tyler.durden
/
audk
mirror of https://github.com/acidanthera/audk.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

1.Update IPsec driver to set the Transform structure’s Next Payload field to be zero when it is the last transform structure in a proposal. The same as Proposal Structure’s Next Payload filed, it also should be zero when it is the last proposal in the SA. 

2.Delete all SAs in the IPsec->Stop().

Signed-off-by: qianouyang
Reviewed-by: sfu5

git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@12768 6f19259b-4bc3-4df7-8a09-765794883524
This commit is contained in:
qianouyang 2011-11-23 10:31:04 +00:00
parent eb5e7d3e7a
commit 6cf9230ff2
6 changed files with 414 additions and 409 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

92
NetworkPkg/IpSecDxe/IkeService.c
View File

@ -1,6 +1,6 @@
/** @file
Provide IPsec Key Exchange (IKE) service general interfaces.
Copyright (c) 2010 - 2011, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
@ -104,13 +104,13 @@ IkeLookupUdp (
/**
Configure a UDPIO's UDP4 instance.
This fuction is called by the UdpIoCreateIo() to configures a
This fuction is called by the UdpIoCreateIo() to configures a
UDP4 instance.
@param[in] UdpIo The UDP_IO to be configured.
@param[in] Context User-defined data when calling UdpIoCreateIo().
@retval EFI_SUCCESS The configuration succeeded.
@retval Others The UDP4 instance fails to configure.
@ -146,13 +146,13 @@ IkeConfigUdp4 (
/**
Configure a UDPIO's UDP6 instance.
This fuction is called by the UdpIoCreateIo()to configure a
This fuction is called by the UdpIoCreateIo()to configure a
UDP6 instance.
@param[in] UdpIo The UDP_IO to be configured.
@param[in] Context User-defined data when calling UdpIoCreateIo().
@retval EFI_SUCCESS The configuration succeeded.
@retval Others The configuration fails.
@ -194,14 +194,14 @@ IkeConfigUdp6 (
/**
Open and configure the related output UDPIO for IKE packet sending.
If the UdpService is not configured, this fuction calls UdpIoCreatIo() to
If the UdpService is not configured, this fuction calls UdpIoCreatIo() to
create UDPIO to bind this UdpService for IKE packet sending. If the UdpService
has already been configured, then return.
@param[in] UdpService The UDP_IO to be configured.
@param[in] RemoteIp User-defined data when calling UdpIoCreateIo().
@retval EFI_SUCCESS The configuration is successful.
@retval Others The configuration fails.
@ -340,16 +340,16 @@ ON_EXIT:
/**
Open and configure a UDPIO of Udp4 for IKE packet receiving.
This function is called at the IPsecDriverBinding start. IPsec create a UDP4 and
This function is called at the IPsecDriverBinding start. IPsec create a UDP4 and
UDP4 IO for each NIC handle.
@param[in] Private Point to IPSEC_PRIVATE_DATA
@param[in] Controller Handler for NIC card.
@retval EFI_SUCCESS The Operation is successful.
@retval EFI_OUT_OF_RESOURCE The required system resource can't be allocated.
**/
EFI_STATUS
IkeOpenInputUdp4 (
@ -411,16 +411,16 @@ IkeOpenInputUdp4 (
/**
Open and configure a UDPIO of Udp6 for IKE packet receiving.
This function is called at the IPsecDriverBinding start. IPsec create a UDP6 and UDP6
IO for each NIC handle.
@param[in] Private Point to IPSEC_PRIVATE_DATA
@param[in] Controller Handler for NIC card.
@retval EFI_SUCCESS The Operation is successful.
@retval EFI_OUT_OF_RESOURCE The required system resource can't be allocated.
**/
EFI_STATUS
IkeOpenInputUdp6 (
@ -479,18 +479,18 @@ IkeOpenInputUdp6 (
/**
The general interface of starting IPsec Key Exchange.
This function is called when a IKE negotiation to start getting a Key.
@param[in] UdpService Point to IKE_UDP_SERVICE which will be used for
@param[in] UdpService Point to IKE_UDP_SERVICE which will be used for
IKE packet sending.
@param[in] SpdEntry Point to the SPD entry related to the IKE negotiation.
@param[in] RemoteIp Point to EFI_IP_ADDRESS related to the IKE negotiation.
@retval EFI_SUCCESS The Operation is successful.
@retval EFI_ACCESS_DENIED No related PAD entry was found.
@retval EFI_INVALID_PARAMETER The IKE version is not supported.
**/
EFI_STATUS
IkeNegotiate (
@ -519,8 +519,8 @@ IkeNegotiate (
}
//
// Try to find the IKE SA session in the IKEv1 and IKEv2 established SA session list.
//
IkeSaSession = (UINT8 *) Ikev2SaSessionLookup (&Private->Ikev2EstablishedList, RemoteIp);
//
IkeSaSession = (UINT8 *) Ikev2SaSessionLookup (&Private->Ikev2EstablishedList, RemoteIp);
if (IkeSaSession == NULL) {
@ -551,7 +551,7 @@ IkeNegotiate (
if (IkeVersion != 2) {
return EFI_INVALID_PARAMETER;
}
Exchange = mIkeExchange[IkeVersion - 1];
//
// Start the quick mode stage to negotiate child SA.
@ -564,15 +564,15 @@ IkeNegotiate (
/**
The generic interface when receive a IKE packet.
This function is called when UDP IO receives a IKE packet.
@param[in] Packet Point to received IKE packet.
@param[in] EndPoint Point to UDP_END_POINT which contains the information of
@param[in] EndPoint Point to UDP_END_POINT which contains the information of
Remote IP and Port.
@param[in] IoStatus The Status of Recieve Token.
@param[in] Context Point to data passed from the caller.
**/
VOID
EFIAPI
@ -687,17 +687,19 @@ ON_EXIT:
/**
Delete all established IKE SAs and related Child SAs.
This function is the subfunction of the IpSecCleanupAllSa(). It first calls
IkeDeleteChildSa() to delete all Child SAs then send out the related
This function is the subfunction of the IpSecCleanupAllSa(). It first calls
IkeDeleteChildSa() to delete all Child SAs then send out the related
Information packet.
@param[in] Private Pointer of the IPSEC_PRIVATE_DATA
@param[in] Private Pointer of the IPSEC_PRIVATE_DATA
@param[in] IsDisableIPsec Indicate whether needs to disable IPsec.
**/
VOID
IkeDeleteAllSas (
IN IPSEC_PRIVATE_DATA *Private
IN IPSEC_PRIVATE_DATA *Private,
IN BOOLEAN IsDisableIpsec
)
{
LIST_ENTRY *Entry;
@ -719,17 +721,17 @@ IkeDeleteAllSas (
//
if (!IsListEmpty (&Private->Ikev2SessionList)) {
NET_LIST_FOR_EACH_SAFE (Entry, NextEntry, &Private->Ikev2SessionList) {
Ikev2SaSession = IKEV2_SA_SESSION_BY_SESSION (Entry);
Ikev2SaSession = IKEV2_SA_SESSION_BY_SESSION (Entry);
RemoveEntryList (Entry);
Ikev2SaSessionFree (Ikev2SaSession);
}
}
//
// If there is no existing established IKE SA, set the Ipsec DisableFlag to TRUE
// and turn off the IsIPsecDisabling flag.
//
if (IsListEmpty (&Private->Ikev2EstablishedList)) {
if (IsListEmpty (&Private->Ikev2EstablishedList) && IsDisableIpsec) {
Value = IPSEC_STATUS_DISABLED;
Status = gRT->SetVariable (
IPSECCONFIG_STATUS_NAME,
@ -752,7 +754,7 @@ IkeDeleteAllSas (
for (Entry = Private->Ikev2EstablishedList.ForwardLink; Entry != &Private->Ikev2EstablishedList;) {
Ikev2SaSession = IKEV2_SA_SESSION_BY_SESSION (Entry);
Entry = Entry->ForwardLink;
Ikev2SaSession->SessionCommon.State = IkeStateSaDeleting;
//
@ -762,10 +764,10 @@ IkeDeleteAllSas (
if (IkeVersion == 2) {
Exchange = mIkeExchange[IkeVersion - 1];
Exchange->NegotiateInfo((UINT8*)Ikev2SaSession, NULL);
}
}
}
}
}

60
NetworkPkg/IpSecDxe/IkeService.h
View File

@ -1,6 +1,6 @@
/** @file
Prototypes definitions of IKE service.
Copyright (c) 2010 - 2011, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
@ -44,7 +44,7 @@ EFI_STATUS
);
/**
This is prototype definition fo general interface to start a IKE negotiation at Quick Mode.
This is prototype definition fo general interface to start a IKE negotiation at Quick Mode.
This function will be called when the related IKE SA is existed and start to
create a Child SA.
@ -81,7 +81,7 @@ EFI_STATUS
);
/**
This is prototype definition of the general interface when recived a IKE Pakcet
This is prototype definition of the general interface when recived a IKE Pakcet
for the IKE SA establishing.
@param[in] UdpService Point to UDP service used to send IKE Packet.
@ -97,8 +97,8 @@ VOID
/**
This is prototyp definition of the general interface when recived a IKE Packet
xfor the Child SA establishing.
xfor the Child SA establishing.
@param[in] UdpService Point to UDP service used to send IKE packet.
@param[in] IkePacket Point to received IKE packet.
@ -111,7 +111,7 @@ VOID
);
/**
This is prototype definition of the general interface when received a IKE
This is prototype definition of the general interface when received a IKE
information Packet.
@param[in] UdpService Point to UDP service used to send IKE packet.
@ -137,16 +137,16 @@ typedef struct _IKE_EXCHANGE_INTERFACE {
/**
Open and configure a UDPIO of Udp4 for IKE packet receiving.
This function is called at the IPsecDriverBinding start. IPsec create a UDP4 and
This function is called at the IPsecDriverBinding start. IPsec create a UDP4 and
a UDP4 IO for each NIC handle.
@param[in] Private Point to IPSEC_PRIVATE_DATA
@param[in] Controller Handler for NIC card.
@retval EFI_SUCCESS The Operation is successful.
@retval EFI_OUT_OF_RESOURCE The required system resource can't be allocated.
**/
EFI_STATUS
IkeOpenInputUdp4 (
@ -156,16 +156,16 @@ IkeOpenInputUdp4 (
/**
Open and configure a UDPIO of Udp6 for IKE packet receiving.
This function is called at the IPsecDriverBinding start. IPsec create a UDP6 and UDP6
IO for each NIC handle.
@param[in] Private Point to IPSEC_PRIVATE_DATA
@param[in] Controller Handler for NIC card.
@retval EFI_SUCCESS The Operation is successful.
@retval EFI_OUT_OF_RESOURCE The required system resource can't be allocated.
**/
EFI_STATUS
IkeOpenInputUdp6 (
@ -175,17 +175,17 @@ IkeOpenInputUdp6 (
/**
The general interface of starting IPsec Key Exchange.
This function is called when start a IKE negotiation to get a Key.
@param[in] UdpService Point to IKE_UDP_SERVICE which will be used for
@param[in] UdpService Point to IKE_UDP_SERVICE which will be used for
IKE packet sending.
@param[in] SpdEntry Point to the SPD entry related to the IKE negotiation.
@param[in] RemoteIp Point to EFI_IP_ADDRESS related to the IKE negotiation.
@retval EFI_SUCCESS The Operation is successful.
@retval EFI_ACCESS_DENIED No related PAD entry was found.
**/
EFI_STATUS
IkeNegotiate (
@ -196,15 +196,15 @@ IkeNegotiate (
/**
The general interface when receive a IKE packet.
This function is called when UDP IO receives a IKE packet.
@param[in] Packet Point to received IKE packet.
@param[in] EndPoint Point to UDP_END_POINT which contains the information of
@param[in] EndPoint Point to UDP_END_POINT which contains the information of
Remote IP and Port.
@param[in] IoStatus The Status of Recieve Token.
@param[in] Context Point to data passed from the caller.
**/
VOID
EFIAPI
@ -235,17 +235,19 @@ IkeLookupUdp (
/**
Delete all established IKE SAs and related Child SAs.
This function is the subfunction of the IpSecCleanupAllSa(). It first calls
IkeDeleteChildSa() to delete all Child SAs then send out the related
This function is the subfunction of the IpSecCleanupAllSa(). It first calls
IkeDeleteChildSa() to delete all Child SAs then send out the related
Information packet.
@param[in] Private Pointer of the IPSEC_PRIVATE_DATA.
@param[in] Private Pointer of the IPSEC_PRIVATE_DATA.
@param[in] IsDisableIPsec Indicate whether needs to disable IPsec.
**/
VOID
IkeDeleteAllSas (
IN IPSEC_PRIVATE_DATA *Private
IN IPSEC_PRIVATE_DATA *Private,
IN BOOLEAN IsDisableIpsec
);

107
NetworkPkg/IpSecDxe/Ikev2/Exchange.c
View File

@ -1,7 +1,7 @@
/** @file
The general interfaces of the IKEv2.
Copyright (c) 2010, Intel Corporation. All rights reserved.<BR>
Copyright (c) 2010 - 2011, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
@ -46,7 +46,7 @@ Ikev2NegotiateSa (
IKEV2_PACKET_HANDLER Handler;
IKE_PACKET *IkePacket;
EFI_STATUS Status;
if (UdpService == NULL || RemoteIp == NULL) {
return EFI_INVALID_PARAMETER;
}
@ -66,7 +66,7 @@ Ikev2NegotiateSa (
//
return EFI_SUCCESS;
}
//
// Create a new IkeSaSession and initiate the common parameters.
//
@ -79,7 +79,7 @@ Ikev2NegotiateSa (
// Set the specific parameters and state(IKE_STATE_INIT).
//
IkeSaSession->Spd = SpdEntry;
IkeSaSession->Pad = PadEntry;
IkeSaSession->Pad = PadEntry;
SessionCommon = &IkeSaSession->SessionCommon;
SessionCommon->IsInitiator = TRUE;
SessionCommon->State = IkeStateInit;
@ -88,13 +88,13 @@ Ikev2NegotiateSa (
// to support it.
//
SessionCommon->PreferDhGroup = IKEV2_TRANSFORM_ID_DH_1024MODP;
CopyMem (
&SessionCommon->RemotePeerIp,
RemoteIp,
sizeof (EFI_IP_ADDRESS)
);
CopyMem (
&SessionCommon->LocalPeerIp,
&UdpService->DefaultAddress,
@ -147,15 +147,15 @@ ON_ERROR:
/**
It is general interface to negotiate the Child SA.
There are three situations which will invoke this function. First, create a CHILD
SA if the input Context is NULL. Second, rekeying the existing IKE SA if the Context
is a IKEv2_SA_SESSION. Third, rekeying the existing CHILD SA if the context is a
There are three situations which will invoke this function. First, create a CHILD
SA if the input Context is NULL. Second, rekeying the existing IKE SA if the Context
is a IKEv2_SA_SESSION. Third, rekeying the existing CHILD SA if the context is a
IKEv2_CHILD_SA_SESSION.
@param[in] IkeSaSession Pointer to IKEv2_SA_SESSION related to this operation.
@param[in] SpdEntry Pointer to IPSEC_SPD_ENTRY related to this operation.
@param[in] Context The data pass from the caller.
@retval EFI_SUCCESS The operation is successful.
@retval EFI_OUT_OF_RESOURCES The required system resource can't be allocated.
@retval EFI_UNSUPPORTED The condition is not support yet.
@ -239,7 +239,7 @@ Ikev2NegotiateChildSa (
if (EFI_ERROR (Status)) {
goto ON_ERROR;
}
//
// Insert the ChildSaSession into processing child SA list.
//
@ -278,8 +278,8 @@ ON_ERROR:
It is general interface to start the Information Exchange.
There are three situations which will invoke this function. First, deliver a Delete Information
to delete the IKE SA if the input Context is NULL and the state of related IkeSaSeesion's is on
deleting.Second, deliver a Notify Information without the contents if the input Context is NULL.
to delete the IKE SA if the input Context is NULL and the state of related IkeSaSeesion's is on
deleting.Second, deliver a Notify Information without the contents if the input Context is NULL.
Third, deliver a Notify Information if the input Context is not NULL.
@param[in] IkeSaSession Pointer to IKEv2_SA_SESSION related to this operation.
@ -297,7 +297,7 @@ Ikev2NegotiateInfo (
IN UINT8 *Context
)
{
EFI_STATUS Status;
IKEV2_SA_SESSION *Ikev2SaSession;
IKEV2_CHILD_SA_SESSION *ChildSaSession;
@ -318,11 +318,6 @@ Ikev2NegotiateInfo (
//
if (Ikev2SaSession->SessionCommon.State == IkeStateSaDeleting && Context == NULL) {
//
// The IKE SA Session should be initiator if it triggers the deleting.
//
Ikev2SaSession->SessionCommon.IsInitiator = TRUE;
//
// Generate Information Packet which contains the Delete Payload.
//
@ -335,10 +330,12 @@ Ikev2NegotiateInfo (
//
// Send out the Packet
//
Status = Ikev2SendIkePacket (UdpService, (UINT8 *) SaCommon, IkePacket, 0);
if (UdpService != NULL) {
Status = Ikev2SendIkePacket (UdpService, (UINT8 *) SaCommon, IkePacket, 0);
if (EFI_ERROR (Status)) {
goto ON_ERROR;
if (EFI_ERROR (Status)) {
goto ON_ERROR;
}
}
} else if (!IsListEmpty (&Ikev2SaSession->DeleteSaList)) {
//
@ -360,10 +357,12 @@ Ikev2NegotiateInfo (
//
// Send out the Packet
//
Status = Ikev2SendIkePacket (UdpService, (UINT8 *) &ChildSaSession->SessionCommon, IkePacket, 0);
if (UdpService != NULL) {
Status = Ikev2SendIkePacket (UdpService, (UINT8 *) &ChildSaSession->SessionCommon, IkePacket, 0);
if (EFI_ERROR (Status)) {
goto ON_ERROR;
if (EFI_ERROR (Status)) {
goto ON_ERROR;
}
}
}
} else if (Context == NULL) {
@ -386,9 +385,9 @@ ON_ERROR:
/**
The general interface when received a IKEv2 packet for the IKE SA establishing.
This function first find the related IKE SA Session according to the IKE packet's
This function first find the related IKE SA Session according to the IKE packet's
remote IP. Then call the corresponding function to handle this IKE packet according
to the related IKE SA Session's State.
to the related IKE SA Session's State.
@param[in] UdpService Pointer of related UDP Service.
@param[in] IkePacket Data passed by caller.
@ -411,13 +410,13 @@ Ikev2HandleSa (
IPSEC_PRIVATE_DATA *Private;
BOOLEAN IsNewSession;
Private = (UdpService->IpVersion == IP_VERSION_4) ?
Private = (UdpService->IpVersion == IP_VERSION_4) ?
IPSEC_PRIVATE_DATA_FROM_UDP4LIST(UdpService->ListHead) :
IPSEC_PRIVATE_DATA_FROM_UDP6LIST(UdpService->ListHead);
ChildSaSession = NULL;
ChildSaCommon = NULL;
//
// Lookup the remote ip address in the processing IKE SA session list.
//
@ -461,7 +460,7 @@ Ikev2HandleSa (
&UdpService->DefaultAddress,
sizeof (EFI_IP_ADDRESS)
);
IsNewSession = TRUE;
}
@ -517,15 +516,15 @@ Ikev2HandleSa (
//
// Generate a piggyback child SA in IKE_STATE_AUTH state.
//
ASSERT (IsListEmpty (&IkeSaSession->ChildSaSessionList) &&
ASSERT (IsListEmpty (&IkeSaSession->ChildSaSessionList) &&
IsListEmpty (&IkeSaSession->ChildSaEstablishSessionList));
ChildSaSession = Ikev2ChildSaSessionCreate (IkeSaSession, UdpService);
ChildSaCommon = &ChildSaSession->SessionCommon;
//
// Initialize the SA data for Child SA.
//
//
ChildSaSession->SaData = Ikev2InitializeSaData (ChildSaCommon);
}
@ -570,7 +569,7 @@ Ikev2HandleSa (
//
// Remove the Established Child SA Session from the IkeSaSession->ChildSaSessionList
// ,insert it into IkeSaSession->ChildSaEstablishSessionList and save this Child SA
// ,insert it into IkeSaSession->ChildSaEstablishSessionList and save this Child SA
// into SAD.
//
ChildSaSession = IKEV2_CHILD_SA_SESSION_BY_IKE_SA (IkeSaSession->ChildSaSessionList.BackLink);
@ -610,12 +609,12 @@ ON_ERROR:
/**
The general interface when received a IKEv2 packet for the IKE Child SA establishing
The general interface when received a IKEv2 packet for the IKE Child SA establishing
or IKE SA/CHILD SA rekeying.
This function first find the related IKE SA Session according to the IKE packet's
This function first find the related IKE SA Session according to the IKE packet's
remote IP. Then call the corresponding function to handle this IKE packet according
to the related IKE Child Session's State.
to the related IKE Child Session's State.
@param[in] UdpService Pointer of related UDP Service.
@param[in] IkePacket Data passed by caller.
@ -632,8 +631,8 @@ Ikev2HandleChildSa (
IKEV2_CREATE_CHILD_REQUEST_TYPE RequestType;
IKE_PACKET *Reply;
IPSEC_PRIVATE_DATA *Private;
Private = (UdpService->IpVersion == IP_VERSION_4) ?
Private = (UdpService->IpVersion == IP_VERSION_4) ?
IPSEC_PRIVATE_DATA_FROM_UDP4LIST(UdpService->ListHead) :
IPSEC_PRIVATE_DATA_FROM_UDP6LIST(UdpService->ListHead);
@ -671,20 +670,20 @@ Ikev2HandleChildSa (
//
// Get the request type: CreateChildSa/RekeyChildSa/RekeyIkeSa.
//
//
RequestType = Ikev2ChildExchangeRequestType (IkePacket);
switch (RequestType) {
case IkeRequestTypeCreateChildSa:
case IkeRequestTypeRekeyChildSa:
case IkeRequestTypeRekeyIkeSa:
case IkeRequestTypeRekeyChildSa:
case IkeRequestTypeRekeyIkeSa:
//
// Parse the IKE request packet. Not support CREATE_CHILD_SA exchange yet, so
// only EFI_UNSUPPORTED will be returned and that will trigger a reply with a
// only EFI_UNSUPPORTED will be returned and that will trigger a reply with a
// Notify payload of type NO_ADDITIONAL_SAS.
//
Status = mIkev2CreateChild.Parser ((UINT8 *) IkeSaSession, IkePacket);
if (EFI_ERROR (Status)) {
if (EFI_ERROR (Status)) {
goto ON_REPLY;
}
@ -694,7 +693,7 @@ Ikev2HandleChildSa (
//
return ;
}
ON_REPLY:
//
// Generate the reply packet if needed and send it out.
@ -712,15 +711,15 @@ ON_REPLY:
}
}
}
}
}
return ;
}
/**
It is general interface to handle IKEv2 information Exchange.
@param[in] UdpService Point to IKE UPD Service related to this information exchange.
@param[in] UdpService Point to IKE UPD Service related to this information exchange.
@param[in] IkePacket The IKE packet to be parsed.
**/
@ -735,15 +734,15 @@ Ikev2HandleInfo (
IKEV2_SA_SESSION *IkeSaSession;
IPSEC_PRIVATE_DATA *Private;
Private = (UdpService->IpVersion == IP_VERSION_4) ?
IPSEC_PRIVATE_DATA_FROM_UDP4LIST(UdpService->ListHead) :
Private = (UdpService->IpVersion == IP_VERSION_4) ?
IPSEC_PRIVATE_DATA_FROM_UDP4LIST(UdpService->ListHead) :
IPSEC_PRIVATE_DATA_FROM_UDP6LIST(UdpService->ListHead);
//
// Lookup the remote ip address in the processing IKE SA session list.
//
IkeSaSession = Ikev2SaSessionLookup (&Private->Ikev2EstablishedList, &IkePacket->RemotePeerIp);
if (IkeSaSession == NULL) {
//
// Drop the packet if no IKE SA associated.
@ -754,12 +753,12 @@ Ikev2HandleInfo (
// Validate the IKE packet header.
//
if (!Ikev2ValidateHeader (IkeSaSession, IkePacket->Header)) {
//
// Drop the packet if invalid IKE header.
//
return;
}
}
SessionCommon = &IkeSaSession->SessionCommon;
@ -778,7 +777,7 @@ Ikev2HandleInfo (
// Drop the packet if fail to parse.
//
return;
}
}
}
IKE_EXCHANGE_INTERFACE mIkev1Exchange = {

371
NetworkPkg/IpSecDxe/Ikev2/Payload.c
View File

File diff suppressed because it is too large Load Diff

26
NetworkPkg/IpSecDxe/IpSecDriver.c
View File

@ -1,7 +1,7 @@
/** @file
Driver Binding Protocol for IPsec Driver.
Copyright (c) 2009 - 2010, Intel Corporation. All rights reserved.<BR>
Copyright (c) 2009 - 2011, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
@ -81,7 +81,7 @@ IpSecDriverBindingSupported (
@retval EFI_SUCCES This driver is added to ControllerHandle
@retval EFI_ALREADY_STARTED This driver is already running on ControllerHandle
@retval EFI_DEVICE_ERROR The device could not be started due to a device error.
@retval EFI_DEVICE_ERROR The device could not be started due to a device error.
Currently not implemented.
@retval other This driver does not support this device
@ -189,6 +189,10 @@ IpSecDriverBindingStop (
Private = IPSEC_PRIVATE_DATA_FROM_IPSEC (IpSec);
//
// Delete all SAs before stop Ipsec.
//
IkeDeleteAllSas (Private, FALSE);
//
// If has udp4 io opened on the controller, close and free it.
//
@ -256,9 +260,9 @@ EFI_DRIVER_BINDING_PROTOCOL gIpSecDriverBinding = {
/**
This is a callback function when the mIpSecInstance.DisabledEvent is signaled.
@param[in] Event Event whose notification function is being invoked.
@param[in] Context Pointer to the notification function's context.
@param[in] Context Pointer to the notification function's context.
**/
VOID
@ -271,15 +275,15 @@ IpSecCleanupAllSa (
IPSEC_PRIVATE_DATA *Private;
Private = (IPSEC_PRIVATE_DATA *) Context;
Private->IsIPsecDisabling = TRUE;
IkeDeleteAllSas (Private);
IkeDeleteAllSas (Private, TRUE);
}
/**
This is the declaration of an EFI image entry point. This entry point is
the same for UEFI Applications, UEFI OS Loaders, and UEFI Drivers, including
both device drivers and bus drivers.
The entry point for IPsec driver which installs the driver binding,
The entry point for IPsec driver which installs the driver binding,
component name protocol, IPsec Config protcolon, and IPsec protocol in
its ImageHandle.
@ -289,7 +293,7 @@ IpSecCleanupAllSa (
@retval EFI_SUCCESS The operation completed successfully.
@retval EFI_ALREADY_STARTED The IPsec driver has been already loaded.
@retval EFI_OUT_OF_RESOURCES The request could not be completed due to a lack of resources.
@retval Others The operation is failed.
@retval Others The operation is failed.
**/
EFI_STATUS
@ -346,7 +350,7 @@ IpSecDriverEntryPoint (
Private->Signature = IPSEC_PRIVATE_DATA_SIGNATURE;
Private->ImageHandle = ImageHandle;
CopyMem (&Private->IpSec, &mIpSecInstance, sizeof (EFI_IPSEC2_PROTOCOL));
//
// Initilize Private's members. Thess members is used for IKE.
//
@ -356,7 +360,7 @@ IpSecDriverEntryPoint (
InitializeListHead (&Private->Ikev1EstablishedList);
InitializeListHead (&Private->Ikev2SessionList);
InitializeListHead (&Private->Ikev2EstablishedList);
RandomSeed (NULL, 0);
//
// Initialize the ipsec config data and restore it from variable.
@ -390,7 +394,7 @@ IpSecDriverEntryPoint (
if (EFI_ERROR (Status)) {
goto ON_UNINSTALL_IPSEC;
}
return Status;
ON_UNINSTALL_IPSEC:

167
NetworkPkg/IpSecDxe/IpSecImpl.c
View File

@ -23,7 +23,7 @@
Check if the specified Address is the Valid Address Range.
This function checks if the bytes after prefixed length are all Zero in this
Address. This Address is supposed to point to a range address. That means it
Address. This Address is supposed to point to a range address. That means it
should gives the correct prefixed address and the bytes outside the prefixed are
zero.
@ -329,7 +329,7 @@ IpSecLookupSadBySpd (
{
LIST_ENTRY *Entry;
IPSEC_SAD_ENTRY *SadEntry;
NET_LIST_FOR_EACH (Entry, SadList) {
SadEntry = IPSEC_SAD_ENTRY_FROM_SPD (Entry);
@ -341,7 +341,7 @@ IpSecLookupSadBySpd (
DestAddress,
SadEntry->Data->SpdSelector->RemoteAddress,
SadEntry->Data->SpdSelector->RemoteAddressCount
)){
)){
return SadEntry;
}
}
@ -382,7 +382,7 @@ IpSecLookupSadBySpi (
if (SadEntry->Id->Spi == Spi) {
if (SadEntry->Data->Mode == EfiIPsecTunnel) {
if (CompareMem (
&DestAddress,
&DestAddress,
&SadEntry->Data->TunnelDestAddress,
sizeof (EFI_IP_ADDRESS)
)) {
@ -391,14 +391,14 @@ IpSecLookupSadBySpi (
} else {
if (SadEntry->Data->SpdSelector != NULL &&
IpSecMatchIpAddress (
IpVersion,
DestAddress,
IpVersion,
DestAddress,
SadEntry->Data->SpdSelector->RemoteAddress,
SadEntry->Data->SpdSelector->RemoteAddressCount
)
) {
return SadEntry;
}
}
}
}
}
@ -471,14 +471,13 @@ IpSecLookupSadEntry (
sizeof (EFI_IP_ADDRESS)
);
}
//
// Find the SAD entry in the spd.sas list according to the dest address.
//
Entry = IpSecLookupSadBySpd (&SpdEntry->Data->Sas, &DestIp, IpVersion);
if (Entry == NULL) {
if (OldLastHead != IP6_ICMP ||
(OldLastHead == IP6_ICMP && *IpPayload == ICMP_V6_ECHO_REQUEST)
) {
@ -498,7 +497,7 @@ IpSecLookupSadEntry (
&DestIp
);
}
}
return EFI_NOT_READY;
@ -595,7 +594,7 @@ IpSecLookupSpdEntry (
IN VOID *IpHead,
IN UINT8 *IpPayload,
IN UINT8 Protocol,
IN BOOLEAN IsOutbound,
IN BOOLEAN IsOutbound,
OUT EFI_IPSEC_ACTION *Action
)
{
@ -733,7 +732,7 @@ IpSecRecycleCallback (
}
/**
Calculate the extension hader of IP. The return length only doesn't contain
Calculate the extension hader of IP. The return length only doesn't contain
the fixed IP header length.
@param[in] IpHead Points to an IP head to be calculated.
@ -801,7 +800,7 @@ IpSecEspAuthVerifyPayload (
//
HashFragment[0].Data = EspBuffer;
HashFragment[0].DataSize = AuthSize;
Status = IpSecCryptoIoHmac (
SadEntry->Data->AlgoInfo.EspAlgoInfo.AuthAlgoId,
SadEntry->Data->AlgoInfo.EspAlgoInfo.AuthKey,
@ -814,7 +813,7 @@ IpSecEspAuthVerifyPayload (
if (EFI_ERROR (Status)) {
return Status;
}
//
// Compare the calculated icv and the appended original icv.
//
@ -832,10 +831,10 @@ IpSecEspAuthVerifyPayload (
@param[in] IpHead The pointer to IP header.
@param[in] IpVersion The version of IP (IP4 or IP6).
@param[in] Spi The SPI used to search the related SAD entry.
@retval NULL Not find the related SAD entry.
@retval IPSEC_SAD_ENTRY Return the related SAD entry.
@retval IPSEC_SAD_ENTRY Return the related SAD entry.
**/
IPSEC_SAD_ENTRY *
@ -843,10 +842,10 @@ IpSecFoundSadFromInboundPacket (
UINT8 *IpHead,
UINT8 IpVersion,
UINT32 Spi
)
)
{
EFI_IP_ADDRESS DestIp;
//
// Parse destination address from ip header.
//
@ -864,10 +863,10 @@ IpSecFoundSadFromInboundPacket (
sizeof (EFI_IPv6_ADDRESS)
);
}
//
// Lookup SAD entry according to the spi and dest address.
//
//
return IpSecLookupSadBySpi (Spi, &DestIp, IpVersion);
}
@ -994,7 +993,7 @@ IpSecIsIp6ExtsValid (
}
return TRUE;
}
}
}
*LastHeader = NextHeader;
@ -1007,14 +1006,14 @@ IpSecIsIp6ExtsValid (
}
/**
The actual entry to process the tunnel header and inner header for tunnel mode
The actual entry to process the tunnel header and inner header for tunnel mode
outbound traffic.
This function is the subfunction of IpSecEspInboundPacket(). It change the destination
This function is the subfunction of IpSecEspInboundPacket(). It change the destination
Ip address to the station address and recalculate the uplayyer's checksum.
@param[in, out] IpHead Points to the IP header containing the ESP header
@param[in, out] IpHead Points to the IP header containing the ESP header
to be trimed on input, and without ESP header
on return.
@param[in] IpPayload The decrypted Ip payload. It start from the inner
@ -1042,10 +1041,10 @@ IpSecTunnelInboundPacket (
IP6_ICMP_HEAD *Icmp6Head;
Checksum = NULL;
if (IpVersion == IP_VERSION_4) {
//
// Zero OutIP header use this to indicate the input packet is under
// Zero OutIP header use this to indicate the input packet is under
// IPsec Tunnel protected.
//
ZeroMem (
@ -1057,20 +1056,20 @@ IpSecTunnelInboundPacket (
&SadData->TunnelDestAddress.v4,
sizeof (EFI_IPv4_ADDRESS)
);
//
// Recalculate IpHeader Checksum
//
if (((IP4_HEAD *)(IpPayload))->Checksum != 0 ) {
((IP4_HEAD *)(IpPayload))->Checksum = 0;
((IP4_HEAD *)(IpPayload))->Checksum = (UINT16) (~NetblockChecksum (
(UINT8 *)IpPayload,
(UINT8 *)IpPayload,
((IP4_HEAD *)IpPayload)->HeadLen << 2
));
}
//
// Recalcualte PseudoChecksum
//
@ -1091,7 +1090,7 @@ IpSecTunnelInboundPacket (
break;
}
PacketChecksum = NetblockChecksum (
(UINT8 *)IpPayload + (((IP4_HEAD *)IpPayload)->HeadLen << 2),
(UINT8 *)IpPayload + (((IP4_HEAD *)IpPayload)->HeadLen << 2),
NTOHS (((IP4_HEAD *)IpPayload)->TotalLen) - (((IP4_HEAD *)IpPayload)->HeadLen << 2)
);
PseudoChecksum = NetPseudoHeadChecksum (
@ -1100,14 +1099,14 @@ IpSecTunnelInboundPacket (
((IP4_HEAD *)IpPayload)->Protocol,
0
);
if (Checksum != NULL) {
*Checksum = NetAddChecksum (PacketChecksum, PseudoChecksum);
*Checksum = (UINT16) ~(NetAddChecksum (*Checksum, HTONS((UINT16)(NTOHS (((IP4_HEAD *)IpPayload)->TotalLen) - (((IP4_HEAD *)IpPayload)->HeadLen << 2)))));
}
}else {
//
// Zero OutIP header use this to indicate the input packet is under
// Zero OutIP header use this to indicate the input packet is under
// IPsec Tunnel protected.
//
ZeroMem (
@ -1119,7 +1118,7 @@ IpSecTunnelInboundPacket (
&SadData->TunnelDestAddress.v6,
sizeof (EFI_IPv6_ADDRESS)
);
//
// Get the Extension Header and Header length.
//
@ -1130,7 +1129,7 @@ IpSecTunnelInboundPacket (
&LastHead,
&OptionLen
);
//
// Recalcualte PseudoChecksum
//
@ -1154,7 +1153,7 @@ IpSecTunnelInboundPacket (
break;
}
PacketChecksum = NetblockChecksum (
IpPayload + sizeof (EFI_IP6_HEADER) + OptionLen,
IpPayload + sizeof (EFI_IP6_HEADER) + OptionLen,
NTOHS(((EFI_IP6_HEADER *)IpPayload)->PayloadLength) - OptionLen
);
PseudoChecksum = NetIp6PseudoHeadChecksum (
@ -1163,7 +1162,7 @@ IpSecTunnelInboundPacket (
*LastHead,
0
);
if (Checksum != NULL) {
*Checksum = NetAddChecksum (PacketChecksum, PseudoChecksum);
*Checksum = (UINT16) ~(NetAddChecksum (
@ -1171,22 +1170,22 @@ IpSecTunnelInboundPacket (
HTONS ((UINT16)((NTOHS (((EFI_IP6_HEADER *)(IpPayload))->PayloadLength)) - OptionLen))
));
}
}
}
}
/**
The actual entry to create inner header for tunnel mode inbound traffic.
This function is the subfunction of IpSecEspOutboundPacket(). It create
the sending packet by encrypting its payload and inserting ESP header in the orginal
This function is the subfunction of IpSecEspOutboundPacket(). It create
the sending packet by encrypting its payload and inserting ESP header in the orginal
IP header, then return the IpHeader and IPsec protected Fragmentable.
@param[in, out] IpHead Points to IP header containing the orginal IP header
@param[in, out] IpHead Points to IP header containing the orginal IP header
to be processed on input, and inserted ESP header
on return.
@param[in] IpVersion The version of IP.
@param[in] SadData The related SAD data.
@param[in, out] LastHead The Last Header in IP header.
@param[in, out] LastHead The Last Header in IP header.
@param[in] OptionsBuffer Pointer to the options buffer.
@param[in] OptionsLength Length of the options buffer.
@param[in, out] FragmentTable Pointer to a list of fragments to be protected by
@ -1221,7 +1220,7 @@ IpSecTunnelOutboundPacket (
if (OptionsLength == NULL) {
return NULL;
}
if (IpVersion == IP_VERSION_4) {
InnerHead = AllocateZeroPool (sizeof (IP4_HEAD) + *OptionsLength);
ASSERT (InnerHead != NULL);
@ -1256,7 +1255,7 @@ IpSecTunnelOutboundPacket (
*OptionsLength = 0;
}
}
//
// 2. Reassamlbe Fragment into Packet
//
@ -1294,13 +1293,13 @@ IpSecTunnelOutboundPacket (
Checksum = &IcmpHead->Checksum;
*Checksum = 0;
break;
default:
default:
break;
}
PacketChecksum = NetbufChecksum (Packet);
if (IpVersion == IP_VERSION_4) {
//
// Replace the source address of Inner Header.
@ -1318,7 +1317,7 @@ IpSecTunnelOutboundPacket (
*LastHead,
0
);
} else {
//
// Replace the source address of Inner Header.
@ -1335,7 +1334,7 @@ IpSecTunnelOutboundPacket (
*LastHead,
0
);
}
if (Checksum != NULL) {
*Checksum = NetAddChecksum (PacketChecksum, PseudoChecksum);
@ -1351,12 +1350,12 @@ IpSecTunnelOutboundPacket (
/**
The actual entry to relative function processes the inbound traffic of ESP header.
This function is the subfunction of IpSecProtectInboundPacket(). It checks the
This function is the subfunction of IpSecProtectInboundPacket(). It checks the
received packet security property and trim the ESP header and then returns without
an IPsec protected IP Header and FramgmentTable.
@param[in] IpVersion The version of IP.
@param[in, out] IpHead Points to the IP header containing the ESP header
@param[in, out] IpHead Points to the IP header containing the ESP header
to be trimed on input, and without ESP header
on return.
@param[out] LastHead The Last Header in IP header on return.
@ -1417,7 +1416,7 @@ IpSecEspInboundPacket (
*RecycleEvent = NULL;
PlainPayloadSize = 0;
NextHeader = 0;
//
// Build netbuf from fragment table first.
//
@ -1433,27 +1432,27 @@ IpSecEspInboundPacket (
Status = EFI_OUT_OF_RESOURCES;
goto ON_EXIT;
}
//
// Get the esp size and esp header from netbuf.
//
EspSize = Payload->TotalSize;
EspHeader = (EFI_ESP_HEADER *) NetbufGetByte (Payload, 0, NULL);
if (EspHeader == NULL) {
Status = EFI_ACCESS_DENIED;
goto ON_EXIT;
}
//
// Parse destination address from ip header and found the related SAD Entry.
//
SadEntry = IpSecFoundSadFromInboundPacket (
IpHead,
IpHead,
IpVersion,
NTOHL (EspHeader->Spi)
);
if (SadEntry == NULL) {
Status = EFI_ACCESS_DENIED;
goto ON_EXIT;
@ -1475,7 +1474,7 @@ IpSecEspInboundPacket (
// TODO: Check SA lifetime and sequence number
//
}
//
// Allocate buffer for decryption and authentication.
//
@ -1493,7 +1492,7 @@ IpSecEspInboundPacket (
IcvSize = IpSecGetIcvLength (SadEntry->Data->AlgoInfo.EspAlgoInfo.AuthAlgoId);
IvSize = IpSecGetEncryptIvLength (SadEntry->Data->AlgoInfo.EspAlgoInfo.EncAlgoId);
BlockSize = IpSecGetEncryptBlockSize (SadEntry->Data->AlgoInfo.EspAlgoInfo.EncAlgoId);
//
// Make sure the ESP packet is not mal-formt.
// 1. Check whether the Espsize is larger than ESP header + IvSize + EspTail + IcvSize.
@ -1540,20 +1539,20 @@ IpSecEspInboundPacket (
goto ON_EXIT;
}
}
//
// Parse EspTail and compute the plain payload size.
//
EspTail = (EFI_ESP_TAIL *) (ProcessBuffer + EspSize - IcvSize - sizeof (EFI_ESP_TAIL));
PaddingSize = EspTail->PaddingLength;
NextHeader = EspTail->NextHeader;
if (EspSize <= (MiscSize + sizeof (EFI_ESP_TAIL) + PaddingSize)) {
Status = EFI_ACCESS_DENIED;
goto ON_EXIT;
}
PlainPayloadSize = EspSize - MiscSize - sizeof (EFI_ESP_TAIL) - PaddingSize;
//
// TODO: handle anti-replay window
//
@ -1577,7 +1576,7 @@ IpSecEspInboundPacket (
if (EFI_ERROR (Status)) {
goto ON_EXIT;
}
//
// The caller will take responsible to handle the original fragment table
//
@ -1589,7 +1588,7 @@ IpSecEspInboundPacket (
RecycleContext->PayloadBuffer = ProcessBuffer;
RecycleContext->FragmentTable = *FragmentTable;
//
// If Tunnel, recalculate upper-layyer PesudoCheckSum and trim the out
//
@ -1602,20 +1601,20 @@ IpSecEspInboundPacket (
SadData,
LastHead
);
if (IpVersion == IP_VERSION_4) {
(*FragmentTable)[0].FragmentBuffer = InnerHead ;
(*FragmentTable)[0].FragmentLength = (UINT32) PlainPayloadSize;
}else {
}else {
(*FragmentTable)[0].FragmentBuffer = InnerHead;
(*FragmentTable)[0].FragmentLength = (UINT32) PlainPayloadSize;
}
}
} else {
(*FragmentTable)[0].FragmentBuffer = ProcessBuffer + sizeof (EFI_ESP_HEADER) + IvSize;
(*FragmentTable)[0].FragmentLength = (UINT32) PlainPayloadSize;
}
*FragmentCount = 1;
//
@ -1633,7 +1632,7 @@ IpSecEspInboundPacket (
//
*LastHead = NextHeader;
}
//
// Update the SPD association of the SAD entry.
@ -1721,7 +1720,7 @@ IpSecEspOutboundPacket (
EFI_ESP_TAIL *EspTail; // Address behind padding
UINT8 *InnerHead;
HASH_DATA_FRAGMENT HashFragment[1];
Status = EFI_ACCESS_DENIED;
SaId = SadEntry->Id;
SadData = SadEntry->Data;
@ -1754,7 +1753,7 @@ IpSecEspOutboundPacket (
FragmentTable,
FragmentCount
);
if (InnerHead == NULL) {
return EFI_INVALID_PARAMETER;
}
@ -1794,7 +1793,7 @@ IpSecEspOutboundPacket (
//
// OPtions should be encryption into it
//
PlainPayloadSize += *OptionsLength;
PlainPayloadSize += *OptionsLength;
}
@ -1852,7 +1851,7 @@ IpSecEspOutboundPacket (
// HeadLen, Total Length
//
((IP4_HEAD *)InnerHead)->HeadLen = (UINT8) ((sizeof (IP4_HEAD) + *OptionsLength) >> 2);
((IP4_HEAD *)InnerHead)->TotalLen = HTONS ((UINT16) PlainPayloadSize);
((IP4_HEAD *)InnerHead)->TotalLen = HTONS ((UINT16) PlainPayloadSize);
((IP4_HEAD *)InnerHead)->Checksum = 0;
((IP4_HEAD *)InnerHead)->Checksum = (UINT16) (~NetblockChecksum (
(UINT8 *)InnerHead,
@ -1904,7 +1903,7 @@ IpSecEspOutboundPacket (
EspTail->NextHeader = 4;
} else {
EspTail->NextHeader = 41;
}
}
}
//
@ -1914,8 +1913,8 @@ IpSecEspOutboundPacket (
(UINT8 *) (EspHeader + 1),
IvSize
);
if (EFI_ERROR (Status)) {
goto ON_EXIT;
}
@ -2011,10 +2010,10 @@ IpSecEspOutboundPacket (
if (SadData->Mode == EfiIPsecTunnel) {
if (IpVersion == IP_VERSION_4) {
CopyMem (
&((IP4_HEAD *) IpHead)->Src,
&((IP4_HEAD *) IpHead)->Src,
&SadData->TunnelSourceAddress.v4,
sizeof (EFI_IPv4_ADDRESS)
);
);
CopyMem (
&((IP4_HEAD *) IpHead)->Dst,
&SadData->TunnelDestAddress.v4,
@ -2065,11 +2064,11 @@ ON_EXIT:
/**
This function processes the inbound traffic with IPsec.
It checks the received packet security property, trims the ESP/AH header, and then
It checks the received packet security property, trims the ESP/AH header, and then
returns without an IPsec protected IP Header and FragmentTable.
@param[in] IpVersion The version of IP.
@param[in, out] IpHead Points to IP header containing the ESP/AH header
@param[in, out] IpHead Points to IP header containing the ESP/AH header
to be trimed on input, and without ESP/AH header
on return.
@param[in, out] LastHead The Last Header in IP header on return.