x47, = 0x9C, 0x88, 0xF3, 0x1E, 0xE6, 0x6B, 0xBB, 0x99, 0xE6, 0x23, 0x1A, 0xCB, 0x= 25, 0x81, 0x54, 0x51, 0x88, 0xDF, 0x9B, 0xC6, 0xBF, 0x60, 0xDB, 0x6C, 0x5D= , 0x69, 0xB1, 0x3A, 0xDE, 0x94, 0xEE, 0xD7, 0x6C, 0xF2, 0x2D, 0x63, 0xD3, 0= xB3, 0xAB, 0xE6, 0xB5, 0x0A, 0xBF, 0xCE, 0x61, 0xC0, 0xD3, 0x73, 0x9E, 0x80= , 0xB5, 0x0C, 0xC0, 0x03, 0x57, 0xA9, 0x56, 0x59, 0x1B, 0xA2, 0x99, 0x03, = 0xA6, 0xA3, 0xC4, 0x59, 0xB3, 0xD9, 0x14, 0xA1, 0x34, 0x18, 0xF3, 0x73, 0xB= 8, 0x54, 0xAA, 0xED, 0x7D, 0x31, 0x3E, 0x23, 0xAD, 0xF1, 0x86, 
0xF7, 0xE6, = 0xD9, 0x01, 0x0D, 0x68, 0xC6, 0xC5, 0x95, 0x18, 0xD2, 0x89, 0xB7, 0x06, 0x9= 6, 0xC9, 0x11, 0xB9, 0xF0, 0xDA, 0xD9, 0x02, 0x25, 0xC4, 0xB9, 0x72, 0xF8, = 0x6D, 0xC5, 0x5B}|VOID*|0x00000003 - - ## X509 certificate as Public Key's size. - # @Prompt Pubic Key's size. - gEfiNetworkPkgTokenSpaceGuid.PcdIpsecUefiCertificateSize|0x251|UINT32|0x= 00000004 - - ## Private Key used by IPsec (PEM format). - # @Prompt Private Key. - gEfiNetworkPkgTokenSpaceGuid.PcdIpsecUefiCertificateKey|{0x2D, 0x2D, 0x2= D, 0x2D, 0x2D, 0x42, 0x45, 0x47, 0x49, 0x4E, 0x20, 0x52, 0x53, 0x41, 0x20, = 0x50, 0x52, 0x49, 0x56, 0x41, 0x54, 0x45, 0x20, 0x4B, 0x45, 0x59, 0x2D, 0x= 2D, 0x2D, 0x2D, 0x2D, 0x0A, 0x50, 0x72, 0x6F, 0x63, 0x2D, 0x54, 0x79, 0x70,= 0x65, 0x3A, 0x20, 0x34, 0x2C, 0x45, 0x4E, 0x43, 0x52, 0x59, 0x50, 0x54, 0= x45, 0x44, 0x0A, 0x44, 0x45, 0x4B, 0x2D, 0x49, 0x6E, 0x66, 0x6F, 0x3A, 0x2= 0, 0x44, 0x45, 0x53, 0x2D, 0x45, 0x44, 0x45, 0x33, 0x2D, 0x43, 0x42, 0x43, = 0x2C, 0x32, 0x42, 0x31, 0x46, 0x42, 0x41, 0x43, 0x41, 0x38, 0x36, 0x32, 0x= 36, 0x33, 0x34, 0x41, 0x37, 0x0A, 0x0A, 0x61, 0x52, 0x78, 0x49, 0x58, 0x33= , 0x59, 0x4D, 0x68, 0x49, 0x50, 0x41, 0x73, 0x59, 0x79, 0x6F, 0x6A, 0x49, = 0x76, 0x46, 0x7A, 0x42, 0x75, 0x6B, 0x74, 0x6B, 0x4A, 0x47, 0x5A, 0x38, 0x4= D, 0x64, 0x33, 0x5A, 0x53, 0x73, 0x39, 0x41, 0x2B, 0x52, 0x2B, 0x57, 0x45,= 0x59, 0x41, 0x70, 0x34, 0x63, 0x4F, 0x55, 0x43, 0x4A, 0x78, 0x51, 0x2F, 0= x66, 0x4A, 0x38, 0x58, 0x4F, 0x45, 0x64, 0x58, 0x38, 0x0A, 0x31, 0x63, 0x4= E, 0x66, 0x4B, 0x2B, 0x49, 0x62, 0x76, 0x4B, 0x4D, 0x68, 0x55, 0x67, 0x30, = 0x4B, 0x4E, 0x35, 0x38, 0x37, 0x71, 0x66, 0x2F, 0x4C, 0x31, 0x76, 0x57, 0x= 58, 0x6F, 0x31, 0x74, 0x5A, 0x6B, 0x59, 0x2B, 0x5A, 0x53, 0x4E, 0x63, 0x46= , 0x45, 0x41, 0x76, 0x37, 0x43, 0x43, 0x50, 0x51, 0x6B, 0x64, 0x4A, 0x42, = 0x48, 0x35, 0x65, 0x6B, 0x35, 0x44, 0x51, 0x2F, 0x37, 0x6D, 0x71, 0x55, 0x= 0A, 0x6B, 0x76, 0x78, 0x48, 0x53, 0x50, 0x70, 0x34, 0x66, 0x41, 0x71, 0x47,= 0x61, 0x68, 0x54, 0x31, 0x75, 0x37, 
0x37, 0x56, 0x66, 0x4E, 0x66, 0x31, 0= x53, 0x74, 0x61, 0x73, 0x31, 0x6E, 0x4F, 0x67, 0x6A, 0x50, 0x31, 0x41, 0x6= C, 0x7A, 0x6E, 0x6B, 0x6A, 0x57, 0x61, 0x72, 0x6A, 0x51, 0x4F, 0x73, 0x48,= 0x46, 0x33, 0x41, 0x46, 0x31, 0x62, 0x61, 0x51, 0x4A, 0x50, 0x5A, 0x31, 0x= 6A, 0x71, 0x4C, 0x0A, 0x61, 0x30, 0x49, 0x45, 0x6E, 0x30, 0x6C, 0x59, 0x6C= , 0x78, 0x35, 0x79, 0x4D, 0x6D, 0x78, 0x54, 0x47, 0x57, 0x79, 0x52, 0x35, = 0x70, 0x57, 0x51, 0x35, 0x71, 0x66, 0x78, 0x2B, 0x62, 0x37, 0x64, 0x37, 0x= 75, 0x71, 0x67, 0x47, 0x69, 0x66, 0x36, 0x6A, 0x44, 0x47, 0x4D, 0x37, 0x68= , 0x38, 0x43, 0x78, 0x2F, 0x74, 0x67, 0x2B, 0x61, 0x62, 0x45, 0x31, 0x34, 0= x30, 0x2F, 0x50, 0x66, 0x6C, 0x33, 0x0A, 0x33, 0x6A, 0x50, 0x6C, 0x52, 0x7= 5, 0x73, 0x57, 0x6F, 0x6F, 0x63, 0x49, 0x41, 0x76, 0x49, 0x74, 0x79, 0x51,= 0x6D, 0x39, 0x39, 0x71, 0x74, 0x34, 0x64, 0x6E, 0x74, 0x6E, 0x74, 0x6F, 0= x4A, 0x43, 0x6D, 0x4F, 0x53, 0x79, 0x71, 0x67, 0x4D, 0x6E, 0x76, 0x2F, 0x76= , 0x2B, 0x51, 0x48, 0x74, 0x79, 0x4D, 0x73, 0x42, 0x64, 0x38, 0x34, 0x78, = 0x45, 0x57, 0x46, 0x36, 0x72, 0x58, 0x4D, 0x52, 0x63, 0x0A, 0x53, 0x2B, 0x= 66, 0x68, 0x54, 0x71, 0x58, 0x74, 0x54, 0x38, 0x44, 0x50, 0x65, 0x70, 0x2F= , 0x56, 0x44, 0x66, 0x65, 0x78, 0x6B, 0x41, 0x63, 0x6D, 0x63, 0x75, 0x41, = 0x69, 0x6F, 0x2B, 0x79, 0x64, 0x51, 0x75, 0x49, 0x31, 0x32, 0x7A, 0x50, 0x7= 0, 0x45, 0x68, 0x50, 0x45, 0x68, 0x31, 0x44, 0x50, 0x58, 0x73, 0x64, 0x58,= 0x67, 0x64, 0x77, 0x39, 0x75, 0x46, 0x47, 0x6D, 0x63, 0x35, 0x68, 0x52, 0= x0A, 0x35, 0x31, 0x57, 0x41, 0x31, 0x65, 0x63, 0x44, 0x48, 0x6A, 0x31, 0x5= 8, 0x32, 0x45, 0x72, 0x36, 0x39, 0x59, 0x70, 0x31, 0x50, 0x69, 0x43, 0x37, = 0x49, 0x47, 0x79, 0x6F, 0x71, 0x57, 0x43, 0x37, 0x69, 0x2F, 0x71, 0x6D, 0x= 6D, 0x72, 0x49, 0x66, 0x6F, 0x41, 0x54, 0x74, 0x39, 0x58, 0x34, 0x30, 0x54= , 0x56, 0x63, 0x37, 0x42, 0x63, 0x6A, 0x34, 0x63, 0x54, 0x31, 0x78, 0x37, = 0x6B, 0x70, 0x4F, 0x0A, 0x4C, 0x71, 0x67, 0x33, 0x6C, 0x50, 0x78, 0x33, 0x2= B, 0x4A, 0x63, 0x33, 0x43, 0x67, 0x34, 0x79, 0x5A, 0x54, 
0x66, 0x6E, 0x4A,= 0x5A, 0x37, 0x48, 0x76, 0x36, 0x64, 0x68, 0x67, 0x45, 0x6D, 0x70, 0x4D, 0= x73, 0x74, 0x46, 0x65, 0x35, 0x34, 0x49, 0x53, 0x76, 0x74, 0x38, 0x37, 0x5= 9, 0x4E, 0x77, 0x74, 0x4C, 0x65, 0x6C, 0x34, 0x67, 0x50, 0x4A, 0x79, 0x53,= 0x42, 0x30, 0x4B, 0x76, 0x37, 0x69, 0x0A, 0x33, 0x32, 0x74, 0x37, 0x67, 0x= 4F, 0x30, 0x79, 0x6D, 0x73, 0x62, 0x71, 0x4A, 0x55, 0x75, 0x79, 0x41, 0x68= , 0x47, 0x64, 0x33, 0x63, 0x2B, 0x78, 0x4C, 0x46, 0x2F, 0x63, 0x63, 0x4F, = 0x57, 0x44, 0x52, 0x34, 0x79, 0x72, 0x30, 0x6A, 0x79, 0x64, 0x74, 0x70, 0x= 79, 0x69, 0x64, 0x52, 0x45, 0x66, 0x56, 0x46, 0x66, 0x53, 0x6C, 0x39, 0x54,= 0x30, 0x6D, 0x53, 0x72, 0x4E, 0x76, 0x43, 0x71, 0x45, 0x0A, 0x52, 0x52, 0= x5A, 0x6E, 0x42, 0x56, 0x76, 0x37, 0x50, 0x66, 0x6C, 0x75, 0x72, 0x31, 0x5= 9, 0x35, 0x70, 0x2F, 0x65, 0x78, 0x54, 0x63, 0x56, 0x34, 0x72, 0x4B, 0x52,= 0x69, 0x6C, 0x35, 0x58, 0x6A, 0x2F, 0x39, 0x59, 0x56, 0x31, 0x4E, 0x6E, 0= x6D, 0x4E, 0x2B, 0x2F, 0x31, 0x31, 0x74, 0x36, 0x58, 0x74, 0x6A, 0x72, 0x75= , 0x52, 0x62, 0x33, 0x79, 0x70, 0x38, 0x76, 0x64, 0x6C, 0x61, 0x65, 0x5A, = 0x0A, 0x6C, 0x67, 0x45, 0x69, 0x73, 0x30, 0x42, 0x7A, 0x4B, 0x59, 0x39, 0x= 59, 0x64, 0x58, 0x48, 0x64, 0x46, 0x58, 0x57, 0x59, 0x4F, 0x41, 0x71, 0x50= , 0x48, 0x45, 0x65, 0x4B, 0x57, 0x79, 0x61, 0x59, 0x5A, 0x56, 0x79, 0x43, 0= x70, 0x51, 0x65, 0x43, 0x53, 0x71, 0x4F, 0x71, 0x48, 0x38, 0x67, 0x42, 0x6= B, 0x4F, 0x62, 0x43, 0x69, 0x72, 0x41, 0x6A, 0x65, 0x56, 0x70, 0x35, 0x7A,= 0x37, 0x6B, 0x31, 0x0A, 0x64, 0x4F, 0x2F, 0x6D, 0x56, 0x74, 0x49, 0x2B, 0= x57, 0x47, 0x30, 0x48, 0x72, 0x37, 0x5A, 0x4C, 0x53, 0x52, 0x78, 0x6F, 0x61= , 0x44, 0x47, 0x42, 0x33, 0x4E, 0x35, 0x38, 0x4B, 0x56, 0x45, 0x4F, 0x34, = 0x65, 0x46, 0x56, 0x75, 0x6E, 0x59, 0x77, 0x51, 0x42, 0x54, 0x7A, 0x4F, 0x= 65, 0x57, 0x39, 0x6C, 0x4B, 0x79, 0x49, 0x38, 0x67, 0x4D, 0x45, 0x57, 0x6C= , 0x62, 0x4B, 0x72, 0x41, 0x45, 0x49, 0x0A, 0x46, 0x4B, 0x38, 0x7A, 0x58, = 0x6F, 0x44, 0x74, 0x39, 0x6A, 0x7A, 0x54, 0x37, 0x67, 0x68, 0x6A, 0x79, 0x4= 5, 
0x54, 0x67, 0x44, 0x6C, 0x69, 0x50, 0x53, 0x49, 0x46, 0x6A, 0x79, 0x31,= 0x64, 0x6B, 0x6A, 0x6D, 0x68, 0x53, 0x78, 0x79, 0x6A, 0x67, 0x62, 0x71, 0= x45, 0x3D, 0x0A, 0x2D, 0x2D, 0x2D, 0x2D, 0x2D, 0x45, 0x4E, 0x44, 0x20, 0x5= 2, 0x53, 0x41, 0x20, 0x50, 0x52, 0x49, 0x56, 0x41, 0x54, 0x45, 0x20, 0x4B, = 0x45, 0x59, 0x2D, 0x2D, 0x2D, 0x2D, 0x2D, 0x0A}|VOID*|0x00000005 - - ## Private Key's size. - # @Prompt Private Key's size. - gEfiNetworkPkgTokenSpaceGuid.PcdIpsecUefiCertificateKeySize|0x3d5|UINT32= |0x00000006 - ## Indicates whether HTTP connections (i.e., unsecured) are permitted or= not. # TRUE - HTTP connections are allowed. Both the "https://" and "http://= " URI schemes are permitted. # FALSE - HTTP connections are denied. Only the "https://" URI scheme is= permitted. # @Prompt Indicates whether HTTP connections are permitted or not. gEfiNetworkPkgTokenSpaceGuid.PcdAllowHttpConnections|FALSE|BOOLEAN|0x000= 00008 diff --git a/NetworkPkg/NetworkPkg.dsc b/NetworkPkg/NetworkPkg.dsc index 66d43bec12..b5416b1614 100644 --- a/NetworkPkg/NetworkPkg.dsc +++ b/NetworkPkg/NetworkPkg.dsc 
@@ -110,15 +110,13 @@ NetworkPkg/HttpDxe/HttpDxe.inf NetworkPkg/HttpUtilitiesDxe/HttpUtilitiesDxe.inf NetworkPkg/HttpBootDxe/HttpBootDxe.inf NetworkPkg/WifiConnectionManagerDxe/WifiConnectionManagerDxe.inf =20 - NetworkPkg/Application/IpsecConfig/IpSecConfig.inf NetworkPkg/Application/VConfig/VConfig.inf =20 [Components.IA32, Components.X64] - NetworkPkg/IpSecDxe/IpSecDxe.inf NetworkPkg/IScsiDxe/IScsiDxe.inf NetworkPkg/UefiPxeBcDxe/UefiPxeBcDxe.inf NetworkPkg/TlsDxe/TlsDxe.inf NetworkPkg/TlsAuthConfigDxe/TlsAuthConfigDxe.inf =20 --=20 2.16.2.windows.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#39389): https://edk2.groups.io/g/devel/message/39389 Mute This Topic: https://groups.io/mt/31305481/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
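Review bot: the commit message justifies the IpSecMain.c deletion only with "has security risks", yet the deleted IpSecProcess body itself documents the behaviour a reader would want named: inbound ICMPv6 other than echo requests is accepted with EFI_SUCCESS when a protect SPD entry matches but no SAD entry exists ("accept the packet although no sad entry associated with protect spd entry"), and NS/NA packets are passed when no SPD entry matches at all ("it should be by passed even not find the related SPD entry"). Summarise that concern in the commit message and reference the bugzilla entry, so the rationale survives the code it describes and the same fall-through is not reintroduced later.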
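Review bot: the NetworkPkg.dec hunk deletes the whole `[PcdsFeatureFlag]` section together with PcdIpsecCertificateEnabled, and removes PcdIpsecUefiCaFile, PcdIpsecUefiCaFileSize, PcdIpsecUefiCertificate, PcdIpsecUefiCertificateSize, PcdIpsecUefiCertificateKey and PcdIpsecUefiCertificateKeySize (token numbers 0x00000001 through 0x00000007) from `[PcdsFixedAtBuild, PcdsPatchableInModule]`; any platform DSC that overrides one of these PCDs will now fail with an undeclared-PCD build error, so the commit message should call out the removed PCD names as a breaking change rather than mentioning only the driver and application. The deletion is otherwise welcome: the removed defaults embed a "My Test CA" certificate chain and a PEM `-----BEGIN RSA PRIVATE KEY-----` block (DEK-Info: DES-EDE3-CBC) as package-wide build constants, which is exactly the kind of checked-in credential that should not ship in a package declaration. Also make sure the freed token numbers are not reused by a later PCD with a different type, since platforms may still carry the old names in their DSC files for a while.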
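Review bot: the NetworkPkg.dsc hunk removes `NetworkPkg/Application/IpsecConfig/IpSecConfig.inf` from the common components and `NetworkPkg/IpSecDxe/IpSecDxe.inf` from `[Components.IA32, Components.X64]`, which keeps the package build green, but platform DSC and FDF files outside NetworkPkg that list those two .inf paths (or include the IpSecDxe FFS in a firmware volume) will fail once the directories are gone; the commit message should name both paths as removed so platform owners can grep for them, and this patch should land together with, or after, the corresponding platform clean-up. Note too that this section of the patch shows only the IpSecDxe sources being deleted; confirm the IpsecConfig application directory deletion is part of the same series, since the dsc no longer references it.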