diff --git a/NetworkPkg/Ip6Dxe/Ip6Impl.c b/NetworkPkg/Ip6Dxe/Ip6Impl.c index 9b34eceeb7..9775aec778 100644 --- a/NetworkPkg/Ip6Dxe/Ip6Impl.c +++ b/NetworkPkg/Ip6Dxe/Ip6Impl.c @@ -15,7 +15,7 @@ #include "Ip6Impl.h" -EFI_IPSEC_PROTOCOL *mIpSec = NULL; +EFI_IPSEC2_PROTOCOL *mIpSec = NULL; EFI_IP6_PROTOCOL mEfiIp6ProtocolTemplete = { EfiIp6GetModeData, diff --git a/NetworkPkg/Ip6Dxe/Ip6Impl.h b/NetworkPkg/Ip6Dxe/Ip6Impl.h index 524de5e256..1241e63669 100644 --- a/NetworkPkg/Ip6Dxe/Ip6Impl.h +++ b/NetworkPkg/Ip6Dxe/Ip6Impl.h @@ -89,7 +89,7 @@ #define IP6_NO_MAPPING(IpInstance) (!(IpInstance)->Interface->Configured) -extern EFI_IPSEC_PROTOCOL *mIpSec; +extern EFI_IPSEC2_PROTOCOL *mIpSec; // // IP6_TXTOKEN_WRAP wraps the upper layer's transmit token. diff --git a/NetworkPkg/Ip6Dxe/Ip6Input.c b/NetworkPkg/Ip6Dxe/Ip6Input.c index c18811b611..f63c1afa82 100644 --- a/NetworkPkg/Ip6Dxe/Ip6Input.c +++ b/NetworkPkg/Ip6Dxe/Ip6Input.c @@ -481,11 +481,11 @@ Ip6IpSecFree ( actions: bypass the packet, discard the packet, or protect the packet. @param[in] IpSb The IP6 service instance. - @param[in] Head The caller-supplied IP6 header. + @param[in, out] Head The caller-supplied IP6 header. @param[in, out] LastHead The next header field of last IP header. @param[in, out] Netbuf The IP6 packet to be processed by IPsec. - @param[in] ExtHdrs The caller-supplied options. - @param[in] ExtHdrsLen The length of the option. + @param[in, out] ExtHdrs The caller-supplied options. + @param[in, out] ExtHdrsLen The length of the option. @param[in] Direction The directionality in an SPD entry, EfiIPsecInBound, or EfiIPsecOutBound. @param[in] Context The token's wrap. 
@@ -501,18 +501,20 @@ Ip6IpSecFree ( **/ EFI_STATUS Ip6IpSecProcessPacket ( - IN IP6_SERVICE *IpSb, - IN EFI_IP6_HEADER *Head, - IN OUT UINT8 *LastHead, - IN OUT NET_BUF **Netbuf, - IN VOID *ExtHdrs, - IN UINT32 ExtHdrsLen, - IN EFI_IPSEC_TRAFFIC_DIR Direction, - IN VOID *Context + IN IP6_SERVICE *IpSb, + IN OUT EFI_IP6_HEADER **Head, + IN OUT UINT8 *LastHead, + IN OUT NET_BUF **Netbuf, + IN OUT UINT8 **ExtHdrs, + IN OUT UINT32 *ExtHdrsLen, + IN EFI_IPSEC_TRAFFIC_DIR Direction, + IN VOID *Context ) { NET_FRAGMENT *FragmentTable; + NET_FRAGMENT *OriginalFragmentTable; UINT32 FragmentCount; + UINT32 OriginalFragmentCount; EFI_EVENT RecycleEvent; NET_BUF *Packet; IP6_TXTOKEN_WRAP *TxWrap; @@ -520,6 +522,7 @@ Ip6IpSecProcessPacket ( EFI_STATUS Status; EFI_IP6_HEADER *PacketHead; UINT8 *Buf; + EFI_IP6_HEADER ZeroHead; Status = EFI_SUCCESS; Packet = *Netbuf; @@ -530,6 +533,7 @@ Ip6IpSecProcessPacket ( Buf = NULL; TxWrap = (IP6_TXTOKEN_WRAP *) Context; FragmentCount = Packet->BlockOpNum; + ZeroMem (&ZeroHead, sizeof (EFI_IP6_HEADER)); if (mIpSec == NULL) { gBS->LocateProtocol (&gEfiIpSecProtocolGuid, NULL, (VOID **) &mIpSec); @@ -562,7 +566,7 @@ Ip6IpSecProcessPacket ( // // Bypass all multicast inbound or outbound traffic. // - if (IP6_IS_MULTICAST (&Head->DestinationAddress) || IP6_IS_MULTICAST (&Head->SourceAddress)) { + if (IP6_IS_MULTICAST (&(*Head)->DestinationAddress) || IP6_IS_MULTICAST (&(*Head)->SourceAddress)) { goto ON_EXIT; } @@ -577,6 +581,8 @@ Ip6IpSecProcessPacket ( } Status = NetbufBuildExt (Packet, FragmentTable, &FragmentCount); + OriginalFragmentTable = FragmentTable; + OriginalFragmentCount = FragmentCount; if (EFI_ERROR(Status)) { FreePool (FragmentTable); 
@@ -586,16 +592,16 @@ Ip6IpSecProcessPacket ( // // Convert host byte order to network byte order // - Ip6NtohHead (Head); + Ip6NtohHead (*Head); - Status = mIpSec->Process ( + Status = mIpSec->ProcessExt ( mIpSec, IpSb->Controller, IP_VERSION_6, - (VOID *) Head, + (VOID *) (*Head), LastHead, - NULL, - 0, + (VOID **) ExtHdrs, + ExtHdrsLen, (EFI_IPSEC_FRAGMENT_DATA **) (&FragmentTable), &FragmentCount, Direction, @@ -604,14 +610,20 @@ Ip6IpSecProcessPacket ( // // Convert back to host byte order // - Ip6NtohHead (Head); + Ip6NtohHead (*Head); if (EFI_ERROR (Status)) { goto ON_EXIT; } - if (Direction == EfiIPsecOutBound && TxWrap != NULL) { + if (OriginalFragmentCount == FragmentCount && OriginalFragmentTable == FragmentTable) { + // + // For ByPass Packet + // + goto ON_EXIT; + } + if (Direction == EfiIPsecOutBound && TxWrap != NULL) { TxWrap->IpSecRecycleSignal = RecycleEvent; TxWrap->Packet = NetbufFromExt ( FragmentTable, @@ -626,6 +638,13 @@ Ip6IpSecProcessPacket ( goto ON_EXIT; } + CopyMem ( + IP6_GET_CLIP_INFO (TxWrap->Packet), + IP6_GET_CLIP_INFO (Packet), + sizeof (IP6_CLIP_INFO) + ); + + NetIpSecNetbufFree(Packet); *Netbuf = TxWrap->Packet; } else { @@ -652,11 +671,11 @@ Ip6IpSecProcessPacket ( goto ON_EXIT; } - if (Direction == EfiIPsecInBound) { + if (Direction == EfiIPsecInBound && 0 != CompareMem (&ZeroHead, *Head, sizeof (EFI_IP6_HEADER))) { PacketHead = (EFI_IP6_HEADER *) NetbufAllocSpace ( Packet, - sizeof (EFI_IP6_HEADER) + ExtHdrsLen, + sizeof (EFI_IP6_HEADER) + *ExtHdrsLen, NET_BUF_HEAD ); if (PacketHead == NULL) { 
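Review bot: The bypass test in the @@ -604 hunk, `OriginalFragmentCount == FragmentCount && OriginalFragmentTable == FragmentTable`, infers "IPsec bypassed the packet" from pointer identity of the fragment table, so an IPsec implementation that protects or strips the payload in place (same table pointer, same count) would be treated as bypassed and the rebuilt header and packet skipped. If EFI_IPSEC2_PROTOCOL.ProcessExt does guarantee a fresh table whenever it touches the packet, state that above the check: `// ProcessExt hands back a new fragment table whenever it modifies the packet; an unchanged table and count means the packet was bypassed.` The all-zero header compared in the @@ -652 hunk is likewise an undocumented in-band sentinel; a one-line comment saying that an all-zero IPv6 header marks a tunnel-mode packet whose inner header is still to be parsed would help the next reader. The body of Ip6IpSecProcessPacket continues outside these hunks.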
@@ -664,22 +683,22 @@ Ip6IpSecProcessPacket ( goto ON_EXIT; } - CopyMem (PacketHead, Head, sizeof (EFI_IP6_HEADER)); + CopyMem (PacketHead, *Head, sizeof (EFI_IP6_HEADER)); + *Head = PacketHead; Packet->Ip.Ip6 = PacketHead; - if (ExtHdrs != NULL) { + if (*ExtHdrs != NULL) { Buf = (UINT8 *) (PacketHead + 1); - CopyMem (Buf, ExtHdrs, ExtHdrsLen); + CopyMem (Buf, *ExtHdrs, *ExtHdrsLen); } - NetbufTrim (Packet, sizeof (EFI_IP6_HEADER) + ExtHdrsLen, TRUE); + NetbufTrim (Packet, sizeof (EFI_IP6_HEADER) + *ExtHdrsLen, TRUE); CopyMem ( IP6_GET_CLIP_INFO (Packet), IP6_GET_CLIP_INFO (IpSecWrap->Packet), sizeof (IP6_CLIP_INFO) ); } - *Netbuf = Packet; } 
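Review bot: In this hunk NetbufAllocSpace reserves `sizeof (EFI_IP6_HEADER) + *ExtHdrsLen` bytes, but the copy into `Buf` is guarded only by `*ExtHdrs != NULL`, so a non-zero `*ExtHdrsLen` with a NULL `*ExtHdrs` would leave the extension-header region uninitialized yet still counted by the following NetbufTrim. Either tie the two together, `if (*ExtHdrs != NULL && *ExtHdrsLen != 0) {`, and reject the mismatched combination, or document why ProcessExt cannot return it. Since `*Head` is redirected to `PacketHead` here, the caller now holds a pointer into Packet's buffer; a comment noting that `*Head` aliases `*Netbuf` after this call would keep a caller from retaining it across a NetbufFree. The function's ON_EXIT label lies outside the hunk.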
@@ -688,73 +707,72 @@ ON_EXIT: } /** - The IP6 input routine. It is called by the IP6_INTERFACE when an - IP6 fragment is received from MNP. + Pre-process the IPv6 packet. First validates the IPv6 packet, and + then reassembles packet if it is necessary. - @param[in] Packet The IP6 packet received. - @param[in] IoStatus The return status of receive request. - @param[in] Flag The link layer flag for the packet received, such - as multicast. - @param[in] Context The IP6 service instance that owns the MNP. + @param[in] IpSb The IP6 service instance. + @param[in, out] Packet The received IP6 packet to be processed. + @param[in] Flag The link layer flag for the packet received, such + as multicast. + @param[out] Payload The pointer to the payload of the recieved packet. + it starts from the first byte of the extension header. + @param[out] LastHead The pointer of NextHeader of the last extension + header processed by IP6. + @param[out] ExtHdrsLen The length of the whole option. + @param[out] UnFragmentLen The length of unfragmented length of extension headers. + @param[out] Fragmented Indicate whether the packet is fragmented. + @param[out] Head The pointer to the EFI_IP6_Header. + + @retval EFI_SUCCESS The received packet is well format. + @retval EFI_INVALID_PARAMETER The received packet is malformed. 
**/ -VOID -Ip6AcceptFrame ( - IN NET_BUF *Packet, - IN EFI_STATUS IoStatus, - IN UINT32 Flag, - IN VOID *Context +EFI_STATUS +Ip6PreProcessPacket ( + IN IP6_SERVICE *IpSb, + IN OUT NET_BUF **Packet, + IN UINT32 Flag, + OUT UINT8 **Payload, + OUT UINT8 **LastHead, + OUT UINT32 *ExtHdrsLen, + OUT UINT32 *UnFragmentLen, + OUT BOOLEAN *Fragmented, + OUT EFI_IP6_HEADER **Head + + ) { - IP6_SERVICE *IpSb; - IP6_CLIP_INFO *Info; - EFI_IP6_HEADER *Head; UINT16 PayloadLen; - UINT8 *Payload; UINT16 TotalLen; - UINT8 *LastHead; UINT32 FormerHeadOffset; - UINT32 UnFragmentLen; - UINT32 ExtHdrsLen; UINT32 HeadLen; - BOOLEAN Fragmented; IP6_FRAGMENT_HEADER *FragmentHead; UINT16 FragmentOffset; - EFI_STATUS Status; + IP6_CLIP_INFO *Info; EFI_IPv6_ADDRESS Loopback; - IpSb = (IP6_SERVICE *) Context; - NET_CHECK_SIGNATURE (IpSb, IP6_SERVICE_SIGNATURE); - - Payload = NULL; - - // - // Check input parameters - // - if (EFI_ERROR (IoStatus) || (IpSb->State == IP6_SERVICE_DESTROY)) { - goto Drop; - } - + HeadLen = 0; + PayloadLen = 0; // // Check whether the input packet is a valid packet // - if (Packet->TotalSize < IP6_MIN_HEADLEN) { - goto Restart; + if ((*Packet)->TotalSize < IP6_MIN_HEADLEN) { + return EFI_INVALID_PARAMETER; } // // Get header information of the packet. // - Head = (EFI_IP6_HEADER *) NetbufGetByte (Packet, 0, NULL); - if (Head == NULL) { - goto Restart; + *Head = (EFI_IP6_HEADER *) NetbufGetByte (*Packet, 0, NULL); + if (*Head == NULL) { + return EFI_INVALID_PARAMETER; } // // Multicast addresses must not be used as source addresses in IPv6 packets. // - if ((Head->Version != 6) || (IP6_IS_MULTICAST (&Head->SourceAddress))) { - goto Restart; + if (((*Head)->Version != 6) || (IP6_IS_MULTICAST (&(*Head)->SourceAddress))) { + return EFI_INVALID_PARAMETER; } // 
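Review bot: The new doc block for Ip6PreProcessPacket does not say who owns `*Payload`: the function allocates it with AllocatePool further down and returns EFI_INVALID_PARAMETER on every failure path without freeing it, so the caller must free it on both success and error. Add to the header something like `@param[out] Payload ... Allocated by this function; the caller owns the buffer and must free it even when this function fails.` The success text (`is well format`) also reads oddly; `The received packet is well-formed.` is clearer. The function body continues past this hunk.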
@@ -762,20 +780,20 @@ Ip6AcceptFrame ( // ZeroMem (&Loopback, sizeof (EFI_IPv6_ADDRESS)); Loopback.Addr[15] = 0x1; - if ((CompareMem (&Loopback, &Head->DestinationAddress, sizeof (EFI_IPv6_ADDRESS)) == 0) || - (NetIp6IsUnspecifiedAddr (&Head->DestinationAddress))) { - goto Restart; + if ((CompareMem (&Loopback, &(*Head)->DestinationAddress, sizeof (EFI_IPv6_ADDRESS)) == 0) || + (NetIp6IsUnspecifiedAddr (&(*Head)->DestinationAddress))) { + return EFI_INVALID_PARAMETER; } // // Convert the IP header to host byte order. // - Packet->Ip.Ip6 = Ip6NtohHead (Head); + (*Packet)->Ip.Ip6 = Ip6NtohHead (*Head); // // Get the per packet info. // - Info = IP6_GET_CLIP_INFO (Packet); + Info = IP6_GET_CLIP_INFO (*Packet); Info->LinkFlag = Flag; Info->CastType = 0; @@ -783,10 +801,10 @@ Ip6AcceptFrame ( Info->CastType = Ip6Promiscuous; } - if (Ip6IsOneOfSetAddress (IpSb, &Head->DestinationAddress, NULL, NULL)) { + if (Ip6IsOneOfSetAddress (IpSb, &(*Head)->DestinationAddress, NULL, NULL)) { Info->CastType = Ip6Unicast; - } else if (IP6_IS_MULTICAST (&Head->DestinationAddress)) { - if (Ip6FindMldEntry (IpSb, &Head->DestinationAddress) != NULL) { + } else if (IP6_IS_MULTICAST (&(*Head)->DestinationAddress)) { + if (Ip6FindMldEntry (IpSb, &(*Head)->DestinationAddress) != NULL) { Info->CastType = Ip6Multicast; } } @@ -795,11 +813,11 @@ Ip6AcceptFrame ( // Drop the packet that is not delivered to us. // if (Info->CastType == 0) { - goto Restart; + return EFI_INVALID_PARAMETER; } - PayloadLen = Head->PayloadLength; + PayloadLen = (*Head)->PayloadLength; Info->Start = 0; Info->Length = PayloadLen; 
@@ -813,52 +831,51 @@ Ip6AcceptFrame ( // // Mnp may deliver frame trailer sequence up, trim it off. // - if (TotalLen < Packet->TotalSize) { - NetbufTrim (Packet, Packet->TotalSize - TotalLen, FALSE); + if (TotalLen < (*Packet)->TotalSize) { + NetbufTrim (*Packet, (*Packet)->TotalSize - TotalLen, FALSE); } - if (TotalLen != Packet->TotalSize) { - goto Restart; + if (TotalLen != (*Packet)->TotalSize) { + return EFI_INVALID_PARAMETER; } // // Check the extension headers, if exist validate them // if (PayloadLen != 0) { - Payload = AllocatePool ((UINTN) PayloadLen); - if (Payload == NULL) { - goto Restart; + *Payload = AllocatePool ((UINTN) PayloadLen); + if (*Payload == NULL) { + return EFI_INVALID_PARAMETER; } - NetbufCopy (Packet, sizeof (EFI_IP6_HEADER), PayloadLen, Payload); + NetbufCopy (*Packet, sizeof (EFI_IP6_HEADER), PayloadLen, *Payload); } - LastHead = NULL; if (!Ip6IsExtsValid ( IpSb, - Packet, - &Head->NextHeader, - Payload, + *Packet, + &(*Head)->NextHeader, + *Payload, (UINT32) PayloadLen, TRUE, &FormerHeadOffset, - &LastHead, - &ExtHdrsLen, - &UnFragmentLen, - &Fragmented + LastHead, + ExtHdrsLen, + UnFragmentLen, + Fragmented )) { - goto Restart; + return EFI_INVALID_PARAMETER; } - HeadLen = sizeof (EFI_IP6_HEADER) + UnFragmentLen; + HeadLen = sizeof (EFI_IP6_HEADER) + *UnFragmentLen; - if (Fragmented) { + if (*Fragmented) { // // Get the fragment offset from the Fragment header // - FragmentHead = (IP6_FRAGMENT_HEADER *) NetbufGetByte (Packet, HeadLen, NULL); + FragmentHead = (IP6_FRAGMENT_HEADER *) NetbufGetByte (*Packet, HeadLen, NULL); if (FragmentHead == NULL) { - goto Restart; + return EFI_INVALID_PARAMETER; } FragmentOffset = NTOHS (FragmentHead->FragmentOffset); 
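Review bot: The first allocation in this hunk, `*Payload = AllocatePool ((UINTN) PayloadLen);`, overwrites `*Payload` without freeing it, unlike the re-allocation later in the function that frees the old buffer first; since Ip6AcceptFrame now calls Ip6PreProcessPacket a second time for tunnel-mode packets with `Payload` still holding whatever the first pass (or ProcessExt) left in it, that buffer leaks on every decapsulated packet. Mirror the later path with `if (*Payload != NULL) { FreePool (*Payload); }` before the AllocatePool. An allocation failure here is also reported as EFI_INVALID_PARAMETER, which the header documents as "packet is malformed"; returning EFI_OUT_OF_RESOURCES would keep the two cases distinguishable to the caller. Ip6PreProcessPacket starts and ends outside this hunk.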
@@ -888,49 +905,49 @@ Ip6AcceptFrame ( // Fragments should in the unit of 8 octets long except the last one. // if ((Info->LastFrag == 0) && (Info->Length % 8 != 0)) { - goto Restart; + return EFI_INVALID_PARAMETER; } // // Reassemble the packet. // - Packet = Ip6Reassemble (&IpSb->Assemble, Packet); - if (Packet == NULL) { - goto Restart; + *Packet = Ip6Reassemble (&IpSb->Assemble, *Packet); + if (*Packet == NULL) { + return EFI_INVALID_PARAMETER; } // // Re-check the assembled packet to get the right values. // - Head = Packet->Ip.Ip6; - PayloadLen = Head->PayloadLength; + *Head = (*Packet)->Ip.Ip6; + PayloadLen = (*Head)->PayloadLength; if (PayloadLen != 0) { - if (Payload != NULL) { - FreePool (Payload); + if (*Payload != NULL) { + FreePool (*Payload); } - Payload = AllocatePool ((UINTN) PayloadLen); - if (Payload == NULL) { - goto Restart; + *Payload = AllocatePool ((UINTN) PayloadLen); + if (*Payload == NULL) { + return EFI_INVALID_PARAMETER; } - NetbufCopy (Packet, sizeof (EFI_IP6_HEADER), PayloadLen, Payload); + NetbufCopy (*Packet, sizeof (EFI_IP6_HEADER), PayloadLen, *Payload); } if (!Ip6IsExtsValid ( IpSb, - Packet, - &Head->NextHeader, - Payload, + *Packet, + &(*Head)->NextHeader, + *Payload, (UINT32) PayloadLen, TRUE, NULL, - &LastHead, - &ExtHdrsLen, - &UnFragmentLen, - &Fragmented + LastHead, + ExtHdrsLen, + UnFragmentLen, + Fragmented )) { - goto Restart; + return EFI_INVALID_PARAMETER; } } 
@@ -938,30 +955,109 @@ Ip6AcceptFrame ( // Trim the head off, after this point, the packet is headless. // and Packet->TotalLen == Info->Length. // - NetbufTrim (Packet, sizeof (EFI_IP6_HEADER) + ExtHdrsLen, TRUE); + NetbufTrim (*Packet, sizeof (EFI_IP6_HEADER) + *ExtHdrsLen, TRUE); + + return EFI_SUCCESS; +} +/** + The IP6 input routine. It is called by the IP6_INTERFACE when an + IP6 fragment is received from MNP. + + @param[in] Packet The IP6 packet received. + @param[in] IoStatus The return status of receive request. + @param[in] Flag The link layer flag for the packet received, such + as multicast. + @param[in] Context The IP6 service instance that owns the MNP. + +**/ +VOID +Ip6AcceptFrame ( + IN NET_BUF *Packet, + IN EFI_STATUS IoStatus, + IN UINT32 Flag, + IN VOID *Context + ) +{ + IP6_SERVICE *IpSb; + EFI_IP6_HEADER *Head; + UINT8 *Payload; + UINT8 *LastHead; + UINT32 UnFragmentLen; + UINT32 ExtHdrsLen; + BOOLEAN Fragmented; + EFI_STATUS Status; + EFI_IP6_HEADER ZeroHead; + + IpSb = (IP6_SERVICE *) Context; + NET_CHECK_SIGNATURE (IpSb, IP6_SERVICE_SIGNATURE); + + Payload = NULL; + LastHead = NULL; + + // + // Check input parameters + // + if (EFI_ERROR (IoStatus) || (IpSb->State == IP6_SERVICE_DESTROY)) { + goto Drop; + } + + // + // Pre-Process the Ipv6 Packet and then reassemble if it is necessary. + // + Status = Ip6PreProcessPacket ( + IpSb, + &Packet, + Flag, + &Payload, + &LastHead, + &ExtHdrsLen, + &UnFragmentLen, + &Fragmented, + &Head + ); + if (EFI_ERROR (Status)) { + goto Restart; + } // // After trim off, the packet is a esp/ah/udp/tcp/icmp6 net buffer, // and no need consider any other ahead ext headers. 
// Status = Ip6IpSecProcessPacket ( IpSb, - Head, + &Head, LastHead, // need get the lasthead value for input &Packet, - NULL, - 0, + &Payload, + &ExtHdrsLen, EfiIPsecInBound, NULL ); - if (EFI_ERROR(Status)) { + if (EFI_ERROR (Status)) { goto Restart; } // - // TODO: may check the last head again, the same as the output routine + // If the packet is protected by IPsec Tunnel Mode, Check the Inner Ip Packet. // + ZeroMem (&ZeroHead, sizeof (EFI_IP6_HEADER)); + if (0 == CompareMem (Head, &ZeroHead, sizeof (EFI_IP6_HEADER))) { + Status = Ip6PreProcessPacket ( + IpSb, + &Packet, + Flag, + &Payload, + &LastHead, + &ExtHdrsLen, + &UnFragmentLen, + &Fragmented, + &Head + ); + if (EFI_ERROR (Status)) { + goto Restart; + } + } // // Packet may have been changed. The ownership of the packet diff --git a/NetworkPkg/Ip6Dxe/Ip6Input.h b/NetworkPkg/Ip6Dxe/Ip6Input.h index 8594896521..4d7ffc1c4f 100644 --- a/NetworkPkg/Ip6Dxe/Ip6Input.h +++ b/NetworkPkg/Ip6Dxe/Ip6Input.h 
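Review bot: The tunnel-mode detection at the end of this hunk compares `Head` against an all-zero EFI_IP6_HEADER, an in-band sentinel that nothing documents; a reader has to find where IPsec zeroes the header to understand it. Replace the one-line comment with something explicit, e.g. `// IPsec zeroes the outer header when it strips a tunnel-mode encapsulation; an all-zero header therefore means Packet now starts with the inner IPv6 header, which must be validated like any received packet.` This relies on Ip6PreProcessPacket having already rejected any header with Version != 6, so a genuine header can never be all-zero — worth stating as well. Note that the inner packet is not passed through Ip6IpSecProcessPacket again; if nested SAs are intentionally unsupported and selector checking of the decapsulated packet is left to IpSecDxe, say so here. The enclosing Ip6AcceptFrame continues after the last line shown.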
@@ -137,39 +137,39 @@ Ip6InstanceDeliverPacket ( ); /** - The work function to locate IPsec protocol to process the inbound or - outbound IP packets. The process routine handls the packet with the following + The work function to locate the IPsec protocol to process the inbound or + outbound IP packets. The process routine handles the packet with the following actions: bypass the packet, discard the packet, or protect the packet. @param[in] IpSb The IP6 service instance. - @param[in] Head The caller supplied IP6 header. + @param[in, out] Head The caller-supplied IP6 header. @param[in, out] LastHead The next header field of last IP header. @param[in, out] Netbuf The IP6 packet to be processed by IPsec. - @param[in] ExtHdrs The caller supplied options. - @param[in] ExtHdrsLen The length of the option. + @param[in, out] ExtHdrs The caller-supplied options. + @param[in, out] ExtHdrsLen The length of the option. @param[in] Direction The directionality in an SPD entry, - EfiIPsecInBound or EfiIPsecOutBound. + EfiIPsecInBound, or EfiIPsecOutBound. @param[in] Context The token's wrap. @retval EFI_SUCCESS The IPsec protocol is not available or disabled. - @retval EFI_SUCCESS The packet was bypassed and all buffers remain the same. + @retval EFI_SUCCESS The packet was bypassed, and all buffers remain the same. @retval EFI_SUCCESS The packet was protected. @retval EFI_ACCESS_DENIED The packet was discarded. @retval EFI_OUT_OF_RESOURCES There are not suffcient resources to complete the operation. - @retval EFI_BUFFER_TOO_SMALL The number of non-empty block is bigger than the + @retval EFI_BUFFER_TOO_SMALL The number of non-empty blocks is bigger than the number of input data blocks when building a fragment table. 
**/ EFI_STATUS Ip6IpSecProcessPacket ( - IN IP6_SERVICE *IpSb, - IN EFI_IP6_HEADER *Head, - IN OUT UINT8 *LastHead, - IN OUT NET_BUF **Netbuf, - IN VOID *ExtHdrs, - IN UINT32 ExtHdrsLen, - IN EFI_IPSEC_TRAFFIC_DIR Direction, - IN VOID *Context + IN IP6_SERVICE *IpSb, + IN OUT EFI_IP6_HEADER **Head, + IN OUT UINT8 *LastHead, + IN OUT NET_BUF **Netbuf, + IN OUT UINT8 **ExtHdrs, + IN OUT UINT32 *ExtHdrsLen, + IN EFI_IPSEC_TRAFFIC_DIR Direction, + IN VOID *Context ); /** diff --git a/NetworkPkg/Ip6Dxe/Ip6Output.c b/NetworkPkg/Ip6Dxe/Ip6Output.c index baa4904fc9..ecbaf2d94c 100644 --- a/NetworkPkg/Ip6Dxe/Ip6Output.c +++ b/NetworkPkg/Ip6Dxe/Ip6Output.c @@ -638,11 +638,11 @@ Ip6Output ( Status = Ip6IpSecProcessPacket ( IpSb, - Head, + &Head, LastHeader, // no need get the lasthead value for output &Packet, - ExtHdrs, - ExtHdrsLen, + &ExtHdrs, + &ExtHdrsLen, EfiIPsecOutBound, Context ); diff --git a/NetworkPkg/IpSecDxe/IpSecConfigImpl.c b/NetworkPkg/IpSecDxe/IpSecConfigImpl.c index e671e42e27..0b52a49ae5 100644 --- a/NetworkPkg/IpSecDxe/IpSecConfigImpl.c +++ b/NetworkPkg/IpSecDxe/IpSecConfigImpl.c @@ -2365,7 +2365,7 @@ EfiIpSecConfigGetNextSelector ( NET_LIST_FOR_EACH (Link, &mConfigData[DataType]) { CommonEntry = BASE_CR (Link, IPSEC_COMMON_POLICY_ENTRY, List); - if (IsFound || mIsZeroSelector[DataType](Selector)) { + if (IsFound || (BOOLEAN)(mIsZeroSelector[DataType](Selector))) { // // If found the appointed entry, then duplicate the next one and return, // or if the appointed entry is zero, then return the first one directly. diff --git a/NetworkPkg/IpSecDxe/IpSecCryptIo.c b/NetworkPkg/IpSecDxe/IpSecCryptIo.c index 7011f98b06..93b69a6682 100644 --- a/NetworkPkg/IpSecDxe/IpSecCryptIo.c +++ b/NetworkPkg/IpSecDxe/IpSecCryptIo.c 
@@ -18,15 +18,15 @@ // Alogrithm's informations for the Encrypt/Decrpt Alogrithm. // ENCRYPT_ALGORITHM mIpsecEncryptAlgorithmList[IPSEC_ENCRYPT_ALGORITHM_LIST_SIZE] = { - {EFI_IPSEC_EALG_NULL, 0, 0, 1, NULL, NULL, NULL, NULL}, + {IKE_EALG_NULL, 0, 0, 1, NULL, NULL, NULL, NULL}, {(UINT8)-1, 0, 0, 0, NULL, NULL, NULL, NULL} }; // // Alogrithm's informations for the Authentication algorithm // AUTH_ALGORITHM mIpsecAuthAlgorithmList[IPSEC_AUTH_ALGORITHM_LIST_SIZE] = { - {EFI_IPSEC_AALG_NONE, 0, 0, 0, NULL, NULL, NULL, NULL}, - {EFI_IPSEC_AALG_NULL, 0, 0, 0, NULL, NULL, NULL, NULL}, + {IKE_AALG_NONE, 0, 0, 0, NULL, NULL, NULL, NULL}, + {IKE_AALG_NULL, 0, 0, 0, NULL, NULL, NULL, NULL}, {(UINT8)-1, 0, 0, 0, NULL, NULL, NULL, NULL} }; diff --git a/NetworkPkg/IpSecDxe/IpSecCryptIo.h b/NetworkPkg/IpSecDxe/IpSecCryptIo.h index d883a2ef72..ddceb12bb6 100644 --- a/NetworkPkg/IpSecDxe/IpSecCryptIo.h +++ b/NetworkPkg/IpSecDxe/IpSecCryptIo.h @@ -22,6 +22,23 @@ #define IPSEC_ENCRYPT_ALGORITHM_LIST_SIZE 2 #define IPSEC_AUTH_ALGORITHM_LIST_SIZE 3 +/// +/// Authentication Algorithm Definition +/// The number value definition is aligned to IANA assignment +/// +#define IKE_AALG_NONE 0x00 +#define IKE_AALG_SHA1HMAC 0x02 +#define IKE_AALG_NULL 0xFB + +/// +/// Encryption Algorithm Definition +/// The number value definition is aligned to IANA assignment +/// +#define IKE_EALG_NONE 0x00 +#define IKE_EALG_3DESCBC 0x03 +#define IKE_EALG_NULL 0x0B +#define IKE_EALG_AESCBC 0x0C + /** Prototype of Hash GetContextSize. diff --git a/NetworkPkg/IpSecDxe/IpSecDriver.c b/NetworkPkg/IpSecDxe/IpSecDriver.c index b38f2a9452..00fb26f761 100644 --- a/NetworkPkg/IpSecDxe/IpSecDriver.c +++ b/NetworkPkg/IpSecDxe/IpSecDriver.c @@ -174,7 +174,7 @@ IpSecDriverEntryPoint ( { EFI_STATUS Status; IPSEC_PRIVATE_DATA *Private; - EFI_IPSEC_PROTOCOL *IpSec; + EFI_IPSEC2_PROTOCOL *IpSec; // // Check whether ipsec protocol has already been installed. 
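Review bot: The comment above the new IKE_AALG_* defines in IpSecCryptIo.h says the values are aligned to the IANA assignment, but `IKE_AALG_NULL 0xFB` does not appear to correspond to a registered IKEv2 integrity transform ID (the registry assigns small values such as 2 for AUTH_HMAC_SHA1_96 and keeps a separate private-use range), so it looks like a driver-private sentinel. Either narrow the comment to `/// Values other than IKE_AALG_NULL follow the IANA IKEv2 integrity transform IDs; IKE_AALG_NULL is a driver-private marker.` or cite the registry entry that defines 0xFB. The encryption IDs (3, 0x0B, 0x0C for 3DES-CBC, NULL and AES-CBC) do match the IKEv2 encryption transform registry as far as I can tell.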
@@ -218,7 +218,7 @@ IpSecDriverEntryPoint ( Private->Signature = IPSEC_PRIVATE_DATA_SIGNATURE; Private->ImageHandle = ImageHandle; - CopyMem (&Private->IpSec, &mIpSecInstance, sizeof (EFI_IPSEC_PROTOCOL)); + CopyMem (&Private->IpSec, &mIpSecInstance, sizeof (EFI_IPSEC2_PROTOCOL)); // // Initilize Private's members. Thess members is used for IKE. diff --git a/NetworkPkg/IpSecDxe/IpSecImpl.c b/NetworkPkg/IpSecDxe/IpSecImpl.c index 15884ae403..b693eb94d1 100644 --- a/NetworkPkg/IpSecDxe/IpSecImpl.c +++ b/NetworkPkg/IpSecDxe/IpSecImpl.c @@ -15,7 +15,7 @@ #include "IpSecConfigImpl.h" -EFI_IPSEC_PROTOCOL mIpSecInstance = { IpSecProcess, NULL, TRUE }; +EFI_IPSEC2_PROTOCOL mIpSecInstance = { IpSecProcess, NULL, TRUE }; extern LIST_ENTRY mConfigData[IPsecConfigDataTypeMaximum]; @@ -656,11 +656,11 @@ IpSecLookupSpdEntry ( @param[in] NicHandle Instance of the network interface. @param[in] IpVersion IPV4 or IPV6. @param[in, out] IpHead Pointer to the IP Header. - @param[in] LastHead The protocol of the next layer to be processed by IPsec. - @param[in] OptionsBuffer Pointer to the options buffer. - @param[in] OptionsLength Length of the options buffer. + @param[in, out] LastHead The protocol of the next layer to be processed by IPsec. + @param[in, out] OptionsBuffer Pointer to the options buffer. + @param[in, out] OptionsLength Length of the options buffer. @param[in, out] FragmentTable Pointer to a list of fragments. - @param[in] FragmentCount Number of fragments. + @param[in, out] FragmentCount Number of fragments. @param[in] TrafficDirection Traffic direction. @param[out] RecycleSignal Event for recycling of resources. 
@@ -672,15 +672,15 @@ IpSecLookupSpdEntry ( EFI_STATUS EFIAPI IpSecProcess ( - IN EFI_IPSEC_PROTOCOL *This, + IN EFI_IPSEC2_PROTOCOL *This, IN EFI_HANDLE NicHandle, IN UINT8 IpVersion, IN OUT VOID *IpHead, - IN UINT8 *LastHead, - IN VOID *OptionsBuffer, - IN UINT32 OptionsLength, + IN OUT UINT8 *LastHead, + IN OUT VOID **OptionsBuffer, + IN OUT UINT32 *OptionsLength, IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable, - IN UINT32 *FragmentCount, + IN OUT UINT32 *FragmentCount, IN EFI_IPSEC_TRAFFIC_DIR TrafficDirection, OUT EFI_EVENT *RecycleSignal ) diff --git a/NetworkPkg/IpSecDxe/IpSecImpl.h b/NetworkPkg/IpSecDxe/IpSecImpl.h index 644c658082..84494460c4 100644 --- a/NetworkPkg/IpSecDxe/IpSecImpl.h +++ b/NetworkPkg/IpSecDxe/IpSecImpl.h @@ -88,16 +88,19 @@ struct _IPSEC_SPD_ENTRY { }; typedef struct _IPSEC_SAD_DATA { - EFI_IPSEC_MODE Mode; - UINT64 SequenceNumber; - UINT8 AntiReplayWindowSize; - UINT64 AntiReplayBitmap[4]; // bitmap for received packet - EFI_IPSEC_ALGO_INFO AlgoInfo; - EFI_IPSEC_SA_LIFETIME SaLifetime; - UINT32 PathMTU; - IPSEC_SPD_ENTRY *SpdEntry; - BOOLEAN ESNEnabled; // Extended (64-bit) SN enabled - BOOLEAN ManualSet; + EFI_IPSEC_MODE Mode; + UINT64 SequenceNumber; + UINT8 AntiReplayWindowSize; + UINT64 AntiReplayBitmap[4]; // bitmap for received packet + EFI_IPSEC_ALGO_INFO AlgoInfo; + EFI_IPSEC_SA_LIFETIME SaLifetime; + UINT32 PathMTU; + IPSEC_SPD_ENTRY *SpdEntry; + EFI_IPSEC_SPD_SELECTOR *SpdSelector; + BOOLEAN ESNEnabled; // Extended (64-bit) SN enabled + BOOLEAN ManualSet; + EFI_IP_ADDRESS TunnelDestAddress; + EFI_IP_ADDRESS TunnelSourceAddress; } IPSEC_SAD_DATA; typedef struct _IPSEC_SAD_ENTRY { @@ -122,7 +125,7 @@ struct _IPSEC_PRIVATE_DATA { UINT32 Signature; EFI_HANDLE Handle; // Virtual handle to install private prtocol EFI_HANDLE ImageHandle; - EFI_IPSEC_PROTOCOL IpSec; + EFI_IPSEC2_PROTOCOL IpSec; EFI_IPSEC_CONFIG_PROTOCOL IpSecConfig; BOOLEAN SetBySelf; LIST_ENTRY Udp4List; 
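Review bot: The three fields added to IPSEC_SAD_DATA (`SpdSelector`, `TunnelDestAddress`, `TunnelSourceAddress`) carry no comment, unlike the neighbouring `AntiReplayBitmap` and `ESNEnabled`, and it is not visible whether `SpdSelector` is owned by the SAD entry or borrowed from the SPD entry it relates to. Add a line each, e.g. `EFI_IPSEC_SPD_SELECTOR *SpdSelector; // selector this SA was negotiated for — owned by the SPD entry? confirm` and `EFI_IP_ADDRESS TunnelDestAddress; // outer-header addresses; presumably meaningful only when Mode is tunnel mode — confirm`. The ownership question matters because a `SpdSelector` left dangling after its SPD entry is removed would be reachable from a live SA.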
@@ -146,13 +149,13 @@ struct _IPSEC_PRIVATE_DATA { @param[in, out] IpHead Points to IP header containing the ESP/AH header to be trimed on input, and without ESP/AH header on return. - @param[in] LastHead The Last Header in IP header on return. - @param[in] OptionsBuffer Pointer to the options buffer. It is optional. - @param[in] OptionsLength Length of the options buffer. It is optional. + @param[out] LastHead The Last Header in IP header on return. + @param[in, out] OptionsBuffer Pointer to the options buffer. It is optional. + @param[in, out] OptionsLength Length of the options buffer. It is optional. @param[in, out] FragmentTable Pointer to a list of fragments in the form of IPsec protected on input, and without IPsec protected on return. - @param[in] FragmentCount Number of fragments. + @param[in, out] FragmentCount Number of fragments. @param[out] SpdEntry Pointer to contain the address of SPD entry on return. @param[out] RecycleEvent Event for recycling of resources. @@ -164,11 +167,11 @@ EFI_STATUS IpSecProtectInboundPacket ( IN UINT8 IpVersion, IN OUT VOID *IpHead, - IN UINT8 *LastHead, - IN VOID *OptionsBuffer, OPTIONAL - IN UINT32 OptionsLength, OPTIONAL + OUT UINT8 *LastHead, + IN OUT VOID **OptionsBuffer, OPTIONAL + IN OUT UINT32 *OptionsLength, OPTIONAL IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable, - IN UINT32 *FragmentCount, + IN OUT UINT32 *FragmentCount, OUT IPSEC_SPD_ENTRY **SpdEntry, OUT EFI_EVENT *RecycleEvent ); 
@@ -184,13 +187,13 @@ IpSecProtectInboundPacket ( @param[in, out] IpHead Point to IP header containing the orginal IP header to be processed on input, and inserted ESP/AH header on return. - @param[in] LastHead The Last Header in IP header. - @param[in] OptionsBuffer Pointer to the options buffer. It is optional. - @param[in] OptionsLength Length of the options buffer. It is optional. + @param[in, out] LastHead The Last Header in IP header. + @param[in, out] OptionsBuffer Pointer to the options buffer. It is optional. + @param[in, out] OptionsLength Length of the options buffer. It is optional. @param[in, out] FragmentTable Pointer to a list of fragments to be protected by IPsec on input, and with IPsec protected on return. - @param[in] FragmentCount Number of fragments. + @param[in, out] FragmentCount Number of fragments. @param[in] SadEntry Related SAD entry. @param[out] RecycleEvent Event for recycling of resources. @@ -202,11 +205,11 @@ EFI_STATUS IpSecProtectOutboundPacket ( IN UINT8 IpVersion, IN OUT VOID *IpHead, - IN UINT8 *LastHead, - IN VOID *OptionsBuffer, OPTIONAL - IN UINT32 OptionsLength, OPTIONAL + IN OUT UINT8 *LastHead, + IN OUT VOID **OptionsBuffer, OPTIONAL + IN OUT UINT32 *OptionsLength, OPTIONAL IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable, - IN UINT32 *FragmentCount, + IN OUT UINT32 *FragmentCount, IN IPSEC_SAD_ENTRY *SadEntry, OUT EFI_EVENT *RecycleEvent ); 
@@ -274,11 +277,11 @@ IpSecLookupSadBySpi ( @param[in] NicHandle Instance of the network interface. @param[in] IpVersion IPV4 or IPV6. @param[in, out] IpHead Pointer to the IP Header. - @param[in] LastHead The protocol of the next layer to be processed by IPsec. - @param[in] OptionsBuffer Pointer to the options buffer. - @param[in] OptionsLength Length of the options buffer. + @param[in, out] LastHead The protocol of the next layer to be processed by IPsec. + @param[in, out] OptionsBuffer Pointer to the options buffer. + @param[in, out] OptionsLength Length of the options buffer. @param[in, out] FragmentTable Pointer to a list of fragments. - @param[in] FragmentCount Number of fragments. + @param[in, out] FragmentCount Number of fragments. @param[in] TrafficDirection Traffic direction. @param[out] RecycleSignal Event for recycling of resources. @@ -290,21 +293,21 @@ IpSecLookupSadBySpi ( EFI_STATUS EFIAPI IpSecProcess ( - IN EFI_IPSEC_PROTOCOL *This, + IN EFI_IPSEC2_PROTOCOL *This, IN EFI_HANDLE NicHandle, IN UINT8 IpVersion, IN OUT VOID *IpHead, - IN UINT8 *LastHead, - IN VOID *OptionsBuffer, - IN UINT32 OptionsLength, + IN OUT UINT8 *LastHead, + IN OUT VOID **OptionsBuffer, + IN OUT UINT32 *OptionsLength, IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable, - IN UINT32 *FragmentCount, + IN OUT UINT32 *FragmentCount, IN EFI_IPSEC_TRAFFIC_DIR TrafficDirection, OUT EFI_EVENT *RecycleSignal ); extern EFI_DPC_PROTOCOL *mDpc; -extern EFI_IPSEC_PROTOCOL mIpSecInstance; +extern EFI_IPSEC2_PROTOCOL mIpSecInstance; extern EFI_COMPONENT_NAME2_PROTOCOL gIpSecComponentName2; extern EFI_COMPONENT_NAME_PROTOCOL gIpSecComponentName; diff --git a/NetworkPkg/IpSecDxe/IpSecSaEngine.c b/NetworkPkg/IpSecDxe/IpSecSaEngine.c index 8abf4d6bf4..b556b246a3 100644 --- a/NetworkPkg/IpSecDxe/IpSecSaEngine.c +++ b/NetworkPkg/IpSecDxe/IpSecSaEngine.c 
@@ -124,8 +124,8 @@ IpSecAuthPayload ( ) { switch (AuthAlgId) { - case EFI_IPSEC_AALG_NONE : - case EFI_IPSEC_AALG_NULL : + case IKE_AALG_NONE : + case IKE_AALG_NULL : return EFI_SUCCESS; default: @@ -222,15 +222,15 @@ IpSecEspDecryptPayload ( EFI_ESP_TAIL *EspTail; switch (SadEntry->Data->AlgoInfo.EspAlgoInfo.EncAlgoId) { - case EFI_IPSEC_EALG_NULL: + case IKE_EALG_NULL: EspTail = (EFI_ESP_TAIL *) (PayloadBuffer + EncryptSize - sizeof (EFI_ESP_TAIL)); *PaddingSize = EspTail->PaddingLength; *NextHeader = EspTail->NextHeader; *PlainPayloadSize = EncryptSize - EspTail->PaddingLength - sizeof (EFI_ESP_TAIL); break; - case EFI_IPSEC_EALG_3DESCBC: - case EFI_IPSEC_EALG_AESCBC: + case IKE_EALG_3DESCBC: + case IKE_EALG_AESCBC: // // TODO: support these algorithm // @@ -269,11 +269,11 @@ IpSecEspEncryptPayload ( ) { switch (SadEntry->Data->AlgoInfo.EspAlgoInfo.EncAlgoId) { - case EFI_IPSEC_EALG_NULL: + case IKE_EALG_NULL: return EFI_SUCCESS; - case EFI_IPSEC_EALG_3DESCBC: - case EFI_IPSEC_EALG_AESCBC: + case IKE_EALG_3DESCBC: + case IKE_EALG_AESCBC: // // TODO: support these algorithms // @@ -296,12 +296,12 @@ IpSecEspEncryptPayload ( to be trimed on input, and without ESP header on return. @param[out] LastHead The Last Header in IP header on return. - @param[in] OptionsBuffer Pointer to the options buffer. It is optional. - @param[in] OptionsLength Length of the options buffer. It is optional. + @param[in, out] OptionsBuffer Pointer to the options buffer. It is optional. + @param[in, out] OptionsLength Length of the options buffer. It is optional. @param[in, out] FragmentTable Pointer to a list of fragments in the form of IPsec protected on input, and without IPsec protected on return. - @param[in] FragmentCount The number of fragments. + @param[in, out] FragmentCount The number of fragments. @param[out] SpdEntry Pointer to contain the address of SPD entry on return. @param[out] RecycleEvent The event for recycling of resources. 
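Review bot: In the `IKE_EALG_NULL` case of IpSecEspDecryptPayload, `EspTail->PaddingLength` comes from the received packet and is subtracted from `EncryptSize` without a bounds check, so a padding length larger than `EncryptSize - sizeof (EFI_ESP_TAIL)` makes `*PlainPayloadSize` wrap to a huge value, and `EspTail` itself is located before anyone checks that `EncryptSize >= sizeof (EFI_ESP_TAIL)`. Guard both before the reads: `if (EncryptSize < sizeof (EFI_ESP_TAIL)) { return EFI_INVALID_PARAMETER; }` and, once the tail is located, `if (EspTail->PaddingLength > EncryptSize - sizeof (EFI_ESP_TAIL)) { return EFI_INVALID_PARAMETER; }`. The status the function returns on failure is not visible in the hunk, so use whatever its unsupported-algorithm default returns. The function begins and ends outside this hunk.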
@@ -318,10 +318,10 @@ IpSecEspInboundPacket ( IN UINT8 IpVersion, IN OUT VOID *IpHead, OUT UINT8 *LastHead, - IN VOID *OptionsBuffer, OPTIONAL - IN UINT32 OptionsLength, OPTIONAL + IN OUT VOID **OptionsBuffer, OPTIONAL + IN OUT UINT32 *OptionsLength, OPTIONAL IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable, - IN UINT32 *FragmentCount, + IN OUT UINT32 *FragmentCount, OUT IPSEC_SPD_ENTRY **SpdEntry, OUT EFI_EVENT *RecycleEvent ) @@ -558,13 +558,13 @@ ON_EXIT: @param[in, out] IpHead Points to IP header containing the orginal IP header to be processed on input, and inserted ESP header on return. - @param[in] LastHead The Last Header in IP header. - @param[in] OptionsBuffer Pointer to the options buffer. It is optional. - @param[in] OptionsLength Length of the options buffer. It is optional. + @param[in, out] LastHead The Last Header in IP header. + @param[in, out] OptionsBuffer Pointer to the options buffer. It is optional. + @param[in, out] OptionsLength Length of the options buffer. It is optional. @param[in, out] FragmentTable Pointer to a list of fragments to be protected by IPsec on input, and with IPsec protected on return. - @param[in] FragmentCount The number of fragments. + @param[in, out] FragmentCount The number of fragments. @param[in] SadEntry The related SAD entry. @param[out] RecycleEvent The event for recycling of resources. @@ -576,11 +576,11 @@ EFI_STATUS IpSecEspOutboundPacket ( IN UINT8 IpVersion, IN OUT VOID *IpHead, - IN UINT8 *LastHead, - IN VOID *OptionsBuffer, OPTIONAL - IN UINT32 OptionsLength, OPTIONAL + IN OUT UINT8 *LastHead, + IN OUT VOID **OptionsBuffer, OPTIONAL + IN OUT UINT32 *OptionsLength, OPTIONAL IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable, - IN UINT32 *FragmentCount, + IN OUT UINT32 *FragmentCount, IN IPSEC_SAD_ENTRY *SadEntry, OUT EFI_EVENT *RecycleEvent ) 
@@ -825,29 +825,29 @@ ON_EXIT:
 @param[in, out] IpHead Points to IP header containing the ESP/AH header
 to be trimed on input, and without ESP/AH header on return.
- @param[in] LastHead The Last Header in IP header on return.
- @param[in] OptionsBuffer Pointer to the options buffer. It is optional.
- @param[in] OptionsLength Length of the options buffer. It is optional.
- @param[in, out] FragmentTable Pointer to a list of fragments in form of IPsec
+ @param[out] LastHead The Last Header in IP header on return.
+ @param[in, out] OptionsBuffer Pointer to the options buffer. It is optional.
+ @param[in, out] OptionsLength Length of the options buffer. It is optional.
+ @param[in, out] FragmentTable Pointer to a list of fragments in the form of IPsec
 protected on input, and without IPsec protected on return.
- @param[in] FragmentCount The number of fragments.
+ @param[in, out] FragmentCount Number of fragments.
 @param[out] SpdEntry Pointer to contain the address of SPD entry on return.
- @param[out] RecycleEvent The event for recycling of resources.
+ @param[out] RecycleEvent Event for recycling of resources.
- @retval EFI_SUCCESS The operation was successful.
- @retval EFI_UNSUPPORTED The IPSEC protocol is not supported.
+ @retval EFI_SUCCESS The operation is successful.
+ @retval EFI_UNSUPPORTED If the IPSEC protocol is not supported.
 **/
 EFI_STATUS
 IpSecProtectInboundPacket (
 IN UINT8 IpVersion,
 IN OUT VOID *IpHead,
- IN UINT8 *LastHead,
- IN VOID *OptionsBuffer, OPTIONAL
- IN UINT32 OptionsLength, OPTIONAL
+ OUT UINT8 *LastHead,
+ IN OUT VOID **OptionsBuffer, OPTIONAL
+ IN OUT UINT32 *OptionsLength, OPTIONAL
 IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable,
- IN UINT32 *FragmentCount,
+ IN OUT UINT32 *FragmentCount,
 OUT IPSEC_SPD_ENTRY **SpdEntry,
 OUT EFI_EVENT *RecycleEvent
 )
@@ -875,26 +875,26 @@ IpSecProtectInboundPacket (
 }
 /**
- This function processes the output traffic with IPsec.
+ This fucntion processes the output traffic with IPsec.
 It protected the sending packet by encrypting it payload and inserting ESP/AH header
- in the orginal IP header, then returns the IpHeader and IPsec protected Fragmentable.
+ in the orginal IP header, then return the IpHeader and IPsec protected Fragmentable.
 @param[in] IpVersion The version of IP.
- @param[in, out] IpHead Points to IP header containing the orginal IP header
+ @param[in, out] IpHead Point to IP header containing the orginal IP header
 to be processed on input, and inserted ESP/AH header on return.
- @param[in] LastHead The Last Header in the IP header.
- @param[in] OptionsBuffer Pointer to the options buffer. It is optional.
- @param[in] OptionsLength Length of the options buffer. It is optional.
+ @param[in, out] LastHead The Last Header in IP header.
+ @param[in, out] OptionsBuffer Pointer to the options buffer. It is optional.
+ @param[in, out] OptionsLength Length of the options buffer. It is optional.
 @param[in, out] FragmentTable Pointer to a list of fragments to be protected by IPsec on input, and with IPsec protected on return.
- @param[in] FragmentCount The number of fragments.
- @param[in] SadEntry The related SAD entry.
- @param[out] RecycleEvent The event for recycling of resources.
+ @param[in, out] FragmentCount Number of fragments.
+ @param[in] SadEntry Related SAD entry.
+ @param[out] RecycleEvent Event for recycling of resources.
- @retval EFI_SUCCESS The operation was successful.
+ @retval EFI_SUCCESS The operation is successful.
 @retval EFI_UNSUPPORTED If the IPSEC protocol is not supported.
 **/
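Review bot: The rewritten description lines in this hunk introduce wording regressions rather than fixes: `This function` becomes `This fucntion`, `then returns the IpHeader` becomes `then return the IpHeader`, and `Points to IP header` becomes `Point to IP header`. The new side should keep the original spellings, i.e. `This function processes the output traffic with IPsec.`, `in the orginal IP header, then returns the IpHeader and IPsec protected Fragmentable.` and `@param[in, out] IpHead Points to IP header containing the orginal IP header`. The `@param[in, out] LastHead` change itself matches the `IN OUT UINT8 *LastHead` signature in the following @@ -902 hunk.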
@@ -902,11 +902,11 @@ EFI_STATUS
 IpSecProtectOutboundPacket (
 IN UINT8 IpVersion,
 IN OUT VOID *IpHead,
- IN UINT8 *LastHead,
- IN VOID *OptionsBuffer, OPTIONAL
- IN UINT32 OptionsLength, OPTIONAL
+ IN OUT UINT8 *LastHead,
+ IN OUT VOID **OptionsBuffer, OPTIONAL
+ IN OUT UINT32 *OptionsLength, OPTIONAL
 IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable,
- IN UINT32 *FragmentCount,
+ IN OUT UINT32 *FragmentCount,
 IN IPSEC_SAD_ENTRY *SadEntry,
 OUT EFI_EVENT *RecycleEvent
 )